libwinpr-sspi: detect real computer name in server-side NLA
parent
1aa0512490
commit
23027a5b97
@ -90,7 +90,6 @@ void credssp_buffer_print(rdpCredssp* credssp);
|
||||
void credssp_buffer_free(rdpCredssp* credssp);
|
||||
SECURITY_STATUS credssp_encrypt_public_key_echo(rdpCredssp* credssp);
|
||||
SECURITY_STATUS credssp_decrypt_public_key_echo(rdpCredssp* credssp);
|
||||
void credssp_encode_ts_credentials(rdpCredssp* credssp);
|
||||
SECURITY_STATUS credssp_encrypt_ts_credentials(rdpCredssp* credssp);
|
||||
SECURITY_STATUS credssp_decrypt_ts_credentials(rdpCredssp* credssp);
|
||||
|
||||
@ -520,8 +519,6 @@ int credssp_server_authenticate(rdpCredssp* credssp)
|
||||
return 0;
|
||||
}
|
||||
|
||||
printf("verifying public key echo\n");
|
||||
|
||||
credssp_decrypt_public_key_echo(credssp);
|
||||
|
||||
sspi_SecBufferFree(&credssp->negoToken);
|
||||
@ -678,7 +675,7 @@ SECURITY_STATUS credssp_decrypt_public_key_echo(rdpCredssp* credssp)
|
||||
Message.ulVersion = SECBUFFER_VERSION;
|
||||
Message.pBuffers = (PSecBuffer) &Buffers;
|
||||
|
||||
status = credssp->table->DecryptMessage(&credssp->context, &Message, 0, &pfQOP);
|
||||
status = credssp->table->DecryptMessage(&credssp->context, &Message, credssp->recv_seq_num++, &pfQOP);
|
||||
|
||||
if (status != SEC_E_OK)
|
||||
{
|
||||
@ -887,7 +884,6 @@ void credssp_encode_ts_credentials(rdpCredssp* credssp)
|
||||
|
||||
SECURITY_STATUS credssp_encrypt_ts_credentials(rdpCredssp* credssp)
|
||||
{
|
||||
BYTE* p;
|
||||
SecBuffer Buffers[2];
|
||||
SecBufferDesc Message;
|
||||
SECURITY_STATUS status;
|
||||
@ -897,37 +893,32 @@ SECURITY_STATUS credssp_encrypt_ts_credentials(rdpCredssp* credssp)
|
||||
Buffers[0].BufferType = SECBUFFER_TOKEN; /* Signature */
|
||||
Buffers[1].BufferType = SECBUFFER_DATA; /* TSCredentials */
|
||||
|
||||
Buffers[0].cbBuffer = 16;
|
||||
Buffers[0].pvBuffer = xzalloc(Buffers[0].cbBuffer);
|
||||
sspi_SecBufferAlloc(&credssp->authInfo, credssp->ContextSizes.cbMaxSignature + credssp->ts_credentials.cbBuffer);
|
||||
|
||||
Buffers[0].cbBuffer = credssp->ContextSizes.cbMaxSignature;
|
||||
Buffers[0].pvBuffer = credssp->authInfo.pvBuffer;
|
||||
ZeroMemory(Buffers[0].pvBuffer, Buffers[0].cbBuffer);
|
||||
|
||||
Buffers[1].cbBuffer = credssp->ts_credentials.cbBuffer;
|
||||
Buffers[1].pvBuffer = malloc(Buffers[1].cbBuffer);
|
||||
Buffers[1].pvBuffer = &((BYTE*) credssp->authInfo.pvBuffer)[Buffers[0].cbBuffer];
|
||||
CopyMemory(Buffers[1].pvBuffer, credssp->ts_credentials.pvBuffer, Buffers[1].cbBuffer);
|
||||
|
||||
Message.cBuffers = 2;
|
||||
Message.ulVersion = SECBUFFER_VERSION;
|
||||
Message.pBuffers = (PSecBuffer) &Buffers;
|
||||
|
||||
sspi_SecBufferAlloc(&credssp->authInfo, Buffers[0].cbBuffer + Buffers[1].cbBuffer);
|
||||
|
||||
status = credssp->table->EncryptMessage(&credssp->context, 0, &Message, credssp->send_seq_num++);
|
||||
|
||||
if (status != SEC_E_OK)
|
||||
return status;
|
||||
|
||||
p = (BYTE*) credssp->authInfo.pvBuffer;
|
||||
CopyMemory(p, Buffers[0].pvBuffer, Buffers[0].cbBuffer); /* Message Signature */
|
||||
CopyMemory(&p[Buffers[0].cbBuffer], Buffers[1].pvBuffer, Buffers[1].cbBuffer); /* Encrypted TSCredentials */
|
||||
|
||||
free(Buffers[0].pvBuffer);
|
||||
free(Buffers[1].pvBuffer);
|
||||
|
||||
return SEC_E_OK;
|
||||
}
|
||||
|
||||
SECURITY_STATUS credssp_decrypt_ts_credentials(rdpCredssp* credssp)
|
||||
{
|
||||
BYTE* p;
|
||||
int length;
|
||||
BYTE* buffer;
|
||||
ULONG pfQOP;
|
||||
SecBuffer Buffers[2];
|
||||
SecBufferDesc Message;
|
||||
@ -942,21 +933,20 @@ SECURITY_STATUS credssp_decrypt_ts_credentials(rdpCredssp* credssp)
|
||||
return SEC_E_INVALID_TOKEN;
|
||||
}
|
||||
|
||||
Buffers[0].cbBuffer = 16;
|
||||
Buffers[0].pvBuffer = malloc(Buffers[0].cbBuffer);
|
||||
CopyMemory(Buffers[0].pvBuffer, credssp->authInfo.pvBuffer, Buffers[0].cbBuffer);
|
||||
length = credssp->authInfo.cbBuffer;
|
||||
buffer = (BYTE*) malloc(length);
|
||||
CopyMemory(buffer, credssp->authInfo.pvBuffer, length);
|
||||
|
||||
Buffers[1].cbBuffer = credssp->authInfo.cbBuffer - Buffers[0].cbBuffer;
|
||||
Buffers[1].pvBuffer = malloc(Buffers[1].cbBuffer);
|
||||
p = (BYTE*) credssp->authInfo.pvBuffer;
|
||||
CopyMemory(Buffers[1].pvBuffer, &p[Buffers[0].cbBuffer], Buffers[1].cbBuffer);
|
||||
Buffers[0].cbBuffer = credssp->ContextSizes.cbMaxSignature;
|
||||
Buffers[0].pvBuffer = buffer;
|
||||
|
||||
Buffers[1].cbBuffer = length - credssp->ContextSizes.cbMaxSignature;
|
||||
Buffers[1].pvBuffer = &buffer[credssp->ContextSizes.cbMaxSignature];
|
||||
|
||||
Message.cBuffers = 2;
|
||||
Message.ulVersion = SECBUFFER_VERSION;
|
||||
Message.pBuffers = (PSecBuffer) &Buffers;
|
||||
|
||||
sspi_SecBufferAlloc(&credssp->authInfo, Buffers[0].cbBuffer + Buffers[1].cbBuffer);
|
||||
|
||||
status = credssp->table->DecryptMessage(&credssp->context, &Message, credssp->recv_seq_num++, &pfQOP);
|
||||
|
||||
if (status != SEC_E_OK)
|
||||
@ -964,8 +954,7 @@ SECURITY_STATUS credssp_decrypt_ts_credentials(rdpCredssp* credssp)
|
||||
|
||||
credssp_read_ts_credentials(credssp, &Buffers[1]);
|
||||
|
||||
free(Buffers[0].pvBuffer);
|
||||
free(Buffers[1].pvBuffer);
|
||||
free(buffer);
|
||||
|
||||
return SEC_E_OK;
|
||||
}
|
||||
|
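Review bot: In `credssp_decrypt_ts_credentials` the new `Buffers[1].cbBuffer = length - credssp->ContextSizes.cbMaxSignature;` subtracts without a visible check that the received `authInfo` holds at least `cbMaxSignature` bytes, so a short peer-supplied token would make the data length wrap and leave `Buffers[1].pvBuffer` pointing past the `malloc(length)` copy. The guard that returns `SEC_E_INVALID_TOKEN` sits above the hunk and is not shown; if it only rejects an empty buffer, add `if (credssp->authInfo.cbBuffer < credssp->ContextSizes.cbMaxSignature) return SEC_E_INVALID_TOKEN;` before the `malloc`. The `malloc` result is also used unchecked, and the `if (status != SEC_E_OK)` branch after `DecryptMessage` continues outside the hunk, so confirm it frees `buffer` before returning, since `free(buffer)` is only visible on the success path. In `credssp_server_authenticate`, if the `credssp_decrypt_public_key_echo(credssp);` call stays on the new side (the rendering does not show which two lines that hunk drops), its status is discarded; authentication should fail when it is not `SEC_E_OK`.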
@ -22,6 +22,7 @@
|
||||
|
||||
#include <winpr/crt.h>
|
||||
#include <winpr/print.h>
|
||||
#include <winpr/sysinfo.h>
|
||||
|
||||
#include "ntlm_compute.h"
|
||||
|
||||
@ -327,39 +328,68 @@ void ntlm_populate_av_pairs(NTLM_CONTEXT* context)
|
||||
* @param NTLM context
|
||||
*/
|
||||
|
||||
char* test_NbDomainName = "FREERDP";
|
||||
char* test_NbComputerName = "FREERDP";
|
||||
char* test_DnsDomainName = "FreeRDP";
|
||||
char* test_DnsComputerName = "FreeRDP";
|
||||
|
||||
void ntlm_populate_server_av_pairs(NTLM_CONTEXT* context)
|
||||
{
|
||||
int length;
|
||||
AV_PAIRS* av_pairs = context->av_pairs;
|
||||
DWORD nSize;
|
||||
AV_PAIRS* av_pairs;
|
||||
char* NbDomainName;
|
||||
char* NbComputerName;
|
||||
char* DnsDomainName;
|
||||
char* DnsComputerName;
|
||||
|
||||
av_pairs->NbDomainName.length = strlen(test_NbDomainName) * 2;
|
||||
av_pairs = context->av_pairs;
|
||||
|
||||
nSize = 0;
|
||||
GetComputerNameExA(ComputerNameNetBIOS, NULL, &nSize);
|
||||
NbDomainName = malloc(nSize);
|
||||
GetComputerNameExA(ComputerNameNetBIOS, NbDomainName, &nSize);
|
||||
CharUpperA(NbDomainName);
|
||||
|
||||
nSize = 0;
|
||||
GetComputerNameExA(ComputerNameNetBIOS, NULL, &nSize);
|
||||
NbComputerName = malloc(nSize);
|
||||
GetComputerNameExA(ComputerNameNetBIOS, NbComputerName, &nSize);
|
||||
CharUpperA(NbComputerName);
|
||||
|
||||
nSize = 0;
|
||||
GetComputerNameExA(ComputerNameDnsDomain, NULL, &nSize);
|
||||
DnsDomainName = malloc(nSize);
|
||||
GetComputerNameExA(ComputerNameDnsDomain, DnsDomainName, &nSize);
|
||||
|
||||
nSize = 0;
|
||||
GetComputerNameExA(ComputerNameDnsHostname, NULL, &nSize);
|
||||
DnsComputerName = malloc(nSize);
|
||||
GetComputerNameExA(ComputerNameDnsHostname, DnsComputerName, &nSize);
|
||||
|
||||
av_pairs->NbDomainName.length = strlen(NbDomainName) * 2;
|
||||
av_pairs->NbDomainName.value = (BYTE*) malloc(av_pairs->NbDomainName.length);
|
||||
MultiByteToWideChar(CP_ACP, 0, test_NbDomainName, strlen(test_NbDomainName),
|
||||
MultiByteToWideChar(CP_ACP, 0, NbDomainName, strlen(NbDomainName),
|
||||
(LPWSTR) av_pairs->NbDomainName.value, av_pairs->NbDomainName.length / 2);
|
||||
|
||||
av_pairs->NbComputerName.length = strlen(test_NbDomainName) * 2;
|
||||
av_pairs->NbComputerName.length = strlen(NbDomainName) * 2;
|
||||
av_pairs->NbComputerName.value = (BYTE*) malloc(av_pairs->NbComputerName.length);
|
||||
MultiByteToWideChar(CP_ACP, 0, test_NbComputerName, strlen(test_NbComputerName),
|
||||
MultiByteToWideChar(CP_ACP, 0, NbComputerName, strlen(NbComputerName),
|
||||
(LPWSTR) av_pairs->NbComputerName.value, av_pairs->NbComputerName.length / 2);
|
||||
|
||||
av_pairs->DnsDomainName.length = strlen(test_DnsDomainName) * 2;
|
||||
av_pairs->DnsDomainName.length = strlen(DnsDomainName) * 2;
|
||||
av_pairs->DnsDomainName.value = (BYTE*) malloc(av_pairs->DnsDomainName.length);
|
||||
MultiByteToWideChar(CP_ACP, 0, test_DnsDomainName, strlen(test_DnsDomainName),
|
||||
MultiByteToWideChar(CP_ACP, 0, DnsDomainName, strlen(DnsDomainName),
|
||||
(LPWSTR) av_pairs->DnsDomainName.value, av_pairs->DnsDomainName.length / 2);
|
||||
|
||||
av_pairs->DnsComputerName.length = strlen(test_DnsComputerName) * 2;
|
||||
av_pairs->DnsComputerName.length = strlen(DnsComputerName) * 2;
|
||||
av_pairs->DnsComputerName.value = (BYTE*) malloc(av_pairs->DnsComputerName.length);
|
||||
MultiByteToWideChar(CP_ACP, 0, test_DnsComputerName, strlen(test_DnsComputerName),
|
||||
MultiByteToWideChar(CP_ACP, 0, DnsComputerName, strlen(DnsComputerName),
|
||||
(LPWSTR) av_pairs->DnsComputerName.value, av_pairs->DnsComputerName.length / 2);
|
||||
|
||||
length = ntlm_compute_av_pairs_length(context) + 4;
|
||||
sspi_SecBufferAlloc(&context->TargetInfo, length);
|
||||
ntlm_output_av_pairs(context, &context->TargetInfo);
|
||||
|
||||
free(NbDomainName);
|
||||
free(NbComputerName);
|
||||
free(DnsDomainName);
|
||||
free(DnsComputerName);
|
||||
}
|
||||
|
||||
/**
|
||||
|
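Review bot: None of the four `GetComputerNameExA` size/fetch pairs in `ntlm_populate_server_av_pairs` checks the call's return value or the `malloc` result, so when a query fails the following `strlen(NbDomainName)` (and its three siblings) reads a buffer that was never written, or a NULL pointer. Each fetch should be guarded, e.g. `if (!NbDomainName || !GetComputerNameExA(ComputerNameNetBIOS, NbDomainName, &nSize)) goto fail;`, with a cleanup path that frees what was already allocated; the function returns void, so how the failure reaches the caller still needs deciding. Separately, the new line `av_pairs->NbComputerName.length = strlen(NbDomainName) * 2;` sizes the computer-name pair from the domain-name string while the conversion below it uses `strlen(NbComputerName)`. Both strings currently come from `ComputerNameNetBIOS`, so the lengths match, but the line should read `strlen(NbComputerName) * 2`. If reusing the NetBIOS computer name as `NbDomainName` is intentional, a one-line comment saying so would help, since these values are written into `TargetInfo`.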