From 23027a5b974d8f02b0f0891567eb13cfeba73e4a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marc-Andr=C3=A9=20Moreau?=
Date: Tue, 19 Jun 2012 18:06:43 -0400
Subject: [PATCH] libwinpr-sspi: detect real computer name in server-side NLA

---
 libfreerdp-crypto/nla.c | 47 ++++++++++----------------
 winpr/sspi/NTLM/ntlm_av_pairs.c | 58 +++++++++++++++++++++++++--------
 2 files changed, 62 insertions(+), 43 deletions(-)

diff --git a/libfreerdp-crypto/nla.c b/libfreerdp-crypto/nla.c
index 22fd5117f..df87c2232 100644
--- a/libfreerdp-crypto/nla.c
+++ b/libfreerdp-crypto/nla.c
@@ -90,7 +90,6 @@ void credssp_buffer_print(rdpCredssp* credssp);
 void credssp_buffer_free(rdpCredssp* credssp);
 SECURITY_STATUS credssp_encrypt_public_key_echo(rdpCredssp* credssp);
 SECURITY_STATUS credssp_decrypt_public_key_echo(rdpCredssp* credssp);
- void credssp_encode_ts_credentials(rdpCredssp* credssp);
 SECURITY_STATUS credssp_encrypt_ts_credentials(rdpCredssp* credssp);
 SECURITY_STATUS credssp_decrypt_ts_credentials(rdpCredssp* credssp);
@@ -520,8 +519,6 @@ int credssp_server_authenticate(rdpCredssp* credssp)
 return 0;
 }
- printf("verifying public key echo\n");
-
 credssp_decrypt_public_key_echo(credssp);
 sspi_SecBufferFree(&credssp->negoToken);
@@ -678,7 +675,7 @@ SECURITY_STATUS credssp_decrypt_public_key_echo(rdpCredssp* credssp)
 Message.ulVersion = SECBUFFER_VERSION;
 Message.pBuffers = (PSecBuffer) &Buffers;
- status = credssp->table->DecryptMessage(&credssp->context, &Message, 0, &pfQOP);
+ status = credssp->table->DecryptMessage(&credssp->context, &Message, credssp->recv_seq_num++, &pfQOP);
 if (status != SEC_E_OK)
 {
@@ -887,7 +884,6 @@ void credssp_encode_ts_credentials(rdpCredssp* credssp)
 SECURITY_STATUS credssp_encrypt_ts_credentials(rdpCredssp* credssp)
 {
- BYTE* p;
 SecBuffer Buffers[2];
 SecBufferDesc Message;
 SECURITY_STATUS status;
@@ -897,37 +893,32 @@ SECURITY_STATUS credssp_encrypt_ts_credentials(rdpCredssp* credssp)
 Buffers[0].BufferType = SECBUFFER_TOKEN; /* Signature */
 Buffers[1].BufferType = SECBUFFER_DATA; /* TSCredentials */
- Buffers[0].cbBuffer = 16;
- Buffers[0].pvBuffer = xzalloc(Buffers[0].cbBuffer);
+ sspi_SecBufferAlloc(&credssp->authInfo, credssp->ContextSizes.cbMaxSignature + credssp->ts_credentials.cbBuffer);
+
+ Buffers[0].cbBuffer = credssp->ContextSizes.cbMaxSignature;
+ Buffers[0].pvBuffer = credssp->authInfo.pvBuffer;
+ ZeroMemory(Buffers[0].pvBuffer, Buffers[0].cbBuffer);
 Buffers[1].cbBuffer = credssp->ts_credentials.cbBuffer;
- Buffers[1].pvBuffer = malloc(Buffers[1].cbBuffer);
+ Buffers[1].pvBuffer = &((BYTE*) credssp->authInfo.pvBuffer)[Buffers[0].cbBuffer];
 CopyMemory(Buffers[1].pvBuffer, credssp->ts_credentials.pvBuffer, Buffers[1].cbBuffer);
 Message.cBuffers = 2;
 Message.ulVersion = SECBUFFER_VERSION;
 Message.pBuffers = (PSecBuffer) &Buffers;
- sspi_SecBufferAlloc(&credssp->authInfo, Buffers[0].cbBuffer + Buffers[1].cbBuffer);
-
 status = credssp->table->EncryptMessage(&credssp->context, 0, &Message, credssp->send_seq_num++);
 if (status != SEC_E_OK)
 return status;
- p = (BYTE*) credssp->authInfo.pvBuffer;
- CopyMemory(p, Buffers[0].pvBuffer, Buffers[0].cbBuffer); /* Message Signature */
- CopyMemory(&p[Buffers[0].cbBuffer], Buffers[1].pvBuffer, Buffers[1].cbBuffer); /* Encrypted TSCredentials */
-
- free(Buffers[0].pvBuffer);
- free(Buffers[1].pvBuffer);
-
 return SEC_E_OK;
 }
 SECURITY_STATUS credssp_decrypt_ts_credentials(rdpCredssp* credssp)
 {
- BYTE* p;
+ int length;
+ BYTE* buffer;
 ULONG pfQOP;
 SecBuffer Buffers[2];
 SecBufferDesc Message;
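Review bot: The result of `sspi_SecBufferAlloc(&credssp->authInfo, ...)` is not checked, so on allocation failure `Buffers[0].pvBuffer` is NULL and the `ZeroMemory`/`CopyMemory` that follow dereference it; guard it with something like `if (!sspi_SecBufferAlloc(&credssp->authInfo, credssp->ContextSizes.cbMaxSignature + credssp->ts_credentials.cbBuffer)) return SEC_E_INSUFFICIENT_MEMORY;` (assuming it reports failure through its return value, which this hunk does not show). The new layout also fixes the signature at `cbMaxSignature` bytes: if `EncryptMessage` leaves a shorter signature in `Buffers[0]`, `authInfo.cbBuffer` still advertises the full reservation, which only works because the receiving side splits at the same fixed offset, so a comment above the alloc such as `/* authInfo = [cbMaxSignature bytes of signature][encrypted TSCredentials]; the receiver splits at the same fixed offset */` would document that contract. The hunk also covers the start of credssp_decrypt_ts_credentials, whose body continues outside it.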
@@ -942,21 +933,20 @@ SECURITY_STATUS credssp_decrypt_ts_credentials(rdpCredssp* credssp)
 return SEC_E_INVALID_TOKEN;
 }
- Buffers[0].cbBuffer = 16;
- Buffers[0].pvBuffer = malloc(Buffers[0].cbBuffer);
- CopyMemory(Buffers[0].pvBuffer, credssp->authInfo.pvBuffer, Buffers[0].cbBuffer);
+ length = credssp->authInfo.cbBuffer;
+ buffer = (BYTE*) malloc(length);
+ CopyMemory(buffer, credssp->authInfo.pvBuffer, length);
- Buffers[1].cbBuffer = credssp->authInfo.cbBuffer - Buffers[0].cbBuffer;
- Buffers[1].pvBuffer = malloc(Buffers[1].cbBuffer);
- p = (BYTE*) credssp->authInfo.pvBuffer;
- CopyMemory(Buffers[1].pvBuffer, &p[Buffers[0].cbBuffer], Buffers[1].cbBuffer);
+ Buffers[0].cbBuffer = credssp->ContextSizes.cbMaxSignature;
+ Buffers[0].pvBuffer = buffer;
+
+ Buffers[1].cbBuffer = length - credssp->ContextSizes.cbMaxSignature;
+ Buffers[1].pvBuffer = &buffer[credssp->ContextSizes.cbMaxSignature];
 Message.cBuffers = 2;
 Message.ulVersion = SECBUFFER_VERSION;
 Message.pBuffers = (PSecBuffer) &Buffers;
- sspi_SecBufferAlloc(&credssp->authInfo, Buffers[0].cbBuffer + Buffers[1].cbBuffer);
-
 status = credssp->table->DecryptMessage(&credssp->context, &Message, credssp->recv_seq_num++, &pfQOP);
 if (status != SEC_E_OK)
@@ -964,8 +954,7 @@ SECURITY_STATUS credssp_decrypt_ts_credentials(rdpCredssp* credssp)
 credssp_read_ts_credentials(credssp, &Buffers[1]);
- free(Buffers[0].pvBuffer);
- free(Buffers[1].pvBuffer);
+ free(buffer);
 return SEC_E_OK;
 }
diff --git a/winpr/sspi/NTLM/ntlm_av_pairs.c b/winpr/sspi/NTLM/ntlm_av_pairs.c
index 86c4575bd..29167fca6 100644
--- a/winpr/sspi/NTLM/ntlm_av_pairs.c
+++ b/winpr/sspi/NTLM/ntlm_av_pairs.c
@@ -22,6 +22,7 @@
 #include
 #include
+ #include
 #include "ntlm_compute.h"
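Review bot: `Buffers[1].cbBuffer = length - credssp->ContextSizes.cbMaxSignature;` has no check that the peer-supplied `authInfo` is at least `cbMaxSignature` bytes long; `authInfo` is taken from the received TSRequest, and unless the check that precedes this hunk already enforces a minimum, a shorter value makes the unsigned subtraction wrap to a huge size and `Buffers[1].pvBuffer` point past the end of `buffer`, so `DecryptMessage` reads out of bounds. Add `if (length < (int) credssp->ContextSizes.cbMaxSignature) return SEC_E_INVALID_TOKEN;` directly after `length = credssp->authInfo.cbBuffer;`, and reject a NULL `buffer` after the `malloc`. `length` is declared `int` while `cbBuffer` and `cbMaxSignature` appear to be unsigned, so the copy and the subtraction mix signedness silently; declaring it with the same unsigned type would make the intent visible. If the `if (status != SEC_E_OK)` branch that follows the hunk returns without `free(buffer)`, the copy leaks on every failed decrypt; its body lies outside this hunk.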
@@ -327,39 +328,68 @@ void ntlm_populate_av_pairs(NTLM_CONTEXT* context)
 * @param NTLM context
 */
- char* test_NbDomainName = "FREERDP";
- char* test_NbComputerName = "FREERDP";
- char* test_DnsDomainName = "FreeRDP";
- char* test_DnsComputerName = "FreeRDP";
-
 void ntlm_populate_server_av_pairs(NTLM_CONTEXT* context)
 {
 int length;
- AV_PAIRS* av_pairs = context->av_pairs;
+ DWORD nSize;
+ AV_PAIRS* av_pairs;
+ char* NbDomainName;
+ char* NbComputerName;
+ char* DnsDomainName;
+ char* DnsComputerName;
- av_pairs->NbDomainName.length = strlen(test_NbDomainName) * 2;
+ av_pairs = context->av_pairs;
+
+ nSize = 0;
+ GetComputerNameExA(ComputerNameNetBIOS, NULL, &nSize);
+ NbDomainName = malloc(nSize);
+ GetComputerNameExA(ComputerNameNetBIOS, NbDomainName, &nSize);
+ CharUpperA(NbDomainName);
+
+ nSize = 0;
+ GetComputerNameExA(ComputerNameNetBIOS, NULL, &nSize);
+ NbComputerName = malloc(nSize);
+ GetComputerNameExA(ComputerNameNetBIOS, NbComputerName, &nSize);
+ CharUpperA(NbComputerName);
+
+ nSize = 0;
+ GetComputerNameExA(ComputerNameDnsDomain, NULL, &nSize);
+ DnsDomainName = malloc(nSize);
+ GetComputerNameExA(ComputerNameDnsDomain, DnsDomainName, &nSize);
+
+ nSize = 0;
+ GetComputerNameExA(ComputerNameDnsHostname, NULL, &nSize);
+ DnsComputerName = malloc(nSize);
+ GetComputerNameExA(ComputerNameDnsHostname, DnsComputerName, &nSize);
+
+ av_pairs->NbDomainName.length = strlen(NbDomainName) * 2;
 av_pairs->NbDomainName.value = (BYTE*) malloc(av_pairs->NbDomainName.length);
- MultiByteToWideChar(CP_ACP, 0, test_NbDomainName, strlen(test_NbDomainName),
+ MultiByteToWideChar(CP_ACP, 0, NbDomainName, strlen(NbDomainName),
 (LPWSTR) av_pairs->NbDomainName.value, av_pairs->NbDomainName.length / 2);
- av_pairs->NbComputerName.length = strlen(test_NbDomainName) * 2;
+ av_pairs->NbComputerName.length = strlen(NbDomainName) * 2;
 av_pairs->NbComputerName.value = (BYTE*) malloc(av_pairs->NbComputerName.length);
- MultiByteToWideChar(CP_ACP, 0, test_NbComputerName, strlen(test_NbComputerName),
+ MultiByteToWideChar(CP_ACP, 0, NbComputerName, strlen(NbComputerName),
 (LPWSTR) av_pairs->NbComputerName.value, av_pairs->NbComputerName.length / 2);
- av_pairs->DnsDomainName.length = strlen(test_DnsDomainName) * 2;
+ av_pairs->DnsDomainName.length = strlen(DnsDomainName) * 2;
 av_pairs->DnsDomainName.value = (BYTE*) malloc(av_pairs->DnsDomainName.length);
- MultiByteToWideChar(CP_ACP, 0, test_DnsDomainName, strlen(test_DnsDomainName),
+ MultiByteToWideChar(CP_ACP, 0, DnsDomainName, strlen(DnsDomainName),
 (LPWSTR) av_pairs->DnsDomainName.value, av_pairs->DnsDomainName.length / 2);
- av_pairs->DnsComputerName.length = strlen(test_DnsComputerName) * 2;
+ av_pairs->DnsComputerName.length = strlen(DnsComputerName) * 2;
 av_pairs->DnsComputerName.value = (BYTE*) malloc(av_pairs->DnsComputerName.length);
- MultiByteToWideChar(CP_ACP, 0, test_DnsComputerName, strlen(test_DnsComputerName),
+ MultiByteToWideChar(CP_ACP, 0, DnsComputerName, strlen(DnsComputerName),
 (LPWSTR) av_pairs->DnsComputerName.value, av_pairs->DnsComputerName.length / 2);
 length = ntlm_compute_av_pairs_length(context) + 4;
 sspi_SecBufferAlloc(&context->TargetInfo, length);
 ntlm_output_av_pairs(context, &context->TargetInfo);
+
+ free(NbDomainName);
+ free(NbComputerName);
+ free(DnsDomainName);
+ free(DnsComputerName);
 }
 /**
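Review bot: `av_pairs->NbComputerName.length = strlen(NbDomainName) * 2;` sizes the NbComputerName pair from the domain string instead of `NbComputerName`; it should read `strlen(NbComputerName) * 2`, and it only works today because both strings are read from `ComputerNameNetBIOS`, so it will silently truncate or over-allocate as soon as NbDomainName comes from a real domain lookup. None of the `GetComputerNameExA` or `malloc` calls are checked: if the size query fails `nSize` stays 0, `malloc(0)` is handed to the second call, and `CharUpperA`/`strlen` then read uninitialized memory, so each block should bail out (freeing what was already allocated) when `nSize` is 0, `malloc` returns NULL or the second call fails — the guarded shape below is for the first block and applies to the other three. Since the function returns `void`, an early return leaves `TargetInfo` unpopulated, so the caller presumably needs a status; that part is not visible here. The NbDomainName block reads `ComputerNameNetBIOS`, the same source as the computer name, which looks like a stand-in until a domain name is available; a comment such as `/* no domain lookup yet: reuse the NetBIOS computer name as NbDomainName */` would make that explicit.
```c
nSize = 0;
GetComputerNameExA(ComputerNameNetBIOS, NULL, &nSize);
if (nSize == 0)
	return;
NbDomainName = malloc(nSize);
if (!NbDomainName || !GetComputerNameExA(ComputerNameNetBIOS, NbDomainName, &nSize))
{
	free(NbDomainName);
	return;
}
CharUpperA(NbDomainName);
/* … unchanged: same guarded pattern for NbComputerName, DnsDomainName and DnsComputerName … */
```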