diff --git a/libfreerdp/core/settings.c b/libfreerdp/core/settings.c index f3c7b5df6..e4567ae0e 100644 --- a/libfreerdp/core/settings.c +++ b/libfreerdp/core/settings.c @@ -252,13 +252,24 @@ void settings_load_hkey_local_machine(rdpSettings* settings) BOOL settings_get_computer_name(rdpSettings* settings) { - DWORD nSize = MAX_COMPUTERNAME_LENGTH + 1; - CHAR computerName[MAX_COMPUTERNAME_LENGTH + 1]; + DWORD nSize = 0; + CHAR* computerName; + + if (GetComputerNameExA(ComputerNameNetBIOS, NULL, &nSize)) + return FALSE; + + computerName = calloc(nSize, sizeof(CHAR)); + + if (!computerName) + return FALSE; if (!GetComputerNameExA(ComputerNameNetBIOS, computerName, &nSize)) return FALSE; - settings->ComputerName = _strdup(computerName); + if (nSize > MAX_COMPUTERNAME_LENGTH) + computerName[MAX_COMPUTERNAME_LENGTH] = '\0'; + + settings->ComputerName = computerName; if (!settings->ComputerName) return FALSE; @@ -592,7 +603,6 @@ rdpSettings* freerdp_settings_new(DWORD flags) goto out_fail; settings->ActionScript = _strdup("~/.config/freerdp/action.sh"); - return settings; out_fail: free(settings->HomePath); diff --git a/winpr/libwinpr/sspi/NTLM/ntlm.c b/winpr/libwinpr/sspi/NTLM/ntlm.c index 83ce83dad..c7acec060 100644 --- a/winpr/libwinpr/sspi/NTLM/ntlm.c +++ b/winpr/libwinpr/sspi/NTLM/ntlm.c @@ -47,20 +47,34 @@ int ntlm_SetContextWorkstation(NTLM_CONTEXT* context, char* Workstation) { int status; char* ws = Workstation; - CHAR computerName[MAX_COMPUTERNAME_LENGTH + 1]; - DWORD nSize = sizeof(computerName) / sizeof(CHAR); + DWORD nSize = 0; + CHAR* computerName; if (!Workstation) { + if (GetComputerNameExA(ComputerNameNetBIOS, NULL, &nSize)) + return -1; + + computerName = calloc(nSize, sizeof(CHAR)); + + if (!computerName) + return -1; + if (!GetComputerNameExA(ComputerNameNetBIOS, computerName, &nSize)) return -1; - ws = _strdup(computerName); + + if (nSize > MAX_COMPUTERNAME_LENGTH) + computerName[MAX_COMPUTERNAME_LENGTH] = '\0'; + + ws = computerName; + if (!ws) return -1; } context->Workstation.Buffer = NULL; status = ConvertToUnicode(CP_UTF8, 0, ws, -1, &context->Workstation.Buffer, 0); + if (!Workstation) free(ws); @@ -69,7 +83,6 @@ int ntlm_SetContextWorkstation(NTLM_CONTEXT* context, char* Workstation) context->Workstation.Length = (USHORT)(status - 1); context->Workstation.Length *= 2; - return 1; } @@ -82,13 +95,14 @@ int ntlm_SetContextServicePrincipalNameW(NTLM_CONTEXT* context, LPWSTR ServicePr return 1; } - context->ServicePrincipalName.Length = (USHORT) (_wcslen(ServicePrincipalName) * 2); + context->ServicePrincipalName.Length = (USHORT)(_wcslen(ServicePrincipalName) * 2); context->ServicePrincipalName.Buffer = (PWSTR) malloc(context->ServicePrincipalName.Length + 2); if (!context->ServicePrincipalName.Buffer) return -1; - CopyMemory(context->ServicePrincipalName.Buffer, ServicePrincipalName, context->ServicePrincipalName.Length + 2); + CopyMemory(context->ServicePrincipalName.Buffer, ServicePrincipalName, + context->ServicePrincipalName.Length + 2); return 1; } @@ -96,7 +110,8 @@ int ntlm_SetContextServicePrincipalNameA(NTLM_CONTEXT* context, char* ServicePri { int status; context->ServicePrincipalName.Buffer = NULL; - status = ConvertToUnicode(CP_UTF8, 0, ServicePrincipalName, -1, &context->ServicePrincipalName.Buffer, 0); + status = ConvertToUnicode(CP_UTF8, 0, ServicePrincipalName, -1, + &context->ServicePrincipalName.Buffer, 0); if (status <= 0) return -1; @@ -108,16 +123,28 @@ int ntlm_SetContextServicePrincipalNameA(NTLM_CONTEXT* context, char* ServicePri int ntlm_SetContextTargetName(NTLM_CONTEXT* context, char* TargetName) { int status; - CHAR computerName[MAX_COMPUTERNAME_LENGTH + 1]; - DWORD nSize = sizeof(computerName) / sizeof(CHAR); char* name = TargetName; + DWORD nSize = 0; + CHAR* computerName = NULL; if (!name) { - if (!GetComputerNameExA(ComputerNameDnsHostname, computerName, &nSize)) + if (GetComputerNameExA(ComputerNameNetBIOS, NULL, &nSize)) return -1; - name = _strdup(computerName); + computerName = calloc(nSize, sizeof(CHAR)); + + if (!computerName) + return -1; + + if (!GetComputerNameExA(ComputerNameNetBIOS, computerName, &nSize)) + return -1; + + if (nSize > MAX_COMPUTERNAME_LENGTH) + computerName[MAX_COMPUTERNAME_LENGTH] = '\0'; + + name = computerName; + if (!name) return -1; @@ -131,6 +158,7 @@ int ntlm_SetContextTargetName(NTLM_CONTEXT* context, char* TargetName) { if (!TargetName) free(name); + return -1; } @@ -150,7 +178,6 @@ NTLM_CONTEXT* ntlm_ContextNew() DWORD dwSize; DWORD dwValue; NTLM_CONTEXT* context; - context = (NTLM_CONTEXT*) calloc(1, sizeof(NTLM_CONTEXT)); if (!context) @@ -173,13 +200,16 @@ NTLM_CONTEXT* ntlm_ContextNew() if (RegQueryValueEx(hKey, _T("UseMIC"), NULL, &dwType, (BYTE*) &dwValue, &dwSize) == ERROR_SUCCESS) context->UseMIC = dwValue ? 1 : 0; - if (RegQueryValueEx(hKey, _T("SendVersionInfo"), NULL, &dwType, (BYTE*) &dwValue, &dwSize) == ERROR_SUCCESS) + if (RegQueryValueEx(hKey, _T("SendVersionInfo"), NULL, &dwType, (BYTE*) &dwValue, + &dwSize) == ERROR_SUCCESS) context->SendVersionInfo = dwValue ? 1 : 0; - if (RegQueryValueEx(hKey, _T("SendSingleHostData"), NULL, &dwType, (BYTE*) &dwValue, &dwSize) == ERROR_SUCCESS) + if (RegQueryValueEx(hKey, _T("SendSingleHostData"), NULL, &dwType, (BYTE*) &dwValue, + &dwSize) == ERROR_SUCCESS) context->SendSingleHostData = dwValue ? 1 : 0; - if (RegQueryValueEx(hKey, _T("SendWorkstationName"), NULL, &dwType, (BYTE*) &dwValue, &dwSize) == ERROR_SUCCESS) + if (RegQueryValueEx(hKey, _T("SendWorkstationName"), NULL, &dwType, (BYTE*) &dwValue, + &dwSize) == ERROR_SUCCESS) context->SendWorkstationName = dwValue ? 1 : 0; if (RegQueryValueEx(hKey, _T("WorkstationName"), NULL, &dwType, NULL, &dwSize) == ERROR_SUCCESS) @@ -188,7 +218,7 @@ NTLM_CONTEXT* ntlm_ContextNew() if (!workstation) { - free (context); + free(context); return NULL; } @@ -213,11 +243,13 @@ NTLM_CONTEXT* ntlm_ContextNew() * but enabling it in WinPR breaks TS Gateway at this point */ context->SuppressExtendedProtection = FALSE; - status = RegOpenKeyEx(HKEY_LOCAL_MACHINE, _T("System\\CurrentControlSet\\Control\\LSA"), 0, KEY_READ | KEY_WOW64_64KEY, &hKey); + status = RegOpenKeyEx(HKEY_LOCAL_MACHINE, _T("System\\CurrentControlSet\\Control\\LSA"), 0, + KEY_READ | KEY_WOW64_64KEY, &hKey); if (status == ERROR_SUCCESS) { - if (RegQueryValueEx(hKey, _T("SuppressExtendedProtection"), NULL, &dwType, (BYTE*) &dwValue, &dwSize) == ERROR_SUCCESS) + if (RegQueryValueEx(hKey, _T("SuppressExtendedProtection"), NULL, &dwType, (BYTE*) &dwValue, + &dwSize) == ERROR_SUCCESS) context->SuppressExtendedProtection = dwValue ? 1 : 0; RegCloseKey(hKey); @@ -253,16 +285,17 @@ void ntlm_ContextFree(NTLM_CONTEXT* context) free(context); } -SECURITY_STATUS SEC_ENTRY ntlm_AcquireCredentialsHandleW(SEC_WCHAR* pszPrincipal, SEC_WCHAR* pszPackage, - ULONG fCredentialUse, void* pvLogonID, void* pAuthData, SEC_GET_KEY_FN pGetKeyFn, - void* pvGetKeyArgument, PCredHandle phCredential, PTimeStamp ptsExpiry) +SECURITY_STATUS SEC_ENTRY ntlm_AcquireCredentialsHandleW(SEC_WCHAR* pszPrincipal, + SEC_WCHAR* pszPackage, + ULONG fCredentialUse, void* pvLogonID, void* pAuthData, SEC_GET_KEY_FN pGetKeyFn, + void* pvGetKeyArgument, PCredHandle phCredential, PTimeStamp ptsExpiry) { SSPI_CREDENTIALS* credentials; SEC_WINNT_AUTH_IDENTITY* identity; if ((fCredentialUse != SECPKG_CRED_OUTBOUND) && - (fCredentialUse != SECPKG_CRED_INBOUND) && - (fCredentialUse != SECPKG_CRED_BOTH)) + (fCredentialUse != SECPKG_CRED_INBOUND) && + (fCredentialUse != SECPKG_CRED_BOTH)) { return SEC_E_INVALID_PARAMETER; } @@ -285,16 +318,17 @@ SECURITY_STATUS SEC_ENTRY ntlm_AcquireCredentialsHandleW(SEC_WCHAR* pszPrincipal return SEC_E_OK; } -SECURITY_STATUS SEC_ENTRY ntlm_AcquireCredentialsHandleA(SEC_CHAR* pszPrincipal, SEC_CHAR* pszPackage, - ULONG fCredentialUse, void* pvLogonID, void* pAuthData, SEC_GET_KEY_FN pGetKeyFn, - void* pvGetKeyArgument, PCredHandle phCredential, PTimeStamp ptsExpiry) +SECURITY_STATUS SEC_ENTRY ntlm_AcquireCredentialsHandleA(SEC_CHAR* pszPrincipal, + SEC_CHAR* pszPackage, + ULONG fCredentialUse, void* pvLogonID, void* pAuthData, SEC_GET_KEY_FN pGetKeyFn, + void* pvGetKeyArgument, PCredHandle phCredential, PTimeStamp ptsExpiry) { SSPI_CREDENTIALS* credentials; SEC_WINNT_AUTH_IDENTITY* identity; if ((fCredentialUse != SECPKG_CRED_OUTBOUND) && - (fCredentialUse != SECPKG_CRED_INBOUND) && - (fCredentialUse != SECPKG_CRED_BOTH)) + (fCredentialUse != SECPKG_CRED_INBOUND) && + (fCredentialUse != SECPKG_CRED_BOTH)) { return SEC_E_INVALID_PARAMETER; } @@ -333,7 +367,8 @@ SECURITY_STATUS SEC_ENTRY ntlm_FreeCredentialsHandle(PCredHandle phCredential) return SEC_E_OK; } -SECURITY_STATUS SEC_ENTRY ntlm_QueryCredentialsAttributesW(PCredHandle phCredential, ULONG ulAttribute, void* pBuffer) +SECURITY_STATUS SEC_ENTRY ntlm_QueryCredentialsAttributesW(PCredHandle phCredential, + ULONG ulAttribute, void* pBuffer) { if (ulAttribute == SECPKG_CRED_ATTR_NAMES) { @@ -343,7 +378,8 @@ SECURITY_STATUS SEC_ENTRY ntlm_QueryCredentialsAttributesW(PCredHandle phCredent return SEC_E_UNSUPPORTED_FUNCTION; } -SECURITY_STATUS SEC_ENTRY ntlm_QueryCredentialsAttributesA(PCredHandle phCredential, ULONG ulAttribute, void* pBuffer) +SECURITY_STATUS SEC_ENTRY ntlm_QueryCredentialsAttributesA(PCredHandle phCredential, + ULONG ulAttribute, void* pBuffer) { return ntlm_QueryCredentialsAttributesW(phCredential, ulAttribute, pBuffer); } @@ -351,9 +387,10 @@ SECURITY_STATUS SEC_ENTRY ntlm_QueryCredentialsAttributesA(PCredHandle phCredent /** * @see http://msdn.microsoft.com/en-us/library/windows/desktop/aa374707 */ -SECURITY_STATUS SEC_ENTRY ntlm_AcceptSecurityContext(PCredHandle phCredential, PCtxtHandle phContext, - PSecBufferDesc pInput, ULONG fContextReq, ULONG TargetDataRep, PCtxtHandle phNewContext, - PSecBufferDesc pOutput, PULONG pfContextAttr, PTimeStamp ptsTimeStamp) +SECURITY_STATUS SEC_ENTRY ntlm_AcceptSecurityContext(PCredHandle phCredential, + PCtxtHandle phContext, + PSecBufferDesc pInput, ULONG fContextReq, ULONG TargetDataRep, PCtxtHandle phNewContext, + PSecBufferDesc pOutput, PULONG pfContextAttr, PTimeStamp ptsTimeStamp) { NTLM_CONTEXT* context; SECURITY_STATUS status; @@ -462,10 +499,11 @@ SECURITY_STATUS SEC_ENTRY ntlm_ImpersonateSecurityContext(PCtxtHandle phContext) return SEC_E_OK; } -SECURITY_STATUS SEC_ENTRY ntlm_InitializeSecurityContextW(PCredHandle phCredential, PCtxtHandle phContext, - SEC_WCHAR* pszTargetName, ULONG fContextReq, ULONG Reserved1, ULONG TargetDataRep, - PSecBufferDesc pInput, ULONG Reserved2, PCtxtHandle phNewContext, - PSecBufferDesc pOutput, PULONG pfContextAttr, PTimeStamp ptsExpiry) +SECURITY_STATUS SEC_ENTRY ntlm_InitializeSecurityContextW(PCredHandle phCredential, + PCtxtHandle phContext, + SEC_WCHAR* pszTargetName, ULONG fContextReq, ULONG Reserved1, ULONG TargetDataRep, + PSecBufferDesc pInput, ULONG Reserved2, PCtxtHandle phNewContext, + PSecBufferDesc pOutput, PULONG pfContextAttr, PTimeStamp ptsExpiry) { NTLM_CONTEXT* context; SECURITY_STATUS status; @@ -577,10 +615,11 @@ SECURITY_STATUS SEC_ENTRY ntlm_InitializeSecurityContextW(PCredHandle phCredenti /** * @see http://msdn.microsoft.com/en-us/library/windows/desktop/aa375512%28v=vs.85%29.aspx */ -SECURITY_STATUS SEC_ENTRY ntlm_InitializeSecurityContextA(PCredHandle phCredential, PCtxtHandle phContext, - SEC_CHAR* pszTargetName, ULONG fContextReq, ULONG Reserved1, ULONG TargetDataRep, - PSecBufferDesc pInput, ULONG Reserved2, PCtxtHandle phNewContext, - PSecBufferDesc pOutput, PULONG pfContextAttr, PTimeStamp ptsExpiry) +SECURITY_STATUS SEC_ENTRY ntlm_InitializeSecurityContextA(PCredHandle phCredential, + PCtxtHandle phContext, + SEC_CHAR* pszTargetName, ULONG fContextReq, ULONG Reserved1, ULONG TargetDataRep, + PSecBufferDesc pInput, ULONG Reserved2, PCtxtHandle phNewContext, + PSecBufferDesc pOutput, PULONG pfContextAttr, PTimeStamp ptsExpiry) { SECURITY_STATUS status; SEC_WCHAR* pszTargetNameW = NULL; @@ -592,10 +631,8 @@ SECURITY_STATUS SEC_ENTRY ntlm_InitializeSecurityContextA(PCredHandle phCredenti } status = ntlm_InitializeSecurityContextW(phCredential, phContext, pszTargetNameW, fContextReq, - Reserved1, TargetDataRep, pInput, Reserved2, phNewContext, pOutput, pfContextAttr, ptsExpiry); - + Reserved1, TargetDataRep, pInput, Reserved2, phNewContext, pOutput, pfContextAttr, ptsExpiry); free(pszTargetNameW); - return status; } @@ -632,7 +669,8 @@ SECURITY_STATUS SEC_ENTRY ntlm_DeleteSecurityContext(PCtxtHandle phContext) /* http://msdn.microsoft.com/en-us/library/windows/desktop/aa379337/ */ -SECURITY_STATUS SEC_ENTRY ntlm_QueryContextAttributesW(PCtxtHandle phContext, ULONG ulAttribute, void* pBuffer) +SECURITY_STATUS SEC_ENTRY ntlm_QueryContextAttributesW(PCtxtHandle phContext, ULONG ulAttribute, + void* pBuffer) { NTLM_CONTEXT* context; @@ -663,23 +701,27 @@ SECURITY_STATUS SEC_ENTRY ntlm_QueryContextAttributesW(PCtxtHandle phContext, UL context->UseSamFileDatabase = FALSE; credentials = context->credentials; ZeroMemory(AuthIdentity, sizeof(SecPkgContext_AuthIdentity)); - UserA = AuthIdentity->User; - if (credentials->identity.UserLength > 0) { + + if (credentials->identity.UserLength > 0) + { status = ConvertFromUnicode(CP_UTF8, 0, - (WCHAR *)credentials->identity.User, - credentials->identity.UserLength, &UserA, 256, NULL, - NULL); + (WCHAR*)credentials->identity.User, + credentials->identity.UserLength, &UserA, 256, NULL, + NULL); + if (status <= 0) return SEC_E_INTERNAL_ERROR; } DomainA = AuthIdentity->Domain; - if (credentials->identity.DomainLength > 0) { + + if (credentials->identity.DomainLength > 0) + { status = ConvertFromUnicode(CP_UTF8, 0, - (WCHAR *)credentials->identity.Domain, - credentials->identity.DomainLength, &DomainA, 256, - NULL, NULL); + (WCHAR*)credentials->identity.Domain, + credentials->identity.DomainLength, &DomainA, 256, + NULL, NULL); if (status <= 0) return SEC_E_INTERNAL_ERROR; @@ -689,16 +731,15 @@ SECURITY_STATUS SEC_ENTRY ntlm_QueryContextAttributesW(PCtxtHandle phContext, UL } else if (ulAttribute == SECPKG_ATTR_AUTH_NTLM_NTPROOF_VALUE) { - BYTE *blob; - SecBuffer *ntproof, *target; - - ntproof = (SecBuffer *)pBuffer; + BYTE* blob; + SecBuffer* ntproof, *target; + ntproof = (SecBuffer*)pBuffer; target = &context->ChallengeTargetInfo; if (!sspi_SecBufferAlloc(ntproof, 36 + target->cbBuffer)) return (SEC_E_INSUFFICIENT_MEMORY); - blob = (BYTE *)ntproof->pvBuffer; + blob = (BYTE*)ntproof->pvBuffer; /* Server challenge. */ CopyMemory(blob, context->ServerChallenge, 8); /* Response version. */ @@ -713,74 +754,65 @@ SECURITY_STATUS SEC_ENTRY ntlm_QueryContextAttributesW(PCtxtHandle phContext, UL /* Reserved 4B. */ /* Server name. */ CopyMemory(&blob[36], target->pvBuffer, target->cbBuffer); - return (SEC_E_OK); } else if (ulAttribute == SECPKG_ATTR_AUTH_NTLM_RANDKEY) { - SecBuffer *randkey; + SecBuffer* randkey; + randkey = (SecBuffer*) pBuffer; - randkey = (SecBuffer *) pBuffer; if (!sspi_SecBufferAlloc(randkey, 16)) return (SEC_E_INSUFFICIENT_MEMORY); CopyMemory(randkey->pvBuffer, context->EncryptedRandomSessionKey, 16); - return (SEC_E_OK); } else if (ulAttribute == SECPKG_ATTR_AUTH_NTLM_MIC) { - SecBuffer *mic; - NTLM_AUTHENTICATE_MESSAGE *message; - - mic = (SecBuffer *) pBuffer; + SecBuffer* mic; + NTLM_AUTHENTICATE_MESSAGE* message; + mic = (SecBuffer*) pBuffer; message = &context->AUTHENTICATE_MESSAGE; if (!sspi_SecBufferAlloc(mic, 16)) return (SEC_E_INSUFFICIENT_MEMORY); CopyMemory(mic->pvBuffer, message->MessageIntegrityCheck, 16); - return (SEC_E_OK); } else if (ulAttribute == SECPKG_ATTR_AUTH_NTLM_MIC_VALUE) { - BYTE *blob; - SecBuffer *micvalue; + BYTE* blob; + SecBuffer* micvalue; ULONG msgSize = context->NegotiateMessage.cbBuffer + context->ChallengeMessage.cbBuffer + - context->AuthenticateMessage.cbBuffer; - - micvalue = (SecBuffer *) pBuffer; + context->AuthenticateMessage.cbBuffer; + micvalue = (SecBuffer*) pBuffer; if (!sspi_SecBufferAlloc(micvalue, msgSize)) return (SEC_E_INSUFFICIENT_MEMORY); - blob = (BYTE *) micvalue->pvBuffer; - + blob = (BYTE*) micvalue->pvBuffer; CopyMemory(blob, context->NegotiateMessage.pvBuffer, context->NegotiateMessage.cbBuffer); blob += context->NegotiateMessage.cbBuffer; - CopyMemory(blob, context->ChallengeMessage.pvBuffer, context->ChallengeMessage.cbBuffer); blob += context->ChallengeMessage.cbBuffer; - CopyMemory(blob, context->AuthenticateMessage.pvBuffer, context->AuthenticateMessage.cbBuffer); - blob += context->MessageIntegrityCheckOffset; ZeroMemory(blob, 16); - return (SEC_E_OK); } - return SEC_E_UNSUPPORTED_FUNCTION; } -SECURITY_STATUS SEC_ENTRY ntlm_QueryContextAttributesA(PCtxtHandle phContext, ULONG ulAttribute, void* pBuffer) +SECURITY_STATUS SEC_ENTRY ntlm_QueryContextAttributesA(PCtxtHandle phContext, ULONG ulAttribute, + void* pBuffer) { return ntlm_QueryContextAttributesW(phContext, ulAttribute, pBuffer); } -SECURITY_STATUS SEC_ENTRY ntlm_SetContextAttributesW(PCtxtHandle phContext, ULONG ulAttribute, void* pBuffer, ULONG cbBuffer) +SECURITY_STATUS SEC_ENTRY ntlm_SetContextAttributesW(PCtxtHandle phContext, ULONG ulAttribute, + void* pBuffer, ULONG cbBuffer) { NTLM_CONTEXT* context; @@ -809,7 +841,6 @@ SECURITY_STATUS SEC_ENTRY ntlm_SetContextAttributesW(PCtxtHandle phContext, ULON else if (ulAttribute == SECPKG_ATTR_AUTH_NTLM_SAM_FILE) { const char* filename = (char*) pBuffer; - free(context->SamFile); context->SamFile = NULL; @@ -833,22 +864,28 @@ SECURITY_STATUS SEC_ENTRY ntlm_SetContextAttributesW(PCtxtHandle phContext, ULON if (AuthNtlmMessage->type == 1) { sspi_SecBufferFree(&context->NegotiateMessage); + if (!sspi_SecBufferAlloc(&context->NegotiateMessage, AuthNtlmMessage->length)) return SEC_E_INSUFFICIENT_MEMORY; + CopyMemory(context->NegotiateMessage.pvBuffer, AuthNtlmMessage->buffer, AuthNtlmMessage->length); } else if (AuthNtlmMessage->type == 2) { sspi_SecBufferFree(&context->ChallengeMessage); + if (!sspi_SecBufferAlloc(&context->ChallengeMessage, AuthNtlmMessage->length)) return SEC_E_INSUFFICIENT_MEMORY; + CopyMemory(context->ChallengeMessage.pvBuffer, AuthNtlmMessage->buffer, AuthNtlmMessage->length); } else if (AuthNtlmMessage->type == 3) { sspi_SecBufferFree(&context->AuthenticateMessage); + if (!sspi_SecBufferAlloc(&context->AuthenticateMessage, AuthNtlmMessage->length)) return SEC_E_INSUFFICIENT_MEMORY; + CopyMemory(context->AuthenticateMessage.pvBuffer, AuthNtlmMessage->buffer, AuthNtlmMessage->length); } @@ -870,7 +907,8 @@ SECURITY_STATUS SEC_ENTRY ntlm_SetContextAttributesW(PCtxtHandle phContext, ULON } else if (ulAttribute == SECPKG_ATTR_AUTH_NTLM_CLIENT_CHALLENGE) { - SecPkgContext_AuthNtlmClientChallenge* AuthNtlmClientChallenge = (SecPkgContext_AuthNtlmClientChallenge*) pBuffer; + SecPkgContext_AuthNtlmClientChallenge* AuthNtlmClientChallenge = + (SecPkgContext_AuthNtlmClientChallenge*) pBuffer; if (cbBuffer < sizeof(SecPkgContext_AuthNtlmClientChallenge)) return SEC_E_INVALID_PARAMETER; @@ -880,7 +918,8 @@ SECURITY_STATUS SEC_ENTRY ntlm_SetContextAttributesW(PCtxtHandle phContext, ULON } else if (ulAttribute == SECPKG_ATTR_AUTH_NTLM_SERVER_CHALLENGE) { - SecPkgContext_AuthNtlmServerChallenge* AuthNtlmServerChallenge = (SecPkgContext_AuthNtlmServerChallenge*) pBuffer; + SecPkgContext_AuthNtlmServerChallenge* AuthNtlmServerChallenge = + (SecPkgContext_AuthNtlmServerChallenge*) pBuffer; if (cbBuffer < sizeof(SecPkgContext_AuthNtlmServerChallenge)) return SEC_E_INVALID_PARAMETER; @@ -892,7 +931,8 @@ SECURITY_STATUS SEC_ENTRY ntlm_SetContextAttributesW(PCtxtHandle phContext, ULON return SEC_E_UNSUPPORTED_FUNCTION; } -SECURITY_STATUS SEC_ENTRY ntlm_SetContextAttributesA(PCtxtHandle phContext, ULONG ulAttribute, void* pBuffer, ULONG cbBuffer) +SECURITY_STATUS SEC_ENTRY ntlm_SetContextAttributesA(PCtxtHandle phContext, ULONG ulAttribute, + void* pBuffer, ULONG cbBuffer) { return ntlm_SetContextAttributesW(phContext, ulAttribute, pBuffer, cbBuffer); } @@ -902,7 +942,8 @@ SECURITY_STATUS SEC_ENTRY ntlm_RevertSecurityContext(PCtxtHandle phContext) return SEC_E_OK; } -SECURITY_STATUS SEC_ENTRY ntlm_EncryptMessage(PCtxtHandle phContext, ULONG fQOP, PSecBufferDesc pMessage, ULONG MessageSeqNo) +SECURITY_STATUS SEC_ENTRY ntlm_EncryptMessage(PCtxtHandle phContext, ULONG fQOP, + PSecBufferDesc pMessage, ULONG MessageSeqNo) { int index; int length; @@ -944,6 +985,7 @@ SECURITY_STATUS SEC_ENTRY ntlm_EncryptMessage(PCtxtHandle phContext, ULONG fQOP, CopyMemory(data, data_buffer->pvBuffer, length); /* Compute the HMAC-MD5 hash of ConcatenationOf(seq_num,data) using the client signing key */ hmac = winpr_HMAC_New(); + if (hmac && winpr_HMAC_Init(hmac, WINPR_MD_MD5, context->SendSigningKey, WINPR_MD5_DIGEST_LENGTH)) { Data_Write_UINT32(&value, SeqNo); @@ -988,7 +1030,8 @@ SECURITY_STATUS SEC_ENTRY ntlm_EncryptMessage(PCtxtHandle phContext, ULONG fQOP, return SEC_E_OK; } -SECURITY_STATUS SEC_ENTRY ntlm_DecryptMessage(PCtxtHandle phContext, PSecBufferDesc pMessage, ULONG MessageSeqNo, PULONG pfQOP) +SECURITY_STATUS SEC_ENTRY ntlm_DecryptMessage(PCtxtHandle phContext, PSecBufferDesc pMessage, + ULONG MessageSeqNo, PULONG pfQOP) { int index; int length; @@ -1038,6 +1081,7 @@ SECURITY_STATUS SEC_ENTRY ntlm_DecryptMessage(PCtxtHandle phContext, PSecBufferD /* Compute the HMAC-MD5 hash of ConcatenationOf(seq_num,data) using the client signing key */ hmac = winpr_HMAC_New(); + if (hmac && winpr_HMAC_Init(hmac, WINPR_MD_MD5, context->RecvSigningKey, WINPR_MD5_DIGEST_LENGTH)) { Data_Write_UINT32(&value, SeqNo); @@ -1052,6 +1096,7 @@ SECURITY_STATUS SEC_ENTRY ntlm_DecryptMessage(PCtxtHandle phContext, PSecBufferD free(data); return SEC_E_INSUFFICIENT_MEMORY; } + #ifdef WITH_DEBUG_NTLM WLog_DBG(TAG, "Encrypted Data Buffer (length = %d)", length); winpr_HexDump(TAG, WLOG_DEBUG, data, length); @@ -1081,12 +1126,14 @@ SECURITY_STATUS SEC_ENTRY ntlm_DecryptMessage(PCtxtHandle phContext, PSecBufferD return SEC_E_OK; } -SECURITY_STATUS SEC_ENTRY ntlm_MakeSignature(PCtxtHandle phContext, ULONG fQOP, PSecBufferDesc pMessage, ULONG MessageSeqNo) +SECURITY_STATUS SEC_ENTRY ntlm_MakeSignature(PCtxtHandle phContext, ULONG fQOP, + PSecBufferDesc pMessage, ULONG MessageSeqNo) { return SEC_E_UNSUPPORTED_FUNCTION; } -SECURITY_STATUS SEC_ENTRY ntlm_VerifySignature(PCtxtHandle phContext, PSecBufferDesc pMessage, ULONG MessageSeqNo, PULONG pfQOP) +SECURITY_STATUS SEC_ENTRY ntlm_VerifySignature(PCtxtHandle phContext, PSecBufferDesc pMessage, + ULONG MessageSeqNo, PULONG pfQOP) { return SEC_E_UNSUPPORTED_FUNCTION; } @@ -1165,13 +1212,13 @@ const SecPkgInfoA NTLM_SecPkgInfoA = "NTLM Security Package" /* Comment */ }; -WCHAR NTLM_SecPkgInfoW_Name[] = { 'N','T','L','M','\0' }; +WCHAR NTLM_SecPkgInfoW_Name[] = { 'N', 'T', 'L', 'M', '\0' }; WCHAR NTLM_SecPkgInfoW_Comment[] = { - 'N','T','L','M',' ', - 'S','e','c','u','r','i','t','y',' ', - 'P','a','c','k','a','g','e','\0' + 'N', 'T', 'L', 'M', ' ', + 'S', 'e', 'c', 'u', 'r', 'i', 't', 'y', ' ', + 'P', 'a', 'c', 'k', 'a', 'g', 'e', '\0' }; const SecPkgInfoW NTLM_SecPkgInfoW = diff --git a/winpr/libwinpr/sspi/NTLM/ntlm_av_pairs.c b/winpr/libwinpr/sspi/NTLM/ntlm_av_pairs.c index c35179c4a..5bd35ab8c 100644 --- a/winpr/libwinpr/sspi/NTLM/ntlm_av_pairs.c +++ b/winpr/libwinpr/sspi/NTLM/ntlm_av_pairs.c @@ -90,11 +90,11 @@ void ntlm_print_av_pair_list(NTLM_AV_PAIR* pAvPairList) while (ntlm_av_pair_get_id(pAvPair) != MsvAvEOL) { WLog_INFO(TAG, "\t%s AvId: %"PRIu16" AvLen: %"PRIu16"", - AV_PAIR_STRINGS[ntlm_av_pair_get_id(pAvPair)], - ntlm_av_pair_get_id(pAvPair), - ntlm_av_pair_get_len(pAvPair)); + AV_PAIR_STRINGS[ntlm_av_pair_get_id(pAvPair)], + ntlm_av_pair_get_id(pAvPair), + ntlm_av_pair_get_len(pAvPair)); winpr_HexDump(TAG, WLOG_INFO, ntlm_av_pair_get_value_pointer(pAvPair), - ntlm_av_pair_get_len(pAvPair)); + ntlm_av_pair_get_len(pAvPair)); pAvPair = ntlm_av_pair_get_next_pointer(pAvPair); } } @@ -141,7 +141,8 @@ NTLM_AV_PAIR* ntlm_av_pair_get(NTLM_AV_PAIR* pAvPairList, NTLM_AV_ID AvId) return NULL; } -NTLM_AV_PAIR* ntlm_av_pair_add(NTLM_AV_PAIR* pAvPairList, NTLM_AV_ID AvId, PBYTE Value, UINT16 AvLen) +NTLM_AV_PAIR* ntlm_av_pair_add(NTLM_AV_PAIR* pAvPairList, NTLM_AV_ID AvId, PBYTE Value, + UINT16 AvLen) { NTLM_AV_PAIR* pAvPair; pAvPair = ntlm_av_pair_get(pAvPairList, MsvAvEOL); @@ -167,8 +168,8 @@ NTLM_AV_PAIR* ntlm_av_pair_add_copy(NTLM_AV_PAIR* pAvPairList, NTLM_AV_PAIR* pAv CopyMemory(&pAvPairCopy->AvId, &pAvPair->AvId, 2); CopyMemory(&pAvPairCopy->AvLen, &pAvPair->AvLen, 2); CopyMemory(ntlm_av_pair_get_value_pointer(pAvPairCopy), - ntlm_av_pair_get_value_pointer(pAvPair), - ntlm_av_pair_get_len (pAvPair)); + ntlm_av_pair_get_value_pointer(pAvPair), + ntlm_av_pair_get_len(pAvPair)); return pAvPairCopy; } @@ -176,13 +177,25 @@ int ntlm_get_target_computer_name(PUNICODE_STRING pName, COMPUTER_NAME_FORMAT ty { char* name; int status; - CHAR computerName[MAX_COMPUTERNAME_LENGTH + 1]; - DWORD nSize = sizeof(computerName) / sizeof(CHAR); + DWORD nSize = 0; + CHAR* computerName; - if (!GetComputerNameExA(type, computerName, &nSize)) + if (GetComputerNameExA(ComputerNameNetBIOS, NULL, &nSize)) return -1; - name = _strdup(computerName); + computerName = calloc(nSize, sizeof(CHAR)); + + if (!computerName) + return -1; + + if (!GetComputerNameExA(ComputerNameNetBIOS, computerName, &nSize)) + return -1; + + if (nSize > MAX_COMPUTERNAME_LENGTH) + computerName[MAX_COMPUTERNAME_LENGTH] = '\0'; + + name = computerName; + if (!name) return -1; @@ -210,7 +223,6 @@ void ntlm_free_unicode_string(PUNICODE_STRING string) if (string->Length > 0) { free(string->Buffer); - string->Buffer = NULL; string->Length = 0; string->MaximumLength = 0; @@ -262,7 +274,6 @@ void ntlm_compute_channel_bindings(NTLM_CONTEXT* context) BYTE* ChannelBindingToken; UINT32 ChannelBindingTokenLength; SEC_CHANNEL_BINDINGS* ChannelBindings; - ZeroMemory(context->ChannelBindingsHash, WINPR_MD5_DIGEST_LENGTH); ChannelBindings = context->Bindings.Bindings; @@ -280,17 +291,22 @@ void ntlm_compute_channel_bindings(NTLM_CONTEXT* context) if (!ntlm_md5_update_uint32_be(md5, ChannelBindings->dwInitiatorAddrType)) goto out; + if (!ntlm_md5_update_uint32_be(md5, ChannelBindings->cbInitiatorLength)) goto out; + if (!ntlm_md5_update_uint32_be(md5, ChannelBindings->dwAcceptorAddrType)) goto out; + if (!ntlm_md5_update_uint32_be(md5, ChannelBindings->cbAcceptorLength)) goto out; + if (!ntlm_md5_update_uint32_be(md5, ChannelBindings->cbApplicationDataLength)) goto out; if (!winpr_Digest_Update(md5, (void*) ChannelBindingToken, ChannelBindingTokenLength)) goto out; + if (!winpr_Digest_Final(md5, context->ChannelBindingsHash, WINPR_MD5_DIGEST_LENGTH)) goto out; @@ -348,7 +364,7 @@ int ntlm_construct_challenge_target_info(NTLM_CONTEXT* context) AvPairsCount = 5; AvPairsLength = NbDomainName.Length + NbComputerName.Length + - DnsDomainName.Length + DnsComputerName.Length + 8; + DnsDomainName.Length + DnsComputerName.Length + 8; length = ntlm_av_pair_list_size(AvPairsCount, AvPairsLength); if (!sspi_SecBufferAlloc(&context->ChallengeTargetInfo, length)) @@ -358,9 +374,12 @@ int ntlm_construct_challenge_target_info(NTLM_CONTEXT* context) AvPairListSize = (ULONG) context->ChallengeTargetInfo.cbBuffer; ntlm_av_pair_list_init(pAvPairList); ntlm_av_pair_add(pAvPairList, MsvAvNbDomainName, (PBYTE) NbDomainName.Buffer, NbDomainName.Length); - ntlm_av_pair_add(pAvPairList, MsvAvNbComputerName, (PBYTE) NbComputerName.Buffer, NbComputerName.Length); - ntlm_av_pair_add(pAvPairList, MsvAvDnsDomainName, (PBYTE) DnsDomainName.Buffer, DnsDomainName.Length); - ntlm_av_pair_add(pAvPairList, MsvAvDnsComputerName, (PBYTE) DnsComputerName.Buffer, DnsComputerName.Length); + ntlm_av_pair_add(pAvPairList, MsvAvNbComputerName, (PBYTE) NbComputerName.Buffer, + NbComputerName.Length); + ntlm_av_pair_add(pAvPairList, MsvAvDnsDomainName, (PBYTE) DnsDomainName.Buffer, + DnsDomainName.Length); + ntlm_av_pair_add(pAvPairList, MsvAvDnsComputerName, (PBYTE) DnsComputerName.Buffer, + DnsComputerName.Length); ntlm_av_pair_add(pAvPairList, MsvAvTimestamp, context->Timestamp, sizeof(context->Timestamp)); ntlm_free_unicode_string(&NbDomainName); ntlm_free_unicode_string(&NbComputerName); @@ -467,6 +486,7 @@ int ntlm_construct_authenticate_target_info(NTLM_CONTEXT* context) if (!sspi_SecBufferAlloc(&context->AuthenticateTargetInfo, size)) return -1; + AuthenticateTargetInfo = (NTLM_AV_PAIR*) context->AuthenticateTargetInfo.pvBuffer; ntlm_av_pair_list_init(AuthenticateTargetInfo); @@ -498,7 +518,7 @@ int ntlm_construct_authenticate_target_info(NTLM_CONTEXT* context) if (context->SendSingleHostData) { ntlm_av_pair_add(AuthenticateTargetInfo, MsvAvSingleHost, - (PBYTE) &context->SingleHostData, context->SingleHostData.Size); + (PBYTE) &context->SingleHostData, context->SingleHostData.Size); } if (!context->SuppressExtendedProtection) @@ -508,8 +528,8 @@ int ntlm_construct_authenticate_target_info(NTLM_CONTEXT* context) if (context->ServicePrincipalName.Length > 0) { ntlm_av_pair_add(AuthenticateTargetInfo, MsvAvTargetName, - (PBYTE) context->ServicePrincipalName.Buffer, - context->ServicePrincipalName.Length); + (PBYTE) context->ServicePrincipalName.Buffer, + context->ServicePrincipalName.Length); } }