|
Packit Service |
fa4841 |
/**
|
|
Packit Service |
fa4841 |
* FreeRDP: A Remote Desktop Protocol Implementation
|
|
Packit Service |
fa4841 |
* NTLM over HTTP
|
|
Packit Service |
fa4841 |
*
|
|
Packit Service |
fa4841 |
* Copyright 2012 Fujitsu Technology Solutions GmbH
|
|
Packit Service |
fa4841 |
* Copyright 2012 Dmitrij Jasnov <dmitrij.jasnov@ts.fujitsu.com>
|
|
Packit Service |
fa4841 |
* Copyright 2012 Marc-Andre Moreau <marcandre.moreau@gmail.com>
|
|
Packit Service |
fa4841 |
*
|
|
Packit Service |
fa4841 |
* Licensed under the Apache License, Version 2.0 (the "License");
|
|
Packit Service |
fa4841 |
* you may not use this file except in compliance with the License.
|
|
Packit Service |
fa4841 |
* You may obtain a copy of the License at
|
|
Packit Service |
fa4841 |
*
|
|
Packit Service |
fa4841 |
* http://www.apache.org/licenses/LICENSE-2.0
|
|
Packit Service |
fa4841 |
*
|
|
Packit Service |
fa4841 |
* Unless required by applicable law or agreed to in writing, software
|
|
Packit Service |
fa4841 |
* distributed under the License is distributed on an "AS IS" BASIS,
|
|
Packit Service |
fa4841 |
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
Packit Service |
fa4841 |
* See the License for the specific language governing permissions and
|
|
Packit Service |
fa4841 |
* limitations under the License.
|
|
Packit Service |
fa4841 |
*/
|
|
Packit Service |
fa4841 |
|
|
Packit Service |
fa4841 |
#ifdef HAVE_CONFIG_H
|
|
Packit Service |
fa4841 |
#include "config.h"
|
|
Packit Service |
fa4841 |
#endif
|
|
Packit Service |
fa4841 |
|
|
Packit Service |
fa4841 |
#include <winpr/crt.h>
|
|
Packit Service |
fa4841 |
#include <winpr/tchar.h>
|
|
Packit Service |
fa4841 |
#include <winpr/dsparse.h>
|
|
Packit Service |
fa4841 |
|
|
Packit Service |
fa4841 |
#include <freerdp/log.h>
|
|
Packit Service |
fa4841 |
|
|
Packit Service |
fa4841 |
#include "http.h"
|
|
Packit Service |
fa4841 |
|
|
Packit Service |
fa4841 |
#include "ntlm.h"
|
|
Packit Service |
fa4841 |
|
|
Packit Service |
fa4841 |
#define TAG FREERDP_TAG("core.gateway.ntlm")
|
|
Packit Service |
fa4841 |
|
|
Packit Service |
fa4841 |
struct rdp_ntlm
|
|
Packit Service |
fa4841 |
{
|
|
Packit Service |
fa4841 |
BOOL http;
|
|
Packit Service |
fa4841 |
CtxtHandle context;
|
|
Packit Service |
fa4841 |
ULONG cbMaxToken;
|
|
Packit Service |
fa4841 |
ULONG fContextReq;
|
|
Packit Service |
fa4841 |
ULONG pfContextAttr;
|
|
Packit Service |
fa4841 |
TimeStamp expiration;
|
|
Packit Service |
fa4841 |
PSecBuffer pBuffer;
|
|
Packit Service |
fa4841 |
SecBuffer inputBuffer[2];
|
|
Packit Service |
fa4841 |
SecBuffer outputBuffer[2];
|
|
Packit Service |
fa4841 |
BOOL haveContext;
|
|
Packit Service |
fa4841 |
BOOL haveInputBuffer;
|
|
Packit Service |
fa4841 |
LPTSTR ServicePrincipalName;
|
|
Packit Service |
fa4841 |
SecBufferDesc inputBufferDesc;
|
|
Packit Service |
fa4841 |
SecBufferDesc outputBufferDesc;
|
|
Packit Service |
fa4841 |
CredHandle credentials;
|
|
Packit Service |
fa4841 |
BOOL confidentiality;
|
|
Packit Service |
fa4841 |
SecPkgInfo* pPackageInfo;
|
|
Packit Service |
fa4841 |
SecurityFunctionTable* table;
|
|
Packit Service |
fa4841 |
SEC_WINNT_AUTH_IDENTITY identity;
|
|
Packit Service |
fa4841 |
SecPkgContext_Sizes ContextSizes;
|
|
Packit Service |
fa4841 |
SecPkgContext_Bindings* Bindings;
|
|
Packit Service |
fa4841 |
};
|
|
Packit Service |
fa4841 |
|
|
Packit Service |
fa4841 |
static ULONG cast_from_size_(size_t size, const char* fkt, const char* file, int line)
|
|
Packit Service |
fa4841 |
{
|
|
Packit Service |
fa4841 |
if (size > ULONG_MAX)
|
|
Packit Service |
fa4841 |
{
|
|
Packit Service |
bb5c11 |
WLog_ERR(TAG, "[%s %s:%d] Size %"PRIdz" is larger than INT_MAX %lu", fkt, file, line, size,
|
|
Packit Service |
bb5c11 |
ULONG_MAX);
|
|
Packit Service |
fa4841 |
return 0;
|
|
Packit Service |
fa4841 |
}
|
|
Packit Service |
fa4841 |
|
|
Packit Service |
bb5c11 |
return (ULONG) size;
|
|
Packit Service |
fa4841 |
}
|
|
Packit Service |
fa4841 |
|
|
Packit Service |
fa4841 |
#define cast_from_size(size) cast_from_size_(size, __FUNCTION__, __FILE__, __LINE__)
|
|
Packit Service |
fa4841 |
|
|
Packit Service |
fa4841 |
BOOL ntlm_client_init(rdpNtlm* ntlm, BOOL http, LPCTSTR user, LPCTSTR domain, LPCTSTR password,
|
|
Packit Service |
fa4841 |
SecPkgContext_Bindings* Bindings)
|
|
Packit Service |
fa4841 |
{
|
|
Packit Service |
fa4841 |
SECURITY_STATUS status;
|
|
Packit Service |
fa4841 |
ntlm->http = http;
|
|
Packit Service |
fa4841 |
ntlm->Bindings = Bindings;
|
|
Packit Service |
fa4841 |
ntlm->table = InitSecurityInterfaceEx(0);
|
|
Packit Service |
fa4841 |
|
|
Packit Service |
fa4841 |
if (!ntlm->table)
|
|
Packit Service |
fa4841 |
return FALSE;
|
|
Packit Service |
fa4841 |
|
|
Packit Service |
fa4841 |
sspi_SetAuthIdentity(&(ntlm->identity), user, domain, password);
|
|
Packit Service |
fa4841 |
status = ntlm->table->QuerySecurityPackageInfo(NTLM_SSP_NAME, &ntlm->pPackageInfo);
|
|
Packit Service |
fa4841 |
|
|
Packit Service |
fa4841 |
if (status != SEC_E_OK)
|
|
Packit Service |
fa4841 |
{
|
|
Packit Service |
bb5c11 |
WLog_ERR(TAG, "QuerySecurityPackageInfo status %s [0x%08"PRIX32"]",
|
|
Packit Service |
fa4841 |
GetSecurityStatusString(status), status);
|
|
Packit Service |
fa4841 |
return FALSE;
|
|
Packit Service |
fa4841 |
}
|
|
Packit Service |
fa4841 |
|
|
Packit Service |
fa4841 |
ntlm->cbMaxToken = ntlm->pPackageInfo->cbMaxToken;
|
|
Packit Service |
bb5c11 |
status = ntlm->table->AcquireCredentialsHandle(NULL, NTLM_SSP_NAME,
|
|
Packit Service |
bb5c11 |
SECPKG_CRED_OUTBOUND, NULL, &ntlm->identity, NULL, NULL,
|
|
Packit Service |
bb5c11 |
&ntlm->credentials, &ntlm->expiration);
|
|
Packit Service |
fa4841 |
|
|
Packit Service |
fa4841 |
if (status != SEC_E_OK)
|
|
Packit Service |
fa4841 |
{
|
|
Packit Service |
bb5c11 |
WLog_ERR(TAG, "AcquireCredentialsHandle status %s [0x%08"PRIX32"]",
|
|
Packit Service |
fa4841 |
GetSecurityStatusString(status), status);
|
|
Packit Service |
fa4841 |
return FALSE;
|
|
Packit Service |
fa4841 |
}
|
|
Packit Service |
fa4841 |
|
|
Packit Service |
fa4841 |
ntlm->haveContext = FALSE;
|
|
Packit Service |
fa4841 |
ntlm->haveInputBuffer = FALSE;
|
|
Packit Service |
fa4841 |
ZeroMemory(&ntlm->inputBuffer, sizeof(SecBuffer));
|
|
Packit Service |
fa4841 |
ZeroMemory(&ntlm->outputBuffer, sizeof(SecBuffer));
|
|
Packit Service |
fa4841 |
ZeroMemory(&ntlm->ContextSizes, sizeof(SecPkgContext_Sizes));
|
|
Packit Service |
fa4841 |
ntlm->fContextReq = 0;
|
|
Packit Service |
fa4841 |
|
|
Packit Service |
fa4841 |
if (ntlm->http)
|
|
Packit Service |
fa4841 |
{
|
|
Packit Service |
fa4841 |
/* flags for HTTP authentication */
|
|
Packit Service |
fa4841 |
ntlm->fContextReq |= ISC_REQ_CONFIDENTIALITY;
|
|
Packit Service |
fa4841 |
}
|
|
Packit Service |
fa4841 |
else
|
|
Packit Service |
fa4841 |
{
|
|
Packit Service |
fa4841 |
/**
|
|
Packit Service |
bb5c11 |
* flags for RPC authentication:
|
|
Packit Service |
bb5c11 |
* RPC_C_AUTHN_LEVEL_PKT_INTEGRITY:
|
|
Packit Service |
bb5c11 |
* ISC_REQ_USE_DCE_STYLE | ISC_REQ_DELEGATE | ISC_REQ_MUTUAL_AUTH |
|
|
Packit Service |
bb5c11 |
* ISC_REQ_REPLAY_DETECT | ISC_REQ_SEQUENCE_DETECT
|
|
Packit Service |
bb5c11 |
*/
|
|
Packit Service |
fa4841 |
ntlm->fContextReq |= ISC_REQ_USE_DCE_STYLE;
|
|
Packit Service |
fa4841 |
ntlm->fContextReq |= ISC_REQ_DELEGATE | ISC_REQ_MUTUAL_AUTH;
|
|
Packit Service |
fa4841 |
ntlm->fContextReq |= ISC_REQ_REPLAY_DETECT | ISC_REQ_SEQUENCE_DETECT;
|
|
Packit Service |
fa4841 |
}
|
|
Packit Service |
fa4841 |
|
|
Packit Service |
fa4841 |
return TRUE;
|
|
Packit Service |
fa4841 |
}
|
|
Packit Service |
fa4841 |
|
|
Packit Service |
fa4841 |
BOOL ntlm_client_make_spn(rdpNtlm* ntlm, LPCTSTR ServiceClass, LPCTSTR hostname)
|
|
Packit Service |
fa4841 |
{
|
|
Packit Service |
fa4841 |
BOOL status = FALSE;
|
|
Packit Service |
fa4841 |
DWORD SpnLength = 0;
|
|
Packit Service |
fa4841 |
LPTSTR hostnameX = NULL;
|
|
Packit Service |
fa4841 |
#ifdef UNICODE
|
|
Packit Service |
bb5c11 |
ConvertToUnicode(CP_UTF8, 0, hostname, -1, (LPWSTR*) &hostnameX, 0);
|
|
Packit Service |
fa4841 |
#else
|
|
Packit Service |
fa4841 |
hostnameX = _strdup(hostname);
|
|
Packit Service |
fa4841 |
#endif
|
|
Packit Service |
fa4841 |
|
|
Packit Service |
fa4841 |
if (!hostnameX)
|
|
Packit Service |
fa4841 |
return FALSE;
|
|
Packit Service |
fa4841 |
|
|
Packit Service |
fa4841 |
if (!ServiceClass)
|
|
Packit Service |
fa4841 |
{
|
|
Packit Service |
bb5c11 |
ntlm->ServicePrincipalName = (LPTSTR) _tcsdup(hostnameX);
|
|
Packit Service |
fa4841 |
free(hostnameX);
|
|
Packit Service |
fa4841 |
|
|
Packit Service |
fa4841 |
if (!ntlm->ServicePrincipalName)
|
|
Packit Service |
fa4841 |
return FALSE;
|
|
Packit Service |
fa4841 |
|
|
Packit Service |
fa4841 |
return TRUE;
|
|
Packit Service |
fa4841 |
}
|
|
Packit Service |
fa4841 |
|
|
Packit Service |
bb5c11 |
if (DsMakeSpn(ServiceClass, hostnameX, NULL, 0, NULL, &SpnLength, NULL) != ERROR_BUFFER_OVERFLOW)
|
|
Packit Service |
fa4841 |
goto error;
|
|
Packit Service |
fa4841 |
|
|
Packit Service |
bb5c11 |
ntlm->ServicePrincipalName = (LPTSTR) calloc(SpnLength, sizeof(TCHAR));
|
|
Packit Service |
fa4841 |
|
|
Packit Service |
fa4841 |
if (!ntlm->ServicePrincipalName)
|
|
Packit Service |
fa4841 |
goto error;
|
|
Packit Service |
fa4841 |
|
|
Packit Service |
bb5c11 |
if (DsMakeSpn(ServiceClass, hostnameX, NULL, 0, NULL, &SpnLength,
|
|
Packit Service |
fa4841 |
ntlm->ServicePrincipalName) != ERROR_SUCCESS)
|
|
Packit Service |
fa4841 |
goto error;
|
|
Packit Service |
fa4841 |
|
|
Packit Service |
fa4841 |
status = TRUE;
|
|
Packit Service |
fa4841 |
error:
|
|
Packit Service |
fa4841 |
free(hostnameX);
|
|
Packit Service |
fa4841 |
return status;
|
|
Packit Service |
fa4841 |
}
|
|
Packit Service |
fa4841 |
|
|
Packit Service |
fa4841 |
/**
|
|
Packit Service |
fa4841 |
* SSPI Client Ceremony
|
|
Packit Service |
fa4841 |
*
|
|
Packit Service |
fa4841 |
* --------------
|
|
Packit Service |
fa4841 |
* ( Client Begin )
|
|
Packit Service |
fa4841 |
* --------------
|
|
Packit Service |
fa4841 |
* |
|
|
Packit Service |
fa4841 |
* |
|
|
Packit Service |
fa4841 |
* \|/
|
|
Packit Service |
fa4841 |
* -----------+--------------
|
|
Packit Service |
fa4841 |
* | AcquireCredentialsHandle |
|
|
Packit Service |
fa4841 |
* --------------------------
|
|
Packit Service |
fa4841 |
* |
|
|
Packit Service |
fa4841 |
* |
|
|
Packit Service |
fa4841 |
* \|/
|
|
Packit Service |
fa4841 |
* -------------+--------------
|
|
Packit Service |
fa4841 |
* +---------------> / InitializeSecurityContext /
|
|
Packit Service |
fa4841 |
* | ----------------------------
|
|
Packit Service |
fa4841 |
* | |
|
|
Packit Service |
fa4841 |
* | |
|
|
Packit Service |
fa4841 |
* | \|/
|
|
Packit Service |
fa4841 |
* --------------------------- ---------+------------- ----------------------
|
|
Packit Service |
fa4841 |
* / Receive blob from server / < Received security blob? > --Yes-> / Send blob to server /
|
|
Packit Service |
fa4841 |
* -------------+------------- ----------------------- ----------------------
|
|
Packit Service |
fa4841 |
* /|\ | |
|
|
Packit Service |
fa4841 |
* | No |
|
|
Packit Service |
fa4841 |
* Yes \|/ |
|
|
Packit Service |
fa4841 |
* | ------------+----------- |
|
|
Packit Service |
fa4841 |
* +---------------- < Received Continue Needed > <-----------------+
|
|
Packit Service |
fa4841 |
* ------------------------
|
|
Packit Service |
fa4841 |
* |
|
|
Packit Service |
fa4841 |
* No
|
|
Packit Service |
fa4841 |
* \|/
|
|
Packit Service |
fa4841 |
* ------+-------
|
|
Packit Service |
fa4841 |
* ( Client End )
|
|
Packit Service |
fa4841 |
* --------------
|
|
Packit Service |
fa4841 |
*/
|
|
Packit Service |
fa4841 |
|
|
Packit Service |
fa4841 |
BOOL ntlm_authenticate(rdpNtlm* ntlm, BOOL* pbContinueNeeded)
|
|
Packit Service |
fa4841 |
{
|
|
Packit Service |
fa4841 |
SECURITY_STATUS status;
|
|
Packit Service |
fa4841 |
|
|
Packit Service |
fa4841 |
if (ntlm->outputBuffer[0].pvBuffer)
|
|
Packit Service |
fa4841 |
{
|
|
Packit Service |
fa4841 |
free(ntlm->outputBuffer[0].pvBuffer);
|
|
Packit Service |
fa4841 |
ntlm->outputBuffer[0].pvBuffer = NULL;
|
|
Packit Service |
fa4841 |
}
|
|
Packit Service |
fa4841 |
|
|
Packit Service |
fa4841 |
ntlm->outputBufferDesc.ulVersion = SECBUFFER_VERSION;
|
|
Packit Service |
fa4841 |
ntlm->outputBufferDesc.cBuffers = 1;
|
|
Packit Service |
fa4841 |
ntlm->outputBufferDesc.pBuffers = ntlm->outputBuffer;
|
|
Packit Service |
fa4841 |
ntlm->outputBuffer[0].BufferType = SECBUFFER_TOKEN;
|
|
Packit Service |
fa4841 |
ntlm->outputBuffer[0].cbBuffer = ntlm->cbMaxToken;
|
|
Packit Service |
fa4841 |
ntlm->outputBuffer[0].pvBuffer = malloc(ntlm->outputBuffer[0].cbBuffer);
|
|
Packit Service |
fa4841 |
|
|
Packit Service |
fa4841 |
if (!ntlm->outputBuffer[0].pvBuffer)
|
|
Packit Service |
fa4841 |
return FALSE;
|
|
Packit Service |
fa4841 |
|
|
Packit Service |
fa4841 |
if (ntlm->haveInputBuffer)
|
|
Packit Service |
fa4841 |
{
|
|
Packit Service |
fa4841 |
ntlm->inputBufferDesc.ulVersion = SECBUFFER_VERSION;
|
|
Packit Service |
fa4841 |
ntlm->inputBufferDesc.cBuffers = 1;
|
|
Packit Service |
fa4841 |
ntlm->inputBufferDesc.pBuffers = ntlm->inputBuffer;
|
|
Packit Service |
fa4841 |
ntlm->inputBuffer[0].BufferType = SECBUFFER_TOKEN;
|
|
Packit Service |
fa4841 |
|
|
Packit Service |
fa4841 |
if (ntlm->Bindings)
|
|
Packit Service |
fa4841 |
{
|
|
Packit Service |
fa4841 |
ntlm->inputBufferDesc.cBuffers++;
|
|
Packit Service |
fa4841 |
ntlm->inputBuffer[1].BufferType = SECBUFFER_CHANNEL_BINDINGS;
|
|
Packit Service |
fa4841 |
ntlm->inputBuffer[1].cbBuffer = ntlm->Bindings->BindingsLength;
|
|
Packit Service |
bb5c11 |
ntlm->inputBuffer[1].pvBuffer = (void*) ntlm->Bindings->Bindings;
|
|
Packit Service |
fa4841 |
}
|
|
Packit Service |
fa4841 |
}
|
|
Packit Service |
fa4841 |
|
|
Packit Service |
bb5c11 |
if ((!ntlm) || (!ntlm->table))
|
|
Packit Service |
bb5c11 |
{
|
|
Packit Service |
bb5c11 |
WLog_ERR(TAG, "ntlm_authenticate: invalid ntlm context");
|
|
Packit Service |
bb5c11 |
return FALSE;
|
|
Packit Service |
bb5c11 |
}
|
|
Packit Service |
bb5c11 |
|
|
Packit Service |
bb5c11 |
status = ntlm->table->InitializeSecurityContext(&ntlm->credentials,
|
|
Packit Service |
bb5c11 |
(ntlm->haveContext) ? &ntlm->context : NULL,
|
|
Packit Service |
bb5c11 |
(ntlm->ServicePrincipalName) ? ntlm->ServicePrincipalName : NULL,
|
|
Packit Service |
bb5c11 |
ntlm->fContextReq, 0, SECURITY_NATIVE_DREP,
|
|
Packit Service |
bb5c11 |
(ntlm->haveInputBuffer) ? &ntlm->inputBufferDesc : NULL,
|
|
Packit Service |
bb5c11 |
0, &ntlm->context, &ntlm->outputBufferDesc,
|
|
Packit Service |
bb5c11 |
&ntlm->pfContextAttr, &ntlm->expiration);
|
|
Packit Service |
bb5c11 |
WLog_VRB(TAG, "InitializeSecurityContext status %s [0x%08"PRIX32"]",
|
|
Packit Service |
fa4841 |
GetSecurityStatusString(status), status);
|
|
Packit Service |
fa4841 |
|
|
Packit Service |
fa4841 |
if ((status == SEC_I_COMPLETE_AND_CONTINUE) || (status == SEC_I_COMPLETE_NEEDED) ||
|
|
Packit Service |
fa4841 |
(status == SEC_E_OK))
|
|
Packit Service |
fa4841 |
{
|
|
Packit Service |
fa4841 |
if ((status != SEC_E_OK) && ntlm->table->CompleteAuthToken)
|
|
Packit Service |
fa4841 |
{
|
|
Packit Service |
fa4841 |
SECURITY_STATUS cStatus;
|
|
Packit Service |
fa4841 |
cStatus = ntlm->table->CompleteAuthToken(&ntlm->context, &ntlm->outputBufferDesc);
|
|
Packit Service |
fa4841 |
|
|
Packit Service |
fa4841 |
if (cStatus != SEC_E_OK)
|
|
Packit Service |
fa4841 |
{
|
|
Packit Service |
bb5c11 |
WLog_WARN(TAG, "CompleteAuthToken status %s [0x%08"PRIX32"]",
|
|
Packit Service |
fa4841 |
GetSecurityStatusString(cStatus), cStatus);
|
|
Packit Service |
fa4841 |
return FALSE;
|
|
Packit Service |
fa4841 |
}
|
|
Packit Service |
fa4841 |
}
|
|
Packit Service |
fa4841 |
|
|
Packit Service |
fa4841 |
status = ntlm->table->QueryContextAttributes(&ntlm->context, SECPKG_ATTR_SIZES,
|
|
Packit Service |
bb5c11 |
&ntlm->ContextSizes);
|
|
Packit Service |
fa4841 |
|
|
Packit Service |
fa4841 |
if (status != SEC_E_OK)
|
|
Packit Service |
fa4841 |
{
|
|
Packit Service |
bb5c11 |
WLog_ERR(TAG, "QueryContextAttributes SECPKG_ATTR_SIZES failure %s [0x%08"PRIX32"]",
|
|
Packit Service |
fa4841 |
GetSecurityStatusString(status), status);
|
|
Packit Service |
fa4841 |
return FALSE;
|
|
Packit Service |
fa4841 |
}
|
|
Packit Service |
fa4841 |
|
|
Packit Service |
fa4841 |
if (status == SEC_I_COMPLETE_NEEDED)
|
|
Packit Service |
fa4841 |
status = SEC_E_OK;
|
|
Packit Service |
fa4841 |
else if (status == SEC_I_COMPLETE_AND_CONTINUE)
|
|
Packit Service |
fa4841 |
status = SEC_I_CONTINUE_NEEDED;
|
|
Packit Service |
fa4841 |
}
|
|
Packit Service |
fa4841 |
|
|
Packit Service |
fa4841 |
if (ntlm->haveInputBuffer)
|
|
Packit Service |
fa4841 |
{
|
|
Packit Service |
fa4841 |
free(ntlm->inputBuffer[0].pvBuffer);
|
|
Packit Service |
fa4841 |
ntlm->inputBuffer[0].pvBuffer = NULL;
|
|
Packit Service |
fa4841 |
}
|
|
Packit Service |
fa4841 |
|
|
Packit Service |
fa4841 |
ntlm->haveInputBuffer = TRUE;
|
|
Packit Service |
fa4841 |
ntlm->haveContext = TRUE;
|
|
Packit Service |
fa4841 |
|
|
Packit Service |
fa4841 |
if (pbContinueNeeded)
|
|
Packit Service |
fa4841 |
*pbContinueNeeded = (status == SEC_I_CONTINUE_NEEDED) ? TRUE : FALSE;
|
|
Packit Service |
fa4841 |
|
|
Packit Service |
fa4841 |
return TRUE;
|
|
Packit Service |
fa4841 |
}
|
|
Packit Service |
fa4841 |
|
|
Packit Service |
fa4841 |
static void ntlm_client_uninit(rdpNtlm* ntlm)
|
|
Packit Service |
fa4841 |
{
|
|
Packit Service |
fa4841 |
free(ntlm->identity.User);
|
|
Packit Service |
fa4841 |
ntlm->identity.User = NULL;
|
|
Packit Service |
fa4841 |
free(ntlm->identity.Domain);
|
|
Packit Service |
fa4841 |
ntlm->identity.Domain = NULL;
|
|
Packit Service |
fa4841 |
free(ntlm->identity.Password);
|
|
Packit Service |
fa4841 |
ntlm->identity.Password = NULL;
|
|
Packit Service |
fa4841 |
free(ntlm->ServicePrincipalName);
|
|
Packit Service |
fa4841 |
ntlm->ServicePrincipalName = NULL;
|
|
Packit Service |
fa4841 |
|
|
Packit Service |
fa4841 |
if (ntlm->table)
|
|
Packit Service |
fa4841 |
{
|
|
Packit Service |
fa4841 |
SECURITY_STATUS status;
|
|
Packit Service |
fa4841 |
status = ntlm->table->FreeCredentialsHandle(&ntlm->credentials);
|
|
Packit Service |
fa4841 |
|
|
Packit Service |
fa4841 |
if (status != SEC_E_OK)
|
|
Packit Service |
fa4841 |
{
|
|
Packit Service |
bb5c11 |
WLog_WARN(TAG, "FreeCredentialsHandle status %s [0x%08"PRIX32"]",
|
|
Packit Service |
fa4841 |
GetSecurityStatusString(status), status);
|
|
Packit Service |
fa4841 |
}
|
|
Packit Service |
fa4841 |
|
|
Packit Service |
fa4841 |
status = ntlm->table->FreeContextBuffer(ntlm->pPackageInfo);
|
|
Packit Service |
fa4841 |
|
|
Packit Service |
fa4841 |
if (status != SEC_E_OK)
|
|
Packit Service |
fa4841 |
{
|
|
Packit Service |
bb5c11 |
WLog_WARN(TAG, "FreeContextBuffer status %s [0x%08"PRIX32"]",
|
|
Packit Service |
fa4841 |
GetSecurityStatusString(status), status);
|
|
Packit Service |
fa4841 |
}
|
|
Packit Service |
fa4841 |
|
|
Packit Service |
fa4841 |
status = ntlm->table->DeleteSecurityContext(&ntlm->context);
|
|
Packit Service |
fa4841 |
|
|
Packit Service |
fa4841 |
if (status != SEC_E_OK)
|
|
Packit Service |
fa4841 |
{
|
|
Packit Service |
bb5c11 |
WLog_WARN(TAG, "DeleteSecurityContext status %s [0x%08"PRIX32"]",
|
|
Packit Service |
fa4841 |
GetSecurityStatusString(status), status);
|
|
Packit Service |
fa4841 |
}
|
|
Packit Service |
fa4841 |
|
|
Packit Service |
fa4841 |
ntlm->table = NULL;
|
|
Packit Service |
fa4841 |
}
|
|
Packit Service |
fa4841 |
}
|
|
Packit Service |
fa4841 |
|
|
Packit Service |
fa4841 |
rdpNtlm* ntlm_new(void)
|
|
Packit Service |
fa4841 |
{
|
|
Packit Service |
fa4841 |
rdpNtlm* ntlm;
|
|
Packit Service |
bb5c11 |
ntlm = (rdpNtlm*) calloc(1, sizeof(rdpNtlm));
|
|
Packit Service |
fa4841 |
return ntlm;
|
|
Packit Service |
fa4841 |
}
|
|
Packit Service |
fa4841 |
|
|
Packit Service |
fa4841 |
void ntlm_free(rdpNtlm* ntlm)
|
|
Packit Service |
fa4841 |
{
|
|
Packit Service |
fa4841 |
if (!ntlm)
|
|
Packit Service |
fa4841 |
return;
|
|
Packit Service |
fa4841 |
|
|
Packit Service |
fa4841 |
if (ntlm->outputBuffer[0].pvBuffer)
|
|
Packit Service |
fa4841 |
{
|
|
Packit Service |
fa4841 |
free(ntlm->outputBuffer[0].pvBuffer);
|
|
Packit Service |
fa4841 |
ntlm->outputBuffer[0].pvBuffer = NULL;
|
|
Packit Service |
fa4841 |
}
|
|
Packit Service |
fa4841 |
|
|
Packit Service |
fa4841 |
ntlm_client_uninit(ntlm);
|
|
Packit Service |
fa4841 |
free(ntlm);
|
|
Packit Service |
fa4841 |
}
|
|
Packit Service |
fa4841 |
|
|
Packit Service |
fa4841 |
SSIZE_T ntlm_client_get_context_max_size(rdpNtlm* ntlm)
|
|
Packit Service |
fa4841 |
{
|
|
Packit Service |
fa4841 |
if (!ntlm)
|
|
Packit Service |
fa4841 |
return -1;
|
|
Packit Service |
fa4841 |
|
|
Packit Service |
fa4841 |
if (ntlm->ContextSizes.cbMaxSignature > UINT16_MAX)
|
|
Packit Service |
fa4841 |
{
|
|
Packit Service |
bb5c11 |
WLog_ERR(TAG, "QueryContextAttributes SECPKG_ATTR_SIZES ContextSizes.cbMaxSignature > 0xFFFF");
|
|
Packit Service |
fa4841 |
return -1;
|
|
Packit Service |
fa4841 |
}
|
|
Packit Service |
fa4841 |
|
|
Packit Service |
fa4841 |
return ntlm->ContextSizes.cbMaxSignature;
|
|
Packit Service |
fa4841 |
}
|
|
Packit Service |
fa4841 |
|
|
Packit Service |
fa4841 |
SSIZE_T ntlm_client_query_auth_size(rdpNtlm* ntlm)
|
|
Packit Service |
fa4841 |
{
|
|
Packit Service |
fa4841 |
SECURITY_STATUS status;
|
|
Packit Service |
fa4841 |
|
|
Packit Service |
fa4841 |
if (!ntlm || !ntlm->table || !ntlm->table->QueryContextAttributes)
|
|
Packit Service |
fa4841 |
return -1;
|
|
Packit Service |
fa4841 |
|
|
Packit Service |
bb5c11 |
status = ntlm->table->QueryContextAttributes(&ntlm->context, SECPKG_ATTR_SIZES,
|
|
Packit Service |
bb5c11 |
&ntlm->ContextSizes);
|
|
Packit Service |
fa4841 |
|
|
Packit Service |
fa4841 |
if (status != SEC_E_OK)
|
|
Packit Service |
fa4841 |
{
|
|
Packit Service |
bb5c11 |
WLog_ERR(TAG, "QueryContextAttributes SECPKG_ATTR_SIZES failure %s [0x%08"PRIX32"]",
|
|
Packit Service |
fa4841 |
GetSecurityStatusString(status), status);
|
|
Packit Service |
fa4841 |
return -1;
|
|
Packit Service |
fa4841 |
}
|
|
Packit Service |
fa4841 |
|
|
Packit Service |
fa4841 |
return ntlm_client_get_context_max_size(ntlm);
|
|
Packit Service |
fa4841 |
}
|
|
Packit Service |
fa4841 |
|
|
Packit Service |
fa4841 |
BOOL ntlm_client_encrypt(rdpNtlm* ntlm, ULONG fQOP, SecBufferDesc* Message, size_t sequence)
|
|
Packit Service |
fa4841 |
{
|
|
Packit Service |
fa4841 |
SECURITY_STATUS encrypt_status;
|
|
Packit Service |
fa4841 |
const ULONG s = cast_from_size(sequence);
|
|
Packit Service |
fa4841 |
|
|
Packit Service |
fa4841 |
if (!ntlm || !Message)
|
|
Packit Service |
fa4841 |
return FALSE;
|
|
Packit Service |
fa4841 |
|
|
Packit Service |
fa4841 |
encrypt_status = ntlm->table->EncryptMessage(&ntlm->context, fQOP, Message, s);
|
|
Packit Service |
fa4841 |
|
|
Packit Service |
fa4841 |
if (encrypt_status != SEC_E_OK)
|
|
Packit Service |
fa4841 |
{
|
|
Packit Service |
bb5c11 |
WLog_ERR(TAG, "EncryptMessage status %s [0x%08"PRIX32"]",
|
|
Packit Service |
fa4841 |
GetSecurityStatusString(encrypt_status), encrypt_status);
|
|
Packit Service |
fa4841 |
return FALSE;
|
|
Packit Service |
fa4841 |
}
|
|
Packit Service |
fa4841 |
|
|
Packit Service |
fa4841 |
return TRUE;
|
|
Packit Service |
fa4841 |
}
|
|
Packit Service |
fa4841 |
|
|
Packit Service |
fa4841 |
BOOL ntlm_client_set_input_buffer(rdpNtlm* ntlm, BOOL copy, const void* data, size_t size)
|
|
Packit Service |
fa4841 |
{
|
|
Packit Service |
fa4841 |
if (!ntlm || !data || (size == 0))
|
|
Packit Service |
fa4841 |
return FALSE;
|
|
Packit Service |
fa4841 |
|
|
Packit Service |
fa4841 |
ntlm->inputBuffer[0].cbBuffer = cast_from_size(size);
|
|
Packit Service |
fa4841 |
|
|
Packit Service |
fa4841 |
if (copy)
|
|
Packit Service |
fa4841 |
{
|
|
Packit Service |
fa4841 |
ntlm->inputBuffer[0].pvBuffer = malloc(size);
|
|
Packit Service |
fa4841 |
|
|
Packit Service |
fa4841 |
if (!ntlm->inputBuffer[0].pvBuffer)
|
|
Packit Service |
fa4841 |
return FALSE;
|
|
Packit Service |
fa4841 |
|
|
Packit Service |
fa4841 |
memcpy(ntlm->inputBuffer[0].pvBuffer, data, size);
|
|
Packit Service |
fa4841 |
}
|
|
Packit Service |
fa4841 |
else
|
|
Packit Service |
fa4841 |
ntlm->inputBuffer[0].pvBuffer = (void*)data;
|
|
Packit Service |
fa4841 |
|
|
Packit Service |
fa4841 |
return TRUE;
|
|
Packit Service |
fa4841 |
}
|
|
Packit Service |
fa4841 |
|
|
Packit Service |
fa4841 |
const SecBuffer* ntlm_client_get_output_buffer(rdpNtlm* ntlm)
|
|
Packit Service |
fa4841 |
{
|
|
Packit Service |
fa4841 |
if (!ntlm)
|
|
Packit Service |
fa4841 |
return NULL;
|
|
Packit Service |
fa4841 |
|
|
Packit Service |
fa4841 |
return &ntlm->outputBuffer[0];
|
|
Packit Service |
fa4841 |
}
|