FreeRDP
Loading...
Searching...
No Matches
sspi/NTLM/ntlm.c
1
20#include <winpr/config.h>
21
22#include <winpr/crt.h>
23#include <winpr/assert.h>
24#include <winpr/sspi.h>
25#include <winpr/print.h>
26#include <winpr/string.h>
27#include <winpr/tchar.h>
28#include <winpr/sysinfo.h>
29#include <winpr/registry.h>
30#include <winpr/endian.h>
31#include <winpr/build-config.h>
32
33#include "ntlm.h"
34#include "ntlm_export.h"
35#include "../sspi.h"
36
37#include "ntlm_message.h"
38
39#include "../../log.h"
40#define TAG WINPR_TAG("sspi.NTLM")
41
42#define WINPR_KEY "Software\\" WINPR_VENDOR_STRING "\\" WINPR_PRODUCT_STRING "\\WinPR\\NTLM"
43
44static char* NTLM_PACKAGE_NAME = "NTLM";
45
46#define check_context(ctx) check_context_((ctx), __FILE__, __func__, __LINE__)
47static BOOL check_context_(NTLM_CONTEXT* context, const char* file, const char* fkt, size_t line)
48{
49 BOOL rc = TRUE;
50 wLog* log = WLog_Get(TAG);
51 const DWORD log_level = WLOG_ERROR;
52
53 if (!context)
54 {
55 if (WLog_IsLevelActive(log, log_level))
56 WLog_PrintTextMessage(log, log_level, line, file, fkt, "invalid context");
57
58 return FALSE;
59 }
60
61 if (!context->RecvRc4Seal)
62 {
63 if (WLog_IsLevelActive(log, log_level))
64 WLog_PrintTextMessage(log, log_level, line, file, fkt, "invalid context->RecvRc4Seal");
65 rc = FALSE;
66 }
67 if (!context->SendRc4Seal)
68 {
69 if (WLog_IsLevelActive(log, log_level))
70 WLog_PrintTextMessage(log, log_level, line, file, fkt, "invalid context->SendRc4Seal");
71 rc = FALSE;
72 }
73
74 if (!context->SendSigningKey)
75 {
76 if (WLog_IsLevelActive(log, log_level))
77 WLog_PrintTextMessage(log, log_level, line, file, fkt,
78 "invalid context->SendSigningKey");
79 rc = FALSE;
80 }
81 if (!context->RecvSigningKey)
82 {
83 if (WLog_IsLevelActive(log, log_level))
84 WLog_PrintTextMessage(log, log_level, line, file, fkt,
85 "invalid context->RecvSigningKey");
86 rc = FALSE;
87 }
88 if (!context->SendSealingKey)
89 {
90 if (WLog_IsLevelActive(log, log_level))
91 WLog_PrintTextMessage(log, log_level, line, file, fkt,
92 "invalid context->SendSealingKey");
93 rc = FALSE;
94 }
95 if (!context->RecvSealingKey)
96 {
97 if (WLog_IsLevelActive(log, log_level))
98 WLog_PrintTextMessage(log, log_level, line, file, fkt,
99 "invalid context->RecvSealingKey");
100 rc = FALSE;
101 }
102 return rc;
103}
104
105static char* get_name(COMPUTER_NAME_FORMAT type)
106{
107 DWORD nSize = 0;
108
109 if (GetComputerNameExA(type, NULL, &nSize))
110 return NULL;
111
112 if (GetLastError() != ERROR_MORE_DATA)
113 return NULL;
114
115 char* computerName = calloc(1, nSize);
116
117 if (!computerName)
118 return NULL;
119
120 if (!GetComputerNameExA(type, computerName, &nSize))
121 {
122 free(computerName);
123 return NULL;
124 }
125
126 return computerName;
127}
128
129static int ntlm_SetContextWorkstation(NTLM_CONTEXT* context, char* Workstation)
130{
131 char* ws = Workstation;
132 CHAR* computerName = NULL;
133
134 WINPR_ASSERT(context);
135
136 if (!Workstation)
137 {
138 computerName = get_name(ComputerNameNetBIOS);
139 if (!computerName)
140 return -1;
141 ws = computerName;
142 }
143
144 size_t len = 0;
145 context->Workstation.Buffer = ConvertUtf8ToWCharAlloc(ws, &len);
146
147 free(computerName);
148
149 if (!context->Workstation.Buffer || (len > UINT16_MAX / sizeof(WCHAR)))
150 return -1;
151
152 context->Workstation.Length = (USHORT)(len * sizeof(WCHAR));
153 return 1;
154}
155
156static int ntlm_SetContextServicePrincipalNameW(NTLM_CONTEXT* context, LPWSTR ServicePrincipalName)
157{
158 WINPR_ASSERT(context);
159
160 if (!ServicePrincipalName)
161 {
162 context->ServicePrincipalName.Buffer = NULL;
163 context->ServicePrincipalName.Length = 0;
164 return 1;
165 }
166
167 context->ServicePrincipalName.Length = (USHORT)(_wcslen(ServicePrincipalName) * 2);
168 context->ServicePrincipalName.Buffer = (PWSTR)malloc(context->ServicePrincipalName.Length + 2);
169
170 if (!context->ServicePrincipalName.Buffer)
171 return -1;
172
173 memcpy(context->ServicePrincipalName.Buffer, ServicePrincipalName,
174 context->ServicePrincipalName.Length + 2);
175 return 1;
176}
177
178static int ntlm_SetContextTargetName(NTLM_CONTEXT* context, char* TargetName)
179{
180 char* name = TargetName;
181 DWORD nSize = 0;
182 CHAR* computerName = NULL;
183
184 WINPR_ASSERT(context);
185
186 if (!name)
187 {
188 if (GetComputerNameExA(ComputerNameNetBIOS, NULL, &nSize) ||
189 GetLastError() != ERROR_MORE_DATA)
190 return -1;
191
192 computerName = calloc(nSize, sizeof(CHAR));
193
194 if (!computerName)
195 return -1;
196
197 if (!GetComputerNameExA(ComputerNameNetBIOS, computerName, &nSize))
198 {
199 free(computerName);
200 return -1;
201 }
202
203 if (nSize > MAX_COMPUTERNAME_LENGTH)
204 computerName[MAX_COMPUTERNAME_LENGTH] = '\0';
205
206 name = computerName;
207
208 if (!name)
209 return -1;
210
211 CharUpperA(name);
212 }
213
214 size_t len = 0;
215 context->TargetName.pvBuffer = ConvertUtf8ToWCharAlloc(name, &len);
216
217 if (!context->TargetName.pvBuffer || (len > UINT16_MAX / sizeof(WCHAR)))
218 {
219 free(context->TargetName.pvBuffer);
220 context->TargetName.pvBuffer = NULL;
221
222 if (!TargetName)
223 free(name);
224
225 return -1;
226 }
227
228 context->TargetName.cbBuffer = (USHORT)(len * sizeof(WCHAR));
229
230 if (!TargetName)
231 free(name);
232
233 return 1;
234}
235
236static NTLM_CONTEXT* ntlm_ContextNew(void)
237{
238 HKEY hKey = 0;
239 LONG status = 0;
240 DWORD dwType = 0;
241 DWORD dwSize = 0;
242 DWORD dwValue = 0;
243 NTLM_CONTEXT* context = (NTLM_CONTEXT*)calloc(1, sizeof(NTLM_CONTEXT));
244
245 if (!context)
246 return NULL;
247
248 context->NTLMv2 = TRUE;
249 context->UseMIC = FALSE;
250 context->SendVersionInfo = TRUE;
251 context->SendSingleHostData = FALSE;
252 context->SendWorkstationName = TRUE;
253 context->NegotiateKeyExchange = TRUE;
254 context->UseSamFileDatabase = TRUE;
255 status = RegOpenKeyExA(HKEY_LOCAL_MACHINE, WINPR_KEY, 0, KEY_READ | KEY_WOW64_64KEY, &hKey);
256
257 if (status == ERROR_SUCCESS)
258 {
259 if (RegQueryValueEx(hKey, _T("NTLMv2"), NULL, &dwType, (BYTE*)&dwValue, &dwSize) ==
260 ERROR_SUCCESS)
261 context->NTLMv2 = dwValue ? 1 : 0;
262
263 if (RegQueryValueEx(hKey, _T("UseMIC"), NULL, &dwType, (BYTE*)&dwValue, &dwSize) ==
264 ERROR_SUCCESS)
265 context->UseMIC = dwValue ? 1 : 0;
266
267 if (RegQueryValueEx(hKey, _T("SendVersionInfo"), NULL, &dwType, (BYTE*)&dwValue, &dwSize) ==
268 ERROR_SUCCESS)
269 context->SendVersionInfo = dwValue ? 1 : 0;
270
271 if (RegQueryValueEx(hKey, _T("SendSingleHostData"), NULL, &dwType, (BYTE*)&dwValue,
272 &dwSize) == ERROR_SUCCESS)
273 context->SendSingleHostData = dwValue ? 1 : 0;
274
275 if (RegQueryValueEx(hKey, _T("SendWorkstationName"), NULL, &dwType, (BYTE*)&dwValue,
276 &dwSize) == ERROR_SUCCESS)
277 context->SendWorkstationName = dwValue ? 1 : 0;
278
279 if (RegQueryValueEx(hKey, _T("WorkstationName"), NULL, &dwType, NULL, &dwSize) ==
280 ERROR_SUCCESS)
281 {
282 char* workstation = (char*)malloc(dwSize + 1);
283
284 if (!workstation)
285 {
286 free(context);
287 return NULL;
288 }
289
290 status = RegQueryValueExA(hKey, "WorkstationName", NULL, &dwType, (BYTE*)workstation,
291 &dwSize);
292 if (status != ERROR_SUCCESS)
293 WLog_WARN(TAG, "Key ''WorkstationName' not found");
294 workstation[dwSize] = '\0';
295
296 if (ntlm_SetContextWorkstation(context, workstation) < 0)
297 {
298 free(workstation);
299 free(context);
300 return NULL;
301 }
302
303 free(workstation);
304 }
305
306 RegCloseKey(hKey);
307 }
308
309 /*
310 * Extended Protection is enabled by default in Windows 7,
311 * but enabling it in WinPR breaks TS Gateway at this point
312 */
313 context->SuppressExtendedProtection = FALSE;
314 status = RegOpenKeyEx(HKEY_LOCAL_MACHINE, _T("System\\CurrentControlSet\\Control\\LSA"), 0,
315 KEY_READ | KEY_WOW64_64KEY, &hKey);
316
317 if (status == ERROR_SUCCESS)
318 {
319 if (RegQueryValueEx(hKey, _T("SuppressExtendedProtection"), NULL, &dwType, (BYTE*)&dwValue,
320 &dwSize) == ERROR_SUCCESS)
321 context->SuppressExtendedProtection = dwValue ? 1 : 0;
322
323 RegCloseKey(hKey);
324 }
325
326 context->NegotiateFlags = 0;
327 context->LmCompatibilityLevel = 3;
328 ntlm_change_state(context, NTLM_STATE_INITIAL);
329 FillMemory(context->MachineID, sizeof(context->MachineID), 0xAA);
330
331 if (context->NTLMv2)
332 context->UseMIC = TRUE;
333
334 return context;
335}
336
337static void ntlm_ContextFree(NTLM_CONTEXT* context)
338{
339 if (!context)
340 return;
341
342 winpr_RC4_Free(context->SendRc4Seal);
343 winpr_RC4_Free(context->RecvRc4Seal);
344 sspi_SecBufferFree(&context->NegotiateMessage);
345 sspi_SecBufferFree(&context->ChallengeMessage);
346 sspi_SecBufferFree(&context->AuthenticateMessage);
347 sspi_SecBufferFree(&context->ChallengeTargetInfo);
348 sspi_SecBufferFree(&context->TargetName);
349 sspi_SecBufferFree(&context->NtChallengeResponse);
350 sspi_SecBufferFree(&context->LmChallengeResponse);
351 free(context->ServicePrincipalName.Buffer);
352 free(context->Workstation.Buffer);
353 free(context);
354}
355
356static SECURITY_STATUS SEC_ENTRY ntlm_AcquireCredentialsHandleW(
357 WINPR_ATTR_UNUSED SEC_WCHAR* pszPrincipal, WINPR_ATTR_UNUSED SEC_WCHAR* pszPackage,
358 ULONG fCredentialUse, WINPR_ATTR_UNUSED void* pvLogonID, void* pAuthData,
359 SEC_GET_KEY_FN pGetKeyFn, void* pvGetKeyArgument, PCredHandle phCredential,
360 WINPR_ATTR_UNUSED PTimeStamp ptsExpiry)
361{
362 SEC_WINPR_NTLM_SETTINGS* settings = NULL;
363
364 if ((fCredentialUse != SECPKG_CRED_OUTBOUND) && (fCredentialUse != SECPKG_CRED_INBOUND) &&
365 (fCredentialUse != SECPKG_CRED_BOTH))
366 {
367 return SEC_E_INVALID_PARAMETER;
368 }
369
370 SSPI_CREDENTIALS* credentials = sspi_CredentialsNew();
371
372 if (!credentials)
373 return SEC_E_INTERNAL_ERROR;
374
375 credentials->fCredentialUse = fCredentialUse;
376 credentials->pGetKeyFn = pGetKeyFn;
377 credentials->pvGetKeyArgument = pvGetKeyArgument;
378
379 if (pAuthData)
380 {
381 UINT32 identityFlags = sspi_GetAuthIdentityFlags(pAuthData);
382
383 sspi_CopyAuthIdentity(&(credentials->identity),
384 (const SEC_WINNT_AUTH_IDENTITY_INFO*)pAuthData);
385
386 if (identityFlags & SEC_WINNT_AUTH_IDENTITY_EXTENDED)
387 settings = (((SEC_WINNT_AUTH_IDENTITY_WINPR*)pAuthData)->ntlmSettings);
388 }
389
390 if (settings)
391 {
392 if (settings->samFile)
393 {
394 credentials->ntlmSettings.samFile = _strdup(settings->samFile);
395 if (!credentials->ntlmSettings.samFile)
396 {
397 sspi_CredentialsFree(credentials);
398 return SEC_E_INSUFFICIENT_MEMORY;
399 }
400 }
401 credentials->ntlmSettings.hashCallback = settings->hashCallback;
402 credentials->ntlmSettings.hashCallbackArg = settings->hashCallbackArg;
403 }
404
405 sspi_SecureHandleSetLowerPointer(phCredential, (void*)credentials);
406 sspi_SecureHandleSetUpperPointer(phCredential, (void*)NTLM_PACKAGE_NAME);
407 return SEC_E_OK;
408}
409
410static SECURITY_STATUS SEC_ENTRY ntlm_AcquireCredentialsHandleA(
411 SEC_CHAR* pszPrincipal, SEC_CHAR* pszPackage, ULONG fCredentialUse, void* pvLogonID,
412 void* pAuthData, SEC_GET_KEY_FN pGetKeyFn, void* pvGetKeyArgument, PCredHandle phCredential,
413 PTimeStamp ptsExpiry)
414{
415 SECURITY_STATUS status = SEC_E_INSUFFICIENT_MEMORY;
416 SEC_WCHAR* principal = NULL;
417 SEC_WCHAR* package = NULL;
418
419 if (pszPrincipal)
420 {
421 principal = ConvertUtf8ToWCharAlloc(pszPrincipal, NULL);
422 if (!principal)
423 goto fail;
424 }
425 if (pszPackage)
426 {
427 package = ConvertUtf8ToWCharAlloc(pszPackage, NULL);
428 if (!package)
429 goto fail;
430 }
431
432 status =
433 ntlm_AcquireCredentialsHandleW(principal, package, fCredentialUse, pvLogonID, pAuthData,
434 pGetKeyFn, pvGetKeyArgument, phCredential, ptsExpiry);
435
436fail:
437 free(principal);
438 free(package);
439
440 return status;
441}
442
443static SECURITY_STATUS SEC_ENTRY ntlm_FreeCredentialsHandle(PCredHandle phCredential)
444{
445 if (!phCredential)
446 return SEC_E_INVALID_HANDLE;
447
448 SSPI_CREDENTIALS* credentials =
449 (SSPI_CREDENTIALS*)sspi_SecureHandleGetLowerPointer(phCredential);
450
451 if (!credentials)
452 return SEC_E_INVALID_HANDLE;
453
454 sspi_CredentialsFree(credentials);
455 return SEC_E_OK;
456}
457
458static SECURITY_STATUS SEC_ENTRY ntlm_QueryCredentialsAttributesW(
459 WINPR_ATTR_UNUSED PCredHandle phCredential, WINPR_ATTR_UNUSED ULONG ulAttribute,
460 WINPR_ATTR_UNUSED void* pBuffer)
461{
462 if (ulAttribute == SECPKG_CRED_ATTR_NAMES)
463 {
464 return SEC_E_OK;
465 }
466
467 WLog_ERR(TAG, "TODO: Implement");
468 return SEC_E_UNSUPPORTED_FUNCTION;
469}
470
471static SECURITY_STATUS SEC_ENTRY ntlm_QueryCredentialsAttributesA(PCredHandle phCredential,
472 ULONG ulAttribute, void* pBuffer)
473{
474 return ntlm_QueryCredentialsAttributesW(phCredential, ulAttribute, pBuffer);
475}
476
480static SECURITY_STATUS SEC_ENTRY ntlm_AcceptSecurityContext(
481 PCredHandle phCredential, PCtxtHandle phContext, PSecBufferDesc pInput, ULONG fContextReq,
482 WINPR_ATTR_UNUSED ULONG TargetDataRep, PCtxtHandle phNewContext, PSecBufferDesc pOutput,
483 WINPR_ATTR_UNUSED PULONG pfContextAttr, WINPR_ATTR_UNUSED PTimeStamp ptsTimeStamp)
484{
485 SECURITY_STATUS status = 0;
486 SSPI_CREDENTIALS* credentials = NULL;
487 PSecBuffer input_buffer = NULL;
488 PSecBuffer output_buffer = NULL;
489
490 /* behave like windows SSPIs that don't want empty context */
491 if (phContext && !phContext->dwLower && !phContext->dwUpper)
492 return SEC_E_INVALID_HANDLE;
493
494 NTLM_CONTEXT* context = (NTLM_CONTEXT*)sspi_SecureHandleGetLowerPointer(phContext);
495
496 if (!context)
497 {
498 context = ntlm_ContextNew();
499
500 if (!context)
501 return SEC_E_INSUFFICIENT_MEMORY;
502
503 context->server = TRUE;
504
505 if (fContextReq & ASC_REQ_CONFIDENTIALITY)
506 context->confidentiality = TRUE;
507
508 credentials = (SSPI_CREDENTIALS*)sspi_SecureHandleGetLowerPointer(phCredential);
509 context->credentials = credentials;
510 context->SamFile = credentials->ntlmSettings.samFile;
511 context->HashCallback = credentials->ntlmSettings.hashCallback;
512 context->HashCallbackArg = credentials->ntlmSettings.hashCallbackArg;
513
514 ntlm_SetContextTargetName(context, NULL);
515 sspi_SecureHandleSetLowerPointer(phNewContext, context);
516 sspi_SecureHandleSetUpperPointer(phNewContext, (void*)NTLM_PACKAGE_NAME);
517 }
518
519 switch (ntlm_get_state(context))
520 {
521 case NTLM_STATE_INITIAL:
522 {
523 ntlm_change_state(context, NTLM_STATE_NEGOTIATE);
524
525 if (!pInput)
526 return SEC_E_INVALID_TOKEN;
527
528 if (pInput->cBuffers < 1)
529 return SEC_E_INVALID_TOKEN;
530
531 input_buffer = sspi_FindSecBuffer(pInput, SECBUFFER_TOKEN);
532
533 if (!input_buffer)
534 return SEC_E_INVALID_TOKEN;
535
536 if (input_buffer->cbBuffer < 1)
537 return SEC_E_INVALID_TOKEN;
538
539 status = ntlm_read_NegotiateMessage(context, input_buffer);
540 if (status != SEC_I_CONTINUE_NEEDED)
541 return status;
542
543 if (ntlm_get_state(context) == NTLM_STATE_CHALLENGE)
544 {
545 if (!pOutput)
546 return SEC_E_INVALID_TOKEN;
547
548 if (pOutput->cBuffers < 1)
549 return SEC_E_INVALID_TOKEN;
550
551 output_buffer = sspi_FindSecBuffer(pOutput, SECBUFFER_TOKEN);
552
553 if (!output_buffer->BufferType)
554 return SEC_E_INVALID_TOKEN;
555
556 if (output_buffer->cbBuffer < 1)
557 return SEC_E_INSUFFICIENT_MEMORY;
558
559 return ntlm_write_ChallengeMessage(context, output_buffer);
560 }
561
562 return SEC_E_OUT_OF_SEQUENCE;
563 }
564
565 case NTLM_STATE_AUTHENTICATE:
566 {
567 if (!pInput)
568 return SEC_E_INVALID_TOKEN;
569
570 if (pInput->cBuffers < 1)
571 return SEC_E_INVALID_TOKEN;
572
573 input_buffer = sspi_FindSecBuffer(pInput, SECBUFFER_TOKEN);
574
575 if (!input_buffer)
576 return SEC_E_INVALID_TOKEN;
577
578 if (input_buffer->cbBuffer < 1)
579 return SEC_E_INVALID_TOKEN;
580
581 status = ntlm_read_AuthenticateMessage(context, input_buffer);
582
583 if (pOutput)
584 {
585 for (ULONG i = 0; i < pOutput->cBuffers; i++)
586 {
587 pOutput->pBuffers[i].cbBuffer = 0;
588 pOutput->pBuffers[i].BufferType = SECBUFFER_TOKEN;
589 }
590 }
591
592 return status;
593 }
594
595 default:
596 return SEC_E_OUT_OF_SEQUENCE;
597 }
598}
599
600static SECURITY_STATUS SEC_ENTRY
601ntlm_ImpersonateSecurityContext(WINPR_ATTR_UNUSED PCtxtHandle phContext)
602{
603 return SEC_E_OK;
604}
605
606static SECURITY_STATUS SEC_ENTRY ntlm_InitializeSecurityContextW(
607 PCredHandle phCredential, PCtxtHandle phContext, SEC_WCHAR* pszTargetName, ULONG fContextReq,
608 WINPR_ATTR_UNUSED ULONG Reserved1, WINPR_ATTR_UNUSED ULONG TargetDataRep, PSecBufferDesc pInput,
609 WINPR_ATTR_UNUSED ULONG Reserved2, PCtxtHandle phNewContext, PSecBufferDesc pOutput,
610 WINPR_ATTR_UNUSED PULONG pfContextAttr, WINPR_ATTR_UNUSED PTimeStamp ptsExpiry)
611{
612 SECURITY_STATUS status = 0;
613 SSPI_CREDENTIALS* credentials = NULL;
614 PSecBuffer input_buffer = NULL;
615 PSecBuffer output_buffer = NULL;
616
617 /* behave like windows SSPIs that don't want empty context */
618 if (phContext && !phContext->dwLower && !phContext->dwUpper)
619 return SEC_E_INVALID_HANDLE;
620
621 NTLM_CONTEXT* context = (NTLM_CONTEXT*)sspi_SecureHandleGetLowerPointer(phContext);
622
623 if (pInput)
624 {
625 input_buffer = sspi_FindSecBuffer(pInput, SECBUFFER_TOKEN);
626 }
627
628 if (!context)
629 {
630 context = ntlm_ContextNew();
631
632 if (!context)
633 return SEC_E_INSUFFICIENT_MEMORY;
634
635 if (fContextReq & ISC_REQ_CONFIDENTIALITY)
636 context->confidentiality = TRUE;
637
638 credentials = (SSPI_CREDENTIALS*)sspi_SecureHandleGetLowerPointer(phCredential);
639 context->credentials = credentials;
640
641 if (context->Workstation.Length < 1)
642 {
643 if (ntlm_SetContextWorkstation(context, NULL) < 0)
644 {
645 ntlm_ContextFree(context);
646 return SEC_E_INTERNAL_ERROR;
647 }
648 }
649
650 if (ntlm_SetContextServicePrincipalNameW(context, pszTargetName) < 0)
651 {
652 ntlm_ContextFree(context);
653 return SEC_E_INTERNAL_ERROR;
654 }
655
656 sspi_SecureHandleSetLowerPointer(phNewContext, context);
657 sspi_SecureHandleSetUpperPointer(phNewContext, NTLM_SSP_NAME);
658 }
659
660 if ((!input_buffer) || (ntlm_get_state(context) == NTLM_STATE_AUTHENTICATE))
661 {
662 if (!pOutput)
663 return SEC_E_INVALID_TOKEN;
664
665 if (pOutput->cBuffers < 1)
666 return SEC_E_INVALID_TOKEN;
667
668 output_buffer = sspi_FindSecBuffer(pOutput, SECBUFFER_TOKEN);
669
670 if (!output_buffer)
671 return SEC_E_INVALID_TOKEN;
672
673 if (output_buffer->cbBuffer < 1)
674 return SEC_E_INVALID_TOKEN;
675
676 if (ntlm_get_state(context) == NTLM_STATE_INITIAL)
677 ntlm_change_state(context, NTLM_STATE_NEGOTIATE);
678
679 if (ntlm_get_state(context) == NTLM_STATE_NEGOTIATE)
680 return ntlm_write_NegotiateMessage(context, output_buffer);
681
682 return SEC_E_OUT_OF_SEQUENCE;
683 }
684 else
685 {
686 if (!input_buffer)
687 return SEC_E_INVALID_TOKEN;
688
689 if (input_buffer->cbBuffer < 1)
690 return SEC_E_INVALID_TOKEN;
691
692 PSecBuffer channel_bindings = sspi_FindSecBuffer(pInput, SECBUFFER_CHANNEL_BINDINGS);
693
694 if (channel_bindings)
695 {
696 context->Bindings.BindingsLength = channel_bindings->cbBuffer;
697 context->Bindings.Bindings = (SEC_CHANNEL_BINDINGS*)channel_bindings->pvBuffer;
698 }
699
700 if (ntlm_get_state(context) == NTLM_STATE_CHALLENGE)
701 {
702 status = ntlm_read_ChallengeMessage(context, input_buffer);
703
704 if (status != SEC_I_CONTINUE_NEEDED)
705 return status;
706
707 if (!pOutput)
708 return SEC_E_INVALID_TOKEN;
709
710 if (pOutput->cBuffers < 1)
711 return SEC_E_INVALID_TOKEN;
712
713 output_buffer = sspi_FindSecBuffer(pOutput, SECBUFFER_TOKEN);
714
715 if (!output_buffer)
716 return SEC_E_INVALID_TOKEN;
717
718 if (output_buffer->cbBuffer < 1)
719 return SEC_E_INSUFFICIENT_MEMORY;
720
721 if (ntlm_get_state(context) == NTLM_STATE_AUTHENTICATE)
722 return ntlm_write_AuthenticateMessage(context, output_buffer);
723 }
724
725 return SEC_E_OUT_OF_SEQUENCE;
726 }
727
728 return SEC_E_OUT_OF_SEQUENCE;
729}
730
734static SECURITY_STATUS SEC_ENTRY ntlm_InitializeSecurityContextA(
735 PCredHandle phCredential, PCtxtHandle phContext, SEC_CHAR* pszTargetName, ULONG fContextReq,
736 ULONG Reserved1, ULONG TargetDataRep, PSecBufferDesc pInput, ULONG Reserved2,
737 PCtxtHandle phNewContext, PSecBufferDesc pOutput, PULONG pfContextAttr, PTimeStamp ptsExpiry)
738{
739 SECURITY_STATUS status = 0;
740 SEC_WCHAR* pszTargetNameW = NULL;
741
742 if (pszTargetName)
743 {
744 pszTargetNameW = ConvertUtf8ToWCharAlloc(pszTargetName, NULL);
745 if (!pszTargetNameW)
746 return SEC_E_INTERNAL_ERROR;
747 }
748
749 status = ntlm_InitializeSecurityContextW(phCredential, phContext, pszTargetNameW, fContextReq,
750 Reserved1, TargetDataRep, pInput, Reserved2,
751 phNewContext, pOutput, pfContextAttr, ptsExpiry);
752 free(pszTargetNameW);
753 return status;
754}
755
756/* http://msdn.microsoft.com/en-us/library/windows/desktop/aa375354 */
757
758static SECURITY_STATUS SEC_ENTRY ntlm_DeleteSecurityContext(PCtxtHandle phContext)
759{
760 NTLM_CONTEXT* context = (NTLM_CONTEXT*)sspi_SecureHandleGetLowerPointer(phContext);
761 ntlm_ContextFree(context);
762 return SEC_E_OK;
763}
764
765SECURITY_STATUS ntlm_computeProofValue(NTLM_CONTEXT* ntlm, SecBuffer* ntproof)
766{
767 BYTE* blob = NULL;
768 SecBuffer* target = NULL;
769
770 WINPR_ASSERT(ntlm);
771 WINPR_ASSERT(ntproof);
772
773 target = &ntlm->ChallengeTargetInfo;
774
775 if (!sspi_SecBufferAlloc(ntproof, 36 + target->cbBuffer))
776 return SEC_E_INSUFFICIENT_MEMORY;
777
778 blob = (BYTE*)ntproof->pvBuffer;
779 CopyMemory(blob, ntlm->ServerChallenge, 8); /* Server challenge. */
780 blob[8] = 1; /* Response version. */
781 blob[9] = 1; /* Highest response version understood by the client. */
782 /* Reserved 6B. */
783 CopyMemory(&blob[16], ntlm->Timestamp, 8); /* Time. */
784 CopyMemory(&blob[24], ntlm->ClientChallenge, 8); /* Client challenge. */
785 /* Reserved 4B. */
786 /* Server name. */
787 CopyMemory(&blob[36], target->pvBuffer, target->cbBuffer);
788 return SEC_E_OK;
789}
790
791SECURITY_STATUS ntlm_computeMicValue(NTLM_CONTEXT* ntlm, SecBuffer* micvalue)
792{
793 BYTE* blob = NULL;
794 ULONG msgSize = 0;
795
796 WINPR_ASSERT(ntlm);
797 WINPR_ASSERT(micvalue);
798
799 msgSize = ntlm->NegotiateMessage.cbBuffer + ntlm->ChallengeMessage.cbBuffer +
800 ntlm->AuthenticateMessage.cbBuffer;
801
802 if (!sspi_SecBufferAlloc(micvalue, msgSize))
803 return SEC_E_INSUFFICIENT_MEMORY;
804
805 blob = (BYTE*)micvalue->pvBuffer;
806 CopyMemory(blob, ntlm->NegotiateMessage.pvBuffer, ntlm->NegotiateMessage.cbBuffer);
807 blob += ntlm->NegotiateMessage.cbBuffer;
808 CopyMemory(blob, ntlm->ChallengeMessage.pvBuffer, ntlm->ChallengeMessage.cbBuffer);
809 blob += ntlm->ChallengeMessage.cbBuffer;
810 CopyMemory(blob, ntlm->AuthenticateMessage.pvBuffer, ntlm->AuthenticateMessage.cbBuffer);
811 blob += ntlm->MessageIntegrityCheckOffset;
812 ZeroMemory(blob, 16);
813 return SEC_E_OK;
814}
815
816/* http://msdn.microsoft.com/en-us/library/windows/desktop/aa379337/ */
817
818static SECURITY_STATUS SEC_ENTRY ntlm_QueryContextAttributesW(PCtxtHandle phContext,
819 ULONG ulAttribute, void* pBuffer)
820{
821 if (!phContext)
822 return SEC_E_INVALID_HANDLE;
823
824 if (!pBuffer)
825 return SEC_E_INSUFFICIENT_MEMORY;
826
827 NTLM_CONTEXT* context = (NTLM_CONTEXT*)sspi_SecureHandleGetLowerPointer(phContext);
828 if (!check_context(context))
829 return SEC_E_INVALID_HANDLE;
830
831 if (ulAttribute == SECPKG_ATTR_SIZES)
832 {
833 SecPkgContext_Sizes* ContextSizes = (SecPkgContext_Sizes*)pBuffer;
834 ContextSizes->cbMaxToken = 2010;
835 ContextSizes->cbMaxSignature = 16; /* the size of expected signature is 16 bytes */
836 ContextSizes->cbBlockSize = 0; /* no padding */
837 ContextSizes->cbSecurityTrailer = 16; /* no security trailer appended in NTLM
838 contrary to Kerberos */
839 return SEC_E_OK;
840 }
841 else if (ulAttribute == SECPKG_ATTR_AUTH_IDENTITY)
842 {
843 SSPI_CREDENTIALS* credentials = NULL;
844 const SecPkgContext_AuthIdentity empty = { 0 };
845 SecPkgContext_AuthIdentity* AuthIdentity = (SecPkgContext_AuthIdentity*)pBuffer;
846
847 WINPR_ASSERT(AuthIdentity);
848 *AuthIdentity = empty;
849
850 context->UseSamFileDatabase = FALSE;
851 credentials = context->credentials;
852
853 if (credentials->identity.UserLength > 0)
854 {
855 if (ConvertWCharNToUtf8(credentials->identity.User, credentials->identity.UserLength,
856 AuthIdentity->User, ARRAYSIZE(AuthIdentity->User)) <= 0)
857 return SEC_E_INTERNAL_ERROR;
858 }
859
860 if (credentials->identity.DomainLength > 0)
861 {
862 if (ConvertWCharNToUtf8(credentials->identity.Domain,
863 credentials->identity.DomainLength, AuthIdentity->Domain,
864 ARRAYSIZE(AuthIdentity->Domain)) <= 0)
865 return SEC_E_INTERNAL_ERROR;
866 }
867
868 return SEC_E_OK;
869 }
870 else if (ulAttribute == SECPKG_ATTR_AUTH_NTLM_NTPROOF_VALUE)
871 {
872 return ntlm_computeProofValue(context, (SecBuffer*)pBuffer);
873 }
874 else if (ulAttribute == SECPKG_ATTR_AUTH_NTLM_RANDKEY)
875 {
876 SecBuffer* randkey = NULL;
877 randkey = (SecBuffer*)pBuffer;
878
879 if (!sspi_SecBufferAlloc(randkey, 16))
880 return (SEC_E_INSUFFICIENT_MEMORY);
881
882 CopyMemory(randkey->pvBuffer, context->EncryptedRandomSessionKey, 16);
883 return (SEC_E_OK);
884 }
885 else if (ulAttribute == SECPKG_ATTR_AUTH_NTLM_MIC)
886 {
887 SecBuffer* mic = (SecBuffer*)pBuffer;
888 NTLM_AUTHENTICATE_MESSAGE* message = &context->AUTHENTICATE_MESSAGE;
889
890 if (!sspi_SecBufferAlloc(mic, 16))
891 return (SEC_E_INSUFFICIENT_MEMORY);
892
893 CopyMemory(mic->pvBuffer, message->MessageIntegrityCheck, 16);
894 return (SEC_E_OK);
895 }
896 else if (ulAttribute == SECPKG_ATTR_AUTH_NTLM_MIC_VALUE)
897 {
898 return ntlm_computeMicValue(context, (SecBuffer*)pBuffer);
899 }
900 else if (ulAttribute == SECPKG_ATTR_PACKAGE_INFO)
901 {
902 SecPkgContext_PackageInfo* PackageInfo = (SecPkgContext_PackageInfo*)pBuffer;
903 size_t size = sizeof(SecPkgInfoA);
904 SecPkgInfoA* pPackageInfo =
905 (SecPkgInfoA*)sspi_ContextBufferAlloc(QuerySecurityPackageInfoIndex, size);
906
907 if (!pPackageInfo)
908 return SEC_E_INSUFFICIENT_MEMORY;
909
910 pPackageInfo->fCapabilities = NTLM_SecPkgInfoA.fCapabilities;
911 pPackageInfo->wVersion = NTLM_SecPkgInfoA.wVersion;
912 pPackageInfo->wRPCID = NTLM_SecPkgInfoA.wRPCID;
913 pPackageInfo->cbMaxToken = NTLM_SecPkgInfoA.cbMaxToken;
914 pPackageInfo->Name = _strdup(NTLM_SecPkgInfoA.Name);
915 pPackageInfo->Comment = _strdup(NTLM_SecPkgInfoA.Comment);
916
917 if (!pPackageInfo->Name || !pPackageInfo->Comment)
918 {
919 sspi_ContextBufferFree(pPackageInfo);
920 return SEC_E_INSUFFICIENT_MEMORY;
921 }
922 PackageInfo->PackageInfo = pPackageInfo;
923 return SEC_E_OK;
924 }
925
926 WLog_ERR(TAG, "TODO: Implement ulAttribute=0x%08" PRIx32, ulAttribute);
927 return SEC_E_UNSUPPORTED_FUNCTION;
928}
929
930static SECURITY_STATUS SEC_ENTRY ntlm_QueryContextAttributesA(PCtxtHandle phContext,
931 ULONG ulAttribute, void* pBuffer)
932{
933 return ntlm_QueryContextAttributesW(phContext, ulAttribute, pBuffer);
934}
935
936static SECURITY_STATUS SEC_ENTRY ntlm_SetContextAttributesW(PCtxtHandle phContext,
937 ULONG ulAttribute, void* pBuffer,
938 ULONG cbBuffer)
939{
940 if (!phContext)
941 return SEC_E_INVALID_HANDLE;
942
943 if (!pBuffer)
944 return SEC_E_INVALID_PARAMETER;
945
946 NTLM_CONTEXT* context = (NTLM_CONTEXT*)sspi_SecureHandleGetLowerPointer(phContext);
947 if (!context)
948 return SEC_E_INVALID_HANDLE;
949
950 if (ulAttribute == SECPKG_ATTR_AUTH_NTLM_HASH)
951 {
952 SecPkgContext_AuthNtlmHash* AuthNtlmHash = (SecPkgContext_AuthNtlmHash*)pBuffer;
953
954 if (cbBuffer < sizeof(SecPkgContext_AuthNtlmHash))
955 return SEC_E_INVALID_PARAMETER;
956
957 if (AuthNtlmHash->Version == 1)
958 CopyMemory(context->NtlmHash, AuthNtlmHash->NtlmHash, 16);
959 else if (AuthNtlmHash->Version == 2)
960 CopyMemory(context->NtlmV2Hash, AuthNtlmHash->NtlmHash, 16);
961
962 return SEC_E_OK;
963 }
964 else if (ulAttribute == SECPKG_ATTR_AUTH_NTLM_MESSAGE)
965 {
966 SecPkgContext_AuthNtlmMessage* AuthNtlmMessage = (SecPkgContext_AuthNtlmMessage*)pBuffer;
967
968 if (cbBuffer < sizeof(SecPkgContext_AuthNtlmMessage))
969 return SEC_E_INVALID_PARAMETER;
970
971 if (AuthNtlmMessage->type == 1)
972 {
973 sspi_SecBufferFree(&context->NegotiateMessage);
974
975 if (!sspi_SecBufferAlloc(&context->NegotiateMessage, AuthNtlmMessage->length))
976 return SEC_E_INSUFFICIENT_MEMORY;
977
978 CopyMemory(context->NegotiateMessage.pvBuffer, AuthNtlmMessage->buffer,
979 AuthNtlmMessage->length);
980 }
981 else if (AuthNtlmMessage->type == 2)
982 {
983 sspi_SecBufferFree(&context->ChallengeMessage);
984
985 if (!sspi_SecBufferAlloc(&context->ChallengeMessage, AuthNtlmMessage->length))
986 return SEC_E_INSUFFICIENT_MEMORY;
987
988 CopyMemory(context->ChallengeMessage.pvBuffer, AuthNtlmMessage->buffer,
989 AuthNtlmMessage->length);
990 }
991 else if (AuthNtlmMessage->type == 3)
992 {
993 sspi_SecBufferFree(&context->AuthenticateMessage);
994
995 if (!sspi_SecBufferAlloc(&context->AuthenticateMessage, AuthNtlmMessage->length))
996 return SEC_E_INSUFFICIENT_MEMORY;
997
998 CopyMemory(context->AuthenticateMessage.pvBuffer, AuthNtlmMessage->buffer,
999 AuthNtlmMessage->length);
1000 }
1001
1002 return SEC_E_OK;
1003 }
1004 else if (ulAttribute == SECPKG_ATTR_AUTH_NTLM_TIMESTAMP)
1005 {
1006 SecPkgContext_AuthNtlmTimestamp* AuthNtlmTimestamp =
1007 (SecPkgContext_AuthNtlmTimestamp*)pBuffer;
1008
1009 if (cbBuffer < sizeof(SecPkgContext_AuthNtlmTimestamp))
1010 return SEC_E_INVALID_PARAMETER;
1011
1012 if (AuthNtlmTimestamp->ChallengeOrResponse)
1013 CopyMemory(context->ChallengeTimestamp, AuthNtlmTimestamp->Timestamp, 8);
1014 else
1015 CopyMemory(context->Timestamp, AuthNtlmTimestamp->Timestamp, 8);
1016
1017 return SEC_E_OK;
1018 }
1019 else if (ulAttribute == SECPKG_ATTR_AUTH_NTLM_CLIENT_CHALLENGE)
1020 {
1021 SecPkgContext_AuthNtlmClientChallenge* AuthNtlmClientChallenge =
1022 (SecPkgContext_AuthNtlmClientChallenge*)pBuffer;
1023
1024 if (cbBuffer < sizeof(SecPkgContext_AuthNtlmClientChallenge))
1025 return SEC_E_INVALID_PARAMETER;
1026
1027 CopyMemory(context->ClientChallenge, AuthNtlmClientChallenge->ClientChallenge, 8);
1028 return SEC_E_OK;
1029 }
1030 else if (ulAttribute == SECPKG_ATTR_AUTH_NTLM_SERVER_CHALLENGE)
1031 {
1032 SecPkgContext_AuthNtlmServerChallenge* AuthNtlmServerChallenge =
1033 (SecPkgContext_AuthNtlmServerChallenge*)pBuffer;
1034
1035 if (cbBuffer < sizeof(SecPkgContext_AuthNtlmServerChallenge))
1036 return SEC_E_INVALID_PARAMETER;
1037
1038 CopyMemory(context->ServerChallenge, AuthNtlmServerChallenge->ServerChallenge, 8);
1039 return SEC_E_OK;
1040 }
1041
1042 WLog_ERR(TAG, "TODO: Implement ulAttribute=%08" PRIx32, ulAttribute);
1043 return SEC_E_UNSUPPORTED_FUNCTION;
1044}
1045
1046static SECURITY_STATUS SEC_ENTRY ntlm_SetContextAttributesA(PCtxtHandle phContext,
1047 ULONG ulAttribute, void* pBuffer,
1048 ULONG cbBuffer)
1049{
1050 return ntlm_SetContextAttributesW(phContext, ulAttribute, pBuffer, cbBuffer);
1051}
1052
1053static SECURITY_STATUS SEC_ENTRY ntlm_SetCredentialsAttributesW(
1054 WINPR_ATTR_UNUSED PCredHandle phCredential, WINPR_ATTR_UNUSED ULONG ulAttribute,
1055 WINPR_ATTR_UNUSED void* pBuffer, WINPR_ATTR_UNUSED ULONG cbBuffer)
1056{
1057 return SEC_E_UNSUPPORTED_FUNCTION;
1058}
1059
1060static SECURITY_STATUS SEC_ENTRY ntlm_SetCredentialsAttributesA(
1061 WINPR_ATTR_UNUSED PCredHandle phCredential, WINPR_ATTR_UNUSED ULONG ulAttribute,
1062 WINPR_ATTR_UNUSED void* pBuffer, WINPR_ATTR_UNUSED ULONG cbBuffer)
1063{
1064 return SEC_E_UNSUPPORTED_FUNCTION;
1065}
1066
1067static SECURITY_STATUS SEC_ENTRY ntlm_RevertSecurityContext(WINPR_ATTR_UNUSED PCtxtHandle phContext)
1068{
1069 return SEC_E_OK;
1070}
1071
1072static SECURITY_STATUS SEC_ENTRY ntlm_EncryptMessage(PCtxtHandle phContext,
1073 WINPR_ATTR_UNUSED ULONG fQOP,
1074 PSecBufferDesc pMessage, ULONG MessageSeqNo)
1075{
1076 const UINT32 SeqNo = MessageSeqNo;
1077 UINT32 value = 0;
1078 BYTE digest[WINPR_MD5_DIGEST_LENGTH] = { 0 };
1079 BYTE checksum[8] = { 0 };
1080 ULONG version = 1;
1081 PSecBuffer data_buffer = NULL;
1082 PSecBuffer signature_buffer = NULL;
1083 NTLM_CONTEXT* context = (NTLM_CONTEXT*)sspi_SecureHandleGetLowerPointer(phContext);
1084 if (!check_context(context))
1085 return SEC_E_INVALID_HANDLE;
1086
1087 for (ULONG index = 0; index < pMessage->cBuffers; index++)
1088 {
1089 SecBuffer* cur = &pMessage->pBuffers[index];
1090
1091 if (cur->BufferType & SECBUFFER_DATA)
1092 data_buffer = cur;
1093 else if (cur->BufferType & SECBUFFER_TOKEN)
1094 signature_buffer = cur;
1095 }
1096
1097 if (!data_buffer)
1098 return SEC_E_INVALID_TOKEN;
1099
1100 if (!signature_buffer)
1101 return SEC_E_INVALID_TOKEN;
1102
1103 /* Copy original data buffer */
1104 ULONG length = data_buffer->cbBuffer;
1105 void* data = malloc(length);
1106
1107 if (!data)
1108 return SEC_E_INSUFFICIENT_MEMORY;
1109
1110 CopyMemory(data, data_buffer->pvBuffer, length);
1111 /* Compute the HMAC-MD5 hash of ConcatenationOf(seq_num,data) using the client signing key */
1112 WINPR_HMAC_CTX* hmac = winpr_HMAC_New();
1113
1114 if (hmac &&
1115 winpr_HMAC_Init(hmac, WINPR_MD_MD5, context->SendSigningKey, WINPR_MD5_DIGEST_LENGTH))
1116 {
1117 winpr_Data_Write_UINT32(&value, SeqNo);
1118 winpr_HMAC_Update(hmac, (void*)&value, 4);
1119 winpr_HMAC_Update(hmac, data, length);
1120 winpr_HMAC_Final(hmac, digest, WINPR_MD5_DIGEST_LENGTH);
1121 winpr_HMAC_Free(hmac);
1122 }
1123 else
1124 {
1125 winpr_HMAC_Free(hmac);
1126 free(data);
1127 return SEC_E_INSUFFICIENT_MEMORY;
1128 }
1129
1130 /* Encrypt message using with RC4, result overwrites original buffer */
1131 if ((data_buffer->BufferType & SECBUFFER_READONLY) == 0)
1132 {
1133 if (context->confidentiality)
1134 winpr_RC4_Update(context->SendRc4Seal, length, (BYTE*)data,
1135 (BYTE*)data_buffer->pvBuffer);
1136 else
1137 CopyMemory(data_buffer->pvBuffer, data, length);
1138 }
1139
1140#ifdef WITH_DEBUG_NTLM
1141 WLog_DBG(TAG, "Data Buffer (length = %" PRIuz ")", length);
1142 winpr_HexDump(TAG, WLOG_DEBUG, data, length);
1143 WLog_DBG(TAG, "Encrypted Data Buffer (length = %" PRIu32 ")", data_buffer->cbBuffer);
1144 winpr_HexDump(TAG, WLOG_DEBUG, data_buffer->pvBuffer, data_buffer->cbBuffer);
1145#endif
1146 free(data);
1147 /* RC4-encrypt first 8 bytes of digest */
1148 winpr_RC4_Update(context->SendRc4Seal, 8, digest, checksum);
1149 if ((signature_buffer->BufferType & SECBUFFER_READONLY) == 0)
1150 {
1151 BYTE* signature = signature_buffer->pvBuffer;
1152 /* Concatenate version, ciphertext and sequence number to build signature */
1153 winpr_Data_Write_UINT32(signature, version);
1154 CopyMemory(&signature[4], (void*)checksum, 8);
1155 winpr_Data_Write_UINT32(&signature[12], SeqNo);
1156 }
1157 context->SendSeqNum++;
1158#ifdef WITH_DEBUG_NTLM
1159 WLog_DBG(TAG, "Signature (length = %" PRIu32 ")", signature_buffer->cbBuffer);
1160 winpr_HexDump(TAG, WLOG_DEBUG, signature_buffer->pvBuffer, signature_buffer->cbBuffer);
1161#endif
1162 return SEC_E_OK;
1163}
1164
1165static SECURITY_STATUS SEC_ENTRY ntlm_DecryptMessage(PCtxtHandle phContext, PSecBufferDesc pMessage,
1166 ULONG MessageSeqNo,
1167 WINPR_ATTR_UNUSED PULONG pfQOP)
1168{
1169 const UINT32 SeqNo = (UINT32)MessageSeqNo;
1170 UINT32 value = 0;
1171 BYTE digest[WINPR_MD5_DIGEST_LENGTH] = { 0 };
1172 BYTE checksum[8] = { 0 };
1173 UINT32 version = 1;
1174 BYTE expected_signature[WINPR_MD5_DIGEST_LENGTH] = { 0 };
1175 PSecBuffer data_buffer = NULL;
1176 PSecBuffer signature_buffer = NULL;
1177 NTLM_CONTEXT* context = (NTLM_CONTEXT*)sspi_SecureHandleGetLowerPointer(phContext);
1178 if (!check_context(context))
1179 return SEC_E_INVALID_HANDLE;
1180
1181 for (ULONG index = 0; index < pMessage->cBuffers; index++)
1182 {
1183 if (pMessage->pBuffers[index].BufferType == SECBUFFER_DATA)
1184 data_buffer = &pMessage->pBuffers[index];
1185 else if (pMessage->pBuffers[index].BufferType == SECBUFFER_TOKEN)
1186 signature_buffer = &pMessage->pBuffers[index];
1187 }
1188
1189 if (!data_buffer)
1190 return SEC_E_INVALID_TOKEN;
1191
1192 if (!signature_buffer)
1193 return SEC_E_INVALID_TOKEN;
1194
1195 /* Copy original data buffer */
1196 const ULONG length = data_buffer->cbBuffer;
1197 void* data = malloc(length);
1198
1199 if (!data)
1200 return SEC_E_INSUFFICIENT_MEMORY;
1201
1202 CopyMemory(data, data_buffer->pvBuffer, length);
1203
1204 /* Decrypt message using with RC4, result overwrites original buffer */
1205
1206 if (context->confidentiality)
1207 winpr_RC4_Update(context->RecvRc4Seal, length, (BYTE*)data, (BYTE*)data_buffer->pvBuffer);
1208 else
1209 CopyMemory(data_buffer->pvBuffer, data, length);
1210
1211 /* Compute the HMAC-MD5 hash of ConcatenationOf(seq_num,data) using the client signing key */
1212 WINPR_HMAC_CTX* hmac = winpr_HMAC_New();
1213
1214 if (hmac &&
1215 winpr_HMAC_Init(hmac, WINPR_MD_MD5, context->RecvSigningKey, WINPR_MD5_DIGEST_LENGTH))
1216 {
1217 winpr_Data_Write_UINT32(&value, SeqNo);
1218 winpr_HMAC_Update(hmac, (void*)&value, 4);
1219 winpr_HMAC_Update(hmac, data_buffer->pvBuffer, data_buffer->cbBuffer);
1220 winpr_HMAC_Final(hmac, digest, WINPR_MD5_DIGEST_LENGTH);
1221 winpr_HMAC_Free(hmac);
1222 }
1223 else
1224 {
1225 winpr_HMAC_Free(hmac);
1226 free(data);
1227 return SEC_E_INSUFFICIENT_MEMORY;
1228 }
1229
1230#ifdef WITH_DEBUG_NTLM
1231 WLog_DBG(TAG, "Encrypted Data Buffer (length = %" PRIuz ")", length);
1232 winpr_HexDump(TAG, WLOG_DEBUG, data, length);
1233 WLog_DBG(TAG, "Data Buffer (length = %" PRIu32 ")", data_buffer->cbBuffer);
1234 winpr_HexDump(TAG, WLOG_DEBUG, data_buffer->pvBuffer, data_buffer->cbBuffer);
1235#endif
1236 free(data);
1237 /* RC4-encrypt first 8 bytes of digest */
1238 winpr_RC4_Update(context->RecvRc4Seal, 8, digest, checksum);
1239 /* Concatenate version, ciphertext and sequence number to build signature */
1240 winpr_Data_Write_UINT32(expected_signature, version);
1241 CopyMemory(&expected_signature[4], (void*)checksum, 8);
1242 winpr_Data_Write_UINT32(&expected_signature[12], SeqNo);
1243 context->RecvSeqNum++;
1244
1245 if (memcmp(signature_buffer->pvBuffer, expected_signature, 16) != 0)
1246 {
1247 /* signature verification failed! */
1248 WLog_ERR(TAG, "signature verification failed, something nasty is going on!");
1249#ifdef WITH_DEBUG_NTLM
1250 WLog_ERR(TAG, "Expected Signature:");
1251 winpr_HexDump(TAG, WLOG_ERROR, expected_signature, 16);
1252 WLog_ERR(TAG, "Actual Signature:");
1253 winpr_HexDump(TAG, WLOG_ERROR, (BYTE*)signature_buffer->pvBuffer, 16);
1254#endif
1255 return SEC_E_MESSAGE_ALTERED;
1256 }
1257
1258 return SEC_E_OK;
1259}
1260
1261static SECURITY_STATUS SEC_ENTRY ntlm_MakeSignature(PCtxtHandle phContext,
1262 WINPR_ATTR_UNUSED ULONG fQOP,
1263 PSecBufferDesc pMessage, ULONG MessageSeqNo)
1264{
1265 PSecBuffer data_buffer = NULL;
1266 PSecBuffer sig_buffer = NULL;
1267 UINT32 seq_no = 0;
1268 BYTE digest[WINPR_MD5_DIGEST_LENGTH] = { 0 };
1269 BYTE checksum[8] = { 0 };
1270
1271 NTLM_CONTEXT* context = sspi_SecureHandleGetLowerPointer(phContext);
1272 if (!check_context(context))
1273 return SEC_E_INVALID_HANDLE;
1274
1275 for (ULONG i = 0; i < pMessage->cBuffers; i++)
1276 {
1277 if (pMessage->pBuffers[i].BufferType == SECBUFFER_DATA)
1278 data_buffer = &pMessage->pBuffers[i];
1279 else if (pMessage->pBuffers[i].BufferType == SECBUFFER_TOKEN)
1280 sig_buffer = &pMessage->pBuffers[i];
1281 }
1282
1283 if (!data_buffer || !sig_buffer)
1284 return SEC_E_INVALID_TOKEN;
1285
1286 WINPR_HMAC_CTX* hmac = winpr_HMAC_New();
1287
1288 if (!winpr_HMAC_Init(hmac, WINPR_MD_MD5, context->SendSigningKey, WINPR_MD5_DIGEST_LENGTH))
1289 {
1290 winpr_HMAC_Free(hmac);
1291 return SEC_E_INTERNAL_ERROR;
1292 }
1293
1294 winpr_Data_Write_UINT32(&seq_no, MessageSeqNo);
1295 winpr_HMAC_Update(hmac, (BYTE*)&seq_no, 4);
1296 winpr_HMAC_Update(hmac, data_buffer->pvBuffer, data_buffer->cbBuffer);
1297 winpr_HMAC_Final(hmac, digest, WINPR_MD5_DIGEST_LENGTH);
1298 winpr_HMAC_Free(hmac);
1299
1300 winpr_RC4_Update(context->SendRc4Seal, 8, digest, checksum);
1301
1302 BYTE* signature = sig_buffer->pvBuffer;
1303 winpr_Data_Write_UINT32(signature, 1L);
1304 CopyMemory(&signature[4], checksum, 8);
1305 winpr_Data_Write_UINT32(&signature[12], seq_no);
1306 sig_buffer->cbBuffer = 16;
1307
1308 return SEC_E_OK;
1309}
1310
1311static SECURITY_STATUS SEC_ENTRY ntlm_VerifySignature(PCtxtHandle phContext,
1312 PSecBufferDesc pMessage, ULONG MessageSeqNo,
1313 WINPR_ATTR_UNUSED PULONG pfQOP)
1314{
1315 PSecBuffer data_buffer = NULL;
1316 PSecBuffer sig_buffer = NULL;
1317 UINT32 seq_no = 0;
1318 BYTE digest[WINPR_MD5_DIGEST_LENGTH] = { 0 };
1319 BYTE checksum[8] = { 0 };
1320 BYTE signature[16] = { 0 };
1321
1322 NTLM_CONTEXT* context = sspi_SecureHandleGetLowerPointer(phContext);
1323 if (!check_context(context))
1324 return SEC_E_INVALID_HANDLE;
1325
1326 for (ULONG i = 0; i < pMessage->cBuffers; i++)
1327 {
1328 if (pMessage->pBuffers[i].BufferType == SECBUFFER_DATA)
1329 data_buffer = &pMessage->pBuffers[i];
1330 else if (pMessage->pBuffers[i].BufferType == SECBUFFER_TOKEN)
1331 sig_buffer = &pMessage->pBuffers[i];
1332 }
1333
1334 if (!data_buffer || !sig_buffer)
1335 return SEC_E_INVALID_TOKEN;
1336
1337 WINPR_HMAC_CTX* hmac = winpr_HMAC_New();
1338
1339 if (!winpr_HMAC_Init(hmac, WINPR_MD_MD5, context->RecvSigningKey, WINPR_MD5_DIGEST_LENGTH))
1340 {
1341 winpr_HMAC_Free(hmac);
1342 return SEC_E_INTERNAL_ERROR;
1343 }
1344
1345 winpr_Data_Write_UINT32(&seq_no, MessageSeqNo);
1346 winpr_HMAC_Update(hmac, (BYTE*)&seq_no, 4);
1347 winpr_HMAC_Update(hmac, data_buffer->pvBuffer, data_buffer->cbBuffer);
1348 winpr_HMAC_Final(hmac, digest, WINPR_MD5_DIGEST_LENGTH);
1349 winpr_HMAC_Free(hmac);
1350
1351 winpr_RC4_Update(context->RecvRc4Seal, 8, digest, checksum);
1352
1353 winpr_Data_Write_UINT32(signature, 1L);
1354 CopyMemory(&signature[4], checksum, 8);
1355 winpr_Data_Write_UINT32(&signature[12], seq_no);
1356
1357 if (memcmp(sig_buffer->pvBuffer, signature, 16) != 0)
1358 return SEC_E_MESSAGE_ALTERED;
1359
1360 return SEC_E_OK;
1361}
1362
1363const SecurityFunctionTableA NTLM_SecurityFunctionTableA = {
1364 3, /* dwVersion */
1365 NULL, /* EnumerateSecurityPackages */
1366 ntlm_QueryCredentialsAttributesA, /* QueryCredentialsAttributes */
1367 ntlm_AcquireCredentialsHandleA, /* AcquireCredentialsHandle */
1368 ntlm_FreeCredentialsHandle, /* FreeCredentialsHandle */
1369 NULL, /* Reserved2 */
1370 ntlm_InitializeSecurityContextA, /* InitializeSecurityContext */
1371 ntlm_AcceptSecurityContext, /* AcceptSecurityContext */
1372 NULL, /* CompleteAuthToken */
1373 ntlm_DeleteSecurityContext, /* DeleteSecurityContext */
1374 NULL, /* ApplyControlToken */
1375 ntlm_QueryContextAttributesA, /* QueryContextAttributes */
1376 ntlm_ImpersonateSecurityContext, /* ImpersonateSecurityContext */
1377 ntlm_RevertSecurityContext, /* RevertSecurityContext */
1378 ntlm_MakeSignature, /* MakeSignature */
1379 ntlm_VerifySignature, /* VerifySignature */
1380 NULL, /* FreeContextBuffer */
1381 NULL, /* QuerySecurityPackageInfo */
1382 NULL, /* Reserved3 */
1383 NULL, /* Reserved4 */
1384 NULL, /* ExportSecurityContext */
1385 NULL, /* ImportSecurityContext */
1386 NULL, /* AddCredentials */
1387 NULL, /* Reserved8 */
1388 NULL, /* QuerySecurityContextToken */
1389 ntlm_EncryptMessage, /* EncryptMessage */
1390 ntlm_DecryptMessage, /* DecryptMessage */
1391 ntlm_SetContextAttributesA, /* SetContextAttributes */
1392 ntlm_SetCredentialsAttributesA, /* SetCredentialsAttributes */
1393};
1394
1395const SecurityFunctionTableW NTLM_SecurityFunctionTableW = {
1396 3, /* dwVersion */
1397 NULL, /* EnumerateSecurityPackages */
1398 ntlm_QueryCredentialsAttributesW, /* QueryCredentialsAttributes */
1399 ntlm_AcquireCredentialsHandleW, /* AcquireCredentialsHandle */
1400 ntlm_FreeCredentialsHandle, /* FreeCredentialsHandle */
1401 NULL, /* Reserved2 */
1402 ntlm_InitializeSecurityContextW, /* InitializeSecurityContext */
1403 ntlm_AcceptSecurityContext, /* AcceptSecurityContext */
1404 NULL, /* CompleteAuthToken */
1405 ntlm_DeleteSecurityContext, /* DeleteSecurityContext */
1406 NULL, /* ApplyControlToken */
1407 ntlm_QueryContextAttributesW, /* QueryContextAttributes */
1408 ntlm_ImpersonateSecurityContext, /* ImpersonateSecurityContext */
1409 ntlm_RevertSecurityContext, /* RevertSecurityContext */
1410 ntlm_MakeSignature, /* MakeSignature */
1411 ntlm_VerifySignature, /* VerifySignature */
1412 NULL, /* FreeContextBuffer */
1413 NULL, /* QuerySecurityPackageInfo */
1414 NULL, /* Reserved3 */
1415 NULL, /* Reserved4 */
1416 NULL, /* ExportSecurityContext */
1417 NULL, /* ImportSecurityContext */
1418 NULL, /* AddCredentials */
1419 NULL, /* Reserved8 */
1420 NULL, /* QuerySecurityContextToken */
1421 ntlm_EncryptMessage, /* EncryptMessage */
1422 ntlm_DecryptMessage, /* DecryptMessage */
1423 ntlm_SetContextAttributesW, /* SetContextAttributes */
1424 ntlm_SetCredentialsAttributesW, /* SetCredentialsAttributes */
1425};
1426
1427const SecPkgInfoA NTLM_SecPkgInfoA = {
1428 0x00082B37, /* fCapabilities */
1429 1, /* wVersion */
1430 0x000A, /* wRPCID */
1431 0x00000B48, /* cbMaxToken */
1432 "NTLM", /* Name */
1433 "NTLM Security Package" /* Comment */
1434};
1435
1436static WCHAR NTLM_SecPkgInfoW_NameBuffer[32] = { 0 };
1437static WCHAR NTLM_SecPkgInfoW_CommentBuffer[32] = { 0 };
1438
1439const SecPkgInfoW NTLM_SecPkgInfoW = {
1440 0x00082B37, /* fCapabilities */
1441 1, /* wVersion */
1442 0x000A, /* wRPCID */
1443 0x00000B48, /* cbMaxToken */
1444 NTLM_SecPkgInfoW_NameBuffer, /* Name */
1445 NTLM_SecPkgInfoW_CommentBuffer /* Comment */
1446};
1447
1448char* ntlm_negotiate_flags_string(char* buffer, size_t size, UINT32 flags)
1449{
1450 if (!buffer || (size == 0))
1451 return buffer;
1452
1453 (void)_snprintf(buffer, size, "[0x%08" PRIx32 "] ", flags);
1454
1455 for (int x = 0; x < 31; x++)
1456 {
1457 const UINT32 mask = 1 << x;
1458 size_t len = strnlen(buffer, size);
1459 if (flags & mask)
1460 {
1461 const char* str = ntlm_get_negotiate_string(mask);
1462 const size_t flen = strlen(str);
1463
1464 if ((len > 0) && (buffer[len - 1] != ' '))
1465 {
1466 if (size - len < 1)
1467 break;
1468 winpr_str_append("|", buffer, size, NULL);
1469 len++;
1470 }
1471
1472 if (size - len < flen)
1473 break;
1474 winpr_str_append(str, buffer, size, NULL);
1475 }
1476 }
1477
1478 return buffer;
1479}
1480
1481const char* ntlm_message_type_string(UINT32 messageType)
1482{
1483 switch (messageType)
1484 {
1485 case MESSAGE_TYPE_NEGOTIATE:
1486 return "MESSAGE_TYPE_NEGOTIATE";
1487 case MESSAGE_TYPE_CHALLENGE:
1488 return "MESSAGE_TYPE_CHALLENGE";
1489 case MESSAGE_TYPE_AUTHENTICATE:
1490 return "MESSAGE_TYPE_AUTHENTICATE";
1491 default:
1492 return "MESSAGE_TYPE_UNKNOWN";
1493 }
1494}
1495
1496const char* ntlm_state_string(NTLM_STATE state)
1497{
1498 switch (state)
1499 {
1500 case NTLM_STATE_INITIAL:
1501 return "NTLM_STATE_INITIAL";
1502 case NTLM_STATE_NEGOTIATE:
1503 return "NTLM_STATE_NEGOTIATE";
1504 case NTLM_STATE_CHALLENGE:
1505 return "NTLM_STATE_CHALLENGE";
1506 case NTLM_STATE_AUTHENTICATE:
1507 return "NTLM_STATE_AUTHENTICATE";
1508 case NTLM_STATE_FINAL:
1509 return "NTLM_STATE_FINAL";
1510 default:
1511 return "NTLM_STATE_UNKNOWN";
1512 }
1513}
1514void ntlm_change_state(NTLM_CONTEXT* ntlm, NTLM_STATE state)
1515{
1516 WINPR_ASSERT(ntlm);
1517 WLog_DBG(TAG, "change state from %s to %s", ntlm_state_string(ntlm->state),
1518 ntlm_state_string(state));
1519 ntlm->state = state;
1520}
1521
1522NTLM_STATE ntlm_get_state(NTLM_CONTEXT* ntlm)
1523{
1524 WINPR_ASSERT(ntlm);
1525 return ntlm->state;
1526}
1527
1528BOOL ntlm_reset_cipher_state(PSecHandle phContext)
1529{
1530 NTLM_CONTEXT* context = sspi_SecureHandleGetLowerPointer(phContext);
1531
1532 if (context)
1533 {
1534 check_context(context);
1535 winpr_RC4_Free(context->SendRc4Seal);
1536 winpr_RC4_Free(context->RecvRc4Seal);
1537 context->SendRc4Seal = winpr_RC4_New(context->RecvSealingKey, 16);
1538 context->RecvRc4Seal = winpr_RC4_New(context->SendSealingKey, 16);
1539
1540 if (!context->SendRc4Seal)
1541 {
1542 WLog_ERR(TAG, "Failed to allocate context->SendRc4Seal");
1543 return FALSE;
1544 }
1545 if (!context->RecvRc4Seal)
1546 {
1547 WLog_ERR(TAG, "Failed to allocate context->RecvRc4Seal");
1548 return FALSE;
1549 }
1550 }
1551
1552 return TRUE;
1553}
1554
1555BOOL NTLM_init(void)
1556{
1557 InitializeConstWCharFromUtf8(NTLM_SecPkgInfoA.Name, NTLM_SecPkgInfoW_NameBuffer,
1558 ARRAYSIZE(NTLM_SecPkgInfoW_NameBuffer));
1559 InitializeConstWCharFromUtf8(NTLM_SecPkgInfoA.Comment, NTLM_SecPkgInfoW_CommentBuffer,
1560 ARRAYSIZE(NTLM_SecPkgInfoW_CommentBuffer));
1561
1562 return TRUE;
1563}
NTLM_AUTHENTICATE_MESSAGE
Definition libwinpr/sspi/NTLM/ntlm.h:206
NTLM_CONTEXT
Definition libwinpr/sspi/NTLM/ntlm.h:220
SECURITY_INTEGER
Definition include/winpr/sspi.h:51
SEC_CHANNEL_BINDINGS
Definition include/winpr/sspi.h:349
SEC_WINNT_AUTH_IDENTITY_WINPR
Definition include/winpr/sspi.h:885
SEC_WINPR_NTLM_SETTINGS
Definition include/winpr/sspi.h:863
SSPI_CREDENTIALS
Definition libwinpr/sspi/sspi.h:32
SecPkgContext_AuthIdentity
Definition include/winpr/sspi.h:1342
SecPkgContext_AuthNtlmClientChallenge
Definition include/winpr/sspi.h:1365
SecPkgContext_AuthNtlmHash
Definition include/winpr/sspi.h:1353
SecPkgContext_AuthNtlmMessage
Definition include/winpr/sspi.h:1375
SecPkgContext_AuthNtlmServerChallenge
Definition include/winpr/sspi.h:1370
SecPkgContext_AuthNtlmTimestamp
Definition include/winpr/sspi.h:1359
SecPkgContext_PackageInfo
Definition include/winpr/sspi.h:404
SecPkgContext_Sizes
Definition include/winpr/sspi.h:427
SEC_WINNT_AUTH_IDENTITY_INFO
Definition include/winpr/sspi.h:783