nego->state = NEGO_STATE_FAIL;
}
- if (!nego->NegotiateSecurityLayer_enabled)
+ if (!nego->NegotiateSecurityLayer)
{
DEBUG_NEGO("Security Layer Negotiation is disabled");
/* attempt only the highest enabled protocol (see nego_attempt_*) */
{
nego_tcp_connect(nego);
- if (nego->tcp_connected && !nego->NegotiateSecurityLayer_enabled)
+ if (nego->tcp_connected && !nego->NegotiateSecurityLayer)
return nego_security_connect(nego);
return nego->tcp_connected;
* @param enable_rdp whether to enable security layer negotiation (TRUE for enabled, FALSE for disabled)
*/
-void nego_set_negotiation_enabled(rdpNego* nego, BOOL NegotiateSecurityLayer_enabled)
+void nego_set_negotiation_enabled(rdpNego* nego, BOOL NegotiateSecurityLayer)
{
- DEBUG_NEGO("Enabling security layer negotiation: %s", NegotiateSecurityLayer_enabled ? "TRUE" : "FALSE");
- nego->NegotiateSecurityLayer_enabled = NegotiateSecurityLayer_enabled;
+ DEBUG_NEGO("Enabling security layer negotiation: %s", NegotiateSecurityLayer ? "TRUE" : "FALSE");
+ nego->NegotiateSecurityLayer = NegotiateSecurityLayer;
}
/**
UINT32 selected_protocol;
UINT32 requested_protocols;
- BOOL NegotiateSecurityLayer_enabled;
+ BOOL NegotiateSecurityLayer;
BYTE enabled_protocols[16];
rdpTransport* transport;
if (credssp_authenticate(transport->credssp) < 0)
{
- if (!connectErrorCode)
- connectErrorCode = AUTHENTICATIONERROR;
+ if (!connectErrorCode)
+ connectErrorCode = AUTHENTICATIONERROR;
printf("Authentication failure, check credentials.\n"
"If credentials are valid, the NTLMSSP implementation may be to blame.\n");
free(cert);
}
-static void tls_md5_update_uint32_be(MD5_CTX* md5, UINT32 num)
-{
- BYTE be32[4];
-
- be32[0] = (num >> 0) & 0xFF;
- be32[1] = (num >> 8) & 0xFF;
- be32[2] = (num >> 16) & 0xFF;
- be32[3] = (num >> 24) & 0xFF;
-
- MD5_Update(md5, be32, 4);
-}
-
-BYTE* tls_get_channel_bindings_hash(SecPkgContext_Bindings* Bindings)
-{
- MD5_CTX md5;
- BYTE* ChannelBindingToken;
- UINT32 ChannelBindingTokenLength;
- BYTE* ChannelBindingsHash;
- UINT32 ChannelBindingsHashLength;
- SEC_CHANNEL_BINDINGS* ChannelBindings;
-
- ChannelBindings = Bindings->Bindings;
- ChannelBindingTokenLength = Bindings->BindingsLength - sizeof(SEC_CHANNEL_BINDINGS);
- ChannelBindingToken = &((BYTE*) ChannelBindings)[ChannelBindings->dwApplicationDataOffset];
-
- ChannelBindingsHashLength = 16;
- ChannelBindingsHash = (BYTE*) malloc(ChannelBindingsHashLength);
- ZeroMemory(ChannelBindingsHash, ChannelBindingsHashLength);
-
- MD5_Init(&md5);
-
- tls_md5_update_uint32_be(&md5, ChannelBindings->dwInitiatorAddrType);
- tls_md5_update_uint32_be(&md5, ChannelBindings->cbInitiatorLength);
- tls_md5_update_uint32_be(&md5, ChannelBindings->dwAcceptorAddrType);
- tls_md5_update_uint32_be(&md5, ChannelBindings->cbAcceptorLength);
- tls_md5_update_uint32_be(&md5, ChannelBindings->cbApplicationDataLength);
-
- MD5_Update(&md5, (void*) ChannelBindingToken, ChannelBindingTokenLength);
-
- MD5_Final(ChannelBindingsHash, &md5);
-
- return ChannelBindingsHash;
-}
-
#define TLS_SERVER_END_POINT "tls-server-end-point:"
SecPkgContext_Bindings* tls_get_channel_bindings(X509* cert)
PWSTR Buffer;
} LSA_UNICODE_STRING, *PLSA_UNICODE_STRING, UNICODE_STRING, *PUNICODE_STRING;
+/**
+ * Windows Integrity Mechanism Design:
+ * http://msdn.microsoft.com/en-us/library/bb625963.aspx
+ */
+
+#define SECURITY_MANDATORY_UNTRUSTED_RID 0x0000
+#define SECURITY_MANDATORY_LOW_RID 0x1000
+#define SECURITY_MANDATORY_MEDIUM_RID 0x2000
+#define SECURITY_MANDATORY_HIGH_RID 0x3000
+#define SECURITY_MANDATORY_SYSTEM_RID 0x4000
+
#endif /* WINPR_SECURITY_H */
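Review bot: The five SECURITY_MANDATORY_*_RID macros added just above the closing `#endif /* WINPR_SECURITY_H */` carry no redefinition guard, so if this header is ever included alongside the platform `<winnt.h>` on a Windows build, where the same names are already defined, every one of them will produce a redefinition warning (an error under -Werror). Wrap the group in `#ifndef SECURITY_MANDATORY_UNTRUSTED_RID` … `#endif`, or move it into whatever `#ifndef _WIN32` section this header uses, if it has one — that part of the file is not visible in this hunk. The values themselves match the Windows definitions as far as I recall; the same set there also includes SECURITY_MANDATORY_MEDIUM_PLUS_RID (0x2100) and SECURITY_MANDATORY_PROTECTED_PROCESS_RID (0x5000), which belong here too if the intent is API parity with the Windows header.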
MD5_Final(context->ChannelBindingsHash, &md5);
}
-BYTE ntlm_MachineID[32] =
- "\x00\x11\x22\x33\x44\x55\x66\x77\x88\x99\xAA\xBB\xCC\xDD\xEE\xFF"
- "\x00\x11\x22\x33\x44\x55\x66\x77\x88\x99\xAA\xBB\xCC\xDD\xEE\xFF";
-
void ntlm_compute_single_host_data(NTLM_CONTEXT* context)
{
+ /**
+ * The Single_Host_Data structure allows a client to send machine-specific information
+ * within an authentication exchange to services on the same machine. The client can
+ * produce additional information to be processed in an implementation-specific way when
+ * the client and server are on the same host. If the server and client platforms are
+ * different or if they are on different hosts, then the information MUST be ignored.
+ * Any fields after the MachineID field MUST be ignored on receipt.
+ */
+
context->SingleHostData.Size = 48;
context->SingleHostData.Z4 = 0;
context->SingleHostData.DataPresent = 1;
- context->SingleHostData.CustomData = 0x2000;
- CopyMemory(context->SingleHostData.MachineID, ntlm_MachineID, 32);
+ context->SingleHostData.CustomData = SECURITY_MANDATORY_MEDIUM_RID;
+ FillMemory(context->SingleHostData.MachineID, 32, 0xAA);
}
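Review bot: `FillMemory(context->SingleHostData.MachineID, 32, 0xAA);` on the new side replaces one hard-coded MachineID with another, so every client built from this code still emits the identical 32-byte identifier in its MsvAvSingleHost pair; my reading of MS-NLMP is that MachineID is meant to be a random value generated per machine startup, so a constant is both non-conforming and a stable fingerprint for anyone observing the exchange, even though a peer on a different host is required to ignore it. The `MD5_Final` call in the context above suggests OpenSSL is already linked in this file, so the minimal fix is `if (!RAND_bytes(context->SingleHostData.MachineID, 32)) FillMemory(context->SingleHostData.MachineID, 32, 0);` with `#include <openssl/rand.h>`, or better a process-wide buffer filled once on first use to match the per-boot semantics. The new comment block is useful, but it should also state that `CustomData = SECURITY_MANDATORY_MEDIUM_RID` is a fixed assumption about the caller's integrity level rather than a value queried from the OS, so nobody later mistakes it for a measured property.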
void ntlm_construct_challenge_target_info(NTLM_CONTEXT* context)
AvPairsValueLength += 4;
}
+ if (context->SendSingleHostData)
+ {
+ AvPairsCount++; /* MsvAvSingleHost */
+ ntlm_compute_single_host_data(context);
+ AvPairsValueLength += context->SingleHostData.Size;
+ }
+
/**
* Extended Protection for Authentication:
* http://blogs.technet.com/b/srd/archive/2009/12/08/extended-protection-for-authentication.aspx
AvPairsCount++; /* MsvAvTargetName */
AvPairsValueLength += context->ServicePrincipalName.Length;
}
-
- if (context->SendSingleHostData)
- {
- AvPairsCount++; /* MsvAvSingleHost */
- ntlm_compute_single_host_data(context);
- AvPairsValueLength += context->SingleHostData.Size;
- }
}
size = ntlm_av_pair_list_size(AvPairsCount, AvPairsValueLength);
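Review bot: The `if (context->SendSingleHostData)` accounting is moved ahead of the extended-protection and target-name pairs without a comment saying why the position matters, so a later reader cannot tell whether the order is required by the peer or merely cosmetic. Add a one-line note on the moved block, e.g. `/* MsvAvSingleHost goes before MsvChannelBindings/MsvAvTargetName; presumably mirrors the pair order Windows clients emit — verify against a capture */`, and point out that this block and the matching `ntlm_av_pair_add(..., MsvAvSingleHost, ...)` further down must stay under the same condition, since `ntlm_av_pair_list_size` sizes the buffer from the count computed here. The enclosing function starts and ends outside this hunk.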
ntlm_av_pair_add(AuthenticateTargetInfo, MsvAvFlags, (PBYTE) &flags, 4);
}
+ if (context->SendSingleHostData)
+ {
+ ntlm_av_pair_add(AuthenticateTargetInfo, MsvAvSingleHost,
+ (PBYTE) &context->SingleHostData, context->SingleHostData.Size);
+ }
+
if (!context->SuppressExtendedProtection)
{
ntlm_av_pair_add(AuthenticateTargetInfo, MsvChannelBindings, context->ChannelBindingsHash, 16);
(PBYTE) context->ServicePrincipalName.Buffer,
context->ServicePrincipalName.Length);
}
-
- if (context->SendSingleHostData)
- {
- ntlm_av_pair_add(AuthenticateTargetInfo, MsvAvSingleHost,
- (PBYTE) &context->SingleHostData, context->SingleHostData.Size);
- }
}
if (context->NTLMv2)