int credssp_authenticate(rdpCredssp* credssp)
{
NTLMSSP* ntlmssp = credssp->ntlmssp;
STREAM* s = stream_new(0);
uint8* negoTokenBuffer = (uint8*) xmalloc(2048);
if (credssp_ntlmssp_init(credssp) == 0)
return 0;
if (credssp_get_public_key(credssp) == 0)
return 0;
/* NTLMSSP NEGOTIATE MESSAGE */
s->p = s->data = negoTokenBuffer;
ntlmssp_send(ntlmssp, s);
credssp->negoToken.data = s->data;
credssp->negoToken.length = s->p - s->data;
credssp_send(credssp, &credssp->negoToken, NULL, NULL);
/* NTLMSSP CHALLENGE MESSAGE */
if (credssp_recv(credssp, &credssp->negoToken, NULL, NULL) < 0)
return -1;
s->p = s->data = credssp->negoToken.data;
ntlmssp_recv(ntlmssp, s);
freerdp_blob_free(&credssp->negoToken);
/* NTLMSSP AUTHENTICATE MESSAGE */
s->p = s->data = negoTokenBuffer;
ntlmssp_send(ntlmssp, s);
/* The last NTLMSSP message is sent with the encrypted public key */
credssp->negoToken.data = s->data;
credssp->negoToken.length = s->p - s->data;
credssp_encrypt_public_key(credssp, &credssp->pubKeyAuth);
credssp_send(credssp, &credssp->negoToken, NULL, &credssp->pubKeyAuth);
/* Encrypted Public Key +1 */
if (credssp_recv(credssp, &credssp->negoToken, NULL, &credssp->pubKeyAuth) < 0)
return -1;
if (credssp_verify_public_key(credssp, &credssp->pubKeyAuth) == 0)
{
/* Failed to verify server public key echo */
return 0; /* DO NOT SEND CREDENTIALS! */
}
freerdp_blob_free(&credssp->negoToken);
freerdp_blob_free(&credssp->pubKeyAuth);
/* Send encrypted credentials */
credssp_encode_ts_credentials(credssp);
credssp_encrypt_ts_credentials(credssp, &credssp->authInfo);
credssp_send(credssp, NULL, &credssp->authInfo, NULL);
xfree(s);
return 1;
}
tbool rpch_in_connect_http(rdpRpch* rpch)
{
rdpTls* tls_in = rpch->tls_in;
rdpSettings* settings = rpch->settings;
rdpRpchHTTP* http_in = rpch->http_in;
NTLMSSP* http_in_ntlmssp = http_in->ntht;
STREAM* ntlmssp_stream;
STREAM* http_stream;
int decoded_ntht_length;
int encoded_ntht_length = 0;
int bytes;
uint8* decoded_ntht_data;
uint8* encoded_ntht_data = NULL;
char* ntlm_text;
LLOGLN(10, ("rpch_in_connect_http:"));
ntlmssp_stream = stream_new(0xFFFF);
http_stream = stream_new(0xFFFF);
ntlmssp_set_username(http_in_ntlmssp, settings->tsg_username);
ntlmssp_set_password(http_in_ntlmssp, settings->tsg_password);
ntlmssp_set_domain(http_in_ntlmssp, settings->tsg_domain);
ntlmssp_set_workstation(http_in_ntlmssp, "WORKSTATION"); /* TODO insert proper w.name */
LLOGLN(10, ("rpch_in_connect_http: tsg_username %s tsg_password %s tsg_domain %s",
settings->tsg_username, settings->tsg_password, settings->tsg_domain));
ntlmssp_send(http_in_ntlmssp, ntlmssp_stream);
decoded_ntht_length = (int) (ntlmssp_stream->p - ntlmssp_stream->data);
decoded_ntht_data = (uint8*) xmalloc(decoded_ntht_length);
ntlmssp_stream->p = ntlmssp_stream->data;
stream_read(ntlmssp_stream, decoded_ntht_data, decoded_ntht_length);
stream_clear(ntlmssp_stream);
ntlmssp_stream->p = ntlmssp_stream->data;
crypto_base64_encode(decoded_ntht_data, decoded_ntht_length, &encoded_ntht_data, &encoded_ntht_length);
stream_write(http_stream, "RPC_IN_DATA /rpc/rpcproxy.dll?localhost:3388 HTTP/1.1\n", 54);
stream_write(http_stream, "Accept: application/rpc\n", 24);
stream_write(http_stream, "Cache-Control: no-cache\n", 24);
stream_write(http_stream, "Connection: Keep-Alive\n", 23);
stream_write(http_stream, "Content-Length: 0\n", 18);
stream_write(http_stream, "User-Agent: MSRPC\n", 18);
stream_write(http_stream, "Host: ", 6);
stream_write(http_stream, settings->tsg_server, strlen(settings->tsg_server));
stream_write(http_stream, "\n", 1);
stream_write(http_stream, "Pragma: ResourceTypeUuid=44e265dd-7daf-42cd-8560-3cdb6e7a2729, SessionId=33ad20ac-7469-4f63-946d-113eac21a23c\n", 110);
stream_write(http_stream, "Authorization: NTLM ", 20);
stream_write(http_stream, encoded_ntht_data, encoded_ntht_length);
stream_write(http_stream, "\n\n", 2);
LLOGLN(10, ("rpch_in_connect_http: sending\n%s", http_stream->data));
DEBUG_RPCH("\nSend:\n%s\n", http_stream->data);
bytes = (int) (http_stream->p - http_stream->data);
tls_write(tls_in, http_stream->data, bytes);
stream_clear(http_stream);
http_stream->p = http_stream->data;
xfree(decoded_ntht_data);
encoded_ntht_length = -1;
xfree(encoded_ntht_data);
encoded_ntht_data = NULL;
http_in->contentLength = 0;
LLOGLN(10, ("rpch_in_connect_http: 1"));
stream_free(http_stream);
http_stream = read_http(tls_in, NULL, true);
if (http_stream == NULL)
{
LLOGLN(0, ("rpch_in_connect_http: error http_stream is nil"));
return false;
}
ntlm_text = strstr((char*)(http_stream->data), "NTLM ");
if (ntlm_text != NULL)
{
encoded_ntht_data = (uint8*)(ntlm_text + 5);
encoded_ntht_length = 0;
while (encoded_ntht_data[encoded_ntht_length] != '\r' &&
encoded_ntht_data[encoded_ntht_length] != '\n')
{
encoded_ntht_length++;
}
}
LLOGLN(0, ("rpch_in_connect_http: encoded_ntht_length %d encoded_ntht_data %s",
encoded_ntht_length, encoded_ntht_data));
if (encoded_ntht_length < 1) /* No NTLM data was found */
{
LLOGLN(0, ("rpch_in_connect_http: error encoded_ntht_length < 1"));
return false;
}
http_stream->p = http_stream->data;
crypto_base64_decode(encoded_ntht_data, encoded_ntht_length,
&decoded_ntht_data, &decoded_ntht_length);
stream_write(ntlmssp_stream, decoded_ntht_data, decoded_ntht_length);
ntlmssp_stream->p = ntlmssp_stream->data;
xfree(decoded_ntht_data);
ntlmssp_recv(http_in_ntlmssp, ntlmssp_stream);
stream_clear(ntlmssp_stream);
ntlmssp_stream->p = ntlmssp_stream->data;
ntlmssp_send(http_in_ntlmssp, ntlmssp_stream);
decoded_ntht_length = (int) (ntlmssp_stream->p - ntlmssp_stream->data);
decoded_ntht_data = (uint8*) xmalloc(decoded_ntht_length);
ntlmssp_stream->p = ntlmssp_stream->data;
stream_read(ntlmssp_stream, decoded_ntht_data, decoded_ntht_length);
stream_clear(ntlmssp_stream);
ntlmssp_stream->p = ntlmssp_stream->data;
crypto_base64_encode(decoded_ntht_data, decoded_ntht_length, &encoded_ntht_data, &encoded_ntht_length);
stream_write(http_stream, "RPC_IN_DATA /rpc/rpcproxy.dll?localhost:3388 HTTP/1.1\n", 54);
stream_write(http_stream, "Accept: application/rpc\n", 24);
stream_write(http_stream, "Cache-Control: no-cache\n", 24);
stream_write(http_stream, "Connection: Keep-Alive\n", 23);
stream_write(http_stream, "Content-Length: 1073741824\n", 27);
stream_write(http_stream, "User-Agent: MSRPC\n", 18);
stream_write(http_stream, "Host: ", 6);
stream_write(http_stream, settings->tsg_server, strlen(settings->tsg_server));
stream_write(http_stream, "\n", 1);
stream_write(http_stream, "Pragma: ResourceTypeUuid=44e265dd-7daf-42cd-8560-3cdb6e7a2729, SessionId=33ad20ac-7469-4f63-946d-113eac21a23c\n", 110);
stream_write(http_stream, "Authorization: NTLM ", 20);
stream_write(http_stream, encoded_ntht_data, encoded_ntht_length);
stream_write(http_stream, "\n\n", 2);
http_in->contentLength = 1073741824;
http_in->remContentLength = 1073741824;
DEBUG_RPCH("\nSend:\n%s\n", http_stream->data);
tls_write(tls_in, http_stream->data, http_stream->p - http_stream->data);
stream_clear(http_stream);
http_stream->p = http_stream->data;
xfree(decoded_ntht_data);
xfree(encoded_ntht_data);
/* At this point IN connection is ready to send CONN/B1 and start with sending data */
http_in->state = RPCH_HTTP_SENDING;
LLOGLN(10, ("rpch_in_connect_http: out"));
return true;
}
