Fixed a range of BER boundary encoding bugs which would occur when any NLA packet hit the 127 character mark. Removed ber#get_content_length as it was not behaving deterministically.

This commit is contained in:
Simon Engledew 2013-05-21 16:06:00 +01:00
parent ab7d1746d8
commit 0dc22d5a30
3 changed files with 148 additions and 152 deletions

View File

@ -54,10 +54,9 @@
FREERDP_API BOOL ber_read_length(wStream* s, int* length);
FREERDP_API int ber_write_length(wStream* s, int length);
FREERDP_API int _ber_skip_length(int length);
FREERDP_API int ber_get_content_length(int length);
FREERDP_API int _ber_sizeof_length(int length);
FREERDP_API BOOL ber_read_universal_tag(wStream* s, BYTE tag, BOOL pc);
FREERDP_API void ber_write_universal_tag(wStream* s, BYTE tag, BOOL pc);
FREERDP_API int ber_write_universal_tag(wStream* s, BYTE tag, BOOL pc);
FREERDP_API BOOL ber_read_application_tag(wStream* s, BYTE tag, int* length);
FREERDP_API void ber_write_application_tag(wStream* s, BYTE tag, int length);
FREERDP_API BOOL ber_read_application_tag(wStream* s, BYTE tag, int* length);
@ -65,21 +64,21 @@ FREERDP_API BOOL ber_read_enumerated(wStream* s, BYTE* enumerated, BYTE count);
FREERDP_API void ber_write_enumerated(wStream* s, BYTE enumerated, BYTE count);
FREERDP_API BOOL ber_read_contextual_tag(wStream* s, BYTE tag, int* length, BOOL pc);
FREERDP_API int ber_write_contextual_tag(wStream* s, BYTE tag, int length, BOOL pc);
FREERDP_API int ber_skip_contextual_tag(int length);
FREERDP_API int ber_sizeof_contextual_tag(int length);
FREERDP_API BOOL ber_read_sequence_tag(wStream* s, int* length);
FREERDP_API int ber_write_sequence_tag(wStream* s, int length);
FREERDP_API int ber_skip_sequence(int length);
FREERDP_API int ber_skip_sequence_tag(int length);
FREERDP_API int ber_sizeof_sequence(int length);
FREERDP_API int ber_sizeof_sequence_tag(int length);
FREERDP_API BOOL ber_read_bit_string(wStream* s, int* length, BYTE* padding);
FREERDP_API void ber_write_octet_string(wStream* s, const BYTE* oct_str, int length);
FREERDP_API int ber_write_octet_string(wStream* s, const BYTE* oct_str, int length);
FREERDP_API BOOL ber_read_octet_string_tag(wStream* s, int* length);
FREERDP_API int ber_write_octet_string_tag(wStream* s, int length);
FREERDP_API int ber_skip_octet_string(int length);
FREERDP_API int ber_sizeof_octet_string(int length);
FREERDP_API BOOL ber_read_BOOL(wStream* s, BOOL* value);
FREERDP_API void ber_write_BOOL(wStream* s, BOOL value);
FREERDP_API BOOL ber_read_integer(wStream* s, UINT32* value);
FREERDP_API int ber_write_integer(wStream* s, UINT32 value);
FREERDP_API BOOL ber_read_integer_length(wStream* s, int* length);
FREERDP_API int ber_skip_integer(UINT32 value);
FREERDP_API int ber_sizeof_integer(UINT32 value);
#endif /* FREERDP_CRYPTO_BER_H */

View File

@ -101,6 +101,9 @@ SECURITY_STATUS credssp_decrypt_public_key_echo(rdpCredssp* credssp);
SECURITY_STATUS credssp_encrypt_ts_credentials(rdpCredssp* credssp);
SECURITY_STATUS credssp_decrypt_ts_credentials(rdpCredssp* credssp);
#define ber_sizeof_sequence_octet_string(length) ber_sizeof_contextual_tag(ber_sizeof_octet_string(length)) + ber_sizeof_octet_string(length)
#define ber_write_sequence_octet_string(stream, context, value, length) ber_write_contextual_tag(stream, context, ber_sizeof_octet_string(length), TRUE) + ber_write_octet_string(stream, value, length)
/**
* Initialize NTLMSSP authentication module (client).
* @param credssp
@ -783,24 +786,24 @@ SECURITY_STATUS credssp_decrypt_public_key_echo(rdpCredssp* credssp)
return SEC_E_OK;
}
int credssp_skip_ts_password_creds(rdpCredssp* credssp)
int credssp_sizeof_ts_password_creds(rdpCredssp* credssp)
{
int length;
int ts_password_creds_length = 0;
length = ber_skip_octet_string(credssp->identity.DomainLength * 2);
length += ber_skip_contextual_tag(length);
length = ber_sizeof_octet_string(credssp->identity.DomainLength * 2);
length += ber_sizeof_contextual_tag(length);
ts_password_creds_length += length;
length = ber_skip_octet_string(credssp->identity.UserLength * 2);
length += ber_skip_contextual_tag(length);
length = ber_sizeof_octet_string(credssp->identity.UserLength * 2);
length += ber_sizeof_contextual_tag(length);
ts_password_creds_length += length;
length = ber_skip_octet_string(credssp->identity.PasswordLength * 2);
length += ber_skip_contextual_tag(length);
length = ber_sizeof_octet_string(credssp->identity.PasswordLength * 2);
length += ber_sizeof_contextual_tag(length);
ts_password_creds_length += length;
length = ber_skip_sequence(ts_password_creds_length);
length = ber_sizeof_sequence(ts_password_creds_length);
return length;
}
@ -842,47 +845,41 @@ void credssp_read_ts_password_creds(rdpCredssp* credssp, wStream* s)
credssp->identity.Flags = SEC_WINNT_AUTH_IDENTITY_UNICODE;
}
void credssp_write_ts_password_creds(rdpCredssp* credssp, wStream* s)
int credssp_write_ts_password_creds(rdpCredssp* credssp, wStream* s)
{
int length;
int size = 0;
int innerSize = credssp_sizeof_ts_password_creds(credssp);
length = credssp_skip_ts_password_creds(credssp);
/* TSPasswordCreds (SEQUENCE) */
length = ber_get_content_length(length);
ber_write_sequence_tag(s, length);
/* [0] domainName (OCTET STRING) */
ber_write_contextual_tag(s, 0, credssp->identity.DomainLength * 2 + 2, TRUE);
ber_write_octet_string(s, (BYTE*) credssp->identity.Domain, credssp->identity.DomainLength * 2);
/* [1] userName (OCTET STRING) */
ber_write_contextual_tag(s, 1, credssp->identity.UserLength * 2 + 2, TRUE);
ber_write_octet_string(s, (BYTE*) credssp->identity.User, credssp->identity.UserLength * 2);
/* [2] password (OCTET STRING) */
ber_write_contextual_tag(s, 2, credssp->identity.PasswordLength * 2 + 2, TRUE);
ber_write_octet_string(s, (BYTE*) credssp->identity.Password, credssp->identity.PasswordLength * 2);
if (innerSize > Stream_GetRemainingLength(s))
{
printf("\033[91m[ ERROR ] Not enough space allocated for ts_password_creds\033[0m");
}
int credssp_skip_ts_credentials(rdpCredssp* credssp)
/* TSPasswordCreds (SEQUENCE) */
size += ber_write_sequence_tag(s, innerSize);
/* [0] domainName (OCTET STRING) */
size += ber_write_sequence_octet_string(s, 0, (BYTE*) credssp->identity.Domain, credssp->identity.DomainLength * 2);
/* [1] userName (OCTET STRING) */
size += ber_write_sequence_octet_string(s, 1, (BYTE*) credssp->identity.User, credssp->identity.UserLength * 2);
/* [2] password (OCTET STRING) */
size += ber_write_sequence_octet_string(s, 2, (BYTE*) credssp->identity.Password, credssp->identity.PasswordLength * 2);
return size;
}
int credssp_sizeof_ts_credentials(rdpCredssp* credssp)
{
int length;
int ts_password_creds_length;
int ts_credentials_length = 0;
int size = 0;
length = ber_skip_integer(0);
length += ber_skip_contextual_tag(length);
ts_credentials_length += length;
size += ber_sizeof_integer(1);
size += ber_sizeof_contextual_tag(ber_sizeof_integer(1));
size += ber_sizeof_sequence_octet_string(ber_sizeof_sequence(credssp_sizeof_ts_password_creds(credssp)));
ts_password_creds_length = credssp_skip_ts_password_creds(credssp);
length = ber_skip_octet_string(ts_password_creds_length);
length += ber_skip_contextual_tag(length);
ts_credentials_length += length;
length = ber_skip_sequence(ts_credentials_length);
return length;
return size;
}
void credssp_read_ts_credentials(rdpCredssp* credssp, PSecBuffer ts_credentials)
@ -909,28 +906,27 @@ void credssp_read_ts_credentials(rdpCredssp* credssp, PSecBuffer ts_credentials)
Stream_Free(s, FALSE);
}
void credssp_write_ts_credentials(rdpCredssp* credssp, wStream* s)
int credssp_write_ts_credentials(rdpCredssp* credssp, wStream* s)
{
int length;
int ts_password_creds_length;
length = credssp_skip_ts_credentials(credssp);
ts_password_creds_length = credssp_skip_ts_password_creds(credssp);
int size = 0;
int innerSize = credssp_sizeof_ts_credentials(credssp);
/* TSCredentials (SEQUENCE) */
length = ber_get_content_length(length);
length -= ber_write_sequence_tag(s, length);
size += ber_write_sequence_tag(s, innerSize);
/* [0] credType (INTEGER) */
length -= ber_write_contextual_tag(s, 0, 3, TRUE);
length -= ber_write_integer(s, 1);
size += ber_write_contextual_tag(s, 0, ber_sizeof_integer(1), TRUE);
size += ber_write_integer(s, 1);
/* [1] credentials (OCTET STRING) */
length -= 1;
length -= ber_write_contextual_tag(s, 1, length, TRUE);
length -= ber_write_octet_string_tag(s, ts_password_creds_length);
credssp_write_ts_password_creds(credssp, s);
int passwordSize = ber_sizeof_sequence(credssp_sizeof_ts_password_creds(credssp));
size += ber_write_contextual_tag(s, 1, ber_sizeof_octet_string(passwordSize), TRUE);
size += ber_write_octet_string_tag(s, passwordSize);
size += credssp_write_ts_password_creds(credssp, s);
return size;
}
/**
@ -943,7 +939,7 @@ void credssp_encode_ts_credentials(rdpCredssp* credssp)
wStream* s;
int length;
length = credssp_skip_ts_credentials(credssp);
length = ber_sizeof_sequence(credssp_sizeof_ts_credentials(credssp));
sspi_SecBufferAlloc(&credssp->ts_credentials, length);
s = Stream_New(credssp->ts_credentials.pvBuffer, length);
@ -1029,41 +1025,40 @@ SECURITY_STATUS credssp_decrypt_ts_credentials(rdpCredssp* credssp)
return SEC_E_OK;
}
int credssp_skip_nego_token(int length)
int credssp_sizeof_nego_token(int length)
{
length = der_skip_octet_string(length);
length += der_skip_contextual_tag(length);
length = ber_sizeof_octet_string(length);
length += ber_sizeof_contextual_tag(length);
return length;
}
int credssp_skip_nego_tokens(int length)
int credssp_sizeof_nego_tokens(int length)
{
length = credssp_skip_nego_token(length);
length += der_skip_sequence_tag(length);
length += der_skip_sequence_tag(length);
length += der_skip_contextual_tag(length);
length = credssp_sizeof_nego_token(length);
length += ber_sizeof_sequence_tag(length);
length += ber_sizeof_sequence_tag(length);
length += ber_sizeof_contextual_tag(length);
return length;
}
int credssp_skip_pub_key_auth(int length)
int credssp_sizeof_pub_key_auth(int length)
{
length = ber_skip_octet_string(length);
length += ber_skip_contextual_tag(length);
length = ber_sizeof_octet_string(length);
length += ber_sizeof_contextual_tag(length);
return length;
}
int credssp_skip_auth_info(int length)
int credssp_sizeof_auth_info(int length)
{
length = ber_skip_octet_string(length);
length += ber_skip_contextual_tag(length);
length = ber_sizeof_octet_string(length);
length += ber_sizeof_contextual_tag(length);
return length;
}
int credssp_skip_ts_request(int length)
int credssp_sizeof_ts_request(int length)
{
length += ber_skip_integer(2);
length += ber_skip_contextual_tag(3);
length += der_skip_sequence_tag(length);
length += ber_sizeof_integer(2);
length += ber_sizeof_contextual_tag(3);
return length;
}
@ -1081,18 +1076,18 @@ void credssp_send(rdpCredssp* credssp)
int pub_key_auth_length;
int auth_info_length;
nego_tokens_length = (credssp->negoToken.cbBuffer > 0) ? credssp_skip_nego_tokens(credssp->negoToken.cbBuffer) : 0;
pub_key_auth_length = (credssp->pubKeyAuth.cbBuffer > 0) ? credssp_skip_pub_key_auth(credssp->pubKeyAuth.cbBuffer) : 0;
auth_info_length = (credssp->authInfo.cbBuffer > 0) ? credssp_skip_auth_info(credssp->authInfo.cbBuffer) : 0;
nego_tokens_length = (credssp->negoToken.cbBuffer > 0) ? credssp_sizeof_nego_tokens(credssp->negoToken.cbBuffer) : 0;
pub_key_auth_length = (credssp->pubKeyAuth.cbBuffer > 0) ? credssp_sizeof_pub_key_auth(credssp->pubKeyAuth.cbBuffer) : 0;
auth_info_length = (credssp->authInfo.cbBuffer > 0) ? credssp_sizeof_auth_info(credssp->authInfo.cbBuffer) : 0;
length = nego_tokens_length + pub_key_auth_length + auth_info_length;
ts_request_length = credssp_skip_ts_request(length);
s = Stream_New(NULL, ts_request_length);
ts_request_length = credssp_sizeof_ts_request(length);
s = Stream_New(NULL, ber_sizeof_sequence(ts_request_length));
/* TSRequest */
length = der_get_content_length(ts_request_length);
der_write_sequence_tag(s, length); /* SEQUENCE */
ber_write_sequence_tag(s, ts_request_length); /* SEQUENCE */
/* [0] version */
ber_write_contextual_tag(s, 0, 3, TRUE);
@ -1102,27 +1097,25 @@ void credssp_send(rdpCredssp* credssp)
if (nego_tokens_length > 0)
{
length = nego_tokens_length;
length -= der_write_contextual_tag(s, 1, der_get_content_length(length), TRUE); /* NegoData */
length -= der_write_sequence_tag(s, der_get_content_length(length)); /* SEQUENCE OF NegoDataItem */
length -= der_write_sequence_tag(s, der_get_content_length(length)); /* NegoDataItem */
length -= der_write_contextual_tag(s, 0, der_get_content_length(length), TRUE); /* [0] negoToken */
der_write_octet_string(s, (BYTE*) credssp->negoToken.pvBuffer, credssp->negoToken.cbBuffer); /* OCTET STRING */
length -= ber_write_contextual_tag(s, 1, ber_sizeof_sequence(ber_sizeof_sequence(ber_sizeof_sequence_octet_string(credssp->negoToken.cbBuffer))), TRUE); /* NegoData */
length -= ber_write_sequence_tag(s, ber_sizeof_sequence(ber_sizeof_sequence_octet_string(credssp->negoToken.cbBuffer))); /* SEQUENCE OF NegoDataItem */
length -= ber_write_sequence_tag(s, ber_sizeof_sequence_octet_string(credssp->negoToken.cbBuffer)); /* NegoDataItem */
length -= ber_write_sequence_octet_string(s, 0, (BYTE*) credssp->negoToken.pvBuffer, credssp->negoToken.cbBuffer); /* OCTET STRING */
}
/* [2] authInfo (OCTET STRING) */
if (auth_info_length > 0)
{
length = auth_info_length;
length -= ber_write_contextual_tag(s, 2, ber_get_content_length(length), TRUE);
ber_write_octet_string(s, credssp->authInfo.pvBuffer, credssp->authInfo.cbBuffer);
length -= ber_write_sequence_octet_string(s, 2, credssp->authInfo.pvBuffer, credssp->authInfo.cbBuffer);
}
/* [3] pubKeyAuth (OCTET STRING) */
if (pub_key_auth_length > 0)
{
length = pub_key_auth_length;
length -= ber_write_contextual_tag(s, 3, ber_get_content_length(length), TRUE);
ber_write_octet_string(s, credssp->pubKeyAuth.pvBuffer, credssp->pubKeyAuth.cbBuffer);
length -= ber_write_sequence_octet_string(s, 3, credssp->pubKeyAuth.pvBuffer, credssp->pubKeyAuth.cbBuffer);
}
transport_write(credssp->transport, s);

View File

@ -63,35 +63,31 @@ BOOL ber_read_length(wStream* s, int* length)
int ber_write_length(wStream* s, int length)
{
if (length > 0x7F)
if (length > 0xFF)
{
Stream_Write_UINT8(s, 0x82);
Stream_Write_UINT8(s, 0x80 ^ 2);
Stream_Write_UINT16_BE(s, length);
return 3;
}
else
if (length > 0x7F)
{
Stream_Write_UINT8(s, 0x80 ^ 1);
Stream_Write_UINT8(s, length);
return 2;
}
Stream_Write_UINT8(s, length);
return 1;
}
}
int _ber_skip_length(int length)
int _ber_sizeof_length(int length)
{
if (length > 0x80)
if (length > 0xFF)
return 3;
else
if (length > 0x7F)
return 2;
return 1;
}
int ber_get_content_length(int length)
{
if (length > 0x81)
return length - 4;
else
return length - 2;
}
/**
* Read BER Universal tag.
* @param s stream
@ -120,9 +116,10 @@ BOOL ber_read_universal_tag(wStream* s, BYTE tag, BOOL pc)
* @param pc primitive (FALSE) or constructed (TRUE)
*/
void ber_write_universal_tag(wStream* s, BYTE tag, BOOL pc)
int ber_write_universal_tag(wStream* s, BYTE tag, BOOL pc)
{
Stream_Write_UINT8(s, (BER_CLASS_UNIV | BER_PC(pc)) | (BER_TAG_MASK & tag));
return 1;
}
/**
@ -211,12 +208,12 @@ BOOL ber_read_contextual_tag(wStream* s, BYTE tag, int* length, BOOL pc)
int ber_write_contextual_tag(wStream* s, BYTE tag, int length, BOOL pc)
{
Stream_Write_UINT8(s, (BER_CLASS_CTXT | BER_PC(pc)) | (BER_TAG_MASK & tag));
return ber_write_length(s, length) + 1;
return 1 + ber_write_length(s, length);
}
int ber_skip_contextual_tag(int length)
int ber_sizeof_contextual_tag(int length)
{
return _ber_skip_length(length) + 1;
return 1 + _ber_sizeof_length(length);
}
BOOL ber_read_sequence_tag(wStream* s, int* length)
@ -242,17 +239,17 @@ BOOL ber_read_sequence_tag(wStream* s, int* length)
int ber_write_sequence_tag(wStream* s, int length)
{
Stream_Write_UINT8(s, (BER_CLASS_UNIV | BER_CONSTRUCT) | (BER_TAG_MASK & BER_TAG_SEQUENCE));
return ber_write_length(s, length) + 1;
return 1 + ber_write_length(s, length);
}
int ber_skip_sequence(int length)
int ber_sizeof_sequence(int length)
{
return 1 + _ber_skip_length(length) + length;
return 1 + _ber_sizeof_length(length) + length;
}
int ber_skip_sequence_tag(int length)
int ber_sizeof_sequence_tag(int length)
{
return 1 + _ber_skip_length(length);
return 1 + _ber_sizeof_length(length);
}
BOOL ber_read_enumerated(wStream* s, BYTE* enumerated, BYTE count)
@ -301,11 +298,14 @@ BOOL ber_read_bit_string(wStream* s, int* length, BYTE* padding)
* @param length string length
*/
void ber_write_octet_string(wStream* s, const BYTE* oct_str, int length)
int ber_write_octet_string(wStream* s, const BYTE* oct_str, int length)
{
ber_write_universal_tag(s, BER_TAG_OCTET_STRING, FALSE);
ber_write_length(s, length);
int size = 0;
size += ber_write_universal_tag(s, BER_TAG_OCTET_STRING, FALSE);
size += ber_write_length(s, length);
Stream_Write(s, oct_str, length);
size += length;
return size;
}
BOOL ber_read_octet_string_tag(wStream* s, int* length)
@ -319,12 +319,12 @@ int ber_write_octet_string_tag(wStream* s, int length)
{
ber_write_universal_tag(s, BER_TAG_OCTET_STRING, FALSE);
ber_write_length(s, length);
return 1 + _ber_skip_length(length);
return 1 + _ber_sizeof_length(length);
}
int ber_skip_octet_string(int length)
int ber_sizeof_octet_string(int length)
{
return 1 + _ber_skip_length(length) + length;
return 1 + _ber_sizeof_length(length) + length;
}
/**
@ -421,48 +421,52 @@ int ber_write_integer(wStream* s, UINT32 value)
{
ber_write_universal_tag(s, BER_TAG_INTEGER, FALSE);
if (value <= 0xFF)
if (value < 0x80)
{
ber_write_length(s, 1);
Stream_Write_UINT8(s, value);
return 2;
return 3;
}
else if (value < 0xFF80)
else if (value < 0x8000)
{
ber_write_length(s, 2);
Stream_Write_UINT16_BE(s, value);
return 3;
return 4;
}
else if (value < 0xFF8000)
else if (value < 0x800000)
{
ber_write_length(s, 3);
Stream_Write_UINT8(s, (value >> 16));
Stream_Write_UINT16_BE(s, (value & 0xFFFF));
return 4;
return 5;
}
else if (value <= 0xFFFFFFFF)
else if (value < 0x80000000)
{
ber_write_length(s, 4);
Stream_Write_UINT32_BE(s, value);
return 5;
return 6;
}
return 0;
}
int ber_skip_integer(UINT32 value)
int ber_sizeof_integer(UINT32 value)
{
if (value <= 0xFF)
if (value < 0x80)
{
return _ber_skip_length(1) + 2;
return 3;
}
else if (value <= 0xFFFF)
else if (value < 0x8000)
{
return _ber_skip_length(2) + 3;
return 4;
}
else if (value <= 0xFFFFFFFF)
else if (value < 0x800000)
{
return _ber_skip_length(4) + 5;
return 5;
}
else if (value < 0x80000000)
{
return 6;
}
return 0;