Replaced cbMaxSignature with cbSecurityTrailer

The token buffer size during authentication was constructed
from the wrong buffer size. These sizes are equal in case of
local account logins but differ with domain accounts.
Armin Novak 2015-07-09 10:09:18 +02:00
parent ecf6ffdcce
commit 18cea1c9ba


@ -881,14 +881,15 @@ SECURITY_STATUS nla_encrypt_public_key_echo(rdpNla* nla)
int public_key_length;
public_key_length = nla->PublicKey.cbBuffer;
if (!sspi_SecBufferAlloc(&nla->pubKeyAuth, nla->ContextSizes.cbMaxSignature + public_key_length))
if (!sspi_SecBufferAlloc(&nla->pubKeyAuth, nla->ContextSizes.cbSecurityTrailer + public_key_length))
return SEC_E_INSUFFICIENT_MEMORY;
Buffers[0].BufferType = SECBUFFER_TOKEN; /* Signature */
Buffers[1].BufferType = SECBUFFER_DATA; /* TLS Public Key */
Buffers[0].cbBuffer = nla->ContextSizes.cbMaxSignature;
Buffers[0].cbBuffer = nla->ContextSizes.cbSecurityTrailer;
Buffers[0].pvBuffer = nla->pubKeyAuth.pvBuffer;
Buffers[1].BufferType = SECBUFFER_DATA; /* TLS Public Key */
Buffers[1].cbBuffer = public_key_length;
Buffers[1].pvBuffer = ((BYTE*) nla->pubKeyAuth.pvBuffer) + nla->ContextSizes.cbMaxSignature;
Buffers[1].pvBuffer = ((BYTE*) nla->pubKeyAuth.pvBuffer) + nla->ContextSizes.cbSecurityTrailer;
CopyMemory(Buffers[1].pvBuffer, nla->PublicKey.pvBuffer, Buffers[1].cbBuffer);
if (nla->server)
@ -924,9 +925,9 @@ SECURITY_STATUS nla_decrypt_public_key_echo(rdpNla* nla)
SecBufferDesc Message;
SECURITY_STATUS status;
if ((nla->PublicKey.cbBuffer + nla->ContextSizes.cbMaxSignature) != nla->pubKeyAuth.cbBuffer)
if ((nla->PublicKey.cbBuffer + nla->ContextSizes.cbSecurityTrailer) != nla->pubKeyAuth.cbBuffer)
{
WLog_ERR(TAG, "unexpected pubKeyAuth buffer size: %d", (int) nla->pubKeyAuth.cbBuffer);
WLog_ERR(TAG, "unexpected pubKeyAuth buffer size: %lu", nla->pubKeyAuth.cbBuffer);
return SEC_E_INVALID_TOKEN;
}
@ -939,11 +940,12 @@ SECURITY_STATUS nla_decrypt_public_key_echo(rdpNla* nla)
CopyMemory(buffer, nla->pubKeyAuth.pvBuffer, length);
public_key_length = nla->PublicKey.cbBuffer;
Buffers[0].BufferType = SECBUFFER_TOKEN; /* Signature */
Buffers[1].BufferType = SECBUFFER_DATA; /* Encrypted TLS Public Key */
Buffers[0].cbBuffer = nla->ContextSizes.cbMaxSignature;
Buffers[0].cbBuffer = nla->ContextSizes.cbSecurityTrailer;
Buffers[0].pvBuffer = buffer;
Buffers[1].cbBuffer = length - nla->ContextSizes.cbMaxSignature;
Buffers[1].pvBuffer = buffer + nla->ContextSizes.cbMaxSignature;
Buffers[1].BufferType = SECBUFFER_DATA; /* Encrypted TLS Public Key */
Buffers[1].cbBuffer = length - nla->ContextSizes.cbSecurityTrailer;
Buffers[1].pvBuffer = buffer + nla->ContextSizes.cbSecurityTrailer;
Message.cBuffers = 2;
Message.ulVersion = SECBUFFER_VERSION;
Message.pBuffers = (PSecBuffer) &Buffers;
@ -1228,13 +1230,14 @@ SECURITY_STATUS nla_encrypt_ts_credentials(rdpNla* nla)
if (!nla_encode_ts_credentials(nla))
return SEC_E_INSUFFICIENT_MEMORY;
if (!sspi_SecBufferAlloc(&nla->authInfo, nla->ContextSizes.cbMaxSignature + nla->tsCredentials.cbBuffer))
if (!sspi_SecBufferAlloc(&nla->authInfo, nla->ContextSizes.cbSecurityTrailer + nla->tsCredentials.cbBuffer))
return SEC_E_INSUFFICIENT_MEMORY;
Buffers[0].BufferType = SECBUFFER_TOKEN; /* Signature */
Buffers[1].BufferType = SECBUFFER_DATA; /* TSCredentials */
Buffers[0].cbBuffer = nla->ContextSizes.cbMaxSignature;
Buffers[0].BufferType = SECBUFFER_TOKEN; /* Signature */
Buffers[0].cbBuffer = nla->ContextSizes.cbSecurityTrailer;
Buffers[0].pvBuffer = nla->authInfo.pvBuffer;
ZeroMemory(Buffers[0].pvBuffer, Buffers[0].cbBuffer);
Buffers[1].BufferType = SECBUFFER_DATA; /* TSCredentials */
Buffers[1].cbBuffer = nla->tsCredentials.cbBuffer;
Buffers[1].pvBuffer = &((BYTE*) nla->authInfo.pvBuffer)[Buffers[0].cbBuffer];
CopyMemory(Buffers[1].pvBuffer, nla->tsCredentials.pvBuffer, Buffers[1].cbBuffer);
@ -1279,10 +1282,10 @@ SECURITY_STATUS nla_decrypt_ts_credentials(rdpNla* nla)
return SEC_E_INSUFFICIENT_MEMORY;
CopyMemory(buffer, nla->authInfo.pvBuffer, length);
Buffers[0].cbBuffer = nla->ContextSizes.cbMaxSignature;
Buffers[0].cbBuffer = nla->ContextSizes.cbSecurityTrailer;
Buffers[0].pvBuffer = buffer;
Buffers[1].cbBuffer = length - nla->ContextSizes.cbMaxSignature;
Buffers[1].pvBuffer = &buffer[nla->ContextSizes.cbMaxSignature];
Buffers[1].cbBuffer = length - nla->ContextSizes.cbSecurityTrailer;
Buffers[1].pvBuffer = &buffer[nla->ContextSizes.cbSecurityTrailer];
Message.cBuffers = 2;
Message.ulVersion = SECBUFFER_VERSION;
Message.pBuffers = (PSecBuffer) &Buffers;
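Review bot: In the last hunk (nla_decrypt_ts_credentials), `Buffers[1].cbBuffer = length - nla->ContextSizes.cbSecurityTrailer;` subtracts with no visible check that `length` is at least the trailer size. If `length` is smaller, the unsigned subtraction wraps and `&buffer[nla->ContextSizes.cbSecurityTrailer]` points past the copy of authInfo, which presumably holds data received from the peer. nla_decrypt_public_key_echo is covered by its size-equality check on pubKeyAuth, but no equivalent appears here. The function starts outside the hunk, so a guard may already exist there; if it does not, add `if (length < nla->ContextSizes.cbSecurityTrailer) return SEC_E_INVALID_TOKEN;` before the buffer is allocated.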