Respect SECBUFFER_READONLY flag in NTLM EncryptMessage

This commit is contained in:
Armin Novak 2020-06-17 12:18:42 +02:00 committed by akallabeth
parent 0d80353bf3
commit 8e45a2dd50
1 changed files with 24 additions and 16 deletions


@ -961,7 +961,7 @@ static SECURITY_STATUS SEC_ENTRY ntlm_RevertSecurityContext(PCtxtHandle phContex
static SECURITY_STATUS SEC_ENTRY ntlm_EncryptMessage(PCtxtHandle phContext, ULONG fQOP, static SECURITY_STATUS SEC_ENTRY ntlm_EncryptMessage(PCtxtHandle phContext, ULONG fQOP,
PSecBufferDesc pMessage, ULONG MessageSeqNo) PSecBufferDesc pMessage, ULONG MessageSeqNo)
{ {
int index; ULONG index;
int length; int length;
void* data; void* data;
UINT32 SeqNo; UINT32 SeqNo;
@ -977,12 +977,14 @@ static SECURITY_STATUS SEC_ENTRY ntlm_EncryptMessage(PCtxtHandle phContext, ULON
SeqNo = MessageSeqNo; SeqNo = MessageSeqNo;
context = (NTLM_CONTEXT*)sspi_SecureHandleGetLowerPointer(phContext); context = (NTLM_CONTEXT*)sspi_SecureHandleGetLowerPointer(phContext);
for (index = 0; index < (int)pMessage->cBuffers; index++) for (index = 0; index < pMessage->cBuffers; index++)
{ {
if (pMessage->pBuffers[index].BufferType == SECBUFFER_DATA) SecBuffer* cur = &pMessage->pBuffers[index];
data_buffer = &pMessage->pBuffers[index];
else if (pMessage->pBuffers[index].BufferType == SECBUFFER_TOKEN) if (cur->BufferType & SECBUFFER_DATA)
signature_buffer = &pMessage->pBuffers[index]; data_buffer = cur;
else if (cur->BufferType & SECBUFFER_TOKEN)
signature_buffer = cur;
} }
if (!data_buffer) if (!data_buffer)
@ -1019,11 +1021,14 @@ static SECURITY_STATUS SEC_ENTRY ntlm_EncryptMessage(PCtxtHandle phContext, ULON
} }
/* Encrypt message using with RC4, result overwrites original buffer */ /* Encrypt message using with RC4, result overwrites original buffer */
if ((data_buffer->BufferType & SECBUFFER_READONLY) == 0)
if (context->confidentiality) {
winpr_RC4_Update(context->SendRc4Seal, length, (BYTE*)data, (BYTE*)data_buffer->pvBuffer); if (context->confidentiality)
else winpr_RC4_Update(context->SendRc4Seal, length, (BYTE*)data,
CopyMemory(data_buffer->pvBuffer, data, length); (BYTE*)data_buffer->pvBuffer);
else
CopyMemory(data_buffer->pvBuffer, data, length);
}
#ifdef WITH_DEBUG_NTLM #ifdef WITH_DEBUG_NTLM
WLog_DBG(TAG, "Data Buffer (length = %d)", length); WLog_DBG(TAG, "Data Buffer (length = %d)", length);
@ -1034,11 +1039,14 @@ static SECURITY_STATUS SEC_ENTRY ntlm_EncryptMessage(PCtxtHandle phContext, ULON
free(data); free(data);
/* RC4-encrypt first 8 bytes of digest */ /* RC4-encrypt first 8 bytes of digest */
winpr_RC4_Update(context->SendRc4Seal, 8, digest, checksum); winpr_RC4_Update(context->SendRc4Seal, 8, digest, checksum);
signature = (BYTE*)signature_buffer->pvBuffer; if ((signature_buffer->BufferType & SECBUFFER_READONLY) == 0)
/* Concatenate version, ciphertext and sequence number to build signature */ {
Data_Write_UINT32(signature, version); signature = (BYTE*)signature_buffer->pvBuffer;
CopyMemory(&signature[4], (void*)checksum, 8); /* Concatenate version, ciphertext and sequence number to build signature */
Data_Write_UINT32(&signature[12], SeqNo); Data_Write_UINT32(signature, version);
CopyMemory(&signature[4], (void*)checksum, 8);
Data_Write_UINT32(&signature[12], SeqNo);
}
context->SendSeqNum++; context->SendSeqNum++;
#ifdef WITH_DEBUG_NTLM #ifdef WITH_DEBUG_NTLM
WLog_DBG(TAG, "Signature (length = %" PRIu32 ")", signature_buffer->cbBuffer); WLog_DBG(TAG, "Signature (length = %" PRIu32 ")", signature_buffer->cbBuffer);
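Review bot: The buffer-type tests `if (cur->BufferType & SECBUFFER_DATA)` and `else if (cur->BufferType & SECBUFFER_TOKEN)` in the first hunk's loop bit-test an enumerated type code: in SSPI, SECBUFFER_DATA and SECBUFFER_TOKEN are small type values (1 and 2), not single-bit flags, and SECBUFFER_READONLY and the other attributes occupy the high bits, so any buffer type whose low bits overlap (SECBUFFER_STREAM_HEADER, SECBUFFER_PADDING, SECBUFFER_EXTRA, SECBUFFER_PKG_PARAMS under the usual values) is now silently picked up as the data or signature buffer and gets encrypted or overwritten. Mask the attribute bits off and compare the type, as below (this assumes winpr's sspi.h carries SECBUFFER_ATTRMASK as SSPI does; otherwise mask with `~(SECBUFFER_READONLY | SECBUFFER_READONLY_WITH_CHECKSUM)`). Separately, in the last hunk a read-only signature buffer makes the function skip writing the signature but still increment `context->SendSeqNum` and, as far as this section shows, return success, so the caller sends a message whose token buffer holds stale bytes against an advanced sequence number; a read-only token buffer cannot carry the output, so reject it once the buffers are resolved, e.g. `if (signature_buffer->BufferType & SECBUFFER_READONLY) return SEC_E_INVALID_TOKEN;`. ntlm_EncryptMessage's body continues past the end of this section.
```c
	for (index = 0; index < pMessage->cBuffers; index++)
	{
		SecBuffer* cur = &pMessage->pBuffers[index];

		/* BufferType is a type code with attribute flags ORed into the high bits;
		 * compare the type after masking, do not bit-test the enumerator. */
		switch (cur->BufferType & ~SECBUFFER_ATTRMASK)
		{
			case SECBUFFER_DATA:
				data_buffer = cur;
				break;
			case SECBUFFER_TOKEN:
				signature_buffer = cur;
				break;
			default:
				break;
		}
	}
	/* … unchanged: NULL checks, HMAC and RC4 of the data buffer … */
```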