Commit Graph

55 Commits

Author SHA1 Message Date
Biswapriyo Nath
a22bd407b0 winpr: Fix typo in NTLM_AV_ID member.
According to Microsoft specifications[1] the 10th member is named as MsvAvChannelBindings.
[1]: https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-nlmp/
2021-06-23 12:04:29 +02:00
akallabeth
6726772d8d Fixed integer warnings 2021-06-18 09:41:02 +02:00
Armin Novak
d36d94766e Replaced assert with WINPR_ASSERT 2021-06-14 09:37:07 +02:00
akallabeth
58a3122250 Fixed OOB read in ntlm_av_pair_get
CVE-2020-11097 thanks to @antonio-morales for finding this.
2020-06-22 11:51:39 +02:00
akallabeth
057b6df4ae Fixed memory leaks in ntlm 2020-06-22 11:51:38 +02:00
Armin Novak
72ca88f49c Reformatted to new style 2019-11-07 10:53:54 +01:00
Armin Novak
f8dd9a9f75 Fixed ntlm_av_pair_get_len return, no signed value required 2019-04-05 09:28:09 +02:00
Samuel Holland
6931f54fad Fix NTLM AvPair lists
There were two main issues here: First, the `ntlm_av_pair_add` and
`ntlm_av_pair_add_copy` were not adding a new `MsvAvEOL` to the end of
the list to replace the one they overwrote. This caused the second call
to one of those functions to fail (since it couldn't find the
terminator), which was the source of the test failure. It also caused
`ntlm_av_pair_list_length` and `ntlm_print_av_pair_list` to read out of
bounds until they happened to find the right word.

Second, several bounds checks were wrong or missing. For example,
`ntlm_av_pair_add` does not ensure that the value fits inside the list.
And `ntlm_av_pair_get_len` and `ntlm_av_pair_get_value_pointer` can
return error codes or NULL, but those error returns were ignored, and
the values used anyway (such as in `ntlm_av_pair_add_copy`).

This fixes the list handling code to have the invariant that all
functions returning `NTLM_AV_PAIR*` only return non-`NULL` if the entire
returned `AvPair` is within bounds. This removes the need for the length
parameter in functions that only operate on a single `AvPair`. This
check is performed by the new `ntlm_av_pair_check` helper, which is
added in some new places and used to simplify the code in others.

Other issues fixed along the way include:
 - `ntlm_av_pair_list_length` did not cast to `PBYTE`, so it was
   returning the number of `NTLM_AV_PAIR`-sized chunks (which was
   possibly not even an integer) instead of the number of bytes
 - I removed an impossible check for `offset <= 0` in
   `ntlm_av_pair_get_next_pointer`
 - The assertion that `Value != NULL` and the call to `CopyMemory` are
   only necessary if `AvLen` is nonzero
 - `ntlm_av_pair_get_next_pointer` (renamed to `ntlm_av_pair_next`)
   could be declared `static`

With this commit, TestNTLM now passes on powerpc64.

```
$ ./Testing/TestSspi TestNTLM
NTLM_NEGOTIATE (length = 40):
NTLM_CHALLENGE (length = 168):
NTLM_AUTHENTICATE (length = 352):
$ echo $?
0
```

Fixes #5250
2019-03-17 20:40:13 -05:00
Armin Novak
eb57ed3a30 Refactored ntlm_av_pairs API
Tightened checks, cleaned up code and improved redability.
2018-11-20 11:08:31 +01:00
Mariusz Zaborski
00374382d9 There is no reason to restrict nSize to 2 the hostname can be empty on
UNIX-like machines.
2018-04-06 21:07:51 +02:00
Armin Novak
50a0968c6a Removed unused variables. 2017-12-21 11:29:24 +01:00
Armin Novak
b11de26f98 Fixed GetComputerNameExA return checks. 2017-02-27 11:49:53 +01:00
akallabeth
8a22052b61 Fixed memory leaks. 2017-02-25 08:35:37 +01:00
akallabeth
705c0c1e12 Fixed GetComputerNameExA calls. #3815 2017-02-24 21:58:08 +01:00
Norbert Federa
f71b6b46e8 fix string format specifiers
- fixed invalid, missing or additional arguments
- removed all type casts from arguments
- added missing (void*) typecasts for %p arguments
- use inttypes defines where appropriate
2016-12-16 13:48:43 +01:00
Norbert Federa
53bd98883e winpr/crypt api changes and memory leak fixes
- winpr_HMAC_New() now just returnes the opaque WINPR_HMAC_CTX* pointer
  which has to be passed to winpr_HMAC_Init() for (re)initialization
  and since winpr_HMAC_Final() no more frees the context you always have to
  use the new function winpr_HMAC_Free() once winpr_HMAC_New() has succeded

- winpr_Digest_New() now just returns the opaque WINPR_DIGEST_CTX* pointer
  which has to be passed to winpr_Digest_Init() for (re)initialization
  and since winpr_Digest_Final() no more frees the context you always have to
  use the new function winpr_Digest_Free() once winpr_Digest_New() has succeded
2016-11-24 18:27:29 +01:00
Norbert Federa
7befab856c Support for OpenSSL 1.1.0 2016-11-24 17:50:09 +01:00
Martin Fleisz
71765b72e3 Merge pull request #3284 from ondrejholy/endianness
Endianness fixes
2016-08-25 08:17:52 +02:00
Norbert Federa
333a1110f5 winpr/sspi/ntlm: fix computer name len calculation
The lpnSize parameter for GetComputerNameEx specifies the total
size of the buffer (in characters).
However, the current code calculated the amount of bytes.
Since only GetComputerNameExA was used and because sizeof(CHAR) == 1
the result was correct but the math was wrong.
Credit goes to @byteboon
2016-06-30 17:15:40 +02:00
Norbert Federa
26ed09a14f winpr/sspi/ntlm: fix GetComputerNameExA parameters
On input, the lpnSize [in, out] parameter for GetComputerNameEx()
specifies the total size of the buffer (in characters).
Several functions in ntlm.c were off by one which caused ntlm to fail
if the netbios hostname's strlen was exactly MAX_COMPUTERNAME_LENGTH.
2016-06-14 12:37:37 +02:00
Ondrej Holy
95a1b53940 winpr/ntlm: Fix endianness in ntlm_av_pair_list
Data in ntlm_av_pair_list are accessed directly, which doesn't work on
big endian machines currently. The recieved data are stored as little
endian. Use conversion macros from endian.h to load and store the data
properly.

https://github.com/FreeRDP/FreeRDP/issues/2520
2016-05-30 13:37:15 +02:00
Armin Novak
f997421098 Unified hmac functions. 2016-02-24 21:50:08 +01:00
Marc-André Moreau
87c42127c7 libwinpr-sspi: remove OpenSSL dependency in NTLM SSPI module 2015-10-08 16:48:58 -04:00
Marc-André Moreau
ac62d43e0f winpr: isolate OpenSSL 2015-10-06 10:56:24 -04:00
Bernhard Miklautz
af81a91ea7 windows: fix compilation and warnings 2015-06-22 19:31:25 +02:00
Bernhard Miklautz
06502e6a91 misc: integrate pull request feedback 2015-06-22 19:24:30 +02:00
Bernhard Miklautz
fc6a3cf3c1 sspi/ntlm: integrate pull request comments 2015-06-22 19:23:58 +02:00
David FORT
7c3f8f33ab Fixes for malloc / calloc + other fixes
This patch contains:

* checks for malloc return value + treat callers;
* modified malloc() + ZeroMemory() to calloc();
* misc fixes of micro errors seen during the code audit:
** some invalid checks in gcc.c, also there were some possible
integer overflow. This is interesting because at the end the data are parsed
and freed directly, so it's a vulnerability in some kind of dead code (at least
useless);
** fixed usage of GetComputerNameExA with just one call, when 2 were used
in misc places. According to MSDN GetComputerNameA() is supposed to return
an error when called with NULL;
** there were a bug in the command line parsing of shadow;
** in freerdp_dynamic_channel_collection_add() the size of array was multiplied
by 4 instead of 2 on resize
2015-06-22 19:21:47 +02:00
Mariusz Zaborski
80958751e4 Add check to protect memcpy(3) from using NULL pointer.
The ntlm_construct_challenge_target_info function can potentially pass NULL as
argument to the ntlm_av_pair_add function (for example DnsDomainName.Buffer).
This NULL finally lands in the CopyMemory (which is macro to the memcpy(3)
function) which can't handle NULL.
2015-05-25 08:32:48 +02:00
Norbert Federa
1eff1a345e free can handle NULL perfectly fine 2015-05-11 09:07:39 +02:00
Bernhard Miklautz
850de59b55 winpr: add checks for *alloc
Add missing checks if memory allocation was successful. Also adapt
caller(s) when possible.
2015-04-08 11:34:37 +02:00
Armin Novak
b22b897389 Reformatted changed files. 2014-09-09 16:32:22 +02:00
Armin Novak
7e3a1b3073 Now using macro to generate module specific log tag. 2014-09-09 16:32:04 +02:00
Armin Novak
28ece6bb46 Replaced stdio logging with WLog 2014-09-09 16:31:46 +02:00
Marc-André Moreau
8a343c3e6d libwinpr-sspi: fix memory leaks 2014-06-10 14:16:02 -04:00
Marc-André Moreau
1b5a2340d2 libwinpr-sspi: even more code hardening 2014-06-07 00:17:11 -04:00
Marc-André Moreau
c5a1a8ac27 libwinpr-sspi: fix native sspi build 2014-06-05 22:10:08 -04:00
Marc-André Moreau
21a259927a libwinpr-sspi: fix encoding of server-side NTLM challenge message 2014-01-24 13:02:45 -05:00
Hardening
7701c9d934 Replace printf(...) by fprintf(stderr, ...) 2013-03-28 23:06:34 +01:00
Marc-André Moreau
ff586504e7 libwinpr-sspi: cleanup NTLM messages 2013-01-30 20:39:57 -05:00
Marc-André Moreau
3d77d5a497 freerdp: merging with master 2013-01-14 13:50:16 -05:00
rdp.effort
e53e8e524d Initialize lpWideCharStr parameter when using ConvertToUnicode
This patch ensure that lpWideCharStr is initialized by callers of
ConvertToUnicode
2013-01-10 21:30:32 +01:00
Marc-André Moreau
0fbf846671 libwinpr-sspi: NTLM extended protection cleanup 2013-01-10 11:19:57 -05:00
Marc-André Moreau
f0c94562cc libfreerdp-core: TS Gateway cleanup and NTLM SingleHostData implementation 2013-01-09 12:05:34 -05:00
Marc-André Moreau
1d893ed268 libwinpr-sspi: add support for NTLMv2 Channel Binding Token (CBT) 2013-01-09 00:20:08 -05:00
Marc-André Moreau
d8949f5d8f libfreerdp-core: fix computing of test channel binding token 2013-01-08 21:56:28 -05:00
Marc-André Moreau
4cf0dc1004 libwinpr-sspi: improve attempted channel binding token computation 2013-01-06 16:05:20 -05:00
Marc-André Moreau
81c2782be3 libwinpr-sspi: start implementing Channel Bindings 2012-12-21 12:17:07 -05:00
Marc-André Moreau
038754cbed libwinpr-sspi: fix SSPI NTLM SuppressExtendedProtection 2012-12-20 16:35:07 -05:00
Marc-André Moreau
0047511055 libwinpr-sspi: fix unicode conversion 2012-12-17 13:35:12 -05:00