Commit Graph

139 Commits

Author SHA1 Message Date
akallabeth
b37d8c9be1 Fixed GHSL-2020-100: oob read in ntlm_read_ChallengeMessage
* Added length checks for data read from stream
* Unified function resource cleanup
2020-05-20 15:10:07 +02:00
akallabeth
8241ab42fd Fixed oob read in ntlm_read_AuthenticateMessage 2020-05-06 13:31:57 +02:00
akallabeth
afdffac4b5 Fixed oob read in ntlm_read_ntlm_v2_response 2020-05-06 13:31:57 +02:00
akallabeth
8fa3835963 Fixed oob read in ntlm_read_NegotiateMessage 2020-05-06 13:31:57 +02:00
Zhu Qun-Ying
5553be0983
possible memory leak when various functions return failure. (#6110)
* possible memory leak when allocation failed.

* Use initialization in stead of ZeroMemory

* Format with clang-format
2020-04-25 16:07:12 +02:00
Martin Haimberger
7b6b9a9675 removed unnecessary casts, use sizeof for debug printing 2020-04-15 13:20:03 +02:00
Martin Haimberger
85e49aa601 fix: server side ntlmv2 implementation
- in the case no mic was present, but the user was found,
  the enterd password was ignored and the user authenticated
2020-04-15 13:20:03 +02:00
Armin Novak
106ab8cfbd Removed unused function 2020-03-10 14:04:53 +01:00
Armin Novak
e63377945b Silenced warning due to missing debug define guard. 2020-03-10 14:04:53 +01:00
Armin Novak
1fd51d9183 Fixed clang scanbuild warnings. 2020-03-04 09:17:35 +01:00
Martin Fleisz
71feb974ac
Merge pull request #5739 from akallabeth/improve_function_hiding
Improve function hiding
2019-12-02 11:31:35 +01:00
Armin Novak
7c243da6e1 Remove symbols exported by accident. 2019-12-02 10:57:31 +01:00
David Fort
5e6775ce95 winpr: fix anonymous enum members and menbers without a size 2019-11-25 13:39:31 +01:00
Armin Novak
72ca88f49c Reformatted to new style 2019-11-07 10:53:54 +01:00
Armin Novak
f8dd9a9f75 Fixed ntlm_av_pair_get_len return, no signed value required 2019-04-05 09:28:09 +02:00
Armin Novak
2c9cd5067f Fixed argument pointer type cast 2019-04-05 09:22:50 +02:00
Samuel Holland
6931f54fad Fix NTLM AvPair lists
There were two main issues here: First, the `ntlm_av_pair_add` and
`ntlm_av_pair_add_copy` were not adding a new `MsvAvEOL` to the end of
the list to replace the one they overwrote. This caused the second call
to one of those functions to fail (since it couldn't find the
terminator), which was the source of the test failure. It also caused
`ntlm_av_pair_list_length` and `ntlm_print_av_pair_list` to read out of
bounds until they happened to find the right word.

Second, several bounds checks were wrong or missing. For example,
`ntlm_av_pair_add` does not ensure that the value fits inside the list.
And `ntlm_av_pair_get_len` and `ntlm_av_pair_get_value_pointer` can
return error codes or NULL, but those error returns were ignored, and
the values used anyway (such as in `ntlm_av_pair_add_copy`).

This fixes the list handling code to have the invariant that all
functions returning `NTLM_AV_PAIR*` only return non-`NULL` if the entire
returned `AvPair` is within bounds. This removes the need for the length
parameter in functions that only operate on a single `AvPair`. This
check is performed by the new `ntlm_av_pair_check` helper, which is
added in some new places and used to simplify the code in others.

Other issues fixed along the way include:
 - `ntlm_av_pair_list_length` did not cast to `PBYTE`, so it was
   returning the number of `NTLM_AV_PAIR`-sized chunks (which was
   possibly not even an integer) instead of the number of bytes
 - I removed an impossible check for `offset <= 0` in
   `ntlm_av_pair_get_next_pointer`
 - The assertion that `Value != NULL` and the call to `CopyMemory` are
   only necessary if `AvLen` is nonzero
 - `ntlm_av_pair_get_next_pointer` (renamed to `ntlm_av_pair_next`)
   could be declared `static`

With this commit, TestNTLM now passes on powerpc64.

```
$ ./Testing/TestSspi TestNTLM
NTLM_NEGOTIATE (length = 40):
NTLM_CHALLENGE (length = 168):
NTLM_AUTHENTICATE (length = 352):
$ echo $?
0
```

Fixes #5250
2019-03-17 20:40:13 -05:00
Armin Novak
17bbe7a23f Do not compile extended authentication debugging by default. 2018-11-21 15:36:31 +01:00
Armin Novak
d8d30a0554 Fix #5037: Fix calls to ntlm_print_av_pair_list 2018-11-21 09:18:38 +01:00
Armin Novak
eb57ed3a30 Refactored ntlm_av_pairs API
Tightened checks, cleaned up code and improved redability.
2018-11-20 11:08:31 +01:00
Armin Novak
2ee663f39d Fixed CVE-2018-8789
Thanks to Eyal Itkin from Check Point Software Technologies.
2018-11-20 11:08:31 +01:00
Ondrej Holy
35bccd5262 winpr/sspi/ntlm: Fix leak found by covscan
leaked_storage: Variable "sam" going out of scope leaks the storage it points to.
leaked_storage: Variable "s" going out of scope leaks the storage it points to.
leaked_storage: Variable "snt" going out of scope leaks the storage it points to.
2018-08-22 14:34:02 +02:00
Pascal J. Bourguignon
15f2bafeab Cleaned up const char** -> char** for argv, since we definitely do modify the argv!
(we overwrite the password and pin arguments).
This implies changes in the argument parsing tests that now must pass a mutable argv
(copied from the statically declared test argvs).
Some other const inconsistency have been dealt with too.
2018-06-06 16:43:09 +02:00
Armin Novak
e8b9116507 Fixed invalid function argument for ntlm_compute_message_integrity_check 2018-05-11 11:00:46 +02:00
Armin Novak
5b961e9c75 Fixed /pth: Consistently treat the hash offset to password length. 2018-05-03 17:51:11 +02:00
Martin Fleisz
b228deb998
Merge pull request #4543 from oshogbo/master
Fix variable passsed to HashCallback with MIC.
2018-04-18 14:50:31 +02:00
Mariusz Zaborski
509afe252d Remove MessageIntegrityCheck from context. 2018-04-17 15:03:27 +02:00
Mariusz Zaborski
fe37fede50 Fix variable passsed to HashCallback with MIC.
The value in the context is not set yet and we need one from
authentication message.
2018-04-06 21:18:20 +02:00
Mariusz Zaborski
00374382d9 There is no reason to restrict nSize to 2 the hostname can be empty on
UNIX-like machines.
2018-04-06 21:07:51 +02:00
Armin Novak
dc48c42926 Refactored NTLM, functions static where approprate 2018-01-16 11:34:07 +01:00
Armin Novak
5550f6ffe1 Fixed #4357: NTLM debug message. 2018-01-12 09:22:08 +01:00
Armin Novak
50a0968c6a Removed unused variables. 2017-12-21 11:29:24 +01:00
David Fort
41823080f9 Fix users of Stream_GetPosition() that returns size_t 2017-12-11 22:38:58 +01:00
dodo040
e0a9999fb2 fix: GSS API init, enterprise name management, variable names and format code 2017-11-13 16:20:56 +01:00
dodo040
b81f168f0e initial commit for kerberos support 2017-11-13 16:20:55 +01:00
Armin Novak
ceda244165 Fixed uninitialized values and leaks. 2017-07-28 08:35:31 +02:00
davewheel
4bfb4dddbf Add a callback to provide NTLM hashes on server-side
Adds a callback that allows servers to compute NTLM hashes by themselves. The typical
use of this callback is to provide a function that gives precomputed hash values.

Sponsored by: Wheel Systems (http://www.wheelsystems.com)
2017-05-18 14:24:24 +02:00
Armin Novak
b2c29158be Scanbuild warning, argument checks and leak fixes.
* Added Stream_GetRemainingCapacity to check remaining stream size
  before writes.
* Fixed shadow server memory leak.
* Fixed lots of scanbuild warnings
* Added missing argument checks in many functions
* Added missing static function declarations
2017-03-02 18:13:43 +01:00
Armin Novak
b11de26f98 Fixed GetComputerNameExA return checks. 2017-02-27 11:49:53 +01:00
akallabeth
8a22052b61 Fixed memory leaks. 2017-02-25 08:35:37 +01:00
akallabeth
705c0c1e12 Fixed GetComputerNameExA calls. #3815 2017-02-24 21:58:08 +01:00
Norbert Federa
f71b6b46e8 fix string format specifiers
- fixed invalid, missing or additional arguments
- removed all type casts from arguments
- added missing (void*) typecasts for %p arguments
- use inttypes defines where appropriate
2016-12-16 13:48:43 +01:00
Norbert Federa
53bd98883e winpr/crypt api changes and memory leak fixes
- winpr_HMAC_New() now just returnes the opaque WINPR_HMAC_CTX* pointer
  which has to be passed to winpr_HMAC_Init() for (re)initialization
  and since winpr_HMAC_Final() no more frees the context you always have to
  use the new function winpr_HMAC_Free() once winpr_HMAC_New() has succeded

- winpr_Digest_New() now just returns the opaque WINPR_DIGEST_CTX* pointer
  which has to be passed to winpr_Digest_Init() for (re)initialization
  and since winpr_Digest_Final() no more frees the context you always have to
  use the new function winpr_Digest_Free() once winpr_Digest_New() has succeded
2016-11-24 18:27:29 +01:00
Norbert Federa
7befab856c Support for OpenSSL 1.1.0 2016-11-24 17:50:09 +01:00
Martin Fleisz
71765b72e3 Merge pull request #3284 from ondrejholy/endianness
Endianness fixes
2016-08-25 08:17:52 +02:00
Marc-André Moreau
14cb6d33c6 freerdp: make modifications to NLA server-side fixes according to PR comments 2016-07-22 09:06:07 -04:00
Marc-André Moreau
801dc0f826 freerdp: add configurable NTLM SAM file option for server-side NLA 2016-07-21 18:58:24 -04:00
Norbert Federa
333a1110f5 winpr/sspi/ntlm: fix computer name len calculation
The lpnSize parameter for GetComputerNameEx specifies the total
size of the buffer (in characters).
However, the current code calculated the amount of bytes.
Since only GetComputerNameExA was used and because sizeof(CHAR) == 1
the result was correct but the math was wrong.
Credit goes to @byteboon
2016-06-30 17:15:40 +02:00
Norbert Federa
26ed09a14f winpr/sspi/ntlm: fix GetComputerNameExA parameters
On input, the lpnSize [in, out] parameter for GetComputerNameEx()
specifies the total size of the buffer (in characters).
Several functions in ntlm.c were off by one which caused ntlm to fail
if the netbios hostname's strlen was exactly MAX_COMPUTERNAME_LENGTH.
2016-06-14 12:37:37 +02:00
Ondrej Holy
0e353cce2e winpr/ntlm: Fix endianness in NTLM authentication
This patch fixes NTLM authentication to work properly on a big endian
machines. Freerdp exited with the following error without recent commits:
[09:50:20:914] [13821:13822] [ERROR][com.freerdp.core.transport] - BIO_read returned an error: error:14094438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error
[09:50:20:914] [13821:13822] [ERROR][com.freerdp.core] - freerdp_set_last_error ERRCONNECT_CONNECT_TRANSPORT_FAILED [0x2000D]
[09:50:20:914] [13821:13822] [ERROR][com.freerdp.client.x11] - Freerdp connect error exit status 1

https://github.com/FreeRDP/FreeRDP/issues/2520
2016-05-30 13:37:15 +02:00