
Viewing changes to lib/http_ntlm.c

  • Committer: Bazaar Package Importer
  • Author(s): Martin Pitt
  • Date: 2005-12-12 15:04:52 UTC
  • mfrom: (1.1.4 upstream)
  • Revision ID: james.westby@ubuntu.com-20051212150452-2ymlra67b2p7kjyy
Tags: 7.15.1-1ubuntu1
Resynchronise with Debian to get URL parser overflow fix from 7.15.1
(CVE-2005-4077).

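--- a/lib/http_ntlm.c
+++ b/lib/http_ntlm.c
@@ -18,7 +18,7 @@
  * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
  * KIND, either express or implied.
  *
- * $Id: http_ntlm.c,v 1.43 2005/04/07 15:27:14 bagder Exp $
+ * $Id: http_ntlm.c,v 1.49 2005/11/14 22:10:52 bagder Exp $
  ***************************************************************************/
 #include "setup.h"
 
@@ -76,6 +76,11 @@
 
 #include <rpc.h>
 
+/* Handle of security.dll or secur32.dll, depending on Windows version */
+static HMODULE s_hSecDll = NULL;
+/* Pointer to SSPI dispatch table */
+static PSecurityFunctionTable s_pSecFn = NULL;
+
 #endif
 
 /* The last #include file should be: */
@@ -305,8 +310,8 @@
     ntlm->type_2 = NULL;
   }
   if (ntlm->has_handles) {
-    DeleteSecurityContext(&ntlm->c_handle);
-    FreeCredentialsHandle(&ntlm->handle);
+    s_pSecFn->DeleteSecurityContext(&ntlm->c_handle);
+    s_pSecFn->FreeCredentialsHandle(&ntlm->handle);
     ntlm->has_handles = 0;
   }
   if (ntlm->p_identity) {
@@ -337,7 +342,7 @@
 #endif
   size_t size;
   char *base64=NULL;
-  unsigned char ntlmbuf[256]; /* enough, unless the host/domain is very long */
+  unsigned char ntlmbuf[512]; /* enough, unless the host/domain is very long */
 
   /* point to the address of the pointer that holds the string to sent to the
      server, which is for a plain host or for a HTTP proxy */
@@ -376,6 +381,35 @@
   if(!passwdp)
     passwdp=(char *)"";
 
+#ifdef USE_WINDOWS_SSPI
+  /* If security interface is not yet initialized try to do this */
+  if (s_hSecDll == NULL) {
+    /* Determine Windows version. Security functions are located in
+     * security.dll on WinNT 4.0 and in secur32.dll on Win9x. Win2K and XP
+     * contain both these DLLs (security.dll just forwards calls to
+     * secur32.dll)
+     */
+    OSVERSIONINFO osver;
+    osver.dwOSVersionInfoSize = sizeof(osver);
+    GetVersionEx(&osver);
+    if (osver.dwPlatformId == VER_PLATFORM_WIN32_NT
+      && osver.dwMajorVersion == 4)
+      s_hSecDll = LoadLibrary("security.dll");
+    else
+      s_hSecDll = LoadLibrary("secur32.dll");
+    if (s_hSecDll != NULL) {
+      INIT_SECURITY_INTERFACE pInitSecurityInterface;
+        pInitSecurityInterface =
+          (INIT_SECURITY_INTERFACE)GetProcAddress(s_hSecDll,
+                                                  "InitSecurityInterfaceA");
+        if (pInitSecurityInterface != NULL)
+          s_pSecFn = pInitSecurityInterface();
+    }
+  }
+  if (s_pSecFn == NULL)
+    return CURLE_RECV_ERROR;
+#endif
+
   switch(ntlm->state) {
   case NTLMSTATE_TYPE1:
   default: /* for the weird cases we (re)start here */
@@ -387,6 +421,7 @@
     ULONG attrs;
     const char *user;
     int domlen;
+    TimeStamp tsDummy; /* For Windows 9x compatibility of SPPI calls */
 
     ntlm_sspi_cleanup(ntlm);
 
@@ -428,10 +463,10 @@
       ntlm->p_identity = NULL;
     }
 
-    if (AcquireCredentialsHandle(
+    if (s_pSecFn->AcquireCredentialsHandle(
           NULL, (char *)"NTLM", SECPKG_CRED_OUTBOUND, NULL, ntlm->p_identity,
-          NULL, NULL, &ntlm->handle, NULL
-        ) != SEC_E_OK) {
+          NULL, NULL, &ntlm->handle, &tsDummy
+          ) != SEC_E_OK) {
       return CURLE_OUT_OF_MEMORY;
     }
 
@@ -442,20 +477,22 @@
     buf.BufferType = SECBUFFER_TOKEN;
     buf.pvBuffer   = ntlmbuf;
 
-    status = InitializeSecurityContext(&ntlm->handle, NULL, (char *) host,
-                                       ISC_REQ_CONFIDENTIALITY |
-                                       ISC_REQ_REPLAY_DETECT |
-                                       ISC_REQ_CONNECTION,
-                                       0, SECURITY_NETWORK_DREP, NULL, 0,
-                                       &ntlm->c_handle, &desc, &attrs, NULL
-                                      );
+    status = s_pSecFn->InitializeSecurityContext(&ntlm->handle, NULL,
+                                                 (char *) host,
+                                                 ISC_REQ_CONFIDENTIALITY |
+                                                 ISC_REQ_REPLAY_DETECT |
+                                                 ISC_REQ_CONNECTION,
+                                                 0, SECURITY_NETWORK_DREP,
+                                                 NULL, 0,
+                                                 &ntlm->c_handle, &desc,
+                                                 &attrs, &tsDummy);
 
     if (status == SEC_I_COMPLETE_AND_CONTINUE ||
         status == SEC_I_CONTINUE_NEEDED) {
-      CompleteAuthToken(&ntlm->c_handle, &desc);
+      s_pSecFn->CompleteAuthToken(&ntlm->c_handle, &desc);
     }
     else if (status != SEC_E_OK) {
-      FreeCredentialsHandle(&ntlm->handle);
+      s_pSecFn->FreeCredentialsHandle(&ntlm->handle);
       return CURLE_RECV_ERROR;
     }
 
@@ -553,6 +590,7 @@
     SecBufferDesc type_2_desc, type_3_desc;
     SECURITY_STATUS status;
     ULONG attrs;
+    TimeStamp tsDummy; /* For Windows 9x compatibility of SPPI calls */
 
     type_2_desc.ulVersion  = type_3_desc.ulVersion  = SECBUFFER_VERSION;
     type_2_desc.cBuffers   = type_3_desc.cBuffers   = 1;
@@ -566,14 +604,14 @@
     type_3.pvBuffer   = ntlmbuf;
     type_3.cbBuffer   = sizeof(ntlmbuf);
 
-    status = InitializeSecurityContext(&ntlm->handle, &ntlm->c_handle,
+    status = s_pSecFn->InitializeSecurityContext(&ntlm->handle, &ntlm->c_handle,
                                        (char *) host,
                                        ISC_REQ_CONFIDENTIALITY |
                                        ISC_REQ_REPLAY_DETECT |
                                        ISC_REQ_CONNECTION,
                                        0, SECURITY_NETWORK_DREP, &type_2_desc,
                                        0, &ntlm->c_handle, &type_3_desc,
-                                       &attrs, NULL);
+                                       &attrs, &tsDummy);
 
     if (status != SEC_E_OK)
       return CURLE_RECV_ERROR;
@@ -700,6 +738,13 @@
     size=64;
     ntlmbuf[62]=ntlmbuf[63]=0;
 
+    /* Make sure that the user and domain strings fit in the target buffer
+       before we copy them there. */
+    if(size + userlen + domlen >= sizeof(ntlmbuf)) {
+      failf(conn->data, "user + domain name too big");
+      return CURLE_OUT_OF_MEMORY;
+    }
+
     memcpy(&ntlmbuf[size], domain, domlen);
     size += domlen;
 
@@ -763,6 +808,11 @@
 #ifdef USE_WINDOWS_SSPI
   ntlm_sspi_cleanup(&conn->ntlm);
   ntlm_sspi_cleanup(&conn->proxyntlm);
+  if (s_hSecDll != NULL) {
+    FreeLibrary(s_hSecDll);
+        s_hSecDll = NULL;
+        s_pSecFn = NULL;
+  }
 #else
   (void)conn;
 #endif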
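Review bot: The handle-release body at new lines 312-317 (its enclosing function's signature is outside the hunk; it is what `ntlm_sspi_cleanup` calls at 426 and 809) now calls `s_pSecFn->DeleteSecurityContext` and `s_pSecFn->FreeCredentialsHandle` without checking `s_pSecFn`, while the new block at lines 811-815 unloads the DLL and resets `s_pSecFn` to NULL from a function that takes a single `conn`; if that function is per-connection and another connection still has `has_handles` set when it runs, the later cleanup of that connection is a NULL function-pointer call (whether concurrent connections can hold handles here is not visible in this diff). A cheap guard is `if (ntlm->has_handles && s_pSecFn != NULL) {` at line 312, and the global `FreeLibrary` belongs in a library-wide teardown rather than a per-connection one. Separately, `GetVersionEx(&osver);` at line 394 discards its return value, so on failure the choice between security.dll and secur32.dll is made from an uninitialized `osver`; `if(!GetVersionEx(&osver)) return CURLE_RECV_ERROR;` closes that. The size check added at lines 741-746 is the right shape; note that `domlen` is declared `int` at line 423 and is added to `size_t` operands, so a negative value would convert to a large unsigned and be rejected rather than slip past, which is the safe direction.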