From df739784e5cba0d032e0675d49fb449042799104 Mon Sep 17 00:00:00 2001 From: Steve Holme Date: Fri, 8 Aug 2014 07:23:38 +0100 Subject: [PATCH] ntlm: Fixed hard coded buffer for SSPI based auth packet generation Given the SSPI package info query indicates a token size of 2888 bytes, and as with the Winbind code and commit 9008f3d56, use a dynamic buffer for the Type-1 and Type-3 message generation rather than a fixed buffer of 1024 bytes. --- lib/curl_ntlm_msgs.c | 36 ++++++++++++++++++++++++++++-------- lib/urldata.h | 2 ++ 2 files changed, 30 insertions(+), 8 deletions(-) diff --git a/lib/curl_ntlm_msgs.c b/lib/curl_ntlm_msgs.c index 8d33e9d0b1..e3116a2951 100644 --- a/lib/curl_ntlm_msgs.c +++ b/lib/curl_ntlm_msgs.c @@ -353,6 +353,9 @@ void Curl_ntlm_sspi_cleanup(struct ntlmdata *ntlm) ntlm->has_handles = 0; } + ntlm->max_token_length = 0; + Curl_safefree(ntlm->output_token); + Curl_sspi_free_identity(ntlm->p_identity); ntlm->p_identity = NULL; } @@ -409,7 +412,6 @@ CURLcode Curl_ntlm_create_type1_message(const char *userp, (*) -> Optional */ - unsigned char ntlmbuf[NTLM_BUFSIZE]; size_t size; #ifdef USE_WINDOWS_SSPI @@ -429,9 +431,16 @@ CURLcode Curl_ntlm_create_type1_message(const char *userp, if(status != SEC_E_OK) return CURLE_NOT_BUILT_IN; + ntlm->max_token_length = SecurityPackage->cbMaxToken; + /* Release the package buffer as it is not required anymore */ s_pSecFn->FreeContextBuffer(SecurityPackage); + /* Allocate our output buffer */ + ntlm->output_token = malloc(ntlm->max_token_length); + if(!ntlm->output_token) + return CURLE_OUT_OF_MEMORY; + if(userp && *userp) { CURLcode result; @@ -460,9 +469,9 @@ CURLcode Curl_ntlm_create_type1_message(const char *userp, type_1_desc.ulVersion = SECBUFFER_VERSION; type_1_desc.cBuffers = 1; type_1_desc.pBuffers = &type_1_buf; - type_1_buf.cbBuffer = NTLM_BUFSIZE; + type_1_buf.cbBuffer = curlx_uztoul(ntlm->max_token_length); type_1_buf.BufferType = SECBUFFER_TOKEN; - type_1_buf.pvBuffer = ntlmbuf; + type_1_buf.pvBuffer = ntlm->output_token; /* Generate our type-1 message */ status = s_pSecFn->InitializeSecurityContext(&ntlm->handle, NULL, @@ -488,6 +497,7 @@ CURLcode Curl_ntlm_create_type1_message(const char *userp, #else + unsigned char ntlmbuf[NTLM_BUFSIZE]; const char *host = ""; /* empty */ const char *domain = ""; /* empty */ size_t hostlen = 0; @@ -565,7 +575,11 @@ CURLcode Curl_ntlm_create_type1_message(const char *userp, }); /* Return with binary blob encoded into base64 */ +#ifdef USE_WINDOWS_SSPI + return Curl_base64_encode(NULL, (char *)ntlm->output_token, size, outptr, outlen); +#else return Curl_base64_encode(NULL, (char *)ntlmbuf, size, outptr, outlen); +#endif } /* @@ -612,10 +626,10 @@ CURLcode Curl_ntlm_create_type3_message(struct SessionHandle *data, (*) -> Optional */ - unsigned char ntlmbuf[NTLM_BUFSIZE]; size_t size; #ifdef USE_WINDOWS_SSPI + CURLcode result = CURLE_OK; SecBuffer type_2_buf; SecBuffer type_3_buf; SecBufferDesc type_2_desc; @@ -641,8 +655,8 @@ CURLcode Curl_ntlm_create_type3_message(struct SessionHandle *data, type_3_desc.cBuffers = 1; type_3_desc.pBuffers = &type_3_buf; type_3_buf.BufferType = SECBUFFER_TOKEN; - type_3_buf.pvBuffer = ntlmbuf; - type_3_buf.cbBuffer = NTLM_BUFSIZE; + type_3_buf.pvBuffer = ntlm->output_token; + type_3_buf.cbBuffer = curlx_uztoul(ntlm->max_token_length); /* Generate our type-3 message */ status = s_pSecFn->InitializeSecurityContext(&ntlm->handle, @@ -661,9 +675,16 @@ CURLcode Curl_ntlm_create_type3_message(struct SessionHandle *data, size = type_3_buf.cbBuffer; + /* Return with binary blob encoded into base64 */ + result = Curl_base64_encode(NULL, (char *)ntlm->output_token, size, outptr, outlen); + Curl_ntlm_sspi_cleanup(ntlm); + return result; + #else + + unsigned char ntlmbuf[NTLM_BUFSIZE]; int lmrespoff; unsigned char lmresp[24]; /* fixed-size */ #if USE_NTRESPONSES @@ -979,10 +1000,9 @@ CURLcode Curl_ntlm_create_type3_message(struct SessionHandle *data, if(res) return CURLE_CONV_FAILED; -#endif - /* Return with binary blob encoded into base64 */ return Curl_base64_encode(NULL, (char *)ntlmbuf, size, outptr, outlen); +#endif } #endif /* USE_NTLM */ diff --git a/lib/urldata.h b/lib/urldata.h index dcf72dd1dc..69f2297ba2 100644 --- a/lib/urldata.h +++ b/lib/urldata.h @@ -433,6 +433,8 @@ struct ntlmdata { CtxtHandle c_handle; SEC_WINNT_AUTH_IDENTITY identity; SEC_WINNT_AUTH_IDENTITY *p_identity; + size_t max_token_length; + BYTE *output_token; int has_handles; void *type_2; unsigned long n_type_2;