1
0
mirror of https://github.com/moparisthebest/curl synced 2024-11-10 11:35:07 -05:00
Commit Graph

86 Commits

Author SHA1 Message Date
Daniel Stenberg
65d2f563fd
ntlm: avoid malloc(0) on zero length user and domain
... and simplify the too-long checks somewhat.

Detected by OSS-Fuzz

Closes #6264
2020-11-29 11:24:54 +01:00
Daniel Stenberg
4d2f800677
curl.se: new home
Closes #6172
2020-11-04 23:59:47 +01:00
Marcel Raad
f504f18641 ntlm: fix condition for curl_ntlm_core usage
`USE_WINDOWS_SSPI` without `USE_WIN32_CRYPTO` but with any other DES
backend is fine, but was excluded before.

This also fixes test 1013 as the condition for SMB support in
configure.ac didn't match the condition in the source code. Now it
does.

Fixes https://github.com/curl/curl/issues/1262
Closes https://github.com/curl/curl/pull/5771
2020-08-29 10:08:32 +02:00
Ruurd Beerstra
d80d419d3e
ntlm: enable NTLM support with wolfSSL
When wolfSSL is built with its OpenSSL API layer, it fetures the same DES*
functions that OpenSSL has. This change take advantage of that.

Co-authored-by: Daniel Stenberg
Closes #5556
Fixes #5548
2020-06-16 09:06:19 +02:00
Viktor Szakats
7284061361 windows: suppress UI in all CryptAcquireContext() calls
Ref: https://docs.microsoft.com/windows/win32/api/wincrypt/nf-wincrypt-cryptacquirecontexta#parameters
Reviewed-by: Marc Hörsken
Closes https://github.com/curl/curl/pull/5088
2020-03-17 23:08:02 +00:00
Steve Holme
7def168a4f
ntlm: Moved the HMAC MD5 function into the HMAC module as a generic function 2020-02-24 06:56:35 +00:00
Steve Holme
850a295b41
md4: Use our own MD4 implementation when no crypto libraries are available
Closes #3780
2019-08-04 18:01:29 +01:00
Steve Holme
72e5fd83b2
md4: No need to include Curl_md4.h for each TLS library 2019-08-04 18:01:29 +01:00
Steve Holme
3d9685ee55
md4: No need for the NTLM code to call Curl_md4it() for each TLS library
As the NTLM code no longer calls any of TLS libraries' specific MD4
functions, there is no need to call this function for each #ifdef.
2019-08-04 18:01:28 +01:00
Steve Holme
2ff216f1b0
md4: Move the mbed TLS MD4 implementation out of the NTLM code 2019-08-04 18:01:28 +01:00
Steve Holme
c5eb2fd618
md4: Move the WinCrypt implementation out of the NTLM code 2019-08-04 18:01:27 +01:00
Steve Holme
11c50f7655
md4: Move the SecureTransport implementation out of the NTLM code 2019-08-04 18:01:27 +01:00
Steve Holme
24c298fb4d
md4: Use the Curl_md4it() function for OpenSSL based NTLM 2019-08-04 18:01:26 +01:00
Steve Holme
c89365929b
md4: Move the GNU TLS gcrypt MD4 implementation out of the NTLM code 2019-08-04 18:01:26 +01:00
Steve Holme
78e263676b
md4: Move the GNU TLS Nettle MD4 implementation out of the NTLM code 2019-08-04 18:01:25 +01:00
lufia
6cd5c35509
ntlm: explicit type casting 2019-07-31 00:22:16 +02:00
Marcel Raad
e23c52b329
build: fix Codacy warnings
Reduce variable scopes and remove redundant variable stores.

Closes https://github.com/curl/curl/pull/3975
2019-06-05 20:38:06 +02:00
Steve Holme
cd15acd0ec ntlm: Support the NT response in the type-3 when OpenSSL doesn't include MD4
Just like we do for mbed TLS, use our local implementation of MD4 when
OpenSSL doesn't support it. This allows a type-3 message to include the
NT response.
2019-04-23 20:00:33 +01:00
Daniel Stenberg
76a9c3c4be
Secure Transport: no more "darwinssl"
Everyone calls it Secure Transport, now we do too.

Reviewed-by: Nick Zitzmann

Closes #3619
2019-02-28 08:42:59 +01:00
Daniel Stenberg
05b100aee2
cleanup: make local functions static
urlapi: turn three local-only functions into statics

conncache: make conncache_find_first_connection static

multi: make detach_connnection static

connect: make getaddressinfo static

curl_ntlm_core: make hmac_md5 static

http2: make two functions static

http: make http_setup_conn static

connect: make tcpnodelay static

tests: make UNITTEST a thing to mark functions with, so they can be static for
normal builds and non-static for unit test builds

... and mark Curl_shuffle_addr accordingly.

url: make up_free static

setopt: make vsetopt static

curl_endian: make write32_le static

rtsp: make rtsp_connisdead static

warnless: remove unused functions

memdebug: remove one unused function, made another static
2019-02-10 18:38:57 +01:00
Daniel Stenberg
dcd6f81025
snprintf: renamed and we now only use msnprintf()
The function does not return the same value as snprintf() normally does,
so readers may be mislead into thinking the code works differently than
it actually does. A different function name makes this easier to detect.

Reported-by: Tomas Hoger
Assisted-by: Daniel Gustafsson
Fixes #3296
Closes #3297
2018-11-23 08:26:51 +01:00
pkubaj
7c96f6a14b ntlm: Remove redundant ifdef USE_OPENSSL
lib/curl_ntlm.c had code that read as follows:

  #ifdef USE_OPENSSL
  # ifdef USE_OPENSSL
  # else
  # ..
  # endif
  #endif

Remove the redundant USE_OPENSSL along with #else (it's not possible to
reach it anyway). The removed construction is a leftover from when the
SSLeay support was removed.

Closes #3269
Reviewed-by: Daniel Gustafsson <daniel@yesql.se>
Reviewed-by: Daniel Stenberg <daniel@haxx.se>
2018-11-20 14:59:12 +01:00
Daniel Stenberg
57d299a499
Curl_ntlm_core_mk_nt_hash: return error on too long password
... since it would cause an integer overflow if longer than (max size_t
/ 2).

This is CVE-2018-14618

Bug: https://curl.haxx.se/docs/CVE-2018-14618.html
Closes #2756
Reported-by: Zhaoyang Wu
2018-09-03 07:42:37 +02:00
Daniel Gustafsson
94400f32e9 all: Refactor malloc+memset to use calloc
When a zeroed out allocation is required, use calloc() rather than
malloc() followed by an explicit memset(). The result will be the
same, but using calloc() everywhere increases consistency in the
codebase and avoids the risk of subtle bugs when code is injected
between malloc and memset by accident.

Closes https://github.com/curl/curl/pull/2497
2018-04-15 03:00:37 -04:00
Daniel Stenberg
c1366571b6
vauth/cleartext: fix integer overflow check
Make the integer overflow check not rely on the undefined behavior that
a size_t wraps around on overflow.

Detected by lgtm.com
Closes #2408
2018-03-20 19:25:50 +01:00
Daniel Stenberg
014887c50a
curl_ntlm_core.c: use the limits.h's SIZE_T_MAX if provided 2017-11-27 10:40:31 +01:00
Daniel Stenberg
7f2a1df6f5
ntlm: avoid integer overflow for malloc size
Reported-by: Alex Nichols
Assisted-by: Kamil Dudka and Max Dymond

CVE-2017-8816

Bug: https://curl.haxx.se/docs/adv_2017-11e7.html
2017-11-27 08:19:34 +01:00
Daniel Stenberg
685ef13057 ntlm: avoid malloc(0) for zero length passwords
It triggers an assert() when built with memdebug since malloc(0) may
return NULL *or* a valid pointer.

Detected by OSS-Fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=4054

Assisted-by: Max Dymond
Closes #2054
2017-11-04 22:22:49 +01:00
Viktor Szakats
6f86022df2 ntlm: use strict order for SSL backend #if branches
With the recently introduced MultiSSL support multiple SSL backends
can be compiled into cURL That means that now the order of the SSL

One option would be to use the same SSL backend as was configured
via `curl_global_sslset()`, however, NTLMv2 support would appear
to be available only with some SSL backends. For example, when
eb88d778e (ntlm: Use Windows Crypt API, 2014-12-02) introduced
support for NTLMv1 using Windows' Crypt API, it specifically did
*not* introduce NTLMv2 support using Crypt API at the same time.

So let's select one specific SSL backend for NTLM support when
compiled with multiple SSL backends, using a priority order such
that we support NTLMv2 even if only one compiled-in SSL backend can
be used for that.

Ref: https://github.com/curl/curl/pull/1848
2017-09-22 19:01:28 +00:00
Daniel Stenberg
e5743f08e7
code style: use spaces around pluses 2017-09-11 09:29:50 +02:00
Marcel Raad
7960442730
curl_ntlm_core: use Curl_raw_toupper instead of toupper
This was the only remaining use of toupper in the entire source code.

Suggested-by: Daniel Stenberg
2017-06-05 00:27:29 +02:00
Marcel Raad
892c5e4cb3
curl_ntlm_core: pass unsigned char to toupper
Otherwise, clang on Cygwin64 warns:
curl_ntlm_core.c:525:35: error: array subscript is of type 'char'
[-Werror,-Wchar-subscripts]
    dest[2 * i] = (unsigned char)(toupper(src[i]));
                                  ^~~~~~~~~~~~~~~
/usr/include/ctype.h:152:25: note: expanded from macro 'toupper'
      (void) __CTYPE_PTR[__x]; (toupper) (__x);})
                        ^~~~
2017-06-04 16:46:03 +02:00
Dan Fandrich
5f830eaba0 mbedtls: enable NTLM (& SMB) even if MD4 support is unavailable
In that case, use libcurl's internal MD4 routine. This fixes tests 1013
and 1014 which were failing due to configure assuming NTLM and SMB were
always available whenever mbed TLS was in use (which is now true).
2017-04-21 22:42:14 +02:00
Marcel Raad
9bc92eeb0e
NTLM: check for features with #ifdef instead of #if
Feature defines are normally checked with #ifdef instead of #if in the rest of
the codebase. Additionally, some compilers warn when a macro is implicitly
evaluated to 0 because it is not defined, which was the case here.

Ref: https://github.com/curl/curl/pull/1362#discussion_r108605101
Closes https://github.com/curl/curl/pull/1367
2017-03-29 20:16:09 +02:00
Michael Kaufmann
ddedc1b3f3 string formatting: fix 4 printf-style format strings 2017-02-19 14:13:42 +01:00
Viktor Szakats
88bdd7cf6f use *.sourceforge.io and misc URL updates
Ref: https://sourceforge.net/blog/introducing-https-for-project-websites/
Closes: https://github.com/curl/curl/pull/1247
2017-02-06 19:21:05 +00:00
Daniel Stenberg
b228d2952b checksrc: stricter no-space-before-paren enforcement
In order to make the code style more uniform everywhere
2016-12-13 23:39:11 +01:00
Daniel Stenberg
811a693b80 strcasecompare: all case insensitive string compares ignore locale now
We had some confusions on when each function was used. We should not act
differently on different locales anyway.
2016-10-31 08:46:35 +01:00
Bill Nagel
497e7c9d34 mbedtls: Added support for NTLM 2016-08-03 19:33:59 +01:00
Daniel Stenberg
434f8d0389 internals: rename the SessionHandle struct to Curl_easy 2016-06-22 10:28:41 +02:00
Daniel Stenberg
4f45240bc8 lib: include curl_printf.h as one of the last headers
curl_printf.h defines printf to curl_mprintf, etc. This can cause
problems with external headers which may use
__attribute__((format(printf, ...))) markers etc.

To avoid that they cause problems with system includes, we include
curl_printf.h after any system headers. That makes the three last
headers to always be, and we keep them in this order:

 curl_printf.h
 curl_memory.h
 memdebug.h

None of them include system headers, they all do funny #defines.

Reported-by: David Benjamin

Fixes #743
2016-04-29 22:32:49 +02:00
Viktor Szakats
a24f71aac4 URLs: change http to https in many places
Closes #754
2016-04-06 11:58:34 +02:00
David Benjamin
39c803cba2 openssl: remove most BoringSSL #ifdefs.
As of https://boringssl-review.googlesource.com/#/c/6980/, almost all of
BoringSSL #ifdefs in cURL should be unnecessary:

- BoringSSL provides no-op stubs for compatibility which replaces most
  #ifdefs.

- DES_set_odd_parity has been in BoringSSL for nearly a year now. Remove
  the compatibility codepath.

- With a small tweak to an extend_key_56_to_64 call, the NTLM code
  builds fine.

- Switch OCSP-related #ifdefs to the more generally useful
  OPENSSL_NO_OCSP.

The only #ifdefs which remain are Curl_ossl_version and the #undefs to
work around OpenSSL and wincrypt.h name conflicts. (BoringSSL leaves
that to the consumer. The in-header workaround makes things sensitive to
include order.)

This change errs on the side of removing conditionals despite many of
the restored codepaths being no-ops. (BoringSSL generally adds no-op
compatibility stubs when possible. OPENSSL_VERSION_NUMBER #ifdefs are
bad enough!)

Closes #640
2016-02-09 08:46:36 +01:00
Daniel Stenberg
4af40b3646 URLs: change all http:// URLs to https:// 2016-02-03 00:19:02 +01:00
Patrick Monnerat
f6fbbd6dc3 curl_ntlm_core: fix 2 curl_off_t constant overflows. 2015-11-05 15:20:43 +01:00
Daniel Stenberg
13ddb9e54a ntlm: error out without 64bit support as the code needs it
It makes it a clearer message for developers reaching that point without
the necessary support.

Thanks-by: Jay Satiro

Closes #78
2015-10-09 23:51:54 +02:00
Daniel Stenberg
8256b44e5a ntlm: get rid of unconditional use of long long
... since some compilers don't have it and instead use other types, such
as __int64.

Reported by: gkinseyhpw
Closes #478
2015-10-08 12:31:06 +02:00
Daniel Stenberg
613e5022fe NTLM: recent boringssl brought DES_set_odd_parity back
... so improve the #ifdefs for using our local implementation.
2015-08-22 23:59:18 +02:00
Dan Fandrich
35648f2e79 curl_memory: make curl_memory.h the second-last header file loaded
This header file must be included after all header files except
memdebug.h, as it does similar memory function redefinitions and can be
similarly affected by conflicting definitions in system or dependent
library headers.
2015-03-24 23:47:01 +01:00
Daniel Stenberg
0f4a03cbb6 free: instead of Curl_safefree()
Since we just started make use of free(NULL) in order to simplify code,
this change takes it a step further and:

- converts lots of Curl_safefree() calls to good old free()
- makes Curl_safefree() not check the pointer before free()

The (new) rule of thumb is: if you really want a function call that
frees a pointer and then assigns it to NULL, then use Curl_safefree().
But we will prefer just using free() from now on.
2015-03-16 15:01:15 +01:00