1
0
mirror of https://github.com/moparisthebest/curl synced 2024-11-16 06:25:03 -05:00
Commit Graph

66 Commits

Author SHA1 Message Date
Daniel Stenberg
dcd6f81025
snprintf: renamed and we now only use msnprintf()
The function does not return the same value as snprintf() normally does,
so readers may be mislead into thinking the code works differently than
it actually does. A different function name makes this easier to detect.

Reported-by: Tomas Hoger
Assisted-by: Daniel Gustafsson
Fixes #3296
Closes #3297
2018-11-23 08:26:51 +01:00
pkubaj
7c96f6a14b ntlm: Remove redundant ifdef USE_OPENSSL
lib/curl_ntlm.c had code that read as follows:

  #ifdef USE_OPENSSL
  # ifdef USE_OPENSSL
  # else
  # ..
  # endif
  #endif

Remove the redundant USE_OPENSSL along with #else (it's not possible to
reach it anyway). The removed construction is a leftover from when the
SSLeay support was removed.

Closes #3269
Reviewed-by: Daniel Gustafsson <daniel@yesql.se>
Reviewed-by: Daniel Stenberg <daniel@haxx.se>
2018-11-20 14:59:12 +01:00
Daniel Stenberg
57d299a499
Curl_ntlm_core_mk_nt_hash: return error on too long password
... since it would cause an integer overflow if longer than (max size_t
/ 2).

This is CVE-2018-14618

Bug: https://curl.haxx.se/docs/CVE-2018-14618.html
Closes #2756
Reported-by: Zhaoyang Wu
2018-09-03 07:42:37 +02:00
Daniel Gustafsson
94400f32e9 all: Refactor malloc+memset to use calloc
When a zeroed out allocation is required, use calloc() rather than
malloc() followed by an explicit memset(). The result will be the
same, but using calloc() everywhere increases consistency in the
codebase and avoids the risk of subtle bugs when code is injected
between malloc and memset by accident.

Closes https://github.com/curl/curl/pull/2497
2018-04-15 03:00:37 -04:00
Daniel Stenberg
c1366571b6
vauth/cleartext: fix integer overflow check
Make the integer overflow check not rely on the undefined behavior that
a size_t wraps around on overflow.

Detected by lgtm.com
Closes #2408
2018-03-20 19:25:50 +01:00
Daniel Stenberg
014887c50a
curl_ntlm_core.c: use the limits.h's SIZE_T_MAX if provided 2017-11-27 10:40:31 +01:00
Daniel Stenberg
7f2a1df6f5
ntlm: avoid integer overflow for malloc size
Reported-by: Alex Nichols
Assisted-by: Kamil Dudka and Max Dymond

CVE-2017-8816

Bug: https://curl.haxx.se/docs/adv_2017-11e7.html
2017-11-27 08:19:34 +01:00
Daniel Stenberg
685ef13057 ntlm: avoid malloc(0) for zero length passwords
It triggers an assert() when built with memdebug since malloc(0) may
return NULL *or* a valid pointer.

Detected by OSS-Fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=4054

Assisted-by: Max Dymond
Closes #2054
2017-11-04 22:22:49 +01:00
Viktor Szakats
6f86022df2 ntlm: use strict order for SSL backend #if branches
With the recently introduced MultiSSL support multiple SSL backends
can be compiled into cURL That means that now the order of the SSL

One option would be to use the same SSL backend as was configured
via `curl_global_sslset()`, however, NTLMv2 support would appear
to be available only with some SSL backends. For example, when
eb88d778e (ntlm: Use Windows Crypt API, 2014-12-02) introduced
support for NTLMv1 using Windows' Crypt API, it specifically did
*not* introduce NTLMv2 support using Crypt API at the same time.

So let's select one specific SSL backend for NTLM support when
compiled with multiple SSL backends, using a priority order such
that we support NTLMv2 even if only one compiled-in SSL backend can
be used for that.

Ref: https://github.com/curl/curl/pull/1848
2017-09-22 19:01:28 +00:00
Daniel Stenberg
e5743f08e7
code style: use spaces around pluses 2017-09-11 09:29:50 +02:00
Marcel Raad
7960442730
curl_ntlm_core: use Curl_raw_toupper instead of toupper
This was the only remaining use of toupper in the entire source code.

Suggested-by: Daniel Stenberg
2017-06-05 00:27:29 +02:00
Marcel Raad
892c5e4cb3
curl_ntlm_core: pass unsigned char to toupper
Otherwise, clang on Cygwin64 warns:
curl_ntlm_core.c:525:35: error: array subscript is of type 'char'
[-Werror,-Wchar-subscripts]
    dest[2 * i] = (unsigned char)(toupper(src[i]));
                                  ^~~~~~~~~~~~~~~
/usr/include/ctype.h:152:25: note: expanded from macro 'toupper'
      (void) __CTYPE_PTR[__x]; (toupper) (__x);})
                        ^~~~
2017-06-04 16:46:03 +02:00
Dan Fandrich
5f830eaba0 mbedtls: enable NTLM (& SMB) even if MD4 support is unavailable
In that case, use libcurl's internal MD4 routine. This fixes tests 1013
and 1014 which were failing due to configure assuming NTLM and SMB were
always available whenever mbed TLS was in use (which is now true).
2017-04-21 22:42:14 +02:00
Marcel Raad
9bc92eeb0e
NTLM: check for features with #ifdef instead of #if
Feature defines are normally checked with #ifdef instead of #if in the rest of
the codebase. Additionally, some compilers warn when a macro is implicitly
evaluated to 0 because it is not defined, which was the case here.

Ref: https://github.com/curl/curl/pull/1362#discussion_r108605101
Closes https://github.com/curl/curl/pull/1367
2017-03-29 20:16:09 +02:00
Michael Kaufmann
ddedc1b3f3 string formatting: fix 4 printf-style format strings 2017-02-19 14:13:42 +01:00
Viktor Szakats
88bdd7cf6f use *.sourceforge.io and misc URL updates
Ref: https://sourceforge.net/blog/introducing-https-for-project-websites/
Closes: https://github.com/curl/curl/pull/1247
2017-02-06 19:21:05 +00:00
Daniel Stenberg
b228d2952b checksrc: stricter no-space-before-paren enforcement
In order to make the code style more uniform everywhere
2016-12-13 23:39:11 +01:00
Daniel Stenberg
811a693b80 strcasecompare: all case insensitive string compares ignore locale now
We had some confusions on when each function was used. We should not act
differently on different locales anyway.
2016-10-31 08:46:35 +01:00
Bill Nagel
497e7c9d34 mbedtls: Added support for NTLM 2016-08-03 19:33:59 +01:00
Daniel Stenberg
434f8d0389 internals: rename the SessionHandle struct to Curl_easy 2016-06-22 10:28:41 +02:00
Daniel Stenberg
4f45240bc8 lib: include curl_printf.h as one of the last headers
curl_printf.h defines printf to curl_mprintf, etc. This can cause
problems with external headers which may use
__attribute__((format(printf, ...))) markers etc.

To avoid that they cause problems with system includes, we include
curl_printf.h after any system headers. That makes the three last
headers to always be, and we keep them in this order:

 curl_printf.h
 curl_memory.h
 memdebug.h

None of them include system headers, they all do funny #defines.

Reported-by: David Benjamin

Fixes #743
2016-04-29 22:32:49 +02:00
Viktor Szakats
a24f71aac4 URLs: change http to https in many places
Closes #754
2016-04-06 11:58:34 +02:00
David Benjamin
39c803cba2 openssl: remove most BoringSSL #ifdefs.
As of https://boringssl-review.googlesource.com/#/c/6980/, almost all of
BoringSSL #ifdefs in cURL should be unnecessary:

- BoringSSL provides no-op stubs for compatibility which replaces most
  #ifdefs.

- DES_set_odd_parity has been in BoringSSL for nearly a year now. Remove
  the compatibility codepath.

- With a small tweak to an extend_key_56_to_64 call, the NTLM code
  builds fine.

- Switch OCSP-related #ifdefs to the more generally useful
  OPENSSL_NO_OCSP.

The only #ifdefs which remain are Curl_ossl_version and the #undefs to
work around OpenSSL and wincrypt.h name conflicts. (BoringSSL leaves
that to the consumer. The in-header workaround makes things sensitive to
include order.)

This change errs on the side of removing conditionals despite many of
the restored codepaths being no-ops. (BoringSSL generally adds no-op
compatibility stubs when possible. OPENSSL_VERSION_NUMBER #ifdefs are
bad enough!)

Closes #640
2016-02-09 08:46:36 +01:00
Daniel Stenberg
4af40b3646 URLs: change all http:// URLs to https:// 2016-02-03 00:19:02 +01:00
Patrick Monnerat
f6fbbd6dc3 curl_ntlm_core: fix 2 curl_off_t constant overflows. 2015-11-05 15:20:43 +01:00
Daniel Stenberg
13ddb9e54a ntlm: error out without 64bit support as the code needs it
It makes it a clearer message for developers reaching that point without
the necessary support.

Thanks-by: Jay Satiro

Closes #78
2015-10-09 23:51:54 +02:00
Daniel Stenberg
8256b44e5a ntlm: get rid of unconditional use of long long
... since some compilers don't have it and instead use other types, such
as __int64.

Reported by: gkinseyhpw
Closes #478
2015-10-08 12:31:06 +02:00
Daniel Stenberg
613e5022fe NTLM: recent boringssl brought DES_set_odd_parity back
... so improve the #ifdefs for using our local implementation.
2015-08-22 23:59:18 +02:00
Dan Fandrich
35648f2e79 curl_memory: make curl_memory.h the second-last header file loaded
This header file must be included after all header files except
memdebug.h, as it does similar memory function redefinitions and can be
similarly affected by conflicting definitions in system or dependent
library headers.
2015-03-24 23:47:01 +01:00
Daniel Stenberg
0f4a03cbb6 free: instead of Curl_safefree()
Since we just started make use of free(NULL) in order to simplify code,
this change takes it a step further and:

- converts lots of Curl_safefree() calls to good old free()
- makes Curl_safefree() not check the pointer before free()

The (new) rule of thumb is: if you really want a function call that
frees a pointer and then assigns it to NULL, then use Curl_safefree().
But we will prefer just using free() from now on.
2015-03-16 15:01:15 +01:00
Daniel Stenberg
709cf76f6b openssl: remove all uses of USE_SSLEAY
SSLeay was the name of the library that was subsequently turned into
OpenSSL many moons ago (1999). curl does not work with the old SSLeay
library since years. This is now reflected by only using USE_OPENSSL in
code that depends on OpenSSL.
2015-03-05 10:57:52 +01:00
Daniel Stenberg
df5578a7a3 mprintf.h: remove #ifdef CURLDEBUG
... and as a consequence, introduce curl_printf.h with that re-define
magic instead and make all libcurl code use that instead.
2015-03-03 12:36:18 +01:00
Daniel Stenberg
83bb07027d unit1600: unit test for Curl_ntlm_core_mk_nt_hash 2015-02-03 21:03:11 +01:00
Steve Holme
8cc70db2db ntlm_core: Use own odd parity function when crypto engine doesn't have one 2015-01-28 22:34:53 +00:00
Steve Holme
c469369b86 ntlm_core: Prefer sizeof(key) rather than hard coded sizes 2015-01-28 22:34:52 +00:00
Steve Holme
58e39b4da5 ntlm_core: Added consistent comments to DES functions 2015-01-28 22:34:51 +00:00
Steve Holme
0ea9381b7d curl_ntlm_core.c: Fixed compilation warning from commit 1cb17b2a5d
curl_ntlm_core.c:146: warning: passing 'DES_cblock' (aka 'unsigned char
                      [8]') to parameter of type 'char *' converts
                      between pointers to integer types with different
                      sign
2015-01-02 21:14:36 +00:00
Steve Holme
1cb17b2a5d ntlm: Use extend_key_56_to_64() for all cryptography engines
Rather than duplicate the code in setup_des_key() for OpenSSL and in
extend_key_56_to_64() for non-OpenSSL based crypto engines, as it is
the same, use extend_key_56_to_64() for all engines.
2015-01-02 20:17:05 +00:00
Steve Holme
34f0bd110f curl_ntlm_core.c: Fixed compilation warning
curl_ntlm_core.c:458: warning: 'ascii_uppercase_to_unicode_le' defined
                      but not used
2015-01-02 16:28:03 +00:00
Steve Holme
b40e37f93d endian: Fixed Linux compilation issues
Having files named endian.[c|h] seemed to cause issues under Linux so
renamed them both to have the curl_ prefix in the filenames.
2014-12-31 14:02:25 +00:00
Steve Holme
f4413ca65a endian: Renamed functions for curl API naming convention 2014-12-31 12:17:00 +00:00
Steve Holme
7873f9bdbd endian: Moved write functions to new module 2014-12-31 12:16:58 +00:00
Steve Holme
ed16a1695f curl_ntlm_core.c: Fixed compilation warnings
curl_ntlm_core.c:301: warning: pointer targets in passing argument 2 of
                      'CryptImportKey' differ in signedness
curl_ntlm_core.c:310: warning: passing argument 6 of 'CryptEncrypt' from
                      incompatible pointer type
curl_ntlm_core.c:540: warning: passing argument 4 of 'CryptGetHashParam'
                      from incompatible pointer type
2014-12-24 22:22:07 +00:00
Steve Holme
82fdb87b27 ntlm: Disable NTLM v2 when 64-bit integers are not supported
This fixes compilation issues with compilers that don't support 64-bit
integers through long long or __int64 which was introduced in commit
07b66cbfa4.
2014-12-12 22:34:16 +00:00
Steve Holme
dcd484a238 smb: Fixed Windows autoconf builds following commit eb88d778e7
As Windows based autoconf builds don't yet define USE_WIN32_CRYPTO
either explicitly through --enable-win32-cypto or automatically on
_WIN32 based platforms, subsequent builds broke with the following
error message:

"Can't compile NTLM support without a crypto library."
2014-12-07 20:47:54 +00:00
Bill Nagel
eb88d778e7 ntlm: Use Windows Crypt API
Allow the use of the Windows Crypt API for NTLMv1 functions.
2014-12-07 18:32:59 +00:00
Patrick Monnerat
9b0b9f209e OS400: enable NTLM authentication 2014-12-05 18:42:39 +01:00
Steve Holme
3b738a16eb ntlm: Return CURLcode from Curl_ntlm_core_mk_lm_hash() 2014-10-26 09:14:34 +00:00
Steve Holme
9c5f851ec9 ntlm: Use 'CURLcode result'
Continuing commit 0eb3d15ccb more return code variable name changes.
2014-10-26 09:14:10 +00:00
Daniel Stenberg
e95ca7cec9 NTLM: set a fake entropy for debug builds with CURL_ENTROPY set
Curl_rand() will return a dummy and repatable random value for this
case. Makes it possible to write test cases that verify output.

Also, fake timestamp with CURL_FORCETIME set.

Only when built debug enabled of course.

Curl_ssl_random() was not used anymore so it has been
removed. Curl_rand() is enough.

create_digest_md5_message: generate base64 instead of hex string

curl_sasl: also fix memory leaks in some OOM situations
2014-06-11 23:15:48 +02:00