aboutsummaryrefslogtreecommitdiff
path: root/lib/vauth/ntlm.c
AgeCommit message (Collapse)Author
2019-02-04ntlm: fix *_type3_message size check to avoid buffer overflowDaniel Stenberg
Bug: https://curl.haxx.se/docs/CVE-2019-3822.html Reported-by: Wenxiang Qian CVE-2019-3822
2019-02-04NTLM: fix size check condition for type2 received dataDaniel Stenberg
Bug: https://curl.haxx.se/docs/CVE-2018-16890.html Reported-by: Wenxiang Qian CVE-2018-16890
2019-01-01ntlm: update selection of type 3 responseMarkus Moeller
NTLM2 did not work i.e. no NTLMv2 response was created. Changing the check seems to work. Ref: https://winprotocoldoc.blob.core.windows.net/productionwindowsarchives/MS-NLMP/[MS-NLMP].pdf Fixes https://github.com/curl/curl/issues/3286 Closes https://github.com/curl/curl/pull/3287 Closes https://github.com/curl/curl/pull/3415
2018-11-23snprintf: renamed and we now only use msnprintf()Daniel Stenberg
The function does not return the same value as snprintf() normally does, so readers may be mislead into thinking the code works differently than it actually does. A different function name makes this easier to detect. Reported-by: Tomas Hoger Assisted-by: Daniel Gustafsson Fixes #3296 Closes #3297
2018-10-03comment: Fix multiple typos in function parametersDaniel Gustafsson
Ensure that the parameters in the comment match the actual names in the prototype. Closes #3079 Reviewed-by: Daniel Stenberg <daniel@haxx.se>
2018-05-14ntlm: Fix format specifiersRikard Falkeborn
2018-04-16ntlm_sspi: fix authentication using Credential Managertoughengineer
If you pass empty user/pass asking curl to use Windows Credential Storage (as stated in the docs) and it has valid credentials for the domain, e.g. curl -v -u : --ntlm example.com currently authentication fails. This change fixes it by providing proper SPN string to the SSPI API calls. Fixes https://github.com/curl/curl/issues/1622 Closes https://github.com/curl/curl/pull/1660
2017-11-21ntlm: remove unnecessary NULL-check to please scan-buildDaniel Stenberg
2017-09-22ntlm: use strict order for SSL backend #if branchesViktor Szakats
With the recently introduced MultiSSL support multiple SSL backends can be compiled into cURL That means that now the order of the SSL One option would be to use the same SSL backend as was configured via `curl_global_sslset()`, however, NTLMv2 support would appear to be available only with some SSL backends. For example, when eb88d778e (ntlm: Use Windows Crypt API, 2014-12-02) introduced support for NTLMv1 using Windows' Crypt API, it specifically did *not* introduce NTLMv2 support using Crypt API at the same time. So let's select one specific SSL backend for NTLM support when compiled with multiple SSL backends, using a priority order such that we support NTLMv2 even if only one compiled-in SSL backend can be used for that. Ref: https://github.com/curl/curl/pull/1848
2017-09-02Curl_base64_encode: always call with a real data handle.Patrick Monnerat
Some calls in different modules were setting the data handle to NULL, causing segmentation faults when using builds that enable character code conversions.
2017-05-08rand: treat fake entropy the same regardless of endiannessJay Satiro
When the random seed is purposely made predictable for testing purposes by using the CURL_ENTROPY environment variable, process that data in an endian agnostic way so the the initial random seed is the same regardless of endianness. - Change Curl_rand to write to a char array instead of int array. - Add Curl_rand_hex to write random hex characters to a buffer. Fixes #1315 Closes #1468 Co-authored-by: Daniel Stenberg Reported-by: Michael Kaufmann
2017-03-29NTLM: check for features with #ifdef instead of #ifMarcel Raad
Feature defines are normally checked with #ifdef instead of #if in the rest of the codebase. Additionally, some compilers warn when a macro is implicitly evaluated to 0 because it is not defined, which was the case here. Ref: https://github.com/curl/curl/pull/1362#discussion_r108605101 Closes https://github.com/curl/curl/pull/1367
2017-02-06use *.sourceforge.io and misc URL updatesViktor Szakats
Ref: https://sourceforge.net/blog/introducing-https-for-project-websites/ Closes: https://github.com/curl/curl/pull/1247
2016-11-14Curl_rand: fixed and moved to rand.cDaniel Stenberg
Now Curl_rand() is made to fail if it cannot get the necessary random level. Changed the proto of Curl_rand() slightly to provide a number of ints at once. Moved out from vtls, since it isn't a TLS function and vtls provides Curl_ssl_random() for this to use. Discussion: https://curl.haxx.se/mail/lib-2016-11/0119.html
2016-08-18vauth: Introduced Curl_auth_is_<mechansism>_supported() functionsSteve Holme
As Windows SSPI authentication calls fail when a particular mechanism isn't available, introduced these functions for DIGEST, NTLM, Kerberos 5 and Negotiate to allow both HTTP and SASL authentication the opportunity to query support for a supported mechanism before selecting it. For now each function returns TRUE to maintain compatability with the existing code when called.
2016-06-22internals: rename the SessionHandle struct to Curl_easyDaniel Stenberg
2016-04-06URLs: change http to https in many placesViktor Szakats
Closes #754
2016-03-25vauth: Refactored function names after move to new vauth directorySteve Holme
Renamed all the SASL functions that moved to the new vauth directory to include the correct module name.
2016-03-25vauth: Moved the NTLM authentication code to the new vauth directorySteve Holme