adam/metasploit-gs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
3da170a43c7f288fe9bc88fe325da488733acac3
metasploit-gs/external/source/exploits/drunkpotato/Common_Src_Files/spnegotokenhandler/derparse.c
T
C4ssandre 1b68a41c9a Formatting code by removing whitespaces.
2020-08-28 17:34:49 +02:00

724 lines
21 KiB
C
Raw Blame History

// Copyright (C) 2002 Microsoft Corporation
// All rights reserved.
//
// THIS CODE AND INFORMATION IS PROVIDED "AS IS"
// WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
// OR IMPLIED, INCLUDING BUT NOT LIMITED
// TO THE IMPLIED WARRANTIES OF MERCHANTIBILITY
// AND/OR FITNESS FOR A PARTICULAR PURPOSE.
//
// Date - 10/08/2002
// Author - Sanj Surati
/////////////////////////////////////////////////////////////
//
// DERPARSE.C
//
// SPNEGO Token Handler Source File
//
// Contains implementation of ASN.1 DER read/write functions
// as defined in DERPARSE.H.
//
/////////////////////////////////////////////////////////////
/*#include <stdlib.h>
#include <stdio.h>
#include <memory.h>
#include "spnego.h"
#include "derparse.h"*/
#include "..\pch.h"
#define __LITTLE_ENDIAN__ 1
//
// The GSS Mechanism OID enumeration values (SPNEGO_MECH_OID) control which offset in
// the array below, that a mechanism can be found.
//
MECH_OID g_stcMechOIDList[] =
{
{"\x06\x09\x2a\x86\x48\x82\xf7\x12\x01\x02\x02", 11, 9,
spnego_mech_oid_Kerberos_V5_Legacy }, // 1.2.840.48018.1.2.2
{"\x06\x09\x2a\x86\x48\x86\xf7\x12\x01\x02\x02", 11, 9,
spnego_mech_oid_Kerberos_V5 }, // 1.2.840.113554.1.2.2
{"\x06\x06\x2b\x06\x01\x05\x05\x02", 8, 6,
spnego_mech_oid_Spnego }, // 1.3.6.1.5.5.2
{"\x06\x0a\x2b\x06\x01\x04\x01\x82\x37\x02\x02\x0a", 12, 10,
spnego_mech_oid_NTLMSSP }, // 1.3.6.1.4.1.311.2.2.10
{"", 0, 0, spnego_mech_oid_NotUsed } // Placeholder
};
/////////////////////////////////////////////////////////////////////////////
//
// Function:
// ASNDerGetLength
//
// Parameters:
// [in] pbLengthData - DER Length Data
// [in] nBoundaryLength - Length that value must not exceed.
// [out] pnLength - Filled out with length value
// [out] pnNumLengthBytes - Filled out with number of bytes
// consumed by DER length.
//
// Returns:
// int Success - SPNEGO_E_SUCCESS
// Failure - SPNEGO API Error code
//
// Comments :
// Interprets the data at pbLengthData as a DER length. The length must
// fit within the bounds of nBoundary length. We do not currently
// process lengths that take more than 4 bytes.
//
////////////////////////////////////////////////////////////////////////////
static int ASNDerGetLength(unsigned char* pbLengthData, unsigned short nBoundaryLength, unsigned short* pnLength,
unsigned short* pnNumLengthBytes)
{
int nReturn = SPNEGO_E_INVALID_LENGTH;
unsigned short nNumLengthBytes = 0;
// First check if the extended length bit is set
if (*pbLengthData & LEN_XTND)
{
// Lower 7 bits contain the number of trailing bytes that describe the length
nNumLengthBytes = *pbLengthData & LEN_MASK;
// Check that the number of bytes we are about to read is within our boundary
// constraints
if (nNumLengthBytes <= nBoundaryLength - 1)
{
// For now, our handler won't deal with lengths greater than 4 bytes
if (nNumLengthBytes >= 1 && nNumLengthBytes <= 4)
{
// 0 out the initial length
*pnLength = 0L;
// Bump by 1 byte
pbLengthData++;
#ifdef __LITTLE_ENDIAN__
// There may be a cleaner way to do this, but for now, this seems to be
// an easy way to do the transformation
switch (nNumLengthBytes)
{
case 1:
{
*(((unsigned char*)pnLength)) = *pbLengthData;
break;
}
case 2:
{
*(((unsigned char*)pnLength)) = *(pbLengthData + 1);
*(((unsigned char*)pnLength) + 1) = *(pbLengthData);
break;
}
case 3:
{
*(((unsigned char*)pnLength)) = *(pbLengthData + 2);
*(((unsigned char*)pnLength) + 2) = *(pbLengthData + 1);
*(((unsigned char*)pnLength) + 3) = *(pbLengthData);
break;
}
case 4:
{
*(((unsigned char*)pnLength)) = *(pbLengthData + 3);
*(((unsigned char*)pnLength) + 1) = *(pbLengthData + 2);
*(((unsigned char*)pnLength) + 2) = *(pbLengthData + 1);
*(((unsigned char*)pnLength) + 3) = *(pbLengthData);
break;
}
} // SWITCH ( nNumLengthBytes )
#else
// We are Big-Endian, so the length can be copied in from the source
// as is. Ensure that we adjust for the number of bytes we actually
// copy.
memcpy(((unsigned char*)pnLength) + (4 - nNumLengthBytes),
pbLengthData, nNumLengthBytes);
#endif
// Account for the initial length byte
* pnNumLengthBytes = nNumLengthBytes + 1;
nReturn = SPNEGO_E_SUCCESS;
} // IF Valid Length
} // IF num bytes to read is within the boundary length
} // IF xtended length
else
{
// Extended bit is not set, so the length is in the value and the one
// byte describes the length
*pnLength = *pbLengthData & LEN_MASK;
*pnNumLengthBytes = 1;
nReturn = SPNEGO_E_SUCCESS;
}
return nReturn;
}
/////////////////////////////////////////////////////////////////////////////
//
// Function:
// ASNDerCheckToken
//
// Parameters:
// [in] pbTokenData - Token Data
// [in] nToken - Token identifier to check for
// [in] nLengthWithToken - Expected token length (with data)
// [in] nBoundaryLength - Length that value must not exceed.
// [out] pnLength - Filled out with data length
// [out] pnTokenLength - Filled out with number of bytes
// consumed by token identifier and length.
//
// Returns:
// int Success - SPNEGO_E_SUCCESS
// Failure - SPNEGO API Error code
//
// Comments :
// Checks the data pointed to by pbTokenData for the specified token
// identifier and the length that immediately follows. If
// nLengthWithToken is > 0, the calculated length must match. The
// length must also not exceed the specified boundary length .
//
////////////////////////////////////////////////////////////////////////////
int ASNDerCheckToken(unsigned char* pbTokenData, unsigned char nToken,
unsigned short nLengthWithToken, unsigned short nBoundaryLength,
unsigned short* pnLength, unsigned short* pnTokenLength)
{
int nReturn = SPNEGO_E_INVALID_LENGTH;
unsigned short nNumLengthBytes = 0L;
// Make sure that we've at least got 2 bytes of room to work with
if (nBoundaryLength >= 2)
{
// The first byte of the token data MUST match the specified token
if (*pbTokenData == nToken)
{
// Next byte indicates the length
pbTokenData++;
// Get the length described by the token
if ((nReturn = ASNDerGetLength(pbTokenData, nBoundaryLength, pnLength,
&nNumLengthBytes)) == SPNEGO_E_SUCCESS)
{
// Verify that the length is LESS THAN the boundary length
// (this should prevent us walking out of our buffer)
if ((nBoundaryLength - (nNumLengthBytes + 1) < *pnLength))
{
nReturn = SPNEGO_E_INVALID_LENGTH;
}
// If we were passed a length to check, do so now
if (nLengthWithToken > 0L)
{
// Check that the expected length matches
if ((nLengthWithToken - (nNumLengthBytes + 1)) != *pnLength)
{
nReturn = SPNEGO_E_INVALID_LENGTH;
}
} // IF need to validate length
if (SPNEGO_E_SUCCESS == nReturn)
{
*pnTokenLength = nNumLengthBytes + 1;
}
} // IF ASNDerGetLength
} // IF token matches
else
{
nReturn = SPNEGO_E_TOKEN_NOT_FOUND;
}
} // IF Boundary Length is at least 2 bytes
return nReturn;
}
/////////////////////////////////////////////////////////////////////////////
//
// Function:
// ASNDerCheckOID
//
// Parameters:
// [in] pbTokenData - Token Data
// [in] nMechOID - OID we are looking for
// [in] nBoundaryLength - Length that value must not exceed.
// [out] pnTokenLength - Filled out with number of bytes
// consumed by token and data.
//
// Returns:
// int Success - SPNEGO_E_SUCCESS
// Failure - SPNEGO API Error code
//
// Comments :
// Checks the data pointed to by pbTokenData for the specified OID.
//
////////////////////////////////////////////////////////////////////////////
int ASNDerCheckOID(unsigned char* pbTokenData, SPNEGO_MECH_OID nMechOID, unsigned short nBoundaryLength,
unsigned short* pnTokenLength)
{
int nReturn = 0L;
unsigned short nLength = 0L;
// Verify that we have an OID token
if ((nReturn = ASNDerCheckToken(pbTokenData, OID, 0L, nBoundaryLength,
&nLength, pnTokenLength)) == SPNEGO_E_SUCCESS)
{
// Add the data length to the Token Length
*pnTokenLength += nLength;
// Token Lengths plus the actual length must match the length in our OID list element.
// If it doesn't, we're done
if (*pnTokenLength == g_stcMechOIDList[nMechOID].iLen)
{
// Memcompare the token and the expected field
if (memcmp(pbTokenData, g_stcMechOIDList[nMechOID].ucOid, *pnTokenLength) != 0)
{
nReturn = SPNEGO_E_UNEXPECTED_OID;
}
}
else
{
nReturn = SPNEGO_E_UNEXPECTED_OID;
}
} // IF OID Token CHecks
return nReturn;
}
/////////////////////////////////////////////////////////////////////////////
//
// Function:
// ASNDerCalcNumLengthBytes
//
// Parameters:
// [in] nLength - Length to calculate length bytes for.
//
// Returns:
// int Number of bytes necessary to represent length
//
// Comments :
// Helper function to calculate the number of length bytes necessary to
// represent a length value. For our purposes, a 32-bit value should be
// enough to describea length.
//
////////////////////////////////////////////////////////////////////////////
static unsigned short ASNDerCalcNumLengthBytes(unsigned short nLength)
{
if (nLength <= 0x7F)
{
// A single byte will be sufficient for describing this length.
// The byte will simply contain the length
return 1;
}
else if (nLength <= 0xFF)
{
// Two bytes are necessary, one to say how many following bytes
// describe the length, and one to give the length
return 2;
}
else if (nLength <= 0xFFFF)
{
// Three bytes are necessary, one to say how many following bytes
// describe the length, and two to give the length
return 3;
}
else if (nLength <= 0xFFFFFF)
{
// Four bytes are necessary, one to say how many following bytes
// describe the length, and three to give the length
return 4;
}
else
{
// Five bytes are necessary, one to say how many following bytes
// describe the length, and four to give the length
return 5;
}
}
/////////////////////////////////////////////////////////////////////////////
//
// Function:
// ASNDerCalcTokenLength
//
// Parameters:
// [in] nLength - Length to calculate length bytes for.
// [in] nDataLength - Actual Data length value.
//
// Returns:
// long Number of bytes necessary to represent a token, length and data
//
// Comments :
// Helper function to calculate a token and value size, based on a
// supplied length value, and any binary data that will need to be
// written out.
//
////////////////////////////////////////////////////////////////////////////
unsigned short ASNDerCalcTokenLength(unsigned short nLength, unsigned short nDataLength)
{
// Add a byte to the length size to account for a single byte to
// hold the token type.
unsigned short nTotalLength = ASNDerCalcNumLengthBytes(nLength) + 1;
return nTotalLength + nDataLength;
}
/////////////////////////////////////////////////////////////////////////////
//
// Function:
// ASNDerCalcElementLength
//
// Parameters:
// [in] nDataLength - Length of data.
// [out] pnInternalLength - Filled out with length of element
// without sequence info.
//
// Returns:
// long Number of bytes necessary to represent an element
//
// Comments :
// Helper function to calculate an element length. An element consists
// of a sequence token, a type token and then the data.
//
////////////////////////////////////////////////////////////////////////////
unsigned short ASNDerCalcElementLength(unsigned short nDataLength, unsigned short* pnInternalLength)
{
// First the type token and the actual data
unsigned short nTotalLength = ASNDerCalcTokenLength(nDataLength, nDataLength);
// Internal length is the length without the element sequence token
if (NULL != pnInternalLength)
{
*pnInternalLength = nTotalLength;
}
// Next add in the element's sequence token (remember that its
// length is the total length of the type token and data)
nTotalLength += ASNDerCalcTokenLength(nTotalLength, 0L);
return nTotalLength;
}
/////////////////////////////////////////////////////////////////////////////
//
// Function:
// ASNDerCalcMechListLength
//
// Parameters:
// [in] mechoid - Mech OID to put in list.
// [out] pnInternalLength - Filled out with length of element
// without the primary sequence token.
//
// Returns:
// long Number of bytes necessary to represent a mechList
//
// Comments :
// Helper function to calculate a MechList length. A mechlist consists
// of a NegTokenInit sequence token, a sequence token for the MechList
// and finally a list of OIDs. In our case, we only really have one
// OID.
//
////////////////////////////////////////////////////////////////////////////
unsigned short ASNDerCalcMechListLength(SPNEGO_MECH_OID mechoid, unsigned short* pnInternalLength)
{
// First the OID
unsigned short nTotalLength = g_stcMechOIDList[mechoid].iLen;
// Next add in a sequence token
nTotalLength += ASNDerCalcTokenLength(nTotalLength, 0L);
// Internal length is the length without the element sequence token
if (NULL != pnInternalLength)
{
*pnInternalLength = nTotalLength;
}
// Finally add in the element's sequence token
nTotalLength += ASNDerCalcTokenLength(nTotalLength, 0L);
return nTotalLength;
}
/////////////////////////////////////////////////////////////////////////////
//
// Function:
// ASNDerWriteLength
//
// Parameters:
// [out] pbData - Buffer to write into.
// [in] nLength - Length to write out.
//
// Returns:
// int Number of bytes written out
//
// Comments :
// Helper function to write out a length value following DER rules .
//
////////////////////////////////////////////////////////////////////////////
static unsigned short ASNDerWriteLength(unsigned char* pbData, unsigned short nLength)
{
unsigned short nNumBytesRequired = ASNDerCalcNumLengthBytes(nLength);
unsigned short nNumLengthBytes = nNumBytesRequired - 1;
if (nNumBytesRequired > 1)
{
// Write out the number of bytes following which will be used
*pbData = (unsigned char)(LEN_XTND | nNumLengthBytes);
// Point to where we'll actually write the length
pbData++;
#ifdef __LITTLE_ENDIAN__
// There may be a cleaner way to do this, but for now, this seems to be
// an easy way to do the transformation
switch (nNumLengthBytes)
{
case 1:
{
// Cast the length to a single byte, since we know that it
// is 0x7F or less (or we wouldn't only need a single byte).
*pbData = (unsigned char)nLength;
break;
}
case 2:
{
*pbData = *(((unsigned char*)&nLength) + 1);
*(pbData + 1) = *(((unsigned char*)&nLength));
break;
}
case 3:
{
*pbData = *(((unsigned char*)&nLength) + 3);
*(pbData + 1) = *(((unsigned char*)&nLength) + 2);
*(pbData + 2) = *(((unsigned char*)&nLength));
break;
}
case 4:
{
*pbData = *(((unsigned char*)&nLength) + 3);
*(pbData + 1) = *(((unsigned char*)&nLength) + 2);
*(pbData + 2) = *(((unsigned char*)&nLength) + 1);
*(pbData + 3) = *(((unsigned char*)&nLength));
break;
}
} // SWITCH ( nNumLengthBytes )
#else
// We are Big-Endian, so the length can be copied in from the source
// as is. Ensure that we adjust for the number of bytes we actually
// copy.
memcpy(pbData,
((unsigned char*)&nLength) + (4 - nNumLengthBytes), nNumLengthBytes);
#endif
} // IF > 1 byte for length
else
{
// Cast the length to a single byte, since we know that it
// is 0x7F or less (or we wouldn't only need a single byte).
*pbData = (unsigned char)nLength;
}
return nNumBytesRequired;
}
/////////////////////////////////////////////////////////////////////////////
//
// Function:
// ASNDerWriteToken
//
// Parameters:
// [out] pbData - Buffer to write into.
// [in] ucType - Token Type
// [in] pbTokenValue - Actual Value
// [in] nLength - Length of Data.
//
// Returns:
// int Number of bytes written out
//
// Comments :
// Helper function to write out a token and any associated data. If
// pbTokenValue is non-NULL, then it is written out in addition to the
// token identifier and the length bytes.
//
////////////////////////////////////////////////////////////////////////////
unsigned short ASNDerWriteToken(unsigned char* pbData, unsigned char ucType,
unsigned char* pbTokenValue, unsigned short nLength)
{
unsigned short nTotalBytesWrittenOut = 0L;
unsigned short nNumLengthBytesWritten = 0L;
// Write out the type
*pbData = ucType;
// Wrote 1 byte, and move data pointer
nTotalBytesWrittenOut++;
pbData++;
// Now write out the length and adjust the number of bytes written out
nNumLengthBytesWritten = ASNDerWriteLength(pbData, nLength);
nTotalBytesWrittenOut += nNumLengthBytesWritten;
pbData += nNumLengthBytesWritten;
// Write out the token value if we got one. The assumption is that the
// nLength value indicates how many bytes are in pbTokenValue.
if (NULL != pbTokenValue)
{
memcpy(pbData, pbTokenValue, nLength);
nTotalBytesWrittenOut += nLength;
}
return nTotalBytesWrittenOut;
}
/////////////////////////////////////////////////////////////////////////////
//
// Function:
// ASNDerWriteOID
//
// Parameters:
// [out] pbData - Buffer to write into.
// [in] eMechOID - OID to write out.
//
// Returns:
// int Number of bytes written out
//
// Comments :
// Helper function to write out an OID. For these we have the raw bytes
// listed in a global structure. The caller simply indicates which OID
// should be written and we will splat out the data.
//
////////////////////////////////////////////////////////////////////////////
int ASNDerWriteOID(unsigned char* pbData, SPNEGO_MECH_OID eMechOID)
{
memcpy(pbData, g_stcMechOIDList[eMechOID].ucOid, g_stcMechOIDList[eMechOID].iLen);
return g_stcMechOIDList[eMechOID].iLen;
}
/////////////////////////////////////////////////////////////////////////////
//
// Function:
// ASNDerWriteMechList
//
// Parameters:
// [out] pbData - Buffer to write into.
// [in] eMechOID - OID to put in MechList.
//
// Returns:
// int Number of bytes written out
//
// Comments :
// Helper function to write out a MechList. A MechList consists of the
// Init Token Sequence, a sequence token and then the list of OIDs. In
// our case the OID is from a global array of known OIDs.
//
////////////////////////////////////////////////////////////////////////////
unsigned short ASNDerWriteMechList(unsigned char* pbData, SPNEGO_MECH_OID mechoid)
{
// First get the length
unsigned short nInternalLength = 0L;
unsigned short nMechListLength = ASNDerCalcMechListLength(mechoid, &nInternalLength);
unsigned short nTempLength = 0L;
nTempLength = ASNDerWriteToken(pbData, SPNEGO_NEGINIT_ELEMENT_MECHTYPES,
NULL, nInternalLength);
// Adjust the data pointer
pbData += nTempLength;
// Now write the Sequence token and the OID (the OID is a BLOB in the global
// structure.
nTempLength = ASNDerWriteToken(pbData, SPNEGO_CONSTRUCTED_SEQUENCE,
g_stcMechOIDList[mechoid].ucOid,
g_stcMechOIDList[mechoid].iLen);
return nMechListLength;
}
/////////////////////////////////////////////////////////////////////////////
//
// Function:
// ASNDerWriteElement
//
// Parameters:
// [out] pbData - Buffer to write into.
// [in] ucElementSequence - Sequence Token
// [in] ucType - Token Type
// [in] pbTokenValue - Actual Value
// [in] nLength - Length of Data.
//
// Returns:
// int Number of bytes written out
//
// Comments :
// Helper function to write out a SPNEGO Token element. An element
// consists of a sequence token, a type token and the associated data.
//
////////////////////////////////////////////////////////////////////////////
unsigned short ASNDerWriteElement(unsigned char* pbData, unsigned char ucElementSequence,
unsigned char ucType, unsigned char* pbTokenValue, unsigned short nLength)
{
// First get the length
unsigned short nInternalLength = 0L;
unsigned short nElementLength = ASNDerCalcElementLength(nLength, &nInternalLength);
unsigned short nTempLength = 0L;
// Write out the sequence byte and the length of the type and data
nTempLength = ASNDerWriteToken(pbData, ucElementSequence, NULL, nInternalLength);
// Adjust the data pointer
pbData += nTempLength;
// Now write the type and the data.
nTempLength = ASNDerWriteToken(pbData, ucType, pbTokenValue, nLength);
return nElementLength;
}
Reference in New Issue View Git Blame Copy Permalink