OLD | NEW |
(Empty) | |
| 1 // Copyright 2017 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. |
| 4 |
| 5 #ifndef NET_BASE_NTLM_BUFFER_READER_H_ |
| 6 #define NET_BASE_NTLM_BUFFER_READER_H_ |
| 7 |
| 8 #include <stddef.h> |
| 9 #include <stdint.h> |
| 10 |
| 11 #include <string> |
| 12 |
| 13 #include "base/strings/string_piece.h" |
| 14 #include "net/base/net_export.h" |
| 15 #include "net/ntlm/ntlm_constants.h" |
| 16 |
| 17 namespace net { |
| 18 namespace ntlm { |
| 19 |
| 20 // Supports various bounds-checked low level buffer operations required by an |
| 21 // NTLM implementation. |
| 22 // |
| 23 // The class supports the sequential read of a provided buffer. All reads |
| 24 // perform bounds checking to ensure enough space is remaining in the buffer. |
| 25 // |
| 26 // Read* methods read from the buffer at the current cursor position and |
| 27 // perform any necessary type conversion and provide the data in out params. |
| 28 // After a successful read the cursor position is advanced past the read |
| 29 // field. |
| 30 // |
| 31 // Failed Read*s or Match*s leave the cursor in an undefined position and the |
| 32 // buffer MUST be discarded with no further operations performed. |
| 33 // |
| 34 // Read*Payload methods first reads a security buffer (see |
| 35 // |ReadSecurityBuffer|), then reads the requested payload from the offset |
| 36 // and length stated in the security buffer. |
| 37 // |
| 38 // If the length and offset in the security buffer would cause a read outside |
| 39 // the message buffer the payload will not be read and the function will |
| 40 // return false. |
| 41 // |
| 42 // Based on [MS-NLMP]: NT LAN Manager (NTLM) Authentication Protocol |
| 43 // Specification version 28.0 [1]. Additional NTLM reference [2]. |
| 44 // |
| 45 // [1] https://msdn.microsoft.com/en-us/library/cc236621.aspx |
| 46 // [2] http://davenport.sourceforge.net/ntlm.html |
| 47 class NET_EXPORT_PRIVATE NtlmBufferReader { |
| 48 public: |
| 49 explicit NtlmBufferReader(base::StringPiece buffer); |
| 50 |
| 51 // This class does not take ownership of |ptr|, so the caller must ensure |
| 52 // that the buffer outlives the |NtlmBufferReader|. |
| 53 NtlmBufferReader(const uint8_t* ptr, size_t len); |
| 54 ~NtlmBufferReader(); |
| 55 |
| 56 size_t GetLength() const { return buffer_.length(); } |
| 57 size_t GetCursor() const { return cursor_; } |
| 58 bool IsEndOfBuffer() const { return cursor_ >= GetLength(); } |
| 59 |
| 60 // Returns true if there are |len| more bytes between the current cursor |
| 61 // position and the end of the buffer. |
| 62 bool CanRead(size_t len) const; |
| 63 |
| 64 // Returns true if there are |len| more bytes between |offset| and the end |
| 65 // of the buffer. The cursor position is not used or modified. |
| 66 bool CanReadFrom(size_t offset, size_t len) const; |
| 67 |
| 68 // Returns true if it would be possible to read the payload described by the |
| 69 // security buffer. |
| 70 bool CanReadFrom(SecurityBuffer sec_buf) const { |
| 71 return CanReadFrom(sec_buf.offset, sec_buf.length); |
| 72 } |
| 73 |
| 74 // Reads a 16 bit value (little endian) as a uint16_t. If there are not 16 |
| 75 // more bits available, it returns false. |
| 76 bool ReadUInt16(uint16_t* value) WARN_UNUSED_RESULT; |
| 77 |
| 78 // Reads a 32 bit value (little endian) as a uint32_t. If there are not 32 |
| 79 // more bits available, it returns false. |
| 80 bool ReadUInt32(uint32_t* value) WARN_UNUSED_RESULT; |
| 81 |
| 82 // Reads a 64 bit value (little endian) as a uint64_t. If there are not 64 |
| 83 // more bits available, it returns false. |
| 84 bool ReadUInt64(uint64_t* value) WARN_UNUSED_RESULT; |
| 85 |
| 86 // Calls |ReadUInt32| and returns it cast as |NegotiateFlags|. No |
| 87 // validation of the value takes place. |
| 88 bool ReadFlags(NegotiateFlags* flags) WARN_UNUSED_RESULT; |
| 89 |
| 90 // Reads |len| bytes and copies them into |buffer|. |
| 91 bool ReadBytes(uint8_t* buffer, size_t len) WARN_UNUSED_RESULT; |
| 92 |
| 93 // Reads |sec_buf.length| bytes from offset |sec_buf.offset| and copies them |
| 94 // into |buffer|. If the security buffer specifies a payload outside the |
| 95 // buffer, then the call fails. Unlike the other Read* methods, this does |
| 96 // not move the cursor. |
| 97 bool ReadBytesFrom(const SecurityBuffer& sec_buf, |
| 98 uint8_t* buffer) WARN_UNUSED_RESULT; |
| 99 |
| 100 // A security buffer is an 8 byte structure that defines the offset and |
| 101 // length of a payload (string, struct or byte array) that appears after the |
| 102 // fixed part of the message. |
| 103 // |
| 104 // The structure is (little endian fields): |
| 105 // uint16 - |length| Length of payload |
| 106 // uint16 - Allocation (this is always ignored and not returned) |
| 107 // uint32 - |offset| Offset from start of message |
| 108 bool ReadSecurityBuffer(SecurityBuffer* sec_buf) WARN_UNUSED_RESULT; |
| 109 |
| 110 // There are 3 message types Negotiate (sent by client), Challenge (sent by |
| 111 // server), and Authenticate (sent by client). |
| 112 // |
| 113 // This reads the message type from the header and will return false if the |
| 114 // value is invalid. |
| 115 bool ReadMessageType(MessageType* message_type) WARN_UNUSED_RESULT; |
| 116 |
| 117 // Skips over a security buffer field without reading the fields. This is |
| 118 // the equivalent of advancing the cursor 8 bytes. Returns false if there |
| 119 // are less than 8 bytes left in the buffer. |
| 120 bool SkipSecurityBuffer() WARN_UNUSED_RESULT; |
| 121 |
| 122 // Skips over the security buffer without returning the values, but fails if |
| 123 // the values would cause a read outside the buffer if the payload was |
| 124 // actually read. |
| 125 bool SkipSecurityBufferWithValidation() WARN_UNUSED_RESULT; |
| 126 |
| 127 // Skips over |count| bytes in the buffer. Returns false if there are not |
| 128 // |count| bytes left in the buffer. |
| 129 bool SkipBytes(size_t count) WARN_UNUSED_RESULT; |
| 130 |
| 131 // Reads and returns true if the next 8 bytes matches the signature in an |
| 132 // NTLM message "NTLMSSP\0". The cursor advances if the the signature |
| 133 // is matched. |
| 134 bool MatchSignature() WARN_UNUSED_RESULT; |
| 135 |
| 136 // Performs |ReadMessageType| and returns true if the value is |
| 137 // |message_type|. If the read fails or the message type does not match, |
| 138 // the buffer is invalid and MUST be discarded. |
| 139 bool MatchMessageType(MessageType message_type) WARN_UNUSED_RESULT; |
| 140 |
| 141 // Performs |MatchSignature| then |MatchMessageType|. |
| 142 bool MatchMessageHeader(MessageType message_type) WARN_UNUSED_RESULT; |
| 143 |
| 144 // Performs |ReadBytes(count)| and returns true if the contents is all |
| 145 // zero. |
| 146 bool MatchZeros(size_t count) WARN_UNUSED_RESULT; |
| 147 |
| 148 // Reads the security buffer and returns true if the length is 0 and |
| 149 // the offset is within the message. On failure, the buffer is invalid |
| 150 // and MUST be discarded. |
| 151 bool MatchEmptySecurityBuffer() WARN_UNUSED_RESULT; |
| 152 |
| 153 private: |
| 154 // Reads |sizeof(T)| bytes of an integer type from a little-endian buffer. |
| 155 template <typename T> |
| 156 bool ReadUInt(T* value); |
| 157 |
| 158 // Sets the cursor position. The caller should use |GetLength|, |CanRead|, |
| 159 // or |CanReadFrom| to verify the bounds before calling this method. |
| 160 void SetCursor(size_t cursor); |
| 161 |
| 162 // Advances the cursor by |count| bytes. The caller should use |GetLength|, |
| 163 // |CanRead|, or |CanReadFrom| to verify the bounds before calling this |
| 164 // method. |
| 165 void AdvanceCursor(size_t count) { SetCursor(GetCursor() + count); } |
| 166 |
| 167 // Returns a constant pointer to the start of the buffer. |
| 168 const uint8_t* GetBufferPtr() const { |
| 169 return reinterpret_cast<const uint8_t*>(buffer_.data()); |
| 170 } |
| 171 |
| 172 // Returns a pointer to the underlying buffer at the current cursor |
| 173 // position. |
| 174 const uint8_t* GetBufferAtCursor() const { return GetBufferPtr() + cursor_; } |
| 175 |
| 176 // Returns the byte at the current cursor position. |
| 177 uint8_t GetByteAtCursor() const { |
| 178 DCHECK(!IsEndOfBuffer()); |
| 179 return *(GetBufferAtCursor()); |
| 180 } |
| 181 |
| 182 const base::StringPiece buffer_; |
| 183 size_t cursor_; |
| 184 |
| 185 DISALLOW_COPY_AND_ASSIGN(NtlmBufferReader); |
| 186 }; |
| 187 |
| 188 } // namespace ntlm |
| 189 } // namespace net |
| 190 |
| 191 #endif // NET_BASE_NTLM_BUFFER_READER_H_ |
OLD | NEW |