From patchwork Wed Aug 2 11:31:49 2023
X-Patchwork-Submitter: David Sommerseth
X-Patchwork-Id: 3311
From: David Sommerseth
To: openvpn-devel@lists.sourceforge.net
Cc: David Sommerseth
Date: Wed, 2 Aug 2023 13:31:49 +0200
Message-Id: <20230802113149.36497-1-dazo+openvpn@eurephia.org>
Subject: [Openvpn-devel] [PATCH] ntlm: Clarify details on NTLM phase 3 decoding
From: David Sommerseth

The code was very clear if we accept that the base64 decode of the NTLM challenge was truncated or not. Move the related code lines closer to where it is first used and comment that we are not concerned about any truncation.

If the decoded result is truncated, the NTLM server side will reject our new response to the challenge as it will be incorrect. The buffer size is fixed and known to be in a cleared state before the decode starts.

Resolves: TOB-OVPN-14
Signed-off-by: David Sommerseth
Acked-by: Gert Doering
---
src/openvpn/ntlm.c | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/src/openvpn/ntlm.c b/src/openvpn/ntlm.c index 0cb0a32f..2e772141 100644 --- a/src/openvpn/ntlm.c +++ b/src/openvpn/ntlm.c @@ -207,7 +207,6 @@ ntlm_phase_3(const struct http_proxy_info *p, const char *phase_2, */ char pwbuf[sizeof(p->up.password) * 2]; /* for unicode password */ - uint8_t buf2[128]; /* decoded reply from proxy */ uint8_t phase3[464]; uint8_t md4_hash[MD4_DIGEST_LENGTH + 5]; @@ -230,8 +229,6 @@ ntlm_phase_3(const struct http_proxy_info *p, const char *phase_2, bool ntlmv2_enabled = (p->auth_method == HTTP_AUTH_NTLM2); - CLEAR(buf2); - ASSERT(strlen(p->up.username) > 0); ASSERT(strlen(p->up.password) > 0); @@ -264,6 +261,12 @@ ntlm_phase_3(const struct http_proxy_info *p, const char *phase_2, /* pad to 21 bytes */ memset(md4_hash + MD4_DIGEST_LENGTH, 0, 5); + /* If the decoded challenge is shorter than required by the protocol, + * the missing bytes will be NULL, as buf2 is known to be zeroed + * when this decode happens. + */ + uint8_t buf2[128]; /* decoded reply from proxy */ + CLEAR(buf2); ret_val = openvpn_base64_decode(phase_2, buf2, -1); if (ret_val < 0) {
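Review bot: in the third hunk (the one at @@ -264,6 +261,12 @@) the decode call still passes -1 as the size argument to openvpn_base64_decode right after buf2 is declared as 128 bytes, and the new comment only covers a challenge that decodes shorter than the protocol requires; please either pass sizeof(buf2) there, or extend the comment to state where the upper bound on the length of phase_2 is enforced, so a reader does not have to go looking for it. Minor wording in the same comment: "the missing bytes will be NULL" should read "zero" (or NUL), since NULL names a pointer constant and the bytes in question are simply the result of the preceding CLEAR(buf2).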