From patchwork Thu Jan 18 15:12:42 2024
X-Patchwork-Submitter: Gert Doering
X-Patchwork-Id: 3580
From: Gert Doering
To: openvpn-devel@lists.sourceforge.net
Date: Thu, 18 Jan 2024 16:12:42 +0100
Message-ID: <20240118151242.12169-1-gert@greenie.muc.de>
X-Mailer: git-send-email 2.43.0
Subject: [Openvpn-devel] [PATCH v1] NTLM: when NTLMv1 is requested, try NTLMv2 instead
From: Frank Lichtenheld

Commit 21910ebc2ee8a6138eb2af8d38056d2b94e59f9c removed support for NTLMv1 authentication. This adjusts the behavior for existing configurations that specify the "ntlm" keyword. Do not error out hard; instead, just try to upgrade. This should work fine in many cases and will avoid breaking user configs unnecessarily on upgrade.

In addition, it fixes an issue with the mentioned patch where "auto" wasn't working correctly for NTLM anymore.

Change-Id: Iec74e88f86cd15328f993b6cdd0317ebda81563c
Signed-off-by: Frank Lichtenheld
Acked-by: Arne Schwabe
---
This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to master.

Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/500
This mail reflects revision 1 of this Change.

Acked-by according to Gerrit (reflected above): Arne Schwabe

diff --git a/Changes.rst b/Changes.rst index 69c811d..58cb3db 100644 --- a/Changes.rst +++ b/Changes.rst @@ -12,8 +12,13 @@ ``--allow-deprecated-insecure-static-crypto`` but will be removed in OpenVPN 2.8. -NTLMv1 support has been removed because it is completely insecure. - NTLMv2 support is still available, but will removed in a future release. +NTLMv1 authentication support for HTTP proxies has been removed. + This is considered an insecure method of authentication that uses + obsolete crypto algorithms. + NTLMv2 support is still available, but will be removed in a future + release. + When configured to authenticate with NTLMv1 (``ntlm`` keyword in + ``--http-proxy``) OpenVPN will try NTLMv2 instead. Overview of changes in 2.6 diff --git a/doc/man-sections/proxy-options.rst b/doc/man-sections/proxy-options.rst index ad49c60..38c4578 100644 --- a/doc/man-sections/proxy-options.rst +++ b/doc/man-sections/proxy-options.rst 
@@ -48,6 +48,8 @@ Note that support for NTLMv1 proxies was removed with OpenVPN 2.7. + :code:`ntlm` now is an alias for :code:`ntlm2`; i.e. OpenVPN will always + attempt to use NTLMv2 authentication. --http-proxy-user-pass userpass Overwrite the username/password information for ``--http-proxy``. If specified diff --git a/src/openvpn/proxy.c b/src/openvpn/proxy.c index e2324f4..eeb3989 100644 --- a/src/openvpn/proxy.c +++ b/src/openvpn/proxy.c @@ -502,7 +502,7 @@ msg(M_FATAL, "HTTP_PROXY: server not specified"); } - ASSERT( o->port); + ASSERT(o->port); ALLOC_OBJ_CLEAR(p, struct http_proxy_info); p->options = *o; @@ -522,7 +522,8 @@ #if NTLM else if (!strcmp(o->auth_method_string, "ntlm")) { - msg(M_FATAL, "ERROR: NTLM v1 support has been removed. For now, you can use NTLM v2 by selecting ntlm2 but it is deprecated as well."); + msg(M_WARN, "NTLM v1 authentication has been removed in OpenVPN 2.7. Will try to use NTLM v2 authentication."); + p->auth_method = HTTP_AUTH_NTLM2; } else if (!strcmp(o->auth_method_string, "ntlm2")) { @@ -536,7 +537,9 @@ } } - /* only basic and NTLM/NTLMv2 authentication supported so far */ + /* When basic or NTLMv2 authentication is requested, get credentials now. + * In case of "auto" negotiation credentials will be retrieved later once + * we know whether we need any. */ if (p->auth_method == HTTP_AUTH_BASIC || p->auth_method == HTTP_AUTH_NTLM2) { get_user_pass_http(p, true); @@ -649,7 +652,8 @@ /* get user/pass if not previously given */ if (p->auth_method == HTTP_AUTH_BASIC - || p->auth_method == HTTP_AUTH_DIGEST) + || p->auth_method == HTTP_AUTH_DIGEST + || p->auth_method == HTTP_AUTH_NTLM2) { get_user_pass_http(p, false); } @@ -753,7 +757,7 @@ { processed = true; } - else if ((p->auth_method == HTTP_AUTH_NTLM2) && !processed) /* check for NTLM */ + else if (p->auth_method == HTTP_AUTH_NTLM2 && !processed) /* check for NTLM */ { #if NTLM /* look for the phase 2 response */
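Review bot: in the Changes.rst hunk, the last added sentence needs a comma after the closing parenthesis ("... in ``--http-proxy``), OpenVPN will try NTLMv2 instead."), and since proxy.c logs a warning when the fallback happens, the changelog could say so too, so users reading release notes know the `ntlm` keyword is deprecated rather than silently remapped.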
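Review bot: in the proxy-options.rst hunk, "now is an alias" reads better as "is now an alias", and calling `ntlm` an alias understates what proxy.c does: it logs an M_WARN saying NTLM v1 has been removed before trying NTLMv2. Suggest stating that in the man page and telling users to change their configuration to :code:`ntlm2` (itself scheduled for removal), e.g. ":code:`ntlm` is now treated as :code:`ntlm2` and logs a warning; update configurations to :code:`ntlm2`."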
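Review bot: the `ASSERT( o->port);` to `ASSERT(o->port);` change in the `@@ -502,7 +502,7 @@` hunk, like the parenthesis removal in the `@@ -753,7 +757,7 @@` hunk, is unrelated whitespace/style cleanup inside a behavioural change; it is harmless, but moving it to a separate commit keeps the NTLM fallback diff minimal and easier to bisect.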
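Review bot: in the `@@ -522,7 +522,8 @@` hunk, downgrading M_FATAL to M_WARN and setting `p->auth_method = HTTP_AUTH_NTLM2` is the right fallback, but the warning is only visible in the log at proxy setup, so a user with `ntlm` in the config gets no other signal that the keyword is deprecated. Suggest making the message actionable, e.g. "NTLM v1 authentication has been removed in OpenVPN 2.7. Trying NTLM v2 instead; please change 'ntlm' to 'ntlm2' in --http-proxy.", so that the log line tells the user what to fix before NTLMv2 is removed as well.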
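Review bot: adding `HTTP_AUTH_NTLM2` to the "get user/pass if not previously given" condition in the `@@ -649,7 +652,8 @@` hunk is the actual fix for the "auto" negotiation problem the commit message mentions, and it would help to say so explicitly in the message. Since HTTP_AUTH_NTLM2 now reaches both `get_user_pass_http(p, true)` at init (the `@@ -536` hunk's condition) and `get_user_pass_http(p, false)` here, please confirm that the second call is a no-op when credentials were already obtained, so a connection configured with `ntlm2` does not prompt for them twice.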