From patchwork Fri Jan 12 14:14:09 2024
X-Patchwork-Submitter: "plaisthos (Code Review)"
X-Patchwork-Id: 3565
From: "flichtenheld (Code Review)"
Date: Fri, 12 Jan 2024 14:14:09 +0000
To: plaisthos
Cc: openvpn-devel
Reply-To: frank@lichtenheld.com, arne-openvpn@rfc2549.org, openvpn-devel@lists.sourceforge.net
Subject: [Openvpn-devel] [S] Change in openvpn[master]: NTLM: when NTLMv1 is requested, try NTLMv2 instead
Message-ID: <5cf59510bcf2f3efe2531d82075991a765373faa-HTML@gerrit.openvpn.net>
X-Gerrit-MessageType: newchange
X-Gerrit-PatchSet: 1
X-Gerrit-Change-Id: Iec74e88f86cd15328f993b6cdd0317ebda81563c
X-Gerrit-Change-Number: 500
X-Gerrit-Project: openvpn
X-Gerrit-Commit: 3c52e6fd757d42e8d8ce8f7e12c86079c17d203a
User-Agent: Gerrit/3.8.2

Attention is currently required from: plaisthos.

Hello plaisthos,

I'd like you to do a code review. Please visit http://gerrit.openvpn.net/c/openvpn/+/500?usp=email to review the following change.
Change subject: NTLM: when NTLMv1 is requested, try NTLMv2 instead
......................................................................

NTLM: when NTLMv1 is requested, try NTLMv2 instead

Commit 21910ebc2ee8a6138eb2af8d38056d2b94e59f9c removed support for NTLMv1 authentication. This adjusts the behavior for existing configurations that specify the "ntlm" keyword. Do not error out hard; instead, just try to upgrade. This should work fine in many cases and will avoid breaking user configs unnecessarily on upgrade.

In addition, it fixes an issue with the mentioned patch where "auto" wasn't working correctly for NTLM anymore.

Change-Id: Iec74e88f86cd15328f993b6cdd0317ebda81563c
Signed-off-by: Frank Lichtenheld
---
M Changes.rst
M doc/man-sections/proxy-options.rst
M src/openvpn/proxy.c
3 files changed, 18 insertions(+), 7 deletions(-)

git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/00/500/1

diff --git a/Changes.rst b/Changes.rst index 69c811d..58cb3db 100644 --- a/Changes.rst +++ b/Changes.rst @@ -12,8 +12,13 @@ ``--allow-deprecated-insecure-static-crypto`` but will be removed in OpenVPN 2.8. -NTLMv1 support has been removed because it is completely insecure. - NTLMv2 support is still available, but will removed in a future release. +NTLMv1 authentication support for HTTP proxies has been removed. + This is considered an insecure method of authentication that uses + obsolete crypto algorithms. + NTLMv2 support is still available, but will be removed in a future + release. + When configured to authenticate with NTLMv1 (``ntlm`` keyword in + ``--http-proxy``) OpenVPN will try NTLMv2 instead. Overview of changes in 2.6 diff --git a/doc/man-sections/proxy-options.rst b/doc/man-sections/proxy-options.rst index ad49c60..38c4578 100644 --- a/doc/man-sections/proxy-options.rst +++ b/doc/man-sections/proxy-options.rst
@@ -48,6 +48,8 @@ Note that support for NTLMv1 proxies was removed with OpenVPN 2.7. + :code:`ntlm` now is an alias for :code:`ntlm2`; i.e. OpenVPN will always + attempt to use NTLMv2 authentication. --http-proxy-user-pass userpass Overwrite the username/password information for ``--http-proxy``. If specified diff --git a/src/openvpn/proxy.c b/src/openvpn/proxy.c index e2324f4..eeb3989 100644 --- a/src/openvpn/proxy.c +++ b/src/openvpn/proxy.c @@ -502,7 +502,7 @@ msg(M_FATAL, "HTTP_PROXY: server not specified"); } - ASSERT( o->port); + ASSERT(o->port); ALLOC_OBJ_CLEAR(p, struct http_proxy_info); p->options = *o; @@ -522,7 +522,8 @@ #if NTLM else if (!strcmp(o->auth_method_string, "ntlm")) { - msg(M_FATAL, "ERROR: NTLM v1 support has been removed. For now, you can use NTLM v2 by selecting ntlm2 but it is deprecated as well."); + msg(M_WARN, "NTLM v1 authentication has been removed in OpenVPN 2.7. Will try to use NTLM v2 authentication."); + p->auth_method = HTTP_AUTH_NTLM2; } else if (!strcmp(o->auth_method_string, "ntlm2")) { @@ -536,7 +537,9 @@ } } - /* only basic and NTLM/NTLMv2 authentication supported so far */ + /* When basic or NTLMv2 authentication is requested, get credentials now. + * In case of "auto" negotiation credentials will be retrieved later once + * we know whether we need any. */ if (p->auth_method == HTTP_AUTH_BASIC || p->auth_method == HTTP_AUTH_NTLM2) { get_user_pass_http(p, true); @@ -649,7 +652,8 @@ /* get user/pass if not previously given */ if (p->auth_method == HTTP_AUTH_BASIC - || p->auth_method == HTTP_AUTH_DIGEST) + || p->auth_method == HTTP_AUTH_DIGEST + || p->auth_method == HTTP_AUTH_NTLM2) { get_user_pass_http(p, false); } @@ -753,7 +757,7 @@ { processed = true; } - else if ((p->auth_method == HTTP_AUTH_NTLM2) && !processed) /* check for NTLM */ + else if (p->auth_method == HTTP_AUTH_NTLM2 && !processed) /* check for NTLM */ { #if NTLM /* look for the phase 2 response */
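Review bot: The Changes.rst hunk (@@ -12,8 +12,13 @@) tells users that ``ntlm`` will be upgraded to NTLMv2 but not that a warning is logged, nor that the alias disappears together with NTLMv2 when that is removed; one sentence recommending that affected configs be changed to ``ntlm2`` (or moved off NTLM entirely) would keep them from breaking a second time on the next release. The fix of "but will removed" to "but will be removed" in the new text is welcome.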
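Review bot: Style in the proxy-options.rst hunk (@@ -48,6 +48,8 @@): ":code:`ntlm` now is an alias for :code:`ntlm2`" reads more naturally as ":code:`ntlm` is now an alias for :code:`ntlm2`". The man page also states that OpenVPN "will always attempt to use NTLMv2 authentication" without mentioning that the proxy.c change in this same patch logs a warning whenever ``ntlm`` is used; saying that a warning is emitted and that ``ntlm2`` is the preferred spelling keeps the two in sync.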
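Review bot: The ASSERT( o->port) to ASSERT(o->port) whitespace change in the proxy.c hunk at @@ -502,7 +502,7 @@ is unrelated to the NTLM behaviour change and is not mentioned in the commit message. Consider moving it to a separate cleanup commit so the functional change stays reviewable on its own and a later bisect is not confused by it.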
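Review bot: In the "ntlm" branch of the @@ -522,7 +522,8 @@ hunk, the new M_WARN message says what was removed but not what the operator should do; appending something like "Please update your configuration to use ntlm2." gives a concrete action and matches the Changes.rst text in this same change. The block sits inside #if NTLM, so what a build without NTLM does with the "ntlm" keyword is not visible in this hunk; please confirm it still reaches the existing unsupported-method error rather than silently continuing.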
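Review bot: The reworded comment in the @@ -536,7 +537,9 @@ hunk is accurate but describes only "auto"; the later block in the @@ -649,7 +652,8 @@ hunk also defers credential retrieval for HTTP_AUTH_DIGEST, so "In case of "auto" or digest negotiation" would match the code more closely.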
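Review bot: Adding HTTP_AUTH_NTLM2 to the "get user/pass if not previously given" condition in the @@ -649,7 +652,8 @@ hunk is the actual fix for the "auto" problem named in the commit message, but it now also runs for the explicit ntlm2 case, where get_user_pass_http(p, true) has already been called at init in the @@ -536 hunk. That is only safe if the false argument makes get_user_pass_http skip credentials that are already set; please confirm that is what the flag means, otherwise the user could be prompted twice. A sentence in the commit message tying this hunk to the "auto" fix would also help future readers.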
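Review bot: The parenthesis removal in the @@ -753,7 +757,7 @@ hunk is a pure style cleanup unrelated to this change, like the ASSERT whitespace fix earlier in the file; if it stays, the trailing comment /* check for NTLM */ could be updated to /* check for NTLMv2 */ at the same time, since HTTP_AUTH_NTLM2 is the only NTLM method this branch handles now.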