From patchwork Wed Jan 10 14:57:04 2024
X-Patchwork-Submitter: "plaisthos (Code Review)"
X-Patchwork-Id: 3560
From: "flichtenheld (Code Review)"
Date: Wed, 10 Jan 2024 14:57:04 +0000
To: plaisthos
Auto-Submitted: auto-generated
X-Gerrit-PatchSet: 1
X-Gerrit-MessageType: newchange
X-Gerrit-Change-Id: Iefa4930cb1e8c4135056a17ceb4283fc13cc75c8
X-Gerrit-Change-Number: 494
X-Gerrit-Project: openvpn
X-Gerrit-Commit: 1e72d9271371fe8c114509dba5549d340b5766bb
User-Agent: Gerrit/3.8.2
Subject: [Openvpn-devel] [S] Change in openvpn[release/2.6]: NTLM: increase size of phase 2 response we can handle
Reply-To: frank@lichtenheld.com, arne-openvpn@rfc2549.org, openvpn-devel@lists.sourceforge.net
Cc: openvpn-devel

Attention is currently required from: plaisthos.

Hello plaisthos,

I'd like you to do a code review. Please visit

    http://gerrit.openvpn.net/c/openvpn/+/494?usp=email

to review the following change.

Change subject: NTLM: increase size of phase 2 response we can handle
......................................................................

NTLM: increase size of phase 2 response we can handle

With NTLMv2 the target information buffer can be rather large even with
normal domain setups. In my test setup it was 152 bytes starting at
offset 71. Overall the base64-encoded phase 2 response was 300 bytes long.

The linked documentation has 98 bytes at offset 60.

128 bytes is clearly too low.

While here improve the error messaging, so that if the buffer is too
small at least one can determine that in the log.

Change-Id: Iefa4930cb1e8c4135056a17ceb4283fc13cc75c8
Signed-off-by: Frank Lichtenheld
---
M src/openvpn/ntlm.c
M src/openvpn/proxy.c
2 files changed, 11 insertions(+), 12 deletions(-)

git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/94/494/1

diff --git a/src/openvpn/ntlm.c b/src/openvpn/ntlm.c
index 2b735ec..698abfb 100644
--- a/src/openvpn/ntlm.c
+++ b/src/openvpn/ntlm.c
@@ -218,7 +218,7 @@ uint8_t challenge[8], ntlm_response[24]; int i, ret_val; - uint8_t ntlmv2_response[144]; + uint8_t ntlmv2_response[256]; char userdomain_u[256]; /* for uppercase unicode username and domain */ char userdomain[128]; /* the same as previous but ascii */ uint8_t ntlmv2_hash[MD5_DIGEST_LENGTH]; @@ -270,17 +270,15 @@ * the missing bytes will be NULL, as buf2 is known to be zeroed * when this decode happens. */ - uint8_t buf2[128]; /* decoded reply from proxy */ + uint8_t buf2[512]; /* decoded reply from proxy */ CLEAR(buf2); ret_val = openvpn_base64_decode(phase_2, buf2, -1); if (ret_val < 0) { + msg(M_WARN, "NTLM: base64 decoding of phase 2 response failed"); return NULL; } - /* we can be sure that phase_2 is less than 128 - * therefore buf2 needs to be (3/4 * 128) */ - /* extract the challenge from bytes 24-31 */ for (i = 0; i<8; i++) { @@ -300,7 +298,7 @@ } else { - msg(M_INFO, "Warning: Username or domain too long"); + msg(M_WARN, "NTLM: Username or domain too long"); } unicodize(userdomain_u, userdomain); gen_hmac_md5((uint8_t *)userdomain_u, 2 * strlen(userdomain), md4_hash, @@ -335,9 +333,10 @@ if ((flags & 0x00800000) == 0x00800000) { tib_len = buf2[0x28]; /* Get Target Information block size */ - if (tib_len > 96) + if (tib_len + 0x1c + 16 > sizeof(ntlmv2_response)) { - tib_len = 96; + msg(M_WARN, "NTLM: target information buffer too long for response (len=%d)", tib_len); + return NULL; } { @@ -345,6 +344,7 @@ uint8_t tib_pos = buf2[0x2c]; if (tib_pos + tib_len > sizeof(buf2)) { + msg(M_ERR, "NTLM: phase 2 response from server too long (need %d bytes at offset %u)", tib_len, tib_pos); return NULL; } /* Get Target Information block pointer */ diff --git a/src/openvpn/proxy.c b/src/openvpn/proxy.c index 76e27cb..b2e8b3d 100644 --- a/src/openvpn/proxy.c +++ b/src/openvpn/proxy.c @@ -638,7 +638,6 @@ { struct gc_arena gc = gc_new(); char buf[512]; - char buf2[129]; char get[80]; int status; int nparms; 
@@ -758,7 +757,7 @@ { #if NTLM /* look for the phase 2 response */ - + char buf2[512]; while (true) { if (!recv_line(sd, buf, sizeof(buf), get_server_poll_remaining_time(server_poll_timeout), true, NULL, signal_received)) @@ -768,9 +767,9 @@ chomp(buf); msg(D_PROXY, "HTTP proxy returned: '%s'", buf); - openvpn_snprintf(get, sizeof get, "%%*s NTLM %%%ds", (int) sizeof(buf2) - 1); + CLEAR(buf2); + openvpn_snprintf(get, sizeof(get), "%%*s NTLM %%%zus", sizeof(buf2) - 1); nparms = sscanf(buf, get, buf2); - buf2[128] = 0; /* we only need the beginning - ensure it's null terminated. */ /* check for "Proxy-Authenticate: NTLM TlRM..." */ if (nparms == 1)
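Review bot: in the ntlm.c hunk at @@ -270, the two deleted comment lines ("we can be sure that phase_2 is less than 128 / therefore buf2 needs to be (3/4 * 128)") were the only record of why passing -1 (no size check) to `openvpn_base64_decode(phase_2, buf2, -1)` is safe, and after this patch that reasoning spans two files: the bound now comes from the `%511s` width built in proxy.c, whose 511 base64 characters decode to at most 384 bytes and so fit the new `uint8_t buf2[512]`. Either restore a comment next to the decode stating the new invariant, or pass `sizeof(buf2)` instead of `-1` so the decoder enforces the bound itself regardless of what proxy.c hands over.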
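Review bot: in the ntlm.c hunk at @@ -335, the new bound `tib_len + 0x1c + 16 > sizeof(ntlmv2_response)` is the right replacement for the silent clamp to 96, but `tib_len` still comes from the single byte `buf2[0x28]` in the context line above, and `tib_pos` from the single byte `buf2[0x2c]` in the next hunk. In the NTLM type 2 message the target information length at offset 0x28 is a 16-bit little-endian field and the buffer offset at 0x2c is a 32-bit one, so a block longer than 255 bytes, or one placed past offset 255, has its high bytes dropped and passes the check with a wrong size instead of being rejected; with `buf2` grown to 512 bytes that case is now reachable. Consider reading both fields as full little-endian values, and naming the `0x1c + 16` constants, so the check rejects exactly what it is meant to reject.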
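Review bot: in the ntlm.c hunk at @@ -345, `msg(M_ERR, "NTLM: phase 2 response from server too long ...")` never reaches the `return NULL;` that follows it: in OpenVPN `M_ERR` is `M_FATAL | M_ERRNO`, so the process exits and the message gets a strerror() suffix that has nothing to do with a malformed proxy reply. The other messages added in this patch use `M_WARN`; use `M_WARN` here as well so the failure is logged and the caller receives the NULL it already handles. The `%u` for `tib_pos` (a `uint8_t`, promoted to `int`) is harmless, but `%d` would match the neighbouring message.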
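Review bot: in the proxy.c hunk at @@ -768, dropping the explicit `buf2[128] = 0;` is fine because the `%511s` width derived from `sizeof(buf2) - 1` makes sscanf store at most 511 characters plus the terminator into the 512-byte buffer, and `CLEAR(buf2)` on every loop iteration keeps a previous, longer line from surviving in the tail. A one-line comment on the `openvpn_snprintf(get, ...)` line that the width is tied to `sizeof(buf2)` and that ntlm.c depends on this bound when it decodes the result would replace the documentation this patch removes from ntlm.c.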