From patchwork Fri Jan 12 14:14:06 2024
X-Patchwork-Submitter: "plaisthos (Code Review)"
X-Patchwork-Id: 3564
From: "flichtenheld (Code Review)"
Date: Fri, 12 Jan 2024 14:14:06 +0000
To: plaisthos
Cc: openvpn-devel
Reply-To: frank@lichtenheld.com, arne-openvpn@rfc2549.org, openvpn-devel@lists.sourceforge.net
Message-ID: <1b0f33af4b5532e492ab0c48b11f4f28bf456819-HTML@gerrit.openvpn.net>
X-Gerrit-MessageType: newchange
X-Gerrit-Project: openvpn
X-Gerrit-Change-Number: 497
X-Gerrit-PatchSet: 1
X-Gerrit-Change-Id: Iefa4930cb1e8c4135056a17ceb4283fc13cc75c8
X-Gerrit-Commit: 85ad1530ca411a07d67be532e3c62f6c9e0155e5
Subject: [Openvpn-devel] [S] Change in openvpn[master]: NTLM: increase size of phase 2 response we can handle

Attention is currently required from: plaisthos.

Hello plaisthos,

I'd like you to do a code review. Please visit

    http://gerrit.openvpn.net/c/openvpn/+/497?usp=email

to review the following change.
Change subject: NTLM: increase size of phase 2 response we can handle ...................................................................... NTLM: increase size of phase 2 response we can handle With NTLMv2 the target information buffer can be rather large even with normal domain setups. In my test setup it was 152 bytes starting at offset 71. Overall the base64 encode phase 2 response was 300 byte long. The linked documentation has 98 bytes at offset 60. 128 byte is clearly too low. While here improve the error messaging, so that if the buffer is too small at least one can determine that in the log. Change-Id: Iefa4930cb1e8c4135056a17ceb4283fc13cc75c8 Signed-off-by: Frank Lichtenheld --- M src/openvpn/ntlm.c M src/openvpn/proxy.c 2 files changed, 10 insertions(+), 11 deletions(-) git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/97/497/1 diff --git a/src/openvpn/ntlm.c b/src/openvpn/ntlm.c index 99d4ae7..2c6a69d 100644 --- a/src/openvpn/ntlm.c +++ b/src/openvpn/ntlm.c @@ -205,7 +205,7 @@ uint8_t challenge[8]; int i, ret_val; - uint8_t ntlmv2_response[144]; + uint8_t ntlmv2_response[256]; char userdomain_u[256]; /* for uppercase unicode username and domain */ char userdomain[128]; /* the same as previous but ascii */ uint8_t ntlmv2_hash[MD5_DIGEST_LENGTH]; @@ -255,17 +255,15 @@ * the missing bytes will be NULL, as buf2 is known to be zeroed * when this decode happens. */ - uint8_t buf2[128]; /* decoded reply from proxy */ + uint8_t buf2[512]; /* decoded reply from proxy */ CLEAR(buf2); ret_val = openvpn_base64_decode(phase_2, buf2, -1); if (ret_val < 0) { + msg(M_WARN, "NTLM: base64 decoding of phase 2 response failed"); return NULL; } - /* we can be sure that phase_2 is less than 128 - * therefore buf2 needs to be (3/4 * 128) */ - /* extract the challenge from bytes 24-31 */ for (i = 0; i<8; i++) { 
@@ -284,7 +282,7 @@ } else { - msg(M_INFO, "Warning: Username or domain too long"); + msg(M_INFO, "NTLM: Username or domain too long"); } unicodize(userdomain_u, userdomain); gen_hmac_md5((uint8_t *)userdomain_u, 2 * strlen(userdomain), md4_hash, @@ -319,9 +317,10 @@ if ((flags & 0x00800000) == 0x00800000) { tib_len = buf2[0x28]; /* Get Target Information block size */ - if (tib_len > 96) + if (tib_len + 0x1c + 16 > sizeof(ntlmv2_response)) { - tib_len = 96; + msg(M_WARN, "NTLM: target information buffer too long for response (len=%d)", tib_len); + return NULL; } { @@ -329,6 +328,7 @@ uint8_t tib_pos = buf2[0x2c]; if (tib_pos + tib_len > sizeof(buf2)) { + msg(M_ERR, "NTLM: phase 2 response from server too long (need %d bytes at offset %u)", tib_len, tib_pos); return NULL; } /* Get Target Information block pointer */ diff --git a/src/openvpn/proxy.c b/src/openvpn/proxy.c index 5a1b4e1..e081532 100644 --- a/src/openvpn/proxy.c +++ b/src/openvpn/proxy.c @@ -752,8 +752,7 @@ { #if NTLM /* look for the phase 2 response */ - char buf2[129]; - + char buf2[512]; while (true) { if (!recv_line(sd, buf, sizeof(buf), get_server_poll_remaining_time(server_poll_timeout), true, NULL, signal_received)) @@ -764,9 +763,9 @@ msg(D_PROXY, "HTTP proxy returned: '%s'", buf); char get[80]; + CLEAR(buf2); openvpn_snprintf(get, sizeof(get), "%%*s NTLM %%%zus", sizeof(buf2) - 1); nparms = sscanf(buf, get, buf2); - buf2[128] = 0; /* we only need the beginning - ensure it's null terminated. */ /* check for "Proxy-Authenticate: NTLM TlRM..." */ if (nparms == 1)
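Review bot: in the ntlm.c hunk at @@ -255,17 +255,15 @@ the removed comment ("we can be sure that phase_2 is less than 128, therefore buf2 needs to be (3/4 * 128)") was the only written record of why the decode cannot overrun buf2, and it is replaced by nothing. openvpn_base64_decode(phase_2, buf2, -1) is still called with -1 as its size argument, so nothing in this function bounds the write into the new buf2[512]; the guarantee now comes entirely from proxy.c capping the scanned token at sizeof(buf2) - 1 = 511 characters, which decode to at most 383 bytes. Either put an updated comment in place of the stale one stating that invariant, or, if the size argument bounds the output, pass sizeof(buf2) instead of -1 so the check lives next to the buffer it protects.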
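Review bot: the ntlm.c hunk at @@ -284,7 +282,7 @@ drops the word "Warning" from the text but keeps the message at M_INFO, while the two new messages this change adds for bad phase 2 input use M_WARN; a username or domain that does not fit is at least as likely to break the authentication as those cases, so consider M_WARN here too for consistency within the change.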
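Review bot: the ntlm.c hunk at @@ -319,9 +317,10 @@ changes behaviour from silently clamping tib_len to 96 and continuing to failing the whole authentication with return NULL; that is the right call, but the commit message should say so. The new bound itself, `if (tib_len + 0x1c + 16 > sizeof(ntlmv2_response))`, uses two unexplained constants: with ntlmv2_response at 256 it rejects any tib_len above 212, and nothing tells the reader what 0x1c and 16 are the sizes of. Give them names or a comment, and include the computed limit in the log line so that "target information buffer too long for response (len=152)" tells the operator what the limit actually was.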
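Review bot: in the ntlm.c hunk at @@ -329,6 +328,7 @@, `msg(M_ERR, "NTLM: phase 2 response from server too long ...")` followed by `return NULL;` is inconsistent with the M_WARN used four lines earlier for the same class of malformed input, and in OpenVPN's error.h M_ERR is M_FATAL | M_ERRNO, so this path would terminate the process and append an errno description that has nothing to do with a proxy reply, leaving the return NULL unreachable; use M_WARN. Separately, the check is `if (tib_pos + tib_len > sizeof(buf2))` with `uint8_t tib_pos = buf2[0x2c];`, so the largest offset this code can express is 255: growing buf2 from 128 to 512 does not let a target information block that starts beyond offset 255 be located, and the new message's %u prints a value that was already narrowed to one byte. If offsets past 255 are possible, the offset needs to be read as a wider field into a wider variable; if they are not, a comment saying why 512 is still the right size would help.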
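Review bot: the proxy.c hunk at @@ -752,8 +752,7 @@ sets `char buf2[512];` and ntlm.c independently sets `uint8_t buf2[512];` for the decoded form, but nothing ties the two together even though the second must hold 3/4 of whatever the first can pass through; a shared constant in a header (the name is a suggestion, something like an NTLM phase 2 maximum) with a one-line note on the base64 ratio would keep them from drifting apart the way the old 129 and 128 did.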
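Review bot: in the proxy.c hunk at @@ -764,9 +763,9 @@ the added `CLEAR(buf2);` zeroes all 512 bytes on every pass through the recv_line loop where the old code only set buf2[128] = 0; with a `%511s` conversion sscanf NUL-terminates any token it stores, and buf2 is only consumed when `nparms == 1`, so the clear is not needed for correctness. Harmless, but if it is meant as defence in depth, say so in a comment so the next reader does not strip it as dead code.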
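The sizing argument in the commit message (a 152-byte target information block, a phase 2 response of about 300 base64 characters, 128 bytes being too small) is easier to check with a small parser for the message the proxy actually sends. The following is an added example written for this page, not code from OpenVPN or from the patch author. It follows the NTLM Type 2 (challenge) message layout from MS-NLMP, and it generalizes the patch's one-byte reads at buf2[0x28] and buf2[0x2c] to the full 16-bit length and 32-bit offset fields those positions hold. The sample message is constructed here, and the names parse_type2, build_sample_type2, base64_len and fits_buffers are the example's own.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define NTLM_SIGNATURE                "NTLMSSP"      /* 8 bytes including the NUL */
#define NTLM_MSG_TYPE2                2u
#define NTLM_TYPE2_MIN_LEN            48u            /* fixed header without the Version field */
#define NTLMSSP_NEGOTIATE_UNICODE     0x00000001u
#define NTLMSSP_NEGOTIATE_TARGET_INFO 0x00800000u    /* same flag the OpenVPN code tests */

struct ntlm_type2 {
    uint32_t flags;
    uint8_t  challenge[8];
    uint16_t target_info_len;   /* bytes of AV_PAIR data */
    uint32_t target_info_off;   /* offset of that data from the start of the message */
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Parse an already base64-decoded Type 2 message. Returns 0 on success,
 * -1 too short or bad signature, -2 not a Type 2 message,
 * -3 the TargetInfo block points outside the message. */
int parse_type2(const uint8_t *msg, size_t len, struct ntlm_type2 *out)
{
    if (len < NTLM_TYPE2_MIN_LEN || memcmp(msg, NTLM_SIGNATURE, 8) != 0) return -1;
    if (rd32(msg + 0x08) != NTLM_MSG_TYPE2) return -2;
    out->flags = rd32(msg + 0x14);
    memcpy(out->challenge, msg + 0x18, 8);          /* ServerChallenge, bytes 24..31 */
    out->target_info_len = 0;
    out->target_info_off = 0;
    if (out->flags & NTLMSSP_NEGOTIATE_TARGET_INFO) {
        /* TargetInfoFields at 0x28: Len(2) MaxLen(2) BufferOffset(4), little-endian.
         * Reading only msg[0x28] as a one-byte length would wrap at 256. */
        out->target_info_len = rd16(msg + 0x28);
        out->target_info_off = rd32(msg + 0x2c);
        if (out->target_info_off > len || out->target_info_len > len - out->target_info_off) return -3;
    }
    return 0;
}

/* Characters of padded base64 needed for n raw bytes. */
size_t base64_len(size_t n) { return 4 * ((n + 2) / 3); }

/* Can a raw message of raw_len bytes pass through a text buffer of text_cap
 * chars (one reserved for the NUL) and a decode buffer of decode_cap bytes? */
int fits_buffers(size_t raw_len, size_t text_cap, size_t decode_cap)
{
    return base64_len(raw_len) <= text_cap - 1 && raw_len <= decode_cap;
}

/* Constructed sample, not captured from a real proxy: a 16-byte UTF-16LE target
 * name at offset 56, then 152 bytes of TargetInfo at offset 72, 224 bytes in
 * total, which is the size range the commit message describes.
 * Returns the message length, or 0 if cap is too small. */
size_t build_sample_type2(uint8_t *out, size_t cap)
{
    static const uint8_t name[16] = { 'E',0,'X',0,'A',0,'M',0,'P',0,'L',0,'E',0,'1',0 };
    static const uint8_t challenge[8] = { 0x01,0x23,0x45,0x67,0x89,0xab,0xcd,0xef };
    const size_t name_off = 56, info_off = name_off + sizeof(name), info_len = 152;
    const size_t total = info_off + info_len;

    if (cap < total) return 0;
    memset(out, 0, total);
    memcpy(out, NTLM_SIGNATURE, 8);
    wr32(out + 0x08, NTLM_MSG_TYPE2);
    wr16(out + 0x0c, (uint16_t)sizeof(name));       /* TargetNameFields */
    wr16(out + 0x0e, (uint16_t)sizeof(name));
    wr32(out + 0x10, (uint32_t)name_off);
    wr32(out + 0x14, NTLMSSP_NEGOTIATE_UNICODE | NTLMSSP_NEGOTIATE_TARGET_INFO);
    memcpy(out + 0x18, challenge, 8);
    wr16(out + 0x28, (uint16_t)info_len);           /* TargetInfoFields */
    wr16(out + 0x2a, (uint16_t)info_len);
    wr32(out + 0x2c, (uint32_t)info_off);
    /* 0x30..0x37: Version field, left zero. */
    memcpy(out + name_off, name, sizeof(name));
    /* TargetInfo: one AV_PAIR (AvId 2 = MsvAvNbDomainName, AvLen 144) followed by
     * the 4-byte MsvAvEOL terminator, which the memset above already zeroed. */
    wr16(out + info_off, 2);
    wr16(out + info_off + 2, (uint16_t)(info_len - 8));
    memset(out + info_off + 4, 'D', info_len - 8);  /* placeholder payload bytes */
    return total;
}

int main(void)
{
    uint8_t msg[512];
    struct ntlm_type2 t2;
    size_t n = build_sample_type2(msg, sizeof(msg));
    int rc = parse_type2(msg, n, &t2);
    printf("parse rc=%d, target info len=%u at offset %u, raw=%zu bytes, base64=%zu chars\n",
           rc, t2.target_info_len, t2.target_info_off, n, base64_len(n));
    printf("fits old 129/128 buffers: %d, fits new 512/512 buffers: %d\n",
           fits_buffers(n, 129, 128), fits_buffers(n, 512, 512));
    return rc;
}
```

Built with `cc -Wall -Wextra ntlm_type2.c`, the sample parses to a 152-byte block at offset 72 in a 224-byte message, whose base64 form is 300 characters: it does not fit the old 129-character scan and 128-byte decode buffers but does fit the new 512/512 pair. Truncating the same message (for instance handing the parser only the first 200 bytes) trips the -3 bounds check, which is the condition the patch's new log messages are meant to make visible.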