From patchwork Wed Jan 17 09:08:39 2024
X-Patchwork-Submitter: Gert Doering
X-Patchwork-Id: 3573
From: Gert Doering
To: openvpn-devel@lists.sourceforge.net
Date: Wed, 17 Jan 2024 10:08:39 +0100
Message-ID: <20240117090840.32621-1-gert@greenie.muc.de>
X-Mailer: git-send-email 2.43.0
Subject: [Openvpn-devel] [PATCH v1] NTLM: increase size of phase 2 response we can handle
From: Frank Lichtenheld With NTLMv2 the target information buffer can be rather large even with normal domain setups. In my test setup it was 152 bytes starting at offset 71. Overall the base64 encode phase 2 response was 300 byte long. The linked documentation has 98 bytes at offset 60. 128 byte is clearly too low. While here improve the error messaging, so that if the buffer is too small at least one can determine that in the log. Change-Id: Iefa4930cb1e8c4135056a17ceb4283fc13cc75c8 Signed-off-by: Frank Lichtenheld Acked-by: Gert Doering --- This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to master. Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/497 This mail reflects revision 1 of this Change. Acked-by according to Gerrit (reflected above): Gert Doering diff --git a/src/openvpn/ntlm.c b/src/openvpn/ntlm.c index 99d4ae7..2c6a69d 100644 --- a/src/openvpn/ntlm.c +++ b/src/openvpn/ntlm.c @@ -205,7 +205,7 @@ uint8_t challenge[8]; int i, ret_val; - uint8_t ntlmv2_response[144]; + uint8_t ntlmv2_response[256]; char userdomain_u[256]; /* for uppercase unicode username and domain */ char userdomain[128]; /* the same as previous but ascii */ uint8_t ntlmv2_hash[MD5_DIGEST_LENGTH]; @@ -255,17 +255,15 @@ * the missing bytes will be NULL, as buf2 is known to be zeroed * when this decode happens. */ - uint8_t buf2[128]; /* decoded reply from proxy */ + uint8_t buf2[512]; /* decoded reply from proxy */ CLEAR(buf2); ret_val = openvpn_base64_decode(phase_2, buf2, -1); if (ret_val < 0) { + msg(M_WARN, "NTLM: base64 decoding of phase 2 response failed"); return NULL; } - /* we can be sure that phase_2 is less than 128 - * therefore buf2 needs to be (3/4 * 128) */ - /* extract the challenge from bytes 24-31 */ for (i = 0; i<8; i++) { 
@@ -284,7 +282,7 @@ } else { - msg(M_INFO, "Warning: Username or domain too long"); + msg(M_INFO, "NTLM: Username or domain too long"); } unicodize(userdomain_u, userdomain); gen_hmac_md5((uint8_t *)userdomain_u, 2 * strlen(userdomain), md4_hash, @@ -319,9 +317,10 @@ if ((flags & 0x00800000) == 0x00800000) { tib_len = buf2[0x28]; /* Get Target Information block size */ - if (tib_len > 96) + if (tib_len + 0x1c + 16 > sizeof(ntlmv2_response)) { - tib_len = 96; + msg(M_WARN, "NTLM: target information buffer too long for response (len=%d)", tib_len); + return NULL; } { @@ -329,6 +328,7 @@ uint8_t tib_pos = buf2[0x2c]; if (tib_pos + tib_len > sizeof(buf2)) { + msg(M_ERR, "NTLM: phase 2 response from server too long (need %d bytes at offset %u)", tib_len, tib_pos); return NULL; } /* Get Target Information block pointer */ diff --git a/src/openvpn/proxy.c b/src/openvpn/proxy.c index 5a1b4e1..e081532 100644 --- a/src/openvpn/proxy.c +++ b/src/openvpn/proxy.c @@ -752,8 +752,7 @@ { #if NTLM /* look for the phase 2 response */ - char buf2[129]; - + char buf2[512]; while (true) { if (!recv_line(sd, buf, sizeof(buf), get_server_poll_remaining_time(server_poll_timeout), true, NULL, signal_received)) @@ -764,9 +763,9 @@ msg(D_PROXY, "HTTP proxy returned: '%s'", buf); char get[80]; + CLEAR(buf2); openvpn_snprintf(get, sizeof(get), "%%*s NTLM %%%zus", sizeof(buf2) - 1); nparms = sscanf(buf, get, buf2); - buf2[128] = 0; /* we only need the beginning - ensure it's null terminated. */ /* check for "Proxy-Authenticate: NTLM TlRM..." */ if (nparms == 1)
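Review bot: in the ntlm.c hunk at -205, the new `ntlmv2_response[256]` is a bare magic number that now has to agree with the `buf2[512]` in the next hunk and with the `tib_len + 0x1c + 16` check further down; suggest naming both sizes next to the other NTLM constants and stating in a comment how 256 was derived, since the old 144 carried no explanation either.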
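Review bot: in the ntlm.c hunk at -255, removing the comment leaves nothing that documents why `buf2[512]` is sufficient for what proxy.c passes in, and the decode call still passes -1 as the output size, so the decoder itself enforces no bound; suggest `ret_val = openvpn_base64_decode(phase_2, buf2, sizeof(buf2));` so an over-long phase_2 fails the decode and hits the new M_WARN instead of relying on the caller's buffer being small enough. The warning on decode failure itself is a good addition.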
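Review bot: in the ntlm.c hunk at -284, the message is still logged at M_INFO although it reports that the username or domain was truncated, which is at least as serious as the cases that now get M_WARN; suggest M_WARN for consistency since the line is being touched anyway.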
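Review bot: in the ntlm.c hunk at -319, the expression `tib_len + 0x1c + 16` encodes the layout of ntlmv2_response (16-byte HMAC followed by the 0x1c-byte blob header) but nothing in the hunk says so; suggest a comment or a named offset so that whoever next changes the blob layout also updates this check. Replacing the silent clamp to 96 with a logged failure is the right call.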
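Review bot: in the ntlm.c hunk at -329, M_ERR is defined as M_FATAL | M_ERRNO in OpenVPN's error.h, so this msg() call terminates the process with an unrelated errno string appended and the `return NULL` below it is never reached; the sibling check in the previous hunk uses M_WARN, which is what the commit message's "determine that in the log" intent calls for here too. Note also that tib_len comes from the single byte `buf2[0x28]` and tib_pos is a uint8_t, so `tib_pos + tib_len` is at most 510 and this condition cannot become true against a 512-byte buf2 any more; reading the full 16-bit length and 32-bit offset fields (or rejecting messages whose high bytes are non-zero) would make the check meaningful again.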
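Review bot: in the proxy.c hunk at -752, `char buf2[512]` and the `uint8_t buf2[512]` in ntlm.c are chosen independently but must stay compatible (511 base64 characters decode to at most 383 bytes, so the ntlm.c buffer currently has headroom); suggest deriving one from the other through a shared constant so the two cannot drift apart in a later edit. Dropping the blank line after the declaration is fine.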
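Review bot: in the proxy.c hunk at -764, the `%511s` width produced by the format string already makes sscanf() NUL-terminate buf2, so CLEAR(buf2) is not needed for termination (a comment on why it stays, e.g. clearing stale data between loop iterations, would help), and a header longer than 511 characters is now silently truncated rather than reported; since the stated goal is that a too-small buffer shows up in the log, suggest a warning when `strlen(buf2) == sizeof(buf2) - 1` after a successful match.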
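As an added illustration of the bounds the patch introduces (this is not OpenVPN's code; the buffer sizes, the NTLMSSP field offsets and the helper names are assumptions), the following C snippet validates the Target Information block of a decoded Type 2 message against both the decoded buffer and the room left in the phase-3 response, reading the full 16-bit length and 32-bit offset fields rather than a single byte of each:

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Assumed sizes mirroring the patch: decoded phase-2 buffer (buf2) and the
 * ntlmv2_response buffer; the target info block lands in the response behind
 * the 16-byte HMAC and the 0x1c-byte blob header, hence the offset below. */
#define PHASE2_BUF_LEN      512
#define RESPONSE_BUF_LEN    256
#define TIB_RESPONSE_OFFSET (0x1c + 16)

enum tib_status { TIB_OK = 0, TIB_BAD_MSG, TIB_TOO_LONG_FOR_RESPONSE, TIB_OUT_OF_BOUNDS };

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | ((uint32_t)rd16(p + 2) << 16); }

/* Validate the Target Information security buffer of a decoded NTLM Type 2
 * message (16-bit length at 0x28, 32-bit offset at 0x2c, gated by flag
 * 0x00800000 at 0x14) against the decoded buffer and the response space. */
enum tib_status
check_target_info(const uint8_t *buf2, size_t buf_len, uint16_t *tib_len, uint32_t *tib_pos)
{
    if (buf_len < 0x30 || memcmp(buf2, "NTLMSSP", 8) != 0 || rd32(buf2 + 8) != 2)
        return TIB_BAD_MSG;
    *tib_len = 0; *tib_pos = 0;
    if ((rd32(buf2 + 0x14) & 0x00800000) == 0)
        return TIB_OK;                      /* server offered no target info */
    *tib_len = rd16(buf2 + 0x28);
    *tib_pos = rd32(buf2 + 0x2c);
    if ((size_t)*tib_len + TIB_RESPONSE_OFFSET > RESPONSE_BUF_LEN)
        return TIB_TOO_LONG_FOR_RESPONSE;   /* would overflow ntlmv2_response */
    if ((size_t)*tib_pos + *tib_len > buf_len)
        return TIB_OUT_OF_BOUNDS;           /* block points past the decoded reply */
    return TIB_OK;
}

/* Build a constructed (not captured) Type 2 message with the given target info
 * length/offset and run the check; buf_len is the decoded byte count. */
enum tib_status
check_sample(uint16_t tib_len, uint32_t tib_pos, size_t buf_len)
{
    uint8_t buf2[PHASE2_BUF_LEN] = {0};
    uint16_t len; uint32_t pos;
    memcpy(buf2, "NTLMSSP", 8);
    buf2[8] = 2;                            /* message type 2 */
    buf2[0x16] = 0x80;                      /* flags |= 0x00800000 (little endian) */
    buf2[0x28] = (uint8_t)tib_len; buf2[0x29] = (uint8_t)(tib_len >> 8);
    buf2[0x2c] = (uint8_t)tib_pos; buf2[0x2d] = (uint8_t)(tib_pos >> 8);
    return check_target_info(buf2, buf_len > sizeof(buf2) ? sizeof(buf2) : buf_len, &len, &pos);
}
```

The commit message's own figures (152 bytes at offset 71 in a 300-character, i.e. 225-byte decoded, reply; 98 bytes at offset 60 in the linked documentation) both pass, while a block that would not fit behind the blob header or that points past the decoded bytes is rejected with a distinct status.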