From patchwork Wed Jan 17 09:49:52 2024
X-Patchwork-Submitter: Gert Doering
X-Patchwork-Id: 3575
From: Gert Doering
To: openvpn-devel@lists.sourceforge.net
Date: Wed, 17 Jan 2024 10:49:52 +0100
Message-ID: <20240117094952.25938-1-gert@greenie.muc.de>
X-Mailer: git-send-email 2.43.0
Subject: [Openvpn-devel] [PATCH/2.6] NTLM: increase size of phase 2 response we can handle
From: Frank Lichtenheld With NTLMv2 the target information buffer can be rather large even with normal domain setups. In my test setup it was 152 bytes starting at offset 71. Overall the base64 encode phase 2 response was 300 byte long. The linked documentation has 98 bytes at offset 60. 128 byte is clearly too low. While here improve the error messaging, so that if the buffer is too small at least one can determine that in the log. Change-Id: Iefa4930cb1e8c4135056a17ceb4283fc13cc75c8 Signed-off-by: Frank Lichtenheld Acked-by: Gert Doering --- This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to release/2.6. Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/494 This mail reflects revision 1 of this Change. Acked-by according to Gerrit (reflected above): Gert Doering diff --git a/src/openvpn/ntlm.c b/src/openvpn/ntlm.c index 2b735ec..698abfb 100644 --- a/src/openvpn/ntlm.c +++ b/src/openvpn/ntlm.c @@ -218,7 +218,7 @@ uint8_t challenge[8], ntlm_response[24]; int i, ret_val; - uint8_t ntlmv2_response[144]; + uint8_t ntlmv2_response[256]; char userdomain_u[256]; /* for uppercase unicode username and domain */ char userdomain[128]; /* the same as previous but ascii */ uint8_t ntlmv2_hash[MD5_DIGEST_LENGTH]; @@ -270,17 +270,15 @@ * the missing bytes will be NULL, as buf2 is known to be zeroed * when this decode happens. */ - uint8_t buf2[128]; /* decoded reply from proxy */ + uint8_t buf2[512]; /* decoded reply from proxy */ CLEAR(buf2); ret_val = openvpn_base64_decode(phase_2, buf2, -1); if (ret_val < 0) { + msg(M_WARN, "NTLM: base64 decoding of phase 2 response failed"); return NULL; } - /* we can be sure that phase_2 is less than 128 - * therefore buf2 needs to be (3/4 * 128) */ - /* extract the challenge from bytes 24-31 */ for (i = 0; i<8; i++) { 
@@ -300,7 +298,7 @@ } else { - msg(M_INFO, "Warning: Username or domain too long"); + msg(M_WARN, "NTLM: Username or domain too long"); } unicodize(userdomain_u, userdomain); gen_hmac_md5((uint8_t *)userdomain_u, 2 * strlen(userdomain), md4_hash, @@ -335,9 +333,10 @@ if ((flags & 0x00800000) == 0x00800000) { tib_len = buf2[0x28]; /* Get Target Information block size */ - if (tib_len > 96) + if (tib_len + 0x1c + 16 > sizeof(ntlmv2_response)) { - tib_len = 96; + msg(M_WARN, "NTLM: target information buffer too long for response (len=%d)", tib_len); + return NULL; } { @@ -345,6 +344,7 @@ uint8_t tib_pos = buf2[0x2c]; if (tib_pos + tib_len > sizeof(buf2)) { + msg(M_ERR, "NTLM: phase 2 response from server too long (need %d bytes at offset %u)", tib_len, tib_pos); return NULL; } /* Get Target Information block pointer */ diff --git a/src/openvpn/proxy.c b/src/openvpn/proxy.c index 76e27cb..b2e8b3d 100644 --- a/src/openvpn/proxy.c +++ b/src/openvpn/proxy.c @@ -638,7 +638,6 @@ { struct gc_arena gc = gc_new(); char buf[512]; - char buf2[129]; char get[80]; int status; int nparms; @@ -758,7 +757,7 @@ { #if NTLM /* look for the phase 2 response */ - + char buf2[512]; while (true) { if (!recv_line(sd, buf, sizeof(buf), get_server_poll_remaining_time(server_poll_timeout), true, NULL, signal_received)) @@ -768,9 +767,9 @@ chomp(buf); msg(D_PROXY, "HTTP proxy returned: '%s'", buf); - openvpn_snprintf(get, sizeof get, "%%*s NTLM %%%ds", (int) sizeof(buf2) - 1); + CLEAR(buf2); + openvpn_snprintf(get, sizeof(get), "%%*s NTLM %%%zus", sizeof(buf2) - 1); nparms = sscanf(buf, get, buf2); - buf2[128] = 0; /* we only need the beginning - ensure it's null terminated. */ /* check for "Proxy-Authenticate: NTLM TlRM..." */ if (nparms == 1)
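Review bot: in the ntlm.c hunk at @@ -270,17 +270,15 @@, openvpn_base64_decode(phase_2, buf2, -1) still decodes with no bound on buf2; the enlarged 512-byte buffer is only safe because the caller in proxy.c limits the scanned token to sizeof(buf2) - 1 = 511 characters, which decodes to at most 384 bytes. Pass sizeof(buf2) instead of -1 so the bound is enforced where the buffer is declared rather than depending on the size of a different buffer in another file. The new M_WARN on decode failure is a useful addition, since the old silent return NULL left nothing in the log.

Review bot: in the ntlm.c hunk at @@ -335,9 +333,10 @@, the check replaces a silent clamp of tib_len to 96, which produced a truncated target information block and therefore an NTLMv2 response the proxy would reject without any hint in the log, with an explicit warning and failure; that is the right direction. The constants 0x1c and 16 should be named or commented so a reader can verify they cover the NTProofStr and the blob header, and please confirm the check also accounts for any bytes written after the target information block, which are outside this hunk.

Review bot: in the ntlm.c hunk at @@ -345,6 +344,7 @@, msg(M_ERR, ...) is fatal in OpenVPN's logging (M_ERR is M_FATAL|M_ERRNO), so the return NULL that follows is never reached and the errno text appended to the message is meaningless for a parsing error; use M_WARN like the other messages in this patch. Also, with buf2 now 512 bytes and both tib_pos and tib_len read as single bytes from buf2 (at most 255 each), tib_pos + tib_len cannot exceed 510, so this check can no longer fire; if it stays as defence in depth say so in a comment, and consider whether an offset at 0x2c above 255 is now plausible for the larger responses this patch accepts, since reading it into a uint8_t would silently misplace the block. Minor: tib_pos is promoted to int, so %d matches the argument better than %u.

Review bot: in the proxy.c hunk at @@ -768,9 +767,9 @@, removing buf2[128] = 0 is correct because the %511s conversion NUL-terminates, and deriving the field width from sizeof(buf2) with %zu means the width and the buffer size can no longer drift apart as they had (129 versus a hard-coded 128 index); the per-iteration CLEAR(buf2) is redundant for termination but harmless. It would help the commit message to note that recv_line reads into buf[512], so a token longer than 511 bytes is already cut by the line read before sscanf sees it, and the length checks in ntlm.c are what report such a response.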