aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorjames <james@e7ae566f-a301-0410-adde-c780ea21d3b5>2008-07-17 05:09:27 +0000
committerjames <james@e7ae566f-a301-0410-adde-c780ea21d3b5>2008-07-17 05:09:27 +0000
commite691cd568ab5a0e34924a3b80693af6125209d76 (patch)
tree66ac0db42a44c88fa4efb2ab602681eb14aab719
parentFixed issue in read_key_file, where the return value of (diff)
downloadopenvpn-e691cd568ab5a0e34924a3b80693af6125209d76.tar.xz
Fixed a potential information leak in the new NTLM phase 3 code,
as well as a failure of the code to check the return value from base64_decode. Fixed compiler warnings in the new NTLM phase 3 code about implicit casting between signed and unsigned char *. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3064 e7ae566f-a301-0410-adde-c780ea21d3b5
-rw-r--r--ntlm.c17
-rw-r--r--proxy.c12
2 files changed, 21 insertions, 8 deletions
diff --git a/ntlm.c b/ntlm.c
index ff4e2f5..558cd1b 100644
--- a/ntlm.c
+++ b/ntlm.c
@@ -88,8 +88,8 @@ gen_hmac_md5 (const char* data, int data_len, const char* key, int key_len,char
HMAC_CTX c;
HMAC_Init (&c, key, key_len, EVP_md5());
- HMAC_Update (&c, data, data_len);
- HMAC_Final (&c, result, &len);
+ HMAC_Update (&c, (const unsigned char *)data, data_len);
+ HMAC_Final (&c, (unsigned char *)result, &len);
HMAC_CTX_cleanup(&c);
}
@@ -215,6 +215,8 @@ ntlm_phase_3 (const struct http_proxy_info *p, const char *phase_2, struct gc_ar
bool ntlmv2_enabled = (p->auth_method == HTTP_AUTH_NTLM2);
+ CLEAR (buf2);
+
ASSERT (strlen (p->up.username) > 0);
ASSERT (strlen (p->up.password) > 0);
@@ -241,6 +243,9 @@ ntlm_phase_3 (const struct http_proxy_info *p, const char *phase_2, struct gc_ar
memset (md4_hash + 16, 0, 5);
ret_val = base64_decode( phase_2, (void *)buf2);
+ if (ret_val < 0)
+ return NULL;
+
/* we can be sure that phase_2 is less than 128
* therefore buf2 needs to be (3/4 * 128) */
@@ -253,7 +258,7 @@ ntlm_phase_3 (const struct http_proxy_info *p, const char *phase_2, struct gc_ar
if (ntlmv2_enabled){ /* Generate NTLMv2 response */
/* NTLMv2 hash */
- my_strupr(strcpy(userdomain, username));
+ my_strupr((unsigned char *)strcpy(userdomain, username));
if (strlen(username) + strlen(domain) < sizeof(userdomain))
strcat(userdomain, domain);
else
@@ -266,8 +271,8 @@ ntlm_phase_3 (const struct http_proxy_info *p, const char *phase_2, struct gc_ar
ntlmv2_blob[0x00]=1; /* Signature */
ntlmv2_blob[0x01]=1; /* Signature */
ntlmv2_blob[0x04]=0; /* Reserved */
- gen_timestamp(&ntlmv2_blob[0x08]); /* 64-bit Timestamp */
- gen_nonce(&ntlmv2_blob[0x10]); /* 64-bit Client Nonce */
+ gen_timestamp((unsigned char *)&ntlmv2_blob[0x08]); /* 64-bit Timestamp */
+ gen_nonce((unsigned char *)&ntlmv2_blob[0x10]); /* 64-bit Client Nonce */
ntlmv2_blob[0x18]=0; /* Unknown, zero should work */
/* Add target information block to the blob */
@@ -313,7 +318,7 @@ ntlm_phase_3 (const struct http_proxy_info *p, const char *phase_2, struct gc_ar
memset (phase3, 0, sizeof (phase3)); /* clear reply */
- strcpy (phase3, "NTLMSSP\0"); /* signature */
+ strcpy ((char *)phase3, "NTLMSSP\0"); /* signature */
phase3[8] = 3; /* type 3 */
if (ntlmv2_enabled){ /* NTLMv2 response */
diff --git a/proxy.c b/proxy.c
index ade914f..af3ea8b 100644
--- a/proxy.c
+++ b/proxy.c
@@ -476,9 +476,17 @@ establish_http_proxy_passthru (struct http_proxy_info *p,
if (!send_line_crlf (sd, buf))
goto error;
- openvpn_snprintf (buf, sizeof(buf), "Proxy-Authorization: NTLM %s",
- ntlm_phase_3 (p, buf2, &gc));
msg (D_PROXY, "Attempting NTLM Proxy-Authorization phase 3");
+ {
+ const char *np3 = ntlm_phase_3 (p, buf2, &gc);
+ if (!np3)
+ {
+ msg (D_PROXY, "NTLM Proxy-Authorization phase 3 failed: received corrupted data from proxy server");
+ goto error;
+ }
+ openvpn_snprintf (buf, sizeof(buf), "Proxy-Authorization: NTLM %s", np3);
+ }
+
msg (D_PROXY, "Send to HTTP proxy: '%s'", buf);
openvpn_sleep (1);
if (!send_line_crlf (sd, buf))