Fixed a potential information leak in the new NTLM phase 3 code,

as well as a failure of the code to check the return value from
base64_decode.

Fixed compiler warnings in the new NTLM phase 3 code about implicit
casting between signed and unsigned char *.

git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3064 e7ae566f-a301-0410-adde-c780ea21d3b5

diff --git a/ntlm.c b/ntlm.c
index ff4e2f5e0b1e441fb43cf9412d37be439ab7b427..558cd1bcdabdca5c0b3b28fe56bf809144aab768 100644 (file)
--- a/ntlm.c
+++ b/ntlm.c
@@ -88,8 +88,8 @@ gen_hmac_md5 (const char* data, int data_len, const char* key, int key_len,char
 
        HMAC_CTX c;
        HMAC_Init (&c, key, key_len, EVP_md5());
-       HMAC_Update (&c, data, data_len);
-       HMAC_Final (&c, result, &len);
+       HMAC_Update (&c, (const unsigned char *)data, data_len);
+       HMAC_Final (&c, (unsigned char *)result, &len);
        HMAC_CTX_cleanup(&c);
 }
 
@@ -215,6 +215,8 @@ ntlm_phase_3 (const struct http_proxy_info *p, const char *phase_2, struct gc_ar
 
        bool ntlmv2_enabled = (p->auth_method == HTTP_AUTH_NTLM2);
 
+  CLEAR (buf2);
+
   ASSERT (strlen (p->up.username) > 0);
   ASSERT (strlen (p->up.password) > 0);
        
@@ -241,6 +243,9 @@ ntlm_phase_3 (const struct http_proxy_info *p, const char *phase_2, struct gc_ar
   memset (md4_hash + 16, 0, 5);
 
   ret_val = base64_decode( phase_2, (void *)buf2);
+  if (ret_val < 0)
+    return NULL;
+
   /* we can be sure that phase_2 is less than 128
    * therefore buf2 needs to be (3/4 * 128) */
 
@@ -253,7 +258,7 @@ ntlm_phase_3 (const struct http_proxy_info *p, const char *phase_2, struct gc_ar
        if (ntlmv2_enabled){ /* Generate NTLMv2 response */
                
                /* NTLMv2 hash */
-               my_strupr(strcpy(userdomain, username));
+               my_strupr((unsigned char *)strcpy(userdomain, username));
                if (strlen(username) + strlen(domain) < sizeof(userdomain))
                        strcat(userdomain, domain);
                else
@@ -266,8 +271,8 @@ ntlm_phase_3 (const struct http_proxy_info *p, const char *phase_2, struct gc_ar
                ntlmv2_blob[0x00]=1;                        /* Signature */
                ntlmv2_blob[0x01]=1;                        /* Signature */
                ntlmv2_blob[0x04]=0;                        /* Reserved */
-               gen_timestamp(&ntlmv2_blob[0x08]);          /* 64-bit Timestamp */
-               gen_nonce(&ntlmv2_blob[0x10]);              /* 64-bit Client Nonce */
+               gen_timestamp((unsigned char *)&ntlmv2_blob[0x08]);          /* 64-bit Timestamp */
+               gen_nonce((unsigned char *)&ntlmv2_blob[0x10]);              /* 64-bit Client Nonce */
                ntlmv2_blob[0x18]=0;                        /* Unknown, zero should work */
 
                /* Add target information block to the blob */
@@ -313,7 +318,7 @@ ntlm_phase_3 (const struct http_proxy_info *p, const char *phase_2, struct gc_ar
        
        memset (phase3, 0, sizeof (phase3)); /* clear reply */
 
-       strcpy (phase3, "NTLMSSP\0"); /* signature */
+       strcpy ((char *)phase3, "NTLMSSP\0"); /* signature */
        phase3[8] = 3; /* type 3 */
 
        if (ntlmv2_enabled){ /* NTLMv2 response */

diff --git a/proxy.c b/proxy.c
index ade914fcb440c406748a882065009a68bde95305..af3ea8be7bfd7ac977df74b7b04f7745d61da005 100644 (file)
--- a/proxy.c
+++ b/proxy.c
@@ -476,9 +476,17 @@ establish_http_proxy_passthru (struct http_proxy_info *p,
           if (!send_line_crlf (sd, buf))
             goto error;
 
-          openvpn_snprintf (buf, sizeof(buf), "Proxy-Authorization: NTLM %s",
-                           ntlm_phase_3 (p, buf2, &gc));
           msg (D_PROXY, "Attempting NTLM Proxy-Authorization phase 3");
+         {
+           const char *np3 = ntlm_phase_3 (p, buf2, &gc);
+           if (!np3)
+             {
+               msg (D_PROXY, "NTLM Proxy-Authorization phase 3 failed: received corrupted data from proxy server");
+               goto error;
+             }
+           openvpn_snprintf (buf, sizeof(buf), "Proxy-Authorization: NTLM %s", np3);
+         }
+
           msg (D_PROXY, "Send to HTTP proxy: '%s'", buf);
           openvpn_sleep (1);
           if (!send_line_crlf (sd, buf))