Re: [Openvpn-devel] #172: NTLM auth does not work with SQUID proxy server

Sat, 02 Feb 2013 13:47:21 +0000 

Hi,

On Tue, Jan 29, 2013 at 11:55:25AM +0100, Joerg Willmann wrote:
> I was just faced with the problem described in trac issue #172.
> I was trying to use ntlm authentication against a bluecoat proxy server.
> Since the reply string of the bluecoat proxy was too long the same problem 
> occurred as described in #172:
> 
> "NTLM Proxy-Authorization phase 3 failed: received corrupted data from 
> proxy server"
> 
> The patch attached to #172 solved my problem and seems to be reasonable.
> 
> I'm just wondering what it takes to make this issue being accepted. (Sorry 
> I didn't find a description of this process in 
> wiki/DeveloperDocumentation).
> Does it just take time or is some input required?

Thanks for bringing this to our attention again.  We've seemed to be
a bit lazy on going through trac tickets...

Anyway, for the sake of the archives, I'll append the patch below,
and if nobody NACKs it, I'll take Joerg's comment here and Chris' ack
in the trac ticket as "sufficient ACKs to go forward".

I won't claim to understand NTLM auth, but the explanation given makes
sense and the patch is harmless enough - the buf2 buffer is only used
in one other place, called "phase_2" there, and being base64-decoded
into a new buf2 which is char[128], so the extra byte is guaranteed
not to overflow anything.

inside ntlm_phase_3():

  char buf2[128]; /* decoded reply from proxy */
  ret_val = openvpn_base64_decode( phase_2, (void *)buf2, -1);


gert



-- 
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             g...@greenie.muc.de
fax: +49-89-35655025                        g...@net.informatik.tu-muenchen.de

--- openvpn-2.2.1.org/proxy.c   2011-04-27 11:52:59.000000000 +0200
+++ openvpn-2.2.1-pre-eap/proxy.c       2012-01-24 16:17:27.000000000 +0100
@@ -519,7 +519,7 @@
 {
   struct gc_arena gc = gc_new ();
   char buf[512];
-  char buf2[128];
+  char buf2[129];
   char get[80];
   int status;
   int nparms;
@@ -642,7 +642,7 @@
 
               openvpn_snprintf (get, sizeof get, "%%*s NTLM %%%ds", (int) 
sizeof (buf2) - 1);
               nparms = sscanf (buf, get, buf2);
-              buf2[127] = 0; /* we only need the beginning - ensure it's null 
terminated. */
+              buf2[128] = 0; /* we only need the beginning - ensure it's null 
terminated. */
 
               /* check for "Proxy-Authenticate: NTLM TlRM..." */
               if (nparms == 1)

Attachment: pgph2L_a_jnAF.pgp
Description: PGP signature

Reply via email to