Hi, this came in as github pull req #14, and fixes the socks problem that people are complaining about in about every list, except here and in trac... - there *is* also trac#377.
The patch "as is" breaks windows compilation as...
> + if (p->authfile[0])
> + method_sel[2] = 0x02; /* METHODS = [2 (plain login)] */
> + const ssize_t size = send (sd, method_sel, sizeof (method_sel),
> MSG_NOSIGNAL);
... doing the variable declaration of "size" after some other code has
been executed is not permitted by MSVC. I'll amend that when committing.
To me, the patch is good, even though it might break user-visible behaviour
(users specifying proxy auth credentials to a proxy that is not using
them, this will now result in an error) - the reasoning behind it is valid.
More opinions are welcome, though...?
gert
On Sun, Apr 13, 2014 at 01:43:55PM +0200, Gert Doering wrote:
> From: Yawning Angel <yawn...@schwanenlied.me>
>
> So, RFC 1928 doesn't say anything about the METHODS field in the Method
> Selection message being ordered in terms of preference or anything, and
> the server is free to pick any of the METHODS offered by the client.
>
> Always sending a Method Selection message with NO AUTHENTICATION REQUIRED
> and USERNAME/PASSWORD set is broken on two fronts:
>
> * If the OpenVPN client can't handle the server picking USERNAME/PASSWORD
> due to the credentials being missing, it shouldn't offer it to the server.
>
> * If the OpenVPN client has credentials, then it should always attempt to
> authenticate. This is a security product. "You can misconfigure it and
> it will work" is not acceptable. Setting a username/password when the
> SOCKS server doesn't require/support that as an option is the user not
> configuring it correctly, and should be treated as such.
>
> Also verify that the SOCKS server returned the auth that was requested.
> ---
> src/openvpn/socks.c | 16 +++++++++++++---
> 1 file changed, 13 insertions(+), 3 deletions(-)
>
> diff --git a/src/openvpn/socks.c b/src/openvpn/socks.c
> index 1551da8..5cd27ac 100644
> --- a/src/openvpn/socks.c
> +++ b/src/openvpn/socks.c
> @@ -190,9 +190,12 @@ socks_handshake (struct socks_proxy_info *p,
> int len = 0;
> const int timeout_sec = 5;
>
> - /* VER = 5, NMETHODS = 2, METHODS = [0 (no auth), 2 (plain login)] */
> - const ssize_t size = send (sd, "\x05\x02\x00\x02", 4, MSG_NOSIGNAL);
> - if (size != 4)
> + /* VER = 5, NMETHODS = 1, METHODS = [0 (no auth)] */
> + char method_sel[3] = { 0x05, 0x01, 0x00 };
> + if (p->authfile[0])
> + method_sel[2] = 0x02; /* METHODS = [2 (plain login)] */
> + const ssize_t size = send (sd, method_sel, sizeof (method_sel),
> MSG_NOSIGNAL);
> + if (size != sizeof (method_sel))
> {
> msg (D_LINK_ERRORS | M_ERRNO, "socks_handshake: TCP port write failed
> on send()");
> return false;
> @@ -252,6 +255,13 @@ socks_handshake (struct socks_proxy_info *p,
> return false;
> }
>
> + /* validate that the auth method returned is the one sent */
> + if (buf[1] != method_sel[2])
> + {
> + msg (D_LINK_ERRORS, "socks_handshake: Socks proxy returned unexpected
> auth");
> + return false;
> + }
> +
> /* select the appropriate authentication method */
> switch (buf[1])
> {
> --
> 1.8.3.2
>
>
> ------------------------------------------------------------------------------
> Put Bad Developers to Shame
> Dominate Development with Jenkins Continuous Integration
> Continuously Automate Build, Test & Deployment
> Start a new project now. Try Jenkins in the cloud.
> http://p.sf.net/sfu/13600_Cloudbees
> _______________________________________________
> Openvpn-devel mailing list
> Openvpn-devel@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/openvpn-devel
>
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany g...@greenie.muc.de
fax: +49-89-35655025 g...@net.informatik.tu-muenchen.de
pgp1iEKRxmWAf.pgp
Description: PGP signature
