Re: [Openvpn-devel] [PATCH] Fix SOCKSv5 method selection

Sun, 13 Apr 2014 13:01:12 +0000 

Hi,

On Sun, Apr 13, 2014 at 01:52:57PM +0200, Gert Doering wrote:
> I'll amend that when committing.

Here is the patch with the MSVC build change, plus some changes to the
commit message to point to the pull request and trac.

gert

-- 
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             g...@greenie.muc.de
fax: +49-89-35655025                        g...@net.informatik.tu-muenchen.de

From 19b662a2013769f62bcd4e8776a63641e3fb991d Mon Sep 17 00:00:00 2001
From: Yawning Angel <yawn...@schwanenlied.me>
List-Post: openvpn-devel@lists.sourceforge.net
Date: Mon, 10 Mar 2014 03:47:58 +0000
Subject: [PATCH] Fix SOCKSv5 method selection

So, RFC 1928 doesn't say anything about the METHODS field in the Method
Selection message being ordered in terms of preference or anything, and
the server is free to pick any of the METHODS offered by the client.

Always sending a Method Selection message with NO AUTHENTICATION REQUIRED
and USERNAME/PASSWORD set is broken on two fronts:

 * If the OpenVPN client can't handle the server picking USERNAME/PASSWORD
   due to the credentials being missing, it shouldn't offer it to the server.

 * If the OpenVPN client has credentials, then it should always attempt to
   authenticate.  This is a security product.  "You can misconfigure it and
   it will work" is not acceptable.  Setting a username/password when the
   SOCKS server doesn't require/support that as an option is the user not
   configuring it correctly, and should be treated as such.

Also verify that the SOCKS server returned the auth that was requested.

URL: https://github.com/OpenVPN/openvpn/pull/14
Fix trac #377
---
 src/openvpn/socks.c | 18 +++++++++++++++---
 1 file changed, 15 insertions(+), 3 deletions(-)

diff --git a/src/openvpn/socks.c b/src/openvpn/socks.c
index 1551da8..ee746a3 100644
--- a/src/openvpn/socks.c
+++ b/src/openvpn/socks.c
@@ -189,10 +189,15 @@ socks_handshake (struct socks_proxy_info *p,
   char buf[2];
   int len = 0;
   const int timeout_sec = 5;
+  const ssize_t size;
 
-  /* VER = 5, NMETHODS = 2, METHODS = [0 (no auth), 2 (plain login)] */
-  const ssize_t size = send (sd, "\x05\x02\x00\x02", 4, MSG_NOSIGNAL);
-  if (size != 4)
+  /* VER = 5, NMETHODS = 1, METHODS = [0 (no auth)] */
+  char method_sel[3] = { 0x05, 0x01, 0x00 };
+  if (p->authfile[0])
+      method_sel[2] = 0x02; /* METHODS = [2 (plain login)] */
+
+  size = send (sd, method_sel, sizeof (method_sel), MSG_NOSIGNAL);
+  if (size != sizeof (method_sel))
     {
       msg (D_LINK_ERRORS | M_ERRNO, "socks_handshake: TCP port write failed on 
send()");
       return false;
@@ -252,6 +257,13 @@ socks_handshake (struct socks_proxy_info *p,
       return false;
     }
 
+  /* validate that the auth method returned is the one sent */
+  if (buf[1] != method_sel[2])
+    {
+      msg (D_LINK_ERRORS, "socks_handshake: Socks proxy returned unexpected 
auth");
+      return false;
+    }
+
   /* select the appropriate authentication method */
   switch (buf[1])
     {
-- 
1.8.3.2

Attachment: pgp6mjoD5W7TK.pgp
Description: PGP signature

Reply via email to