Hi there

We are facing a problem with the squid/fakeauth_auth helper after a change in the NTLM 
parameters of our stations (Require Message Integrity, Message Confidentiality, 
NTLMv2 Session Security, 128-bit Encryption).

I ran some tests and realized that the NTLMSSP flags returned to the station in 
NTLMSSP_CHALLENGE are wrong:


1 - Successful Authentication (ntlm_auth)

    1 - HTTP/1.0 407 Proxy Authentication Required  (text/html)


    2 - GET http:/// HTTP/1.1 , NTLMSSP_NEGOTIATE
     -Proxy-Authorization: NTLM Taldjfpoa\sdfalsdmflasdflafajsdfjajasldjJAJA\r\n   - EXAMPLE
          - NTLMSSP
            NTLMSSP identifier: NTLMSSP
            NTLM Message Type: NTLMSSP_NEGOTIATE (0x00000001)
          -Flags: 0xa208b207 - station sends these flags


    3 - HTTP/1.0 407 Proxy Authentication Required , NTLMSSP_CHALLENGE (text/html)
     Proxy-Authenticate: NTLM TaljdflasjdfljasdlfjoqAJDFJQOWEURPOQWEURPQWEJKROQWEUFÇLAJSLFJASDLFJKQWEO........................
     NTLMSSP
        NTLMSSP identifier: NTLMSSP
        NTLM Message Type: NTLMSSP_CHALLENGE (0x00000002)
        .....
        Flags: 0xa2898205 - station receives these flags from squid.
    
    4 - HTTP/1.1 , NTLMSSP_AUTH, User: Domain\User



2 - Unsuccessful Authentication (fakeauth_auth)

    1 - HTTP/1.0 407 Proxy Authentication Required  (text/html)


    2 - GET http:/// HTTP/1.1 , NTLMSSP_NEGOTIATE
     -Proxy-Authorization: NTLM Taldjfpoa\sdfalsdmflasdflafajsdfjajasldjJAJA\r\n   - EXAMPLE
          - NTLMSSP
            NTLMSSP identifier: NTLMSSP
            NTLM Message Type: NTLMSSP_NEGOTIATE (0x00000001)
          -Flags: 0xa208b207 - station sends these flags


    3 - HTTP/1.0 407 Proxy Authentication Required , NTLMSSP_CHALLENGE (text/html)
     Proxy-Authenticate: NTLM TaljdflasjdfljasdlfjoqAJDFJQOWEURPOQWEURPQWEJKROQWEUFÇLAJSLFJASDLFJKQWEO........................
     NTLMSSP
        NTLMSSP identifier: NTLMSSP
        NTLM Message Type: NTLMSSP_CHALLENGE (0x00000002)
        .....
        Flags: 0x00018205 - station receives these flags from squid/fakeauth_auth.


    4 - Authentication Failed
    
    
    
    
As a test, I forced the NTLMSSP_CHALLENGE flags to be equal to the 
NTLMSSP_NEGOTIATE flags (0xa208b207), and then it worked fine.



Changed function in fakeauth_auth.c:

void ntlmMakeChallenge(struct ntlm_challenge *chal, int32_t flags)
{
    static unsigned hash;
    int r;
    char *d;
    int i;

    debug("ntlmMakeChallenge: flg %08x\n", flags);

    memset(chal, 0, sizeof(*chal));
    memcpy(chal->hdr.signature, "NTLMSSP", 8);
    chal->flags = htole32(CHALLENGE_TARGET_IS_DOMAIN |
                          NEGOTIATE_ALWAYS_SIGN |
                          NEGOTIATE_USE_NTLM |
                          NEGOTIATE_REQUEST_TARGET |
                          (NEGOTIATE_UNICODE & flags ? NEGOTIATE_UNICODE : NEGOTIATE_ASCII)
                          );
    // Testing purpose
    chal->flags = flags;

    chal->hdr.type = htole32(NTLM_CHALLENGE);
    chal->unknown[6] = htole16(0x003a);

    d = (char *) chal + 48;
    i = 0;

    if (authenticate_ntlm_domain != NULL)
        while (authenticate_ntlm_domain[i++]);


    chal->target.offset = htole32(48);
    chal->target.maxlen = htole16(i);
    chal->target.len = chal->target.maxlen;

    r = (int) rand();
    r = (hash ^ r) + r;

    for (i = 0; i < 8; i++) {
        chal->challenge[i] = r;
        r = (r >> 2) ^ r;
    }

    hash = r;
}


Diff file:
----------------------------------
*** 
/root/src/squid-3.0.STABLE14-20090424/helpers/ntlm_auth/fakeauth/fakeauth_auth.c
    2009-04-24 06:21:00.000000000 -0300
--- 
/root/squid-3.0.STABLE14-20090424/helpers/ntlm_auth/fakeauth/fakeauth_auth.c    
    2009-04-24 11:19:28.000000000 -0300
***************
*** 158,163 ****
--- 158,164 ----
        NEGOTIATE_REQUEST_TARGET |
        (NEGOTIATE_UNICODE & flags ? NEGOTIATE_UNICODE : NEGOTIATE_ASCII)
        );
+     chal->flags = flags;
      chal->hdr.type = htole32(NTLM_CHALLENGE);
      chal->unknown[6] = htole16(0x003a);
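Review bot: the added `chal->flags = flags;` right after the closing `);` overwrites the value computed just above it, so that htole32(...) expression becomes dead code, and the new store is not wrapped in htole32() the way the neighbouring `chal->hdr.type` and `chal->unknown[6]` assignments are. It also echoes every bit the client sent, whether or not the helper handles the corresponding option, and drops CHALLENGE_TARGET_IS_DOMAIN from the reply. Suggest keeping the existing expression and OR-ing in `flags` masked to an explicit list of bits the helper is meant to echo, inside the htole32() call, with a comment naming those bits.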
----------------------------------


any idea?

thanks

-----------------------------------------------------

Amos's comments on the squid-users list:

"
>
> First idea is that you should be sending code issues to squid-dev where we
> who fix the code hang out.
>
> Secondly, what exactly did you change to make it work? diff patch is
> required please along with the info as to what version of squid it is made
> from.
>
> Thirdly, note that NTLMv2 is not really NTLM any more. The fakeauth helper
> needs to handle both these days. Either with command line switches to
> configure the auth type in use or automatic sensing.
> see http://en.wikipedia.org/wiki/NTLM for some details of the differences.
> If we can make this helper cope without losing the old protocol I will
> commit for you.
>
> Thanks
> Amos
>"
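
An added example, not part of the original message or of the Squid sources: it decodes the three flag words quoted in the traces above and lists what each challenge failed to echo from the station's NTLMSSP_NEGOTIATE. The bit names follow the MS-NLMP NegotiateFlags definitions; treating the 56-bit, 128-bit and extended-session-security bits as the ones tied to the station policy is an assumption of this example.

```c
#include <stdint.h>
#include <stdio.h>
/* NegotiateFlags bits that occur in the captured values (MS-NLMP names). */
static const struct { uint32_t bit; const char *name; } ntlm_flags[] = {
    {0x80000000u, "NEGOTIATE_56"},
    {0x20000000u, "NEGOTIATE_128"},
    {0x02000000u, "NEGOTIATE_VERSION"},
    {0x00800000u, "NEGOTIATE_TARGET_INFO"},
    {0x00080000u, "NEGOTIATE_EXTENDED_SESSIONSECURITY"},
    {0x00010000u, "TARGET_TYPE_DOMAIN"},
    {0x00008000u, "NEGOTIATE_ALWAYS_SIGN"},
    {0x00002000u, "NEGOTIATE_OEM_WORKSTATION_SUPPLIED"},
    {0x00001000u, "NEGOTIATE_OEM_DOMAIN_SUPPLIED"},
    {0x00000200u, "NEGOTIATE_NTLM"},
    {0x00000004u, "REQUEST_TARGET"},
    {0x00000002u, "NEGOTIATE_OEM"},
    {0x00000001u, "NEGOTIATE_UNICODE"},
};

/* Assumption: bits tied to NTLMv2 session security and key strength. */
#define SESSION_SECURITY_MASK (0x80000000u | 0x20000000u | 0x00080000u)

/* Bits the client asked for that the challenge did not echo. */
uint32_t dropped_flags(uint32_t negotiate, uint32_t challenge)
{
    return negotiate & ~challenge;
}

/* Dropped bits that belong to the session-security group. */
uint32_t dropped_session_security(uint32_t negotiate, uint32_t challenge)
{
    return dropped_flags(negotiate, challenge) & SESSION_SECURITY_MASK;
}

static void report(const char *helper, uint32_t neg, uint32_t chal)
{
    uint32_t lost = dropped_flags(neg, chal);
    printf("%s: challenge 0x%08x dropped 0x%08x\n", helper, (unsigned)chal, (unsigned)lost);
    for (size_t i = 0; i < sizeof(ntlm_flags) / sizeof(ntlm_flags[0]); i++)
        if (lost & ntlm_flags[i].bit)
            printf("  - %s%s\n", ntlm_flags[i].name, (ntlm_flags[i].bit & SESSION_SECURITY_MASK) ? " (session security)" : "");
}

int main(void)
{
    report("ntlm_auth", 0xa208b207u, 0xa2898205u);
    report("fakeauth_auth", 0xa208b207u, 0x00018205u);
    return 0;
}
```

For the ntlm_auth trace only the OEM bits are missing from the challenge, while the fakeauth_auth challenge also omits the 56-bit, 128-bit and extended-session-security bits the station sent.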

