Re: NTLM

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Mon, 25 Feb 2002 10:24:23 +0100

On Monday 25 February 2002 09:53, Chemolli Francesco (USI) wrote:

> The negotiate packet _does_ say something, there's the "flags"
> bitfield which defines several parameters to be used in the
> following phases (i.e. "I understand Unicode")

Exactly, and that is why not having it when generating the challenge packet
is broken. The challenge generator and the browser need to agree on
the flags.

There are at minimum two flags that are important:
  - NTLMSSP_NEGOTIATE_UNICODE (0x00000001)
  - NTLMSSP_NEGOTIATE_NTLM2 (0x00008000)

As the flags field is only exchanged during the negotiation, things
break down in the current scheme.

Even if you were to have Squid do the flags field negotiation
correctly (which AFAICT it does not), the helper MUST know the
negotiated flags when parsing the response.

Should also note that there should be a slight difference in the
challenge when NTLMv2 is used.

Also, I fail to understand how you can reuse challenges in the
current design. For this you really need to move the challenge
generation into Squid and use that secure channel to verify the
responses with the selected challenge.

Having challenge reuse per client IP could be made to work, sort of
(95%), but it will fail if there is a change in active user at the IP,
either by another user logging on or by multiuser stations such as
TS.

Regards
Henrik
Received on Mon Feb 25 2002 - 02:24:27 MST
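The following is an added illustration of the point made in this message, not code from Squid or its NTLM helper: a toy NTLMSSP codec in which the component that builds the type 2 challenge records the flags it actually negotiated, and the component that parses the type 3 response must be handed those same flags. Message layouts and flag values follow MS-NLMP (in which the "NTLM2" session-security flag is named NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY); the server policy, the fixed server and client challenges, and the 24-byte response blobs are constructed placeholders, and no hash or DES computation is performed. It shows the two consequences the message describes: decoding the response with the wrong UNICODE setting silently mis-reads the user and domain, and with extended session security the challenge the NT response must be verified against is no longer the raw server challenge.

```python
"""Toy NTLMSSP codec: the challenge generator and the response parser must
share the negotiated flags.  Added example, not Squid/helper code; layouts and
flag values follow MS-NLMP."""
import hashlib
import struct

SIGNATURE = b"NTLMSSP\x00"
NEGOTIATE, CHALLENGE, AUTHENTICATE = 1, 2, 3

# Flag values from MS-NLMP 2.2.2.5; "NTLM2" in the thread is what MS-NLMP
# names NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY.
NEGOTIATE_UNICODE = 0x00000001
NEGOTIATE_OEM = 0x00000002
NEGOTIATE_NTLM = 0x00000200
NEGOTIATE_EXTENDED_SESSIONSECURITY = 0x00080000

# Flags this toy server honours (an assumption, not Squid policy).
SERVER_SUPPORTED = (NEGOTIATE_UNICODE | NEGOTIATE_OEM | NEGOTIATE_NTLM
                    | NEGOTIATE_EXTENDED_SESSIONSECURITY)

# Constructed fixed values for a deterministic demo; a real server draws a
# fresh random challenge per authentication.
SERVER_CHALLENGE = bytes.fromhex("0123456789abcdef")
CLIENT_CHALLENGE = bytes.fromhex("fedcba9876543210")


def _field(offset, data):
    """Security-buffer header (Len, MaxLen, BufferOffset) for a payload item."""
    return struct.pack("<HHI", len(data), len(data), offset)


def parse_negotiate(msg):
    """Server side: flags the client offered in a type 1 message."""
    sig, mtype, flags = struct.unpack_from("<8sII", msg, 0)
    if sig != SIGNATURE or mtype != NEGOTIATE:
        raise ValueError("not an NTLMSSP NEGOTIATE message")
    return flags


def build_challenge(client_flags, server_challenge, target="PROXY"):
    """Server side: type 2 message carrying the flags actually negotiated.
    Whoever parses the type 3 response later must use exactly these flags."""
    flags = client_flags & SERVER_SUPPORTED
    if flags & NEGOTIATE_UNICODE:          # prefer Unicode if both offered
        flags &= ~NEGOTIATE_OEM
        target_bytes = target.encode("utf-16-le")
    else:
        target_bytes = target.encode("ascii")
    header_len = 48                        # fixed part through TargetInfoFields
    msg = (SIGNATURE + struct.pack("<I", CHALLENGE)
           + _field(header_len, target_bytes) + struct.pack("<I", flags)
           + server_challenge + b"\x00" * 8
           + _field(header_len + len(target_bytes), b""))
    return msg + target_bytes, flags


def build_authenticate(flags, domain, user, workstation, lm_resp, nt_resp):
    """Client side, used only to construct sample input (no Version/MIC)."""
    enc = "utf-16-le" if flags & NEGOTIATE_UNICODE else "ascii"
    items = [lm_resp, nt_resp, domain.encode(enc), user.encode(enc),
             workstation.encode(enc), b""]   # last: no encrypted session key
    fields, payload, off = b"", b"", 64     # 8 + 4 + 6 * 8 + 4 header bytes
    for item in items:
        fields += _field(off, item)
        payload += item
        off += len(item)
    return (SIGNATURE + struct.pack("<I", AUTHENTICATE) + fields
            + struct.pack("<I", flags) + payload)


def parse_authenticate(msg, flags):
    """Server side: decode a type 3 message with the *negotiated* flags.
    Wrong flags here silently mis-decode the user and domain strings."""
    sig, mtype = struct.unpack_from("<8sI", msg, 0)
    if sig != SIGNATURE or mtype != AUTHENTICATE:
        raise ValueError("not an NTLMSSP AUTHENTICATE message")

    def buf(pos):
        length, _maxlen, offset = struct.unpack_from("<HHI", msg, pos)
        return msg[offset:offset + length]

    enc = "utf-16-le" if flags & NEGOTIATE_UNICODE else "ascii"
    return {"lm_response": buf(12), "nt_response": buf(20),
            "domain": buf(28).decode(enc), "user": buf(36).decode(enc),
            "workstation": buf(44).decode(enc)}


def effective_challenge(flags, server_challenge, lm_resp):
    """Value the NT response must be verified against.  With extended session
    security it is MD5(ServerChallenge || ClientChallenge)[:8], the client
    challenge being the first 8 bytes of the LM response field."""
    if flags & NEGOTIATE_EXTENDED_SESSIONSECURITY:
        return hashlib.md5(server_challenge + lm_resp[:8]).digest()[:8]
    return server_challenge


def run_exchange(client_flags, user="alice", domain="EXAMPLE"):
    """Walk one constructed exchange; return what the verifier would act on."""
    negotiate = SIGNATURE + struct.pack("<II", NEGOTIATE, client_flags) + b"\x00" * 16
    _msg2, negotiated = build_challenge(parse_negotiate(negotiate), SERVER_CHALLENGE)
    lm_resp = CLIENT_CHALLENGE + b"\x00" * 16   # placeholder 24-byte responses
    nt_resp = b"\x11" * 24
    auth = build_authenticate(negotiated, domain, user, "WS1", lm_resp, nt_resp)
    parsed = parse_authenticate(auth, negotiated)
    parsed["negotiated_flags"] = negotiated
    parsed["challenge_to_verify"] = effective_challenge(
        negotiated, SERVER_CHALLENGE, parsed["lm_response"])
    return parsed
```

Calling `run_exchange(NEGOTIATE_UNICODE | NEGOTIATE_OEM | NEGOTIATE_NTLM | NEGOTIATE_EXTENDED_SESSIONSECURITY)` yields negotiated flags 0x80201, the user name "alice", and a verification challenge that differs from the server challenge; parsing the same type 3 message with the UNICODE bit cleared returns a mangled user name, which is exactly what a helper that never saw the negotiated flags would do.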

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:14:49 MST