Re: [PATCH] Re: Fixed Challenge/response sizes in Squid's NTLMSSP code

From: Serassio Guido <guido.serassio@dont-contact.us>
Date: Wed, 21 Jul 2004 19:43:54 +0200

Hi Andrew,

At 13.51 21/07/2004, Andrew Bartlett wrote:

>On Wed, 2004-07-14 at 03:51, Serassio Guido wrote:
> > Hi,
> >
> > At 11.55 13/07/2004, Henrik Nordstrom wrote:
> >
> > >On Tue, 13 Jul 2004, Andrew Bartlett wrote:
> > >
> > > > While I've been trying to code up the 'Negotiate' (SPNEGO) support for
> > > > Squid, I have seen a lot of:
> > > >
> > > > ntlm_request->authchallenge = xstrndup(reply, NTLM_CHALLENGE_SZ
> > > > + 5);
> > >
> > >As robert already said, there is no reason xstrdup should not be used
> > >here, and I also suspect many of these copies should go away completely
> > >when we get rid of the challenge/response cache.
> > >
> > > > These worry me - not only are these packets not fixed size, Squid
> has no
> > > > way of knowing what they should be!
> > >
> > >Correct. Squid has no business trying to guess the properties of the
> > >exchanged blobs.
> >
> > This explains now some strange problems with NTLM negotiate using native
> > Windows NTLM authenticator that I cannot understand before.
> >
> > I can confirm that NTLM negotiate fails with "long" domain and machine
> names:
> >
> > I have just rebuild Squid with NTLM_CHALLENGE_SZ set to 400 instead of
> 300,
> > and now al works !
>
>Patch to fix this attached. (Seems to work for me).

Thanks, I'will start from now to test this patch in Windows.

>This is a nasty bug - I'm not about to tell the Squid team how to run
>your releases, but I really hope this can be in a stable release soon.
>(Because for the poor admin, it's going to be the last thing they will
>think of...)

I agree. In the Windows port this bug can be more important, because the
major use of NTLM/NTLMv2 authentication.

For now, I have already got two problem report about.

Regards

Guido

-
========================================================
Guido Serassio
Acme Consulting S.r.l. - Microsoft Certified Partner
Via Gorizia, 69 10136 - Torino - ITALY
Tel. : +39.011.3249426 Fax. : +39.011.3293665
Email: guido.serassio@acmeconsulting.it
WWW: http://www.acmeconsulting.it/
Received on Wed Jul 21 2004 - 11:44:24 MDT

This archive was generated by hypermail pre-2.1.9 : Sat Jul 31 2004 - 12:00:03 MDT