fakeauth_auth problem

From: Joao Alves Neto <alves_joao_at_hotmail.com>
Date: Mon, 27 Apr 2009 18:58:30 +0000

Hi there

We are facing a problem with squid/fakeauth_auth helper, after change in NTLM parameters of our stations(Require Message Integrity, Message Confidentiality, NTLMv2 Session Security, 128-bit Encryption).

I made some tests and realized that NTLMSSP Flags returned in NTLMSSP_CHALLENGE to station is wrong:

1 - Success Authentication (ntlm_auth)

    1 - HTTP/1.0 407 Proxy Authentication Required (text/html)

    2 - GET http:/// HTTP/1.1 , NTLMSSP_NEGOTIATE
     -Proxy-Authorization: NTLM Taldjfpoa\sdfalsdmflasdflafajsdfjajasldjJAJA\r\n - EXAMPLE
          - NTLMSSP
            NTLMSSP identifier: NTLMSSP
            NTLM Message Type: NTLMSSP_NEGOTIATE (0x00000001)
          -Flags: 0xa208b207 - estation send this flag

    3 - HTTP/1.0 407 Proxy Authentication Required , NTLMSSP_CHALLENGE (text/html)
     Proxy-Authenticate: NTLM TaljdflasjdfljasdlfjoqAJDFJQOWEURPOQWEURPQWEJKROQWEUFÇLAJSLFJASDLFJKQWEO........................
     NTLMSSP
        NTLMSSP identifier: NTLMSSP
        NTLM Message Type: NTLMSSP_CHALLENGE (0x00000002)
        .....
        Flags: 0xa2898205 - estation receive these flag from squid.
    
    4 - HTTP/1.1 , NTLMSSP_AUTH, User: Domain\User

2 - Unssucess Authentication (fakeauth_auth)

    1 - HTTP/1.0 407 Proxy Authentication Required (text/html)

    2 - GET http:/// HTTP/1.1 , NTLMSSP_NEGOTIATE
     -Proxy-Authorization: NTLM Taldjfpoa\sdfalsdmflasdflafajsdfjajasldjJAJA\r\n - EXAMPLE
          - NTLMSSP
            NTLMSSP identifier: NTLMSSP
            NTLM Message Type: NTLMSSP_NEGOTIATE (0x00000001)
          -Flags: 0xa208b207 - estation send this flag

    3 - HTTP/1.0 407 Proxy Authentication Required , NTLMSSP_CHALLENGE (text/html)
     Proxy-Authenticate: NTLM TaljdflasjdfljasdlfjoqAJDFJQOWEURPOQWEURPQWEJKROQWEUFÇLAJSLFJASDLFJKQWEO........................
     NTLMSSP
        NTLMSSP identifier: NTLMSSP
        NTLM Message Type: NTLMSSP_CHALLENGE (0x00000002)
        .....
        Flags: 0x00018205 - estation receive this flag from squid/fakeauth_auth.

    4 - Authetication Failed
    
    
    
    
As a test, I forced NTLMSSP_CHALLENGE FLAGS to be equal NTLMSSP_NEGOTIATE(0xa208b207) then it worked fine.

changed function in fakeauth_auth.c

void ntlmMakeChallenge(struct ntlm_challenge *chal, int32_t flags)
{
    static unsigned hash;
    int r;
    char *d;
    int i;

    debug("ntlmMakeChallenge: flg %08x\n", flags);

    memset(chal, 0, sizeof(*chal));
    memcpy(chal->hdr.signature, "NTLMSSP", 8);
    chal->flags = htole32(CHALLENGE_TARGET_IS_DOMAIN |
    NEGOTIATE_ALWAYS_SIGN |
    NEGOTIATE_USE_NTLM |
    NEGOTIATE_REQUEST_TARGET |
    (NEGOTIATE_UNICODE & flags ? NEGOTIATE_UNICODE : NEGOTIATE_ASCII)
    );
    // Testing purpose
    chal->flags = flags;

    chal->hdr.type = htole32(NTLM_CHALLENGE);
    chal->unknown[6] = htole16(0x003a);

    d = (char *) chal + 48;
    i = 0;

    if (authenticate_ntlm_domain != NULL)
    while (authenticate_ntlm_domain[i++]);

    chal->target.offset = htole32(48);
    chal->target.maxlen = htole16(i);
    chal->target.len = chal->target.maxlen;

    r = (int) rand();
    r = (hash ^ r) + r;

    for (i = 0; i < 8; i++) {
    chal->challenge[i] = r;
    r = (r>> 2) ^ r;
    }

    hash = r;
}

Diff file:
----------------------------------
*** /root/src/squid-3.0.STABLE14-20090424/helpers/ntlm_auth/fakeauth/fakeauth_auth.c 2009-04-24 06:21:00.000000000 -0300
--- /root/squid-3.0.STABLE14-20090424/helpers/ntlm_auth/fakeauth/fakeauth_auth.c 2009-04-24 11:19:28.000000000 -0300
***************
*** 158,163 ****
--- 158,164 ----
        NEGOTIATE_REQUEST_TARGET |
        (NEGOTIATE_UNICODE & flags ? NEGOTIATE_UNICODE : NEGOTIATE_ASCII)
        );
+ chal->flags = flags;
      chal->hdr.type = htole32(NTLM_CHALLENGE);
      chal->unknown[6] = htole16(0x003a);
----------------------------------

any idea?

thanks

-----------------------------------------------------

Amos comments in Squid-users List

"
>
> First idea is that you should be sending code issues to squid-dev where we
> who fix the code hang out.
>
> Secondly, what exactly did you change to make it work? diff patch is
> required please along with the info as to what version of squid it is made
> from.
>
> Thirdly, note that NTLMv2 is not really NTLM any more. The fakeauth helper
> needs to handle both these days. Either with command line switches to
> configure the auth type in use or automatic sensing.
> see http://en.wikipedia.org/wiki/NTLM for some details of the differences.
> If we can make this helper cope without losing the old protocol I will
> commit for you.
>
> Thanks
> Amos
>"

_________________________________________________________________
Windows Live™ SkyDrive™: Get 25 GB of free online storage.
http://windowslive.com/online/skydrive?ocid=TXT_TAGLM_WL_skydrive_042009
Received on Mon Apr 27 2009 - 19:09:00 MDT

This archive was generated by hypermail 2.2.0 : Tue Apr 28 2009 - 12:00:03 MDT