RE: [squid-users] problem fakeauth_auth

From: Joao Alves Neto <alves_joao_at_hotmail.com>
Date: Mon, 27 Apr 2009 18:45:24 +0000

Hi Amos
 
 
I'll post this issue to squid-dev, but fyi, here is the change I made(FOR TESTE ONLY).
 

-----------------
*** /root/src/squid-3.0.STABLE14-20090424/helpers/ntlm_auth/fakeauth/fakeauth_auth.c 2009-04-24 06:21:00.000000000 -0300
--- /root/squid-3.0.STABLE14-20090424/helpers/ntlm_auth/fakeauth/fakeauth_auth.c 2009-04-24 11:19:28.000000000 -0300
***************
*** 158,163 ****
--- 158,164 ----
        NEGOTIATE_REQUEST_TARGET |
        (NEGOTIATE_UNICODE & flags ? NEGOTIATE_UNICODE : NEGOTIATE_ASCII)
        );
+ chal->flags = flags;
      chal->hdr.type = htole32(NTLM_CHALLENGE);
      chal->unknown[6] = htole16(0x003a);
--------------------
 
Regards
 
Joao

> Date: Mon, 27 Apr 2009 14:41:39 +1200
> From: squid3_at_treenet.co.nz
> To: alves_joao_at_hotmail.com
> CC: squid-users_at_squid-cache.org
> Subject: Re: [squid-users] problem fakeauth_auth
>
>>
>> Hi there
>>
>> We are facing a problem with squid/fakeauth_auth helper, after change in
>> NTLM parameters of our stations(Require Message Integrity, Message
>> Confidentiality, NTLMv2 Session Security, 128-bit Encryption).
>>
>> I made some tests and realized that NTLMSSP Flags returned in
>> NTLMSSP_CHALLENGE to station is wrong:
>>
>>
>> 1 - Success Authentication (ntlm_auth)
>>
>> 1 - HTTP/1.0 407 Proxy Authentication Required (text/html)
>>
>>
>> 2 - GET http:/// HTTP/1.1 , NTLMSSP_NEGOTIATE
>> -Proxy-Authorization: NTLM
>> Taldjfpoa\sdfalsdmflasdflafajsdfjajasldjJAJA\r\n - EXAMPLE
>> - NTLMSSP
>> NTLMSSP identifier: NTLMSSP
>> NTLM Message Type: NTLMSSP_NEGOTIATE (0x00000001)
>> -Flags: 0xa208b207 - estation send this flag
>>
>>
>> 3 - HTTP/1.0 407 Proxy Authentication Required , NTLMSSP_CHALLENGE
>> (text/html)
>> Proxy-Authenticate: NTLM
>> TaljdflasjdfljasdlfjoqAJDFJQOWEURPOQWEURPQWEJKROQWEUFÇLAJSLFJASDLFJKQWEO........................
>> NTLMSSP
>> NTLMSSP identifier: NTLMSSP
>> NTLM Message Type: NTLMSSP_CHALLENGE (0x00000002)
>> .....
>> Flags: 0xa2898205 - estation receive these flag from squid.
>>
>> 4 - HTTP/1.1 , NTLMSSP_AUTH, User: Domain\User
>>
>>
>>
>> 2 - Unssucess Authentication (fakeauth_auth)
>>
>> 1 - HTTP/1.0 407 Proxy Authentication Required (text/html)
>>
>>
>> 2 - GET http:/// HTTP/1.1 , NTLMSSP_NEGOTIATE
>> -Proxy-Authorization: NTLM
>> Taldjfpoa\sdfalsdmflasdflafajsdfjajasldjJAJA\r\n - EXAMPLE
>> - NTLMSSP
>> NTLMSSP identifier: NTLMSSP
>> NTLM Message Type: NTLMSSP_NEGOTIATE (0x00000001)
>> -Flags: 0xa208b207 - estation send this flag
>>
>>
>> 3 - HTTP/1.0 407 Proxy Authentication Required , NTLMSSP_CHALLENGE
>> (text/html)
>> Proxy-Authenticate: NTLM
>> TaljdflasjdfljasdlfjoqAJDFJQOWEURPOQWEURPQWEJKROQWEUFÇLAJSLFJASDLFJKQWEO........................
>> NTLMSSP
>> NTLMSSP identifier: NTLMSSP
>> NTLM Message Type: NTLMSSP_CHALLENGE (0x00000002)
>> .....
>> Flags: 0x00018205 - estation receive this flag from
>> squid/fakeauth_auth.
>>
>>
>> 4 - Authetication Failed
>>
>>
>>
>>
>> As a test, I forced NTLMSSP_CHALLENGE FLAGS to be equal
>> NTLMSSP_NEGOTIATE(0xa208b207) then it worked fine.
>>
>> fakeauth_auth.c
>>
>> void ntlmMakeChallenge(struct ntlm_challenge *chal, int32_t flags)
>> {
>> static unsigned hash;
>> int r;
>> char *d;
>> int i;
>>
>> debug("ntlmMakeChallenge: flg %08x\n", flags);
>>
>> memset(chal, 0, sizeof(*chal));
>> memcpy(chal->hdr.signature, "NTLMSSP", 8);
>> chal->flags = htole32(CHALLENGE_TARGET_IS_DOMAIN |
>> NEGOTIATE_ALWAYS_SIGN |
>> NEGOTIATE_USE_NTLM |
>> NEGOTIATE_REQUEST_TARGET |
>> (NEGOTIATE_UNICODE & flags ? NEGOTIATE_UNICODE : NEGOTIATE_ASCII)
>> );
>> // Testing purpose
>> chal->flags = flags;
>>
>> chal->hdr.type = htole32(NTLM_CHALLENGE);
>> chal->unknown[6] = htole16(0x003a);
>>
>> d = (char *) chal + 48;
>> i = 0;
>>
>> if (authenticate_ntlm_domain != NULL)
>> while (authenticate_ntlm_domain[i++]);
>>
>>
>> chal->target.offset = htole32(48);
>> chal->target.maxlen = htole16(i);
>> chal->target.len = chal->target.maxlen;
>>
>> r = (int) rand();
>> r = (hash ^ r) + r;
>>
>> for (i = 0; i < 8; i++) {
>> chal->challenge[i] = r;
>> r = (r>> 2) ^ r;
>> }
>>
>> hash = r;
>> }
>>
>>
>> any idea?
>
> First idea is that you should be sending code issues to squid-dev where we
> who fix the code hang out.
>
> Secondly, what exactly did you change to make it work? diff patch is
> required please along with the info as to what version of squid it is made
> from.
>
> Thirdly, note that NTLMv2 is not really NTLM any more. The fakeauth helper
> needs to handle both these days. Either with command line switches to
> configure the auth type in use or automatic sensing.
> see http://en.wikipedia.org/wiki/NTLM for some details of the differences.
> If we can make this helper cope without losing the old protocol I will
> commit for you.
>
> Thanks
> Amos
>

_________________________________________________________________
Rediscover Hotmail®: Get e-mail storage that grows with you.
http://windowslive.com/RediscoverHotmail?ocid=TXT_TAGLM_WL_HM_Rediscover_Storage2_042009
Received on Mon Apr 27 2009 - 18:45:30 MDT

This archive was generated by hypermail 2.2.0 : Tue Apr 28 2009 - 12:00:02 MDT