Update selection of type 3 response in ntlm.c #3287
Conversation
NTLM2 did not work i.e. no NTLMv2 response was created. Changing the check seems to work. https://winprotocoldoc.blob.core.windows.net/productionwindowsarchives/MS-NLMP/[MS-NLMP].pdf
remove space
|
Does the Travis-CI log indicate NTLM failures ? It is hard to read/understand the result in the log. Markus |
Yes, those tests seem to fail now and they all involve NTLM... |
|
I feared that be the case. Would it be possible to get the capture of the NTLM exchange i.e. what were the flags in type 1,2 and 3 for the successful and failed auth attempts ? Is there an option to test against an AD server which has NTLMv1 / LM disabled ? |
All curl tests are run either without a test server or with a "synthetic" test server that we build ourselves. This way everyone can build and run the tests and they can run in the CI etc without having to connect anywhere or need any magic accounts. (Also, most curl developers are on non-windows platforms.) For this particular failure, you've updated bits that curl sends in its NTLM headers without updating the corresponding tests so this is not a surprise. The tests will verify that curl sends exactly what is expected of it! |
|
The change shouldn't break anything for a "old" "insecure" AD server, but add additional functionality to support AD server which have LM and NTLMv1 disabled. So if the tests fail I need to understand what the synthetic setup looks like to adjust as I have a limited test environment. Is that possible ? Thank you |
|
Starting with the first test fail, test2025, I think the critical diff is this: -Authorization: NTLM TlRMTVNTUAADAAAAGAAYAEAAAAAYABgAWAAAAAAAAABwAAAACAAIAHAAAAAIAAgAeAAAAAAAAAAAAAAABoIBAI+/Fp9IERAQ74OsdNPbBpg7o8CVwLSO4DtFyIcZHUMKVktWIu92s2892OVpd2JzqnRlc3R1c2VyY3VybGhvc3Q=[CR][LF]
+Authorization: NTLM TlRMTVNTUAADAAAAGAAYAEAAAAAYABgAWAAAAAAAAABwAAAACAAIAHAAAAAIAAgAeAAAAAAAAAAAAAAABoIBACSb60vUMLShAAAAAAAAAAAAAAAAAAAAAHSb9yQXjz3gIcUWePywK8aoyXJ4KokJ13Rlc3R1c2VyY3VybGhvc3Q=[CR][LF]If you paste them into a text editor you can see how the headers start differ at position 105. Which isn't a surprise since the code has changed how the |
|
I am sorry I may not have understood correctly before. Are you saying some tests are just string comparisons not functional ? Markus |
|
They do both, but yes I'm saying these five tests all report the string differences as failures. Since they get a different string than they expect! |
|
So that means basically the change works. The tests need to be only adjusted ? |
|
If you say so. The custom test server we run really doesn't "know" NTLM, it just plays back whatever we tell it to. If you want to verify that your code really works and speaks NTLMv2 I trust that you use it against a real server that implements and supports that protocol. Once you know your code works against such a server, then simply updating the strings in the corresponding curl tests should be fine and will make sure we don't regress this going forward. |
lib/vauth/ntlm.c
Outdated
| @@ -451,6 +451,7 @@ CURLcode Curl_auth_create_ntlm_type1_message(struct Curl_easy *data, | |||
| LONGQUARTET(NTLMFLAG_NEGOTIATE_OEM | | |||
| NTLMFLAG_REQUEST_TARGET | | |||
| NTLMFLAG_NEGOTIATE_NTLM_KEY | | |||
| NTLMFLAG_NEGOTIATE_NTLM2_KEY | | |||
| NTLM2FLAG | | |||
There was a problem hiding this comment.
NTLM2FLAG already contains NTLMFLAG_NEGOTIATE_NTLM2_KEY, see line ~408:
#if defined(USE_NTRESPONSES) && defined(USE_NTLM2SESSION)
#define NTLM2FLAG NTLMFLAG_NEGOTIATE_NTLM2_KEY
#else
#define NTLM2FLAG 0
#endif
lib/vauth/ntlm.c
Outdated
| @@ -599,7 +600,7 @@ CURLcode Curl_auth_create_ntlm_type3_message(struct Curl_easy *data, | |||
|
|
|||
| #if defined(USE_NTRESPONSES) && defined(USE_NTLM2SESSION) | |||
| /* We don't support NTLM2 if we don't have USE_NTRESPONSES */ | |||
| if(ntlm->flags & NTLMFLAG_NEGOTIATE_NTLM2_KEY) { | |||
| if(ntlm->flags & NTLMFLAG_NEGOTIATE_NTLM_KEY) { | |||
There was a problem hiding this comment.
I don't understand this change. Does this mean that an NTLMv1 message is sent to servers that support NTLMv2 ?
There was a problem hiding this comment.
That is the part of the code I am not sure about. The comment is about NTLM2, but the previous section is really the NTLMv2 section i.e. where the correct response is created. This one seem to create only the LM response. ( At least the was the result from the wireshark captures)
Markus
remove unnecessary flag
typing error
|
Does anybody know which Negotiate flag combination reflects the 6 cases ? There are six authentication levels. Send LM & NTLM responses: Clients use LM and NTLM authentication, and never use NTLMv2 session security; DCs accept LM, NTLM, and NTLMv2 authentication. Send LM & NTLM - use NTLMv2 session security if negotiated: Clients use LM and NTLM authentication, and use NTLMv2 session security if server supports it; DCs accept LM, NTLM, and NTLMv2 authentication. Send NTLM response only: Clients use NTLM authentication only, and use NTLMv2 session security if server supports it; DCs accept LM, NTLM, and NTLMv2 authentication. Send NTLMv2 response only: Clients use NTLMv2 authentication only, and use NTLMv2 session security if server supports it; DCs accept LM, NTLM, and NTLMv2 authentication. Send NTLMv2 response only\refuse LM: Clients use NTLMv2 authentication only, and use NTLMv2 session security if server supports it; DCs refuse LM (accept only NTLM and NTLMv2 authentication). Send NTLMv2 response only\refuse LM & NTLM: Clients use NTLMv2 authentication only, and use NTLMv2 session security if server supports it; DCs refuse LM and NTLM (accept only NTLMv2 authentication). Markus |
|
Who can verify that this is correct and can go into a release ? |
|
How can I rerun the tests ? They don't seem to be related to my code changes Thank you |
|
I've restarted the failed Travis tests. |
|
It looks like the master branch is broken make[2]: Entering directory |
|
Actually, at least the first failure is because of: Building with |
Thank you for the hint. I did not find this in the log. |
|
Not sure what the cause is of the unit1300 error. Looks more like an issue with the testing environment. Markus |
remove unnecessary flag
typing error
huaraz
force-pushed
the
patch-1
branch
3 times, most recently
from
b6fc986
to
cfc5958
Compare
remove unnecessary flag
typing error
|
Sorry I am too new to git and it seems I misunderstood how "squashing" works. I deleted the patch and recreated a new pull Markus |
NTLM2 did not work i.e. no NTLMv2 response was created. Changing the check seems to work. Ref: https://winprotocoldoc.blob.core.windows.net/productionwindowsarchives/MS-NLMP/[MS-NLMP].pdf Fixes #3286 Closes #3287 Closes #3415
NTLM2 did not work i.e. no NTLMv2 response was created. Changing the check seems to work.
https://winprotocoldoc.blob.core.windows.net/productionwindowsarchives/MS-NLMP/[MS-NLMP].pdf
Fixes #3286