
List:       kde-devel
Subject:    Re: kio_http NTLM auth problem and possible patch.
From:       Szombathelyi "György" <gyurco () freemail ! hu>
Date:       2005-06-11 14:40:19
Message-ID: 200506111640.20009.gyurco () freemail ! hu

It seems that NTLM buffers should be padded to 2 byte boundaries. Can you try 
the attached patch (untested by me)?

On 10 June 2005 at 12:40, Simone Gotti wrote:
> On Thursday 09 June 2005 23:38, Szombathelyi György wrote:
> > Hi!
> >
> > Can you post the tcpdump output for the failed NTLMv2 conversation?
>
> Maybe I can send it to you privately, as there's my personal account, which
> can probably be discovered by analyzing them. I can also redo them, sending the
> wrong password to it.
>
> > Maybe
> > there's a bug in the NTLMv2 code, which should be fixed, instead of
> > disabling the whole NTLMv2 authentication.
>
> My idea isn't to disable NTLMv2 but to do 2 tries, one with NTLMv2 and if
> it fails then try with NTLMv1. Or maybe the NTLMv2 string generation has a
> bug.
>
> > Basically, if the server returns
> > a correct TargetInfo structure, NTLMv2 should be supported.
>
> I read some docs but didn't find this declaration. Do you know some other
> open-source client programs that support NTLMv2? So I can try them and look
> at how they work.
>
> Thanks.
>
> Bye!
>
> > On 7 June 2005 at 18:24, Hasso Tepper wrote:
> > > Simone Gotti wrote:
> > > > Browsing a site on a customer intranet I noticed that I cannot access
> > > > it via NTLM with konqueror but it worked well with mozilla. I
> > > > tcpdumped the HTTP packets and noticed that the problem is that
> > > > kio_http uses NTLMv2 while mozilla uses NTLMv1 (maybe it doesn't
> > > > support v2). The v2 auth isn't recognized by the server and the auth
> > > > fails.
> > > >
> > > > The problem is that, as the TargetInfo field in the challenge string
> > > > isn't empty, KNTLM::getAuth tries to use, without success, NTLMv2.
> > > > I read some docs but I didn't find a way to really check if NTLMv2
> > > > is supported. Forcing kntlm to use NTLMv1 (brutally commenting out the
> > > > NTLMv2 code) made it work.
> > > >
> > > > I'm doing a patch for kio_http/kntlm but I'd like to ask some
> > > > questions on how the whole thing can be implemented:
> > > >
> > > > 1) bool KNTLM::getAuth( QByteArray &auth, const QByteArray
> > > > &challenge, const QString &user,
> > > >   const QString &password, const QString &domain, const QString
> > > > &workstation, bool forceNTLM, bool forceNTLMv2 )
> > > >
> > > > With the current API you cannot force NTLMv1 instead of NTLMv2 as the
> > > > "forceNTLM" flag means that it'll just use NTLMv1 or v2 and not
> > > > simple LM or LMv2.
> > > >
> > > > A solution without api change will be to change the line:
> > > >
> > > > if ( forceNTLMv2  || !targetInfo.isEmpty() /* may support NTLMv2 */ )
> > > > {
> > > >
> > > > to
> > > >
> > > > if ( forceNTLMv2  ) {
> > >
> > > This hack solves the issue for me, reported as
> > > http://bugs.kde.org/show_bug.cgi?id=93454
> > >
> > > Many thanks for finding the cause of the problem!
> > >
> > > > When I finish my patch I'll post and commit it (if accepted), but
> > > > I'd be very happy to hear suggestions from people more expert than me
> > > > on this side.
> > >
> > > Would be happy to help with testing the patch.
> > >
> > >
> > > regards,
> >

["kntlm.diff" (text/x-diff)]

Index: kntlm.cpp
===================================================================
--- kntlm.cpp	(revision 423857)
+++ kntlm.cpp	(working copy)
@@ -77,10 +77,10 @@
 
 void KNTLM::addBuf( QByteArray &buf, SecBuf &secbuf, QByteArray &data )
 {
-  secbuf.offset = buf.size();
+  secbuf.offset = (buf.size() + 1) && 0xfffffffe;
   secbuf.len = data.size();
   secbuf.maxlen = data.size();
-  buf.resize( buf.size() + data.size() );
+  buf.resize( secbuf.offset + data.size() );
   memcpy( buf.data() + secbuf.offset, data.data(), data.size() );
 }
 
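Review bot: The new secbuf.offset line uses logical "&&" where bitwise "&" is needed: "(buf.size() + 1) && 0xfffffffe" evaluates to 1 for every buf, so the following resize() sets the buffer to 1 + data.size() bytes and the memcpy writes over the start of the message instead of appending to it. It should read "secbuf.offset = (buf.size() + 1) & 0xfffffffe;". Separately, when buf.size() is odd the corrected code leaves one pad byte between the old end of buf and secbuf.offset that this function never writes; set it to 0 explicitly rather than relying on whatever resize() leaves there.
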
@@ -130,7 +130,7 @@
   ((Auth*) rbuf.data())->flags = ch->flags;
   QByteArray targetInfo = getBuf( challenge, ch->targetInfo );
 
-  if ( forceNTLMv2 || !targetInfo.isEmpty() /* may support NTLMv2 */ ) {
+  if ( forceNTLMv2 || (!targetInfo.isEmpty() && (ch->flags & Negotiate_Target_Info)) \
/* may support NTLMv2 */ ) {  if ( ch->flags & Negotiate_NTLM ) {
       if ( targetInfo.isEmpty() ) return false;
       response = getNTLMv2Response( dom, user, password, targetInfo, \
ch->challengeData );
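
Review bot: The added "(ch->flags & Negotiate_Target_Info)" test in the outer condition lets a bit taken from the server's challenge decide whether the NTLMv2 branch runs at all, and nothing visible here tells the caller which branch was taken. Since forceNTLMv2 is the only way to insist on v2, document at getAuth() that a challenge without Negotiate_Target_Info now skips this branch, and consider logging that case so a weaker-than-expected authentication can be traced. With the new condition the inner "if ( targetInfo.isEmpty() ) return false;" is reachable only through forceNTLMv2; a one-line comment saying so would help the next reader. The condition is also long enough to be worth splitting over two lines.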



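The checks discussed in this thread (target info present in the challenge, the Negotiate_Target_Info flag, 2-byte alignment of buffer offsets), as an added example that is not part of the original message or of kntlm.cpp. It assumes the publicly documented Type 2 layout (flags at offset 20, target info security buffer at offset 40, flag value 0x00800000) and goes beyond the patch by bounds-checking the security buffer; all function and type names are hypothetical.

```cpp
// Added example; not KDE code. Names are hypothetical. Offsets and the flag
// value follow the publicly documented NTLM Type 2 (challenge) layout.
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <vector>

static const uint32_t kNegotiateTargetInfo = 0x00800000;
struct Challenge { bool valid; bool v2Candidate; std::vector<uint8_t> targetInfo; };
// Little-endian read of n bytes; the caller has already checked the bounds.
static uint32_t le(const std::vector<uint8_t> &m, size_t off, int n) {
  uint32_t v = 0;
  for (int i = n - 1; i >= 0; --i) v = (v << 8) | m[off + i];
  return v;
}

// Round up to an even offset; needs bitwise '&' (logical '&&' yields 0 or 1).
uint32_t alignEven(uint32_t off) { return (off + 1) & 0xfffffffeu; }

Challenge parseChallenge(const std::vector<uint8_t> &m) {
  Challenge c = {false, false, {}};
  if (m.size() < 32 || std::memcmp(m.data(), "NTLMSSP", 8) != 0) return c;
  if (le(m, 8, 4) != 2) return c;            // not a Type 2 message
  c.valid = true;
  if (m.size() < 48) return c;               // no target info secbuf present
  uint32_t flags = le(m, 20, 4), len = le(m, 40, 2), off = le(m, 44, 4);
  // A secbuf pointing outside the message is rejected, never copied from.
  if (len == 0 || off > m.size() || len > m.size() - off) return c;
  c.targetInfo.assign(m.begin() + off, m.begin() + off + len);
  c.v2Candidate = (flags & kNegotiateTargetInfo) != 0;
  return c;
}

// Constructed sample: 48-byte header followed by 8 zero bytes of payload.
std::vector<uint8_t> sampleChallenge(uint32_t flags, uint16_t tiLen, uint32_t tiOff) {
  std::vector<uint8_t> m(56, 0);
  std::memcpy(m.data(), "NTLMSSP", 8);
  m[8] = 2;
  for (int i = 0; i < 4; ++i) m[20 + i] = (flags >> (8 * i)) & 0xff;
  m[40] = m[42] = tiLen & 0xff;
  m[41] = m[43] = tiLen >> 8;
  for (int i = 0; i < 4; ++i) m[44 + i] = (tiOff >> (8 * i)) & 0xff;
  return m;
}

int main() {
  std::printf("%d\n", parseChallenge(sampleChallenge(kNegotiateTargetInfo, 8, 48)).v2Candidate);
  return 0;
}
```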