libntlm

Re: Potential issues in libntlm 1.2


From: Simon Josefsson
Subject: Re: Potential issues in libntlm 1.2
Date: Thu, 22 Apr 2010 11:38:57 +0200
User-agent: Gnus/5.110011 (No Gnus v0.11) Emacs/23.1 (gnu/linux)

Olivier Lau <address@hidden> writes:

> Hi,
>
> I have noticed the following potential issues in libntlm 1.2:

Hi Olivier.  Thanks for your interest and review!

> - definition of tSmbNtlmAuthRequest in ntlm.h: the fields user and
> domain are inverted. According to the spec
> (http://davenport.sourceforge.net/ntlm.html), domain should be
> first. Also, "user" should actually be named "workstation" or "host".

Do you want the wire syntax to be modified here, or just the
representation in the struct?

I no longer have access to an environment to test NTLM in, and I feel
uncomfortable changing the wire syntax in a drastic way like this
without some testing.  I also wonder why this wasn't noticed earlier; it
seems like the current approach would not work at all if it really is
broken?

Do you have access to some Microsoft server where you can test the code?
If you know what to download and install to set up an environment where
NTLM can be tested against Microsoft servers, that would be useful
documentation to have.

> - buildSmbNtlmAuthResponse_userlen() function (in smbutil.c): about the
> last line of the function:
>
> response->flags = challenge->flags;
>
> I believe the response to challenge should not mirror flags sent from
> the server, as the client does not necessarily have the same
> capabilities as the server.

What should be done instead?

/Simon
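
For reference on the first point, an added example (not part of the original message and not libntlm code) that reads a Type 1 message using the layout in the Davenport document cited above: flags at offset 12, the domain security buffer at offset 16 and the workstation security buffer at offset 24, each bounds-checked before use. The names `secbuf`, `read_secbuf`, `parse_type1` and `sample_type1` are hypothetical, the sample bytes are constructed, and the strings are assumed to be OEM-encoded.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Security buffer on the wire: length(2) allocated(2) offset(4), little-endian. */
struct secbuf { uint16_t len; uint32_t off; };

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Read the security buffer at pos; reject data that lies outside the message. */
static int read_secbuf(const uint8_t *m, size_t n, size_t pos, struct secbuf *sb)
{
    if (pos + 8 > n) return -1;
    sb->len = rd16(m + pos);
    sb->off = rd32(m + pos + 4);
    if (sb->off > n || sb->len > n - sb->off) return -1;
    return 0;
}

/* Type 1: "NTLMSSP\0", type 1, flags, domain buffer, then workstation buffer. */
int parse_type1(const uint8_t *m, size_t n, uint32_t *flags,
                struct secbuf *domain, struct secbuf *workstation)
{
    if (n < 32 || memcmp(m, "NTLMSSP\0", 8) != 0 || rd32(m + 8) != 1) return -1;
    *flags = rd32(m + 12);
    if (read_secbuf(m, n, 16, domain) != 0) return -1;
    return read_secbuf(m, n, 24, workstation);
}

/* Constructed sample message: workstation "WORKSTA", domain "DOM". */
static const uint8_t sample_type1[] = {
    'N','T','L','M','S','S','P',0,  0x01,0,0,0,  0x02,0x32,0,0,
    0x03,0,0x03,0, 0x27,0,0,0,      /* domain: len 3, offset 39 */
    0x07,0,0x07,0, 0x20,0,0,0,      /* workstation: len 7, offset 32 */
    'W','O','R','K','S','T','A',  'D','O','M'
};

int main(void)
{
    uint32_t f; struct secbuf d, w;
    if (parse_type1(sample_type1, sizeof sample_type1, &f, &d, &w) != 0) return 1;
    printf("domain=%.*s workstation=%.*s\n", (int)d.len,
           (const char *)sample_type1 + d.off, (int)w.len,
           (const char *)sample_type1 + w.off);
    return 0;
}
```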



