Make sending only filled MsvAvFlags field for CHALLENGE message #98
I encountered a problem due to which MIC code verification on the server side in the gss-ntlmssp library consistently fails.
NTLM authentication is used to implement DCE/RPC between a Windows client and a Linux server.
Environment
Client: Windows 10 22H2, standard MSRPC API.
Server: various Debian and RedHat based distributions, MIT Kerberos 5, gss-ntlmssp 1.2.
Experimentally, it was possible to establish that if there is no empty MsvAvFlags field (with a value of 0) in the TargetInfo list in the CHALLENGE message, the MIC hashes begin to match. The specification does not indicate that this field is required and there is an indirect indication that it may be missing in section 3.1.5.1.2:
Apparently, Windows does not take this field into account when calculating the MIC code that is transmitted in the AUTHENTICATE message.
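A diagnostic check for the condition described above, as an added example that is not part of this pull request or of gss-ntlmssp: it walks a TargetInfo AV_PAIR list (2-byte AvId, 2-byte AvLen, value, all little-endian, per MS-NLMP 2.2.2.1) and reports whether an MsvAvFlags pair is present and what it holds. The function name `find_msv_av_flags` and both sample buffers are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* AvId values from MS-NLMP 2.2.2.1 (AV_PAIR). */
#define MSV_AV_EOL   0x0000
#define MSV_AV_FLAGS 0x0006

/* NTLM fields are little-endian on the wire. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/*
 * Hypothetical helper: look for MsvAvFlags in a TargetInfo AV_PAIR list.
 * Returns 1 and stores the value in *flags if the pair is present,
 *         0 if the list is well formed but carries no MsvAvFlags,
 *        -1 if a length is wrong or the MsvAvEOL terminator is missing.
 */
int find_msv_av_flags(const uint8_t *ti, size_t len, uint32_t *flags)
{
    size_t off = 0;
    int found = 0;

    while (len - off >= 4) {
        uint16_t id = rd16(ti + off);
        uint16_t avlen = rd16(ti + off + 2);
        off += 4;
        if (avlen > len - off) return -1;      /* value runs past the buffer */
        if (id == MSV_AV_EOL) return avlen == 0 ? found : -1;
        if (id == MSV_AV_FLAGS) {
            if (avlen != 4) return -1;         /* MsvAvFlags is a 32-bit value */
            *flags = rd32(ti + off);
            found = 1;
        }
        off += avlen;
    }
    return -1;                                 /* ran out of data before MsvAvEOL */
}

/* Constructed sample: MsvAvNbDomainName "D", MsvAvFlags = 0, MsvAvEOL. */
const uint8_t sample_with_flags[] = {
    0x02,0x00, 0x02,0x00, 'D',0x00,
    0x06,0x00, 0x04,0x00, 0x00,0x00,0x00,0x00,
    0x00,0x00, 0x00,0x00 };
/* Constructed sample: the same list with the MsvAvFlags pair left out. */
const uint8_t sample_without_flags[] = {
    0x02,0x00, 0x02,0x00, 'D',0x00,  0x00,0x00, 0x00,0x00 };
```

Running this over the TargetInfo bytes of a captured CHALLENGE message shows which of the two forms the server actually sent.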