NTLM auth does not work with SQUID proxy server

[pmcenery]

NTLM authentication fails with SQUID proxy server. In the password file, I have tried both DOMAIN\username, and username on its own, but both produce the same result.

Attached is a log of the failure. I have version 2.2.0, but 2.2.1 does not appear to have any changes listed for any NTLM functionality.

Happy to provide any assistance. I can probably set up a server to test against if anyone wants to look at this issue seriously...

[pmcenery]

Log Output

[pmcenery]

If you have to use a SQUID proxy server with NTLM, then I'd recommend that you use a dedicated proxy client which is known to work - such as Cntlm (​http://cntlm.sourceforge.net/).

[cn]

patch to fix this issue

[cn]

Hi,

i also stumbled over this issue and found the bug:

The problem is located in the file proxy.c within "establish_http_proxy_passthru": To keep buffers small long base64-encoded NTLM-Strings are truncated.

But the truncating is done on a wrong place:
base 64 strings can be cut every 4 chars. the buffer is 128 bytes - including the terminating \0, so the usable data is only 127 bytes. And decoding a 127 char base64 string fails... this is why the ntlm authentication fails in certain cases (long strings)...

I've also attached a patch that resolves this issue.

bye,

chris

[Gert Döring]

taking this. thanks for the patch, and sorry for stalling.

patch will go into 2.3.0 and master (-devel)

[Gert Döring]

fix committed to master and release/2.3

commit f8ac53b98ed2513f1d80363b6fd2351f1b4ae511 (master)
commit 55058d4f96dfec96e9f0cad7802a5eaaf9a3301f (release/2.3)