lgcosta/go-ntlm
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix issue where NTLMv1 with extended session security would always authenticate with any password

Browse Source
This commit is contained in:
Conor Hunt
2013-07-23 14:55:12 -05:00
parent a11b8727db
commit e3fb7332f7
2 changed files with 34 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
ntlm/ntlmv1.go
View File

@@ -205,7 +205,11 @@ func (n *V1ServerSession) ProcessAuthenticateMessage(am *messages.Authenticate)
}
if !bytes.Equal(am.NtChallengeResponseFields.Payload, n.ntChallengeResponse) {
if !bytes.Equal(am.LmChallengeResponse.Payload, n.lmChallengeResponse) {
// There is a bug with the steps in MS-NLMP. In section 3.2.5.1.2 it says you should fall through
// to compare the lmChallengeResponse if the ntChallengeRepsonse fails, but with extended session security
// this would *always* pass because the lmChallengeResponse and expectedLmChallengeRepsonse will always
// be the same
if !bytes.Equal(am.LmChallengeResponse.Payload, n.lmChallengeResponse) || messages.NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY.IsSet(n.NegotiateFlags) {
return errors.New("Could not authenticate")
}
}