Merge pull request #86 from e9hack/fix_and_improve_NTLM_authentication

Fix and improve ntlm authentication
2026-01-23 02:34:59 +00:00 · 2024-11-29 15:17:15 +01:00 · 2024-11-29 15:17:15 +01:00 · 92bec14931
commit 92bec14931
parent 8b2661ecd7 b6daf27b8f
4 changed files with 73 additions and 16 deletions
--- a/7
+++ b/7
@ -20,6 +20,13 @@ OPTFLAGS += -DSETPROCTITLE -DSPT_TYPE=2
 # System dependant blocks... if your system is listed below, uncomment
 # the relevant lines

+# MSYS
+# The current version of gcc from MSYS defines __MSYS__ and __CYGWIN__.
+# To avoid to change the code, simply define CYGWIN additionally. 
+ifneq ($(filter $(MSYSTEM),MSYS MINGW32 MINGW64 UCRT64),)
+CFLAGS += -DCYGWIN
+endif
+
 # OpenBSD
 #OPTFLAGS += -DHAVE_SYS_PSTAT_H

--- a/buildwin.sh
+++ b/buildwin.sh
@ -4,13 +4,13 @@ echo "Build docs..."
 make -C docs

 echo "Build proxytunnel..."
-make -f Makefile.ssl11
-
-echo "Copy msys/openssl dll to build dir..."
-cp  /usr/bin/msys-2.0.dll /usr/bin/msys-crypto-1.1.dll /usr/bin/msys-ssl-1.1.dll /usr/bin/msys-z.dll .
+make -f Makefile
+strip -s proxytunnel.exe

 echo "Generate proxytunnel.zip with docs, exe and msys/openssl dll..."
-zip proxytunnel.zip proxytunnel.exe *.dll docs/proxytunnel.1 docs/proxytunnel.1.html docs/proxytunnel-paper.html
+zip proxytunnel.zip proxytunnel.exe docs/proxytunnel.1 docs/proxytunnel.1.html docs/proxytunnel-paper.html
+DLLS="$(ldd proxytunnel.exe | grep msys.*\.dll | awk '{print $3}' | xargs) /usr/lib/ossl-modules/legacy.dll"
+zip proxytunnel.zip -j $DLLS 

 if [ ! -z "${TRAVIS_TAG}" ]; then 
 echo "Deploy proxytunnel.zip to github release tag:${TRAVIS_TAG}..."
--- a/http.c
+++ b/http.c
@ -37,17 +37,16 @@
 * header
 */
 void analyze_HTTP(PTSTREAM *pts) {
-	char *p = strtok( buf, " ");
+	char *p;

 	/* Strip html error pages for faulty proxies (Stephane Engel <steph[at]macchiati.org>) */
-	while (strncmp( p, "HTTP/", 5) != 0 ) {
-		if ( readline(pts) ) {
-			p = strtok( buf, " ");
-		} else {
+	do {
+		if (readline(pts) <= 0) {
 			message( "analyze_HTTP: readline failed: Connection closed by remote host\n" );
 			exit(2);
 		}
-	}
+		p = strtok( buf, " \t");
+	} while (strncmp( p, "HTTP/", 5) != 0 );

 	if (strcmp( p, "HTTP/1.0" ) != 0 && strcmp( p, "HTTP/1.1" ) != 0) {
 		message( "Unsupported HTTP version number %s\n", p );
@ -117,6 +116,7 @@ void proxy_protocol(PTSTREAM *pts) {
 		if (args_info.ntlm_flag) {
 			if (ntlm_challenge == 1) {
 				build_type3_response();
+				ntlm_challenge = 2;
 				strzcat( buf, "Proxy-Authorization: NTLM %s\r\n", ntlm_type3_buf );
 			} else if (ntlm_challenge == 0) {
 				strzcat( buf, "Proxy-Authorization: NTLM %s\r\n", ntlm_type1_buf );
@ -157,7 +157,7 @@ void proxy_protocol(PTSTREAM *pts) {
 	/* Read the first line of the response and analyze it */
 	analyze_HTTP(pts);

-	if (args_info.remproxy_given ) {
+	if (ntlm_challenge < 3 && args_info.remproxy_given ) {
 		/* Clean buffer for next analysis */
 		while ( strcmp( buf, "\r\n" ) != 0 )
 			readline(pts);
@ -209,8 +209,8 @@ void proxy_protocol(PTSTREAM *pts) {
 	 * Then, repeat reading lines of the responses until a blank line
 	 * (which signifies the end of the response) is encountered.
 	 */
-	if (ntlm_challenge == 1) {
-		ntlm_challenge = 2;
+	if (ntlm_challenge == 2) {
+		ntlm_challenge = 3;
 	} else {
 		do {
 			readline(pts);
--- a/ntlm.c
+++ b/ntlm.c
@ -29,6 +29,9 @@
 #include <ctype.h>
 #include <sys/time.h>
 #if OPENSSL_VERSION_NUMBER >= 0x30000000L
+	#ifdef CYGWIN
+		#include <unistd.h>
+	#endif
 	#include <openssl/provider.h>
 	#include <openssl/evp.h>
 #else
@ -71,8 +74,55 @@ unsigned char lm2digest[LM2_DIGEST_LEN];

 void init_ntlm() {
 #if OPENSSL_VERSION_NUMBER >= 0x30000000L
-	OSSL_PROVIDER_load(NULL, "default");
-	OSSL_PROVIDER_load(NULL, "legacy");
+	OSSL_PROVIDER *provider;
+	provider = OSSL_PROVIDER_load(NULL, "default");
+	if (!provider) {
+		my_perror("Loading default provider failed");
+		exit(1);
+	}
+	provider = OSSL_PROVIDER_load(NULL, "legacy");
+#ifdef CYGWIN
+	if (!provider) {
+		// available at msys and git for windows
+		// the msys version has an additional dependency on libcrypto-3-x64.dll
+		provider = OSSL_PROVIDER_load(NULL, "/mingw64/lib/ossl-modules/legacy.dll");
+	}
+	if (!provider) {
+		// available at msys (without dependency on libcrypto-3-x64.dll)
+		provider = OSSL_PROVIDER_load(NULL, "/usr/lib/ossl-modules/legacy.dll");
+	}
+	if (!provider) {
+		// default installation path for additional tools
+		provider = OSSL_PROVIDER_load(NULL, "/usr/local/bin/legacy.dll");
+	}
+	if (!provider) {
+		// directory of proxytunnel itself
+		const char *p = strrchr(program_name, '/');
+		if (p) {
+			const int len = p - program_name;
+			char *tmp = (char*)alloca(len + sizeof("/legacy.dll"));
+			memcpy(tmp, program_name, len);
+			strcpy(tmp + len, "/legacy.dll");
+			provider = OSSL_PROVIDER_load(NULL, tmp);
+		}
+	}
+	if (!provider) {
+		// current working directory
+		char *cwd = getcwd(NULL, 0);
+		if (cwd) {
+			const int len = strlen(cwd);
+			char *tmp = (char*)alloca(len + sizeof("/legacy.dll"));
+			memcpy(tmp, cwd, len);
+			free(cwd);
+			strcpy(tmp + len, "/legacy.dll");
+			provider = OSSL_PROVIDER_load(NULL, tmp);
+		}
+	}	
+#endif
+	if (!provider) {
+		my_perror("Loading legacy provider failed");
+		exit(1);
+	}
 	md4alg = EVP_md4();
 	md5alg = EVP_md5();
 	mdctx = EVP_MD_CTX_new();