Package: libsasl2-modules
Version: 2.1.27+dfsg-1+deb10u1
Severity: wishlist
Tags: patch

The NTLM plugin defaults to the less-secure v1 of the protocol, does not
support a way for clients to override this default (this is tracked upstream
as https://github.com/cyrusimap/cyrus-sasl/issues/574), and will not even
attempt v2 if v1 fails (e.g., due to it being disabled server-side).

As a workaround until a better fix is available, I've applied the attached
patch (which is a variation on the proof of concept at
https://access.redhat.com/solutions/4253821). Since in this day and age
it makes more sense to prefer NTLMv2 (if NTLM is to be used at all),
I'm submitting it for the maintainers' consideration.
Default to ntlm_v2=yes.

See https://github.com/cyrusimap/cyrus-sasl/issues/574 and
https://bugzilla.redhat.com/show_bug.cgi?id=1722159

We definitely should prefer NTLMv2 over v1.
--- a/plugins/ntlm.c
+++ b/plugins/ntlm.c
@@ -1993,7 +1993,7 @@
     unsigned char hash[NTLM_HASH_LENGTH];
     unsigned char resp[NTLM_RESP_LENGTH], *lm_resp = NULL, *nt_resp = NULL;
     int result;
-    const char *sendv2;
+    const char *sendv2 = NULL;
 
     if (!serverin || serverinlen < NTLM_TYPE2_MINSIZE ||
 	memcmp(serverin, NTLM_SIGNATURE, sizeof(NTLM_SIGNATURE)) ||
@@ -2065,7 +2065,7 @@
     /* should we send a NTLMv2 response? */
     params->utils->getopt(params->utils->getopt_context,
 			  "NTLM", "ntlm_v2", &sendv2, NULL);
-    if (sendv2 &&
+    if (!sendv2 ||
 	(sendv2[0] == '1' || sendv2[0] == 'y' ||
 	 (sendv2[0] == 'o' && sendv2[1] == 'n') || sendv2[0] == 't')) {
 

Reply via email to