RE: Request to review the code changes for NTLMv2 Support in Curl
Date: Sat, 25 Jan 2014 23:35:06 +0100 (CET)
On Sat, 25 Jan 2014, Steve Holme wrote:
> I have these patches in a local branch here and am ready to apply them after
> the pending release - unless anyone else has any other comments. Note: I
> would recommend we combine some of the first 6 patches into a single patch
> as I don't think there is any need to show the copyright, and other minor
> corrections as separate commits but I wanted to list them individually here
> so everyone can see the differences.
Thanks for grabbing the ball. I've glanced over your patches and they look
fine and since I know you've looked at them at least slightly closer than me
I'm confident enough they are in a good enough shape to get merged for
testing pretty much immediately after 7.35.0.
> Option 1:
> Update the generated Type 3 message in the existing test harnesses to
> contain the extra NTLMv2 information.
As long as we know the updated stuff also works fine with NTLMv1 servers I
think this is fine. But...
> a) Add support for USE_NTLM_V2 so that developers can turn v2 support on or
... I think there may be reasons to allow applications at least to select
NTLMv2 only. The reason for this being that NTLM is deemed insecure, or at
least less secure than NTLMv2. For Firefox there's a discussion about
disabling NTLMv1 completely:
> b) Add "NTLMv2" as a string in the curl features list - as displayed with
> "curl --version"
But will there be any version/build of libcurl that supports NTLM but not
NTLMv2 once we add this support?
> As a timestamp is included in the NTLMv2 information - the code will need a
> minor tweak so that this timestamp is consistent in DEBUG builds and doesn't
> vary - similar to what I have done with the MD5-DIGEST tests  for IMAP,
> POP3 and SMTP. This will mean that the same timestamp is used under debug
> builds so that the message generation is consistent.
Right, we already add the hostname in NTLM using that method so doing it for
yet another field shouldn't be a biggie.
-- / daniel.haxx.se ------------------------------------------------------------------- List admin: http://cool.haxx.se/list/listinfo/curl-library Etiquette: http://curl.haxx.se/mail/etiquette.htmlReceived on 2014-01-25