Problem when receiving NTLM-Challenge without version field

[Supernaibaf]

Hello,

In our .NET8 project we're having issues reaching different external addresses over our http proxy. The problem occurs when trying to restore the NuGet packages and also when we make a call with the HttpClient within the application. In both cases the call leads to the following exception, even though the username and password for the NTLM-authentication have been set correctly:

System.Net.Http.HttpRequestException: The proxy tunnel request to proxy 'http://<proxy-url>:8080/' failed with status code '407'."

The NuGet restore is performed within a mcr.microsoft.com/dotnet/sdk:8.0 docker image. The other HttpClient-Calls are done within a mcr.microsoft.com/dotnet/aspnet:8.0 docker image. In both containers we installed gss-ntlmssp.

When I enabled all .NET-EventSources and printed the events to the console I could see that the NTLM authentication to the proxy is started but after receiving the NTLM-Challenge from the proxy it seems like the authentication is canceled.

For me it looks like the challenge that we receive from the proxy (e.g. TlRMTVNTUAACAAAAAAAAAAAAAAAFgomge0p1qcyBxogAAAAAAAAAAAAAAAAAAAAA) does not contain the version field from the NTLM specification. I assume that gss-ntlmssp can then not parse it which then leads to .NET cancelling the authentication and throwing the exception. I also see the following error multiple times when enabling the debug output for gss-ntlmssp:

[1744204851] ERROR: gssntlm_init_sec_context() @ src/gss_sec_ctx.c:277 [589824:1314127873]

Interestingly, this issue does not occur, when we use a .NET6 docker image. I guess it's because a different version of gss-ntlmssp is installed on the .NET6 images (0.7.0-4) than on the .NET8 images (1.2.0-1).

If my assumption of the missing version field is correct, is this something that gss-ntlmssp should support or should this issue be fixed in the proxy?

[simo5]

This is a challenge packet, and GSS-NTLMSSP already is compatible with challenge packets that do not send a version field, however I think this packet is missing TragetName Fields (the first field after the packet type, but before the negotiate flags ...)
The spec says this field could be omitted, if it is not negotiated, but we do not handle this case correctly in gss-ntlmssp.

[simo5]

Note I do not have a lot of time to react to this bug quickly, but I could guide someone to create a patch (it is not the simplest part of the code unfortunately) if this is somewhat urgent.

[Supernaibaf]

Yeah, you probably know better than me which part of the challenge packet causes the problem.
Fortunately, we were able to whitelist the domains we needed on the proxy. So calls to these domains currently do not require authentication. However, this should only be a temporary solution and a fix in the near future would be nice.