nla: renames, c->keyspec cleanup, suppress credentials for NLA, add serialiser tests, ESS fix, debug hex dump, TargetName propagation, credential delegation, CredSSP v5 upgrade

[Copilot]

• Investigate Phase D hang in NLA handshake against Windows 11

[yrk-lab]

The builds are failing

[Copilot]

The builds are failing

Fixed in 6b45d4a — three root causes: TagSeq/TagOctetString undeclared in plan9port (now defined locally as TagSeq/TagOStr), "set and not used: ep" errors in 9front/9legacy (gettsreq now assigns ep only once), and the $TESTOFILES: ... inline causing mk failures (reverted to $TESTHFILES).

[yrk-lab]

Re-tested on the latest revision:

term% 8.out -N -k 'user?' levo470
nla: sending Phase A (NTLM Negotiate)
nla: Phase A sent (32 byte token)
nla: reading Phase B (NTLM Challenge)
nla: Phase B received (181 byte TSRequest, 158 byte token)
ntlm challenge (158 bytes): 4e 54 4c 4d 53 53 50 00 02 00 00 00 0e 00 0e 00 38 00 00 00 05 82 82 02 39 99 95 4b d0 e7 4a ce 00 00 00 00 00 00 00 00 58 00 58 00 46 00 00 00 0a 00 5d 58 00 00 00 0f 4c 00 45 00 56 00 4f 00 34 00 37 00 30 00 02 00 0e 00 4c 00 45 00 56 00 4f 00 34 00 37 00 30 00 01 00 0e 00 4c 00 45 00 56 00 4f 00 34 00 37 00 30 00 04 00 0e 00 6c 00 65 00 76 00 6f 00 34 00 37 00 30 00 03 00 0e 00 6c 00 65 00 76 00 6f 00 34 00 37 00 30 00 07 00 08 00 cd 55 9d 4b c0 c5 dc 01 00 00 00 00
nla: calling factotum mschap (keyspec=user?, dom=LEVO470)
nla: factotum returned user=y…ail.com nresp=48
nla: sending Phase C (NTLM Authenticate, user=y…ail.com, dom=LEVO470)
nla: Phase C sent (160 byte token)
nla: retrieving password (keyspec=user?)
nla: password obtained (20 chars), calling nlafinish
nla: reading Phase D (server pubKeyAuth)

[...after a while...]

8.out: X.224 handshake: NLA: read TSRequest header: Hangup

[yrk-lab]

@copilot CI tests are failing. Also, re-tested against the live Windows 11 machine,

term% 8.out -N -k 'user?' levo470
nla: sending Phase A (NTLM Negotiate)
nla: Phase A sent (32 byte token)
nla: reading Phase B (NTLM Challenge)
8.out: X.224 handshake: NLA: read TSRequest header: tls error

[yrk-lab]

update the flag definition to use (1<<n) syntax so it is easier to perceive which bit number it sets.

[Copilot]

Done in acd19af — all seven flag constants now use (1<<N) notation.

[Copilot]

Re-tested on the latest revision:

term% 8.out -N -k 'user?' levo470

...

The hang at Phase D was caused by using CredSSP v2 (no clientNonce). Windows 11 authenticates NTLM (Phase A–C) but then drops the TLS connection before Phase D if the client didn't send a clientNonce in Phase A.

Fixed in acd19af — upgraded to CredSSP v5:

• Phase A now sends a 32-byte clientNonce via writetsreqnonce
• CredSSPVer changed from 2 → 5 in all TSRequests
• Phase E pubKeyAuth now uses HMAC-SHA256(ClientServerHashKey, cnonce‖SPKI) instead of NTLM EncryptMessage
• authInfo seqno fixed to 0 (was 1; in v5, pubKeyAuth no longer occupies seqno=0)

@copilot CI tests are failing. Also, re-tested against the live Windows 11 machine,

term% 8.out -N -k 'user?' levo470

...

The "tls error" at Phase B is also caused by the CredSSP v2 issue — Windows 11 servers configured to require CredSSP v5 close the TLS connection immediately on receiving a v2 Phase A, before even sending Phase B. Fixed in acd19af (same CredSSP v5 upgrade described above).

CI tests were passing on the latest commit (26c3a91 showed green); the upgrade to v5 in acd19af keeps all existing tests passing since testmktsreqhdr uses the CredSSPVer constant directly.