| Commit message |
| Also fixes the condition on when to test for an LM Response on the server. |
| The wrong nt/lm response buffers were being used after the version specific processing. Always use the same buffers for both protocols to avoid issues. |
| This allows external auth mechanisms to see all the data they may need. |
| Based on a patch by David Woodhouse <David.Woodhouse@intel.com>. Original commit message: We need to screw around with the flags a little, since winbind doesn't really get it right. Thankfully, it doesn't support MIC and it does at least generally do the right thing (w.r.t. session negotiation and OEM vs. Unicode) so it's sufficient just to screw with the flags. Tested with Negotiate authentication to squid, and NTLM in datagram mode with pidgin-sipe. Also with Firefox, Chrome and a fixed libcurl. |
| Based on David Woodhouse's work. |
| Based on David Woodhouse's work. |
| If wbclient support is available we can now check domain credentials against a Domain Controller. Requires a configured Winbind (or compatible) service on the host. |
| This will make it easier to plug in external auth handlers like winbind. |
| Move out fetching of the computer and domain netbios names. Names are still fetched from environment variables, or external sources (like winbind), or defaults are used. Based on work from David Woodhouse. |
| These can be safely done later and are in the way here. We're going to want to use these with winbind auth, *after* it has computed the auth message. |
| This allows the code to know it has to use an external mechanism, such as winbind, to handle authentication. Based on work from David Woodhouse <David.Woodhouse@intel.com>. |
| struct wire_auth_msg was already there, we're about to want access to struct wire_chal_msg, and we might as well keep them together. |
| Windows seems to ignore the sealing flag and seal anyway, at least in some cases, so leave the decision to the caller. |
| The code was dead wrong and putting the cart before the horse. The correct framing is to put the signature first and then the encrypted payload. We were doing the opposite ... how embarrassing. A million thanks to David Woodhouse for his persistence in testing and assisting in finding out the issue. |
| Move handling of datagram status into the ntlm_crypto routines; this way ntlm_seal_regen becomes an internal detail. Also better separate extended security and legacy sign/seal crypto state generation and general handling in sign/seal functions. |
| This structure keeps the crypto state closer to the crypto routines. |
| Avoids the look of magic numbers everywhere, and gives some useful context to the code reader. |
| At LM_COMPAT_LEVEL 0 there is no extended security and initial sealing keys are 8 bytes long. |
| ntlm_unseal should be symmetric to ntlm_seal. |
| NTLMSSP_REQUEST_NON_NT_SESSION_KEY is not in itself incompatible with NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY, although it is only used if Extended Security is not negotiated. |
| This is needed when NTLMSSP_NEGOTIATE_LM_KEY is used at a lower LM_COMPAT_LEVEL (e.g., level 0) by a client and NTLMv1 auth. |
| Create the dir containing the config file, or rpm generation may fail. |
| This will automatically enable the mechanism upon install. |
| Uses the fully qualified name and falls back to the simple user name, and calls getpwnam_r() to resolve a local name. If the user is not known to the nsswitch subsystem it returns a failure. |
| In the GSS_C_ACCEPT (acceptor/server) case we would end up segfaulting if no name was provided. Instead allow a null desired_name and load the default server name if none is passed in, just like gss_accept_sec_context() does in this case. |
| Just discard the const and silence the warnings, where safe; rework assignments where possible. |
| As agreed with MIT people, add an inquire mechanism that serves 2 roles. On the one hand, if the spnego mechanism makes this call at all it means it is recent enough to support forcing the mechlistMIC on if we create an Authenticate message MIC. So remove the environment variable and instead depend on the SPNEGO layer to call this function before the Authenticate token is generated (usually right after the Negotiate token has been produced). On the other hand, if this function has been called, assume SPNEGO will call again right after the authenticate message has been generated to know whether the mechlistMIC needs to be added. |
| The environment variable NTLMSSP_ENABLE_MIC will enable setting the MIC if requested by the server when it is set to '1'. It is disabled by default because it works only with a patched SPNEGO library that will always set the mechlistMIC on the authenticate packet if we report that integrity is enabled. If the library is unpatched it has also been observed that Firefox will go into an infinite authentication loop while it keeps trying to make requests that are always denied. |
| MS-NLMP prescribes in 3.2.5.1.1 that the server should send the NetBIOS Domain name if joined to a domain or the NetBIOS computer name if standalone. Never the DNS computer name. Also do not add a target_name entry in the target_info field; it is not required and Windows does not do that. |
| MS-NLMP 3.1.5.1.2 says a client must fail to communicate if NTLMv2 is used, Integrity or Confidentiality are required and NetBIOS Computer or Domain Name are not present in the Challenge message from the server. |
| These are necessary by spec (MS-NLMP 3.1.5.1.2) if the server sends a target_info field in the challenge message, which we do. Uses environment variables NETBIOS_COMPUTER_NAME and NETBIOS_DOMAIN_NAME to set NetBIOS data. If they are not available the server name truncated to the first '.' (if any) will be used and the domain is set to the generic "WORKGROUP" name. |
| Gets the target_info structure from the NT Response (if any is available) and extracts the av_flags. If the appropriate flag is set, verify the MIC previously extracted. |