| Commit message (Collapse) | Author | Age | Files | Lines |
Target_info can be optional, but it conflicts with channel bindings being
requested.
This re-encodes the target_info structure at the client side, adding
additional provisions of MS-NLMP 3.1.5.2.1.
That is:
- generate indication that a MIC is requested by the server
- add ClientSuppliedTargetName data
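An added worked example, in Python, of the re-encoding step this commit describes (this is not code from gss-ntlmssp or from the commit itself): it parses a CHALLENGE_MESSAGE TargetInfo into AV_PAIRs, sets the MIC-present bit (0x2) in MsvAvFlags, adding the pair if the server sent none, appends an MsvAvTargetName with a client-supplied target name, and re-terminates the list with MsvAvEOL. The AvId and flag values are those of MS-NLMP 2.2.2.1; the sample server TargetInfo and the target name string are constructed for the example.

```python
import struct

# AV_PAIR AvId values from MS-NLMP 2.2.2.1 and the MsvAvFlags bit meaning
# "a MIC is present in the AUTHENTICATE message".
MSV_AV_EOL = 0x0000
MSV_AV_NB_COMPUTER_NAME = 0x0001
MSV_AV_NB_DOMAIN_NAME = 0x0002
MSV_AV_FLAGS = 0x0006
MSV_AV_TIMESTAMP = 0x0007
MSV_AV_TARGET_NAME = 0x0009
MSV_AV_FLAG_MIC_PRESENT = 0x00000002


def parse_av_pairs(blob):
    """Decode a target_info blob into an ordered list of (AvId, value).
    The terminating MsvAvEOL pair must be present; it is consumed but not
    returned. Truncated or malformed input raises ValueError."""
    pairs = []
    off = 0
    while True:
        if off + 4 > len(blob):
            raise ValueError("target_info truncated before MsvAvEOL")
        av_id, av_len = struct.unpack_from("<HH", blob, off)
        off += 4
        if av_id == MSV_AV_EOL:
            if av_len != 0:
                raise ValueError("MsvAvEOL must have AvLen 0")
            return pairs
        if off + av_len > len(blob):
            raise ValueError("AV_PAIR value runs past end of target_info")
        pairs.append((av_id, bytes(blob[off:off + av_len])))
        off += av_len


def encode_av_pairs(pairs):
    """Encode (AvId, value) tuples as AV_PAIRs and append MsvAvEOL."""
    out = bytearray()
    for av_id, value in pairs:
        out += struct.pack("<HH", av_id, len(value)) + value
    out += struct.pack("<HH", MSV_AV_EOL, 0)
    return bytes(out)


def client_target_info(server_target_info, client_supplied_target_name):
    """Re-encode the server's target_info for the client's NTLMv2 response:
    OR the MIC-present bit into MsvAvFlags (adding the pair when the server
    sent none) and add MsvAvTargetName with the client-supplied target name,
    replacing any MsvAvTargetName the server included. All other pairs are
    kept in their original order so the server can match what it sent."""
    flags = 0
    kept = []
    for av_id, value in parse_av_pairs(server_target_info):
        if av_id == MSV_AV_FLAGS:
            if len(value) != 4:
                raise ValueError("MsvAvFlags value must be 4 bytes")
            flags |= struct.unpack("<I", value)[0]
        elif av_id == MSV_AV_TARGET_NAME:
            continue
        else:
            kept.append((av_id, value))
    kept.append((MSV_AV_FLAGS,
                 struct.pack("<I", flags | MSV_AV_FLAG_MIC_PRESENT)))
    kept.append((MSV_AV_TARGET_NAME,
                 client_supplied_target_name.encode("utf-16-le")))
    return encode_av_pairs(kept)


def av_flags(target_info):
    """Return the MsvAvFlags value of a target_info blob (0 when absent)."""
    for av_id, value in parse_av_pairs(target_info):
        if av_id == MSV_AV_FLAGS:
            return struct.unpack("<I", value)[0]
    return 0


def av_target_name(target_info):
    """Return the MsvAvTargetName string of a target_info blob, or None."""
    for av_id, value in parse_av_pairs(target_info):
        if av_id == MSV_AV_TARGET_NAME:
            return value.decode("utf-16-le")
    return None


# Constructed sample of what a server might put in CHALLENGE_MESSAGE.TargetInfo
# (names and timestamp are placeholders, not captured traffic).
SAMPLE_SERVER_TARGET_INFO = encode_av_pairs([
    (MSV_AV_NB_DOMAIN_NAME, "EXAMPLE".encode("utf-16-le")),
    (MSV_AV_NB_COMPUTER_NAME, "SRV01".encode("utf-16-le")),
    (MSV_AV_TIMESTAMP, bytes(8)),
])
```

Running `client_target_info(SAMPLE_SERVER_TARGET_INFO, "HTTP/srv01.example.com")` yields a blob whose MsvAvFlags has bit 0x2 set and whose last pair before MsvAvEOL is the target name; applying it a second time does not add a second MsvAvFlags pair.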
This is useful for using test vectors w/o altering them.
The calculation was right but some unnecessary assignments were left
from a previous version.
Also make the length computation more obvious.
wire_lm_response is just the same thing as wire_ntlm_response, the
only difference is how cli_chal is defined but it is not important
from a usage point of view.
It is never and should never be touched so const char * is better.
If the client allows only 128bit security but the server does not offer
it, then fail the authentication.
If a server sends a target_info field in a challenge message it means
it does not need nor want an LM Response.
See also MS-NLMP 3.1.5.1.2
The authenticate message must always send the lm_chalresp and nt_chalresp
fields in the header but they will be simply zero length, yet the payload
pointer must point to the valid payload area. (Windows servers fail
authentication if the LM Response buffer offset is zero).
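As an added illustration (not gss-ntlmssp code), a Python builder for the AUTHENTICATE_MESSAGE layout this commit describes: when the challenge carried a TargetInfo the LM response is sent with Len 0, but its BufferOffset still points into the payload area, and a server-style checker reports a zero offset as the failure a Windows server would produce. The field layout follows MS-NLMP 2.2.1.3 with the Version and MIC fields present (an 88-byte fixed header); the response bytes, names and flag value are constructed placeholders, not real credentials.

```python
import struct

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
AUTHENTICATE_MESSAGE = 0x00000003
# Fixed part of AUTHENTICATE_MESSAGE when both Version (8 bytes) and MIC
# (16 bytes) are present: Signature 8 + MessageType 4 + six 8-byte field
# descriptors (Len, MaxLen, BufferOffset) + NegotiateFlags 4 + Version 8
# + MIC 16 = 88 bytes. The payload starts right after it.
AUTH_HEADER_LEN = 88
FIELDS_OFFSET = 12  # LmChallengeResponseFields is the first descriptor
FIELD_NAMES = ("LmChallengeResponse", "NtChallengeResponse", "DomainName",
               "UserName", "Workstation", "EncryptedRandomSessionKey")


def lm_response_for_challenge(challenge_target_info, computed_lm_chalresp):
    """A CHALLENGE_MESSAGE that carries TargetInfo tells the client the
    server neither needs nor wants an LM response: send an empty one."""
    return b"" if challenge_target_info else computed_lm_chalresp


def build_authenticate(lm_chalresp, nt_chalresp, domain, user, workstation,
                       session_key, flags, version=bytes(8), mic=bytes(16)):
    """Build an AUTHENTICATE_MESSAGE. Every field descriptor, including a
    zero-length one, gets a BufferOffset inside the payload area; only Len
    and MaxLen say that the buffer is empty."""
    items = [lm_chalresp, nt_chalresp, domain.encode("utf-16-le"),
             user.encode("utf-16-le"), workstation.encode("utf-16-le"),
             session_key]
    descriptors = bytearray()
    payload = bytearray()
    for item in items:
        descriptors += struct.pack("<HHI", len(item), len(item),
                                   AUTH_HEADER_LEN + len(payload))
        payload += item
    header = (NTLMSSP_SIGNATURE + struct.pack("<I", AUTHENTICATE_MESSAGE)
              + bytes(descriptors) + struct.pack("<I", flags) + version + mic)
    if len(header) != AUTH_HEADER_LEN:
        raise AssertionError("fixed header layout mismatch")
    return header + bytes(payload)


def field_descriptor(msg, index):
    """Return (Len, MaxLen, BufferOffset) of the index-th payload field."""
    return struct.unpack_from("<HHI", msg, FIELDS_OFFSET + 8 * index)


def validate_authenticate(msg):
    """Check an AUTHENTICATE_MESSAGE the way a strict server would and return
    a list of problems (empty when the layout is acceptable). Assumes the
    88-byte fixed header that build_authenticate produces."""
    if len(msg) < AUTH_HEADER_LEN:
        return ["message shorter than the fixed header"]
    problems = []
    if msg[:8] != NTLMSSP_SIGNATURE:
        problems.append("bad NTLMSSP signature")
    if struct.unpack_from("<I", msg, 8)[0] != AUTHENTICATE_MESSAGE:
        problems.append("MessageType is not AUTHENTICATE_MESSAGE")
    for i, name in enumerate(FIELD_NAMES):
        length, max_length, offset = field_descriptor(msg, i)
        if offset == 0:
            problems.append(name + ": BufferOffset is 0")
        elif offset < AUTH_HEADER_LEN or offset + length > len(msg):
            problems.append(name + ": buffer lies outside the payload area")
        if max_length < length:
            problems.append(name + ": MaxLen smaller than Len")
    return problems


# Constructed placeholders standing in for real computed responses.
SAMPLE_LM_CHALRESP = b"\xaa" * 24
SAMPLE_NT_CHALRESP = b"\xbb" * 40
SAMPLE_FLAGS = 0xe2088297


def sample_message(challenge_target_info):
    """Authenticate message for a challenge that did or did not carry
    TargetInfo (any non-empty bytes count as present)."""
    lm = lm_response_for_challenge(challenge_target_info, SAMPLE_LM_CHALRESP)
    return build_authenticate(lm, SAMPLE_NT_CHALRESP, "EXAMPLE", "alice",
                              "WS1", b"", SAMPLE_FLAGS)
```

With TargetInfo present the first descriptor comes out as Len 0, MaxLen 0, BufferOffset 88, and `validate_authenticate` accepts the message; zeroing those four offset bytes reproduces the rejection described above.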
MS-NLMP 3.1.5.1.1 recommends setting the extended session security flag
if LM authentication is not going to be used.
Missed that the server sets timestamp and flags.
This was preventing MICs from being generated by the client, among other
things.
The calling application may want to check what flags were actually
negotiated.
Spnego also depends on the mechanism properly returning flags when
integrity is negotiated for MIC purposes.
It was off by a factor of 10
The init context function was improperly initializing the ctx variable (too
late) when some early error conditions can happen, therefore passing to the
delete context function a random memory address it would then try to free.
This would cause a SEGFAULT in most cases.
Additionally, unfortunately iconv_close() does not follow good practices and
blindly dereferences data, even if the passed in pointer is NULL.
So add a check before calling.
Easier to use from clients this way.
The Export format version is set to 0.1
Long term keys are not exported.
This makes it much easier to export/import the crypto state.
In preparation for implementing import/export of context.
Free RC4 state if any
Free workstation string if any
Also make sure to safely zero the struct before freeing to avoid leaking any
key material.
There is no need to copy creds around, they are always available
or retrievable.
Thanks to Stefan Becker <chemobejk@gmail.com> for finding this leak.
Can't use ':' in the prefix name as ':' is the separator between prefix and
values.
Also add simple sanity check test.
Including tests to verify conformance to MS-NLMP
In connectionless mode (GSS_C_DATAGRAM_FLAG on) sealing keys
must be rotated for each message.
In NTLMSSP connectionless mode applications are supposed to provide the
sequence number, however GSSAPI's get_mic and verify_mic functions do
not allow passing an explicit sequence number.
Allow overriding the context sequence numbers using a custom OID and
implementing gss_set_sec_context_option().
Allow the operation only if the context is in connectionless mode.
This needs a new GSSAPI flag, for now grab a number and define
GSS_C_DATAGRAM_FLAG ourselves.
This contains definitions for various OIDs and flags needed to
implement non-standard features like NTLMSSP Connectionless mode.
When enterprise names are used they need to be passed with the embedded
'@' sign escaped with a '\'; when that is done the whole name is used
as the user name and the name is not split on the @ or \ characters.
These forms are now supported:
foo
    USERNAME: foo
    DOMAIN: <null>
BAR\foo
    USERNAME: foo
    DOMAIN: BAR
foo@BAR
    USERNAME: foo
    DOMAIN: BAR
foo\@bar.example.com
    USERNAME: foo\@bar.example.com
    DOMAIN: <null>
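An added example, not the project's gss_names.c code, of a parser for the name forms listed in this commit, returning (user, domain). It keeps an enterprise name whole, escape included, exactly as the table shows; rejecting an empty user or domain part and splitting at the first separator only are this example's choices, not something the commit states.

```python
def parse_ntlm_user_name(name):
    """Split a GSS_C_NT_USER_NAME style string into (user, domain).

    Rules, as in the table above:
      'foo'                  -> ('foo', None)
      'BAR\\foo'             -> ('foo', 'BAR')
      'foo@BAR'              -> ('foo', 'BAR')
      'foo\\@bar.example.com' -> ('foo\\@bar.example.com', None)
    A name containing the escape sequence '\\@' is an enterprise name and is
    used whole, never split on '@' or '\\'. Otherwise the first separator
    found decides the split. Empty user or domain parts are rejected
    (example's choice)."""
    if not name:
        raise ValueError("empty name")
    if "\\@" in name:
        # Enterprise name: the whole string is the user name, unsplit.
        return name, None
    for i, ch in enumerate(name):
        if ch == "\\":
            user, domain = name[i + 1:], name[:i]
            break
        if ch == "@":
            user, domain = name[:i], name[i + 1:]
            break
    else:
        return name, None
    if not user or not domain:
        raise ValueError("empty user or domain part in %r" % name)
    return user, domain
```

The enterprise check runs before the separator scan on purpose: a name such as `foo\@bar.example.com` contains a backslash that would otherwise be taken as a DOMAIN\user separator.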
Fix segfault in NTOWFv2. When domain is NULL it is just omitted from the
NTOWFv2 computation.
Fix segfault in accept_sec_context, just make dom_name be an empty string.
Fix also memory leaks.
Make sure to set the cred type and copy in the name.
Also add source and target names to the context.
For now works only for a standalone server with access to a password file.