Commit message | Author | Age | Files | Lines
Otherwise in some cases MIT's GSSAPI can crash after trying to inquire
a name.
For example see: https://github.com/modauthgssapi/mod_auth_gssapi/issues/34
Signed-off-by: Simo Sorce <simo@redhat.com>
Related #5
For GSS_Inquire_cred RFC 2743 specifies:
Input:
o cred_handle CREDENTIAL HANDLE -- if GSS_C_NO_CREDENTIAL
-- is specified, default initiator credentials are queried
Thanks to Isaac Boukris for the initial patch on which this one is based.
Fixes: https://fedorahosted.org/gss-ntlmssp/ticket/6
Fixes #5
An array passed as a function argument is just a cosmetic way to pass just a
pointer. Therefore sizeof(array) will only return the pointer length, not
the array length, and on 32 bit, pointers are 4 bytes long.
Fix payload calculation by passing in the known correct length instead of using
fancy sizeofs ...
OpenSSL detects at runtime the CPU type and on some 32 bit CPUs will
automatically switch to a compressed schedule for the RC4_KEY.
Don't try to be too smart and just copy all the data even if it takes
4 times the space.
The code still assumes sizeof(RC4_INT) == sizeof(uint32_t).
This allows people to put in an email address as the source name and
have it treated automatically as an enterprise name as well.
Although technically NetBIOS names can have dots it is unlikely, and the
user@domain form is generally understood to be used with UPNs and email
like addresses which use the DNS Domain Name.
The fallback case for NetBIOS domain names with a dot is to configure the
client to use the DOMAIN\user name form instead.
xgettext will helpfully include any comment which precedes the string
in the pot file to aid in translation. So put the comments with the error
numbers *before* the corresponding strings.
We really ought to be including config.h consistently...
Apparently Windows (2012 at least) refuses to authenticate if the
target_info field in the challenge message lacks the NetBIOS Domain
name.
So always set the fake nb_domain_name if not available, but do
not mark the server as a domain member in that case.
This should make error reporting a little bit better.
These macros prevent the chance of not setting minor_status appropriately.
They also hook into the tracing system, so any time an error is set, it
can be traced to exactly what function (and in which line) it was set.
If the GSSNTLMSSP_DEBUG environment variable is set to a file that
can be opened for writing, then trace information will be written to
that file whenever DEBUG macros are called in the code.
Return an error if status_type is bogus.
We can't call gss_display_status() for GSS_C_GSS_CODE because we'd loop
back to ourselves as unfortunately the GSSAPI mechanisms SPI uses the
same symbol names as the public API ...
But make sure to clear out flags once we receive the challenge packet
or we end up with both (OEM and UNICODE) flags set when we generate
the AUTH package.
Special care needs to be taken for DATAGRAM packets, as they are special.
Modern Windows OSs also completely ignore sending any of this stuff,
so just stop sending it ourselves, it's generally ignored anyway.
We never use these fields, so do not even attempt to decode them,
just ignore them completely.
Seems like some very old NTLM servers may omit the target_info field
entirely in the Challenge message, although MS-NLMP says modern clients
SHOULD send an empty target info header even when no target info is being
sent.
Allow interoperation with these old servers but always set the
target_info field when we generate Challenge packets.
A server can be standalone or domain member; improve role management
so we can autodetect which role we should assume as a server.
This is needed to find out if we are "domain joined" by way of
checking nb_domain_name, in following patches.
Domain name is really just optional, only computer name is mandatory.
Domain name can be empty if the server is not a domain member.
If we cannot source the domain name do not try to fake it up, just
leave it empty and omit it from the negotiation.
Also lower the default lm compat level to 3 for broader compatibility.
This allows NTLMv1 with no LM auth.
random_pad is always set to 0, so this change makes no difference,
however with this change we conform to MS-NLMP 3.4.4.1
In the ntlmv1 extended security case, winbindd wants a
pre-digested challenge, this is arguably a bug as Winbind has all
the data it needs to compute it by itself ... oh well, just cope.
Thanks to David Woodhouse for finding this out.
Also fixes the condition on when to test for a LM Response on the server.
The wrong nt/lm response buffers were being used after the version
specific processing. Always use the same buffers for both protocols
to avoid issues.
This allows external auth mechanisms to see all the data they may need.
Based on a patch by David Woodhouse <David.Woodhouse@intel.com>
Original commit message:
We need to screw around with the flags a little, since winbind doesn't
really get it right. Thankfully, it doesn't support MIC and it does at
least generally do the right thing (w.r.t. session negotiation and OEM
vs. Unicode) so it's sufficient just to screw with the flags.
Tested with Negotiate authentication to squid, and NTLM in datagram
mode with pidgin-sipe. Also with Firefox, Chrome and a fixed libcurl.
Based on David Woodhouse's work.
Based on David Woodhouse's work.
If wbclient support is available we can now check domain credentials
against a Domain Controller.
Requires a configured Winbind (or compatible) service on the host.
This will make it easier to plug in external auth handlers
like winbind.
Move out fetching of the computer and domain NetBIOS names.
Names are still fetched from environment variables
or external sources (like winbind), or defaults are used.
Based on work from David Woodhouse.
These can be safely done later and are in the way here.
We're going to want to use these with winbind auth, *after* it
has computed the auth message.
This allows the code to know it has to use an external mechanism,
such as winbind, to handle authentication.
Based on work from David Woodhouse <David.Woodhouse@intel.com>
struct wire_auth_msg was already there, we're about to want access to
struct wire_chal_msg, and we might as well keep them together.
Windows seems to ignore the sealing flag and seal anyway, at least
in some cases, so leave the decision to the caller.
The code was dead wrong and putting the cart before the horse.
The correct framing is to put the signature first and then the encrypted
payload; we were doing the opposite ... how embarrassing.
A million thanks to David Woodhouse for his persistence in testing and
assisting in finding out the issue.
Move handling of datagram status into the ntlm_crypto routines; this
way ntlm_seal_regen becomes an internal detail.
Also better separate extended security and legacy sign/seal crypto
state generation and general handling in sign/seal functions.