Amandeep Gautam [Mon, 9 Dec 2019 19:15:57 +0000 (11:15 -0800)]
add support for getting session key
Return session key when gssntlm_inquire_sec_context_by_oid is called
with GSS_C_INQ_SSPI_SESSION_KEY.
Simo Sorce [Tue, 17 Dec 2019 14:23:36 +0000 (09:23 -0500)]
Fix CI dependencies
Simo Sorce [Tue, 17 Dec 2019 14:14:53 +0000 (09:14 -0500)]
also on pull requests
Simo Sorce [Tue, 17 Dec 2019 14:05:17 +0000 (09:05 -0500)]
Add build CI
Simo Sorce [Wed, 11 Dec 2019 22:16:43 +0000 (17:16 -0500)]
Add Key exchange also when wanting integrity only
Key Exchange allows for improved security properties so it is always a
good idea to ask it whenever we want to perform any integrity not just
when full confidentiality is requested.
Signed-off-by: Simo Sorce <simo@redhat.com>
Simo Sorce [Wed, 11 Dec 2019 22:16:23 +0000 (17:16 -0500)]
Add new Windows version flags
Signed-off-by: Simo Sorce <simo@redhat.com>
Simo Sorce [Thu, 16 May 2019 01:03:52 +0000 (21:03 -0400)]
Return actual data for RFC5587 API
Signed-off-by: Simo Sorce <simo@redhat.com>
David Woodhouse [Mon, 14 Mar 2016 20:04:11 +0000 (20:04 +0000)]
Add gss_inquire_attrs_for_mech()
Since commit 030a4a03a ("Report inquire_attrs_For_mech mech failures") in
MIT krb5, NTLMSSP fallback within SPNEGO is no longer working. It seems
that providing a gss_inquire_attrs_for_mech() function is now mandatory.
Although it does seem that perhaps krb5 should be a little more forgiving
and just assume GSS_C_NO_OID_SET, fix it anyway.
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
Simo Sorce [Thu, 16 May 2019 01:03:36 +0000 (21:03 -0400)]
Fix strncpy warnings with recent compilers
Signed-off-by: Simo Sorce <simo@redhat.com>
Simo Sorce [Thu, 18 Apr 2019 19:35:19 +0000 (15:35 -0400)]
Release 0.8.0
Signed-off-by: Simo Sorce <simo@redhat.com>
Simo Sorce [Thu, 18 Apr 2019 19:08:20 +0000 (15:08 -0400)]
Add support to return SSF value
Signed-off-by: Simo Sorce <simo@redhat.com>
Simo Sorce [Thu, 18 Apr 2019 18:09:32 +0000 (14:09 -0400)]
Add support for RFC5801
These are the only GSS-API functions that can return a mechanism name
given an oid. These are now used by mod_auth_gssapi, so let's support
them in gssntlmssp.
Signed-off-by: Simo Sorce <simo@redhat.com>
Simo Sorce [Fri, 31 Mar 2017 21:50:12 +0000 (17:50 -0400)]
Rename and split the README file
Use markdown for neat formatting on pagure.
This file is used as the project description so add information on other
related documentation and split out the old testing information.
Signed-off-by: Simo Sorce <simo@redhat.com>
Merges #9
Simo Sorce [Mon, 20 Mar 2017 13:45:05 +0000 (09:45 -0400)]
Port some documentation into the tree
It used to be on the old fedorahosted wiki, but let's keep it as
markdown in the tree for now.
Signed-off-by: Simo Sorce <simo@redhat.com>
Simo Sorce [Wed, 29 Jun 2016 15:15:11 +0000 (11:15 -0400)]
Add compatibility with OpenSSL 1.1.0
In their continued wisdom OpenSSL developers keep breaking APIs left and right
with very poor documentation and forward/backward source compatibility.
Signed-off-by: Simo Sorce <simo@redhat.com>
Simo Sorce [Fri, 3 Jun 2016 14:31:05 +0000 (10:31 -0400)]
Release 0.7.0
Simo Sorce [Mon, 23 May 2016 14:46:13 +0000 (10:46 -0400)]
Add context extension to reset crypto state
This is needed to account for the special handling described in MS-SPNG 3.3.5.1
It instructs that the NTLMSSP crypto state needs to be reset if MIC is
performed in the SPNEGO layer.
Signed-off-by: Simo Sorce <simo@redhat.com>
Simo Sorce [Mon, 23 May 2016 15:09:37 +0000 (11:09 -0400)]
Move setting seq numbers to a separate function
In preparation to add another set function.
Signed-off-by: Simo Sorce <simo@redhat.com>
Simo Sorce [Mon, 23 May 2016 14:51:56 +0000 (10:51 -0400)]
Check that we are actually asking for a known oid
Do not treat any sec context inquiry the same, check the OID.
Signed-off-by: Simo Sorce <simo@redhat.com>
Simo Sorce [Fri, 20 May 2016 19:26:07 +0000 (15:26 -0400)]
Fix a regression in error handling
Commit fb6ffe0c50e166bf095736a051e4840bd5a5ad4f introduced a regression
in acquire_cred_from() where a processing error would be masked and a
GSS_COMPLETE status would be returned instead. This caused a credential
structure to be returned when no credentials are actually available.
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Greg Hudson <ghudson@mit.edu>
Simo Sorce [Thu, 19 Mar 2015 22:29:08 +0000 (18:29 -0400)]
Add placeholder inquire_name
Otherwise in some cases MIT's GSSAPI can crash after trying to inquire
a name.
For example see: https://github.com/modauthgssapi/mod_auth_gssapi/issues/34
Signed-off-by: Simo Sorce <simo@redhat.com>
Simo Sorce [Mon, 20 Apr 2015 03:02:09 +0000 (23:02 -0400)]
Add test for accept returning mech
Simo Sorce [Mon, 20 Apr 2015 03:02:09 +0000 (23:02 -0400)]
Return actual mech on accept context too
Related #5
Simo Sorce [Sun, 19 Apr 2015 19:26:00 +0000 (15:26 -0400)]
Fix gss_inquire_cred with no creds
For GSS_Inquire_cred RFC 2743 specifies:
Input:
o cred_handle CREDENTIAL HANDLE -- if GSS_C_NO_CREDENTIAL
-- is specified, default initiator credentials are queried
Thanks to Isaac Boukris for the initial patch on which this one is based.
Fixes: https://fedorahosted.org/gss-ntlmssp/ticket/6
Simo Sorce [Sat, 4 Apr 2015 21:10:15 +0000 (17:10 -0400)]
Add test to check actual_mech is actually returned
Simo Sorce [Sat, 4 Apr 2015 20:47:14 +0000 (16:47 -0400)]
Return the actual_mech_type when requested
Fixes #5
Simo Sorce [Fri, 20 Mar 2015 00:28:39 +0000 (20:28 -0400)]
Release 0.6.0
Simo Sorce [Fri, 20 Mar 2015 00:22:49 +0000 (20:22 -0400)]
Fix length check of nt_response
An array passed as a function argument is just a cosmetic way to pass just a
pointer. Therefore sizeof(array) will only return the pointer length, not
the array length, and on 32 bit pointers are 4 bytes long.
Fix payload calculation by passing in the known correct length instead of using
fancy sizeofs ...
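The pitfall this commit describes, shown as an added example that is not code from gss-ntlmssp: an array parameter decays to a pointer, so `sizeof` on it yields the pointer size (4 or 8) rather than the array length, and a length check built on it silently passes or fails for the wrong reason. The 24-byte `NT_RESPONSE_LEN` constant and the function names are constructed for the illustration; the fix mirrors the commit's approach of passing the known length explicitly.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed for this example: the NTLMv1 NT response is 24 bytes. */
#define NT_RESPONSE_LEN 24

/* Buggy pattern: the [NT_RESPONSE_LEN] in the parameter is purely cosmetic.
 * Inside the function nt_response is a uint8_t *, so sizeof() reports the
 * pointer size, never 24. */
size_t decayed_sizeof(const uint8_t nt_response[NT_RESPONSE_LEN])
{
    return sizeof(nt_response);
}

/* Same array, measured where it is defined: here sizeof() sees the array. */
size_t sizeof_at_definition(void)
{
    uint8_t nt_response[NT_RESPONSE_LEN] = {0};
    return sizeof(nt_response);
}

/* Calls decayed_sizeof() with a real 24-byte buffer so the two can be compared. */
size_t sizeof_after_decay(void)
{
    uint8_t nt_response[NT_RESPONSE_LEN] = {0};
    return decayed_sizeof(nt_response);
}

/* Fixed pattern: the caller passes the length it actually knows, and the
 * payload check compares against that instead of a sizeof() on a pointer. */
bool nt_response_len_ok(const uint8_t *nt_response, size_t nt_response_len)
{
    (void)nt_response;
    return nt_response_len == NT_RESPONSE_LEN;
}

/* Demonstrates the hardened check: a correctly sized buffer passes, a
 * truncated one (here 16 bytes) is rejected instead of slipping through. */
bool length_check_demo(size_t supplied_len)
{
    uint8_t nt_response[NT_RESPONSE_LEN] = {0};
    return nt_response_len_ok(nt_response, supplied_len);
}
```

On a 32-bit build `sizeof_after_decay()` returns 4 and on a 64-bit build 8; in both cases it is not 24, which is exactly why the commit replaces the `sizeof` with an explicitly passed length.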
Simo Sorce [Thu, 19 Mar 2015 23:22:04 +0000 (19:22 -0400)]
Fix error reporting in some tests
Simo Sorce [Thu, 19 Mar 2015 22:42:13 +0000 (18:42 -0400)]
Support openssl optimized 32bit RC4 key packing
Openssl detects at runtime the CPU type and on some 32 bit CPUs will
automatically switch to a compressed schedule for the RC4_KEY.
Don't try to be too smart and just copy all the data even if it takes
4 times the space.
The code still assumes sizeof(RC4_INT) == sizeof(uint32_t)
Simo Sorce [Thu, 19 Mar 2015 22:28:14 +0000 (18:28 -0400)]
Fix incorrect import of exported_session_key
Simo Sorce [Fri, 20 Feb 2015 14:55:03 +0000 (09:55 -0500)]
Use Zanata for translations
Simo Sorce [Fri, 20 Feb 2015 14:54:49 +0000 (09:54 -0500)]
Store pot file in git
Simo Sorce [Thu, 8 Jan 2015 17:34:37 +0000 (12:34 -0500)]
Fix make dist builds with automake 1.15
Do this by removing directives that we do not really depend on.
Simo Sorce [Tue, 6 Jan 2015 19:24:58 +0000 (14:24 -0500)]
Names with a . in the domain are enterprise names
This allows people to put in an email address as the source name and
have it treated automatically as an enterprise name as well.
Although technically NetBIOS names can have dots it is unlikely and the
user@domain form is generally understood to be used with UPNs and email
like addresses which use the DNS Domain Name.
The fallback case for NetBIOS domain names with a dot is to configure the
client to use the DOMAIN\user name form instead.
Simo Sorce [Wed, 13 Aug 2014 16:38:22 +0000 (12:38 -0400)]
Fix spec file (was missing lang detection)
Simo Sorce [Tue, 12 Aug 2014 13:06:52 +0000 (09:06 -0400)]
Release 0.5.0
David Woodhouse [Mon, 11 Aug 2014 09:03:13 +0000 (10:03 +0100)]
Add en_GB translation
Not much point in this at the moment but it serves as a useful example.
David Woodhouse [Mon, 11 Aug 2014 09:00:28 +0000 (10:00 +0100)]
Put comments before translatable strings
xgettext will helpfully include any comment which precedes the string
in the pot file to aid in translation. So put the comments with the error
numbers *before* the corresponding strings.
David Woodhouse [Mon, 11 Aug 2014 08:55:49 +0000 (09:55 +0100)]
Fix typos in error strings
David Woodhouse [Mon, 11 Aug 2014 08:37:25 +0000 (09:37 +0100)]
Use NLS for translating error messages in gssntlm_display_status()
David Woodhouse [Mon, 11 Aug 2014 08:37:05 +0000 (09:37 +0100)]
Add support for building with NLS
David Woodhouse [Mon, 11 Aug 2014 08:25:12 +0000 (09:25 +0100)]
Include config.h in gss_err.c, fix GNU strerror_r() code path
We really ought to be including config.h consistently...
Simo Sorce [Sun, 10 Aug 2014 20:44:58 +0000 (16:44 -0400)]
Always send NetBIOS Domain Name
Apparently Windows (2012 at least) refuses to authenticate if the
target_info field in the challenge message lacks the NetBIOS Domain
name.
So always set a fake nb_domain_name if not available, but do
not mark the server as a domain member in that case.
Simo Sorce [Sun, 10 Aug 2014 18:31:31 +0000 (14:31 -0400)]
0.5.0 - Release Candidate 2
Simo Sorce [Sun, 10 Aug 2014 18:17:00 +0000 (14:17 -0400)]
Add --with-wbclient configure flag
Simo Sorce [Sun, 10 Aug 2014 15:45:49 +0000 (11:45 -0400)]
Add more custom error message
This should make error reporting a little bit better.
Simo Sorce [Sun, 10 Aug 2014 13:31:59 +0000 (09:31 -0400)]
Add support for printing internal NTLM error codes
Simo Sorce [Sun, 10 Aug 2014 02:46:54 +0000 (22:46 -0400)]
Add macros to handle returning errors
These macros prevent the chance of not setting minor_status appropriately.
They also hook into the tracing system, so any time an error is set, then it
can be traced to exactly what function (and in which line) it was set.
Simo Sorce [Sat, 9 Aug 2014 20:17:48 +0000 (16:17 -0400)]
Add debug helpers to be used to trace gss-ntlmssp
If the GSSNTLMSSP_DEBUG environment variable is set to a file that
can be opened for writing, then trace information will be written to
that file whenever DEBUG macros are called in the code.
Simo Sorce [Sat, 9 Aug 2014 19:21:30 +0000 (15:21 -0400)]
Simplify test checking and unify display format
Simo Sorce [Sat, 9 Aug 2014 15:45:39 +0000 (11:45 -0400)]
Use gssntlm_display_error in tests
Simo Sorce [Sat, 9 Aug 2014 14:58:08 +0000 (10:58 -0400)]
Add support for both strerror_r variants
Simo Sorce [Sat, 9 Aug 2014 15:49:14 +0000 (11:49 -0400)]
We can handle only mech status codes
Return an error if status_type is bogus.
We can't call gss_display_status() for GSS_C_GSS_CODE because we'd loop
back to ourselves as unfortunately the GSSAPI mechanisms SPI uses the
same symbol names as the public API ...
David Woodhouse [Fri, 8 Aug 2014 22:54:38 +0000 (23:54 +0100)]
Add gssntlm_display_status()
Simo Sorce [Fri, 8 Aug 2014 19:44:37 +0000 (15:44 -0400)]
Offer OEM charset support in the negotiate packet
But make sure to clear out flags once we receive the challenge packet
or we end up with both (OEM and UNICODE) flags set when we generate
the AUTH package.
Special care needs to be taken for DATAGRAM packets, as they are special.
Simo Sorce [Fri, 8 Aug 2014 20:18:57 +0000 (16:18 -0400)]
Do not send domain/workstation name in nego_msg
Modern Windows OSs also completely ignore sending any of this stuff,
so just stop sending it ourselves, it's generally ignored anyway.
Simo Sorce [Fri, 8 Aug 2014 20:11:40 +0000 (16:11 -0400)]
Ignore domain and workstation in negotiate message
We never use these fields, so do not even attempt to decode them
just ignore completely.
Simo Sorce [Fri, 8 Aug 2014 19:00:38 +0000 (15:00 -0400)]
Very old NTLM servers may omit target_info
Seems like some very old NTLM servers may omit the target_info field
entirely in the Challenge message, although MS-NLMP says modern clients
SHOULD send an empty target info header even when no target info is being
sent.
Allow to interoperate with these old servers but always set the
target_info field when we generate Challenge packets.
Simo Sorce [Fri, 8 Aug 2014 15:20:36 +0000 (11:20 -0400)]
Bump version to 5.0 rc1
Simo Sorce [Fri, 8 Aug 2014 13:47:19 +0000 (09:47 -0400)]
Improve role management
A server can be standalone or domain member, improve role management
so we can autodetect which role we should assume as a server.
Simo Sorce [Fri, 8 Aug 2014 13:27:48 +0000 (09:27 -0400)]
Fetch server names much earlier in the process
This is needed to find out if we are "domain joined" by way of
checking nb_domain_name, in following patches.
Simo Sorce [Fri, 8 Aug 2014 13:21:21 +0000 (09:21 -0400)]
Fix target info check
Domain name is really just optional, only computer name is mandatory.
Domain name can be empty if the server is not a domain member.
Simo Sorce [Fri, 8 Aug 2014 12:54:57 +0000 (08:54 -0400)]
Set the domain name only when available.
If we cannot source the domain name do not try to fake it up, just
leave it empty and omit it from the negotiation.
Simo Sorce [Thu, 7 Aug 2014 22:52:34 +0000 (18:52 -0400)]
Add helper to check for allowed ntlm versions
Also lower the default lm compat level to 3 for broader compatibility.
This allows NTLMv1 with no LM auth.
Simo Sorce [Thu, 7 Aug 2014 15:15:46 +0000 (11:15 -0400)]
Add test to check gss_wrap with no SEAL negotiated
Simo Sorce [Thu, 7 Aug 2014 12:28:12 +0000 (08:28 -0400)]
tests: Remove unused field
Simo Sorce [Wed, 6 Aug 2014 22:02:00 +0000 (18:02 -0400)]
Formal adjustment of ntlmv1_sign
random_pad is always set to 0, so this change makes no difference,
however with this change we conform to MS-NLMP 3.4.4.1
Simo Sorce [Wed, 6 Aug 2014 16:27:11 +0000 (12:27 -0400)]
Test both NTLMv1 and NTLMv2
Simo Sorce [Wed, 6 Aug 2014 15:32:30 +0000 (11:32 -0400)]
Fix winbindd NTLMv1 Extended Security auth
In the ntlmv1 extended security case, winbindd wants a
pre-digested challenge, this is arguably a bug as Winbind has all
the data it needs to compute it by itself ... oh well, just cope.
Thanks to David Woodhouse for finding this out.
Simo Sorce [Wed, 6 Aug 2014 15:31:46 +0000 (11:31 -0400)]
Add helper to compute extended security challenge
Simo Sorce [Wed, 6 Aug 2014 14:50:24 +0000 (10:50 -0400)]
Add support for NTLMv1 auth to the server
Fixes also condition on when to test for a LM Response on the server.
Simo Sorce [Wed, 6 Aug 2014 02:36:42 +0000 (22:36 -0400)]
Add functions to verify NTLMv1 responses
Simo Sorce [Wed, 6 Aug 2014 01:31:49 +0000 (21:31 -0400)]
Fix NTLMv1 client auth
The wrong nt/lm response buffers were being used after the version
specific processing. Use always the same buffers for both protocols
to avoid issues.
Simo Sorce [Wed, 6 Aug 2014 14:58:21 +0000 (10:58 -0400)]
Pass ctx and cred to external_xxx_auth functions
This allows external auth mechanisms to see all the data they may need.
Simo Sorce [Mon, 4 Aug 2014 22:06:58 +0000 (18:06 -0400)]
Support client authentication using Winbind
Based on a patch by David Woodhouse <David.Woodhouse@intel.com>
Original commit message:
We need to screw around with the flags a little, since winbind doesn't
really get it right. Thankfully, it doesn't support MIC and it does at
least generally do the right thing (w.r.t. session negotiation and OEM
vs. Unicode) so it's sufficient just to screw with the flags.
Tested with Negotiate authentication to squid, and NTLM in datagram
mode with pidgin-sipe. Also with Firefox, Chrome and a fixed libcurl.
Simo Sorce [Mon, 4 Aug 2014 16:48:56 +0000 (12:48 -0400)]
Add call to get names from winbind
Based on David Woodhouse work.
Simo Sorce [Mon, 4 Aug 2014 16:48:56 +0000 (12:48 -0400)]
Add call to get creds from winbind
Based on David Woodhouse work.
Simo Sorce [Mon, 4 Aug 2014 15:49:23 +0000 (11:49 -0400)]
Add external server auth support via Winbind
If wbclient support is available we can now check domain credentials
against a Domain Controller.
Requires a configured Winbind (or compatible) service on the host.
Simo Sorce [Thu, 15 May 2014 11:59:09 +0000 (13:59 +0200)]
Initial build support for detecting and using libwbclient
Simo Sorce [Mon, 4 Aug 2014 20:28:13 +0000 (16:28 -0400)]
Move client auth bits to gss_auth
This will make it easier to plug in external auth handlers
like winbind.
Simo Sorce [Mon, 4 Aug 2014 20:33:17 +0000 (16:33 -0400)]
Move sec_req flags in the context handler
Simo Sorce [Mon, 4 Aug 2014 18:42:37 +0000 (14:42 -0400)]
Use helpers to get the local netbios names
move out fetching of the computer and domain netbios names.
Names are still fetched from environment variables,
or external sources (like winbind) or defaults are used.
Based on work from David Woodhouse.
David Woodhouse [Wed, 9 Jul 2014 13:49:18 +0000 (14:49 +0100)]
Move local key and flags computations to the end
These can be safely done later and are in the way here.
We're going to want to use these with winbind auth, *after* it
has computed the auth message.
Simo Sorce [Thu, 15 May 2014 11:59:09 +0000 (13:59 +0200)]
Add support to perform external operations
This allows the code to know it has to use an external mechanism,
such as winbind, to handle authentication.
Based on work from David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Wed, 9 Jul 2014 13:35:13 +0000 (14:35 +0100)]
Move all message structures to ntlm_common.h
struct wire_auth_msg was already there, we're about to want access to
struct wire_chal_msg, and we might as well keep them together.
Simo Sorce [Thu, 7 Aug 2014 16:43:41 +0000 (12:43 -0400)]
Let caller decide whether to (un)seal or not
Windows seems to ignore the sealing flag and seal anyway at least
in some cases, so leave the decision to the caller.
Simo Sorce [Thu, 7 Aug 2014 14:24:38 +0000 (10:24 -0400)]
Fix order of signature vs payload
The code was dead wrong and putting the cart before the horses.
The correct framing is to put the signature first and then the encrypted
payload. We were doing the opposite ... how embarrassing.
A million thanks to David Woodhouse for his persistence in testing and
assisting in finding out the issue.
Simo Sorce [Thu, 7 Aug 2014 01:40:32 +0000 (21:40 -0400)]
Internalize extended security and datagram status
Move handling of datagram status with ntlm_crypto routines, this
way ntlm_seal_regen becomes an internal detail.
Also better separate extended security and legacy sign/seal crypto
state generation and general handling in sign/seal functions
Simo Sorce [Thu, 7 Aug 2014 02:59:38 +0000 (22:59 -0400)]
Introduce ntlm_signseal_state
This structure keeps the crypto state closer to the crypto routines.
Simo Sorce [Tue, 5 Aug 2014 15:38:30 +0000 (11:38 -0400)]
Use a macro to define the ntlm signature size
Avoids the look of magic numbers everywhere, and give some useful
context to the code reader
Simo Sorce [Tue, 5 Aug 2014 15:26:42 +0000 (11:26 -0400)]
Implement gss_wrap_size_limit()
Simo Sorce [Wed, 6 Aug 2014 18:57:54 +0000 (14:57 -0400)]
Fix sealing key regen with shorter keys
At LM_COMPAT_LEVEL 0 there is no extended security and initial
sealing keys are 8 bytes long.
Simo Sorce [Wed, 6 Aug 2014 16:47:09 +0000 (12:47 -0400)]
Fix unsealing without extended session security
ntlm_unseal should be symmetric to ntlm_seal
Simo Sorce [Wed, 6 Aug 2014 16:27:32 +0000 (12:27 -0400)]
Fix flag clearing
NTLMSSP_REQUEST_NON_NT_SESSION_KEY is not in itself incompatible with
NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY, although it is only used
if Extended Security is not negotiated.
Simo Sorce [Wed, 6 Aug 2014 17:26:35 +0000 (13:26 -0400)]
Generate LM hash when getting pwd from cred_store
This is needed when NTLMSSP_NEGOTIATE_LM_KEY is used at lower,
LM_COMPAT_LEVEL (eg, level 0) by a client and NTLMv1 auth.
Simo Sorce [Fri, 1 Aug 2014 14:59:13 +0000 (10:59 -0400)]
Fix rpmbuild
Create dir containing config file or rpm generation may fail
Simo Sorce [Thu, 31 Jul 2014 19:55:10 +0000 (15:55 -0400)]
Bump up to pre-release status
Simo Sorce [Thu, 31 Jul 2014 19:53:38 +0000 (15:53 -0400)]
Install mechanism configuration in mech.d
This will automatically enable the mechanism upon install.
Simo Sorce [Sat, 12 Jul 2014 12:25:18 +0000 (08:25 -0400)]
Silence const errors