Simo Sorce [Fri, 20 Mar 2015 00:22:49 +0000 (20:22 -0400)]
Fix length check of nt_response
An array passed as a function argument is just a cosmetic way to pass just a
pointer. Therefore sizeof(array) will only return the pointer length, not
the array length, and on 32 bit pointers are 4 bytes long.
Fix payload calculation by passing in the known correct length instead of using
fancy sizeofs ...
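An added illustration of the sizeof pitfall this message describes (example code, not from gss-ntlmssp; the 24-byte buffer length and the function names are assumptions):

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for a fixed-size NT response buffer; 24 bytes is the
 * classic NTLMv1 response size, the names here are assumptions. */
#define NT_RESPONSE_LEN 24

/* GCC and clang diagnose sizeof on an array-typed parameter
 * (-Wsizeof-array-argument); silenced here only so the mistake can be shown. */
#pragma GCC diagnostic ignored "-Wsizeof-array-argument"

/* The pitfall: 'resp' is really 'uint8_t *resp', so sizeof(resp) is the
 * size of a pointer (4 on 32-bit, 8 on 64-bit), never NT_RESPONSE_LEN. */
size_t sizeof_array_param(uint8_t resp[NT_RESPONSE_LEN])
{
    return sizeof(resp);
}

/* Broken length check modelled on the bug the commit describes: it compares
 * the payload length against the pointer size instead of the buffer size. */
bool nt_response_len_ok_broken(uint8_t resp[NT_RESPONSE_LEN], size_t payload_len)
{
    return payload_len == sizeof(resp);
}

/* Correct form: the caller passes the known buffer length explicitly. */
bool nt_response_len_ok(const uint8_t *resp, size_t resp_len, size_t payload_len)
{
    return resp != NULL && payload_len == resp_len;
}

int main(void)
{
    uint8_t resp[NT_RESPONSE_LEN] = {0};

    /* Inside main, resp is a real array, so sizeof(resp) is 24 here. */
    printf("sizeof(array param) = %zu, sizeof(pointer) = %zu, real length = %zu\n",
           sizeof_array_param(resp), sizeof(uint8_t *), sizeof(resp));
    printf("broken check accepts a %d-byte payload: %s\n", NT_RESPONSE_LEN,
           nt_response_len_ok_broken(resp, NT_RESPONSE_LEN) ? "yes" : "no");
    printf("explicit-length check accepts it: %s\n",
           nt_response_len_ok(resp, sizeof(resp), NT_RESPONSE_LEN) ? "yes" : "no");
    return 0;
}
```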
Simo Sorce [Thu, 19 Mar 2015 23:22:04 +0000 (19:22 -0400)]
Fix error reporting in some tests
Simo Sorce [Thu, 19 Mar 2015 22:42:13 +0000 (18:42 -0400)]
Support openssl optimized 32bit RC4 key packing
Openssl detects at runtime the CPU type and on some 32 bit CPUs will
automatically switch to a compressed schedule for the RC4_KEY.
Don't try to be too smart and just copy all the data even if it takes
4 times the space.
The code still assumes sizeof(RC4_INT) == sizeof(uint32_t)
Simo Sorce [Thu, 19 Mar 2015 22:28:14 +0000 (18:28 -0400)]
Fix incorrect import of exported_session_key
Simo Sorce [Fri, 20 Feb 2015 14:55:03 +0000 (09:55 -0500)]
Use Zanata for translations
Simo Sorce [Fri, 20 Feb 2015 14:54:49 +0000 (09:54 -0500)]
Store pot file in git
Simo Sorce [Thu, 8 Jan 2015 17:34:37 +0000 (12:34 -0500)]
Fix make dist builds with automake 1.15
Do this by removing directives that we do not really depend on.
Simo Sorce [Tue, 6 Jan 2015 19:24:58 +0000 (14:24 -0500)]
Names with a . in the domain are enterprise names
This allows people to put in an email address as the source name and
have it treated automatically as an enterprise name as well.
Although technically NetBIOS names can have dots it is unlikely and the
user@domain form is generally understood to be used with UPNs and email
like addresses which use the DNS Domain Name.
The fallback case for NetBIOS domain names with a dot is to configure the
client to use the DOMAIN\user name form instead.
Simo Sorce [Wed, 13 Aug 2014 16:38:22 +0000 (12:38 -0400)]
Fix spec file (was missing lang detection)
Simo Sorce [Tue, 12 Aug 2014 13:06:52 +0000 (09:06 -0400)]
Release 0.5.0
David Woodhouse [Mon, 11 Aug 2014 09:03:13 +0000 (10:03 +0100)]
Add en_GB translation
Not much point in this at the moment but it serves as a useful example.
David Woodhouse [Mon, 11 Aug 2014 09:00:28 +0000 (10:00 +0100)]
Put comments before translatable strings
xgettext will helpfully include any comment which precedes the string
in the pot file to aid in translation. So put the comments with the error
numbers *before* the corresponding strings.
David Woodhouse [Mon, 11 Aug 2014 08:55:49 +0000 (09:55 +0100)]
Fix typos in error strings
David Woodhouse [Mon, 11 Aug 2014 08:37:25 +0000 (09:37 +0100)]
Use NLS for translating error messages in gssntlm_display_status()
David Woodhouse [Mon, 11 Aug 2014 08:37:05 +0000 (09:37 +0100)]
Add support for building with NLS
David Woodhouse [Mon, 11 Aug 2014 08:25:12 +0000 (09:25 +0100)]
Include config.h in gss_err.c, fix GNU strerror_r() code path
We really ought to be including config.h consistently...
Simo Sorce [Sun, 10 Aug 2014 20:44:58 +0000 (16:44 -0400)]
Always send NetBIOS Domain Name
Apparently Windows (2012 at least) refuses to authenticate if the
target_info field in the challenge message lacks the NetBIOS Domain
name.
So always set the fake nb_domain_name if not available, but do
not mark the server as a domain member in that case.
Simo Sorce [Sun, 10 Aug 2014 18:31:31 +0000 (14:31 -0400)]
0.5.0 - Release Candidate 2
Simo Sorce [Sun, 10 Aug 2014 18:17:00 +0000 (14:17 -0400)]
Add --with-wbclient configure flag
Simo Sorce [Sun, 10 Aug 2014 15:45:49 +0000 (11:45 -0400)]
Add more custom error message
This should make error reporting a little bit better.
Simo Sorce [Sun, 10 Aug 2014 13:31:59 +0000 (09:31 -0400)]
Add support for printing internal NTLM error codes
Simo Sorce [Sun, 10 Aug 2014 02:46:54 +0000 (22:46 -0400)]
Add macros to handle returning errors
These macros prevent the chance of not setting minor_status appropriately.
They also hook into the tracing system, so any time an error is set, then it
can be traced to exactly what function (and in which line) it was set.
Simo Sorce [Sat, 9 Aug 2014 20:17:48 +0000 (16:17 -0400)]
Add debug helpers to be used to trace gss-ntlmssp
If the GSSNTLMSSP_DEBUG environment variable is set to a file that
can be opened for writing, then trace information will be written to
that file whenever DEBUG macros are called in the code.
Simo Sorce [Sat, 9 Aug 2014 19:21:30 +0000 (15:21 -0400)]
Simplify test checking and unify display format
Simo Sorce [Sat, 9 Aug 2014 15:45:39 +0000 (11:45 -0400)]
Use gssntlm_display_error in tests
Simo Sorce [Sat, 9 Aug 2014 14:58:08 +0000 (10:58 -0400)]
Add support for both strerror_r variants
Simo Sorce [Sat, 9 Aug 2014 15:49:14 +0000 (11:49 -0400)]
We can handle only mech status codes
Return an error if status_type is bogus.
We can't call gss_display_status() for GSS_C_GSS_CODE because we'd loop
back to ourselves as unfortunately the GSSAPI mechanisms SPI uses the
same symbol names as the public API ...
David Woodhouse [Fri, 8 Aug 2014 22:54:38 +0000 (23:54 +0100)]
Add gssntlm_display_status()
Simo Sorce [Fri, 8 Aug 2014 19:44:37 +0000 (15:44 -0400)]
Offer OEM charset support in the negotiate packet
But make sure to clear out flags once we receive the challenge packet
or we end up with both (OEM and UNICODE) flags set when we generate
the AUTH package.
Special care needs to be taken for DATAGRAM packets, as they are special.
Simo Sorce [Fri, 8 Aug 2014 20:18:57 +0000 (16:18 -0400)]
Do not send domain/workstation name in nego_msg
Modern Windows OSs also completely ignore sending any of this stuff,
so just stop sending it ourselves, it's generally ignored anyway.
Simo Sorce [Fri, 8 Aug 2014 20:11:40 +0000 (16:11 -0400)]
Ignore domain and workstation in negotiate message
We never use these fields, so do not even attempt to decode them
just ignore completely.
Simo Sorce [Fri, 8 Aug 2014 19:00:38 +0000 (15:00 -0400)]
Very old NTLM servers may omit target_info
Seems like some very old NTLM servers may omit the target_info field
entirely in the Challenge message, although MS-NLMP says modern clients
SHOULD send an empty target info header even when no target info is being
sent.
Allow to interoperate with these old servers but always set the
target_info field when we generate Challenge packets.
Simo Sorce [Fri, 8 Aug 2014 15:20:36 +0000 (11:20 -0400)]
Bump version to 5.0 rc1
Simo Sorce [Fri, 8 Aug 2014 13:47:19 +0000 (09:47 -0400)]
Improve role management
A server can be standalone or domain member, improve role management
so we can autodetect which role we should assume as a server.
Simo Sorce [Fri, 8 Aug 2014 13:27:48 +0000 (09:27 -0400)]
Fetch server names much earlier in the process
This is needed to find out if we are "domain joined" by way of
checking nb_domain_name, in following patches.
Simo Sorce [Fri, 8 Aug 2014 13:21:21 +0000 (09:21 -0400)]
Fix target info check
Domain name is really just optional, only computer name is mandatory.
Domain name can be empty if the server is not a domain member.
Simo Sorce [Fri, 8 Aug 2014 12:54:57 +0000 (08:54 -0400)]
Set the domain name only when available.
If we cannot source the domain name do not try to fake it up, just
leave it empty and omit it from the negotiation.
Simo Sorce [Thu, 7 Aug 2014 22:52:34 +0000 (18:52 -0400)]
Add helper to check for allowed ntlm versions
Also lower the default lm compat level to 3 for broader compatibility.
This allows NTLMv1 with no LM auth.
Simo Sorce [Thu, 7 Aug 2014 15:15:46 +0000 (11:15 -0400)]
Add test to check gss_wrap with no SEAL negotiated
Simo Sorce [Thu, 7 Aug 2014 12:28:12 +0000 (08:28 -0400)]
tests: Remove unused field
Simo Sorce [Wed, 6 Aug 2014 22:02:00 +0000 (18:02 -0400)]
Formal adjustment of ntlmv1_sign
random_pad is always set to 0, so this change makes no difference,
however with this change we conform to MS-NLMP 3.4.4.1
Simo Sorce [Wed, 6 Aug 2014 16:27:11 +0000 (12:27 -0400)]
Test both NTLMv1 and NTLMv2
Simo Sorce [Wed, 6 Aug 2014 15:32:30 +0000 (11:32 -0400)]
Fix winbindd NTLMv1 Extended Security auth
In the ntlmv1 extended security case, winbindd wants a
pre-digested challenge, this is arguably a bug as Winbind has all
the data it needs to compute it by itself ... oh well, just cope.
Thanks to David Woodhouse for finding this out.
Simo Sorce [Wed, 6 Aug 2014 15:31:46 +0000 (11:31 -0400)]
Add helper to compute extended security challenge
Simo Sorce [Wed, 6 Aug 2014 14:50:24 +0000 (10:50 -0400)]
Add support for NTLMv1 auth to the server
Fixes also condition on when to test for a LM Response on the server.
Simo Sorce [Wed, 6 Aug 2014 02:36:42 +0000 (22:36 -0400)]
Add functions to verify NTLMv1 responses
Simo Sorce [Wed, 6 Aug 2014 01:31:49 +0000 (21:31 -0400)]
Fix NTLMv1 client auth
The wrong nt/lm response buffers were being used after the version
specific processing. Use always the same buffers for both protocols
to avoid issues.
Simo Sorce [Wed, 6 Aug 2014 14:58:21 +0000 (10:58 -0400)]
Pass ctx and cred to external_xxx_auth functions
This allows external auth mechanisms to see all the data they may need.
Simo Sorce [Mon, 4 Aug 2014 22:06:58 +0000 (18:06 -0400)]
Support client authentication using Winbind
Based on a patch by David Woodhouse <David.Woodhouse@intel.com>
Original commit message:
We need to screw around with the flags a little, since winbind doesn't
really get it right. Thankfully, it doesn't support MIC and it does at
least generally do the right thing (w.r.t. session negotiation and OEM
vs. Unicode) so it's sufficient just to screw with the flags.
Tested with Negotiate authentication to squid, and NTLM in datagram
mode with pidgin-sipe. Also with Firefox, Chrome and a fixed libcurl.
Simo Sorce [Mon, 4 Aug 2014 16:48:56 +0000 (12:48 -0400)]
Add call to get names from winbind
Based on David Woodhouse work.
Simo Sorce [Mon, 4 Aug 2014 16:48:56 +0000 (12:48 -0400)]
Add call to get creds from winbind
Based on David Woodhouse work.
Simo Sorce [Mon, 4 Aug 2014 15:49:23 +0000 (11:49 -0400)]
Add external server auth support via Winbind
If wbclient support is available we can now check domain credentials
against a Domain Controller.
Requires a configured Winbind (or compatible) service on the host.
Simo Sorce [Thu, 15 May 2014 11:59:09 +0000 (13:59 +0200)]
Initial build support for detecting and using libwbclient
Simo Sorce [Mon, 4 Aug 2014 20:28:13 +0000 (16:28 -0400)]
Move client auth bits to gss_auth
This will make it easier to plug in external auth handlers
like winbind.
Simo Sorce [Mon, 4 Aug 2014 20:33:17 +0000 (16:33 -0400)]
Move sec_req flags in the context handler
Simo Sorce [Mon, 4 Aug 2014 18:42:37 +0000 (14:42 -0400)]
Use helpers to get the local netbios names
Move out fetching of the computer and domain netbios names.
Names are still fetched from environment variables,
or external sources (like winbind) or defaults are used.
Based on work from David Woodhouse.
David Woodhouse [Wed, 9 Jul 2014 13:49:18 +0000 (14:49 +0100)]
Move local key and flags computations to the end
These can be safely done later and are in the way here.
We're going to want to use these with winbind auth, *after* it
has computed the auth message.
Simo Sorce [Thu, 15 May 2014 11:59:09 +0000 (13:59 +0200)]
Add support to perform external operations
This allows the code to know it has to use an external mechanism,
such as winbind, to handle authentication.
Based on work from David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Wed, 9 Jul 2014 13:35:13 +0000 (14:35 +0100)]
Move all message structures to ntlm_common.h
struct wire_auth_msg was already there, we're about to want access to
struct wire_chal_msg, and we might as well keep them together.
Simo Sorce [Thu, 7 Aug 2014 16:43:41 +0000 (12:43 -0400)]
Let caller decide whether to (un)seal or not
Windows seems to ignore the sealing flag and seal anyway at least
in some cases, so leave the decision to the caller.
Simo Sorce [Thu, 7 Aug 2014 14:24:38 +0000 (10:24 -0400)]
Fix order of signature vs payload
The code was dead wrong and putting the cart before the horses.
The correct framing is to put the signature first and then the encrypted
payload. We were doing the opposite ... how embarrassing.
A million thanks to David Woodhouse for his persistence in testing and
assisting in finding out the issue.
Simo Sorce [Thu, 7 Aug 2014 01:40:32 +0000 (21:40 -0400)]
Internalize extended security and datagram status
Move handling of datagram status with ntlm_crypto routines, this
way ntlm_seal_regen becomes an internal detail.
Also better separate extended security and legacy sign/seal crypto
state generation and general handling in sign/seal functions
Simo Sorce [Thu, 7 Aug 2014 02:59:38 +0000 (22:59 -0400)]
Introduce ntlm_signseal_state
This structure keeps the crypto state closer to the crypto routines.
Simo Sorce [Tue, 5 Aug 2014 15:38:30 +0000 (11:38 -0400)]
Use a macro to define the ntlm signature size
Avoids the look of magic numbers everywhere, and gives some useful
context to the code reader.
Simo Sorce [Tue, 5 Aug 2014 15:26:42 +0000 (11:26 -0400)]
Implement gss_wrap_size_limit()
Simo Sorce [Wed, 6 Aug 2014 18:57:54 +0000 (14:57 -0400)]
Fix sealing key regen with shorter keys
At LM_COMPAT_LEVEL 0 there is no extended security and initial
sealing keys are 8 byte long.
Simo Sorce [Wed, 6 Aug 2014 16:47:09 +0000 (12:47 -0400)]
Fix unsealing without extended session security
ntlm_unseal should be symmetric to ntlm_seal
Simo Sorce [Wed, 6 Aug 2014 16:27:32 +0000 (12:27 -0400)]
Fix flag clearing
NTLMSSP_REQUEST_NON_NT_SESSION_KEY is not in itself incompatible with
NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY, although it is only used
if Extended Security is not Negotiated.
Simo Sorce [Wed, 6 Aug 2014 17:26:35 +0000 (13:26 -0400)]
Generate LM hash when getting pwd from cred_store
This is needed when NTLMSSP_NEGOTIATE_LM_KEY is used at lower
LM_COMPAT_LEVEL (eg, level 0) by a client and NTLMv1 auth.
Simo Sorce [Fri, 1 Aug 2014 14:59:13 +0000 (10:59 -0400)]
Fix rpmbuild
Create dir containing config file or rpm generation may fail.
Simo Sorce [Thu, 31 Jul 2014 19:55:10 +0000 (15:55 -0400)]
Bump up to pre-release status
Simo Sorce [Thu, 31 Jul 2014 19:53:38 +0000 (15:53 -0400)]
Install mechanism configuration in mech.d
This will automatically enable the mechanism upon install.
Simo Sorce [Sat, 12 Jul 2014 12:25:18 +0000 (08:25 -0400)]
Silence const errors
Simo Sorce [Sat, 12 Jul 2014 12:23:24 +0000 (08:23 -0400)]
Cast to (char *) not (void *) to do pointer math
Simo Sorce [Sat, 12 Jul 2014 12:19:20 +0000 (08:19 -0400)]
Add gss_localname support
Uses the fully qualified name and falls back to simple user name and
calls getpwnam_r() to resolve a local name. If the user is not known
to the nsswitch subsystem it returns a failure.
Simo Sorce [Thu, 10 Jul 2014 16:03:28 +0000 (12:03 -0400)]
Handle missing name calling acquire creds.
In the GSS_C_ACCEPT (acceptor/server) case we would end up segfaulting
if no name was provided. Instead allow a null desired_name and load
the default server name if none is passed in, just like
gss_accept_sec_context() does in this case.
Simo Sorce [Sat, 21 Jun 2014 18:34:33 +0000 (14:34 -0400)]
Release 0.4.0
Simo Sorce [Sat, 17 May 2014 13:40:22 +0000 (15:40 +0200)]
Fix const warnings
Just discard the const and silence the warnings, where safe;
rework assignments where possible.
Simo Sorce [Thu, 15 May 2014 11:56:20 +0000 (13:56 +0200)]
Fix Makefile cflags use
Simo Sorce [Sat, 17 May 2014 13:30:34 +0000 (15:30 +0200)]
Fix memory leak in NTLMv2 acceptor code
Simo Sorce [Mon, 5 May 2014 22:26:16 +0000 (18:26 -0400)]
Release Candidate 2 for 0.4.0
Simo Sorce [Mon, 5 May 2014 21:05:50 +0000 (17:05 -0400)]
Add way to talk about MIC with SPNEGO
As agreed with MIT people, add an inquire mechanism that serves 2 roles.
On the one hand, if the spnego mechanism makes this call at all it means
it is recent enough to support forcing the mechlistMIC on if we create
an Authenticate message MIC. So remove the environment variable and
instead depend on the SPNEGO layer to call this function before the
Authenticate token is generated (usually right after the Negotiate token
has been produced).
On the other hand if this function has been called assume SPNEGO will
call again right after the authenticate message has been generated to
know whether the mechlistMIC needs to be added.
Simo Sorce [Sun, 6 Apr 2014 22:27:13 +0000 (18:27 -0400)]
Release Candidate 1 for 0.4.0
Simo Sorce [Thu, 10 Apr 2014 01:11:31 +0000 (21:11 -0400)]
Disable MIC by default.
The environment variable NTLMSSP_ENABLE_MIC will enable setting the MIC if
requested by the server when it is set to '1'.
It is disabled by default because it works only with a patched SPNEGO library
that will always set the mechlistMIC on the authenticate packet if we report
that integrity is enabled.
If the library is unpatched it has also been observed that Firefox will go in
an infinite authentication loop while it keeps trying to make requests that are
always denied.
Simo Sorce [Sun, 13 Apr 2014 01:42:25 +0000 (21:42 -0400)]
Provide the correct target name in the challenge
MS-NLMP prescribes in 3.2.5.1.1 that the server should send the
NetBIOS Domain name if joined to a domain or the NetBIOS computer
name if standalone. Never the DNS computer name.
Also do not add a target_name entry in the target_info field, it is
not required and Windows does not do that.
Simo Sorce [Mon, 7 Apr 2014 03:26:44 +0000 (23:26 -0400)]
Check netbios computer and domain name when needed
MS-NLMP 3.1.5.1.2 says a client must fail to communicate if NTLMv2
is used, Integrity or Confidentiality are required and NetBIOS Computer
or Domain Name are not present in the Challenge message from the server.
Simo Sorce [Mon, 7 Apr 2014 03:24:06 +0000 (23:24 -0400)]
Always provide netbios computer and domain name
These are necessary by spec (MS-NLMP 3.1.5.1.2) if the server
sends a target_info field in the challenge message, which we do.
Uses environment variables NETBIOS_COMPUTER_NAME and NETBIOS_DOMAIN_NAME
to set NetBIOS data. If they are not available the server name truncated
to the first '.' (if any) will be used and the domain is set to the
generic "WORKGROUP" name.
Simo Sorce [Thu, 27 Mar 2014 03:26:52 +0000 (23:26 -0400)]
Test Challenge V2 message with CBT test vectors
Simo Sorce [Thu, 27 Mar 2014 03:31:45 +0000 (23:31 -0400)]
Verify Channel Bindings in accept_sec_context
Simo Sorce [Sat, 5 Apr 2014 20:24:52 +0000 (16:24 -0400)]
Add support for setting CBT in the client
Simo Sorce [Sun, 6 Apr 2014 21:53:58 +0000 (17:53 -0400)]
Add function to verify Channel Binding Token
Simo Sorce [Thu, 27 Mar 2014 03:19:52 +0000 (23:19 -0400)]
Add function to calculate channel bindings hash
Simo Sorce [Sat, 5 Apr 2014 19:21:17 +0000 (15:21 -0400)]
Get av_flags and check MIC if a client sent it
Gets the target_info structure from the NT Response (if any is available)
and extract the av_flags.
If the appropriate flag is set verify the MIC previously extracted.
Simo Sorce [Sat, 5 Apr 2014 18:51:02 +0000 (14:51 -0400)]
Return target_info from ntlm_decode_auth_msg
The target_info structure embedded in the NT Response message in NTLMv2
contains information needed to establish if the client has sent a valid
MIC. So we need to extract and return it if the caller requested it.
Also moves some wire structures definitions in common to be able to
reuse them.
Simo Sorce [Sun, 13 Apr 2014 05:45:42 +0000 (01:45 -0400)]
Make MIC conditional on integrity being requested
If integrity is requested by any party then the MIC, if requested by the
server will be generated, otherwise it will not be.
Simo Sorce [Thu, 27 Mar 2014 03:46:04 +0000 (23:46 -0400)]
Compute MIC in the client when requested
Simo Sorce [Sat, 5 Apr 2014 19:20:06 +0000 (15:20 -0400)]
Add function to verify MICs
Simo Sorce [Thu, 27 Mar 2014 03:20:24 +0000 (23:20 -0400)]
Add function to calculate MIC
Simo Sorce [Thu, 27 Mar 2014 03:45:26 +0000 (23:45 -0400)]
Use target_info parsing helper
Target_info can be optional, but it conflicts with channel bindings being
requested.
Simo Sorce [Thu, 27 Mar 2014 03:21:02 +0000 (23:21 -0400)]
Augment target_info processing with a utility
This re-encodes the target_info structure at the client side adding
additional provisions of MS-NLMP 3.1.5.2.1
That is:
- generate indication that a MIC is requested by the server
- add ClientSuppliedTargetName data