[SCM] Samba Shared Repository - branch master updated

Andrew Bartlett abartlet at samba.org
Wed Apr 24 01:00:02 UTC 2024


The branch, master has been updated
       via  1a02c6e59c1 WHATSNEW: document ldaps/tls related option changes
       via  acaa24c65d9 smbdotconf: finally remove unused "client use spnego principal" option
       via  4ff1b321edb s4:selftest: remove useless 'client use spnego principal' tests
       via  5d350c1ecd1 auth/gensec: remove useless client_use_spnego_principal usage
       via  a34532cd9b1 s3:selftest/tests.py: run TLDAP tests with sasl-sign,sasl-seal,ldaps,starttls
       via  d189952f0ef s3:torture: add ldaps/starttls support to run_tldap()
       via  09647d1dc96 s3:torture: add '-T 'option=value' this is similar to '--option='=value'
       via  e6be6fa9488 blackbox/test_net_ads_search_server: also test ldaps/starttls
       via  9827055be3c s4:selftest: also test samba4.ldb.simple.ldap with starttls and SASL-BIND
       via  0122c0a6986 s4:libcli/ldap: add support for ADS_AUTH_SASL_{STARTTLS,LDAPS}
       via  0f8a7c9ef6e s3:idmap_ad: add support for ADS_AUTH_SASL_{STARTTLS,LDAPS}
       via  864ed28ce0e s3:libads: add support for ADS_AUTH_SASL_{STARTTLS,LDAPS}
       via  844e1bdc6d4 smbdotconf: add client ldap sasl wrapping = {starttls,ldaps}
       via  576ac69cbb3 s3:libads: call gensec_set_channel_bindings() for tls connections
       via  da87dbcea57 s3:libads: call ldap_set_option(LDAP_OPT_PROTOCOL_VERSION) as soon as possible
       via  6a84552d593 s3:libads: add tls_wrapping into openldap
       via  84b4551cdf6 s4:lib/tls: add tstream_tls_sync_setup()
       via  f1a83feb0ee s3:libads: always require ber_sockbuf_add_io() and LDAP_OPT_SOCKBUF
       via  86e03bd515e s3:libads: use the correct struct sockbuf_io_desc type for 'sbiod' pointer
       via  e6593c297e6 s3:libads: no longer pass "GSS-SPNEGO" to ads_sasl_spnego_gensec_bind()
       via  47758695898 s3:libads: remove dead code in ads_sasl_spnego_{gensec}_bind()
       via  aeed081fc81 s3:libads: directly use kerberos without asking the server
       via  09b69a12a64 s3:libads: use GSS-SPNEGO directly without asking for supportedSASLMechanisms
       via  29b77a34aa8 s3:tldap: add support for [START]TLS
       via  3798dc7aea6 s3:tldap: make tldap_gensec_bind_send/recv public
       via  eb29f28a29c s3:tldap: add tldap_extended*
       via  557de8f39e3 s3:tldap: store plain and gensec tstream
       via  3bf3d4d855d s3:tldap: let tldap_gensec_bind_send/recv use gensec_update_send/recv
       via  4b22fa01537 s3:tldap: don't use 'supportedSASLMechanisms' and force 'GSS-SPNEGO' instead
       via  8c5b522682e s3:tldap: simplify tldap_gensec_bind.h
       via  30440e0ee38 s3:tldap: simplify read_ldap_more() by using asn1_peek_full_tag()
       via  ca936312910 s4:lib/tls: add support for gnutls_certificate_set_x509_{system_trust,trust_dir}()
       via  0b84c97cf39 docs-xml: add 'tls trust system cas' and 'tls ca directories' options
       via  8062d317932 s4:ldap_server: remove unused include of gensec_internal.h
       via  ded41b0946f s3:libads: remove unused ADS_AUTH_SIMPLE_BIND code
       via  2e975ae9833 s3:libads: remove unused include of gensec_internal.h
       via  c7c5d3fb76c s3:libsmb: libcli/auth/spnego.h is not needed in cliconnect.c
       via  e1c4caed10d WHATSNEW: document ldap_server ldaps/tls channel binding support
       via  065da873296 s4:selftest: also test samba4.ldb.simple.ldap*SASL-BIND with ldap_testing:{channel_bound,tls_channel_bindings,forced_channel_binding}
       via  6794cc47624 selftest: split out selftest/expectedfail.d/samba4.ldb.simple.ldap-tls
       via  7acb15a53c0 s4:libcli/ldap: add tls channel binding support for ldap_bind_sasl()
       via  6c17e3d2800 s4:ldap_server: add support for tls channel bindings
       via  811d04fea7d s3:crypto/gse: implement channel binding support
       via  1831006b777 s4:gensec_gssapi: implement channel binding support
       via  f1d34a430d2 auth/ntlmssp: implement channel binding support
       via  e912ba579b1 auth/gensec: add gensec_set_channel_bindings() function
       via  546e39a6fa1 wscript_configure_embedded_heimdal: define HAVE_CLIENT_GSS_C_CHANNEL_BOUND_FLAG
       via  9b92cbacac1 third_party/heimdal: import lorikeet-heimdal-202404171655 (commit 28a56d818074e049f0361ef74d7017f2a9391847)
       via  cbd7ce44121 s4:lib/tls: add tstream_tls_channel_bindings()
       via  2f2af3aa8a0 lib/crypto: add legacy_gnutls_server_end_point_cb() if needed
       via  c200cf1b5f4 s4:libcli/ldap: make use of tstream_tls_params_client_lpcfg()
       via  493d35a6910 s4:librpc/rpc: make use of tstream_tls_params_client_lpcfg()
       via  b8b874ef5e4 s3:rpc_server/mdssvc: make use of tstream_tls_params_client_lpcfg()
       via  604413b98a2 s4:lib/tls: add tstream_tls_params_client_lpcfg()
       via  3186cdce85a s4:lib/tls: split out tstream_tls_verify_peer() helper
       via  15fb8fcc7b9 s4:lib/tls: include a TLS server name indication in the client handshake
       via  ecdd7691913 s4:lib/tls: we no longer need ifdef GNUTLS_NO_TICKETS
       via  60b11645b0d s4:lib/tls: split out tstream_tls_prepare_gnutls()
       via  ac4bca77039 s4:lib/tls: assert that event contexts are not mixed
       via  6688945fa03 s3:lib/tls: we need to call tstream_tls_retry_handshake/disconnect() until all buffers are flushed
       via  5844ef27aa4 s4:lib/tls: remove tstream_tls_push_trigger_write step
       via  68f6a461e17 s4:libcli/ldap: force GSS-SPNEGO in ldap_bind_sasl()
       via  8deba427e26 s4:libcli/ldap: fix no memory error code in ldap_bind_sasl()
       via  2435ab1ad70 ldb_ildap: require ldb_get_opaque(ldb, "loadparm") to be valid
       via  8007569e9f7 s4:libcli/ldap: ldap4_new_connection() requires a valid lp_ctx
       via  96e4a92f192 tests/segfault.py: make sure samdb.connect(url) has a valid lp_ctx
      from  1cba9de1444 Fix a few "might be uninitialized" errors

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 1a02c6e59c18fdd23114312b8afca057f72602d4
Author: Stefan Metzmacher <metze at samba.org>
Date:   Mon Mar 4 19:34:22 2024 +0100

    WHATSNEW: document ldaps/tls related option changes
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    
    Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
    Autobuild-Date(master): Wed Apr 24 00:59:53 UTC 2024 on atb-devel-224

commit acaa24c65d9f0300e0c6cb04d406b075a8994cee
Author: Stefan Metzmacher <metze at samba.org>
Date:   Mon Mar 4 19:33:52 2024 +0100

    smbdotconf: finally remove unused "client use spnego principal" option
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 4ff1b321edbf35f72fc1837d77fb54f038a5b5e1
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Mar 5 08:54:02 2024 +0100

    s4:selftest: remove useless 'client use spnego principal' tests
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 5d350c1ecd18d2d691aeb559b387c8e3c811cb81
Author: Stefan Metzmacher <metze at samba.org>
Date:   Mon Mar 4 19:31:33 2024 +0100

    auth/gensec: remove useless client_use_spnego_principal usage
    
    It's off by default and all sane servers use
    not_defined_in_RFC4178 at please_ignore anyway.
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit a34532cd9b12a576ff189caba8dcbd65520688e6
Author: Stefan Metzmacher <metze at samba.org>
Date:   Mon Mar 4 15:54:36 2024 +0100

    s3:selftest/tests.py: run TLDAP tests with sasl-sign,sasl-seal,ldaps,starttls
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit d189952f0ef45be8dc6b2dcc14e606d50bf90bad
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Feb 13 22:53:29 2024 +0100

    s3:torture: add ldaps/starttls support to run_tldap()
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 09647d1dc96690e7b52d4f37b6b4fc835a140817
Author: Stefan Metzmacher <metze at samba.org>
Date:   Mon Mar 4 15:27:24 2024 +0100

    s3:torture: add '-T 'option=value' this is similar to '--option='=value'
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit e6be6fa94881a78c9e542d1187cf87f013b1d71d
Author: Stefan Metzmacher <metze at samba.org>
Date:   Mon Mar 4 15:08:17 2024 +0100

    blackbox/test_net_ads_search_server: also test ldaps/starttls
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 9827055be3caaa0e98957446dfbab0b6b62b3253
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Feb 13 16:04:57 2024 +0100

    s4:selftest: also test samba4.ldb.simple.ldap with starttls and SASL-BIND
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 0122c0a6986e28355ca22545fa40442afc0c43e2
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Jan 24 10:43:42 2024 +0100

    s4:libcli/ldap: add support for ADS_AUTH_SASL_{STARTTLS,LDAPS}
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 0f8a7c9ef6e34d973dfdf966041d3e68118563f8
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Jan 26 09:18:33 2024 +0100

    s3:idmap_ad: add support for ADS_AUTH_SASL_{STARTTLS,LDAPS}
    
    Review with: git show --patience
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 864ed28ce0e2d4b6712cf742f2dadd2aee445b9d
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Jan 30 10:27:58 2024 +0100

    s3:libads: add support for ADS_AUTH_SASL_{STARTTLS,LDAPS}
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 844e1bdc6d43dc42550229bcc69dd4fe7631f042
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Feb 9 15:40:00 2024 +0100

    smbdotconf: add client ldap sasl wrapping = {starttls,ldaps}
    
    In order to use SASL authentication within a TLS connection
    we now provide "client ldap sasl wrapping = starttls" or
    "client ldap sasl wrapping = ldaps".
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 576ac69cbb3a2c57507c80b48eed2572b047e98e
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Feb 6 12:35:39 2024 +0100

    s3:libads: call gensec_set_channel_bindings() for tls connections
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit da87dbcea575053ec50fdf3df961e2512553da68
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Jan 30 10:27:58 2024 +0100

    s3:libads: call ldap_set_option(LDAP_OPT_PROTOCOL_VERSION) as soon as possible
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 6a84552d5931e8822404ba346959f13242f870d1
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Jan 30 10:27:58 2024 +0100

    s3:libads: add tls_wrapping into openldap
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 84b4551cdf64adae08722f4338e3ab90a37dccdb
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Feb 6 11:48:41 2024 +0100

    s4:lib/tls: add tstream_tls_sync_setup()
    
    This operates in a non-async fashion and may block
    in the push and pull function.
    
    It will be used to plug into the openldap transport
    layer; this is needed in order to have access
    to the channel bindings. And also use the same
    configuration for all our gnutls based tls code.
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit f1a83feb0eec6fc6e4663edcc9fd71d2321123a2
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Apr 5 17:23:54 2024 +0200

    s3:libads: always require ber_sockbuf_add_io() and LDAP_OPT_SOCKBUF
    
    There's no point in trying to support --with-ads, but only use
    plaintext ldap without sign/seal.
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 86e03bd515e08250bbb0d22631d48b2143bd43ec
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Feb 2 17:50:03 2024 +0100

    s3:libads: use the correct struct sockbuf_io_desc type for 'sbiod' pointer
    
    Using 'Sockbuf_IO_Desc' in idl implicitly means pidl will use
    'struct Sockbuf_IO_Desc', which doesn't exist!
    
    Using 'struct sockbuf_io_desc', which is used in OpenLDAP to
    typedef Sockbuf_IO_Desc, we won't need a cast when assigning the
    'sbiod' pointer.
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit e6593c297e6e0213e7d2d1dd4482cafe03232f4a
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Feb 9 10:50:13 2024 +0100

    s3:libads: no longer pass "GSS-SPNEGO" to ads_sasl_spnego_gensec_bind()
    
    That's the only thing we use...
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 4775869589861444914aff993453998bed6adefc
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Feb 2 12:35:05 2024 +0100

    s3:libads: remove dead code in ads_sasl_spnego_{gensec}_bind()
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit aeed081fc81ed13c59d50986105241293f260c00
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Jan 26 18:09:39 2024 +0100

    s3:libads: directly use kerberos without asking the server
    
    Every AD DC supports kerberos so we can just use it without
    asking the server (in an untrusted way) if kerberos is supported.
    So remove another useless roundtrip.
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 09b69a12a6456589ceefdfa941e2184ecf2e28ae
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Jan 26 18:08:55 2024 +0100

    s3:libads: use GSS-SPNEGO directly without asking for supportedSASLMechanisms
    
    Every AD DC supports 'GSS-SPNEGO' and that's the only one we use anyway,
    so remove an unused roundtrip.
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 29b77a34aa85dd2b336d4f4e21088de57fc4a001
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Jan 23 17:21:35 2024 +0100

    s3:tldap: add support for [START]TLS
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 3798dc7aea6b9d5d06c909cd39e017b372993ec6
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Jan 24 00:32:51 2024 +0100

    s3:tldap: make tldap_gensec_bind_send/recv public
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit eb29f28a29c7084ef6932d5634daca115c8d0d6d
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Jan 23 20:38:21 2024 +0100

    s3:tldap: add tldap_extended*
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 557de8f39e353953f82afd0ea9aa747c2bdc9dde
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Jan 23 16:00:11 2024 +0100

    s3:tldap: store plain and gensec tstream
    
    Also allow resetting to plain.
    
    We now have ld->active as the currently active
    tstream, which will allow us to add tls support
    soon.
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 3bf3d4d855d2a4cfbcd8be9db771add7c4b4a113
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Jan 23 15:41:23 2024 +0100

    s3:tldap: let tldap_gensec_bind_send/recv use gensec_update_send/recv
    
    We should not use the sync gensec_update() in async code!
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 4b22fa01537b88ed360961e4ad07de9741c5a1fd
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Jan 23 15:30:05 2024 +0100

    s3:tldap: don't use 'supportedSASLMechanisms' and force 'GSS-SPNEGO' instead
    
    All active directory dcs support 'GSS-SPNEGO'.
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 8c5b522682e22e61643cd17495bf0e7085c3f0c0
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Jan 23 16:45:07 2024 +0100

    s3:tldap: simplify tldap_gensec_bind.h
    
    We don't need any includes...
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 30440e0ee382b996788cd6ce9f9dd7e955d9d6aa
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Jan 26 14:19:12 2024 +0100

    s3:tldap: simplify read_ldap_more() by using asn1_peek_full_tag()
    
    An LDAP pdu is at least 7 bytes long, so we read at least 7 bytes,
    then it's easy to use asn1_peek_full_tag() in order to find out the
    whole length of the pdu on one go.
    
    As a side effect it's now possible that wireshark can reassemble
    the fragments in a socket_wrapper generated pcap file.
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit ca93631291051be40f211997fb6636acf52f20a3
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Feb 9 11:31:30 2024 +0100

    s4:lib/tls: add support for gnutls_certificate_set_x509_{system_trust,trust_dir}()
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 0b84c97cf39c60706a637370e4856fc60671c3a8
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Feb 13 17:42:41 2024 +0100

    docs-xml: add 'tls trust system cas' and 'tls ca directories' options
    
    This will make it easier to support trusting more than one CA.
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 8062d3179327ef01935c36e487356cb197179cad
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Feb 27 16:49:24 2024 +0100

    s4:ldap_server: remove unused include of gensec_internal.h
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit ded41b0946f8fd3e1dd673ebf3f6d039f79c74e1
Author: Stefan Metzmacher <metze at samba.org>
Date:   Mon Apr 25 14:49:33 2022 +0200

    s3:libads: remove unused ADS_AUTH_SIMPLE_BIND code
    
    We have other code to test simple binds.
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 2e975ae9833544c2132ffab550e86c2ec576e995
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Feb 27 16:49:24 2024 +0100

    s3:libads: remove unused include of gensec_internal.h
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit c7c5d3fb76cda1a9cf29881d26d0b2d3d083039d
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Jan 26 18:09:59 2024 +0100

    s3:libsmb: libcli/auth/spnego.h is not needed in cliconnect.c
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit e1c4caed10d775e23cd7dc294f2cccce76866894
Author: Stefan Metzmacher <metze at samba.org>
Date:   Mon Mar 4 19:34:22 2024 +0100

    WHATSNEW: document ldap_server ldaps/tls channel binding support
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15621
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 065da873296c23ef3b9051fba39be097cfff60fa
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Feb 13 15:50:14 2024 +0100

    s4:selftest: also test samba4.ldb.simple.ldap*SASL-BIND with ldap_testing:{channel_bound,tls_channel_bindings,forced_channel_binding}
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15621
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 6794cc476249452c415881396bce4df663fc4fba
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Feb 13 15:50:14 2024 +0100

    selftest: split out selftest/expectedfail.d/samba4.ldb.simple.ldap-tls
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15621
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 7acb15a53c061344ffdbd58f9b2f01f8b0233f4e
Author: Stefan Metzmacher <metze at samba.org>
Date:   Thu Sep 28 17:11:03 2023 +0200

    s4:libcli/ldap: add tls channel binding support for ldap_bind_sasl()
    
    We still allow 'ldap_testing:tls_channel_bindings = no' and
    'ldap_testing:channel_bound = no' for testing
    the old behavior in order to have expected failures in our tests.
    
    And we have 'ldap_testing:forced_channel_binding = somestring'
    in order to force invalid bindings.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15621
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 6c17e3d2800723bafebd1986ab59a9422c881f0b
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Jan 23 14:20:24 2024 +0100

    s4:ldap_server: add support for tls channel bindings
    
    ldap server require strong auth = allow_sasl_over_tls
    is now an alias for 'allow_sasl_without_tls_channel_bindings'
    and should be avoided and changed to 'yes' or
    'allow_sasl_without_tls_channel_bindings'.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15621
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 811d04fea7d329a7f3c8e01ac20bfad48ac9cd4f
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Sep 29 11:55:45 2023 +0200

    s3:crypto/gse: implement channel binding support
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15621
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 1831006b77749dda902ae4ced0a96e5f14d89adb
Author: Stefan Metzmacher <metze at samba.org>
Date:   Thu Sep 28 17:09:37 2023 +0200

    s4:gensec_gssapi: implement channel binding support
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15621
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit f1d34a430d227e685e2fe983b14c74136d9c8a8e
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Feb 11 16:07:05 2020 +0100

    auth/ntlmssp: implement channel binding support
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15621
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit e912ba579b1469c78ca65345ec1fe8376c74272c
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Feb 11 15:26:07 2020 +0100

    auth/gensec: add gensec_set_channel_bindings() function
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15621
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 546e39a6fa122e6a40d1e62724e1712882ce3bce
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Apr 5 16:07:50 2024 +0200

    wscript_configure_embedded_heimdal: define HAVE_CLIENT_GSS_C_CHANNEL_BOUND_FLAG
    
    See https://github.com/heimdal/heimdal/pull/1234 and
    https://github.com/krb5/krb5/pull/1329.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15621
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 9b92cbacac11fb64cca2c4770cbdce789525b87a
Author: Stefan Metzmacher <metze at samba.org>
Date:   Mon Mar 4 10:30:55 2024 +0100

    third_party/heimdal: import lorikeet-heimdal-202404171655 (commit 28a56d818074e049f0361ef74d7017f2a9391847)
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15603
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15621
    
    See also:
    https://github.com/heimdal/heimdal/pull/1234
    https://github.com/heimdal/heimdal/pull/1238
    https://github.com/heimdal/heimdal/pull/1240
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit cbd7ce44121246167e0c8a6d905180d82df1a2ef
Author: Stefan Metzmacher <metze at samba.org>
Date:   Thu Sep 28 12:34:35 2023 +0200

    s4:lib/tls: add tstream_tls_channel_bindings()
    
    This is based on GNUTLS_CB_TLS_SERVER_END_POINT
    and is the value that is required for channel bindings
    in LDAP of active directory domain controllers.
    
    For gnutls versions before 3.7.2 we basically
    copied the code from the GNUTLS_CB_TLS_SERVER_END_POINT
    implementation as it only uses public gnutls functions
    and it was easy to re-implement.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15621
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 2f2af3aa8a0366e6502751415a08413bf28ba0cb
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Mar 5 09:55:47 2024 +0100

    lib/crypto: add legacy_gnutls_server_end_point_cb() if needed
    
    gnutls_session_channel_binding(GNUTLS_CB_TLS_SERVER_END_POINT)
    is only available with gnutls 3.7.2, but we still want to
    support older gnutls versions and that's easily doable...
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15621
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit c200cf1b5f430f686b39df8513a6b7e3c592ed43
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Feb 13 16:53:15 2024 +0100

    s4:libcli/ldap: make use of tstream_tls_params_client_lpcfg()
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15621
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 493d35a6910d9d9b70f55c2273f4e8a6c93a3bf5
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Feb 13 16:52:56 2024 +0100

    s4:librpc/rpc: make use of tstream_tls_params_client_lpcfg()
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15621
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit b8b874ef5e40d266a54501ba4523c6af7032ca00
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Feb 13 16:50:23 2024 +0100

    s3:rpc_server/mdssvc: make use of tstream_tls_params_client_lpcfg()
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15621
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 604413b98a23f28288ec4af11023717a9239e0fe
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Feb 13 16:36:27 2024 +0100

    s4:lib/tls: add tstream_tls_params_client_lpcfg()
    
    This will be able to simplify the callers a lot...
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15621
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 3186cdce85a58451e9d5a05468029a13621128c3
Author: Stefan Metzmacher <metze at samba.org>
Date:   Mon Feb 12 12:02:13 2024 +0100

    s4:lib/tls: split out tstream_tls_verify_peer() helper
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15621
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 15fb8fcc7b98c3eba8eab79b227127b4b71b096c
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Mar 15 23:24:39 2024 +0100

    s4:lib/tls: include a TLS server name indication in the client handshake
    
    This is not strictly needed, but it might be useful
    for load balancers.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15621
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit ecdd76919132430372ef04b03304fc51d6014e2f
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Apr 17 18:16:46 2024 +0200

    s4:lib/tls: we no longer need ifdef GNUTLS_NO_TICKETS
    
    We require gnutls 3.6.13
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 60b11645b0d1c8304eabbb2aeca8a6b5190a3a2e
Author: Stefan Metzmacher <metze at samba.org>
Date:   Mon Feb 12 12:35:02 2024 +0100

    s4:lib/tls: split out tstream_tls_prepare_gnutls()
    
    Review with: git show --patience
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15621
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit ac4bca77039cbc31323fb10b3706ed959a0cbbcd
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Jan 26 15:30:09 2024 +0100

    s4:lib/tls: assert that event contexts are not mixed
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15621
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 6688945fa03f4a448708f729083ea4a1cdd1ab88
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Jan 26 14:42:40 2024 +0100

    s3:lib/tls: we need to call tstream_tls_retry_handshake/disconnect() until all buffers are flushed
    
    Before the handshake or disconnect is over we need to wait until
    we have delivered the low-level messages to the transport/kernel socket.
    
    Otherwise we'll have a problem if another tevent_context is used
    after the handshake.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15621
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 5844ef27aa46cba3d343035ccd35b03525db9843
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Jan 26 14:27:16 2024 +0100

    s4:lib/tls: remove tstream_tls_push_trigger_write step
    
    At the time of https://bugzilla.samba.org/show_bug.cgi?id=7218,
    we tested these versions:
        2.4.1 -> broken
        2.4.2 -> broken
        2.6.0 -> broken
        2.8.0 -> broken
        2.8.1 -> broken
        2.8.2 -> OK
        2.8.3 -> OK
        2.8.4 -> OK
        2.8.5 -> OK
        2.8.6 -> OK
        2.10.0 -> broken
        2.10.1 -> broken
        2.10.2 -> OK
    
    These seemed to be the fixes in gnutls upstream.
    
    Change 2.8.1 -> 2.8.2:
    http://git.savannah.gnu.org/gitweb/?p=gnutls.git;a=commitdiff;h=28fb34099edaf62e5472cc6e5e2749fed369ea01
    
    Change 2.10.1 -> 2.10.2:
    http://git.savannah.gnu.org/gitweb/?p=gnutls.git;a=commitdiff;h=0d07d8432d57805a8354ebd6c1e7829f3ab159cb
    
    This shouldn't be a problem with recent (>= 3.6) versions of gnutls.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15621
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 68f6a461e1706f03007d3c5cfc68c71383b4ff28
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Jan 26 18:04:57 2024 +0100

    s4:libcli/ldap: force GSS-SPNEGO in ldap_bind_sasl()
    
    There's no point in asking the server for supportedSASLMechanisms,
    every server (we care about) supports GSS-SPNEGO.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15621
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 8deba427e2697501f10e80a2ac0325a657635b92
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Jan 26 18:07:53 2024 +0100

    s4:libcli/ldap: fix no memory error code in ldap_bind_sasl()
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15621
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 2435ab1ad7092c004df72c2cb033eb94e5bf8274
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Apr 17 21:02:03 2024 +0200

    ldb_ildap: require ldb_get_opaque(ldb, "loadparm") to be valid
    
    Without a valid loadparm_context we can't connect.
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 8007569e9f7d374456a3fbd172a905173462eb5f
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Apr 17 21:01:08 2024 +0200

    s4:libcli/ldap: ldap4_new_connection() requires a valid lp_ctx
    
    Otherwise we'll crash in a lot of places later.
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 96e4a92f192dcf0e5bd4ff4b3af9993ae864b804
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Apr 17 20:52:30 2024 +0200

    tests/segfault.py: make sure samdb.connect(url) has a valid lp_ctx
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

-----------------------------------------------------------------------

Summary of changes:
 WHATSNEW.txt                                       |  64 ++
 auth/gensec/gensec.c                               |  63 ++
 auth/gensec/gensec.h                               |   8 +
 auth/gensec/gensec_internal.h                      |  18 +
 auth/gensec/gensec_start.c                         |   1 +
 auth/gensec/spnego.c                               |  10 -
 auth/ntlmssp/ntlmssp_client.c                      |  13 +-
 auth/ntlmssp/ntlmssp_private.h                     |   2 +
 auth/ntlmssp/ntlmssp_server.c                      |  47 ++
 auth/ntlmssp/ntlmssp_util.c                        |  98 +++
 .../smbdotconf/ldap/clientldapsaslwrapping.xml     |   7 +
 .../ldap/ldapserverrequirestrongauth.xml           |  38 +-
 .../security/clientusepsnegoprincipal.xml          |  35 -
 docs-xml/smbdotconf/security/tlscadirs.xml         |  14 +
 docs-xml/smbdotconf/security/tlscafile.xml         |   2 +
 docs-xml/smbdotconf/security/tlstrustsystemcas.xml |  17 +
 docs-xml/smbdotconf/security/tlsverifypeer.xml     |   8 +-
 lib/crypto/gnutls_helpers.h                        |   6 +
 lib/crypto/gnutls_server_end_point_cb.c            | 130 ++++
 lib/crypto/wscript                                 |   6 +-
 lib/ldb-samba/ldb_ildap.c                          |   9 +-
 lib/param/loadparm.c                               |   1 -
 lib/param/loadparm.h                               |   1 +
 lib/param/param_table.c                            |   4 +
 python/samba/netcmd/testparm.py                    |  10 +
 python/samba/tests/segfault.py                     |   4 +
 selftest/expectedfail.d/samba4.ldb.simple.ldap-tls |  28 +
 selftest/expectedfail_heimdal                      |  14 +
 selftest/knownfail                                 |   6 -
 selftest/target/Samba3.pm                          |   2 +-
 selftest/target/Samba4.pm                          |   2 +-
 selftest/wscript                                   |   4 +
 source3/include/includes.h                         |   5 -
 source3/include/tldap.h                            |  37 +-
 source3/lib/tldap.c                                | 346 +++++++--
 source3/lib/tldap_gensec_bind.c                    | 219 +++---
 source3/lib/tldap_gensec_bind.h                    |  14 +-
 source3/lib/tldap_tls_connect.c                    | 229 ++++++
 .../lib/tldap_tls_connect.h                        |  30 +-
 source3/libads/ads_proto.h                         |  10 +
 source3/libads/ads_struct.c                        |  15 +-
 source3/libads/authdata.c                          |   1 -
 source3/libads/ldap.c                              | 104 ++-
 source3/libads/sasl.c                              | 321 ++------
 source3/libads/sasl_wrapping.c                     |  10 +-
 source3/libads/tls_wrapping.c                      | 226 ++++++
 source3/librpc/crypto/gse.c                        |  95 ++-
 source3/librpc/idl/ads.idl                         |  26 +-
 source3/libsmb/cliconnect.c                        |   1 -
 source3/rpc_server/mdssvc/mdssvc_es.c              |  25 +-
 source3/selftest/tests.py                          |   5 +-
 source3/torture/torture.c                          |  54 +-
 source3/utils/testparm.c                           |  12 +
 source3/winbindd/idmap_ad.c                        |  67 +-
 source3/wscript                                    |   6 +-
 source3/wscript_build                              |   4 +
 source4/auth/gensec/gensec_gssapi.c                |  77 +-
 source4/auth/gensec/gensec_gssapi.h                |   1 +
 source4/client/http_test.c                         |   4 +
 source4/ldap_server/ldap_backend.c                 |   1 -
 source4/ldap_server/ldap_bind.c                    |  62 +-
 source4/ldap_server/ldap_server.c                  |  11 +
 source4/lib/tls/tls.h                              |  28 +
 source4/lib/tls/tls_tstream.c                      | 848 +++++++++++++++------
 source4/lib/tls/wscript_build                      |   1 +
 source4/libcli/ldap/ldap_bind.c                    | 111 +--
 source4/libcli/ldap/ldap_client.c                  | 112 ++-
 source4/libcli/ldap/ldap_client.h                  |   1 +
 source4/librpc/rpc/dcerpc_roh.c                    |  20 +-
 source4/scripting/bin/wscript_build                |   2 +-
 source4/scripting/wscript_build                    |   2 +-
 source4/selftest/tests.py                          |  36 +-
 testprogs/blackbox/test_net_ads_search_server.sh   |  42 +
 third_party/heimdal/lib/gssapi/krb5/8003.c         |   5 +
 .../heimdal/lib/gssapi/krb5/init_sec_context.c     |  10 +
 third_party/heimdal/lib/gssapi/test_context.c      |   4 +
 third_party/heimdal/lib/krb5/build_auth.c          | 100 ++-
 third_party/heimdal/lib/krb5/mk_req_ext.c          |   1 +
 third_party/heimdal/tests/gss/check-context.in     |  35 +
 wscript                                            |   2 +-
 wscript_configure_embedded_heimdal                 |   7 +
 wscript_configure_system_gnutls                    |   5 +
 82 files changed, 3102 insertions(+), 960 deletions(-)
 delete mode 100644 docs-xml/smbdotconf/security/clientusepsnegoprincipal.xml
 create mode 100644 docs-xml/smbdotconf/security/tlscadirs.xml
 create mode 100644 docs-xml/smbdotconf/security/tlstrustsystemcas.xml
 create mode 100644 lib/crypto/gnutls_server_end_point_cb.c
 create mode 100644 selftest/expectedfail.d/samba4.ldb.simple.ldap-tls
 create mode 100644 selftest/expectedfail_heimdal
 create mode 100644 source3/lib/tldap_tls_connect.c
 copy libcli/named_pipe_auth/tstream_u32_read.h => source3/lib/tldap_tls_connect.h (59%)
 create mode 100644 source3/libads/tls_wrapping.c


Changeset truncated at 500 lines:

diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index bdd296909d3..e08070a0ed3 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -12,6 +12,29 @@ Samba 4.21 will be the next version of the Samba suite.
 UPGRADING
 =========
 
+LDAP TLS/SASL channel binding support
+-------------------------------------
+
+The ldap server supports SASL binds with
+kerberos or NTLMSSP over TLS connections
+now (either ldaps or starttls).
+
+Setups where 'ldap server require strong auth = allow_sasl_over_tls'
+was required before, can now most likely move to the
+default of 'ldap server require strong auth = yes'.
+
+If SASL binds without correct tls channel bindings are required
+'ldap server require strong auth = allow_sasl_without_tls_channel_bindings'
+should be used now, as 'allow_sasl_over_tls' will generate a
+warning in every start of 'samba', as well as '[samba-tool ]testparm'.
+
+This is similar to LdapEnforceChannelBinding under
+HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
+on Windows.
+
+All client tools using ldaps also include the correct
+channel bindings now.
+
 
 NEW FEATURES/CHANGES
 ====================
@@ -46,6 +69,42 @@ never took into account later changes, and so has not worked for a
 number of years.  Samba 4.21 and LDB 2.10 removes this unused and
 broken feature.
 
+Using ldaps from 'winbindd' and 'net ads'
+-----------------------------------------
+
+Beginning with Samba 3.0.22 the 'ldap ssl = start tls' option also
+impacted LDAP connections to active directory domain controllers.
+Using the STARTTLS operation on LDAP port 389 connections. Starting
+with Samba 3.5.0 'ldap ssl ads = yes' was required in addition in
+order let to 'ldap ssl = start tls' have any effect on those
+connections.
+
+'ldap ssl ads' was deprecated with Samba 4.8.0 and removed together
+with the whole functionality in Samba 4.14.0, because it didn't support
+tls channel bindings required for the sasl authentication.
+
+The functionality is now re-added using the correct channel bindings
+based on the gnutls based tls implementation we already have, instead
+of using the tls layer provided by openldap. This makes it available
+and consistent with all LDAP client libraries we use and implement on
+our own.
+
+The 'client ldap sasl wrapping' option gained the two new possible values:
+'starttls' (using STARTTLS on tcp port 389)
+and
+'ldaps' (using TLS directly on tcp port 636).
+
+If you had 'ldap ssl = start tls' and 'ldap ssl ads = yes'
+before, you can now use 'client ldap sasl wrapping = starttls'
+in order to get STARTTLS on tcp port 389.
+
+As we no longer use the openldap tls layer it is required to configure the
+correct certificate trusts with at least one of the following options:
+'tls trust system cas', 'tls ca directories' or 'tls cafile'.
+While 'tls verify peer' and 'tls crlfile' are also relevant,
+see 'man smb.conf' for further details.
+
+
 REMOVED FEATURES
 ================
 
@@ -55,6 +114,11 @@ smb.conf changes
 
   Parameter Name                          Description     Default
   --------------                          -----------     -------
+  client ldap sasl wrapping               new values
+  client use spnego principal             removed
+  ldap server require strong auth         new values
+  tls trust system cas                    new
+  tls ca directories                      new
 
 
 KNOWN ISSUES
diff --git a/auth/gensec/gensec.c b/auth/gensec/gensec.c
index 26b5865bff5..8785e69be63 100644
--- a/auth/gensec/gensec.c
+++ b/auth/gensec/gensec.c
@@ -854,3 +854,66 @@ _PUBLIC_ const char *gensec_get_target_principal(struct gensec_security *gensec_
 
 	return NULL;
 }
+
+static int gensec_channel_bindings_destructor(struct gensec_channel_bindings *cb)
+{
+	data_blob_clear_free(&cb->initiator_address);
+	data_blob_clear_free(&cb->acceptor_address);
+	data_blob_clear_free(&cb->application_data);
+	*cb = (struct gensec_channel_bindings) { .initiator_addrtype = 0, };
+	return 0;
+}
+
+_PUBLIC_ NTSTATUS gensec_set_channel_bindings(struct gensec_security *gensec_security,
+					      uint32_t initiator_addrtype,
+					      const DATA_BLOB *initiator_address,
+					      uint32_t acceptor_addrtype,
+					      const DATA_BLOB *acceptor_address,
+					      const DATA_BLOB *application_data)
+{
+	struct gensec_channel_bindings *cb = NULL;
+
+	if (gensec_security->subcontext) {
+		return NT_STATUS_INTERNAL_ERROR;
+	}
+
+	if (gensec_security->channel_bindings != NULL) {
+		return NT_STATUS_ALREADY_REGISTERED;
+	}
+
+	cb = talloc_zero(gensec_security, struct gensec_channel_bindings);
+	if (cb == NULL) {
+		return NT_STATUS_NO_MEMORY;
+	}
+	talloc_set_destructor(cb, gensec_channel_bindings_destructor);
+
+	cb->initiator_addrtype = initiator_addrtype;
+	if (initiator_address != NULL) {
+		cb->initiator_address = data_blob_dup_talloc(cb,
+							     *initiator_address);
+		if (cb->initiator_address.length != initiator_address->length) {
+			TALLOC_FREE(cb);
+			return NT_STATUS_NO_MEMORY;
+		}
+	}
+	cb->acceptor_addrtype = acceptor_addrtype;
+	if (acceptor_address != NULL) {
+		cb->acceptor_address = data_blob_dup_talloc(cb,
+						            *acceptor_address);
+		if (cb->acceptor_address.length != acceptor_address->length) {
+			TALLOC_FREE(cb);
+			return NT_STATUS_NO_MEMORY;
+		}
+	}
+	if (application_data != NULL) {
+		cb->application_data = data_blob_dup_talloc(cb,
+							    *application_data);
+		if (cb->application_data.length != application_data->length) {
+			TALLOC_FREE(cb);
+			return NT_STATUS_NO_MEMORY;
+		}
+	}
+
+	gensec_security->channel_bindings = cb;
+	return NT_STATUS_OK;
+}
diff --git a/auth/gensec/gensec.h b/auth/gensec/gensec.h
index 29d5e92c130..25242384f55 100644
--- a/auth/gensec/gensec.h
+++ b/auth/gensec/gensec.h
@@ -70,6 +70,7 @@ struct gensec_target {
 #define GENSEC_FEATURE_NO_AUTHZ_LOG	0x00000800
 #define GENSEC_FEATURE_SMB_TRANSPORT	0x00001000
 #define GENSEC_FEATURE_LDAPS_TRANSPORT	0x00002000
+#define GENSEC_FEATURE_CB_OPTIONAL	0x00004000
 
 #define GENSEC_EXPIRE_TIME_INFINITY (NTTIME)0x8000000000000000LL
 
@@ -313,6 +314,13 @@ bool gensec_setting_bool(struct gensec_settings *settings, const char *mechanism
 NTSTATUS gensec_set_target_principal(struct gensec_security *gensec_security, const char *principal);
 const char *gensec_get_target_principal(struct gensec_security *gensec_security);
 
+NTSTATUS gensec_set_channel_bindings(struct gensec_security *gensec_security,
+				     uint32_t initiator_addrtype,
+				     const DATA_BLOB *initiator_address,
+				     uint32_t acceptor_addrtype,
+				     const DATA_BLOB *acceptor_address,
+				     const DATA_BLOB *application_data);
+
 NTSTATUS gensec_generate_session_info_pac(TALLOC_CTX *mem_ctx,
 					  struct gensec_security *gensec_security,
 					  struct smb_krb5_context *smb_krb5_context,
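Review bot: The new public gensec_set_channel_bindings() prototype carries no documentation, although its contract is non-obvious from the definition in gensec.c: it must be called on the top-level context (a subcontext gets NT_STATUS_INTERNAL_ERROR), it may only be called once per context (NT_STATUS_ALREADY_REGISTERED afterwards), each non-NULL blob is copied into talloc memory owned by the gensec context and wiped on free, and NULL blobs are allowed. A Doxygen block on the declaration stating those four points and the meaning of the addrtype/address pairs (they mirror gss_channel_bindings_struct, as the comment in gensec_internal.h says) would save every caller a trip into gensec.c. The same applies to GENSEC_FEATURE_CB_OPTIONAL in the previous hunk, which is added without a comment; from its use in ntlmssp_server.c a one-liner such as `/* accept a peer that sends no channel bindings at all; bindings that are present are still verified */` describes it.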
diff --git a/auth/gensec/gensec_internal.h b/auth/gensec/gensec_internal.h
index 8efb1bdff0f..4d8eca99881 100644
--- a/auth/gensec/gensec_internal.h
+++ b/auth/gensec/gensec_internal.h
@@ -95,6 +95,23 @@ struct gensec_security_ops_wrapper {
 	const char *oid;
 };
 
+/*
+ * typedef struct gss_channel_bindings_struct {
+ *       OM_uint32 initiator_addrtype;
+ *       gss_buffer_desc initiator_address;
+ *       OM_uint32 acceptor_addrtype;
+ *       gss_buffer_desc acceptor_address;
+ *       gss_buffer_desc application_data;
+ * } *gss_channel_bindings_t;
+ */
+struct gensec_channel_bindings {
+	uint32_t initiator_addrtype;
+	DATA_BLOB initiator_address;
+	uint32_t acceptor_addrtype;
+	DATA_BLOB acceptor_address;
+	DATA_BLOB application_data;
+};
+
 struct gensec_security {
 	const struct gensec_security_ops *ops;
 	void *private_data;
@@ -106,6 +123,7 @@ struct gensec_security {
 	uint32_t max_update_size;
 	uint8_t dcerpc_auth_level;
 	struct tsocket_address *local_addr, *remote_addr;
+	struct gensec_channel_bindings *channel_bindings;
 	struct gensec_settings *settings;
 
 	/* When we are a server, this may be filled in to provide an
diff --git a/auth/gensec/gensec_start.c b/auth/gensec/gensec_start.c
index bcf98bd5968..4405aca278d 100644
--- a/auth/gensec/gensec_start.c
+++ b/auth/gensec/gensec_start.c
@@ -732,6 +732,7 @@ _PUBLIC_ NTSTATUS gensec_subcontext_start(TALLOC_CTX *mem_ctx,
 	(*gensec_security)->auth_context = talloc_reference(*gensec_security, parent->auth_context);
 	(*gensec_security)->settings = talloc_reference(*gensec_security, parent->settings);
 	(*gensec_security)->auth_context = talloc_reference(*gensec_security, parent->auth_context);
+	(*gensec_security)->channel_bindings = talloc_reference(*gensec_security, parent->channel_bindings);
 
 	talloc_set_destructor((*gensec_security), gensec_security_destructor);
 	return NT_STATUS_OK;
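Review bot: The talloc_reference() result for channel_bindings on the added line is not checked, so if the reference allocation fails the subcontext silently continues with channel_bindings == NULL; in ntlmssp_server_preauth that skips the binding verification entirely, and on the client side the MsvChannelBindings hash becomes all zeros or is omitted, i.e. an allocation failure degrades to "no channel binding" instead of failing. The existing settings/auth_context lines have the same gap, but for channel bindings the outcome is a security downgrade, so the new line should fail closed. gensec_subcontext_start begins outside the hunk, so the teardown path for a partially built child is not visible here; the fence assumes freeing *gensec_security is the right recovery, as elsewhere in gensec.
```c
	(*gensec_security)->channel_bindings = talloc_reference(*gensec_security, parent->channel_bindings);
	if (parent->channel_bindings != NULL &&
	    (*gensec_security)->channel_bindings == NULL) {
		TALLOC_FREE(*gensec_security);
		return NT_STATUS_NO_MEMORY;
	}
	/* … unchanged: destructor registration and return … */
```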
diff --git a/auth/gensec/spnego.c b/auth/gensec/spnego.c
index fcb5a06439e..717f643957a 100644
--- a/auth/gensec/spnego.c
+++ b/auth/gensec/spnego.c
@@ -503,18 +503,8 @@ static NTSTATUS gensec_spnego_client_negTokenInit_start(
 					TALLOC_CTX *in_mem_ctx,
 					DATA_BLOB *in_next)
 {
-	const char *tp = NULL;
-
 	/* The server offers a list of mechanisms */
 
-	tp = spnego_in->negTokenInit.targetPrincipal;
-	if (tp != NULL && strcmp(tp, ADS_IGNORE_PRINCIPAL) != 0) {
-		DBG_INFO("Server claims it's principal name is %s\n", tp);
-		if (lpcfg_client_use_spnego_principal(gensec_security->settings->lp_ctx)) {
-			gensec_set_target_principal(gensec_security, tp);
-		}
-	}
-
 	n->mech_idx = 0;
 
 	/* Do not use server mech list as it isn't protected. Instead, get all
diff --git a/auth/ntlmssp/ntlmssp_client.c b/auth/ntlmssp/ntlmssp_client.c
index 337aeed9229..d8dc1d2940b 100644
--- a/auth/ntlmssp/ntlmssp_client.c
+++ b/auth/ntlmssp/ntlmssp_client.c
@@ -599,6 +599,8 @@ NTSTATUS ntlmssp_client_challenge(struct gensec_security *gensec_security,
 			SingleHost->Value.AvSingleHost.remaining = data_blob_null;
 		}
 
+		if (!(gensec_security->want_features & GENSEC_FEATURE_CB_OPTIONAL)
+		    || gensec_security->channel_bindings != NULL)
 		{
 			struct AV_PAIR *ChannelBindings = NULL;
 
@@ -607,13 +609,12 @@ NTSTATUS ntlmssp_client_challenge(struct gensec_security *gensec_security,
 			count++;
 			*eol = *ChannelBindings;
 
-			/*
-			 * gensec doesn't support channel bindings yet,
-			 * but we want to match Windows on the wire
-			 */
 			ChannelBindings->AvId = MsvChannelBindings;
-			memset(ChannelBindings->Value.ChannelBindings, 0,
-			       sizeof(ChannelBindings->Value.ChannelBindings));
+			nt_status = ntlmssp_hash_channel_bindings(gensec_security,
+					ChannelBindings->Value.ChannelBindings);
+			if (!NT_STATUS_IS_OK(nt_status)) {
+				return nt_status;
+			}
 		}
 
 		service = gensec_get_target_service(gensec_security);
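Review bot: The condition that opens this block in the previous hunk, `!(want_features & GENSEC_FEATURE_CB_OPTIONAL) || channel_bindings != NULL`, is the wire-visible half of a protocol contract and deserves a comment, because its effect is only clear together with ntlmssp_server_preauth: when the feature is optional and no bindings are set, the MsvChannelBindings AV pair is omitted entirely, and that absence (not an all-zero value) is what an optional-mode server accepts. Something like `/* With CB_OPTIONAL and no bindings, omit MsvChannelBindings; a server in optional mode accepts only a missing pair, never explicit zeros. */` above the `if` would prevent a future "simplification" that always emits a zeroed pair and thereby breaks optional-mode binds. The enclosing ntlmssp_client_challenge starts and ends outside the hunk.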
diff --git a/auth/ntlmssp/ntlmssp_private.h b/auth/ntlmssp/ntlmssp_private.h
index 4d84e3347b6..7b939b80ae2 100644
--- a/auth/ntlmssp/ntlmssp_private.h
+++ b/auth/ntlmssp/ntlmssp_private.h
@@ -56,6 +56,8 @@ void debug_ntlmssp_flags(uint32_t neg_flags);
 NTSTATUS ntlmssp_handle_neg_flags(struct ntlmssp_state *ntlmssp_state,
 				  uint32_t neg_flags, const char *name);
 const DATA_BLOB ntlmssp_version_blob(void);
+NTSTATUS ntlmssp_hash_channel_bindings(struct gensec_security *gensec_security,
+				       uint8_t cb_hash[16]);
 
 /* The following definitions come from auth/ntlmssp_server.c  */
 
diff --git a/auth/ntlmssp/ntlmssp_server.c b/auth/ntlmssp/ntlmssp_server.c
index 64b96283eb2..1e49379a8ed 100644
--- a/auth/ntlmssp/ntlmssp_server.c
+++ b/auth/ntlmssp/ntlmssp_server.c
@@ -386,6 +386,9 @@ static NTSTATUS ntlmssp_server_preauth(struct gensec_security *gensec_security,
 	DATA_BLOB version_blob = data_blob_null;
 	const unsigned int mic_len = NTLMSSP_MIC_SIZE;
 	DATA_BLOB mic_blob = data_blob_null;
+	const uint8_t zero_channel_bindings[16] = { 0, };
+	const uint8_t *client_channel_bindings = zero_channel_bindings;
+	uint8_t server_channel_bindings[16] = { 0, };
 	const char *parse_string;
 	bool ok;
 	struct timeval endtime;
@@ -523,6 +526,7 @@ static NTSTATUS ntlmssp_server_preauth(struct gensec_security *gensec_security,
 		uint32_t i = 0;
 		uint32_t count = 0;
 		const struct AV_PAIR *flags = NULL;
+		const struct AV_PAIR *cb = NULL;
 		const struct AV_PAIR *eol = NULL;
 		uint32_t av_flags = 0;
 
@@ -598,6 +602,12 @@ static NTSTATUS ntlmssp_server_preauth(struct gensec_security *gensec_security,
 			ntlmssp_state->new_spnego = true;
 		}
 
+		cb = ndr_ntlmssp_find_av(&v2_resp.Challenge.AvPairs,
+					 MsvChannelBindings);
+		if (cb != NULL) {
+			client_channel_bindings = cb->Value.ChannelBindings;
+		}
+
 		count = ntlmssp_state->server.av_pair_list.count;
 		if (v2_resp.Challenge.AvPairs.count < count) {
 			return NT_STATUS_INVALID_PARAMETER;
@@ -700,6 +710,43 @@ static NTSTATUS ntlmssp_server_preauth(struct gensec_security *gensec_security,
 		}
 	}
 
+	if (gensec_security->channel_bindings != NULL) {
+		nt_status = ntlmssp_hash_channel_bindings(gensec_security,
+							  server_channel_bindings);
+		if (!NT_STATUS_IS_OK(nt_status)) {
+			return nt_status;
+		}
+
+		ok = mem_equal_const_time(client_channel_bindings,
+					  server_channel_bindings,
+					  16);
+		if (!ok && gensec_security->want_features & GENSEC_FEATURE_CB_OPTIONAL) {
+			/*
+			 * Unlike kerberos, explicit 16 zeros in
+			 * MsvChannelBindings are not enough to
+			 * pass the optional check.
+			 *
+			 * So we only let it through without explicit
+			 * MsvChannelBindings.
+			 */
+			ok = (client_channel_bindings == zero_channel_bindings);
+		}
+		if (!ok) {
+			DBG_WARNING("Invalid channel bindings for "
+				    "user=[%s] domain=[%s] workstation=[%s]\n",
+				    ntlmssp_state->user,
+				    ntlmssp_state->domain,
+				    ntlmssp_state->client.netbios_name);
+			dump_data(DBGLVL_WARNING,
+				  client_channel_bindings,
+				  16);
+			dump_data(DBGLVL_WARNING,
+				  server_channel_bindings,
+				  16);
+			return NT_STATUS_BAD_BINDINGS;
+		}
+	}
+
 	nttime_to_timeval(&endtime, ntlmssp_state->server.challenge_endtime);
 	expired = timeval_expired(&endtime);
 	if (expired) {
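Review bot: The comparison length in mem_equal_const_time() and both dump_data() calls is a bare `16` that must stay in step with the `[16]` array declarations added in the first hunk; using `sizeof(server_channel_bindings)` in all three places ties the length to the buffer. The test `!ok && gensec_security->want_features & GENSEC_FEATURE_CB_OPTIONAL` is correct only because `&` binds tighter than `&&`; parenthesizing the mask as ntlmssp_client.c does, `if (!ok && (gensec_security->want_features & GENSEC_FEATURE_CB_OPTIONAL)) {`, makes the intent explicit. The pointer-identity check against zero_channel_bindings is sound as written but fragile: it relies on client_channel_bindings never being reassigned after the find_av lookup in the third hunk, which is worth stating in the existing comment. ntlmssp_server_preauth starts and ends outside the hunk.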
diff --git a/auth/ntlmssp/ntlmssp_util.c b/auth/ntlmssp/ntlmssp_util.c
index 6f3b474fd71..b8dc84e1652 100644
--- a/auth/ntlmssp/ntlmssp_util.c
+++ b/auth/ntlmssp/ntlmssp_util.c
@@ -22,9 +22,15 @@
 */
 
 #include "includes.h"
+#include "auth/gensec/gensec.h"
+#include "auth/gensec/gensec_internal.h"
 #include "../auth/ntlmssp/ntlmssp.h"
 #include "../auth/ntlmssp/ntlmssp_private.h"
 
+#include "lib/crypto/gnutls_helpers.h"
+#include <gnutls/gnutls.h>
+#include <gnutls/crypto.h>
+
 #undef DBGC_CLASS
 #define DBGC_CLASS DBGC_AUTH
 
@@ -218,3 +224,95 @@ const DATA_BLOB ntlmssp_version_blob(void)
 
 	return data_blob_const(version_buffer, ARRAY_SIZE(version_buffer));
 }
+
+NTSTATUS ntlmssp_hash_channel_bindings(struct gensec_security *gensec_security,
+				       uint8_t cb_hash[16])
+{
+	const struct gensec_channel_bindings *cb =
+		gensec_security->channel_bindings;
+	gnutls_hash_hd_t hash_hnd = NULL;
+	uint8_t uint32buf[4];
+	int rc;
+
+	if (cb == NULL) {
+		memset(cb_hash, 0, 16);
+		return NT_STATUS_OK;
+	}
+
+	GNUTLS_FIPS140_SET_LAX_MODE();
+	rc = gnutls_hash_init(&hash_hnd, GNUTLS_DIG_MD5);
+	if (rc < 0) {
+		GNUTLS_FIPS140_SET_STRICT_MODE();
+		return gnutls_error_to_ntstatus(rc, NT_STATUS_HMAC_NOT_SUPPORTED);
+	}
+
+	SIVAL(uint32buf, 0, cb->initiator_addrtype);
+	rc = gnutls_hash(hash_hnd, uint32buf, sizeof(uint32buf));
+	if (rc < 0) {
+		gnutls_hash_deinit(hash_hnd, NULL);
+		GNUTLS_FIPS140_SET_STRICT_MODE();
+		return gnutls_error_to_ntstatus(rc, NT_STATUS_HMAC_NOT_SUPPORTED);
+	}
+	SIVAL(uint32buf, 0, cb->initiator_address.length);
+	rc = gnutls_hash(hash_hnd, uint32buf, sizeof(uint32buf));
+	if (rc < 0) {
+		gnutls_hash_deinit(hash_hnd, NULL);
+		GNUTLS_FIPS140_SET_STRICT_MODE();
+		return gnutls_error_to_ntstatus(rc, NT_STATUS_HMAC_NOT_SUPPORTED);
+	}
+	if (cb->initiator_address.length > 0) {
+		rc = gnutls_hash(hash_hnd,
+				 cb->initiator_address.data,
+				 cb->initiator_address.length);
+		if (rc < 0) {
+			gnutls_hash_deinit(hash_hnd, NULL);
+			GNUTLS_FIPS140_SET_STRICT_MODE();
+			return gnutls_error_to_ntstatus(rc, NT_STATUS_HMAC_NOT_SUPPORTED);
+		}
+	}
+	SIVAL(uint32buf, 0, cb->acceptor_addrtype);
+	rc = gnutls_hash(hash_hnd, uint32buf, sizeof(uint32buf));
+	if (rc < 0) {
+		gnutls_hash_deinit(hash_hnd, NULL);
+		GNUTLS_FIPS140_SET_STRICT_MODE();
+		return gnutls_error_to_ntstatus(rc, NT_STATUS_HMAC_NOT_SUPPORTED);
+	}
+	SIVAL(uint32buf, 0, cb->acceptor_address.length);
+	rc = gnutls_hash(hash_hnd, uint32buf, sizeof(uint32buf));
+	if (rc < 0) {
+		gnutls_hash_deinit(hash_hnd, NULL);
+		GNUTLS_FIPS140_SET_STRICT_MODE();
+		return gnutls_error_to_ntstatus(rc, NT_STATUS_HMAC_NOT_SUPPORTED);
+	}
+	if (cb->acceptor_address.length > 0) {
+		rc = gnutls_hash(hash_hnd,
+				 cb->acceptor_address.data,
+				 cb->acceptor_address.length);
+		if (rc < 0) {
+			gnutls_hash_deinit(hash_hnd, NULL);
+			GNUTLS_FIPS140_SET_STRICT_MODE();
+			return gnutls_error_to_ntstatus(rc, NT_STATUS_HMAC_NOT_SUPPORTED);
+		}
+	}
+	SIVAL(uint32buf, 0, cb->application_data.length);
+	rc = gnutls_hash(hash_hnd, uint32buf, sizeof(uint32buf));
+	if (rc < 0) {
+		gnutls_hash_deinit(hash_hnd, NULL);
+		GNUTLS_FIPS140_SET_STRICT_MODE();
+		return gnutls_error_to_ntstatus(rc, NT_STATUS_HMAC_NOT_SUPPORTED);
+	}
+	if (cb->application_data.length > 0) {
+		rc = gnutls_hash(hash_hnd,
+				 cb->application_data.data,
+				 cb->application_data.length);
+		if (rc < 0) {
+			gnutls_hash_deinit(hash_hnd, NULL);
+			GNUTLS_FIPS140_SET_STRICT_MODE();
+			return gnutls_error_to_ntstatus(rc, NT_STATUS_HMAC_NOT_SUPPORTED);
+		}
+	}
+
+	gnutls_hash_deinit(hash_hnd, cb_hash);
+	GNUTLS_FIPS140_SET_STRICT_MODE();
+	return NT_STATUS_OK;
+}
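Review bot: The eight error paths in ntlmssp_hash_channel_bindings() each repeat `gnutls_hash_deinit(hash_hnd, NULL); GNUTLS_FIPS140_SET_STRICT_MODE(); return …;`, and three of them are the same "4-byte length, then the bytes" sequence applied to different blobs; a static helper for the length-prefixed blob plus a single cleanup label keeps the wire format identical while making it hard to forget restoring strict FIPS mode on a new exit. The function also has no header comment; suggest `/* MD5 over the gss_channel_bindings_struct fields (MS-NLMP MsvChannelBindings); writes 16 zero bytes when no channel bindings are set. */`. The fence keeps the hashing order exactly as in the hunk.
```c
/* Hash a blob as a 32-bit little-endian length followed by its bytes (if any). */
static int ntlmssp_hash_cb_blob(gnutls_hash_hd_t hash_hnd, const DATA_BLOB *blob)
{
	uint8_t uint32buf[4];
	int rc;

	SIVAL(uint32buf, 0, blob->length);
	rc = gnutls_hash(hash_hnd, uint32buf, sizeof(uint32buf));
	if (rc < 0 || blob->length == 0) {
		return rc;
	}
	return gnutls_hash(hash_hnd, blob->data, blob->length);
}

NTSTATUS ntlmssp_hash_channel_bindings(struct gensec_security *gensec_security,
				       uint8_t cb_hash[16])
{
	/* … unchanged: locals, cb == NULL early return, lax mode and gnutls_hash_init … */

	SIVAL(uint32buf, 0, cb->initiator_addrtype);
	rc = gnutls_hash(hash_hnd, uint32buf, sizeof(uint32buf));
	if (rc < 0) {
		goto fail;
	}
	rc = ntlmssp_hash_cb_blob(hash_hnd, &cb->initiator_address);
	if (rc < 0) {
		goto fail;
	}
	SIVAL(uint32buf, 0, cb->acceptor_addrtype);
	rc = gnutls_hash(hash_hnd, uint32buf, sizeof(uint32buf));
	if (rc < 0) {
		goto fail;
	}
	rc = ntlmssp_hash_cb_blob(hash_hnd, &cb->acceptor_address);
	if (rc < 0) {
		goto fail;
	}
	rc = ntlmssp_hash_cb_blob(hash_hnd, &cb->application_data);
	if (rc < 0) {
		goto fail;
	}

	gnutls_hash_deinit(hash_hnd, cb_hash);
	GNUTLS_FIPS140_SET_STRICT_MODE();
	return NT_STATUS_OK;

fail:
	/* Single exit for every gnutls error: release the handle and restore strict mode. */
	gnutls_hash_deinit(hash_hnd, NULL);
	GNUTLS_FIPS140_SET_STRICT_MODE();
	return gnutls_error_to_ntstatus(rc, NT_STATUS_HMAC_NOT_SUPPORTED);
}
```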
diff --git a/docs-xml/smbdotconf/ldap/clientldapsaslwrapping.xml b/docs-xml/smbdotconf/ldap/clientldapsaslwrapping.xml
index 21bd2090057..5e108dc04ce 100644
--- a/docs-xml/smbdotconf/ldap/clientldapsaslwrapping.xml

