[SCM] Samba Shared Repository - branch v4-20-test updated

Jule Anger janger at samba.org
Tue Jul 9 10:54:02 UTC 2024


The branch, v4-20-test has been updated
       via  16b430e7401 s4:selftest: also test samba4.ldb.simple.ldap*SASL-BIND with ldap_testing:{channel_bound,tls_channel_bindings,forced_channel_binding}
       via  ac22551de3e selftest: split out selftest/expectedfail.d/samba4.ldb.simple.ldap-tls
       via  7c6c742106b s4:libcli/ldap: add tls channel binding support for ldap_bind_sasl()
       via  7f2e3839f25 s4:ldap_server: add support for tls channel bindings
       via  64d4c1cdcc3 s3:crypto/gse: implement channel binding support
       via  7b62c5f7d24 s4:gensec_gssapi: implement channel binding support
       via  1219bf38301 auth/ntlmssp: implement channel binding support
       via  c41feb6c2a4 auth/gensec: add gensec_set_channel_bindings() function
       via  2668243de22 wscript_configure_embedded_heimdal: define HAVE_CLIENT_GSS_C_CHANNEL_BOUND_FLAG
       via  c86e8742373 third_party/heimdal: import lorikeet-heimdal-202404171655 (commit 28a56d818074e049f0361ef74d7017f2a9391847)
       via  20d5335dc1f s4:lib/tls: add tstream_tls_channel_bindings()
       via  6fec41bdb31 lib/crypto: add legacy_gnutls_server_end_point_cb() if needed
       via  b2f44b81751 s4:libcli/ldap: make use of tstream_tls_params_client_lpcfg()
       via  254fa5041d6 s4:librpc/rpc: make use of tstream_tls_params_client_lpcfg()
       via  7a6ce2be813 s3:rpc_server/mdssvc: make use of tstream_tls_params_client_lpcfg()
       via  8989c3cd8ba s4:lib/tls: add tstream_tls_params_client_lpcfg()
       via  f1ca22f5577 s4:lib/tls: split out tstream_tls_verify_peer() helper
       via  1f0e6a44747 s4:lib/tls: include a TLS server name indication in the client handshake
       via  a55356b7cde s4:lib/tls: we no longer need ifdef GNUTLS_NO_TICKETS
       via  0c8fd43cc83 s4:lib/tls: split out tstream_tls_prepare_gnutls()
       via  3e90d30bab9 s4:lib/tls: assert that event contexts are not mixed
       via  c117f54ceed s3:lib/tls: we need to call tstream_tls_retry_handshake/disconnect() until all buffers are flushed
       via  52adc59a926 s4:lib/tls: remove tstream_tls_push_trigger_write step
       via  461f14259e2 s4:libcli/ldap: force GSS-SPNEGO in ldap_bind_sasl()
       via  39ffaf056b2 s4:libcli/ldap: fix no memory error code in ldap_bind_sasl()
       via  5545d934ec0 ldb_ildap: require ldb_get_opaque(ldb, "loadparm") to be valid
       via  07e707c4de4 s4:libcli/ldap: ldap4_new_connection() requires a valid lp_ctx
       via  52fc65513f4 selftest: move some more expected failures to expectedfail.d
      from  63b47dc0edc Fix starvation of pending writes in CTDB queues

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-20-test


- Log -----------------------------------------------------------------
commit 16b430e7401bb01cdaba7e39681d9d494228af03
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Feb 13 15:50:14 2024 +0100

    s4:selftest: also test samba4.ldb.simple.ldap*SASL-BIND with ldap_testing:{channel_bound,tls_channel_bindings,forced_channel_binding}
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15621
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    (cherry picked from commit 065da873296c23ef3b9051fba39be097cfff60fa)
    
    Autobuild-User(v4-20-test): Jule Anger <janger at samba.org>
    Autobuild-Date(v4-20-test): Tue Jul  9 10:53:40 UTC 2024 on atb-devel-224

commit ac22551de3ec0d604ab431f738630ff25aa9062d
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Feb 13 15:50:14 2024 +0100

    selftest: split out selftest/expectedfail.d/samba4.ldb.simple.ldap-tls
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15621
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    (cherry picked from commit 6794cc476249452c415881396bce4df663fc4fba)

commit 7c6c742106b14ab564bb24038266f53be9db915c
Author: Stefan Metzmacher <metze at samba.org>
Date:   Thu Sep 28 17:11:03 2023 +0200

    s4:libcli/ldap: add tls channel binding support for ldap_bind_sasl()
    
    We still allow 'ldap_testing:tls_channel_bindings = no' and
    'ldap_testing:channel_bound = no' for testing
    the old behavior in order to have expected failures in our tests.
    
    And we have 'ldap_testing:forced_channel_binding = somestring'
    in order to force invalid bindings.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15621
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    (cherry picked from commit 7acb15a53c061344ffdbd58f9b2f01f8b0233f4e)

commit 7f2e3839f257d6c87d0b8f5e66ecd1a950964913
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Jan 23 14:20:24 2024 +0100

    s4:ldap_server: add support for tls channel bindings
    
    ldap server require strong auth = allow_sasl_over_tls
    is now an alias for 'allow_sasl_without_tls_channel_bindings'
    and should be avoided and changed to 'yes' or
    'allow_sasl_without_tls_channel_bindings'.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15621
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    (cherry picked from commit 6c17e3d2800723bafebd1986ab59a9422c881f0b)

commit 64d4c1cdcc3ba09d48680f8315716c195d199aca
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Sep 29 11:55:45 2023 +0200

    s3:crypto/gse: implement channel binding support
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15621
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    (cherry picked from commit 811d04fea7d329a7f3c8e01ac20bfad48ac9cd4f)

commit 7b62c5f7d2419af3f29251ecd9e50811b0e7a4b2
Author: Stefan Metzmacher <metze at samba.org>
Date:   Thu Sep 28 17:09:37 2023 +0200

    s4:gensec_gssapi: implement channel binding support
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15621
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    (cherry picked from commit 1831006b77749dda902ae4ced0a96e5f14d89adb)

commit 1219bf3830120fa60c64a32ddc32899526510cd7
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Feb 11 16:07:05 2020 +0100

    auth/ntlmssp: implement channel binding support
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15621
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    (cherry picked from commit f1d34a430d227e685e2fe983b14c74136d9c8a8e)

commit c41feb6c2a47860a38e971be8c0fb829dfb08706
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Feb 11 15:26:07 2020 +0100

    auth/gensec: add gensec_set_channel_bindings() function
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15621
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    (cherry picked from commit e912ba579b1469c78ca65345ec1fe8376c74272c)

commit 2668243de22135b8f605a59f16b5d23fddab3469
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Apr 5 16:07:50 2024 +0200

    wscript_configure_embedded_heimdal: define HAVE_CLIENT_GSS_C_CHANNEL_BOUND_FLAG
    
    See https://github.com/heimdal/heimdal/pull/1234 and
    https://github.com/krb5/krb5/pull/1329.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15621
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    (cherry picked from commit 546e39a6fa122e6a40d1e62724e1712882ce3bce)

commit c86e8742373cfa022419de40427dba45239d0ae4
Author: Stefan Metzmacher <metze at samba.org>
Date:   Mon Mar 4 10:30:55 2024 +0100

    third_party/heimdal: import lorikeet-heimdal-202404171655 (commit 28a56d818074e049f0361ef74d7017f2a9391847)
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15603
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15621
    
    See also:
    https://github.com/heimdal/heimdal/pull/1234
    https://github.com/heimdal/heimdal/pull/1238
    https://github.com/heimdal/heimdal/pull/1240
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    (cherry picked from commit 9b92cbacac11fb64cca2c4770cbdce789525b87a)

commit 20d5335dc1f2ee6b33ba9d10467ca0d9fe7b7271
Author: Stefan Metzmacher <metze at samba.org>
Date:   Thu Sep 28 12:34:35 2023 +0200

    s4:lib/tls: add tstream_tls_channel_bindings()
    
    This is based on GNUTLS_CB_TLS_SERVER_END_POINT
    and is the value that is required for channel bindings
    in LDAP of active directory domain controllers.
    
    For gnutls versions before 3.7.2 we basically
    copied the code from the GNUTLS_CB_TLS_SERVER_END_POINT
    implementation as it only uses public gnutls functions
    and it was easy to re-implement.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15621
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    (cherry picked from commit cbd7ce44121246167e0c8a6d905180d82df1a2ef)
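
As an added illustration (not code from the Samba tree), the two derivations these commits wire together: the tls-server-end-point value that tstream_tls_channel_bindings() obtains from GnuTLS, the MsvChannelBindings hash that auth/ntlmssp now computes over the gss_channel_bindings_struct, and the server's accept/reject decision including the "optional" policy. The `tls-server-end-point:` prefix, the placeholder certificate bytes and all helper names are assumptions of this example.

```python
"""Channel-binding derivation for LDAP over TLS (added illustration)."""
import hashlib
import hmac
import struct
from typing import Optional

# Constructed placeholder standing in for DER-encoded certificate bytes.
# RFC 5929 hashes the raw DER, so no ASN.1 parsing is needed here.
FAKE_CERT_DER = b"\x30\x82\x01\x00constructed-placeholder-certificate"

# Assumed: the GSS-API channel-binding type prefix carried in
# application_data (RFC 5056 naming convention).
CB_PREFIX = b"tls-server-end-point:"


def tls_server_end_point(cert_der: bytes, sig_hash: str) -> bytes:
    """RFC 5929 section 4.1: hash the server's DER certificate with the hash
    named in its signatureAlgorithm (e.g. "sha1", "sha384"); MD5 and SHA-1
    are replaced by SHA-256."""
    algo = sig_hash.lower().replace("-", "")
    if algo in ("md5", "sha1"):
        algo = "sha256"
    return hashlib.new(algo, cert_der).digest()


def ldap_application_data(cert_der: bytes, sig_hash: str) -> bytes:
    """The application_data blob the LDAP client would hand to
    gensec_set_channel_bindings(); address fields stay empty."""
    return CB_PREFIX + tls_server_end_point(cert_der, sig_hash)


def serialize_channel_bindings(initiator_addrtype: int = 0,
                               initiator_address: bytes = b"",
                               acceptor_addrtype: int = 0,
                               acceptor_address: bytes = b"",
                               application_data: bytes = b"") -> bytes:
    """gss_channel_bindings_struct as hashed by MS-NLMP / RFC 4121:
    each addrtype as uint32 LE, each buffer as uint32 LE length + bytes."""
    out = struct.pack("<I", initiator_addrtype)
    out += struct.pack("<I", len(initiator_address)) + initiator_address
    out += struct.pack("<I", acceptor_addrtype)
    out += struct.pack("<I", len(acceptor_address)) + acceptor_address
    out += struct.pack("<I", len(application_data)) + application_data
    return out


def msv_channel_bindings(application_data: Optional[bytes]) -> bytes:
    """16-byte MsvChannelBindings AV_PAIR value. With no bindings configured
    the value is 16 zero bytes, which is the pre-change wire format."""
    if application_data is None:
        return bytes(16)
    # MD5 is what the protocol specifies for this field; it is a
    # wire-format requirement, not a primitive chosen by the implementer.
    cb = serialize_channel_bindings(application_data=application_data)
    return hashlib.md5(cb).digest()


def server_accepts(client_value: bytes, server_application_data: bytes,
                   cb_optional: bool, client_sent_pair: bool) -> bool:
    """Server decision: constant-time compare; under the optional policy a
    mismatch passes only when the client omitted the AV pair entirely,
    explicit zero bytes still fail."""
    expected = msv_channel_bindings(server_application_data)
    if hmac.compare_digest(client_value, expected):
        return True
    if cb_optional:
        return not client_sent_pair
    return False


if __name__ == "__main__":
    app = ldap_application_data(FAKE_CERT_DER, "sha256")
    value = msv_channel_bindings(app)
    print("application_data:", app.hex())
    print("MsvChannelBindings:", value.hex())
    print("strict, matching client:", server_accepts(value, app, False, True))
    print("strict, legacy zeros:", server_accepts(bytes(16), app, False, True))
    print("optional, pair absent:", server_accepts(bytes(16), app, True, False))
    print("optional, explicit zeros:", server_accepts(bytes(16), app, True, True))
```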

commit 6fec41bdb31dc9a0150ed0342eedc3354a100714
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Mar 5 09:55:47 2024 +0100

    lib/crypto: add legacy_gnutls_server_end_point_cb() if needed
    
    gnutls_session_channel_binding(GNUTLS_CB_TLS_SERVER_END_POINT)
    is only available with gnutls 3.7.2, but we still want to
    support older gnutls versions and that's easily doable...
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15621
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    (cherry picked from commit 2f2af3aa8a0366e6502751415a08413bf28ba0cb)

commit b2f44b81751589fb3e32a7dd3899d41a80086424
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Feb 13 16:53:15 2024 +0100

    s4:libcli/ldap: make use of tstream_tls_params_client_lpcfg()
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15621
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    (cherry picked from commit c200cf1b5f430f686b39df8513a6b7e3c592ed43)

commit 254fa5041d6bc5bf037a3ce0a2dffff3ecff8879
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Feb 13 16:52:56 2024 +0100

    s4:librpc/rpc: make use of tstream_tls_params_client_lpcfg()
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15621
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    (cherry picked from commit 493d35a6910d9d9b70f55c2273f4e8a6c93a3bf5)

commit 7a6ce2be813ea64a5871d49a019ca29a213bf8b9
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Feb 13 16:50:23 2024 +0100

    s3:rpc_server/mdssvc: make use of tstream_tls_params_client_lpcfg()
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15621
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    (cherry picked from commit b8b874ef5e40d266a54501ba4523c6af7032ca00)

commit 8989c3cd8ba34a4b92c3566306f0362302dd41e3
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Feb 13 16:36:27 2024 +0100

    s4:lib/tls: add tstream_tls_params_client_lpcfg()
    
    This will be able to simplify the callers a lot...
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15621
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    (cherry picked from commit 604413b98a23f28288ec4af11023717a9239e0fe)

commit f1ca22f5577f26e640ddf22521f36eddbdb0283e
Author: Stefan Metzmacher <metze at samba.org>
Date:   Mon Feb 12 12:02:13 2024 +0100

    s4:lib/tls: split out tstream_tls_verify_peer() helper
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15621
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    (cherry picked from commit 3186cdce85a58451e9d5a05468029a13621128c3)

commit 1f0e6a447479d96abbfde9d8a2a57ea16c67de97
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Mar 15 23:24:39 2024 +0100

    s4:lib/tls: include a TLS server name indication in the client handshake
    
    This is not strictly needed, but it might be useful
    for load balancers.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15621
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    (cherry picked from commit 15fb8fcc7b98c3eba8eab79b227127b4b71b096c)

commit a55356b7cded628cb0f9dd61a3ad39cfde42d1ae
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Apr 17 18:16:46 2024 +0200

    s4:lib/tls: we no longer need ifdef GNUTLS_NO_TICKETS
    
    We require gnutls 3.6.13
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    (cherry picked from commit ecdd76919132430372ef04b03304fc51d6014e2f)

commit 0c8fd43cc8347c566bbb0ac5f0cf021062482a06
Author: Stefan Metzmacher <metze at samba.org>
Date:   Mon Feb 12 12:35:02 2024 +0100

    s4:lib/tls: split out tstream_tls_prepare_gnutls()
    
    Review with: git show --patience
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15621
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    (cherry picked from commit 60b11645b0d1c8304eabbb2aeca8a6b5190a3a2e)

commit 3e90d30bab90f5d762c224971a8029d0ca10369d
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Jan 26 15:30:09 2024 +0100

    s4:lib/tls: assert that event contexts are not mixed
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15621
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    (cherry picked from commit ac4bca77039cbc31323fb10b3706ed959a0cbbcd)

commit c117f54ceed81451d5d010f12828fd9b18551099
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Jan 26 14:42:40 2024 +0100

    s3:lib/tls: we need to call tstream_tls_retry_handshake/disconnect() until all buffers are flushed
    
    Before the handshake or disconnect is over we need to wait until
    we delivered the low-level messages to the transport/kernel socket.
    
    Otherwise we'll have a problem if another tevent_context is used
    after the handshake.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15621
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    (cherry picked from commit 6688945fa03f4a448708f729083ea4a1cdd1ab88)

commit 52adc59a9263dd345a130ad1139c2757f9c95a1f
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Jan 26 14:27:16 2024 +0100

    s4:lib/tls: remove tstream_tls_push_trigger_write step
    
    At the time of https://bugzilla.samba.org/show_bug.cgi?id=7218,
    we tested these versions:
        2.4.1 -> broken
        2.4.2 -> broken
        2.6.0 -> broken
        2.8.0 -> broken
        2.8.1 -> broken
        2.8.2 -> OK
        2.8.3 -> OK
        2.8.4 -> OK
        2.8.5 -> OK
        2.8.6 -> OK
        2.10.0 -> broken
        2.10.1 -> broken
        2.10.2 -> OK
    
    These seemed to be the fixes in gnutls upstream.
    
    Change 2.8.1 -> 2.8.2:
    http://git.savannah.gnu.org/gitweb/?p=gnutls.git;a=commitdiff;h=28fb34099edaf62e5472cc6e5e2749fed369ea01
    
    Change 2.10.1 -> 2.10.2:
    http://git.savannah.gnu.org/gitweb/?p=gnutls.git;a=commitdiff;h=0d07d8432d57805a8354ebd6c1e7829f3ab159cb
    
    This shouldn't be a problem with recent (>= 3.6) versions of gnutls.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15621
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    (cherry picked from commit 5844ef27aa46cba3d343035ccd35b03525db9843)

commit 461f14259e269af5bbe858a3e6027856d644a109
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Jan 26 18:04:57 2024 +0100

    s4:libcli/ldap: force GSS-SPNEGO in ldap_bind_sasl()
    
    There's no point in asking the server for supportedSASLMechanisms,
    every server (we care about) supports GSS-SPNEGO.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15621
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    (cherry picked from commit 68f6a461e1706f03007d3c5cfc68c71383b4ff28)

commit 39ffaf056b268be05aca5f0ec0c7bb2dcbebacae
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Jan 26 18:07:53 2024 +0100

    s4:libcli/ldap: fix no memory error code in ldap_bind_sasl()
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15621
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    (cherry picked from commit 8deba427e2697501f10e80a2ac0325a657635b92)

commit 5545d934ec0a32ee18411fcceea64eca73d645ed
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Apr 17 21:02:03 2024 +0200

    ldb_ildap: require ldb_get_opaque(ldb, "loadparm") to be valid
    
    Without a valid loadparm_context we can't connect.
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    (cherry picked from commit 2435ab1ad7092c004df72c2cb033eb94e5bf8274)

commit 07e707c4de4f5c8d9e3cc70063a1b9d5f728bd9e
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Apr 17 21:01:08 2024 +0200

    s4:libcli/ldap: ldap4_new_connection() requires a valid lp_ctx
    
    Otherwise we'll crash in a lot of places later.
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    (cherry picked from commit 8007569e9f7d374456a3fbd172a905173462eb5f)

commit 52fc65513f4d0dd34e10bdb5fbc75dcf49a19ea1
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date:   Fri Mar 22 16:20:18 2024 +1300

    selftest: move some more expected failures to expectedfail.d
    
    Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    
    Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
    Autobuild-Date(master): Wed Apr 10 06:15:46 UTC 2024 on atb-devel-224
    
    (cherry picked from commit 60df2a09a4394d2b494224ad3d33314079e73066)

-----------------------------------------------------------------------

Summary of changes:
 auth/gensec/gensec.c                               |  63 +++
 auth/gensec/gensec.h                               |   8 +
 auth/gensec/gensec_internal.h                      |  18 +
 auth/gensec/gensec_start.c                         |   1 +
 auth/ntlmssp/ntlmssp_client.c                      |  13 +-
 auth/ntlmssp/ntlmssp_private.h                     |   2 +
 auth/ntlmssp/ntlmssp_server.c                      |  47 ++
 auth/ntlmssp/ntlmssp_util.c                        |  98 ++++
 .../ldap/ldapserverrequirestrongauth.xml           |  38 +-
 lib/crypto/gnutls_helpers.h                        |   6 +
 lib/crypto/gnutls_server_end_point_cb.c            | 130 +++++
 lib/crypto/wscript                                 |   6 +-
 lib/ldb-samba/ldb_ildap.c                          |   9 +-
 lib/param/loadparm.h                               |   1 +
 lib/param/param_table.c                            |   2 +
 python/samba/netcmd/testparm.py                    |  10 +
 selftest/expectedfail.d/ldap-tlsverifypeer         |  10 +
 selftest/expectedfail.d/samba4.ldb.simple.ldap-tls |  21 +
 selftest/expectedfail_heimdal                      |  12 +
 selftest/knownfail                                 |  16 -
 selftest/target/Samba4.pm                          |   2 +-
 selftest/wscript                                   |   4 +
 source3/librpc/crypto/gse.c                        |  95 +++-
 source3/rpc_server/mdssvc/mdssvc_es.c              |  25 +-
 source3/utils/testparm.c                           |  12 +
 source4/auth/gensec/gensec_gssapi.c                |  77 ++-
 source4/auth/gensec/gensec_gssapi.h                |   1 +
 source4/ldap_server/ldap_bind.c                    |  62 ++-
 source4/ldap_server/ldap_server.c                  |  11 +
 source4/lib/tls/tls.h                              |   7 +
 source4/lib/tls/tls_tstream.c                      | 611 ++++++++++++---------
 source4/lib/tls/wscript_build                      |   1 +
 source4/libcli/ldap/ldap_bind.c                    | 111 ++--
 source4/libcli/ldap/ldap_client.c                  |  20 +-
 source4/librpc/rpc/dcerpc_roh.c                    |  20 +-
 source4/selftest/tests.py                          |  31 +-
 third_party/heimdal/lib/gssapi/krb5/8003.c         |   5 +
 .../heimdal/lib/gssapi/krb5/init_sec_context.c     |  10 +
 third_party/heimdal/lib/gssapi/test_context.c      |   4 +
 third_party/heimdal/lib/krb5/build_auth.c          | 100 +++-
 third_party/heimdal/lib/krb5/mk_req_ext.c          |   1 +
 third_party/heimdal/tests/gss/check-context.in     |  35 ++
 wscript_configure_embedded_heimdal                 |   7 +
 wscript_configure_system_gnutls                    |   5 +
 44 files changed, 1378 insertions(+), 390 deletions(-)
 create mode 100644 lib/crypto/gnutls_server_end_point_cb.c
 create mode 100644 selftest/expectedfail.d/ldap-tlsverifypeer
 create mode 100644 selftest/expectedfail.d/samba4.ldb.simple.ldap-tls
 create mode 100644 selftest/expectedfail_heimdal


Changeset truncated at 500 lines:

diff --git a/auth/gensec/gensec.c b/auth/gensec/gensec.c
index 26b5865bff5..8785e69be63 100644
--- a/auth/gensec/gensec.c
+++ b/auth/gensec/gensec.c
@@ -854,3 +854,66 @@ _PUBLIC_ const char *gensec_get_target_principal(struct gensec_security *gensec_
 
 	return NULL;
 }
+
+static int gensec_channel_bindings_destructor(struct gensec_channel_bindings *cb)
+{
+	data_blob_clear_free(&cb->initiator_address);
+	data_blob_clear_free(&cb->acceptor_address);
+	data_blob_clear_free(&cb->application_data);
+	*cb = (struct gensec_channel_bindings) { .initiator_addrtype = 0, };
+	return 0;
+}
+
+_PUBLIC_ NTSTATUS gensec_set_channel_bindings(struct gensec_security *gensec_security,
+					      uint32_t initiator_addrtype,
+					      const DATA_BLOB *initiator_address,
+					      uint32_t acceptor_addrtype,
+					      const DATA_BLOB *acceptor_address,
+					      const DATA_BLOB *application_data)
+{
+	struct gensec_channel_bindings *cb = NULL;
+
+	if (gensec_security->subcontext) {
+		return NT_STATUS_INTERNAL_ERROR;
+	}
+
+	if (gensec_security->channel_bindings != NULL) {
+		return NT_STATUS_ALREADY_REGISTERED;
+	}
+
+	cb = talloc_zero(gensec_security, struct gensec_channel_bindings);
+	if (cb == NULL) {
+		return NT_STATUS_NO_MEMORY;
+	}
+	talloc_set_destructor(cb, gensec_channel_bindings_destructor);
+
+	cb->initiator_addrtype = initiator_addrtype;
+	if (initiator_address != NULL) {
+		cb->initiator_address = data_blob_dup_talloc(cb,
+							     *initiator_address);
+		if (cb->initiator_address.length != initiator_address->length) {
+			TALLOC_FREE(cb);
+			return NT_STATUS_NO_MEMORY;
+		}
+	}
+	cb->acceptor_addrtype = acceptor_addrtype;
+	if (acceptor_address != NULL) {
+		cb->acceptor_address = data_blob_dup_talloc(cb,
+						            *acceptor_address);
+		if (cb->acceptor_address.length != acceptor_address->length) {
+			TALLOC_FREE(cb);
+			return NT_STATUS_NO_MEMORY;
+		}
+	}
+	if (application_data != NULL) {
+		cb->application_data = data_blob_dup_talloc(cb,
+							    *application_data);
+		if (cb->application_data.length != application_data->length) {
+			TALLOC_FREE(cb);
+			return NT_STATUS_NO_MEMORY;
+		}
+	}
+
+	gensec_security->channel_bindings = cb;
+	return NT_STATUS_OK;
+}
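
Review bot: gensec_set_channel_bindings() becomes a _PUBLIC_ entry point without a doc comment; a short note that the five parameters mirror gss_channel_bindings_struct (the layout documented in the gensec_internal.h part of this change) and that a second call is rejected with NT_STATUS_ALREADY_REGISTERED would spare callers a trip into the source. The shape of the function is sound: refusing subcontexts, refusing to replace bindings once set, and clearing the blobs with data_blob_clear_free() in the destructor so binding material does not linger after free.
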
diff --git a/auth/gensec/gensec.h b/auth/gensec/gensec.h
index 29d5e92c130..25242384f55 100644
--- a/auth/gensec/gensec.h
+++ b/auth/gensec/gensec.h
@@ -70,6 +70,7 @@ struct gensec_target {
 #define GENSEC_FEATURE_NO_AUTHZ_LOG	0x00000800
 #define GENSEC_FEATURE_SMB_TRANSPORT	0x00001000
 #define GENSEC_FEATURE_LDAPS_TRANSPORT	0x00002000
+#define GENSEC_FEATURE_CB_OPTIONAL	0x00004000
 
 #define GENSEC_EXPIRE_TIME_INFINITY (NTTIME)0x8000000000000000LL
 
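
Review bot: GENSEC_FEATURE_CB_OPTIONAL is a policy switch rather than a transport hint like its neighbours, and it lands with no comment. A one-line comment stating what "optional" means in this change (per the ntlmssp_server.c hunk, a mismatch is tolerated only when the client sent no MsvChannelBindings pair at all; explicit zeros still fail) would stop future callers reading it as "ignore bindings".
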
@@ -313,6 +314,13 @@ bool gensec_setting_bool(struct gensec_settings *settings, const char *mechanism
 NTSTATUS gensec_set_target_principal(struct gensec_security *gensec_security, const char *principal);
 const char *gensec_get_target_principal(struct gensec_security *gensec_security);
 
+NTSTATUS gensec_set_channel_bindings(struct gensec_security *gensec_security,
+				     uint32_t initiator_addrtype,
+				     const DATA_BLOB *initiator_address,
+				     uint32_t acceptor_addrtype,
+				     const DATA_BLOB *acceptor_address,
+				     const DATA_BLOB *application_data);
+
 NTSTATUS gensec_generate_session_info_pac(TALLOC_CTX *mem_ctx,
 					  struct gensec_security *gensec_security,
 					  struct smb_krb5_context *smb_krb5_context,
diff --git a/auth/gensec/gensec_internal.h b/auth/gensec/gensec_internal.h
index 8efb1bdff0f..4d8eca99881 100644
--- a/auth/gensec/gensec_internal.h
+++ b/auth/gensec/gensec_internal.h
@@ -95,6 +95,23 @@ struct gensec_security_ops_wrapper {
 	const char *oid;
 };
 
+/*
+ * typedef struct gss_channel_bindings_struct {
+ *       OM_uint32 initiator_addrtype;
+ *       gss_buffer_desc initiator_address;
+ *       OM_uint32 acceptor_addrtype;
+ *       gss_buffer_desc acceptor_address;
+ *       gss_buffer_desc application_data;
+ * } *gss_channel_bindings_t;
+ */
+struct gensec_channel_bindings {
+	uint32_t initiator_addrtype;
+	DATA_BLOB initiator_address;
+	uint32_t acceptor_addrtype;
+	DATA_BLOB acceptor_address;
+	DATA_BLOB application_data;
+};
+
 struct gensec_security {
 	const struct gensec_security_ops *ops;
 	void *private_data;
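
Review bot: the comment documents the field-for-field correspondence with gss_channel_bindings_struct but not which fields the LDAP-over-TLS caller actually fills; a line saying that the address fields may be left zero/empty and that application_data carries the binding token would help readers. Keeping the struct in the internal header only, with callers going through gensec_set_channel_bindings(), is the right call.
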
@@ -106,6 +123,7 @@ struct gensec_security {
 	uint32_t max_update_size;
 	uint8_t dcerpc_auth_level;
 	struct tsocket_address *local_addr, *remote_addr;
+	struct gensec_channel_bindings *channel_bindings;
 	struct gensec_settings *settings;
 
 	/* When we are a server, this may be filled in to provide an
diff --git a/auth/gensec/gensec_start.c b/auth/gensec/gensec_start.c
index bcf98bd5968..4405aca278d 100644
--- a/auth/gensec/gensec_start.c
+++ b/auth/gensec/gensec_start.c
@@ -732,6 +732,7 @@ _PUBLIC_ NTSTATUS gensec_subcontext_start(TALLOC_CTX *mem_ctx,
 	(*gensec_security)->auth_context = talloc_reference(*gensec_security, parent->auth_context);
 	(*gensec_security)->settings = talloc_reference(*gensec_security, parent->settings);
 	(*gensec_security)->auth_context = talloc_reference(*gensec_security, parent->auth_context);
+	(*gensec_security)->channel_bindings = talloc_reference(*gensec_security, parent->channel_bindings);
 
 	talloc_set_destructor((*gensec_security), gensec_security_destructor);
 	return NT_STATUS_OK;
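
Review bot: sharing the parent's bindings via talloc_reference() is consistent with gensec_set_channel_bindings() refusing subcontexts, so bindings can only be set on the outer context and are inherited, never replaced underneath it; talloc_reference() on a NULL parent pointer simply yields NULL. Unrelated to this change, the auth_context assignment in the surrounding context appears twice; worth a follow-up cleanup.
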
diff --git a/auth/ntlmssp/ntlmssp_client.c b/auth/ntlmssp/ntlmssp_client.c
index 337aeed9229..d8dc1d2940b 100644
--- a/auth/ntlmssp/ntlmssp_client.c
+++ b/auth/ntlmssp/ntlmssp_client.c
@@ -599,6 +599,8 @@ NTSTATUS ntlmssp_client_challenge(struct gensec_security *gensec_security,
 			SingleHost->Value.AvSingleHost.remaining = data_blob_null;
 		}
 
+		if (!(gensec_security->want_features & GENSEC_FEATURE_CB_OPTIONAL)
+		    || gensec_security->channel_bindings != NULL)
 		{
 			struct AV_PAIR *ChannelBindings = NULL;
 
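
Review bot: this condition changes the wire format for one configuration: with GENSEC_FEATURE_CB_OPTIONAL set and no bindings configured, the MsvChannelBindings AV_PAIR is now omitted entirely, whereas before it was always present with 16 zero bytes. A comment should say this is deliberate, since the server side of this change only tolerates a mismatch when the pair is absent, not when it carries zeros.
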
@@ -607,13 +609,12 @@ NTSTATUS ntlmssp_client_challenge(struct gensec_security *gensec_security,
 			count++;
 			*eol = *ChannelBindings;
 
-			/*
-			 * gensec doesn't support channel bindings yet,
-			 * but we want to match Windows on the wire
-			 */
 			ChannelBindings->AvId = MsvChannelBindings;
-			memset(ChannelBindings->Value.ChannelBindings, 0,
-			       sizeof(ChannelBindings->Value.ChannelBindings));
+			nt_status = ntlmssp_hash_channel_bindings(gensec_security,
+					ChannelBindings->Value.ChannelBindings);
+			if (!NT_STATUS_IS_OK(nt_status)) {
+				return nt_status;
+			}
 		}
 
 		service = gensec_get_target_service(gensec_security);
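
Review bot: removing the "gensec doesn't support channel bindings yet" comment is correct now, and because ntlmssp_hash_channel_bindings() writes 16 zero bytes when no bindings are set, clients without bindings keep the previous on-wire value, so this hunk is behaviour-preserving for them.
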
diff --git a/auth/ntlmssp/ntlmssp_private.h b/auth/ntlmssp/ntlmssp_private.h
index 4d84e3347b6..7b939b80ae2 100644
--- a/auth/ntlmssp/ntlmssp_private.h
+++ b/auth/ntlmssp/ntlmssp_private.h
@@ -56,6 +56,8 @@ void debug_ntlmssp_flags(uint32_t neg_flags);
 NTSTATUS ntlmssp_handle_neg_flags(struct ntlmssp_state *ntlmssp_state,
 				  uint32_t neg_flags, const char *name);
 const DATA_BLOB ntlmssp_version_blob(void);
+NTSTATUS ntlmssp_hash_channel_bindings(struct gensec_security *gensec_security,
+				       uint8_t cb_hash[16]);
 
 /* The following definitions come from auth/ntlmssp_server.c  */
 
diff --git a/auth/ntlmssp/ntlmssp_server.c b/auth/ntlmssp/ntlmssp_server.c
index 64b96283eb2..1e49379a8ed 100644
--- a/auth/ntlmssp/ntlmssp_server.c
+++ b/auth/ntlmssp/ntlmssp_server.c
@@ -386,6 +386,9 @@ static NTSTATUS ntlmssp_server_preauth(struct gensec_security *gensec_security,
 	DATA_BLOB version_blob = data_blob_null;
 	const unsigned int mic_len = NTLMSSP_MIC_SIZE;
 	DATA_BLOB mic_blob = data_blob_null;
+	const uint8_t zero_channel_bindings[16] = { 0, };
+	const uint8_t *client_channel_bindings = zero_channel_bindings;
+	uint8_t server_channel_bindings[16] = { 0, };
 	const char *parse_string;
 	bool ok;
 	struct timeval endtime;
@@ -523,6 +526,7 @@ static NTSTATUS ntlmssp_server_preauth(struct gensec_security *gensec_security,
 		uint32_t i = 0;
 		uint32_t count = 0;
 		const struct AV_PAIR *flags = NULL;
+		const struct AV_PAIR *cb = NULL;
 		const struct AV_PAIR *eol = NULL;
 		uint32_t av_flags = 0;
 
@@ -598,6 +602,12 @@ static NTSTATUS ntlmssp_server_preauth(struct gensec_security *gensec_security,
 			ntlmssp_state->new_spnego = true;
 		}
 
+		cb = ndr_ntlmssp_find_av(&v2_resp.Challenge.AvPairs,
+					 MsvChannelBindings);
+		if (cb != NULL) {
+			client_channel_bindings = cb->Value.ChannelBindings;
+		}
+
 		count = ntlmssp_state->server.av_pair_list.count;
 		if (v2_resp.Challenge.AvPairs.count < count) {
 			return NT_STATUS_INVALID_PARAMETER;
@@ -700,6 +710,43 @@ static NTSTATUS ntlmssp_server_preauth(struct gensec_security *gensec_security,
 		}
 	}
 
+	if (gensec_security->channel_bindings != NULL) {
+		nt_status = ntlmssp_hash_channel_bindings(gensec_security,
+							  server_channel_bindings);
+		if (!NT_STATUS_IS_OK(nt_status)) {
+			return nt_status;
+		}
+
+		ok = mem_equal_const_time(client_channel_bindings,
+					  server_channel_bindings,
+					  16);
+		if (!ok && gensec_security->want_features & GENSEC_FEATURE_CB_OPTIONAL) {
+			/*
+			 * Unlike kerberos, explicit 16 zeros in
+			 * MsvChannelBindings are not enough to
+			 * pass the optional check.
+			 *
+			 * So we only let it through without explicit
+			 * MsvChannelBindings.
+			 */
+			ok = (client_channel_bindings == zero_channel_bindings);
+		}
+		if (!ok) {
+			DBG_WARNING("Invalid channel bindings for "
+				    "user=[%s] domain=[%s] workstation=[%s]\n",
+				    ntlmssp_state->user,
+				    ntlmssp_state->domain,
+				    ntlmssp_state->client.netbios_name);
+			dump_data(DBGLVL_WARNING,
+				  client_channel_bindings,
+				  16);
+			dump_data(DBGLVL_WARNING,
+				  server_channel_bindings,
+				  16);
+			return NT_STATUS_BAD_BINDINGS;
+		}
+	}
+
 	nttime_to_timeval(&endtime, ntlmssp_state->server.challenge_endtime);
 	expired = timeval_expired(&endtime);
 	if (expired) {
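
Review bot: the comparison uses mem_equal_const_time() and a failure is logged with user, domain and workstation before NT_STATUS_BAD_BINDINGS is returned, which gives operators a concrete "Invalid channel bindings" log line to alert on when a bind arrives over a TLS channel that does not match. Two points: the optional path relies on pointer identity (client_channel_bindings == zero_channel_bindings) to tell "pair absent" from "pair present with zeros"; a dedicated bool set where ndr_ntlmssp_find_av() succeeds would make that intent robust against later refactoring. And dump_data() at warning level prints both 16-byte values on every failure; neither is secret, but under a flood of failing binds the dumps could be noisy, so keeping the one-line warning and moving the dumps to DBGLVL_INFO is worth considering.
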
diff --git a/auth/ntlmssp/ntlmssp_util.c b/auth/ntlmssp/ntlmssp_util.c
index 6f3b474fd71..b8dc84e1652 100644
--- a/auth/ntlmssp/ntlmssp_util.c
+++ b/auth/ntlmssp/ntlmssp_util.c
@@ -22,9 +22,15 @@
 */
 
 #include "includes.h"
+#include "auth/gensec/gensec.h"
+#include "auth/gensec/gensec_internal.h"
 #include "../auth/ntlmssp/ntlmssp.h"
 #include "../auth/ntlmssp/ntlmssp_private.h"
 
+#include "lib/crypto/gnutls_helpers.h"
+#include <gnutls/gnutls.h>
+#include <gnutls/crypto.h>
+
 #undef DBGC_CLASS
 #define DBGC_CLASS DBGC_AUTH
 
@@ -218,3 +224,95 @@ const DATA_BLOB ntlmssp_version_blob(void)
 
 	return data_blob_const(version_buffer, ARRAY_SIZE(version_buffer));
 }
+
+NTSTATUS ntlmssp_hash_channel_bindings(struct gensec_security *gensec_security,
+				       uint8_t cb_hash[16])
+{
+	const struct gensec_channel_bindings *cb =
+		gensec_security->channel_bindings;
+	gnutls_hash_hd_t hash_hnd = NULL;
+	uint8_t uint32buf[4];
+	int rc;
+
+	if (cb == NULL) {
+		memset(cb_hash, 0, 16);
+		return NT_STATUS_OK;
+	}
+
+	GNUTLS_FIPS140_SET_LAX_MODE();
+	rc = gnutls_hash_init(&hash_hnd, GNUTLS_DIG_MD5);
+	if (rc < 0) {
+		GNUTLS_FIPS140_SET_STRICT_MODE();
+		return gnutls_error_to_ntstatus(rc, NT_STATUS_HMAC_NOT_SUPPORTED);
+	}
+
+	SIVAL(uint32buf, 0, cb->initiator_addrtype);
+	rc = gnutls_hash(hash_hnd, uint32buf, sizeof(uint32buf));
+	if (rc < 0) {
+		gnutls_hash_deinit(hash_hnd, NULL);
+		GNUTLS_FIPS140_SET_STRICT_MODE();
+		return gnutls_error_to_ntstatus(rc, NT_STATUS_HMAC_NOT_SUPPORTED);
+	}
+	SIVAL(uint32buf, 0, cb->initiator_address.length);
+	rc = gnutls_hash(hash_hnd, uint32buf, sizeof(uint32buf));
+	if (rc < 0) {
+		gnutls_hash_deinit(hash_hnd, NULL);
+		GNUTLS_FIPS140_SET_STRICT_MODE();
+		return gnutls_error_to_ntstatus(rc, NT_STATUS_HMAC_NOT_SUPPORTED);
+	}
+	if (cb->initiator_address.length > 0) {
+		rc = gnutls_hash(hash_hnd,
+				 cb->initiator_address.data,
+				 cb->initiator_address.length);
+		if (rc < 0) {
+			gnutls_hash_deinit(hash_hnd, NULL);
+			GNUTLS_FIPS140_SET_STRICT_MODE();
+			return gnutls_error_to_ntstatus(rc, NT_STATUS_HMAC_NOT_SUPPORTED);
+		}
+	}
+	SIVAL(uint32buf, 0, cb->acceptor_addrtype);
+	rc = gnutls_hash(hash_hnd, uint32buf, sizeof(uint32buf));
+	if (rc < 0) {
+		gnutls_hash_deinit(hash_hnd, NULL);
+		GNUTLS_FIPS140_SET_STRICT_MODE();
+		return gnutls_error_to_ntstatus(rc, NT_STATUS_HMAC_NOT_SUPPORTED);
+	}
+	SIVAL(uint32buf, 0, cb->acceptor_address.length);
+	rc = gnutls_hash(hash_hnd, uint32buf, sizeof(uint32buf));
+	if (rc < 0) {
+		gnutls_hash_deinit(hash_hnd, NULL);
+		GNUTLS_FIPS140_SET_STRICT_MODE();
+		return gnutls_error_to_ntstatus(rc, NT_STATUS_HMAC_NOT_SUPPORTED);
+	}
+	if (cb->acceptor_address.length > 0) {
+		rc = gnutls_hash(hash_hnd,
+				 cb->acceptor_address.data,
+				 cb->acceptor_address.length);
+		if (rc < 0) {
+			gnutls_hash_deinit(hash_hnd, NULL);
+			GNUTLS_FIPS140_SET_STRICT_MODE();
+			return gnutls_error_to_ntstatus(rc, NT_STATUS_HMAC_NOT_SUPPORTED);
+		}
+	}
+	SIVAL(uint32buf, 0, cb->application_data.length);
+	rc = gnutls_hash(hash_hnd, uint32buf, sizeof(uint32buf));
+	if (rc < 0) {
+		gnutls_hash_deinit(hash_hnd, NULL);
+		GNUTLS_FIPS140_SET_STRICT_MODE();
+		return gnutls_error_to_ntstatus(rc, NT_STATUS_HMAC_NOT_SUPPORTED);
+	}
+	if (cb->application_data.length > 0) {
+		rc = gnutls_hash(hash_hnd,
+				 cb->application_data.data,
+				 cb->application_data.length);
+		if (rc < 0) {
+			gnutls_hash_deinit(hash_hnd, NULL);
+			GNUTLS_FIPS140_SET_STRICT_MODE();
+			return gnutls_error_to_ntstatus(rc, NT_STATUS_HMAC_NOT_SUPPORTED);
+		}
+	}
+
+	gnutls_hash_deinit(hash_hnd, cb_hash);
+	GNUTLS_FIPS140_SET_STRICT_MODE();
+	return NT_STATUS_OK;
+}
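Review bot: the `gnutls_hash_deinit(hash_hnd, NULL); GNUTLS_FIPS140_SET_STRICT_MODE(); return gnutls_error_to_ntstatus(...)` sequence is repeated seven times; a single cleanup label (`goto out;` with the deinit, the strict-mode restore and `return status;` in one place) would shorten the function and remove the risk that a future edit drops one of the three steps on a new error path. Two smaller points: the `SIVAL(uint32buf, 0, cb->...length)` calls silently truncate each blob length to 32 bits, so rejecting lengths that do not fit a `uint32_t` (NT_STATUS_INVALID_PARAMETER) before hashing would guarantee that the encoded length always describes the bytes that follow; and the MD5 under `GNUTLS_FIPS140_SET_LAX_MODE()` is forced by the MsvChannelBindings format, which is defined as an MD5 over the gss_channel_bindings_struct fields hashed here (initiator_addrtype, initiator_address, acceptor_addrtype, acceptor_address, application_data), so a one-line comment to that effect would keep the lax-mode switch from being mistaken for an oversight.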
diff --git a/docs-xml/smbdotconf/ldap/ldapserverrequirestrongauth.xml b/docs-xml/smbdotconf/ldap/ldapserverrequirestrongauth.xml
index 02bdd811491..18f8903dcaa 100644
--- a/docs-xml/smbdotconf/ldap/ldapserverrequirestrongauth.xml
+++ b/docs-xml/smbdotconf/ldap/ldapserverrequirestrongauth.xml
@@ -7,20 +7,44 @@
 	<para>
 	The <smbconfoption name="ldap server require strong auth"/> defines whether
 	the ldap server requires ldap traffic to be signed or signed and encrypted (sealed).
-	Possible values are <emphasis>no</emphasis>, <emphasis>allow_sasl_over_tls</emphasis>
+	Possible values are <emphasis>no</emphasis>,
+	<emphasis>allow_sasl_without_tls_channel_bindings</emphasis>
 	and <emphasis>yes</emphasis>.
 	</para>
 
+	<para>Windows has <emphasis>LdapEnforceChannelBinding</emphasis> under
+	<emphasis>HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters\</emphasis>.
+	</para>
+
 	<para>A value of <emphasis>no</emphasis> allows simple and sasl binds over
-	all transports.</para>
+	all transports. This matches LdapEnforceChannelBinding=0.</para>
+
+	<para>A value of <emphasis>allow_sasl_without_tls_channel_bindings</emphasis>
+	allows simple and sasl binds (without sign or seal) over TLS encrypted connections.
+	Missing tls channel bindings are ignored, so only use this if a value of
+	<emphasis>yes</emphasis> is not possible.
+	Unencrypted connections only allow sasl binds with sign or seal.
+	This matches LdapEnforceChannelBinding=1.
+	</para>
 
-	<para>A value of <emphasis>allow_sasl_over_tls</emphasis> allows simple and sasl binds
-	(without sign or seal) over TLS encrypted connections. Unencrypted connections only
-	allow sasl binds with sign or seal.</para>
+	<para>Before support for tls channel bindings existed in Samba,
+	a value of <emphasis>allow_sasl_over_tls</emphasis> was possible in order
+	to allow sasl binds without tls channel bindings. This now misleading
+	as a value of <emphasis>yes</emphasis> will now allow sasl binds
+	with tls channel bindings. Configurations should be changed to
+	<emphasis>yes</emphasis> instead or
+	<emphasis>allow_sasl_without_tls_channel_bindings</emphasis>
+	if really required. Currently <emphasis>allow_sasl_over_tls</emphasis>
+	is just an alias of <emphasis>allow_sasl_without_tls_channel_bindings</emphasis>,
+	but it will be removed in future versions.
+	</para>
 
 	<para>A value of <emphasis>yes</emphasis> allows only simple binds
-	over TLS encrypted connections. Unencrypted connections only
-	allow sasl binds with sign or seal.</para>
+	and sasl binds with correct tls channel bindings
+	over TLS encrypted connections. sasl binds without tls channel bindings
+	are not allowed. Unencrypted connections only
+	allow sasl binds with sign or seal. This matches LdapEnforceChannelBinding=2.
+	</para>
 </description>
 <value type="default">yes</value>
 </samba:parameter>
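Review bot: the sentence `This now misleading` in the `allow_sasl_over_tls` paragraph is missing its verb and should read `This is now misleading`. The same paragraph would read better if it opened by saying the value is deprecated (currently an alias, to be removed) and then explained why. Capitalisation is mixed within the new text (`tls channel bindings`, `sasl binds` beside `TLS encrypted connections`); the file already uses lower-case `ldap` and `sasl`, so either convention is defensible, but one should be used throughout. The `allow_sasl_without_tls_channel_bindings` paragraph rightly warns that missing bindings are ignored and that `yes` should be preferred; stating that the default is `yes` in that sentence as well would reinforce it for administrators who only read this paragraph.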
diff --git a/lib/crypto/gnutls_helpers.h b/lib/crypto/gnutls_helpers.h
index 0362d5ee782..6699ebc0196 100644
--- a/lib/crypto/gnutls_helpers.h
+++ b/lib/crypto/gnutls_helpers.h
@@ -233,4 +233,10 @@ NTSTATUS samba_gnutls_sp800_108_derive_key(
 	uint8_t *KO,
 	size_t KO_len);
 
+#ifndef HAVE_GNUTLS_CB_TLS_SERVER_END_POINT
+int legacy_gnutls_server_end_point_cb(gnutls_session_t session,
+				      bool is_server,
+				      gnutls_datum_t * cb);
+#endif /* HAVE_GNUTLS_CB_TLS_SERVER_END_POINT */
+
 #endif /* _GNUTLS_HELPERS_H */
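Review bot: the declaration uses `gnutls_datum_t * cb` with a space after the asterisk, which does not match the `type *name` form used just above in this header (`uint8_t *KO`); dropping the space keeps the style consistent. Because the prototype is guarded by `#ifndef HAVE_GNUTLS_CB_TLS_SERVER_END_POINT`, the definition in `lib/crypto/gnutls_server_end_point_cb.c` needs the same condition, either in the build rule or in the file itself, so that builds against a GnuTLS that already provides the feature do not compile an unprototyped function.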
diff --git a/lib/crypto/gnutls_server_end_point_cb.c b/lib/crypto/gnutls_server_end_point_cb.c
new file mode 100644
index 00000000000..c9091974640
--- /dev/null
+++ b/lib/crypto/gnutls_server_end_point_cb.c
@@ -0,0 +1,130 @@
+/*
+ * Copyright (C) 2002-2016 Free Software Foundation, Inc.
+ * Copyright (C) 2014-2016 Nikos Mavrogiannopoulos
+ * Copyright (C) 2015-2018 Red Hat, Inc.
+ *
+ * Author: Nikos Mavrogiannopoulos
+ *
+ * This file is part of GnuTLS.
+ *
+ * The GnuTLS is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public License
+ * as published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this program.  If not, see <https://www.gnu.org/licenses/>
+ *
+ */
+
+#include "replace.h"
+#include "gnutls_helpers.h"
+#include <gnutls/gnutls.h>
+#include <gnutls/x509.h>
+
+int legacy_gnutls_server_end_point_cb(gnutls_session_t session,
+				      bool is_server,
+				      gnutls_datum_t * cb)
+{
+	/*
+	 * copied from the logic in gnutls_session_channel_binding()
+	 * introduced by gnutls commit (as LGPL 2.1+):
+	 *
+	 * commit 9ebee00c793e40e3e8c797c645577c9e025b9f1e


-- 
Samba Shared Repository


