summaryrefslogtreecommitdiffstats
path: root/auth/gensec
Commit message (Collapse)AuthorAgeFilesLines
* gensec: explain gensec_use_kerberos_mechs() logicAndrew Bartlett2012-02-101-1/+16
| | | | | Autobuild-User: Andrew Bartlett <abartlet@samba.org> Autobuild-Date: Fri Feb 10 12:36:23 CET 2012 on sn-devel-104
* gensec: set flag to continue in outer for loop in gensec_use_kerberos_mechsAndrew Bartlett2012-02-101-1/+5
| | | | | | | | | This should be the correct fix for the valgrind erorr Volker found in 744ed53a62037a659133ccd4de2065491208ae7d. This fix avoids putting SPNEGO into the list twice when we are in the CRED_DONT_USE_KERBEROS case. Andrew Bartlett
* Revert "gensec: Fix a memory corruption in gensec_use_kerberos_mechs"Andrew Bartlett2012-02-101-2/+1
| | | | | | | | | This reverts commit 744ed53a62037a659133ccd4de2065491208ae7d. The real bug here is that the second half of the outer loop should not have been run once we found spnego. Andrew Bartlett
* gensec: Fix a memory corruption in gensec_use_kerberos_mechsVolker Lendecke2012-02-091-1/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Without this I get the following valgrind error: ==27740== Invalid write of size 8 ==27740== at 0x62C53E: gensec_use_kerberos_mechs (gensec_start.c:112) ==27740== by 0x62C623: gensec_security_mechs (gensec_start.c:141) ==27740== by 0x62C777: gensec_security_by_oid (gensec_start.c:181) ==27740== by 0x62DD6E: gensec_start_mech_by_oid (gensec_start.c:735) ==27740== by 0x50D6FD: negprot_spnego (negprot.c:210) ==27740== by 0x5B0DEA: smbd_smb2_request_process_negprot (smb2_negprot.c:209) ==27740== by 0x5AD036: smbd_smb2_request_dispatch (smb2_server.c:1417) ==27740== by 0x5AFB77: smbd_smb2_first_negprot (smb2_server.c:2643) ==27740== by 0x585C00: process_smb (process.c:1641) ==27740== by 0x587F78: smbd_server_connection_read_handler (process.c:2314) ==27740== by 0x587FD6: smbd_server_connection_handler (process.c:2331) ==27740== by 0x99E05B: run_events_poll (events.c:286) ==27740== by 0x584AFF: smbd_server_connection_loop_once (process.c:984) ==27740== by 0x58B2D9: smbd_process (process.c:3389) ==27740== by 0xDE4CA8: smbd_accept_connection (server.c:469) ==27740== by 0x99E05B: run_events_poll (events.c:286) ==27740== by 0x99E2D5: s3_event_loop_once (events.c:349) ==27740== by 0x99F990: _tevent_loop_once (tevent.c:504) ==27740== by 0xDE5A9B: smbd_parent_loop (server.c:869) ==27740== by 0xDE6DD8: main (server.c:1413) ==27740== Address 0x9ff3538 is 4,232 bytes inside a block of size 8,288 alloc'd ==27740== at 0x4C261D7: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so) ==27740== by 0x6926965: __talloc (talloc.c:560) ==27740== by 0x6926771: talloc_pool (talloc.c:598) ==27740== by 0x93B927: talloc_stackframe_internal (talloc_stack.c:145) ==27740== by 0x93B9D6: talloc_stackframe_pool (talloc_stack.c:171) ==27740== by 0x58B2B7: smbd_process (process.c:3385) ==27740== by 0xDE4CA8: smbd_accept_connection (server.c:469) ==27740== by 0x99E05B: run_events_poll (events.c:286) ==27740== by 0x99E2D5: s3_event_loop_once (events.c:349) ==27740== by 0x99F990: _tevent_loop_once (tevent.c:504) ==27740== by 0xDE5A9B: smbd_parent_loop (server.c:869) ==27740== by 0xDE6DD8: main (server.c:1413) In the for-loop we can increment j twice, so we need twice as many output array elements as input array elements. Autobuild-User: Volker Lendecke <vl@samba.org> Autobuild-Date: Thu Feb 9 19:44:47 CET 2012 on sn-devel-104
* gensec: inline gensec_generate_session_info() into only callerAndrew Bartlett2012-01-302-34/+0
| | | | | | | | | | | | | | This avoids casting to and from the struct auth_user_info_dc *user_info_dc to to this, the if (user_info_dc->info->authenticated) is moved into auth_generate_session_info_wrapper(), which is the function that gensec_security->auth_context->generate_session_info points to. Andrew Bartlett
* auth/gensec_gssapi: sync gensec_gssapi_state with gse_contextStefan Metzmacher2012-01-251-1/+2
| | | | | | | | | Both use gss_krb5_lucid_context_v1_t now. metze Autobuild-User: Stefan Metzmacher <metze@samba.org> Autobuild-Date: Wed Jan 25 10:22:31 CET 2012 on sn-devel-104
* auth/gensec: align common elements between gse_context and gensec_gssapi_stateAndrew Bartlett2012-01-181-3/+5
| | | | | | | Signed-off-by: Stefan Metzmacher <metze@samba.org> Autobuild-User: Stefan Metzmacher <metze@samba.org> Autobuild-Date: Wed Jan 18 19:29:40 CET 2012 on sn-devel-104
* s3:build: add auth/gensec/spnego.oStefan Metzmacher2012-01-131-0/+2
| | | | | | | metze Autobuild-User: Stefan Metzmacher <metze@samba.org> Autobuild-Date: Fri Jan 13 06:32:30 CET 2012 on sn-devel-104
* auth/gensec: move spnego.c to the toplevelStefan Metzmacher2012-01-132-0/+1407
| | | | metze
* auth/gensec: common helper functions should be in gensec_util.cStefan Metzmacher2012-01-131-0/+116
| | | | | | This makes the dependencies easier to handle. metze
* auth/gensec: add some more functions from gensec_start.c to gensec.hStefan Metzmacher2012-01-132-16/+37
| | | | metze
* auth/gensec: make sure functions from gensec.c are in gensec.hStefan Metzmacher2012-01-132-5/+7
| | | | metze
* s4:auth/gensec/spnego: add support for fragmented spnego messagesStefan Metzmacher2012-01-121-1/+1
| | | | metze
* auth/gensec: add gensec_*max_update_size()Stefan Metzmacher2012-01-123-0/+22
| | | | | | | This is only a hint for the backend, which may want to fragment update tokens. metze
* gensec: Make sure to check the optional auth_context hooks before using themAndrew Bartlett2012-01-111-1/+1
| | | | | | | | | These are optional to supply - some callers only provide an auth_context for the other plugin functions, and so we need to deal with this cleanly. Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org>
* gensec: Rename want_flags and got_flags in gensec_gssapiAndrew Bartlett2012-01-111-1/+1
| | | | | | | | This make it clearer what type of flags these are. Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org>
* gensec: make gensec_gssapi.h commonAndrew Bartlett2012-01-111-0/+67
| | | | | | | | | This will make it easier to share elements of the GSSAPI gensec mechs, in much the same way elements of the NTLMSSP mech are shared. Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org>
* gensec: move gensec_util.c to the top levelAndrew Bartlett2012-01-113-1/+110
| | | | | | | | To do this some defines need to move to common_auth.h Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org>
* s4-gensec: Move parsing of the PAC blob and creating the session_info into authAndrew Bartlett2011-12-291-0/+1
| | | | | | | | | | | | | This uses a single callback to handle the PAC from the DATA_BLOB format until it becomes a struct auth_session_info. This allows a seperation between the GSS acceptor code and the PAC interpretation code based on the supplied auth context. Andrew Bartlett Autobuild-User: Andrew Bartlett <abartlet@samba.org> Autobuild-Date: Thu Dec 29 01:10:59 CET 2011 on sn-devel-104
* gensec: Allow an alternate set of modules to be specifiedAndrew Bartlett2011-12-282-1/+11
| | | | | | | This will allow s3 to specify modules to use as a list, rather than needing to start the individual module with gensec_start_mech_by_ops() Andrew Bartlett
* Revert making public of the samba-module library.Jelmer Vernooij2011-12-032-8/+8
| | | | | | | | | | | | | | | This library was tiny - containing just two public functions than were themselves trivial. The amount of overhead this causes isn't really worth the benefits of sharing the code with other projects like OpenChange. In addition, this code isn't really generically useful anyway, as it can only load from the module path set for Samba at configure time. Adding a new library was breaking the API/ABI anyway, so OpenChange had to be updated to cope with the new situation one way or another. I've added a simpler (compatible) routine for loading modules to OpenChange, which is less than 100 lines of code. Autobuild-User: Jelmer Vernooij <jelmer@samba.org> Autobuild-Date: Sat Dec 3 08:36:33 CET 2011 on sn-devel-104
* lib/util Rename samba_modules_load -> samba_module_init_fns_for_subsystemAndrew Bartlett2011-10-281-1/+1
| | | | | | | This is to provide a cleaner namespace in the public samba plugin functions. Andrew Bartlett
* lib/util Rename samba_init_module_fns_run -> samba_module_init_fns_runAndrew Bartlett2011-10-281-2/+2
| | | | | | | This is to provide a cleaner namespace in the public samba plugin functions. Andrew Bartlett
* lib/util Rename samba_init_module_fn -> samba_module_init_fnAndrew Bartlett2011-10-281-3/+3
| | | | | | | This is to provide a cleaner namespace in the public samba plugin functions. Andrew Bartlett
* lib/util Split samba-modules library into public and private partsAndrew Bartlett2011-10-282-2/+2
| | | | | | | This will allow OpenChange to get at the symbols it needs, without exposing any more of this as a public API than we must. Andrew Bartlett
* lib/util Rename load_samba_modules -> samba_modules_loadAndrew Bartlett2011-10-281-1/+1
| | | | | | | This is to provide a cleaner namespace in the public samba plugin functions. Andrew Bartlett
* lib/util Rename run_init_functions -> samba_init_module_fns_runAndrew Bartlett2011-10-281-2/+2
| | | | | | | This is to provide a cleaner namespace in the public samba plugin functions. Andrew Bartlett
* lib/util Rename init_module_fn to samba_init_module_fnAndrew Bartlett2011-10-281-3/+3
| | | | | | This prepares for making the samba_module.h header public again, for OpenChange. I am keen to avoid too much API namespace pollution if we can.
* auth/gensec: fix missleading commentStefan Metzmacher2011-10-241-1/+1
| | | | | | | | | We don't talloc_reference for tsocket_addresses. metze Autobuild-User: Stefan Metzmacher <metze@samba.org> Autobuild-Date: Mon Oct 24 15:29:47 CEST 2011 on sn-devel-104
* auth/gensec: replace #if _SAMBA_BUILD_ == 4 by a feature testStefan Metzmacher2011-10-221-1/+1
| | | | metze
* gensec: move event context from gensec_*_init() to gensec_update()Andrew Bartlett2011-10-183-13/+8
| | | | | | | | | | | | This avoids keeping the event context around on a the gensec_security context structure long term. In the Samba3 server, the event context we either supply is a NULL pointer as no server-side modules currently use the event context. Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org>
* gensec: Refuse to seal if we did not negotiate to signAndrew Bartlett2011-10-181-0/+3
| | | | Signed-off-by: Stefan Metzmacher <metze@samba.org>
* gensec: Assert that we have not been subject to a downgrade attack in ↵Andrew Bartlett2011-10-183-1/+48
| | | | | | | | | | | | | | DCE/RPC clients Because of the calling convention, this is the best place to assert that we have not been subject to a downgrade attack on the negotiated features. (In DCE/RPC, this isn't a negotiation, the client simply specifies the level of protection that is required). Andrew Bartlett (some formatting fixes) Signed-off-by: Stefan Metzmacher <metze@samba.org>
* gensec: an event context is no longer mandetoryAndrew Bartlett2011-10-181-10/+0
| | | | | | | | | If you do not specify one however, you better know that the modules you are using do not need one! Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org>
* gensec: trim header includes back to what is actually requiredAndrew Bartlett2011-10-111-8/+2
| | | | | Autobuild-User: Andrew Bartlett <abartlet@samba.org> Autobuild-Date: Tue Oct 11 06:13:08 CEST 2011 on sn-devel-104
* auth: move gensec_start.c to the top levelAndrew Bartlett2011-10-113-5/+939
| | | | | | | This does not change who uses gensec for now, but makes it possible to write new gensec modules outside source4/ Andrew Bartlett
* build: provide tevent-util as a public libraryAndrew Bartlett2011-08-081-1/+1
| | | | | | | This is needed so that OpenChange can get at _tevent_req_nterr(), which is referenced by generated PIDL output. Andrew Bartlett
* gensec: clarify memory ownership for gensec_session_info() and ↵Andrew Bartlett2011-08-032-6/+11
| | | | | | | | | | | | | | | gensec_session_key() This is slightly less efficient, because we no longer keep a cache on the gensec structures, but much clearer in terms of memory ownership. Both gensec_session_info() and gensec_session_key() now take a mem_ctx and put the result only on that context. Some duplication of memory in the callers (who were rightly uncertain about who was the rightful owner of the returned memory) has been removed to compensate for the internal copy. Andrew Bartlett
* gensec: Remove mem_ctx from calls that do not return memoryAndrew Bartlett2011-08-032-8/+4
| | | | Signed-off-by: Andrew Tridgell <tridge@samba.org>
* gensec: split GENSEC into mechanism-dependent and runtime functionsAndrew Bartlett2011-08-033-0/+834
The startup and runtime functions that have no dependencies are moved into the top level. Andrew Bartlett Signed-off-by: Andrew Tridgell <tridge@samba.org>
generated by cgit (git 2.34.1) at 2024-12-26 18:15:46 +0000