path: root/auth/gensec
Commit message | Author | Age | Files | Lines
* gensec: add DCERPC_AUTH_TYPE_NCALRPC_AS_SYSTEM backend | Andreas Schneider | 2014-04-24 | 2 | -0/+293
  Signed-off-by: Andreas Schneider <asn@samba.org>
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
* auth/gensec: use auth_ctx->generate_session_info() for schannel | Stefan Metzmacher | 2014-04-24 | 1 | -3/+46
  This way we generate a correct session info for the s3 rpc_server, including a unix token.
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>
* auth: Pass through error from GENSEC sub-mechanism | Andrew Bartlett | 2014-04-02 | 1 | -1/+1
  This allows wrong-password or account-locked-out errors to be passed through from Kerberos (gssapi).
  Andrew Bartlett
  Change-Id: I4bc11a1ad98dfbcc5a4ad9101cd843a7a59f0b59
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
* auth/gensec/spnego: map SPNEGO_REJECT to NT_STATUS_LOGON_FAILURE | Stefan Metzmacher | 2014-03-27 | 1 | -1/+1
  This is what NTLMSSP also gives.
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
  Autobuild-Date(master): Thu Mar 27 02:34:36 CET 2014 on sn-devel-104
* auth/gensec: remove tevent_context argument from gensec_update() | Stefan Metzmacher | 2014-03-27 | 2 | -4/+3
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* auth/gensec: make use of gensec_update_ev() in spnego.c | Stefan Metzmacher | 2014-03-27 | 1 | -8/+8
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* auth/gensec: add a gensec_update_ev() function | Stefan Metzmacher | 2014-03-27 | 2 | -14/+27
  This is the current gensec_update() which takes an optional tevent_context structure and allows semi-async code.
  This is just a temporary solution on the way to kill the semi-async code completely, by using gensec_update_send/recv.
  By providing a gensec_update_ev(), we can remove the explicit tevent_context from gensec_update() and fix all the sane callers.
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* auth/gensec: fix gensec_update() with ev == NULL. | Stefan Metzmacher | 2014-03-27 | 1 | -0/+32
  In future we should remove the tevent_context argument from gensec_update() completely!
  If we have sane backends we should also remove the tevent_loop_allow_nesting() call again!
  t
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* auth/gensec: only include "librpc/gen_ndr/dcerpc.h" | Stefan Metzmacher | 2014-02-13 | 2 | -2/+2
  We only need some DCERPC_ defines.
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Guenther Deschner <gd@samba.org>
* auth/gensec: implement GENSEC_FEATURE_SIGN_PKT_HEADER in schannel.c | Stefan Metzmacher | 2014-01-07 | 1 | -10/+46
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* auth/gensec: move libcli/auth/schannel_sign.c into schannel.c | Stefan Metzmacher | 2014-01-07 | 1 | -0/+380
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* gensec: check for NULL gensec_security in gensec_security_by_auth_type(). | Günther Deschner | 2013-09-19 | 1 | -2/+4
  We have equivalent checks in other gensec_security_by_X calls already.
  Guenther
  Signed-off-by: Günther Deschner <gd@samba.org>
  Pair-Programmed-With: Andreas Schneider <asn@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
* gensec: remove duplicate gensec_security_by_authtype() call. | Günther Deschner | 2013-09-19 | 1 | -27/+2
  We should use the equivalent gensec_security_by_auth_type() call which is exposed in the public header.
  Guenther
  Signed-off-by: Günther Deschner <gd@samba.org>
  Pair-Programmed-With: Andreas Schneider <asn@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
* gensec: move schannel module to toplevel. | Günther Deschner | 2013-09-19 | 2 | -0/+338
  Guenther
  Signed-off-by: Günther Deschner <gd@samba.org>
  Pair-Programmed-With: Andreas Schneider <asn@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
* Add SASL/EXTERNAL gensec module | Howard Chu | 2013-09-18 | 3 | -1/+91
  Signed-off-by: Howard Chu <hyc@symas.com>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Nadezhda Ivanova <nivanova@symas.com>
* auth/credentials: Add cli_credentials_{set,get}_forced_sasl_mech() | Andrew Bartlett | 2013-09-16 | 1 | -0/+14
  This will allow us to force the use of only DIGEST-MD5, for example, which is useful to avoid hitting GSSAPI, SPNEGO or NTLM when talking to OpenLDAP and Cyrus-SASL.
  Andrew Bartlett
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Nadezhda Ivanova <nivanova@symas.com>
* gensec: Fix CID 1063258 Uninitialized scalar variable | Volker Lendecke | 2013-08-19 | 1 | -0/+1
  Signed-off-by: Volker Lendecke <vl@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* auth/gensec: treat struct gensec_security_ops as const if possible. | Stefan Metzmacher | 2013-08-10 | 3 | -34/+40
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* auth/gensec: use 'const char * const *' for function parameters | Stefan Metzmacher | 2013-08-10 | 3 | -3/+3
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* auth/gensec: make it possible to implement async backends | Stefan Metzmacher | 2013-08-10 | 2 | -49/+160
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* auth/gensec: avoid talloc_reference in gensec_security_mechs() | Stefan Metzmacher | 2013-08-10 | 1 | -18/+9
  We now always copy.
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* auth/gensec: avoid talloc_reference in gensec_use_kerberos_mechs() | Stefan Metzmacher | 2013-08-10 | 1 | -18/+20
  We now always copy.
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* auth/gensec: introduce gensec_internal.h | Stefan Metzmacher | 2013-08-10 | 6 | -96/+135
  We should treat most gensec related structures private.
  It's a long way, but this is a start.
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* auth/gensec: add gensec_security_by_auth_type() | Stefan Metzmacher | 2013-08-10 | 2 | -0/+29
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* auth/gensec: first check GENSEC_FEATURE_SESSION_KEY before returning NOT_IMPLEMENTED | Stefan Metzmacher | 2013-08-10 | 1 | -3/+4
  Prefer NT_STATUS_NO_USER_SESSION_KEY as return value of gensec_session_key().
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* gensec: Make gensec_security_oids_from_ops static | Volker Lendecke | 2013-05-15 | 1 | -4/+5
  Signed-off-by: Volker Lendecke <vl@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
  Autobuild-User(master): Jeremy Allison <jra@samba.org>
  Autobuild-Date(master): Wed May 15 20:05:34 CEST 2013 on sn-devel-104
* gensec: Make gensec_security_by_sasl_list static | Volker Lendecke | 2013-05-15 | 1 | -3/+4
  Signed-off-by: Volker Lendecke <vl@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
* gensec: Make gensec_interface_version public | Volker Lendecke | 2013-05-15 | 2 | -1/+2
  Signed-off-by: Volker Lendecke <vl@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
* gensec: Allow login without a PAC by default (bug #9581) | Andrew Bartlett | 2013-01-24 | 1 | -1/+1
  The sense of this test was inverted. We only want to take the ACCESS_DENIED error if gensec:require_pac=true.
  Andrew Bartlett
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
* auth: Fix some nonempty blank lines | Volker Lendecke | 2012-09-20 | 1 | -61/+59
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
* auth/gensec: Remove unused gensec_security parameter | Andrew Bartlett | 2012-07-03 | 1 | -6/+3
* auth/gensec: implement gensec_spnego_expire_time() | Stefan Metzmacher | 2012-05-17 | 1 | -0/+12
  metze
* auth/gensec: add gensec_expire_time() | Stefan Metzmacher | 2012-05-17 | 2 | -0/+12
  metze
* auth-krb: Move oid packet check to gensec_util. | Simo Sorce | 2012-04-12 | 3 | -1/+47
  This is clearly a utility function generic to gensec. Also the 3 callers had identical implementations. Provide a generic implementation for all of them and avoid duplicating the code everywhere.
  Signed-off-by: Andreas Schneider <asn@samba.org>
* gensec_gssapi: keep private header file close to the actual code | Simo Sorce | 2012-04-12 | 1 | -70/+0
  Signed-off-by: Andreas Schneider <asn@samba.org>
* auth/gensec_gssapi: gss_krb5_lucid_context_v1_t is not shared with the gse code anymore | Stefan Metzmacher | 2012-03-15 | 1 | -1/+1
  metze
  Autobuild-User: Stefan Metzmacher <metze@samba.org>
  Autobuild-Date: Thu Mar 15 09:16:16 CET 2012 on sn-devel-104
* auth: Allow the netbios name and domain to be set from winbindd in ntlm_auth3 | Andrew Bartlett | 2012-02-17 | 1 | -0/+2
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Autobuild-User: Stefan Metzmacher <metze@samba.org>
  Autobuild-Date: Fri Feb 17 12:18:51 CET 2012 on sn-devel-104
* auth: Provide a way to specify the NTLMSSP server name to GENSEC | Andrew Bartlett | 2012-02-17 | 1 | -0/+4
  This avoids us needing to assume lp_netbios_name().lp_dnsdomain() if the caller knows better. This will allow preservation of current s3 behaviour.
  Andrew Bartlett
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
* gensec: explain gensec_use_kerberos_mechs() logic | Andrew Bartlett | 2012-02-10 | 1 | -1/+16
  Autobuild-User: Andrew Bartlett <abartlet@samba.org>
  Autobuild-Date: Fri Feb 10 12:36:23 CET 2012 on sn-devel-104
* gensec: set flag to continue in outer for loop in gensec_use_kerberos_mechs | Andrew Bartlett | 2012-02-10 | 1 | -1/+5
  This should be the correct fix for the valgrind error Volker found in 744ed53a62037a659133ccd4de2065491208ae7d.
  This fix avoids putting SPNEGO into the list twice when we are in the CRED_DONT_USE_KERBEROS case.
  Andrew Bartlett
* Revert "gensec: Fix a memory corruption in gensec_use_kerberos_mechs" | Andrew Bartlett | 2012-02-10 | 1 | -2/+1
  This reverts commit 744ed53a62037a659133ccd4de2065491208ae7d.
  The real bug here is that the second half of the outer loop should not have been run once we found spnego.
  Andrew Bartlett
* gensec: Fix a memory corruption in gensec_use_kerberos_mechs | Volker Lendecke | 2012-02-09 | 1 | -1/+2
  Without this I get the following valgrind error:
  ==27740== Invalid write of size 8
  ==27740==    at 0x62C53E: gensec_use_kerberos_mechs (gensec_start.c:112)
  ==27740==    by 0x62C623: gensec_security_mechs (gensec_start.c:141)
  ==27740==    by 0x62C777: gensec_security_by_oid (gensec_start.c:181)
  ==27740==    by 0x62DD6E: gensec_start_mech_by_oid (gensec_start.c:735)
  ==27740==    by 0x50D6FD: negprot_spnego (negprot.c:210)
  ==27740==    by 0x5B0DEA: smbd_smb2_request_process_negprot (smb2_negprot.c:209)
  ==27740==    by 0x5AD036: smbd_smb2_request_dispatch (smb2_server.c:1417)
  ==27740==    by 0x5AFB77: smbd_smb2_first_negprot (smb2_server.c:2643)
  ==27740==    by 0x585C00: process_smb (process.c:1641)
  ==27740==    by 0x587F78: smbd_server_connection_read_handler (process.c:2314)
  ==27740==    by 0x587FD6: smbd_server_connection_handler (process.c:2331)
  ==27740==    by 0x99E05B: run_events_poll (events.c:286)
  ==27740==    by 0x584AFF: smbd_server_connection_loop_once (process.c:984)
  ==27740==    by 0x58B2D9: smbd_process (process.c:3389)
  ==27740==    by 0xDE4CA8: smbd_accept_connection (server.c:469)
  ==27740==    by 0x99E05B: run_events_poll (events.c:286)
  ==27740==    by 0x99E2D5: s3_event_loop_once (events.c:349)
  ==27740==    by 0x99F990: _tevent_loop_once (tevent.c:504)
  ==27740==    by 0xDE5A9B: smbd_parent_loop (server.c:869)
  ==27740==    by 0xDE6DD8: main (server.c:1413)
  ==27740== Address 0x9ff3538 is 4,232 bytes inside a block of size 8,288 alloc'd
  ==27740==    at 0x4C261D7: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
  ==27740==    by 0x6926965: __talloc (talloc.c:560)
  ==27740==    by 0x6926771: talloc_pool (talloc.c:598)
  ==27740==    by 0x93B927: talloc_stackframe_internal (talloc_stack.c:145)
  ==27740==    by 0x93B9D6: talloc_stackframe_pool (talloc_stack.c:171)
  ==27740==    by 0x58B2B7: smbd_process (process.c:3385)
  ==27740==    by 0xDE4CA8: smbd_accept_connection (server.c:469)
  ==27740==    by 0x99E05B: run_events_poll (events.c:286)
  ==27740==    by 0x99E2D5: s3_event_loop_once (events.c:349)
  ==27740==    by 0x99F990: _tevent_loop_once (tevent.c:504)
  ==27740==    by 0xDE5A9B: smbd_parent_loop (server.c:869)
  ==27740==    by 0xDE6DD8: main (server.c:1413)
  In the for-loop we can increment j twice, so we need twice as many output array elements as input array elements.
  Autobuild-User: Volker Lendecke <vl@samba.org>
  Autobuild-Date: Thu Feb 9 19:44:47 CET 2012 on sn-devel-104
* gensec: inline gensec_generate_session_info() into only caller | Andrew Bartlett | 2012-01-30 | 2 | -34/+0
  This avoids casting to and from the struct auth_user_info_dc *user_info_dc.
  To do this, the if (user_info_dc->info->authenticated) is moved into auth_generate_session_info_wrapper(), which is the function that gensec_security->auth_context->generate_session_info points to.
  Andrew Bartlett
* auth/gensec_gssapi: sync gensec_gssapi_state with gse_context | Stefan Metzmacher | 2012-01-25 | 1 | -1/+2
  Both use gss_krb5_lucid_context_v1_t now.
  metze
  Autobuild-User: Stefan Metzmacher <metze@samba.org>
  Autobuild-Date: Wed Jan 25 10:22:31 CET 2012 on sn-devel-104
* auth/gensec: align common elements between gse_context and gensec_gssapi_state | Andrew Bartlett | 2012-01-18 | 1 | -3/+5
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Autobuild-User: Stefan Metzmacher <metze@samba.org>
  Autobuild-Date: Wed Jan 18 19:29:40 CET 2012 on sn-devel-104
* s3:build: add auth/gensec/spnego.o | Stefan Metzmacher | 2012-01-13 | 1 | -0/+2
  metze
  Autobuild-User: Stefan Metzmacher <metze@samba.org>
  Autobuild-Date: Fri Jan 13 06:32:30 CET 2012 on sn-devel-104
* auth/gensec: move spnego.c to the toplevel | Stefan Metzmacher | 2012-01-13 | 2 | -0/+1407
  metze
* auth/gensec: common helper functions should be in gensec_util.c | Stefan Metzmacher | 2012-01-13 | 1 | -0/+116
  This makes the dependencies easier to handle.
  metze
* auth/gensec: add some more functions from gensec_start.c to gensec.h | Stefan Metzmacher | 2012-01-13 | 2 | -16/+37
  metze
* auth/gensec: make sure functions from gensec.c are in gensec.h | Stefan Metzmacher | 2012-01-13 | 2 | -5/+7
  metze