summaryrefslogtreecommitdiffstats
path: root/source3/librpc/crypto/gse.c
Commit message (Collapse)AuthorAgeFilesLines
* auth/gensec: introduce gensec_internal.hStefan Metzmacher2013-08-101-0/+1
| | | | | | | | | | We should treat most gensec related structures private. It's a long way, but this is a start. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* gse: Use the smb_gss_oid_equal wrapper.Andreas Schneider2012-05-231-20/+3
| | | | Signed-off-by: Andreas Schneider <asn@samba.org>
* s3:gse: implement gensec_gse_expire_time()Stefan Metzmacher2012-05-171-0/+12
| | | | metze
* s3:gse: remember the expire timeStefan Metzmacher2012-05-171-2/+15
| | | | metze
* s3: Attempt to fix the build without kerberosVolker Lendecke2012-04-241-1/+1
| | | | | Autobuild-User: Volker Lendecke <vl@samba.org> Autobuild-Date: Tue Apr 24 15:04:14 CEST 2012 on sn-devel-104
* Make krb5 wrapper library common so they can be used all overSimo Sorce2012-04-231-3/+3
|
* gse: Remove unnecessary header.Simo Sorce2012-04-121-1/+0
| | | | Signed-off-by: Andreas Schneider <asn@samba.org>
* auth-krb: Nove oid packet check to gensec_util.Simo Sorce2012-04-121-21/+1
| | | | | | | | This is clearly a utiliy function generic to gensec. Also the 3 callers had identical implementations. Provide a generic implementation for all of them and avoid duplicating the code everywhere. Signed-off-by: Andreas Schneider <asn@samba.org>
* s3:gse: fix debug message in gse_get_server_auth_token()Stefan Metzmacher2012-03-171-1/+1
| | | | | | | metze Autobuild-User: Stefan Metzmacher <metze@samba.org> Autobuild-Date: Sat Mar 17 03:21:06 CET 2012 on sn-devel-104
* s3-krb5: Remove GSS_WRAP_IOV conditionalAndrew Bartlett2012-03-151-2/+2
| | | | | | | We already confirm that we have this functionality before we set HAVE_KRB5 at configure time. Andrew Bartlett
* Fix a bunch of "unused variable" warnings.Jeremy Allison2012-02-181-6/+6
| | | | | Autobuild-User: Jeremy Allison <jra@samba.org> Autobuild-Date: Sat Feb 18 06:22:40 CET 2012 on sn-devel-104
* auth/kerberos: Move gse_get_session_key() to common code and use in ↵Andrew Bartlett2012-02-171-113/+3
| | | | | | | | | gensec_gssapi Thie ensures that both code bases use the same logic to determine the use of NEW_SPNEGO. Andrew Bartlett
* s3-gse: Allow kerberos key type OID to be optionalAndrew Bartlett2012-02-171-4/+11
|
* s3-gse: Fix OID to read for kerberos key typeAndrew Bartlett2012-02-171-2/+2
|
* s3-librpc: Remove backup declaration of GSS_C_DCE_STYLEAndrew Bartlett2012-02-171-4/+0
| | | | | | All our supported krb5 libs provide this. Andrew Bartlett
* s3-gse: Remove unused OID declarationAndrew Bartlett2012-02-171-9/+0
|
* s3-librpc: Remove gse_verify_server_auth_flagsAndrew Bartlett2012-02-161-50/+0
| | | | | | | | | | | | | | | | gensec_update() ensures that DCE-style and sign/seal are negotiated correctly for DCE/RPC pipes. Also, the smb sealing client/server already check for the gensec_have_feature(). This additional check just keeps causing trouble, and is 'protecting' an already secure negoitated exchange. Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org> Autobuild-User: Stefan Metzmacher <metze@samba.org> Autobuild-Date: Thu Feb 16 21:19:44 CET 2012 on sn-devel-104
* s3-gse: Use the session key type, not the lucid context to set NEW_SPNEGOAndrew Bartlett2012-02-161-67/+69
| | | | | | | | | | | | | | Using gss_krb5_export_lucid_sec_context() is a problem with MIT krb5, as it (reasonably, I suppose) invalidates the gssapi context on which it is called. Instead, we look to the type of session key which is negotiated, and see if it not AES (or newer). If we negotiated AES or newer, then we set GENSEC_FEATURE_NEW_SPENGO so that we know to generate valid mechListMic values in SPNEGO. Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org>
* s3:gse: return NT_STATUS_LOGON_FAILURE instead of NT_STATUS_INTERNAL_ERRORStefan Metzmacher2012-01-261-2/+2
| | | | | | | | | | | | | This matches the behavior of ads_verify_ticket(). Note that ads_verify_ticket() calls krb5_to_nt_status(), but as a server it's likely to always returns NT_STATUS_UNSUCCESSFUL. ads_verify_ticket() maps NT_STATUS_UNSUCCESSFUL to NT_STATUS_LOGON_FAILURE. metze Autobuild-User: Stefan Metzmacher <metze@samba.org> Autobuild-Date: Thu Jan 26 10:48:36 CET 2012 on sn-devel-104
* s3-gse: add GENSEC_FEATURE_NEW_SPNEGO detection in gensec_gse_have_feature()Stefan Metzmacher2012-01-251-0/+55
| | | | metze
* s3-gse: make sure GSS_C_CONF_FLAG implies GSS_C_INTEG_FLAGStefan Metzmacher2012-01-201-0/+6
| | | | metze
* s3-gse: align common elements between gse_context and gensec_gssapi_stateAndrew Bartlett2012-01-181-7/+8
| | | | Signed-off-by: Stefan Metzmacher <metze@samba.org>
* s3-gse: Make gensec_gse cope with non-DCE GSSAPIAndrew Bartlett2012-01-181-5/+8
| | | | | | | | | The validation of the mutual authentication reply produces no further data to send to the server. Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org>
* s3-gse: the server should not check for GSS_C_MUTUAL_FLAGStefan Metzmacher2012-01-181-6/+0
| | | | | | | It up to the client to ask for GSS_C_MUTUAL_FLAG, except for the dcerpc case, where the server is stricter. metze
* s3-gse: verify that we got GSS_C_DCE_STYLE when expectedStefan Metzmacher2012-01-181-0/+11
| | | | | | GSS_C_DCE_STYLE implies GSS_C_MUTUAL_FLAG, so also check for it. metze
* s3-gse Remove authenticated flag from gseAndrew Bartlett2012-01-181-7/+0
| | | | | | | | The only user for this flag is called only directly after it was set. Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org>
* s3-gse remove special more_processing hook from gseAndrew Bartlett2012-01-181-12/+2
| | | | | | | | | The NT_STATUS_MORE_PROCESSING_REQUIRED status code is what gensec is expecting in any case. Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org>
* s3-gse Rename gss_c_flags and ret_flags in gseAndrew Bartlett2012-01-181-18/+18
| | | | | | | | | This make it clearer what type of flags these are and matches gensec_gssapi Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org>
* s3-gse Rename gss_ctx to match gensec_gssapi_contextAndrew Bartlett2012-01-181-17/+17
| | | | Signed-off-by: Stefan Metzmacher <metze@samba.org>
* s3-gse Rename delegated_creds to match gensec_gssapi_contextAndrew Bartlett2012-01-181-4/+4
| | | | Signed-off-by: Stefan Metzmacher <metze@samba.org>
* s3-gse gss_wrap_iov_length() only needs the type and lengthStefan Metzmacher2012-01-181-2/+4
| | | | metze
* s3-gse Make seal parameter a boolean for clarityAndrew Bartlett2012-01-181-2/+2
| | | | Signed-off-by: Stefan Metzmacher <metze@samba.org>
* s3-gse Move GSS_C_DCE_STYLE backup definition to gse.cAndrew Bartlett2012-01-181-0/+4
| | | | Signed-off-by: Stefan Metzmacher <metze@samba.org>
* s3-gse Add constAndrew Bartlett2012-01-181-4/+4
| | | | Signed-off-by: Stefan Metzmacher <metze@samba.org>
* s3-gse Remove or make static unused/local-only GSE functionsAndrew Bartlett2012-01-181-225/+33
| | | | | | | | | The GSE layer is now used via the GENSEC module, so we do not need these functions exposed any more. Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org>
* s3-gse Make gse available as a gensec client moduleAndrew Bartlett2012-01-181-1/+1
| | | | Signed-off-by: Stefan Metzmacher <metze@samba.org>
* s3-gse: Add gensec wrapper for gse GSSAPI clientAndrew Bartlett2012-01-181-0/+440
| | | | | | | | | This brings in part of the s4 gensec_gssapi as the boilerplate for the new module. Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org>
* s3-librpc Return user principal name on supplied mem_ctxAndrew Bartlett2012-01-111-3/+3
| | | | Signed-off-by: Stefan Metzmacher <metze@samba.org>
* s3:gse: MIT krb5 1.8.1 has a bug in gss_wrap_iov()Stefan Metzmacher2012-01-051-1/+1
| | | | | | gss_krb5int_make_seal_token_v3_iov() doesn't set '*conf_state'. metze
* s3-librpc store the sign/seal flags we got in the gssapi clientAndrew Bartlett2012-01-051-1/+1
| | | | Signed-off-by: Stefan Metzmacher <metze@samba.org>
* s3-libads Factor out a new routine ↵Andrew Bartlett2012-01-051-3/+11
| | | | | | | | | | | | kerberos_get_principal_from_service_hostname() This is now used in the GSE GSSAPI client, so that when we connect to a target server at the CIFS level, we use the same name to connect at the DCE/RPC level. Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org>
* s3-librpc Use gsskrb5_get_subkey() where available to get the session keyAndrew Bartlett2012-01-051-0/+15
| | | | | | | | This allows gse_get_session_key() to work against Heimdal. Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org>
* s3-gse Work around the MIT 1.9 gss_krb5_import_credAndrew Bartlett2011-07-201-6/+16
| | | | | | | | | | | | | We detect this function at configure time, but it currently fails to operate the way we need - that is, when the principal is not specified, it gives this error. When the principal is specified we get 'wrong principal in request' in the GSS acceptor, so for now the best option is to fall back to the alternate approach. Andrew Bartlett Autobuild-User: Andrew Bartlett <abartlet@samba.org> Autobuild-Date: Wed Jul 20 06:35:05 CEST 2011 on sn-devel-104
* s3-gse Allow printing the partial error stringAndrew Bartlett2011-07-201-6/+6
| | | | | | | | We may not be able to obtain the full error string, so print what we can get. This is required when the error is the the GSSAPI layer, not the mechanism. Andrew Bartlett
* s3:librpc: remove unneded gssapi includes from source3/librpc/crypto/gse.cMichael Adam2011-05-101-6/+0
| | | | | | | | | | These come in via the smb_krb5.h include (and lib/replace/system/kerberos.h) in the end. Pair-Programmed-With: Stefan Metzmacher <metze@samba.org> Autobuild-User: Michael Adam <obnox@samba.org> Autobuild-Date: Tue May 10 23:12:31 CEST 2011 on sn-devel-104
* Fix many const compiler warnings.Jeremy Allison2011-05-051-21/+23
|
* s3-rpc_server Fix compile without kerberosAndrew Bartlett2011-04-271-1/+2
| | | | | Autobuild-User: Andrew Bartlett <abartlet@samba.org> Autobuild-Date: Wed Apr 27 23:08:48 CEST 2011 on sn-devel-104
* s3-gse: Don't release the mech OID from gss_accept_security_contextAndrew Bartlett2011-04-271-4/+31
| | | | | | | | | | This is constant data according to the man pages I find for this fucntion, and causes a segfault to free() when linked to Heimdal. I am advised that while it is constant for gss_mech_krb5, it may not be for other mechanisms, so an assert will ensure this is dealt with by the programmer who extends this code in future. Andrew Bartlett
* auth/kerberos: Create common helper to get the verified PAC from GSSAPIAndrew Bartlett2011-04-271-42/+5
| | | | | | | | | | | This only works for Heimdal and MIT Krb5 1.8, other versions will get an ACCESS_DEINED error. We no longer manually verify any details of the PAC in Samba for GSSAPI logins, as we never had the information to do it properly, and it is better to have the GSSAPI library handle it. Andrew Bartlett
* s3-gse: Allow the GSSAPI wrapper to load a keytab using gss_krb5_import_cred()Andrew Bartlett2011-04-201-21/+29
| | | | | | | | | | | | This Heimdal function does not set the global state, and allows the GSSAPI server to progress further when compiled against Heimdal (such as in the top level build). The ability to specify a keytab has been removed from the API as it is unused, and and the Heimdal function (avoiding setting global variables) works with an open keytab. Andrew Bartlett
generated by cgit (git 2.34.1) at 2025-09-27 02:59:29 +0000