Diffstat (limited to 'source4/auth')
-rw-r--r--source4/auth/auth.py2
-rw-r--r--source4/auth/auth_wrap.c14
-rw-r--r--source4/auth/credentials/credentials.py2
-rw-r--r--source4/auth/credentials/credentials_ntlm.c2
-rw-r--r--source4/auth/credentials/credentials_wrap.c47
-rw-r--r--source4/auth/gensec/cyrus_sasl.c2
-rw-r--r--source4/auth/gensec/gensec.c8
-rw-r--r--source4/auth/gensec/gensec.h3
-rw-r--r--source4/auth/gensec/gensec_gssapi.c9
-rw-r--r--source4/auth/gensec/gensec_krb5.c4
-rw-r--r--source4/auth/gensec/schannel_sign.c2
-rw-r--r--source4/auth/gensec/schannel_state.c4
-rw-r--r--source4/auth/gensec/socket.c13
-rw-r--r--source4/auth/gensec/spnego.c15
-rw-r--r--source4/auth/kerberos/kerberos.c4
-rw-r--r--source4/auth/kerberos/kerberos_util.c18
-rw-r--r--source4/auth/kerberos/krb5_init_context.c4
-rw-r--r--source4/auth/ntlm/auth_server.c1
-rw-r--r--source4/auth/ntlm/ntlm_check.c2
-rw-r--r--source4/auth/ntlmssp/ntlmssp.c4
-rw-r--r--source4/auth/ntlmssp/ntlmssp_client.c2
-rw-r--r--source4/auth/ntlmssp/ntlmssp_server.c40
-rw-r--r--source4/auth/ntlmssp/ntlmssp_sign.c2
23 files changed, 122 insertions, 82 deletions
diff --git a/source4/auth/auth.py b/source4/auth/auth.py
index 226175a75b..1e5d68804b 100644
--- a/source4/auth/auth.py
+++ b/source4/auth/auth.py
@@ -1,5 +1,5 @@
# This file was automatically generated by SWIG (http://www.swig.org).
-# Version 1.3.35
+# Version 1.3.36
#
# Don't modify this file, modify the SWIG interface instead.
diff --git a/source4/auth/auth_wrap.c b/source4/auth/auth_wrap.c
index dea76ef87d..c514821c72 100644
--- a/source4/auth/auth_wrap.c
+++ b/source4/auth/auth_wrap.c
@@ -1,6 +1,6 @@
/* ----------------------------------------------------------------------------
* This file was automatically generated by SWIG (http://www.swig.org).
- * Version 1.3.35
+ * Version 1.3.36
*
* This file is not intended to be easily readable and contains a number of
* coding conventions designed to improve portability and efficiency. Do not make
@@ -52,6 +52,12 @@
# endif
#endif
+#ifndef SWIG_MSC_UNSUPPRESS_4505
+# if defined(_MSC_VER)
+# pragma warning(disable : 4505) /* unreferenced local function has been removed */
+# endif
+#endif
+
#ifndef SWIGUNUSEDPARM
# ifdef __cplusplus
# define SWIGUNUSEDPARM(p)
@@ -2523,7 +2529,7 @@ static swig_module_info swig_module = {swig_types, 16, 0, 0, 0, 0};
#define SWIG_name "_auth"
-#define SWIGVERSION 0x010335
+#define SWIGVERSION 0x010336
#define SWIG_VERSION SWIGVERSION
@@ -2548,13 +2554,13 @@ SWIGINTERN PyObject *_wrap_system_session(PyObject *SWIGUNUSEDPARM(self), PyObje
PyObject *resultobj = 0;
TALLOC_CTX *arg1 = (TALLOC_CTX *) 0 ;
struct loadparm_context *arg2 = (struct loadparm_context *) 0 ;
- struct auth_session_info *result = 0 ;
void *argp2 = 0 ;
int res2 = 0 ;
PyObject * obj0 = 0 ;
char * kwnames[] = {
(char *) "lp_ctx", NULL
};
+ struct auth_session_info *result = 0 ;
arg2 = loadparm_init(NULL);
arg1 = NULL;
@@ -2578,13 +2584,13 @@ SWIGINTERN PyObject *_wrap_system_session_anon(PyObject *SWIGUNUSEDPARM(self), P
PyObject *resultobj = 0;
TALLOC_CTX *arg1 = (TALLOC_CTX *) 0 ;
struct loadparm_context *arg2 = (struct loadparm_context *) 0 ;
- struct auth_session_info *result = 0 ;
void *argp2 = 0 ;
int res2 = 0 ;
PyObject * obj0 = 0 ;
char * kwnames[] = {
(char *) "lp_ctx", NULL
};
+ struct auth_session_info *result = 0 ;
arg2 = loadparm_init(NULL);
arg1 = NULL;
diff --git a/source4/auth/credentials/credentials.py b/source4/auth/credentials/credentials.py
index 2cd56c3599..fe21dd2ba2 100644
--- a/source4/auth/credentials/credentials.py
+++ b/source4/auth/credentials/credentials.py
@@ -1,5 +1,5 @@
# This file was automatically generated by SWIG (http://www.swig.org).
-# Version 1.3.35
+# Version 1.3.36
#
# Don't modify this file, modify the SWIG interface instead.
diff --git a/source4/auth/credentials/credentials_ntlm.c b/source4/auth/credentials/credentials_ntlm.c
index 22e273c35a..ef41971462 100644
--- a/source4/auth/credentials/credentials_ntlm.c
+++ b/source4/auth/credentials/credentials_ntlm.c
@@ -23,7 +23,7 @@
#include "includes.h"
#include "librpc/gen_ndr/samr.h" /* for struct samrPassword */
-#include "lib/crypto/crypto.h"
+#include "../lib/crypto/crypto.h"
#include "libcli/auth/libcli_auth.h"
#include "auth/credentials/credentials.h"
diff --git a/source4/auth/credentials/credentials_wrap.c b/source4/auth/credentials/credentials_wrap.c
index 81ba426e45..260451d0fc 100644
--- a/source4/auth/credentials/credentials_wrap.c
+++ b/source4/auth/credentials/credentials_wrap.c
@@ -1,6 +1,6 @@
/* ----------------------------------------------------------------------------
* This file was automatically generated by SWIG (http://www.swig.org).
- * Version 1.3.35
+ * Version 1.3.36
*
* This file is not intended to be easily readable and contains a number of
* coding conventions designed to improve portability and efficiency. Do not make
@@ -52,6 +52,12 @@
# endif
#endif
+#ifndef SWIG_MSC_UNSUPPRESS_4505
+# if defined(_MSC_VER)
+# pragma warning(disable : 4505) /* unreferenced local function has been removed */
+# endif
+#endif
+
#ifndef SWIGUNUSEDPARM
# ifdef __cplusplus
# define SWIGUNUSEDPARM(p)
@@ -2524,7 +2530,7 @@ static swig_module_info swig_module = {swig_types, 17, 0, 0, 0, 0};
#define SWIG_name "_credentials"
-#define SWIGVERSION 0x010335
+#define SWIGVERSION 0x010336
#define SWIG_VERSION SWIGVERSION
@@ -2839,13 +2845,13 @@ fail:
SWIGINTERN PyObject *_wrap_Credentials_get_username(PyObject *SWIGUNUSEDPARM(self), PyObject *args, PyObject *kwargs) {
PyObject *resultobj = 0;
cli_credentials *arg1 = (cli_credentials *) 0 ;
- char *result = 0 ;
void *argp1 = 0 ;
int res1 = 0 ;
PyObject * obj0 = 0 ;
char * kwnames[] = {
(char *) "self", NULL
};
+ char *result = 0 ;
arg1 = NULL;
if (!PyArg_ParseTupleAndKeywords(args,kwargs,(char *)"|O:Credentials_get_username",kwnames,&obj0)) SWIG_fail;
@@ -2869,7 +2875,6 @@ SWIGINTERN PyObject *_wrap_Credentials_set_username(PyObject *SWIGUNUSEDPARM(sel
cli_credentials *arg1 = (cli_credentials *) 0 ;
char *arg2 = (char *) 0 ;
enum credentials_obtained arg3 = (enum credentials_obtained) CRED_SPECIFIED ;
- bool result;
void *argp1 = 0 ;
int res1 = 0 ;
int res2 ;
@@ -2883,6 +2888,7 @@ SWIGINTERN PyObject *_wrap_Credentials_set_username(PyObject *SWIGUNUSEDPARM(sel
char * kwnames[] = {
(char *) "self",(char *) "value",(char *) "obtained", NULL
};
+ bool result;
arg1 = NULL;
if (!PyArg_ParseTupleAndKeywords(args,kwargs,(char *)"|OOO:Credentials_set_username",kwnames,&obj0,&obj1,&obj2)) SWIG_fail;
@@ -2920,13 +2926,13 @@ fail:
SWIGINTERN PyObject *_wrap_Credentials_get_password(PyObject *SWIGUNUSEDPARM(self), PyObject *args, PyObject *kwargs) {
PyObject *resultobj = 0;
cli_credentials *arg1 = (cli_credentials *) 0 ;
- char *result = 0 ;
void *argp1 = 0 ;
int res1 = 0 ;
PyObject * obj0 = 0 ;
char * kwnames[] = {
(char *) "self", NULL
};
+ char *result = 0 ;
arg1 = NULL;
if (!PyArg_ParseTupleAndKeywords(args,kwargs,(char *)"|O:Credentials_get_password",kwnames,&obj0)) SWIG_fail;
@@ -2950,7 +2956,6 @@ SWIGINTERN PyObject *_wrap_Credentials_set_password(PyObject *SWIGUNUSEDPARM(sel
cli_credentials *arg1 = (cli_credentials *) 0 ;
char *arg2 = (char *) 0 ;
enum credentials_obtained arg3 = (enum credentials_obtained) CRED_SPECIFIED ;
- bool result;
void *argp1 = 0 ;
int res1 = 0 ;
int res2 ;
@@ -2964,6 +2969,7 @@ SWIGINTERN PyObject *_wrap_Credentials_set_password(PyObject *SWIGUNUSEDPARM(sel
char * kwnames[] = {
(char *) "self",(char *) "val",(char *) "obtained", NULL
};
+ bool result;
arg1 = NULL;
if (!PyArg_ParseTupleAndKeywords(args,kwargs,(char *)"|OOO:Credentials_set_password",kwnames,&obj0,&obj1,&obj2)) SWIG_fail;
@@ -3001,13 +3007,13 @@ fail:
SWIGINTERN PyObject *_wrap_Credentials_get_domain(PyObject *SWIGUNUSEDPARM(self), PyObject *args, PyObject *kwargs) {
PyObject *resultobj = 0;
cli_credentials *arg1 = (cli_credentials *) 0 ;
- char *result = 0 ;
void *argp1 = 0 ;
int res1 = 0 ;
PyObject * obj0 = 0 ;
char * kwnames[] = {
(char *) "self", NULL
};
+ char *result = 0 ;
arg1 = NULL;
if (!PyArg_ParseTupleAndKeywords(args,kwargs,(char *)"|O:Credentials_get_domain",kwnames,&obj0)) SWIG_fail;
@@ -3031,7 +3037,6 @@ SWIGINTERN PyObject *_wrap_Credentials_set_domain(PyObject *SWIGUNUSEDPARM(self)
cli_credentials *arg1 = (cli_credentials *) 0 ;
char *arg2 = (char *) 0 ;
enum credentials_obtained arg3 = (enum credentials_obtained) CRED_SPECIFIED ;
- bool result;
void *argp1 = 0 ;
int res1 = 0 ;
int res2 ;
@@ -3045,6 +3050,7 @@ SWIGINTERN PyObject *_wrap_Credentials_set_domain(PyObject *SWIGUNUSEDPARM(self)
char * kwnames[] = {
(char *) "self",(char *) "val",(char *) "obtained", NULL
};
+ bool result;
arg1 = NULL;
if (!PyArg_ParseTupleAndKeywords(args,kwargs,(char *)"|OOO:Credentials_set_domain",kwnames,&obj0,&obj1,&obj2)) SWIG_fail;
@@ -3082,13 +3088,13 @@ fail:
SWIGINTERN PyObject *_wrap_Credentials_get_realm(PyObject *SWIGUNUSEDPARM(self), PyObject *args, PyObject *kwargs) {
PyObject *resultobj = 0;
cli_credentials *arg1 = (cli_credentials *) 0 ;
- char *result = 0 ;
void *argp1 = 0 ;
int res1 = 0 ;
PyObject * obj0 = 0 ;
char * kwnames[] = {
(char *) "self", NULL
};
+ char *result = 0 ;
arg1 = NULL;
if (!PyArg_ParseTupleAndKeywords(args,kwargs,(char *)"|O:Credentials_get_realm",kwnames,&obj0)) SWIG_fail;
@@ -3112,7 +3118,6 @@ SWIGINTERN PyObject *_wrap_Credentials_set_realm(PyObject *SWIGUNUSEDPARM(self),
cli_credentials *arg1 = (cli_credentials *) 0 ;
char *arg2 = (char *) 0 ;
enum credentials_obtained arg3 = (enum credentials_obtained) CRED_SPECIFIED ;
- bool result;
void *argp1 = 0 ;
int res1 = 0 ;
int res2 ;
@@ -3126,6 +3131,7 @@ SWIGINTERN PyObject *_wrap_Credentials_set_realm(PyObject *SWIGUNUSEDPARM(self),
char * kwnames[] = {
(char *) "self",(char *) "val",(char *) "obtained", NULL
};
+ bool result;
arg1 = NULL;
if (!PyArg_ParseTupleAndKeywords(args,kwargs,(char *)"|OOO:Credentials_set_realm",kwnames,&obj0,&obj1,&obj2)) SWIG_fail;
@@ -3253,13 +3259,13 @@ fail:
SWIGINTERN PyObject *_wrap_Credentials_get_bind_dn(PyObject *SWIGUNUSEDPARM(self), PyObject *args, PyObject *kwargs) {
PyObject *resultobj = 0;
cli_credentials *arg1 = (cli_credentials *) 0 ;
- char *result = 0 ;
void *argp1 = 0 ;
int res1 = 0 ;
PyObject * obj0 = 0 ;
char * kwnames[] = {
(char *) "self", NULL
};
+ char *result = 0 ;
arg1 = NULL;
if (!PyArg_ParseTupleAndKeywords(args,kwargs,(char *)"|O:Credentials_get_bind_dn",kwnames,&obj0)) SWIG_fail;
@@ -3282,7 +3288,6 @@ SWIGINTERN PyObject *_wrap_Credentials_set_bind_dn(PyObject *SWIGUNUSEDPARM(self
PyObject *resultobj = 0;
cli_credentials *arg1 = (cli_credentials *) 0 ;
char *arg2 = (char *) 0 ;
- bool result;
void *argp1 = 0 ;
int res1 = 0 ;
int res2 ;
@@ -3293,6 +3298,7 @@ SWIGINTERN PyObject *_wrap_Credentials_set_bind_dn(PyObject *SWIGUNUSEDPARM(self
char * kwnames[] = {
(char *) "self",(char *) "bind_dn", NULL
};
+ bool result;
arg1 = NULL;
if (!PyArg_ParseTupleAndKeywords(args,kwargs,(char *)"|OO:Credentials_set_bind_dn",kwnames,&obj0,&obj1)) SWIG_fail;
@@ -3350,13 +3356,13 @@ fail:
SWIGINTERN PyObject *_wrap_Credentials_get_workstation(PyObject *SWIGUNUSEDPARM(self), PyObject *args, PyObject *kwargs) {
PyObject *resultobj = 0;
cli_credentials *arg1 = (cli_credentials *) 0 ;
- char *result = 0 ;
void *argp1 = 0 ;
int res1 = 0 ;
PyObject * obj0 = 0 ;
char * kwnames[] = {
(char *) "self", NULL
};
+ char *result = 0 ;
arg1 = NULL;
if (!PyArg_ParseTupleAndKeywords(args,kwargs,(char *)"|O:Credentials_get_workstation",kwnames,&obj0)) SWIG_fail;
@@ -3380,7 +3386,6 @@ SWIGINTERN PyObject *_wrap_Credentials_set_workstation(PyObject *SWIGUNUSEDPARM(
cli_credentials *arg1 = (cli_credentials *) 0 ;
char *arg2 = (char *) 0 ;
enum credentials_obtained arg3 = (enum credentials_obtained) CRED_SPECIFIED ;
- bool result;
void *argp1 = 0 ;
int res1 = 0 ;
int res2 ;
@@ -3394,6 +3399,7 @@ SWIGINTERN PyObject *_wrap_Credentials_set_workstation(PyObject *SWIGUNUSEDPARM(
char * kwnames[] = {
(char *) "self",(char *) "workstation",(char *) "obtained", NULL
};
+ bool result;
arg1 = NULL;
if (!PyArg_ParseTupleAndKeywords(args,kwargs,(char *)"|OOO:Credentials_set_workstation",kwnames,&obj0,&obj1,&obj2)) SWIG_fail;
@@ -3432,7 +3438,6 @@ SWIGINTERN PyObject *_wrap_Credentials_set_machine_account(PyObject *SWIGUNUSEDP
PyObject *resultobj = 0;
cli_credentials *arg1 = (cli_credentials *) 0 ;
struct loadparm_context *arg2 = (struct loadparm_context *) 0 ;
- NTSTATUS result;
void *argp1 = 0 ;
int res1 = 0 ;
void *argp2 = 0 ;
@@ -3442,6 +3447,7 @@ SWIGINTERN PyObject *_wrap_Credentials_set_machine_account(PyObject *SWIGUNUSEDP
char * kwnames[] = {
(char *) "self",(char *) "lp_ctx", NULL
};
+ NTSTATUS result;
arg1 = NULL;
arg2 = loadparm_init(NULL);
@@ -3510,13 +3516,13 @@ fail:
SWIGINTERN PyObject *_wrap_Credentials_is_anonymous(PyObject *SWIGUNUSEDPARM(self), PyObject *args, PyObject *kwargs) {
PyObject *resultobj = 0;
cli_credentials *arg1 = (cli_credentials *) 0 ;
- bool result;
void *argp1 = 0 ;
int res1 = 0 ;
PyObject * obj0 = 0 ;
char * kwnames[] = {
(char *) "self", NULL
};
+ bool result;
arg1 = NULL;
if (!PyArg_ParseTupleAndKeywords(args,kwargs,(char *)"|O:Credentials_is_anonymous",kwnames,&obj0)) SWIG_fail;
@@ -3539,13 +3545,13 @@ SWIGINTERN PyObject *_wrap_Credentials_get_nt_hash(PyObject *SWIGUNUSEDPARM(self
PyObject *resultobj = 0;
cli_credentials *arg1 = (cli_credentials *) 0 ;
TALLOC_CTX *arg2 = (TALLOC_CTX *) 0 ;
- struct samr_Password *result = 0 ;
void *argp1 = 0 ;
int res1 = 0 ;
PyObject * obj0 = 0 ;
char * kwnames[] = {
(char *) "self", NULL
};
+ struct samr_Password *result = 0 ;
arg1 = NULL;
arg2 = NULL;
@@ -3568,13 +3574,13 @@ fail:
SWIGINTERN PyObject *_wrap_Credentials_authentication_requested(PyObject *SWIGUNUSEDPARM(self), PyObject *args, PyObject *kwargs) {
PyObject *resultobj = 0;
cli_credentials *arg1 = (cli_credentials *) 0 ;
- bool result;
void *argp1 = 0 ;
int res1 = 0 ;
PyObject * obj0 = 0 ;
char * kwnames[] = {
(char *) "self", NULL
};
+ bool result;
arg1 = NULL;
if (!PyArg_ParseTupleAndKeywords(args,kwargs,(char *)"|O:Credentials_authentication_requested",kwnames,&obj0)) SWIG_fail;
@@ -3596,13 +3602,13 @@ fail:
SWIGINTERN PyObject *_wrap_Credentials_wrong_password(PyObject *SWIGUNUSEDPARM(self), PyObject *args, PyObject *kwargs) {
PyObject *resultobj = 0;
cli_credentials *arg1 = (cli_credentials *) 0 ;
- bool result;
void *argp1 = 0 ;
int res1 = 0 ;
PyObject * obj0 = 0 ;
char * kwnames[] = {
(char *) "self", NULL
};
+ bool result;
arg1 = NULL;
if (!PyArg_ParseTupleAndKeywords(args,kwargs,(char *)"|O:Credentials_wrong_password",kwnames,&obj0)) SWIG_fail;
@@ -3624,13 +3630,13 @@ fail:
SWIGINTERN PyObject *_wrap_Credentials_set_cmdline_callbacks(PyObject *SWIGUNUSEDPARM(self), PyObject *args, PyObject *kwargs) {
PyObject *resultobj = 0;
cli_credentials *arg1 = (cli_credentials *) 0 ;
- bool result;
void *argp1 = 0 ;
int res1 = 0 ;
PyObject * obj0 = 0 ;
char * kwnames[] = {
(char *) "self", NULL
};
+ bool result;
arg1 = NULL;
if (!PyArg_ParseTupleAndKeywords(args,kwargs,(char *)"|O:Credentials_set_cmdline_callbacks",kwnames,&obj0)) SWIG_fail;
@@ -3669,7 +3675,6 @@ SWIGINTERN PyObject *_wrap_delete_Credentials(PyObject *SWIGUNUSEDPARM(self), Py
arg1 = (cli_credentials *)(argp1);
}
delete_cli_credentials(arg1);
-
resultobj = SWIG_Py_Void();
return resultobj;
fail:
diff --git a/source4/auth/gensec/cyrus_sasl.c b/source4/auth/gensec/cyrus_sasl.c
index 06a7b8a382..6f82de82fc 100644
--- a/source4/auth/gensec/cyrus_sasl.c
+++ b/source4/auth/gensec/cyrus_sasl.c
@@ -110,7 +110,7 @@ static int gensec_sasl_get_password(sasl_conn_t *conn, void *context, int id,
static int gensec_sasl_dispose(struct gensec_sasl_state *gensec_sasl_state)
{
sasl_dispose(&gensec_sasl_state->conn);
- return 0;
+ return SASL_OK;
}
static NTSTATUS gensec_sasl_client_start(struct gensec_security *gensec_security)
diff --git a/source4/auth/gensec/gensec.c b/source4/auth/gensec/gensec.c
index 0edb34d740..5d57383d2a 100644
--- a/source4/auth/gensec/gensec.c
+++ b/source4/auth/gensec/gensec.c
@@ -490,6 +490,7 @@ static NTSTATUS gensec_start(TALLOC_CTX *mem_ctx,
NT_STATUS_HAVE_NO_MEMORY(*gensec_security);
(*gensec_security)->ops = NULL;
+ (*gensec_security)->private_data = NULL;
ZERO_STRUCT((*gensec_security)->target);
ZERO_STRUCT((*gensec_security)->peer_addr);
@@ -525,6 +526,7 @@ _PUBLIC_ NTSTATUS gensec_subcontext_start(TALLOC_CTX *mem_ctx,
(*gensec_security)->private_data = NULL;
(*gensec_security)->subcontext = true;
+ (*gensec_security)->want_features = parent->want_features;
(*gensec_security)->event_ctx = parent->event_ctx;
(*gensec_security)->msg_ctx = parent->msg_ctx;
(*gensec_security)->lp_ctx = parent->lp_ctx;
@@ -1015,7 +1017,11 @@ _PUBLIC_ NTSTATUS gensec_update_recv(struct gensec_update_request *req, TALLOC_C
_PUBLIC_ void gensec_want_feature(struct gensec_security *gensec_security,
uint32_t feature)
{
- gensec_security->want_features |= feature;
+ if (!gensec_security->ops || !gensec_security->ops->want_feature) {
+ gensec_security->want_features |= feature;
+ return;
+ }
+ gensec_security->ops->want_feature(gensec_security, feature);
}
/**
diff --git a/source4/auth/gensec/gensec.h b/source4/auth/gensec/gensec.h
index 2830297ffe..0b31882ddd 100644
--- a/source4/auth/gensec/gensec.h
+++ b/source4/auth/gensec/gensec.h
@@ -133,6 +133,8 @@ struct gensec_security_ops {
NTSTATUS (*session_key)(struct gensec_security *gensec_security, DATA_BLOB *session_key);
NTSTATUS (*session_info)(struct gensec_security *gensec_security,
struct auth_session_info **session_info);
+ void (*want_feature)(struct gensec_security *gensec_security,
+ uint32_t feature);
bool (*have_feature)(struct gensec_security *gensec_security,
uint32_t feature);
bool enabled;
@@ -174,6 +176,7 @@ struct gensec_security;
struct socket_context;
NTSTATUS gensec_socket_init(struct gensec_security *gensec_security,
+ TALLOC_CTX *mem_ctx,
struct socket_context *current_socket,
struct event_context *ev,
void (*recv_handler)(void *, uint16_t),
diff --git a/source4/auth/gensec/gensec_gssapi.c b/source4/auth/gensec/gensec_gssapi.c
index 1334e799ae..e791226cf6 100644
--- a/source4/auth/gensec/gensec_gssapi.c
+++ b/source4/auth/gensec/gensec_gssapi.c
@@ -1181,6 +1181,10 @@ static NTSTATUS gensec_gssapi_session_key(struct gensec_security *gensec_securit
OM_uint32 maj_stat, min_stat;
krb5_keyblock *subkey;
+ if (gensec_gssapi_state->sasl_state != STAGE_DONE) {
+ return NT_STATUS_NO_USER_SESSION_KEY;
+ }
+
if (gensec_gssapi_state->session_key.data) {
*session_key = gensec_gssapi_state->session_key;
return NT_STATUS_OK;
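Review bot: The early return added at the top of gensec_gssapi_session_key has no comment saying why a key is refused before `STAGE_DONE`. The same unexplained guard is added in gensec_krb5_session_key (`state_position != GENSEC_KRB5_DONE`) and gensec_ntlmssp_session_key (`expected_state != NTLMSSP_DONE`). Callers that asked for the key in the middle of the exchange now get `NT_STATUS_NO_USER_SESSION_KEY`, so the contract is worth stating at each guard, e.g. `/* the session key is only handed out once the exchange has completed */`. All three function bodies start outside their hunks.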
@@ -1200,10 +1204,7 @@ static NTSTATUS gensec_gssapi_session_key(struct gensec_security *gensec_securit
*session_key = data_blob_talloc(gensec_gssapi_state,
KRB5_KEY_DATA(subkey), KRB5_KEY_LENGTH(subkey));
krb5_free_keyblock(gensec_gssapi_state->smb_krb5_context->krb5_context, subkey);
- if (gensec_gssapi_state->sasl_state == STAGE_DONE) {
- /* only cache in the done stage */
- gensec_gssapi_state->session_key = *session_key;
- }
+ gensec_gssapi_state->session_key = *session_key;
dump_data_pw("KRB5 Session Key:\n", session_key->data, session_key->length);
return NT_STATUS_OK;
diff --git a/source4/auth/gensec/gensec_krb5.c b/source4/auth/gensec/gensec_krb5.c
index 47df2ccfcc..1f54043038 100644
--- a/source4/auth/gensec/gensec_krb5.c
+++ b/source4/auth/gensec/gensec_krb5.c
@@ -515,6 +515,10 @@ static NTSTATUS gensec_krb5_session_key(struct gensec_security *gensec_security,
krb5_keyblock *skey;
krb5_error_code err = -1;
+ if (gensec_krb5_state->state_position != GENSEC_KRB5_DONE) {
+ return NT_STATUS_NO_USER_SESSION_KEY;
+ }
+
if (gensec_krb5_state->session_key.data) {
*session_key = gensec_krb5_state->session_key;
return NT_STATUS_OK;
diff --git a/source4/auth/gensec/schannel_sign.c b/source4/auth/gensec/schannel_sign.c
index 1e57beba08..9862a029a4 100644
--- a/source4/auth/gensec/schannel_sign.c
+++ b/source4/auth/gensec/schannel_sign.c
@@ -21,7 +21,7 @@
*/
#include "includes.h"
-#include "lib/crypto/crypto.h"
+#include "../lib/crypto/crypto.h"
#include "auth/auth.h"
#include "auth/gensec/schannel.h"
#include "auth/credentials/credentials.h"
diff --git a/source4/auth/gensec/schannel_state.c b/source4/auth/gensec/schannel_state.c
index f0710c5581..64c21d0c3e 100644
--- a/source4/auth/gensec/schannel_state.c
+++ b/source4/auth/gensec/schannel_state.c
@@ -44,7 +44,7 @@ struct ldb_context *schannel_db_connect(TALLOC_CTX *mem_ctx, struct event_contex
"computerName: CASE_INSENSITIVE\n" \
"flatname: CASE_INSENSITIVE\n";
- path = smbd_tmp_path(mem_ctx, lp_ctx, "schannel.ldb");
+ path = private_path(mem_ctx, lp_ctx, "schannel.ldb");
if (!path) {
return NULL;
}
@@ -195,7 +195,7 @@ NTSTATUS schannel_fetch_session_key_ldb(TALLOC_CTX *mem_ctx,
return NT_STATUS_NO_MEMORY;
}
- ret = ldb_search_exp_fmt(ldb, mem_ctx, &res,
+ ret = ldb_search(ldb, mem_ctx, &res,
NULL, LDB_SCOPE_SUBTREE, NULL,
"(&(computerName=%s)(flatname=%s))", computer_name, domain);
if (ret != LDB_SUCCESS) {
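Review bot: `computer_name` and `domain` are formatted straight into the filter `(&(computerName=%s)(flatname=%s))`, and nothing in this hunk shows them being escaped first. If either value can originate from the remote peer, filter metacharacters in it would change which schannel record is matched. Passing both through `ldb_binary_encode_string(mem_ctx, ...)` before the `ldb_search` call would rule that out. The rename from ldb_search_exp_fmt leaves this unchanged, and the start of schannel_fetch_session_key_ldb is outside the hunk, so the escaping may already happen earlier.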
diff --git a/source4/auth/gensec/socket.c b/source4/auth/gensec/socket.c
index 27449bf610..319730e2ca 100644
--- a/source4/auth/gensec/socket.c
+++ b/source4/auth/gensec/socket.c
@@ -408,8 +408,10 @@ static NTSTATUS gensec_socket_send(struct socket_context *sock,
}
/* Turn a normal socket into a potentially GENSEC wrapped socket */
+/* CAREFUL: this function will steal 'current_socket' */
NTSTATUS gensec_socket_init(struct gensec_security *gensec_security,
+ TALLOC_CTX *mem_ctx,
struct socket_context *current_socket,
struct event_context *ev,
void (*recv_handler)(void *, uint16_t),
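Review bot: The new `CAREFUL` comment says the function steals 'current_socket' without qualification, but the later hunks only steal it on success. `talloc_steal(gensec_socket, current_socket)` runs just before the two `return NT_STATUS_OK` paths, while the failure paths only `talloc_free(new_sock)`. A caller reading the comment cannot tell whether it must still release the socket after an error. I would word it as `/* CAREFUL: on success 'current_socket' is stolen onto the new socket; on failure the caller still owns it */`. The function body continues outside this hunk.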
@@ -420,7 +422,7 @@ NTSTATUS gensec_socket_init(struct gensec_security *gensec_security,
struct socket_context *new_sock;
NTSTATUS nt_status;
- nt_status = socket_create_with_ops(current_socket, &gensec_socket_ops, &new_sock,
+ nt_status = socket_create_with_ops(mem_ctx, &gensec_socket_ops, &new_sock,
SOCKET_TYPE_STREAM, current_socket->flags | SOCKET_FLAG_ENCRYPT);
if (!NT_STATUS_IS_OK(nt_status)) {
*new_socket = NULL;
@@ -432,22 +434,19 @@ NTSTATUS gensec_socket_init(struct gensec_security *gensec_security,
gensec_socket = talloc(new_sock, struct gensec_socket);
if (gensec_socket == NULL) {
*new_socket = NULL;
+ talloc_free(new_sock);
return NT_STATUS_NO_MEMORY;
}
new_sock->private_data = gensec_socket;
gensec_socket->socket = current_socket;
- if (talloc_reference(gensec_socket, current_socket) == NULL) {
- *new_socket = NULL;
- return NT_STATUS_NO_MEMORY;
- }
-
/* Nothing to do here, if we are not actually wrapping on this socket */
if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL) &&
!gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) {
gensec_socket->wrap = false;
+ talloc_steal(gensec_socket, current_socket);
*new_socket = new_sock;
return NT_STATUS_OK;
}
@@ -469,6 +468,7 @@ NTSTATUS gensec_socket_init(struct gensec_security *gensec_security,
gensec_socket->packet = packet_init(gensec_socket);
if (gensec_socket->packet == NULL) {
*new_socket = NULL;
+ talloc_free(new_sock);
return NT_STATUS_NO_MEMORY;
}
@@ -481,6 +481,7 @@ NTSTATUS gensec_socket_init(struct gensec_security *gensec_security,
/* TODO: full-request that knows about maximum packet size */
+ talloc_steal(gensec_socket, current_socket);
*new_socket = new_sock;
return NT_STATUS_OK;
}
diff --git a/source4/auth/gensec/spnego.c b/source4/auth/gensec/spnego.c
index 1855e0583d..bf991616bd 100644
--- a/source4/auth/gensec/spnego.c
+++ b/source4/auth/gensec/spnego.c
@@ -1094,6 +1094,20 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA
return NT_STATUS_INVALID_PARAMETER;
}
+static void gensec_spnego_want_feature(struct gensec_security *gensec_security,
+ uint32_t feature)
+{
+ struct spnego_state *spnego_state = (struct spnego_state *)gensec_security->private_data;
+
+ if (!spnego_state || !spnego_state->sub_sec_security) {
+ gensec_security->want_features |= feature;
+ return;
+ }
+
+ gensec_want_feature(spnego_state->sub_sec_security,
+ feature);
+}
+
static bool gensec_spnego_have_feature(struct gensec_security *gensec_security,
uint32_t feature)
{
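Review bot: When a sub-context exists, gensec_spnego_want_feature forwards the feature to `spnego_state->sub_sec_security` but never records it in the SPNEGO context's own `want_features`. gensec_subcontext_start, as changed in this commit, copies `parent->want_features` into each new sub-context. A signing or sealing request made after the first mechanism was started would therefore presumably be missing if SPNEGO later starts another mechanism. Setting `gensec_security->want_features |= feature;` unconditionally, before the forwarding call, keeps the parent mask authoritative.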
@@ -1133,6 +1147,7 @@ static const struct gensec_security_ops gensec_spnego_security_ops = {
.unwrap_packets = gensec_spnego_unwrap_packets,
.session_key = gensec_spnego_session_key,
.session_info = gensec_spnego_session_info,
+ .want_feature = gensec_spnego_want_feature,
.have_feature = gensec_spnego_have_feature,
.enabled = true,
.priority = GENSEC_SPNEGO
diff --git a/source4/auth/kerberos/kerberos.c b/source4/auth/kerberos/kerberos.c
index 2579ab20cc..d54664fe66 100644
--- a/source4/auth/kerberos/kerberos.c
+++ b/source4/auth/kerberos/kerberos.c
@@ -33,7 +33,7 @@
This version is built to use a keyblock, rather than needing the
original password.
*/
- int kerberos_kinit_keyblock_cc(krb5_context ctx, krb5_ccache cc,
+ krb5_error_code kerberos_kinit_keyblock_cc(krb5_context ctx, krb5_ccache cc,
krb5_principal principal, krb5_keyblock *keyblock,
time_t *expire_time, time_t *kdc_time)
{
@@ -77,7 +77,7 @@
simulate a kinit, putting the tgt in the given credentials cache.
Orignally by remus@snapserver.com
*/
- int kerberos_kinit_password_cc(krb5_context ctx, krb5_ccache cc,
+ krb5_error_code kerberos_kinit_password_cc(krb5_context ctx, krb5_ccache cc,
krb5_principal principal, const char *password,
time_t *expire_time, time_t *kdc_time)
{
diff --git a/source4/auth/kerberos/kerberos_util.c b/source4/auth/kerberos/kerberos_util.c
index 9002715065..0567565d33 100644
--- a/source4/auth/kerberos/kerberos_util.c
+++ b/source4/auth/kerberos/kerberos_util.c
@@ -32,7 +32,7 @@ struct principal_container {
krb5_principal principal;
};
-static int free_principal(struct principal_container *pc)
+static krb5_error_code free_principal(struct principal_container *pc)
{
/* current heimdal - 0.6.3, which we need anyway, fixes segfaults here */
krb5_free_principal(pc->smb_krb5_context->krb5_context, pc->principal);
@@ -241,19 +241,17 @@ static krb5_error_code salt_principal_from_credentials(TALLOC_CTX *parent_ctx,
return 0;
}
-static int free_keytab(struct keytab_container *ktc)
+static krb5_error_code free_keytab(struct keytab_container *ktc)
{
- krb5_kt_close(ktc->smb_krb5_context->krb5_context, ktc->keytab);
-
- return 0;
+ return krb5_kt_close(ktc->smb_krb5_context->krb5_context, ktc->keytab);
}
-int smb_krb5_open_keytab(TALLOC_CTX *mem_ctx,
+krb5_error_code smb_krb5_open_keytab(TALLOC_CTX *mem_ctx,
struct smb_krb5_context *smb_krb5_context,
const char *keytab_name, struct keytab_container **ktc)
{
krb5_keytab keytab;
- int ret;
+ krb5_error_code ret;
ret = krb5_kt_resolve(smb_krb5_context->krb5_context, keytab_name, &keytab);
if (ret) {
DEBUG(1,("failed to open krb5 keytab: %s\n",
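Review bot: free_keytab now returns whatever `krb5_kt_close()` returns instead of 0, and its return type becomes `krb5_error_code`. The name and single-argument shape suggest it is registered as a talloc destructor, although the registration is not in the hunk. If so, talloc expects an `int` and treats a return of -1 as a refusal to free, so a close error could leave the keytab container allocated. Keeping the `int` signature, logging a non-zero result with `DEBUG`, and ending with `return 0;` would preserve the cleanup guarantee. The same consideration applies to free_principal and to the smb_krb5_context_destroy_* functions in krb5_init_context.c.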
@@ -339,7 +337,7 @@ static krb5_error_code keytab_add_keys(TALLOC_CTX *parent_ctx,
return 0;
}
-static int create_keytab(TALLOC_CTX *parent_ctx,
+static krb5_error_code create_keytab(TALLOC_CTX *parent_ctx,
struct cli_credentials *machine_account,
struct smb_krb5_context *smb_krb5_context,
const char **enctype_strings,
@@ -603,7 +601,7 @@ static krb5_error_code remove_old_entries(TALLOC_CTX *parent_ctx,
return ret;
}
-int smb_krb5_update_keytab(TALLOC_CTX *parent_ctx,
+krb5_error_code smb_krb5_update_keytab(TALLOC_CTX *parent_ctx,
struct cli_credentials *machine_account,
struct smb_krb5_context *smb_krb5_context,
const char **enctype_strings,
@@ -635,7 +633,7 @@ int smb_krb5_update_keytab(TALLOC_CTX *parent_ctx,
return ret;
}
-int smb_krb5_create_memory_keytab(TALLOC_CTX *parent_ctx,
+krb5_error_code smb_krb5_create_memory_keytab(TALLOC_CTX *parent_ctx,
struct cli_credentials *machine_account,
struct smb_krb5_context *smb_krb5_context,
const char **enctype_strings,
diff --git a/source4/auth/kerberos/krb5_init_context.c b/source4/auth/kerberos/krb5_init_context.c
index 82e42a4560..90b542c4c4 100644
--- a/source4/auth/kerberos/krb5_init_context.c
+++ b/source4/auth/kerberos/krb5_init_context.c
@@ -49,13 +49,13 @@ struct smb_krb5_socket {
krb5_krbhst_info *hi;
};
-static int smb_krb5_context_destroy_1(struct smb_krb5_context *ctx)
+static krb5_error_code smb_krb5_context_destroy_1(struct smb_krb5_context *ctx)
{
krb5_free_context(ctx->krb5_context);
return 0;
}
-static int smb_krb5_context_destroy_2(struct smb_krb5_context *ctx)
+static krb5_error_code smb_krb5_context_destroy_2(struct smb_krb5_context *ctx)
{
/* Otherwise krb5_free_context will try and close what we have already free()ed */
krb5_set_warn_dest(ctx->krb5_context, NULL);
diff --git a/source4/auth/ntlm/auth_server.c b/source4/auth/ntlm/auth_server.c
index bb8773e75e..539ae6aa80 100644
--- a/source4/auth/ntlm/auth_server.c
+++ b/source4/auth/ntlm/auth_server.c
@@ -80,6 +80,7 @@ static NTSTATUS server_get_challenge(struct auth_method_context *ctx, TALLOC_CTX
io.in.workgroup = ""; /* only used with SPNEGO, disabled above */
io.in.options = smb_options;
+ lp_smbcli_session_options(ctx->auth_ctx->lp_ctx, &io.in.session_options);
status = smb_composite_connect(&io, mem_ctx, lp_resolve_context(ctx->auth_ctx->lp_ctx),
ctx->auth_ctx->event_ctx);
diff --git a/source4/auth/ntlm/ntlm_check.c b/source4/auth/ntlm/ntlm_check.c
index 0dbbce0edc..62dec84f1d 100644
--- a/source4/auth/ntlm/ntlm_check.c
+++ b/source4/auth/ntlm/ntlm_check.c
@@ -20,7 +20,7 @@
*/
#include "includes.h"
-#include "lib/crypto/crypto.h"
+#include "../lib/crypto/crypto.h"
#include "librpc/gen_ndr/netlogon.h"
#include "libcli/auth/libcli_auth.h"
#include "param/param.h"
diff --git a/source4/auth/ntlmssp/ntlmssp.c b/source4/auth/ntlmssp/ntlmssp.c
index 0b7f0da9af..cea18c45a7 100644
--- a/source4/auth/ntlmssp/ntlmssp.c
+++ b/source4/auth/ntlmssp/ntlmssp.c
@@ -235,6 +235,10 @@ NTSTATUS gensec_ntlmssp_session_key(struct gensec_security *gensec_security,
{
struct gensec_ntlmssp_state *gensec_ntlmssp_state = (struct gensec_ntlmssp_state *)gensec_security->private_data;
+ if (gensec_ntlmssp_state->expected_state != NTLMSSP_DONE) {
+ return NT_STATUS_NO_USER_SESSION_KEY;
+ }
+
if (!gensec_ntlmssp_state->session_key.data) {
return NT_STATUS_NO_USER_SESSION_KEY;
}
diff --git a/source4/auth/ntlmssp/ntlmssp_client.c b/source4/auth/ntlmssp/ntlmssp_client.c
index 891761860c..eb990dee9c 100644
--- a/source4/auth/ntlmssp/ntlmssp_client.c
+++ b/source4/auth/ntlmssp/ntlmssp_client.c
@@ -24,7 +24,7 @@
#include "includes.h"
#include "auth/ntlmssp/ntlmssp.h"
#include "auth/ntlmssp/msrpc_parse.h"
-#include "lib/crypto/crypto.h"
+#include "../lib/crypto/crypto.h"
#include "libcli/auth/libcli_auth.h"
#include "auth/credentials/credentials.h"
#include "auth/gensec/gensec.h"
diff --git a/source4/auth/ntlmssp/ntlmssp_server.c b/source4/auth/ntlmssp/ntlmssp_server.c
index 838596ee98..ad1ee8e871 100644
--- a/source4/auth/ntlmssp/ntlmssp_server.c
+++ b/source4/auth/ntlmssp/ntlmssp_server.c
@@ -24,8 +24,7 @@
#include "includes.h"
#include "auth/ntlmssp/ntlmssp.h"
#include "auth/ntlmssp/msrpc_parse.h"
-#include "lib/crypto/crypto.h"
-#include "system/filesys.h"
+#include "../lib/crypto/crypto.h"
#include "libcli/auth/libcli_auth.h"
#include "auth/credentials/credentials.h"
#include "auth/gensec/gensec.h"
@@ -125,8 +124,6 @@ NTSTATUS ntlmssp_server_negotiate(struct gensec_security *gensec_security,
{
struct gensec_ntlmssp_state *gensec_ntlmssp_state = (struct gensec_ntlmssp_state *)gensec_security->private_data;
DATA_BLOB struct_blob;
- char dnsname[MAXHOSTNAMELEN], dnsdomname[MAXHOSTNAMELEN];
- const char *p;
uint32_t neg_flags = 0;
uint32_t ntlmssp_command, chal_flags;
const uint8_t *cryptkey;
@@ -183,25 +180,24 @@ NTSTATUS ntlmssp_server_negotiate(struct gensec_security *gensec_security,
gensec_ntlmssp_state->chal = data_blob_talloc(gensec_ntlmssp_state, cryptkey, 8);
gensec_ntlmssp_state->internal_chal = data_blob_talloc(gensec_ntlmssp_state, cryptkey, 8);
- dnsname[0] = '\0';
- if (gethostname(dnsname, sizeof(dnsname)) == -1) {
- DEBUG(0,("gethostname failed\n"));
- return NT_STATUS_UNSUCCESSFUL;
- }
-
- /* This should be a 'netbios domain -> DNS domain' mapping */
- p = strchr(dnsname, '.');
- if (p != NULL) {
- safe_strcpy(dnsdomname, p+1, sizeof(dnsdomname));
- strlower_m(dnsdomname);
- } else {
- dnsdomname[0] = '\0';
- }
-
/* This creates the 'blob' of names that appears at the end of the packet */
- if (chal_flags & NTLMSSP_CHAL_TARGET_INFO)
- {
+ if (chal_flags & NTLMSSP_CHAL_TARGET_INFO) {
+ char dnsdomname[MAXHOSTNAMELEN], dnsname[MAXHOSTNAMELEN];
const char *target_name_dns = "";
+
+ /* Find out the DNS domain name */
+ dnsdomname[0] = '\0';
+ safe_strcpy(dnsdomname, lp_realm(gensec_security->lp_ctx), sizeof(dnsdomname) - 1);
+ strlower_m(dnsdomname);
+
+ /* Find out the DNS host name */
+ safe_strcpy(dnsname, gensec_ntlmssp_state->server_name, sizeof(dnsname) - 1);
+ if (dnsdomname[0] != '\0') {
+ safe_strcat(dnsname, ".", sizeof(dnsname) - 1);
+ safe_strcat(dnsname, dnsdomname, sizeof(dnsname) - 1);
+ }
+ strlower_m(dnsname);
+
if (chal_flags |= NTLMSSP_TARGET_TYPE_DOMAIN) {
target_name_dns = dnsdomname;
} else if (chal_flags |= NTLMSSP_TARGET_TYPE_SERVER) {
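Review bot: The two conditions right after the new name-building code, `if (chal_flags |= NTLMSSP_TARGET_TYPE_DOMAIN)` and `else if (chal_flags |= NTLMSSP_TARGET_TYPE_SERVER)`, assign instead of test. The first is always true, so `target_name_dns` is always `dnsdomname`, the SERVER branch is unreachable, and the DOMAIN bit is forced into `chal_flags`. These lines are unchanged context, but the commit reworks the block around them without fixing them. They should read `if (chal_flags & NTLMSSP_TARGET_TYPE_DOMAIN)` and `else if (chal_flags & NTLMSSP_TARGET_TYPE_SERVER)`. The block continues past the end of the hunk.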
@@ -221,7 +217,7 @@ NTSTATUS ntlmssp_server_negotiate(struct gensec_security *gensec_security,
}
{
- /* Marshel the packet in the right format, be it unicode or ASCII */
+ /* Marshal the packet in the right format, be it unicode or ASCII */
const char *gen_string;
if (gensec_ntlmssp_state->unicode) {
gen_string = "CdUdbddB";
diff --git a/source4/auth/ntlmssp/ntlmssp_sign.c b/source4/auth/ntlmssp/ntlmssp_sign.c
index 063b16f539..49ed48df98 100644
--- a/source4/auth/ntlmssp/ntlmssp_sign.c
+++ b/source4/auth/ntlmssp/ntlmssp_sign.c
@@ -23,7 +23,7 @@
#include "auth/auth.h"
#include "auth/ntlmssp/ntlmssp.h"
#include "auth/ntlmssp/msrpc_parse.h"
-#include "lib/crypto/crypto.h"
+#include "../lib/crypto/crypto.h"
#include "auth/credentials/credentials.h"
#include "auth/gensec/gensec.h"
#include "param/param.h"