path: root/auth/gensec
Age | Commit message | Author | Files | Lines
2013-09-19 | gensec: move schannel module to toplevel. | Günther Deschner | 2 | -0/+338
Guenther Signed-off-by: Günther Deschner <gd@samba.org> Pair-Programmed-With: Andreas Schneider <asn@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
2013-09-18 | Add SASL/EXTERNAL gensec module | Howard Chu | 3 | -1/+91
Signed-off-by: Howard Chu <hyc@symas.com> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Nadezhda Ivanova <nivanova@symas.com>
2013-09-16 | auth/credentials: Add cli_credentials_{set,get}_forced_sasl_mech() | Andrew Bartlett | 1 | -0/+14
This will allow us to force the use of only DIGEST-MD5, for example, which is useful to avoid hitting GSSAPI, SPNEGO or NTLM when talking to OpenLDAP and Cyrus-SASL. Andrew Bartlett Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Nadezhda Ivanova <nivanova@symas.com>
2013-08-19 | gensec: Fix CID 1063258 Uninitialized scalar variable | Volker Lendecke | 1 | -0/+1
Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-08-10 | auth/gensec: treat struct gensec_security_ops as const if possible. | Stefan Metzmacher | 3 | -34/+40
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-08-10 | auth/gensec: use 'const char * const *' for function parameters | Stefan Metzmacher | 3 | -3/+3
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-08-10 | auth/gensec: make it possible to implement async backends | Stefan Metzmacher | 2 | -49/+160
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-08-10 | auth/gensec: avoid talloc_reference in gensec_security_mechs() | Stefan Metzmacher | 1 | -18/+9
We now always copy. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-08-10 | auth/gensec: avoid talloc_reference in gensec_use_kerberos_mechs() | Stefan Metzmacher | 1 | -18/+20
We now always copy. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-08-10 | auth/gensec: introduce gensec_internal.h | Stefan Metzmacher | 6 | -96/+135
We should treat most gensec related structures private. It's a long way, but this is a start. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-08-10 | auth/gensec: add gensec_security_by_auth_type() | Stefan Metzmacher | 2 | -0/+29
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-08-10 | auth/gensec: first check GENSEC_FEATURE_SESSION_KEY before returning NOT_IMPLEMENTED | Stefan Metzmacher | 1 | -3/+4
Prefer NT_STATUS_NO_USER_SESSION_KEY as return value of gensec_session_key(). Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-05-15 | gensec: Make gensec_security_oids_from_ops static | Volker Lendecke | 1 | -4/+5
Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org> Autobuild-User(master): Jeremy Allison <jra@samba.org> Autobuild-Date(master): Wed May 15 20:05:34 CEST 2013 on sn-devel-104
2013-05-15 | gensec: Make gensec_security_by_sasl_list static | Volker Lendecke | 1 | -3/+4
Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
2013-05-15 | gensec: Make gensec_interface_version public | Volker Lendecke | 2 | -1/+2
Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
2013-01-24 | gensec: Allow login without a PAC by default (bug #9581) | Andrew Bartlett | 1 | -1/+1
The sense of this test was inverted. We only want to take the ACCESS_DENIED error if gensec:require_pac=true. Andrew Bartlett Reviewed-by: Stefan Metzmacher <metze@samba.org>
2012-09-20 | auth: Fix some nonempty blank lines | Volker Lendecke | 1 | -61/+59
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2012-07-03 | auth/gensec: Remove unused gensec_security parameter | Andrew Bartlett | 1 | -6/+3
2012-05-17 | auth/gensec: implement gensec_spnego_expire_time() | Stefan Metzmacher | 1 | -0/+12
metze
2012-05-17 | auth/gensec: add gensec_expire_time() | Stefan Metzmacher | 2 | -0/+12
metze
2012-04-12 | auth-krb: Move oid packet check to gensec_util. | Simo Sorce | 3 | -1/+47
This is clearly a utility function generic to gensec. Also the 3 callers had identical implementations. Provide a generic implementation for all of them and avoid duplicating the code everywhere. Signed-off-by: Andreas Schneider <asn@samba.org>
2012-04-12 | gensec_gssapi: keep private header file close to the actual code | Simo Sorce | 1 | -70/+0
Signed-off-by: Andreas Schneider <asn@samba.org>
2012-03-15 | auth/gensec_gssapi: gss_krb5_lucid_context_v1_t is not shared with the gse code anymore | Stefan Metzmacher | 1 | -1/+1
metze Autobuild-User: Stefan Metzmacher <metze@samba.org> Autobuild-Date: Thu Mar 15 09:16:16 CET 2012 on sn-devel-104
2012-02-17 | auth: Allow the netbios name and domain to be set from winbindd in ntlm_auth3 | Andrew Bartlett | 1 | -0/+2
Signed-off-by: Stefan Metzmacher <metze@samba.org> Autobuild-User: Stefan Metzmacher <metze@samba.org> Autobuild-Date: Fri Feb 17 12:18:51 CET 2012 on sn-devel-104
2012-02-17 | auth: Provide a way to specify the NTLMSSP server name to GENSEC | Andrew Bartlett | 1 | -0/+4
This avoids us needing to assume lp_netbios_name().lp_dnsdomain() if the caller knows better. This will allow preservation of current s3 behaviour. Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-02-10 | gensec: explain gensec_use_kerberos_mechs() logic | Andrew Bartlett | 1 | -1/+16
Autobuild-User: Andrew Bartlett <abartlet@samba.org> Autobuild-Date: Fri Feb 10 12:36:23 CET 2012 on sn-devel-104
2012-02-10 | gensec: set flag to continue in outer for loop in gensec_use_kerberos_mechs | Andrew Bartlett | 1 | -1/+5
This should be the correct fix for the valgrind error Volker found in 744ed53a62037a659133ccd4de2065491208ae7d. This fix avoids putting SPNEGO into the list twice when we are in the CRED_DONT_USE_KERBEROS case. Andrew Bartlett
2012-02-10 | Revert "gensec: Fix a memory corruption in gensec_use_kerberos_mechs" | Andrew Bartlett | 1 | -2/+1
This reverts commit 744ed53a62037a659133ccd4de2065491208ae7d. The real bug here is that the second half of the outer loop should not have been run once we found spnego. Andrew Bartlett
2012-02-09 | gensec: Fix a memory corruption in gensec_use_kerberos_mechs | Volker Lendecke | 1 | -1/+2
Without this I get the following valgrind error:
==27740== Invalid write of size 8
==27740==    at 0x62C53E: gensec_use_kerberos_mechs (gensec_start.c:112)
==27740==    by 0x62C623: gensec_security_mechs (gensec_start.c:141)
==27740==    by 0x62C777: gensec_security_by_oid (gensec_start.c:181)
==27740==    by 0x62DD6E: gensec_start_mech_by_oid (gensec_start.c:735)
==27740==    by 0x50D6FD: negprot_spnego (negprot.c:210)
==27740==    by 0x5B0DEA: smbd_smb2_request_process_negprot (smb2_negprot.c:209)
==27740==    by 0x5AD036: smbd_smb2_request_dispatch (smb2_server.c:1417)
==27740==    by 0x5AFB77: smbd_smb2_first_negprot (smb2_server.c:2643)
==27740==    by 0x585C00: process_smb (process.c:1641)
==27740==    by 0x587F78: smbd_server_connection_read_handler (process.c:2314)
==27740==    by 0x587FD6: smbd_server_connection_handler (process.c:2331)
==27740==    by 0x99E05B: run_events_poll (events.c:286)
==27740==    by 0x584AFF: smbd_server_connection_loop_once (process.c:984)
==27740==    by 0x58B2D9: smbd_process (process.c:3389)
==27740==    by 0xDE4CA8: smbd_accept_connection (server.c:469)
==27740==    by 0x99E05B: run_events_poll (events.c:286)
==27740==    by 0x99E2D5: s3_event_loop_once (events.c:349)
==27740==    by 0x99F990: _tevent_loop_once (tevent.c:504)
==27740==    by 0xDE5A9B: smbd_parent_loop (server.c:869)
==27740==    by 0xDE6DD8: main (server.c:1413)
==27740==  Address 0x9ff3538 is 4,232 bytes inside a block of size 8,288 alloc'd
==27740==    at 0x4C261D7: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==27740==    by 0x6926965: __talloc (talloc.c:560)
==27740==    by 0x6926771: talloc_pool (talloc.c:598)
==27740==    by 0x93B927: talloc_stackframe_internal (talloc_stack.c:145)
==27740==    by 0x93B9D6: talloc_stackframe_pool (talloc_stack.c:171)
==27740==    by 0x58B2B7: smbd_process (process.c:3385)
==27740==    by 0xDE4CA8: smbd_accept_connection (server.c:469)
==27740==    by 0x99E05B: run_events_poll (events.c:286)
==27740==    by 0x99E2D5: s3_event_loop_once (events.c:349)
==27740==    by 0x99F990: _tevent_loop_once (tevent.c:504)
==27740==    by 0xDE5A9B: smbd_parent_loop (server.c:869)
==27740==    by 0xDE6DD8: main (server.c:1413)
In the for-loop we can increment j twice, so we need twice as many output array elements as input array elements.
Autobuild-User: Volker Lendecke <vl@samba.org> Autobuild-Date: Thu Feb 9 19:44:47 CET 2012 on sn-devel-104
2012-01-30 | gensec: inline gensec_generate_session_info() into only caller | Andrew Bartlett | 2 | -34/+0
This avoids casting to and from the struct auth_user_info_dc *user_info_dc to to this, the if (user_info_dc->info->authenticated) is moved into auth_generate_session_info_wrapper(), which is the function that gensec_security->auth_context->generate_session_info points to. Andrew Bartlett
2012-01-25 | auth/gensec_gssapi: sync gensec_gssapi_state with gse_context | Stefan Metzmacher | 1 | -1/+2
Both use gss_krb5_lucid_context_v1_t now. metze Autobuild-User: Stefan Metzmacher <metze@samba.org> Autobuild-Date: Wed Jan 25 10:22:31 CET 2012 on sn-devel-104
2012-01-18 | auth/gensec: align common elements between gse_context and gensec_gssapi_state | Andrew Bartlett | 1 | -3/+5
Signed-off-by: Stefan Metzmacher <metze@samba.org> Autobuild-User: Stefan Metzmacher <metze@samba.org> Autobuild-Date: Wed Jan 18 19:29:40 CET 2012 on sn-devel-104
2012-01-13 | s3:build: add auth/gensec/spnego.o | Stefan Metzmacher | 1 | -0/+2
metze Autobuild-User: Stefan Metzmacher <metze@samba.org> Autobuild-Date: Fri Jan 13 06:32:30 CET 2012 on sn-devel-104
2012-01-13 | auth/gensec: move spnego.c to the toplevel | Stefan Metzmacher | 2 | -0/+1407
metze
2012-01-13 | auth/gensec: common helper functions should be in gensec_util.c | Stefan Metzmacher | 1 | -0/+116
This makes the dependencies easier to handle. metze
2012-01-13 | auth/gensec: add some more functions from gensec_start.c to gensec.h | Stefan Metzmacher | 2 | -16/+37
metze
2012-01-13 | auth/gensec: make sure functions from gensec.c are in gensec.h | Stefan Metzmacher | 2 | -5/+7
metze
2012-01-12 | s4:auth/gensec/spnego: add support for fragmented spnego messages | Stefan Metzmacher | 1 | -1/+1
metze
2012-01-12 | auth/gensec: add gensec_*max_update_size() | Stefan Metzmacher | 3 | -0/+22
This is only a hint for the backend, which may want to fragment update tokens. metze
2012-01-11 | gensec: Make sure to check the optional auth_context hooks before using them | Andrew Bartlett | 1 | -1/+1
These are optional to supply - some callers only provide an auth_context for the other plugin functions, and so we need to deal with this cleanly. Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-01-11 | gensec: Rename want_flags and got_flags in gensec_gssapi | Andrew Bartlett | 1 | -1/+1
This makes it clearer what type of flags these are. Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-01-11 | gensec: make gensec_gssapi.h common | Andrew Bartlett | 1 | -0/+67
This will make it easier to share elements of the GSSAPI gensec mechs, in much the same way elements of the NTLMSSP mech are shared. Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-01-11 | gensec: move gensec_util.c to the top level | Andrew Bartlett | 3 | -1/+110
To do this some defines need to move to common_auth.h Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org>
2011-12-29 | s4-gensec: Move parsing of the PAC blob and creating the session_info into auth | Andrew Bartlett | 1 | -0/+1
This uses a single callback to handle the PAC from the DATA_BLOB format until it becomes a struct auth_session_info. This allows a separation between the GSS acceptor code and the PAC interpretation code based on the supplied auth context. Andrew Bartlett Autobuild-User: Andrew Bartlett <abartlet@samba.org> Autobuild-Date: Thu Dec 29 01:10:59 CET 2011 on sn-devel-104
2011-12-28 | gensec: Allow an alternate set of modules to be specified | Andrew Bartlett | 2 | -1/+11
This will allow s3 to specify modules to use as a list, rather than needing to start the individual module with gensec_start_mech_by_ops() Andrew Bartlett
2011-12-03 | Revert making public of the samba-module library. | Jelmer Vernooij | 2 | -8/+8
This library was tiny - containing just two public functions that were themselves trivial. The amount of overhead this causes isn't really worth the benefits of sharing the code with other projects like OpenChange. In addition, this code isn't really generically useful anyway, as it can only load from the module path set for Samba at configure time. Adding a new library was breaking the API/ABI anyway, so OpenChange had to be updated to cope with the new situation one way or another. I've added a simpler (compatible) routine for loading modules to OpenChange, which is less than 100 lines of code. Autobuild-User: Jelmer Vernooij <jelmer@samba.org> Autobuild-Date: Sat Dec 3 08:36:33 CET 2011 on sn-devel-104
2011-10-28 | lib/util Rename samba_modules_load -> samba_module_init_fns_for_subsystem | Andrew Bartlett | 1 | -1/+1
This is to provide a cleaner namespace in the public samba plugin functions. Andrew Bartlett
2011-10-28 | lib/util Rename samba_init_module_fns_run -> samba_module_init_fns_run | Andrew Bartlett | 1 | -2/+2
This is to provide a cleaner namespace in the public samba plugin functions. Andrew Bartlett
2011-10-28 | lib/util Rename samba_init_module_fn -> samba_module_init_fn | Andrew Bartlett | 1 | -3/+3
This is to provide a cleaner namespace in the public samba plugin functions. Andrew Bartlett
2011-10-28 | lib/util Split samba-modules library into public and private parts | Andrew Bartlett | 2 | -2/+2
This will allow OpenChange to get at the symbols it needs, without exposing any more of this as a public API than we must. Andrew Bartlett