summaryrefslogtreecommitdiff
path: root/auth
AgeCommit message (Collapse)AuthorFilesLines
2012-02-10credentials: Show returned error_string in debug messageAndrew Bartlett1-2/+2
2012-02-09gensec: Fix a memory corruption in gensec_use_kerberos_mechsVolker Lendecke1-1/+2
Without this I get the following valgrind error: ==27740== Invalid write of size 8 ==27740== at 0x62C53E: gensec_use_kerberos_mechs (gensec_start.c:112) ==27740== by 0x62C623: gensec_security_mechs (gensec_start.c:141) ==27740== by 0x62C777: gensec_security_by_oid (gensec_start.c:181) ==27740== by 0x62DD6E: gensec_start_mech_by_oid (gensec_start.c:735) ==27740== by 0x50D6FD: negprot_spnego (negprot.c:210) ==27740== by 0x5B0DEA: smbd_smb2_request_process_negprot (smb2_negprot.c:209) ==27740== by 0x5AD036: smbd_smb2_request_dispatch (smb2_server.c:1417) ==27740== by 0x5AFB77: smbd_smb2_first_negprot (smb2_server.c:2643) ==27740== by 0x585C00: process_smb (process.c:1641) ==27740== by 0x587F78: smbd_server_connection_read_handler (process.c:2314) ==27740== by 0x587FD6: smbd_server_connection_handler (process.c:2331) ==27740== by 0x99E05B: run_events_poll (events.c:286) ==27740== by 0x584AFF: smbd_server_connection_loop_once (process.c:984) ==27740== by 0x58B2D9: smbd_process (process.c:3389) ==27740== by 0xDE4CA8: smbd_accept_connection (server.c:469) ==27740== by 0x99E05B: run_events_poll (events.c:286) ==27740== by 0x99E2D5: s3_event_loop_once (events.c:349) ==27740== by 0x99F990: _tevent_loop_once (tevent.c:504) ==27740== by 0xDE5A9B: smbd_parent_loop (server.c:869) ==27740== by 0xDE6DD8: main (server.c:1413) ==27740== Address 0x9ff3538 is 4,232 bytes inside a block of size 8,288 alloc'd ==27740== at 0x4C261D7: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so) ==27740== by 0x6926965: __talloc (talloc.c:560) ==27740== by 0x6926771: talloc_pool (talloc.c:598) ==27740== by 0x93B927: talloc_stackframe_internal (talloc_stack.c:145) ==27740== by 0x93B9D6: talloc_stackframe_pool (talloc_stack.c:171) ==27740== by 0x58B2B7: smbd_process (process.c:3385) ==27740== by 0xDE4CA8: smbd_accept_connection (server.c:469) ==27740== by 0x99E05B: run_events_poll (events.c:286) ==27740== by 0x99E2D5: s3_event_loop_once (events.c:349) ==27740== by 0x99F990: _tevent_loop_once (tevent.c:504) ==27740== by 0xDE5A9B: smbd_parent_loop (server.c:869) ==27740== by 0xDE6DD8: main (server.c:1413) In the for-loop we can increment j twice, so we need twice as many output array elements as input array elements. Autobuild-User: Volker Lendecke <vl@samba.org> Autobuild-Date: Thu Feb 9 19:44:47 CET 2012 on sn-devel-104
2012-02-08auth: rename ntlmssp.c to ntlmssp_util.cAndrew Bartlett2-1/+1
2012-01-30gensec: inline gensec_generate_session_info() into only callerAndrew Bartlett2-34/+0
This avoids casting to and from the struct auth_user_info_dc *user_info_dc to to this, the if (user_info_dc->info->authenticated) is moved into auth_generate_session_info_wrapper(), which is the function that gensec_security->auth_context->generate_session_info points to. Andrew Bartlett
2012-01-30auth: Make check_password and generate_session_info hook genericAndrew Bartlett2-6/+4
gensec_ntlmssp does not need to know the internal form of the struct user_info_dc or auth_serversupplied_info. This will allow the calling logic to be put in common. Andrew Bartlett
2012-01-29auth: provide private pointer and do not return original PAC signaturesAndrew Bartlett1-0/+3
There is no need to return the PAC signatures via the special-purpose torture element. Instead, use a private pointer on the auth_context in conjunction with the private PAC processing method. Andrew Bartlett Autobuild-User: Andrew Bartlett <abartlet@samba.org> Autobuild-Date: Sun Jan 29 23:52:50 CET 2012 on sn-devel-104
2012-01-25auth/gensec_gssapi: sync gensec_gssapi_state with gse_contextStefan Metzmacher1-1/+2
Both use gss_krb5_lucid_context_v1_t now. metze Autobuild-User: Stefan Metzmacher <metze@samba.org> Autobuild-Date: Wed Jan 25 10:22:31 CET 2012 on sn-devel-104
2012-01-18auth/gensec: align common elements between gse_context and gensec_gssapi_stateAndrew Bartlett1-3/+5
Signed-off-by: Stefan Metzmacher <metze@samba.org> Autobuild-User: Stefan Metzmacher <metze@samba.org> Autobuild-Date: Wed Jan 18 19:29:40 CET 2012 on sn-devel-104
2012-01-13s3:build: add auth/gensec/spnego.oStefan Metzmacher1-0/+2
metze Autobuild-User: Stefan Metzmacher <metze@samba.org> Autobuild-Date: Fri Jan 13 06:32:30 CET 2012 on sn-devel-104
2012-01-13auth/gensec: move spnego.c to the toplevelStefan Metzmacher2-0/+1407
metze
2012-01-13auth/gensec: common helper functions should be in gensec_util.cStefan Metzmacher1-0/+116
This makes the dependencies easier to handle. metze
2012-01-13auth/gensec: add some more functions from gensec_start.c to gensec.hStefan Metzmacher2-16/+37
metze
2012-01-13auth/gensec: make sure functions from gensec.c are in gensec.hStefan Metzmacher2-5/+7
metze
2012-01-12s4:auth/gensec/spnego: add support for fragmented spnego messagesStefan Metzmacher1-1/+1
metze
2012-01-12auth/gensec: add gensec_*max_update_size()Stefan Metzmacher3-0/+22
This is only a hint for the backend, which may want to fragment update tokens. metze
2012-01-12auth/kerberos: Remove unused TALLOC_CTX argument to check_pac_checksumAndrew Bartlett1-6/+3
2012-01-11gensec: Make sure to check the optional auth_context hooks before using themAndrew Bartlett1-1/+1
These are optional to supply - some callers only provide an auth_context for the other plugin functions, and so we need to deal with this cleanly. Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-01-11gensec: Rename want_flags and got_flags in gensec_gssapiAndrew Bartlett1-1/+1
This make it clearer what type of flags these are. Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-01-11gensec: make gensec_gssapi.h commonAndrew Bartlett1-0/+67
This will make it easier to share elements of the GSSAPI gensec mechs, in much the same way elements of the NTLMSSP mech are shared. Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-01-11gensec: move gensec_util.c to the top levelAndrew Bartlett4-1/+115
To do this some defines need to move to common_auth.h Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-01-11auth: make auth4_context common to provide access to generate_session_info_pac()Andrew Bartlett1-0/+59
By providing this context, a function pointer for generate_session_info_pac() can be inserted into gensec, allowing the s3 PAC processing in an otherwise more generic gensec module. Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-01-11auth/kerberos: Remove unused headers from gssapi_parse.cAndrew Bartlett1-2/+0
Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-01-09auth/credentials Remove debug that prints in normal operationAndrew Bartlett1-1/+0
The fact that this function is unimplemented is unimportant to the callers as credential caches are not handled via the auth/credentials code in s3. Andrew Bartlett Autobuild-User: Andrew Bartlett <abartlet@samba.org> Autobuild-Date: Mon Jan 9 03:24:36 CET 2012 on sn-devel-104
2011-12-29auth/kerberos: Rename memory contexts for greater clarityAndrew Bartlett1-34/+34
This should better follow the mem_ctx/tmp_ctx pattern used elsewhere in Samba. Thankyou Simo for the suggestion. Andrew Bartlett
2011-12-29s4-gensec: Move parsing of the PAC blob and creating the session_info into authAndrew Bartlett1-0/+1
This uses a single callback to handle the PAC from the DATA_BLOB format until it becomes a struct auth_session_info. This allows a seperation between the GSS acceptor code and the PAC interpretation code based on the supplied auth context. Andrew Bartlett Autobuild-User: Andrew Bartlett <abartlet@samba.org> Autobuild-Date: Thu Dec 29 01:10:59 CET 2011 on sn-devel-104
2011-12-29auth/kerberos: Make pac_data_out in kerberos_decode_pac() optionalAndrew Bartlett1-3/+32
2011-12-28auth/kerberos: Move gssapi_parse.c to the top levelAndrew Bartlett2-2/+121
This will help with writing a gensec module for the s3 gse layer. Andrew Bartlett
2011-12-28credentials: Always honour the return value of E_deshash()Andrew Bartlett1-4/+2
When this returns false, the hash value is not correct as the password could not be converted into an uppercase, 14 char or less ASCII string. Andrew Bartlett
2011-12-28gensec: Allow an alternate set of modules to be specifiedAndrew Bartlett2-1/+11
This will allow s3 to specify modules to use as a list, rather than needing to start the individual module with gensec_start_mech_by_ops() Andrew Bartlett
2011-12-07s4-dns Use match-by-key in GSSAPI server if principal is not specifiedAndrew Bartlett1-3/+9
This allows dlz_bind9 to match on exactly the same key as bind9 itself Andrew Bartlett Autobuild-User: Amitay Isaacs <amitay@samba.org> Autobuild-Date: Wed Dec 7 02:20:10 CET 2011 on sn-devel-104
2011-12-03Revert making public of the samba-module library.Jelmer Vernooij2-8/+8
This library was tiny - containing just two public functions than were themselves trivial. The amount of overhead this causes isn't really worth the benefits of sharing the code with other projects like OpenChange. In addition, this code isn't really generically useful anyway, as it can only load from the module path set for Samba at configure time. Adding a new library was breaking the API/ABI anyway, so OpenChange had to be updated to cope with the new situation one way or another. I've added a simpler (compatible) routine for loading modules to OpenChange, which is less than 100 lines of code. Autobuild-User: Jelmer Vernooij <jelmer@samba.org> Autobuild-Date: Sat Dec 3 08:36:33 CET 2011 on sn-devel-104
2011-11-21Fix a bunch of "warning: variable ‘XXXX’ set but not used ↵Jeremy Allison2-4/+2
[-Wunused-but-set-variable]" warnings from the new gcc. Autobuild-User: Jeremy Allison <jra@samba.org> Autobuild-Date: Mon Nov 21 23:39:08 CET 2011 on sn-devel-104
2011-11-10test: fixed several tests to use samba.testsAndrew Tridgell1-2/+2
this fixes error checking. Test failures were not being detected otherwise Pair-Programmed-With: Amitay Isaacs <amitay@gmail.com>
2011-10-28lib/util Rename samba_modules_load -> samba_module_init_fns_for_subsystemAndrew Bartlett1-1/+1
This is to provide a cleaner namespace in the public samba plugin functions. Andrew Bartlett
2011-10-28lib/util Rename samba_init_module_fns_run -> samba_module_init_fns_runAndrew Bartlett1-2/+2
This is to provide a cleaner namespace in the public samba plugin functions. Andrew Bartlett
2011-10-28lib/util Rename samba_init_module_fn -> samba_module_init_fnAndrew Bartlett1-3/+3
This is to provide a cleaner namespace in the public samba plugin functions. Andrew Bartlett
2011-10-28lib/util Split samba-modules library into public and private partsAndrew Bartlett2-2/+2
This will allow OpenChange to get at the symbols it needs, without exposing any more of this as a public API than we must. Andrew Bartlett
2011-10-28lib/util Rename load_samba_modules -> samba_modules_loadAndrew Bartlett1-1/+1
This is to provide a cleaner namespace in the public samba plugin functions. Andrew Bartlett
2011-10-28lib/util Rename run_init_functions -> samba_init_module_fns_runAndrew Bartlett1-2/+2
This is to provide a cleaner namespace in the public samba plugin functions. Andrew Bartlett
2011-10-28lib/util Rename init_module_fn to samba_init_module_fnAndrew Bartlett1-3/+3
This prepares for making the samba_module.h header public again, for OpenChange. I am keen to avoid too much API namespace pollution if we can.
2011-10-28gensec: Add parinoia about integer wrappingAndrew Bartlett1-0/+7
2011-10-24idl: Improve MS-PAC IDLSimo Sorce1-11/+14
Change some misleading variable names to reflect the actual function. Add missing field name/types previously marked as unkown. Signed-off-by: Günther Deschner <gd@samba.org> Autobuild-User: Günther Deschner <gd@samba.org> Autobuild-Date: Mon Oct 24 19:19:28 CEST 2011 on sn-devel-104
2011-10-24auth/gensec: fix missleading commentStefan Metzmacher1-1/+1
We don't talloc_reference for tsocket_addresses. metze Autobuild-User: Stefan Metzmacher <metze@samba.org> Autobuild-Date: Mon Oct 24 15:29:47 CEST 2011 on sn-devel-104
2011-10-22auth/gensec: replace #if _SAMBA_BUILD_ == 4 by a feature testStefan Metzmacher1-1/+1
metze
2011-10-18gensec: move event context from gensec_*_init() to gensec_update()Andrew Bartlett3-13/+8
This avoids keeping the event context around on a the gensec_security context structure long term. In the Samba3 server, the event context we either supply is a NULL pointer as no server-side modules currently use the event context. Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org>
2011-10-18ntlmssp: Refuse to seal if we did not negotiate to signAndrew Bartlett1-0/+5
Signed-off-by: Stefan Metzmacher <metze@samba.org>
2011-10-18gensec: Refuse to seal if we did not negotiate to signAndrew Bartlett1-0/+3
Signed-off-by: Stefan Metzmacher <metze@samba.org>
2011-10-18gensec: Assert that we have not been subject to a downgrade attack in ↵Andrew Bartlett3-1/+48
DCE/RPC clients Because of the calling convention, this is the best place to assert that we have not been subject to a downgrade attack on the negotiated features. (In DCE/RPC, this isn't a negotiation, the client simply specifies the level of protection that is required). Andrew Bartlett (some formatting fixes) Signed-off-by: Stefan Metzmacher <metze@samba.org>
2011-10-18gensec: an event context is no longer mandetoryAndrew Bartlett1-10/+0
If you do not specify one however, you better know that the modules you are using do not need one! Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org>
2011-10-18ntlmssp: Put members from auth_ntlmssp_state into gensec_ntlmssp_stateAndrew Bartlett1-1/+17
Signed-off-by: Stefan Metzmacher <metze@samba.org>