Age | Commit message (Collapse) | Author | Files | Lines |
|
Found by the CodeNomicon test suites at the SNIA plugfest.
http://www.codenomicon.com/
If an invalid SPNEGO packet contains no OIDs we crash in the SMB1/SMB2 server
as we indirect the first returned value OIDs[0], which is returned as NULL.
Jeremy.
|
|
<andreas.moroder@gmx.net>".
Jeremy.
|
|
Guenther
|
|
contexts.
Jeremy.
|
|
context tallocs.
Jeremy.
|
|
use of malloc, and data_blob().
Jeremy.
|
|
as this correctly describes what this function does.
Jeremy.
|
|
but a TokenInit one.
Move to using spnego_gen_negTokenInit() instead.
Jeremy
|
|
We now have one function to do this in all calling code. More rationalization
to follow.
Jeremy.
|
|
negTokenInit's here. Use common code in spnego_parse_negTokenInit().
Jeremy.
|
|
All the members are children of ntlmssp_state anyway.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
|
|
This ensures the results can't be easily left to leak.
Andrew Bartlett
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Günther Deschner <gd@samba.org>
|
|
The code is not yet in common, but I hope to fix that soon.
Andrew Bartlett
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Günther Deschner <gd@samba.org>
|
|
If server requires LDAP signing we're getting LDAP_STRONG_AUTH_REQUIRED,
if "client ldap sasl wrapping = plain", instead of failing we now
autoupgrade to "client ldap sasl wrapping = sign" for the given connection.
metze
|
|
Inspired by the NTLMSSP merge work by Andrew Bartlett.
metze
Signed-off-by: Günther Deschner <gd@samba.org>
|
|
Andrew Bartlett
|
|
Guenther
|
|
Guenther
|
|
"status" was used uninitialized on success -- metze, please check
(This used to be commit a0859529c853ffb756b1deee946923b6fff6136e)
|
|
metze
(This used to be commit b55b19190d9c1199be13727a75a5936d6f5f15a8)
|
|
bugs in various places whilst doing this (places that assumed
BOOL == int). I also need to fix the Samba4 pidl generation
(next checkin).
Jeremy.
(This used to be commit f35a266b3cbb3e5fa6a86be60f34fe340a3ca71f)
|
|
(This used to be commit 3e155b249e03cc9f7bd0cbf3a3ab8a57536bf0ce)
|
|
The translate_name() used by cli_session_setup_spnego() cann rely
Winbindd since it is needed by the join process (and hence before
Winbind can be run).
(This used to be commit 00a93ed336c5f36643e6e33bd277608eaf05677c)
|
|
and client fixes. Patch from Todd Stetcher <todd.stetcher@isilon.com>.
(This used to be commit 8304ccba7346597425307e260e88647e49081f68)
|
|
warnings
for clock-skew errors.
Guenther
(This used to be commit 53c99d415d605ab03e3646f6096aff794457dd33)
|
|
The gss_import_name() broke as we switched from the internal MIT OID
"gss_nt_krb5_principal" to "GSS_KRB5_NT_PRINCIPAL_NAME" and didn't switch from
passing the krb5_principal (or better: a pointer to that, see MIT's "*HORRIBLE*
bug") to pass the string principal directly.
Jerry, Jeremy, neither I could figure out the need of passing in a
krb5_principal at all nor could I reproduce the crash you were seeing.
I sucessfully tested the code (now importing a string) with MIT 1.2.7, 1.3.6,
1.4.3, 1.5.1, 1.6.1 and Heimdal 0.7.2, 1.0, 1.0.1.
Guenther
(This used to be commit cb2dc715e33467c8b588161e816e72a948f6860c)
|
|
Guenther
(This used to be commit 2dea9464bba76af4315a8207ccd3e564ec19d146)
|
|
Guenther
(This used to be commit f31949ec3456134de474a0219a8cd5dcd15adea6)
|
|
in the
"not_defined_in_RFC4178@please_ignore" case to make at least LDAP SASL binds
succeed with windows server 2008.
Guenther
(This used to be commit f5b3de4d3069eaa750240e3422bac5cb169b6c0a)
|
|
Heimdal doesn't accept all OIDs and gss_import_name() fails with
GSS_S_BAD_NAMETYPE using this one. Use the GSS_KRB5_NT_PRINCIPAL_NAME OID
instead (which works with at least MIT 1.6.1 and Heimdal 1.0.1).
Guenther
(This used to be commit f783b32b65ee50e3730ae2d039ca04c9fc5a201a)
|
|
- with the "GSSAPI" sasl mech the plain, sign or seal negotiation
is independed from the req_flags and ret_flags
- verify the server supports the wrapping type we want
- better handling on negotiated buffer sizes
metze
(This used to be commit d0ec7323870ca16b28d458ff5f7dacce278b7d54)
|
|
metze
(This used to be commit 29e2d8e044c9213643a2f5f29891ce853a839347)
|
|
metze
(This used to be commit a5e1f9fd293fab26d664a72ee652eb8ca72128b7)
|
|
libraries support wrapping hooks...
metze
(This used to be commit 581a1d3a20ffed42ccc7f35f163fd343ed12ccd3)
|
|
also for the "GSSAPI" sasl mech.
- also use the ads_kinit_password() fallback logic
from the "GSS-SPNEGO" sasl mech.
metze
(This used to be commit cbaf44de1e1f8007dc4ca249791ea30d2902c7c4)
|
|
construct the principal
metze
(This used to be commit b545667d2a45a79bba05c9fe9e93a19951d60af7)
|
|
metze
(This used to be commit 83de27968d434d67d23851b0c285221c870ff75e)
|
|
sign and seal...
metze
(This used to be commit 4a4fc8cccbcbe17eebcefcd0107f7de60d751f5c)
|
|
metze
(This used to be commit 34ab84aceb86195743abd26c46a631640409725e)
|
|
metze
(This used to be commit 85d6cd3dfb5cbd9e899957265e352583ff608ed4)
|
|
(This used to be commit 8716edf157bf8866328f82eb6cf25e71af7fea15)
|
|
NOTE: only for the "GSSAPI" SASL mech yet
metze
(This used to be commit a079b66384b15e9d569dded0d9d6bd830e1a6dfa)
|
|
NOTE: windows servers are broken with sign only...
metze
(This used to be commit 408bb2e6e2171196a2bd314db181d9b124e931a1)
|
|
metze
(This used to be commit 2075c05b3d8baa7d6d8510cd962471a5781740a6)
|
|
substructure.
metze
(This used to be commit 00909194a6c1ed193dfdb296f50f58a53450583c)
|
|
(This used to be commit b0132e94fc5fef936aa766fb99a306b3628e9f07)
|
|
Jeremy.
(This used to be commit 407e6e695b8366369b7c76af1ff76869b45347b3)
|
|
replace all data_blob(NULL, 0) calls.
(This used to be commit 3d3d61687ef00181f4f04e001d42181d93ac931e)
|
|
because we try "GSS-SPNEGO" first and all windows version support
that.
metze
(This used to be commit 34a5badbded0b2537ee854287931e2a7dc3aeb37)
|
|
not specific for NTLMSSP
- it's possible that the server sends a mechOID and authdata
if negResult != SPNEGO_NEG_RESULT_INCOMPLETE, but we still
force the mechOID to be present if negResult == SPNEGO_NEG_RESULT_INCOMPLETE
metze
(This used to be commit e9f2aa22f90208a5e530ef3b68664151960a0a22)
|