summaryrefslogtreecommitdiff
path: root/source3/libads/sasl.c
AgeCommit message (Collapse)AuthorFilesLines
2011-05-05More simple const fixups.Jeremy Allison1-2/+2
2011-02-11s3-libads: make ads_guess_service_principal static.Günther Deschner1-0/+69
Guenther
2010-12-10s3-libads Default to NOT using the server-supplied principal from SPNEGOAndrew Bartlett1-3/+5
This principal is not supplied by later versions of windows, and using it opens up some oportunities for man in the middle attacks. (Becuase it isn't the name being contacted that is verified with the KDC). This adds the option 'client use spnego principal' to the smb.conf (as used in Samba4) to control this behaivour. As in Samba4, this defaults to false. Against 2008 servers, this will not change behaviour. Against earlier servers, it may cause a downgrade to NTLMSSP more often, in environments where server names are not registered with the KDC as servicePrincipalName values. Andrew Bartlett
2010-09-23Fix bug 7694 - Crash bug with invalid SPNEGO token.Jeremy Allison1-1/+2
Found by the CodeNomicon test suites at the SNIA plugfest. http://www.codenomicon.com/ If an invalid SPNEGO packet contains no OIDs we crash in the SMB1/SMB2 server as we indirect the first returned value OIDs[0], which is returned as NULL. Jeremy.
2010-09-09Fox missing SMB_MALLOC return checks noticed by "Andreas Moroder ↵Jeremy Allison1-3/+13
<andreas.moroder@gmx.net>". Jeremy.
2010-08-05s3: avoid global include of ads.h.Günther Deschner1-0/+2
Guenther
2010-07-20Add approriate TALLOC_CTX's thoughout the spnego code. No more implicit NULL ↵Jeremy Allison1-4/+4
contexts. Jeremy.
2010-07-20Fix one more data_blob -> data_blob_talloc. Move away from implicit NULL ↵Jeremy Allison1-3/+6
context tallocs. Jeremy.
2010-07-20Add TALLOC_CTX argument to spnego_parse_negTokenInit, reduceJeremy Allison1-1/+1
use of malloc, and data_blob(). Jeremy.
2010-07-20Rename spnego_gen_negTokenTarg() -> spnego_gen_krb5_negTokenInit()Jeremy Allison1-1/+1
as this correctly describes what this function does. Jeremy.
2010-07-20Remove gen_negTokenTarg(), as it's not actually creating a TokenTarg frame, ↵Jeremy Allison1-1/+1
but a TokenInit one. Move to using spnego_gen_negTokenInit() instead. Jeremy
2010-07-19Remove gen_negTokenInit() - change all callers to spnego_gen_negTokenInit().Jeremy Allison1-1/+2
We now have one function to do this in all calling code. More rationalization to follow. Jeremy.
2010-07-19Remove parse_negTokenTarg(), as it's actually incorrect. We're processingJeremy Allison1-1/+1
negTokenInit's here. Use common code in spnego_parse_negTokenInit(). Jeremy.
2010-07-19s3-ntlmssp: Remove ntlmssp_end and let the talloc hierarchy handle it.Simo Sorce1-7/+7
All the members are children of ntlmssp_state anyway. Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2010-05-31s3:ntlmssp Use a TALLOC_CTX for ntlmssp_sign_packet() and ntlmssp_seal_packet()Andrew Bartlett1-1/+5
This ensures the results can't be easily left to leak. Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org> Signed-off-by: Günther Deschner <gd@samba.org>
2010-05-31ntlmssp: Make the ntlmssp.h from source3/ a common headerAndrew Bartlett1-1/+1
The code is not yet in common, but I hope to fix that soon. Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org> Signed-off-by: Günther Deschner <gd@samba.org>
2010-03-30s3:libads: retry with signing after getting LDAP_STRONG_AUTH_REQUIREDStefan Metzmacher1-0/+10
If server requires LDAP signing we're getting LDAP_STRONG_AUTH_REQUIRED, if "client ldap sasl wrapping = plain", instead of failing we now autoupgrade to "client ldap sasl wrapping = sign" for the given connection. metze
2010-03-24s3:ntlmssp: pass names and use_ntlmv2 to ntlmssp_client_start() and store themStefan Metzmacher1-1/+6
Inspired by the NTLMSSP merge work by Andrew Bartlett. metze Signed-off-by: Günther Deschner <gd@samba.org>
2009-12-22s3:ntlmssp: only include ntlmssp.h where actually neededAndrew Bartlett1-0/+1
Andrew Bartlett
2009-09-17spnego: share spnego_parse.Günther Deschner1-0/+1
Guenther
2008-10-22s3: use shared asn1 code.Günther Deschner1-3/+3
Guenther
2008-03-23Fix Coverity ID 488Volker Lendecke1-0/+2
"status" was used uninitialized on success -- metze, please check (This used to be commit a0859529c853ffb756b1deee946923b6fff6136e)
2007-12-06libads: fix typoStefan Metzmacher1-1/+1
metze (This used to be commit b55b19190d9c1199be13727a75a5936d6f5f15a8)
2007-10-18RIP BOOL. Convert BOOL -> bool. I found a few interestingJeremy Allison1-2/+2
bugs in various places whilst doing this (places that assumed BOOL == int). I also need to fix the Samba4 pidl generation (next checkin). Jeremy. (This used to be commit f35a266b3cbb3e5fa6a86be60f34fe340a3ca71f)
2007-10-10r25422: Get rid of some cast warnings.Michael Adam1-3/+3
(This used to be commit 3e155b249e03cc9f7bd0cbf3a3ab8a57536bf0ce)
2007-10-10r25407: Revert Longhorn join patch as it is not correct for the 3.2 tree.Gerald Carter1-3/+1
The translate_name() used by cli_session_setup_spnego() cann rely Winbindd since it is needed by the join process (and hence before Winbind can be run). (This used to be commit 00a93ed336c5f36643e6e33bd277608eaf05677c)
2007-10-10r25400: Windows 2008 (Longhorn) Interop fixes for AD specific auth2 flags,Gerald Carter1-1/+3
and client fixes. Patch from Todd Stetcher <todd.stetcher@isilon.com>. (This used to be commit 8304ccba7346597425307e260e88647e49081f68)
2007-10-10r25328: When using ldap sasl wrapping with gssapi it's important to receive ↵Günther Deschner1-0/+5
warnings for clock-skew errors. Guenther (This used to be commit 53c99d415d605ab03e3646f6096aff794457dd33)
2007-10-10r25133: Fix sasl wrapping (for ldap sign&seal).Günther Deschner1-46/+5
The gss_import_name() broke as we switched from the internal MIT OID "gss_nt_krb5_principal" to "GSS_KRB5_NT_PRINCIPAL_NAME" and didn't switch from passing the krb5_principal (or better: a pointer to that, see MIT's "*HORRIBLE* bug") to pass the string principal directly. Jerry, Jeremy, neither I could figure out the need of passing in a krb5_principal at all nor could I reproduce the crash you were seeing. I sucessfully tested the code (now importing a string) with MIT 1.2.7, 1.3.6, 1.4.3, 1.5.1, 1.6.1 and Heimdal 0.7.2, 1.0, 1.0.1. Guenther (This used to be commit cb2dc715e33467c8b588161e816e72a948f6860c)
2007-10-10r25109: Remove obsolete argument from ads_guess_service_principal().Günther Deschner1-3/+2
Guenther (This used to be commit 2dea9464bba76af4315a8207ccd3e564ec19d146)
2007-10-10r25108: Make ifdef labyrinth in sasl code a bit more readable.Günther Deschner1-2/+2
Guenther (This used to be commit f31949ec3456134de474a0219a8cd5dcd15adea6)
2007-10-10r24804: As a temporary workaround, also try to guess the server's principal ↵Günther Deschner1-41/+12
in the "not_defined_in_RFC4178@please_ignore" case to make at least LDAP SASL binds succeed with windows server 2008. Guenther (This used to be commit f5b3de4d3069eaa750240e3422bac5cb169b6c0a)
2007-10-10r24251: Neverending fun:Günther Deschner1-1/+1
Heimdal doesn't accept all OIDs and gss_import_name() fails with GSS_S_BAD_NAMETYPE using this one. Use the GSS_KRB5_NT_PRINCIPAL_NAME OID instead (which works with at least MIT 1.6.1 and Heimdal 1.0.1). Guenther (This used to be commit f783b32b65ee50e3730ae2d039ca04c9fc5a201a)
2007-10-10r24131: - make it more clear what the different min and max fields meanStefan Metzmacher1-33/+44
- with the "GSSAPI" sasl mech the plain, sign or seal negotiation is independed from the req_flags and ret_flags - verify the server supports the wrapping type we want - better handling on negotiated buffer sizes metze (This used to be commit d0ec7323870ca16b28d458ff5f7dacce278b7d54)
2007-10-10r24128: fix double free in error pathStefan Metzmacher1-6/+7
metze (This used to be commit 29e2d8e044c9213643a2f5f29891ce853a839347)
2007-10-10r24104: fix the build, sorry...Stefan Metzmacher1-3/+4
metze (This used to be commit a5e1f9fd293fab26d664a72ee652eb8ca72128b7)
2007-10-10r24103: add some useful debug messages, as not all LDAPStefan Metzmacher1-3/+19
libraries support wrapping hooks... metze (This used to be commit 581a1d3a20ffed42ccc7f35f163fd343ed12ccd3)
2007-10-10r24098: - make use of the ads_service_principal abstractionStefan Metzmacher1-61/+32
also for the "GSSAPI" sasl mech. - also use the ads_kinit_password() fallback logic from the "GSS-SPNEGO" sasl mech. metze (This used to be commit cbaf44de1e1f8007dc4ca249791ea30d2902c7c4)
2007-10-10r24095: add one more fallback alternative toStefan Metzmacher1-0/+20
construct the principal metze (This used to be commit b545667d2a45a79bba05c9fe9e93a19951d60af7)
2007-10-10r24093: move gssapi/krb5 principal handling into a functionStefan Metzmacher1-88/+146
metze (This used to be commit 83de27968d434d67d23851b0c285221c870ff75e)
2007-10-10r24062: fix logic for broken krb5 libs which always forceStefan Metzmacher1-1/+2
sign and seal... metze (This used to be commit 4a4fc8cccbcbe17eebcefcd0107f7de60d751f5c)
2007-10-10r24042: add support for krb5 sign and seal in LDAP via "GSS-SPNEGO"Stefan Metzmacher1-1/+309
metze (This used to be commit 34ab84aceb86195743abd26c46a631640409725e)
2007-10-10r24037: only setup sasl wrapping after a successful bindStefan Metzmacher1-2/+4
metze (This used to be commit 85d6cd3dfb5cbd9e899957265e352583ff608ed4)
2007-10-10r23953: Some C++ warningsVolker Lendecke1-3/+6
(This used to be commit 8716edf157bf8866328f82eb6cf25e71af7fea15)
2007-10-10r23948: add gsskrb5 sign and seal support for LDAP connectionsStefan Metzmacher1-5/+135
NOTE: only for the "GSSAPI" SASL mech yet metze (This used to be commit a079b66384b15e9d569dded0d9d6bd830e1a6dfa)
2007-10-10r23946: add support for NTLMSSP sign and sealStefan Metzmacher1-1/+122
NOTE: windows servers are broken with sign only... metze (This used to be commit 408bb2e6e2171196a2bd314db181d9b124e931a1)
2007-10-10r23945: add infrastructure to select plain, sign or seal LDAP connectionStefan Metzmacher1-0/+8
metze (This used to be commit 2075c05b3d8baa7d6d8510cd962471a5781740a6)
2007-10-10r23888: move elements belonging to the current ldap connection to aStefan Metzmacher1-6/+6
substructure. metze (This used to be commit 00909194a6c1ed193dfdb296f50f58a53450583c)
2007-10-10r23784: use the GPLv3 boilerplate as recommended by the FSF and the license textAndrew Tridgell1-2/+1
(This used to be commit b0132e94fc5fef936aa766fb99a306b3628e9f07)
2007-10-10r23779: Change from v2 or later to v3 or later.Jeremy Allison1-1/+1
Jeremy. (This used to be commit 407e6e695b8366369b7c76af1ff76869b45347b3)