summaryrefslogtreecommitdiff
path: root/source3/libads/sasl.c
AgeCommit message (Collapse)AuthorFilesLines
2010-09-23Fix bug 7694 - Crash bug with invalid SPNEGO token.Jeremy Allison1-1/+2
Found by the CodeNomicon test suites at the SNIA plugfest. http://www.codenomicon.com/ If an invalid SPNEGO packet contains no OIDs we crash in the SMB1/SMB2 server as we indirect the first returned value OIDs[0], which is returned as NULL. Jeremy.
2010-09-09Fox missing SMB_MALLOC return checks noticed by "Andreas Moroder ↵Jeremy Allison1-3/+13
<andreas.moroder@gmx.net>". Jeremy.
2010-08-05s3: avoid global include of ads.h.Günther Deschner1-0/+2
Guenther
2010-07-20Add approriate TALLOC_CTX's thoughout the spnego code. No more implicit NULL ↵Jeremy Allison1-4/+4
contexts. Jeremy.
2010-07-20Fix one more data_blob -> data_blob_talloc. Move away from implicit NULL ↵Jeremy Allison1-3/+6
context tallocs. Jeremy.
2010-07-20Add TALLOC_CTX argument to spnego_parse_negTokenInit, reduceJeremy Allison1-1/+1
use of malloc, and data_blob(). Jeremy.
2010-07-20Rename spnego_gen_negTokenTarg() -> spnego_gen_krb5_negTokenInit()Jeremy Allison1-1/+1
as this correctly describes what this function does. Jeremy.
2010-07-20Remove gen_negTokenTarg(), as it's not actually creating a TokenTarg frame, ↵Jeremy Allison1-1/+1
but a TokenInit one. Move to using spnego_gen_negTokenInit() instead. Jeremy
2010-07-19Remove gen_negTokenInit() - change all callers to spnego_gen_negTokenInit().Jeremy Allison1-1/+2
We now have one function to do this in all calling code. More rationalization to follow. Jeremy.
2010-07-19Remove parse_negTokenTarg(), as it's actually incorrect. We're processingJeremy Allison1-1/+1
negTokenInit's here. Use common code in spnego_parse_negTokenInit(). Jeremy.
2010-07-19s3-ntlmssp: Remove ntlmssp_end and let the talloc hierarchy handle it.Simo Sorce1-7/+7
All the members are children of ntlmssp_state anyway. Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2010-05-31s3:ntlmssp Use a TALLOC_CTX for ntlmssp_sign_packet() and ntlmssp_seal_packet()Andrew Bartlett1-1/+5
This ensures the results can't be easily left to leak. Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org> Signed-off-by: Günther Deschner <gd@samba.org>
2010-05-31ntlmssp: Make the ntlmssp.h from source3/ a common headerAndrew Bartlett1-1/+1
The code is not yet in common, but I hope to fix that soon. Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org> Signed-off-by: Günther Deschner <gd@samba.org>
2010-03-30s3:libads: retry with signing after getting LDAP_STRONG_AUTH_REQUIREDStefan Metzmacher1-0/+10
If server requires LDAP signing we're getting LDAP_STRONG_AUTH_REQUIRED, if "client ldap sasl wrapping = plain", instead of failing we now autoupgrade to "client ldap sasl wrapping = sign" for the given connection. metze
2010-03-24s3:ntlmssp: pass names and use_ntlmv2 to ntlmssp_client_start() and store themStefan Metzmacher1-1/+6
Inspired by the NTLMSSP merge work by Andrew Bartlett. metze Signed-off-by: Günther Deschner <gd@samba.org>
2009-12-22s3:ntlmssp: only include ntlmssp.h where actually neededAndrew Bartlett1-0/+1
Andrew Bartlett
2009-09-17spnego: share spnego_parse.Günther Deschner1-0/+1
Guenther
2008-10-22s3: use shared asn1 code.Günther Deschner1-3/+3
Guenther
2008-03-23Fix Coverity ID 488Volker Lendecke1-0/+2
"status" was used uninitialized on success -- metze, please check (This used to be commit a0859529c853ffb756b1deee946923b6fff6136e)
2007-12-06libads: fix typoStefan Metzmacher1-1/+1
metze (This used to be commit b55b19190d9c1199be13727a75a5936d6f5f15a8)
2007-10-18RIP BOOL. Convert BOOL -> bool. I found a few interestingJeremy Allison1-2/+2
bugs in various places whilst doing this (places that assumed BOOL == int). I also need to fix the Samba4 pidl generation (next checkin). Jeremy. (This used to be commit f35a266b3cbb3e5fa6a86be60f34fe340a3ca71f)
2007-10-10r25422: Get rid of some cast warnings.Michael Adam1-3/+3
(This used to be commit 3e155b249e03cc9f7bd0cbf3a3ab8a57536bf0ce)
2007-10-10r25407: Revert Longhorn join patch as it is not correct for the 3.2 tree.Gerald Carter1-3/+1
The translate_name() used by cli_session_setup_spnego() cann rely Winbindd since it is needed by the join process (and hence before Winbind can be run). (This used to be commit 00a93ed336c5f36643e6e33bd277608eaf05677c)
2007-10-10r25400: Windows 2008 (Longhorn) Interop fixes for AD specific auth2 flags,Gerald Carter1-1/+3
and client fixes. Patch from Todd Stetcher <todd.stetcher@isilon.com>. (This used to be commit 8304ccba7346597425307e260e88647e49081f68)
2007-10-10r25328: When using ldap sasl wrapping with gssapi it's important to receive ↵Günther Deschner1-0/+5
warnings for clock-skew errors. Guenther (This used to be commit 53c99d415d605ab03e3646f6096aff794457dd33)
2007-10-10r25133: Fix sasl wrapping (for ldap sign&seal).Günther Deschner1-46/+5
The gss_import_name() broke as we switched from the internal MIT OID "gss_nt_krb5_principal" to "GSS_KRB5_NT_PRINCIPAL_NAME" and didn't switch from passing the krb5_principal (or better: a pointer to that, see MIT's "*HORRIBLE* bug") to pass the string principal directly. Jerry, Jeremy, neither I could figure out the need of passing in a krb5_principal at all nor could I reproduce the crash you were seeing. I sucessfully tested the code (now importing a string) with MIT 1.2.7, 1.3.6, 1.4.3, 1.5.1, 1.6.1 and Heimdal 0.7.2, 1.0, 1.0.1. Guenther (This used to be commit cb2dc715e33467c8b588161e816e72a948f6860c)
2007-10-10r25109: Remove obsolete argument from ads_guess_service_principal().Günther Deschner1-3/+2
Guenther (This used to be commit 2dea9464bba76af4315a8207ccd3e564ec19d146)
2007-10-10r25108: Make ifdef labyrinth in sasl code a bit more readable.Günther Deschner1-2/+2
Guenther (This used to be commit f31949ec3456134de474a0219a8cd5dcd15adea6)
2007-10-10r24804: As a temporary workaround, also try to guess the server's principal ↵Günther Deschner1-41/+12
in the "not_defined_in_RFC4178@please_ignore" case to make at least LDAP SASL binds succeed with windows server 2008. Guenther (This used to be commit f5b3de4d3069eaa750240e3422bac5cb169b6c0a)
2007-10-10r24251: Neverending fun:Günther Deschner1-1/+1
Heimdal doesn't accept all OIDs and gss_import_name() fails with GSS_S_BAD_NAMETYPE using this one. Use the GSS_KRB5_NT_PRINCIPAL_NAME OID instead (which works with at least MIT 1.6.1 and Heimdal 1.0.1). Guenther (This used to be commit f783b32b65ee50e3730ae2d039ca04c9fc5a201a)
2007-10-10r24131: - make it more clear what the different min and max fields meanStefan Metzmacher1-33/+44
- with the "GSSAPI" sasl mech the plain, sign or seal negotiation is independed from the req_flags and ret_flags - verify the server supports the wrapping type we want - better handling on negotiated buffer sizes metze (This used to be commit d0ec7323870ca16b28d458ff5f7dacce278b7d54)
2007-10-10r24128: fix double free in error pathStefan Metzmacher1-6/+7
metze (This used to be commit 29e2d8e044c9213643a2f5f29891ce853a839347)
2007-10-10r24104: fix the build, sorry...Stefan Metzmacher1-3/+4
metze (This used to be commit a5e1f9fd293fab26d664a72ee652eb8ca72128b7)
2007-10-10r24103: add some useful debug messages, as not all LDAPStefan Metzmacher1-3/+19
libraries support wrapping hooks... metze (This used to be commit 581a1d3a20ffed42ccc7f35f163fd343ed12ccd3)
2007-10-10r24098: - make use of the ads_service_principal abstractionStefan Metzmacher1-61/+32
also for the "GSSAPI" sasl mech. - also use the ads_kinit_password() fallback logic from the "GSS-SPNEGO" sasl mech. metze (This used to be commit cbaf44de1e1f8007dc4ca249791ea30d2902c7c4)
2007-10-10r24095: add one more fallback alternative toStefan Metzmacher1-0/+20
construct the principal metze (This used to be commit b545667d2a45a79bba05c9fe9e93a19951d60af7)
2007-10-10r24093: move gssapi/krb5 principal handling into a functionStefan Metzmacher1-88/+146
metze (This used to be commit 83de27968d434d67d23851b0c285221c870ff75e)
2007-10-10r24062: fix logic for broken krb5 libs which always forceStefan Metzmacher1-1/+2
sign and seal... metze (This used to be commit 4a4fc8cccbcbe17eebcefcd0107f7de60d751f5c)
2007-10-10r24042: add support for krb5 sign and seal in LDAP via "GSS-SPNEGO"Stefan Metzmacher1-1/+309
metze (This used to be commit 34ab84aceb86195743abd26c46a631640409725e)
2007-10-10r24037: only setup sasl wrapping after a successful bindStefan Metzmacher1-2/+4
metze (This used to be commit 85d6cd3dfb5cbd9e899957265e352583ff608ed4)
2007-10-10r23953: Some C++ warningsVolker Lendecke1-3/+6
(This used to be commit 8716edf157bf8866328f82eb6cf25e71af7fea15)
2007-10-10r23948: add gsskrb5 sign and seal support for LDAP connectionsStefan Metzmacher1-5/+135
NOTE: only for the "GSSAPI" SASL mech yet metze (This used to be commit a079b66384b15e9d569dded0d9d6bd830e1a6dfa)
2007-10-10r23946: add support for NTLMSSP sign and sealStefan Metzmacher1-1/+122
NOTE: windows servers are broken with sign only... metze (This used to be commit 408bb2e6e2171196a2bd314db181d9b124e931a1)
2007-10-10r23945: add infrastructure to select plain, sign or seal LDAP connectionStefan Metzmacher1-0/+8
metze (This used to be commit 2075c05b3d8baa7d6d8510cd962471a5781740a6)
2007-10-10r23888: move elements belonging to the current ldap connection to aStefan Metzmacher1-6/+6
substructure. metze (This used to be commit 00909194a6c1ed193dfdb296f50f58a53450583c)
2007-10-10r23784: use the GPLv3 boilerplate as recommended by the FSF and the license textAndrew Tridgell1-2/+1
(This used to be commit b0132e94fc5fef936aa766fb99a306b3628e9f07)
2007-10-10r23779: Change from v2 or later to v3 or later.Jeremy Allison1-1/+1
Jeremy. (This used to be commit 407e6e695b8366369b7c76af1ff76869b45347b3)
2007-10-10r22844: Introduce const DATA_BLOB data_blob_null = { NULL, 0, NULL }; andVolker Lendecke1-9/+9
replace all data_blob(NULL, 0) calls. (This used to be commit 3d3d61687ef00181f4f04e001d42181d93ac931e)
2007-10-10r22153: fix LDAP SASL "GSSAPI" bind against w2k3, this isn't criticalStefan Metzmacher1-5/+10
because we try "GSS-SPNEGO" first and all windows version support that. metze (This used to be commit 34a5badbded0b2537ee854287931e2a7dc3aeb37)
2007-10-10r22092: - make spnego_parse_auth_response() more generic andStefan Metzmacher1-1/+1
not specific for NTLMSSP - it's possible that the server sends a mechOID and authdata if negResult != SPNEGO_NEG_RESULT_INCOMPLETE, but we still force the mechOID to be present if negResult == SPNEGO_NEG_RESULT_INCOMPLETE metze (This used to be commit e9f2aa22f90208a5e530ef3b68664151960a0a22)
generated by cgit (git 2.34.1) at 2024-06-30 07:24:00 +0000