Age | Commit message | Author | Files | Lines | |
---|---|---|---|---|---|
2010-05-31 | s3:ntlmssp Use a TALLOC_CTX for ntlmssp_sign_packet() and ntlmssp_seal_packet() | Andrew Bartlett | 1 | -7/+9 | |
This ensures the results can't be easily left to leak. Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org> Signed-off-by: Günther Deschner <gd@samba.org> | |||||
2010-05-31 | ntlmssp: Make the ntlmssp.h from source3/ a common header | Andrew Bartlett | 1 | -1/+1 | |
The code is not yet in common, but I hope to fix that soon. Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org> Signed-off-by: Günther Deschner <gd@samba.org> | |||||
2010-05-31 | s3:auth Remove AUTH_NTLMSSP_STATE typedef. | Andrew Bartlett | 1 | -7/+7 | |
typedefs are no longer preferred Samba style. Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org> Signed-off-by: Günther Deschner <gd@samba.org> | |||||
2010-05-31 | s3:auth Make AUTH_NTLMSSP_STATE a private structure. | Andrew Bartlett | 1 | -26/+27 | |
This makes it a little easier for it to be written in terms of GENSEC in future. Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org> Signed-off-by: Günther Deschner <gd@samba.org> | |||||
2010-05-18 | s3: Remove use of iconv_convenience. | Jelmer Vernooij | 1 | -5/+4 | |
2010-03-24 | s3:ntlmssp: use client.netbios_name instead of workstation | Stefan Metzmacher | 1 | -1/+2 | |
metze Signed-off-by: Günther Deschner <gd@samba.org> | |||||
2010-03-04 | srv_pipe.c doesn't reference current_user anymore. Remove it. | Jeremy Allison | 1 | -2/+0 | |
Jeremy. | |||||
2010-02-23 | schannel_tdb: make code compilable in both trees | Simo Sorce | 1 | -1/+1 | |
2010-02-23 | s3:schannel streamline interface | Simo Sorce | 1 | -1/+1 | |
Make calling schannel much easier by removing the need to explicitly open the database. Let the abstraction do it instead. | |||||
2010-02-18 | More fixes for bug #7146 - Samba miss-parses authenticated RPC packets. | Jeremy Allison | 1 | -16/+31 | |
Alignment space calculations are tricky :-). Jeremy. | |||||
2010-02-18 | More fixes for bug #7146 - Samba miss-parses authenticated RPC packets. | Jeremy Allison | 1 | -14/+16 | |
Ensure we calculate the space correctly (including the ss_padding_len) when constructing reply packets. Jeremy. | |||||
2010-02-17 | Fix bug #7146 - Samba miss-parses authenticated RPC packets. | Jeremy Allison | 1 | -120/+311 | |

Parts of the Samba RPC client and server code misinterpret authenticated packets.

DCE authenticated packets actually look like this:

```
+--------------------------+
|header                    |
| ... frag_len (packet len)|
| ... auth_len             |
+--------------------------+
|                          |
| Data payload             |
...                     ....
|                          |
+--------------------------+
|                          |
| auth_pad_len bytes       |
+--------------------------+
|                          |
| Auth footer              |
| auth_pad_len value       |
+--------------------------+
|                          |
| Auth payload             |
| (auth_len bytes long)    |
+--------------------------+
```

That's right. The pad bytes come *before* the footer specifying how many pad bytes there are. In order to read this you must seek to the end of the packet and subtract the auth_len (in the packet header) and the auth footer length (a known value).

The client and server code gets this right (mostly) in 3.0.x -> 3.4.x so long as the pad alignment is on an 8 byte boundary (there are some special cases in the code for this).

Tridge discovered there are some (DRS replication) cases on 64-bit machines where the pad alignment is on a 16-byte boundary. This breaks the existing S3 hand-optimized rpc code.

This patch removes all the special cases in client and server code, and allows the pad alignment for generated packets to be specified by changing a constant in include/local.h (this doesn't affect received packets, the new code always handles them correctly whatever pad alignment is used).

This patch also works correctly with rpcclient using sign+seal from the 3.4.x and 3.3.x builds (testing with 3.0.x and 3.2.x to follow) so even as a server it should still work with older libsmbclient and winbindd code.

Jeremy

2009-12-22 | s3:ntlmssp: only include ntlmssp.h where actually needed | Andrew Bartlett | 1 | -0/+1 | |
Andrew Bartlett | |||||
2009-11-26 | s3-rpc: running minimal_includes.pl on rpc_client and rpc_server. | Günther Deschner | 1 | -2/+0 | |
Guenther | |||||
2009-11-08 | Revert "s3: Consolidate getting the name out of a pipes_struct" | Volker Lendecke | 1 | -15/+29 | |
This reverts commit 9621306351cdb469ef393a6d8cbeea456bc4bd9f. | |||||
2009-11-08 | Revert "s3: Do not reference ndr_table when calling rpc_srv_register" | Volker Lendecke | 1 | -7/+2 | |
This reverts commit 494b2aff8826947e3bd556aecb175746163da485. | |||||
2009-11-08 | s3: Do not reference ndr_table when calling rpc_srv_register | Volker Lendecke | 1 | -2/+7 | |
2009-11-08 | s3: Consolidate getting the name out of a pipes_struct | Volker Lendecke | 1 | -29/+15 | |
2009-11-07 | s3: get_pipe_name_from_iface -> get_pipe_name_from_syntax | Volker Lendecke | 1 | -17/+27 | |
2009-10-13 | s3:rpc: Fix is_known_pipename for dynamically loaded pipes | Volker Lendecke | 1 | -1/+22 | |
2009-09-17 | spnego: share spnego_parse. | Günther Deschner | 1 | -0/+1 | |
Guenther | |||||
2009-09-16 | libcli/auth: rewrite schannel sign/seal code to be more generic | Stefan Metzmacher | 1 | -17/+27 | |
This prepares support for HMAC-SHA256/AES. metze | |||||
2009-09-16 | s3-dcerpc: remove more obsolete or duplicate headers. | Günther Deschner | 1 | -15/+15 | |
Guenther | |||||
2009-09-16 | s3-schannel: add dump_NL_AUTH_SIGNATURE. | Günther Deschner | 1 | -23/+3 | |
Guenther | |||||
2009-09-16 | schannel: fully share schannel sign/seal between s3 and 4. | Günther Deschner | 1 | -25/+60 | |
Guenther | |||||
2009-09-15 | s3-dcerpc: really fix remaining old auth level constants. sorry... | Günther Deschner | 1 | -2/+2 | |
Guenther | |||||
2009-09-15 | s3-dcerpc: fix remaining old auth level constants. | Günther Deschner | 1 | -13/+13 | |
Guenther | |||||
2009-09-15 | s3-dcerpc: remove duplicate RPC_AUTH_LEVEL flags. | Günther Deschner | 1 | -5/+5 | |
Guenther | |||||
2009-09-15 | s3-dcerpc: use dcerpc_AuthLevel and remove duplicate set of flags. | Günther Deschner | 1 | -15/+15 | |
Guenther | |||||
2009-09-13 | s3-schannel: fix api_pipe_schannel_process(), was using incorrect buffer length. | Günther Deschner | 1 | -1/+3 | |
Found by RPC-SCHANNEL torture test. Guenther | |||||
2009-09-11 | s3-schannel: use NL_AUTH_SIGNATURE for schannel sign & seal (client & server). | Günther Deschner | 1 | -8/+31 | |
Guenther | |||||
2009-09-11 | s3-schannel: use NL_AUTH_MESSAGE for schannel bind reply. | Günther Deschner | 1 | -10/+17 | |
Guenther | |||||
2009-09-08 | s3-rpc_server: use NL_AUTH_MESSAGE in pipe_schannel_auth_bind(). | Günther Deschner | 1 | -6/+23 | |
Guenther | |||||
2009-08-27 | s3-netlogon: use shared credential and schannel storage infrastructure for netlogon server. | Günther Deschner | 1 | -7/+11 | |
Guenther | |||||
2009-07-05 | Use null_ndr_syntax_id instead of zeroing null_interface manually | Volker Lendecke | 1 | -6/+2 | |
2009-07-05 | Remove "typedef struct ndr_syntax_id RPC_IFACE;" | Volker Lendecke | 1 | -4/+6 | |
2009-07-05 | Make check_bind_req static to rpc_server/srv_pipe.c | Volker Lendecke | 1 | -2/+2 | |
2009-03-05 | Get the sense of the integer wrap test the right way around. Sorry. | Jeremy Allison | 1 | -1/+1 | |
Jeremy. | |||||
2009-03-05 | Now we're allowing a lower bound for auth_len, ensure we | Jeremy Allison | 1 | -1/+5 | |
also check for an upper one (integer wrap). Jeremy. | |||||
2009-03-05 | Complete the fix for bug 6100 | Volker Lendecke | 1 | -1/+1 | |
According to [MS-RPCE].pdf, section 2.2.2.11: ---- A client or a server that (during composing of a PDU) has allocated more space for the authentication token than the security provider fills in SHOULD fill in the rest of the allocated space with zero octets. These zero octets are still considered to belong to the authentication token part of the PDU.<36> ---- RPC implementations are allowed to send padding bytes at the end of an auth footer. Windows 7 makes use of this. Thanks to Nick Meier <nmeier@microsoft.com> Volker | |||||
2009-02-08 | Make prs_struct->out_data.current_pdu dynamically allocated | Volker Lendecke | 1 | -113/+98 | |
Another 4k per open pipe | |||||
2009-02-01 | Add two new parameters to control how we verify kerberos tickets. Removes lp_use_kerberos_keytab parameter. | Dan Sledz | 1 | -1/+1 | |
The first is "kerberos method" and replaces the "use kerberos keytab" with an enum. Valid options are: secrets only - use only the secrets for ticket verification (default); system keytab - use only the system keytab for ticket verification; dedicated keytab - use a dedicated keytab for ticket verification; secrets and keytab - use the secrets.tdb first, then the system keytab. For existing installs: "use kerberos keytab = yes" corresponds to secrets and keytab; "use kerberos keytab = no" corresponds to secrets only. The major difference between "system keytab" and "dedicated keytab" is that the latter method relies on kerberos to find the correct keytab entry instead of filtering based on expected principals. The second parameter is "dedicated keytab file", which is the keytab to use when in "dedicated keytab" mode. This keytab is only used in ads_verify_ticket. | |||||
2009-02-01 | Replace pipe names in pipes_struct by ndr_syntax_id | Volker Lendecke | 1 | -29/+52 | |
This was mainly used for debugging output | |||||
2009-01-21 | Memory leaks and other fixes found by Coverity | todd stecher | 1 | -1/+3 | |
2009-01-09 | Remove the rpc_srv_register wrapper around rpc_pipe_register_commands | Volker Lendecke | 1 | -15/+4 | |
2009-01-09 | Pass the full ndr_interface_table into the s3 rpcserver when registering | Volker Lendecke | 1 | -0/+10 | |
2009-01-09 | Simplify find_pipe_fns_by_context slightly | Volker Lendecke | 1 | -8/+4 | |
2009-01-09 | Fix some nonempty blank lines | Volker Lendecke | 1 | -17/+17 | |
2008-11-24 | Get rid of pipes_struct->pipe_user, we have server_info now --- YESSS! | Volker Lendecke | 1 | -49/+1 | |
2008-10-22 | s3: use shared asn1 code. | Günther Deschner | 1 | -1/+1 | |
Guenther |