summaryrefslogtreecommitdiff
path: root/source4/auth/gensec/spnego.c
AgeCommit message (Collapse)AuthorFilesLines
2007-10-10r18257: Order the GENSEC modules, with unknown modules last.Andrew Bartlett1-1/+1
Andrew Bartlett (This used to be commit 8ae880b5019ab275fe0eca48120ab9e0fcca6293)
2007-10-10r18250: Add an ordering of GENSEC modules, so we do preferred modules first.Andrew Bartlett1-0/+1
Andrew Bartlett (This used to be commit 0afb4d1992b3c93557dec1e1cdca467efc299853)
2007-10-10r18068: This splits the handling of multiple SASL packets between the GENSECAndrew Bartlett1-0/+58
backend (if it chooses to implement it), or the GENSEC socket code. This is to allow us to handle DIGEST-MD5 across to cyrus-sasl. Andrew Bartlett (This used to be commit 0a098006b431f4aa48632a27ca08e9adca8d9609)
2007-10-10r17197: This patch moves the encryption of bulk data on SASL negotiated securityAndrew Bartlett1-18/+44
contexts from the application layer into the socket layer. This improves a number of correctness aspects, as we now allow LDAP packets to cross multiple SASL packets. It should also make it much easier to write async LDAP tests from windows clients, as they use SASL by default. It is also vital to allowing OpenLDAP clients to use GSSAPI against Samba4, as it negotiates a rather small SASL buffer size. This patch mirrors the earlier work done to move TLS into the socket layer. Unusual in this pstch is the extra read callback argument I take. As SASL is a layer on top of a socket, it is entirely possible for the SASL layer to drain a socket dry, but for the caller not to have read all the decrypted data. This would leave the system without an event to restart the read (as the socket is dry). As such, I re-invoke the read handler from a timed callback, which should trigger on the next running of the event loop. I believe that the TLS code does require a similar callback. In trying to understand why this is required, imagine a SASL-encrypted LDAP packet in the following formation: +-----------------+---------------------+ | SASL Packet #1 | SASL Packet #2 | ----------------------------------------+ | LDAP Packet #1 | LDAP Packet #2 | ----------------------------------------+ In the old code, this was illegal, but it is perfectly standard SASL-encrypted LDAP. Without the callback, we would read and process the first LDAP packet, and the SASL code would have read the second SASL packet (to decrypt enough data for the LDAP packet), and no data would remain on the socket. Without data on the socket, read events stop. That is why I add timed events, until the SASL buffer is drained. Another approach would be to add a hack to the event system, to have it pretend there remained data to read off the network (but that is ugly). In improving the code, to handle more real-world cases, I've been able to remove almost all the special-cases in the testnonblock code. The only special case is that we must use a deterministic partial packet when calling send, rather than a random length. (1 + n/2). This is needed because of the way the SASL and TLS code works, and the 'resend on failure' requirements. Andrew Bartlett (This used to be commit 5d7c9c12cb2b39673172a357092b80cd814850b0)
2007-10-10r14542: Remove librpc, libndr and libnbt from includes.hJelmer Vernooij1-0/+1
(This used to be commit 51b4270513752d2eafbe77f9de598de16ef84a1f)
2007-10-10r13903: Don't generate prototypes for modules and binaries in include/proto.h byJelmer Vernooij1-0/+1
default. (This used to be commit c80a8f1102caf744b66c13bebde38fba74983dc4)
2007-10-10r13584: Another try at SPNEGO stuff. I need to write a better testsuite for ↵Andrew Bartlett1-0/+23
this. This tries to ensure that when we are a client, we cope with mechs (like GSSAPI) that only abort (unknown server) at first runtime. Andrew Bartlett (This used to be commit cb5d18c6190fa1809478aeb60e352cb93c4214f6)
2007-10-10r13206: This patch finally re-adds a -k option that works reasonably.Andrew Bartlett1-4/+5
From here we can add tests to Samba for kerberos, forcing it on and off. In the process, I also remove the dependency of credentials on GENSEC. This also picks up on the idea of bringing 'set_boolean' into general code from jpeach's cifsdd patch. Andrew Bartlett (This used to be commit 1ac7976ea6e3ad6184c911de5df624c44e7c5228)
2007-10-10r12439: No need to keep walking this list if we find the match.Andrew Bartlett1-0/+1
Andrew Bartlett (This used to be commit cf1883c3cc1feecf3ddd7f36dbbca3bdf068bee2)
2007-10-10r12436: Fix Samba4 as a server to Win2000 for the domain join.Andrew Bartlett1-46/+74
We still have Win2000 issues, but now we correctly handle the case where NTLMSSP is chosen as an authentication mech, but the OID list still contains Kerberos as a later option. Andrew Bartlett (This used to be commit dc2b2c33f89b84bd221c9009750a22ff42fc462d)
2007-10-10r12060: Work towards allowing the credentials system to allow/deny certainAndrew Bartlett1-6/+9
GENSEC mechansims. This will allow a machine join to an NT4 domain to avoid even trying kerberos, or a sensitive operation to require it. Andrew Bartlett (This used to be commit 11c7a89e523f85afd728d5e5f03bb084dc620244)
2007-10-10r11226: Cope with Samba3's behaviour on LDAP with GSS-SPNEGO.Andrew Bartlett1-2/+3
Andrew Bartlett (This used to be commit 4d9667f5a037eb15f6f0e4329314a37f148e9db7)
2007-10-10r11219: Now that we have the credentials hooked in here, we have a much moreAndrew Bartlett1-1/+10
reasonable value to fill in for the mechListMIC. Andrew Bartlett (This used to be commit 51d78de2b79f4ab75c86c3255c23a478c6822a0e)
2007-10-10r11196: Clean up memory leaks (pointed out by vl), and handle the case whereAndrew Bartlett1-11/+47
the client doesn't guess correctly on the mech to use. It must back off and try the mech the server selected from the list. I'm not particularly attached to our SPNEGO parser, so while I can't easily use the SPNEGO application logic in Heimdal, I'm going to look closely at using the asn1 routines to avoid some pain here. Andrew Bartlett (This used to be commit 929217387449270b60c3f825dca3b3cae5a4f9d1)
2007-10-10r10291: The patch optionally (off by default, not available in all cases) allowsAndrew Bartlett1-1/+2
Samba to use the target principal name supplied in the mechTokenMIC of an SPNEGO negTokenInit. This isn't a great idea for security reasons, but is how Samba3 behaves, and allows kerberos to function more often in some environments. It is only available for CIFS session setups, due to the ordering of the exchange. Andrew Bartlett (This used to be commit f6a645644127ae695a9f7288e0a469f2eb7f3066)
2007-10-10r10153: This patch adds a new parameter to gensec_sig_size(), the size of theAndrew Bartlett1-2/+2
data to be signed/sealed. We can use this to split the data from the signature portion of the resultant wrapped packet. This required merging the gsskrb5_wrap_size patch from lorikeet-heimdal, and fixes AES encrption issues on DCE/RPC (we no longer use a static 45 byte value). This fixes one of the krb5 issues in my list. Andrew Bartlett (This used to be commit e4f2afc34362953f56a026b66ae1aea81e9db104)
2007-10-10r9927: Extend copyright for all the hard work I've done this year.Andrew Bartlett1-1/+1
Andrew Bartlett (This used to be commit b50e546eb4d5d9171d4ae5e9c9bebd8c7c878bd8)
2007-10-10r9420: Fix the SPNEGO system again: Update the state position afterAndrew Bartlett1-4/+6
processing the state. Andrew Bartlett (This used to be commit c3a8080a189e084c5774bdd1a9f3ea62daed715e)
2007-10-10r9419: Silly, silly, untested mistake...Andrew Bartlett1-2/+2
Andrew Bartlett (This used to be commit 66cdd4dbd7f4024b49bcc9fe1c7ff2a0de7e82e8)
2007-10-10r9418: SPNEGO fixes:Andrew Bartlett1-18/+29
- Fix mixing of code and data - send mechListMic again in SPENGO server - only send optomistic first packet in the client. (This used to be commit 9941da8081ef5a669b0946265860d2f20d3718d3)
2007-10-10r9416: Cleanups inspired by jra's work to migrate Samba4's NTLMSSP code backAndrew Bartlett1-51/+50
into Samba3. The NTLMSSP sign/seal code now assumes that GENSEC has already checked to see if SIGN or SEAL should be permitted. This simplfies the code ensures that no matter what the mech, the correct code paths have been set in place. Also remove duplication caused by the NTLMv2 code's history, and document why some of the things a bit funny. In SPNEGO, create a new routine to handle the negTokenInit creation. We no longer send an OID for a mech we can't start (like kerberos on the server without a valid trust account). Andrew Bartlett (This used to be commit fe45ef608f961a6950d4d19b4cb5e7c27b38ba5f)
2007-10-10r9357: Remove DBGC_CLASS cruft copied over from Samba 3. I would like toTim Potter1-3/+0
replace this with something funkier. (This used to be commit 8d376d56c78894b9bbd27ed7fa70da415c0cd038)
2007-10-10r9233: Ensure that the output variable is initialised in this conversion fromAndrew Bartlett1-0/+1
error to non-error case. Andrew Bartlett (This used to be commit ab75cd53e7c65fa6242b8dde3bfede735a6b36d5)
2007-10-10r7827: Add in-memory keytab to Samba4, using the new MEMORY_WILDCARD keytabAndrew Bartlett1-9/+14
support in Heimdal. This removes the 'ext_keytab' step from my Samba4/WinXP client howto. In doing this work, I realised that the replay cache in Heimdal is currently a no-op, so I have removed the calls to it, and therefore the mutex calls from passdb/secrets.c. This patch also includes a replacement 'magic' mechanism detection, that does not issue extra error messages from deep inside the GSSAPI code. Andrew Bartlett (This used to be commit c19d5706f4fa760415b727b970bc99e7f1abd064)
2007-10-10r6800: A big GENSEC update:Andrew Bartlett1-119/+85
Finally remove the distinction between 'krb5' and 'ms_krb5'. We now don't do kerberos stuff twice on failure. The solution to this is slightly more general than perhaps was really required (as this is a special case), but it works, and I'm happy with the cleanup I achived in the process. All modules have been updated to supply a NULL-terminated list of OIDs. In that process, SPNEGO code has been generalised, as I realised that two of the functions should have been identical in behaviour. Over in the actual modules, I have worked to remove the 'kinit' code from gensec_krb5, and placed it in kerberos/kerberos_util.c. The GSSAPI module has been extended to use this, so no longer requires a manual kinit at the command line. It will soon loose the requirement for a on-disk keytab too. The general kerberos code has also been updated to move from error_message() to our routine which gets the Heimdal error string (which may be much more useful) when available. Andrew Bartlett (This used to be commit 0101728d8e2ed9419eb31fe95047944a718ba135)
2007-10-10r6792: Allow a mech to fail on the first pass at the packet, and still fallAndrew Bartlett1-0/+2
back to the other options. Andrew Bartlett (This used to be commit 9153d7306124d5e4ffc0467728210e2e2235059f)
2007-10-10r6610: Fix a const warning in the gensec spnego implementation. (A make protoTim Potter1-1/+1
is required after updating to this version). (This used to be commit 258d03ef9248b2827db18269e4f0883c73839084)
2007-10-10r6113: Move GENSEC and the kerberos code out of libcli/auth, and intoAndrew Bartlett1-0/+884
auth/gensec and auth/kerberos. This also pulls the kerberos configure code out of libads (which is otherwise dead), and into auth/kerberos/kerberos.m4 Andrew Bartlett (This used to be commit e074d63f3dcf4f84239a10879112ebaf1cfa6c4f)