summaryrefslogtreecommitdiff
path: root/source4/libcli/auth/gensec.c
AgeCommit message (Collapse)AuthorFilesLines
2007-10-10r4530: Start adding a bit of Doxygen compatible documentation comments to ↵Andrew Bartlett1-3/+23
GENSEC. Andrew Bartlett (This used to be commit c7acea9d5a097b51693f41de93274b857f7be0e3)
2007-10-10r4504: SettingAndrew Bartlett1-1/+1
.enabled = True on modules we know are good (and we want on be default) seems neater. Andrew Bartlett (This used to be commit 18850c66b7c8ac5e8caf08151dbb9b72cf93230f)
2007-10-10r4500: Allow GENSEC modules to be disabled by setting a flag on their moduleAndrew Bartlett1-1/+1
definition, not by hardcoded reference in loadparm.c Andrew Bartlett (This used to be commit 43558eaf7604d2bb0187e0d1ba0686935a965ad7)
2007-10-10r4459: GENSEC refinements:Andrew Bartlett1-5/+25
In developing a GSSAPI plugin for GENSEC, it became clear that the API needed to change: - GSSAPI exposes only a wrap() and unwrap() interface, and determines the location of the signature itself. - The 'have feature' API did not correctly function in the recursive SPNEGO environment. As such, NTLMSSP has been updated to support these methods. The LDAP client and server have been updated to use the new wrap() and unwrap() methods, and now pass the LDAP-* tests in our smbtorture. (Unfortunely I still get valgrind warnings, in the code that was previously unreachable). Andrew Bartlett (This used to be commit 9923c3bc1b5a6e93a5996aadb039bd229e888ac6)
2007-10-10r4358: At metze's request, the Christmas elves have removed gensec_end inAndrew Bartlett1-10/+0
favor of talloc_free(). Andrew Bartlett (This used to be commit 1933cd12fbaed56e13f2386b19de6ade99bf9478)
2007-10-10r4355: More work from the elves on Christmas eve:Andrew Bartlett1-8/+20
- Update Samba4's kerberos code to match the 'salting' changes in Samba3 (and many other cleanups by jra). - Move GENSEC into the modern era of talloc destructors. This avoids many of the memory leaks in this code, as we now can't somehow 'forget' to call the end routine. - This required fixing some of the talloc hierarchies. - The new krb5 seems more sensitive to getting the service name right, so start actually setting the service name on the krb5 context. Andrew Bartlett (This used to be commit 278bf1a61a6da6ef955a12c13d7b1a0357cebf1f)
2007-10-10r4325: add the GENSEC_FEATURE_DCE_STYLE flagStefan Metzmacher1-0/+1
this will be used by krb5 dcerpc auth metze (This used to be commit 04dc7fb9b24a1e38f31559ec6032701a176209ae)
2007-10-10r4079: implement the gensec_have_feature() correctly by askingStefan Metzmacher1-15/+12
the backend what is actually in use metze (This used to be commit 6f3eb7bc03609108b9e0ea5676fca3d04140e737)
2007-10-10r4054: got rid of Realloc(), replacing it with the type safe macro realloc_p()Andrew Tridgell1-1/+3
(This used to be commit b0f6e21481745d1b2ced28d9ed6f09f6ffd99562)
2007-10-10r4001: fix segfault fix auth failedStefan Metzmacher1-0/+3
metze (This used to be commit 6a7eee1d9917e0884072354dddae568645798da5)
2007-10-10r3737: - Get rid of the register_subsystem() and register_backend() functions.Jelmer Vernooij1-10/+1
- Re-disable tdbtool (it was building fine on my Debian box but other machines were having problems) (This used to be commit 0d7bb2c40b7a9ed59df3f8944133ea562697e814)
2007-10-10r3613: fixed a typoAndrew Tridgell1-2/+2
(This used to be commit 891e3097ee00d75f8f28efcccd8c15cd08b80e88)
2007-10-10r3586: Fix some of the issues with the module init functions.Jelmer Vernooij1-19/+6
Both subsystems and modules can now have init functions, which can be specified in .mk files (INIT_FUNCTION = ...) The build system will define : - SUBSYSTEM_init_static_modules that calls the init functions of all statically compiled modules. Failing to load will generate an error which is not fatal - BINARY_init_subsystems that calls the init functions (if defined) for the subsystems the binary depends on This removes the hack with the "static bool Initialised = " and the "lazy_init" functions (This used to be commit 7a8244761bfdfdfb48f8264d76951ebdfbf7bd8a)
2007-10-10r3453: - split out the auth and popt includesAndrew Tridgell1-0/+1
- tidied up some of the system includes - moved a few more structures back from misc.idl to netlogon.idl and samr.idl now that pidl knows about inter-IDL dependencies (This used to be commit 7b7477ac42d96faac1b0ff361525d2c63cedfc64)
2007-10-10r3110: Fix the krb5 client and server, so that it doesn't segfault. ThereAndrew Bartlett1-5/+2
were also gensec bugs that didn't turn up until we hit error paths in the krb5 code. Andrew Bartlett (This used to be commit e08366ffeb52e8c522d3808a2af1aa0bc632b55f)
2007-10-10r2860: add gensec_have_feature() to check what feature are used in the ↵Stefan Metzmacher1-0/+15
connection metze (This used to be commit 30aa8af04498d674dbcf428a9e62df9055f53ea2)
2007-10-10r2859: It seems useful to allow the seal/unseal functions in gensec to passAndrew Bartlett1-0/+12
though to the sign/check_sig functions. Andrew Bartlett (This used to be commit 18367c4235cf16f3c2fee003153ec9b19b02aa9b)
2007-10-10r2850: - check for GENSEC_WANT_SEAL in gensec_unseal_packet()Stefan Metzmacher1-0/+4
- pass functions to the subcontext in spnego metze (This used to be commit d02fab41f8261095ca8f9a819e0c25bef41b5807)
2007-10-10r2646: - use a talloc destructor to ensure that sockets from the new socketAndrew Tridgell1-2/+1
library are closed on abnormal termination - convert the service.h structures to the new talloc methods (This used to be commit 2dc334a3284858eb1c7190f9687c9b6c879ecc9d)
2007-10-10r2629: convert gensec to the new talloc modelAndrew Tridgell1-30/+26
by making our gensec structures a talloc child of the open connection we can be sure that it will be destroyed when the connection is dropped. (This used to be commit f12ee2f241aab1549bc1d9ca4c35a35a1ca0d09d)
2007-10-10r2377: added a more generic way of disabling gensec subsystems. For example,Andrew Tridgell1-0/+5
"gensec:ntlmssp=no" will disable ntlmssp. (This used to be commit 66f88c7d89154155b27bf8b7839c580fb1cd1e7c)
2007-10-10r2314: fix compiler warningStefan Metzmacher1-2/+2
metze (This used to be commit 75c3108955bab44ffda308406bae153e3a92cedf)
2007-10-10r2307: Fix the use of 'raw' NTLMSSP to hosts that support extended security,Andrew Bartlett1-0/+11
but do not support SPNEGO (such as XP, when not joined to a domain). This is triggered by the presense or lack of a security blob in the negprot reply. Andrew Bartlett (This used to be commit 99f7a38c077725b22475f2ba68d0955114879c24)
2007-10-10r2284: Thanks to some great detective work by tridge, NTLM2 signing now works.Andrew Bartlett1-7/+25
This means that 'require NTLMv2 session security' now works for RPC pipe signing. We don't yet have sealing, but it can't be much further. This is almost all tridge's code, munged into a form that can work with the GENSEC API. This commit also includes more lsakey fixes - that key is used for all DCE-RPC level authenticated connections, even over CIFS/ncacn_np. No doubt I missed something, but I'm going to get some sleep :-) Andrew Bartlett (This used to be commit a1fe175eec884280fb7e9ca8f528134cf4600beb)
2007-10-10r2053: All RPC sessions 'want' a session key. Of course, the key theyAndrew Bartlett1-0/+3
currently get it bougs, but anyway... Andrew Bartlett (This used to be commit 46864dd9d778c008c2f1a3a6701360d4ca64a664)
2007-10-10r2041: Fix NTLMSSP RPC sealing, client -> win2k3 server.Andrew Bartlett1-3/+38
The bug (found by tridge) is that Win2k3 is being tighter about the NTLMSSP flags. If we don't negotiate sealing, we can't use it. We now have a way to indicate to the GENSEC implementation mechanisms what things we want for a connection. Andrew Bartlett (This used to be commit 86f61568ea44c5719f9b583beeeefb12e0c26f4c)
2007-10-10r1737: don't segfault when a mech don't have a session_info hookStefan Metzmacher1-0/+3
metze (This used to be commit 68f3e538265b59ec818917b914678485585795a6)
2007-10-10r1724: Add a new function to return the list of available OIDs.Andrew Bartlett1-9/+39
(Used in our SPNEGO code). Andrew Bartlett (This used to be commit c91d6b6f9b53e64069fd5860f677bc1b4c250f0c)
2007-10-10r1685: Add the ability to lookup RPC auth types for the RPC-MGMT torture test.Andrew Bartlett1-0/+11
Andrew Bartlett (This used to be commit 0e4e3647e848605416fe79c742ac84d84dc4357c)
2007-10-10r1475: More kerberos workAndrew Bartlett1-8/+181
- We can now connect to hosts that follow the SPNEGO RFC, and *do not* give us their principal name in the mechListMIC. - The client code now remembers the hostname it connects to - We now kinit for a user, if there is not valid ticket already - Re-introduce clock skew compensation TODO: - See if the username in the ccache matches the username specified - Use a private ccache, rather then the global one, for a 'new' kinit - Determine 'default' usernames. - The default for Krb5 is the one in the ccache, then $USER - For NTLMSSP, it's just $USER Andrew Bartlett (This used to be commit de5da669397db4ac87c6da08d3533ca3030da2b0)
2007-10-10r1466: the name "oid" is taken by some silly system headers - avoid it in ↵Andrew Tridgell1-2/+2
our code (This used to be commit ea5659b051f95402441e69ba4ce5aea1ed6f5c86)
2007-10-10r1449: Use the config system somewhat better in libcli/authJelmer Vernooij1-7/+2
(This used to be commit 69de0d95c585c1a73072e921884cbd427c160176)
2007-10-10r1440: GENSEC improvements:Andrew Bartlett1-1/+57
- Infrustructure for kerberos - Don't segfault on un-implemented backend functions - Add comments. Andrew Bartlett (This used to be commit 1c31aa42710421917428d6ba86328ea5179751bd)
2007-10-10r1359: fix uninit var - found by valgrindStefan Metzmacher1-3/+1
metze (This used to be commit 264afea9ec3ada4df51e5f5de4c0b977024af40b)
2007-10-10r1357: Work on GENSEC:Andrew Bartlett1-5/+50
- Add the concept of a 'subcontext' into gensec, so that the spengo code doesn't have to figure out how to make one. (A subcontext inherits the username, domain, password (or callback) from the main context). - Add comments to some other routines, and explain a bit about what the various 'start' functions are for. Andrew Bartlett (This used to be commit 7aedbfbdd92b4ca93cbd0babff16e7526201ee88)
2007-10-10r1348: get gensec backend by OID instead of nameStefan Metzmacher1-11/+0
metze (This used to be commit 38e00f87191b86901b603e66aec1e7e71f74c29f)
2007-10-10r1344: add gensec_start_mech_by_name()Stefan Metzmacher1-0/+11
some gensec spnego fixes (NULL pointer and length checks) metze (This used to be commit 41ff6d0cd47f6295fe7fe1d31fec7306416ce199)
2007-10-10r1294: A nice, large, commit...Andrew Bartlett1-43/+362
This implements gensec for Samba's server side, and brings gensec up to the standards of a full subsystem. This means that use of the subsystem is by gensec_* functions, not function pointers in structures (this is internal). This causes changes in all the existing gensec users. Our RPC server no longer contains it's own generalised security scheme, and now calls gensec directly. Gensec has also taken over the role of auth/auth_ntlmssp.c An important part of gensec, is the output of the 'session_info' struct. This is now reference counted, so that we can correctly free it when a pipe is closed, no matter if it was inherited, or created by per-pipe authentication. The schannel code is reworked, to be in the same file for client and server. ntlm_auth is reworked to use gensec. The major problem with this code is the way it relies on subsystem auto-initialisation. The primary reason for this commit now.is to allow these problems to be looked at, and fixed. There are problems with the new code: - I've tested it with smbtorture, but currently don't have VMware and valgrind working (this I'll fix soon). - The SPNEGO code is client-only at this point. - We still do not do kerberos. Andrew Bartlett (This used to be commit 07fd885fd488fd1051eacc905a2d4962f8a018ec)
2007-10-10r1200: Add 'gensec', our generic security layer.Andrew Bartlett1-0/+104
This layer is used for DCERPC security, as well as ntlm_auth at this time. It expect things like SASL and the CIFS layer to use it as well. The particular purpose of this layer is to introduce SPENGO, which needs generic access to the actual implementation mechanisms. Schannel, due to it's 'interesting' setup properties is in GENSEC, but is only in the RPC code. Andrew Bartlett (This used to be commit 902af49006fb8cfecaadd3cc0c10e2e542083fb1)