summaryrefslogtreecommitdiff
path: root/source4/libcli/auth/ntlmssp.c
AgeCommit message (Collapse)AuthorFilesLines
2007-10-10r2645: converted the NTLMSSP code to the new style of tallocAndrew Tridgell1-52/+39
(This used to be commit b378aae95d4001c4cf4e6e59ed80ee1bd55382ee)
2007-10-10r2303: allow setting of many ntlmssp options from smb.conf or the commandAndrew Tridgell1-7/+28
line. This makes testing much easier. (This used to be commit 0a4723d250ba13e6374700fc6e80854ec6a3eddc)
2007-10-10r2285: Remove more static data, fix spelling in a comment.Andrew Bartlett1-2/+2
(This used to be commit 2c701f59a7f232fed624f7cec62dd494dd32c2d9)
2007-10-10r2284: Thanks to some great detective work by tridge, NTLM2 signing now works.Andrew Bartlett1-3/+3
This means that 'require NTLMv2 session security' now works for RPC pipe signing. We don't yet have sealing, but it can't be much further. This is almost all tridge's code, munged into a form that can work with the GENSEC API. This commit also includes more lsakey fixes - that key is used for all DCE-RPC level authenticated connections, even over CIFS/ncacn_np. No doubt I missed something, but I'm going to get some sleep :-) Andrew Bartlett (This used to be commit a1fe175eec884280fb7e9ca8f528134cf4600beb)
2007-10-10r2041: Fix NTLMSSP RPC sealing, client -> win2k3 server.Andrew Bartlett1-13/+9
The bug (found by tridge) is that Win2k3 is being tighter about the NTLMSSP flags. If we don't negotiate sealing, we can't use it. We now have a way to indicate to the GENSEC implementation mechanisms what things we want for a connection. Andrew Bartlett (This used to be commit 86f61568ea44c5719f9b583beeeefb12e0c26f4c)
2007-10-10r1886: Fix the buildVolker Lendecke1-3/+3
(This used to be commit 7be7f25a57422fea3e763479629e18dc9a204aba)
2007-10-10r1630: - fixed the replacement timegm() function to work correctly for DST ↵Andrew Tridgell1-2/+2
changes - got rid of global_myname(), using lp_netbios_name() instead (This used to be commit e8d4b390884e487163d81f66a5a7ac1de1305d9a)
2007-10-10r1498: (merge from 3.0)Andrew Bartlett1-3/+3
Rework our random number generation system. On systems with /dev/urandom, this avoids a change to secrets.tdb for every fork(). For other systems, we now only re-seed after a fork, and on startup. No need to do it per-operation. This removes the 'need_reseed' parameter from generate_random_buffer(). This also requires that we start the secrets subsystem, as that is where the reseed value is stored, for systems without /dev/urandom. In order to aviod identical streams in forked children, the random state is re-initialised after the fork(), at the same point were we do that to the tdbs. Andrew Bartlett (This used to be commit b97d3cb2efd68310b1aea8a3ac40a64979c8cdae)
2007-10-10r1439: Once we are authenticated, always return NT_STATUS_OK. (Makes SPENGOAndrew Bartlett1-1/+1
easier to code, as it may return an 'ok' with an empty blob). Andrew Bartlett (This used to be commit e48557158ed99eee7d3ef8231c629bbd14cda9d3)
2007-10-10r1274: revert -r 1239 as discussed with abartletStefan Metzmacher1-118/+95
metze (This used to be commit 52e2d038252bd745d53c687d266ad3ad62efa6fc)
2007-10-10r1239: move the old msrpc_<gen|parse>() functions to ↵Stefan Metzmacher1-95/+118
ndr_<push|pull>_format_blob() simular to ndr_<push|pull>_struct_blob() metze (This used to be commit b25dd341e0febd550a2936ca484b6fecce2ff8c2)
2007-10-10r1200: Add 'gensec', our generic security layer.Andrew Bartlett1-0/+17
This layer is used for DCERPC security, as well as ntlm_auth at this time. It expect things like SASL and the CIFS layer to use it as well. The particular purpose of this layer is to introduce SPENGO, which needs generic access to the actual implementation mechanisms. Schannel, due to it's 'interesting' setup properties is in GENSEC, but is only in the RPC code. Andrew Bartlett (This used to be commit 902af49006fb8cfecaadd3cc0c10e2e542083fb1)
2007-10-10r1001: in samba4 we don't(shouldn't) use typedef's anymore...Stefan Metzmacher1-11/+11
metze (This used to be commit ac5f6f7e511a730448012c8a709887827aea2281)
2007-10-10r995: - renamed many of our crypto routines to use the industry standardAndrew Tridgell1-4/+4
names rather than our crazy naming scheme. So DES is now called des_crypt() rather than smbhash() - added the code from the solution of the ADS crypto challenge that allows Samba to correctly handle a 128 bit session key in all of the netr_ServerAuthenticateX() varients. A huge thanks to Luke Howard from PADL for solving this one! - restructured the server side rpc authentication to allow for other than NTLMSSP sign and seal. This commit just adds the structure, the next commit will add schannel server side support. - added 128 bit session key support to our client side code, and testing against w2k3 with smbtorture. Works well. (This used to be commit 729b2f41c924a0b435d44a14209e6dacc2304cee)
2007-10-10r961: convert 'uchar' to 'uint8_t'Stefan Metzmacher1-11/+11
metze (This used to be commit 9f914e4af99e18b469d4cf9d8b1514a2bd28ddec)
2007-10-10r890: convert samba4 to use [u]int8_t instead of [u]int8Stefan Metzmacher1-3/+3
metze (This used to be commit 2986c5f08c8f0c26a2ea7b6ce20aae025183109f)
2007-10-10r884: convert samba4 to use [u]int32_t instead of [u]int32Stefan Metzmacher1-8/+8
metze (This used to be commit 0e5517d937a2eb7cf707991d1c7498c1ab456095)
2007-10-10r874: This patch is a pile of work on NTLMSSP:Andrew Bartlett1-95/+114
Samba's NTLMSSP code is now fully talloc based, which should go a long way to cleaning up the memory leaks in this code. This also avoids a lot of extra copies of data, as we now allocate the 'return' blobs on a caller-supplied context. I have also been doing a lot of work towards NTLM2 signing and sealing. I have this working for sealing, but not for the verifier (MD5 integrity check on the stream) which is still incorrect. (I can aim a rpcecho sinkdata from a Win2k3 box to my server, and the data arrives intact, but the signature check fails. It does however match the test values I have...). The new torture test is cludged in - when we get a unit test suite back, I'll happliy put it in the 'right' place.... Andrew Bartlett (This used to be commit 399e2e2b1149b8d1c070aa7f0d5131c0b577d2b9)
2007-10-10r610: - Merge the Samba3 'ntlm_auth --diagnostics' testsuite to Samba4.Andrew Bartlett1-2/+2
- This required using NETLOGON_NEG_AUTH2_FLAGS for the SetupCredentials2 negotiation flags, which is what Samba3 does, because otherwise the server uses different crypto. - This tests the returned session keys, which we decrypt. - Update the Samba4 notion of a 'session key' to be a DATA_BLOB in most places. - Fix session key code to return NT_STATUS_NO_SESSION_KEY if none is available. - Remove a useless argument to SMBsesskeygen_ntv1 - move netr_CredentialState from the .idl to the new credentials.h Andrew Bartlett (This used to be commit 44f8b5b53e6abd4de8a676f78d729988fadff320)
2007-10-10r451: More NTLMSSP work.Andrew Bartlett1-37/+153
The work here is trying to get the LM_KEY option for NLTMSSP operating, however until that functions properly, it is now controlled by some new smb.conf options, defaulting off. Andrew Bartlett (This used to be commit c63eb35b45c6db6e4c5302d1832bb5cef49a14f6)
2007-10-10r443: Update Samba4 to the auth and NTLMSSP code from Samba3.Andrew Bartlett1-74/+172
Not all the auth code is merged - only those parts that are actually being used in Samba4. There is a lot more work to do in the NTLMSSP area, and I hope to develop that work here. There is a start on this here - splitting NTLMSSP into two parts that my operate in an async fashion (before and after the actual authentication) Andrew Bartlett (This used to be commit 5876c78806e6a6c44613a1354e8d564b427d0c9f)
2003-12-15make sure we allow clients to negotiate ntlmssp seal if they want itAndrew Tridgell1-1/+2
(This used to be commit a1275c1e89462f0a3cce73066777055c3c970b76)
2003-11-26signed DCERPC over TCP now works !Andrew Tridgell1-0/+1055
* moved ntlmssp code into libcli/auth/, and updated to latest ntlmssp code from samba3 (thanks Andrew! the new interface is great) * added signing/ntlmssp support in the dcerpc code * added a dcerpc_auth.c module for the various dcerpc auth mechanisms (This used to be commit c18c9b5585a3e5f7868562820c14f7cb529cdbcd)