summaryrefslogtreecommitdiff
path: root/source4/libcli/auth/spnego.c
AgeCommit message (Collapse)AuthorFilesLines
2007-10-10r4692: Make the client SPNEGO code bail out in a couple more cases.Andrew Bartlett1-1/+4
Andrew Bartlett (This used to be commit a062ac122c402fb2cf31eb8e76f4077b1f33b8eb)
2007-10-10r4635: Fix NTLMSSP to return NT_STATUS_OK when it has constructed the authAndrew Bartlett1-30/+31
token in the client (the final token in the negotiation). Consequential fixes in the SPNEGO code, which now uses the out.length as the indicator of 'I need to send something to the other side'. Merge the NTLM and SPNEGO DCE-RPC authentication routines in the client. Fix the RPC-MULTIBIND test consequent to this merge. Andrew Bartlett (This used to be commit 43e3516fc03008e97ebb4ad1a0cde464303f43c6)
2007-10-10r4504: SettingAndrew Bartlett1-1/+2
.enabled = True on modules we know are good (and we want on be default) seems neater. Andrew Bartlett (This used to be commit 18850c66b7c8ac5e8caf08151dbb9b72cf93230f)
2007-10-10r4460: Add a new GENSEC module: gensec_gssapiAndrew Bartlett1-6/+22
(disabled by default, set parametric option: gensec:gssapi=yes to enable). This module backs directly onto GSSAPI, and allows us to sign and seal GSSAPI/Krb5 connections in particular. This avoids me reinventing the entire GSSAPI wheel. Currently a lot of things are left as default - we will soon start specifiying OIDs as well as passwords (it uses the keytab only at the moment). Tested with our LDAP-* torture tests against Win2k3. My hope is to use this module to access the new SPNEGO implementation in Heimdal, to avoid having to standards-verify our own. Andrew Bartlett (This used to be commit 14b650c85db14a9bf97e24682b2643b63c51ff35)
2007-10-10r4459: GENSEC refinements:Andrew Bartlett1-2/+51
In developing a GSSAPI plugin for GENSEC, it became clear that the API needed to change: - GSSAPI exposes only a wrap() and unwrap() interface, and determines the location of the signature itself. - The 'have feature' API did not correctly function in the recursive SPNEGO environment. As such, NTLMSSP has been updated to support these methods. The LDAP client and server have been updated to use the new wrap() and unwrap() methods, and now pass the LDAP-* tests in our smbtorture. (Unfortunely I still get valgrind warnings, in the code that was previously unreachable). Andrew Bartlett (This used to be commit 9923c3bc1b5a6e93a5996aadb039bd229e888ac6)
2007-10-10r4413: login failure doesn't warrant a level 1 debug (its filling my logs ↵Andrew Tridgell1-1/+1
during torture tests) (This used to be commit b9284c16dc37bf14fceeaa694e82f36a38b0dd93)
2007-10-10r4358: At metze's request, the Christmas elves have removed gensec_end inAndrew Bartlett1-23/+16
favor of talloc_free(). Andrew Bartlett (This used to be commit 1933cd12fbaed56e13f2386b19de6ade99bf9478)
2007-10-10r4355: More work from the elves on Christmas eve:Andrew Bartlett1-26/+23
- Update Samba4's kerberos code to match the 'salting' changes in Samba3 (and many other cleanups by jra). - Move GENSEC into the modern era of talloc destructors. This avoids many of the memory leaks in this code, as we now can't somehow 'forget' to call the end routine. - This required fixing some of the talloc hierarchies. - The new krb5 seems more sensitive to getting the service name right, so start actually setting the service name on the krb5 context. Andrew Bartlett (This used to be commit 278bf1a61a6da6ef955a12c13d7b1a0357cebf1f)
2007-10-10r4326: fix memory leakStefan Metzmacher1-1/+1
metze (This used to be commit 1ceeb77fc716729c69f2dba4a84579c366eefa1c)
2007-10-10r4070: move some defines from asn_1.h to the places they belong toStefan Metzmacher1-5/+4
metze (This used to be commit ab2c2f27e1c61516e885f02bf26350f97209057a)
2007-10-10r4044: only send supportedMech when we also send other dataStefan Metzmacher1-5/+8
metze (This used to be commit 1e0483a8482574fa0f8d7ad31cc4bf4a6155ec52)
2007-10-10r3786: send a mechListMIC to make the current samba3 client happyStefan Metzmacher1-1/+9
metze (This used to be commit 2403186562698b8e13c20741a0cbed812e1b8e89)
2007-10-10r3770: - fix endless recursion loop in spnego fallback codeStefan Metzmacher1-7/+11
- fix compiler warnings metze (This used to be commit 37a8bd2e30cab98bc8b1bf10d0a516827cbb3373)
2007-10-10r3737: - Get rid of the register_subsystem() and register_backend() functions.Jelmer Vernooij1-1/+1
- Re-disable tdbtool (it was building fine on my Debian box but other machines were having problems) (This used to be commit 0d7bb2c40b7a9ed59df3f8944133ea562697e814)
2007-10-10r3463: separated out some more headers (asn_1.h, messages.h, dlinklist.h and ↵Andrew Tridgell1-0/+1
ioctl.h) (This used to be commit b97e395c814762024336c1cf4d7c25be8da5813a)
2007-10-10r3453: - split out the auth and popt includesAndrew Tridgell1-0/+1
- tidied up some of the system includes - moved a few more structures back from misc.idl to netlogon.idl and samr.idl now that pidl knows about inter-IDL dependencies (This used to be commit 7b7477ac42d96faac1b0ff361525d2c63cedfc64)
2007-10-10r3322: fixed a bunch of warnings in the build, including one case where it ↵Andrew Tridgell1-1/+1
was a real bug (This used to be commit 02d5d0f685e44bd66aff4a007f0bf34c8f915574)
2007-10-10r3289: Mr. L. and Mr. B.!Stefan Metzmacher1-2/+1
can we decide to not break WinXP clients:-) metze (This used to be commit 5eb0ff78d5e68f488a439545fdaec90c28ef877a)
2007-10-10r3110: Fix the krb5 client and server, so that it doesn't segfault. ThereAndrew Bartlett1-11/+10
were also gensec bugs that didn't turn up until we hit error paths in the krb5 code. Andrew Bartlett (This used to be commit e08366ffeb52e8c522d3808a2af1aa0bc632b55f)
2007-10-10r2850: - check for GENSEC_WANT_SEAL in gensec_unseal_packet()Stefan Metzmacher1-2/+0
- pass functions to the subcontext in spnego metze (This used to be commit d02fab41f8261095ca8f9a819e0c25bef41b5807)
2007-10-10r2645: converted the NTLMSSP code to the new style of tallocAndrew Tridgell1-17/+6
(This used to be commit b378aae95d4001c4cf4e6e59ed80ee1bd55382ee)
2007-10-10r2587: fixed a couple of authentication memory leaks. There are more to beAndrew Tridgell1-0/+2
fixed - I'll commit a little test suite soon. (This used to be commit 5b967c1cbb9831f7f2c6c6187f9e8e6dcc284497)
2007-10-10r2307: Fix the use of 'raw' NTLMSSP to hosts that support extended security,Andrew Bartlett1-2/+3
but do not support SPNEGO (such as XP, when not joined to a domain). This is triggered by the presense or lack of a security blob in the negprot reply. Andrew Bartlett (This used to be commit 99f7a38c077725b22475f2ba68d0955114879c24)
2007-10-10r2284: Thanks to some great detective work by tridge, NTLM2 signing now works.Andrew Bartlett1-16/+46
This means that 'require NTLMv2 session security' now works for RPC pipe signing. We don't yet have sealing, but it can't be much further. This is almost all tridge's code, munged into a form that can work with the GENSEC API. This commit also includes more lsakey fixes - that key is used for all DCE-RPC level authenticated connections, even over CIFS/ncacn_np. No doubt I missed something, but I'm going to get some sleep :-) Andrew Bartlett (This used to be commit a1fe175eec884280fb7e9ca8f528134cf4600beb)
2007-10-10r2119: Noticed by jra:Andrew Bartlett1-6/+0
Clean up use of unitilaised variable. Andrew Bartlett (This used to be commit e8d0246882f0d70dc3c63208d0a990804f36a05d)
2007-10-10r1752: Fix compile bugs on C (rather than C++) tolerant compilers.Andrew Bartlett1-1/+1
Andrew Bartlett (This used to be commit 0949b72645024a6810f447fe8acb643f98588ab3)
2007-10-10r1731: Add server-side SPNEGO support to Samba (disabled, until SMB signingAndrew Bartlett1-103/+207
is reworked). Andrew Bartlett (This used to be commit 73ee549b8c54e93556ff0105941996e0d4de8303)
2007-10-10r1605: GENSEC krb5 updates - fix a valgrind found uninitialised variable, andAndrew Bartlett1-12/+20
allow tests for 'unwrapped' krb5, allowed by Win2k3. SPENGO changes, trying to get the logic right (when and what sub-mechanisms to wrap). Andrew Bartlett (This used to be commit 8a0f7bf5e282d021afe93994a91fd76fa9c05f42)
2007-10-10r1521: Updates to our SMB signing code.Andrew Bartlett1-20/+23
- This causes our client and server code to use the same core code, with the same debugs etc. - In turn, this will allow the 'mandetory/fallback' signing algorithms to be shared, and only written once. Updates to the SPNEGO code - Don't wrap an empty token to the server, if we are actually already finished. Andrew Bartlett (This used to be commit 35b83eb329482ac1b3bc67285854cc47844ff353)
2007-10-10r1475: More kerberos workAndrew Bartlett1-1/+2
- We can now connect to hosts that follow the SPNEGO RFC, and *do not* give us their principal name in the mechListMIC. - The client code now remembers the hostname it connects to - We now kinit for a user, if there is not valid ticket already - Re-introduce clock skew compensation TODO: - See if the username in the ccache matches the username specified - Use a private ccache, rather then the global one, for a 'new' kinit - Determine 'default' usernames. - The default for Krb5 is the one in the ccache, then $USER - For NTLMSSP, it's just $USER Andrew Bartlett (This used to be commit de5da669397db4ac87c6da08d3533ca3030da2b0)
2007-10-10r1462: GENSEC Kerberos and SPENGO work:Andrew Bartlett1-60/+62
- Spelling - it's SPNEGO, not SPENGO - SMB signing - Krb5 logins are now correctly signed - SPNEGO - Changes to always tell GENSEC about incoming packets, empty or not. Andrew Bartlett (This used to be commit cea578d6f39a2ea4a24e7a0064c95193ab6f6df7)
2007-10-10r1449: Use the config system somewhat better in libcli/authJelmer Vernooij1-1/+1
(This used to be commit 69de0d95c585c1a73072e921884cbd427c160176)
2007-10-10r1421: fix a uninitialized var (thanks valgrind:-)Stefan Metzmacher1-5/+15
add a view debug messages metze (This used to be commit 79953dccc1f21dbabddff73a4b6d862eace29eb9)
2007-10-10r1372: Remove the 'default' case from the SPENGO state machine, and fix upAndrew Bartlett1-6/+6
some compiler warnings that allowed us to see. Andrew Bartlett (This used to be commit 1a6c2018dd49519e6fccdd5a7f35d70b67d45275)
2007-10-10r1367: SPNEGO know uses gensec_subcontext_start() in all placesStefan Metzmacher1-1/+2
metze (This used to be commit f7379324025c599cd201ce6d0905f0ca2c24ce73)
2007-10-10r1366: handle the case where the client need to send the negTokenInit beforeStefan Metzmacher1-1/+88
getting something from the server. (this is needed by SPNEGO in dcerpc) metze (This used to be commit ec978555f0bd612b80dfa49ccc880a3858285879)
2007-10-10r1365: in SPNEGO_SERVER_TARG we should not check the spnego_negResultStefan Metzmacher1-9/+0
because the client don't send this metze (This used to be commit b1217a4ef6592082bb02fd0596a0563bacdf1d8e)
2007-10-10r1364: the SPNEGO_SERVER_TARG state is different from the SPNEGO_CLIENT_TARGStefan Metzmacher1-4/+72
the client checks but not send spnego_negResult metze (This used to be commit 49e4d375e9504f595aaa64ac62ddb421f082c424)
2007-10-10r1360: - remove unused state SPNEGO_CLIENT_SEND_MECHSStefan Metzmacher1-5/+0
- remove unsed gensec_user forward, it's done by the gensec layer know metze (This used to be commit e19e5a91f2fd988546f42473bf241dff3c2fe198)
2007-10-10r1358: Re-indent the SPENGO implementation, and work on the basis of aAndrew Bartlett1-146/+201
switch, rather than a series of if statements. Also start to use the GENSEC subcontexts, and add some comments explaining some of the 'odd' logic in parts. I'll probably break these out into subfunctions soon. Thanks to metze for getting me to do this :-) Andrew Bartlett (This used to be commit 73e03596d3b2ad5927e8154d0fbfbdae9ec3f717)
2007-10-10r1350: - init nt_status- found by valgrindStefan Metzmacher1-1/+2
- set auth_type = DCERPC_AUTH_TYPE_SPNEGO metze (This used to be commit 7354521f3cfaa2ead8fac38a68b7704d43731f72)
2007-10-10r1347: - remove typedefStefan Metzmacher1-4/+13
- pass down gensec_user to the sub context - if segfault when mechType is NULL metze (This used to be commit 3f84263c27add3bf01eea88618f707da925bed5c)
2007-10-10r1346: revert my last spnego changesStefan Metzmacher1-124/+114
metze (This used to be commit 7b8237bfb3c302a448a7db0236c0a953603dcd89)
2007-10-10r1344: add gensec_start_mech_by_name()Stefan Metzmacher1-114/+124
some gensec spnego fixes (NULL pointer and length checks) metze (This used to be commit 41ff6d0cd47f6295fe7fe1d31fec7306416ce199)
2007-10-10r1294: A nice, large, commit...Andrew Bartlett1-60/+115
This implements gensec for Samba's server side, and brings gensec up to the standards of a full subsystem. This means that use of the subsystem is by gensec_* functions, not function pointers in structures (this is internal). This causes changes in all the existing gensec users. Our RPC server no longer contains it's own generalised security scheme, and now calls gensec directly. Gensec has also taken over the role of auth/auth_ntlmssp.c An important part of gensec, is the output of the 'session_info' struct. This is now reference counted, so that we can correctly free it when a pipe is closed, no matter if it was inherited, or created by per-pipe authentication. The schannel code is reworked, to be in the same file for client and server. ntlm_auth is reworked to use gensec. The major problem with this code is the way it relies on subsystem auto-initialisation. The primary reason for this commit now.is to allow these problems to be looked at, and fixed. There are problems with the new code: - I've tested it with smbtorture, but currently don't have VMware and valgrind working (this I'll fix soon). - The SPNEGO code is client-only at this point. - We still do not do kerberos. Andrew Bartlett (This used to be commit 07fd885fd488fd1051eacc905a2d4962f8a018ec)
2007-10-10r1229: the name of the protocol should be in first place of a function nameStefan Metzmacher1-7/+7
rename <read|write|free>_spnego_data() into spnego_<read|write|free>_data metze (This used to be commit 3f57c8f596eb6ad31a024acaf60fefcfd28d8387)
2007-10-10r1200: Add 'gensec', our generic security layer.Andrew Bartlett1-272/+250
This layer is used for DCERPC security, as well as ntlm_auth at this time. It expect things like SASL and the CIFS layer to use it as well. The particular purpose of this layer is to introduce SPENGO, which needs generic access to the actual implementation mechanisms. Schannel, due to it's 'interesting' setup properties is in GENSEC, but is only in the RPC code. Andrew Bartlett (This used to be commit 902af49006fb8cfecaadd3cc0c10e2e542083fb1)
2007-10-10r1198: Merge the Samba 3.0 ntlm_auth, including the kerberos and SPENGO parts.Andrew Bartlett1-0/+343
I have moved the SPNEGO and Kerberos code into libcli/auth, and intend to refactor them into the same format as NTLMSSP. Andrew Bartlett (This used to be commit 58da78a7460d5d0a4abee7d7b84799c228e6bc0b)