2004-07-11 12:38:27 +00:00
#################################
2006-03-07 16:41:04 +00:00
# Start SUBSYSTEM gensec
[LIBRARY :: gensec ]
2006-03-13 16:32:44 +00:00
VERSION = 0.0.1
2006-03-16 21:36:36 +00:00
SO_VERSION = 0
2005-12-15 16:32:08 +00:00
DESCRIPTION = Generic Security Library
2006-03-16 17:51:04 +00:00
PUBLIC_HEADERS = gensec.h spnego.h
PUBLIC_PROTO_HEADER = gensec_proto.h
2005-12-26 18:03:50 +00:00
OBJ_FILES = gensec.o
2006-04-24 15:47:59 +00:00
PUBLIC_DEPENDENCIES = \
2006-11-12 02:49:05 +00:00
CREDENTIALS LIBSAMBA-UTIL LIBCRYPTO ASN1_UTIL
2006-03-07 16:41:04 +00:00
# End SUBSYSTEM gensec
2004-07-11 12:38:27 +00:00
#################################
################################################
# Start MODULE gensec_krb5
[MODULE :: gensec_krb 5]
2006-03-07 16:41:04 +00:00
SUBSYSTEM = gensec
2004-11-06 23:23:15 +00:00
INIT_FUNCTION = gensec_krb5_init
2005-12-26 18:03:50 +00:00
OBJ_FILES = gensec_krb5.o
2007-04-20 11:00:20 +00:00
PRIVATE_DEPENDENCIES = CREDENTIALS_KRB5 KERBEROS auth auth_sam
2004-07-11 12:38:27 +00:00
# End MODULE gensec_krb5
################################################
2005-01-01 00:19:08 +00:00
################################################
# Start MODULE gensec_gssapi
[MODULE :: gensec_gssapi ]
2006-03-07 16:41:04 +00:00
SUBSYSTEM = gensec
2005-01-01 00:19:08 +00:00
INIT_FUNCTION = gensec_gssapi_init
2005-12-26 18:03:50 +00:00
OBJ_FILES = gensec_gssapi.o
2007-11-27 02:04:38 +01:00
PRIVATE_DEPENDENCIES = HEIMDAL_GSSAPI CREDENTIALS_KRB5 KERBEROS
2005-01-01 00:19:08 +00:00
# End MODULE gensec_gssapi
################################################
2006-09-06 10:34:18 +00:00
################################################
# Start MODULE cyrus_sasl
[MODULE :: cyrus_sasl ]
SUBSYSTEM = gensec
INIT_FUNCTION = gensec_sasl_init
OBJ_FILES = cyrus_sasl.o
2007-11-27 02:04:38 +01:00
PRIVATE_DEPENDENCIES = CREDENTIALS SASL
2006-09-06 10:34:18 +00:00
# End MODULE cyrus_sasl
################################################
2004-07-11 12:38:27 +00:00
################################################
# Start MODULE gensec_spnego
[MODULE :: gensec_spnego ]
2006-03-07 16:41:04 +00:00
SUBSYSTEM = gensec
2004-11-06 23:23:15 +00:00
INIT_FUNCTION = gensec_spnego_init
2006-03-06 23:28:18 +00:00
PRIVATE_PROTO_HEADER = spnego_proto.h
2007-04-20 11:00:20 +00:00
PRIVATE_DEPENDENCIES = ASN1_UTIL GENSEC_SOCKET CREDENTIALS
OBJ_FILES = spnego.o spnego_parse.o
2004-07-11 12:38:27 +00:00
# End MODULE gensec_spnego
################################################
r6028: A MAJOR update to intergrate the new credentails system fully with
GENSEC, and to pull SCHANNEL into GENSEC, by making it less 'special'.
GENSEC now no longer has it's own handling of 'set username' etc,
instead it uses cli_credentials calls.
In order to link the credentails code right though Samba, a lot of
interfaces have changed to remove 'username, domain, password'
arguments, and these have been replaced with a single 'struct
cli_credentials'.
In the session setup code, a new parameter 'workgroup' contains the
client/server current workgroup, which seems unrelated to the
authentication exchange (it was being filled in from the auth info).
This allows in particular kerberos to only call back for passwords
when it actually needs to perform the kinit.
The kerberos code has been modified not to use the SPNEGO provided
'principal name' (in the mechListMIC), but to instead use the name the
host was connected to as. This better matches Microsoft behaviour,
is more secure and allows better use of standard kerberos functions.
To achieve this, I made changes to our socket code so that the
hostname (before name resolution) is now recorded on the socket.
In schannel, most of the code from librpc/rpc/dcerpc_schannel.c is now
in libcli/auth/schannel.c, and it looks much more like a standard
GENSEC module. The actual sign/seal code moved to
libcli/auth/schannel_sign.c in a previous commit.
The schannel credentails structure is now merged with the rest of the
credentails, as many of the values (username, workstation, domain)
where already present there. This makes handling this in a generic
manner much easier, as there is no longer a custom entry-point.
The auth_domain module continues to be developed, but is now just as
functional as auth_winbind. The changes here are consequential to the
schannel changes.
The only removed function at this point is the RPC-LOGIN test
(simulating the load of a WinXP login), which needs much more work to
clean it up (it contains copies of too much code from all over the
torture suite, and I havn't been able to penetrate its 'structure').
Andrew Bartlett
(This used to be commit 2301a4b38a21aa60917973451687063d83d18d66)
2005-03-24 04:14:06 +00:00
################################################
# Start MODULE gensec_schannel
[MODULE :: gensec_schannel ]
2006-03-07 16:41:04 +00:00
SUBSYSTEM = gensec
2006-03-06 23:28:18 +00:00
PRIVATE_PROTO_HEADER = schannel_proto.h
r6028: A MAJOR update to intergrate the new credentails system fully with
GENSEC, and to pull SCHANNEL into GENSEC, by making it less 'special'.
GENSEC now no longer has it's own handling of 'set username' etc,
instead it uses cli_credentials calls.
In order to link the credentails code right though Samba, a lot of
interfaces have changed to remove 'username, domain, password'
arguments, and these have been replaced with a single 'struct
cli_credentials'.
In the session setup code, a new parameter 'workgroup' contains the
client/server current workgroup, which seems unrelated to the
authentication exchange (it was being filled in from the auth info).
This allows in particular kerberos to only call back for passwords
when it actually needs to perform the kinit.
The kerberos code has been modified not to use the SPNEGO provided
'principal name' (in the mechListMIC), but to instead use the name the
host was connected to as. This better matches Microsoft behaviour,
is more secure and allows better use of standard kerberos functions.
To achieve this, I made changes to our socket code so that the
hostname (before name resolution) is now recorded on the socket.
In schannel, most of the code from librpc/rpc/dcerpc_schannel.c is now
in libcli/auth/schannel.c, and it looks much more like a standard
GENSEC module. The actual sign/seal code moved to
libcli/auth/schannel_sign.c in a previous commit.
The schannel credentails structure is now merged with the rest of the
credentails, as many of the values (username, workstation, domain)
where already present there. This makes handling this in a generic
manner much easier, as there is no longer a custom entry-point.
The auth_domain module continues to be developed, but is now just as
functional as auth_winbind. The changes here are consequential to the
schannel changes.
The only removed function at this point is the RPC-LOGIN test
(simulating the load of a WinXP login), which needs much more work to
clean it up (it contains copies of too much code from all over the
torture suite, and I havn't been able to penetrate its 'structure').
Andrew Bartlett
(This used to be commit 2301a4b38a21aa60917973451687063d83d18d66)
2005-03-24 04:14:06 +00:00
INIT_FUNCTION = gensec_schannel_init
2005-12-26 18:03:50 +00:00
OBJ_FILES = schannel.o \
schannel_sign.o
2007-11-27 02:04:38 +01:00
PRIVATE_DEPENDENCIES = SCHANNELDB NDR_SCHANNEL CREDENTIALS
2006-04-27 19:50:13 +00:00
OUTPUT_TYPE = INTEGRATED
2005-04-25 05:03:50 +00:00
# End MODULE gensec_schannel
r6028: A MAJOR update to intergrate the new credentails system fully with
GENSEC, and to pull SCHANNEL into GENSEC, by making it less 'special'.
GENSEC now no longer has it's own handling of 'set username' etc,
instead it uses cli_credentials calls.
In order to link the credentails code right though Samba, a lot of
interfaces have changed to remove 'username, domain, password'
arguments, and these have been replaced with a single 'struct
cli_credentials'.
In the session setup code, a new parameter 'workgroup' contains the
client/server current workgroup, which seems unrelated to the
authentication exchange (it was being filled in from the auth info).
This allows in particular kerberos to only call back for passwords
when it actually needs to perform the kinit.
The kerberos code has been modified not to use the SPNEGO provided
'principal name' (in the mechListMIC), but to instead use the name the
host was connected to as. This better matches Microsoft behaviour,
is more secure and allows better use of standard kerberos functions.
To achieve this, I made changes to our socket code so that the
hostname (before name resolution) is now recorded on the socket.
In schannel, most of the code from librpc/rpc/dcerpc_schannel.c is now
in libcli/auth/schannel.c, and it looks much more like a standard
GENSEC module. The actual sign/seal code moved to
libcli/auth/schannel_sign.c in a previous commit.
The schannel credentails structure is now merged with the rest of the
credentails, as many of the values (username, workstation, domain)
where already present there. This makes handling this in a generic
manner much easier, as there is no longer a custom entry-point.
The auth_domain module continues to be developed, but is now just as
functional as auth_winbind. The changes here are consequential to the
schannel changes.
The only removed function at this point is the RPC-LOGIN test
(simulating the load of a WinXP login), which needs much more work to
clean it up (it contains copies of too much code from all over the
torture suite, and I havn't been able to penetrate its 'structure').
Andrew Bartlett
(This used to be commit 2301a4b38a21aa60917973451687063d83d18d66)
2005-03-24 04:14:06 +00:00
################################################
2005-03-06 06:37:38 +00:00
################################################
# Start SUBSYSTEM SCHANNELDB
[SUBSYSTEM :: SCHANNELDB ]
2006-03-07 13:36:26 +00:00
PRIVATE_PROTO_HEADER = schannel_state.h
2005-12-26 18:03:50 +00:00
OBJ_FILES = \
2005-10-21 16:29:54 +00:00
schannel_state.o
2007-11-29 16:01:08 +01:00
PRIVATE_DEPENDENCIES = LDB_WRAP
2005-03-06 06:37:38 +00:00
#
# End SUBSYSTEM SCHANNELDB
################################################
r17197: This patch moves the encryption of bulk data on SASL negotiated security
contexts from the application layer into the socket layer.
This improves a number of correctness aspects, as we now allow LDAP
packets to cross multiple SASL packets. It should also make it much
easier to write async LDAP tests from windows clients, as they use SASL
by default. It is also vital to allowing OpenLDAP clients to use GSSAPI
against Samba4, as it negotiates a rather small SASL buffer size.
This patch mirrors the earlier work done to move TLS into the socket
layer.
Unusual in this pstch is the extra read callback argument I take. As
SASL is a layer on top of a socket, it is entirely possible for the
SASL layer to drain a socket dry, but for the caller not to have read
all the decrypted data. This would leave the system without an event
to restart the read (as the socket is dry).
As such, I re-invoke the read handler from a timed callback, which
should trigger on the next running of the event loop. I believe that
the TLS code does require a similar callback.
In trying to understand why this is required, imagine a SASL-encrypted
LDAP packet in the following formation:
+-----------------+---------------------+
| SASL Packet #1 | SASL Packet #2 |
----------------------------------------+
| LDAP Packet #1 | LDAP Packet #2 |
----------------------------------------+
In the old code, this was illegal, but it is perfectly standard
SASL-encrypted LDAP. Without the callback, we would read and process
the first LDAP packet, and the SASL code would have read the second SASL
packet (to decrypt enough data for the LDAP packet), and no data would
remain on the socket.
Without data on the socket, read events stop. That is why I add timed
events, until the SASL buffer is drained.
Another approach would be to add a hack to the event system, to have it
pretend there remained data to read off the network (but that is ugly).
In improving the code, to handle more real-world cases, I've been able
to remove almost all the special-cases in the testnonblock code. The
only special case is that we must use a deterministic partial packet
when calling send, rather than a random length. (1 + n/2). This is
needed because of the way the SASL and TLS code works, and the 'resend
on failure' requirements.
Andrew Bartlett
(This used to be commit 5d7c9c12cb2b39673172a357092b80cd814850b0)
2006-07-23 02:50:08 +00:00
################################################
# Start SUBSYSTEM GENSEC_SOCKET
[SUBSYSTEM :: GENSEC_SOCKET ]
OBJ_FILES = \
socket.o
2006-10-29 17:40:19 +00:00
PUBLIC_DEPENDENCIES = samba-socket LIBPACKET
r17197: This patch moves the encryption of bulk data on SASL negotiated security
contexts from the application layer into the socket layer.
This improves a number of correctness aspects, as we now allow LDAP
packets to cross multiple SASL packets. It should also make it much
easier to write async LDAP tests from windows clients, as they use SASL
by default. It is also vital to allowing OpenLDAP clients to use GSSAPI
against Samba4, as it negotiates a rather small SASL buffer size.
This patch mirrors the earlier work done to move TLS into the socket
layer.
Unusual in this pstch is the extra read callback argument I take. As
SASL is a layer on top of a socket, it is entirely possible for the
SASL layer to drain a socket dry, but for the caller not to have read
all the decrypted data. This would leave the system without an event
to restart the read (as the socket is dry).
As such, I re-invoke the read handler from a timed callback, which
should trigger on the next running of the event loop. I believe that
the TLS code does require a similar callback.
In trying to understand why this is required, imagine a SASL-encrypted
LDAP packet in the following formation:
+-----------------+---------------------+
| SASL Packet #1 | SASL Packet #2 |
----------------------------------------+
| LDAP Packet #1 | LDAP Packet #2 |
----------------------------------------+
In the old code, this was illegal, but it is perfectly standard
SASL-encrypted LDAP. Without the callback, we would read and process
the first LDAP packet, and the SASL code would have read the second SASL
packet (to decrypt enough data for the LDAP packet), and no data would
remain on the socket.
Without data on the socket, read events stop. That is why I add timed
events, until the SASL buffer is drained.
Another approach would be to add a hack to the event system, to have it
pretend there remained data to read off the network (but that is ugly).
In improving the code, to handle more real-world cases, I've been able
to remove almost all the special-cases in the testnonblock code. The
only special case is that we must use a deterministic partial packet
when calling send, rather than a random length. (1 + n/2). This is
needed because of the way the SASL and TLS code works, and the 'resend
on failure' requirements.
Andrew Bartlett
(This used to be commit 5d7c9c12cb2b39673172a357092b80cd814850b0)
2006-07-23 02:50:08 +00:00
#PUBLIC_DEPENDENCIES = gensec
#
# End SUBSYSTEM GENSEC_SOCKET
################################################
