mirror of https://github.com/samba-team/samba.git synced 2024-12-24 21:34:56 +03:00
Commit Graph

49 Commits

Author SHA1 Message Date
Stefan Metzmacher
c64e6e0a0f s4:ntlmssp: inline ntlmssp_weakend_keys()
metze

Signed-off-by: Günther Deschner <gd@samba.org>
2010-03-24 17:34:52 +01:00
Stefan Metzmacher
d3e7266676 s4:ntlmssp: rename gensec_ntlmssp_state => ntlmssp_state
Inspired by the NTLMSSP merge work by Andrew Bartlett.

metze

Signed-off-by: Günther Deschner <gd@samba.org>
2010-03-24 17:34:51 +01:00
Stefan Metzmacher
ee240799b6 s4:ntlmssp: keep struct gensec_ntlmssp_context in gensec_security->private_data
Inspired by the NTLMSSP merge work by Andrew Bartlett.

metze

Signed-off-by: Günther Deschner <gd@samba.org>
2010-03-24 17:34:50 +01:00
Stefan Metzmacher
a0522a5b26 s4:ntlmssp: remove gensec_security from (gensec_)ntlmssp_state
Inspired by the NTLMSSP merge work by Andrew Bartlett.

metze

Signed-off-by: Günther Deschner <gd@samba.org>
2010-03-24 17:34:50 +01:00
Stefan Metzmacher
83cc137d5e s4:ntlmssp: create a gensec_ntlmssp_context between gensec_security and ntlmssp_state
Inspired by the NTLMSSP merge work by Andrew Bartlett.

metze

Signed-off-by: Günther Deschner <gd@samba.org>
2010-03-24 17:34:49 +01:00
Andrew Tridgell
f8109b0f49 s4: ran minimal_includes.pl on source4/auth/ntlmssp 2009-10-20 16:05:07 +11:00
Günther Deschner
e8c19f31b3 s4-ntlmssp: use NTLMSSP headers from IDL and remove duplicate constants.
Guenther
2009-08-28 10:09:06 +02:00
Andrew Bartlett
7a54cd041e Remove unused headers 2009-04-19 22:01:09 +02:00
Andrew Bartlett
dbcd80ed01 Fix Samba4 build errors with common libcli/samsync 2009-04-16 10:17:17 +10:00
Andrew Bartlett
71632a1697 Remove auth/ntlm as a dependency of GENSEC by means of function pointers.
When starting GENSEC on the server, the auth subsystem context must be
passed in, which now includes function pointers to the key elements.

This should (when the other dependencies are fixed up) allow GENSEC to
exist as a client or server library without bundling in too much of
our server code.

Andrew Bartlett
2009-02-13 10:24:16 +11:00
Jelmer Vernooij
3a6b88f9f9 Remove unused argument iconv_convenience. 2008-11-01 20:58:41 +01:00
Stefan Metzmacher
23e31350f5 ntlmssp: only give away the session key, when the authentication is done
metze
2008-09-23 11:30:01 +02:00
Andrew Bartlett
714b3a87d2 Fix the build after the auth/ -> auth/ntlm/ rename
I need to fix up the header inclusion, but this fixes things for now.

Andrew Bartlett
(This used to be commit 7c07edb24b)
2008-05-05 19:28:38 +10:00
Jelmer Vernooij
afe3e8172d Install public header files again and include required prototypes.
(This used to be commit 47ffbbf674)
2008-04-02 04:53:27 +02:00
Jelmer Vernooij
39a6495c86 Make more module init functions public, since they are compiled with -fvisibility=hidden. Not doing this causes failures on Mac OS X.
(This used to be commit da1a9438bd)
2008-02-20 19:40:20 +01:00
Jelmer Vernooij
6f79af9d13 r26652: msrpc_parse/msrpc_gen: Add iconv_convenience argument.
(This used to be commit e886f1bc0d)
2008-01-03 12:33:36 -06:00
Jelmer Vernooij
7f0e8252e7 r26379: Remove more global_loadparm instances.
(This used to be commit b6f66eb5e0)
2007-12-21 05:49:13 +01:00
Jelmer Vernooij
3b281c3081 r26222: Avoid global_loadparm in a couple more places.
(This used to be commit 5bd053a570)
2007-12-21 05:46:58 +01:00
Jelmer Vernooij
3642f3b40d r25552: Convert to standard bool type.
(This used to be commit b8d6b82f12)
2007-10-10 15:07:54 -05:00
Jelmer Vernooij
cd962355ab r25000: Fix some more C++ compatibility warnings.
(This used to be commit 08bb1ef643)
2007-10-10 15:05:27 -05:00
Andrew Tridgell
0479a2f1cb r23792: convert Samba4 to GPLv3
There are still a few tidyups of old FSF addresses to come (in both s3
and s4). More commits soon.
(This used to be commit fcf38a38ac)
2007-10-10 14:59:12 -05:00
Andrew Bartlett
84c5acc615 r19805: Add the (harmless, but apparently default)
NTLMSSP_NEGOTIATE_ALWAYS_SIGN flags into the default set.

Andrew Bartlett
(This used to be commit 04709c75af)
2007-10-10 14:28:21 -05:00
Andrew Bartlett
13dbee3ffe r19598: Ahead of a merge to current lorikeet-heimdal:
Break up auth/auth.h not to include the world.

Add credentials_krb5.h with the kerberos dependent prototypes.

Andrew Bartlett
(This used to be commit 2b569c42e0)
2007-10-10 14:25:00 -05:00
Andrew Tridgell
217998018f r18258: need to use .priority not .order here
(This used to be commit a47d65fe17)
2007-10-10 14:17:57 -05:00
Andrew Bartlett
c062b12fba r18250: Add an ordering of GENSEC modules, so we do preferred modules first.
Andrew Bartlett
(This used to be commit 0afb4d1992)
2007-10-10 14:17:55 -05:00
Stefan Metzmacher
4fe4093643 r17285: some reformatting
metze
(This used to be commit c865aea260)
2007-10-10 14:15:06 -05:00
Stefan Metzmacher
622d1db80a r17284: move the input checking stuff from ntlmssp_update() into its
own function.

metze
(This used to be commit ee81ad5793)
2007-10-10 14:15:06 -05:00
Andrew Bartlett
51de50de29 r16961: Merge 'separate policy from logic' changes from Samba3. The 56-bit
flag is handled just like all the others.

Also negotiate the unknown 0x02000000 flag, to match Windows.

Andrew Bartlett
(This used to be commit 1d0befdb68)
2007-10-10 14:10:03 -05:00
Jelmer Vernooij
c07125d133 r14952: Make sure the auth subsystem gets initialized if a gensec module needs it.
(This used to be commit ecf84248b4)
2007-10-10 14:00:22 -05:00
Jelmer Vernooij
35349a58df r14542: Remove librpc, libndr and libnbt from includes.h
(This used to be commit 51b4270513)
2007-10-10 13:58:42 -05:00
Stefan Metzmacher
7d8424ede2 r14064: - split out MSRPC_PARSE into a separate subsystem
- build gensec_ntlmssp always static for now, because torture/auth/ntlmssp.c
  needs to access functions from it

metze
(This used to be commit 43733c9556)
2007-10-10 13:52:39 -05:00
Andrew Bartlett
e7630ebe47 r13472: After Volker's advice, try every combination of parameters. This
isn't every parameter on NTLMSSP, but it is most of the important
ones.

This showed up that we had the '128bit && LM_KEY' case messed up.
This isn't supported, so we must look instead at the 56 bit flag.

Andrew Bartlett
(This used to be commit 990da31b5f)
2007-10-10 13:51:54 -05:00
Andrew Bartlett
e218c8442d r13470: Thanks to a report from VL:
We were causing mayhem by weakening the keys at the wrong point in time.

I think this is the correct place to do it.  The session key for SMB
signing, and the 'smb session key' (used for encrypting password sets)
is never weakened.

The session key used for bulk data encryption/signing is weakened.

This also makes more sense, when we look at the NTLM2 code.

Andrew Bartlett
(This used to be commit 3fd32a1209)
2007-10-10 13:51:54 -05:00
Andrew Bartlett
ae51cc9bec r12927: Fix typo.
(This used to be commit 01e98966ca)
2007-10-10 13:51:07 -05:00
Andrew Bartlett
8e42a0c63c r12919: Ensure we never 'extend' the session key length, or fill in past the
length of the (possibly null) pointer.

In reality this should come to us either 16 or 0 bytes in length, but
this is the safest test.

This is bug 3401 in Samba3, thanks to Yau Lam Yiu <yiuext at cs.ust.hk>

Andrew Bartlett
(This used to be commit f3aa702944)
2007-10-10 13:51:03 -05:00
Stefan Metzmacher
35dffd9a10 r12795: remember the gensec_security context
metze
(This used to be commit ec1a7b5cef)
2007-10-10 13:49:56 -05:00
Jelmer Vernooij
d4de4c2d21 r12608: Remove some unused #include lines.
(This used to be commit 70e7449318)
2007-10-10 13:49:03 -05:00
Andrew Bartlett
ba90b652d9 r9505: Work on GENSEC and the code that calls it, for tighter interface
requirements, and for better error reporting.

In particular, the composite session setup (extended security/SPNEGO)
code now returns errors, rather than NT_STATUS_NO_MEMORY.  This is
seen particularly when GENSEC fails to start.

The tighter interface rules apply to NTLMSSP, which must be called
exactly the right number of times.  This is to match some of our other
less-tested modules, where adding flexibility is harder.  (and this is
security code, so let's just get it right).  As such, the DCE/RPC and
LDAP clients have been updated.

Andrew Bartlett
(This used to be commit 134550cf75)
2007-10-10 13:34:24 -05:00
Andrew Bartlett
7e36c7e607 r9416: Cleanups inspired by jra's work to migrate Samba4's NTLMSSP code back
into Samba3.

The NTLMSSP sign/seal code now assumes that GENSEC has already checked
to see if SIGN or SEAL should be permitted.  This simplifies the code and
ensures that no matter what the mech, the correct code paths have been
set in place.

Also remove duplication caused by the NTLMv2 code's history, and
document why some of the things are a bit funny.

In SPNEGO, create a new routine to handle the negTokenInit creation.
We no longer send an OID for a mech we can't start (like kerberos on
the server without a valid trust account).

Andrew Bartlett
(This used to be commit fe45ef608f)
2007-10-10 13:33:36 -05:00
Andrew Bartlett
8e11003e21 r9411: Ensure we don't send a challenge without first getting a negotiate in
NTLMSSP, unless we are in datagram mode (not fully implemented yet).

Andrew Bartlett
(This used to be commit 727f510942)
2007-10-10 13:33:35 -05:00
Andrew Bartlett
8a68f96f8c r7827: Add in-memory keytab to Samba4, using the new MEMORY_WILDCARD keytab
support in Heimdal.

This removes the 'ext_keytab' step from my Samba4/WinXP client howto.

In doing this work, I realised that the replay cache in Heimdal is
currently a no-op, so I have removed the calls to it, and therefore
the mutex calls from passdb/secrets.c.

This patch also includes a replacement 'magic' mechanism detection,
that does not issue extra error messages from deep inside the GSSAPI
code.

Andrew Bartlett
(This used to be commit c19d5706f4)
2007-10-10 13:18:41 -05:00
Stefan Metzmacher
33bbe2b9e1 r7536: doesn't spam the smbd_log in the build_farm...
metze
(This used to be commit 9f4ed54c58)
2007-10-10 13:18:07 -05:00
Andrew Bartlett
5c6dd5e800 r6800: A big GENSEC update:
Finally remove the distinction between 'krb5' and 'ms_krb5'.  We now
don't do kerberos stuff twice on failure.  The solution to this is
slightly more general than perhaps was really required (as this is a
special case), but it works, and I'm happy with the cleanup I achieved
in the process.  All modules have been updated to supply a
NULL-terminated list of OIDs.

In that process, SPNEGO code has been generalised, as I realised that
two of the functions should have been identical in behaviour.

Over in the actual modules, I have worked to remove the 'kinit' code
from gensec_krb5, and placed it in kerberos/kerberos_util.c.

The GSSAPI module has been extended to use this, so no longer requires
a manual kinit at the command line.  It will soon lose the
requirement for an on-disk keytab too.

The general kerberos code has also been updated to move from
error_message() to our routine which gets the Heimdal error string
(which may be much more useful) when available.

Andrew Bartlett
(This used to be commit 0101728d8e)
2007-10-10 13:16:45 -05:00
Stefan Metzmacher
fa24196d0d r6705: let the gensec module decide if messages can be signed and sealed in a different
order than a strict request - reply sequence

Note: we should also fix the client code...

metze
(This used to be commit 0a61d1f651)
2007-10-10 13:16:36 -05:00
Andrew Bartlett
9c0647ddca r6465: Use talloc_zero for the gensec_ntlmssp_state structure, as the history
of this code has too many pre-zeroed structure assumptions.

Remove unused 'stub' functions

Andrew Bartlett
(This used to be commit 78dc57c655)
2007-10-10 13:11:39 -05:00
Andrew Bartlett
8b0e09e24f r6464: Remove the last of the Samba3 NTLMSSP API. This removes the redundant
struct ntlmssp_state, and pushes all the member elements into struct
gensec_ntlmssp_state.

This also removes the 2-layer start function, caused by the previous
double abstraction layer.

Andrew Bartlett
(This used to be commit eebbb4205b)
2007-10-10 13:11:39 -05:00
Andrew Bartlett
0501a440be r6462: Move the arcfour sbox state into its own structure, and allocate it
with talloc() for the NTLMSSP system.

Andrew Bartlett
(This used to be commit 7a93ac49c2)
2007-10-10 13:11:39 -05:00
Andrew Bartlett
874cd2db86 r6460: Push the client credentials into NTLMSSP, allowing logins of the form
user@REALM for the first time.

Fix the build for smbencrypt.c

Andrew Bartlett
(This used to be commit 5a6a57cd93)
2007-10-10 13:11:39 -05:00
Andrew Bartlett
3045ecfa1d r6458: Split up NTLMSSP into a new directory, and into separate files for the
client and server logic code.  In future, this may allow us to build
only the NTLMSSP client, and not the server, but in the short-term, it
allows me greater sanity in moving around these files.

Andrew Bartlett
(This used to be commit 2f22841c67)
2007-10-10 13:11:38 -05:00