1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-27 03:21:53 +03:00
Commit Graph

16 Commits

Author SHA1 Message Date
Simo Sorce
c84caabf8c s4:misc: remove last usage of legacy event_ fn names
Autobuild-User: Simo Sorce <idra@samba.org>
Autobuild-Date: Sun Aug 14 00:38:13 CEST 2011 on sn-devel-104
2011-08-14 00:38:13 +02:00
Andrew Bartlett
d69843c908 s3-ntlmssp Add hooks to optionally call into GENSEC in auth_ntlmssp
This allows the current behaviour of the NTLMSSP code to be unchanged
while adding a way to hook in an alternate implementation via an auth
module.

Andrew Bartlett

Signed-off-by: Andrew Tridgell <tridge@samba.org>
2011-08-03 18:48:03 +10:00
Andrew Tridgell
bf1f2d4eb8 s4-gensec: prevent a double free in the error path of GSSAPI auth
the caller frees mem_ctx, so we shouldn't

Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-09-23 07:17:57 +00:00
Stefan Metzmacher
e7454d46d4 s4:auth/gensec: s/private/private_data
metze
2009-02-02 13:08:04 +01:00
Stefan Metzmacher
183c379fe5 s4:lib/tevent: rename structs
list=""
list="$list event_context:tevent_context"
list="$list fd_event:tevent_fd"
list="$list timed_event:tevent_timer"

for s in $list; do
	o=`echo $s | cut -d ':' -f1`
	n=`echo $s | cut -d ':' -f2`
	r=`git grep "struct $o" |cut -d ':' -f1 |sort -u`
	files=`echo "$r" | grep -v source3 | grep -v nsswitch | grep -v packaging4`
	for f in $files; do
		cat $f | sed -e "s/struct $o/struct $n/g" > $f.tmp
		mv $f.tmp $f
	done
done

metze
2008-12-29 20:46:40 +01:00
Simo Sorce
83b0c5d43f Fix nasty bug that would come up only if a client connection to a remote
ldap server suddenly dies.
We were creating a wrong talloc hierarchy, so the event.fde was not
freed automatically as expected. This in turn made the event system call
the ldap io handlers with a null packet structure, causing a segfault.
Fix also the ordering in ldap_connection_dead()
Thanks to Metze for the huge help in tracking down this one.
2008-09-24 01:43:57 -04:00
Jelmer Vernooij
afe3e8172d Install public header files again and include required prototypes.
(This used to be commit 47ffbbf674)
2008-04-02 04:53:27 +02:00
Jelmer Vernooij
3642f3b40d r25552: Convert to standard bool type.
(This used to be commit b8d6b82f12)
2007-10-10 15:07:54 -05:00
Jelmer Vernooij
0b91f39164 r24780: More work allowing libutil to be used by external users.
(This used to be commit 31993cf67b)
2007-10-10 15:03:10 -05:00
Andrew Tridgell
0479a2f1cb r23792: convert Samba4 to GPLv3
There are still a few tidyups of old FSF addresses to come (in both s3
and s4). More commits soon.
(This used to be commit fcf38a38ac)
2007-10-10 14:59:12 -05:00
Jelmer Vernooij
4fa24df98d r19507: Merge my DSO fixes branch. Building Samba's libraries as shared libraries
works again now, by specifying --enable-dso to configure.
(This used to be commit 7a01235067)
2007-10-10 14:24:41 -05:00
Andrew Tridgell
30ee8beb93 r18301: I discovered how to load the warnings from a build farm build into
emacs compile mode (hint, paste to a file, and compile as "cat
filename").

This allowed me to fix nearly all the warnings for a IA_64 SuSE build
very quickly.
(This used to be commit eba6c84eff)
2007-10-10 14:18:04 -05:00
Andrew Tridgell
dfd4c8e84d r18295: pass write type for packet_size
this fixes a crash on IA_64 systems
(This used to be commit 22c3902762)
2007-10-10 14:18:03 -05:00
Andrew Bartlett
c3b54cf75b r18068: This splits the handling of multiple SASL packets between the GENSEC
backend (if it chooses to implement it), or the GENSEC socket code.

This is to allow us to handle DIGEST-MD5 across to cyrus-sasl.

Andrew Bartlett
(This used to be commit 0a098006b4)
2007-10-10 14:17:11 -05:00
Andrew Bartlett
9d6f276717 r17222: Change the function prototypes for the GENSEc and TLS socket creation
routines to return an NTSTATUS.  This should help track down errors.

Use a bit of talloc_steal and talloc_unlink to get the real socket to
be a child of the GENSEC or TLS socket.

Always return a new socket, even for the 'pass-though' case.

Andrew Bartlett
(This used to be commit 003e2ab93c)
2007-10-10 14:10:20 -05:00
Andrew Bartlett
ba07fa43d0 r17197: This patch moves the encryption of bulk data on SASL negotiated security
contexts from the application layer into the socket layer.

This improves a number of correctness aspects, as we now allow LDAP
packets to cross multiple SASL packets.  It should also make it much
easier to write async LDAP tests from windows clients, as they use SASL
by default.  It is also vital to allowing OpenLDAP clients to use GSSAPI
against Samba4, as it negotiates a rather small SASL buffer size.

This patch mirrors the earlier work done to move TLS into the socket
layer.

Unusual in this pstch is the extra read callback argument I take.  As
SASL is a layer on top of a socket, it is entirely possible for the
SASL layer to drain a socket dry, but for the caller not to have read
all the decrypted data.  This would leave the system without an event
to restart the read (as the socket is dry).

As such, I re-invoke the read handler from a timed callback, which
should trigger on the next running of the event loop.  I believe that
the TLS code does require a similar callback.

In trying to understand why this is required, imagine a SASL-encrypted
LDAP packet in the following formation:

+-----------------+---------------------+
| SASL  Packet #1 | SASL Packet #2      |
----------------------------------------+
| LDAP Packet #1       | LDAP Packet #2 |
----------------------------------------+

In the old code, this was illegal, but it is perfectly standard
SASL-encrypted LDAP.  Without the callback, we would read and process
the first LDAP packet, and the SASL code would have read the second SASL
packet (to decrypt enough data for the LDAP packet), and no data would
remain on the socket.

Without data on the socket, read events stop.  That is why I add timed
events, until the SASL buffer is drained.

Another approach would be to add a hack to the event system, to have it
pretend there remained data to read off the network (but that is ugly).

In improving the code, to handle more real-world cases, I've been able
to remove almost all the special-cases in the testnonblock code.  The
only special case is that we must use a deterministic partial packet
when calling send, rather than a random length.  (1 + n/2).  This is
needed because of the way the SASL and TLS code works, and the 'resend
on failure' requirements.

Andrew Bartlett
(This used to be commit 5d7c9c12cb)
2007-10-10 14:10:18 -05:00