1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-24 21:34:56 +03:00
Commit Graph

88 Commits

Author SHA1 Message Date
Stefan Metzmacher
1433501822 s3:libsmb: remove unused functions in clispnego.c
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-03-10 06:52:30 +01:00
Volker Lendecke
024c619fa8 spnego: Correctly check asn1_tag_remaining retval
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
2016-02-03 15:04:11 +01:00
Stefan Metzmacher
14f1a94b6f s3:clispnego: fix confusing warning in spnego_gen_krb5_wrap()
asn1_extract_blob() stops further asn1 processing by setting has_error.

Don't call asn1_has_error() after asn1_extract_blob() has been successful
otherwise we get an "Failed to build krb5 wrapper at" message
on success.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11702

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
2016-02-01 09:53:09 +01:00
Jeremy Allison
8108f0d320 s3: smbclient: asn1_extract_blob() stops further asn1 processing by setting has_error.
Don't call asn1_has_error() after asn1_extract_blob() has been successful
otherwise we get an "Failed to build negTokenInit at offset" message
on success.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>

Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Thu Jan  7 16:00:02 CET 2016 on sn-devel-144
2016-01-07 16:00:02 +01:00
Volker Lendecke
b7f0e29fd2 lib: Use asn1_current_ofs()
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-01-06 00:54:18 +01:00
Volker Lendecke
a93946b2fe lib: Use asn1_extract_blob()
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-01-06 00:54:18 +01:00
Volker Lendecke
8cfb6a3139 lib: Use asn1_set_error()
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-01-06 00:54:18 +01:00
Volker Lendecke
57a0bc9a9f lib: Use asn1_has_error()
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-01-06 00:54:18 +01:00
Richard Sharpe
2224796fc3 Change all uses of uint32/16/8 in proto.h to uint32_t/16_t/8_t.
Signed-off-by: Richard Sharpe <rsharpe@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2015-04-29 23:42:20 +02:00
Jeremy Allison
a713623212 s3: libsmb: Ensure all asn1_XX returns are checked.
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ronnie Sahlberg <ronniesahlberg@gmail.com>
2014-09-26 00:51:16 +02:00
Jeremy Allison
83f60672e1 Fix bug #9213 - Bad ASN.1 NegTokenInit packet can cause invalid free.
Not the correct fix for the specific issue, but a general fix to
make sure this can never happen again.

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Wed Sep 26 04:07:57 CEST 2012 on sn-devel-104
2012-09-26 04:07:57 +02:00
Simo Sorce
893b213876 Avoid overriding default ccache for ads operations.
Avoid overriding default ccache for ads operations.

Nowadays various samba components may need to use GSSAPI and a default cred
cache to perform their tasks.
This code was completely overriding the whole process default ccache name, thus
altering the current credentials and sometimes hijacking them (or getting
preemptively hijaked).

By using gss_krb5_import_cred we can instead use a private ccache (necessary
sometimes to use a different set of credentials fromt he default
cifs/fqdn@realm one, for example when contacting foreign DCs using trust
credentials) that does not affect the rest of the process.

For the kerberos versions which don't have gss_krb5_import_cred
we fallback to temp override of KRB5CCNAME and gss_acquire_cred.

Signed-off-by: Alexander Bokovoy <ab@samba.org>
Signed-off-by: Günther Deschner <gd@samba.org>

Autobuild-User(master): Alexander Bokovoy <ab@samba.org>
Autobuild-Date(master): Wed Sep 12 21:18:09 CEST 2012 on sn-devel-104
2012-09-12 21:18:09 +02:00
Andrew Bartlett
4e3e323080 s3-libsmb: Remove unused spnego_parse_krb5_wrap()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-04-03 17:47:32 +02:00
Andrew Bartlett
f1452a2964 s3-libsmb: Initialise ticket to ensure we do not invalid memory
The free is however a talloc_free(), which has additional protection against
freeing the wrong thing.

Andrew Bartlett

Signed-off-by: Jeremy Allison <jra@samba.org>

Autobuild-User: Jeremy Allison <jra@samba.org>
Autobuild-Date: Fri Mar  2 01:45:19 CET 2012 on sn-devel-104
2012-03-02 01:45:19 +01:00
Andrew Bartlett
cab24da68d s3-libsmb: Remove unused spnego_parse_auth_and_mic 2012-02-24 15:43:03 +11:00
Andrew Bartlett
bea05159e4 s3-libsmb: Remove unused spnego functions 2012-02-23 16:14:19 +11:00
Jeremy Allison
ad3ac7e3c0 Try and fix bug #8472 - Crash in asn.1 parsing code.
Found by Codenomicon at the SNIA plugfest. Don't keep going
in the loop when reading the OIDs fail.

Autobuild-User: Jeremy Allison <jra@samba.org>
Autobuild-Date: Wed Sep 21 05:24:59 CEST 2011 on sn-devel-104
2011-09-21 05:24:59 +02:00
Günther Deschner
3aa9d3005a s3-build: only include asn1 headers where actually needed.
Guenther
2011-03-16 23:46:18 +01:00
Matthias Dieter Wallnöfer
13fa6743d8 s3/s4:auth SPNEGO - adaptions for the removed "const" from OIDs
This is needed in order to suppress warnings.
2010-12-21 15:10:37 +11:00
Simo Sorce
4cdee9b0ed s3-dcerpc: add spnego server helpers
squashed: add michlistMIC signature checks

Signed-off-by: Günther Deschner <gd@samba.org>
2010-09-23 10:54:23 -07:00
Simo Sorce
26f1218a36 s3-libsmb: Use data_blob_talloc to get krb5 ticket and session keys 2010-07-20 20:02:09 -04:00
Jeremy Allison
5002b3a90d Add approriate TALLOC_CTX's thoughout the spnego code. No more implicit NULL contexts.
Jeremy.
2010-07-20 16:17:58 -07:00
Jeremy Allison
cce19c5162 Fix one more data_blob -> data_blob_talloc. Move away from implicit NULL context tallocs.
Jeremy.
2010-07-20 14:59:31 -07:00
Jeremy Allison
4ed9437b7e Add TALLOC_CTX argument to spnego_parse_negTokenInit, reduce
use of malloc, and data_blob().

Jeremy.
2010-07-20 13:35:43 -07:00
Jeremy Allison
7d17bfcf51 Rename spnego_gen_negTokenTarg() -> spnego_gen_krb5_negTokenInit()
as this correctly describes what this function does.

Jeremy.
2010-07-20 11:14:49 -07:00
Jeremy Allison
8a882b645c Remove gen_negTokenTarg(), as it's not actually creating a TokenTarg frame, but a TokenInit one.
Move to using spnego_gen_negTokenInit() instead.

Jeremy
2010-07-20 11:04:19 -07:00
Jeremy Allison
668744964d Fixes pointed out by <david.kondrad@legrand.us>. Free memory if not being
returned to caller. Remove unneeded asn1_tag_remaining() calls.

Jeremy.
2010-07-20 09:51:48 -07:00
Jeremy Allison
0bb8d133c9 Remove gen_negTokenInit() - change all callers to spnego_gen_negTokenInit().
We now have one function to do this in all calling code. More rationalization
to follow.

Jeremy.
2010-07-19 17:14:26 -07:00
Jeremy Allison
8cba4a0c96 Move the addition of the 16 byte guid out of spnego_gen_negTokenInit() and
into negprot_spnego() where it belongs (it's not an SPNEGO operation).
Add a TALLOC_CTX for callers of negprot_spnego(). Closer to unifying all
the gen_negTokenXXX calls.

Jeremy.
2010-07-19 16:45:16 -07:00
Jeremy Allison
625a511389 Remove parse_negTokenTarg(), as it's actually incorrect. We're processing
negTokenInit's here. Use common code in spnego_parse_negTokenInit().

Jeremy.
2010-07-19 15:41:45 -07:00
Jeremy Allison
962951e63d Fix [Bug 7577] SPNEGO auth fails when contacting Win7 system using Microsoft Live Sign-in Assistant
Based on code from <david.kondrad@legrand.us>. Cope with every NegTokenInit ::= SEQUENCE value.
Jeremy.
2010-07-19 14:21:01 -07:00
Günther Deschner
04f8c229de s3-kerberos: only use krb5 headers where required.
This seems to be the only way to deal with mixed heimdal/MIT setups during
merged build.

Guenther
2009-11-27 16:36:00 +01:00
Günther Deschner
60bf0eb607 s3-kerberos: modify cli_krb5_get_ticket to take a new impersonate_princ_s arg.
Guenther
2009-11-06 13:31:17 +01:00
Günther Deschner
ef194bc692 s3-spnego: fix memleak in spnego_parse_auth().
Guenther
2009-10-15 15:45:20 +02:00
Günther Deschner
449ab398f5 s3-spnego: Fix Bug #6815. Windows 2008 R2 SPNEGO negTokenTarg parsing failure.
When parsing a SPNEGO session setup retry (falling back from KRB5 to NTLMSSP),
we failed to parse the ASN1_ENUMERATED negResult in the negTokenTarg, thus
failing spnego_parse_auth() completely.

By just using the shared spnego/asn1 code, we get the parsing the correct way.

Guenther
2009-10-15 14:41:22 +02:00
Günther Deschner
503d035814 spnego: share spnego_parse.
Guenther
2009-09-17 01:12:20 +02:00
Kouhei Sutou
7fc94932ad Rename ASN1_BITFIELD to ASN1_BIT_STRING.
X.690 uses "BIT STRING" not "BIT FIELD".
2009-08-11 12:59:14 +02:00
Jeremy Allison
5f295eb6f5 More conversions of NULL -> talloc_autofree_context()
so we at least know when we're using a long-lived context.
Jeremy.
2009-07-16 18:28:58 -07:00
Günther Deschner
d115c4587f s3-build: fix some const build warnings.
Guenther
2008-10-23 01:43:41 +02:00
Günther Deschner
c0cf457c85 s3-asn1: make all of s3 asn1 code do a proper asn1_init() first.
Guenther
2008-10-22 21:37:36 +02:00
Günther Deschner
d9f1fff5b3 s3: use shared asn1 code.
Guenther
2008-10-22 21:37:36 +02:00
Bill Ricker
f700ee6418 Fix Kerberos interop with Mac OS X 10.5 clients.
Ignore optional req_flags. Use the Kerberos mechanism OID negotiated
with the client rather than hardcoding OID_KERBEROS5_OLD.
(This used to be commit 59a2bcf30f)
2008-04-07 15:05:51 -07:00
Jeremy Allison
39e0dbcf07 Allow the mechOID to be written separately.
Jeremy.
(This used to be commit e3e08c6e7d)
2008-02-14 11:29:54 -08:00
Jeremy Allison
30191d1a57 RIP BOOL. Convert BOOL -> bool. I found a few interesting
bugs in various places whilst doing this (places that assumed
BOOL == int). I also need to fix the Samba4 pidl generation
(next checkin).
Jeremy.
(This used to be commit f35a266b3c)
2007-10-18 17:40:25 -07:00
Gerald Carter
5221ebb299 r25407: Revert Longhorn join patch as it is not correct for the 3.2 tree.
The translate_name() used by cli_session_setup_spnego() cann rely
Winbindd since it is needed by the join process (and hence before
Winbind can be run).
(This used to be commit 00a93ed336)
2007-10-10 12:31:03 -05:00
Gerald Carter
3529156971 r25400: Windows 2008 (Longhorn) Interop fixes for AD specific auth2 flags,
and client fixes.  Patch from Todd Stetcher <todd.stetcher@isilon.com>.
(This used to be commit 8304ccba73)
2007-10-10 12:31:02 -05:00
Stefan Metzmacher
42349190b7 r25227: Patch from "Steven Danneman" <steven.danneman@isilon.com>:
-
We ran across a bug joining our Samba server to a Win2K domain with LDAP
signing turned on.  Upon investigation I discovered that there is a bug
in Win2K server which returns a duplicated responseToken in the LDAP
bindResponse packet.  This blob is placed in the optional mechListMIC
field which is unsupported in both Win2K and Win2K3.  You can see RFC
2478 for the proper packet construction.  I've worked with metze on this
to confirm all these finding.

This patch properly parses then discards the mechListMIC field if it
exists in the packet, so we don't produce a malformed packet error,
causing LDAP signed joins to fail.  Also attached is a sniff of the
domain join, exposing Win2Ks bad behavior (packet 21).
-

(I've just changed the scope of the DATA_BLOB mechList)

metze
(This used to be commit 200b5bfb81)
2007-10-10 12:30:52 -05:00
Andrew Tridgell
5e54558c6d r23784: use the GPLv3 boilerplate as recommended by the FSF and the license text
(This used to be commit b0132e94fc)
2007-10-10 12:28:22 -05:00
Jeremy Allison
d824b98f80 r23779: Change from v2 or later to v3 or later.
Jeremy.
(This used to be commit 407e6e695b)
2007-10-10 12:28:20 -05:00
Volker Lendecke
b4a7b7a888 r22844: Introduce const DATA_BLOB data_blob_null = { NULL, 0, NULL }; and
replace all data_blob(NULL, 0) calls.
(This used to be commit 3d3d61687e)
2007-10-10 12:22:01 -05:00