1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-23 17:34:34 +03:00
Commit Graph

35 Commits

Author SHA1 Message Date
Stefan Metzmacher
31a92744bf auth/gensec: only include "librpc/gen_ndr/dcerpc.h"
We only need some DCERPC_ defines.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
2014-02-13 11:54:13 +01:00
Günther Deschner
4f979525e4 gensec: check for NULL gensec_security in gensec_security_by_auth_type().
We have equivalent checks in other gensec_security_by_X calls already.

Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Pair-Programmed-With: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2013-09-19 11:09:06 +02:00
Günther Deschner
d433ad077f gensec: remove duplicate gensec_security_by_authtype() call.
We should use the equivalent gensec_security_by_auth_type() call which is
exposed in the public header.

Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Pair-Programmed-With: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2013-09-19 11:08:56 +02:00
Andrew Bartlett
3f464ca1f5 auth/credentials: Add cli_credentials_{set,get}_forced_sasl_mech()
This will allow us to force the use of only DIGEST-MD5, for example, which is useful
to avoid hitting GSSAPI, SPNEGO or NTLM when talking to OpenLDAP and Cyrus-SASL.

Andrew Bartlett

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Nadezhda Ivanova <nivanova@symas.com>
2013-09-16 14:44:28 -07:00
Stefan Metzmacher
966faef9c6 auth/gensec: treat struct gensec_security_ops as const if possible.
Signed-off-by: Stefan Metzmacher <metze@samba.org>

Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-08-10 09:19:04 +02:00
Stefan Metzmacher
c81b6f7448 auth/gensec: use 'const char * const *' for function parameters
Signed-off-by: Stefan Metzmacher <metze@samba.org>

Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-08-10 09:19:04 +02:00
Stefan Metzmacher
6a7a44db59 auth/gensec: avoid talloc_reference in gensec_security_mechs()
We now always copy.

Signed-off-by: Stefan Metzmacher <metze@samba.org>

Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-08-10 09:19:03 +02:00
Stefan Metzmacher
3e3534f882 auth/gensec: avoid talloc_reference in gensec_use_kerberos_mechs()
We now always copy.

Signed-off-by: Stefan Metzmacher <metze@samba.org>

Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-08-10 09:19:03 +02:00
Stefan Metzmacher
71c63e85e7 auth/gensec: introduce gensec_internal.h
We should treat most gensec related structures private.

It's a long way, but this is a start.

Signed-off-by: Stefan Metzmacher <metze@samba.org>

Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-08-10 09:19:02 +02:00
Stefan Metzmacher
59b09564a7 auth/gensec: add gensec_security_by_auth_type()
Signed-off-by: Stefan Metzmacher <metze@samba.org>

Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-08-10 09:18:56 +02:00
Volker Lendecke
26b6e28082 gensec: Make gensec_security_oids_from_ops static
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Wed May 15 20:05:34 CEST 2013 on sn-devel-104
2013-05-15 20:05:34 +02:00
Volker Lendecke
85220eaa9c gensec: Make gensec_security_by_sasl_list static
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2013-05-15 18:19:09 +02:00
Volker Lendecke
eb6ebe689f gensec: Make gensec_interface_version public
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2013-05-15 18:19:09 +02:00
Andrew Bartlett
d2ccaaad20 gensec: explain gensec_use_kerberos_mechs() logic
Autobuild-User: Andrew Bartlett <abartlet@samba.org>
Autobuild-Date: Fri Feb 10 12:36:23 CET 2012 on sn-devel-104
2012-02-10 12:36:23 +01:00
Andrew Bartlett
93f3fc54e4 gensec: set flag to continue in outer for loop in gensec_use_kerberos_mechs
This should be the correct fix for the valgrind erorr Volker found in
744ed53a62.  This fix avoids putting
SPNEGO into the list twice when we are in the CRED_DONT_USE_KERBEROS
case.

Andrew Bartlett
2012-02-10 20:49:24 +11:00
Andrew Bartlett
901e3b7246 Revert "gensec: Fix a memory corruption in gensec_use_kerberos_mechs"
This reverts commit 744ed53a62.

The real bug here is that the second half of the outer loop should not
have been run once we found spnego.

Andrew Bartlett
2012-02-10 20:49:24 +11:00
Volker Lendecke
744ed53a62 gensec: Fix a memory corruption in gensec_use_kerberos_mechs
Without this I get the following valgrind error:

==27740== Invalid write of size 8
==27740==    at 0x62C53E: gensec_use_kerberos_mechs (gensec_start.c:112)
==27740==    by 0x62C623: gensec_security_mechs (gensec_start.c:141)
==27740==    by 0x62C777: gensec_security_by_oid (gensec_start.c:181)
==27740==    by 0x62DD6E: gensec_start_mech_by_oid (gensec_start.c:735)
==27740==    by 0x50D6FD: negprot_spnego (negprot.c:210)
==27740==    by 0x5B0DEA: smbd_smb2_request_process_negprot (smb2_negprot.c:209)
==27740==    by 0x5AD036: smbd_smb2_request_dispatch (smb2_server.c:1417)
==27740==    by 0x5AFB77: smbd_smb2_first_negprot (smb2_server.c:2643)
==27740==    by 0x585C00: process_smb (process.c:1641)
==27740==    by 0x587F78: smbd_server_connection_read_handler (process.c:2314)
==27740==    by 0x587FD6: smbd_server_connection_handler (process.c:2331)
==27740==    by 0x99E05B: run_events_poll (events.c:286)
==27740==    by 0x584AFF: smbd_server_connection_loop_once (process.c:984)
==27740==    by 0x58B2D9: smbd_process (process.c:3389)
==27740==    by 0xDE4CA8: smbd_accept_connection (server.c:469)
==27740==    by 0x99E05B: run_events_poll (events.c:286)
==27740==    by 0x99E2D5: s3_event_loop_once (events.c:349)
==27740==    by 0x99F990: _tevent_loop_once (tevent.c:504)
==27740==    by 0xDE5A9B: smbd_parent_loop (server.c:869)
==27740==    by 0xDE6DD8: main (server.c:1413)
==27740==  Address 0x9ff3538 is 4,232 bytes inside a block of size 8,288 alloc'd
==27740==    at 0x4C261D7: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==27740==    by 0x6926965: __talloc (talloc.c:560)
==27740==    by 0x6926771: talloc_pool (talloc.c:598)
==27740==    by 0x93B927: talloc_stackframe_internal (talloc_stack.c:145)
==27740==    by 0x93B9D6: talloc_stackframe_pool (talloc_stack.c:171)
==27740==    by 0x58B2B7: smbd_process (process.c:3385)
==27740==    by 0xDE4CA8: smbd_accept_connection (server.c:469)
==27740==    by 0x99E05B: run_events_poll (events.c:286)
==27740==    by 0x99E2D5: s3_event_loop_once (events.c:349)
==27740==    by 0x99F990: _tevent_loop_once (tevent.c:504)
==27740==    by 0xDE5A9B: smbd_parent_loop (server.c:869)
==27740==    by 0xDE6DD8: main (server.c:1413)

In the for-loop we can increment j twice, so we need twice as many output array
elements as input array elements.

Autobuild-User: Volker Lendecke <vl@samba.org>
Autobuild-Date: Thu Feb  9 19:44:47 CET 2012 on sn-devel-104
2012-02-09 19:44:47 +01:00
Stefan Metzmacher
edaa933b17 auth/gensec: add some more functions from gensec_start.c to gensec.h
metze
2012-01-13 04:58:40 +01:00
Stefan Metzmacher
891318ee4c s4:auth/gensec/spnego: add support for fragmented spnego messages
metze
2012-01-12 13:15:08 +01:00
Stefan Metzmacher
6eea2c33c7 auth/gensec: add gensec_*max_update_size()
This is only a hint for the backend, which may want to fragment
update tokens.

metze
2012-01-12 13:15:08 +01:00
Andrew Bartlett
4b7b26e3c0 gensec: Allow an alternate set of modules to be specified
This will allow s3 to specify modules to use as a list, rather than
needing to start the individual module with gensec_start_mech_by_ops()

Andrew Bartlett
2011-12-28 22:39:19 +11:00
Jelmer Vernooij
05bc4de083 Revert making public of the samba-module library.
This library was tiny - containing just two public functions than were
themselves trivial. The amount of overhead this causes isn't really worth the
benefits of sharing the code with other projects like OpenChange. In addition, this code
isn't really generically useful anyway, as it can only load from the module path
set for Samba at configure time.

Adding a new library was breaking the API/ABI anyway, so OpenChange had to be
updated to cope with the new situation one way or another. I've added a simpler
(compatible) routine for loading modules to OpenChange, which is less than 100 lines of code.

Autobuild-User: Jelmer Vernooij <jelmer@samba.org>
Autobuild-Date: Sat Dec  3 08:36:33 CET 2011 on sn-devel-104
2011-12-03 08:36:30 +01:00
Andrew Bartlett
7f8f7159af lib/util Rename samba_modules_load -> samba_module_init_fns_for_subsystem
This is to provide a cleaner namespace in the public samba plugin
functions.

Andrew Bartlett
2011-10-28 13:10:28 +02:00
Andrew Bartlett
0ce09fcf7a lib/util Rename samba_init_module_fns_run -> samba_module_init_fns_run
This is to provide a cleaner namespace in the public samba plugin
functions.

Andrew Bartlett
2011-10-28 13:10:28 +02:00
Andrew Bartlett
1b7cc4ac7c lib/util Rename samba_init_module_fn -> samba_module_init_fn
This is to provide a cleaner namespace in the public samba plugin
functions.

Andrew Bartlett
2011-10-28 13:10:28 +02:00
Andrew Bartlett
87354c9a6d lib/util Split samba-modules library into public and private parts
This will allow OpenChange to get at the symbols it needs, without
exposing any more of this as a public API than we must.

Andrew Bartlett
2011-10-28 13:10:28 +02:00
Andrew Bartlett
b7b798e15b lib/util Rename load_samba_modules -> samba_modules_load
This is to provide a cleaner namespace in the public samba plugin
functions.

Andrew Bartlett
2011-10-28 13:10:28 +02:00
Andrew Bartlett
ce0ccc2a2e lib/util Rename run_init_functions -> samba_init_module_fns_run
This is to provide a cleaner namespace in the public samba plugin
functions.

Andrew Bartlett
2011-10-28 13:10:28 +02:00
Andrew Bartlett
1935b7b6c2 lib/util Rename init_module_fn to samba_init_module_fn
This prepares for making the samba_module.h header public again, for OpenChange.

I am keen to avoid too much API namespace pollution if we can.
2011-10-28 13:10:28 +02:00
Stefan Metzmacher
061dad7727 auth/gensec: replace #if _SAMBA_BUILD_ == 4 by a feature test
metze
2011-10-22 09:28:26 +02:00
Andrew Bartlett
e7d5f0a357 gensec: move event context from gensec_*_init() to gensec_update()
This avoids keeping the event context around on a the gensec_security
context structure long term.

In the Samba3 server, the event context we either supply is a NULL
pointer as no server-side modules currently use the event context.

Andrew Bartlett

Signed-off-by: Stefan Metzmacher <metze@samba.org>
2011-10-18 13:13:33 +11:00
Andrew Bartlett
0d5de7e19c gensec: Assert that we have not been subject to a downgrade attack in DCE/RPC clients
Because of the calling convention, this is the best place to assert
that we have not been subject to a downgrade attack on the negotiated
features.  (In DCE/RPC, this isn't a negotiation, the client simply
specifies the level of protection that is required).

Andrew Bartlett

(some formatting fixes)
Signed-off-by: Stefan Metzmacher <metze@samba.org>
2011-10-18 13:13:32 +11:00
Andrew Bartlett
c77964724d gensec: an event context is no longer mandetory
If you do not specify one however, you better know that the modules
you are using do not need one!

Andrew Bartlett

Signed-off-by: Stefan Metzmacher <metze@samba.org>
2011-10-18 13:13:32 +11:00
Andrew Bartlett
454986298a gensec: trim header includes back to what is actually required
Autobuild-User: Andrew Bartlett <abartlet@samba.org>
Autobuild-Date: Tue Oct 11 06:13:08 CEST 2011 on sn-devel-104
2011-10-11 06:13:08 +02:00
Andrew Bartlett
fe02752ed6 auth: move gensec_start.c to the top level
This does not change who uses gensec for now, but makes it possible to
write new gensec modules outside source4/

Andrew Bartlett
2011-10-11 13:41:36 +11:00