The branch, master has been updated
       via  9177a0d libcli/auth: add more const to 
spnego_negTokenInit->mechTypes
       via  f1e6014 libcli/auth: avoid possible mem leak in read_negTokenInit()
       via  966faef auth/gensec: treat struct gensec_security_ops as const if 
possible.
       via  c81b6f7 auth/gensec: use 'const char * const *' for function 
parameters
       via  e81550c auth/gensec: make it possible to implement async backends
       via  6a7a44d auth/gensec: avoid talloc_reference in 
gensec_security_mechs()
       via  3e3534f auth/gensec: avoid talloc_reference in 
gensec_use_kerberos_mechs()
       via  71c63e8 auth/gensec: introduce gensec_internal.h
       via  57bcbb9 libcli/auth/schannel: remove unused schannel_position
       via  4c978b6 libcli/auth/schannel: make struct schannel_state private
       via  e90e1b5 s4:gensec/schannel: only require librpc/gen_ndr/dcerpc.h
       via  9b9ab1a s4:gensec/schannel: there's no point in having 
schannel_session_key()
       via  a07049a s4:gensec/schannel: GENSEC_FEATURE_ASYNC_REPLIES is not 
supported
       via  b510476 s4:gensec/schannel: use the correct computer_name from 
netlogon_creds_CredentialState
       via  49f347e s4:gensec/schannel: simplify the code by using 
netsec_create_state()
       via  4cad5dc s4:gensec/schannel: remove unused dcerpc_schannel_creds()
       via  2ea3a24 s4:torture: avoid usage of dcerpc_schannel_creds()
       via  c014427 s4:libnet: avoid usage of dcerpc_schannel_creds()
       via  a36ccdc s3:dcerpc_helpers: remove unused DEBUG message of 
schannel_state->seq_num.
       via  a964309 s3:rpc_server: make use of netsec_create_state()
       via  af4dc30 s3:cli_pipe.c: return NO_USER_SESSION_KEY in 
cli_get_session_key() for schannel
       via  838cb53 s3:cli_pipe: pass down creds->computer_name to 
NL_AUTH_MESSAGE
       via  e96142f s3:cli_pipe: make use of netsec_create_state()
       via  3321539 libcli/auth: add netsec_create_state()
       via  9f2e81a libcli/auth: maintain the sequence number for the NETLOGON 
SSP as 64bit
       via  59b0956 auth/gensec: add gensec_security_by_auth_type()
       via  45c74c8 auth/gensec: first check GENSEC_FEATURE_SESSION_KEY before 
returning NOT_IMPLEMENTED
       via  04938cb s3:rpc_client: remove unused 
cli_rpc_pipe_open_ntlmssp_auth_schannel()
       via  3302356 s3:rpc_client: remove netr_LogonGetCapabilities check from 
rpc_pipe_bind*
       via  eecb5ba s3:rpc_client: add netr_LogonGetCapabilities to 
cli_rpc_pipe_open_schannel_with_key()
       via  e9c8e3f s3:rpc_client: use netlogon_creds_copy before rpc_pipe_bind
       via  90e28c1 s3:rpc_client: fix/add AES downgrade detection to 
rpc_pipe_bind_step_two_done()
       via  e77a64f s3:rpcclient: try to use NETLOGON_NEG_SUPPORTS_AES
       via  0460063 s3:rpc_client: try to use NETLOGON_NEG_SUPPORTS_AES
       via  beba326 s3:libnet_join: try to use NETLOGON_NEG_SUPPORTS_AES
       via  d82ab705 s3:auth_domain: try to use NETLOGON_NEG_SUPPORTS_AES
       via  11e0be0 s3:libsmb: remove unused cli_state->is_guestlogin
      from  d944841 torture: add smb2 FSCTL_[GET/SET]_COMPRESSION test

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 9177a0d1c1c92c45ef92fbda55fc6dd8aeb76b6c
Author: Stefan Metzmacher <me...@samba.org>
Date:   Mon Aug 5 10:46:47 2013 +0200

    libcli/auth: add more const to spnego_negTokenInit->mechTypes
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    
    Autobuild-User(master): Stefan Metzmacher <me...@samba.org>
    Autobuild-Date(master): Sat Aug 10 11:11:54 CEST 2013 on sn-devel-104

commit f1e60142e12deb560e3c62441fd9ff2acd086b60
Author: Stefan Metzmacher <me...@samba.org>
Date:   Mon Aug 5 10:43:38 2013 +0200

    libcli/auth: avoid possible mem leak in read_negTokenInit()
    
    Also add error checks.
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 966faef9c61d2ec02d75fc3ccc82a61524fb77e4
Author: Stefan Metzmacher <me...@samba.org>
Date:   Mon Aug 5 11:20:21 2013 +0200

    auth/gensec: treat struct gensec_security_ops as const if possible.
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit c81b6f7448d7f945635784de645bea4f7f2e230f
Author: Stefan Metzmacher <me...@samba.org>
Date:   Mon Aug 5 11:10:55 2013 +0200

    auth/gensec: use 'const char * const *' for function parameters
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit e81550c8117166d0fbf69ba1d3957cb950c42961
Author: Stefan Metzmacher <me...@samba.org>
Date:   Mon Aug 5 16:12:13 2013 +0200

    auth/gensec: make it possible to implement async backends
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 6a7a44db5999af7262478eb1c186d784d6075beb
Author: Stefan Metzmacher <me...@samba.org>
Date:   Mon Aug 5 10:39:16 2013 +0200

    auth/gensec: avoid talloc_reference in gensec_security_mechs()
    
    We now always copy.
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 3e3534f882651880093381f5a7846c0938df6501
Author: Stefan Metzmacher <me...@samba.org>
Date:   Mon Aug 5 10:37:26 2013 +0200

    auth/gensec: avoid talloc_reference in gensec_use_kerberos_mechs()
    
    We now always copy.
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 71c63e85e7a09acb57f6b75284358f2b3b29eeed
Author: Stefan Metzmacher <me...@samba.org>
Date:   Mon Aug 5 07:12:01 2013 +0200

    auth/gensec: introduce gensec_internal.h
    
    We should treat most gensec related structures private.
    
    It's a long way, but this is a start.
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 57bcbb9c50f0a0252110a1e04a2883b511cd9165
Author: Stefan Metzmacher <me...@samba.org>
Date:   Fri Aug 2 15:42:21 2013 +0200

    libcli/auth/schannel: remove unused schannel_position
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 4c978b68d9a87001f625c10421e7d4cc140b4554
Author: Stefan Metzmacher <me...@samba.org>
Date:   Fri Aug 2 13:37:54 2013 +0200

    libcli/auth/schannel: make struct schannel_state private
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit e90e1b5c76db4cf589adf8856eb32e5f0d955734
Author: Stefan Metzmacher <me...@samba.org>
Date:   Sat Aug 3 11:32:31 2013 +0200

    s4:gensec/schannel: only require librpc/gen_ndr/dcerpc.h
    
    We just need DCERPC_AUTH_TYPE_SCHANNEL
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 9b9ab1ae6963b3819dc2b095cbe9e1432f3459b7
Author: Stefan Metzmacher <me...@samba.org>
Date:   Sat Aug 3 11:27:55 2013 +0200

    s4:gensec/schannel: there's no point in having schannel_session_key()
    
    gensec_session_key() will return NT_STATUS_NO_USER_SESSION_KEY
    before calling schannel_session_key(), as we don't provide
    GENSEC_FEATURE_SESSION_KEY.
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit a07049a839729e29ca888bae353cd37fd6238486
Author: Stefan Metzmacher <me...@samba.org>
Date:   Sat Aug 3 11:21:32 2013 +0200

    s4:gensec/schannel: GENSEC_FEATURE_ASYNC_REPLIES is not supported
    
    There's a sequence number attached to the connection,
    which needs to be incremented with each message...
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit b5104768225ae0308aa3f22f8d9bca389ef3cb3a
Author: Stefan Metzmacher <me...@samba.org>
Date:   Fri Aug 2 13:25:20 2013 +0200

    s4:gensec/schannel: use the correct computer_name from 
netlogon_creds_CredentialState
    
    We need to use the same computer_name we used in the netr_Authenticate3
    request.
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 49f347eb11bd12a3f25b0fcb8ba36d4a36594868
Author: Stefan Metzmacher <me...@samba.org>
Date:   Fri Aug 2 13:04:07 2013 +0200

    s4:gensec/schannel: simplify the code by using netsec_create_state()
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 4cad5dcb6d5e49cc9bb1aa4ca454f369e00e8c6f
Author: Stefan Metzmacher <me...@samba.org>
Date:   Fri Aug 2 12:31:41 2013 +0200

    s4:gensec/schannel: remove unused dcerpc_schannel_creds()
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 2ea3a24dced0814100e352bbbca124011be73602
Author: Stefan Metzmacher <me...@samba.org>
Date:   Fri Aug 2 10:08:54 2013 +0200

    s4:torture: avoid usage of dcerpc_schannel_creds()
    
    We use cli_credentials_get_netlogon_creds() which returns the same value.
    
    dcerpc_schannel_creds() is a layer violation.
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit c0144273af8f0956a05d102113c40cec77069f7a
Author: Stefan Metzmacher <me...@samba.org>
Date:   Fri Aug 2 10:08:54 2013 +0200

    s4:libnet: avoid usage of dcerpc_schannel_creds()
    
    We use cli_credentials_get_netlogon_creds() which returns the same value.
    
    dcerpc_schannel_creds() is a layer violation.
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit a36ccdc83edb7437dd00601c459421286fd79db4
Author: Stefan Metzmacher <me...@samba.org>
Date:   Fri Aug 2 13:36:30 2013 +0200

    s3:dcerpc_helpers: remove unused DEBUG message of schannel_state->seq_num.
    
    This is a layer violation and not needed anymore as we know
    how the seqnum handling works now.
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit a964309bf7631f4f6953e0d6556f8ed8e5300dcc
Author: Stefan Metzmacher <me...@samba.org>
Date:   Fri Aug 2 13:33:37 2013 +0200

    s3:rpc_server: make use of netsec_create_state()
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit af4dc306846a30a5a1201306cc2cbf4d494e16e7
Author: Stefan Metzmacher <me...@samba.org>
Date:   Sat Aug 3 08:50:54 2013 +0200

    s3:cli_pipe.c: return NO_USER_SESSION_KEY in cli_get_session_key() for 
schannel
    
    SCHANNEL connections don't have a user session key,
    they're like anonymous connections.
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 838cb539621ef19cac6badb4b10678dcc3a6f68a
Author: Stefan Metzmacher <me...@samba.org>
Date:   Fri Aug 2 13:28:59 2013 +0200

    s3:cli_pipe: pass down creds->computer_name to NL_AUTH_MESSAGE
    
    We need to use the same computer_name value as in the netr_Authenticate3()
    request.
    
    We abuse cli->auth->user_name to pass the value down.
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit e96142fc439efb7c90719f9c387778c4218ae637
Author: Stefan Metzmacher <me...@samba.org>
Date:   Fri Aug 2 13:28:11 2013 +0200

    s3:cli_pipe: make use of netsec_create_state()
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 33215398f32c76f4b8ada7b547c6d0741cb2ac16
Author: Stefan Metzmacher <me...@samba.org>
Date:   Fri Aug 2 12:53:42 2013 +0200

    libcli/auth: add netsec_create_state()
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 9f2e81ae02549369db49c05edf7071612a03a8b8
Author: Stefan Metzmacher <me...@samba.org>
Date:   Wed Apr 24 12:33:28 2013 +0200

    libcli/auth: maintain the sequence number for the NETLOGON SSP as 64bit
    
    See [MS-NPRC] 3.3.4.2 The Netlogon Signature Token.
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 59b09564a7edac8dc241269587146342244ce58b
Author: Stefan Metzmacher <me...@samba.org>
Date:   Sat Aug 3 11:43:58 2013 +0200

    auth/gensec: add gensec_security_by_auth_type()
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 45c74c8084d2db14fef6a79cd98068be2ab73f30
Author: Stefan Metzmacher <me...@samba.org>
Date:   Sat Aug 3 11:26:13 2013 +0200

    auth/gensec: first check GENSEC_FEATURE_SESSION_KEY before returning 
NOT_IMPLEMENTED
    
    Prefer NT_STATUS_NO_USER_SESSION_KEY as return value of 
    gensec_session_key().
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 04938cbeecc777f7b799a11f1ca0461b351d968a
Author: Stefan Metzmacher <me...@samba.org>
Date:   Thu Apr 25 19:33:28 2013 +0200

    s3:rpc_client: remove unused cli_rpc_pipe_open_ntlmssp_auth_schannel()
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 3302356226cca474f0afab9a129220241c16663f
Author: Stefan Metzmacher <me...@samba.org>
Date:   Thu Apr 25 18:30:36 2013 +0200

    s3:rpc_client: remove netr_LogonGetCapabilities check from rpc_pipe_bind*
    
    It's done in the caller now.
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit eecb5bafba5b362d4fdf33d6a2a32e4ee56f30a4
Author: Stefan Metzmacher <me...@samba.org>
Date:   Thu Apr 25 19:34:13 2013 +0200

    s3:rpc_client: add netr_LogonGetCapabilities to 
cli_rpc_pipe_open_schannel_with_key()
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit e9c8e3fb92143525f846523e446e2213e5b55d9d
Author: Stefan Metzmacher <me...@samba.org>
Date:   Thu Apr 25 19:45:52 2013 +0200

    s3:rpc_client: use netlogon_creds_copy before rpc_pipe_bind
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 90e28c1825b2c48714d7b34fdb57d3878116d07e
Author: Stefan Metzmacher <me...@samba.org>
Date:   Thu Apr 25 19:57:09 2013 +0200

    s3:rpc_client: fix/add AES downgrade detection to 
rpc_pipe_bind_step_two_done()
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit e77a64f505fc43628e487e832033d0cd8ec4de8e
Author: Stefan Metzmacher <me...@samba.org>
Date:   Sat Jun 15 09:41:52 2013 +0200

    s3:rpcclient: try to use NETLOGON_NEG_SUPPORTS_AES
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 04600634b3e761d7c56f699fd4ba80b4cd2926a1
Author: Stefan Metzmacher <me...@samba.org>
Date:   Sat Jun 15 09:41:52 2013 +0200

    s3:rpc_client: try to use NETLOGON_NEG_SUPPORTS_AES
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit beba32619a91977543f882432fd08acc9de78fd3
Author: Stefan Metzmacher <me...@samba.org>
Date:   Sat Jun 15 09:41:52 2013 +0200

    s3:libnet_join: try to use NETLOGON_NEG_SUPPORTS_AES
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit d82ab70579ff2bcb69f997068482b198f321d1ef
Author: Stefan Metzmacher <me...@samba.org>
Date:   Sat Jun 15 09:41:52 2013 +0200

    s3:auth_domain: try to use NETLOGON_NEG_SUPPORTS_AES
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 11e0be0e72cfc4bc65ba2b0ffd10cbae3ad69b2d
Author: Stefan Metzmacher <me...@samba.org>
Date:   Mon Aug 5 20:26:54 2013 +0200

    s3:libsmb: remove unused cli_state->is_guestlogin
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

-----------------------------------------------------------------------

Summary of changes:
 auth/gensec/gensec.c                   |  210 +++++++++++++++++------
 auth/gensec/gensec.h                   |  119 ++-----------
 auth/gensec/gensec_internal.h          |  134 ++++++++++++++
 auth/gensec/gensec_start.c             |  142 +++++++++------
 auth/gensec/gensec_util.c              |    1 +
 auth/gensec/spnego.c                   |   11 +-
 auth/ntlmssp/gensec_ntlmssp.c          |    1 +
 auth/ntlmssp/gensec_ntlmssp_server.c   |    1 +
 auth/ntlmssp/ntlmssp.c                 |    1 +
 auth/ntlmssp/ntlmssp_client.c          |    1 +
 auth/ntlmssp/ntlmssp_server.c          |    1 +
 libcli/auth/schannel.h                 |   13 --
 libcli/auth/schannel_proto.h           |    3 +
 libcli/auth/schannel_sign.c            |   45 +++++-
 libcli/auth/spnego.h                   |    2 +-
 libcli/auth/spnego_parse.c             |   36 +++-
 libcli/auth/spnego_proto.h             |    2 +-
 source3/auth/auth_domain.c             |    3 +-
 source3/auth/auth_generic.c            |   15 +-
 source3/include/client.h               |    1 -
 source3/libads/authdata.c              |   12 +-
 source3/libnet/libnet_join.c           |    3 +-
 source3/librpc/crypto/gse.c            |    1 +
 source3/librpc/rpc/dcerpc_helpers.c    |    3 -
 source3/libsmb/auth_generic.c          |   15 +-
 source3/libsmb/cliconnect.c            |    5 -
 source3/libsmb/ntlmssp_wrap.c          |    1 +
 source3/rpc_client/cli_netlogon.c      |    3 +-
 source3/rpc_client/cli_pipe.c          |  301 ++++++++++++-------------------
 source3/rpc_client/cli_pipe.h          |    9 -
 source3/rpc_client/cli_pipe_schannel.c |   82 +---------
 source3/rpc_server/srv_pipe.c          |   12 +-
 source3/rpcclient/cmd_netlogon.c       |    3 +-
 source3/rpcclient/rpcclient.c          |    3 +-
 source3/utils/ntlm_auth.c              |   25 ++--
 source4/auth/gensec/cyrus_sasl.c       |    1 +
 source4/auth/gensec/gensec_gssapi.c    |    1 +
 source4/auth/gensec/gensec_krb5.c      |    1 +
 source4/auth/gensec/pygensec.c         |    1 +
 source4/auth/gensec/schannel.c         |  141 ++++-----------
 source4/auth/gensec/schannel.h         |   26 ---
 source4/ldap_server/ldap_backend.c     |    5 +-
 source4/libcli/ldap/ldap_bind.c        |    1 +
 source4/libnet/libnet_samsync.c        |    7 +-
 source4/torture/auth/ntlmssp.c         |    1 +
 source4/torture/rpc/samlogon.c         |    5 +-
 source4/torture/rpc/samr.c             |    6 +-
 source4/torture/rpc/samsync.c          |   11 +-
 source4/torture/rpc/schannel.c         |    6 +-
 source4/utils/ntlm_auth.c              |    1 +
 50 files changed, 705 insertions(+), 729 deletions(-)
 create mode 100644 auth/gensec/gensec_internal.h
 delete mode 100644 source4/auth/gensec/schannel.h


Changeset truncated at 500 lines:

diff --git a/auth/gensec/gensec.c b/auth/gensec/gensec.c
index ea62861..abcbcb9 100644
--- a/auth/gensec/gensec.c
+++ b/auth/gensec/gensec.c
@@ -26,6 +26,7 @@
 #include "lib/tsocket/tsocket.h"
 #include "lib/util/tevent_ntstatus.h"
 #include "auth/gensec/gensec.h"
+#include "auth/gensec/gensec_internal.h"
 #include "librpc/rpc/dcerpc.h"
 
 /*
@@ -155,13 +156,14 @@ _PUBLIC_ NTSTATUS gensec_session_key(struct 
gensec_security *gensec_security,
                                     TALLOC_CTX *mem_ctx,
                                     DATA_BLOB *session_key)
 {
-       if (!gensec_security->ops->session_key) {
-               return NT_STATUS_NOT_IMPLEMENTED;
-       }
        if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SESSION_KEY)) {
                return NT_STATUS_NO_USER_SESSION_KEY;
        }
 
+       if (!gensec_security->ops->session_key) {
+               return NT_STATUS_NOT_IMPLEMENTED;
+       }
+
        return gensec_security->ops->session_key(gensec_security, mem_ctx, 
session_key);
 }
 
@@ -216,61 +218,92 @@ _PUBLIC_ NTSTATUS gensec_update(struct gensec_security 
*gensec_security, TALLOC_
                                const DATA_BLOB in, DATA_BLOB *out)
 {
        NTSTATUS status;
+       const struct gensec_security_ops *ops = gensec_security->ops;
+       TALLOC_CTX *frame = NULL;
+       struct tevent_req *subreq = NULL;
+       bool ok;
 
-       status = gensec_security->ops->update(gensec_security, out_mem_ctx,
-                                             ev, in, out);
-       if (!NT_STATUS_IS_OK(status)) {
-               return status;
-       }
+       if (ops->update_send == NULL) {
 
-       /*
-        * Because callers using the
-        * gensec_start_mech_by_auth_type() never call
-        * gensec_want_feature(), it isn't sensible for them
-        * to have to call gensec_have_feature() manually, and
-        * these are not points of negotiation, but are
-        * asserted by the client
-        */
-       switch (gensec_security->dcerpc_auth_level) {
-       case DCERPC_AUTH_LEVEL_INTEGRITY:
-               if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) 
{
-                       DEBUG(0,("Did not manage to negotiate mandetory feature 
"
-                                "SIGN for dcerpc auth_level %u\n",
-                                gensec_security->dcerpc_auth_level));
-                       return NT_STATUS_ACCESS_DENIED;
-               }
-               break;
-       case DCERPC_AUTH_LEVEL_PRIVACY:
-               if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) 
{
-                       DEBUG(0,("Did not manage to negotiate mandetory feature 
"
-                                "SIGN for dcerpc auth_level %u\n",
-                                gensec_security->dcerpc_auth_level));
-                       return NT_STATUS_ACCESS_DENIED;
+               status = ops->update(gensec_security, out_mem_ctx,
+                                    ev, in, out);
+               if (!NT_STATUS_IS_OK(status)) {
+                       return status;
                }
-               if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL)) 
{
-                       DEBUG(0,("Did not manage to negotiate mandetory feature 
"
-                                "SEAL for dcerpc auth_level %u\n",
-                                gensec_security->dcerpc_auth_level));
-                       return NT_STATUS_ACCESS_DENIED;
+
+               /*
+                * Because callers using the
+                * gensec_start_mech_by_auth_type() never call
+                * gensec_want_feature(), it isn't sensible for them
+                * to have to call gensec_have_feature() manually, and
+                * these are not points of negotiation, but are
+                * asserted by the client
+                */
+               switch (gensec_security->dcerpc_auth_level) {
+               case DCERPC_AUTH_LEVEL_INTEGRITY:
+                       if (!gensec_have_feature(gensec_security, 
GENSEC_FEATURE_SIGN)) {
+                               DEBUG(0,("Did not manage to negotiate mandetory 
feature "
+                                        "SIGN for dcerpc auth_level %u\n",
+                                        gensec_security->dcerpc_auth_level));
+                               return NT_STATUS_ACCESS_DENIED;
+                       }
+                       break;
+               case DCERPC_AUTH_LEVEL_PRIVACY:
+                       if (!gensec_have_feature(gensec_security, 
GENSEC_FEATURE_SIGN)) {
+                               DEBUG(0,("Did not manage to negotiate mandetory 
feature "
+                                        "SIGN for dcerpc auth_level %u\n",
+                                        gensec_security->dcerpc_auth_level));
+                               return NT_STATUS_ACCESS_DENIED;
+                       }
+                       if (!gensec_have_feature(gensec_security, 
GENSEC_FEATURE_SEAL)) {
+                               DEBUG(0,("Did not manage to negotiate mandetory 
feature "
+                                        "SEAL for dcerpc auth_level %u\n",
+                                        gensec_security->dcerpc_auth_level));
+                               return NT_STATUS_ACCESS_DENIED;
+                       }
+                       break;
+               default:
+                       break;
                }
-               break;
-       default:
-               break;
+
+               return NT_STATUS_OK;
        }
 
-       return NT_STATUS_OK;
+       frame = talloc_stackframe();
+
+       subreq = ops->update_send(frame, ev, gensec_security, in);
+       if (subreq == NULL) {
+               goto fail;
+       }
+       ok = tevent_req_poll_ntstatus(subreq, ev, &status);
+       if (!ok) {
+               goto fail;
+       }
+       status = ops->update_recv(subreq, out_mem_ctx, out);
+ fail:
+       TALLOC_FREE(frame);
+       return status;
 }
 
 struct gensec_update_state {
-       struct tevent_immediate *im;
+       const struct gensec_security_ops *ops;
+       struct tevent_req *subreq;
        struct gensec_security *gensec_security;
-       DATA_BLOB in;
        DATA_BLOB out;
+
+       /*
+        * only for sync backends, we should remove this
+        * once all backends are async.
+        */
+       struct tevent_immediate *im;
+       DATA_BLOB in;
 };
 
 static void gensec_update_async_trigger(struct tevent_context *ctx,
                                        struct tevent_immediate *im,
                                        void *private_data);
+static void gensec_update_subreq_done(struct tevent_req *subreq);
+
 /**
  * Next state function for the GENSEC state machine async version
  *
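Review bot: The mandatory SIGN/SEAL assertion for `dcerpc_auth_level` is now applied on only two of the four completion paths: the `ops->update_send == NULL` branch of gensec_update() here and gensec_update_subreq_done() keep it, but the `update_send`/`update_recv` branch added below `frame = talloc_stackframe();` returns whatever `update_recv` yields without the switch, and gensec_update_async_trigger() in the next hunk (`@@ -321,12 +368,71 @@`) no longer routes through gensec_update() and so loses the check the old call carried. Which API a caller combines with which backend then decides whether an auth level of INTEGRITY/PRIVACY is actually enforced; once a backend implements `update_send`, a sync caller using gensec_start_mech_by_auth_type() would get no assertion at all. Separately, `if (subreq == NULL) { goto fail; }` reaches `return status;` with `status` still uninitialized; set `status = NT_STATUS_NO_MEMORY;` before the jump. I would hoist the switch into one static helper and call it from all four paths (with `tevent_req_nterror` in the two async completions), as sketched below; gensec_update()'s signature starts outside the hunk.
```c
/* Assert the SIGN/SEAL features the negotiated DCERPC auth level mandates. */
static NTSTATUS gensec_check_dcerpc_auth_level(struct gensec_security *gensec_security)
{
	/* … moved here unchanged: the switch on dcerpc_auth_level with its DEBUG(0, ...) messages … */
	return NT_STATUS_OK;
}

	/* … unchanged: gensec_update() sync branch up to the feature check … */
		return gensec_check_dcerpc_auth_level(gensec_security);
	}

	frame = talloc_stackframe();

	subreq = ops->update_send(frame, ev, gensec_security, in);
	if (subreq == NULL) {
		status = NT_STATUS_NO_MEMORY;
		goto fail;
	}
	ok = tevent_req_poll_ntstatus(subreq, ev, &status);
	if (!ok) {
		goto fail;
	}
	status = ops->update_recv(subreq, out_mem_ctx, out);
	if (NT_STATUS_IS_OK(status)) {
		status = gensec_check_dcerpc_auth_level(gensec_security);
	}
 fail:
	TALLOC_FREE(frame);
	return status;
```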
@@ -296,17 +329,31 @@ _PUBLIC_ struct tevent_req *gensec_update_send(TALLOC_CTX 
*mem_ctx,
                return NULL;
        }
 
-       state->gensec_security          = gensec_security;
-       state->in                       = in;
-       state->out                      = data_blob(NULL, 0);
-       state->im                       = tevent_create_immediate(state);
-       if (tevent_req_nomem(state->im, req)) {
+       state->ops = gensec_security->ops;
+       state->gensec_security = gensec_security;
+
+       if (state->ops->update_send == NULL) {
+               state->in = in;
+               state->im = tevent_create_immediate(state);
+               if (tevent_req_nomem(state->im, req)) {
+                       return tevent_req_post(req, ev);
+               }
+
+               tevent_schedule_immediate(state->im, ev,
+                                         gensec_update_async_trigger,
+                                         req);
+
+               return req;
+       }
+
+       state->subreq = state->ops->update_send(state, ev, gensec_security, in);
+       if (tevent_req_nomem(state->subreq, req)) {
                return tevent_req_post(req, ev);
        }
 
-       tevent_schedule_immediate(state->im, ev,
-                                 gensec_update_async_trigger,
-                                 req);
+       tevent_req_set_callback(state->subreq,
+                               gensec_update_subreq_done,
+                               req);
 
        return req;
 }
@@ -321,12 +368,71 @@ static void gensec_update_async_trigger(struct 
tevent_context *ctx,
                tevent_req_data(req, struct gensec_update_state);
        NTSTATUS status;
 
-       status = gensec_update(state->gensec_security, state, ctx,
-                              state->in, &state->out);
+       status = state->ops->update(state->gensec_security, state, ctx,
+                                   state->in, &state->out);
+       if (tevent_req_nterror(req, status)) {
+               return;
+       }
+
+       tevent_req_done(req);
+}
+
+static void gensec_update_subreq_done(struct tevent_req *subreq)
+{
+       struct tevent_req *req =
+               tevent_req_callback_data(subreq,
+               struct tevent_req);
+       struct gensec_update_state *state =
+               tevent_req_data(req,
+               struct gensec_update_state);
+       NTSTATUS status;
+
+       state->subreq = NULL;
+
+       status = state->ops->update_recv(subreq, state, &state->out);
+       TALLOC_FREE(subreq);
        if (tevent_req_nterror(req, status)) {
                return;
        }
 
+       /*
+        * Because callers using the
+        * gensec_start_mech_by_authtype() never call
+        * gensec_want_feature(), it isn't sensible for them
+        * to have to call gensec_have_feature() manually, and
+        * these are not points of negotiation, but are
+        * asserted by the client
+        */
+       switch (state->gensec_security->dcerpc_auth_level) {
+       case DCERPC_AUTH_LEVEL_INTEGRITY:
+               if (!gensec_have_feature(state->gensec_security, 
GENSEC_FEATURE_SIGN)) {
+                       DEBUG(0,("Did not manage to negotiate mandetory feature 
"
+                                "SIGN for dcerpc auth_level %u\n",
+                                state->gensec_security->dcerpc_auth_level));
+                       tevent_req_nterror(req, NT_STATUS_ACCESS_DENIED);
+                       return;
+               }
+               break;
+       case DCERPC_AUTH_LEVEL_PRIVACY:
+               if (!gensec_have_feature(state->gensec_security, 
GENSEC_FEATURE_SIGN)) {
+                       DEBUG(0,("Did not manage to negotiate mandetory feature 
"
+                                "SIGN for dcerpc auth_level %u\n",
+                                state->gensec_security->dcerpc_auth_level));
+                       tevent_req_nterror(req, NT_STATUS_ACCESS_DENIED);
+                       return;
+               }
+               if (!gensec_have_feature(state->gensec_security, 
GENSEC_FEATURE_SEAL)) {
+                       DEBUG(0,("Did not manage to negotiate mandetory feature 
"
+                                "SEAL for dcerpc auth_level %u\n",
+                                state->gensec_security->dcerpc_auth_level));
+                       tevent_req_nterror(req, NT_STATUS_ACCESS_DENIED);
+                       return;
+               }
+               break;
+       default:
+               break;
+       }
+
        tevent_req_done(req);
 }
 
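Review bot: The comment added in gensec_update_subreq_done() refers to `gensec_start_mech_by_authtype()`, while the same paragraph in gensec_update() earlier in this file says `gensec_start_mech_by_auth_type()`; the two copies should name the function consistently, and a reader looking for the real entry point will grep for one of them. The three DEBUG(0, ...) strings copied into this function also carry the same misspelling "mandetory" as the originals, so fixing it in the one place the message is defined would be preferable to propagating it into a second copy. If the feature check is shared with gensec_update() through a helper, this comment only needs to live once, above that helper.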
diff --git a/auth/gensec/gensec.h b/auth/gensec/gensec.h
index 396a16d..ac1fadf 100644
--- a/auth/gensec/gensec.h
+++ b/auth/gensec/gensec.h
@@ -76,6 +76,7 @@ struct gensec_settings;
 struct tevent_context;
 struct tevent_req;
 struct smb_krb5_context;
+struct tsocket_address;
 
 struct gensec_settings {
        struct loadparm_context *lp_ctx;
@@ -84,7 +85,7 @@ struct gensec_settings {
        /* this allows callers to specify a specific set of ops that
         * should be used, rather than those loaded by the plugin
         * mechanism */
-       struct gensec_security_ops **backends;
+       const struct gensec_security_ops * const *backends;
 
        /* To fill in our own name in the NTLMSSP server */
        const char *server_dns_domain;
@@ -93,106 +94,13 @@ struct gensec_settings {
        const char *server_netbios_name;
 };
 
-struct gensec_security_ops {
-       const char *name;
-       const char *sasl_name;
-       uint8_t auth_type;  /* 0 if not offered on DCE-RPC */
-       const char **oid;  /* NULL if not offered by SPNEGO */
-       NTSTATUS (*client_start)(struct gensec_security *gensec_security);
-       NTSTATUS (*server_start)(struct gensec_security *gensec_security);
-       /**
-          Determine if a packet has the right 'magic' for this mechanism
-       */
-       NTSTATUS (*magic)(struct gensec_security *gensec_security,
-                         const DATA_BLOB *first_packet);
-       NTSTATUS (*update)(struct gensec_security *gensec_security, TALLOC_CTX 
*out_mem_ctx,
-                          struct tevent_context *ev,
-                          const DATA_BLOB in, DATA_BLOB *out);
-       NTSTATUS (*seal_packet)(struct gensec_security *gensec_security, 
TALLOC_CTX *sig_mem_ctx,
-                               uint8_t *data, size_t length,
-                               const uint8_t *whole_pdu, size_t pdu_length,
-                               DATA_BLOB *sig);
-       NTSTATUS (*sign_packet)(struct gensec_security *gensec_security, 
TALLOC_CTX *sig_mem_ctx,
-                               const uint8_t *data, size_t length,
-                               const uint8_t *whole_pdu, size_t pdu_length,
-                               DATA_BLOB *sig);
-       size_t   (*sig_size)(struct gensec_security *gensec_security, size_t 
data_size);
-       size_t   (*max_input_size)(struct gensec_security *gensec_security);
-       size_t   (*max_wrapped_size)(struct gensec_security *gensec_security);
-       NTSTATUS (*check_packet)(struct gensec_security *gensec_security,
-                                const uint8_t *data, size_t length,
-                                const uint8_t *whole_pdu, size_t pdu_length,
-                                const DATA_BLOB *sig);
-       NTSTATUS (*unseal_packet)(struct gensec_security *gensec_security,
-                                 uint8_t *data, size_t length,
-                                 const uint8_t *whole_pdu, size_t pdu_length,
-                                 const DATA_BLOB *sig);
-       NTSTATUS (*wrap)(struct gensec_security *gensec_security,
-                                 TALLOC_CTX *mem_ctx,
-                                 const DATA_BLOB *in,
-                                 DATA_BLOB *out);
-       NTSTATUS (*unwrap)(struct gensec_security *gensec_security,
-                          TALLOC_CTX *mem_ctx,
-                          const DATA_BLOB *in,
-                          DATA_BLOB *out);
-       NTSTATUS (*wrap_packets)(struct gensec_security *gensec_security,
-                                TALLOC_CTX *mem_ctx,
-                                const DATA_BLOB *in,
-                                DATA_BLOB *out,
-                                size_t *len_processed);
-       NTSTATUS (*unwrap_packets)(struct gensec_security *gensec_security,
-                                  TALLOC_CTX *mem_ctx,
-                                  const DATA_BLOB *in,
-                                  DATA_BLOB *out,
-                                  size_t *len_processed);
-       NTSTATUS (*packet_full_request)(struct gensec_security *gensec_security,
-                                       DATA_BLOB blob, size_t *size);
-       NTSTATUS (*session_key)(struct gensec_security *gensec_security, 
TALLOC_CTX *mem_ctx,
-                               DATA_BLOB *session_key);
-       NTSTATUS (*session_info)(struct gensec_security *gensec_security, 
TALLOC_CTX *mem_ctx,
-                                struct auth_session_info **session_info);
-       void (*want_feature)(struct gensec_security *gensec_security,
-                                   uint32_t feature);
-       bool (*have_feature)(struct gensec_security *gensec_security,
-                                   uint32_t feature);
-       NTTIME (*expire_time)(struct gensec_security *gensec_security);
-       bool enabled;
-       bool kerberos;
-       enum gensec_priority priority;
-};
-
-struct gensec_security_ops_wrapper {
-       const struct gensec_security_ops *op;
-       const char *oid;
-};
+struct gensec_security_ops;
+struct gensec_security_ops_wrapper;
 
 #define GENSEC_INTERFACE_VERSION 0
 
-struct gensec_security {
-       const struct gensec_security_ops *ops;
-       void *private_data;
-       struct cli_credentials *credentials;
-       struct gensec_target target;
-       enum gensec_role gensec_role;
-       bool subcontext;
-       uint32_t want_features;
-       uint32_t max_update_size;
-       uint8_t dcerpc_auth_level;
-       struct tsocket_address *local_addr, *remote_addr;
-       struct gensec_settings *settings;
-
-       /* When we are a server, this may be filled in to provide an
-        * NTLM authentication backend, and user lookup (such as if no
-        * PAC is found) */
-       struct auth4_context *auth_context;
-};
-
 /* this structure is used by backends to determine the size of some critical 
types */
-struct gensec_critical_sizes {
-       int interface_version;
-       int sizeof_gensec_security_ops;
-       int sizeof_gensec_security;
-};
+struct gensec_critical_sizes;
 const struct gensec_critical_sizes *gensec_interface_version(void);
 
 /* Socket wrapper */
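Review bot: GENSEC_INTERFACE_VERSION is kept at 0 in this hunk while the same series moves struct gensec_security_ops into gensec_internal.h and adds the update_send/update_recv members to it, so the layout a backend compiles against changes without the version number changing. struct gensec_critical_sizes also becomes opaque here, so a backend built outside this tree could no longer compare sizeof_gensec_security_ops against its own view without pulling in the internal header; whether such backends exist I cannot tell from this diff. Either bump the constant, `#define GENSEC_INTERFACE_VERSION 1`, or put a comment next to the new forward declarations stating that the structures behind them are private to auth/gensec/gensec_internal.h and that backends must be built in-tree against that header, so nobody reads the public header as an ABI promise.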
@@ -268,12 +176,15 @@ const struct gensec_security_ops 
*gensec_security_by_oid(struct gensec_security
                                                         const char 
*oid_string);
 const struct gensec_security_ops *gensec_security_by_sasl_name(struct 
gensec_security *gensec_security,
                                                               const char 
*sasl_name);
-struct gensec_security_ops **gensec_security_mechs(struct gensec_security 
*gensec_security,
+const struct gensec_security_ops *gensec_security_by_auth_type(
+                               struct gensec_security *gensec_security,
+                               uint32_t auth_type);
+const struct gensec_security_ops **gensec_security_mechs(struct 
gensec_security *gensec_security,
                                                   TALLOC_CTX *mem_ctx);
 const struct gensec_security_ops_wrapper *gensec_security_by_oid_list(
                                        struct gensec_security *gensec_security,
                                        TALLOC_CTX *mem_ctx,
-                                       const char **oid_strings,
+                                       const char * const *oid_strings,
                                        const char *skip);
 const char **gensec_security_oids(struct gensec_security *gensec_security,
                                  TALLOC_CTX *mem_ctx,
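Review bot: The new gensec_security_by_auth_type() prototype takes `uint32_t auth_type`, but the field it will presumably be matched against, `uint8_t auth_type` in struct gensec_security_ops, is documented as "0 if not offered on DCE-RPC", and the implementation is not part of this hunk. Since callers will feed this function an auth_type taken from a DCE-RPC auth header, the header should state that a lookup for 0 must return NULL rather than the first backend that is simply not registered for DCE-RPC, and that values above 255 cannot match. Suggested doc comment above the prototype: `/* Find the backend registered for a DCE-RPC auth_type (DCERPC_AUTH_TYPE_*). Must return NULL for auth_type 0, which marks backends not offered on DCE-RPC, and for any unknown value. */`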
@@ -332,11 +243,11 @@ NTSTATUS gensec_wrap(struct gensec_security 
*gensec_security,
                     const DATA_BLOB *in,
                     DATA_BLOB *out);
 
-struct gensec_security_ops **gensec_security_all(void);
-bool gensec_security_ops_enabled(struct gensec_security_ops *ops, struct 
gensec_security *security);
-struct gensec_security_ops **gensec_use_kerberos_mechs(TALLOC_CTX *mem_ctx,
-                                                      struct 
gensec_security_ops **old_gensec_list,
-                                                      struct cli_credentials 
*creds);
+const struct gensec_security_ops * const *gensec_security_all(void);
+bool gensec_security_ops_enabled(const struct gensec_security_ops *ops, struct 
gensec_security *security);
+const struct gensec_security_ops **gensec_use_kerberos_mechs(TALLOC_CTX 
*mem_ctx,
+                       const struct gensec_security_ops * const 
*old_gensec_list,
+                       struct cli_credentials *creds);
 
 NTSTATUS gensec_start_mech_by_sasl_name(struct gensec_security 
*gensec_security,
                                        const char *sasl_name);
diff --git a/auth/gensec/gensec_internal.h b/auth/gensec/gensec_internal.h
new file mode 100644
index 0000000..c04164a
--- /dev/null
+++ b/auth/gensec/gensec_internal.h
@@ -0,0 +1,134 @@
+/*
+   Unix SMB/CIFS implementation.
+
+   Generic Authentication Interface
+
+   Copyright (C) Andrew Tridgell 2003
+   Copyright (C) Andrew Bartlett <abart...@samba.org> 2004-2005
+
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; either version 3 of the License, or
+   (at your option) any later version.
+
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+
+   You should have received a copy of the GNU General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#ifndef __GENSEC_INTERNAL_H__
+#define __GENSEC_INTERNAL_H__
+
+struct gensec_security;
+
+struct gensec_security_ops {
+       const char *name;
+       const char *sasl_name;
+       uint8_t auth_type;  /* 0 if not offered on DCE-RPC */
+       const char **oid;  /* NULL if not offered by SPNEGO */
+       NTSTATUS (*client_start)(struct gensec_security *gensec_security);
+       NTSTATUS (*server_start)(struct gensec_security *gensec_security);
+       /**
+          Determine if a packet has the right 'magic' for this mechanism
+       */
+       NTSTATUS (*magic)(struct gensec_security *gensec_security,
+                         const DATA_BLOB *first_packet);
+       NTSTATUS (*update)(struct gensec_security *gensec_security, TALLOC_CTX 
*out_mem_ctx,
+                          struct tevent_context *ev,
+                          const DATA_BLOB in, DATA_BLOB *out);
+       struct tevent_req *(*update_send)(TALLOC_CTX *mem_ctx,
+                                         struct tevent_context *ev,
+                                         struct gensec_security 
*gensec_security,
+                                         const DATA_BLOB in);
+       NTSTATUS (*update_recv)(struct tevent_req *req,
+                               TALLOC_CTX *out_mem_ctx,
+                               DATA_BLOB *out);
+       NTSTATUS (*seal_packet)(struct gensec_security *gensec_security, 
TALLOC_CTX *sig_mem_ctx,
+                               uint8_t *data, size_t length,
+                               const uint8_t *whole_pdu, size_t pdu_length,

