summaryrefslogtreecommitdiff
path: root/auth/gensec/spnego.c
Commit message (Collapse)AuthorAgeFilesLines
* auth/gensec: introduce gensec_security_ops.glue in order to avoid depending ↵Stefan Metzmacher2017-07-251-1/+2
| | | | | | | | | | on GENSEC_OID_SPNEGO being special In future we have get more backends that can negotiate other backends, we should keep all of them even if we require kerberos. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
* auth/spnego: Use talloc_get_type_abort() in gsensec_spnego_update_out()Andreas Schneider2017-07-251-1/+3
| | | | | Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
* auth/spnego: Use talloc_get_type_abort() in gsensec_spnego_update_in()Andreas Schneider2017-07-251-1/+3
| | | | | Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
* auth/spnego: Rename gensec_spnego_update_sub_abort()Andreas Schneider2017-07-251-8/+8
| | | | | | | | The name is not ideal as someone might think we will panic and abort the process. So rename it to gensec_spnego_reset_sub_sec(). Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
* auth/spnego: replace gensec_spnego_neg_loop() by real async processing of ↵Stefan Metzmacher2017-07-251-167/+107
| | | | | | | {start,step,finish}_fn() Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
* auth/spnego: split gensec_spnego_server_negTokenTarg() into subfunctionsStefan Metzmacher2017-07-251-29/+96
| | | | | Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
* auth/spnego: split gensec_spnego_server_negTokenInit() into subfunctionsStefan Metzmacher2017-07-251-75/+151
| | | | | | | Check with git show -U15 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
* auth/spnego: split gensec_spnego_client_negTokenTarg() into subfunctionsStefan Metzmacher2017-07-251-35/+111
| | | | | | | Check with git show -U15 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
* auth/spnego: split gensec_spnego_client_negTokenInit() into subfunctionsStefan Metzmacher2017-07-251-71/+112
| | | | | Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
* auth/spnego: split gensec_spnego_create_negTokenInit() into subfunctionsStefan Metzmacher2017-07-251-72/+253
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This adds and uses the gensec_spnego_neg_loop() abstraction, which abstracts start, step and finish hooks. The start hook does the initial processing on the incoming paket and may start the first possible subcontext. It indicates that gensec_update() is required on the subcontext by returning NT_STATUS_MORE_PROCESSING_REQUIRED and return something useful in 'in_next'. Note that 'in_mem_ctx' is just passed as a hint, the caller should treat 'in_next' as const and don't attempt to free the content. NT_STATUS_OK indicates the finish hook should be invoked directly withing the need of gensec_update() on the subcontext. Every other error indicates an error that's returned to the caller. The step hook processes the result of a failed gensec_update() and can decide to ignore a failure or continue the negotiation by setting up the next possible subcontext. It indicates that gensec_update() is required on the subcontext by returning NT_STATUS_MORE_PROCESSING_REQUIRED and return something useful in 'in_next'. Note that 'in_mem_ctx' is just passed as a hint, the caller should treat 'in_next' as const and don't attempt to free the content. NT_STATUS_OK indicates the finish hook should be invoced directly withing the need of gensec_update() on the subcontext. Every other error indicated an error that's returned to the caller. The finish hook processes the result of a successful gensec_update() (NT_STATUS_OK or NT_STATUS_MORE_PROCESSING_REQUIRED). It forms the response pdu that will be returned from the toplevel gensec_update() together with NT_STATUS_OK or NT_STATUS_MORE_PROCESSING_REQUIRED. It may also alter the state machine to prepare receiving the next pdu from the peer. This is the start of using this abstraction for the initial client or server start with on empty input token from the peer. This abstraction will be applied to all four other spnego states, gensec_spnego_{client,server}_negToken{Init,Targ}() in the following commits. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
* auth/spnego: don't produce an output token for errors in ↵Stefan Metzmacher2017-07-251-5/+0
| | | | | | | | | gensec_spnego_server_response() gensec_spnego_server_response() is never called with a fatal error anymore. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
* auth/spnego: don't call gensec_spnego_server_response() with a fatal errorStefan Metzmacher2017-07-251-4/+11
| | | | | | | | | | | | It doesn't make sense to produce an output token without returning OK or MORE_PROCESSING_REQUIRED. Even in v4-0-test we had gensec_spnego_update_wrapper() which only passed the constructed output token to the caller with OK or MORE_PROCESSING_REQUIRED. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
* auth/spnego: generate a valid packet if gensec_spnego_client_negTokenTarg() ↵Stefan Metzmacher2017-07-251-6/+4
| | | | | | | | | | gives MORE_PROCESSING_REQUIRED If we wait for the mechListMIC from the server we should send a valid paket instead of an empty blob. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
* auth/spnego: make sure we don't return OK without sub_sec_ready in ↵Stefan Metzmacher2017-07-251-0/+6
| | | | | | | gensec_spnego_client_negTokenTarg() Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
* auth/spnego: do an early return for the success case in ↵Stefan Metzmacher2017-07-251-21/+22
| | | | | | | | | gensec_spnego_client_negTokenTarg() Check with git show -w Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
* auth/spnego: use better variable names in gensec_spnego_create_negTokenInit()Stefan Metzmacher2017-07-251-10/+17
| | | | | Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
* auth/spnego: introduce an early return in gensec_spnego_create_negTokenInit()Stefan Metzmacher2017-07-251-4/+10
| | | | | | | This avoids print two debug message for the same failure. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
* auth/spnego: add more error checking to gensec_spnego_create_negTokenInit()Stefan Metzmacher2017-07-251-0/+13
| | | | | Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
* auth/spnego: rename 'nt_status' to 'status' in ↵Stefan Metzmacher2017-07-251-15/+15
| | | | | | | | | gensec_spnego_create_negTokenInit() This makes future diffs smaller. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
* auth/spnego: make the debug messages in gensec_spnego_create_negTokenInit() ↵Stefan Metzmacher2017-07-251-8/+10
| | | | | | | more useful Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
* auth/spnego: remove one more useless indentation level in ↵Stefan Metzmacher2017-07-251-33/+31
| | | | | | | | | gensec_spnego_create_negTokenInit() Check with git show -w -U20 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
* auth/spnego: introduce an early goto reply: for the server in ↵Stefan Metzmacher2017-07-251-41/+46
| | | | | | | | | | | gensec_spnego_create_negTokenInit() This removes a useless indentation level and simplifies future patches. Check with git show -w Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
* auth/spnego: move the output generation to the end of ↵Stefan Metzmacher2017-07-251-42/+44
| | | | | | | | | | | gensec_spnego_create_negTokenInit() This will simplify the diff of future patches. Check with git show -w Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
* auth/spnego: make the SPNEGO_FALLBACK continuation completely asyncStefan Metzmacher2017-07-251-12/+62
| | | | | Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
* auth/spnego: invert the fallback logic in gensec_spnego_client_negTokenInit()Stefan Metzmacher2017-07-251-7/+6
| | | | | | | We should do the return first, that will simplify further changes. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
* auth/spnego: split out gensec_spnego_update_pre/post() functionsStefan Metzmacher2017-07-251-81/+153
| | | | | | | | | | | For now we keep doing sync processing only, in future we'll do some preprocessing before a gensec_update_send() on the subcontext in gensec_spnego_update_pre() and handle the the result of gensec_update_recv() in gensec_spnego_update_post(). Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
* auth/spnego: inline gensec_spnego_parse_negTokenInit() into ↵Stefan Metzmacher2017-07-251-144/+123
| | | | | | | gensec_spnego_server_negTokenInit() Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
* auth/spnego: remove more dead code from gensec_spnego_parse_negTokenInit()Stefan Metzmacher2017-07-251-39/+1
| | | | | | | Now we finally have a logic that someone can understand while reading it. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
* auth/spnego: add an early return for OK or MORE PROCESSING in ↵Stefan Metzmacher2017-07-251-1/+1
| | | | | | | gensec_spnego_parse_negTokenInit() Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
* auth/spnego: add an early return for a hard error in ↵Stefan Metzmacher2017-07-251-0/+7
| | | | | | | gensec_spnego_parse_negTokenInit() Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
* auth/spnego: do an early return when we downgraded the mech in ↵Stefan Metzmacher2017-07-251-1/+1
| | | | | | | gensec_spnego_parse_negTokenInit() Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
* auth/spnego: remove one more useless indentation level from ↵Stefan Metzmacher2017-07-251-54/+58
| | | | | | | | | | gensec_spnego_parse_negTokenInit() Check with 'git show -w -U45' and carefully check the 'break' vs. 'continue' changes. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
* auth/spnego: remove dead code from gensec_spnego_parse_negTokenInit()Stefan Metzmacher2017-07-251-85/+0
| | | | | | | Check with git show -U15 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
* auth/spnego: remove unused indentation level from ↵Stefan Metzmacher2017-07-251-63/+65
| | | | | | | | | gensec_spnego_parse_negTokenInit() gensec_spnego_parse_negTokenInit() is only used as server now. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
* auth/spnego: inline gensec_spnego_parse_negTokenInit() client logic into ↵Stefan Metzmacher2017-07-251-7/+121
| | | | | | | gensec_spnego_client_negTokenInit() Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
* auth/spnego: let gensec_spnego_parse_negTokenInit() require client provides ↵Stefan Metzmacher2017-07-251-0/+7
| | | | | | | mechs Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
* auth/spnego: inline gensec_spnego_update_server() into ↵Stefan Metzmacher2017-07-251-36/+10
| | | | | | | gensec_spnego_update_send() Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
* auth/spnego: inline gensec_spnego_update_client() into ↵Stefan Metzmacher2017-07-251-38/+10
| | | | | | | gensec_spnego_update_send() Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
* auth/spnego: split out a gensec_spnego_server_negTokenTarg() functionStefan Metzmacher2017-07-251-115/+125
| | | | | Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
* auth/spnego: introduce a 'struct spnego_negTokenTarg *ta' helper variable in ↵Stefan Metzmacher2017-07-251-6/+7
| | | | | | | gensec_spnego_update_server() Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
* auth/spnego: split out a gensec_spnego_client_negTokenTarg() functionStefan Metzmacher2017-07-251-295/+324
| | | | | Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
* auth/spnego: make more use of the 'ta' helper variable in ↵Stefan Metzmacher2017-07-251-15/+15
| | | | | | | gensec_spnego_update_client() Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
* auth/spnego: split out a gensec_spnego_server_negTokenInit() function.Stefan Metzmacher2017-07-251-31/+42
| | | | | Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
* auth/spnego: split out a gensec_spnego_client_negTokenInit() function.Stefan Metzmacher2017-07-251-55/+68
| | | | | Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
* auth/spnego: make use of GENSEC_UPDATE_IS_NTERROR() in ↵Stefan Metzmacher2017-07-251-3/+2
| | | | | | | gensec_spnego_update_client() Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
* auth/spnego: make use of GENSEC_UPDATE_IS_NTERROR() in ↵Stefan Metzmacher2017-07-251-2/+1
| | | | | | | gensec_spnego_create_negTokenInit() Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
* auth/spnego: make use of GENSEC_UPDATE_IS_NTERROR() in ↵Stefan Metzmacher2017-07-251-17/+14
| | | | | | | | | gensec_spnego_update_send() Check with git show -U15 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
* auth/spnego: simplify the error handling logic in ↵Stefan Metzmacher2017-07-251-4/+2
| | | | | | | | | | | | gensec_spnego_parse_negTokenInit() We can just use GENSEC_UPDATE_IS_NTERROR() as NT_STATUS_INVALID_PARAMETER is mapped to NT_STATUS_MORE_PROCESSING_REQUIRED in the lines above. Check with git show -U10 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
* auth/spnego: call gensec_spnego_create_negTokenInit() directly in ↵Stefan Metzmacher2017-07-251-15/+18
| | | | | | | | | gensec_spnego_update_send() This simplifies further refactoring. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
* auth/spnego: do parse the incoming blob already in gensec_spnego_update_send()Stefan Metzmacher2017-07-251-124/+85
| | | | | | | It's easier to have this in one central place. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
View Lorry Controller Status