summaryrefslogtreecommitdiff
path: root/auth/gensec
Commit message (Collapse)AuthorAgeFilesLines
* spelling: connnect encrytion exisit expection explicit invalide missmatch ↵Michael Tokarev2022-06-101-2/+2
| | | | | | | | | | | | | | | | | | paramater paramter partion privilige relase reponse seperate unkown verson authencication progagated Tree-wide spellcheck for some common misspellings. source3/utils/status.c has misspelled local variable (unkown_dialect). "missmatch" is a known historical misspelling, only the incorrect misspellings are fixed. source3/locale/net/de.po has the spelling error (unkown) in two msgids - it probably should be updated with current source. Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
* lib/util: Change function to mem_equal_const_time()Joseph Sutton2022-06-091-5/+5
| | | | | | | | | | Since memcmp_const_time() doesn't act as an exact replacement for memcmp(), and its return value is only ever compared with zero, simplify it and emphasize the intention of checking equality by returning a bool instead. Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* auth: Use constant-time memcmp when comparing sensitive buffersJoseph Sutton2022-06-091-2/+2
| | | | | | | | | This helps to avoid timing attacks. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15010 Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* auth: Fix a typo in auth/gensec/ncalrpc.cVolker Lendecke2021-12-101-1/+1
| | | | | Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
* IPA DC: add missing checksAlexander Bokovoy2021-11-131-0/+1
| | | | | | | | | | | | | | | When introducing FreeIPA support, two places were forgotten: - schannel gensec module needs to be aware of IPA DC - _lsa_QueryInfoPolicy should treat IPA DC as PDC BUG: https://bugzilla.samba.org/show_bug.cgi?id=14903 Signed-off-by: Alexander Bokovoy <ab@samba.org> Reviewed-by: Guenther Deschner <gd@samba.org> Autobuild-User(master): Alexander Bokovoy <ab@samba.org> Autobuild-Date(master): Sat Nov 13 07:01:26 UTC 2021 on sn-devel-184
* CVE-2020-25719 CVE-2020-25717: auth/gensec: always require a PAC in domain ↵Stefan Metzmacher2021-11-091-4/+23
| | | | | | | | | | | | | | | | | | | mode (DC or member) AD domains always provide a PAC unless UF_NO_AUTH_DATA_REQUIRED is set on the service account, which can only be explicitly configured, but that's an invalid configuration! We still try to support standalone servers in an MIT realm, as legacy setup. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> [jsutton@samba.org Removed knownfail entries]
* auth:gensec: Use lpcfg_weak_crypto()Andreas Schneider2021-08-031-2/+3
| | | | | | Pair-Programmed-With: Stefan Metzmacher <metze@samba.org> Signed-off-by: Andreas Schneider <asn@samba.org> Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* gensec: Slightly simplify gensec_generate_session_info_pac()Volker Lendecke2021-04-271-11/+19
| | | | | | | Reduce indentation by an early error return and by introducing a helper variable. Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
* gensec: Remove gensec_security_all(), it was only used internallyVolker Lendecke2021-04-062-9/+2
| | | | | Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
* auth:creds: Rename CRED_USE_KERBEROS valuesAndreas Schneider2020-11-031-4/+4
| | | | Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org>
* auth:gensec: If Kerberos is required, keep schannel for machine account authStefan Metzmacher2020-09-071-0/+9
| | | | | Signed-off-by: Stefan Metzmacher <metze@samba.org> Signed-off-by: Andreas Schneider <asn@samba.org>
* auth:gensec: Pass use_kerberos and keep_schannel to gensec_use_kerberos_mechs()Stefan Metzmacher2020-09-071-12/+14
| | | | | Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
* auth:gensec: Make gensec_use_kerberos_mechs() a static functionStefan Metzmacher2020-09-072-6/+4
| | | | | Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
* auth:gensec: Add gensec_security_sasl_names()Stefan Metzmacher2020-09-072-0/+89
| | | | | | | Pair-Programmed-With: Andreas Schneider <asn@samba.org> Signed-off-by: Andreas Schneider <asn@samba.org> Signed-off-by: Stefan Metzmacher <metze@samba.org>
* lib/util: remove extra safe_string.h fileMatthew DeVore2020-08-281-0/+2
| | | | | | | | | | | | | | | | | | lib/util/safe_string.h is similar to source3/include/safe_string.h, but the former has fewer checks. It is missing bcopy, strcasecmp, and strncasecmp. Add the missing elements to lib/util/safe_string.h remove the other safe_string.h which is in the source3-specific path. To accomodate existing uses of str(n?)casecmp, add #undef lines to source files where they are used. Signed-off-by: Matthew DeVore <matvore@google.com> Reviewed-by: David Mulder <dmulder@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org> Autobuild-User(master): Jeremy Allison <jra@samba.org> Autobuild-Date(master): Fri Aug 28 02:18:40 UTC 2020 on sn-devel-184
* gensec: Fix a typoVolker Lendecke2020-08-171-1/+1
| | | | | Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
* CVE-2020-10704: lib util asn1: Add ASN.1 max tree depthGary Lockyer2020-05-041-1/+1
| | | | | | | | | | | | | Add maximum parse tree depth to the call to asn1_init, which will be used to limit the depth of the ASN.1 parse tree. Credit to OSS-Fuzz REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=20454 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14334 Signed-off-by: Gary Lockyer <gary@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* gensec: Add a check if a gensec module implements weak cryptoAndreas Schneider2020-03-192-1/+13
| | | | | Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* auth/gensec: map NT_STATUS_{INVALID_ACCOUNT_NAME,NO_SUCH_DOMAIN} to ↵Stefan Metzmacher2020-02-101-2/+37
| | | | | | | | | | NT_STATUS_NO_SUCH_USER This means nt_status_squash() will map NT_STATUS_NO_SUCH_USER to LOGON_FAILURE later. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
* gensec/spnego: fallback on INVALID_{ACCOUNT,COMPUTER}_NAME and NO_SUCH_DOMAINStefan Metzmacher2020-02-101-0/+3
| | | | | | | | | I think it's better to handle them in spnego.c, instead of squashing them already in the gssapi/gse modules. This is related to KRB5KDC_ERR_{C,S}_PRINCIPAL_UNKNOWN and KRB5_REALM_UNKNOWN. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
* spnego: fix server handling of no optimistic exchangeIsaac Boukris2019-10-121-0/+13
| | | | | | | | | | | | BUG: https://bugzilla.samba.org/show_bug.cgi?id=14106 Signed-off-by: Isaac Boukris <iboukris@redhat.com> Reviewed-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org> Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org> Autobuild-Date(master): Sat Oct 12 15:51:42 UTC 2019 on sn-devel-184
* spnego: add client option to omit sending an optimistic tokenIsaac Boukris2019-10-121-0/+11
| | | | | | | | | BUG: https://bugzilla.samba.org/show_bug.cgi?id=14106 Signed-off-by: Isaac Boukris <iboukris@redhat.com> Reviewed-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
* spnego: ignore server mech_types listIsaac Boukris2019-10-121-5/+26
| | | | | | | | | | | | | We should not use the mech list sent by the server in the last 'negotiate' packet in CIFS protocol, as it is not protected and may be subject to downgrade attacks. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14106 Signed-off-by: Isaac Boukris <iboukris@redhat.com> Reviewed-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
* auth/gensec: fix AES schannel seal and unsealGünther Deschner2019-10-071-17/+30
| | | | | | | | | | | | | Workaround bug present in gnutls 3.6.8: gnutls_cipher_decrypt() uses an optimization internally that breaks decryption when processing buffers with their length not being a multiple of the blocksize. Signed-off-by: Stefan Metzmacher <metze@samba.org> Pair-Programmed-With: Guenther Deschner <gd@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
* auth/gensec: fix non-AES schannel sealGünther Deschner2019-10-071-0/+9
| | | | | | | | | BUG: https://bugzilla.samba.org/show_bug.cgi?id=14134 Guenther Signed-off-by: Guenther Deschner <gd@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
* Spelling fixes s/withing/within/Mathieu Parent2019-09-011-2/+2
| | | | | | Signed-off-by: Mathieu Parent <math.parent@gmail.com> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
* auth/gensec: Use gnutls_error_to_ntstatus() in netsec_do_seal()Andrew Bartlett2019-08-211-12/+4
| | | | | Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
* auth:gensec: Use GnuTLS AES CFB8 in netsec_do_seal()Andreas Schneider2019-08-211-1/+94
| | | | | Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* auth/gensec: Use gnutls_error_to_ntstatus() consistently in schannelAndrew Bartlett2019-08-211-9/+7
| | | | | Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
* auth:gensec: Use GnuTLS AES128 CFB8 in netsec_do_seq_num()Andreas Schneider2019-08-211-0/+40
| | | | | Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* auth/gensec: clang: Fix 'Value stored to 'status' is never read'Noel Power2019-07-111-2/+0
| | | | | | | | | | | | Fixes: auth/gensec/spnego.c:877:2: warning: Value stored to 'status' is never read <--[clang] status = sub_status; ^ ~~~~~~~~~~ 1 warning generated. Signed-off-by: Noel Power <noel.power@suse.com> Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
* auth:gensec: Return NTSTATUS for netsec_do_seal()Andreas Schneider2019-06-271-18/+33
| | | | | Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* auth:gensec: Use GnuTLS RC4 in netsec_do_seal()Andreas Schneider2019-06-271-6/+31
| | | | | Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* auth:gensec: Use GnuTLS RC4 in netsec_do_seq_num()Andreas Schneider2019-06-271-5/+24
| | | | | Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* lib/crypto: move gnutls error wrapper to own subsystemAndrew Bartlett2019-06-272-2/+2
| | | | | Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
* auth:gensec: Use gnutls_error_to_ntstatus() in schannelAndreas Schneider2019-06-241-25/+14
| | | | | | Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* auth:gensec: Return NTSTATUS for netsec_do_seq_num()Andreas Schneider2019-05-211-8/+26
| | | | | Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* auth:gensec: Use GnuTLS HMAC MD5 and MD5 in netsec_do_sign()Andreas Schneider2019-05-211-11/+49
| | | | | Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* auth:gensec: Use GnuTLS HMAC MD5 in netsec_do_seal()Andreas Schneider2019-05-211-2/+24
| | | | | Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* auth:gensec: Use GnuTLS HMAC MD5 in netsec_do_seq_num()Andreas Schneider2019-05-211-2/+25
| | | | | Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* auth:gensec: Add return code for netsec_do_sign()Andreas Schneider2019-04-301-16/+34
| | | | | Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* auth:gensec: Use GnuTLS SHA256 HMAC for schannelAndreas Schneider2019-04-301-10/+34
| | | | | Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* auth:gensec: Make sure we zero the checksum after useAndreas Schneider2019-02-271-0/+2
| | | | | Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
* auth:gensec: Use C99 initializer in schannelAndreas Schneider2019-01-281-1/+3
| | | | | Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
* auth/gensec: enforce that all DCERPC contexts support SIGN_PKT_HEADERStefan Metzmacher2018-12-231-0/+16
| | | | | | | | | | | | | | | That's currently always the case and will simplifies the callers. WORKS now??? TDB_NO_FSYNC=1 buildnice make -j test FAIL_IMMEDIATELY=1 SOCKET_WRAPPER_KEEP_PCAP=1 TESTS='samba4.rpc.lsa.secrets.*ncacn_np.*Kerberos.*Samba3.*fl2000dc' and TDB_NO_FSYNC=1 buildnice make -j test FAIL_IMMEDIATELY=1 SOCKET_WRAPPER_KEEP_PCAP=1 TESTS='samba3.rpc.lsa.*ncacn_ip_tcp.*nt4_dc' Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org> Autobuild-User(master): Jeremy Allison <jra@samba.org> Autobuild-Date(master): Sun Dec 23 21:33:51 CET 2018 on sn-devel-144
* auth:gensec: Add FALL_THROUGH statements in spnego.cAndreas Schneider2018-03-011-1/+1
| | | | | Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* define DBGC_AUTH classkkplein2018-01-087-0/+21
| | | | | | Signed-off-by: Mourik Jan C Heupink <heupink@merit.unu.edu> Reviewed-by: Garming Sam <garming@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* auth/gensec: finally remove unused gensec_update_ev()Stefan Metzmacher2017-07-252-37/+23
| | | | | | | | Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org> Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org> Autobuild-Date(master): Tue Jul 25 17:42:55 CEST 2017 on sn-devel-144
* auth/gensec: don't allow gensec_update[_ev] to be called on a subcontextStefan Metzmacher2017-07-251-0/+7
| | | | | Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
* auth/gensec: make use of gensec_update_send/recv in gensec_update_ev()Stefan Metzmacher2017-07-251-20/+2
| | | | | Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
View Lorry Controller Status