summaryrefslogtreecommitdiff
path: root/auth
Commit message (Collapse)AuthorAgeFilesLines
* CVE-2020-10704: lib util asn1: Add ASN.1 max tree depthGary Lockyer2020-04-211-1/+1
| | | | | | | | | | | | | Add maximum parse tree depth to the call to asn1_init, which will be used to limit the depth of the ASN.1 parse tree. Credit to OSS-Fuzz REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=20454 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14334 Signed-off-by: Gary Lockyer <gary@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* spnego: fix server handling of no optimistic exchangeIsaac Boukris2019-10-161-0/+13
| | | | | | | | | | | | BUG: https://bugzilla.samba.org/show_bug.cgi?id=14106 Signed-off-by: Isaac Boukris <iboukris@redhat.com> Reviewed-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org> Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org> Autobuild-Date(master): Sat Oct 12 15:51:42 UTC 2019 on sn-devel-184
* spnego: add client option to omit sending an optimistic tokenIsaac Boukris2019-10-161-0/+11
| | | | | | | | | BUG: https://bugzilla.samba.org/show_bug.cgi?id=14106 Signed-off-by: Isaac Boukris <iboukris@redhat.com> Reviewed-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
* spnego: ignore server mech_types listIsaac Boukris2019-10-161-5/+26
| | | | | | | | | | | | | We should not use the mech list sent by the server in the last 'negotiate' packet in CIFS protocol, as it is not protected and may be subject to downgrade attacks. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14106 Signed-off-by: Isaac Boukris <iboukris@redhat.com> Reviewed-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
* auth/gensec: fix non-AES schannel sealGünther Deschner2019-10-161-0/+9
| | | | | | | | | | BUG: https://bugzilla.samba.org/show_bug.cgi?id=14134 Guenther Signed-off-by: Guenther Deschner <gd@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org> (cherry picked from commit 709d54d68a9c2cb3cda91d9ab63228a7adbaceb4)
* auth/kerberos: clang: Fix same instances of 'Value stored is never read'Noel Power2019-07-081-7/+7
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Fixes: auth/kerberos/gssapi_pac.c:136:3: warning: Value stored to 'gss_maj' is never read <--[clang] gss_maj = gss_release_buffer(&gss_min, &pac_buffer); ^ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ auth/kerberos/gssapi_pac.c:137:3: warning: Value stored to 'gss_maj' is never read <--[clang] gss_maj = gss_release_buffer(&gss_min, &pac_display_buffer); ^ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ auth/kerberos/gssapi_pac.c:265:4: warning: Value stored to 'gss_maj' is never read <--[clang] gss_maj = gss_release_buffer_set(&gss_min, &set); ^ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ auth/kerberos/gssapi_pac.c:273:4: warning: Value stored to 'gss_maj' is never read <--[clang] gss_maj = gss_release_buffer_set(&gss_min, &set); ^ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ auth/kerberos/gssapi_pac.c:279:4: warning: Value stored to 'gss_maj' is never read <--[clang] gss_maj = gss_release_buffer_set(&gss_min, &set); ^ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ auth/kerberos/gssapi_pac.c:285:5: warning: Value stored to 'gss_maj' is never read <--[clang] gss_maj = gss_release_buffer_set(&gss_min, &set); ^ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ auth/kerberos/gssapi_pac.c:291:2: warning: Value stored to 'gss_maj' is never read <--[clang] gss_maj = gss_release_buffer_set(&gss_min, &set); ^ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 7 warnings generated. Signed-off-by: Noel Power <noel.power@suse.com> Reviewed-by: Gary Lockyer <gary@catalyst.net.nz> Autobuild-User(master): Noel Power <npower@samba.org> Autobuild-Date(master): Mon Jul 8 11:04:15 UTC 2019 on sn-devel-184
* Add PrimaryGroupId to group array in DC responseIsaac Boukris2019-07-031-2/+6
| | | | | | | | | | | | | | | | This is a simplified version of the original patch by: Felix Botner <botner@univention.de> BUG: https://bugzilla.samba.org/show_bug.cgi?id=11362 Pair-Programmed-With: Stefan Metzmacher <metze@samba.org> Signed-off-by: Isaac Boukris <iboukris@gmail.com> Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Autobuild-User(master): Stefan Metzmacher <metze@samba.org> Autobuild-Date(master): Wed Jul 3 13:52:55 UTC 2019 on sn-devel-184
* auth:ntlmssp: Use GnuTLS RC4 in ntlmssp serverAndreas Schneider2019-06-271-3/+23
| | | | | Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* auth:gensec: Return NTSTATUS for netsec_do_seal()Andreas Schneider2019-06-271-18/+33
| | | | | Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* auth:gensec: Use GnuTLS RC4 in netsec_do_seal()Andreas Schneider2019-06-271-6/+31
| | | | | Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* auth:gensec: Use GnuTLS RC4 in netsec_do_seq_num()Andreas Schneider2019-06-271-5/+24
| | | | | Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* libcli:auth: Return NTSTATUS for netlogon_creds_arcfour_crypt()Andreas Schneider2019-06-271-3/+8
| | | | | Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* lib/crypto: move gnutls error wrapper to own subsystemAndrew Bartlett2019-06-278-7/+8
| | | | | Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
* py3: Remove PyStr_FromString() compatability macroAndrew Bartlett2019-06-241-1/+1
| | | | | | | | We no longer need Samba to be py2/py3 compatible so we choose to return to the standard function names. Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Noel Power <noel.power@suse.com>
* auth:creds: Use gnutls_error_to_ntstatus() in credentials_ntlmAndreas Schneider2019-06-241-8/+3
| | | | | | Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* auth:ntlmssp: Use gnutls_error_to_ntstatus() in ntlmssp_signAndreas Schneider2019-06-241-16/+8
| | | | | | Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* auth:ntlmssp: Use gnutls_error_to_ntstatus() in ntlmssp_serverAndreas Schneider2019-06-241-17/+9
| | | | | | Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* auth:ntlmssp: Use gnutls_error_to_ntstatus() in ntlmssp_clientAndreas Schneider2019-06-241-7/+5
| | | | | | Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* auth:gensec: Use gnutls_error_to_ntstatus() in schannelAndreas Schneider2019-06-241-25/+14
| | | | | | Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* auth auth_log: csbuild unused parm transport_protectionGary Lockyer2019-06-131-2/+0
| | | | | | | | | | | | | | Fixes csbuild errors. Error: COMPILER_WARNING: auth/auth_log.c: scope_hint: In function ‘log_successful_authz_event_human_readable’ auth/auth_log.c:728:14: warning: unused parameter ‘transport_protection’ [-Wunused-param eter] Signed-off-by: Gary Lockyer <gary@catalyst.net.nz> Reviewed-by: Andreas Schneider <asn@samba.org>
* auth auth_log: csbuild unused parm unix_usernameGary Lockyer2019-06-132-7/+0
| | | | | | | | | | | | | | | | | | Fixes csbuild errors Error: COMPILER_WARNING: auth/auth_log.c: scope_hint: In function ‘log_authentication_event_json’ auth/auth_log.c:146:14: warning: unused parameter ‘unix_username’ [-Wunused-parameter] Error: COMPILER_WARNING: auth/auth_log.c: scope_hint: In function ‘log_authentication_event_human_readable’ auth/auth_log.c:586:14: warning: unused parameter ‘unix_username’ [-Wunused-parameter] Signed-off-by: Gary Lockyer <gary@catalyst.net.nz> Reviewed-by: Andreas Schneider <asn@samba.org>
* auth:gensec: Return NTSTATUS for netsec_do_seq_num()Andreas Schneider2019-05-211-8/+26
| | | | | Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* auth:gensec: Use GnuTLS HMAC MD5 and MD5 in netsec_do_sign()Andreas Schneider2019-05-211-11/+49
| | | | | Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* auth:gensec: Use GnuTLS HMAC MD5 in netsec_do_seal()Andreas Schneider2019-05-211-2/+24
| | | | | Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* auth:gensec: Use GnuTLS HMAC MD5 in netsec_do_seq_num()Andreas Schneider2019-05-211-2/+25
| | | | | Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* auth:creds: Use GnuTLS MD5 in ntlm credsAndreas Schneider2019-05-211-7/+32
| | | | | Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* auth:ntlmssp: Use GnuTLS MD5 and HMAC MD5 in ntlmssp signAndreas Schneider2019-05-211-25/+92
| | | | | Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* auth:ntlmssp: Use GnuTLS MD5 and HMAC MD5 in ntlmssp serverAndreas Schneider2019-05-211-31/+87
| | | | | Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* auth:ntlmssp: Use GnuTLS HMAC MD5 in ntlmssp clientAndreas Schneider2019-05-211-12/+45
| | | | | Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* squash 'cast between incompatible function types' warningNoel Power2019-05-161-1/+3
| | | | | | | | | | | | To avoid warning above produced by using -Wcast-function-type we; + ensure PyCFunctions of type METH_NOARGS defined dummy arg + ensure PyCFunctions of type METH_KEYWORDS use PY_DISCARD_FUNC_SIG macro Signed-off-by: Noel Power <noel.power@suse.com> Reviewed-by: Andreas Schneider <asn@samba.org>
* auth/creds/torture: add a test showing segfaultDouglas Bagnall2019-05-091-1/+45
| | | | | | | This file isn't actually run... Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
* auth/creds/guess: avoid segfault with NULL lp (CID 241187)Douglas Bagnall2019-05-091-1/+2
| | | | | Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
* auth:gensec: Add return code for netsec_do_sign()Andreas Schneider2019-04-301-16/+34
| | | | | Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* auth:gensec: Use GnuTLS SHA256 HMAC for schannelAndreas Schneider2019-04-301-10/+34
| | | | | Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* credentials: Workaround krb5_cc_remove_cred not implemented in MIT kerberosSamuel Cabrero2019-04-291-0/+149
| | | | | | | | | Signed-off-by: Samuel Cabrero <scabrero@suse.de> Reviewed-by: Andreas Schneider <asn@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org> Autobuild-User(master): Jeremy Allison <jra@samba.org> Autobuild-Date(master): Mon Apr 29 19:15:48 UTC 2019 on sn-devel-184
* credentials: Initialize krb5 client to retrieve creds from ccacheSamuel Cabrero2019-04-291-0/+15
| | | | | | | | | MIT kerberos require krb5_creds.client to be initialized to match krb5_creds.server with the cached credentials. Signed-off-by: Samuel Cabrero <scabrero@suse.de> Reviewed-by: Andreas Schneider <asn@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
* auth: Add necessary decoration to auth/auth_util.hVolker Lendecke2019-04-031-0/+9
| | | | | Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
* auth:creds: Prefer the principal over DOMAIN/username when using NTLMAndreas Schneider2019-04-021-1/+1
| | | | | | | | | | | | | If we want to authenticate using -Wadmin@otherdomain the DC should do take care of the authentication with the right DC for us. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13861 Pair-Programmed-With: Guenther Deschner <gd@samba.org> Signed-off-by: Guenther Deschner <gd@samba.org> Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* auth:ntlmssp: Add back CRAP ndr debug outputGuenther Deschner2019-04-021-0/+32
| | | | | | | | | | | | This got lost somehow during refactoring. This is still viable information when trying to figure out what is going wrong when authenticating a user over NTLMSSP. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13861 Signed-off-by: Guenther Deschner <gd@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* build: Remove bld.gen_python_environments()Andrew Bartlett2019-03-211-8/+7
| | | | | | | This was part of --extra-python support. Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Garming Sam <garming@catalyst.net.nz>
* auth:gensec: Make sure we zero the checksum after useAndreas Schneider2019-02-271-0/+2
| | | | | Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
* auth log: Log the netlogon logon id.Gary Lockyer2019-02-202-1/+11
| | | | | | | | | | Add code to log the logonId in the JSON Authentication messages. The version number for Authentication messages changes from 1.1 to 1.2 to reflect this. Signed-off-by: Gary Lockyer <gary@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* Decrement references to python objects passed to Py_BuildValueNoel Power2019-02-071-3/+4
| | | | | | | | | | | | | | Py_BuildValue when processing format 'O' will 'Pass a Python object untouched (except for its reference count, which is incremented by one' Basically this means if you are using a new reference to a PyObject to pass to BuildValue (to be used with the 'O' format) the reference *isn't* stolen so you really do need to DECREF it in order to ensure it gets cleaned up. Signed-off-by: Noel Power <noel.power@suse.com> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
* auth:gensec: Use C99 initializer in schannelAndreas Schneider2019-01-281-1/+3
| | | | | Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
* auth:creds: Use C99 initializer for PyMethodDefAndreas Schneider2019-01-281-120/+279
| | | | | Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
* auth/credentials: use 'et' as format for ParseTuple with python2Noel Power2019-01-131-1/+1
| | | | | Signed-off-by: Noel Power <noel.power@suse.com> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
* auth/gensec: enforce that all DCERPC contexts support SIGN_PKT_HEADERStefan Metzmacher2018-12-231-0/+16
| | | | | | | | | | | | | | | That's currently always the case and will simplifies the callers. WORKS now??? TDB_NO_FSYNC=1 buildnice make -j test FAIL_IMMEDIATELY=1 SOCKET_WRAPPER_KEEP_PCAP=1 TESTS='samba4.rpc.lsa.secrets.*ncacn_np.*Kerberos.*Samba3.*fl2000dc' and TDB_NO_FSYNC=1 buildnice make -j test FAIL_IMMEDIATELY=1 SOCKET_WRAPPER_KEEP_PCAP=1 TESTS='samba3.rpc.lsa.*ncacn_ip_tcp.*nt4_dc' Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org> Autobuild-User(master): Jeremy Allison <jra@samba.org> Autobuild-Date(master): Sun Dec 23 21:33:51 CET 2018 on sn-devel-144
* auth log: Increment Authentication versionGary Lockyer2018-12-141-1/+1
| | | | | | | | Update the minor version of the Authorisation to reflect the addition of the "eventId" and "logonType" elements. Signed-off-by: Gary Lockyer <gary@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* auth log: Add windows logon type codesGary Lockyer2018-12-141-0/+29
| | | | | | | | | | | Add a new "logonType" element to the Authorisation JSON log messages. This contains a Windows Logon Type, the supported logon types are: 2 Interactive 3 Network 8 NetworkCleartext Signed-off-by: Gary Lockyer <gary@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* auth log: Add windows event codesGary Lockyer2018-12-141-0/+12
| | | | | | | | | | Add a new "eventId" element to the Authorisation JSON log messages. This contains a Windows Event Code Id either: 4624 Successful logon 4625 Unsuccessful logon Signed-off-by: Gary Lockyer <gary@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
View Lorry Controller Status