path: root/auth
Commit log (each entry: commit message, then author, date, files changed, lines -removed/+added, then the full commit message)

* Fix clang 9 missing-field-initializer warnings
  Gary Lockyer, 2020-05-08, 1 file, -1/+1
  Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
  Reviewed-by: Andreas Schneider <asn@samba.org>

* CVE-2020-10704: lib util asn1: Add ASN.1 max tree depth
  Gary Lockyer, 2020-05-04, 1 file, -1/+1
  Add maximum parse tree depth to the call to asn1_init, which will be used to limit the depth of the ASN.1 parse tree.
  Credit to OSS-Fuzz
  REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=20454
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14334
  Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>

* py3: Remove #define PyInt_FromLong PyLong_FromLong
  Andrew Bartlett, 2020-03-23, 1 file, -22/+22
  This allows us to end the use of Python 2/3 compatibility macros.
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Noel Power

* auth:ntlmssp: Mark as weak_crypto
  Andreas Schneider, 2020-03-19, 1 file, -0/+2
  Signed-off-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>

* gensec: Add a check if a gensec module implements weak crypto
  Andreas Schneider, 2020-03-19, 2 files, -1/+13
  Signed-off-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>

* auth/credentials: Test connecting to LDAP with a "virtual user" style account
  Andrew Bartlett, 2020-02-14, 1 file, -1/+51
  This type of account is often used by e-mail hosting platforms that do not wish to create an AD domain for each DNS domain that they host mail for.
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=13598
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Isaac Boukris <iboukris@samba.org>

* auth/gensec: map NT_STATUS_{INVALID_ACCOUNT_NAME,NO_SUCH_DOMAIN} to NT_STATUS_NO_SUCH_USER
  Stefan Metzmacher, 2020-02-10, 1 file, -2/+37
  This means nt_status_squash() will map NT_STATUS_NO_SUCH_USER to LOGON_FAILURE later.
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>

* gensec/spnego: fallback on INVALID_{ACCOUNT,COMPUTER}_NAME and NO_SUCH_DOMAIN
  Stefan Metzmacher, 2020-02-10, 1 file, -0/+3
  I think it's better to handle them in spnego.c, instead of squashing them already in the gssapi/gse modules.
  This is related to KRB5KDC_ERR_{C,S}_PRINCIPAL_UNKNOWN and KRB5_REALM_UNKNOWN.
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>

* auth/kerberos: add auth4_context_{for,get}_PAC_DATA_CTR() helpers
  Stefan Metzmacher, 2020-02-10, 2 files, -0/+95
  This adds a generic way to get to the raw (verified) PAC and will be used in multiple places in future.
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>

* pytests: heed assertEquals deprecation warning en-masse
  Douglas Bagnall, 2020-02-07, 1 file, -3/+3
  TestCase.assertEquals() is an alias for TestCase.assertEqual() and has been deprecated since Python 2.7.
  When we run our tests in Python developer mode (`PYTHONDEVMODE=1 make test`) we get 580 DeprecationWarnings about this.
  Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
  Reviewed-by: Noel Power <npower@samba.org>

* auth: Simplify struct auth4_context
  Volker Lendecke, 2020-01-06, 2 files, -53/+6
  The fake async code has been pushed down into the 3 users, remove the sync callback. Overall it's more lines of code, but the central interface is simplified.
  Signed-off-by: Volker Lendecke <vl@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
  Autobuild-User(master): Jeremy Allison <jra@samba.org>
  Autobuild-Date(master): Mon Jan 6 23:34:00 UTC 2020 on sn-devel-184

* smbdes: convert E_P24() and SMBOWFencrypt to use gnutls
  Isaac Boukris, 2019-12-10, 1 file, -9/+22
  Signed-off-by: Isaac Boukris <iboukris@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>

* SMBsesskeygen_lm_sess_key: use gnutls and return NTSTATUS
  Isaac Boukris, 2019-12-10, 2 files, -8/+23
  Signed-off-by: Isaac Boukris <iboukris@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>

* auth:pycreds: Check return code of netlogon_creds_client_authenticator()
  Andreas Schneider, 2019-11-14, 1 file, -3/+8
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14195
  Signed-off-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>

* spnego: fix server handling of no optimistic exchange
  Isaac Boukris, 2019-10-12, 1 file, -0/+13
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14106
  Signed-off-by: Isaac Boukris <iboukris@redhat.com>
  Reviewed-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
  Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
  Autobuild-Date(master): Sat Oct 12 15:51:42 UTC 2019 on sn-devel-184

* spnego: add client option to omit sending an optimistic token
  Isaac Boukris, 2019-10-12, 1 file, -0/+11
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14106
  Signed-off-by: Isaac Boukris <iboukris@redhat.com>
  Reviewed-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>

* spnego: ignore server mech_types list
  Isaac Boukris, 2019-10-12, 1 file, -5/+26
  We should not use the mech list sent by the server in the last 'negotiate' packet in CIFS protocol, as it is not protected and may be subject to downgrade attacks.
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14106
  Signed-off-by: Isaac Boukris <iboukris@redhat.com>
  Reviewed-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>

* auth/gensec: fix AES schannel seal and unseal
  Günther Deschner, 2019-10-07, 1 file, -17/+30
  Workaround bug present in gnutls 3.6.8: gnutls_cipher_decrypt() uses an optimization internally that breaks decryption when processing buffers with their length not being a multiple of the blocksize.
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Pair-Programmed-With: Guenther Deschner <gd@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>

* auth/gensec: fix non-AES schannel seal
  Günther Deschner, 2019-10-07, 1 file, -0/+9
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14134
  Guenther
  Signed-off-by: Guenther Deschner <gd@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>

* Spelling fixes s/withing/within/
  Mathieu Parent, 2019-09-01, 1 file, -2/+2
  Signed-off-by: Mathieu Parent <math.parent@gmail.com>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>

* auth/gensec: Use gnutls_error_to_ntstatus() in netsec_do_seal()
  Andrew Bartlett, 2019-08-21, 1 file, -12/+4
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>

* auth:gensec: Use GnuTLS AES CFB8 in netsec_do_seal()
  Andreas Schneider, 2019-08-21, 1 file, -1/+94
  Signed-off-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>

* auth/gensec: Use gnutls_error_to_ntstatus() consistently in schannel
  Andrew Bartlett, 2019-08-21, 1 file, -9/+7
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>

* auth:gensec: Use GnuTLS AES128 CFB8 in netsec_do_seq_num()
  Andreas Schneider, 2019-08-21, 1 file, -0/+40
  Signed-off-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>

* auth/credentials: Check NTSTATUS return from netlogon_creds_aes_encrypt()
  Andrew Bartlett, 2019-08-21, 1 file, -7/+7
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>

* auth:ntlmssp: Use generate_random_buffer() for session keys
  Andreas Schneider, 2019-08-14, 1 file, -1/+1
  Signed-off-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Alexander Bokovoy <ab@samba.org>
  Autobuild-User(master): Alexander Bokovoy <ab@samba.org>
  Autobuild-Date(master): Wed Aug 14 16:26:47 UTC 2019 on sn-devel-184

* auth:ntlmssp: Use GnuTLS RC4 for ntlmssp signing
  Andreas Schneider, 2019-07-26, 2 files, -43/+174
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14031
  Signed-off-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>

* auth:ntlmssp: Use GnuTLS RC4 in ntlmssp client
  Andreas Schneider, 2019-07-26, 1 file, -1/+27
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14031
  Signed-off-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>

* auth/pycreds/encrypt_netr_crypt_password: don't pretend arg is optional
  Douglas Bagnall, 2019-07-22, 1 file, -1/+1
  The "|O" signature is saying the password argument is optional, which makes no sense in terms of the function and immediately leads to a TypeError (or until last commit, segfault). Removing the "|" leaves it with a TypeError, but it is better worded and faster.
  Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
  Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>

* auth/pycreds/encrypt_netr_crypt_password: don't segfault
  Douglas Bagnall, 2019-07-22, 1 file, -0/+5
  Non-talloc objects were treated as talloc objects, to no good effect
  Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
  Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>

* pycredentials.h: use import to ensure python type correctness
  Douglas Bagnall, 2019-07-22, 2 files, -10/+12
  Because we include pyrpc_util.h, pycredentials doesn't need its own PyStringFromStringOrNull().
  Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
  Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>

* auth/pycredentials: always check self is a Credentials object
  Douglas Bagnall, 2019-07-22, 1 file, -39/+247
  This prevents a segfault with credentials.Credentials.guess(x) where x is not a Credentials object.
  Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
  Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>

* auth/gensec: clang: Fix 'Value stored to 'status' is never read'
  Noel Power, 2019-07-11, 1 file, -2/+0
  Fixes:
  auth/gensec/spnego.c:877:2: warning: Value stored to 'status' is never read <--[clang]
          status = sub_status;
          ^        ~~~~~~~~~~
  1 warning generated.
  Signed-off-by: Noel Power <noel.power@suse.com>
  Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>

* auth/kerberos: clang: Fix same instances of 'Value stored is never read'
  Noel Power, 2019-07-08, 1 file, -7/+7
  Fixes:
  auth/kerberos/gssapi_pac.c:136:3: warning: Value stored to 'gss_maj' is never read <--[clang]
          gss_maj = gss_release_buffer(&gss_min, &pac_buffer);
          ^         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  auth/kerberos/gssapi_pac.c:137:3: warning: Value stored to 'gss_maj' is never read <--[clang]
          gss_maj = gss_release_buffer(&gss_min, &pac_display_buffer);
          ^         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  auth/kerberos/gssapi_pac.c:265:4: warning: Value stored to 'gss_maj' is never read <--[clang]
          gss_maj = gss_release_buffer_set(&gss_min, &set);
          ^         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  auth/kerberos/gssapi_pac.c:273:4: warning: Value stored to 'gss_maj' is never read <--[clang]
          gss_maj = gss_release_buffer_set(&gss_min, &set);
          ^         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  auth/kerberos/gssapi_pac.c:279:4: warning: Value stored to 'gss_maj' is never read <--[clang]
          gss_maj = gss_release_buffer_set(&gss_min, &set);
          ^         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  auth/kerberos/gssapi_pac.c:285:5: warning: Value stored to 'gss_maj' is never read <--[clang]
          gss_maj = gss_release_buffer_set(&gss_min, &set);
          ^         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  auth/kerberos/gssapi_pac.c:291:2: warning: Value stored to 'gss_maj' is never read <--[clang]
          gss_maj = gss_release_buffer_set(&gss_min, &set);
          ^         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  7 warnings generated.
  Signed-off-by: Noel Power <noel.power@suse.com>
  Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
  Autobuild-User(master): Noel Power <npower@samba.org>
  Autobuild-Date(master): Mon Jul 8 11:04:15 UTC 2019 on sn-devel-184

* Add PrimaryGroupId to group array in DC response
  Isaac Boukris, 2019-07-03, 1 file, -2/+6
  This is a simplified version of the original patch by: Felix Botner <botner@univention.de>
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=11362
  Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
  Signed-off-by: Isaac Boukris <iboukris@gmail.com>
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
  Autobuild-Date(master): Wed Jul 3 13:52:55 UTC 2019 on sn-devel-184

* auth:ntlmssp: Use GnuTLS RC4 in ntlmssp server
  Andreas Schneider, 2019-06-27, 1 file, -3/+23
  Signed-off-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>

* auth:gensec: Return NTSTATUS for netsec_do_seal()
  Andreas Schneider, 2019-06-27, 1 file, -18/+33
  Signed-off-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>

* auth:gensec: Use GnuTLS RC4 in netsec_do_seal()
  Andreas Schneider, 2019-06-27, 1 file, -6/+31
  Signed-off-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>

* auth:gensec: Use GnuTLS RC4 in netsec_do_seq_num()
  Andreas Schneider, 2019-06-27, 1 file, -5/+24
  Signed-off-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>

* libcli:auth: Return NTSTATUS for netlogon_creds_arcfour_crypt()
  Andreas Schneider, 2019-06-27, 1 file, -3/+8
  Signed-off-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>

* lib/crypto: move gnutls error wrapper to own subsystem
  Andrew Bartlett, 2019-06-27, 8 files, -7/+8
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>

* py3: Remove PyStr_FromString() compatibility macro
  Andrew Bartlett, 2019-06-24, 1 file, -1/+1
  We no longer need Samba to be py2/py3 compatible so we choose to return to the standard function names.
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Noel Power <noel.power@suse.com>

* auth:creds: Use gnutls_error_to_ntstatus() in credentials_ntlm
  Andreas Schneider, 2019-06-24, 1 file, -8/+3
  Signed-off-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>

* auth:ntlmssp: Use gnutls_error_to_ntstatus() in ntlmssp_sign
  Andreas Schneider, 2019-06-24, 1 file, -16/+8
  Signed-off-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>

* auth:ntlmssp: Use gnutls_error_to_ntstatus() in ntlmssp_server
  Andreas Schneider, 2019-06-24, 1 file, -17/+9
  Signed-off-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>

* auth:ntlmssp: Use gnutls_error_to_ntstatus() in ntlmssp_client
  Andreas Schneider, 2019-06-24, 1 file, -7/+5
  Signed-off-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>

* auth:gensec: Use gnutls_error_to_ntstatus() in schannel
  Andreas Schneider, 2019-06-24, 1 file, -25/+14
  Signed-off-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>

* auth auth_log: csbuild unused parm transport_protection
  Gary Lockyer, 2019-06-13, 1 file, -2/+0
  Fixes csbuild errors.
  Error: COMPILER_WARNING:
  auth/auth_log.c: scope_hint: In function ‘log_successful_authz_event_human_readable’
  auth/auth_log.c:728:14: warning: unused parameter ‘transport_protection’ [-Wunused-parameter]
  Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
  Reviewed-by: Andreas Schneider <asn@samba.org>

* auth auth_log: csbuild unused parm unix_username
  Gary Lockyer, 2019-06-13, 2 files, -7/+0
  Fixes csbuild errors
  Error: COMPILER_WARNING:
  auth/auth_log.c: scope_hint: In function ‘log_authentication_event_json’
  auth/auth_log.c:146:14: warning: unused parameter ‘unix_username’ [-Wunused-parameter]
  Error: COMPILER_WARNING:
  auth/auth_log.c: scope_hint: In function ‘log_authentication_event_human_readable’
  auth/auth_log.c:586:14: warning: unused parameter ‘unix_username’ [-Wunused-parameter]
  Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
  Reviewed-by: Andreas Schneider <asn@samba.org>

* auth:gensec: Return NTSTATUS for netsec_do_seq_num()
  Andreas Schneider, 2019-05-21, 1 file, -8/+26
  Signed-off-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>