summaryrefslogtreecommitdiff
path: root/auth
Commit message (Collapse)AuthorAgeFilesLines
* spnego: fix server handling of no optimistic exchangeIsaac Boukris2019-10-121-0/+13
| | | | | | | | | | | | BUG: https://bugzilla.samba.org/show_bug.cgi?id=14106 Signed-off-by: Isaac Boukris <iboukris@redhat.com> Reviewed-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org> Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org> Autobuild-Date(master): Sat Oct 12 15:51:42 UTC 2019 on sn-devel-184
* spnego: add client option to omit sending an optimistic tokenIsaac Boukris2019-10-121-0/+11
| | | | | | | | | BUG: https://bugzilla.samba.org/show_bug.cgi?id=14106 Signed-off-by: Isaac Boukris <iboukris@redhat.com> Reviewed-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
* spnego: ignore server mech_types listIsaac Boukris2019-10-121-5/+26
| | | | | | | | | | | | | We should not use the mech list sent by the server in the last 'negotiate' packet in CIFS protocol, as it is not protected and may be subject to downgrade attacks. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14106 Signed-off-by: Isaac Boukris <iboukris@redhat.com> Reviewed-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
* auth/gensec: fix AES schannel seal and unsealGünther Deschner2019-10-071-17/+30
| | | | | | | | | | | | | Workaround bug present in gnutls 3.6.8: gnutls_cipher_decrypt() uses an optimization internally that breaks decryption when processing buffers with their length not being a multiple of the blocksize. Signed-off-by: Stefan Metzmacher <metze@samba.org> Pair-Programmed-With: Guenther Deschner <gd@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
* auth/gensec: fix non-AES schannel sealGünther Deschner2019-10-071-0/+9
| | | | | | | | | BUG: https://bugzilla.samba.org/show_bug.cgi?id=14134 Guenther Signed-off-by: Guenther Deschner <gd@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
* Spelling fixes s/withing/within/Mathieu Parent2019-09-011-2/+2
| | | | | | Signed-off-by: Mathieu Parent <math.parent@gmail.com> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
* auth/gensec: Use gnutls_error_to_ntstatus() in netsec_do_seal()Andrew Bartlett2019-08-211-12/+4
| | | | | Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
* auth:gensec: Use GnuTLS AES CFB8 in netsec_do_seal()Andreas Schneider2019-08-211-1/+94
| | | | | Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* auth/gensec: Use gnutls_error_to_ntstatus() consistently in schannelAndrew Bartlett2019-08-211-9/+7
| | | | | Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
* auth:gensec: Use GnuTLS AES128 CFB8 in netsec_do_seq_num()Andreas Schneider2019-08-211-0/+40
| | | | | Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* auth/credentials: Check NTSTATUS return from netlogon_creds_aes_encrypt()Andrew Bartlett2019-08-211-7/+7
| | | | | Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
* auth:ntlmssp: Use generate_random_buffer() for session keysAndreas Schneider2019-08-141-1/+1
| | | | | | | | Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org> Autobuild-User(master): Alexander Bokovoy <ab@samba.org> Autobuild-Date(master): Wed Aug 14 16:26:47 UTC 2019 on sn-devel-184
* auth:ntlmssp: Use GnuTLS RC4 for ntlmssp signingAndreas Schneider2019-07-262-43/+174
| | | | | | | BUG: https://bugzilla.samba.org/show_bug.cgi?id=14031 Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* auth:ntlmssp: Use GnuTLS RC4 in ntlmssp clientAndreas Schneider2019-07-261-1/+27
| | | | | | | BUG: https://bugzilla.samba.org/show_bug.cgi?id=14031 Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* auth/pycreds/encrypt_netr_crypt_password: don't pretend arg is optionalDouglas Bagnall2019-07-221-1/+1
| | | | | | | | | | | The "|O" signature is saying the password argument is optional, which makes no sense in terms of the funxtion and immediately leads to a TypeError (or until last commit, segfault). Removing the "|" leaves it with a TypeError, but it is better worded and faster. Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Gary Lockyer <gary@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* auth/pycreds/encrypt_netr_crypt_password: don't segfaultDouglas Bagnall2019-07-221-0/+5
| | | | | | | | Non-talloc objects were treated as talloc objects, to no good effect Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Gary Lockyer <gary@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* pycredentials.h: use import to ensure python type correctnessDouglas Bagnall2019-07-222-10/+12
| | | | | | | | | Because we include pyrpc_util.h, pycredentials doesn't need its own PyStringFromStringOrNull(). Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Gary Lockyer <gary@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* auth/pycredentials: always check self is a Credentials objectDouglas Bagnall2019-07-221-39/+247
| | | | | | | | | | | | This prevents a segfault with credentials.Credentials.guess(x) where x is not a Credentials object. Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Gary Lockyer <gary@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* auth/gensec: clang: Fix 'Value stored to 'status' is never read'Noel Power2019-07-111-2/+0
| | | | | | | | | | | | Fixes: auth/gensec/spnego.c:877:2: warning: Value stored to 'status' is never read <--[clang] status = sub_status; ^ ~~~~~~~~~~ 1 warning generated. Signed-off-by: Noel Power <noel.power@suse.com> Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
* auth/kerberos: clang: Fix same instances of 'Value stored is never read'Noel Power2019-07-081-7/+7
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Fixes: auth/kerberos/gssapi_pac.c:136:3: warning: Value stored to 'gss_maj' is never read <--[clang] gss_maj = gss_release_buffer(&gss_min, &pac_buffer); ^ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ auth/kerberos/gssapi_pac.c:137:3: warning: Value stored to 'gss_maj' is never read <--[clang] gss_maj = gss_release_buffer(&gss_min, &pac_display_buffer); ^ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ auth/kerberos/gssapi_pac.c:265:4: warning: Value stored to 'gss_maj' is never read <--[clang] gss_maj = gss_release_buffer_set(&gss_min, &set); ^ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ auth/kerberos/gssapi_pac.c:273:4: warning: Value stored to 'gss_maj' is never read <--[clang] gss_maj = gss_release_buffer_set(&gss_min, &set); ^ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ auth/kerberos/gssapi_pac.c:279:4: warning: Value stored to 'gss_maj' is never read <--[clang] gss_maj = gss_release_buffer_set(&gss_min, &set); ^ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ auth/kerberos/gssapi_pac.c:285:5: warning: Value stored to 'gss_maj' is never read <--[clang] gss_maj = gss_release_buffer_set(&gss_min, &set); ^ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ auth/kerberos/gssapi_pac.c:291:2: warning: Value stored to 'gss_maj' is never read <--[clang] gss_maj = gss_release_buffer_set(&gss_min, &set); ^ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 7 warnings generated. Signed-off-by: Noel Power <noel.power@suse.com> Reviewed-by: Gary Lockyer <gary@catalyst.net.nz> Autobuild-User(master): Noel Power <npower@samba.org> Autobuild-Date(master): Mon Jul 8 11:04:15 UTC 2019 on sn-devel-184
* Add PrimaryGroupId to group array in DC responseIsaac Boukris2019-07-031-2/+6
| | | | | | | | | | | | | | | | This is a simplified version of the original patch by: Felix Botner <botner@univention.de> BUG: https://bugzilla.samba.org/show_bug.cgi?id=11362 Pair-Programmed-With: Stefan Metzmacher <metze@samba.org> Signed-off-by: Isaac Boukris <iboukris@gmail.com> Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Autobuild-User(master): Stefan Metzmacher <metze@samba.org> Autobuild-Date(master): Wed Jul 3 13:52:55 UTC 2019 on sn-devel-184
* auth:ntlmssp: Use GnuTLS RC4 in ntlmssp serverAndreas Schneider2019-06-271-3/+23
| | | | | Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* auth:gensec: Return NTSTATUS for netsec_do_seal()Andreas Schneider2019-06-271-18/+33
| | | | | Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* auth:gensec: Use GnuTLS RC4 in netsec_do_seal()Andreas Schneider2019-06-271-6/+31
| | | | | Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* auth:gensec: Use GnuTLS RC4 in netsec_do_seq_num()Andreas Schneider2019-06-271-5/+24
| | | | | Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* libcli:auth: Return NTSTATUS for netlogon_creds_arcfour_crypt()Andreas Schneider2019-06-271-3/+8
| | | | | Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* lib/crypto: move gnutls error wrapper to own subsystemAndrew Bartlett2019-06-278-7/+8
| | | | | Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
* py3: Remove PyStr_FromString() compatability macroAndrew Bartlett2019-06-241-1/+1
| | | | | | | | We no longer need Samba to be py2/py3 compatible so we choose to return to the standard function names. Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Noel Power <noel.power@suse.com>
* auth:creds: Use gnutls_error_to_ntstatus() in credentials_ntlmAndreas Schneider2019-06-241-8/+3
| | | | | | Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* auth:ntlmssp: Use gnutls_error_to_ntstatus() in ntlmssp_signAndreas Schneider2019-06-241-16/+8
| | | | | | Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* auth:ntlmssp: Use gnutls_error_to_ntstatus() in ntlmssp_serverAndreas Schneider2019-06-241-17/+9
| | | | | | Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* auth:ntlmssp: Use gnutls_error_to_ntstatus() in ntlmssp_clientAndreas Schneider2019-06-241-7/+5
| | | | | | Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* auth:gensec: Use gnutls_error_to_ntstatus() in schannelAndreas Schneider2019-06-241-25/+14
| | | | | | Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* auth auth_log: csbuild unused parm transport_protectionGary Lockyer2019-06-131-2/+0
| | | | | | | | | | | | | | Fixes csbuild errors. Error: COMPILER_WARNING: auth/auth_log.c: scope_hint: In function ‘log_successful_authz_event_human_readable’ auth/auth_log.c:728:14: warning: unused parameter ‘transport_protection’ [-Wunused-param eter] Signed-off-by: Gary Lockyer <gary@catalyst.net.nz> Reviewed-by: Andreas Schneider <asn@samba.org>
* auth auth_log: csbuild unused parm unix_usernameGary Lockyer2019-06-132-7/+0
| | | | | | | | | | | | | | | | | | Fixes csbuild errors Error: COMPILER_WARNING: auth/auth_log.c: scope_hint: In function ‘log_authentication_event_json’ auth/auth_log.c:146:14: warning: unused parameter ‘unix_username’ [-Wunused-parameter] Error: COMPILER_WARNING: auth/auth_log.c: scope_hint: In function ‘log_authentication_event_human_readable’ auth/auth_log.c:586:14: warning: unused parameter ‘unix_username’ [-Wunused-parameter] Signed-off-by: Gary Lockyer <gary@catalyst.net.nz> Reviewed-by: Andreas Schneider <asn@samba.org>
* auth:gensec: Return NTSTATUS for netsec_do_seq_num()Andreas Schneider2019-05-211-8/+26
| | | | | Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* auth:gensec: Use GnuTLS HMAC MD5 and MD5 in netsec_do_sign()Andreas Schneider2019-05-211-11/+49
| | | | | Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* auth:gensec: Use GnuTLS HMAC MD5 in netsec_do_seal()Andreas Schneider2019-05-211-2/+24
| | | | | Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* auth:gensec: Use GnuTLS HMAC MD5 in netsec_do_seq_num()Andreas Schneider2019-05-211-2/+25
| | | | | Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* auth:creds: Use GnuTLS MD5 in ntlm credsAndreas Schneider2019-05-211-7/+32
| | | | | Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* auth:ntlmssp: Use GnuTLS MD5 and HMAC MD5 in ntlmssp signAndreas Schneider2019-05-211-25/+92
| | | | | Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* auth:ntlmssp: Use GnuTLS MD5 and HMAC MD5 in ntlmssp serverAndreas Schneider2019-05-211-31/+87
| | | | | Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* auth:ntlmssp: Use GnuTLS HMAC MD5 in ntlmssp clientAndreas Schneider2019-05-211-12/+45
| | | | | Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* squash 'cast between incompatible function types' warningNoel Power2019-05-161-1/+3
| | | | | | | | | | | | To avoid warning above produced by using -Wcast-function-type we; + ensure PyCFunctions of type METH_NOARGS defined dummy arg + ensure PyCFunctions of type METH_KEYWORDS use PY_DISCARD_FUNC_SIG macro Signed-off-by: Noel Power <noel.power@suse.com> Reviewed-by: Andreas Schneider <asn@samba.org>
* auth/creds/torture: add a test showing segfaultDouglas Bagnall2019-05-091-1/+45
| | | | | | | This file isn't actually run... Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
* auth/creds/guess: avoid segfault with NULL lp (CID 241187)Douglas Bagnall2019-05-091-1/+2
| | | | | Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
* auth:gensec: Add return code for netsec_do_sign()Andreas Schneider2019-04-301-16/+34
| | | | | Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* auth:gensec: Use GnuTLS SHA256 HMAC for schannelAndreas Schneider2019-04-301-10/+34
| | | | | Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* credentials: Workaround krb5_cc_remove_cred not implemented in MIT kerberosSamuel Cabrero2019-04-291-0/+149
| | | | | | | | | Signed-off-by: Samuel Cabrero <scabrero@suse.de> Reviewed-by: Andreas Schneider <asn@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org> Autobuild-User(master): Jeremy Allison <jra@samba.org> Autobuild-Date(master): Mon Apr 29 19:15:48 UTC 2019 on sn-devel-184
* credentials: Initialize krb5 client to retrieve creds from ccacheSamuel Cabrero2019-04-291-0/+15
| | | | | | | | | MIT kerberos require krb5_creds.client to be initialized to match krb5_creds.server with the cached credentials. Signed-off-by: Samuel Cabrero <scabrero@suse.de> Reviewed-by: Andreas Schneider <asn@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
View Lorry Controller Status