samba.git/auth, branch talloc-2.4.0 Unnamed repository; edit this file 'description' to name the repository. auth/creds: fix a typo in a comment 2023-01-17T17:21:38+00:00 Björn Baumbach bb@sernet.de 2023-01-17T11:26:10+00:00 86fde91621b9190df1a8df290441575ca284e6ed Signed-off-by: Björn Baumbach <bb@sernet.de> Reviewed-by: Ralph Boehme <slow@samba.org> 
Signed-off-by: Björn Baumbach <bb@sernet.de>
Reviewed-by: Ralph Boehme <slow@samba.org>
build: Remove unused dependencies 2022-11-08T02:39:37+00:00 Joseph Sutton josephsutton@catalyst.net.nz 2022-11-03T04:31:20+00:00 77bb72d67204b58d0ae7a183e2a8988597faf15c We don't need to include these any more, and removing them allows us to simplify the build system for system Heimdal builds. Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> 
We don't need to include these any more, and removing them allows us to
simplify the build system for system Heimdal builds.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
CVE-2022-2031 auth: Add ticket type field to auth_user_info_dc and auth_session_info 2022-07-27T10:52:36+00:00 Joseph Sutton josephsutton@catalyst.net.nz 2022-06-10T07:18:07+00:00 6a10e890a086b4dc05d460ef3e0c2cd9cd8f1f42 This field may be used to convey whether we were provided with a TGT or a non-TGT. We ensure both structures are zeroed out to avoid incorrect results being produced by an uninitialised field. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047 BUG: https://bugzilla.samba.org/show_bug.cgi?id=15049 Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andreas Schneider <asn@samba.org> 
This field may be used to convey whether we were provided with a TGT or
a non-TGT. We ensure both structures are zeroed out to avoid incorrect
results being produced by an uninitialised field.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15049

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
auth/credentials: Add get_aes256_key() 2022-06-26T22:10:29+00:00 Joseph Sutton josephsutton@catalyst.net.nz 2022-05-09T02:37:58+00:00 f33aa94c9ee26a44132feca8fc4c460f88a48ee2 This makes it possible to generate AES256 keys in Python from a given password and salt. Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> 
This makes it possible to generate AES256 keys in Python from a given
password and salt.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
auth/credentials: Add cli_credentials_get_aes256_key() 2022-06-26T22:10:29+00:00 Joseph Sutton josephsutton@catalyst.net.nz 2022-05-09T02:35:05+00:00 0d9835e1e497d667ce49f00d5127d2231055793f This allows us to generate AES256 keys from a given password and salt. Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> 
This allows us to generate AES256 keys from a given password and salt.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
s4-auth: For LDAP simple bind, fall back to checking the ENCTYPE_AES256_CTS_HMAC_SHA1_96 if stored 2022-06-26T22:10:29+00:00 Andrew Bartlett abartlet@samba.org 2022-06-10T00:47:01+00:00 6029e2250c4dc837ed4f6b4613f988ae6dff49e3 Since we don't store a salt per-key, but only a single salt, when we do not have the NT hash in the unicodePwd (eg ntlm auth = disabled), the check will fail for a previous password if the account was renamed prior to a newer password being set. Pair-Programmed-With: Stefan Metzmacher <metze@samba.org> Signed-off-by: Andrew Bartlett <abartlet@samba.org> Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org> 
Since we don't store a salt per-key, but only a single salt, when we do
not have the NT hash in the unicodePwd (eg ntlm auth = disabled), the check
will fail for a previous password if the account was renamed prior to a
newer password being set.

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
spelling: connnect encrytion exisit expection explicit invalide missmatch paramater paramter partion privilige relase reponse seperate unkown verson authencication progagated 2022-06-10T18:12:33+00:00 Michael Tokarev mjt@tls.msk.ru 2022-04-01T07:07:47+00:00 17c733d946af693f28f3f55bc2a5369c87a932e0 Tree-wide spellcheck for some common misspellings. source3/utils/status.c has misspelled local variable (unkown_dialect). "missmatch" is a known historical misspelling, only the incorrect misspellings are fixed. source3/locale/net/de.po has the spelling error (unkown) in two msgids - it probably should be updated with current source. Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org> 
Tree-wide spellcheck for some common misspellings.

source3/utils/status.c has misspelled local variable (unkown_dialect).

"missmatch" is a known historical misspelling, only the incorrect
misspellings are fixed.

source3/locale/net/de.po has the spelling error (unkown) in two msgids -
it probably should be updated with current source.

Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
lib/util: Change function to mem_equal_const_time() 2022-06-09T22:49:29+00:00 Joseph Sutton josephsutton@catalyst.net.nz 2022-05-11T00:07:43+00:00 feb36dbebf1f0f48f4d9f2549471d355b4ead788 Since memcmp_const_time() doesn't act as an exact replacement for memcmp(), and its return value is only ever compared with zero, simplify it and emphasize the intention of checking equality by returning a bool instead. Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> 
Since memcmp_const_time() doesn't act as an exact replacement for
memcmp(), and its return value is only ever compared with zero, simplify
it and emphasize the intention of checking equality by returning a bool
instead.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
auth: Use constant-time memcmp when comparing sensitive buffers 2022-06-09T22:49:29+00:00 Joseph Sutton josephsutton@catalyst.net.nz 2022-02-17T02:35:42+00:00 ae6634c78774d2368e815dea650ba71650dd1861 This helps to avoid timing attacks. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15010 Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> 
This helps to avoid timing attacks.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15010

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
auth: Covscan: unchecked return value for cli_credentials_set_smb_encryption() 2022-05-14T03:49:32+00:00 Pavel Filipenský pfilipen@redhat.com 2022-05-11T10:11:21+00:00 3960af99e58f3f107f874489b3ab1294eb285cd6 Signed-off-by: Pavel Filipenský <pfilipen@redhat.com> Reviewed-by: Jeremy Allison <jra@samba.org> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> 
Signed-off-by: Pavel Filipenský <pfilipen@redhat.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>