samba.git/libcli/auth/credentials.c, branch talloc-2.3.3 Unnamed repository; edit this file 'description' to name the repository. CVE-2020-1472(ZeroLogon): libcli/auth: reject weak client challenges in netlogon_creds_server_init() 2020-09-18T12:48:38+00:00 Stefan Metzmacher metze@samba.org 2020-09-16T14:17:29+00:00 d3123858fb59046e826cf2c7ec2a3839e6508624 This implements the note from MS-NRPC 3.1.4.1 Session-Key Negotiation: 7. If none of the first 5 bytes of the client challenge is unique, the server MUST fail session-key negotiation without further processing of the following steps. It lets ./zerologon_tester.py from https://github.com/SecuraBV/CVE-2020-1472.git report: "Attack failed. Target is probably patched." BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Gary Lockyer <gary@catalyst.net.nz> 
This implements the note from MS-NRPC 3.1.4.1 Session-Key Negotiation:

 7. If none of the first 5 bytes of the client challenge is unique, the
    server MUST fail session-key negotiation without further processing of
    the following steps.

It lets ./zerologon_tester.py from
https://github.com/SecuraBV/CVE-2020-1472.git
report: "Attack failed. Target is probably patched."

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
CVE-2020-1472(ZeroLogon): libcli/auth: add netlogon_creds_is_random_challenge() to avoid weak values 2020-09-18T12:48:38+00:00 Stefan Metzmacher metze@samba.org 2020-09-16T14:15:26+00:00 53528c71ffdb3377c4e73ac596c8507bc3898e83 This is the check Windows is using, so we won't generate challenges, which are rejected by Windows DCs (and future Samba DCs). BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Gary Lockyer <gary@catalyst.net.nz> 
This is the check Windows is using, so we won't generate challenges,
which are rejected by Windows DCs (and future Samba DCs).

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
CVE-2020-1472(ZeroLogon): libcli/auth: add netlogon_creds_random_challenge() 2020-09-18T12:48:38+00:00 Stefan Metzmacher metze@samba.org 2020-09-16T14:04:57+00:00 b813cdcac377210c3ab18e0d0a0c1a76870b1d74 It's good to have just a single isolated function that will generate random challenges, in future we can add some logic in order to avoid weak values, which are likely to be rejected by a server. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Gary Lockyer <gary@catalyst.net.nz> 
It's good to have just a single isolated function that will generate
random challenges, in future we can add some logic in order to
avoid weak values, which are likely to be rejected by a server.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
smbdes: convert des_crypt112_16 to use gnutls 2019-12-10T00:30:31+00:00 Isaac Boukris iboukris@gmail.com 2019-11-20T15:02:16+00:00 dcc33103d5c0927bb3757974d4663df888dce95e Signed-off-by: Isaac Boukris <iboukris@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> 
Signed-off-by: Isaac Boukris <iboukris@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
smbdes: convert des_crypt112 to use gnutls 2019-12-10T00:30:31+00:00 Isaac Boukris iboukris@gmail.com 2019-11-20T14:41:02+00:00 254739137bdaebca31163f1683bfd7111dfefe67 Signed-off-by: Isaac Boukris <iboukris@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> 
Signed-off-by: Isaac Boukris <iboukris@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
smbdes: convert des_crypt128() to use gnutls 2019-12-10T00:30:30+00:00 Isaac Boukris iboukris@gmail.com 2019-11-08T16:49:48+00:00 c57f429574243adbcd43dca4f35d125df8d69ba0 Signed-off-by: Isaac Boukris <iboukris@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> 
Signed-off-by: Isaac Boukris <iboukris@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
netlogon_creds_des_encrypt/decrypt_LMKey: use gnutls and return NTSTATUS 2019-12-10T00:30:30+00:00 Isaac Boukris iboukris@gmail.com 2019-11-07T11:53:52+00:00 38189f76d8b958fff8a6351f3fb21f6ed04b76da Signed-off-by: Isaac Boukris <iboukris@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> 
Signed-off-by: Isaac Boukris <iboukris@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
libcli:auth Check return code of netlogon_creds_aes_encrypt() 2019-11-14T09:25:36+00:00 Andrew Bartlett abartlet@samba.org 2019-11-13T22:16:09+00:00 0361a26e395723296899c3d48cff86d532372710 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14195 Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org> Autobuild-Date(master): Thu Nov 14 09:25:36 UTC 2019 on sn-devel-184 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14195

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Thu Nov 14 09:25:36 UTC 2019 on sn-devel-184
libcli:auth: Check return code of netlogon_creds_step_crypt() 2019-11-14T08:01:44+00:00 Andreas Schneider asn@samba.org 2019-11-13T09:13:53+00:00 32e75bb4cca994af80bb8440009446e4a0ff5d40 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14195 Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14195

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
libcli:auth: Check return code of netlogon_creds_step() 2019-11-14T08:01:44+00:00 Andreas Schneider asn@samba.org 2019-11-13T09:12:41+00:00 05f59cbcf803d57ab41b4c7fa4f81da50cd02cd6 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14195 Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14195

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>