samba.git/source4/auth/ntlm, branch talloc-2.4.0 Unnamed repository; edit this file 'description' to name the repository. CVE-2021-20251: s4:auth: fix use after free in authsam_logon_success_accounting() 2022-11-24T11:01:37+00:00 Stefan Metzmacher metze@samba.org 2022-11-07T16:21:44+00:00 1414269dccfd7cb831889cc92df35920b034457c This fixes a use after free problem introduced by commit 7b8e32efc336fb728e0c7e3dd6fbe2ed54122124, which has msg = current; which means the lifetime of the 'msg' memory is no longer in the scope of th caller. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14611 BUG: https://bugzilla.samba.org/show_bug.cgi?id=15253 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> 
This fixes a use after free problem introduced by
commit 7b8e32efc336fb728e0c7e3dd6fbe2ed54122124,
which has msg = current; which means the lifetime
of the 'msg' memory is no longer in the scope of th
caller.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14611
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15253

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
s4-auth: Add missing newlines to log messages 2022-10-05T04:23:32+00:00 Joseph Sutton josephsutton@catalyst.net.nz 2022-04-29T00:19:35+00:00 d2c5a297f25a48c74a9f93beb2a18d50f3352b43 Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> 
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
CVE-2021-20251 s4:auth_winbind: Check return status of authsam_logon_success_accounting() 2022-09-12T23:07:38+00:00 Joseph Sutton josephsutton@catalyst.net.nz 2022-07-04T08:51:38+00:00 268ea7bef5af4b9c8a02f4f5856113ff0664d9e8 This may return an error if we find the account is locked out. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14611 Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> 
This may return an error if we find the account is locked out.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14611

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
CVE-2021-20251 s4-auth: Pass through error code from badPwdCount update 2022-09-12T23:07:37+00:00 Joseph Sutton josephsutton@catalyst.net.nz 2022-07-09T03:53:51+00:00 d8a862cb811489abb67d4cf3a7fbd83d05c7e5cb The error code may be NT_STATUS_ACCOUNT_LOCKED_OUT, which we use in preference to NT_STATUS_WRONG_PASSWORD. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14611 Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> 
The error code may be NT_STATUS_ACCOUNT_LOCKED_OUT, which we use in
preference to NT_STATUS_WRONG_PASSWORD.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14611

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
CVE-2022-2031 auth: Add ticket type field to auth_user_info_dc and auth_session_info 2022-07-27T10:52:36+00:00 Joseph Sutton josephsutton@catalyst.net.nz 2022-06-10T07:18:07+00:00 6a10e890a086b4dc05d460ef3e0c2cd9cd8f1f42 This field may be used to convey whether we were provided with a TGT or a non-TGT. We ensure both structures are zeroed out to avoid incorrect results being produced by an uninitialised field. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047 BUG: https://bugzilla.samba.org/show_bug.cgi?id=15049 Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andreas Schneider <asn@samba.org> 
This field may be used to convey whether we were provided with a TGT or
a non-TGT. We ensure both structures are zeroed out to avoid incorrect
results being produced by an uninitialised field.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15049

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
s4-auth: For LDAP simple bind, fall back to checking the ENCTYPE_AES256_CTS_HMAC_SHA1_96 if stored 2022-06-26T22:10:29+00:00 Andrew Bartlett abartlet@samba.org 2022-06-10T00:47:01+00:00 6029e2250c4dc837ed4f6b4613f988ae6dff49e3 Since we don't store a salt per-key, but only a single salt, when we do not have the NT hash in the unicodePwd (eg ntlm auth = disabled), the check will fail for a previous password if the account was renamed prior to a newer password being set. Pair-Programmed-With: Stefan Metzmacher <metze@samba.org> Signed-off-by: Andrew Bartlett <abartlet@samba.org> Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org> 
Since we don't store a salt per-key, but only a single salt, when we do
not have the NT hash in the unicodePwd (eg ntlm auth = disabled), the check
will fail for a previous password if the account was renamed prior to a
newer password being set.

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
dsdb/common: Make some parameters const 2022-06-14T07:21:29+00:00 Joseph Sutton josephsutton@catalyst.net.nz 2022-06-03T07:29:00+00:00 48bff3c44f6ed4fcf4671351801d3536115c7314 Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org> 
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
 lib/util: Change function to mem_equal_const_time() 2022-06-09T22:49:29+00:00 Joseph Sutton josephsutton@catalyst.net.nz 2022-05-11T00:07:43+00:00 feb36dbebf1f0f48f4d9f2549471d355b4ead788 Since memcmp_const_time() doesn't act as an exact replacement for memcmp(), and its return value is only ever compared with zero, simplify it and emphasize the intention of checking equality by returning a bool instead. Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> 
Since memcmp_const_time() doesn't act as an exact replacement for
memcmp(), and its return value is only ever compared with zero, simplify
it and emphasize the intention of checking equality by returning a bool
instead.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
auth: Use constant-time memcmp when comparing sensitive buffers 2022-06-09T22:49:29+00:00 Joseph Sutton josephsutton@catalyst.net.nz 2022-02-17T02:35:42+00:00 ae6634c78774d2368e815dea650ba71650dd1861 This helps to avoid timing attacks. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15010 Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> 
This helps to avoid timing attacks.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15010

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
s4-auth: Remove last traces of LanMan authentiation support in the AD DC. 2022-03-29T03:32:57+00:00 Andrew Bartlett abartlet@samba.org 2022-03-24T23:18:01+00:00 d7a91a855c7edfb0e09c93cbe4c56df0437fa467 Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org> Autobuild-User(master): Andrew Bartlett <abartlet@samba.org> Autobuild-Date(master): Tue Mar 29 03:32:57 UTC 2022 on sn-devel-184 
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Tue Mar 29 03:32:57 UTC 2022 on sn-devel-184