summaryrefslogtreecommitdiff
path: root/libcli/auth/credentials.c
AgeCommit message (Collapse)AuthorFilesLines
2026-03-31auth: Call talloc_keep_secret() for sensitive memoryPavel Filipenský1-0/+2
Signed-off-by: Pavel Filipenský <pfilipensky@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
2026-03-31auth: Call ZERO_ARRAY()/ZERO_STRUCT() for sensitive variables on stackPavel Filipenský1-0/+8
Signed-off-by: Pavel Filipenský <pfilipensky@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
2024-12-12libcli/auth: add infrastructure for netr_ServerAuthenticateKerberos()Stefan Metzmacher1-19/+313
This shows that STRONG_KEY without ARCFOUR means no encryption for ServerPasswordSet2. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
2024-12-12libcli/auth: add let netlogon_creds_alloc() use _talloc_keep_secret()Stefan Metzmacher1-0/+3
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
2024-12-05libcli/auth: let netlogon_creds_crypt_samlogon_validation handle generic infoStefan Metzmacher1-0/+27
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
2024-12-05schannel.idl: change netlogon_creds_CredentialState layout for 4.22Stefan Metzmacher1-10/+4
This breaks compat with 4.21 and moves stuff out of netlogon_creds_CredentialState_extra_info. It also prepares support for netr_ServerAuthenticateKerberos() Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
2024-12-05netlogon.idl: add NetlogonTicketLogonInformation/NetlogonValidationTicketLogonStefan Metzmacher1-0/+9
I have basic tests, which have shown that the payload is not encrypted at application level. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
2024-11-28libcli/auth: let netlogon_creds_copy() make use of ndr_deepcopy_struct()Stefan Metzmacher1-20/+6
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Volker Lendecke <vl@samba.org> Autobuild-User(master): Volker Lendecke <vl@samba.org> Autobuild-Date(master): Thu Nov 28 13:53:25 UTC 2024 on atb-devel-224
2024-10-30libcli/auth: let netlogon_creds_copy() copy all scalar elementsStefan Metzmacher1-8/+1
This version is good for now, as we want it to be backportable. For master we'll add a ndr_deepcopy_struct() helper in order to avoid future problems. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2024-10-30libcli/auth: split out netlogon_creds_client_verify() that takes ↵Stefan Metzmacher1-2/+22
auth_{type,level} This will make it easier to implement netr_ServerAuthenticateKerberos() later... BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2024-10-30libcli/auth: pass auth_{type,level} to netlogon_creds_server_step_check()Stefan Metzmacher1-1/+3
This will make it easier to implement netr_ServerAuthenticateKerberos() later... BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2024-10-30libcli/auth: return INVALID_PARAMETER for DES in ↵Stefan Metzmacher1-0/+1
netlogon_creds_{de,en}crypt_samlogon_logon For the NetlogonGenericInformation case we want an error instead of no encryption if only DES was negotiated... BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2024-10-30libcli/auth: make sure low level crypto function are not used directlyStefan Metzmacher1-0/+6
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2024-10-30libcli/auth: make netlogon_creds_des_{de,en}crypt_LMKey() staticStefan Metzmacher1-2/+2
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2024-10-30libcli/auth: add netlogon_creds_{de,en}crypt_SendToSam()Stefan Metzmacher1-0/+53
These will simplify adding the logic for netr_ServerAuthenticateKerberos... BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2024-10-30libcli/auth: add netlogon_creds_{de,en}crypt_samr_CryptPassword()Stefan Metzmacher1-0/+48
These will simplify adding the logic for netr_ServerAuthenticateKerberos... BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2024-10-30libcli/auth: add netlogon_creds_{de,en}crypt_samr_Password()Stefan Metzmacher1-0/+47
These will simplify adding the logic for netr_ServerAuthenticateKerberos... BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2024-10-30libcli/auth: pass auth_{type,level} to ↵Stefan Metzmacher1-4/+20
netlogon_creds_{de,en}crypt_samlogon_logon() This will be needed when we implement netr_ServerAuthenticateKerberos... BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2024-10-30libcli/auth: pass auth_{type,level} to ↵Stefan Metzmacher1-2/+12
netlogon_creds_{de,en}crypt_samlogon_validation() This will be needed when we implement netr_ServerAuthenticateKerberos... BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2024-10-30libcli/auth: split out netlogon_creds_alloc()Stefan Metzmacher1-53/+65
Review with: git show --patience BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2024-10-30libcli/auth: also use netlogon_creds_CredentialState_extra_info for the clientStefan Metzmacher1-1/+14
In order to allow backports and cluster updates we simulate a dom_sid, so that the old code is able to parse the blob. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2024-10-30libcli/auth: remember client_requested_flags and auth_time in ↵Stefan Metzmacher1-0/+5
netlogon_creds_server_init() BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2024-10-30libcli/auth: remove unused creds->sidStefan Metzmacher1-8/+0
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2024-10-30libcli/auth: split out netlogon_creds_CredentialState_extra_infoStefan Metzmacher1-5/+17
As server we are free to change the netlogon_creds_CredentialState database record format at will as it uses CLEAR_IF_FIRST. For now that format doesn't really changes, because we only move dom_sid into a wrapper structure. In order to avoid changing all callers in this commit, we maintain creds->sid as in memory pointer. In the following patches we'll also use it in order to store client related information... BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2024-10-30libcli/auth: pass client_sid to netlogon_creds_server_init()Stefan Metzmacher1-0/+7
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2024-10-30libcli/auth: remove unused netlogon_creds_client_init_session_key()Stefan Metzmacher1-19/+0
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2023-11-30libcli/auth: Call correct function to get HMAC output lengthJoseph Sutton1-1/+1
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-30libcli/auth: Use correct enumeration constantJoseph Sutton1-1/+1
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-08-08libcli/auth: Fix code spellingJoseph Sutton1-1/+1
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-06-30Remove rudundent check and fallback for AES CFB8 as we now require GnuTLS 3.6.13Andrew Bartlett1-24/+0
This allows us to remove a lot of conditionally compiled code and so know with more certaintly that our tests are covering our codepaths. Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
2022-06-09lib/util: Change function to mem_equal_const_time()Joseph Sutton1-2/+2
Since memcmp_const_time() doesn't act as an exact replacement for memcmp(), and its return value is only ever compared with zero, simplify it and emphasize the intention of checking equality by returning a bool instead. Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2022-06-09auth: Use constant-time memcmp when comparing sensitive buffersJoseph Sutton1-2/+2
This helps to avoid timing attacks. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15010 Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2020-09-18CVE-2020-1472(ZeroLogon): libcli/auth: reject weak client challenges in ↵Stefan Metzmacher1-1/+16
netlogon_creds_server_init() This implements the note from MS-NRPC 3.1.4.1 Session-Key Negotiation: 7. If none of the first 5 bytes of the client challenge is unique, the server MUST fail session-key negotiation without further processing of the following steps. It lets ./zerologon_tester.py from https://github.com/SecuraBV/CVE-2020-1472.git report: "Attack failed. Target is probably patched." BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2020-09-18CVE-2020-1472(ZeroLogon): libcli/auth: add ↵Stefan Metzmacher1-1/+22
netlogon_creds_is_random_challenge() to avoid weak values This is the check Windows is using, so we won't generate challenges, which are rejected by Windows DCs (and future Samba DCs). BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2020-09-18CVE-2020-1472(ZeroLogon): libcli/auth: add netlogon_creds_random_challenge()Stefan Metzmacher1-0/+6
It's good to have just a single isolated function that will generate random challenges, in future we can add some logic in order to avoid weak values, which are likely to be rejected by a server. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2019-12-10smbdes: convert des_crypt112_16 to use gnutlsIsaac Boukris1-8/+30
Signed-off-by: Isaac Boukris <iboukris@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2019-12-10smbdes: convert des_crypt112 to use gnutlsIsaac Boukris1-1/+7
Signed-off-by: Isaac Boukris <iboukris@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2019-12-10smbdes: convert des_crypt128() to use gnutlsIsaac Boukris1-1/+5
Signed-off-by: Isaac Boukris <iboukris@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2019-12-10netlogon_creds_des_encrypt/decrypt_LMKey: use gnutls and return NTSTATUSIsaac Boukris1-9/+27
Signed-off-by: Isaac Boukris <iboukris@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2019-11-14libcli:auth Check return code of netlogon_creds_aes_encrypt()Andrew Bartlett1-1/+7
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14195 Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org> Autobuild-Date(master): Thu Nov 14 09:25:36 UTC 2019 on sn-devel-184
2019-11-14libcli:auth: Check return code of netlogon_creds_step_crypt()Andreas Schneider1-7/+29
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14195 Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2019-11-14libcli:auth: Check return code of netlogon_creds_step()Andreas Schneider1-3/+17
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14195 Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2019-11-14libcli:auth: Return NTSTATUS for netlogon_creds_client_authenticator()Andreas Schneider1-2/+5
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14195 Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2019-11-14libcli:auth: Check return status of netlogon_creds_first_step()Andreas Schneider1-5/+19
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14195 Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2019-11-14libcli:auth: Check return status of netlogon_creds_init_64bit()Andreas Schneider1-7/+22
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14195 Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2019-11-14libcli:auth: Check return value of netlogon_creds_init_128bit()Andreas Schneider1-4/+10
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14195 Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2019-08-21libcli:auth Check NTSTATUS from netlogon_creds_aes_{en,de}crypt()Andrew Bartlett1-23/+53
Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
2019-08-21libcli:auth Return NTSTATUS from netlogon_creds_aes_decrypt()Andrew Bartlett1-7/+8
Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
2019-08-21libcli:auth: Use GnuTLS AES128 CFB for netlogon_creds_aes_decrypt()Andreas Schneider1-1/+40
Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2019-08-21libcli:auth: Return NTSTATUS for netlogon_creds_aes_encrypt()Andreas Schneider1-7/+8
Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Adapted by Andrew Bartlett to use gnutls_error_to_ntstatus() Signed-off-by: Andrew Bartlett <abartlet@samba.org>
generated by cgit v1.2.3 (git 2.25.1) at 2026-05-06 19:54:30 +0000