path: root/libcli/auth
Age | Commit message | Author | Files | Lines
2020-09-18 | CVE-2020-1472(ZeroLogon): libcli/auth: reject weak client challenges in netlogon_creds_server_init() | Stefan Metzmacher | 2 | -2/+17
This implements the note from MS-NRPC 3.1.4.1 Session-Key Negotiation: 7. If none of the first 5 bytes of the client challenge is unique, the server MUST fail session-key negotiation without further processing of the following steps. It lets ./zerologon_tester.py from https://github.com/SecuraBV/CVE-2020-1472.git report: "Attack failed. Target is probably patched." BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2020-09-18 | CVE-2020-1472(ZeroLogon): libcli/auth: add netlogon_creds_is_random_challenge() to avoid weak values | Stefan Metzmacher | 2 | -1/+23
This is the check Windows is using, so we won't generate challenges, which are rejected by Windows DCs (and future Samba DCs). BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2020-09-18 | CVE-2020-1472(ZeroLogon): libcli/auth: make use of netlogon_creds_random_challenge() in netlogon_creds_cli.c | Stefan Metzmacher | 1 | -2/+1
This will avoid getting rejected by the server if we generate a weak challenge. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2020-09-18 | CVE-2020-1472(ZeroLogon): libcli/auth: add netlogon_creds_random_challenge() | Stefan Metzmacher | 2 | -0/+8
It's good to have just a single isolated function that will generate random challenges, in future we can add some logic in order to avoid weak values, which are likely to be rejected by a server. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2020-05-04 | CVE-2020-10704: lib util asn1: Add ASN.1 max tree depth | Gary Lockyer | 1 | -3/+3
Add maximum parse tree depth to the call to asn1_init, which will be used to limit the depth of the ASN.1 parse tree. Credit to OSS-Fuzz REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=20454 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14334 Signed-off-by: Gary Lockyer <gary@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2020-01-06 | auth: Avoid casts in ntlm_check.c | Volker Lendecke | 1 | -16/+15
Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Gary Lockyer <gary@catalyst.net.nz> Autobuild-User(master): Gary Lockyer <gary@samba.org> Autobuild-Date(master): Mon Jan 6 03:12:20 UTC 2020 on sn-devel-184
2020-01-06 | auth: Check for talloc failure in smb_sess_key_ntlmv2() | Volker Lendecke | 1 | -0/+4
Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2020-01-06 | auth: Slightly simplify smb_pwd_check_ntlmv1() | Volker Lendecke | 1 | -11/+13
Do an early return for the failure case Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2020-01-06 | auth: Check for talloc failure in smb_pwd_check_ntlmv1() | Volker Lendecke | 1 | -0/+4
Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2020-01-06 | auth: Slightly simplify smb_pwd_check_ntlmv2() | Volker Lendecke | 1 | -15/+17
Do an early return for the failure case Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2020-01-06 | auth: Check for talloc failure in smb_pwd_check_ntlmv2() | Volker Lendecke | 1 | -0/+4
Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2019-12-10 | smbdes: remove old unused DES builtin-crypto | Isaac Boukris | 3 | -271/+0
Signed-off-by: Isaac Boukris <iboukris@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2019-12-10 | sess_crypt_blob can only crypt blobs whose size divides by 8 | Isaac Boukris | 1 | -3/+6
Signed-off-by: Isaac Boukris <iboukris@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2019-12-10 | session: convert sess_crypt_blob to use gnutls | Isaac Boukris | 3 | -14/+39
Signed-off-by: Isaac Boukris <iboukris@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2019-12-10 | smbdes: convert des_crypt112_16 to use gnutls | Isaac Boukris | 5 | -22/+69
Signed-off-by: Isaac Boukris <iboukris@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2019-12-10 | smbdes: convert des_crypt112 to use gnutls | Isaac Boukris | 4 | -11/+32
Signed-off-by: Isaac Boukris <iboukris@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2019-12-10 | smbdes: convert E_old_pw_hash to use gnutls | Isaac Boukris | 3 | -5/+13
Signed-off-by: Isaac Boukris <iboukris@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2019-12-10 | smbdes: convert des_crypt128() to use gnutls | Isaac Boukris | 4 | -6/+18
Signed-off-by: Isaac Boukris <iboukris@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2019-12-10 | smbdes: convert E_P24() and SMBOWFencrypt to use gnutls | Isaac Boukris | 5 | -21/+49
Signed-off-by: Isaac Boukris <iboukris@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2019-12-10 | smbdes: remove D_P16() (not used) | Isaac Boukris | 2 | -7/+0
Signed-off-by: Isaac Boukris <iboukris@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2019-12-10 | smbdes: convert E_P16() to use gnutls | Isaac Boukris | 4 | -6/+19
Signed-off-by: Isaac Boukris <iboukris@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2019-12-10 | smbdes: convert sam_rid_crypt() to use gnutls | Isaac Boukris | 3 | -6/+15
Signed-off-by: Isaac Boukris <iboukris@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2019-12-10 | SMBsesskeygen_lm_sess_key: use gnutls and return NTSTATUS | Isaac Boukris | 3 | -7/+18
Signed-off-by: Isaac Boukris <iboukris@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2019-12-10 | netlogon_creds_des_encrypt/decrypt_LMKey: use gnutls and return NTSTATUS | Isaac Boukris | 2 | -11/+31
Signed-off-by: Isaac Boukris <iboukris@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2019-12-10 | smbdes: add des_crypt56_gnutls() using DES-CBC with zeroed IV | Isaac Boukris | 4 | -1/+71
Signed-off-by: Isaac Boukris <iboukris@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2019-12-10 | selftest: test sess_crypt_blob | Isaac Boukris | 1 | -0/+29
Signed-off-by: Isaac Boukris <iboukris@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2019-12-10 | selftest: test SMBsesskeygen_lm_sess_key | Isaac Boukris | 1 | -0/+23
Signed-off-by: Isaac Boukris <iboukris@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2019-12-10 | selftest: test des_crypt112_16 | Isaac Boukris | 1 | -0/+26
Signed-off-by: Isaac Boukris <iboukris@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2019-12-10 | selftest: test des_crypt112 and fix (unused) decryption | Isaac Boukris | 2 | -2/+31
Signed-off-by: Isaac Boukris <iboukris@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2019-12-10 | selftest: test des_crypt128 | Isaac Boukris | 1 | -0/+20
Signed-off-by: Isaac Boukris <iboukris@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2019-12-10 | selftest: test E_old_pw_hash | Isaac Boukris | 1 | -0/+22
Signed-off-by: Isaac Boukris <iboukris@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2019-12-10 | selftest: test E_P24 and SMBOWFencrypt | Isaac Boukris | 1 | -0/+44
Signed-off-by: Isaac Boukris <iboukris@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2019-12-10 | selftest: test sam_rid_crypt | Isaac Boukris | 1 | -0/+23
Signed-off-by: Isaac Boukris <iboukris@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2019-12-10 | selftest: test E_P16 | Isaac Boukris | 1 | -0/+20
Signed-off-by: Isaac Boukris <iboukris@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2019-12-10 | libcli/auth: test des_crypt56() and add test_gnutls to selftest | Isaac Boukris | 2 | -0/+25
Signed-off-by: Isaac Boukris <iboukris@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2019-12-10 | auth:tests: Only enable torture_gnutls_aes_128_cfb() on GnuTLS >= 3.6.11 | Andreas Schneider | 1 | -2/+2
Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Isaac Boukris <iboukris@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2019-12-10 | auth:tests: Improve debug output of test_gnutls | Andreas Schneider | 1 | -2/+8
Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Isaac Boukris <iboukris@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2019-11-22 | build: Do not build selftest binaries for builds without --enable-selftest | Andrew Bartlett | 1 | -4/+4
Add new for_selftest option to SAMBA_BINARY() and SAMBA3_BINARY()
This allows us to be much more consistent (at least in the core Samba) and documents clearly why the binary should not be installed.
Not modified are
 - test_lp_load
 - notifyd-tests
 - gendrandperf
 - test* from examples/libsmbclient
 - dbwrap_torture
 - split_tokens
 - locktest2
 - msgtest
 - msg_sink
 - msg_source
 - versiontest
 - rpc_open_tcp
 - test_headers
As these are not tested in selftest so any change would also be untested. Of course they probably should be added in a different MR.
Also not modified (because they are not tests, nor part of the build system) are:
 - smb2mount
 - notifydd
 - log2pacp
 - debug2html
 - smbfilter
 - destroy_netlogon_creds_cli
 - spotlight2*
 - tevent_glib_tracker
These do however appear to be untested.
For now, the source4 forked client tools are left unchanged:
 - smbclient4
 - nmblookup4
Finally, the heimdal binaries are left as install=False as they are either part of the build system or end-user tools that we just don't want to install. These are however tested.
The motivation is commits like c34ec003b7d45aa4196ff93a0ac29694b25e5309 and da87fa998ab71328f30bcdf5b41aee8675aee48a, which are both totally correct but are not needed if the selftest is not run on MacOS.
There are likely other platforms or build environments where building our test binaries is more pain than valuable, see for example also https://lists.samba.org/archive/samba/2019-November/227137.html
Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Isaac Boukris <iboukris@samba.org> Autobuild-User(master): Isaac Boukris <iboukris@samba.org> Autobuild-Date(master): Fri Nov 22 11:48:59 UTC 2019 on sn-devel-184
2019-11-19 | libcli:auth: Remove unused E_md5hash() | Andreas Schneider | 2 | -41/+0
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14195 Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2019-11-14 | lib: Fix an error path memleak in schannel_get_creds_state() | Volker Lendecke | 1 | -0/+1
Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
2019-11-14 | libcli:auth Check return code of netlogon_creds_aes_encrypt() | Andrew Bartlett | 2 | -7/+21
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14195 Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org> Autobuild-Date(master): Thu Nov 14 09:25:36 UTC 2019 on sn-devel-184
2019-11-14 | libcli:auth: Check return code of netlogon_creds_step_crypt() | Andreas Schneider | 1 | -7/+29
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14195 Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2019-11-14 | libcli:auth: Check return code of netlogon_creds_step() | Andreas Schneider | 1 | -3/+17
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14195 Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2019-11-14 | libcli:auth: Check return code of netlogon_creds_client_authenticator() | Andreas Schneider | 1 | -15/+41
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14195 Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2019-11-14 | libcli:auth: Return NTSTATUS for netlogon_creds_client_authenticator() | Andreas Schneider | 2 | -4/+8
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14195 Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2019-11-14 | libcli:auth: Check return status of netlogon_creds_first_step() | Andreas Schneider | 1 | -5/+19
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14195 Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2019-11-14 | libcli:auth: Check return status of netlogon_creds_init_64bit() | Andreas Schneider | 1 | -7/+22
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14195 Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2019-11-14 | libcli:auth: Check return value of netlogon_creds_init_128bit() | Andreas Schneider | 1 | -4/+10
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14195 Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2019-11-14 | libcli:auth: Check return code of SMBOWFencrypt_ntv2() | Andreas Schneider | 2 | -5/+33
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14195 Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2019-11-14 | libcli:auth: Return NTSTATUS for SMBOWFencrypt_ntv2() | Andreas Schneider | 2 | -14/+19
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14195 Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>