path: root/libcli/auth
Age | Commit message | Author | Files | Lines
2026-03-31 | auth: Use secure variant data_blob_talloc_s() to zero sensitive data blobs | Pavel Filipenský | 3 | -28/+64
Signed-off-by: Pavel Filipenský <pfilipensky@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
2026-03-31 | auth: Call talloc_keep_secret() for sensitive memory | Pavel Filipenský | 1 | -0/+2
Signed-off-by: Pavel Filipenský <pfilipensky@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
2026-03-31 | auth: Call ZERO_ARRAY()/ZERO_STRUCT() for sensitive variables on stack | Pavel Filipenský | 5 | -9/+103
Signed-off-by: Pavel Filipenský <pfilipensky@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
2026-01-20 | lib: Remove &data_blob_null refs | Volker Lendecke | 1 | -1/+2
The next patch will remove the data_blob_null global constant. The APIs here are a bit weird in that they don't work fine with a NULL pointer but require a reference to a NULL blob. But that's few enough to add the special case in the callers. Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Anoop C S <anoopcs@samba.org>
2026-01-13 | auth: Fix typo "pass-though" -> "pass-through" | Pavel Filipenský | 1 | -2/+2
Signed-off-by: Pavel Filipenský <pfilipensky@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
2026-01-13 | libcli:auth: Fix trailing whitespaces in ntlm_check.c | Pavel Filipenský | 1 | -51/+51
Signed-off-by: Pavel Filipenský <pfilipensky@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
2026-01-07 | lib: Don't call a function to initialize an empty DATA_BLOB | Volker Lendecke | 1 | -1/+1
Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Anoop C S <anoopcs@samba.org>
2025-12-08 | libcli/auth: Zero out password in smbencrypt.c | Pavel Filipenský | 1 | -1/+1
Signed-off-by: Pavel Filipenský <pfilipensky@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org> Autobuild-User(master): Pavel Filipensky <pfilipensky@samba.org> Autobuild-Date(master): Mon Dec 8 18:21:45 UTC 2025 on atb-devel-224
2025-02-22 | libcli/auth: let NTLMv2_RESPONSE_verify_netlogon_creds() check RODC callers check computer_name | Stefan Metzmacher | 1 | -2/+10
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org>
2025-02-22 | libcli/auth: let NTLMv2_RESPONSE_verify_netlogon_creds() return the computer_name | Stefan Metzmacher | 2 | -2/+29
This will be used to implement the MS-NRPC 3.5.4.5.1.2 RODC server cachability validation. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org>
2025-02-22 | libcli/auth: add NTLMv2_RESPONSE_verify_trust() checking | Stefan Metzmacher | 1 | -5/+419
This implements MS-NRPC 3.5.4.5.1.1 Pass-through domain name validation. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org>
2025-02-22 | libcli/auth: pass trust_forest_domain_info array to NTLMv2_RESPONSE_verify_netlogon_creds | Stefan Metzmacher | 2 | -2/+14
This will be used in the next commits in order to implement MS-NRPC 3.5.4.5.1.1 Pass-through domain name validation. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org>
2025-02-22 | libcli/auth: split out NTLMv2_RESPONSE_verify_workstation() | Stefan Metzmacher | 1 | -73/+125
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org>
2025-01-13 | libcli/auth: add support for ServerAuthenticateKerberos() | Stefan Metzmacher | 1 | -3/+198
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
2025-01-13 | libcli/auth: add netlogon_creds_cli_use_kerberos() helper | Stefan Metzmacher | 2 | -0/+23
This allows the calling code to decide if a krb5 or anonymous netlogon connection should be tried. Currently we don't try ServerAuthenticateKerberos, but that will change in a few commits. But before we need to prepare the callers... Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
2024-12-12 | libcli/auth: let schannel_check_creds_state() take an access_check callback | Stefan Metzmacher | 2 | -3/+23
This allows the callback to decide if the updated creds should be stored or not. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
2024-12-12 | libcli/auth: add infrastructure for netr_ServerAuthenticateKerberos() | Stefan Metzmacher | 2 | -19/+321
This shows that STRONG_KEY without ARCFOUR means no encryption for ServerPasswordSet2. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
2024-12-12 | libcli/auth: add let netlogon_creds_alloc() use _talloc_keep_secret() | Stefan Metzmacher | 1 | -0/+3
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
2024-12-05 | libcli/auth: let netlogon_creds_crypt_samlogon_validation handle generic info | Stefan Metzmacher | 1 | -0/+27
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
2024-12-05 | libcli/auth: return RESOURCE_REQUIREMENTS_CHANGED if the proposed flags changed | Stefan Metzmacher | 1 | -0/+6
This will be important when we add support for netr_ServerAuthenticateKerberos(). Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
2024-12-05 | schannel.idl: change netlogon_creds_CredentialState layout for 4.22 | Stefan Metzmacher | 3 | -25/+6
This breaks compat with 4.21 and moves stuff out of netlogon_creds_CredentialState_extra_info. It also prepares support for netr_ServerAuthenticateKerberos() Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
2024-12-05 | Revert "libcli/auth: let netlogon_creds_cli_store_internal check netlogon_creds_CredentialState_legacy" | Stefan Metzmacher | 1 | -13/+0
This reverts commit c3fa132fbe179bd4e1451240ce572ec791356a16. We break the compat of the netlogon_creds_cli.tdb records compared to 4.21 with the next commits. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
2024-12-05 | libcli/auth: don't lose server_dns_domain in netlogon_creds_cli_context_global() | Stefan Metzmacher | 1 | -1/+5
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
2024-12-05 | netlogon.idl: add NetlogonTicketLogonInformation/NetlogonValidationTicketLogon | Stefan Metzmacher | 2 | -0/+10
I have basic tests, which have shown that the payload is not encrypted at application level. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
2024-11-28 | libcli/auth: let netlogon_creds_copy() make use of ndr_deepcopy_struct() | Stefan Metzmacher | 1 | -20/+6
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Volker Lendecke <vl@samba.org> Autobuild-User(master): Volker Lendecke <vl@samba.org> Autobuild-Date(master): Thu Nov 28 13:53:25 UTC 2024 on atb-devel-224
2024-11-07 | libcli/auth: make use of netlogon_creds_cli_check_transport() in more places | Stefan Metzmacher | 1 | -78/+18
This was somehow missing in commit 7a5ad9f64a905f5744430c6e0796c646baf9432e BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org> Autobuild-User(master): Stefan Metzmacher <metze@samba.org> Autobuild-Date(master): Thu Nov 7 09:14:33 UTC 2024 on atb-devel-224
2024-11-06 | libcli:auth:msrpc_parse: s/the the/is the/ in comments | Douglas Bagnall | 2 | -2/+2
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Volker Lendecke <vl@samba.org>
2024-10-30 | libcli/auth: split out netlogon_creds_cli_check_transport() | Stefan Metzmacher | 1 | -73/+65
This will make it easier to implement netr_ServerAuthenticateKerberos() later... BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2024-10-30 | libcli/auth: let netlogon_creds_copy() copy all scalar elements | Stefan Metzmacher | 1 | -8/+1
This version is good for now, as we want it to be backportable. For master we'll add a ndr_deepcopy_struct() helper in order to avoid future problems. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2024-10-30 | libcli/auth: make use of netlogon_creds_client_verify() | Stefan Metzmacher | 1 | -62/+62
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2024-10-30 | libcli/auth: split out netlogon_creds_client_verify() that takes auth_{type,level} | Stefan Metzmacher | 2 | -2/+26
This will make it easier to implement netr_ServerAuthenticateKerberos() later... BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2024-10-30 | libcli/auth: pass auth_{type,level} to netlogon_creds_server_step_check() | Stefan Metzmacher | 3 | -3/+9
This will make it easier to implement netr_ServerAuthenticateKerberos() later... BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2024-10-30 | libcli/auth: pass auth_{type,level} to schannel_check_creds_state() | Stefan Metzmacher | 2 | -0/+4
This will make it easier to implement netr_ServerAuthenticateKerberos() later... BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2024-10-30 | libcli/auth: return INVALID_PARAMETER for DES in netlogon_creds_{de,en}crypt_samlogon_logon | Stefan Metzmacher | 1 | -0/+1
For the NetlogonGenericInformation case we want an error instead of no encryption if only DES was negotiated... BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2024-10-30 | libcli/auth: make sure low level crypto functions are not used directly | Stefan Metzmacher | 2 | -0/+13
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2024-10-30 | libcli/auth: make use of netlogon_creds_{de,en}crypt_samr_Password | Stefan Metzmacher | 1 | -22/+18
This will make it easier to implement netr_ServerAuthenticateKerberos() later... BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2024-10-30 | libcli/auth: make use of netlogon_creds_encrypt_SendToSam | Stefan Metzmacher | 1 | -16/+8
This will help when implementing netr_ServerAuthenticateKerberos()... BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2024-10-30 | libcli/auth: make use of netlogon_creds_encrypt_samr_CryptPassword | Stefan Metzmacher | 1 | -16/+7
This will help when implementing netr_ServerAuthenticateKerberos()... BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2024-10-30 | libcli/auth: make netlogon_creds_des_{de,en}crypt_LMKey() static | Stefan Metzmacher | 2 | -6/+2
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2024-10-30 | libcli/auth: add netlogon_creds_{de,en}crypt_SendToSam() | Stefan Metzmacher | 2 | -0/+63
These will simplify adding the logic for netr_ServerAuthenticateKerberos... BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2024-10-30 | libcli/auth: add netlogon_creds_{de,en}crypt_samr_CryptPassword() | Stefan Metzmacher | 2 | -0/+56
These will simplify adding the logic for netr_ServerAuthenticateKerberos... BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2024-10-30 | libcli/auth: add netlogon_creds_{de,en}crypt_samr_Password() | Stefan Metzmacher | 2 | -0/+55
These will simplify adding the logic for netr_ServerAuthenticateKerberos... BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2024-10-30 | libcli/auth: pass auth_{type,level} to netlogon_creds_{de,en}crypt_samlogon_logon() | Stefan Metzmacher | 3 | -8/+32
This will be needed when we implement netr_ServerAuthenticateKerberos... BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2024-10-30 | libcli/auth: pass auth_{type,level} to netlogon_creds_{de,en}crypt_samlogon_validation() | Stefan Metzmacher | 4 | -6/+31
This will be needed when we implement netr_ServerAuthenticateKerberos... BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2024-10-30 | libcli/auth: split out netlogon_creds_alloc() | Stefan Metzmacher | 1 | -53/+65
Review with: git show --patience BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2024-10-30 | libcli/auth: let netlogon_creds_cli_store_internal check netlogon_creds_CredentialState_legacy | Stefan Metzmacher | 1 | -0/+13
Before storing the structure into a ctdb managed volatile database we check against netlogon_creds_CredentialState_legacy (the structure used before recent changes). This makes sure unpatched cluster nodes would not get a parsing error. We'll remove this again in master when we try to implement netr_ServerAuthenticateKerberos() and the related changes to netlogon_creds_CredentialState, which will break the compat... BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2024-10-30 | libcli/auth: let netlogon_creds_cli_store_internal() use talloc_stackframe() | Stefan Metzmacher | 1 | -2/+5
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2024-10-30 | libcli/auth: also use netlogon_creds_CredentialState_extra_info for the client | Stefan Metzmacher | 3 | -4/+25
In order to allow backports and cluster updates we simulate a dom_sid, so that the old code is able to parse the blob. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2024-10-30 | libcli/auth: remember client_requested_flags and auth_time in netlogon_creds_server_init() | Stefan Metzmacher | 2 | -0/+6
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2024-10-30 | libcli/auth: remove unused creds->sid | Stefan Metzmacher | 2 | -14/+0
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>