IF YOU WOULD LIKE TO GET AN ACCOUNT, please write an
email to Administrator. User accounts are meant only to access repo
and report issues and/or generate pull requests.
This is a purpose-specific Git hosting for
BaseALT
projects. Thank you for your understanding!
Только зарегистрированные пользователи имеют доступ к сервису!
Для получения аккаунта, обратитесь к администратору.
This shows that STRONG_KEY without ARCFOUR means no encryption
for ServerPasswordSet2.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
This breaks compat with 4.21 and moves stuff out of
netlogon_creds_CredentialState_extra_info.
It also prepares support for netr_ServerAuthenticateKerberos()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
I have basic tests, which have shown that the payload is not
encrypted at application level.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
This version is good for now, as we want it to be backportable.
For master we'll add a ndr_deepcopy_struct() helper in order
to avoid future problems.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
This will make it easier to implement netr_ServerAuthenticateKerberos()
later...
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
This will make it easier to implement netr_ServerAuthenticateKerberos() later...
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
For the NetlogonGenericInformation case we want an error instead of no
encryption if only DES was negotiated...
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
These will simplify adding the logic for netr_ServerAuthenticateKerberos...
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
These will simplify adding the logic for netr_ServerAuthenticateKerberos...
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
These will simplify adding the logic for netr_ServerAuthenticateKerberos...
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
This will be needed when we implement netr_ServerAuthenticateKerberos...
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
This will be needed when we implement netr_ServerAuthenticateKerberos...
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Review with: git show --patience
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
In order to allow backports and cluster updates we simulate a
dom_sid, so that the old code is able to parse the blob.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
As server we are free to change the netlogon_creds_CredentialState
database record format at will as it uses CLEAR_IF_FIRST.
For now that format doesn't really changes, because we
only move dom_sid into a wrapper structure.
In order to avoid changing all callers in this commit,
we maintain creds->sid as in memory pointer.
In the following patches we'll also use it in order
to store client related information...
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
This allows us to remove a lot of conditionally compiled code and so
know with more certaintly that our tests are covering our codepaths.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Since memcmp_const_time() doesn't act as an exact replacement for
memcmp(), and its return value is only ever compared with zero, simplify
it and emphasize the intention of checking equality by returning a bool
instead.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This helps to avoid timing attacks.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15010
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This implements the note from MS-NRPC 3.1.4.1 Session-Key Negotiation:
7. If none of the first 5 bytes of the client challenge is unique, the
server MUST fail session-key negotiation without further processing of
the following steps.
It lets ./zerologon_tester.py from
https://github.com/SecuraBV/CVE-2020-1472.git
report: "Attack failed. Target is probably patched."
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
This is the check Windows is using, so we won't generate challenges,
which are rejected by Windows DCs (and future Samba DCs).
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
It's good to have just a single isolated function that will generate
random challenges, in future we can add some logic in order to
avoid weak values, which are likely to be rejected by a server.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14195
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Thu Nov 14 09:25:36 UTC 2019 on sn-devel-184
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Adapted by Andrew Bartlett to use gnutls_error_to_ntstatus()
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
