samba-mirror

mirror of https://github.com/samba-team/samba.git synced 2024-12-23 17:34:34 +03:00

Author	SHA1	Message	Date
Andreas Schneider	2daf3e7975	auth:gensec: Use lpcfg_weak_crypto() Pair-Programmed-With: Stefan Metzmacher <metze@samba.org> Signed-off-by: Andreas Schneider <asn@samba.org> Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>	2021-08-03 09:28:38 +00:00
Volker Lendecke	ad7628b2cb	gensec: Slightly simplify gensec_generate_session_info_pac() Reduce indentation by an early error return and by introducing a helper variable. Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>	2021-04-27 13:24:35 +00:00
Volker Lendecke	69a3d0fa4b	gensec: Remove gensec_security_all(), it was only used internally Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>	2021-04-06 22:29:34 +00:00
Andreas Schneider	1298280a22	auth:creds: Rename CRED_USE_KERBEROS values Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org>	2020-11-03 15:25:37 +00:00
Stefan Metzmacher	515cffb1f2	auth:gensec: If Kerberos is required, keep schannel for machine account auth Signed-off-by: Stefan Metzmacher <metze@samba.org> Signed-off-by: Andreas Schneider <asn@samba.org>	2020-09-07 12:02:15 +00:00
Stefan Metzmacher	a33a40bbc8	auth:gensec: Pass use_kerberos and keep_schannel to gensec_use_kerberos_mechs() Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>	2020-09-07 12:02:15 +00:00
Stefan Metzmacher	2186d4131a	auth:gensec: Make gensec_use_kerberos_mechs() a static function Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>	2020-09-07 12:02:15 +00:00
Stefan Metzmacher	b34e8dc898	auth:gensec: Add gensec_security_sasl_names() Pair-Programmed-With: Andreas Schneider <asn@samba.org> Signed-off-by: Andreas Schneider <asn@samba.org> Signed-off-by: Stefan Metzmacher <metze@samba.org>	2020-09-07 12:02:15 +00:00
Matthew DeVore	232054c09b	lib/util: remove extra safe_string.h file lib/util/safe_string.h is similar to source3/include/safe_string.h, but the former has fewer checks. It is missing bcopy, strcasecmp, and strncasecmp. Add the missing elements to lib/util/safe_string.h remove the other safe_string.h which is in the source3-specific path. To accomodate existing uses of str(n?)casecmp, add #undef lines to source files where they are used. Signed-off-by: Matthew DeVore <matvore@google.com> Reviewed-by: David Mulder <dmulder@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org> Autobuild-User(master): Jeremy Allison <jra@samba.org> Autobuild-Date(master): Fri Aug 28 02:18:40 UTC 2020 on sn-devel-184	2020-08-28 02:18:40 +00:00
Volker Lendecke	af34a411b9	gensec: Fix a typo Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>	2020-08-17 19:35:37 +00:00
Gary Lockyer	f467727db5	CVE-2020-10704: lib util asn1: Add ASN.1 max tree depth Add maximum parse tree depth to the call to asn1_init, which will be used to limit the depth of the ASN.1 parse tree. Credit to OSS-Fuzz REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=20454 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14334 Signed-off-by: Gary Lockyer <gary@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>	2020-05-04 02:59:31 +00:00
Andreas Schneider	6ada071d62	gensec: Add a check if a gensec module implements weak crypto Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>	2020-03-19 20:46:41 +00:00
Stefan Metzmacher	98d2d5a403	auth/gensec: map NT_STATUS_{INVALID_ACCOUNT_NAME,NO_SUCH_DOMAIN} to NT_STATUS_NO_SUCH_USER This means nt_status_squash() will map NT_STATUS_NO_SUCH_USER to LOGON_FAILURE later. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>	2020-02-10 16:32:37 +00:00
Stefan Metzmacher	28d9493d23	gensec/spnego: fallback on INVALID_{ACCOUNT,COMPUTER}_NAME and NO_SUCH_DOMAIN I think it's better to handle them in spnego.c, instead of squashing them already in the gssapi/gse modules. This is related to KRB5KDC_ERR_{C,S}_PRINCIPAL_UNKNOWN and KRB5_REALM_UNKNOWN. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>	2020-02-10 16:32:37 +00:00
Isaac Boukris	23ea12e98e	spnego: fix server handling of no optimistic exchange BUG: https://bugzilla.samba.org/show_bug.cgi?id=14106 Signed-off-by: Isaac Boukris <iboukris@redhat.com> Reviewed-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org> Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org> Autobuild-Date(master): Sat Oct 12 15:51:42 UTC 2019 on sn-devel-184	2019-10-12 15:51:42 +00:00
Isaac Boukris	d7e57ef7dd	spnego: add client option to omit sending an optimistic token BUG: https://bugzilla.samba.org/show_bug.cgi?id=14106 Signed-off-by: Isaac Boukris <iboukris@redhat.com> Reviewed-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>	2019-10-12 14:33:33 +00:00
Isaac Boukris	37daeb220e	spnego: ignore server mech_types list We should not use the mech list sent by the server in the last 'negotiate' packet in CIFS protocol, as it is not protected and may be subject to downgrade attacks. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14106 Signed-off-by: Isaac Boukris <iboukris@redhat.com> Reviewed-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>	2019-10-12 14:33:32 +00:00
Günther Deschner	f988756599	auth/gensec: fix AES schannel seal and unseal Workaround bug present in gnutls 3.6.8: gnutls_cipher_decrypt() uses an optimization internally that breaks decryption when processing buffers with their length not being a multiple of the blocksize. Signed-off-by: Stefan Metzmacher <metze@samba.org> Pair-Programmed-With: Guenther Deschner <gd@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>	2019-10-07 08:13:44 +00:00
Günther Deschner	709d54d68a	auth/gensec: fix non-AES schannel seal BUG: https://bugzilla.samba.org/show_bug.cgi?id=14134 Guenther Signed-off-by: Guenther Deschner <gd@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>	2019-10-07 08:13:44 +00:00
Mathieu Parent	105bb06318	Spelling fixes s/withing/within/ Signed-off-by: Mathieu Parent <math.parent@gmail.com> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>	2019-09-01 22:21:28 +00:00
Andrew Bartlett	fa8eddc39b	auth/gensec: Use gnutls_error_to_ntstatus() in netsec_do_seal() Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>	2019-08-21 09:57:31 +00:00
Andreas Schneider	025f6a135f	auth:gensec: Use GnuTLS AES CFB8 in netsec_do_seal() Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>	2019-08-21 09:57:30 +00:00
Andrew Bartlett	3b27fd8a49	auth/gensec: Use gnutls_error_to_ntstatus() consistently in schannel Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>	2019-08-21 09:57:30 +00:00
Andreas Schneider	58c781dc93	auth:gensec: Use GnuTLS AES128 CFB8 in netsec_do_seq_num() Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>	2019-08-21 09:57:30 +00:00
Noel Power	f004f8a234	auth/gensec: clang: Fix 'Value stored to 'status' is never read' Fixes: auth/gensec/spnego.c:877:2: warning: Value stored to 'status' is never read <--[clang] status = sub_status; ^ ~~~~~~~~~~ 1 warning generated. Signed-off-by: Noel Power <noel.power@suse.com> Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>	2019-07-11 04:08:13 +00:00
Andreas Schneider	ba96534eb3	auth:gensec: Return NTSTATUS for netsec_do_seal() Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>	2019-06-27 12:54:23 +00:00
Andreas Schneider	6148cd9c97	auth:gensec: Use GnuTLS RC4 in netsec_do_seal() Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>	2019-06-27 12:54:23 +00:00
Andreas Schneider	d5ca7ff40f	auth:gensec: Use GnuTLS RC4 in netsec_do_seq_num() Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>	2019-06-27 12:54:23 +00:00
Andrew Bartlett	8f4c30f785	lib/crypto: move gnutls error wrapper to own subsystem Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>	2019-06-27 12:54:22 +00:00
Andreas Schneider	232c3b6f80	auth:gensec: Use gnutls_error_to_ntstatus() in schannel Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>	2019-06-24 06:11:16 +00:00
Andreas Schneider	6317095023	auth:gensec: Return NTSTATUS for netsec_do_seq_num() Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>	2019-05-21 00:03:22 +00:00
Andreas Schneider	6aa30669a1	auth:gensec: Use GnuTLS HMAC MD5 and MD5 in netsec_do_sign() Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>	2019-05-21 00:03:22 +00:00
Andreas Schneider	71926c6e4f	auth:gensec: Use GnuTLS HMAC MD5 in netsec_do_seal() Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>	2019-05-21 00:03:21 +00:00
Andreas Schneider	6b413dab0b	auth:gensec: Use GnuTLS HMAC MD5 in netsec_do_seq_num() Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>	2019-05-21 00:03:21 +00:00
Andreas Schneider	83d228b66a	auth:gensec: Add return code for netsec_do_sign() Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>	2019-04-30 23:18:28 +00:00
Andreas Schneider	c04571d47c	auth:gensec: Use GnuTLS SHA256 HMAC for schannel Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>	2019-04-30 23:18:28 +00:00
Andreas Schneider	b451168d72	auth:gensec: Make sure we zero the checksum after use Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>	2019-02-27 01:35:19 +01:00
Andreas Schneider	14c7d19b63	auth:gensec: Use C99 initializer in schannel Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>	2019-01-28 10:29:21 +01:00
Stefan Metzmacher	be2a67319d	auth/gensec: enforce that all DCERPC contexts support SIGN_PKT_HEADER That's currently always the case and will simplifies the callers. WORKS now??? TDB_NO_FSYNC=1 buildnice make -j test FAIL_IMMEDIATELY=1 SOCKET_WRAPPER_KEEP_PCAP=1 TESTS='samba4.rpc.lsa.secrets.ncacn_np.Kerberos.Samba3.fl2000dc' and TDB_NO_FSYNC=1 buildnice make -j test FAIL_IMMEDIATELY=1 SOCKET_WRAPPER_KEEP_PCAP=1 TESTS='samba3.rpc.lsa.ncacn_ip_tcp.nt4_dc' Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org> Autobuild-User(master): Jeremy Allison <jra@samba.org> Autobuild-Date(master): Sun Dec 23 21:33:51 CET 2018 on sn-devel-144	2018-12-23 21:33:51 +01:00
Andreas Schneider	2a646a7485	auth:gensec: Add FALL_THROUGH statements in spnego.c Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>	2018-03-01 04:37:43 +01:00
kkplein	d39664fc66	define DBGC_AUTH class Signed-off-by: Mourik Jan C Heupink <heupink@merit.unu.edu> Reviewed-by: Garming Sam <garming@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>	2018-01-08 03:34:17 +01:00
Stefan Metzmacher	ee9f4374ed	auth/gensec: finally remove unused gensec_update_ev() Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org> Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org> Autobuild-Date(master): Tue Jul 25 17:42:55 CEST 2017 on sn-devel-144	2017-07-25 17:42:55 +02:00
Stefan Metzmacher	39353c9a6e	auth/gensec: don't allow gensec_update[_ev] to be called on a subcontext Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>	2017-07-25 13:51:12 +02:00
Stefan Metzmacher	a7f401243c	auth/gensec: make use of gensec_update_send/recv in gensec_update_ev() Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>	2017-07-25 13:51:12 +02:00
Stefan Metzmacher	eb6b2b63e9	auth/gensec: introduce gensec_security_ops.glue in order to avoid depending on GENSEC_OID_SPNEGO being special In future we have get more backends that can negotiate other backends, we should keep all of them even if we require kerberos. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>	2017-07-25 13:51:11 +02:00
Stefan Metzmacher	692425f09a	auth/gensec: add some useful debugging to gensec_update_send/gensec_update_done This makes it easier to spot problems with all the abstraction and async layers. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>	2017-07-25 13:51:11 +02:00
Andreas Schneider	97788f4a75	auth/spnego: Use talloc_get_type_abort() in gsensec_spnego_update_out() Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>	2017-07-25 13:51:11 +02:00
Andreas Schneider	62ffe20fcb	auth/spnego: Use talloc_get_type_abort() in gsensec_spnego_update_in() Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>	2017-07-25 13:51:11 +02:00
Andreas Schneider	e492950184	auth/spnego: Rename gensec_spnego_update_sub_abort() The name is not ideal as someone might think we will panic and abort the process. So rename it to gensec_spnego_reset_sub_sec(). Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>	2017-07-25 13:51:11 +02:00
Stefan Metzmacher	832e9ff594	auth/spnego: replace gensec_spnego_neg_loop() by real async processing of {start,step,finish}_fn() Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>	2017-07-25 13:51:11 +02:00

1 2 3 4 5 ...

271 Commits