1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-23 17:34:34 +03:00
Commit Graph

29 Commits

Author SHA1 Message Date
Pavel Filipenský
959dc9068d librpc:crypto: SAFE_FREE() -> krb5_free_enctypes()
Reported by Red Hat internal covscan

Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2023-07-28 10:48:32 +00:00
Joseph Sutton
feb36dbebf lib/util: Change function to mem_equal_const_time()
Since memcmp_const_time() doesn't act as an exact replacement for
memcmp(), and its return value is only ever compared with zero, simplify
it and emphasize the intention of checking equality by returning a bool
instead.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2022-06-09 22:49:29 +00:00
Joseph Sutton
ae6634c787 auth: Use constant-time memcmp when comparing sensitive buffers
This helps to avoid timing attacks.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15010

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2022-06-09 22:49:29 +00:00
Pavel Filipenský
a8a0667263 s3:librpc: Improve calling of krb5_kt_end_seq_get()
Remove indentation with early return, best reviewed with
git show -b

Signed-off-by: Pavel Filipenský <pfilipen@redhat.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Wed Nov  3 08:36:00 UTC 2021 on sn-devel-184
2021-11-03 08:36:00 +00:00
Andrew Bartlett
7b4aef782c gse_krb5: Provide keytab name in fill_mem_keytab_from_dedicated_keytab() error strings.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2021-06-15 22:41:34 +00:00
Matthew DeVore
c2ac923c6a s3: safe_string: do not include string_wrappers.h
Rather than have safe_string.h #include string_wrappers.h, make users of
string_wrappers.h include it explicitly.

includes.h now no longer includes string_wrappers.h transitively. Still
allow includes.h to #include safe_string.h for now so that as many
modules as possible get the safety checks in it.

Signed-off-by: Matthew DeVore <matvore@google.com>
Reviewed-by: David Mulder <dmulder@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2020-08-28 00:56:34 +00:00
Noel Power
018c93f35a s3/librpc/crypto: clang: Fixes Value stored to 'ret' is never read
Fixes:

source3/librpc/crypto/gse_krb5.c:63:3: warning: Value stored to 'ret' is never read <--[clang]
                ret = smb_krb5_kt_free_entry(krbctx, &kt_entry);
                ^     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
1 warning generated.

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
2019-09-25 09:47:32 +00:00
Volker Lendecke
877266f775 librpc/crypto: Fix a misleading comment
Probably cut&paste error

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Mon Jun 18 18:34:51 CEST 2018 on sn-devel-144
2018-06-18 18:34:51 +02:00
Stefan Metzmacher
cd813f7fd9 s3:gse_krb5: make use of precalculated krb5 keys in fill_mem_keytab_from_secrets()
This avoids a lot of cpu cycles, which were wasted for each single smb
connection, even if the client didn't use kerberos.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12973

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Fri Aug 18 10:04:57 CEST 2017 on sn-devel-144
2017-08-18 10:04:56 +02:00
Stefan Metzmacher
1d1cf9792f s3:gse_krb5: simplify fill_keytab_from_password() by using kerberos_fetch_salt_princ()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2017-06-27 16:57:44 +02:00
Michael Saxl
a9780a2eaa s3:gse_krb5: fix a possible crash in fill_mem_keytab_from_system_keytab()
If the keytab file isn't readable, we may call
krb5_kt_end_seq_get() with an invalid kt_cursor.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=10490

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

Signed-off-by: Michael Saxl <mike@mwsys.mine.bz>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2017-06-27 16:57:42 +02:00
Andreas Schneider
2f83cfdb90 s3:librpc: Make sure kt_curser and kt_entry are initialized
Found by covscan.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12592

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-02-23 03:18:10 +01:00
Volker Lendecke
25465b118a librpc: Use "all_zero" where appropriate
... Saves a few bytes of footprint

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2017-01-03 16:04:28 +01:00
Andreas Schneider
430c2d1844 s3:crypto: Use smb_krb5_kt_open_relative() for MEMORY keytab
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-12-16 01:55:13 +01:00
Volker Lendecke
46fac3b796 lib: Fix a signed/unsigned hickup
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2016-10-19 01:26:14 +02:00
Andreas Schneider
aa1cca9f27 krb5_wrap: Rename smb_krb5_open_keytab()
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-08-31 20:59:15 +02:00
Andreas Schneider
d1de425385 krb5_wrap: Rename smb_get_enctype_from_kt_entry()
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-08-31 20:59:15 +02:00
Andreas Schneider
2622e16d76 krb5_wrap: Rename get_kerberos_allowed_etypes()
Use consistent naming.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-08-31 20:59:13 +02:00
Volker Lendecke
3940d4e386 crypto: Fix CID 1356314 Resource leak
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-03-18 00:29:13 +01:00
Andreas Schneider
1e1e12a825 s3-libads: Pass down the salt principal in smb_krb5_kt_add_entry()
This is a preparation to move smb_krb5_kt_add_entry() to krb5_wrap.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2016-03-10 06:52:25 +01:00
Andrew Bartlett
82c0ecbb2c gse_krb5: Avoid a segfault when we can not read the dedicated keytab file
This improved code simply cleans up the memory as soon as possible,
rather than using memcmp().  Otherwise, we segfault if
krb5_kt_start_seq_get fails, as it can set the fd element in the
handle to -1.

Change-Id: Ib4821ef944a7e12cd8a891ae07dbfc0567c65495
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Garming Sam <garming@catalyst.net.nz>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu Nov 27 07:38:02 CET 2014 on sn-devel-104
2014-11-27 07:38:02 +01:00
Jeremy Allison
b70f23c2b5 Correctly check for errors in strlower_m() returns. 2012-08-09 12:08:18 -07:00
Andrew Bartlett
f3562424b6 lib/param: Move all enum declarations to lib/param
This is in preperation for the parameter table being made common.

Andrew Bartlett

Pair-Programmed-With: Andrew Tridgell <tridge@samba.org>
2012-07-24 11:01:17 +02:00
Stefan Metzmacher
6f0f10c798 s3-gse: implement fill_mem_keytab_from_[system|dedicated]_keytab
metze
2012-01-20 23:55:53 +01:00
Stefan Metzmacher
6158ea1abd s3-gse: create memory keytab in gse_krb5_get_server_keytab()
The other functions just add entries to it.

metze
2012-01-20 23:55:53 +01:00
Stefan Metzmacher
f86ab29470 s3-gse: fix SECRETS_AND_KEYTAB fallback in gse_krb5_get_server_keytab()
metze
2012-01-20 23:55:53 +01:00
Andrew Bartlett
74eed8f3ed s3-param Remove special case for global_myname(), rename to lp_netbios_name()
There is no reason this can't be a normal constant string in the
loadparm system, now that we have lp_set_cmdline() to handle overrides
correctly.

Andrew Bartlett
2011-06-09 12:40:09 +02:00
Andrew Bartlett
0415a5736e s3-librpc Fix creation of in-memory keytab for previous password
We set the current password twice, rather than the current and old
password.

Andrew Bartlett
2011-04-06 12:34:58 +10:00
Simo Sorce
0e5eb82a6f s3-dcerpc: move crypto stuff in /librpc/crypto
Signed-off-by: Günther Deschner <gd@samba.org>
2010-09-23 10:36:54 -07:00