1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-22 13:34:15 +03:00
Commit Graph

69 Commits

Author SHA1 Message Date
Joseph Sutton
cee483fd4a libcli/auth: Use correct enumeration constant
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-30 00:02:33 +00:00
Joseph Sutton
2b33c919c5 libcli/auth: Fix code spelling
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-08-08 04:39:36 +00:00
Andrew Bartlett
a21ca8ac9c Remove rudundent check and fallback for AES CFB8 as we now require GnuTLS 3.6.13
This allows us to remove a lot of conditionally compiled code and so
know with more certaintly that our tests are covering our codepaths.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2023-06-30 14:00:38 +00:00
Joseph Sutton
feb36dbebf lib/util: Change function to mem_equal_const_time()
Since memcmp_const_time() doesn't act as an exact replacement for
memcmp(), and its return value is only ever compared with zero, simplify
it and emphasize the intention of checking equality by returning a bool
instead.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2022-06-09 22:49:29 +00:00
Joseph Sutton
ae6634c787 auth: Use constant-time memcmp when comparing sensitive buffers
This helps to avoid timing attacks.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15010

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2022-06-09 22:49:29 +00:00
Stefan Metzmacher
d3123858fb CVE-2020-1472(ZeroLogon): libcli/auth: reject weak client challenges in netlogon_creds_server_init()
This implements the note from MS-NRPC 3.1.4.1 Session-Key Negotiation:

 7. If none of the first 5 bytes of the client challenge is unique, the
    server MUST fail session-key negotiation without further processing of
    the following steps.

It lets ./zerologon_tester.py from
https://github.com/SecuraBV/CVE-2020-1472.git
report: "Attack failed. Target is probably patched."

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2020-09-18 12:48:38 +00:00
Stefan Metzmacher
53528c71ff CVE-2020-1472(ZeroLogon): libcli/auth: add netlogon_creds_is_random_challenge() to avoid weak values
This is the check Windows is using, so we won't generate challenges,
which are rejected by Windows DCs (and future Samba DCs).

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2020-09-18 12:48:38 +00:00
Stefan Metzmacher
b813cdcac3 CVE-2020-1472(ZeroLogon): libcli/auth: add netlogon_creds_random_challenge()
It's good to have just a single isolated function that will generate
random challenges, in future we can add some logic in order to
avoid weak values, which are likely to be rejected by a server.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2020-09-18 12:48:38 +00:00
Isaac Boukris
dcc33103d5 smbdes: convert des_crypt112_16 to use gnutls
Signed-off-by: Isaac Boukris <iboukris@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2019-12-10 00:30:31 +00:00
Isaac Boukris
254739137b smbdes: convert des_crypt112 to use gnutls
Signed-off-by: Isaac Boukris <iboukris@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2019-12-10 00:30:31 +00:00
Isaac Boukris
c57f429574 smbdes: convert des_crypt128() to use gnutls
Signed-off-by: Isaac Boukris <iboukris@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2019-12-10 00:30:30 +00:00
Isaac Boukris
38189f76d8 netlogon_creds_des_encrypt/decrypt_LMKey: use gnutls and return NTSTATUS
Signed-off-by: Isaac Boukris <iboukris@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2019-12-10 00:30:30 +00:00
Andrew Bartlett
0361a26e39 libcli:auth Check return code of netlogon_creds_aes_encrypt()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14195

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Thu Nov 14 09:25:36 UTC 2019 on sn-devel-184
2019-11-14 09:25:36 +00:00
Andreas Schneider
32e75bb4cc libcli:auth: Check return code of netlogon_creds_step_crypt()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14195

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2019-11-14 08:01:44 +00:00
Andreas Schneider
05f59cbcf8 libcli:auth: Check return code of netlogon_creds_step()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14195

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2019-11-14 08:01:44 +00:00
Andreas Schneider
7c7dc855ba libcli:auth: Return NTSTATUS for netlogon_creds_client_authenticator()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14195

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2019-11-14 08:01:44 +00:00
Andreas Schneider
0ed92e3e60 libcli:auth: Check return status of netlogon_creds_first_step()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14195

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2019-11-14 08:01:44 +00:00
Andreas Schneider
e4ae1ba451 libcli:auth: Check return status of netlogon_creds_init_64bit()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14195

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2019-11-14 08:01:44 +00:00
Andreas Schneider
2c21cd6d49 libcli:auth: Check return value of netlogon_creds_init_128bit()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14195

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2019-11-14 08:01:44 +00:00
Andrew Bartlett
d515b255aa libcli:auth Check NTSTATUS from netlogon_creds_aes_{en,de}crypt()
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2019-08-21 09:57:30 +00:00
Andrew Bartlett
8ec796f1a1 libcli:auth Return NTSTATUS from netlogon_creds_aes_decrypt()
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2019-08-21 09:57:30 +00:00
Andreas Schneider
a967285861 libcli:auth: Use GnuTLS AES128 CFB for netlogon_creds_aes_decrypt()
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2019-08-21 09:57:30 +00:00
Andreas Schneider
ded5aad21b libcli:auth: Return NTSTATUS for netlogon_creds_aes_encrypt()
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Adapted by Andrew Bartlett to use gnutls_error_to_ntstatus()

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2019-08-21 09:57:29 +00:00
Andreas Schneider
054efd118d libcli:auth: Use GnuTLS AES128 CFB for netlogon_creds_aes_encrypt()
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2019-08-21 09:57:29 +00:00
Andreas Schneider
cd97c47873 libcli:auth: Use netlogon_creds_aes_encrypt() in netlogon_creds_step_crypt()
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2019-08-21 09:57:29 +00:00
Andreas Schneider
67e6a9af2c libcli:auth: Return NTSTATUS for netlogon_creds_arcfour_crypt()
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2019-06-27 12:54:23 +00:00
Andreas Schneider
99d250a3ab libcli:auth: Return NTSTATUS for netlogon_creds_crypt_samlogon_logon()
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2019-06-27 12:54:23 +00:00
Andreas Schneider
cad3adb0b4 libcli:auth: Return NTSTATUS for netlogon_creds_decrypt_samlogon_logon()
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2019-06-27 12:54:23 +00:00
Andreas Schneider
31f110317f libcli:auth: Return NTSTATUS for netlogon_creds_encrypt_samlogon_logon()
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2019-06-27 12:54:23 +00:00
Andreas Schneider
8c9cf56fe9 libcli:auth: Return NTSTATUS for netlogon_creds_server_step_check()
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2019-06-27 12:54:23 +00:00
Andreas Schneider
2e6fe27bad libcli:auth: Return NTSTATUS for netlogon_creds_decrypt_samlogon_validation()
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2019-06-27 12:54:23 +00:00
Andreas Schneider
00dd1a8bf8 libcli:auth: Return NTSTATUS for netlogon_creds_encrypt_samlogon_validation()
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2019-06-27 12:54:23 +00:00
Andreas Schneider
f825fa6d90 libcli:auth: Use GnuTLS RC4 for netlogon credentials
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2019-06-27 12:54:23 +00:00
Andrew Bartlett
8f4c30f785 lib/crypto: move gnutls error wrapper to own subsystem
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2019-06-27 12:54:22 +00:00
Andreas Schneider
702ae15853 libcli:auth: Use gnutls_error_to_ntstatus() in credentials
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2019-06-24 06:11:17 +00:00
Andreas Schneider
75ee0c83c1 libcli:auth: Add return codes for netlogon_creds_init_128bit()
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2019-05-21 00:03:20 +00:00
Andreas Schneider
1810daaf9c libcli:auth: Use GnuTLS MD5 and HMAC MD5 in netlogon_creds_init_128bit
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2019-05-21 00:03:20 +00:00
Andreas Schneider
5d87610976 libcli:auth: Add return code for netlogon_creds_init_hmac_sha256()
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2019-04-30 23:18:27 +00:00
Andreas Schneider
8bed91c999 libcli:auth: Use GnuTLS SHA256 HMAC for credentials
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2019-04-30 23:18:27 +00:00
Andreas Schneider
0045a919b4 libcli:auth: Avoid explicit ZERO_STRUCT
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Wed Feb 27 03:22:50 CET 2019 on sn-devel-144
2019-02-27 03:22:50 +01:00
Andreas Schneider
6b2c6c0e56 libcli:auth: Use C99 initializers or ZERO_ARRAY instead of ZERO_STRUCT
ZERO_STRUCT is not wrong here, it will give the same result, but better
use macros with correct naming as it makes clear what happens when you
read the code.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-12-20 12:16:40 +01:00
Volker Lendecke
602ec8884b libcli: Apply some const
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-09-16 08:36:18 +02:00
Volker Lendecke
3d9b1bdf6c libcli: Use "all_zero" where appropriate
... Saves a few bytes of footprint

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2017-01-03 16:04:28 +01:00
Stefan Metzmacher
409cf45147 libcli/auth: add some const to netlogon_creds_server_{init,step_check}()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2015-03-20 20:43:11 +01:00
Stefan Metzmacher
cd648ec00f libcli/auth: s/encrypt/do_encrypt
This avoids compiler warnings.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-04-02 09:03:42 +02:00
Stefan Metzmacher
e6afeae695 libcli/auth: try to use the current timestamp creds->sequence
If the last usage of netlogon_creds_client_authenticator()
is in the past try to use the current timestamp and increment
more than just 2.

If we use netlogon_creds_client_authenticator() a lot within a
second, we increment keep incrementing by 2.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Tue Dec 24 13:18:18 CET 2013 on sn-devel-104
2013-12-24 13:18:18 +01:00
Stefan Metzmacher
636daac3b7 libcli/auth: remove bogus comment regarding replay attacks
creds->sequence (timestamp) is the value that is used to increment the internal
state, it's not a real sequence number. The sequence comes
from adding all timestamps of the whole session.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-12-24 09:10:06 +01:00
Stefan Metzmacher
202bcf9096 libcli/auth: set the return_authenticator->timestamp = 0
This is what windows returns, the value is ignored by the client anyway.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-12-24 09:10:06 +01:00
Stefan Metzmacher
2ea749a1a4 libcli/auth: add netlogon_creds_shallow_copy_logon()
This can be used before netlogon_creds_encrypt_samlogon_logon()
in order to keep the provided buffers unchanged.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2013-08-05 10:30:01 +02:00
Stefan Metzmacher
c7319fce60 libcli/auth: add netlogon_creds_[de|en]crypt_samlogon_logon()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2013-08-05 10:30:01 +02:00