path: root/libcli/auth
Commit message | Author | Age | Files | Lines
* auth: Return status code if configuration prohibits NTLM | Joseph Sutton | 2023-05-16 | 2 | -0/+9
    Currently, we rely on ‘stored_nt’ being NULL to give an NT_STATUS_WRONG_PASSWORD error.

    Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* libcli:auth: Fix code spelling | Andreas Schneider | 2023-04-27 | 5 | -9/+9
    Signed-off-by: Andreas Schneider <asn@samba.org>
    Reviewed-by: Volker Lendecke <vl@samba.org>
* CVE-2022-37966 libcli/auth: let netlogon_creds_cli_warn_options() about "kerberos encryption types=legacy" | Stefan Metzmacher | 2022-12-13 | 1 | -0/+15
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237

    Signed-off-by: Stefan Metzmacher <metze@samba.org>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>
    Reviewed-by: Ralph Boehme <slow@samba.org>
* CVE-2022-38023 docs-xml/smbdotconf: change 'reject md5 servers' default to yes | Stefan Metzmacher | 2022-12-13 | 1 | -2/+2
    AES is supported by Windows >= 2008R2 and Samba >= 4.0 so there's no reason to allow md5 servers by default.

    Note the change in netlogon_creds_cli_context_global() is only cosmetic, but avoids confusion while reading the code. Check with:

        git show -U35 libcli/auth/netlogon_creds_cli.c

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240

    Signed-off-by: Stefan Metzmacher <metze@samba.org>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>
    Reviewed-by: Ralph Boehme <slow@samba.org>
* CVE-2022-38023 libcli/auth: add/use netlogon_creds_cli_warn_options() | Stefan Metzmacher | 2022-12-13 | 2 | -0/+68
    This warns the admin about insecure options

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240

    Signed-off-by: Stefan Metzmacher <metze@samba.org>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>
    Reviewed-by: Ralph Boehme <slow@samba.org>
* CVE-2022-38023 libcli/auth: pass lp_ctx to netlogon_creds_cli_set_global_db() | Stefan Metzmacher | 2022-12-13 | 2 | -2/+3
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240

    Signed-off-by: Stefan Metzmacher <metze@samba.org>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>
    Reviewed-by: Ralph Boehme <slow@samba.org>
* s3:g_lock: add callback function to g_lock_lock_send() | Stefan Metzmacher | 2022-09-20 | 1 | -2/+4
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15125

    Signed-off-by: Stefan Metzmacher <metze@samba.org>
    Reviewed-by: Jeremy Allison <jra@samba.org>
* libcli/auth/proto.h: remove unneeded path details. | Douglas Bagnall | 2022-09-16 | 2 | -5/+5
    Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* libcli:auth: Keep passwords from convert_string_talloc() secret | Joseph Sutton | 2022-09-12 | 1 | -0/+2
    Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
    Reviewed-by: Andreas Schneider <asn@samba.org>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* libcli:auth: Add test for decode_pwd_string_from_buffer514() | Andreas Schneider | 2022-07-28 | 1 | -0/+17
    Signed-off-by: Andreas Schneider <asn@samba.org>
    Reviewed-by: Stefan Metzmacher <metze@samba.org>
* libcli:auth: Add decode_pwd_string_from_buffer514() | Andreas Schneider | 2022-07-28 | 2 | -0/+49
    Signed-off-by: Andreas Schneider <asn@samba.org>
    Reviewed-by: Stefan Metzmacher <metze@samba.org>
* libcli:auth: Add test for extract_pwd_blob_from_buffer514() | Andreas Schneider | 2022-07-28 | 1 | -0/+17
    Signed-off-by: Andreas Schneider <asn@samba.org>
    Reviewed-by: Stefan Metzmacher <metze@samba.org>
* libcli:auth: Add extract_pwd_blob_from_buffer514() | Andreas Schneider | 2022-07-28 | 2 | -0/+48
    Signed-off-by: Andreas Schneider <asn@samba.org>
    Reviewed-by: Stefan Metzmacher <metze@samba.org>
* libcli:auth: Implement a common create_pw_buffer_from_blob() | Andreas Schneider | 2022-07-28 | 1 | -5/+38
    Signed-off-by: Andreas Schneider <asn@samba.org>
    Reviewed-by: Stefan Metzmacher <metze@samba.org>
* libcli:auth: Use extract_pw_from_buffer() in decode_pw_buffer() | Andreas Schneider | 2022-07-28 | 1 | -20/+16
    Signed-off-by: Andreas Schneider <asn@samba.org>
    Reviewed-by: Stefan Metzmacher <metze@samba.org>
* libcli:auth: Keep data of extract_pw_from_buffer() secret | Andreas Schneider | 2022-07-28 | 1 | -0/+1
    Signed-off-by: Andreas Schneider <asn@samba.org>
    Reviewed-by: Stefan Metzmacher <metze@samba.org>
* libcli:auth: Add test for encode_pwd_buffer514_from_str() | Andreas Schneider | 2022-07-28 | 2 | -0/+137
    Signed-off-by: Andreas Schneider <asn@samba.org>
    Reviewed-by: Stefan Metzmacher <metze@samba.org>
* libcli:auth: Add encode_pw_buffer_from_str() | Andreas Schneider | 2022-07-28 | 2 | -0/+41
    Signed-off-by: Andreas Schneider <asn@samba.org>
    Reviewed-by: Stefan Metzmacher <metze@samba.org>
* libcli:auth: Implement a generic encode_pwd_buffer_from_str() | Andreas Schneider | 2022-07-28 | 1 | -18/+59
    Signed-off-by: Andreas Schneider <asn@samba.org>
    Reviewed-by: Stefan Metzmacher <metze@samba.org>
* libcli:auth: Remove trailing spaces from proto.h | Andreas Schneider | 2022-07-28 | 1 | -21/+21
    Signed-off-by: Andreas Schneider <asn@samba.org>
    Reviewed-by: Stefan Metzmacher <metze@samba.org>
* lib/util: Change function to mem_equal_const_time() | Joseph Sutton | 2022-06-09 | 3 | -13/+13
    Since memcmp_const_time() doesn't act as an exact replacement for memcmp(), and its return value is only ever compared with zero, simplify it and emphasize the intention of checking equality by returning a bool instead.

    Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* lib/util: Change function to data_blob_equal_const_time() | Joseph Sutton | 2022-06-09 | 1 | -3/+3
    Since data_blob_cmp_const_time() doesn't act as an exact replacement for data_blob_cmp(), and its return value is only ever compared with zero, simplify it and emphasize the intention of checking equality by returning a bool instead.

    Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* auth: Use constant-time memcmp when comparing sensitive buffers | Joseph Sutton | 2022-06-09 | 3 | -11/+11
    This helps to avoid timing attacks.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15010

    Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* libcli/auth: let NTLMv2_RESPONSE_verify_netlogon_creds ignore invalid netapp requests | Stefan Metzmacher | 2022-01-04 | 1 | -0/+63
    We should avoid spamming the logs with well-known messages like:

        ndr_pull_error(Buffer Size Error): Pull bytes 39016

    They just confuse admins (and developers).

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14932

    Signed-off-by: Stefan Metzmacher <metze@samba.org>
    Reviewed-by: Jeremy Allison <jra@samba.org>
* libcli/auth: let NTLMv2_RESPONSE_verify_netlogon_creds ignore BUFFER_TOO_SMALL | Stefan Metzmacher | 2022-01-04 | 1 | -5/+21
    Windows doesn't complain about invalid av_pair blobs, we need to do the same.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14932

    Signed-off-by: Stefan Metzmacher <metze@samba.org>
    Reviewed-by: Jeremy Allison <jra@samba.org>
* libcli:auth: Allow to connect to netlogon server offering only AES | Andreas Schneider | 2021-12-02 | 1 | -10/+38
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14912

    Signed-off-by: Andreas Schneider <asn@samba.org>
    Reviewed-by: Stefan Metzmacher <metze@samba.org>

    Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
    Autobuild-Date(master): Thu Dec 2 14:49:35 UTC 2021 on sn-devel-184
* netlogon_creds_cli: add netlogon_creds_cli_SendToSam_recv() and don't ignore result | Stefan Metzmacher | 2021-10-19 | 2 | -4/+17
    This is a low level function that should not ignore results. If the caller doesn't care it's his choice.

    Signed-off-by: Stefan Metzmacher <metze@samba.org>
    Reviewed-by: Jeremy Allison <jra@samba.org>

    Autobuild-User(master): Jeremy Allison <jra@samba.org>
    Autobuild-Date(master): Tue Oct 19 20:20:00 UTC 2021 on sn-devel-184
* netlogon:schannel: If weak crypto is disabled, do not announce RC4 support. | Andreas Schneider | 2021-08-03 | 1 | -0/+12
    Signed-off-by: Andreas Schneider <asn@samba.org>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* Fix gcc11 compiler issue "-Werror=maybe-uninitialized" | Günther Deschner | 2021-05-07 | 1 | -1/+1
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14699

    ../../source4/dsdb/common/util_links.c: In function ‘ndr_guid_compare’:
    ../../source4/dsdb/common/util_links.c:38:29: error: ‘v1_data’ may be used uninitialized [-Werror=maybe-uninitialized]
       38 | struct ldb_val v1 = data_blob_const(v1_data, sizeof(v1_data));
          | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    In file included from ../../source4/../lib/util/samba_util.h:48,
                     from ../../source4/include/includes.h:62,
                     from ../../source4/dsdb/common/util_links.c:22:
    ../../lib/util/data_blob.h:116:20: note: by argument 1 of type ‘const void *’ to ‘data_blob_const’ declared here
      116 | _PUBLIC_ DATA_BLOB data_blob_const(const void *p, size_t length);
          | ^~~~~~~~~~~~~~~
    ../../source4/dsdb/common/util_links.c:37:17: note: ‘v1_data’ declared here
       37 | uint8_t v1_data[16];
          | ^~~~~~~
    cc1: all warnings being treated as errors

    [1729/3991] Compiling source3/smbd/smbXsrv_open.c
    ../../libcli/auth/smbencrypt.c: In function ‘decode_wkssvc_join_password_buffer’:
    ../../libcli/auth/smbencrypt.c:1045:32: error: ‘_confounder’ may be used uninitialized [-Werror=maybe-uninitialized]
     1045 | DATA_BLOB confounder = data_blob_const(_confounder, 8);
          | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    In file included from ../../source4/../lib/util/samba_util.h:48,
                     from ../../source4/include/includes.h:62,
                     from ../../libcli/auth/smbencrypt.c:24:
    ../../lib/util/data_blob.h:116:20: note: by argument 1 of type ‘const void *’ to ‘data_blob_const’ declared here
      116 | _PUBLIC_ DATA_BLOB data_blob_const(const void *p, size_t length);
          | ^~~~~~~~~~~~~~~
    ../../libcli/auth/smbencrypt.c:1044:17: note: ‘_confounder’ declared here
     1044 | uint8_t _confounder[8];
          | ^~~~~~~~~~~
    cc1: all warnings being treated as errors

    [2624/3991] Compiling source4/torture/rpc/samr.c
    ../../source3/rpc_client/cli_samr.c: In function ‘dcerpc_samr_chgpasswd_user2’:
    ../../source3/rpc_client/cli_samr.c:158:33: error: ‘old_nt_hash’ may be used uninitialized [-Werror=maybe-uninitialized]
      158 | DATA_BLOB session_key = data_blob_const(old_nt_hash, 16);
          | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    In file included from ../../source3/../lib/util/samba_util.h:48,
                     from ../../source3/include/includes.h:256,
                     from ../../source3/rpc_client/cli_samr.c:24:
    ../../lib/util/data_blob.h:116:20: note: by argument 1 of type ‘const void *’ to ‘data_blob_const’ declared here
      116 | _PUBLIC_ DATA_BLOB data_blob_const(const void *p, size_t length);
          | ^~~~~~~~~~~~~~~
    ../../source3/rpc_client/cli_samr.c:152:17: note: ‘old_nt_hash’ declared here
      152 | uint8_t old_nt_hash[16];
          | ^~~~~~~~~~~
    ../../source3/rpc_client/cli_samr.c: In function ‘dcerpc_samr_chgpasswd_user3’:
    ../../source3/rpc_client/cli_samr.c:365:33: error: ‘old_nt_hash’ may be used uninitialized [-Werror=maybe-uninitialized]
      365 | DATA_BLOB session_key = data_blob_const(old_nt_hash, 16);
          | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    In file included from ../../source3/../lib/util/samba_util.h:48,
                     from ../../source3/include/includes.h:256,
                     from ../../source3/rpc_client/cli_samr.c:24:
    ../../lib/util/data_blob.h:116:20: note: by argument 1 of type ‘const void *’ to ‘data_blob_const’ declared here
      116 | _PUBLIC_ DATA_BLOB data_blob_const(const void *p, size_t length);
          | ^~~~~~~~~~~~~~~
    ../../source3/rpc_client/cli_samr.c:358:17: note: ‘old_nt_hash’ declared here
      358 | uint8_t old_nt_hash[16];
          | ^~~~~~~~~~~
    cc1: all warnings being treated as errors

    [3399/3991] Compiling source3/rpcclient/cmd_spotlight.c
    ../../source3/smbd/smbXsrv_open.c: In function ‘smbXsrv_open_set_replay_cache’:
    ../../source3/smbd/smbXsrv_open.c:936:26: error: ‘data’ may be used uninitialized [-Werror=maybe-uninitialized]
      936 | DATA_BLOB blob = data_blob_const(data, ARRAY_SIZE(data));
          | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    In file included from ../../source3/../lib/util/samba_util.h:48,
                     from ../../source3/include/includes.h:256,
                     from ../../source3/smbd/smbXsrv_open.c:21:
    ../../lib/util/data_blob.h:116:20: note: by argument 1 of type ‘const void *’ to ‘data_blob_const’ declared here
      116 | _PUBLIC_ DATA_BLOB data_blob_const(const void *p, size_t length);
          | ^~~~~~~~~~~~~~~
    ../../source3/smbd/smbXsrv_open.c:935:17: note: ‘data’ declared here
      935 | uint8_t data[SMBXSRV_OPEN_REPLAY_CACHE_FIXED_SIZE];
          | ^~~~
    cc1: all warnings being treated as errors

    ../../source3/rpcclient/cmd_spotlight.c: In function ‘cmd_mdssvc_fetch_properties’:
    ../../source3/rpcclient/cmd_spotlight.c:60:18: error: ‘share_path’ may be used uninitialized [-Werror=maybe-uninitialized]
       60 | status = dcerpc_mdssvc_open(b, mem_ctx,
          | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
       61 | &device_id,
          | ~~~~~~~~~~~
       62 | &unkn1,
          | ~~~~~~~
       63 | &unkn2,
          | ~~~~~~~
       64 | argv[2],
          | ~~~~~~~~
       65 | argv[1],
          | ~~~~~~~~
       66 | share_path,
          | ~~~~~~~~~~~
       67 | &share_handle);
          | ~~~~~~~~~~~~~~
    In file included from ../../source3/rpcclient/cmd_spotlight.c:24:
    source3/../librpc/gen_ndr/ndr_mdssvc_c.h:26:10: note: by argument 8 of type ‘const char *’ to ‘dcerpc_mdssvc_open’ declared here
       26 | NTSTATUS dcerpc_mdssvc_open(struct dcerpc_binding_handle *h,
          | ^~~~~~~~~~~~~~~~~~
    ../../source3/rpcclient/cmd_spotlight.c:40:14: note: ‘share_path’ declared here
       40 | char share_path[1025];
          | ^~~~~~~~~~
    cc1: all warnings being treated as errors

    ../../source4/torture/rpc/samr.c: In function ‘test_ChangePasswordUser2’:
    ../../source4/torture/rpc/samr.c:2266:19: error: ‘old_nt_hash’ may be used uninitialized [-Werror=maybe-uninitialized]
     2266 | = data_blob_const(old_nt_hash, sizeof(old_nt_hash));
          | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    In file included from ../../source4/../lib/util/samba_util.h:48,
                     from ../../source4/include/includes.h:62,
                     from ../../source4/torture/rpc/samr.c:24:
    ../../lib/util/data_blob.h:116:20: note: by argument 1 of type ‘const void *’ to ‘data_blob_const’ declared here
      116 | _PUBLIC_ DATA_BLOB data_blob_const(const void *p, size_t length);
          | ^~~~~~~~~~~~~~~
    ../../source4/torture/rpc/samr.c:2263:17: note: ‘old_nt_hash’ declared here
     2263 | uint8_t old_nt_hash[16], new_nt_hash[16];
          | ^~~~~~~~~~~
    ../../source4/torture/rpc/samr.c: In function ‘test_ChangePasswordUser2_ntstatus’:
    ../../source4/torture/rpc/samr.c:2371:19: error: ‘old_nt_hash’ may be used uninitialized [-Werror=maybe-uninitialized]
     2371 | = data_blob_const(old_nt_hash, sizeof(old_nt_hash));
          | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    In file included from ../../source4/../lib/util/samba_util.h:48,
                     from ../../source4/include/includes.h:62,
                     from ../../source4/torture/rpc/samr.c:24:
    ../../lib/util/data_blob.h:116:20: note: by argument 1 of type ‘const void *’ to ‘data_blob_const’ declared here
      116 | _PUBLIC_ DATA_BLOB data_blob_const(const void *p, size_t length);
          | ^~~~~~~~~~~~~~~
    ../../source4/torture/rpc/samr.c:2368:17: note: ‘old_nt_hash’ declared here
     2368 | uint8_t old_nt_hash[16], new_nt_hash[16];
          | ^~~~~~~~~~~
    ../../source4/torture/rpc/samr.c: In function ‘test_ChangePasswordUser3’:
    ../../source4/torture/rpc/samr.c:2478:38: error: ‘old_nt_hash’ may be used uninitialized [-Werror=maybe-uninitialized]
     2478 | DATA_BLOB old_nt_hash_blob = data_blob_const(old_nt_hash, 16);
          | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    In file included from ../../source4/../lib/util/samba_util.h:48,
                     from ../../source4/include/includes.h:62,
                     from ../../source4/torture/rpc/samr.c:24:
    ../../lib/util/data_blob.h:116:20: note: by argument 1 of type ‘const void *’ to ‘data_blob_const’ declared here
      116 | _PUBLIC_ DATA_BLOB data_blob_const(const void *p, size_t length);
          | ^~~~~~~~~~~~~~~
    ../../source4/torture/rpc/samr.c:2473:17: note: ‘old_nt_hash’ declared here
     2473 | uint8_t old_nt_hash[16], new_nt_hash[16];
          | ^~~~~~~~~~~
    ../../source4/torture/rpc/samr.c: In function ‘test_ChangePasswordRandomBytes’:
    ../../source4/torture/rpc/samr.c:2794:19: error: ‘old_nt_hash’ may be used uninitialized [-Werror=maybe-uninitialized]
     2794 | = data_blob_const(old_nt_hash,
          | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~
     2795 | sizeof(old_nt_hash));
          | ~~~~~~~~~~~~~~~~~~~~
    In file included from ../../source4/../lib/util/samba_util.h:48,
                     from ../../source4/include/includes.h:62,
                     from ../../source4/torture/rpc/samr.c:24:
    ../../lib/util/data_blob.h:116:20: note: by argument 1 of type ‘const void *’ to ‘data_blob_const’ declared here
      116 | _PUBLIC_ DATA_BLOB data_blob_const(const void *p, size_t length);
          | ^~~~~~~~~~~~~~~
    ../../source4/torture/rpc/samr.c:2792:17: note: ‘old_nt_hash’ declared here
     2792 | uint8_t old_nt_hash[16], new_nt_hash[16];
          | ^~~~~~~~~~~
    cc1: all warnings being treated as errors

    Guenther

    Signed-off-by: Guenther Deschner <gd@samba.org>
    Reviewed-by: Andreas Schneider <asn@samba.org>
* librpc: Remove the gensec dependency from library dcerpc-binding | Volker Lendecke | 2021-04-06 | 1 | -1/+9
    This means yet another library, but having to depend on gensec just for dcerpc_parse_binding() and basic packet parsing seems like a bit overkill to me.

    Signed-off-by: Volker Lendecke <vl@samba.org>
    Reviewed-by: Jeremy Allison <jra@samba.org>

    Autobuild-User(master): Jeremy Allison <jra@samba.org>
    Autobuild-Date(master): Tue Apr 6 23:33:14 UTC 2021 on sn-devel-184
* CVE-2020-1472(ZeroLogon): libcli/auth: reject weak client challenges in netlogon_creds_server_init() | Stefan Metzmacher | 2020-09-18 | 2 | -2/+17
    This implements the note from MS-NRPC 3.1.4.1 Session-Key Negotiation:

        7. If none of the first 5 bytes of the client challenge is unique, the server MUST fail session-key negotiation without further processing of the following steps.

    It lets ./zerologon_tester.py from https://github.com/SecuraBV/CVE-2020-1472.git report: "Attack failed. Target is probably patched."

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497

    Signed-off-by: Stefan Metzmacher <metze@samba.org>
    Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
* CVE-2020-1472(ZeroLogon): libcli/auth: add netlogon_creds_is_random_challenge() to avoid weak values | Stefan Metzmacher | 2020-09-18 | 2 | -1/+23
    This is the check Windows is using, so we won't generate challenges, which are rejected by Windows DCs (and future Samba DCs).

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497

    Signed-off-by: Stefan Metzmacher <metze@samba.org>
    Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
* CVE-2020-1472(ZeroLogon): libcli/auth: make use of netlogon_creds_random_challenge() in netlogon_creds_cli.c | Stefan Metzmacher | 2020-09-18 | 1 | -2/+1
    This will avoid getting rejected by the server if we generate a weak challenge.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497

    Signed-off-by: Stefan Metzmacher <metze@samba.org>
    Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
* CVE-2020-1472(ZeroLogon): libcli/auth: add netlogon_creds_random_challenge() | Stefan Metzmacher | 2020-09-18 | 2 | -0/+8
    It's good to have just a single isolated function that will generate random challenges, in future we can add some logic in order to avoid weak values, which are likely to be rejected by a server.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497

    Signed-off-by: Stefan Metzmacher <metze@samba.org>
    Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
* CVE-2020-10704: lib util asn1: Add ASN.1 max tree depth | Gary Lockyer | 2020-05-04 | 1 | -3/+3
    Add maximum parse tree depth to the call to asn1_init, which will be used to limit the depth of the ASN.1 parse tree.

    Credit to OSS-Fuzz

    REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=20454
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14334

    Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* auth: Avoid casts in ntlm_check.c | Volker Lendecke | 2020-01-06 | 1 | -16/+15
    Signed-off-by: Volker Lendecke <vl@samba.org>
    Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>

    Autobuild-User(master): Gary Lockyer <gary@samba.org>
    Autobuild-Date(master): Mon Jan 6 03:12:20 UTC 2020 on sn-devel-184
* auth: Check for talloc failure in smb_sess_key_ntlmv2() | Volker Lendecke | 2020-01-06 | 1 | -0/+4
    Signed-off-by: Volker Lendecke <vl@samba.org>
    Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
* auth: Slightly simplify smb_pwd_check_ntlmv1() | Volker Lendecke | 2020-01-06 | 1 | -11/+13
    Do an early return for the failure case

    Signed-off-by: Volker Lendecke <vl@samba.org>
    Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
* auth: Check for talloc failure in smb_pwd_check_ntlmv1() | Volker Lendecke | 2020-01-06 | 1 | -0/+4
    Signed-off-by: Volker Lendecke <vl@samba.org>
    Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
* auth: Slightly simplify smb_pwd_check_ntlmv2() | Volker Lendecke | 2020-01-06 | 1 | -15/+17
    Do an early return for the failure case

    Signed-off-by: Volker Lendecke <vl@samba.org>
    Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
* auth: Check for talloc failure in smb_pwd_check_ntlmv2() | Volker Lendecke | 2020-01-06 | 1 | -0/+4
    Signed-off-by: Volker Lendecke <vl@samba.org>
    Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
* smbdes: remove old unused DES builtin-crypto | Isaac Boukris | 2019-12-10 | 3 | -271/+0
    Signed-off-by: Isaac Boukris <iboukris@samba.org>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* sess_crypt_blob can only crypt blobs whose size divides by 8 | Isaac Boukris | 2019-12-10 | 1 | -3/+6
    Signed-off-by: Isaac Boukris <iboukris@samba.org>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* session: convert sess_crypt_blob to use gnutls | Isaac Boukris | 2019-12-10 | 3 | -14/+39
    Signed-off-by: Isaac Boukris <iboukris@samba.org>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* smbdes: convert des_crypt112_16 to use gnutls | Isaac Boukris | 2019-12-10 | 5 | -22/+69
    Signed-off-by: Isaac Boukris <iboukris@samba.org>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* smbdes: convert des_crypt112 to use gnutls | Isaac Boukris | 2019-12-10 | 4 | -11/+32
    Signed-off-by: Isaac Boukris <iboukris@samba.org>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* smbdes: convert E_old_pw_hash to use gnutls | Isaac Boukris | 2019-12-10 | 3 | -5/+13
    Signed-off-by: Isaac Boukris <iboukris@samba.org>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* smbdes: convert des_crypt128() to use gnutls | Isaac Boukris | 2019-12-10 | 4 | -6/+18
    Signed-off-by: Isaac Boukris <iboukris@samba.org>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* smbdes: convert E_P24() and SMBOWFencrypt to use gnutls | Isaac Boukris | 2019-12-10 | 5 | -21/+49
    Signed-off-by: Isaac Boukris <iboukris@samba.org>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* smbdes: remove D_P16() (not used) | Isaac Boukris | 2019-12-10 | 2 | -7/+0
    Signed-off-by: Isaac Boukris <iboukris@samba.org>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>