[SCM] Samba Shared Repository - branch master updated
Andreas Schneider
asn at samba.org
Wed Aug 21 11:15:05 UTC 2019
The branch, master has been updated
via c3f96981755 lib:crypto: Do not build AES-CMAC if we use GnuTLS that supports it
via 70ff03ecb68 libcli/smb: Use gnutls_error_to_ntstatus() in smb2_signing_check_pdu()
via 1490f926006 libcli:smb: Use GnuTLS AES128 CMAC in smb2_signing_check_pdu()
via 9d8ffc81a53 libcli/smb: Use gnutls_error_to_ntstatus() in smb2_signing_sign_pdu()
via ee11e3ffd8d libcli:smb: Use GnuTLS AES128 CMAC in smb2_signing_sign_pdu()
via 69be6b84161 waf: Check for AES128 CMAC support in GnuTLS
via 33bca1fb808 s3:smbd: Use GnuTLS for AES constants
via b51c4293f74 s3:smbd: Use smb2_signing_key structure for the decryption key
via 95e1c85a47e s3:smbd: Use smb2_signing_key structure for the encryption key
via 87832f6140a libcli:smb: Use a smb2_signing_key for storing the decryption key
via 48116a30d51 libcli:smb: Use a smb2_signing_key for storing the encryption key
via 37dc63e8afa libcli:smb: Add gnutls_aead_cipher_hd_t to smb2_signing_key structure
via 1b384f378c9 libcli:smb: Use GnuTLS for AES constants
via 43a941f51b2 libcli:smb: Define SMB2_AES_128_CCM_NONCE_SIZE
via 068da56a20a build: Remove explicit check for HAVE_GNUTLS_AEAD as we require GnuTLS 3.4.7
via 85a1c497392 s4-samdb: Remove duplicate encrypted_secrets code using internal Samba AES
via e9859ad356b lib/crypto: Remove unused RC4 code from Samba
via 2d54559aad9 s4-rpc_server/backupkey: consistently check error codes from GnuTLS
via 52b91cb33c2 s4-rpc_server: Remove Heimdal-based BackupKey server
via 974cebdf953 build: Set minimum GnuTLS version at 3.4.7
via 1f6104f09a3 lib:crypto: Prepare not to build AES or AES-CMAC if we use GnuTLS support it
via fa8eddc39b4 auth/gensec: Use gnutls_error_to_ntstatus() in netsec_do_seal()
via 025f6a135f9 auth:gensec: Use GnuTLS AES CFB8 in netsec_do_seal()
via 3b27fd8a490 auth/gensec: Use gnutls_error_to_ntstatus() consistently in schannel
via 58c781dc93e auth:gensec: Use GnuTLS AES128 CFB8 in netsec_do_seq_num()
via fefd95091cc auth/credentials: Check NTSTATUS return from netlogon_creds_aes_encrypt()
via 1aa249e7f4a s3-librpc: Remove unused init_netr_CryptPassword()
via 1e427f55d71 s4-rpc_server: Check NTSTATUS return value from netlogon_creds_aes_decrypt()
via 2f827bec8ca s3-rpc_server: Check NTSTATUS return value from netlogon_creds_aes_decrypt()
via d515b255aa6 libcli:auth Check NTSTATUS from netlogon_creds_aes_{en,de}crypt()
via 5ae119e7e9d crypto: Update REQUIREMENTS file with new minimum version
via 8ec796f1a1d libcli:auth Return NTSTATUS from netlogon_creds_aes_decrypt()
via a9672858615 libcli:auth: Use GnuTLS AES128 CFB for netlogon_creds_aes_decrypt()
via ded5aad21b5 libcli:auth: Return NTSTATUS for netlogon_creds_aes_encrypt()
via 054efd118d7 libcli:auth: Use GnuTLS AES128 CFB for netlogon_creds_aes_encrypt()
via cd97c478730 libcli:auth: Use netlogon_creds_aes_encrypt() in netlogon_creds_step_crypt()
via 20a42459df4 waf: Check for GNUTLS AES CFB support
via d46e538d524 s4:samdb: Only include necessary header files in encrypted_secrets
via 7bf3c5d7640 s4:samdb: Remove dual-stack mode from (test_)encrypted_secrets
via 92b9cdf99da encrypted_secrets: Add known and expected value test
via feccdebe153 s4:samdb: Add test_gnutls_value_decryption()
from 1b599e5c0d0 s3: net: net_ads: fix a typo in comment
https://git.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit c3f969817553dc9c9db88741bad51100b4d24604
Author: Andreas Schneider <asn at samba.org>
Date: Fri Mar 15 14:54:13 2019 +0100
lib:crypto: Do not build AES-CMAC if we use GnuTLS that supports it
This requires GnuTLS >= 3.6.5.
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Autobuild-User(master): Andreas Schneider <asn at cryptomilk.org>
Autobuild-Date(master): Wed Aug 21 11:14:11 UTC 2019 on sn-devel-184
commit 70ff03ecb6826525727d87ef8807428f91f4e506
Author: Andrew Bartlett <abartlet at samba.org>
Date: Fri Aug 16 15:50:03 2019 +1200
libcli/smb: Use gnutls_error_to_ntstatus() in smb2_signing_check_pdu()
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 1490f9260060104b31beefac9e61addd36b1919a
Author: Andreas Schneider <asn at samba.org>
Date: Fri Mar 15 16:58:21 2019 +0100
libcli:smb: Use GnuTLS AES128 CMAC in smb2_signing_check_pdu()
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 9d8ffc81a53b6b3d7c29f0da8fd71e696ca7e9d8
Author: Andrew Bartlett <abartlet at samba.org>
Date: Fri Aug 16 15:47:49 2019 +1200
libcli/smb: Use gnutls_error_to_ntstatus() in smb2_signing_sign_pdu()
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit ee11e3ffd8d801cb5988bb73dbccd1e2f0cbe7b0
Author: Andreas Schneider <asn at samba.org>
Date: Wed Feb 27 14:40:30 2019 +0100
libcli:smb: Use GnuTLS AES128 CMAC in smb2_signing_sign_pdu()
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Adapted by Andrew Bartlett to followup from earlier patch to
allow compile without GnuTLS over the whole series.
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
commit 69be6b8416198cfa8e2404a0a62ce6432425adef
Author: Andreas Schneider <asn at samba.org>
Date: Wed Feb 27 14:40:07 2019 +0100
waf: Check for AES128 CMAC support in GnuTLS
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 33bca1fb8087f7392a8ff0d295a5bdc01f1012e7
Author: Andreas Schneider <asn at samba.org>
Date: Tue Feb 26 18:11:27 2019 +0100
s3:smbd: Use GnuTLS for AES constants
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Adapted to remove Samba AES
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
commit b51c4293f7430b5ce6a81599fb0c7be5dc444c46
Author: Andreas Schneider <asn at samba.org>
Date: Thu Mar 14 10:10:34 2019 +0100
s3:smbd: Use smb2_signing_key structure for the decryption key
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 95e1c85a47e925fdb9105b85f0e1dbea1ff09950
Author: Andreas Schneider <asn at samba.org>
Date: Thu Mar 14 10:02:27 2019 +0100
s3:smbd: Use smb2_signing_key structure for the encryption key
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 87832f6140aa5afb42983a1291ba6faa250c7ea3
Author: Andreas Schneider <asn at samba.org>
Date: Thu Mar 14 09:48:54 2019 +0100
libcli:smb: Use a smb2_signing_key for storing the decryption key
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 48116a30d51d9bac6201a8b94262aa78b451ad63
Author: Andreas Schneider <asn at samba.org>
Date: Thu Mar 14 09:34:23 2019 +0100
libcli:smb: Use a smb2_signing_key for storing the encryption key
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 37dc63e8afab8e1f88dc8a4b77c6ef3337933eb1
Author: Andreas Schneider <asn at samba.org>
Date: Thu Mar 14 09:26:04 2019 +0100
libcli:smb: Add gnutls_aead_cipher_hd_t to smb2_signing_key structure
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Adapted to remove Samba AES support
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
commit 1b384f378c95f550718ac697271327442e3d09dd
Author: Andreas Schneider <asn at samba.org>
Date: Tue Feb 26 18:12:57 2019 +0100
libcli:smb: Use GnuTLS for AES constants
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Adapted to remove Samba AES support
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
commit 43a941f51b2954ffa1a7ab8a9d5c4a18e654b9f6
Author: Andreas Schneider <asn at samba.org>
Date: Tue Feb 26 18:06:46 2019 +0100
libcli:smb: Define SMB2_AES_128_CCM_NONCE_SIZE
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 068da56a20a2712e498fb3724407836bda2f977b
Author: Andrew Bartlett <abartlet at samba.org>
Date: Thu Aug 15 17:28:30 2019 +1200
build: Remove explicit check for HAVE_GNUTLS_AEAD as we require GnuTLS 3.4.7
We strictly require it and if this were to fail we would want the compile to fail.
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 85a1c4973921fdf9412ec56a3ed6a77f3ab84116
Author: Andrew Bartlett <abartlet at samba.org>
Date: Wed Jul 31 16:37:00 2019 +1200
s4-samdb: Remove duplicate encrypted_secrets code using internal Samba AES
We now rely on GnuTLS 3.4.7 or later.
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit e9859ad356b42f39585dcef1a38def97a50a3744
Author: Andrew Bartlett <abartlet at samba.org>
Date: Thu Aug 15 14:23:35 2019 +1200
lib/crypto: Remove unused RC4 code from Samba
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 2d54559aad9af81cf21d223dad28b48184c59f44
Author: Andrew Bartlett <abartlet at samba.org>
Date: Fri Aug 16 16:08:57 2019 +1200
s4-rpc_server/backupkey: consistently check error codes from GnuTLS
This uses the new gnutls_error_to_werror()
This should resolve Coverity 1452111 as forwarded by Volker.
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 52b91cb33c281aeecc6270824cadac6cefbcb136
Author: Andrew Bartlett <abartlet at samba.org>
Date: Wed Jul 31 16:13:38 2019 +1200
s4-rpc_server: Remove Heimdal-based BackupKey server
We rely on a modern GnuTLS now.
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 974cebdf953259f41ecfc7375bc31d72af53f51e
Author: Andrew Bartlett <abartlet at samba.org>
Date: Thu Aug 15 14:25:41 2019 +1200
build: Set minimum GnuTLS version at 3.4.7
This will soon be required for encrypted_secrets in the AD DC, the BackupKey server
and SMB2 as we remove use of the internal AES code.
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 1f6104f09a30cf3816fd5a580ce1b4be5b94848c
Author: Andreas Schneider <asn at samba.org>
Date: Fri Mar 15 14:54:13 2019 +0100
lib:crypto: Prepare not to build AES or AES-CMAC if we use GnuTLS support it
Samba will soon require GnuTLS >= 3.4.7.
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Adjusted by Andrew Bartlett from an earlier more comprehensive patch by Andreas
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
commit fa8eddc39b4ea9d316201019b603025df5c2fa5e
Author: Andrew Bartlett <abartlet at samba.org>
Date: Fri Aug 16 15:45:43 2019 +1200
auth/gensec: Use gnutls_error_to_ntstatus() in netsec_do_seal()
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 025f6a135f930264ddcf1cd1b9e1004464618194
Author: Andreas Schneider <asn at samba.org>
Date: Mon Mar 18 16:24:54 2019 +0100
auth:gensec: Use GnuTLS AES CFB8 in netsec_do_seal()
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 3b27fd8a490f29cbc94b8ac377b3a2cb6db7598c
Author: Andrew Bartlett <abartlet at samba.org>
Date: Fri Aug 16 15:43:01 2019 +1200
auth/gensec: Use gnutls_error_to_ntstatus() consistently in schannel
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 58c781dc93e24895b2c4b97fa311c66af30e278e
Author: Andreas Schneider <asn at samba.org>
Date: Fri Mar 1 17:55:02 2019 +0100
auth:gensec: Use GnuTLS AES128 CFB8 in netsec_do_seq_num()
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit fefd95091cc52f5e2655fa392312a8b1fa1d35fd
Author: Andrew Bartlett <abartlet at samba.org>
Date: Fri Aug 16 14:29:45 2019 +1200
auth/credentials: Check NTSTATUS return from netlogon_creds_aes_encrypt()
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 1aa249e7f4a1c4222b4cc79bac64c8b95c89d868
Author: Andrew Bartlett <abartlet at samba.org>
Date: Fri Aug 16 14:22:42 2019 +1200
s3-librpc: Remove unused init_netr_CryptPassword()
Unused since 38d4dba37406515181e4d6f1a1faffc18e652e27 in 2013
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 1e427f55d71350b25a8a26e94a5cb7895d8efdf6
Author: Andrew Bartlett <abartlet at samba.org>
Date: Fri Aug 16 14:15:45 2019 +1200
s4-rpc_server: Check NTSTATUS return value from netlogon_creds_aes_decrypt()
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 2f827bec8ca831fb486c8ebedc6b89b7f1cb99e2
Author: Andrew Bartlett <abartlet at samba.org>
Date: Fri Aug 16 14:05:38 2019 +1200
s3-rpc_server: Check NTSTATUS return value from netlogon_creds_aes_decrypt()
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit d515b255aa67186ff375af0b465c49722eb56427
Author: Andrew Bartlett <abartlet at samba.org>
Date: Fri Aug 16 13:55:49 2019 +1200
libcli:auth Check NTSTATUS from netlogon_creds_aes_{en,de}crypt()
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 5ae119e7e9ddcfb3473e14585ba6079147a307bd
Author: Andrew Bartlett <abartlet at samba.org>
Date: Fri Aug 16 13:52:36 2019 +1200
crypto: Update REQUIREMENTS file with new minimum version
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 8ec796f1a1daa444bba06f34a50d2b62ee4a2ef9
Author: Andrew Bartlett <abartlet at samba.org>
Date: Fri Aug 16 12:34:28 2019 +1200
libcli:auth Return NTSTATUS from netlogon_creds_aes_decrypt()
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit a96728586150768957b88a0714b15f13ee9f81af
Author: Andreas Schneider <asn at samba.org>
Date: Mon Mar 18 15:13:08 2019 +0100
libcli:auth: Use GnuTLS AES128 CFB for netlogon_creds_aes_decrypt()
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit ded5aad21b54b8783f7390fb2eca483d3861eeff
Author: Andreas Schneider <asn at samba.org>
Date: Wed May 29 16:38:09 2019 +0200
libcli:auth: Return NTSTATUS for netlogon_creds_aes_encrypt()
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Adapted by Andrew Bartlett to use gnutls_error_to_ntstatus()
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
commit 054efd118d7500e28f118722312aaae0df2749b0
Author: Andreas Schneider <asn at samba.org>
Date: Fri Mar 1 17:41:11 2019 +0100
libcli:auth: Use GnuTLS AES128 CFB for netlogon_creds_aes_encrypt()
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit cd97c47873007bfc502926070a758b520d95abf1
Author: Andreas Schneider <asn at samba.org>
Date: Fri Mar 1 17:33:01 2019 +0100
libcli:auth: Use netlogon_creds_aes_encrypt() in netlogon_creds_step_crypt()
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 20a42459df4fdd57cdf1807a3d97dc5b1c553476
Author: Andreas Schneider <asn at samba.org>
Date: Fri Mar 1 17:35:02 2019 +0100
waf: Check for GNUTLS AES CFB support
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit d46e538d52433f5f30a5696e5b18bc4b82101951
Author: Andreas Schneider <asn at samba.org>
Date: Tue Feb 26 18:33:09 2019 +0100
s4:samdb: Only include necessary header files in encrypted_secrets
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 7bf3c5d7640daaf5dc799eaf698618903ec09127
Author: Andreas Schneider <asn at samba.org>
Date: Tue Feb 26 18:32:34 2019 +0100
s4:samdb: Remove dual-stack mode from (test_)encrypted_secrets
Now we either build with GnuTLS or Samba crypto. If a modern GnuTLS
version is detected that will be used and Samba crypto won't be
available.
This removes the dual-stack mode that encrypted with one and decrypted
with the other in the testsuite.
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Commit message clarified by Andrew Bartlett
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
commit 92b9cdf99da1f8657c166d413c5136c8db938a9e
Author: Andrew Bartlett <abartlet at samba.org>
Date: Thu Aug 15 15:27:30 2019 +1200
encrypted_secrets: Add known and expected value test
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit feccdebe1532030e984e788a6a2c306c0f5c38c5
Author: Andreas Schneider <asn at samba.org>
Date: Mon Jul 29 09:21:11 2019 +0200
s4:samdb: Add test_gnutls_value_decryption()
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
-----------------------------------------------------------------------
Summary of changes:
auth/credentials/credentials.c | 14 +-
auth/gensec/schannel.c | 131 +-
lib/crypto/REQUIREMENTS | 3 +-
lib/crypto/arcfour.c | 93 -
lib/crypto/arcfour.h | 17 -
lib/crypto/wscript_build | 59 +-
libcli/auth/credentials.c | 166 +-
libcli/auth/proto.h | 8 +-
libcli/smb/smb2_constants.h | 3 +
libcli/smb/smb2_signing.c | 76 +
libcli/smb/smb2_signing.h | 3 +
libcli/smb/smbXcli_base.c | 59 +-
source3/librpc/idl/smbXsrv.idl | 2 +
source3/rpc_client/cli_netlogon.c | 1 -
source3/rpc_client/init_netlogon.c | 50 -
source3/rpc_client/init_netlogon.h | 29 -
source3/rpc_server/netlogon/srv_netlog_nt.c | 10 +-
source3/smbd/smb2_server.c | 19 +-
source3/smbd/smb2_sesssetup.c | 55 +-
source3/wscript_build | 5 -
source4/dsdb/samdb/ldb_modules/encrypted_secrets.c | 271 +--
.../ldb_modules/tests/test_encrypted_secrets.c | 429 ++--
source4/rpc_server/backupkey/dcesrv_backupkey.c | 146 +-
.../backupkey/dcesrv_backupkey_heimdal.c | 1861 -----------------
source4/rpc_server/netlogon/dcerpc_netlogon.c | 21 +-
source4/rpc_server/wscript_build | 24 +-
source4/torture/local/local.c | 7 +
source4/torture/rpc/backupkey_heimdal.c | 2160 --------------------
source4/torture/wscript_build | 9 +-
wscript_configure_system_gnutls | 30 +-
30 files changed, 736 insertions(+), 5025 deletions(-)
delete mode 100644 lib/crypto/arcfour.c
delete mode 100644 lib/crypto/arcfour.h
delete mode 100644 source3/rpc_client/init_netlogon.c
delete mode 100644 source3/rpc_client/init_netlogon.h
delete mode 100644 source4/rpc_server/backupkey/dcesrv_backupkey_heimdal.c
delete mode 100644 source4/torture/rpc/backupkey_heimdal.c
Changeset truncated at 500 lines:
diff --git a/auth/credentials/credentials.c b/auth/credentials/credentials.c
index 5ebec483705..81f9dbb9eb3 100644
--- a/auth/credentials/credentials.c
+++ b/auth/credentials/credentials.c
@@ -1333,19 +1333,19 @@ _PUBLIC_ NTSTATUS netlogon_creds_session_encrypt(
return NT_STATUS_INVALID_PARAMETER;
}
if (state->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
- netlogon_creds_aes_encrypt(state,
- data.data,
- data.length);
+ status = netlogon_creds_aes_encrypt(state,
+ data.data,
+ data.length);
} else if (state->negotiate_flags & NETLOGON_NEG_ARCFOUR) {
status = netlogon_creds_arcfour_crypt(state,
data.data,
data.length);
- if (!NT_STATUS_IS_OK(status)) {
- return status;
- }
} else {
DBG_ERR("Unsupported encryption option negotiated");
- return NT_STATUS_NOT_SUPPORTED;
+ status = NT_STATUS_NOT_SUPPORTED;
+ }
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
}
return NT_STATUS_OK;
}
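Review bot: The tail of netlogon_creds_session_encrypt() is now `if (!NT_STATUS_IS_OK(status)) { return status; }` immediately followed by `return NT_STATUS_OK;`, which is equivalent to a plain `return status;` because nothing runs between the check and the final return. Collapsing it would make it obvious that all three branches share one exit. Separately, the DBG_ERR("Unsupported encryption option negotiated") context line has no trailing "\n", unlike the DBG_ERR call added in auth/gensec/schannel.c in this same series.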
diff --git a/auth/gensec/schannel.c b/auth/gensec/schannel.c
index 8ba1eafc76d..18ed92b703b 100644
--- a/auth/gensec/schannel.c
+++ b/auth/gensec/schannel.c
@@ -33,9 +33,12 @@
#include "librpc/gen_ndr/dcerpc.h"
#include "param/param.h"
#include "auth/gensec/gensec_toplevel_proto.h"
-#include "lib/crypto/aes.h"
#include "libds/common/roles.h"
+#ifndef HAVE_GNUTLS_AES_CFB8
+#include "lib/crypto/aes.h"
+#endif
+
#include "lib/crypto/gnutls_helpers.h"
#include <gnutls/gnutls.h>
#include <gnutls/crypto.h>
@@ -147,6 +150,43 @@ static NTSTATUS netsec_do_seq_num(struct schannel_state *state,
uint8_t seq_num[8])
{
if (state->creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
+#ifdef HAVE_GNUTLS_AES_CFB8
+ gnutls_cipher_hd_t cipher_hnd = NULL;
+ gnutls_datum_t key = {
+ .data = state->creds->session_key,
+ .size = sizeof(state->creds->session_key),
+ };
+ uint32_t iv_size =
+ gnutls_cipher_get_iv_size(GNUTLS_CIPHER_AES_128_CFB8);
+ uint8_t _iv[iv_size];
+ gnutls_datum_t iv = {
+ .data = _iv,
+ .size = iv_size,
+ };
+ int rc;
+
+ ZERO_ARRAY(_iv);
+
+ memcpy(iv.data + 0, checksum, 8);
+ memcpy(iv.data + 8, checksum, 8);
+
+ rc = gnutls_cipher_init(&cipher_hnd,
+ GNUTLS_CIPHER_AES_128_CFB8,
+ &key,
+ &iv);
+ if (rc < 0) {
+ return gnutls_error_to_ntstatus(rc,
+ NT_STATUS_CRYPTO_SYSTEM_INVALID);
+ }
+
+ rc = gnutls_cipher_encrypt(cipher_hnd, seq_num, 8);
+ gnutls_cipher_deinit(cipher_hnd);
+ if (rc < 0) {
+ return gnutls_error_to_ntstatus(rc,
+ NT_STATUS_CRYPTO_SYSTEM_INVALID);
+ }
+
+#else /* NOT HAVE_GNUTLS_AES_CFB8 */
AES_KEY key;
uint8_t iv[AES_BLOCK_SIZE];
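Review bot: In the HAVE_GNUTLS_AES_CFB8 branch of netsec_do_seq_num(), `memcpy(iv.data + 0, checksum, 8)` and `memcpy(iv.data + 8, checksum, 8)` write 16 bytes into `_iv[iv_size]`, but nothing checks that gnutls_cipher_get_iv_size() returned at least 16. The buffer is a VLA sized by a library return value, so a smaller value would turn these copies into a stack overwrite. The fallback branch uses a fixed `uint8_t iv[AES_BLOCK_SIZE]`; the GnuTLS branch could use a fixed 16-byte array as well, or return an error when iv_size is not 16 before touching the buffer.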
@@ -156,6 +196,7 @@ static NTSTATUS netsec_do_seq_num(struct schannel_state *state,
memcpy(iv+8, checksum, 8);
aes_cfb8_encrypt(seq_num, seq_num, 8, &key, iv, AES_ENCRYPT);
+#endif /* HAVE_GNUTLS_AES_CFB8 */
} else {
static const uint8_t zeros[4];
uint8_t _sequence_key[16];
@@ -220,6 +261,87 @@ static NTSTATUS netsec_do_seal(struct schannel_state *state,
bool forward)
{
if (state->creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
+#ifdef HAVE_GNUTLS_AES_CFB8
+ gnutls_cipher_hd_t cipher_hnd = NULL;
+ uint8_t sess_kf0[16] = {0};
+ gnutls_datum_t key = {
+ .data = sess_kf0,
+ .size = sizeof(sess_kf0),
+ };
+ uint32_t iv_size =
+ gnutls_cipher_get_iv_size(GNUTLS_CIPHER_AES_128_CFB8);
+ uint8_t _iv[iv_size];
+ gnutls_datum_t iv = {
+ .data = _iv,
+ .size = iv_size,
+ };
+ uint32_t i;
+ int rc;
+
+ for (i = 0; i < key.size; i++) {
+ key.data[i] = state->creds->session_key[i] ^ 0xf0;
+ }
+
+ ZERO_ARRAY(_iv);
+
+ memcpy(iv.data + 0, seq_num, 8);
+ memcpy(iv.data + 8, seq_num, 8);
+
+ rc = gnutls_cipher_init(&cipher_hnd,
+ GNUTLS_CIPHER_AES_128_CFB8,
+ &key,
+ &iv);
+ if (rc < 0) {
+ DBG_ERR("ERROR: gnutls_cipher_init: %s\n",
+ gnutls_strerror(rc));
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ if (forward) {
+ rc = gnutls_cipher_encrypt(cipher_hnd,
+ confounder,
+ 8);
+ if (rc < 0) {
+ gnutls_cipher_deinit(cipher_hnd);
+ return gnutls_error_to_ntstatus(rc, NT_STATUS_CRYPTO_SYSTEM_INVALID);
+ }
+
+ /*
+ * Looks like we have to reuse the initial IV which is
+ * cryptographically wrong!
+ */
+ gnutls_cipher_set_iv(cipher_hnd, iv.data, iv.size);
+ rc = gnutls_cipher_encrypt(cipher_hnd,
+ data,
+ length);
+ if (rc < 0) {
+ gnutls_cipher_deinit(cipher_hnd);
+ return gnutls_error_to_ntstatus(rc, NT_STATUS_CRYPTO_SYSTEM_INVALID);
+ }
+ } else {
+ rc = gnutls_cipher_decrypt(cipher_hnd,
+ confounder,
+ 8);
+ if (rc < 0) {
+ gnutls_cipher_deinit(cipher_hnd);
+ return gnutls_error_to_ntstatus(rc, NT_STATUS_CRYPTO_SYSTEM_INVALID);
+ }
+
+ /*
+ * Looks like we have to reuse the initial IV which is
+ * cryptographically wrong!
+ */
+ gnutls_cipher_set_iv(cipher_hnd, iv.data, iv.size);
+ rc = gnutls_cipher_decrypt(cipher_hnd,
+ data,
+ length);
+ if (rc < 0) {
+ gnutls_cipher_deinit(cipher_hnd);
+ return gnutls_error_to_ntstatus(rc, NT_STATUS_CRYPTO_SYSTEM_INVALID);
+ }
+ }
+ gnutls_cipher_deinit(cipher_hnd);
+#else /* NOT HAVE_GNUTLS_AES_CFB8 */
AES_KEY key;
uint8_t iv[AES_BLOCK_SIZE];
uint8_t sess_kf0[16];
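Review bot: The gnutls_cipher_init() failure path in the new netsec_do_seal() branch returns NT_STATUS_NO_MEMORY after the DBG_ERR, while every other failure in this branch, and the same call in netsec_do_seq_num(), goes through gnutls_error_to_ntstatus(rc, NT_STATUS_CRYPTO_SYSTEM_INVALID); an init failure caused by a bad key or IV would be reported as an allocation failure. A second point: sess_kf0 holds session_key XOR 0xf0 and is left on the stack on all six return paths, so a ZERO_ARRAY(sess_kf0) before each return (or a single cleanup label) would be in line with how digest2 is wiped further down in this function. The same applies to the unchecked 16-byte copy into `_iv[iv_size]`.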
@@ -241,6 +363,7 @@ static NTSTATUS netsec_do_seal(struct schannel_state *state,
aes_cfb8_encrypt(confounder, confounder, 8, &key, iv, AES_DECRYPT);
aes_cfb8_encrypt(data, data, length, &key, iv, AES_DECRYPT);
}
+#endif /* HAVE_GNUTLS_AES_CFB8 */
} else {
gnutls_cipher_hd_t cipher_hnd;
uint8_t _sealing_key[16];
@@ -266,7 +389,7 @@ static NTSTATUS netsec_do_seal(struct schannel_state *state,
digest2);
if (rc < 0) {
ZERO_ARRAY(digest2);
- return NT_STATUS_INTERNAL_ERROR;
+ return gnutls_error_to_ntstatus(rc, NT_STATUS_HMAC_NOT_SUPPORTED);
}
rc = gnutls_hmac_fast(GNUTLS_MAC_MD5,
@@ -278,7 +401,7 @@ static NTSTATUS netsec_do_seal(struct schannel_state *state,
ZERO_ARRAY(digest2);
if (rc < 0) {
- return NT_STATUS_INTERNAL_ERROR;
+ return gnutls_error_to_ntstatus(rc, NT_STATUS_HMAC_NOT_SUPPORTED);
}
rc = gnutls_cipher_init(&cipher_hnd,
@@ -328,7 +451,7 @@ static NTSTATUS netsec_do_sign(struct schannel_state *state,
state->creds->session_key,
sizeof(state->creds->session_key));
if (rc < 0) {
- return NT_STATUS_NO_MEMORY;
+ return gnutls_error_to_ntstatus(rc, NT_STATUS_HMAC_NOT_SUPPORTED);
}
if (confounder) {
diff --git a/lib/crypto/REQUIREMENTS b/lib/crypto/REQUIREMENTS
index ff91a2f9174..5ebf3ba0e05 100644
--- a/lib/crypto/REQUIREMENTS
+++ b/lib/crypto/REQUIREMENTS
@@ -4,8 +4,7 @@ This list is to allow research into using external crypto libraries.
Those possibly supported in the git version of GnuTLS are indicated as '# GNUTLS'
Those possibly supported in the git version of nettle are indicated as '# NETTLE'
-For Samba AD with Heimdal gnutls >= 3.0.0 is required
-For Samba AD with MIT kerberos gnutls >= 3.4.7 is required
+Samba in general gnutls >= 3.4.7 is required
Samba FS with MS Catalog support will require gnutls >= 3.5.6
GnuTLS Milestone for Samba support:
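Review bot: The added line "Samba in general gnutls >= 3.4.7 is required" does not parse as a sentence and drops the "For ..." pattern of the two lines it replaces; something like "For Samba in general gnutls >= 3.4.7 is required" would match the neighbouring "Samba FS with MS Catalog support will require gnutls >= 3.5.6" entry. Since the commit message for c3f96981755 states that using the GnuTLS AES-CMAC requires GnuTLS >= 3.6.5, that optional threshold would be worth listing here too, so the file documents every version boundary the build checks for.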
diff --git a/lib/crypto/arcfour.c b/lib/crypto/arcfour.c
deleted file mode 100644
index af9b20cc01e..00000000000
--- a/lib/crypto/arcfour.c
+++ /dev/null
@@ -1,93 +0,0 @@
-/*
- Unix SMB/CIFS implementation.
-
- An implementation of the arcfour algorithm
-
- Copyright (C) Andrew Tridgell 1998
-
- This program is free software; you can redistribute it and/or modify
- it under the terms of the GNU General Public License as published by
- the Free Software Foundation; either version 3 of the License, or
- (at your option) any later version.
-
- This program is distributed in the hope that it will be useful,
- but WITHOUT ANY WARRANTY; without even the implied warranty of
- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- GNU General Public License for more details.
-
- You should have received a copy of the GNU General Public License
- along with this program. If not, see <http://www.gnu.org/licenses/>.
-*/
-
-#include "replace.h"
-#include "../lib/crypto/arcfour.h"
-
-/* initialise the arcfour sbox with key */
-_PUBLIC_ void arcfour_init(struct arcfour_state *state, const DATA_BLOB *key)
-{
- size_t ind;
- uint8_t j = 0;
- for (ind = 0; ind < sizeof(state->sbox); ind++) {
- state->sbox[ind] = (uint8_t)ind;
- }
-
- for (ind = 0; ind < sizeof(state->sbox); ind++) {
- uint8_t tc;
-
- j += (state->sbox[ind] + key->data[ind%key->length]);
-
- tc = state->sbox[ind];
- state->sbox[ind] = state->sbox[j];
- state->sbox[j] = tc;
- }
- state->index_i = 0;
- state->index_j = 0;
-}
-
-/* crypt the data with arcfour */
-_PUBLIC_ void arcfour_crypt_sbox(struct arcfour_state *state, uint8_t *data,
- int len)
-{
- int ind;
-
- for (ind = 0; ind < len; ind++) {
- uint8_t tc;
- uint8_t t;
-
- state->index_i++;
- state->index_j += state->sbox[state->index_i];
-
- tc = state->sbox[state->index_i];
- state->sbox[state->index_i] = state->sbox[state->index_j];
- state->sbox[state->index_j] = tc;
-
- t = state->sbox[state->index_i] + state->sbox[state->index_j];
- data[ind] = data[ind] ^ state->sbox[t];
- }
-}
-
-/*
- arcfour encryption with a blob key
-*/
-_PUBLIC_ void arcfour_crypt_blob(uint8_t *data, int len, const DATA_BLOB *key)
-{
- struct arcfour_state state;
- arcfour_init(&state, key);
- arcfour_crypt_sbox(&state, data, len);
-}
-
-/*
- a variant that assumes a 16 byte key. This should be removed
- when the last user is gone
-*/
-_PUBLIC_ void arcfour_crypt(uint8_t *data, const uint8_t keystr[16], int len)
-{
- uint8_t keycopy[16];
- DATA_BLOB key = { .data = keycopy, .length = sizeof(keycopy) };
-
- memcpy(keycopy, keystr, sizeof(keycopy));
-
- arcfour_crypt_blob(data, len, &key);
-}
-
-
diff --git a/lib/crypto/arcfour.h b/lib/crypto/arcfour.h
deleted file mode 100644
index a9f80c474d5..00000000000
--- a/lib/crypto/arcfour.h
+++ /dev/null
@@ -1,17 +0,0 @@
-#ifndef ARCFOUR_HEADER_H
-#define ARCFOUR_HEADER_H
-
-#include "../lib/util/data_blob.h"
-
-struct arcfour_state {
- uint8_t sbox[256];
- uint8_t index_i;
- uint8_t index_j;
-};
-
-void arcfour_init(struct arcfour_state *state, const DATA_BLOB *key);
-void arcfour_crypt_sbox(struct arcfour_state *state, uint8_t *data, int len);
-void arcfour_crypt_blob(uint8_t *data, int len, const DATA_BLOB *key);
-void arcfour_crypt(uint8_t *data, const uint8_t keystr[16], int len);
-
-#endif /* ARCFOUR_HEADER_H */
diff --git a/lib/crypto/wscript_build b/lib/crypto/wscript_build
index a26c10b627b..4f1665a7fd9 100644
--- a/lib/crypto/wscript_build
+++ b/lib/crypto/wscript_build
@@ -12,35 +12,60 @@ bld.SAMBA_SUBSYSTEM('GNUTLS_HELPERS',
''',
deps='gnutls samba-errors');
-# We have a GnuTLS DCEPRC backupkey implementation for the server and the test.
-# However this is only working with GnuTLS >= 3.4.7. So we need to keep this
-# around till we can require at least GnuTLS in a newer version.
-bld.SAMBA_SUBSYSTEM('LIBCRYPTO_RC4',
- source='arcfour.c',
+bld.SAMBA_SUBSYSTEM('LIBCRYPTO_AES_CCM',
+ source='aes_ccm_128.c',
+ deps='talloc')
+
+bld.SAMBA_SUBSYSTEM('LIBCRYPTO_AES_GCM',
+ source='aes_gcm_128.c',
+ deps='talloc')
+
+bld.SAMBA_SUBSYSTEM('LIBCRYPTO_AES',
+ source='aes.c rijndael-alg-fst.c',
+ deps='talloc')
+
+bld.SAMBA_SUBSYSTEM('LIBCRYPTO_AES_CMAC',
+ source='aes_cmac_128.c',
deps='talloc',
- enabled=not bld.CONFIG_SET('HAVE_GNUTLS_3_4_7'))
+ enabled=not bld.CONFIG_SET('HAVE_GNUTLS_AES_CMAC'))
bld.SAMBA_SUBSYSTEM('LIBCRYPTO',
source='''
md4.c
- aes.c
- rijndael-alg-fst.c
- aes_cmac_128.c
- aes_ccm_128.c
- aes_gcm_128.c
''',
deps='''
talloc
- LIBCRYPTO_RC4
+ LIBCRYPTO_AES
+ LIBCRYPTO_AES_CCM
+ LIBCRYPTO_AES_GCM
+ LIBCRYPTO_AES_CMAC
''' + extra_deps)
+bld.SAMBA_SUBSYSTEM('TORTURE_LIBCRYPTO_AES_CCM',
+ source='aes_ccm_128_test.c',
+ autoproto='aes_ccm_test_proto.h',
+ deps='talloc')
+
+bld.SAMBA_SUBSYSTEM('TORTURE_LIBCRYPTO_AES_GCM',
+ source='aes_gcm_128_test.c',
+ autoproto='aes_gcm_test_proto.h',
+ deps='talloc')
+
+bld.SAMBA_SUBSYSTEM('TORTURE_LIBCRYPTO_AES_CMAC',
+ source='aes_cmac_128_test.c',
+ autoproto='aes_cmac_test_proto.h',
+ deps='talloc',
+ enabled=not bld.CONFIG_SET('HAVE_GNUTLS_AES_CMAC'))
+
bld.SAMBA_SUBSYSTEM('TORTURE_LIBCRYPTO',
- source='''md4test.c
- aes_cmac_128_test.c aes_ccm_128_test.c aes_gcm_128_test.c
- ''',
+ source='md4test.c',
autoproto='test_proto.h',
- deps='LIBCRYPTO'
- )
+ deps='''
+ LIBCRYPTO
+ TORTURE_LIBCRYPTO_AES_CCM
+ TORTURE_LIBCRYPTO_AES_GCM
+ TORTURE_LIBCRYPTO_AES_CMAC
+ ''')
bld.SAMBA_PYTHON('python_crypto',
source='py_crypto.c',
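Review bot: LIBCRYPTO lists LIBCRYPTO_AES_CMAC in its deps unconditionally, and TORTURE_LIBCRYPTO does the same with TORTURE_LIBCRYPTO_AES_CMAC, while both subsystems are declared with `enabled=not bld.CONFIG_SET('HAVE_GNUTLS_AES_CMAC')`. Please confirm that a dependency on a disabled subsystem is dropped cleanly by the build, or build the deps strings conditionally. The comment that explained why the RC4 subsystem was conditional has been removed with it and nothing replaces it; a one-line comment above the two CMAC subsystems saying when they are skipped, and why AES, AES_CCM and AES_GCM are split out but still always built, would save the next reader from having to reconstruct that from the commit log.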
diff --git a/libcli/auth/credentials.c b/libcli/auth/credentials.c
index 319dacdac0b..baa436df71b 100644
--- a/libcli/auth/credentials.c
+++ b/libcli/auth/credentials.c
@@ -22,10 +22,13 @@
#include "includes.h"
#include "system/time.h"
-#include "../lib/crypto/crypto.h"
#include "libcli/auth/libcli_auth.h"
#include "../libcli/security/dom_sid.h"
+#ifndef HAVE_GNUTLS_AES_CFB8
+#include "lib/crypto/aes.h"
+#endif
+
#include "lib/crypto/gnutls_helpers.h"
#include <gnutls/gnutls.h>
#include <gnutls/crypto.h>
@@ -35,12 +38,9 @@ static void netlogon_creds_step_crypt(struct netlogon_creds_CredentialState *cre
struct netr_Credential *out)
{
if (creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
- AES_KEY key;
- uint8_t iv[AES_BLOCK_SIZE] = {0};
-
- AES_set_encrypt_key(creds->session_key, 128, &key);
+ memcpy(out->data, in->data, sizeof(out->data));
- aes_cfb8_encrypt(in->data, out->data, 8, &key, iv, AES_ENCRYPT);
+ netlogon_creds_aes_encrypt(creds, out->data, sizeof(out->data));
} else {
des_crypt112(out->data, in->data, creds->session_key, 1);
}
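Review bot: In netlogon_creds_step_crypt() the new call `netlogon_creds_aes_encrypt(creds, out->data, sizeof(out->data));` discards the return value, although the next hunk changes that function to return NTSTATUS. Because of the preceding `memcpy(out->data, in->data, sizeof(out->data));`, a failed encryption leaves out->data holding the unencrypted input and the caller has no way to notice, since netlogon_creds_step_crypt() is still `static void`. Consider making it return NTSTATUS and propagating the error, in the same way the other callers in this series were changed to check the result.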
@@ -296,27 +296,101 @@ NTSTATUS netlogon_creds_arcfour_crypt(struct netlogon_creds_CredentialState *cre
/*
AES encrypt a password buffer using the session key
*/
-void netlogon_creds_aes_encrypt(struct netlogon_creds_CredentialState *creds, uint8_t *data, size_t len)
+NTSTATUS netlogon_creds_aes_encrypt(struct netlogon_creds_CredentialState *creds,
+ uint8_t *data,
+ size_t len)
{
+#ifdef HAVE_GNUTLS_AES_CFB8
+ gnutls_cipher_hd_t cipher_hnd = NULL;
+ gnutls_datum_t key = {
+ .data = creds->session_key,
+ .size = sizeof(creds->session_key),
+ };
+ uint32_t iv_size =
+ gnutls_cipher_get_iv_size(GNUTLS_CIPHER_AES_128_CFB8);
+ uint8_t _iv[iv_size];
+ gnutls_datum_t iv = {
+ .data = _iv,
+ .size = iv_size,
+ };
+ int rc;
+
--
Samba Shared Repository