[SCM] Samba Shared Repository - branch master updated
Andreas Schneider
asn at samba.org
Tue Jul 9 13:32:02 UTC 2019
The branch, master has been updated
via ccf3e76625c s3:profile: Allow profile subsystem to use SHA1 in FIPS mode
via 31a943fa089 lib:crypto: Add GNUTLS_FIPS140_SET_(LAX|STRICT)_MODE to helpers
via a31a40b41a1 lib:crypto: Fix path to header file in gnutls_helpers.h
via 6fe2193b17a s3:profile: Use SHA1 for hashing in profiling functions.
from 36f021f74d9 WHATSNEW: Start release notes for Samba 4.12.0pre1.
https://git.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit ccf3e76625c42f5aceea0882971a232a9f56a971
Author: Andreas Schneider <asn at samba.org>
Date: Wed May 15 08:41:12 2019 +0200
s3:profile: Allow profile subsystem to use SHA1 in FIPS mode
This is non-cryptographic use.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14031
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
Autobuild-User(master): Andreas Schneider <asn at cryptomilk.org>
Autobuild-Date(master): Tue Jul 9 13:31:46 UTC 2019 on sn-devel-184
commit 31a943fa0890438cffc67a566373f36c94c0a5a8
Author: Andreas Schneider <asn at samba.org>
Date: Fri Jul 5 10:38:44 2019 +0200
lib:crypto: Add GNUTLS_FIPS140_SET_(LAX|STRICT)_MODE to helpers
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14031
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit a31a40b41a18ae09a4e2e76f41c95b011ed30bea
Author: Andreas Schneider <asn at samba.org>
Date: Fri Jul 5 16:28:27 2019 +0200
lib:crypto: Fix path to header file in gnutls_helpers.h
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14031
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit 6fe2193b17ac2d57c559d3b936b37238d06d6be8
Author: Andreas Schneider <asn at samba.org>
Date: Mon Jul 1 16:54:15 2019 +0200
s3:profile: Use SHA1 for hashing in profiling functions.
This can use SHA NI instructions if the CPU supports it.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14031
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
-----------------------------------------------------------------------
Summary of changes:
lib/crypto/gnutls_helpers.h | 15 +++++++++++++--
source3/modules/hash_inode.c | 10 +---------
source3/profile/profile.c | 18 ++++++++++++------
3 files changed, 26 insertions(+), 17 deletions(-)
Changeset truncated at 500 lines:
diff --git a/lib/crypto/gnutls_helpers.h b/lib/crypto/gnutls_helpers.h
index b8288c25649..8a2a49baf73 100644
--- a/lib/crypto/gnutls_helpers.h
+++ b/lib/crypto/gnutls_helpers.h
@@ -18,8 +18,19 @@
#ifndef _GNUTLS_HELPERS_H
#define _GNUTLS_HELPERS_H
-#include "ntstatus.h"
-#include "werror.h"
+#include <gnutls/gnutls.h>
+
+#include "libcli/util/ntstatus.h"
+#include "libcli/util/werror.h"
+
+/* Those macros are only available in GnuTLS >= 3.6.4 */
+#ifndef GNUTLS_FIPS140_SET_LAX_MODE
+#define GNUTLS_FIPS140_SET_LAX_MODE()
+#endif
+
+#ifndef GNUTLS_FIPS140_SET_STRICT_MODE
+#define GNUTLS_FIPS140_SET_STRICT_MODE()
+#endif
NTSTATUS _gnutls_error_to_ntstatus(int gnutls_rc,
NTSTATUS blocked_status,
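Review bot: The comment above the fallback definitions does not say that on GnuTLS older than 3.6.4 both macros expand to nothing, which matters now that every file including gnutls_helpers.h inherits them. On such a build a caller that brackets a digest with LAX/STRICT gets no relaxation at all, so it must still handle a failing `gnutls_hash_init()`. I would extend the comment to something like `/* Only available in GnuTLS >= 3.6.4; older versions get no-op fallbacks. Use only around non-cryptographic digests and always pair LAX with STRICT. */`. The prototype after the macros continues outside the hunk.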
diff --git a/source3/modules/hash_inode.c b/source3/modules/hash_inode.c
index 231538c72cb..a9144621901 100644
--- a/source3/modules/hash_inode.c
+++ b/source3/modules/hash_inode.c
@@ -22,15 +22,7 @@
#include <gnutls/gnutls.h>
#include <gnutls/crypto.h>
-
-/* Those macros are only available in GnuTLS >= 3.6.4 */
-#ifndef GNUTLS_FIPS140_SET_LAX_MODE
-#define GNUTLS_FIPS140_SET_LAX_MODE()
-#endif
-
-#ifndef GNUTLS_FIPS140_SET_STRICT_MODE
-#define GNUTLS_FIPS140_SET_STRICT_MODE()
-#endif
+#include "lib/crypto/gnutls_helpers.h"
SMB_INO_T hash_inode(const SMB_STRUCT_STAT *sbuf, const char *sname)
{
diff --git a/source3/profile/profile.c b/source3/profile/profile.c
index df0ba5b0af3..7e17d065d75 100644
--- a/source3/profile/profile.c
+++ b/source3/profile/profile.c
@@ -35,6 +35,7 @@
#include <gnutls/gnutls.h>
#include <gnutls/crypto.h>
+#include "lib/crypto/gnutls_helpers.h"
struct profile_stats *profile_p;
struct smbprofile_global_state smbprofile_state;
@@ -124,7 +125,7 @@ static void reqprofile_message(struct messaging_context *msg_ctx,
******************************************************************/
bool profile_setup(struct messaging_context *msg_ctx, bool rdonly)
{
- unsigned char tmp[16] = {};
+ uint8_t digest[gnutls_hash_get_len(GNUTLS_DIG_SHA1)];
gnutls_hash_hd_t hash_hnd = NULL;
char *db_name;
bool ok = false;
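Review bot: `digest` is now a variable-length array sized by a runtime call and is no longer zero-initialised, whereas the old `tmp[16] = {}` was fixed-size and zeroed. A return of 0 from `gnutls_hash_get_len()` would make the declaration undefined behaviour, and the later `BVAL(digest, 8)` in a following hunk needs at least 16 bytes. A fixed buffer makes both assumptions explicit: `uint8_t digest[20] = {0}; /* SHA-1 output length */`, ideally with a check that `gnutls_hash_get_len(GNUTLS_DIG_SHA1) <= sizeof(digest)` before `gnutls_hash_deinit()` writes into it. profile_setup's body continues outside the hunk.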
@@ -154,7 +155,9 @@ bool profile_setup(struct messaging_context *msg_ctx, bool rdonly)
reqprofile_message);
}
- rc = gnutls_hash_init(&hash_hnd, GNUTLS_DIG_MD5);
+ GNUTLS_FIPS140_SET_LAX_MODE();
+
+ rc = gnutls_hash_init(&hash_hnd, GNUTLS_DIG_SHA1);
if (rc < 0) {
goto out;
}
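Review bot: The `GNUTLS_FIPS140_SET_LAX_MODE();` call has no comment explaining why relaxing FIPS enforcement is acceptable here; only the commit message records that the use is non-cryptographic. Someone auditing FIPS exceptions will read the code rather than the log, so the reason belongs at the call site, for example `/* SHA1 only derives profile_p->magic (non-cryptographic); strict mode is restored at "out". */`. As far as the visible hunks show, the digest feeds nothing but `profile_p->magic`, but the hashed inputs lie outside the hunk and should be confirmed. The `goto out` on failure relies on the `out:` label resetting strict mode, which a later hunk adds.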
@@ -210,18 +213,21 @@ bool profile_setup(struct messaging_context *msg_ctx, bool rdonly)
goto out;
}
- gnutls_hash_deinit(hash_hnd, tmp);
+ gnutls_hash_deinit(hash_hnd, digest);
+
+ GNUTLS_FIPS140_SET_STRICT_MODE();
profile_p = &smbprofile_state.stats.global;
- profile_p->magic = BVAL(tmp, 0);
+ profile_p->magic = BVAL(digest, 0);
if (profile_p->magic == 0) {
- profile_p->magic = BVAL(tmp, 8);
+ profile_p->magic = BVAL(digest, 8);
}
- ZERO_ARRAY(tmp);
ok = true;
out:
+ GNUTLS_FIPS140_SET_STRICT_MODE();
+
return ok;
}
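Review bot: `GNUTLS_FIPS140_SET_STRICT_MODE();` now runs twice on the success path, once right after `gnutls_hash_deinit(hash_hnd, digest);` and again under `out:`. The call under `out:` already covers every exit, so the first one can be dropped to leave a single restore point that is easier to audit. Both calls force strict mode rather than restoring whatever mode the thread had on entry; that looks intended, but a short comment at `out:` saying so would help, e.g. `/* Always leave this thread in FIPS strict mode, including on early error exits. */`. The function's earlier `goto out` sites are outside the hunk, so check whether any of them run before the LAX call.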
--
Samba Shared Repository