[SCM] Samba Shared Repository - branch master updated

Andreas Schneider asn at samba.org
Tue Jul 9 13:32:02 UTC 2019


The branch, master has been updated
       via  ccf3e76625c s3:profile: Allow profile subsystem to use SHA1 in FIPS mode
       via  31a943fa089 lib:crypto: Add GNUTLS_FIPS140_SET_(LAX|STRICT)_MODE to helpers
       via  a31a40b41a1 lib:crypto: Fix path to header file in gnutls_helpers.h
       via  6fe2193b17a s3:profile: Use SHA1 for hashing in profiling functions.
      from  36f021f74d9 WHATSNEW: Start release notes for Samba 4.12.0pre1.

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit ccf3e76625c42f5aceea0882971a232a9f56a971
Author: Andreas Schneider <asn at samba.org>
Date:   Wed May 15 08:41:12 2019 +0200

    s3:profile: Allow profile subsystem to use SHA1 in FIPS mode
    
    This is non-cryptographic use.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14031
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>
    
    Autobuild-User(master): Andreas Schneider <asn at cryptomilk.org>
    Autobuild-Date(master): Tue Jul  9 13:31:46 UTC 2019 on sn-devel-184

commit 31a943fa0890438cffc67a566373f36c94c0a5a8
Author: Andreas Schneider <asn at samba.org>
Date:   Fri Jul 5 10:38:44 2019 +0200

    lib:crypto: Add GNUTLS_FIPS140_SET_(LAX|STRICT)_MODE to helpers
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14031
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>

commit a31a40b41a18ae09a4e2e76f41c95b011ed30bea
Author: Andreas Schneider <asn at samba.org>
Date:   Fri Jul 5 16:28:27 2019 +0200

    lib:crypto: Fix path to header file in gnutls_helpers.h
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14031
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>

commit 6fe2193b17ac2d57c559d3b936b37238d06d6be8
Author: Andreas Schneider <asn at samba.org>
Date:   Mon Jul 1 16:54:15 2019 +0200

    s3:profile: Use SHA1 for hashing in profiling functions.
    
    This can use SHA NI instructions if the CPU supports it.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14031
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>

-----------------------------------------------------------------------

Summary of changes:
 lib/crypto/gnutls_helpers.h  | 15 +++++++++++++--
 source3/modules/hash_inode.c | 10 +---------
 source3/profile/profile.c    | 18 ++++++++++++------
 3 files changed, 26 insertions(+), 17 deletions(-)


Changeset truncated at 500 lines:

diff --git a/lib/crypto/gnutls_helpers.h b/lib/crypto/gnutls_helpers.h
index b8288c25649..8a2a49baf73 100644
--- a/lib/crypto/gnutls_helpers.h
+++ b/lib/crypto/gnutls_helpers.h
@@ -18,8 +18,19 @@
 #ifndef _GNUTLS_HELPERS_H
 #define _GNUTLS_HELPERS_H
 
-#include "ntstatus.h"
-#include "werror.h"
+#include <gnutls/gnutls.h>
+
+#include "libcli/util/ntstatus.h"
+#include "libcli/util/werror.h"
+
+/* Those macros are only available in GnuTLS >= 3.6.4 */
+#ifndef GNUTLS_FIPS140_SET_LAX_MODE
+#define GNUTLS_FIPS140_SET_LAX_MODE()
+#endif
+
+#ifndef GNUTLS_FIPS140_SET_STRICT_MODE
+#define GNUTLS_FIPS140_SET_STRICT_MODE()
+#endif
 
 NTSTATUS _gnutls_error_to_ntstatus(int gnutls_rc,
 				   NTSTATUS blocked_status,
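Review bot: The fallback definitions of `GNUTLS_FIPS140_SET_LAX_MODE()` and `GNUTLS_FIPS140_SET_STRICT_MODE()` expand to nothing, and the comment above them does not say so. With a GnuTLS older than 3.6.4, a caller that brackets a digest with these macros gets no relaxation at all, and nothing at the call site reveals that. I would extend the comment to something like `/* Only available in GnuTLS >= 3.6.4; with older versions these are no-ops and the FIPS mode is left untouched. Use only around non-cryptographic digests. */`. The declaration that follows the macros continues outside this hunk.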
diff --git a/source3/modules/hash_inode.c b/source3/modules/hash_inode.c
index 231538c72cb..a9144621901 100644
--- a/source3/modules/hash_inode.c
+++ b/source3/modules/hash_inode.c
@@ -22,15 +22,7 @@
 
 #include <gnutls/gnutls.h>
 #include <gnutls/crypto.h>
-
-/* Those macros are only available in GnuTLS >= 3.6.4 */
-#ifndef GNUTLS_FIPS140_SET_LAX_MODE
-#define GNUTLS_FIPS140_SET_LAX_MODE()
-#endif
-
-#ifndef GNUTLS_FIPS140_SET_STRICT_MODE
-#define GNUTLS_FIPS140_SET_STRICT_MODE()
-#endif
+#include "lib/crypto/gnutls_helpers.h"
 
 SMB_INO_T hash_inode(const SMB_STRUCT_STAT *sbuf, const char *sname)
 {
diff --git a/source3/profile/profile.c b/source3/profile/profile.c
index df0ba5b0af3..7e17d065d75 100644
--- a/source3/profile/profile.c
+++ b/source3/profile/profile.c
@@ -35,6 +35,7 @@
 
 #include <gnutls/gnutls.h>
 #include <gnutls/crypto.h>
+#include "lib/crypto/gnutls_helpers.h"
 
 struct profile_stats *profile_p;
 struct smbprofile_global_state smbprofile_state;
@@ -124,7 +125,7 @@ static void reqprofile_message(struct messaging_context *msg_ctx,
   ******************************************************************/
 bool profile_setup(struct messaging_context *msg_ctx, bool rdonly)
 {
-	unsigned char tmp[16] = {};
+	uint8_t digest[gnutls_hash_get_len(GNUTLS_DIG_SHA1)];
 	gnutls_hash_hd_t hash_hnd = NULL;
 	char *db_name;
 	bool ok = false;
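Review bot: `digest` is now a variable-length array sized by a run-time call, so it can no longer carry an initializer, whereas the removed `tmp[16] = {}` was fixed-size and zeroed. Later in the function the buffer is read with `BVAL(digest, 0)` and `BVAL(digest, 8)`, which (assuming BVAL reads eight bytes) needs at least 16 bytes. The code therefore relies on `gnutls_hash_get_len(GNUTLS_DIG_SHA1)` never returning less, and a return of 0 would make the declaration itself undefined behaviour. A fixed buffer keeps that invariant visible at compile time, for example `uint8_t digest[20] = {0}; /* SHA1 digest length */`, with a check that `gnutls_hash_get_len(GNUTLS_DIG_SHA1) <= sizeof(digest)` before the digest is written. The body of profile_setup() continues outside this hunk.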
@@ -154,7 +155,9 @@ bool profile_setup(struct messaging_context *msg_ctx, bool rdonly)
 				   reqprofile_message);
 	}
 
-	rc = gnutls_hash_init(&hash_hnd, GNUTLS_DIG_MD5);
+	GNUTLS_FIPS140_SET_LAX_MODE();
+
+	rc = gnutls_hash_init(&hash_hnd, GNUTLS_DIG_SHA1);
 	if (rc < 0) {
 		goto out;
 	}
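Review bot: The `GNUTLS_FIPS140_SET_LAX_MODE()` call added before `gnutls_hash_init()` has no comment saying why relaxing FIPS enforcement is acceptable here; the justification ("non-cryptographic use") lives only in the commit message. Anyone auditing FIPS exceptions will read the source rather than the history, so I would add above the call `/* Non-cryptographic: the SHA1 digest only seeds profile_p->magic, so relaxing FIPS mode here is safe. */`. profile_setup() starts and ends outside this hunk.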
@@ -210,18 +213,21 @@ bool profile_setup(struct messaging_context *msg_ctx, bool rdonly)
 		goto out;
 	}
 
-	gnutls_hash_deinit(hash_hnd, tmp);
+	gnutls_hash_deinit(hash_hnd, digest);
+
+	GNUTLS_FIPS140_SET_STRICT_MODE();
 
 	profile_p = &smbprofile_state.stats.global;
 
-	profile_p->magic = BVAL(tmp, 0);
+	profile_p->magic = BVAL(digest, 0);
 	if (profile_p->magic == 0) {
-		profile_p->magic = BVAL(tmp, 8);
+		profile_p->magic = BVAL(digest, 8);
 	}
-	ZERO_ARRAY(tmp);
 
 	ok = true;
 out:
+	GNUTLS_FIPS140_SET_STRICT_MODE();
+
 	return ok;
 }
 
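Review bot: On the success path `GNUTLS_FIPS140_SET_STRICT_MODE()` now runs twice, once right after `gnutls_hash_deinit()` and again under `out:`. Every exit visible here goes through `out:`, so the first call can be dropped to leave a single place where strict mode is restored. Separately, the `goto out` at the top of this hunk bypasses `gnutls_hash_deinit()` and nothing under `out:` releases `hash_hnd`, so the handle looks leaked on that error path. The code before the hunk is not visible, so this needs checking against the full function. If it holds, deinitialising the handle under `out:` and clearing `hash_hnd` after the success-path deinit would close it.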


-- 
Samba Shared Repository


