[SCM] Samba Shared Repository - branch master updated
Andrew Bartlett
abartlet at samba.org
Wed May 1 01:11:11 UTC 2019
The branch, master has been updated
via 2ee72cc6154 traffic: load dns query from file and write stats to file
via 35e52ebdd64 traffic: define kerberos_state to simplify code
via e98340e3e21 traffic: make code more pythonic
via e387cf92884 traffic_replay: Avoid Exception if no packet rate is specified
via 641d74cb267 traffic_replay: Assign users to groups by default
via 826e37218df lib:crypto: Remove unused SHA256 and HMAC SHA256
via 83d228b66a8 auth:gensec: Add return code for netsec_do_sign()
via c04571d47cc auth:gensec: Use GnuTLS SHA256 HMAC for schannel
via 015e4d2dc27 libcli:smb: Use smb2_signing_key for smb2_signing_check_pdu()
via dcf37228e1d libcli:smb: Use smb2_signing_key for smb2_signing_sign_pdu()
via 3f252816ad8 libcli:smb: Add smb2_signing_key_destructor()
via 9e16adff08c s3:smbd: Start to use the smb2_signing_key structure
via f7929c6630d s3:librpc: Add smb2_signing_key to smbXsrv.idl
via d02f7907241 s3:librpc: Rename the data blobs for keys in smbXsrv.idl
via 17e22e020fc libcli:smb: Use 'struct smb2_signing_key' in smbXcli_base.c
via 11e3552c9f0 libcli:smb: Introduce a structure for the smb2_singing_key
via 604c0b2620a libcli:smb: Use GnuTLS SHA256 HMAC in smb2_signing_check_pdu()
via eca425ef5b6 libcli:smb: Use GnuTLS SHA256 HMAC in smb2_signing_sign_pdu()
via cda938cd9c4 libcli:smb: Use GnuTLS SHA256 HMAC in smb2_key_derivation()
via 5d87610976d libcli:auth: Add return code for netlogon_creds_init_hmac_sha256()
via 8bed91c999f libcli:auth: Use GnuTLS SHA256 HMAC for credentials
via 75d45f6d2b7 s4:libcli:smb2: Use GnuTLS SHA256 HMAC for signing
via 6fb7837385e s4:utils: Use gnutls SHA256 in oLschema2ldif
via 9bbb9f7bdf0 s3:modules: Use GnuTLS SHA256 in vfs_acl_common
via 712e464fb71 waf: Remove unused GNUTLS defines
via 155f697e870 waf: Move check for gnutls_aead_cipher_init to main gnutls wscript
via e35a8598c6b waf: Add check for gnutls_x509_crt_set_subject_unique_id()
via 324a2eec867 waf: Move gnutls_pkcs7_get_embedded_data_oid to main gnutls file
via 1fa3c9a3cca waf: Remove configure steps from source4/lib/tls
via b63bf2956e2 s4:rpc_server: Remove obsolete gcrypt init
via daa128f81b7 s3:tls: Remove #ifdef for GnuTLS
via 382d5908a45 waf: Add mandatory requirement for GnuTLS >= 3.2.0
via 8ad4c157580 lib:util: Sync memory.h with replace.h
via 9d1d44dcb72 replace: Add ZERO_ARRAY_LEN() macro
via 4f2af93a7fc .gitlab-ci.yml: Allow overriding the default image using a variable
from 4dd8db321f1 gitlab-ci: Update for building new containers
https://git.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit 2ee72cc6154370ed78bb1113ee0c9896d106d2f8
Author: Joe Guo <joeg at catalyst.net.nz>
Date: Tue Mar 26 17:48:39 2019 +1300
traffic: load dns query from file and write stats to file
Signed-off-by: Joe Guo <joeg at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
Autobuild-Date(master): Wed May 1 01:10:42 UTC 2019 on sn-devel-184
commit 35e52ebdd6498b2edcf57484a55439cb66319e45
Author: Joe Guo <joeg at catalyst.net.nz>
Date: Tue Mar 26 19:50:35 2019 +1300
traffic: define kerberos_state to simplify code
Signed-off-by: Joe Guo <joeg at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit e98340e3e2132c73ed002166e2e01dc761765b25
Author: Joe Guo <joeg at catalyst.net.nz>
Date: Mon Mar 25 12:59:44 2019 +1300
traffic: make code more pythonic
Signed-off-by: Joe Guo <joeg at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit e387cf92884c55b7945fbd7898312896fbf9cfd9
Author: Tim Beale <timbeale at catalyst.net.nz>
Date: Wed Apr 10 13:12:30 2019 +1200
traffic_replay: Avoid Exception if no packet rate is specified
traffic_replay would throw an exception if you didn't specify some sort
of packet rate. We can avoid this by using --scale-traffic=1.0 as the
default if nothing else was specified.
script/traffic_replay model.txt $SERVER.$REALM --duration=10
--fixed-password=blahblah12# -U$USERNAME%$PASSWORD
INFO 2019-04-10 01:03:01,809 pid:47755 script/traffic_replay #280: Using
the specified model file to generate conversations
Traceback (most recent call last):
File "script/traffic_replay", line 438, in <module>
main()
File "script/traffic_replay", line 293, in main
opts.conversation_persistence)
File "bin/python/samba/emulate/traffic.py", line 1295, in
generate_conversation_sequences
target_packets = int(packet_rate * duration)
TypeError: unsupported operand type(s) for *: 'NoneType' and 'float'
Signed-off-by: Tim Beale <timbeale at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 641d74cb267e87a22df8f9a3d285e3ab4343ce50
Author: Tim Beale <timbeale at catalyst.net.nz>
Date: Wed Apr 10 12:55:26 2019 +1200
traffic_replay: Assign users to groups by default
The traffic_replay script has a myriad of options, but by default when
it creates user accounts it does not assign these users to any groups
(you have to specify extra options to do that). This isn't really a fair
test of samba performance, because it's unlikely that real world setups
will have users that are in no groups (other than the default ones).
This patch changes the default behaviour so that it will assign the new
users to groups automatically, if no other group options were
specified.
Signed-off-by: Tim Beale <timbeale at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 826e37218df691f42c79b4cce693853b5af9ddc9
Author: Andreas Schneider <asn at samba.org>
Date: Thu Oct 11 18:36:00 2018 +0200
lib:crypto: Remove unused SHA256 and HMAC SHA256
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 83d228b66a857afb2f70abf8d3495b2cc75a5783
Author: Andreas Schneider <asn at samba.org>
Date: Tue Dec 4 09:22:03 2018 +0100
auth:gensec: Add return code for netsec_do_sign()
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit c04571d47cc4ab94bba74c397afb05c7b25ba5e5
Author: Andreas Schneider <asn at samba.org>
Date: Thu Oct 11 14:51:18 2018 +0200
auth:gensec: Use GnuTLS SHA256 HMAC for schannel
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 015e4d2dc2776d7d56edd51a1b9cad510f24e537
Author: Andreas Schneider <asn at samba.org>
Date: Thu Mar 14 17:42:34 2019 +0100
libcli:smb: Use smb2_signing_key for smb2_signing_check_pdu()
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit dcf37228e1d920f753d4cf72204ce7ca6b1fa6e1
Author: Andreas Schneider <asn at samba.org>
Date: Wed Mar 13 19:34:23 2019 +0100
libcli:smb: Use smb2_signing_key for smb2_signing_sign_pdu()
This caches the gnutls hmac handle in the struct so we only allocate it
once.
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 3f252816ad80ca356d80dbc90ecfdaa4ed9b5942
Author: Andreas Schneider <asn at samba.org>
Date: Wed Mar 13 18:56:05 2019 +0100
libcli:smb: Add smb2_signing_key_destructor()
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 9e16adff08c5bd14e5e2e8f528fc44ad22f3cfd2
Author: Andreas Schneider <asn at samba.org>
Date: Wed Mar 13 18:07:17 2019 +0100
s3:smbd: Start to use the smb2_signing_key structure
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit f7929c6630d515a402fff3bc7286526f610b8529
Author: Andreas Schneider <asn at samba.org>
Date: Wed Mar 13 16:45:47 2019 +0100
s3:librpc: Add smb2_signing_key to smbXsrv.idl
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit d02f790724109f04b5ecd711e060e0b468d3042f
Author: Andreas Schneider <asn at samba.org>
Date: Wed Mar 13 16:44:53 2019 +0100
s3:librpc: Rename the data blobs for keys in smbXsrv.idl
The original names will be used with a new structure to cache mac and
cipher handles for gnutls later.
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 17e22e020fcb84fb9ddda350915369dc9ea28ef1
Author: Andreas Schneider <asn at samba.org>
Date: Mon Mar 4 16:59:51 2019 +0100
libcli:smb: Use 'struct smb2_signing_key' in smbXcli_base.c
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 11e3552c9f0ee3c64408c083794c310d3d2c5640
Author: Andreas Schneider <asn at samba.org>
Date: Mon Mar 4 16:53:39 2019 +0100
libcli:smb: Introduce a structure for the smb2_singing_key
This also adds a new function to validate the structure.
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 604c0b2620a46f39d1d1d5cda2498d82c6bf8621
Author: Andreas Schneider <asn at samba.org>
Date: Thu Mar 14 17:22:57 2019 +0100
libcli:smb: Use GnuTLS SHA256 HMAC in smb2_signing_check_pdu()
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit eca425ef5b6a05f1facf6fb94b73fa1aea6d7007
Author: Andreas Schneider <asn at samba.org>
Date: Thu Mar 14 17:22:22 2019 +0100
libcli:smb: Use GnuTLS SHA256 HMAC in smb2_signing_sign_pdu()
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit cda938cd9c4293e48967b4d52608f595f4868342
Author: Andreas Schneider <asn at samba.org>
Date: Wed Oct 10 15:47:37 2018 +0200
libcli:smb: Use GnuTLS SHA256 HMAC in smb2_key_derivation()
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 5d87610976d53d7e89950c953dc08c08f491a6b0
Author: Andreas Schneider <asn at samba.org>
Date: Tue Dec 4 09:13:31 2018 +0100
libcli:auth: Add return code for netlogon_creds_init_hmac_sha256()
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 8bed91c999f86c010a68dc9415d0f0688cff5555
Author: Andreas Schneider <asn at samba.org>
Date: Wed Oct 10 15:37:18 2018 +0200
libcli:auth: Use GnuTLS SHA256 HMAC for credentials
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 75d45f6d2b7aa31b1a9f20f7ac8372544df37637
Author: Andreas Schneider <asn at samba.org>
Date: Thu Oct 11 18:23:12 2018 +0200
s4:libcli:smb2: Use GnuTLS SHA256 HMAC for signing
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 6fb7837385ea8bcf9c96f674ac8f30d7a0ccff98
Author: Andreas Schneider <asn at samba.org>
Date: Thu Oct 11 18:29:11 2018 +0200
s4:utils: Use gnutls SHA256 in oLschema2ldif
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 9bbb9f7bdf05e92498e01fb1ffacc770432d6709
Author: Andreas Schneider <asn at samba.org>
Date: Thu Oct 11 14:43:24 2018 +0200
s3:modules: Use GnuTLS SHA256 in vfs_acl_common
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 712e464fb71e90dbee0560a0c15210b1606fcab6
Author: Andreas Schneider <asn at samba.org>
Date: Wed Oct 10 14:50:34 2018 +0200
waf: Remove unused GNUTLS defines
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 155f697e870469958db9c2cb4cd76dab26f99183
Author: Andreas Schneider <asn at samba.org>
Date: Wed Oct 10 14:44:44 2018 +0200
waf: Move check for gnutls_aead_cipher_init to main gnutls wscript
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit e35a8598c6b123cb64bff6946b80acdf48ad2eec
Author: Andreas Schneider <asn at samba.org>
Date: Mon Apr 29 11:05:07 2019 +0200
waf: Add check for gnutls_x509_crt_set_subject_unique_id()
This is used by the GnuTLS backupkey implementation.
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 324a2eec8675b18c6f0e85a1f7f7dbccb4524189
Author: Andreas Schneider <asn at samba.org>
Date: Wed Oct 10 14:38:24 2018 +0200
waf: Move gnutls_pkcs7_get_embedded_data_oid to main gnutls file
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 1fa3c9a3cca704d9b647daa002e896f58f42d6e4
Author: Andreas Schneider <asn at samba.org>
Date: Wed Oct 10 14:34:24 2018 +0200
waf: Remove configure steps from source4/lib/tls
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit b63bf2956e244c8a1ab38e99beddebbeae44c186
Author: Andreas Schneider <asn at samba.org>
Date: Wed Oct 10 14:49:47 2018 +0200
s4:rpc_server: Remove obsolete gcrypt init
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit daa128f81b71feed15d3d0b490efa9b531e59670
Author: Andreas Schneider <asn at samba.org>
Date: Wed Oct 10 14:24:51 2018 +0200
s3:tls: Remove #ifdef for GnuTLS
This is a requirement now.
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 382d5908a45f7a4a0bb6df98b3b8fa884ed9729a
Author: Andreas Schneider <asn at samba.org>
Date: Wed Oct 10 14:20:11 2018 +0200
waf: Add mandatory requirement for GnuTLS >= 3.2.0
We plan to move to GnuTLS for crypto in Samba, this is the first step to
make it mandatory and to require a version which is in LTS
distributions.
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 8ad4c1575805cc5d00e6873e55144ee6f8bc4b33
Author: Andreas Schneider <asn at samba.org>
Date: Mon Dec 3 15:37:03 2018 +0100
lib:util: Sync memory.h with replace.h
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 9d1d44dcb72f24aa078dd050da0c7c1aecd3513e
Author: Andreas Schneider <asn at samba.org>
Date: Mon Dec 3 15:32:55 2018 +0100
replace: Add ZERO_ARRAY_LEN() macro
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 4f2af93a7fc736f2ef3dfe0dbc8bf8c3a2eb4161
Author: Samuel Cabrero <scabrero at suse.de>
Date: Thu Apr 25 13:12:42 2019 +0200
.gitlab-ci.yml: Allow overriding the default image using a variable
This way one can run all tests in a different container without having
to modify the gitlab ci file, just setting the SAMBA_CI_CONTAINER_IMAGE
variable in the gitlab's GUI.
Signed-off-by: Samuel Cabrero <scabrero at suse.de>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
-----------------------------------------------------------------------
Summary of changes:
.gitlab-ci.yml | 7 +-
auth/gensec/schannel.c | 84 +++++--
lib/crypto/crypto.h | 2 -
lib/crypto/hmacsha256.c | 92 --------
lib/crypto/hmacsha256.h | 38 ----
lib/crypto/sha256.c | 253 ---------------------
lib/crypto/sha256.h | 94 --------
lib/crypto/wscript_build | 2 +-
lib/crypto/wscript_configure | 2 -
lib/mscat/wscript | 6 -
lib/replace/replace.h | 5 +
lib/util/memory.h | 5 +
libcli/auth/credentials.c | 77 +++++--
libcli/auth/wscript_build | 2 +-
libcli/smb/smb2_signing.c | 163 ++++++++++---
libcli/smb/smb2_signing.h | 16 +-
libcli/smb/smbXcli_base.c | 125 ++++++----
libcli/smb/wscript | 2 +-
python/samba/emulate/traffic.py | 129 +++++++----
script/traffic_replay | 18 +-
source3/librpc/idl/smbXsrv.idl | 10 +-
source3/modules/vfs_acl_common.c | 18 +-
source3/smbd/reply.c | 6 +-
source3/smbd/sesssetup.c | 44 +++-
source3/smbd/smb2_server.c | 48 ++--
source3/smbd/smb2_sesssetup.c | 92 +++++---
source4/dsdb/samdb/ldb_modules/wscript | 10 -
source4/lib/tls/tls.c | 38 ----
source4/lib/tls/tls_tstream.c | 186 +--------------
source4/lib/tls/tlscert.c | 20 --
source4/lib/tls/wscript | 87 -------
source4/lib/tls/wscript_build | 17 ++
source4/libcli/smb2/signing.c | 49 ++--
.../backupkey/dcesrv_backupkey_heimdal.c | 8 +-
source4/rpc_server/wscript_build | 4 +-
source4/torture/wscript_build | 2 +-
source4/utils/oLschema2ldif/lib.c | 18 +-
wscript | 4 +-
wscript_configure_system_gnutls | 35 +++
39 files changed, 705 insertions(+), 1113 deletions(-)
delete mode 100644 lib/crypto/hmacsha256.c
delete mode 100644 lib/crypto/hmacsha256.h
delete mode 100644 lib/crypto/sha256.c
delete mode 100644 lib/crypto/sha256.h
delete mode 100644 source4/lib/tls/wscript
create mode 100644 source4/lib/tls/wscript_build
create mode 100644 wscript_configure_system_gnutls
Changeset truncated at 500 lines:
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 86fd2fb2778..5401a9e27b9 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -20,6 +20,9 @@ variables:
# which is generated by bootstrap/template.py --render
#
SAMBA_CI_CONTAINER_TAG: 4cc4709edd40e4e7c64f9eb255f953eed7924b1f
+ # We use the ubuntu1804 image as default as
+ # it matches what we have on sn-devel-184.
+ SAMBA_CI_CONTAINER_IMAGE: ubuntu1804
#
# The following images are available
# Please see the samba-o3 sections at the end of this file!
@@ -39,9 +42,7 @@ include:
.shared_template:
variables:
AUTOBUILD_JOB_NAME: $CI_JOB_NAME
- # We use the ubuntu1804 image as default as
- # it matches what we have on sn-devel-184.
- image: $SAMBA_CI_CONTAINER_IMAGE_ubuntu1804
+ image: ${SAMBA_CI_CONTAINER_REGISTRY}/samba-ci-${SAMBA_CI_CONTAINER_IMAGE}:${SAMBA_CI_CONTAINER_TAG}
stage: build
tags:
- docker
diff --git a/auth/gensec/schannel.c b/auth/gensec/schannel.c
index 441801bac47..7fb18566dd7 100644
--- a/auth/gensec/schannel.c
+++ b/auth/gensec/schannel.c
@@ -36,6 +36,9 @@
#include "lib/crypto/crypto.h"
#include "libds/common/roles.h"
+#include <gnutls/gnutls.h>
+#include <gnutls/crypto.h>
+
#undef DBGC_CLASS
#define DBGC_CLASS DBGC_AUTH
@@ -216,18 +219,23 @@ static void netsec_do_seal(struct schannel_state *state,
Create a digest over the entire packet (including the data), and
MD5 it with the session key.
********************************************************************/
-static void netsec_do_sign(struct schannel_state *state,
- const uint8_t *confounder,
- const uint8_t *data, size_t length,
- uint8_t header[8],
- uint8_t *checksum)
+static NTSTATUS netsec_do_sign(struct schannel_state *state,
+ const uint8_t *confounder,
+ const uint8_t *data, size_t length,
+ uint8_t header[8],
+ uint8_t *checksum)
{
if (state->creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
- struct HMACSHA256Context ctx;
-
- hmac_sha256_init(state->creds->session_key,
- sizeof(state->creds->session_key),
- &ctx);
+ gnutls_hmac_hd_t hmac_hnd = NULL;
+ int rc;
+
+ rc = gnutls_hmac_init(&hmac_hnd,
+ GNUTLS_MAC_SHA256,
+ state->creds->session_key,
+ sizeof(state->creds->session_key));
+ if (rc < 0) {
+ return NT_STATUS_NO_MEMORY;
+ }
if (confounder) {
SSVAL(header, 0, NL_SIGN_HMAC_SHA256);
@@ -235,20 +243,36 @@ static void netsec_do_sign(struct schannel_state *state,
SSVAL(header, 4, 0xFFFF);
SSVAL(header, 6, 0x0000);
- hmac_sha256_update(header, 8, &ctx);
- hmac_sha256_update(confounder, 8, &ctx);
+ rc = gnutls_hmac(hmac_hnd, header, 8);
+ if (rc < 0) {
+ gnutls_hmac_deinit(hmac_hnd, NULL);
+ return NT_STATUS_INTERNAL_ERROR;
+ }
+ rc = gnutls_hmac(hmac_hnd, confounder, 8);
+ if (rc < 0) {
+ gnutls_hmac_deinit(hmac_hnd, NULL);
+ return NT_STATUS_INTERNAL_ERROR;
+ }
} else {
SSVAL(header, 0, NL_SIGN_HMAC_SHA256);
SSVAL(header, 2, NL_SEAL_NONE);
SSVAL(header, 4, 0xFFFF);
SSVAL(header, 6, 0x0000);
- hmac_sha256_update(header, 8, &ctx);
+ rc = gnutls_hmac(hmac_hnd, header, 8);
+ if (rc < 0) {
+ gnutls_hmac_deinit(hmac_hnd, NULL);
+ return NT_STATUS_INTERNAL_ERROR;
+ }
}
- hmac_sha256_update(data, length, &ctx);
+ rc = gnutls_hmac(hmac_hnd, data, length);
+ if (rc < 0) {
+ gnutls_hmac_deinit(hmac_hnd, NULL);
+ return NT_STATUS_INTERNAL_ERROR;
+ }
- hmac_sha256_final(checksum, &ctx);
+ gnutls_hmac_deinit(hmac_hnd, checksum);
} else {
uint8_t packet_digest[16];
static const uint8_t zeros[4];
@@ -279,6 +303,8 @@ static void netsec_do_sign(struct schannel_state *state,
packet_digest, sizeof(packet_digest),
checksum);
}
+
+ return NT_STATUS_OK;
}
static NTSTATUS netsec_incoming_packet(struct schannel_state *state,
@@ -298,6 +324,7 @@ static NTSTATUS netsec_incoming_packet(struct schannel_state *state,
int ret;
const uint8_t *sign_data = NULL;
size_t sign_length = 0;
+ NTSTATUS status;
netsec_offset_and_sizes(state,
do_unseal,
@@ -334,9 +361,16 @@ static NTSTATUS netsec_incoming_packet(struct schannel_state *state,
sign_length = length;
}
- netsec_do_sign(state, confounder,
- sign_data, sign_length,
- header, checksum);
+ status = netsec_do_sign(state,
+ confounder,
+ sign_data,
+ sign_length,
+ header,
+ checksum);
+ if (!NT_STATUS_IS_OK(status)) {
+ DBG_WARNING("netsec_do_sign failed: %s\n", nt_errstr(status));
+ return NT_STATUS_ACCESS_DENIED;
+ }
ret = memcmp(checksum, sig->data+16, checksum_length);
if (ret != 0) {
@@ -391,6 +425,7 @@ static NTSTATUS netsec_outgoing_packet(struct schannel_state *state,
uint8_t seq_num[8];
const uint8_t *sign_data = NULL;
size_t sign_length = 0;
+ NTSTATUS status;
netsec_offset_and_sizes(state,
do_seal,
@@ -416,9 +451,16 @@ static NTSTATUS netsec_outgoing_packet(struct schannel_state *state,
sign_length = length;
}
- netsec_do_sign(state, confounder,
- sign_data, sign_length,
- header, checksum);
+ status = netsec_do_sign(state,
+ confounder,
+ sign_data,
+ sign_length,
+ header,
+ checksum);
+ if (!NT_STATUS_IS_OK(status)) {
+ DBG_WARNING("netsec_do_sign failed: %s\n", nt_errstr(status));
+ return NT_STATUS_ACCESS_DENIED;
+ }
if (do_seal) {
netsec_do_seal(state, seq_num,
diff --git a/lib/crypto/crypto.h b/lib/crypto/crypto.h
index dc99f6c437d..20abb13016a 100644
--- a/lib/crypto/crypto.h
+++ b/lib/crypto/crypto.h
@@ -23,8 +23,6 @@
#include "../lib/crypto/md4.h"
#include "../lib/crypto/md5.h"
#include "../lib/crypto/hmacmd5.h"
-#include "../lib/crypto/sha256.h"
-#include "../lib/crypto/hmacsha256.h"
#include "../lib/crypto/arcfour.h"
#include "../lib/crypto/aes.h"
#include "../lib/crypto/aes_cmac_128.h"
diff --git a/lib/crypto/hmacsha256.c b/lib/crypto/hmacsha256.c
deleted file mode 100644
index 15a74ef6f5e..00000000000
--- a/lib/crypto/hmacsha256.c
+++ /dev/null
@@ -1,92 +0,0 @@
-/*
- Unix SMB/CIFS implementation.
-
- Interface header: HMAC SHA-256 code
-
- Copyright (C) Andrew Tridgell 2008
-
- based in hmacsha1.c which is:
- Copyright (C) Stefan Metzmacher
-
- This program is free software; you can redistribute it and/or modify
- it under the terms of the GNU General Public License as published by
- the Free Software Foundation; either version 3 of the License, or
- (at your option) any later version.
-
- This program is distributed in the hope that it will be useful,
- but WITHOUT ANY WARRANTY; without even the implied warranty of
- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- GNU General Public License for more details.
-
- You should have received a copy of the GNU General Public License
- along with this program. If not, see <http://www.gnu.org/licenses/>.
-*/
-
-/*
- taken direct from rfc2202 implementation and modified for suitable use
- */
-
-#include "replace.h"
-#include "lib/crypto/sha256.h"
-#include "lib/crypto/hmacsha256.h"
-
-/***********************************************************************
- the rfc 2104/2202 version of hmac_sha256 initialisation.
-***********************************************************************/
-_PUBLIC_ void hmac_sha256_init(const uint8_t *key, size_t key_len, struct HMACSHA256Context *ctx)
-{
- int i;
- uint8_t tk[SHA256_DIGEST_LENGTH];
-
- /* if key is longer than 64 bytes reset it to key=HASH(key) */
- if (key_len > 64)
- {
- SHA256_CTX tctx;
-
- samba_SHA256_Init(&tctx);
- samba_SHA256_Update(&tctx, key, key_len);
- samba_SHA256_Final(tk, &tctx);
-
- key = tk;
- key_len = SHA256_DIGEST_LENGTH;
- }
-
- /* start out by storing key in pads */
- ZERO_STRUCT(ctx->k_ipad);
- ZERO_STRUCT(ctx->k_opad);
- memcpy( ctx->k_ipad, key, key_len);
- memcpy( ctx->k_opad, key, key_len);
-
- /* XOR key with ipad and opad values */
- for (i=0; i<64; i++)
- {
- ctx->k_ipad[i] ^= 0x36;
- ctx->k_opad[i] ^= 0x5c;
- }
-
- samba_SHA256_Init(&ctx->ctx);
- samba_SHA256_Update(&ctx->ctx, ctx->k_ipad, 64);
-}
-
-/***********************************************************************
- update hmac_sha256 "inner" buffer
-***********************************************************************/
-_PUBLIC_ void hmac_sha256_update(const uint8_t *data, size_t data_len, struct HMACSHA256Context *ctx)
-{
- samba_SHA256_Update(&ctx->ctx, data, data_len); /* then text of datagram */
-}
-
-/***********************************************************************
- finish off hmac_sha256 "inner" buffer and generate outer one.
-***********************************************************************/
-_PUBLIC_ void hmac_sha256_final(uint8_t digest[SHA256_DIGEST_LENGTH], struct HMACSHA256Context *ctx)
-{
- SHA256_CTX ctx_o;
-
- samba_SHA256_Final(digest, &ctx->ctx);
-
- samba_SHA256_Init(&ctx_o);
- samba_SHA256_Update(&ctx_o, ctx->k_opad, 64);
- samba_SHA256_Update(&ctx_o, digest, SHA256_DIGEST_LENGTH);
- samba_SHA256_Final(digest, &ctx_o);
-}
diff --git a/lib/crypto/hmacsha256.h b/lib/crypto/hmacsha256.h
deleted file mode 100644
index d9ecac7af40..00000000000
--- a/lib/crypto/hmacsha256.h
+++ /dev/null
@@ -1,38 +0,0 @@
-/*
- Unix SMB/CIFS implementation.
-
- Interface header: HMAC SHA256 code
-
- Copyright (C) Andrew Tridgell 2008
-
- based on hmacsha1.h which is:
-
- Copyright (C) Stefan Metzmacher 2006
-
- This program is free software; you can redistribute it and/or modify
- it under the terms of the GNU General Public License as published by
- the Free Software Foundation; either version 3 of the License, or
- (at your option) any later version.
-
- This program is distributed in the hope that it will be useful,
- but WITHOUT ANY WARRANTY; without even the implied warranty of
- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- GNU General Public License for more details.
-
- You should have received a copy of the GNU General Public License
- along with this program. If not, see <http://www.gnu.org/licenses/>.
-*/
-
-#ifndef _HMAC_SHA256_H
-
-struct HMACSHA256Context {
- SHA256_CTX ctx;
- uint8_t k_ipad[65];
- uint8_t k_opad[65];
-};
-
-void hmac_sha256_init(const uint8_t *key, size_t key_len, struct HMACSHA256Context *ctx);
-void hmac_sha256_update(const uint8_t *data, size_t data_len, struct HMACSHA256Context *ctx);
-void hmac_sha256_final(uint8_t digest[SHA256_DIGEST_LENGTH], struct HMACSHA256Context *ctx);
-
-#endif /* _HMAC_SHA256_H */
diff --git a/lib/crypto/sha256.c b/lib/crypto/sha256.c
deleted file mode 100644
index 02e2259f1bc..00000000000
--- a/lib/crypto/sha256.c
+++ /dev/null
@@ -1,253 +0,0 @@
-/*
- based on heildal lib/hcrypto/sha256.c. Copied to lib/crypto to avoid a link
- problem. Hopefully will be removed once we solve this link problem
-
- (tridge)
- */
-
-/*
- * Copyright (c) 2006 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "replace.h"
-#include "sha256.h"
-
-#define Ch(x,y,z) (((x) & (y)) ^ ((~(x)) & (z)))
-#define Maj(x,y,z) (((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z)))
-
-#define ROTR(x,n) (((x)>>(n)) | ((x) << (32 - (n))))
-
-#define Sigma0(x) (ROTR(x,2) ^ ROTR(x,13) ^ ROTR(x,22))
-#define Sigma1(x) (ROTR(x,6) ^ ROTR(x,11) ^ ROTR(x,25))
-#define sigma0(x) (ROTR(x,7) ^ ROTR(x,18) ^ ((x)>>3))
-#define sigma1(x) (ROTR(x,17) ^ ROTR(x,19) ^ ((x)>>10))
-
-#define A m->counter[0]
-#define B m->counter[1]
-#define C m->counter[2]
-#define D m->counter[3]
-#define E m->counter[4]
-#define F m->counter[5]
-#define G m->counter[6]
-#define H m->counter[7]
-
-static const uint32_t constant_256[64] = {
- 0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5,
- 0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5,
- 0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3,
- 0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174,
- 0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc,
- 0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da,
- 0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7,
- 0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967,
- 0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13,
- 0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85,
- 0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3,
- 0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070,
- 0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5,
- 0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3,
- 0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208,
- 0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2
-};
-
-void
-samba_SHA256_Init (SHA256_CTX *m)
-{
- m->sz[0] = 0;
- m->sz[1] = 0;
- A = 0x6a09e667;
- B = 0xbb67ae85;
- C = 0x3c6ef372;
- D = 0xa54ff53a;
- E = 0x510e527f;
- F = 0x9b05688c;
- G = 0x1f83d9ab;
- H = 0x5be0cd19;
-}
-
-static void
-calc (SHA256_CTX *m, uint32_t *in)
-{
- uint32_t AA, BB, CC, DD, EE, FF, GG, HH;
- uint32_t data[64];
- int i;
-
- AA = A;
- BB = B;
- CC = C;
- DD = D;
- EE = E;
- FF = F;
- GG = G;
- HH = H;
-
- for (i = 0; i < 16; ++i)
- data[i] = in[i];
- for (i = 16; i < 64; ++i)
- data[i] = sigma1(data[i-2]) + data[i-7] +
- sigma0(data[i-15]) + data[i - 16];
-
- for (i = 0; i < 64; i++) {
- uint32_t T1, T2;
-
- T1 = HH + Sigma1(EE) + Ch(EE, FF, GG) + constant_256[i] + data[i];
- T2 = Sigma0(AA) + Maj(AA,BB,CC);
-
- HH = GG;
- GG = FF;
- FF = EE;
- EE = DD + T1;
- DD = CC;
- CC = BB;
- BB = AA;
- AA = T1 + T2;
- }
-
- A += AA;
- B += BB;
- C += CC;
- D += DD;
- E += EE;
- F += FF;
- G += GG;
- H += HH;
-}
-
-/*
- * From `Performance analysis of MD5' by Joseph D. Touch <touch at isi.edu>
- */
-
-#if !defined(WORDS_BIGENDIAN) || defined(_CRAY)
-/* Vector Crays doesn't have a good 32-bit type, or more precisely,
- int32_t as defined by <bind/bitypes.h> isn't 32 bits, and we don't
- want to depend in being able to redefine this type. To cope with
- this we have to clamp the result in some places to [0,2^32); no
- need to do this on other machines. Did I say this was a mess?
- */
-
-#ifdef _CRAY
-#define CRAYFIX(X) ((X) & 0xffffffff)
-#else
--
Samba Shared Repository
More information about the samba-cvs
mailing list