[SCM] Samba Shared Repository - branch master updated
Andrew Bartlett
abartlet at samba.org
Tue Nov 19 06:13:04 UTC 2019
The branch, master has been updated
via c34ec003b7d utils: only compile test_oLschema2ldif if fmemopen exists
via 71816984c31 s4:lib:tls: Fix cert and privkey types
via e19b115dd27 libcli:auth: Remove unused E_md5hash()
via 4199d1040f0 s3:winbind: Replace E_md5hash() with GnuTLS calls
via 10499507c4f s3:winbindd: Replace E_md5hash() with GnuTLS calls
via a377214dce2 s3:rpc_server: Replace E_md5hash() with GnuTLS calls
from 93b9fc3da86 build: add missing crypt dependency for auth4_unix
https://git.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit c34ec003b7d45aa4196ff93a0ac29694b25e5309
Author: Robert Scott <code at humanleg.org.uk>
Date: Sat Nov 16 17:46:51 2019 +0000
utils: only compile test_oLschema2ldif if fmemopen exists
in the vein of da87fa998ab71328f30bcdf5b41aee8675aee48a
Signed-off-by: Robert Scott <code at humanleg.org.uk>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
Autobuild-Date(master): Tue Nov 19 06:12:29 UTC 2019 on sn-devel-184
commit 71816984c31cd1a392355afdbfdadb0da2d05765
Author: Andreas Schneider <asn at samba.org>
Date: Mon Nov 18 16:33:23 2019 +0100
s4:lib:tls: Fix cert and privkey types
../../source4/lib/tls/tlscert.c:42:2: warning: ‘gnutls_x509_crt’ is
deprecated [-Wdeprecated-declarations]
42 | gnutls_x509_crt cacrt, crt;
| ^~~~~~~~~~~~~~~
../../source4/lib/tls/tlscert.c:43:2: warning: ‘gnutls_x509_privkey’ is
deprecated [-Wdeprecated-declarations]
43 | gnutls_x509_privkey key, cakey;
| ^~~~~~~~~~~~~~~~~~~
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit e19b115dd27891896364f5e943b0ce7fcc89344e
Author: Andreas Schneider <asn at samba.org>
Date: Mon Nov 18 10:29:55 2019 +0100
libcli:auth: Remove unused E_md5hash()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14195
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 4199d1040f09b5d95522d0cbdbaeec78b7d7b9a6
Author: Andreas Schneider <asn at samba.org>
Date: Mon Nov 18 10:28:59 2019 +0100
s3:winbind: Replace E_md5hash() with GnuTLS calls
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14195
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 10499507c4fd91751898696b866ce32b1e38f605
Author: Andreas Schneider <asn at samba.org>
Date: Mon Nov 18 10:24:56 2019 +0100
s3:winbindd: Replace E_md5hash() with GnuTLS calls
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14195
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit a377214dce2e9d71f880949fe745d799c75f57a9
Author: Andreas Schneider <asn at samba.org>
Date: Mon Nov 18 10:21:06 2019 +0100
s3:rpc_server: Replace E_md5hash() with GnuTLS calls
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14195
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
-----------------------------------------------------------------------
Summary of changes:
libcli/auth/proto.h | 8 -------
libcli/auth/smbencrypt.c | 33 ----------------------------
source3/rpc_server/samr/srv_samr_chgpasswd.c | 20 ++++++++++++++++-
source3/winbindd/winbindd_cache.c | 23 ++++++++++++++++++-
source3/winbindd/winbindd_pam.c | 23 ++++++++++++++++++-
source4/lib/tls/tlscert.c | 4 ++--
source4/utils/oLschema2ldif/wscript_build | 1 +
7 files changed, 66 insertions(+), 46 deletions(-)
Changeset truncated at 500 lines:
diff --git a/libcli/auth/proto.h b/libcli/auth/proto.h
index eef1c8dc095..eb725c83d15 100644
--- a/libcli/auth/proto.h
+++ b/libcli/auth/proto.h
@@ -105,14 +105,6 @@ bool SMBencrypt(const char *passwd, const uint8_t *c8, uint8_t p24[24]);
*/
bool E_md4hash(const char *passwd, uint8_t p16[16]);
-/**
- * Creates the MD5 Hash of a combination of 16 byte salt and 16 byte NT hash.
- * @param 16 byte salt.
- * @param 16 byte NT hash.
- * @param 16 byte return hashed with md5, caller allocated 16 byte buffer
- */
-void E_md5hash(const uint8_t salt[16], const uint8_t nthash[16], uint8_t hash_out[16]);
-
/**
* Creates the DES forward-only Hash of the users password in DOS ASCII charset
* @param passwd password in 'unix' charset.
diff --git a/libcli/auth/smbencrypt.c b/libcli/auth/smbencrypt.c
index e33d29de19d..ab2c47ad9bb 100644
--- a/libcli/auth/smbencrypt.c
+++ b/libcli/auth/smbencrypt.c
@@ -94,39 +94,6 @@ bool E_md4hash(const char *passwd, uint8_t p16[16])
return true;
}
-/**
- * Creates the MD5 Hash of a combination of 16 byte salt and 16 byte NT hash.
- * @param 16 byte salt.
- * @param 16 byte NT hash.
- * @param 16 byte return hashed with md5, caller allocated 16 byte buffer
- */
-
-void E_md5hash(const uint8_t salt[16], const uint8_t nthash[16], uint8_t hash_out[16])
-{
- gnutls_hash_hd_t hash_hnd = NULL;
- int rc;
-
- rc = gnutls_hash_init(&hash_hnd, GNUTLS_DIG_MD5);
- if (rc < 0) {
- goto out;
- }
-
- rc = gnutls_hash(hash_hnd, salt, 16);
- if (rc < 0) {
- gnutls_hash_deinit(hash_hnd, NULL);
- goto out;
- }
- rc = gnutls_hash(hash_hnd, nthash, 16);
- if (rc < 0) {
- gnutls_hash_deinit(hash_hnd, NULL);
- goto out;
- }
- gnutls_hash_deinit(hash_hnd, hash_out);
-
-out:
- return;
-}
-
/**
* Creates the DES forward-only Hash of the users password in DOS ASCII charset
* @param passwd password in 'unix' charset.
diff --git a/source3/rpc_server/samr/srv_samr_chgpasswd.c b/source3/rpc_server/samr/srv_samr_chgpasswd.c
index fc509494ebc..8c9cf73bdd8 100644
--- a/source3/rpc_server/samr/srv_samr_chgpasswd.c
+++ b/source3/rpc_server/samr/srv_samr_chgpasswd.c
@@ -901,11 +901,29 @@ static bool password_in_history(uint8_t nt_pw[NT_HASH_LEN],
return true;
}
} else {
+ gnutls_hash_hd_t hash_hnd = NULL;
+ int rc;
+
/*
* Old format: md5sum of salted nt hash.
* Create salted version of new pw to compare.
*/
- E_md5hash(current_salt, nt_pw, new_nt_pw_salted_md5_hash);
+ rc = gnutls_hash_init(&hash_hnd, GNUTLS_DIG_MD5);
+ if (rc < 0) {
+ return false;
+ }
+
+ rc = gnutls_hash(hash_hnd, current_salt, 16);
+ if (rc < 0) {
+ gnutls_hash_deinit(hash_hnd, NULL);
+ return false;
+ }
+ rc = gnutls_hash(hash_hnd, nt_pw, 16);
+ if (rc < 0) {
+ gnutls_hash_deinit(hash_hnd, NULL);
+ return false;
+ }
+ gnutls_hash_deinit(hash_hnd, new_nt_pw_salted_md5_hash);
if (memcmp(new_nt_pw_salted_md5_hash,
old_nt_pw_salted_md5_hash,
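Review bot: The three new `return false;` paths make the password-history check fail open, because in `password_in_history()` false reads as "not in history" (the match branch above returns true). If GnuTLS refuses MD5, for example under a restrictive crypto policy, a reused password would be accepted with no trace in the log. Since the bool return cannot carry an error, consider logging with `DBG_ERR("MD5 history hash failed: %s\n", gnutls_strerror(rc));` and returning true, assuming callers treat true as "reject the change". The literal `16` in both `gnutls_hash()` calls should be `NT_HASH_LEN`, which the signature already uses; the same applies to the winbindd_cache.c and winbindd_pam.c hunks. The function body starts and ends outside this hunk.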
diff --git a/source3/winbindd/winbindd_cache.c b/source3/winbindd/winbindd_cache.c
index 394b0c774a9..3e7afdaa546 100644
--- a/source3/winbindd/winbindd_cache.c
+++ b/source3/winbindd/winbindd_cache.c
@@ -37,6 +37,9 @@
#include "libsmb/samlogon_cache.h"
#include "lib/namemap_cache.h"
+#include "lib/crypto/gnutls_helpers.h"
+#include <gnutls/crypto.h>
+
#undef DBGC_CLASS
#define DBGC_CLASS DBGC_WINBIND
@@ -1364,6 +1367,8 @@ NTSTATUS wcache_save_creds(struct winbindd_domain *domain,
uint32_t rid;
uint8_t cred_salt[NT_HASH_LEN];
uint8_t salted_hash[NT_HASH_LEN];
+ gnutls_hash_hd_t hash_hnd = NULL;
+ int rc;
if (is_null_sid(sid)) {
return NT_STATUS_INVALID_SID;
@@ -1384,7 +1389,23 @@ NTSTATUS wcache_save_creds(struct winbindd_domain *domain,
/* Create a salt and then salt the hash. */
generate_random_buffer(cred_salt, NT_HASH_LEN);
- E_md5hash(cred_salt, nt_pass, salted_hash);
+
+ rc = gnutls_hash_init(&hash_hnd, GNUTLS_DIG_MD5);
+ if (rc < 0) {
+ return gnutls_error_to_ntstatus(rc, NT_STATUS_HASH_NOT_SUPPORTED);
+ }
+
+ rc = gnutls_hash(hash_hnd, cred_salt, 16);
+ if (rc < 0) {
+ gnutls_hash_deinit(hash_hnd, NULL);
+ return gnutls_error_to_ntstatus(rc, NT_STATUS_HASH_NOT_SUPPORTED);
+ }
+ rc = gnutls_hash(hash_hnd, nt_pass, 16);
+ if (rc < 0) {
+ gnutls_hash_deinit(hash_hnd, NULL);
+ return gnutls_error_to_ntstatus(rc, NT_STATUS_HASH_NOT_SUPPORTED);
+ }
+ gnutls_hash_deinit(hash_hnd, salted_hash);
centry_put_hash16(centry, salted_hash);
centry_put_hash16(centry, cred_salt);
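Review bot: The three early returns added here leave `wcache_save_creds()` while `centry` is already live, since it is used on the very next lines. If the entry is allocated earlier in the function, outside this hunk, each error path leaks it, which the old void `E_md5hash()` call could not do. Either add `centry_free(centry);` before each `return gnutls_error_to_ntstatus(...)`, or jump to a single cleanup label that frees the entry. The function's start and end are not visible in this hunk, so confirm where `centry` is created and released.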
diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
index 28b77fc2e93..771a130bd6e 100644
--- a/source3/winbindd/winbindd_pam.c
+++ b/source3/winbindd/winbindd_pam.c
@@ -48,6 +48,9 @@
#include "param/param.h"
#include "messaging/messaging.h"
+#include "lib/crypto/gnutls_helpers.h"
+#include <gnutls/crypto.h>
+
#undef DBGC_CLASS
#define DBGC_CLASS DBGC_WINBIND
@@ -1086,7 +1089,25 @@ static NTSTATUS winbindd_dual_pam_auth_cached(struct winbindd_domain *domain,
/* In this case we didn't store the nt_hash itself,
but the MD5 combination of salt + nt_hash. */
uchar salted_hash[NT_HASH_LEN];
- E_md5hash(cached_salt, new_nt_pass, salted_hash);
+ gnutls_hash_hd_t hash_hnd = NULL;
+ int rc;
+
+ rc = gnutls_hash_init(&hash_hnd, GNUTLS_DIG_MD5);
+ if (rc < 0) {
+ return gnutls_error_to_ntstatus(rc, NT_STATUS_HASH_NOT_SUPPORTED);
+ }
+
+ rc = gnutls_hash(hash_hnd, cached_salt, 16);
+ if (rc < 0) {
+ gnutls_hash_deinit(hash_hnd, NULL);
+ return gnutls_error_to_ntstatus(rc, NT_STATUS_HASH_NOT_SUPPORTED);
+ }
+ rc = gnutls_hash(hash_hnd, new_nt_pass, 16);
+ if (rc < 0) {
+ gnutls_hash_deinit(hash_hnd, NULL);
+ return gnutls_error_to_ntstatus(rc, NT_STATUS_HASH_NOT_SUPPORTED);
+ }
+ gnutls_hash_deinit(hash_hnd, salted_hash);
password_good = (memcmp(cached_nt_pass, salted_hash,
NT_HASH_LEN) == 0);
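Review bot: Nothing in this block records that the hash input order (salt first, then NT hash) must stay identical to the writer in `wcache_save_creds()`, now that the shared `E_md5hash()` helper is gone and the sequence is open-coded in both places. A later edit to one copy would make every cached logon fail the `memcmp` without any error. I would add `/* Hash order (salt, then NT hash) must match wcache_save_creds(). */` above `gnutls_hash_init()`, or better, keep one static helper that returns the GnuTLS error code so the two sides cannot drift. The enclosing function starts and ends outside this hunk.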
diff --git a/source4/lib/tls/tlscert.c b/source4/lib/tls/tlscert.c
index f5e9a1f2d39..9379ab094d1 100644
--- a/source4/lib/tls/tlscert.c
+++ b/source4/lib/tls/tlscert.c
@@ -39,8 +39,8 @@ void tls_cert_generate(TALLOC_CTX *mem_ctx,
const char *keyfile, const char *certfile,
const char *cafile)
{
- gnutls_x509_crt cacrt, crt;
- gnutls_x509_privkey key, cakey;
+ gnutls_x509_crt_t cacrt, crt;
+ gnutls_x509_privkey_t key, cakey;
uint32_t serial = (uint32_t)time(NULL);
unsigned char keyid[100];
char buf[4096];
diff --git a/source4/utils/oLschema2ldif/wscript_build b/source4/utils/oLschema2ldif/wscript_build
index 527c99dc2f2..e8ee31a7f8f 100644
--- a/source4/utils/oLschema2ldif/wscript_build
+++ b/source4/utils/oLschema2ldif/wscript_build
@@ -15,5 +15,6 @@ bld.SAMBA_BINARY('test_oLschema2ldif',
source='test.c',
deps='cmocka oLschema2ldif-lib',
local_include=False,
+ enabled=bld.CONFIG_SET('HAVE_FMEMOPEN'),
install=False,
)
--
Samba Shared Repository