[SCM] Samba Shared Repository - branch master updated

Andrew Bartlett abartlet at samba.org
Tue Nov 19 06:13:04 UTC 2019


The branch, master has been updated
       via  c34ec003b7d utils: only compile test_oLschema2ldif if fmemopen exists
       via  71816984c31 s4:lib:tls: Fix cert and privkey types
       via  e19b115dd27 libcli:auth: Remove unused E_md5hash()
       via  4199d1040f0 s3:winbind: Replace E_md5hash() with GnuTLS calls
       via  10499507c4f s3:winbindd: Replace E_md5hash() with GnuTLS calls
       via  a377214dce2 s3:rpc_server: Replace E_md5hash() with GnuTLS calls
      from  93b9fc3da86 build: add missing crypt dependency for auth4_unix

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit c34ec003b7d45aa4196ff93a0ac29694b25e5309
Author: Robert Scott <code at humanleg.org.uk>
Date:   Sat Nov 16 17:46:51 2019 +0000

    utils: only compile test_oLschema2ldif if fmemopen exists
    
    in the vein of da87fa998ab71328f30bcdf5b41aee8675aee48a
    
    Signed-off-by: Robert Scott <code at humanleg.org.uk>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    
    Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
    Autobuild-Date(master): Tue Nov 19 06:12:29 UTC 2019 on sn-devel-184

commit 71816984c31cd1a392355afdbfdadb0da2d05765
Author: Andreas Schneider <asn at samba.org>
Date:   Mon Nov 18 16:33:23 2019 +0100

    s4:lib:tls: Fix cert and privkey types
    
    ../../source4/lib/tls/tlscert.c:42:2: warning: ‘gnutls_x509_crt’ is
        deprecated [-Wdeprecated-declarations]
       42 |  gnutls_x509_crt cacrt, crt;
          |  ^~~~~~~~~~~~~~~
    ../../source4/lib/tls/tlscert.c:43:2: warning: ‘gnutls_x509_privkey’ is
        deprecated [-Wdeprecated-declarations]
       43 |  gnutls_x509_privkey key, cakey;
          |  ^~~~~~~~~~~~~~~~~~~
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit e19b115dd27891896364f5e943b0ce7fcc89344e
Author: Andreas Schneider <asn at samba.org>
Date:   Mon Nov 18 10:29:55 2019 +0100

    libcli:auth: Remove unused E_md5hash()
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14195
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 4199d1040f09b5d95522d0cbdbaeec78b7d7b9a6
Author: Andreas Schneider <asn at samba.org>
Date:   Mon Nov 18 10:28:59 2019 +0100

    s3:winbind: Replace E_md5hash() with GnuTLS calls
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14195
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 10499507c4fd91751898696b866ce32b1e38f605
Author: Andreas Schneider <asn at samba.org>
Date:   Mon Nov 18 10:24:56 2019 +0100

    s3:winbindd: Replace E_md5hash() with GnuTLS calls
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14195
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit a377214dce2e9d71f880949fe745d799c75f57a9
Author: Andreas Schneider <asn at samba.org>
Date:   Mon Nov 18 10:21:06 2019 +0100

    s3:rpc_server: Replace E_md5hash() with GnuTLS calls
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14195
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

-----------------------------------------------------------------------

Summary of changes:
 libcli/auth/proto.h                          |  8 -------
 libcli/auth/smbencrypt.c                     | 33 ----------------------------
 source3/rpc_server/samr/srv_samr_chgpasswd.c | 20 ++++++++++++++++-
 source3/winbindd/winbindd_cache.c            | 23 ++++++++++++++++++-
 source3/winbindd/winbindd_pam.c              | 23 ++++++++++++++++++-
 source4/lib/tls/tlscert.c                    |  4 ++--
 source4/utils/oLschema2ldif/wscript_build    |  1 +
 7 files changed, 66 insertions(+), 46 deletions(-)


Changeset truncated at 500 lines:

diff --git a/libcli/auth/proto.h b/libcli/auth/proto.h
index eef1c8dc095..eb725c83d15 100644
--- a/libcli/auth/proto.h
+++ b/libcli/auth/proto.h
@@ -105,14 +105,6 @@ bool SMBencrypt(const char *passwd, const uint8_t *c8, uint8_t p24[24]);
  */
 bool E_md4hash(const char *passwd, uint8_t p16[16]);
 
-/**
- * Creates the MD5 Hash of a combination of 16 byte salt and 16 byte NT hash.
- * @param 16 byte salt.
- * @param 16 byte NT hash.
- * @param 16 byte return hashed with md5, caller allocated 16 byte buffer
- */
-void E_md5hash(const uint8_t salt[16], const uint8_t nthash[16], uint8_t hash_out[16]);
-
 /**
  * Creates the DES forward-only Hash of the users password in DOS ASCII charset
  * @param passwd password in 'unix' charset.
diff --git a/libcli/auth/smbencrypt.c b/libcli/auth/smbencrypt.c
index e33d29de19d..ab2c47ad9bb 100644
--- a/libcli/auth/smbencrypt.c
+++ b/libcli/auth/smbencrypt.c
@@ -94,39 +94,6 @@ bool E_md4hash(const char *passwd, uint8_t p16[16])
 	return true;
 }
 
-/**
- * Creates the MD5 Hash of a combination of 16 byte salt and 16 byte NT hash.
- * @param 16 byte salt.
- * @param 16 byte NT hash.
- * @param 16 byte return hashed with md5, caller allocated 16 byte buffer
- */
-
-void E_md5hash(const uint8_t salt[16], const uint8_t nthash[16], uint8_t hash_out[16])
-{
-	gnutls_hash_hd_t hash_hnd = NULL;
-	int rc;
-
-	rc = gnutls_hash_init(&hash_hnd, GNUTLS_DIG_MD5);
-	if (rc < 0) {
-		goto out;
-	}
-
-	rc = gnutls_hash(hash_hnd, salt, 16);
-	if (rc < 0) {
-		gnutls_hash_deinit(hash_hnd, NULL);
-		goto out;
-	}
-	rc = gnutls_hash(hash_hnd, nthash, 16);
-	if (rc < 0) {
-		gnutls_hash_deinit(hash_hnd, NULL);
-		goto out;
-	}
-	gnutls_hash_deinit(hash_hnd, hash_out);
-
-out:
-	return;
-}
-
 /**
  * Creates the DES forward-only Hash of the users password in DOS ASCII charset
  * @param passwd password in 'unix' charset.
diff --git a/source3/rpc_server/samr/srv_samr_chgpasswd.c b/source3/rpc_server/samr/srv_samr_chgpasswd.c
index fc509494ebc..8c9cf73bdd8 100644
--- a/source3/rpc_server/samr/srv_samr_chgpasswd.c
+++ b/source3/rpc_server/samr/srv_samr_chgpasswd.c
@@ -901,11 +901,29 @@ static bool password_in_history(uint8_t nt_pw[NT_HASH_LEN],
 				return true;
 			}
 		} else {
+			gnutls_hash_hd_t hash_hnd = NULL;
+			int rc;
+
 			/*
 			 * Old format: md5sum of salted nt hash.
 			 * Create salted version of new pw to compare.
 			 */
-			E_md5hash(current_salt, nt_pw, new_nt_pw_salted_md5_hash);
+			rc = gnutls_hash_init(&hash_hnd, GNUTLS_DIG_MD5);
+			if (rc < 0) {
+				return false;
+			}
+
+			rc = gnutls_hash(hash_hnd, current_salt, 16);
+			if (rc < 0) {
+				gnutls_hash_deinit(hash_hnd, NULL);
+				return false;
+			}
+			rc = gnutls_hash(hash_hnd, nt_pw, 16);
+			if (rc < 0) {
+				gnutls_hash_deinit(hash_hnd, NULL);
+				return false;
+			}
+			gnutls_hash_deinit(hash_hnd, new_nt_pw_salted_md5_hash);
 
 			if (memcmp(new_nt_pw_salted_md5_hash,
 				   old_nt_pw_salted_md5_hash,
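Review bot: In the old-format branch, each of the three new GnuTLS failure paths does `return false;`, and since the visible match path returns true, a hash failure will most likely be read by the caller as "password not in history". That skips the history check for this entry and every remaining one. If accepting the password on a crypto failure is deliberate, a comment should say so; otherwise fail closed with `return true;` and a debug message on those paths. The body of password_in_history starts and ends outside the hunk, so confirm how the caller treats the result. Separately, the length passed to gnutls_hash() is the literal `16` here and in the wcache_save_creds and winbindd_dual_pam_auth_cached hunks, although nt_pw is declared with NT_HASH_LEN; `gnutls_hash(hash_hnd, nt_pw, NT_HASH_LEN)` keeps the two tied together.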
diff --git a/source3/winbindd/winbindd_cache.c b/source3/winbindd/winbindd_cache.c
index 394b0c774a9..3e7afdaa546 100644
--- a/source3/winbindd/winbindd_cache.c
+++ b/source3/winbindd/winbindd_cache.c
@@ -37,6 +37,9 @@
 #include "libsmb/samlogon_cache.h"
 #include "lib/namemap_cache.h"
 
+#include "lib/crypto/gnutls_helpers.h"
+#include <gnutls/crypto.h>
+
 #undef DBGC_CLASS
 #define DBGC_CLASS DBGC_WINBIND
 
@@ -1364,6 +1367,8 @@ NTSTATUS wcache_save_creds(struct winbindd_domain *domain,
 	uint32_t rid;
 	uint8_t cred_salt[NT_HASH_LEN];
 	uint8_t salted_hash[NT_HASH_LEN];
+	gnutls_hash_hd_t hash_hnd = NULL;
+	int rc;
 
 	if (is_null_sid(sid)) {
 		return NT_STATUS_INVALID_SID;
@@ -1384,7 +1389,23 @@ NTSTATUS wcache_save_creds(struct winbindd_domain *domain,
 
 	/* Create a salt and then salt the hash. */
 	generate_random_buffer(cred_salt, NT_HASH_LEN);
-	E_md5hash(cred_salt, nt_pass, salted_hash);
+
+	rc = gnutls_hash_init(&hash_hnd, GNUTLS_DIG_MD5);
+	if (rc < 0) {
+		return gnutls_error_to_ntstatus(rc, NT_STATUS_HASH_NOT_SUPPORTED);
+	}
+
+	rc = gnutls_hash(hash_hnd, cred_salt, 16);
+	if (rc < 0) {
+		gnutls_hash_deinit(hash_hnd, NULL);
+		return gnutls_error_to_ntstatus(rc, NT_STATUS_HASH_NOT_SUPPORTED);
+	}
+	rc = gnutls_hash(hash_hnd, nt_pass, 16);
+	if (rc < 0) {
+		gnutls_hash_deinit(hash_hnd, NULL);
+		return gnutls_error_to_ntstatus(rc, NT_STATUS_HASH_NOT_SUPPORTED);
+	}
+	gnutls_hash_deinit(hash_hnd, salted_hash);
 
 	centry_put_hash16(centry, salted_hash);
 	centry_put_hash16(centry, cred_salt);
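Review bot: The three early returns added here leave wcache_save_creds while `centry` is already live, and nothing on these paths releases it. It must have been obtained before the hunk, because it is passed to centry_put_hash16() right after this block. If the normal path frees the entry later in the function (not visible here), each error path should do the same before returning, e.g. `centry_free(centry);` ahead of `return gnutls_error_to_ntstatus(rc, NT_STATUS_HASH_NOT_SUPPORTED);`, assuming centry_free() is the release used at the end of the function. A single cleanup label reached by `goto` would avoid repeating the release three times.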
diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
index 28b77fc2e93..771a130bd6e 100644
--- a/source3/winbindd/winbindd_pam.c
+++ b/source3/winbindd/winbindd_pam.c
@@ -48,6 +48,9 @@
 #include "param/param.h"
 #include "messaging/messaging.h"
 
+#include "lib/crypto/gnutls_helpers.h"
+#include <gnutls/crypto.h>
+
 #undef DBGC_CLASS
 #define DBGC_CLASS DBGC_WINBIND
 
@@ -1086,7 +1089,25 @@ static NTSTATUS winbindd_dual_pam_auth_cached(struct winbindd_domain *domain,
 		/* In this case we didn't store the nt_hash itself,
 		   but the MD5 combination of salt + nt_hash. */
 		uchar salted_hash[NT_HASH_LEN];
-		E_md5hash(cached_salt, new_nt_pass, salted_hash);
+		gnutls_hash_hd_t hash_hnd = NULL;
+		int rc;
+
+		rc = gnutls_hash_init(&hash_hnd, GNUTLS_DIG_MD5);
+		if (rc < 0) {
+			return gnutls_error_to_ntstatus(rc, NT_STATUS_HASH_NOT_SUPPORTED);
+		}
+
+		rc = gnutls_hash(hash_hnd, cached_salt, 16);
+		if (rc < 0) {
+			gnutls_hash_deinit(hash_hnd, NULL);
+			return gnutls_error_to_ntstatus(rc, NT_STATUS_HASH_NOT_SUPPORTED);
+		}
+		rc = gnutls_hash(hash_hnd, new_nt_pass, 16);
+		if (rc < 0) {
+			gnutls_hash_deinit(hash_hnd, NULL);
+			return gnutls_error_to_ntstatus(rc, NT_STATUS_HASH_NOT_SUPPORTED);
+		}
+		gnutls_hash_deinit(hash_hnd, salted_hash);
 
 		password_good = (memcmp(cached_nt_pass, salted_hash,
 					NT_HASH_LEN) == 0);
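Review bot: Nothing in the new block says why MD5 is still used or what a GnuTLS failure means for the logon, and both matter to anyone auditing cached authentication. I would extend the existing comment with something like `/* MD5 only matches the stored cache format (salt + nt_hash); if GnuTLS refuses it, the cached logon fails with an error instead of comparing an unset buffer. */`. The early returns do fail closed, since `password_good` is never computed from an uninitialised `salted_hash`. The rest of winbindd_dual_pam_auth_cached lies outside the hunk, so check there whether any state set up earlier needs unwinding on these returns.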
diff --git a/source4/lib/tls/tlscert.c b/source4/lib/tls/tlscert.c
index f5e9a1f2d39..9379ab094d1 100644
--- a/source4/lib/tls/tlscert.c
+++ b/source4/lib/tls/tlscert.c
@@ -39,8 +39,8 @@ void tls_cert_generate(TALLOC_CTX *mem_ctx,
 		       const char *keyfile, const char *certfile,
 		       const char *cafile)
 {
-	gnutls_x509_crt cacrt, crt;
-	gnutls_x509_privkey key, cakey;
+	gnutls_x509_crt_t cacrt, crt;
+	gnutls_x509_privkey_t key, cakey;
 	uint32_t serial = (uint32_t)time(NULL);
 	unsigned char keyid[100];
 	char buf[4096];
diff --git a/source4/utils/oLschema2ldif/wscript_build b/source4/utils/oLschema2ldif/wscript_build
index 527c99dc2f2..e8ee31a7f8f 100644
--- a/source4/utils/oLschema2ldif/wscript_build
+++ b/source4/utils/oLschema2ldif/wscript_build
@@ -15,5 +15,6 @@ bld.SAMBA_BINARY('test_oLschema2ldif',
 	source='test.c',
 	deps='cmocka oLschema2ldif-lib',
 	local_include=False,
+	enabled=bld.CONFIG_SET('HAVE_FMEMOPEN'),
 	install=False,
 	)


-- 
Samba Shared Repository


