[SCM] Samba Shared Repository - branch master updated

Andreas Schneider asn at samba.org
Tue Oct 8 14:13:04 UTC 2019


The branch, master has been updated
       via  4a24d949975 libcli:smb: Use gnutls_aead_cipher_decryptv2() for AES GCM or CCM
       via  70fdd4821aa libcli:smb: Use gnutls_aead_cipher_encryptv2() for AES GCM or CCM
       via  fa255a36df8 waf: Check for gnutls_aead_cipher_encryptv2()
       via  5a084994144 samba-tool: create working private krb5.conf
      from  0abd1189a60 s3: VFS: Use SMB_VFS_FCNTL to set fd flags in open_file()

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 4a24d9499757dea377b4e3d8beb7f2c10fd5c5d0
Author: Andreas Schneider <asn at samba.org>
Date:   Fri Aug 23 09:12:21 2019 +0200

    libcli:smb: Use gnutls_aead_cipher_decryptv2() for AES GCM or CCM
    
    This is a new call which has been added with GnuTLS 3.6.10 and will
    reduce memory allocations and copying of data.
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Simo Sorce <idra at samba.org>
    
    Autobuild-User(master): Andreas Schneider <asn at cryptomilk.org>
    Autobuild-Date(master): Tue Oct  8 14:12:44 UTC 2019 on sn-devel-184

commit 70fdd4821aa811f90944bee17cc85e3ae9302279
Author: Andreas Schneider <asn at samba.org>
Date:   Fri Aug 23 08:54:54 2019 +0200

    libcli:smb: Use gnutls_aead_cipher_encryptv2() for AES GCM or CCM
    
    This is a new call which has been added with GnuTLS 3.6.10 and will
    reduce memory allocations and copying of data.
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Simo Sorce <idra at samba.org>

commit fa255a36df87e41717d9630ea96ac9439e186062
Author: Andreas Schneider <asn at samba.org>
Date:   Fri Aug 23 08:40:00 2019 +0200

    waf: Check for gnutls_aead_cipher_encryptv2()
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Simo Sorce <idra at samba.org>

commit 5a084994144704a6c146b94f8a22cf57ce08deab
Author: Alexander Bokovoy <ab at samba.org>
Date:   Mon Oct 7 18:24:28 2019 +0300

    samba-tool: create working private krb5.conf
    
    DNS update tool uses private krb5.conf which should have enough details
    to authenticate with GSS-TSIG when running nsupdate.
    
    Unfortunately, the configuration we provide is not enough. We set
    defaults to not lookup REALM via DNS but at the same time we don't
    provide any realm definition. As a result, MIT Kerberos cannot actually
    find a working realm for Samba AD deployment because it cannot query DNS
    for a realm discovery or pick it up from the configuration.
    
    Extend private krb5.conf with a realm definition that will allow MIT
    Kerberos to look up KDC over DNS.
    
    Signed-off-by: Alexander Bokovoy <ab at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>

-----------------------------------------------------------------------

Summary of changes:
 libcli/smb/smb2_signing.c       | 61 ++++++++++++++++++++++++++++++++++++++---
 source4/setup/krb5.conf         |  8 ++++++
 wscript_configure_system_gnutls |  3 ++
 3 files changed, 68 insertions(+), 4 deletions(-)


Changeset truncated at 500 lines:

diff --git a/libcli/smb/smb2_signing.c b/libcli/smb/smb2_signing.c
index c39f8e4780a..166ab9d83ff 100644
--- a/libcli/smb/smb2_signing.c
+++ b/libcli/smb/smb2_signing.c
@@ -392,12 +392,11 @@ NTSTATUS smb2_signing_encrypt_pdu(struct smb2_signing_key *encryption_key,
 				  int count)
 {
 	uint8_t *tf;
-	int i;
 	size_t a_total;
 	ssize_t m_total;
 	uint32_t iv_size = 0;
 	uint32_t key_size = 0;
-	uint32_t tag_size = 0;
+	size_t tag_size = 0;
 	uint8_t _key[16] = {0};
 	gnutls_cipher_algorithm_t algo = 0;
 	gnutls_datum_t key;
@@ -479,12 +478,40 @@ NTSTATUS smb2_signing_encrypt_pdu(struct smb2_signing_key *encryption_key,
 	       0,
 	       16 - iv_size);
 
+#ifdef HAVE_GNUTLS_AEAD_CIPHER_ENCRYPTV2
+	{
+		uint8_t tag[tag_size];
+		giovec_t auth_iov[1];
+
+		auth_iov[0] = (giovec_t) {
+			.iov_base = tf + SMB2_TF_NONCE,
+			.iov_len  = a_total,
+		};
+
+		rc = gnutls_aead_cipher_encryptv2(encryption_key->cipher_hnd,
+						  iv.data,
+						  iv.size,
+						  auth_iov,
+						  1,
+						  &vector[1],
+						  count - 1,
+						  tag,
+						  &tag_size);
+		if (rc < 0) {
+			status = gnutls_error_to_ntstatus(rc, NT_STATUS_INTERNAL_ERROR);
+			goto out;
+		}
+
+		memcpy(tf + SMB2_TF_SIGNATURE, tag, tag_size);
+	}
+#else /* HAVE_GNUTLS_AEAD_CIPHER_ENCRYPTV2 */
 	{
 		size_t ptext_size = m_total;
 		uint8_t *ptext = NULL;
 		size_t ctext_size = m_total + tag_size;
 		uint8_t *ctext = NULL;
 		size_t len = 0;
+		int i;
 
 		ptext = talloc_size(talloc_tos(), ptext_size);
 		if (ptext == NULL) {
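Review bot: The added `uint8_t tag[tag_size];` is a variable-length array sized by a value computed outside this hunk, and the same `tag_size` is passed by pointer to gnutls_aead_cipher_encryptv2() and then reused as the length in `memcpy(tf + SMB2_TF_SIGNATURE, tag, tag_size);`. Nothing visible here bounds it to the signature field of the transform header (16 bytes, if I read the layout correctly), and a zero value would make the VLA undefined, so the copy is only safe if earlier code guarantees a sane tag size. I would make the invariant local with a fixed `uint8_t tag[16];` and, before the call, `if (tag_size == 0 || tag_size > sizeof(tag)) { status = NT_STATUS_INTERNAL_ERROR; goto out; }`. The function body starts and ends outside this hunk.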
@@ -543,6 +570,7 @@ NTSTATUS smb2_signing_encrypt_pdu(struct smb2_signing_key *encryption_key,
 		TALLOC_FREE(ptext);
 		TALLOC_FREE(ctext);
 	}
+#endif /* HAVE_GNUTLS_AEAD_CIPHER_ENCRYPTV2 */
 
 	DBG_INFO("Enencrypted SMB2 message\n");
 
@@ -560,13 +588,12 @@ NTSTATUS smb2_signing_decrypt_pdu(struct smb2_signing_key *decryption_key,
 {
 	uint8_t *tf;
 	uint16_t flags;
-	int i;
 	size_t a_total;
 	ssize_t m_total;
 	uint32_t msg_size = 0;
 	uint32_t iv_size = 0;
 	uint32_t key_size = 0;
-	uint32_t tag_size = 0;
+	size_t tag_size = 0;
 	uint8_t _key[16] = {0};
 	gnutls_cipher_algorithm_t algo = 0;
 	gnutls_datum_t key;
@@ -652,12 +679,37 @@ NTSTATUS smb2_signing_decrypt_pdu(struct smb2_signing_key *decryption_key,
 		}
 	}
 
+#ifdef HAVE_GNUTLS_AEAD_CIPHER_ENCRYPTV2
+	{
+		giovec_t auth_iov[1];
+
+		auth_iov[0] = (giovec_t) {
+			.iov_base = tf + SMB2_TF_NONCE,
+			.iov_len  = a_total,
+		};
+
+		rc = gnutls_aead_cipher_decryptv2(decryption_key->cipher_hnd,
+						  iv.data,
+						  iv.size,
+						  auth_iov,
+						  1,
+						  &vector[1],
+						  count - 1,
+						  tf + SMB2_TF_SIGNATURE,
+						  tag_size);
+		if (rc < 0) {
+			status = gnutls_error_to_ntstatus(rc, NT_STATUS_INTERNAL_ERROR);
+			goto out;
+		}
+	}
+#else /* HAVE_GNUTLS_AEAD_CIPHER_ENCRYPTV2 */
 	{
 		size_t ctext_size = m_total + tag_size;
 		uint8_t *ctext = NULL;
 		size_t ptext_size = m_total;
 		uint8_t *ptext = NULL;
 		size_t len = 0;
+		int i;
 
 		/* GnuTLS doesn't have a iovec API for decryption yet */
 
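Review bot: gnutls_aead_cipher_decryptv2() works in place on `&vector[1]`, so on the `rc < 0` path the caller's buffers may already hold output that failed tag verification, whereas the fallback block below goes through separate `ctext`/`ptext` allocations. I would add a comment at the `goto out`, e.g. `/* vector[1..] was modified in place; contents are unauthenticated on error */`, and confirm that every caller drops the PDU on a non-OK status without parsing it. It is also worth checking what gnutls_error_to_ntstatus() returns for a tag mismatch, since a bad tag from a peer is an expected condition, not an internal error; that mapping is not visible here. The function continues outside this hunk.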
@@ -723,6 +775,7 @@ NTSTATUS smb2_signing_decrypt_pdu(struct smb2_signing_key *decryption_key,
 		TALLOC_FREE(ptext);
 		TALLOC_FREE(ctext);
 	}
+#endif /* HAVE_GNUTLS_AEAD_CIPHER_ENCRYPTV2 */
 
 	DBG_INFO("Decrypted SMB2 message\n");
 
diff --git a/source4/setup/krb5.conf b/source4/setup/krb5.conf
index b1bf6cf907d..ad6f2818fb5 100644
--- a/source4/setup/krb5.conf
+++ b/source4/setup/krb5.conf
@@ -2,3 +2,11 @@
 	default_realm = ${REALM}
 	dns_lookup_realm = false
 	dns_lookup_kdc = true
+
+[realms]
+${REALM} = {
+	default_domain = ${DNSDOMAIN}
+}
+
+[domain_realm]
+	${HOSTNAME} = ${REALM}
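Review bot: The `[domain_realm]` entry maps only `${HOSTNAME}`, and the template does not say whether that substitutes a short name or a fully qualified one. MIT krb5 matches domain_realm keys against lowercase host names or dot-prefixed domain names, so a short or mixed-case value would probably never match. A comment such as `# ${HOSTNAME} is expected to expand to the lowercase FQDN of this DC` above the entry, or an additional `.${DNSDOMAIN} = ${REALM}` mapping, would make the intent explicit. With `dns_lookup_realm = false` there is no DNS fallback for hosts this section misses.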
diff --git a/wscript_configure_system_gnutls b/wscript_configure_system_gnutls
index f71fd4fb97f..f6d9ac3c65e 100644
--- a/wscript_configure_system_gnutls
+++ b/wscript_configure_system_gnutls
@@ -15,6 +15,9 @@ conf.SET_TARGET_TYPE('gnutls', 'SYSLIB')
 # Check for gnutls_pkcs7_get_embedded_data_oid (>= 3.5.5) required by libmscat
 conf.CHECK_FUNCS_IN('gnutls_pkcs7_get_embedded_data_oid', 'gnutls')
 
+# Check for gnutls_aead_cipher_encryptv2 (>= 3.6.10)
+conf.CHECK_FUNCS_IN('gnutls_aead_cipher_encryptv2', 'gnutls')
+
 if conf.CHECK_VALUEOF('GNUTLS_CIPHER_AES_128_CFB8', headers='gnutls/gnutls.h'):
     conf.DEFINE('HAVE_GNUTLS_AES_CFB8', 1)
 else:
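Review bot: Only gnutls_aead_cipher_encryptv2 is probed here, but the resulting HAVE_GNUTLS_AEAD_CIPHER_ENCRYPTV2 define also gates the call to gnutls_aead_cipher_decryptv2() in libcli/smb/smb2_signing.c. The commit messages describe both calls as new in GnuTLS 3.6.10, so this works in practice, but the dependency is implicit. Either say so in the comment, `# Check for gnutls_aead_cipher_encryptv2 (>= 3.6.10); also implies gnutls_aead_cipher_decryptv2`, or add `conf.CHECK_FUNCS_IN('gnutls_aead_cipher_decryptv2', 'gnutls')` and guard the decrypt path with its own define. The if/else that follows continues outside the hunk.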


-- 
Samba Shared Repository


