[SCM] Samba Shared Repository - branch master updated
Andrew Bartlett
abartlet at samba.org
Thu Mar 19 22:24:02 UTC 2020
The branch, master has been updated
via 2321b11f1fc s4/param: py_sid shouldn't be decref'ed after insertion into dict
via 9e84f1e5767 s4/param: treat NULL value passed to dict_insert as error
via 32d56271eb7 s4/param: don't decref object we don't own
via e10910f8de5 bootstrap: Bring back a Ubuntu 16.04 build but just for the samba-fuzz task
via ee5c07cb0f1 build: Allow a fuzzing build with Python 3.5
via 5406205382f python/samba/gp_parse: Fix test errors with python3.8
via ff70d7cc3ae tests: Add test for weak crypto
via 0b84bc03e81 waf: Check if GnuTLS has support for crypto policies
via 32f83be8f63 auth:ntlmssp: Mark as weak_crypto
via 6ada071d620 gensec: Add a check if a gensec module implements weak crypto
via 7d09c1cc877 lib:param: Add lp(cfg)_weak_crypto()
via 3d1ecef173a s3:utils: Add weak crypto information to testparm
via cb034a9f601 lib:crypto: Add samba_gnutls_weak_crypto()
from 81c1a14e327 smbd: let delayed update handler also update on-disk timestamps
https://git.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit 2321b11f1fcde41d58d3381437118b8b726ab6d5
Author: Noel Power <noel.power at suse.com>
Date: Mon Mar 16 16:00:24 2020 +0000
s4/param: py_sid shouldn't be decref'ed after insertion into dict
This was causing samba.tests.net_join_no_spnego(ad_dc) to
core dump sometimes on tumbleweed with python3.8
with...
===============================================================
INTERNAL ERROR: Signal 11 in pid 1781 (4.12.0)
If you are running a recent Samba version, and if you think this problem is not yet fixed in the latest versions, please consider reporting this bug, see https://wiki.samba.org/index.php/Bug_Reporting
===============================================================
smb_panic_default: PANIC (pid 1781): internal error
BACKTRACE: 64 stack frames:
7128 #0 bin/shared/libsamba-util.so.0(log_stack_trace+0x1f) [0x7fa541c5b220]
7129 #1 bin/shared/libsamba-util.so.0(+0x1efc8) [0x7fa541c5afc8]
7130 #2 bin/shared/libsamba-util.so.0(log_stack_trace+0) [0x7fa541c5b201]
7131 #3 bin/shared/libsamba-util.so.0(+0x1eed9) [0x7fa541c5aed9]
7132 #4 bin/shared/libsamba-util.so.0(+0x1eeee) [0x7fa541c5aeee]
7133 #5 /lib64/libc.so.6(+0x3bf20) [0x7fa542631f20]
7134 #6 /usr/lib64/libpython3.8.so.1.0(PyObject_GC_UnTrack+0xd) [0x7fa542386c1d]
7135 #7 /usr/lib64/libpython3.8.so.1.0(+0x12d599) [0x7fa542387599]
7136 #8 /usr/lib64/libpython3.8.so.1.0(_PyEval_EvalFrameDefault+0x4d6d) [0x7fa5424269ed]
7137 #9 /usr/lib64/libpython3.8.so.1.0(_PyEval_EvalCodeWithName+0x30c) [0x7fa5423eaf5c]
7138 #10 /usr/lib64/libpython3.8.so.1.0(_PyFunction_Vectorcall+0x18e) [0x7fa5423ebcbe]
7139 #11 /usr/lib64/libpython3.8.so.1.0(_PyEval_EvalFrameDefault+0x4a3a) [0x7fa5424266ba]
etc....
Signed-off-by: Noel Power <noel.power at suse.com>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
Autobuild-Date(master): Thu Mar 19 22:23:52 UTC 2020 on sn-devel-184
commit 9e84f1e5767c23c0e75a0954ac9c3668d18baa30
Author: Noel Power <noel.power at suse.com>
Date: Mon Mar 16 15:54:00 2020 +0000
s4/param: treat NULL value passed to dict_insert as error
insert_dict is used as a convenience to decrement the values to
prevent leaks with orphaned PyObjects and avoid excessive creation of
temp variables.
if (!dict_insert(parameters,
"rootdn",
PyUnicode_FromString(settings->root_dn_str))) {
status = NT_STATUS_UNSUCCESSFUL;
goto out;
}
Signed-off-by: Noel Power <noel.power at suse.com>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 32d56271eb7ebf694c08c226c80fdf97a885fe46
Author: Noel Power <noel.power at suse.com>
Date: Mon Mar 16 15:27:15 2020 +0000
s4/param: don't decref object we don't own
provision_fn is a borrowed reference; we should not
call Py_CLEAR on it.
Signed-off-by: Noel Power <noel.power at suse.com>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit e10910f8de542b0be9b89942791bd37288b7a32a
Author: Andrew Bartlett <abartlet at samba.org>
Date: Tue Mar 17 16:49:02 2020 +1300
bootstrap: Bring back a Ubuntu 16.04 build but just for the samba-fuzz task
This is needed to restore oss-fuzz support, as this uses the Ubuntu 16.04 package list
because all the docker images provided start with a Ubuntu 16.04 base.
REF: https://github.com/google/oss-fuzz/issues/3505
REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=21189
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Gary Lockyer <gary at catalyst.net.nz>
commit ee5c07cb0f1c85a56a3f330a692b1b04553213cc
Author: Andrew Bartlett <abartlet at samba.org>
Date: Tue Mar 17 17:07:02 2020 +1300
build: Allow a fuzzing build with Python 3.5
The Python 3.6 changes are only in actual .py files, not in the build system
nor the C side of things, so relax this so we can still build on oss-fuzz
which is based on Ubuntu 16.04 for now.
REF: https://github.com/google/oss-fuzz/issues/3505
REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=21189
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Gary Lockyer <gary at catalyst.net.nz>
commit 5406205382fa8177ea0993a5b0996dc5e7cb5abe
Author: Noel Power <noel.power at suse.com>
Date: Fri Mar 13 17:32:20 2020 +0000
python/samba/gp_parse: Fix test errors with python3.8
UNEXPECTED(failure): samba.tests.samba_tool.gpo.samba.tests.samba_tool.gpo.GpoCmdTestCase.test_backup_restore_generalize(ad_dc:local)
REASON: Exception: Exception: Traceback (most recent call last):
File "/tmp/samba-testbase/b28/samba-ad-dc-1/bin/python/samba/tests/samba_tool/gpo.py", line 434, in test_backup_restore_generalize
self.assertIsNone(has_difference(os.path.join(new_path, 'policy',
This is caused because prior to 3.8 minidom.toprettyxml() was sorting the
attribute order; now it preserves the attribute order specified by the user.
Signed-off-by: Noel Power <noel.power at suse.com>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit ff70d7cc3ae60a0e6868f95357ee486ed7491e9a
Author: Andreas Schneider <asn at samba.org>
Date: Wed Mar 11 18:35:57 2020 +0100
tests: Add test for weak crypto
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 0b84bc03e819938422e66fb278eb2e4d15efa8d2
Author: Andreas Schneider <asn at samba.org>
Date: Thu Mar 12 07:13:00 2020 +0100
waf: Check if GnuTLS has support for crypto policies
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 32f83be8f63c8df34e0d82c4575babaa132765dc
Author: Andreas Schneider <asn at samba.org>
Date: Mon Nov 11 16:39:24 2019 +0100
auth:ntlmssp: Mark as weak_crypto
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 6ada071d6208addcff21bbbba4f757ac2e63e66f
Author: Andreas Schneider <asn at samba.org>
Date: Wed Dec 11 17:45:39 2019 +0100
gensec: Add a check if a gensec module implements weak crypto
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 7d09c1cc8771d0822480f90b77b9f883d67b5658
Author: Andreas Schneider <asn at samba.org>
Date: Mon Nov 4 17:15:14 2019 +0100
lib:param: Add lp(cfg)_weak_crypto()
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 3d1ecef173a372474c86d3fe8cd42c2f2e69185d
Author: Andreas Schneider <asn at samba.org>
Date: Mon Nov 4 17:26:48 2019 +0100
s3:utils: Add weak crypto information to testparm
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit cb034a9f60189806d5def2502ed39b06f002ed4a
Author: Andreas Schneider <asn at samba.org>
Date: Mon Nov 4 17:01:50 2019 +0100
lib:crypto: Add samba_gnutls_weak_crypto()
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
-----------------------------------------------------------------------
Summary of changes:
.gitlab-ci.yml | 3 +-
auth/gensec/gensec_internal.h | 1 +
auth/gensec/gensec_start.c | 13 +++++-
auth/ntlmssp/ntlmssp.c | 2 +
bootstrap/.gitlab-ci.yml | 11 ++++-
bootstrap/config.py | 11 +++++
bootstrap/generated-dists/Vagrantfile | 7 +++
.../{debian10 => ubuntu1604}/Dockerfile | 2 +-
.../{ubuntu1804 => ubuntu1604}/bootstrap.sh | 4 +-
.../{centos7 => ubuntu1604}/locale.sh | 0
.../{ubuntu1804 => ubuntu1604}/packages.yml | 4 +-
bootstrap/sha1sum.txt | 2 +-
buildtools/wafsamba/samba_python.py | 3 ++
lib/crypto/gnutls_helpers.h | 7 +++
.../gnutls_weak_crypto.c} | 50 ++++++++++------------
lib/crypto/wscript_build | 1 +
lib/param/loadparm.c | 15 +++++++
lib/param/loadparm.h | 10 ++++-
lib/param/wscript_build | 2 +-
python/samba/gp_parse/gp_pol.py | 2 +-
source3/include/proto.h | 1 +
source3/param/loadparm.c | 14 ++++++
source3/utils/testparm.c | 9 ++++
source3/utils/wscript_build | 1 +
source4/param/provision.c | 14 +++---
source4/selftest/tests.py | 5 +++
testprogs/blackbox/test_weak_crypto.sh | 41 ++++++++++++++++++
wscript_configure_system_gnutls | 4 ++
28 files changed, 188 insertions(+), 51 deletions(-)
copy bootstrap/generated-dists/{debian10 => ubuntu1604}/Dockerfile (91%)
copy bootstrap/generated-dists/{ubuntu1804 => ubuntu1604}/bootstrap.sh (95%)
copy bootstrap/generated-dists/{centos7 => ubuntu1604}/locale.sh (100%)
copy bootstrap/generated-dists/{ubuntu1804 => ubuntu1604}/packages.yml (94%)
copy lib/{util/talloc_keep_secret.c => crypto/gnutls_weak_crypto.c} (56%)
create mode 100755 testprogs/blackbox/test_weak_crypto.sh
Changeset truncated at 500 lines:
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 6114ccced99..05f410bde3d 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -22,7 +22,7 @@ variables:
# Set this to the contents of bootstrap/sha1sum.txt
# which is generated by bootstrap/template.py --render
#
- SAMBA_CI_CONTAINER_TAG: 2b0275df23424240774afcd61fae8abed8663996
+ SAMBA_CI_CONTAINER_TAG: 6bb2eeaf8203467d9a93a722071b0f081027410e
#
# We use the ubuntu1804 image as default as
# it matches what we have on sn-devel-184.
@@ -154,6 +154,7 @@ samba-static:
samba-fuzz:
extends: .shared_template
+ image: ${SAMBA_CI_CONTAINER_REGISTRY}/samba-ci-ubuntu1604:${SAMBA_CI_CONTAINER_TAG}
ctdb:
extends: .shared_template
diff --git a/auth/gensec/gensec_internal.h b/auth/gensec/gensec_internal.h
index 911b48b52d6..8efb1bdff0f 100644
--- a/auth/gensec/gensec_internal.h
+++ b/auth/gensec/gensec_internal.h
@@ -28,6 +28,7 @@ struct gensec_security;
struct gensec_security_ops {
const char *name;
const char *sasl_name;
+ bool weak_crypto;
uint8_t auth_type; /* 0 if not offered on DCE-RPC */
const char **oid; /* NULL if not offered by SPNEGO */
NTSTATUS (*client_start)(struct gensec_security *gensec_security);
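Review bot: the new `bool weak_crypto;` member is the only field in this struct without a trailing comment, while `auth_type` and `oid` on the following lines document their "not offered" default. Static `gensec_security_ops` initialisers that omit the field get `false`, so say so explicitly, e.g. `bool weak_crypto; /* true if the module relies on algorithms the GnuTLS policy may block; omitted = false */`, so module authors know the filter in gensec_security_ops_enabled() is opt-in.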
diff --git a/auth/gensec/gensec_start.c b/auth/gensec/gensec_start.c
index 50f4de73110..d2d62d6652e 100644
--- a/auth/gensec/gensec_start.c
+++ b/auth/gensec/gensec_start.c
@@ -32,6 +32,7 @@
#include "lib/util/tsort.h"
#include "lib/util/samba_modules.h"
#include "lib/util/base64.h"
+#include "lib/crypto/gnutls_helpers.h"
#undef DBGC_CLASS
#define DBGC_CLASS DBGC_AUTH
@@ -49,7 +50,17 @@ _PUBLIC_ const struct gensec_security_ops * const *gensec_security_all(void)
bool gensec_security_ops_enabled(const struct gensec_security_ops *ops, struct gensec_security *security)
{
- return lpcfg_parm_bool(security->settings->lp_ctx, NULL, "gensec", ops->name, ops->enabled);
+ bool ok = lpcfg_parm_bool(security->settings->lp_ctx,
+ NULL,
+ "gensec",
+ ops->name,
+ ops->enabled);
+
+ if (!samba_gnutls_weak_crypto_allowed() && ops->weak_crypto) {
+ ok = false;
+ }
+
+ return ok;
}
/* Sometimes we want to force only kerberos, sometimes we want to
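Review bot: `samba_gnutls_weak_crypto_allowed()` is called unconditionally on every `gensec_security_ops_enabled()` call, and (per lib/crypto/gnutls_weak_crypto.c in this changeset) it initialises and tears down a GnuTLS cipher each time. The same series adds a cached `lpcfg_weak_crypto(lp_ctx)` in lib/param/loadparm.c; writing the check as `if (ops->weak_crypto && lpcfg_weak_crypto(security->settings->lp_ctx) == SAMBA_WEAK_CRYPTO_DISALLOWED)` avoids the repeated probe and, by testing `ops->weak_crypto` first, skips the call entirely for modules that are not marked.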
diff --git a/auth/ntlmssp/ntlmssp.c b/auth/ntlmssp/ntlmssp.c
index 37434fbb0c2..745f2628d21 100644
--- a/auth/ntlmssp/ntlmssp.c
+++ b/auth/ntlmssp/ntlmssp.c
@@ -305,6 +305,7 @@ static const struct gensec_security_ops gensec_ntlmssp_security_ops = {
.name = "ntlmssp",
.sasl_name = GENSEC_SASL_NAME_NTLMSSP, /* "NTLM" */
.auth_type = DCERPC_AUTH_TYPE_NTLMSSP,
+ .weak_crypto = true,
.oid = gensec_ntlmssp_oids,
.client_start = gensec_ntlmssp_client_start,
.server_start = gensec_ntlmssp_server_start,
@@ -329,6 +330,7 @@ static const struct gensec_security_ops gensec_ntlmssp_security_ops = {
static const struct gensec_security_ops gensec_ntlmssp_resume_ccache_ops = {
.name = "ntlmssp_resume_ccache",
+ .weak_crypto = true,
.client_start = gensec_ntlmssp_resume_ccache_start,
.update_send = gensec_ntlmssp_update_send,
.update_recv = gensec_ntlmssp_update_recv,
diff --git a/bootstrap/.gitlab-ci.yml b/bootstrap/.gitlab-ci.yml
index 4e52da09dcc..ecd9f4d4223 100644
--- a/bootstrap/.gitlab-ci.yml
+++ b/bootstrap/.gitlab-ci.yml
@@ -9,6 +9,7 @@ services:
- gce
variables:
SAMBA_CI_IS_BROKEN_IMAGE: "no"
+ SAMBA_CI_TEST_JOB: "samba-o3"
before_script:
# Ensure we are generating correct the container
- uname -a
@@ -40,9 +41,9 @@ services:
docker run --volume $(pwd):${samba_repo_root} --workdir ${samba_repo_root} ${ci_image_name} \
bootstrap/template.py --sha1sum > /tmp/sha1sum-template.txt
diff -u bootstrap/sha1sum.txt /tmp/sha1sum-template.txt
- # run smoke test with samba-o3
+ # run smoke test with samba-o3 or samba-fuzz
docker run --volume $(pwd):${samba_repo_root} --workdir ${samba_repo_root} ${ci_image_name} \
- /bin/bash -c "sudo chown -R samba:samba ./** && export PKG_CONFIG_PATH=/usr/lib64/compat-gnutls34/pkgconfig:/usr/lib64/compat-nettle32/pkgconfig && script/autobuild.py samba-o3 --verbose --nocleanup --keeplogs --tail --testbase /tmp/samba-testbase"
+ /bin/bash -c "sudo chown -R samba:samba ./** && export PKG_CONFIG_PATH=/usr/lib64/compat-gnutls34/pkgconfig:/usr/lib64/compat-nettle32/pkgconfig && script/autobuild.py ${SAMBA_CI_TEST_JOB} --verbose --nocleanup --keeplogs --tail --testbase /tmp/samba-testbase"
docker tag ${ci_image_name} ${ci_image_path}:${SAMBA_CI_CONTAINER_TAG}
docker tag ${ci_image_name} ${ci_image_path}:${timestamp_tag}
# We build all images, but only upload is it's not marked as broken
@@ -83,6 +84,12 @@ services:
#
- $SAMBA_CI_REBUILD_BROKEN_IMAGES == "yes"
+# This is ONLY for oss-fuzz, so we test a fuzz build not a real one
+ubuntu1604:
+ extends: .build_image_template
+ variables:
+ SAMBA_CI_TEST_JOB: "samba-fuzz"
+
ubuntu1804:
extends: .build_image_template
diff --git a/bootstrap/config.py b/bootstrap/config.py
index 19a2cf08b9d..ff9bb150672 100644
--- a/bootstrap/config.py
+++ b/bootstrap/config.py
@@ -382,6 +382,17 @@ DEB_DISTS = {
'liburing-dev': '', # not available
}
},
+ 'ubuntu1604': {
+ 'docker_image': 'ubuntu:16.04',
+ 'vagrant_box': 'ubuntu/xenial64',
+ 'replace': {
+ 'python-gpg': 'python-gpgme',
+ 'python3-gpg': 'python3-gpgme',
+ 'glusterfs-common': '',
+ 'libcephfs-dev': '',
+ 'liburing-dev': '', # not available
+ }
+ },
'ubuntu1804': {
'docker_image': 'ubuntu:18.04',
'vagrant_box': 'ubuntu/bionic64',
diff --git a/bootstrap/generated-dists/Vagrantfile b/bootstrap/generated-dists/Vagrantfile
index 091c65488cb..47c58d5a87b 100644
--- a/bootstrap/generated-dists/Vagrantfile
+++ b/bootstrap/generated-dists/Vagrantfile
@@ -66,6 +66,13 @@ Vagrant.configure("2") do |config|
v.vm.provision :shell, path: "opensuse151/locale.sh"
end
+ config.vm.define "ubuntu1604" do |v|
+ v.vm.box = "ubuntu/xenial64"
+ v.vm.hostname = "ubuntu1604"
+ v.vm.provision :shell, path: "ubuntu1604/bootstrap.sh"
+ v.vm.provision :shell, path: "ubuntu1604/locale.sh"
+ end
+
config.vm.define "ubuntu1804" do |v|
v.vm.box = "ubuntu/bionic64"
v.vm.hostname = "ubuntu1804"
diff --git a/bootstrap/generated-dists/debian10/Dockerfile b/bootstrap/generated-dists/ubuntu1604/Dockerfile
similarity index 91%
copy from bootstrap/generated-dists/debian10/Dockerfile
copy to bootstrap/generated-dists/ubuntu1604/Dockerfile
index a7141db7e17..93001fcdcca 100644
--- a/bootstrap/generated-dists/debian10/Dockerfile
+++ b/bootstrap/generated-dists/ubuntu1604/Dockerfile
@@ -3,7 +3,7 @@
# See also bootstrap/config.py
#
-FROM debian:10
+FROM ubuntu:16.04
# pass in with --build-arg while build
ARG SHA1SUM
diff --git a/bootstrap/generated-dists/ubuntu1804/bootstrap.sh b/bootstrap/generated-dists/ubuntu1604/bootstrap.sh
similarity index 95%
copy from bootstrap/generated-dists/ubuntu1804/bootstrap.sh
copy to bootstrap/generated-dists/ubuntu1604/bootstrap.sh
index 97d32815d72..a8f47762ded 100755
--- a/bootstrap/generated-dists/ubuntu1804/bootstrap.sh
+++ b/bootstrap/generated-dists/ubuntu1604/bootstrap.sh
@@ -29,7 +29,6 @@ apt-get -y install \
gcc \
gdb \
git \
- glusterfs-common \
gzip \
heimdal-multidev \
hostname \
@@ -46,7 +45,6 @@ apt-get -y install \
libblkid-dev \
libbsd-dev \
libcap-dev \
- libcephfs-dev \
libcups2-dev \
libdbus-1-dev \
libglib2.0-dev \
@@ -85,7 +83,7 @@ apt-get -y install \
python3-dbg \
python3-dev \
python3-dnspython \
- python3-gpg \
+ python3-gpgme \
python3-iso8601 \
python3-markdown \
python3-matplotlib \
diff --git a/bootstrap/generated-dists/centos7/locale.sh b/bootstrap/generated-dists/ubuntu1604/locale.sh
similarity index 100%
copy from bootstrap/generated-dists/centos7/locale.sh
copy to bootstrap/generated-dists/ubuntu1604/locale.sh
diff --git a/bootstrap/generated-dists/ubuntu1804/packages.yml b/bootstrap/generated-dists/ubuntu1604/packages.yml
similarity index 94%
copy from bootstrap/generated-dists/ubuntu1804/packages.yml
copy to bootstrap/generated-dists/ubuntu1604/packages.yml
index f45deb2c808..c3cd9af9c3e 100644
--- a/bootstrap/generated-dists/ubuntu1804/packages.yml
+++ b/bootstrap/generated-dists/ubuntu1604/packages.yml
@@ -18,7 +18,6 @@ packages:
- gcc
- gdb
- git
- - glusterfs-common
- gzip
- heimdal-multidev
- hostname
@@ -35,7 +34,6 @@ packages:
- libblkid-dev
- libbsd-dev
- libcap-dev
- - libcephfs-dev
- libcups2-dev
- libdbus-1-dev
- libglib2.0-dev
@@ -74,7 +72,7 @@ packages:
- python3-dbg
- python3-dev
- python3-dnspython
- - python3-gpg
+ - python3-gpgme
- python3-iso8601
- python3-markdown
- python3-matplotlib
diff --git a/bootstrap/sha1sum.txt b/bootstrap/sha1sum.txt
index 7344075d11d..1c9d01d5e7d 100644
--- a/bootstrap/sha1sum.txt
+++ b/bootstrap/sha1sum.txt
@@ -1 +1 @@
-2b0275df23424240774afcd61fae8abed8663996
+6bb2eeaf8203467d9a93a722071b0f081027410e
diff --git a/buildtools/wafsamba/samba_python.py b/buildtools/wafsamba/samba_python.py
index 994190fdeb2..d71ce47a831 100644
--- a/buildtools/wafsamba/samba_python.py
+++ b/buildtools/wafsamba/samba_python.py
@@ -10,6 +10,9 @@ def SAMBA_CHECK_PYTHON(conf, version=(3,6,0)):
if conf.env.disable_python:
version=(2,6,0)
+ if conf.env.enable_fuzzing:
+ version=(3,5,0)
+
# enable tool to build python extensions
if conf.env.HAVE_PYTHON_H:
conf.check_python_version(version)
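Review bot: the new `if conf.env.enable_fuzzing:` block is not chained to the preceding `if conf.env.disable_python:`, so a configure run with both flags set ends up with `version=(3,5,0)` rather than `(2,6,0)`. If the relaxation is only meant for builds that keep Python, make it `elif conf.env.enable_fuzzing:`; in either case a one-line comment recording why 3.5 is accepted here (the oss-fuzz Ubuntu 16.04 base named in the commit message) would stop someone raising it back to 3.6 later.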
diff --git a/lib/crypto/gnutls_helpers.h b/lib/crypto/gnutls_helpers.h
index 49689e4c860..e74dcc833f2 100644
--- a/lib/crypto/gnutls_helpers.h
+++ b/lib/crypto/gnutls_helpers.h
@@ -108,4 +108,11 @@ int samba_gnutls_arcfour_confounded_md5(const DATA_BLOB *key_input1,
DATA_BLOB *data,
enum samba_gnutls_direction encrypt);
+/**
+ * @brief Check if weak crypto is allowed.
+ *
+ * @return true if weak crypo is allowed, false otherwise.
+ */
+bool samba_gnutls_weak_crypto_allowed(void);
+
#endif /* _GNUTLS_HELPERS_H */
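Review bot: typo in the new doc comment: `true if weak crypo is allowed` should read `weak crypto`. It would also help callers to state what "weak crypto" means here, i.e. whether the system GnuTLS crypto policy still permits RC4, since that is exactly what the implementation probes.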
diff --git a/lib/util/talloc_keep_secret.c b/lib/crypto/gnutls_weak_crypto.c
similarity index 56%
copy from lib/util/talloc_keep_secret.c
copy to lib/crypto/gnutls_weak_crypto.c
index d6aa38265f6..68ce588243f 100644
--- a/lib/util/talloc_keep_secret.c
+++ b/lib/crypto/gnutls_weak_crypto.c
@@ -16,37 +16,33 @@
*/
#include "includes.h"
-#include "talloc_keep_secret.h"
+#include "lib/crypto/gnutls_helpers.h"
-static int talloc_keep_secret_destructor(void *ptr)
-{
- size_t size = talloc_get_size(ptr);
-
- if (unlikely(size == 0)) {
- return 0;
- }
-
- memset_s(ptr, size, 0, size);
+#include <gnutls/crypto.h>
+#include <gnutls/gnutls.h>
- return 0;
-}
-
-void _talloc_keep_secret(void *ptr, const char *name)
+bool samba_gnutls_weak_crypto_allowed(void)
{
- size_t size;
-
- if (unlikely(ptr == NULL)) {
-#ifdef DEVELOPER
- smb_panic("Invalid talloc pointer");
-#endif
- return;
+ gnutls_cipher_hd_t cipher_hnd = NULL;
+ gnutls_datum_t key = {
+ .data = discard_const_p(unsigned char, "SystemLibraryDTC"),
+ .size = 16,
+ };
+ int rc;
+
+ /*
+ * If RC4 is not allowed to be initialzed then weak crypto is not
+ * allowed.
+ */
+ rc = gnutls_cipher_init(&cipher_hnd,
+ GNUTLS_CIPHER_ARCFOUR_128,
+ &key,
+ NULL);
+ if (rc == GNUTLS_E_UNWANTED_ALGORITHM) {
+ return false;
}
- size = talloc_get_size(ptr);
- if (unlikely(size == 0)) {
- return;
- }
+ gnutls_cipher_deinit(cipher_hnd);
- talloc_set_name_const(ptr, name);
- talloc_set_destructor(ptr, talloc_keep_secret_destructor);
+ return true;
}
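Review bot: `samba_gnutls_weak_crypto_allowed()` fails open. Only `GNUTLS_E_UNWANTED_ALGORITHM` returns `false`; any other non-zero `rc` from `gnutls_cipher_init()` (an allocation failure, for instance) falls through to `gnutls_cipher_deinit(cipher_hnd)` on a handle that was never initialised and then returns `true`. Suggest `if (rc != GNUTLS_E_SUCCESS) { return false; }` so that an unexpected error disallows weak crypto rather than enabling it, and only deinit on the success path. Also fix `initialzed` in the comment.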
diff --git a/lib/crypto/wscript_build b/lib/crypto/wscript_build
index eb67af63f26..e5766042541 100644
--- a/lib/crypto/wscript_build
+++ b/lib/crypto/wscript_build
@@ -10,6 +10,7 @@ bld.SAMBA_SUBSYSTEM('GNUTLS_HELPERS',
source='''
gnutls_error.c
gnutls_arcfour_confounded_md5.c
+ gnutls_weak_crypto.c
''',
deps='gnutls samba-errors');
diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c
index 611c1b240af..4bee921e3c7 100644
--- a/lib/param/loadparm.c
+++ b/lib/param/loadparm.c
@@ -72,6 +72,7 @@
#include "libds/common/roles.h"
#include "lib/util/samba_util.h"
#include "libcli/auth/ntlm_check.h"
+#include "lib/crypto/gnutls_helpers.h"
#ifdef HAVE_HTTPCONNECTENCRYPT
#include <cups/http.h>
@@ -96,6 +97,19 @@ int lpcfg_rpc_high_port(struct loadparm_context *lp_ctx)
return lp_ctx->globals->rpc_high_port;
}
+enum samba_weak_crypto lpcfg_weak_crypto(struct loadparm_context *lp_ctx)
+{
+ if (lp_ctx->globals->weak_crypto == SAMBA_WEAK_CRYPTO_UNKNOWN) {
+ lp_ctx->globals->weak_crypto = SAMBA_WEAK_CRYPTO_DISALLOWED;
+
+ if (samba_gnutls_weak_crypto_allowed()) {
+ lp_ctx->globals->weak_crypto = SAMBA_WEAK_CRYPTO_ALLOWED;
+ }
+ }
+
+ return lp_ctx->globals->weak_crypto;
+}
+
/**
* Convenience routine to grab string parameters into temporary memory
* and run standard_sub_basic on them.
@@ -2607,6 +2621,7 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx)
lp_ctx->globals->ctx = lp_ctx->globals;
lp_ctx->globals->rpc_low_port = SERVER_TCP_LOW_PORT;
lp_ctx->globals->rpc_high_port = SERVER_TCP_HIGH_PORT;
+ lp_ctx->globals->weak_crypto = SAMBA_WEAK_CRYPTO_UNKNOWN;
lp_ctx->sDefault = talloc_zero(lp_ctx, struct loadparm_service);
lp_ctx->flags = talloc_zero_array(lp_ctx, unsigned int, num_parameters());
diff --git a/lib/param/loadparm.h b/lib/param/loadparm.h
index 65ff62cc3b9..323fcf84523 100644
--- a/lib/param/loadparm.h
+++ b/lib/param/loadparm.h
@@ -255,6 +255,13 @@ enum spotlight_backend_options {
SPOTLIGHT_BACKEND_ES,
};
+/* FIPS values */
+enum samba_weak_crypto {
+ SAMBA_WEAK_CRYPTO_UNKNOWN,
+ SAMBA_WEAK_CRYPTO_ALLOWED,
+ SAMBA_WEAK_CRYPTO_DISALLOWED,
+};
+
/*
* Default passwd chat script.
*/
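Review bot: the comment `/* FIPS values */` above `enum samba_weak_crypto` does not describe the enum: its three values record whether weak crypto is unknown, allowed or disallowed, and that state is derived from the GnuTLS crypto policy in lpcfg_weak_crypto(), not from a FIPS setting. Rename it to something like `/* Whether the crypto policy permits weak algorithms; see lpcfg_weak_crypto() */` so it is not mistaken for a FIPS mode flag.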
@@ -292,7 +299,8 @@ enum spotlight_backend_options {
struct parmlist_entry *param_opt; \
char *dnsdomain; \
int rpc_low_port; \
- int rpc_high_port;
+ int rpc_high_port; \
+ enum samba_weak_crypto weak_crypto;
const char* server_role_str(uint32_t role);
int lp_find_server_role(int server_role, int security, int domain_logons, int domain_master);
diff --git a/lib/param/wscript_build b/lib/param/wscript_build
index 20c8bcab22a..864975a5884 100644
--- a/lib/param/wscript_build
+++ b/lib/param/wscript_build
@@ -40,7 +40,7 @@ bld.SAMBA_LIBRARY('samba-hostconfig',
pc_files='samba-hostconfig.pc',
vnum='0.0.1',
deps='DYNCONFIG server-role tdb',
- public_deps='samba-util param_local.h',
+ public_deps='GNUTLS_HELPERS samba-util param_local.h',
public_headers='param.h',
autoproto='param_proto.h'
)
diff --git a/python/samba/gp_parse/gp_pol.py b/python/samba/gp_parse/gp_pol.py
index 67ecd584dc0..8a3d5f58ec1 100644
--- a/python/samba/gp_parse/gp_pol.py
+++ b/python/samba/gp_parse/gp_pol.py
@@ -101,9 +101,9 @@ class GPPolParser(GPParser):
def write_xml(self, filename):
with open(filename, 'wb') as f:
root = Element('PolFile')
+ root.attrib['num_entries'] = str(self.pol_file.num_entries)
root.attrib['signature'] = self.pol_file.header.signature
root.attrib['version'] = str(self.pol_file.header.version)
- root.attrib['num_entries'] = str(self.pol_file.num_entries)
for entry in self.pol_file.entries:
child = SubElement(root, 'Entry')
# child.attrib['size'] = str(entry.size)
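Review bot: the move of `num_entries` above `signature` and `version` is deliberate (the commit message explains that Python 3.8's minidom no longer sorts attributes, so insertion order now determines output and alphabetical insertion keeps it identical across versions), but nothing in the code says so. Add a comment above these three lines such as `# keep attributes alphabetical: minidom < 3.8 sorted them, >= 3.8 preserves insertion order`, otherwise a later cleanup may move them back and reintroduce the test failure.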
diff --git a/source3/include/proto.h b/source3/include/proto.h
index 6ac70a22beb..6ac0c3d1935 100644
--- a/source3/include/proto.h
+++ b/source3/include/proto.h
@@ -765,6 +765,7 @@ bool lp_widelinks(int );
int lp_rpc_low_port(void);
int lp_rpc_high_port(void);
bool lp_lanman_auth(void);
+enum samba_weak_crypto lp_weak_crypto(void);
int lp_wi_scan_global_parametrics(
const char *regex, size_t max_matches,
diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
index ce41477097a..5a2c9983b47 100644
--- a/source3/param/loadparm.c
+++ b/source3/param/loadparm.c
@@ -73,6 +73,7 @@
#include "librpc/gen_ndr/nbt.h"
#include "source4/lib/tls/tls.h"
#include "libcli/auth/ntlm_check.h"
+#include "lib/crypto/gnutls_helpers.h"
#ifdef HAVE_SYS_SYSCTL_H
#include <sys/sysctl.h>
@@ -4736,3 +4737,16 @@ unsigned int * get_flags(void)
return flags_list;
}
+
+enum samba_weak_crypto lp_weak_crypto()
+{
+ if (Globals.weak_crypto == SAMBA_WEAK_CRYPTO_UNKNOWN) {
+ Globals.weak_crypto = SAMBA_WEAK_CRYPTO_DISALLOWED;
+
+ if (samba_gnutls_weak_crypto_allowed()) {
+ Globals.weak_crypto = SAMBA_WEAK_CRYPTO_ALLOWED;
+ }
+ }
+
+ return Globals.weak_crypto;
+}
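Review bot: `enum samba_weak_crypto lp_weak_crypto()` is defined with empty parentheses while source3/include/proto.h in this same changeset declares it as `lp_weak_crypto(void)`; use `(void)` in the definition so prototype and definition agree. The body also duplicates `lpcfg_weak_crypto()` from lib/param/loadparm.c line for line; a small shared helper that takes the cached `enum samba_weak_crypto *` and fills it from `samba_gnutls_weak_crypto_allowed()` would keep the two caches from drifting apart.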
diff --git a/source3/utils/testparm.c b/source3/utils/testparm.c
--
Samba Shared Repository