[SCM] Samba Shared Repository - branch master updated
Andreas Schneider
asn at samba.org
Mon Nov 9 10:23:02 UTC 2020
The branch, master has been updated
via b8913401304 sefltest: Enable the dcerpc.createtrustrelax test against ad_dc_fips
via c75dd1ea178 s4:rpc_server: Allow to use RC4 for creating trusts
via 4425f2c113a s3:rpc_server: Allow to use RC4 for creating trusts
via c93ccebdfed s4:rpc_server: Use gnutls_cipher_decrypt() in get_trustdom_auth_blob()
via 6c11e5f42ba s3:rpc_server: Use gnutls_cipher_decrypt() in get_trustdom_auth_blob()
from e5e1759057a s3: spoolss: Make parameters in call to user_ok_token() match all other uses.
https://git.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit b89134013041e772418c2c8bcfffe8a9ade6db91
Author: Andreas Schneider <asn at samba.org>
Date: Fri Nov 6 10:13:48 2020 +0100
sefltest: Enable the dcerpc.createtrustrelax test against ad_dc_fips
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Alexander Bokovoy <ab at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
Autobuild-User(master): Andreas Schneider <asn at cryptomilk.org>
Autobuild-Date(master): Mon Nov 9 10:22:51 UTC 2020 on sn-devel-184
commit c75dd1ea178325b8f65343cb5c35bb93f43a49a3
Author: Andreas Schneider <asn at samba.org>
Date: Thu Aug 20 13:51:39 2020 +0200
s4:rpc_server: Allow to use RC4 for creating trusts
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Alexander Bokovoy <ab at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit 4425f2c113a4dc33a8dc609d84a92018d61b4d2e
Author: Andreas Schneider <asn at samba.org>
Date: Thu Aug 20 13:40:21 2020 +0200
s3:rpc_server: Allow to use RC4 for creating trusts
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Alexander Bokovoy <ab at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit c93ccebdfedd60c1d19f1b1436ac30062259952a
Author: Andreas Schneider <asn at samba.org>
Date: Fri Nov 6 14:33:38 2020 +0100
s4:rpc_server: Use gnutls_cipher_decrypt() in get_trustdom_auth_blob()
It makes no difference for RC4 (a stream cipher, so encrypt and decrypt are the same operation), but decrypt is the call that matches what this code does.
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Alexander Bokovoy <ab at samba.org>
commit 6c11e5f42ba3248c97d85c989d422b256d2465a9
Author: Andreas Schneider <asn at samba.org>
Date: Fri Nov 6 14:30:26 2020 +0100
s3:rpc_server: Use gnutls_cipher_decrypt() in get_trustdom_auth_blob()
It makes no difference for RC4 (a stream cipher, so encrypt and decrypt are the same operation), but decrypt is the call that matches what this code does.
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Alexander Bokovoy <ab at samba.org>
-----------------------------------------------------------------------
Summary of changes:
selftest/knownfail.d/createtrustrelax_server | 1 -
source3/rpc_server/lsa/srv_lsa_nt.c | 15 ++++++++++++++-
source4/rpc_server/lsa/dcesrv_lsa.c | 20 +++++++++++++++++++-
3 files changed, 33 insertions(+), 3 deletions(-)
delete mode 100644 selftest/knownfail.d/createtrustrelax_server
Changeset truncated at 500 lines:
diff --git a/selftest/knownfail.d/createtrustrelax_server b/selftest/knownfail.d/createtrustrelax_server
deleted file mode 100644
index 80effda8343..00000000000
--- a/selftest/knownfail.d/createtrustrelax_server
+++ /dev/null
@@ -1 +0,0 @@
-^samba.tests.dcerpc.createtrustrelax.samba.tests.dcerpc.createtrustrelax.CreateTrustedDomainRelaxTest.test_create_trust_relax_encrypt\(ad_dc_fips\)
diff --git a/source3/rpc_server/lsa/srv_lsa_nt.c b/source3/rpc_server/lsa/srv_lsa_nt.c
index 198387424e6..d6d606ddeca 100644
--- a/source3/rpc_server/lsa/srv_lsa_nt.c
+++ b/source3/rpc_server/lsa/srv_lsa_nt.c
@@ -51,6 +51,8 @@
#include "../libcli/lsarpc/util_lsarpc.h"
#include "lsa.h"
#include "librpc/rpc/dcesrv_core.h"
+#include "librpc/rpc/dcerpc_helper.h"
+#include "lib/param/loadparm.h"
#include "lib/crypto/gnutls_helpers.h"
#include <gnutls/gnutls.h>
@@ -1706,6 +1708,14 @@ static NTSTATUS get_trustdom_auth_blob(struct pipes_struct *p,
gnutls_datum_t my_session_key;
NTSTATUS status;
int rc;
+ bool encrypted;
+
+ encrypted =
+ dcerpc_is_transport_encrypted(p->session_info);
+ if (lp_weak_crypto() == SAMBA_WEAK_CRYPTO_DISALLOWED &&
+ !encrypted) {
+ return NT_STATUS_ACCESS_DENIED;
+ }
status = session_extract_session_key(p->session_info, &lsession_key, KEY_USE_16BYTES);
if (!NT_STATUS_IS_OK(status)) {
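Review bot: The new refusal at `return NT_STATUS_ACCESS_DENIED;` emits no log line, unlike the matching source4 change in this series, so a trust creation that fails on a FIPS-mode host looks to the operator like an ordinary permission problem. Add the same diagnostic before the return, `DBG_ERR("Transport isn't encrypted and weak crypto disallowed!\n");`, so both servers behave alike and the cause is visible in the logs. A comment on the check would also help the next reader, e.g. `/* RC4 on the session key is tolerated only inside an encrypted DCERPC transport; with weak crypto disallowed and no such wrapper, refuse rather than put RC4 on the wire. */` — the wrapper cipher itself is not inspected here, presumably dcerpc_is_transport_encrypted() covers that. get_trustdom_auth_blob starts before this hunk and continues past it.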
@@ -1717,19 +1727,22 @@ static NTSTATUS get_trustdom_auth_blob(struct pipes_struct *p,
.size = lsession_key.length,
};
+ GNUTLS_FIPS140_SET_LAX_MODE();
rc = gnutls_cipher_init(&cipher_hnd,
GNUTLS_CIPHER_ARCFOUR_128,
&my_session_key,
NULL);
if (rc < 0) {
+ GNUTLS_FIPS140_SET_STRICT_MODE();
status = gnutls_error_to_ntstatus(rc, NT_STATUS_CRYPTO_SYSTEM_INVALID);
goto out;
}
- rc = gnutls_cipher_encrypt(cipher_hnd,
+ rc = gnutls_cipher_decrypt(cipher_hnd,
auth_blob->data,
auth_blob->length);
gnutls_cipher_deinit(cipher_hnd);
+ GNUTLS_FIPS140_SET_STRICT_MODE();
if (rc < 0) {
status = gnutls_error_to_ntstatus(rc, NT_STATUS_CRYPTO_SYSTEM_INVALID);
goto out;
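Review bot: Nothing at `GNUTLS_FIPS140_SET_LAX_MODE();` records why a FIPS bypass is acceptable in this function; the justification is the transport check earlier in get_trustdom_auth_blob, outside this hunk, and a reader of these lines alone sees RC4 being forced past the FIPS policy. Add above the lax-mode line: `/* RC4 is fixed by the LSA trust-auth wire format; FIPS lax mode is safe here only because an encrypted transport (or weak crypto not being disallowed) was required above. */`. Note also that RC4 provides no integrity, so after this call auth_blob holds attacker-controlled bytes; every length and count read from it during the later parsing (outside this hunk) must be bounds-checked rather than trusted. The strict-mode restore is present on both the init-failure path and the success path, which looks right.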
diff --git a/source4/rpc_server/lsa/dcesrv_lsa.c b/source4/rpc_server/lsa/dcesrv_lsa.c
index ebe259ff81e..15b068aec62 100644
--- a/source4/rpc_server/lsa/dcesrv_lsa.c
+++ b/source4/rpc_server/lsa/dcesrv_lsa.c
@@ -34,6 +34,8 @@
#include "lib/messaging/irpc.h"
#include "libds/common/roles.h"
#include "lib/util/smb_strtox.h"
+#include "lib/param/loadparm.h"
+#include "librpc/rpc/dcerpc_helper.h"
#include "lib/crypto/gnutls_helpers.h"
#include <gnutls/gnutls.h>
@@ -872,6 +874,19 @@ static NTSTATUS get_trustdom_auth_blob(struct dcesrv_call_state *dce_call,
gnutls_cipher_hd_t cipher_hnd = NULL;
gnutls_datum_t _session_key;
int rc;
+ struct auth_session_info *session_info =
+ dcesrv_call_session_info(dce_call);
+ struct loadparm_context *lp_ctx = dce_call->conn->dce_ctx->lp_ctx;
+ bool encrypted;
+
+ encrypted =
+ dcerpc_is_transport_encrypted(session_info);
+ if (lpcfg_weak_crypto(lp_ctx) == SAMBA_WEAK_CRYPTO_DISALLOWED &&
+ !encrypted) {
+ DBG_ERR("Transport isn't encrypted and weak crypto disallowed!\n");
+ return NT_STATUS_ACCESS_DENIED;
+ }
+
nt_status = dcesrv_transport_session_key(dce_call, &session_key);
if (!NT_STATUS_IS_OK(nt_status)) {
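Review bot: The gate at `if (lpcfg_weak_crypto(lp_ctx) == SAMBA_WEAK_CRYPTO_DISALLOWED && !encrypted)` is the only thing standing between the FIPS lax-mode RC4 use later in get_trustdom_auth_blob and a cleartext bind, and from these lines it is not visible that the default "weak crypto" setting resolves to DISALLOWED when GnuTLS runs in FIPS mode; please confirm that (the ad_dc_fips selftest enabled in this series presumably exercises it), otherwise the check is only as strong as the smb.conf default. The DBG_ERR is welcome, but for triage it would be more useful if it also named the client, if a peer address is reachable from dce_call->conn at this point. As a matter of style the two-line `encrypted =` assignment reads better as a single declaration, `bool encrypted = dcerpc_is_transport_encrypted(session_info);`, next to the other locals. get_trustdom_auth_blob starts before this hunk and continues past it.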
@@ -883,19 +898,22 @@ static NTSTATUS get_trustdom_auth_blob(struct dcesrv_call_state *dce_call,
.size = session_key.length,
};
+ GNUTLS_FIPS140_SET_LAX_MODE();
rc = gnutls_cipher_init(&cipher_hnd,
GNUTLS_CIPHER_ARCFOUR_128,
&_session_key,
NULL);
if (rc < 0) {
+ GNUTLS_FIPS140_SET_STRICT_MODE();
nt_status = gnutls_error_to_ntstatus(rc, NT_STATUS_CRYPTO_SYSTEM_INVALID);
goto out;
}
- rc = gnutls_cipher_encrypt(cipher_hnd,
+ rc = gnutls_cipher_decrypt(cipher_hnd,
auth_blob->data,
auth_blob->length);
gnutls_cipher_deinit(cipher_hnd);
+ GNUTLS_FIPS140_SET_STRICT_MODE();
if (rc < 0) {
nt_status = gnutls_error_to_ntstatus(rc, NT_STATUS_CRYPTO_SYSTEM_INVALID);
goto out;
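Review bot: The lax-mode window opened at `GNUTLS_FIPS140_SET_LAX_MODE();` carries no explanation in the source4 copy either, so the same comment belongs here: `/* Wire format mandates RC4; FIPS lax mode is justified only by the encrypted-transport check earlier in this function. */` (that check sits outside this hunk). Because the cipher runs in place on `auth_blob->data`, a failure from `gnutls_cipher_decrypt` may leave the buffer partially transformed; the `goto out` path must ensure the caller never parses it, which cannot be confirmed from the visible lines. Whether the lax/strict toggle is per-thread or process-wide depends on the helper macros in lib/crypto/gnutls_helpers.h; if it is process-wide, keeping the window as narrow as it is here matters, and the duplicated `GNUTLS_FIPS140_SET_STRICT_MODE();` on the init-failure path is the price of that.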