[SCM] Samba Shared Repository - branch master updated

Andreas Schneider asn at samba.org
Mon Nov 9 10:23:02 UTC 2020 

The branch, master has been updated
       via  b8913401304 sefltest: Enable the dcerpc.createtrustrelax test against ad_dc_fips
       via  c75dd1ea178 s4:rpc_server: Allow to use RC4 for creating trusts
       via  4425f2c113a s3:rpc_server: Allow to use RC4 for creating trusts
       via  c93ccebdfed s4:rpc_server: Use gnutls_cipher_decrypt() in get_trustdom_auth_blob()
       via  6c11e5f42ba s3:rpc_server: Use gnutls_cipher_decrypt() in get_trustdom_auth_blob()
      from  e5e1759057a s3: spoolss: Make parameters in call to user_ok_token() match all other uses.

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit b89134013041e772418c2c8bcfffe8a9ade6db91
Author: Andreas Schneider <asn at samba.org>
Date:   Fri Nov 6 10:13:48 2020 +0100

    sefltest: Enable the dcerpc.createtrustrelax test against ad_dc_fips
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Alexander Bokovoy <ab at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    
    Autobuild-User(master): Andreas Schneider <asn at cryptomilk.org>
    Autobuild-Date(master): Mon Nov  9 10:22:51 UTC 2020 on sn-devel-184

commit c75dd1ea178325b8f65343cb5c35bb93f43a49a3
Author: Andreas Schneider <asn at samba.org>
Date:   Thu Aug 20 13:51:39 2020 +0200

    s4:rpc_server: Allow to use RC4 for creating trusts
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Alexander Bokovoy <ab at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit 4425f2c113a4dc33a8dc609d84a92018d61b4d2e
Author: Andreas Schneider <asn at samba.org>
Date:   Thu Aug 20 13:40:21 2020 +0200

    s3:rpc_server: Allow to use RC4 for creating trusts
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Alexander Bokovoy <ab at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit c93ccebdfedd60c1d19f1b1436ac30062259952a
Author: Andreas Schneider <asn at samba.org>
Date:   Fri Nov 6 14:33:38 2020 +0100

    s4:rpc_server: Use gnutls_cipher_decrypt() in get_trustdom_auth_blob()
    
    It doesn't matter for RC4, but just to be correct.
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Alexander Bokovoy <ab at samba.org>

commit 6c11e5f42ba3248c97d85c989d422b256d2465a9
Author: Andreas Schneider <asn at samba.org>
Date:   Fri Nov 6 14:30:26 2020 +0100

    s3:rpc_server: Use gnutls_cipher_decrypt() in get_trustdom_auth_blob()
    
    It doesn't matter for RC4, but just to be correct.
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Alexander Bokovoy <ab at samba.org>

-----------------------------------------------------------------------

Summary of changes:
 selftest/knownfail.d/createtrustrelax_server |  1 -
 source3/rpc_server/lsa/srv_lsa_nt.c          | 15 ++++++++++++++-
 source4/rpc_server/lsa/dcesrv_lsa.c          | 20 +++++++++++++++++++-
 3 files changed, 33 insertions(+), 3 deletions(-)
 delete mode 100644 selftest/knownfail.d/createtrustrelax_server


Changeset truncated at 500 lines:

diff --git a/selftest/knownfail.d/createtrustrelax_server b/selftest/knownfail.d/createtrustrelax_server
deleted file mode 100644
index 80effda8343..00000000000
--- a/selftest/knownfail.d/createtrustrelax_server
+++ /dev/null
@@ -1 +0,0 @@
-^samba.tests.dcerpc.createtrustrelax.samba.tests.dcerpc.createtrustrelax.CreateTrustedDomainRelaxTest.test_create_trust_relax_encrypt\(ad_dc_fips\)
diff --git a/source3/rpc_server/lsa/srv_lsa_nt.c b/source3/rpc_server/lsa/srv_lsa_nt.c
index 198387424e6..d6d606ddeca 100644
--- a/source3/rpc_server/lsa/srv_lsa_nt.c
+++ b/source3/rpc_server/lsa/srv_lsa_nt.c
@@ -51,6 +51,8 @@
 #include "../libcli/lsarpc/util_lsarpc.h"
 #include "lsa.h"
 #include "librpc/rpc/dcesrv_core.h"
+#include "librpc/rpc/dcerpc_helper.h"
+#include "lib/param/loadparm.h"
 
 #include "lib/crypto/gnutls_helpers.h"
 #include <gnutls/gnutls.h>
@@ -1706,6 +1708,14 @@ static NTSTATUS get_trustdom_auth_blob(struct pipes_struct *p,
 	gnutls_datum_t my_session_key;
 	NTSTATUS status;
 	int rc;
+	bool encrypted;
+
+	encrypted =
+		dcerpc_is_transport_encrypted(p->session_info);
+	if (lp_weak_crypto() == SAMBA_WEAK_CRYPTO_DISALLOWED &&
+	    !encrypted) {
+		return NT_STATUS_ACCESS_DENIED;
+	}
 
 	status = session_extract_session_key(p->session_info, &lsession_key, KEY_USE_16BYTES);
 	if (!NT_STATUS_IS_OK(status)) {
@@ -1717,19 +1727,22 @@ static NTSTATUS get_trustdom_auth_blob(struct pipes_struct *p,
 		.size = lsession_key.length,
 	};
 
+	GNUTLS_FIPS140_SET_LAX_MODE();
 	rc = gnutls_cipher_init(&cipher_hnd,
 				GNUTLS_CIPHER_ARCFOUR_128,
 				&my_session_key,
 				NULL);
 	if (rc < 0) {
+		GNUTLS_FIPS140_SET_STRICT_MODE();
 		status = gnutls_error_to_ntstatus(rc, NT_STATUS_CRYPTO_SYSTEM_INVALID);
 		goto out;
 	}
 
-	rc = gnutls_cipher_encrypt(cipher_hnd,
+	rc = gnutls_cipher_decrypt(cipher_hnd,
 				   auth_blob->data,
 				   auth_blob->length);
 	gnutls_cipher_deinit(cipher_hnd);
+	GNUTLS_FIPS140_SET_STRICT_MODE();
 	if (rc < 0) {
 		status = gnutls_error_to_ntstatus(rc, NT_STATUS_CRYPTO_SYSTEM_INVALID);
 		goto out;
diff --git a/source4/rpc_server/lsa/dcesrv_lsa.c b/source4/rpc_server/lsa/dcesrv_lsa.c
index ebe259ff81e..15b068aec62 100644
--- a/source4/rpc_server/lsa/dcesrv_lsa.c
+++ b/source4/rpc_server/lsa/dcesrv_lsa.c
@@ -34,6 +34,8 @@
 #include "lib/messaging/irpc.h"
 #include "libds/common/roles.h"
 #include "lib/util/smb_strtox.h"
+#include "lib/param/loadparm.h"
+#include "librpc/rpc/dcerpc_helper.h"
 
 #include "lib/crypto/gnutls_helpers.h"
 #include <gnutls/gnutls.h>
@@ -872,6 +874,19 @@ static NTSTATUS get_trustdom_auth_blob(struct dcesrv_call_state *dce_call,
 	gnutls_cipher_hd_t cipher_hnd = NULL;
 	gnutls_datum_t _session_key;
 	int rc;
+	struct auth_session_info *session_info =
+		dcesrv_call_session_info(dce_call);
+	struct loadparm_context *lp_ctx = dce_call->conn->dce_ctx->lp_ctx;
+	bool encrypted;
+
+	encrypted =
+		dcerpc_is_transport_encrypted(session_info);
+	if (lpcfg_weak_crypto(lp_ctx) == SAMBA_WEAK_CRYPTO_DISALLOWED &&
+	    !encrypted) {
+		DBG_ERR("Transport isn't encrypted and weak crypto disallowed!\n");
+		return NT_STATUS_ACCESS_DENIED;
+	}
+
 
 	nt_status = dcesrv_transport_session_key(dce_call, &session_key);
 	if (!NT_STATUS_IS_OK(nt_status)) {
@@ -883,19 +898,22 @@ static NTSTATUS get_trustdom_auth_blob(struct dcesrv_call_state *dce_call,
 		.size = session_key.length,
 	};
 
+	GNUTLS_FIPS140_SET_LAX_MODE();
 	rc = gnutls_cipher_init(&cipher_hnd,
 				GNUTLS_CIPHER_ARCFOUR_128,
 				&_session_key,
 				NULL);
 	if (rc < 0) {
+		GNUTLS_FIPS140_SET_STRICT_MODE();
 		nt_status = gnutls_error_to_ntstatus(rc, NT_STATUS_CRYPTO_SYSTEM_INVALID);
 		goto out;
 	}
 
-	rc = gnutls_cipher_encrypt(cipher_hnd,
+	rc = gnutls_cipher_decrypt(cipher_hnd,
 				   auth_blob->data,
 				   auth_blob->length);
 	gnutls_cipher_deinit(cipher_hnd);
+	GNUTLS_FIPS140_SET_STRICT_MODE();
 	if (rc < 0) {
 		nt_status = gnutls_error_to_ntstatus(rc, NT_STATUS_CRYPTO_SYSTEM_INVALID);
 		goto out;


-- 
Samba Shared Repository

More information about the samba-cvs mailing list