[SCM] Samba Shared Repository - branch master updated
Andreas Schneider
asn at samba.org
Thu Oct 29 15:42:02 UTC 2020
The branch, master has been updated
via ebd687335b9 python:tests: Add SAMR password change tests for fips
via 9a3ba502d81 python:tests: Add SAMR password change tests for fips
via 7d54e4b49c2 s4:param: Add 'weak crypto' getter to pyparam
via 32d4c75d6cb lib:crypto: Add py binding for set_relax/strict fips mode
via a9c532c6d3e s4:rpc_server: Allow to use RC4 for setting passwords
via c6a21e18979 s3:rpc_server: Allow to use RC4 for setting passwords
via 5f1a73be631 s3:smbd: Use defines to set 'srv_smb_encrypt'
via 8bbe5c8c94a librpc: Add dcerpc helper dcerpc_is_transport_encrypted()
via 905c2b9722a s3:smbd: Add SMB3 connection information to session info
via 56879ec5876 idl: Add SID_SAMBA_SMB3
from 3076566d656 s3: smbd: Ensure change notifies can't get set unless the directory handle is open for SEC_DIR_LIST.
https://git.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit ebd687335b9accfdbae7dbc65c9882ab4d5c0986
Author: Andreas Schneider <asn at samba.org>
Date: Wed Oct 21 10:09:22 2020 +0200
python:tests: Add SAMR password change tests for fips
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Alexander Bokovoy <ab at samba.org>
Autobuild-User(master): Andreas Schneider <asn at cryptomilk.org>
Autobuild-Date(master): Thu Oct 29 15:41:37 UTC 2020 on sn-devel-184
commit 9a3ba502d8193b25799ef92917efafd52de2e8c2
Author: Andreas Schneider <asn at samba.org>
Date: Wed Oct 21 10:09:22 2020 +0200
python:tests: Add SAMR password change tests for fips
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Alexander Bokovoy <ab at samba.org>
commit 7d54e4b49c235dc571f47d15e6b0a6fa63340773
Author: Andreas Schneider <asn at samba.org>
Date: Wed Oct 28 17:05:36 2020 +0100
s4:param: Add 'weak crypto' getter to pyparam
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Alexander Bokovoy <ab at samba.org>
commit 32d4c75d6cbf9153068a0487347097707afb356a
Author: Isaac Boukris <iboukris at gmail.com>
Date: Thu Aug 20 12:45:49 2020 +0200
lib:crypto: Add py binding for set_relax/strict fips mode
Signed-off-by: Isaac Boukris <iboukris at gmail.com>
Reviewed-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Alexander Bokovoy <ab at samba.org>
commit a9c532c6d3e85fbe49b7040254cfc66ab54074bc
Author: Andreas Schneider <asn at samba.org>
Date: Fri Nov 15 13:49:40 2019 +0100
s4:rpc_server: Allow to use RC4 for setting passwords
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Alexander Bokovoy <ab at samba.org>
commit c6a21e1897985f267bcfc681179cea95165c3c57
Author: Andreas Schneider <asn at samba.org>
Date: Tue Nov 12 16:56:45 2019 +0100
s3:rpc_server: Allow to use RC4 for setting passwords
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Alexander Bokovoy <ab at samba.org>
commit 5f1a73be6311c68a21a550c0de5078baeb78f4ee
Author: Andreas Schneider <asn at samba.org>
Date: Fri Aug 28 16:31:17 2020 +0200
s3:smbd: Use defines to set 'srv_smb_encrypt'
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Alexander Bokovoy <ab at samba.org>
commit 8bbe5c8c94aaf75d715f558c363e5b2de49f7bf9
Author: Andreas Schneider <asn at samba.org>
Date: Thu Mar 12 14:11:56 2020 +0100
librpc: Add dcerpc helper dcerpc_is_transport_encrypted()
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Alexander Bokovoy <ab at samba.org>
commit 905c2b9722a64ee57f3fbcff51e6bb591c6e3edc
Author: Andreas Schneider <asn at samba.org>
Date: Fri Feb 7 16:48:29 2020 +0100
s3:smbd: Add SMB3 connection information to session info
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Alexander Bokovoy <ab at samba.org>
commit 56879ec5876625346df89110f62d52e3fd5b8934
Author: Andreas Schneider <asn at samba.org>
Date: Fri Feb 7 16:48:16 2020 +0100
idl: Add SID_SAMBA_SMB3
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Alexander Bokovoy <ab at samba.org>
-----------------------------------------------------------------------
Summary of changes:
lib/crypto/py_crypto.c | 16 ++
librpc/idl/security.idl | 3 +
librpc/rpc/dcerpc_helper.c | 137 +++++++++++++++
.../mscat_private.h => librpc/rpc/dcerpc_helper.h | 15 +-
librpc/wscript_build | 9 +
python/samba/tests/dcerpc/samr_change_password.py | 188 +++++++++++++++++++++
selftest/target/Samba4.pm | 2 +-
selftest/tests.py | 2 +
source3/include/vfs.h | 1 +
source3/rpc_server/samr/srv_samr_chgpasswd.c | 3 +
source3/rpc_server/samr/srv_samr_nt.c | 78 ++++++++-
source3/rpc_server/wscript_build | 2 +-
source3/smbd/pipes.c | 83 ++++++++-
source3/smbd/smb2_server.c | 5 +
source4/param/pyparam.c | 22 +++
source4/rpc_server/samr/samr_password.c | 30 ++++
source4/rpc_server/wscript_build | 2 +-
17 files changed, 585 insertions(+), 13 deletions(-)
create mode 100644 librpc/rpc/dcerpc_helper.c
copy lib/mscat/mscat_private.h => librpc/rpc/dcerpc_helper.h (68%)
create mode 100644 python/samba/tests/dcerpc/samr_change_password.py
Changeset truncated at 500 lines:
diff --git a/lib/crypto/py_crypto.c b/lib/crypto/py_crypto.c
index 32b946eee8f..ad18d3ada0f 100644
--- a/lib/crypto/py_crypto.c
+++ b/lib/crypto/py_crypto.c
@@ -24,6 +24,7 @@
#include <gnutls/gnutls.h>
#include <gnutls/crypto.h>
+#include "lib/crypto/gnutls_helpers.h"
static PyObject *py_crypto_arcfour_crypt_blob(PyObject *module, PyObject *args)
{
@@ -85,12 +86,27 @@ static PyObject *py_crypto_arcfour_crypt_blob(PyObject *module, PyObject *args)
return result;
}
+static PyObject *py_crypto_set_relax_mode(PyObject *module)
+{
+ GNUTLS_FIPS140_SET_LAX_MODE();
+
+ Py_RETURN_NONE;
+}
+
+static PyObject *py_crypto_set_strict_mode(PyObject *module)
+{
+ GNUTLS_FIPS140_SET_STRICT_MODE();
+
+ Py_RETURN_NONE;
+}
static const char py_crypto_arcfour_crypt_blob_doc[] = "arcfour_crypt_blob(data, key)\n"
"Encrypt the data with RC4 algorithm using the key";
static PyMethodDef py_crypto_methods[] = {
{ "arcfour_crypt_blob", (PyCFunction)py_crypto_arcfour_crypt_blob, METH_VARARGS, py_crypto_arcfour_crypt_blob_doc },
+ { "set_relax_mode", (PyCFunction)py_crypto_set_relax_mode, METH_NOARGS, "Set fips to relax mode" },
+ { "set_strict_mode", (PyCFunction)py_crypto_set_strict_mode, METH_NOARGS, "Set fips to strict mode" },
{0},
};
diff --git a/librpc/idl/security.idl b/librpc/idl/security.idl
index a92e8f1518e..06bf7449a70 100644
--- a/librpc/idl/security.idl
+++ b/librpc/idl/security.idl
@@ -282,6 +282,9 @@ interface security
const string SID_SAMBA_UNIX_USER_OWNER = "S-1-22-1";
const string SID_SAMBA_UNIX_GROUP_OWNER = "S-1-22-2";
+ /* Information passing via security token */
+ const string SID_SAMBA_SMB3 = "S-1-22-1397571891";
+
/* SECURITY_NT_SERVICE */
const string NAME_NT_SERVICE = "NT SERVICE";
diff --git a/librpc/rpc/dcerpc_helper.c b/librpc/rpc/dcerpc_helper.c
new file mode 100644
index 00000000000..c5443764628
--- /dev/null
+++ b/librpc/rpc/dcerpc_helper.c
@@ -0,0 +1,137 @@
+/*
+ * Copyright (c) 2020 Andreas Schneider <asn at samba.org>
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include "includes.h"
+#include "librpc/gen_ndr/security.h"
+#include "librpc/gen_ndr/auth.h"
+#include "lib/crypto/gnutls_helpers.h"
+#include "libcli/security/dom_sid.h"
+#include "libcli/smb/smb2_constants.h"
+
+#include "dcerpc_helper.h"
+
+static bool smb3_sid_parse(const struct dom_sid *sid,
+ uint16_t *pdialect,
+ uint16_t *pencrypt,
+ uint16_t *pcipher)
+{
+ uint16_t dialect;
+ uint16_t encrypt;
+ uint16_t cipher;
+
+ if (sid->sub_auths[0] != 1397571891) {
+ return false;
+ }
+
+ dialect = sid->sub_auths[1];
+ if (dialect > 0x03ff) {
+ return false;
+ }
+
+ encrypt = sid->sub_auths[2];
+ if (encrypt > 0x0002) {
+ return false;
+ }
+
+ cipher = sid->sub_auths[3];
+ if (cipher > SMB2_ENCRYPTION_AES128_GCM) {
+ return false;
+ }
+
+ if (pdialect != NULL) {
+ *pdialect = dialect;
+ }
+
+ if (pencrypt != NULL) {
+ *pencrypt = encrypt;
+ }
+
+ if (pcipher != NULL) {
+ *pcipher = cipher;
+ }
+
+ return true;
+}
+
+bool dcerpc_is_transport_encrypted(struct auth_session_info *session_info)
+{
+ struct security_token *token = session_info->security_token;
+ struct dom_sid smb3_dom_sid;
+ const struct dom_sid *smb3_sid = NULL;
+ uint16_t dialect = 0;
+ uint16_t encrypt = 0;
+ uint16_t cipher = 0;
+ uint32_t i;
+ bool ok;
+
+ ok = dom_sid_parse(SID_SAMBA_SMB3, &smb3_dom_sid);
+ if (!ok) {
+ return false;
+ }
+
+ for (i = 0; i < token->num_sids; i++) {
+ int cmp;
+
+ /* There is only one SMB3 SID allowed! */
+ cmp = dom_sid_compare_domain(&token->sids[i], &smb3_dom_sid);
+ if (cmp == 0) {
+ if (smb3_sid == NULL) {
+ smb3_sid = &token->sids[i];
+ } else {
+ DBG_ERR("ERROR: The SMB3 SID has been detected "
+ "multiple times\n");
+ return false;
+ }
+ }
+ }
+
+ if (smb3_sid == NULL) {
+ return false;
+ }
+
+ ok = smb3_sid_parse(smb3_sid, &dialect, &encrypt, &cipher);
+ if (!ok) {
+ DBG_ERR("Failed to parse SMB3 SID!\n");
+ return false;
+ }
+
+ DBG_DEBUG("SMB SID - dialect: %#04x, encrypt: %#04x, cipher: %#04x\n",
+ dialect,
+ encrypt,
+ cipher);
+
+ if (dialect < SMB3_DIALECT_REVISION_300) {
+ DBG_DEBUG("Invalid SMB3 dialect!\n");
+ return false;
+ }
+
+ if (encrypt != DCERPC_SMB_ENCRYPTION_REQUIRED) {
+ DBG_DEBUG("Invalid SMB3 encryption!\n");
+ return false;
+ }
+
+ switch (cipher) {
+ case SMB2_ENCRYPTION_AES128_CCM:
+ case SMB2_ENCRYPTION_AES128_GCM:
+ break;
+ default:
+ DBG_DEBUG("Invalid SMB3 cipher!\n");
+ return false;
+ }
+
+ return true;
+}
diff --git a/lib/mscat/mscat_private.h b/librpc/rpc/dcerpc_helper.h
similarity index 68%
copy from lib/mscat/mscat_private.h
copy to librpc/rpc/dcerpc_helper.h
index d79b364ceb0..c0f09ee494e 100644
--- a/lib/mscat/mscat_private.h
+++ b/librpc/rpc/dcerpc_helper.h
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2016 Andreas Schneider <asn at samba.org>
+ * Copyright (c) 2020 Andreas Schneider <asn at samba.org>
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
@@ -15,13 +15,12 @@
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
-#ifndef _MSCAT_PRIVATE_H
-#define _MSCAT_PRIVATE_H
+#ifndef _DCERPC_HELPER_H
+#define _DCERPC_HELPER_H
-#include <gnutls/pkcs7.h>
+#define DCERPC_SMB_ENCRYPTION_OFF 0x0000
+#define DCERPC_SMB_ENCRYPTION_REQUIRED 0x0002
-struct mscat_pkcs7 {
- gnutls_pkcs7_t c;
-};
+bool dcerpc_is_transport_encrypted(struct auth_session_info *session_info);
-#endif /* _MSCAT_PRIVATE_H */
+#endif /* _DCERPC_HELPER_H */
diff --git a/librpc/wscript_build b/librpc/wscript_build
index 398fff7167e..02b7640046e 100644
--- a/librpc/wscript_build
+++ b/librpc/wscript_build
@@ -669,6 +669,15 @@ bld.SAMBA_LIBRARY('dcerpc-server-core',
autoproto='rpc/dcesrv_core_proto.h',
vnum='0.0.1')
+bld.SAMBA_SUBSYSTEM('DCERPC_HELPER',
+ source='rpc/dcerpc_helper.c',
+ public_deps='''
+ samba-hostconfig
+ samba-security
+ gnutls
+ GNUTLS_HELPERS
+ ''')
+
bld.SAMBA_SUBSYSTEM('NDR_WINBIND',
source='gen_ndr/ndr_winbind.c',
public_deps='ndr NDR_LSA'
diff --git a/python/samba/tests/dcerpc/samr_change_password.py b/python/samba/tests/dcerpc/samr_change_password.py
new file mode 100644
index 00000000000..109eeea98cc
--- /dev/null
+++ b/python/samba/tests/dcerpc/samr_change_password.py
@@ -0,0 +1,188 @@
+# Unix SMB/CIFS implementation.
+#
+# Copyright © 2020 Andreas Schneider <asn at samba.org>
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+#
+
+"""Tests for samba.dcerpc.samr.password"""
+
+import os
+import ctypes
+import samba.tests
+
+from samba import crypto, generate_random_password, generate_random_bytes, ntstatus
+from samba.auth import system_session
+from samba.credentials import Credentials
+from samba.credentials import SMB_ENCRYPTION_REQUIRED
+from samba.dcerpc import samr, security, lsa
+from samba.samdb import SamDB
+from samba.tests import RpcInterfaceTestCase
+
+
+class SamrPasswordTests(RpcInterfaceTestCase):
+ def setUp(self):
+ super(SamrPasswordTests, self).setUp()
+ self.open_samdb()
+
+ self.create_user_account(10000)
+
+ self.remote_server = samba.tests.env_get_var_value('SERVER')
+ self.remote_domain = samba.tests.env_get_var_value('DOMAIN')
+ self.remote_user = samba.tests.env_get_var_value('USERNAME')
+ self.remote_password = samba.tests.env_get_var_value('PASSWORD')
+ self.remote_binding_string = "ncacn_np:%s[krb5]" % (self.remote_server)
+
+ self.remote_creds = Credentials()
+ self.remote_creds.guess(self.lp)
+ self.remote_creds.set_username(self.remote_user)
+ self.remote_creds.set_password(self.remote_password)
+
+ def tearDown(self):
+ super(SamrPasswordTests, self).tearDown()
+
+ samr.Close(self.user_handle)
+ samr.Close(self.domain_handle)
+ samr.Close(self.handle)
+
+ samba.tests.delete_force(self.samdb, self.user_dn)
+
+ #
+ # Open the samba database
+ #
+ def open_samdb(self):
+ self.lp = samba.tests.env_loadparm()
+
+ self.local_creds = Credentials()
+ self.local_creds.guess(self.lp)
+ self.session = system_session()
+ self.samdb = SamDB(session_info=self.session,
+ credentials=self.local_creds,
+ lp=self.lp)
+
+ #
+ # Open a SAMR Domain handle
+ #
+ def open_domain_handle(self):
+ self.handle = self.conn.Connect2(None,
+ security.SEC_FLAG_MAXIMUM_ALLOWED)
+
+ self.domain_sid = self.conn.LookupDomain(self.handle,
+ lsa.String(self.remote_domain))
+
+ self.domain_handle = self.conn.OpenDomain(self.handle,
+ security.SEC_FLAG_MAXIMUM_ALLOWED,
+ self.domain_sid)
+
+ def open_user_handle(self):
+ name = lsa.String(self.user_name)
+
+ rids = self.conn.LookupNames(self.domain_handle, [name])
+
+ self.user_handle = self.conn.OpenUser(self.domain_handle,
+ security.SEC_FLAG_MAXIMUM_ALLOWED,
+ rids[0].ids[0])
+ #
+ # Create a test user account
+ #
+ def create_user_account(self, user_id):
+ self.user_name = ("SAMR_USER_%d" % user_id)
+ self.user_pass = generate_random_password(32, 32)
+ self.user_dn = "cn=%s,cn=users,%s" % (self.user_name, self.samdb.domain_dn())
+
+ samba.tests.delete_force(self.samdb, self.user_dn)
+
+ self.samdb.newuser(self.user_name,
+ self.user_pass,
+ description="Password for " + self.user_name + " is " + self.user_pass,
+ givenname=self.user_name,
+ surname=self.user_name)
+
+
+ def init_samr_CryptPassword(self, password, session_key):
+
+ def encode_pw_buffer(password):
+ data = bytearray([0] * 516)
+
+ p = samba.string_to_byte_array(password.encode('utf-16-le'))
+ plen = len(p)
+
+ b = generate_random_bytes(512 - plen)
+
+ i = 512 - plen
+ data[0:i] = b
+ data[i:i+plen] = p
+ data[512:516] = plen.to_bytes(4, byteorder='little')
+
+ return bytes(data)
+
+ # This is a test, so always allow to encrypt using RC4
+ try:
+ crypto.set_relax_mode()
+ encrypted_blob = samba.arcfour_encrypt(session_key, encode_pw_buffer(password))
+ finally:
+ crypto.set_strict_mode()
+
+ out_blob = samr.CryptPassword()
+ out_blob.data = list(encrypted_blob)
+
+ return out_blob
+
+
+ def test_setUserInfo2_Password(self, password='P at ssw0rd'):
+ self.conn = samr.samr(self.remote_binding_string,
+ self.get_loadparm(),
+ self.remote_creds)
+ self.open_domain_handle()
+ self.open_user_handle()
+
+ password='P at ssw0rd'
+
+ level = 24
+ info = samr.UserInfo24()
+
+ info.password_expired = 0
+ info.password = self.init_samr_CryptPassword(password, self.conn.session_key)
+
+ # If the server is in FIPS mode, it should reject the password change!
+ try:
+ self.conn.SetUserInfo2(self.user_handle, level, info)
+ except samba.NTSTATUSError as e:
+ code = ctypes.c_uint32(e.args[0]).value
+ print(code)
+ if ((code == ntstatus.NT_STATUS_ACCESS_DENIED) and
+ (self.lp.weak_crypto == 'disallowed')):
+ pass
+ else:
+ raise
+
+
+ def test_setUserInfo2_Password_Encrypted(self, password='P at ssw0rd'):
+ self.remote_creds.set_smb_encryption(SMB_ENCRYPTION_REQUIRED)
+
+ self.conn = samr.samr(self.remote_binding_string,
+ self.get_loadparm(),
+ self.remote_creds)
+ self.open_domain_handle()
+ self.open_user_handle()
+
+ password='P at ssw0rd'
+
+ level = 24
+ info = samr.UserInfo24()
+
+ info.password_expired = 0
+ info.password = self.init_samr_CryptPassword(password, self.conn.session_key)
+
+ self.conn.SetUserInfo2(self.user_handle, level, info)
diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm
index 649e923ff9a..1ebdf2a5484 100755
--- a/selftest/target/Samba4.pm
+++ b/selftest/target/Samba4.pm
@@ -1040,7 +1040,7 @@ servicePrincipalName: http/testupnspn.$ctx->{dnsname}
$samba_tool_cmd .= "KRB5_CONFIG=\"$ret->{KRB5_CONFIG}\" ";
$samba_tool_cmd .= "KRB5CCNAME=\"$ret->{KRB5_CCACHE}\" ";
$samba_tool_cmd .= Samba::bindir_path($self, "samba-tool")
- . " group addmembers --configfile=$ctx->{smb_conf} 'Allowed RODC Password Replication Group' '$testallowed_account'";
+ . " group addmembers --configfile=$ctx->{smb_conf} 'Allowed RODC Password Replication Group' '$testallowed_account' -d10";
unless (system($samba_tool_cmd) == 0) {
warn("Unable to add '$testallowed_account' user to 'Allowed RODC Password Replication Group': \n$samba_tool_cmd\n");
return undef;
diff --git a/selftest/tests.py b/selftest/tests.py
index adcb5b53189..86cab3f8046 100644
--- a/selftest/tests.py
+++ b/selftest/tests.py
@@ -93,6 +93,8 @@ planpythontestsuite(
os.path.join(samba4srcdir, "..", "third_party", "waf")])
planpythontestsuite("fileserver", "samba.tests.smbd_fuzztest")
planpythontestsuite("nt4_dc_smb1", "samba.tests.dcerpc.binding")
+for env in [ 'ad_dc:local', 'ad_dc_fips:local' ]:
+ planpythontestsuite(env, "samba.tests.dcerpc.samr_change_password")
def cmdline(script, *args):
diff --git a/source3/include/vfs.h b/source3/include/vfs.h
index 22c139607e2..7aff0c67ada 100644
--- a/source3/include/vfs.h
+++ b/source3/include/vfs.h
@@ -414,6 +414,7 @@ typedef struct files_struct {
bool use_ofd_locks : 1;
bool closing : 1;
bool lock_failure_seen : 1;
+ bool encryption_required : 1;
} fsp_flags;
struct tevent_timer *update_write_time_event;
diff --git a/source3/rpc_server/samr/srv_samr_chgpasswd.c b/source3/rpc_server/samr/srv_samr_chgpasswd.c
index cb9837ecf01..e326745169e 100644
--- a/source3/rpc_server/samr/srv_samr_chgpasswd.c
+++ b/source3/rpc_server/samr/srv_samr_chgpasswd.c
@@ -769,11 +769,13 @@ static NTSTATUS check_oem_password(const char *user,
.size = 16,
};
+ GNUTLS_FIPS140_SET_LAX_MODE();
rc = gnutls_cipher_init(&cipher_hnd,
GNUTLS_CIPHER_ARCFOUR_128,
&enc_key,
NULL);
if (rc < 0) {
+ GNUTLS_FIPS140_SET_STRICT_MODE();
return gnutls_error_to_ntstatus(rc, NT_STATUS_CRYPTO_SYSTEM_INVALID);
}
--
Samba Shared Repository
More information about the samba-cvs
mailing list