[SCM] Samba Shared Repository - branch master updated

Andreas Schneider asn at samba.org
Thu Jul 28 12:48:01 UTC 2022


The branch, master has been updated
       via  3469895aca6 s3:winbind: Implement dcerpc_samr_chgpasswd_user4 for PamAuthChangePassword
       via  8b80b104064 s3:libsmb: Add dcerpc_samr_chgpasswd_user4 to remote_password_change()
       via  f39cda78cb8 s3:test: Print the output to understand what was going wrong
       via  83dac5ce89f s4:libnet: Add support for samr_ChangePasswordUser4()
       via  0c961b16f19 s4:libnet: Move code using RC4 into its own function
       via  da0e0c8aeb2 s4:libnet: Remove unused code in libnet_ChangePassword_samr()
       via  8733fabd581 s4:torture: Add test for dcerpc_samr_ChangePasswordUser4
       via  1ca42e12ef2 s3:rpc_server: Implement dcesrv_samr_ChangePasswordUser4()
       via  68b7863f19f s3:passdb: Correctly burn the plaintext_pw with samu_destroy()
       via  16e97c5e2d7 s3:passdb: Remove trailing whitespaces
       via  85b7179a582 s4:rpc_server: Implement dcesrv_samr_ChangePasswordUser4()
       via  c4ef3dbf738 s4:dsdb: Burn the memory of hashes returned by samdb_result_hashes()
       via  56297449f9c s4:dsdb: Remove trailing whitespaces from util.c
       via  fd4368797e4 s3:rpcclient: Implement cmd chpasswd4
       via  c557259dd95 docs-xml: Remove trailing whitespaces in rpcclient.1.xml
       via  c8daa5fb007 s3:rpc_client: Implement dcerpc_samr_chgpasswd_user4()
       via  b46064f8b5d s3:rpc_client: Fix trailing whitespaces in cli_samr.c
       via  cc1cac94233 lib:util: Add generate_random_u64_range()
       via  9fcd1b7498e lib:util: Remove trailing whitespaces in samba_util.h
       via  3d6b9ca8520 lib:crypto: Add test for pbkdf2
       via  36b6be3ce1a waf: Check for gnutls_pbkdf2()
       via  d725e4ca9fe s4:torture: Implement test for SAMR SetUserInfo(2) level 32
       via  f904f41820a s3:rpc_server: Implement SAMR SetUserInfo(2) level 32
       via  54766eed2e0 s4:rpc_server: Implement support for SetUserInfo(2) level 32
       via  5797d59bfcb s4:torture: Implement test for SAMR SetUserInfo(2) level 31
       via  3f72918a164 s3:rpc_server: Implement support for SAMR SetUserInfo level 31
       via  c26f6961693 s3:rpc_server: Remove obosolete copy_id26_to_sam_passwd()
       via  c975394edf3 s3:rpc_server: Use copy_pwd_expired_to_sam_passwd() in set_user_info_26()
       via  cb2d9429a85 s3:rpc_server: Add copy_pwd_expired_to_sam_passwd() for SAMR
       via  b54188cbe39 s3:rpc_server: Set missing debug class for srv_samr_chgpasswd
       via  63c4b16d2fc libcli:auth: Add test for decode_pwd_string_from_buffer514()
       via  2f4a80322b9 libcli:auth: Add decode_pwd_string_from_buffer514()
       via  cef5bb02239 s4:rpc_server: Implement support for SAMR SetUserInfo(2) level 31
       via  835de358ec4 s4:rpc_server: Add samr_set_password_aes()
       via  1aa403517ff s4:rpc_server: Add transaction for dcesrv_samr_SetUserInfo()
       via  1b3d7f81168 s4:rpc_server: Use sam_ctx consistently in dcesrv_samr_SetUserInfo()
       via  a246ae993fd s3:rpc_server: Use a done goto label for dcesrv_samr_SetUserInfo()
       via  2226806ce0d libcli:auth: Add test for extract_pwd_blob_from_buffer514()
       via  12f4bb9cc11 libcli:auth: Add extract_pwd_blob_from_buffer514()
       via  b39abe916d7 libcli:auth: Implment a common create_pw_buffer_from_blob()
       via  626b0f4891b libcli:auth: Use extract_pw_from_buffer() in decode_pw_buffer()
       via  e87facfd890 libcli:auth: Keep data of extract_pw_from_buffer() secret
       via  91121071670 s3:rpcclient: Implement setuserinfo2 level 31
       via  6f60c98c087 s3:rpcclient: Encrypt the password buffers only if really needed
       via  2454b86c882 s3:rpc_client: Implement init_samr_CryptPasswordAES()
       via  2ecdbe17e86 samr.idl: Add samr_ChangePasswordUser4()
       via  308f89ce6a9 samr:idl: add samr_SupportedFeatures for samr_Connect5()
       via  e845afe11aa samr.idl: Add support for new AES encrypted password buffer
       via  e181dd7b763 libcli:auth: Add test for encode_pwd_buffer514_from_str()
       via  1b142b72bd2 libcli:auth: Add encode_pw_buffer_from_str()
       via  5da60573b5d libcli:auth: Implement a generic encode_pwd_buffer_from_str()
       via  ed22f0c43c8 libcli:auth: Remove trailing spaces from proto.h
       via  0813ea5bf86 lib:crypto: Add test for samba_gnutls_aead_aes_256_cbc_hmac_sha512_decrypt()
       via  0d059e44255 lib:crypto: Add samba_gnutls_aead_aes_256_cbc_hmac_sha512_decrypt()
       via  10249fbb1c7 lib:crypto: Add test for samba_gnutls_aead_aes_256_cbc_hmac_sha512_encrypt()
       via  e42ebd22e93 librpc:rpc: Add SAMR encryption and mac key salt definitions
       via  dc7f0f15ce0 lib:crypto: Implement samba_gnutls_aead_aes_256_cbc_hmac_sha512_encrypt()
       via  8b22b448e84 lib:replace: Add macros to burn data from memory
       via  61aeb774076 lib:crypto: Merge wscript_build into wscript
       via  a519d57cef8 lib:crypto: Merge wscript_configure into wscript
       via  b24c8f540f1 lib:crypto: Reformat wscript
      from  dde461868f7 ctdb-tests: Add tests for cluster mutex I/O timeout

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 3469895aca624cf3fcf56c612fe4469bb03a8b5d
Author: Andreas Schneider <asn at samba.org>
Date:   Tue Jul 26 16:54:36 2022 +0200

    s3:winbind: Implement dcerpc_samr_chgpasswd_user4 for PamAuthChangePassword
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    
    Autobuild-User(master): Andreas Schneider <asn at cryptomilk.org>
    Autobuild-Date(master): Thu Jul 28 12:47:31 UTC 2022 on sn-devel-184

commit 8b80b1040641420c64e27e4390041f7ede27541c
Author: Andreas Schneider <asn at samba.org>
Date:   Tue Jul 26 16:27:32 2022 +0200

    s3:libsmb: Add dcerpc_samr_chgpasswd_user4 to remote_password_change()
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit f39cda78cb83f3e5c98a568f6080cb4292f6be4d
Author: Andreas Schneider <asn at samba.org>
Date:   Tue Jul 26 20:54:44 2022 +0200

    s3:test: Print the output to understand what was going wrong
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit 83dac5ce89f96704de1bbc4ae67dbba5298eca37
Author: Andreas Schneider <asn at samba.org>
Date:   Tue Jul 26 15:43:31 2022 +0200

    s4:libnet: Add support for samr_ChangePasswordUser4()
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit 0c961b16f1913fd4b16ad7b7a4b2da2f83fe349c
Author: Andreas Schneider <asn at samba.org>
Date:   Tue Jul 26 15:13:08 2022 +0200

    s4:libnet: Move code using RC4 into its own function
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit da0e0c8aeb2426ff017e890593a0f7e65cba6b03
Author: Andreas Schneider <asn at samba.org>
Date:   Tue Jul 26 14:47:53 2022 +0200

    s4:libnet: Remove unused code in libnet_ChangePassword_samr()
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit 8733fabd581ff6ecd766e19daa85d1c88966676a
Author: Andreas Schneider <asn at samba.org>
Date:   Tue Jul 5 13:26:37 2022 +0200

    s4:torture: Add test for dcerpc_samr_ChangePasswordUser4
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit 1ca42e12ef27eea29787bb4cebacf325be3e2f9f
Author: Andreas Schneider <asn at samba.org>
Date:   Mon Feb 28 13:51:40 2022 +0100

    s3:rpc_server: Implement dcesrv_samr_ChangePasswordUser4()
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit 68b7863f19fcd02a75cc86b7377ab9a7aebb46df
Author: Andreas Schneider <asn at samba.org>
Date:   Mon Jul 18 14:38:38 2022 +0200

    s3:passdb: Correctly burn the plaintext_pw with samu_destroy()
    
    memset() can be removed by the optimizer.
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit 16e97c5e2d70e7e2b708e9ba225b7c0c86f809ef
Author: Andreas Schneider <asn at samba.org>
Date:   Mon Jul 18 14:38:26 2022 +0200

    s3:passdb: Remove trailing whitespaces
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit 85b7179a582558b0e645851bd246c14394f29ef8
Author: Andreas Schneider <asn at samba.org>
Date:   Mon Aug 30 17:47:22 2021 +0200

    s4:rpc_server: Implement dcesrv_samr_ChangePasswordUser4()
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit c4ef3dbf738febc595e5b201caaaa8d452bfffe0
Author: Andreas Schneider <asn at samba.org>
Date:   Tue Jul 26 11:31:54 2022 +0200

    s4:dsdb: Burn the memory of hashes returned by samdb_result_hashes()
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit 56297449f9c2e94505a72a70a3a3c5990d00d37f
Author: Andreas Schneider <asn at samba.org>
Date:   Tue Jul 26 11:31:35 2022 +0200

    s4:dsdb: Remove trailing whitespaces from util.c
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit fd4368797e4315284b9ff4a17adfd8607ea8a49e
Author: Andreas Schneider <asn at samba.org>
Date:   Mon Jul 11 15:24:59 2022 +0200

    s3:rpcclient: Implement cmd chpasswd4
    
    Manually tested against Windows Server 2022.
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit c557259dd9589e10ed9ed613532ba3d88cf2f795
Author: Andreas Schneider <asn at samba.org>
Date:   Thu Jul 14 10:05:53 2022 +0200

    docs-xml: Remove trailing whitespaces in rpcclient.1.xml
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit c8daa5fb00777541dd5608d330f1d1e336e1dd77
Author: Andreas Schneider <asn at samba.org>
Date:   Tue Jul 5 10:34:12 2022 +0200

    s3:rpc_client: Implement dcerpc_samr_chgpasswd_user4()
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit b46064f8b5d606c20aed2e4e0c591015b3e92977
Author: Andreas Schneider <asn at samba.org>
Date:   Tue Jul 5 10:30:47 2022 +0200

    s3:rpc_client: Fix trailing whitespaces in cli_samr.c
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit cc1cac9423384bad26e3d17f9409a41321fd2714
Author: Andreas Schneider <asn at samba.org>
Date:   Thu Jul 14 07:56:39 2022 +0200

    lib:util: Add generate_random_u64_range()
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit 9fcd1b7498e3d32c4edfbdbb52141392fd03c692
Author: Andreas Schneider <asn at samba.org>
Date:   Thu Jul 14 08:05:07 2022 +0200

    lib:util: Remove trailing whitespaces in samba_util.h
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit 3d6b9ca8520f4eda1c41e496f343bc4ec23bb5a0
Author: Andreas Schneider <asn at samba.org>
Date:   Fri Jul 15 09:06:04 2022 +0200

    lib:crypto: Add test for pbkdf2
    
    This just makes sure that we use the right parameters for gnutls_pbkdf2()
    and arrive at the same values as Windows.
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit 36b6be3ce1a178c1206a798813ff943ea5aa4b6b
Author: Andreas Schneider <asn at samba.org>
Date:   Mon Aug 30 17:06:10 2021 +0200

    waf: Check for gnutls_pbkdf2()
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit d725e4ca9fefac1555ac2561c5edf12c9d5c46de
Author: Andreas Schneider <asn at samba.org>
Date:   Tue Aug 24 11:39:19 2021 +0200

    s4:torture: Implement test for SAMR SetUserInfo(2) level 32
    
    make test TESTS="samba4.rpc.samr.passwords"
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit f904f41820a05b568ea09c89f468a18f11256aec
Author: Andreas Schneider <asn at samba.org>
Date:   Tue Aug 24 15:00:37 2021 +0200

    s3:rpc_server: Implement SAMR SetUserInfo(2) level 32
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit 54766eed2e06153b5dbda5c1a4f27619fad76394
Author: Andreas Schneider <asn at samba.org>
Date:   Tue Aug 24 14:23:53 2021 +0200

    s4:rpc_server: Implement support for SetUserInfo(2) level 32
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit 5797d59bfcbdd42f95d196610a528b720c24b808
Author: Andreas Schneider <asn at samba.org>
Date:   Thu Aug 19 09:44:10 2021 +0200

    s4:torture: Implement test for SAMR SetUserInfo(2) level 31
    
    We can't apply this patch earlier as there are no individual tests we could
    mark as knownfail. Reorganizing the whole test is too big a task for now.
    However, this test works and has also found some bugs.
    
    make test TESTS="samba4.rpc.samr.passwords"
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit 3f72918a164f9195adfac7498db4f6685d8db0c5
Author: Andreas Schneider <asn at samba.org>
Date:   Sun Aug 22 18:38:52 2021 +0200

    s3:rpc_server: Implement support for SAMR SetUserInfo level 31
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit c26f6961693443a66237b1dbdf00530727c47365
Author: Andreas Schneider <asn at samba.org>
Date:   Mon Aug 23 11:31:32 2021 +0200

    s3:rpc_server: Remove obosolete copy_id26_to_sam_passwd()
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit c975394edf36601cb1ac912c8f98745b74bbc6f4
Author: Andreas Schneider <asn at samba.org>
Date:   Mon Aug 23 11:30:40 2021 +0200

    s3:rpc_server: Use copy_pwd_expired_to_sam_passwd() in set_user_info_26()
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit cb2d9429a85f63c512b4b9529c878f15eab16957
Author: Andreas Schneider <asn at samba.org>
Date:   Sun Aug 22 18:37:28 2021 +0200

    s3:rpc_server: Add copy_pwd_expired_to_sam_passwd() for SAMR
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit b54188cbe39796f1a827fcac98d3a480220bb854
Author: Andreas Schneider <asn at samba.org>
Date:   Fri Jul 15 11:10:47 2022 +0200

    s3:rpc_server: Set missing debug class for srv_samr_chgpasswd
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit 63c4b16d2fce6f8f547cb99f9bc626668e6ad379
Author: Andreas Schneider <asn at samba.org>
Date:   Mon Jul 25 12:12:52 2022 +0200

    libcli:auth: Add test for decode_pwd_string_from_buffer514()
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit 2f4a80322b9e4b1617839e8e1185a9e620b89a51
Author: Andreas Schneider <asn at samba.org>
Date:   Mon Aug 23 15:03:19 2021 +0200

    libcli:auth: Add decode_pwd_string_from_buffer514()
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit cef5bb0223973bc50c9de879dc313ec3173cbaf8
Author: Andreas Schneider <asn at samba.org>
Date:   Wed Aug 18 16:22:19 2021 +0200

    s4:rpc_server: Implement support for SAMR SetUserInfo(2) level 31
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit 835de358ec4c60976f34654bbb7f21e3687b0f9f
Author: Andreas Schneider <asn at samba.org>
Date:   Wed Aug 18 16:21:59 2021 +0200

    s4:rpc_server: Add samr_set_password_aes()
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit 1aa403517ffc0d43df72ddc9fa2ce86ab5c33873
Author: Andreas Schneider <asn at samba.org>
Date:   Tue Jul 26 11:04:29 2022 +0200

    s4:rpc_server: Add transaction for dcesrv_samr_SetUserInfo()
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit 1b3d7f811680f9ac66ca5822950b3eee081a06b0
Author: Andreas Schneider <asn at samba.org>
Date:   Tue Jul 26 10:59:13 2022 +0200

    s4:rpc_server: Use sam_ctx consistently in dcesrv_samr_SetUserInfo()
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit a246ae993fd8553bf66aa8ee1700eb68b85f2857
Author: Andreas Schneider <asn at samba.org>
Date:   Tue Jul 26 10:57:19 2022 +0200

    s3:rpc_server: Use a done goto label for dcesrv_samr_SetUserInfo()
    
    This will be used in the following commits.
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit 2226806ce0d3c53afcf66e26cabcb6784a44f29c
Author: Andreas Schneider <asn at samba.org>
Date:   Mon Jul 25 12:06:05 2022 +0200

    libcli:auth: Add test for extract_pwd_blob_from_buffer514()
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit 12f4bb9cc1187eb1fe4e44393377d94d155c7d49
Author: Andreas Schneider <asn at samba.org>
Date:   Fri Aug 20 09:45:27 2021 +0200

    libcli:auth: Add extract_pwd_blob_from_buffer514()
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit b39abe916d72ec31d7ceab07b083c89b88e9981b
Author: Andreas Schneider <asn at samba.org>
Date:   Mon Jul 25 10:29:01 2022 +0200

    libcli:auth: Implment a common create_pw_buffer_from_blob()
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit 626b0f4891b48f53d35f92e4050bada2cdb54ee2
Author: Andreas Schneider <asn at samba.org>
Date:   Mon Jul 25 10:14:12 2022 +0200

    libcli:auth: Use extract_pw_from_buffer() in decode_pw_buffer()
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit e87facfd890241cf207349668e731abd76bbd3f9
Author: Andreas Schneider <asn at samba.org>
Date:   Mon Jul 25 08:42:39 2022 +0200

    libcli:auth: Keep data of extract_pw_from_buffer() secret
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit 91121071670ee40b64041a1443359a62782e0cca
Author: Andreas Schneider <asn at samba.org>
Date:   Mon Aug 2 15:41:23 2021 +0200

    s3:rpcclient: Implement setuserinfo2 level 31
    
    Manually tested against Windows Server 2022.
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit 6f60c98c08729d4613d74949c3ff74dd911076a3
Author: Andreas Schneider <asn at samba.org>
Date:   Mon Jul 18 15:48:36 2022 +0200

    s3:rpcclient: Encrypt the password buffers only if really needed
    
    If we are in FIPS mode certain ciphers like RC4 are not available, so
    we should make sure we do not call them. We will add AES support in the
    next patch.
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit 2454b86c8825db21e366bfeaf431e1a0d69d1e49
Author: Andreas Schneider <asn at samba.org>
Date:   Fri Jul 30 16:24:37 2021 +0200

    s3:rpc_client: Implement init_samr_CryptPasswordAES()
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit 2ecdbe17e86957db5303eaf4a7a8647ce7622b71
Author: Andreas Schneider <asn at samba.org>
Date:   Thu Aug 26 17:37:59 2021 +0200

    samr.idl: Add samr_ChangePasswordUser4()
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit 308f89ce6a95e8566bc5f4d1c633a5d9ac11958c
Author: Andreas Schneider <asn at samba.org>
Date:   Wed Aug 25 14:11:28 2021 +0200

    samr:idl: add samr_SupportedFeatures for samr_Connect5()
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit e845afe11aa2ac1bd9abdd3e052487602d5656c0
Author: Andreas Schneider <asn at samba.org>
Date:   Fri Jul 30 11:12:07 2021 +0200

    samr.idl: Add support for new AES encrypted password buffer
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit e181dd7b7633cdc14bcfc4b4ef71044062e0c6b6
Author: Andreas Schneider <asn at samba.org>
Date:   Mon Jul 25 11:25:09 2022 +0200

    libcli:auth: Add test for encode_pwd_buffer514_from_str()
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit 1b142b72bd271ee19f493db60e49883cd0d31c3c
Author: Andreas Schneider <asn at samba.org>
Date:   Thu Aug 19 11:29:04 2021 +0200

    libcli:auth: Add encode_pw_buffer_from_str()
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit 5da60573b5d3749292ca488b7dc1030679d6255b
Author: Andreas Schneider <asn at samba.org>
Date:   Fri Jul 22 14:26:43 2022 +0200

    libcli:auth: Implement a generic encode_pwd_buffer_from_str()
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit ed22f0c43c8790c8dc440ab1ac5a7cc93a465ece
Author: Andreas Schneider <asn at samba.org>
Date:   Thu Aug 19 11:28:37 2021 +0200

    libcli:auth: Remove trailing spaces from proto.h
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit 0813ea5bf86b9aead6c3529b356744241cff770b
Author: Andreas Schneider <asn at samba.org>
Date:   Tue Aug 17 11:19:01 2021 +0200

    lib:crypto: Add test for samba_gnutls_aead_aes_256_cbc_hmac_sha512_decrypt()
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit 0d059e4425587a196332477ed4e75293ced47296
Author: Andreas Schneider <asn at samba.org>
Date:   Mon Aug 16 17:14:19 2021 +0200

    lib:crypto: Add samba_gnutls_aead_aes_256_cbc_hmac_sha512_decrypt()
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit 10249fbb1c7dd9fef69a0d37249de95a20e2a7e4
Author: Andreas Schneider <asn at samba.org>
Date:   Tue Aug 3 14:14:07 2021 +0200

    lib:crypto: Add test for samba_gnutls_aead_aes_256_cbc_hmac_sha512_encrypt()
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit e42ebd22e934b0921a2713fde1293bc2c97b5029
Author: Andreas Schneider <asn at samba.org>
Date:   Mon Jul 18 13:42:07 2022 +0200

    librpc:rpc: Add SAMR encryption and mac key salt definitions
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit dc7f0f15ce05065bac2fbe134ae80dd87f6af4d0
Author: Andreas Schneider <asn at samba.org>
Date:   Mon Aug 2 16:21:19 2021 +0200

    lib:crypto: Implement samba_gnutls_aead_aes_256_cbc_hmac_sha512_encrypt()
    
    This is for [MS-SAMR] 3.2.2.4 AES Cipher Usage
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit 8b22b448e84269f6f18c0e08d9ff1f0edeae0d31
Author: Andreas Schneider <asn at samba.org>
Date:   Tue Jul 19 13:36:57 2022 +0200

    lib:replace: Add macros to burn data from memory
    
    This will explicitly zero data in memory. This is guaranteed not to be
    optimized away.
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit 61aeb7740764b202db0ddba559e83c3b2953ae36
Author: Andreas Schneider <asn at samba.org>
Date:   Mon Aug 2 16:34:05 2021 +0200

    lib:crypto: Merge wscript_build into wscript
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit a519d57cef82ec4f43d0579bcff4b54333ce6cef
Author: Andreas Schneider <asn at samba.org>
Date:   Mon Aug 2 16:28:53 2021 +0200

    lib:crypto: Merge wscript_configure into wscript
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit b24c8f540f10406ac8b348a26912d19f6427ccb5
Author: Andreas Schneider <asn at samba.org>
Date:   Mon Aug 2 16:27:04 2021 +0200

    lib:crypto: Reformat wscript
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

-----------------------------------------------------------------------

Summary of changes:
 docs-xml/manpages/rpcclient.1.xml                  | 161 ++++-----
 lib/crypto/gnutls_aead_aes_256_cbc_hmac_sha512.c   | 393 +++++++++++++++++++++
 lib/crypto/gnutls_helpers.h                        |  95 ++++-
 .../test_gnutls_aead_aes_256_cbc_hmac_sha512.c     | 324 +++++++++++++++++
 lib/crypto/wscript                                 |  92 ++++-
 lib/crypto/wscript_build                           |  54 ---
 lib/crypto/wscript_configure                       |  15 -
 lib/replace/replace.h                              |  18 +
 lib/util/genrand_util.c                            |  14 +
 lib/util/samba_util.h                              |  36 +-
 libcli/auth/proto.h                                |  94 +++--
 libcli/auth/smbencrypt.c                           | 239 ++++++++++---
 libcli/auth/tests/test_encode_decode.c             | 162 +++++++++
 libcli/auth/wscript_build                          |   9 +
 librpc/idl/samr.idl                                |  67 +++-
 librpc/rpc/dcerpc_samr.h                           |  42 +++
 selftest/tests.py                                  |   4 +
 source3/libsmb/passchange.c                        |  40 +++
 source3/passdb/passdb.c                            | 138 ++++----
 source3/rpc_client/cli_samr.c                      | 116 +++++-
 source3/rpc_client/cli_samr.h                      |   8 +
 source3/rpc_client/init_samr.c                     |  56 +++
 source3/rpc_client/init_samr.h                     |  21 ++
 source3/rpc_server/samr/srv_samr_chgpasswd.c       |  64 ++++
 source3/rpc_server/samr/srv_samr_nt.c              | 393 ++++++++++++++++++++-
 source3/rpc_server/samr/srv_samr_util.c            |  27 +-
 source3/rpc_server/samr/srv_samr_util.h            |  11 +-
 source3/rpcclient/cmd_samr.c                       |  93 ++++-
 source3/script/tests/test_smbpasswd.sh             |   1 +
 source3/winbindd/winbindd_pam.c                    |  29 ++
 source4/dsdb/common/util.c                         | 133 +++----
 source4/libnet/libnet_passwd.c                     | 363 ++++++++++++-------
 source4/libnet/wscript_build                       |   1 +
 source4/rpc_server/samr/dcesrv_samr.c              | 364 ++++++++++++++++---
 source4/rpc_server/samr/samr_password.c            | 240 +++++++++++++
 source4/torture/rpc/samr.c                         | 390 +++++++++++++++++++-
 source4/torture/rpc/samr_accessmask.c              |   2 +-
 source4/torture/rpc/samr_handletype.c              |   2 +-
 wscript_configure_system_gnutls                    |   3 +
 39 files changed, 3730 insertions(+), 584 deletions(-)
 create mode 100644 lib/crypto/gnutls_aead_aes_256_cbc_hmac_sha512.c
 create mode 100644 lib/crypto/tests/test_gnutls_aead_aes_256_cbc_hmac_sha512.c
 delete mode 100644 lib/crypto/wscript_build
 delete mode 100644 lib/crypto/wscript_configure
 create mode 100644 libcli/auth/tests/test_encode_decode.c
 create mode 100644 librpc/rpc/dcerpc_samr.h


Changeset truncated at 500 lines:

diff --git a/docs-xml/manpages/rpcclient.1.xml b/docs-xml/manpages/rpcclient.1.xml
index 7c0c380cd8d..e57d614247f 100644
--- a/docs-xml/manpages/rpcclient.1.xml
+++ b/docs-xml/manpages/rpcclient.1.xml
@@ -13,7 +13,7 @@
 
 <refnamediv>
 	<refname>rpcclient</refname>
-	<refpurpose>tool for executing client side 
+	<refpurpose>tool for executing client side
 	MS-RPC functions</refpurpose>
 </refnamediv>
 
@@ -62,9 +62,9 @@
 	<manvolnum>7</manvolnum></citerefentry> suite.</para>
 
 	<para><command>rpcclient</command> is a utility initially developed
-	to test MS-RPC functionality in Samba itself.  It has undergone 
+	to test MS-RPC functionality in Samba itself.  It has undergone
 	several stages of development and stability.  Many system administrators
-	have now written scripts around it to manage Windows NT clients from 
+	have now written scripts around it to manage Windows NT clients from
 	their UNIX workstation. </para>
 </refsect1>
 
@@ -148,22 +148,22 @@
 		below) </para></listitem>
 		</varlistentry>
 
-		
+
 		<varlistentry>
 		<term>-I|--dest-ip IP-address</term>
-		<listitem><para><replaceable>IP address</replaceable> is the address of the server to connect to. 
+		<listitem><para><replaceable>IP address</replaceable> is the address of the server to connect to.
 		It should be specified in standard "a.b.c.d" notation. </para>
 
-		<para>Normally the client would attempt to locate a named 
-		SMB/CIFS server by looking it up via the NetBIOS name resolution 
-		mechanism described above in the <parameter>name resolve order</parameter> 
+		<para>Normally the client would attempt to locate a named
+		SMB/CIFS server by looking it up via the NetBIOS name resolution
+		mechanism described above in the <parameter>name resolve order</parameter>
 		parameter above. Using this parameter will force the client
-		to assume that the server is on the machine with the specified IP 
-		address and the NetBIOS name component of the resource being 
+		to assume that the server is on the machine with the specified IP
+		address and the NetBIOS name component of the resource being
 		connected to will be ignored. </para>
 
-		<para>There is no default for this parameter. If not supplied, 
-		it will be determined automatically by the client as described 
+		<para>There is no default for this parameter. If not supplied,
+		it will be determined automatically by the client as described
 		above. </para></listitem>
 		</varlistentry>
 
@@ -311,7 +311,8 @@
 		<varlistentry><term>lookupdomain</term><listitem><para>Lookup Domain Name</para></listitem></varlistentry>
 		<varlistentry><term>chgpasswd</term><listitem><para>Change user password</para></listitem></varlistentry>
 		<varlistentry><term>chgpasswd2</term><listitem><para>Change user password</para></listitem></varlistentry>
-		<varlistentry><term>chgpasswd3</term><listitem><para>Change user password</para></listitem></varlistentry>
+		<varlistentry><term>chgpasswd3</term><listitem><para>Change user password (RC4 encrypted)</para></listitem></varlistentry>
+		<varlistentry><term>chgpasswd4</term><listitem><para>Change user password (AES encrypted)</para></listitem></varlistentry>
 		<varlistentry><term>getdispinfoidx</term><listitem><para>Get Display Information Index</para></listitem></varlistentry>
 		<varlistentry><term>setuserinfo</term><listitem><para>Set user info</para></listitem></varlistentry>
 		<varlistentry><term>setuserinfo2</term><listitem><para>Set user info2</para></listitem></varlistentry>
@@ -323,17 +324,17 @@
 	<title>SPOOLSS</title>
 
 	<variablelist>
-		<varlistentry><term>adddriver <arch> <config> [<version>]</term> 
+		<varlistentry><term>adddriver <arch> <config> [<version>]</term>
 		<listitem><para>
-		Execute an AddPrinterDriver() RPC to install the printer driver 
-		information on the server.  Note that the driver files should 
-		already exist in the directory returned by  
-		<command>getdriverdir</command>.  Possible values for 
-		<parameter>arch</parameter> are the same as those for 
+		Execute an AddPrinterDriver() RPC to install the printer driver
+		information on the server.  Note that the driver files should
+		already exist in the directory returned by
+		<command>getdriverdir</command>.  Possible values for
+		<parameter>arch</parameter> are the same as those for
 		the <command>getdriverdir</command> command.
-		The <parameter>config</parameter> parameter is defined as 
+		The <parameter>config</parameter> parameter is defined as
 		follows: </para>
-		
+
 <para><programlisting>
 Long Driver Name:\
 Driver File Name:\
@@ -346,12 +347,12 @@ Comma Separated list of Files
 </programlisting></para>
 
 		<para>Any empty fields should be enter as the string "NULL". </para>
-		
+
 		<para>Samba does not need to support the concept of Print Monitors
 		since these only apply to local printers whose driver can make
-		use of a bi-directional link for communication.  This field should 
-		be "NULL".   On a remote NT print server, the Print Monitor for a 
-		driver must already be installed prior to adding the driver or 
+		use of a bi-directional link for communication.  This field should
+		be "NULL".   On a remote NT print server, the Print Monitor for a
+		driver must already be installed prior to adding the driver or
 		else the RPC will fail. </para>
 
 		<para>The <parameter>version</parameter> parameter lets you
@@ -360,12 +361,12 @@ Comma Separated list of Files
 		be used.  This option can be used to upload Windows 2000
 		(version 3) printer drivers.</para></listitem></varlistentry>
 
-		<varlistentry><term>addprinter <printername> 
+		<varlistentry><term>addprinter <printername>
 		<sharename> <drivername> <port></term>
 		<listitem><para>
-		Add a printer on the remote server.  This printer 
- 		will be automatically shared.  Be aware that the printer driver 
-		must already be installed on the server (see <command>adddriver</command>) 
+		Add a printer on the remote server.  This printer
+		will be automatically shared.  Be aware that the printer driver
+		must already be installed on the server (see <command>adddriver</command>)
 		and the <parameter>port</parameter>must be a valid port name (see
 		<command>enumports</command>.</para>
 		</listitem></varlistentry>
@@ -385,9 +386,9 @@ Comma Separated list of Files
 		of 3 requests (DPD_DELETE_UNUSED_FILES | DPD_DELETE_SPECIFIC_VERSION).
 		</para></listitem></varlistentry>
 
-		<varlistentry><term>enumdata</term><listitem><para>Enumerate all 
-		printer setting data stored on the server. On Windows NT  clients, 
-		these values are stored  in the registry, while Samba servers 
+		<varlistentry><term>enumdata</term><listitem><para>Enumerate all
+		printer setting data stored on the server. On Windows NT  clients,
+		these values are stored  in the registry, while Samba servers
 		store them in the printers TDB.  This command corresponds
 		to the MS Platform SDK GetPrinterData() function (* This
 		command is currently unimplemented).</para></listitem></varlistentry>
@@ -397,8 +398,8 @@ Comma Separated list of Files
 		<varlistentry><term>enumkey</term><listitem><para>Enumerate printer keys</para></listitem></varlistentry>
 
 		<varlistentry><term>enumjobs <printer></term>
-		<listitem><para>List the jobs and status of a given printer. 
-		This command corresponds to the MS Platform SDK EnumJobs() 
+		<listitem><para>List the jobs and status of a given printer.
+		This command corresponds to the MS Platform SDK EnumJobs()
 		function</para></listitem></varlistentry>
 
 		<varlistentry><term>getjob</term><listitem><para>Get print job</para></listitem></varlistentry>
@@ -407,38 +408,38 @@ Comma Separated list of Files
 
 		<varlistentry><term>enumports [level]</term>
 		<listitem><para>
-		Executes an EnumPorts() call using the specified 
-		info level. Currently only info levels 1 and 2 are supported. 
+		Executes an EnumPorts() call using the specified
+		info level. Currently only info levels 1 and 2 are supported.
 		</para></listitem></varlistentry>
 
-		<varlistentry><term>enumdrivers [level]</term> 
+		<varlistentry><term>enumdrivers [level]</term>
 		<listitem><para>
-		Execute an EnumPrinterDrivers() call.  This lists the various installed 
-		printer drivers for all architectures.  Refer to the MS Platform SDK 
-		documentation for more details of the various flags and calling 
+		Execute an EnumPrinterDrivers() call.  This lists the various installed
+		printer drivers for all architectures.  Refer to the MS Platform SDK
+		documentation for more details of the various flags and calling
 		options. Currently supported info levels are 1, 2, and 3.</para></listitem></varlistentry>
 
 		<varlistentry><term>enumprinters [level]</term>
-		<listitem><para>Execute an EnumPrinters() call.  This lists the various installed 
-		and share printers.  Refer to the MS Platform SDK documentation for 
+		<listitem><para>Execute an EnumPrinters() call.  This lists the various installed
+		and share printers.  Refer to the MS Platform SDK documentation for
 		more details of the various flags and calling options. Currently
 		supported info levels are 1, 2 and 5.</para></listitem></varlistentry>
 
-		<varlistentry><term>getdata <printername> <valuename;></term> 
-		<listitem><para>Retrieve the data for a given printer setting.  See 
-		the  <command>enumdata</command> command for more information.  
-		This command corresponds to the GetPrinterData() MS Platform 
+		<varlistentry><term>getdata <printername> <valuename;></term>
+		<listitem><para>Retrieve the data for a given printer setting.  See
+		the  <command>enumdata</command> command for more information.
+		This command corresponds to the GetPrinterData() MS Platform
 		SDK function. </para></listitem></varlistentry>
 
 		<varlistentry><term>getdataex</term><listitem><para>Get
 		printer driver data with
 		keyname</para></listitem></varlistentry>
 
-		
+
 		<varlistentry><term>getdriver <printername></term>
 		<listitem><para>
-		Retrieve the printer driver information (such as driver file, 
-		config file, dependent files, etc...) for 
+		Retrieve the printer driver information (such as driver file,
+		config file, dependent files, etc...) for
 		the given printer. This command corresponds to the GetPrinterDriver()
 		MS Platform  SDK function. Currently info level 1, 2, and 3 are supported.
 		</para></listitem></varlistentry>
@@ -446,23 +447,23 @@ Comma Separated list of Files
 		<varlistentry><term>getdriverdir <arch></term>
 		<listitem><para>
 		Execute a GetPrinterDriverDirectory()
-		RPC to retrieve the SMB share name and subdirectory for 
-		storing printer driver files for a given architecture.  Possible 
-		values for <parameter>arch</parameter> are "Windows 4.0" 
+		RPC to retrieve the SMB share name and subdirectory for
+		storing printer driver files for a given architecture.  Possible
+		values for <parameter>arch</parameter> are "Windows 4.0"
 		(for Windows 95/98), "Windows NT x86", "Windows NT PowerPC", "Windows
 		Alpha_AXP", and "Windows NT R4000". </para></listitem></varlistentry>
 
 		<varlistentry><term>getdriverpackagepath</term>
 		<listitem><para>Get print driver package download directory</para></listitem></varlistentry>
 
-		<varlistentry><term>getprinter <printername></term> 
-		<listitem><para>Retrieve the current printer information.  This command 
-		corresponds to the GetPrinter() MS Platform SDK function. 
+		<varlistentry><term>getprinter <printername></term>
+		<listitem><para>Retrieve the current printer information.  This command
+		corresponds to the GetPrinter() MS Platform SDK function.
 		</para></listitem></varlistentry>
 
 
-		<varlistentry><term>openprinter <printername></term> 
-		<listitem><para>Execute an OpenPrinterEx() and ClosePrinter() RPC 
+		<varlistentry><term>openprinter <printername></term>
+		<listitem><para>Execute an OpenPrinterEx() and ClosePrinter() RPC
 		against a given printer. </para></listitem></varlistentry>
 
 		<varlistentry><term>openprinter_ex <printername></term>
@@ -474,7 +475,7 @@ Comma Separated list of Files
 		associated with an installed printer.  The printer driver must
 		already be correctly installed on the print server.  </para>
 
-		<para>See also the <command>enumprinters</command> and 
+		<para>See also the <command>enumprinters</command> and
 		<command>enumdrivers</command> commands for obtaining a list of
 		of installed printers and drivers.</para></listitem></varlistentry>
 
@@ -705,28 +706,28 @@ Comma Separated list of Files
 
 <refsect1>
 	<title>BUGS</title>
-	
-	<para><command>rpcclient</command> is designed as a developer testing tool 
-	and may not be robust in certain areas (such as command line parsing).  
-	It has been known to  generate a core dump upon failures when invalid 
+
+	<para><command>rpcclient</command> is designed as a developer testing tool
+	and may not be robust in certain areas (such as command line parsing).
+	It has been known to  generate a core dump upon failures when invalid
 	parameters where passed to the interpreter. </para>
 
 	<para>From Luke Leighton's original rpcclient man page:</para>
-	
-	<para><emphasis>WARNING!</emphasis> The MSRPC over SMB code has 
-	been developed from examining  Network traces. No documentation is 
-	available from the original creators  (Microsoft) on how MSRPC over 
-	SMB works, or how the individual MSRPC services  work. Microsoft's 
-	implementation of these services has been demonstrated  (and reported) 
+
+	<para><emphasis>WARNING!</emphasis> The MSRPC over SMB code has
+	been developed from examining  Network traces. No documentation is
+	available from the original creators  (Microsoft) on how MSRPC over
+	SMB works, or how the individual MSRPC services  work. Microsoft's
+	implementation of these services has been demonstrated  (and reported)
 	to be... a bit flaky in places. </para>
 
-	<para>The development of Samba's implementation is also a bit rough, 
-	and as more of the services are understood, it can even result in 
+	<para>The development of Samba's implementation is also a bit rough,
+	and as more of the services are understood, it can even result in
 	versions of <citerefentry><refentrytitle>smbd</refentrytitle>
 	<manvolnum>8</manvolnum></citerefentry> and <citerefentry><refentrytitle>rpcclient</refentrytitle>
-	<manvolnum>1</manvolnum></citerefentry> that are incompatible for some commands or  services. Additionally, 
-	the developers are sending reports to Microsoft,  and problems found 
-	or reported to Microsoft are fixed in Service Packs,  which may 
+	<manvolnum>1</manvolnum></citerefentry> that are incompatible for some commands or  services. Additionally,
+	the developers are sending reports to Microsoft,  and problems found
+	or reported to Microsoft are fixed in Service Packs,  which may
 	result in incompatibilities.</para>
 </refsect1>
 
@@ -740,15 +741,15 @@ Comma Separated list of Files
 
 <refsect1>
 	<title>AUTHOR</title>
-	
-	<para>The original Samba software and related utilities 
+
+	<para>The original Samba software and related utilities
 	were created by Andrew Tridgell. Samba is now developed
-	by the Samba Team as an Open Source project similar 
+	by the Samba Team as an Open Source project similar
 	to the way the Linux kernel is developed.</para>
-	
-	<para>The original rpcclient man page was written by Matthew 
-	Geddes, Luke Kenneth Casson Leighton, and rewritten by Gerald Carter.  
-	The conversion to DocBook for Samba 2.2 was done by Gerald 
+
+	<para>The original rpcclient man page was written by Matthew
+	Geddes, Luke Kenneth Casson Leighton, and rewritten by Gerald Carter.
+	The conversion to DocBook for Samba 2.2 was done by Gerald
 	Carter. The conversion to DocBook XML 4.2 for Samba 3.0 was
 	done by Alexander Bokovoy.</para>
 </refsect1>
diff --git a/lib/crypto/gnutls_aead_aes_256_cbc_hmac_sha512.c b/lib/crypto/gnutls_aead_aes_256_cbc_hmac_sha512.c
new file mode 100644
index 00000000000..a05aa8a323c
--- /dev/null
+++ b/lib/crypto/gnutls_aead_aes_256_cbc_hmac_sha512.c
@@ -0,0 +1,393 @@
+/*
+ * Copyright (c) 2021-2022 Andreas Schneider <asn at samba.org>
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include "includes.h"
+#include "lib/util/data_blob.h"
+#include <gnutls/gnutls.h>
+#include <gnutls/crypto.h>
+#include "gnutls_helpers.h"
+
+#define SAMR_AES_VERSION_BYTE 0x01
+#define SAMR_AES_VERSION_BYTE_LEN 1
+
+static NTSTATUS calculate_enc_key(const DATA_BLOB *cek,
+				  const DATA_BLOB *key_salt,
+				  uint8_t enc_key[32])
+{
+	gnutls_mac_algorithm_t hash_algo = GNUTLS_MAC_SHA512;
+	size_t hmac_size = gnutls_hmac_get_len(hash_algo);
+	uint8_t enc_key_data[hmac_size];
+	int rc;
+
+	rc = gnutls_hmac_fast(hash_algo,
+			      cek->data,
+			      cek->length,
+			      key_salt->data,
+			      key_salt->length,
+			      enc_key_data);
+	if (rc < 0) {
+		return gnutls_error_to_ntstatus(rc,
+						NT_STATUS_ENCRYPTION_FAILED);
+	}
+
+	/* The key gets truncated to 32 byte */
+	memcpy(enc_key, enc_key_data, 32);
+	BURN_DATA(enc_key_data);
+
+	return NT_STATUS_OK;
+}
+
+static NTSTATUS calculate_mac_key(const DATA_BLOB *cek,
+				  const DATA_BLOB *mac_salt,
+				  uint8_t mac_key[64])
+{
+	int rc;
+
+	rc = gnutls_hmac_fast(GNUTLS_MAC_SHA512,
+			      cek->data,
+			      cek->length,
+			      mac_salt->data,
+			      mac_salt->length,
+			      mac_key);
+	if (rc < 0) {
+		return gnutls_error_to_ntstatus(rc,
+						NT_STATUS_ENCRYPTION_FAILED);
+	}
+
+	return NT_STATUS_OK;
+}
+
+/* This is an implementation of [MS-SAMR] 3.2.2.4 AES Cipher Usage */
+
+NTSTATUS
+samba_gnutls_aead_aes_256_cbc_hmac_sha512_encrypt(TALLOC_CTX *mem_ctx,
+						  const DATA_BLOB *plaintext,
+						  const DATA_BLOB *cek,
+						  const DATA_BLOB *key_salt,
+						  const DATA_BLOB *mac_salt,
+						  const DATA_BLOB *iv,
+						  DATA_BLOB *pciphertext,
+						  uint8_t pauth_tag[64])
+{
+	gnutls_hmac_hd_t hmac_hnd = NULL;
+	gnutls_mac_algorithm_t hmac_algo = GNUTLS_MAC_SHA512;
+	size_t hmac_size = gnutls_hmac_get_len(hmac_algo);
+	gnutls_cipher_hd_t cipher_hnd = NULL;
+	gnutls_cipher_algorithm_t cipher_algo = GNUTLS_CIPHER_AES_256_CBC;
+	uint32_t aes_block_size = gnutls_cipher_get_block_size(cipher_algo);
+	gnutls_datum_t iv_datum = {
+		.data = iv->data,
+		.size = iv->length,
+	};
+	uint8_t enc_key_data[32] = {0};
+	gnutls_datum_t enc_key = {
+		.data = enc_key_data,
+		.size = sizeof(enc_key_data),
+	};
+	uint8_t *cipher_text = NULL;
+	size_t cipher_text_len = 0;
+	uint8_t mac_key_data[64] = {0};
+	gnutls_datum_t mac_key = {
+		.data = mac_key_data,
+		.size = sizeof(mac_key_data),
+	};
+	uint8_t version_byte = SAMR_AES_VERSION_BYTE;
+	uint8_t version_byte_len = SAMR_AES_VERSION_BYTE_LEN;
+	uint8_t auth_data[hmac_size];
+	DATA_BLOB padded_plaintext;
+	size_t padding;
+	NTSTATUS status;
+	int rc;
+
+	if (plaintext->length == 0 || cek->length == 0 ||
+	    key_salt->length == 0 || mac_salt->length == 0 || iv->length == 0) {
+		return NT_STATUS_INVALID_PARAMETER;
+	}
+
+	/*
+	 * PKCS#7 padding
+	 *
+	 * TODO: Use gnutls_cipher_encrypt3()
+	 */
+
+	if (plaintext->length + aes_block_size < plaintext->length) {
+		return NT_STATUS_INVALID_BUFFER_SIZE;
+	}
+
+	padded_plaintext.length =
+		aes_block_size * (plaintext->length / aes_block_size) +
+		aes_block_size;
+
+	padding = padded_plaintext.length - plaintext->length;
+
+	padded_plaintext =
+		data_blob_talloc(mem_ctx, NULL, padded_plaintext.length);
+	if (padded_plaintext.data == NULL) {
+		return NT_STATUS_NO_MEMORY;
+	}
+
+	/* Allocate buffer for cipher text */
+	cipher_text_len = padded_plaintext.length;
+	cipher_text = talloc_size(mem_ctx, cipher_text_len);
+	if (cipher_text == NULL) {
+		data_blob_free(&padded_plaintext);
+		return NT_STATUS_NO_MEMORY;
+	}
+
+	memcpy(padded_plaintext.data, plaintext->data, plaintext->length);
+	memset(padded_plaintext.data + plaintext->length, padding, padding);
+
+	status = calculate_enc_key(cek, key_salt, enc_key_data);
+	if (!NT_STATUS_IS_OK(status)) {
+		data_blob_clear_free(&padded_plaintext);
+		return status;
+	}
+
+	/* Encrypt plaintext */
+	rc = gnutls_cipher_init(&cipher_hnd, cipher_algo, &enc_key, &iv_datum);
+	if (rc < 0) {
+		data_blob_clear_free(&padded_plaintext);
+		BURN_DATA(enc_key_data);
+		TALLOC_FREE(cipher_text);
+		return gnutls_error_to_ntstatus(rc,
+						NT_STATUS_ENCRYPTION_FAILED);
+	}
+
+	rc = gnutls_cipher_encrypt2(cipher_hnd,
+				    padded_plaintext.data,
+				    padded_plaintext.length,
+				    cipher_text,
+				    cipher_text_len);
+	gnutls_cipher_deinit(cipher_hnd);
+	data_blob_clear_free(&padded_plaintext);
+	BURN_DATA(enc_key_data);
+	if (rc < 0) {
+		TALLOC_FREE(cipher_text);
+		return gnutls_error_to_ntstatus(rc,
+						NT_STATUS_ENCRYPTION_FAILED);
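Review bot: The early return after a failed `calculate_enc_key()` in `samba_gnutls_aead_aes_256_cbc_hmac_sha512_encrypt()` clears `padded_plaintext` but leaves `cipher_text` allocated on `mem_ctx`, whereas both later error paths (after `gnutls_cipher_init()` and `gnutls_cipher_encrypt2()`) call `TALLOC_FREE(cipher_text)`. Adding `TALLOC_FREE(cipher_text);` before `return status;` in that branch would make the paths consistent; with a long-lived `mem_ctx` the buffer otherwise stays allocated until the context is freed. The same branch also skips `BURN_DATA(enc_key_data)`, which looks harmless here because `calculate_enc_key()` copies into its output only on success, but a single cleanup label would keep the wiping uniform if more exit paths are added. The function body continues past the end of the visible hunk, so the MAC computation and the final cleanup of `mac_key_data` could not be checked.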


-- 
Samba Shared Repository


