The branch, master has been updated via 9d5044fe97b s3:modules: Use hash_inode() in vfs_streams_xattr via 10f828629bb s3:modules: Use hash_inode() in vfs_fruit via 855540a8998 s3:modules: Allow SHA1 usage for file IDs in FIPS mode via cf0442bff13 s3:modules: Add hash_inode() function based on SHA1 from fa2d5b3daa0 lib: Fix return of server_id_db_prune_name()
https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log ----------------------------------------------------------------- commit 9d5044fe97b16158260c504979a1fc808fa901d4 Author: Andreas Schneider <a...@samba.org> Date: Tue Jun 18 17:09:29 2019 +0200 s3:modules: Use hash_inode() in vfs_streams_xattr Signed-off-by: Andreas Schneider <a...@samba.org> Reviewed-by: Ralph Boehme <s...@samba.org> Autobuild-User(master): Andreas Schneider <a...@cryptomilk.org> Autobuild-Date(master): Wed Jul 3 12:37:12 UTC 2019 on sn-devel-184 commit 10f828629bb81a651b9e8aab002a84c053f37387 Author: Andreas Schneider <a...@samba.org> Date: Tue Jun 18 16:58:29 2019 +0200 s3:modules: Use hash_inode() in vfs_fruit Signed-off-by: Andreas Schneider <a...@samba.org> Reviewed-by: Ralph Boehme <s...@samba.org> commit 855540a8998630646477f2dce8911170e252e633 Author: Andreas Schneider <a...@samba.org> Date: Mon Jul 1 16:36:13 2019 +0200 s3:modules: Allow SHA1 usage for file IDs in FIPS mode This is non-cryptographic use! Signed-off-by: Andreas Schneider <a...@samba.org> Reviewed-by: Ralph Boehme <s...@samba.org> commit cf0442bff13e37507bc37455f2823d0179f783aa Author: Andreas Schneider <a...@samba.org> Date: Tue Jun 18 16:56:43 2019 +0200 s3:modules: Add hash_inode() function based on SHA1 This should use SHA1 as modern CPUs have SHA NI instruction support. Signed-off-by: Andreas Schneider <a...@samba.org> Reviewed-by: Ralph Boehme <s...@samba.org> ----------------------------------------------------------------------- Summary of changes: source3/modules/hash_inode.c | 95 ++++++++++++++++++++++ .../modules/hash_inode.h | 16 ++-- source3/modules/vfs_fruit.c | 80 +++--------------- source3/modules/vfs_streams_xattr.c | 65 +-------------- source3/modules/wscript_build | 8 +- 5 files changed, 122 insertions(+), 142 deletions(-) create mode 100644 source3/modules/hash_inode.c copy lib/mscat/mscat_private.h => source3/modules/hash_inode.h (73%) Changeset truncated at 500 lines: 
diff --git a/source3/modules/hash_inode.c b/source3/modules/hash_inode.c
new file mode 100644
index 00000000000..231538c72cb
--- /dev/null
+++ b/source3/modules/hash_inode.c
@@ -0,0 +1,95 @@
+/*
+ * Unix SMB/Netbios implementation.
+ *
+ * Copyright (c) 2019 Andreas Schneider <a...@samba.org>
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include "includes.h"
+#include "hash_inode.h"
+
+#include <gnutls/gnutls.h>
+#include <gnutls/crypto.h>
+
+/* Those macros are only available in GnuTLS >= 3.6.4 */
+#ifndef GNUTLS_FIPS140_SET_LAX_MODE
+#define GNUTLS_FIPS140_SET_LAX_MODE()
+#endif
+
+#ifndef GNUTLS_FIPS140_SET_STRICT_MODE
+#define GNUTLS_FIPS140_SET_STRICT_MODE()
+#endif
+
+SMB_INO_T hash_inode(const SMB_STRUCT_STAT *sbuf, const char *sname)
+{
+ gnutls_hash_hd_t hash_hnd = NULL;
+ uint8_t digest[gnutls_hash_get_len(GNUTLS_DIG_SHA1)];
+ char *upper_sname = NULL;
+ SMB_INO_T result = 0;
+ int rc;
+
+ DBG_DEBUG("hash_inode called for %ju/%ju [%s]\n",
+ (uintmax_t)sbuf->st_ex_dev,
+ (uintmax_t)sbuf->st_ex_ino,
+ sname);
+
+ upper_sname = talloc_strdup_upper(talloc_tos(), sname);
+ SMB_ASSERT(upper_sname != NULL);
+
+ GNUTLS_FIPS140_SET_LAX_MODE();
+
+ rc = gnutls_hash_init(&hash_hnd, GNUTLS_DIG_SHA1);
+ if (rc < 0) {
+ goto out;
+ }
+
+ rc = gnutls_hash(hash_hnd,
+ &(sbuf->st_ex_dev),
+ sizeof(sbuf->st_ex_dev));
+ if (rc < 0) {
+ gnutls_hash_deinit(hash_hnd, NULL);
+ goto out;
+ }
+ rc = gnutls_hash(hash_hnd,
+ &(sbuf->st_ex_ino),
+ sizeof(sbuf->st_ex_ino));
+ if (rc < 0) {
+ gnutls_hash_deinit(hash_hnd, NULL);
+ goto out;
+ }
+ rc = gnutls_hash(hash_hnd, + upper_sname, + talloc_get_size(upper_sname) - 1); + if (rc < 0) { + gnutls_hash_deinit(hash_hnd, NULL); + goto out; + } + + gnutls_hash_deinit(hash_hnd, digest); + + memcpy(&result, digest, sizeof(result)); + DBG_DEBUG("fruit_inode \"%s\": ino=%ju\n", + sname, (uintmax_t)result); + +out: + GNUTLS_FIPS140_SET_STRICT_MODE(); + TALLOC_FREE(upper_sname); + + DBG_DEBUG("hash_inode '%s': ino=%ju\n", + sname, + (uintmax_t)result); + + return result; +} diff --git a/lib/mscat/mscat_private.h b/source3/modules/hash_inode.h similarity index 73% copy from lib/mscat/mscat_private.h copy to source3/modules/hash_inode.h index d79b364ceb0..e08fc48aa15 100644 --- a/lib/mscat/mscat_private.h +++ b/source3/modules/hash_inode.h @@ -1,5 +1,7 @@ /* - * Copyright (c) 2016 Andreas Schneider <a...@samba.org> + * Unix SMB/Netbios implementation. + * + * Copyright (c) 2019 Andreas Schneider <a...@samba.org> * * This program is free software: you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by @@ -15,13 +17,9 @@ * along with this program. If not, see <http://www.gnu.org/licenses/>. */ -#ifndef _MSCAT_PRIVATE_H -#define _MSCAT_PRIVATE_H - -#include <gnutls/pkcs7.h> +#ifndef _HASH_INODE_H +#define _HASH_INODE_H -struct mscat_pkcs7 { - gnutls_pkcs7_t c; -}; +SMB_INO_T hash_inode(const SMB_STRUCT_STAT *sbuf, const char *sname); -#endif /* _MSCAT_PRIVATE_H */ +#endif /* _HASH_INODE_H */ diff --git a/source3/modules/vfs_fruit.c b/source3/modules/vfs_fruit.c index 78ea5140464..b5b8538457e 100644 --- a/source3/modules/vfs_fruit.c +++ b/source3/modules/vfs_fruit.c @@ -32,9 +32,7 @@ #include "lib/util/tevent_unix.h" #include "offload_token.h" #include "string_replace.h" - -#include <gnutls/gnutls.h> -#include <gnutls/crypto.h> +#include "hash_inode.h" /* * Enhanced OS X and Netatalk compatibility 
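Review bot: Every failure branch in hash_inode() jumps to `out` with `result` still 0 and nothing logged above debug level, so if gnutls_hash_init() or gnutls_hash() fails, each caller in vfs_fruit and vfs_streams_xattr stores inode 0 into st_ex_ino and the affected streams silently share one file ID. I would log the cause before each `goto out`, for example `DBG_ERR("gnutls hash failed: %s\n", gnutls_strerror(rc));`, so a broken or FIPS-restricted crypto backend is visible to the operator. The unconditional `GNUTLS_FIPS140_SET_STRICT_MODE()` at `out` appears to force strict mode rather than restore whatever mode the thread had on entry; if any caller can already be running in lax mode, this would tighten it behind its back, which is worth confirming. The `DBG_DEBUG("fruit_inode \"%s\": ino=%ju\n", ...)` line is a leftover from the copied function and duplicates the message printed right after `out`; it can be dropped. Since `digest` is a VLA sized by gnutls_hash_get_len(), a fixed `uint8_t digest[20];` would make the `memcpy(&result, digest, sizeof(result))` bound obvious at compile time.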
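Review bot: The new prototype in hash_inode.h carries no comment, and the one-line description that sat on fruit_inode() is deleted in vfs_fruit.c by this same commit, so the shared helper's contract is now undocumented. I would add above the declaration `/* Fake an inode number for a stream: SHA1 over dev, ino and the upper-cased stream name, truncated to sizeof(SMB_INO_T). Returns 0 if hashing fails. Non-cryptographic use. */`. The header also uses SMB_INO_T and SMB_STRUCT_STAT without including anything that declares them, so it only compiles when includes.h has been pulled in first; a short note saying so, or the needed include, would make that dependency explicit. The guard name `_HASH_INODE_H` starts with an underscore followed by a capital letter, which is a reserved identifier form; `HASH_INODE_H` avoids that.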
@@ -2364,64 +2362,6 @@ static AfpInfo *afpinfo_unpack(TALLOC_CTX *ctx, const void *data) return ai; } -/** - * Fake an inode number from the md5 hash of the (xattr) name - **/ -static SMB_INO_T fruit_inode(const SMB_STRUCT_STAT *sbuf, const char *sname) -{ - gnutls_hash_hd_t hash_hnd = NULL; - unsigned char hash[16]; - SMB_INO_T result = 0; - char *upper_sname; - int rc; - - DBG_DEBUG("fruit_inode called for %ju/%ju [%s]\n", - (uintmax_t)sbuf->st_ex_dev, - (uintmax_t)sbuf->st_ex_ino, sname); - - upper_sname = talloc_strdup_upper(talloc_tos(), sname); - SMB_ASSERT(upper_sname != NULL); - - rc = gnutls_hash_init(&hash_hnd, GNUTLS_DIG_MD5); - if (rc < 0) { - goto out; - } - - rc = gnutls_hash(hash_hnd, &(sbuf->st_ex_dev), sizeof(sbuf->st_ex_dev)); - if (rc < 0) { - gnutls_hash_deinit(hash_hnd, NULL); - goto out; - } - rc = gnutls_hash(hash_hnd, - &(sbuf->st_ex_ino), - sizeof(sbuf->st_ex_ino)); - if (rc < 0) { - gnutls_hash_deinit(hash_hnd, NULL); - goto out; - } - rc = gnutls_hash(hash_hnd, - upper_sname, - talloc_get_size(upper_sname) - 1); - if (rc < 0) { - gnutls_hash_deinit(hash_hnd, NULL); - goto out; - } - - gnutls_hash_deinit(hash_hnd, hash); - - /* Hopefully all the variation is in the lower 4 (or 8) bytes! */ - memcpy(&result, hash, sizeof(result)); - ZERO_ARRAY(hash); - - DBG_DEBUG("fruit_inode \"%s\": ino=%ju\n", - sname, (uintmax_t)result); - -out: - TALLOC_FREE(upper_sname); - - return result; -} - static bool add_fruit_stream(TALLOC_CTX *mem_ctx, unsigned int *num_streams, struct stream_struct **streams, const char *name, off_t size, @@ -5013,7 +4953,7 @@ static int fruit_stat_meta_stream(vfs_handle_struct *handle, return -1; } - ino = fruit_inode(&smb_fname->st, smb_fname->stream_name); + ino = hash_inode(&smb_fname->st, smb_fname->stream_name); if (follow_links) { ret = SMB_VFS_NEXT_STAT(handle, smb_fname); 
@@ -5046,7 +4986,7 @@ static int fruit_stat_meta_netatalk(vfs_handle_struct *handle, return -1; } smb_fname->st.st_ex_size = AFP_INFO_SIZE; - smb_fname->st.st_ex_ino = fruit_inode(&smb_fname->st, + smb_fname->st.st_ex_ino = hash_inode(&smb_fname->st, smb_fname->stream_name); return 0; } @@ -5099,7 +5039,7 @@ static int fruit_stat_rsrc_netatalk(vfs_handle_struct *handle, } smb_fname->st.st_ex_size = ad_getentrylen(ad, ADEID_RFORK); - smb_fname->st.st_ex_ino = fruit_inode(&smb_fname->st, + smb_fname->st.st_ex_ino = hash_inode(&smb_fname->st, smb_fname->stream_name); TALLOC_FREE(ad); return 0; @@ -5151,8 +5091,8 @@ static int fruit_stat_rsrc_xattr(vfs_handle_struct *handle, close(fd); fd = -1; - smb_fname->st.st_ex_ino = fruit_inode(&smb_fname->st, - smb_fname->stream_name); + smb_fname->st.st_ex_ino = hash_inode(&smb_fname->st, + smb_fname->stream_name); return ret; @@ -5293,7 +5233,7 @@ static int fruit_fstat_meta_stream(vfs_handle_struct *handle, *sbuf = fsp->base_fsp->fsp_name->st; sbuf->st_ex_size = AFP_INFO_SIZE; - sbuf->st_ex_ino = fruit_inode(sbuf, fsp->fsp_name->stream_name); + sbuf->st_ex_ino = hash_inode(sbuf, fsp->fsp_name->stream_name); return 0; } @@ -5307,7 +5247,7 @@ static int fruit_fstat_meta_stream(vfs_handle_struct *handle, } *sbuf = smb_fname.st; - ino = fruit_inode(sbuf, fsp->fsp_name->stream_name); + ino = hash_inode(sbuf, fsp->fsp_name->stream_name); ret = SMB_VFS_NEXT_FSTAT(handle, fsp, sbuf); if (ret != 0) { @@ -5331,7 +5271,7 @@ static int fruit_fstat_meta_netatalk(vfs_handle_struct *handle, *sbuf = fsp->base_fsp->fsp_name->st; sbuf->st_ex_size = AFP_INFO_SIZE; - sbuf->st_ex_ino = fruit_inode(sbuf, fsp->fsp_name->stream_name); + sbuf->st_ex_ino = hash_inode(sbuf, fsp->fsp_name->stream_name); return 0; } 
@@ -5401,7 +5341,7 @@ static int fruit_fstat_rsrc_adouble(vfs_handle_struct *handle, *sbuf = fsp->base_fsp->fsp_name->st; sbuf->st_ex_size = ad_getentrylen(ad, ADEID_RFORK); - sbuf->st_ex_ino = fruit_inode(sbuf, fsp->fsp_name->stream_name); + sbuf->st_ex_ino = hash_inode(sbuf, fsp->fsp_name->stream_name); TALLOC_FREE(ad); return 0; diff --git a/source3/modules/vfs_streams_xattr.c b/source3/modules/vfs_streams_xattr.c index 4050d9319fe..3e840d9535e 100644 --- a/source3/modules/vfs_streams_xattr.c +++ b/source3/modules/vfs_streams_xattr.c @@ -26,9 +26,7 @@ #include "system/filesys.h" #include "lib/util/tevent_unix.h" #include "librpc/gen_ndr/ioctl.h" - -#include <gnutls/gnutls.h> -#include <gnutls/crypto.h> +#include "hash_inode.h" #undef DBGC_CLASS #define DBGC_CLASS DBGC_VFS 
@@ -47,61 +45,6 @@ struct stream_io { vfs_handle_struct *handle; }; -static SMB_INO_T stream_inode(const SMB_STRUCT_STAT *sbuf, const char *sname) -{ - unsigned char hash[16]; - gnutls_hash_hd_t hash_hnd = NULL; - SMB_INO_T result = 0; - char *upper_sname; - int rc; - - DEBUG(10, ("stream_inode called for %lu/%lu [%s]\n", - (unsigned long)sbuf->st_ex_dev, - (unsigned long)sbuf->st_ex_ino, sname)); - - upper_sname = talloc_strdup_upper(talloc_tos(), sname); - SMB_ASSERT(upper_sname != NULL); - - rc = gnutls_hash_init(&hash_hnd, GNUTLS_DIG_MD5); - if (rc < 0) { - goto out; - } - - rc = gnutls_hash(hash_hnd, &(sbuf->st_ex_dev), sizeof(sbuf->st_ex_dev)); - if (rc < 0) { - gnutls_hash_deinit(hash_hnd, NULL); - goto out; - } - rc = gnutls_hash(hash_hnd, - &(sbuf->st_ex_ino), - sizeof(sbuf->st_ex_ino)); - if (rc < 0) { - gnutls_hash_deinit(hash_hnd, NULL); - goto out; - } - rc = gnutls_hash(hash_hnd, - upper_sname, - talloc_get_size(upper_sname) - 1); - if (rc < 0) { - gnutls_hash_deinit(hash_hnd, NULL); - goto out; - } - - gnutls_hash_deinit(hash_hnd, hash); - - - /* Hopefully all the variation is in the lower 4 (or 8) bytes! */ - memcpy(&result, hash, sizeof(result)); - ZERO_ARRAY(hash); - - DEBUG(10, ("stream_inode returns %lu\n", (unsigned long)result)); - -out: - TALLOC_FREE(upper_sname); - - return result; -} - static ssize_t get_xattr_size(connection_struct *conn, const struct smb_filename *smb_fname, const char *xattr_name) @@ -304,7 +247,7 @@ static int streams_xattr_fstat(vfs_handle_struct *handle, files_struct *fsp, DEBUG(10, ("sbuf->st_ex_size = %d\n", (int)sbuf->st_ex_size)); - sbuf->st_ex_ino = stream_inode(sbuf, io->xattr_name); + sbuf->st_ex_ino = hash_inode(sbuf, io->xattr_name); sbuf->st_ex_mode &= ~S_IFMT; sbuf->st_ex_mode &= ~S_IFDIR; sbuf->st_ex_mode |= S_IFREG; 
@@ -359,7 +302,7 @@ static int streams_xattr_stat(vfs_handle_struct *handle, goto fail; } - smb_fname->st.st_ex_ino = stream_inode(&smb_fname->st, xattr_name); + smb_fname->st.st_ex_ino = hash_inode(&smb_fname->st, xattr_name); smb_fname->st.st_ex_mode &= ~S_IFMT; smb_fname->st.st_ex_mode &= ~S_IFDIR; smb_fname->st.st_ex_mode |= S_IFREG; @@ -412,7 +355,7 @@ static int streams_xattr_lstat(vfs_handle_struct *handle, goto fail; } - smb_fname->st.st_ex_ino = stream_inode(&smb_fname->st, xattr_name); + smb_fname->st.st_ex_ino = hash_inode(&smb_fname->st, xattr_name); smb_fname->st.st_ex_mode &= ~S_IFMT; smb_fname->st.st_ex_mode |= S_IFREG; smb_fname->st.st_ex_blocks = diff --git a/source3/modules/wscript_build b/source3/modules/wscript_build index 35010bb0e3b..5e0047da917 100644 --- a/source3/modules/wscript_build +++ b/source3/modules/wscript_build @@ -36,6 +36,10 @@ bld.SAMBA3_SUBSYSTEM('OFFLOAD_TOKEN', bld.SAMBA3_SUBSYSTEM('STRING_REPLACE', source='string_replace.c') +bld.SAMBA3_SUBSYSTEM('HASH_INODE', + source='hash_inode.c', + deps='gnutls') + # # This is always be static, see # source3/wscript: required_static_modules @@ -119,7 +123,7 @@ bld.SAMBA3_MODULE('vfs_netatalk', bld.SAMBA3_MODULE('vfs_fruit', subsystem='vfs', source='vfs_fruit.c', - deps='samba-util OFFLOAD_TOKEN STRING_REPLACE', + deps='samba-util OFFLOAD_TOKEN STRING_REPLACE HASH_INODE', init_function='', internal_module=bld.SAMBA3_IS_STATIC_MODULE('vfs_fruit'), enabled=bld.SAMBA3_IS_ENABLED_MODULE('vfs_fruit')) @@ -311,7 +315,7 @@ bld.SAMBA3_MODULE('vfs_catia', bld.SAMBA3_MODULE('vfs_streams_xattr', subsystem='vfs', source='vfs_streams_xattr.c', - deps='samba-util', + deps='samba-util HASH_INODE', init_function='', internal_module=bld.SAMBA3_IS_STATIC_MODULE('vfs_streams_xattr'), enabled=bld.SAMBA3_IS_ENABLED_MODULE('vfs_streams_xattr')) -- Samba Shared Repository