The branch, master has been updated
via 1f923e067db s3:rpc_server: Only dump passwords in developer builds
via 93d424528f1 netlogon: Fix potential use of uninitialized variable
via 1c84bda3616 s3:rpc_server: Use a stackframe for temporary memory
via 52b3f921ad2 s3:utils: Use a stackframe for temporary memory
via 9158a6ba869 s3:rpcclient: Use a stackframe for temporary memory
via fa09e811ca6 s3:lib: Use the passed mem_ctx instead of talloc_tos()
via 9ede63fbada lib:crypto: Don't build RC4 if we have GnuTLS >= 3.4.7
via 14c4a075875 lib:crypto: Remove arcfour.h from crypto.h
via fc4ae06001f lib:crypto: Use GnuTLS RC4 in py_crypto
via 301544ab2b0 s4:torture: Use init_samr_CryptPassword in testjoin RPC
test
via 5740e9516f3 s4:torture: Use samba_gnutls_arcfour_confounded_md5()
in test_ChangePasswordRandomBytes
via 82a6480611f s4:torture: Use GnuTLS RC4 in
test_ChangePasswordRandomBytes
via 19d9c2c01a5 s4:torture: Use init_samr_CryptPassword in
test_ChangePasswordRandomBytes
via 8380668be79 s4:torture: clarify comments and variable names in
"ChangePasswordUser3 tests
via 5b7c21fca57 s4:torture: Use init_samr_CryptPassword in
test_ChangePasswordUser3
via a476a2e3322 s4:torture: Use GnuTLS RC4 in
test_ChangePasswordUser2_ntstatus
via 9cbdf7b2e5f s4_torture: Use GnuTLS RC4 in test_ChangePasswordUser2
via 1b1c302a7db s4:torture: Use init_samr_CryptPassword in
test_ChangePasswordUser2_ntstatus
via dfda49472e0 s4:torture: Use init_samr_CryptPassword in
test_ChangePasswordUser2
via b512b597449 s4:torture: Use GnuTLS RC4 in
test_OemChangePasswordUser2
via f45ba47afb1 s4:torture: Use init_samr_CryptPassword in
test_SetUserPass_level_ex
via 3b9496d9054 s4:torture: Use init_samr_CryptPassword in
test_SetUserPass_25
via e398ecbd8e3 s4:torture: Use init_samr_CryptPassword in
test_SetUserPassEx
via b0b9cabc4de s4:torture: Use init_samr_CryptPassword in
test_SetUserPass_23
via 70e05d7eb78 s4:torture: Use init_samr_CryptPassword in
test_SetUserPass
via 80f5beb4804 s4:torture: Use init_samr_CryptPassword(Ex) in
samba3rpc test
via 811c412da5c s4:torture: Use GnuTLS RC4 for RAP SAM test
via 4326e7de6ba s4:rpc_server: Use GnuTLS RC4 for samr password
via 9363abfb5fc s4:rpc_server: Use
samba_gnutls_arcfour_confounded_md5() in samr_set_password_ex()
via 359ae5be0d2 s3:utils: Use GnuTLS RC4 in ntlm_auth
via cd0b5e5d937 s3:rpc_server: Use GnuTLS RC4 to decrypt samr password
buffers
via d31f6a6803c s3:rpc_server: Use GnuTLS RC4 in samr password check
via a95647e12ac s3:rpc_client: Use init_samr_CryptPassword in cli_samr
rpc_client
via 0947d8388de s3:libsmb: Use GnuTLS RC4 in clirap
via 7bd502dcdb4 auth:ntlmssp: Use GnuTLS RC4 for ntlmssp signing
via cb4025a5023 auth:ntlmssp: Use GnuTLS RC4 in ntlmssp client
via bcf7808d3aa libcli:auth: Use samba_gnutls_arcfour_confounded_md5()
in decode_wkssvc_join_password_buffer()
via 85e2a3c96ad libcli:auth: Use samba_gnutls_arcfour_confounded_md5()
in encode_wkssvc_join_password_buffer()
via f4a16bfba8d libcli:auth: Add test for
(encode|decode)_wkssvc_join_password_buffer
via 576bcf61555 libcli:auth: Return WERROR for
encode_wkssvc_join_password_buffer()
via 9ea736590d9 s4:libnet: Use GnuTLS RC4 in
libnet_ChangePassword_samr()
via cdb4e127652 s4:libnet: Use GnuTLS RC4 in
libnet_SetPassword_samr_handle_23()
via 18937f9ceb5 s4:libnet: Use GnuTLS RC4 in
libnet_SetPassword_samr_handle_24()
via e44ba0397c7 s4:libnet: Use encode_rc4_passwd_buffer() in
libnet_SetPassword_samr_handle_25()
via 5afa402bb7b s4:libnet: Use encode_rc4_passwd_buffer() in
libnet_SetPassword_samr_handle_26()
via f0c0cf299eb s3:rpc_client: Use encode_rc4_passwd_buffer() in
init_samr_CryptPasswordEx()
via fe00b3735a7 libcli:auth: Add test for encode_rc4_passwd_buffer()
via 06d46c447e6 libcli:auth: Add encode_rc4_passwd_buffer()
via 79ca72ec3d1 libcli:auth: Pass samr_CryptPasswordEx to
decode_rc4_passwd_buffer()
via 89f8b028e2d libcli:auth: Rename
encode_or_decode_arc4_passwd_buffer()
via dea160820a3 libcli:auth: Use samba_gnutls_arcfour_confounded_md5()
for rc4 passwd buffer
via 95db9a81db0 s3:rpc_client: Use GnuTLS RC4 in
init_samr_CryptPassword()
via 2075019ca90 s3:rpc_client: Use samba_gnutls_arcfour_confounded_md5
in init_samr_CryptPasswordEx
via 7ccc76f951a libcli:auth: Add test for decoding an RC4 password
buffer
via 57dd415ba49 libcli:auth: Return NTSTATUS for
encode_or_decode_arc4_passwd_buffer()
via 7915a48e53c s3:rpc_client: Return NTSTATUS for
init_samr_CryptPasswordEx()
via 4b9b1dbe9c8 s3:rpc_client: Return NTSTATUS for
init_samr_CryptPassword()
via baa96ef2094 lib:crypto: Document
samba_gnutls_arcfour_confounded_md5()
via e43678b84a3 lib:crypto: Document gnutls_error_to_werror()
via 5e62358fbf9 lib:crypto: Document gnutls_error_to_ntstatus()
from 3913b9a4088 s3/lib: clang: Fix 'access to field results in a deref
of a null pointer'
https://git.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit 1f923e067dbe358c17cbccfe179baa811aa3b8b3
Author: Andreas Schneider <a...@samba.org>
Date: Tue Jul 16 16:13:17 2019 +0200
s3:rpc_server: Only dump passwords in developer builds
Signed-off-by: Andreas Schneider <a...@samba.org>
Reviewed-by: Andrew Bartlett <abart...@samba.org>
Autobuild-User(master): Andrew Bartlett <abart...@samba.org>
Autobuild-Date(master): Fri Jul 26 03:05:01 UTC 2019 on sn-devel-184
commit 93d424528f1c3d0d50ebd8a784f4624b2721d416
Author: David Disseldorp <dd...@samba.org>
Date: Fri Jul 12 17:29:23 2019 +0200
netlogon: Fix potential use of uninitialized variable
The _netr_NetrEnumerateTrustedDomains()->dcerpc_lsa_open_policy2() error
path checks the policy handle and closes it if non-empty. The policy
handle may be uninitialized in this code-path - fix this.
Signed-off-by: David Disseldorp <dd...@samba.org>
Reviewed-by: Andreas Schneider <a...@samba.org>
Reviewed-by: Andrew Bartlett <abart...@samba.org>
commit 1c84bda361678cb6c4685cff17a2d5a5026f2bce
Author: Andreas Schneider <a...@samba.org>
Date: Tue Jul 16 16:02:12 2019 +0200
s3:rpc_server: Use a stackframe for temporary memory
Signed-off-by: Andreas Schneider <a...@samba.org>
Reviewed-by: Andrew Bartlett <abart...@samba.org>
commit 52b3f921ad2d04cb30232a6aadf261c9fc9aafb2
Author: Andreas Schneider <a...@samba.org>
Date: Tue Jul 16 15:49:43 2019 +0200
s3:utils: Use a stackframe for temporary memory
Signed-off-by: Andreas Schneider <a...@samba.org>
Reviewed-by: Andrew Bartlett <abart...@samba.org>
commit 9158a6ba8693070f3b2b71dd15089488869ab6cd
Author: Andreas Schneider <a...@samba.org>
Date: Tue Jul 16 15:45:51 2019 +0200
s3:rpcclient: Use a stackframe for temporary memory
Signed-off-by: Andreas Schneider <a...@samba.org>
Reviewed-by: Andrew Bartlett <abart...@samba.org>
commit fa09e811ca6fb08a66940380b310ce9794397071
Author: Andreas Schneider <a...@samba.org>
Date: Tue Jul 16 15:20:23 2019 +0200
s3:lib: Use the passed mem_ctx instead of talloc_tos()
Signed-off-by: Andreas Schneider <a...@samba.org>
Reviewed-by: Andrew Bartlett <abart...@samba.org>
commit 9ede63fbada7842cd9ae120936bc6bd4b6ad16ac
Author: Andreas Schneider <a...@samba.org>
Date: Fri Feb 22 13:28:01 2019 +0100
lib:crypto: Don't build RC4 if we have GnuTLS >= 3.4.7
We have a GnuTLS DCEPRC backupkey implementation for the server and the
test. However this is only working with GnuTLS >= 3.4.7. So we need to
keep this around till we can require at least GnuTLS in a newer version.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14031
Signed-off-by: Andreas Schneider <a...@samba.org>
Reviewed-by: Andrew Bartlett <abart...@samba.org>
commit 14c4a075875860e709a9e2e52aad83aa4c58a5ad
Author: Andreas Schneider <a...@samba.org>
Date: Tue Feb 26 18:18:36 2019 +0100
lib:crypto: Remove arcfour.h from crypto.h
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14031
Signed-off-by: Andreas Schneider <a...@samba.org>
Reviewed-by: Andrew Bartlett <abart...@samba.org>
commit fc4ae06001fbb0045318a8cec7af6af81241c60e
Author: Andreas Schneider <a...@samba.org>
Date: Fri Feb 22 12:59:13 2019 +0100
lib:crypto: Use GnuTLS RC4 in py_crypto
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14031
Signed-off-by: Andreas Schneider <a...@samba.org>
Reviewed-by: Andrew Bartlett <abart...@samba.org>
commit 301544ab2b0c85752d5307f2daab59652c08e1e0
Author: Andreas Schneider <a...@samba.org>
Date: Fri Feb 22 13:06:34 2019 +0100
s4:torture: Use init_samr_CryptPassword in testjoin RPC test
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14031
Signed-off-by: Andreas Schneider <a...@samba.org>
Reviewed-by: Andrew Bartlett <abart...@samba.org>
commit 5740e9516f3587e3a9f72cf52cfe1eedd940b2a9
Author: Andrew Bartlett <abart...@samba.org>
Date: Thu Jul 25 13:07:48 2019 +1200
s4:torture: Use samba_gnutls_arcfour_confounded_md5() in
test_ChangePasswordRandomBytes
This ensures GnuTLS is used as the underlying RC4 crypto engine
Signed-off-by: Andrew Bartlett <abart...@samba.org>
Reviewed-by: Andreas Schneider <a...@samba.org>
commit 82a6480611f791a3c26fcf70975e6f8b3b1757ad
Author: Andreas Schneider <a...@samba.org>
Date: Wed Jul 24 16:01:31 2019 +0200
s4:torture: Use GnuTLS RC4 in test_ChangePasswordRandomBytes
Signed-off-by: Andreas Schneider <a...@samba.org>
Signed-off-by: Andrew Bartlett <abart...@samba.org>
Reviewed-by: Andrew Bartlett <abart...@samba.org>
commit 19d9c2c01a54957bc3852e2565d92c1cdd89498b
Author: Andrew Bartlett <abart...@samba.org>
Date: Thu Jul 25 17:43:23 2019 +1200
s4:torture: Use init_samr_CryptPassword in test_ChangePasswordRandomBytes
This allows the use of GnuTLS for the underlying RC4 crypto
Signed-off-by: Andrew Bartlett <abart...@samba.org>
Reviewed-by: Andreas Schneider <a...@samba.org>
commit 8380668be7963b74cbbd31bfab3d01d1f3089034
Author: Andrew Bartlett <abart...@samba.org>
Date: Thu Jul 25 17:18:50 2019 +1200
s4:torture: clarify comments and variable names in "ChangePasswordUser3
tests
There is no session key here, the buffers are directly encrypted
with the long-term passwords.
Signed-off-by: Andrew Bartlett <abart...@samba.org>
Reviewed-by: Andreas Schneider <a...@samba.org>
commit 5b7c21fca576bf6e44233d69b47273058b9197c8
Author: Andreas Schneider <a...@samba.org>
Date: Wed Jul 24 16:01:02 2019 +0200
s4:torture: Use init_samr_CryptPassword in test_ChangePasswordUser3
Signed-off-by: Andreas Schneider <a...@samba.org>
Reviewed-by: Andrew Bartlett <abart...@samba.org>
commit a476a2e3322a550e2857cb5a66096fa3e46416d3
Author: Andreas Schneider <a...@samba.org>
Date: Wed Jul 24 16:00:32 2019 +0200
s4:torture: Use GnuTLS RC4 in test_ChangePasswordUser2_ntstatus
Signed-off-by: Andreas Schneider <a...@samba.org>
Reviewed-by: Andrew Bartlett <abart...@samba.org>
commit 9cbdf7b2e5f734e9b5e0e447d54d720d18977950
Author: Andreas Schneider <a...@samba.org>
Date: Wed Jul 24 16:24:18 2019 +0200
s4_torture: Use GnuTLS RC4 in test_ChangePasswordUser2
This uses STR_ASCII as string encodings.
Signed-off-by: Andreas Schneider <a...@samba.org>
Reviewed-by: Andrew Bartlett <abart...@samba.org>
commit 1b1c302a7db23bf4377b8fa742ebf7ae913e3511
Author: Andrew Bartlett <abart...@samba.org>
Date: Thu Jul 25 16:52:41 2019 +1200
s4:torture: Use init_samr_CryptPassword in test_ChangePasswordUser2_ntstatus
This allows the use of GnuTLS for the RC4 crypto operation
Signed-off-by: Andrew Bartlett <abart...@samba.org>
Reviewed-by: Andreas Schneider <a...@samba.org>
commit dfda49472e0b4a81653963e80d8d65788f80a591
Author: Andrew Bartlett <abart...@samba.org>
Date: Thu Jul 25 16:46:06 2019 +1200
s4:torture: Use init_samr_CryptPassword in test_ChangePasswordUser2
This allows the use of GnuTLS for the RC4 crypto operation
Signed-off-by: Andrew Bartlett <abart...@samba.org>
Reviewed-by: Andreas Schneider <a...@samba.org>
commit b512b5974494fe41010800f60df0f248b8ea850e
Author: Andreas Schneider <a...@samba.org>
Date: Wed Jul 24 16:49:53 2019 +0200
s4:torture: Use GnuTLS RC4 in test_OemChangePasswordUser2
This uses STR_ASCII for password encoding!
Signed-off-by: Andreas Schneider <a...@samba.org>
Reviewed-by: Andrew Bartlett <abart...@samba.org>
commit f45ba47afb11c1f7bbb8c5c84670395500e1afc1
Author: Andreas Schneider <a...@samba.org>
Date: Wed Jul 24 15:59:19 2019 +0200
s4:torture: Use init_samr_CryptPassword in test_SetUserPass_level_ex
Signed-off-by: Andreas Schneider <a...@samba.org>
Reviewed-by: Andrew Bartlett <abart...@samba.org>
commit 3b9496d905408b75c21919b35b2105e2b0b0325f
Author: Andreas Schneider <a...@samba.org>
Date: Wed Jul 24 15:58:38 2019 +0200
s4:torture: Use init_samr_CryptPassword in test_SetUserPass_25
Signed-off-by: Andreas Schneider <a...@samba.org>
Reviewed-by: Andrew Bartlett <abart...@samba.org>
commit e398ecbd8e32bb428073f3635d9178abfae28255
Author: Andreas Schneider <a...@samba.org>
Date: Wed Jul 24 15:58:06 2019 +0200
s4:torture: Use init_samr_CryptPassword in test_SetUserPassEx
Signed-off-by: Andreas Schneider <a...@samba.org>
Reviewed-by: Andrew Bartlett <abart...@samba.org>
commit b0b9cabc4de64497140d33d0fdaf2927f2915987
Author: Andreas Schneider <a...@samba.org>
Date: Wed Jul 24 15:57:25 2019 +0200
s4:torture: Use init_samr_CryptPassword in test_SetUserPass_23
Signed-off-by: Andreas Schneider <a...@samba.org>
Reviewed-by: Andrew Bartlett <abart...@samba.org>
commit 70e05d7eb78a0c363dbd72cbbf4f3a264636c840
Author: Andreas Schneider <a...@samba.org>
Date: Wed Jul 24 15:56:08 2019 +0200
s4:torture: Use init_samr_CryptPassword in test_SetUserPass
Signed-off-by: Andreas Schneider <a...@samba.org>
Reviewed-by: Andrew Bartlett <abart...@samba.org>
commit 80f5beb4804c694ee6e5f5b450e751f538677593
Author: Andreas Schneider <a...@samba.org>
Date: Thu Feb 21 10:21:39 2019 +0100
s4:torture: Use init_samr_CryptPassword(Ex) in samba3rpc test
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14031
Signed-off-by: Andreas Schneider <a...@samba.org>
Reviewed-by: Andrew Bartlett <abart...@samba.org>
commit 811c412da5c24d7274f9aa4c7d653bbb1191e6a6
Author: Andreas Schneider <a...@samba.org>
Date: Wed Feb 20 15:52:49 2019 +0100
s4:torture: Use GnuTLS RC4 for RAP SAM test
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14031
Signed-off-by: Andreas Schneider <a...@samba.org>
Reviewed-by: Andrew Bartlett <abart...@samba.org>
commit 4326e7de6ba0ce02ab23af7297d2f7242988daa4
Author: Andreas Schneider <a...@samba.org>
Date: Tue Feb 19 17:40:29 2019 +0100
s4:rpc_server: Use GnuTLS RC4 for samr password
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14031
Signed-off-by: Andreas Schneider <a...@samba.org>
Reviewed-by: Andrew Bartlett <abart...@samba.org>
commit 9363abfb5fcfeff30295ce0cf94c18941a6c4e9f
Author: Andrew Bartlett <abart...@samba.org>
Date: Thu Jul 25 12:50:57 2019 +1200
s4:rpc_server: Use samba_gnutls_arcfour_confounded_md5() in
samr_set_password_ex()
This allows the use of GnuTLS for the underlying RC4 crypto operations.
Signed-off-by: Andrew Bartlett <abart...@samba.org>
Reviewed-by: Andreas Schneider <a...@samba.org>
commit 359ae5be0d21e7ab235035aab65710c9459e9593
Author: Andreas Schneider <a...@samba.org>
Date: Thu Jan 17 12:40:21 2019 +0100
s3:utils: Use GnuTLS RC4 in ntlm_auth
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14031
Signed-off-by: Andreas Schneider <a...@samba.org>
Reviewed-by: Andrew Bartlett <abart...@samba.org>
commit cd0b5e5d9377bc79b4468081f3999ad39be3cb8f
Author: Andreas Schneider <a...@samba.org>
Date: Wed May 15 14:04:31 2019 +0200
s3:rpc_server: Use GnuTLS RC4 to decrypt samr password buffers
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14031
Signed-off-by: Andreas Schneider <a...@samba.org>
Reviewed-by: Andrew Bartlett <abart...@samba.org>
commit d31f6a6803c86b8de0a97927731091f5a7bee4f1
Author: Andreas Schneider <a...@samba.org>
Date: Wed Jan 16 17:40:13 2019 +0100
s3:rpc_server: Use GnuTLS RC4 in samr password check
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14031
Signed-off-by: Andreas Schneider <a...@samba.org>
Reviewed-by: Andrew Bartlett <abart...@samba.org>
commit a95647e12ac75ffda42d95b41144596a078aebd6
Author: Andreas Schneider <a...@samba.org>
Date: Wed Jan 16 12:41:32 2019 +0100
s3:rpc_client: Use init_samr_CryptPassword in cli_samr rpc_client
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14031
Signed-off-by: Andreas Schneider <a...@samba.org>
Reviewed-by: Andrew Bartlett <abart...@samba.org>
commit 0947d8388def40b01b322d0deee4dba386983410
Author: Andreas Schneider <a...@samba.org>
Date: Tue Jan 15 18:14:17 2019 +0100
s3:libsmb: Use GnuTLS RC4 in clirap
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14031
Signed-off-by: Andreas Schneider <a...@samba.org>
Reviewed-by: Andrew Bartlett <abart...@samba.org>
commit 7bd502dcdb44c7d0f8a56b2ba489ae8cf2b886bd
Author: Andreas Schneider <a...@samba.org>
Date: Thu Dec 6 18:11:14 2018 +0100
auth:ntlmssp: Use GnuTLS RC4 for ntlmssp signing
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14031
Signed-off-by: Andreas Schneider <a...@samba.org>
Reviewed-by: Andrew Bartlett <abart...@samba.org>
commit cb4025a50232f24139f21d87e50b6e6ea69238ba
Author: Andreas Schneider <a...@samba.org>
Date: Fri Nov 9 12:29:55 2018 +0100
auth:ntlmssp: Use GnuTLS RC4 in ntlmssp client
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14031
Signed-off-by: Andreas Schneider <a...@samba.org>
Reviewed-by: Andrew Bartlett <abart...@samba.org>
commit bcf7808d3aa8a5932a40955e4b764f55061e07d7
Author: Andreas Schneider <a...@samba.org>
Date: Mon Jul 8 18:21:18 2019 +0200
libcli:auth: Use samba_gnutls_arcfour_confounded_md5() in
decode_wkssvc_join_password_buffer()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14031
Signed-off-by: Andreas Schneider <a...@samba.org>
Reviewed-by: Andrew Bartlett <abart...@samba.org>
commit 85e2a3c96ad9acc1a85db189f6418c9d880b4718
Author: Andreas Schneider <a...@samba.org>
Date: Mon Jul 8 18:03:00 2019 +0200
libcli:auth: Use samba_gnutls_arcfour_confounded_md5() in
encode_wkssvc_join_password_buffer()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14031
Signed-off-by: Andreas Schneider <a...@samba.org>
Reviewed-by: Andrew Bartlett <abart...@samba.org>
commit f4a16bfba8d87de883d3d2e54cdc825fc5e01c2b
Author: Andreas Schneider <a...@samba.org>
Date: Mon Jul 8 17:36:58 2019 +0200
libcli:auth: Add test for (encode|decode)_wkssvc_join_password_buffer
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14031
Signed-off-by: Andreas Schneider <a...@samba.org>
Reviewed-by: Andrew Bartlett <abart...@samba.org>
commit 576bcf61555fb641b2919ad84a6b26b242b57061
Author: Andreas Schneider <a...@samba.org>
Date: Wed May 29 15:50:45 2019 +0200
libcli:auth: Return WERROR for encode_wkssvc_join_password_buffer()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14031
Signed-off-by: Andreas Schneider <a...@samba.org>
Reviewed-by: Andrew Bartlett <abart...@samba.org>
commit 9ea736590d9b22a7518f86b18e8c55b0d0e213d5
Author: Andreas Schneider <a...@samba.org>
Date: Thu Jul 25 15:15:46 2019 +1200
s4:libnet: Use GnuTLS RC4 in libnet_ChangePassword_samr()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14031
Signed-off-by: Andreas Schneider <a...@samba.org>
Signed-off-by: Andrew Bartlett <abart...@samba.org>
Reviewed-by: Andrew Bartlett <abart...@samba.org>
commit cdb4e12765266ae767021d932870fbfcd55ccbf6
Author: Andreas Schneider <a...@samba.org>
Date: Fri Feb 1 13:38:21 2019 +0100
s4:libnet: Use GnuTLS RC4 in libnet_SetPassword_samr_handle_23()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14031
Signed-off-by: Andreas Schneider <a...@samba.org>
Reviewed-by: Andrew Bartlett <abart...@samba.org>
commit 18937f9ceb5aca23899555c5a34fe359f6fcb126
Author: Andreas Schneider <a...@samba.org>
Date: Fri Feb 1 13:38:21 2019 +0100
s4:libnet: Use GnuTLS RC4 in libnet_SetPassword_samr_handle_24()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14031
Signed-off-by: Andreas Schneider <a...@samba.org>
Reviewed-by: Andrew Bartlett <abart...@samba.org>
commit e44ba0397c7558e1da6a46cc38237a3b0e5cef49
Author: Andreas Schneider <a...@samba.org>
Date: Tue Jul 9 13:11:54 2019 +0200
s4:libnet: Use encode_rc4_passwd_buffer() in
libnet_SetPassword_samr_handle_25()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14031
Signed-off-by: Andreas Schneider <a...@samba.org>
Reviewed-by: Andrew Bartlett <abart...@samba.org>
commit 5afa402bb7ba11a8eefc6e14047eeec1f3327681
Author: Andreas Schneider <a...@samba.org>
Date: Tue Jul 9 13:01:49 2019 +0200
s4:libnet: Use encode_rc4_passwd_buffer() in
libnet_SetPassword_samr_handle_26()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14031
Signed-off-by: Andreas Schneider <a...@samba.org>
Reviewed-by: Andrew Bartlett <abart...@samba.org>
commit f0c0cf299eb99e7b78be2f04141b6d415bf525e2
Author: Andreas Schneider <a...@samba.org>
Date: Wed Jul 24 11:44:51 2019 +0200
s3:rpc_client: Use encode_rc4_passwd_buffer() in init_samr_CryptPasswordEx()
Signed-off-by: Andreas Schneider <a...@samba.org>
Reviewed-by: Andrew Bartlett <abart...@samba.org>
commit fe00b3735a7e8ae16fb6443965769f1e947a6aa6
Author: Andreas Schneider <a...@samba.org>
Date: Tue Jul 9 13:06:49 2019 +0200
libcli:auth: Add test for encode_rc4_passwd_buffer()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14031
Signed-off-by: Andreas Schneider <a...@samba.org>
Reviewed-by: Andrew Bartlett <abart...@samba.org>
commit 06d46c447e69a6b384c0089863c343b4924c7caf
Author: Andreas Schneider <a...@samba.org>
Date: Tue Jul 9 13:01:10 2019 +0200
libcli:auth: Add encode_rc4_passwd_buffer()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14031
Signed-off-by: Andreas Schneider <a...@samba.org>
Reviewed-by: Andrew Bartlett <abart...@samba.org>
commit 79ca72ec3d13fea5d2ad608415757ca9870035a3
Author: Andreas Schneider <a...@samba.org>
Date: Tue Jul 9 12:53:31 2019 +0200
libcli:auth: Pass samr_CryptPasswordEx to decode_rc4_passwd_buffer()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14031
Signed-off-by: Andreas Schneider <a...@samba.org>
Reviewed-by: Andrew Bartlett <abart...@samba.org>
commit 89f8b028e2d595348f9996854488d7aa552ae905
Author: Andreas Schneider <a...@samba.org>
Date: Fri Jul 5 10:12:43 2019 +0200
libcli:auth: Rename encode_or_decode_arc4_passwd_buffer()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14031
Signed-off-by: Andreas Schneider <a...@samba.org>
Reviewed-by: Andrew Bartlett <abart...@samba.org>
commit dea160820a393be51985a4e761a3f73da83972e7
Author: Andreas Schneider <a...@samba.org>
Date: Fri Jul 5 10:09:32 2019 +0200
libcli:auth: Use samba_gnutls_arcfour_confounded_md5() for rc4 passwd buffer
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14031
Signed-off-by: Andreas Schneider <a...@samba.org>
Reviewed-by: Andrew Bartlett <abart...@samba.org>
commit 95db9a81db093488e625b4ef385a184a5e517ede
Author: Andreas Schneider <a...@samba.org>
Date: Wed Jan 16 13:15:08 2019 +0100
s3:rpc_client: Use GnuTLS RC4 in init_samr_CryptPassword()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14031
Signed-off-by: Andreas Schneider <a...@samba.org>
Reviewed-by: Andrew Bartlett <abart...@samba.org>
commit 2075019ca90d7d474003c87b2f0202239891eba5
Author: Andreas Schneider <a...@samba.org>
Date: Thu Jul 4 16:22:48 2019 +0200
s3:rpc_client: Use samba_gnutls_arcfour_confounded_md5 in
init_samr_CryptPasswordEx
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14031
Signed-off-by: Andreas Schneider <a...@samba.org>
Reviewed-by: Andrew Bartlett <abart...@samba.org>
commit 7ccc76f951a626a25d553ac85c5bf30eb29ffa2b
Author: Andreas Schneider <a...@samba.org>
Date: Fri Jul 5 09:39:02 2019 +0200
libcli:auth: Add test for decoding an RC4 password buffer
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14031
Signed-off-by: Andreas Schneider <a...@samba.org>
Reviewed-by: Andrew Bartlett <abart...@samba.org>
commit 57dd415ba49b9621deddf604a5bf148c10ebc37e
Author: Andreas Schneider <a...@samba.org>
Date: Wed May 29 14:57:52 2019 +0200
libcli:auth: Return NTSTATUS for encode_or_decode_arc4_passwd_buffer()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14031
Signed-off-by: Andreas Schneider <a...@samba.org>
Reviewed-by: Andrew Bartlett <abart...@samba.org>
commit 7915a48e53c8f72ba56da2f433427b961feeb16f
Author: Andreas Schneider <a...@samba.org>
Date: Wed May 29 17:16:26 2019 +0200
s3:rpc_client: Return NTSTATUS for init_samr_CryptPasswordEx()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14031
Signed-off-by: Andreas Schneider <a...@samba.org>
Reviewed-by: Andrew Bartlett <abart...@samba.org>
commit 4b9b1dbe9c8c988a39b1318a4f7aac031bc1ea8b
Author: Andreas Schneider <a...@samba.org>
Date: Wed May 29 16:22:11 2019 +0200
s3:rpc_client: Return NTSTATUS for init_samr_CryptPassword()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14031
Signed-off-by: Andreas Schneider <a...@samba.org>
Reviewed-by: Andrew Bartlett <abart...@samba.org>
commit baa96ef20945638fb5ee76b03543c7b611e9c7d7
Author: Andreas Schneider <a...@samba.org>
Date: Thu Jul 18 13:33:54 2019 +0200
lib:crypto: Document samba_gnutls_arcfour_confounded_md5()
Signed-off-by: Andreas Schneider <a...@samba.org>
Reviewed-by: Andrew Bartlett <abart...@samba.org>
commit e43678b84a3434b977f44b265599f1d9207d3b78
Author: Andreas Schneider <a...@samba.org>
Date: Thu Jul 18 13:27:57 2019 +0200
lib:crypto: Document gnutls_error_to_werror()
Signed-off-by: Andreas Schneider <a...@samba.org>
Reviewed-by: Andrew Bartlett <abart...@samba.org>
commit 5e62358fbf9ed107ed4a5eb82b62e82ae5638262
Author: Andreas Schneider <a...@samba.org>
Date: Thu Jul 18 09:03:51 2019 +0200
lib:crypto: Document gnutls_error_to_ntstatus()
Signed-off-by: Andreas Schneider <a...@samba.org>
Reviewed-by: Andrew Bartlett <abart...@samba.org>
-----------------------------------------------------------------------
Summary of changes:
auth/ntlmssp/ntlmssp_client.c | 28 +-
auth/ntlmssp/ntlmssp_private.h | 5 +-
auth/ntlmssp/ntlmssp_sign.c | 212 ++++++++++++---
lib/crypto/crypto.h | 1 -
lib/crypto/gnutls_helpers.h | 50 ++++
lib/crypto/py_crypto.c | 34 ++-
lib/crypto/wscript_build | 32 ++-
libcli/auth/proto.h | 18 +-
libcli/auth/smbencrypt.c | 215 +++++++--------
libcli/auth/tests/test_rc4_passwd_buffer.c | 336 +++++++++++++++++++++++
libcli/auth/wscript_build | 9 +
selftest/tests.py | 2 +
source3/lib/netapi/joindomain.c | 44 ++--
source3/lib/netapi/user.c | 26 +-
source3/libnet/libnet_join.c | 19 +-
source3/libsmb/clirap.c | 27 +-
source3/rpc_client/cli_samr.c | 59 ++++-
source3/rpc_client/init_samr.c | 87 +++---
source3/rpc_client/init_samr.h | 12 +-
source3/rpc_server/netlogon/srv_netlog_nt.c | 30 ++-
source3/rpc_server/samr/srv_samr_chgpasswd.c | 30 ++-
source3/rpc_server/samr/srv_samr_nt.c | 82 +++++-
source3/rpcclient/cmd_samr.c | 62 +++--
source3/utils/net_rpc.c | 30 ++-
source3/utils/ntlm_auth.c | 45 +++-
source3/wscript_build | 2 +-
source4/libnet/libnet_passwd.c | 258 ++++++++++++------
source4/rpc_server/samr/samr_password.c | 139 +++++++---
source4/torture/rap/sam.c | 19 +-
source4/torture/rpc/samba3rpc.c | 43 ++-
source4/torture/rpc/samr.c | 380 +++++++++++++++++++--------
source4/torture/rpc/testjoin.c | 11 +-
source4/torture/rpc/wkssvc.c | 20 +-
33 files changed, 1772 insertions(+), 595 deletions(-)
create mode 100644 libcli/auth/tests/test_rc4_passwd_buffer.c
Changeset truncated at 500 lines:
diff --git a/auth/ntlmssp/ntlmssp_client.c b/auth/ntlmssp/ntlmssp_client.c
index df891f8d933..b8d1190466b 100644
--- a/auth/ntlmssp/ntlmssp_client.c
+++ b/auth/ntlmssp/ntlmssp_client.c
@@ -690,17 +690,43 @@ NTSTATUS ntlmssp_client_challenge(struct gensec_security
*gensec_security,
if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_KEY_EXCH) {
/* Make up a new session key */
uint8_t client_session_key[16];
+ gnutls_cipher_hd_t cipher_hnd;
+ gnutls_datum_t enc_session_key = {
+ .data = session_key.data,
+ .size = session_key.length,
+ };
+
generate_secret_buffer(client_session_key,
sizeof(client_session_key));
/* Encrypt the new session key with the old one */
encrypted_session_key = data_blob_talloc(ntlmssp_state,
client_session_key,
sizeof(client_session_key));
dump_data_pw("KEY_EXCH session key:\n",
encrypted_session_key.data, encrypted_session_key.length);
- arcfour_crypt(encrypted_session_key.data, session_key.data,
encrypted_session_key.length);
+
+ rc = gnutls_cipher_init(&cipher_hnd,
+ GNUTLS_CIPHER_ARCFOUR_128,
+ &enc_session_key,
+ NULL);
+ if (rc < 0) {
+ nt_status = gnutls_error_to_ntstatus(rc,
NT_STATUS_NTLM_BLOCKED);
+ ZERO_ARRAY(client_session_key);
+ goto done;
+ }
+ rc = gnutls_cipher_encrypt(cipher_hnd,
+ encrypted_session_key.data,
+ encrypted_session_key.length);
+ gnutls_cipher_deinit(cipher_hnd);
+ if (rc < 0) {
+ nt_status = gnutls_error_to_ntstatus(rc,
NT_STATUS_NTLM_BLOCKED);
+ ZERO_ARRAY(client_session_key);
+ goto done;
+ }
+
dump_data_pw("KEY_EXCH session key (enc):\n",
encrypted_session_key.data, encrypted_session_key.length);
/* Mark the new session key as the 'real' session key */
session_key = data_blob_talloc(mem_ctx, client_session_key,
sizeof(client_session_key));
+ ZERO_ARRAY(client_session_key);
}
/* this generates the actual auth packet */
diff --git a/auth/ntlmssp/ntlmssp_private.h b/auth/ntlmssp/ntlmssp_private.h
index 95ec6374f51..4d84e3347b6 100644
--- a/auth/ntlmssp/ntlmssp_private.h
+++ b/auth/ntlmssp/ntlmssp_private.h
@@ -20,14 +20,15 @@
/* For structures internal to the NTLMSSP implementation that should not be
exposed */
-#include "../lib/crypto/arcfour.h"
+#include <gnutls/gnutls.h>
+#include <gnutls/crypto.h>
struct auth_session_info;
struct ntlmssp_crypt_direction {
uint32_t seq_num;
uint8_t sign_key[16];
- struct arcfour_state seal_state;
+ gnutls_cipher_hd_t seal_state;
};
union ntlmssp_crypt_state {
diff --git a/auth/ntlmssp/ntlmssp_sign.c b/auth/ntlmssp/ntlmssp_sign.c
index 8ba2e246b34..89f1aa04f7a 100644
--- a/auth/ntlmssp/ntlmssp_sign.c
+++ b/auth/ntlmssp/ntlmssp_sign.c
@@ -47,9 +47,9 @@
*/
static void dump_arc4_state(const char *description,
- struct arcfour_state *state)
+ gnutls_cipher_hd_t *state)
{
- dump_data_pw(description, state->sbox, sizeof(state->sbox));
+ DBG_DEBUG("%s\n", description);
}
static NTSTATUS calc_ntlmv2_key(uint8_t subkey[16],
@@ -90,13 +90,13 @@ static NTSTATUS ntlmssp_make_packet_signature(struct
ntlmssp_state *ntlmssp_stat
enum ntlmssp_direction direction,
DATA_BLOB *sig, bool encrypt_sig)
{
- NTSTATUS status;
+ NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
+ int rc;
if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_NTLM2) {
gnutls_hmac_hd_t hmac_hnd = NULL;
uint8_t digest[16];
uint8_t seq_num[4];
- int rc;
*sig = data_blob_talloc(sig_mem_ctx, NULL, NTLMSSP_SIG_SIZE);
if (!sig->data) {
@@ -158,14 +158,24 @@ static NTSTATUS ntlmssp_make_packet_signature(struct
ntlmssp_state *ntlmssp_stat
if (encrypt_sig && (ntlmssp_state->neg_flags &
NTLMSSP_NEGOTIATE_KEY_EXCH)) {
switch (direction) {
case NTLMSSP_SEND:
-
arcfour_crypt_sbox(&ntlmssp_state->crypt->ntlm2.sending.seal_state,
- digest, 8);
+ rc =
gnutls_cipher_encrypt(ntlmssp_state->crypt->ntlm2.sending.seal_state,
+ digest,
+ 8);
break;
case NTLMSSP_RECEIVE:
-
arcfour_crypt_sbox(&ntlmssp_state->crypt->ntlm2.receiving.seal_state,
- digest, 8);
+ rc =
gnutls_cipher_encrypt(ntlmssp_state->crypt->ntlm2.receiving.seal_state,
+ digest,
+ 8);
break;
}
+ if (rc < 0) {
+ DBG_ERR("gnutls_cipher_encrypt for NTLMv2 EXCH "
+ "%s packet signature failed: %s\n",
+ direction == NTLMSSP_SEND ?
+ "send" : "receive",
+ gnutls_strerror(rc));
+ return gnutls_error_to_ntstatus(rc,
NT_STATUS_NTLM_BLOCKED);
+ }
}
SIVAL(sig->data, 0, NTLMSSP_SIGN_VERSION);
@@ -194,8 +204,15 @@ static NTSTATUS ntlmssp_make_packet_signature(struct
ntlmssp_state *ntlmssp_stat
dump_arc4_state("ntlmssp hash: \n",
&ntlmssp_state->crypt->ntlm.seal_state);
- arcfour_crypt_sbox(&ntlmssp_state->crypt->ntlm.seal_state,
- sig->data+4, sig->length-4);
+ rc =
gnutls_cipher_encrypt(ntlmssp_state->crypt->ntlm.seal_state,
+ sig->data + 4,
+ sig->length - 4);
+ if (rc < 0) {
+ DBG_ERR("gnutls_cipher_encrypt for NTLM packet "
+ "signature failed: %s\n",
+ gnutls_strerror(rc));
+ return gnutls_error_to_ntstatus(rc,
NT_STATUS_NTLM_BLOCKED);
+ }
}
return NT_STATUS_OK;
@@ -317,6 +334,8 @@ NTSTATUS ntlmssp_seal_packet(struct ntlmssp_state
*ntlmssp_state,
const uint8_t *whole_pdu, size_t pdu_length,
DATA_BLOB *sig)
{
+ int rc;
+
if (!(ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SEAL)) {
DEBUG(3, ("NTLMSSP Sealing not negotiated - cannot seal
packet!\n"));
return NT_STATUS_INVALID_PARAMETER;
@@ -353,11 +372,25 @@ NTSTATUS ntlmssp_seal_packet(struct ntlmssp_state
*ntlmssp_state,
return nt_status;
}
-
arcfour_crypt_sbox(&ntlmssp_state->crypt->ntlm2.sending.seal_state,
- data, length);
+ rc =
gnutls_cipher_encrypt(ntlmssp_state->crypt->ntlm2.sending.seal_state,
+ data,
+ length);
+ if (rc < 0) {
+ DBG_ERR("gnutls_cipher_encrypt ntlmv2 sealing the data "
+ "failed: %s\n",
+ gnutls_strerror(rc));
+ return gnutls_error_to_ntstatus(rc,
NT_STATUS_NTLM_BLOCKED);
+ }
if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_KEY_EXCH) {
-
arcfour_crypt_sbox(&ntlmssp_state->crypt->ntlm2.sending.seal_state,
- sig->data+4, 8);
+ rc =
gnutls_cipher_encrypt(ntlmssp_state->crypt->ntlm2.sending.seal_state,
+ sig->data + 4,
+ 8);
+ if (rc < 0) {
+ DBG_ERR("gnutls_cipher_encrypt ntlmv2 sealing "
+ "the EXCH signature data failed: %s\n",
+ gnutls_strerror(rc));
+ return gnutls_error_to_ntstatus(rc,
NT_STATUS_NTLM_BLOCKED);
+ }
}
} else {
NTSTATUS status;
@@ -381,17 +414,30 @@ NTSTATUS ntlmssp_seal_packet(struct ntlmssp_state
*ntlmssp_state,
* is not constant, but is is rather updated with
* each iteration
*/
-
dump_arc4_state("ntlmv1 arc4 state:\n",
&ntlmssp_state->crypt->ntlm.seal_state);
- arcfour_crypt_sbox(&ntlmssp_state->crypt->ntlm.seal_state,
- data, length);
+ rc =
gnutls_cipher_encrypt(ntlmssp_state->crypt->ntlm.seal_state,
+ data,
+ length);
+ if (rc < 0) {
+ DBG_ERR("gnutls_cipher_encrypt ntlmv1 sealing data"
+ "failed: %s\n",
+ gnutls_strerror(rc));
+ return gnutls_error_to_ntstatus(rc,
NT_STATUS_NTLM_BLOCKED);
+ }
dump_arc4_state("ntlmv1 arc4 state:\n",
&ntlmssp_state->crypt->ntlm.seal_state);
- arcfour_crypt_sbox(&ntlmssp_state->crypt->ntlm.seal_state,
- sig->data+4, sig->length-4);
+ rc =
gnutls_cipher_encrypt(ntlmssp_state->crypt->ntlm.seal_state,
+ sig->data + 4,
+ sig->length - 4);
+ if (rc < 0) {
+ DBG_ERR("gnutls_cipher_encrypt ntlmv1 sealing signing "
+ "data failed: %s\n",
+ gnutls_strerror(rc));
+ return gnutls_error_to_ntstatus(rc,
NT_STATUS_NTLM_BLOCKED);
+ }
ntlmssp_state->crypt->ntlm.seq_num++;
}
@@ -412,6 +458,8 @@ NTSTATUS ntlmssp_unseal_packet(struct ntlmssp_state
*ntlmssp_state,
const DATA_BLOB *sig)
{
NTSTATUS status;
+ int rc;
+
if (!ntlmssp_state->session_key.length) {
DEBUG(3, ("NO session key, cannot unseal packet\n"));
return NT_STATUS_NO_USER_SESSION_KEY;
@@ -422,14 +470,29 @@ NTSTATUS ntlmssp_unseal_packet(struct ntlmssp_state
*ntlmssp_state,
if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_NTLM2) {
/* First unseal the data. */
-
arcfour_crypt_sbox(&ntlmssp_state->crypt->ntlm2.receiving.seal_state,
- data, length);
+ rc =
gnutls_cipher_decrypt(ntlmssp_state->crypt->ntlm2.receiving.seal_state,
+ data,
+ length);
+ if (rc < 0) {
+ DBG_ERR("gnutls_cipher_decrypt ntlmv2 unsealing the "
+ "data failed: %s\n",
+ gnutls_strerror(rc));
+ return gnutls_error_to_ntstatus(rc,
NT_STATUS_NTLM_BLOCKED);
+ }
dump_data_pw("ntlmv2 clear data\n", data, length);
} else {
- arcfour_crypt_sbox(&ntlmssp_state->crypt->ntlm.seal_state,
- data, length);
+ rc =
gnutls_cipher_decrypt(ntlmssp_state->crypt->ntlm.seal_state,
+ data,
+ length);
+ if (rc < 0) {
+ DBG_ERR("gnutls_cipher_decrypt ntlmv1 unsealing the "
+ "data failed: %s\n",
+ gnutls_strerror(rc));
+ return gnutls_error_to_ntstatus(rc,
NT_STATUS_NTLM_BLOCKED);
+ }
dump_data_pw("ntlmv1 clear data\n", data, length);
}
+
status = ntlmssp_check_packet(ntlmssp_state,
data, length,
whole_pdu, pdu_length,
@@ -555,6 +618,8 @@ NTSTATUS ntlmssp_unwrap(struct ntlmssp_state *ntlmssp_state,
NTSTATUS ntlmssp_sign_reset(struct ntlmssp_state *ntlmssp_state,
bool reset_seqnums)
{
+ int rc;
+
DEBUG(3, ("NTLMSSP Sign/Seal - Initialising with flags:\n"));
debug_ntlmssp_flags(ntlmssp_state->neg_flags);
@@ -584,12 +649,16 @@ NTSTATUS ntlmssp_sign_reset(struct ntlmssp_state
*ntlmssp_state,
const char *send_seal_const;
const char *recv_sign_const;
const char *recv_seal_const;
- uint8_t send_seal_key[16];
- DATA_BLOB send_seal_blob = data_blob_const(send_seal_key,
- sizeof(send_seal_key));
- uint8_t recv_seal_key[16];
- DATA_BLOB recv_seal_blob = data_blob_const(recv_seal_key,
- sizeof(recv_seal_key));
+ uint8_t send_seal_key[16] = {0};
+ gnutls_datum_t send_seal_blob = {
+ .data = send_seal_key,
+ .size = sizeof(send_seal_key),
+ };
+ uint8_t recv_seal_key[16] = {0};
+ gnutls_datum_t recv_seal_blob = {
+ .data = recv_seal_key,
+ .size = sizeof(recv_seal_key),
+ };
NTSTATUS status;
switch (ntlmssp_state->role) {
@@ -648,10 +717,22 @@ NTSTATUS ntlmssp_sign_reset(struct ntlmssp_state
*ntlmssp_state,
if (!NT_STATUS_IS_OK(status)) {
return status;
}
- dump_data_pw("NTLMSSP send seal key:\n", send_seal_key, 16);
+ dump_data_pw("NTLMSSP send seal key:\n",
+ send_seal_key,
+ sizeof(send_seal_key));
- arcfour_init(&ntlmssp_state->crypt->ntlm2.sending.seal_state,
- &send_seal_blob);
+ if (ntlmssp_state->crypt->ntlm2.sending.seal_state != NULL) {
+
gnutls_cipher_deinit(ntlmssp_state->crypt->ntlm2.sending.seal_state);
+ }
+ rc =
gnutls_cipher_init(&ntlmssp_state->crypt->ntlm2.sending.seal_state,
+ GNUTLS_CIPHER_ARCFOUR_128,
+ &send_seal_blob,
+ NULL);
+ if (rc < 0) {
+ DBG_ERR("gnutls_cipher_init failed: %s\n",
+ gnutls_strerror(rc));
+ return gnutls_error_to_ntstatus(rc,
NT_STATUS_NTLM_BLOCKED);
+ }
dump_arc4_state("NTLMSSP send seal arc4 state:\n",
&ntlmssp_state->crypt->ntlm2.sending.seal_state);
@@ -677,10 +758,22 @@ NTSTATUS ntlmssp_sign_reset(struct ntlmssp_state
*ntlmssp_state,
if (!NT_STATUS_IS_OK(status)) {
return status;
}
- dump_data_pw("NTLMSSP recv seal key:\n", recv_seal_key, 16);
+ dump_data_pw("NTLMSSP recv seal key:\n",
+ recv_seal_key,
+ sizeof(recv_seal_key));
- arcfour_init(&ntlmssp_state->crypt->ntlm2.receiving.seal_state,
- &recv_seal_blob);
+ if (ntlmssp_state->crypt->ntlm2.receiving.seal_state != NULL) {
+
gnutls_cipher_deinit(ntlmssp_state->crypt->ntlm2.receiving.seal_state);
+ }
+ rc =
gnutls_cipher_init(&ntlmssp_state->crypt->ntlm2.receiving.seal_state,
+ GNUTLS_CIPHER_ARCFOUR_128,
+ &recv_seal_blob,
+ NULL);
+ if (rc < 0) {
+ DBG_ERR("gnutls_cipher_init failed: %s\n",
+ gnutls_strerror(rc));
+ return gnutls_error_to_ntstatus(rc,
NT_STATUS_NTLM_BLOCKED);
+ }
dump_arc4_state("NTLMSSP recv seal arc4 state:\n",
&ntlmssp_state->crypt->ntlm2.receiving.seal_state);
@@ -690,8 +783,10 @@ NTSTATUS ntlmssp_sign_reset(struct ntlmssp_state
*ntlmssp_state,
ntlmssp_state->crypt->ntlm2.receiving.seq_num = 0;
}
} else {
- uint8_t weak_session_key[8];
- DATA_BLOB seal_session_key = ntlmssp_state->session_key;
+ gnutls_datum_t seal_session_key = {
+ .data = ntlmssp_state->session_key.data,
+ .size = ntlmssp_state->session_key.length,
+ };
bool do_weak = false;
DEBUG(5, ("NTLMSSP Sign/Seal - using NTLM1\n"));
@@ -709,14 +804,19 @@ NTSTATUS ntlmssp_sign_reset(struct ntlmssp_state
*ntlmssp_state,
* Nothing to weaken.
* We certainly don't want to 'extend' the length...
*/
- if (seal_session_key.length < 16) {
+ if (ntlmssp_state->session_key.length < 16) {
/* TODO: is this really correct? */
do_weak = false;
}
if (do_weak) {
+ uint8_t weak_session_key[8];
+
memcpy(weak_session_key, seal_session_key.data, 8);
- seal_session_key = data_blob_const(weak_session_key, 8);
+ seal_session_key = (gnutls_datum_t) {
+ .data = weak_session_key,
+ .size = sizeof(weak_session_key),
+ };
/*
* LM key doesn't support 128 bit crypto, so this is
@@ -732,8 +832,18 @@ NTSTATUS ntlmssp_sign_reset(struct ntlmssp_state
*ntlmssp_state,
}
}
- arcfour_init(&ntlmssp_state->crypt->ntlm.seal_state,
- &seal_session_key);
+ if (ntlmssp_state->crypt->ntlm.seal_state != NULL) {
+
gnutls_cipher_deinit(ntlmssp_state->crypt->ntlm.seal_state);
+ }
+ rc = gnutls_cipher_init(&ntlmssp_state->crypt->ntlm.seal_state,
+ GNUTLS_CIPHER_ARCFOUR_128,
+ &seal_session_key,
+ NULL);
+ if (rc < 0) {
+ DBG_ERR("gnutls_cipher_init failed: %s\n",
+ gnutls_strerror(rc));
+ return gnutls_error_to_ntstatus(rc,
NT_STATUS_NTLM_BLOCKED);
+ }
dump_arc4_state("NTLMv1 arc4 state:\n",
&ntlmssp_state->crypt->ntlm.seal_state);
@@ -746,6 +856,24 @@ NTSTATUS ntlmssp_sign_reset(struct ntlmssp_state
*ntlmssp_state,
return NT_STATUS_OK;
}
+static int ntlmssp_crypt_free_gnutls_cipher_state(union ntlmssp_crypt_state *c)
+{
+ if (c->ntlm2.sending.seal_state != NULL) {
+ gnutls_cipher_deinit(c->ntlm2.sending.seal_state);
+ c->ntlm2.sending.seal_state = NULL;
+ }
+ if (c->ntlm2.receiving.seal_state != NULL) {
+ gnutls_cipher_deinit(c->ntlm2.receiving.seal_state);
+ c->ntlm2.receiving.seal_state = NULL;
+ }
+ if (c->ntlm.seal_state != NULL) {
+ gnutls_cipher_deinit(c->ntlm.seal_state);
+ c->ntlm.seal_state = NULL;
+ }
+
+ return 0;
+}
+
NTSTATUS ntlmssp_sign_init(struct ntlmssp_state *ntlmssp_state)
{
if (ntlmssp_state->session_key.length < 8) {
@@ -758,6 +886,8 @@ NTSTATUS ntlmssp_sign_init(struct ntlmssp_state
*ntlmssp_state)
if (ntlmssp_state->crypt == NULL) {
return NT_STATUS_NO_MEMORY;
}
+ talloc_set_destructor(ntlmssp_state->crypt,
+ ntlmssp_crypt_free_gnutls_cipher_state);
return ntlmssp_sign_reset(ntlmssp_state, true);
}
diff --git a/lib/crypto/crypto.h b/lib/crypto/crypto.h
index 12aebaecefd..d7409f9a46d 100644
--- a/lib/crypto/crypto.h
+++ b/lib/crypto/crypto.h
@@ -21,7 +21,6 @@
#define _SAMBA_CRYPTO_H_
#include "../lib/crypto/md4.h"
-#include "../lib/crypto/arcfour.h"
#include "../lib/crypto/aes.h"
#include "../lib/crypto/aes_cmac_128.h"
#include "../lib/crypto/aes_ccm_128.h"
diff --git a/lib/crypto/gnutls_helpers.h b/lib/crypto/gnutls_helpers.h
index 8a2a49baf73..45dec2b5db6 100644
--- a/lib/crypto/gnutls_helpers.h
+++ b/lib/crypto/gnutls_helpers.h
@@ -32,6 +32,21 @@
#define GNUTLS_FIPS140_SET_STRICT_MODE()
#endif
+#ifdef DOXYGEN
+/**
+ * @brief Convert a gnutls error code to a corresponding NTSTATUS.
+ *
+ * @param[in] gnutls_rc The GnuTLS return code.
+ *
+ * @param[in] blocked_status The NTSTATUS return code which should be returned
+ * in case the e.g. the cipher might be blocked due
+ * to FIPS mode.
+ *
+ * @return A corresponding NTSTATUS code.
+ */
+NTSTATUS gnutls_error_to_ntstatus(int gnutls_rc,
+ NTSTATUS blocked_status);
+#else
NTSTATUS _gnutls_error_to_ntstatus(int gnutls_rc,
NTSTATUS blocked_status,
const char *function,
@@ -39,7 +54,23 @@ NTSTATUS _gnutls_error_to_ntstatus(int gnutls_rc,
#define gnutls_error_to_ntstatus(gnutls_rc, blocked_status) \
_gnutls_error_to_ntstatus(gnutls_rc, blocked_status, \
__FUNCTION__, __location__)
+#endif
+#ifdef DOXYGEN
+/**
+ * @brief Convert a gnutls error code to a corresponding WERROR.
+ *
+ * @param[in] gnutls_rc The GnuTLS return code.
+ *
+ * @param[in] blocked_werr The WERROR code which should be returned if e.g
+ * the cipher we want to used it not allowed to be
+ * used because of FIPS mode.
+ *
+ * @return A corresponding WERROR code.
+ */
+WERROR gnutls_error_to_werror(int gnutls_rc,
+ WERROR blocked_werr);
--
Samba Shared Repository
