The branch, master has been updated via b8913401304 sefltest: Enable the dcerpc.createtrustrelax test against ad_dc_fips via c75dd1ea178 s4:rpc_server: Allow to use RC4 for creating trusts via 4425f2c113a s3:rpc_server: Allow to use RC4 for creating trusts via c93ccebdfed s4:rpc_server: Use gnutls_cipher_decrypt() in get_trustdom_auth_blob() via 6c11e5f42ba s3:rpc_server: Use gnutls_cipher_decrypt() in get_trustdom_auth_blob() from e5e1759057a s3: spoolss: Make parameters in call to user_ok_token() match all other uses.
https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log ----------------------------------------------------------------- commit b89134013041e772418c2c8bcfffe8a9ade6db91 Author: Andreas Schneider <a...@samba.org> Date: Fri Nov 6 10:13:48 2020 +0100 sefltest: Enable the dcerpc.createtrustrelax test against ad_dc_fips Signed-off-by: Andreas Schneider <a...@samba.org> Reviewed-by: Alexander Bokovoy <a...@samba.org> Reviewed-by: Stefan Metzmacher <me...@samba.org> Autobuild-User(master): Andreas Schneider <a...@cryptomilk.org> Autobuild-Date(master): Mon Nov 9 10:22:51 UTC 2020 on sn-devel-184 commit c75dd1ea178325b8f65343cb5c35bb93f43a49a3 Author: Andreas Schneider <a...@samba.org> Date: Thu Aug 20 13:51:39 2020 +0200 s4:rpc_server: Allow to use RC4 for creating trusts Signed-off-by: Andreas Schneider <a...@samba.org> Reviewed-by: Alexander Bokovoy <a...@samba.org> Reviewed-by: Stefan Metzmacher <me...@samba.org> commit 4425f2c113a4dc33a8dc609d84a92018d61b4d2e Author: Andreas Schneider <a...@samba.org> Date: Thu Aug 20 13:40:21 2020 +0200 s3:rpc_server: Allow to use RC4 for creating trusts Signed-off-by: Andreas Schneider <a...@samba.org> Reviewed-by: Alexander Bokovoy <a...@samba.org> Reviewed-by: Stefan Metzmacher <me...@samba.org> commit c93ccebdfedd60c1d19f1b1436ac30062259952a Author: Andreas Schneider <a...@samba.org> Date: Fri Nov 6 14:33:38 2020 +0100 s4:rpc_server: Use gnutls_cipher_decrypt() in get_trustdom_auth_blob() It doesn't matter for RC4, but just to be correct. Signed-off-by: Andreas Schneider <a...@samba.org> Reviewed-by: Alexander Bokovoy <a...@samba.org> commit 6c11e5f42ba3248c97d85c989d422b256d2465a9 Author: Andreas Schneider <a...@samba.org> Date: Fri Nov 6 14:30:26 2020 +0100 s3:rpc_server: Use gnutls_cipher_decrypt() in get_trustdom_auth_blob() It doesn't matter for RC4, but just to be correct. Signed-off-by: Andreas Schneider <a...@samba.org> Reviewed-by: Alexander Bokovoy <a...@samba.org> ----------------------------------------------------------------------- Summary of changes: selftest/knownfail.d/createtrustrelax_server | 1 - source3/rpc_server/lsa/srv_lsa_nt.c | 15 ++++++++++++++- source4/rpc_server/lsa/dcesrv_lsa.c | 20 +++++++++++++++++++- 3 files changed, 33 insertions(+), 3 deletions(-) delete mode 100644 selftest/knownfail.d/createtrustrelax_server Changeset truncated at 500 lines: diff --git a/selftest/knownfail.d/createtrustrelax_server b/selftest/knownfail.d/createtrustrelax_server deleted file mode 100644 index 80effda8343..00000000000 --- a/selftest/knownfail.d/createtrustrelax_server +++ /dev/null @@ -1 +0,0 @@ -^samba.tests.dcerpc.createtrustrelax.samba.tests.dcerpc.createtrustrelax.CreateTrustedDomainRelaxTest.test_create_trust_relax_encrypt\(ad_dc_fips\) diff --git a/source3/rpc_server/lsa/srv_lsa_nt.c b/source3/rpc_server/lsa/srv_lsa_nt.c index 198387424e6..d6d606ddeca 100644 --- a/source3/rpc_server/lsa/srv_lsa_nt.c +++ b/source3/rpc_server/lsa/srv_lsa_nt.c @@ -51,6 +51,8 @@ #include "../libcli/lsarpc/util_lsarpc.h" #include "lsa.h" #include "librpc/rpc/dcesrv_core.h" +#include "librpc/rpc/dcerpc_helper.h" +#include "lib/param/loadparm.h" #include "lib/crypto/gnutls_helpers.h" #include <gnutls/gnutls.h> @@ -1706,6 +1708,14 @@ static NTSTATUS get_trustdom_auth_blob(struct pipes_struct *p, gnutls_datum_t my_session_key; NTSTATUS status; int rc; + bool encrypted; + + encrypted = + dcerpc_is_transport_encrypted(p->session_info); + if (lp_weak_crypto() == SAMBA_WEAK_CRYPTO_DISALLOWED && + !encrypted) { + return NT_STATUS_ACCESS_DENIED; + } status = session_extract_session_key(p->session_info, &lsession_key, KEY_USE_16BYTES); if (!NT_STATUS_IS_OK(status)) { @@ -1717,19 +1727,22 @@ static NTSTATUS get_trustdom_auth_blob(struct pipes_struct *p, .size = lsession_key.length, }; + GNUTLS_FIPS140_SET_LAX_MODE(); rc = gnutls_cipher_init(&cipher_hnd, GNUTLS_CIPHER_ARCFOUR_128, &my_session_key, NULL); if (rc < 0) { + GNUTLS_FIPS140_SET_STRICT_MODE(); status = gnutls_error_to_ntstatus(rc, NT_STATUS_CRYPTO_SYSTEM_INVALID); goto out; } - rc = gnutls_cipher_encrypt(cipher_hnd, + rc = gnutls_cipher_decrypt(cipher_hnd, auth_blob->data, auth_blob->length); gnutls_cipher_deinit(cipher_hnd); + GNUTLS_FIPS140_SET_STRICT_MODE(); if (rc < 0) { status = gnutls_error_to_ntstatus(rc, NT_STATUS_CRYPTO_SYSTEM_INVALID); goto out; diff --git a/source4/rpc_server/lsa/dcesrv_lsa.c b/source4/rpc_server/lsa/dcesrv_lsa.c index ebe259ff81e..15b068aec62 100644 --- a/source4/rpc_server/lsa/dcesrv_lsa.c +++ b/source4/rpc_server/lsa/dcesrv_lsa.c @@ -34,6 +34,8 @@ #include "lib/messaging/irpc.h" #include "libds/common/roles.h" #include "lib/util/smb_strtox.h" +#include "lib/param/loadparm.h" +#include "librpc/rpc/dcerpc_helper.h" #include "lib/crypto/gnutls_helpers.h" #include <gnutls/gnutls.h> @@ -872,6 +874,19 @@ static NTSTATUS get_trustdom_auth_blob(struct dcesrv_call_state *dce_call, gnutls_cipher_hd_t cipher_hnd = NULL; gnutls_datum_t _session_key; int rc; + struct auth_session_info *session_info = + dcesrv_call_session_info(dce_call); + struct loadparm_context *lp_ctx = dce_call->conn->dce_ctx->lp_ctx; + bool encrypted; + + encrypted = + dcerpc_is_transport_encrypted(session_info); + if (lpcfg_weak_crypto(lp_ctx) == SAMBA_WEAK_CRYPTO_DISALLOWED && + !encrypted) { + DBG_ERR("Transport isn't encrypted and weak crypto disallowed!\n"); + return NT_STATUS_ACCESS_DENIED; + } + nt_status = dcesrv_transport_session_key(dce_call, &session_key); if (!NT_STATUS_IS_OK(nt_status)) { @@ -883,19 +898,22 @@ static NTSTATUS get_trustdom_auth_blob(struct dcesrv_call_state *dce_call, .size = session_key.length, }; + GNUTLS_FIPS140_SET_LAX_MODE(); rc = gnutls_cipher_init(&cipher_hnd, GNUTLS_CIPHER_ARCFOUR_128, &_session_key, NULL); if (rc < 0) { + GNUTLS_FIPS140_SET_STRICT_MODE(); nt_status = gnutls_error_to_ntstatus(rc, NT_STATUS_CRYPTO_SYSTEM_INVALID); goto out; } - rc = gnutls_cipher_encrypt(cipher_hnd, + rc = gnutls_cipher_decrypt(cipher_hnd, auth_blob->data, auth_blob->length); gnutls_cipher_deinit(cipher_hnd); + GNUTLS_FIPS140_SET_STRICT_MODE(); if (rc < 0) { nt_status = gnutls_error_to_ntstatus(rc, NT_STATUS_CRYPTO_SYSTEM_INVALID); goto out; -- Samba Shared Repository