[SCM] Samba Shared Repository - branch master updated

Mon, 09 Nov 2020 02:23:46 -0800 

The branch, master has been updated
       via  b8913401304 sefltest: Enable the dcerpc.createtrustrelax test 
against ad_dc_fips
       via  c75dd1ea178 s4:rpc_server: Allow to use RC4 for creating trusts
       via  4425f2c113a s3:rpc_server: Allow to use RC4 for creating trusts
       via  c93ccebdfed s4:rpc_server: Use gnutls_cipher_decrypt() in 
get_trustdom_auth_blob()
       via  6c11e5f42ba s3:rpc_server: Use gnutls_cipher_decrypt() in 
get_trustdom_auth_blob()
      from  e5e1759057a s3: spoolss: Make parameters in call to user_ok_token() 
match all other uses.

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit b89134013041e772418c2c8bcfffe8a9ade6db91
Author: Andreas Schneider <a...@samba.org>
Date:   Fri Nov 6 10:13:48 2020 +0100

    sefltest: Enable the dcerpc.createtrustrelax test against ad_dc_fips
    
    Signed-off-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Alexander Bokovoy <a...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>
    
    Autobuild-User(master): Andreas Schneider <a...@cryptomilk.org>
    Autobuild-Date(master): Mon Nov  9 10:22:51 UTC 2020 on sn-devel-184

commit c75dd1ea178325b8f65343cb5c35bb93f43a49a3
Author: Andreas Schneider <a...@samba.org>
Date:   Thu Aug 20 13:51:39 2020 +0200

    s4:rpc_server: Allow to use RC4 for creating trusts
    
    Signed-off-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Alexander Bokovoy <a...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit 4425f2c113a4dc33a8dc609d84a92018d61b4d2e
Author: Andreas Schneider <a...@samba.org>
Date:   Thu Aug 20 13:40:21 2020 +0200

    s3:rpc_server: Allow to use RC4 for creating trusts
    
    Signed-off-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Alexander Bokovoy <a...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit c93ccebdfedd60c1d19f1b1436ac30062259952a
Author: Andreas Schneider <a...@samba.org>
Date:   Fri Nov 6 14:33:38 2020 +0100

    s4:rpc_server: Use gnutls_cipher_decrypt() in get_trustdom_auth_blob()
    
    It doesn't matter for RC4, but just to be correct.
    
    Signed-off-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Alexander Bokovoy <a...@samba.org>

commit 6c11e5f42ba3248c97d85c989d422b256d2465a9
Author: Andreas Schneider <a...@samba.org>
Date:   Fri Nov 6 14:30:26 2020 +0100

    s3:rpc_server: Use gnutls_cipher_decrypt() in get_trustdom_auth_blob()
    
    It doesn't matter for RC4, but just to be correct.
    
    Signed-off-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Alexander Bokovoy <a...@samba.org>

-----------------------------------------------------------------------

Summary of changes:
 selftest/knownfail.d/createtrustrelax_server |  1 -
 source3/rpc_server/lsa/srv_lsa_nt.c          | 15 ++++++++++++++-
 source4/rpc_server/lsa/dcesrv_lsa.c          | 20 +++++++++++++++++++-
 3 files changed, 33 insertions(+), 3 deletions(-)
 delete mode 100644 selftest/knownfail.d/createtrustrelax_server


Changeset truncated at 500 lines:

diff --git a/selftest/knownfail.d/createtrustrelax_server 
b/selftest/knownfail.d/createtrustrelax_server
deleted file mode 100644
index 80effda8343..00000000000
--- a/selftest/knownfail.d/createtrustrelax_server
+++ /dev/null
@@ -1 +0,0 @@
-^samba.tests.dcerpc.createtrustrelax.samba.tests.dcerpc.createtrustrelax.CreateTrustedDomainRelaxTest.test_create_trust_relax_encrypt\(ad_dc_fips\)
diff --git a/source3/rpc_server/lsa/srv_lsa_nt.c 
b/source3/rpc_server/lsa/srv_lsa_nt.c
index 198387424e6..d6d606ddeca 100644
--- a/source3/rpc_server/lsa/srv_lsa_nt.c
+++ b/source3/rpc_server/lsa/srv_lsa_nt.c
@@ -51,6 +51,8 @@
 #include "../libcli/lsarpc/util_lsarpc.h"
 #include "lsa.h"
 #include "librpc/rpc/dcesrv_core.h"
+#include "librpc/rpc/dcerpc_helper.h"
+#include "lib/param/loadparm.h"
 
 #include "lib/crypto/gnutls_helpers.h"
 #include <gnutls/gnutls.h>
@@ -1706,6 +1708,14 @@ static NTSTATUS get_trustdom_auth_blob(struct 
pipes_struct *p,
        gnutls_datum_t my_session_key;
        NTSTATUS status;
        int rc;
+       bool encrypted;
+
+       encrypted =
+               dcerpc_is_transport_encrypted(p->session_info);
+       if (lp_weak_crypto() == SAMBA_WEAK_CRYPTO_DISALLOWED &&
+           !encrypted) {
+               return NT_STATUS_ACCESS_DENIED;
+       }
 
        status = session_extract_session_key(p->session_info, &lsession_key, 
KEY_USE_16BYTES);
        if (!NT_STATUS_IS_OK(status)) {
@@ -1717,19 +1727,22 @@ static NTSTATUS get_trustdom_auth_blob(struct 
pipes_struct *p,
                .size = lsession_key.length,
        };
 
+       GNUTLS_FIPS140_SET_LAX_MODE();
        rc = gnutls_cipher_init(&cipher_hnd,
                                GNUTLS_CIPHER_ARCFOUR_128,
                                &my_session_key,
                                NULL);
        if (rc < 0) {
+               GNUTLS_FIPS140_SET_STRICT_MODE();
                status = gnutls_error_to_ntstatus(rc, 
NT_STATUS_CRYPTO_SYSTEM_INVALID);
                goto out;
        }
 
-       rc = gnutls_cipher_encrypt(cipher_hnd,
+       rc = gnutls_cipher_decrypt(cipher_hnd,
                                   auth_blob->data,
                                   auth_blob->length);
        gnutls_cipher_deinit(cipher_hnd);
+       GNUTLS_FIPS140_SET_STRICT_MODE();
        if (rc < 0) {
                status = gnutls_error_to_ntstatus(rc, 
NT_STATUS_CRYPTO_SYSTEM_INVALID);
                goto out;
diff --git a/source4/rpc_server/lsa/dcesrv_lsa.c 
b/source4/rpc_server/lsa/dcesrv_lsa.c
index ebe259ff81e..15b068aec62 100644
--- a/source4/rpc_server/lsa/dcesrv_lsa.c
+++ b/source4/rpc_server/lsa/dcesrv_lsa.c
@@ -34,6 +34,8 @@
 #include "lib/messaging/irpc.h"
 #include "libds/common/roles.h"
 #include "lib/util/smb_strtox.h"
+#include "lib/param/loadparm.h"
+#include "librpc/rpc/dcerpc_helper.h"
 
 #include "lib/crypto/gnutls_helpers.h"
 #include <gnutls/gnutls.h>
@@ -872,6 +874,19 @@ static NTSTATUS get_trustdom_auth_blob(struct 
dcesrv_call_state *dce_call,
        gnutls_cipher_hd_t cipher_hnd = NULL;
        gnutls_datum_t _session_key;
        int rc;
+       struct auth_session_info *session_info =
+               dcesrv_call_session_info(dce_call);
+       struct loadparm_context *lp_ctx = dce_call->conn->dce_ctx->lp_ctx;
+       bool encrypted;
+
+       encrypted =
+               dcerpc_is_transport_encrypted(session_info);
+       if (lpcfg_weak_crypto(lp_ctx) == SAMBA_WEAK_CRYPTO_DISALLOWED &&
+           !encrypted) {
+               DBG_ERR("Transport isn't encrypted and weak crypto 
disallowed!\n");
+               return NT_STATUS_ACCESS_DENIED;
+       }
+
 
        nt_status = dcesrv_transport_session_key(dce_call, &session_key);
        if (!NT_STATUS_IS_OK(nt_status)) {
@@ -883,19 +898,22 @@ static NTSTATUS get_trustdom_auth_blob(struct 
dcesrv_call_state *dce_call,
                .size = session_key.length,
        };
 
+       GNUTLS_FIPS140_SET_LAX_MODE();
        rc = gnutls_cipher_init(&cipher_hnd,
                                GNUTLS_CIPHER_ARCFOUR_128,
                                &_session_key,
                                NULL);
        if (rc < 0) {
+               GNUTLS_FIPS140_SET_STRICT_MODE();
                nt_status = gnutls_error_to_ntstatus(rc, 
NT_STATUS_CRYPTO_SYSTEM_INVALID);
                goto out;
        }
 
-       rc = gnutls_cipher_encrypt(cipher_hnd,
+       rc = gnutls_cipher_decrypt(cipher_hnd,
                                   auth_blob->data,
                                   auth_blob->length);
        gnutls_cipher_deinit(cipher_hnd);
+       GNUTLS_FIPS140_SET_STRICT_MODE();
        if (rc < 0) {
                nt_status = gnutls_error_to_ntstatus(rc, 
NT_STATUS_CRYPTO_SYSTEM_INVALID);
                goto out;


-- 
Samba Shared Repository

Reply via email to