From 65ca219ab2356044ff65d13199407291b3a7e7f8 Mon Sep 17 00:00:00 2001 
From: CentOS Sources Date: Tue, 3 Nov 2020 06:51:03 -0500 Subject: [PATCH] import samba-4.12.3-12.el8.3 --- .gitignore | 2 +- .samba.metadata | 2 +- ...HA1-for-hashing-in-profiling-functio.patch | 61 - ...ath-to-header-file-in-gnutls_helpers.patch | 33 - ...NUTLS_FIPS140_SET_-LAX-STRICT-_MODE-.patch | 65 - ...-profile-subsystem-to-use-SHA1-in-FI.patch | 63 - ...TLS-random-number-generator-in-genra.patch | 114 - ...ypto-Document-gnutls_error_to_werror.patch | 49 - ...ent-samba_gnutls_arcfour_confounded_.patch | 45 - ...turn-NTSTATUS-for-init_samr_CryptPas.patch | 150 - ...turn-NTSTATUS-for-init_samr_CryptPas.patch | 199 - ...rn-NTSTATUS-for-encode_or_decode_arc.patch | 115 - ...test-for-decoding-an-RC4-password-bu.patch | 234 - ...e-samba_gnutls_arcfour_confounded_md.patch | 94 - ...e-GnuTLS-RC4-in-init_samr_CryptPassw.patch | 65 - ...samba_gnutls_arcfour_confounded_md5-.patch | 73 - ...me-encode_or_decode_arc4_passwd_buff.patch | 97 - ...-samr_CryptPasswordEx-to-decode_rc4_.patch | 115 - ...li-auth-Add-encode_rc4_passwd_buffer.patch | 89 - ...dd-test-for-encode_rc4_passwd_buffer.patch | 65 - ...e-encode_rc4_passwd_buffer-in-init_s.patch | 60 - ...code_rc4_passwd_buffer-in-libnet_Set.patch | 108 - ...code_rc4_passwd_buffer-in-libnet_Set.patch | 95 - ...uTLS-RC4-in-libnet_SetPassword_samr_.patch | 72 - ...uTLS-RC4-in-libnet_SetPassword_samr_.patch | 72 - ...uTLS-RC4-in-libnet_ChangePassword_sa.patch | 174 - ...rn-WERROR-for-encode_wkssvc_join_pas.patch | 236 - ...test-for-encode-decode-_wkssvc_join_.patch | 172 - ...samba_gnutls_arcfour_confounded_md5-.patch | 111 - ...samba_gnutls_arcfour_confounded_md5-.patch | 117 - ...ssp-Use-GnuTLS-RC4-in-ntlmssp-client.patch | 66 - ...p-Use-GnuTLS-RC4-for-ntlmssp-signing.patch | 411 -- ...1-s3-libsmb-Use-GnuTLS-RC4-in-clirap.patch | 76 - ...e-init_samr_CryptPassword-in-cli_sam.patch | 160 - ...se-GnuTLS-RC4-in-samr-password-check.patch | 77 - ...e-GnuTLS-RC4-to-decrypt-samr-passwor.patch | 119 - 
...s3-utils-Use-GnuTLS-RC4-in-ntlm_auth.patch | 110 - ...e-samba_gnutls_arcfour_confounded_md.patch | 76 - ...ver-Use-GnuTLS-RC4-for-samr-password.patch | 195 - ...ture-Use-GnuTLS-RC4-for-RAP-SAM-test.patch | 64 - ...nit_samr_CryptPassword-Ex-in-samba3r.patch | 121 - ...nit_samr_CryptPassword-in-test_SetUs.patch | 60 - ...nit_samr_CryptPassword-in-test_SetUs.patch | 72 - ...nit_samr_CryptPassword-in-test_SetUs.patch | 87 - ...nit_samr_CryptPassword-in-test_SetUs.patch | 88 - ...nit_samr_CryptPassword-in-test_SetUs.patch | 116 - ...nuTLS-RC4-in-test_OemChangePasswordU.patch | 91 - ...nit_samr_CryptPassword-in-test_Chang.patch | 53 - ...nit_samr_CryptPassword-in-test_Chang.patch | 54 - ...nuTLS-RC4-in-test_ChangePasswordUser.patch | 57 - ...nuTLS-RC4-in-test_ChangePasswordUser.patch | 61 - ...nit_samr_CryptPassword-in-test_Chang.patch | 119 - ...fy-comments-and-variable-names-in-Ch.patch | 130 - ...nit_samr_CryptPassword-in-test_Chang.patch | 48 - ...nuTLS-RC4-in-test_ChangePasswordRand.patch | 51 - ...amba_gnutls_arcfour_confounded_md5-i.patch | 84 - ...nit_samr_CryptPassword-in-testjoin-R.patch | 68 - ...b-crypto-Use-GnuTLS-RC4-in-py_crypto.patch | 91 - ...rypto-Remove-arcfour.h-from-crypto.h.patch | 29 - ...-t-build-RC4-if-we-have-GnuTLS-3.4.7.patch | 59 - ...passed-mem_ctx-instead-of-talloc_tos.patch | 56 - ...se-a-stackframe-for-temporary-memory.patch | 188 - ...se-a-stackframe-for-temporary-memory.patch | 104 - ...se-a-stackframe-for-temporary-memory.patch | 96 - ...ential-use-of-uninitialized-variable.patch | 32 - ...ly-dump-passwords-in-developer-build.patch | 64 - ...orward-declaration-for-gnutls_hmac_h.patch | 38 - ...s-Link-vfs_acl_common-against-gnutls.patch | 29 - ...7-lib-util-Add-generate_nonce_buffer.patch | 62 - ...enerate_nonce_buffer-for-AES-CCM-and.patch | 31 - ...rate_nonce_buffer-for-AES-CCM-and-AE.patch | 31 - ...ter-documentation-for-generate_secre.patch | 70 - ...e-generate_secret_buffer-to-create-a.patch | 33 - 
...e-generate_secret_buffer-for-backupk.patch | 30 - ...e-generate_secret_buffer-for-netlogo.patch | 30 - ...generate_secret_buffer-for-netlogon-.patch | 34 - ...umentation-for-random-number-functio.patch | 72 - ...th-Use-generate_secret_buffer-for-ne.patch | 31 - ...rver-Use-generate_secret_buffer-for-.patch | 31 - ...rver-Use-generate_secret_buffer-for-.patch | 31 - ...rver-Use-generate_secret_buffer-to-c.patch | 34 - ...erate_secret_buffer-for-long-term-pa.patch | 47 - ...erate_nonce_buffer-for-AEC-GCM-nonce.patch | 29 - ...nerate_secret_buffer-for-generating-.patch | 30 - ...-generate_random_buffer-for-session-.patch | 33 - ...ts-Add-known-and-expected-value-test.patch | 84 - ...dual-stack-mode-from-test_-encrypted.patch | 154 - ...clude-necessary-header-files-in-encr.patch | 30 - ...waf-Check-for-GNUTLS-AES-CFB-support.patch | 29 - ...netlogon_creds_aes_encrypt-in-netlog.patch | 35 - ...GnuTLS-AES128-CFB-for-netlogon_creds.patch | 69 - ...rn-NTSTATUS-for-netlogon_creds_aes_e.patch | 82 - ...GnuTLS-AES128-CFB-for-netlogon_creds.patch | 84 - ...rn-NTSTATUS-from-netlogon_creds_aes_.patch | 78 - ...QUIREMENTS-file-with-new-minimum-ver.patch | 30 - ...k-NTSTATUS-from-netlogon_creds_aes_-.patch | 134 - ...eck-NTSTATUS-return-value-from-netlo.patch | 41 - ...eck-NTSTATUS-return-value-from-netlo.patch | 63 - ...emove-unused-init_netr_CryptPassword.patch | 148 - ...-Check-NTSTATUS-return-from-netlogon.patch | 47 - ...GnuTLS-AES128-CFB8-in-netsec_do_seq_.patch | 74 - ...gnutls_error_to_ntstatus-consistentl.patch | 69 - ...se-GnuTLS-AES-CFB8-in-netsec_do_seal.patch | 137 - ...gnutls_error_to_ntstatus-in-netsec_d.patch | 67 - ...re-not-to-build-AES-or-AES-CMAC-if-w.patch | 111 - ...-Set-minimum-GnuTLS-version-at-3.4.7.patch | 48 - ...emove-Heimdal-based-BackupKey-server.patch | 4135 ----------------- ...ckupkey-consistently-check-error-cod.patch | 271 -- ...to-Remove-unused-RC4-code-from-Samba.patch | 168 - ...duplicate-encrypted_secrets-code-usi.patch | 705 --- 
...licit-check-for-HAVE_GNUTLS_AEAD-as-.patch | 37 - ...b-Define-SMB2_AES_128_CCM_NONCE_SIZE.patch | 27 - ...cli-smb-Use-GnuTLS-for-AES-constants.patch | 46 - ...nutls_aead_cipher_hd_t-to-smb2_signi.patch | 54 - ...-smb2_signing_key-for-storing-the-en.patch | 102 - ...-smb2_signing_key-for-storing-the-de.patch | 82 - ..._signing_key-structure-for-the-encry.patch | 131 - ..._signing_key-structure-for-the-decry.patch | 92 - ...s3-smbd-Use-GnuTLS-for-AES-constants.patch | 46 - ...ck-for-AES128-CMAC-support-in-GnuTLS.patch | 28 - ...nuTLS-AES128-CMAC-in-smb2_signing_si.patch | 79 - ...nutls_error_to_ntstatus-in-smb2_sign.patch | 38 - ...nuTLS-AES128-CMAC-in-smb2_signing_ch.patch | 72 - ...nutls_error_to_ntstatus-in-smb2_sign.patch | 51 - ...t-build-AES-CMAC-if-we-use-GnuTLS-th.patch | 72 - ...rt-GnuTLS-AES-CCM-and-GCM-in-smb2_si.patch | 225 - ...rt-GnuTLS-AES-CCM-and-GCM-in-smb2_si.patch | 231 - ...mb2_signing_key-in-smb2_signing_decr.patch | 176 - ...nutls_error_to_ntstatus-in-smb2_sign.patch | 41 - ...mb2_signing_key-in-smb2_signing_encr.patch | 223 - ...nutls_error_to_ntstatus-in-smb2_sign.patch | 42 - ...fer-AES-GCM-over-AES-CCM-with-GnuTLS.patch | 41 - ...fer-AES-GCM-over-AES-CCM-with-GnuTLS.patch | 41 - ...uth-gensec-fix-non-AES-schannel-seal.patch | 49 - ...sec-fix-AES-schannel-seal-and-unseal.patch | 106 - ...gnutls-test-for-aes-128-cfb8-cipher-.patch | 286 -- ...eck-for-gnutls_aead_cipher_encryptv2.patch | 29 - ...nutls_aead_cipher_encryptv2-for-AES-.patch | 86 - ...nutls_aead_cipher_decryptv2-for-AES-.patch | 88 - ...t-use-gnutls_aead_cipher_encryptv2-w.patch | 47 - ...turn-NTSTATUS-for-SMBOWFencrypt_ntv2.patch | 76 - ...k-return-codes-of-SMBsesskeygen_ntv2.patch | 102 - ...turn-NTSTATUS-for-SMBOWFencrypt_ntv2.patch | 97 - ...ck-return-code-of-SMBOWFencrypt_ntv2.patch | 120 - ...server-Remove-gnutls_global_-de-init.patch | 38 - ...e-gnutls_global_-de-init-from-libtls.patch | 69 - ...e-calls-to-gnutls_global_-de-init-in.patch | 238 - 
...k-return-value-of-netlogon_creds_ini.patch | 57 - ...k-return-status-of-netlogon_creds_in.patch | 79 - ...k-return-status-of-netlogon_creds_fi.patch | 73 - ...rn-NTSTATUS-for-netlogon_creds_clien.patch | 60 - ...ck-return-code-of-netlogon_creds_cli.patch | 47 - ...k-return-code-of-netlogon_creds_clie.patch | 120 - ...return-code-of-netlogon_creds_client.patch | 40 - ...k-return-code-of-netlogon_creds_step.patch | 86 - ...k-return-code-of-netlogon_creds_step.patch | 94 - ...k-return-code-of-netlogon_creds_aes_.patch | 83 - ...-Replace-E_md5hash-with-GnuTLS-calls.patch | 52 - ...-Replace-E_md5hash-with-GnuTLS-calls.patch | 65 - ...-Replace-E_md5hash-with-GnuTLS-calls.patch | 58 - ...-libcli-auth-Remove-unused-E_md5hash.patch | 81 - ...4-lib-tls-Fix-cert-and-privkey-types.patch | 42 - ...inbind-Fix-CID-1455915-Resource-leak.patch | 40 - ...-Improve-debug-output-of-test_gnutls.patch | 58 - ...enable-torture_gnutls_aes_128_cfb-on.patch | 39 - ...-des_crypt56-and-add-test_gnutls-to-.patch | 90 - SOURCES/0165-selftest-test-E_P16.patch | 52 - .../0166-selftest-test-sam_rid_crypt.patch | 56 - ...elftest-test-E_P24-and-SMBOWFencrypt.patch | 77 - .../0168-selftest-test-E_old_pw_hash.patch | 55 - SOURCES/0169-selftest-test-des_crypt128.patch | 53 - ...s_crypt112-and-fix-unused-decryption.patch | 79 - .../0171-selftest-test-des_crypt112_16.patch | 59 - ...ftest-test-SMBsesskeygen_lm_sess_key.patch | 56 - .../0173-selftest-test-sess_crypt_blob.patch | 62 - ...rypt56_gnutls-using-DES-CBC-with-zer.patch | 184 - ...es_encrypt-decrypt_LMKey-use-gnutls-.patch | 103 - ..._sess_key-use-gnutls-and-return-NTST.patch | 159 - ...-convert-sam_rid_crypt-to-use-gnutls.patch | 197 - ...8-smbdes-convert-E_P16-to-use-gnutls.patch | 96 - .../0179-smbdes-remove-D_P16-not-used.patch | 45 - ..._P24-and-SMBOWFencrypt-to-use-gnutls.patch | 519 --- ...s-convert-des_crypt128-to-use-gnutls.patch | 96 - ...-convert-E_old_pw_hash-to-use-gnutls.patch | 427 -- ...s-convert-des_crypt112-to-use-gnutls.patch 
| 118 - ...onvert-des_crypt112_16-to-use-gnutls.patch | 296 -- ...onvert-sess_crypt_blob-to-use-gnutls.patch | 449 -- ...can-only-crypt-blobs-whose-size-divi.patch | 48 - ...remove-old-unused-DES-builtin-crypto.patch | 328 -- ...Remove-our-implementation-of-AES-CCM.patch | 749 --- ...Remove-our-implementation-of-AES-GCM.patch | 672 --- ...y-build-AES-code-if-we-need-AES-CMAC.patch | 29 - ...-intel-aes-ni-only-if-GnuTLS-doesn-t.patch | 49 - ...-crypto-Add-samba_gnutls_weak_crypto.patch | 98 - ...-weak-crypto-information-to-testparm.patch | 60 - ...94-lib-param-Add-lp-cfg-_weak_crypto.patch | 139 - ...ck-if-a-gensec-module-implements-wea.patch | 50 - ...196-auth-ntlmssp-Mark-as-weak_crypto.patch | 46 - ...MB-encryption-for-DECRPC-over-named-.patch | 33 - ...low-SMB-3.0-for-DCERPC-client-connec.patch | 37 - ...low-RC4-encrypted-buffers-in-samr_Se.patch | 82 - ...low-to-use-RC4-for-setting-passwords.patch | 45 - ...ly-announce-RC4-in-netlogon-server-i.patch | 37 - ...ly-announce-RC4-in-netlogon-server-i.patch | 46 - ...-to-hash-password-using-MD5-in-samdb.patch | 51 - ...ow-py_crypto-to-use-RC4-in-FIPS-mode.patch | 56 - ...-weak-crypto-for-kerberos-if-disallo.patch | 93 - ...-weak-crypto-in-ldap-server-if-disal.patch | 103 - ...eak-crypto-is-disallowed-reject-md5-.patch | 52 - ...y-use-RC4-if-our-systems-supports-it.patch | 36 - ...-security-level-check-for-DsRGetFore.patch | 84 - SOURCES/CVE-2019-14907-4.11.patch | 100 - SOURCES/dnshostname_all.patch | 986 ++++ SOURCES/krb5_no_des_411.patch | 613 --- SOURCES/ldapsslads-v4-12.patch | 609 +++ SOURCES/samba-4.10-fix-netbios-join.patch | 723 --- SOURCES/samba-4.11.2.tar.asc | 7 - ...ba-4.11.3-fix_smb1_cli_qpathinfo_2_3.patch | 172 - ...only_link_libnsl_libsocket_if_needed.patch | 85 - ...ix_segfault_in_smbd_do_qfilepathinfo.patch | 33 - ...amba-4.11.7-fix_smbclient_debug_spam.patch | 48 - .../samba-4.12-fix_pam_winbind_manpage.patch | 41 + .../samba-4.12-fix_winbind_lookuprids.patch | 130 + 
SOURCES/samba-4.12-gnutls-priority-list.patch | 342 ++ SOURCES/samba-4.12-user-gencache.patch | 478 ++ SOURCES/samba-4.12-vfs_ChDir.patch | 203 + SOURCES/samba-4.12.3.tar.asc | 7 + SPECS/samba.spec | 1800 ++++--- 228 files changed, 3648 insertions(+), 27661 deletions(-) delete mode 100644 SOURCES/0001-s3-profile-Use-SHA1-for-hashing-in-profiling-functio.patch delete mode 100644 SOURCES/0002-lib-crypto-Fix-path-to-header-file-in-gnutls_helpers.patch delete mode 100644 SOURCES/0003-lib-crypto-Add-GNUTLS_FIPS140_SET_-LAX-STRICT-_MODE-.patch delete mode 100644 SOURCES/0004-s3-profile-Allow-profile-subsystem-to-use-SHA1-in-FI.patch delete mode 100644 SOURCES/0005-lib-util-Use-GnuTLS-random-number-generator-in-genra.patch delete mode 100644 SOURCES/0006-lib-crypto-Document-gnutls_error_to_werror.patch delete mode 100644 SOURCES/0007-lib-crypto-Document-samba_gnutls_arcfour_confounded_.patch delete mode 100644 SOURCES/0008-s3-rpc_client-Return-NTSTATUS-for-init_samr_CryptPas.patch delete mode 100644 SOURCES/0009-s3-rpc_client-Return-NTSTATUS-for-init_samr_CryptPas.patch delete mode 100644 SOURCES/0010-libcli-auth-Return-NTSTATUS-for-encode_or_decode_arc.patch delete mode 100644 SOURCES/0011-libcli-auth-Add-test-for-decoding-an-RC4-password-bu.patch delete mode 100644 SOURCES/0012-s3-rpc_client-Use-samba_gnutls_arcfour_confounded_md.patch delete mode 100644 SOURCES/0013-s3-rpc_client-Use-GnuTLS-RC4-in-init_samr_CryptPassw.patch delete mode 100644 SOURCES/0014-libcli-auth-Use-samba_gnutls_arcfour_confounded_md5-.patch delete mode 100644 SOURCES/0015-libcli-auth-Rename-encode_or_decode_arc4_passwd_buff.patch delete mode 100644 SOURCES/0016-libcli-auth-Pass-samr_CryptPasswordEx-to-decode_rc4_.patch delete mode 100644 SOURCES/0017-libcli-auth-Add-encode_rc4_passwd_buffer.patch delete mode 100644 SOURCES/0018-libcli-auth-Add-test-for-encode_rc4_passwd_buffer.patch delete mode 100644 SOURCES/0019-s3-rpc_client-Use-encode_rc4_passwd_buffer-in-init_s.patch delete mode 100644 
SOURCES/0020-s4-libnet-Use-encode_rc4_passwd_buffer-in-libnet_Set.patch delete mode 100644 SOURCES/0021-s4-libnet-Use-encode_rc4_passwd_buffer-in-libnet_Set.patch delete mode 100644 SOURCES/0022-s4-libnet-Use-GnuTLS-RC4-in-libnet_SetPassword_samr_.patch delete mode 100644 SOURCES/0023-s4-libnet-Use-GnuTLS-RC4-in-libnet_SetPassword_samr_.patch delete mode 100644 SOURCES/0024-s4-libnet-Use-GnuTLS-RC4-in-libnet_ChangePassword_sa.patch delete mode 100644 SOURCES/0025-libcli-auth-Return-WERROR-for-encode_wkssvc_join_pas.patch delete mode 100644 SOURCES/0026-libcli-auth-Add-test-for-encode-decode-_wkssvc_join_.patch delete mode 100644 SOURCES/0027-libcli-auth-Use-samba_gnutls_arcfour_confounded_md5-.patch delete mode 100644 SOURCES/0028-libcli-auth-Use-samba_gnutls_arcfour_confounded_md5-.patch delete mode 100644 SOURCES/0029-auth-ntlmssp-Use-GnuTLS-RC4-in-ntlmssp-client.patch delete mode 100644 SOURCES/0030-auth-ntlmssp-Use-GnuTLS-RC4-for-ntlmssp-signing.patch delete mode 100644 SOURCES/0031-s3-libsmb-Use-GnuTLS-RC4-in-clirap.patch delete mode 100644 SOURCES/0032-s3-rpc_client-Use-init_samr_CryptPassword-in-cli_sam.patch delete mode 100644 SOURCES/0033-s3-rpc_server-Use-GnuTLS-RC4-in-samr-password-check.patch delete mode 100644 SOURCES/0034-s3-rpc_server-Use-GnuTLS-RC4-to-decrypt-samr-passwor.patch delete mode 100644 SOURCES/0035-s3-utils-Use-GnuTLS-RC4-in-ntlm_auth.patch delete mode 100644 SOURCES/0036-s4-rpc_server-Use-samba_gnutls_arcfour_confounded_md.patch delete mode 100644 SOURCES/0037-s4-rpc_server-Use-GnuTLS-RC4-for-samr-password.patch delete mode 100644 SOURCES/0038-s4-torture-Use-GnuTLS-RC4-for-RAP-SAM-test.patch delete mode 100644 SOURCES/0039-s4-torture-Use-init_samr_CryptPassword-Ex-in-samba3r.patch delete mode 100644 SOURCES/0040-s4-torture-Use-init_samr_CryptPassword-in-test_SetUs.patch delete mode 100644 SOURCES/0041-s4-torture-Use-init_samr_CryptPassword-in-test_SetUs.patch delete mode 100644 
SOURCES/0042-s4-torture-Use-init_samr_CryptPassword-in-test_SetUs.patch delete mode 100644 SOURCES/0043-s4-torture-Use-init_samr_CryptPassword-in-test_SetUs.patch delete mode 100644 SOURCES/0044-s4-torture-Use-init_samr_CryptPassword-in-test_SetUs.patch delete mode 100644 SOURCES/0045-s4-torture-Use-GnuTLS-RC4-in-test_OemChangePasswordU.patch delete mode 100644 SOURCES/0046-s4-torture-Use-init_samr_CryptPassword-in-test_Chang.patch delete mode 100644 SOURCES/0047-s4-torture-Use-init_samr_CryptPassword-in-test_Chang.patch delete mode 100644 SOURCES/0048-s4_torture-Use-GnuTLS-RC4-in-test_ChangePasswordUser.patch delete mode 100644 SOURCES/0049-s4-torture-Use-GnuTLS-RC4-in-test_ChangePasswordUser.patch delete mode 100644 SOURCES/0050-s4-torture-Use-init_samr_CryptPassword-in-test_Chang.patch delete mode 100644 SOURCES/0051-s4-torture-clarify-comments-and-variable-names-in-Ch.patch delete mode 100644 SOURCES/0052-s4-torture-Use-init_samr_CryptPassword-in-test_Chang.patch delete mode 100644 SOURCES/0053-s4-torture-Use-GnuTLS-RC4-in-test_ChangePasswordRand.patch delete mode 100644 SOURCES/0054-s4-torture-Use-samba_gnutls_arcfour_confounded_md5-i.patch delete mode 100644 SOURCES/0055-s4-torture-Use-init_samr_CryptPassword-in-testjoin-R.patch delete mode 100644 SOURCES/0056-lib-crypto-Use-GnuTLS-RC4-in-py_crypto.patch delete mode 100644 SOURCES/0057-lib-crypto-Remove-arcfour.h-from-crypto.h.patch delete mode 100644 SOURCES/0058-lib-crypto-Don-t-build-RC4-if-we-have-GnuTLS-3.4.7.patch delete mode 100644 SOURCES/0059-s3-lib-Use-the-passed-mem_ctx-instead-of-talloc_tos.patch delete mode 100644 SOURCES/0060-s3-rpcclient-Use-a-stackframe-for-temporary-memory.patch delete mode 100644 SOURCES/0061-s3-utils-Use-a-stackframe-for-temporary-memory.patch delete mode 100644 SOURCES/0062-s3-rpc_server-Use-a-stackframe-for-temporary-memory.patch delete mode 100644 SOURCES/0063-netlogon-Fix-potential-use-of-uninitialized-variable.patch delete mode 100644 
SOURCES/0064-s3-rpc_server-Only-dump-passwords-in-developer-build.patch delete mode 100644 SOURCES/0065-libcli-smb-Add-forward-declaration-for-gnutls_hmac_h.patch delete mode 100644 SOURCES/0066-s3-modules-Link-vfs_acl_common-against-gnutls.patch delete mode 100644 SOURCES/0067-lib-util-Add-generate_nonce_buffer.patch delete mode 100644 SOURCES/0068-libcli-smb-Use-generate_nonce_buffer-for-AES-CCM-and.patch delete mode 100644 SOURCES/0069-s3-smbd-Use-generate_nonce_buffer-for-AES-CCM-and-AE.patch delete mode 100644 SOURCES/0070-lib-util-Add-better-documentation-for-generate_secre.patch delete mode 100644 SOURCES/0071-s4-rpc_server-Use-generate_secret_buffer-to-create-a.patch delete mode 100644 SOURCES/0072-s4-rpc_server-Use-generate_secret_buffer-for-backupk.patch delete mode 100644 SOURCES/0073-s4-rpc_server-Use-generate_secret_buffer-for-netlogo.patch delete mode 100644 SOURCES/0074-libcli-auth-Use-generate_secret_buffer-for-netlogon-.patch delete mode 100644 SOURCES/0075-lib-util-Fix-documentation-for-random-number-functio.patch delete mode 100644 SOURCES/0076-Revert-libcli-auth-Use-generate_secret_buffer-for-ne.patch delete mode 100644 SOURCES/0077-Revert-s4-rpc_server-Use-generate_secret_buffer-for-.patch delete mode 100644 SOURCES/0078-Revert-s4-rpc_server-Use-generate_secret_buffer-for-.patch delete mode 100644 SOURCES/0079-Revert-s4-rpc_server-Use-generate_secret_buffer-to-c.patch delete mode 100644 SOURCES/0080-lib-util-Use-generate_secret_buffer-for-long-term-pa.patch delete mode 100644 SOURCES/0081-s4-samdb-Use-generate_nonce_buffer-for-AEC-GCM-nonce.patch delete mode 100644 SOURCES/0082-s3-passdb-Use-generate_secret_buffer-for-generating-.patch delete mode 100644 SOURCES/0083-auth-ntlmssp-Use-generate_random_buffer-for-session-.patch delete mode 100644 SOURCES/0084-encrypted_secrets-Add-known-and-expected-value-test.patch delete mode 100644 SOURCES/0085-s4-samdb-Remove-dual-stack-mode-from-test_-encrypted.patch delete mode 100644 
SOURCES/0086-s4-samdb-Only-include-necessary-header-files-in-encr.patch delete mode 100644 SOURCES/0087-waf-Check-for-GNUTLS-AES-CFB-support.patch delete mode 100644 SOURCES/0088-libcli-auth-Use-netlogon_creds_aes_encrypt-in-netlog.patch delete mode 100644 SOURCES/0089-libcli-auth-Use-GnuTLS-AES128-CFB-for-netlogon_creds.patch delete mode 100644 SOURCES/0090-libcli-auth-Return-NTSTATUS-for-netlogon_creds_aes_e.patch delete mode 100644 SOURCES/0091-libcli-auth-Use-GnuTLS-AES128-CFB-for-netlogon_creds.patch delete mode 100644 SOURCES/0092-libcli-auth-Return-NTSTATUS-from-netlogon_creds_aes_.patch delete mode 100644 SOURCES/0093-crypto-Update-REQUIREMENTS-file-with-new-minimum-ver.patch delete mode 100644 SOURCES/0094-libcli-auth-Check-NTSTATUS-from-netlogon_creds_aes_-.patch delete mode 100644 SOURCES/0095-s3-rpc_server-Check-NTSTATUS-return-value-from-netlo.patch delete mode 100644 SOURCES/0096-s4-rpc_server-Check-NTSTATUS-return-value-from-netlo.patch delete mode 100644 SOURCES/0097-s3-librpc-Remove-unused-init_netr_CryptPassword.patch delete mode 100644 SOURCES/0098-auth-credentials-Check-NTSTATUS-return-from-netlogon.patch delete mode 100644 SOURCES/0099-auth-gensec-Use-GnuTLS-AES128-CFB8-in-netsec_do_seq_.patch delete mode 100644 SOURCES/0100-auth-gensec-Use-gnutls_error_to_ntstatus-consistentl.patch delete mode 100644 SOURCES/0101-auth-gensec-Use-GnuTLS-AES-CFB8-in-netsec_do_seal.patch delete mode 100644 SOURCES/0102-auth-gensec-Use-gnutls_error_to_ntstatus-in-netsec_d.patch delete mode 100644 SOURCES/0103-lib-crypto-Prepare-not-to-build-AES-or-AES-CMAC-if-w.patch delete mode 100644 SOURCES/0104-build-Set-minimum-GnuTLS-version-at-3.4.7.patch delete mode 100644 SOURCES/0105-s4-rpc_server-Remove-Heimdal-based-BackupKey-server.patch delete mode 100644 SOURCES/0106-s4-rpc_server-backupkey-consistently-check-error-cod.patch delete mode 100644 SOURCES/0107-lib-crypto-Remove-unused-RC4-code-from-Samba.patch delete mode 100644 
SOURCES/0108-s4-samdb-Remove-duplicate-encrypted_secrets-code-usi.patch delete mode 100644 SOURCES/0109-build-Remove-explicit-check-for-HAVE_GNUTLS_AEAD-as-.patch delete mode 100644 SOURCES/0110-libcli-smb-Define-SMB2_AES_128_CCM_NONCE_SIZE.patch delete mode 100644 SOURCES/0111-libcli-smb-Use-GnuTLS-for-AES-constants.patch delete mode 100644 SOURCES/0112-libcli-smb-Add-gnutls_aead_cipher_hd_t-to-smb2_signi.patch delete mode 100644 SOURCES/0113-libcli-smb-Use-a-smb2_signing_key-for-storing-the-en.patch delete mode 100644 SOURCES/0114-libcli-smb-Use-a-smb2_signing_key-for-storing-the-de.patch delete mode 100644 SOURCES/0115-s3-smbd-Use-smb2_signing_key-structure-for-the-encry.patch delete mode 100644 SOURCES/0116-s3-smbd-Use-smb2_signing_key-structure-for-the-decry.patch delete mode 100644 SOURCES/0117-s3-smbd-Use-GnuTLS-for-AES-constants.patch delete mode 100644 SOURCES/0118-waf-Check-for-AES128-CMAC-support-in-GnuTLS.patch delete mode 100644 SOURCES/0119-libcli-smb-Use-GnuTLS-AES128-CMAC-in-smb2_signing_si.patch delete mode 100644 SOURCES/0120-libcli-smb-Use-gnutls_error_to_ntstatus-in-smb2_sign.patch delete mode 100644 SOURCES/0121-libcli-smb-Use-GnuTLS-AES128-CMAC-in-smb2_signing_ch.patch delete mode 100644 SOURCES/0122-libcli-smb-Use-gnutls_error_to_ntstatus-in-smb2_sign.patch delete mode 100644 SOURCES/0123-lib-crypto-Do-not-build-AES-CMAC-if-we-use-GnuTLS-th.patch delete mode 100644 SOURCES/0124-libcli-smb-Support-GnuTLS-AES-CCM-and-GCM-in-smb2_si.patch delete mode 100644 SOURCES/0125-libcli-smb-Support-GnuTLS-AES-CCM-and-GCM-in-smb2_si.patch delete mode 100644 SOURCES/0126-libcli-smb-Use-smb2_signing_key-in-smb2_signing_decr.patch delete mode 100644 SOURCES/0127-libcli-smb-Use-gnutls_error_to_ntstatus-in-smb2_sign.patch delete mode 100644 SOURCES/0128-libcli-smb-Use-smb2_signing_key-in-smb2_signing_encr.patch delete mode 100644 SOURCES/0129-libcli-smb-Use-gnutls_error_to_ntstatus-in-smb2_sign.patch delete mode 100644 
SOURCES/0130-libcli-smb-Prefer-AES-GCM-over-AES-CCM-with-GnuTLS.patch delete mode 100644 SOURCES/0131-s3-smbd-Prefer-AES-GCM-over-AES-CCM-with-GnuTLS.patch delete mode 100644 SOURCES/0132-auth-gensec-fix-non-AES-schannel-seal.patch delete mode 100644 SOURCES/0133-auth-gensec-fix-AES-schannel-seal-and-unseal.patch delete mode 100644 SOURCES/0134-libcli-auth-add-gnutls-test-for-aes-128-cfb8-cipher-.patch delete mode 100644 SOURCES/0135-waf-Check-for-gnutls_aead_cipher_encryptv2.patch delete mode 100644 SOURCES/0136-libcli-smb-Use-gnutls_aead_cipher_encryptv2-for-AES-.patch delete mode 100644 SOURCES/0137-libcli-smb-Use-gnutls_aead_cipher_decryptv2-for-AES-.patch delete mode 100644 SOURCES/0138-libcli-smb-Do-not-use-gnutls_aead_cipher_encryptv2-w.patch delete mode 100644 SOURCES/0139-libcli-auth-Return-NTSTATUS-for-SMBOWFencrypt_ntv2.patch delete mode 100644 SOURCES/0140-libcli-auth-Check-return-codes-of-SMBsesskeygen_ntv2.patch delete mode 100644 SOURCES/0141-libcli-auth-Return-NTSTATUS-for-SMBOWFencrypt_ntv2.patch delete mode 100644 SOURCES/0142-libcli-auth-Check-return-code-of-SMBOWFencrypt_ntv2.patch delete mode 100644 SOURCES/0143-s4-rpc_server-Remove-gnutls_global_-de-init.patch delete mode 100644 SOURCES/0144-s4-lib-Remove-gnutls_global_-de-init-from-libtls.patch delete mode 100644 SOURCES/0145-s4-torture-Remove-calls-to-gnutls_global_-de-init-in.patch delete mode 100644 SOURCES/0146-libcli-auth-Check-return-value-of-netlogon_creds_ini.patch delete mode 100644 SOURCES/0147-libcli-auth-Check-return-status-of-netlogon_creds_in.patch delete mode 100644 SOURCES/0148-libcli-auth-Check-return-status-of-netlogon_creds_fi.patch delete mode 100644 SOURCES/0149-libcli-auth-Return-NTSTATUS-for-netlogon_creds_clien.patch delete mode 100644 SOURCES/0150-auth-pycreds-Check-return-code-of-netlogon_creds_cli.patch delete mode 100644 SOURCES/0151-libcli-auth-Check-return-code-of-netlogon_creds_clie.patch delete mode 100644 
SOURCES/0152-s4-librpc-Check-return-code-of-netlogon_creds_client.patch delete mode 100644 SOURCES/0153-libcli-auth-Check-return-code-of-netlogon_creds_step.patch delete mode 100644 SOURCES/0154-libcli-auth-Check-return-code-of-netlogon_creds_step.patch delete mode 100644 SOURCES/0155-libcli-auth-Check-return-code-of-netlogon_creds_aes_.patch delete mode 100644 SOURCES/0156-s3-rpc_server-Replace-E_md5hash-with-GnuTLS-calls.patch delete mode 100644 SOURCES/0157-s3-winbindd-Replace-E_md5hash-with-GnuTLS-calls.patch delete mode 100644 SOURCES/0158-s3-winbind-Replace-E_md5hash-with-GnuTLS-calls.patch delete mode 100644 SOURCES/0159-libcli-auth-Remove-unused-E_md5hash.patch delete mode 100644 SOURCES/0160-s4-lib-tls-Fix-cert-and-privkey-types.patch delete mode 100644 SOURCES/0161-winbind-Fix-CID-1455915-Resource-leak.patch delete mode 100644 SOURCES/0162-auth-tests-Improve-debug-output-of-test_gnutls.patch delete mode 100644 SOURCES/0163-auth-tests-Only-enable-torture_gnutls_aes_128_cfb-on.patch delete mode 100644 SOURCES/0164-libcli-auth-test-des_crypt56-and-add-test_gnutls-to-.patch delete mode 100644 SOURCES/0165-selftest-test-E_P16.patch delete mode 100644 SOURCES/0166-selftest-test-sam_rid_crypt.patch delete mode 100644 SOURCES/0167-selftest-test-E_P24-and-SMBOWFencrypt.patch delete mode 100644 SOURCES/0168-selftest-test-E_old_pw_hash.patch delete mode 100644 SOURCES/0169-selftest-test-des_crypt128.patch delete mode 100644 SOURCES/0170-selftest-test-des_crypt112-and-fix-unused-decryption.patch delete mode 100644 SOURCES/0171-selftest-test-des_crypt112_16.patch delete mode 100644 SOURCES/0172-selftest-test-SMBsesskeygen_lm_sess_key.patch delete mode 100644 SOURCES/0173-selftest-test-sess_crypt_blob.patch delete mode 100644 SOURCES/0174-smbdes-add-des_crypt56_gnutls-using-DES-CBC-with-zer.patch delete mode 100644 SOURCES/0175-netlogon_creds_des_encrypt-decrypt_LMKey-use-gnutls-.patch delete mode 100644 
SOURCES/0176-SMBsesskeygen_lm_sess_key-use-gnutls-and-return-NTST.patch delete mode 100644 SOURCES/0177-smbdes-convert-sam_rid_crypt-to-use-gnutls.patch delete mode 100644 SOURCES/0178-smbdes-convert-E_P16-to-use-gnutls.patch delete mode 100644 SOURCES/0179-smbdes-remove-D_P16-not-used.patch delete mode 100644 SOURCES/0180-smbdes-convert-E_P24-and-SMBOWFencrypt-to-use-gnutls.patch delete mode 100644 SOURCES/0181-smbdes-convert-des_crypt128-to-use-gnutls.patch delete mode 100644 SOURCES/0182-smbdes-convert-E_old_pw_hash-to-use-gnutls.patch delete mode 100644 SOURCES/0183-smbdes-convert-des_crypt112-to-use-gnutls.patch delete mode 100644 SOURCES/0184-smbdes-convert-des_crypt112_16-to-use-gnutls.patch delete mode 100644 SOURCES/0185-session-convert-sess_crypt_blob-to-use-gnutls.patch delete mode 100644 SOURCES/0186-sess_crypt_blob-can-only-crypt-blobs-whose-size-divi.patch delete mode 100644 SOURCES/0187-smbdes-remove-old-unused-DES-builtin-crypto.patch delete mode 100644 SOURCES/0188-lib-crypto-Remove-our-implementation-of-AES-CCM.patch delete mode 100644 SOURCES/0189-lib-crypto-Remove-our-implementation-of-AES-GCM.patch delete mode 100644 SOURCES/0190-lib-crypto-Only-build-AES-code-if-we-need-AES-CMAC.patch delete mode 100644 SOURCES/0191-lib-crypto-Build-intel-aes-ni-only-if-GnuTLS-doesn-t.patch delete mode 100644 SOURCES/0192-lib-crypto-Add-samba_gnutls_weak_crypto.patch delete mode 100644 SOURCES/0193-s3-utils-Add-weak-crypto-information-to-testparm.patch delete mode 100644 SOURCES/0194-lib-param-Add-lp-cfg-_weak_crypto.patch delete mode 100644 SOURCES/0195-gensec-Add-a-check-if-a-gensec-module-implements-wea.patch delete mode 100644 SOURCES/0196-auth-ntlmssp-Mark-as-weak_crypto.patch delete mode 100644 SOURCES/0197-s3-param-Force-SMB-encryption-for-DECRPC-over-named-.patch delete mode 100644 SOURCES/0198-s3-param-Only-allow-SMB-3.0-for-DCERPC-client-connec.patch delete mode 100644 SOURCES/0199-s3-rpc_server-Allow-RC4-encrypted-buffers-in-samr_Se.patch delete 
mode 100644 SOURCES/0200-s4-rpc_server-Allow-to-use-RC4-for-setting-passwords.patch
delete mode 100644 SOURCES/0201-s3-rpc_server-Only-announce-RC4-in-netlogon-server-i.patch
delete mode 100644 SOURCES/0202-s4-rpc_server-Only-announce-RC4-in-netlogon-server-i.patch
delete mode 100644 SOURCES/0203-s4-samdb-Allow-to-hash-password-using-MD5-in-samdb.patch
delete mode 100644 SOURCES/0204-lib-crypto-Allow-py_crypto-to-use-RC4-in-FIPS-mode.patch
delete mode 100644 SOURCES/0205-param-Do-not-use-weak-crypto-for-kerberos-if-disallo.patch
delete mode 100644 SOURCES/0206-param-Do-not-use-weak-crypto-in-ldap-server-if-disal.patch
delete mode 100644 SOURCES/0207-libcli-auth-If-weak-crypto-is-disallowed-reject-md5-.patch
delete mode 100644 SOURCES/0208-s3-librpc-Only-use-RC4-if-our-systems-supports-it.patch
delete mode 100644 SOURCES/0209-s3-rpcserver-fix-security-level-check-for-DsRGetFore.patch
delete mode 100644 SOURCES/CVE-2019-14907-4.11.patch
create mode 100644 SOURCES/dnshostname_all.patch
delete mode 100644 SOURCES/krb5_no_des_411.patch
create mode 100644 SOURCES/ldapsslads-v4-12.patch
delete mode 100644 SOURCES/samba-4.10-fix-netbios-join.patch
delete mode 100644 SOURCES/samba-4.11.2.tar.asc
delete mode 100644 SOURCES/samba-4.11.3-fix_smb1_cli_qpathinfo_2_3.patch
delete mode 100644 SOURCES/samba-4.11.3-only_link_libnsl_libsocket_if_needed.patch
delete mode 100644 SOURCES/samba-4.11.7-fix_segfault_in_smbd_do_qfilepathinfo.patch
delete mode 100644 SOURCES/samba-4.11.7-fix_smbclient_debug_spam.patch
create mode 100644 SOURCES/samba-4.12-fix_pam_winbind_manpage.patch
create mode 100644 SOURCES/samba-4.12-fix_winbind_lookuprids.patch
create mode 100644 SOURCES/samba-4.12-gnutls-priority-list.patch
create mode 100644 SOURCES/samba-4.12-user-gencache.patch
create mode 100644 SOURCES/samba-4.12-vfs_ChDir.patch
create mode 100644 SOURCES/samba-4.12.3.tar.asc
diff --git a/.gitignore b/.gitignore
index a0f2568..ef5deb1 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,2 @@
 SOURCES/gpgkey-52FBC0B86D954B0843324CDC6F33915B6568B7EA.gpg
-SOURCES/samba-4.11.2.tar.xz
+SOURCES/samba-4.12.3.tar.xz
diff --git a/.samba.metadata b/.samba.metadata
index 791c4ac..cddda37 100644
--- a/.samba.metadata
+++ b/.samba.metadata
@@ -1,2 +1,2 @@
 6bf33724c18b74427453f0e3fc0180f84ff60818 SOURCES/gpgkey-52FBC0B86D954B0843324CDC6F33915B6568B7EA.gpg
-e920c3d96119b51c1d12a2428e8830000b331fe5 SOURCES/samba-4.11.2.tar.xz
+5e1f1a069527fbb3eba6e484c60348cb84c8433f SOURCES/samba-4.12.3.tar.xz
diff --git a/SOURCES/0001-s3-profile-Use-SHA1-for-hashing-in-profiling-functio.patch b/SOURCES/0001-s3-profile-Use-SHA1-for-hashing-in-profiling-functio.patch
deleted file mode 100644
index c0139ce..0000000
--- a/SOURCES/0001-s3-profile-Use-SHA1-for-hashing-in-profiling-functio.patch
+++ /dev/null
@@ -1,61 +0,0 @@
-From 826e500242004b269219ad3deeacf0e01d136933 Mon Sep 17 00:00:00 2001
-From: Andreas Schneider
-Date: Mon, 1 Jul 2019 16:54:15 +0200
-Subject: [PATCH 001/187] s3:profile: Use SHA1 for hashing in profiling
- functions.
-
-This can use SHA NI instructions if the CPU supports it.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=14031
-
-Signed-off-by: Andreas Schneider
-Reviewed-by: Ralph Boehme
-(cherry picked from commit 6fe2193b17ac2d57c559d3b936b37238d06d6be8)
----
- source3/profile/profile.c | 11 +++++------
- 1 file changed, 5 insertions(+), 6 deletions(-)
-
-diff --git a/source3/profile/profile.c b/source3/profile/profile.c
-index df0ba5b0af3..90a30f01f58 100644
---- a/source3/profile/profile.c
-+++ b/source3/profile/profile.c
-@@ -124,7 +124,7 @@ static void reqprofile_message(struct messaging_context *msg_ctx,
- ******************************************************************/
- bool profile_setup(struct messaging_context *msg_ctx, bool rdonly)
- {
-- unsigned char tmp[16] = {};
-+ uint8_t digest[gnutls_hash_get_len(GNUTLS_DIG_SHA1)];
- gnutls_hash_hd_t hash_hnd = NULL;
- char *db_name;
- bool ok = false;
-@@ -154,7 +154,7 @@ bool profile_setup(struct messaging_context *msg_ctx, bool rdonly)
- reqprofile_message);
- }
-
-- rc = gnutls_hash_init(&hash_hnd, GNUTLS_DIG_MD5);
-+ rc = gnutls_hash_init(&hash_hnd, GNUTLS_DIG_SHA1);
- if (rc < 0) {
- goto out;
- }
-@@ -210,15 +210,14 @@ bool profile_setup(struct messaging_context *msg_ctx, bool rdonly)
- goto out;
- }
-
-- gnutls_hash_deinit(hash_hnd, tmp);
-+ gnutls_hash_deinit(hash_hnd, digest);
-
- profile_p = &smbprofile_state.stats.global;
-
-- profile_p->magic = BVAL(tmp, 0);
-+ profile_p->magic = BVAL(digest, 0);
- if (profile_p->magic == 0) {
-- profile_p->magic = BVAL(tmp, 8);
-+ profile_p->magic = BVAL(digest, 8);
- }
-- ZERO_ARRAY(tmp);
-
- ok = true;
- out:
---
-2.23.0
-
diff --git a/SOURCES/0002-lib-crypto-Fix-path-to-header-file-in-gnutls_helpers.patch b/SOURCES/0002-lib-crypto-Fix-path-to-header-file-in-gnutls_helpers.patch
deleted file mode 100644
index 7c82b01..0000000
--- a/SOURCES/0002-lib-crypto-Fix-path-to-header-file-in-gnutls_helpers.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-From bb29683ddc7cdacfe9129074652d97a11a9084af Mon Sep 17 00:00:00 2001
-From: Andreas Schneider
-Date: Fri, 5 Jul 2019 16:28:27 +0200
-Subject: [PATCH 002/187] lib:crypto: Fix path to header file in
- gnutls_helpers.h
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=14031
-
-Signed-off-by: Andreas Schneider
-Reviewed-by: Ralph Boehme
-(cherry picked from commit a31a40b41a18ae09a4e2e76f41c95b011ed30bea)
----
- lib/crypto/gnutls_helpers.h | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/lib/crypto/gnutls_helpers.h b/lib/crypto/gnutls_helpers.h
-index b8288c25649..7c950c79525 100644
---- a/lib/crypto/gnutls_helpers.h
-+++ b/lib/crypto/gnutls_helpers.h
-@@ -18,8 +18,8 @@
- #ifndef _GNUTLS_HELPERS_H
- #define _GNUTLS_HELPERS_H
-
--#include "ntstatus.h"
--#include "werror.h"
-+#include "libcli/util/ntstatus.h"
-+#include "libcli/util/werror.h"
-
- NTSTATUS _gnutls_error_to_ntstatus(int gnutls_rc,
- NTSTATUS blocked_status,
---
-2.23.0
-
diff --git a/SOURCES/0003-lib-crypto-Add-GNUTLS_FIPS140_SET_-LAX-STRICT-_MODE-.patch b/SOURCES/0003-lib-crypto-Add-GNUTLS_FIPS140_SET_-LAX-STRICT-_MODE-.patch
deleted file mode 100644
index 9e58569..0000000
--- a/SOURCES/0003-lib-crypto-Add-GNUTLS_FIPS140_SET_-LAX-STRICT-_MODE-.patch
+++ /dev/null
@@ -1,65 +0,0 @@
-From bd6da0ff651385f14f8414ecb440e228d5a8a7d1 Mon Sep 17 00:00:00 2001
-From: Andreas Schneider
-Date: Fri, 5 Jul 2019 10:38:44 +0200
-Subject: [PATCH 003/187] lib:crypto: Add GNUTLS_FIPS140_SET_(LAX|STRICT)_MODE
- to helpers
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=14031
-
-Signed-off-by: Andreas Schneider
-Reviewed-by: Ralph Boehme
-(cherry picked from commit 31a943fa0890438cffc67a566373f36c94c0a5a8)
----
- lib/crypto/gnutls_helpers.h | 11 +++++++++++
- source3/modules/hash_inode.c | 10 +---------
- 2 files changed, 12 insertions(+), 9 deletions(-)
-
-diff --git a/lib/crypto/gnutls_helpers.h b/lib/crypto/gnutls_helpers.h
-index 7c950c79525..8a2a49baf73 100644
---- a/lib/crypto/gnutls_helpers.h
-+++ b/lib/crypto/gnutls_helpers.h
-@@ -18,9 +18,20 @@
- #ifndef _GNUTLS_HELPERS_H
- #define _GNUTLS_HELPERS_H
-
-+#include
-+
- #include "libcli/util/ntstatus.h"
- #include "libcli/util/werror.h"
-
-+/* Those macros are only available in GnuTLS >= 3.6.4 */
-+#ifndef GNUTLS_FIPS140_SET_LAX_MODE
-+#define GNUTLS_FIPS140_SET_LAX_MODE()
-+#endif
-+
-+#ifndef GNUTLS_FIPS140_SET_STRICT_MODE
-+#define GNUTLS_FIPS140_SET_STRICT_MODE()
-+#endif
-+
- NTSTATUS _gnutls_error_to_ntstatus(int gnutls_rc,
- NTSTATUS blocked_status,
- const char *function,
-diff --git a/source3/modules/hash_inode.c b/source3/modules/hash_inode.c
-index 231538c72cb..a9144621901 100644
---- a/source3/modules/hash_inode.c
-+++ b/source3/modules/hash_inode.c
-@@ -22,15 +22,7 @@
-
- #include
- #include
--
--/* Those macros are only available in GnuTLS >= 3.6.4 */
--#ifndef GNUTLS_FIPS140_SET_LAX_MODE
--#define GNUTLS_FIPS140_SET_LAX_MODE()
--#endif
--
--#ifndef GNUTLS_FIPS140_SET_STRICT_MODE
--#define GNUTLS_FIPS140_SET_STRICT_MODE()
--#endif
-+#include "lib/crypto/gnutls_helpers.h"
-
- SMB_INO_T hash_inode(const SMB_STRUCT_STAT *sbuf, const char *sname)
- {
---
-2.23.0
-
diff --git a/SOURCES/0004-s3-profile-Allow-profile-subsystem-to-use-SHA1-in-FI.patch b/SOURCES/0004-s3-profile-Allow-profile-subsystem-to-use-SHA1-in-FI.patch
deleted file mode 100644
index 853541d..0000000
--- a/SOURCES/0004-s3-profile-Allow-profile-subsystem-to-use-SHA1-in-FI.patch
+++ /dev/null
@@ -1,63 +0,0 @@
-From 4728c82b9a9d857bac4cf04434856daa8d739995 Mon Sep 17 00:00:00 2001
-From: Andreas Schneider
-Date: Wed, 15 May 2019 08:41:12 +0200
-Subject: [PATCH 004/187] s3:profile: Allow profile subsystem to use SHA1 in
- FIPS mode
-
-This is non-cryptographic use.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=14031
-
-Signed-off-by: Andreas Schneider
-Reviewed-by: Ralph Boehme
-
-Autobuild-User(master): Andreas Schneider
-Autobuild-Date(master): Tue Jul 9 13:31:46 UTC 2019 on sn-devel-184
-
-(cherry picked from commit ccf3e76625c42f5aceea0882971a232a9f56a971)
----
- source3/profile/profile.c | 7 +++++++
- 1 file changed, 7 insertions(+)
-
-diff --git a/source3/profile/profile.c b/source3/profile/profile.c
-index 90a30f01f58..7e17d065d75 100644
---- a/source3/profile/profile.c
-+++ b/source3/profile/profile.c
-@@ -35,6 +35,7 @@
-
- #include
- #include
-+#include "lib/crypto/gnutls_helpers.h"
-
- struct profile_stats *profile_p;
- struct smbprofile_global_state smbprofile_state;
-@@ -154,6 +155,8 @@ bool profile_setup(struct messaging_context *msg_ctx, bool rdonly)
- reqprofile_message);
- }
-
-+ GNUTLS_FIPS140_SET_LAX_MODE();
-+
- rc = gnutls_hash_init(&hash_hnd, GNUTLS_DIG_SHA1);
- if (rc < 0) {
- goto out;
-@@ -212,6 +215,8 @@ bool profile_setup(struct messaging_context *msg_ctx, bool rdonly)
-
- gnutls_hash_deinit(hash_hnd, digest);
-
-+ GNUTLS_FIPS140_SET_STRICT_MODE();
-+
- profile_p = &smbprofile_state.stats.global;
-
- profile_p->magic = BVAL(digest, 0);
-@@ -221,6 +226,8 @@ bool profile_setup(struct messaging_context *msg_ctx, bool rdonly)
-
- ok = true;
- out:
-+ GNUTLS_FIPS140_SET_STRICT_MODE();
-+
- return ok;
- }
-
---
-2.23.0
-
diff --git a/SOURCES/0005-lib-util-Use-GnuTLS-random-number-generator-in-genra.patch b/SOURCES/0005-lib-util-Use-GnuTLS-random-number-generator-in-genra.patch
deleted file mode 100644
index b939f95..0000000
--- a/SOURCES/0005-lib-util-Use-GnuTLS-random-number-generator-in-genra.patch
+++ /dev/null
@@ -1,114 +0,0 @@
-From 290c078652ffcacd69b0b00ea5e5413515c5de22 Mon Sep 17 00:00:00 2001
-From: Andreas Schneider
-Date: Mon, 18 Mar 2019 17:03:30 +0100
-Subject: [PATCH 005/187] lib:util: Use GnuTLS random number generator in
- genrand.c
-
-FIPS requires that a random number generator from a certified crypto
-library is used.
-
-Signed-off-by: Andreas Schneider
-Reviewed-by: Jeremy Allison
-
-Autobuild-User(master): Jeremy Allison
-Autobuild-Date(master): Thu Jul 18 01:30:20 UTC 2019 on sn-devel-184
-
-(cherry picked from commit 664eed2e926f8f572b81e6d7c8e09b7ccbafb908)
----
- lib/util/genrand.c | 31 +++++++------------------------
- lib/util/genrand.h | 11 ++++-------
- lib/util/wscript_build | 2 +-
- 3 files changed, 12 insertions(+), 32 deletions(-)
-
-diff --git a/lib/util/genrand.c b/lib/util/genrand.c
-index a775535c49e..55997c3dd55 100644
---- a/lib/util/genrand.c
-+++ b/lib/util/genrand.c
-@@ -20,35 +20,17 @@
- */
-
- #include "replace.h"
--#include "system/filesys.h"
- #include "lib/util/genrand.h"
--#include "sys_rw_data.h"
--#include "lib/util/blocking.h"
-
--static int urand_fd = -1;
-+#include
-+#include
-
--static void open_urandom(void)
--{
-- if (urand_fd != -1) {
-- return;
-- }
-- urand_fd = open( "/dev/urandom", O_RDONLY,0);
-- if (urand_fd == -1) {
-- abort();
-- }
-- smb_set_close_on_exec(urand_fd);
--}
-+/* TODO: Add API for generating nonce or use gnutls_rnd directly everywhere. */
-
- _PUBLIC_ void generate_random_buffer(uint8_t *out, int len)
- {
-- ssize_t rw_ret;
--
-- open_urandom();
--
-- rw_ret = read_data(urand_fd, out, len);
-- if (rw_ret != len) {
-- abort();
-- }
-+ /* Thread and fork safe random number generator for temporary keys.
*/
-+ gnutls_rnd(GNUTLS_RND_RANDOM, out, len);
- }
-
- /*
-@@ -57,5 +39,6 @@ _PUBLIC_ void generate_random_buffer(uint8_t *out, int len)
- */
- _PUBLIC_ void generate_secret_buffer(uint8_t *out, int len)
- {
-- generate_random_buffer(out, len);
-+ /* Thread and fork safe random number generator for long term keys. */
-+ gnutls_rnd(GNUTLS_RND_KEY, out, len);
- }
-diff --git a/lib/util/genrand.h b/lib/util/genrand.h
-index ef6bbc64157..899ce8badc0 100644
---- a/lib/util/genrand.h
-+++ b/lib/util/genrand.h
-@@ -20,14 +20,11 @@
- */
-
- /**
-- Interface to the (hopefully) good crypto random number generator.
-- Will use our internal PRNG if more than 40 bytes of random generation
-- has been requested, otherwise tries to read from /dev/random
--**/
-+ * Thread and fork safe random number generator for temporary keys.
-+ */
- void generate_random_buffer(uint8_t *out, int len);
-
- /**
-- Interface to the (hopefully) good crypto random number generator.
-- Will always use /dev/urandom if available.
--**/
-+ * Thread and fork safe random number generator for long term keys.
-+ */
- void generate_secret_buffer(uint8_t *out, int len);
-diff --git a/lib/util/wscript_build b/lib/util/wscript_build
-index ff1c76e3686..5f005c41e49 100644
---- a/lib/util/wscript_build
-+++ b/lib/util/wscript_build
-@@ -104,7 +104,7 @@ else:
-
- bld.SAMBA_LIBRARY('genrand',
- source='genrand.c',
-- deps='replace socket-blocking sys_rw',
-+ deps='replace gnutls',
- local_include=False,
- private_library=True)
-
---
-2.23.0
-
diff --git a/SOURCES/0006-lib-crypto-Document-gnutls_error_to_werror.patch b/SOURCES/0006-lib-crypto-Document-gnutls_error_to_werror.patch
deleted file mode 100644
index c26f699..0000000
--- a/SOURCES/0006-lib-crypto-Document-gnutls_error_to_werror.patch
+++ /dev/null
@@ -1,49 +0,0 @@
-From 8391caf4f4aa8fed5167b5e5cf04197a29ba40e8 Mon Sep 17 00:00:00 2001
-From: Andreas Schneider
-Date: Thu, 18 Jul 2019 13:27:57 +0200
-Subject: [PATCH 006/187] lib:crypto: Document gnutls_error_to_werror()
-
-Signed-off-by: Andreas Schneider
-Reviewed-by: Andrew Bartlett
-(cherry picked from commit e43678b84a3434b977f44b265599f1d9207d3b78)
----
- lib/crypto/gnutls_helpers.h | 16 ++++++++++++++++
- 1 file changed, 16 insertions(+)
-
-diff --git a/lib/crypto/gnutls_helpers.h b/lib/crypto/gnutls_helpers.h
-index 8a2a49baf73..debaa701554 100644
---- a/lib/crypto/gnutls_helpers.h
-+++ b/lib/crypto/gnutls_helpers.h
-@@ -40,6 +40,21 @@ NTSTATUS _gnutls_error_to_ntstatus(int gnutls_rc,
- _gnutls_error_to_ntstatus(gnutls_rc, blocked_status, \
- __FUNCTION__, __location__)
-
-+#ifdef DOXYGEN
-+/**
-+ * @brief Convert a gnutls error code to a corresponding WERROR.
-+ *
-+ * @param[in] gnutls_rc The GnuTLS return code.
-+ *
-+ * @param[in] blocked_werr The WERROR code which should be returned if e.g
-+ * the cipher we want to used it not allowed to be
-+ * used because of FIPS mode.
-+ *
-+ * @return A corresponding WERROR code.
-+ */
-+WERROR gnutls_error_to_werror(int gnutls_rc,
-+ WERROR blocked_werr);
-+#else
- WERROR _gnutls_error_to_werror(int gnutls_rc,
- WERROR blocked_werr,
- const char *function,
-@@ -47,6 +62,7 @@ WERROR _gnutls_error_to_werror(int gnutls_rc,
- #define gnutls_error_to_werror(gnutls_rc, blocked_werr) \
- _gnutls_error_to_werror(gnutls_rc, blocked_werr, \
- __FUNCTION__, __location__)
-+#endif
-
- enum samba_gnutls_direction {
- SAMBA_GNUTLS_ENCRYPT,
---
-2.23.0
-
diff --git a/SOURCES/0007-lib-crypto-Document-samba_gnutls_arcfour_confounded_.patch b/SOURCES/0007-lib-crypto-Document-samba_gnutls_arcfour_confounded_.patch
deleted file mode 100644
index 297b242..0000000
--- a/SOURCES/0007-lib-crypto-Document-samba_gnutls_arcfour_confounded_.patch
+++ /dev/null
@@ -1,45 +0,0 @@
-From 47f922c797006a3158fa3e077a7086086917b5e4 Mon Sep 17 00:00:00 2001
-From: Andreas Schneider
-Date: Thu, 18 Jul 2019 13:33:54 +0200
-Subject: [PATCH 007/187] lib:crypto: Document
- samba_gnutls_arcfour_confounded_md5()
-
-Signed-off-by: Andreas Schneider
-Reviewed-by: Andrew Bartlett
-(cherry picked from commit baa96ef20945638fb5ee76b03543c7b611e9c7d7)
----
- lib/crypto/gnutls_helpers.h | 18 ++++++++++++++++++
- 1 file changed, 18 insertions(+)
-
-diff --git a/lib/crypto/gnutls_helpers.h b/lib/crypto/gnutls_helpers.h
-index debaa701554..d6000c7b316 100644
---- a/lib/crypto/gnutls_helpers.h
-+++ b/lib/crypto/gnutls_helpers.h
-@@ -69,6 +69,24 @@ enum samba_gnutls_direction {
- SAMBA_GNUTLS_DECRYPT
- };
-
-+/**
-+ * @brief Encrypt or decrypt a data blob using RC4 with a key and salt.
-+ *
-+ * One of the key input should be a session key and the other a confounder
-+ * (aka salt). Which one depends on the implementation details of the
-+ * protocol.
-+ *
-+ * @param[in] key_input1 Either a session_key or a confounder.
-+ *
-+ * @param[in] key_input2 Either a session_key or a confounder.
-+ *
-+ * @param[in] data The data blob ot either encrypt or decrypt. The data
-+ * will be encrypted or decrypted in place.
-+ *
-+ * @param[in] encrypt The encryption direction.
-+ *
-+ * @return A gnutls error code.
-+ */
- int samba_gnutls_arcfour_confounded_md5(const DATA_BLOB *key_input1,
- const DATA_BLOB *key_input2,
- DATA_BLOB *data,
---
-2.23.0
-
diff --git a/SOURCES/0008-s3-rpc_client-Return-NTSTATUS-for-init_samr_CryptPas.patch b/SOURCES/0008-s3-rpc_client-Return-NTSTATUS-for-init_samr_CryptPas.patch
deleted file mode 100644
index d3f8436..0000000
--- a/SOURCES/0008-s3-rpc_client-Return-NTSTATUS-for-init_samr_CryptPas.patch
+++ /dev/null
@@ -1,150 +0,0 @@
-From bcbc9eca11583426d9b0e7ce4d4e51b16bda32f0 Mon Sep 17 00:00:00 2001
-From: Andreas Schneider
-Date: Wed, 29 May 2019 16:22:11 +0200
-Subject: [PATCH 008/187] s3:rpc_client: Return NTSTATUS for
- init_samr_CryptPassword()
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=14031
-
-Signed-off-by: Andreas Schneider
-Reviewed-by: Andrew Bartlett
-(cherry picked from commit 4b9b1dbe9c8c988a39b1318a4f7aac031bc1ea8b)
----
- source3/lib/netapi/user.c | 9 ++++++---
- source3/libnet/libnet_join.c | 10 +++++++---
- source3/rpc_client/init_samr.c | 14 ++++++++++----
- source3/rpc_client/init_samr.h | 6 +++---
- source3/rpcclient/cmd_samr.c | 5 ++++-
- source3/utils/net_rpc.c | 9 ++++++---
- 6 files changed, 36 insertions(+), 17 deletions(-)
-
-diff --git a/source3/lib/netapi/user.c b/source3/lib/netapi/user.c
-index 4b66dab2f99..2136ef47ee6 100644
---- a/source3/lib/netapi/user.c
-+++ b/source3/lib/netapi/user.c
-@@ -326,9 +326,12 @@ static NTSTATUS set_user_info_USER_INFO_X(TALLOC_CTX *ctx,
-
- user_info.info23.info = info21;
-
-- init_samr_CryptPassword(uX->usriX_password,
-- session_key,
-- &user_info.info23.password);
-+ status = init_samr_CryptPassword(uX->usriX_password,
-+ session_key,
-+ &user_info.info23.password);
-+ if (!NT_STATUS_IS_OK(status)) {
-+ return status;
-+ }
-
- status = dcerpc_samr_SetUserInfo2(b, talloc_tos(),
- user_handle,
-diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
-index 9d4f656ffec..abf8672d050 100644
---- a/source3/libnet/libnet_join.c
-+++ b/source3/libnet/libnet_join.c
-@@ -1570,9 +1570,12 @@ static NTSTATUS libnet_join_joindomain_rpc(TALLOC_CTX *mem_ctx,
-
- /* retry with level 24 */
-
-- init_samr_CryptPassword(r->in.machine_password,
-- &session_key,
-- &crypt_pwd);
-+ status = init_samr_CryptPassword(r->in.machine_password,
-+ &session_key,
-+ &crypt_pwd);
-+ if (!NT_STATUS_IS_OK(status)) {
-+ goto error;
-+ }
-
- user_info.info24.password = crypt_pwd;
- user_info.info24.password_expired =
PASS_DONT_CHANGE_AT_NEXT_LOGON;
-@@ -1584,6 +1587,7 @@ static NTSTATUS libnet_join_joindomain_rpc(TALLOC_CTX *mem_ctx,
- &result);
- }
-
-+error:
- old_timeout = rpccli_set_timeout(pipe_hnd, old_timeout);
-
- if (!NT_STATUS_IS_OK(status)) {
-diff --git a/source3/rpc_client/init_samr.c b/source3/rpc_client/init_samr.c
-index d116ece576f..8b41ec2f10f 100644
---- a/source3/rpc_client/init_samr.c
-+++ b/source3/rpc_client/init_samr.c
-@@ -81,12 +81,18 @@ out:
- inits a samr_CryptPassword structure
- *************************************************************************/
-
--void init_samr_CryptPassword(const char *pwd,
-- DATA_BLOB *session_key,
-- struct samr_CryptPassword *pwd_buf)
-+NTSTATUS init_samr_CryptPassword(const char *pwd,
-+ DATA_BLOB *session_key,
-+ struct samr_CryptPassword *pwd_buf)
- {
- /* samr_CryptPassword */
-+ bool ok;
-
-- encode_pw_buffer(pwd_buf->data, pwd, STR_UNICODE);
-+ ok = encode_pw_buffer(pwd_buf->data, pwd, STR_UNICODE);
-+ if (!ok) {
-+ return NT_STATUS_INTERNAL_ERROR;
-+ }
- arcfour_crypt_blob(pwd_buf->data, 516, session_key);
-+
-+ return NT_STATUS_OK;
- }
-diff --git a/source3/rpc_client/init_samr.h b/source3/rpc_client/init_samr.h
-index 223fa91e3d9..4214ab55a04 100644
---- a/source3/rpc_client/init_samr.h
-+++ b/source3/rpc_client/init_samr.h
-@@ -25,8 +25,8 @@
- void init_samr_CryptPasswordEx(const char *pwd,
- DATA_BLOB *session_key,
- struct samr_CryptPasswordEx *pwd_buf);
--void init_samr_CryptPassword(const char *pwd,
-- DATA_BLOB *session_key,
-- struct samr_CryptPassword *pwd_buf);
-+NTSTATUS init_samr_CryptPassword(const char *pwd,
-+ DATA_BLOB *session_key,
-+ struct samr_CryptPassword *pwd_buf);
-
- #endif /* _RPC_CLIENT_INIT_SAMR_H_ */
-diff --git a/source3/rpcclient/cmd_samr.c b/source3/rpcclient/cmd_samr.c
-index 8cbf8ab24bd..ccaec1ada40 100644
---- a/source3/rpcclient/cmd_samr.c
-+++ b/source3/rpcclient/cmd_samr.c
-@@ -3063,7 +3063,10 @@ static NTSTATUS cmd_samr_setuserinfo_int(struct rpc_pipe_client *cli,
-
return status;
- }
-
-- init_samr_CryptPassword(param, &session_key, &pwd_buf);
-+ status = init_samr_CryptPassword(param, &session_key, &pwd_buf);
-+ if (!NT_STATUS_IS_OK(status)) {
-+ return status;
-+ }
- init_samr_CryptPasswordEx(param, &session_key, &pwd_buf_ex);
- nt_lm_owf_gen(param, nt_hash, lm_hash);
-
-diff --git a/source3/utils/net_rpc.c b/source3/utils/net_rpc.c
-index a56190f7be5..f6fb892a2d9 100644
---- a/source3/utils/net_rpc.c
-+++ b/source3/utils/net_rpc.c
-@@ -6195,9 +6195,12 @@ static NTSTATUS rpc_trustdom_add_internals(struct net_context *c,
-
- ZERO_STRUCT(info.info23);
-
-- init_samr_CryptPassword(argv[1],
-- &session_key,
-- &crypt_pwd);
-+ status = init_samr_CryptPassword(argv[1],
-+ &session_key,
-+ &crypt_pwd);
-+ if (!NT_STATUS_IS_OK(status)) {
-+ goto done;
-+ }
-
- info.info23.info.fields_present = SAMR_FIELD_ACCT_FLAGS |
- SAMR_FIELD_NT_PASSWORD_PRESENT;
---
-2.23.0
-
diff --git a/SOURCES/0009-s3-rpc_client-Return-NTSTATUS-for-init_samr_CryptPas.patch b/SOURCES/0009-s3-rpc_client-Return-NTSTATUS-for-init_samr_CryptPas.patch
deleted file mode 100644
index 81ce920..0000000
--- a/SOURCES/0009-s3-rpc_client-Return-NTSTATUS-for-init_samr_CryptPas.patch
+++ /dev/null
@@ -1,199 +0,0 @@
-From 97f9ec9431ebf22ae06f61c97c183e04b59d6e7f Mon Sep 17 00:00:00 2001
-From: Andreas Schneider
-Date: Wed, 29 May 2019 17:16:26 +0200
-Subject: [PATCH 009/187] s3:rpc_client: Return NTSTATUS for
- init_samr_CryptPasswordEx()
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=14031
-
-Signed-off-by: Andreas Schneider
-Reviewed-by: Andrew Bartlett
-(cherry picked from commit 7915a48e53c8f72ba56da2f433427b961feeb16f)
----
- source3/lib/netapi/user.c | 9 ++++---
- source3/libnet/libnet_join.c | 9 ++++---
- source3/rpc_client/init_samr.c | 27 +++++++++++++++------
- source3/rpc_client/init_samr.h | 6 ++---
- source3/rpc_server/netlogon/srv_netlog_nt.c | 9 ++++---
- source3/rpcclient/cmd_samr.c | 5 +++-
- 6 files changed, 44 insertions(+), 21 deletions(-)
-
-diff --git a/source3/lib/netapi/user.c b/source3/lib/netapi/user.c
-index 2136ef47ee6..827b7902040 100644
---- a/source3/lib/netapi/user.c
-+++ b/source3/lib/netapi/user.c
-@@ -313,9 +313,12 @@ static NTSTATUS set_user_info_USER_INFO_X(TALLOC_CTX *ctx,
-
- user_info.info25.info = info21;
-
-- init_samr_CryptPasswordEx(uX->usriX_password,
-- session_key,
-- &user_info.info25.password);
-+ status = init_samr_CryptPasswordEx(uX->usriX_password,
-+ session_key,
-+ &user_info.info25.password);
-+ if (!NT_STATUS_IS_OK(status)) {
-+ return status;
-+ }
-
- status = dcerpc_samr_SetUserInfo2(b, talloc_tos(),
- user_handle,
-diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
-index abf8672d050..eb8e0ea17f7 100644
---- a/source3/libnet/libnet_join.c
-+++ b/source3/libnet/libnet_join.c
-@@ -1553,9 +1553,12 @@ static NTSTATUS libnet_join_joindomain_rpc(TALLOC_CTX *mem_ctx,
- */
- old_timeout = rpccli_set_timeout(pipe_hnd, 600000);
-
-- init_samr_CryptPasswordEx(r->in.machine_password,
-- &session_key,
-- &crypt_pwd_ex);
-+ status = init_samr_CryptPasswordEx(r->in.machine_password,
-+ &session_key,
-+ &crypt_pwd_ex);
-+ if (!NT_STATUS_IS_OK(status)) {
-+ goto error;
-+ }
-
-
user_info.info26.password = crypt_pwd_ex;
- user_info.info26.password_expired = PASS_DONT_CHANGE_AT_NEXT_LOGON;
-diff --git a/source3/rpc_client/init_samr.c b/source3/rpc_client/init_samr.c
-index 8b41ec2f10f..5f6cbc5d3c7 100644
---- a/source3/rpc_client/init_samr.c
-+++ b/source3/rpc_client/init_samr.c
-@@ -22,6 +22,7 @@
- #include "../lib/crypto/arcfour.h"
- #include "rpc_client/init_samr.h"
-
-+#include "lib/crypto/gnutls_helpers.h"
- #include
- #include
-
-@@ -29,9 +30,9 @@
- inits a samr_CryptPasswordEx structure
- *************************************************************************/
-
--void init_samr_CryptPasswordEx(const char *pwd,
-- DATA_BLOB *session_key,
-- struct samr_CryptPasswordEx *pwd_buf)
-+NTSTATUS init_samr_CryptPasswordEx(const char *pwd,
-+ DATA_BLOB *session_key,
-+ struct samr_CryptPasswordEx *pwd_buf)
- {
- /* samr_CryptPasswordEx */
-
-@@ -39,42 +40,52 @@ void init_samr_CryptPasswordEx(const char *pwd,
- gnutls_hash_hd_t hash_hnd = NULL;
- uint8_t confounder[16];
- DATA_BLOB confounded_session_key = data_blob(NULL, 16);
-+ NTSTATUS status;
-+ bool ok;
- int rc;
-
-- encode_pw_buffer(pwbuf, pwd, STR_UNICODE);
-+ ok = encode_pw_buffer(pwbuf, pwd, STR_UNICODE);
-+ if (!ok) {
-+ status = NT_STATUS_INTERNAL_ERROR;
-+ goto out;
-+ }
-
- generate_random_buffer((uint8_t *)confounder, 16);
-
- rc = gnutls_hash_init(&hash_hnd, GNUTLS_DIG_MD5);
- if (rc < 0) {
-+ status = gnutls_error_to_ntstatus(rc, NT_STATUS_HASH_NOT_SUPPORTED);
- goto out;
- }
-
- rc = gnutls_hash(hash_hnd, confounder, 16);
- if (rc < 0) {
- gnutls_hash_deinit(hash_hnd, NULL);
-+ status = gnutls_error_to_ntstatus(rc, NT_STATUS_HASH_NOT_SUPPORTED);
- goto out;
- }
- rc = gnutls_hash(hash_hnd, session_key->data, session_key->length);
- if (rc < 0) {
- gnutls_hash_deinit(hash_hnd, NULL);
-+ status = gnutls_error_to_ntstatus(rc, NT_STATUS_HASH_NOT_SUPPORTED);
- goto out;
- }
-
- gnutls_hash_deinit(hash_hnd, confounded_session_key.data);
-
- arcfour_crypt_blob(pwbuf, 516,
&confounded_session_key);
-- ZERO_ARRAY_LEN(confounded_session_key.data,
-- confounded_session_key.length);
-- data_blob_free(&confounded_session_key);
-+ data_blob_clear_free(&confounded_session_key);
-
- memcpy(&pwbuf[516], confounder, 16);
- ZERO_ARRAY(confounder);
-
- memcpy(pwd_buf->data, pwbuf, sizeof(pwbuf));
- ZERO_ARRAY(pwbuf);
-+
-+ status = NT_STATUS_OK;
- out:
-- return;
-+ data_blob_clear_free(&confounded_session_key);
-+ return status;
- }
-
- /*************************************************************************
-diff --git a/source3/rpc_client/init_samr.h b/source3/rpc_client/init_samr.h
-index 4214ab55a04..3f0dc847dd2 100644
---- a/source3/rpc_client/init_samr.h
-+++ b/source3/rpc_client/init_samr.h
-@@ -22,9 +22,9 @@
-
- /* The following definitions come from rpc_client/init_samr.c */
-
--void init_samr_CryptPasswordEx(const char *pwd,
-- DATA_BLOB *session_key,
-- struct samr_CryptPasswordEx *pwd_buf);
-+NTSTATUS init_samr_CryptPasswordEx(const char *pwd,
-+ DATA_BLOB *session_key,
-+ struct samr_CryptPasswordEx *pwd_buf);
- NTSTATUS init_samr_CryptPassword(const char *pwd,
- DATA_BLOB *session_key,
- struct samr_CryptPassword *pwd_buf);
-diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c
-index c9aaa90cbb9..d5267bf7062 100644
---- a/source3/rpc_server/netlogon/srv_netlog_nt.c
-+++ b/source3/rpc_server/netlogon/srv_netlog_nt.c
-@@ -1226,9 +1226,12 @@ static NTSTATUS netr_set_machine_account_password(TALLOC_CTX *mem_ctx,
-
- infolevel = UserInternal5InformationNew;
-
-- init_samr_CryptPasswordEx(cr->creds.password,
-- &session_key,
-- &info26.password);
-+ status = init_samr_CryptPasswordEx(cr->creds.password,
-+ &session_key,
-+ &info26.password);
-+ if (!NT_STATUS_IS_OK(status)) {
-+ goto out;
-+ }
-
- info26.password_expired = PASS_DONT_CHANGE_AT_NEXT_LOGON;
- info->info26 = info26;
-diff --git a/source3/rpcclient/cmd_samr.c b/source3/rpcclient/cmd_samr.c
-index ccaec1ada40..b1b7c06515c
100644
---- a/source3/rpcclient/cmd_samr.c
-+++ b/source3/rpcclient/cmd_samr.c
-@@ -3067,7 +3067,10 @@ static NTSTATUS cmd_samr_setuserinfo_int(struct rpc_pipe_client *cli,
- if (!NT_STATUS_IS_OK(status)) {
- return status;
- }
-- init_samr_CryptPasswordEx(param, &session_key, &pwd_buf_ex);
-+ status = init_samr_CryptPasswordEx(param, &session_key, &pwd_buf_ex);
-+ if (!NT_STATUS_IS_OK(status)) {
-+ return status;
-+ }
- nt_lm_owf_gen(param, nt_hash, lm_hash);
-
- switch (level) {
---
-2.23.0
-
diff --git a/SOURCES/0010-libcli-auth-Return-NTSTATUS-for-encode_or_decode_arc.patch b/SOURCES/0010-libcli-auth-Return-NTSTATUS-for-encode_or_decode_arc.patch
deleted file mode 100644
index 8f97449..0000000
--- a/SOURCES/0010-libcli-auth-Return-NTSTATUS-for-encode_or_decode_arc.patch
+++ /dev/null
@@ -1,115 +0,0 @@
-From 6125794925d054da191cf6c21a76ceb904848710 Mon Sep 17 00:00:00 2001
-From: Andreas Schneider
-Date: Wed, 29 May 2019 14:57:52 +0200
-Subject: [PATCH 010/187] libcli:auth: Return NTSTATUS for
- encode_or_decode_arc4_passwd_buffer()
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=14031
-
-Signed-off-by: Andreas Schneider
-Reviewed-by: Andrew Bartlett
-(cherry picked from commit 57dd415ba49b9621deddf604a5bf148c10ebc37e)
----
- libcli/auth/proto.h | 3 ++-
- libcli/auth/smbencrypt.c | 10 ++++++++--
- source3/rpc_server/samr/srv_samr_nt.c | 10 ++++++++--
- 3 files changed, 18 insertions(+), 5 deletions(-)
-
-diff --git a/libcli/auth/proto.h b/libcli/auth/proto.h
-index afd7f0d148d..651f1139cf5 100644
---- a/libcli/auth/proto.h
-+++ b/libcli/auth/proto.h
-@@ -184,7 +184,8 @@ bool decode_pw_buffer(TALLOC_CTX *ctx,
- /***********************************************************
- Decode an arc4 encrypted password change buffer.
- ************************************************************/
--void encode_or_decode_arc4_passwd_buffer(unsigned char pw_buf[532], const DATA_BLOB *psession_key);
-+NTSTATUS encode_or_decode_arc4_passwd_buffer(unsigned char pw_buf[532],
-+ const DATA_BLOB *psession_key);
-
- /***********************************************************
- encode a password buffer with an already unicode password. The
-diff --git a/libcli/auth/smbencrypt.c b/libcli/auth/smbencrypt.c
-index a74ccf09b02..ae97f3cc93e 100644
---- a/libcli/auth/smbencrypt.c
-+++ b/libcli/auth/smbencrypt.c
-@@ -843,27 +843,32 @@ bool decode_pw_buffer(TALLOC_CTX *ctx,
- Decode an arc4 encrypted password change buffer.
- ************************************************************/
--void encode_or_decode_arc4_passwd_buffer(unsigned char pw_buf[532], const DATA_BLOB *psession_key)
-+NTSTATUS encode_or_decode_arc4_passwd_buffer(unsigned char pw_buf[532],
-+ const DATA_BLOB *psession_key)
- {
- gnutls_hash_hd_t hash_hnd = NULL;
- unsigned char key_out[16];
-+ NTSTATUS status;
- int rc;
-
- /* Confounder is last 16 bytes. */
-
- rc = gnutls_hash_init(&hash_hnd, GNUTLS_DIG_MD5);
- if (rc < 0) {
-+ status = gnutls_error_to_ntstatus(rc, NT_STATUS_HASH_NOT_SUPPORTED);
- goto out;
- }
-
- rc = gnutls_hash(hash_hnd, &pw_buf[516], 16);
- if (rc < 0) {
- gnutls_hash_deinit(hash_hnd, NULL);
-+ status = gnutls_error_to_ntstatus(rc, NT_STATUS_HASH_NOT_SUPPORTED);
- goto out;
- }
- rc = gnutls_hash(hash_hnd, psession_key->data, psession_key->length);
- if (rc < 0) {
- gnutls_hash_deinit(hash_hnd, NULL);
-+ status = gnutls_error_to_ntstatus(rc, NT_STATUS_HASH_NOT_SUPPORTED);
- goto out;
- }
- gnutls_hash_deinit(hash_hnd, key_out);
-@@ -873,8 +878,9 @@ void encode_or_decode_arc4_passwd_buffer(unsigned char pw_buf[532], const DATA_B
-
- ZERO_ARRAY(key_out);
-
-+ status = NT_STATUS_OK;
- out:
-- return;
-+ return status;
- }
-
- /***********************************************************
-diff --git a/source3/rpc_server/samr/srv_samr_nt.c b/source3/rpc_server/samr/srv_samr_nt.c
-index 124d6d38cd7..c2be8bfc19a 100644
---- a/source3/rpc_server/samr/srv_samr_nt.c
-+++ b/source3/rpc_server/samr/srv_samr_nt.c
-@@ -5185,9 +5185,12 @@ NTSTATUS _samr_SetUserInfo(struct pipes_struct *p,
- if(!NT_STATUS_IS_OK(status)) {
- break;
- }
-- encode_or_decode_arc4_passwd_buffer(
-+ status = encode_or_decode_arc4_passwd_buffer(
- info->info25.password.data,
- &session_key);
-+ if (!NT_STATUS_IS_OK(status)) {
-+ break;
-+ }
-
- dump_data(100, info->info25.password.data, 532);
-
-@@ -5201,9 +5204,12 @@ NTSTATUS _samr_SetUserInfo(struct pipes_struct *p,
- if(!NT_STATUS_IS_OK(status)) {
- break;
- }
--
encode_or_decode_arc4_passwd_buffer(
-+ status = encode_or_decode_arc4_passwd_buffer(
- info->info26.password.data,
- &session_key);
-+ if (!NT_STATUS_IS_OK(status)) {
-+ break;
-+ }
-
- dump_data(100, info->info26.password.data, 516);
-
---
-2.23.0
-
diff --git a/SOURCES/0011-libcli-auth-Add-test-for-decoding-an-RC4-password-bu.patch b/SOURCES/0011-libcli-auth-Add-test-for-decoding-an-RC4-password-bu.patch
deleted file mode 100644
index 6213705..0000000
--- a/SOURCES/0011-libcli-auth-Add-test-for-decoding-an-RC4-password-bu.patch
+++ /dev/null
@@ -1,234 +0,0 @@ -From f0d4f6ec31079506b01502f7b515245ace03227d Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Fri, 5 Jul 2019 09:39:02 +0200 -Subject: [PATCH 011/187] libcli:auth: Add test for decoding an RC4 password - buffer - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14031 - -Signed-off-by: Andreas Schneider -Reviewed-by: Andrew Bartlett -(cherry picked from commit 7ccc76f951a626a25d553ac85c5bf30eb29ffa2b) ---- - libcli/auth/tests/test_rc4_passwd_buffer.c | 177 +++++++++++++++++++++ - libcli/auth/wscript_build | 9 ++ - selftest/tests.py | 2 + - 3 files changed, 188 insertions(+) - create mode 100644 libcli/auth/tests/test_rc4_passwd_buffer.c - -diff --git a/libcli/auth/tests/test_rc4_passwd_buffer.c b/libcli/auth/tests/test_rc4_passwd_buffer.c -new file mode 100644 -index 00000000000..f40ac3a5655 ---- /dev/null -+++ b/libcli/auth/tests/test_rc4_passwd_buffer.c -@@ -0,0 +1,177 @@ -+/* -+ * Unix SMB/CIFS implementation. -+ * -+ * Copyright (C) 2018-2019 Andreas Schneider -+ * -+ * This program is free software; you can redistribute it and/or modify -+ * it under the terms of the GNU General Public License as published by -+ * the Free Software Foundation; either version 3 of the License, or -+ * (at your option) any later version. -+ * -+ * This program is distributed in the hope that it will be useful, -+ * but WITHOUT ANY WARRANTY; without even the implied warranty of -+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -+ * GNU General Public License for more details. -+ * -+ * You should have received a copy of the GNU General Public License -+ * along with this program. If not, see . 
-+ */ -+ -+#include -+#include -+#include -+#include -+#include -+ -+#include "includes.h" -+#include "libcli/auth/libcli_auth.h" -+#include "rpc_client/init_samr.h" -+ -+#define PASSWORD "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789" -+ -+static const uint8_t encrypted_test_blob[] = { -+ 0x37, 0x8e, 0x1d, 0xd5, 0xd3, 0x9f, 0xca, 0x8e, -+ 0x2f, 0x2d, 0xee, 0xc3, 0xb5, 0x50, 0xcd, 0x4e, -+ 0xc9, 0x08, 0x04, 0x68, 0x32, 0xc3, 0xac, 0x8e, -+ 0x53, 0x69, 0xd6, 0xb7, 0x56, 0xcc, 0xc0, 0xbe, -+ 0x4e, 0x96, 0xa7, 0x74, 0xe9, 0xaa, 0x10, 0x3d, -+ 0xd5, 0x8c, 0xaa, 0x12, 0x56, 0xb6, 0xf1, 0x85, -+ 0x21, 0xfa, 0xe9, 0xa1, 0x76, 0xe6, 0xa5, 0x33, -+ 0x33, 0x2f, 0x47, 0x29, 0xd6, 0xbd, 0xde, 0x64, -+ 0x4d, 0x15, 0x3e, 0x6a, 0x11, 0x9b, 0x52, 0xbf, -+ 0x7e, 0x3a, 0xeb, 0x1c, 0x55, 0xd1, 0xb2, 0xa4, -+ 0x35, 0x03, 0x6c, 0x39, 0x61, 0x28, 0x98, 0xc3, -+ 0x2d, 0xd4, 0x70, 0x69, 0x8b, 0x83, 0xe9, 0x62, -+ 0xbe, 0xd8, 0x72, 0x4e, 0xdf, 0xd4, 0xe9, 0xe3, -+ 0x46, 0x2a, 0xf9, 0x3c, 0x0f, 0x41, 0x62, 0xe1, -+ 0x43, 0xf0, 0x91, 0xbe, 0x72, 0xa0, 0xc9, 0x08, -+ 0x73, 0x20, 0x1f, 0x0d, 0x68, 0x2e, 0x32, 0xa1, -+ 0xb8, 0x9b, 0x08, 0xa1, 0xb4, 0x81, 0x6b, 0xf1, -+ 0xde, 0x0c, 0x28, 0x34, 0xe2, 0x65, 0x62, 0x54, -+ 0xeb, 0xc0, 0x71, 0x14, 0xad, 0x36, 0x43, 0x0e, -+ 0x92, 0x4d, 0x11, 0xe8, 0xdd, 0x2d, 0x5f, 0x05, -+ 0xff, 0x07, 0xda, 0x81, 0x4e, 0x27, 0x42, 0xa8, -+ 0xa9, 0x64, 0x4c, 0x74, 0xc8, 0x05, 0xbb, 0x83, -+ 0x5a, 0xd9, 0x90, 0x3e, 0x0d, 0x9d, 0xe5, 0x2f, -+ 0x08, 0xf9, 0x1b, 0xbd, 0x26, 0xc3, 0x0d, 0xac, -+ 0x43, 0xd5, 0x17, 0xf2, 0x61, 0xf5, 0x74, 0x9b, -+ 0xf3, 0x5b, 0x5f, 0xe1, 0x8a, 0xa6, 0xfd, 0xdf, -+ 0xff, 0xb5, 0x8b, 0xf1, 0x26, 0xf7, 0xe0, 0xa7, -+ 0x4f, 0x5b, 0xb8, 0x6d, 0xeb, 0xf6, 0x52, 0x68, -+ 0x8d, 0xa3, 0xd4, 0x7f, 0x56, 0x43, 0xaa, 0xec, -+ 0x58, 0x47, 0x03, 0xee, 0x9b, 0x59, 0xd9, 0x78, -+ 0x9a, 0xfb, 0x9e, 0xe9, 0xa6, 0x61, 0x4e, 0x6d, -+ 0x92, 0x35, 0xd3, 0x37, 0x6e, 0xf2, 0x34, 0x39, -+ 0xd4, 0xd2, 0xeb, 0xcf, 0x1c, 0x10, 0xb3, 0x2b, -+ 0x3e, 
0x07, 0x42, 0x3e, 0x20, 0x90, 0x07, 0x3e, -+ 0xc7, 0xed, 0xd4, 0xdf, 0x50, 0xe5, 0xff, 0xaf, -+ 0x05, 0xce, 0x29, 0xbe, 0x01, 0xf8, 0xb0, 0x30, -+ 0x96, 0xae, 0x1b, 0x62, 0x23, 0x93, 0x91, 0x1a, -+ 0x52, 0x98, 0xd9, 0x59, 0xb8, 0x11, 0xec, 0xb8, -+ 0xcf, 0x20, 0x32, 0x90, 0x9e, 0xf2, 0x06, 0x43, -+ 0xb8, 0x36, 0xe3, 0x33, 0x4e, 0x6f, 0x75, 0xeb, -+ 0xf7, 0x6c, 0xac, 0x06, 0x5f, 0x24, 0x8e, 0x4a, -+ 0x03, 0xdf, 0x50, 0x31, 0xaa, 0x91, 0xd5, 0x85, -+ 0x95, 0x78, 0x5b, 0xf4, 0x7f, 0x3e, 0xbc, 0x41, -+ 0xfa, 0x10, 0xd3, 0x0f, 0x86, 0x8b, 0x23, 0xed, -+ 0xfc, 0xcc, 0x3e, 0x7d, 0x8c, 0xb4, 0x7c, 0xec, -+ 0x04, 0x7d, 0x12, 0x53, 0xa1, 0x30, 0xc5, 0xac, -+ 0xf3, 0x1e, 0x54, 0x1f, 0x97, 0x05, 0x86, 0x74, -+ 0x51, 0x13, 0x45, 0x98, 0xb8, 0x50, 0x62, 0x18, -+ 0x0f, 0x6d, 0x66, 0xa4, 0x88, 0x31, 0x76, 0xa3, -+ 0xb0, 0x75, 0x55, 0x44, 0x18, 0x7c, 0x67, 0xc7, -+ 0x09, 0x9c, 0xab, 0x53, 0x49, 0xc0, 0xc9, 0x27, -+ 0x53, 0xa6, 0x99, 0x01, 0x10, 0x49, 0x67, 0x8e, -+ 0x5b, 0x12, 0x96, 0x40, 0x16, 0x39, 0x11, 0x53, -+ 0x44, 0x8f, 0xa9, 0xbe, 0x84, 0xbe, 0xe0, 0x45, -+ 0xe3, 0xfd, 0x48, 0x46, 0x43, 0x53, 0x13, 0x5f, -+ 0xfa, 0xcf, 0x09, 0x67, 0x90, 0xa3, 0x94, 0xaa, -+ 0x0d, 0x1f, 0xc2, 0xc3, 0xd4, 0x7e, 0xc8, 0x14, -+ 0xbe, 0x84, 0xa5, 0x55, 0xee, 0x49, 0x8e, 0x03, -+ 0x1d, 0xaf, 0xad, 0x65, 0x2f, 0xf0, 0xd5, 0x90, -+ 0x5e, 0x8d, 0x29, 0x40, 0xba, 0x57, 0x26, 0xa8, -+ 0x6c, 0x4b, 0x59, 0x40, 0x4e, 0xc2, 0xc4, 0x88, -+ 0x0a, 0x06, 0x2b, 0x6c, 0x2a, 0xc7, 0x3f, 0xfe, -+ 0x37, 0x2c, 0x41, 0x58, 0xfe, 0x7e, 0xaf, 0xd1, -+ 0xd9, 0xd2, 0x9c, 0xd7, 0x8a, 0x01, 0x0e, 0x8c, -+ 0x9e, 0x8b, 0x5d, 0x72, 0x54, 0x00, 0xbe, 0xb2, -+ 0x9a, 0xc7, 0xfd, 0x83, 0x1e, 0x9c, 0x79, 0xdd, -+ 0x15, 0x13, 0xdc, 0x15, -+}; -+ -+static void torture_decode_rc4_passwd_buffer(void **state) -+{ -+ char *password_decoded = NULL; -+ size_t password_decoded_len = 0; -+ DATA_BLOB session_key = data_blob_const("SystemLibraryDTC", 16); -+ struct samr_CryptPasswordEx out_pwd_buf = { -+ .data = {0}, -+ }; -+ NTSTATUS 
status; -+ bool ok; -+ -+ memcpy(out_pwd_buf.data, -+ encrypted_test_blob, -+ sizeof(out_pwd_buf.data)); -+ -+ status = encode_or_decode_arc4_passwd_buffer(out_pwd_buf.data, -+ &session_key); -+ assert_true(NT_STATUS_IS_OK(status)); -+ -+ ok = decode_pw_buffer(NULL, -+ out_pwd_buf.data, -+ &password_decoded, -+ &password_decoded_len, -+ CH_UTF16); -+ assert_true(ok); -+ assert_int_equal(password_decoded_len, strlen(PASSWORD)); -+ assert_string_equal(password_decoded, PASSWORD); -+} -+ -+static void torture_rc4_passwd_buffer(void **state) -+{ -+ char *password_decoded = NULL; -+ size_t password_decoded_len = 0; -+ DATA_BLOB session_key = data_blob_const("SystemLibraryDTC", 16); -+ struct samr_CryptPasswordEx out_pwd_buf = { -+ .data = {0}, -+ }; -+ NTSTATUS status; -+ bool ok; -+ -+ status = init_samr_CryptPasswordEx(PASSWORD, -+ &session_key, -+ &out_pwd_buf); -+ assert_true(NT_STATUS_IS_OK(status)); -+ -+ status = encode_or_decode_arc4_passwd_buffer(out_pwd_buf.data, -+ &session_key); -+ assert_true(NT_STATUS_IS_OK(status)); -+ -+ ok = decode_pw_buffer(NULL, -+ out_pwd_buf.data, -+ &password_decoded, -+ &password_decoded_len, -+ CH_UTF16); -+ assert_true(ok); -+ assert_int_equal(password_decoded_len, strlen(PASSWORD)); -+ assert_string_equal(password_decoded, PASSWORD); -+} -+ -+int main(int argc, char *argv[]) -+{ -+ int rc; -+ const struct CMUnitTest tests[] = { -+ cmocka_unit_test(torture_decode_rc4_passwd_buffer), -+ cmocka_unit_test(torture_rc4_passwd_buffer), -+ }; -+ -+ if (argc == 2) { -+ cmocka_set_test_filter(argv[1]); -+ } -+ cmocka_set_message_output(CM_OUTPUT_SUBUNIT); -+ -+ rc = cmocka_run_group_tests(tests, NULL, NULL); -+ -+ return rc; -+} -diff --git a/libcli/auth/wscript_build b/libcli/auth/wscript_build -index 04e2b09eadf..eabf3814ba1 100644 ---- a/libcli/auth/wscript_build -+++ b/libcli/auth/wscript_build -@@ -62,3 +62,12 @@ bld.SAMBA_BINARY('test_schannel', - cmocka - ''', - install=False) -+ -+bld.SAMBA_BINARY('test_rc4_passwd_buffer', -+ 
source='tests/test_rc4_passwd_buffer.c', -+ deps=''' -+ INIT_SAMR -+ LIBCLI_AUTH -+ cmocka -+ ''', -+ install=False) -diff --git a/selftest/tests.py b/selftest/tests.py -index bbb5709ee47..c91d9b445fe 100644 ---- a/selftest/tests.py -+++ b/selftest/tests.py -@@ -392,6 +392,8 @@ plantestsuite("samba.unittests.ntlm_check", "none", - [os.path.join(bindir(), "default/libcli/auth/test_ntlm_check")]) - plantestsuite("samba.unittests.schannel", "none", - [os.path.join(bindir(), "default/libcli/auth/test_schannel")]) -+plantestsuite("samba.unittests.rc4_passwd_buffer", "none", -+ [os.path.join(bindir(), "default/libcli/auth/test_rc4_passwd_buffer")]) - plantestsuite("samba.unittests.test_registry_regfio", "none", - [os.path.join(bindir(), "default/source3/test_registry_regfio")]) - plantestsuite("samba.unittests.test_oLschema2ldif", "none", --- -2.23.0 - diff --git a/SOURCES/0012-s3-rpc_client-Use-samba_gnutls_arcfour_confounded_md.patch b/SOURCES/0012-s3-rpc_client-Use-samba_gnutls_arcfour_confounded_md.patch deleted file mode 100644 index c83542b..0000000 --- a/SOURCES/0012-s3-rpc_client-Use-samba_gnutls_arcfour_confounded_md.patch +++ /dev/null 
@@ -1,94 +0,0 @@ -From 6546e97d27e45db9cbfd2f7d8c4838b2fd8d6a6a Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Thu, 4 Jul 2019 16:22:48 +0200 -Subject: [PATCH 012/187] s3:rpc_client: Use - samba_gnutls_arcfour_confounded_md5 in init_samr_CryptPasswordEx - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14031 - -Signed-off-by: Andreas Schneider -Reviewed-by: Andrew Bartlett -(cherry picked from commit 2075019ca90d7d474003c87b2f0202239891eba5) ---- - source3/rpc_client/init_samr.c | 50 ++++++++++------------------------ - 1 file changed, 15 insertions(+), 35 deletions(-) - -diff --git a/source3/rpc_client/init_samr.c b/source3/rpc_client/init_samr.c -index 5f6cbc5d3c7..3968dfea99f 100644 ---- a/source3/rpc_client/init_samr.c -+++ b/source3/rpc_client/init_samr.c -@@ -36,56 +36,36 @@ NTSTATUS init_samr_CryptPasswordEx(const char *pwd, - { - /* samr_CryptPasswordEx */ - -- uint8_t pwbuf[532]; -- gnutls_hash_hd_t hash_hnd = NULL; -- uint8_t confounder[16]; -- DATA_BLOB confounded_session_key = data_blob(NULL, 16); -- NTSTATUS status; -+ uint8_t _confounder[16] = {0}; -+ DATA_BLOB confounder = data_blob_const(_confounder, 16); -+ uint8_t pwbuf[532] = {0}; -+ DATA_BLOB encrypt_pwbuf = data_blob_const(pwbuf, 516); - bool ok; - int rc; - - ok = encode_pw_buffer(pwbuf, pwd, STR_UNICODE); - if (!ok) { -- status = NT_STATUS_INTERNAL_ERROR; -- goto out; -+ return NT_STATUS_INTERNAL_ERROR; - } - -- generate_random_buffer((uint8_t *)confounder, 16); -+ generate_random_buffer(_confounder, sizeof(_confounder)); - -- rc = gnutls_hash_init(&hash_hnd, GNUTLS_DIG_MD5); -+ rc = samba_gnutls_arcfour_confounded_md5(&confounder, -+ session_key, -+ &encrypt_pwbuf, -+ SAMBA_GNUTLS_ENCRYPT); - if (rc < 0) { -- status = gnutls_error_to_ntstatus(rc, NT_STATUS_HASH_NOT_SUPPORTED); -- goto out; -+ ZERO_ARRAY(_confounder); -+ return gnutls_error_to_ntstatus(rc, NT_STATUS_ACCESS_DISABLED_BY_POLICY_OTHER); - } - -- rc = gnutls_hash(hash_hnd, confounder, 16); -- if (rc < 0) { -- 
gnutls_hash_deinit(hash_hnd, NULL); -- status = gnutls_error_to_ntstatus(rc, NT_STATUS_HASH_NOT_SUPPORTED); -- goto out; -- } -- rc = gnutls_hash(hash_hnd, session_key->data, session_key->length); -- if (rc < 0) { -- gnutls_hash_deinit(hash_hnd, NULL); -- status = gnutls_error_to_ntstatus(rc, NT_STATUS_HASH_NOT_SUPPORTED); -- goto out; -- } -- -- gnutls_hash_deinit(hash_hnd, confounded_session_key.data); -- -- arcfour_crypt_blob(pwbuf, 516, &confounded_session_key); -- data_blob_clear_free(&confounded_session_key); -- -- memcpy(&pwbuf[516], confounder, 16); -- ZERO_ARRAY(confounder); -+ memcpy(&pwbuf[516], confounder.data, confounder.length); -+ ZERO_ARRAY(_confounder); - - memcpy(pwd_buf->data, pwbuf, sizeof(pwbuf)); - ZERO_ARRAY(pwbuf); - -- status = NT_STATUS_OK; --out: -- data_blob_clear_free(&confounded_session_key); -- return status; -+ return NT_STATUS_OK; - } - - /************************************************************************* --- -2.23.0 - diff --git a/SOURCES/0013-s3-rpc_client-Use-GnuTLS-RC4-in-init_samr_CryptPassw.patch b/SOURCES/0013-s3-rpc_client-Use-GnuTLS-RC4-in-init_samr_CryptPassw.patch deleted file mode 100644 index 7eac25c..0000000 --- a/SOURCES/0013-s3-rpc_client-Use-GnuTLS-RC4-in-init_samr_CryptPassw.patch +++ /dev/null 
@@ -1,65 +0,0 @@ -From 9913d8e981dd39fd1f7e260644f35aa6718c9bd2 Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Wed, 16 Jan 2019 13:15:08 +0100 -Subject: [PATCH 013/187] s3:rpc_client: Use GnuTLS RC4 in - init_samr_CryptPassword() - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14031 - -Signed-off-by: Andreas Schneider -Reviewed-by: Andrew Bartlett -(cherry picked from commit 95db9a81db093488e625b4ef385a184a5e517ede) ---- - source3/rpc_client/init_samr.c | 23 +++++++++++++++++++++-- - 1 file changed, 21 insertions(+), 2 deletions(-) - -diff --git a/source3/rpc_client/init_samr.c b/source3/rpc_client/init_samr.c -index 3968dfea99f..0eb50c54525 100644 ---- a/source3/rpc_client/init_samr.c -+++ b/source3/rpc_client/init_samr.c -@@ -19,7 +19,6 @@ - - #include "includes.h" - #include "../libcli/auth/libcli_auth.h" --#include "../lib/crypto/arcfour.h" - #include "rpc_client/init_samr.h" - - #include "lib/crypto/gnutls_helpers.h" -@@ -77,13 +76,33 @@ NTSTATUS init_samr_CryptPassword(const char *pwd, - struct samr_CryptPassword *pwd_buf) - { - /* samr_CryptPassword */ -+ gnutls_cipher_hd_t cipher_hnd = NULL; -+ gnutls_datum_t sess_key = { -+ .data = session_key->data, -+ .size = session_key->length, -+ }; - bool ok; -+ int rc; - - ok = encode_pw_buffer(pwd_buf->data, pwd, STR_UNICODE); - if (!ok) { - return NT_STATUS_INTERNAL_ERROR; - } -- arcfour_crypt_blob(pwd_buf->data, 516, session_key); -+ -+ rc = gnutls_cipher_init(&cipher_hnd, -+ GNUTLS_CIPHER_ARCFOUR_128, -+ &sess_key, -+ NULL); -+ if (rc != 0) { -+ return gnutls_error_to_ntstatus(rc, NT_STATUS_ACCESS_DISABLED_BY_POLICY_OTHER); -+ } -+ rc = gnutls_cipher_encrypt(cipher_hnd, -+ pwd_buf->data, -+ 516); -+ gnutls_cipher_deinit(cipher_hnd); -+ if (rc != 0) { -+ return gnutls_error_to_ntstatus(rc, NT_STATUS_ACCESS_DISABLED_BY_POLICY_OTHER); -+ } - - return NT_STATUS_OK; - } --- -2.23.0 - 
diff --git a/SOURCES/0014-libcli-auth-Use-samba_gnutls_arcfour_confounded_md5-.patch b/SOURCES/0014-libcli-auth-Use-samba_gnutls_arcfour_confounded_md5-.patch
deleted file mode 100644
index f5580d9..0000000
--- a/SOURCES/0014-libcli-auth-Use-samba_gnutls_arcfour_confounded_md5-.patch
+++ /dev/null
@@ -1,73 +0,0 @@ -From 15ca4ae322f88f797c571ad7801a9e44a6262d73 Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Fri, 5 Jul 2019 10:09:32 +0200 -Subject: [PATCH 014/187] libcli:auth: Use - samba_gnutls_arcfour_confounded_md5() for rc4 passwd buffer - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14031 - -Signed-off-by: Andreas Schneider -Reviewed-by: Andrew Bartlett -(cherry picked from commit dea160820a393be51985a4e761a3f73da83972e7) ---- - libcli/auth/smbencrypt.c | 39 +++++++++------------------------------ - 1 file changed, 9 insertions(+), 30 deletions(-) - -diff --git a/libcli/auth/smbencrypt.c b/libcli/auth/smbencrypt.c -index ae97f3cc93e..17c1e1f69ff 100644 ---- a/libcli/auth/smbencrypt.c -+++ b/libcli/auth/smbencrypt.c -@@ -846,41 +846,20 @@ bool decode_pw_buffer(TALLOC_CTX *ctx, - NTSTATUS encode_or_decode_arc4_passwd_buffer(unsigned char pw_buf[532], - const DATA_BLOB *psession_key) - { -- gnutls_hash_hd_t hash_hnd = NULL; -- unsigned char key_out[16]; -- NTSTATUS status; -- int rc; -- - /* Confounder is last 16 bytes. 
*/ -+ DATA_BLOB confounder = data_blob_const(&pw_buf[516], 16); -+ DATA_BLOB pw_data = data_blob_const(pw_buf, 516); -+ int rc; - -- rc = gnutls_hash_init(&hash_hnd, GNUTLS_DIG_MD5); -+ rc = samba_gnutls_arcfour_confounded_md5(&confounder, -+ psession_key, -+ &pw_data, -+ SAMBA_GNUTLS_DECRYPT); - if (rc < 0) { -- status = gnutls_error_to_ntstatus(rc, NT_STATUS_HASH_NOT_SUPPORTED); -- goto out; -+ return gnutls_error_to_ntstatus(rc, NT_STATUS_ACCESS_DISABLED_BY_POLICY_OTHER); - } - -- rc = gnutls_hash(hash_hnd, &pw_buf[516], 16); -- if (rc < 0) { -- gnutls_hash_deinit(hash_hnd, NULL); -- status = gnutls_error_to_ntstatus(rc, NT_STATUS_HASH_NOT_SUPPORTED); -- goto out; -- } -- rc = gnutls_hash(hash_hnd, psession_key->data, psession_key->length); -- if (rc < 0) { -- gnutls_hash_deinit(hash_hnd, NULL); -- status = gnutls_error_to_ntstatus(rc, NT_STATUS_HASH_NOT_SUPPORTED); -- goto out; -- } -- gnutls_hash_deinit(hash_hnd, key_out); -- -- /* arc4 with key_out. */ -- arcfour_crypt(pw_buf, key_out, 516); -- -- ZERO_ARRAY(key_out); -- -- status = NT_STATUS_OK; --out: -- return status; -+ return NT_STATUS_OK; - } - - /*********************************************************** --- -2.23.0 - diff --git a/SOURCES/0015-libcli-auth-Rename-encode_or_decode_arc4_passwd_buff.patch b/SOURCES/0015-libcli-auth-Rename-encode_or_decode_arc4_passwd_buff.patch deleted file mode 100644 index 5da71fc..0000000 --- a/SOURCES/0015-libcli-auth-Rename-encode_or_decode_arc4_passwd_buff.patch +++ /dev/null 
@@ -1,97 +0,0 @@ -From 228c16e06b82a3d7a33c2d4440aa258518c8c29f Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Fri, 5 Jul 2019 10:12:43 +0200 -Subject: [PATCH 015/187] libcli:auth: Rename - encode_or_decode_arc4_passwd_buffer() - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14031 - -Signed-off-by: Andreas Schneider -Reviewed-by: Andrew Bartlett -(cherry picked from commit 89f8b028e2d595348f9996854488d7aa552ae905) ---- - libcli/auth/proto.h | 4 ++-- - libcli/auth/smbencrypt.c | 4 ++-- - libcli/auth/tests/test_rc4_passwd_buffer.c | 6 ++---- - source3/rpc_server/samr/srv_samr_nt.c | 4 ++-- - 4 files changed, 8 insertions(+), 10 deletions(-) - -diff --git a/libcli/auth/proto.h b/libcli/auth/proto.h -index 651f1139cf5..1bcbeddb228 100644 ---- a/libcli/auth/proto.h -+++ b/libcli/auth/proto.h -@@ -184,8 +184,8 @@ bool decode_pw_buffer(TALLOC_CTX *ctx, - /*********************************************************** - Decode an arc4 encrypted password change buffer. - ************************************************************/ --NTSTATUS encode_or_decode_arc4_passwd_buffer(unsigned char pw_buf[532], -- const DATA_BLOB *psession_key); -+NTSTATUS decode_rc4_passwd_buffer(unsigned char pw_buf[532], -+ const DATA_BLOB *psession_key); - - /*********************************************************** - encode a password buffer with an already unicode password. The -diff --git a/libcli/auth/smbencrypt.c b/libcli/auth/smbencrypt.c -index 17c1e1f69ff..7e343f71577 100644 ---- a/libcli/auth/smbencrypt.c -+++ b/libcli/auth/smbencrypt.c -@@ -843,8 +843,8 @@ bool decode_pw_buffer(TALLOC_CTX *ctx, - Decode an arc4 encrypted password change buffer. - ************************************************************/ - --NTSTATUS encode_or_decode_arc4_passwd_buffer(unsigned char pw_buf[532], -- const DATA_BLOB *psession_key) -+NTSTATUS decode_rc4_passwd_buffer(unsigned char pw_buf[532], -+ const DATA_BLOB *psession_key) - { - /* Confounder is last 16 bytes. 
*/ - DATA_BLOB confounder = data_blob_const(&pw_buf[516], 16); -diff --git a/libcli/auth/tests/test_rc4_passwd_buffer.c b/libcli/auth/tests/test_rc4_passwd_buffer.c -index f40ac3a5655..eb737703230 100644 ---- a/libcli/auth/tests/test_rc4_passwd_buffer.c -+++ b/libcli/auth/tests/test_rc4_passwd_buffer.c -@@ -114,8 +114,7 @@ static void torture_decode_rc4_passwd_buffer(void **state) - encrypted_test_blob, - sizeof(out_pwd_buf.data)); - -- status = encode_or_decode_arc4_passwd_buffer(out_pwd_buf.data, -- &session_key); -+ status = decode_rc4_passwd_buffer(out_pwd_buf.data, &session_key); - assert_true(NT_STATUS_IS_OK(status)); - - ok = decode_pw_buffer(NULL, -@@ -144,8 +143,7 @@ static void torture_rc4_passwd_buffer(void **state) - &out_pwd_buf); - assert_true(NT_STATUS_IS_OK(status)); - -- status = encode_or_decode_arc4_passwd_buffer(out_pwd_buf.data, -- &session_key); -+ status = decode_rc4_passwd_buffer(out_pwd_buf.data, &session_key); - assert_true(NT_STATUS_IS_OK(status)); - - ok = decode_pw_buffer(NULL, -diff --git a/source3/rpc_server/samr/srv_samr_nt.c b/source3/rpc_server/samr/srv_samr_nt.c -index c2be8bfc19a..4dc9132511f 100644 ---- a/source3/rpc_server/samr/srv_samr_nt.c -+++ b/source3/rpc_server/samr/srv_samr_nt.c -@@ -5185,7 +5185,7 @@ NTSTATUS _samr_SetUserInfo(struct pipes_struct *p, - if(!NT_STATUS_IS_OK(status)) { - break; - } -- status = encode_or_decode_arc4_passwd_buffer( -+ status = decode_rc4_passwd_buffer( - info->info25.password.data, - &session_key); - if (!NT_STATUS_IS_OK(status)) { -@@ -5204,7 +5204,7 @@ NTSTATUS _samr_SetUserInfo(struct pipes_struct *p, - if(!NT_STATUS_IS_OK(status)) { - break; - } -- status = encode_or_decode_arc4_passwd_buffer( -+ status = decode_rc4_passwd_buffer( - info->info26.password.data, - &session_key); - if (!NT_STATUS_IS_OK(status)) { --- -2.23.0 - 
diff --git a/SOURCES/0016-libcli-auth-Pass-samr_CryptPasswordEx-to-decode_rc4_.patch b/SOURCES/0016-libcli-auth-Pass-samr_CryptPasswordEx-to-decode_rc4_.patch
deleted file mode 100644
index a2adbc3..0000000
--- a/SOURCES/0016-libcli-auth-Pass-samr_CryptPasswordEx-to-decode_rc4_.patch
+++ /dev/null
@@ -1,115 +0,0 @@ -From 3eb3f3bdabd103c3858323e08a9180913c223e16 Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Tue, 9 Jul 2019 12:53:31 +0200 -Subject: [PATCH 016/187] libcli:auth: Pass samr_CryptPasswordEx to - decode_rc4_passwd_buffer() - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14031 - -Signed-off-by: Andreas Schneider -Reviewed-by: Andrew Bartlett -(cherry picked from commit 79ca72ec3d13fea5d2ad608415757ca9870035a3) ---- - libcli/auth/proto.h | 4 ++-- - libcli/auth/smbencrypt.c | 8 ++++---- - libcli/auth/tests/test_rc4_passwd_buffer.c | 5 +++-- - source3/rpc_server/samr/srv_samr_nt.c | 10 ++++------ - 4 files changed, 13 insertions(+), 14 deletions(-) - -diff --git a/libcli/auth/proto.h b/libcli/auth/proto.h -index 1bcbeddb228..a67c89d8552 100644 ---- a/libcli/auth/proto.h -+++ b/libcli/auth/proto.h -@@ -184,8 +184,8 @@ bool decode_pw_buffer(TALLOC_CTX *ctx, - /*********************************************************** - Decode an arc4 encrypted password change buffer. - ************************************************************/ --NTSTATUS decode_rc4_passwd_buffer(unsigned char pw_buf[532], -- const DATA_BLOB *psession_key); -+NTSTATUS decode_rc4_passwd_buffer(const DATA_BLOB *psession_key, -+ struct samr_CryptPasswordEx *inout_crypt_pwd); - - /*********************************************************** - encode a password buffer with an already unicode password. The -diff --git a/libcli/auth/smbencrypt.c b/libcli/auth/smbencrypt.c -index 7e343f71577..b7b17130f07 100644 ---- a/libcli/auth/smbencrypt.c -+++ b/libcli/auth/smbencrypt.c -@@ -843,12 +843,12 @@ bool decode_pw_buffer(TALLOC_CTX *ctx, - Decode an arc4 encrypted password change buffer. 
- ************************************************************/ - --NTSTATUS decode_rc4_passwd_buffer(unsigned char pw_buf[532], -- const DATA_BLOB *psession_key) -+NTSTATUS decode_rc4_passwd_buffer(const DATA_BLOB *psession_key, -+ struct samr_CryptPasswordEx *inout_crypt_pwd) - { - /* Confounder is last 16 bytes. */ -- DATA_BLOB confounder = data_blob_const(&pw_buf[516], 16); -- DATA_BLOB pw_data = data_blob_const(pw_buf, 516); -+ DATA_BLOB confounder = data_blob_const(&inout_crypt_pwd->data[516], 16); -+ DATA_BLOB pw_data = data_blob_const(&inout_crypt_pwd->data, 516); - int rc; - - rc = samba_gnutls_arcfour_confounded_md5(&confounder, -diff --git a/libcli/auth/tests/test_rc4_passwd_buffer.c b/libcli/auth/tests/test_rc4_passwd_buffer.c -index eb737703230..3bf371c5dd5 100644 ---- a/libcli/auth/tests/test_rc4_passwd_buffer.c -+++ b/libcli/auth/tests/test_rc4_passwd_buffer.c -@@ -114,7 +114,7 @@ static void torture_decode_rc4_passwd_buffer(void **state) - encrypted_test_blob, - sizeof(out_pwd_buf.data)); - -- status = decode_rc4_passwd_buffer(out_pwd_buf.data, &session_key); -+ status = decode_rc4_passwd_buffer(&session_key, &out_pwd_buf); - assert_true(NT_STATUS_IS_OK(status)); - - ok = decode_pw_buffer(NULL, -@@ -143,7 +143,7 @@ static void torture_rc4_passwd_buffer(void **state) - &out_pwd_buf); - assert_true(NT_STATUS_IS_OK(status)); - -- status = decode_rc4_passwd_buffer(out_pwd_buf.data, &session_key); -+ status = decode_rc4_passwd_buffer(&session_key, &out_pwd_buf); - assert_true(NT_STATUS_IS_OK(status)); - - ok = decode_pw_buffer(NULL, -@@ -154,6 +154,7 @@ static void torture_rc4_passwd_buffer(void **state) - assert_true(ok); - assert_int_equal(password_decoded_len, strlen(PASSWORD)); - assert_string_equal(password_decoded, PASSWORD); -+ talloc_free(password_decoded); - } - - int main(int argc, char *argv[]) -diff --git a/source3/rpc_server/samr/srv_samr_nt.c b/source3/rpc_server/samr/srv_samr_nt.c -index 4dc9132511f..fd5c453e0eb 100644 ---- 
a/source3/rpc_server/samr/srv_samr_nt.c -+++ b/source3/rpc_server/samr/srv_samr_nt.c -@@ -5185,9 +5185,8 @@ NTSTATUS _samr_SetUserInfo(struct pipes_struct *p, - if(!NT_STATUS_IS_OK(status)) { - break; - } -- status = decode_rc4_passwd_buffer( -- info->info25.password.data, -- &session_key); -+ status = decode_rc4_passwd_buffer(&session_key, -+ &info->info25.password); - if (!NT_STATUS_IS_OK(status)) { - break; - } -@@ -5204,9 +5203,8 @@ NTSTATUS _samr_SetUserInfo(struct pipes_struct *p, - if(!NT_STATUS_IS_OK(status)) { - break; - } -- status = decode_rc4_passwd_buffer( -- info->info26.password.data, -- &session_key); -+ status = decode_rc4_passwd_buffer(&session_key, -+ &info->info26.password); - if (!NT_STATUS_IS_OK(status)) { - break; - } --- -2.23.0 - diff --git a/SOURCES/0017-libcli-auth-Add-encode_rc4_passwd_buffer.patch b/SOURCES/0017-libcli-auth-Add-encode_rc4_passwd_buffer.patch deleted file mode 100644 index 61eb21d..0000000 --- a/SOURCES/0017-libcli-auth-Add-encode_rc4_passwd_buffer.patch +++ /dev/null 
@@ -1,89 +0,0 @@ -From 13dfa7d5a1c96d78eca81eb0eb97bc0668561738 Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Tue, 9 Jul 2019 13:01:10 +0200 -Subject: [PATCH 017/187] libcli:auth: Add encode_rc4_passwd_buffer() - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14031 - -Signed-off-by: Andreas Schneider -Reviewed-by: Andrew Bartlett -(cherry picked from commit 06d46c447e69a6b384c0089863c343b4924c7caf) ---- - libcli/auth/proto.h | 7 +++++++ - libcli/auth/smbencrypt.c | 42 ++++++++++++++++++++++++++++++++++++++++ - 2 files changed, 49 insertions(+) - -diff --git a/libcli/auth/proto.h b/libcli/auth/proto.h -index a67c89d8552..67caaca8c41 100644 ---- a/libcli/auth/proto.h -+++ b/libcli/auth/proto.h -@@ -181,6 +181,13 @@ bool decode_pw_buffer(TALLOC_CTX *ctx, - size_t *new_pw_len, - charset_t string_charset); - -+/*********************************************************** -+ Encode an arc4 password change buffer. -+************************************************************/ -+NTSTATUS encode_rc4_passwd_buffer(const char *passwd, -+ const DATA_BLOB *session_key, -+ struct samr_CryptPasswordEx *out_crypt_pwd); -+ - /*********************************************************** - Decode an arc4 encrypted password change buffer. - ************************************************************/ -diff --git a/libcli/auth/smbencrypt.c b/libcli/auth/smbencrypt.c -index b7b17130f07..793012553b2 100644 ---- a/libcli/auth/smbencrypt.c -+++ b/libcli/auth/smbencrypt.c -@@ -839,6 +839,48 @@ bool decode_pw_buffer(TALLOC_CTX *ctx, - return true; - } - -+/*********************************************************** -+ Encode an arc4 password change buffer. 
-+************************************************************/ -+NTSTATUS encode_rc4_passwd_buffer(const char *passwd, -+ const DATA_BLOB *session_key, -+ struct samr_CryptPasswordEx *out_crypt_pwd) -+{ -+ uint8_t _confounder[16] = {0}; -+ DATA_BLOB confounder = data_blob_const(_confounder, 16); -+ DATA_BLOB pw_data = data_blob_const(out_crypt_pwd->data, 516); -+ bool ok; -+ int rc; -+ -+ ok = encode_pw_buffer(pw_data.data, passwd, STR_UNICODE); -+ if (!ok) { -+ return NT_STATUS_INVALID_PARAMETER; -+ } -+ -+ generate_random_buffer(confounder.data, confounder.length); -+ -+ rc = samba_gnutls_arcfour_confounded_md5(&confounder, -+ session_key, -+ &pw_data, -+ SAMBA_GNUTLS_ENCRYPT); -+ if (rc < 0) { -+ ZERO_ARRAY(_confounder); -+ data_blob_clear(&pw_data); -+ return gnutls_error_to_ntstatus(rc, NT_STATUS_ACCESS_DISABLED_BY_POLICY_OTHER); -+ } -+ -+ /* -+ * The packet format is the 516 byte RC4 encrypted -+ * pasword followed by the 16 byte counfounder -+ * The confounder is a salt to prevent pre-computed hash attacks on the -+ * database. -+ */ -+ memcpy(&out_crypt_pwd->data[516], confounder.data, confounder.length); -+ ZERO_ARRAY(_confounder); -+ -+ return NT_STATUS_OK; -+} -+ - /*********************************************************** - Decode an arc4 encrypted password change buffer. - ************************************************************/ --- -2.23.0 - diff --git a/SOURCES/0018-libcli-auth-Add-test-for-encode_rc4_passwd_buffer.patch b/SOURCES/0018-libcli-auth-Add-test-for-encode_rc4_passwd_buffer.patch deleted file mode 100644 index 7ed5a49..0000000 --- a/SOURCES/0018-libcli-auth-Add-test-for-encode_rc4_passwd_buffer.patch +++ /dev/null 
@@ -1,65 +0,0 @@ -From fe1f6278c7a5c54d948f6ca031686745ad653a94 Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Tue, 9 Jul 2019 13:06:49 +0200 -Subject: [PATCH 018/187] libcli:auth: Add test for encode_rc4_passwd_buffer() - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14031 - -Signed-off-by: Andreas Schneider -Reviewed-by: Andrew Bartlett -(cherry picked from commit fe00b3735a7e8ae16fb6443965769f1e947a6aa6) ---- - libcli/auth/tests/test_rc4_passwd_buffer.c | 31 ++++++++++++++++++++++ - 1 file changed, 31 insertions(+) - -diff --git a/libcli/auth/tests/test_rc4_passwd_buffer.c b/libcli/auth/tests/test_rc4_passwd_buffer.c -index 3bf371c5dd5..db6ca3f3f4c 100644 ---- a/libcli/auth/tests/test_rc4_passwd_buffer.c -+++ b/libcli/auth/tests/test_rc4_passwd_buffer.c -@@ -157,12 +157,43 @@ static void torture_rc4_passwd_buffer(void **state) - talloc_free(password_decoded); - } - -+static void torture_endode_decode_rc4_passwd_buffer(void **state) -+{ -+ char *password_decoded = NULL; -+ size_t password_decoded_len = 0; -+ DATA_BLOB session_key = data_blob_const("SystemLibraryDTC", 16); -+ struct samr_CryptPasswordEx out_pwd_buf = { -+ .data = {0}, -+ }; -+ NTSTATUS status; -+ bool ok; -+ -+ status = encode_rc4_passwd_buffer(PASSWORD, -+ &session_key, -+ &out_pwd_buf); -+ assert_true(NT_STATUS_IS_OK(status)); -+ -+ status = decode_rc4_passwd_buffer(&session_key, &out_pwd_buf); -+ assert_true(NT_STATUS_IS_OK(status)); -+ -+ ok = decode_pw_buffer(NULL, -+ out_pwd_buf.data, -+ &password_decoded, -+ &password_decoded_len, -+ CH_UTF16); -+ assert_true(ok); -+ assert_int_equal(password_decoded_len, strlen(PASSWORD)); -+ assert_string_equal(password_decoded, PASSWORD); -+ talloc_free(password_decoded); -+} -+ - int main(int argc, char *argv[]) - { - int rc; - const struct CMUnitTest tests[] = { - cmocka_unit_test(torture_decode_rc4_passwd_buffer), - cmocka_unit_test(torture_rc4_passwd_buffer), -+ cmocka_unit_test(torture_endode_decode_rc4_passwd_buffer), - }; - - if (argc 
== 2) { --- -2.23.0 - diff --git a/SOURCES/0019-s3-rpc_client-Use-encode_rc4_passwd_buffer-in-init_s.patch b/SOURCES/0019-s3-rpc_client-Use-encode_rc4_passwd_buffer-in-init_s.patch deleted file mode 100644 index 53605d5..0000000 --- a/SOURCES/0019-s3-rpc_client-Use-encode_rc4_passwd_buffer-in-init_s.patch +++ /dev/null 
@@ -1,60 +0,0 @@ -From 26b7ab9339d9e6530244bf35e38a3658d7fc8aa9 Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Wed, 24 Jul 2019 11:44:51 +0200 -Subject: [PATCH 019/187] s3:rpc_client: Use encode_rc4_passwd_buffer() in - init_samr_CryptPasswordEx() - -Signed-off-by: Andreas Schneider -Reviewed-by: Andrew Bartlett -(cherry picked from commit f0c0cf299eb99e7b78be2f04141b6d415bf525e2) ---- - source3/rpc_client/init_samr.c | 33 +-------------------------------- - 1 file changed, 1 insertion(+), 32 deletions(-) - -diff --git a/source3/rpc_client/init_samr.c b/source3/rpc_client/init_samr.c -index 0eb50c54525..a98d50e3f6a 100644 ---- a/source3/rpc_client/init_samr.c -+++ b/source3/rpc_client/init_samr.c -@@ -33,38 +33,7 @@ NTSTATUS init_samr_CryptPasswordEx(const char *pwd, - DATA_BLOB *session_key, - struct samr_CryptPasswordEx *pwd_buf) - { -- /* samr_CryptPasswordEx */ -- -- uint8_t _confounder[16] = {0}; -- DATA_BLOB confounder = data_blob_const(_confounder, 16); -- uint8_t pwbuf[532] = {0}; -- DATA_BLOB encrypt_pwbuf = data_blob_const(pwbuf, 516); -- bool ok; -- int rc; -- -- ok = encode_pw_buffer(pwbuf, pwd, STR_UNICODE); -- if (!ok) { -- return NT_STATUS_INTERNAL_ERROR; -- } -- -- generate_random_buffer(_confounder, sizeof(_confounder)); -- -- rc = samba_gnutls_arcfour_confounded_md5(&confounder, -- session_key, -- &encrypt_pwbuf, -- SAMBA_GNUTLS_ENCRYPT); -- if (rc < 0) { -- ZERO_ARRAY(_confounder); -- return gnutls_error_to_ntstatus(rc, NT_STATUS_ACCESS_DISABLED_BY_POLICY_OTHER); -- } -- -- memcpy(&pwbuf[516], confounder.data, confounder.length); -- ZERO_ARRAY(_confounder); -- -- memcpy(pwd_buf->data, pwbuf, sizeof(pwbuf)); -- ZERO_ARRAY(pwbuf); -- -- return NT_STATUS_OK; -+ return encode_rc4_passwd_buffer(pwd, session_key, pwd_buf); - } - - /************************************************************************* --- -2.23.0 - 
diff --git a/SOURCES/0020-s4-libnet-Use-encode_rc4_passwd_buffer-in-libnet_Set.patch b/SOURCES/0020-s4-libnet-Use-encode_rc4_passwd_buffer-in-libnet_Set.patch deleted file mode 100644 index 151c7c8..0000000 --- a/SOURCES/0020-s4-libnet-Use-encode_rc4_passwd_buffer-in-libnet_Set.patch +++ /dev/null 
@@ -1,108 +0,0 @@ -From c82322be0012f8bf467d75681bd82322eba11145 Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Tue, 9 Jul 2019 13:01:49 +0200 -Subject: [PATCH 020/187] s4:libnet: Use encode_rc4_passwd_buffer() in - libnet_SetPassword_samr_handle_26() - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14031 - -Signed-off-by: Andreas Schneider -Reviewed-by: Andrew Bartlett -(cherry picked from commit 5afa402bb7ba11a8eefc6e14047eeec1f3327681) ---- - source4/libnet/libnet_passwd.c | 47 ++++++++-------------------------- - 1 file changed, 11 insertions(+), 36 deletions(-) - -diff --git a/source4/libnet/libnet_passwd.c b/source4/libnet/libnet_passwd.c -index 97ce7f58ddf..0beea077bd0 100644 ---- a/source4/libnet/libnet_passwd.c -+++ b/source4/libnet/libnet_passwd.c -@@ -23,6 +23,7 @@ - #include "../lib/crypto/crypto.h" - #include "libcli/auth/libcli_auth.h" - #include "librpc/gen_ndr/ndr_samr_c.h" -+#include "source4/librpc/rpc/dcerpc.h" - - #include "lib/crypto/gnutls_helpers.h" - #include -@@ -276,10 +277,6 @@ static NTSTATUS libnet_SetPassword_samr_handle_26(struct libnet_context *ctx, TA - struct samr_SetUserInfo2 sui; - union samr_UserInfo u_info; - DATA_BLOB session_key; -- DATA_BLOB confounded_session_key = data_blob_talloc(mem_ctx, NULL, 16); -- uint8_t confounder[16]; -- gnutls_hash_hd_t hash_hnd = NULL; -- int rc; - - if (r->samr_handle.in.info21) { - return NT_STATUS_INVALID_PARAMETER_MIX; -@@ -287,9 +284,8 @@ static NTSTATUS libnet_SetPassword_samr_handle_26(struct libnet_context *ctx, TA - - /* prepare samr_SetUserInfo2 level 26 */ - ZERO_STRUCT(u_info); -- encode_pw_buffer(u_info.info26.password.data, r->samr_handle.in.newpassword, STR_UNICODE); - u_info.info26.password_expired = 0; -- -+ - status = dcerpc_fetch_session_key(r->samr_handle.in.dcerpc_pipe, &session_key); - if (!NT_STATUS_IS_OK(status)) { - r->samr_handle.out.error_string = talloc_asprintf(mem_ctx, -@@ -297,38 +293,18 @@ static NTSTATUS libnet_SetPassword_samr_handle_26(struct 
libnet_context *ctx, TA - nt_errstr(status)); - return status; - } -- -- generate_random_buffer((uint8_t *)confounder, 16); -- -- rc = gnutls_hash_init(&hash_hnd, GNUTLS_DIG_MD5); -- if (rc < 0) { -- status = gnutls_error_to_ntstatus(rc, NT_STATUS_HASH_NOT_SUPPORTED); -- goto out; -- } - -- rc = gnutls_hash(hash_hnd, confounder, 16); -- if (rc < 0) { -- gnutls_hash_deinit(hash_hnd, NULL); -- status = gnutls_error_to_ntstatus(rc, NT_STATUS_HASH_NOT_SUPPORTED); -- goto out; -- } -- rc = gnutls_hash(hash_hnd, session_key.data, session_key.length); -- if (rc < 0) { -- gnutls_hash_deinit(hash_hnd, NULL); -- status = gnutls_error_to_ntstatus(rc, NT_STATUS_HASH_NOT_SUPPORTED); -- goto out; -+ status = encode_rc4_passwd_buffer(r->samr_handle.in.newpassword, -+ &session_key, -+ &u_info.info26.password); -+ if (!NT_STATUS_IS_OK(status)) { -+ r->samr_handle.out.error_string = -+ talloc_asprintf(mem_ctx, -+ "encode_rc4_passwd_buffer failed: %s", -+ nt_errstr(status)); -+ return status; - } - -- gnutls_hash_deinit(hash_hnd, confounded_session_key.data); -- -- arcfour_crypt_blob(u_info.info26.password.data, 516, &confounded_session_key); -- ZERO_ARRAY_LEN(confounded_session_key.data, -- confounded_session_key.length); -- data_blob_free(&confounded_session_key); -- -- memcpy(&u_info.info26.password.data[516], confounder, 16); -- ZERO_ARRAY(confounder); -- - sui.in.user_handle = r->samr_handle.in.user_handle; - sui.in.info = &u_info; - sui.in.level = 26; -@@ -346,7 +322,6 @@ static NTSTATUS libnet_SetPassword_samr_handle_26(struct libnet_context *ctx, TA - r->samr_handle.in.account_name, nt_errstr(status)); - } - --out: - return status; - } - --- -2.23.0 - diff --git a/SOURCES/0021-s4-libnet-Use-encode_rc4_passwd_buffer-in-libnet_Set.patch b/SOURCES/0021-s4-libnet-Use-encode_rc4_passwd_buffer-in-libnet_Set.patch deleted file mode 100644 index eeac450..0000000 --- a/SOURCES/0021-s4-libnet-Use-encode_rc4_passwd_buffer-in-libnet_Set.patch +++ /dev/null 
@@ -1,95 +0,0 @@ -From c162d52b14947990fb6102180a7e2fd6a7d8d1d5 Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Tue, 9 Jul 2019 13:11:54 +0200 -Subject: [PATCH 021/187] s4:libnet: Use encode_rc4_passwd_buffer() in - libnet_SetPassword_samr_handle_25() - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14031 - -Signed-off-by: Andreas Schneider -Reviewed-by: Andrew Bartlett -(cherry picked from commit e44ba0397c7558e1da6a46cc38237a3b0e5cef49) ---- - source4/libnet/libnet_passwd.c | 43 +++++++--------------------------- - 1 file changed, 9 insertions(+), 34 deletions(-) - -diff --git a/source4/libnet/libnet_passwd.c b/source4/libnet/libnet_passwd.c -index 0beea077bd0..b2105121523 100644 ---- a/source4/libnet/libnet_passwd.c -+++ b/source4/libnet/libnet_passwd.c -@@ -331,10 +331,6 @@ static NTSTATUS libnet_SetPassword_samr_handle_25(struct libnet_context *ctx, TA - struct samr_SetUserInfo2 sui; - union samr_UserInfo u_info; - DATA_BLOB session_key; -- DATA_BLOB confounded_session_key = data_blob_talloc(mem_ctx, NULL, 16); -- uint8_t confounder[16]; -- gnutls_hash_hd_t hash_hnd = NULL; -- int rc; - - if (!r->samr_handle.in.info21) { - return NT_STATUS_INVALID_PARAMETER_MIX; -@@ -344,7 +340,6 @@ static NTSTATUS libnet_SetPassword_samr_handle_25(struct libnet_context *ctx, TA - ZERO_STRUCT(u_info); - u_info.info25.info = *r->samr_handle.in.info21; - u_info.info25.info.fields_present |= SAMR_FIELD_NT_PASSWORD_PRESENT; -- encode_pw_buffer(u_info.info25.password.data, r->samr_handle.in.newpassword, STR_UNICODE); - - status = dcerpc_fetch_session_key(r->samr_handle.in.dcerpc_pipe, &session_key); - if (!NT_STATUS_IS_OK(status)) { -@@ -354,36 +349,17 @@ static NTSTATUS libnet_SetPassword_samr_handle_25(struct libnet_context *ctx, TA - return status; - } - -- generate_random_buffer((uint8_t *)confounder, 16); -- -- rc = gnutls_hash_init(&hash_hnd, GNUTLS_DIG_MD5); -- if (rc < 0) { -- status = gnutls_error_to_ntstatus(rc, NT_STATUS_HASH_NOT_SUPPORTED); -- goto out; -- } 
-- -- rc = gnutls_hash(hash_hnd, confounder, 16); -- if (rc < 0) { -- gnutls_hash_deinit(hash_hnd, NULL); -- status = gnutls_error_to_ntstatus(rc, NT_STATUS_HASH_NOT_SUPPORTED); -- goto out; -- } -- rc = gnutls_hash(hash_hnd, session_key.data, session_key.length); -- if (rc < 0) { -- gnutls_hash_deinit(hash_hnd, NULL); -- status = gnutls_error_to_ntstatus(rc, NT_STATUS_HASH_NOT_SUPPORTED); -- goto out; -+ status = encode_rc4_passwd_buffer(r->samr_handle.in.newpassword, -+ &session_key, -+ &u_info.info25.password); -+ if (!NT_STATUS_IS_OK(status)) { -+ r->samr_handle.out.error_string = -+ talloc_asprintf(mem_ctx, -+ "encode_rc4_passwd_buffer failed: %s", -+ nt_errstr(status)); -+ return status; - } - -- gnutls_hash_deinit(hash_hnd, confounded_session_key.data); -- -- arcfour_crypt_blob(u_info.info25.password.data, 516, &confounded_session_key); -- ZERO_ARRAY_LEN(confounded_session_key.data, -- confounded_session_key.length); -- data_blob_free(&confounded_session_key); -- -- memcpy(&u_info.info25.password.data[516], confounder, 16); -- ZERO_ARRAY(confounder); - - sui.in.user_handle = r->samr_handle.in.user_handle; - sui.in.info = &u_info; -@@ -401,7 +377,6 @@ static NTSTATUS libnet_SetPassword_samr_handle_25(struct libnet_context *ctx, TA - r->samr_handle.in.account_name, nt_errstr(status)); - } - --out: - return status; - } - --- -2.23.0 - diff --git a/SOURCES/0022-s4-libnet-Use-GnuTLS-RC4-in-libnet_SetPassword_samr_.patch b/SOURCES/0022-s4-libnet-Use-GnuTLS-RC4-in-libnet_SetPassword_samr_.patch deleted file mode 100644 index a771e6e..0000000 --- a/SOURCES/0022-s4-libnet-Use-GnuTLS-RC4-in-libnet_SetPassword_samr_.patch +++ /dev/null 
@@ -1,72 +0,0 @@ -From 5b0f5925814742ca8b7e772f1a7f4558b770c45b Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Fri, 1 Feb 2019 13:38:21 +0100 -Subject: [PATCH 022/187] s4:libnet: Use GnuTLS RC4 in - libnet_SetPassword_samr_handle_24() - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14031 - -Signed-off-by: Andreas Schneider -Reviewed-by: Andrew Bartlett -(cherry picked from commit 18937f9ceb5aca23899555c5a34fe359f6fcb126) ---- - source4/libnet/libnet_passwd.c | 29 ++++++++++++++++++++++++++++- - 1 file changed, 28 insertions(+), 1 deletion(-) - -diff --git a/source4/libnet/libnet_passwd.c b/source4/libnet/libnet_passwd.c -index b2105121523..064ef98879a 100644 ---- a/source4/libnet/libnet_passwd.c -+++ b/source4/libnet/libnet_passwd.c -@@ -386,6 +386,9 @@ static NTSTATUS libnet_SetPassword_samr_handle_24(struct libnet_context *ctx, TA - struct samr_SetUserInfo2 sui; - union samr_UserInfo u_info; - DATA_BLOB session_key; -+ gnutls_cipher_hd_t cipher_hnd = NULL; -+ gnutls_datum_t enc_session_key; -+ int rc; - - if (r->samr_handle.in.info21) { - return NT_STATUS_INVALID_PARAMETER_MIX; -@@ -404,7 +407,28 @@ static NTSTATUS libnet_SetPassword_samr_handle_24(struct libnet_context *ctx, TA - return status; - } - -- arcfour_crypt_blob(u_info.info24.password.data, 516, &session_key); -+ enc_session_key = (gnutls_datum_t) { -+ .data = session_key.data, -+ .size = session_key.length, -+ }; -+ -+ rc = gnutls_cipher_init(&cipher_hnd, -+ GNUTLS_CIPHER_ARCFOUR_128, -+ &enc_session_key, -+ NULL); -+ if (rc < 0) { -+ status = gnutls_error_to_ntstatus(rc, NT_STATUS_CRYPTO_SYSTEM_INVALID); -+ goto out; -+ } -+ -+ rc = gnutls_cipher_encrypt(cipher_hnd, -+ u_info.info24.password.data, -+ 516); -+ gnutls_cipher_deinit(cipher_hnd); -+ if (rc < 0) { -+ status = gnutls_error_to_ntstatus(rc, NT_STATUS_CRYPTO_SYSTEM_INVALID); -+ goto out; -+ } - - sui.in.user_handle = r->samr_handle.in.user_handle; - sui.in.info = &u_info; -@@ -421,6 +445,9 @@ static NTSTATUS 
libnet_SetPassword_samr_handle_24(struct libnet_context *ctx, TA - "SetUserInfo2 level 24 for [%s] failed: %s", - r->samr_handle.in.account_name, nt_errstr(status)); - } -+ -+out: -+ data_blob_clear(&session_key); - return status; - } - --- -2.23.0 - diff --git a/SOURCES/0023-s4-libnet-Use-GnuTLS-RC4-in-libnet_SetPassword_samr_.patch b/SOURCES/0023-s4-libnet-Use-GnuTLS-RC4-in-libnet_SetPassword_samr_.patch deleted file mode 100644 index 07b7252..0000000 --- a/SOURCES/0023-s4-libnet-Use-GnuTLS-RC4-in-libnet_SetPassword_samr_.patch +++ /dev/null 
@@ -1,72 +0,0 @@ -From e5e6605b40f80eee699f3fde275a620022979f05 Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Fri, 1 Feb 2019 13:38:21 +0100 -Subject: [PATCH 023/187] s4:libnet: Use GnuTLS RC4 in - libnet_SetPassword_samr_handle_23() - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14031 - -Signed-off-by: Andreas Schneider -Reviewed-by: Andrew Bartlett -(cherry picked from commit cdb4e12765266ae767021d932870fbfcd55ccbf6) ---- - source4/libnet/libnet_passwd.c | 29 ++++++++++++++++++++++++++++- - 1 file changed, 28 insertions(+), 1 deletion(-) - -diff --git a/source4/libnet/libnet_passwd.c b/source4/libnet/libnet_passwd.c -index 064ef98879a..dce3813de38 100644 ---- a/source4/libnet/libnet_passwd.c -+++ b/source4/libnet/libnet_passwd.c -@@ -457,6 +457,9 @@ static NTSTATUS libnet_SetPassword_samr_handle_23(struct libnet_context *ctx, TA - struct samr_SetUserInfo2 sui; - union samr_UserInfo u_info; - DATA_BLOB session_key; -+ gnutls_cipher_hd_t cipher_hnd = NULL; -+ gnutls_datum_t _session_key; -+ int rc; - - if (!r->samr_handle.in.info21) { - return NT_STATUS_INVALID_PARAMETER_MIX; -@@ -477,7 +480,29 @@ static NTSTATUS libnet_SetPassword_samr_handle_23(struct libnet_context *ctx, TA - return status; - } - -- arcfour_crypt_blob(u_info.info23.password.data, 516, &session_key); -+ _session_key = (gnutls_datum_t) { -+ .data = session_key.data, -+ .size = session_key.length, -+ }; -+ -+ rc = gnutls_cipher_init(&cipher_hnd, -+ GNUTLS_CIPHER_ARCFOUR_128, -+ &_session_key, -+ NULL); -+ if (rc < 0) { -+ status = gnutls_error_to_ntstatus(rc, NT_STATUS_CRYPTO_SYSTEM_INVALID); -+ goto out; -+ } -+ -+ rc = gnutls_cipher_encrypt(cipher_hnd, -+ u_info.info23.password.data, -+ 516); -+ data_blob_clear_free(&session_key); -+ gnutls_cipher_deinit(cipher_hnd); -+ if (rc < 0) { -+ status = gnutls_error_to_ntstatus(rc, NT_STATUS_CRYPTO_SYSTEM_INVALID); -+ goto out; -+ } - - sui.in.user_handle = r->samr_handle.in.user_handle; - sui.in.info = &u_info; -@@ -494,6 +519,8 @@ static 
NTSTATUS libnet_SetPassword_samr_handle_23(struct libnet_context *ctx, TA - "SetUserInfo2 level 23 for [%s] failed: %s", - r->samr_handle.in.account_name, nt_errstr(status)); - } -+ -+out: - return status; - } - --- -2.23.0 - diff --git a/SOURCES/0024-s4-libnet-Use-GnuTLS-RC4-in-libnet_ChangePassword_sa.patch b/SOURCES/0024-s4-libnet-Use-GnuTLS-RC4-in-libnet_ChangePassword_sa.patch deleted file mode 100644 index 772ffa7..0000000 --- a/SOURCES/0024-s4-libnet-Use-GnuTLS-RC4-in-libnet_ChangePassword_sa.patch +++ /dev/null 
@@ -1,174 +0,0 @@ -From 01c0b0ac77baae946d270d44d1c40dbdf17a8ee3 Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Thu, 25 Jul 2019 15:15:46 +1200 -Subject: [PATCH 024/187] s4:libnet: Use GnuTLS RC4 in - libnet_ChangePassword_samr() - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14031 - -Signed-off-by: Andreas Schneider -Signed-off-by: Andrew Bartlett -Reviewed-by: Andrew Bartlett -(cherry picked from commit 9ea736590d9b22a7518f86b18e8c55b0d0e213d5) ---- - source4/libnet/libnet_passwd.c | 110 +++++++++++++++++++++++++++++++-- - 1 file changed, 104 insertions(+), 6 deletions(-) - -diff --git a/source4/libnet/libnet_passwd.c b/source4/libnet/libnet_passwd.c -index dce3813de38..704a94a5864 100644 ---- a/source4/libnet/libnet_passwd.c -+++ b/source4/libnet/libnet_passwd.c -@@ -20,7 +20,6 @@ - - #include "includes.h" - #include "libnet/libnet.h" --#include "../lib/crypto/crypto.h" - #include "libcli/auth/libcli_auth.h" - #include "librpc/gen_ndr/ndr_samr_c.h" - #include "source4/librpc/rpc/dcerpc.h" -@@ -57,6 +56,16 @@ static NTSTATUS libnet_ChangePassword_samr(struct libnet_context *ctx, TALLOC_CT - uint8_t old_lm_hash[16], new_lm_hash[16]; - struct samr_DomInfo1 *dominfo = NULL; - struct userPwdChangeFailureInformation *reject = NULL; -+ gnutls_cipher_hd_t cipher_hnd = NULL; -+ gnutls_datum_t nt_session_key = { -+ .data = old_nt_hash, -+ .size = sizeof(old_nt_hash), -+ }; -+ gnutls_datum_t lm_session_key = { -+ .data = old_lm_hash, -+ .size = sizeof(old_lm_hash), -+ }; -+ int rc; - - ZERO_STRUCT(c); - -@@ -87,11 +96,47 @@ static NTSTATUS libnet_ChangePassword_samr(struct libnet_context *ctx, TALLOC_CT - - /* prepare samr_ChangePasswordUser3 */ - encode_pw_buffer(lm_pass.data, r->samr.in.newpassword, STR_UNICODE); -- arcfour_crypt(lm_pass.data, old_nt_hash, 516); -+ -+ rc = gnutls_cipher_init(&cipher_hnd, -+ GNUTLS_CIPHER_ARCFOUR_128, -+ &nt_session_key, -+ NULL); -+ if (rc < 0) { -+ status = gnutls_error_to_ntstatus(rc, NT_STATUS_CRYPTO_SYSTEM_INVALID); -+ 
goto disconnect; -+ } -+ -+ rc = gnutls_cipher_encrypt(cipher_hnd, -+ lm_pass.data, -+ 516); -+ gnutls_cipher_deinit(cipher_hnd); -+ if (rc < 0) { -+ status = gnutls_error_to_ntstatus(rc, NT_STATUS_CRYPTO_SYSTEM_INVALID); -+ goto disconnect; -+ } -+ - E_old_pw_hash(new_lm_hash, old_lm_hash, lm_verifier.hash); - - encode_pw_buffer(nt_pass.data, r->samr.in.newpassword, STR_UNICODE); -- arcfour_crypt(nt_pass.data, old_nt_hash, 516); -+ -+ rc = gnutls_cipher_init(&cipher_hnd, -+ GNUTLS_CIPHER_ARCFOUR_128, -+ &nt_session_key, -+ NULL); -+ if (rc < 0) { -+ status = gnutls_error_to_ntstatus(rc, NT_STATUS_CRYPTO_SYSTEM_INVALID); -+ goto disconnect; -+ } -+ -+ rc = gnutls_cipher_encrypt(cipher_hnd, -+ nt_pass.data, -+ 516); -+ gnutls_cipher_deinit(cipher_hnd); -+ if (rc < 0) { -+ status = gnutls_error_to_ntstatus(rc, NT_STATUS_CRYPTO_SYSTEM_INVALID); -+ goto disconnect; -+ } -+ - E_old_pw_hash(new_nt_hash, old_nt_hash, nt_verifier.hash); - - pw3.in.server = &server; -@@ -125,11 +170,46 @@ static NTSTATUS libnet_ChangePassword_samr(struct libnet_context *ctx, TALLOC_CT - - /* prepare samr_ChangePasswordUser2 */ - encode_pw_buffer(lm_pass.data, r->samr.in.newpassword, STR_ASCII|STR_TERMINATE); -- arcfour_crypt(lm_pass.data, old_lm_hash, 516); -+ -+ rc = gnutls_cipher_init(&cipher_hnd, -+ GNUTLS_CIPHER_ARCFOUR_128, -+ &lm_session_key, -+ NULL); -+ if (rc < 0) { -+ status = gnutls_error_to_ntstatus(rc, NT_STATUS_CRYPTO_SYSTEM_INVALID); -+ goto disconnect; -+ } -+ -+ rc = gnutls_cipher_encrypt(cipher_hnd, -+ lm_pass.data, -+ 516); -+ gnutls_cipher_deinit(cipher_hnd); -+ if (rc < 0) { -+ status = gnutls_error_to_ntstatus(rc, NT_STATUS_CRYPTO_SYSTEM_INVALID); -+ goto disconnect; -+ } -+ - E_old_pw_hash(new_lm_hash, old_lm_hash, lm_verifier.hash); - - encode_pw_buffer(nt_pass.data, r->samr.in.newpassword, STR_UNICODE); -- arcfour_crypt(nt_pass.data, old_nt_hash, 516); -+ -+ rc = gnutls_cipher_init(&cipher_hnd, -+ GNUTLS_CIPHER_ARCFOUR_128, -+ &nt_session_key, -+ NULL); -+ if (rc < 
0) { -+ status = gnutls_error_to_ntstatus(rc, NT_STATUS_CRYPTO_SYSTEM_INVALID); -+ goto disconnect; -+ } -+ rc = gnutls_cipher_encrypt(cipher_hnd, -+ nt_pass.data, -+ 516); -+ gnutls_cipher_deinit(cipher_hnd); -+ if (rc < 0) { -+ status = gnutls_error_to_ntstatus(rc, NT_STATUS_CRYPTO_SYSTEM_INVALID); -+ goto disconnect; -+ } -+ - E_old_pw_hash(new_nt_hash, old_nt_hash, nt_verifier.hash); - - pw2.in.server = &server; -@@ -161,7 +241,25 @@ static NTSTATUS libnet_ChangePassword_samr(struct libnet_context *ctx, TALLOC_CT - a_account.string = r->samr.in.account_name; - - encode_pw_buffer(lm_pass.data, r->samr.in.newpassword, STR_ASCII); -- arcfour_crypt(lm_pass.data, old_lm_hash, 516); -+ -+ rc = gnutls_cipher_init(&cipher_hnd, -+ GNUTLS_CIPHER_ARCFOUR_128, -+ &lm_session_key, -+ NULL); -+ if (rc < 0) { -+ status = gnutls_error_to_ntstatus(rc, NT_STATUS_CRYPTO_SYSTEM_INVALID); -+ goto disconnect; -+ } -+ -+ rc = gnutls_cipher_encrypt(cipher_hnd, -+ lm_pass.data, -+ 516); -+ gnutls_cipher_deinit(cipher_hnd); -+ if (rc < 0) { -+ status = gnutls_error_to_ntstatus(rc, NT_STATUS_CRYPTO_SYSTEM_INVALID); -+ goto disconnect; -+ } -+ - E_old_pw_hash(new_lm_hash, old_lm_hash, lm_verifier.hash); - - oe2.in.server = &a_server; --- -2.23.0 - diff --git a/SOURCES/0025-libcli-auth-Return-WERROR-for-encode_wkssvc_join_pas.patch b/SOURCES/0025-libcli-auth-Return-WERROR-for-encode_wkssvc_join_pas.patch deleted file mode 100644 index 0500388..0000000 --- a/SOURCES/0025-libcli-auth-Return-WERROR-for-encode_wkssvc_join_pas.patch +++ /dev/null 
@@ -1,236 +0,0 @@ -From 2d6f95107af7357d1084a4ba272f865c8249510a Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Wed, 29 May 2019 15:50:45 +0200 -Subject: [PATCH 025/187] libcli:auth: Return WERROR for - encode_wkssvc_join_password_buffer() - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14031 - -Signed-off-by: Andreas Schneider -Reviewed-by: Andrew Bartlett -(cherry picked from commit 576bcf61555fb641b2919ad84a6b26b242b57061) ---- - libcli/auth/proto.h | 8 +++--- - libcli/auth/smbencrypt.c | 20 ++++++++++----- - source3/lib/netapi/joindomain.c | 44 +++++++++++++++++++++------------ - source4/torture/rpc/wkssvc.c | 20 ++++++++++++--- - 4 files changed, 62 insertions(+), 30 deletions(-) - -diff --git a/libcli/auth/proto.h b/libcli/auth/proto.h -index 67caaca8c41..65ee06215dc 100644 ---- a/libcli/auth/proto.h -+++ b/libcli/auth/proto.h -@@ -207,10 +207,10 @@ bool set_pw_in_buffer(uint8_t buffer[516], const DATA_BLOB *password); - bool extract_pw_from_buffer(TALLOC_CTX *mem_ctx, - uint8_t in_buffer[516], DATA_BLOB *new_pass); - struct wkssvc_PasswordBuffer; --void encode_wkssvc_join_password_buffer(TALLOC_CTX *mem_ctx, -- const char *pwd, -- DATA_BLOB *session_key, -- struct wkssvc_PasswordBuffer **pwd_buf); -+WERROR encode_wkssvc_join_password_buffer(TALLOC_CTX *mem_ctx, -+ const char *pwd, -+ DATA_BLOB *session_key, -+ struct wkssvc_PasswordBuffer **pwd_buf); - WERROR decode_wkssvc_join_password_buffer(TALLOC_CTX *mem_ctx, - struct wkssvc_PasswordBuffer *pwd_buf, - DATA_BLOB *session_key, -diff --git a/libcli/auth/smbencrypt.c b/libcli/auth/smbencrypt.c -index 793012553b2..745f47999cd 100644 ---- a/libcli/auth/smbencrypt.c -+++ b/libcli/auth/smbencrypt.c -@@ -965,10 +965,10 @@ bool extract_pw_from_buffer(TALLOC_CTX *mem_ctx, - * buffer), calling MD5Update() first with session_key and then with confounder - * (vice versa in samr) - Guenther */ - --void encode_wkssvc_join_password_buffer(TALLOC_CTX *mem_ctx, -- const char *pwd, -- DATA_BLOB *session_key, 
-- struct wkssvc_PasswordBuffer **pwd_buf) -+WERROR encode_wkssvc_join_password_buffer(TALLOC_CTX *mem_ctx, -+ const char *pwd, -+ DATA_BLOB *session_key, -+ struct wkssvc_PasswordBuffer **pwd_buf) - { - uint8_t buffer[516]; - gnutls_hash_hd_t hash_hnd = NULL; -@@ -976,11 +976,12 @@ void encode_wkssvc_join_password_buffer(TALLOC_CTX *mem_ctx, - DATA_BLOB confounded_session_key; - int confounder_len = 8; - uint8_t confounder[8]; -+ WERROR werr; - int rc; - - my_pwd_buf = talloc_zero(mem_ctx, struct wkssvc_PasswordBuffer); - if (!my_pwd_buf) { -- return; -+ return WERR_NOT_ENOUGH_MEMORY; - } - - confounded_session_key = data_blob_talloc(mem_ctx, NULL, 16); -@@ -991,17 +992,23 @@ void encode_wkssvc_join_password_buffer(TALLOC_CTX *mem_ctx, - - rc = gnutls_hash_init(&hash_hnd, GNUTLS_DIG_MD5); - if (rc < 0) { -+ werr = gnutls_error_to_werror(rc, WERR_INTERNAL_ERROR); -+ - goto out; - } - - rc = gnutls_hash(hash_hnd, session_key->data, session_key->length); - if (rc < 0) { - gnutls_hash_deinit(hash_hnd, NULL); -+ werr = gnutls_error_to_werror(rc, WERR_INTERNAL_ERROR); -+ - goto out; - } - rc = gnutls_hash(hash_hnd, confounder, confounder_len); - if (rc < 0) { - gnutls_hash_deinit(hash_hnd, NULL); -+ werr = gnutls_error_to_werror(rc, WERR_INTERNAL_ERROR); -+ - goto out; - } - gnutls_hash_deinit(hash_hnd, confounded_session_key.data); -@@ -1017,8 +1024,9 @@ void encode_wkssvc_join_password_buffer(TALLOC_CTX *mem_ctx, - - *pwd_buf = my_pwd_buf; - -+ werr = WERR_OK; - out: -- return; -+ return werr; - } - - WERROR decode_wkssvc_join_password_buffer(TALLOC_CTX *mem_ctx, -diff --git a/source3/lib/netapi/joindomain.c b/source3/lib/netapi/joindomain.c -index 8d0752f4531..f2d36fc00db 100644 ---- a/source3/lib/netapi/joindomain.c -+++ b/source3/lib/netapi/joindomain.c -@@ -137,10 +137,13 @@ WERROR NetJoinDomain_r(struct libnetapi_ctx *ctx, - goto done; - } - -- encode_wkssvc_join_password_buffer(ctx, -- r->in.password, -- &session_key, -- &encrypted_password); -+ werr = 
encode_wkssvc_join_password_buffer(ctx, -+ r->in.password, -+ &session_key, -+ &encrypted_password); -+ if (!W_ERROR_IS_OK(werr)) { -+ goto done; -+ } - } - - old_timeout = rpccli_set_timeout(pipe_cli, 600000); -@@ -279,10 +282,13 @@ WERROR NetUnjoinDomain_r(struct libnetapi_ctx *ctx, - goto done; - } - -- encode_wkssvc_join_password_buffer(ctx, -- r->in.password, -- &session_key, -- &encrypted_password); -+ werr = encode_wkssvc_join_password_buffer(ctx, -+ r->in.password, -+ &session_key, -+ &encrypted_password); -+ if (!W_ERROR_IS_OK(werr)) { -+ goto done; -+ } - } - - old_timeout = rpccli_set_timeout(pipe_cli, 60000); -@@ -484,10 +490,13 @@ WERROR NetGetJoinableOUs_r(struct libnetapi_ctx *ctx, - goto done; - } - -- encode_wkssvc_join_password_buffer(ctx, -- r->in.password, -- &session_key, -- &encrypted_password); -+ werr = encode_wkssvc_join_password_buffer(ctx, -+ r->in.password, -+ &session_key, -+ &encrypted_password); -+ if (!W_ERROR_IS_OK(werr)) { -+ goto done; -+ } - } - - status = dcerpc_wkssvc_NetrGetJoinableOus2(b, talloc_tos(), -@@ -537,10 +546,13 @@ WERROR NetRenameMachineInDomain_r(struct libnetapi_ctx *ctx, - goto done; - } - -- encode_wkssvc_join_password_buffer(ctx, -- r->in.password, -- &session_key, -- &encrypted_password); -+ werr = encode_wkssvc_join_password_buffer(ctx, -+ r->in.password, -+ &session_key, -+ &encrypted_password); -+ if (!W_ERROR_IS_OK(werr)) { -+ goto done; -+ } - } - - status = dcerpc_wkssvc_NetrRenameMachineInDomain2(b, talloc_tos(), -diff --git a/source4/torture/rpc/wkssvc.c b/source4/torture/rpc/wkssvc.c -index c98ac92b39b..4bc1f9cd0c7 100644 ---- a/source4/torture/rpc/wkssvc.c -+++ b/source4/torture/rpc/wkssvc.c -@@ -1199,6 +1199,7 @@ static bool test_NetrJoinDomain2(struct torture_context *tctx, - enum wkssvc_NetJoinStatus join_status; - const char *join_name = NULL; - WERROR expected_err; -+ WERROR werr; - DATA_BLOB session_key; - struct dcerpc_binding_handle *b = p->binding_handle; - -@@ -1240,8 +1241,13 @@ static 
bool test_NetrJoinDomain2(struct torture_context *tctx, - return false; - } - -- encode_wkssvc_join_password_buffer(tctx, domain_admin_password, -- &session_key, &pwd_buf); -+ werr = encode_wkssvc_join_password_buffer(tctx, -+ domain_admin_password, -+ &session_key, -+ &pwd_buf); -+ if (!W_ERROR_IS_OK(werr)) { -+ return false; -+ } - - r.in.server_name = dcerpc_server_name(p); - r.in.domain_name = domain_name; -@@ -1284,6 +1290,7 @@ static bool test_NetrUnjoinDomain2(struct torture_context *tctx, - enum wkssvc_NetJoinStatus join_status; - const char *join_name = NULL; - WERROR expected_err; -+ WERROR werr; - DATA_BLOB session_key; - struct dcerpc_binding_handle *b = p->binding_handle; - -@@ -1322,8 +1329,13 @@ static bool test_NetrUnjoinDomain2(struct torture_context *tctx, - return false; - } - -- encode_wkssvc_join_password_buffer(tctx, domain_admin_password, -- &session_key, &pwd_buf); -+ werr = encode_wkssvc_join_password_buffer(tctx, -+ domain_admin_password, -+ &session_key, -+ &pwd_buf); -+ if (!W_ERROR_IS_OK(werr)) { -+ return false; -+ } - - r.in.server_name = dcerpc_server_name(p); - r.in.account = domain_admin_account; --- -2.23.0 - diff --git a/SOURCES/0026-libcli-auth-Add-test-for-encode-decode-_wkssvc_join_.patch b/SOURCES/0026-libcli-auth-Add-test-for-encode-decode-_wkssvc_join_.patch deleted file mode 100644 index 77ecc50..0000000 --- a/SOURCES/0026-libcli-auth-Add-test-for-encode-decode-_wkssvc_join_.patch +++ /dev/null 
@@ -1,172 +0,0 @@ -From 32004f3011bb6bb45f21d39c6e2830a47ec43f3e Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Mon, 8 Jul 2019 17:36:58 +0200 -Subject: [PATCH 026/187] libcli:auth: Add test for - (encode|decode)_wkssvc_join_password_buffer - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14031 - -Signed-off-by: Andreas Schneider -Reviewed-by: Andrew Bartlett -(cherry picked from commit f4a16bfba8d87de883d3d2e54cdc825fc5e01c2b) ---- - libcli/auth/tests/test_rc4_passwd_buffer.c | 129 +++++++++++++++++++++ - 1 file changed, 129 insertions(+) - -diff --git a/libcli/auth/tests/test_rc4_passwd_buffer.c b/libcli/auth/tests/test_rc4_passwd_buffer.c -index db6ca3f3f4c..6d97ac6e2f7 100644 ---- a/libcli/auth/tests/test_rc4_passwd_buffer.c -+++ b/libcli/auth/tests/test_rc4_passwd_buffer.c -@@ -99,6 +99,76 @@ static const uint8_t encrypted_test_blob[] = { - 0x15, 0x13, 0xdc, 0x15, - }; - -+ -+static const uint8_t encrypted_wkssvc_test_blob[] = { -+ 0x13, 0x79, 0x1f, 0x1a, 0x02, 0x15, 0x72, 0x1c, -+ 0xa6, 0x26, 0x37, 0xeb, 0x1d, 0x41, 0x7f, 0x76, -+ 0x11, 0x3f, 0x49, 0x4c, 0xf9, 0x69, 0x17, 0xc8, -+ 0x90, 0x92, 0x53, 0xb9, 0x3f, 0xcd, 0x06, 0xfe, -+ 0x5c, 0x17, 0x82, 0xbd, 0x86, 0xab, 0x49, 0xee, -+ 0x61, 0x76, 0x55, 0xc0, 0x10, 0x51, 0xcd, 0xd9, -+ 0x6f, 0x12, 0x86, 0xc6, 0x19, 0x59, 0x9a, 0x2f, -+ 0x27, 0x1d, 0x99, 0x30, 0x60, 0x0d, 0x65, 0xc6, -+ 0x43, 0xd6, 0xda, 0x6b, 0x66, 0x95, 0xd4, 0xca, -+ 0xf5, 0x04, 0xf7, 0x01, 0x5a, 0x55, 0xb0, 0x5e, -+ 0x72, 0x8a, 0x75, 0xe5, 0x33, 0x4c, 0xd8, 0xc4, -+ 0x0e, 0xf4, 0x6d, 0x23, 0xdd, 0x05, 0x90, 0xff, -+ 0xe0, 0x91, 0x7b, 0x62, 0x86, 0xee, 0x78, 0x31, -+ 0x07, 0xad, 0x8b, 0xf9, 0xdf, 0x6f, 0x8b, 0xbd, -+ 0x15, 0xde, 0x1b, 0xae, 0x84, 0x68, 0xe5, 0x41, -+ 0x7a, 0xe3, 0x47, 0x99, 0xba, 0x61, 0xe5, 0x51, -+ 0x64, 0x9a, 0xa0, 0x41, 0x44, 0xa1, 0x3a, 0x52, -+ 0x59, 0x7d, 0x6c, 0xcf, 0xcc, 0xf0, 0x11, 0xbc, -+ 0xb7, 0x51, 0xa9, 0xd8, 0xfd, 0xbf, 0x58, 0x77, -+ 0x28, 0x86, 0xa1, 0x27, 0x94, 0xe5, 0xf6, 0x1a, -+ 0x6b, 0x76, 
0xf7, 0x72, 0x6e, 0x17, 0x09, 0xd8, -+ 0x3c, 0x6f, 0x39, 0x91, 0xea, 0x48, 0x98, 0xdc, -+ 0x1d, 0x50, 0x2e, 0x02, 0x6e, 0x7f, 0x80, 0x5d, -+ 0x6e, 0x96, 0xe1, 0xcf, 0x8b, 0x6b, 0xb6, 0xed, -+ 0xb4, 0x6a, 0x08, 0xd2, 0x45, 0x09, 0x88, 0x86, -+ 0x32, 0x58, 0xd8, 0x5e, 0x33, 0x8c, 0x29, 0x1a, -+ 0x8f, 0xc5, 0x54, 0x9b, 0xa8, 0x32, 0xb2, 0xc1, -+ 0x72, 0x14, 0x6c, 0x5d, 0x9d, 0xd3, 0xf2, 0x6c, -+ 0x6e, 0xa4, 0x84, 0x52, 0x26, 0x73, 0x7a, 0x30, -+ 0x56, 0x75, 0xef, 0xd1, 0x9d, 0xcd, 0xb7, 0x87, -+ 0xa9, 0x5c, 0xaf, 0xe6, 0xda, 0x1d, 0x3c, 0x9c, -+ 0xa3, 0xb1, 0x03, 0xb0, 0x8e, 0xf6, 0xc8, 0x8f, -+ 0x57, 0x1c, 0xce, 0x05, 0x54, 0x99, 0xf1, 0xf9, -+ 0x35, 0xe6, 0xf7, 0x67, 0x94, 0xb2, 0x67, 0x5b, -+ 0xe7, 0xa0, 0xa2, 0x1e, 0xa2, 0x74, 0xd3, 0x99, -+ 0x9c, 0xd5, 0xd9, 0x90, 0x86, 0x24, 0x0e, 0x1a, -+ 0x0d, 0xc8, 0x9e, 0x68, 0x4c, 0x43, 0x2f, 0x42, -+ 0xb1, 0x7c, 0xce, 0x1e, 0xb6, 0xac, 0x56, 0xb0, -+ 0x8d, 0x93, 0xf1, 0x53, 0x7d, 0x0e, 0x00, 0x46, -+ 0xba, 0x2e, 0x14, 0x7a, 0x0b, 0xaa, 0xcb, 0x07, -+ 0x9b, 0x09, 0x05, 0xa0, 0xd3, 0xa1, 0x80, 0xc2, -+ 0xd3, 0x59, 0x92, 0x27, 0x66, 0x1f, 0xdd, 0x76, -+ 0x36, 0xb3, 0x3c, 0xeb, 0xd7, 0x61, 0x94, 0xb1, -+ 0xf8, 0x3a, 0xe0, 0xba, 0x91, 0x0f, 0xef, 0x72, -+ 0x2b, 0x26, 0xc6, 0xb8, 0x6d, 0x0b, 0xdb, 0x60, -+ 0xf8, 0xb4, 0x98, 0xd7, 0x8b, 0x8d, 0xfb, 0xa7, -+ 0x4e, 0x27, 0xeb, 0x00, 0xe8, 0xf7, 0x5a, 0xec, -+ 0xf5, 0x60, 0x28, 0x37, 0xb2, 0xc4, 0x13, 0x48, -+ 0x2a, 0xe1, 0x34, 0xb2, 0x53, 0xcb, 0x44, 0x34, -+ 0x08, 0x7e, 0x56, 0x5c, 0x2b, 0x9b, 0xe2, 0xca, -+ 0x90, 0xb0, 0x57, 0xee, 0x10, 0x88, 0x39, 0x84, -+ 0xc6, 0x66, 0x07, 0x50, 0x63, 0xcc, 0x2a, 0x7c, -+ 0x99, 0x8c, 0x05, 0xf9, 0xf0, 0xb8, 0x62, 0xf0, -+ 0x92, 0xf7, 0x2a, 0x4a, 0x17, 0x14, 0x78, 0xa1, -+ 0x71, 0xb6, 0x42, 0xf0, 0x87, 0xa8, 0xa4, 0x48, -+ 0xeb, 0xdb, 0xed, 0x8a, 0x15, 0x19, 0x1a, 0xd9, -+ 0xfe, 0x6f, 0x07, 0x93, 0x5d, 0x39, 0xe8, 0x0e, -+ 0x47, 0xe6, 0x7a, 0x7d, 0x52, 0x2e, 0x40, 0x6f, -+ 0x31, 0x1b, 0xf6, 0x0c, 0xc2, 0x83, 0xae, 0xc1, -+ 0xf0, 0xf5, 0x71, 
0xcd, 0xe2, 0xf5, 0x19, 0xb6, -+ 0xd8, 0xb0, 0x4d, 0xa9, 0x51, 0x1c, 0xb4, 0xaf, -+ 0x69, 0x9a, 0x89, 0xb6, 0x5b, 0x4d, 0xfa, 0x1b, -+ 0xca, 0xc8, 0x61, 0x92, 0x3a, 0xd6, 0x76, 0xad, -+ 0x5d, 0xa6, 0x17, 0x60, 0x3e, 0xea, 0x94, 0xcf, -+ 0x6d, 0x1b, 0x98, 0x5c, 0x19, 0x9e, 0x4e, 0xd3, -+ 0x21, 0x55, 0xda, 0xe3, -+}; -+ - static void torture_decode_rc4_passwd_buffer(void **state) - { - char *password_decoded = NULL; -@@ -187,6 +257,63 @@ static void torture_endode_decode_rc4_passwd_buffer(void **state) - talloc_free(password_decoded); - } - -+static void torture_decode_wkssvc_join_password_buffer(void **state) -+{ -+ DATA_BLOB session_key = data_blob_const("SystemLibraryDTC", 16); -+ struct wkssvc_PasswordBuffer pwd_buf = { -+ .data = {0}, -+ }; -+ char *password_decoded = NULL; -+ TALLOC_CTX *mem_ctx = NULL; -+ WERROR werr; -+ -+ mem_ctx = talloc_new(NULL); -+ assert_non_null(mem_ctx); -+ -+ memcpy(pwd_buf.data, -+ encrypted_wkssvc_test_blob, -+ sizeof(pwd_buf.data)); -+ -+ werr = decode_wkssvc_join_password_buffer(mem_ctx, -+ &pwd_buf, -+ &session_key, -+ &password_decoded); -+ assert_true(W_ERROR_IS_OK(werr)); -+ assert_non_null(password_decoded); -+ assert_string_equal(password_decoded, PASSWORD); -+ -+ TALLOC_FREE(mem_ctx); -+} -+ -+static void torture_wkssvc_join_password_buffer(void **state) -+{ -+ DATA_BLOB session_key = data_blob_const("SystemLibraryDTC", 16); -+ struct wkssvc_PasswordBuffer *pwd_buf = NULL; -+ char *password_decoded = NULL; -+ TALLOC_CTX *mem_ctx = NULL; -+ WERROR werr; -+ -+ mem_ctx = talloc_new(NULL); -+ assert_non_null(mem_ctx); -+ -+ werr = encode_wkssvc_join_password_buffer(mem_ctx, -+ PASSWORD, -+ &session_key, -+ &pwd_buf); -+ assert_true(W_ERROR_IS_OK(werr)); -+ assert_non_null(pwd_buf); -+ -+ werr = decode_wkssvc_join_password_buffer(mem_ctx, -+ pwd_buf, -+ &session_key, -+ &password_decoded); -+ assert_true(W_ERROR_IS_OK(werr)); -+ assert_non_null(password_decoded); -+ assert_string_equal(password_decoded, PASSWORD); -+ -+ 
TALLOC_FREE(mem_ctx); -+} -+ - int main(int argc, char *argv[]) - { - int rc; -@@ -194,6 +321,8 @@ int main(int argc, char *argv[]) - cmocka_unit_test(torture_decode_rc4_passwd_buffer), - cmocka_unit_test(torture_rc4_passwd_buffer), - cmocka_unit_test(torture_endode_decode_rc4_passwd_buffer), -+ cmocka_unit_test(torture_decode_wkssvc_join_password_buffer), -+ cmocka_unit_test(torture_wkssvc_join_password_buffer), - }; - - if (argc == 2) { --- -2.23.0 - diff --git a/SOURCES/0027-libcli-auth-Use-samba_gnutls_arcfour_confounded_md5-.patch b/SOURCES/0027-libcli-auth-Use-samba_gnutls_arcfour_confounded_md5-.patch deleted file mode 100644 index c9baa44..0000000 --- a/SOURCES/0027-libcli-auth-Use-samba_gnutls_arcfour_confounded_md5-.patch +++ /dev/null 
@@ -1,111 +0,0 @@ -From cbabf1224f61900eb96ea15841950c26b8b88cb5 Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Mon, 8 Jul 2019 18:03:00 +0200 -Subject: [PATCH 027/187] libcli:auth: Use - samba_gnutls_arcfour_confounded_md5() in encode_wkssvc_join_password_buffer() - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14031 - -Signed-off-by: Andreas Schneider -Reviewed-by: Andrew Bartlett -(cherry picked from commit 85e2a3c96ad9acc1a85db189f6418c9d880b4718) ---- - libcli/auth/smbencrypt.c | 69 ++++++++++++++-------------------------- - 1 file changed, 23 insertions(+), 46 deletions(-) - -diff --git a/libcli/auth/smbencrypt.c b/libcli/auth/smbencrypt.c -index 745f47999cd..823e16a3387 100644 ---- a/libcli/auth/smbencrypt.c -+++ b/libcli/auth/smbencrypt.c -@@ -968,65 +968,42 @@ bool extract_pw_from_buffer(TALLOC_CTX *mem_ctx, - WERROR encode_wkssvc_join_password_buffer(TALLOC_CTX *mem_ctx, - const char *pwd, - DATA_BLOB *session_key, -- struct wkssvc_PasswordBuffer **pwd_buf) -+ struct wkssvc_PasswordBuffer **out_pwd_buf) - { -- uint8_t buffer[516]; -- gnutls_hash_hd_t hash_hnd = NULL; -- struct wkssvc_PasswordBuffer *my_pwd_buf = NULL; -- DATA_BLOB confounded_session_key; -- int confounder_len = 8; -- uint8_t confounder[8]; -- WERROR werr; -+ struct wkssvc_PasswordBuffer *pwd_buf = NULL; -+ uint8_t _confounder[8] = {0}; -+ DATA_BLOB confounder = data_blob_const(_confounder, 8); -+ uint8_t pwbuf[516] = {0}; -+ DATA_BLOB encrypt_pwbuf = data_blob_const(pwbuf, 516); - int rc; - -- my_pwd_buf = talloc_zero(mem_ctx, struct wkssvc_PasswordBuffer); -- if (!my_pwd_buf) { -+ pwd_buf = talloc_zero(mem_ctx, struct wkssvc_PasswordBuffer); -+ if (pwd_buf == NULL) { - return WERR_NOT_ENOUGH_MEMORY; - } - -- confounded_session_key = data_blob_talloc(mem_ctx, NULL, 16); -- -- encode_pw_buffer(buffer, pwd, STR_UNICODE); -+ encode_pw_buffer(pwbuf, pwd, STR_UNICODE); - -- generate_random_buffer((uint8_t *)confounder, confounder_len); -- -- rc = gnutls_hash_init(&hash_hnd, 
GNUTLS_DIG_MD5); -- if (rc < 0) { -- werr = gnutls_error_to_werror(rc, WERR_INTERNAL_ERROR); -- -- goto out; -- } -- -- rc = gnutls_hash(hash_hnd, session_key->data, session_key->length); -- if (rc < 0) { -- gnutls_hash_deinit(hash_hnd, NULL); -- werr = gnutls_error_to_werror(rc, WERR_INTERNAL_ERROR); -+ generate_random_buffer(_confounder, sizeof(_confounder)); - -- goto out; -- } -- rc = gnutls_hash(hash_hnd, confounder, confounder_len); -+ rc = samba_gnutls_arcfour_confounded_md5(session_key, -+ &confounder, -+ &encrypt_pwbuf, -+ SAMBA_GNUTLS_ENCRYPT); - if (rc < 0) { -- gnutls_hash_deinit(hash_hnd, NULL); -- werr = gnutls_error_to_werror(rc, WERR_INTERNAL_ERROR); -- -- goto out; -+ ZERO_ARRAY(_confounder); -+ TALLOC_FREE(pwd_buf); -+ return gnutls_error_to_werror(rc, WERR_CONTENT_BLOCKED); - } -- gnutls_hash_deinit(hash_hnd, confounded_session_key.data); - -- arcfour_crypt_blob(buffer, 516, &confounded_session_key); -- -- memcpy(&my_pwd_buf->data[0], confounder, confounder_len); -- ZERO_ARRAY(confounder); -- memcpy(&my_pwd_buf->data[8], buffer, 516); -- ZERO_ARRAY(buffer); -- -- data_blob_clear_free(&confounded_session_key); -+ memcpy(&pwd_buf->data[0], confounder.data, confounder.length); -+ ZERO_ARRAY(_confounder); -+ memcpy(&pwd_buf->data[8], encrypt_pwbuf.data, encrypt_pwbuf.length); -+ ZERO_ARRAY(pwbuf); - -- *pwd_buf = my_pwd_buf; -+ *out_pwd_buf = pwd_buf; - -- werr = WERR_OK; --out: -- return werr; -+ return WERR_OK; - } - - WERROR decode_wkssvc_join_password_buffer(TALLOC_CTX *mem_ctx, --- -2.23.0 - diff --git a/SOURCES/0028-libcli-auth-Use-samba_gnutls_arcfour_confounded_md5-.patch b/SOURCES/0028-libcli-auth-Use-samba_gnutls_arcfour_confounded_md5-.patch deleted file mode 100644 index 1fdb6bd..0000000 --- a/SOURCES/0028-libcli-auth-Use-samba_gnutls_arcfour_confounded_md5-.patch +++ /dev/null 
@@ -1,117 +0,0 @@ -From 0d2898429e7eb2ca144885d5a1f9485cca620464 Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Mon, 8 Jul 2019 18:21:18 +0200 -Subject: [PATCH 028/187] libcli:auth: Use - samba_gnutls_arcfour_confounded_md5() in decode_wkssvc_join_password_buffer() - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14031 - -Signed-off-by: Andreas Schneider -Reviewed-by: Andrew Bartlett -(cherry picked from commit bcf7808d3aa8a5932a40955e4b764f55061e07d7) ---- - libcli/auth/smbencrypt.c | 71 ++++++++++++++-------------------------- - 1 file changed, 24 insertions(+), 47 deletions(-) - -diff --git a/libcli/auth/smbencrypt.c b/libcli/auth/smbencrypt.c -index 823e16a3387..cc5e1fbb899 100644 ---- a/libcli/auth/smbencrypt.c -+++ b/libcli/auth/smbencrypt.c -@@ -1011,70 +1011,47 @@ WERROR decode_wkssvc_join_password_buffer(TALLOC_CTX *mem_ctx, - DATA_BLOB *session_key, - char **pwd) - { -- gnutls_hash_hd_t hash_hnd = NULL; -- uint8_t buffer[516]; -- size_t pwd_len; -- WERROR result; -+ uint8_t _confounder[8]; -+ DATA_BLOB confounder = data_blob_const(_confounder, 8); -+ uint8_t pwbuf[516] = {0}; -+ DATA_BLOB decrypt_pwbuf = data_blob_const(pwbuf, 516); - bool ok; - int rc; - -- DATA_BLOB confounded_session_key; -- -- int confounder_len = 8; -- uint8_t confounder[8]; -- -- *pwd = NULL; -- -- if (!pwd_buf) { -+ if (pwd_buf == NULL) { - return WERR_INVALID_PASSWORD; - } - -+ *pwd = NULL; -+ - if (session_key->length != 16) { - DEBUG(10,("invalid session key\n")); - return WERR_INVALID_PASSWORD; - } - -- confounded_session_key = data_blob_talloc(mem_ctx, NULL, 16); -+ confounder = data_blob_const(&pwd_buf->data[0], 8); -+ memcpy(&pwbuf, &pwd_buf->data[8], 516); - -- memcpy(&confounder, &pwd_buf->data[0], confounder_len); -- memcpy(&buffer, &pwd_buf->data[8], 516); -- -- rc = gnutls_hash_init(&hash_hnd, GNUTLS_DIG_MD5); -- if (rc < 0) { -- result = gnutls_error_to_werror(rc, WERR_CONTENT_BLOCKED); -- goto out; -- } -- -- rc = gnutls_hash(hash_hnd, session_key->data, 
session_key->length); -- if (rc < 0) { -- gnutls_hash_deinit(hash_hnd, NULL); -- result = gnutls_error_to_werror(rc, WERR_CONTENT_BLOCKED); -- goto out; -- } -- rc = gnutls_hash(hash_hnd, confounder, confounder_len); -+ rc = samba_gnutls_arcfour_confounded_md5(session_key, -+ &confounder, -+ &decrypt_pwbuf, -+ SAMBA_GNUTLS_ENCRYPT); - if (rc < 0) { -- gnutls_hash_deinit(hash_hnd, NULL); -- result = gnutls_error_to_werror(rc, WERR_CONTENT_BLOCKED); -- goto out; -+ ZERO_ARRAY(_confounder); -+ TALLOC_FREE(pwd_buf); -+ return gnutls_error_to_werror(rc, WERR_CONTENT_BLOCKED); - } -- gnutls_hash_deinit(hash_hnd, confounded_session_key.data); - -- arcfour_crypt_blob(buffer, 516, &confounded_session_key); -- -- ok = decode_pw_buffer(mem_ctx, buffer, pwd, &pwd_len, CH_UTF16); -- -- ZERO_ARRAY(confounder); -- ZERO_ARRAY(buffer); -- -- data_blob_clear_free(&confounded_session_key); -+ ok = decode_pw_buffer(mem_ctx, -+ decrypt_pwbuf.data, -+ pwd, -+ &decrypt_pwbuf.length, -+ CH_UTF16); -+ ZERO_ARRAY(pwbuf); - - if (!ok) { -- result = WERR_INVALID_PASSWORD; -- goto out; -+ return WERR_INVALID_PASSWORD; - } - -- result = WERR_OK; --out: -- return result; -+ return WERR_OK; - } -- --- -2.23.0 - diff --git a/SOURCES/0029-auth-ntlmssp-Use-GnuTLS-RC4-in-ntlmssp-client.patch b/SOURCES/0029-auth-ntlmssp-Use-GnuTLS-RC4-in-ntlmssp-client.patch deleted file mode 100644 index 3eb4f73..0000000 --- a/SOURCES/0029-auth-ntlmssp-Use-GnuTLS-RC4-in-ntlmssp-client.patch +++ /dev/null 
@@ -1,66 +0,0 @@ -From ba125c495c950570017d84b1cb2a223679250961 Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Fri, 9 Nov 2018 12:29:55 +0100 -Subject: [PATCH 029/187] auth:ntlmssp: Use GnuTLS RC4 in ntlmssp client - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14031 - -Signed-off-by: Andreas Schneider -Reviewed-by: Andrew Bartlett -(cherry picked from commit cb4025a50232f24139f21d87e50b6e6ea69238ba) ---- - auth/ntlmssp/ntlmssp_client.c | 28 +++++++++++++++++++++++++++- - 1 file changed, 27 insertions(+), 1 deletion(-) - -diff --git a/auth/ntlmssp/ntlmssp_client.c b/auth/ntlmssp/ntlmssp_client.c -index df891f8d933..b8d1190466b 100644 ---- a/auth/ntlmssp/ntlmssp_client.c -+++ b/auth/ntlmssp/ntlmssp_client.c -@@ -690,17 +690,43 @@ NTSTATUS ntlmssp_client_challenge(struct gensec_security *gensec_security, - if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_KEY_EXCH) { - /* Make up a new session key */ - uint8_t client_session_key[16]; -+ gnutls_cipher_hd_t cipher_hnd; -+ gnutls_datum_t enc_session_key = { -+ .data = session_key.data, -+ .size = session_key.length, -+ }; -+ - generate_secret_buffer(client_session_key, sizeof(client_session_key)); - - /* Encrypt the new session key with the old one */ - encrypted_session_key = data_blob_talloc(ntlmssp_state, - client_session_key, sizeof(client_session_key)); - dump_data_pw("KEY_EXCH session key:\n", encrypted_session_key.data, encrypted_session_key.length); -- arcfour_crypt(encrypted_session_key.data, session_key.data, encrypted_session_key.length); -+ -+ rc = gnutls_cipher_init(&cipher_hnd, -+ GNUTLS_CIPHER_ARCFOUR_128, -+ &enc_session_key, -+ NULL); -+ if (rc < 0) { -+ nt_status = gnutls_error_to_ntstatus(rc, NT_STATUS_NTLM_BLOCKED); -+ ZERO_ARRAY(client_session_key); -+ goto done; -+ } -+ rc = gnutls_cipher_encrypt(cipher_hnd, -+ encrypted_session_key.data, -+ encrypted_session_key.length); -+ gnutls_cipher_deinit(cipher_hnd); -+ if (rc < 0) { -+ nt_status = gnutls_error_to_ntstatus(rc, 
NT_STATUS_NTLM_BLOCKED); -+ ZERO_ARRAY(client_session_key); -+ goto done; -+ } -+ - dump_data_pw("KEY_EXCH session key (enc):\n", encrypted_session_key.data, encrypted_session_key.length); - - /* Mark the new session key as the 'real' session key */ - session_key = data_blob_talloc(mem_ctx, client_session_key, sizeof(client_session_key)); -+ ZERO_ARRAY(client_session_key); - } - - /* this generates the actual auth packet */ --- -2.23.0 - diff --git a/SOURCES/0030-auth-ntlmssp-Use-GnuTLS-RC4-for-ntlmssp-signing.patch b/SOURCES/0030-auth-ntlmssp-Use-GnuTLS-RC4-for-ntlmssp-signing.patch deleted file mode 100644 index 34d448c..0000000 --- a/SOURCES/0030-auth-ntlmssp-Use-GnuTLS-RC4-for-ntlmssp-signing.patch +++ /dev/null 
@@ -1,411 +0,0 @@ -From 73f0d5f5a62edbcfeb8f79fffa422416b83edf3e Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Thu, 6 Dec 2018 18:11:14 +0100 -Subject: [PATCH 030/187] auth:ntlmssp: Use GnuTLS RC4 for ntlmssp signing - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14031 - -Signed-off-by: Andreas Schneider -Reviewed-by: Andrew Bartlett -(cherry picked from commit 7bd502dcdb44c7d0f8a56b2ba489ae8cf2b886bd) ---- - auth/ntlmssp/ntlmssp_private.h | 5 +- - auth/ntlmssp/ntlmssp_sign.c | 212 ++++++++++++++++++++++++++------- - 2 files changed, 174 insertions(+), 43 deletions(-) - -diff --git a/auth/ntlmssp/ntlmssp_private.h b/auth/ntlmssp/ntlmssp_private.h -index 95ec6374f51..4d84e3347b6 100644 ---- a/auth/ntlmssp/ntlmssp_private.h -+++ b/auth/ntlmssp/ntlmssp_private.h -@@ -20,14 +20,15 @@ - - /* For structures internal to the NTLMSSP implementation that should not be exposed */ - --#include "../lib/crypto/arcfour.h" -+#include -+#include - - struct auth_session_info; - - struct ntlmssp_crypt_direction { - uint32_t seq_num; - uint8_t sign_key[16]; -- struct arcfour_state seal_state; -+ gnutls_cipher_hd_t seal_state; - }; - - union ntlmssp_crypt_state { -diff --git a/auth/ntlmssp/ntlmssp_sign.c b/auth/ntlmssp/ntlmssp_sign.c -index 8ba2e246b34..89f1aa04f7a 100644 ---- a/auth/ntlmssp/ntlmssp_sign.c -+++ b/auth/ntlmssp/ntlmssp_sign.c -@@ -47,9 +47,9 @@ - */ - - static void dump_arc4_state(const char *description, -- struct arcfour_state *state) -+ gnutls_cipher_hd_t *state) - { -- dump_data_pw(description, state->sbox, sizeof(state->sbox)); -+ DBG_DEBUG("%s\n", description); - } - - static NTSTATUS calc_ntlmv2_key(uint8_t subkey[16], -@@ -90,13 +90,13 @@ static NTSTATUS ntlmssp_make_packet_signature(struct ntlmssp_state *ntlmssp_stat - enum ntlmssp_direction direction, - DATA_BLOB *sig, bool encrypt_sig) - { -- NTSTATUS status; -+ NTSTATUS status = NT_STATUS_UNSUCCESSFUL; -+ int rc; - - if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_NTLM2) { - gnutls_hmac_hd_t 
hmac_hnd = NULL; - uint8_t digest[16]; - uint8_t seq_num[4]; -- int rc; - - *sig = data_blob_talloc(sig_mem_ctx, NULL, NTLMSSP_SIG_SIZE); - if (!sig->data) { -@@ -158,14 +158,24 @@ static NTSTATUS ntlmssp_make_packet_signature(struct ntlmssp_state *ntlmssp_stat - if (encrypt_sig && (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_KEY_EXCH)) { - switch (direction) { - case NTLMSSP_SEND: -- arcfour_crypt_sbox(&ntlmssp_state->crypt->ntlm2.sending.seal_state, -- digest, 8); -+ rc = gnutls_cipher_encrypt(ntlmssp_state->crypt->ntlm2.sending.seal_state, -+ digest, -+ 8); - break; - case NTLMSSP_RECEIVE: -- arcfour_crypt_sbox(&ntlmssp_state->crypt->ntlm2.receiving.seal_state, -- digest, 8); -+ rc = gnutls_cipher_encrypt(ntlmssp_state->crypt->ntlm2.receiving.seal_state, -+ digest, -+ 8); - break; - } -+ if (rc < 0) { -+ DBG_ERR("gnutls_cipher_encrypt for NTLMv2 EXCH " -+ "%s packet signature failed: %s\n", -+ direction == NTLMSSP_SEND ? -+ "send" : "receive", -+ gnutls_strerror(rc)); -+ return gnutls_error_to_ntstatus(rc, NT_STATUS_NTLM_BLOCKED); -+ } - } - - SIVAL(sig->data, 0, NTLMSSP_SIGN_VERSION); -@@ -194,8 +204,15 @@ static NTSTATUS ntlmssp_make_packet_signature(struct ntlmssp_state *ntlmssp_stat - - dump_arc4_state("ntlmssp hash: \n", - &ntlmssp_state->crypt->ntlm.seal_state); -- arcfour_crypt_sbox(&ntlmssp_state->crypt->ntlm.seal_state, -- sig->data+4, sig->length-4); -+ rc = gnutls_cipher_encrypt(ntlmssp_state->crypt->ntlm.seal_state, -+ sig->data + 4, -+ sig->length - 4); -+ if (rc < 0) { -+ DBG_ERR("gnutls_cipher_encrypt for NTLM packet " -+ "signature failed: %s\n", -+ gnutls_strerror(rc)); -+ return gnutls_error_to_ntstatus(rc, NT_STATUS_NTLM_BLOCKED); -+ } - } - - return NT_STATUS_OK; -@@ -317,6 +334,8 @@ NTSTATUS ntlmssp_seal_packet(struct ntlmssp_state *ntlmssp_state, - const uint8_t *whole_pdu, size_t pdu_length, - DATA_BLOB *sig) - { -+ int rc; -+ - if (!(ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SEAL)) { - DEBUG(3, ("NTLMSSP Sealing not negotiated - 
cannot seal packet!\n")); - return NT_STATUS_INVALID_PARAMETER; -@@ -353,11 +372,25 @@ NTSTATUS ntlmssp_seal_packet(struct ntlmssp_state *ntlmssp_state, - return nt_status; - } - -- arcfour_crypt_sbox(&ntlmssp_state->crypt->ntlm2.sending.seal_state, -- data, length); -+ rc = gnutls_cipher_encrypt(ntlmssp_state->crypt->ntlm2.sending.seal_state, -+ data, -+ length); -+ if (rc < 0) { -+ DBG_ERR("gnutls_cipher_encrypt ntlmv2 sealing the data " -+ "failed: %s\n", -+ gnutls_strerror(rc)); -+ return gnutls_error_to_ntstatus(rc, NT_STATUS_NTLM_BLOCKED); -+ } - if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_KEY_EXCH) { -- arcfour_crypt_sbox(&ntlmssp_state->crypt->ntlm2.sending.seal_state, -- sig->data+4, 8); -+ rc = gnutls_cipher_encrypt(ntlmssp_state->crypt->ntlm2.sending.seal_state, -+ sig->data + 4, -+ 8); -+ if (rc < 0) { -+ DBG_ERR("gnutls_cipher_encrypt ntlmv2 sealing " -+ "the EXCH signature data failed: %s\n", -+ gnutls_strerror(rc)); -+ return gnutls_error_to_ntstatus(rc, NT_STATUS_NTLM_BLOCKED); -+ } - } - } else { - NTSTATUS status; -@@ -381,17 +414,30 @@ NTSTATUS ntlmssp_seal_packet(struct ntlmssp_state *ntlmssp_state, - * is not constant, but is is rather updated with - * each iteration - */ -- - dump_arc4_state("ntlmv1 arc4 state:\n", - &ntlmssp_state->crypt->ntlm.seal_state); -- arcfour_crypt_sbox(&ntlmssp_state->crypt->ntlm.seal_state, -- data, length); -+ rc = gnutls_cipher_encrypt(ntlmssp_state->crypt->ntlm.seal_state, -+ data, -+ length); -+ if (rc < 0) { -+ DBG_ERR("gnutls_cipher_encrypt ntlmv1 sealing data" -+ "failed: %s\n", -+ gnutls_strerror(rc)); -+ return gnutls_error_to_ntstatus(rc, NT_STATUS_NTLM_BLOCKED); -+ } - - dump_arc4_state("ntlmv1 arc4 state:\n", - &ntlmssp_state->crypt->ntlm.seal_state); - -- arcfour_crypt_sbox(&ntlmssp_state->crypt->ntlm.seal_state, -- sig->data+4, sig->length-4); -+ rc = gnutls_cipher_encrypt(ntlmssp_state->crypt->ntlm.seal_state, -+ sig->data + 4, -+ sig->length - 4); -+ if (rc < 0) { -+ 
DBG_ERR("gnutls_cipher_encrypt ntlmv1 sealing signing " -+ "data failed: %s\n", -+ gnutls_strerror(rc)); -+ return gnutls_error_to_ntstatus(rc, NT_STATUS_NTLM_BLOCKED); -+ } - - ntlmssp_state->crypt->ntlm.seq_num++; - } -@@ -412,6 +458,8 @@ NTSTATUS ntlmssp_unseal_packet(struct ntlmssp_state *ntlmssp_state, - const DATA_BLOB *sig) - { - NTSTATUS status; -+ int rc; -+ - if (!ntlmssp_state->session_key.length) { - DEBUG(3, ("NO session key, cannot unseal packet\n")); - return NT_STATUS_NO_USER_SESSION_KEY; -@@ -422,14 +470,29 @@ NTSTATUS ntlmssp_unseal_packet(struct ntlmssp_state *ntlmssp_state, - - if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_NTLM2) { - /* First unseal the data. */ -- arcfour_crypt_sbox(&ntlmssp_state->crypt->ntlm2.receiving.seal_state, -- data, length); -+ rc = gnutls_cipher_decrypt(ntlmssp_state->crypt->ntlm2.receiving.seal_state, -+ data, -+ length); -+ if (rc < 0) { -+ DBG_ERR("gnutls_cipher_decrypt ntlmv2 unsealing the " -+ "data failed: %s\n", -+ gnutls_strerror(rc)); -+ return gnutls_error_to_ntstatus(rc, NT_STATUS_NTLM_BLOCKED); -+ } - dump_data_pw("ntlmv2 clear data\n", data, length); - } else { -- arcfour_crypt_sbox(&ntlmssp_state->crypt->ntlm.seal_state, -- data, length); -+ rc = gnutls_cipher_decrypt(ntlmssp_state->crypt->ntlm.seal_state, -+ data, -+ length); -+ if (rc < 0) { -+ DBG_ERR("gnutls_cipher_decrypt ntlmv1 unsealing the " -+ "data failed: %s\n", -+ gnutls_strerror(rc)); -+ return gnutls_error_to_ntstatus(rc, NT_STATUS_NTLM_BLOCKED); -+ } - dump_data_pw("ntlmv1 clear data\n", data, length); - } -+ - status = ntlmssp_check_packet(ntlmssp_state, - data, length, - whole_pdu, pdu_length, -@@ -555,6 +618,8 @@ NTSTATUS ntlmssp_unwrap(struct ntlmssp_state *ntlmssp_state, - NTSTATUS ntlmssp_sign_reset(struct ntlmssp_state *ntlmssp_state, - bool reset_seqnums) - { -+ int rc; -+ - DEBUG(3, ("NTLMSSP Sign/Seal - Initialising with flags:\n")); - debug_ntlmssp_flags(ntlmssp_state->neg_flags); - -@@ -584,12 +649,16 @@ NTSTATUS 
ntlmssp_sign_reset(struct ntlmssp_state *ntlmssp_state, - const char *send_seal_const; - const char *recv_sign_const; - const char *recv_seal_const; -- uint8_t send_seal_key[16]; -- DATA_BLOB send_seal_blob = data_blob_const(send_seal_key, -- sizeof(send_seal_key)); -- uint8_t recv_seal_key[16]; -- DATA_BLOB recv_seal_blob = data_blob_const(recv_seal_key, -- sizeof(recv_seal_key)); -+ uint8_t send_seal_key[16] = {0}; -+ gnutls_datum_t send_seal_blob = { -+ .data = send_seal_key, -+ .size = sizeof(send_seal_key), -+ }; -+ uint8_t recv_seal_key[16] = {0}; -+ gnutls_datum_t recv_seal_blob = { -+ .data = recv_seal_key, -+ .size = sizeof(recv_seal_key), -+ }; - NTSTATUS status; - - switch (ntlmssp_state->role) { -@@ -648,10 +717,22 @@ NTSTATUS ntlmssp_sign_reset(struct ntlmssp_state *ntlmssp_state, - if (!NT_STATUS_IS_OK(status)) { - return status; - } -- dump_data_pw("NTLMSSP send seal key:\n", send_seal_key, 16); -+ dump_data_pw("NTLMSSP send seal key:\n", -+ send_seal_key, -+ sizeof(send_seal_key)); - -- arcfour_init(&ntlmssp_state->crypt->ntlm2.sending.seal_state, -- &send_seal_blob); -+ if (ntlmssp_state->crypt->ntlm2.sending.seal_state != NULL) { -+ gnutls_cipher_deinit(ntlmssp_state->crypt->ntlm2.sending.seal_state); -+ } -+ rc = gnutls_cipher_init(&ntlmssp_state->crypt->ntlm2.sending.seal_state, -+ GNUTLS_CIPHER_ARCFOUR_128, -+ &send_seal_blob, -+ NULL); -+ if (rc < 0) { -+ DBG_ERR("gnutls_cipher_init failed: %s\n", -+ gnutls_strerror(rc)); -+ return gnutls_error_to_ntstatus(rc, NT_STATUS_NTLM_BLOCKED); -+ } - - dump_arc4_state("NTLMSSP send seal arc4 state:\n", - &ntlmssp_state->crypt->ntlm2.sending.seal_state); -@@ -677,10 +758,22 @@ NTSTATUS ntlmssp_sign_reset(struct ntlmssp_state *ntlmssp_state, - if (!NT_STATUS_IS_OK(status)) { - return status; - } -- dump_data_pw("NTLMSSP recv seal key:\n", recv_seal_key, 16); -+ dump_data_pw("NTLMSSP recv seal key:\n", -+ recv_seal_key, -+ sizeof(recv_seal_key)); - -- 
arcfour_init(&ntlmssp_state->crypt->ntlm2.receiving.seal_state, -- &recv_seal_blob); -+ if (ntlmssp_state->crypt->ntlm2.receiving.seal_state != NULL) { -+ gnutls_cipher_deinit(ntlmssp_state->crypt->ntlm2.receiving.seal_state); -+ } -+ rc = gnutls_cipher_init(&ntlmssp_state->crypt->ntlm2.receiving.seal_state, -+ GNUTLS_CIPHER_ARCFOUR_128, -+ &recv_seal_blob, -+ NULL); -+ if (rc < 0) { -+ DBG_ERR("gnutls_cipher_init failed: %s\n", -+ gnutls_strerror(rc)); -+ return gnutls_error_to_ntstatus(rc, NT_STATUS_NTLM_BLOCKED); -+ } - - dump_arc4_state("NTLMSSP recv seal arc4 state:\n", - &ntlmssp_state->crypt->ntlm2.receiving.seal_state); -@@ -690,8 +783,10 @@ NTSTATUS ntlmssp_sign_reset(struct ntlmssp_state *ntlmssp_state, - ntlmssp_state->crypt->ntlm2.receiving.seq_num = 0; - } - } else { -- uint8_t weak_session_key[8]; -- DATA_BLOB seal_session_key = ntlmssp_state->session_key; -+ gnutls_datum_t seal_session_key = { -+ .data = ntlmssp_state->session_key.data, -+ .size = ntlmssp_state->session_key.length, -+ }; - bool do_weak = false; - - DEBUG(5, ("NTLMSSP Sign/Seal - using NTLM1\n")); -@@ -709,14 +804,19 @@ NTSTATUS ntlmssp_sign_reset(struct ntlmssp_state *ntlmssp_state, - * Nothing to weaken. - * We certainly don't want to 'extend' the length... - */ -- if (seal_session_key.length < 16) { -+ if (ntlmssp_state->session_key.length < 16) { - /* TODO: is this really correct? 
*/ - do_weak = false; - } - - if (do_weak) { -+ uint8_t weak_session_key[8]; -+ - memcpy(weak_session_key, seal_session_key.data, 8); -- seal_session_key = data_blob_const(weak_session_key, 8); -+ seal_session_key = (gnutls_datum_t) { -+ .data = weak_session_key, -+ .size = sizeof(weak_session_key), -+ }; - - /* - * LM key doesn't support 128 bit crypto, so this is -@@ -732,8 +832,18 @@ NTSTATUS ntlmssp_sign_reset(struct ntlmssp_state *ntlmssp_state, - } - } - -- arcfour_init(&ntlmssp_state->crypt->ntlm.seal_state, -- &seal_session_key); -+ if (ntlmssp_state->crypt->ntlm.seal_state != NULL) { -+ gnutls_cipher_deinit(ntlmssp_state->crypt->ntlm.seal_state); -+ } -+ rc = gnutls_cipher_init(&ntlmssp_state->crypt->ntlm.seal_state, -+ GNUTLS_CIPHER_ARCFOUR_128, -+ &seal_session_key, -+ NULL); -+ if (rc < 0) { -+ DBG_ERR("gnutls_cipher_init failed: %s\n", -+ gnutls_strerror(rc)); -+ return gnutls_error_to_ntstatus(rc, NT_STATUS_NTLM_BLOCKED); -+ } - - dump_arc4_state("NTLMv1 arc4 state:\n", - &ntlmssp_state->crypt->ntlm.seal_state); -@@ -746,6 +856,24 @@ NTSTATUS ntlmssp_sign_reset(struct ntlmssp_state *ntlmssp_state, - return NT_STATUS_OK; - } - -+static int ntlmssp_crypt_free_gnutls_cipher_state(union ntlmssp_crypt_state *c) -+{ -+ if (c->ntlm2.sending.seal_state != NULL) { -+ gnutls_cipher_deinit(c->ntlm2.sending.seal_state); -+ c->ntlm2.sending.seal_state = NULL; -+ } -+ if (c->ntlm2.receiving.seal_state != NULL) { -+ gnutls_cipher_deinit(c->ntlm2.receiving.seal_state); -+ c->ntlm2.receiving.seal_state = NULL; -+ } -+ if (c->ntlm.seal_state != NULL) { -+ gnutls_cipher_deinit(c->ntlm.seal_state); -+ c->ntlm.seal_state = NULL; -+ } -+ -+ return 0; -+} -+ - NTSTATUS ntlmssp_sign_init(struct ntlmssp_state *ntlmssp_state) - { - if (ntlmssp_state->session_key.length < 8) { -@@ -758,6 +886,8 @@ NTSTATUS ntlmssp_sign_init(struct ntlmssp_state *ntlmssp_state) - if (ntlmssp_state->crypt == NULL) { - return NT_STATUS_NO_MEMORY; - } -+ talloc_set_destructor(ntlmssp_state->crypt, 
-+ ntlmssp_crypt_free_gnutls_cipher_state);
-
- return ntlmssp_sign_reset(ntlmssp_state, true);
- }
---
-2.23.0
-
diff --git a/SOURCES/0031-s3-libsmb-Use-GnuTLS-RC4-in-clirap.patch b/SOURCES/0031-s3-libsmb-Use-GnuTLS-RC4-in-clirap.patch
deleted file mode 100644
index 44e1ed0..0000000
--- a/SOURCES/0031-s3-libsmb-Use-GnuTLS-RC4-in-clirap.patch
+++ /dev/null
@@ -1,76 +0,0 @@ -From c7e79b33a10a8e393df78fd7adf60a5a3dbebcc6 Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Tue, 15 Jan 2019 18:14:17 +0100 -Subject: [PATCH 031/187] s3:libsmb: Use GnuTLS RC4 in clirap - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14031 - -Signed-off-by: Andreas Schneider -Reviewed-by: Andrew Bartlett -(cherry picked from commit 0947d8388def40b01b322d0deee4dba386983410) ---- - source3/libsmb/clirap.c | 27 +++++++++++++++++++++++++-- - 1 file changed, 25 insertions(+), 2 deletions(-) - -diff --git a/source3/libsmb/clirap.c b/source3/libsmb/clirap.c -index b4b40ebdab4..c0b9dcdff39 100644 ---- a/source3/libsmb/clirap.c -+++ b/source3/libsmb/clirap.c -@@ -22,7 +22,6 @@ - #include "includes.h" - #include "../libcli/auth/libcli_auth.h" - #include "../librpc/gen_ndr/rap.h" --#include "../lib/crypto/arcfour.h" - #include "../lib/util/tevent_ntstatus.h" - #include "async_smb.h" - #include "libsmb/libsmb.h" -@@ -31,6 +30,9 @@ - #include "../libcli/smb/smbXcli_base.h" - #include "cli_smb2_fnum.h" - -+#include -+#include -+ - #define PIPE_LANMAN "\\PIPE\\LANMAN" - - /**************************************************************************** -@@ -508,6 +510,12 @@ bool cli_oem_change_password(struct cli_state *cli, const char *user, const char - char *rparam = NULL; - char *rdata = NULL; - unsigned int rprcnt, rdrcnt; -+ gnutls_cipher_hd_t cipher_hnd = NULL; -+ gnutls_datum_t old_pw_key = { -+ .data = old_pw_hash, -+ .size = sizeof(old_pw_hash), -+ }; -+ int rc; - - if (strlen(user) >= sizeof(fstring)-1) { - DEBUG(0,("cli_oem_change_password: user name %s is too long.\n", user)); -@@ -539,7 +547,22 @@ bool cli_oem_change_password(struct cli_state *cli, const char *user, const char - DEBUG(100,("make_oem_passwd_hash\n")); - dump_data(100, data, 516); - #endif -- arcfour_crypt( (unsigned char *)data, (unsigned char *)old_pw_hash, 516); -+ rc = gnutls_cipher_init(&cipher_hnd, -+ GNUTLS_CIPHER_ARCFOUR_128, -+ &old_pw_key, -+ NULL); -+ if (rc < 0) 
 {
-+ DBG_ERR("gnutls_cipher_init failed: %s\n",
-+ gnutls_strerror(rc));
-+ return false;
-+ }
-+ rc = gnutls_cipher_encrypt(cipher_hnd,
-+ data,
-+ 516);
-+ gnutls_cipher_deinit(cipher_hnd);
-+ if (rc < 0) {
-+ return false;
-+ }
-
- /*
- * Now place the old password hash in the data.
---
-2.23.0
-
diff --git a/SOURCES/0032-s3-rpc_client-Use-init_samr_CryptPassword-in-cli_sam.patch b/SOURCES/0032-s3-rpc_client-Use-init_samr_CryptPassword-in-cli_sam.patch
deleted file mode 100644
index cfd6340..0000000
--- a/SOURCES/0032-s3-rpc_client-Use-init_samr_CryptPassword-in-cli_sam.patch
+++ /dev/null
@@ -1,160 +0,0 @@ -From 36dfd6496dc9b954b2243bbb5293af8ce332cf4f Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Wed, 16 Jan 2019 12:41:32 +0100 -Subject: [PATCH 032/187] s3:rpc_client: Use init_samr_CryptPassword in - cli_samr rpc_client - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14031 - -Signed-off-by: Andreas Schneider -Reviewed-by: Andrew Bartlett -(cherry picked from commit a95647e12ac75ffda42d95b41144596a078aebd6) ---- - source3/rpc_client/cli_samr.c | 59 ++++++++++++++++++++++++++++------- - source3/wscript_build | 2 +- - 2 files changed, 48 insertions(+), 13 deletions(-) - -diff --git a/source3/rpc_client/cli_samr.c b/source3/rpc_client/cli_samr.c -index 7764e1a8540..452e9593f6a 100644 ---- a/source3/rpc_client/cli_samr.c -+++ b/source3/rpc_client/cli_samr.c -@@ -26,8 +26,8 @@ - #include "../libcli/auth/libcli_auth.h" - #include "../librpc/gen_ndr/ndr_samr_c.h" - #include "rpc_client/cli_samr.h" --#include "../lib/crypto/arcfour.h" - #include "rpc_client/init_lsa.h" -+#include "rpc_client/init_samr.h" - - /* User change password */ - -@@ -128,6 +128,8 @@ NTSTATUS dcerpc_samr_chgpasswd_user2(struct dcerpc_binding_handle *h, - uint8_t new_lanman_hash[16]; - struct lsa_String server, account; - -+ DATA_BLOB session_key = data_blob_const(old_nt_hash, 16); -+ - DEBUG(10,("rpccli_samr_chgpasswd_user2\n")); - - init_lsa_String(&server, srv_name_slash); -@@ -144,19 +146,25 @@ NTSTATUS dcerpc_samr_chgpasswd_user2(struct dcerpc_binding_handle *h, - DOS chars). 
This allows us to match Win2k, which - does not store a LM hash for these passwords (which - would reduce the effective password length to 14) */ -+ status = init_samr_CryptPassword(newpassword, -+ &session_key, -+ &new_lm_password); -+ if (!NT_STATUS_IS_OK(status)) { -+ return status; -+ } - -- encode_pw_buffer(new_lm_password.data, newpassword, STR_UNICODE); -- -- arcfour_crypt(new_lm_password.data, old_nt_hash, 516); - E_old_pw_hash(new_nt_hash, old_lanman_hash, old_lanman_hash_enc.hash); - } else { - ZERO_STRUCT(new_lm_password); - ZERO_STRUCT(old_lanman_hash_enc); - } - -- encode_pw_buffer(new_nt_password.data, newpassword, STR_UNICODE); -- -- arcfour_crypt(new_nt_password.data, old_nt_hash, 516); -+ status = init_samr_CryptPassword(newpassword, -+ &session_key, -+ &new_nt_password); -+ if (!NT_STATUS_IS_OK(status)) { -+ return status; -+ } - E_old_pw_hash(new_nt_hash, old_nt_hash, old_nt_hash_enc.hash); - - status = dcerpc_samr_ChangePasswordUser2(h, -@@ -170,6 +178,15 @@ NTSTATUS dcerpc_samr_chgpasswd_user2(struct dcerpc_binding_handle *h, - &old_lanman_hash_enc, - presult); - -+ ZERO_STRUCT(new_nt_password); -+ ZERO_STRUCT(new_lm_password); -+ ZERO_STRUCT(old_nt_hash_enc); -+ ZERO_STRUCT(old_lanman_hash_enc); -+ ZERO_ARRAY(new_nt_hash); -+ ZERO_ARRAY(new_lanman_hash); -+ ZERO_ARRAY(old_nt_hash); -+ ZERO_ARRAY(old_lanman_hash); -+ - return status; - } - -@@ -308,6 +325,8 @@ NTSTATUS dcerpc_samr_chgpasswd_user3(struct dcerpc_binding_handle *h, - - struct lsa_String server, account; - -+ DATA_BLOB session_key = data_blob_const(old_nt_hash, 16); -+ - DEBUG(10,("rpccli_samr_chgpasswd_user3\n")); - - init_lsa_String(&server, srv_name_slash); -@@ -324,19 +343,26 @@ NTSTATUS dcerpc_samr_chgpasswd_user3(struct dcerpc_binding_handle *h, - DOS chars). 
This allows us to match Win2k, which - does not store a LM hash for these passwords (which - would reduce the effective password length to 14) */ -+ status = init_samr_CryptPassword(newpassword, -+ &session_key, -+ &new_lm_password); -+ if (!NT_STATUS_IS_OK(status)) { -+ return status; -+ } - -- encode_pw_buffer(new_lm_password.data, newpassword, STR_UNICODE); -- -- arcfour_crypt(new_lm_password.data, old_nt_hash, 516); - E_old_pw_hash(new_nt_hash, old_lanman_hash, old_lanman_hash_enc.hash); - } else { - ZERO_STRUCT(new_lm_password); - ZERO_STRUCT(old_lanman_hash_enc); - } - -- encode_pw_buffer(new_nt_password.data, newpassword, STR_UNICODE); -+ status = init_samr_CryptPassword(newpassword, -+ &session_key, -+ &new_nt_password); -+ if (!NT_STATUS_IS_OK(status)) { -+ return status; -+ } - -- arcfour_crypt(new_nt_password.data, old_nt_hash, 516); - E_old_pw_hash(new_nt_hash, old_nt_hash, old_nt_hash_enc.hash); - - status = dcerpc_samr_ChangePasswordUser3(h, -@@ -353,6 +379,15 @@ NTSTATUS dcerpc_samr_chgpasswd_user3(struct dcerpc_binding_handle *h, - reject, - presult); - -+ ZERO_STRUCT(new_nt_password); -+ ZERO_STRUCT(new_lm_password); -+ ZERO_STRUCT(old_nt_hash_enc); -+ ZERO_STRUCT(old_lanman_hash_enc); -+ ZERO_ARRAY(new_nt_hash); -+ ZERO_ARRAY(new_lanman_hash); -+ ZERO_ARRAY(old_nt_hash); -+ ZERO_ARRAY(old_lanman_hash); -+ - return status; - } - -diff --git a/source3/wscript_build b/source3/wscript_build -index aa3c7175202..b73f6dc0664 100644 ---- a/source3/wscript_build -+++ b/source3/wscript_build -@@ -1009,7 +1009,7 @@ bld.SAMBA3_SUBSYSTEM('errors3', - - bld.SAMBA3_SUBSYSTEM('LIBCLI_SAMR', - source='rpc_client/cli_samr.c', -- deps='RPC_NDR_SAMR') -+ deps='RPC_NDR_SAMR INIT_SAMR') - - bld.SAMBA3_LIBRARY('libcli_lsa3', - source='rpc_client/cli_lsarpc.c', --- -2.23.0 - 
diff --git a/SOURCES/0033-s3-rpc_server-Use-GnuTLS-RC4-in-samr-password-check.patch b/SOURCES/0033-s3-rpc_server-Use-GnuTLS-RC4-in-samr-password-check.patch
deleted file mode 100644
index 143e695..0000000
--- a/SOURCES/0033-s3-rpc_server-Use-GnuTLS-RC4-in-samr-password-check.patch
+++ /dev/null
@@ -1,77 +0,0 @@ -From 07925f22341c508792b3ce8feeae2abc939a61f2 Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Wed, 16 Jan 2019 17:40:13 +0100 -Subject: [PATCH 033/187] s3:rpc_server: Use GnuTLS RC4 in samr password check - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14031 - -Signed-off-by: Andreas Schneider -Reviewed-by: Andrew Bartlett -(cherry picked from commit d31f6a6803c86b8de0a97927731091f5a7bee4f1) ---- - source3/rpc_server/samr/srv_samr_chgpasswd.c | 30 ++++++++++++++++++-- - 1 file changed, 28 insertions(+), 2 deletions(-) - -diff --git a/source3/rpc_server/samr/srv_samr_chgpasswd.c b/source3/rpc_server/samr/srv_samr_chgpasswd.c -index 3749edbb044..fc509494ebc 100644 ---- a/source3/rpc_server/samr/srv_samr_chgpasswd.c -+++ b/source3/rpc_server/samr/srv_samr_chgpasswd.c -@@ -50,12 +50,15 @@ - #include "system/passwd.h" - #include "system/filesys.h" - #include "../libcli/auth/libcli_auth.h" --#include "../lib/crypto/arcfour.h" - #include "rpc_server/samr/srv_samr_util.h" - #include "passdb.h" - #include "auth.h" - #include "lib/util/sys_rw.h" - -+#include "lib/crypto/gnutls_helpers.h" -+#include -+#include -+ - #ifndef ALLOW_CHANGE_PASSWORD - #if (defined(HAVE_TERMIOS_H) && defined(HAVE_DUP2) && defined(HAVE_SETSID)) - #define ALLOW_CHANGE_PASSWORD 1 -@@ -685,6 +688,10 @@ static NTSTATUS check_oem_password(const char *user, - bool lm_pass_set = (password_encrypted_with_lm_hash && old_lm_hash_encrypted); - enum ntlm_auth_level ntlm_auth_level = lp_ntlm_auth(); - -+ gnutls_cipher_hd_t cipher_hnd = NULL; -+ gnutls_datum_t enc_key; -+ int rc; -+ - /* this call should be disabled without NTLM auth */ - if (ntlm_auth_level == NTLM_AUTH_DISABLED) { - DBG_WARNING("NTLM password changes not" -@@ -752,7 +759,26 @@ static NTSTATUS check_oem_password(const char *user, - /* - * Decrypt the password with the key - */ -- arcfour_crypt( password_encrypted, encryption_key, 516); -+ enc_key = (gnutls_datum_t) { -+ .data = discard_const_p(unsigned char, 
encryption_key), -+ .size = 16, -+ }; -+ -+ rc = gnutls_cipher_init(&cipher_hnd, -+ GNUTLS_CIPHER_ARCFOUR_128, -+ &enc_key, -+ NULL); -+ if (rc < 0) { -+ return gnutls_error_to_ntstatus(rc, NT_STATUS_CRYPTO_SYSTEM_INVALID); -+ } -+ -+ rc = gnutls_cipher_decrypt(cipher_hnd, -+ password_encrypted, -+ 516); -+ gnutls_cipher_deinit(cipher_hnd); -+ if (rc < 0) { -+ return gnutls_error_to_ntstatus(rc, NT_STATUS_CRYPTO_SYSTEM_INVALID); -+ } - - if (!decode_pw_buffer(talloc_tos(), - password_encrypted, --- -2.23.0 - diff --git a/SOURCES/0034-s3-rpc_server-Use-GnuTLS-RC4-to-decrypt-samr-passwor.patch b/SOURCES/0034-s3-rpc_server-Use-GnuTLS-RC4-to-decrypt-samr-passwor.patch deleted file mode 100644 index 99c6513..0000000 --- a/SOURCES/0034-s3-rpc_server-Use-GnuTLS-RC4-to-decrypt-samr-passwor.patch +++ /dev/null 
@@ -1,119 +0,0 @@ -From 6eb8a45387ae6400d4b48d838ec89510afe2b37a Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Wed, 15 May 2019 14:04:31 +0200 -Subject: [PATCH 034/187] s3:rpc_server: Use GnuTLS RC4 to decrypt samr - password buffers - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14031 - -Signed-off-by: Andreas Schneider -Reviewed-by: Andrew Bartlett -(cherry picked from commit cd0b5e5d9377bc79b4468081f3999ad39be3cb8f) ---- - source3/rpc_server/samr/srv_samr_nt.c | 58 ++++++++++++++++++++++++--- - 1 file changed, 52 insertions(+), 6 deletions(-) - -diff --git a/source3/rpc_server/samr/srv_samr_nt.c b/source3/rpc_server/samr/srv_samr_nt.c -index fd5c453e0eb..ad1d1853bda 100644 ---- a/source3/rpc_server/samr/srv_samr_nt.c -+++ b/source3/rpc_server/samr/srv_samr_nt.c -@@ -37,7 +37,6 @@ - #include "ntdomain.h" - #include "../librpc/gen_ndr/srv_samr.h" - #include "rpc_server/samr/srv_samr_util.h" --#include "../lib/crypto/arcfour.h" - #include "secrets.h" - #include "rpc_client/init_lsa.h" - #include "../libcli/security/security.h" -@@ -47,6 +46,10 @@ - #include "../lib/tsocket/tsocket.h" - #include "lib/util/base64.h" - -+#include "lib/crypto/gnutls_helpers.h" -+#include -+#include -+ - #undef DBGC_CLASS - #define DBGC_CLASS DBGC_RPC_SRV - -@@ -4946,6 +4949,41 @@ static uint32_t samr_set_user_info_map_fields_to_access_mask(uint32_t fields) - return acc_required; - } - -+static NTSTATUS arc4_decrypt_data(DATA_BLOB session_key, -+ uint8_t *data, -+ size_t data_size) -+{ -+ gnutls_cipher_hd_t cipher_hnd = NULL; -+ gnutls_datum_t my_session_key = { -+ .data = session_key.data, -+ .size = session_key.length, -+ }; -+ NTSTATUS status = NT_STATUS_INTERNAL_ERROR; -+ int rc; -+ -+ rc = gnutls_cipher_init(&cipher_hnd, -+ GNUTLS_CIPHER_ARCFOUR_128, -+ &my_session_key, -+ NULL); -+ if (rc < 0) { -+ status = gnutls_error_to_ntstatus(rc, NT_STATUS_CRYPTO_SYSTEM_INVALID); -+ goto out; -+ } -+ -+ rc = gnutls_cipher_decrypt(cipher_hnd, -+ data, -+ data_size); -+ 
gnutls_cipher_deinit(cipher_hnd); -+ if (rc < 0) { -+ status = gnutls_error_to_ntstatus(rc, NT_STATUS_CRYPTO_SYSTEM_INVALID); -+ goto out; -+ } -+ -+ status = NT_STATUS_OK; -+out: -+ return status; -+} -+ - /******************************************************************* - samr_SetUserInfo - ********************************************************************/ -@@ -5153,8 +5191,12 @@ NTSTATUS _samr_SetUserInfo(struct pipes_struct *p, - if(!NT_STATUS_IS_OK(status)) { - break; - } -- arcfour_crypt_blob(info->info23.password.data, 516, -- &session_key); -+ status = arc4_decrypt_data(session_key, -+ info->info23.password.data, -+ 516); -+ if(!NT_STATUS_IS_OK(status)) { -+ break; -+ } - - dump_data(100, info->info23.password.data, 516); - -@@ -5165,13 +5207,17 @@ NTSTATUS _samr_SetUserInfo(struct pipes_struct *p, - break; - - case 24: -+ - status = session_extract_session_key(p->session_info, &session_key, KEY_USE_16BYTES); - if(!NT_STATUS_IS_OK(status)) { - break; - } -- arcfour_crypt_blob(info->info24.password.data, -- 516, -- &session_key); -+ status = arc4_decrypt_data(session_key, -+ info->info24.password.data, -+ 516); -+ if(!NT_STATUS_IS_OK(status)) { -+ break; -+ } - - dump_data(100, info->info24.password.data, 516); - --- -2.23.0 - diff --git a/SOURCES/0035-s3-utils-Use-GnuTLS-RC4-in-ntlm_auth.patch b/SOURCES/0035-s3-utils-Use-GnuTLS-RC4-in-ntlm_auth.patch deleted file mode 100644 index 33cd2ba..0000000 --- a/SOURCES/0035-s3-utils-Use-GnuTLS-RC4-in-ntlm_auth.patch +++ /dev/null 
@@ -1,110 +0,0 @@ -From ef374b9b3b98b498545d40f0aa2e537bdf81ae59 Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Thu, 17 Jan 2019 12:40:21 +0100 -Subject: [PATCH 035/187] s3:utils: Use GnuTLS RC4 in ntlm_auth - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14031 - -Signed-off-by: Andreas Schneider -Reviewed-by: Andrew Bartlett -(cherry picked from commit 359ae5be0d21e7ab235035aab65710c9459e9593) ---- - source3/utils/ntlm_auth.c | 45 ++++++++++++++++++++++++++++++++++++--- - 1 file changed, 42 insertions(+), 3 deletions(-) - -diff --git a/source3/utils/ntlm_auth.c b/source3/utils/ntlm_auth.c -index 87f6554ae4f..8a6218ac9ec 100644 ---- a/source3/utils/ntlm_auth.c -+++ b/source3/utils/ntlm_auth.c -@@ -37,7 +37,6 @@ - #include "librpc/crypto/gse.h" - #include "smb_krb5.h" - #include "lib/util/tiniparser.h" --#include "../lib/crypto/arcfour.h" - #include "nsswitch/winbind_client.h" - #include "librpc/gen_ndr/krb5pac.h" - #include "../lib/util/asn1.h" -@@ -49,6 +48,9 @@ - #include "lib/util/base64.h" - #include "cmdline_contexts.h" - -+#include -+#include -+ - #ifdef HAVE_KRB5 - #include "auth/kerberos/pac_utils.h" - #endif -@@ -1937,6 +1939,13 @@ static void manage_ntlm_change_password_1_request(enum stdio_helper_mode stdio_h - uchar new_nt_hash[16]; - uchar new_lm_hash[16]; - -+ gnutls_cipher_hd_t cipher_hnd = NULL; -+ gnutls_datum_t old_nt_key = { -+ .data = old_nt_hash, -+ .size = sizeof(old_nt_hash), -+ }; -+ int rc; -+ - new_nt_pswd = data_blob(NULL, 516); - old_nt_hash_enc = data_blob(NULL, 16); - -@@ -1956,6 +1965,19 @@ static void manage_ntlm_change_password_1_request(enum stdio_helper_mode stdio_h - Likewise, obey the admin's restriction - */ - -+ rc = gnutls_cipher_init(&cipher_hnd, -+ GNUTLS_CIPHER_ARCFOUR_128, -+ &old_nt_key, -+ NULL); -+ if (rc < 0) { -+ DBG_ERR("gnutls_cipher_init failed: %s\n", -+ gnutls_strerror(rc)); -+ if (rc == GNUTLS_E_UNWANTED_ALGORITHM) { -+ DBG_ERR("Running in FIPS mode, NTLM blocked\n"); -+ } -+ return; -+ } -+ - if 
(lp_client_lanman_auth() && - E_deshash(newpswd, new_lm_hash) && - E_deshash(oldpswd, old_lm_hash)) { -@@ -1964,7 +1986,13 @@ static void manage_ntlm_change_password_1_request(enum stdio_helper_mode stdio_h - encode_pw_buffer(new_lm_pswd.data, newpswd, - STR_UNICODE); - -- arcfour_crypt(new_lm_pswd.data, old_nt_hash, 516); -+ rc = gnutls_cipher_encrypt(cipher_hnd, -+ new_lm_pswd.data, -+ 516); -+ if (rc < 0) { -+ gnutls_cipher_deinit(cipher_hnd); -+ return; -+ } - E_old_pw_hash(new_nt_hash, old_lm_hash, - old_lm_hash_enc.data); - } else { -@@ -1977,9 +2005,20 @@ static void manage_ntlm_change_password_1_request(enum stdio_helper_mode stdio_h - encode_pw_buffer(new_nt_pswd.data, newpswd, - STR_UNICODE); - -- arcfour_crypt(new_nt_pswd.data, old_nt_hash, 516); -+ rc = gnutls_cipher_encrypt(cipher_hnd, -+ new_nt_pswd.data, -+ 516); -+ gnutls_cipher_deinit(cipher_hnd); -+ if (rc < 0) { -+ return; -+ } - E_old_pw_hash(new_nt_hash, old_nt_hash, - old_nt_hash_enc.data); -+ -+ ZERO_ARRAY(old_nt_hash); -+ ZERO_ARRAY(old_lm_hash); -+ ZERO_ARRAY(new_nt_hash); -+ ZERO_ARRAY(new_lm_hash); - } - - if (!full_username && !username) { --- -2.23.0 - diff --git a/SOURCES/0036-s4-rpc_server-Use-samba_gnutls_arcfour_confounded_md.patch b/SOURCES/0036-s4-rpc_server-Use-samba_gnutls_arcfour_confounded_md.patch deleted file mode 100644 index 85da370..0000000 --- a/SOURCES/0036-s4-rpc_server-Use-samba_gnutls_arcfour_confounded_md.patch +++ /dev/null 
@@ -1,76 +0,0 @@ -From e81c7a540896c9a3fed8d6a8b080f76c83d70369 Mon Sep 17 00:00:00 2001 -From: Andrew Bartlett -Date: Thu, 25 Jul 2019 12:50:57 +1200 -Subject: [PATCH 036/187] s4:rpc_server: Use - samba_gnutls_arcfour_confounded_md5() in samr_set_password_ex() - -This allows the use of GnuTLS for the underlying RC4 crypto operations. - -Signed-off-by: Andrew Bartlett -Reviewed-by: Andreas Schneider -(cherry picked from commit 9363abfb5fcfeff30295ce0cf94c18941a6c4e9f) ---- - source4/rpc_server/samr/samr_password.c | 34 ++++++------------------- - 1 file changed, 8 insertions(+), 26 deletions(-) - -diff --git a/source4/rpc_server/samr/samr_password.c b/source4/rpc_server/samr/samr_password.c -index 7c441f38ce2..fde0de2c3cc 100644 ---- a/source4/rpc_server/samr/samr_password.c -+++ b/source4/rpc_server/samr/samr_password.c -@@ -586,9 +586,11 @@ NTSTATUS samr_set_password_ex(struct dcesrv_call_state *dce_call, - { - NTSTATUS nt_status; - DATA_BLOB new_password; -- DATA_BLOB co_session_key; -+ -+ /* The confounder is in the last 16 bytes of the buffer */ -+ DATA_BLOB confounder = data_blob_const(&pwbuf->data[516], 16); -+ DATA_BLOB pw_data = data_blob_const(pwbuf->data, 516); - DATA_BLOB session_key = data_blob(NULL, 0); -- gnutls_hash_hd_t hash_hnd = NULL; - int rc; - - nt_status = dcesrv_transport_session_key(dce_call, &session_key); -@@ -599,35 +601,15 @@ NTSTATUS samr_set_password_ex(struct dcesrv_call_state *dce_call, - return NT_STATUS_WRONG_PASSWORD; - } - -- co_session_key = data_blob_talloc(mem_ctx, NULL, 16); -- if (!co_session_key.data) { -- return NT_STATUS_NO_MEMORY; -- } -- -- rc = gnutls_hash_init(&hash_hnd, GNUTLS_DIG_MD5); -+ rc = samba_gnutls_arcfour_confounded_md5(&confounder, -+ &session_key, -+ &pw_data, -+ SAMBA_GNUTLS_DECRYPT); - if (rc < 0) { - nt_status = gnutls_error_to_ntstatus(rc, NT_STATUS_HASH_NOT_SUPPORTED); - goto out; - } - -- rc = gnutls_hash(hash_hnd, &pwbuf->data[516], 16); -- if (rc < 0) { -- gnutls_hash_deinit(hash_hnd, NULL); -- 
nt_status = gnutls_error_to_ntstatus(rc, NT_STATUS_HASH_NOT_SUPPORTED); -- goto out; -- } -- rc = gnutls_hash(hash_hnd, session_key.data, session_key.length); -- if (rc < 0) { -- gnutls_hash_deinit(hash_hnd, NULL); -- nt_status = gnutls_error_to_ntstatus(rc, NT_STATUS_HASH_NOT_SUPPORTED); -- goto out; -- } -- gnutls_hash_deinit(hash_hnd, co_session_key.data); -- -- arcfour_crypt_blob(pwbuf->data, 516, &co_session_key); -- ZERO_ARRAY_LEN(co_session_key.data, -- co_session_key.length); -- - if (!extract_pw_from_buffer(mem_ctx, pwbuf->data, &new_password)) { - DEBUG(3,("samr: failed to decode password buffer\n")); - nt_status = NT_STATUS_WRONG_PASSWORD; --- -2.23.0 - diff --git a/SOURCES/0037-s4-rpc_server-Use-GnuTLS-RC4-for-samr-password.patch b/SOURCES/0037-s4-rpc_server-Use-GnuTLS-RC4-for-samr-password.patch deleted file mode 100644 index a9c5115..0000000 --- a/SOURCES/0037-s4-rpc_server-Use-GnuTLS-RC4-for-samr-password.patch +++ /dev/null 
@@ -1,195 +0,0 @@ -From 23f422c0df67c0f9e701e0deb5f1708a930a98bd Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Tue, 19 Feb 2019 17:40:29 +0100 -Subject: [PATCH 037/187] s4:rpc_server: Use GnuTLS RC4 for samr password - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14031 - -Signed-off-by: Andreas Schneider -Reviewed-by: Andrew Bartlett -(cherry picked from commit 4326e7de6ba0ce02ab23af7297d2f7242988daa4) ---- - source4/rpc_server/samr/samr_password.c | 105 ++++++++++++++++++++---- - 1 file changed, 89 insertions(+), 16 deletions(-) - -diff --git a/source4/rpc_server/samr/samr_password.c b/source4/rpc_server/samr/samr_password.c -index fde0de2c3cc..b04e37f06f3 100644 ---- a/source4/rpc_server/samr/samr_password.c -+++ b/source4/rpc_server/samr/samr_password.c -@@ -24,7 +24,7 @@ - #include "rpc_server/dcerpc_server.h" - #include "rpc_server/samr/dcesrv_samr.h" - #include "system/time.h" --#include "../lib/crypto/crypto.h" -+#include "lib/crypto/md4.h" - #include "dsdb/samdb/samdb.h" - #include "auth/auth.h" - #include "libcli/auth/libcli_auth.h" -@@ -119,13 +119,15 @@ NTSTATUS dcesrv_samr_OemChangePasswordUser2(struct dcesrv_call_state *dce_call, - "samAccountName", - NULL }; - struct samr_Password *lm_pwd; -- DATA_BLOB lm_pwd_blob; - uint8_t new_lm_hash[16]; - struct samr_Password lm_verifier; - size_t unicode_pw_len; - size_t converted_size = 0; - const char *user_samAccountName = NULL; - struct dom_sid *user_objectSid = NULL; -+ gnutls_cipher_hd_t cipher_hnd = NULL; -+ gnutls_datum_t lm_session_key; -+ int rc; - - if (pwbuf == NULL) { - return NT_STATUS_INVALID_PARAMETER; -@@ -179,9 +181,28 @@ NTSTATUS dcesrv_samr_OemChangePasswordUser2(struct dcesrv_call_state *dce_call, - } - - /* decrypt the password we have been given */ -- lm_pwd_blob = data_blob(lm_pwd->hash, sizeof(lm_pwd->hash)); -- arcfour_crypt_blob(pwbuf->data, 516, &lm_pwd_blob); -- data_blob_free(&lm_pwd_blob); -+ lm_session_key = (gnutls_datum_t) { -+ .data = lm_pwd->hash, -+ .size = 
sizeof(lm_pwd->hash), -+ }; -+ -+ rc = gnutls_cipher_init(&cipher_hnd, -+ GNUTLS_CIPHER_ARCFOUR_128, -+ &lm_session_key, -+ NULL); -+ if (rc < 0) { -+ status = gnutls_error_to_ntstatus(rc, NT_STATUS_CRYPTO_SYSTEM_INVALID); -+ goto failed; -+ } -+ -+ rc = gnutls_cipher_decrypt(cipher_hnd, -+ pwbuf->data, -+ 516); -+ gnutls_cipher_deinit(cipher_hnd); -+ if (rc < 0) { -+ status = gnutls_error_to_ntstatus(rc, NT_STATUS_CRYPTO_SYSTEM_INVALID); -+ goto failed; -+ } - - if (!extract_pw_from_buffer(mem_ctx, pwbuf->data, &new_password)) { - DEBUG(3,("samr: failed to decode password buffer\n")); -@@ -315,7 +336,6 @@ NTSTATUS dcesrv_samr_ChangePasswordUser3(struct dcesrv_call_state *dce_call, - "badPwdCount", "badPasswordTime", - "objectSid", NULL }; - struct samr_Password *nt_pwd, *lm_pwd; -- DATA_BLOB nt_pwd_blob; - struct samr_DomInfo1 *dominfo = NULL; - struct userPwdChangeFailureInformation *reject = NULL; - enum samPwdChangeReason reason = SAM_PWD_CHANGE_NO_ERROR; -@@ -325,6 +345,9 @@ NTSTATUS dcesrv_samr_ChangePasswordUser3(struct dcesrv_call_state *dce_call, - struct dom_sid *user_objectSid = NULL; - enum ntlm_auth_level ntlm_auth_level - = lpcfg_ntlm_auth(dce_call->conn->dce_ctx->lp_ctx); -+ gnutls_cipher_hd_t cipher_hnd = NULL; -+ gnutls_datum_t nt_session_key; -+ int rc; - - *r->out.dominfo = NULL; - *r->out.reject = NULL; -@@ -381,9 +404,28 @@ NTSTATUS dcesrv_samr_ChangePasswordUser3(struct dcesrv_call_state *dce_call, - } - - /* decrypt the password we have been given */ -- nt_pwd_blob = data_blob(nt_pwd->hash, sizeof(nt_pwd->hash)); -- arcfour_crypt_blob(r->in.nt_password->data, 516, &nt_pwd_blob); -- data_blob_free(&nt_pwd_blob); -+ nt_session_key = (gnutls_datum_t) { -+ .data = nt_pwd->hash, -+ .size = sizeof(nt_pwd->hash), -+ }; -+ -+ rc = gnutls_cipher_init(&cipher_hnd, -+ GNUTLS_CIPHER_ARCFOUR_128, -+ &nt_session_key, -+ NULL); -+ if (rc < 0) { -+ status = gnutls_error_to_ntstatus(rc, NT_STATUS_CRYPTO_SYSTEM_INVALID); -+ goto failed; -+ } -+ -+ rc = 
gnutls_cipher_decrypt(cipher_hnd, -+ r->in.nt_password->data, -+ 516); -+ gnutls_cipher_deinit(cipher_hnd); -+ if (rc < 0) { -+ status = gnutls_error_to_ntstatus(rc, NT_STATUS_CRYPTO_SYSTEM_INVALID); -+ goto failed; -+ } - - if (!extract_pw_from_buffer(mem_ctx, r->in.nt_password->data, &new_password)) { - DEBUG(3,("samr: failed to decode password buffer\n")); -@@ -547,6 +589,9 @@ NTSTATUS samr_set_password(struct dcesrv_call_state *dce_call, - NTSTATUS nt_status; - DATA_BLOB new_password; - DATA_BLOB session_key = data_blob(NULL, 0); -+ gnutls_cipher_hd_t cipher_hnd = NULL; -+ gnutls_datum_t _session_key; -+ int rc; - - nt_status = dcesrv_transport_session_key(dce_call, &session_key); - if (!NT_STATUS_IS_OK(nt_status)) { -@@ -556,7 +601,28 @@ NTSTATUS samr_set_password(struct dcesrv_call_state *dce_call, - return NT_STATUS_WRONG_PASSWORD; - } - -- arcfour_crypt_blob(pwbuf->data, 516, &session_key); -+ _session_key = (gnutls_datum_t) { -+ .data = session_key.data, -+ .size = session_key.length, -+ }; -+ -+ rc = gnutls_cipher_init(&cipher_hnd, -+ GNUTLS_CIPHER_ARCFOUR_128, -+ &_session_key, -+ NULL); -+ if (rc < 0) { -+ nt_status = gnutls_error_to_ntstatus(rc, NT_STATUS_CRYPTO_SYSTEM_INVALID); -+ goto out; -+ } -+ -+ rc = gnutls_cipher_decrypt(cipher_hnd, -+ pwbuf->data, -+ 516); -+ gnutls_cipher_deinit(cipher_hnd); -+ if (rc < 0) { -+ nt_status = gnutls_error_to_ntstatus(rc, NT_STATUS_CRYPTO_SYSTEM_INVALID); -+ goto out; -+ } - - if (!extract_pw_from_buffer(mem_ctx, pwbuf->data, &new_password)) { - DEBUG(3,("samr: failed to decode password buffer\n")); -@@ -565,12 +631,19 @@ NTSTATUS samr_set_password(struct dcesrv_call_state *dce_call, - - /* set the password - samdb needs to know both the domain and user DNs, - so the domain password policy can be used */ -- return samdb_set_password(sam_ctx, mem_ctx, -- account_dn, domain_dn, -- &new_password, -- NULL, NULL, -- NULL, NULL, /* This is a password set, not change */ -- NULL, NULL); -+ nt_status = 
samdb_set_password(sam_ctx, -+ mem_ctx, -+ account_dn, -+ domain_dn, -+ &new_password, -+ NULL, -+ NULL, -+ NULL, -+ NULL, /* This is a password set, not change */ -+ NULL, -+ NULL); -+out: -+ return nt_status; - } - - --- -2.23.0 - diff --git a/SOURCES/0038-s4-torture-Use-GnuTLS-RC4-for-RAP-SAM-test.patch b/SOURCES/0038-s4-torture-Use-GnuTLS-RC4-for-RAP-SAM-test.patch deleted file mode 100644 index 36d396c..0000000 --- a/SOURCES/0038-s4-torture-Use-GnuTLS-RC4-for-RAP-SAM-test.patch +++ /dev/null 
@@ -1,64 +0,0 @@ -From 7839408010ba413f766e950192dd5a0632234ce7 Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Wed, 20 Feb 2019 15:52:49 +0100 -Subject: [PATCH 038/187] s4:torture: Use GnuTLS RC4 for RAP SAM test - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14031 - -Signed-off-by: Andreas Schneider -Reviewed-by: Andrew Bartlett -(cherry picked from commit 811c412da5c24d7274f9aa4c7d653bbb1191e6a6) ---- - source4/torture/rap/sam.c | 19 +++++++++++++++++-- - 1 file changed, 17 insertions(+), 2 deletions(-) - -diff --git a/source4/torture/rap/sam.c b/source4/torture/rap/sam.c -index 4ca7b793dec..3c13849b398 100644 ---- a/source4/torture/rap/sam.c -+++ b/source4/torture/rap/sam.c -@@ -26,10 +26,12 @@ - #include "torture/util.h" - #include "libcli/rap/rap.h" - #include "torture/rap/proto.h" --#include "../lib/crypto/crypto.h" - #include "../libcli/auth/libcli_auth.h" - #include "torture/rpc/torture_rpc.h" - -+#include -+#include -+ - #define TEST_RAP_USER "torture_rap_user" - - static char *samr_rand_pass(TALLOC_CTX *mem_ctx, int min_len) -@@ -137,6 +139,11 @@ static bool test_oemchangepassword_args(struct torture_context *tctx, - char *newpass = samr_rand_pass(tctx, 9); - uint8_t old_pw_hash[16]; - uint8_t new_pw_hash[16]; -+ gnutls_cipher_hd_t cipher_hnd = NULL; -+ gnutls_datum_t pw_key = { -+ .data = old_pw_hash, -+ .size = sizeof(old_pw_hash), -+ }; - - r.in.UserName = username; - -@@ -144,7 +151,15 @@ static bool test_oemchangepassword_args(struct torture_context *tctx, - E_deshash(newpass, new_pw_hash); - - encode_pw_buffer(r.in.crypt_password, newpass, STR_ASCII); -- arcfour_crypt(r.in.crypt_password, old_pw_hash, 516); -+ -+ gnutls_cipher_init(&cipher_hnd, -+ GNUTLS_CIPHER_ARCFOUR_128, -+ &pw_key, -+ NULL); -+ gnutls_cipher_encrypt(cipher_hnd, -+ r.in.crypt_password, -+ 516); -+ gnutls_cipher_deinit(cipher_hnd); - E_old_pw_hash(new_pw_hash, old_pw_hash, r.in.password_hash); - - torture_comment(tctx, "Testing rap_NetOEMChangePassword(%s)\n", 
r.in.UserName); --- -2.23.0 - diff --git a/SOURCES/0039-s4-torture-Use-init_samr_CryptPassword-Ex-in-samba3r.patch b/SOURCES/0039-s4-torture-Use-init_samr_CryptPassword-Ex-in-samba3r.patch deleted file mode 100644 index 868677f..0000000 --- a/SOURCES/0039-s4-torture-Use-init_samr_CryptPassword-Ex-in-samba3r.patch +++ /dev/null 
@@ -1,121 +0,0 @@ -From d68771ee1f47bc238a2967ac43ccded3717d4bb5 Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Thu, 21 Feb 2019 10:21:39 +0100 -Subject: [PATCH 039/187] s4:torture: Use init_samr_CryptPassword(Ex) in - samba3rpc test - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14031 - -Signed-off-by: Andreas Schneider -Reviewed-by: Andrew Bartlett -(cherry picked from commit 80f5beb4804c694ee6e5f5b450e751f538677593) ---- - source4/torture/rpc/samba3rpc.c | 43 ++++++++++++++------------------- - 1 file changed, 18 insertions(+), 25 deletions(-) - -diff --git a/source4/torture/rpc/samba3rpc.c b/source4/torture/rpc/samba3rpc.c -index bf1de04a5b5..d55d6c47b57 100644 ---- a/source4/torture/rpc/samba3rpc.c -+++ b/source4/torture/rpc/samba3rpc.c -@@ -36,7 +36,6 @@ - #include "libcli/libcli.h" - #include "libcli/smb_composite/smb_composite.h" - #include "libcli/auth/libcli_auth.h" --#include "../lib/crypto/crypto.h" - #include "libcli/security/security.h" - #include "param/param.h" - #include "lib/registry/registry.h" -@@ -47,9 +46,7 @@ - #include "librpc/rpc/dcerpc.h" - #include "librpc/rpc/dcerpc_proto.h" - #include "libcli/smb/smbXcli_base.h" -- --#include --#include -+#include "source3/rpc_client/init_samr.h" - - /* - * open pipe and bind, given an IPC$ context -@@ -666,7 +663,6 @@ static bool create_user(struct torture_context *tctx, - union samr_UserInfo *info; - DATA_BLOB session_key; - -- - ZERO_STRUCT(u_info); - encode_pw_buffer(u_info.info23.password.data, password, - STR_UNICODE); -@@ -676,8 +672,15 @@ static bool create_user(struct torture_context *tctx, - torture_comment(tctx, "dcerpc_fetch_session_key failed\n"); - goto done; - } -- arcfour_crypt_blob(u_info.info23.password.data, 516, -- &session_key); -+ -+ status = init_samr_CryptPassword(password, -+ &session_key, -+ &u_info.info23.password); -+ if (!NT_STATUS_IS_OK(status)) { -+ torture_comment(tctx, "init_samr_CryptPassword failed\n"); -+ goto done; -+ } -+ - 
u_info.info23.info.password_expired = 0; - u_info.info23.info.fields_present = SAMR_FIELD_NT_PASSWORD_PRESENT | - SAMR_FIELD_LM_PASSWORD_PRESENT | -@@ -872,10 +875,6 @@ static bool join3(struct torture_context *tctx, - union samr_UserInfo u_info; - struct samr_UserInfo21 *i21 = &u_info.info25.info; - DATA_BLOB session_key; -- DATA_BLOB confounded_session_key = data_blob_talloc( -- mem_ctx, NULL, 16); -- gnutls_hash_hd_t hash_hnd; -- uint8_t confounder[16]; - - ZERO_STRUCT(u_info); - -@@ -890,25 +889,16 @@ static bool join3(struct torture_context *tctx, - i21->password_expired = 1; - */ - -- encode_pw_buffer(u_info.info25.password.data, -- cli_credentials_get_password(wks_creds), -- STR_UNICODE); - status = dcerpc_fetch_session_key(samr_pipe, &session_key); - if (!NT_STATUS_IS_OK(status)) { - torture_comment(tctx, "dcerpc_fetch_session_key failed: %s\n", - nt_errstr(status)); - goto done; - } -- generate_random_buffer((uint8_t *)confounder, 16); - -- gnutls_hash_init(&hash_hnd, GNUTLS_DIG_MD5); -- gnutls_hash(hash_hnd, confounder, 16); -- gnutls_hash(hash_hnd, session_key.data, session_key.length); -- gnutls_hash_deinit(hash_hnd, confounded_session_key.data); -- -- arcfour_crypt_blob(u_info.info25.password.data, 516, -- &confounded_session_key); -- memcpy(&u_info.info25.password.data[516], confounder, 16); -+ status = init_samr_CryptPasswordEx(cli_credentials_get_password(wks_creds), -+ &session_key, -+ &u_info.info25.password); - - sui2.in.user_handle = wks_handle; - sui2.in.level = 25; -@@ -942,8 +932,11 @@ static bool join3(struct torture_context *tctx, - torture_comment(tctx, "dcerpc_fetch_session_key failed\n"); - goto done; - } -- arcfour_crypt_blob(u_info.info24.password.data, 516, -- &session_key); -+ -+ status = init_samr_CryptPassword(cli_credentials_get_password(wks_creds), -+ &session_key, -+ &u_info.info24.password); -+ - sui2.in.user_handle = wks_handle; - sui2.in.info = &u_info; - sui2.in.level = 24; --- -2.23.0 - 
diff --git a/SOURCES/0040-s4-torture-Use-init_samr_CryptPassword-in-test_SetUs.patch b/SOURCES/0040-s4-torture-Use-init_samr_CryptPassword-in-test_SetUs.patch deleted file mode 100644 index a77f5d5..0000000 --- a/SOURCES/0040-s4-torture-Use-init_samr_CryptPassword-in-test_SetUs.patch +++ /dev/null 
@@ -1,60 +0,0 @@ -From 92a1bd505e5bb9c793f05b386d4e9ee2b2b74027 Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Wed, 24 Jul 2019 15:56:08 +0200 -Subject: [PATCH 040/187] s4:torture: Use init_samr_CryptPassword in - test_SetUserPass - -Signed-off-by: Andreas Schneider -Reviewed-by: Andrew Bartlett -(cherry picked from commit 70e05d7eb78a0c363dbd72cbbf4f3a264636c840) ---- - source4/torture/rpc/samr.c | 12 +++++++++--- - 1 file changed, 9 insertions(+), 3 deletions(-) - -diff --git a/source4/torture/rpc/samr.c b/source4/torture/rpc/samr.c -index eb1bb14a555..f281be654cc 100644 ---- a/source4/torture/rpc/samr.c -+++ b/source4/torture/rpc/samr.c -@@ -31,7 +31,7 @@ - #include "librpc/gen_ndr/ndr_netlogon_c.h" - #include "librpc/gen_ndr/ndr_samr_c.h" - #include "librpc/gen_ndr/ndr_lsa_c.h" --#include "../lib/crypto/crypto.h" -+#include "lib/crypto/crypto.h" - #include "libcli/auth/libcli_auth.h" - #include "libcli/security/security.h" - #include "torture/rpc/torture_rpc.h" -@@ -40,6 +40,8 @@ - #include "auth/gensec/gensec_proto.h" - #include "../libcli/auth/schannel.h" - #include "torture/util.h" -+#include "source4/librpc/rpc/dcerpc.h" -+#include "source3/rpc_client/init_samr.h" - - #define TEST_ACCOUNT_NAME "samrtorturetest" - #define TEST_ACCOUNT_NAME_PWD "samrpwdlastset" -@@ -637,7 +639,6 @@ static bool test_SetUserPass(struct dcerpc_pipe *p, struct torture_context *tctx - s.in.info = &u; - s.in.level = 24; - -- encode_pw_buffer(u.info24.password.data, newpass, STR_UNICODE); - u.info24.password_expired = 0; - - status = dcerpc_fetch_session_key(p, &session_key); -@@ -647,7 +648,12 @@ static bool test_SetUserPass(struct dcerpc_pipe *p, struct torture_context *tctx - return false; - } - -- arcfour_crypt_blob(u.info24.password.data, 516, &session_key); -+ status = init_samr_CryptPassword(newpass, -+ &session_key, -+ &u.info24.password); -+ torture_assert_ntstatus_ok(tctx, -+ status, -+ "init_samr_CryptPassword failed"); - - torture_comment(tctx, "Testing 
SetUserInfo level 24 (set password)\n"); - --- -2.23.0 - diff --git a/SOURCES/0041-s4-torture-Use-init_samr_CryptPassword-in-test_SetUs.patch b/SOURCES/0041-s4-torture-Use-init_samr_CryptPassword-in-test_SetUs.patch deleted file mode 100644 index f1c1ae2..0000000 --- a/SOURCES/0041-s4-torture-Use-init_samr_CryptPassword-in-test_SetUs.patch +++ /dev/null 
@@ -1,72 +0,0 @@ -From 2f7cd9ededefa6499f4fad15758fec27a15a5de3 Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Wed, 24 Jul 2019 15:57:25 +0200 -Subject: [PATCH 041/187] s4:torture: Use init_samr_CryptPassword in - test_SetUserPass_23 - -Signed-off-by: Andreas Schneider -Reviewed-by: Andrew Bartlett -(cherry picked from commit b0b9cabc4de64497140d33d0fdaf2927f2915987) ---- - source4/torture/rpc/samr.c | 24 +++++++++++++++++------- - 1 file changed, 17 insertions(+), 7 deletions(-) - -diff --git a/source4/torture/rpc/samr.c b/source4/torture/rpc/samr.c -index f281be654cc..543ef64e9ac 100644 ---- a/source4/torture/rpc/samr.c -+++ b/source4/torture/rpc/samr.c -@@ -706,8 +706,6 @@ static bool test_SetUserPass_23(struct dcerpc_pipe *p, struct torture_context *t - - u.info23.info.fields_present = fields_present; - -- encode_pw_buffer(u.info23.password.data, newpass, STR_UNICODE); -- - status = dcerpc_fetch_session_key(p, &session_key); - if (!NT_STATUS_IS_OK(status)) { - torture_result(tctx, TORTURE_FAIL, "SetUserInfo level %u - no session key - %s\n", -@@ -715,7 +713,12 @@ static bool test_SetUserPass_23(struct dcerpc_pipe *p, struct torture_context *t - return false; - } - -- arcfour_crypt_blob(u.info23.password.data, 516, &session_key); -+ status = init_samr_CryptPassword(newpass, -+ &session_key, -+ &u.info23.password); -+ torture_assert_ntstatus_ok(tctx, -+ status, -+ "init_samr_CryptPassword failed"); - - torture_comment(tctx, "Testing SetUserInfo level 23 (set password)\n"); - -@@ -732,8 +735,6 @@ static bool test_SetUserPass_23(struct dcerpc_pipe *p, struct torture_context *t - *password = newpass; - } - -- encode_pw_buffer(u.info23.password.data, newpass, STR_UNICODE); -- - status = dcerpc_fetch_session_key(p, &session_key); - if (!NT_STATUS_IS_OK(status)) { - torture_result(tctx, TORTURE_FAIL, "SetUserInfo level %u - no session key - %s\n", -@@ -742,8 +743,17 @@ static bool test_SetUserPass_23(struct dcerpc_pipe *p, struct torture_context *t - } - - /* 
This should break the key nicely */ -- session_key.length--; -- arcfour_crypt_blob(u.info23.password.data, 516, &session_key); -+ session_key.data[0]++; -+ -+ status = init_samr_CryptPassword(newpass, -+ &session_key, -+ &u.info23.password); -+ torture_assert_ntstatus_ok(tctx, -+ status, -+ "init_samr_CryptPassword failed"); -+ -+ /* Reset the session key */ -+ session_key.data[0]--; - - torture_comment(tctx, "Testing SetUserInfo level 23 (set password) with wrong password\n"); - --- -2.23.0 - diff --git a/SOURCES/0042-s4-torture-Use-init_samr_CryptPassword-in-test_SetUs.patch b/SOURCES/0042-s4-torture-Use-init_samr_CryptPassword-in-test_SetUs.patch deleted file mode 100644 index 3ab9eb6..0000000 --- a/SOURCES/0042-s4-torture-Use-init_samr_CryptPassword-in-test_SetUs.patch +++ /dev/null 
@@ -1,87 +0,0 @@
-From d56d8f629ea89a9a3cc7aecc17331ac5c57a61fa Mon Sep 17 00:00:00 2001
-From: Andreas Schneider
-Date: Wed, 24 Jul 2019 15:58:06 +0200
-Subject: [PATCH 042/187] s4:torture: Use init_samr_CryptPassword in
- test_SetUserPassEx
-
-Signed-off-by: Andreas Schneider
-Reviewed-by: Andrew Bartlett
-(cherry picked from commit e398ecbd8e32bb428073f3635d9178abfae28255)
----
- source4/torture/rpc/samr.c | 33 +++++++++++++++++----------------
- 1 file changed, 17 insertions(+), 16 deletions(-)
-
-diff --git a/source4/torture/rpc/samr.c b/source4/torture/rpc/samr.c
-index 543ef64e9ac..0e9989449be 100644
---- a/source4/torture/rpc/samr.c
-+++ b/source4/torture/rpc/samr.c
-@@ -781,14 +781,12 @@ static bool test_SetUserPassEx(struct dcerpc_pipe *p, struct torture_context *tc
- union samr_UserInfo u;
- bool ret = true;
- DATA_BLOB session_key;
-- DATA_BLOB confounded_session_key = data_blob_talloc(tctx, NULL, 16);
-- uint8_t confounder[16];
- char *newpass;
- struct dcerpc_binding_handle *b = p->binding_handle;
-- gnutls_hash_hd_t hash_hnd;
- struct samr_GetUserPwInfo pwp;
- struct samr_PwInfo info;
- int policy_min_pw_len = 0;
-+
- pwp.in.user_handle = handle;
- pwp.out.info = &info;
-
-@@ -807,7 +805,6 @@ static bool test_SetUserPassEx(struct dcerpc_pipe *p, struct torture_context *tc
- s.in.info = &u;
- s.in.level = 26;
-
-- encode_pw_buffer(u.info26.password.data, newpass, STR_UNICODE);
- u.info26.password_expired = 0;
-
- status = dcerpc_fetch_session_key(p, &session_key);
-@@ -817,15 +814,12 @@ static bool test_SetUserPassEx(struct dcerpc_pipe *p, struct torture_context *tc
- return false;
- }
-
-- generate_random_buffer((uint8_t *)confounder, 16);
--
-- gnutls_hash_init(&hash_hnd, GNUTLS_DIG_MD5);
-- gnutls_hash(hash_hnd, confounder, 16);
-- gnutls_hash(hash_hnd, session_key.data, session_key.length);
-- gnutls_hash_deinit(hash_hnd, confounded_session_key.data);
--
-- arcfour_crypt_blob(u.info26.password.data, 516, &confounded_session_key);
-- memcpy(&u.info26.password.data[516], confounder, 16);
-+ status = init_samr_CryptPasswordEx(newpass,
-+ &session_key,
-+ &u.info26.password);
-+ torture_assert_ntstatus_ok(tctx,
-+ status,
-+ "init_samr_CryptPasswordEx failed");
-
- torture_comment(tctx, "Testing SetUserInfo level 26 (set password ex)\n");
-
-@@ -843,10 +837,17 @@ static bool test_SetUserPassEx(struct dcerpc_pipe *p, struct torture_context *tc
- }
-
- /* This should break the key nicely */
-- confounded_session_key.data[0]++;
-+ session_key.data[0]++;
-
-- arcfour_crypt_blob(u.info26.password.data, 516, &confounded_session_key);
-- memcpy(&u.info26.password.data[516], confounder, 16);
-+ status = init_samr_CryptPasswordEx(newpass,
-+ &session_key,
-+ &u.info26.password);
-+ torture_assert_ntstatus_ok(tctx,
-+ status,
-+ "init_samr_CryptPasswordEx failed");
-+
-+ /* Reset the key */
-+ session_key.data[0]--;
-
- torture_comment(tctx, "Testing SetUserInfo level 26 (set password ex) with wrong session key\n");
-
---
-2.23.0
-
diff --git a/SOURCES/0043-s4-torture-Use-init_samr_CryptPassword-in-test_SetUs.patch b/SOURCES/0043-s4-torture-Use-init_samr_CryptPassword-in-test_SetUs.patch
deleted file mode 100644
index 7a51b7f..0000000
--- a/SOURCES/0043-s4-torture-Use-init_samr_CryptPassword-in-test_SetUs.patch
+++ /dev/null
@@ -1,88 +0,0 @@
-From 9f2f94aff0be089658eabd0c62896775332e1acb Mon Sep 17 00:00:00 2001
-From: Andreas Schneider
-Date: Wed, 24 Jul 2019 15:58:38 +0200
-Subject: [PATCH 043/187] s4:torture: Use init_samr_CryptPassword in
- test_SetUserPass_25
-
-Signed-off-by: Andreas Schneider
-Reviewed-by: Andrew Bartlett
-(cherry picked from commit 3b9496d905408b75c21919b35b2105e2b0b0325f)
----
- source4/torture/rpc/samr.c | 34 +++++++++++++++++-----------------
- 1 file changed, 17 insertions(+), 17 deletions(-)
-
-diff --git a/source4/torture/rpc/samr.c b/source4/torture/rpc/samr.c
-index 0e9989449be..2f67bcf6be7 100644
---- a/source4/torture/rpc/samr.c
-+++ b/source4/torture/rpc/samr.c
-@@ -876,14 +876,12 @@ static bool test_SetUserPass_25(struct dcerpc_pipe *p, struct torture_context *t
- union samr_UserInfo u;
- bool ret = true;
- DATA_BLOB session_key;
-- DATA_BLOB confounded_session_key = data_blob_talloc(tctx, NULL, 16);
-- gnutls_hash_hd_t hash_hnd;
-- uint8_t confounder[16];
- char *newpass;
- struct dcerpc_binding_handle *b = p->binding_handle;
- struct samr_GetUserPwInfo pwp;
- struct samr_PwInfo info;
- int policy_min_pw_len = 0;
-+
- pwp.in.user_handle = handle;
- pwp.out.info = &info;
-
-@@ -902,8 +900,6 @@ static bool test_SetUserPass_25(struct dcerpc_pipe *p, struct torture_context *t
-
- u.info25.info.fields_present = fields_present;
-
-- encode_pw_buffer(u.info25.password.data, newpass, STR_UNICODE);
--
- status = dcerpc_fetch_session_key(p, &session_key);
- if (!NT_STATUS_IS_OK(status)) {
- torture_result(tctx, TORTURE_FAIL, "SetUserInfo level %u - no session key - %s\n",
-@@ -911,15 +907,12 @@ static bool test_SetUserPass_25(struct dcerpc_pipe *p, struct torture_context *t
- return false;
- }
-
-- generate_random_buffer((uint8_t *)confounder, 16);
--
-- gnutls_hash_init(&hash_hnd, GNUTLS_DIG_MD5);
-- gnutls_hash(hash_hnd, confounder, 16);
-- gnutls_hash(hash_hnd, session_key.data, session_key.length);
-- gnutls_hash_deinit(hash_hnd, confounded_session_key.data);
--
-- arcfour_crypt_blob(u.info25.password.data, 516, &confounded_session_key);
-- memcpy(&u.info25.password.data[516], confounder, 16);
-+ status = init_samr_CryptPasswordEx(newpass,
-+ &session_key,
-+ &u.info25.password);
-+ torture_assert_ntstatus_ok(tctx,
-+ status,
-+ "init_samr_CryptPasswordEx failed");
-
- torture_comment(tctx, "Testing SetUserInfo level 25 (set password ex)\n");
-
-@@ -937,10 +930,17 @@ static bool test_SetUserPass_25(struct dcerpc_pipe *p, struct torture_context *t
- }
-
- /* This should break the key nicely */
-- confounded_session_key.data[0]++;
-+ session_key.data[0]++;
-
-- arcfour_crypt_blob(u.info25.password.data, 516, &confounded_session_key);
-- memcpy(&u.info25.password.data[516], confounder, 16);
-+ status = init_samr_CryptPasswordEx(newpass,
-+ &session_key,
-+ &u.info25.password);
-+ torture_assert_ntstatus_ok(tctx,
-+ status,
-+ "init_samr_CryptPasswordEx failed");
-+
-+ /* Reset the key */
-+ session_key.data[0]--;
-
- torture_comment(tctx, "Testing SetUserInfo level 25 (set password ex) with wrong session key\n");
-
---
-2.23.0
-
diff --git a/SOURCES/0044-s4-torture-Use-init_samr_CryptPassword-in-test_SetUs.patch b/SOURCES/0044-s4-torture-Use-init_samr_CryptPassword-in-test_SetUs.patch
deleted file mode 100644
index 05ba0aa..0000000
--- a/SOURCES/0044-s4-torture-Use-init_samr_CryptPassword-in-test_SetUs.patch
+++ /dev/null
@@ -1,116 +0,0 @@
-From 905ffa85002a4100172835c550547bab024ef30f Mon Sep 17 00:00:00 2001
-From: Andreas Schneider
-Date: Wed, 24 Jul 2019 15:59:19 +0200
-Subject: [PATCH 044/187] s4:torture: Use init_samr_CryptPassword in
- test_SetUserPass_level_ex
-
-Signed-off-by: Andreas Schneider
-Reviewed-by: Andrew Bartlett
-(cherry picked from commit f45ba47afb11c1f7bbb8c5c84670395500e1afc1)
----
- source4/torture/rpc/samr.c | 48 +++++++++++++++++++-------------------
- 1 file changed, 24 insertions(+), 24 deletions(-)
-
-diff --git a/source4/torture/rpc/samr.c b/source4/torture/rpc/samr.c
-index 2f67bcf6be7..530c457bbd9 100644
---- a/source4/torture/rpc/samr.c
-+++ b/source4/torture/rpc/samr.c
-@@ -1166,9 +1166,6 @@ static bool test_SetUserPass_level_ex(struct dcerpc_pipe *p,
- union samr_UserInfo u;
- bool ret = true;
- DATA_BLOB session_key;
-- DATA_BLOB confounded_session_key = data_blob_talloc(tctx, NULL, 16);
-- gnutls_hash_hd_t hash_hnd;
-- uint8_t confounder[16];
- char *newpass;
- struct dcerpc_binding_handle *b = p->binding_handle;
- struct samr_GetUserPwInfo pwp;
-@@ -1244,28 +1241,20 @@ static bool test_SetUserPass_level_ex(struct dcerpc_pipe *p,
- u.info23.info.password_expired = password_expired;
- u.info23.info.comment.string = comment;
-
-- encode_pw_buffer(u.info23.password.data, newpass, STR_UNICODE);
--
- break;
- case 24:
- u.info24.password_expired = password_expired;
-
-- encode_pw_buffer(u.info24.password.data, newpass, STR_UNICODE);
--
- break;
- case 25:
- u.info25.info.fields_present = fields_present;
- u.info25.info.password_expired = password_expired;
- u.info25.info.comment.string = comment;
-
-- encode_pw_buffer(u.info25.password.data, newpass, STR_UNICODE);
--
- break;
- case 26:
- u.info26.password_expired = password_expired;
-
-- encode_pw_buffer(u.info26.password.data, newpass, STR_UNICODE);
--
- break;
- }
-
-@@ -1276,13 +1265,6 @@ static bool test_SetUserPass_level_ex(struct dcerpc_pipe *p,
- return false;
- }
-
-- generate_random_buffer((uint8_t *)confounder, 16);
--
-- gnutls_hash_init(&hash_hnd, GNUTLS_DIG_MD5);
-- gnutls_hash(hash_hnd, confounder, 16);
-- gnutls_hash(hash_hnd, session_key.data, session_key.length);
-- gnutls_hash_deinit(hash_hnd, confounded_session_key.data);
--
- switch (level) {
- case 18:
- {
-@@ -1320,18 +1302,36 @@ static bool test_SetUserPass_level_ex(struct dcerpc_pipe *p,
- }
- break;
- case 23:
-- arcfour_crypt_blob(u.info23.password.data, 516, &session_key);
-+ status = init_samr_CryptPassword(newpass,
-+ &session_key,
-+ &u.info23.password);
-+ torture_assert_ntstatus_ok(tctx,
-+ status,
-+ "init_samr_CryptPassword failed");
- break;
- case 24:
-- arcfour_crypt_blob(u.info24.password.data, 516, &session_key);
-+ status = init_samr_CryptPassword(newpass,
-+ &session_key,
-+ &u.info24.password);
-+ torture_assert_ntstatus_ok(tctx,
-+ status,
-+ "init_samr_CryptPassword failed");
- break;
- case 25:
-- arcfour_crypt_blob(u.info25.password.data, 516, &confounded_session_key);
-- memcpy(&u.info25.password.data[516], confounder, 16);
-+ status = init_samr_CryptPasswordEx(newpass,
-+ &session_key,
-+ &u.info25.password);
-+ torture_assert_ntstatus_ok(tctx,
-+ status,
-+ "init_samr_CryptPasswordEx failed");
- break;
- case 26:
-- arcfour_crypt_blob(u.info26.password.data, 516, &confounded_session_key);
-- memcpy(&u.info26.password.data[516], confounder, 16);
-+ status = init_samr_CryptPasswordEx(newpass,
-+ &session_key,
-+ &u.info26.password);
-+ torture_assert_ntstatus_ok(tctx,
-+ status,
-+ "init_samr_CryptPasswordEx failed");
- break;
- }
-
---
-2.23.0
-
diff --git a/SOURCES/0045-s4-torture-Use-GnuTLS-RC4-in-test_OemChangePasswordU.patch b/SOURCES/0045-s4-torture-Use-GnuTLS-RC4-in-test_OemChangePasswordU.patch
deleted file mode 100644
index 140daba..0000000
--- a/SOURCES/0045-s4-torture-Use-GnuTLS-RC4-in-test_OemChangePasswordU.patch
+++ /dev/null
@@ -1,91 +0,0 @@
-From 752f6efc6ac65cba6b8ebf125b19a6685a0d40c2 Mon Sep 17 00:00:00 2001
-From: Andreas Schneider
-Date: Wed, 24 Jul 2019 16:49:53 +0200
-Subject: [PATCH 045/187] s4:torture: Use GnuTLS RC4 in
- test_OemChangePasswordUser2
-
-This uses STR_ASCII for password encoding!
-
-Signed-off-by: Andreas Schneider
-Reviewed-by: Andrew Bartlett
-(cherry picked from commit b512b5974494fe41010800f60df0f248b8ea850e)
----
- source4/torture/rpc/samr.c | 34 ++++++++++++++++++++++++++++++----
- 1 file changed, 30 insertions(+), 4 deletions(-)
-
-diff --git a/source4/torture/rpc/samr.c b/source4/torture/rpc/samr.c
-index 530c457bbd9..eb032905dc8 100644
---- a/source4/torture/rpc/samr.c
-+++ b/source4/torture/rpc/samr.c
-@@ -2032,6 +2032,11 @@ static bool test_OemChangePasswordUser2(struct dcerpc_pipe *p,
- char *newpass;
- struct dcerpc_binding_handle *b = p->binding_handle;
- uint8_t old_lm_hash[16], new_lm_hash[16];
-+ gnutls_cipher_hd_t cipher_hnd = NULL;
-+ gnutls_datum_t session_key = {
-+ .data = old_lm_hash,
-+ .size = 16
-+ };
-
- struct samr_GetDomPwInfo dom_pw_info;
- struct samr_PwInfo info;
-@@ -2065,7 +2070,13 @@ static bool test_OemChangePasswordUser2(struct dcerpc_pipe *p,
- E_deshash(newpass, new_lm_hash);
-
- encode_pw_buffer(lm_pass.data, newpass, STR_ASCII);
-- arcfour_crypt(lm_pass.data, old_lm_hash, 516);
-+
-+ gnutls_cipher_init(&cipher_hnd,
-+ GNUTLS_CIPHER_ARCFOUR_128,
-+ &session_key,
-+ NULL);
-+ gnutls_cipher_encrypt(cipher_hnd, lm_pass.data, 516);
-+ gnutls_cipher_deinit(cipher_hnd);
- E_old_pw_hash(new_lm_hash, old_lm_hash, lm_verifier.hash);
-
- r.in.server = &server;
-@@ -2092,7 +2103,12 @@ static bool test_OemChangePasswordUser2(struct dcerpc_pipe *p,
- encode_pw_buffer(lm_pass.data, newpass, STR_ASCII);
- /* Break the old password */
- old_lm_hash[0]++;
-- arcfour_crypt(lm_pass.data, old_lm_hash, 516);
-+ gnutls_cipher_init(&cipher_hnd,
-+ GNUTLS_CIPHER_ARCFOUR_128,
-+ &session_key,
-+ NULL);
-+ gnutls_cipher_encrypt(cipher_hnd, lm_pass.data, 516);
-+ gnutls_cipher_deinit(cipher_hnd);
- /* unbreak it for the next operation */
- old_lm_hash[0]--;
- E_old_pw_hash(new_lm_hash, old_lm_hash, lm_verifier.hash);
-@@ -2116,7 +2132,12 @@ static bool test_OemChangePasswordUser2(struct dcerpc_pipe *p,
- }
-
- encode_pw_buffer(lm_pass.data, newpass, STR_ASCII);
-- arcfour_crypt(lm_pass.data, old_lm_hash, 516);
-+ gnutls_cipher_init(&cipher_hnd,
-+ GNUTLS_CIPHER_ARCFOUR_128,
-+ &session_key,
-+ NULL);
-+ gnutls_cipher_encrypt(cipher_hnd, lm_pass.data, 516);
-+ gnutls_cipher_deinit(cipher_hnd);
-
- r.in.server = &server;
- r.in.account = &account;
-@@ -2192,7 +2213,12 @@ static bool test_OemChangePasswordUser2(struct dcerpc_pipe *p,
- E_deshash(newpass, new_lm_hash);
-
- encode_pw_buffer(lm_pass.data, newpass, STR_ASCII);
-- arcfour_crypt(lm_pass.data, old_lm_hash, 516);
-+ gnutls_cipher_init(&cipher_hnd,
-+ GNUTLS_CIPHER_ARCFOUR_128,
-+ &session_key,
-+ NULL);
-+ gnutls_cipher_encrypt(cipher_hnd, lm_pass.data, 516);
-+ gnutls_cipher_deinit(cipher_hnd);
- E_old_pw_hash(new_lm_hash, old_lm_hash, lm_verifier.hash);
-
- r.in.server = &server;
---
-2.23.0
-
diff --git a/SOURCES/0046-s4-torture-Use-init_samr_CryptPassword-in-test_Chang.patch b/SOURCES/0046-s4-torture-Use-init_samr_CryptPassword-in-test_Chang.patch
deleted file mode 100644
index f32323c..0000000
--- a/SOURCES/0046-s4-torture-Use-init_samr_CryptPassword-in-test_Chang.patch
+++ /dev/null
@@ -1,53 +0,0 @@
-From 88d136aae60d4aa8b6fe622e0e92a8bddbba1b1e Mon Sep 17 00:00:00 2001
-From: Andrew Bartlett
-Date: Thu, 25 Jul 2019 16:46:06 +1200
-Subject: [PATCH 046/187] s4:torture: Use init_samr_CryptPassword in
- test_ChangePasswordUser2
-
-This allows the use of GnuTLS for the RC4 crypto operation
-
-Signed-off-by: Andrew Bartlett
-Reviewed-by: Andreas Schneider
-(cherry picked from commit dfda49472e0b4a81653963e80d8d65788f80a591)
----
- source4/torture/rpc/samr.c | 13 ++++++++++---
- 1 file changed, 10 insertions(+), 3 deletions(-)
-
-diff --git a/source4/torture/rpc/samr.c b/source4/torture/rpc/samr.c
-index eb032905dc8..6cc508a2d44 100644
---- a/source4/torture/rpc/samr.c
-+++ b/source4/torture/rpc/samr.c
-@@ -2259,11 +2259,13 @@ static bool test_ChangePasswordUser2(struct dcerpc_pipe *p, struct torture_conte
- struct dcerpc_binding_handle *b = p->binding_handle;
- uint8_t old_nt_hash[16], new_nt_hash[16];
- uint8_t old_lm_hash[16], new_lm_hash[16];
--
-+ DATA_BLOB old_nt_hash_blob
-+ = data_blob_const(old_nt_hash, sizeof(old_nt_hash));
- struct samr_GetDomPwInfo dom_pw_info;
- struct samr_PwInfo info;
-
- struct lsa_String domain_name;
-+ NTSTATUS status;
-
- domain_name.string = "";
- dom_pw_info.in.domain_name = &domain_name;
-@@ -2299,8 +2301,13 @@ static bool test_ChangePasswordUser2(struct dcerpc_pipe *p, struct torture_conte
- arcfour_crypt(lm_pass.data, old_lm_hash, 516);
- E_old_pw_hash(new_nt_hash, old_lm_hash, lm_verifier.hash);
-
-- encode_pw_buffer(nt_pass.data, newpass, STR_UNICODE);
-- arcfour_crypt(nt_pass.data, old_nt_hash, 516);
-+ status = init_samr_CryptPassword(newpass,
-+ &old_nt_hash_blob,
-+ &nt_pass);
-+ torture_assert_ntstatus_ok(tctx,
-+ status,
-+ "init_samr_CryptPassword failed");
-+
- E_old_pw_hash(new_nt_hash, old_nt_hash, nt_verifier.hash);
-
- r.in.server = &server;
---
-2.23.0
-
diff --git a/SOURCES/0047-s4-torture-Use-init_samr_CryptPassword-in-test_Chang.patch b/SOURCES/0047-s4-torture-Use-init_samr_CryptPassword-in-test_Chang.patch
deleted file mode 100644
index f4b58d8..0000000
--- a/SOURCES/0047-s4-torture-Use-init_samr_CryptPassword-in-test_Chang.patch
+++ /dev/null
@@ -1,54 +0,0 @@
-From 90bdf8b2063c05576450975df0983953d6febd95 Mon Sep 17 00:00:00 2001
-From: Andrew Bartlett
-Date: Thu, 25 Jul 2019 16:52:41 +1200
-Subject: [PATCH 047/187] s4:torture: Use init_samr_CryptPassword in
- test_ChangePasswordUser2_ntstatus
-
-This allows the use of GnuTLS for the RC4 crypto operation
-
-Signed-off-by: Andrew Bartlett
-Reviewed-by: Andreas Schneider
-(cherry picked from commit 1b1c302a7db23bf4377b8fa742ebf7ae913e3511)
----
- source4/torture/rpc/samr.c | 13 +++++++++++--
- 1 file changed, 11 insertions(+), 2 deletions(-)
-
-diff --git a/source4/torture/rpc/samr.c b/source4/torture/rpc/samr.c
-index 6cc508a2d44..5bf758e2fb2 100644
---- a/source4/torture/rpc/samr.c
-+++ b/source4/torture/rpc/samr.c
-@@ -2349,11 +2349,15 @@ static bool test_ChangePasswordUser2_ntstatus(struct dcerpc_pipe *p, struct tort
- struct dcerpc_binding_handle *b = p->binding_handle;
- uint8_t old_nt_hash[16], new_nt_hash[16];
- uint8_t old_lm_hash[16], new_lm_hash[16];
-+ DATA_BLOB old_nt_hash_blob
-+ = data_blob_const(old_nt_hash, sizeof(old_nt_hash));
-
- struct samr_GetDomPwInfo dom_pw_info;
- struct samr_PwInfo info;
-
- struct lsa_String domain_name;
-+ NTSTATUS crypt_status;
-+
- char *newpass;
- int policy_min_pw_len = 0;
-
-@@ -2386,8 +2390,13 @@ static bool test_ChangePasswordUser2_ntstatus(struct dcerpc_pipe *p, struct tort
- arcfour_crypt(lm_pass.data, old_lm_hash, 516);
- E_old_pw_hash(new_nt_hash, old_lm_hash, lm_verifier.hash);
-
-- encode_pw_buffer(nt_pass.data, newpass, STR_UNICODE);
-- arcfour_crypt(nt_pass.data, old_nt_hash, 516);
-+ crypt_status = init_samr_CryptPassword(newpass,
-+ &old_nt_hash_blob,
-+ &nt_pass);
-+ torture_assert_ntstatus_ok(tctx,
-+ crypt_status,
-+ "init_samr_CryptPassword failed");
-+
- E_old_pw_hash(new_nt_hash, old_nt_hash, nt_verifier.hash);
-
- r.in.server = &server;
---
-2.23.0
-
diff --git a/SOURCES/0048-s4_torture-Use-GnuTLS-RC4-in-test_ChangePasswordUser.patch b/SOURCES/0048-s4_torture-Use-GnuTLS-RC4-in-test_ChangePasswordUser.patch
deleted file mode 100644
index 2ab75d9..0000000
--- a/SOURCES/0048-s4_torture-Use-GnuTLS-RC4-in-test_ChangePasswordUser.patch
+++ /dev/null
@@ -1,57 +0,0 @@
-From b21a4ac4a6d92d720e1e04b9eadf50cc59a4ebe5 Mon Sep 17 00:00:00 2001
-From: Andreas Schneider
-Date: Wed, 24 Jul 2019 16:24:18 +0200
-Subject: [PATCH 048/187] s4_torture: Use GnuTLS RC4 in
- test_ChangePasswordUser2
-
-This uses STR_ASCII as string encodings.
-
-Signed-off-by: Andreas Schneider
-Reviewed-by: Andrew Bartlett
-(cherry picked from commit 9cbdf7b2e5f734e9b5e0e447d54d720d18977950)
----
- source4/torture/rpc/samr.c | 21 ++++++++++++++++++++-
- 1 file changed, 20 insertions(+), 1 deletion(-)
-
-diff --git a/source4/torture/rpc/samr.c b/source4/torture/rpc/samr.c
-index 5bf758e2fb2..7f1da86d19a 100644
---- a/source4/torture/rpc/samr.c
-+++ b/source4/torture/rpc/samr.c
-@@ -2267,6 +2267,16 @@ static bool test_ChangePasswordUser2(struct dcerpc_pipe *p, struct torture_conte
- struct lsa_String domain_name;
- NTSTATUS status;
-
-+ gnutls_cipher_hd_t cipher_hnd = NULL;
-+ gnutls_datum_t old_lm_key = {
-+ .data = old_lm_hash,
-+ .size = sizeof(old_lm_hash),
-+ };
-+ gnutls_datum_t old_nt_key = {
-+ .data = old_nt_hash,
-+ .size = sizeof(old_nt_hash),
-+ };
-+
- domain_name.string = "";
- dom_pw_info.in.domain_name = &domain_name;
- dom_pw_info.out.info = &info;
-@@ -2298,7 +2308,16 @@ static bool test_ChangePasswordUser2(struct dcerpc_pipe *p, struct torture_conte
- E_deshash(newpass, new_lm_hash);
-
- encode_pw_buffer(lm_pass.data, newpass, STR_ASCII|STR_TERMINATE);
-- arcfour_crypt(lm_pass.data, old_lm_hash, 516);
-+
-+ gnutls_cipher_init(&cipher_hnd,
-+ GNUTLS_CIPHER_ARCFOUR_128,
-+ &old_lm_key,
-+ NULL);
-+ gnutls_cipher_encrypt(cipher_hnd,
-+ lm_pass.data,
-+ 516);
-+ gnutls_cipher_deinit(cipher_hnd);
-+
- E_old_pw_hash(new_nt_hash, old_lm_hash, lm_verifier.hash);
-
- status = init_samr_CryptPassword(newpass,
---
-2.23.0
-
diff --git a/SOURCES/0049-s4-torture-Use-GnuTLS-RC4-in-test_ChangePasswordUser.patch b/SOURCES/0049-s4-torture-Use-GnuTLS-RC4-in-test_ChangePasswordUser.patch
deleted file mode 100644
index e4f81c2..0000000
--- a/SOURCES/0049-s4-torture-Use-GnuTLS-RC4-in-test_ChangePasswordUser.patch
+++ /dev/null
@@ -1,61 +0,0 @@
-From b7700aa619a69f652b350b89a5a67a989658a474 Mon Sep 17 00:00:00 2001
-From: Andreas Schneider
-Date: Wed, 24 Jul 2019 16:00:32 +0200
-Subject: [PATCH 049/187] s4:torture: Use GnuTLS RC4 in
- test_ChangePasswordUser2_ntstatus
-
-Signed-off-by: Andreas Schneider
-Reviewed-by: Andrew Bartlett
-(cherry picked from commit a476a2e3322a550e2857cb5a66096fa3e46416d3)
----
- source4/torture/rpc/samr.c | 20 +++++++++++++++-----
- 1 file changed, 15 insertions(+), 5 deletions(-)
-
-diff --git a/source4/torture/rpc/samr.c b/source4/torture/rpc/samr.c
-index 7f1da86d19a..307b0b03594 100644
---- a/source4/torture/rpc/samr.c
-+++ b/source4/torture/rpc/samr.c
-@@ -2272,10 +2272,6 @@ static bool test_ChangePasswordUser2(struct dcerpc_pipe *p, struct torture_conte
- .data = old_lm_hash,
- .size = sizeof(old_lm_hash),
- };
-- gnutls_datum_t old_nt_key = {
-- .data = old_nt_hash,
-- .size = sizeof(old_nt_hash),
-- };
-
- domain_name.string = "";
- dom_pw_info.in.domain_name = &domain_name;
-@@ -2370,6 +2366,11 @@ static bool test_ChangePasswordUser2_ntstatus(struct dcerpc_pipe *p, struct tort
- uint8_t old_lm_hash[16], new_lm_hash[16];
- DATA_BLOB old_nt_hash_blob
- = data_blob_const(old_nt_hash, sizeof(old_nt_hash));
-+ gnutls_cipher_hd_t cipher_hnd = NULL;
-+ gnutls_datum_t old_lm_key = {
-+ .data = old_lm_hash,
-+ .size = sizeof(old_lm_hash),
-+ };
-
- struct samr_GetDomPwInfo dom_pw_info;
- struct samr_PwInfo info;
-@@ -2406,7 +2407,16 @@ static bool test_ChangePasswordUser2_ntstatus(struct dcerpc_pipe *p, struct tort
- E_deshash(newpass, new_lm_hash);
-
- encode_pw_buffer(lm_pass.data, newpass, STR_ASCII|STR_TERMINATE);
-- arcfour_crypt(lm_pass.data, old_lm_hash, 516);
-+
-+ gnutls_cipher_init(&cipher_hnd,
-+ GNUTLS_CIPHER_ARCFOUR_128,
-+ &old_lm_key,
-+ NULL);
-+ gnutls_cipher_encrypt(cipher_hnd,
-+ lm_pass.data,
-+ 516);
-+ gnutls_cipher_deinit(cipher_hnd);
-+
- E_old_pw_hash(new_nt_hash, old_lm_hash, lm_verifier.hash);
-
- crypt_status = init_samr_CryptPassword(newpass,
---
-2.23.0
-
diff --git a/SOURCES/0050-s4-torture-Use-init_samr_CryptPassword-in-test_Chang.patch b/SOURCES/0050-s4-torture-Use-init_samr_CryptPassword-in-test_Chang.patch
deleted file mode 100644
index c6cb255..0000000
--- a/SOURCES/0050-s4-torture-Use-init_samr_CryptPassword-in-test_Chang.patch
+++ /dev/null
@@ -1,119 +0,0 @@
-From e3c6cd617dc324d86212a50555adbeffb966555c Mon Sep 17 00:00:00 2001
-From: Andreas Schneider
-Date: Wed, 24 Jul 2019 16:01:02 +0200
-Subject: [PATCH 050/187] s4:torture: Use init_samr_CryptPassword in
- test_ChangePasswordUser3
-
-Signed-off-by: Andreas Schneider
-Reviewed-by: Andrew Bartlett
-(cherry picked from commit 5b7c21fca576bf6e44233d69b47273058b9197c8)
----
- source4/torture/rpc/samr.c | 64 +++++++++++++++++++++++++++++---------
- 1 file changed, 49 insertions(+), 15 deletions(-)
-
-diff --git a/source4/torture/rpc/samr.c b/source4/torture/rpc/samr.c
-index 307b0b03594..55059a26b43 100644
---- a/source4/torture/rpc/samr.c
-+++ b/source4/torture/rpc/samr.c
-@@ -2472,6 +2472,8 @@ bool test_ChangePasswordUser3(struct dcerpc_pipe *p, struct torture_context *tct
- NTTIME t;
- struct samr_DomInfo1 *dominfo = NULL;
- struct userPwdChangeFailureInformation *reject = NULL;
-+ DATA_BLOB session_key = data_blob_const(old_nt_hash, 16);
-+ NTSTATUS status;
-
- torture_comment(tctx, "Testing ChangePasswordUser3\n");
-
-@@ -2500,12 +2502,22 @@ bool test_ChangePasswordUser3(struct dcerpc_pipe *p, struct torture_context *tct
- E_deshash(oldpass, old_lm_hash);
- E_deshash(newpass, new_lm_hash);
-
-- encode_pw_buffer(lm_pass.data, newpass, STR_UNICODE);
-- arcfour_crypt(lm_pass.data, old_nt_hash, 516);
-+ status = init_samr_CryptPassword(newpass,
-+ &session_key,
-+ &lm_pass);
-+ torture_assert_ntstatus_ok(tctx,
-+ status,
-+ "init_samr_CryptPassword");
-+
- E_old_pw_hash(new_nt_hash, old_lm_hash, lm_verifier.hash);
-
-- encode_pw_buffer(nt_pass.data, newpass, STR_UNICODE);
-- arcfour_crypt(nt_pass.data, old_nt_hash, 516);
-+ status = init_samr_CryptPassword(newpass,
-+ &session_key,
-+ &nt_pass);
-+ torture_assert_ntstatus_ok(tctx,
-+ status,
-+ "init_samr_CryptPassword");
-+
- E_old_pw_hash(new_nt_hash, old_nt_hash, nt_verifier.hash);
-
- /* Break the verification */
-@@ -2534,16 +2546,28 @@ bool test_ChangePasswordUser3(struct dcerpc_pipe *p, struct torture_context *tct
- ret = false;
- }
-
-- encode_pw_buffer(lm_pass.data, newpass, STR_UNICODE);
-- arcfour_crypt(lm_pass.data, old_nt_hash, 516);
-+ status = init_samr_CryptPassword(newpass,
-+ &session_key,
-+ &lm_pass);
-+ torture_assert_ntstatus_ok(tctx,
-+ status,
-+ "init_samr_CryptPassword");
-+
- E_old_pw_hash(new_nt_hash, old_lm_hash, lm_verifier.hash);
-
-- encode_pw_buffer(nt_pass.data, newpass, STR_UNICODE);
-- /* Break the NT hash */
-- old_nt_hash[0]++;
-- arcfour_crypt(nt_pass.data, old_nt_hash, 516);
-+ /* Break the session key */
-+ session_key.data[0]++;
-+
-+ status = init_samr_CryptPassword(newpass,
-+ &session_key,
-+ &nt_pass);
-+ torture_assert_ntstatus_ok(tctx,
-+ status,
-+ "init_samr_CryptPassword");
-+
- /* Unbreak it again */
-- old_nt_hash[0]--;
-+ session_key.data[0]--;
-+
- E_old_pw_hash(new_nt_hash, old_nt_hash, nt_verifier.hash);
-
- r.in.server = &server;
-@@ -2590,12 +2614,22 @@ bool test_ChangePasswordUser3(struct dcerpc_pipe *p, struct torture_context *tct
- E_deshash(oldpass, old_lm_hash);
- E_deshash(newpass, new_lm_hash);
-
-- encode_pw_buffer(lm_pass.data, newpass, STR_UNICODE);
-- arcfour_crypt(lm_pass.data, old_nt_hash, 516);
-+ status = init_samr_CryptPassword(newpass,
-+ &session_key,
-+ &lm_pass);
-+ torture_assert_ntstatus_ok(tctx,
-+ status,
-+ "init_samr_CryptPassword");
-+
- E_old_pw_hash(new_nt_hash, old_lm_hash, lm_verifier.hash);
-
-- encode_pw_buffer(nt_pass.data, newpass, STR_UNICODE);
-- arcfour_crypt(nt_pass.data, old_nt_hash, 516);
-+ status = init_samr_CryptPassword(newpass,
-+ &session_key,
-+ &nt_pass);
-+ torture_assert_ntstatus_ok(tctx,
-+ status,
-+ "init_samr_CryptPassword");
-+
- E_old_pw_hash(new_nt_hash, old_nt_hash, nt_verifier.hash);
-
- r.in.server = &server;
---
-2.23.0
-
diff --git a/SOURCES/0051-s4-torture-clarify-comments-and-variable-names-in-Ch.patch b/SOURCES/0051-s4-torture-clarify-comments-and-variable-names-in-Ch.patch
deleted file mode 100644
index d0243ab..0000000
--- a/SOURCES/0051-s4-torture-clarify-comments-and-variable-names-in-Ch.patch
+++ /dev/null
@@ -1,130 +0,0 @@
-From f0d05dc2dce30f851f9e1eb6a1952730dfe907f6 Mon Sep 17 00:00:00 2001
-From: Andrew Bartlett
-Date: Thu, 25 Jul 2019 17:18:50 +1200
-Subject: [PATCH 051/187] s4:torture: clarify comments and variable names in
- "ChangePasswordUser3 tests
-
-There is no session key here, the buffers are directly encrypted
-with the long-term passwords.
-
-Signed-off-by: Andrew Bartlett
-Reviewed-by: Andreas Schneider
-(cherry picked from commit 8380668be7963b74cbbd31bfab3d01d1f3089034)
----
- source4/torture/rpc/samr.c | 43 +++++++++++++++++++++++++++++---------
- 1 file changed, 33 insertions(+), 10 deletions(-)
-
-diff --git a/source4/torture/rpc/samr.c b/source4/torture/rpc/samr.c
-index 55059a26b43..20afa9392e2 100644
---- a/source4/torture/rpc/samr.c
-+++ b/source4/torture/rpc/samr.c
-@@ -2472,7 +2472,7 @@ bool test_ChangePasswordUser3(struct dcerpc_pipe *p, struct torture_context *tct
- NTTIME t;
- struct samr_DomInfo1 *dominfo = NULL;
- struct userPwdChangeFailureInformation *reject = NULL;
-- DATA_BLOB session_key = data_blob_const(old_nt_hash, 16);
-+ DATA_BLOB old_nt_hash_blob = data_blob_const(old_nt_hash, 16);
- NTSTATUS status;
-
- torture_comment(tctx, "Testing ChangePasswordUser3\n");
-@@ -2502,22 +2502,45 @@ bool test_ChangePasswordUser3(struct dcerpc_pipe *p, struct torture_context *tct
- E_deshash(oldpass, old_lm_hash);
- E_deshash(newpass, new_lm_hash);
-
-+ /*
-+ * The new plaintext password is encrypted using RC4 with the
-+ * old NT password hash (directly, with no confounder). The
-+ * password is at the end of the random padded buffer,
-+ * offering a little protection.
-+ *
-+ * This is almost certainly wrong, it should be the old LM
-+ * hash, it was switched in an unrelated commit
-+ * 579c13da43d5b40ac6d6c1436399fbc1d8dfd054 in 2004.
-+ */
- status = init_samr_CryptPassword(newpass,
-- &session_key,
-+ &old_nt_hash_blob,
- &lm_pass);
- torture_assert_ntstatus_ok(tctx,
- status,
- "init_samr_CryptPassword");
-
-+ /*
-+ * Now we prepare a DES cross-hash of the old LM and new NT
-+ * passwords to link the two buffers
-+ */
- E_old_pw_hash(new_nt_hash, old_lm_hash, lm_verifier.hash);
-
-+ /*
-+ * The new plaintext password is also encrypted using RC4 with
-+ * the old NT password hash (directly, with no confounder).
-+ * The password is at the end of the random padded buffer,
-+ * offering a little protection.
-+ */
- status = init_samr_CryptPassword(newpass,
-- &session_key,
-+ &old_nt_hash_blob,
- &nt_pass);
- torture_assert_ntstatus_ok(tctx,
- status,
- "init_samr_CryptPassword");
-
-+ /*
-+ * Another DES based cross-hash
-+ */
- E_old_pw_hash(new_nt_hash, old_nt_hash, nt_verifier.hash);
-
- /* Break the verification */
-@@ -2547,7 +2570,7 @@ bool test_ChangePasswordUser3(struct dcerpc_pipe *p, struct torture_context *tct
- }
-
- status = init_samr_CryptPassword(newpass,
-- &session_key,
-+ &old_nt_hash_blob,
- &lm_pass);
- torture_assert_ntstatus_ok(tctx,
- status,
-@@ -2555,18 +2578,18 @@ bool test_ChangePasswordUser3(struct dcerpc_pipe *p, struct torture_context *tct
-
- E_old_pw_hash(new_nt_hash, old_lm_hash, lm_verifier.hash);
-
-- /* Break the session key */
-- session_key.data[0]++;
-+ /* Break the NT Hash */
-+ old_nt_hash[0]++;
-
- status = init_samr_CryptPassword(newpass,
-- &session_key,
-+ &old_nt_hash_blob,
- &nt_pass);
- torture_assert_ntstatus_ok(tctx,
- status,
- "init_samr_CryptPassword");
-
- /* Unbreak it again */
-- session_key.data[0]--;
-+ old_nt_hash[0]--;
-
- E_old_pw_hash(new_nt_hash, old_nt_hash, nt_verifier.hash);
-
-@@ -2615,7 +2638,7 @@ bool test_ChangePasswordUser3(struct dcerpc_pipe *p, struct torture_context *tct
- E_deshash(newpass, new_lm_hash);
-
- status = init_samr_CryptPassword(newpass,
-- &session_key,
-+ &old_nt_hash_blob,
- &lm_pass);
- torture_assert_ntstatus_ok(tctx,
- status,
-@@ -2624,7 +2647,7 @@ bool test_ChangePasswordUser3(struct dcerpc_pipe *p, struct torture_context *tct
- E_old_pw_hash(new_nt_hash, old_lm_hash, lm_verifier.hash);
-
- status = init_samr_CryptPassword(newpass,
-- &session_key,
-+ &old_nt_hash_blob,
- &nt_pass);
- torture_assert_ntstatus_ok(tctx,
- status,
---
-2.23.0
-
diff --git a/SOURCES/0052-s4-torture-Use-init_samr_CryptPassword-in-test_Chang.patch b/SOURCES/0052-s4-torture-Use-init_samr_CryptPassword-in-test_Chang.patch
deleted file mode 100644
index 55095de..0000000
--- a/SOURCES/0052-s4-torture-Use-init_samr_CryptPassword-in-test_Chang.patch
+++ /dev/null
@@ -1,48 +0,0 @@
-From 7ce6d4730f7ff8c5008ad91d665a172fec8e5ba8 Mon Sep 17 00:00:00 2001
-From: Andrew Bartlett
-Date: Thu, 25 Jul 2019 17:43:23 +1200
-Subject: [PATCH 052/187] s4:torture: Use init_samr_CryptPassword in
- test_ChangePasswordRandomBytes
-
-This allows the use of GnuTLS for the underlying RC4 crypto
-
-Signed-off-by: Andrew Bartlett
-Reviewed-by: Andreas Schneider
-(cherry picked from commit 19d9c2c01a54957bc3852e2565d92c1cdd89498b)
----
- source4/torture/rpc/samr.c | 12 ++++++++++--
- 1 file changed, 10 insertions(+), 2 deletions(-)
-
-diff --git a/source4/torture/rpc/samr.c b/source4/torture/rpc/samr.c
-index 20afa9392e2..10377850314 100644
---- a/source4/torture/rpc/samr.c
-+++ b/source4/torture/rpc/samr.c
-@@ -2790,6 +2790,9 @@ bool test_ChangePasswordRandomBytes(struct dcerpc_pipe *p, struct torture_contex
- char *oldpass;
- struct dcerpc_binding_handle *b = p->binding_handle;
- uint8_t old_nt_hash[16], new_nt_hash[16];
-+ DATA_BLOB old_nt_hash_blob
-+ = data_blob_const(old_nt_hash,
-+ sizeof(old_nt_hash));
- NTTIME t;
- struct samr_DomInfo1 *dominfo = NULL;
- struct userPwdChangeFailureInformation *reject = NULL;
-@@ -2893,8 +2896,13 @@ bool test_ChangePasswordRandomBytes(struct dcerpc_pipe *p, struct torture_contex
-
- E_md4hash(newpass, new_nt_hash);
-
-- encode_pw_buffer(nt_pass.data, newpass, STR_UNICODE);
-- arcfour_crypt(nt_pass.data, old_nt_hash, 516);
-+ status = init_samr_CryptPassword(newpass,
-+ &old_nt_hash_blob,
-+ &nt_pass);
-+ torture_assert_ntstatus_ok(tctx,
-+ status,
-+ "init_samr_CryptPassword failed");
-+
- E_old_pw_hash(new_nt_hash, old_nt_hash, nt_verifier.hash);
-
- r.in.server = &server;
---
-2.23.0
-
diff --git a/SOURCES/0053-s4-torture-Use-GnuTLS-RC4-in-test_ChangePasswordRand.patch b/SOURCES/0053-s4-torture-Use-GnuTLS-RC4-in-test_ChangePasswordRand.patch
deleted file mode 100644
index ef6822c..0000000
--- a/SOURCES/0053-s4-torture-Use-GnuTLS-RC4-in-test_ChangePasswordRand.patch
+++ /dev/null
@@ -1,51 +0,0 @@ -From 74f61d6ecf74311a12e8454f2ce12a4b63bbfe90 Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Wed, 24 Jul 2019 16:01:31 +0200 -Subject: [PATCH 053/187] s4:torture: Use GnuTLS RC4 in - test_ChangePasswordRandomBytes - -Signed-off-by: Andreas Schneider -Signed-off-by: Andrew Bartlett -Reviewed-by: Andrew Bartlett -(cherry picked from commit 82a6480611f791a3c26fcf70975e6f8b3b1757ad) ---- - source4/torture/rpc/samr.c | 16 +++++++++++++++- - 1 file changed, 15 insertions(+), 1 deletion(-) - -diff --git a/source4/torture/rpc/samr.c b/source4/torture/rpc/samr.c -index 10377850314..10bdd52fd47 100644 ---- a/source4/torture/rpc/samr.c -+++ b/source4/torture/rpc/samr.c -@@ -2796,6 +2796,11 @@ bool test_ChangePasswordRandomBytes(struct dcerpc_pipe *p, struct torture_contex - NTTIME t; - struct samr_DomInfo1 *dominfo = NULL; - struct userPwdChangeFailureInformation *reject = NULL; -+ gnutls_cipher_hd_t cipher_hnd = NULL; -+ gnutls_datum_t old_nt_key = { -+ .data = old_nt_hash, -+ .size = sizeof(old_nt_hash), -+ }; - - new_random_pass = samr_very_rand_pass(tctx, 128); - -@@ -2855,7 +2860,16 @@ bool test_ChangePasswordRandomBytes(struct dcerpc_pipe *p, struct torture_contex - mdfour(new_nt_hash, new_random_pass.data, new_random_pass.length); - - set_pw_in_buffer(nt_pass.data, &new_random_pass); -- arcfour_crypt(nt_pass.data, old_nt_hash, 516); -+ -+ gnutls_cipher_init(&cipher_hnd, -+ GNUTLS_CIPHER_ARCFOUR_128, -+ &old_nt_key, -+ NULL); -+ gnutls_cipher_encrypt(cipher_hnd, -+ nt_pass.data, -+ 516); -+ gnutls_cipher_deinit(cipher_hnd); -+ - E_old_pw_hash(new_nt_hash, old_nt_hash, nt_verifier.hash); - - r.in.server = &server; --- -2.23.0 - diff --git a/SOURCES/0054-s4-torture-Use-samba_gnutls_arcfour_confounded_md5-i.patch b/SOURCES/0054-s4-torture-Use-samba_gnutls_arcfour_confounded_md5-i.patch deleted file mode 100644 index 659209c..0000000 --- a/SOURCES/0054-s4-torture-Use-samba_gnutls_arcfour_confounded_md5-i.patch +++ /dev/null 
@@ -1,84 +0,0 @@ -From 0f56ee5720764eec28ce23bc82a01c16411df5fb Mon Sep 17 00:00:00 2001 -From: Andrew Bartlett -Date: Thu, 25 Jul 2019 13:07:48 +1200 -Subject: [PATCH 054/187] s4:torture: Use samba_gnutls_arcfour_confounded_md5() - in test_ChangePasswordRandomBytes - -This ensures GnuTLS is used as the underlying RC4 crypto engine - -Signed-off-by: Andrew Bartlett -Reviewed-by: Andreas Schneider -(cherry picked from commit 5740e9516f3587e3a9f72cf52cfe1eedd940b2a9) ---- - source4/torture/rpc/samr.c | 25 +++++++++++++++---------- - 1 file changed, 15 insertions(+), 10 deletions(-) - -diff --git a/source4/torture/rpc/samr.c b/source4/torture/rpc/samr.c -index 10bdd52fd47..4b3ad093bf6 100644 ---- a/source4/torture/rpc/samr.c -+++ b/source4/torture/rpc/samr.c -@@ -42,6 +42,7 @@ - #include "torture/util.h" - #include "source4/librpc/rpc/dcerpc.h" - #include "source3/rpc_client/init_samr.h" -+#include "lib/crypto/gnutls_helpers.h" - - #define TEST_ACCOUNT_NAME "samrtorturetest" - #define TEST_ACCOUNT_NAME_PWD "samrpwdlastset" -@@ -2777,9 +2778,6 @@ bool test_ChangePasswordRandomBytes(struct dcerpc_pipe *p, struct torture_contex - struct samr_SetUserInfo s; - union samr_UserInfo u; - DATA_BLOB session_key; -- DATA_BLOB confounded_session_key = data_blob_talloc(tctx, NULL, 16); -- uint8_t confounder[16]; -- gnutls_hash_hd_t hash_hnd; - - bool ret = true; - struct lsa_String server, account; -@@ -2797,6 +2795,11 @@ bool test_ChangePasswordRandomBytes(struct dcerpc_pipe *p, struct torture_contex - struct samr_DomInfo1 *dominfo = NULL; - struct userPwdChangeFailureInformation *reject = NULL; - gnutls_cipher_hd_t cipher_hnd = NULL; -+ uint8_t _confounder[16] = {0}; -+ DATA_BLOB confounder -+ = data_blob_const(_confounder, -+ sizeof(_confounder)); -+ DATA_BLOB pw_data; - gnutls_datum_t old_nt_key = { - .data = old_nt_hash, - .size = sizeof(old_nt_hash), -@@ -2821,6 +2824,8 @@ bool test_ChangePasswordRandomBytes(struct dcerpc_pipe *p, struct torture_contex - - 
set_pw_in_buffer(u.info25.password.data, &new_random_pass); - -+ pw_data = data_blob_const(u.info25.password.data, 516); -+ - status = dcerpc_fetch_session_key(p, &session_key); - if (!NT_STATUS_IS_OK(status)) { - torture_result(tctx, TORTURE_FAIL, "SetUserInfo level %u - no session key - %s\n", -@@ -2828,15 +2833,15 @@ bool test_ChangePasswordRandomBytes(struct dcerpc_pipe *p, struct torture_contex - return false; - } - -- generate_random_buffer((uint8_t *)confounder, 16); -+ generate_random_buffer(_confounder, -+ sizeof(_confounder)); - -- gnutls_hash_init(&hash_hnd, GNUTLS_DIG_MD5); -- gnutls_hash(hash_hnd, confounder, 16); -- gnutls_hash(hash_hnd, session_key.data, session_key.length); -- gnutls_hash_deinit(hash_hnd, confounded_session_key.data); -+ samba_gnutls_arcfour_confounded_md5(&confounder, -+ &session_key, -+ &pw_data, -+ SAMBA_GNUTLS_ENCRYPT); - -- arcfour_crypt_blob(u.info25.password.data, 516, &confounded_session_key); -- memcpy(&u.info25.password.data[516], confounder, 16); -+ memcpy(&u.info25.password.data[516], _confounder, sizeof(_confounder)); - - torture_comment(tctx, "Testing SetUserInfo level 25 (set password ex) with a password made up of only random bytes\n"); - --- -2.23.0 - diff --git a/SOURCES/0055-s4-torture-Use-init_samr_CryptPassword-in-testjoin-R.patch b/SOURCES/0055-s4-torture-Use-init_samr_CryptPassword-in-testjoin-R.patch deleted file mode 100644 index f06f4f9..0000000 --- a/SOURCES/0055-s4-torture-Use-init_samr_CryptPassword-in-testjoin-R.patch +++ /dev/null 
@@ -1,68 +0,0 @@ -From e1fd1c24002f30d31367d1caa59ccb057e8c9794 Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Fri, 22 Feb 2019 13:06:34 +0100 -Subject: [PATCH 055/187] s4:torture: Use init_samr_CryptPassword in testjoin - RPC test - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14031 - -Signed-off-by: Andreas Schneider -Reviewed-by: Andrew Bartlett -(cherry picked from commit 301544ab2b0c85752d5307f2daab59652c08e1e0) ---- - source4/torture/rpc/testjoin.c | 11 +++++++---- - 1 file changed, 7 insertions(+), 4 deletions(-) - -diff --git a/source4/torture/rpc/testjoin.c b/source4/torture/rpc/testjoin.c -index c4e287d579b..11394b1c277 100644 ---- a/source4/torture/rpc/testjoin.c -+++ b/source4/torture/rpc/testjoin.c -@@ -26,7 +26,6 @@ - - #include "includes.h" - #include "system/time.h" --#include "../lib/crypto/crypto.h" - #include "libnet/libnet.h" - #include "lib/cmdline/popt_common.h" - #include "librpc/gen_ndr/ndr_lsa_c.h" -@@ -36,6 +35,7 @@ - #include "torture/rpc/torture_rpc.h" - #include "libcli/security/security.h" - #include "param/param.h" -+#include "source3/rpc_client/init_samr.h" - - struct test_join { - struct dcerpc_pipe *p; -@@ -145,7 +145,6 @@ struct test_join *torture_create_testuser_max_pwlen(struct torture_context *tctx - char *random_pw; - const char *dc_binding = torture_setting_string(tctx, "dc_binding", NULL); - struct dcerpc_binding_handle *b = NULL; -- - join = talloc(NULL, struct test_join); - if (join == NULL) { - return NULL; -@@ -330,7 +329,6 @@ again: - s.in.info = &u; - s.in.level = 24; - -- encode_pw_buffer(u.info24.password.data, random_pw, STR_UNICODE); - u.info24.password_expired = 0; - - status = dcerpc_fetch_session_key(join->p, &session_key); -@@ -341,7 +339,12 @@ again: - goto failed; - } - -- arcfour_crypt_blob(u.info24.password.data, 516, &session_key); -+ status = init_samr_CryptPassword(random_pw, -+ &session_key, -+ &u.info24.password); -+ torture_assert_ntstatus_ok(tctx, -+ status, -+ "init_samr_CryptPassword 
failed"); - - status = dcerpc_samr_SetUserInfo_r(b, join, &s); - if (!NT_STATUS_IS_OK(status)) { --- -2.23.0 - diff --git a/SOURCES/0056-lib-crypto-Use-GnuTLS-RC4-in-py_crypto.patch b/SOURCES/0056-lib-crypto-Use-GnuTLS-RC4-in-py_crypto.patch deleted file mode 100644 index 41c94b4..0000000 --- a/SOURCES/0056-lib-crypto-Use-GnuTLS-RC4-in-py_crypto.patch +++ /dev/null 
@@ -1,91 +0,0 @@ -From f20d681243aed9c4e2c1a669cb04964b380413f3 Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Fri, 22 Feb 2019 12:59:13 +0100 -Subject: [PATCH 056/187] lib:crypto: Use GnuTLS RC4 in py_crypto - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14031 - -Signed-off-by: Andreas Schneider -Reviewed-by: Andrew Bartlett -(cherry picked from commit fc4ae06001fbb0045318a8cec7af6af81241c60e) ---- - lib/crypto/py_crypto.c | 34 +++++++++++++++++++++++++++++----- - lib/crypto/wscript_build | 7 +++---- - 2 files changed, 32 insertions(+), 9 deletions(-) - -diff --git a/lib/crypto/py_crypto.c b/lib/crypto/py_crypto.c -index 13e2569945d..c85cd2c13d2 100644 ---- a/lib/crypto/py_crypto.c -+++ b/lib/crypto/py_crypto.c -@@ -21,13 +21,18 @@ - #include - #include "includes.h" - #include "python/py3compat.h" --#include "lib/crypto/arcfour.h" -+ -+#include -+#include - - static PyObject *py_crypto_arcfour_crypt_blob(PyObject *module, PyObject *args) - { -- DATA_BLOB data, key; -+ DATA_BLOB data; - PyObject *py_data, *py_key, *result; - TALLOC_CTX *ctx; -+ gnutls_cipher_hd_t cipher_hnd = NULL; -+ gnutls_datum_t key; -+ int rc; - - if (!PyArg_ParseTuple(args, "OO", &py_data, &py_key)) - return NULL; -@@ -51,10 +56,29 @@ static PyObject *py_crypto_arcfour_crypt_blob(PyObject *module, PyObject *args) - return PyErr_NoMemory(); - } - -- key.data = (uint8_t *)PyBytes_AsString(py_key); -- key.length = PyBytes_Size(py_key); -+ key = (gnutls_datum_t) { -+ .data = (uint8_t *)PyBytes_AsString(py_key), -+ .size = PyBytes_Size(py_key), -+ }; - -- arcfour_crypt_blob(data.data, data.length, &key); -+ rc = gnutls_cipher_init(&cipher_hnd, -+ GNUTLS_CIPHER_ARCFOUR_128, -+ &key, -+ NULL); -+ if (rc < 0) { -+ talloc_free(ctx); -+ PyErr_Format(PyExc_OSError, "encryption failed"); -+ return NULL; -+ } -+ rc = gnutls_cipher_encrypt(cipher_hnd, -+ data.data, -+ data.length); -+ gnutls_cipher_deinit(cipher_hnd); -+ if (rc < 0) { -+ talloc_free(ctx); -+ PyErr_Format(PyExc_OSError, 
"encryption failed"); -+ return NULL; -+ } - - result = PyBytes_FromStringAndSize((const char*) data.data, data.length); - talloc_free(ctx); -diff --git a/lib/crypto/wscript_build b/lib/crypto/wscript_build -index 2ad8dfe2cd0..46b0e084328 100644 ---- a/lib/crypto/wscript_build -+++ b/lib/crypto/wscript_build -@@ -28,7 +28,6 @@ bld.SAMBA_SUBSYSTEM('TORTURE_LIBCRYPTO', - ) - - bld.SAMBA_PYTHON('python_crypto', -- source='py_crypto.c', -- deps='LIBCRYPTO', -- realname='samba/crypto.so' -- ) -+ source='py_crypto.c', -+ deps='gnutls talloc', -+ realname='samba/crypto.so') --- -2.23.0 - diff --git a/SOURCES/0057-lib-crypto-Remove-arcfour.h-from-crypto.h.patch b/SOURCES/0057-lib-crypto-Remove-arcfour.h-from-crypto.h.patch deleted file mode 100644 index fe1f7f8..0000000 --- a/SOURCES/0057-lib-crypto-Remove-arcfour.h-from-crypto.h.patch +++ /dev/null @@ -1,29 +0,0 @@ -From d40afca3d8b1881ecebc171fede2aa36aa0240d0 Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Tue, 26 Feb 2019 18:18:36 +0100 -Subject: [PATCH 057/187] lib:crypto: Remove arcfour.h from crypto.h - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14031 - -Signed-off-by: Andreas Schneider -Reviewed-by: Andrew Bartlett -(cherry picked from commit 14c4a075875860e709a9e2e52aad83aa4c58a5ad) ---- - lib/crypto/crypto.h | 1 - - 1 file changed, 1 deletion(-) - -diff --git a/lib/crypto/crypto.h b/lib/crypto/crypto.h -index 12aebaecefd..d7409f9a46d 100644 ---- a/lib/crypto/crypto.h -+++ b/lib/crypto/crypto.h -@@ -21,7 +21,6 @@ - #define _SAMBA_CRYPTO_H_ - - #include "../lib/crypto/md4.h" --#include "../lib/crypto/arcfour.h" - #include "../lib/crypto/aes.h" - #include "../lib/crypto/aes_cmac_128.h" - #include "../lib/crypto/aes_ccm_128.h" --- -2.23.0 - diff --git a/SOURCES/0058-lib-crypto-Don-t-build-RC4-if-we-have-GnuTLS-3.4.7.patch b/SOURCES/0058-lib-crypto-Don-t-build-RC4-if-we-have-GnuTLS-3.4.7.patch deleted file mode 100644 index 63bbfc8..0000000 
--- a/SOURCES/0058-lib-crypto-Don-t-build-RC4-if-we-have-GnuTLS-3.4.7.patch +++ /dev/null @@ -1,59 +0,0 @@ -From 32aea65d8f1c896a78f93d1183fb9bdf88eee7df Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Fri, 22 Feb 2019 13:28:01 +0100 -Subject: [PATCH 058/187] lib:crypto: Don't build RC4 if we have GnuTLS >= - 3.4.7 - -We have a GnuTLS DCEPRC backupkey implementation for the server and the -test. However this is only working with GnuTLS >= 3.4.7. So we need to -keep this around till we can require at least GnuTLS in a newer version. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14031 - -Signed-off-by: Andreas Schneider -Reviewed-by: Andrew Bartlett -(cherry picked from commit 9ede63fbada7842cd9ae120936bc6bd4b6ad16ac) ---- - lib/crypto/wscript_build | 25 ++++++++++++++++++++----- - 1 file changed, 20 insertions(+), 5 deletions(-) - -diff --git a/lib/crypto/wscript_build b/lib/crypto/wscript_build -index 46b0e084328..a26c10b627b 100644 ---- a/lib/crypto/wscript_build -+++ b/lib/crypto/wscript_build -@@ -12,12 +12,27 @@ bld.SAMBA_SUBSYSTEM('GNUTLS_HELPERS', - ''', - deps='gnutls samba-errors'); - -+# We have a GnuTLS DCEPRC backupkey implementation for the server and the test. -+# However this is only working with GnuTLS >= 3.4.7. So we need to keep this -+# around till we can require at least GnuTLS in a newer version. -+bld.SAMBA_SUBSYSTEM('LIBCRYPTO_RC4', -+ source='arcfour.c', -+ deps='talloc', -+ enabled=not bld.CONFIG_SET('HAVE_GNUTLS_3_4_7')) -+ - bld.SAMBA_SUBSYSTEM('LIBCRYPTO', -- source='''md4.c arcfour.c -- aes.c rijndael-alg-fst.c aes_cmac_128.c aes_ccm_128.c aes_gcm_128.c -- ''', -- deps='talloc' + extra_deps -- ) -+ source=''' -+ md4.c -+ aes.c -+ rijndael-alg-fst.c -+ aes_cmac_128.c -+ aes_ccm_128.c -+ aes_gcm_128.c -+ ''', -+ deps=''' -+ talloc -+ LIBCRYPTO_RC4 -+ ''' + extra_deps) - - bld.SAMBA_SUBSYSTEM('TORTURE_LIBCRYPTO', - source='''md4test.c --- -2.23.0 - 
diff --git a/SOURCES/0059-s3-lib-Use-the-passed-mem_ctx-instead-of-talloc_tos.patch b/SOURCES/0059-s3-lib-Use-the-passed-mem_ctx-instead-of-talloc_tos.patch deleted file mode 100644 index d6c0e1a..0000000 --- a/SOURCES/0059-s3-lib-Use-the-passed-mem_ctx-instead-of-talloc_tos.patch +++ /dev/null 
@@ -1,56 +0,0 @@ -From 0fb7a341e75794027de988894da7547a5258d705 Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Tue, 16 Jul 2019 15:20:23 +0200 -Subject: [PATCH 059/187] s3:lib: Use the passed mem_ctx instead of - talloc_tos() - -Signed-off-by: Andreas Schneider -Reviewed-by: Andrew Bartlett -(cherry picked from commit fa09e811ca6fb08a66940380b310ce9794397071) ---- - source3/lib/netapi/user.c | 8 ++++---- - 1 file changed, 4 insertions(+), 4 deletions(-) - -diff --git a/source3/lib/netapi/user.c b/source3/lib/netapi/user.c -index 827b7902040..fc236e55d1f 100644 ---- a/source3/lib/netapi/user.c -+++ b/source3/lib/netapi/user.c -@@ -290,7 +290,7 @@ static NTSTATUS construct_USER_INFO_X(uint32_t level, - /**************************************************************** - ****************************************************************/ - --static NTSTATUS set_user_info_USER_INFO_X(TALLOC_CTX *ctx, -+static NTSTATUS set_user_info_USER_INFO_X(TALLOC_CTX *mem_ctx, - struct rpc_pipe_client *pipe_cli, - DATA_BLOB *session_key, - struct policy_handle *user_handle, -@@ -320,7 +320,7 @@ static NTSTATUS set_user_info_USER_INFO_X(TALLOC_CTX *ctx, - return status; - } - -- status = dcerpc_samr_SetUserInfo2(b, talloc_tos(), -+ status = dcerpc_samr_SetUserInfo2(b, mem_ctx, - user_handle, - 25, - &user_info, -@@ -336,7 +336,7 @@ static NTSTATUS set_user_info_USER_INFO_X(TALLOC_CTX *ctx, - return status; - } - -- status = dcerpc_samr_SetUserInfo2(b, talloc_tos(), -+ status = dcerpc_samr_SetUserInfo2(b, mem_ctx, - user_handle, - 23, - &user_info, -@@ -353,7 +353,7 @@ static NTSTATUS set_user_info_USER_INFO_X(TALLOC_CTX *ctx, - - user_info.info21 = info21; - -- status = dcerpc_samr_SetUserInfo(b, talloc_tos(), -+ status = dcerpc_samr_SetUserInfo(b, mem_ctx, - user_handle, - 21, - &user_info, --- -2.23.0 - 
diff --git a/SOURCES/0060-s3-rpcclient-Use-a-stackframe-for-temporary-memory.patch b/SOURCES/0060-s3-rpcclient-Use-a-stackframe-for-temporary-memory.patch deleted file mode 100644 index 2139a62..0000000 --- a/SOURCES/0060-s3-rpcclient-Use-a-stackframe-for-temporary-memory.patch +++ /dev/null 
@@ -1,188 +0,0 @@ -From a2b0dcbb525b7aa3a6f79ca8f8cca4ef7fc2f8f7 Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Tue, 16 Jul 2019 15:45:51 +0200 -Subject: [PATCH 060/187] s3:rpcclient: Use a stackframe for temporary memory - -Signed-off-by: Andreas Schneider -Reviewed-by: Andrew Bartlett -(cherry picked from commit 9158a6ba8693070f3b2b71dd15089488869ab6cd) ---- - source3/rpcclient/cmd_samr.c | 56 +++++++++++++++++++++++++----------- - 1 file changed, 39 insertions(+), 17 deletions(-) - -diff --git a/source3/rpcclient/cmd_samr.c b/source3/rpcclient/cmd_samr.c -index b1b7c06515c..0cd8b50058e 100644 ---- a/source3/rpcclient/cmd_samr.c -+++ b/source3/rpcclient/cmd_samr.c -@@ -3043,6 +3043,7 @@ static NTSTATUS cmd_samr_setuserinfo_int(struct rpc_pipe_client *cli, - DATA_BLOB session_key; - uint8_t password_expired = 0; - struct dcerpc_binding_handle *b = cli->binding_handle; -+ TALLOC_CTX *frame = NULL; - - if (argc < 4) { - printf("Usage: %s username level password [password_expired]\n", -@@ -3050,6 +3051,8 @@ static NTSTATUS cmd_samr_setuserinfo_int(struct rpc_pipe_client *cli, - return NT_STATUS_INVALID_PARAMETER; - } - -+ frame = talloc_stackframe(); -+ - user = argv[1]; - level = atoi(argv[2]); - param = argv[3]; -@@ -3058,18 +3061,18 @@ static NTSTATUS cmd_samr_setuserinfo_int(struct rpc_pipe_client *cli, - password_expired = atoi(argv[4]); - } - -- status = cli_get_session_key(mem_ctx, cli, &session_key); -+ status = cli_get_session_key(frame, cli, &session_key); - if (!NT_STATUS_IS_OK(status)) { -- return status; -+ goto done; - } - - status = init_samr_CryptPassword(param, &session_key, &pwd_buf); - if (!NT_STATUS_IS_OK(status)) { -- return status; -+ goto done; - } - status = init_samr_CryptPasswordEx(param, &session_key, &pwd_buf_ex); - if (!NT_STATUS_IS_OK(status)) { -- return status; -+ goto done; - } - nt_lm_owf_gen(param, nt_hash, lm_hash); - -@@ -3078,14 +3081,22 @@ static NTSTATUS cmd_samr_setuserinfo_int(struct rpc_pipe_client *cli, - { - 
DATA_BLOB in,out; - in = data_blob_const(nt_hash, 16); -- out = data_blob_talloc_zero(mem_ctx, 16); -+ out = data_blob_talloc_zero(frame, 16); -+ if (out.data == NULL) { -+ status = NT_STATUS_NO_MEMORY; -+ goto done; -+ } - sess_crypt_blob(&out, &in, &session_key, true); - memcpy(nt_hash, out.data, out.length); - } - { - DATA_BLOB in,out; - in = data_blob_const(lm_hash, 16); -- out = data_blob_talloc_zero(mem_ctx, 16); -+ out = data_blob_talloc_zero(frame, 15); -+ if (out.data == NULL) { -+ status = NT_STATUS_NO_MEMORY; -+ goto done; -+ } - sess_crypt_blob(&out, &in, &session_key, true); - memcpy(lm_hash, out.data, out.length); - } -@@ -3118,18 +3129,26 @@ static NTSTATUS cmd_samr_setuserinfo_int(struct rpc_pipe_client *cli, - { - DATA_BLOB in,out; - in = data_blob_const(nt_hash, 16); -- out = data_blob_talloc_zero(mem_ctx, 16); -+ out = data_blob_talloc_zero(frame, 16); -+ if (out.data == NULL) { -+ status = NT_STATUS_NO_MEMORY; -+ goto done; -+ } - sess_crypt_blob(&out, &in, &session_key, true); - info.info21.nt_owf_password.array = -- (uint16_t *)talloc_memdup(mem_ctx, out.data, 16); -+ (uint16_t *)talloc_memdup(frame, out.data, 16); - } - { - DATA_BLOB in,out; - in = data_blob_const(lm_hash, 16); -- out = data_blob_talloc_zero(mem_ctx, 16); -+ out = data_blob_talloc_zero(frame, 16); - sess_crypt_blob(&out, &in, &session_key, true); - info.info21.lm_owf_password.array = -- (uint16_t *)talloc_memdup(mem_ctx, out.data, 16); -+ (uint16_t *)talloc_memdup(frame, out.data, 16); -+ if (out.data == NULL) { -+ status = NT_STATUS_NO_MEMORY; -+ goto done; -+ } - } - - break; -@@ -3175,7 +3194,7 @@ static NTSTATUS cmd_samr_setuserinfo_int(struct rpc_pipe_client *cli, - - /* Get sam policy handle */ - -- status = rpccli_try_samr_connects(cli, mem_ctx, -+ status = rpccli_try_samr_connects(cli, frame, - MAXIMUM_ALLOWED_ACCESS, - &connect_pol); - if (!NT_STATUS_IS_OK(status)) { -@@ -3184,7 +3203,7 @@ static NTSTATUS cmd_samr_setuserinfo_int(struct rpc_pipe_client *cli, - - /* 
Get domain policy handle */ - -- status = dcerpc_samr_OpenDomain(b, mem_ctx, -+ status = dcerpc_samr_OpenDomain(b, frame, - &connect_pol, - access_mask, - &domain_sid, -@@ -3200,7 +3219,7 @@ static NTSTATUS cmd_samr_setuserinfo_int(struct rpc_pipe_client *cli, - - user_rid = strtol(user, NULL, 0); - if (user_rid) { -- status = dcerpc_samr_OpenUser(b, mem_ctx, -+ status = dcerpc_samr_OpenUser(b, frame, - &domain_pol, - access_mask, - user_rid, -@@ -3222,7 +3241,7 @@ static NTSTATUS cmd_samr_setuserinfo_int(struct rpc_pipe_client *cli, - - init_lsa_String(&lsa_acct_name, user); - -- status = dcerpc_samr_LookupNames(b, mem_ctx, -+ status = dcerpc_samr_LookupNames(b, frame, - &domain_pol, - 1, - &lsa_acct_name, -@@ -3242,7 +3261,7 @@ static NTSTATUS cmd_samr_setuserinfo_int(struct rpc_pipe_client *cli, - return NT_STATUS_INVALID_NETWORK_RESPONSE; - } - -- status = dcerpc_samr_OpenUser(b, mem_ctx, -+ status = dcerpc_samr_OpenUser(b, frame, - &domain_pol, - access_mask, - rids.ids[0], -@@ -3258,14 +3277,14 @@ static NTSTATUS cmd_samr_setuserinfo_int(struct rpc_pipe_client *cli, - - switch (opcode) { - case NDR_SAMR_SETUSERINFO: -- status = dcerpc_samr_SetUserInfo(b, mem_ctx, -+ status = dcerpc_samr_SetUserInfo(b, frame, - &user_pol, - level, - &info, - &result); - break; - case NDR_SAMR_SETUSERINFO2: -- status = dcerpc_samr_SetUserInfo2(b, mem_ctx, -+ status = dcerpc_samr_SetUserInfo2(b, frame, - &user_pol, - level, - &info, -@@ -3283,7 +3302,10 @@ static NTSTATUS cmd_samr_setuserinfo_int(struct rpc_pipe_client *cli, - DEBUG(0,("result: %s\n", nt_errstr(status))); - goto done; - } -+ -+ status = NT_STATUS_OK; - done: -+ TALLOC_FREE(frame); - return status; - } - --- -2.23.0 - diff --git a/SOURCES/0061-s3-utils-Use-a-stackframe-for-temporary-memory.patch b/SOURCES/0061-s3-utils-Use-a-stackframe-for-temporary-memory.patch deleted file mode 100644 index 896dca3..0000000 --- a/SOURCES/0061-s3-utils-Use-a-stackframe-for-temporary-memory.patch +++ /dev/null 
@@ -1,104 +0,0 @@ -From 5a4fb7d50cfa71a57ce62fdd0e090b70da56b33c Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Tue, 16 Jul 2019 15:49:43 +0200 -Subject: [PATCH 061/187] s3:utils: Use a stackframe for temporary memory - -Signed-off-by: Andreas Schneider -Reviewed-by: Andrew Bartlett -(cherry picked from commit 52b3f921ad2d04cb30232a6aadf261c9fc9aafb2) ---- - source3/utils/net_rpc.c | 21 +++++++++++++-------- - 1 file changed, 13 insertions(+), 8 deletions(-) - -diff --git a/source3/utils/net_rpc.c b/source3/utils/net_rpc.c -index f6fb892a2d9..03462d89e1b 100644 ---- a/source3/utils/net_rpc.c -+++ b/source3/utils/net_rpc.c -@@ -6095,6 +6095,7 @@ static NTSTATUS rpc_trustdom_add_internals(struct net_context *c, - unsigned int orig_timeout; - struct dcerpc_binding_handle *b = pipe_hnd->binding_handle; - DATA_BLOB session_key = data_blob_null; -+ TALLOC_CTX *frame = NULL; - - if (argc != 2) { - d_printf("%s\n%s", -@@ -6104,22 +6105,24 @@ static NTSTATUS rpc_trustdom_add_internals(struct net_context *c, - return NT_STATUS_INVALID_PARAMETER; - } - -+ frame = talloc_stackframe(); -+ - /* - * Make valid trusting domain account (ie. uppercased and with '$' appended) - */ - - if (asprintf(&acct_name, "%s$", argv[0]) < 0) { -- return NT_STATUS_NO_MEMORY; -+ status = NT_STATUS_NO_MEMORY; - } - - if (!strupper_m(acct_name)) { -- SAFE_FREE(acct_name); -- return NT_STATUS_INVALID_PARAMETER; -+ status = NT_STATUS_INVALID_PARAMETER; -+ goto done; - } - - init_lsa_String(&lsa_acct_name, acct_name); - -- status = cli_get_session_key(mem_ctx, pipe_hnd, &session_key); -+ status = cli_get_session_key(frame, pipe_hnd, &session_key); - if (!NT_STATUS_IS_OK(status)) { - DEBUG(0,("Error getting session_key of SAM pipe. 
Error was %s\n", - nt_errstr(status))); -@@ -6127,7 +6130,7 @@ static NTSTATUS rpc_trustdom_add_internals(struct net_context *c, - } - - /* Get samr policy handle */ -- status = dcerpc_samr_Connect2(b, mem_ctx, -+ status = dcerpc_samr_Connect2(b, frame, - pipe_hnd->desthost, - MAXIMUM_ALLOWED_ACCESS, - &connect_pol, -@@ -6141,7 +6144,7 @@ static NTSTATUS rpc_trustdom_add_internals(struct net_context *c, - } - - /* Get domain policy handle */ -- status = dcerpc_samr_OpenDomain(b, mem_ctx, -+ status = dcerpc_samr_OpenDomain(b, frame, - &connect_pol, - MAXIMUM_ALLOWED_ACCESS, - discard_const_p(struct dom_sid2, domain_sid), -@@ -6168,7 +6171,7 @@ static NTSTATUS rpc_trustdom_add_internals(struct net_context *c, - SAMR_USER_ACCESS_GET_ATTRIBUTES | - SAMR_USER_ACCESS_SET_ATTRIBUTES; - -- status = dcerpc_samr_CreateUser2(b, mem_ctx, -+ status = dcerpc_samr_CreateUser2(b, frame, - &domain_pol, - &lsa_acct_name, - acb_info, -@@ -6207,7 +6210,7 @@ static NTSTATUS rpc_trustdom_add_internals(struct net_context *c, - info.info23.info.acct_flags = ACB_DOMTRUST; - info.info23.password = crypt_pwd; - -- status = dcerpc_samr_SetUserInfo2(b, mem_ctx, -+ status = dcerpc_samr_SetUserInfo2(b, frame, - &user_pol, - 23, - &info, -@@ -6224,9 +6227,11 @@ static NTSTATUS rpc_trustdom_add_internals(struct net_context *c, - } - } - -+ status = NT_STATUS_OK; - done: - SAFE_FREE(acct_name); - data_blob_clear_free(&session_key); -+ TALLOC_FREE(frame); - return status; - } - --- -2.23.0 - diff --git a/SOURCES/0062-s3-rpc_server-Use-a-stackframe-for-temporary-memory.patch b/SOURCES/0062-s3-rpc_server-Use-a-stackframe-for-temporary-memory.patch deleted file mode 100644 index 5f9d636..0000000 --- a/SOURCES/0062-s3-rpc_server-Use-a-stackframe-for-temporary-memory.patch +++ /dev/null 
@@ -1,96 +0,0 @@ -From cb51fd8abb0f0d3fa672452cd15d49af193de6ee Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Tue, 16 Jul 2019 16:02:12 +0200 -Subject: [PATCH 062/187] s3:rpc_server: Use a stackframe for temporary memory - -Signed-off-by: Andreas Schneider -Reviewed-by: Andrew Bartlett -(cherry picked from commit 1c84bda361678cb6c4685cff17a2d5a5026f2bce) ---- - source3/rpc_server/netlogon/srv_netlog_nt.c | 20 +++++++++++++------- - 1 file changed, 13 insertions(+), 7 deletions(-) - -diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c -index d5267bf7062..791aa7acaff 100644 ---- a/source3/rpc_server/netlogon/srv_netlog_nt.c -+++ b/source3/rpc_server/netlogon/srv_netlog_nt.c -@@ -1134,6 +1134,7 @@ static NTSTATUS netr_set_machine_account_password(TALLOC_CTX *mem_ctx, - int rc; - DATA_BLOB session_key; - enum samr_UserInfoLevel infolevel; -+ TALLOC_CTX *frame = talloc_stackframe(); - - ZERO_STRUCT(user_handle); - -@@ -1144,7 +1145,7 @@ static NTSTATUS netr_set_machine_account_password(TALLOC_CTX *mem_ctx, - goto out; - } - -- rc = tsocket_address_inet_from_strings(mem_ctx, -+ rc = tsocket_address_inet_from_strings(frame, - "ip", - "127.0.0.1", - 0, -@@ -1154,7 +1155,7 @@ static NTSTATUS netr_set_machine_account_password(TALLOC_CTX *mem_ctx, - goto out; - } - -- status = rpcint_binding_handle(mem_ctx, -+ status = rpcint_binding_handle(frame, - &ndr_table_samr, - local, - NULL, -@@ -1166,7 +1167,7 @@ static NTSTATUS netr_set_machine_account_password(TALLOC_CTX *mem_ctx, - } - - become_root(); -- status = samr_find_machine_account(mem_ctx, -+ status = samr_find_machine_account(frame, - h, - account_name, - SEC_FLAG_MAXIMUM_ALLOWED, -@@ -1179,7 +1180,7 @@ static NTSTATUS netr_set_machine_account_password(TALLOC_CTX *mem_ctx, - } - - status = dcerpc_samr_QueryUserInfo2(h, -- mem_ctx, -+ frame, - &user_handle, - UserControlInformation, - &info, -@@ -1213,7 +1214,11 @@ static NTSTATUS 
netr_set_machine_account_password(TALLOC_CTX *mem_ctx, - infolevel = UserInternal1Information; - - in = data_blob_const(cr->creds.nt_hash, 16); -- out = data_blob_talloc_zero(mem_ctx, 16); -+ out = data_blob_talloc_zero(frame, 16); -+ if (out.data == NULL) { -+ status = NT_STATUS_NO_MEMORY; -+ goto out; -+ } - sess_crypt_blob(&out, &in, &session_key, true); - memcpy(info18.nt_pwd.hash, out.data, out.length); - -@@ -1244,7 +1249,7 @@ static NTSTATUS netr_set_machine_account_password(TALLOC_CTX *mem_ctx, - - become_root(); - status = dcerpc_samr_SetUserInfo2(h, -- mem_ctx, -+ frame, - &user_handle, - infolevel, - info, -@@ -1260,8 +1265,9 @@ static NTSTATUS netr_set_machine_account_password(TALLOC_CTX *mem_ctx, - - out: - if (h && is_valid_policy_hnd(&user_handle)) { -- dcerpc_samr_Close(h, mem_ctx, &user_handle, &result); -+ dcerpc_samr_Close(h, frame, &user_handle, &result); - } -+ TALLOC_FREE(frame); - - return status; - } --- -2.23.0 - diff --git a/SOURCES/0063-netlogon-Fix-potential-use-of-uninitialized-variable.patch b/SOURCES/0063-netlogon-Fix-potential-use-of-uninitialized-variable.patch deleted file mode 100644 index b2a7151..0000000 --- a/SOURCES/0063-netlogon-Fix-potential-use-of-uninitialized-variable.patch +++ /dev/null 
@@ -1,32 +0,0 @@ -From b26c0a881c5a71ee310a942ffd65960974eabea8 Mon Sep 17 00:00:00 2001 -From: David Disseldorp -Date: Fri, 12 Jul 2019 17:29:23 +0200 -Subject: [PATCH 063/187] netlogon: Fix potential use of uninitialized variable - -The _netr_NetrEnumerateTrustedDomains()->dcerpc_lsa_open_policy2() error -path checks the policy handle and closes it if non-empty. The policy -handle may be uninitialized in this code-path - fix this. - -Signed-off-by: David Disseldorp -Reviewed-by: Andreas Schneider -Reviewed-by: Andrew Bartlett -(cherry picked from commit 93d424528f1c3d0d50ebd8a784f4624b2721d416) ---- - source3/rpc_server/netlogon/srv_netlog_nt.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c -index 791aa7acaff..08bce367bf0 100644 ---- a/source3/rpc_server/netlogon/srv_netlog_nt.c -+++ b/source3/rpc_server/netlogon/srv_netlog_nt.c -@@ -419,6 +419,7 @@ NTSTATUS _netr_NetrEnumerateTrustedDomains(struct pipes_struct *p, - int i; - uint32_t max_size = (uint32_t)-1; - -+ ZERO_STRUCT(pol); - DEBUG(6,("_netr_NetrEnumerateTrustedDomains: %d\n", __LINE__)); - - status = rpcint_binding_handle(p->mem_ctx, --- -2.23.0 - diff --git a/SOURCES/0064-s3-rpc_server-Only-dump-passwords-in-developer-build.patch b/SOURCES/0064-s3-rpc_server-Only-dump-passwords-in-developer-build.patch deleted file mode 100644 index 34e2ab3..0000000 --- a/SOURCES/0064-s3-rpc_server-Only-dump-passwords-in-developer-build.patch +++ /dev/null 
@@ -1,64 +0,0 @@ -From 8746734f6874d62825209a49b29b06f28183559d Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Tue, 16 Jul 2019 16:13:17 +0200 -Subject: [PATCH 064/187] s3:rpc_server: Only dump passwords in developer - builds - -Signed-off-by: Andreas Schneider -Reviewed-by: Andrew Bartlett - -Autobuild-User(master): Andrew Bartlett -Autobuild-Date(master): Fri Jul 26 03:05:01 UTC 2019 on sn-devel-184 - -(cherry picked from commit 1f923e067dbe358c17cbccfe179baa811aa3b8b3) ---- - source3/rpc_server/samr/srv_samr_nt.c | 8 ++++++++ - 1 file changed, 8 insertions(+) - -diff --git a/source3/rpc_server/samr/srv_samr_nt.c b/source3/rpc_server/samr/srv_samr_nt.c -index ad1d1853bda..87214b2899e 100644 ---- a/source3/rpc_server/samr/srv_samr_nt.c -+++ b/source3/rpc_server/samr/srv_samr_nt.c -@@ -5198,7 +5198,9 @@ NTSTATUS _samr_SetUserInfo(struct pipes_struct *p, - break; - } - -+#ifdef DEBUG_PASSWORD - dump_data(100, info->info23.password.data, 516); -+#endif - - status = set_user_info_23(p->mem_ctx, - &info->info23, -@@ -5219,7 +5221,9 @@ NTSTATUS _samr_SetUserInfo(struct pipes_struct *p, - break; - } - -+#ifdef DEBUG_PASSWORD - dump_data(100, info->info24.password.data, 516); -+#endif - - status = set_user_info_24(p->mem_ctx, - rhost, -@@ -5237,7 +5241,9 @@ NTSTATUS _samr_SetUserInfo(struct pipes_struct *p, - break; - } - -+#ifdef DEBUG_PASSWORD - dump_data(100, info->info25.password.data, 532); -+#endif - - status = set_user_info_25(p->mem_ctx, - rhost, -@@ -5255,7 +5261,9 @@ NTSTATUS _samr_SetUserInfo(struct pipes_struct *p, - break; - } - -+#ifdef DEBUG_PASSWORD - dump_data(100, info->info26.password.data, 516); -+#endif - - status = set_user_info_26(p->mem_ctx, - rhost, --- -2.23.0 - diff --git a/SOURCES/0065-libcli-smb-Add-forward-declaration-for-gnutls_hmac_h.patch b/SOURCES/0065-libcli-smb-Add-forward-declaration-for-gnutls_hmac_h.patch deleted file mode 100644 index be2ef40..0000000 
--- a/SOURCES/0065-libcli-smb-Add-forward-declaration-for-gnutls_hmac_h.patch +++ /dev/null @@ -1,38 +0,0 @@ -From 595df06b59c80cbb7a484a893e1ebaf917ddddb6 Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Thu, 8 Aug 2019 11:57:02 +0200 -Subject: [PATCH 065/187] libcli:smb: Add forward declaration for - gnutls_hmac_hd_t - -This file is basically included everywhere. So use a forward declaration -for gnutls_hmac_hd_t. This way we don't have to link everthing against -gnutls to get access to the header path. - -Signed-off-by: Andreas Schneider -Reviewed-by: Andrew Bartlett -(cherry picked from commit 6bf6cb1643ae5e8fff66a7cbec50f58ede632666) ---- - libcli/smb/smb2_signing.h | 6 +++--- - 1 file changed, 3 insertions(+), 3 deletions(-) - -diff --git a/libcli/smb/smb2_signing.h b/libcli/smb/smb2_signing.h -index 6e1682955c9..96a002f4a0c 100644 ---- a/libcli/smb/smb2_signing.h -+++ b/libcli/smb/smb2_signing.h -@@ -21,10 +21,10 @@ - #ifndef _LIBCLI_SMB_SMB2_SIGNING_H_ - #define _LIBCLI_SMB_SMB2_SIGNING_H_ - --#include --#include -- - struct iovec; -+ /* Forward declaration of GnuTLS typedefs */ -+struct hmac_hd_st; -+typedef struct hmac_hd_st* gnutls_hmac_hd_t; - - struct smb2_signing_key { - gnutls_hmac_hd_t hmac_hnd; --- -2.23.0 - diff --git a/SOURCES/0066-s3-modules-Link-vfs_acl_common-against-gnutls.patch b/SOURCES/0066-s3-modules-Link-vfs_acl_common-against-gnutls.patch deleted file mode 100644 index d4c3e79..0000000 --- a/SOURCES/0066-s3-modules-Link-vfs_acl_common-against-gnutls.patch +++ /dev/null 
@@ -1,29 +0,0 @@ -From 5132a12a30ccc008644be11fa6af4a3d253a8a27 Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Thu, 8 Aug 2019 13:14:45 +0200 -Subject: [PATCH 066/187] s3:modules: Link vfs_acl_common against gnutls - -Signed-off-by: Andreas Schneider -Reviewed-by: Andrew Bartlett -(cherry picked from commit b81cb04d03d57b8175d862ba48ac476fedf23636) ---- - source3/modules/wscript_build | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/source3/modules/wscript_build b/source3/modules/wscript_build -index 80b0ce9ff90..b8b965c8edd 100644 ---- a/source3/modules/wscript_build -+++ b/source3/modules/wscript_build -@@ -10,7 +10,8 @@ bld.SAMBA3_BINARY('test_nfs4_acls', - install=False) - - bld.SAMBA3_SUBSYSTEM('vfs_acl_common', -- source='vfs_acl_common.c') -+ source='vfs_acl_common.c', -+ deps='gnutls') - - bld.SAMBA3_SUBSYSTEM('POSIXACL_XATTR', - source='posixacl_xattr.c', --- -2.23.0 - diff --git a/SOURCES/0067-lib-util-Add-generate_nonce_buffer.patch b/SOURCES/0067-lib-util-Add-generate_nonce_buffer.patch deleted file mode 100644 index fe1730b..0000000 --- a/SOURCES/0067-lib-util-Add-generate_nonce_buffer.patch +++ /dev/null 
@@ -1,62 +0,0 @@ -From 45c34e04c2018d839be71371bee594bc4794de2d Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Wed, 31 Jul 2019 15:16:37 +0200 -Subject: [PATCH 067/187] lib:util: Add generate_nonce_buffer() - -Signed-off-by: Andreas Schneider -Reviewed-by: Andrew Bartlett -(cherry picked from commit 70ff216935acc099b762b527033b6191ba3307d0) ---- - lib/util/genrand.c | 12 ++++++++++-- - lib/util/genrand.h | 11 +++++++++++ - 2 files changed, 21 insertions(+), 2 deletions(-) - -diff --git a/lib/util/genrand.c b/lib/util/genrand.c -index 55997c3dd55..76c2cb81962 100644 ---- a/lib/util/genrand.c -+++ b/lib/util/genrand.c -@@ -25,8 +25,6 @@ - #include - #include - --/* TODO: Add API for generating nonce or use gnutls_rnd directly everywhere. */ -- - _PUBLIC_ void generate_random_buffer(uint8_t *out, int len) - { - /* Thread and fork safe random number generator for temporary keys. */ -@@ -42,3 +40,13 @@ _PUBLIC_ void generate_secret_buffer(uint8_t *out, int len) - /* Thread and fork safe random number generator for long term keys. */ - gnutls_rnd(GNUTLS_RND_KEY, out, len); - } -+ -+_PUBLIC_ void generate_nonce_buffer(uint8_t *out, int len) -+{ -+ /* -+ * The nonce generator will reseed after outputting a fixed amount of -+ * bytes (typically few megabytes), or after few hours of operation -+ * without reaching the limit has passed. -+ */ -+ gnutls_rnd(GNUTLS_RND_NONCE, out, len); -+} -diff --git a/lib/util/genrand.h b/lib/util/genrand.h -index 899ce8badc0..5af23100596 100644 ---- a/lib/util/genrand.h -+++ b/lib/util/genrand.h -@@ -28,3 +28,14 @@ void generate_random_buffer(uint8_t *out, int len); - * Thread and fork safe random number generator for long term keys. - */ - void generate_secret_buffer(uint8_t *out, int len); -+ -+/** -+ * @brief Generate random values for a nonce buffer. -+ * -+ * This is also known as initialization vector. -+ * -+ * @param[in] out A pointer to the buffer to fill with random data. 
-+ * -+ * @param[in] len The size of the buffer to fill. -+ */ -+void generate_nonce_buffer(uint8_t *out, int len); --- -2.23.0 - diff --git a/SOURCES/0068-libcli-smb-Use-generate_nonce_buffer-for-AES-CCM-and.patch b/SOURCES/0068-libcli-smb-Use-generate_nonce_buffer-for-AES-CCM-and.patch deleted file mode 100644 index 783a98f..0000000 --- a/SOURCES/0068-libcli-smb-Use-generate_nonce_buffer-for-AES-CCM-and.patch +++ /dev/null @@ -1,31 +0,0 @@ -From 85272ea8c52056f559b7bfde79805ce2b7ab4f72 Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Wed, 31 Jul 2019 15:25:35 +0200 -Subject: [PATCH 068/187] libcli:smb: Use generate_nonce_buffer() for AES-CCM - and AES-GCM nonce - -Signed-off-by: Andreas Schneider -Reviewed-by: Andrew Bartlett -(cherry picked from commit b2506f2407429efb40c3e4e4c360f5817ac13d27) ---- - libcli/smb/smbXcli_base.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/libcli/smb/smbXcli_base.c b/libcli/smb/smbXcli_base.c -index c9b396106ae..5db86720c9c 100644 ---- a/libcli/smb/smbXcli_base.c -+++ b/libcli/smb/smbXcli_base.c -@@ -6253,8 +6253,8 @@ NTSTATUS smb2cli_session_set_session_key(struct smbXcli_session *session, - * - * NOTE: We assume nonces greater than 8 bytes. - */ -- generate_random_buffer((uint8_t *)&session->smb2->nonce_high_random, -- sizeof(session->smb2->nonce_high_random)); -+ generate_nonce_buffer((uint8_t *)&session->smb2->nonce_high_random, -+ sizeof(session->smb2->nonce_high_random)); - switch (conn->smb2.server.cipher) { - case SMB2_ENCRYPTION_AES128_CCM: - nonce_size = AES_CCM_128_NONCE_SIZE; --- -2.23.0 - diff --git a/SOURCES/0069-s3-smbd-Use-generate_nonce_buffer-for-AES-CCM-and-AE.patch b/SOURCES/0069-s3-smbd-Use-generate_nonce_buffer-for-AES-CCM-and-AE.patch deleted file mode 100644 index bda42f9..0000000 --- a/SOURCES/0069-s3-smbd-Use-generate_nonce_buffer-for-AES-CCM-and-AE.patch +++ /dev/null 
@@ -1,31 +0,0 @@ -From 230457a6c024e236815b6f9f0351b236044ad515 Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Wed, 31 Jul 2019 15:28:34 +0200 -Subject: [PATCH 069/187] s3:smbd: Use generate_nonce_buffer() for AES-CCM and - AES-GCM nonce - -Signed-off-by: Andreas Schneider -Reviewed-by: Andrew Bartlett -(cherry picked from commit 2b2df6cd398c9cb62989710f9b1642665ec89406) ---- - source3/smbd/smb2_sesssetup.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/source3/smbd/smb2_sesssetup.c b/source3/smbd/smb2_sesssetup.c -index 770c22b00f1..591d5c37160 100644 ---- a/source3/smbd/smb2_sesssetup.c -+++ b/source3/smbd/smb2_sesssetup.c -@@ -419,8 +419,8 @@ static NTSTATUS smbd_smb2_auth_generic_return(struct smbXsrv_session *session, - * - * NOTE: We assume nonces greater than 8 bytes. - */ -- generate_random_buffer((uint8_t *)&x->nonce_high_random, -- sizeof(x->nonce_high_random)); -+ generate_nonce_buffer((uint8_t *)&x->nonce_high_random, -+ sizeof(x->nonce_high_random)); - switch (xconn->smb2.server.cipher) { - case SMB2_ENCRYPTION_AES128_CCM: - nonce_size = AES_CCM_128_NONCE_SIZE; --- -2.23.0 - diff --git a/SOURCES/0070-lib-util-Add-better-documentation-for-generate_secre.patch b/SOURCES/0070-lib-util-Add-better-documentation-for-generate_secre.patch deleted file mode 100644 index 60978d4..0000000 --- a/SOURCES/0070-lib-util-Add-better-documentation-for-generate_secre.patch +++ /dev/null 
@@ -1,70 +0,0 @@ -From deeb93c2fb7cc131741ced4877b75bcd3a64cef4 Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Wed, 31 Jul 2019 15:38:50 +0200 -Subject: [PATCH 070/187] lib:util: Add better documentation for - generate_secret_buffer() - -Signed-off-by: Andreas Schneider -Reviewed-by: Andrew Bartlett -(cherry picked from commit bf52ab7d2982de84a68a1b9c6d2f68250b7e7cca) ---- - lib/util/genrand.c | 17 ++++++++++++----- - lib/util/genrand.h | 6 +++++- - 2 files changed, 17 insertions(+), 6 deletions(-) - -diff --git a/lib/util/genrand.c b/lib/util/genrand.c -index 76c2cb81962..a5809aa2bc9 100644 ---- a/lib/util/genrand.c -+++ b/lib/util/genrand.c -@@ -25,19 +25,26 @@ - #include - #include - -+/* -+ * Details about the GnuTLS CSPRNG: -+ * -+ * https://nikmav.blogspot.com/2017/03/improving-by-simplifying-gnutls-prng.html -+ */ -+ - _PUBLIC_ void generate_random_buffer(uint8_t *out, int len) - { - /* Thread and fork safe random number generator for temporary keys. */ - gnutls_rnd(GNUTLS_RND_RANDOM, out, len); - } - --/* -- * Keep generate_secret_buffer in case we ever want to do something -- * different -- */ - _PUBLIC_ void generate_secret_buffer(uint8_t *out, int len) - { -- /* Thread and fork safe random number generator for long term keys. */ -+ /* The key generator, will re-seed after a fixed amount of bytes is -+ * generated (typically less than the nonce), and will also re-seed -+ * based on time, i.e., after few hours of operation without reaching -+ * the limit for a re-seed. For its re-seed it mixes mixes data obtained -+ * from the OS random device with the previous key. -+ */ - gnutls_rnd(GNUTLS_RND_KEY, out, len); - } - -diff --git a/lib/util/genrand.h b/lib/util/genrand.h -index 5af23100596..abb8ce2c10a 100644 ---- a/lib/util/genrand.h -+++ b/lib/util/genrand.h -@@ -25,7 +25,11 @@ - void generate_random_buffer(uint8_t *out, int len); - - /** -- * Thread and fork safe random number generator for long term keys. 
-+ * @brief Generate random values for key buffers (e.g. session keys) -+ * -+ * @param[in] out A pointer to the buffer to fill with random data. -+ * -+ * @param[in] len The size of the buffer to fill. - */ - void generate_secret_buffer(uint8_t *out, int len); - --- -2.23.0 - diff --git a/SOURCES/0071-s4-rpc_server-Use-generate_secret_buffer-to-create-a.patch b/SOURCES/0071-s4-rpc_server-Use-generate_secret_buffer-to-create-a.patch deleted file mode 100644 index d9c53b1..0000000 --- a/SOURCES/0071-s4-rpc_server-Use-generate_secret_buffer-to-create-a.patch +++ /dev/null @@ -1,33 +0,0 @@ -From 299dd35d7816770560a17a0e30886c08d9687589 Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Wed, 31 Jul 2019 15:40:12 +0200 -Subject: [PATCH 071/187] s4:rpc_server: Use generate_secret_buffer() to create - a session key - -Signed-off-by: Andreas Schneider -Reviewed-by: Andrew Bartlett -(cherry picked from commit 4b2480518bd3887be3a6cfb713523ac084e09fd5) ---- - source4/rpc_server/samr/samr_password.c | 5 +++-- - 1 file changed, 3 insertions(+), 2 deletions(-) - -diff --git a/source4/rpc_server/samr/samr_password.c b/source4/rpc_server/samr/samr_password.c -index b04e37f06f3..6bf907181c8 100644 ---- a/source4/rpc_server/samr/samr_password.c -+++ b/source4/rpc_server/samr/samr_password.c -@@ -733,9 +733,10 @@ NTSTATUS samr_set_password_buffers(struct dcesrv_call_state *dce_call, - nt_errstr(nt_status))); - - /* -- * Windows just uses a random key -+ * Windows just uses a random key. We need to use a CSPRNG -+ * which reseeds for generating session keys. - */ -- generate_random_buffer(random_session_key, -+ generate_secret_buffer(random_session_key, - sizeof(random_session_key)); - session_key = data_blob_const(random_session_key, - sizeof(random_session_key)); --- -2.23.0 - 
diff --git a/SOURCES/0072-s4-rpc_server-Use-generate_secret_buffer-for-backupk.patch b/SOURCES/0072-s4-rpc_server-Use-generate_secret_buffer-for-backupk.patch deleted file mode 100644 index 0813c0f..0000000 --- a/SOURCES/0072-s4-rpc_server-Use-generate_secret_buffer-for-backupk.patch +++ /dev/null @@ -1,30 +0,0 @@ -From 5cd54770ca2055eee9ae651510b0ff5d1c914f6c Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Wed, 31 Jul 2019 15:41:29 +0200 -Subject: [PATCH 072/187] s4:rpc_server: Use generate_secret_buffer() for - backupkey wap_key - -Signed-off-by: Andreas Schneider -Reviewed-by: Andrew Bartlett -(cherry picked from commit 5a62056b4530e4c509444be9164a1fca1dce193f) ---- - source4/rpc_server/backupkey/dcesrv_backupkey.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/source4/rpc_server/backupkey/dcesrv_backupkey.c b/source4/rpc_server/backupkey/dcesrv_backupkey.c -index a826ae083f4..d192858e468 100644 ---- a/source4/rpc_server/backupkey/dcesrv_backupkey.c -+++ b/source4/rpc_server/backupkey/dcesrv_backupkey.c -@@ -1263,7 +1263,8 @@ static WERROR generate_bkrp_server_wrap_key(TALLOC_CTX *ctx, struct ldb_context - char *secret_name; - TALLOC_CTX *frame = talloc_stackframe(); - -- generate_random_buffer(wrap_key.key, sizeof(wrap_key.key)); -+ /* We need to use a CSPRNG which reseeds for generating session keys. */ -+ generate_secret_buffer(wrap_key.key, sizeof(wrap_key.key)); - - ndr_err = ndr_push_struct_blob(&blob_wrap_key, ctx, &wrap_key, (ndr_push_flags_fn_t)ndr_push_bkrp_dc_serverwrap_key); - if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) { --- -2.23.0 - diff --git a/SOURCES/0073-s4-rpc_server-Use-generate_secret_buffer-for-netlogo.patch b/SOURCES/0073-s4-rpc_server-Use-generate_secret_buffer-for-netlogo.patch deleted file mode 100644 index 466851b..0000000 --- a/SOURCES/0073-s4-rpc_server-Use-generate_secret_buffer-for-netlogo.patch +++ /dev/null 
@@ -1,30 +0,0 @@ -From a9efbcf21a5dc8b8b8195916b8a5eaa03ccbf5a5 Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Wed, 31 Jul 2019 15:42:26 +0200 -Subject: [PATCH 073/187] s4:rpc_server: Use generate_secret_buffer() for - netlogon challange - -Signed-off-by: Andreas Schneider -Reviewed-by: Andrew Bartlett -(cherry picked from commit a21770cfdffd2a21045a1bc87e489af0f4c6f130) ---- - source4/rpc_server/netlogon/dcerpc_netlogon.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c -index ac745e32b02..f4e24b7fd7f 100644 ---- a/source4/rpc_server/netlogon/dcerpc_netlogon.c -+++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c -@@ -90,7 +90,8 @@ static NTSTATUS dcesrv_netr_ServerReqChallenge(struct dcesrv_call_state *dce_cal - - pipe_state->client_challenge = *r->in.credentials; - -- generate_random_buffer(pipe_state->server_challenge.data, -+ /* We need to use a CSPRNG which reseeds for generating session keys. */ -+ generate_secret_buffer(pipe_state->server_challenge.data, - sizeof(pipe_state->server_challenge.data)); - - *r->out.return_credentials = pipe_state->server_challenge; --- -2.23.0 - diff --git a/SOURCES/0074-libcli-auth-Use-generate_secret_buffer-for-netlogon-.patch b/SOURCES/0074-libcli-auth-Use-generate_secret_buffer-for-netlogon-.patch deleted file mode 100644 index 31f8907..0000000 --- a/SOURCES/0074-libcli-auth-Use-generate_secret_buffer-for-netlogon-.patch +++ /dev/null 
@@ -1,34 +0,0 @@ -From 34c4199f21f5d2dfbf3d732fd4da7be390ce095b Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Wed, 31 Jul 2019 15:44:24 +0200 -Subject: [PATCH 074/187] libcli:auth: Use generate_secret_buffer() for - netlogon challenge - -Signed-off-by: Andreas Schneider -Reviewed-by: Andrew Bartlett - -Autobuild-User(master): Andreas Schneider -Autobuild-Date(master): Mon Aug 12 10:42:35 UTC 2019 on sn-devel-184 - -(cherry picked from commit c3ba556f52b15dd80efc26e4fb8f43ce2ee3a7f0) ---- - libcli/auth/netlogon_creds_cli.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/libcli/auth/netlogon_creds_cli.c b/libcli/auth/netlogon_creds_cli.c -index 50a5f50a57d..18143ca36d0 100644 ---- a/libcli/auth/netlogon_creds_cli.c -+++ b/libcli/auth/netlogon_creds_cli.c -@@ -1177,7 +1177,8 @@ static void netlogon_creds_cli_auth_challenge_start(struct tevent_req *req) - - TALLOC_FREE(state->creds); - -- generate_random_buffer(state->client_challenge.data, -+ /* We need to use a CSPRNG which reseeds for generating session keys. */ -+ generate_secret_buffer(state->client_challenge.data, - sizeof(state->client_challenge.data)); - - subreq = dcerpc_netr_ServerReqChallenge_send(state, state->ev, --- -2.23.0 - diff --git a/SOURCES/0075-lib-util-Fix-documentation-for-random-number-functio.patch b/SOURCES/0075-lib-util-Fix-documentation-for-random-number-functio.patch deleted file mode 100644 index 4266de9..0000000 --- a/SOURCES/0075-lib-util-Fix-documentation-for-random-number-functio.patch +++ /dev/null 
@@ -1,72 +0,0 @@ -From 5d53f417762503b9c73edcdb1364834f3b665e74 Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Mon, 12 Aug 2019 16:10:20 +0200 -Subject: [PATCH 075/187] lib:util: Fix documentation for random number - functions - -Signed-off-by: Andreas Schneider -Reviewed-by: Alexander Bokovoy -(cherry picked from commit 97c441d7c28feb29168e81ebbc5c55b09a845087) ---- - lib/util/genrand.c | 9 +++++++-- - lib/util/genrand.h | 8 ++++++-- - 2 files changed, 13 insertions(+), 4 deletions(-) - -diff --git a/lib/util/genrand.c b/lib/util/genrand.c -index a5809aa2bc9..18ffa0d95e6 100644 ---- a/lib/util/genrand.c -+++ b/lib/util/genrand.c -@@ -33,13 +33,16 @@ - - _PUBLIC_ void generate_random_buffer(uint8_t *out, int len) - { -- /* Thread and fork safe random number generator for temporary keys. */ -+ /* Random number generator for temporary keys. */ - gnutls_rnd(GNUTLS_RND_RANDOM, out, len); - } - - _PUBLIC_ void generate_secret_buffer(uint8_t *out, int len) - { -- /* The key generator, will re-seed after a fixed amount of bytes is -+ /* -+ * Random number generator for long term keys. -+ * -+ * The key generator, will re-seed after a fixed amount of bytes is - * generated (typically less than the nonce), and will also re-seed - * based on time, i.e., after few hours of operation without reaching - * the limit for a re-seed. For its re-seed it mixes mixes data obtained -@@ -51,6 +54,8 @@ _PUBLIC_ void generate_secret_buffer(uint8_t *out, int len) - _PUBLIC_ void generate_nonce_buffer(uint8_t *out, int len) - { - /* -+ * Random number generator for nonce and initialization vectors. -+ * - * The nonce generator will reseed after outputting a fixed amount of - * bytes (typically few megabytes), or after few hours of operation - * without reaching the limit has passed. 
-diff --git a/lib/util/genrand.h b/lib/util/genrand.h -index abb8ce2c10a..70f36312e58 100644 ---- a/lib/util/genrand.h -+++ b/lib/util/genrand.h -@@ -20,12 +20,16 @@ - */ - - /** -- * Thread and fork safe random number generator for temporary keys. -+ * @brief Generate random values for session and temporary keys. -+ * -+ * @param[in] out A pointer to the buffer to fill with random data. -+ * -+ * @param[in] len The size of the buffer to fill. - */ - void generate_random_buffer(uint8_t *out, int len); - - /** -- * @brief Generate random values for key buffers (e.g. session keys) -+ * @brief Generate random values for long term keys and passwords. - * - * @param[in] out A pointer to the buffer to fill with random data. - * --- -2.23.0 - diff --git a/SOURCES/0076-Revert-libcli-auth-Use-generate_secret_buffer-for-ne.patch b/SOURCES/0076-Revert-libcli-auth-Use-generate_secret_buffer-for-ne.patch deleted file mode 100644 index bc01509..0000000 --- a/SOURCES/0076-Revert-libcli-auth-Use-generate_secret_buffer-for-ne.patch +++ /dev/null 
@@ -1,31 +0,0 @@ -From 5b8d3df9856f081cbca601926ca909085cc73f05 Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Mon, 12 Aug 2019 18:49:31 +0200 -Subject: [PATCH 076/187] Revert "libcli:auth: Use generate_secret_buffer() for - netlogon challenge" - -This reverts commit c3ba556f52b15dd80efc26e4fb8f43ce2ee3a7f0. - -Reviewed-by: Alexander Bokovoy -(cherry picked from commit 689760f26521fe5b4c8964a25ddd3ab1c9e9977c) ---- - libcli/auth/netlogon_creds_cli.c | 3 +-- - 1 file changed, 1 insertion(+), 2 deletions(-) - -diff --git a/libcli/auth/netlogon_creds_cli.c b/libcli/auth/netlogon_creds_cli.c -index 18143ca36d0..50a5f50a57d 100644 ---- a/libcli/auth/netlogon_creds_cli.c -+++ b/libcli/auth/netlogon_creds_cli.c -@@ -1177,8 +1177,7 @@ static void netlogon_creds_cli_auth_challenge_start(struct tevent_req *req) - - TALLOC_FREE(state->creds); - -- /* We need to use a CSPRNG which reseeds for generating session keys. */ -- generate_secret_buffer(state->client_challenge.data, -+ generate_random_buffer(state->client_challenge.data, - sizeof(state->client_challenge.data)); - - subreq = dcerpc_netr_ServerReqChallenge_send(state, state->ev, --- -2.23.0 - diff --git a/SOURCES/0077-Revert-s4-rpc_server-Use-generate_secret_buffer-for-.patch b/SOURCES/0077-Revert-s4-rpc_server-Use-generate_secret_buffer-for-.patch deleted file mode 100644 index fea4ddc..0000000 --- a/SOURCES/0077-Revert-s4-rpc_server-Use-generate_secret_buffer-for-.patch +++ /dev/null 
@@ -1,31 +0,0 @@ -From c08b8c1b2ccbd3c180c730940d7efce8fcef8b5b Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Mon, 12 Aug 2019 18:49:37 +0200 -Subject: [PATCH 077/187] Revert "s4:rpc_server: Use generate_secret_buffer() - for netlogon challange" - -This reverts commit a21770cfdffd2a21045a1bc87e489af0f4c6f130. - -Reviewed-by: Alexander Bokovoy -(cherry picked from commit 1c68085404cd467c217640e3eabfc4b7f8b1ce9f) ---- - source4/rpc_server/netlogon/dcerpc_netlogon.c | 3 +-- - 1 file changed, 1 insertion(+), 2 deletions(-) - -diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c -index f4e24b7fd7f..ac745e32b02 100644 ---- a/source4/rpc_server/netlogon/dcerpc_netlogon.c -+++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c -@@ -90,8 +90,7 @@ static NTSTATUS dcesrv_netr_ServerReqChallenge(struct dcesrv_call_state *dce_cal - - pipe_state->client_challenge = *r->in.credentials; - -- /* We need to use a CSPRNG which reseeds for generating session keys. */ -- generate_secret_buffer(pipe_state->server_challenge.data, -+ generate_random_buffer(pipe_state->server_challenge.data, - sizeof(pipe_state->server_challenge.data)); - - *r->out.return_credentials = pipe_state->server_challenge; --- -2.23.0 - diff --git a/SOURCES/0078-Revert-s4-rpc_server-Use-generate_secret_buffer-for-.patch b/SOURCES/0078-Revert-s4-rpc_server-Use-generate_secret_buffer-for-.patch deleted file mode 100644 index 30c7e4e..0000000 --- a/SOURCES/0078-Revert-s4-rpc_server-Use-generate_secret_buffer-for-.patch +++ /dev/null 
@@ -1,31 +0,0 @@ -From 5576562cc327cfa6cc77d5962ee8ec85d9ca0ad6 Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Mon, 12 Aug 2019 18:49:52 +0200 -Subject: [PATCH 078/187] Revert "s4:rpc_server: Use generate_secret_buffer() - for backupkey wap_key" - -This reverts commit 5a62056b4530e4c509444be9164a1fca1dce193f. - -Reviewed-by: Alexander Bokovoy -(cherry picked from commit 38b0695ddac244c67b2a33eb927ad3e95d2e8bd6) ---- - source4/rpc_server/backupkey/dcesrv_backupkey.c | 3 +-- - 1 file changed, 1 insertion(+), 2 deletions(-) - -diff --git a/source4/rpc_server/backupkey/dcesrv_backupkey.c b/source4/rpc_server/backupkey/dcesrv_backupkey.c -index d192858e468..a826ae083f4 100644 ---- a/source4/rpc_server/backupkey/dcesrv_backupkey.c -+++ b/source4/rpc_server/backupkey/dcesrv_backupkey.c -@@ -1263,8 +1263,7 @@ static WERROR generate_bkrp_server_wrap_key(TALLOC_CTX *ctx, struct ldb_context - char *secret_name; - TALLOC_CTX *frame = talloc_stackframe(); - -- /* We need to use a CSPRNG which reseeds for generating session keys. */ -- generate_secret_buffer(wrap_key.key, sizeof(wrap_key.key)); -+ generate_random_buffer(wrap_key.key, sizeof(wrap_key.key)); - - ndr_err = ndr_push_struct_blob(&blob_wrap_key, ctx, &wrap_key, (ndr_push_flags_fn_t)ndr_push_bkrp_dc_serverwrap_key); - if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) { --- -2.23.0 - diff --git a/SOURCES/0079-Revert-s4-rpc_server-Use-generate_secret_buffer-to-c.patch b/SOURCES/0079-Revert-s4-rpc_server-Use-generate_secret_buffer-to-c.patch deleted file mode 100644 index e38e467..0000000 --- a/SOURCES/0079-Revert-s4-rpc_server-Use-generate_secret_buffer-to-c.patch +++ /dev/null 
@@ -1,34 +0,0 @@ -From ea69efd5e269e3ec0c93121d0448a1f6fb4275ac Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Mon, 12 Aug 2019 18:50:02 +0200 -Subject: [PATCH 079/187] Revert "s4:rpc_server: Use generate_secret_buffer() - to create a session key" - -This reverts commit 4b2480518bd3887be3a6cfb713523ac084e09fd5. - -Reviewed-by: Alexander Bokovoy -(cherry picked from commit d73be972ea58d564c770698bf6374a6074f111fe) ---- - source4/rpc_server/samr/samr_password.c | 5 ++--- - 1 file changed, 2 insertions(+), 3 deletions(-) - -diff --git a/source4/rpc_server/samr/samr_password.c b/source4/rpc_server/samr/samr_password.c -index 6bf907181c8..b04e37f06f3 100644 ---- a/source4/rpc_server/samr/samr_password.c -+++ b/source4/rpc_server/samr/samr_password.c -@@ -733,10 +733,9 @@ NTSTATUS samr_set_password_buffers(struct dcesrv_call_state *dce_call, - nt_errstr(nt_status))); - - /* -- * Windows just uses a random key. We need to use a CSPRNG -- * which reseeds for generating session keys. -+ * Windows just uses a random key - */ -- generate_secret_buffer(random_session_key, -+ generate_random_buffer(random_session_key, - sizeof(random_session_key)); - session_key = data_blob_const(random_session_key, - sizeof(random_session_key)); --- -2.23.0 - diff --git a/SOURCES/0080-lib-util-Use-generate_secret_buffer-for-long-term-pa.patch b/SOURCES/0080-lib-util-Use-generate_secret_buffer-for-long-term-pa.patch deleted file mode 100644 index dd413c1..0000000 --- a/SOURCES/0080-lib-util-Use-generate_secret_buffer-for-long-term-pa.patch +++ /dev/null 
@@ -1,47 +0,0 @@ -From d2cc9f2ef31092c1ce5e5ad967a6be4f3bc84c06 Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Mon, 12 Aug 2019 18:55:56 +0200 -Subject: [PATCH 080/187] lib:util: Use generate_secret_buffer() for long term - passwords - -Signed-off-by: Andreas Schneider -Reviewed-by: Alexander Bokovoy -(cherry picked from commit 93196dd823e114f260a68d28bb59eac3909c30d8) ---- - lib/util/genrand_util.c | 6 +++--- - 1 file changed, 3 insertions(+), 3 deletions(-) - -diff --git a/lib/util/genrand_util.c b/lib/util/genrand_util.c -index d7b74c6cf1a..05d1f3ef6e5 100644 ---- a/lib/util/genrand_util.c -+++ b/lib/util/genrand_util.c -@@ -185,7 +185,7 @@ _PUBLIC_ char *generate_random_str_list(TALLOC_CTX *mem_ctx, size_t len, const c - char *retstr = talloc_array(mem_ctx, char, len + 1); - if (!retstr) return NULL; - -- generate_random_buffer((uint8_t *)retstr, len); -+ generate_secret_buffer((uint8_t *)retstr, len); - for (i = 0; i < len; i++) { - retstr[i] = list[retstr[i] % list_len]; - } -@@ -247,7 +247,7 @@ _PUBLIC_ char *generate_random_password(TALLOC_CTX *mem_ctx, size_t min, size_t - if (diff > 0 ) { - size_t tmp; - -- generate_random_buffer((uint8_t *)&tmp, sizeof(tmp)); -+ generate_secret_buffer((uint8_t *)&tmp, sizeof(tmp)); - - tmp %= diff; - -@@ -317,7 +317,7 @@ _PUBLIC_ char *generate_random_machine_password(TALLOC_CTX *mem_ctx, size_t min, - if (diff > 0) { - size_t tmp; - -- generate_random_buffer((uint8_t *)&tmp, sizeof(tmp)); -+ generate_secret_buffer((uint8_t *)&tmp, sizeof(tmp)); - - tmp %= diff; - --- -2.23.0 - diff --git a/SOURCES/0081-s4-samdb-Use-generate_nonce_buffer-for-AEC-GCM-nonce.patch b/SOURCES/0081-s4-samdb-Use-generate_nonce_buffer-for-AEC-GCM-nonce.patch deleted file mode 100644 index 1abba96..0000000 --- a/SOURCES/0081-s4-samdb-Use-generate_nonce_buffer-for-AEC-GCM-nonce.patch +++ /dev/null 
@@ -1,29 +0,0 @@ -From 3a22faf5aa81b8a2e918e250cb201440094f9757 Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Mon, 12 Aug 2019 18:56:35 +0200 -Subject: [PATCH 081/187] s4:samdb: Use generate_nonce_buffer() for AEC GCM - nonce - -Signed-off-by: Andreas Schneider -Reviewed-by: Alexander Bokovoy -(cherry picked from commit a3e36dd8f43a5c06969ae158fa54fbc649f44d03) ---- - source4/dsdb/samdb/ldb_modules/encrypted_secrets.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/source4/dsdb/samdb/ldb_modules/encrypted_secrets.c b/source4/dsdb/samdb/ldb_modules/encrypted_secrets.c -index b2df15c08f4..deaa03cbb35 100644 ---- a/source4/dsdb/samdb/ldb_modules/encrypted_secrets.c -+++ b/source4/dsdb/samdb/ldb_modules/encrypted_secrets.c -@@ -447,7 +447,7 @@ static struct ldb_val samba_encrypt_aead(int *err, - goto error_exit; - } - -- generate_random_buffer(iv, AES_GCM_128_IV_SIZE); -+ generate_nonce_buffer(iv, AES_GCM_128_IV_SIZE); - - es->iv.length = AES_GCM_128_IV_SIZE; - es->iv.data = iv; --- -2.23.0 - diff --git a/SOURCES/0082-s3-passdb-Use-generate_secret_buffer-for-generating-.patch b/SOURCES/0082-s3-passdb-Use-generate_secret_buffer-for-generating-.patch deleted file mode 100644 index 39ed0eb..0000000 --- a/SOURCES/0082-s3-passdb-Use-generate_secret_buffer-for-generating-.patch +++ /dev/null 
@@ -1,30 +0,0 @@ -From 8057d84f33d96a3143b1908b47e65e6a89d4f861 Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Mon, 12 Aug 2019 18:57:06 +0200 -Subject: [PATCH 082/187] s3:passdb: Use generate_secret_buffer() for - generating passwords - -Signed-off-by: Andreas Schneider -Reviewed-by: Alexander Bokovoy -(cherry picked from commit 6fa3e4de7c168dc7c869ec9966729a36bda27f57) ---- - source3/passdb/pdb_nds.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/source3/passdb/pdb_nds.c b/source3/passdb/pdb_nds.c -index 349ea0b6c38..216c9e6b50b 100644 ---- a/source3/passdb/pdb_nds.c -+++ b/source3/passdb/pdb_nds.c -@@ -814,7 +814,8 @@ static NTSTATUS pdb_nds_update_login_attempts(struct pdb_methods *methods, - got_clear_text_pw = True; - } - } else { -- generate_random_buffer((unsigned char *)clear_text_pw, 24); -+ /* This is a long term key */ -+ generate_secret_buffer((unsigned char *)clear_text_pw, 24); - clear_text_pw[24] = '\0'; - DEBUG(5,("pdb_nds_update_login_attempts: using random password %s\n", clear_text_pw)); - } --- -2.23.0 - diff --git a/SOURCES/0083-auth-ntlmssp-Use-generate_random_buffer-for-session-.patch b/SOURCES/0083-auth-ntlmssp-Use-generate_random_buffer-for-session-.patch deleted file mode 100644 index 1d4f07e..0000000 --- a/SOURCES/0083-auth-ntlmssp-Use-generate_random_buffer-for-session-.patch +++ /dev/null 
@@ -1,33 +0,0 @@ -From 9a257522e3c811853b2b9f0b93992b07ecdad5d9 Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Mon, 12 Aug 2019 19:07:15 +0200 -Subject: [PATCH 083/187] auth:ntlmssp: Use generate_random_buffer() for - session keys - -Signed-off-by: Andreas Schneider -Reviewed-by: Alexander Bokovoy - -Autobuild-User(master): Alexander Bokovoy -Autobuild-Date(master): Wed Aug 14 16:26:47 UTC 2019 on sn-devel-184 - -(cherry picked from commit 9b7825d2d387bcb2515154418a990669ab96358d) ---- - auth/ntlmssp/ntlmssp_client.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/auth/ntlmssp/ntlmssp_client.c b/auth/ntlmssp/ntlmssp_client.c -index b8d1190466b..2a80feb4fed 100644 ---- a/auth/ntlmssp/ntlmssp_client.c -+++ b/auth/ntlmssp/ntlmssp_client.c -@@ -696,7 +696,7 @@ NTSTATUS ntlmssp_client_challenge(struct gensec_security *gensec_security, - .size = session_key.length, - }; - -- generate_secret_buffer(client_session_key, sizeof(client_session_key)); -+ generate_random_buffer(client_session_key, sizeof(client_session_key)); - - /* Encrypt the new session key with the old one */ - encrypted_session_key = data_blob_talloc(ntlmssp_state, --- -2.23.0 - diff --git a/SOURCES/0084-encrypted_secrets-Add-known-and-expected-value-test.patch b/SOURCES/0084-encrypted_secrets-Add-known-and-expected-value-test.patch deleted file mode 100644 index 28df652..0000000 --- a/SOURCES/0084-encrypted_secrets-Add-known-and-expected-value-test.patch +++ /dev/null 
@@ -1,84 +0,0 @@ -From 40a13974c5279d43fa2e13b8a274ba41ec051533 Mon Sep 17 00:00:00 2001 -From: Andrew Bartlett -Date: Thu, 15 Aug 2019 15:27:30 +1200 -Subject: [PATCH 084/187] encrypted_secrets: Add known and expected value test - -Signed-off-by: Andrew Bartlett -Reviewed-by: Andreas Schneider -(cherry picked from commit 92b9cdf99da1f8657c166d413c5136c8db938a9e) ---- - .../tests/test_encrypted_secrets.c | 51 +++++++++++++++++++ - 1 file changed, 51 insertions(+) - -diff --git a/source4/dsdb/samdb/ldb_modules/tests/test_encrypted_secrets.c b/source4/dsdb/samdb/ldb_modules/tests/test_encrypted_secrets.c -index 258e1ba829f..cfea95ae544 100644 ---- a/source4/dsdb/samdb/ldb_modules/tests/test_encrypted_secrets.c -+++ b/source4/dsdb/samdb/ldb_modules/tests/test_encrypted_secrets.c -@@ -1101,6 +1101,53 @@ static void test_unencrypted_secret(void **state) - assert_int_equal(LDB_ERR_OPERATIONS_ERROR, ret); - } - -+/* -+ * Test full decryption of a static value with static key -+ */ -+static void test_record_decryption(void **state) -+{ -+ struct ldbtest_ctx *test_ctx = -+ talloc_get_type_abort(*state, struct ldbtest_ctx); -+ unsigned char plain_data[] = { -+ 0xe6, 0xa6, 0xb8, 0xff, 0xdf, 0x06, 0x6c, 0xe3, -+ 0xea, 0xd0, 0x94, 0xbb, 0x79, 0xbd, 0x0a, 0x24 -+ }; -+ unsigned char encrypted_data[] = { -+ 0x0c, 0x00, 0x00, 0x00, 0x33, 0x91, 0x74, 0x25, -+ 0x26, 0xcc, 0x0b, 0x8c, 0x21, 0xc1, 0x13, 0xe2, -+ 0xed, 0xad, 0x5c, 0xca, 0x01, 0x00, 0x00, 0x00, -+ 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, -+ 0x1a, 0xdc, 0xc9, 0x11, 0x08, 0xca, 0x2c, 0xfb, -+ 0xc8, 0x32, 0x6b, 0x1b, 0x25, 0x7f, 0x52, 0xbb, -+ 0xae, 0x9b, 0x88, 0x52, 0xb0, 0x18, 0x6d, 0x9d, -+ 0x9b, 0xdd, 0xcd, 0x1b, 0x5f, 0x4a, 0x5c, 0x29, -+ 0xca, 0x0b, 0x36, 0xaa -+ }; -+ struct ldb_val cipher_text -+ = data_blob_const(encrypted_data, -+ sizeof(encrypted_data)); -+ unsigned char es_keys_blob[] = { -+ 0x1d, 0xae, 0xf5, 0xaa, 0xa3, 0x85, 0x0d, 0x0a, -+ 0x8c, 0x24, 0x5c, 0x4c, 0xa7, 0x0f, 0x81, 0x79 -+ }; -+ struct 
es_data data = { -+ .encrypt_secrets = true, -+ .keys[0] = { -+ .data = es_keys_blob, -+ .length = sizeof(es_keys_blob), -+ }, -+#ifdef HAVE_GNUTLS_AEAD -+ .encryption_algorithm = GNUTLS_CIPHER_AES_128_GCM, -+#endif -+ }; -+ int err = LDB_SUCCESS; -+ struct ldb_val dec = decrypt_value(&err, test_ctx, test_ctx->ldb, cipher_text, -+ &data); -+ assert_int_equal(LDB_SUCCESS, err); -+ assert_int_equal(sizeof(plain_data), dec.length); -+ assert_memory_equal(dec.data, plain_data, sizeof(plain_data)); -+} -+ - - int main(void) { - const struct CMUnitTest tests[] = { -@@ -1166,6 +1213,10 @@ int main(void) { - test_unencrypted_secret, - setup_with_key, - teardown), -+ cmocka_unit_test_setup_teardown( -+ test_record_decryption, -+ setup_with_key, -+ teardown), - }; - - cmocka_set_message_output(CM_OUTPUT_SUBUNIT); --- -2.23.0 - diff --git a/SOURCES/0085-s4-samdb-Remove-dual-stack-mode-from-test_-encrypted.patch b/SOURCES/0085-s4-samdb-Remove-dual-stack-mode-from-test_-encrypted.patch deleted file mode 100644 index a2fa5bb..0000000 --- a/SOURCES/0085-s4-samdb-Remove-dual-stack-mode-from-test_-encrypted.patch +++ /dev/null 
@@ -1,154 +0,0 @@ -From ce7a5f793d0d5983504be61189ec7c57cfbf07d0 Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Tue, 26 Feb 2019 18:32:34 +0100 -Subject: [PATCH 085/187] s4:samdb: Remove dual-stack mode from - (test_)encrypted_secrets - -Now we either build with GnuTLS or Samba crypto. If a modern GnuTLS -version is detected that will be used and Samba crypto wont be -available. - -This removes the dual-stack mode that encrypted with one and decrypted -with the other in the testsuite. - -Signed-off-by: Andreas Schneider -Reviewed-by: Andrew Bartlett - -Commit message clarified by Andrew Bartlett - -Signed-off-by: Andrew Bartlett -(cherry picked from commit 7bf3c5d7640daaf5dc799eaf698618903ec09127) ---- - .../samdb/ldb_modules/encrypted_secrets.c | 16 ++---- - .../tests/test_encrypted_secrets.c | 49 ++----------------- - 2 files changed, 10 insertions(+), 55 deletions(-) - -diff --git a/source4/dsdb/samdb/ldb_modules/encrypted_secrets.c b/source4/dsdb/samdb/ldb_modules/encrypted_secrets.c -index deaa03cbb35..5f8cd8747ea 100644 ---- a/source4/dsdb/samdb/ldb_modules/encrypted_secrets.c -+++ b/source4/dsdb/samdb/ldb_modules/encrypted_secrets.c -@@ -39,18 +39,12 @@ - #include "dsdb/samdb/samdb.h" - #include "dsdb/samdb/ldb_modules/util.h" - --#ifdef TEST_ENCRYPTED_SECRETS -+/* Build either with GnuTLS crypto or Samba crypto. 
*/ -+#ifdef HAVE_GNUTLS_AEAD -+ #define BUILD_WITH_GNUTLS_AEAD -+#else /* !HAVE_GNUTLS_AEAD */ - #define BUILD_WITH_SAMBA_AES_GCM -- #ifdef HAVE_GNUTLS_AEAD -- #define BUILD_WITH_GNUTLS_AEAD -- #endif --#else -- #ifdef HAVE_GNUTLS_AEAD -- #define BUILD_WITH_GNUTLS_AEAD -- #else -- #define BUILD_WITH_SAMBA_AES_GCM -- #endif --#endif -+#endif /* HAVE_GNUTLS_AEAD */ - - #ifdef BUILD_WITH_GNUTLS_AEAD - #include -diff --git a/source4/dsdb/samdb/ldb_modules/tests/test_encrypted_secrets.c b/source4/dsdb/samdb/ldb_modules/tests/test_encrypted_secrets.c -index cfea95ae544..a33781d703d 100644 ---- a/source4/dsdb/samdb/ldb_modules/tests/test_encrypted_secrets.c -+++ b/source4/dsdb/samdb/ldb_modules/tests/test_encrypted_secrets.c -@@ -390,26 +390,6 @@ static void test_gnutls_value_encryption(void **state) - &decrypted->cleartext, - &plain_text)); - } -- -- { -- struct PlaintextSecret *decrypted = -- talloc_zero(test_ctx, struct PlaintextSecret); -- samba_decrypt_aead( -- &err, -- test_ctx, -- test_ctx->ldb, -- &es, -- decrypted, -- data); -- assert_int_equal(LDB_SUCCESS, err); -- assert_int_equal( -- plain_text.length, -- decrypted->cleartext.length); -- assert_int_equal(0, -- data_blob_cmp( -- &decrypted->cleartext, -- &plain_text)); -- } - } - #endif /* HAVE_GNUTLS_AEAD */ - -@@ -613,9 +593,11 @@ static void test_gnutls_altered_iv(void **state) - } - } - #endif /* HAVE_GNUTLS_AEAD */ -+ - /* - * Test samba encryption and decryption and decryption. 
- */ -+#ifndef HAVE_GNUTLS_AEAD - static void test_samba_value_encryption(void **state) - { - struct ldbtest_ctx *test_ctx = -@@ -647,29 +629,6 @@ static void test_samba_value_encryption(void **state) - assert_true(NDR_ERR_CODE_IS_SUCCESS(rc)); - assert_true(check_header(&es)); - --#ifdef HAVE_GNUTLS_AEAD -- { -- struct PlaintextSecret *decrypted = -- talloc_zero(test_ctx, struct PlaintextSecret); -- gnutls_decrypt_aead( -- &err, -- test_ctx, -- test_ctx->ldb, -- &es, -- decrypted, -- data); -- assert_int_equal(LDB_SUCCESS, err); -- assert_int_equal( -- plain_text.length, -- decrypted->cleartext.length); -- assert_int_equal(0, -- data_blob_cmp( -- &decrypted->cleartext, -- &plain_text)); -- } --#endif /* HAVE_GNUTLS_AEAD */ -- -- - { - struct PlaintextSecret *decrypted = - talloc_zero(test_ctx, struct PlaintextSecret); -@@ -886,6 +845,7 @@ static void test_samba_altered_iv(void **state) - assert_int_equal(LDB_ERR_OPERATIONS_ERROR, err); - } - } -+#endif - - /* - * Test message encryption. -@@ -1188,7 +1148,7 @@ int main(void) { - test_gnutls_altered_iv, - setup_with_key, - teardown), --#endif /* HAVE_GNUTLS_AEAD */ -+#else - cmocka_unit_test_setup_teardown( - test_samba_value_encryption, - setup_with_key, -@@ -1205,6 +1165,7 @@ int main(void) { - test_samba_altered_iv, - setup_with_key, - teardown), -+#endif /* HAVE_GNUTLS_AEAD */ - cmocka_unit_test_setup_teardown( - test_message_encryption_decryption, - setup_with_key, --- -2.23.0 - diff --git a/SOURCES/0086-s4-samdb-Only-include-necessary-header-files-in-encr.patch b/SOURCES/0086-s4-samdb-Only-include-necessary-header-files-in-encr.patch deleted file mode 100644 index 36a587e..0000000 --- a/SOURCES/0086-s4-samdb-Only-include-necessary-header-files-in-encr.patch +++ /dev/null 
@@ -1,30 +0,0 @@ -From 23e2849f8f5b119ebce9cb0aeee098a8c1a388e0 Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Tue, 26 Feb 2019 18:33:09 +0100 -Subject: [PATCH 086/187] s4:samdb: Only include necessary header files in - encrypted_secrets - -Signed-off-by: Andreas Schneider -Reviewed-by: Andrew Bartlett -(cherry picked from commit d46e538d52433f5f30a5696e5b18bc4b82101951) ---- - source4/dsdb/samdb/ldb_modules/encrypted_secrets.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/source4/dsdb/samdb/ldb_modules/encrypted_secrets.c b/source4/dsdb/samdb/ldb_modules/encrypted_secrets.c -index 5f8cd8747ea..e0932858588 100644 ---- a/source4/dsdb/samdb/ldb_modules/encrypted_secrets.c -+++ b/source4/dsdb/samdb/ldb_modules/encrypted_secrets.c -@@ -52,7 +52,8 @@ - #endif /* BUILD_WITH_GNUTLS_AEAD */ - - #ifdef BUILD_WITH_SAMBA_AES_GCM -- #include "lib/crypto/crypto.h" -+ #include "lib/crypto/aes.h" -+ #include "lib/crypto/aes_gcm_128.h" - #endif /* BUILD_WITH_SAMBA_AES_GCM */ - - static const char * const secret_attributes[] = {DSDB_SECRET_ATTRIBUTES}; --- -2.23.0 - diff --git a/SOURCES/0087-waf-Check-for-GNUTLS-AES-CFB-support.patch b/SOURCES/0087-waf-Check-for-GNUTLS-AES-CFB-support.patch deleted file mode 100644 index 4ad05c2..0000000 --- a/SOURCES/0087-waf-Check-for-GNUTLS-AES-CFB-support.patch +++ /dev/null 
@@ -1,29 +0,0 @@ -From ea3711fc1f4459a9654dd237ffbc71a42375629c Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Fri, 1 Mar 2019 17:35:02 +0100 -Subject: [PATCH 087/187] waf: Check for GNUTLS AES CFB support - -Signed-off-by: Andreas Schneider -Reviewed-by: Andrew Bartlett -(cherry picked from commit 20a42459df4fdd57cdf1807a3d97dc5b1c553476) ---- - wscript_configure_system_gnutls | 6 ++++++ - 1 file changed, 6 insertions(+) - -diff --git a/wscript_configure_system_gnutls b/wscript_configure_system_gnutls -index cc9a2b035a2..85824aad4ed 100644 ---- a/wscript_configure_system_gnutls -+++ b/wscript_configure_system_gnutls -@@ -36,3 +36,9 @@ if conf.CHECK_FUNCS_IN('gnutls_aead_cipher_init', - conf.DEFINE('HAVE_GNUTLS_AEAD', '1') - else: - Logs.warn('No gnutls support for AEAD encryption') -+ -+if conf.CHECK_VALUEOF('GNUTLS_CIPHER_AES_128_CFB8', headers='gnutls/gnutls.h'): -+ conf.DEFINE('HAVE_GNUTLS_AES_CFB8', 1) -+ conf.DEFINE('HAVE_GNUTLS_3_4_7', 1) -+else: -+ Logs.warn('No gnutls support for AES CFB8') --- -2.23.0 - diff --git a/SOURCES/0088-libcli-auth-Use-netlogon_creds_aes_encrypt-in-netlog.patch b/SOURCES/0088-libcli-auth-Use-netlogon_creds_aes_encrypt-in-netlog.patch deleted file mode 100644 index 6d50e27..0000000 --- a/SOURCES/0088-libcli-auth-Use-netlogon_creds_aes_encrypt-in-netlog.patch +++ /dev/null 
@@ -1,35 +0,0 @@ -From 563e6a454706f29171b4bf06473cc40c557b0eed Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Fri, 1 Mar 2019 17:33:01 +0100 -Subject: [PATCH 088/187] libcli:auth: Use netlogon_creds_aes_encrypt() in - netlogon_creds_step_crypt() - -Signed-off-by: Andreas Schneider -Reviewed-by: Andrew Bartlett -(cherry picked from commit cd97c47873007bfc502926070a758b520d95abf1) ---- - libcli/auth/credentials.c | 7 ++----- - 1 file changed, 2 insertions(+), 5 deletions(-) - -diff --git a/libcli/auth/credentials.c b/libcli/auth/credentials.c -index 319dacdac0b..3b31d1e0300 100644 ---- a/libcli/auth/credentials.c -+++ b/libcli/auth/credentials.c -@@ -35,12 +35,9 @@ static void netlogon_creds_step_crypt(struct netlogon_creds_CredentialState *cre - struct netr_Credential *out) - { - if (creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) { -- AES_KEY key; -- uint8_t iv[AES_BLOCK_SIZE] = {0}; -+ memcpy(out->data, in->data, sizeof(out->data)); - -- AES_set_encrypt_key(creds->session_key, 128, &key); -- -- aes_cfb8_encrypt(in->data, out->data, 8, &key, iv, AES_ENCRYPT); -+ netlogon_creds_aes_encrypt(creds, out->data, sizeof(out->data)); - } else { - des_crypt112(out->data, in->data, creds->session_key, 1); - } --- -2.23.0 - diff --git a/SOURCES/0089-libcli-auth-Use-GnuTLS-AES128-CFB-for-netlogon_creds.patch b/SOURCES/0089-libcli-auth-Use-GnuTLS-AES128-CFB-for-netlogon_creds.patch deleted file mode 100644 index 232ab2f..0000000 --- a/SOURCES/0089-libcli-auth-Use-GnuTLS-AES128-CFB-for-netlogon_creds.patch +++ /dev/null 
@@ -1,69 +0,0 @@ -From efe2ed9aa8d1a1be574149f591015cc063c24fb7 Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Fri, 1 Mar 2019 17:41:11 +0100 -Subject: [PATCH 089/187] libcli:auth: Use GnuTLS AES128 CFB for - netlogon_creds_aes_encrypt() - -Signed-off-by: Andreas Schneider -Reviewed-by: Andrew Bartlett -(cherry picked from commit 054efd118d7500e28f118722312aaae0df2749b0) ---- - libcli/auth/credentials.c | 36 ++++++++++++++++++++++++++++++++++++ - 1 file changed, 36 insertions(+) - -diff --git a/libcli/auth/credentials.c b/libcli/auth/credentials.c -index 3b31d1e0300..5a1692ef436 100644 ---- a/libcli/auth/credentials.c -+++ b/libcli/auth/credentials.c -@@ -295,12 +295,48 @@ NTSTATUS netlogon_creds_arcfour_crypt(struct netlogon_creds_CredentialState *cre - */ - void netlogon_creds_aes_encrypt(struct netlogon_creds_CredentialState *creds, uint8_t *data, size_t len) - { -+#ifdef HAVE_GNUTLS_AES_CFB8 -+ gnutls_cipher_hd_t cipher_hnd = NULL; -+ gnutls_datum_t key = { -+ .data = creds->session_key, -+ .size = sizeof(creds->session_key), -+ }; -+ uint32_t iv_size = -+ gnutls_cipher_get_iv_size(GNUTLS_CIPHER_AES_128_CFB8); -+ uint8_t _iv[iv_size]; -+ gnutls_datum_t iv = { -+ .data = _iv, -+ .size = iv_size, -+ }; -+ int rc; -+ -+ ZERO_ARRAY(_iv); -+ -+ rc = gnutls_cipher_init(&cipher_hnd, -+ GNUTLS_CIPHER_AES_128_CFB8, -+ &key, -+ &iv); -+ if (rc < 0) { -+ DBG_ERR("ERROR: gnutls_cipher_init: %s\n", -+ gnutls_strerror(rc)); -+ return; -+ } -+ -+ rc = gnutls_cipher_encrypt(cipher_hnd, data, len); -+ gnutls_cipher_deinit(cipher_hnd); -+ if (rc < 0) { -+ DBG_ERR("ERROR: gnutls_cipher_encrypt: %s\n", -+ gnutls_strerror(rc)); -+ return; -+ } -+#else /* NOT HAVE_GNUTLS_AES_CFB8 */ - AES_KEY key; - uint8_t iv[AES_BLOCK_SIZE] = {0}; - - AES_set_encrypt_key(creds->session_key, 128, &key); - - aes_cfb8_encrypt(data, data, len, &key, iv, AES_ENCRYPT); -+#endif /* HAVE_GNUTLS_AES_CFB8 */ - } - - /* --- -2.23.0 - 
diff --git a/SOURCES/0090-libcli-auth-Return-NTSTATUS-for-netlogon_creds_aes_e.patch b/SOURCES/0090-libcli-auth-Return-NTSTATUS-for-netlogon_creds_aes_e.patch deleted file mode 100644 index e09d0d6..0000000 --- a/SOURCES/0090-libcli-auth-Return-NTSTATUS-for-netlogon_creds_aes_e.patch +++ /dev/null 
@@ -1,82 +0,0 @@ -From cd45ceb7c38ef77ad9d6cc42ad8184ebc6829cf7 Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Wed, 29 May 2019 16:38:09 +0200 -Subject: [PATCH 090/187] libcli:auth: Return NTSTATUS for - netlogon_creds_aes_encrypt() - -Signed-off-by: Andreas Schneider -Reviewed-by: Andrew Bartlett - -Adapted by Andrew Bartlett to use gnutls_error_to_ntstatus() - -Signed-off-by: Andrew Bartlett -(cherry picked from commit ded5aad21b54b8783f7390fb2eca483d3861eeff) ---- - libcli/auth/credentials.c | 15 ++++++++------- - libcli/auth/proto.h | 4 +++- - 2 files changed, 11 insertions(+), 8 deletions(-) - -diff --git a/libcli/auth/credentials.c b/libcli/auth/credentials.c -index 5a1692ef436..87f8820238e 100644 ---- a/libcli/auth/credentials.c -+++ b/libcli/auth/credentials.c -@@ -293,7 +293,9 @@ NTSTATUS netlogon_creds_arcfour_crypt(struct netlogon_creds_CredentialState *cre - /* - AES encrypt a password buffer using the session key - */ --void netlogon_creds_aes_encrypt(struct netlogon_creds_CredentialState *creds, uint8_t *data, size_t len) -+NTSTATUS netlogon_creds_aes_encrypt(struct netlogon_creds_CredentialState *creds, -+ uint8_t *data, -+ size_t len) - { - #ifdef HAVE_GNUTLS_AES_CFB8 - gnutls_cipher_hd_t cipher_hnd = NULL; -@@ -317,18 +319,15 @@ void netlogon_creds_aes_encrypt(struct netlogon_creds_CredentialState *creds, ui - &key, - &iv); - if (rc < 0) { -- DBG_ERR("ERROR: gnutls_cipher_init: %s\n", -- gnutls_strerror(rc)); -- return; -+ return gnutls_error_to_ntstatus(rc, NT_STATUS_CRYPTO_SYSTEM_INVALID); - } - - rc = gnutls_cipher_encrypt(cipher_hnd, data, len); - gnutls_cipher_deinit(cipher_hnd); - if (rc < 0) { -- DBG_ERR("ERROR: gnutls_cipher_encrypt: %s\n", -- gnutls_strerror(rc)); -- return; -+ return gnutls_error_to_ntstatus(rc, NT_STATUS_CRYPTO_SYSTEM_INVALID); - } -+ - #else /* NOT HAVE_GNUTLS_AES_CFB8 */ - AES_KEY key; - uint8_t iv[AES_BLOCK_SIZE] = {0}; -@@ -337,6 +336,8 @@ void netlogon_creds_aes_encrypt(struct 
netlogon_creds_CredentialState *creds, ui - - aes_cfb8_encrypt(data, data, len, &key, iv, AES_ENCRYPT); - #endif /* HAVE_GNUTLS_AES_CFB8 */ -+ -+ return NT_STATUS_OK; - } - - /* -diff --git a/libcli/auth/proto.h b/libcli/auth/proto.h -index 65ee06215dc..639a50425e5 100644 ---- a/libcli/auth/proto.h -+++ b/libcli/auth/proto.h -@@ -18,7 +18,9 @@ void netlogon_creds_des_decrypt(struct netlogon_creds_CredentialState *creds, st - NTSTATUS netlogon_creds_arcfour_crypt(struct netlogon_creds_CredentialState *creds, - uint8_t *data, - size_t len); --void netlogon_creds_aes_encrypt(struct netlogon_creds_CredentialState *creds, uint8_t *data, size_t len); -+NTSTATUS netlogon_creds_aes_encrypt(struct netlogon_creds_CredentialState *creds, -+ uint8_t *data, -+ size_t len); - void netlogon_creds_aes_decrypt(struct netlogon_creds_CredentialState *creds, uint8_t *data, size_t len); - - /***************************************************************** --- -2.23.0 - diff --git a/SOURCES/0091-libcli-auth-Use-GnuTLS-AES128-CFB-for-netlogon_creds.patch b/SOURCES/0091-libcli-auth-Use-GnuTLS-AES128-CFB-for-netlogon_creds.patch deleted file mode 100644 index db39b96..0000000 --- a/SOURCES/0091-libcli-auth-Use-GnuTLS-AES128-CFB-for-netlogon_creds.patch +++ /dev/null 
@@ -1,84 +0,0 @@ -From 9b5fa6c165e98ddec38bc976bac0cfee62fd0d72 Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Mon, 18 Mar 2019 15:13:08 +0100 -Subject: [PATCH 091/187] libcli:auth: Use GnuTLS AES128 CFB for - netlogon_creds_aes_decrypt() - -Signed-off-by: Andreas Schneider -Reviewed-by: Andrew Bartlett -(cherry picked from commit a96728586150768957b88a0714b15f13ee9f81af) ---- - libcli/auth/credentials.c | 41 ++++++++++++++++++++++++++++++++++++++- - 1 file changed, 40 insertions(+), 1 deletion(-) - -diff --git a/libcli/auth/credentials.c b/libcli/auth/credentials.c -index 87f8820238e..cfeab6efdcd 100644 ---- a/libcli/auth/credentials.c -+++ b/libcli/auth/credentials.c -@@ -22,10 +22,13 @@ - - #include "includes.h" - #include "system/time.h" --#include "../lib/crypto/crypto.h" - #include "libcli/auth/libcli_auth.h" - #include "../libcli/security/dom_sid.h" - -+#ifndef HAVE_GNUTLS_AES_CFB8 -+#include "lib/crypto/aes.h" -+#endif -+ - #include "lib/crypto/gnutls_helpers.h" - #include - #include -@@ -345,12 +348,48 @@ NTSTATUS netlogon_creds_aes_encrypt(struct netlogon_creds_CredentialState *creds - */ - void netlogon_creds_aes_decrypt(struct netlogon_creds_CredentialState *creds, uint8_t *data, size_t len) - { -+#ifdef HAVE_GNUTLS_AES_CFB8 -+ gnutls_cipher_hd_t cipher_hnd = NULL; -+ gnutls_datum_t key = { -+ .data = creds->session_key, -+ .size = sizeof(creds->session_key), -+ }; -+ uint32_t iv_size = -+ gnutls_cipher_get_iv_size(GNUTLS_CIPHER_AES_128_CFB8); -+ uint8_t _iv[iv_size]; -+ gnutls_datum_t iv = { -+ .data = _iv, -+ .size = iv_size, -+ }; -+ int rc; -+ -+ ZERO_ARRAY(_iv); -+ -+ rc = gnutls_cipher_init(&cipher_hnd, -+ GNUTLS_CIPHER_AES_128_CFB8, -+ &key, -+ &iv); -+ if (rc < 0) { -+ DBG_ERR("ERROR: gnutls_cipher_init: %s\n", -+ gnutls_strerror(rc)); -+ return; -+ } -+ -+ rc = gnutls_cipher_decrypt(cipher_hnd, data, len); -+ gnutls_cipher_deinit(cipher_hnd); -+ if (rc < 0) { -+ DBG_ERR("ERROR: gnutls_cipher_decrypt: %s\n", -+ gnutls_strerror(rc)); -+ 
return; -+ } -+#else /* NOT HAVE_GNUTLS_AES_CFB8 */ - AES_KEY key; - uint8_t iv[AES_BLOCK_SIZE] = {0}; - - AES_set_encrypt_key(creds->session_key, 128, &key); - - aes_cfb8_encrypt(data, data, len, &key, iv, AES_DECRYPT); -+#endif /* HAVE_GNUTLS_AES_CFB8 */ - } - - /***************************************************************** --- -2.23.0 - diff --git a/SOURCES/0092-libcli-auth-Return-NTSTATUS-from-netlogon_creds_aes_.patch b/SOURCES/0092-libcli-auth-Return-NTSTATUS-from-netlogon_creds_aes_.patch deleted file mode 100644 index bdeeaca..0000000 --- a/SOURCES/0092-libcli-auth-Return-NTSTATUS-from-netlogon_creds_aes_.patch +++ /dev/null 
@@ -1,78 +0,0 @@ -From a5149014cc8a0da7b8c664a465f6108c390d127d Mon Sep 17 00:00:00 2001 -From: Andrew Bartlett -Date: Fri, 16 Aug 2019 12:34:28 +1200 -Subject: [PATCH 092/187] libcli:auth Return NTSTATUS from - netlogon_creds_aes_decrypt() - -Signed-off-by: Andrew Bartlett -Reviewed-by: Andreas Schneider -(cherry picked from commit 8ec796f1a1daa444bba06f34a50d2b62ee4a2ef9) ---- - libcli/auth/credentials.c | 15 ++++++++------- - libcli/auth/proto.h | 4 +++- - 2 files changed, 11 insertions(+), 8 deletions(-) - -diff --git a/libcli/auth/credentials.c b/libcli/auth/credentials.c -index cfeab6efdcd..955e08b7385 100644 ---- a/libcli/auth/credentials.c -+++ b/libcli/auth/credentials.c -@@ -346,7 +346,7 @@ NTSTATUS netlogon_creds_aes_encrypt(struct netlogon_creds_CredentialState *creds - /* - AES decrypt a password buffer using the session key - */ --void netlogon_creds_aes_decrypt(struct netlogon_creds_CredentialState *creds, uint8_t *data, size_t len) -+NTSTATUS netlogon_creds_aes_decrypt(struct netlogon_creds_CredentialState *creds, uint8_t *data, size_t len) - { - #ifdef HAVE_GNUTLS_AES_CFB8 - gnutls_cipher_hd_t cipher_hnd = NULL; -@@ -370,18 +370,17 @@ void netlogon_creds_aes_decrypt(struct netlogon_creds_CredentialState *creds, ui - &key, - &iv); - if (rc < 0) { -- DBG_ERR("ERROR: gnutls_cipher_init: %s\n", -- gnutls_strerror(rc)); -- return; -+ return gnutls_error_to_ntstatus(rc, -+ NT_STATUS_CRYPTO_SYSTEM_INVALID); - } - - rc = gnutls_cipher_decrypt(cipher_hnd, data, len); - gnutls_cipher_deinit(cipher_hnd); - if (rc < 0) { -- DBG_ERR("ERROR: gnutls_cipher_decrypt: %s\n", -- gnutls_strerror(rc)); -- return; -+ return gnutls_error_to_ntstatus(rc, -+ NT_STATUS_CRYPTO_SYSTEM_INVALID); - } -+ - #else /* NOT HAVE_GNUTLS_AES_CFB8 */ - AES_KEY key; - uint8_t iv[AES_BLOCK_SIZE] = {0}; -@@ -390,6 +389,8 @@ void netlogon_creds_aes_decrypt(struct netlogon_creds_CredentialState *creds, ui - - aes_cfb8_encrypt(data, data, len, &key, iv, AES_DECRYPT); - #endif /* 
HAVE_GNUTLS_AES_CFB8 */ -+ -+ return NT_STATUS_OK; - } - - /***************************************************************** -diff --git a/libcli/auth/proto.h b/libcli/auth/proto.h -index 639a50425e5..714652bdb76 100644 ---- a/libcli/auth/proto.h -+++ b/libcli/auth/proto.h -@@ -21,7 +21,9 @@ NTSTATUS netlogon_creds_arcfour_crypt(struct netlogon_creds_CredentialState *cre - NTSTATUS netlogon_creds_aes_encrypt(struct netlogon_creds_CredentialState *creds, - uint8_t *data, - size_t len); --void netlogon_creds_aes_decrypt(struct netlogon_creds_CredentialState *creds, uint8_t *data, size_t len); -+NTSTATUS netlogon_creds_aes_decrypt(struct netlogon_creds_CredentialState *creds, -+ uint8_t *data, -+ size_t len); - - /***************************************************************** - The above functions are common to the client and server interface --- -2.23.0 - diff --git a/SOURCES/0093-crypto-Update-REQUIREMENTS-file-with-new-minimum-ver.patch b/SOURCES/0093-crypto-Update-REQUIREMENTS-file-with-new-minimum-ver.patch deleted file mode 100644 index d002f49..0000000 --- a/SOURCES/0093-crypto-Update-REQUIREMENTS-file-with-new-minimum-ver.patch +++ /dev/null 
@@ -1,30 +0,0 @@ -From fb7713126043eaa2bffcf4b73d63fe371781cc1c Mon Sep 17 00:00:00 2001 -From: Andrew Bartlett -Date: Fri, 16 Aug 2019 13:52:36 +1200 -Subject: [PATCH 093/187] crypto: Update REQUIREMENTS file with new minimum - version - -Signed-off-by: Andrew Bartlett -Reviewed-by: Andreas Schneider -(cherry picked from commit 5ae119e7e9ddcfb3473e14585ba6079147a307bd) ---- - lib/crypto/REQUIREMENTS | 3 +-- - 1 file changed, 1 insertion(+), 2 deletions(-) - -diff --git a/lib/crypto/REQUIREMENTS b/lib/crypto/REQUIREMENTS -index ff91a2f9174..5ebf3ba0e05 100644 ---- a/lib/crypto/REQUIREMENTS -+++ b/lib/crypto/REQUIREMENTS -@@ -4,8 +4,7 @@ This list is to allow research into using external crypto libraries. - Those possibly supported in the git version of GnuTLS are indicated as '# GNUTLS' - Those possibly supported in the git version of nettle are indicated as '# NETTLE' - --For Samba AD with Heimdal gnutls >= 3.0.0 is required --For Samba AD with MIT kerberos gnutls >= 3.4.7 is required -+Samba in general gnutls >= 3.4.7 is required - Samba FS with MS Catalog support will require gnutls >= 3.5.6 - - GnuTLS Milestone for Samba support: --- -2.23.0 - diff --git a/SOURCES/0094-libcli-auth-Check-NTSTATUS-from-netlogon_creds_aes_-.patch b/SOURCES/0094-libcli-auth-Check-NTSTATUS-from-netlogon_creds_aes_-.patch deleted file mode 100644 index dc1b31d..0000000 --- a/SOURCES/0094-libcli-auth-Check-NTSTATUS-from-netlogon_creds_aes_-.patch +++ /dev/null 
@@ -1,134 +0,0 @@ -From d054df5519b1a25d031f95e098c1f40d59083c3d Mon Sep 17 00:00:00 2001 -From: Andrew Bartlett -Date: Fri, 16 Aug 2019 13:55:49 +1200 -Subject: [PATCH 094/187] libcli:auth Check NTSTATUS from - netlogon_creds_aes_{en,de}crypt() - -Signed-off-by: Andrew Bartlett -Reviewed-by: Andreas Schneider -(cherry picked from commit d515b255aa67186ff375af0b465c49722eb56427) ---- - libcli/auth/credentials.c | 76 +++++++++++++++++++++++++++------------ - 1 file changed, 53 insertions(+), 23 deletions(-) - -diff --git a/libcli/auth/credentials.c b/libcli/auth/credentials.c -index 955e08b7385..baa436df71b 100644 ---- a/libcli/auth/credentials.c -+++ b/libcli/auth/credentials.c -@@ -712,27 +712,36 @@ static NTSTATUS netlogon_creds_crypt_samlogon_validation(struct netlogon_creds_C - /* Don't crypt an all-zero key, it would give away the NETLOGON pipe session key */ - if (!all_zero(base->key.key, sizeof(base->key.key))) { - if (do_encrypt) { -- netlogon_creds_aes_encrypt(creds, -- base->key.key, -- sizeof(base->key.key)); -+ status = netlogon_creds_aes_encrypt( -+ creds, -+ base->key.key, -+ sizeof(base->key.key)); - } else { -- netlogon_creds_aes_decrypt(creds, -- base->key.key, -- sizeof(base->key.key)); -+ status = netlogon_creds_aes_decrypt( -+ creds, -+ base->key.key, -+ sizeof(base->key.key)); -+ } -+ if (!NT_STATUS_IS_OK(status)) { -+ return status; - } - } - - if (!all_zero(base->LMSessKey.key, - sizeof(base->LMSessKey.key))) { - if (do_encrypt) { -- netlogon_creds_aes_encrypt(creds, -- base->LMSessKey.key, -- sizeof(base->LMSessKey.key)); -- -+ status = netlogon_creds_aes_encrypt( -+ creds, -+ base->LMSessKey.key, -+ sizeof(base->LMSessKey.key)); - } else { -- netlogon_creds_aes_decrypt(creds, -- base->LMSessKey.key, -- sizeof(base->LMSessKey.key)); -+ status = netlogon_creds_aes_decrypt( -+ creds, -+ base->LMSessKey.key, -+ sizeof(base->LMSessKey.key)); -+ } -+ if (!NT_STATUS_IS_OK(status)) { -+ return status; - } - } - } else if (creds->negotiate_flags & 
NETLOGON_NEG_ARCFOUR) { -@@ -818,18 +827,34 @@ static NTSTATUS netlogon_creds_crypt_samlogon_logon(struct netlogon_creds_Creden - h = logon->password->lmpassword.hash; - if (!all_zero(h, 16)) { - if (do_encrypt) { -- netlogon_creds_aes_encrypt(creds, h, 16); -+ status = netlogon_creds_aes_encrypt( -+ creds, -+ h, -+ 16); - } else { -- netlogon_creds_aes_decrypt(creds, h, 16); -+ status = netlogon_creds_aes_decrypt( -+ creds, -+ h, -+ 16); -+ } -+ if (!NT_STATUS_IS_OK(status)) { -+ return status; - } - } - - h = logon->password->ntpassword.hash; - if (!all_zero(h, 16)) { - if (do_encrypt) { -- netlogon_creds_aes_encrypt(creds, h, 16); -+ status = netlogon_creds_aes_encrypt(creds, -+ h, -+ 16); - } else { -- netlogon_creds_aes_decrypt(creds, h, 16); -+ status = netlogon_creds_aes_decrypt(creds, -+ h, -+ 16); -+ } -+ if (!NT_STATUS_IS_OK(status)) { -+ return status; - } - } - } else if (creds->negotiate_flags & NETLOGON_NEG_ARCFOUR) { -@@ -887,13 +912,18 @@ static NTSTATUS netlogon_creds_crypt_samlogon_logon(struct netlogon_creds_Creden - - if (creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) { - if (do_encrypt) { -- netlogon_creds_aes_encrypt(creds, -- logon->generic->data, -- logon->generic->length); -+ status = netlogon_creds_aes_encrypt( -+ creds, -+ logon->generic->data, -+ logon->generic->length); - } else { -- netlogon_creds_aes_decrypt(creds, -- logon->generic->data, -- logon->generic->length); -+ status = netlogon_creds_aes_decrypt( -+ creds, -+ logon->generic->data, -+ logon->generic->length); -+ } -+ if (!NT_STATUS_IS_OK(status)) { -+ return status; - } - } else if (creds->negotiate_flags & NETLOGON_NEG_ARCFOUR) { - status = netlogon_creds_arcfour_crypt(creds, --- -2.23.0 - diff --git a/SOURCES/0095-s3-rpc_server-Check-NTSTATUS-return-value-from-netlo.patch b/SOURCES/0095-s3-rpc_server-Check-NTSTATUS-return-value-from-netlo.patch deleted file mode 100644 index 8b22567..0000000 
--- a/SOURCES/0095-s3-rpc_server-Check-NTSTATUS-return-value-from-netlo.patch +++ /dev/null @@ -1,41 +0,0 @@ -From ca38586a27089b6bf8769b3701e8fc7ccd5f9215 Mon Sep 17 00:00:00 2001 -From: Andrew Bartlett -Date: Fri, 16 Aug 2019 14:05:38 +1200 -Subject: [PATCH 095/187] s3-rpc_server: Check NTSTATUS return value from - netlogon_creds_aes_decrypt() - -Signed-off-by: Andrew Bartlett -Reviewed-by: Andreas Schneider -(cherry picked from commit 2f827bec8ca831fb486c8ebedc6b89b7f1cb99e2) ---- - source3/rpc_server/netlogon/srv_netlog_nt.c | 10 ++++++---- - 1 file changed, 6 insertions(+), 4 deletions(-) - -diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c -index 08bce367bf0..671300676ff 100644 ---- a/source3/rpc_server/netlogon/srv_netlog_nt.c -+++ b/source3/rpc_server/netlogon/srv_netlog_nt.c -@@ -1369,14 +1369,16 @@ NTSTATUS _netr_ServerPasswordSet2(struct pipes_struct *p, - SIVAL(password_buf.data, 512, r->in.new_password->length); - - if (creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) { -- netlogon_creds_aes_decrypt(creds, password_buf.data, 516); -+ status = netlogon_creds_aes_decrypt(creds, -+ password_buf.data, -+ 516); - } else { - status = netlogon_creds_arcfour_crypt(creds, - password_buf.data, - 516); -- if (!NT_STATUS_IS_OK(status)) { -- return status; -- } -+ } -+ if (!NT_STATUS_IS_OK(status)) { -+ return status; - } - - if (!decode_pw_buffer(p->mem_ctx, --- -2.23.0 - diff --git a/SOURCES/0096-s4-rpc_server-Check-NTSTATUS-return-value-from-netlo.patch b/SOURCES/0096-s4-rpc_server-Check-NTSTATUS-return-value-from-netlo.patch deleted file mode 100644 index a2dfae5..0000000 --- a/SOURCES/0096-s4-rpc_server-Check-NTSTATUS-return-value-from-netlo.patch +++ /dev/null 
@@ -1,63 +0,0 @@ -From 2558252a6fc918cfe5e9bdfc0d7b98a1324ab61b Mon Sep 17 00:00:00 2001 -From: Andrew Bartlett -Date: Fri, 16 Aug 2019 14:15:45 +1200 -Subject: [PATCH 096/187] s4-rpc_server: Check NTSTATUS return value from - netlogon_creds_aes_decrypt() - -Signed-off-by: Andrew Bartlett -Reviewed-by: Andreas Schneider -(cherry picked from commit 1e427f55d71350b25a8a26e94a5cb7895d8efdf6) ---- - source4/rpc_server/netlogon/dcerpc_netlogon.c | 21 ++++++++++++------- - 1 file changed, 13 insertions(+), 8 deletions(-) - -diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c -index ac745e32b02..49a075137ff 100644 ---- a/source4/rpc_server/netlogon/dcerpc_netlogon.c -+++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c -@@ -747,14 +747,17 @@ static NTSTATUS dcesrv_netr_ServerPasswordSet2(struct dcesrv_call_state *dce_cal - SIVAL(password_buf.data, 512, r->in.new_password->length); - - if (creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) { -- netlogon_creds_aes_decrypt(creds, password_buf.data, 516); -+ nt_status = netlogon_creds_aes_decrypt(creds, -+ password_buf.data, -+ 516); - } else { - nt_status = netlogon_creds_arcfour_crypt(creds, - password_buf.data, - 516); -- if (!NT_STATUS_IS_OK(nt_status)) { -- return nt_status; -- } -+ } -+ -+ if (!NT_STATUS_IS_OK(nt_status)) { -+ return nt_status; - } - - switch (creds->secure_channel_type) { -@@ -2803,14 +2806,16 @@ static NTSTATUS dcesrv_netr_NetrLogonSendToSam(struct dcesrv_call_state *dce_cal - - /* Buffer is meant to be 16-bit aligned */ - if (creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) { -- netlogon_creds_aes_decrypt(creds, r->in.opaque_buffer, r->in.buffer_len); -+ nt_status = netlogon_creds_aes_decrypt(creds, -+ r->in.opaque_buffer, -+ r->in.buffer_len); - } else { - nt_status = netlogon_creds_arcfour_crypt(creds, - r->in.opaque_buffer, - r->in.buffer_len); -- if (!NT_STATUS_IS_OK(nt_status)) { -- return nt_status; -- } -+ } -+ if 
(!NT_STATUS_IS_OK(nt_status)) { -+ return nt_status; - } - - decrypted_blob.data = r->in.opaque_buffer; --- -2.23.0 - diff --git a/SOURCES/0097-s3-librpc-Remove-unused-init_netr_CryptPassword.patch b/SOURCES/0097-s3-librpc-Remove-unused-init_netr_CryptPassword.patch deleted file mode 100644 index f7fb55a..0000000 --- a/SOURCES/0097-s3-librpc-Remove-unused-init_netr_CryptPassword.patch +++ /dev/null 
@@ -1,148 +0,0 @@ -From 5913cd056fae4d3a147326a30182a2d30bfe7857 Mon Sep 17 00:00:00 2001 -From: Andrew Bartlett -Date: Fri, 16 Aug 2019 14:22:42 +1200 -Subject: [PATCH 097/187] s3-librpc: Remove unused init_netr_CryptPassword() - -Unused since 38d4dba37406515181e4d6f1a1faffc18e652e27 in 2013 - -Signed-off-by: Andrew Bartlett -Reviewed-by: Andreas Schneider -(cherry picked from commit 1aa249e7f4a1c4222b4cc79bac64c8b95c89d868) ---- - source3/rpc_client/cli_netlogon.c | 1 - - source3/rpc_client/init_netlogon.c | 50 ------------------------------ - source3/rpc_client/init_netlogon.h | 29 ----------------- - source3/wscript_build | 5 --- - 4 files changed, 85 deletions(-) - delete mode 100644 source3/rpc_client/init_netlogon.c - delete mode 100644 source3/rpc_client/init_netlogon.h - -diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c -index 505a1d015bc..ea9cb757048 100644 ---- a/source3/rpc_client/cli_netlogon.c -+++ b/source3/rpc_client/cli_netlogon.c -@@ -30,7 +30,6 @@ - #include "../librpc/gen_ndr/ndr_netlogon_c.h" - #include "../librpc/gen_ndr/schannel.h" - #include "rpc_client/cli_netlogon.h" --#include "rpc_client/init_netlogon.h" - #include "rpc_client/util_netlogon.h" - #include "../libcli/security/security.h" - #include "lib/param/param.h" -diff --git a/source3/rpc_client/init_netlogon.c b/source3/rpc_client/init_netlogon.c -deleted file mode 100644 -index 26deaba8065..00000000000 ---- a/source3/rpc_client/init_netlogon.c -+++ /dev/null -@@ -1,50 +0,0 @@ --/* -- * Unix SMB/CIFS implementation. -- * RPC Pipe client / server routines -- * Copyright (C) Guenther Deschner 2008,2012 -- * -- * This program is free software; you can redistribute it and/or modify -- * it under the terms of the GNU General Public License as published by -- * the Free Software Foundation; either version 3 of the License, or -- * (at your option) any later version. 
-- * -- * This program is distributed in the hope that it will be useful, -- * but WITHOUT ANY WARRANTY; without even the implied warranty of -- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -- * GNU General Public License for more details. -- * -- * You should have received a copy of the GNU General Public License -- * along with this program; if not, see . -- */ -- --#include "includes.h" --#include "../libcli/auth/libcli_auth.h" --#include "../lib/crypto/crypto.h" --#include "rpc_client/init_netlogon.h" -- --/************************************************************************* -- inits a netr_CryptPassword structure -- *************************************************************************/ -- --void init_netr_CryptPassword(const char *pwd, -- struct netlogon_creds_CredentialState *creds, -- struct netr_CryptPassword *pwd_buf) --{ -- struct samr_CryptPassword password_buf; -- NTSTATUS status; -- -- encode_pw_buffer(password_buf.data, pwd, STR_UNICODE); -- -- if (creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) { -- netlogon_creds_aes_encrypt(creds, password_buf.data, 516); -- } else { -- status = netlogon_creds_arcfour_crypt(creds, -- password_buf.data, -- 516); -- if (!NT_STATUS_IS_OK(status)) { -- return; -- } -- } -- memcpy(pwd_buf->data, password_buf.data, 512); -- pwd_buf->length = IVAL(password_buf.data, 512); --} -diff --git a/source3/rpc_client/init_netlogon.h b/source3/rpc_client/init_netlogon.h -deleted file mode 100644 -index bb4496b4cd9..00000000000 ---- a/source3/rpc_client/init_netlogon.h -+++ /dev/null -@@ -1,29 +0,0 @@ --/* -- * Unix SMB/CIFS implementation. -- * RPC Pipe client / server routines -- * Copyright (C) Guenther Deschner 2008. -- * -- * This program is free software; you can redistribute it and/or modify -- * it under the terms of the GNU General Public License as published by -- * the Free Software Foundation; either version 3 of the License, or -- * (at your option) any later version. 
-- * -- * This program is distributed in the hope that it will be useful, -- * but WITHOUT ANY WARRANTY; without even the implied warranty of -- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -- * GNU General Public License for more details. -- * -- * You should have received a copy of the GNU General Public License -- * along with this program; if not, see . -- */ -- --#ifndef _RPC_CLIENT_INIT_NETLOGON_H_ --#define _RPC_CLIENT_INIT_NETLOGON_H_ -- --/* The following definitions come from rpc_client/init_netlogon.c */ -- --void init_netr_CryptPassword(const char *pwd, -- struct netlogon_creds_CredentialState *creds, -- struct netr_CryptPassword *pwd_buf); -- --#endif /* _RPC_CLIENT_INIT_NETLOGON_H_ */ -diff --git a/source3/wscript_build b/source3/wscript_build -index b73f6dc0664..ce3fa362bc2 100644 ---- a/source3/wscript_build -+++ b/source3/wscript_build -@@ -1024,7 +1024,6 @@ bld.SAMBA3_LIBRARY('libcli_netlogon3', - deps=''' - msrpc3 - RPC_NDR_NETLOGON -- INIT_NETLOGON - cliauth - smbconf - NETLOGON_CREDS_CLI''', -@@ -1057,10 +1056,6 @@ bld.SAMBA3_SUBSYSTEM('INIT_LSA', - source='rpc_client/init_lsa.c', - deps='samba-util') - --bld.SAMBA3_SUBSYSTEM('INIT_NETLOGON', -- source='rpc_client/init_netlogon.c', -- deps='samba-util') -- - bld.SAMBA3_SUBSYSTEM('INIT_SAMR', - source='rpc_client/init_samr.c', - deps='samba-util GNUTLS_HELPERS') --- -2.23.0 - diff --git a/SOURCES/0098-auth-credentials-Check-NTSTATUS-return-from-netlogon.patch b/SOURCES/0098-auth-credentials-Check-NTSTATUS-return-from-netlogon.patch deleted file mode 100644 index fdd9693..0000000 --- a/SOURCES/0098-auth-credentials-Check-NTSTATUS-return-from-netlogon.patch +++ /dev/null 
@@ -1,47 +0,0 @@ -From cef95d8835a04065b9c7422a637f60efdb9a93fe Mon Sep 17 00:00:00 2001 -From: Andrew Bartlett -Date: Fri, 16 Aug 2019 14:29:45 +1200 -Subject: [PATCH 098/187] auth/credentials: Check NTSTATUS return from - netlogon_creds_aes_encrypt() - -Signed-off-by: Andrew Bartlett -Reviewed-by: Andreas Schneider -(cherry picked from commit fefd95091cc52f5e2655fa392312a8b1fa1d35fd) ---- - auth/credentials/credentials.c | 14 +++++++------- - 1 file changed, 7 insertions(+), 7 deletions(-) - -diff --git a/auth/credentials/credentials.c b/auth/credentials/credentials.c -index 5ebec483705..81f9dbb9eb3 100644 ---- a/auth/credentials/credentials.c -+++ b/auth/credentials/credentials.c -@@ -1333,19 +1333,19 @@ _PUBLIC_ NTSTATUS netlogon_creds_session_encrypt( - return NT_STATUS_INVALID_PARAMETER; - } - if (state->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) { -- netlogon_creds_aes_encrypt(state, -- data.data, -- data.length); -+ status = netlogon_creds_aes_encrypt(state, -+ data.data, -+ data.length); - } else if (state->negotiate_flags & NETLOGON_NEG_ARCFOUR) { - status = netlogon_creds_arcfour_crypt(state, - data.data, - data.length); -- if (!NT_STATUS_IS_OK(status)) { -- return status; -- } - } else { - DBG_ERR("Unsupported encryption option negotiated"); -- return NT_STATUS_NOT_SUPPORTED; -+ status = NT_STATUS_NOT_SUPPORTED; -+ } -+ if (!NT_STATUS_IS_OK(status)) { -+ return status; - } - return NT_STATUS_OK; - } --- -2.23.0 - diff --git a/SOURCES/0099-auth-gensec-Use-GnuTLS-AES128-CFB8-in-netsec_do_seq_.patch b/SOURCES/0099-auth-gensec-Use-GnuTLS-AES128-CFB8-in-netsec_do_seq_.patch deleted file mode 100644 index da56ce3..0000000 --- a/SOURCES/0099-auth-gensec-Use-GnuTLS-AES128-CFB8-in-netsec_do_seq_.patch +++ /dev/null 
@@ -1,74 +0,0 @@ -From 9be58c7b284bad6a721363354603a25a9aa4b29b Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Fri, 1 Mar 2019 17:55:02 +0100 -Subject: [PATCH 099/187] auth:gensec: Use GnuTLS AES128 CFB8 in - netsec_do_seq_num() - -Signed-off-by: Andreas Schneider -Reviewed-by: Andrew Bartlett -(cherry picked from commit 58c781dc93e24895b2c4b97fa311c66af30e278e) ---- - auth/gensec/schannel.c | 40 ++++++++++++++++++++++++++++++++++++++++ - 1 file changed, 40 insertions(+) - -diff --git a/auth/gensec/schannel.c b/auth/gensec/schannel.c -index 74a3eb5c690..719849fa0cc 100644 ---- a/auth/gensec/schannel.c -+++ b/auth/gensec/schannel.c -@@ -147,6 +147,45 @@ static NTSTATUS netsec_do_seq_num(struct schannel_state *state, - uint8_t seq_num[8]) - { - if (state->creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) { -+#ifdef HAVE_GNUTLS_AES_CFB8 -+ gnutls_cipher_hd_t cipher_hnd = NULL; -+ gnutls_datum_t key = { -+ .data = state->creds->session_key, -+ .size = sizeof(state->creds->session_key), -+ }; -+ uint32_t iv_size = -+ gnutls_cipher_get_iv_size(GNUTLS_CIPHER_AES_128_CFB8); -+ uint8_t _iv[iv_size]; -+ gnutls_datum_t iv = { -+ .data = _iv, -+ .size = iv_size, -+ }; -+ int rc; -+ -+ ZERO_ARRAY(_iv); -+ -+ memcpy(iv.data + 0, checksum, 8); -+ memcpy(iv.data + 8, checksum, 8); -+ -+ rc = gnutls_cipher_init(&cipher_hnd, -+ GNUTLS_CIPHER_AES_128_CFB8, -+ &key, -+ &iv); -+ if (rc < 0) { -+ DBG_ERR("ERROR: gnutls_cipher_init: %s\n", -+ gnutls_strerror(rc)); -+ return NT_STATUS_INTERNAL_ERROR; -+ } -+ -+ rc = gnutls_cipher_encrypt(cipher_hnd, seq_num, 8); -+ gnutls_cipher_deinit(cipher_hnd); -+ if (rc < 0) { -+ DBG_ERR("ERROR: gnutls_cipher_encrypt: %s\n", -+ gnutls_strerror(rc)); -+ return NT_STATUS_INTERNAL_ERROR; -+ } -+ -+#else /* NOT HAVE_GNUTLS_AES_CFB8 */ - AES_KEY key; - uint8_t iv[AES_BLOCK_SIZE]; - -@@ -156,6 +195,7 @@ static NTSTATUS netsec_do_seq_num(struct schannel_state *state, - memcpy(iv+8, checksum, 8); - - aes_cfb8_encrypt(seq_num, seq_num, 8, &key, 
iv, AES_ENCRYPT); -+#endif /* HAVE_GNUTLS_AES_CFB8 */ - } else { - static const uint8_t zeros[4]; - uint8_t _sequence_key[16]; --- -2.23.0 - diff --git a/SOURCES/0100-auth-gensec-Use-gnutls_error_to_ntstatus-consistentl.patch b/SOURCES/0100-auth-gensec-Use-gnutls_error_to_ntstatus-consistentl.patch deleted file mode 100644 index de1f97f..0000000 --- a/SOURCES/0100-auth-gensec-Use-gnutls_error_to_ntstatus-consistentl.patch +++ /dev/null 
@@ -1,69 +0,0 @@ -From 1a04e7bc20749e262a61ce52c8173245af8fb69d Mon Sep 17 00:00:00 2001 -From: Andrew Bartlett -Date: Fri, 16 Aug 2019 15:43:01 +1200 -Subject: [PATCH 100/187] auth/gensec: Use gnutls_error_to_ntstatus() - consistently in schannel - -Signed-off-by: Andrew Bartlett -Reviewed-by: Andreas Schneider -(cherry picked from commit 3b27fd8a490f29cbc94b8ac377b3a2cb6db7598c) ---- - auth/gensec/schannel.c | 16 +++++++--------- - 1 file changed, 7 insertions(+), 9 deletions(-) - -diff --git a/auth/gensec/schannel.c b/auth/gensec/schannel.c -index 719849fa0cc..2a36d0cfa7d 100644 ---- a/auth/gensec/schannel.c -+++ b/auth/gensec/schannel.c -@@ -172,17 +172,15 @@ static NTSTATUS netsec_do_seq_num(struct schannel_state *state, - &key, - &iv); - if (rc < 0) { -- DBG_ERR("ERROR: gnutls_cipher_init: %s\n", -- gnutls_strerror(rc)); -- return NT_STATUS_INTERNAL_ERROR; -+ return gnutls_error_to_ntstatus(rc, -+ NT_STATUS_CRYPTO_SYSTEM_INVALID); - } - - rc = gnutls_cipher_encrypt(cipher_hnd, seq_num, 8); - gnutls_cipher_deinit(cipher_hnd); - if (rc < 0) { -- DBG_ERR("ERROR: gnutls_cipher_encrypt: %s\n", -- gnutls_strerror(rc)); -- return NT_STATUS_INTERNAL_ERROR; -+ return gnutls_error_to_ntstatus(rc, -+ NT_STATUS_CRYPTO_SYSTEM_INVALID); - } - - #else /* NOT HAVE_GNUTLS_AES_CFB8 */ -@@ -306,7 +304,7 @@ static NTSTATUS netsec_do_seal(struct schannel_state *state, - digest2); - if (rc < 0) { - ZERO_ARRAY(digest2); -- return NT_STATUS_INTERNAL_ERROR; -+ return gnutls_error_to_ntstatus(rc, NT_STATUS_HMAC_NOT_SUPPORTED); - } - - rc = gnutls_hmac_fast(GNUTLS_MAC_MD5, -@@ -318,7 +316,7 @@ static NTSTATUS netsec_do_seal(struct schannel_state *state, - - ZERO_ARRAY(digest2); - if (rc < 0) { -- return NT_STATUS_INTERNAL_ERROR; -+ return gnutls_error_to_ntstatus(rc, NT_STATUS_HMAC_NOT_SUPPORTED); - } - - rc = gnutls_cipher_init(&cipher_hnd, -@@ -377,7 +375,7 @@ static NTSTATUS netsec_do_sign(struct schannel_state *state, - state->creds->session_key, - 
sizeof(state->creds->session_key)); - if (rc < 0) { -- return NT_STATUS_NO_MEMORY; -+ return gnutls_error_to_ntstatus(rc, NT_STATUS_HMAC_NOT_SUPPORTED); - } - - if (confounder) { --- -2.23.0 - diff --git a/SOURCES/0101-auth-gensec-Use-GnuTLS-AES-CFB8-in-netsec_do_seal.patch b/SOURCES/0101-auth-gensec-Use-GnuTLS-AES-CFB8-in-netsec_do_seal.patch deleted file mode 100644 index 7dd8cd0..0000000 --- a/SOURCES/0101-auth-gensec-Use-GnuTLS-AES-CFB8-in-netsec_do_seal.patch +++ /dev/null 
@@ -1,137 +0,0 @@ -From a156d18abb509a48c45525da2f4e4db9cfdd1f30 Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Mon, 18 Mar 2019 16:24:54 +0100 -Subject: [PATCH 101/187] auth:gensec: Use GnuTLS AES CFB8 in netsec_do_seal() - -Signed-off-by: Andreas Schneider -Reviewed-by: Andrew Bartlett -(cherry picked from commit 025f6a135f930264ddcf1cd1b9e1004464618194) ---- - auth/gensec/schannel.c | 95 +++++++++++++++++++++++++++++++++++++++++- - 1 file changed, 94 insertions(+), 1 deletion(-) - -diff --git a/auth/gensec/schannel.c b/auth/gensec/schannel.c -index 2a36d0cfa7d..20b0a74e37f 100644 ---- a/auth/gensec/schannel.c -+++ b/auth/gensec/schannel.c -@@ -33,9 +33,12 @@ - #include "librpc/gen_ndr/dcerpc.h" - #include "param/param.h" - #include "auth/gensec/gensec_toplevel_proto.h" --#include "lib/crypto/aes.h" - #include "libds/common/roles.h" - -+#ifndef HAVE_GNUTLS_AES_CFB8 -+#include "lib/crypto/aes.h" -+#endif -+ - #include "lib/crypto/gnutls_helpers.h" - #include - #include -@@ -258,6 +261,95 @@ static NTSTATUS netsec_do_seal(struct schannel_state *state, - bool forward) - { - if (state->creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) { -+#ifdef HAVE_GNUTLS_AES_CFB8 -+ gnutls_cipher_hd_t cipher_hnd = NULL; -+ uint8_t sess_kf0[16] = {0}; -+ gnutls_datum_t key = { -+ .data = sess_kf0, -+ .size = sizeof(sess_kf0), -+ }; -+ uint32_t iv_size = -+ gnutls_cipher_get_iv_size(GNUTLS_CIPHER_AES_128_CFB8); -+ uint8_t _iv[iv_size]; -+ gnutls_datum_t iv = { -+ .data = _iv, -+ .size = iv_size, -+ }; -+ uint32_t i; -+ int rc; -+ -+ for (i = 0; i < key.size; i++) { -+ key.data[i] = state->creds->session_key[i] ^ 0xf0; -+ } -+ -+ ZERO_ARRAY(_iv); -+ -+ memcpy(iv.data + 0, seq_num, 8); -+ memcpy(iv.data + 8, seq_num, 8); -+ -+ rc = gnutls_cipher_init(&cipher_hnd, -+ GNUTLS_CIPHER_AES_128_CFB8, -+ &key, -+ &iv); -+ if (rc < 0) { -+ DBG_ERR("ERROR: gnutls_cipher_init: %s\n", -+ gnutls_strerror(rc)); -+ return NT_STATUS_NO_MEMORY; -+ } -+ -+ if (forward) { -+ rc = 
gnutls_cipher_encrypt(cipher_hnd, -+ confounder, -+ 8); -+ if (rc < 0) { -+ DBG_ERR("ERROR: gnutls_cipher_encrypt: %s\n", -+ gnutls_strerror(errno)); -+ gnutls_cipher_deinit(cipher_hnd); -+ return NT_STATUS_INTERNAL_ERROR; -+ } -+ -+ /* -+ * Looks like we have to reuse the initial IV which is -+ * cryptographically wrong! -+ */ -+ gnutls_cipher_set_iv(cipher_hnd, iv.data, iv.size); -+ rc = gnutls_cipher_encrypt(cipher_hnd, -+ data, -+ length); -+ if (rc < 0) { -+ DBG_ERR("ERROR: gnutls_cipher_encrypt: %s\n", -+ gnutls_strerror(errno)); -+ gnutls_cipher_deinit(cipher_hnd); -+ return NT_STATUS_INTERNAL_ERROR; -+ } -+ } else { -+ rc = gnutls_cipher_decrypt(cipher_hnd, -+ confounder, -+ 8); -+ if (rc < 0) { -+ DBG_ERR("ERROR: gnutls_cipher_decrypt: %s\n", -+ gnutls_strerror(errno)); -+ gnutls_cipher_deinit(cipher_hnd); -+ return NT_STATUS_INTERNAL_ERROR; -+ } -+ -+ /* -+ * Looks like we have to reuse the initial IV which is -+ * cryptographically wrong! -+ */ -+ gnutls_cipher_set_iv(cipher_hnd, iv.data, iv.size); -+ rc = gnutls_cipher_decrypt(cipher_hnd, -+ data, -+ length); -+ if (rc < 0) { -+ DBG_ERR("ERROR: gnutls_cipher_decrypt: %s\n", -+ gnutls_strerror(errno)); -+ gnutls_cipher_deinit(cipher_hnd); -+ return NT_STATUS_INTERNAL_ERROR; -+ } -+ } -+ gnutls_cipher_deinit(cipher_hnd); -+#else /* NOT HAVE_GNUTLS_AES_CFB8 */ - AES_KEY key; - uint8_t iv[AES_BLOCK_SIZE]; - uint8_t sess_kf0[16]; -@@ -279,6 +371,7 @@ static NTSTATUS netsec_do_seal(struct schannel_state *state, - aes_cfb8_encrypt(confounder, confounder, 8, &key, iv, AES_DECRYPT); - aes_cfb8_encrypt(data, data, length, &key, iv, AES_DECRYPT); - } -+#endif /* HAVE_GNUTLS_AES_CFB8 */ - } else { - gnutls_cipher_hd_t cipher_hnd; - uint8_t _sealing_key[16]; --- -2.23.0 - diff --git a/SOURCES/0102-auth-gensec-Use-gnutls_error_to_ntstatus-in-netsec_d.patch b/SOURCES/0102-auth-gensec-Use-gnutls_error_to_ntstatus-in-netsec_d.patch deleted file mode 100644 index c3d1f4a..0000000 
--- a/SOURCES/0102-auth-gensec-Use-gnutls_error_to_ntstatus-in-netsec_d.patch +++ /dev/null 
@@ -1,67 +0,0 @@ -From 8fc821bcdc457b9f22726eb6a83f5a3a08213040 Mon Sep 17 00:00:00 2001 -From: Andrew Bartlett -Date: Fri, 16 Aug 2019 15:45:43 +1200 -Subject: [PATCH 102/187] auth/gensec: Use gnutls_error_to_ntstatus() in - netsec_do_seal() - -Signed-off-by: Andrew Bartlett -Reviewed-by: Andreas Schneider -(cherry picked from commit fa8eddc39b4ea9d316201019b603025df5c2fa5e) ---- - auth/gensec/schannel.c | 16 ++++------------ - 1 file changed, 4 insertions(+), 12 deletions(-) - -diff --git a/auth/gensec/schannel.c b/auth/gensec/schannel.c -index 20b0a74e37f..b5e6289ef3f 100644 ---- a/auth/gensec/schannel.c -+++ b/auth/gensec/schannel.c -@@ -302,10 +302,8 @@ static NTSTATUS netsec_do_seal(struct schannel_state *state, - confounder, - 8); - if (rc < 0) { -- DBG_ERR("ERROR: gnutls_cipher_encrypt: %s\n", -- gnutls_strerror(errno)); - gnutls_cipher_deinit(cipher_hnd); -- return NT_STATUS_INTERNAL_ERROR; -+ return gnutls_error_to_ntstatus(rc, NT_STATUS_CRYPTO_SYSTEM_INVALID); - } - - /* -@@ -317,20 +315,16 @@ static NTSTATUS netsec_do_seal(struct schannel_state *state, - data, - length); - if (rc < 0) { -- DBG_ERR("ERROR: gnutls_cipher_encrypt: %s\n", -- gnutls_strerror(errno)); - gnutls_cipher_deinit(cipher_hnd); -- return NT_STATUS_INTERNAL_ERROR; -+ return gnutls_error_to_ntstatus(rc, NT_STATUS_CRYPTO_SYSTEM_INVALID); - } - } else { - rc = gnutls_cipher_decrypt(cipher_hnd, - confounder, - 8); - if (rc < 0) { -- DBG_ERR("ERROR: gnutls_cipher_decrypt: %s\n", -- gnutls_strerror(errno)); - gnutls_cipher_deinit(cipher_hnd); -- return NT_STATUS_INTERNAL_ERROR; -+ return gnutls_error_to_ntstatus(rc, NT_STATUS_CRYPTO_SYSTEM_INVALID); - } - - /* -@@ -342,10 +336,8 @@ static NTSTATUS netsec_do_seal(struct schannel_state *state, - data, - length); - if (rc < 0) { -- DBG_ERR("ERROR: gnutls_cipher_decrypt: %s\n", -- gnutls_strerror(errno)); - gnutls_cipher_deinit(cipher_hnd); -- return NT_STATUS_INTERNAL_ERROR; -+ return gnutls_error_to_ntstatus(rc, 
NT_STATUS_CRYPTO_SYSTEM_INVALID); - } - } - gnutls_cipher_deinit(cipher_hnd); --- -2.23.0 - diff --git a/SOURCES/0103-lib-crypto-Prepare-not-to-build-AES-or-AES-CMAC-if-w.patch b/SOURCES/0103-lib-crypto-Prepare-not-to-build-AES-or-AES-CMAC-if-w.patch deleted file mode 100644 index aaaaca8..0000000 --- a/SOURCES/0103-lib-crypto-Prepare-not-to-build-AES-or-AES-CMAC-if-w.patch +++ /dev/null 
@@ -1,111 +0,0 @@ -From e2d47f1a730131017b7d4d71713a174da6cb270c Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Fri, 15 Mar 2019 14:54:13 +0100 -Subject: [PATCH 103/187] lib:crypto: Prepare not to build AES or AES-CMAC if - we use GnuTLS support it - -Samba will soon require GnuTLS >= 3.4.7. - -Signed-off-by: Andreas Schneider -Reviewed-by: Andrew Bartlett - -Adjusted by Andrew Bartlett from an earlier more comprehensive patch by Andreas - -Signed-off-by: Andrew Bartlett -(cherry picked from commit 1f6104f09a30cf3816fd5a580ce1b4be5b94848c) ---- - lib/crypto/wscript_build | 52 ++++++++++++++++++++++++++++------- - source4/torture/local/local.c | 3 ++ - 2 files changed, 45 insertions(+), 10 deletions(-) - -diff --git a/lib/crypto/wscript_build b/lib/crypto/wscript_build -index a26c10b627b..9a7c715754d 100644 ---- a/lib/crypto/wscript_build -+++ b/lib/crypto/wscript_build -@@ -20,27 +20,59 @@ bld.SAMBA_SUBSYSTEM('LIBCRYPTO_RC4', - deps='talloc', - enabled=not bld.CONFIG_SET('HAVE_GNUTLS_3_4_7')) - -+bld.SAMBA_SUBSYSTEM('LIBCRYPTO_AES_CCM', -+ source='aes_ccm_128.c', -+ deps='talloc') -+ -+bld.SAMBA_SUBSYSTEM('LIBCRYPTO_AES_GCM', -+ source='aes_gcm_128.c', -+ deps='talloc') -+ -+bld.SAMBA_SUBSYSTEM('LIBCRYPTO_AES', -+ source='aes.c rijndael-alg-fst.c', -+ deps='talloc') -+ -+bld.SAMBA_SUBSYSTEM('LIBCRYPTO_AES_CMAC', -+ source='aes_cmac_128.c', -+ deps='talloc') -+ - bld.SAMBA_SUBSYSTEM('LIBCRYPTO', - source=''' - md4.c -- aes.c -- rijndael-alg-fst.c -- aes_cmac_128.c -- aes_ccm_128.c -- aes_gcm_128.c - ''', - deps=''' - talloc - LIBCRYPTO_RC4 -+ LIBCRYPTO_AES -+ LIBCRYPTO_AES_CCM -+ LIBCRYPTO_AES_GCM -+ LIBCRYPTO_AES_CMAC - ''' + extra_deps) - -+bld.SAMBA_SUBSYSTEM('TORTURE_LIBCRYPTO_AES_CCM', -+ source='aes_ccm_128_test.c', -+ autoproto='aes_ccm_test_proto.h', -+ deps='talloc') -+ -+bld.SAMBA_SUBSYSTEM('TORTURE_LIBCRYPTO_AES_GCM', -+ source='aes_gcm_128_test.c', -+ autoproto='aes_gcm_test_proto.h', -+ deps='talloc') -+ 
-+bld.SAMBA_SUBSYSTEM('TORTURE_LIBCRYPTO_AES_CMAC', -+ source='aes_cmac_128_test.c', -+ autoproto='aes_cmac_test_proto.h', -+ deps='talloc') -+ - bld.SAMBA_SUBSYSTEM('TORTURE_LIBCRYPTO', -- source='''md4test.c -- aes_cmac_128_test.c aes_ccm_128_test.c aes_gcm_128_test.c -- ''', -+ source='md4test.c', - autoproto='test_proto.h', -- deps='LIBCRYPTO' -- ) -+ deps=''' -+ LIBCRYPTO -+ TORTURE_LIBCRYPTO_AES_CCM -+ TORTURE_LIBCRYPTO_AES_GCM -+ TORTURE_LIBCRYPTO_AES_CMAC -+ ''') - - bld.SAMBA_PYTHON('python_crypto', - source='py_crypto.c', -diff --git a/source4/torture/local/local.c b/source4/torture/local/local.c -index acd88772ab7..fa4061c108b 100644 ---- a/source4/torture/local/local.c -+++ b/source4/torture/local/local.c -@@ -23,6 +23,9 @@ - #include "torture/ndr/proto.h" - #include "torture/auth/proto.h" - #include "../lib/crypto/test_proto.h" -+#include "../lib/crypto/aes_ccm_test_proto.h" -+#include "../lib/crypto/aes_gcm_test_proto.h" -+#include "../lib/crypto/aes_cmac_test_proto.h" - #include "lib/registry/tests/proto.h" - #include "lib/replace/replace-testsuite.h" - --- -2.23.0 - diff --git a/SOURCES/0104-build-Set-minimum-GnuTLS-version-at-3.4.7.patch b/SOURCES/0104-build-Set-minimum-GnuTLS-version-at-3.4.7.patch deleted file mode 100644 index acf8bab..0000000 --- a/SOURCES/0104-build-Set-minimum-GnuTLS-version-at-3.4.7.patch +++ /dev/null 
@@ -1,48 +0,0 @@ -From 50d864024d5f165e3a649371c811cefd695fc2db Mon Sep 17 00:00:00 2001 -From: Andrew Bartlett -Date: Thu, 15 Aug 2019 14:25:41 +1200 -Subject: [PATCH 104/187] build: Set minimum GnuTLS version at 3.4.7 - -This will soon be required for encrypted_secrets in the AD DC, the BackupKey server -and SMB2 as we remove use of the internal AES code. - -Signed-off-by: Andrew Bartlett -Reviewed-by: Andreas Schneider -(cherry picked from commit 974cebdf953259f41ecfc7375bc31d72af53f51e) ---- - wscript_configure_system_gnutls | 11 +---------- - 1 file changed, 1 insertion(+), 10 deletions(-) - -diff --git a/wscript_configure_system_gnutls b/wscript_configure_system_gnutls -index 85824aad4ed..8ff0529e10c 100644 ---- a/wscript_configure_system_gnutls -+++ b/wscript_configure_system_gnutls -@@ -1,17 +1,9 @@ - from waflib import Options - --gnutls_min_required_version = "3.2.0" -+gnutls_min_required_version = "3.4.7" - - gnutls_required_version = gnutls_min_required_version - --# --# If we build with MIT Kerberos we need at least GnuTLS 3.4.7 for the backupkey --# protocol. --# --if Options.options.with_system_mitkrb5 and conf.env.AD_DC_BUILD_IS_ENABLED: -- gnutls_required_version = "3.4.7" -- conf.DEFINE('HAVE_GNUTLS_3_4_7', 1) -- - conf.CHECK_CFG(package='gnutls', - args=('"gnutls >= %s" --cflags --libs' % gnutls_required_version), - msg='Checking for GnuTLS >= %s' % gnutls_required_version, -@@ -39,6 +31,5 @@ else: - - if conf.CHECK_VALUEOF('GNUTLS_CIPHER_AES_128_CFB8', headers='gnutls/gnutls.h'): - conf.DEFINE('HAVE_GNUTLS_AES_CFB8', 1) -- conf.DEFINE('HAVE_GNUTLS_3_4_7', 1) - else: - Logs.warn('No gnutls support for AES CFB8') --- -2.23.0 - diff --git a/SOURCES/0105-s4-rpc_server-Remove-Heimdal-based-BackupKey-server.patch b/SOURCES/0105-s4-rpc_server-Remove-Heimdal-based-BackupKey-server.patch deleted file mode 100644 index eafa3a6..0000000 --- a/SOURCES/0105-s4-rpc_server-Remove-Heimdal-based-BackupKey-server.patch +++ /dev/null 
@@ -1,4135 +0,0 @@
-From dc3c16cd089f6d245afc84aa0560f76346d5e4fe Mon Sep 17 00:00:00 2001
-From: Andrew Bartlett
-Date: Wed, 31 Jul 2019 16:13:38 +1200
-Subject: [PATCH 105/187] s4-rpc_server: Remove Heimdal-based BackupKey server
-
-We rely on a modern GnuTLS now.
-
-Signed-off-by: Andrew Bartlett
-Reviewed-by: Andreas Schneider
-(backported from commit 52b91cb33c281aeecc6270824cadac6cefbcb136)
----
- .../backupkey/dcesrv_backupkey_heimdal.c | 1861 --------------
- source4/rpc_server/wscript_build | 24 +-
- source4/torture/rpc/backupkey_heimdal.c | 2160 -----------------
- source4/torture/wscript_build | 9 +-
- wscript_configure_system_gnutls | 6 -
- 5 files changed, 8 insertions(+), 4052 deletions(-)
- delete mode 100644 source4/rpc_server/backupkey/dcesrv_backupkey_heimdal.c
- delete mode 100644 source4/torture/rpc/backupkey_heimdal.c
-
-diff --git a/source4/rpc_server/backupkey/dcesrv_backupkey_heimdal.c b/source4/rpc_server/backupkey/dcesrv_backupkey_heimdal.c
-deleted file mode 100644
-index 806f144a24b..00000000000
---- a/source4/rpc_server/backupkey/dcesrv_backupkey_heimdal.c
-+++ /dev/null
-@@ -1,1861 +0,0 @@
--/*
-- Unix SMB/CIFS implementation.
--
-- endpoint server for the backupkey interface
--
-- Copyright (C) Matthieu Patou 2010
--
-- This program is free software; you can redistribute it and/or modify
-- it under the terms of the GNU General Public License as published by
-- the Free Software Foundation; either version 3 of the License, or
-- (at your option) any later version.
--
-- This program is distributed in the hope that it will be useful,
-- but WITHOUT ANY WARRANTY; without even the implied warranty of
-- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-- GNU General Public License for more details.
--
-- You should have received a copy of the GNU General Public License
-- along with this program. If not, see .
--*/ -- --#include "includes.h" --#include "rpc_server/dcerpc_server.h" --#include "rpc_server/common/common.h" --#include "librpc/gen_ndr/ndr_backupkey.h" --#include "dsdb/common/util.h" --#include "dsdb/samdb/samdb.h" --#include "lib/ldb/include/ldb_errors.h" --#include "../lib/util/util_ldb.h" --#include "param/param.h" --#include "auth/session.h" --#include "system/network.h" --#include --#include --#include --#include --#include --#include --#include --#include --#include "../lib/tsocket/tsocket.h" --#include "../libcli/security/security.h" --#include "librpc/gen_ndr/ndr_security.h" --#include "lib/crypto/arcfour.h" --#include "libds/common/roles.h" --#include --#include -- --#define DCESRV_INTERFACE_BACKUPKEY_BIND(context, iface) \ -- dcesrv_interface_backupkey_bind(context, iface) --static NTSTATUS dcesrv_interface_backupkey_bind(struct dcesrv_connection_context *context, -- const struct dcesrv_interface *iface) --{ -- return dcesrv_interface_bind_require_privacy(context, iface); --} -- --static const unsigned rsa_with_var_num[] = { 1, 2, 840, 113549, 1, 1, 1 }; --/* Equivalent to asn1_oid_id_pkcs1_rsaEncryption*/ --static const AlgorithmIdentifier _hx509_signature_rsa_with_var_num = { -- { 7, discard_const_p(unsigned, rsa_with_var_num) }, NULL --}; -- --static NTSTATUS set_lsa_secret(TALLOC_CTX *mem_ctx, -- struct ldb_context *ldb, -- const char *name, -- const DATA_BLOB *lsa_secret) --{ -- struct ldb_message *msg; -- struct ldb_result *res; -- struct ldb_dn *domain_dn; -- struct ldb_dn *system_dn; -- struct ldb_val val; -- int ret; -- char *name2; -- struct timeval now = timeval_current(); -- NTTIME nt_now = timeval_to_nttime(&now); -- const char *attrs[] = { -- NULL -- }; -- -- domain_dn = ldb_get_default_basedn(ldb); -- if (!domain_dn) { -- return NT_STATUS_INTERNAL_ERROR; -- } -- -- msg = ldb_msg_new(mem_ctx); -- if (msg == NULL) { -- return NT_STATUS_NO_MEMORY; -- } -- -- /* -- * This function is a lot like dcesrv_lsa_CreateSecret -- * in the 
rpc_server/lsa directory -- * The reason why we duplicate the effort here is that: -- * * we want to keep the former function static -- * * we want to avoid the burden of doing LSA calls -- * when we can just manipulate the secrets directly -- * * taillor the function to the particular needs of backup protocol -- */ -- -- system_dn = samdb_search_dn(ldb, msg, domain_dn, "(&(objectClass=container)(cn=System))"); -- if (system_dn == NULL) { -- talloc_free(msg); -- return NT_STATUS_NO_MEMORY; -- } -- -- name2 = talloc_asprintf(msg, "%s Secret", name); -- if (name2 == NULL) { -- talloc_free(msg); -- return NT_STATUS_NO_MEMORY; -- } -- -- ret = ldb_search(ldb, mem_ctx, &res, system_dn, LDB_SCOPE_SUBTREE, attrs, -- "(&(cn=%s)(objectclass=secret))", -- ldb_binary_encode_string(mem_ctx, name2)); -- -- if (ret != LDB_SUCCESS || res->count != 0 ) { -- DEBUG(2, ("Secret %s already exists !\n", name2)); -- talloc_free(msg); -- return NT_STATUS_OBJECT_NAME_COLLISION; -- } -- -- /* -- * We don't care about previous value as we are -- * here only if the key didn't exists before -- */ -- -- msg->dn = ldb_dn_copy(mem_ctx, system_dn); -- if (msg->dn == NULL) { -- talloc_free(msg); -- return NT_STATUS_NO_MEMORY; -- } -- if (!ldb_dn_add_child_fmt(msg->dn, "cn=%s", name2)) { -- talloc_free(msg); -- return NT_STATUS_NO_MEMORY; -- } -- -- ret = ldb_msg_add_string(msg, "cn", name2); -- if (ret != LDB_SUCCESS) { -- talloc_free(msg); -- return NT_STATUS_NO_MEMORY; -- } -- ret = ldb_msg_add_string(msg, "objectClass", "secret"); -- if (ret != LDB_SUCCESS) { -- talloc_free(msg); -- return NT_STATUS_NO_MEMORY; -- } -- ret = samdb_msg_add_uint64(ldb, mem_ctx, msg, "priorSetTime", nt_now); -- if (ret != LDB_SUCCESS) { -- talloc_free(msg); -- return NT_STATUS_NO_MEMORY; -- } -- val.data = lsa_secret->data; -- val.length = lsa_secret->length; -- ret = ldb_msg_add_value(msg, "currentValue", &val, NULL); -- if (ret != LDB_SUCCESS) { -- talloc_free(msg); -- return NT_STATUS_NO_MEMORY; -- } -- ret = 
samdb_msg_add_uint64(ldb, mem_ctx, msg, "lastSetTime", nt_now); -- if (ret != LDB_SUCCESS) { -- talloc_free(msg); -- return NT_STATUS_NO_MEMORY; -- } -- -- /* -- * create the secret with DSDB_MODIFY_RELAX -- * otherwise dsdb/samdb/ldb_modules/objectclass.c forbid -- * the create of LSA secret object -- */ -- ret = dsdb_add(ldb, msg, DSDB_MODIFY_RELAX); -- if (ret != LDB_SUCCESS) { -- DEBUG(2,("Failed to create secret record %s: %s\n", -- ldb_dn_get_linearized(msg->dn), -- ldb_errstring(ldb))); -- talloc_free(msg); -- return NT_STATUS_ACCESS_DENIED; -- } -- -- talloc_free(msg); -- return NT_STATUS_OK; --} -- --/* This function is pretty much like dcesrv_lsa_QuerySecret */ --static NTSTATUS get_lsa_secret(TALLOC_CTX *mem_ctx, -- struct ldb_context *ldb, -- const char *name, -- DATA_BLOB *lsa_secret) --{ -- TALLOC_CTX *tmp_mem; -- struct ldb_result *res; -- struct ldb_dn *domain_dn; -- struct ldb_dn *system_dn; -- const struct ldb_val *val; -- uint8_t *data; -- const char *attrs[] = { -- "currentValue", -- NULL -- }; -- int ret; -- -- lsa_secret->data = NULL; -- lsa_secret->length = 0; -- -- domain_dn = ldb_get_default_basedn(ldb); -- if (!domain_dn) { -- return NT_STATUS_INTERNAL_ERROR; -- } -- -- tmp_mem = talloc_new(mem_ctx); -- if (tmp_mem == NULL) { -- return NT_STATUS_NO_MEMORY; -- } -- -- system_dn = samdb_search_dn(ldb, tmp_mem, domain_dn, "(&(objectClass=container)(cn=System))"); -- if (system_dn == NULL) { -- talloc_free(tmp_mem); -- return NT_STATUS_NO_MEMORY; -- } -- -- ret = ldb_search(ldb, mem_ctx, &res, system_dn, LDB_SCOPE_SUBTREE, attrs, -- "(&(cn=%s Secret)(objectclass=secret))", -- ldb_binary_encode_string(tmp_mem, name)); -- -- if (ret != LDB_SUCCESS) { -- talloc_free(tmp_mem); -- return NT_STATUS_INTERNAL_DB_CORRUPTION; -- } -- if (res->count == 0) { -- talloc_free(tmp_mem); -- return NT_STATUS_RESOURCE_NAME_NOT_FOUND; -- } -- if (res->count > 1) { -- DEBUG(2, ("Secret %s collision\n", name)); -- talloc_free(tmp_mem); -- return 
NT_STATUS_INTERNAL_DB_CORRUPTION; -- } -- -- val = ldb_msg_find_ldb_val(res->msgs[0], "currentValue"); -- if (val == NULL) { -- /* -- * The secret object is here but we don't have the secret value -- * The most common case is a RODC -- */ -- *lsa_secret = data_blob_null; -- talloc_free(tmp_mem); -- return NT_STATUS_OK; -- } -- -- data = val->data; -- lsa_secret->data = talloc_move(mem_ctx, &data); -- lsa_secret->length = val->length; -- -- talloc_free(tmp_mem); -- return NT_STATUS_OK; --} -- --static DATA_BLOB *reverse_and_get_blob(TALLOC_CTX *mem_ctx, BIGNUM *bn) --{ -- DATA_BLOB blob; -- DATA_BLOB *rev = talloc(mem_ctx, DATA_BLOB); -- uint32_t i; -- -- blob.length = BN_num_bytes(bn); -- blob.data = talloc_array(mem_ctx, uint8_t, blob.length); -- -- if (blob.data == NULL) { -- return NULL; -- } -- -- BN_bn2bin(bn, blob.data); -- -- rev->data = talloc_array(mem_ctx, uint8_t, blob.length); -- if (rev->data == NULL) { -- return NULL; -- } -- -- for(i=0; i < blob.length; i++) { -- rev->data[i] = blob.data[blob.length - i -1]; -- } -- rev->length = blob.length; -- talloc_free(blob.data); -- return rev; --} -- --static BIGNUM *reverse_and_get_bignum(TALLOC_CTX *mem_ctx, DATA_BLOB *blob) --{ -- BIGNUM *ret; -- DATA_BLOB rev; -- uint32_t i; -- -- rev.data = talloc_array(mem_ctx, uint8_t, blob->length); -- if (rev.data == NULL) { -- return NULL; -- } -- -- for(i=0; i < blob->length; i++) { -- rev.data[i] = blob->data[blob->length - i -1]; -- } -- rev.length = blob->length; -- -- ret = BN_bin2bn(rev.data, rev.length, NULL); -- talloc_free(rev.data); -- -- return ret; --} -- --static NTSTATUS get_pk_from_raw_keypair_params(TALLOC_CTX *ctx, -- struct bkrp_exported_RSA_key_pair *keypair, -- hx509_private_key *pk) --{ -- hx509_context hctx; -- RSA *rsa; -- struct hx509_private_key_ops *ops; -- hx509_private_key privkey = NULL; -- -- hx509_context_init(&hctx); -- ops = hx509_find_private_alg(&_hx509_signature_rsa_with_var_num.algorithm); -- if (ops == NULL) { -- DEBUG(2, ("Not 
supported algorithm\n")); -- hx509_context_free(&hctx); -- return NT_STATUS_INTERNAL_ERROR; -- } -- -- if (hx509_private_key_init(&privkey, ops, NULL) != 0) { -- hx509_context_free(&hctx); -- return NT_STATUS_NO_MEMORY; -- } -- -- rsa = RSA_new(); -- if (rsa ==NULL) { -- hx509_private_key_free(&privkey); -- hx509_context_free(&hctx); -- return NT_STATUS_INVALID_PARAMETER; -- } -- -- rsa->n = reverse_and_get_bignum(ctx, &(keypair->modulus)); -- if (rsa->n == NULL) { -- RSA_free(rsa); -- hx509_private_key_free(&privkey); -- hx509_context_free(&hctx); -- return NT_STATUS_INVALID_PARAMETER; -- } -- rsa->d = reverse_and_get_bignum(ctx, &(keypair->private_exponent)); -- if (rsa->d == NULL) { -- RSA_free(rsa); -- hx509_private_key_free(&privkey); -- hx509_context_free(&hctx); -- return NT_STATUS_INVALID_PARAMETER; -- } -- rsa->p = reverse_and_get_bignum(ctx, &(keypair->prime1)); -- if (rsa->p == NULL) { -- RSA_free(rsa); -- hx509_private_key_free(&privkey); -- hx509_context_free(&hctx); -- return NT_STATUS_INVALID_PARAMETER; -- } -- rsa->q = reverse_and_get_bignum(ctx, &(keypair->prime2)); -- if (rsa->q == NULL) { -- RSA_free(rsa); -- hx509_private_key_free(&privkey); -- hx509_context_free(&hctx); -- return NT_STATUS_INVALID_PARAMETER; -- } -- rsa->dmp1 = reverse_and_get_bignum(ctx, &(keypair->exponent1)); -- if (rsa->dmp1 == NULL) { -- RSA_free(rsa); -- hx509_private_key_free(&privkey); -- hx509_context_free(&hctx); -- return NT_STATUS_INVALID_PARAMETER; -- } -- rsa->dmq1 = reverse_and_get_bignum(ctx, &(keypair->exponent2)); -- if (rsa->dmq1 == NULL) { -- RSA_free(rsa); -- hx509_private_key_free(&privkey); -- hx509_context_free(&hctx); -- return NT_STATUS_INVALID_PARAMETER; -- } -- rsa->iqmp = reverse_and_get_bignum(ctx, &(keypair->coefficient)); -- if (rsa->iqmp == NULL) { -- RSA_free(rsa); -- hx509_private_key_free(&privkey); -- hx509_context_free(&hctx); -- return NT_STATUS_INVALID_PARAMETER; -- } -- rsa->e = reverse_and_get_bignum(ctx, &(keypair->public_exponent)); 
-- if (rsa->e == NULL) { -- RSA_free(rsa); -- hx509_private_key_free(&privkey); -- hx509_context_free(&hctx); -- return NT_STATUS_INVALID_PARAMETER; -- } -- -- *pk = privkey; -- -- hx509_private_key_assign_rsa(*pk, rsa); -- -- hx509_context_free(&hctx); -- return NT_STATUS_OK; --} -- --static WERROR get_and_verify_access_check(TALLOC_CTX *sub_ctx, -- uint32_t version, -- uint8_t *key_and_iv, -- uint8_t *access_check, -- uint32_t access_check_len, -- struct auth_session_info *session_info) --{ -- heim_octet_string iv; -- heim_octet_string access_check_os; -- hx509_crypto crypto; -- -- DATA_BLOB blob_us; -- uint32_t key_len; -- uint32_t iv_len; -- int res; -- enum ndr_err_code ndr_err; -- hx509_context hctx; -- -- struct dom_sid *access_sid = NULL; -- struct dom_sid *caller_sid = NULL; -- -- /* This one should not be freed */ -- const AlgorithmIdentifier *alg; -- -- switch (version) { -- case 2: -- key_len = 24; -- iv_len = 8; -- alg = hx509_crypto_des_rsdi_ede3_cbc(); -- break; -- -- case 3: -- key_len = 32; -- iv_len = 16; -- alg =hx509_crypto_aes256_cbc(); -- break; -- -- default: -- return WERR_INVALID_DATA; -- } -- -- hx509_context_init(&hctx); -- res = hx509_crypto_init(hctx, NULL, -- &(alg->algorithm), -- &crypto); -- hx509_context_free(&hctx); -- -- if (res != 0) { -- return WERR_INVALID_DATA; -- } -- -- res = hx509_crypto_set_key_data(crypto, key_and_iv, key_len); -- -- iv.data = talloc_memdup(sub_ctx, key_len + key_and_iv, iv_len); -- iv.length = iv_len; -- -- if (res != 0) { -- hx509_crypto_destroy(crypto); -- return WERR_INVALID_DATA; -- } -- -- hx509_crypto_set_padding(crypto, HX509_CRYPTO_PADDING_NONE); -- res = hx509_crypto_decrypt(crypto, -- access_check, -- access_check_len, -- &iv, -- &access_check_os); -- -- if (res != 0) { -- hx509_crypto_destroy(crypto); -- return WERR_INVALID_DATA; -- } -- -- blob_us.data = access_check_os.data; -- blob_us.length = access_check_os.length; -- -- hx509_crypto_destroy(crypto); -- -- switch (version) { -- case 2: -- 
{ -- uint32_t hash_size = 20; -- uint8_t hash[hash_size]; -- struct sha sctx; -- struct bkrp_access_check_v2 uncrypted_accesscheckv2; -- -- ndr_err = ndr_pull_struct_blob(&blob_us, sub_ctx, &uncrypted_accesscheckv2, -- (ndr_pull_flags_fn_t)ndr_pull_bkrp_access_check_v2); -- if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) { -- /* Unable to unmarshall */ -- der_free_octet_string(&access_check_os); -- return WERR_INVALID_DATA; -- } -- if (uncrypted_accesscheckv2.magic != 0x1) { -- /* wrong magic */ -- der_free_octet_string(&access_check_os); -- return WERR_INVALID_DATA; -- } -- -- SHA1_Init(&sctx); -- SHA1_Update(&sctx, blob_us.data, blob_us.length - hash_size); -- SHA1_Final(hash, &sctx); -- der_free_octet_string(&access_check_os); -- /* -- * We free it after the sha1 calculation because blob.data -- * point to the same area -- */ -- -- if (memcmp(hash, uncrypted_accesscheckv2.hash, hash_size) != 0) { -- DEBUG(2, ("Wrong hash value in the access check in backup key remote protocol\n")); -- return WERR_INVALID_DATA; -- } -- access_sid = &(uncrypted_accesscheckv2.sid); -- break; -- } -- case 3: -- { -- uint32_t hash_size = 64; -- uint8_t hash[hash_size]; -- struct hc_sha512state sctx; -- struct bkrp_access_check_v3 uncrypted_accesscheckv3; -- -- ndr_err = ndr_pull_struct_blob(&blob_us, sub_ctx, &uncrypted_accesscheckv3, -- (ndr_pull_flags_fn_t)ndr_pull_bkrp_access_check_v3); -- if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) { -- /* Unable to unmarshall */ -- der_free_octet_string(&access_check_os); -- return WERR_INVALID_DATA; -- } -- if (uncrypted_accesscheckv3.magic != 0x1) { -- /* wrong magic */ -- der_free_octet_string(&access_check_os); -- return WERR_INVALID_DATA; -- } -- -- SHA512_Init(&sctx); -- SHA512_Update(&sctx, blob_us.data, blob_us.length - hash_size); -- SHA512_Final(hash, &sctx); -- der_free_octet_string(&access_check_os); -- /* -- * We free it after the sha1 calculation because blob.data -- * point to the same area -- */ -- -- if (memcmp(hash, 
uncrypted_accesscheckv3.hash, hash_size) != 0) { -- DEBUG(2, ("Wrong hash value in the access check in backup key remote protocol\n")); -- return WERR_INVALID_DATA; -- } -- access_sid = &(uncrypted_accesscheckv3.sid); -- break; -- } -- default: -- /* Never reached normally as we filtered at the switch / case level */ -- return WERR_INVALID_DATA; -- } -- -- caller_sid = &session_info->security_token->sids[PRIMARY_USER_SID_INDEX]; -- -- if (!dom_sid_equal(caller_sid, access_sid)) { -- return WERR_INVALID_ACCESS; -- } -- return WERR_OK; --} -- --/* -- * We have some data, such as saved website or IMAP passwords that the -- * client has in profile on-disk. This needs to be decrypted. This -- * version gives the server the data over the network (protected by -- * the X.509 certificate and public key encryption, and asks that it -- * be decrypted returned for short-term use, protected only by the -- * negotiated transport encryption. -- * -- * The data is NOT stored in the LSA, but a X.509 certificate, public -- * and private keys used to encrypt the data will be stored. There is -- * only one active encryption key pair and certificate per domain, it -- * is pointed at with G$BCKUPKEY_PREFERRED in the LSA secrets store. -- * -- * The potentially multiple valid decrypting key pairs are in turn -- * stored in the LSA secrets store as G$BCKUPKEY_keyGuidString. 
-- * -- */ --static WERROR bkrp_client_wrap_decrypt_data(struct dcesrv_call_state *dce_call, -- TALLOC_CTX *mem_ctx, -- struct bkrp_BackupKey *r, -- struct ldb_context *ldb_ctx) --{ -- struct auth_session_info *session_info = -- dcesrv_call_session_info(dce_call); -- struct bkrp_client_side_wrapped uncrypt_request; -- DATA_BLOB blob; -- enum ndr_err_code ndr_err; -- char *guid_string; -- char *cert_secret_name; -- DATA_BLOB lsa_secret; -- DATA_BLOB *uncrypted_data = NULL; -- NTSTATUS status; -- uint32_t requested_version; -- -- blob.data = r->in.data_in; -- blob.length = r->in.data_in_len; -- -- if (r->in.data_in_len < 4 || r->in.data_in == NULL) { -- return WERR_INVALID_PARAMETER; -- } -- -- /* -- * We check for the version here, so we can actually print the -- * message as we are unlikely to parse it with NDR. -- */ -- requested_version = IVAL(r->in.data_in, 0); -- if ((requested_version != BACKUPKEY_CLIENT_WRAP_VERSION2) -- && (requested_version != BACKUPKEY_CLIENT_WRAP_VERSION3)) { -- DEBUG(1, ("Request for unknown BackupKey sub-protocol %d\n", requested_version)); -- return WERR_INVALID_PARAMETER; -- } -- -- ndr_err = ndr_pull_struct_blob(&blob, mem_ctx, &uncrypt_request, -- (ndr_pull_flags_fn_t)ndr_pull_bkrp_client_side_wrapped); -- if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) { -- return WERR_INVALID_PARAMETER; -- } -- -- if ((uncrypt_request.version != BACKUPKEY_CLIENT_WRAP_VERSION2) -- && (uncrypt_request.version != BACKUPKEY_CLIENT_WRAP_VERSION3)) { -- DEBUG(1, ("Request for unknown BackupKey sub-protocol %d\n", uncrypt_request.version)); -- return WERR_INVALID_PARAMETER; -- } -- -- guid_string = GUID_string(mem_ctx, &uncrypt_request.guid); -- if (guid_string == NULL) { -- return WERR_NOT_ENOUGH_MEMORY; -- } -- -- cert_secret_name = talloc_asprintf(mem_ctx, -- "BCKUPKEY_%s", -- guid_string); -- if (cert_secret_name == NULL) { -- return WERR_NOT_ENOUGH_MEMORY; -- } -- -- status = get_lsa_secret(mem_ctx, -- ldb_ctx, -- cert_secret_name, -- &lsa_secret); -- if 
(!NT_STATUS_IS_OK(status)) { -- DEBUG(10, ("Error while fetching secret %s\n", cert_secret_name)); -- return WERR_INVALID_DATA; -- } else if (lsa_secret.length == 0) { -- /* we do not have the real secret attribute, like if we are an RODC */ -- return WERR_INVALID_PARAMETER; -- } else { -- hx509_context hctx; -- struct bkrp_exported_RSA_key_pair keypair; -- hx509_private_key pk; -- uint32_t i, res; -- heim_octet_string reversed_secret; -- heim_octet_string uncrypted_secret; -- AlgorithmIdentifier alg; -- DATA_BLOB blob_us; -- WERROR werr; -- -- ndr_err = ndr_pull_struct_blob(&lsa_secret, mem_ctx, &keypair, (ndr_pull_flags_fn_t)ndr_pull_bkrp_exported_RSA_key_pair); -- if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) { -- DEBUG(2, ("Unable to parse the ndr encoded cert in key %s\n", cert_secret_name)); -- return WERR_FILE_NOT_FOUND; -- } -- -- status = get_pk_from_raw_keypair_params(mem_ctx, &keypair, &pk); -- if (!NT_STATUS_IS_OK(status)) { -- return WERR_INTERNAL_ERROR; -- } -- -- reversed_secret.data = talloc_array(mem_ctx, uint8_t, -- uncrypt_request.encrypted_secret_len); -- if (reversed_secret.data == NULL) { -- hx509_private_key_free(&pk); -- return WERR_NOT_ENOUGH_MEMORY; -- } -- -- /* The secret has to be reversed ... */ -- for(i=0; i< uncrypt_request.encrypted_secret_len; i++) { -- uint8_t *reversed = (uint8_t *)reversed_secret.data; -- uint8_t *uncrypt = uncrypt_request.encrypted_secret; -- reversed[i] = uncrypt[uncrypt_request.encrypted_secret_len - 1 - i]; -- } -- reversed_secret.length = uncrypt_request.encrypted_secret_len; -- -- /* -- * Let's try to decrypt the secret now that -- * we have the private key ... 
-- */ -- hx509_context_init(&hctx); -- res = hx509_private_key_private_decrypt(hctx, &reversed_secret, -- &alg.algorithm, pk, -- &uncrypted_secret); -- hx509_context_free(&hctx); -- hx509_private_key_free(&pk); -- if (res != 0) { -- /* We are not able to decrypt the secret, looks like something is wrong */ -- return WERR_INVALID_PARAMETER; -- } -- blob_us.data = uncrypted_secret.data; -- blob_us.length = uncrypted_secret.length; -- -- if (uncrypt_request.version == 2) { -- struct bkrp_encrypted_secret_v2 uncrypted_secretv2; -- -- ndr_err = ndr_pull_struct_blob(&blob_us, mem_ctx, &uncrypted_secretv2, -- (ndr_pull_flags_fn_t)ndr_pull_bkrp_encrypted_secret_v2); -- der_free_octet_string(&uncrypted_secret); -- if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) { -- /* Unable to unmarshall */ -- return WERR_INVALID_DATA; -- } -- if (uncrypted_secretv2.magic != 0x20) { -- /* wrong magic */ -- return WERR_INVALID_DATA; -- } -- -- werr = get_and_verify_access_check(mem_ctx, 2, -- uncrypted_secretv2.payload_key, -- uncrypt_request.access_check, -- uncrypt_request.access_check_len, -- session_info); -- if (!W_ERROR_IS_OK(werr)) { -- return werr; -- } -- uncrypted_data = talloc(mem_ctx, DATA_BLOB); -- if (uncrypted_data == NULL) { -- return WERR_INVALID_DATA; -- } -- -- uncrypted_data->data = uncrypted_secretv2.secret; -- uncrypted_data->length = uncrypted_secretv2.secret_len; -- } -- if (uncrypt_request.version == 3) { -- struct bkrp_encrypted_secret_v3 uncrypted_secretv3; -- -- ndr_err = ndr_pull_struct_blob(&blob_us, mem_ctx, &uncrypted_secretv3, -- (ndr_pull_flags_fn_t)ndr_pull_bkrp_encrypted_secret_v3); -- -- der_free_octet_string(&uncrypted_secret); -- if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) { -- /* Unable to unmarshall */ -- return WERR_INVALID_DATA; -- } -- -- if (uncrypted_secretv3.magic1 != 0x30 || -- uncrypted_secretv3.magic2 != 0x6610 || -- uncrypted_secretv3.magic3 != 0x800e) { -- /* wrong magic */ -- return WERR_INVALID_DATA; -- } -- -- /* -- * Confirm that the caller is 
permitted to -- * read this particular data. Because one key -- * pair is used per domain, the caller could -- * have stolen the profile data on-disk and -- * would otherwise be able to read the -- * passwords. -- */ -- -- werr = get_and_verify_access_check(mem_ctx, 3, -- uncrypted_secretv3.payload_key, -- uncrypt_request.access_check, -- uncrypt_request.access_check_len, -- session_info); -- if (!W_ERROR_IS_OK(werr)) { -- return werr; -- } -- -- uncrypted_data = talloc(mem_ctx, DATA_BLOB); -- if (uncrypted_data == NULL) { -- return WERR_INVALID_DATA; -- } -- -- uncrypted_data->data = uncrypted_secretv3.secret; -- uncrypted_data->length = uncrypted_secretv3.secret_len; -- } -- -- /* -- * Yeah if we are here all looks pretty good: -- * - hash is ok -- * - user sid is the same as the one in access check -- * - we were able to decrypt the whole stuff -- */ -- } -- -- if (uncrypted_data->data == NULL) { -- return WERR_INVALID_DATA; -- } -- -- /* There is a magic value a the beginning of the data -- * we can use an adhoc structure but as the -- * parent structure is just an array of bytes it a lot of work -- * work just prepending 4 bytes -- */ -- *(r->out.data_out) = talloc_zero_array(mem_ctx, uint8_t, uncrypted_data->length + 4); -- W_ERROR_HAVE_NO_MEMORY(*(r->out.data_out)); -- memcpy(4+*(r->out.data_out), uncrypted_data->data, uncrypted_data->length); -- *(r->out.data_out_len) = uncrypted_data->length + 4; -- -- return WERR_OK; --} -- --/* -- * Strictly, this function no longer uses Heimdal in order to generate an RSA -- * key, but GnuTLS. -- * -- * The resulting key is then imported into Heimdal's RSA structure. -- * -- * We use GnuTLS because it can reliably generate 2048 bit keys every time. -- * Windows clients strictly require 2048, no more since it won't fit and no -- * less either. Heimdal would almost always generate a smaller key. 
-- */ --static WERROR create_heimdal_rsa_key(TALLOC_CTX *ctx, hx509_context *hctx, -- hx509_private_key *pk, RSA **rsa) --{ -- int ret; -- uint8_t *p0 = NULL; -- const uint8_t *p; -- size_t len; -- int bits = 2048; -- int RSA_returned_bits; -- gnutls_x509_privkey_t gtls_key; -- WERROR werr; -- -- *rsa = NULL; -- -- ret = gnutls_global_init(); -- if (ret != GNUTLS_E_SUCCESS) { -- DBG_ERR("TLS error: %s\n", gnutls_strerror(ret)); -- return WERR_INTERNAL_ERROR; -- } -- -- ret = gnutls_x509_privkey_init(>ls_key); -- if (ret != 0) { -- gnutls_global_deinit(); -- return WERR_INTERNAL_ERROR; -- } -- -- /* -- * Unlike Heimdal's RSA_generate_key_ex(), this generates a -- * 2048 bit key 100% of the time. The heimdal code had a ~1/8 -- * chance of doing so, chewing vast quantities of computation -- * and entropy in the process. -- */ -- -- ret = gnutls_x509_privkey_generate(gtls_key, GNUTLS_PK_RSA, bits, 0); -- if (ret != 0) { -- werr = WERR_INTERNAL_ERROR; -- goto done; -- } -- -- /* No need to check error code, this SHOULD fail */ -- gnutls_x509_privkey_export(gtls_key, GNUTLS_X509_FMT_DER, NULL, &len); -- -- if (len < 1) { -- werr = WERR_INTERNAL_ERROR; -- goto done; -- } -- -- p0 = talloc_size(ctx, len); -- if (p0 == NULL) { -- werr = WERR_NOT_ENOUGH_MEMORY; -- goto done; -- } -- p = p0; -- -- /* -- * Only this GnuTLS export function correctly exports the key, -- * we can't use gnutls_rsa_params_export_raw() because while -- * it appears to be fixed in more recent versions, in the -- * Ubuntu 14.04 version 2.12.23 (at least) it incorrectly -- * exports one of the key parameters (qInv). Additionally, we -- * would have to work around subtle differences in big number -- * representations. -- * -- * We need access to the RSA parameters directly (in the -- * parameter RSA **rsa) as the caller has to manually encode -- * them in a non-standard data structure. 
-- */ -- ret = gnutls_x509_privkey_export(gtls_key, GNUTLS_X509_FMT_DER, p0, &len); -- -- if (ret != 0) { -- werr = WERR_INTERNAL_ERROR; -- goto done; -- } -- -- /* -- * To dump the key we can use : -- * rk_dumpdata("h5lkey", p0, len); -- */ -- ret = hx509_parse_private_key(*hctx, &_hx509_signature_rsa_with_var_num , -- p0, len, HX509_KEY_FORMAT_DER, pk); -- -- if (ret != 0) { -- werr = WERR_INTERNAL_ERROR; -- goto done; -- } -- -- *rsa = d2i_RSAPrivateKey(NULL, &p, len); -- TALLOC_FREE(p0); -- -- if (*rsa == NULL) { -- hx509_private_key_free(pk); -- werr = WERR_INTERNAL_ERROR; -- goto done; -- } -- -- RSA_returned_bits = BN_num_bits((*rsa)->n); -- DEBUG(6, ("GnuTLS returned an RSA private key with %d bits\n", RSA_returned_bits)); -- -- if (RSA_returned_bits != bits) { -- DEBUG(0, ("GnuTLS unexpectedly returned an RSA private key with %d bits, needed %d\n", RSA_returned_bits, bits)); -- hx509_private_key_free(pk); -- werr = WERR_INTERNAL_ERROR; -- goto done; -- } -- -- werr = WERR_OK; -- --done: -- if (p0 != NULL) { -- memset(p0, 0, len); -- TALLOC_FREE(p0); -- } -- -- gnutls_x509_privkey_deinit(gtls_key); -- gnutls_global_deinit(); -- return werr; --} -- --static WERROR self_sign_cert(TALLOC_CTX *ctx, hx509_context *hctx, hx509_request *req, -- time_t lifetime, hx509_private_key *private_key, -- hx509_cert *cert, DATA_BLOB *guidblob) --{ -- SubjectPublicKeyInfo spki; -- hx509_name subject = NULL; -- hx509_ca_tbs tbs; -- struct heim_bit_string uniqueid; -- struct heim_integer serialnumber; -- int ret, i; -- -- uniqueid.data = talloc_memdup(ctx, guidblob->data, guidblob->length); -- if (uniqueid.data == NULL) { -- return WERR_NOT_ENOUGH_MEMORY; -- } -- /* uniqueid is a bit string in which each byte represent 1 bit (1 or 0) -- * so as 1 byte is 8 bits we need to provision 8 times more space as in the -- * blob -- */ -- uniqueid.length = 8 * guidblob->length; -- -- serialnumber.data = talloc_array(ctx, uint8_t, -- guidblob->length); -- if (serialnumber.data == NULL) { 
-- talloc_free(uniqueid.data); -- return WERR_NOT_ENOUGH_MEMORY; -- } -- -- /* Native AD generates certificates with serialnumber in reversed notation */ -- for (i = 0; i < guidblob->length; i++) { -- uint8_t *reversed = (uint8_t *)serialnumber.data; -- uint8_t *uncrypt = guidblob->data; -- reversed[i] = uncrypt[guidblob->length - 1 - i]; -- } -- serialnumber.length = guidblob->length; -- serialnumber.negative = 0; -- -- memset(&spki, 0, sizeof(spki)); -- -- ret = hx509_request_get_name(*hctx, *req, &subject); -- if (ret !=0) { -- goto fail_subject; -- } -- ret = hx509_request_get_SubjectPublicKeyInfo(*hctx, *req, &spki); -- if (ret !=0) { -- goto fail_spki; -- } -- -- ret = hx509_ca_tbs_init(*hctx, &tbs); -- if (ret !=0) { -- goto fail_tbs; -- } -- -- ret = hx509_ca_tbs_set_spki(*hctx, tbs, &spki); -- if (ret !=0) { -- goto fail; -- } -- ret = hx509_ca_tbs_set_subject(*hctx, tbs, subject); -- if (ret !=0) { -- goto fail; -- } -- ret = hx509_ca_tbs_set_notAfter_lifetime(*hctx, tbs, lifetime); -- if (ret !=0) { -- goto fail; -- } -- ret = hx509_ca_tbs_set_unique(*hctx, tbs, &uniqueid, &uniqueid); -- if (ret !=0) { -- goto fail; -- } -- ret = hx509_ca_tbs_set_serialnumber(*hctx, tbs, &serialnumber); -- if (ret !=0) { -- goto fail; -- } -- ret = hx509_ca_sign_self(*hctx, tbs, *private_key, cert); -- if (ret !=0) { -- goto fail; -- } -- hx509_name_free(&subject); -- free_SubjectPublicKeyInfo(&spki); -- hx509_ca_tbs_free(&tbs); -- -- return WERR_OK; -- --fail: -- hx509_ca_tbs_free(&tbs); --fail_tbs: -- free_SubjectPublicKeyInfo(&spki); --fail_spki: -- hx509_name_free(&subject); --fail_subject: -- talloc_free(uniqueid.data); -- talloc_free(serialnumber.data); -- return WERR_INTERNAL_ERROR; --} -- --static WERROR create_req(TALLOC_CTX *ctx, hx509_context *hctx, hx509_request *req, -- hx509_private_key *signer,RSA **rsa, const char *dn) --{ -- int ret; -- SubjectPublicKeyInfo key; -- -- hx509_name name; -- WERROR werr; -- -- werr = create_heimdal_rsa_key(ctx, hctx, signer, 
rsa); -- if (!W_ERROR_IS_OK(werr)) { -- return werr; -- } -- -- hx509_request_init(*hctx, req); -- ret = hx509_parse_name(*hctx, dn, &name); -- if (ret != 0) { -- RSA_free(*rsa); -- hx509_private_key_free(signer); -- hx509_request_free(req); -- hx509_name_free(&name); -- return WERR_INTERNAL_ERROR; -- } -- -- ret = hx509_request_set_name(*hctx, *req, name); -- if (ret != 0) { -- RSA_free(*rsa); -- hx509_private_key_free(signer); -- hx509_request_free(req); -- hx509_name_free(&name); -- return WERR_INTERNAL_ERROR; -- } -- hx509_name_free(&name); -- -- ret = hx509_private_key2SPKI(*hctx, *signer, &key); -- if (ret != 0) { -- RSA_free(*rsa); -- hx509_private_key_free(signer); -- hx509_request_free(req); -- return WERR_INTERNAL_ERROR; -- } -- ret = hx509_request_set_SubjectPublicKeyInfo(*hctx, *req, &key); -- if (ret != 0) { -- RSA_free(*rsa); -- hx509_private_key_free(signer); -- free_SubjectPublicKeyInfo(&key); -- hx509_request_free(req); -- return WERR_INTERNAL_ERROR; -- } -- -- free_SubjectPublicKeyInfo(&key); -- -- return WERR_OK; --} -- --/* Return an error when we fail to generate a certificate */ --static WERROR generate_bkrp_cert(TALLOC_CTX *ctx, struct dcesrv_call_state *dce_call, struct ldb_context *ldb_ctx, const char *dn) --{ -- heim_octet_string data; -- WERROR werr; -- RSA *rsa; -- hx509_context hctx; -- hx509_private_key pk; -- hx509_request req; -- hx509_cert cert; -- DATA_BLOB blob; -- DATA_BLOB blobkeypair; -- DATA_BLOB *tmp; -- int ret; -- bool ok = true; -- struct GUID guid = GUID_random(); -- NTSTATUS status; -- char *secret_name; -- struct bkrp_exported_RSA_key_pair keypair; -- enum ndr_err_code ndr_err; -- uint32_t nb_seconds_validity = 3600 * 24 * 365; -- -- DEBUG(6, ("Trying to generate a certificate\n")); -- hx509_context_init(&hctx); -- werr = create_req(ctx, &hctx, &req, &pk, &rsa, dn); -- if (!W_ERROR_IS_OK(werr)) { -- hx509_context_free(&hctx); -- return werr; -- } -- -- status = GUID_to_ndr_blob(&guid, ctx, &blob); -- if 
(!NT_STATUS_IS_OK(status)) { -- hx509_context_free(&hctx); -- hx509_private_key_free(&pk); -- RSA_free(rsa); -- return WERR_INVALID_DATA; -- } -- -- werr = self_sign_cert(ctx, &hctx, &req, nb_seconds_validity, &pk, &cert, &blob); -- if (!W_ERROR_IS_OK(werr)) { -- hx509_private_key_free(&pk); -- hx509_context_free(&hctx); -- return WERR_INVALID_DATA; -- } -- -- ret = hx509_cert_binary(hctx, cert, &data); -- if (ret !=0) { -- hx509_cert_free(cert); -- hx509_private_key_free(&pk); -- hx509_context_free(&hctx); -- return WERR_INVALID_DATA; -- } -- -- keypair.cert.data = talloc_memdup(ctx, data.data, data.length); -- keypair.cert.length = data.length; -- -- /* -- * Heimdal's bignum are big endian and the -- * structure expect it to be in little endian -- * so we reverse the buffer to make it work -- */ -- tmp = reverse_and_get_blob(ctx, rsa->e); -- if (tmp == NULL) { -- ok = false; -- } else { -- keypair.public_exponent = *tmp; -- SMB_ASSERT(tmp->length <= 4); -- /* -- * The value is now in little endian but if can happen that the length is -- * less than 4 bytes. -- * So if we have less than 4 bytes we pad with zeros so that it correctly -- * fit into the structure. 
-- */ -- if (tmp->length < 4) { -- /* -- * We need the expo to fit 4 bytes -- */ -- keypair.public_exponent.data = talloc_zero_array(ctx, uint8_t, 4); -- memcpy(keypair.public_exponent.data, tmp->data, tmp->length); -- keypair.public_exponent.length = 4; -- } -- } -- -- tmp = reverse_and_get_blob(ctx,rsa->d); -- if (tmp == NULL) { -- ok = false; -- } else { -- keypair.private_exponent = *tmp; -- } -- -- tmp = reverse_and_get_blob(ctx,rsa->n); -- if (tmp == NULL) { -- ok = false; -- } else { -- keypair.modulus = *tmp; -- } -- -- tmp = reverse_and_get_blob(ctx,rsa->p); -- if (tmp == NULL) { -- ok = false; -- } else { -- keypair.prime1 = *tmp; -- } -- -- tmp = reverse_and_get_blob(ctx,rsa->q); -- if (tmp == NULL) { -- ok = false; -- } else { -- keypair.prime2 = *tmp; -- } -- -- tmp = reverse_and_get_blob(ctx,rsa->dmp1); -- if (tmp == NULL) { -- ok = false; -- } else { -- keypair.exponent1 = *tmp; -- } -- -- tmp = reverse_and_get_blob(ctx,rsa->dmq1); -- if (tmp == NULL) { -- ok = false; -- } else { -- keypair.exponent2 = *tmp; -- } -- -- tmp = reverse_and_get_blob(ctx,rsa->iqmp); -- if (tmp == NULL) { -- ok = false; -- } else { -- keypair.coefficient = *tmp; -- } -- -- /* One of the keypair allocation was wrong */ -- if (ok == false) { -- der_free_octet_string(&data); -- hx509_cert_free(cert); -- hx509_private_key_free(&pk); -- hx509_context_free(&hctx); -- RSA_free(rsa); -- return WERR_INVALID_DATA; -- } -- keypair.certificate_len = keypair.cert.length; -- ndr_err = ndr_push_struct_blob(&blobkeypair, ctx, &keypair, (ndr_push_flags_fn_t)ndr_push_bkrp_exported_RSA_key_pair); -- if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) { -- der_free_octet_string(&data); -- hx509_cert_free(cert); -- hx509_private_key_free(&pk); -- hx509_context_free(&hctx); -- RSA_free(rsa); -- return WERR_INVALID_DATA; -- } -- -- secret_name = talloc_asprintf(ctx, "BCKUPKEY_%s", GUID_string(ctx, &guid)); -- if (secret_name == NULL) { -- der_free_octet_string(&data); -- hx509_cert_free(cert); -- 
hx509_private_key_free(&pk); -- hx509_context_free(&hctx); -- RSA_free(rsa); -- return WERR_OUTOFMEMORY; -- } -- -- status = set_lsa_secret(ctx, ldb_ctx, secret_name, &blobkeypair); -- if (!NT_STATUS_IS_OK(status)) { -- DEBUG(2, ("Failed to save the secret %s\n", secret_name)); -- } -- talloc_free(secret_name); -- -- GUID_to_ndr_blob(&guid, ctx, &blob); -- status = set_lsa_secret(ctx, ldb_ctx, "BCKUPKEY_PREFERRED", &blob); -- if (!NT_STATUS_IS_OK(status)) { -- DEBUG(2, ("Failed to save the secret BCKUPKEY_PREFERRED\n")); -- } -- -- der_free_octet_string(&data); -- hx509_cert_free(cert); -- hx509_private_key_free(&pk); -- hx509_context_free(&hctx); -- RSA_free(rsa); -- return WERR_OK; --} -- --static WERROR bkrp_retrieve_client_wrap_key(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, -- struct bkrp_BackupKey *r, struct ldb_context *ldb_ctx) --{ -- struct GUID guid; -- char *guid_string; -- DATA_BLOB lsa_secret; -- enum ndr_err_code ndr_err; -- NTSTATUS status; -- -- /* -- * here we basicaly need to return our certificate -- * search for lsa secret BCKUPKEY_PREFERRED first -- */ -- -- status = get_lsa_secret(mem_ctx, -- ldb_ctx, -- "BCKUPKEY_PREFERRED", -- &lsa_secret); -- if (NT_STATUS_EQUAL(status, NT_STATUS_RESOURCE_NAME_NOT_FOUND)) { -- /* Ok we can be in this case if there was no certs */ -- struct loadparm_context *lp_ctx = dce_call->conn->dce_ctx->lp_ctx; -- char *dn = talloc_asprintf(mem_ctx, "CN=%s", -- lpcfg_realm(lp_ctx)); -- -- WERROR werr = generate_bkrp_cert(mem_ctx, dce_call, ldb_ctx, dn); -- if (!W_ERROR_IS_OK(werr)) { -- return WERR_INVALID_PARAMETER; -- } -- status = get_lsa_secret(mem_ctx, -- ldb_ctx, -- "BCKUPKEY_PREFERRED", -- &lsa_secret); -- -- if (!NT_STATUS_IS_OK(status)) { -- /* Ok we really don't manage to get this certs ...*/ -- DEBUG(2, ("Unable to locate BCKUPKEY_PREFERRED after cert generation\n")); -- return WERR_FILE_NOT_FOUND; -- } -- } else if (!NT_STATUS_IS_OK(status)) { -- return WERR_INTERNAL_ERROR; -- } -- -- if 
(lsa_secret.length == 0) { -- DEBUG(1, ("No secret in BCKUPKEY_PREFERRED, are we an undetected RODC?\n")); -- return WERR_INTERNAL_ERROR; -- } else { -- char *cert_secret_name; -- -- status = GUID_from_ndr_blob(&lsa_secret, &guid); -- if (!NT_STATUS_IS_OK(status)) { -- return WERR_FILE_NOT_FOUND; -- } -- -- guid_string = GUID_string(mem_ctx, &guid); -- if (guid_string == NULL) { -- /* We return file not found because the client -- * expect this error -- */ -- return WERR_FILE_NOT_FOUND; -- } -- -- cert_secret_name = talloc_asprintf(mem_ctx, -- "BCKUPKEY_%s", -- guid_string); -- status = get_lsa_secret(mem_ctx, -- ldb_ctx, -- cert_secret_name, -- &lsa_secret); -- if (!NT_STATUS_IS_OK(status)) { -- return WERR_FILE_NOT_FOUND; -- } -- -- if (lsa_secret.length != 0) { -- struct bkrp_exported_RSA_key_pair keypair; -- ndr_err = ndr_pull_struct_blob(&lsa_secret, mem_ctx, &keypair, -- (ndr_pull_flags_fn_t)ndr_pull_bkrp_exported_RSA_key_pair); -- if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) { -- return WERR_FILE_NOT_FOUND; -- } -- *(r->out.data_out_len) = keypair.cert.length; -- *(r->out.data_out) = talloc_memdup(mem_ctx, keypair.cert.data, keypair.cert.length); -- W_ERROR_HAVE_NO_MEMORY(*(r->out.data_out)); -- return WERR_OK; -- } else { -- DEBUG(1, ("No or broken secret called %s\n", cert_secret_name)); -- return WERR_INTERNAL_ERROR; -- } -- } -- -- return WERR_NOT_SUPPORTED; --} -- --static WERROR generate_bkrp_server_wrap_key(TALLOC_CTX *ctx, struct ldb_context *ldb_ctx) --{ -- struct GUID guid = GUID_random(); -- enum ndr_err_code ndr_err; -- DATA_BLOB blob_wrap_key, guid_blob; -- struct bkrp_dc_serverwrap_key wrap_key; -- NTSTATUS status; -- char *secret_name; -- TALLOC_CTX *frame = talloc_stackframe(); -- -- generate_random_buffer(wrap_key.key, sizeof(wrap_key.key)); -- -- ndr_err = ndr_push_struct_blob(&blob_wrap_key, ctx, &wrap_key, (ndr_push_flags_fn_t)ndr_push_bkrp_dc_serverwrap_key); -- if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) { -- TALLOC_FREE(frame); -- return 
WERR_INVALID_DATA; -- } -- -- secret_name = talloc_asprintf(frame, "BCKUPKEY_%s", GUID_string(ctx, &guid)); -- if (secret_name == NULL) { -- TALLOC_FREE(frame); -- return WERR_NOT_ENOUGH_MEMORY; -- } -- -- status = set_lsa_secret(frame, ldb_ctx, secret_name, &blob_wrap_key); -- if (!NT_STATUS_IS_OK(status)) { -- DEBUG(2, ("Failed to save the secret %s\n", secret_name)); -- TALLOC_FREE(frame); -- return WERR_INTERNAL_ERROR; -- } -- -- status = GUID_to_ndr_blob(&guid, frame, &guid_blob); -- if (!NT_STATUS_IS_OK(status)) { -- DEBUG(2, ("Failed to save the secret %s\n", secret_name)); -- TALLOC_FREE(frame); -- } -- -- status = set_lsa_secret(frame, ldb_ctx, "BCKUPKEY_P", &guid_blob); -- if (!NT_STATUS_IS_OK(status)) { -- DEBUG(2, ("Failed to save the secret %s\n", secret_name)); -- TALLOC_FREE(frame); -- return WERR_INTERNAL_ERROR; -- } -- -- TALLOC_FREE(frame); -- -- return WERR_OK; --} -- --/* -- * Find the specified decryption keys from the LSA secrets store as -- * G$BCKUPKEY_keyGuidString. 
-- */ -- --static WERROR bkrp_do_retrieve_server_wrap_key(TALLOC_CTX *mem_ctx, struct ldb_context *ldb_ctx, -- struct bkrp_dc_serverwrap_key *server_key, -- struct GUID *guid) --{ -- NTSTATUS status; -- DATA_BLOB lsa_secret; -- char *secret_name; -- char *guid_string; -- enum ndr_err_code ndr_err; -- -- guid_string = GUID_string(mem_ctx, guid); -- if (guid_string == NULL) { -- /* We return file not found because the client -- * expect this error -- */ -- return WERR_FILE_NOT_FOUND; -- } -- -- secret_name = talloc_asprintf(mem_ctx, "BCKUPKEY_%s", guid_string); -- if (secret_name == NULL) { -- return WERR_NOT_ENOUGH_MEMORY; -- } -- -- status = get_lsa_secret(mem_ctx, ldb_ctx, secret_name, &lsa_secret); -- if (!NT_STATUS_IS_OK(status)) { -- DEBUG(10, ("Error while fetching secret %s\n", secret_name)); -- return WERR_INVALID_DATA; -- } -- if (lsa_secret.length == 0) { -- /* RODC case, we do not have secrets locally */ -- DEBUG(1, ("Unable to fetch value for secret %s, are we an undetected RODC?\n", -- secret_name)); -- return WERR_INTERNAL_ERROR; -- } -- ndr_err = ndr_pull_struct_blob(&lsa_secret, mem_ctx, server_key, -- (ndr_pull_flags_fn_t)ndr_pull_bkrp_dc_serverwrap_key); -- if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) { -- DEBUG(2, ("Unable to parse the ndr encoded server wrap key %s\n", secret_name)); -- return WERR_INVALID_DATA; -- } -- -- return WERR_OK; --} -- --/* -- * Find the current, preferred ServerWrap Key by looking at -- * G$BCKUPKEY_P in the LSA secrets store. -- * -- * Then find the current decryption keys from the LSA secrets store as -- * G$BCKUPKEY_keyGuidString. 
-- */ -- --static WERROR bkrp_do_retrieve_default_server_wrap_key(TALLOC_CTX *mem_ctx, -- struct ldb_context *ldb_ctx, -- struct bkrp_dc_serverwrap_key *server_key, -- struct GUID *returned_guid) --{ -- NTSTATUS status; -- DATA_BLOB guid_binary; -- -- status = get_lsa_secret(mem_ctx, ldb_ctx, "BCKUPKEY_P", &guid_binary); -- if (!NT_STATUS_IS_OK(status)) { -- DEBUG(10, ("Error while fetching secret BCKUPKEY_P to find current GUID\n")); -- return WERR_FILE_NOT_FOUND; -- } else if (guid_binary.length == 0) { -- /* RODC case, we do not have secrets locally */ -- DEBUG(1, ("Unable to fetch value for secret BCKUPKEY_P, are we an undetected RODC?\n")); -- return WERR_INTERNAL_ERROR; -- } -- -- status = GUID_from_ndr_blob(&guid_binary, returned_guid); -- if (!NT_STATUS_IS_OK(status)) { -- return WERR_FILE_NOT_FOUND; -- } -- -- return bkrp_do_retrieve_server_wrap_key(mem_ctx, ldb_ctx, -- server_key, returned_guid); --} -- --static WERROR bkrp_server_wrap_decrypt_data(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, -- struct bkrp_BackupKey *r ,struct ldb_context *ldb_ctx) --{ -- struct auth_session_info *session_info = -- dcesrv_call_session_info(dce_call); -- WERROR werr; -- struct bkrp_server_side_wrapped decrypt_request; -- DATA_BLOB sid_blob, encrypted_blob, symkey_blob; -- DATA_BLOB blob; -- enum ndr_err_code ndr_err; -- struct bkrp_dc_serverwrap_key server_key; -- struct bkrp_rc4encryptedpayload rc4payload; -- struct dom_sid *caller_sid; -- uint8_t symkey[20]; /* SHA-1 hash len */ -- uint8_t mackey[20]; /* SHA-1 hash len */ -- uint8_t mac[20]; /* SHA-1 hash len */ -- unsigned int hash_len; -- HMAC_CTX ctx; -- -- blob.data = r->in.data_in; -- blob.length = r->in.data_in_len; -- -- if (r->in.data_in_len == 0 || r->in.data_in == NULL) { -- return WERR_INVALID_PARAMETER; -- } -- -- ndr_err = ndr_pull_struct_blob_all(&blob, mem_ctx, &decrypt_request, -- (ndr_pull_flags_fn_t)ndr_pull_bkrp_server_side_wrapped); -- if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) { -- return 
WERR_INVALID_PARAMETER; -- } -- -- if (decrypt_request.magic != BACKUPKEY_SERVER_WRAP_VERSION) { -- return WERR_INVALID_PARAMETER; -- } -- -- werr = bkrp_do_retrieve_server_wrap_key(mem_ctx, ldb_ctx, &server_key, -- &decrypt_request.guid); -- if (!W_ERROR_IS_OK(werr)) { -- return werr; -- } -- -- dump_data_pw("server_key: \n", server_key.key, sizeof(server_key.key)); -- -- dump_data_pw("r2: \n", decrypt_request.r2, sizeof(decrypt_request.r2)); -- -- /* -- * This is *not* the leading 64 bytes, as indicated in MS-BKRP 3.1.4.1.1 -- * BACKUPKEY_BACKUP_GUID, it really is the whole key -- */ -- HMAC(EVP_sha1(), server_key.key, sizeof(server_key.key), -- decrypt_request.r2, sizeof(decrypt_request.r2), -- symkey, &hash_len); -- -- dump_data_pw("symkey: \n", symkey, hash_len); -- -- /* rc4 decrypt sid and secret using sym key */ -- symkey_blob = data_blob_const(symkey, sizeof(symkey)); -- -- encrypted_blob = data_blob_const(decrypt_request.rc4encryptedpayload, -- decrypt_request.ciphertext_length); -- -- arcfour_crypt_blob(encrypted_blob.data, encrypted_blob.length, &symkey_blob); -- -- ndr_err = ndr_pull_struct_blob_all(&encrypted_blob, mem_ctx, &rc4payload, -- (ndr_pull_flags_fn_t)ndr_pull_bkrp_rc4encryptedpayload); -- if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) { -- return WERR_INVALID_PARAMETER; -- } -- -- if (decrypt_request.payload_length != rc4payload.secret_data.length) { -- return WERR_INVALID_PARAMETER; -- } -- -- dump_data_pw("r3: \n", rc4payload.r3, sizeof(rc4payload.r3)); -- -- /* -- * This is *not* the leading 64 bytes, as indicated in MS-BKRP 3.1.4.1.1 -- * BACKUPKEY_BACKUP_GUID, it really is the whole key -- */ -- HMAC(EVP_sha1(), server_key.key, sizeof(server_key.key), -- rc4payload.r3, sizeof(rc4payload.r3), -- mackey, &hash_len); -- -- dump_data_pw("mackey: \n", mackey, sizeof(mackey)); -- -- ndr_err = ndr_push_struct_blob(&sid_blob, mem_ctx, &rc4payload.sid, -- (ndr_push_flags_fn_t)ndr_push_dom_sid); -- if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) { -- return 
WERR_INTERNAL_ERROR; -- } -- -- HMAC_CTX_init(&ctx); -- HMAC_Init_ex(&ctx, mackey, hash_len, EVP_sha1(), NULL); -- /* SID field */ -- HMAC_Update(&ctx, sid_blob.data, sid_blob.length); -- /* Secret field */ -- HMAC_Update(&ctx, rc4payload.secret_data.data, rc4payload.secret_data.length); -- HMAC_Final(&ctx, mac, &hash_len); -- HMAC_CTX_cleanup(&ctx); -- -- dump_data_pw("mac: \n", mac, sizeof(mac)); -- dump_data_pw("rc4payload.mac: \n", rc4payload.mac, sizeof(rc4payload.mac)); -- -- if (memcmp(mac, rc4payload.mac, sizeof(mac)) != 0) { -- return WERR_INVALID_ACCESS; -- } -- -- caller_sid = &session_info->security_token->sids[PRIMARY_USER_SID_INDEX]; -- -- if (!dom_sid_equal(&rc4payload.sid, caller_sid)) { -- return WERR_INVALID_ACCESS; -- } -- -- *(r->out.data_out) = rc4payload.secret_data.data; -- *(r->out.data_out_len) = rc4payload.secret_data.length; -- -- return WERR_OK; --} -- --/* -- * For BACKUPKEY_RESTORE_GUID we need to check the first 4 bytes to -- * determine what type of restore is wanted. -- * -- * See MS-BKRP 3.1.4.1.4 BACKUPKEY_RESTORE_GUID point 1. -- */ -- --static WERROR bkrp_generic_decrypt_data(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, -- struct bkrp_BackupKey *r, struct ldb_context *ldb_ctx) --{ -- if (r->in.data_in_len < 4 || r->in.data_in == NULL) { -- return WERR_INVALID_PARAMETER; -- } -- -- if (IVAL(r->in.data_in, 0) == BACKUPKEY_SERVER_WRAP_VERSION) { -- return bkrp_server_wrap_decrypt_data(dce_call, mem_ctx, r, ldb_ctx); -- } -- -- return bkrp_client_wrap_decrypt_data(dce_call, mem_ctx, r, ldb_ctx); --} -- --/* -- * We have some data, such as saved website or IMAP passwords that the -- * client would like to put into the profile on-disk. This needs to -- * be encrypted. This version gives the server the data over the -- * network (protected only by the negotiated transport encryption), -- * and asks that it be encrypted and returned for long-term storage. 
-- * -- * The data is NOT stored in the LSA, but a key to encrypt the data -- * will be stored. There is only one active encryption key per domain, -- * it is pointed at with G$BCKUPKEY_P in the LSA secrets store. -- * -- * The potentially multiple valid decryptiong keys (and the encryption -- * key) are in turn stored in the LSA secrets store as -- * G$BCKUPKEY_keyGuidString. -- * -- */ -- --static WERROR bkrp_server_wrap_encrypt_data(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, -- struct bkrp_BackupKey *r ,struct ldb_context *ldb_ctx) --{ -- struct auth_session_info *session_info = -- dcesrv_call_session_info(dce_call); -- DATA_BLOB sid_blob, encrypted_blob, symkey_blob, server_wrapped_blob; -- WERROR werr; -- struct dom_sid *caller_sid; -- uint8_t symkey[20]; /* SHA-1 hash len */ -- uint8_t mackey[20]; /* SHA-1 hash len */ -- unsigned int hash_len; -- struct bkrp_rc4encryptedpayload rc4payload; -- HMAC_CTX ctx; -- struct bkrp_dc_serverwrap_key server_key; -- enum ndr_err_code ndr_err; -- struct bkrp_server_side_wrapped server_side_wrapped; -- struct GUID guid; -- -- if (r->in.data_in_len == 0 || r->in.data_in == NULL) { -- return WERR_INVALID_PARAMETER; -- } -- -- werr = bkrp_do_retrieve_default_server_wrap_key(mem_ctx, -- ldb_ctx, &server_key, -- &guid); -- -- if (!W_ERROR_IS_OK(werr)) { -- if (W_ERROR_EQUAL(werr, WERR_FILE_NOT_FOUND)) { -- /* Generate the server wrap key since one wasn't found */ -- werr = generate_bkrp_server_wrap_key(mem_ctx, -- ldb_ctx); -- if (!W_ERROR_IS_OK(werr)) { -- return WERR_INVALID_PARAMETER; -- } -- werr = bkrp_do_retrieve_default_server_wrap_key(mem_ctx, -- ldb_ctx, -- &server_key, -- &guid); -- -- if (W_ERROR_EQUAL(werr, WERR_FILE_NOT_FOUND)) { -- /* Ok we really don't manage to get this secret ...*/ -- return WERR_FILE_NOT_FOUND; -- } -- } else { -- /* In theory we should NEVER reach this point as it -- should only appear in a rodc server */ -- /* we do not have the real secret attribute */ -- return 
WERR_INVALID_PARAMETER; -- } -- } -- -- caller_sid = &session_info->security_token->sids[PRIMARY_USER_SID_INDEX]; -- -- dump_data_pw("server_key: \n", server_key.key, sizeof(server_key.key)); -- -- /* -- * This is the key derivation step, so that the HMAC and RC4 -- * operations over the user-supplied data are not able to -- * disclose the master key. By using random data, the symkey -- * and mackey values are unique for this operation, and -- * discovering these (by reversing the RC4 over the -- * attacker-controlled data) does not return something able to -- * be used to decyrpt the encrypted data of other users -- */ -- generate_random_buffer(server_side_wrapped.r2, sizeof(server_side_wrapped.r2)); -- -- dump_data_pw("r2: \n", server_side_wrapped.r2, sizeof(server_side_wrapped.r2)); -- -- generate_random_buffer(rc4payload.r3, sizeof(rc4payload.r3)); -- -- dump_data_pw("r3: \n", rc4payload.r3, sizeof(rc4payload.r3)); -- -- -- /* -- * This is *not* the leading 64 bytes, as indicated in MS-BKRP 3.1.4.1.1 -- * BACKUPKEY_BACKUP_GUID, it really is the whole key -- */ -- HMAC(EVP_sha1(), server_key.key, sizeof(server_key.key), -- server_side_wrapped.r2, sizeof(server_side_wrapped.r2), -- symkey, &hash_len); -- -- dump_data_pw("symkey: \n", symkey, hash_len); -- -- /* -- * This is *not* the leading 64 bytes, as indicated in MS-BKRP 3.1.4.1.1 -- * BACKUPKEY_BACKUP_GUID, it really is the whole key -- */ -- HMAC(EVP_sha1(), server_key.key, sizeof(server_key.key), -- rc4payload.r3, sizeof(rc4payload.r3), -- mackey, &hash_len); -- -- dump_data_pw("mackey: \n", mackey, sizeof(mackey)); -- -- ndr_err = ndr_push_struct_blob(&sid_blob, mem_ctx, caller_sid, -- (ndr_push_flags_fn_t)ndr_push_dom_sid); -- if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) { -- return WERR_INTERNAL_ERROR; -- } -- -- rc4payload.secret_data.data = r->in.data_in; -- rc4payload.secret_data.length = r->in.data_in_len; -- -- HMAC_CTX_init(&ctx); -- HMAC_Init_ex(&ctx, mackey, 20, EVP_sha1(), NULL); -- /* SID field */ 
-- HMAC_Update(&ctx, sid_blob.data, sid_blob.length); -- /* Secret field */ -- HMAC_Update(&ctx, rc4payload.secret_data.data, rc4payload.secret_data.length); -- HMAC_Final(&ctx, rc4payload.mac, &hash_len); -- HMAC_CTX_cleanup(&ctx); -- -- dump_data_pw("rc4payload.mac: \n", rc4payload.mac, sizeof(rc4payload.mac)); -- -- rc4payload.sid = *caller_sid; -- -- ndr_err = ndr_push_struct_blob(&encrypted_blob, mem_ctx, &rc4payload, -- (ndr_push_flags_fn_t)ndr_push_bkrp_rc4encryptedpayload); -- if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) { -- return WERR_INTERNAL_ERROR; -- } -- -- /* rc4 encrypt sid and secret using sym key */ -- symkey_blob = data_blob_const(symkey, sizeof(symkey)); -- arcfour_crypt_blob(encrypted_blob.data, encrypted_blob.length, &symkey_blob); -- -- /* create server wrap structure */ -- -- server_side_wrapped.payload_length = rc4payload.secret_data.length; -- server_side_wrapped.ciphertext_length = encrypted_blob.length; -- server_side_wrapped.guid = guid; -- server_side_wrapped.rc4encryptedpayload = encrypted_blob.data; -- -- ndr_err = ndr_push_struct_blob(&server_wrapped_blob, mem_ctx, &server_side_wrapped, -- (ndr_push_flags_fn_t)ndr_push_bkrp_server_side_wrapped); -- if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) { -- return WERR_INTERNAL_ERROR; -- } -- -- *(r->out.data_out) = server_wrapped_blob.data; -- *(r->out.data_out_len) = server_wrapped_blob.length; -- -- return WERR_OK; --} -- --static WERROR dcesrv_bkrp_BackupKey(struct dcesrv_call_state *dce_call, -- TALLOC_CTX *mem_ctx, struct bkrp_BackupKey *r) --{ -- WERROR error = WERR_INVALID_PARAMETER; -- struct ldb_context *ldb_ctx; -- bool is_rodc; -- const char *addr = "unknown"; -- /* At which level we start to add more debug of what is done in the protocol */ -- const int debuglevel = 4; -- -- if (DEBUGLVL(debuglevel)) { -- const struct tsocket_address *remote_address; -- remote_address = dcesrv_connection_get_remote_address(dce_call->conn); -- if (tsocket_address_is_inet(remote_address, "ip")) { -- addr = 
tsocket_address_inet_addr_string(remote_address, mem_ctx); -- W_ERROR_HAVE_NO_MEMORY(addr); -- } -- } -- -- if (lpcfg_server_role(dce_call->conn->dce_ctx->lp_ctx) != ROLE_ACTIVE_DIRECTORY_DC) { -- return WERR_NOT_SUPPORTED; -- } -- -- /* -- * Save the current remote session details so they can used by the -- * audit logging module. This allows the audit logging to report the -- * remote users details, rather than the system users details. -- */ -- ldb_ctx = dcesrv_samdb_connect_as_system(mem_ctx, dce_call); -- if (samdb_rodc(ldb_ctx, &is_rodc) != LDB_SUCCESS) { -- talloc_unlink(mem_ctx, ldb_ctx); -- return WERR_INVALID_PARAMETER; -- } -- -- if (!is_rodc) { -- if(strncasecmp(GUID_string(mem_ctx, r->in.guidActionAgent), -- BACKUPKEY_RESTORE_GUID, strlen(BACKUPKEY_RESTORE_GUID)) == 0) { -- DEBUG(debuglevel, ("Client %s requested to decrypt a wrapped secret\n", addr)); -- error = bkrp_generic_decrypt_data(dce_call, mem_ctx, r, ldb_ctx); -- } -- -- if (strncasecmp(GUID_string(mem_ctx, r->in.guidActionAgent), -- BACKUPKEY_RETRIEVE_BACKUP_KEY_GUID, strlen(BACKUPKEY_RETRIEVE_BACKUP_KEY_GUID)) == 0) { -- DEBUG(debuglevel, ("Client %s requested certificate for client wrapped secret\n", addr)); -- error = bkrp_retrieve_client_wrap_key(dce_call, mem_ctx, r, ldb_ctx); -- } -- -- if (strncasecmp(GUID_string(mem_ctx, r->in.guidActionAgent), -- BACKUPKEY_RESTORE_GUID_WIN2K, strlen(BACKUPKEY_RESTORE_GUID_WIN2K)) == 0) { -- DEBUG(debuglevel, ("Client %s requested to decrypt a server side wrapped secret\n", addr)); -- error = bkrp_server_wrap_decrypt_data(dce_call, mem_ctx, r, ldb_ctx); -- } -- -- if (strncasecmp(GUID_string(mem_ctx, r->in.guidActionAgent), -- BACKUPKEY_BACKUP_GUID, strlen(BACKUPKEY_BACKUP_GUID)) == 0) { -- DEBUG(debuglevel, ("Client %s requested a server wrapped secret\n", addr)); -- error = bkrp_server_wrap_encrypt_data(dce_call, mem_ctx, r, ldb_ctx); -- } -- } -- /*else: I am a RODC so I don't handle backup key protocol */ -- -- talloc_unlink(mem_ctx, ldb_ctx); -- 
return error; --} -- --/* include the generated boilerplate */ --#include "librpc/gen_ndr/ndr_backupkey_s.c" -diff --git a/source4/rpc_server/wscript_build b/source4/rpc_server/wscript_build -index a7459d6b851..a5c1c1d9a2c 100644 ---- a/source4/rpc_server/wscript_build -+++ b/source4/rpc_server/wscript_build -@@ -119,23 +119,13 @@ bld.SAMBA_MODULE('dcerpc_lsarpc', - ) - - --if (bld.CONFIG_SET('HAVE_GNUTLS_PRIVKEY_EXPORT_X509') and -- bld.CONFIG_SET('HAVE_GNUTLS_X509_CRT_SET_SUBJECT_UNIQUE_ID')): -- bld.SAMBA_MODULE('dcerpc_backupkey', -- source='backupkey/dcesrv_backupkey.c ', -- autoproto='backupkey/proto.h', -- subsystem='dcerpc_server', -- init_function='dcerpc_server_backupkey_init', -- deps='samdb DCERPC_COMMON NDR_BACKUPKEY RPC_NDR_BACKUPKEY gnutls', -- ) --else: -- bld.SAMBA_MODULE('dcerpc_backupkey', -- source='backupkey/dcesrv_backupkey_heimdal.c ', -- autoproto='backupkey/proto.h', -- subsystem='dcerpc_server', -- init_function='dcerpc_server_backupkey_init', -- deps='samdb DCERPC_COMMON NDR_BACKUPKEY RPC_NDR_BACKUPKEY krb5 hx509 hcrypto gnutls DCERPC_COMMON', -- ) -+bld.SAMBA_MODULE('dcerpc_backupkey', -+ source='backupkey/dcesrv_backupkey.c ', -+ autoproto='backupkey/proto.h', -+ subsystem='dcerpc_server', -+ init_function='dcerpc_server_backupkey_init', -+ deps='samdb DCERPC_COMMON NDR_BACKUPKEY RPC_NDR_BACKUPKEY gnutls', -+ ) - - - bld.SAMBA_MODULE('dcerpc_drsuapi', -diff --git a/source4/torture/rpc/backupkey_heimdal.c b/source4/torture/rpc/backupkey_heimdal.c -deleted file mode 100644 -index 79b45e7aab8..00000000000 ---- a/source4/torture/rpc/backupkey_heimdal.c -+++ /dev/null -@@ -1,2160 +0,0 @@ --/* -- Unix SMB/CIFS implementation. 
-- test suite for backupkey remote protocol rpc operations -- -- Copyright (C) Matthieu Patou 2010-2011 -- -- This program is free software; you can redistribute it and/or modify -- it under the terms of the GNU General Public License as published by -- the Free Software Foundation; either version 3 of the License, or -- (at your option) any later version. -- -- This program is distributed in the hope that it will be useful, -- but WITHOUT ANY WARRANTY; without even the implied warranty of -- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -- GNU General Public License for more details. -- -- You should have received a copy of the GNU General Public License -- along with this program. If not, see . --*/ -- --#include "includes.h" --#include "../libcli/security/security.h" -- --#include "torture/rpc/torture_rpc.h" --#include "torture/ndr/ndr.h" -- --#include "librpc/gen_ndr/ndr_backupkey_c.h" --#include "librpc/gen_ndr/ndr_backupkey.h" --#include "librpc/gen_ndr/ndr_lsa_c.h" --#include "librpc/gen_ndr/ndr_security.h" --#include "lib/cmdline/popt_common.h" --#include "libcli/auth/proto.h" --#include "lib/crypto/arcfour.h" --#include --#include --#include --#include --#include --#include --#include --#include --#include -- --enum test_wrong { -- WRONG_MAGIC, -- WRONG_R2, -- WRONG_PAYLOAD_LENGTH, -- WRONG_CIPHERTEXT_LENGTH, -- SHORT_PAYLOAD_LENGTH, -- SHORT_CIPHERTEXT_LENGTH, -- ZERO_PAYLOAD_LENGTH, -- ZERO_CIPHERTEXT_LENGTH, -- RIGHT_KEY, -- WRONG_KEY, -- WRONG_SID, --}; -- --/* Our very special and valued secret */ --/* No need to put const as we cast the array in uint8_t -- * we will get a warning about the discared const -- */ --static const char secret[] = "tata yoyo mais qu'est ce qu'il y a sous ton grand chapeau ?"; -- --/* Get the SID from a user */ --static struct dom_sid *get_user_sid(struct torture_context *tctx, -- TALLOC_CTX *mem_ctx, -- const char *user) --{ -- struct lsa_ObjectAttribute attr; -- struct lsa_QosInfo qos; -- struct 
lsa_OpenPolicy2 r; -- struct lsa_Close c; -- NTSTATUS status; -- struct policy_handle handle; -- struct lsa_LookupNames l; -- struct lsa_TransSidArray sids; -- struct lsa_RefDomainList *domains = NULL; -- struct lsa_String lsa_name; -- uint32_t count = 0; -- struct dom_sid *result; -- TALLOC_CTX *tmp_ctx; -- struct dcerpc_pipe *p2; -- struct dcerpc_binding_handle *b; -- -- const char *domain = cli_credentials_get_domain( -- popt_get_cmdline_credentials()); -- -- torture_assert_ntstatus_ok(tctx, -- torture_rpc_connection(tctx, &p2, &ndr_table_lsarpc), -- "could not open lsarpc pipe"); -- b = p2->binding_handle; -- -- if (!(tmp_ctx = talloc_new(mem_ctx))) { -- return NULL; -- } -- qos.len = 0; -- qos.impersonation_level = 2; -- qos.context_mode = 1; -- qos.effective_only = 0; -- -- attr.len = 0; -- attr.root_dir = NULL; -- attr.object_name = NULL; -- attr.attributes = 0; -- attr.sec_desc = NULL; -- attr.sec_qos = &qos; -- -- r.in.system_name = "\\"; -- r.in.attr = &attr; -- r.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED; -- r.out.handle = &handle; -- -- status = dcerpc_lsa_OpenPolicy2_r(b, tmp_ctx, &r); -- if (!NT_STATUS_IS_OK(status)) { -- torture_comment(tctx, -- "OpenPolicy2 failed - %s\n", -- nt_errstr(status)); -- talloc_free(tmp_ctx); -- return NULL; -- } -- if (!NT_STATUS_IS_OK(r.out.result)) { -- torture_comment(tctx, -- "OpenPolicy2_ failed - %s\n", -- nt_errstr(r.out.result)); -- talloc_free(tmp_ctx); -- return NULL; -- } -- -- sids.count = 0; -- sids.sids = NULL; -- -- lsa_name.string = talloc_asprintf(tmp_ctx, "%s\\%s", domain, user); -- -- l.in.handle = &handle; -- l.in.num_names = 1; -- l.in.names = &lsa_name; -- l.in.sids = &sids; -- l.in.level = 1; -- l.in.count = &count; -- l.out.count = &count; -- l.out.sids = &sids; -- l.out.domains = &domains; -- -- status = dcerpc_lsa_LookupNames_r(b, tmp_ctx, &l); -- if (!NT_STATUS_IS_OK(status)) { -- torture_comment(tctx, -- "LookupNames of %s failed - %s\n", -- lsa_name.string, -- nt_errstr(status)); -- 
talloc_free(tmp_ctx); -- return NULL; -- } -- -- if (domains->count == 0) { -- return NULL; -- } -- -- result = dom_sid_add_rid(mem_ctx, -- domains->domains[0].sid, -- l.out.sids->sids[0].rid); -- c.in.handle = &handle; -- c.out.handle = &handle; -- -- status = dcerpc_lsa_Close_r(b, tmp_ctx, &c); -- -- if (!NT_STATUS_IS_OK(status)) { -- torture_comment(tctx, -- "dcerpc_lsa_Close failed - %s\n", -- nt_errstr(status)); -- talloc_free(tmp_ctx); -- return NULL; -- } -- -- if (!NT_STATUS_IS_OK(c.out.result)) { -- torture_comment(tctx, -- "dcerpc_lsa_Close failed - %s\n", -- nt_errstr(c.out.result)); -- talloc_free(tmp_ctx); -- return NULL; -- } -- -- talloc_free(tmp_ctx); -- talloc_free(p2); -- -- torture_comment(tctx, "Get_user_sid finished\n"); -- return result; --} -- --/* -- * Create a bkrp_encrypted_secret_vX structure -- * the version depends on the version parameter -- * the structure is returned as a blob. -- * The broken flag is to indicate if we want -- * to create a non conform to specification structre -- */ --static DATA_BLOB *create_unencryptedsecret(TALLOC_CTX *mem_ctx, -- bool broken, -- int version) --{ -- TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx); -- DATA_BLOB *blob = talloc_zero(mem_ctx, DATA_BLOB); -- enum ndr_err_code ndr_err; -- -- if (version == 2) { -- struct bkrp_encrypted_secret_v2 unenc_sec; -- -- ZERO_STRUCT(unenc_sec); -- unenc_sec.secret_len = sizeof(secret); -- unenc_sec.secret = discard_const_p(uint8_t, secret); -- generate_random_buffer(unenc_sec.payload_key, -- sizeof(unenc_sec.payload_key)); -- -- ndr_err = ndr_push_struct_blob(blob, blob, &unenc_sec, -- (ndr_push_flags_fn_t)ndr_push_bkrp_encrypted_secret_v2); -- if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) { -- return NULL; -- } -- -- if (broken) { -- /* The magic value is correctly set by the NDR push -- * but we want to test the behavior of the server -- * if a differrent value is provided -- */ -- ((uint8_t*)blob->data)[4] = 79; /* A great year !!! 
*/ -- } -- } -- -- if (version == 3) { -- struct bkrp_encrypted_secret_v3 unenc_sec; -- -- ZERO_STRUCT(unenc_sec); -- unenc_sec.secret_len = sizeof(secret); -- unenc_sec.secret = discard_const_p(uint8_t, secret); -- generate_random_buffer(unenc_sec.payload_key, -- sizeof(unenc_sec.payload_key)); -- -- ndr_err = ndr_push_struct_blob(blob, blob, &unenc_sec, -- (ndr_push_flags_fn_t)ndr_push_bkrp_encrypted_secret_v3); -- if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) { -- return NULL; -- } -- -- if (broken) { -- /* -- * The magic value is correctly set by the NDR push -- * but we want to test the behavior of the server -- * if a differrent value is provided -- */ -- ((uint8_t*)blob->data)[4] = 79; /* A great year !!! */ -- } -- } -- talloc_free(tmp_ctx); -- return blob; --} -- --/* -- * Create an access check structure, the format depends on the version parameter. -- * If broken is specified then we create a stucture that isn't conform to the -- * specification. -- * -- * If the structure can't be created then NULL is returned. 
-- */
--static DATA_BLOB *create_access_check(struct torture_context *tctx,
-- struct dcerpc_pipe *p,
-- TALLOC_CTX *mem_ctx,
-- const char *user,
-- bool broken,
-- uint32_t version)
--{
-- TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
-- DATA_BLOB *blob = talloc_zero(mem_ctx, DATA_BLOB);
-- enum ndr_err_code ndr_err;
-- const struct dom_sid *sid = get_user_sid(tctx, tmp_ctx, user);
--
-- if (sid == NULL) {
-- return NULL;
-- }
--
-- if (version == 2) {
-- struct bkrp_access_check_v2 access_struct;
-- struct sha sctx;
-- uint8_t nonce[32];
--
-- ZERO_STRUCT(access_struct);
-- generate_random_buffer(nonce, sizeof(nonce));
-- access_struct.nonce_len = sizeof(nonce);
-- access_struct.nonce = nonce;
-- access_struct.sid = *sid;
--
-- ndr_err = ndr_push_struct_blob(blob, blob, &access_struct,
-- (ndr_push_flags_fn_t)ndr_push_bkrp_access_check_v2);
-- if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
-- return NULL;
-- }
--
-- /*
-- * We pushed the whole structure including a null hash
-- * but the hash need to be calculated only up to the hash field
-- * so we reduce the size of what has to be calculated
-- */
--
-- SHA1_Init(&sctx);
-- SHA1_Update(&sctx, blob->data,
-- blob->length - sizeof(access_struct.hash));
-- SHA1_Final(blob->data + blob->length - sizeof(access_struct.hash),
-- &sctx);
--
-- /* Altering the SHA */
-- if (broken) {
-- blob->data[blob->length - 1]++;
-- }
-- }
--
-- if (version == 3) {
-- struct bkrp_access_check_v3 access_struct;
-- struct hc_sha512state sctx;
-- uint8_t nonce[32];
--
-- ZERO_STRUCT(access_struct);
-- generate_random_buffer(nonce, sizeof(nonce));
-- access_struct.nonce_len = sizeof(nonce);
-- access_struct.nonce = nonce;
-- access_struct.sid = *sid;
--
-- ndr_err = ndr_push_struct_blob(blob, blob, &access_struct,
-- (ndr_push_flags_fn_t)ndr_push_bkrp_access_check_v3);
-- if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
-- return NULL;
-- }
--
-- /*We pushed the whole structure including a null hash
-- * but the hash need to be calculated only up to
the hash field
-- * so we reduce the size of what has to be calculated
-- */
--
-- SHA512_Init(&sctx);
-- SHA512_Update(&sctx, blob->data,
-- blob->length - sizeof(access_struct.hash));
-- SHA512_Final(blob->data + blob->length - sizeof(access_struct.hash),
-- &sctx);
--
-- /* Altering the SHA */
-- if (broken) {
-- blob->data[blob->length -1]++;
-- }
-- }
-- talloc_free(tmp_ctx);
-- return blob;
--}
--
--
--static DATA_BLOB *encrypt_blob(struct torture_context *tctx,
-- TALLOC_CTX *mem_ctx,
-- DATA_BLOB *key,
-- DATA_BLOB *iv,
-- DATA_BLOB *to_encrypt,
-- const AlgorithmIdentifier *alg)
--{
-- hx509_crypto crypto;
-- hx509_context hctx;
-- heim_octet_string ivos;
-- heim_octet_string *encrypted;
-- DATA_BLOB *blob = talloc_zero(mem_ctx, DATA_BLOB);
-- int res;
--
-- ivos.data = talloc_array(mem_ctx, uint8_t, iv->length);
-- ivos.length = iv->length;
-- memcpy(ivos.data, iv->data, iv->length);
--
-- hx509_context_init(&hctx);
-- res = hx509_crypto_init(hctx, NULL, &alg->algorithm, &crypto);
-- if (res) {
-- torture_comment(tctx,
-- "error while doing the init of the crypto object\n");
-- hx509_context_free(&hctx);
-- return NULL;
-- }
-- res = hx509_crypto_set_key_data(crypto, key->data, key->length);
-- if (res) {
-- torture_comment(tctx,
-- "error while setting the key of the crypto object\n");
-- hx509_context_free(&hctx);
-- return NULL;
-- }
--
-- hx509_crypto_set_padding(crypto, HX509_CRYPTO_PADDING_NONE);
-- res = hx509_crypto_encrypt(crypto,
-- to_encrypt->data,
-- to_encrypt->length,
-- &ivos,
-- &encrypted);
-- if (res) {
-- torture_comment(tctx, "error while encrypting\n");
-- hx509_crypto_destroy(crypto);
-- hx509_context_free(&hctx);
-- return NULL;
-- }
--
-- *blob = data_blob_talloc(blob, encrypted->data, encrypted->length);
-- der_free_octet_string(encrypted);
-- free(encrypted);
-- hx509_crypto_destroy(crypto);
-- hx509_context_free(&hctx);
-- return blob;
--}
--
--/*
-- * Certs used for this protocol have a GUID in the issuer_uniq_id field.
-- * This function fetch it.
-- */
--static struct GUID *get_cert_guid(struct torture_context *tctx,
-- TALLOC_CTX *mem_ctx,
-- uint8_t *cert_data,
-- uint32_t cert_len)
--{
-- hx509_context hctx;
-- hx509_cert cert;
-- heim_bit_string issuer_unique_id;
-- DATA_BLOB data;
-- int hret;
-- uint32_t size;
-- struct GUID *guid = talloc_zero(mem_ctx, struct GUID);
-- NTSTATUS status;
--
-- hx509_context_init(&hctx);
--
-- hret = hx509_cert_init_data(hctx, cert_data, cert_len, &cert);
-- if (hret) {
-- torture_comment(tctx, "error while loading the cert\n");
-- hx509_context_free(&hctx);
-- return NULL;
-- }
-- hret = hx509_cert_get_issuer_unique_id(hctx, cert, &issuer_unique_id);
-- if (hret) {
-- torture_comment(tctx, "error while getting the issuer_uniq_id\n");
-- hx509_cert_free(cert);
-- hx509_context_free(&hctx);
-- return NULL;
-- }
--
-- /* The issuer_unique_id is a bit string,
-- * which means that the real size has to be divided by 8
-- * to have the number of bytes
-- */
-- hx509_cert_free(cert);
-- hx509_context_free(&hctx);
-- size = issuer_unique_id.length / 8;
-- data = data_blob_const(issuer_unique_id.data, size);
--
-- status = GUID_from_data_blob(&data, guid);
-- der_free_bit_string(&issuer_unique_id);
-- if (!NT_STATUS_IS_OK(status)) {
-- return NULL;
-- }
--
-- return guid;
--}
--
--/*
-- * Encrypt a blob with the private key of the certificate
-- * passed as a parameter.
-- */
--static DATA_BLOB *encrypt_blob_pk(struct torture_context *tctx,
-- TALLOC_CTX *mem_ctx,
-- uint8_t *cert_data,
-- uint32_t cert_len,
-- DATA_BLOB *to_encrypt)
--{
-- hx509_context hctx;
-- hx509_cert cert;
-- heim_octet_string secretdata;
-- heim_octet_string encrypted;
-- heim_oid encryption_oid;
-- DATA_BLOB *blob;
-- int hret;
--
-- hx509_context_init(&hctx);
--
-- hret = hx509_cert_init_data(hctx, cert_data, cert_len, &cert);
-- if (hret) {
-- torture_comment(tctx, "error while loading the cert\n");
-- hx509_context_free(&hctx);
-- return NULL;
-- }
--
-- secretdata.data = to_encrypt->data;
-- secretdata.length = to_encrypt->length;
-- hret = hx509_cert_public_encrypt(hctx, &secretdata,
-- cert, &encryption_oid,
-- &encrypted);
-- hx509_cert_free(cert);
-- hx509_context_free(&hctx);
-- if (hret) {
-- torture_comment(tctx, "error while encrypting\n");
-- return NULL;
-- }
--
-- blob = talloc_zero(mem_ctx, DATA_BLOB);
-- if (blob == NULL) {
-- der_free_oid(&encryption_oid);
-- der_free_octet_string(&encrypted);
-- return NULL;
-- }
--
-- *blob = data_blob_talloc(blob, encrypted.data, encrypted.length);
-- der_free_octet_string(&encrypted);
-- der_free_oid(&encryption_oid);
-- if (blob->data == NULL) {
-- return NULL;
-- }
--
-- return blob;
--}
--
--
--static struct bkrp_BackupKey *createRetrieveBackupKeyGUIDStruct(struct torture_context *tctx,
-- struct dcerpc_pipe *p, int version, DATA_BLOB *out)
--{
-- struct dcerpc_binding *binding;
-- struct bkrp_client_side_wrapped data;
-- struct GUID *g = talloc(tctx, struct GUID);
-- struct bkrp_BackupKey *r = talloc_zero(tctx, struct bkrp_BackupKey);
-- enum ndr_err_code ndr_err;
-- DATA_BLOB blob;
-- NTSTATUS status;
--
-- if (r == NULL) {
-- return NULL;
-- }
--
-- binding = dcerpc_binding_dup(tctx, p->binding);
-- if (binding == NULL) {
-- return NULL;
-- }
--
-- status = dcerpc_binding_set_flags(binding, DCERPC_SEAL|DCERPC_AUTH_SPNEGO, 0);
-- if (!NT_STATUS_IS_OK(status)) {
-- return NULL;
-- }
--
--
ZERO_STRUCT(data);
-- status = GUID_from_string(BACKUPKEY_RETRIEVE_BACKUP_KEY_GUID, g);
-- if (!NT_STATUS_IS_OK(status)) {
-- return NULL;
-- }
--
-- r->in.guidActionAgent = g;
-- data.version = version;
-- ndr_err = ndr_push_struct_blob(&blob, tctx, &data,
-- (ndr_push_flags_fn_t)ndr_push_bkrp_client_side_wrapped);
-- if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
-- return NULL;
-- }
-- r->in.data_in = blob.data;
-- r->in.data_in_len = blob.length;
-- r->out.data_out = &out->data;
-- r->out.data_out_len = talloc(r, uint32_t);
-- return r;
--}
--
--static struct bkrp_BackupKey *createRestoreGUIDStruct(struct torture_context *tctx,
-- struct dcerpc_pipe *p, int version, DATA_BLOB *out,
-- bool norevert,
-- bool broken_version,
-- bool broken_user,
-- bool broken_magic_secret,
-- bool broken_magic_access,
-- bool broken_hash_access,
-- bool broken_cert_guid)
--{
-- struct dcerpc_binding_handle *b = p->binding_handle;
-- struct bkrp_client_side_wrapped data;
-- DATA_BLOB *xs;
-- DATA_BLOB *sec;
-- DATA_BLOB *enc_sec = NULL;
-- DATA_BLOB *enc_xs = NULL;
-- DATA_BLOB *blob2;
-- DATA_BLOB enc_sec_reverted;
-- DATA_BLOB des3_key;
-- DATA_BLOB aes_key;
-- DATA_BLOB iv;
-- DATA_BLOB out_blob;
-- struct GUID *guid, *g;
-- int t;
-- uint32_t size;
-- enum ndr_err_code ndr_err;
-- NTSTATUS status;
-- const char *user;
-- struct bkrp_BackupKey *r = createRetrieveBackupKeyGUIDStruct(tctx, p, version, &out_blob);
-- if (r == NULL) {
-- return NULL;
-- }
--
-- if (broken_user) {
-- /* we take a fake user*/
-- user = "guest";
-- } else {
-- user = cli_credentials_get_username(
-- popt_get_cmdline_credentials());
-- }
--
--
-- torture_assert_ntstatus_ok(tctx, dcerpc_bkrp_BackupKey_r(b, tctx, r),
-- "Get GUID");
-- torture_assert_werr_ok(tctx, r->out.result,
-- "Get GUID");
--
-- /*
-- * We have to set it outside of the function createRetrieveBackupKeyGUIDStruct
-- * the len of the blob, this is due to the fact that they don't have the
-- * same size (one is 32bits the other 64bits)
-- */
-- out_blob.length = *r->out.data_out_len;
--
-- sec = create_unencryptedsecret(tctx, broken_magic_secret, version);
-- if (sec == NULL) {
-- return NULL;
-- }
--
-- xs = create_access_check(tctx, p, tctx, user, broken_hash_access, version);
-- if (xs == NULL) {
-- return NULL;
-- }
--
-- if (broken_magic_access){
-- /* The start of the access_check structure contains the
-- * GUID of the certificate
-- */
-- xs->data[0]++;
-- }
--
-- enc_sec = encrypt_blob_pk(tctx, tctx, out_blob.data, out_blob.length, sec);
-- if (!enc_sec) {
-- return NULL;
-- }
-- enc_sec_reverted.data = talloc_array(tctx, uint8_t, enc_sec->length);
-- if (enc_sec_reverted.data == NULL) {
-- return NULL;
-- }
-- enc_sec_reverted.length = enc_sec->length;
--
-- /*
-- * We DO NOT revert the array on purpose it's in order to check that
-- * when the server is not able to decrypt then it answer the correct error
-- */
-- if (norevert) {
-- for(t=0; t< enc_sec->length; t++) {
-- enc_sec_reverted.data[t] = ((uint8_t*)enc_sec->data)[t];
-- }
-- } else {
-- for(t=0; t< enc_sec->length; t++) {
-- enc_sec_reverted.data[t] = ((uint8_t*)enc_sec->data)[enc_sec->length - t -1];
-- }
-- }
--
-- size = sec->length;
-- if (version ==2) {
-- const AlgorithmIdentifier *alg = hx509_crypto_des_rsdi_ede3_cbc();
-- iv.data = sec->data+(size - 8);
-- iv.length = 8;
--
-- des3_key.data = sec->data+(size - 32);
-- des3_key.length = 24;
--
-- enc_xs = encrypt_blob(tctx, tctx, &des3_key, &iv, xs, alg);
-- }
-- if (version == 3) {
-- const AlgorithmIdentifier *alg = hx509_crypto_aes256_cbc();
-- iv.data = sec->data+(size-16);
-- iv.length = 16;
--
-- aes_key.data = sec->data+(size-48);
-- aes_key.length = 32;
--
-- enc_xs = encrypt_blob(tctx, tctx, &aes_key, &iv, xs, alg);
-- }
--
-- if (!enc_xs) {
-- return NULL;
-- }
--
-- /* To cope with the fact that heimdal do padding at the end for the moment */
-- enc_xs->length = xs->length;
--
-- guid = get_cert_guid(tctx, tctx, out_blob.data, out_blob.length);
-- if (guid ==
NULL) {
-- return NULL;
-- }
--
-- if (broken_version) {
-- data.version = 1;
-- } else {
-- data.version = version;
-- }
--
-- data.guid = *guid;
-- data.encrypted_secret = enc_sec_reverted.data;
-- data.access_check = enc_xs->data;
-- data.encrypted_secret_len = enc_sec->length;
-- data.access_check_len = enc_xs->length;
--
-- /* We want the blob to persist after this function so we don't
-- * allocate it in the stack
-- */
-- blob2 = talloc(tctx, DATA_BLOB);
-- if (blob2 == NULL) {
-- return NULL;
-- }
--
-- ndr_err = ndr_push_struct_blob(blob2, tctx, &data,
-- (ndr_push_flags_fn_t)ndr_push_bkrp_client_side_wrapped);
-- if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
-- return NULL;
-- }
--
-- if (broken_cert_guid) {
-- blob2->data[12]++;
-- }
--
-- ZERO_STRUCT(*r);
--
-- g = talloc(tctx, struct GUID);
-- if (g == NULL) {
-- return NULL;
-- }
--
-- status = GUID_from_string(BACKUPKEY_RESTORE_GUID, g);
-- if (!NT_STATUS_IS_OK(status)) {
-- return NULL;
-- }
--
-- r->in.guidActionAgent = g;
-- r->in.data_in = blob2->data;
-- r->in.data_in_len = blob2->length;
-- r->in.param = 0;
-- r->out.data_out = &(out->data);
-- r->out.data_out_len = talloc(r, uint32_t);
-- return r;
--}
--
--/* Check that we are able to receive the certificate of the DCs
-- * used for client wrap version of the backup key protocol
-- */
--static bool test_RetrieveBackupKeyGUID(struct torture_context *tctx,
-- struct dcerpc_pipe *p)
--{
-- struct dcerpc_binding_handle *b = p->binding_handle;
-- DATA_BLOB out_blob;
-- struct bkrp_BackupKey *r = createRetrieveBackupKeyGUIDStruct(tctx, p, 2, &out_blob);
-- enum dcerpc_AuthType auth_type;
-- enum dcerpc_AuthLevel auth_level;
--
-- if (r == NULL) {
-- return false;
-- }
--
-- dcerpc_binding_handle_auth_info(b, &auth_type, &auth_level);
--
-- if (auth_level == DCERPC_AUTH_LEVEL_PRIVACY) {
-- torture_assert_ntstatus_ok(tctx,
-- dcerpc_bkrp_BackupKey_r(b, tctx, r),
-- "Get GUID");
--
-- out_blob.length = *r->out.data_out_len;
--
torture_assert_werr_equal(tctx,
-- r->out.result,
-- WERR_OK,
-- "Wrong dce/rpc error code");
-- } else {
-- torture_assert_ntstatus_equal(tctx,
-- dcerpc_bkrp_BackupKey_r(b, tctx, r),
-- NT_STATUS_ACCESS_DENIED,
-- "Get GUID");
-- }
-- return true;
--}
--
--/* Test to check the failure to recover a secret because the
-- * secret blob is not reversed
-- */
--static bool test_RestoreGUID_ko(struct torture_context *tctx,
-- struct dcerpc_pipe *p)
--{
-- enum ndr_err_code ndr_err;
-- struct dcerpc_binding_handle *b = p->binding_handle;
-- DATA_BLOB out_blob;
-- struct bkrp_client_side_unwrapped resp;
-- enum dcerpc_AuthType auth_type;
-- enum dcerpc_AuthLevel auth_level;
--
-- dcerpc_binding_handle_auth_info(b, &auth_type, &auth_level);
--
-- if (auth_level == DCERPC_AUTH_LEVEL_PRIVACY) {
-- struct bkrp_BackupKey *r = createRestoreGUIDStruct(tctx, p, 2, &out_blob,
-- true, false, false, false, false, false, false);
-- torture_assert(tctx, r != NULL, "createRestoreGUIDStruct failed");
-- torture_assert_ntstatus_ok(tctx, dcerpc_bkrp_BackupKey_r(b, tctx, r), "Restore GUID");
-- out_blob.length = *r->out.data_out_len;
-- ndr_err = ndr_pull_struct_blob(&out_blob, tctx, &resp, (ndr_pull_flags_fn_t)ndr_pull_bkrp_client_side_unwrapped);
-- torture_assert_int_equal(tctx, NDR_ERR_CODE_IS_SUCCESS(ndr_err), 0, "Unable to unmarshall bkrp_client_side_unwrapped");
-- if (!W_ERROR_EQUAL(r->out.result, WERR_INVALID_PARAMETER)) {
-- torture_assert_werr_equal(tctx, r->out.result,
-- WERR_INVALID_DATA,
-- "Wrong error code");
-- }
-- } else {
-- struct bkrp_BackupKey *r = createRetrieveBackupKeyGUIDStruct(tctx, p, 2, &out_blob);
-- torture_assert_ntstatus_equal(tctx, dcerpc_bkrp_BackupKey_r(b, tctx, r),
-- NT_STATUS_ACCESS_DENIED, "Get GUID");
-- }
-- return true;
--}
--
--static bool test_RestoreGUID_wrongversion(struct torture_context *tctx,
-- struct dcerpc_pipe *p)
--{
-- enum ndr_err_code ndr_err;
-- struct dcerpc_binding_handle *b = p->binding_handle;
-- DATA_BLOB out_blob;
--
struct bkrp_client_side_unwrapped resp;
-- enum dcerpc_AuthType auth_type;
-- enum dcerpc_AuthLevel auth_level;
--
-- dcerpc_binding_handle_auth_info(b, &auth_type, &auth_level);
--
-- if (auth_level == DCERPC_AUTH_LEVEL_PRIVACY) {
-- struct bkrp_BackupKey *r = createRestoreGUIDStruct(tctx, p, 2, &out_blob,
-- false, true, false, false, false, false, false);
-- torture_assert(tctx, r != NULL, "createRestoreGUIDStruct failed");
-- torture_assert_ntstatus_ok(tctx, dcerpc_bkrp_BackupKey_r(b, tctx, r), "Restore GUID");
-- out_blob.length = *r->out.data_out_len;
-- ndr_err = ndr_pull_struct_blob(&out_blob, tctx, &resp, (ndr_pull_flags_fn_t)ndr_pull_bkrp_client_side_unwrapped);
-- torture_assert_int_equal(tctx, NDR_ERR_CODE_IS_SUCCESS(ndr_err), 0, "Unable to unmarshall bkrp_client_side_unwrapped");
-- torture_assert_werr_equal(tctx, r->out.result, WERR_INVALID_PARAMETER, "Wrong error code on wrong version");
-- } else {
-- struct bkrp_BackupKey *r = createRetrieveBackupKeyGUIDStruct(tctx, p, 2, &out_blob);
-- torture_assert_ntstatus_equal(tctx, dcerpc_bkrp_BackupKey_r(b, tctx, r),
-- NT_STATUS_ACCESS_DENIED, "Get GUID");
-- }
-- return true;
--}
--
--static bool test_RestoreGUID_wronguser(struct torture_context *tctx,
-- struct dcerpc_pipe *p)
--{
-- enum ndr_err_code ndr_err;
-- struct dcerpc_binding_handle *b = p->binding_handle;
-- DATA_BLOB out_blob;
-- struct bkrp_client_side_unwrapped resp;
-- enum dcerpc_AuthType auth_type;
-- enum dcerpc_AuthLevel auth_level;
--
-- dcerpc_binding_handle_auth_info(b, &auth_type, &auth_level);
--
-- if (auth_level == DCERPC_AUTH_LEVEL_PRIVACY) {
-- struct bkrp_BackupKey *r = createRestoreGUIDStruct(tctx, p, 2, &out_blob,
-- false, false, true, false, false, false, false);
-- torture_assert(tctx, r != NULL, "createRestoreGUIDStruct failed");
-- torture_assert_ntstatus_ok(tctx, dcerpc_bkrp_BackupKey_r(b, tctx, r), "Restore GUID");
-- out_blob.length = *r->out.data_out_len;
-- ndr_err = ndr_pull_struct_blob(&out_blob, tctx, &resp,
(ndr_pull_flags_fn_t)ndr_pull_bkrp_client_side_unwrapped);
-- torture_assert_int_equal(tctx, NDR_ERR_CODE_IS_SUCCESS(ndr_err), 0, "Unable to unmarshall bkrp_client_side_unwrapped");
-- torture_assert_werr_equal(tctx, r->out.result, WERR_INVALID_ACCESS, "Restore GUID");
-- } else {
-- struct bkrp_BackupKey *r = createRetrieveBackupKeyGUIDStruct(tctx, p, 2, &out_blob);
-- torture_assert_ntstatus_equal(tctx, dcerpc_bkrp_BackupKey_r(b, tctx, r),
-- NT_STATUS_ACCESS_DENIED, "Get GUID");
-- }
-- return true;
--}
--
--static bool test_RestoreGUID_v3(struct torture_context *tctx,
-- struct dcerpc_pipe *p)
--{
-- enum ndr_err_code ndr_err;
-- struct dcerpc_binding_handle *b = p->binding_handle;
-- DATA_BLOB out_blob;
-- struct bkrp_client_side_unwrapped resp;
-- enum dcerpc_AuthType auth_type;
-- enum dcerpc_AuthLevel auth_level;
--
-- dcerpc_binding_handle_auth_info(b, &auth_type, &auth_level);
--
-- if (auth_level == DCERPC_AUTH_LEVEL_PRIVACY) {
-- struct bkrp_BackupKey *r = createRestoreGUIDStruct(tctx, p, 3, &out_blob,
-- false, false, false, false, false, false, false);
-- torture_assert(tctx, r != NULL, "createRestoreGUIDStruct failed");
-- torture_assert_ntstatus_ok(tctx, dcerpc_bkrp_BackupKey_r(b, tctx, r), "Restore GUID");
-- out_blob.length = *r->out.data_out_len;
-- ndr_err = ndr_pull_struct_blob(&out_blob, tctx, &resp, (ndr_pull_flags_fn_t)ndr_pull_bkrp_client_side_unwrapped);
-- torture_assert_int_equal(tctx, NDR_ERR_CODE_IS_SUCCESS(ndr_err), 1, "Unable to unmarshall bkrp_client_side_unwrapped");
-- torture_assert_werr_equal(tctx, r->out.result, WERR_OK, "Restore GUID");
-- torture_assert_str_equal(tctx, (char*)resp.secret.data, secret, "Wrong secret");
-- } else {
-- struct bkrp_BackupKey *r = createRetrieveBackupKeyGUIDStruct(tctx, p, 2, &out_blob);
-- torture_assert_ntstatus_equal(tctx, dcerpc_bkrp_BackupKey_r(b, tctx, r),
-- NT_STATUS_ACCESS_DENIED, "Get GUID");
-- }
-- return true;
--}
--
--static bool test_RestoreGUID(struct torture_context *tctx,
--
struct dcerpc_pipe *p)
--{
-- struct dcerpc_binding_handle *b = p->binding_handle;
-- DATA_BLOB out_blob;
-- struct bkrp_client_side_unwrapped resp;
-- enum dcerpc_AuthType auth_type;
-- enum dcerpc_AuthLevel auth_level;
--
-- dcerpc_binding_handle_auth_info(b, &auth_type, &auth_level);
--
-- if (auth_level == DCERPC_AUTH_LEVEL_PRIVACY) {
-- struct bkrp_BackupKey *r = createRestoreGUIDStruct(tctx, p, 2, &out_blob,
-- false, false, false, false, false, false, false);
-- torture_assert(tctx, r != NULL, "createRestoreGUIDStruct failed");
-- torture_assert_ntstatus_ok(tctx, dcerpc_bkrp_BackupKey_r(b, tctx, r), "Restore GUID");
-- out_blob.length = *r->out.data_out_len;
-- torture_assert_werr_equal(tctx, r->out.result, WERR_OK, "Restore GUID");
-- torture_assert_ndr_err_equal(tctx,
-- ndr_pull_struct_blob(&out_blob, tctx, &resp,
-- (ndr_pull_flags_fn_t)ndr_pull_bkrp_client_side_unwrapped),
-- NDR_ERR_SUCCESS,
-- "Unable to unmarshall bkrp_client_side_unwrapped");
-- torture_assert_str_equal(tctx, (char*)resp.secret.data, secret, "Wrong secret");
-- } else {
-- struct bkrp_BackupKey *r = createRetrieveBackupKeyGUIDStruct(tctx, p, 2, &out_blob);
-- torture_assert_ntstatus_equal(tctx, dcerpc_bkrp_BackupKey_r(b, tctx, r),
-- NT_STATUS_ACCESS_DENIED, "Get GUID");
-- }
-- return true;
--}
--
--static bool test_RestoreGUID_badmagiconsecret(struct torture_context *tctx,
-- struct dcerpc_pipe *p)
--{
-- enum ndr_err_code ndr_err;
-- struct dcerpc_binding_handle *b = p->binding_handle;
-- DATA_BLOB out_blob;
-- struct bkrp_client_side_unwrapped resp;
-- enum dcerpc_AuthType auth_type;
-- enum dcerpc_AuthLevel auth_level;
--
-- dcerpc_binding_handle_auth_info(b, &auth_type, &auth_level);
--
-- if (auth_level == DCERPC_AUTH_LEVEL_PRIVACY) {
-- struct bkrp_BackupKey *r = createRestoreGUIDStruct(tctx, p, 3, &out_blob,
-- false, false, false, true, false, false, false);
-- torture_assert(tctx, r != NULL, "createRestoreGUIDStruct failed");
-- torture_assert_ntstatus_ok(tctx,
dcerpc_bkrp_BackupKey_r(b, tctx, r), "Restore GUID");
-- out_blob.length = *r->out.data_out_len;
-- ndr_err = ndr_pull_struct_blob(&out_blob, tctx, &resp, (ndr_pull_flags_fn_t)ndr_pull_bkrp_client_side_unwrapped);
-- torture_assert_int_equal(tctx, NDR_ERR_CODE_IS_SUCCESS(ndr_err), 0, "Unable to unmarshall bkrp_client_side_unwrapped");
-- torture_assert_werr_equal(tctx, r->out.result, WERR_INVALID_DATA, "Wrong error code while providing bad magic in secret");
-- } else {
-- struct bkrp_BackupKey *r = createRetrieveBackupKeyGUIDStruct(tctx, p, 2, &out_blob);
-- torture_assert_ntstatus_equal(tctx, dcerpc_bkrp_BackupKey_r(b, tctx, r),
-- NT_STATUS_ACCESS_DENIED, "Get GUID");
-- }
-- return true;
--}
--
--static bool test_RestoreGUID_emptyrequest(struct torture_context *tctx,
-- struct dcerpc_pipe *p)
--{
-- struct dcerpc_binding_handle *b = p->binding_handle;
-- DATA_BLOB out_blob;
-- enum dcerpc_AuthType auth_type;
-- enum dcerpc_AuthLevel auth_level;
--
-- dcerpc_binding_handle_auth_info(b, &auth_type, &auth_level);
--
-- if (auth_level == DCERPC_AUTH_LEVEL_PRIVACY) {
-- struct bkrp_BackupKey *r = createRestoreGUIDStruct(tctx, p, 3, &out_blob,
-- false, false, false, true, false, false, true);
--
-- torture_assert(tctx, r != NULL, "createRestoreGUIDStruct failed");
-- r->in.data_in = talloc(tctx, uint8_t);
-- r->in.data_in_len = 0;
-- r->in.param = 0;
-- torture_assert_ntstatus_ok(tctx, dcerpc_bkrp_BackupKey_r(b, tctx, r), "Restore GUID");
-- out_blob.length = *r->out.data_out_len;
-- torture_assert_werr_equal(tctx, r->out.result, WERR_INVALID_PARAMETER, "Bad error code on wrong has in access check");
-- } else {
-- struct bkrp_BackupKey *r = createRetrieveBackupKeyGUIDStruct(tctx, p, 2, &out_blob);
-- torture_assert_ntstatus_equal(tctx, dcerpc_bkrp_BackupKey_r(b, tctx, r),
-- NT_STATUS_ACCESS_DENIED, "Get GUID");
-- }
-- return true;
--}
--
--static bool test_RestoreGUID_badcertguid(struct torture_context *tctx,
-- struct dcerpc_pipe *p)
--{
-- enum ndr_err_code
ndr_err;
-- struct dcerpc_binding_handle *b = p->binding_handle;
-- DATA_BLOB out_blob;
-- struct bkrp_client_side_unwrapped resp;
-- enum dcerpc_AuthType auth_type;
-- enum dcerpc_AuthLevel auth_level;
--
-- dcerpc_binding_handle_auth_info(b, &auth_type, &auth_level);
--
-- if (auth_level == DCERPC_AUTH_LEVEL_PRIVACY) {
-- struct bkrp_BackupKey *r = createRestoreGUIDStruct(tctx, p, 3, &out_blob,
-- false, false, false, false, false, false, true);
-- torture_assert(tctx, r != NULL, "createRestoreGUIDStruct() failed");
-- torture_assert_ntstatus_ok(tctx, dcerpc_bkrp_BackupKey_r(b, tctx, r), "Restore GUID");
-- out_blob.length = *r->out.data_out_len;
-- ndr_err = ndr_pull_struct_blob(&out_blob, tctx, &resp, (ndr_pull_flags_fn_t)ndr_pull_bkrp_client_side_unwrapped);
-- torture_assert_int_equal(tctx, NDR_ERR_CODE_IS_SUCCESS(ndr_err), 0, "Unable to unmarshall bkrp_client_side_unwrapped");
--
-- /*
-- * Windows 2012R2 has, presumably, a programming error
-- * returning an NTSTATUS code on this interface
-- */
-- if (W_ERROR_V(r->out.result) != NT_STATUS_V(NT_STATUS_OBJECT_NAME_NOT_FOUND)) {
-- torture_assert_werr_equal(tctx, r->out.result, WERR_INVALID_DATA, "Bad error code on wrong has in access check");
-- }
-- } else {
-- struct bkrp_BackupKey *r = createRetrieveBackupKeyGUIDStruct(tctx, p, 2, &out_blob);
-- torture_assert_ntstatus_equal(tctx, dcerpc_bkrp_BackupKey_r(b, tctx, r),
-- NT_STATUS_ACCESS_DENIED, "Get GUID");
-- }
-- return true;
--}
--
--static bool test_RestoreGUID_badmagicaccesscheck(struct torture_context *tctx,
-- struct dcerpc_pipe *p)
--{
-- enum ndr_err_code ndr_err;
-- struct dcerpc_binding_handle *b = p->binding_handle;
-- DATA_BLOB out_blob;
-- struct bkrp_client_side_unwrapped resp;
-- enum dcerpc_AuthType auth_type;
-- enum dcerpc_AuthLevel auth_level;
--
-- dcerpc_binding_handle_auth_info(b, &auth_type, &auth_level);
--
-- if (auth_level == DCERPC_AUTH_LEVEL_PRIVACY) {
-- struct bkrp_BackupKey *r = createRestoreGUIDStruct(tctx, p, 2,
&out_blob,
-- false, false, false, false, true, false, false);
-- torture_assert(tctx, r != NULL, "createRestoreGUIDStruct failed");
-- torture_assert_ntstatus_ok(tctx, dcerpc_bkrp_BackupKey_r(b, tctx, r), "Restore GUID");
-- out_blob.length = *r->out.data_out_len;
-- ndr_err = ndr_pull_struct_blob(&out_blob, tctx, &resp, (ndr_pull_flags_fn_t)ndr_pull_bkrp_client_side_unwrapped);
-- torture_assert_int_equal(tctx, NDR_ERR_CODE_IS_SUCCESS(ndr_err), 0, "Unable to unmarshall bkrp_client_side_unwrapped");
-- torture_assert_werr_equal(tctx, r->out.result, WERR_INVALID_DATA, "Bad error code on wrong has in access check");
-- } else {
-- struct bkrp_BackupKey *r = createRetrieveBackupKeyGUIDStruct(tctx, p, 2, &out_blob);
-- torture_assert_ntstatus_equal(tctx, dcerpc_bkrp_BackupKey_r(b, tctx, r),
-- NT_STATUS_ACCESS_DENIED, "Get GUID");
-- }
-- return true;
--}
--
--static bool test_RestoreGUID_badhashaccesscheck(struct torture_context *tctx,
-- struct dcerpc_pipe *p)
--{
-- enum ndr_err_code ndr_err;
-- struct dcerpc_binding_handle *b = p->binding_handle;
-- DATA_BLOB out_blob;
-- struct bkrp_client_side_unwrapped resp;
-- enum dcerpc_AuthType auth_type;
-- enum dcerpc_AuthLevel auth_level;
--
-- dcerpc_binding_handle_auth_info(b, &auth_type, &auth_level);
--
-- if (auth_level == DCERPC_AUTH_LEVEL_PRIVACY) {
-- struct bkrp_BackupKey *r = createRestoreGUIDStruct(tctx, p, 2, &out_blob,
-- false, false, false, false, false, true, false);
-- torture_assert(tctx, r != NULL, "createRestoreGUIDStruct failed");
-- torture_assert_ntstatus_ok(tctx, dcerpc_bkrp_BackupKey_r(b, tctx, r), "Restore GUID");
-- out_blob.length = *r->out.data_out_len;
-- ndr_err = ndr_pull_struct_blob(&out_blob, tctx, &resp, (ndr_pull_flags_fn_t)ndr_pull_bkrp_client_side_unwrapped);
-- torture_assert_int_equal(tctx, NDR_ERR_CODE_IS_SUCCESS(ndr_err), 0, "Unable to unmarshall bkrp_client_side_unwrapped");
-- torture_assert_werr_equal(tctx, r->out.result, WERR_INVALID_DATA, "Bad error code on wrong has in
access check");
-- } else {
-- struct bkrp_BackupKey *r = createRetrieveBackupKeyGUIDStruct(tctx, p, 2, &out_blob);
-- torture_assert_ntstatus_equal(tctx, dcerpc_bkrp_BackupKey_r(b, tctx, r),
-- NT_STATUS_ACCESS_DENIED, "Get GUID");
-- }
-- return true;
--}
--
--/*
-- * Check that the RSA modulus in the certificate of the DCs has 2048 bits.
-- */
--static bool test_RetrieveBackupKeyGUID_2048bits(struct torture_context *tctx,
-- struct dcerpc_pipe *p)
--{
-- struct dcerpc_binding_handle *b = p->binding_handle;
-- DATA_BLOB out_blob;
-- struct bkrp_BackupKey *r = createRetrieveBackupKeyGUIDStruct(tctx, p, 2, &out_blob);
-- enum dcerpc_AuthType auth_type;
-- enum dcerpc_AuthLevel auth_level;
--
-- hx509_context hctx;
-- int hret;
-- hx509_cert cert;
-- SubjectPublicKeyInfo spki;
-- RSA *rsa;
-- int RSA_returned_bits;
--
-- torture_assert(tctx, r != NULL, "createRetrieveBackupKeyGUIDStruct failed");
--
-- hx509_context_init(&hctx);
--
-- if (r == NULL) {
-- return false;
-- }
--
-- dcerpc_binding_handle_auth_info(b, &auth_type, &auth_level);
--
-- if (auth_level == DCERPC_AUTH_LEVEL_PRIVACY) {
-- const unsigned char *spki_spk_data;
-- torture_assert_ntstatus_ok(tctx,
-- dcerpc_bkrp_BackupKey_r(b, tctx, r),
-- "Get GUID");
--
-- torture_assert_werr_ok(tctx, r->out.result,
-- "Get GUID");
--
-- out_blob.length = *r->out.data_out_len;
--
-- hret = hx509_cert_init_data(hctx, out_blob.data, out_blob.length, &cert);
-- torture_assert_int_equal(tctx, hret, 0, "hx509_cert_init_data failed");
--
-- hret = hx509_cert_get_SPKI(hctx, cert , &spki);
-- torture_assert_int_equal(tctx, hret, 0, "hx509_cert_get_SPKI failed");
--
-- /* We must take a copy, as d2i_RSAPublicKey *changes* the input parameter */
-- spki_spk_data = spki.subjectPublicKey.data;
-- rsa = d2i_RSAPublicKey(NULL, &spki_spk_data, spki.subjectPublicKey.length / 8);
-- torture_assert_int_equal(tctx, rsa != NULL, 1, "d2i_RSAPublicKey failed");
--
-- RSA_returned_bits = BN_num_bits(rsa->n);
--
torture_assert_int_equal(tctx,
-- RSA_returned_bits,
-- 2048,
-- "RSA Key doesn't have 2048 bits");
--
-- RSA_free(rsa);
--
-- /*
-- * Because we prevented spki from being changed above,
-- * we can now safely call this to free it
-- */
-- free_SubjectPublicKeyInfo(&spki);
-- hx509_cert_free(cert);
-- hx509_context_free(&hctx);
--
-- } else {
-- torture_assert_ntstatus_equal(tctx,
-- dcerpc_bkrp_BackupKey_r(b, tctx, r),
-- NT_STATUS_ACCESS_DENIED,
-- "Get GUID");
-- }
-- return true;
--}
--
--static bool test_ServerWrap_encrypt_decrypt(struct torture_context *tctx,
-- struct dcerpc_pipe *p)
--{
-- struct bkrp_BackupKey r;
-- struct GUID guid;
-- DATA_BLOB plaintext = data_blob_const(secret, sizeof(secret));
-- DATA_BLOB encrypted;
-- uint32_t enclen;
-- DATA_BLOB decrypted;
-- uint32_t declen;
-- struct dcerpc_binding_handle *b = p->binding_handle;
-- enum dcerpc_AuthType auth_type;
-- enum dcerpc_AuthLevel auth_level;
-- ZERO_STRUCT(r);
--
-- dcerpc_binding_handle_auth_info(b, &auth_type, &auth_level);
--
-- /* Encrypt */
-- torture_assert_ntstatus_ok(tctx,
-- GUID_from_string(BACKUPKEY_BACKUP_GUID, &guid),
-- "obtain GUID");
--
-- r.in.guidActionAgent = &guid;
-- r.in.data_in = plaintext.data;
-- r.in.data_in_len = plaintext.length;
-- r.in.param = 0;
-- r.out.data_out = &encrypted.data;
-- r.out.data_out_len = &enclen;
-- if (auth_level == DCERPC_AUTH_LEVEL_PRIVACY) {
-- torture_assert_ntstatus_ok(tctx,
-- dcerpc_bkrp_BackupKey_r(b, tctx, &r),
-- "encrypt");
-- } else {
-- torture_assert_ntstatus_equal(tctx,
-- dcerpc_bkrp_BackupKey_r(b, tctx, &r),
-- NT_STATUS_ACCESS_DENIED,
-- "encrypt");
-- return true;
-- }
-- torture_assert_werr_ok(tctx,
-- r.out.result,
-- "encrypt");
-- encrypted.length = *r.out.data_out_len;
--
-- /* Decrypt */
-- torture_assert_ntstatus_ok(tctx,
-- GUID_from_string(BACKUPKEY_RESTORE_GUID, &guid),
-- "obtain GUID");
--
-- r.in.guidActionAgent = &guid;
-- r.in.data_in = encrypted.data;
-- r.in.data_in_len = encrypted.length;
-- r.in.param
= 0;
-- r.out.data_out = &(decrypted.data);
-- r.out.data_out_len = &declen;
-- torture_assert_ntstatus_ok(tctx,
-- dcerpc_bkrp_BackupKey_r(b, tctx, &r),
-- "decrypt");
-- torture_assert_werr_ok(tctx,
-- r.out.result,
-- "decrypt");
-- decrypted.length = *r.out.data_out_len;
--
-- /* Compare */
-- torture_assert_data_blob_equal(tctx, plaintext, decrypted, "Decrypt failed");
--
-- /* Decrypt */
-- torture_assert_ntstatus_ok(tctx,
-- GUID_from_string(BACKUPKEY_RESTORE_GUID_WIN2K, &guid),
-- "obtain GUID");
--
-- r.in.guidActionAgent = &guid;
-- r.in.data_in = encrypted.data;
-- r.in.data_in_len = encrypted.length;
-- r.in.param = 0;
-- r.out.data_out = &(decrypted.data);
-- r.out.data_out_len = &declen;
-- torture_assert_ntstatus_ok(tctx,
-- dcerpc_bkrp_BackupKey_r(b, tctx, &r),
-- "decrypt");
-- torture_assert_werr_ok(tctx,
-- r.out.result,
-- "decrypt");
-- decrypted.length = *r.out.data_out_len;
--
-- /* Compare */
-- torture_assert_data_blob_equal(tctx, plaintext, decrypted, "Decrypt failed");
-- return true;
--}
--
--static bool test_ServerWrap_decrypt_wrong_keyGUID(struct torture_context *tctx,
-- struct dcerpc_pipe *p)
--{
-- struct bkrp_BackupKey r;
-- struct GUID guid;
-- DATA_BLOB plaintext = data_blob_const(secret, sizeof(secret));
-- DATA_BLOB encrypted;
-- uint32_t enclen;
-- DATA_BLOB decrypted;
-- uint32_t declen;
-- struct dcerpc_binding_handle *b = p->binding_handle;
-- enum ndr_err_code ndr_err;
-- struct bkrp_server_side_wrapped server_side_wrapped;
-- enum dcerpc_AuthType auth_type;
-- enum dcerpc_AuthLevel auth_level;
-- ZERO_STRUCT(r);
--
-- dcerpc_binding_handle_auth_info(b, &auth_type, &auth_level);
--
-- /* Encrypt */
-- torture_assert_ntstatus_ok(tctx,
-- GUID_from_string(BACKUPKEY_BACKUP_GUID, &guid),
-- "obtain GUID");
--
-- r.in.guidActionAgent = &guid;
-- r.in.data_in = plaintext.data;
-- r.in.data_in_len = plaintext.length;
-- r.in.param = 0;
-- r.out.data_out = &encrypted.data;
-- r.out.data_out_len = &enclen;
-- if (auth_level ==
DCERPC_AUTH_LEVEL_PRIVACY) { -- torture_assert_ntstatus_ok(tctx, -- dcerpc_bkrp_BackupKey_r(b, tctx, &r), -- "encrypt"); -- } else { -- torture_assert_ntstatus_equal(tctx, -- dcerpc_bkrp_BackupKey_r(b, tctx, &r), -- NT_STATUS_ACCESS_DENIED, -- "encrypt"); -- return true; -- } -- torture_assert_werr_ok(tctx, -- r.out.result, -- "encrypt"); -- encrypted.length = *r.out.data_out_len; -- -- ndr_err = ndr_pull_struct_blob(&encrypted, tctx, &server_side_wrapped, -- (ndr_pull_flags_fn_t)ndr_pull_bkrp_server_side_wrapped); -- torture_assert_ndr_err_equal(tctx, ndr_err, NDR_ERR_SUCCESS, "pull of server_side_wrapped"); -- -- /* Change the GUID */ -- server_side_wrapped.guid = GUID_random(); -- -- ndr_err = ndr_push_struct_blob(&encrypted, tctx, &server_side_wrapped, -- (ndr_push_flags_fn_t)ndr_push_bkrp_server_side_wrapped); -- torture_assert_ndr_err_equal(tctx, ndr_err, NDR_ERR_SUCCESS, "push of server_side_wrapped"); -- -- /* Decrypt */ -- torture_assert_ntstatus_ok(tctx, -- GUID_from_string(BACKUPKEY_RESTORE_GUID, &guid), -- "obtain GUID"); -- -- r.in.guidActionAgent = &guid; -- r.in.data_in = encrypted.data; -- r.in.data_in_len = encrypted.length; -- r.in.param = 0; -- r.out.data_out = &(decrypted.data); -- r.out.data_out_len = &declen; -- torture_assert_ntstatus_ok(tctx, -- dcerpc_bkrp_BackupKey_r(b, tctx, &r), -- "decrypt"); -- torture_assert_werr_equal(tctx, -- r.out.result, -- WERR_INVALID_DATA, -- "decrypt should fail with WERR_INVALID_DATA"); -- -- /* Decrypt */ -- torture_assert_ntstatus_ok(tctx, -- GUID_from_string(BACKUPKEY_RESTORE_GUID_WIN2K, &guid), -- "obtain GUID"); -- -- r.in.guidActionAgent = &guid; -- r.in.data_in = encrypted.data; -- r.in.data_in_len = encrypted.length; -- r.in.param = 0; -- r.out.data_out = &(decrypted.data); -- r.out.data_out_len = &declen; -- torture_assert_ntstatus_ok(tctx, -- dcerpc_bkrp_BackupKey_r(b, tctx, &r), -- "decrypt"); -- torture_assert_werr_equal(tctx, -- r.out.result, -- WERR_INVALID_DATA, -- "decrypt should fail with 
WERR_INVALID_DATA"); -- -- return true; --} -- --static bool test_ServerWrap_decrypt_empty_request(struct torture_context *tctx, -- struct dcerpc_pipe *p) --{ -- struct bkrp_BackupKey r; -- struct GUID guid; -- DATA_BLOB decrypted; -- uint32_t declen; -- struct dcerpc_binding_handle *b = p->binding_handle; -- uint8_t short_request[4] = { 1, 0, 0, 0 }; -- enum dcerpc_AuthType auth_type; -- enum dcerpc_AuthLevel auth_level; -- ZERO_STRUCT(r); -- -- dcerpc_binding_handle_auth_info(b, &auth_type, &auth_level); -- -- /* Decrypt */ -- torture_assert_ntstatus_ok(tctx, -- GUID_from_string(BACKUPKEY_RESTORE_GUID, &guid), -- "obtain GUID"); -- -- r.in.guidActionAgent = &guid; -- r.in.data_in = short_request; -- r.in.data_in_len = 0; -- r.in.param = 0; -- r.out.data_out = &(decrypted.data); -- r.out.data_out_len = &declen; -- if (auth_level == DCERPC_AUTH_LEVEL_PRIVACY) { -- torture_assert_ntstatus_ok(tctx, -- dcerpc_bkrp_BackupKey_r(b, tctx, &r), -- "encrypt"); -- } else { -- torture_assert_ntstatus_equal(tctx, -- dcerpc_bkrp_BackupKey_r(b, tctx, &r), -- NT_STATUS_ACCESS_DENIED, -- "encrypt"); -- return true; -- } -- torture_assert_werr_equal(tctx, -- r.out.result, -- WERR_INVALID_PARAMETER, -- "decrypt should fail with WERR_INVALID_PARAMETER"); -- -- /* Decrypt */ -- torture_assert_ntstatus_ok(tctx, -- GUID_from_string(BACKUPKEY_RESTORE_GUID_WIN2K, &guid), -- "obtain GUID"); -- -- r.in.guidActionAgent = &guid; -- r.in.data_in = short_request; -- r.in.data_in_len = 0; -- r.in.param = 0; -- r.out.data_out = &(decrypted.data); -- r.out.data_out_len = &declen; -- torture_assert_ntstatus_ok(tctx, -- dcerpc_bkrp_BackupKey_r(b, tctx, &r), -- "decrypt"); -- torture_assert_werr_equal(tctx, -- r.out.result, -- WERR_INVALID_PARAMETER, -- "decrypt should fail with WERR_INVALID_PARAMETER"); -- -- /* Decrypt */ -- torture_assert_ntstatus_ok(tctx, -- GUID_from_string(BACKUPKEY_RESTORE_GUID, &guid), -- "obtain GUID"); -- -- r.in.guidActionAgent = &guid; -- r.in.data_in = NULL; -- 
r.in.data_in_len = 0; -- r.in.param = 0; -- r.out.data_out = &(decrypted.data); -- r.out.data_out_len = &declen; -- torture_assert_ntstatus_equal(tctx, -- dcerpc_bkrp_BackupKey_r(b, tctx, &r), -- NT_STATUS_INVALID_PARAMETER_MIX, -- "decrypt"); -- -- /* Decrypt */ -- torture_assert_ntstatus_ok(tctx, -- GUID_from_string(BACKUPKEY_RESTORE_GUID_WIN2K, &guid), -- "obtain GUID"); -- -- r.in.guidActionAgent = &guid; -- r.in.data_in = NULL; -- r.in.data_in_len = 0; -- r.in.param = 0; -- r.out.data_out = &(decrypted.data); -- r.out.data_out_len = &declen; -- torture_assert_ntstatus_equal(tctx, -- dcerpc_bkrp_BackupKey_r(b, tctx, &r), -- NT_STATUS_INVALID_PARAMETER_MIX, -- "decrypt"); -- -- return true; --} -- -- --static bool test_ServerWrap_decrypt_short_request(struct torture_context *tctx, -- struct dcerpc_pipe *p) --{ -- struct bkrp_BackupKey r; -- struct GUID guid; -- DATA_BLOB decrypted; -- uint32_t declen; -- struct dcerpc_binding_handle *b = p->binding_handle; -- uint8_t short_request[4] = { 1, 0, 0, 0 }; -- enum dcerpc_AuthType auth_type; -- enum dcerpc_AuthLevel auth_level; -- ZERO_STRUCT(r); -- -- dcerpc_binding_handle_auth_info(b, &auth_type, &auth_level); -- -- /* Decrypt */ -- torture_assert_ntstatus_ok(tctx, -- GUID_from_string(BACKUPKEY_RESTORE_GUID, &guid), -- "obtain GUID"); -- -- r.in.guidActionAgent = &guid; -- r.in.data_in = short_request; -- r.in.data_in_len = 4; -- r.in.param = 0; -- r.out.data_out = &(decrypted.data); -- r.out.data_out_len = &declen; -- if (auth_level == DCERPC_AUTH_LEVEL_PRIVACY) { -- torture_assert_ntstatus_ok(tctx, -- dcerpc_bkrp_BackupKey_r(b, tctx, &r), -- "encrypt"); -- } else { -- torture_assert_ntstatus_equal(tctx, -- dcerpc_bkrp_BackupKey_r(b, tctx, &r), -- NT_STATUS_ACCESS_DENIED, -- "encrypt"); -- return true; -- } -- torture_assert_werr_equal(tctx, -- r.out.result, -- WERR_INVALID_PARAMETER, -- "decrypt should fail with WERR_INVALID_PARAMETER"); -- -- /* Decrypt */ -- torture_assert_ntstatus_ok(tctx, -- 
GUID_from_string(BACKUPKEY_RESTORE_GUID_WIN2K, &guid), -- "obtain GUID"); -- -- r.in.guidActionAgent = &guid; -- r.in.data_in = short_request; -- r.in.data_in_len = 4; -- r.in.param = 0; -- r.out.data_out = &(decrypted.data); -- r.out.data_out_len = &declen; -- torture_assert_ntstatus_ok(tctx, -- dcerpc_bkrp_BackupKey_r(b, tctx, &r), -- "decrypt"); -- torture_assert_werr_equal(tctx, -- r.out.result, -- WERR_INVALID_PARAMETER, -- "decrypt should fail with WERR_INVALID_PARAMETER"); -- -- /* Decrypt */ -- torture_assert_ntstatus_ok(tctx, -- GUID_from_string(BACKUPKEY_RESTORE_GUID, &guid), -- "obtain GUID"); -- -- r.in.guidActionAgent = &guid; -- r.in.data_in = short_request; -- r.in.data_in_len = 1; -- r.in.param = 0; -- r.out.data_out = &(decrypted.data); -- r.out.data_out_len = &declen; -- torture_assert_ntstatus_ok(tctx, -- dcerpc_bkrp_BackupKey_r(b, tctx, &r), -- "decrypt"); -- torture_assert_werr_equal(tctx, -- r.out.result, -- WERR_INVALID_PARAMETER, -- "decrypt should fail with WERR_INVALID_PARAMETER"); -- -- /* Decrypt */ -- torture_assert_ntstatus_ok(tctx, -- GUID_from_string(BACKUPKEY_RESTORE_GUID_WIN2K, &guid), -- "obtain GUID"); -- -- r.in.guidActionAgent = &guid; -- r.in.data_in = short_request; -- r.in.data_in_len = 1; -- r.in.param = 0; -- r.out.data_out = &(decrypted.data); -- r.out.data_out_len = &declen; -- torture_assert_ntstatus_ok(tctx, -- dcerpc_bkrp_BackupKey_r(b, tctx, &r), -- "decrypt"); -- torture_assert_werr_equal(tctx, -- r.out.result, -- WERR_INVALID_PARAMETER, -- "decrypt should fail with WERR_INVALID_PARAMETER"); -- -- return true; --} -- --static bool test_ServerWrap_encrypt_decrypt_manual(struct torture_context *tctx, -- struct bkrp_server_side_wrapped *server_side_wrapped, -- enum test_wrong wrong) --{ -- char *lsa_binding_string = NULL; -- struct dcerpc_binding *lsa_binding = NULL; -- struct dcerpc_pipe *lsa_p = NULL; -- struct dcerpc_binding_handle *lsa_b = NULL; -- struct lsa_OpenSecret r_secret; -- struct lsa_QuerySecret 
r_query_secret; -- struct policy_handle *handle, sec_handle; -- struct bkrp_BackupKey r; -- struct GUID preferred_key_guid; -- DATA_BLOB plaintext = data_blob_const(secret, sizeof(secret)); -- DATA_BLOB preferred_key, preferred_key_clear, session_key, -- decrypt_key, decrypt_key_clear, encrypted_blob, symkey_blob, -- sid_blob; -- struct bkrp_dc_serverwrap_key server_key; -- struct lsa_DATA_BUF_PTR bufp1; -- char *key_guid_string; -- struct bkrp_rc4encryptedpayload rc4payload; -- struct dom_sid *caller_sid; -- uint8_t symkey[20]; /* SHA-1 hash len */ -- uint8_t mackey[20]; /* SHA-1 hash len */ -- uint8_t mac[20]; /* SHA-1 hash len */ -- unsigned int hash_len; -- HMAC_CTX ctx; -- ZERO_STRUCT(r); -- ZERO_STRUCT(r_secret); -- ZERO_STRUCT(r_query_secret); -- -- /* Now read BCKUPKEY_P and prove we can do a matching decrypt and encrypt */ -- -- /* lsa_OpenSecret only works with ncacn_np and AUTH_LEVEL_NONE */ -- lsa_binding_string = talloc_asprintf(tctx, "ncacn_np:%s", -- torture_setting_string(tctx, "host", NULL)); -- torture_assert(tctx, lsa_binding_string != NULL, "lsa_binding_string"); -- -- torture_assert_ntstatus_ok(tctx, -- dcerpc_parse_binding(tctx, lsa_binding_string, &lsa_binding), -- "Failed to parse dcerpc binding"); -- -- torture_assert_ntstatus_ok(tctx, -- dcerpc_pipe_connect_b(tctx, &lsa_p, -- lsa_binding, &ndr_table_lsarpc, -- popt_get_cmdline_credentials(), -- tctx->ev, tctx->lp_ctx), -- "Opening LSA pipe"); -- lsa_b = lsa_p->binding_handle; -- -- torture_assert(tctx, test_lsa_OpenPolicy2(lsa_b, tctx, &handle), "OpenPolicy failed"); -- r_secret.in.name.string = "G$BCKUPKEY_P"; -- -- r_secret.in.handle = handle; -- r_secret.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED; -- r_secret.out.sec_handle = &sec_handle; -- -- torture_comment(tctx, "Testing OpenSecret\n"); -- -- torture_assert_ntstatus_ok(tctx, dcerpc_lsa_OpenSecret_r(lsa_b, tctx, &r_secret), -- "OpenSecret failed"); -- torture_assert_ntstatus_ok(tctx, r_secret.out.result, -- "OpenSecret failed"); -- -- 
r_query_secret.in.sec_handle = &sec_handle; -- r_query_secret.in.new_val = &bufp1; -- bufp1.buf = NULL; -- -- torture_assert_ntstatus_ok(tctx, dcerpc_lsa_QuerySecret_r(lsa_b, tctx, &r_query_secret), -- "QuerySecret failed"); -- torture_assert_ntstatus_ok(tctx, r_query_secret.out.result, -- "QuerySecret failed"); -- -- -- preferred_key.data = r_query_secret.out.new_val->buf->data; -- preferred_key.length = r_query_secret.out.new_val->buf->size; -- torture_assert_ntstatus_ok(tctx, dcerpc_fetch_session_key(lsa_p, &session_key), -- "dcerpc_fetch_session_key failed"); -- -- torture_assert_ntstatus_ok(tctx, -- sess_decrypt_blob(tctx, -- &preferred_key, &session_key, &preferred_key_clear), -- "sess_decrypt_blob failed"); -- -- torture_assert_ntstatus_ok(tctx, GUID_from_ndr_blob(&preferred_key_clear, &preferred_key_guid), -- "GUID parse failed"); -- -- torture_assert_guid_equal(tctx, server_side_wrapped->guid, -- preferred_key_guid, -- "GUID didn't match value pointed at by G$BCKUPKEY_P"); -- -- /* And read BCKUPKEY_ and get the actual key */ -- -- key_guid_string = GUID_string(tctx, &server_side_wrapped->guid); -- r_secret.in.name.string = talloc_asprintf(tctx, "G$BCKUPKEY_%s", key_guid_string); -- -- r_secret.in.handle = handle; -- r_secret.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED; -- r_secret.out.sec_handle = &sec_handle; -- -- torture_comment(tctx, "Testing OpenSecret\n"); -- -- torture_assert_ntstatus_ok(tctx, dcerpc_lsa_OpenSecret_r(lsa_b, tctx, &r_secret), -- "OpenSecret failed"); -- torture_assert_ntstatus_ok(tctx, r_secret.out.result, -- "OpenSecret failed"); -- -- r_query_secret.in.sec_handle = &sec_handle; -- r_query_secret.in.new_val = &bufp1; -- -- torture_assert_ntstatus_ok(tctx, dcerpc_lsa_QuerySecret_r(lsa_b, tctx, &r_query_secret), -- "QuerySecret failed"); -- torture_assert_ntstatus_ok(tctx, r_query_secret.out.result, -- "QuerySecret failed"); -- -- -- decrypt_key.data = r_query_secret.out.new_val->buf->data; -- decrypt_key.length = 
r_query_secret.out.new_val->buf->size; -- -- torture_assert_ntstatus_ok(tctx, -- sess_decrypt_blob(tctx, -- &decrypt_key, &session_key, &decrypt_key_clear), -- "sess_decrypt_blob failed"); -- -- torture_assert_ndr_err_equal(tctx, ndr_pull_struct_blob(&decrypt_key_clear, tctx, &server_key, -- (ndr_pull_flags_fn_t)ndr_pull_bkrp_dc_serverwrap_key), -- NDR_ERR_SUCCESS, "Failed to parse server_key"); -- -- torture_assert_int_equal(tctx, server_key.magic, 1, "Failed to correctly decrypt server key"); -- -- /* -- * This is *not* the leading 64 bytes, as indicated in MS-BKRP 3.1.4.1.1 -- * BACKUPKEY_BACKUP_GUID, it really is the whole key -- */ -- HMAC(EVP_sha1(), server_key.key, sizeof(server_key.key), -- server_side_wrapped->r2, sizeof(server_side_wrapped->r2), -- symkey, &hash_len); -- -- /* rc4 decrypt sid and secret using sym key */ -- symkey_blob = data_blob_const(symkey, sizeof(symkey)); -- -- encrypted_blob = data_blob_talloc(tctx, server_side_wrapped->rc4encryptedpayload, -- server_side_wrapped->ciphertext_length); -- -- arcfour_crypt_blob(encrypted_blob.data, encrypted_blob.length, &symkey_blob); -- -- torture_assert_ndr_err_equal(tctx, ndr_pull_struct_blob(&encrypted_blob, tctx, &rc4payload, -- (ndr_pull_flags_fn_t)ndr_pull_bkrp_rc4encryptedpayload), -- NDR_ERR_SUCCESS, "Failed to parse rc4encryptedpayload"); -- -- torture_assert_int_equal(tctx, rc4payload.secret_data.length, -- server_side_wrapped->payload_length, -- "length of decrypted payload not the length declared in surrounding structure"); -- -- /* -- * This is *not* the leading 64 bytes, as indicated in MS-BKRP 3.1.4.1.1 -- * BACKUPKEY_BACKUP_GUID, it really is the whole key -- */ -- HMAC(EVP_sha1(), server_key.key, sizeof(server_key.key), -- rc4payload.r3, sizeof(rc4payload.r3), -- mackey, &hash_len); -- -- torture_assert_ndr_err_equal(tctx, ndr_push_struct_blob(&sid_blob, tctx, &rc4payload.sid, -- (ndr_push_flags_fn_t)ndr_push_dom_sid), -- NDR_ERR_SUCCESS, "unable to push SID"); -- -- 
HMAC_CTX_init(&ctx); -- HMAC_Init_ex(&ctx, mackey, hash_len, EVP_sha1(), NULL); -- /* SID field */ -- HMAC_Update(&ctx, sid_blob.data, sid_blob.length); -- /* Secret field */ -- HMAC_Update(&ctx, rc4payload.secret_data.data, rc4payload.secret_data.length); -- HMAC_Final(&ctx, mac, &hash_len); -- HMAC_CTX_cleanup(&ctx); -- -- torture_assert_mem_equal(tctx, mac, rc4payload.mac, sizeof(mac), "mac not correct"); -- torture_assert_int_equal(tctx, rc4payload.secret_data.length, -- plaintext.length, "decrypted data is not correct length"); -- torture_assert_mem_equal(tctx, rc4payload.secret_data.data, -- plaintext.data, plaintext.length, -- "decrypted data is not correct"); -- -- /* Not strictly correct all the time, but good enough for this test */ -- caller_sid = get_user_sid(tctx, tctx, -- cli_credentials_get_username( -- popt_get_cmdline_credentials())); -- -- torture_assert_sid_equal(tctx, &rc4payload.sid, caller_sid, "Secret saved with wrong SID"); -- -- -- /* RE-encrypt */ -- -- if (wrong == WRONG_SID) { -- rc4payload.sid.sub_auths[rc4payload.sid.num_auths - 1] = DOMAIN_RID_KRBTGT; -- } -- -- dump_data_pw("mackey: \n", mackey, sizeof(mackey)); -- -- torture_assert_ndr_err_equal(tctx, -- ndr_push_struct_blob(&sid_blob, tctx, &rc4payload.sid, -- (ndr_push_flags_fn_t)ndr_push_dom_sid), -- NDR_ERR_SUCCESS, -- "push of sid failed"); -- -- HMAC_CTX_init(&ctx); -- HMAC_Init_ex(&ctx, mackey, 20, EVP_sha1(), NULL); -- /* SID field */ -- HMAC_Update(&ctx, sid_blob.data, sid_blob.length); -- /* Secret field */ -- HMAC_Update(&ctx, rc4payload.secret_data.data, rc4payload.secret_data.length); -- HMAC_Final(&ctx, rc4payload.mac, &hash_len); -- HMAC_CTX_cleanup(&ctx); -- -- dump_data_pw("rc4payload.mac: \n", rc4payload.mac, sizeof(rc4payload.mac)); -- -- torture_assert_ndr_err_equal(tctx, -- ndr_push_struct_blob(&encrypted_blob, tctx, &rc4payload, -- (ndr_push_flags_fn_t)ndr_push_bkrp_rc4encryptedpayload), -- NDR_ERR_SUCCESS, -- "push of rc4payload failed"); -- -- if (wrong == 
WRONG_KEY) { -- symkey_blob.data[0] = 78; -- symkey_blob.data[1] = 78; -- symkey_blob.data[2] = 78; -- } -- -- /* rc4 encrypt sid and secret using sym key */ -- arcfour_crypt_blob(encrypted_blob.data, encrypted_blob.length, &symkey_blob); -- -- /* re-create server wrap structure */ -- -- torture_assert_int_equal(tctx, encrypted_blob.length, -- server_side_wrapped->ciphertext_length, -- "expected encrypted length not to change"); -- if (wrong == RIGHT_KEY) { -- torture_assert_mem_equal(tctx, server_side_wrapped->rc4encryptedpayload, -- encrypted_blob.data, -- encrypted_blob.length, -- "expected encrypted data not to change"); -- } -- -- server_side_wrapped->payload_length = rc4payload.secret_data.length; -- server_side_wrapped->ciphertext_length = encrypted_blob.length; -- server_side_wrapped->rc4encryptedpayload = encrypted_blob.data; -- -- return true; --} -- -- --static bool test_ServerWrap_decrypt_wrong_stuff(struct torture_context *tctx, -- struct dcerpc_pipe *p, -- enum test_wrong wrong) --{ -- struct bkrp_BackupKey r; -- struct GUID guid; -- DATA_BLOB plaintext = data_blob_const(secret, sizeof(secret)); -- DATA_BLOB encrypted; -- uint32_t enclen; -- DATA_BLOB decrypted; -- uint32_t declen; -- struct dcerpc_binding_handle *b = p->binding_handle; -- enum ndr_err_code ndr_err; -- struct bkrp_server_side_wrapped server_side_wrapped; -- bool repush = false; -- enum dcerpc_AuthType auth_type; -- enum dcerpc_AuthLevel auth_level; -- ZERO_STRUCT(r); -- -- dcerpc_binding_handle_auth_info(b, &auth_type, &auth_level); -- -- /* Encrypt */ -- torture_assert_ntstatus_ok(tctx, -- GUID_from_string(BACKUPKEY_BACKUP_GUID, &guid), -- "obtain GUID"); -- -- r.in.guidActionAgent = &guid; -- r.in.data_in = plaintext.data; -- r.in.data_in_len = plaintext.length; -- r.in.param = 0; -- r.out.data_out = &encrypted.data; -- r.out.data_out_len = &enclen; -- if (auth_level == DCERPC_AUTH_LEVEL_PRIVACY) { -- torture_assert_ntstatus_ok(tctx, -- dcerpc_bkrp_BackupKey_r(b, tctx, &r), -- 
"encrypt"); -- } else { -- torture_assert_ntstatus_equal(tctx, -- dcerpc_bkrp_BackupKey_r(b, tctx, &r), -- NT_STATUS_ACCESS_DENIED, -- "encrypt"); -- return true; -- } -- torture_assert_werr_ok(tctx, -- r.out.result, -- "encrypt"); -- encrypted.length = *r.out.data_out_len; -- -- ndr_err = ndr_pull_struct_blob(&encrypted, tctx, &server_side_wrapped, -- (ndr_pull_flags_fn_t)ndr_pull_bkrp_server_side_wrapped); -- torture_assert_ndr_err_equal(tctx, ndr_err, NDR_ERR_SUCCESS, "pull of server_side_wrapped"); -- -- torture_assert_int_equal(tctx, server_side_wrapped.payload_length, plaintext.length, -- "wrong payload length"); -- -- switch (wrong) { -- case WRONG_MAGIC: -- /* Change the magic. Forced by our NDR layer, so do it raw */ -- SIVAL(encrypted.data, 0, 78); /* valid values are 1-3 */ -- break; -- case WRONG_R2: -- server_side_wrapped.r2[0] = 78; -- server_side_wrapped.r2[1] = 78; -- server_side_wrapped.r2[3] = 78; -- repush = true; -- break; -- case WRONG_PAYLOAD_LENGTH: -- server_side_wrapped.payload_length = UINT32_MAX - 8; -- repush = true; -- break; -- case WRONG_CIPHERTEXT_LENGTH: -- /* -- * Change the ciphertext len. We can't push this if -- * we have it wrong, so do it raw -- */ -- SIVAL(encrypted.data, 8, UINT32_MAX - 8); /* valid values are 1-3 */ -- break; -- case SHORT_PAYLOAD_LENGTH: -- server_side_wrapped.payload_length = server_side_wrapped.payload_length - 8; -- repush = true; -- break; -- case SHORT_CIPHERTEXT_LENGTH: -- /* -- * Change the ciphertext len. We can't push this if -- * we have it wrong, so do it raw -- */ -- SIVAL(encrypted.data, 8, server_side_wrapped.ciphertext_length - 8); /* valid values are 1-3 */ -- break; -- case ZERO_PAYLOAD_LENGTH: -- server_side_wrapped.payload_length = 0; -- repush = true; -- break; -- case ZERO_CIPHERTEXT_LENGTH: -- /* -- * Change the ciphertext len. 
We can't push this if -- * we have it wrong, so do it raw -- */ -- SIVAL(encrypted.data, 8, 0); /* valid values are 1-3 */ -- break; -- -- case RIGHT_KEY: -- case WRONG_KEY: -- case WRONG_SID: -- torture_assert(tctx, -- test_ServerWrap_encrypt_decrypt_manual(tctx, &server_side_wrapped, wrong), -- "test_ServerWrap_encrypt_decrypt_manual failed"); -- repush = true; -- break; -- } -- -- if (repush) { -- ndr_err = ndr_push_struct_blob(&encrypted, tctx, &server_side_wrapped, -- (ndr_push_flags_fn_t)ndr_push_bkrp_server_side_wrapped); -- torture_assert_ndr_err_equal(tctx, ndr_err, NDR_ERR_SUCCESS, "push of server_side_wrapped"); -- } -- -- /* Decrypt */ -- torture_assert_ntstatus_ok(tctx, -- GUID_from_string(BACKUPKEY_RESTORE_GUID, &guid), -- "obtain GUID"); -- -- r.in.guidActionAgent = &guid; -- r.in.data_in = encrypted.data; -- r.in.data_in_len = encrypted.length; -- r.in.param = 0; -- r.out.data_out = &(decrypted.data); -- r.out.data_out_len = &declen; -- torture_assert_ntstatus_ok(tctx, -- dcerpc_bkrp_BackupKey_r(b, tctx, &r), -- "decrypt"); -- -- if ((wrong == WRONG_R2 || wrong == WRONG_KEY) -- && W_ERROR_EQUAL(r.out.result, WERR_INVALID_SID)) { -- torture_assert_werr_equal(tctx, -- r.out.result, -- WERR_INVALID_SID, -- "decrypt should fail with WERR_INVALID_SID or WERR_INVALID_PARAMETER"); -- } else if (wrong == RIGHT_KEY) { -- torture_assert_werr_equal(tctx, -- r.out.result, -- WERR_OK, -- "decrypt should succeed!"); -- } else if (wrong == WRONG_SID) { -- torture_assert_werr_equal(tctx, -- r.out.result, -- WERR_INVALID_ACCESS, -- "decrypt should fail with WERR_INVALID_ACCESS"); -- } else { -- if (!W_ERROR_EQUAL(r.out.result, WERR_INVALID_PARAMETER)) { -- torture_assert_werr_equal(tctx, -- r.out.result, -- WERR_INVALID_ACCESS, -- "decrypt should fail with WERR_INVALID_ACCESS or WERR_INVALID_PARAMETER"); -- } -- } -- -- /* Decrypt */ -- torture_assert_ntstatus_ok(tctx, -- GUID_from_string(BACKUPKEY_RESTORE_GUID_WIN2K, &guid), -- "obtain GUID"); -- -- 
r.in.guidActionAgent = &guid; -- r.in.data_in = encrypted.data; -- r.in.data_in_len = encrypted.length; -- r.in.param = 0; -- r.out.data_out = &(decrypted.data); -- r.out.data_out_len = &declen; -- torture_assert_ntstatus_ok(tctx, -- dcerpc_bkrp_BackupKey_r(b, tctx, &r), -- "decrypt"); -- -- if ((wrong == WRONG_R2 || wrong == WRONG_KEY) -- && W_ERROR_EQUAL(r.out.result, WERR_INVALID_SID)) { -- torture_assert_werr_equal(tctx, -- r.out.result, -- WERR_INVALID_SID, -- "decrypt should fail with WERR_INVALID_SID or WERR_INVALID_PARAMETER"); -- } else if (wrong == RIGHT_KEY) { -- torture_assert_werr_equal(tctx, -- r.out.result, -- WERR_OK, -- "decrypt should succeed!"); -- } else if (wrong == WRONG_SID) { -- torture_assert_werr_equal(tctx, -- r.out.result, -- WERR_INVALID_ACCESS, -- "decrypt should fail with WERR_INVALID_ACCESS"); -- } else { -- if (!W_ERROR_EQUAL(r.out.result, WERR_INVALID_ACCESS) -- && !W_ERROR_EQUAL(r.out.result, WERR_INVALID_PARAMETER)) { -- torture_assert_werr_equal(tctx, r.out.result, -- WERR_INVALID_DATA, -- "decrypt should fail with WERR_INVALID_ACCESS, WERR_INVALID_PARAMETER or WERR_INVALID_DATA"); -- } -- } -- -- return true; --} -- --static bool test_ServerWrap_decrypt_wrong_magic(struct torture_context *tctx, -- struct dcerpc_pipe *p) --{ -- return test_ServerWrap_decrypt_wrong_stuff(tctx, p, WRONG_MAGIC); --} -- --static bool test_ServerWrap_decrypt_wrong_r2(struct torture_context *tctx, -- struct dcerpc_pipe *p) --{ -- return test_ServerWrap_decrypt_wrong_stuff(tctx, p, WRONG_R2); --} -- --static bool test_ServerWrap_decrypt_wrong_payload_length(struct torture_context *tctx, -- struct dcerpc_pipe *p) --{ -- return test_ServerWrap_decrypt_wrong_stuff(tctx, p, WRONG_PAYLOAD_LENGTH); --} -- --static bool test_ServerWrap_decrypt_short_payload_length(struct torture_context *tctx, -- struct dcerpc_pipe *p) --{ -- return test_ServerWrap_decrypt_wrong_stuff(tctx, p, SHORT_PAYLOAD_LENGTH); --} -- --static bool 
test_ServerWrap_decrypt_zero_payload_length(struct torture_context *tctx, -- struct dcerpc_pipe *p) --{ -- return test_ServerWrap_decrypt_wrong_stuff(tctx, p, ZERO_PAYLOAD_LENGTH); --} -- --static bool test_ServerWrap_decrypt_wrong_ciphertext_length(struct torture_context *tctx, -- struct dcerpc_pipe *p) --{ -- return test_ServerWrap_decrypt_wrong_stuff(tctx, p, WRONG_CIPHERTEXT_LENGTH); --} -- --static bool test_ServerWrap_decrypt_short_ciphertext_length(struct torture_context *tctx, -- struct dcerpc_pipe *p) --{ -- return test_ServerWrap_decrypt_wrong_stuff(tctx, p, SHORT_CIPHERTEXT_LENGTH); --} -- --static bool test_ServerWrap_decrypt_zero_ciphertext_length(struct torture_context *tctx, -- struct dcerpc_pipe *p) --{ -- return test_ServerWrap_decrypt_wrong_stuff(tctx, p, ZERO_CIPHERTEXT_LENGTH); --} -- --static bool test_ServerWrap_encrypt_decrypt_remote_key(struct torture_context *tctx, -- struct dcerpc_pipe *p) --{ -- return test_ServerWrap_decrypt_wrong_stuff(tctx, p, RIGHT_KEY); --} -- --static bool test_ServerWrap_encrypt_decrypt_wrong_key(struct torture_context *tctx, -- struct dcerpc_pipe *p) --{ -- return test_ServerWrap_decrypt_wrong_stuff(tctx, p, WRONG_KEY); --} -- --static bool test_ServerWrap_encrypt_decrypt_wrong_sid(struct torture_context *tctx, -- struct dcerpc_pipe *p) --{ -- return test_ServerWrap_decrypt_wrong_stuff(tctx, p, WRONG_SID); --} -- --struct torture_suite *torture_rpc_backupkey(TALLOC_CTX *mem_ctx) --{ -- struct torture_suite *suite = torture_suite_create(mem_ctx, "backupkey"); -- -- struct torture_rpc_tcase *tcase; -- -- tcase = torture_suite_add_rpc_iface_tcase(suite, "backupkey", -- &ndr_table_backupkey); -- -- torture_rpc_tcase_add_test(tcase, "retreive_backup_key_guid", -- test_RetrieveBackupKeyGUID); -- -- torture_rpc_tcase_add_test(tcase, "restore_guid", -- test_RestoreGUID); -- -- torture_rpc_tcase_add_test(tcase, "restore_guid version 3", -- test_RestoreGUID_v3); -- --/* We double the test in order to be sure that we don't 
mess stuff (ie. freeing static stuff) */ -- -- torture_rpc_tcase_add_test(tcase, "restore_guid_2nd", -- test_RestoreGUID); -- -- torture_rpc_tcase_add_test(tcase, "unable_to_decrypt_secret", -- test_RestoreGUID_ko); -- -- torture_rpc_tcase_add_test(tcase, "wrong_user_restore_guid", -- test_RestoreGUID_wronguser); -- -- torture_rpc_tcase_add_test(tcase, "wrong_version_restore_guid", -- test_RestoreGUID_wrongversion); -- -- torture_rpc_tcase_add_test(tcase, "bad_magic_on_secret_restore_guid", -- test_RestoreGUID_badmagiconsecret); -- -- torture_rpc_tcase_add_test(tcase, "bad_hash_on_secret_restore_guid", -- test_RestoreGUID_badhashaccesscheck); -- -- torture_rpc_tcase_add_test(tcase, "bad_magic_on_accesscheck_restore_guid", -- test_RestoreGUID_badmagicaccesscheck); -- -- torture_rpc_tcase_add_test(tcase, "bad_cert_guid_restore_guid", -- test_RestoreGUID_badcertguid); -- -- torture_rpc_tcase_add_test(tcase, "empty_request_restore_guid", -- test_RestoreGUID_emptyrequest); -- -- torture_rpc_tcase_add_test(tcase, "retreive_backup_key_guid_2048_bits", -- test_RetrieveBackupKeyGUID_2048bits); -- -- torture_rpc_tcase_add_test(tcase, "server_wrap_encrypt_decrypt", -- test_ServerWrap_encrypt_decrypt); -- -- torture_rpc_tcase_add_test(tcase, "server_wrap_decrypt_wrong_keyGUID", -- test_ServerWrap_decrypt_wrong_keyGUID); -- -- torture_rpc_tcase_add_test(tcase, "server_wrap_empty_request", -- test_ServerWrap_decrypt_empty_request); -- -- torture_rpc_tcase_add_test(tcase, "server_wrap_decrypt_short_request", -- test_ServerWrap_decrypt_short_request); -- -- torture_rpc_tcase_add_test(tcase, "server_wrap_decrypt_wrong_magic", -- test_ServerWrap_decrypt_wrong_magic); -- -- torture_rpc_tcase_add_test(tcase, "server_wrap_decrypt_wrong_r2", -- test_ServerWrap_decrypt_wrong_r2); -- -- torture_rpc_tcase_add_test(tcase, "server_wrap_decrypt_wrong_payload_length", -- test_ServerWrap_decrypt_wrong_payload_length); -- -- torture_rpc_tcase_add_test(tcase, 
"server_wrap_decrypt_short_payload_length", -- test_ServerWrap_decrypt_short_payload_length); -- -- torture_rpc_tcase_add_test(tcase, "server_wrap_decrypt_zero_payload_length", -- test_ServerWrap_decrypt_zero_payload_length); -- -- torture_rpc_tcase_add_test(tcase, "server_wrap_decrypt_wrong_ciphertext_length", -- test_ServerWrap_decrypt_wrong_ciphertext_length); -- -- torture_rpc_tcase_add_test(tcase, "server_wrap_decrypt_short_ciphertext_length", -- test_ServerWrap_decrypt_short_ciphertext_length); -- -- torture_rpc_tcase_add_test(tcase, "server_wrap_decrypt_zero_ciphertext_length", -- test_ServerWrap_decrypt_zero_ciphertext_length); -- -- torture_rpc_tcase_add_test(tcase, "server_wrap_encrypt_decrypt_remote_key", -- test_ServerWrap_encrypt_decrypt_remote_key); -- -- torture_rpc_tcase_add_test(tcase, "server_wrap_encrypt_decrypt_wrong_key", -- test_ServerWrap_encrypt_decrypt_wrong_key); -- -- torture_rpc_tcase_add_test(tcase, "server_wrap_encrypt_decrypt_wrong_sid", -- test_ServerWrap_encrypt_decrypt_wrong_sid); -- -- return suite; --} -diff --git a/source4/torture/wscript_build b/source4/torture/wscript_build -index 7dde54fefba..d9fbcbb6ebe 100644 ---- a/source4/torture/wscript_build -+++ b/source4/torture/wscript_build -@@ -82,13 +82,6 @@ bld.SAMBA_SUBSYSTEM('IREMOTEWINSPOOL_COMMON', - deps='talloc', - enabled=bld.PYTHON_BUILD_IS_ENABLED()) - --torture_rpc_backupkey = '' --if bld.AD_DC_BUILD_IS_ENABLED(): -- if (bld.CONFIG_SET('HAVE_GNUTLS_PRIVKEY_EXPORT_X509') and -- bld.CONFIG_SET('HAVE_GNUTLS_X509_CRT_SET_SUBJECT_UNIQUE_ID')): -- torture_rpc_backupkey = 'rpc/backupkey.c' -- else: -- torture_rpc_backupkey = 'rpc/backupkey_heimdal.c' - bld.SAMBA_MODULE('torture_rpc', - source=''' - rpc/join.c -@@ -145,7 +138,7 @@ bld.SAMBA_MODULE('torture_rpc', - rpc/witness.c - rpc/iremotewinspool.c - rpc/iremotewinspool_driver.c -- ''' + torture_rpc_backupkey + ntvfs_specific['source'], -+ rpc/backupkey.c''' + ntvfs_specific['source'], - autoproto='rpc/proto.h', - 
subsystem='smbtorture', - init_function='torture_rpc_init', -diff --git a/wscript_configure_system_gnutls b/wscript_configure_system_gnutls -index 8ff0529e10c..02e6567ba2f 100644 ---- a/wscript_configure_system_gnutls -+++ b/wscript_configure_system_gnutls -@@ -12,12 +12,6 @@ conf.CHECK_CFG(package='gnutls', - # Define gnutls as a system library - conf.SET_TARGET_TYPE('gnutls', 'SYSLIB') - --# Check for gnutls_privkey_export_x509 (>= 3.4.0) required by backupkey --conf.CHECK_FUNCS_IN('gnutls_privkey_export_x509', 'gnutls') -- --# Check for gnutls_x509_crt_set_subject_unique_id (>= 3.4.7) required by backupkey --conf.CHECK_FUNCS_IN('gnutls_x509_crt_set_subject_unique_id', 'gnutls') -- - # Check for gnutls_pkcs7_get_embedded_data_oid (>= 3.5.5) required by libmscat - conf.CHECK_FUNCS_IN('gnutls_pkcs7_get_embedded_data_oid', 'gnutls') - --- -2.23.0 - diff --git a/SOURCES/0106-s4-rpc_server-backupkey-consistently-check-error-cod.patch b/SOURCES/0106-s4-rpc_server-backupkey-consistently-check-error-cod.patch deleted file mode 100644 index bd4031b..0000000 --- a/SOURCES/0106-s4-rpc_server-backupkey-consistently-check-error-cod.patch +++ /dev/null 
@@ -1,271 +0,0 @@ -From ac505bb247d1f63d6c22d380e4db5a5f84cd2ff1 Mon Sep 17 00:00:00 2001 -From: Andrew Bartlett -Date: Fri, 16 Aug 2019 16:08:57 +1200 -Subject: [PATCH 106/187] s4-rpc_server/backupkey: consistently check error - codes from GnuTLS - -This uses the new gnutls_error_to_werror() - -This should resolve Coverity 1452111 as forwarded by Volker. - -Signed-off-by: Andrew Bartlett -Reviewed-by: Andreas Schneider -(cherry picked from commit 2d54559aad9af81cf21d223dad28b48184c59f44) ---- - .../rpc_server/backupkey/dcesrv_backupkey.c | 146 +++++++++++------- - source4/rpc_server/wscript_build | 2 +- - 2 files changed, 92 insertions(+), 56 deletions(-) - -diff --git a/source4/rpc_server/backupkey/dcesrv_backupkey.c b/source4/rpc_server/backupkey/dcesrv_backupkey.c -index a826ae083f4..cea6a28e4e2 100644 ---- a/source4/rpc_server/backupkey/dcesrv_backupkey.c -+++ b/source4/rpc_server/backupkey/dcesrv_backupkey.c -@@ -42,6 +42,8 @@ - #include - #include - -+#include "lib/crypto/gnutls_helpers.h" -+ - #define DCESRV_INTERFACE_BACKUPKEY_BIND(context, iface) \ - dcesrv_interface_backupkey_bind(context, iface) - static NTSTATUS dcesrv_interface_backupkey_bind(struct dcesrv_connection_context *context, -@@ -1439,15 +1441,23 @@ static WERROR bkrp_server_wrap_decrypt_data(struct dcesrv_call_state *dce_call, - * BACKUPKEY_BACKUP_GUID, it really is the whole key - */ - -- gnutls_hmac_init(&hmac_hnd, -- GNUTLS_MAC_SHA1, -- server_key.key, -- sizeof(server_key.key)); -- gnutls_hmac(hmac_hnd, -+ rc = gnutls_hmac_init(&hmac_hnd, -+ GNUTLS_MAC_SHA1, -+ server_key.key, -+ sizeof(server_key.key)); -+ if (rc != GNUTLS_E_SUCCESS) { -+ return gnutls_error_to_werror(rc, WERR_INTERNAL_ERROR); -+ } -+ -+ rc = gnutls_hmac(hmac_hnd, - decrypt_request.r2, - sizeof(decrypt_request.r2)); -- gnutls_hmac_output(hmac_hnd, symkey); - -+ if (rc != GNUTLS_E_SUCCESS) { -+ return gnutls_error_to_werror(rc, WERR_INTERNAL_ERROR); -+ } -+ -+ gnutls_hmac_output(hmac_hnd, symkey); - 
dump_data_pw("symkey: \n", symkey, sizeof(symkey)); - - /* rc4 decrypt sid and secret using sym key */ -@@ -1462,9 +1472,7 @@ static WERROR bkrp_server_wrap_decrypt_data(struct dcesrv_call_state *dce_call, - &cipher_key, - NULL); - if (rc != GNUTLS_E_SUCCESS) { -- DBG_ERR("gnutls_cipher_init failed - %s\n", -- gnutls_strerror(rc)); -- return WERR_INVALID_PARAMETER; -+ return gnutls_error_to_werror(rc, WERR_INTERNAL_ERROR); - } - rc = gnutls_cipher_encrypt2(cipher_hnd, - encrypted_blob.data, -@@ -1473,9 +1481,7 @@ static WERROR bkrp_server_wrap_decrypt_data(struct dcesrv_call_state *dce_call, - encrypted_blob.length); - gnutls_cipher_deinit(cipher_hnd); - if (rc != GNUTLS_E_SUCCESS) { -- DBG_ERR("gnutls_cipher_encrypt2 failed - %s\n", -- gnutls_strerror(rc)); -- return WERR_INVALID_PARAMETER; -+ return gnutls_error_to_werror(rc, WERR_INTERNAL_ERROR); - } - - ndr_err = ndr_pull_struct_blob_all(&encrypted_blob, mem_ctx, &rc4payload, -@@ -1494,9 +1500,13 @@ static WERROR bkrp_server_wrap_decrypt_data(struct dcesrv_call_state *dce_call, - * This is *not* the leading 64 bytes, as indicated in MS-BKRP 3.1.4.1.1 - * BACKUPKEY_BACKUP_GUID, it really is the whole key - */ -- gnutls_hmac(hmac_hnd, -- rc4payload.r3, -- sizeof(rc4payload.r3)); -+ rc = gnutls_hmac(hmac_hnd, -+ rc4payload.r3, -+ sizeof(rc4payload.r3)); -+ if (rc != GNUTLS_E_SUCCESS) { -+ return gnutls_error_to_werror(rc, WERR_INTERNAL_ERROR); -+ } -+ - gnutls_hmac_deinit(hmac_hnd, mackey); - - dump_data_pw("mackey: \n", mackey, sizeof(mackey)); -@@ -1507,20 +1517,31 @@ static WERROR bkrp_server_wrap_decrypt_data(struct dcesrv_call_state *dce_call, - return WERR_INTERNAL_ERROR; - } - -- gnutls_hmac_init(&hmac_hnd, -- GNUTLS_MAC_SHA1, -- mackey, -- sizeof(mackey)); -+ rc = gnutls_hmac_init(&hmac_hnd, -+ GNUTLS_MAC_SHA1, -+ mackey, -+ sizeof(mackey)); -+ if (rc != GNUTLS_E_SUCCESS) { -+ return gnutls_error_to_werror(rc, WERR_INTERNAL_ERROR); -+ } -+ - /* SID field */ -- gnutls_hmac(hmac_hnd, -- sid_blob.data, -- 
sid_blob.length); -+ rc = gnutls_hmac(hmac_hnd, -+ sid_blob.data, -+ sid_blob.length); -+ if (rc != GNUTLS_E_SUCCESS) { -+ return gnutls_error_to_werror(rc, WERR_INTERNAL_ERROR); -+ } -+ - /* Secret field */ -- gnutls_hmac(hmac_hnd, -- rc4payload.secret_data.data, -- rc4payload.secret_data.length); -- gnutls_hmac_deinit(hmac_hnd, mac); -+ rc = gnutls_hmac(hmac_hnd, -+ rc4payload.secret_data.data, -+ rc4payload.secret_data.length); -+ if (rc != GNUTLS_E_SUCCESS) { -+ return gnutls_error_to_werror(rc, WERR_INTERNAL_ERROR); -+ } - -+ gnutls_hmac_deinit(hmac_hnd, mac); - dump_data_pw("mac: \n", mac, sizeof(mac)); - dump_data_pw("rc4payload.mac: \n", rc4payload.mac, sizeof(rc4payload.mac)); - -@@ -1657,26 +1678,34 @@ static WERROR bkrp_server_wrap_encrypt_data(struct dcesrv_call_state *dce_call, - * This is *not* the leading 64 bytes, as indicated in MS-BKRP 3.1.4.1.1 - * BACKUPKEY_BACKUP_GUID, it really is the whole key - */ -- gnutls_hmac_init(&hmac_hnd, -- GNUTLS_MAC_SHA1, -- server_key.key, -- sizeof(server_key.key)); -- gnutls_hmac(hmac_hnd, -- server_side_wrapped.r2, -- sizeof(server_side_wrapped.r2)); -- gnutls_hmac_output(hmac_hnd, symkey); -+ rc = gnutls_hmac_init(&hmac_hnd, -+ GNUTLS_MAC_SHA1, -+ server_key.key, -+ sizeof(server_key.key)); -+ if (rc != GNUTLS_E_SUCCESS) { -+ return gnutls_error_to_werror(rc, WERR_INTERNAL_ERROR); -+ } - -+ rc = gnutls_hmac(hmac_hnd, -+ server_side_wrapped.r2, -+ sizeof(server_side_wrapped.r2)); -+ if (rc != GNUTLS_E_SUCCESS) { -+ return gnutls_error_to_werror(rc, WERR_INTERNAL_ERROR); -+ } -+ gnutls_hmac_output(hmac_hnd, symkey); - dump_data_pw("symkey: \n", symkey, sizeof(symkey)); - - /* - * This is *not* the leading 64 bytes, as indicated in MS-BKRP 3.1.4.1.1 - * BACKUPKEY_BACKUP_GUID, it really is the whole key - */ -- gnutls_hmac(hmac_hnd, -- rc4payload.r3, -- sizeof(rc4payload.r3)); -+ rc = gnutls_hmac(hmac_hnd, -+ rc4payload.r3, -+ sizeof(rc4payload.r3)); -+ if (rc != GNUTLS_E_SUCCESS) { -+ return 
gnutls_error_to_werror(rc, WERR_INTERNAL_ERROR); -+ } - gnutls_hmac_deinit(hmac_hnd, mackey); -- - dump_data_pw("mackey: \n", mackey, sizeof(mackey)); - - ndr_err = ndr_push_struct_blob(&sid_blob, mem_ctx, caller_sid, -@@ -1688,20 +1717,31 @@ static WERROR bkrp_server_wrap_encrypt_data(struct dcesrv_call_state *dce_call, - rc4payload.secret_data.data = r->in.data_in; - rc4payload.secret_data.length = r->in.data_in_len; - -- gnutls_hmac_init(&hmac_hnd, -- GNUTLS_MAC_SHA1, -- mackey, -- sizeof(mackey)); -+ rc = gnutls_hmac_init(&hmac_hnd, -+ GNUTLS_MAC_SHA1, -+ mackey, -+ sizeof(mackey)); -+ if (rc != GNUTLS_E_SUCCESS) { -+ return gnutls_error_to_werror(rc, WERR_INTERNAL_ERROR); -+ } -+ - /* SID field */ -- gnutls_hmac(hmac_hnd, -- sid_blob.data, -- sid_blob.length); -+ rc = gnutls_hmac(hmac_hnd, -+ sid_blob.data, -+ sid_blob.length); -+ if (rc != GNUTLS_E_SUCCESS) { -+ return gnutls_error_to_werror(rc, WERR_INTERNAL_ERROR); -+ } -+ - /* Secret field */ -- gnutls_hmac(hmac_hnd, -- rc4payload.secret_data.data, -- rc4payload.secret_data.length); -- gnutls_hmac_deinit(hmac_hnd, rc4payload.mac); -+ rc = gnutls_hmac(hmac_hnd, -+ rc4payload.secret_data.data, -+ rc4payload.secret_data.length); -+ if (rc != GNUTLS_E_SUCCESS) { -+ return gnutls_error_to_werror(rc, WERR_INTERNAL_ERROR); -+ } - -+ gnutls_hmac_deinit(hmac_hnd, rc4payload.mac); - dump_data_pw("rc4payload.mac: \n", rc4payload.mac, sizeof(rc4payload.mac)); - - rc4payload.sid = *caller_sid; -@@ -1721,9 +1761,7 @@ static WERROR bkrp_server_wrap_encrypt_data(struct dcesrv_call_state *dce_call, - &cipher_key, - NULL); - if (rc != GNUTLS_E_SUCCESS) { -- DBG_ERR("gnutls_cipher_init failed - %s\n", -- gnutls_strerror(rc)); -- return WERR_INVALID_PARAMETER; -+ return gnutls_error_to_werror(rc, WERR_INTERNAL_ERROR); - } - rc = gnutls_cipher_encrypt2(cipher_hnd, - encrypted_blob.data, -@@ -1732,9 +1770,7 @@ static WERROR bkrp_server_wrap_encrypt_data(struct dcesrv_call_state *dce_call, - encrypted_blob.length); - 
gnutls_cipher_deinit(cipher_hnd);
- if (rc != GNUTLS_E_SUCCESS) {
-- DBG_ERR("gnutls_cipher_encrypt2 failed - %s\n",
-- gnutls_strerror(rc));
-- return WERR_INVALID_PARAMETER;
-+ return gnutls_error_to_werror(rc, WERR_INTERNAL_ERROR);
- }
-
- /* create server wrap structure */
-diff --git a/source4/rpc_server/wscript_build b/source4/rpc_server/wscript_build
-index a5c1c1d9a2c..18ec5aef894 100644
---- a/source4/rpc_server/wscript_build
-+++ b/source4/rpc_server/wscript_build
-@@ -124,7 +124,7 @@ bld.SAMBA_MODULE('dcerpc_backupkey',
- autoproto='backupkey/proto.h',
- subsystem='dcerpc_server',
- init_function='dcerpc_server_backupkey_init',
-- deps='samdb DCERPC_COMMON NDR_BACKUPKEY RPC_NDR_BACKUPKEY gnutls',
-+ deps='samdb DCERPC_COMMON NDR_BACKUPKEY RPC_NDR_BACKUPKEY gnutls GNUTLS_HELPERS',
- )
-
-
---
-2.23.0
-
diff --git a/SOURCES/0107-lib-crypto-Remove-unused-RC4-code-from-Samba.patch b/SOURCES/0107-lib-crypto-Remove-unused-RC4-code-from-Samba.patch
deleted file mode 100644
index 5987744..0000000
--- a/SOURCES/0107-lib-crypto-Remove-unused-RC4-code-from-Samba.patch
+++ /dev/null
@@ -1,168 +0,0 @@ -From 2bdfe3735e50438213359e3c7a070ea873cf30be Mon Sep 17 00:00:00 2001 -From: Andrew Bartlett -Date: Thu, 15 Aug 2019 14:23:35 +1200 -Subject: [PATCH 107/187] lib/crypto: Remove unused RC4 code from Samba - -Signed-off-by: Andrew Bartlett -Reviewed-by: Andreas Schneider -(cherry picked from commit e9859ad356b42f39585dcef1a38def97a50a3744) ---- - lib/crypto/arcfour.c | 93 ---------------------------------------- - lib/crypto/arcfour.h | 17 -------- - lib/crypto/wscript_build | 9 ---- - 3 files changed, 119 deletions(-) - delete mode 100644 lib/crypto/arcfour.c - delete mode 100644 lib/crypto/arcfour.h - -diff --git a/lib/crypto/arcfour.c b/lib/crypto/arcfour.c -deleted file mode 100644 -index af9b20cc01e..00000000000 ---- a/lib/crypto/arcfour.c -+++ /dev/null -@@ -1,93 +0,0 @@ --/* -- Unix SMB/CIFS implementation. -- -- An implementation of the arcfour algorithm -- -- Copyright (C) Andrew Tridgell 1998 -- -- This program is free software; you can redistribute it and/or modify -- it under the terms of the GNU General Public License as published by -- the Free Software Foundation; either version 3 of the License, or -- (at your option) any later version. -- -- This program is distributed in the hope that it will be useful, -- but WITHOUT ANY WARRANTY; without even the implied warranty of -- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -- GNU General Public License for more details. -- -- You should have received a copy of the GNU General Public License -- along with this program. If not, see . 
--*/ -- --#include "replace.h" --#include "../lib/crypto/arcfour.h" -- --/* initialise the arcfour sbox with key */ --_PUBLIC_ void arcfour_init(struct arcfour_state *state, const DATA_BLOB *key) --{ -- size_t ind; -- uint8_t j = 0; -- for (ind = 0; ind < sizeof(state->sbox); ind++) { -- state->sbox[ind] = (uint8_t)ind; -- } -- -- for (ind = 0; ind < sizeof(state->sbox); ind++) { -- uint8_t tc; -- -- j += (state->sbox[ind] + key->data[ind%key->length]); -- -- tc = state->sbox[ind]; -- state->sbox[ind] = state->sbox[j]; -- state->sbox[j] = tc; -- } -- state->index_i = 0; -- state->index_j = 0; --} -- --/* crypt the data with arcfour */ --_PUBLIC_ void arcfour_crypt_sbox(struct arcfour_state *state, uint8_t *data, -- int len) --{ -- int ind; -- -- for (ind = 0; ind < len; ind++) { -- uint8_t tc; -- uint8_t t; -- -- state->index_i++; -- state->index_j += state->sbox[state->index_i]; -- -- tc = state->sbox[state->index_i]; -- state->sbox[state->index_i] = state->sbox[state->index_j]; -- state->sbox[state->index_j] = tc; -- -- t = state->sbox[state->index_i] + state->sbox[state->index_j]; -- data[ind] = data[ind] ^ state->sbox[t]; -- } --} -- --/* -- arcfour encryption with a blob key --*/ --_PUBLIC_ void arcfour_crypt_blob(uint8_t *data, int len, const DATA_BLOB *key) --{ -- struct arcfour_state state; -- arcfour_init(&state, key); -- arcfour_crypt_sbox(&state, data, len); --} -- --/* -- a variant that assumes a 16 byte key. 
This should be removed
-- when the last user is gone
--*/
--_PUBLIC_ void arcfour_crypt(uint8_t *data, const uint8_t keystr[16], int len)
--{
-- uint8_t keycopy[16];
-- DATA_BLOB key = { .data = keycopy, .length = sizeof(keycopy) };
--
-- memcpy(keycopy, keystr, sizeof(keycopy));
--
-- arcfour_crypt_blob(data, len, &key);
--}
--
--
-diff --git a/lib/crypto/arcfour.h b/lib/crypto/arcfour.h
-deleted file mode 100644
-index a9f80c474d5..00000000000
---- a/lib/crypto/arcfour.h
-+++ /dev/null
-@@ -1,17 +0,0 @@
--#ifndef ARCFOUR_HEADER_H
--#define ARCFOUR_HEADER_H
--
--#include "../lib/util/data_blob.h"
--
--struct arcfour_state {
-- uint8_t sbox[256];
-- uint8_t index_i;
-- uint8_t index_j;
--};
--
--void arcfour_init(struct arcfour_state *state, const DATA_BLOB *key);
--void arcfour_crypt_sbox(struct arcfour_state *state, uint8_t *data, int len);
--void arcfour_crypt_blob(uint8_t *data, int len, const DATA_BLOB *key);
--void arcfour_crypt(uint8_t *data, const uint8_t keystr[16], int len);
--
--#endif /* ARCFOUR_HEADER_H */
-diff --git a/lib/crypto/wscript_build b/lib/crypto/wscript_build
-index 9a7c715754d..dcac8fcd30c 100644
---- a/lib/crypto/wscript_build
-+++ b/lib/crypto/wscript_build
-@@ -12,14 +12,6 @@ bld.SAMBA_SUBSYSTEM('GNUTLS_HELPERS',
- ''',
- deps='gnutls samba-errors');
-
--# We have a GnuTLS DCEPRC backupkey implementation for the server and the test.
--# However this is only working with GnuTLS >= 3.4.7. So we need to keep this
--# around till we can require at least GnuTLS in a newer version.
--bld.SAMBA_SUBSYSTEM('LIBCRYPTO_RC4',
-- source='arcfour.c',
-- deps='talloc',
-- enabled=not bld.CONFIG_SET('HAVE_GNUTLS_3_4_7'))
--
- bld.SAMBA_SUBSYSTEM('LIBCRYPTO_AES_CCM',
- source='aes_ccm_128.c',
- deps='talloc')
-@@ -42,7 +34,6 @@ bld.SAMBA_SUBSYSTEM('LIBCRYPTO',
- ''',
- deps='''
- talloc
-- LIBCRYPTO_RC4
- LIBCRYPTO_AES
- LIBCRYPTO_AES_CCM
- LIBCRYPTO_AES_GCM
---
-2.23.0
-
diff --git a/SOURCES/0108-s4-samdb-Remove-duplicate-encrypted_secrets-code-usi.patch b/SOURCES/0108-s4-samdb-Remove-duplicate-encrypted_secrets-code-usi.patch
deleted file mode 100644
index e3019fb..0000000
--- a/SOURCES/0108-s4-samdb-Remove-duplicate-encrypted_secrets-code-usi.patch
+++ /dev/null
@@ -1,705 +0,0 @@ -From d2a0904b915c4f9ffe8ca7f8015ef201dd8b827d Mon Sep 17 00:00:00 2001 -From: Andrew Bartlett -Date: Wed, 31 Jul 2019 16:37:00 +1200 -Subject: [PATCH 108/187] s4-samdb: Remove duplicate encrypted_secrets code - using internal Samba AES - -We now rely on GnuTLS 3.4.7 or later. - -Signed-off-by: Andrew Bartlett -Reviewed-by: Andreas Schneider -(cherry picked from commit 85a1c4973921fdf9412ec56a3ed6a77f3ab84116) ---- - .../samdb/ldb_modules/encrypted_secrets.c | 266 +---------------- - .../tests/test_encrypted_secrets.c | 278 ------------------ - 2 files changed, 2 insertions(+), 542 deletions(-) - -diff --git a/source4/dsdb/samdb/ldb_modules/encrypted_secrets.c b/source4/dsdb/samdb/ldb_modules/encrypted_secrets.c -index e0932858588..0d46031ec64 100644 ---- a/source4/dsdb/samdb/ldb_modules/encrypted_secrets.c -+++ b/source4/dsdb/samdb/ldb_modules/encrypted_secrets.c -@@ -39,22 +39,8 @@ - #include "dsdb/samdb/samdb.h" - #include "dsdb/samdb/ldb_modules/util.h" - --/* Build either with GnuTLS crypto or Samba crypto. 
*/ --#ifdef HAVE_GNUTLS_AEAD -- #define BUILD_WITH_GNUTLS_AEAD --#else /* !HAVE_GNUTLS_AEAD */ -- #define BUILD_WITH_SAMBA_AES_GCM --#endif /* HAVE_GNUTLS_AEAD */ -- --#ifdef BUILD_WITH_GNUTLS_AEAD -- #include -- #include --#endif /* BUILD_WITH_GNUTLS_AEAD */ -- --#ifdef BUILD_WITH_SAMBA_AES_GCM -- #include "lib/crypto/aes.h" -- #include "lib/crypto/aes_gcm_128.h" --#endif /* BUILD_WITH_SAMBA_AES_GCM */ -+#include -+#include - - static const char * const secret_attributes[] = {DSDB_SECRET_ATTRIBUTES}; - static const size_t num_secret_attributes = ARRAY_SIZE(secret_attributes); -@@ -74,12 +60,10 @@ struct es_data { - * Encryption keys for secret attributes - */ - DATA_BLOB keys[NUMBER_OF_KEYS]; --#ifdef BUILD_WITH_GNUTLS_AEAD - /* - * The gnutls algorithm used to encrypt attributes - */ - int encryption_algorithm; --#endif /* BUILD_WITH_GNUTLS_AEAD */ - }; - - /* -@@ -262,9 +246,7 @@ static int load_keys(struct ldb_module *module, struct es_data *data) - - data->keys[0] = key; - data->encrypt_secrets = true; --#ifdef BUILD_WITH_GNUTLS_AEAD - data->encryption_algorithm = GNUTLS_CIPHER_AES_128_GCM; --#endif - TALLOC_FREE(frame); - - return LDB_SUCCESS; -@@ -299,7 +281,6 @@ static bool should_encrypt(const struct ldb_message_element *el) - * - * @return Size rounded up to the nearest multiple of block_size - */ --#ifdef BUILD_WITH_GNUTLS_AEAD - static size_t round_to_block_size(size_t block_size, size_t size) - { - if ((size % block_size) == 0) { -@@ -308,7 +289,6 @@ static size_t round_to_block_size(size_t block_size, size_t size) - return ((int)(size/block_size) + 1) * block_size; - } - } --#endif /* BUILD_WITH_GNUTLS_AEAD */ - - /* - * @brief Create an new EncryptedSecret owned by the supplied talloc context. -@@ -375,239 +355,6 @@ static DATA_BLOB makePlainText(TALLOC_CTX *ctx, - return pt; - } - --#ifdef BUILD_WITH_SAMBA_AES_GCM --/* -- * @brief Encrypt an ldb value using an aead algorithm. 
-- * -- * This function uses the samba internal implementation to perform the encryption. However -- * the encrypted data and tag are stored in a manner compatible with gnutls, -- * so the gnutls aead functions can be used to decrypt and verify the data. -- * -- * @param err Pointer to an error code, set to: -- * LDB_SUCESS If the value was successfully encrypted -- * LDB_ERR_OPERATIONS_ERROR If there was an error. -- * -- * @param ctx Talloc memory context the will own the memory allocated -- * @param ldb ldb context, to allow logging. -- * @param val The ldb value to encrypt, not altered or freed -- * @param data The context data for this module. -- * -- * @return The encrypted ldb_val, or data_blob_null if there was an error. -- */ --static struct ldb_val samba_encrypt_aead(int *err, -- TALLOC_CTX *ctx, -- struct ldb_context *ldb, -- const struct ldb_val val, -- const struct es_data *data) --{ -- struct aes_gcm_128_context cctx; -- struct EncryptedSecret *es = NULL; -- DATA_BLOB pt = data_blob_null; -- struct ldb_val enc = data_blob_null; -- DATA_BLOB key_blob = data_blob_null; -- int rc; -- TALLOC_CTX *frame = talloc_stackframe(); -- -- es = makeEncryptedSecret(ldb, frame); -- if (es == NULL) { -- goto error_exit; -- } -- -- pt = makePlainText(frame, ldb, val); -- if (pt.length == 0) { -- goto error_exit; -- } -- -- /* -- * Set the encryption key -- */ -- key_blob = get_key(data); -- if (key_blob.length != AES_BLOCK_SIZE) { -- ldb_asprintf_errstring(ldb, -- "Invalid EncryptedSecrets key size, " -- "expected %u bytes and is %zu bytes\n", -- AES_BLOCK_SIZE, -- key_blob.length); -- goto error_exit; -- } -- -- /* -- * Set the initialisation vector -- */ -- { -- uint8_t *iv = talloc_zero_size(frame, AES_GCM_128_IV_SIZE); -- if (iv == NULL) { -- ldb_set_errstring(ldb, -- "Out of memory allocating iv\n"); -- goto error_exit; -- } -- -- generate_nonce_buffer(iv, AES_GCM_128_IV_SIZE); -- -- es->iv.length = AES_GCM_128_IV_SIZE; -- es->iv.data = iv; -- } -- -- /* -- * 
Encrypt the value, and append the GCM digest to the encrypted -- * data so that it can be decrypted and validated by the -- * gnutls aead decryption routines. -- */ -- { -- uint8_t *ct = talloc_zero_size(frame, pt.length + AES_BLOCK_SIZE); -- if (ct == NULL) { -- ldb_oom(ldb); -- goto error_exit; -- } -- -- memcpy(ct, pt.data, pt.length); -- es->encrypted.length = pt.length + AES_BLOCK_SIZE; -- es->encrypted.data = ct; -- } -- -- aes_gcm_128_init(&cctx, key_blob.data, es->iv.data); -- aes_gcm_128_updateA(&cctx, -- (uint8_t *)&es->header, -- sizeof(struct EncryptedSecretHeader)); -- aes_gcm_128_crypt(&cctx, es->encrypted.data, pt.length); -- aes_gcm_128_updateC(&cctx, es->encrypted.data, pt.length); -- aes_gcm_128_digest(&cctx, &es->encrypted.data[pt.length]); -- -- rc = ndr_push_struct_blob(&enc, -- ctx, -- es, -- (ndr_push_flags_fn_t) -- ndr_push_EncryptedSecret); -- if (!NDR_ERR_CODE_IS_SUCCESS(rc)) { -- ldb_set_errstring(ldb, -- "Unable to ndr push EncryptedSecret\n"); -- goto error_exit; -- } -- TALLOC_FREE(frame); -- return enc; -- --error_exit: -- *err = LDB_ERR_OPERATIONS_ERROR; -- TALLOC_FREE(frame); -- return data_blob_null; --} -- --/* -- * @brief Decrypt data encrypted using an aead algorithm. -- * -- * Decrypt the data in ed and insert it into ev. The data was encrypted -- * with the samba aes gcm implementation. -- * -- * @param err Pointer to an error code, set to: -- * LDB_SUCESS If the value was successfully decrypted -- * LDB_ERR_OPERATIONS_ERROR If there was an error. -- * -- * @param ctx Talloc memory context that will own the memory allocated -- * @param ldb ldb context, to allow logging. -- * @param ev The value to be updated with the decrypted data. -- * @param ed The data to decrypt. -- * @param data The context data for this module. -- * -- * @return ev is updated with the unencrypted data. 
-- */ --static void samba_decrypt_aead(int *err, -- TALLOC_CTX *ctx, -- struct ldb_context *ldb, -- struct EncryptedSecret *es, -- struct PlaintextSecret *ps, -- const struct es_data *data) --{ -- struct aes_gcm_128_context cctx; -- DATA_BLOB pt = data_blob_null; -- DATA_BLOB key_blob = data_blob_null; -- uint8_t sig[AES_BLOCK_SIZE] = {0, }; -- int rc; -- int cmp; -- TALLOC_CTX *frame = talloc_stackframe(); -- -- /* -- * Set the encryption key -- */ -- key_blob = get_key(data); -- if (key_blob.length != AES_BLOCK_SIZE) { -- ldb_asprintf_errstring(ldb, -- "Invalid EncryptedSecrets key size, " -- "expected %u bytes and is %zu bytes\n", -- AES_BLOCK_SIZE, -- key_blob.length); -- goto error_exit; -- } -- -- if (es->iv.length < AES_GCM_128_IV_SIZE) { -- ldb_asprintf_errstring(ldb, -- "Invalid EncryptedSecrets iv size, " -- "expected %u bytes and is %zu bytes\n", -- AES_GCM_128_IV_SIZE, -- es->iv.length); -- goto error_exit; -- } -- -- if (es->encrypted.length < AES_BLOCK_SIZE) { -- ldb_asprintf_errstring(ldb, -- "Invalid EncryptedData size, " -- "expected %u bytes and is %zu bytes\n", -- AES_BLOCK_SIZE, -- es->encrypted.length); -- goto error_exit; -- } -- -- pt.length = es->encrypted.length - AES_BLOCK_SIZE; -- pt.data = talloc_zero_size(ctx, pt.length); -- if (pt.data == NULL) { -- ldb_set_errstring(ldb, -- "Out of memory allocating space for " -- "plain text\n"); -- goto error_exit; -- } -- memcpy(pt.data, es->encrypted.data, pt.length); -- -- aes_gcm_128_init(&cctx, key_blob.data, es->iv.data); -- aes_gcm_128_updateA(&cctx, -- (uint8_t *)&es->header, -- sizeof(struct EncryptedSecretHeader)); -- aes_gcm_128_updateC(&cctx, pt.data, pt.length); -- aes_gcm_128_crypt(&cctx, pt.data, pt.length); -- aes_gcm_128_digest(&cctx, sig); -- -- /* -- * Check the authentication tag -- */ -- cmp = memcmp(&es->encrypted.data[pt.length], sig, AES_BLOCK_SIZE); -- if (cmp != 0) { -- ldb_set_errstring(ldb, -- "Tag does not match, " -- "data corrupted or altered\n"); -- goto error_exit; 
-- } -- -- rc = ndr_pull_struct_blob(&pt, -- ctx, -- ps, -- (ndr_pull_flags_fn_t) -- ndr_pull_PlaintextSecret); -- if(!NDR_ERR_CODE_IS_SUCCESS(rc)) { -- ldb_asprintf_errstring(ldb, -- "Error(%d) unpacking decrypted data, " -- "data possibly corrupted or altered\n", -- rc); -- goto error_exit; -- } -- TALLOC_FREE(frame); -- return; -- --error_exit: -- *err = LDB_ERR_OPERATIONS_ERROR; -- TALLOC_FREE(frame); -- return; --} --#endif /* BUILD_WITH_SAMBA_AES_GCM */ -- --#ifdef BUILD_WITH_GNUTLS_AEAD - - /* - * Helper function converts a data blob to a gnutls_datum_t. -@@ -946,7 +693,6 @@ error_exit: - *err = LDB_ERR_OPERATIONS_ERROR; - return; - } --#endif /* BUILD_WITH_GNUTLS_AEAD */ - - /* - * @brief Encrypt an attribute value using the default encryption algorithm. -@@ -972,11 +718,7 @@ static struct ldb_val encrypt_value(int *err, - const struct ldb_val val, - const struct es_data *data) - { --#ifdef BUILD_WITH_GNUTLS_AEAD - return gnutls_encrypt_aead(err, ctx, ldb, val, data); --#elif defined BUILD_WITH_SAMBA_AES_GCM -- return samba_encrypt_aead(err, ctx, ldb, val, data); --#endif - } - - /* -@@ -1206,11 +948,7 @@ static struct ldb_val decrypt_value(int *err, - *err = LDB_ERR_OPERATIONS_ERROR; - return data_blob_null; - } --#ifdef BUILD_WITH_GNUTLS_AEAD - gnutls_decrypt_aead(err, frame, ldb, &es, &ps, data); --#elif defined BUILD_WITH_SAMBA_AES_GCM -- samba_decrypt_aead(err, frame, ldb, &es, &ps, data); --#endif - - if (*err != LDB_SUCCESS) { - TALLOC_FREE(frame); -diff --git a/source4/dsdb/samdb/ldb_modules/tests/test_encrypted_secrets.c b/source4/dsdb/samdb/ldb_modules/tests/test_encrypted_secrets.c -index a33781d703d..b9516815f75 100644 ---- a/source4/dsdb/samdb/ldb_modules/tests/test_encrypted_secrets.c -+++ b/source4/dsdb/samdb/ldb_modules/tests/test_encrypted_secrets.c -@@ -336,7 +336,6 @@ static void test_key_file_long_key(void **state) - assert_int_equal(0, data_blob_cmp(&key, &data->keys[0])); - } - --#ifdef HAVE_GNUTLS_AEAD - /* - * Test gnutls_encryption 
and decryption. - */ -@@ -391,9 +390,7 @@ static void test_gnutls_value_encryption(void **state) - &plain_text)); - } - } --#endif /* HAVE_GNUTLS_AEAD */ - --#ifdef HAVE_GNUTLS_AEAD - static void test_gnutls_altered_header(void **state) - { - struct ldbtest_ctx *test_ctx = -@@ -458,9 +455,7 @@ static void test_gnutls_altered_header(void **state) - assert_int_equal(LDB_ERR_OPERATIONS_ERROR, err); - } - } --#endif /* HAVE_GNUTLS_AEAD */ - --#ifdef HAVE_GNUTLS_AEAD - static void test_gnutls_altered_data(void **state) - { - struct ldbtest_ctx *test_ctx = -@@ -525,9 +520,7 @@ static void test_gnutls_altered_data(void **state) - assert_int_equal(LDB_ERR_OPERATIONS_ERROR, err); - } - } --#endif /* HAVE_GNUTLS_AEAD */ - --#ifdef HAVE_GNUTLS_AEAD - static void test_gnutls_altered_iv(void **state) - { - struct ldbtest_ctx *test_ctx = -@@ -592,260 +585,10 @@ static void test_gnutls_altered_iv(void **state) - assert_int_equal(LDB_ERR_OPERATIONS_ERROR, err); - } - } --#endif /* HAVE_GNUTLS_AEAD */ - - /* - * Test samba encryption and decryption and decryption. 
- */ --#ifndef HAVE_GNUTLS_AEAD --static void test_samba_value_encryption(void **state) --{ -- struct ldbtest_ctx *test_ctx = -- talloc_get_type_abort(*state, struct ldbtest_ctx); -- struct ldb_val plain_text = data_blob_null; -- struct ldb_val cipher_text = data_blob_null; -- struct EncryptedSecret es; -- -- struct es_data *data = talloc_get_type( -- ldb_module_get_private(test_ctx->module), -- struct es_data); -- int err = LDB_SUCCESS; -- int rc; -- -- plain_text = data_blob_string_const("A text value"); -- cipher_text = samba_encrypt_aead( -- &err, -- test_ctx, -- test_ctx->ldb, -- plain_text, -- data); -- assert_int_equal(LDB_SUCCESS, err); -- -- rc = ndr_pull_struct_blob( -- &cipher_text, -- test_ctx, -- &es, -- (ndr_pull_flags_fn_t) ndr_pull_EncryptedSecret); -- assert_true(NDR_ERR_CODE_IS_SUCCESS(rc)); -- assert_true(check_header(&es)); -- -- { -- struct PlaintextSecret *decrypted = -- talloc_zero(test_ctx, struct PlaintextSecret); -- samba_decrypt_aead( -- &err, -- test_ctx, -- test_ctx->ldb, -- &es, -- decrypted, -- data); -- assert_int_equal(LDB_SUCCESS, err); -- assert_int_equal( -- plain_text.length, -- decrypted->cleartext.length); -- assert_int_equal(0, -- data_blob_cmp( -- &decrypted->cleartext, -- &plain_text)); -- } -- --} -- --static void test_samba_altered_header(void **state) --{ -- struct ldbtest_ctx *test_ctx = -- talloc_get_type_abort(*state, struct ldbtest_ctx); -- struct ldb_val plain_text = data_blob_null; -- struct ldb_val cipher_text = data_blob_null; -- struct EncryptedSecret es; -- -- struct es_data *data = talloc_get_type( -- ldb_module_get_private(test_ctx->module), -- struct es_data); -- int err = LDB_SUCCESS; -- int rc; -- -- plain_text = data_blob_string_const("A text value"); -- cipher_text = samba_encrypt_aead( -- &err, -- test_ctx, -- test_ctx->ldb, -- plain_text, -- data); -- assert_int_equal(LDB_SUCCESS, err); -- -- rc = ndr_pull_struct_blob( -- &cipher_text, -- test_ctx, -- &es, -- (ndr_pull_flags_fn_t) 
ndr_pull_EncryptedSecret); -- assert_true(NDR_ERR_CODE_IS_SUCCESS(rc)); -- assert_true(check_header(&es)); -- -- { -- struct PlaintextSecret *decrypted = -- talloc_zero(test_ctx, struct PlaintextSecret); -- samba_decrypt_aead( -- &err, -- test_ctx, -- test_ctx->ldb, -- &es, -- decrypted, -- data); -- assert_int_equal(LDB_SUCCESS, err); -- assert_int_equal( -- plain_text.length, -- decrypted->cleartext.length); -- assert_int_equal(0, -- data_blob_cmp( -- &decrypted->cleartext, -- &plain_text)); -- } -- es.header.flags = es.header.flags ^ 0xffffffff; -- { -- struct PlaintextSecret *decrypted = -- talloc_zero(test_ctx, struct PlaintextSecret); -- samba_decrypt_aead( -- &err, -- test_ctx, -- test_ctx->ldb, -- &es, -- decrypted, -- data); -- assert_int_equal(LDB_ERR_OPERATIONS_ERROR, err); -- } --} -- --static void test_samba_altered_data(void **state) --{ -- struct ldbtest_ctx *test_ctx = -- talloc_get_type_abort(*state, struct ldbtest_ctx); -- struct ldb_val plain_text = data_blob_null; -- struct ldb_val cipher_text = data_blob_null; -- struct EncryptedSecret es; -- -- struct es_data *data = talloc_get_type( -- ldb_module_get_private(test_ctx->module), -- struct es_data); -- int err = LDB_SUCCESS; -- int rc; -- -- plain_text = data_blob_string_const("A text value"); -- cipher_text = samba_encrypt_aead( -- &err, -- test_ctx, -- test_ctx->ldb, -- plain_text, -- data); -- assert_int_equal(LDB_SUCCESS, err); -- -- rc = ndr_pull_struct_blob( -- &cipher_text, -- test_ctx, -- &es, -- (ndr_pull_flags_fn_t) ndr_pull_EncryptedSecret); -- assert_true(NDR_ERR_CODE_IS_SUCCESS(rc)); -- assert_true(check_header(&es)); -- -- { -- struct PlaintextSecret *decrypted = -- talloc_zero(test_ctx, struct PlaintextSecret); -- samba_decrypt_aead( -- &err, -- test_ctx, -- test_ctx->ldb, -- &es, -- decrypted, -- data); -- assert_int_equal(LDB_SUCCESS, err); -- assert_int_equal( -- plain_text.length, -- decrypted->cleartext.length); -- assert_int_equal(0, -- data_blob_cmp( -- 
&decrypted->cleartext, -- &plain_text)); -- } -- es.encrypted.data[0] = es.encrypted.data[0] ^ 0xff; -- { -- struct PlaintextSecret *decrypted = -- talloc_zero(test_ctx, struct PlaintextSecret); -- samba_decrypt_aead( -- &err, -- test_ctx, -- test_ctx->ldb, -- &es, -- decrypted, -- data); -- assert_int_equal(LDB_ERR_OPERATIONS_ERROR, err); -- } --} -- --static void test_samba_altered_iv(void **state) --{ -- struct ldbtest_ctx *test_ctx = -- talloc_get_type_abort(*state, struct ldbtest_ctx); -- struct ldb_val plain_text = data_blob_null; -- struct ldb_val cipher_text = data_blob_null; -- struct EncryptedSecret es; -- -- struct es_data *data = talloc_get_type( -- ldb_module_get_private(test_ctx->module), -- struct es_data); -- int err = LDB_SUCCESS; -- int rc; -- -- plain_text = data_blob_string_const("A text value"); -- cipher_text = samba_encrypt_aead( -- &err, -- test_ctx, -- test_ctx->ldb, -- plain_text, -- data); -- assert_int_equal(LDB_SUCCESS, err); -- -- rc = ndr_pull_struct_blob( -- &cipher_text, -- test_ctx, -- &es, -- (ndr_pull_flags_fn_t) ndr_pull_EncryptedSecret); -- assert_true(NDR_ERR_CODE_IS_SUCCESS(rc)); -- assert_true(check_header(&es)); -- -- { -- struct PlaintextSecret *decrypted = -- talloc_zero(test_ctx, struct PlaintextSecret); -- samba_decrypt_aead( -- &err, -- test_ctx, -- test_ctx->ldb, -- &es, -- decrypted, -- data); -- assert_int_equal(LDB_SUCCESS, err); -- assert_int_equal( -- plain_text.length, -- decrypted->cleartext.length); -- assert_int_equal(0, -- data_blob_cmp( -- &decrypted->cleartext, -- &plain_text)); -- } -- es.iv.data[0] = es.iv.data[0] ^ 0xff; -- { -- struct PlaintextSecret *decrypted = -- talloc_zero(test_ctx, struct PlaintextSecret); -- samba_decrypt_aead( -- &err, -- test_ctx, -- test_ctx->ldb, -- &es, -- decrypted, -- data); -- assert_int_equal(LDB_ERR_OPERATIONS_ERROR, err); -- } --} --#endif - - /* - * Test message encryption. 
-@@ -1096,9 +839,7 @@ static void test_record_decryption(void **state)
- .data = es_keys_blob,
- .length = sizeof(es_keys_blob),
- },
--#ifdef HAVE_GNUTLS_AEAD
- .encryption_algorithm = GNUTLS_CIPHER_AES_128_GCM,
--#endif
- };
- int err = LDB_SUCCESS;
- struct ldb_val dec = decrypt_value(&err, test_ctx, test_ctx->ldb, cipher_text,
-@@ -1131,7 +872,6 @@ int main(void) {
- test_check_header,
- setup,
- teardown),
--#ifdef HAVE_GNUTLS_AEAD
- cmocka_unit_test_setup_teardown(
- test_gnutls_value_encryption,
- setup_with_key,
-@@ -1148,24 +888,6 @@ int main(void) {
- test_gnutls_altered_iv,
- setup_with_key,
- teardown),
--#else
-- cmocka_unit_test_setup_teardown(
-- test_samba_value_encryption,
-- setup_with_key,
-- teardown),
-- cmocka_unit_test_setup_teardown(
-- test_samba_altered_header,
-- setup_with_key,
-- teardown),
-- cmocka_unit_test_setup_teardown(
-- test_samba_altered_data,
-- setup_with_key,
-- teardown),
-- cmocka_unit_test_setup_teardown(
-- test_samba_altered_iv,
-- setup_with_key,
-- teardown),
--#endif /* HAVE_GNUTLS_AEAD */
- cmocka_unit_test_setup_teardown(
- test_message_encryption_decryption,
- setup_with_key,
---
-2.23.0
-
diff --git a/SOURCES/0109-build-Remove-explicit-check-for-HAVE_GNUTLS_AEAD-as-.patch b/SOURCES/0109-build-Remove-explicit-check-for-HAVE_GNUTLS_AEAD-as-.patch
deleted file mode 100644
index a608ec4..0000000
--- a/SOURCES/0109-build-Remove-explicit-check-for-HAVE_GNUTLS_AEAD-as-.patch
+++ /dev/null
@@ -1,37 +0,0 @@
-From 858d3355e4f7de925ce653a7cb3604d58f54a8a0 Mon Sep 17 00:00:00 2001
-From: Andrew Bartlett
-Date: Thu, 15 Aug 2019 17:28:30 +1200
-Subject: [PATCH 109/187] build: Remove explicit check for HAVE_GNUTLS_AEAD as
- we require GnuTLS 3.4.7
-
-We strictly require it and if this were to fail we would want the compile to fail.
-
-Signed-off-by: Andrew Bartlett
-Reviewed-by: Andreas Schneider
-(cherry picked from commit 068da56a20a2712e498fb3724407836bda2f977b)
----
- wscript_configure_system_gnutls | 8 --------
- 1 file changed, 8 deletions(-)
-
-diff --git a/wscript_configure_system_gnutls b/wscript_configure_system_gnutls
-index 02e6567ba2f..68cc306e3dc 100644
---- a/wscript_configure_system_gnutls
-+++ b/wscript_configure_system_gnutls
-@@ -15,14 +15,6 @@ conf.SET_TARGET_TYPE('gnutls', 'SYSLIB')
- # Check for gnutls_pkcs7_get_embedded_data_oid (>= 3.5.5) required by libmscat
- conf.CHECK_FUNCS_IN('gnutls_pkcs7_get_embedded_data_oid', 'gnutls')
-
--# Check for gnutls_aead_cipher_init (>= 3.4.0) used by encrypted_secrets
--if conf.CHECK_FUNCS_IN('gnutls_aead_cipher_init',
-- 'gnutls',
-- headers='gnutls/gnutls.h'):
-- conf.DEFINE('HAVE_GNUTLS_AEAD', '1')
--else:
-- Logs.warn('No gnutls support for AEAD encryption')
--
- if conf.CHECK_VALUEOF('GNUTLS_CIPHER_AES_128_CFB8', headers='gnutls/gnutls.h'):
- conf.DEFINE('HAVE_GNUTLS_AES_CFB8', 1)
- else:
---
-2.23.0
-
diff --git a/SOURCES/0110-libcli-smb-Define-SMB2_AES_128_CCM_NONCE_SIZE.patch b/SOURCES/0110-libcli-smb-Define-SMB2_AES_128_CCM_NONCE_SIZE.patch
deleted file mode 100644
index 37a2c38..0000000
--- a/SOURCES/0110-libcli-smb-Define-SMB2_AES_128_CCM_NONCE_SIZE.patch
+++ /dev/null
@@ -1,27 +0,0 @@
-From b31a1e4fd75654c5995d631ac1961ee56fe3e937 Mon Sep 17 00:00:00 2001
-From: Andreas Schneider
-Date: Tue, 26 Feb 2019 18:06:46 +0100
-Subject: [PATCH 110/187] libcli:smb: Define SMB2_AES_128_CCM_NONCE_SIZE
-
-Signed-off-by: Andreas Schneider
-Reviewed-by: Andrew Bartlett
-(cherry picked from commit 43a941f51b2954ffa1a7ab8a9d5c4a18e654b9f6)
----
- libcli/smb/smb2_constants.h | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/libcli/smb/smb2_constants.h b/libcli/smb/smb2_constants.h
-index 1430f02689c..5832c0e7f83 100644
---- a/libcli/smb/smb2_constants.h
-+++ b/libcli/smb/smb2_constants.h
-@@ -282,4 +282,7 @@
- */
- #define SMB2_DHANDLE_FLAG_PERSISTENT 0x00000002
-
-+/* The AES CCM nonce N of 15 - L octets. Where L=4 */
-+#define SMB2_AES_128_CCM_NONCE_SIZE 11
-+
- #endif
---
-2.23.0
-
diff --git a/SOURCES/0111-libcli-smb-Use-GnuTLS-for-AES-constants.patch b/SOURCES/0111-libcli-smb-Use-GnuTLS-for-AES-constants.patch
deleted file mode 100644
index 6dc9072..0000000
--- a/SOURCES/0111-libcli-smb-Use-GnuTLS-for-AES-constants.patch
+++ /dev/null
@@ -1,46 +0,0 @@
-From 198ddcb18122e922f148c1380d08aec832701c7d Mon Sep 17 00:00:00 2001
-From: Andreas Schneider
-Date: Tue, 26 Feb 2019 18:12:57 +0100
-Subject: [PATCH 111/187] libcli:smb: Use GnuTLS for AES constants
-
-Signed-off-by: Andreas Schneider
-Reviewed-by: Andrew Bartlett
-
-Adapted to remove Samba AES support
-
-Signed-off-by: Andrew Bartlett
-(cherry picked from commit 1b384f378c95f550718ac697271327442e3d09dd)
----
- libcli/smb/smbXcli_base.c | 7 ++-----
- 1 file changed, 2 insertions(+), 5 deletions(-)
-
-diff --git a/libcli/smb/smbXcli_base.c b/libcli/smb/smbXcli_base.c
-index 5db86720c9c..bfc85ecc225 100644
---- a/libcli/smb/smbXcli_base.c
-+++ b/libcli/smb/smbXcli_base.c
-@@ -34,9 +34,6 @@
- #include "librpc/ndr/libndr.h"
- #include "libcli/smb/smb2_negotiate_context.h"
- #include "libcli/smb/smb2_signing.h"
--#include "lib/crypto/aes.h"
--#include "lib/crypto/aes_ccm_128.h"
--#include "lib/crypto/aes_gcm_128.h"
-
- #include "lib/crypto/gnutls_helpers.h"
- #include
-@@ -6257,10 +6254,10 @@ NTSTATUS smb2cli_session_set_session_key(struct smbXcli_session *session,
- sizeof(session->smb2->nonce_high_random));
- switch (conn->smb2.server.cipher) {
- case SMB2_ENCRYPTION_AES128_CCM:
-- nonce_size = AES_CCM_128_NONCE_SIZE;
-+ nonce_size = SMB2_AES_128_CCM_NONCE_SIZE;
- break;
- case SMB2_ENCRYPTION_AES128_GCM:
-- nonce_size = AES_GCM_128_IV_SIZE;
-+ nonce_size = gnutls_cipher_get_iv_size(GNUTLS_CIPHER_AES_128_GCM);
- break;
- default:
- nonce_size = 0;
---
-2.23.0
-
diff --git a/SOURCES/0112-libcli-smb-Add-gnutls_aead_cipher_hd_t-to-smb2_signi.patch b/SOURCES/0112-libcli-smb-Add-gnutls_aead_cipher_hd_t-to-smb2_signi.patch
deleted file mode 100644
index 182803d..0000000
--- a/SOURCES/0112-libcli-smb-Add-gnutls_aead_cipher_hd_t-to-smb2_signi.patch
+++ /dev/null
@@ -1,54 +0,0 @@
-From de4a182c0fab70125cd7e572a8f913c2f686f827 Mon Sep 17 00:00:00 2001
-From: Andreas Schneider
-Date: Thu, 14 Mar 2019 09:26:04 +0100
-Subject: [PATCH 112/187] libcli:smb: Add gnutls_aead_cipher_hd_t to
- smb2_signing_key structure
-
-Signed-off-by: Andreas Schneider
-Reviewed-by: Andrew Bartlett
-
-Adapted to remove Samba AES support
-
-Signed-off-by: Andrew Bartlett
-(cherry picked from commit 37dc63e8afab8e1f88dc8a4b77c6ef3337933eb1)
----
- libcli/smb/smb2_signing.c | 5 +++++
- libcli/smb/smb2_signing.h | 3 +++
- 2 files changed, 8 insertions(+)
-
-diff --git a/libcli/smb/smb2_signing.c b/libcli/smb/smb2_signing.c
-index 2f9bae4ba8e..01027d55fbe 100644
---- a/libcli/smb/smb2_signing.c
-+++ b/libcli/smb/smb2_signing.c
-@@ -35,6 +35,11 @@ int smb2_signing_key_destructor(struct smb2_signing_key *key)
- key->hmac_hnd = NULL;
- }
-
-+ if (key->cipher_hnd != NULL) {
-+ gnutls_aead_cipher_deinit(key->cipher_hnd);
-+ key->cipher_hnd = NULL;
-+ }
-+
- return 0;
- }
-
-diff --git a/libcli/smb/smb2_signing.h b/libcli/smb/smb2_signing.h
-index 96a002f4a0c..13fb54e4e4e 100644
---- a/libcli/smb/smb2_signing.h
-+++ b/libcli/smb/smb2_signing.h
-@@ -25,9 +25,12 @@ struct iovec;
- /* Forward declaration of GnuTLS typedefs */
- struct hmac_hd_st;
- typedef struct hmac_hd_st* gnutls_hmac_hd_t;
-+struct api_aead_cipher_hd_st;
-+typedef struct api_aead_cipher_hd_st *gnutls_aead_cipher_hd_t;
-
- struct smb2_signing_key {
- gnutls_hmac_hd_t hmac_hnd;
-+ gnutls_aead_cipher_hd_t cipher_hnd;
- DATA_BLOB blob;
- };
-
---
-2.23.0
-
diff --git a/SOURCES/0113-libcli-smb-Use-a-smb2_signing_key-for-storing-the-en.patch b/SOURCES/0113-libcli-smb-Use-a-smb2_signing_key-for-storing-the-en.patch
deleted file mode 100644
index b155d73..0000000
--- a/SOURCES/0113-libcli-smb-Use-a-smb2_signing_key-for-storing-the-en.patch
+++ /dev/null
@@ -1,102 +0,0 @@ -From 5076ca90caf92b56a5708cf185835e74ddfe3cfb Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Thu, 14 Mar 2019 09:34:23 +0100 -Subject: [PATCH 113/187] libcli:smb: Use a smb2_signing_key for storing the - encryption key - -Signed-off-by: Andreas Schneider -Reviewed-by: Andrew Bartlett -(cherry picked from commit 48116a30d51d9bac6201a8b94262aa78b451ad63) ---- - libcli/smb/smbXcli_base.c | 29 +++++++++++++++++++---------- - 1 file changed, 19 insertions(+), 10 deletions(-) - -diff --git a/libcli/smb/smbXcli_base.c b/libcli/smb/smbXcli_base.c -index bfc85ecc225..52bc438c389 100644 ---- a/libcli/smb/smbXcli_base.c -+++ b/libcli/smb/smbXcli_base.c -@@ -154,7 +154,7 @@ struct smb2cli_session { - struct smb2_signing_key *signing_key; - bool should_sign; - bool should_encrypt; -- DATA_BLOB encryption_key; -+ struct smb2_signing_key *encryption_key; - DATA_BLOB decryption_key; - uint64_t nonce_high_random; - uint64_t nonce_high_max; -@@ -3090,7 +3090,7 @@ NTSTATUS smb2cli_req_compound_submit(struct tevent_req **reqs, - struct iovec *iov; - int i, num_iov, nbt_len; - int tf_iov = -1; -- const DATA_BLOB *encryption_key = NULL; -+ const struct smb2_signing_key *encryption_key = NULL; - uint64_t encryption_session_id = 0; - uint64_t nonce_high = UINT64_MAX; - uint64_t nonce_low = UINT64_MAX; -@@ -3137,8 +3137,8 @@ NTSTATUS smb2cli_req_compound_submit(struct tevent_req **reqs, - continue; - } - -- encryption_key = &state->session->smb2->encryption_key; -- if (encryption_key->length == 0) { -+ encryption_key = state->session->smb2->encryption_key; -+ if (!smb2_signing_key_valid(encryption_key)) { - return NT_STATUS_INVALID_PARAMETER_MIX; - } - -@@ -3379,7 +3379,7 @@ skip_credits: - buf += v->iov_len; - } - -- status = smb2_signing_encrypt_pdu(*encryption_key, -+ status = smb2_signing_encrypt_pdu(encryption_key->blob, - state->conn->smb2.server.cipher, - &iov[tf_iov], num_iov - tf_iov); - if (!NT_STATUS_IS_OK(status)) { -@@ -5723,11 +5723,11 @@ NTSTATUS 
smb2cli_session_encryption_key(struct smbXcli_session *session, - return NT_STATUS_NO_USER_SESSION_KEY; - } - -- if (session->smb2->encryption_key.length == 0) { -+ if (!smb2_signing_key_valid(session->smb2->encryption_key)) { - return NT_STATUS_NO_USER_SESSION_KEY; - } - -- *key = data_blob_dup_talloc(mem_ctx, session->smb2->encryption_key); -+ *key = data_blob_dup_talloc(mem_ctx, session->smb2->encryption_key->blob); - if (key->data == NULL) { - return NT_STATUS_NO_MEMORY; - } -@@ -6121,9 +6121,18 @@ NTSTATUS smb2cli_session_set_session_key(struct smbXcli_session *session, - } - - session->smb2->encryption_key = -- data_blob_dup_talloc(session, -+ talloc_zero(session, struct smb2_signing_key); -+ if (session->smb2->encryption_key == NULL) { -+ ZERO_STRUCT(session_key); -+ return NT_STATUS_NO_MEMORY; -+ } -+ talloc_set_destructor(session->smb2->encryption_key, -+ smb2_signing_key_destructor); -+ -+ session->smb2->encryption_key->blob = -+ data_blob_dup_talloc(session->smb2->encryption_key, - session->smb2->signing_key->blob); -- if (session->smb2->encryption_key.data == NULL) { -+ if (!smb2_signing_key_valid(session->smb2->encryption_key)) { - ZERO_STRUCT(session_key); - return NT_STATUS_NO_MEMORY; - } -@@ -6134,7 +6143,7 @@ NTSTATUS smb2cli_session_set_session_key(struct smbXcli_session *session, - status = smb2_key_derivation(session_key, sizeof(session_key), - d->label.data, d->label.length, - d->context.data, d->context.length, -- session->smb2->encryption_key.data); -+ session->smb2->encryption_key->blob.data); - if (!NT_STATUS_IS_OK(status)) { - return status; - } --- -2.23.0 - diff --git a/SOURCES/0114-libcli-smb-Use-a-smb2_signing_key-for-storing-the-de.patch b/SOURCES/0114-libcli-smb-Use-a-smb2_signing_key-for-storing-the-de.patch deleted file mode 100644 index 03234bf..0000000 --- a/SOURCES/0114-libcli-smb-Use-a-smb2_signing_key-for-storing-the-de.patch +++ /dev/null 
@@ -1,82 +0,0 @@ -From 225ae1ca2ea83fe0cb212b6675770d8053ff07ce Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Thu, 14 Mar 2019 09:48:54 +0100 -Subject: [PATCH 114/187] libcli:smb: Use a smb2_signing_key for storing the - decryption key - -Signed-off-by: Andreas Schneider -Reviewed-by: Andrew Bartlett -(cherry picked from commit 87832f6140aa5afb42983a1291ba6faa250c7ea3) ---- - libcli/smb/smbXcli_base.c | 23 ++++++++++++++++------- - 1 file changed, 16 insertions(+), 7 deletions(-) - -diff --git a/libcli/smb/smbXcli_base.c b/libcli/smb/smbXcli_base.c -index 52bc438c389..aa69c374d49 100644 ---- a/libcli/smb/smbXcli_base.c -+++ b/libcli/smb/smbXcli_base.c -@@ -155,7 +155,7 @@ struct smb2cli_session { - bool should_sign; - bool should_encrypt; - struct smb2_signing_key *encryption_key; -- DATA_BLOB decryption_key; -+ struct smb2_signing_key *decryption_key; - uint64_t nonce_high_random; - uint64_t nonce_high_max; - uint64_t nonce_high; -@@ -3567,7 +3567,7 @@ static NTSTATUS smb2cli_inbuf_parse_compound(struct smbXcli_conn *conn, - tf_iov[1].iov_base = (void *)hdr; - tf_iov[1].iov_len = enc_len; - -- status = smb2_signing_decrypt_pdu(s->smb2->decryption_key, -+ status = smb2_signing_decrypt_pdu(s->smb2->decryption_key->blob, - conn->smb2.server.cipher, - tf_iov, 2); - if (!NT_STATUS_IS_OK(status)) { -@@ -5747,11 +5747,11 @@ NTSTATUS smb2cli_session_decryption_key(struct smbXcli_session *session, - return NT_STATUS_NO_USER_SESSION_KEY; - } - -- if (session->smb2->decryption_key.length == 0) { -+ if (!smb2_signing_key_valid(session->smb2->decryption_key)) { - return NT_STATUS_NO_USER_SESSION_KEY; - } - -- *key = data_blob_dup_talloc(mem_ctx, session->smb2->decryption_key); -+ *key = data_blob_dup_talloc(mem_ctx, session->smb2->decryption_key->blob); - if (key->data == NULL) { - return NT_STATUS_NO_MEMORY; - } -@@ -6150,9 +6150,18 @@ NTSTATUS smb2cli_session_set_session_key(struct smbXcli_session *session, - } - - session->smb2->decryption_key = -- 
data_blob_dup_talloc(session, -+ talloc_zero(session, struct smb2_signing_key); -+ if (session->smb2->decryption_key == NULL) { -+ ZERO_STRUCT(session_key); -+ return NT_STATUS_NO_MEMORY; -+ } -+ talloc_set_destructor(session->smb2->decryption_key, -+ smb2_signing_key_destructor); -+ -+ session->smb2->decryption_key->blob = -+ data_blob_dup_talloc(session->smb2->decryption_key, - session->smb2->signing_key->blob); -- if (session->smb2->decryption_key.data == NULL) { -+ if (!smb2_signing_key_valid(session->smb2->decryption_key)) { - ZERO_STRUCT(session_key); - return NT_STATUS_NO_MEMORY; - } -@@ -6163,7 +6172,7 @@ NTSTATUS smb2cli_session_set_session_key(struct smbXcli_session *session, - status = smb2_key_derivation(session_key, sizeof(session_key), - d->label.data, d->label.length, - d->context.data, d->context.length, -- session->smb2->decryption_key.data); -+ session->smb2->decryption_key->blob.data); - if (!NT_STATUS_IS_OK(status)) { - return status; - } --- -2.23.0 - diff --git a/SOURCES/0115-s3-smbd-Use-smb2_signing_key-structure-for-the-encry.patch b/SOURCES/0115-s3-smbd-Use-smb2_signing_key-structure-for-the-encry.patch deleted file mode 100644 index dec2b57..0000000 --- a/SOURCES/0115-s3-smbd-Use-smb2_signing_key-structure-for-the-encry.patch +++ /dev/null 
@@ -1,131 +0,0 @@ -From e644d8953c09ec4c73f1cc623f5b70fcdd65ccc1 Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Thu, 14 Mar 2019 10:02:27 +0100 -Subject: [PATCH 115/187] s3:smbd: Use smb2_signing_key structure for the - encryption key - -Signed-off-by: Andreas Schneider -Reviewed-by: Andrew Bartlett -(cherry picked from commit 95e1c85a47e925fdb9105b85f0e1dbea1ff09950) ---- - source3/librpc/idl/smbXsrv.idl | 1 + - source3/smbd/smb2_server.c | 17 ++++++++++------- - source3/smbd/smb2_sesssetup.c | 24 +++++++++++++++++------- - 3 files changed, 28 insertions(+), 14 deletions(-) - -diff --git a/source3/librpc/idl/smbXsrv.idl b/source3/librpc/idl/smbXsrv.idl -index 72017bc3e15..f7acb2198fb 100644 ---- a/source3/librpc/idl/smbXsrv.idl -+++ b/source3/librpc/idl/smbXsrv.idl -@@ -229,6 +229,7 @@ interface smbXsrv - [noprint] DATA_BLOB signing_key_blob; - [ignore] smb2_signing_key *signing_key; - [noprint] DATA_BLOB encryption_key_blob; -+ [ignore] smb2_signing_key *encryption_key; - [noprint] DATA_BLOB decryption_key_blob; - [noprint] DATA_BLOB application_key; - [range(1, 1024)] uint32 num_channels; -diff --git a/source3/smbd/smb2_server.c b/source3/smbd/smb2_server.c -index c0c4a0272d1..b708fdb90b9 100644 ---- a/source3/smbd/smb2_server.c -+++ b/source3/smbd/smb2_server.c -@@ -1737,9 +1737,9 @@ static void smbd_smb2_request_pending_timer(struct tevent_context *ev, - - if (req->do_encryption) { - struct smbXsrv_session *x = req->session; -- DATA_BLOB encryption_key = x->global->encryption_key_blob; -+ struct smb2_signing_key *encryption_key = x->global->encryption_key; - -- status = smb2_signing_encrypt_pdu(encryption_key, -+ status = smb2_signing_encrypt_pdu(encryption_key->blob, - xconn->smb2.server.cipher, - &state->vector[1+SMBD_SMB2_TF_IOV_OFS], - SMBD_SMB2_NUM_IOV_PER_REQ); -@@ -2852,9 +2852,10 @@ static NTSTATUS smbd_smb2_request_reply(struct smbd_smb2_request *req) - (firsttf->iov_len == 0) && - (req->first_key.length == 0) && - (req->session != NULL) && 
-- (req->session->global->encryption_key_blob.length != 0)) -+ smb2_signing_key_valid(req->session->global->encryption_key)) - { -- DATA_BLOB encryption_key = req->session->global->encryption_key_blob; -+ struct smb2_signing_key *encryption_key = -+ req->session->global->encryption_key; - uint8_t *tf; - uint64_t session_id = req->session->global->session_wire_id; - uint64_t nonce_high; -@@ -2878,7 +2879,8 @@ static NTSTATUS smbd_smb2_request_reply(struct smbd_smb2_request *req) - * we are sure that we do not change - * the header again. - */ -- req->first_key = data_blob_dup_talloc(req, encryption_key); -+ req->first_key = data_blob_dup_talloc(req, -+ encryption_key->blob); - if (req->first_key.data == NULL) { - return NT_STATUS_NO_MEMORY; - } -@@ -3414,9 +3416,10 @@ static NTSTATUS smbd_smb2_send_break(struct smbXsrv_connection *xconn, - } - - if (do_encryption) { -- DATA_BLOB encryption_key = session->global->encryption_key_blob; -+ struct smb2_signing_key *encryption_key = -+ session->global->encryption_key; - -- status = smb2_signing_encrypt_pdu(encryption_key, -+ status = smb2_signing_encrypt_pdu(encryption_key->blob, - xconn->smb2.server.cipher, - &state->vector[1+SMBD_SMB2_TF_IOV_OFS], - SMBD_SMB2_NUM_IOV_PER_REQ); -diff --git a/source3/smbd/smb2_sesssetup.c b/source3/smbd/smb2_sesssetup.c -index 591d5c37160..c2725825d7a 100644 ---- a/source3/smbd/smb2_sesssetup.c -+++ b/source3/smbd/smb2_sesssetup.c -@@ -394,18 +394,28 @@ static NTSTATUS smbd_smb2_auth_generic_return(struct smbXsrv_session *session, - struct _derivation *d = &derivation.encryption; - size_t nonce_size; - -- x->global->encryption_key_blob = data_blob_talloc(x->global, -- session_key, -- sizeof(session_key)); -- if (x->global->encryption_key_blob.data == NULL) { -+ x->global->encryption_key = -+ talloc_zero(x->global, struct smb2_signing_key); -+ if (x->global->encryption_key == NULL) { -+ ZERO_STRUCT(session_key); -+ return NT_STATUS_NO_MEMORY; -+ } -+ -+ x->global->encryption_key->blob = -+ 
x->global->encryption_key_blob = -+ data_blob_talloc(x->global->encryption_key, -+ session_key, -+ sizeof(session_key)); -+ if (!smb2_signing_key_valid(x->global->encryption_key)) { - ZERO_STRUCT(session_key); - return NT_STATUS_NO_MEMORY; - } -+ talloc_keep_secret(x->global->encryption_key->blob.data); - - status = smb2_key_derivation(session_key, sizeof(session_key), - d->label.data, d->label.length, - d->context.data, d->context.length, -- x->global->encryption_key_blob.data); -+ x->global->encryption_key->blob.data); - if (!NT_STATUS_IS_OK(status)) { - return status; - } -@@ -477,8 +487,8 @@ static NTSTATUS smbd_smb2_auth_generic_return(struct smbXsrv_session *session, - dump_data(0, x->global->decryption_key_blob.data, - x->global->decryption_key_blob.length); - DEBUGADD(0, ("ServerOut Key ")); -- dump_data(0, x->global->encryption_key_blob.data, -- x->global->encryption_key_blob.length); -+ dump_data(0, x->global->encryption_key->blob.data, -+ x->global->encryption_key->blob.length); - } - - ZERO_STRUCT(session_key); --- -2.23.0 - diff --git a/SOURCES/0116-s3-smbd-Use-smb2_signing_key-structure-for-the-decry.patch b/SOURCES/0116-s3-smbd-Use-smb2_signing_key-structure-for-the-decry.patch deleted file mode 100644 index a93dd46..0000000 --- a/SOURCES/0116-s3-smbd-Use-smb2_signing_key-structure-for-the-decry.patch +++ /dev/null 
@@ -1,92 +0,0 @@ -From 4dc911798e6e5a534c194cb2519c955a0589bf66 Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Thu, 14 Mar 2019 10:10:34 +0100 -Subject: [PATCH 116/187] s3:smbd: Use smb2_signing_key structure for the - decryption key - -Signed-off-by: Andreas Schneider -Reviewed-by: Andrew Bartlett -(cherry picked from commit b51c4293f7430b5ce6a81599fb0c7be5dc444c46) ---- - source3/librpc/idl/smbXsrv.idl | 1 + - source3/smbd/smb2_server.c | 2 +- - source3/smbd/smb2_sesssetup.c | 24 +++++++++++++++++------- - 3 files changed, 19 insertions(+), 8 deletions(-) - -diff --git a/source3/librpc/idl/smbXsrv.idl b/source3/librpc/idl/smbXsrv.idl -index f7acb2198fb..330c6896114 100644 ---- a/source3/librpc/idl/smbXsrv.idl -+++ b/source3/librpc/idl/smbXsrv.idl -@@ -231,6 +231,7 @@ interface smbXsrv - [noprint] DATA_BLOB encryption_key_blob; - [ignore] smb2_signing_key *encryption_key; - [noprint] DATA_BLOB decryption_key_blob; -+ [ignore] smb2_signing_key *decryption_key; - [noprint] DATA_BLOB application_key; - [range(1, 1024)] uint32 num_channels; - smbXsrv_channel_global0 channels[num_channels]; -diff --git a/source3/smbd/smb2_server.c b/source3/smbd/smb2_server.c -index b708fdb90b9..56e7b70696b 100644 ---- a/source3/smbd/smb2_server.c -+++ b/source3/smbd/smb2_server.c -@@ -432,7 +432,7 @@ static NTSTATUS smbd_smb2_inbuf_parse_compound(struct smbXsrv_connection *xconn, - tf_iov[1].iov_base = (void *)hdr; - tf_iov[1].iov_len = enc_len; - -- status = smb2_signing_decrypt_pdu(s->global->decryption_key_blob, -+ status = smb2_signing_decrypt_pdu(s->global->decryption_key->blob, - xconn->smb2.server.cipher, - tf_iov, 2); - if (!NT_STATUS_IS_OK(status)) { -diff --git a/source3/smbd/smb2_sesssetup.c b/source3/smbd/smb2_sesssetup.c -index c2725825d7a..d6900665a95 100644 ---- a/source3/smbd/smb2_sesssetup.c -+++ b/source3/smbd/smb2_sesssetup.c -@@ -373,18 +373,28 @@ static NTSTATUS smbd_smb2_auth_generic_return(struct smbXsrv_session *session, - if (xconn->protocol >= 
PROTOCOL_SMB2_24) { - struct _derivation *d = &derivation.decryption; - -- x->global->decryption_key_blob = data_blob_talloc(x->global, -- session_key, -- sizeof(session_key)); -- if (x->global->decryption_key_blob.data == NULL) { -+ x->global->decryption_key = -+ talloc_zero(x->global, struct smb2_signing_key); -+ if (x->global->decryption_key == NULL) { -+ ZERO_STRUCT(session_key); -+ return NT_STATUS_NO_MEMORY; -+ } -+ -+ x->global->decryption_key->blob = -+ x->global->decryption_key_blob = -+ data_blob_talloc(x->global->decryption_key, -+ session_key, -+ sizeof(session_key)); -+ if (!smb2_signing_key_valid(x->global->decryption_key)) { - ZERO_STRUCT(session_key); - return NT_STATUS_NO_MEMORY; - } -+ talloc_keep_secret(x->global->decryption_key->blob.data); - - status = smb2_key_derivation(session_key, sizeof(session_key), - d->label.data, d->label.length, - d->context.data, d->context.length, -- x->global->decryption_key_blob.data); -+ x->global->decryption_key->blob.data); - if (!NT_STATUS_IS_OK(status)) { - return status; - } -@@ -484,8 +494,8 @@ static NTSTATUS smbd_smb2_auth_generic_return(struct smbXsrv_session *session, - /* In server code, ServerIn is the decryption key */ - - DEBUGADD(0, ("ServerIn Key ")); -- dump_data(0, x->global->decryption_key_blob.data, -- x->global->decryption_key_blob.length); -+ dump_data(0, x->global->decryption_key->blob.data, -+ x->global->decryption_key->blob.length); - DEBUGADD(0, ("ServerOut Key ")); - dump_data(0, x->global->encryption_key->blob.data, - x->global->encryption_key->blob.length); --- -2.23.0 - diff --git a/SOURCES/0117-s3-smbd-Use-GnuTLS-for-AES-constants.patch b/SOURCES/0117-s3-smbd-Use-GnuTLS-for-AES-constants.patch deleted file mode 100644 index 589327a..0000000 --- a/SOURCES/0117-s3-smbd-Use-GnuTLS-for-AES-constants.patch +++ /dev/null 
@@ -1,46 +0,0 @@
-From ad4ee458c404dda36480a9c501e1ffb221b35b61 Mon Sep 17 00:00:00 2001
-From: Andreas Schneider
-Date: Tue, 26 Feb 2019 18:11:27 +0100
-Subject: [PATCH 117/187] s3:smbd: Use GnuTLS for AES constants
-
-Signed-off-by: Andreas Schneider
-Reviewed-by: Andrew Bartlett
-
-Adapted to remove Samba AES
-
-Signed-off-by: Andrew Bartlett
-(cherry picked from commit 33bca1fb8087f7392a8ff0d295a5bdc01f1012e7)
----
- source3/smbd/smb2_sesssetup.c | 7 ++-----
- 1 file changed, 2 insertions(+), 5 deletions(-)
-
-diff --git a/source3/smbd/smb2_sesssetup.c b/source3/smbd/smb2_sesssetup.c
-index d6900665a95..82ac1182ecc 100644
---- a/source3/smbd/smb2_sesssetup.c
-+++ b/source3/smbd/smb2_sesssetup.c
-@@ -28,9 +28,6 @@
- #include "../lib/tsocket/tsocket.h"
- #include "../libcli/security/security.h"
- #include "../lib/util/tevent_ntstatus.h"
--#include "lib/crypto/aes.h"
--#include "lib/crypto/aes_ccm_128.h"
--#include "lib/crypto/aes_gcm_128.h"
-
- #include "lib/crypto/gnutls_helpers.h"
- #include
-@@ -443,10 +440,10 @@ static NTSTATUS smbd_smb2_auth_generic_return(struct smbXsrv_session *session,
- sizeof(x->nonce_high_random));
- switch (xconn->smb2.server.cipher) {
- case SMB2_ENCRYPTION_AES128_CCM:
-- nonce_size = AES_CCM_128_NONCE_SIZE;
-+ nonce_size = SMB2_AES_128_CCM_NONCE_SIZE;
- break;
- case SMB2_ENCRYPTION_AES128_GCM:
-- nonce_size = AES_GCM_128_IV_SIZE;
-+ nonce_size = gnutls_cipher_get_iv_size(GNUTLS_CIPHER_AES_128_GCM);
- break;
- default:
- nonce_size = 0;
---
-2.23.0
-
diff --git a/SOURCES/0118-waf-Check-for-AES128-CMAC-support-in-GnuTLS.patch b/SOURCES/0118-waf-Check-for-AES128-CMAC-support-in-GnuTLS.patch
deleted file mode 100644
index 919bf3b..0000000
--- a/SOURCES/0118-waf-Check-for-AES128-CMAC-support-in-GnuTLS.patch
+++ /dev/null
@@ -1,28 +0,0 @@
-From 9dbaac0a6d4bc0a5dfd3b08ceeab5e0e0245e090 Mon Sep 17 00:00:00 2001
-From: Andreas Schneider
-Date: Wed, 27 Feb 2019 14:40:07 +0100
-Subject: [PATCH 118/187] waf: Check for AES128 CMAC support in GnuTLS
-
-Signed-off-by: Andreas Schneider
-Reviewed-by: Andrew Bartlett
-(cherry picked from commit 69be6b8416198cfa8e2404a0a62ce6432425adef)
----
- wscript_configure_system_gnutls | 5 +++++
- 1 file changed, 5 insertions(+)
-
-diff --git a/wscript_configure_system_gnutls b/wscript_configure_system_gnutls
-index 68cc306e3dc..f71fd4fb97f 100644
---- a/wscript_configure_system_gnutls
-+++ b/wscript_configure_system_gnutls
-@@ -19,3 +19,8 @@ if conf.CHECK_VALUEOF('GNUTLS_CIPHER_AES_128_CFB8', headers='gnutls/gnutls.h'):
- conf.DEFINE('HAVE_GNUTLS_AES_CFB8', 1)
- else:
- Logs.warn('No gnutls support for AES CFB8')
-+
-+if conf.CHECK_VALUEOF('GNUTLS_MAC_AES_CMAC_128', headers='gnutls/gnutls.h'):
-+ conf.DEFINE('HAVE_GNUTLS_AES_CMAC', 1)
-+else:
-+ Logs.warn('No gnutls support for AES CMAC')
---
-2.23.0
-
diff --git a/SOURCES/0119-libcli-smb-Use-GnuTLS-AES128-CMAC-in-smb2_signing_si.patch b/SOURCES/0119-libcli-smb-Use-GnuTLS-AES128-CMAC-in-smb2_signing_si.patch
deleted file mode 100644
index ad98e9e..0000000
--- a/SOURCES/0119-libcli-smb-Use-GnuTLS-AES128-CMAC-in-smb2_signing_si.patch
+++ /dev/null
@@ -1,79 +0,0 @@ -From d693c836b1d5f37d9dae8a6dbefc7b731863eacb Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Wed, 27 Feb 2019 14:40:30 +0100 -Subject: [PATCH 119/187] libcli:smb: Use GnuTLS AES128 CMAC in - smb2_signing_sign_pdu() - -Signed-off-by: Andreas Schneider -Reviewed-by: Andrew Bartlett - -Adapted by Andrew Bartlett to followup from earlier patch to -allow compile without GnuTLS over the whole series. - -Signed-off-by: Andrew Bartlett -(cherry picked from commit ee11e3ffd8d801cb5988bb73dbccd1e2f0cbe7b0) ---- - libcli/smb/smb2_signing.c | 33 +++++++++++++++++++++++++++++++++ - 1 file changed, 33 insertions(+) - -diff --git a/libcli/smb/smb2_signing.c b/libcli/smb/smb2_signing.c -index 01027d55fbe..b7c0be528b7 100644 ---- a/libcli/smb/smb2_signing.c -+++ b/libcli/smb/smb2_signing.c -@@ -24,6 +24,11 @@ - #include "../lib/crypto/crypto.h" - #include "lib/util/iov_buf.h" - -+#ifndef HAVE_GNUTLS_AES_CMAC -+#include "lib/crypto/aes.h" -+#include "lib/crypto/aes_cmac_128.h" -+#endif -+ - #include "lib/crypto/gnutls_helpers.h" - #include - #include -@@ -96,6 +101,33 @@ NTSTATUS smb2_signing_sign_pdu(struct smb2_signing_key *signing_key, - SIVAL(hdr, SMB2_HDR_FLAGS, IVAL(hdr, SMB2_HDR_FLAGS) | SMB2_HDR_FLAG_SIGNED); - - if (protocol >= PROTOCOL_SMB2_24) { -+#ifdef HAVE_GNUTLS_AES_CMAC -+ gnutls_datum_t key = { -+ .data = signing_key->blob.data, -+ .size = MIN(signing_key->blob.length, 16), -+ }; -+ int rc; -+ -+ if (signing_key->hmac_hnd == NULL) { -+ rc = gnutls_hmac_init(&signing_key->hmac_hnd, -+ GNUTLS_MAC_AES_CMAC_128, -+ key.data, -+ key.size); -+ if (rc < 0) { -+ return NT_STATUS_NO_MEMORY; -+ } -+ } -+ -+ for (i = 0; i < count; i++) { -+ rc = gnutls_hmac(signing_key->hmac_hnd, -+ vector[i].iov_base, -+ vector[i].iov_len); -+ if (rc < 0) { -+ return NT_STATUS_INTERNAL_ERROR; -+ } -+ } -+ gnutls_hmac_output(signing_key->hmac_hnd, res); -+#else /* NOT HAVE_GNUTLS_AES_CMAC */ - struct aes_cmac_128_context ctx; - uint8_t key[AES_BLOCK_SIZE] = {0}; - 
-@@ -112,6 +144,7 @@ NTSTATUS smb2_signing_sign_pdu(struct smb2_signing_key *signing_key, - aes_cmac_128_final(&ctx, res); - - ZERO_ARRAY(key); -+#endif /* HAVE_GNUTLS_AES_CMAC */ - } else { - uint8_t digest[gnutls_hmac_get_len(GNUTLS_MAC_SHA256)]; - int rc; --- -2.23.0 - diff --git a/SOURCES/0120-libcli-smb-Use-gnutls_error_to_ntstatus-in-smb2_sign.patch b/SOURCES/0120-libcli-smb-Use-gnutls_error_to_ntstatus-in-smb2_sign.patch deleted file mode 100644 index cc4684b..0000000 --- a/SOURCES/0120-libcli-smb-Use-gnutls_error_to_ntstatus-in-smb2_sign.patch +++ /dev/null @@ -1,38 +0,0 @@ -From a7169122940d8eb3e37320dc1dca4c99e0c6f37a Mon Sep 17 00:00:00 2001 -From: Andrew Bartlett -Date: Fri, 16 Aug 2019 15:47:49 +1200 -Subject: [PATCH 120/187] libcli/smb: Use gnutls_error_to_ntstatus() in - smb2_signing_sign_pdu() - -Signed-off-by: Andrew Bartlett -Reviewed-by: Andreas Schneider -(cherry picked from commit 9d8ffc81a53b6b3d7c29f0da8fd71e696ca7e9d8) ---- - libcli/smb/smb2_signing.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/libcli/smb/smb2_signing.c b/libcli/smb/smb2_signing.c -index b7c0be528b7..466fe9a49e3 100644 ---- a/libcli/smb/smb2_signing.c -+++ b/libcli/smb/smb2_signing.c -@@ -114,7 +114,7 @@ NTSTATUS smb2_signing_sign_pdu(struct smb2_signing_key *signing_key, - key.data, - key.size); - if (rc < 0) { -- return NT_STATUS_NO_MEMORY; -+ return gnutls_error_to_ntstatus(rc, NT_STATUS_HMAC_NOT_SUPPORTED); - } - } - -@@ -123,7 +123,7 @@ NTSTATUS smb2_signing_sign_pdu(struct smb2_signing_key *signing_key, - vector[i].iov_base, - vector[i].iov_len); - if (rc < 0) { -- return NT_STATUS_INTERNAL_ERROR; -+ return gnutls_error_to_ntstatus(rc, NT_STATUS_HMAC_NOT_SUPPORTED); - } - } - gnutls_hmac_output(signing_key->hmac_hnd, res); --- -2.23.0 - 
diff --git a/SOURCES/0121-libcli-smb-Use-GnuTLS-AES128-CMAC-in-smb2_signing_ch.patch b/SOURCES/0121-libcli-smb-Use-GnuTLS-AES128-CMAC-in-smb2_signing_ch.patch
deleted file mode 100644
index 2638564..0000000
--- a/SOURCES/0121-libcli-smb-Use-GnuTLS-AES128-CMAC-in-smb2_signing_ch.patch
+++ /dev/null
@@ -1,72 +0,0 @@ -From 7f4ab026bdb4b276a76c8359481124ff77597a42 Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Fri, 15 Mar 2019 16:58:21 +0100 -Subject: [PATCH 121/187] libcli:smb: Use GnuTLS AES128 CMAC in - smb2_signing_check_pdu() - -Signed-off-by: Andreas Schneider -Reviewed-by: Andrew Bartlett -(cherry picked from commit 1490f9260060104b31beefac9e61addd36b1919a) ---- - libcli/smb/smb2_signing.c | 38 ++++++++++++++++++++++++++++++++++++++ - 1 file changed, 38 insertions(+) - -diff --git a/libcli/smb/smb2_signing.c b/libcli/smb/smb2_signing.c -index 466fe9a49e3..5bf61bd477b 100644 ---- a/libcli/smb/smb2_signing.c -+++ b/libcli/smb/smb2_signing.c -@@ -216,6 +216,43 @@ NTSTATUS smb2_signing_check_pdu(struct smb2_signing_key *signing_key, - sig = hdr+SMB2_HDR_SIGNATURE; - - if (protocol >= PROTOCOL_SMB2_24) { -+#ifdef HAVE_GNUTLS_AES_CMAC -+ gnutls_datum_t key = { -+ .data = signing_key->blob.data, -+ .size = MIN(signing_key->blob.length, 16), -+ }; -+ int rc; -+ -+ if (signing_key->hmac_hnd == NULL) { -+ rc = gnutls_hmac_init(&signing_key->hmac_hnd, -+ GNUTLS_MAC_AES_CMAC_128, -+ key.data, -+ key.size); -+ if (rc < 0) { -+ return NT_STATUS_NO_MEMORY; -+ } -+ } -+ -+ rc = gnutls_hmac(signing_key->hmac_hnd, hdr, SMB2_HDR_SIGNATURE); -+ if (rc < 0) { -+ return NT_STATUS_INTERNAL_ERROR; -+ } -+ -+ rc = gnutls_hmac(signing_key->hmac_hnd, zero_sig, 16); -+ if (rc < 0) { -+ return NT_STATUS_INTERNAL_ERROR; -+ } -+ -+ for (i = 1; i < count; i++) { -+ rc = gnutls_hmac(signing_key->hmac_hnd, -+ vector[i].iov_base, -+ vector[i].iov_len); -+ if (rc < 0) { -+ return NT_STATUS_INTERNAL_ERROR; -+ } -+ } -+ gnutls_hmac_output(signing_key->hmac_hnd, res); -+#else /* NOT HAVE_GNUTLS_AES_CMAC */ - struct aes_cmac_128_context ctx; - uint8_t key[AES_BLOCK_SIZE] = {0}; - -@@ -234,6 +271,7 @@ NTSTATUS smb2_signing_check_pdu(struct smb2_signing_key *signing_key, - aes_cmac_128_final(&ctx, res); - - ZERO_ARRAY(key); -+#endif - } else { - uint8_t 
digest[gnutls_hash_get_len(GNUTLS_MAC_SHA256)]; - int rc; --- -2.23.0 - diff --git a/SOURCES/0122-libcli-smb-Use-gnutls_error_to_ntstatus-in-smb2_sign.patch b/SOURCES/0122-libcli-smb-Use-gnutls_error_to_ntstatus-in-smb2_sign.patch deleted file mode 100644 index 2018bb7..0000000 --- a/SOURCES/0122-libcli-smb-Use-gnutls_error_to_ntstatus-in-smb2_sign.patch +++ /dev/null 
@@ -1,51 +0,0 @@ -From 1aa93773ac48915c8eaabc959ae2bf65037a368c Mon Sep 17 00:00:00 2001 -From: Andrew Bartlett -Date: Fri, 16 Aug 2019 15:50:03 +1200 -Subject: [PATCH 122/187] libcli/smb: Use gnutls_error_to_ntstatus() in - smb2_signing_check_pdu() - -Signed-off-by: Andrew Bartlett -Reviewed-by: Andreas Schneider -(cherry picked from commit 70ff03ecb6826525727d87ef8807428f91f4e506) ---- - libcli/smb/smb2_signing.c | 8 ++++---- - 1 file changed, 4 insertions(+), 4 deletions(-) - -diff --git a/libcli/smb/smb2_signing.c b/libcli/smb/smb2_signing.c -index 5bf61bd477b..1ec60a4f9a5 100644 ---- a/libcli/smb/smb2_signing.c -+++ b/libcli/smb/smb2_signing.c -@@ -229,18 +229,18 @@ NTSTATUS smb2_signing_check_pdu(struct smb2_signing_key *signing_key, - key.data, - key.size); - if (rc < 0) { -- return NT_STATUS_NO_MEMORY; -+ return gnutls_error_to_ntstatus(rc, NT_STATUS_HMAC_NOT_SUPPORTED); - } - } - - rc = gnutls_hmac(signing_key->hmac_hnd, hdr, SMB2_HDR_SIGNATURE); - if (rc < 0) { -- return NT_STATUS_INTERNAL_ERROR; -+ return gnutls_error_to_ntstatus(rc, NT_STATUS_HMAC_NOT_SUPPORTED); - } - - rc = gnutls_hmac(signing_key->hmac_hnd, zero_sig, 16); - if (rc < 0) { -- return NT_STATUS_INTERNAL_ERROR; -+ return gnutls_error_to_ntstatus(rc, NT_STATUS_HMAC_NOT_SUPPORTED); - } - - for (i = 1; i < count; i++) { -@@ -248,7 +248,7 @@ NTSTATUS smb2_signing_check_pdu(struct smb2_signing_key *signing_key, - vector[i].iov_base, - vector[i].iov_len); - if (rc < 0) { -- return NT_STATUS_INTERNAL_ERROR; -+ return gnutls_error_to_ntstatus(rc, NT_STATUS_HMAC_NOT_SUPPORTED); - } - } - gnutls_hmac_output(signing_key->hmac_hnd, res); --- -2.23.0 - diff --git a/SOURCES/0123-lib-crypto-Do-not-build-AES-CMAC-if-we-use-GnuTLS-th.patch b/SOURCES/0123-lib-crypto-Do-not-build-AES-CMAC-if-we-use-GnuTLS-th.patch deleted file mode 100644 index ce22e15..0000000 --- a/SOURCES/0123-lib-crypto-Do-not-build-AES-CMAC-if-we-use-GnuTLS-th.patch +++ /dev/null 
@@ -1,72 +0,0 @@ -From 5c7eee2facbfc51078ecbdfcfe895a1215e56029 Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Fri, 15 Mar 2019 14:54:13 +0100 -Subject: [PATCH 123/187] lib:crypto: Do not build AES-CMAC if we use GnuTLS - that supports it - -This requires GnuTLS >= 3.6.5. - -Signed-off-by: Andreas Schneider -Reviewed-by: Andrew Bartlett - -Autobuild-User(master): Andreas Schneider -Autobuild-Date(master): Wed Aug 21 11:14:11 UTC 2019 on sn-devel-184 - -(cherry picked from commit c3f969817553dc9c9db88741bad51100b4d24604) ---- - lib/crypto/wscript_build | 6 ++++-- - source4/torture/local/local.c | 4 ++++ - 2 files changed, 8 insertions(+), 2 deletions(-) - -diff --git a/lib/crypto/wscript_build b/lib/crypto/wscript_build -index dcac8fcd30c..4f1665a7fd9 100644 ---- a/lib/crypto/wscript_build -+++ b/lib/crypto/wscript_build -@@ -26,7 +26,8 @@ bld.SAMBA_SUBSYSTEM('LIBCRYPTO_AES', - - bld.SAMBA_SUBSYSTEM('LIBCRYPTO_AES_CMAC', - source='aes_cmac_128.c', -- deps='talloc') -+ deps='talloc', -+ enabled=not bld.CONFIG_SET('HAVE_GNUTLS_AES_CMAC')) - - bld.SAMBA_SUBSYSTEM('LIBCRYPTO', - source=''' -@@ -53,7 +54,8 @@ bld.SAMBA_SUBSYSTEM('TORTURE_LIBCRYPTO_AES_GCM', - bld.SAMBA_SUBSYSTEM('TORTURE_LIBCRYPTO_AES_CMAC', - source='aes_cmac_128_test.c', - autoproto='aes_cmac_test_proto.h', -- deps='talloc') -+ deps='talloc', -+ enabled=not bld.CONFIG_SET('HAVE_GNUTLS_AES_CMAC')) - - bld.SAMBA_SUBSYSTEM('TORTURE_LIBCRYPTO', - source='md4test.c', -diff --git a/source4/torture/local/local.c b/source4/torture/local/local.c -index fa4061c108b..5812f4dd20c 100644 ---- a/source4/torture/local/local.c -+++ b/source4/torture/local/local.c -@@ -25,7 +25,9 @@ - #include "../lib/crypto/test_proto.h" - #include "../lib/crypto/aes_ccm_test_proto.h" - #include "../lib/crypto/aes_gcm_test_proto.h" -+#ifndef HAVE_GNUTLS_AES_CMAC - #include "../lib/crypto/aes_cmac_test_proto.h" -+#endif - #include "lib/registry/tests/proto.h" - #include "lib/replace/replace-testsuite.h" - -@@ -94,8 +96,10 @@ 
NTSTATUS torture_local_init(TALLOC_CTX *ctx) - - torture_suite_add_simple_test(suite, - "crypto.md4", torture_local_crypto_md4); -+#ifndef HAVE_GNUTLS_AES_CMAC - torture_suite_add_simple_test(suite, "crypto.aes_cmac_128", - torture_local_crypto_aes_cmac_128); -+#endif - torture_suite_add_simple_test(suite, "crypto.aes_ccm_128", - torture_local_crypto_aes_ccm_128); - torture_suite_add_simple_test(suite, "crypto.aes_gcm_128", --- -2.23.0 - diff --git a/SOURCES/0124-libcli-smb-Support-GnuTLS-AES-CCM-and-GCM-in-smb2_si.patch b/SOURCES/0124-libcli-smb-Support-GnuTLS-AES-CCM-and-GCM-in-smb2_si.patch deleted file mode 100644 index aa3f7c0..0000000 --- a/SOURCES/0124-libcli-smb-Support-GnuTLS-AES-CCM-and-GCM-in-smb2_si.patch +++ /dev/null 
@@ -1,225 +0,0 @@ -From c69a481c6777b156165fe1226b3af7c4be365be4 Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Mon, 25 Feb 2019 18:05:16 +0100 -Subject: [PATCH 124/187] libcli:smb: Support GnuTLS AES CCM and GCM in - smb2_signing_encrypt_pdu() - -This requires GnuTLS >= 3.4.0. - -Signed-off-by: Andreas Schneider -Reviewed-by: Andrew Bartlett - -Adapted to remove Samba AES support - -Signed-off-by: Andrew Bartlett -(cherry picked from commit f43da2adf64a8ff20ce6478f656927e531bc42af) ---- - libcli/smb/smb2_signing.c | 169 ++++++++++++++++++++++++++++---------- - 1 file changed, 124 insertions(+), 45 deletions(-) - -diff --git a/libcli/smb/smb2_signing.c b/libcli/smb/smb2_signing.c -index 1ec60a4f9a5..52209d9553b 100644 ---- a/libcli/smb/smb2_signing.c -+++ b/libcli/smb/smb2_signing.c -@@ -392,15 +392,19 @@ NTSTATUS smb2_signing_encrypt_pdu(DATA_BLOB encryption_key, - int count) - { - uint8_t *tf; -- uint8_t sig[16]; - int i; - size_t a_total; - ssize_t m_total; -- union { -- struct aes_ccm_128_context ccm; -- struct aes_gcm_128_context gcm; -- } c; -- uint8_t key[AES_BLOCK_SIZE]; -+ uint32_t iv_size = 0; -+ uint32_t key_size = 0; -+ uint32_t tag_size = 0; -+ uint8_t _key[16] = {0}; -+ gnutls_cipher_algorithm_t algo = 0; -+ gnutls_aead_cipher_hd_t cipher_hnd = NULL; -+ gnutls_datum_t key; -+ gnutls_datum_t iv; -+ NTSTATUS status; -+ int rc; - - if (count < 1) { - return NT_STATUS_INVALID_PARAMETER; -@@ -428,58 +432,133 @@ NTSTATUS smb2_signing_encrypt_pdu(DATA_BLOB encryption_key, - SSVAL(tf, SMB2_TF_FLAGS, SMB2_TF_FLAGS_ENCRYPTED); - SIVAL(tf, SMB2_TF_MSG_SIZE, m_total); - -- ZERO_STRUCT(key); -- memcpy(key, encryption_key.data, -- MIN(encryption_key.length, AES_BLOCK_SIZE)); -- - switch (cipher_id) { - case SMB2_ENCRYPTION_AES128_CCM: -- aes_ccm_128_init(&c.ccm, key, -- tf + SMB2_TF_NONCE, -- a_total, m_total); -- memset(tf + SMB2_TF_NONCE + AES_CCM_128_NONCE_SIZE, 0, -- 16 - AES_CCM_128_NONCE_SIZE); -- aes_ccm_128_update(&c.ccm, tf + SMB2_TF_NONCE, 
a_total); -- for (i=1; i < count; i++) { -- aes_ccm_128_update(&c.ccm, -- (const uint8_t *)vector[i].iov_base, -- vector[i].iov_len); -- aes_ccm_128_crypt(&c.ccm, -- (uint8_t *)vector[i].iov_base, -- vector[i].iov_len); -- } -- aes_ccm_128_digest(&c.ccm, sig); -+ algo = GNUTLS_CIPHER_AES_128_CCM; -+ iv_size = SMB2_AES_128_CCM_NONCE_SIZE; - break; -- - case SMB2_ENCRYPTION_AES128_GCM: -- aes_gcm_128_init(&c.gcm, key, tf + SMB2_TF_NONCE); -- memset(tf + SMB2_TF_NONCE + AES_GCM_128_IV_SIZE, 0, -- 16 - AES_GCM_128_IV_SIZE); -- aes_gcm_128_updateA(&c.gcm, tf + SMB2_TF_NONCE, a_total); -- for (i=1; i < count; i++) { -- aes_gcm_128_crypt(&c.gcm, -- (uint8_t *)vector[i].iov_base, -- vector[i].iov_len); -- aes_gcm_128_updateC(&c.gcm, -- (const uint8_t *)vector[i].iov_base, -- vector[i].iov_len); -- } -- aes_gcm_128_digest(&c.gcm, sig); -+ algo = GNUTLS_CIPHER_AES_128_GCM; -+ iv_size = gnutls_cipher_get_iv_size(algo); - break; -- - default: -- ZERO_STRUCT(key); - return NT_STATUS_INVALID_PARAMETER; - } -- ZERO_STRUCT(key); - -- memcpy(tf + SMB2_TF_SIGNATURE, sig, 16); -+ key_size = gnutls_cipher_get_key_size(algo); -+ tag_size = gnutls_cipher_get_tag_size(algo); - -- DEBUG(5,("encrypt SMB2 message\n")); -+ if (key_size > sizeof(_key)) { -+ return NT_STATUS_BUFFER_TOO_SMALL; -+ } - -- return NT_STATUS_OK; -+ key = (gnutls_datum_t) { -+ .data = _key, -+ .size = key_size, -+ }; -+ -+ memcpy(key.data, -+ encryption_key.data, -+ MIN(encryption_key.length, key.size)); -+ -+ iv = (gnutls_datum_t) { -+ .data = tf + SMB2_TF_NONCE, -+ .size = iv_size, -+ }; -+ -+ rc = gnutls_aead_cipher_init(&cipher_hnd, -+ algo, -+ &key); -+ if (rc < 0) { -+ status = NT_STATUS_NO_MEMORY; -+ goto out; -+ } -+ -+ memset(tf + SMB2_TF_NONCE + iv_size, -+ 0, -+ 16 - iv_size); -+ -+ { -+ size_t ptext_size = m_total; -+ uint8_t *ptext = NULL; -+ size_t ctext_size = m_total + tag_size; -+ uint8_t *ctext = NULL; -+ size_t len = 0; -+ -+ ptext = talloc_size(talloc_tos(), ptext_size); -+ if (ptext == NULL) { -+ 
gnutls_aead_cipher_deinit(cipher_hnd); -+ status = NT_STATUS_NO_MEMORY; -+ goto out; -+ } -+ -+ ctext = talloc_size(talloc_tos(), ctext_size); -+ if (ctext == NULL) { -+ gnutls_aead_cipher_deinit(cipher_hnd); -+ status = NT_STATUS_NO_MEMORY; -+ goto out; -+ } -+ -+ for (i = 1; i < count; i++) { -+ memcpy(ptext + len, -+ vector[i].iov_base, -+ vector[i].iov_len); -+ -+ len += vector[i].iov_len; -+ if (len > ptext_size) { -+ TALLOC_FREE(ptext); -+ TALLOC_FREE(ctext); -+ gnutls_aead_cipher_deinit(cipher_hnd); -+ status = NT_STATUS_INTERNAL_ERROR; -+ goto out; -+ } -+ } -+ -+ rc = gnutls_aead_cipher_encrypt(cipher_hnd, -+ iv.data, -+ iv.size, -+ tf + SMB2_TF_NONCE, -+ a_total, -+ tag_size, -+ ptext, -+ ptext_size, -+ ctext, -+ &ctext_size); -+ if (rc < 0 || ctext_size != m_total + tag_size) { -+ DBG_ERR("ERROR: %s\n", gnutls_strerror(rc)); -+ TALLOC_FREE(ptext); -+ TALLOC_FREE(ctext); -+ gnutls_aead_cipher_deinit(cipher_hnd); -+ status = NT_STATUS_INTERNAL_ERROR; -+ goto out; -+ } -+ -+ len = 0; -+ for (i = 1; i < count; i++) { -+ memcpy(vector[i].iov_base, -+ ctext + len, -+ vector[i].iov_len); -+ -+ len += vector[i].iov_len; -+ } -+ -+ memcpy(tf + SMB2_TF_SIGNATURE, ctext + m_total, tag_size); -+ -+ TALLOC_FREE(ptext); -+ TALLOC_FREE(ctext); -+ } -+ gnutls_aead_cipher_deinit(cipher_hnd); -+ -+ DBG_INFO("Enencrypted SMB2 message\n"); -+ -+ status = NT_STATUS_OK; -+out: -+ ZERO_ARRAY(_key); -+ -+ return status; - } - -+ - NTSTATUS smb2_signing_decrypt_pdu(DATA_BLOB decryption_key, - uint16_t cipher_id, - struct iovec *vector, --- -2.23.0 - diff --git a/SOURCES/0125-libcli-smb-Support-GnuTLS-AES-CCM-and-GCM-in-smb2_si.patch b/SOURCES/0125-libcli-smb-Support-GnuTLS-AES-CCM-and-GCM-in-smb2_si.patch deleted file mode 100644 index 0b77f9f..0000000 --- a/SOURCES/0125-libcli-smb-Support-GnuTLS-AES-CCM-and-GCM-in-smb2_si.patch +++ /dev/null 
@@ -1,231 +0,0 @@ -From 94b8f3071fafea18ceb59098f8611a0f2cb5a655 Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Tue, 26 Feb 2019 16:43:36 +0100 -Subject: [PATCH 125/187] libcli:smb: Support GnuTLS AES CCM and GCM in - smb2_signing_decrypt_pdu() - -This requires GnuTLS >= 3.4.0. - -Signed-off-by: Andreas Schneider -Reviewed-by: Andrew Bartlett - -Adapted to remove Samba AES support - -Signed-off-by: Andrew Bartlett -(cherry picked from commit 3d2de36d9a08354fb775a5d93a9b40012bf6966f) ---- - libcli/smb/smb2_signing.c | 170 ++++++++++++++++++++++++++++---------- - 1 file changed, 125 insertions(+), 45 deletions(-) - -diff --git a/libcli/smb/smb2_signing.c b/libcli/smb/smb2_signing.c -index 52209d9553b..1d9c99337d8 100644 ---- a/libcli/smb/smb2_signing.c -+++ b/libcli/smb/smb2_signing.c -@@ -558,7 +558,6 @@ out: - return status; - } - -- - NTSTATUS smb2_signing_decrypt_pdu(DATA_BLOB decryption_key, - uint16_t cipher_id, - struct iovec *vector, -@@ -566,17 +565,20 @@ NTSTATUS smb2_signing_decrypt_pdu(DATA_BLOB decryption_key, - { - uint8_t *tf; - uint16_t flags; -- uint8_t *sig_ptr = NULL; -- uint8_t sig[16]; - int i; - size_t a_total; - ssize_t m_total; - uint32_t msg_size = 0; -- union { -- struct aes_ccm_128_context ccm; -- struct aes_gcm_128_context gcm; -- } c; -- uint8_t key[AES_BLOCK_SIZE]; -+ uint32_t iv_size = 0; -+ uint32_t key_size = 0; -+ uint32_t tag_size = 0; -+ uint8_t _key[16] = {0}; -+ gnutls_cipher_algorithm_t algo = 0; -+ gnutls_aead_cipher_hd_t cipher_hnd = NULL; -+ gnutls_datum_t key; -+ gnutls_datum_t iv; -+ NTSTATUS status; -+ int rc; - - if (count < 1) { - return NT_STATUS_INVALID_PARAMETER; -@@ -612,53 +614,131 @@ NTSTATUS smb2_signing_decrypt_pdu(DATA_BLOB decryption_key, - return NT_STATUS_INTERNAL_ERROR; - } - -- ZERO_STRUCT(key); -- memcpy(key, decryption_key.data, -- MIN(decryption_key.length, AES_BLOCK_SIZE)); -- - switch (cipher_id) { - case SMB2_ENCRYPTION_AES128_CCM: -- aes_ccm_128_init(&c.ccm, key, -- tf + SMB2_TF_NONCE, -- 
a_total, m_total); -- aes_ccm_128_update(&c.ccm, tf + SMB2_TF_NONCE, a_total); -- for (i=1; i < count; i++) { -- aes_ccm_128_crypt(&c.ccm, -- (uint8_t *)vector[i].iov_base, -- vector[i].iov_len); -- aes_ccm_128_update(&c.ccm, -- ( uint8_t *)vector[i].iov_base, -- vector[i].iov_len); -- } -- aes_ccm_128_digest(&c.ccm, sig); -+ algo = GNUTLS_CIPHER_AES_128_CCM; -+ iv_size = SMB2_AES_128_CCM_NONCE_SIZE; - break; -- - case SMB2_ENCRYPTION_AES128_GCM: -- aes_gcm_128_init(&c.gcm, key, tf + SMB2_TF_NONCE); -- aes_gcm_128_updateA(&c.gcm, tf + SMB2_TF_NONCE, a_total); -- for (i=1; i < count; i++) { -- aes_gcm_128_updateC(&c.gcm, -- (const uint8_t *)vector[i].iov_base, -- vector[i].iov_len); -- aes_gcm_128_crypt(&c.gcm, -- (uint8_t *)vector[i].iov_base, -- vector[i].iov_len); -- } -- aes_gcm_128_digest(&c.gcm, sig); -+ algo = GNUTLS_CIPHER_AES_128_GCM; -+ iv_size = gnutls_cipher_get_iv_size(algo); - break; -- - default: -- ZERO_STRUCT(key); - return NT_STATUS_INVALID_PARAMETER; - } -- ZERO_STRUCT(key); - -- sig_ptr = tf + SMB2_TF_SIGNATURE; -- if (memcmp(sig_ptr, sig, 16) != 0) { -- return NT_STATUS_ACCESS_DENIED; -+ key_size = gnutls_cipher_get_key_size(algo); -+ tag_size = gnutls_cipher_get_tag_size(algo); -+ -+ if (key_size > sizeof(_key)) { -+ return NT_STATUS_BUFFER_TOO_SMALL; - } - -- DEBUG(5,("decrypt SMB2 message\n")); -+ key = (gnutls_datum_t) { -+ .data = _key, -+ .size = key_size, -+ }; - -- return NT_STATUS_OK; -+ memcpy(key.data, -+ decryption_key.data, -+ MIN(decryption_key.length, key.size)); -+ -+ iv = (gnutls_datum_t) { -+ .data = tf + SMB2_TF_NONCE, -+ .size = iv_size, -+ }; -+ -+ rc = gnutls_aead_cipher_init(&cipher_hnd, -+ algo, -+ &key); -+ if (rc < 0) { -+ status = NT_STATUS_NO_MEMORY; -+ goto out; -+ } -+ -+ { -+ size_t ctext_size = m_total + tag_size; -+ uint8_t *ctext = NULL; -+ size_t ptext_size = m_total; -+ uint8_t *ptext = NULL; -+ size_t len = 0; -+ -+ /* GnuTLS doesn't have a iovec API for decryption yet */ -+ -+ ptext = 
talloc_size(talloc_tos(), ptext_size); -+ if (ptext == NULL) { -+ gnutls_aead_cipher_deinit(cipher_hnd); -+ status = NT_STATUS_NO_MEMORY; -+ goto out; -+ } -+ -+ ctext = talloc_size(talloc_tos(), ctext_size); -+ if (ctext == NULL) { -+ TALLOC_FREE(ptext); -+ gnutls_aead_cipher_deinit(cipher_hnd); -+ status = NT_STATUS_NO_MEMORY; -+ goto out; -+ } -+ -+ -+ for (i = 1; i < count; i++) { -+ memcpy(ctext + len, -+ vector[i].iov_base, -+ vector[i].iov_len); -+ -+ len += vector[i].iov_len; -+ } -+ if (len != m_total) { -+ TALLOC_FREE(ptext); -+ TALLOC_FREE(ctext); -+ gnutls_aead_cipher_deinit(cipher_hnd); -+ status = NT_STATUS_INTERNAL_ERROR; -+ goto out; -+ } -+ -+ memcpy(ctext + len, -+ tf + SMB2_TF_SIGNATURE, -+ tag_size); -+ -+ /* This function will verify the tag */ -+ rc = gnutls_aead_cipher_decrypt(cipher_hnd, -+ iv.data, -+ iv.size, -+ tf + SMB2_TF_NONCE, -+ a_total, -+ tag_size, -+ ctext, -+ ctext_size, -+ ptext, -+ &ptext_size); -+ if (rc < 0 || ptext_size != m_total) { -+ DBG_ERR("ERROR: %s\n", gnutls_strerror(rc)); -+ TALLOC_FREE(ptext); -+ TALLOC_FREE(ctext); -+ gnutls_aead_cipher_deinit(cipher_hnd); -+ status = NT_STATUS_INTERNAL_ERROR; -+ goto out; -+ } -+ -+ len = 0; -+ for (i = 1; i < count; i++) { -+ memcpy(vector[i].iov_base, -+ ptext + len, -+ vector[i].iov_len); -+ -+ len += vector[i].iov_len; -+ } -+ -+ TALLOC_FREE(ptext); -+ TALLOC_FREE(ctext); -+ } -+ gnutls_aead_cipher_deinit(cipher_hnd); -+ -+ DBG_INFO("Decrypted SMB2 message\n"); -+ -+ status = NT_STATUS_OK; -+out: -+ ZERO_ARRAY(_key); -+ -+ return status; - } --- -2.23.0 - diff --git a/SOURCES/0126-libcli-smb-Use-smb2_signing_key-in-smb2_signing_decr.patch b/SOURCES/0126-libcli-smb-Use-smb2_signing_key-in-smb2_signing_decr.patch deleted file mode 100644 index 9ab31ce..0000000 --- a/SOURCES/0126-libcli-smb-Use-smb2_signing_key-in-smb2_signing_decr.patch +++ /dev/null 
@@ -1,176 +0,0 @@ -From fcbef176770dc8531ab9eb8bb091b44b3923f405 Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Thu, 14 Mar 2019 10:53:23 +0100 -Subject: [PATCH 126/187] libcli:smb: Use smb2_signing_key in - smb2_signing_decrypt_pdu() - -Signed-off-by: Andreas Schneider -Reviewed-by: Andrew Bartlett - -Adaped to remove Samba AES support - -Signed-off-by: Andrew Bartlett -(cherry picked from commit 7f56e91dbe404bc1ee40e4843c4046336945b057) ---- - libcli/smb/smb2_signing.c | 34 +++++++++++++++------------------- - libcli/smb/smb2_signing.h | 2 +- - libcli/smb/smbXcli_base.c | 2 +- - source3/smbd/smb2_server.c | 2 +- - 4 files changed, 18 insertions(+), 22 deletions(-) - -diff --git a/libcli/smb/smb2_signing.c b/libcli/smb/smb2_signing.c -index 1d9c99337d8..9f40e8bbea5 100644 ---- a/libcli/smb/smb2_signing.c -+++ b/libcli/smb/smb2_signing.c -@@ -558,7 +558,7 @@ out: - return status; - } - --NTSTATUS smb2_signing_decrypt_pdu(DATA_BLOB decryption_key, -+NTSTATUS smb2_signing_decrypt_pdu(struct smb2_signing_key *decryption_key, - uint16_t cipher_id, - struct iovec *vector, - int count) -@@ -574,7 +574,6 @@ NTSTATUS smb2_signing_decrypt_pdu(DATA_BLOB decryption_key, - uint32_t tag_size = 0; - uint8_t _key[16] = {0}; - gnutls_cipher_algorithm_t algo = 0; -- gnutls_aead_cipher_hd_t cipher_hnd = NULL; - gnutls_datum_t key; - gnutls_datum_t iv; - NTSTATUS status; -@@ -590,9 +589,9 @@ NTSTATUS smb2_signing_decrypt_pdu(DATA_BLOB decryption_key, - - tf = (uint8_t *)vector[0].iov_base; - -- if (decryption_key.length == 0) { -- DEBUG(2,("Wrong decryption key length %u for SMB2 signing\n", -- (unsigned)decryption_key.length)); -+ if (!smb2_signing_key_valid(decryption_key)) { -+ DBG_WARNING("Wrong decryption key length %zu for SMB2 signing\n", -+ decryption_key->blob.length); - return NT_STATUS_ACCESS_DENIED; - } - -@@ -640,20 +639,22 @@ NTSTATUS smb2_signing_decrypt_pdu(DATA_BLOB decryption_key, - }; - - memcpy(key.data, -- decryption_key.data, -- 
MIN(decryption_key.length, key.size)); -+ decryption_key->blob.data, -+ MIN(decryption_key->blob.length, key.size)); - - iv = (gnutls_datum_t) { - .data = tf + SMB2_TF_NONCE, - .size = iv_size, - }; - -- rc = gnutls_aead_cipher_init(&cipher_hnd, -- algo, -- &key); -- if (rc < 0) { -- status = NT_STATUS_NO_MEMORY; -- goto out; -+ if (decryption_key->cipher_hnd == NULL) { -+ rc = gnutls_aead_cipher_init(&decryption_key->cipher_hnd, -+ algo, -+ &key); -+ if (rc < 0) { -+ status = NT_STATUS_NO_MEMORY; -+ goto out; -+ } - } - - { -@@ -667,7 +668,6 @@ NTSTATUS smb2_signing_decrypt_pdu(DATA_BLOB decryption_key, - - ptext = talloc_size(talloc_tos(), ptext_size); - if (ptext == NULL) { -- gnutls_aead_cipher_deinit(cipher_hnd); - status = NT_STATUS_NO_MEMORY; - goto out; - } -@@ -675,7 +675,6 @@ NTSTATUS smb2_signing_decrypt_pdu(DATA_BLOB decryption_key, - ctext = talloc_size(talloc_tos(), ctext_size); - if (ctext == NULL) { - TALLOC_FREE(ptext); -- gnutls_aead_cipher_deinit(cipher_hnd); - status = NT_STATUS_NO_MEMORY; - goto out; - } -@@ -691,7 +690,6 @@ NTSTATUS smb2_signing_decrypt_pdu(DATA_BLOB decryption_key, - if (len != m_total) { - TALLOC_FREE(ptext); - TALLOC_FREE(ctext); -- gnutls_aead_cipher_deinit(cipher_hnd); - status = NT_STATUS_INTERNAL_ERROR; - goto out; - } -@@ -701,7 +699,7 @@ NTSTATUS smb2_signing_decrypt_pdu(DATA_BLOB decryption_key, - tag_size); - - /* This function will verify the tag */ -- rc = gnutls_aead_cipher_decrypt(cipher_hnd, -+ rc = gnutls_aead_cipher_decrypt(decryption_key->cipher_hnd, - iv.data, - iv.size, - tf + SMB2_TF_NONCE, -@@ -715,7 +713,6 @@ NTSTATUS smb2_signing_decrypt_pdu(DATA_BLOB decryption_key, - DBG_ERR("ERROR: %s\n", gnutls_strerror(rc)); - TALLOC_FREE(ptext); - TALLOC_FREE(ctext); -- gnutls_aead_cipher_deinit(cipher_hnd); - status = NT_STATUS_INTERNAL_ERROR; - goto out; - } -@@ -732,7 +729,6 @@ NTSTATUS smb2_signing_decrypt_pdu(DATA_BLOB decryption_key, - TALLOC_FREE(ptext); - TALLOC_FREE(ctext); - } -- 
gnutls_aead_cipher_deinit(cipher_hnd); - - DBG_INFO("Decrypted SMB2 message\n"); - -diff --git a/libcli/smb/smb2_signing.h b/libcli/smb/smb2_signing.h -index 13fb54e4e4e..7eefad93b3e 100644 ---- a/libcli/smb/smb2_signing.h -+++ b/libcli/smb/smb2_signing.h -@@ -57,7 +57,7 @@ NTSTATUS smb2_signing_encrypt_pdu(DATA_BLOB encryption_key, - uint16_t cipher_id, - struct iovec *vector, - int count); --NTSTATUS smb2_signing_decrypt_pdu(DATA_BLOB decryption_key, -+NTSTATUS smb2_signing_decrypt_pdu(struct smb2_signing_key *decryption_key, - uint16_t cipher_id, - struct iovec *vector, - int count); -diff --git a/libcli/smb/smbXcli_base.c b/libcli/smb/smbXcli_base.c -index aa69c374d49..421fc434305 100644 ---- a/libcli/smb/smbXcli_base.c -+++ b/libcli/smb/smbXcli_base.c -@@ -3567,7 +3567,7 @@ static NTSTATUS smb2cli_inbuf_parse_compound(struct smbXcli_conn *conn, - tf_iov[1].iov_base = (void *)hdr; - tf_iov[1].iov_len = enc_len; - -- status = smb2_signing_decrypt_pdu(s->smb2->decryption_key->blob, -+ status = smb2_signing_decrypt_pdu(s->smb2->decryption_key, - conn->smb2.server.cipher, - tf_iov, 2); - if (!NT_STATUS_IS_OK(status)) { -diff --git a/source3/smbd/smb2_server.c b/source3/smbd/smb2_server.c -index 56e7b70696b..9df22b5a6ac 100644 ---- a/source3/smbd/smb2_server.c -+++ b/source3/smbd/smb2_server.c -@@ -432,7 +432,7 @@ static NTSTATUS smbd_smb2_inbuf_parse_compound(struct smbXsrv_connection *xconn, - tf_iov[1].iov_base = (void *)hdr; - tf_iov[1].iov_len = enc_len; - -- status = smb2_signing_decrypt_pdu(s->global->decryption_key->blob, -+ status = smb2_signing_decrypt_pdu(s->global->decryption_key, - xconn->smb2.server.cipher, - tf_iov, 2); - if (!NT_STATUS_IS_OK(status)) { --- -2.23.0 - diff --git a/SOURCES/0127-libcli-smb-Use-gnutls_error_to_ntstatus-in-smb2_sign.patch b/SOURCES/0127-libcli-smb-Use-gnutls_error_to_ntstatus-in-smb2_sign.patch deleted file mode 100644 index 659d4a2..0000000 
--- a/SOURCES/0127-libcli-smb-Use-gnutls_error_to_ntstatus-in-smb2_sign.patch +++ /dev/null @@ -1,41 +0,0 @@ -From c75283e42d0758247fca67b6f59ac5a76ace2dd7 Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Fri, 23 Aug 2019 09:27:35 +0200 -Subject: [PATCH 127/187] libcli:smb: Use gnutls_error_to_ntstatus() in - smb2_signing_decrypt_pdu() - -Signed-off-by: Andreas Schneider -Reviewed-by: Andrew Bartlett -(cherry picked from commit b9c4990f57aa778942c310b802437e6df1d17e04) ---- - libcli/smb/smb2_signing.c | 5 ++--- - 1 file changed, 2 insertions(+), 3 deletions(-) - -diff --git a/libcli/smb/smb2_signing.c b/libcli/smb/smb2_signing.c -index 9f40e8bbea5..15dbf3d8b2a 100644 ---- a/libcli/smb/smb2_signing.c -+++ b/libcli/smb/smb2_signing.c -@@ -652,7 +652,7 @@ NTSTATUS smb2_signing_decrypt_pdu(struct smb2_signing_key *decryption_key, - algo, - &key); - if (rc < 0) { -- status = NT_STATUS_NO_MEMORY; -+ status = gnutls_error_to_ntstatus(rc, NT_STATUS_INTERNAL_ERROR); - goto out; - } - } -@@ -710,10 +710,9 @@ NTSTATUS smb2_signing_decrypt_pdu(struct smb2_signing_key *decryption_key, - ptext, - &ptext_size); - if (rc < 0 || ptext_size != m_total) { -- DBG_ERR("ERROR: %s\n", gnutls_strerror(rc)); - TALLOC_FREE(ptext); - TALLOC_FREE(ctext); -- status = NT_STATUS_INTERNAL_ERROR; -+ status = gnutls_error_to_ntstatus(rc, NT_STATUS_INTERNAL_ERROR); - goto out; - } - --- -2.23.0 - diff --git a/SOURCES/0128-libcli-smb-Use-smb2_signing_key-in-smb2_signing_encr.patch b/SOURCES/0128-libcli-smb-Use-smb2_signing_key-in-smb2_signing_encr.patch deleted file mode 100644 index 2958ffa..0000000 --- a/SOURCES/0128-libcli-smb-Use-smb2_signing_key-in-smb2_signing_encr.patch +++ /dev/null 
@@ -1,223 +0,0 @@ -From 89fa1828d7b01416da929c234ec8612f113d6d60 Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Thu, 14 Mar 2019 10:27:06 +0100 -Subject: [PATCH 128/187] libcli:smb: Use smb2_signing_key in - smb2_signing_encrypt_pdu() - -Signed-off-by: Andreas Schneider -Reviewed-by: Andrew Bartlett - -Adaped to remove Samba AES support - -Signed-off-by: Andrew Bartlett -(cherry picked from commit eb65fe5505e32f451d4cf5d0203abce77c05dae4) ---- - libcli/smb/smb2_signing.c | 34 +++++++++++++++------------------- - libcli/smb/smb2_signing.h | 2 +- - libcli/smb/smbXcli_base.c | 4 ++-- - source3/smbd/smb2_server.c | 16 ++++++++++++---- - 4 files changed, 30 insertions(+), 26 deletions(-) - -diff --git a/libcli/smb/smb2_signing.c b/libcli/smb/smb2_signing.c -index 15dbf3d8b2a..682327bb21b 100644 ---- a/libcli/smb/smb2_signing.c -+++ b/libcli/smb/smb2_signing.c -@@ -386,7 +386,7 @@ NTSTATUS smb2_key_derivation(const uint8_t *KI, size_t KI_len, - return NT_STATUS_OK; - } - --NTSTATUS smb2_signing_encrypt_pdu(DATA_BLOB encryption_key, -+NTSTATUS smb2_signing_encrypt_pdu(struct smb2_signing_key *encryption_key, - uint16_t cipher_id, - struct iovec *vector, - int count) -@@ -400,7 +400,6 @@ NTSTATUS smb2_signing_encrypt_pdu(DATA_BLOB encryption_key, - uint32_t tag_size = 0; - uint8_t _key[16] = {0}; - gnutls_cipher_algorithm_t algo = 0; -- gnutls_aead_cipher_hd_t cipher_hnd = NULL; - gnutls_datum_t key; - gnutls_datum_t iv; - NTSTATUS status; -@@ -416,9 +415,9 @@ NTSTATUS smb2_signing_encrypt_pdu(DATA_BLOB encryption_key, - - tf = (uint8_t *)vector[0].iov_base; - -- if (encryption_key.length == 0) { -- DEBUG(2,("Wrong encryption key length %u for SMB2 signing\n", -- (unsigned)encryption_key.length)); -+ if (!smb2_signing_key_valid(encryption_key)) { -+ DBG_WARNING("Wrong encryption key length %zu for SMB2 signing\n", -+ encryption_key->blob.length); - return NT_STATUS_ACCESS_DENIED; - } - -@@ -458,20 +457,22 @@ NTSTATUS smb2_signing_encrypt_pdu(DATA_BLOB 
encryption_key, - }; - - memcpy(key.data, -- encryption_key.data, -- MIN(encryption_key.length, key.size)); -+ encryption_key->blob.data, -+ MIN(encryption_key->blob.length, key.size)); - - iv = (gnutls_datum_t) { - .data = tf + SMB2_TF_NONCE, - .size = iv_size, - }; - -- rc = gnutls_aead_cipher_init(&cipher_hnd, -- algo, -- &key); -- if (rc < 0) { -- status = NT_STATUS_NO_MEMORY; -- goto out; -+ if (encryption_key->cipher_hnd == NULL) { -+ rc = gnutls_aead_cipher_init(&encryption_key->cipher_hnd, -+ algo, -+ &key); -+ if (rc < 0) { -+ status = NT_STATUS_NO_MEMORY; -+ goto out; -+ } - } - - memset(tf + SMB2_TF_NONCE + iv_size, -@@ -487,14 +488,12 @@ NTSTATUS smb2_signing_encrypt_pdu(DATA_BLOB encryption_key, - - ptext = talloc_size(talloc_tos(), ptext_size); - if (ptext == NULL) { -- gnutls_aead_cipher_deinit(cipher_hnd); - status = NT_STATUS_NO_MEMORY; - goto out; - } - - ctext = talloc_size(talloc_tos(), ctext_size); - if (ctext == NULL) { -- gnutls_aead_cipher_deinit(cipher_hnd); - status = NT_STATUS_NO_MEMORY; - goto out; - } -@@ -508,13 +507,12 @@ NTSTATUS smb2_signing_encrypt_pdu(DATA_BLOB encryption_key, - if (len > ptext_size) { - TALLOC_FREE(ptext); - TALLOC_FREE(ctext); -- gnutls_aead_cipher_deinit(cipher_hnd); - status = NT_STATUS_INTERNAL_ERROR; - goto out; - } - } - -- rc = gnutls_aead_cipher_encrypt(cipher_hnd, -+ rc = gnutls_aead_cipher_encrypt(encryption_key->cipher_hnd, - iv.data, - iv.size, - tf + SMB2_TF_NONCE, -@@ -528,7 +526,6 @@ NTSTATUS smb2_signing_encrypt_pdu(DATA_BLOB encryption_key, - DBG_ERR("ERROR: %s\n", gnutls_strerror(rc)); - TALLOC_FREE(ptext); - TALLOC_FREE(ctext); -- gnutls_aead_cipher_deinit(cipher_hnd); - status = NT_STATUS_INTERNAL_ERROR; - goto out; - } -@@ -547,7 +544,6 @@ NTSTATUS smb2_signing_encrypt_pdu(DATA_BLOB encryption_key, - TALLOC_FREE(ptext); - TALLOC_FREE(ctext); - } -- gnutls_aead_cipher_deinit(cipher_hnd); - - DBG_INFO("Enencrypted SMB2 message\n"); - -diff --git a/libcli/smb/smb2_signing.h 
b/libcli/smb/smb2_signing.h -index 7eefad93b3e..e28b5c8de9a 100644 ---- a/libcli/smb/smb2_signing.h -+++ b/libcli/smb/smb2_signing.h -@@ -53,7 +53,7 @@ NTSTATUS smb2_key_derivation(const uint8_t *KI, size_t KI_len, - const uint8_t *Context, size_t Context_len, - uint8_t KO[16]); - --NTSTATUS smb2_signing_encrypt_pdu(DATA_BLOB encryption_key, -+NTSTATUS smb2_signing_encrypt_pdu(struct smb2_signing_key *encryption_key, - uint16_t cipher_id, - struct iovec *vector, - int count); -diff --git a/libcli/smb/smbXcli_base.c b/libcli/smb/smbXcli_base.c -index 421fc434305..d9837d48083 100644 ---- a/libcli/smb/smbXcli_base.c -+++ b/libcli/smb/smbXcli_base.c -@@ -3090,7 +3090,7 @@ NTSTATUS smb2cli_req_compound_submit(struct tevent_req **reqs, - struct iovec *iov; - int i, num_iov, nbt_len; - int tf_iov = -1; -- const struct smb2_signing_key *encryption_key = NULL; -+ struct smb2_signing_key *encryption_key = NULL; - uint64_t encryption_session_id = 0; - uint64_t nonce_high = UINT64_MAX; - uint64_t nonce_low = UINT64_MAX; -@@ -3379,7 +3379,7 @@ skip_credits: - buf += v->iov_len; - } - -- status = smb2_signing_encrypt_pdu(encryption_key->blob, -+ status = smb2_signing_encrypt_pdu(encryption_key, - state->conn->smb2.server.cipher, - &iov[tf_iov], num_iov - tf_iov); - if (!NT_STATUS_IS_OK(status)) { -diff --git a/source3/smbd/smb2_server.c b/source3/smbd/smb2_server.c -index 9df22b5a6ac..0776fa2bdd2 100644 ---- a/source3/smbd/smb2_server.c -+++ b/source3/smbd/smb2_server.c -@@ -1336,10 +1336,14 @@ static NTSTATUS smb2_send_async_interim_response(const struct smbd_smb2_request - * we need to sign/encrypt here with the last/first key we remembered - */ - if (firsttf->iov_len == SMB2_TF_HDR_SIZE) { -- status = smb2_signing_encrypt_pdu(req->first_key, -+ struct smb2_signing_key key = { -+ .blob = req->first_key, -+ }; -+ status = smb2_signing_encrypt_pdu(&key, - xconn->smb2.server.cipher, - firsttf, - nreq->out.vector_count - first_idx); -+ smb2_signing_key_destructor(&key); - if 
(!NT_STATUS_IS_OK(status)) { - return status; - } -@@ -1739,7 +1743,7 @@ static void smbd_smb2_request_pending_timer(struct tevent_context *ev, - struct smbXsrv_session *x = req->session; - struct smb2_signing_key *encryption_key = x->global->encryption_key; - -- status = smb2_signing_encrypt_pdu(encryption_key->blob, -+ status = smb2_signing_encrypt_pdu(encryption_key, - xconn->smb2.server.cipher, - &state->vector[1+SMBD_SMB2_TF_IOV_OFS], - SMBD_SMB2_NUM_IOV_PER_REQ); -@@ -2994,10 +2998,14 @@ static NTSTATUS smbd_smb2_request_reply(struct smbd_smb2_request *req) - * now check if we need to sign the current response - */ - if (firsttf->iov_len == SMB2_TF_HDR_SIZE) { -- status = smb2_signing_encrypt_pdu(req->first_key, -+ struct smb2_signing_key key = { -+ .blob = req->first_key, -+ }; -+ status = smb2_signing_encrypt_pdu(&key, - xconn->smb2.server.cipher, - firsttf, - req->out.vector_count - first_idx); -+ smb2_signing_key_destructor(&key); - if (!NT_STATUS_IS_OK(status)) { - return status; - } -@@ -3419,7 +3427,7 @@ static NTSTATUS smbd_smb2_send_break(struct smbXsrv_connection *xconn, - struct smb2_signing_key *encryption_key = - session->global->encryption_key; - -- status = smb2_signing_encrypt_pdu(encryption_key->blob, -+ status = smb2_signing_encrypt_pdu(encryption_key, - xconn->smb2.server.cipher, - &state->vector[1+SMBD_SMB2_TF_IOV_OFS], - SMBD_SMB2_NUM_IOV_PER_REQ); --- -2.23.0 - diff --git a/SOURCES/0129-libcli-smb-Use-gnutls_error_to_ntstatus-in-smb2_sign.patch b/SOURCES/0129-libcli-smb-Use-gnutls_error_to_ntstatus-in-smb2_sign.patch deleted file mode 100644 index 4866084..0000000 --- a/SOURCES/0129-libcli-smb-Use-gnutls_error_to_ntstatus-in-smb2_sign.patch +++ /dev/null 
@@ -1,42 +0,0 @@ -From b72fbb819de245fe77b4d5bdb2465fc65488cc62 Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Fri, 23 Aug 2019 09:28:28 +0200 -Subject: [PATCH 129/187] libcli:smb: Use gnutls_error_to_ntstatus() in - smb2_signing_encrypt_pdu() - -Signed-off-by: Andreas Schneider -Reviewed-by: Andrew Bartlett -Signed-off-by: Andrew Bartlett -(cherry picked from commit f24f26aaa58b9223e2c0cfd3e5086278b27903f1) ---- - libcli/smb/smb2_signing.c | 5 ++--- - 1 file changed, 2 insertions(+), 3 deletions(-) - -diff --git a/libcli/smb/smb2_signing.c b/libcli/smb/smb2_signing.c -index 682327bb21b..c39f8e4780a 100644 ---- a/libcli/smb/smb2_signing.c -+++ b/libcli/smb/smb2_signing.c -@@ -470,7 +470,7 @@ NTSTATUS smb2_signing_encrypt_pdu(struct smb2_signing_key *encryption_key, - algo, - &key); - if (rc < 0) { -- status = NT_STATUS_NO_MEMORY; -+ status = gnutls_error_to_ntstatus(rc, NT_STATUS_INTERNAL_ERROR); - goto out; - } - } -@@ -523,10 +523,9 @@ NTSTATUS smb2_signing_encrypt_pdu(struct smb2_signing_key *encryption_key, - ctext, - &ctext_size); - if (rc < 0 || ctext_size != m_total + tag_size) { -- DBG_ERR("ERROR: %s\n", gnutls_strerror(rc)); - TALLOC_FREE(ptext); - TALLOC_FREE(ctext); -- status = NT_STATUS_INTERNAL_ERROR; -+ status = gnutls_error_to_ntstatus(rc, NT_STATUS_INTERNAL_ERROR); - goto out; - } - --- -2.23.0 - diff --git a/SOURCES/0130-libcli-smb-Prefer-AES-GCM-over-AES-CCM-with-GnuTLS.patch b/SOURCES/0130-libcli-smb-Prefer-AES-GCM-over-AES-CCM-with-GnuTLS.patch deleted file mode 100644 index 8c70c02..0000000 --- a/SOURCES/0130-libcli-smb-Prefer-AES-GCM-over-AES-CCM-with-GnuTLS.patch +++ /dev/null 
@@ -1,41 +0,0 @@ -From 146a33a845cd38089f0aed6953387123f59bc652 Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Fri, 15 Mar 2019 16:25:28 +0100 -Subject: [PATCH 130/187] libcli:smb: Prefer AES-GCM over AES-CCM with GnuTLS - -The AES-GCM implementation in GnuTLS is faster. - -Signed-off-by: Andreas Schneider -Reviewed-by: Andrew Bartlett - -Adapted to remove Samba AES support - -Signed-off-by: Andrew Bartlett -(cherry picked from commit 454ed53221b1374ad8148e922b64c3788ad4998e) ---- - libcli/smb/smbXcli_base.c | 9 +++------ - 1 file changed, 3 insertions(+), 6 deletions(-) - -diff --git a/libcli/smb/smbXcli_base.c b/libcli/smb/smbXcli_base.c -index d9837d48083..f0ba7803a53 100644 ---- a/libcli/smb/smbXcli_base.c -+++ b/libcli/smb/smbXcli_base.c -@@ -4788,12 +4788,9 @@ static struct tevent_req *smbXcli_negprot_smb2_subreq(struct smbXcli_negprot_sta - } - - SSVAL(p, 0, 2); /* ChiperCount */ -- /* -- * For now we preferr CCM because our implementation -- * is faster than GCM, see bug #11451. -- */ -- SSVAL(p, 2, SMB2_ENCRYPTION_AES128_CCM); -- SSVAL(p, 4, SMB2_ENCRYPTION_AES128_GCM); -+ -+ SSVAL(p, 2, SMB2_ENCRYPTION_AES128_GCM); -+ SSVAL(p, 4, SMB2_ENCRYPTION_AES128_CCM); - - status = smb2_negotiate_context_add( - state, &c, SMB2_ENCRYPTION_CAPABILITIES, p, 6); --- -2.23.0 - diff --git a/SOURCES/0131-s3-smbd-Prefer-AES-GCM-over-AES-CCM-with-GnuTLS.patch b/SOURCES/0131-s3-smbd-Prefer-AES-GCM-over-AES-CCM-with-GnuTLS.patch deleted file mode 100644 index 1c46101..0000000 --- a/SOURCES/0131-s3-smbd-Prefer-AES-GCM-over-AES-CCM-with-GnuTLS.patch +++ /dev/null 
@@ -1,41 +0,0 @@ -From 728fe099d044b2890eb98a84c0deb9702bdd9971 Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Fri, 15 Mar 2019 16:28:12 +0100 -Subject: [PATCH 131/187] s3:smbd: Prefer AES-GCM over AES-CCM with GnuTLS - -Signed-off-by: Andreas Schneider -Reviewed-by: Andrew Bartlett - -Adapted to remove Samba AES support - -Signed-off-by: Andrew Bartlett -(cherry picked from commit 2ee1764ca88c882cddcc0a17f7d83950ec709b5d) ---- - source3/smbd/smb2_negprot.c | 10 +++------- - 1 file changed, 3 insertions(+), 7 deletions(-) - -diff --git a/source3/smbd/smb2_negprot.c b/source3/smbd/smb2_negprot.c -index 528d3f8cc74..6e7201b1cd8 100644 ---- a/source3/smbd/smb2_negprot.c -+++ b/source3/smbd/smb2_negprot.c -@@ -492,14 +492,10 @@ NTSTATUS smbd_smb2_request_process_negprot(struct smbd_smb2_request *req) - } - } - -- /* -- * For now we preferr CCM because our implementation -- * is faster than GCM, see bug #11451. -- */ -- if (aes_128_ccm_supported) { -- xconn->smb2.server.cipher = SMB2_ENCRYPTION_AES128_CCM; -- } else if (aes_128_gcm_supported) { -+ if (aes_128_gcm_supported) { - xconn->smb2.server.cipher = SMB2_ENCRYPTION_AES128_GCM; -+ } else if (aes_128_ccm_supported) { -+ xconn->smb2.server.cipher = SMB2_ENCRYPTION_AES128_CCM; - } - - SSVAL(buf, 0, 1); /* ChiperCount */ --- -2.23.0 - diff --git a/SOURCES/0132-auth-gensec-fix-non-AES-schannel-seal.patch b/SOURCES/0132-auth-gensec-fix-non-AES-schannel-seal.patch deleted file mode 100644 index 4e6d6e9..0000000 --- a/SOURCES/0132-auth-gensec-fix-non-AES-schannel-seal.patch +++ /dev/null 
@@ -1,49 +0,0 @@ -From 7d0f882b196ce9045488dee68ec979b4fb96d6d5 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= -Date: Fri, 20 Sep 2019 18:32:43 +0200 -Subject: [PATCH 132/187] auth/gensec: fix non-AES schannel seal - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14134 - -Guenther - -Signed-off-by: Guenther Deschner -Reviewed-by: Andreas Schneider -(cherry picked from commit 709d54d68a9c2cb3cda91d9ab63228a7adbaceb4) ---- - auth/gensec/schannel.c | 9 +++++++++ - selftest/knownfail | 1 + - 2 files changed, 10 insertions(+) - -diff --git a/auth/gensec/schannel.c b/auth/gensec/schannel.c -index b5e6289ef3f..9f2611e5f04 100644 ---- a/auth/gensec/schannel.c -+++ b/auth/gensec/schannel.c -@@ -428,6 +428,15 @@ static NTSTATUS netsec_do_seal(struct schannel_state *state, - ZERO_ARRAY(_sealing_key); - return gnutls_error_to_ntstatus(rc, NT_STATUS_CRYPTO_SYSTEM_INVALID); - } -+ gnutls_cipher_deinit(cipher_hnd); -+ rc = gnutls_cipher_init(&cipher_hnd, -+ GNUTLS_CIPHER_ARCFOUR_128, -+ &sealing_key, -+ NULL); -+ if (rc < 0) { -+ ZERO_ARRAY(_sealing_key); -+ return gnutls_error_to_ntstatus(rc, NT_STATUS_CRYPTO_SYSTEM_INVALID); -+ } - rc = gnutls_cipher_encrypt(cipher_hnd, - data, - length); -diff --git a/selftest/knownfail b/selftest/knownfail -index 7b54b77a708..95db97a44e0 100644 ---- a/selftest/knownfail -+++ b/selftest/knownfail -@@ -374,3 +374,4 @@ - ^samba.tests.ntlmdisabled.python\(ktest\).python2.ntlmdisabled.NtlmDisabledTests.test_samr_change_password\(ktest\) - ^samba.tests.ntlmdisabled.python\(ad_dc_no_ntlm\).python3.ntlmdisabled.NtlmDisabledTests.test_ntlm_connection\(ad_dc_no_ntlm\) - ^samba.tests.ntlmdisabled.python\(ad_dc_no_ntlm\).python2.ntlmdisabled.NtlmDisabledTests.test_ntlm_connection\(ad_dc_no_ntlm\) -+^samba.unittests.schannel.torture_schannel_seal_aes --- -2.23.0 - 
diff --git a/SOURCES/0133-auth-gensec-fix-AES-schannel-seal-and-unseal.patch b/SOURCES/0133-auth-gensec-fix-AES-schannel-seal-and-unseal.patch deleted file mode 100644 index b09c9d8..0000000 --- a/SOURCES/0133-auth-gensec-fix-AES-schannel-seal-and-unseal.patch +++ /dev/null 
@@ -1,106 +0,0 @@ -From 279d31dfa642126ce7670292390e02b2e33ea36e Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= -Date: Tue, 17 Sep 2019 22:37:06 +0200 -Subject: [PATCH 133/187] auth/gensec: fix AES schannel seal and unseal - -Workaround bug present in gnutls 3.6.8: - -gnutls_cipher_decrypt() uses an optimization -internally that breaks decryption when processing -buffers with their length not being a multiple -of the blocksize. - -Signed-off-by: Stefan Metzmacher -Pair-Programmed-With: Guenther Deschner -Reviewed-by: Andreas Schneider -(cherry picked from commit f988756599c2f7253989f2ca1dea2975dd89e6ea) ---- - auth/gensec/schannel.c | 47 +++++++++++++++++++++++++++--------------- - selftest/knownfail | 1 - - 2 files changed, 30 insertions(+), 18 deletions(-) - -diff --git a/auth/gensec/schannel.c b/auth/gensec/schannel.c -index 9f2611e5f04..ea2a8b201ce 100644 ---- a/auth/gensec/schannel.c -+++ b/auth/gensec/schannel.c -@@ -306,11 +306,6 @@ static NTSTATUS netsec_do_seal(struct schannel_state *state, - return gnutls_error_to_ntstatus(rc, NT_STATUS_CRYPTO_SYSTEM_INVALID); - } - -- /* -- * Looks like we have to reuse the initial IV which is -- * cryptographically wrong! -- */ -- gnutls_cipher_set_iv(cipher_hnd, iv.data, iv.size); - rc = gnutls_cipher_encrypt(cipher_hnd, - data, - length); -@@ -319,26 +314,44 @@ static NTSTATUS netsec_do_seal(struct schannel_state *state, - return gnutls_error_to_ntstatus(rc, NT_STATUS_CRYPTO_SYSTEM_INVALID); - } - } else { -- rc = gnutls_cipher_decrypt(cipher_hnd, -- confounder, -- 8); -- if (rc < 0) { -- gnutls_cipher_deinit(cipher_hnd); -- return gnutls_error_to_ntstatus(rc, NT_STATUS_CRYPTO_SYSTEM_INVALID); -- } - - /* -- * Looks like we have to reuse the initial IV which is -- * cryptographically wrong! 
-+ * Workaround bug present in gnutls 3.6.8: -+ * -+ * gnutls_cipher_decrypt() uses an optimization -+ * internally that breaks decryption when processing -+ * buffers with their length not being a multiple -+ * of the blocksize. - */ -- gnutls_cipher_set_iv(cipher_hnd, iv.data, iv.size); -+ -+ uint8_t tmp[16] = { 0, }; -+ uint32_t tmp_dlength = MIN(length, sizeof(tmp) - 8); -+ -+ memcpy(tmp, confounder, 8); -+ memcpy(tmp + 8, data, tmp_dlength); -+ - rc = gnutls_cipher_decrypt(cipher_hnd, -- data, -- length); -+ tmp, -+ 8 + tmp_dlength); - if (rc < 0) { -+ ZERO_STRUCT(tmp); - gnutls_cipher_deinit(cipher_hnd); - return gnutls_error_to_ntstatus(rc, NT_STATUS_CRYPTO_SYSTEM_INVALID); - } -+ -+ memcpy(confounder, tmp, 8); -+ memcpy(data, tmp + 8, tmp_dlength); -+ ZERO_STRUCT(tmp); -+ -+ if (length > tmp_dlength) { -+ rc = gnutls_cipher_decrypt(cipher_hnd, -+ data + tmp_dlength, -+ length - tmp_dlength); -+ if (rc < 0) { -+ gnutls_cipher_deinit(cipher_hnd); -+ return gnutls_error_to_ntstatus(rc, NT_STATUS_CRYPTO_SYSTEM_INVALID); -+ } -+ } - } - gnutls_cipher_deinit(cipher_hnd); - #else /* NOT HAVE_GNUTLS_AES_CFB8 */ -diff --git a/selftest/knownfail b/selftest/knownfail -index 95db97a44e0..7b54b77a708 100644 ---- a/selftest/knownfail -+++ b/selftest/knownfail -@@ -374,4 +374,3 @@ - ^samba.tests.ntlmdisabled.python\(ktest\).python2.ntlmdisabled.NtlmDisabledTests.test_samr_change_password\(ktest\) - ^samba.tests.ntlmdisabled.python\(ad_dc_no_ntlm\).python3.ntlmdisabled.NtlmDisabledTests.test_ntlm_connection\(ad_dc_no_ntlm\) - ^samba.tests.ntlmdisabled.python\(ad_dc_no_ntlm\).python2.ntlmdisabled.NtlmDisabledTests.test_ntlm_connection\(ad_dc_no_ntlm\) --^samba.unittests.schannel.torture_schannel_seal_aes --- -2.23.0 - diff --git a/SOURCES/0134-libcli-auth-add-gnutls-test-for-aes-128-cfb8-cipher-.patch b/SOURCES/0134-libcli-auth-add-gnutls-test-for-aes-128-cfb8-cipher-.patch deleted file mode 100644 index 5d4c5e2..0000000 
--- a/SOURCES/0134-libcli-auth-add-gnutls-test-for-aes-128-cfb8-cipher-.patch +++ /dev/null 
@@ -1,286 +0,0 @@ -From 3160995484a1e56bb878a28d3f3b0fb4e1eb2869 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= -Date: Sat, 28 Sep 2019 13:10:32 +0200 -Subject: [PATCH 134/187] libcli/auth: add gnutls test for aes-128-cfb8 cipher - bug - -Guenther - -Signed-off-by: Guenther Deschner -Reviewed-by: Andreas Schneider - -Autobuild-User(master): Andreas Schneider -Autobuild-Date(master): Mon Oct 7 09:31:35 UTC 2019 on sn-devel-184 - -(cherry picked from commit 7c2745d41e808b7240358f5d0702dfe7abdc93a1) ---- - libcli/auth/tests/test_gnutls.c | 239 ++++++++++++++++++++++++++++++++ - libcli/auth/wscript_build | 9 ++ - 2 files changed, 248 insertions(+) - create mode 100644 libcli/auth/tests/test_gnutls.c - -diff --git a/libcli/auth/tests/test_gnutls.c b/libcli/auth/tests/test_gnutls.c -new file mode 100644 -index 00000000000..f4ef4ec19c8 ---- /dev/null -+++ b/libcli/auth/tests/test_gnutls.c -@@ -0,0 +1,239 @@ -+/* -+ * Unix SMB/CIFS implementation. -+ * -+ * Copyright (C) 2019 Guenther Deschner -+ * -+ * This program is free software; you can redistribute it and/or modify -+ * it under the terms of the GNU General Public License as published by -+ * the Free Software Foundation; either version 3 of the License, or -+ * (at your option) any later version. -+ * -+ * This program is distributed in the hope that it will be useful, -+ * but WITHOUT ANY WARRANTY; without even the implied warranty of -+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -+ * GNU General Public License for more details. -+ * -+ * You should have received a copy of the GNU General Public License -+ * along with this program. If not, see . 
-+ */ -+ -+#include -+#include -+#include -+#include -+#include -+ -+#include "includes.h" -+ -+#include "lib/crypto/gnutls_helpers.h" -+#include -+#include -+ -+#ifdef HAVE_GNUTLS_AES_CFB8 -+static void torture_gnutls_aes_128_cfb_flags(void **state, -+ const DATA_BLOB session_key, -+ const DATA_BLOB seq_num_initial, -+ const DATA_BLOB confounder_initial, -+ const DATA_BLOB confounder_expected, -+ const DATA_BLOB clear_initial, -+ const DATA_BLOB crypt_expected) -+{ -+ uint8_t confounder[8]; -+ DATA_BLOB io; -+ gnutls_cipher_hd_t cipher_hnd = NULL; -+ uint8_t sess_kf0[16] = {0}; -+ gnutls_datum_t key = { -+ .data = sess_kf0, -+ .size = sizeof(sess_kf0), -+ }; -+ uint32_t iv_size = -+ gnutls_cipher_get_iv_size(GNUTLS_CIPHER_AES_128_CFB8); -+ uint8_t _iv[iv_size]; -+ gnutls_datum_t iv = { -+ .data = _iv, -+ .size = iv_size, -+ }; -+ uint32_t i; -+ int rc; -+ -+ assert_int_equal(session_key.length, 16); -+ assert_int_equal(seq_num_initial.length, 8); -+ assert_int_equal(confounder_initial.length, 8); -+ assert_int_equal(confounder_expected.length, 8); -+ assert_int_equal(clear_initial.length, crypt_expected.length); -+ -+ DEBUG(0,("checking buffer size: %d\n", (int)clear_initial.length)); -+ -+ io = data_blob_dup_talloc(NULL, clear_initial); -+ assert_non_null(io.data); -+ assert_int_equal(io.length, clear_initial.length); -+ -+ memcpy(confounder, confounder_initial.data, 8); -+ -+ DEBUG(0,("confounder before crypt:\n")); -+ dump_data(0, confounder, 8); -+ dump_data(0, seq_num_initial.data, 8); -+ dump_data(0, io.data, io.length); -+ -+ for (i = 0; i < key.size; i++) { -+ key.data[i] = session_key.data[i] ^ 0xf0; -+ } -+ -+ ZERO_ARRAY(_iv); -+ -+ memcpy(iv.data + 0, seq_num_initial.data, 8); -+ memcpy(iv.data + 8, seq_num_initial.data, 8); -+ -+ rc = gnutls_cipher_init(&cipher_hnd, -+ GNUTLS_CIPHER_AES_128_CFB8, -+ &key, -+ &iv); -+ assert_int_equal(rc, 0); -+ -+ rc = gnutls_cipher_encrypt(cipher_hnd, -+ confounder, -+ 8); -+ assert_int_equal(rc, 0); -+ -+ rc = 
gnutls_cipher_encrypt(cipher_hnd, -+ io.data, -+ io.length); -+ assert_int_equal(rc, 0); -+ -+ dump_data(0, io.data, io.length); -+ DEBUG(0,("confounder after crypt:\n")); -+ dump_data(0, confounder, 8); -+ dump_data(0, seq_num_initial.data, 8); -+ assert_memory_equal(io.data, crypt_expected.data, crypt_expected.length); -+ assert_memory_equal(confounder, confounder_expected.data, confounder_expected.length); -+ -+ rc = gnutls_cipher_decrypt(cipher_hnd, -+ confounder, -+ 8); -+ assert_int_equal(rc, 0); -+ -+ rc = gnutls_cipher_decrypt(cipher_hnd, -+ io.data, -+ io.length); -+ assert_int_equal(rc, 0); -+ gnutls_cipher_deinit(cipher_hnd); -+ -+ dump_data(0, io.data, io.length); -+ DEBUG(0,("confounder after decrypt:\n")); -+ dump_data(0, confounder, 8); -+ dump_data(0, seq_num_initial.data, 8); -+ assert_memory_equal(io.data, clear_initial.data, clear_initial.length); -+ assert_memory_equal(confounder, confounder_initial.data, confounder_initial.length); -+} -+#endif -+ -+static void torture_gnutls_aes_128_cfb(void **state) -+{ -+#ifdef HAVE_GNUTLS_AES_CFB8 -+ const uint8_t _session_key[16] = { -+ 0x8E, 0xE8, 0x27, 0x85, 0x83, 0x41, 0x3C, 0x8D, -+ 0xC9, 0x54, 0x70, 0x75, 0x8E, 0xC9, 0x69, 0x91 -+ }; -+ const DATA_BLOB session_key = data_blob_const(_session_key, 16); -+ const uint8_t _seq_num_initial[8] = { -+ 0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x00 -+ }; -+ const DATA_BLOB seq_num_initial = -+ data_blob_const(_seq_num_initial, 8); -+ const uint8_t _confounder_initial[8] = { -+ 0x6E, 0x09, 0x25, 0x94, 0x01, 0xA0, 0x09, 0x31 -+ }; -+ const DATA_BLOB confounder_initial = -+ data_blob_const(_confounder_initial, 8); -+ const uint8_t _confounder_expected[8] = { -+ 0xCA, 0xFB, 0xAC, 0xFB, 0xA8, 0x26, 0x75, 0x2A -+ }; -+ const DATA_BLOB confounder_expected = -+ data_blob_const(_confounder_expected, 8); -+ const uint8_t _clear_initial[] = { -+ 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, -+ 0x01, 0x00, 0x00, 0x00, 0x04, 0x00, 0x02, 0x00, -+ 0x01, 0x00, 0x00, 0x00, 
0x01, 0x01, 0x00, 0x00, -+ 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, -+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, -+ 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, -+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, -+ 0x8A, 0xE3, 0x13, 0x71, 0x02, 0xF4, 0x36, 0x71, -+ 0x01, 0x00, 0x04, 0x00, 0x01, 0x00, 0x00, 0x00, -+ 0x02, 0x40, 0x28, 0x00, 0x78, 0x57, 0x34, 0x12, -+ 0x34, 0x12, 0xCD, 0xAB, 0xEF, 0x00, 0x01, 0x23, -+ 0x45, 0x67, 0x89, 0xAB, 0x00, 0x00, 0x00, 0x00, -+ 0x04, 0x5D, 0x88, 0x8A, 0xEB, 0x1C, 0xC9, 0x11, -+ 0x9F, 0xE8, 0x08, 0x00, 0x2B, 0x10, 0x48, 0x60, -+ 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, -+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 -+ }; -+ const DATA_BLOB clear_initial = data_blob_const(_clear_initial, -+ sizeof(_clear_initial)); -+ const uint8_t crypt_buffer[] = { -+ 0xE2, 0xE5, 0xE3, 0x26, 0x45, 0xFB, 0xFC, 0xF3, -+ 0x9C, 0x14, 0xDD, 0xE1, 0x39, 0x23, 0xE0, 0x55, -+ 0xED, 0x8F, 0xF4, 0x92, 0xA1, 0xBD, 0xDC, 0x40, -+ 0x58, 0x6F, 0xD2, 0x5B, 0xF9, 0xC9, 0xA3, 0x87, -+ 0x46, 0x4B, 0x7F, 0xB2, 0x03, 0xD2, 0x35, 0x22, -+ 0x3E, 0x70, 0x9F, 0x1E, 0x3F, 0x1F, 0xDB, 0x7D, -+ 0x79, 0x88, 0x5A, 0x3D, 0xD3, 0x40, 0x1E, 0x69, -+ 0xD7, 0xE2, 0x1D, 0x5A, 0xE9, 0x3B, 0xE1, 0xE2, -+ 0x98, 0xFD, 0xCB, 0x3A, 0xF7, 0xB5, 0x1C, 0xF8, -+ 0xCA, 0x02, 0x00, 0x99, 0x9F, 0x0C, 0x01, 0xE6, -+ 0xD2, 0x00, 0xAF, 0xE0, 0x51, 0x88, 0x62, 0x50, -+ 0xB7, 0xE8, 0x6D, 0x63, 0x4B, 0x97, 0x05, 0xC1, -+ 0xD4, 0x83, 0x96, 0x29, 0x80, 0xAE, 0xD8, 0xA2, -+ 0xED, 0xC9, 0x5D, 0x0D, 0x29, 0xFF, 0x2C, 0x23, -+ 0x02, 0xFA, 0x3B, 0xEE, 0xE8, 0xBA, 0x06, 0x01, -+ 0x95, 0xDF, 0x80, 0x76, 0x0B, 0x17, 0x0E, 0xD8 -+ }; -+ const DATA_BLOB crypt_expected = data_blob_const(crypt_buffer, -+ sizeof(crypt_buffer)); -+ int buffer_sizes[] = { -+ 0, 1, 3, 7, 8, 9, 15, 16, 17 -+ }; -+ int i; -+ -+ torture_gnutls_aes_128_cfb_flags(state, -+ session_key, -+ seq_num_initial, -+ confounder_initial, -+ confounder_expected, -+ clear_initial, -+ crypt_expected); -+ -+ /* repeat the 
test for varying buffer sizes */ -+ -+ for (i = 0; i < ARRAY_SIZE(buffer_sizes); i++) { -+ DATA_BLOB clear_initial_trunc = -+ data_blob_const(clear_initial.data, buffer_sizes[i]); -+ DATA_BLOB crypt_expected_trunc = -+ data_blob_const(crypt_expected.data, buffer_sizes[i]); -+ torture_gnutls_aes_128_cfb_flags(state, -+ session_key, -+ seq_num_initial, -+ confounder_initial, -+ confounder_expected, -+ clear_initial_trunc, -+ crypt_expected_trunc); -+ } -+#endif -+} -+ -+int main(int argc, char *argv[]) -+{ -+ int rc; -+ const struct CMUnitTest tests[] = { -+ cmocka_unit_test(torture_gnutls_aes_128_cfb), -+ }; -+ -+ if (argc == 2) { -+ cmocka_set_test_filter(argv[1]); -+ } -+ cmocka_set_message_output(CM_OUTPUT_SUBUNIT); -+ -+ rc = cmocka_run_group_tests(tests, NULL, NULL); -+ -+ return rc; -+} -diff --git a/libcli/auth/wscript_build b/libcli/auth/wscript_build -index eabf3814ba1..7b765cd9e43 100644 ---- a/libcli/auth/wscript_build -+++ b/libcli/auth/wscript_build -@@ -71,3 +71,12 @@ bld.SAMBA_BINARY('test_rc4_passwd_buffer', - cmocka - ''', - install=False) -+ -+bld.SAMBA_BINARY('test_gnutls', -+ source='tests/test_gnutls.c', -+ deps=''' -+ gnutls -+ cmocka -+ samba-util -+ ''', -+ install=False) --- -2.23.0 - diff --git a/SOURCES/0135-waf-Check-for-gnutls_aead_cipher_encryptv2.patch b/SOURCES/0135-waf-Check-for-gnutls_aead_cipher_encryptv2.patch deleted file mode 100644 index b82c980..0000000 --- a/SOURCES/0135-waf-Check-for-gnutls_aead_cipher_encryptv2.patch +++ /dev/null 
@@ -1,29 +0,0 @@ -From e4823cc53490b21661eac22a0cf9799af6d1fd91 Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Fri, 23 Aug 2019 08:40:00 +0200 -Subject: [PATCH 135/187] waf: Check for gnutls_aead_cipher_encryptv2() - -Signed-off-by: Andreas Schneider -Reviewed-by: Simo Sorce -(cherry picked from commit fa255a36df87e41717d9630ea96ac9439e186062) ---- - wscript_configure_system_gnutls | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/wscript_configure_system_gnutls b/wscript_configure_system_gnutls -index f71fd4fb97f..f6d9ac3c65e 100644 ---- a/wscript_configure_system_gnutls -+++ b/wscript_configure_system_gnutls -@@ -15,6 +15,9 @@ conf.SET_TARGET_TYPE('gnutls', 'SYSLIB') - # Check for gnutls_pkcs7_get_embedded_data_oid (>= 3.5.5) required by libmscat - conf.CHECK_FUNCS_IN('gnutls_pkcs7_get_embedded_data_oid', 'gnutls') - -+# Check for gnutls_aead_cipher_encryptv2 (>= 3.6.10) -+conf.CHECK_FUNCS_IN('gnutls_aead_cipher_encryptv2', 'gnutls') -+ - if conf.CHECK_VALUEOF('GNUTLS_CIPHER_AES_128_CFB8', headers='gnutls/gnutls.h'): - conf.DEFINE('HAVE_GNUTLS_AES_CFB8', 1) - else: --- -2.23.0 - diff --git a/SOURCES/0136-libcli-smb-Use-gnutls_aead_cipher_encryptv2-for-AES-.patch b/SOURCES/0136-libcli-smb-Use-gnutls_aead_cipher_encryptv2-for-AES-.patch deleted file mode 100644 index 088e589..0000000 --- a/SOURCES/0136-libcli-smb-Use-gnutls_aead_cipher_encryptv2-for-AES-.patch +++ /dev/null 
@@ -1,86 +0,0 @@ -From d841537e0e835cda608d3f2b654d10d36d539bc5 Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Fri, 23 Aug 2019 08:54:54 +0200 -Subject: [PATCH 136/187] libcli:smb: Use gnutls_aead_cipher_encryptv2() for - AES GCM or CCM - -This is a new call which has been added with GnuTLS 3.6.10 and will -recuduce memory allocations and copying of data. - -Signed-off-by: Andreas Schneider -Reviewed-by: Simo Sorce -(cherry picked from commit 70fdd4821aa811f90944bee17cc85e3ae9302279) ---- - libcli/smb/smb2_signing.c | 32 ++++++++++++++++++++++++++++++-- - 1 file changed, 30 insertions(+), 2 deletions(-) - -diff --git a/libcli/smb/smb2_signing.c b/libcli/smb/smb2_signing.c -index c39f8e4780a..ac0f6f4d29f 100644 ---- a/libcli/smb/smb2_signing.c -+++ b/libcli/smb/smb2_signing.c -@@ -392,12 +392,11 @@ NTSTATUS smb2_signing_encrypt_pdu(struct smb2_signing_key *encryption_key, - int count) - { - uint8_t *tf; -- int i; - size_t a_total; - ssize_t m_total; - uint32_t iv_size = 0; - uint32_t key_size = 0; -- uint32_t tag_size = 0; -+ size_t tag_size = 0; - uint8_t _key[16] = {0}; - gnutls_cipher_algorithm_t algo = 0; - gnutls_datum_t key; -@@ -479,12 +478,40 @@ NTSTATUS smb2_signing_encrypt_pdu(struct smb2_signing_key *encryption_key, - 0, - 16 - iv_size); - -+#ifdef HAVE_GNUTLS_AEAD_CIPHER_ENCRYPTV2 -+ { -+ uint8_t tag[tag_size]; -+ giovec_t auth_iov[1]; -+ -+ auth_iov[0] = (giovec_t) { -+ .iov_base = tf + SMB2_TF_NONCE, -+ .iov_len = a_total, -+ }; -+ -+ rc = gnutls_aead_cipher_encryptv2(encryption_key->cipher_hnd, -+ iv.data, -+ iv.size, -+ auth_iov, -+ 1, -+ &vector[1], -+ count - 1, -+ tag, -+ &tag_size); -+ if (rc < 0) { -+ status = gnutls_error_to_ntstatus(rc, NT_STATUS_INTERNAL_ERROR); -+ goto out; -+ } -+ -+ memcpy(tf + SMB2_TF_SIGNATURE, tag, tag_size); -+ } -+#else /* HAVE_GNUTLS_AEAD_CIPHER_ENCRYPTV2 */ - { - size_t ptext_size = m_total; - uint8_t *ptext = NULL; - size_t ctext_size = m_total + tag_size; - uint8_t *ctext = NULL; - size_t len = 0; -+ int 
i; - - ptext = talloc_size(talloc_tos(), ptext_size); - if (ptext == NULL) { -@@ -543,6 +570,7 @@ NTSTATUS smb2_signing_encrypt_pdu(struct smb2_signing_key *encryption_key, - TALLOC_FREE(ptext); - TALLOC_FREE(ctext); - } -+#endif /* HAVE_GNUTLS_AEAD_CIPHER_ENCRYPTV2 */ - - DBG_INFO("Enencrypted SMB2 message\n"); - --- -2.23.0 - diff --git a/SOURCES/0137-libcli-smb-Use-gnutls_aead_cipher_decryptv2-for-AES-.patch b/SOURCES/0137-libcli-smb-Use-gnutls_aead_cipher_decryptv2-for-AES-.patch deleted file mode 100644 index cac5963..0000000 --- a/SOURCES/0137-libcli-smb-Use-gnutls_aead_cipher_decryptv2-for-AES-.patch +++ /dev/null 
@@ -1,88 +0,0 @@ -From 8b5c3ae97f0e30e8df78e81c53b4ba02365a299d Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Fri, 23 Aug 2019 09:12:21 +0200 -Subject: [PATCH 137/187] libcli:smb: Use gnutls_aead_cipher_decryptv2() for - AES GCM or CCM - -This is a new call which has been added with GnuTLS 3.6.10 and will -recuduce memory allocations and copying of data. - -Signed-off-by: Andreas Schneider -Reviewed-by: Simo Sorce - -Autobuild-User(master): Andreas Schneider -Autobuild-Date(master): Tue Oct 8 14:12:44 UTC 2019 on sn-devel-184 - -(cherry picked from commit 4a24d9499757dea377b4e3d8beb7f2c10fd5c5d0) ---- - libcli/smb/smb2_signing.c | 29 +++++++++++++++++++++++++++-- - 1 file changed, 27 insertions(+), 2 deletions(-) - -diff --git a/libcli/smb/smb2_signing.c b/libcli/smb/smb2_signing.c -index ac0f6f4d29f..166ab9d83ff 100644 ---- a/libcli/smb/smb2_signing.c -+++ b/libcli/smb/smb2_signing.c -@@ -588,13 +588,12 @@ NTSTATUS smb2_signing_decrypt_pdu(struct smb2_signing_key *decryption_key, - { - uint8_t *tf; - uint16_t flags; -- int i; - size_t a_total; - ssize_t m_total; - uint32_t msg_size = 0; - uint32_t iv_size = 0; - uint32_t key_size = 0; -- uint32_t tag_size = 0; -+ size_t tag_size = 0; - uint8_t _key[16] = {0}; - gnutls_cipher_algorithm_t algo = 0; - gnutls_datum_t key; -@@ -680,12 +679,37 @@ NTSTATUS smb2_signing_decrypt_pdu(struct smb2_signing_key *decryption_key, - } - } - -+#ifdef HAVE_GNUTLS_AEAD_CIPHER_ENCRYPTV2 -+ { -+ giovec_t auth_iov[1]; -+ -+ auth_iov[0] = (giovec_t) { -+ .iov_base = tf + SMB2_TF_NONCE, -+ .iov_len = a_total, -+ }; -+ -+ rc = gnutls_aead_cipher_decryptv2(decryption_key->cipher_hnd, -+ iv.data, -+ iv.size, -+ auth_iov, -+ 1, -+ &vector[1], -+ count - 1, -+ tf + SMB2_TF_SIGNATURE, -+ tag_size); -+ if (rc < 0) { -+ status = gnutls_error_to_ntstatus(rc, NT_STATUS_INTERNAL_ERROR); -+ goto out; -+ } -+ } -+#else /* HAVE_GNUTLS_AEAD_CIPHER_ENCRYPTV2 */ - { - size_t ctext_size = m_total + tag_size; - uint8_t *ctext = NULL; - size_t 
ptext_size = m_total; - uint8_t *ptext = NULL; - size_t len = 0; -+ int i; - - /* GnuTLS doesn't have a iovec API for decryption yet */ - -@@ -751,6 +775,7 @@ NTSTATUS smb2_signing_decrypt_pdu(struct smb2_signing_key *decryption_key, - TALLOC_FREE(ptext); - TALLOC_FREE(ctext); - } -+#endif /* HAVE_GNUTLS_AEAD_CIPHER_ENCRYPTV2 */ - - DBG_INFO("Decrypted SMB2 message\n"); - --- -2.23.0 - diff --git a/SOURCES/0138-libcli-smb-Do-not-use-gnutls_aead_cipher_encryptv2-w.patch b/SOURCES/0138-libcli-smb-Do-not-use-gnutls_aead_cipher_encryptv2-w.patch deleted file mode 100644 index 9b90d9b..0000000 --- a/SOURCES/0138-libcli-smb-Do-not-use-gnutls_aead_cipher_encryptv2-w.patch +++ /dev/null 
@@ -1,47 +0,0 @@ -From d2c3c0ccc6ec7f38b995545d31431d013bd7e047 Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Mon, 4 Nov 2019 08:40:34 +0100 -Subject: [PATCH 138/187] libcli:smb: Do not use gnutls_aead_cipher_encryptv2() - with GnuTLS 3.6.10 - -The gnutls_aead_cipher_encryptv2() implementation was released with a -bug. This wont be fixed before 3.6.11. - -See https://gitlab.com/gnutls/gnutls/merge_requests/1085 - -Signed-off-by: Andreas Schneider -Reviewed-by: Alexander Bokovoy -(cherry picked from commit 176d0f0364bc1deb3c8df2f3bb928e01f89f216b) ---- - libcli/smb/smb2_signing.c | 8 ++++++-- - 1 file changed, 6 insertions(+), 2 deletions(-) - -diff --git a/libcli/smb/smb2_signing.c b/libcli/smb/smb2_signing.c -index 166ab9d83ff..7561a7a858d 100644 ---- a/libcli/smb/smb2_signing.c -+++ b/libcli/smb/smb2_signing.c -@@ -478,7 +478,9 @@ NTSTATUS smb2_signing_encrypt_pdu(struct smb2_signing_key *encryption_key, - 0, - 16 - iv_size); - --#ifdef HAVE_GNUTLS_AEAD_CIPHER_ENCRYPTV2 -+/* gnutls_aead_cipher_encryptv2() has a bug in version 3.6.10 */ -+#if defined(HAVE_GNUTLS_AEAD_CIPHER_ENCRYPTV2) && \ -+ GNUTLS_VERSION_NUMBER > 0x03060a - { - uint8_t tag[tag_size]; - giovec_t auth_iov[1]; -@@ -679,7 +681,9 @@ NTSTATUS smb2_signing_decrypt_pdu(struct smb2_signing_key *decryption_key, - } - } - --#ifdef HAVE_GNUTLS_AEAD_CIPHER_ENCRYPTV2 -+/* gnutls_aead_cipher_encryptv2() has a bug in version 3.6.10 */ -+#if defined(HAVE_GNUTLS_AEAD_CIPHER_ENCRYPTV2) && \ -+ GNUTLS_VERSION_NUMBER > 0x03060a - { - giovec_t auth_iov[1]; - --- -2.23.0 - diff --git a/SOURCES/0139-libcli-auth-Return-NTSTATUS-for-SMBOWFencrypt_ntv2.patch b/SOURCES/0139-libcli-auth-Return-NTSTATUS-for-SMBOWFencrypt_ntv2.patch deleted file mode 100644 index 3bd6149..0000000 --- a/SOURCES/0139-libcli-auth-Return-NTSTATUS-for-SMBOWFencrypt_ntv2.patch +++ /dev/null 
@@ -1,76 +0,0 @@ -From 3900f0a63c3aedee8b5a53e4eda4c41a6b0f0f3e Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Wed, 13 Nov 2019 12:40:02 +0100 -Subject: [PATCH 139/187] libcli:auth: Return NTSTATUS for SMBOWFencrypt_ntv2() - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14195 - -Signed-off-by: Andreas Schneider -Reviewed-by: Andrew Bartlett -(cherry picked from commit 045b9eb3f088c66e20bd19e144a2ce3597328d93) ---- - libcli/auth/proto.h | 5 +++-- - libcli/auth/smbencrypt.c | 24 ++++++++++++++++-------- - 2 files changed, 19 insertions(+), 10 deletions(-) - -diff --git a/libcli/auth/proto.h b/libcli/auth/proto.h -index 714652bdb76..4c20783124b 100644 ---- a/libcli/auth/proto.h -+++ b/libcli/auth/proto.h -@@ -139,8 +139,9 @@ void SMBOWFencrypt_ntv2(const uint8_t kr[16], - const DATA_BLOB *srv_chal, - const DATA_BLOB *smbcli_chal, - uint8_t resp_buf[16]); --void SMBsesskeygen_ntv2(const uint8_t kr[16], -- const uint8_t * nt_resp, uint8_t sess_key[16]); -+NTSTATUS SMBsesskeygen_ntv2(const uint8_t kr[16], -+ const uint8_t *nt_resp, -+ uint8_t sess_key[16]); - void SMBsesskeygen_ntv1(const uint8_t kr[16], uint8_t sess_key[16]); - void SMBsesskeygen_lm_sess_key(const uint8_t lm_hash[16], - const uint8_t lm_resp[24], /* only uses 8 */ -diff --git a/libcli/auth/smbencrypt.c b/libcli/auth/smbencrypt.c -index cc5e1fbb899..904d2c38219 100644 ---- a/libcli/auth/smbencrypt.c -+++ b/libcli/auth/smbencrypt.c -@@ -370,21 +370,29 @@ void SMBOWFencrypt_ntv2(const uint8_t kr[16], - #endif - } - --void SMBsesskeygen_ntv2(const uint8_t kr[16], -- const uint8_t * nt_resp, uint8_t sess_key[16]) -+NTSTATUS SMBsesskeygen_ntv2(const uint8_t kr[16], -+ const uint8_t *nt_resp, -+ uint8_t sess_key[16]) - { -+ int rc; -+ - /* a very nice, 128 bit, variable session key */ -- gnutls_hmac_fast(GNUTLS_MAC_MD5, -- kr, -- 16, -- nt_resp, -- 16, -- sess_key); -+ rc = gnutls_hmac_fast(GNUTLS_MAC_MD5, -+ kr, -+ 16, -+ nt_resp, -+ 16, -+ sess_key); -+ if (rc != 0) { -+ return 
gnutls_error_to_ntstatus(rc, NT_STATUS_HASH_NOT_SUPPORTED); -+ } - - #ifdef DEBUG_PASSWORD - DEBUG(100, ("SMBsesskeygen_ntv2:\n")); - dump_data(100, sess_key, 16); - #endif -+ -+ return NT_STATUS_OK; - } - - void SMBsesskeygen_ntv1(const uint8_t kr[16], uint8_t sess_key[16]) --- -2.23.0 - diff --git a/SOURCES/0140-libcli-auth-Check-return-codes-of-SMBsesskeygen_ntv2.patch b/SOURCES/0140-libcli-auth-Check-return-codes-of-SMBsesskeygen_ntv2.patch deleted file mode 100644 index 0727178..0000000 --- a/SOURCES/0140-libcli-auth-Check-return-codes-of-SMBsesskeygen_ntv2.patch +++ /dev/null 
@@ -1,102 +0,0 @@ -From 042dc64f099a2aa2dd44ba9a00c29e05eed0848b Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Wed, 13 Nov 2019 12:45:04 +0100 -Subject: [PATCH 140/187] libcli:auth: Check return codes of - SMBsesskeygen_ntv2() - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14195 - -Signed-off-by: Andreas Schneider -Reviewed-by: Andrew Bartlett -(cherry picked from commit 0914824684b3a69a9926402d447e1d5781f2ec02) ---- - libcli/auth/ntlm_check.c | 17 +++++++++++++++-- - libcli/auth/smbencrypt.c | 15 +++++++++++++-- - 2 files changed, 28 insertions(+), 4 deletions(-) - -diff --git a/libcli/auth/ntlm_check.c b/libcli/auth/ntlm_check.c -index 3844abde528..ba0051d7aea 100644 ---- a/libcli/auth/ntlm_check.c -+++ b/libcli/auth/ntlm_check.c -@@ -142,8 +142,15 @@ static bool smb_pwd_check_ntlmv2(TALLOC_CTX *mem_ctx, - data_blob_clear_free(&client_key_data); - if (memcmp(value_from_encryption, ntv2_response->data, 16) == 0) { - if (user_sess_key != NULL) { -+ NTSTATUS status; - *user_sess_key = data_blob_talloc(mem_ctx, NULL, 16); -- SMBsesskeygen_ntv2(kr, value_from_encryption, user_sess_key->data); -+ -+ status = SMBsesskeygen_ntv2(kr, -+ value_from_encryption, -+ user_sess_key->data); -+ if (!NT_STATUS_IS_OK(status)) { -+ return false; -+ } - } - return true; - } -@@ -166,6 +173,7 @@ static bool smb_sess_key_ntlmv2(TALLOC_CTX *mem_ctx, - uint8_t kr[16]; - uint8_t value_from_encryption[16]; - DATA_BLOB client_key_data; -+ NTSTATUS status; - - if (part_passwd == NULL) { - DEBUG(10,("No password set - DISALLOWING access\n")); -@@ -196,7 +204,12 @@ static bool smb_sess_key_ntlmv2(TALLOC_CTX *mem_ctx, - - SMBOWFencrypt_ntv2(kr, sec_blob, &client_key_data, value_from_encryption); - *user_sess_key = data_blob_talloc(mem_ctx, NULL, 16); -- SMBsesskeygen_ntv2(kr, value_from_encryption, user_sess_key->data); -+ status = SMBsesskeygen_ntv2(kr, -+ value_from_encryption, -+ user_sess_key->data); -+ if (!NT_STATUS_IS_OK(status)) { -+ return false; -+ } - return true; - } 
- -diff --git a/libcli/auth/smbencrypt.c b/libcli/auth/smbencrypt.c -index 904d2c38219..1412274dd21 100644 ---- a/libcli/auth/smbencrypt.c -+++ b/libcli/auth/smbencrypt.c -@@ -551,6 +551,7 @@ bool SMBNTLMv2encrypt_hash(TALLOC_CTX *mem_ctx, - DATA_BLOB *lm_session_key, DATA_BLOB *user_session_key) - { - uint8_t ntlm_v2_hash[16]; -+ NTSTATUS status; - - /* We don't use the NT# directly. Instead we use it mashed up with - the username and domain. -@@ -580,7 +581,12 @@ bool SMBNTLMv2encrypt_hash(TALLOC_CTX *mem_ctx, - - /* The NTLMv2 calculations also provide a session key, for signing etc later */ - /* use only the first 16 bytes of nt_response for session key */ -- SMBsesskeygen_ntv2(ntlm_v2_hash, nt_response->data, user_session_key->data); -+ status = SMBsesskeygen_ntv2(ntlm_v2_hash, -+ nt_response->data, -+ user_session_key->data); -+ if (!NT_STATUS_IS_OK(status)) { -+ return false; -+ } - } - } - -@@ -599,7 +605,12 @@ bool SMBNTLMv2encrypt_hash(TALLOC_CTX *mem_ctx, - - /* The NTLMv2 calculations also provide a session key, for signing etc later */ - /* use only the first 16 bytes of lm_response for session key */ -- SMBsesskeygen_ntv2(ntlm_v2_hash, lm_response->data, lm_session_key->data); -+ status = SMBsesskeygen_ntv2(ntlm_v2_hash, -+ lm_response->data, -+ lm_session_key->data); -+ if (!NT_STATUS_IS_OK(status)) { -+ return false; -+ } - } - } - --- -2.23.0 - diff --git a/SOURCES/0141-libcli-auth-Return-NTSTATUS-for-SMBOWFencrypt_ntv2.patch b/SOURCES/0141-libcli-auth-Return-NTSTATUS-for-SMBOWFencrypt_ntv2.patch deleted file mode 100644 index ad7fedd..0000000 --- a/SOURCES/0141-libcli-auth-Return-NTSTATUS-for-SMBOWFencrypt_ntv2.patch +++ /dev/null 
@@ -1,97 +0,0 @@ -From ca20c23eb8c468d96f7e302ab32362d61adb4d8f Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Wed, 13 Nov 2019 12:48:18 +0100 -Subject: [PATCH 141/187] libcli:auth: Return NTSTATUS for SMBOWFencrypt_ntv2() - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14195 - -Signed-off-by: Andreas Schneider -Reviewed-by: Andrew Bartlett -(cherry picked from commit dc75a5f27eb32caf2f2adc289bc82fb0f8042cb3) ---- - libcli/auth/proto.h | 8 ++++---- - libcli/auth/smbencrypt.c | 25 +++++++++++++++---------- - 2 files changed, 19 insertions(+), 14 deletions(-) - -diff --git a/libcli/auth/proto.h b/libcli/auth/proto.h -index 4c20783124b..52a33d8d457 100644 ---- a/libcli/auth/proto.h -+++ b/libcli/auth/proto.h -@@ -135,10 +135,10 @@ bool ntv2_owf_gen(const uint8_t owf[16], - void SMBOWFencrypt(const uint8_t passwd[16], const uint8_t *c8, uint8_t p24[24]); - void SMBNTencrypt_hash(const uint8_t nt_hash[16], const uint8_t *c8, uint8_t *p24); - void SMBNTencrypt(const char *passwd, const uint8_t *c8, uint8_t *p24); --void SMBOWFencrypt_ntv2(const uint8_t kr[16], -- const DATA_BLOB *srv_chal, -- const DATA_BLOB *smbcli_chal, -- uint8_t resp_buf[16]); -+NTSTATUS SMBOWFencrypt_ntv2(const uint8_t kr[16], -+ const DATA_BLOB *srv_chal, -+ const DATA_BLOB *smbcli_chal, -+ uint8_t resp_buf[16]); - NTSTATUS SMBsesskeygen_ntv2(const uint8_t kr[16], - const uint8_t *nt_resp, - uint8_t sess_key[16]); -diff --git a/libcli/auth/smbencrypt.c b/libcli/auth/smbencrypt.c -index 1412274dd21..e7ed0630cdc 100644 ---- a/libcli/auth/smbencrypt.c -+++ b/libcli/auth/smbencrypt.c -@@ -334,12 +334,13 @@ void SMBNTencrypt(const char *passwd, const uint8_t *c8, uint8_t *p24) - - - /* Does the md5 encryption from the Key Response for NTLMv2. 
*/ --void SMBOWFencrypt_ntv2(const uint8_t kr[16], -- const DATA_BLOB *srv_chal, -- const DATA_BLOB *smbcli_chal, -- uint8_t resp_buf[16]) -+NTSTATUS SMBOWFencrypt_ntv2(const uint8_t kr[16], -+ const DATA_BLOB *srv_chal, -+ const DATA_BLOB *smbcli_chal, -+ uint8_t resp_buf[16]) - { - gnutls_hmac_hd_t hmac_hnd = NULL; -+ NTSTATUS status; - int rc; - - rc = gnutls_hmac_init(&hmac_hnd, -@@ -347,27 +348,31 @@ void SMBOWFencrypt_ntv2(const uint8_t kr[16], - kr, - 16); - if (rc < 0) { -- return; -+ return gnutls_error_to_ntstatus(rc, NT_STATUS_HMAC_NOT_SUPPORTED); - } - - rc = gnutls_hmac(hmac_hnd, srv_chal->data, srv_chal->length); - if (rc < 0) { -- return; -+ status = gnutls_error_to_ntstatus(rc, NT_STATUS_HMAC_NOT_SUPPORTED); -+ goto out; - } - rc = gnutls_hmac(hmac_hnd, smbcli_chal->data, smbcli_chal->length); - if (rc < 0) { -- gnutls_hmac_deinit(hmac_hnd, NULL); -- return; -+ status = gnutls_error_to_ntstatus(rc, NT_STATUS_HMAC_NOT_SUPPORTED); -+ goto out; - } - -- gnutls_hmac_deinit(hmac_hnd, resp_buf); -- - #ifdef DEBUG_PASSWORD - DEBUG(100, ("SMBOWFencrypt_ntv2: srv_chal, smbcli_chal, resp_buf\n")); - dump_data(100, srv_chal->data, srv_chal->length); - dump_data(100, smbcli_chal->data, smbcli_chal->length); - dump_data(100, resp_buf, 16); - #endif -+ -+ status = NT_STATUS_OK; -+out: -+ gnutls_hmac_deinit(hmac_hnd, resp_buf); -+ return status; - } - - NTSTATUS SMBsesskeygen_ntv2(const uint8_t kr[16], --- -2.23.0 - diff --git a/SOURCES/0142-libcli-auth-Check-return-code-of-SMBOWFencrypt_ntv2.patch b/SOURCES/0142-libcli-auth-Check-return-code-of-SMBOWFencrypt_ntv2.patch deleted file mode 100644 index f6bf2c9..0000000 --- a/SOURCES/0142-libcli-auth-Check-return-code-of-SMBOWFencrypt_ntv2.patch +++ /dev/null 
@@ -1,120 +0,0 @@ -From 7dbe3c67368a1b5d81564b61650f1e85beb4e1c8 Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Wed, 13 Nov 2019 12:52:44 +0100 -Subject: [PATCH 142/187] libcli:auth: Check return code of - SMBOWFencrypt_ntv2() - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14195 - -Signed-off-by: Andreas Schneider -Reviewed-by: Andrew Bartlett -(cherry picked from commit 3db2ca2dcf367a6c57071a76668d19f3cbf62565) ---- - libcli/auth/ntlm_check.c | 18 +++++++++++++++--- - libcli/auth/smbencrypt.c | 20 ++++++++++++++++++-- - 2 files changed, 33 insertions(+), 5 deletions(-) - -diff --git a/libcli/auth/ntlm_check.c b/libcli/auth/ntlm_check.c -index ba0051d7aea..5058add3811 100644 ---- a/libcli/auth/ntlm_check.c -+++ b/libcli/auth/ntlm_check.c -@@ -93,6 +93,7 @@ static bool smb_pwd_check_ntlmv2(TALLOC_CTX *mem_ctx, - uint8_t kr[16]; - uint8_t value_from_encryption[16]; - DATA_BLOB client_key_data; -+ NTSTATUS status; - - if (part_passwd == NULL) { - DEBUG(10,("No password set - DISALLOWING access\n")); -@@ -125,7 +126,13 @@ static bool smb_pwd_check_ntlmv2(TALLOC_CTX *mem_ctx, - return false; - } - -- SMBOWFencrypt_ntv2(kr, sec_blob, &client_key_data, value_from_encryption); -+ status = SMBOWFencrypt_ntv2(kr, -+ sec_blob, -+ &client_key_data, -+ value_from_encryption); -+ if (!NT_STATUS_IS_OK(status)) { -+ return false; -+ } - - #if DEBUG_PASSWORD - DEBUG(100,("Part password (P16) was |\n")); -@@ -142,7 +149,6 @@ static bool smb_pwd_check_ntlmv2(TALLOC_CTX *mem_ctx, - data_blob_clear_free(&client_key_data); - if (memcmp(value_from_encryption, ntv2_response->data, 16) == 0) { - if (user_sess_key != NULL) { -- NTSTATUS status; - *user_sess_key = data_blob_talloc(mem_ctx, NULL, 16); - - status = SMBsesskeygen_ntv2(kr, -@@ -202,7 +208,13 @@ static bool smb_sess_key_ntlmv2(TALLOC_CTX *mem_ctx, - return false; - } - -- SMBOWFencrypt_ntv2(kr, sec_blob, &client_key_data, value_from_encryption); -+ status = SMBOWFencrypt_ntv2(kr, -+ sec_blob, -+ &client_key_data, -+ 
value_from_encryption); -+ if (!NT_STATUS_IS_OK(status)) { -+ return false; -+ } - *user_sess_key = data_blob_talloc(mem_ctx, NULL, 16); - status = SMBsesskeygen_ntv2(kr, - value_from_encryption, -diff --git a/libcli/auth/smbencrypt.c b/libcli/auth/smbencrypt.c -index e7ed0630cdc..e33d29de19d 100644 ---- a/libcli/auth/smbencrypt.c -+++ b/libcli/auth/smbencrypt.c -@@ -493,6 +493,7 @@ static DATA_BLOB NTLMv2_generate_response(TALLOC_CTX *out_mem_ctx, - uint8_t ntlmv2_response[16]; - DATA_BLOB ntlmv2_client_data; - DATA_BLOB final_response; -+ NTSTATUS status; - - TALLOC_CTX *mem_ctx = talloc_named(out_mem_ctx, 0, - "NTLMv2_generate_response internal context"); -@@ -507,7 +508,14 @@ static DATA_BLOB NTLMv2_generate_response(TALLOC_CTX *out_mem_ctx, - ntlmv2_client_data = NTLMv2_generate_client_data(mem_ctx, nttime, names_blob); - - /* Given that data, and the challenge from the server, generate a response */ -- SMBOWFencrypt_ntv2(ntlm_v2_hash, server_chal, &ntlmv2_client_data, ntlmv2_response); -+ status = SMBOWFencrypt_ntv2(ntlm_v2_hash, -+ server_chal, -+ &ntlmv2_client_data, -+ ntlmv2_response); -+ if (!NT_STATUS_IS_OK(status)) { -+ talloc_free(mem_ctx); -+ return data_blob(NULL, 0); -+ } - - final_response = data_blob_talloc(out_mem_ctx, NULL, sizeof(ntlmv2_response) + ntlmv2_client_data.length); - -@@ -528,13 +536,21 @@ static DATA_BLOB LMv2_generate_response(TALLOC_CTX *mem_ctx, - uint8_t lmv2_response[16]; - DATA_BLOB lmv2_client_data = data_blob_talloc(mem_ctx, NULL, 8); - DATA_BLOB final_response = data_blob_talloc(mem_ctx, NULL,24); -+ NTSTATUS status; - - /* LMv2 */ - /* client-supplied random data */ - generate_random_buffer(lmv2_client_data.data, lmv2_client_data.length); - - /* Given that data, and the challenge from the server, generate a response */ -- SMBOWFencrypt_ntv2(ntlm_v2_hash, server_chal, &lmv2_client_data, lmv2_response); -+ status = SMBOWFencrypt_ntv2(ntlm_v2_hash, -+ server_chal, -+ &lmv2_client_data, -+ lmv2_response); -+ if 
(!NT_STATUS_IS_OK(status)) { -+ data_blob_free(&lmv2_client_data); -+ return data_blob(NULL, 0); -+ } - memcpy(final_response.data, lmv2_response, sizeof(lmv2_response)); - - /* after the first 16 bytes is the random data we generated above, --- -2.23.0 - diff --git a/SOURCES/0143-s4-rpc_server-Remove-gnutls_global_-de-init.patch b/SOURCES/0143-s4-rpc_server-Remove-gnutls_global_-de-init.patch deleted file mode 100644 index fedf22d..0000000 --- a/SOURCES/0143-s4-rpc_server-Remove-gnutls_global_-de-init.patch +++ /dev/null @@ -1,38 +0,0 @@ -From 3c980ebcb7449db0082b68660fafcae6113d2645 Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Wed, 13 Nov 2019 13:57:53 +0100 -Subject: [PATCH 143/187] s4:rpc_server: Remove gnutls_global_(de)init() - -This is done by the gnutls library constructor/destructor. - -Signed-off-by: Andreas Schneider -Reviewed-by: Andrew Bartlett -(cherry picked from commit afb5cb669ceeb68bf93ef8db07abcc5d424580cd) ---- - source4/rpc_server/backupkey/dcesrv_backupkey.c | 3 --- - 1 file changed, 3 deletions(-) - -diff --git a/source4/rpc_server/backupkey/dcesrv_backupkey.c b/source4/rpc_server/backupkey/dcesrv_backupkey.c -index cea6a28e4e2..36f5e5823eb 100644 ---- a/source4/rpc_server/backupkey/dcesrv_backupkey.c -+++ b/source4/rpc_server/backupkey/dcesrv_backupkey.c -@@ -1802,8 +1802,6 @@ static WERROR dcesrv_bkrp_BackupKey(struct dcesrv_call_state *dce_call, - /* At which level we start to add more debug of what is done in the protocol */ - const int debuglevel = 4; - -- gnutls_global_init(); -- - if (DEBUGLVL(debuglevel)) { - const struct tsocket_address *remote_address; - remote_address = dcesrv_connection_get_remote_address(dce_call->conn); -@@ -1856,7 +1854,6 @@ static WERROR dcesrv_bkrp_BackupKey(struct dcesrv_call_state *dce_call, - } - /*else: I am a RODC so I don't handle backup key protocol */ - -- gnutls_global_deinit(); - talloc_unlink(mem_ctx, ldb_ctx); - return error; - } --- -2.23.0 - 
diff --git a/SOURCES/0144-s4-lib-Remove-gnutls_global_-de-init-from-libtls.patch b/SOURCES/0144-s4-lib-Remove-gnutls_global_-de-init-from-libtls.patch deleted file mode 100644 index df1562a..0000000 --- a/SOURCES/0144-s4-lib-Remove-gnutls_global_-de-init-from-libtls.patch +++ /dev/null 
@@ -1,69 +0,0 @@ -From 85dab1964a66f2c520a88b368cacf655abdb89db Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Wed, 13 Nov 2019 13:59:30 +0100 -Subject: [PATCH 144/187] s4:lib: Remove gnutls_global_(de)init() from libtls - -This is handled by the gnutls library constructor/destructor. - -Signed-off-by: Andreas Schneider -Reviewed-by: Andrew Bartlett -(cherry picked from commit 0e159b725ecf2f9a6d026170253e2d1eb73ed0c2) ---- - source4/lib/tls/tls_tstream.c | 12 ------------ - source4/lib/tls/tlscert.c | 3 --- - 2 files changed, 15 deletions(-) - -diff --git a/source4/lib/tls/tls_tstream.c b/source4/lib/tls/tls_tstream.c -index b68996db894..55bca036776 100644 ---- a/source4/lib/tls/tls_tstream.c -+++ b/source4/lib/tls/tls_tstream.c -@@ -903,12 +903,6 @@ NTSTATUS tstream_tls_params_client(TALLOC_CTX *mem_ctx, - struct tstream_tls_params *tlsp; - int ret; - -- ret = gnutls_global_init(); -- if (ret != GNUTLS_E_SUCCESS) { -- DEBUG(0,("TLS %s - %s\n", __location__, gnutls_strerror(ret))); -- return NT_STATUS_NOT_SUPPORTED; -- } -- - tlsp = talloc_zero(mem_ctx, struct tstream_tls_params); - NT_STATUS_HAVE_NO_MEMORY(tlsp); - -@@ -1123,12 +1117,6 @@ NTSTATUS tstream_tls_params_server(TALLOC_CTX *mem_ctx, - return NT_STATUS_OK; - } - -- ret = gnutls_global_init(); -- if (ret != GNUTLS_E_SUCCESS) { -- DEBUG(0,("TLS %s - %s\n", __location__, gnutls_strerror(ret))); -- return NT_STATUS_NOT_SUPPORTED; -- } -- - tlsp = talloc_zero(mem_ctx, struct tstream_tls_params); - NT_STATUS_HAVE_NO_MEMORY(tlsp); - -diff --git a/source4/lib/tls/tlscert.c b/source4/lib/tls/tlscert.c -index e02ee13d7e9..f5e9a1f2d39 100644 ---- a/source4/lib/tls/tlscert.c -+++ b/source4/lib/tls/tlscert.c -@@ -62,8 +62,6 @@ void tls_cert_generate(TALLOC_CTX *mem_ctx, - } \ - } while (0) - -- TLSCHECK(gnutls_global_init()); -- - DEBUG(0,("Attempting to autogenerate TLS self-signed keys for https for hostname '%s'\n", - hostname)); - -@@ -150,7 +148,6 @@ void tls_cert_generate(TALLOC_CTX *mem_ctx, - 
gnutls_x509_privkey_deinit(cakey); - gnutls_x509_crt_deinit(cacrt); - gnutls_x509_crt_deinit(crt); -- gnutls_global_deinit(); - - DEBUG(0,("TLS self-signed keys generated OK\n")); - return; --- -2.23.0 - diff --git a/SOURCES/0145-s4-torture-Remove-calls-to-gnutls_global_-de-init-in.patch b/SOURCES/0145-s4-torture-Remove-calls-to-gnutls_global_-de-init-in.patch deleted file mode 100644 index 0216ac8..0000000 --- a/SOURCES/0145-s4-torture-Remove-calls-to-gnutls_global_-de-init-in.patch +++ /dev/null 
@@ -1,238 +0,0 @@ -From 080c82dfa589f72f72f84e761adeb91e0b112072 Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Wed, 13 Nov 2019 14:01:46 +0100 -Subject: [PATCH 145/187] s4:torture: Remove calls to gnutls_global_(de)init() - in backupkey test - -This is handled by the gnutls library constructor/destructor. - -Signed-off-by: Andreas Schneider -Reviewed-by: Andrew Bartlett -(cherry picked from commit fbfb11b0f7ebd69cc4b1b545b398a367720d5473) ---- - source4/torture/rpc/backupkey.c | 48 --------------------------------- - 1 file changed, 48 deletions(-) - -diff --git a/source4/torture/rpc/backupkey.c b/source4/torture/rpc/backupkey.c -index b955f933430..284488f84ea 100644 ---- a/source4/torture/rpc/backupkey.c -+++ b/source4/torture/rpc/backupkey.c -@@ -834,8 +834,6 @@ static bool test_RestoreGUID_ko(struct torture_context *tctx, - enum dcerpc_AuthType auth_type; - enum dcerpc_AuthLevel auth_level; - -- gnutls_global_init(); -- - dcerpc_binding_handle_auth_info(b, &auth_type, &auth_level); - - if (auth_level == DCERPC_AUTH_LEVEL_PRIVACY) { -@@ -853,8 +851,6 @@ static bool test_RestoreGUID_ko(struct torture_context *tctx, - NT_STATUS_ACCESS_DENIED, "Get GUID"); - } - -- gnutls_global_deinit(); -- - return true; - } - -@@ -868,8 +864,6 @@ static bool test_RestoreGUID_wrongversion(struct torture_context *tctx, - enum dcerpc_AuthType auth_type; - enum dcerpc_AuthLevel auth_level; - -- gnutls_global_init(); -- - dcerpc_binding_handle_auth_info(b, &auth_type, &auth_level); - - if (auth_level == DCERPC_AUTH_LEVEL_PRIVACY) { -@@ -887,8 +881,6 @@ static bool test_RestoreGUID_wrongversion(struct torture_context *tctx, - NT_STATUS_ACCESS_DENIED, "Get GUID"); - } - -- gnutls_global_deinit(); -- - return true; - } - -@@ -902,8 +894,6 @@ static bool test_RestoreGUID_wronguser(struct torture_context *tctx, - enum dcerpc_AuthType auth_type; - enum dcerpc_AuthLevel auth_level; - -- gnutls_global_init(); -- - dcerpc_binding_handle_auth_info(b, &auth_type, &auth_level); - - if 
(auth_level == DCERPC_AUTH_LEVEL_PRIVACY) { -@@ -921,8 +911,6 @@ static bool test_RestoreGUID_wronguser(struct torture_context *tctx, - NT_STATUS_ACCESS_DENIED, "Get GUID"); - } - -- gnutls_global_deinit(); -- - return true; - } - -@@ -936,8 +924,6 @@ static bool test_RestoreGUID_v3(struct torture_context *tctx, - enum dcerpc_AuthType auth_type; - enum dcerpc_AuthLevel auth_level; - -- gnutls_global_init(); -- - dcerpc_binding_handle_auth_info(b, &auth_type, &auth_level); - - if (auth_level == DCERPC_AUTH_LEVEL_PRIVACY) { -@@ -956,8 +942,6 @@ static bool test_RestoreGUID_v3(struct torture_context *tctx, - NT_STATUS_ACCESS_DENIED, "Get GUID"); - } - -- gnutls_global_deinit(); -- - return true; - } - -@@ -970,8 +954,6 @@ static bool test_RestoreGUID(struct torture_context *tctx, - enum dcerpc_AuthType auth_type; - enum dcerpc_AuthLevel auth_level; - -- gnutls_global_init(); -- - dcerpc_binding_handle_auth_info(b, &auth_type, &auth_level); - - if (auth_level == DCERPC_AUTH_LEVEL_PRIVACY) { -@@ -993,8 +975,6 @@ static bool test_RestoreGUID(struct torture_context *tctx, - NT_STATUS_ACCESS_DENIED, "Get GUID"); - } - -- gnutls_global_deinit(); -- - return true; - } - -@@ -1008,8 +988,6 @@ static bool test_RestoreGUID_badmagiconsecret(struct torture_context *tctx, - enum dcerpc_AuthType auth_type; - enum dcerpc_AuthLevel auth_level; - -- gnutls_global_init(); -- - dcerpc_binding_handle_auth_info(b, &auth_type, &auth_level); - - if (auth_level == DCERPC_AUTH_LEVEL_PRIVACY) { -@@ -1027,8 +1005,6 @@ static bool test_RestoreGUID_badmagiconsecret(struct torture_context *tctx, - NT_STATUS_ACCESS_DENIED, "Get GUID"); - } - -- gnutls_global_deinit(); -- - return true; - } - -@@ -1040,8 +1016,6 @@ static bool test_RestoreGUID_emptyrequest(struct torture_context *tctx, - enum dcerpc_AuthType auth_type; - enum dcerpc_AuthLevel auth_level; - -- gnutls_global_init(); -- - dcerpc_binding_handle_auth_info(b, &auth_type, &auth_level); - - if (auth_level == DCERPC_AUTH_LEVEL_PRIVACY) { -@@ 
-1061,8 +1035,6 @@ static bool test_RestoreGUID_emptyrequest(struct torture_context *tctx, - NT_STATUS_ACCESS_DENIED, "Get GUID"); - } - -- gnutls_global_deinit(); -- - return true; - } - -@@ -1076,8 +1048,6 @@ static bool test_RestoreGUID_badcertguid(struct torture_context *tctx, - enum dcerpc_AuthType auth_type; - enum dcerpc_AuthLevel auth_level; - -- gnutls_global_init(); -- - dcerpc_binding_handle_auth_info(b, &auth_type, &auth_level); - - if (auth_level == DCERPC_AUTH_LEVEL_PRIVACY) { -@@ -1102,8 +1072,6 @@ static bool test_RestoreGUID_badcertguid(struct torture_context *tctx, - NT_STATUS_ACCESS_DENIED, "Get GUID"); - } - -- gnutls_global_deinit(); -- - return true; - } - -@@ -1117,8 +1085,6 @@ static bool test_RestoreGUID_badmagicaccesscheck(struct torture_context *tctx, - enum dcerpc_AuthType auth_type; - enum dcerpc_AuthLevel auth_level; - -- gnutls_global_init(); -- - dcerpc_binding_handle_auth_info(b, &auth_type, &auth_level); - - if (auth_level == DCERPC_AUTH_LEVEL_PRIVACY) { -@@ -1136,8 +1102,6 @@ static bool test_RestoreGUID_badmagicaccesscheck(struct torture_context *tctx, - NT_STATUS_ACCESS_DENIED, "Get GUID"); - } - -- gnutls_global_deinit(); -- - return true; - } - -@@ -1151,8 +1115,6 @@ static bool test_RestoreGUID_badhashaccesscheck(struct torture_context *tctx, - enum dcerpc_AuthType auth_type; - enum dcerpc_AuthLevel auth_level; - -- gnutls_global_init(); -- - dcerpc_binding_handle_auth_info(b, &auth_type, &auth_level); - - if (auth_level == DCERPC_AUTH_LEVEL_PRIVACY) { -@@ -1170,8 +1132,6 @@ static bool test_RestoreGUID_badhashaccesscheck(struct torture_context *tctx, - NT_STATUS_ACCESS_DENIED, "Get GUID"); - } - -- gnutls_global_init(); -- - return true; - } - -@@ -1187,8 +1147,6 @@ static bool test_RetrieveBackupKeyGUID_validate(struct torture_context *tctx, - enum dcerpc_AuthType auth_type; - enum dcerpc_AuthLevel auth_level; - -- gnutls_global_init(); -- - torture_assert(tctx, r != NULL, "test_RetrieveBackupKeyGUID_validate failed"); - - 
if (r == NULL) { -@@ -1376,8 +1334,6 @@ static bool test_RetrieveBackupKeyGUID_validate(struct torture_context *tctx, - "Get GUID"); - } - -- gnutls_global_deinit(); -- - return true; - } - -@@ -2091,8 +2047,6 @@ static bool test_ServerWrap_decrypt_wrong_stuff(struct torture_context *tctx, - enum dcerpc_AuthLevel auth_level; - ZERO_STRUCT(r); - -- gnutls_global_init(); -- - dcerpc_binding_handle_auth_info(b, &auth_type, &auth_level); - - /* Encrypt */ -@@ -2268,8 +2222,6 @@ static bool test_ServerWrap_decrypt_wrong_stuff(struct torture_context *tctx, - "decrypt should fail with WERR_INVALID_PARAMETER"); - } - -- gnutls_global_deinit(); -- - return true; - } - --- -2.23.0 - diff --git a/SOURCES/0146-libcli-auth-Check-return-value-of-netlogon_creds_ini.patch b/SOURCES/0146-libcli-auth-Check-return-value-of-netlogon_creds_ini.patch deleted file mode 100644 index 7f82a61..0000000 --- a/SOURCES/0146-libcli-auth-Check-return-value-of-netlogon_creds_ini.patch +++ /dev/null 
@@ -1,57 +0,0 @@ -From 8075ae29c9e3e0af99f035883f4ddc545d5e328b Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Wed, 13 Nov 2019 09:39:19 +0100 -Subject: [PATCH 146/187] libcli:auth: Check return value of - netlogon_creds_init_128bit() - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14195 - -Signed-off-by: Andreas Schneider -Reviewed-by: Andrew Bartlett -(cherry picked from commit 2c21cd6d49d56611acb2f364473d8c2e73e74545) ---- - libcli/auth/credentials.c | 14 ++++++++++---- - 1 file changed, 10 insertions(+), 4 deletions(-) - -diff --git a/libcli/auth/credentials.c b/libcli/auth/credentials.c -index baa436df71b..1c01930a9d9 100644 ---- a/libcli/auth/credentials.c -+++ b/libcli/auth/credentials.c -@@ -580,6 +580,8 @@ struct netlogon_creds_CredentialState *netlogon_creds_server_init(TALLOC_CTX *me - { - - struct netlogon_creds_CredentialState *creds = talloc_zero(mem_ctx, struct netlogon_creds_CredentialState); -+ NTSTATUS status; -+ - - if (!creds) { - return NULL; -@@ -604,8 +606,6 @@ struct netlogon_creds_CredentialState *netlogon_creds_server_init(TALLOC_CTX *me - } - - if (negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) { -- NTSTATUS status; -- - status = netlogon_creds_init_hmac_sha256(creds, - client_challenge, - server_challenge, -@@ -615,8 +615,14 @@ struct netlogon_creds_CredentialState *netlogon_creds_server_init(TALLOC_CTX *me - return NULL; - } - } else if (negotiate_flags & NETLOGON_NEG_STRONG_KEYS) { -- netlogon_creds_init_128bit(creds, client_challenge, server_challenge, -- machine_password); -+ status = netlogon_creds_init_128bit(creds, -+ client_challenge, -+ server_challenge, -+ machine_password); -+ if (!NT_STATUS_IS_OK(status)) { -+ talloc_free(creds); -+ return NULL; -+ } - } else { - netlogon_creds_init_64bit(creds, client_challenge, server_challenge, - machine_password); --- -2.23.0 - 
diff --git a/SOURCES/0147-libcli-auth-Check-return-status-of-netlogon_creds_in.patch b/SOURCES/0147-libcli-auth-Check-return-status-of-netlogon_creds_in.patch deleted file mode 100644 index 5f54c79..0000000 --- a/SOURCES/0147-libcli-auth-Check-return-status-of-netlogon_creds_in.patch +++ /dev/null 
@@ -1,79 +0,0 @@ -From 7ebffca28d3caa496e36467618f80725e8864efe Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Wed, 13 Nov 2019 09:41:18 +0100 -Subject: [PATCH 147/187] libcli:auth: Check return status of - netlogon_creds_init_64bit() - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14195 - -Signed-off-by: Andreas Schneider -Reviewed-by: Andrew Bartlett -(cherry picked from commit e4ae1ba451d408b3b5c74d303493cb7c38e6e1c8) ---- - libcli/auth/credentials.c | 29 ++++++++++++++++++++++------- - 1 file changed, 22 insertions(+), 7 deletions(-) - -diff --git a/libcli/auth/credentials.c b/libcli/auth/credentials.c -index 1c01930a9d9..36d0368d198 100644 ---- a/libcli/auth/credentials.c -+++ b/libcli/auth/credentials.c -@@ -51,10 +51,10 @@ static void netlogon_creds_step_crypt(struct netlogon_creds_CredentialState *cre - - this call is made after the netr_ServerReqChallenge call - */ --static void netlogon_creds_init_64bit(struct netlogon_creds_CredentialState *creds, -- const struct netr_Credential *client_challenge, -- const struct netr_Credential *server_challenge, -- const struct samr_Password *machine_password) -+static NTSTATUS netlogon_creds_init_64bit(struct netlogon_creds_CredentialState *creds, -+ const struct netr_Credential *client_challenge, -+ const struct netr_Credential *server_challenge, -+ const struct samr_Password *machine_password) - { - uint32_t sum[2]; - uint8_t sum2[8]; -@@ -68,6 +68,8 @@ static void netlogon_creds_init_64bit(struct netlogon_creds_CredentialState *cre - ZERO_ARRAY(creds->session_key); - - des_crypt128(creds->session_key, sum2, machine_password->hash); -+ -+ return NT_STATUS_OK; - } - - /* -@@ -458,7 +460,14 @@ struct netlogon_creds_CredentialState *netlogon_creds_client_init(TALLOC_CTX *me - return NULL; - } - } else { -- netlogon_creds_init_64bit(creds, client_challenge, server_challenge, machine_password); -+ status = netlogon_creds_init_64bit(creds, -+ client_challenge, -+ server_challenge, -+ machine_password); -+ if 
(!NT_STATUS_IS_OK(status)) { -+ talloc_free(creds); -+ return NULL; -+ } - } - - netlogon_creds_first_step(creds, client_challenge, server_challenge); -@@ -624,8 +633,14 @@ struct netlogon_creds_CredentialState *netlogon_creds_server_init(TALLOC_CTX *me - return NULL; - } - } else { -- netlogon_creds_init_64bit(creds, client_challenge, server_challenge, -- machine_password); -+ status = netlogon_creds_init_64bit(creds, -+ client_challenge, -+ server_challenge, -+ machine_password); -+ if (!NT_STATUS_IS_OK(status)) { -+ talloc_free(creds); -+ return NULL; -+ } - } - - netlogon_creds_first_step(creds, client_challenge, server_challenge); --- -2.23.0 - diff --git a/SOURCES/0148-libcli-auth-Check-return-status-of-netlogon_creds_fi.patch b/SOURCES/0148-libcli-auth-Check-return-status-of-netlogon_creds_fi.patch deleted file mode 100644 index b92a54d..0000000 --- a/SOURCES/0148-libcli-auth-Check-return-status-of-netlogon_creds_fi.patch +++ /dev/null 
@@ -1,73 +0,0 @@ -From 86c2e733c461f0311eac38eb5cef1eb245aa584c Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Wed, 13 Nov 2019 09:44:32 +0100 -Subject: [PATCH 148/187] libcli:auth: Check return status of - netlogon_creds_first_step() - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14195 - -Signed-off-by: Andreas Schneider -Reviewed-by: Andrew Bartlett -(cherry picked from commit 0ed92e3e60684bfb02b01479d985535d525a5be5) ---- - libcli/auth/credentials.c | 24 +++++++++++++++++++----- - 1 file changed, 19 insertions(+), 5 deletions(-) - -diff --git a/libcli/auth/credentials.c b/libcli/auth/credentials.c -index 36d0368d198..359ba8c4b90 100644 ---- a/libcli/auth/credentials.c -+++ b/libcli/auth/credentials.c -@@ -174,15 +174,17 @@ static NTSTATUS netlogon_creds_init_hmac_sha256(struct netlogon_creds_Credential - return NT_STATUS_OK; - } - --static void netlogon_creds_first_step(struct netlogon_creds_CredentialState *creds, -- const struct netr_Credential *client_challenge, -- const struct netr_Credential *server_challenge) -+static NTSTATUS netlogon_creds_first_step(struct netlogon_creds_CredentialState *creds, -+ const struct netr_Credential *client_challenge, -+ const struct netr_Credential *server_challenge) - { - netlogon_creds_step_crypt(creds, client_challenge, &creds->client); - - netlogon_creds_step_crypt(creds, server_challenge, &creds->server); - - creds->seed = creds->client; -+ -+ return NT_STATUS_OK; - } - - /* -@@ -470,7 +472,13 @@ struct netlogon_creds_CredentialState *netlogon_creds_client_init(TALLOC_CTX *me - } - } - -- netlogon_creds_first_step(creds, client_challenge, server_challenge); -+ status = netlogon_creds_first_step(creds, -+ client_challenge, -+ server_challenge); -+ if (!NT_STATUS_IS_OK(status)) { -+ talloc_free(creds); -+ return NULL; -+ } - - dump_data_pw("Session key", creds->session_key, 16); - dump_data_pw("Credential ", creds->client.data, 8); -@@ -643,7 +651,13 @@ struct netlogon_creds_CredentialState 
*netlogon_creds_server_init(TALLOC_CTX *me - } - } - -- netlogon_creds_first_step(creds, client_challenge, server_challenge); -+ status = netlogon_creds_first_step(creds, -+ client_challenge, -+ server_challenge); -+ if (!NT_STATUS_IS_OK(status)) { -+ talloc_free(creds); -+ return NULL; -+ } - - dump_data_pw("Session key", creds->session_key, 16); - dump_data_pw("Client Credential ", creds->client.data, 8); --- -2.23.0 - diff --git a/SOURCES/0149-libcli-auth-Return-NTSTATUS-for-netlogon_creds_clien.patch b/SOURCES/0149-libcli-auth-Return-NTSTATUS-for-netlogon_creds_clien.patch deleted file mode 100644 index 0a352c6..0000000 --- a/SOURCES/0149-libcli-auth-Return-NTSTATUS-for-netlogon_creds_clien.patch +++ /dev/null 
@@ -1,60 +0,0 @@ -From d5b5b280fefca55a96456b9348b20b78a36fc227 Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Wed, 13 Nov 2019 09:52:53 +0100 -Subject: [PATCH 149/187] libcli:auth: Return NTSTATUS for - netlogon_creds_client_authenticator() - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14195 - -Signed-off-by: Andreas Schneider -Reviewed-by: Andrew Bartlett -(cherry picked from commit 7c7dc855ba982a37cb5040752ca473aab3446d6c) ---- - libcli/auth/credentials.c | 7 +++++-- - libcli/auth/proto.h | 5 +++-- - 2 files changed, 8 insertions(+), 4 deletions(-) - -diff --git a/libcli/auth/credentials.c b/libcli/auth/credentials.c -index 359ba8c4b90..e5bf2c4703c 100644 ---- a/libcli/auth/credentials.c -+++ b/libcli/auth/credentials.c -@@ -513,8 +513,9 @@ struct netlogon_creds_CredentialState *netlogon_creds_client_init_session_key(TA - produce the next authenticator in the sequence ready to send to - the server - */ --void netlogon_creds_client_authenticator(struct netlogon_creds_CredentialState *creds, -- struct netr_Authenticator *next) -+NTSTATUS -+netlogon_creds_client_authenticator(struct netlogon_creds_CredentialState *creds, -+ struct netr_Authenticator *next) - { - uint32_t t32n = (uint32_t)time(NULL); - -@@ -543,6 +544,8 @@ void netlogon_creds_client_authenticator(struct netlogon_creds_CredentialState * - - next->cred = creds->client; - next->timestamp = creds->sequence; -+ -+ return NT_STATUS_OK; - } - - /* -diff --git a/libcli/auth/proto.h b/libcli/auth/proto.h -index 52a33d8d457..eef1c8dc095 100644 ---- a/libcli/auth/proto.h -+++ b/libcli/auth/proto.h -@@ -40,8 +40,9 @@ struct netlogon_creds_CredentialState *netlogon_creds_client_init(TALLOC_CTX *me - uint32_t negotiate_flags); - struct netlogon_creds_CredentialState *netlogon_creds_client_init_session_key(TALLOC_CTX *mem_ctx, - const uint8_t session_key[16]); --void netlogon_creds_client_authenticator(struct netlogon_creds_CredentialState *creds, -- struct netr_Authenticator *next); -+NTSTATUS 
-+netlogon_creds_client_authenticator(struct netlogon_creds_CredentialState *creds, -+ struct netr_Authenticator *next); - bool netlogon_creds_client_check(struct netlogon_creds_CredentialState *creds, - const struct netr_Credential *received_credentials); - struct netlogon_creds_CredentialState *netlogon_creds_copy( --- -2.23.0 - diff --git a/SOURCES/0150-auth-pycreds-Check-return-code-of-netlogon_creds_cli.patch b/SOURCES/0150-auth-pycreds-Check-return-code-of-netlogon_creds_cli.patch deleted file mode 100644 index 5e8888e..0000000 --- a/SOURCES/0150-auth-pycreds-Check-return-code-of-netlogon_creds_cli.patch +++ /dev/null 
@@ -1,47 +0,0 @@ -From 0e97b1a6d9e46a3810d89bd6bcb863eded30399a Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Wed, 13 Nov 2019 10:06:20 +0100 -Subject: [PATCH 150/187] auth:pycreds: Check return code of - netlogon_creds_client_authenticator() - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14195 - -Signed-off-by: Andreas Schneider -Reviewed-by: Andrew Bartlett -(cherry picked from commit d3fffca5e9ab45b43fa3f460ad6051356c9a00a9) ---- - auth/credentials/pycredentials.c | 11 ++++++++--- - 1 file changed, 8 insertions(+), 3 deletions(-) - -diff --git a/auth/credentials/pycredentials.c b/auth/credentials/pycredentials.c -index 1aef16a0145..84407314d48 100644 ---- a/auth/credentials/pycredentials.c -+++ b/auth/credentials/pycredentials.c -@@ -644,6 +644,7 @@ static PyObject *py_creds_new_client_authenticator(PyObject *self, - struct cli_credentials *creds = NULL; - struct netlogon_creds_CredentialState *nc = NULL; - PyObject *ret = NULL; -+ NTSTATUS status; - - creds = PyCredentials_AsCliCredentials(self); - if (creds == NULL) { -@@ -660,9 +661,13 @@ static PyObject *py_creds_new_client_authenticator(PyObject *self, - return NULL; - } - -- netlogon_creds_client_authenticator( -- nc, -- &auth); -+ status = netlogon_creds_client_authenticator(nc, &auth); -+ if (!NT_STATUS_IS_OK(status)) { -+ PyErr_SetString(PyExc_ValueError, -+ "Failed to create client authenticator"); -+ return NULL; -+ } -+ - ret = Py_BuildValue("{s"PYARG_BYTES_LEN"si}", - "credential", - (const char *) &auth.cred, sizeof(auth.cred), --- -2.23.0 - diff --git a/SOURCES/0151-libcli-auth-Check-return-code-of-netlogon_creds_clie.patch b/SOURCES/0151-libcli-auth-Check-return-code-of-netlogon_creds_clie.patch deleted file mode 100644 index e432af1..0000000 --- a/SOURCES/0151-libcli-auth-Check-return-code-of-netlogon_creds_clie.patch +++ /dev/null 
@@ -1,120 +0,0 @@ -From bf554cd1d46a4e2955f5dad40f08f8e574760bde Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Wed, 13 Nov 2019 10:06:20 +0100 -Subject: [PATCH 151/187] libcli:auth: Check return code of - netlogon_creds_client_authenticator() - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14195 - -Signed-off-by: Andreas Schneider -Reviewed-by: Andrew Bartlett -(cherry picked from commit 0906848936c410f49b26f7688df7ce1a0e1097f5) ---- - libcli/auth/netlogon_creds_cli.c | 49 +++++++++++++++++++++++--------- - 1 file changed, 36 insertions(+), 13 deletions(-) - -diff --git a/libcli/auth/netlogon_creds_cli.c b/libcli/auth/netlogon_creds_cli.c -index 50a5f50a57d..2123862dbd2 100644 ---- a/libcli/auth/netlogon_creds_cli.c -+++ b/libcli/auth/netlogon_creds_cli.c -@@ -1547,7 +1547,11 @@ struct tevent_req *netlogon_creds_cli_check_send(TALLOC_CTX *mem_ctx, - */ - tevent_req_defer_callback(req, state->ev); - -- netlogon_creds_client_authenticator(state->creds, &state->req_auth); -+ status = netlogon_creds_client_authenticator(state->creds, -+ &state->req_auth); -+ if (tevent_req_nterror(req, status)) { -+ return tevent_req_post(req, ev); -+ } - ZERO_STRUCT(state->rep_auth); - - subreq = dcerpc_netr_LogonGetCapabilities_send(state, state->ev, -@@ -1981,8 +1985,11 @@ static void netlogon_creds_cli_ServerPasswordSet_locked(struct tevent_req *subre - tevent_req_defer_callback(req, state->ev); - - state->tmp_creds = *state->creds; -- netlogon_creds_client_authenticator(&state->tmp_creds, -- &state->req_auth); -+ status = netlogon_creds_client_authenticator(&state->tmp_creds, -+ &state->req_auth); -+ if (tevent_req_nterror(req, status)) { -+ return; -+ } - ZERO_STRUCT(state->rep_auth); - - if (state->tmp_creds.negotiate_flags & NETLOGON_NEG_PASSWORD_SET2) { -@@ -2416,8 +2423,12 @@ static void netlogon_creds_cli_LogonSamLogon_start(struct tevent_req *req) - } - - state->tmp_creds = *state->lk_creds; -- netlogon_creds_client_authenticator(&state->tmp_creds, -- 
&state->req_auth); -+ status = netlogon_creds_client_authenticator(&state->tmp_creds, -+ &state->req_auth); -+ if (tevent_req_nterror(req, status)) { -+ netlogon_creds_cli_LogonSamLogon_cleanup(req, status); -+ return; -+ } - ZERO_STRUCT(state->rep_auth); - - state->logon = netlogon_creds_shallow_copy_logon(state, -@@ -2848,8 +2859,11 @@ static void netlogon_creds_cli_DsrUpdateReadOnlyServerDnsRecords_locked(struct t - tevent_req_defer_callback(req, state->ev); - - state->tmp_creds = *state->creds; -- netlogon_creds_client_authenticator(&state->tmp_creds, -- &state->req_auth); -+ status = netlogon_creds_client_authenticator(&state->tmp_creds, -+ &state->req_auth); -+ if (tevent_req_nterror(req, status)) { -+ return; -+ } - ZERO_STRUCT(state->rep_auth); - - subreq = dcerpc_netr_DsrUpdateReadOnlyServerDnsRecords_send(state, state->ev, -@@ -3100,8 +3114,11 @@ static void netlogon_creds_cli_ServerGetTrustInfo_locked(struct tevent_req *subr - tevent_req_defer_callback(req, state->ev); - - state->tmp_creds = *state->creds; -- netlogon_creds_client_authenticator(&state->tmp_creds, -- &state->req_auth); -+ status = netlogon_creds_client_authenticator(&state->tmp_creds, -+ &state->req_auth); -+ if (tevent_req_nterror(req, status)) { -+ return; -+ } - ZERO_STRUCT(state->rep_auth); - - subreq = dcerpc_netr_ServerGetTrustInfo_send(state, state->ev, -@@ -3402,8 +3419,11 @@ static void netlogon_creds_cli_GetForestTrustInformation_locked(struct tevent_re - tevent_req_defer_callback(req, state->ev); - - state->tmp_creds = *state->creds; -- netlogon_creds_client_authenticator(&state->tmp_creds, -- &state->req_auth); -+ status = netlogon_creds_client_authenticator(&state->tmp_creds, -+ &state->req_auth); -+ if (tevent_req_nterror(req, status)) { -+ return; -+ } - ZERO_STRUCT(state->rep_auth); - - subreq = dcerpc_netr_GetForestTrustInformation_send(state, state->ev, -@@ -3680,8 +3700,11 @@ static void netlogon_creds_cli_SendToSam_locked(struct tevent_req *subreq) - 
tevent_req_defer_callback(req, state->ev); - - state->tmp_creds = *state->creds; -- netlogon_creds_client_authenticator(&state->tmp_creds, -- &state->req_auth); -+ status = netlogon_creds_client_authenticator(&state->tmp_creds, -+ &state->req_auth); -+ if (tevent_req_nterror(req, status)) { -+ return; -+ } - ZERO_STRUCT(state->rep_auth); - - if (state->tmp_creds.negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) { --- -2.23.0 - diff --git a/SOURCES/0152-s4-librpc-Check-return-code-of-netlogon_creds_client.patch b/SOURCES/0152-s4-librpc-Check-return-code-of-netlogon_creds_client.patch deleted file mode 100644 index c11b392..0000000 --- a/SOURCES/0152-s4-librpc-Check-return-code-of-netlogon_creds_client.patch +++ /dev/null 
@@ -1,40 +0,0 @@ -From 499521611bdba1bd17104bfc9b15bb029ad60c19 Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Wed, 13 Nov 2019 10:06:20 +0100 -Subject: [PATCH 152/187] s4:librpc: Check return code of - netlogon_creds_client_authenticator() - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14195 - -Signed-off-by: Andreas Schneider -Reviewed-by: Andrew Bartlett -(cherry picked from commit a64a5b7e17d80a4363774d4e35d3ee676ecf426d) ---- - source4/librpc/rpc/dcerpc_schannel.c | 8 +++++++- - 1 file changed, 7 insertions(+), 1 deletion(-) - -diff --git a/source4/librpc/rpc/dcerpc_schannel.c b/source4/librpc/rpc/dcerpc_schannel.c -index 36edf4b95d7..d12647222eb 100644 ---- a/source4/librpc/rpc/dcerpc_schannel.c -+++ b/source4/librpc/rpc/dcerpc_schannel.c -@@ -456,10 +456,16 @@ static void continue_bind_auth(struct composite_context *ctx) - /* if we have a AES encrypted connection, verify the capabilities */ - if (ndr_syntax_id_equal(&s->table->syntax_id, - &ndr_table_netlogon.syntax_id)) { -+ NTSTATUS status; - ZERO_STRUCT(s->return_auth); - - s->save_creds_state = *s->creds_state; -- netlogon_creds_client_authenticator(&s->save_creds_state, &s->auth); -+ status = netlogon_creds_client_authenticator(&s->save_creds_state, -+ &s->auth); -+ if (!NT_STATUS_IS_OK(status)) { -+ composite_error(c, status); -+ return; -+ } - - s->c.in.server_name = talloc_asprintf(c, - "\\\\%s", --- -2.23.0 - diff --git a/SOURCES/0153-libcli-auth-Check-return-code-of-netlogon_creds_step.patch b/SOURCES/0153-libcli-auth-Check-return-code-of-netlogon_creds_step.patch deleted file mode 100644 index f7b6fb9..0000000 --- a/SOURCES/0153-libcli-auth-Check-return-code-of-netlogon_creds_step.patch +++ /dev/null 
@@ -1,86 +0,0 @@ -From 13601560c9b48466b70ad577ebab245fea1f50b5 Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Wed, 13 Nov 2019 10:12:41 +0100 -Subject: [PATCH 153/187] libcli:auth: Check return code of - netlogon_creds_step() - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14195 - -Signed-off-by: Andreas Schneider -Reviewed-by: Andrew Bartlett -(cherry picked from commit 05f59cbcf803d57ab41b4c7fa4f81da50cd02cd6) ---- - libcli/auth/credentials.c | 20 +++++++++++++++++--- - 1 file changed, 17 insertions(+), 3 deletions(-) - -diff --git a/libcli/auth/credentials.c b/libcli/auth/credentials.c -index e5bf2c4703c..3dd50a11bce 100644 ---- a/libcli/auth/credentials.c -+++ b/libcli/auth/credentials.c -@@ -191,9 +191,10 @@ static NTSTATUS netlogon_creds_first_step(struct netlogon_creds_CredentialState - step the credentials to the next element in the chain, updating the - current client and server credentials and the seed - */ --static void netlogon_creds_step(struct netlogon_creds_CredentialState *creds) -+static NTSTATUS netlogon_creds_step(struct netlogon_creds_CredentialState *creds) - { - struct netr_Credential time_cred; -+ NTSTATUS status; - - DEBUG(5,("\tseed %08x:%08x\n", - IVAL(creds->seed.data, 0), IVAL(creds->seed.data, 4))); -@@ -220,6 +221,8 @@ static void netlogon_creds_step(struct netlogon_creds_CredentialState *creds) - IVAL(creds->server.data, 0), IVAL(creds->server.data, 4))); - - creds->seed = time_cred; -+ -+ return NT_STATUS_OK; - } - - -@@ -518,6 +521,7 @@ netlogon_creds_client_authenticator(struct netlogon_creds_CredentialState *creds - struct netr_Authenticator *next) - { - uint32_t t32n = (uint32_t)time(NULL); -+ NTSTATUS status; - - /* - * we always increment and ignore an overflow here -@@ -540,7 +544,10 @@ netlogon_creds_client_authenticator(struct netlogon_creds_CredentialState *creds - } - } - -- netlogon_creds_step(creds); -+ status = netlogon_creds_step(creds); -+ if (!NT_STATUS_IS_OK(status)) { -+ return status; -+ } - - 
next->cred = creds->client; - next->timestamp = creds->sequence; -@@ -686,6 +693,8 @@ NTSTATUS netlogon_creds_server_step_check(struct netlogon_creds_CredentialState - const struct netr_Authenticator *received_authenticator, - struct netr_Authenticator *return_authenticator) - { -+ NTSTATUS status; -+ - if (!received_authenticator || !return_authenticator) { - return NT_STATUS_INVALID_PARAMETER; - } -@@ -695,7 +704,12 @@ NTSTATUS netlogon_creds_server_step_check(struct netlogon_creds_CredentialState - } - - creds->sequence = received_authenticator->timestamp; -- netlogon_creds_step(creds); -+ status = netlogon_creds_step(creds); -+ if (!NT_STATUS_IS_OK(status)) { -+ ZERO_STRUCTP(return_authenticator); -+ return status; -+ } -+ - if (netlogon_creds_server_check_internal(creds, &received_authenticator->cred)) { - return_authenticator->cred = creds->server; - return_authenticator->timestamp = 0; --- -2.23.0 - diff --git a/SOURCES/0154-libcli-auth-Check-return-code-of-netlogon_creds_step.patch b/SOURCES/0154-libcli-auth-Check-return-code-of-netlogon_creds_step.patch deleted file mode 100644 index 7d9c111..0000000 --- a/SOURCES/0154-libcli-auth-Check-return-code-of-netlogon_creds_step.patch +++ /dev/null 
@@ -1,94 +0,0 @@ -From 760fc5d0b41a6c12c79f19ec2834925cbd651b80 Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Wed, 13 Nov 2019 10:13:53 +0100 -Subject: [PATCH 154/187] libcli:auth: Check return code of - netlogon_creds_step_crypt() - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14195 - -Signed-off-by: Andreas Schneider -Reviewed-by: Andrew Bartlett -(cherry picked from commit 32e75bb4cca994af80bb8440009446e4a0ff5d40) ---- - libcli/auth/credentials.c | 36 +++++++++++++++++++++++++++++------- - 1 file changed, 29 insertions(+), 7 deletions(-) - -diff --git a/libcli/auth/credentials.c b/libcli/auth/credentials.c -index 3dd50a11bce..c78f2012bf2 100644 ---- a/libcli/auth/credentials.c -+++ b/libcli/auth/credentials.c -@@ -33,9 +33,9 @@ - #include - #include - --static void netlogon_creds_step_crypt(struct netlogon_creds_CredentialState *creds, -- const struct netr_Credential *in, -- struct netr_Credential *out) -+static NTSTATUS netlogon_creds_step_crypt(struct netlogon_creds_CredentialState *creds, -+ const struct netr_Credential *in, -+ struct netr_Credential *out) - { - if (creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) { - memcpy(out->data, in->data, sizeof(out->data)); -@@ -44,6 +44,8 @@ static void netlogon_creds_step_crypt(struct netlogon_creds_CredentialState *cre - } else { - des_crypt112(out->data, in->data, creds->session_key, 1); - } -+ -+ return NT_STATUS_OK; - } - - /* -@@ -178,9 +180,21 @@ static NTSTATUS netlogon_creds_first_step(struct netlogon_creds_CredentialState - const struct netr_Credential *client_challenge, - const struct netr_Credential *server_challenge) - { -- netlogon_creds_step_crypt(creds, client_challenge, &creds->client); -+ NTSTATUS status; - -- netlogon_creds_step_crypt(creds, server_challenge, &creds->server); -+ status = netlogon_creds_step_crypt(creds, -+ client_challenge, -+ &creds->client); -+ if (!NT_STATUS_IS_OK(status)) { -+ return status; -+ } -+ -+ status = netlogon_creds_step_crypt(creds, -+ 
server_challenge, -+ &creds->server); -+ if (!NT_STATUS_IS_OK(status)) { -+ return status; -+ } - - creds->seed = creds->client; - -@@ -204,7 +218,12 @@ static NTSTATUS netlogon_creds_step(struct netlogon_creds_CredentialState *creds - - DEBUG(5,("\tseed+time %08x:%08x\n", IVAL(time_cred.data, 0), IVAL(time_cred.data, 4))); - -- netlogon_creds_step_crypt(creds, &time_cred, &creds->client); -+ status = netlogon_creds_step_crypt(creds, -+ &time_cred, -+ &creds->client); -+ if (!NT_STATUS_IS_OK(status)) { -+ return status; -+ } - - DEBUG(5,("\tCLIENT %08x:%08x\n", - IVAL(creds->client.data, 0), IVAL(creds->client.data, 4))); -@@ -215,7 +234,10 @@ static NTSTATUS netlogon_creds_step(struct netlogon_creds_CredentialState *creds - DEBUG(5,("\tseed+time+1 %08x:%08x\n", - IVAL(time_cred.data, 0), IVAL(time_cred.data, 4))); - -- netlogon_creds_step_crypt(creds, &time_cred, &creds->server); -+ status = netlogon_creds_step_crypt(creds, &time_cred, &creds->server); -+ if (!NT_STATUS_IS_OK(status)) { -+ return status; -+ } - - DEBUG(5,("\tSERVER %08x:%08x\n", - IVAL(creds->server.data, 0), IVAL(creds->server.data, 4))); --- -2.23.0 - diff --git a/SOURCES/0155-libcli-auth-Check-return-code-of-netlogon_creds_aes_.patch b/SOURCES/0155-libcli-auth-Check-return-code-of-netlogon_creds_aes_.patch deleted file mode 100644 index 31e9648..0000000 --- a/SOURCES/0155-libcli-auth-Check-return-code-of-netlogon_creds_aes_.patch +++ /dev/null 
@@ -1,83 +0,0 @@ -From 63820f4d509c10993de827bc99115f57151e8ef4 Mon Sep 17 00:00:00 2001 -From: Andrew Bartlett -Date: Thu, 14 Nov 2019 11:16:09 +1300 -Subject: [PATCH 155/187] libcli:auth Check return code of - netlogon_creds_aes_encrypt() - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14195 - -Signed-off-by: Andrew Bartlett -Reviewed-by: Andrew Bartlett - -Autobuild-User(master): Andreas Schneider -Autobuild-Date(master): Thu Nov 14 09:25:36 UTC 2019 on sn-devel-184 - -(cherry picked from commit 0361a26e395723296899c3d48cff86d532372710) ---- - libcli/auth/credentials.c | 8 +++++++- - libcli/auth/netlogon_creds_cli.c | 20 ++++++++++++++------ - 2 files changed, 21 insertions(+), 7 deletions(-) - -diff --git a/libcli/auth/credentials.c b/libcli/auth/credentials.c -index c78f2012bf2..f1088a1d8e0 100644 ---- a/libcli/auth/credentials.c -+++ b/libcli/auth/credentials.c -@@ -37,10 +37,16 @@ static NTSTATUS netlogon_creds_step_crypt(struct netlogon_creds_CredentialState - const struct netr_Credential *in, - struct netr_Credential *out) - { -+ NTSTATUS status; - if (creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) { - memcpy(out->data, in->data, sizeof(out->data)); - -- netlogon_creds_aes_encrypt(creds, out->data, sizeof(out->data)); -+ status = netlogon_creds_aes_encrypt(creds, -+ out->data, -+ sizeof(out->data)); -+ if (!NT_STATUS_IS_OK(status)) { -+ return status; -+ } - } else { - des_crypt112(out->data, in->data, creds->session_key, 1); - } -diff --git a/libcli/auth/netlogon_creds_cli.c b/libcli/auth/netlogon_creds_cli.c -index 2123862dbd2..0378f302ffa 100644 ---- a/libcli/auth/netlogon_creds_cli.c -+++ b/libcli/auth/netlogon_creds_cli.c -@@ -1995,9 +1995,13 @@ static void netlogon_creds_cli_ServerPasswordSet_locked(struct tevent_req *subre - if (state->tmp_creds.negotiate_flags & NETLOGON_NEG_PASSWORD_SET2) { - - if (state->tmp_creds.negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) { -- netlogon_creds_aes_encrypt(&state->tmp_creds, -- 
state->samr_crypt_password.data, -- 516); -+ status = netlogon_creds_aes_encrypt(&state->tmp_creds, -+ state->samr_crypt_password.data, -+ 516); -+ if (tevent_req_nterror(req, status)) { -+ netlogon_creds_cli_ServerPasswordSet_cleanup(req, status); -+ return; -+ } - } else { - status = netlogon_creds_arcfour_crypt(&state->tmp_creds, - state->samr_crypt_password.data, -@@ -3708,9 +3712,13 @@ static void netlogon_creds_cli_SendToSam_locked(struct tevent_req *subreq) - ZERO_STRUCT(state->rep_auth); - - if (state->tmp_creds.negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) { -- netlogon_creds_aes_encrypt(&state->tmp_creds, -- state->opaque.data, -- state->opaque.length); -+ status = netlogon_creds_aes_encrypt(&state->tmp_creds, -+ state->opaque.data, -+ state->opaque.length); -+ if (tevent_req_nterror(req, status)) { -+ netlogon_creds_cli_SendToSam_cleanup(req, status); -+ return; -+ } - } else { - status = netlogon_creds_arcfour_crypt(&state->tmp_creds, - state->opaque.data, --- -2.23.0 - diff --git a/SOURCES/0156-s3-rpc_server-Replace-E_md5hash-with-GnuTLS-calls.patch b/SOURCES/0156-s3-rpc_server-Replace-E_md5hash-with-GnuTLS-calls.patch deleted file mode 100644 index d8d7efb..0000000 --- a/SOURCES/0156-s3-rpc_server-Replace-E_md5hash-with-GnuTLS-calls.patch +++ /dev/null 
@@ -1,52 +0,0 @@ -From baf13627d2bc6ade8cb6c05c6ada027fde601844 Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Mon, 18 Nov 2019 10:21:06 +0100 -Subject: [PATCH 156/187] s3:rpc_server: Replace E_md5hash() with GnuTLS calls - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14195 - -Signed-off-by: Andreas Schneider -Reviewed-by: Andrew Bartlett -(cherry picked from commit a377214dce2e9d71f880949fe745d799c75f57a9) ---- - source3/rpc_server/samr/srv_samr_chgpasswd.c | 20 +++++++++++++++++++- - 1 file changed, 19 insertions(+), 1 deletion(-) - -diff --git a/source3/rpc_server/samr/srv_samr_chgpasswd.c b/source3/rpc_server/samr/srv_samr_chgpasswd.c -index fc509494ebc..8c9cf73bdd8 100644 ---- a/source3/rpc_server/samr/srv_samr_chgpasswd.c -+++ b/source3/rpc_server/samr/srv_samr_chgpasswd.c -@@ -901,11 +901,29 @@ static bool password_in_history(uint8_t nt_pw[NT_HASH_LEN], - return true; - } - } else { -+ gnutls_hash_hd_t hash_hnd = NULL; -+ int rc; -+ - /* - * Old format: md5sum of salted nt hash. - * Create salted version of new pw to compare. - */ -- E_md5hash(current_salt, nt_pw, new_nt_pw_salted_md5_hash); -+ rc = gnutls_hash_init(&hash_hnd, GNUTLS_DIG_MD5); -+ if (rc < 0) { -+ return false; -+ } -+ -+ rc = gnutls_hash(hash_hnd, current_salt, 16); -+ if (rc < 0) { -+ gnutls_hash_deinit(hash_hnd, NULL); -+ return false; -+ } -+ rc = gnutls_hash(hash_hnd, nt_pw, 16); -+ if (rc < 0) { -+ gnutls_hash_deinit(hash_hnd, NULL); -+ return false; -+ } -+ gnutls_hash_deinit(hash_hnd, new_nt_pw_salted_md5_hash); - - if (memcmp(new_nt_pw_salted_md5_hash, - old_nt_pw_salted_md5_hash, --- -2.23.0 - diff --git a/SOURCES/0157-s3-winbindd-Replace-E_md5hash-with-GnuTLS-calls.patch b/SOURCES/0157-s3-winbindd-Replace-E_md5hash-with-GnuTLS-calls.patch deleted file mode 100644 index aae1fe0..0000000 --- a/SOURCES/0157-s3-winbindd-Replace-E_md5hash-with-GnuTLS-calls.patch +++ /dev/null 
@@ -1,65 +0,0 @@ -From ed65e74773c0c8d3d3a9c23aa97b93baea31d9ae Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Mon, 18 Nov 2019 10:24:56 +0100 -Subject: [PATCH 157/187] s3:winbindd: Replace E_md5hash() with GnuTLS calls - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14195 - -Signed-off-by: Andreas Schneider -Reviewed-by: Andrew Bartlett -(cherry picked from commit 10499507c4fd91751898696b866ce32b1e38f605) ---- - source3/winbindd/winbindd_cache.c | 23 ++++++++++++++++++++++- - 1 file changed, 22 insertions(+), 1 deletion(-) - -diff --git a/source3/winbindd/winbindd_cache.c b/source3/winbindd/winbindd_cache.c -index 394b0c774a9..3e7afdaa546 100644 ---- a/source3/winbindd/winbindd_cache.c -+++ b/source3/winbindd/winbindd_cache.c -@@ -37,6 +37,9 @@ - #include "libsmb/samlogon_cache.h" - #include "lib/namemap_cache.h" - -+#include "lib/crypto/gnutls_helpers.h" -+#include -+ - #undef DBGC_CLASS - #define DBGC_CLASS DBGC_WINBIND - -@@ -1364,6 +1367,8 @@ NTSTATUS wcache_save_creds(struct winbindd_domain *domain, - uint32_t rid; - uint8_t cred_salt[NT_HASH_LEN]; - uint8_t salted_hash[NT_HASH_LEN]; -+ gnutls_hash_hd_t hash_hnd = NULL; -+ int rc; - - if (is_null_sid(sid)) { - return NT_STATUS_INVALID_SID; -@@ -1384,7 +1389,23 @@ NTSTATUS wcache_save_creds(struct winbindd_domain *domain, - - /* Create a salt and then salt the hash. 
*/ - generate_random_buffer(cred_salt, NT_HASH_LEN); -- E_md5hash(cred_salt, nt_pass, salted_hash); -+ -+ rc = gnutls_hash_init(&hash_hnd, GNUTLS_DIG_MD5); -+ if (rc < 0) { -+ return gnutls_error_to_ntstatus(rc, NT_STATUS_HASH_NOT_SUPPORTED); -+ } -+ -+ rc = gnutls_hash(hash_hnd, cred_salt, 16); -+ if (rc < 0) { -+ gnutls_hash_deinit(hash_hnd, NULL); -+ return gnutls_error_to_ntstatus(rc, NT_STATUS_HASH_NOT_SUPPORTED); -+ } -+ rc = gnutls_hash(hash_hnd, nt_pass, 16); -+ if (rc < 0) { -+ gnutls_hash_deinit(hash_hnd, NULL); -+ return gnutls_error_to_ntstatus(rc, NT_STATUS_HASH_NOT_SUPPORTED); -+ } -+ gnutls_hash_deinit(hash_hnd, salted_hash); - - centry_put_hash16(centry, salted_hash); - centry_put_hash16(centry, cred_salt); --- -2.23.0 - diff --git a/SOURCES/0158-s3-winbind-Replace-E_md5hash-with-GnuTLS-calls.patch b/SOURCES/0158-s3-winbind-Replace-E_md5hash-with-GnuTLS-calls.patch deleted file mode 100644 index 438550d..0000000 --- a/SOURCES/0158-s3-winbind-Replace-E_md5hash-with-GnuTLS-calls.patch +++ /dev/null 
@@ -1,58 +0,0 @@ -From 89693b474a37c393ceb47afd668e8a96282a98b0 Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Mon, 18 Nov 2019 10:28:59 +0100 -Subject: [PATCH 158/187] s3:winbind: Replace E_md5hash() with GnuTLS calls - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14195 - -Signed-off-by: Andreas Schneider -Reviewed-by: Andrew Bartlett -(cherry picked from commit 4199d1040f09b5d95522d0cbdbaeec78b7d7b9a6) ---- - source3/winbindd/winbindd_pam.c | 23 ++++++++++++++++++++++- - 1 file changed, 22 insertions(+), 1 deletion(-) - -diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c -index c5b7c09b5c1..8946dd70f99 100644 ---- a/source3/winbindd/winbindd_pam.c -+++ b/source3/winbindd/winbindd_pam.c -@@ -48,6 +48,9 @@ - #include "param/param.h" - #include "messaging/messaging.h" - -+#include "lib/crypto/gnutls_helpers.h" -+#include -+ - #undef DBGC_CLASS - #define DBGC_CLASS DBGC_WINBIND - -@@ -1086,7 +1089,25 @@ static NTSTATUS winbindd_dual_pam_auth_cached(struct winbindd_domain *domain, - /* In this case we didn't store the nt_hash itself, - but the MD5 combination of salt + nt_hash. */ - uchar salted_hash[NT_HASH_LEN]; -- E_md5hash(cached_salt, new_nt_pass, salted_hash); -+ gnutls_hash_hd_t hash_hnd = NULL; -+ int rc; -+ -+ rc = gnutls_hash_init(&hash_hnd, GNUTLS_DIG_MD5); -+ if (rc < 0) { -+ return gnutls_error_to_ntstatus(rc, NT_STATUS_HASH_NOT_SUPPORTED); -+ } -+ -+ rc = gnutls_hash(hash_hnd, cached_salt, 16); -+ if (rc < 0) { -+ gnutls_hash_deinit(hash_hnd, NULL); -+ return gnutls_error_to_ntstatus(rc, NT_STATUS_HASH_NOT_SUPPORTED); -+ } -+ rc = gnutls_hash(hash_hnd, new_nt_pass, 16); -+ if (rc < 0) { -+ gnutls_hash_deinit(hash_hnd, NULL); -+ return gnutls_error_to_ntstatus(rc, NT_STATUS_HASH_NOT_SUPPORTED); -+ } -+ gnutls_hash_deinit(hash_hnd, salted_hash); - - password_good = (memcmp(cached_nt_pass, salted_hash, - NT_HASH_LEN) == 0); --- -2.23.0 - 
diff --git a/SOURCES/0159-libcli-auth-Remove-unused-E_md5hash.patch b/SOURCES/0159-libcli-auth-Remove-unused-E_md5hash.patch deleted file mode 100644 index 6343a93..0000000 --- a/SOURCES/0159-libcli-auth-Remove-unused-E_md5hash.patch +++ /dev/null 
@@ -1,81 +0,0 @@ -From a2430d2ddcabca282d49e8dcd66cc0aaa1e85918 Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Mon, 18 Nov 2019 10:29:55 +0100 -Subject: [PATCH 159/187] libcli:auth: Remove unused E_md5hash() - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14195 - -Signed-off-by: Andreas Schneider -Reviewed-by: Andrew Bartlett -(cherry picked from commit e19b115dd27891896364f5e943b0ce7fcc89344e) ---- - libcli/auth/proto.h | 8 -------- - libcli/auth/smbencrypt.c | 33 --------------------------------- - 2 files changed, 41 deletions(-) - -diff --git a/libcli/auth/proto.h b/libcli/auth/proto.h -index eef1c8dc095..eb725c83d15 100644 ---- a/libcli/auth/proto.h -+++ b/libcli/auth/proto.h -@@ -105,14 +105,6 @@ bool SMBencrypt(const char *passwd, const uint8_t *c8, uint8_t p24[24]); - */ - bool E_md4hash(const char *passwd, uint8_t p16[16]); - --/** -- * Creates the MD5 Hash of a combination of 16 byte salt and 16 byte NT hash. -- * @param 16 byte salt. -- * @param 16 byte NT hash. -- * @param 16 byte return hashed with md5, caller allocated 16 byte buffer -- */ --void E_md5hash(const uint8_t salt[16], const uint8_t nthash[16], uint8_t hash_out[16]); -- - /** - * Creates the DES forward-only Hash of the users password in DOS ASCII charset - * @param passwd password in 'unix' charset. -diff --git a/libcli/auth/smbencrypt.c b/libcli/auth/smbencrypt.c -index e33d29de19d..ab2c47ad9bb 100644 ---- a/libcli/auth/smbencrypt.c -+++ b/libcli/auth/smbencrypt.c -@@ -94,39 +94,6 @@ bool E_md4hash(const char *passwd, uint8_t p16[16]) - return true; - } - --/** -- * Creates the MD5 Hash of a combination of 16 byte salt and 16 byte NT hash. -- * @param 16 byte salt. -- * @param 16 byte NT hash. 
-- * @param 16 byte return hashed with md5, caller allocated 16 byte buffer -- */ -- --void E_md5hash(const uint8_t salt[16], const uint8_t nthash[16], uint8_t hash_out[16]) --{ -- gnutls_hash_hd_t hash_hnd = NULL; -- int rc; -- -- rc = gnutls_hash_init(&hash_hnd, GNUTLS_DIG_MD5); -- if (rc < 0) { -- goto out; -- } -- -- rc = gnutls_hash(hash_hnd, salt, 16); -- if (rc < 0) { -- gnutls_hash_deinit(hash_hnd, NULL); -- goto out; -- } -- rc = gnutls_hash(hash_hnd, nthash, 16); -- if (rc < 0) { -- gnutls_hash_deinit(hash_hnd, NULL); -- goto out; -- } -- gnutls_hash_deinit(hash_hnd, hash_out); -- --out: -- return; --} -- - /** - * Creates the DES forward-only Hash of the users password in DOS ASCII charset - * @param passwd password in 'unix' charset. --- -2.23.0 - diff --git a/SOURCES/0160-s4-lib-tls-Fix-cert-and-privkey-types.patch b/SOURCES/0160-s4-lib-tls-Fix-cert-and-privkey-types.patch deleted file mode 100644 index 4dacc9b..0000000 --- a/SOURCES/0160-s4-lib-tls-Fix-cert-and-privkey-types.patch +++ /dev/null 
@@ -1,42 +0,0 @@ -From 38c91edbe9f634ba4ab90f51b5f2e69742e49f8a Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Mon, 18 Nov 2019 16:33:23 +0100 -Subject: [PATCH 160/187] s4:lib:tls: Fix cert and privkey types -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -../../source4/lib/tls/tlscert.c:42:2: warning: ‘gnutls_x509_crt’ is - deprecated [-Wdeprecated-declarations] - 42 | gnutls_x509_crt cacrt, crt; - | ^~~~~~~~~~~~~~~ -../../source4/lib/tls/tlscert.c:43:2: warning: ‘gnutls_x509_privkey’ is - deprecated [-Wdeprecated-declarations] - 43 | gnutls_x509_privkey key, cakey; - | ^~~~~~~~~~~~~~~~~~~ - -Signed-off-by: Andreas Schneider -Reviewed-by: Andrew Bartlett -(cherry picked from commit 71816984c31cd1a392355afdbfdadb0da2d05765) ---- - source4/lib/tls/tlscert.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/source4/lib/tls/tlscert.c b/source4/lib/tls/tlscert.c -index f5e9a1f2d39..9379ab094d1 100644 ---- a/source4/lib/tls/tlscert.c -+++ b/source4/lib/tls/tlscert.c -@@ -39,8 +39,8 @@ void tls_cert_generate(TALLOC_CTX *mem_ctx, - const char *keyfile, const char *certfile, - const char *cafile) - { -- gnutls_x509_crt cacrt, crt; -- gnutls_x509_privkey key, cakey; -+ gnutls_x509_crt_t cacrt, crt; -+ gnutls_x509_privkey_t key, cakey; - uint32_t serial = (uint32_t)time(NULL); - unsigned char keyid[100]; - char buf[4096]; --- -2.23.0 - diff --git a/SOURCES/0161-winbind-Fix-CID-1455915-Resource-leak.patch b/SOURCES/0161-winbind-Fix-CID-1455915-Resource-leak.patch deleted file mode 100644 index 0f4c18f..0000000 --- a/SOURCES/0161-winbind-Fix-CID-1455915-Resource-leak.patch +++ /dev/null 
@@ -1,40 +0,0 @@ -From aa688caadf30b5f212e2b5614a62268946174888 Mon Sep 17 00:00:00 2001 -From: Volker Lendecke -Date: Tue, 19 Nov 2019 14:20:14 +0100 -Subject: [PATCH 161/187] winbind: Fix CID 1455915 Resource leak - -Signed-off-by: Volker Lendecke -Reviewed-by: Andreas Schneider -(cherry picked from commit b9e74928ab99a169c76dcd3b401da70cbd1b3985) ---- - source3/winbindd/winbindd_cache.c | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/source3/winbindd/winbindd_cache.c b/source3/winbindd/winbindd_cache.c -index 3e7afdaa546..9122e2bc5d6 100644 ---- a/source3/winbindd/winbindd_cache.c -+++ b/source3/winbindd/winbindd_cache.c -@@ -1392,17 +1392,20 @@ NTSTATUS wcache_save_creds(struct winbindd_domain *domain, - - rc = gnutls_hash_init(&hash_hnd, GNUTLS_DIG_MD5); - if (rc < 0) { -+ centry_free(centry); - return gnutls_error_to_ntstatus(rc, NT_STATUS_HASH_NOT_SUPPORTED); - } - - rc = gnutls_hash(hash_hnd, cred_salt, 16); - if (rc < 0) { - gnutls_hash_deinit(hash_hnd, NULL); -+ centry_free(centry); - return gnutls_error_to_ntstatus(rc, NT_STATUS_HASH_NOT_SUPPORTED); - } - rc = gnutls_hash(hash_hnd, nt_pass, 16); - if (rc < 0) { - gnutls_hash_deinit(hash_hnd, NULL); -+ centry_free(centry); - return gnutls_error_to_ntstatus(rc, NT_STATUS_HASH_NOT_SUPPORTED); - } - gnutls_hash_deinit(hash_hnd, salted_hash); --- -2.23.0 - diff --git a/SOURCES/0162-auth-tests-Improve-debug-output-of-test_gnutls.patch b/SOURCES/0162-auth-tests-Improve-debug-output-of-test_gnutls.patch deleted file mode 100644 index 1e2a70c..0000000 --- a/SOURCES/0162-auth-tests-Improve-debug-output-of-test_gnutls.patch +++ /dev/null 
@@ -1,58 +0,0 @@ -From 0cafa1b290e7f28f75d2796d0253d4f3a2839562 Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Fri, 6 Dec 2019 08:12:34 +0100 -Subject: [PATCH 162/187] auth:tests: Improve debug output of test_gnutls - -Signed-off-by: Andreas Schneider -Reviewed-by: Isaac Boukris -Reviewed-by: Andrew Bartlett -(cherry picked from commit 1c65f1fddba77e94edc5338af81c9a25e0d4e970) ---- - libcli/auth/tests/test_gnutls.c | 10 ++++++++-- - 1 file changed, 8 insertions(+), 2 deletions(-) - -diff --git a/libcli/auth/tests/test_gnutls.c b/libcli/auth/tests/test_gnutls.c -index f4ef4ec19c8..066d5cf0a9d 100644 ---- a/libcli/auth/tests/test_gnutls.c -+++ b/libcli/auth/tests/test_gnutls.c -@@ -72,7 +72,9 @@ static void torture_gnutls_aes_128_cfb_flags(void **state, - - DEBUG(0,("confounder before crypt:\n")); - dump_data(0, confounder, 8); -+ DEBUG(0,("initial seq num:\n")); - dump_data(0, seq_num_initial.data, 8); -+ DEBUG(0,("io data before crypt:\n")); - dump_data(0, io.data, io.length); - - for (i = 0; i < key.size; i++) { -@@ -100,10 +102,12 @@ static void torture_gnutls_aes_128_cfb_flags(void **state, - io.length); - assert_int_equal(rc, 0); - -- dump_data(0, io.data, io.length); - DEBUG(0,("confounder after crypt:\n")); - dump_data(0, confounder, 8); -+ DEBUG(0,("initial seq num:\n")); - dump_data(0, seq_num_initial.data, 8); -+ DEBUG(0,("io data after crypt:\n")); -+ dump_data(0, io.data, io.length); - assert_memory_equal(io.data, crypt_expected.data, crypt_expected.length); - assert_memory_equal(confounder, confounder_expected.data, confounder_expected.length); - -@@ -118,10 +122,12 @@ static void torture_gnutls_aes_128_cfb_flags(void **state, - assert_int_equal(rc, 0); - gnutls_cipher_deinit(cipher_hnd); - -- dump_data(0, io.data, io.length); - DEBUG(0,("confounder after decrypt:\n")); - dump_data(0, confounder, 8); -+ DEBUG(0,("initial seq num:\n")); - dump_data(0, seq_num_initial.data, 8); -+ DEBUG(0,("io data after decrypt:\n")); -+ dump_data(0, io.data, 
io.length); - assert_memory_equal(io.data, clear_initial.data, clear_initial.length); - assert_memory_equal(confounder, confounder_initial.data, confounder_initial.length); - } --- -2.23.0 - diff --git a/SOURCES/0163-auth-tests-Only-enable-torture_gnutls_aes_128_cfb-on.patch b/SOURCES/0163-auth-tests-Only-enable-torture_gnutls_aes_128_cfb-on.patch deleted file mode 100644 index d493f43..0000000 --- a/SOURCES/0163-auth-tests-Only-enable-torture_gnutls_aes_128_cfb-on.patch +++ /dev/null @@ -1,39 +0,0 @@ -From 1e72f0d5b636d4f9a5ad39e2ac01230fcb2badd8 Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Fri, 6 Dec 2019 08:49:54 +0100 -Subject: [PATCH 163/187] auth:tests: Only enable torture_gnutls_aes_128_cfb() - on GnuTLS >= 3.6.11 - -Signed-off-by: Andreas Schneider -Reviewed-by: Isaac Boukris -Reviewed-by: Andrew Bartlett -(cherry picked from commit 01f531ba6ba1306e99d2e4715dadae073eb0a8ec) ---- - libcli/auth/tests/test_gnutls.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/libcli/auth/tests/test_gnutls.c b/libcli/auth/tests/test_gnutls.c -index 066d5cf0a9d..412a454b762 100644 ---- a/libcli/auth/tests/test_gnutls.c -+++ b/libcli/auth/tests/test_gnutls.c -@@ -29,7 +29,7 @@ - #include - #include - --#ifdef HAVE_GNUTLS_AES_CFB8 -+#if defined(HAVE_GNUTLS_AES_CFB8) && GNUTLS_VERSION_NUMBER > 0x03060a - static void torture_gnutls_aes_128_cfb_flags(void **state, - const DATA_BLOB session_key, - const DATA_BLOB seq_num_initial, -@@ -135,7 +135,7 @@ static void torture_gnutls_aes_128_cfb_flags(void **state, - - static void torture_gnutls_aes_128_cfb(void **state) - { --#ifdef HAVE_GNUTLS_AES_CFB8 -+#if defined(HAVE_GNUTLS_AES_CFB8) && GNUTLS_VERSION_NUMBER > 0x03060a - const uint8_t _session_key[16] = { - 0x8E, 0xE8, 0x27, 0x85, 0x83, 0x41, 0x3C, 0x8D, - 0xC9, 0x54, 0x70, 0x75, 0x8E, 0xC9, 0x69, 0x91 --- -2.23.0 - 
diff --git a/SOURCES/0164-libcli-auth-test-des_crypt56-and-add-test_gnutls-to-.patch b/SOURCES/0164-libcli-auth-test-des_crypt56-and-add-test_gnutls-to-.patch deleted file mode 100644 index 707d736..0000000 --- a/SOURCES/0164-libcli-auth-test-des_crypt56-and-add-test_gnutls-to-.patch +++ /dev/null 
@@ -1,90 +0,0 @@ -From c1258172d502955442704264ec1c7ea926784b35 Mon Sep 17 00:00:00 2001 -From: Isaac Boukris -Date: Sat, 9 Nov 2019 17:47:33 +0100 -Subject: [PATCH 164/187] libcli/auth: test des_crypt56() and add test_gnutls - to selftest - -Signed-off-by: Isaac Boukris -Reviewed-by: Andrew Bartlett -(cherry picked from commit 07b4606f893fabd50c2685307d58e86f55defae5) ---- - libcli/auth/tests/test_gnutls.c | 24 ++++++++++++++++++++++++ - libcli/auth/wscript_build | 1 + - selftest/tests.py | 2 ++ - 3 files changed, 27 insertions(+) - -diff --git a/libcli/auth/tests/test_gnutls.c b/libcli/auth/tests/test_gnutls.c -index 412a454b762..7847d01a4dc 100644 ---- a/libcli/auth/tests/test_gnutls.c -+++ b/libcli/auth/tests/test_gnutls.c -@@ -24,6 +24,7 @@ - #include - - #include "includes.h" -+#include "libcli/auth/libcli_auth.h" - - #include "lib/crypto/gnutls_helpers.h" - #include -@@ -227,11 +228,34 @@ static void torture_gnutls_aes_128_cfb(void **state) - #endif - } - -+static void torture_gnutls_des_crypt56(void **state) -+{ -+ static const uint8_t key[7] = { -+ 0x69, 0x88, 0x96, 0x8E, 0xB5, 0x3A, 0x24 -+ }; -+ static const uint8_t clear[8] = { -+ 0x3F, 0x49, 0x5B, 0x20, 0xA7, 0x84, 0xC2, 0x34 -+ }; -+ static const uint8_t crypt_expected[8] = { -+ 0x54, 0x86, 0xCF, 0x51, 0x49, 0x3A, 0x53, 0x5B -+ }; -+ -+ uint8_t crypt[8]; -+ uint8_t decrypt[8]; -+ -+ des_crypt56(crypt, clear, key, 1); -+ assert_memory_equal(crypt, crypt_expected, 8); -+ -+ des_crypt56(decrypt, crypt, key, 0); -+ assert_memory_equal(decrypt, clear, 8); -+} -+ - int main(int argc, char *argv[]) - { - int rc; - const struct CMUnitTest tests[] = { - cmocka_unit_test(torture_gnutls_aes_128_cfb), -+ cmocka_unit_test(torture_gnutls_des_crypt56), - }; - - if (argc == 2) { -diff --git a/libcli/auth/wscript_build b/libcli/auth/wscript_build -index 7b765cd9e43..8e856d07ddf 100644 ---- a/libcli/auth/wscript_build -+++ b/libcli/auth/wscript_build -@@ -76,6 +76,7 @@ bld.SAMBA_BINARY('test_gnutls', - 
source='tests/test_gnutls.c', - deps=''' - gnutls -+ LIBCLI_AUTH - cmocka - samba-util - ''', -diff --git a/selftest/tests.py b/selftest/tests.py -index c91d9b445fe..20809678104 100644 ---- a/selftest/tests.py -+++ b/selftest/tests.py -@@ -390,6 +390,8 @@ plantestsuite("samba.unittests.byteorder", "none", - [os.path.join(bindir(), "default/lib/util/test_byteorder")]) - plantestsuite("samba.unittests.ntlm_check", "none", - [os.path.join(bindir(), "default/libcli/auth/test_ntlm_check")]) -+plantestsuite("samba.unittests.gnutls", "none", -+ [os.path.join(bindir(), "default/libcli/auth/test_gnutls")]) - plantestsuite("samba.unittests.schannel", "none", - [os.path.join(bindir(), "default/libcli/auth/test_schannel")]) - plantestsuite("samba.unittests.rc4_passwd_buffer", "none", --- -2.23.0 - diff --git a/SOURCES/0165-selftest-test-E_P16.patch b/SOURCES/0165-selftest-test-E_P16.patch deleted file mode 100644 index 26e83af..0000000 --- a/SOURCES/0165-selftest-test-E_P16.patch +++ /dev/null 
@@ -1,52 +0,0 @@ -From b99a520661dbfcdd69da38be9ab35ed8a69a0b6d Mon Sep 17 00:00:00 2001 -From: Isaac Boukris -Date: Tue, 19 Nov 2019 09:46:18 +0100 -Subject: [PATCH 165/187] selftest: test E_P16 - -Signed-off-by: Isaac Boukris -Reviewed-by: Andrew Bartlett -(cherry picked from commit 7044a41a30e43dda34eecb6df3da82ed5d568eec) ---- - libcli/auth/tests/test_gnutls.c | 20 ++++++++++++++++++++ - 1 file changed, 20 insertions(+) - -diff --git a/libcli/auth/tests/test_gnutls.c b/libcli/auth/tests/test_gnutls.c -index 7847d01a4dc..a2b7cb896d0 100644 ---- a/libcli/auth/tests/test_gnutls.c -+++ b/libcli/auth/tests/test_gnutls.c -@@ -250,12 +250,32 @@ static void torture_gnutls_des_crypt56(void **state) - assert_memory_equal(decrypt, clear, 8); - } - -+static void torture_gnutls_E_P16(void **state) -+{ -+ static const uint8_t key[14] = { -+ 0x98, 0xFD, 0xCB, 0x3A, 0xF7, 0xB5, 0x1C, 0xF8, -+ 0x69, 0x88, 0x96, 0x8E, 0xB5, 0x3A -+ }; -+ uint8_t buffer[16] = { -+ 0x9C, 0x14, 0xDD, 0xE1, 0x39, 0x23, 0xE0, 0x55, -+ 0x3F, 0x49, 0x5B, 0x20, 0xA7, 0x84, 0xC2, 0x34 -+ }; -+ static const uint8_t crypt_expected[16] = { -+ 0x41, 0x4A, 0x7B, 0xEA, 0xAB, 0xBB, 0x95, 0xCE, -+ 0x1D, 0xEA, 0xD9, 0xFF, 0xB0, 0xA9, 0xA4, 0x05 -+ }; -+ -+ E_P16(key, buffer); -+ assert_memory_equal(buffer, crypt_expected, 16); -+} -+ - int main(int argc, char *argv[]) - { - int rc; - const struct CMUnitTest tests[] = { - cmocka_unit_test(torture_gnutls_aes_128_cfb), - cmocka_unit_test(torture_gnutls_des_crypt56), -+ cmocka_unit_test(torture_gnutls_E_P16), - }; - - if (argc == 2) { --- -2.23.0 - diff --git a/SOURCES/0166-selftest-test-sam_rid_crypt.patch b/SOURCES/0166-selftest-test-sam_rid_crypt.patch deleted file mode 100644 index b6dd08a..0000000 --- a/SOURCES/0166-selftest-test-sam_rid_crypt.patch +++ /dev/null 
@@ -1,56 +0,0 @@ -From 439a78c470c7536c4e30604e05c5c03c6a22384d Mon Sep 17 00:00:00 2001 -From: Isaac Boukris -Date: Tue, 19 Nov 2019 16:08:49 +0100 -Subject: [PATCH 166/187] selftest: test sam_rid_crypt - -Signed-off-by: Isaac Boukris -Reviewed-by: Andrew Bartlett -(cherry picked from commit 0923f94bdc21a80cbf40aaa65c4928c13c298d82) ---- - libcli/auth/tests/test_gnutls.c | 23 +++++++++++++++++++++++ - 1 file changed, 23 insertions(+) - -diff --git a/libcli/auth/tests/test_gnutls.c b/libcli/auth/tests/test_gnutls.c -index a2b7cb896d0..bef4b5d3cc2 100644 ---- a/libcli/auth/tests/test_gnutls.c -+++ b/libcli/auth/tests/test_gnutls.c -@@ -269,6 +269,28 @@ static void torture_gnutls_E_P16(void **state) - assert_memory_equal(buffer, crypt_expected, 16); - } - -+static void torture_gnutls_sam_rid_crypt(void **state) -+{ -+ static const uint8_t clear[16] = { -+ 0x02, 0xFA, 0x3B, 0xEE, 0xE8, 0xBA, 0x06, 0x01, -+ 0x3F, 0x49, 0x5B, 0x20, 0xA7, 0x84, 0xC2, 0x34 -+ }; -+ static const uint8_t crypt_expected[16] = { -+ 0x1E, 0x38, 0x27, 0x5B, 0x3B, 0xB8, 0x67, 0xEB, -+ 0xFB, 0x67, 0x99, 0xA4, 0x83, 0xF3, 0xD4, 0xED -+ }; -+ -+ uint8_t crypt[16]; -+ uint8_t decrypt[16]; -+ int rid = 500; -+ -+ sam_rid_crypt(rid, clear, crypt, 1); -+ assert_memory_equal(crypt, crypt_expected, 16); -+ -+ sam_rid_crypt(rid, crypt, decrypt, 0); -+ assert_memory_equal(decrypt, clear, 16); -+} -+ - int main(int argc, char *argv[]) - { - int rc; -@@ -276,6 +298,7 @@ int main(int argc, char *argv[]) - cmocka_unit_test(torture_gnutls_aes_128_cfb), - cmocka_unit_test(torture_gnutls_des_crypt56), - cmocka_unit_test(torture_gnutls_E_P16), -+ cmocka_unit_test(torture_gnutls_sam_rid_crypt), - }; - - if (argc == 2) { --- -2.23.0 - diff --git a/SOURCES/0167-selftest-test-E_P24-and-SMBOWFencrypt.patch b/SOURCES/0167-selftest-test-E_P24-and-SMBOWFencrypt.patch deleted file mode 100644 index f9c6d37..0000000 --- a/SOURCES/0167-selftest-test-E_P24-and-SMBOWFencrypt.patch +++ /dev/null 
@@ -1,77 +0,0 @@ -From 5568783eefaeae47e883f1896dbe12a1bffb374b Mon Sep 17 00:00:00 2001 -From: Isaac Boukris -Date: Tue, 19 Nov 2019 18:26:13 +0100 -Subject: [PATCH 167/187] selftest: test E_P24 and SMBOWFencrypt - -Signed-off-by: Isaac Boukris -Reviewed-by: Andrew Bartlett -(cherry picked from commit dfad082596a53a7c6225da427447922fd4b7f0e2) ---- - libcli/auth/tests/test_gnutls.c | 44 +++++++++++++++++++++++++++++++++ - 1 file changed, 44 insertions(+) - -diff --git a/libcli/auth/tests/test_gnutls.c b/libcli/auth/tests/test_gnutls.c -index bef4b5d3cc2..3f6efa62424 100644 ---- a/libcli/auth/tests/test_gnutls.c -+++ b/libcli/auth/tests/test_gnutls.c -@@ -269,6 +269,48 @@ static void torture_gnutls_E_P16(void **state) - assert_memory_equal(buffer, crypt_expected, 16); - } - -+static void torture_gnutls_E_P24(void **state) -+{ -+ static const uint8_t key[21] = { -+ 0xFB, 0x67, 0x99, 0xA4, 0x83, 0xF3, 0xD4, 0xED, -+ 0x98, 0xFD, 0xCB, 0x3A, 0xF7, 0xB5, 0x1C, 0xF8, -+ 0x69, 0x88, 0x96, 0x8E, 0x3A -+ }; -+ const uint8_t c8[8] = { -+ 0x44, 0xFB, 0xAC, 0xFB, 0x83, 0xB6, 0x75, 0x2A -+ }; -+ static const uint8_t crypt_expected[24] = { -+ 0x1A, 0x5E, 0x11, 0xA1, 0x59, 0xA9, 0x6B, 0x4E, -+ 0x12, 0x5D, 0x81, 0x75, 0xA6, 0x62, 0x15, 0x6D, -+ 0x5D, 0x20, 0x25, 0xC1, 0xA3, 0x92, 0xB3, 0x28 -+ }; -+ -+ uint8_t crypt[24]; -+ -+ E_P24(key, c8, crypt); -+ assert_memory_equal(crypt, crypt_expected, 24); -+} -+ -+static void torture_gnutls_SMBOWFencrypt(void **state) -+{ -+ static const uint8_t password[16] = { -+ 'M', 'y', 'p', 'a', 's', 's', 'w', 'o', -+ 'r', 'd', 'i', 's', '1', '1', '1', '1' -+ }; -+ const uint8_t c8[8] = { -+ 0x79, 0x88, 0x5A, 0x3D, 0xD3, 0x40, 0x1E, 0x69 -+ }; -+ static const uint8_t crypt_expected[24] = { -+ 0x3F, 0xE3, 0x53, 0x75, 0x81, 0xB4, 0xF0, 0xE7, -+ 0x0C, 0xDE, 0xCD, 0xAE, 0x39, 0x1F, 0x14, 0xB4, -+ 0xA4, 0x2B, 0x3E, 0x39, 0x16, 0xFD, 0x1D, 0x62 -+ }; -+ -+ uint8_t crypt[24]; -+ -+ SMBOWFencrypt(password, c8, crypt); -+ assert_memory_equal(crypt, 
crypt_expected, 24); -+} - static void torture_gnutls_sam_rid_crypt(void **state) - { - static const uint8_t clear[16] = { -@@ -298,6 +340,8 @@ int main(int argc, char *argv[]) - cmocka_unit_test(torture_gnutls_aes_128_cfb), - cmocka_unit_test(torture_gnutls_des_crypt56), - cmocka_unit_test(torture_gnutls_E_P16), -+ cmocka_unit_test(torture_gnutls_E_P24), -+ cmocka_unit_test(torture_gnutls_SMBOWFencrypt), - cmocka_unit_test(torture_gnutls_sam_rid_crypt), - }; - --- -2.23.0 - diff --git a/SOURCES/0168-selftest-test-E_old_pw_hash.patch b/SOURCES/0168-selftest-test-E_old_pw_hash.patch deleted file mode 100644 index d7da542..0000000 --- a/SOURCES/0168-selftest-test-E_old_pw_hash.patch +++ /dev/null 
@@ -1,55 +0,0 @@ -From b074df7982a4783c88b23a4973662e144362eb2e Mon Sep 17 00:00:00 2001 -From: Isaac Boukris -Date: Tue, 19 Nov 2019 18:49:58 +0100 -Subject: [PATCH 168/187] selftest: test E_old_pw_hash - -Signed-off-by: Isaac Boukris -Reviewed-by: Andrew Bartlett -(cherry picked from commit 8f042ba532fc645f2389a0a9d3e83d27c070fde4) ---- - libcli/auth/tests/test_gnutls.c | 22 ++++++++++++++++++++++ - 1 file changed, 22 insertions(+) - -diff --git a/libcli/auth/tests/test_gnutls.c b/libcli/auth/tests/test_gnutls.c -index 3f6efa62424..1e6f8dd5b5b 100644 ---- a/libcli/auth/tests/test_gnutls.c -+++ b/libcli/auth/tests/test_gnutls.c -@@ -311,6 +311,27 @@ static void torture_gnutls_SMBOWFencrypt(void **state) - SMBOWFencrypt(password, c8, crypt); - assert_memory_equal(crypt, crypt_expected, 24); - } -+ -+static void torture_gnutls_E_old_pw_hash(void **state) -+{ -+ static uint8_t key[14] = { -+ 0x98, 0xFD, 0xCB, 0x3A, 0xF7, 0xB5, 0x1C, 0xF8, -+ 0x69, 0x88, 0x96, 0x8E, 0xB5, 0x3A -+ }; -+ uint8_t clear[16] = { -+ 0x9C, 0x14, 0xDD, 0xE1, 0x39, 0x23, 0xE0, 0x55, -+ 0x3F, 0x49, 0x5B, 0x20, 0xA7, 0x84, 0xC2, 0x34 -+ }; -+ static const uint8_t crypt_expected[16] = { -+ 0x6A, 0xC7, 0x08, 0xCA, 0x2A, 0xC1, 0xAA, 0x64, -+ 0x37, 0xEF, 0xBE, 0x58, 0xC2, 0x59, 0x33, 0xEC -+ }; -+ uint8_t crypt[16]; -+ -+ E_old_pw_hash(key, clear, crypt); -+ assert_memory_equal(crypt, crypt_expected, 16); -+} -+ - static void torture_gnutls_sam_rid_crypt(void **state) - { - static const uint8_t clear[16] = { -@@ -342,6 +363,7 @@ int main(int argc, char *argv[]) - cmocka_unit_test(torture_gnutls_E_P16), - cmocka_unit_test(torture_gnutls_E_P24), - cmocka_unit_test(torture_gnutls_SMBOWFencrypt), -+ cmocka_unit_test(torture_gnutls_E_old_pw_hash), - cmocka_unit_test(torture_gnutls_sam_rid_crypt), - }; - --- -2.23.0 - diff --git a/SOURCES/0169-selftest-test-des_crypt128.patch b/SOURCES/0169-selftest-test-des_crypt128.patch deleted file mode 100644 index 1449361..0000000 
--- a/SOURCES/0169-selftest-test-des_crypt128.patch +++ /dev/null @@ -1,53 +0,0 @@ -From 620713d0e16e07f44fb4c086290161da81d37f1f Mon Sep 17 00:00:00 2001 -From: Isaac Boukris -Date: Tue, 19 Nov 2019 19:10:18 +0100 -Subject: [PATCH 169/187] selftest: test des_crypt128 - -Signed-off-by: Isaac Boukris -Reviewed-by: Andrew Bartlett -(cherry picked from commit e2f8f686d1e3fce91f10aadb9667854cf2a1219a) ---- - libcli/auth/tests/test_gnutls.c | 20 ++++++++++++++++++++ - 1 file changed, 20 insertions(+) - -diff --git a/libcli/auth/tests/test_gnutls.c b/libcli/auth/tests/test_gnutls.c -index 1e6f8dd5b5b..b1129db14c9 100644 ---- a/libcli/auth/tests/test_gnutls.c -+++ b/libcli/auth/tests/test_gnutls.c -@@ -332,6 +332,25 @@ static void torture_gnutls_E_old_pw_hash(void **state) - assert_memory_equal(crypt, crypt_expected, 16); - } - -+static void torture_gnutls_des_crypt128(void **state) -+{ -+ static uint8_t key[16] = { -+ 0x98, 0xFD, 0xCB, 0x3A, 0xF7, 0xB5, 0x1C, 0xF8, -+ 0xA9, 0x69, 0x88, 0x96, 0x8E, 0xB5, 0x3A, 0x24 -+ }; -+ static const uint8_t clear[8] = { -+ 0x3F, 0x49, 0x5B, 0x20, 0xA7, 0x84, 0xC2, 0x34 -+ }; -+ static const uint8_t crypt_expected[8] = { -+ 0x4C, 0xB4, 0x4B, 0xD3, 0xC8, 0xC1, 0xA5, 0x50 -+ }; -+ -+ uint8_t crypt[8]; -+ -+ des_crypt128(crypt, clear, key); -+ assert_memory_equal(crypt, crypt_expected, 8); -+} -+ - static void torture_gnutls_sam_rid_crypt(void **state) - { - static const uint8_t clear[16] = { -@@ -364,6 +383,7 @@ int main(int argc, char *argv[]) - cmocka_unit_test(torture_gnutls_E_P24), - cmocka_unit_test(torture_gnutls_SMBOWFencrypt), - cmocka_unit_test(torture_gnutls_E_old_pw_hash), -+ cmocka_unit_test(torture_gnutls_des_crypt128), - cmocka_unit_test(torture_gnutls_sam_rid_crypt), - }; - --- -2.23.0 - diff --git a/SOURCES/0170-selftest-test-des_crypt112-and-fix-unused-decryption.patch b/SOURCES/0170-selftest-test-des_crypt112-and-fix-unused-decryption.patch deleted file mode 100644 index c28a54c..0000000 
--- a/SOURCES/0170-selftest-test-des_crypt112-and-fix-unused-decryption.patch +++ /dev/null 
@@ -1,79 +0,0 @@ -From bd993cbccae8002dd3125d015c6525060fd8914e Mon Sep 17 00:00:00 2001 -From: Isaac Boukris -Date: Tue, 19 Nov 2019 19:49:09 +0100 -Subject: [PATCH 170/187] selftest: test des_crypt112 and fix (unused) - decryption - -Signed-off-by: Isaac Boukris -Reviewed-by: Andrew Bartlett -(cherry picked from commit 394debac6b2f0838cde5d850335e0cdff14b411d) ---- - libcli/auth/smbdes.c | 9 +++++++-- - libcli/auth/tests/test_gnutls.c | 24 ++++++++++++++++++++++++ - 2 files changed, 31 insertions(+), 2 deletions(-) - -diff --git a/libcli/auth/smbdes.c b/libcli/auth/smbdes.c -index 6d9a6dc2ce8..59cb45d81f0 100644 ---- a/libcli/auth/smbdes.c -+++ b/libcli/auth/smbdes.c -@@ -342,8 +342,13 @@ void des_crypt128(uint8_t out[8], const uint8_t in[8], const uint8_t key[16]) - void des_crypt112(uint8_t out[8], const uint8_t in[8], const uint8_t key[14], int forw) - { - uint8_t buf[8]; -- des_crypt56(buf, in, key, forw); -- des_crypt56(out, buf, key+7, forw); -+ if (forw) { -+ des_crypt56(buf, in, key, forw); -+ des_crypt56(out, buf, key+7, forw); -+ } else { -+ des_crypt56(buf, in, key+7, forw); -+ des_crypt56(out, buf, key, forw); -+ } - } - - /* des encryption of a 16 byte lump of data with a 112 bit key */ -diff --git a/libcli/auth/tests/test_gnutls.c b/libcli/auth/tests/test_gnutls.c -index b1129db14c9..4ae99b64c31 100644 ---- a/libcli/auth/tests/test_gnutls.c -+++ b/libcli/auth/tests/test_gnutls.c -@@ -351,6 +351,29 @@ static void torture_gnutls_des_crypt128(void **state) - assert_memory_equal(crypt, crypt_expected, 8); - } - -+static void torture_gnutls_des_crypt112(void **state) -+{ -+ static uint8_t key[14] = { -+ 0x98, 0xFD, 0xCB, 0x3A, 0xF7, 0xB5, 0x1C, 0xF8, -+ 0x88, 0x96, 0x8E, 0xB5, 0x3A, 0x24 -+ }; -+ static const uint8_t clear[8] = { -+ 0x2F, 0x49, 0x5B, 0x20, 0xD7, 0x84, 0xC2, 0x34 -+ }; -+ static const uint8_t crypt_expected[8] = { -+ 0x87, 0x35, 0xFA, 0xA4, 0x5D, 0x7A, 0xA5, 0x05 -+ }; -+ -+ uint8_t crypt[8]; -+ uint8_t decrypt[8]; -+ -+ 
des_crypt112(crypt, clear, key, 1); -+ assert_memory_equal(crypt, crypt_expected, 8); -+ -+ des_crypt112(decrypt, crypt, key, 0); -+ assert_memory_equal(decrypt, clear, 8); -+} -+ - static void torture_gnutls_sam_rid_crypt(void **state) - { - static const uint8_t clear[16] = { -@@ -384,6 +407,7 @@ int main(int argc, char *argv[]) - cmocka_unit_test(torture_gnutls_SMBOWFencrypt), - cmocka_unit_test(torture_gnutls_E_old_pw_hash), - cmocka_unit_test(torture_gnutls_des_crypt128), -+ cmocka_unit_test(torture_gnutls_des_crypt112), - cmocka_unit_test(torture_gnutls_sam_rid_crypt), - }; - --- -2.23.0 - diff --git a/SOURCES/0171-selftest-test-des_crypt112_16.patch b/SOURCES/0171-selftest-test-des_crypt112_16.patch deleted file mode 100644 index 7f0d013..0000000 --- a/SOURCES/0171-selftest-test-des_crypt112_16.patch +++ /dev/null 
@@ -1,59 +0,0 @@ -From c47b882674c667bd8e0f7b059360738e72a565c9 Mon Sep 17 00:00:00 2001 -From: Isaac Boukris -Date: Tue, 19 Nov 2019 20:02:49 +0100 -Subject: [PATCH 171/187] selftest: test des_crypt112_16 - -Signed-off-by: Isaac Boukris -Reviewed-by: Andrew Bartlett -(cherry picked from commit a4ec427e54b52307ee2e22079449ff3e59279298) ---- - libcli/auth/tests/test_gnutls.c | 26 ++++++++++++++++++++++++++ - 1 file changed, 26 insertions(+) - -diff --git a/libcli/auth/tests/test_gnutls.c b/libcli/auth/tests/test_gnutls.c -index 4ae99b64c31..2e6ed7ba98c 100644 ---- a/libcli/auth/tests/test_gnutls.c -+++ b/libcli/auth/tests/test_gnutls.c -@@ -374,6 +374,31 @@ static void torture_gnutls_des_crypt112(void **state) - assert_memory_equal(decrypt, clear, 8); - } - -+static void torture_gnutls_des_crypt112_16(void **state) -+{ -+ static uint8_t key[14] = { -+ 0x1E, 0x38, 0x27, 0x5B, 0x3B, 0xB8, 0x67, 0xEB, -+ 0x88, 0x96, 0x8E, 0xB5, 0x3A, 0x24 -+ }; -+ static const uint8_t clear[16] = { -+ 0x02, 0xFA, 0x3B, 0xEE, 0xE8, 0xBA, 0x06, 0x01, -+ 0xFB, 0x67, 0x99, 0xA4, 0x83, 0xF3, 0xD4, 0xED -+ }; -+ static const uint8_t crypt_expected[16] = { -+ 0x3C, 0x10, 0x37, 0x67, 0x96, 0x95, 0xF7, 0x96, -+ 0xAA, 0x03, 0xB9, 0xEA, 0xD6, 0xB3, 0xC3, 0x2D -+ }; -+ -+ uint8_t crypt[16]; -+ uint8_t decrypt[16]; -+ -+ des_crypt112_16(crypt, clear, key, 1); -+ assert_memory_equal(crypt, crypt_expected, 16); -+ -+ des_crypt112_16(decrypt, crypt, key, 0); -+ assert_memory_equal(decrypt, clear, 16); -+} -+ - static void torture_gnutls_sam_rid_crypt(void **state) - { - static const uint8_t clear[16] = { -@@ -408,6 +433,7 @@ int main(int argc, char *argv[]) - cmocka_unit_test(torture_gnutls_E_old_pw_hash), - cmocka_unit_test(torture_gnutls_des_crypt128), - cmocka_unit_test(torture_gnutls_des_crypt112), -+ cmocka_unit_test(torture_gnutls_des_crypt112_16), - cmocka_unit_test(torture_gnutls_sam_rid_crypt), - }; - --- -2.23.0 - 
diff --git a/SOURCES/0172-selftest-test-SMBsesskeygen_lm_sess_key.patch b/SOURCES/0172-selftest-test-SMBsesskeygen_lm_sess_key.patch deleted file mode 100644 index 35969c1..0000000 --- a/SOURCES/0172-selftest-test-SMBsesskeygen_lm_sess_key.patch +++ /dev/null 
@@ -1,56 +0,0 @@ -From dd0fb9bcd71e8fdf9d609c8d5e6c5d952f6ec63f Mon Sep 17 00:00:00 2001 -From: Isaac Boukris -Date: Wed, 20 Nov 2019 00:14:31 +0100 -Subject: [PATCH 172/187] selftest: test SMBsesskeygen_lm_sess_key - -Signed-off-by: Isaac Boukris -Reviewed-by: Andrew Bartlett -(cherry picked from commit 6c5f153e4793c0613dd843b1566bd27632912a7c) ---- - libcli/auth/tests/test_gnutls.c | 23 +++++++++++++++++++++++ - 1 file changed, 23 insertions(+) - -diff --git a/libcli/auth/tests/test_gnutls.c b/libcli/auth/tests/test_gnutls.c -index 2e6ed7ba98c..368c4f74640 100644 ---- a/libcli/auth/tests/test_gnutls.c -+++ b/libcli/auth/tests/test_gnutls.c -@@ -421,6 +421,28 @@ static void torture_gnutls_sam_rid_crypt(void **state) - assert_memory_equal(decrypt, clear, 16); - } - -+static void torture_gnutls_SMBsesskeygen_lm_sess_key(void **state) -+{ -+ static const uint8_t lm_hash[16] = { -+ 0xFB, 0x67, 0x99, 0xA4, 0x83, 0xF3, 0xD4, 0xED, -+ 0x9C, 0x14, 0xDD, 0xE1, 0x39, 0x23, 0xE0, 0x55 -+ }; -+ static const uint8_t lm_resp[24] = { -+ 0x02, 0xFA, 0x3B, 0xEE, 0xE8, 0xBA, 0x06, 0x01, -+ 0x02, 0xFA, 0x3B, 0xEE, 0xE8, 0xBA, 0x06, 0x01, -+ 0x1E, 0x38, 0x27, 0x5B, 0x3B, 0xB8, 0x67, 0xEB -+ }; -+ static const uint8_t crypt_expected[16] = { -+ 0x52, 0x8D, 0xB2, 0xD3, 0x89, 0x83, 0xFB, 0x9C, -+ 0x96, 0x45, 0x15, 0x4B, 0xC3, 0xF5, 0xD5, 0x7F -+ }; -+ -+ uint8_t crypt_sess_key[16]; -+ -+ SMBsesskeygen_lm_sess_key(lm_hash, lm_resp, crypt_sess_key); -+ assert_memory_equal(crypt_sess_key, crypt_expected, 16); -+} -+ - int main(int argc, char *argv[]) - { - int rc; -@@ -435,6 +457,7 @@ int main(int argc, char *argv[]) - cmocka_unit_test(torture_gnutls_des_crypt112), - cmocka_unit_test(torture_gnutls_des_crypt112_16), - cmocka_unit_test(torture_gnutls_sam_rid_crypt), -+ cmocka_unit_test(torture_gnutls_SMBsesskeygen_lm_sess_key), - }; - - if (argc == 2) { --- -2.23.0 - 
diff --git a/SOURCES/0173-selftest-test-sess_crypt_blob.patch b/SOURCES/0173-selftest-test-sess_crypt_blob.patch deleted file mode 100644 index 163d73e..0000000 --- a/SOURCES/0173-selftest-test-sess_crypt_blob.patch +++ /dev/null 
@@ -1,62 +0,0 @@ -From bb2986ee6b696da256698750e4e1df1a1b1cea0b Mon Sep 17 00:00:00 2001 -From: Isaac Boukris -Date: Wed, 20 Nov 2019 23:44:10 +0100 -Subject: [PATCH 173/187] selftest: test sess_crypt_blob - -Signed-off-by: Isaac Boukris -Reviewed-by: Andrew Bartlett -(cherry picked from commit 2c470c8035be6d70ce3fc8d1e12be284566a7037) ---- - libcli/auth/tests/test_gnutls.c | 29 +++++++++++++++++++++++++++++ - 1 file changed, 29 insertions(+) - -diff --git a/libcli/auth/tests/test_gnutls.c b/libcli/auth/tests/test_gnutls.c -index 368c4f74640..d9ce8a765cf 100644 ---- a/libcli/auth/tests/test_gnutls.c -+++ b/libcli/auth/tests/test_gnutls.c -@@ -443,6 +443,34 @@ static void torture_gnutls_SMBsesskeygen_lm_sess_key(void **state) - assert_memory_equal(crypt_sess_key, crypt_expected, 16); - } - -+static void torture_gnutls_sess_crypt_blob(void **state) -+{ -+ static uint8_t _key[16] = { -+ 0x1E, 0x38, 0x27, 0x5B, 0x3B, 0xB8, 0x67, 0xEB, -+ 0xFA, 0xEE, 0xE8, 0xBA, 0x06, 0x01, 0x2D, 0x95 -+ }; -+ DATA_BLOB key = data_blob_const(_key, 16); -+ static const uint8_t _clear[24] = { -+ 0x98, 0xFD, 0xCB, 0x3A, 0xF7, 0xB5, 0x1C, 0xF8, -+ 0x02, 0xFA, 0x3B, 0xEE, 0xE8, 0xBA, 0x06, 0x01, -+ 0x3F, 0x49, 0x5B, 0x20, 0xA7, 0x84, 0xC2, 0x34 -+ }; -+ DATA_BLOB clear = data_blob_const(_clear, 24); -+ static const uint8_t crypt_expected[24] = { -+ 0x2B, 0xDD, 0x3B, 0xFA, 0x48, 0xC9, 0x63, 0x56, -+ 0xAE, 0x8B, 0x3E, 0xCF, 0xEF, 0xDF, 0x7A, 0x42, -+ 0xB3, 0x00, 0x71, 0x7F, 0x5D, 0x1D, 0xE4, 0x70 -+ }; -+ DATA_BLOB crypt = data_blob(NULL, 24); -+ DATA_BLOB decrypt = data_blob(NULL, 24); -+ -+ sess_crypt_blob(&crypt, &clear, &key, true); -+ assert_memory_equal(crypt.data, crypt_expected, 24); -+ -+ sess_crypt_blob(&decrypt, &crypt, &key, false); -+ assert_memory_equal(decrypt.data, clear.data, 24); -+} -+ - int main(int argc, char *argv[]) - { - int rc; -@@ -458,6 +486,7 @@ int main(int argc, char *argv[]) - cmocka_unit_test(torture_gnutls_des_crypt112_16), - 
cmocka_unit_test(torture_gnutls_sam_rid_crypt), - cmocka_unit_test(torture_gnutls_SMBsesskeygen_lm_sess_key), -+ cmocka_unit_test(torture_gnutls_sess_crypt_blob), - }; - - if (argc == 2) { --- -2.23.0 - diff --git a/SOURCES/0174-smbdes-add-des_crypt56_gnutls-using-DES-CBC-with-zer.patch b/SOURCES/0174-smbdes-add-des_crypt56_gnutls-using-DES-CBC-with-zer.patch deleted file mode 100644 index f994535..0000000 --- a/SOURCES/0174-smbdes-add-des_crypt56_gnutls-using-DES-CBC-with-zer.patch +++ /dev/null 
@@ -1,184 +0,0 @@ -From 806c921c8be6d76bb8d01cf290112bceca513b42 Mon Sep 17 00:00:00 2001 -From: Isaac Boukris -Date: Sat, 19 Oct 2019 23:48:19 +0300 -Subject: [PATCH 174/187] smbdes: add des_crypt56_gnutls() using DES-CBC with - zeroed IV - -Signed-off-by: Isaac Boukris -Reviewed-by: Andrew Bartlett -(cherry picked from commit 0f855f1ab955e3ecf47689c5e4578eb67ebe8f27) ---- - libcli/auth/proto.h | 4 +++ - libcli/auth/smbdes.c | 57 ++++++++++++++++++++++++++++++++ - libcli/auth/tests/test_gnutls.c | 9 +++++ - libcli/auth/wscript_build | 2 +- - source3/passdb/wscript_build | 2 +- - source3/rpc_server/wscript_build | 3 +- - 6 files changed, 74 insertions(+), 3 deletions(-) - -diff --git a/libcli/auth/proto.h b/libcli/auth/proto.h -index eb725c83d15..e7c9923abf3 100644 ---- a/libcli/auth/proto.h -+++ b/libcli/auth/proto.h -@@ -4,6 +4,8 @@ - #undef _PRINTF_ATTRIBUTE - #define _PRINTF_ATTRIBUTE(a1, a2) PRINTF_ATTRIBUTE(a1, a2) - -+#include "lib/crypto/gnutls_helpers.h" -+ - /* this file contains prototypes for functions that are private - * to this subsystem or library. These functions should not be - * used outside this particular subsystem! 
*/ -@@ -217,6 +219,8 @@ WERROR decode_wkssvc_join_password_buffer(TALLOC_CTX *mem_ctx, - /* The following definitions come from /home/jeremy/src/samba/git/master/source3/../source4/../libcli/auth/smbdes.c */ - - void des_crypt56(uint8_t out[8], const uint8_t in[8], const uint8_t key[7], int forw); -+int des_crypt56_gnutls(uint8_t out[8], const uint8_t in[8], const uint8_t key[7], -+ enum samba_gnutls_direction encrypt); - void E_P16(const uint8_t *p14,uint8_t *p16); - void E_P24(const uint8_t *p21, const uint8_t *c8, uint8_t *p24); - void D_P16(const uint8_t *p14, const uint8_t *in, uint8_t *out); -diff --git a/libcli/auth/smbdes.c b/libcli/auth/smbdes.c -index 59cb45d81f0..f384ef132a7 100644 ---- a/libcli/auth/smbdes.c -+++ b/libcli/auth/smbdes.c -@@ -23,6 +23,9 @@ - #include "includes.h" - #include "libcli/auth/libcli_auth.h" - -+#include -+#include -+ - /* NOTES: - - This code makes no attempt to be fast! In fact, it is a very -@@ -273,6 +276,60 @@ static void str_to_key(const uint8_t *str,uint8_t *key) - } - } - -+int des_crypt56_gnutls(uint8_t out[8], const uint8_t in[8], -+ const uint8_t key_in[7], -+ enum samba_gnutls_direction encrypt) -+{ -+ /* -+ * A single block DES-CBC op, with an all-zero IV is the same as DES -+ * because the IV is combined with the data using XOR. -+ * This allows us to use GNUTLS_CIPHER_DES_CBC from GnuTLS and not -+ * implement single-DES in Samba. -+ * -+ * In turn this is used to build DES-ECB, which is used -+ * for example in the NTLM challenge/response calculation. 
-+ */ -+ static const uint8_t iv8[8]; -+ gnutls_datum_t iv = { discard_const(iv8), 8 }; -+ gnutls_datum_t key; -+ gnutls_cipher_hd_t ctx; -+ uint8_t key2[8]; -+ uint8_t outb[8]; -+ int ret; -+ -+ memset(out, 0, 8); -+ -+ str_to_key(key_in, key2); -+ -+ key.data = key2; -+ key.size = 8; -+ -+ ret = gnutls_global_init(); -+ if (ret != 0) { -+ return ret; -+ } -+ -+ ret = gnutls_cipher_init(&ctx, GNUTLS_CIPHER_DES_CBC, &key, &iv); -+ if (ret != 0) { -+ return ret; -+ } -+ -+ memcpy(outb, in, 8); -+ if (encrypt == SAMBA_GNUTLS_ENCRYPT) { -+ ret = gnutls_cipher_encrypt(ctx, outb, 8); -+ } else { -+ ret = gnutls_cipher_decrypt(ctx, outb, 8); -+ } -+ -+ if (ret == 0) { -+ memcpy(out, outb, 8); -+ } -+ -+ gnutls_cipher_deinit(ctx); -+ -+ return ret; -+} -+ - /* - basic des crypt using a 56 bit (7 byte) key - */ -diff --git a/libcli/auth/tests/test_gnutls.c b/libcli/auth/tests/test_gnutls.c -index d9ce8a765cf..121848341e6 100644 ---- a/libcli/auth/tests/test_gnutls.c -+++ b/libcli/auth/tests/test_gnutls.c -@@ -242,12 +242,21 @@ static void torture_gnutls_des_crypt56(void **state) - - uint8_t crypt[8]; - uint8_t decrypt[8]; -+ int rc; - - des_crypt56(crypt, clear, key, 1); - assert_memory_equal(crypt, crypt_expected, 8); - - des_crypt56(decrypt, crypt, key, 0); - assert_memory_equal(decrypt, clear, 8); -+ -+ rc = des_crypt56_gnutls(crypt, clear, key, SAMBA_GNUTLS_ENCRYPT); -+ assert_int_equal(rc, 0); -+ assert_memory_equal(crypt, crypt_expected, 8); -+ -+ rc = des_crypt56_gnutls(decrypt, crypt, key, SAMBA_GNUTLS_DECRYPT); -+ assert_int_equal(rc, 0); -+ assert_memory_equal(decrypt, clear, 8); - } - - static void torture_gnutls_E_P16(void **state) -diff --git a/libcli/auth/wscript_build b/libcli/auth/wscript_build -index 8e856d07ddf..0a3de9a1f7b 100644 ---- a/libcli/auth/wscript_build -+++ b/libcli/auth/wscript_build -@@ -13,7 +13,7 @@ bld.SAMBA_SUBSYSTEM('MSRPC_PARSE', - - bld.SAMBA_SUBSYSTEM('NTLM_CHECK', - source='ntlm_check.c', -- deps = 'talloc' -+ deps = 'talloc 
LIBCLI_AUTH' - ) - - bld.SAMBA_SUBSYSTEM('LIBCLI_AUTH', -diff --git a/source3/passdb/wscript_build b/source3/passdb/wscript_build -index faa0cc4b495..7facc1fed79 100644 ---- a/source3/passdb/wscript_build -+++ b/source3/passdb/wscript_build -@@ -10,7 +10,7 @@ bld.SAMBA3_MODULE('pdb_tdbsam', - - bld.SAMBA3_MODULE('pdb_ldapsam', - subsystem='pdb', -- deps='smbldap smbldaphelper', -+ deps='smbldap smbldaphelper LIBCLI_AUTH', - source='pdb_ldap.c pdb_nds.c', - init_function='', - internal_module=bld.SAMBA3_IS_STATIC_MODULE('pdb_ldapsam'), -diff --git a/source3/rpc_server/wscript_build b/source3/rpc_server/wscript_build -index 3dec6ee3f5b..357d9c3a29f 100644 ---- a/source3/rpc_server/wscript_build -+++ b/source3/rpc_server/wscript_build -@@ -86,7 +86,8 @@ bld.SAMBA3_SUBSYSTEM('RPC_NETDFS', - - bld.SAMBA3_SUBSYSTEM('RPC_NETLOGON', - source='''netlogon/srv_netlog_nt.c -- ../../librpc/gen_ndr/srv_netlogon.c''') -+ ../../librpc/gen_ndr/srv_netlogon.c''', -+ deps='LIBCLI_AUTH') - - bld.SAMBA3_SUBSYSTEM('RPC_NTSVCS', - source='''ntsvcs/srv_ntsvcs_nt.c --- -2.23.0 - diff --git a/SOURCES/0175-netlogon_creds_des_encrypt-decrypt_LMKey-use-gnutls-.patch b/SOURCES/0175-netlogon_creds_des_encrypt-decrypt_LMKey-use-gnutls-.patch deleted file mode 100644 index 946a937..0000000 --- a/SOURCES/0175-netlogon_creds_des_encrypt-decrypt_LMKey-use-gnutls-.patch +++ /dev/null 
@@ -1,103 +0,0 @@ -From a3d360ba0c46c077643559b4eee9df632080ef1a Mon Sep 17 00:00:00 2001 -From: Isaac Boukris -Date: Thu, 7 Nov 2019 12:53:52 +0100 -Subject: [PATCH 175/187] netlogon_creds_des_encrypt/decrypt_LMKey: use gnutls - and return NTSTATUS - -Signed-off-by: Isaac Boukris -Reviewed-by: Andrew Bartlett -(cherry picked from commit 38189f76d8b958fff8a6351f3fb21f6ed04b76da) ---- - libcli/auth/credentials.c | 36 +++++++++++++++++++++++++++--------- - libcli/auth/proto.h | 6 ++++-- - 2 files changed, 31 insertions(+), 11 deletions(-) - -diff --git a/libcli/auth/credentials.c b/libcli/auth/credentials.c -index f1088a1d8e0..d9237f3875b 100644 ---- a/libcli/auth/credentials.c -+++ b/libcli/auth/credentials.c -@@ -253,25 +253,40 @@ static NTSTATUS netlogon_creds_step(struct netlogon_creds_CredentialState *creds - return NT_STATUS_OK; - } - -- - /* - DES encrypt a 8 byte LMSessionKey buffer using the Netlogon session key - */ --void netlogon_creds_des_encrypt_LMKey(struct netlogon_creds_CredentialState *creds, struct netr_LMSessionKey *key) -+NTSTATUS netlogon_creds_des_encrypt_LMKey(struct netlogon_creds_CredentialState *creds, -+ struct netr_LMSessionKey *key) - { -+ int rc; - struct netr_LMSessionKey tmp; -- des_crypt56(tmp.key, key->key, creds->session_key, 1); -+ -+ rc = des_crypt56_gnutls(tmp.key, key->key, creds->session_key, SAMBA_GNUTLS_ENCRYPT); -+ if (rc < 0) { -+ return gnutls_error_to_ntstatus(rc, NT_STATUS_ACCESS_DISABLED_BY_POLICY_OTHER); -+ } - *key = tmp; -+ -+ return NT_STATUS_OK; - } - - /* - DES decrypt a 8 byte LMSessionKey buffer using the Netlogon session key - */ --void netlogon_creds_des_decrypt_LMKey(struct netlogon_creds_CredentialState *creds, struct netr_LMSessionKey *key) -+NTSTATUS netlogon_creds_des_decrypt_LMKey(struct netlogon_creds_CredentialState *creds, -+ struct netr_LMSessionKey *key) - { -+ int rc; - struct netr_LMSessionKey tmp; -- des_crypt56(tmp.key, key->key, creds->session_key, 0); -+ -+ rc = des_crypt56_gnutls(tmp.key, 
key->key, creds->session_key, SAMBA_GNUTLS_DECRYPT); -+ if (rc < 0) { -+ return gnutls_error_to_ntstatus(rc, NT_STATUS_ACCESS_DISABLED_BY_POLICY_OTHER); -+ } - *key = tmp; -+ -+ return NT_STATUS_OK; - } - - /* -@@ -849,11 +864,14 @@ static NTSTATUS netlogon_creds_crypt_samlogon_validation(struct netlogon_creds_C - if (!all_zero(base->LMSessKey.key, - sizeof(base->LMSessKey.key))) { - if (do_encrypt) { -- netlogon_creds_des_encrypt_LMKey(creds, -- &base->LMSessKey); -+ status = netlogon_creds_des_encrypt_LMKey(creds, -+ &base->LMSessKey); - } else { -- netlogon_creds_des_decrypt_LMKey(creds, -- &base->LMSessKey); -+ status = netlogon_creds_des_decrypt_LMKey(creds, -+ &base->LMSessKey); -+ } -+ if (!NT_STATUS_IS_OK(status)) { -+ return status; - } - } - } -diff --git a/libcli/auth/proto.h b/libcli/auth/proto.h -index e7c9923abf3..4a817e210b2 100644 ---- a/libcli/auth/proto.h -+++ b/libcli/auth/proto.h -@@ -13,8 +13,10 @@ - - /* The following definitions come from /home/jeremy/src/samba/git/master/source3/../source4/../libcli/auth/credentials.c */ - --void netlogon_creds_des_encrypt_LMKey(struct netlogon_creds_CredentialState *creds, struct netr_LMSessionKey *key); --void netlogon_creds_des_decrypt_LMKey(struct netlogon_creds_CredentialState *creds, struct netr_LMSessionKey *key); -+NTSTATUS netlogon_creds_des_encrypt_LMKey(struct netlogon_creds_CredentialState *creds, -+ struct netr_LMSessionKey *key); -+NTSTATUS netlogon_creds_des_decrypt_LMKey(struct netlogon_creds_CredentialState *creds, -+ struct netr_LMSessionKey *key); - void netlogon_creds_des_encrypt(struct netlogon_creds_CredentialState *creds, struct samr_Password *pass); - void netlogon_creds_des_decrypt(struct netlogon_creds_CredentialState *creds, struct samr_Password *pass); - NTSTATUS netlogon_creds_arcfour_crypt(struct netlogon_creds_CredentialState *creds, --- -2.23.0 - 
diff --git a/SOURCES/0176-SMBsesskeygen_lm_sess_key-use-gnutls-and-return-NTST.patch b/SOURCES/0176-SMBsesskeygen_lm_sess_key-use-gnutls-and-return-NTST.patch deleted file mode 100644 index 041d132..0000000 --- a/SOURCES/0176-SMBsesskeygen_lm_sess_key-use-gnutls-and-return-NTST.patch +++ /dev/null 
@@ -1,159 +0,0 @@ -From 404e810a0e3ea7a86c3efad7711f55abec6d2d0c Mon Sep 17 00:00:00 2001 -From: Isaac Boukris -Date: Thu, 7 Nov 2019 13:39:20 +0100 -Subject: [PATCH 176/187] SMBsesskeygen_lm_sess_key: use gnutls and return - NTSTATUS - -Signed-off-by: Isaac Boukris -Reviewed-by: Andrew Bartlett -(cherry picked from commit bbcf568f317960229caa7486322858093f5d0d04) ---- - auth/ntlmssp/ntlmssp_client.c | 16 ++++++++++++---- - auth/ntlmssp/ntlmssp_server.c | 15 +++++++++++---- - libcli/auth/proto.h | 6 +++--- - libcli/auth/smbencrypt.c | 15 ++++++++++++--- - libcli/auth/tests/test_gnutls.c | 4 +++- - 5 files changed, 41 insertions(+), 15 deletions(-) - -diff --git a/auth/ntlmssp/ntlmssp_client.c b/auth/ntlmssp/ntlmssp_client.c -index 2a80feb4fed..58e4e3d6f42 100644 ---- a/auth/ntlmssp/ntlmssp_client.c -+++ b/auth/ntlmssp/ntlmssp_client.c -@@ -673,12 +673,20 @@ NTSTATUS ntlmssp_client_challenge(struct gensec_security *gensec_security, - && ntlmssp_state->allow_lm_key && lm_session_key.length == 16) { - DATA_BLOB new_session_key = data_blob_talloc(mem_ctx, NULL, 16); - if (lm_response.length == 24) { -- SMBsesskeygen_lm_sess_key(lm_session_key.data, lm_response.data, -- new_session_key.data); -+ nt_status = SMBsesskeygen_lm_sess_key(lm_session_key.data, -+ lm_response.data, -+ new_session_key.data); -+ if (!NT_STATUS_IS_OK(nt_status)) { -+ return nt_status; -+ } - } else { - static const uint8_t zeros[24]; -- SMBsesskeygen_lm_sess_key(lm_session_key.data, zeros, -- new_session_key.data); -+ nt_status = SMBsesskeygen_lm_sess_key(lm_session_key.data, -+ zeros, -+ new_session_key.data); -+ if (!NT_STATUS_IS_OK(nt_status)) { -+ return nt_status; -+ } - } - session_key = new_session_key; - dump_data_pw("LM session key\n", session_key.data, session_key.length); -diff --git a/auth/ntlmssp/ntlmssp_server.c b/auth/ntlmssp/ntlmssp_server.c -index 5a56a4db99f..29559b3fe02 100644 ---- a/auth/ntlmssp/ntlmssp_server.c -+++ b/auth/ntlmssp/ntlmssp_server.c -@@ -970,8 +970,12 @@ static 
NTSTATUS ntlmssp_server_postauth(struct gensec_security *gensec_security, - if (session_key.data == NULL) { - return NT_STATUS_NO_MEMORY; - } -- SMBsesskeygen_lm_sess_key(lm_session_key.data, ntlmssp_state->lm_resp.data, -- session_key.data); -+ nt_status = SMBsesskeygen_lm_sess_key(lm_session_key.data, -+ ntlmssp_state->lm_resp.data, -+ session_key.data); -+ if (!NT_STATUS_IS_OK(nt_status)) { -+ return nt_status; -+ } - DEBUG(10,("ntlmssp_server_auth: Created NTLM session key.\n")); - } else { - static const uint8_t zeros[24] = {0, }; -@@ -980,8 +984,11 @@ static NTSTATUS ntlmssp_server_postauth(struct gensec_security *gensec_security, - if (session_key.data == NULL) { - return NT_STATUS_NO_MEMORY; - } -- SMBsesskeygen_lm_sess_key(zeros, zeros, -- session_key.data); -+ nt_status = SMBsesskeygen_lm_sess_key(zeros, zeros, -+ session_key.data); -+ if (!NT_STATUS_IS_OK(nt_status)) { -+ return nt_status; -+ } - DEBUG(10,("ntlmssp_server_auth: Created NTLM session key.\n")); - } - dump_data_pw("LM session key:\n", session_key.data, -diff --git a/libcli/auth/proto.h b/libcli/auth/proto.h -index 4a817e210b2..b7a976c048b 100644 ---- a/libcli/auth/proto.h -+++ b/libcli/auth/proto.h -@@ -140,9 +140,9 @@ NTSTATUS SMBsesskeygen_ntv2(const uint8_t kr[16], - const uint8_t *nt_resp, - uint8_t sess_key[16]); - void SMBsesskeygen_ntv1(const uint8_t kr[16], uint8_t sess_key[16]); --void SMBsesskeygen_lm_sess_key(const uint8_t lm_hash[16], -- const uint8_t lm_resp[24], /* only uses 8 */ -- uint8_t sess_key[16]); -+NTSTATUS SMBsesskeygen_lm_sess_key(const uint8_t lm_hash[16], -+ const uint8_t lm_resp[24], /* only uses 8 */ -+ uint8_t sess_key[16]); - DATA_BLOB NTLMv2_generate_names_blob(TALLOC_CTX *mem_ctx, - const char *hostname, - const char *domain); -diff --git a/libcli/auth/smbencrypt.c b/libcli/auth/smbencrypt.c -index ab2c47ad9bb..b1d4f985ecf 100644 ---- a/libcli/auth/smbencrypt.c -+++ b/libcli/auth/smbencrypt.c -@@ -380,7 +380,7 @@ void SMBsesskeygen_ntv1(const uint8_t kr[16], 
uint8_t sess_key[16]) - #endif - } - --void SMBsesskeygen_lm_sess_key(const uint8_t lm_hash[16], -+NTSTATUS SMBsesskeygen_lm_sess_key(const uint8_t lm_hash[16], - const uint8_t lm_resp[24], /* only uses 8 */ - uint8_t sess_key[16]) - { -@@ -388,12 +388,19 @@ void SMBsesskeygen_lm_sess_key(const uint8_t lm_hash[16], - but changes with each session) */ - uint8_t p24[24]; - uint8_t partial_lm_hash[14]; -+ int rc; - - memcpy(partial_lm_hash, lm_hash, 8); - memset(partial_lm_hash + 8, 0xbd, 6); - -- des_crypt56(p24, lm_resp, partial_lm_hash, 1); -- des_crypt56(p24+8, lm_resp, partial_lm_hash + 7, 1); -+ rc = des_crypt56_gnutls(p24, lm_resp, partial_lm_hash, SAMBA_GNUTLS_ENCRYPT); -+ if (rc < 0) { -+ return gnutls_error_to_ntstatus(rc, NT_STATUS_ACCESS_DISABLED_BY_POLICY_OTHER); -+ } -+ rc = des_crypt56_gnutls(p24+8, lm_resp, partial_lm_hash + 7, SAMBA_GNUTLS_ENCRYPT); -+ if (rc < 0) { -+ return gnutls_error_to_ntstatus(rc, NT_STATUS_ACCESS_DISABLED_BY_POLICY_OTHER); -+ } - - memcpy(sess_key, p24, 16); - -@@ -401,6 +408,8 @@ void SMBsesskeygen_lm_sess_key(const uint8_t lm_hash[16], - DEBUG(100, ("SMBsesskeygen_lm_sess_key: \n")); - dump_data(100, sess_key, 16); - #endif -+ -+ return NT_STATUS_OK; - } - - DATA_BLOB NTLMv2_generate_names_blob(TALLOC_CTX *mem_ctx, -diff --git a/libcli/auth/tests/test_gnutls.c b/libcli/auth/tests/test_gnutls.c -index 121848341e6..5bb75c2bab2 100644 ---- a/libcli/auth/tests/test_gnutls.c -+++ b/libcli/auth/tests/test_gnutls.c -@@ -447,8 +447,10 @@ static void torture_gnutls_SMBsesskeygen_lm_sess_key(void **state) - }; - - uint8_t crypt_sess_key[16]; -+ NTSTATUS status; - -- SMBsesskeygen_lm_sess_key(lm_hash, lm_resp, crypt_sess_key); -+ status = SMBsesskeygen_lm_sess_key(lm_hash, lm_resp, crypt_sess_key); -+ assert_true(NT_STATUS_IS_OK(status)); - assert_memory_equal(crypt_sess_key, crypt_expected, 16); - } - --- -2.23.0 - 
diff --git a/SOURCES/0177-smbdes-convert-sam_rid_crypt-to-use-gnutls.patch b/SOURCES/0177-smbdes-convert-sam_rid_crypt-to-use-gnutls.patch
deleted file mode 100644
index c3c1011..0000000
--- a/SOURCES/0177-smbdes-convert-sam_rid_crypt-to-use-gnutls.patch
+++ /dev/null
@@ -1,197 +0,0 @@ -From 4b4197975987be299535e6c78958c81ae2c63334 Mon Sep 17 00:00:00 2001 -From: Isaac Boukris -Date: Thu, 7 Nov 2019 18:40:03 +0100 -Subject: [PATCH 177/187] smbdes: convert sam_rid_crypt() to use gnutls - -Signed-off-by: Isaac Boukris -Reviewed-by: Andrew Bartlett -(cherry picked from commit ecee1998034b84026ab604dbe4400d9e53dcafd4) ---- - libcli/auth/proto.h | 3 ++- - libcli/auth/smbdes.c | 11 +++++++--- - libcli/auth/tests/test_gnutls.c | 7 +++++-- - libcli/drsuapi/repl_decrypt.c | 16 +++++++++++++-- - libcli/samsync/decrypt.c | 36 +++++++++++++++++++++++++-------- - 5 files changed, 57 insertions(+), 16 deletions(-) - -diff --git a/libcli/auth/proto.h b/libcli/auth/proto.h -index b7a976c048b..7dad549fc43 100644 ---- a/libcli/auth/proto.h -+++ b/libcli/auth/proto.h -@@ -230,7 +230,8 @@ void E_old_pw_hash( uint8_t *p14, const uint8_t *in, uint8_t *out); - void des_crypt128(uint8_t out[8], const uint8_t in[8], const uint8_t key[16]); - void des_crypt112(uint8_t out[8], const uint8_t in[8], const uint8_t key[14], int forw); - void des_crypt112_16(uint8_t out[16], const uint8_t in[16], const uint8_t key[14], int forw); --void sam_rid_crypt(unsigned int rid, const uint8_t *in, uint8_t *out, int forw); -+int sam_rid_crypt(unsigned int rid, const uint8_t *in, uint8_t *out, -+ enum samba_gnutls_direction encrypt); - #undef _PRINTF_ATTRIBUTE - #define _PRINTF_ATTRIBUTE(a1, a2) - -diff --git a/libcli/auth/smbdes.c b/libcli/auth/smbdes.c -index f384ef132a7..fe397592fbb 100644 ---- a/libcli/auth/smbdes.c -+++ b/libcli/auth/smbdes.c -@@ -418,15 +418,20 @@ void des_crypt112_16(uint8_t out[16], const uint8_t in[16], const uint8_t key[14 - /* Decode a sam password hash into a password. The password hash is the - same method used to store passwords in the NT registry. The DES key - used is based on the RID of the user. 
*/ --void sam_rid_crypt(unsigned int rid, const uint8_t *in, uint8_t *out, int forw) -+int sam_rid_crypt(unsigned int rid, const uint8_t *in, uint8_t *out, -+ enum samba_gnutls_direction encrypt) - { - uint8_t s[14]; -+ int ret; - - s[0] = s[4] = s[8] = s[12] = (uint8_t)(rid & 0xFF); - s[1] = s[5] = s[9] = s[13] = (uint8_t)((rid >> 8) & 0xFF); - s[2] = s[6] = s[10] = (uint8_t)((rid >> 16) & 0xFF); - s[3] = s[7] = s[11] = (uint8_t)((rid >> 24) & 0xFF); - -- des_crypt56(out, in, s, forw); -- des_crypt56(out+8, in+8, s+7, forw); -+ ret = des_crypt56_gnutls(out, in, s, encrypt); -+ if (ret != 0) { -+ return ret; -+ } -+ return des_crypt56_gnutls(out+8, in+8, s+7, encrypt); - } -diff --git a/libcli/auth/tests/test_gnutls.c b/libcli/auth/tests/test_gnutls.c -index 5bb75c2bab2..f603fa819e8 100644 ---- a/libcli/auth/tests/test_gnutls.c -+++ b/libcli/auth/tests/test_gnutls.c -@@ -422,11 +422,14 @@ static void torture_gnutls_sam_rid_crypt(void **state) - uint8_t crypt[16]; - uint8_t decrypt[16]; - int rid = 500; -+ int rc; - -- sam_rid_crypt(rid, clear, crypt, 1); -+ rc = sam_rid_crypt(rid, clear, crypt, SAMBA_GNUTLS_ENCRYPT); -+ assert_int_equal(rc, 0); - assert_memory_equal(crypt, crypt_expected, 16); - -- sam_rid_crypt(rid, crypt, decrypt, 0); -+ rc = sam_rid_crypt(rid, crypt, decrypt, SAMBA_GNUTLS_DECRYPT); -+ assert_int_equal(rc, 0); - assert_memory_equal(decrypt, clear, 16); - } - -diff --git a/libcli/drsuapi/repl_decrypt.c b/libcli/drsuapi/repl_decrypt.c -index 83275360c7d..30b3c64379f 100644 ---- a/libcli/drsuapi/repl_decrypt.c -+++ b/libcli/drsuapi/repl_decrypt.c -@@ -135,7 +135,13 @@ static WERROR drsuapi_decrypt_attribute_value(TALLOC_CTX *mem_ctx, - num_hashes = plain_buffer.length / 16; - for (i = 0; i < num_hashes; i++) { - uint32_t offset = i * 16; -- sam_rid_crypt(rid, checked_buffer.data + offset, plain_buffer.data + offset, 0); -+ rc = sam_rid_crypt(rid, checked_buffer.data + offset, -+ plain_buffer.data + offset, -+ SAMBA_GNUTLS_DECRYPT); -+ if (rc != 0) { 
-+ result = gnutls_error_to_werror(rc, WERR_INTERNAL_ERROR); -+ goto out; -+ } - } - } - -@@ -255,7 +261,13 @@ static WERROR drsuapi_encrypt_attribute_value(TALLOC_CTX *mem_ctx, - num_hashes = rid_crypt_out.length / 16; - for (i = 0; i < num_hashes; i++) { - uint32_t offset = i * 16; -- sam_rid_crypt(rid, in->data + offset, rid_crypt_out.data + offset, 1); -+ rc = sam_rid_crypt(rid, in->data + offset, -+ rid_crypt_out.data + offset, -+ SAMBA_GNUTLS_ENCRYPT); -+ if (rc != 0) { -+ result = gnutls_error_to_werror(rc, WERR_INTERNAL_ERROR); -+ goto out; -+ } - } - in = &rid_crypt_out; - } -diff --git a/libcli/samsync/decrypt.c b/libcli/samsync/decrypt.c -index 5cda966fb42..77ef93251bc 100644 ---- a/libcli/samsync/decrypt.c -+++ b/libcli/samsync/decrypt.c -@@ -25,6 +25,7 @@ - #include "../libcli/auth/libcli_auth.h" - #include "../libcli/samsync/samsync.h" - #include "librpc/gen_ndr/ndr_netlogon.h" -+#include "lib/crypto/gnutls_helpers.h" - - /** - * Decrypt and extract the user's passwords. -@@ -43,13 +44,19 @@ static NTSTATUS fix_user(TALLOC_CTX *mem_ctx, - struct netr_DELTA_USER *user = delta->delta_union.user; - struct samr_Password lm_hash; - struct samr_Password nt_hash; -+ int rc; - - /* Note that win2000 may send us all zeros - * for the hashes if it doesn't - * think this channel is secure enough. 
*/ - if (user->lm_password_present) { - if (!all_zero(user->lmpassword.hash, 16)) { -- sam_rid_crypt(rid, user->lmpassword.hash, lm_hash.hash, 0); -+ rc = sam_rid_crypt(rid, user->lmpassword.hash, -+ lm_hash.hash, SAMBA_GNUTLS_DECRYPT); -+ if (rc != 0) { -+ return gnutls_error_to_ntstatus(rc, -+ NT_STATUS_ACCESS_DISABLED_BY_POLICY_OTHER); -+ } - } else { - memset(lm_hash.hash, '\0', sizeof(lm_hash.hash)); - } -@@ -58,7 +65,12 @@ static NTSTATUS fix_user(TALLOC_CTX *mem_ctx, - - if (user->nt_password_present) { - if (!all_zero(user->ntpassword.hash, 16)) { -- sam_rid_crypt(rid, user->ntpassword.hash, nt_hash.hash, 0); -+ rc = sam_rid_crypt(rid, user->ntpassword.hash, -+ nt_hash.hash, SAMBA_GNUTLS_DECRYPT); -+ if (rc != 0) { -+ return gnutls_error_to_ntstatus(rc, -+ NT_STATUS_ACCESS_DISABLED_BY_POLICY_OTHER); -+ } - } else { - memset(nt_hash.hash, '\0', sizeof(nt_hash.hash)); - } -@@ -97,9 +109,13 @@ static NTSTATUS fix_user(TALLOC_CTX *mem_ctx, - if (keys.keys.keys2.lmpassword.length == 16) { - if (!all_zero(keys.keys.keys2.lmpassword.pwd.hash, - 16)) { -- sam_rid_crypt(rid, -- keys.keys.keys2.lmpassword.pwd.hash, -- lm_hash.hash, 0); -+ rc = sam_rid_crypt(rid, -+ keys.keys.keys2.lmpassword.pwd.hash, -+ lm_hash.hash, SAMBA_GNUTLS_DECRYPT); -+ if (rc != 0) { -+ return gnutls_error_to_ntstatus(rc, -+ NT_STATUS_ACCESS_DISABLED_BY_POLICY_OTHER); -+ } - } else { - memset(lm_hash.hash, '\0', sizeof(lm_hash.hash)); - } -@@ -109,9 +125,13 @@ static NTSTATUS fix_user(TALLOC_CTX *mem_ctx, - if (keys.keys.keys2.ntpassword.length == 16) { - if (!all_zero(keys.keys.keys2.ntpassword.pwd.hash, - 16)) { -- sam_rid_crypt(rid, -- keys.keys.keys2.ntpassword.pwd.hash, -- nt_hash.hash, 0); -+ rc = sam_rid_crypt(rid, -+ keys.keys.keys2.ntpassword.pwd.hash, -+ nt_hash.hash, SAMBA_GNUTLS_DECRYPT); -+ if (rc != 0) { -+ return gnutls_error_to_ntstatus(rc, -+ NT_STATUS_ACCESS_DISABLED_BY_POLICY_OTHER); -+ } - } else { - memset(nt_hash.hash, '\0', sizeof(nt_hash.hash)); - } --- -2.23.0 - 
diff --git a/SOURCES/0178-smbdes-convert-E_P16-to-use-gnutls.patch b/SOURCES/0178-smbdes-convert-E_P16-to-use-gnutls.patch
deleted file mode 100644
index 7592cb8..0000000
--- a/SOURCES/0178-smbdes-convert-E_P16-to-use-gnutls.patch
+++ /dev/null
@@ -1,96 +0,0 @@
-From 8fbf828c6b2e22f3ce56d7214156c75c73147e0c Mon Sep 17 00:00:00 2001
-From: Isaac Boukris
-Date: Thu, 7 Nov 2019 16:16:26 +0100
-Subject: [PATCH 178/187] smbdes: convert E_P16() to use gnutls
-
-Signed-off-by: Isaac Boukris
-Reviewed-by: Andrew Bartlett
-(cherry picked from commit 9fb6361a8b09fd575bab2f5572fa9e10bd538eed)
----
- libcli/auth/proto.h | 2 +-
- libcli/auth/smbdes.c | 12 +++++++++---
- libcli/auth/smbencrypt.c | 6 +++++-
- libcli/auth/tests/test_gnutls.c | 5 ++++-
- 4 files changed, 19 insertions(+), 6 deletions(-)
-
-diff --git a/libcli/auth/proto.h b/libcli/auth/proto.h
-index 7dad549fc43..9ae62efca31 100644
---- a/libcli/auth/proto.h
-+++ b/libcli/auth/proto.h
-@@ -223,7 +223,7 @@ WERROR decode_wkssvc_join_password_buffer(TALLOC_CTX *mem_ctx,
- void des_crypt56(uint8_t out[8], const uint8_t in[8], const uint8_t key[7], int forw);
- int des_crypt56_gnutls(uint8_t out[8], const uint8_t in[8], const uint8_t key[7],
- enum samba_gnutls_direction encrypt);
--void E_P16(const uint8_t *p14,uint8_t *p16);
-+int E_P16(const uint8_t *p14,uint8_t *p16);
- void E_P24(const uint8_t *p21, const uint8_t *c8, uint8_t *p24);
- void D_P16(const uint8_t *p14, const uint8_t *in, uint8_t *out);
- void E_old_pw_hash( uint8_t *p14, const uint8_t *in, uint8_t *out);
-diff --git a/libcli/auth/smbdes.c b/libcli/auth/smbdes.c
-index fe397592fbb..c0d10278179 100644
---- a/libcli/auth/smbdes.c
-+++ b/libcli/auth/smbdes.c
-@@ -361,11 +361,17 @@ void des_crypt56(uint8_t out[8], const uint8_t in[8], const uint8_t key[7], int
- }
- }
-
--void E_P16(const uint8_t *p14,uint8_t *p16)
-+int E_P16(const uint8_t *p14,uint8_t *p16)
- {
- const uint8_t sp8[8] = {0x4b, 0x47, 0x53, 0x21, 0x40, 0x23, 0x24, 0x25};
-- des_crypt56(p16, sp8, p14, 1);
-- des_crypt56(p16+8, sp8, p14+7, 1);
-+ int ret;
-+
-+ ret = des_crypt56_gnutls(p16, sp8, p14, SAMBA_GNUTLS_ENCRYPT);
-+ if (ret != 0) {
-+ return ret;
-+ }
-+
-+ return des_crypt56_gnutls(p16+8, sp8, p14+7, SAMBA_GNUTLS_ENCRYPT);
- }
-
- void E_P24(const uint8_t *p21, const uint8_t *c8, uint8_t *p24)
-diff --git a/libcli/auth/smbencrypt.c b/libcli/auth/smbencrypt.c
-index b1d4f985ecf..f2f446eda97 100644
---- a/libcli/auth/smbencrypt.c
-+++ b/libcli/auth/smbencrypt.c
-@@ -105,6 +105,7 @@ bool E_md4hash(const char *passwd, uint8_t p16[16])
- bool E_deshash(const char *passwd, uint8_t p16[16])
- {
- bool ret;
-+ int rc;
- uint8_t dospwd[14];
- TALLOC_CTX *frame = talloc_stackframe();
-
-@@ -133,7 +134,10 @@ bool E_deshash(const char *passwd, uint8_t p16[16])
- * case to avoid returning a fixed 'password' buffer, but
- * callers should not use it when E_deshash returns false */
-
-- E_P16((const uint8_t *)dospwd, p16);
-+ rc = E_P16((const uint8_t *)dospwd, p16);
-+ if (rc != 0) {
-+ ret = false;
-+ }
-
- ZERO_STRUCT(dospwd);
-
-diff --git a/libcli/auth/tests/test_gnutls.c b/libcli/auth/tests/test_gnutls.c
-index f603fa819e8..a6e8fd5b352 100644
---- a/libcli/auth/tests/test_gnutls.c
-+++ b/libcli/auth/tests/test_gnutls.c
-@@ -274,7 +274,10 @@ static void torture_gnutls_E_P16(void **state)
- 0x1D, 0xEA, 0xD9, 0xFF, 0xB0, 0xA9, 0xA4, 0x05
- };
-
-- E_P16(key, buffer);
-+ int rc;
-+
-+ rc = E_P16(key, buffer);
-+ assert_int_equal(rc, 0);
- assert_memory_equal(buffer, crypt_expected, 16);
- }
---
-2.23.0
-
diff --git a/SOURCES/0179-smbdes-remove-D_P16-not-used.patch b/SOURCES/0179-smbdes-remove-D_P16-not-used.patch
deleted file mode 100644
index 06e777a..0000000
--- a/SOURCES/0179-smbdes-remove-D_P16-not-used.patch
+++ /dev/null
@@ -1,45 +0,0 @@
-From 4f4e9952664e23b5aea4816ac2fda311415719de Mon Sep 17 00:00:00 2001
-From: Isaac Boukris
-Date: Fri, 8 Nov 2019 12:04:48 +0100
-Subject: [PATCH 179/187] smbdes: remove D_P16() (not used)
-
-Signed-off-by: Isaac Boukris
-Reviewed-by: Andrew Bartlett
-(cherry picked from commit 2eef12904f2c08257394a2ee869960f7c2e09112)
----
- libcli/auth/proto.h | 1 -
- libcli/auth/smbdes.c | 6 ------
- 2 files changed, 7 deletions(-)
-
-diff --git a/libcli/auth/proto.h b/libcli/auth/proto.h
-index 9ae62efca31..212b46bb0e8 100644
---- a/libcli/auth/proto.h
-+++ b/libcli/auth/proto.h
-@@ -225,7 +225,6 @@ int des_crypt56_gnutls(uint8_t out[8], const uint8_t in[8], const uint8_t key[7]
- enum samba_gnutls_direction encrypt);
- int E_P16(const uint8_t *p14,uint8_t *p16);
- void E_P24(const uint8_t *p21, const uint8_t *c8, uint8_t *p24);
--void D_P16(const uint8_t *p14, const uint8_t *in, uint8_t *out);
- void E_old_pw_hash( uint8_t *p14, const uint8_t *in, uint8_t *out);
- void des_crypt128(uint8_t out[8], const uint8_t in[8], const uint8_t key[16]);
- void des_crypt112(uint8_t out[8], const uint8_t in[8], const uint8_t key[14], int forw);
-diff --git a/libcli/auth/smbdes.c b/libcli/auth/smbdes.c
-index c0d10278179..46fd5849f5b 100644
---- a/libcli/auth/smbdes.c
-+++ b/libcli/auth/smbdes.c
-@@ -381,12 +381,6 @@ void E_P24(const uint8_t *p21, const uint8_t *c8, uint8_t *p24)
- des_crypt56(p24+16, c8, p21+14, 1);
- }
-
--void D_P16(const uint8_t *p14, const uint8_t *in, uint8_t *out)
--{
-- des_crypt56(out, in, p14, 0);
-- des_crypt56(out+8, in+8, p14+7, 0);
--}
--
- void E_old_pw_hash( uint8_t *p14, const uint8_t *in, uint8_t *out)
- {
- des_crypt56(out, in, p14, 1);
---
-2.23.0
-
diff --git a/SOURCES/0180-smbdes-convert-E_P24-and-SMBOWFencrypt-to-use-gnutls.patch b/SOURCES/0180-smbdes-convert-E_P24-and-SMBOWFencrypt-to-use-gnutls.patch
deleted file mode 100644
index 0133983..0000000
--- a/SOURCES/0180-smbdes-convert-E_P24-and-SMBOWFencrypt-to-use-gnutls.patch
+++ /dev/null
@@ -1,519 +0,0 @@ -From 9d3ec4680cb1d460650cab011ab17f12c9cd0d69 Mon Sep 17 00:00:00 2001 -From: Isaac Boukris -Date: Fri, 8 Nov 2019 15:40:01 +0100 -Subject: [PATCH 180/187] smbdes: convert E_P24() and SMBOWFencrypt to use - gnutls - -Signed-off-by: Isaac Boukris -Reviewed-by: Andrew Bartlett -(cherry picked from commit a5548af018643f2e78c482e33ef0e6073db149e4) ---- - auth/credentials/credentials_ntlm.c | 31 ++++++++++++++++++++--------- - libcli/auth/ntlm_check.c | 6 +++++- - libcli/auth/proto.h | 10 +++++----- - libcli/auth/smbdes.c | 18 +++++++++++++---- - libcli/auth/smbencrypt.c | 28 +++++++++++++++++--------- - libcli/auth/tests/test_gnutls.c | 8 ++++++-- - source3/auth/auth_util.c | 19 +++++++++++++----- - source3/rpc_client/cli_netlogon.c | 8 +++++++- - source3/torture/pdbtest.c | 9 +++++++-- - source3/winbindd/winbindd_pam.c | 9 ++++++++- - source4/auth/ntlm/auth_util.c | 13 +++++++++--- - source4/torture/rpc/samsync.c | 14 +++++++++++-- - 12 files changed, 129 insertions(+), 44 deletions(-) - -diff --git a/auth/credentials/credentials_ntlm.c b/auth/credentials/credentials_ntlm.c -index bf55ab97b04..f1b22a6c9e2 100644 ---- a/auth/credentials/credentials_ntlm.c -+++ b/auth/credentials/credentials_ntlm.c -@@ -51,6 +51,7 @@ _PUBLIC_ NTSTATUS cli_credentials_get_ntlm_response(struct cli_credentials *cred - DATA_BLOB lm_session_key = data_blob_null; - DATA_BLOB session_key = data_blob_null; - const struct samr_Password *nt_hash = NULL; -+ int rc; - - if (cred->use_kerberos == CRED_MUST_USE_KERBEROS) { - TALLOC_FREE(frame); -@@ -159,7 +160,6 @@ _PUBLIC_ NTSTATUS cli_credentials_get_ntlm_response(struct cli_credentials *cred - uint8_t session_nonce[16]; - uint8_t session_nonce_hash[16]; - uint8_t user_session_key[16]; -- int rc; - - lm_response = data_blob_talloc_zero(frame, 24); - if (lm_response.data == NULL) { -@@ -188,9 +188,13 @@ _PUBLIC_ NTSTATUS cli_credentials_get_ntlm_response(struct cli_credentials *cred - TALLOC_FREE(frame); - return 
NT_STATUS_NO_MEMORY; - } -- SMBOWFencrypt(nt_hash->hash, -- session_nonce_hash, -- nt_response.data); -+ rc = SMBOWFencrypt(nt_hash->hash, -+ session_nonce_hash, -+ nt_response.data); -+ if (rc != 0) { -+ TALLOC_FREE(frame); -+ return gnutls_error_to_ntstatus(rc, NT_STATUS_ACCESS_DISABLED_BY_POLICY_OTHER); -+ } - - ZERO_ARRAY(session_nonce_hash); - -@@ -228,8 +232,12 @@ _PUBLIC_ NTSTATUS cli_credentials_get_ntlm_response(struct cli_credentials *cred - TALLOC_FREE(frame); - return NT_STATUS_NO_MEMORY; - } -- SMBOWFencrypt(nt_hash->hash, challenge.data, -- nt_response.data); -+ rc = SMBOWFencrypt(nt_hash->hash, challenge.data, -+ nt_response.data); -+ if (rc != 0) { -+ TALLOC_FREE(frame); -+ return gnutls_error_to_ntstatus(rc, NT_STATUS_ACCESS_DISABLED_BY_POLICY_OTHER); -+ } - - session_key = data_blob_talloc_zero(frame, 16); - if (session_key.data == NULL) { -@@ -254,9 +262,14 @@ _PUBLIC_ NTSTATUS cli_credentials_get_ntlm_response(struct cli_credentials *cred - return NT_STATUS_NO_MEMORY; - } - -- SMBencrypt_hash(lm_hash, -- challenge.data, -- lm_response.data); -+ rc = SMBencrypt_hash(lm_hash, -+ challenge.data, -+ lm_response.data); -+ if (rc != 0) { -+ ZERO_STRUCT(lm_hash); -+ TALLOC_FREE(frame); -+ return gnutls_error_to_ntstatus(rc, NT_STATUS_ACCESS_DISABLED_BY_POLICY_OTHER); -+ } - } else { - /* just copy the nt_response */ - lm_response = data_blob_dup_talloc(frame, nt_response); -diff --git a/libcli/auth/ntlm_check.c b/libcli/auth/ntlm_check.c -index 5058add3811..9f779f85fa1 100644 ---- a/libcli/auth/ntlm_check.c -+++ b/libcli/auth/ntlm_check.c -@@ -36,6 +36,7 @@ static bool smb_pwd_check_ntlmv1(TALLOC_CTX *mem_ctx, - { - /* Finish the encryption of part_passwd. 
*/ - uint8_t p24[24]; -+ int rc; - - if (part_passwd == NULL) { - DEBUG(10,("No password set - DISALLOWING access\n")); -@@ -55,7 +56,10 @@ static bool smb_pwd_check_ntlmv1(TALLOC_CTX *mem_ctx, - return false; - } - -- SMBOWFencrypt(part_passwd, sec_blob->data, p24); -+ rc = SMBOWFencrypt(part_passwd, sec_blob->data, p24); -+ if (rc != 0) { -+ return false; -+ } - - #if DEBUG_PASSWORD - DEBUG(100,("Part password (P16) was |\n")); -diff --git a/libcli/auth/proto.h b/libcli/auth/proto.h -index 212b46bb0e8..5209d6766e4 100644 ---- a/libcli/auth/proto.h -+++ b/libcli/auth/proto.h -@@ -99,7 +99,7 @@ NTSTATUS sess_decrypt_blob(TALLOC_CTX *mem_ctx, const DATA_BLOB *blob, const DAT - - /* The following definitions come from /home/jeremy/src/samba/git/master/source3/../source4/../libcli/auth/smbencrypt.c */ - --void SMBencrypt_hash(const uint8_t lm_hash[16], const uint8_t *c8, uint8_t p24[24]); -+int SMBencrypt_hash(const uint8_t lm_hash[16], const uint8_t *c8, uint8_t p24[24]); - bool SMBencrypt(const char *passwd, const uint8_t *c8, uint8_t p24[24]); - - /** -@@ -129,9 +129,9 @@ void nt_lm_owf_gen(const char *pwd, uint8_t nt_p16[16], uint8_t p16[16]); - bool ntv2_owf_gen(const uint8_t owf[16], - const char *user_in, const char *domain_in, - uint8_t kr_buf[16]); --void SMBOWFencrypt(const uint8_t passwd[16], const uint8_t *c8, uint8_t p24[24]); --void SMBNTencrypt_hash(const uint8_t nt_hash[16], const uint8_t *c8, uint8_t *p24); --void SMBNTencrypt(const char *passwd, const uint8_t *c8, uint8_t *p24); -+int SMBOWFencrypt(const uint8_t passwd[16], const uint8_t *c8, uint8_t p24[24]); -+int SMBNTencrypt_hash(const uint8_t nt_hash[16], const uint8_t *c8, uint8_t *p24); -+int SMBNTencrypt(const char *passwd, const uint8_t *c8, uint8_t *p24); - NTSTATUS SMBOWFencrypt_ntv2(const uint8_t kr[16], - const DATA_BLOB *srv_chal, - const DATA_BLOB *smbcli_chal, -@@ -224,7 +224,7 @@ void des_crypt56(uint8_t out[8], const uint8_t in[8], const uint8_t key[7], int - int 
des_crypt56_gnutls(uint8_t out[8], const uint8_t in[8], const uint8_t key[7], - enum samba_gnutls_direction encrypt); - int E_P16(const uint8_t *p14,uint8_t *p16); --void E_P24(const uint8_t *p21, const uint8_t *c8, uint8_t *p24); -+int E_P24(const uint8_t *p21, const uint8_t *c8, uint8_t *p24); - void E_old_pw_hash( uint8_t *p14, const uint8_t *in, uint8_t *out); - void des_crypt128(uint8_t out[8], const uint8_t in[8], const uint8_t key[16]); - void des_crypt112(uint8_t out[8], const uint8_t in[8], const uint8_t key[14], int forw); -diff --git a/libcli/auth/smbdes.c b/libcli/auth/smbdes.c -index 46fd5849f5b..4e3499f9d26 100644 ---- a/libcli/auth/smbdes.c -+++ b/libcli/auth/smbdes.c -@@ -374,11 +374,21 @@ int E_P16(const uint8_t *p14,uint8_t *p16) - return des_crypt56_gnutls(p16+8, sp8, p14+7, SAMBA_GNUTLS_ENCRYPT); - } - --void E_P24(const uint8_t *p21, const uint8_t *c8, uint8_t *p24) -+int E_P24(const uint8_t *p21, const uint8_t *c8, uint8_t *p24) - { -- des_crypt56(p24, c8, p21, 1); -- des_crypt56(p24+8, c8, p21+7, 1); -- des_crypt56(p24+16, c8, p21+14, 1); -+ int ret; -+ -+ ret = des_crypt56_gnutls(p24, c8, p21, SAMBA_GNUTLS_ENCRYPT); -+ if (ret != 0) { -+ return ret; -+ } -+ -+ ret = des_crypt56_gnutls(p24+8, c8, p21+7, SAMBA_GNUTLS_ENCRYPT); -+ if (ret != 0) { -+ return ret; -+ } -+ -+ return des_crypt56_gnutls(p24+16, c8, p21+14, SAMBA_GNUTLS_ENCRYPT); - } - - void E_old_pw_hash( uint8_t *p14, const uint8_t *in, uint8_t *out) -diff --git a/libcli/auth/smbencrypt.c b/libcli/auth/smbencrypt.c -index f2f446eda97..337e89ef559 100644 ---- a/libcli/auth/smbencrypt.c -+++ b/libcli/auth/smbencrypt.c -@@ -32,14 +32,15 @@ - #include - #include - --void SMBencrypt_hash(const uint8_t lm_hash[16], const uint8_t *c8, uint8_t p24[24]) -+int SMBencrypt_hash(const uint8_t lm_hash[16], const uint8_t *c8, uint8_t p24[24]) - { - uint8_t p21[21]; -+ int rc; - - memset(p21,'\0',21); - memcpy(p21, lm_hash, 16); - -- SMBOWFencrypt(p21, c8, p24); -+ rc = SMBOWFencrypt(p21, c8, 
p24); - - #ifdef DEBUG_PASSWORD - DEBUG(100,("SMBencrypt_hash: lm#, challenge, response\n")); -@@ -47,6 +48,8 @@ void SMBencrypt_hash(const uint8_t lm_hash[16], const uint8_t *c8, uint8_t p24[2 - dump_data(100, c8, 8); - dump_data(100, p24, 24); - #endif -+ -+ return rc; - } - - /* -@@ -61,9 +64,13 @@ bool SMBencrypt(const char *passwd, const uint8_t *c8, uint8_t p24[24]) - { - bool ret; - uint8_t lm_hash[16]; -+ int rc; - - ret = E_deshash(passwd, lm_hash); -- SMBencrypt_hash(lm_hash, c8, p24); -+ rc = SMBencrypt_hash(lm_hash, c8, p24); -+ if (rc != 0) { -+ ret = false; -+ } - return ret; - } - -@@ -266,25 +273,26 @@ out: - } - - /* Does the des encryption from the NT or LM MD4 hash. */ --void SMBOWFencrypt(const uint8_t passwd[16], const uint8_t *c8, uint8_t p24[24]) -+int SMBOWFencrypt(const uint8_t passwd[16], const uint8_t *c8, uint8_t p24[24]) - { - uint8_t p21[21]; - - ZERO_STRUCT(p21); - - memcpy(p21, passwd, 16); -- E_P24(p21, c8, p24); -+ return E_P24(p21, c8, p24); - } - - /* Does the des encryption. */ - --void SMBNTencrypt_hash(const uint8_t nt_hash[16], const uint8_t *c8, uint8_t *p24) -+int SMBNTencrypt_hash(const uint8_t nt_hash[16], const uint8_t *c8, uint8_t *p24) - { - uint8_t p21[21]; -+ int rc; - - memset(p21,'\0',21); - memcpy(p21, nt_hash, 16); -- SMBOWFencrypt(p21, c8, p24); -+ rc = SMBOWFencrypt(p21, c8, p24); - - #ifdef DEBUG_PASSWORD - DEBUG(100,("SMBNTencrypt: nt#, challenge, response\n")); -@@ -292,15 +300,17 @@ void SMBNTencrypt_hash(const uint8_t nt_hash[16], const uint8_t *c8, uint8_t *p2 - dump_data(100, c8, 8); - dump_data(100, p24, 24); - #endif -+ -+ return rc; - } - - /* Does the NT MD4 hash then des encryption. Plaintext version of the above. 
*/ - --void SMBNTencrypt(const char *passwd, const uint8_t *c8, uint8_t *p24) -+int SMBNTencrypt(const char *passwd, const uint8_t *c8, uint8_t *p24) - { - uint8_t nt_hash[16]; - E_md4hash(passwd, nt_hash); -- SMBNTencrypt_hash(nt_hash, c8, p24); -+ return SMBNTencrypt_hash(nt_hash, c8, p24); - } - - -diff --git a/libcli/auth/tests/test_gnutls.c b/libcli/auth/tests/test_gnutls.c -index a6e8fd5b352..9fafe2a767b 100644 ---- a/libcli/auth/tests/test_gnutls.c -+++ b/libcli/auth/tests/test_gnutls.c -@@ -298,8 +298,10 @@ static void torture_gnutls_E_P24(void **state) - }; - - uint8_t crypt[24]; -+ int rc; - -- E_P24(key, c8, crypt); -+ rc = E_P24(key, c8, crypt); -+ assert_int_equal(rc, 0); - assert_memory_equal(crypt, crypt_expected, 24); - } - -@@ -319,8 +321,10 @@ static void torture_gnutls_SMBOWFencrypt(void **state) - }; - - uint8_t crypt[24]; -+ int rc; - -- SMBOWFencrypt(password, c8, crypt); -+ rc = SMBOWFencrypt(password, c8, crypt); -+ assert_int_equal(rc, 0); - assert_memory_equal(crypt, crypt_expected, 24); - } - -diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c -index d0be7e6c576..546a2d347e4 100644 ---- a/source3/auth/auth_util.c -+++ b/source3/auth/auth_util.c -@@ -207,6 +207,7 @@ bool make_user_info_netlogon_interactive(TALLOC_CTX *mem_ctx, - struct samr_Password nt_pwd; - unsigned char local_lm_response[24]; - unsigned char local_nt_response[24]; -+ int rc; - - if (lm_interactive_pwd) - memcpy(lm_pwd.hash, lm_interactive_pwd, sizeof(lm_pwd.hash)); -@@ -214,13 +215,21 @@ bool make_user_info_netlogon_interactive(TALLOC_CTX *mem_ctx, - if (nt_interactive_pwd) - memcpy(nt_pwd.hash, nt_interactive_pwd, sizeof(nt_pwd.hash)); - -- if (lm_interactive_pwd) -- SMBOWFencrypt(lm_pwd.hash, chal, -- local_lm_response); -+ if (lm_interactive_pwd) { -+ rc = SMBOWFencrypt(lm_pwd.hash, chal, -+ local_lm_response); -+ if (rc != 0) { -+ return false; -+ } -+ } - -- if (nt_interactive_pwd) -- SMBOWFencrypt(nt_pwd.hash, chal, -+ if (nt_interactive_pwd) { -+ rc 
= SMBOWFencrypt(nt_pwd.hash, chal, - local_nt_response); -+ if (rc != 0) { -+ return false; -+ } -+ } - - { - bool ret; -diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c -index ea9cb757048..175f83d6750 100644 ---- a/source3/rpc_client/cli_netlogon.c -+++ b/source3/rpc_client/cli_netlogon.c -@@ -37,6 +37,7 @@ - #include "dbwrap/dbwrap.h" - #include "dbwrap/dbwrap_open.h" - #include "util_tdb.h" -+#include "lib/crypto/gnutls_helpers.h" - - - NTSTATUS rpccli_pre_open_netlogon_creds(void) -@@ -528,6 +529,7 @@ NTSTATUS rpccli_netlogon_password_logon( - case NetlogonNetworkTransitiveInformation: { - struct netr_NetworkInfo *network_info; - uint8_t chal[8]; -+ int rc; - - ZERO_STRUCT(lm); - ZERO_STRUCT(nt); -@@ -541,7 +543,11 @@ NTSTATUS rpccli_netlogon_password_logon( - generate_random_buffer(chal, 8); - - SMBencrypt(password, chal, local_lm_response); -- SMBNTencrypt(password, chal, local_nt_response); -+ rc = SMBNTencrypt(password, chal, local_nt_response); -+ if (rc != 0) { -+ TALLOC_FREE(frame); -+ return gnutls_error_to_ntstatus(rc, NT_STATUS_ACCESS_DISABLED_BY_POLICY_OTHER); -+ } - - lm.length = 24; - lm.data = local_lm_response; -diff --git a/source3/torture/pdbtest.c b/source3/torture/pdbtest.c -index fdf72187b6c..5d74aa9ab78 100644 ---- a/source3/torture/pdbtest.c -+++ b/source3/torture/pdbtest.c -@@ -278,9 +278,14 @@ static bool test_auth(TALLOC_CTX *mem_ctx, struct samu *pdb_entry) - NTSTATUS status; - bool ok; - uint8_t authoritative = 0; -+ int rc; -+ -+ rc = SMBOWFencrypt(pdb_get_nt_passwd(pdb_entry), challenge_8, -+ local_nt_response); -+ if (rc != 0) { -+ return False; -+ } - -- SMBOWFencrypt(pdb_get_nt_passwd(pdb_entry), challenge_8, -- local_nt_response); - SMBsesskeygen_ntv1(pdb_get_nt_passwd(pdb_entry), local_nt_session_key); - - if (tsocket_address_inet_from_strings(NULL, "ip", NULL, 0, &remote_address) != 0) { -diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c -index 
8946dd70f99..b456a3994f8 100644 ---- a/source3/winbindd/winbindd_pam.c -+++ b/source3/winbindd/winbindd_pam.c -@@ -47,6 +47,7 @@ - #include "libads/krb5_errs.h" - #include "param/param.h" - #include "messaging/messaging.h" -+#include "lib/crypto/gnutls_helpers.h" - - #include "lib/crypto/gnutls_helpers.h" - #include -@@ -1792,8 +1793,14 @@ static NTSTATUS winbindd_dual_pam_auth_samlogon( - } - data_blob_free(&names_blob); - } else { -+ int rc; - lm_resp = data_blob_null; -- SMBNTencrypt(pass, chal, local_nt_response); -+ rc = SMBNTencrypt(pass, chal, local_nt_response); -+ if (rc != 0) { -+ DEBUG(0, ("winbindd_pam_auth: SMBNTencrypt() failed!\n")); -+ result = gnutls_error_to_ntstatus(rc, NT_STATUS_ACCESS_DISABLED_BY_POLICY_OTHER); -+ goto done; -+ } - - nt_resp = data_blob_talloc(mem_ctx, local_nt_response, - sizeof(local_nt_response)); -diff --git a/source4/auth/ntlm/auth_util.c b/source4/auth/ntlm/auth_util.c -index 7e72cb5123d..a0d061dca2a 100644 ---- a/source4/auth/ntlm/auth_util.c -+++ b/source4/auth/ntlm/auth_util.c -@@ -28,6 +28,7 @@ - #include "auth/ntlm/auth_proto.h" - #include "librpc/gen_ndr/drsuapi.h" - #include "dsdb/samdb/samdb.h" -+#include "lib/crypto/gnutls_helpers.h" - - #undef DBGC_CLASS - #define DBGC_CLASS DBGC_AUTH -@@ -41,6 +42,7 @@ NTSTATUS encrypt_user_info(TALLOC_CTX *mem_ctx, struct auth4_context *auth_conte - const struct auth_usersupplied_info *user_info_in, - const struct auth_usersupplied_info **user_info_encrypted) - { -+ int rc; - NTSTATUS nt_status; - struct auth_usersupplied_info *user_info_temp; - switch (to_state) { -@@ -103,12 +105,17 @@ NTSTATUS encrypt_user_info(TALLOC_CTX *mem_ctx, struct auth4_context *auth_conte - data_blob_free(&ntlmv2_session_key); - } else { - DATA_BLOB blob = data_blob_talloc(mem_ctx, NULL, 24); -- SMBOWFencrypt(user_info_in->password.hash.nt->hash, chal, blob.data); -- -+ rc = SMBOWFencrypt(user_info_in->password.hash.nt->hash, chal, blob.data); -+ if (rc != 0) { -+ return 
gnutls_error_to_ntstatus(rc, NT_STATUS_ACCESS_DISABLED_BY_POLICY_OTHER); -+ } - user_info_temp->password.response.nt = blob; - if (lpcfg_client_lanman_auth(auth_context->lp_ctx) && user_info_in->password.hash.lanman) { - DATA_BLOB lm_blob = data_blob_talloc(mem_ctx, NULL, 24); -- SMBOWFencrypt(user_info_in->password.hash.lanman->hash, chal, blob.data); -+ rc = SMBOWFencrypt(user_info_in->password.hash.lanman->hash, chal, blob.data); -+ if (rc != 0) { -+ return gnutls_error_to_ntstatus(rc, NT_STATUS_ACCESS_DISABLED_BY_POLICY_OTHER); -+ } - user_info_temp->password.response.lanman = lm_blob; - } else { - /* if not sending the LM password, send the NT password twice */ -diff --git a/source4/torture/rpc/samsync.c b/source4/torture/rpc/samsync.c -index 869d3ba96b6..6b9759b88fd 100644 ---- a/source4/torture/rpc/samsync.c -+++ b/source4/torture/rpc/samsync.c -@@ -36,6 +36,7 @@ - #include "librpc/gen_ndr/ndr_samr_c.h" - #include "librpc/gen_ndr/ndr_security.h" - #include "param/param.h" -+#include "lib/crypto/gnutls_helpers.h" - - #define TEST_MACHINE_NAME "samsynctest" - #define TEST_WKSTA_MACHINE_NAME "samsynctest2" -@@ -61,6 +62,7 @@ static NTSTATUS test_SamLogon(struct torture_context *tctx, - union netr_Validation validation; - uint8_t authoritative; - struct dcerpc_binding_handle *b = p->binding_handle; -+ int rc; - - ninfo.identity_info.domain_name.string = domain; - ninfo.identity_info.parameter_control = 0; -@@ -72,7 +74,11 @@ static NTSTATUS test_SamLogon(struct torture_context *tctx, - if (nt_hash) { - ninfo.nt.length = 24; - ninfo.nt.data = talloc_array(mem_ctx, uint8_t, 24); -- SMBOWFencrypt(nt_hash->hash, ninfo.challenge, ninfo.nt.data); -+ rc = SMBOWFencrypt(nt_hash->hash, ninfo.challenge, -+ ninfo.nt.data); -+ if (rc != 0) { -+ return gnutls_error_to_ntstatus(rc, NT_STATUS_ACCESS_DISABLED_BY_POLICY_OTHER); -+ } - } else { - ninfo.nt.length = 0; - ninfo.nt.data = NULL; -@@ -81,7 +87,11 @@ static NTSTATUS test_SamLogon(struct torture_context *tctx, - if 
(lm_hash) { - ninfo.lm.length = 24; - ninfo.lm.data = talloc_array(mem_ctx, uint8_t, 24); -- SMBOWFencrypt(lm_hash->hash, ninfo.challenge, ninfo.lm.data); -+ rc = SMBOWFencrypt(lm_hash->hash, ninfo.challenge, -+ ninfo.lm.data); -+ if (rc != 0) { -+ return gnutls_error_to_ntstatus(rc, NT_STATUS_ACCESS_DISABLED_BY_POLICY_OTHER); -+ } - } else { - ninfo.lm.length = 0; - ninfo.lm.data = NULL; --- -2.23.0 - diff --git a/SOURCES/0181-smbdes-convert-des_crypt128-to-use-gnutls.patch b/SOURCES/0181-smbdes-convert-des_crypt128-to-use-gnutls.patch deleted file mode 100644 index e06089a..0000000 --- a/SOURCES/0181-smbdes-convert-des_crypt128-to-use-gnutls.patch +++ /dev/null 
@@ -1,96 +0,0 @@ -From 20bd9ca871f318ba8360525b51f56010f8607fbb Mon Sep 17 00:00:00 2001 -From: Isaac Boukris -Date: Fri, 8 Nov 2019 17:49:48 +0100 -Subject: [PATCH 181/187] smbdes: convert des_crypt128() to use gnutls - -Signed-off-by: Isaac Boukris -Reviewed-by: Andrew Bartlett -(cherry picked from commit c57f429574243adbcd43dca4f35d125df8d69ba0) ---- - libcli/auth/credentials.c | 6 +++++- - libcli/auth/proto.h | 2 +- - libcli/auth/smbdes.c | 12 +++++++++--- - libcli/auth/tests/test_gnutls.c | 4 +++- - 4 files changed, 18 insertions(+), 6 deletions(-) - -diff --git a/libcli/auth/credentials.c b/libcli/auth/credentials.c -index d9237f3875b..1b94a06ebfb 100644 ---- a/libcli/auth/credentials.c -+++ b/libcli/auth/credentials.c -@@ -66,6 +66,7 @@ static NTSTATUS netlogon_creds_init_64bit(struct netlogon_creds_CredentialState - { - uint32_t sum[2]; - uint8_t sum2[8]; -+ int rc; - - sum[0] = IVAL(client_challenge->data, 0) + IVAL(server_challenge->data, 0); - sum[1] = IVAL(client_challenge->data, 4) + IVAL(server_challenge->data, 4); -@@ -75,7 +76,10 @@ static NTSTATUS netlogon_creds_init_64bit(struct netlogon_creds_CredentialState - - ZERO_ARRAY(creds->session_key); - -- des_crypt128(creds->session_key, sum2, machine_password->hash); -+ rc = des_crypt128(creds->session_key, sum2, machine_password->hash); -+ if (rc != 0) { -+ return gnutls_error_to_ntstatus(rc, NT_STATUS_ACCESS_DISABLED_BY_POLICY_OTHER); -+ } - - return NT_STATUS_OK; - } -diff --git a/libcli/auth/proto.h b/libcli/auth/proto.h -index 5209d6766e4..2ea4eca822a 100644 ---- a/libcli/auth/proto.h -+++ b/libcli/auth/proto.h -@@ -226,7 +226,7 @@ int des_crypt56_gnutls(uint8_t out[8], const uint8_t in[8], const uint8_t key[7] - int E_P16(const uint8_t *p14,uint8_t *p16); - int E_P24(const uint8_t *p21, const uint8_t *c8, uint8_t *p24); - void E_old_pw_hash( uint8_t *p14, const uint8_t *in, uint8_t *out); --void des_crypt128(uint8_t out[8], const uint8_t in[8], const uint8_t key[16]); -+int des_crypt128(uint8_t 
out[8], const uint8_t in[8], const uint8_t key[16]); - void des_crypt112(uint8_t out[8], const uint8_t in[8], const uint8_t key[14], int forw); - void des_crypt112_16(uint8_t out[16], const uint8_t in[16], const uint8_t key[14], int forw); - int sam_rid_crypt(unsigned int rid, const uint8_t *in, uint8_t *out, -diff --git a/libcli/auth/smbdes.c b/libcli/auth/smbdes.c -index 4e3499f9d26..6a4f4d1d42a 100644 ---- a/libcli/auth/smbdes.c -+++ b/libcli/auth/smbdes.c -@@ -398,11 +398,17 @@ void E_old_pw_hash( uint8_t *p14, const uint8_t *in, uint8_t *out) - } - - /* des encryption with a 128 bit key */ --void des_crypt128(uint8_t out[8], const uint8_t in[8], const uint8_t key[16]) -+int des_crypt128(uint8_t out[8], const uint8_t in[8], const uint8_t key[16]) - { - uint8_t buf[8]; -- des_crypt56(buf, in, key, 1); -- des_crypt56(out, buf, key+9, 1); -+ int ret; -+ -+ ret = des_crypt56_gnutls(buf, in, key, SAMBA_GNUTLS_ENCRYPT); -+ if (ret != 0) { -+ return ret; -+ } -+ -+ return des_crypt56_gnutls(out, buf, key+9, SAMBA_GNUTLS_ENCRYPT); - } - - /* des encryption with a 112 bit (14 byte) key */ -diff --git a/libcli/auth/tests/test_gnutls.c b/libcli/auth/tests/test_gnutls.c -index 9fafe2a767b..d9acfb67075 100644 ---- a/libcli/auth/tests/test_gnutls.c -+++ b/libcli/auth/tests/test_gnutls.c -@@ -362,8 +362,10 @@ static void torture_gnutls_des_crypt128(void **state) - }; - - uint8_t crypt[8]; -+ int rc; - -- des_crypt128(crypt, clear, key); -+ rc = des_crypt128(crypt, clear, key); -+ assert_int_equal(rc, 0); - assert_memory_equal(crypt, crypt_expected, 8); - } - --- -2.23.0 - diff --git a/SOURCES/0182-smbdes-convert-E_old_pw_hash-to-use-gnutls.patch b/SOURCES/0182-smbdes-convert-E_old_pw_hash-to-use-gnutls.patch deleted file mode 100644 index eabcd8d..0000000 --- a/SOURCES/0182-smbdes-convert-E_old_pw_hash-to-use-gnutls.patch +++ /dev/null 
@@ -1,427 +0,0 @@ -From 6e0fa4cf34ffb9a3f453269f8bd19b4aaf4be030 Mon Sep 17 00:00:00 2001 -From: Isaac Boukris -Date: Wed, 20 Nov 2019 15:28:39 +0100 -Subject: [PATCH 182/187] smbdes: convert E_old_pw_hash to use gnutls - -Signed-off-by: Isaac Boukris -Reviewed-by: Andrew Bartlett -(cherry picked from commit dce944e8a1119034f184336f6b71a28080152a0a) ---- - libcli/auth/proto.h | 2 +- - libcli/auth/smbdes.c | 12 +++- - libcli/auth/tests/test_gnutls.c | 4 +- - source3/libsmb/clirap.c | 6 +- - source3/rpc_client/cli_samr.c | 66 +++++++++++++++++--- - source3/rpc_server/samr/srv_samr_chgpasswd.c | 18 +++++- - source3/utils/ntlm_auth.c | 14 ++++- - source4/libnet/libnet_passwd.c | 30 +++++++-- - source4/rpc_server/samr/samr_password.c | 16 ++++- - 9 files changed, 140 insertions(+), 28 deletions(-) - -diff --git a/libcli/auth/proto.h b/libcli/auth/proto.h -index 2ea4eca822a..5e88d7527fd 100644 ---- a/libcli/auth/proto.h -+++ b/libcli/auth/proto.h -@@ -225,7 +225,7 @@ int des_crypt56_gnutls(uint8_t out[8], const uint8_t in[8], const uint8_t key[7] - enum samba_gnutls_direction encrypt); - int E_P16(const uint8_t *p14,uint8_t *p16); - int E_P24(const uint8_t *p21, const uint8_t *c8, uint8_t *p24); --void E_old_pw_hash( uint8_t *p14, const uint8_t *in, uint8_t *out); -+int E_old_pw_hash( uint8_t *p14, const uint8_t *in, uint8_t *out); - int des_crypt128(uint8_t out[8], const uint8_t in[8], const uint8_t key[16]); - void des_crypt112(uint8_t out[8], const uint8_t in[8], const uint8_t key[14], int forw); - void des_crypt112_16(uint8_t out[16], const uint8_t in[16], const uint8_t key[14], int forw); -diff --git a/libcli/auth/smbdes.c b/libcli/auth/smbdes.c -index 6a4f4d1d42a..ec922da4727 100644 ---- a/libcli/auth/smbdes.c -+++ b/libcli/auth/smbdes.c -@@ -391,10 +391,16 @@ int E_P24(const uint8_t *p21, const uint8_t *c8, uint8_t *p24) - return des_crypt56_gnutls(p24+16, c8, p21+14, SAMBA_GNUTLS_ENCRYPT); - } - --void E_old_pw_hash( uint8_t *p14, const uint8_t *in, uint8_t *out) 
-+int E_old_pw_hash( uint8_t *p14, const uint8_t *in, uint8_t *out) - { -- des_crypt56(out, in, p14, 1); -- des_crypt56(out+8, in+8, p14+7, 1); -+ int ret; -+ -+ ret = des_crypt56_gnutls(out, in, p14, SAMBA_GNUTLS_ENCRYPT); -+ if (ret != 0) { -+ return ret; -+ } -+ -+ return des_crypt56_gnutls(out+8, in+8, p14+7, SAMBA_GNUTLS_ENCRYPT); - } - - /* des encryption with a 128 bit key */ -diff --git a/libcli/auth/tests/test_gnutls.c b/libcli/auth/tests/test_gnutls.c -index d9acfb67075..087afee09db 100644 ---- a/libcli/auth/tests/test_gnutls.c -+++ b/libcli/auth/tests/test_gnutls.c -@@ -343,8 +343,10 @@ static void torture_gnutls_E_old_pw_hash(void **state) - 0x37, 0xEF, 0xBE, 0x58, 0xC2, 0x59, 0x33, 0xEC - }; - uint8_t crypt[16]; -+ int rc; - -- E_old_pw_hash(key, clear, crypt); -+ rc = E_old_pw_hash(key, clear, crypt); -+ assert_int_equal(rc, 0); - assert_memory_equal(crypt, crypt_expected, 16); - } - -diff --git a/source3/libsmb/clirap.c b/source3/libsmb/clirap.c -index c0b9dcdff39..bf2a9ed4fdc 100644 ---- a/source3/libsmb/clirap.c -+++ b/source3/libsmb/clirap.c -@@ -569,7 +569,11 @@ bool cli_oem_change_password(struct cli_state *cli, const char *user, const char - */ - E_deshash(new_password, new_pw_hash); - -- E_old_pw_hash( new_pw_hash, old_pw_hash, (uchar *)&data[516]); -+ rc = E_old_pw_hash( new_pw_hash, old_pw_hash, (uchar *)&data[516]); -+ if (rc != 0) { -+ DBG_ERR("E_old_pw_hash failed: %s\n", gnutls_strerror(rc)); -+ return false; -+ } - - data_len = 532; - -diff --git a/source3/rpc_client/cli_samr.c b/source3/rpc_client/cli_samr.c -index 452e9593f6a..8a151c751f5 100644 ---- a/source3/rpc_client/cli_samr.c -+++ b/source3/rpc_client/cli_samr.c -@@ -39,6 +39,7 @@ NTSTATUS dcerpc_samr_chgpasswd_user(struct dcerpc_binding_handle *h, - NTSTATUS *presult) - { - NTSTATUS status; -+ int rc; - struct samr_Password hash1, hash2, hash3, hash4, hash5, hash6; - - uint8_t old_nt_hash[16] = {0}; -@@ -54,12 +55,36 @@ NTSTATUS dcerpc_samr_chgpasswd_user(struct 
dcerpc_binding_handle *h, - E_deshash(oldpassword, old_lm_hash); - E_deshash(newpassword, new_lm_hash); - -- E_old_pw_hash(new_lm_hash, old_lm_hash, hash1.hash); -- E_old_pw_hash(old_lm_hash, new_lm_hash, hash2.hash); -- E_old_pw_hash(new_nt_hash, old_nt_hash, hash3.hash); -- E_old_pw_hash(old_nt_hash, new_nt_hash, hash4.hash); -- E_old_pw_hash(old_lm_hash, new_nt_hash, hash5.hash); -- E_old_pw_hash(old_nt_hash, new_lm_hash, hash6.hash); -+ rc = E_old_pw_hash(new_lm_hash, old_lm_hash, hash1.hash); -+ if (rc != 0) { -+ status = gnutls_error_to_ntstatus(rc, NT_STATUS_ACCESS_DISABLED_BY_POLICY_OTHER); -+ goto done; -+ } -+ rc = E_old_pw_hash(old_lm_hash, new_lm_hash, hash2.hash); -+ if (rc != 0) { -+ status = gnutls_error_to_ntstatus(rc, NT_STATUS_ACCESS_DISABLED_BY_POLICY_OTHER); -+ goto done; -+ } -+ rc = E_old_pw_hash(new_nt_hash, old_nt_hash, hash3.hash); -+ if (rc != 0) { -+ status = gnutls_error_to_ntstatus(rc, NT_STATUS_ACCESS_DISABLED_BY_POLICY_OTHER); -+ goto done; -+ } -+ rc = E_old_pw_hash(old_nt_hash, new_nt_hash, hash4.hash); -+ if (rc != 0) { -+ status = gnutls_error_to_ntstatus(rc, NT_STATUS_ACCESS_DISABLED_BY_POLICY_OTHER); -+ goto done; -+ } -+ rc = E_old_pw_hash(old_lm_hash, new_nt_hash, hash5.hash); -+ if (rc != 0) { -+ status = gnutls_error_to_ntstatus(rc, NT_STATUS_ACCESS_DISABLED_BY_POLICY_OTHER); -+ goto done; -+ } -+ rc = E_old_pw_hash(old_nt_hash, new_lm_hash, hash6.hash); -+ if (rc != 0) { -+ status = gnutls_error_to_ntstatus(rc, NT_STATUS_ACCESS_DISABLED_BY_POLICY_OTHER); -+ goto done; -+ } - - status = dcerpc_samr_ChangePasswordUser(h, - mem_ctx, -@@ -76,6 +101,7 @@ NTSTATUS dcerpc_samr_chgpasswd_user(struct dcerpc_binding_handle *h, - &hash6, - presult); - -+done: - ZERO_ARRAY(old_nt_hash); - ZERO_ARRAY(old_lm_hash); - ZERO_ARRAY(new_nt_hash); -@@ -117,6 +143,7 @@ NTSTATUS dcerpc_samr_chgpasswd_user2(struct dcerpc_binding_handle *h, - NTSTATUS *presult) - { - NTSTATUS status; -+ int rc; - struct samr_CryptPassword new_nt_password; - struct 
samr_CryptPassword new_lm_password; - struct samr_Password old_nt_hash_enc; -@@ -153,7 +180,11 @@ NTSTATUS dcerpc_samr_chgpasswd_user2(struct dcerpc_binding_handle *h, - return status; - } - -- E_old_pw_hash(new_nt_hash, old_lanman_hash, old_lanman_hash_enc.hash); -+ rc = E_old_pw_hash(new_nt_hash, old_lanman_hash, old_lanman_hash_enc.hash); -+ if (rc != 0) { -+ status = gnutls_error_to_ntstatus(rc, NT_STATUS_ACCESS_DISABLED_BY_POLICY_OTHER); -+ goto done; -+ } - } else { - ZERO_STRUCT(new_lm_password); - ZERO_STRUCT(old_lanman_hash_enc); -@@ -165,7 +196,11 @@ NTSTATUS dcerpc_samr_chgpasswd_user2(struct dcerpc_binding_handle *h, - if (!NT_STATUS_IS_OK(status)) { - return status; - } -- E_old_pw_hash(new_nt_hash, old_nt_hash, old_nt_hash_enc.hash); -+ rc = E_old_pw_hash(new_nt_hash, old_nt_hash, old_nt_hash_enc.hash); -+ if (rc != 0) { -+ status = gnutls_error_to_ntstatus(rc, NT_STATUS_ACCESS_DISABLED_BY_POLICY_OTHER); -+ goto done; -+ } - - status = dcerpc_samr_ChangePasswordUser2(h, - mem_ctx, -@@ -178,6 +213,7 @@ NTSTATUS dcerpc_samr_chgpasswd_user2(struct dcerpc_binding_handle *h, - &old_lanman_hash_enc, - presult); - -+done: - ZERO_STRUCT(new_nt_password); - ZERO_STRUCT(new_lm_password); - ZERO_STRUCT(old_nt_hash_enc); -@@ -312,6 +348,7 @@ NTSTATUS dcerpc_samr_chgpasswd_user3(struct dcerpc_binding_handle *h, - NTSTATUS *presult) - { - NTSTATUS status; -+ int rc; - - struct samr_CryptPassword new_nt_password; - struct samr_CryptPassword new_lm_password; -@@ -350,7 +387,11 @@ NTSTATUS dcerpc_samr_chgpasswd_user3(struct dcerpc_binding_handle *h, - return status; - } - -- E_old_pw_hash(new_nt_hash, old_lanman_hash, old_lanman_hash_enc.hash); -+ rc = E_old_pw_hash(new_nt_hash, old_lanman_hash, old_lanman_hash_enc.hash); -+ if (rc != 0) { -+ status = gnutls_error_to_ntstatus(rc, NT_STATUS_ACCESS_DISABLED_BY_POLICY_OTHER); -+ goto done; -+ } - } else { - ZERO_STRUCT(new_lm_password); - ZERO_STRUCT(old_lanman_hash_enc); -@@ -363,7 +404,11 @@ NTSTATUS 
dcerpc_samr_chgpasswd_user3(struct dcerpc_binding_handle *h, - return status; - } - -- E_old_pw_hash(new_nt_hash, old_nt_hash, old_nt_hash_enc.hash); -+ rc = E_old_pw_hash(new_nt_hash, old_nt_hash, old_nt_hash_enc.hash); -+ if (rc != 0) { -+ status = gnutls_error_to_ntstatus(rc, NT_STATUS_ACCESS_DISABLED_BY_POLICY_OTHER); -+ goto done; -+ } - - status = dcerpc_samr_ChangePasswordUser3(h, - mem_ctx, -@@ -379,6 +424,7 @@ NTSTATUS dcerpc_samr_chgpasswd_user3(struct dcerpc_binding_handle *h, - reject, - presult); - -+done: - ZERO_STRUCT(new_nt_password); - ZERO_STRUCT(new_lm_password); - ZERO_STRUCT(old_nt_hash_enc); -diff --git a/source3/rpc_server/samr/srv_samr_chgpasswd.c b/source3/rpc_server/samr/srv_samr_chgpasswd.c -index 8c9cf73bdd8..79d4b3068e5 100644 ---- a/source3/rpc_server/samr/srv_samr_chgpasswd.c -+++ b/source3/rpc_server/samr/srv_samr_chgpasswd.c -@@ -804,7 +804,11 @@ static NTSTATUS check_oem_password(const char *user, - /* - * check the NT verifier - */ -- E_old_pw_hash(new_nt_hash, nt_pw, verifier); -+ rc = E_old_pw_hash(new_nt_hash, nt_pw, verifier); -+ if (rc != 0) { -+ NTSTATUS status = NT_STATUS_ACCESS_DISABLED_BY_POLICY_OTHER; -+ return gnutls_error_to_ntstatus(rc, status); -+ } - if (memcmp(verifier, old_nt_hash_encrypted, 16)) { - DEBUG(0, ("check_oem_password: old nt " - "password doesn't match.\n")); -@@ -831,7 +835,11 @@ static NTSTATUS check_oem_password(const char *user, - /* - * check the lm verifier - */ -- E_old_pw_hash(new_nt_hash, lanman_pw, verifier); -+ rc = E_old_pw_hash(new_nt_hash, lanman_pw, verifier); -+ if (rc != 0) { -+ NTSTATUS status = NT_STATUS_ACCESS_DISABLED_BY_POLICY_OTHER; -+ return gnutls_error_to_ntstatus(rc, status); -+ } - if (memcmp(verifier, old_lm_hash_encrypted, 16)) { - DEBUG(0,("check_oem_password: old lm password doesn't match.\n")); - return NT_STATUS_WRONG_PASSWORD; -@@ -851,7 +859,11 @@ static NTSTATUS check_oem_password(const char *user, - /* - * check the lm verifier - */ -- E_old_pw_hash(new_lm_hash, 
lanman_pw, verifier); -+ rc = E_old_pw_hash(new_lm_hash, lanman_pw, verifier); -+ if (rc != 0) { -+ NTSTATUS status = NT_STATUS_ACCESS_DISABLED_BY_POLICY_OTHER; -+ return gnutls_error_to_ntstatus(rc, status); -+ } - if (memcmp(verifier, old_lm_hash_encrypted, 16)) { - DEBUG(0,("check_oem_password: old lm password doesn't match.\n")); - return NT_STATUS_WRONG_PASSWORD; -diff --git a/source3/utils/ntlm_auth.c b/source3/utils/ntlm_auth.c -index 8a6218ac9ec..22258b3b84c 100644 ---- a/source3/utils/ntlm_auth.c -+++ b/source3/utils/ntlm_auth.c -@@ -1993,8 +1993,13 @@ static void manage_ntlm_change_password_1_request(enum stdio_helper_mode stdio_h - gnutls_cipher_deinit(cipher_hnd); - return; - } -- E_old_pw_hash(new_nt_hash, old_lm_hash, -+ rc = E_old_pw_hash(new_nt_hash, old_lm_hash, - old_lm_hash_enc.data); -+ if (rc != 0) { -+ DBG_ERR("E_old_pw_hash failed: %s\n", -+ gnutls_strerror(rc)); -+ return; -+ } - } else { - new_lm_pswd.data = NULL; - new_lm_pswd.length = 0; -@@ -2012,8 +2017,13 @@ static void manage_ntlm_change_password_1_request(enum stdio_helper_mode stdio_h - if (rc < 0) { - return; - } -- E_old_pw_hash(new_nt_hash, old_nt_hash, -+ rc = E_old_pw_hash(new_nt_hash, old_nt_hash, - old_nt_hash_enc.data); -+ if (rc != 0) { -+ DBG_ERR("E_old_pw_hash failed: %s\n", -+ gnutls_strerror(rc)); -+ return; -+ } - - ZERO_ARRAY(old_nt_hash); - ZERO_ARRAY(old_lm_hash); -diff --git a/source4/libnet/libnet_passwd.c b/source4/libnet/libnet_passwd.c -index 704a94a5864..868f9442cd0 100644 ---- a/source4/libnet/libnet_passwd.c -+++ b/source4/libnet/libnet_passwd.c -@@ -115,7 +115,11 @@ static NTSTATUS libnet_ChangePassword_samr(struct libnet_context *ctx, TALLOC_CT - goto disconnect; - } - -- E_old_pw_hash(new_lm_hash, old_lm_hash, lm_verifier.hash); -+ rc = E_old_pw_hash(new_lm_hash, old_lm_hash, lm_verifier.hash); -+ if (rc != 0) { -+ status = gnutls_error_to_ntstatus(rc, NT_STATUS_ACCESS_DISABLED_BY_POLICY_OTHER); -+ goto disconnect; -+ } - - encode_pw_buffer(nt_pass.data, 
r->samr.in.newpassword, STR_UNICODE); - -@@ -137,7 +141,11 @@ static NTSTATUS libnet_ChangePassword_samr(struct libnet_context *ctx, TALLOC_CT - goto disconnect; - } - -- E_old_pw_hash(new_nt_hash, old_nt_hash, nt_verifier.hash); -+ rc = E_old_pw_hash(new_nt_hash, old_nt_hash, nt_verifier.hash); -+ if (rc != 0) { -+ status = gnutls_error_to_ntstatus(rc, NT_STATUS_ACCESS_DISABLED_BY_POLICY_OTHER); -+ goto disconnect; -+ } - - pw3.in.server = &server; - pw3.in.account = &account; -@@ -189,7 +197,11 @@ static NTSTATUS libnet_ChangePassword_samr(struct libnet_context *ctx, TALLOC_CT - goto disconnect; - } - -- E_old_pw_hash(new_lm_hash, old_lm_hash, lm_verifier.hash); -+ rc = E_old_pw_hash(new_lm_hash, old_lm_hash, lm_verifier.hash); -+ if (rc != 0) { -+ status = gnutls_error_to_ntstatus(rc, NT_STATUS_ACCESS_DISABLED_BY_POLICY_OTHER); -+ goto disconnect; -+ } - - encode_pw_buffer(nt_pass.data, r->samr.in.newpassword, STR_UNICODE); - -@@ -210,7 +222,11 @@ static NTSTATUS libnet_ChangePassword_samr(struct libnet_context *ctx, TALLOC_CT - goto disconnect; - } - -- E_old_pw_hash(new_nt_hash, old_nt_hash, nt_verifier.hash); -+ rc = E_old_pw_hash(new_nt_hash, old_nt_hash, nt_verifier.hash); -+ if (rc != 0) { -+ status = gnutls_error_to_ntstatus(rc, NT_STATUS_ACCESS_DISABLED_BY_POLICY_OTHER); -+ goto disconnect; -+ } - - pw2.in.server = &server; - pw2.in.account = &account; -@@ -260,7 +276,11 @@ static NTSTATUS libnet_ChangePassword_samr(struct libnet_context *ctx, TALLOC_CT - goto disconnect; - } - -- E_old_pw_hash(new_lm_hash, old_lm_hash, lm_verifier.hash); -+ rc = E_old_pw_hash(new_lm_hash, old_lm_hash, lm_verifier.hash); -+ if (rc != 0) { -+ status = gnutls_error_to_ntstatus(rc, NT_STATUS_ACCESS_DISABLED_BY_POLICY_OTHER); -+ goto disconnect; -+ } - - oe2.in.server = &a_server; - oe2.in.account = &a_account; -diff --git a/source4/rpc_server/samr/samr_password.c b/source4/rpc_server/samr/samr_password.c -index b04e37f06f3..4fa00bf6360 100644 ---- 
a/source4/rpc_server/samr/samr_password.c -+++ b/source4/rpc_server/samr/samr_password.c -@@ -235,7 +235,11 @@ NTSTATUS dcesrv_samr_OemChangePasswordUser2(struct dcesrv_call_state *dce_call, - new_unicode_password.length = unicode_pw_len; - - E_deshash(new_pass, new_lm_hash); -- E_old_pw_hash(new_lm_hash, lm_pwd->hash, lm_verifier.hash); -+ rc = E_old_pw_hash(new_lm_hash, lm_pwd->hash, lm_verifier.hash); -+ if (rc != 0) { -+ status = gnutls_error_to_ntstatus(rc, NT_STATUS_ACCESS_DISABLED_BY_POLICY_OTHER); -+ goto failed; -+ } - if (memcmp(lm_verifier.hash, r->in.hash->hash, 16) != 0) { - authsam_update_bad_pwd_count(sam_ctx, res[0], ldb_get_default_basedn(sam_ctx)); - status = NT_STATUS_WRONG_PASSWORD; -@@ -442,6 +446,10 @@ NTSTATUS dcesrv_samr_ChangePasswordUser3(struct dcesrv_call_state *dce_call, - mdfour(new_nt_hash, new_password.data, new_password.length); - - E_old_pw_hash(new_nt_hash, nt_pwd->hash, nt_verifier.hash); -+ if (rc != 0) { -+ status = gnutls_error_to_ntstatus(rc, NT_STATUS_ACCESS_DISABLED_BY_POLICY_OTHER); -+ goto failed; -+ } - if (memcmp(nt_verifier.hash, r->in.nt_verifier->hash, 16) != 0) { - status = NT_STATUS_WRONG_PASSWORD; - goto failed; -@@ -460,7 +468,11 @@ NTSTATUS dcesrv_samr_ChangePasswordUser3(struct dcesrv_call_state *dce_call, - new_password.length, - (void **)&new_pass, &converted_size)) { - E_deshash(new_pass, new_lm_hash); -- E_old_pw_hash(new_nt_hash, lm_pwd->hash, lm_verifier.hash); -+ rc = E_old_pw_hash(new_nt_hash, lm_pwd->hash, lm_verifier.hash); -+ if (rc != 0) { -+ status = gnutls_error_to_ntstatus(rc, NT_STATUS_ACCESS_DISABLED_BY_POLICY_OTHER); -+ goto failed; -+ } - if (memcmp(lm_verifier.hash, r->in.lm_verifier->hash, 16) != 0) { - status = NT_STATUS_WRONG_PASSWORD; - goto failed; --- -2.23.0 - diff --git a/SOURCES/0183-smbdes-convert-des_crypt112-to-use-gnutls.patch b/SOURCES/0183-smbdes-convert-des_crypt112-to-use-gnutls.patch deleted file mode 100644 index 1ad3c9b..0000000 
--- a/SOURCES/0183-smbdes-convert-des_crypt112-to-use-gnutls.patch +++ /dev/null 
@@ -1,118 +0,0 @@ -From 41f45d98f22a7bae8d29fb3828452324c6b88eef Mon Sep 17 00:00:00 2001 -From: Isaac Boukris -Date: Wed, 20 Nov 2019 15:41:02 +0100 -Subject: [PATCH 183/187] smbdes: convert des_crypt112 to use gnutls - -Signed-off-by: Isaac Boukris -Reviewed-by: Andrew Bartlett -(cherry picked from commit 254739137bdaebca31163f1683bfd7111dfefe67) ---- - libcli/auth/credentials.c | 8 +++++++- - libcli/auth/proto.h | 3 ++- - libcli/auth/smbdes.c | 25 ++++++++++++++++++------- - libcli/auth/tests/test_gnutls.c | 7 +++++-- - 4 files changed, 32 insertions(+), 11 deletions(-) - -diff --git a/libcli/auth/credentials.c b/libcli/auth/credentials.c -index 1b94a06ebfb..5f65428a1d7 100644 ---- a/libcli/auth/credentials.c -+++ b/libcli/auth/credentials.c -@@ -38,6 +38,8 @@ static NTSTATUS netlogon_creds_step_crypt(struct netlogon_creds_CredentialState - struct netr_Credential *out) - { - NTSTATUS status; -+ int rc; -+ - if (creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) { - memcpy(out->data, in->data, sizeof(out->data)); - -@@ -48,7 +50,11 @@ static NTSTATUS netlogon_creds_step_crypt(struct netlogon_creds_CredentialState - return status; - } - } else { -- des_crypt112(out->data, in->data, creds->session_key, 1); -+ rc = des_crypt112(out->data, in->data, creds->session_key, SAMBA_GNUTLS_ENCRYPT); -+ if (rc != 0) { -+ return gnutls_error_to_ntstatus(rc, -+ NT_STATUS_ACCESS_DISABLED_BY_POLICY_OTHER); -+ } - } - - return NT_STATUS_OK; -diff --git a/libcli/auth/proto.h b/libcli/auth/proto.h -index 5e88d7527fd..3994db20a36 100644 ---- a/libcli/auth/proto.h -+++ b/libcli/auth/proto.h -@@ -227,7 +227,8 @@ int E_P16(const uint8_t *p14,uint8_t *p16); - int E_P24(const uint8_t *p21, const uint8_t *c8, uint8_t *p24); - int E_old_pw_hash( uint8_t *p14, const uint8_t *in, uint8_t *out); - int des_crypt128(uint8_t out[8], const uint8_t in[8], const uint8_t key[16]); --void des_crypt112(uint8_t out[8], const uint8_t in[8], const uint8_t key[14], int forw); -+int des_crypt112(uint8_t 
out[8], const uint8_t in[8], const uint8_t key[14], -+ enum samba_gnutls_direction encrypt); - void des_crypt112_16(uint8_t out[16], const uint8_t in[16], const uint8_t key[14], int forw); - int sam_rid_crypt(unsigned int rid, const uint8_t *in, uint8_t *out, - enum samba_gnutls_direction encrypt); -diff --git a/libcli/auth/smbdes.c b/libcli/auth/smbdes.c -index ec922da4727..8dc4fc4097c 100644 ---- a/libcli/auth/smbdes.c -+++ b/libcli/auth/smbdes.c -@@ -418,16 +418,27 @@ int des_crypt128(uint8_t out[8], const uint8_t in[8], const uint8_t key[16]) - } - - /* des encryption with a 112 bit (14 byte) key */ --void des_crypt112(uint8_t out[8], const uint8_t in[8], const uint8_t key[14], int forw) -+int des_crypt112(uint8_t out[8], const uint8_t in[8], const uint8_t key[14], -+ enum samba_gnutls_direction encrypt) - { - uint8_t buf[8]; -- if (forw) { -- des_crypt56(buf, in, key, forw); -- des_crypt56(out, buf, key+7, forw); -- } else { -- des_crypt56(buf, in, key+7, forw); -- des_crypt56(out, buf, key, forw); -+ int ret; -+ -+ if (encrypt == SAMBA_GNUTLS_ENCRYPT) { -+ ret = des_crypt56_gnutls(buf, in, key, SAMBA_GNUTLS_ENCRYPT); -+ if (ret != 0) { -+ return ret; -+ } -+ -+ return des_crypt56_gnutls(out, buf, key+7, SAMBA_GNUTLS_ENCRYPT); - } -+ -+ ret = des_crypt56_gnutls(buf, in, key+7, SAMBA_GNUTLS_DECRYPT); -+ if (ret != 0) { -+ return ret; -+ } -+ -+ return des_crypt56_gnutls(out, buf, key, SAMBA_GNUTLS_DECRYPT); - } - - /* des encryption of a 16 byte lump of data with a 112 bit key */ -diff --git a/libcli/auth/tests/test_gnutls.c b/libcli/auth/tests/test_gnutls.c -index 087afee09db..68a27adc894 100644 ---- a/libcli/auth/tests/test_gnutls.c -+++ b/libcli/auth/tests/test_gnutls.c -@@ -386,11 +386,14 @@ static void torture_gnutls_des_crypt112(void **state) - - uint8_t crypt[8]; - uint8_t decrypt[8]; -+ int rc; - -- des_crypt112(crypt, clear, key, 1); -+ rc = des_crypt112(crypt, clear, key, SAMBA_GNUTLS_ENCRYPT); -+ assert_int_equal(rc, 0); - assert_memory_equal(crypt, 
crypt_expected, 8); - -- des_crypt112(decrypt, crypt, key, 0); -+ rc = des_crypt112(decrypt, crypt, key, SAMBA_GNUTLS_DECRYPT); -+ assert_int_equal(rc, 0); - assert_memory_equal(decrypt, clear, 8); - } - --- -2.23.0 - diff --git a/SOURCES/0184-smbdes-convert-des_crypt112_16-to-use-gnutls.patch b/SOURCES/0184-smbdes-convert-des_crypt112_16-to-use-gnutls.patch deleted file mode 100644 index 31bbad8..0000000 --- a/SOURCES/0184-smbdes-convert-des_crypt112_16-to-use-gnutls.patch +++ /dev/null 
@@ -1,296 +0,0 @@ -From 8d840662df55c11616338af5c3b4b062485b19a4 Mon Sep 17 00:00:00 2001 -From: Isaac Boukris -Date: Wed, 20 Nov 2019 16:02:16 +0100 -Subject: [PATCH 184/187] smbdes: convert des_crypt112_16 to use gnutls - -Signed-off-by: Isaac Boukris -Reviewed-by: Andrew Bartlett -(cherry picked from commit dcc33103d5c0927bb3757974d4663df888dce95e) ---- - libcli/auth/credentials.c | 38 +++++++++++++++---- - libcli/auth/netlogon_creds_cli.c | 24 +++++++++--- - libcli/auth/proto.h | 9 +++-- - libcli/auth/smbdes.c | 13 +++++-- - libcli/auth/tests/test_gnutls.c | 7 +++- - source3/rpc_server/netlogon/srv_netlog_nt.c | 16 ++++++-- - source4/rpc_server/netlogon/dcerpc_netlogon.c | 13 +++++-- - 7 files changed, 92 insertions(+), 28 deletions(-) - -diff --git a/libcli/auth/credentials.c b/libcli/auth/credentials.c -index 5f65428a1d7..c541eeff470 100644 ---- a/libcli/auth/credentials.c -+++ b/libcli/auth/credentials.c -@@ -302,21 +302,37 @@ NTSTATUS netlogon_creds_des_decrypt_LMKey(struct netlogon_creds_CredentialState - /* - DES encrypt a 16 byte password buffer using the session key - */ --void netlogon_creds_des_encrypt(struct netlogon_creds_CredentialState *creds, struct samr_Password *pass) -+NTSTATUS netlogon_creds_des_encrypt(struct netlogon_creds_CredentialState *creds, -+ struct samr_Password *pass) - { - struct samr_Password tmp; -- des_crypt112_16(tmp.hash, pass->hash, creds->session_key, 1); -+ int rc; -+ -+ rc = des_crypt112_16(tmp.hash, pass->hash, creds->session_key, SAMBA_GNUTLS_ENCRYPT); -+ if (rc < 0) { -+ return gnutls_error_to_ntstatus(rc, NT_STATUS_ACCESS_DISABLED_BY_POLICY_OTHER); -+ } - *pass = tmp; -+ -+ return NT_STATUS_OK; - } - - /* - DES decrypt a 16 byte password buffer using the session key - */ --void netlogon_creds_des_decrypt(struct netlogon_creds_CredentialState *creds, struct samr_Password *pass) -+NTSTATUS netlogon_creds_des_decrypt(struct netlogon_creds_CredentialState *creds, -+ struct samr_Password *pass) - { - struct samr_Password 
tmp; -- des_crypt112_16(tmp.hash, pass->hash, creds->session_key, 0); -+ int rc; -+ -+ rc = des_crypt112_16(tmp.hash, pass->hash, creds->session_key, SAMBA_GNUTLS_DECRYPT); -+ if (rc < 0) { -+ return gnutls_error_to_ntstatus(rc, NT_STATUS_ACCESS_DISABLED_BY_POLICY_OTHER); -+ } - *pass = tmp; -+ -+ return NT_STATUS_OK; - } - - /* -@@ -993,17 +1009,23 @@ static NTSTATUS netlogon_creds_crypt_samlogon_logon(struct netlogon_creds_Creden - p = &logon->password->lmpassword; - if (!all_zero(p->hash, 16)) { - if (do_encrypt) { -- netlogon_creds_des_encrypt(creds, p); -+ status = netlogon_creds_des_encrypt(creds, p); - } else { -- netlogon_creds_des_decrypt(creds, p); -+ status = netlogon_creds_des_decrypt(creds, p); -+ } -+ if (!NT_STATUS_IS_OK(status)) { -+ return status; - } - } - p = &logon->password->ntpassword; - if (!all_zero(p->hash, 16)) { - if (do_encrypt) { -- netlogon_creds_des_encrypt(creds, p); -+ status = netlogon_creds_des_encrypt(creds, p); - } else { -- netlogon_creds_des_decrypt(creds, p); -+ status = netlogon_creds_des_decrypt(creds, p); -+ } -+ if (!NT_STATUS_IS_OK(status)) { -+ return status; - } - } - } -diff --git a/libcli/auth/netlogon_creds_cli.c b/libcli/auth/netlogon_creds_cli.c -index 0378f302ffa..c8f4227a924 100644 ---- a/libcli/auth/netlogon_creds_cli.c -+++ b/libcli/auth/netlogon_creds_cli.c -@@ -2032,8 +2032,12 @@ static void netlogon_creds_cli_ServerPasswordSet_locked(struct tevent_req *subre - return; - } - } else { -- netlogon_creds_des_encrypt(&state->tmp_creds, -- &state->samr_password); -+ status = netlogon_creds_des_encrypt(&state->tmp_creds, -+ &state->samr_password); -+ if (tevent_req_nterror(req, status)) { -+ netlogon_creds_cli_ServerPasswordSet_cleanup(req, status); -+ return; -+ } - - subreq = dcerpc_netr_ServerPasswordSet_send(state, state->ev, - state->binding_handle, -@@ -3187,14 +3191,22 @@ static void netlogon_creds_cli_ServerGetTrustInfo_done(struct tevent_req *subreq - cmp = memcmp(state->new_owf_password.hash, - 
zero.hash, sizeof(zero.hash)); - if (cmp != 0) { -- netlogon_creds_des_decrypt(&state->tmp_creds, -- &state->new_owf_password); -+ status = netlogon_creds_des_decrypt(&state->tmp_creds, -+ &state->new_owf_password); -+ if (tevent_req_nterror(req, status)) { -+ netlogon_creds_cli_ServerGetTrustInfo_cleanup(req, status); -+ return; -+ } - } - cmp = memcmp(state->old_owf_password.hash, - zero.hash, sizeof(zero.hash)); - if (cmp != 0) { -- netlogon_creds_des_decrypt(&state->tmp_creds, -- &state->old_owf_password); -+ status = netlogon_creds_des_decrypt(&state->tmp_creds, -+ &state->old_owf_password); -+ if (tevent_req_nterror(req, status)) { -+ netlogon_creds_cli_ServerGetTrustInfo_cleanup(req, status); -+ return; -+ } - } - - *state->creds = state->tmp_creds; -diff --git a/libcli/auth/proto.h b/libcli/auth/proto.h -index 3994db20a36..4c6d7af6763 100644 ---- a/libcli/auth/proto.h -+++ b/libcli/auth/proto.h -@@ -17,8 +17,10 @@ NTSTATUS netlogon_creds_des_encrypt_LMKey(struct netlogon_creds_CredentialState - struct netr_LMSessionKey *key); - NTSTATUS netlogon_creds_des_decrypt_LMKey(struct netlogon_creds_CredentialState *creds, - struct netr_LMSessionKey *key); --void netlogon_creds_des_encrypt(struct netlogon_creds_CredentialState *creds, struct samr_Password *pass); --void netlogon_creds_des_decrypt(struct netlogon_creds_CredentialState *creds, struct samr_Password *pass); -+NTSTATUS netlogon_creds_des_encrypt(struct netlogon_creds_CredentialState *creds, -+ struct samr_Password *pass); -+NTSTATUS netlogon_creds_des_decrypt(struct netlogon_creds_CredentialState *creds, -+ struct samr_Password *pass); - NTSTATUS netlogon_creds_arcfour_crypt(struct netlogon_creds_CredentialState *creds, - uint8_t *data, - size_t len); -@@ -229,7 +231,8 @@ int E_old_pw_hash( uint8_t *p14, const uint8_t *in, uint8_t *out); - int des_crypt128(uint8_t out[8], const uint8_t in[8], const uint8_t key[16]); - int des_crypt112(uint8_t out[8], const uint8_t in[8], const uint8_t key[14], - enum 
samba_gnutls_direction encrypt); --void des_crypt112_16(uint8_t out[16], const uint8_t in[16], const uint8_t key[14], int forw); -+int des_crypt112_16(uint8_t out[16], const uint8_t in[16], const uint8_t key[14], -+ enum samba_gnutls_direction encrypt); - int sam_rid_crypt(unsigned int rid, const uint8_t *in, uint8_t *out, - enum samba_gnutls_direction encrypt); - #undef _PRINTF_ATTRIBUTE -diff --git a/libcli/auth/smbdes.c b/libcli/auth/smbdes.c -index 8dc4fc4097c..8fc79dc5c71 100644 ---- a/libcli/auth/smbdes.c -+++ b/libcli/auth/smbdes.c -@@ -442,10 +442,17 @@ int des_crypt112(uint8_t out[8], const uint8_t in[8], const uint8_t key[14], - } - - /* des encryption of a 16 byte lump of data with a 112 bit key */ --void des_crypt112_16(uint8_t out[16], const uint8_t in[16], const uint8_t key[14], int forw) -+int des_crypt112_16(uint8_t out[16], const uint8_t in[16], const uint8_t key[14], -+ enum samba_gnutls_direction encrypt) - { -- des_crypt56(out, in, key, forw); -- des_crypt56(out + 8, in + 8, key+7, forw); -+ int ret; -+ -+ ret = des_crypt56_gnutls(out, in, key, encrypt); -+ if (ret != 0) { -+ return ret; -+ } -+ -+ return des_crypt56_gnutls(out + 8, in + 8, key+7, encrypt); - } - - /* Decode a sam password hash into a password. 
The password hash is the -diff --git a/libcli/auth/tests/test_gnutls.c b/libcli/auth/tests/test_gnutls.c -index 68a27adc894..a6692b9a913 100644 ---- a/libcli/auth/tests/test_gnutls.c -+++ b/libcli/auth/tests/test_gnutls.c -@@ -414,11 +414,14 @@ static void torture_gnutls_des_crypt112_16(void **state) - - uint8_t crypt[16]; - uint8_t decrypt[16]; -+ int rc; - -- des_crypt112_16(crypt, clear, key, 1); -+ rc = des_crypt112_16(crypt, clear, key, SAMBA_GNUTLS_ENCRYPT); -+ assert_int_equal(rc, 0); - assert_memory_equal(crypt, crypt_expected, 16); - -- des_crypt112_16(decrypt, crypt, key, 0); -+ rc = des_crypt112_16(decrypt, crypt, key, SAMBA_GNUTLS_DECRYPT); -+ assert_int_equal(rc, 0); - assert_memory_equal(decrypt, clear, 16); - } - -diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c -index 671300676ff..124bae95064 100644 ---- a/source3/rpc_server/netlogon/srv_netlog_nt.c -+++ b/source3/rpc_server/netlogon/srv_netlog_nt.c -@@ -1311,7 +1311,10 @@ NTSTATUS _netr_ServerPasswordSet(struct pipes_struct *p, - DEBUG(3,("_netr_ServerPasswordSet: Server Password Set by remote machine:[%s] on account [%s]\n", - r->in.computer_name, creds->computer_name)); - -- netlogon_creds_des_decrypt(creds, r->in.new_password); -+ status = netlogon_creds_des_decrypt(creds, r->in.new_password); -+ if (!NT_STATUS_IS_OK(status)) { -+ return status; -+ } - - DEBUG(100,("_netr_ServerPasswordSet: new given value was :\n")); - for(i = 0; i < sizeof(r->in.new_password->hash); i++) -@@ -2560,6 +2563,7 @@ static NTSTATUS get_password_from_trustAuth(TALLOC_CTX *mem_ctx, - { - enum ndr_err_code ndr_err; - struct trustAuthInOutBlob trustAuth; -+ NTSTATUS status; - - ndr_err = ndr_pull_struct_blob_all(trustAuth_blob, mem_ctx, &trustAuth, - (ndr_pull_flags_fn_t)ndr_pull_trustAuthInOutBlob); -@@ -2572,7 +2576,10 @@ static NTSTATUS get_password_from_trustAuth(TALLOC_CTX *mem_ctx, - mdfour(current_pw_enc->hash, - 
trustAuth.current.array[0].AuthInfo.clear.password, - trustAuth.current.array[0].AuthInfo.clear.size); -- netlogon_creds_des_encrypt(creds, current_pw_enc); -+ status = netlogon_creds_des_encrypt(creds, current_pw_enc); -+ if (!NT_STATUS_IS_OK(status)) { -+ return status; -+ } - } else { - return NT_STATUS_UNSUCCESSFUL; - } -@@ -2583,7 +2590,10 @@ static NTSTATUS get_password_from_trustAuth(TALLOC_CTX *mem_ctx, - mdfour(previous_pw_enc->hash, - trustAuth.previous.array[0].AuthInfo.clear.password, - trustAuth.previous.array[0].AuthInfo.clear.size); -- netlogon_creds_des_encrypt(creds, previous_pw_enc); -+ status = netlogon_creds_des_encrypt(creds, previous_pw_enc); -+ if (!NT_STATUS_IS_OK(status)) { -+ return status; -+ } - } else { - ZERO_STRUCTP(previous_pw_enc); - } -diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c -index 49a075137ff..6c92db7b53a 100644 ---- a/source4/rpc_server/netlogon/dcerpc_netlogon.c -+++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c -@@ -678,7 +678,8 @@ static NTSTATUS dcesrv_netr_ServerPasswordSet(struct dcesrv_call_state *dce_call - return NT_STATUS_INVALID_SYSTEM_SERVICE; - } - -- netlogon_creds_des_decrypt(creds, r->in.new_password); -+ nt_status = netlogon_creds_des_decrypt(creds, r->in.new_password); -+ NT_STATUS_NOT_OK_RETURN(nt_status); - - /* fetch the old password hashes (the NT hash has to exist) */ - -@@ -4193,11 +4194,17 @@ static NTSTATUS dcesrv_netr_ServerGetTrustInfo(struct dcesrv_call_state *dce_cal - - if (curNtHash != NULL) { - *r->out.new_owf_password = *curNtHash; -- netlogon_creds_des_encrypt(creds, r->out.new_owf_password); -+ nt_status = netlogon_creds_des_encrypt(creds, r->out.new_owf_password); -+ if (!NT_STATUS_IS_OK(nt_status)) { -+ return nt_status; -+ } - } - if (prevNtHash != NULL) { - *r->out.old_owf_password = *prevNtHash; -- netlogon_creds_des_encrypt(creds, r->out.old_owf_password); -+ nt_status = netlogon_creds_des_encrypt(creds, 
r->out.old_owf_password); -+ if (!NT_STATUS_IS_OK(nt_status)) { -+ return nt_status; -+ } - } - - if (trust_info != NULL) { --- -2.23.0 - diff --git a/SOURCES/0185-session-convert-sess_crypt_blob-to-use-gnutls.patch b/SOURCES/0185-session-convert-sess_crypt_blob-to-use-gnutls.patch deleted file mode 100644 index 8d540a8..0000000 --- a/SOURCES/0185-session-convert-sess_crypt_blob-to-use-gnutls.patch +++ /dev/null 
@@ -1,449 +0,0 @@ -From 3f2ab4815d9ddf6a6d4a6d8904f528f05d1802cf Mon Sep 17 00:00:00 2001 -From: Isaac Boukris -Date: Thu, 21 Nov 2019 14:02:03 +0100 -Subject: [PATCH 185/187] session: convert sess_crypt_blob to use gnutls - -Signed-off-by: Isaac Boukris -Reviewed-by: Andrew Bartlett -(cherry picked from commit a75ca8d5d515aef1229acf5a30489ee5f5ced3e1) ---- - libcli/auth/proto.h | 4 +- - libcli/auth/session.c | 42 ++++++++++++++++----- - libcli/auth/tests/test_gnutls.c | 7 +++- - source3/rpc_server/netlogon/srv_netlog_nt.c | 7 +++- - source3/rpc_server/samr/srv_samr_nt.c | 27 +++++++++++-- - source3/rpcclient/cmd_samr.c | 25 ++++++++++-- - source4/rpc_server/samr/samr_password.c | 13 ++++++- - source4/torture/rpc/samr.c | 16 ++++---- - 8 files changed, 108 insertions(+), 33 deletions(-) - -diff --git a/libcli/auth/proto.h b/libcli/auth/proto.h -index 4c6d7af6763..09ff3687fb7 100644 ---- a/libcli/auth/proto.h -+++ b/libcli/auth/proto.h -@@ -90,8 +90,8 @@ union netr_LogonLevel *netlogon_creds_shallow_copy_logon(TALLOC_CTX *mem_ctx, - - /* The following definitions come from /home/jeremy/src/samba/git/master/source3/../source4/../libcli/auth/session.c */ - --void sess_crypt_blob(DATA_BLOB *out, const DATA_BLOB *in, const DATA_BLOB *session_key, -- bool forward); -+int sess_crypt_blob(DATA_BLOB *out, const DATA_BLOB *in, const DATA_BLOB *session_key, -+ enum samba_gnutls_direction encrypt); - DATA_BLOB sess_encrypt_string(const char *str, const DATA_BLOB *session_key); - char *sess_decrypt_string(TALLOC_CTX *mem_ctx, - DATA_BLOB *blob, const DATA_BLOB *session_key); -diff --git a/libcli/auth/session.c b/libcli/auth/session.c -index 10c728662db..4af70d361af 100644 ---- a/libcli/auth/session.c -+++ b/libcli/auth/session.c -@@ -29,10 +29,10 @@ - before calling, the out blob must be initialised to be the same size - as the in blob - */ --void sess_crypt_blob(DATA_BLOB *out, const DATA_BLOB *in, const DATA_BLOB *session_key, -- bool forward) -+int sess_crypt_blob(DATA_BLOB 
*out, const DATA_BLOB *in, const DATA_BLOB *session_key, -+ enum samba_gnutls_direction encrypt) - { -- int i, k; -+ int i, k, rc; - - for (i=0,k=0; - ilength; -@@ -47,10 +47,14 @@ void sess_crypt_blob(DATA_BLOB *out, const DATA_BLOB *in, const DATA_BLOB *sessi - } - memcpy(key, &session_key->data[k], 7); - -- des_crypt56(bout, bin, key, forward?1:0); -+ rc = des_crypt56_gnutls(bout, bin, key, encrypt); -+ if (rc != 0) { -+ return rc; -+ } - - memcpy(&out->data[i], bout, MIN(8, in->length-i)); - } -+ return 0; - } - - -@@ -67,6 +71,7 @@ DATA_BLOB sess_encrypt_string(const char *str, const DATA_BLOB *session_key) - DATA_BLOB ret, src; - int slen = strlen(str); - int dlen = (slen+7) & ~7; -+ int rc; - - src = data_blob(NULL, 8+dlen); - if (!src.data) { -@@ -84,9 +89,13 @@ DATA_BLOB sess_encrypt_string(const char *str, const DATA_BLOB *session_key) - memset(src.data+8, 0, dlen); - memcpy(src.data+8, str, slen); - -- sess_crypt_blob(&ret, &src, session_key, true); -+ rc = sess_crypt_blob(&ret, &src, session_key, SAMBA_GNUTLS_ENCRYPT); - - data_blob_free(&src); -+ if (rc != 0) { -+ data_blob_free(&ret); -+ return data_blob(NULL, 0); -+ } - - return ret; - } -@@ -100,7 +109,7 @@ char *sess_decrypt_string(TALLOC_CTX *mem_ctx, - DATA_BLOB *blob, const DATA_BLOB *session_key) - { - DATA_BLOB out; -- int slen; -+ int rc, slen; - char *ret; - - if (blob->length < 8) { -@@ -112,7 +121,11 @@ char *sess_decrypt_string(TALLOC_CTX *mem_ctx, - return NULL; - } - -- sess_crypt_blob(&out, blob, session_key, false); -+ rc = sess_crypt_blob(&out, blob, session_key, SAMBA_GNUTLS_DECRYPT); -+ if (rc != 0) { -+ data_blob_free(&out); -+ return NULL; -+ } - - if (IVAL(out.data, 4) != 1) { - DEBUG(0,("Unexpected revision number %d in session crypted string\n", -@@ -149,6 +162,7 @@ DATA_BLOB sess_encrypt_blob(TALLOC_CTX *mem_ctx, DATA_BLOB *blob_in, const DATA_ - { - DATA_BLOB ret, src; - int dlen = (blob_in->length+7) & ~7; -+ int rc; - - src = data_blob_talloc(mem_ctx, NULL, 8+dlen); - if 
(!src.data) { -@@ -166,9 +180,13 @@ DATA_BLOB sess_encrypt_blob(TALLOC_CTX *mem_ctx, DATA_BLOB *blob_in, const DATA_ - memset(src.data+8, 0, dlen); - memcpy(src.data+8, blob_in->data, blob_in->length); - -- sess_crypt_blob(&ret, &src, session_key, true); -+ rc = sess_crypt_blob(&ret, &src, session_key, SAMBA_GNUTLS_ENCRYPT); - - data_blob_free(&src); -+ if (rc != 0) { -+ data_blob_free(&ret); -+ return data_blob(NULL, 0); -+ } - - return ret; - } -@@ -180,7 +198,7 @@ NTSTATUS sess_decrypt_blob(TALLOC_CTX *mem_ctx, const DATA_BLOB *blob, const DAT - DATA_BLOB *ret) - { - DATA_BLOB out; -- int slen; -+ int rc, slen; - - if (blob->length < 8) { - DEBUG(0, ("Unexpected length %d in session crypted secret (BLOB)\n", -@@ -193,7 +211,11 @@ NTSTATUS sess_decrypt_blob(TALLOC_CTX *mem_ctx, const DATA_BLOB *blob, const DAT - return NT_STATUS_NO_MEMORY; - } - -- sess_crypt_blob(&out, blob, session_key, false); -+ rc = sess_crypt_blob(&out, blob, session_key, SAMBA_GNUTLS_DECRYPT); -+ if (rc != 0) { -+ data_blob_free(&out); -+ return gnutls_error_to_ntstatus(rc, NT_STATUS_ACCESS_DISABLED_BY_POLICY_OTHER); -+ } - - if (IVAL(out.data, 4) != 1) { - DEBUG(2,("Unexpected revision number %d in session crypted secret (BLOB)\n", -diff --git a/libcli/auth/tests/test_gnutls.c b/libcli/auth/tests/test_gnutls.c -index a6692b9a913..707a1bcecc3 100644 ---- a/libcli/auth/tests/test_gnutls.c -+++ b/libcli/auth/tests/test_gnutls.c -@@ -494,11 +494,14 @@ static void torture_gnutls_sess_crypt_blob(void **state) - }; - DATA_BLOB crypt = data_blob(NULL, 24); - DATA_BLOB decrypt = data_blob(NULL, 24); -+ int rc; - -- sess_crypt_blob(&crypt, &clear, &key, true); -+ rc = sess_crypt_blob(&crypt, &clear, &key, SAMBA_GNUTLS_ENCRYPT); -+ assert_int_equal(rc, 0); - assert_memory_equal(crypt.data, crypt_expected, 24); - -- sess_crypt_blob(&decrypt, &crypt, &key, false); -+ rc = sess_crypt_blob(&decrypt, &crypt, &key, SAMBA_GNUTLS_DECRYPT); -+ assert_int_equal(rc, 0); - assert_memory_equal(decrypt.data, 
clear.data, 24); - } - -diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c -index 124bae95064..cbbf9feedc7 100644 ---- a/source3/rpc_server/netlogon/srv_netlog_nt.c -+++ b/source3/rpc_server/netlogon/srv_netlog_nt.c -@@ -1220,7 +1220,12 @@ static NTSTATUS netr_set_machine_account_password(TALLOC_CTX *mem_ctx, - status = NT_STATUS_NO_MEMORY; - goto out; - } -- sess_crypt_blob(&out, &in, &session_key, true); -+ rc = sess_crypt_blob(&out, &in, &session_key, SAMBA_GNUTLS_ENCRYPT); -+ if (rc != 0) { -+ status = gnutls_error_to_ntstatus(rc, -+ NT_STATUS_ACCESS_DISABLED_BY_POLICY_OTHER); -+ goto out; -+ } - memcpy(info18.nt_pwd.hash, out.data, out.length); - - info18.nt_pwd_active = true; -diff --git a/source3/rpc_server/samr/srv_samr_nt.c b/source3/rpc_server/samr/srv_samr_nt.c -index 87214b2899e..91771e34502 100644 ---- a/source3/rpc_server/samr/srv_samr_nt.c -+++ b/source3/rpc_server/samr/srv_samr_nt.c -@@ -4411,6 +4411,8 @@ static NTSTATUS set_user_info_18(struct samr_UserInfo18 *id18, - DATA_BLOB *session_key, - struct samu *pwd) - { -+ int rc; -+ - if (id18 == NULL) { - DEBUG(2, ("set_user_info_18: id18 is NULL\n")); - return NT_STATUS_INVALID_PARAMETER; -@@ -4429,7 +4431,11 @@ static NTSTATUS set_user_info_18(struct samr_UserInfo18 *id18, - in = data_blob_const(id18->nt_pwd.hash, 16); - out = data_blob_talloc_zero(mem_ctx, 16); - -- sess_crypt_blob(&out, &in, session_key, false); -+ rc = sess_crypt_blob(&out, &in, session_key, SAMBA_GNUTLS_DECRYPT); -+ if (rc != 0) { -+ return gnutls_error_to_ntstatus(rc, -+ NT_STATUS_ACCESS_DISABLED_BY_POLICY_OTHER); -+ } - - if (!pdb_set_nt_passwd(pwd, out.data, PDB_CHANGED)) { - return NT_STATUS_ACCESS_DENIED; -@@ -4445,7 +4451,11 @@ static NTSTATUS set_user_info_18(struct samr_UserInfo18 *id18, - in = data_blob_const(id18->lm_pwd.hash, 16); - out = data_blob_talloc_zero(mem_ctx, 16); - -- sess_crypt_blob(&out, &in, session_key, false); -+ rc = sess_crypt_blob(&out, &in, 
session_key, SAMBA_GNUTLS_DECRYPT); -+ if (rc != 0) { -+ return gnutls_error_to_ntstatus(rc, -+ NT_STATUS_ACCESS_DISABLED_BY_POLICY_OTHER); -+ } - - if (!pdb_set_lanman_passwd(pwd, out.data, PDB_CHANGED)) { - return NT_STATUS_ACCESS_DENIED; -@@ -4487,6 +4497,7 @@ static NTSTATUS set_user_info_21(struct samr_UserInfo21 *id21, - struct samu *pwd) - { - NTSTATUS status; -+ int rc; - - if (id21 == NULL) { - DEBUG(5, ("set_user_info_21: NULL id21\n")); -@@ -4517,7 +4528,11 @@ static NTSTATUS set_user_info_21(struct samr_UserInfo21 *id21, - in = data_blob_const(id21->nt_owf_password.array, 16); - out = data_blob_talloc_zero(mem_ctx, 16); - -- sess_crypt_blob(&out, &in, session_key, false); -+ rc = sess_crypt_blob(&out, &in, session_key, SAMBA_GNUTLS_DECRYPT); -+ if (rc != 0) { -+ return gnutls_error_to_ntstatus(rc, -+ NT_STATUS_ACCESS_DISABLED_BY_POLICY_OTHER); -+ } - - pdb_set_nt_passwd(pwd, out.data, PDB_CHANGED); - pdb_set_pass_last_set_time(pwd, time(NULL), PDB_CHANGED); -@@ -4540,7 +4555,11 @@ static NTSTATUS set_user_info_21(struct samr_UserInfo21 *id21, - in = data_blob_const(id21->lm_owf_password.array, 16); - out = data_blob_talloc_zero(mem_ctx, 16); - -- sess_crypt_blob(&out, &in, session_key, false); -+ rc = sess_crypt_blob(&out, &in, session_key, SAMBA_GNUTLS_DECRYPT); -+ if (rc != 0) { -+ return gnutls_error_to_ntstatus(rc, -+ NT_STATUS_ACCESS_DISABLED_BY_POLICY_OTHER); -+ } - - pdb_set_lanman_passwd(pwd, out.data, PDB_CHANGED); - pdb_set_pass_last_set_time(pwd, time(NULL), PDB_CHANGED); -diff --git a/source3/rpcclient/cmd_samr.c b/source3/rpcclient/cmd_samr.c -index 0cd8b50058e..de95eb2160d 100644 ---- a/source3/rpcclient/cmd_samr.c -+++ b/source3/rpcclient/cmd_samr.c -@@ -3044,6 +3044,7 @@ static NTSTATUS cmd_samr_setuserinfo_int(struct rpc_pipe_client *cli, - uint8_t password_expired = 0; - struct dcerpc_binding_handle *b = cli->binding_handle; - TALLOC_CTX *frame = NULL; -+ int rc; - - if (argc < 4) { - printf("Usage: %s username level password 
[password_expired]\n", -@@ -3086,7 +3087,11 @@ static NTSTATUS cmd_samr_setuserinfo_int(struct rpc_pipe_client *cli, - status = NT_STATUS_NO_MEMORY; - goto done; - } -- sess_crypt_blob(&out, &in, &session_key, true); -+ rc = sess_crypt_blob(&out, &in, &session_key, SAMBA_GNUTLS_ENCRYPT); -+ if (rc != 0) { -+ status = gnutls_error_to_ntstatus(rc, -+ NT_STATUS_ACCESS_DISABLED_BY_POLICY_OTHER); -+ } - memcpy(nt_hash, out.data, out.length); - } - { -@@ -3097,7 +3102,11 @@ static NTSTATUS cmd_samr_setuserinfo_int(struct rpc_pipe_client *cli, - status = NT_STATUS_NO_MEMORY; - goto done; - } -- sess_crypt_blob(&out, &in, &session_key, true); -+ rc = sess_crypt_blob(&out, &in, &session_key, SAMBA_GNUTLS_ENCRYPT); -+ if (rc != 0) { -+ status = gnutls_error_to_ntstatus(rc, -+ NT_STATUS_ACCESS_DISABLED_BY_POLICY_OTHER); -+ } - memcpy(lm_hash, out.data, out.length); - } - -@@ -3134,7 +3143,11 @@ static NTSTATUS cmd_samr_setuserinfo_int(struct rpc_pipe_client *cli, - status = NT_STATUS_NO_MEMORY; - goto done; - } -- sess_crypt_blob(&out, &in, &session_key, true); -+ rc = sess_crypt_blob(&out, &in, &session_key, SAMBA_GNUTLS_ENCRYPT); -+ if (rc != 0) { -+ status = gnutls_error_to_ntstatus(rc, -+ NT_STATUS_ACCESS_DISABLED_BY_POLICY_OTHER); -+ } - info.info21.nt_owf_password.array = - (uint16_t *)talloc_memdup(frame, out.data, 16); - } -@@ -3142,7 +3155,11 @@ static NTSTATUS cmd_samr_setuserinfo_int(struct rpc_pipe_client *cli, - DATA_BLOB in,out; - in = data_blob_const(lm_hash, 16); - out = data_blob_talloc_zero(frame, 16); -- sess_crypt_blob(&out, &in, &session_key, true); -+ rc = sess_crypt_blob(&out, &in, &session_key, SAMBA_GNUTLS_ENCRYPT); -+ if (rc != 0) { -+ status = gnutls_error_to_ntstatus(rc, -+ NT_STATUS_ACCESS_DISABLED_BY_POLICY_OTHER); -+ } - info.info21.lm_owf_password.array = - (uint16_t *)talloc_memdup(frame, out.data, 16); - if (out.data == NULL) { -diff --git a/source4/rpc_server/samr/samr_password.c b/source4/rpc_server/samr/samr_password.c -index 
4fa00bf6360..fba236ebdd7 100644 ---- a/source4/rpc_server/samr/samr_password.c -+++ b/source4/rpc_server/samr/samr_password.c -@@ -737,6 +737,7 @@ NTSTATUS samr_set_password_buffers(struct dcesrv_call_state *dce_call, - DATA_BLOB session_key = data_blob(NULL, 0); - DATA_BLOB in, out; - NTSTATUS nt_status = NT_STATUS_OK; -+ int rc; - - nt_status = dcesrv_transport_session_key(dce_call, &session_key); - if (NT_STATUS_EQUAL(nt_status, NT_STATUS_NO_USER_SESSION_KEY)) { -@@ -761,7 +762,11 @@ NTSTATUS samr_set_password_buffers(struct dcesrv_call_state *dce_call, - in = data_blob_const(lm_pwd_hash, 16); - out = data_blob_talloc_zero(mem_ctx, 16); - -- sess_crypt_blob(&out, &in, &session_key, false); -+ rc = sess_crypt_blob(&out, &in, &session_key, SAMBA_GNUTLS_DECRYPT); -+ if (rc != 0) { -+ return gnutls_error_to_ntstatus(rc, -+ NT_STATUS_ACCESS_DISABLED_BY_POLICY_OTHER); -+ } - - d_lm_pwd_hash = (struct samr_Password *) out.data; - } -@@ -769,7 +774,11 @@ NTSTATUS samr_set_password_buffers(struct dcesrv_call_state *dce_call, - in = data_blob_const(nt_pwd_hash, 16); - out = data_blob_talloc_zero(mem_ctx, 16); - -- sess_crypt_blob(&out, &in, &session_key, false); -+ rc = sess_crypt_blob(&out, &in, &session_key, SAMBA_GNUTLS_DECRYPT); -+ if (rc != 0) { -+ return gnutls_error_to_ntstatus(rc, -+ NT_STATUS_ACCESS_DISABLED_BY_POLICY_OTHER); -+ } - - d_nt_pwd_hash = (struct samr_Password *) out.data; - } -diff --git a/source4/torture/rpc/samr.c b/source4/torture/rpc/samr.c -index 4b3ad093bf6..1961c05b5f6 100644 ---- a/source4/torture/rpc/samr.c -+++ b/source4/torture/rpc/samr.c -@@ -1007,14 +1007,14 @@ static bool test_SetUserPass_18(struct dcerpc_pipe *p, struct torture_context *t - DATA_BLOB in,out; - in = data_blob_const(nt_hash, 16); - out = data_blob_talloc_zero(tctx, 16); -- sess_crypt_blob(&out, &in, &session_key, true); -+ sess_crypt_blob(&out, &in, &session_key, SAMBA_GNUTLS_ENCRYPT); - memcpy(u.info18.nt_pwd.hash, out.data, out.length); - } - { - DATA_BLOB in,out; - in 
= data_blob_const(lm_hash, 16); - out = data_blob_talloc_zero(tctx, 16); -- sess_crypt_blob(&out, &in, &session_key, true); -+ sess_crypt_blob(&out, &in, &session_key, SAMBA_GNUTLS_ENCRYPT); - memcpy(u.info18.lm_pwd.hash, out.data, out.length); - } - -@@ -1096,7 +1096,7 @@ static bool test_SetUserPass_21(struct dcerpc_pipe *p, struct torture_context *t - in = data_blob_const(u.info21.lm_owf_password.array, - u.info21.lm_owf_password.length); - out = data_blob_talloc_zero(tctx, 16); -- sess_crypt_blob(&out, &in, &session_key, true); -+ sess_crypt_blob(&out, &in, &session_key, SAMBA_GNUTLS_ENCRYPT); - u.info21.lm_owf_password.array = (uint16_t *)out.data; - } - -@@ -1105,7 +1105,7 @@ static bool test_SetUserPass_21(struct dcerpc_pipe *p, struct torture_context *t - in = data_blob_const(u.info21.nt_owf_password.array, - u.info21.nt_owf_password.length); - out = data_blob_talloc_zero(tctx, 16); -- sess_crypt_blob(&out, &in, &session_key, true); -+ sess_crypt_blob(&out, &in, &session_key, SAMBA_GNUTLS_ENCRYPT); - u.info21.nt_owf_password.array = (uint16_t *)out.data; - } - -@@ -1272,14 +1272,14 @@ static bool test_SetUserPass_level_ex(struct dcerpc_pipe *p, - DATA_BLOB in,out; - in = data_blob_const(u.info18.nt_pwd.hash, 16); - out = data_blob_talloc_zero(tctx, 16); -- sess_crypt_blob(&out, &in, &session_key, true); -+ sess_crypt_blob(&out, &in, &session_key, SAMBA_GNUTLS_ENCRYPT); - memcpy(u.info18.nt_pwd.hash, out.data, out.length); - } - { - DATA_BLOB in,out; - in = data_blob_const(u.info18.lm_pwd.hash, 16); - out = data_blob_talloc_zero(tctx, 16); -- sess_crypt_blob(&out, &in, &session_key, true); -+ sess_crypt_blob(&out, &in, &session_key, SAMBA_GNUTLS_ENCRYPT); - memcpy(u.info18.lm_pwd.hash, out.data, out.length); - } - -@@ -1290,7 +1290,7 @@ static bool test_SetUserPass_level_ex(struct dcerpc_pipe *p, - in = data_blob_const(u.info21.lm_owf_password.array, - u.info21.lm_owf_password.length); - out = data_blob_talloc_zero(tctx, 16); -- sess_crypt_blob(&out, &in, 
&session_key, true); -+ sess_crypt_blob(&out, &in, &session_key, SAMBA_GNUTLS_ENCRYPT); - u.info21.lm_owf_password.array = (uint16_t *)out.data; - } - if (fields_present & SAMR_FIELD_NT_PASSWORD_PRESENT) { -@@ -1298,7 +1298,7 @@ static bool test_SetUserPass_level_ex(struct dcerpc_pipe *p, - in = data_blob_const(u.info21.nt_owf_password.array, - u.info21.nt_owf_password.length); - out = data_blob_talloc_zero(tctx, 16); -- sess_crypt_blob(&out, &in, &session_key, true); -+ sess_crypt_blob(&out, &in, &session_key, SAMBA_GNUTLS_ENCRYPT); - u.info21.nt_owf_password.array = (uint16_t *)out.data; - } - break; --- -2.23.0 - diff --git a/SOURCES/0186-sess_crypt_blob-can-only-crypt-blobs-whose-size-divi.patch b/SOURCES/0186-sess_crypt_blob-can-only-crypt-blobs-whose-size-divi.patch deleted file mode 100644 index 8d365a1..0000000 --- a/SOURCES/0186-sess_crypt_blob-can-only-crypt-blobs-whose-size-divi.patch +++ /dev/null 
@@ -1,48 +0,0 @@ -From 211f398a262298286029df78530a42fae0c7390d Mon Sep 17 00:00:00 2001 -From: Isaac Boukris -Date: Thu, 21 Nov 2019 15:13:19 +0100 -Subject: [PATCH 186/187] sess_crypt_blob can only crypt blobs whose size - divides by 8 - -Signed-off-by: Isaac Boukris -Reviewed-by: Andrew Bartlett -(cherry picked from commit b5d8f1f78a04719c6a5d15aa92ae398be326fe56) ---- - libcli/auth/session.c | 9 ++++++--- - 1 file changed, 6 insertions(+), 3 deletions(-) - -diff --git a/libcli/auth/session.c b/libcli/auth/session.c -index 4af70d361af..43ce9d54fdc 100644 ---- a/libcli/auth/session.c -+++ b/libcli/auth/session.c -@@ -34,13 +34,16 @@ int sess_crypt_blob(DATA_BLOB *out, const DATA_BLOB *in, const DATA_BLOB *sessio - { - int i, k, rc; - -+ if (in->length % 8 != 0) { -+ return GNUTLS_E_INVALID_REQUEST; -+ } -+ - for (i=0,k=0; - ilength; - i += 8, k += 7) { - uint8_t bin[8], bout[8], key[7]; - -- memset(bin, 0, 8); -- memcpy(bin, &in->data[i], MIN(8, in->length-i)); -+ memcpy(bin, &in->data[i], 8); - - if (k + 7 > session_key->length) { - k = (session_key->length - k); -@@ -52,7 +55,7 @@ int sess_crypt_blob(DATA_BLOB *out, const DATA_BLOB *in, const DATA_BLOB *sessio - return rc; - } - -- memcpy(&out->data[i], bout, MIN(8, in->length-i)); -+ memcpy(&out->data[i], bout, 8); - } - return 0; - } --- -2.23.0 - diff --git a/SOURCES/0187-smbdes-remove-old-unused-DES-builtin-crypto.patch b/SOURCES/0187-smbdes-remove-old-unused-DES-builtin-crypto.patch deleted file mode 100644 index 7195224..0000000 --- a/SOURCES/0187-smbdes-remove-old-unused-DES-builtin-crypto.patch +++ /dev/null 
@@ -1,328 +0,0 @@
-From eb167a425b9a3c50d8cf1237ed1d5f726d58a3b8 Mon Sep 17 00:00:00 2001
-From: Isaac Boukris
-Date: Mon, 21 Oct 2019 20:03:04 +0300
-Subject: [PATCH 187/187] smbdes: remove old unused DES builtin-crypto
-
-Signed-off-by: Isaac Boukris
-Reviewed-by: Andrew Bartlett
-(cherry picked from commit fe2577a40c19c99c29dd54c7c43e12f3d43493be)
----
- libcli/auth/proto.h | 1 -
- libcli/auth/smbdes.c | 264 --------------------------------
- libcli/auth/tests/test_gnutls.c | 6 -
- 3 files changed, 271 deletions(-)
-
-diff --git a/libcli/auth/proto.h b/libcli/auth/proto.h
-index 09ff3687fb7..88f4a7c6c50 100644
---- a/libcli/auth/proto.h
-+++ b/libcli/auth/proto.h
-@@ -222,7 +222,6 @@ WERROR decode_wkssvc_join_password_buffer(TALLOC_CTX *mem_ctx,
-
- /* The following definitions come from /home/jeremy/src/samba/git/master/source3/../source4/../libcli/auth/smbdes.c */
-
--void des_crypt56(uint8_t out[8], const uint8_t in[8], const uint8_t key[7], int forw);
- int des_crypt56_gnutls(uint8_t out[8], const uint8_t in[8], const uint8_t key[7],
- enum samba_gnutls_direction encrypt);
- int E_P16(const uint8_t *p14,uint8_t *p16);
-diff --git a/libcli/auth/smbdes.c b/libcli/auth/smbdes.c
-index 8fc79dc5c71..c6c44419306 100644
---- a/libcli/auth/smbdes.c
-+++ b/libcli/auth/smbdes.c
-@@ -26,239 +26,6 @@
- #include
- #include
-
--/* NOTES:
--
-- This code makes no attempt to be fast! In fact, it is a very
-- slow implementation
--
-- This code is NOT a complete DES implementation. It implements only
-- the minimum necessary for SMB authentication, as used by all SMB
-- products (including every copy of Microsoft Windows95 ever sold)
--
-- In particular, it can only do a unchained forward DES pass. This
-- means it is not possible to use this code for encryption/decryption
-- of data, instead it is only useful as a "hash" algorithm.
--
-- There is no entry point into this code that allows normal DES operation.
--
-- I believe this means that this code does not come under ITAR
-- regulations but this is NOT a legal opinion. If you are concerned
-- about the applicability of ITAR regulations to this code then you
-- should confirm it for yourself (and maybe let me know if you come
-- up with a different answer to the one above)
--*/
--
--
--static const uint8_t perm1[56] = {57, 49, 41, 33, 25, 17, 9,
-- 1, 58, 50, 42, 34, 26, 18,
-- 10, 2, 59, 51, 43, 35, 27,
-- 19, 11, 3, 60, 52, 44, 36,
-- 63, 55, 47, 39, 31, 23, 15,
-- 7, 62, 54, 46, 38, 30, 22,
-- 14, 6, 61, 53, 45, 37, 29,
-- 21, 13, 5, 28, 20, 12, 4};
--
--static const uint8_t perm2[48] = {14, 17, 11, 24, 1, 5,
-- 3, 28, 15, 6, 21, 10,
-- 23, 19, 12, 4, 26, 8,
-- 16, 7, 27, 20, 13, 2,
-- 41, 52, 31, 37, 47, 55,
-- 30, 40, 51, 45, 33, 48,
-- 44, 49, 39, 56, 34, 53,
-- 46, 42, 50, 36, 29, 32};
--
--static const uint8_t perm3[64] = {58, 50, 42, 34, 26, 18, 10, 2,
-- 60, 52, 44, 36, 28, 20, 12, 4,
-- 62, 54, 46, 38, 30, 22, 14, 6,
-- 64, 56, 48, 40, 32, 24, 16, 8,
-- 57, 49, 41, 33, 25, 17, 9, 1,
-- 59, 51, 43, 35, 27, 19, 11, 3,
-- 61, 53, 45, 37, 29, 21, 13, 5,
-- 63, 55, 47, 39, 31, 23, 15, 7};
--
--static const uint8_t perm4[48] = { 32, 1, 2, 3, 4, 5,
-- 4, 5, 6, 7, 8, 9,
-- 8, 9, 10, 11, 12, 13,
-- 12, 13, 14, 15, 16, 17,
-- 16, 17, 18, 19, 20, 21,
-- 20, 21, 22, 23, 24, 25,
-- 24, 25, 26, 27, 28, 29,
-- 28, 29, 30, 31, 32, 1};
--
--static const uint8_t perm5[32] = { 16, 7, 20, 21,
-- 29, 12, 28, 17,
-- 1, 15, 23, 26,
-- 5, 18, 31, 10,
-- 2, 8, 24, 14,
-- 32, 27, 3, 9,
-- 19, 13, 30, 6,
-- 22, 11, 4, 25};
--
--
--static const uint8_t perm6[64] ={ 40, 8, 48, 16, 56, 24, 64, 32,
-- 39, 7, 47, 15, 55, 23, 63, 31,
-- 38, 6, 46, 14, 54, 22, 62, 30,
-- 37, 5, 45, 13, 53, 21, 61, 29,
-- 36, 4, 44, 12, 52, 20, 60, 28,
-- 35, 3, 43, 11, 51, 19, 59, 27,
-- 34, 2, 42, 10, 50, 18, 58, 26,
-- 33, 1, 41, 9, 49, 17, 57, 25};
--
--
--static const uint8_t sc[16] = {1, 1, 2, 2, 2, 2, 2, 2, 1, 2, 2, 2, 2, 2, 2, 1};
--
--static const
uint8_t sbox[8][4][16] = {
-- {{14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7},
-- {0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8},
-- {4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0},
-- {15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13}},
--
-- {{15, 1, 8, 14, 6, 11, 3, 4, 9, 7, 2, 13, 12, 0, 5, 10},
-- {3, 13, 4, 7, 15, 2, 8, 14, 12, 0, 1, 10, 6, 9, 11, 5},
-- {0, 14, 7, 11, 10, 4, 13, 1, 5, 8, 12, 6, 9, 3, 2, 15},
-- {13, 8, 10, 1, 3, 15, 4, 2, 11, 6, 7, 12, 0, 5, 14, 9}},
--
-- {{10, 0, 9, 14, 6, 3, 15, 5, 1, 13, 12, 7, 11, 4, 2, 8},
-- {13, 7, 0, 9, 3, 4, 6, 10, 2, 8, 5, 14, 12, 11, 15, 1},
-- {13, 6, 4, 9, 8, 15, 3, 0, 11, 1, 2, 12, 5, 10, 14, 7},
-- {1, 10, 13, 0, 6, 9, 8, 7, 4, 15, 14, 3, 11, 5, 2, 12}},
--
-- {{7, 13, 14, 3, 0, 6, 9, 10, 1, 2, 8, 5, 11, 12, 4, 15},
-- {13, 8, 11, 5, 6, 15, 0, 3, 4, 7, 2, 12, 1, 10, 14, 9},
-- {10, 6, 9, 0, 12, 11, 7, 13, 15, 1, 3, 14, 5, 2, 8, 4},
-- {3, 15, 0, 6, 10, 1, 13, 8, 9, 4, 5, 11, 12, 7, 2, 14}},
--
-- {{2, 12, 4, 1, 7, 10, 11, 6, 8, 5, 3, 15, 13, 0, 14, 9},
-- {14, 11, 2, 12, 4, 7, 13, 1, 5, 0, 15, 10, 3, 9, 8, 6},
-- {4, 2, 1, 11, 10, 13, 7, 8, 15, 9, 12, 5, 6, 3, 0, 14},
-- {11, 8, 12, 7, 1, 14, 2, 13, 6, 15, 0, 9, 10, 4, 5, 3}},
--
-- {{12, 1, 10, 15, 9, 2, 6, 8, 0, 13, 3, 4, 14, 7, 5, 11},
-- {10, 15, 4, 2, 7, 12, 9, 5, 6, 1, 13, 14, 0, 11, 3, 8},
-- {9, 14, 15, 5, 2, 8, 12, 3, 7, 0, 4, 10, 1, 13, 11, 6},
-- {4, 3, 2, 12, 9, 5, 15, 10, 11, 14, 1, 7, 6, 0, 8, 13}},
--
-- {{4, 11, 2, 14, 15, 0, 8, 13, 3, 12, 9, 7, 5, 10, 6, 1},
-- {13, 0, 11, 7, 4, 9, 1, 10, 14, 3, 5, 12, 2, 15, 8, 6},
-- {1, 4, 11, 13, 12, 3, 7, 14, 10, 15, 6, 8, 0, 5, 9, 2},
-- {6, 11, 13, 8, 1, 4, 10, 7, 9, 5, 0, 15, 14, 2, 3, 12}},
--
-- {{13, 2, 8, 4, 6, 15, 11, 1, 10, 9, 3, 14, 5, 0, 12, 7},
-- {1, 15, 13, 8, 10, 3, 7, 4, 12, 5, 6, 11, 0, 14, 9, 2},
-- {7, 11, 4, 1, 9, 12, 14, 2, 0, 6, 10, 13, 15, 3, 5, 8},
-- {2, 1, 14, 7, 4, 10, 8, 13, 15, 12, 9, 0, 3, 5, 6, 11}}};
--
--static void permute(char *out, const char
*in, const uint8_t *p, int n)
--{
-- int i;
-- for (i=0;i
-Date: Tue, 10 Dec 2019 17:52:36 +0100
-Subject: [PATCH 188/191] lib:crypto: Remove our implementation of AES CCM
-
-We require GnuTLS >= 3.4.7 which provides AES CCM.
-
-Signed-off-by: Andreas Schneider
-Reviewed-by: Andrew Bartlett
-(cherry picked from commit c3250ff7ab66fb45c9b5a66c7e3a9453fb22777b)
----
- lib/crypto/aes_ccm_128.c | 198 ------------------
- lib/crypto/aes_ccm_128.h | 58 ------
- lib/crypto/aes_ccm_128_test.c | 377 ----------------------------------
- lib/crypto/crypto.h | 1 -
- lib/crypto/wscript_build | 11 -
- source4/torture/local/local.c | 3 -
- 6 files changed, 648 deletions(-)
- delete mode 100644 lib/crypto/aes_ccm_128.c
- delete mode 100644 lib/crypto/aes_ccm_128.h
- delete mode 100644 lib/crypto/aes_ccm_128_test.c
-
-diff --git a/lib/crypto/aes_ccm_128.c b/lib/crypto/aes_ccm_128.c
-deleted file mode 100644
-index 0cbc05567a8..00000000000
---- a/lib/crypto/aes_ccm_128.c
-+++ /dev/null
-@@ -1,198 +0,0 @@
--/*
-- AES-CCM-128 (rfc 3610)
--
-- Copyright (C) Stefan Metzmacher 2012
--
-- This program is free software; you can redistribute it and/or modify
-- it under the terms of the GNU General Public License as published by
-- the Free Software Foundation; either version 3 of the License, or
-- (at your option) any later version.
--
-- This program is distributed in the hope that it will be useful,
-- but WITHOUT ANY WARRANTY; without even the implied warranty of
-- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-- GNU General Public License for more details.
--
-- You should have received a copy of the GNU General Public License
-- along with this program. If not, see .
--*/
--
--#include "replace.h"
--#include "lib/crypto/aes.h"
--#include "lib/crypto/aes_ccm_128.h"
--#include "lib/util/byteorder.h"
--
--#define M_ ((AES_CCM_128_M - 2) / 2)
--#define L_ (AES_CCM_128_L - 1)
--
--void aes_ccm_128_init(struct aes_ccm_128_context *ctx,
-- const uint8_t K[AES_BLOCK_SIZE],
-- const uint8_t N[AES_CCM_128_NONCE_SIZE],
-- size_t a_total, size_t m_total)
--{
-- ZERO_STRUCTP(ctx);
--
-- AES_set_encrypt_key(K, 128, &ctx->aes_key);
-- memcpy(ctx->nonce, N, AES_CCM_128_NONCE_SIZE);
-- ctx->a_remain = a_total;
-- ctx->m_remain = m_total;
--
-- /*
-- * prepare B_0
-- */
-- ctx->B_i[0] = L_;
-- ctx->B_i[0] += 8 * M_;
-- if (a_total > 0) {
-- ctx->B_i[0] += 64;
-- }
-- memcpy(&ctx->B_i[1], ctx->nonce, AES_CCM_128_NONCE_SIZE);
-- RSIVAL(ctx->B_i, (AES_BLOCK_SIZE - AES_CCM_128_L), m_total);
--
-- /*
-- * prepare X_1
-- */
-- AES_encrypt(ctx->B_i, ctx->X_i, &ctx->aes_key);
--
-- /*
-- * prepare B_1
-- */
-- ZERO_STRUCT(ctx->B_i);
-- if (a_total >= UINT32_MAX) {
-- RSSVAL(ctx->B_i, 0, 0xFFFF);
-- RSBVAL(ctx->B_i, 2, (uint64_t)a_total);
-- ctx->B_i_ofs = 10;
-- } else if (a_total >= 0xFF00) {
-- RSSVAL(ctx->B_i, 0, 0xFFFE);
-- RSIVAL(ctx->B_i, 2, a_total);
-- ctx->B_i_ofs = 6;
-- } else if (a_total > 0) {
-- RSSVAL(ctx->B_i, 0, a_total);
-- ctx->B_i_ofs = 2;
-- }
--
-- /*
-- * prepare A_i
-- */
-- ctx->A_i[0] = L_;
-- memcpy(&ctx->A_i[1], ctx->nonce, AES_CCM_128_NONCE_SIZE);
--
-- ctx->S_i_ofs = AES_BLOCK_SIZE;
--}
--
--void aes_ccm_128_update(struct aes_ccm_128_context *ctx,
-- const uint8_t *v, size_t v_len)
--{
-- size_t *remain;
--
-- if (v_len == 0) {
-- return;
-- }
--
-- if (ctx->a_remain > 0) {
-- remain = &ctx->a_remain;
-- } else {
-- remain = &ctx->m_remain;
-- }
--
-- if (unlikely(v_len > *remain)) {
-- abort();
-- }
--
-- if (ctx->B_i_ofs > 0) {
-- size_t n = MIN(AES_BLOCK_SIZE - ctx->B_i_ofs, v_len);
--
-- memcpy(&ctx->B_i[ctx->B_i_ofs], v, n);
-- v += n;
-- v_len -= n;
-- ctx->B_i_ofs += n;
-- *remain -= n;
-- }
--
-- if ((ctx->B_i_ofs
== AES_BLOCK_SIZE) || (*remain == 0)) {
-- aes_block_xor(ctx->X_i, ctx->B_i, ctx->B_i);
-- AES_encrypt(ctx->B_i, ctx->X_i, &ctx->aes_key);
-- ctx->B_i_ofs = 0;
-- }
--
-- while (v_len >= AES_BLOCK_SIZE) {
-- aes_block_xor(ctx->X_i, v, ctx->B_i);
-- AES_encrypt(ctx->B_i, ctx->X_i, &ctx->aes_key);
-- v += AES_BLOCK_SIZE;
-- v_len -= AES_BLOCK_SIZE;
-- *remain -= AES_BLOCK_SIZE;
-- }
--
-- if (v_len > 0) {
-- ZERO_STRUCT(ctx->B_i);
-- memcpy(ctx->B_i, v, v_len);
-- ctx->B_i_ofs += v_len;
-- *remain -= v_len;
-- v = NULL;
-- v_len = 0;
-- }
--
-- if (*remain > 0) {
-- return;
-- }
--
-- if (ctx->B_i_ofs > 0) {
-- aes_block_xor(ctx->X_i, ctx->B_i, ctx->B_i);
-- AES_encrypt(ctx->B_i, ctx->X_i, &ctx->aes_key);
-- ctx->B_i_ofs = 0;
-- }
--}
--
--static inline void aes_ccm_128_S_i(struct aes_ccm_128_context *ctx,
-- uint8_t S_i[AES_BLOCK_SIZE],
-- size_t i)
--{
-- RSIVAL(ctx->A_i, (AES_BLOCK_SIZE - AES_CCM_128_L), i);
-- AES_encrypt(ctx->A_i, S_i, &ctx->aes_key);
--}
--
--void aes_ccm_128_crypt(struct aes_ccm_128_context *ctx,
-- uint8_t *m, size_t m_len)
--{
-- while (m_len > 0) {
-- if (ctx->S_i_ofs == AES_BLOCK_SIZE) {
-- ctx->S_i_ctr += 1;
-- aes_ccm_128_S_i(ctx, ctx->S_i, ctx->S_i_ctr);
-- ctx->S_i_ofs = 0;
-- }
--
-- if (likely(ctx->S_i_ofs == 0 && m_len >= AES_BLOCK_SIZE)) {
-- aes_block_xor(m, ctx->S_i, m);
-- m += AES_BLOCK_SIZE;
-- m_len -= AES_BLOCK_SIZE;
-- ctx->S_i_ctr += 1;
-- aes_ccm_128_S_i(ctx, ctx->S_i, ctx->S_i_ctr);
-- continue;
-- }
--
-- m[0] ^= ctx->S_i[ctx->S_i_ofs];
-- m += 1;
-- m_len -= 1;
-- ctx->S_i_ofs += 1;
-- }
--}
--
--void aes_ccm_128_digest(struct aes_ccm_128_context *ctx,
-- uint8_t digest[AES_BLOCK_SIZE])
--{
-- if (unlikely(ctx->a_remain != 0)) {
-- abort();
-- }
-- if (unlikely(ctx->m_remain != 0)) {
-- abort();
-- }
--
-- /* prepare S_0 */
-- aes_ccm_128_S_i(ctx, ctx->S_i, 0);
--
-- /*
-- * note X_i is T here
-- */
-- aes_block_xor(ctx->X_i, ctx->S_i, digest);
--
-- ZERO_STRUCTP(ctx);
--}
-diff --git a/lib/crypto/aes_ccm_128.h
b/lib/crypto/aes_ccm_128.h
-deleted file mode 100644
-index 1382ee704b9..00000000000
---- a/lib/crypto/aes_ccm_128.h
-+++ /dev/null
-@@ -1,58 +0,0 @@
--/*
-- AES-CCM-128 (rfc 3610)
--
-- Copyright (C) Stefan Metzmacher 2012
--
-- This program is free software; you can redistribute it and/or modify
-- it under the terms of the GNU General Public License as published by
-- the Free Software Foundation; either version 3 of the License, or
-- (at your option) any later version.
--
-- This program is distributed in the hope that it will be useful,
-- but WITHOUT ANY WARRANTY; without even the implied warranty of
-- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-- GNU General Public License for more details.
--
-- You should have received a copy of the GNU General Public License
-- along with this program. If not, see .
--*/
--
--#ifndef LIB_CRYPTO_AES_CCM_128_H
--#define LIB_CRYPTO_AES_CCM_128_H
--
--#define AES_CCM_128_M 16
--#define AES_CCM_128_L 4
--#define AES_CCM_128_NONCE_SIZE (15 - AES_CCM_128_L)
--
--struct aes_ccm_128_context {
-- AES_KEY aes_key;
--
-- uint8_t nonce[AES_CCM_128_NONCE_SIZE];
--
-- size_t a_remain;
-- size_t m_remain;
--
-- uint64_t __align;
--
-- uint8_t X_i[AES_BLOCK_SIZE];
-- uint8_t B_i[AES_BLOCK_SIZE];
-- uint8_t A_i[AES_BLOCK_SIZE];
-- uint8_t S_i[AES_BLOCK_SIZE];
--
-- size_t B_i_ofs;
-- size_t S_i_ofs;
-- size_t S_i_ctr;
--};
--
--void aes_ccm_128_init(struct aes_ccm_128_context *ctx,
-- const uint8_t K[AES_BLOCK_SIZE],
-- const uint8_t N[AES_CCM_128_NONCE_SIZE],
-- size_t a_total, size_t m_total);
--void aes_ccm_128_update(struct aes_ccm_128_context *ctx,
-- const uint8_t *v, size_t v_len);
--void aes_ccm_128_crypt(struct aes_ccm_128_context *ctx,
-- uint8_t *m, size_t m_len);
--void aes_ccm_128_digest(struct aes_ccm_128_context *ctx,
-- uint8_t digest[AES_BLOCK_SIZE]);
--
--#endif /* LIB_CRYPTO_AES_CCM_128_H */
-diff --git a/lib/crypto/aes_ccm_128_test.c b/lib/crypto/aes_ccm_128_test.c
-deleted file mode 100644
-index
67745e3e1ae..00000000000
---- a/lib/crypto/aes_ccm_128_test.c
-+++ /dev/null
-@@ -1,377 +0,0 @@
--/*
-- AES-CCM-128 tests
--
-- Copyright (C) Stefan Metzmacher 2015
--
-- This program is free software; you can redistribute it and/or modify
-- it under the terms of the GNU General Public License as published by
-- the Free Software Foundation; either version 3 of the License, or
-- (at your option) any later version.
--
-- This program is distributed in the hope that it will be useful,
-- but WITHOUT ANY WARRANTY; without even the implied warranty of
-- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-- GNU General Public License for more details.
--
-- You should have received a copy of the GNU General Public License
-- along with this program. If not, see .
--*/
--#include "replace.h"
--#include "../lib/util/samba_util.h"
--#include "lib/crypto/aes.h"
--#include "lib/crypto/aes_ccm_128.h"
--#include "lib/crypto/aes_test.h"
--
--#ifndef AES_CCM_128_ONLY_TESTVECTORS
--struct torture_context;
--bool torture_local_crypto_aes_ccm_128(struct torture_context *torture);
--
--/*
-- This uses our own test values as we rely on a 11 byte nonce
-- and the values from rfc rfc3610 use 13 byte nonce.
--*/ --bool torture_local_crypto_aes_ccm_128(struct torture_context *tctx) --{ -- bool ret = true; -- uint32_t i; -- struct aes_mode_testvector testarray[] = { --#endif /* AES_CCM_128_ONLY_TESTVECTORS */ --#define AES_CCM_128_TESTVECTOR(_k, _n, _a, _p, _c, _t) \ -- AES_MODE_TESTVECTOR(aes_ccm_128, _k, _n, _a, _p, _c, _t) -- -- AES_CCM_128_TESTVECTOR( -- /* K */ -- "8BF9FBC2B8149484FF11AB1F3A544FF6", -- /* N */ -- "010000000000000077F7A8", -- /* A */ -- "010000000000000077F7A80000000000" -- "A8000000000001004100002C00980000", -- /* P */ -- "FE534D4240000100000000000B00811F" -- "00000000000000000600000000000000" -- "00000000010000004100002C00980000" -- "00000000000000000000000000000000" -- "3900000094010600FFFFFFFFFFFFFFFF" -- "FFFFFFFFFFFFFFFF7800000030000000" -- "000000007800000000000000FFFF0000" -- "0100000000000000" -- "03005C003100370032002E0033003100" -- "2E0039002E003100380033005C006E00" -- "650074006C006F0067006F006E000000", -- /* C */ -- "25985364BF9AF90EB0B9C8FB55B7C446" -- "780F310F1EC4677726BFBF34E38E6408" -- "057EE228814F11CBAAB794A79F7A1F78" -- "2DE73B7477985360A02D35A7A347ABF7" -- "9F18DD8687767423BB08F18642B6EFEE" -- "8B1543D83091AF5952F58BB4BD89FF6B" -- "0206E7170481C7BC61F06653D0CF10F7" -- "C78380389382C276" -- "7B8BF34D687A5C3D4F783F926F7755C0" -- "2D44C30848C69CFDD8E54395F1881611" -- "E5502285870A7179068923105190C837", -- /* T */ -- "3C11F652F8EA5600C8607D2E0FEAFD42" -- ), -- AES_CCM_128_TESTVECTOR( -- /* K */ -- "f9fdca4ac64fe7f014de0f43039c7571", -- /* N */ -- "5a8aa485c316e947125478", -- /* A */ -- "3796cf51b8726652a4204733b8fbb047" -- "cf00fb91a9837e22ec22b1a268f88e2c", -- /* P */ -- "a265480ca88d5f536db0dc6abc40faf0" -- "d05be7a9669777682345647586786983", -- /* C */ -- "65F8D8422006FB77FB7CCEFDFFF93729" -- "B3EFCB06A0FAF3A2ABAB485723373F53", -- /* T */ -- "2C62BD82AD231887A7B326E1E045BC91" -- ), -- AES_CCM_128_TESTVECTOR( -- /* K */ -- "197afb02ffbd8f699dacae87094d5243", -- /* N */ -- "5a8aa485c316e947125478", -- /* A */ -- "", -- /* P */ -- 
"3796cf51b8726652a4204733b8fbb047" -- "cf00fb91a9837e22", -- /* C */ -- "CA53910394115C5DAB5D7250F04D6A27" -- "2BCFA4329528F3AC", -- /* T */ -- "38E3A318F9BA88D4DD2FAF3521820001" -- ), -- AES_CCM_128_TESTVECTOR( -- /* K */ -- "90929a4b0ac65b350ad1591611fe4829", -- /* N */ -- "5a8aa485c316e9403aff85", -- /* A */ -- "", -- /* P */ -- "a16a2e741f1cd9717285b6d882c1fc53" -- "655e9773761ad697", -- /* C */ -- "ACA5E98D2784D131AE76E3C8BF9C3988" -- "35C0206C71893F26", -- /* T */ -- "AE67C0EA38C5383BFDC7967F4E9D1678" -- ), -- AES_CCM_128_TESTVECTOR( -- /* K */ -- "f9fdca4ac64fe7f014de0f43039c7571", -- /* N */ -- "5a8aa485c316e947125478", -- /* A */ -- "3796cf51b8726652a4204733b8fbb047" -- "cf00fb91a9837e22ec22b1a268f88e2c", -- /* P */ -- "a265480ca88d5f536db0dc6abc40faf0" -- "d05be7a966977768", -- /* C */ -- "65F8D8422006FB77FB7CCEFDFFF93729" -- "B3EFCB06A0FAF3A2", -- /* T */ -- "03C6E244586AFAB9B60D9F6DBDF7EB1A" -- ), -- AES_CCM_128_TESTVECTOR( -- /* K */ -- "26511fb51fcfa75cb4b44da75a6e5a0e", -- /* N */ -- "5a8aa485c316e9403aff85", -- /* A */ -- "a16a2e741f1cd9717285b6d882c1fc53" -- "655e9773761ad697a7ee6410184c7982", -- /* P */ -- "8739b4bea1a099fe547499cbc6d1b13d" -- "849b8084c9b6acc5", -- /* C */ -- "D31F9FC23674D5272125375E0A2F5365" -- "41B1FAF1DD68C819", -- /* T */ -- "4F315233A76C4DD99972561C5158AB3B" -- ), -- AES_CCM_128_TESTVECTOR( -- /* K */ -- "f9fdca4ac64fe7f014de0f43039c7571", -- /* N */ -- "5a8aa485c316e947125478", -- /* A */ -- "3796cf51b8726652a4204733b8fbb047" -- "cf00fb91a9837e22ec22b1a268", -- /* P */ -- "a265480ca88d5f536db0dc6abc40faf0" -- "d05be7a9669777682376345745", -- /* C */ -- "65F8D8422006FB77FB7CCEFDFFF93729" -- "B3EFCB06A0FAF3A2AB981875E0", -- /* T */ -- "EA93AAEDA607226E9E79D2EE5C4B62F8" -- ), -- AES_CCM_128_TESTVECTOR( -- /* K */ -- "26511fb51fcfa75cb4b44da75a6e5a0e", -- /* N */ -- "5a8aa485c316e9403aff85", -- /* A */ -- "a16a2e741f1cd9717285b6d882c1fc53" -- "65", -- /* P */ -- "8739b4bea1a099fe547499cbc6d1b13d" -- "84", -- /* C */ -- 
"D31F9FC23674D5272125375E0A2F5365" -- "41", -- /* T */ -- "036F58DA2372B29BD0E01C58A0E7F9EE" -- ), -- AES_CCM_128_TESTVECTOR( -- /* K */ -- "00000000000000000000000000000000", -- /* N */ -- "0000000000000000000000", -- /* A */ -- "", -- /* P */ -- "00", -- /* C */ -- "2E", -- /* T */ -- "61787D2C432A58293B73D01154E61B6B" -- ), -- AES_CCM_128_TESTVECTOR( -- /* K */ -- "00000000000000000000000000000000", -- /* N */ -- "0000000000000000000000", -- /* A */ -- "00", -- /* P */ -- "00", -- /* C */ -- "2E", -- /* T */ -- "E4284A0E813F0FFA146CF59F9ADAFBD7" -- ), --#ifndef AES_CCM_128_ONLY_TESTVECTORS -- }; -- -- for (i=0; i < ARRAY_SIZE(testarray); i++) { -- struct aes_ccm_128_context ctx; -- uint8_t T[AES_BLOCK_SIZE]; -- DATA_BLOB _T = data_blob_const(T, sizeof(T)); -- DATA_BLOB C; -- int e; -- -- C = data_blob_dup_talloc(tctx, testarray[i].P); -- -- aes_ccm_128_init(&ctx, testarray[i].K.data, testarray[i].N.data, -- testarray[i].A.length, testarray[i].P.length); -- aes_ccm_128_update(&ctx, -- testarray[i].A.data, -- testarray[i].A.length); -- aes_ccm_128_update(&ctx, C.data, C.length); -- aes_ccm_128_crypt(&ctx, C.data, C.length); -- aes_ccm_128_digest(&ctx, T); -- -- e = memcmp(testarray[i].T.data, T, sizeof(T)); -- if (e != 0) { -- aes_mode_testvector_debug(&testarray[i], NULL, &C, &_T); -- ret = false; -- goto fail; -- } -- -- e = memcmp(testarray[i].C.data, C.data, C.length); -- if (e != 0) { -- aes_mode_testvector_debug(&testarray[i], NULL, &C, &_T); -- ret = false; -- goto fail; -- } -- } -- -- for (i=0; i < ARRAY_SIZE(testarray); i++) { -- struct aes_ccm_128_context ctx; -- uint8_t T[AES_BLOCK_SIZE]; -- DATA_BLOB _T = data_blob_const(T, sizeof(T)); -- DATA_BLOB C; -- int e; -- size_t j; -- -- C = data_blob_dup_talloc(tctx, testarray[i].P); -- -- aes_ccm_128_init(&ctx, testarray[i].K.data, testarray[i].N.data, -- testarray[i].A.length, testarray[i].P.length); -- for (j=0; j < testarray[i].A.length; j++) { -- aes_ccm_128_update(&ctx, NULL, 0); -- 
aes_ccm_128_update(&ctx, &testarray[i].A.data[j], 1);
-- aes_ccm_128_update(&ctx, NULL, 0);
-- }
-- for (j=0; j < C.length; j++) {
-- aes_ccm_128_crypt(&ctx, NULL, 0);
-- aes_ccm_128_update(&ctx, NULL, 0);
-- aes_ccm_128_update(&ctx, &C.data[j], 1);
-- aes_ccm_128_crypt(&ctx, &C.data[j], 1);
-- aes_ccm_128_crypt(&ctx, NULL, 0);
-- aes_ccm_128_update(&ctx, NULL, 0);
-- }
-- aes_ccm_128_digest(&ctx, T);
--
-- e = memcmp(testarray[i].T.data, T, sizeof(T));
-- if (e != 0) {
-- aes_mode_testvector_debug(&testarray[i], NULL, &C, &_T);
-- ret = false;
-- goto fail;
-- }
--
-- e = memcmp(testarray[i].C.data, C.data, C.length);
-- if (e != 0) {
-- aes_mode_testvector_debug(&testarray[i], NULL, &C, &_T);
-- ret = false;
-- goto fail;
-- }
-- }
--
-- for (i=0; i < ARRAY_SIZE(testarray); i++) {
-- struct aes_ccm_128_context ctx;
-- uint8_t T[AES_BLOCK_SIZE];
-- DATA_BLOB _T = data_blob_const(T, sizeof(T));
-- DATA_BLOB P;
-- int e;
-- size_t j;
--
-- P = data_blob_dup_talloc(tctx, testarray[i].C);
--
-- aes_ccm_128_init(&ctx, testarray[i].K.data, testarray[i].N.data,
-- testarray[i].A.length, testarray[i].P.length);
-- for (j=0; j < testarray[i].A.length; j++) {
-- aes_ccm_128_update(&ctx, NULL, 0);
-- aes_ccm_128_update(&ctx, &testarray[i].A.data[j], 1);
-- aes_ccm_128_update(&ctx, NULL, 0);
-- }
-- for (j=0; j < P.length; j++) {
-- aes_ccm_128_crypt(&ctx, NULL, 0);
-- aes_ccm_128_update(&ctx, NULL, 0);
-- aes_ccm_128_crypt(&ctx, &P.data[j], 1);
-- aes_ccm_128_update(&ctx, &P.data[j], 1);
-- aes_ccm_128_crypt(&ctx, NULL, 0);
-- aes_ccm_128_update(&ctx, NULL, 0);
-- }
-- aes_ccm_128_digest(&ctx, T);
--
-- e = memcmp(testarray[i].T.data, T, sizeof(T));
-- if (e != 0) {
-- aes_mode_testvector_debug(&testarray[i], &P, NULL, &_T);
-- ret = false;
-- goto fail;
-- }
--
-- e = memcmp(testarray[i].P.data, P.data, P.length);
-- if (e != 0) {
-- aes_mode_testvector_debug(&testarray[i], &P, NULL, &_T);
-- ret = false;
-- goto fail;
-- }
-- }
--
-- for (i=0; i < ARRAY_SIZE(testarray);
i++) {
-- struct aes_ccm_128_context ctx;
-- uint8_t T[AES_BLOCK_SIZE];
-- DATA_BLOB _T = data_blob_const(T, sizeof(T));
-- DATA_BLOB P;
-- int e;
--
-- P = data_blob_dup_talloc(tctx, testarray[i].C);
--
-- aes_ccm_128_init(&ctx, testarray[i].K.data, testarray[i].N.data,
-- testarray[i].A.length, testarray[i].P.length);
-- aes_ccm_128_update(&ctx, testarray[i].A.data, testarray[i].A.length);
-- aes_ccm_128_crypt(&ctx, P.data, P.length);
-- aes_ccm_128_update(&ctx, P.data, P.length);
-- aes_ccm_128_digest(&ctx, T);
--
-- e = memcmp(testarray[i].T.data, T, sizeof(T));
-- if (e != 0) {
-- aes_mode_testvector_debug(&testarray[i], &P, NULL, &_T);
-- ret = false;
-- goto fail;
-- }
--
-- e = memcmp(testarray[i].P.data, P.data, P.length);
-- if (e != 0) {
-- aes_mode_testvector_debug(&testarray[i], &P, NULL, &_T);
-- ret = false;
-- goto fail;
-- }
-- }
--
-- fail:
-- return ret;
--}
--
--#endif /* AES_CCM_128_ONLY_TESTVECTORS */
-diff --git a/lib/crypto/crypto.h b/lib/crypto/crypto.h
-index d7409f9a46d..66767935925 100644
---- a/lib/crypto/crypto.h
-+++ b/lib/crypto/crypto.h
-@@ -23,7 +23,6 @@
- #include "../lib/crypto/md4.h"
- #include "../lib/crypto/aes.h"
- #include "../lib/crypto/aes_cmac_128.h"
--#include "../lib/crypto/aes_ccm_128.h"
- #include "../lib/crypto/aes_gcm_128.h"
-
- #endif /* _SAMBA_CRYPTO_H_ */
-diff --git a/lib/crypto/wscript_build b/lib/crypto/wscript_build
-index 4f1665a7fd9..a019ebe60cf 100644
---- a/lib/crypto/wscript_build
-+++ b/lib/crypto/wscript_build
-@@ -12,10 +12,6 @@ bld.SAMBA_SUBSYSTEM('GNUTLS_HELPERS',
- ''',
- deps='gnutls samba-errors');
-
--bld.SAMBA_SUBSYSTEM('LIBCRYPTO_AES_CCM',
-- source='aes_ccm_128.c',
-- deps='talloc')
--
- bld.SAMBA_SUBSYSTEM('LIBCRYPTO_AES_GCM',
- source='aes_gcm_128.c',
- deps='talloc')
-@@ -36,16 +32,10 @@ bld.SAMBA_SUBSYSTEM('LIBCRYPTO',
- deps='''
- talloc
- LIBCRYPTO_AES
-- LIBCRYPTO_AES_CCM
- LIBCRYPTO_AES_GCM
- LIBCRYPTO_AES_CMAC
- ''' + extra_deps)
-
--bld.SAMBA_SUBSYSTEM('TORTURE_LIBCRYPTO_AES_CCM',
-- source='aes_ccm_128_test.c',
-- autoproto='aes_ccm_test_proto.h',
-- deps='talloc')
--
- bld.SAMBA_SUBSYSTEM('TORTURE_LIBCRYPTO_AES_GCM',
- source='aes_gcm_128_test.c',
- autoproto='aes_gcm_test_proto.h',
-@@ -62,7 +52,6 @@ bld.SAMBA_SUBSYSTEM('TORTURE_LIBCRYPTO',
- autoproto='test_proto.h',
- deps='''
- LIBCRYPTO
-- TORTURE_LIBCRYPTO_AES_CCM
- TORTURE_LIBCRYPTO_AES_GCM
- TORTURE_LIBCRYPTO_AES_CMAC
- ''')
-diff --git a/source4/torture/local/local.c b/source4/torture/local/local.c
-index 5812f4dd20c..8f9148b1988 100644
---- a/source4/torture/local/local.c
-+++ b/source4/torture/local/local.c
-@@ -23,7 +23,6 @@
- #include "torture/ndr/proto.h"
- #include "torture/auth/proto.h"
- #include "../lib/crypto/test_proto.h"
--#include "../lib/crypto/aes_ccm_test_proto.h"
- #include "../lib/crypto/aes_gcm_test_proto.h"
- #ifndef HAVE_GNUTLS_AES_CMAC
- #include "../lib/crypto/aes_cmac_test_proto.h"
-@@ -100,8 +99,6 @@ NTSTATUS torture_local_init(TALLOC_CTX *ctx)
- torture_suite_add_simple_test(suite, "crypto.aes_cmac_128",
- torture_local_crypto_aes_cmac_128);
- #endif
-- torture_suite_add_simple_test(suite, "crypto.aes_ccm_128",
-- torture_local_crypto_aes_ccm_128);
- torture_suite_add_simple_test(suite, "crypto.aes_gcm_128",
- torture_local_crypto_aes_gcm_128);
-
---
-2.23.0
-
diff --git a/SOURCES/0189-lib-crypto-Remove-our-implementation-of-AES-GCM.patch b/SOURCES/0189-lib-crypto-Remove-our-implementation-of-AES-GCM.patch
deleted file mode 100644
index deeba45..0000000
--- a/SOURCES/0189-lib-crypto-Remove-our-implementation-of-AES-GCM.patch
+++ /dev/null
@@ -1,672 +0,0 @@
-From 969dbe9f0cd3386a8188f2c42177433aaa9b8ff1 Mon Sep 17 00:00:00 2001
-From: Andreas Schneider
-Date: Tue, 10 Dec 2019 18:01:43 +0100
-Subject: [PATCH 189/191] lib:crypto: Remove our implementation of AES GCM
-
-We require GnuTLS >= 3.4.7 which provides AES GCM.
-
-Signed-off-by: Andreas Schneider
-Reviewed-by: Andrew Bartlett
-(cherry picked from commit 337c51c9f503adef58c9b875bfb4f522cfb7d9ae)
----
- lib/crypto/aes_gcm_128.c | 208 ------------------------
- lib/crypto/aes_gcm_128.h | 55 -------
- lib/crypto/aes_gcm_128_test.c | 295 ----------------------------------
- lib/crypto/crypto.h | 1 -
- lib/crypto/wscript_build | 11 --
- source4/torture/local/local.c | 3 -
- 6 files changed, 573 deletions(-)
- delete mode 100644 lib/crypto/aes_gcm_128.c
- delete mode 100644 lib/crypto/aes_gcm_128.h
- delete mode 100644 lib/crypto/aes_gcm_128_test.c
-
-diff --git a/lib/crypto/aes_gcm_128.c b/lib/crypto/aes_gcm_128.c
-deleted file mode 100644
-index 6b5a385cbd8..00000000000
---- a/lib/crypto/aes_gcm_128.c
-+++ /dev/null
-@@ -1,208 +0,0 @@
--/*
-- AES-GCM-128
--
-- Copyright (C) Stefan Metzmacher 2014
--
-- This program is free software; you can redistribute it and/or modify
-- it under the terms of the GNU General Public License as published by
-- the Free Software Foundation; either version 3 of the License, or
-- (at your option) any later version.
--
-- This program is distributed in the hope that it will be useful,
-- but WITHOUT ANY WARRANTY; without even the implied warranty of
-- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-- GNU General Public License for more details.
--
-- You should have received a copy of the GNU General Public License
-- along with this program. If not, see .
--*/
--
--#include "replace.h"
--#include "lib/crypto/aes.h"
--#include "lib/crypto/aes_gcm_128.h"
--#include "lib/util/byteorder.h"
--
--static inline void aes_gcm_128_inc32(uint8_t inout[AES_BLOCK_SIZE])
--{
-- uint32_t v;
--
-- v = RIVAL(inout, AES_BLOCK_SIZE - 4);
-- v += 1;
-- RSIVAL(inout, AES_BLOCK_SIZE - 4, v);
--}
--
--static inline void aes_gcm_128_mul(const uint8_t x[AES_BLOCK_SIZE],
-- const uint8_t y[AES_BLOCK_SIZE],
-- uint8_t v[AES_BLOCK_SIZE],
-- uint8_t z[AES_BLOCK_SIZE])
--{
-- uint8_t i;
-- /* 11100001 || 0^120 */
-- static const uint8_t r[AES_BLOCK_SIZE] = {
-- 0xE1, 0x00, 0x00, 0x00,
-- 0x00, 0x00, 0x00, 0x00,
-- 0x00, 0x00, 0x00, 0x00,
-- 0x00, 0x00, 0x00, 0x00,
-- };
--
-- memset(z, 0, AES_BLOCK_SIZE);
-- memcpy(v, y, AES_BLOCK_SIZE);
--
-- for (i = 0; i < AES_BLOCK_SIZE; i++) {
-- uint8_t mask;
-- for (mask = 0x80; mask != 0 ; mask >>= 1) {
-- uint8_t v_lsb = v[AES_BLOCK_SIZE-1] & 1;
-- if (x[i] & mask) {
-- aes_block_xor(z, v, z);
-- }
--
-- aes_block_rshift(v, v);
-- if (v_lsb != 0) {
-- aes_block_xor(v, r, v);
-- }
-- }
-- }
--}
--
--static inline void aes_gcm_128_ghash_block(struct aes_gcm_128_context *ctx,
-- const uint8_t in[AES_BLOCK_SIZE])
--{
-- aes_block_xor(ctx->Y, in, ctx->y.block);
-- aes_gcm_128_mul(ctx->y.block, ctx->H, ctx->v.block, ctx->Y);
--}
--
--void aes_gcm_128_init(struct aes_gcm_128_context *ctx,
-- const uint8_t K[AES_BLOCK_SIZE],
-- const uint8_t IV[AES_GCM_128_IV_SIZE])
--{
-- ZERO_STRUCTP(ctx);
--
-- AES_set_encrypt_key(K, 128, &ctx->aes_key);
--
-- /*
-- * Step 1: generate H (ctx->Y is the zero block here)
-- */
-- AES_encrypt(ctx->Y, ctx->H, &ctx->aes_key);
--
-- /*
-- * Step 2: generate J0
-- */
-- memcpy(ctx->J0, IV, AES_GCM_128_IV_SIZE);
-- aes_gcm_128_inc32(ctx->J0);
--
-- /*
-- * We need to prepare CB with J0.
-- */
-- memcpy(ctx->CB, ctx->J0, AES_BLOCK_SIZE);
-- ctx->c.ofs = AES_BLOCK_SIZE;
--}
--
--static inline void aes_gcm_128_update_tmp(struct aes_gcm_128_context *ctx,
-- struct aes_gcm_128_tmp *tmp,
-- const uint8_t *v, size_t v_len)
--{
-- tmp->total += v_len;
--
-- if (tmp->ofs > 0) {
-- size_t copy = MIN(AES_BLOCK_SIZE - tmp->ofs, v_len);
--
-- memcpy(tmp->block + tmp->ofs, v, copy);
-- tmp->ofs += copy;
-- v += copy;
-- v_len -= copy;
-- }
--
-- if (tmp->ofs == AES_BLOCK_SIZE) {
-- aes_gcm_128_ghash_block(ctx, tmp->block);
-- tmp->ofs = 0;
-- }
--
-- while (v_len >= AES_BLOCK_SIZE) {
-- aes_gcm_128_ghash_block(ctx, v);
-- v += AES_BLOCK_SIZE;
-- v_len -= AES_BLOCK_SIZE;
-- }
--
-- if (v_len == 0) {
-- return;
-- }
--
-- ZERO_STRUCT(tmp->block);
-- memcpy(tmp->block, v, v_len);
-- tmp->ofs = v_len;
--}
--
--void aes_gcm_128_updateA(struct aes_gcm_128_context *ctx,
-- const uint8_t *a, size_t a_len)
--{
-- aes_gcm_128_update_tmp(ctx, &ctx->A, a, a_len);
--}
--
--void aes_gcm_128_updateC(struct aes_gcm_128_context *ctx,
-- const uint8_t *c, size_t c_len)
--{
-- if (ctx->A.ofs > 0) {
-- aes_gcm_128_ghash_block(ctx, ctx->A.block);
-- ctx->A.ofs = 0;
-- }
--
-- aes_gcm_128_update_tmp(ctx, &ctx->C, c, c_len);
--}
--
--static inline void aes_gcm_128_crypt_tmp(struct aes_gcm_128_context *ctx,
-- struct aes_gcm_128_tmp *tmp,
-- uint8_t *m, size_t m_len)
--{
-- tmp->total += m_len;
--
-- while (m_len > 0) {
-- if (tmp->ofs == AES_BLOCK_SIZE) {
-- aes_gcm_128_inc32(ctx->CB);
-- AES_encrypt(ctx->CB, tmp->block, &ctx->aes_key);
-- tmp->ofs = 0;
-- }
--
-- if (likely(tmp->ofs == 0 && m_len >= AES_BLOCK_SIZE)) {
-- aes_block_xor(m, tmp->block, m);
-- m += AES_BLOCK_SIZE;
-- m_len -= AES_BLOCK_SIZE;
-- aes_gcm_128_inc32(ctx->CB);
-- AES_encrypt(ctx->CB, tmp->block, &ctx->aes_key);
-- continue;
-- }
--
-- m[0] ^= tmp->block[tmp->ofs];
-- m += 1;
-- m_len -= 1;
-- tmp->ofs += 1;
-- }
--}
--
--void aes_gcm_128_crypt(struct aes_gcm_128_context *ctx,
-- uint8_t *m, size_t m_len)
--{
-- aes_gcm_128_crypt_tmp(ctx, &ctx->c, m, m_len);
--}
--
--void aes_gcm_128_digest(struct aes_gcm_128_context *ctx,
-- uint8_t T[AES_BLOCK_SIZE])
--{
-- if (ctx->A.ofs > 0) {
-- aes_gcm_128_ghash_block(ctx, ctx->A.block);
-- ctx->A.ofs = 0;
-- }
--
-- if (ctx->C.ofs > 0) {
-- aes_gcm_128_ghash_block(ctx, ctx->C.block);
-- ctx->C.ofs = 0;
-- }
--
-- RSBVAL(ctx->AC, 0, ctx->A.total * 8);
-- RSBVAL(ctx->AC, 8, ctx->C.total * 8);
-- aes_gcm_128_ghash_block(ctx, ctx->AC);
--
-- AES_encrypt(ctx->J0, ctx->c.block, &ctx->aes_key);
-- aes_block_xor(ctx->c.block, ctx->Y, T);
--
-- ZERO_STRUCTP(ctx);
--}
-diff --git a/lib/crypto/aes_gcm_128.h b/lib/crypto/aes_gcm_128.h
-deleted file mode 100644
-index 8df11c2f6bd..00000000000
---- a/lib/crypto/aes_gcm_128.h
-+++ /dev/null
-@@ -1,55 +0,0 @@
--/*
-- AES-GCM-128
--
-- Copyright (C) Stefan Metzmacher 2014
--
-- This program is free software; you can redistribute it and/or modify
-- it under the terms of the GNU General Public License as published by
-- the Free Software Foundation; either version 3 of the License, or
-- (at your option) any later version.
--
-- This program is distributed in the hope that it will be useful,
-- but WITHOUT ANY WARRANTY; without even the implied warranty of
-- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-- GNU General Public License for more details.
--
-- You should have received a copy of the GNU General Public License
-- along with this program. If not, see .
--*/ -- --#ifndef LIB_CRYPTO_AES_GCM_128_H --#define LIB_CRYPTO_AES_GCM_128_H -- --#define AES_GCM_128_IV_SIZE (12) -- --struct aes_gcm_128_context { -- AES_KEY aes_key; -- -- uint64_t __align; -- -- struct aes_gcm_128_tmp { -- size_t ofs; -- size_t total; -- uint8_t block[AES_BLOCK_SIZE]; -- } A, C, c, v, y; -- -- uint8_t H[AES_BLOCK_SIZE]; -- uint8_t J0[AES_BLOCK_SIZE]; -- uint8_t CB[AES_BLOCK_SIZE]; -- uint8_t Y[AES_BLOCK_SIZE]; -- uint8_t AC[AES_BLOCK_SIZE]; --}; -- --void aes_gcm_128_init(struct aes_gcm_128_context *ctx, -- const uint8_t K[AES_BLOCK_SIZE], -- const uint8_t IV[AES_GCM_128_IV_SIZE]); --void aes_gcm_128_updateA(struct aes_gcm_128_context *ctx, -- const uint8_t *a, size_t a_len); --void aes_gcm_128_updateC(struct aes_gcm_128_context *ctx, -- const uint8_t *c, size_t c_len); --void aes_gcm_128_crypt(struct aes_gcm_128_context *ctx, -- uint8_t *m, size_t m_len); --void aes_gcm_128_digest(struct aes_gcm_128_context *ctx, -- uint8_t T[AES_BLOCK_SIZE]); -- --#endif /* LIB_CRYPTO_AES_GCM_128_H */ -diff --git a/lib/crypto/aes_gcm_128_test.c b/lib/crypto/aes_gcm_128_test.c -deleted file mode 100644 -index fdd87ff532d..00000000000 ---- a/lib/crypto/aes_gcm_128_test.c -+++ /dev/null -@@ -1,295 +0,0 @@ --/* -- AES-GCM-128 tests -- -- Copyright (C) Stefan Metzmacher 2014 -- -- This program is free software; you can redistribute it and/or modify -- it under the terms of the GNU General Public License as published by -- the Free Software Foundation; either version 3 of the License, or -- (at your option) any later version. -- -- This program is distributed in the hope that it will be useful, -- but WITHOUT ANY WARRANTY; without even the implied warranty of -- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -- GNU General Public License for more details. -- -- You should have received a copy of the GNU General Public License -- along with this program. If not, see . 
--*/ --#include "replace.h" --#include "../lib/util/samba_util.h" --#include "lib/crypto/aes.h" --#include "lib/crypto/aes_gcm_128.h" --#include "lib/crypto/aes_test.h" -- --#ifndef AES_GCM_128_ONLY_TESTVECTORS --struct torture_context; --bool torture_local_crypto_aes_gcm_128(struct torture_context *tctx); -- --/* -- This uses the test values from ... --*/ --bool torture_local_crypto_aes_gcm_128(struct torture_context *tctx) --{ -- bool ret = true; -- uint32_t i; -- struct aes_mode_testvector testarray[] = { --#endif /* AES_GCM_128_ONLY_TESTVECTORS */ --#define AES_GCM_128_TESTVECTOR(_k, _n, _a, _p, _c, _t) \ -- AES_MODE_TESTVECTOR(aes_gcm_128, _k, _n, _a, _p, _c, _t) -- -- AES_GCM_128_TESTVECTOR( -- /* K */ -- "8BF9FBC2B8149484FF11AB1F3A544FF6", -- /* N */ -- "010000000000000077F7A8FF", -- /* A */ -- "010000000000000077F7A80000000000" -- "A8000000000001004100002C00980000", -- /* P */ -- "FE534D4240000100000000000B00811F" -- "00000000000000000600000000000000" -- "00000000010000004100002C00980000" -- "00000000000000000000000000000000" -- "3900000094010600FFFFFFFFFFFFFFFF" -- "FFFFFFFFFFFFFFFF7800000030000000" -- "000000007800000000000000FFFF0000" -- "0100000000000000" -- "03005C003100370032002E0033003100" -- "2E0039002E003100380033005C006E00" -- "650074006C006F0067006F006E000000", -- /* C */ -- "863C07C1FBFA82D741A080C97DF52CFF" -- "432A63A37E5ACFA3865AE4E6E422D502" -- "FA7C6FBB9A7418F28C43F00A3869F687" -- "257CA665E25E62A0F458C42AA9E95DC4" -- "6CB351A0A497FABB7DCE58FEE5B20B08" -- "522E0E701B112FB93B36E7A0FB084D35" -- "62C0F3FDF0421079DD96BBCCA40949B3" -- "A7FC1AA635A72384" -- "2037DE3CA6385465D1884B29D7140790" -- "88AD3E770E2528D527B302536B7E5B1B" -- "430E048230AFE785DB89F4D87FC1F816", -- /* T */ -- "BC9B5871EBFA89ADE21439ACDCD65D22" -- ), -- AES_GCM_128_TESTVECTOR( -- /* K */ -- "00000000000000000000000000000000", -- /* N */ -- "000000000000000000000000", -- /* A */ -- "", -- /* P */ -- "", -- /* C */ -- "", -- /* T */ -- "58e2fccefa7e3061367f1d57a4e7455a" -- ), 
-- AES_GCM_128_TESTVECTOR( -- /* K */ -- "00000000000000000000000000000000", -- /* N */ -- "000000000000000000000000", -- /* A */ -- "", -- /* P */ -- "00000000000000000000000000000000", -- /* C */ -- "0388dace60b6a392f328c2b971b2fe78", -- /* T */ -- "ab6e47d42cec13bdf53a67b21257bddf" -- ), -- AES_GCM_128_TESTVECTOR( -- /* K */ -- "feffe9928665731c6d6a8f9467308308", -- /* N */ -- "cafebabefacedbaddecaf888", -- /* A */ -- "", -- /* P */ -- "d9313225f88406e5a55909c5aff5269a" -- "86a7a9531534f7da2e4c303d8a318a72" -- "1c3c0c95956809532fcf0e2449a6b525" -- "b16aedf5aa0de657ba637b391aafd255", -- /* C */ -- "42831ec2217774244b7221b784d0d49c" -- "e3aa212f2c02a4e035c17e2329aca12e" -- "21d514b25466931c7d8f6a5aac84aa05" -- "1ba30b396a0aac973d58e091473f5985", -- /* T */ -- "4d5c2af327cd64a62cf35abd2ba6fab4" -- ), -- AES_GCM_128_TESTVECTOR( -- /* K */ -- "feffe9928665731c6d6a8f9467308308", -- /* N */ -- "cafebabefacedbaddecaf888", -- /* A */ -- "feedfacedeadbeeffeedfacedeadbeef" -- "abaddad2", -- /* P */ -- "d9313225f88406e5a55909c5aff5269a" -- "86a7a9531534f7da2e4c303d8a318a72" -- "1c3c0c95956809532fcf0e2449a6b525" -- "b16aedf5aa0de657ba637b39", -- /* C */ -- "42831ec2217774244b7221b784d0d49c" -- "e3aa212f2c02a4e035c17e2329aca12e" -- "21d514b25466931c7d8f6a5aac84aa05" -- "1ba30b396a0aac973d58e091", -- /* T */ -- "5bc94fbc3221a5db94fae95ae7121a47" -- ), --#ifndef AES_GCM_128_ONLY_TESTVECTORS -- }; -- -- for (i=0; i < ARRAY_SIZE(testarray); i++) { -- struct aes_gcm_128_context ctx; -- uint8_t T[AES_BLOCK_SIZE]; -- DATA_BLOB _T = data_blob_const(T, sizeof(T)); -- DATA_BLOB C; -- int e; -- -- C = data_blob_dup_talloc(tctx, testarray[i].P); -- -- aes_gcm_128_init(&ctx, testarray[i].K.data, testarray[i].N.data); -- aes_gcm_128_updateA(&ctx, -- testarray[i].A.data, -- testarray[i].A.length); -- aes_gcm_128_crypt(&ctx, C.data, C.length); -- aes_gcm_128_updateC(&ctx, C.data, C.length); -- aes_gcm_128_digest(&ctx, T); -- -- e = memcmp(testarray[i].T.data, T, sizeof(T)); -- if (e != 0) { 
-- aes_mode_testvector_debug(&testarray[i], NULL, &C, &_T); -- ret = false; -- goto fail; -- } -- -- e = memcmp(testarray[i].C.data, C.data, C.length); -- if (e != 0) { -- aes_mode_testvector_debug(&testarray[i], NULL, &C, &_T); -- ret = false; -- goto fail; -- } -- } -- -- for (i=0; i < ARRAY_SIZE(testarray); i++) { -- struct aes_gcm_128_context ctx; -- uint8_t T[AES_BLOCK_SIZE]; -- DATA_BLOB _T = data_blob_const(T, sizeof(T)); -- DATA_BLOB C; -- int e; -- size_t j; -- -- C = data_blob_dup_talloc(tctx, testarray[i].P); -- -- aes_gcm_128_init(&ctx, testarray[i].K.data, testarray[i].N.data); -- for (j=0; j < testarray[i].A.length; j++) { -- aes_gcm_128_updateA(&ctx, NULL, 0); -- aes_gcm_128_updateA(&ctx, &testarray[i].A.data[j], 1); -- aes_gcm_128_updateA(&ctx, NULL, 0); -- } -- for (j=0; j < C.length; j++) { -- aes_gcm_128_crypt(&ctx, NULL, 0); -- aes_gcm_128_updateC(&ctx, NULL, 0); -- aes_gcm_128_crypt(&ctx, &C.data[j], 1); -- aes_gcm_128_updateC(&ctx, &C.data[j], 1); -- aes_gcm_128_crypt(&ctx, NULL, 0); -- aes_gcm_128_updateC(&ctx, NULL, 0); -- } -- aes_gcm_128_digest(&ctx, T); -- -- e = memcmp(testarray[i].T.data, T, sizeof(T)); -- if (e != 0) { -- aes_mode_testvector_debug(&testarray[i], NULL, &C, &_T); -- ret = false; -- goto fail; -- } -- -- e = memcmp(testarray[i].C.data, C.data, C.length); -- if (e != 0) { -- aes_mode_testvector_debug(&testarray[i], NULL, &C, &_T); -- ret = false; -- goto fail; -- } -- } -- -- for (i=0; i < ARRAY_SIZE(testarray); i++) { -- struct aes_gcm_128_context ctx; -- uint8_t T[AES_BLOCK_SIZE]; -- DATA_BLOB _T = data_blob_const(T, sizeof(T)); -- DATA_BLOB P; -- int e; -- size_t j; -- -- P = data_blob_dup_talloc(tctx, testarray[i].C); -- -- aes_gcm_128_init(&ctx, testarray[i].K.data, testarray[i].N.data); -- for (j=0; j < testarray[i].A.length; j++) { -- aes_gcm_128_updateA(&ctx, NULL, 0); -- aes_gcm_128_updateA(&ctx, &testarray[i].A.data[j], 1); -- aes_gcm_128_updateA(&ctx, NULL, 0); -- } -- for (j=0; j < P.length; j++) { -- 
aes_gcm_128_updateC(&ctx, NULL, 0); -- aes_gcm_128_crypt(&ctx, NULL, 0); -- aes_gcm_128_updateC(&ctx, &P.data[j], 1); -- aes_gcm_128_crypt(&ctx, &P.data[j], 1); -- aes_gcm_128_updateC(&ctx, NULL, 0); -- aes_gcm_128_crypt(&ctx, NULL, 0); -- } -- aes_gcm_128_digest(&ctx, T); -- -- e = memcmp(testarray[i].T.data, T, sizeof(T)); -- if (e != 0) { -- aes_mode_testvector_debug(&testarray[i], &P, NULL, &_T); -- ret = false; -- goto fail; -- } -- -- e = memcmp(testarray[i].P.data, P.data, P.length); -- if (e != 0) { -- aes_mode_testvector_debug(&testarray[i], &P, NULL, &_T); -- ret = false; -- goto fail; -- } -- } -- -- for (i=0; i < ARRAY_SIZE(testarray); i++) { -- struct aes_gcm_128_context ctx; -- uint8_t T[AES_BLOCK_SIZE]; -- DATA_BLOB _T = data_blob_const(T, sizeof(T)); -- DATA_BLOB P; -- int e; -- -- P = data_blob_dup_talloc(tctx, testarray[i].C); -- -- aes_gcm_128_init(&ctx, testarray[i].K.data, testarray[i].N.data); -- aes_gcm_128_updateA(&ctx, testarray[i].A.data, testarray[i].A.length); -- aes_gcm_128_updateC(&ctx, P.data, P.length); -- aes_gcm_128_crypt(&ctx, P.data, P.length); -- aes_gcm_128_digest(&ctx, T); -- -- e = memcmp(testarray[i].T.data, T, sizeof(T)); -- if (e != 0) { -- aes_mode_testvector_debug(&testarray[i], &P, NULL, &_T); -- ret = false; -- goto fail; -- } -- -- e = memcmp(testarray[i].P.data, P.data, P.length); -- if (e != 0) { -- aes_mode_testvector_debug(&testarray[i], &P, NULL, &_T); -- ret = false; -- goto fail; -- } -- } -- -- fail: -- return ret; --} --#endif /* AES_GCM_128_ONLY_TESTVECTORS */ -diff --git a/lib/crypto/crypto.h b/lib/crypto/crypto.h -index 66767935925..d8f13f8fadd 100644 ---- a/lib/crypto/crypto.h -+++ b/lib/crypto/crypto.h -@@ -23,6 +23,5 @@ - #include "../lib/crypto/md4.h" - #include "../lib/crypto/aes.h" - #include "../lib/crypto/aes_cmac_128.h" --#include "../lib/crypto/aes_gcm_128.h" - - #endif /* _SAMBA_CRYPTO_H_ */ -diff --git a/lib/crypto/wscript_build b/lib/crypto/wscript_build -index a019ebe60cf..cd136165a0d 100644 
---- a/lib/crypto/wscript_build -+++ b/lib/crypto/wscript_build -@@ -12,10 +12,6 @@ bld.SAMBA_SUBSYSTEM('GNUTLS_HELPERS', - ''', - deps='gnutls samba-errors'); - --bld.SAMBA_SUBSYSTEM('LIBCRYPTO_AES_GCM', -- source='aes_gcm_128.c', -- deps='talloc') -- - bld.SAMBA_SUBSYSTEM('LIBCRYPTO_AES', - source='aes.c rijndael-alg-fst.c', - deps='talloc') -@@ -32,15 +28,9 @@ bld.SAMBA_SUBSYSTEM('LIBCRYPTO', - deps=''' - talloc - LIBCRYPTO_AES -- LIBCRYPTO_AES_GCM - LIBCRYPTO_AES_CMAC - ''' + extra_deps) - --bld.SAMBA_SUBSYSTEM('TORTURE_LIBCRYPTO_AES_GCM', -- source='aes_gcm_128_test.c', -- autoproto='aes_gcm_test_proto.h', -- deps='talloc') -- - bld.SAMBA_SUBSYSTEM('TORTURE_LIBCRYPTO_AES_CMAC', - source='aes_cmac_128_test.c', - autoproto='aes_cmac_test_proto.h', -@@ -52,7 +42,6 @@ bld.SAMBA_SUBSYSTEM('TORTURE_LIBCRYPTO', - autoproto='test_proto.h', - deps=''' - LIBCRYPTO -- TORTURE_LIBCRYPTO_AES_GCM - TORTURE_LIBCRYPTO_AES_CMAC - ''') - -diff --git a/source4/torture/local/local.c b/source4/torture/local/local.c -index 8f9148b1988..cd20b1691f5 100644 ---- a/source4/torture/local/local.c -+++ b/source4/torture/local/local.c -@@ -23,7 +23,6 @@ - #include "torture/ndr/proto.h" - #include "torture/auth/proto.h" - #include "../lib/crypto/test_proto.h" --#include "../lib/crypto/aes_gcm_test_proto.h" - #ifndef HAVE_GNUTLS_AES_CMAC - #include "../lib/crypto/aes_cmac_test_proto.h" - #endif -@@ -99,8 +98,6 @@ NTSTATUS torture_local_init(TALLOC_CTX *ctx) - torture_suite_add_simple_test(suite, "crypto.aes_cmac_128", - torture_local_crypto_aes_cmac_128); - #endif -- torture_suite_add_simple_test(suite, "crypto.aes_gcm_128", -- torture_local_crypto_aes_gcm_128); - - for (i = 0; suite_generators[i]; i++) - torture_suite_add_suite(suite, --- -2.23.0 - diff --git a/SOURCES/0190-lib-crypto-Only-build-AES-code-if-we-need-AES-CMAC.patch b/SOURCES/0190-lib-crypto-Only-build-AES-code-if-we-need-AES-CMAC.patch deleted file mode 100644 index 0051222..0000000 
--- a/SOURCES/0190-lib-crypto-Only-build-AES-code-if-we-need-AES-CMAC.patch
+++ /dev/null
@@ -1,29 +0,0 @@
-From bc018d1b01ae605472b83b9b6a5c0206830b49da Mon Sep 17 00:00:00 2001
-From: Andreas Schneider
-Date: Tue, 10 Dec 2019 18:03:57 +0100
-Subject: [PATCH 190/191] lib:crypto: Only build AES code if we need AES CMAC
-
-Signed-off-by: Andreas Schneider
-Reviewed-by: Andrew Bartlett
-(cherry picked from commit 6713617724bfe4cba633f0e61052a703c4ca9f3e)
----
- lib/crypto/wscript_build | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/lib/crypto/wscript_build b/lib/crypto/wscript_build
-index cd136165a0d..46ae5e9ba80 100644
---- a/lib/crypto/wscript_build
-+++ b/lib/crypto/wscript_build
-@@ -14,7 +14,8 @@ bld.SAMBA_SUBSYSTEM('GNUTLS_HELPERS',
- 
- bld.SAMBA_SUBSYSTEM('LIBCRYPTO_AES',
- source='aes.c rijndael-alg-fst.c',
-- deps='talloc')
-+ deps='talloc',
-+ enabled=not bld.CONFIG_SET('HAVE_GNUTLS_AES_CMAC'))
- 
- bld.SAMBA_SUBSYSTEM('LIBCRYPTO_AES_CMAC',
- source='aes_cmac_128.c',
---
-2.23.0
-
diff --git a/SOURCES/0191-lib-crypto-Build-intel-aes-ni-only-if-GnuTLS-doesn-t.patch b/SOURCES/0191-lib-crypto-Build-intel-aes-ni-only-if-GnuTLS-doesn-t.patch
deleted file mode 100644
index 7e1dd16..0000000
--- a/SOURCES/0191-lib-crypto-Build-intel-aes-ni-only-if-GnuTLS-doesn-t.patch
+++ /dev/null
@@ -1,49 +0,0 @@
-From 2d058fe332a9aae11607a86c349aee33fa580542 Mon Sep 17 00:00:00 2001
-From: Andreas Schneider
-Date: Tue, 10 Dec 2019 18:06:29 +0100
-Subject: [PATCH 191/191] lib:crypto: Build intel aes-ni only if GnuTLS doesn't
- provide AES CMAC
-
-Signed-off-by: Andreas Schneider
-Reviewed-by: Andrew Bartlett
-
-Autobuild-User(master): Andreas Schneider
-Autobuild-Date(master): Tue Dec 10 20:30:57 UTC 2019 on sn-devel-184
-
-(cherry picked from commit 20b9cae63d5a5881cc6100a2533fab683cc307aa)
----
- lib/crypto/wscript_build | 3 ++-
- third_party/aesni-intel/wscript | 3 ++-
- 2 files changed, 4 insertions(+), 2 deletions(-)
-
-diff --git a/lib/crypto/wscript_build b/lib/crypto/wscript_build
-index 46ae5e9ba80..eb67af63f26 100644
---- a/lib/crypto/wscript_build
-+++ b/lib/crypto/wscript_build
-@@ -2,7 +2,8 @@
- 
- extra_deps = ''
- 
--if bld.CONFIG_SET("HAVE_AESNI_INTEL"):
-+if (bld.CONFIG_SET("HAVE_AESNI_INTEL") and
-+ not bld.CONFIG_SET('HAVE_GNUTLS_AES_CMAC')):
- extra_deps += ' aesni-intel'
- 
- bld.SAMBA_SUBSYSTEM('GNUTLS_HELPERS',
-diff --git a/third_party/aesni-intel/wscript b/third_party/aesni-intel/wscript
-index 955b5162140..382b3c6a7ff 100644
---- a/third_party/aesni-intel/wscript
-+++ b/third_party/aesni-intel/wscript
-@@ -21,7 +21,8 @@ def configure(conf):
- raise Errors.WafError('--accel-aes=intelaesni selected and linker rejects -z noexecstack')
- 
- def build(bld):
-- if not bld.CONFIG_SET('HAVE_AESNI_INTEL'):
-+ if (not bld.CONFIG_SET('HAVE_AESNI_INTEL') or
-+ bld.CONFIG_SET('HAVE_GNUTLS_AES_CMAC')):
- return
- 
- bld.SAMBA_LIBRARY('aesni-intel',
---
-2.23.0
-
diff --git a/SOURCES/0192-lib-crypto-Add-samba_gnutls_weak_crypto.patch b/SOURCES/0192-lib-crypto-Add-samba_gnutls_weak_crypto.patch
deleted file mode 100644
index f0aa160..0000000
--- a/SOURCES/0192-lib-crypto-Add-samba_gnutls_weak_crypto.patch
+++ /dev/null
@@ -1,98 +0,0 @@ -From 3c64a236dfecbe396766ec0e8d326443358d4ab3 Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Mon, 4 Nov 2019 17:01:50 +0100 -Subject: [PATCH 192/208] lib:crypto: Add samba_gnutls_weak_crypto() - -Signed-off-by: Andreas Schneider ---- - lib/crypto/gnutls_helpers.h | 7 +++++ - lib/crypto/gnutls_weak_crypto.c | 48 +++++++++++++++++++++++++++++++++ - lib/crypto/wscript_build | 1 + - 3 files changed, 56 insertions(+) - create mode 100644 lib/crypto/gnutls_weak_crypto.c - -diff --git a/lib/crypto/gnutls_helpers.h b/lib/crypto/gnutls_helpers.h -index d6000c7b316..a985c028e9d 100644 ---- a/lib/crypto/gnutls_helpers.h -+++ b/lib/crypto/gnutls_helpers.h -@@ -92,4 +92,11 @@ int samba_gnutls_arcfour_confounded_md5(const DATA_BLOB *key_input1, - DATA_BLOB *data, - enum samba_gnutls_direction encrypt); - -+/** -+ * @brief Check if weak crypto is allowed. -+ * -+ * @return true if weak crypo is allowed, false otherwise. -+ */ -+bool samba_gnutls_weak_crypto_allowed(void); -+ - #endif /* _GNUTLS_HELPERS_H */ -diff --git a/lib/crypto/gnutls_weak_crypto.c b/lib/crypto/gnutls_weak_crypto.c -new file mode 100644 -index 00000000000..68ce588243f ---- /dev/null -+++ b/lib/crypto/gnutls_weak_crypto.c -@@ -0,0 +1,48 @@ -+/* -+ * Copyright (c) 2019 Andreas Schneider -+ * -+ * This program is free software: you can redistribute it and/or modify -+ * it under the terms of the GNU General Public License as published by -+ * the Free Software Foundation, either version 3 of the License, or -+ * (at your option) any later version. -+ * -+ * This program is distributed in the hope that it will be useful, -+ * but WITHOUT ANY WARRANTY; without even the implied warranty of -+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -+ * GNU General Public License for more details. -+ * -+ * You should have received a copy of the GNU General Public License -+ * along with this program. If not, see . 
-+ */ -+ -+#include "includes.h" -+#include "lib/crypto/gnutls_helpers.h" -+ -+#include -+#include -+ -+bool samba_gnutls_weak_crypto_allowed(void) -+{ -+ gnutls_cipher_hd_t cipher_hnd = NULL; -+ gnutls_datum_t key = { -+ .data = discard_const_p(unsigned char, "SystemLibraryDTC"), -+ .size = 16, -+ }; -+ int rc; -+ -+ /* -+ * If RC4 is not allowed to be initialzed then weak crypto is not -+ * allowed. -+ */ -+ rc = gnutls_cipher_init(&cipher_hnd, -+ GNUTLS_CIPHER_ARCFOUR_128, -+ &key, -+ NULL); -+ if (rc == GNUTLS_E_UNWANTED_ALGORITHM) { -+ return false; -+ } -+ -+ gnutls_cipher_deinit(cipher_hnd); -+ -+ return true; -+} -diff --git a/lib/crypto/wscript_build b/lib/crypto/wscript_build -index eb67af63f26..e5766042541 100644 ---- a/lib/crypto/wscript_build -+++ b/lib/crypto/wscript_build -@@ -10,6 +10,7 @@ bld.SAMBA_SUBSYSTEM('GNUTLS_HELPERS', - source=''' - gnutls_error.c - gnutls_arcfour_confounded_md5.c -+ gnutls_weak_crypto.c - ''', - deps='gnutls samba-errors'); - --- -2.23.0 - diff --git a/SOURCES/0193-s3-utils-Add-weak-crypto-information-to-testparm.patch b/SOURCES/0193-s3-utils-Add-weak-crypto-information-to-testparm.patch deleted file mode 100644 index 3057803..0000000 --- a/SOURCES/0193-s3-utils-Add-weak-crypto-information-to-testparm.patch +++ /dev/null 
@@ -1,60 +0,0 @@ -From 067a5405a729c6d3b91a30ab0f16c0fa10db0498 Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Mon, 4 Nov 2019 17:26:48 +0100 -Subject: [PATCH 193/208] s3:utils: Add weak crypto information to testparm - -Signed-off-by: Andreas Schneider ---- - source3/utils/testparm.c | 9 +++++++++ - source3/utils/wscript_build | 1 + - 2 files changed, 10 insertions(+) - -diff --git a/source3/utils/testparm.c b/source3/utils/testparm.c -index f4e94b6ef74..c5001e01679 100644 ---- a/source3/utils/testparm.c -+++ b/source3/utils/testparm.c -@@ -35,6 +35,7 @@ - #include "system/filesys.h" - #include "popt_common.h" - #include "lib/param/loadparm.h" -+#include "lib/crypto/gnutls_helpers.h" - #include "cmdline_contexts.h" - - #include -@@ -647,6 +648,7 @@ static void do_per_share_checks(int s) - const char *caddr; - static int show_defaults; - static int skip_logic_checks = 0; -+ const char *weak_crypo_str = ""; - - struct poptOption long_options[] = { - POPT_AUTOHELP -@@ -752,6 +754,13 @@ static void do_per_share_checks(int s) - - fprintf(stderr,"Loaded services file OK.\n"); - -+ if (samba_gnutls_weak_crypto_allowed()) { -+ weak_crypo_str = "allowed"; -+ } else { -+ weak_crypo_str = "disallowed"; -+ } -+ fprintf(stderr, "Weak crypto is %s\n", weak_crypo_str); -+ - if (skip_logic_checks == 0) { - ret = do_global_checks(); - } -diff --git a/source3/utils/wscript_build b/source3/utils/wscript_build -index 9d9aa56bf37..618cc955647 100644 ---- a/source3/utils/wscript_build -+++ b/source3/utils/wscript_build -@@ -175,6 +175,7 @@ bld.SAMBA3_BINARY('testparm', - smbconf - popt_samba3 - cmdline_contexts -+ GNUTLS_HELPERS - ''') - - bld.SAMBA3_BINARY('net', --- -2.23.0 - diff --git a/SOURCES/0194-lib-param-Add-lp-cfg-_weak_crypto.patch b/SOURCES/0194-lib-param-Add-lp-cfg-_weak_crypto.patch deleted file mode 100644 index 841c77e..0000000 --- a/SOURCES/0194-lib-param-Add-lp-cfg-_weak_crypto.patch +++ /dev/null 
@@ -1,139 +0,0 @@ -From fa0c97dd4960e56864b6446ae4f5ff072763b6a2 Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Mon, 4 Nov 2019 17:15:14 +0100 -Subject: [PATCH 194/208] lib:param: Add lp(cfg)_weak_crypto() - -Signed-off-by: Andreas Schneider ---- - lib/param/loadparm.c | 15 +++++++++++++++ - lib/param/loadparm.h | 10 +++++++++- - lib/param/wscript_build | 2 +- - source3/include/proto.h | 1 + - source3/param/loadparm.c | 14 ++++++++++++++ - 5 files changed, 40 insertions(+), 2 deletions(-) - -diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c -index 883d4167bf4..83dc111c05c 100644 ---- a/lib/param/loadparm.c -+++ b/lib/param/loadparm.c -@@ -71,6 +71,7 @@ - #include "libds/common/roles.h" - #include "lib/util/samba_util.h" - #include "libcli/auth/ntlm_check.h" -+#include "lib/crypto/gnutls_helpers.h" - - #ifdef HAVE_HTTPCONNECTENCRYPT - #include -@@ -95,6 +96,19 @@ int lpcfg_rpc_high_port(struct loadparm_context *lp_ctx) - return lp_ctx->globals->rpc_high_port; - } - -+enum samba_weak_crypto lpcfg_weak_crypto(struct loadparm_context *lp_ctx) -+{ -+ if (lp_ctx->globals->weak_crypto == SAMBA_WEAK_CRYPTO_UNKNOWN) { -+ lp_ctx->globals->weak_crypto = SAMBA_WEAK_CRYPTO_DISALLOWED; -+ -+ if (samba_gnutls_weak_crypto_allowed()) { -+ lp_ctx->globals->weak_crypto = SAMBA_WEAK_CRYPTO_ALLOWED; -+ } -+ } -+ -+ return lp_ctx->globals->weak_crypto; -+} -+ - /** - * Convenience routine to grab string parameters into temporary memory - * and run standard_sub_basic on them. 
-@@ -2592,6 +2606,7 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx) - lp_ctx->globals->ctx = lp_ctx->globals; - lp_ctx->globals->rpc_low_port = SERVER_TCP_LOW_PORT; - lp_ctx->globals->rpc_high_port = SERVER_TCP_HIGH_PORT; -+ lp_ctx->globals->weak_crypto = SAMBA_WEAK_CRYPTO_UNKNOWN; - lp_ctx->sDefault = talloc_zero(lp_ctx, struct loadparm_service); - lp_ctx->flags = talloc_zero_array(lp_ctx, unsigned int, num_parameters()); - -diff --git a/lib/param/loadparm.h b/lib/param/loadparm.h -index 0b2e302d2a9..897031985f8 100644 ---- a/lib/param/loadparm.h -+++ b/lib/param/loadparm.h -@@ -248,6 +248,13 @@ enum inheritowner_options { - /* mangled names options */ - enum mangled_names_options {MANGLED_NAMES_NO, MANGLED_NAMES_YES, MANGLED_NAMES_ILLEGAL}; - -+/* FIPS values */ -+enum samba_weak_crypto { -+ SAMBA_WEAK_CRYPTO_UNKNOWN, -+ SAMBA_WEAK_CRYPTO_ALLOWED, -+ SAMBA_WEAK_CRYPTO_DISALLOWED, -+}; -+ - /* - * Default passwd chat script. - */ -@@ -285,7 +292,8 @@ enum mangled_names_options {MANGLED_NAMES_NO, MANGLED_NAMES_YES, MANGLED_NAMES_I - struct parmlist_entry *param_opt; \ - char *dnsdomain; \ - int rpc_low_port; \ -- int rpc_high_port; -+ int rpc_high_port; \ -+ enum samba_weak_crypto weak_crypto; - - const char* server_role_str(uint32_t role); - int lp_find_server_role(int server_role, int security, int domain_logons, int domain_master); -diff --git a/lib/param/wscript_build b/lib/param/wscript_build -index 20c8bcab22a..864975a5884 100644 ---- a/lib/param/wscript_build -+++ b/lib/param/wscript_build -@@ -40,7 +40,7 @@ bld.SAMBA_LIBRARY('samba-hostconfig', - pc_files='samba-hostconfig.pc', - vnum='0.0.1', - deps='DYNCONFIG server-role tdb', -- public_deps='samba-util param_local.h', -+ public_deps='GNUTLS_HELPERS samba-util param_local.h', - public_headers='param.h', - autoproto='param_proto.h' - ) -diff --git a/source3/include/proto.h b/source3/include/proto.h -index 43a4b8f8b4d..956a328b626 100644 ---- a/source3/include/proto.h -+++ 
b/source3/include/proto.h -@@ -755,6 +755,7 @@ bool lp_widelinks(int ); - int lp_rpc_low_port(void); - int lp_rpc_high_port(void); - bool lp_lanman_auth(void); -+enum samba_weak_crypto lp_weak_crypto(void); - - int lp_wi_scan_global_parametrics( - const char *regex, size_t max_matches, -diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c -index a8d5fdc5954..923c2473662 100644 ---- a/source3/param/loadparm.c -+++ b/source3/param/loadparm.c -@@ -72,6 +72,7 @@ - #include "librpc/gen_ndr/nbt.h" - #include "source4/lib/tls/tls.h" - #include "libcli/auth/ntlm_check.h" -+#include "lib/crypto/gnutls_helpers.h" - - #ifdef HAVE_SYS_SYSCTL_H - #include -@@ -4677,3 +4678,16 @@ unsigned int * get_flags(void) - - return flags_list; - } -+ -+enum samba_weak_crypto lp_weak_crypto() -+{ -+ if (Globals.weak_crypto == SAMBA_WEAK_CRYPTO_UNKNOWN) { -+ Globals.weak_crypto = SAMBA_WEAK_CRYPTO_DISALLOWED; -+ -+ if (samba_gnutls_weak_crypto_allowed()) { -+ Globals.weak_crypto = SAMBA_WEAK_CRYPTO_ALLOWED; -+ } -+ } -+ -+ return Globals.weak_crypto; -+} --- -2.23.0 - diff --git a/SOURCES/0195-gensec-Add-a-check-if-a-gensec-module-implements-wea.patch b/SOURCES/0195-gensec-Add-a-check-if-a-gensec-module-implements-wea.patch deleted file mode 100644 index e4dfc83..0000000 --- a/SOURCES/0195-gensec-Add-a-check-if-a-gensec-module-implements-wea.patch +++ /dev/null 
@@ -1,50 +0,0 @@ -From c8b68454839618abf0e0c467ceaa08ef88717b22 Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Wed, 11 Dec 2019 17:45:39 +0100 -Subject: [PATCH 195/208] gensec: Add a check if a gensec module implements - weak crypto - -Signed-off-by: Andreas Schneider ---- - auth/gensec/gensec_internal.h | 1 + - auth/gensec/gensec_start.c | 12 +++++++++++- - 2 files changed, 12 insertions(+), 1 deletion(-) - -diff --git a/auth/gensec/gensec_internal.h b/auth/gensec/gensec_internal.h -index 911b48b52d6..8efb1bdff0f 100644 ---- a/auth/gensec/gensec_internal.h -+++ b/auth/gensec/gensec_internal.h -@@ -28,6 +28,7 @@ struct gensec_security; - struct gensec_security_ops { - const char *name; - const char *sasl_name; -+ bool weak_crypto; - uint8_t auth_type; /* 0 if not offered on DCE-RPC */ - const char **oid; /* NULL if not offered by SPNEGO */ - NTSTATUS (*client_start)(struct gensec_security *gensec_security); -diff --git a/auth/gensec/gensec_start.c b/auth/gensec/gensec_start.c -index 50f4de73110..860c974f056 100644 ---- a/auth/gensec/gensec_start.c -+++ b/auth/gensec/gensec_start.c -@@ -49,7 +49,17 @@ _PUBLIC_ const struct gensec_security_ops * const *gensec_security_all(void) - - bool gensec_security_ops_enabled(const struct gensec_security_ops *ops, struct gensec_security *security) - { -- return lpcfg_parm_bool(security->settings->lp_ctx, NULL, "gensec", ops->name, ops->enabled); -+ bool ok = lpcfg_parm_bool(security->settings->lp_ctx, -+ NULL, -+ "gensec", -+ ops->name, -+ ops->enabled); -+ -+ if (!samba_gnutls_weak_crypto_allowed() && ops->weak_crypto) { -+ ok = false; -+ } -+ -+ return ok; - } - - /* Sometimes we want to force only kerberos, sometimes we want to --- -2.23.0 - diff --git a/SOURCES/0196-auth-ntlmssp-Mark-as-weak_crypto.patch b/SOURCES/0196-auth-ntlmssp-Mark-as-weak_crypto.patch deleted file mode 100644 index 2c191a0..0000000 --- a/SOURCES/0196-auth-ntlmssp-Mark-as-weak_crypto.patch +++ /dev/null 
@@ -1,46 +0,0 @@ -From fdbe1754e49e1820976ce24707d60e10c9745552 Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Mon, 11 Nov 2019 16:39:24 +0100 -Subject: [PATCH 196/208] auth:ntlmssp: Mark as weak_crypto - -Signed-off-by: Andreas Schneider ---- - auth/gensec/gensec_start.c | 1 + - auth/ntlmssp/ntlmssp.c | 2 ++ - 2 files changed, 3 insertions(+) - -diff --git a/auth/gensec/gensec_start.c b/auth/gensec/gensec_start.c -index 860c974f056..d2d62d6652e 100644 ---- a/auth/gensec/gensec_start.c -+++ b/auth/gensec/gensec_start.c -@@ -32,6 +32,7 @@ - #include "lib/util/tsort.h" - #include "lib/util/samba_modules.h" - #include "lib/util/base64.h" -+#include "lib/crypto/gnutls_helpers.h" - - #undef DBGC_CLASS - #define DBGC_CLASS DBGC_AUTH -diff --git a/auth/ntlmssp/ntlmssp.c b/auth/ntlmssp/ntlmssp.c -index 37434fbb0c2..745f2628d21 100644 ---- a/auth/ntlmssp/ntlmssp.c -+++ b/auth/ntlmssp/ntlmssp.c -@@ -305,6 +305,7 @@ static const struct gensec_security_ops gensec_ntlmssp_security_ops = { - .name = "ntlmssp", - .sasl_name = GENSEC_SASL_NAME_NTLMSSP, /* "NTLM" */ - .auth_type = DCERPC_AUTH_TYPE_NTLMSSP, -+ .weak_crypto = true, - .oid = gensec_ntlmssp_oids, - .client_start = gensec_ntlmssp_client_start, - .server_start = gensec_ntlmssp_server_start, -@@ -329,6 +330,7 @@ static const struct gensec_security_ops gensec_ntlmssp_security_ops = { - - static const struct gensec_security_ops gensec_ntlmssp_resume_ccache_ops = { - .name = "ntlmssp_resume_ccache", -+ .weak_crypto = true, - .client_start = gensec_ntlmssp_resume_ccache_start, - .update_send = gensec_ntlmssp_update_send, - .update_recv = gensec_ntlmssp_update_recv, --- -2.23.0 - diff --git a/SOURCES/0197-s3-param-Force-SMB-encryption-for-DECRPC-over-named-.patch b/SOURCES/0197-s3-param-Force-SMB-encryption-for-DECRPC-over-named-.patch deleted file mode 100644 index d1abeab..0000000 --- a/SOURCES/0197-s3-param-Force-SMB-encryption-for-DECRPC-over-named-.patch +++ /dev/null 
@@ -1,33 +0,0 @@
-From d88a2d900f5eaab0acda0d0715a5c8ad7e92b315 Mon Sep 17 00:00:00 2001
-From: Andreas Schneider
-Date: Tue, 16 Apr 2019 11:41:46 +0200
-Subject: [PATCH 197/208] s3:param: Force SMB encryption for DECRPC over named
- pipes
-
-If we do not allow weak crypto, we need to secure DCERPC with strong
-crypto.
-
-Signed-off-by: Andreas Schneider
----
- source3/param/loadparm.c | 5 +++++
- 1 file changed, 5 insertions(+)
-
-diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
-index 923c2473662..b52e2bcb036 100644
---- a/source3/param/loadparm.c
-+++ b/source3/param/loadparm.c
-@@ -1616,6 +1616,11 @@ static bool lp_add_ipc(const char *ipc_name, bool guest_ok)
- ServicePtrs[i]->browseable = sDefault.browseable;
- ServicePtrs[i]->autoloaded = false;
- 
-+ /* Force SMB encryption for DECRPC over named pipes. */
-+ if (lp_weak_crypto() == SAMBA_WEAK_CRYPTO_DISALLOWED) {
-+ ServicePtrs[i]->smb_encrypt = SMB_SIGNING_REQUIRED;
-+ }
-+
- DEBUG(3, ("adding IPC service\n"));
- 
- TALLOC_FREE(comment);
---
-2.23.0
-
diff --git a/SOURCES/0198-s3-param-Only-allow-SMB-3.0-for-DCERPC-client-connec.patch b/SOURCES/0198-s3-param-Only-allow-SMB-3.0-for-DCERPC-client-connec.patch
deleted file mode 100644
index fb52411..0000000
--- a/SOURCES/0198-s3-param-Only-allow-SMB-3.0-for-DCERPC-client-connec.patch
+++ /dev/null
@@ -1,37 +0,0 @@
-From 499fd673befa6fed6bd0e542d9bb06cb49bd150e Mon Sep 17 00:00:00 2001
-From: Andreas Schneider
-Date: Thu, 11 Apr 2019 11:40:11 +0200
-Subject: [PATCH 198/208] s3:param: Only allow SMB 3.0+ for DCERPC client
- connections over named pipes
-
-We need an AES encrypted transport as some RPC services only encrypt
-secrets using RC4, e.g. password changes over SAMR.
-
-Signed-off-by: Andreas Schneider
----
- source3/param/loadparm.c | 9 +++++++++
- 1 file changed, 9 insertions(+)
-
-diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
-index b52e2bcb036..c1d02cf5bc6 100644
---- a/source3/param/loadparm.c
-+++ b/source3/param/loadparm.c
-@@ -4614,6 +4614,15 @@ int lp_client_max_protocol(void)
- int lp_client_ipc_min_protocol(void)
- {
- int client_ipc_min_protocol = lp__client_ipc_min_protocol();
-+
-+ /*
-+ * If weak crypto is not allowed, force at least SMB3 which offers AES
-+ * encrypted connections.
-+ */
-+ if (lp_weak_crypto() == SAMBA_WEAK_CRYPTO_DISALLOWED) {
-+ return MAX(client_ipc_min_protocol, PROTOCOL_SMB3_00);
-+ }
-+
- if (client_ipc_min_protocol == PROTOCOL_DEFAULT) {
- client_ipc_min_protocol = lp_client_min_protocol();
- }
---
-2.23.0
-
diff --git a/SOURCES/0199-s3-rpc_server-Allow-RC4-encrypted-buffers-in-samr_Se.patch b/SOURCES/0199-s3-rpc_server-Allow-RC4-encrypted-buffers-in-samr_Se.patch
deleted file mode 100644
index c4c528b..0000000
--- a/SOURCES/0199-s3-rpc_server-Allow-RC4-encrypted-buffers-in-samr_Se.patch
+++ /dev/null
@@ -1,82 +0,0 @@ -From 007b56943bbec3c3b9b28be08c3088b0d28ba2d8 Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Tue, 12 Nov 2019 16:56:45 +0100 -Subject: [PATCH 199/208] s3:rpc_server: Allow RC4 encrypted buffers in - samr_SetUserInfo() - -This is only allowed if we have a sealed connections! - -Signed-off-by: Andreas Schneider ---- - source3/rpc_server/samr/srv_samr_nt.c | 24 ++++++++++++++++++++++++ - 1 file changed, 24 insertions(+) - -diff --git a/source3/rpc_server/samr/srv_samr_nt.c b/source3/rpc_server/samr/srv_samr_nt.c -index 91771e34502..509bce57a3b 100644 ---- a/source3/rpc_server/samr/srv_samr_nt.c -+++ b/source3/rpc_server/samr/srv_samr_nt.c -@@ -5210,9 +5210,15 @@ NTSTATUS _samr_SetUserInfo(struct pipes_struct *p, - if(!NT_STATUS_IS_OK(status)) { - break; - } -+ /* -+ * This can be allowed as it requires a session key -+ * which we only have if we have a SMB session. -+ */ -+ GNUTLS_FIPS140_SET_LAX_MODE(); - status = arc4_decrypt_data(session_key, - info->info23.password.data, - 516); -+ GNUTLS_FIPS140_SET_STRICT_MODE(); - if(!NT_STATUS_IS_OK(status)) { - break; - } -@@ -5233,9 +5239,15 @@ NTSTATUS _samr_SetUserInfo(struct pipes_struct *p, - if(!NT_STATUS_IS_OK(status)) { - break; - } -+ /* -+ * This can be allowed as it requires a session key -+ * which we only have if we have a SMB session. -+ */ -+ GNUTLS_FIPS140_SET_LAX_MODE(); - status = arc4_decrypt_data(session_key, - info->info24.password.data, - 516); -+ GNUTLS_FIPS140_SET_STRICT_MODE(); - if(!NT_STATUS_IS_OK(status)) { - break; - } -@@ -5254,8 +5266,14 @@ NTSTATUS _samr_SetUserInfo(struct pipes_struct *p, - if(!NT_STATUS_IS_OK(status)) { - break; - } -+ /* -+ * This can be allowed as it requires a session key -+ * which we only have if we have a SMB session. 
-+ */ -+ GNUTLS_FIPS140_SET_LAX_MODE(); - status = decode_rc4_passwd_buffer(&session_key, - &info->info25.password); -+ GNUTLS_FIPS140_SET_STRICT_MODE(); - if (!NT_STATUS_IS_OK(status)) { - break; - } -@@ -5274,8 +5292,14 @@ NTSTATUS _samr_SetUserInfo(struct pipes_struct *p, - if(!NT_STATUS_IS_OK(status)) { - break; - } -+ /* -+ * This can be allowed as it requires a session key -+ * which we only have if we have a SMB session. -+ */ -+ GNUTLS_FIPS140_SET_LAX_MODE(); - status = decode_rc4_passwd_buffer(&session_key, - &info->info26.password); -+ GNUTLS_FIPS140_SET_STRICT_MODE(); - if (!NT_STATUS_IS_OK(status)) { - break; - } --- -2.23.0 - diff --git a/SOURCES/0200-s4-rpc_server-Allow-to-use-RC4-for-setting-passwords.patch b/SOURCES/0200-s4-rpc_server-Allow-to-use-RC4-for-setting-passwords.patch deleted file mode 100644 index 4314363..0000000 --- a/SOURCES/0200-s4-rpc_server-Allow-to-use-RC4-for-setting-passwords.patch +++ /dev/null 
@@ -1,45 +0,0 @@ -From 00351ef5dd8fb5ab1d036850a99d7dee07dadca1 Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Fri, 15 Nov 2019 13:49:40 +0100 -Subject: [PATCH 200/208] s4:rpc_server: Allow to use RC4 for setting passwords - -Signed-off-by: Andreas Schneider ---- - source4/rpc_server/samr/samr_password.c | 7 +++++++ - 1 file changed, 7 insertions(+) - -diff --git a/source4/rpc_server/samr/samr_password.c b/source4/rpc_server/samr/samr_password.c -index fba236ebdd7..e5e339842b1 100644 ---- a/source4/rpc_server/samr/samr_password.c -+++ b/source4/rpc_server/samr/samr_password.c -@@ -618,6 +618,11 @@ NTSTATUS samr_set_password(struct dcesrv_call_state *dce_call, - .size = session_key.length, - }; - -+ /* -+ * This is safe to support as we only have a session key -+ * over a SMB connection which we force to be encrypted. -+ */ -+ GNUTLS_FIPS140_SET_LAX_MODE(); - rc = gnutls_cipher_init(&cipher_hnd, - GNUTLS_CIPHER_ARCFOUR_128, - &_session_key, -@@ -635,6 +640,7 @@ NTSTATUS samr_set_password(struct dcesrv_call_state *dce_call, - nt_status = gnutls_error_to_ntstatus(rc, NT_STATUS_CRYPTO_SYSTEM_INVALID); - goto out; - } -+ GNUTLS_FIPS140_SET_STRICT_MODE(); - - if (!extract_pw_from_buffer(mem_ctx, pwbuf->data, &new_password)) { - DEBUG(3,("samr: failed to decode password buffer\n")); -@@ -655,6 +661,7 @@ NTSTATUS samr_set_password(struct dcesrv_call_state *dce_call, - NULL, - NULL); - out: -+ GNUTLS_FIPS140_SET_STRICT_MODE(); - return nt_status; - } - --- -2.23.0 - diff --git a/SOURCES/0201-s3-rpc_server-Only-announce-RC4-in-netlogon-server-i.patch b/SOURCES/0201-s3-rpc_server-Only-announce-RC4-in-netlogon-server-i.patch deleted file mode 100644 index 3bde1ce..0000000 --- a/SOURCES/0201-s3-rpc_server-Only-announce-RC4-in-netlogon-server-i.patch +++ /dev/null 
@@ -1,37 +0,0 @@ -From f719db12774d7b22b818adb56c2abd64ab036caf Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Thu, 11 Apr 2019 16:06:14 +0200 -Subject: [PATCH 201/208] s3:rpc_server: Only announce RC4 in netlogon server - if available - -Signed-off-by: Andreas Schneider ---- - source3/rpc_server/netlogon/srv_netlog_nt.c | 5 ++++- - 1 file changed, 4 insertions(+), 1 deletion(-) - -diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c -index cbbf9feedc7..3dd8ecf5ca8 100644 ---- a/source3/rpc_server/netlogon/srv_netlog_nt.c -+++ b/source3/rpc_server/netlogon/srv_netlog_nt.c -@@ -909,7 +909,6 @@ NTSTATUS _netr_ServerAuthenticate3(struct pipes_struct *p, - /* 0x000001ff */ - srv_flgs = NETLOGON_NEG_ACCOUNT_LOCKOUT | - NETLOGON_NEG_PERSISTENT_SAMREPL | -- NETLOGON_NEG_ARCFOUR | - NETLOGON_NEG_PROMOTION_COUNT | - NETLOGON_NEG_CHANGELOG_BDC | - NETLOGON_NEG_FULL_SYNC_REPL | -@@ -918,6 +917,10 @@ NTSTATUS _netr_ServerAuthenticate3(struct pipes_struct *p, - NETLOGON_NEG_PASSWORD_CHANGE_REFUSAL | - NETLOGON_NEG_PASSWORD_SET2; - -+ if (lp_weak_crypto() == SAMBA_WEAK_CRYPTO_ALLOWED) { -+ srv_flgs |= NETLOGON_NEG_ARCFOUR; -+ } -+ - /* Ensure we support strong (128-bit) keys. */ - if (in_neg_flags & NETLOGON_NEG_STRONG_KEYS) { - srv_flgs |= NETLOGON_NEG_STRONG_KEYS; --- -2.23.0 - diff --git a/SOURCES/0202-s4-rpc_server-Only-announce-RC4-in-netlogon-server-i.patch b/SOURCES/0202-s4-rpc_server-Only-announce-RC4-in-netlogon-server-i.patch deleted file mode 100644 index 685801d..0000000 --- a/SOURCES/0202-s4-rpc_server-Only-announce-RC4-in-netlogon-server-i.patch +++ /dev/null 
@@ -1,46 +0,0 @@ -From e34285778e869f8cb706e4836213651b00b6e425 Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Mon, 18 Nov 2019 17:10:25 +0100 -Subject: [PATCH 202/208] s4:rpc_server: Only announce RC4 in netlogon server - if available - -Signed-off-by: Andreas Schneider ---- - source4/rpc_server/netlogon/dcerpc_netlogon.c | 7 ++++++- - 1 file changed, 6 insertions(+), 1 deletion(-) - -diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c -index 6c92db7b53a..bc3f8e6765f 100644 ---- a/source4/rpc_server/netlogon/dcerpc_netlogon.c -+++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c -@@ -44,6 +44,7 @@ - #include "lib/socket/netif.h" - #include "rpc_server/common/sid_helper.h" - #include "lib/util/util_str_escape.h" -+#include "lib/param/loadparm.h" - - #define DCESRV_INTERFACE_NETLOGON_BIND(context, iface) \ - dcesrv_interface_netlogon_bind(context, iface) -@@ -198,7 +199,6 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_helper( - - server_flags = NETLOGON_NEG_ACCOUNT_LOCKOUT | - NETLOGON_NEG_PERSISTENT_SAMREPL | -- NETLOGON_NEG_ARCFOUR | - NETLOGON_NEG_PROMOTION_COUNT | - NETLOGON_NEG_CHANGELOG_BDC | - NETLOGON_NEG_FULL_SYNC_REPL | -@@ -222,6 +222,11 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_helper( - NETLOGON_NEG_AUTHENTICATED_RPC_LSASS | - NETLOGON_NEG_AUTHENTICATED_RPC; - -+ if (lpcfg_weak_crypto(dce_call->conn->dce_ctx->lp_ctx) == -+ SAMBA_WEAK_CRYPTO_ALLOWED) { -+ server_flags |= NETLOGON_NEG_ARCFOUR; -+ } -+ - negotiate_flags = *r->in.negotiate_flags & server_flags; - - if (negotiate_flags & NETLOGON_NEG_STRONG_KEYS) { --- -2.23.0 - diff --git a/SOURCES/0203-s4-samdb-Allow-to-hash-password-using-MD5-in-samdb.patch b/SOURCES/0203-s4-samdb-Allow-to-hash-password-using-MD5-in-samdb.patch deleted file mode 100644 index 4ce8e57..0000000 --- a/SOURCES/0203-s4-samdb-Allow-to-hash-password-using-MD5-in-samdb.patch +++ /dev/null 
@@ -1,51 +0,0 @@ -From f1fe9abde9375d06cd4b6f0265ee1af483bbfd14 Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Wed, 15 May 2019 08:46:56 +0200 -Subject: [PATCH 203/208] s4:samdb: Allow to hash password using MD5 in samdb - -Those passwords are stored in the local database. - -Signed-off-by: Andreas Schneider ---- - source4/dsdb/samdb/ldb_modules/password_hash.c | 7 ++++++- - 1 file changed, 6 insertions(+), 1 deletion(-) - -diff --git a/source4/dsdb/samdb/ldb_modules/password_hash.c b/source4/dsdb/samdb/ldb_modules/password_hash.c -index 006e35c46d5..1e94bb8f01c 100644 ---- a/source4/dsdb/samdb/ldb_modules/password_hash.c -+++ b/source4/dsdb/samdb/ldb_modules/password_hash.c -@@ -48,7 +48,7 @@ - #include "auth/common_auth.h" - #include "lib/messaging/messaging.h" - --#include -+#include "lib/crypto/gnutls_helpers.h" - #include - - #ifdef ENABLE_GPGME -@@ -1372,6 +1372,8 @@ static int setup_primary_wdigest(struct setup_password_fields_io *io, - for (i=0; i < ARRAY_SIZE(wdigest); i++) { - gnutls_hash_hd_t hash_hnd = NULL; - -+ GNUTLS_FIPS140_SET_LAX_MODE(); -+ - rc = gnutls_hash_init(&hash_hnd, GNUTLS_DIG_MD5); - if (rc < 0) { - rc = ldb_oom(ldb); -@@ -1436,10 +1438,13 @@ static int setup_primary_wdigest(struct setup_password_fields_io *io, - } - - gnutls_hash_deinit(hash_hnd, pdb->hashes[i].hash); -+ -+ GNUTLS_FIPS140_SET_STRICT_MODE(); - } - - rc = LDB_SUCCESS; - out: -+ GNUTLS_FIPS140_SET_STRICT_MODE(); - return rc; - } - --- -2.23.0 - diff --git a/SOURCES/0204-lib-crypto-Allow-py_crypto-to-use-RC4-in-FIPS-mode.patch b/SOURCES/0204-lib-crypto-Allow-py_crypto-to-use-RC4-in-FIPS-mode.patch deleted file mode 100644 index 7f03e3d..0000000 --- a/SOURCES/0204-lib-crypto-Allow-py_crypto-to-use-RC4-in-FIPS-mode.patch +++ /dev/null 
@@ -1,56 +0,0 @@ -From 4e54b3526ae140a419fc50eae3a2e30e25373529 Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Tue, 21 May 2019 09:31:02 +0200 -Subject: [PATCH 204/208] lib:crypto: Allow py_crypto to use RC4 in FIPS mode - -This is a public functions, so it can be consumed by others. E.g. -FreeIPA is using it to establish trusts. Not sure if this is -a problem with FIPS. - -Signed-off-by: Andreas Schneider ---- - lib/crypto/py_crypto.c | 9 ++++++++- - 1 file changed, 8 insertions(+), 1 deletion(-) - -diff --git a/lib/crypto/py_crypto.c b/lib/crypto/py_crypto.c -index c85cd2c13d2..f4b5b745daf 100644 ---- a/lib/crypto/py_crypto.c -+++ b/lib/crypto/py_crypto.c -@@ -22,7 +22,7 @@ - #include "includes.h" - #include "python/py3compat.h" - --#include -+#include "gnutls_helpers.h" - #include - - static PyObject *py_crypto_arcfour_crypt_blob(PyObject *module, PyObject *args) -@@ -61,11 +61,15 @@ static PyObject *py_crypto_arcfour_crypt_blob(PyObject *module, PyObject *args) - .size = PyBytes_Size(py_key), - }; - -+ GNUTLS_FIPS140_SET_LAX_MODE(); -+ - rc = gnutls_cipher_init(&cipher_hnd, - GNUTLS_CIPHER_ARCFOUR_128, - &key, - NULL); - if (rc < 0) { -+ GNUTLS_FIPS140_SET_STRICT_MODE(); -+ - talloc_free(ctx); - PyErr_Format(PyExc_OSError, "encryption failed"); - return NULL; -@@ -74,6 +78,9 @@ static PyObject *py_crypto_arcfour_crypt_blob(PyObject *module, PyObject *args) - data.data, - data.length); - gnutls_cipher_deinit(cipher_hnd); -+ -+ GNUTLS_FIPS140_SET_STRICT_MODE(); -+ - if (rc < 0) { - talloc_free(ctx); - PyErr_Format(PyExc_OSError, "encryption failed"); --- -2.23.0 - diff --git a/SOURCES/0205-param-Do-not-use-weak-crypto-for-kerberos-if-disallo.patch b/SOURCES/0205-param-Do-not-use-weak-crypto-for-kerberos-if-disallo.patch deleted file mode 100644 index c38a4c5..0000000 --- a/SOURCES/0205-param-Do-not-use-weak-crypto-for-kerberos-if-disallo.patch +++ /dev/null 
@@ -1,93 +0,0 @@ -From b018dd4ae5c176d61115b6ec7bf3e2bd19c559a4 Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Mon, 18 Nov 2019 17:30:18 +0100 -Subject: [PATCH 205/208] param: Do not use weak crypto for kerberos if - disallowed - -Signed-off-by: Andreas Schneider ---- - .../smbdotconf/security/kerberosencryptiontypes.xml | 5 +++++ - lib/param/loadparm.c | 10 ++++++++++ - source3/include/proto.h | 1 + - source3/param/loadparm.c | 9 +++++++++ - 4 files changed, 25 insertions(+) - -diff --git a/docs-xml/smbdotconf/security/kerberosencryptiontypes.xml b/docs-xml/smbdotconf/security/kerberosencryptiontypes.xml -index 2c3c6c5d5fc..5b0c1a40fcc 100644 ---- a/docs-xml/smbdotconf/security/kerberosencryptiontypes.xml -+++ b/docs-xml/smbdotconf/security/kerberosencryptiontypes.xml -@@ -2,6 +2,7 @@ - context="G" - type="enum" - enumlist="enum_kerberos_encryption_types_vals" -+ function="_kerberos_encryption_types" - xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> - - This parameter determines the encryption types to use when operating -@@ -47,6 +48,10 @@ - encryption. It is assumed of course that the weaker legacy - encryption types are acceptable for the setup. - -+ -+ If weak cryptography is not allowed by the system, then this -+ variable will be forced to strong. In this case -+ it is not possible to override this value. 
- - - all -diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c -index 83dc111c05c..41a4c110195 100644 ---- a/lib/param/loadparm.c -+++ b/lib/param/loadparm.c -@@ -96,6 +96,16 @@ int lpcfg_rpc_high_port(struct loadparm_context *lp_ctx) - return lp_ctx->globals->rpc_high_port; - } - -+int lpcfg_kerberos_encryption_types(struct loadparm_context *lp_ctx) -+{ -+ if (lpcfg_weak_crypto(lp_ctx) == SAMBA_WEAK_CRYPTO_DISALLOWED) { -+ return KERBEROS_ETYPES_STRONG; -+ } -+ -+ return lpcfg__kerberos_encryption_types(lp_ctx); -+} -+ -+ - enum samba_weak_crypto lpcfg_weak_crypto(struct loadparm_context *lp_ctx) - { - if (lp_ctx->globals->weak_crypto == SAMBA_WEAK_CRYPTO_UNKNOWN) { -diff --git a/source3/include/proto.h b/source3/include/proto.h -index 956a328b626..aaa101fc63c 100644 ---- a/source3/include/proto.h -+++ b/source3/include/proto.h -@@ -755,6 +755,7 @@ bool lp_widelinks(int ); - int lp_rpc_low_port(void); - int lp_rpc_high_port(void); - bool lp_lanman_auth(void); -+int lp_kerberos_encryption_types(void); - enum samba_weak_crypto lp_weak_crypto(void); - - int lp_wi_scan_global_parametrics( -diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c -index c1d02cf5bc6..e68140ae5f0 100644 ---- a/source3/param/loadparm.c -+++ b/source3/param/loadparm.c -@@ -4679,6 +4679,15 @@ bool lp_lanman_auth(void) - } - } - -+int lp_kerberos_encryption_types(void) -+{ -+ if (lp_weak_crypto() == SAMBA_WEAK_CRYPTO_DISALLOWED) { -+ return KERBEROS_ETYPES_STRONG; -+ } -+ -+ return lp__kerberos_encryption_types(); -+} -+ - struct loadparm_global * get_globals(void) - { - return &Globals; --- -2.23.0 - diff --git a/SOURCES/0206-param-Do-not-use-weak-crypto-in-ldap-server-if-disal.patch b/SOURCES/0206-param-Do-not-use-weak-crypto-in-ldap-server-if-disal.patch deleted file mode 100644 index a79d527..0000000 --- a/SOURCES/0206-param-Do-not-use-weak-crypto-in-ldap-server-if-disal.patch +++ /dev/null 
@@ -1,103 +0,0 @@ -From a1c732637f1ed984e1ff76fa8179d6fd3aa036fb Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Mon, 18 Nov 2019 17:42:11 +0100 -Subject: [PATCH 206/208] param: Do not use weak crypto in ldap server if - disallowed - -Signed-off-by: Andreas Schneider ---- - .../ldap/ldapserverrequirestrongauth.xml | 5 +++++ - lib/param/loadparm.c | 8 ++++++++ - source3/include/proto.h | 1 + - source3/param/loadparm.c | 14 +++++++++++++- - 4 files changed, 27 insertions(+), 1 deletion(-) - -diff --git a/docs-xml/smbdotconf/ldap/ldapserverrequirestrongauth.xml b/docs-xml/smbdotconf/ldap/ldapserverrequirestrongauth.xml -index 02bdd811491..e40ac06dfe6 100644 ---- a/docs-xml/smbdotconf/ldap/ldapserverrequirestrongauth.xml -+++ b/docs-xml/smbdotconf/ldap/ldapserverrequirestrongauth.xml -@@ -2,6 +2,7 @@ - context="G" - type="enum" - enumlist="enum_ldap_server_require_strong_auth_vals" -+ function="_ldap_server_require_strong_auth" - xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> - - -@@ -21,6 +22,10 @@ - A value of yes allows only simple binds - over TLS encrypted connections. Unencrypted connections only - allow sasl binds with sign or seal. -+ -+ If weak cryptography is not allowed by the system, then this -+ variable will default to allow_sasl_over_tls -+ and setting it to no will not have any effect. 
- - yes - -diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c -index 41a4c110195..b1497f00aaa 100644 ---- a/lib/param/loadparm.c -+++ b/lib/param/loadparm.c -@@ -105,6 +105,14 @@ int lpcfg_kerberos_encryption_types(struct loadparm_context *lp_ctx) - return lpcfg__kerberos_encryption_types(lp_ctx); - } - -+enum ldap_server_require_strong_auth lpcfg_ldap_server_require_strong_auth(struct loadparm_context *lp_ctx) -+{ -+ if (lpcfg_weak_crypto(lp_ctx) == SAMBA_WEAK_CRYPTO_DISALLOWED) { -+ return LDAP_SERVER_REQUIRE_STRONG_AUTH_YES; -+ } -+ -+ return lpcfg__ldap_server_require_strong_auth(lp_ctx); -+} - - enum samba_weak_crypto lpcfg_weak_crypto(struct loadparm_context *lp_ctx) - { -diff --git a/source3/include/proto.h b/source3/include/proto.h -index aaa101fc63c..c758c31ea67 100644 ---- a/source3/include/proto.h -+++ b/source3/include/proto.h -@@ -756,6 +756,7 @@ int lp_rpc_low_port(void); - int lp_rpc_high_port(void); - bool lp_lanman_auth(void); - int lp_kerberos_encryption_types(void); -+enum ldap_server_require_strong_auth lp_ldap_server_require_strong_auth(void); - enum samba_weak_crypto lp_weak_crypto(void); - - int lp_wi_scan_global_parametrics( -diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c -index e68140ae5f0..da2af1f9f46 100644 ---- a/source3/param/loadparm.c -+++ b/source3/param/loadparm.c -@@ -754,7 +754,7 @@ static void init_globals(struct loadparm_context *lp_ctx, bool reinit_globals) - - Globals.client_ldap_sasl_wrapping = ADS_AUTH_SASL_SIGN; - -- Globals.ldap_server_require_strong_auth = -+ Globals._ldap_server_require_strong_auth = - LDAP_SERVER_REQUIRE_STRONG_AUTH_YES; - - /* This is what we tell the afs client. 
in reality we set the token -@@ -4688,6 +4688,18 @@ int lp_kerberos_encryption_types(void) - return lp__kerberos_encryption_types(); - } - -+enum ldap_server_require_strong_auth lp_ldap_server_require_strong_auth(void) -+{ -+ enum ldap_server_require_strong_auth a = -+ lp__ldap_server_require_strong_auth(); -+ -+ if (lp_weak_crypto() == SAMBA_WEAK_CRYPTO_DISALLOWED) { -+ return MAX(a, LDAP_SERVER_REQUIRE_STRONG_AUTH_ALLOW_SASL_OVER_TLS); -+ } -+ -+ return a; -+} -+ - struct loadparm_global * get_globals(void) - { - return &Globals; --- -2.23.0 - diff --git a/SOURCES/0207-libcli-auth-If-weak-crypto-is-disallowed-reject-md5-.patch b/SOURCES/0207-libcli-auth-If-weak-crypto-is-disallowed-reject-md5-.patch deleted file mode 100644 index 906db24..0000000 --- a/SOURCES/0207-libcli-auth-If-weak-crypto-is-disallowed-reject-md5-.patch +++ /dev/null 
@@ -1,52 +0,0 @@ -From 693540a9ac017afbaeea5800f9025b75e390f53b Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Tue, 19 Nov 2019 14:52:44 +0100 -Subject: [PATCH 207/208] libcli:auth: If weak crypto is disallowed reject md5 - servers - -Signed-off-by: Andreas Schneider ---- - docs-xml/smbdotconf/winbind/rejectmd5servers.xml | 2 ++ - libcli/auth/netlogon_creds_cli.c | 6 ++++++ - 2 files changed, 8 insertions(+) - -diff --git a/docs-xml/smbdotconf/winbind/rejectmd5servers.xml b/docs-xml/smbdotconf/winbind/rejectmd5servers.xml -index 37656293aa4..e8b06615a9c 100644 ---- a/docs-xml/smbdotconf/winbind/rejectmd5servers.xml -+++ b/docs-xml/smbdotconf/winbind/rejectmd5servers.xml -@@ -16,6 +16,8 @@ - by using 'reject md5 servers:NETBIOSDOMAIN = yes' as option. - - This option takes precedence to the option. -+ -+ If weak cryptography is not allowed by the system, md5 servers will *always* be rejected. - - - no -diff --git a/libcli/auth/netlogon_creds_cli.c b/libcli/auth/netlogon_creds_cli.c -index c8f4227a924..fe453c268cf 100644 ---- a/libcli/auth/netlogon_creds_cli.c -+++ b/libcli/auth/netlogon_creds_cli.c -@@ -39,6 +39,7 @@ - #include "libds/common/roles.h" - #include "lib/crypto/md4.h" - #include "auth/credentials/credentials.h" -+#include "loadparm.h" - - struct netlogon_creds_cli_locked_state; - -@@ -303,6 +304,11 @@ NTSTATUS netlogon_creds_cli_context_global(struct loadparm_context *lp_ctx, - server_netbios_domain, - reject_md5_servers); - -+ if (lpcfg_weak_crypto(lp_ctx) == SAMBA_WEAK_CRYPTO_DISALLOWED) { -+ reject_md5_servers = true; -+ } -+ -+ - /* - * allow overwrite per domain - * require strong key: --- -2.23.0 - diff --git a/SOURCES/0208-s3-librpc-Only-use-RC4-if-our-systems-supports-it.patch b/SOURCES/0208-s3-librpc-Only-use-RC4-if-our-systems-supports-it.patch deleted file mode 100644 index 3ad0a40..0000000 --- a/SOURCES/0208-s3-librpc-Only-use-RC4-if-our-systems-supports-it.patch +++ /dev/null 
@@ -1,36 +0,0 @@ -From 88fed59d4c29b9ff7964db462ff56f1f92eedf3a Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Wed, 20 Nov 2019 11:18:21 +0100 -Subject: [PATCH 208/208] s3:librpc: Only use RC4 if our systems supports it - -Signed-off-by: Andreas Schneider ---- - source4/librpc/rpc/dcerpc_schannel.c | 5 +++++ - 1 file changed, 5 insertions(+) - -diff --git a/source4/librpc/rpc/dcerpc_schannel.c b/source4/librpc/rpc/dcerpc_schannel.c -index d12647222eb..8a82fdf60b5 100644 ---- a/source4/librpc/rpc/dcerpc_schannel.c -+++ b/source4/librpc/rpc/dcerpc_schannel.c -@@ -31,6 +31,7 @@ - #include "auth/credentials/credentials.h" - #include "librpc/rpc/dcerpc_proto.h" - #include "param/param.h" -+#include "lib/param/loadparm.h" - - struct schannel_key_state { - struct dcerpc_pipe *pipe; -@@ -341,6 +342,10 @@ static struct composite_context *dcerpc_schannel_key_send(TALLOC_CTX *mem_ctx, - s->dcerpc_schannel_auto = true; - } - -+ if (lpcfg_weak_crypto(lp_ctx) == SAMBA_WEAK_CRYPTO_DISALLOWED) { -+ s->local_negotiate_flags &= ~NETLOGON_NEG_ARCFOUR; -+ } -+ - /* type of authentication depends on schannel type */ - if (schannel_type == SEC_CHAN_RODC) { - s->local_negotiate_flags |= NETLOGON_NEG_RODC_PASSTHROUGH; --- -2.23.0 - diff --git a/SOURCES/0209-s3-rpcserver-fix-security-level-check-for-DsRGetFore.patch b/SOURCES/0209-s3-rpcserver-fix-security-level-check-for-DsRGetFore.patch deleted file mode 100644 index 90ec59d..0000000 --- a/SOURCES/0209-s3-rpcserver-fix-security-level-check-for-DsRGetFore.patch +++ /dev/null 
@@ -1,84 +0,0 @@ -From 2a7249a43c82d720191e29510db5633f3a92a08c Mon Sep 17 00:00:00 2001 -From: Alexander Bokovoy -Date: Tue, 7 Jan 2020 19:25:53 +0200 -Subject: [PATCH 209/209] s3-rpcserver: fix security level check for - DsRGetForestTrustInformation -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Harmonize _netr_DsRGetForestTrustInformation with source4/ logic which -didn't change since DCE RPC channel refactoring. - -With the current code we return RPC faul as can be seen in the logs: - -2019/12/11 17:12:55.463081, 1, pid=20939, effective(1284200000, 1284200000), real(1284200000, 0), class=rpc_parse] ../librpc/ndr/ndr.c:471(ndr_print_function_debug) - netr_DsRGetForestTrustInformation: struct netr_DsRGetForestTrustInformation - in: struct netr_DsRGetForestTrustInformation - server_name : * - server_name : '\\some-dc.example.com' - trusted_domain_name : NULL - flags : 0x00000000 (0) -[2019/12/11 17:12:55.463122, 4, pid=20939, effective(1284200000, 1284200000), real(1284200000, 0), class=rpc_srv] ../source3/rpc_server/srv_pipe.c:1561(api_rpcTNP) - api_rpcTNP: fault(5) return. 
- -This is due to this check in processing a request: - if (!(p->pipe_bound && (p->auth.auth_type != DCERPC_AUTH_TYPE_NONE) - && (p->auth.auth_level != DCERPC_AUTH_LEVEL_NONE))) { - p->fault_state = DCERPC_FAULT_ACCESS_DENIED; - return WERR_ACCESS_DENIED; - } - -and since we get AuthZ response, - - Successful AuthZ: [netlogon,ncacn_np] user [EXAMPLE]\[admin] [S-1-5-21-1234567-890123456-500] at [Wed, 11 Dec 2019 17:12:55.461164 UTC] - Remote host [ipv4:Y.Y.Y.Y:59017] local host [ipv4:X.X.X.X:445] -[2019/12/11 17:12:55.461584, 4, pid=20939, effective(0, 0), real(0, 0)] ../lib/audit_logging/audit_logging.c:141(audit_log_json) - JSON Authorization: {"timestamp": "2019-12-11T17:12:55.461491+0000", - "type": "Authorization", "Authorization": {"version": {"major": 1, "minor": 1}, - "localAddress": "ipv4:X.X.X.X:445", "remoteAddress": "ipv4:Y.Y.Y.Y:59017", - "serviceDescription": "netlogon", "authType": "ncacn_np", - "domain": "EXAMPLE", "account": "admin", "sid": "S-1-5-21-1234567-890123456-500", - "sessionId": "c5a2386f-f2cc-4241-9a9e-d104cf5859d5", "logonServer": "SOME-DC", - "transportProtection": "SMB", "accountFlags": "0x00000010"}} - -this means we are actually getting anonymous DCE/RPC access to netlogon -on top of authenticated SMB connection. In such case we have exactly -auth_type set to DCERPC_AUTH_TYPE_NONE and auth_level set to -DCERPC_AUTH_LEVEL_NONE in the pipe->auth. Thus, returning an error. - -Update the code to follow the same security level check as in s4 variant -of the call. 
- -Signed-off-by: Alexander Bokovoy -Reviewed-by: Guenther Deschner - -Autobuild-User(master): Günther Deschner -Autobuild-Date(master): Mon Jan 13 15:05:28 UTC 2020 on sn-devel-184 - -(cherry picked from commit c6d880a115095c336b8b74f45854a99abb1bbb87) ---- - source3/rpc_server/netlogon/srv_netlog_nt.c | 6 +++--- - 1 file changed, 3 insertions(+), 3 deletions(-) - -diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c -index 3dd8ecf5ca8..3fb62d3f82e 100644 ---- a/source3/rpc_server/netlogon/srv_netlog_nt.c -+++ b/source3/rpc_server/netlogon/srv_netlog_nt.c -@@ -2454,10 +2454,10 @@ WERROR _netr_DsRGetForestTrustInformation(struct pipes_struct *p, - { - NTSTATUS status; - struct lsa_ForestTrustInformation *info, **info_ptr; -+ enum security_user_level security_level; - -- if (!(p->pipe_bound && (p->auth.auth_type != DCERPC_AUTH_TYPE_NONE) -- && (p->auth.auth_level != DCERPC_AUTH_LEVEL_NONE))) { -- p->fault_state = DCERPC_FAULT_ACCESS_DENIED; -+ security_level = security_session_user_level(p->session_info, NULL); -+ if (security_level < SECURITY_USER) { - return WERR_ACCESS_DENIED; - } - --- -2.24.1 - diff --git a/SOURCES/CVE-2019-14907-4.11.patch b/SOURCES/CVE-2019-14907-4.11.patch deleted file mode 100644 index 1465ec8..0000000 --- a/SOURCES/CVE-2019-14907-4.11.patch +++ /dev/null 
@@ -1,100 +0,0 @@ -From 588b74189958630b39cb393c47495d39dead83a1 Mon Sep 17 00:00:00 2001 -From: Andrew Bartlett -Date: Fri, 29 Nov 2019 20:58:47 +1300 -Subject: [PATCH] CVE-2019-14907 lib/util: Do not print the failed to convert - string into the logs -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -The string may be in another charset, or may be sensitive and -certainly may not be terminated. It is not safe to just print. - -Found by Robert Święcki using a fuzzer he wrote for smbd. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14208 -Signed-off-by: Andrew Bartlett ---- - lib/util/charset/convert_string.c | 38 ++++++++++++++++--------------- - 1 file changed, 20 insertions(+), 18 deletions(-) - -diff --git a/lib/util/charset/convert_string.c b/lib/util/charset/convert_string.c -index d274e305a0c..b725b53cb5a 100644 ---- a/lib/util/charset/convert_string.c -+++ b/lib/util/charset/convert_string.c -@@ -293,31 +293,31 @@ bool convert_string_handle(struct smb_iconv_handle *ic, - switch(errno) { - case EINVAL: - reason="Incomplete multibyte sequence"; -- DEBUG(3,("convert_string_internal: Conversion error: %s(%s)\n", -- reason, (const char *)src)); -+ DBG_NOTICE("Conversion error: %s\n", -+ reason); - break; - case E2BIG: - { - reason="No more room"; - if (from == CH_UNIX) { -- DEBUG(3,("E2BIG: convert_string(%s,%s): srclen=%u destlen=%u - '%s' error: %s\n", -- charset_name(ic, from), charset_name(ic, to), -- (unsigned int)srclen, (unsigned int)destlen, (const char *)src, reason)); -+ DBG_NOTICE("E2BIG: convert_string(%s,%s): srclen=%u destlen=%u error: %s\n", -+ charset_name(ic, from), charset_name(ic, to), -+ (unsigned int)srclen, (unsigned int)destlen, reason); - } else { -- DEBUG(3,("E2BIG: convert_string(%s,%s): srclen=%u destlen=%u error: %s\n", -- charset_name(ic, from), charset_name(ic, to), -- (unsigned int)srclen, (unsigned int)destlen, reason)); -+ DBG_NOTICE("E2BIG: convert_string(%s,%s): srclen=%u 
destlen=%u error: %s\n", -+ charset_name(ic, from), charset_name(ic, to), -+ (unsigned int)srclen, (unsigned int)destlen, reason); - } - break; - } - case EILSEQ: - reason="Illegal multibyte sequence"; -- DEBUG(3,("convert_string_internal: Conversion error: %s(%s)\n", -- reason, (const char *)src)); -+ DBG_NOTICE("convert_string_internal: Conversion error: %s\n", -+ reason); - break; - default: -- DEBUG(0,("convert_string_internal: Conversion error: %s(%s)\n", -- reason, (const char *)src)); -+ DBG_ERR("convert_string_internal: Conversion error: %s\n", -+ reason); - break; - } - /* smb_panic(reason); */ -@@ -427,20 +427,22 @@ bool convert_string_talloc_handle(TALLOC_CTX *ctx, struct smb_iconv_handle *ic, - switch(errno) { - case EINVAL: - reason="Incomplete multibyte sequence"; -- DEBUG(3,("convert_string_talloc: Conversion error: %s(%s)\n",reason,inbuf)); -+ DBG_NOTICE("Conversion error: %s\n", -+ reason); - break; - case E2BIG: - reason = "output buffer is too small"; -- DBG_NOTICE("convert_string_talloc: " -- "Conversion error: %s(%s)\n", -- reason, inbuf); -+ DBG_NOTICE("Conversion error: %s\n", -+ reason); - break; - case EILSEQ: - reason="Illegal multibyte sequence"; -- DEBUG(3,("convert_string_talloc: Conversion error: %s(%s)\n",reason,inbuf)); -+ DBG_NOTICE("Conversion error: %s\n", -+ reason); - break; - default: -- DEBUG(0,("Conversion error: %s(%s)\n",reason,inbuf)); -+ DBG_ERR("Conversion error: %s\n", -+ reason); - break; - } - /* smb_panic(reason); */ --- -2.17.1 - diff --git a/SOURCES/dnshostname_all.patch b/SOURCES/dnshostname_all.patch new file mode 100644 index 0000000..9611cbc --- /dev/null +++ b/SOURCES/dnshostname_all.patch 
@@ -0,0 +1,986 @@ +From 881e3b47a17d7d0b3687ef26d782fc3281a8faa3 Mon Sep 17 00:00:00 2001 +From: Stefan Metzmacher +Date: Fri, 29 Nov 2019 13:48:24 +0100 +Subject: [PATCH 1/7] s3:libads: prefer ENCTYPE_AES256_CTS_HMAC_SHA1_96 in + ads_keytab_add_entry() + +This is currently not critical as we only use keytabs +only as acceptor, but in future we'll also use them +for kinit() and there we should prefer the newest type. + +Signed-off-by: Stefan Metzmacher +Reviewed-by: Andreas Schneider +--- + source3/libads/kerberos_keytab.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/source3/libads/kerberos_keytab.c b/source3/libads/kerberos_keytab.c +index 7d193e1a600..bc35d5edbe4 100644 +--- a/source3/libads/kerberos_keytab.c ++++ b/source3/libads/kerberos_keytab.c +@@ -240,11 +240,11 @@ int ads_keytab_add_entry(ADS_STRUCT *ads, const char *srvPrinc, bool update_ads) + krb5_data password; + krb5_kvno kvno; + krb5_enctype enctypes[6] = { +-#ifdef HAVE_ENCTYPE_AES128_CTS_HMAC_SHA1_96 +- ENCTYPE_AES128_CTS_HMAC_SHA1_96, +-#endif + #ifdef HAVE_ENCTYPE_AES256_CTS_HMAC_SHA1_96 + ENCTYPE_AES256_CTS_HMAC_SHA1_96, ++#endif ++#ifdef HAVE_ENCTYPE_AES128_CTS_HMAC_SHA1_96 ++ ENCTYPE_AES128_CTS_HMAC_SHA1_96, + #endif + ENCTYPE_ARCFOUR_HMAC, + 0 +-- +2.24.1 + + +From bc27267b33d989468d7d993e4db2bd9b649bd996 Mon Sep 17 00:00:00 2001 +From: Isaac Boukris +Date: Wed, 27 May 2020 16:50:45 +0200 +Subject: [PATCH 2/7] Add a test to check dNSHostName with netbios aliases + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14396 + +Signed-off-by: Isaac Boukris +Reviewed-by: Andreas Schneider +--- + selftest/knownfail.d/nb_alias_dnshostname | 2 ++ + testprogs/blackbox/test_net_ads.sh | 14 ++++++++++++++ + 2 files changed, 16 insertions(+) + create mode 100644 selftest/knownfail.d/nb_alias_dnshostname + +diff --git a/selftest/knownfail.d/nb_alias_dnshostname b/selftest/knownfail.d/nb_alias_dnshostname +new file mode 100644 +index 00000000000..3c14e9931b9 +--- /dev/null ++++ 
b/selftest/knownfail.d/nb_alias_dnshostname +@@ -0,0 +1,2 @@ ++^samba4.blackbox.net_ads.nb_alias check dNSHostName ++^samba4.blackbox.net_ads.nb_alias check main SPN +diff --git a/testprogs/blackbox/test_net_ads.sh b/testprogs/blackbox/test_net_ads.sh +index 95c0cf76f90..6073ea972f9 100755 +--- a/testprogs/blackbox/test_net_ads.sh ++++ b/testprogs/blackbox/test_net_ads.sh +@@ -220,6 +220,20 @@ testit_grep "dns alias addl" $dns_alias2 $VALGRIND $net_tool ads search -P samac + ##Goodbye... + testit "leave" $VALGRIND $net_tool ads leave -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1` + ++# netbios aliases tests ++testit "join nb_alias" $VALGRIND $net_tool --option=netbiosaliases=nb_alias1,nb_alias2 ads join -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1` ++ ++testit "testjoin nb_alias" $VALGRIND $net_tool ads testjoin || failed=`expr $failed + 1` ++ ++testit_grep "nb_alias check dNSHostName" $fqdn $VALGRIND $net_tool ads search -P samaccountname=$netbios\$ dNSHostName || failed=`expr $failed + 1` ++testit_grep "nb_alias check main SPN" ${uc_netbios}.${lc_realm} $VALGRIND $net_tool ads search -P samaccountname=$netbios\$ servicePrincipalName || failed=`expr $failed + 1` ++ ++testit_grep "nb_alias1 SPN" nb_alias1 $VALGRIND $net_tool ads search -P samaccountname=$netbios\$ servicePrincipalName || failed=`expr $failed + 1` ++testit_grep "nb_alias2 SPN" nb_alias2 $VALGRIND $net_tool ads search -P samaccountname=$netbios\$ servicePrincipalName || failed=`expr $failed + 1` ++ ++##Goodbye... 
++testit "leave" $VALGRIND $net_tool ads leave -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1` ++ + # + # Test createcomputer option of 'net ads join' + # +-- +2.24.1 + + +From f270db1ce1c0c6efc38fc467c8c0c89b13aaa479 Mon Sep 17 00:00:00 2001 +From: Isaac Boukris +Date: Wed, 27 May 2020 15:52:46 +0200 +Subject: [PATCH 3/7] Fix accidental overwrite of dnsHostName by the last + netbios alias + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14396 + +Signed-off-by: Isaac Boukris +Reviewed-by: Andreas Schneider +--- + selftest/knownfail.d/nb_alias_dnshostname | 2 -- + source3/libnet/libnet_join.c | 5 +++-- + 2 files changed, 3 insertions(+), 4 deletions(-) + delete mode 100644 selftest/knownfail.d/nb_alias_dnshostname + +diff --git a/selftest/knownfail.d/nb_alias_dnshostname b/selftest/knownfail.d/nb_alias_dnshostname +deleted file mode 100644 +index 3c14e9931b9..00000000000 +--- a/selftest/knownfail.d/nb_alias_dnshostname ++++ /dev/null +@@ -1,2 +0,0 @@ +-^samba4.blackbox.net_ads.nb_alias check dNSHostName +-^samba4.blackbox.net_ads.nb_alias check main SPN +diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c +index eb8e0ea17f7..22162186f61 100644 +--- a/source3/libnet/libnet_join.c ++++ b/source3/libnet/libnet_join.c +@@ -507,6 +507,7 @@ static ADS_STATUS libnet_join_set_machine_spn(TALLOC_CTX *mem_ctx, + ADS_STATUS status; + ADS_MODLIST mods; + fstring my_fqdn; ++ fstring my_alias; + const char **spn_array = NULL; + size_t num_spns = 0; + char *spn = NULL; +@@ -587,11 +588,11 @@ static ADS_STATUS libnet_join_set_machine_spn(TALLOC_CTX *mem_ctx, + /* + * Add HOST/netbiosname.domainname + */ +- fstr_sprintf(my_fqdn, "%s.%s", ++ fstr_sprintf(my_alias, "%s.%s", + *netbios_aliases, + lp_dnsdomain()); + +- spn = talloc_asprintf(frame, "HOST/%s", my_fqdn); ++ spn = talloc_asprintf(frame, "HOST/%s", my_alias); + if (spn == NULL) { + status = ADS_ERROR_LDAP(LDAP_NO_MEMORY); + goto done; +-- +2.24.1 + + +From 
3ab241317947fbb6b75060f67c47e57be6fb1459 Mon Sep 17 00:00:00 2001 +From: Isaac Boukris +Date: Wed, 27 May 2020 13:25:17 +0200 +Subject: [PATCH 4/7] Refactor ads_keytab_add_entry() to make it iterable + +so we can more easily add msDS-AdditionalDnsHostName entries. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14396 + +Signed-off-by: Isaac Boukris +Reviewed-by: Andreas Schneider +--- + source3/libads/kerberos_keytab.c | 197 +++++++++++++++++-------------- + 1 file changed, 107 insertions(+), 90 deletions(-) + +diff --git a/source3/libads/kerberos_keytab.c b/source3/libads/kerberos_keytab.c +index bc35d5edbe4..c46e98a4270 100644 +--- a/source3/libads/kerberos_keytab.c ++++ b/source3/libads/kerberos_keytab.c +@@ -228,18 +228,16 @@ out: + return ok; + } + +-/********************************************************************** +- Adds a single service principal, i.e. 'host' to the system keytab +-***********************************************************************/ +- +-int ads_keytab_add_entry(ADS_STRUCT *ads, const char *srvPrinc, bool update_ads) ++static int add_kt_entry_etypes(krb5_context context, TALLOC_CTX *tmpctx, ++ ADS_STRUCT *ads, const char *salt_princ_s, ++ krb5_keytab keytab, krb5_kvno kvno, ++ const char *srvPrinc, const char *my_fqdn, ++ krb5_data *password, bool update_ads) + { + krb5_error_code ret = 0; +- krb5_context context = NULL; +- krb5_keytab keytab = NULL; +- krb5_data password; +- krb5_kvno kvno; +- krb5_enctype enctypes[6] = { ++ char *princ_s = NULL; ++ char *short_princ_s = NULL; ++ krb5_enctype enctypes[4] = { + #ifdef HAVE_ENCTYPE_AES256_CTS_HMAC_SHA1_96 + ENCTYPE_AES256_CTS_HMAC_SHA1_96, + #endif +@@ -249,65 +247,7 @@ int ads_keytab_add_entry(ADS_STRUCT *ads, const char *srvPrinc, bool update_ads) + ENCTYPE_ARCFOUR_HMAC, + 0 + }; +- char *princ_s = NULL; +- char *short_princ_s = NULL; +- char *salt_princ_s = NULL; +- char *password_s = NULL; +- char *my_fqdn; +- TALLOC_CTX *tmpctx = NULL; +- int i; +- +- ret = 
smb_krb5_init_context_common(&context); +- if (ret) { +- DBG_ERR("kerberos init context failed (%s)\n", +- error_message(ret)); +- return -1; +- } +- +- ret = ads_keytab_open(context, &keytab); +- if (ret != 0) { +- goto out; +- } +- +- /* retrieve the password */ +- if (!secrets_init()) { +- DEBUG(1, (__location__ ": secrets_init failed\n")); +- ret = -1; +- goto out; +- } +- password_s = secrets_fetch_machine_password(lp_workgroup(), NULL, NULL); +- if (!password_s) { +- DEBUG(1, (__location__ ": failed to fetch machine password\n")); +- ret = -1; +- goto out; +- } +- ZERO_STRUCT(password); +- password.data = password_s; +- password.length = strlen(password_s); +- +- /* we need the dNSHostName value here */ +- tmpctx = talloc_init(__location__); +- if (!tmpctx) { +- DEBUG(0, (__location__ ": talloc_init() failed!\n")); +- ret = -1; +- goto out; +- } +- +- my_fqdn = ads_get_dnshostname(ads, tmpctx, lp_netbios_name()); +- if (!my_fqdn) { +- DEBUG(0, (__location__ ": unable to determine machine " +- "account's dns name in AD!\n")); +- ret = -1; +- goto out; +- } +- +- /* make sure we have a single instance of a the computer account */ +- if (!ads_has_samaccountname(ads, tmpctx, lp_netbios_name())) { +- DEBUG(0, (__location__ ": unable to determine machine " +- "account's short name in AD!\n")); +- ret = -1; +- goto out; +- } ++ size_t i; + + /* Construct our principal */ + if (strchr_m(srvPrinc, '@')) { +@@ -356,22 +296,6 @@ int ads_keytab_add_entry(ADS_STRUCT *ads, const char *srvPrinc, bool update_ads) + } + } + +- kvno = (krb5_kvno)ads_get_machine_kvno(ads, lp_netbios_name()); +- if (kvno == -1) { +- /* -1 indicates failure, everything else is OK */ +- DEBUG(1, (__location__ ": ads_get_machine_kvno failed to " +- "determine the system's kvno.\n")); +- ret = -1; +- goto out; +- } +- +- salt_princ_s = kerberos_secrets_fetch_salt_princ(); +- if (salt_princ_s == NULL) { +- DBG_WARNING("kerberos_secrets_fetch_salt_princ() failed\n"); +- ret = -1; +- goto out; +- } +- 
+ for (i = 0; enctypes[i]; i++) { + + /* add the fqdn principal to the keytab */ +@@ -381,11 +305,11 @@ int ads_keytab_add_entry(ADS_STRUCT *ads, const char *srvPrinc, bool update_ads) + princ_s, + salt_princ_s, + enctypes[i], +- &password, ++ password, + false, + false); + if (ret) { +- DEBUG(1, (__location__ ": Failed to add entry to keytab\n")); ++ DBG_WARNING("Failed to add entry to keytab\n"); + goto out; + } + +@@ -397,16 +321,109 @@ int ads_keytab_add_entry(ADS_STRUCT *ads, const char *srvPrinc, bool update_ads) + short_princ_s, + salt_princ_s, + enctypes[i], +- &password, ++ password, + false, + false); + if (ret) { +- DEBUG(1, (__location__ +- ": Failed to add short entry to keytab\n")); ++ DBG_WARNING("Failed to add short entry to keytab\n"); + goto out; + } + } + } ++out: ++ return ret; ++} ++ ++/********************************************************************** ++ Adds a single service principal, i.e. 'host' to the system keytab ++***********************************************************************/ ++ ++int ads_keytab_add_entry(ADS_STRUCT *ads, const char *srvPrinc, bool update_ads) ++{ ++ krb5_error_code ret = 0; ++ krb5_context context = NULL; ++ krb5_keytab keytab = NULL; ++ krb5_data password; ++ krb5_kvno kvno; ++ char *salt_princ_s = NULL; ++ char *password_s = NULL; ++ char *my_fqdn; ++ TALLOC_CTX *tmpctx = NULL; ++ ++ ret = smb_krb5_init_context_common(&context); ++ if (ret) { ++ DBG_ERR("kerberos init context failed (%s)\n", ++ error_message(ret)); ++ return -1; ++ } ++ ++ ret = ads_keytab_open(context, &keytab); ++ if (ret != 0) { ++ goto out; ++ } ++ ++ /* retrieve the password */ ++ if (!secrets_init()) { ++ DBG_WARNING("secrets_init failed\n"); ++ ret = -1; ++ goto out; ++ } ++ password_s = secrets_fetch_machine_password(lp_workgroup(), NULL, NULL); ++ if (!password_s) { ++ DBG_WARNING("failed to fetch machine password\n"); ++ ret = -1; ++ goto out; ++ } ++ ZERO_STRUCT(password); ++ password.data = password_s; ++ password.length = 
strlen(password_s); ++ ++ /* we need the dNSHostName value here */ ++ tmpctx = talloc_init(__location__); ++ if (!tmpctx) { ++ DBG_ERR("talloc_init() failed!\n"); ++ ret = -1; ++ goto out; ++ } ++ ++ my_fqdn = ads_get_dnshostname(ads, tmpctx, lp_netbios_name()); ++ if (!my_fqdn) { ++ DBG_ERR("unable to determine machine account's dns name in " ++ "AD!\n"); ++ ret = -1; ++ goto out; ++ } ++ ++ /* make sure we have a single instance of a the computer account */ ++ if (!ads_has_samaccountname(ads, tmpctx, lp_netbios_name())) { ++ DBG_ERR("unable to determine machine account's short name in " ++ "AD!\n"); ++ ret = -1; ++ goto out; ++ } ++ ++ kvno = (krb5_kvno)ads_get_machine_kvno(ads, lp_netbios_name()); ++ if (kvno == -1) { ++ /* -1 indicates failure, everything else is OK */ ++ DBG_WARNING("ads_get_machine_kvno failed to determine the " ++ "system's kvno.\n"); ++ ret = -1; ++ goto out; ++ } ++ ++ salt_princ_s = kerberos_secrets_fetch_salt_princ(); ++ if (salt_princ_s == NULL) { ++ DBG_WARNING("kerberos_secrets_fetch_salt_princ() failed\n"); ++ ret = -1; ++ goto out; ++ } ++ ++ ret = add_kt_entry_etypes(context, tmpctx, ads, salt_princ_s, keytab, ++ kvno, srvPrinc, my_fqdn, &password, ++ update_ads); ++ if (ret != 0) { ++ goto out; ++ } + + out: + SAFE_FREE(salt_princ_s); +-- +2.24.1 + + +From 42936021a1af2214b7a43f56f67d4c130fdde080 Mon Sep 17 00:00:00 2001 +From: Isaac Boukris +Date: Wed, 27 May 2020 17:55:12 +0200 +Subject: [PATCH 5/7] Add a test for msDS-AdditionalDnsHostName entries in + keytab + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14396 + +Signed-off-by: Isaac Boukris +Reviewed-by: Andreas Schneider +--- + selftest/knownfail.d/dns_alias_keytab | 2 ++ + testprogs/blackbox/test_net_ads.sh | 9 +++++++++ + 2 files changed, 11 insertions(+) + create mode 100644 selftest/knownfail.d/dns_alias_keytab + +diff --git a/selftest/knownfail.d/dns_alias_keytab b/selftest/knownfail.d/dns_alias_keytab +new file mode 100644 +index 00000000000..216592e1210 +--- 
/dev/null ++++ b/selftest/knownfail.d/dns_alias_keytab +@@ -0,0 +1,2 @@ ++^samba4.blackbox.net_ads.dns alias1 check keytab ++^samba4.blackbox.net_ads.dns alias2 check keytab +diff --git a/testprogs/blackbox/test_net_ads.sh b/testprogs/blackbox/test_net_ads.sh +index 6073ea972f9..a40b477a173 100755 +--- a/testprogs/blackbox/test_net_ads.sh ++++ b/testprogs/blackbox/test_net_ads.sh +@@ -217,6 +217,15 @@ testit_grep "dns alias SPN" $dns_alias2 $VALGRIND $net_tool ads search -P samacc + testit_grep "dns alias addl" $dns_alias1 $VALGRIND $net_tool ads search -P samaccountname=$netbios\$ msDS-AdditionalDnsHostName || failed=`expr $failed + 1` + testit_grep "dns alias addl" $dns_alias2 $VALGRIND $net_tool ads search -P samaccountname=$netbios\$ msDS-AdditionalDnsHostName || failed=`expr $failed + 1` + ++dedicated_keytab_file="$PREFIX_ABS/test_dns_aliases_dedicated_krb5.keytab" ++ ++testit "dns alias create_keytab" $VALGRIND $net_tool ads keytab create --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" || failed=`expr $failed + 1` ++ ++testit_grep "dns alias1 check keytab" "host/${dns_alias1}@$REALM" $net_tool ads keytab list --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" || failed=`expr $failed + 1` ++testit_grep "dns alias2 check keytab" "host/${dns_alias2}@$REALM" $net_tool ads keytab list --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" || failed=`expr $failed + 1` ++ ++rm -f $dedicated_keytab_file ++ + ##Goodbye... 
+ testit "leave" $VALGRIND $net_tool ads leave -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1` + +-- +2.24.1 + + +From f45843d11260e10c88bea1d21314093c77ff07a0 Mon Sep 17 00:00:00 2001 +From: Isaac Boukris +Date: Wed, 27 May 2020 15:36:28 +0200 +Subject: [PATCH 6/7] Add msDS-AdditionalDnsHostName entries to the keytab + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14396 + +Signed-off-by: Isaac Boukris +Reviewed-by: Andreas Schneider +--- + selftest/knownfail.d/dns_alias_keytab | 2 -- + source3/libads/ads_proto.h | 5 +++ + source3/libads/kerberos_keytab.c | 21 +++++++++++++ + source3/libads/ldap.c | 45 +++++++++++++++++++++++++++ + 4 files changed, 71 insertions(+), 2 deletions(-) + delete mode 100644 selftest/knownfail.d/dns_alias_keytab + +diff --git a/selftest/knownfail.d/dns_alias_keytab b/selftest/knownfail.d/dns_alias_keytab +deleted file mode 100644 +index 216592e1210..00000000000 +--- a/selftest/knownfail.d/dns_alias_keytab ++++ /dev/null +@@ -1,2 +0,0 @@ +-^samba4.blackbox.net_ads.dns alias1 check keytab +-^samba4.blackbox.net_ads.dns alias2 check keytab +diff --git a/source3/libads/ads_proto.h b/source3/libads/ads_proto.h +index 495ef5d3325..cd9c1082681 100644 +--- a/source3/libads/ads_proto.h ++++ b/source3/libads/ads_proto.h +@@ -137,6 +137,11 @@ ADS_STATUS ads_get_sid_from_extended_dn(TALLOC_CTX *mem_ctx, + enum ads_extended_dn_flags flags, + struct dom_sid *sid); + char* ads_get_dnshostname( ADS_STRUCT *ads, TALLOC_CTX *ctx, const char *machine_name ); ++ADS_STATUS ads_get_additional_dns_hostnames(TALLOC_CTX *mem_ctx, ++ ADS_STRUCT *ads, ++ const char *machine_name, ++ char ***hostnames_array, ++ size_t *num_hostnames); + char* ads_get_upn( ADS_STRUCT *ads, TALLOC_CTX *ctx, const char *machine_name ); + bool ads_has_samaccountname( ADS_STRUCT *ads, TALLOC_CTX *ctx, const char *machine_name ); + ADS_STATUS ads_join_realm(ADS_STRUCT *ads, const char *machine_name, +diff --git a/source3/libads/kerberos_keytab.c 
b/source3/libads/kerberos_keytab.c +index c46e98a4270..da363741d10 100644 +--- a/source3/libads/kerberos_keytab.c ++++ b/source3/libads/kerberos_keytab.c +@@ -349,6 +349,8 @@ int ads_keytab_add_entry(ADS_STRUCT *ads, const char *srvPrinc, bool update_ads) + char *password_s = NULL; + char *my_fqdn; + TALLOC_CTX *tmpctx = NULL; ++ char **hostnames_array = NULL; ++ size_t num_hostnames = 0; + + ret = smb_krb5_init_context_common(&context); + if (ret) { +@@ -425,6 +427,25 @@ int ads_keytab_add_entry(ADS_STRUCT *ads, const char *srvPrinc, bool update_ads) + goto out; + } + ++ if (ADS_ERR_OK(ads_get_additional_dns_hostnames(tmpctx, ads, ++ lp_netbios_name(), ++ &hostnames_array, ++ &num_hostnames))) { ++ size_t i; ++ ++ for (i = 0; i < num_hostnames; i++) { ++ ++ ret = add_kt_entry_etypes(context, tmpctx, ads, ++ salt_princ_s, keytab, ++ kvno, srvPrinc, ++ hostnames_array[i], ++ &password, update_ads); ++ if (ret != 0) { ++ goto out; ++ } ++ } ++ } ++ + out: + SAFE_FREE(salt_princ_s); + TALLOC_FREE(tmpctx); +diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c +index f0fcf9fcd56..f6fde5e19e1 100755 +--- a/source3/libads/ldap.c ++++ b/source3/libads/ldap.c +@@ -1377,6 +1377,7 @@ char *ads_parent_dn(const char *dn) + "unicodePwd", + + /* Additional attributes Samba checks */ ++ "msDS-AdditionalDnsHostName", + "msDS-SupportedEncryptionTypes", + "nTSecurityDescriptor", + +@@ -3668,6 +3669,50 @@ out: + /******************************************************************** + ********************************************************************/ + ++ADS_STATUS ads_get_additional_dns_hostnames(TALLOC_CTX *mem_ctx, ++ ADS_STRUCT *ads, ++ const char *machine_name, ++ char ***hostnames_array, ++ size_t *num_hostnames) ++{ ++ ADS_STATUS status; ++ LDAPMessage *res = NULL; ++ int count; ++ ++ status = ads_find_machine_acct(ads, ++ &res, ++ machine_name); ++ if (!ADS_ERR_OK(status)) { ++ DEBUG(1,("Host Account for %s not found... 
skipping operation.\n", ++ machine_name)); ++ return status; ++ } ++ ++ count = ads_count_replies(ads, res); ++ if (count != 1) { ++ status = ADS_ERROR(LDAP_NO_SUCH_OBJECT); ++ goto done; ++ } ++ ++ *hostnames_array = ads_pull_strings(ads, mem_ctx, res, ++ "msDS-AdditionalDnsHostName", ++ num_hostnames); ++ if (*hostnames_array == NULL) { ++ DEBUG(1, ("Host account for %s does not have msDS-AdditionalDnsHostName.\n", ++ machine_name)); ++ status = ADS_ERROR(LDAP_NO_SUCH_OBJECT); ++ goto done; ++ } ++ ++done: ++ ads_msgfree(ads, res); ++ ++ return status; ++} ++ ++/******************************************************************** ++********************************************************************/ ++ + char* ads_get_upn( ADS_STRUCT *ads, TALLOC_CTX *ctx, const char *machine_name ) + { + LDAPMessage *res = NULL; +-- +2.24.1 + + +From f039d0ae9f1a2f110d1b73dc4ee41aa030efe06e Mon Sep 17 00:00:00 2001 +From: Isaac Boukris +Date: Wed, 27 May 2020 15:54:12 +0200 +Subject: [PATCH 7/7] Add net-ads-join dnshostname=fqdn option + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14396 + +Signed-off-by: Isaac Boukris +Reviewed-by: Andreas Schneider + +Autobuild-User(master): Andreas Schneider +Autobuild-Date(master): Fri May 29 13:33:28 UTC 2020 on sn-devel-184 +--- + docs-xml/manpages/net.8.xml | 7 ++++++- + source3/libnet/libnet_join.c | 7 ++++++- + source3/librpc/idl/libnet_join.idl | 1 + + source3/utils/net_ads.c | 9 ++++++++- + testprogs/blackbox/test_net_ads.sh | 15 +++++++++++++++ + 5 files changed, 36 insertions(+), 3 deletions(-) + +diff --git a/docs-xml/manpages/net.8.xml b/docs-xml/manpages/net.8.xml +index 37dd30b7864..cbab9c63a5e 100644 +--- a/docs-xml/manpages/net.8.xml ++++ b/docs-xml/manpages/net.8.xml +@@ -481,7 +481,7 @@ The remote server must be specified with the -S option. 
+ + + [RPC|ADS] JOIN [TYPE] [--no-dns-updates] [-U username[%password]] +-[createupn=UPN] [createcomputer=OU] [machinepass=PASS] ++[dnshostname=FQDN] [createupn=UPN] [createcomputer=OU] [machinepass=PASS] + [osName=string osVer=string] [options] + + +@@ -496,6 +496,11 @@ be created. + joining the domain. + + ++ ++[FQDN] (ADS only) set the dnsHosName attribute during the join. ++The default format is netbiosname.dnsdomain. ++ ++ + + [UPN] (ADS only) set the principalname attribute during the join. The default + format is host/netbiosname@REALM. +diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c +index 22162186f61..a087587bba7 100644 +--- a/source3/libnet/libnet_join.c ++++ b/source3/libnet/libnet_join.c +@@ -546,7 +546,12 @@ static ADS_STATUS libnet_join_set_machine_spn(TALLOC_CTX *mem_ctx, + goto done; + } + +- fstr_sprintf(my_fqdn, "%s.%s", r->in.machine_name, lp_dnsdomain()); ++ if (r->in.dnshostname != NULL) { ++ fstr_sprintf(my_fqdn, "%s", r->in.dnshostname); ++ } else { ++ fstr_sprintf(my_fqdn, "%s.%s", r->in.machine_name, ++ lp_dnsdomain()); ++ } + + if (!strlower_m(my_fqdn)) { + status = ADS_ERROR_LDAP(LDAP_NO_MEMORY); +diff --git a/source3/librpc/idl/libnet_join.idl b/source3/librpc/idl/libnet_join.idl +index e45034d40da..03d919863b5 100644 +--- a/source3/librpc/idl/libnet_join.idl ++++ b/source3/librpc/idl/libnet_join.idl +@@ -37,6 +37,7 @@ interface libnetjoin + [in] string os_servicepack, + [in] boolean8 create_upn, + [in] string upn, ++ [in] string dnshostname, + [in] boolean8 modify_config, + [in,unique] ads_struct *ads, + [in] boolean8 debug, +diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c +index 95a6ed74b78..dd3c650be8b 100644 +--- a/source3/utils/net_ads.c ++++ b/source3/utils/net_ads.c +@@ -1710,6 +1710,8 @@ static int net_ads_join_usage(struct net_context *c, int argc, const char **argv + { + d_printf(_("net ads join [--no-dns-updates] [options]\n" + "Valid options:\n")); ++ d_printf(_(" dnshostname=FQDN Set 
the dnsHostName attribute during the join.\n" ++ " The default is in the form netbiosname.dnsdomain\n")); + d_printf(_(" createupn[=UPN] Set the userPrincipalName attribute during the join.\n" + " The default UPN is in the form host/netbiosname@REALM.\n")); + d_printf(_(" createcomputer=OU Precreate the computer account in a specific OU.\n" +@@ -1830,6 +1832,7 @@ int net_ads_join(struct net_context *c, int argc, const char **argv) + const char *domain = lp_realm(); + WERROR werr = WERR_NERR_SETUPNOTJOINED; + bool createupn = false; ++ const char *dnshostname = NULL; + const char *machineupn = NULL; + const char *machine_password = NULL; + const char *create_in_ou = NULL; +@@ -1870,7 +1873,10 @@ int net_ads_join(struct net_context *c, int argc, const char **argv) + /* process additional command line args */ + + for ( i=0; iin.domain_name_type = domain_name_type; + r->in.create_upn = createupn; + r->in.upn = machineupn; ++ r->in.dnshostname = dnshostname; + r->in.account_ou = create_in_ou; + r->in.os_name = os_name; + r->in.os_version = os_version; +diff --git a/testprogs/blackbox/test_net_ads.sh b/testprogs/blackbox/test_net_ads.sh +index a40b477a173..85257f445d8 100755 +--- a/testprogs/blackbox/test_net_ads.sh ++++ b/testprogs/blackbox/test_net_ads.sh +@@ -277,6 +277,21 @@ rm -f $dedicated_keytab_file + + testit "leave+createupn" $VALGRIND $net_tool ads leave -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1` + ++# ++# Test dnshostname option of 'net ads join' ++# ++testit "join+dnshostname" $VALGRIND $net_tool ads join -U$DC_USERNAME%$DC_PASSWORD dnshostname="alt.hostname.$HOSTNAME" || failed=`expr $failed + 1` ++ ++testit_grep "check dnshostname opt" "dNSHostName: alt.hostname.$HOSTNAME" $ldbsearch -U$DC_USERNAME%$DC_PASSWORD -H ldap://$SERVER.$REALM -s base -b "CN=$HOSTNAME,CN=Computers,$base_dn" || failed=`expr $failed + 1` ++ ++testit "create_keytab+dnshostname" $VALGRIND $net_tool ads keytab create --option="kerberosmethod=dedicatedkeytab" 
--option="dedicatedkeytabfile=$dedicated_keytab_file" || failed=`expr $failed + 1` ++ ++testit_grep "check dnshostname+keytab" "host/alt.hostname.$HOSTNAME@$REALM" $net_tool ads keytab list --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" || failed=`expr $failed + 1` ++ ++rm -f $dedicated_keytab_file ++ ++testit "leave+dnshostname" $VALGRIND $net_tool ads leave -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1` ++ + rm -rf $BASEDIR/$WORKDIR + + exit $failed +-- +2.24.1 + +From e5fde8987d365631c5c8b5efc1f5d1a0fc73861d Mon Sep 17 00:00:00 2001 +From: Isaac Boukris +Date: Thu, 11 Jun 2020 21:05:07 +0300 +Subject: [PATCH 1/4] Fix a typo in recent net man page changes + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14406 + +Signed-off-by: Isaac Boukris +Reviewed-by: Andreas Schneider +--- + docs-xml/manpages/net.8.xml | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/docs-xml/manpages/net.8.xml b/docs-xml/manpages/net.8.xml +index cbab9c63a5e..951ddcd7c3a 100644 +--- a/docs-xml/manpages/net.8.xml ++++ b/docs-xml/manpages/net.8.xml +@@ -497,7 +497,7 @@ joining the domain. + + + +-[FQDN] (ADS only) set the dnsHosName attribute during the join. ++[FQDN] (ADS only) set the dnsHostName attribute during the join. + The default format is netbiosname.dnsdomain. + + +-- +2.25.4 + + +From 626fe6a01845692b652fb3ae2119d9defbc6f173 Mon Sep 17 00:00:00 2001 +From: Isaac Boukris +Date: Tue, 16 Jun 2020 22:01:49 +0300 +Subject: [PATCH 2/4] selftest: add tests for binary msDS-AdditionalDnsHostName + +Like the short names added implicitly by Windows DC. 
+ +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14406 + +Signed-off-by: Isaac Boukris +Reviewed-by: Andreas Schneider +--- + selftest/knownfail.d/binary_addl_hostname | 3 +++ + testprogs/blackbox/test_net_ads.sh | 22 ++++++++++++++++++++++ + 2 files changed, 25 insertions(+) + create mode 100644 selftest/knownfail.d/binary_addl_hostname + +diff --git a/selftest/knownfail.d/binary_addl_hostname b/selftest/knownfail.d/binary_addl_hostname +new file mode 100644 +index 00000000000..559db1df507 +--- /dev/null ++++ b/selftest/knownfail.d/binary_addl_hostname +@@ -0,0 +1,3 @@ ++^samba4.blackbox.net_ads.dns alias1 check keytab ++^samba4.blackbox.net_ads.dns alias2 check keytab ++^samba4.blackbox.net_ads.addl short check keytab +diff --git a/testprogs/blackbox/test_net_ads.sh b/testprogs/blackbox/test_net_ads.sh +index 85257f445d8..eef4a31a6a7 100755 +--- a/testprogs/blackbox/test_net_ads.sh ++++ b/testprogs/blackbox/test_net_ads.sh +@@ -41,6 +41,11 @@ if [ -x "$BINDIR/ldbdel" ]; then + ldbdel="$BINDIR/ldbdel" + fi + ++ldbmodify="ldbmodify" ++if [ -x "$BINDIR/ldbmodify" ]; then ++ ldbmodify="$BINDIR/ldbmodify" ++fi ++ + # Load test functions + . 
`dirname $0`/subunit.sh + +@@ -217,12 +222,29 @@ testit_grep "dns alias SPN" $dns_alias2 $VALGRIND $net_tool ads search -P samacc + testit_grep "dns alias addl" $dns_alias1 $VALGRIND $net_tool ads search -P samaccountname=$netbios\$ msDS-AdditionalDnsHostName || failed=`expr $failed + 1` + testit_grep "dns alias addl" $dns_alias2 $VALGRIND $net_tool ads search -P samaccountname=$netbios\$ msDS-AdditionalDnsHostName || failed=`expr $failed + 1` + ++# Test binary msDS-AdditionalDnsHostName like ones added by Windows DC ++short_alias_file="$PREFIX_ABS/short_alias_file" ++printf 'short_alias\0$' > $short_alias_file ++cat > $PREFIX_ABS/tmpldbmodify < +Date: Thu, 11 Jun 2020 16:51:27 +0300 +Subject: [PATCH 3/4] Properly handle msDS-AdditionalDnsHostName returned from + Windows DC + +Windows DC adds short names for each specified msDS-AdditionalDnsHostName +attribute, but these have a suffix of "\0$" and thus fail with +ldap_get_values(), use ldap_get_values_len() instead. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14406 + +Signed-off-by: Isaac Boukris +Reviewed-by: Andreas Schneider +--- + selftest/knownfail.d/binary_addl_hostname | 3 -- + source3/libads/ldap.c | 38 +++++++++++++++++++++-- + 2 files changed, 35 insertions(+), 6 deletions(-) + delete mode 100644 selftest/knownfail.d/binary_addl_hostname + +diff --git a/selftest/knownfail.d/binary_addl_hostname b/selftest/knownfail.d/binary_addl_hostname +deleted file mode 100644 +index 559db1df507..00000000000 +--- a/selftest/knownfail.d/binary_addl_hostname ++++ /dev/null +@@ -1,3 +0,0 @@ +-^samba4.blackbox.net_ads.dns alias1 check keytab +-^samba4.blackbox.net_ads.dns alias2 check keytab +-^samba4.blackbox.net_ads.addl short check keytab +diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c +index f6fde5e19e1..ed52d4a969e 100755 +--- a/source3/libads/ldap.c ++++ b/source3/libads/ldap.c +@@ -3669,6 +3669,40 @@ out: + /******************************************************************** + 
********************************************************************/ + ++static char **get_addl_hosts(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx, ++ LDAPMessage *msg, size_t *num_values) ++{ ++ const char *field = "msDS-AdditionalDnsHostName"; ++ struct berval **values = NULL; ++ char **ret = NULL; ++ size_t i, converted_size; ++ ++ values = ldap_get_values_len(ads->ldap.ld, msg, field); ++ if (values == NULL) { ++ return NULL; ++ } ++ ++ *num_values = ldap_count_values_len(values); ++ ++ ret = talloc_array(mem_ctx, char *, *num_values + 1); ++ if (ret == NULL) { ++ ldap_value_free_len(values); ++ return NULL; ++ } ++ ++ for (i = 0; i < *num_values; i++) { ++ if (!pull_utf8_talloc(mem_ctx, &ret[i], values[i]->bv_val, ++ &converted_size)) { ++ ldap_value_free_len(values); ++ return NULL; ++ } ++ } ++ ret[i] = NULL; ++ ++ ldap_value_free_len(values); ++ return ret; ++} ++ + ADS_STATUS ads_get_additional_dns_hostnames(TALLOC_CTX *mem_ctx, + ADS_STRUCT *ads, + const char *machine_name, +@@ -3694,9 +3728,7 @@ ADS_STATUS ads_get_additional_dns_hostnames(TALLOC_CTX *mem_ctx, + goto done; + } + +- *hostnames_array = ads_pull_strings(ads, mem_ctx, res, +- "msDS-AdditionalDnsHostName", +- num_hostnames); ++ *hostnames_array = get_addl_hosts(ads, mem_ctx, res, num_hostnames); + if (*hostnames_array == NULL) { + DEBUG(1, ("Host account for %s does not have msDS-AdditionalDnsHostName.\n", + machine_name)); +-- +2.25.4 + + +From bb712cccd55b8a68865f72ebe48bdceae9995a94 Mon Sep 17 00:00:00 2001 +From: Isaac Boukris +Date: Sat, 20 Jun 2020 17:17:33 +0200 +Subject: [PATCH 4/4] Fix usage of ldap_get_values_len for + msDS-AdditionalDnsHostName + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14406 + +Signed-off-by: Isaac Boukris +Reviewed-by: Andreas Schneider + +Autobuild-User(master): Andreas Schneider +Autobuild-Date(master): Mon Jun 22 09:59:04 UTC 2020 on sn-devel-184 +--- + source3/libads/ldap.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git 
a/source3/libads/ldap.c b/source3/libads/ldap.c +index ed52d4a969e..7ef7e7e8420 100755 +--- a/source3/libads/ldap.c ++++ b/source3/libads/ldap.c +@@ -3691,8 +3691,12 @@ static char **get_addl_hosts(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx, + } + + for (i = 0; i < *num_values; i++) { +- if (!pull_utf8_talloc(mem_ctx, &ret[i], values[i]->bv_val, +- &converted_size)) { ++ ret[i] = NULL; ++ if (!convert_string_talloc(mem_ctx, CH_UTF8, CH_UNIX, ++ values[i]->bv_val, ++ strnlen(values[i]->bv_val, ++ values[i]->bv_len), ++ &ret[i], &converted_size)) { + ldap_value_free_len(values); + return NULL; + } +-- +2.25.4 + diff --git a/SOURCES/krb5_no_des_411.patch b/SOURCES/krb5_no_des_411.patch deleted file mode 100644 index 0fd1286..0000000 --- a/SOURCES/krb5_no_des_411.patch +++ /dev/null 
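Review bot: The command-line `dnshostname=` value added in patch 7/7 of this file reaches `fstr_sprintf(my_fqdn, "%s", r->in.dnshostname)` in libnet_join_set_machine_spn with no check of its form, and from there it becomes both the dNSHostName attribute and the `HOST/<fqdn>` SPN, so a value containing `/`, `@` or whitespace registers a malformed principal in AD, and one longer than an fstring is presumably truncated silently by fstr_sprintf. A guard before the copy, in the style the function already uses for errors, e.g. `if (strpbrk(r->in.dnshostname, "/@ \t") != NULL || strlen(r->in.dnshostname) >= sizeof(my_fqdn)) { status = ADS_ERROR_LDAP(LDAP_INVALID_SYNTAX); goto done; }`, would reject it at join time rather than after the SPN has been written. Separately, in ads_keytab_add_entry (patch 6/7) a failing `ads_get_additional_dns_hostnames()` is skipped without any log line, and after patch 4/4 `get_addl_hosts()` returns NULL both when the attribute is absent and when a value fails conversion, while the caller's DEBUG message reports only the former; a `DBG_INFO` in an else branch and a distinct message for the conversion failure would make a keytab that quietly lacks alias entries diagnosable. The C functions these nested hunks touch start and end outside the quoted fragments.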
@@ -1,613 +0,0 @@ -From d8c48f3773d72a5e36bb46a1c09ba11fc64ae38d Mon Sep 17 00:00:00 2001 -From: Isaac Boukris -Date: Wed, 6 Nov 2019 09:17:52 +0100 -Subject: [PATCH 01/10] selftest/remote_pac: remove - test_PACVerify_workstation_des - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14202 - -Signed-off-by: Isaac Boukris -Reviewed-by: Andrew Bartlett ---- - source4/torture/rpc/remote_pac.c | 37 -------------------------------- - 1 file changed, 37 deletions(-) - -diff --git a/source4/torture/rpc/remote_pac.c b/source4/torture/rpc/remote_pac.c -index 7a5cda74b74..f12060e3c8f 100644 ---- a/source4/torture/rpc/remote_pac.c -+++ b/source4/torture/rpc/remote_pac.c -@@ -38,7 +38,6 @@ - - #define TEST_MACHINE_NAME_BDC "torturepacbdc" - #define TEST_MACHINE_NAME_WKSTA "torturepacwksta" --#define TEST_MACHINE_NAME_WKSTA_DES "torturepacwkdes" - #define TEST_MACHINE_NAME_S4U2SELF_BDC "tests4u2selfbdc" - #define TEST_MACHINE_NAME_S4U2SELF_WKSTA "tests4u2selfwk" - -@@ -581,39 +580,6 @@ static bool test_PACVerify_workstation_aes(struct torture_context *tctx, - NETLOGON_NEG_AUTH2_ADS_FLAGS | NETLOGON_NEG_SUPPORTS_AES); - } - --static bool test_PACVerify_workstation_des(struct torture_context *tctx, -- struct dcerpc_pipe *p, struct cli_credentials *credentials, struct test_join *join_ctx) --{ -- struct samr_SetUserInfo r; -- union samr_UserInfo user_info; -- struct dcerpc_pipe *samr_pipe = torture_join_samr_pipe(join_ctx); -- struct smb_krb5_context *smb_krb5_context; -- krb5_error_code ret; -- -- ret = cli_credentials_get_krb5_context(popt_get_cmdline_credentials(), -- tctx->lp_ctx, &smb_krb5_context); -- torture_assert_int_equal(tctx, ret, 0, "cli_credentials_get_krb5_context() failed"); -- -- if (smb_krb5_get_allowed_weak_crypto(smb_krb5_context->krb5_context) == FALSE) { -- torture_skip(tctx, "Cannot test DES without [libdefaults] allow_weak_crypto = yes"); -- } -- -- /* Mark this workstation with DES-only */ -- user_info.info16.acct_flags = ACB_USE_DES_KEY_ONLY | ACB_WSTRUST; 
-- r.in.user_handle = torture_join_samr_user_policy(join_ctx); -- r.in.level = 16; -- r.in.info = &user_info; -- -- torture_assert_ntstatus_ok(tctx, dcerpc_samr_SetUserInfo_r(samr_pipe->binding_handle, tctx, &r), -- "failed to set DES info account flags"); -- torture_assert_ntstatus_ok(tctx, r.out.result, -- "failed to set DES into account flags"); -- -- return test_PACVerify(tctx, p, credentials, SEC_CHAN_WKSTA, -- TEST_MACHINE_NAME_WKSTA_DES, -- NETLOGON_NEG_AUTH2_ADS_FLAGS); --} -- - #ifdef SAMBA4_USES_HEIMDAL - static NTSTATUS check_primary_group_in_validation(TALLOC_CTX *mem_ctx, - uint16_t validation_level, -@@ -1000,9 +966,6 @@ struct torture_suite *torture_rpc_remote_pac(TALLOC_CTX *mem_ctx) - &ndr_table_netlogon, TEST_MACHINE_NAME_WKSTA); - torture_rpc_tcase_add_test_creds(tcase, "verify-sig-aes", test_PACVerify_workstation_aes); - -- tcase = torture_suite_add_machine_workstation_rpc_iface_tcase(suite, "netlogon-member-des", -- &ndr_table_netlogon, TEST_MACHINE_NAME_WKSTA_DES); -- torture_rpc_tcase_add_test_join(tcase, "verify-sig", test_PACVerify_workstation_des); - #ifdef SAMBA4_USES_HEIMDAL - tcase = torture_suite_add_machine_bdc_rpc_iface_tcase(suite, "netr-bdc-arcfour", - &ndr_table_netlogon, TEST_MACHINE_NAME_S4U2SELF_BDC); --- -2.24.1 - - -From c19bef15eba2f8436d3ffafae5e640c6581fdb81 Mon Sep 17 00:00:00 2001 -From: Isaac Boukris -Date: Thu, 31 Oct 2019 19:41:46 +0100 -Subject: [PATCH 02/10] selftest: exclude msDS-SupportedEncryptionType in - ldapcmp - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14202 - -Pair-Programmed-With: Alexander Bokovoy - -Signed-off-by: Isaac Boukris -Reviewed-by: Andrew Bartlett ---- - testprogs/blackbox/dbcheck-oldrelease.sh | 2 +- - testprogs/blackbox/functionalprep.sh | 2 +- - testprogs/blackbox/upgradeprovision-oldrelease.sh | 2 +- - 3 files changed, 3 insertions(+), 3 deletions(-) - -diff --git a/testprogs/blackbox/dbcheck-oldrelease.sh b/testprogs/blackbox/dbcheck-oldrelease.sh -index 3d0ee2c165a..41c55178d4e 
100755 ---- a/testprogs/blackbox/dbcheck-oldrelease.sh -+++ b/testprogs/blackbox/dbcheck-oldrelease.sh -@@ -388,7 +388,7 @@ referenceprovision() { - - ldapcmp() { - if [ x$RELEASE = x"release-4-0-0" ]; then -- $PYTHON $BINDIR/samba-tool ldapcmp tdb://$PREFIX_ABS/${RELEASE}_reference/private/sam.ldb tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb --two --skip-missing-dn --filter=dnsRecord,displayName -+ $PYTHON $BINDIR/samba-tool ldapcmp tdb://$PREFIX_ABS/${RELEASE}_reference/private/sam.ldb tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb --two --skip-missing-dn --filter=dnsRecord,displayName,msDS-SupportedEncryptionTypes - fi - } - -diff --git a/testprogs/blackbox/functionalprep.sh b/testprogs/blackbox/functionalprep.sh -index 80e82252d45..1d37611ef7a 100755 ---- a/testprogs/blackbox/functionalprep.sh -+++ b/testprogs/blackbox/functionalprep.sh -@@ -61,7 +61,7 @@ provision_2012r2() { - ldapcmp_ignore() { - # At some point we will need to ignore, but right now, it should be perfect - IGNORE_ATTRS=$1 -- $PYTHON $BINDIR/samba-tool ldapcmp tdb://$PREFIX_ABS/$2/private/sam.ldb tdb://$PREFIX_ABS/$3/private/sam.ldb --two --skip-missing-dn -+ $PYTHON $BINDIR/samba-tool ldapcmp tdb://$PREFIX_ABS/$2/private/sam.ldb tdb://$PREFIX_ABS/$3/private/sam.ldb --two --skip-missing-dn --filter msDS-SupportedEncryptionTypes - } - - ldapcmp() { -diff --git a/testprogs/blackbox/upgradeprovision-oldrelease.sh b/testprogs/blackbox/upgradeprovision-oldrelease.sh -index 76276168011..208baa54a02 100755 ---- a/testprogs/blackbox/upgradeprovision-oldrelease.sh -+++ b/testprogs/blackbox/upgradeprovision-oldrelease.sh -@@ -106,7 +106,7 @@ referenceprovision() { - - ldapcmp() { - if [ x$RELEASE != x"alpha13" ]; then -- $PYTHON $BINDIR/samba-tool ldapcmp tdb://$PREFIX_ABS/${RELEASE}_upgrade_reference/private/sam.ldb tdb://$PREFIX_ABS/${RELEASE}_upgrade/private/sam.ldb --two --skip-missing-dn --filter=dnsRecord,displayName -+ $PYTHON $BINDIR/samba-tool ldapcmp 
tdb://$PREFIX_ABS/${RELEASE}_upgrade_reference/private/sam.ldb tdb://$PREFIX_ABS/${RELEASE}_upgrade/private/sam.ldb --two --skip-missing-dn --filter=dnsRecord,displayName,msDS-SupportedEncryptionTypes - fi - } - --- -2.24.1 - - -From afb8e18c42122841111b6077bb26bd5dd95e5c55 Mon Sep 17 00:00:00 2001 -From: Isaac Boukris -Date: Thu, 24 Oct 2019 12:20:05 +0300 -Subject: [PATCH 03/10] kerberos: remove single DES enctypes from ENC_ALL_TYPES - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14202 - -Signed-off-by: Isaac Boukris -Reviewed-by: Andrew Bartlett ---- - source4/auth/kerberos/kerberos.h | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/source4/auth/kerberos/kerberos.h b/source4/auth/kerberos/kerberos.h -index 2ff9e3868af..1dd63acc838 100644 ---- a/source4/auth/kerberos/kerberos.h -+++ b/source4/auth/kerberos/kerberos.h -@@ -50,7 +50,7 @@ struct keytab_container { - #define TOK_ID_GSS_GETMIC ((const uint8_t *)"\x01\x01") - #define TOK_ID_GSS_WRAP ((const uint8_t *)"\x02\x01") - --#define ENC_ALL_TYPES (ENC_CRC32 | ENC_RSA_MD5 | ENC_RC4_HMAC_MD5 | \ -+#define ENC_ALL_TYPES (ENC_RC4_HMAC_MD5 | \ - ENC_HMAC_SHA1_96_AES128 | ENC_HMAC_SHA1_96_AES256) - - #ifndef HAVE_KRB5_SET_DEFAULT_TGS_KTYPES --- -2.24.1 - - -From 4747d04bd8c9d694b613cdec92640312208aee9d Mon Sep 17 00:00:00 2001 -From: Isaac Boukris -Date: Thu, 24 Oct 2019 18:53:34 +0300 -Subject: [PATCH 04/10] kdc/db-glue: do not fetch single DES keys from db - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14202 - -Signed-off-by: Isaac Boukris -Reviewed-by: Andrew Bartlett ---- - source4/kdc/db-glue.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c -index f62a633c6c7..023ae7b580d 100644 ---- a/source4/kdc/db-glue.c -+++ b/source4/kdc/db-glue.c -@@ -359,10 +359,10 @@ static krb5_error_code samba_kdc_message2entry_keys(krb5_context context, - - /* If UF_USE_DES_KEY_ONLY has been set, then don't allow use of the newer 
enc types */ - if (userAccountControl & UF_USE_DES_KEY_ONLY) { -- supported_enctypes = ENC_CRC32|ENC_RSA_MD5; -+ supported_enctypes = 0; - } else { - /* Otherwise, add in the default enc types */ -- supported_enctypes |= ENC_CRC32 | ENC_RSA_MD5 | ENC_RC4_HMAC_MD5; -+ supported_enctypes |= ENC_RC4_HMAC_MD5; - } - - /* Is this the krbtgt or a RODC krbtgt */ --- -2.24.1 - - -From 5c460fe678eb5db9f0f2eed67a6be8c07ca8d53c Mon Sep 17 00:00:00 2001 -From: Isaac Boukris -Date: Thu, 24 Oct 2019 18:32:37 +0300 -Subject: [PATCH 05/10] password_hash: do not generate single DES keys - -Per RFC-6649 single DES enctypes should not be used. - -MIT has retired single DES encryption types, see: -https://web.mit.edu/kerberos/krb5-1.12/doc/admin/advanced/retiring-des.html - -As a workaround, store random keys instead, making the usage of signle DES -encryption types virtually impossible. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14202 - -Signed-off-by: Isaac Boukris -Reviewed-by: Andrew Bartlett ---- - .../dsdb/samdb/ldb_modules/password_hash.c | 49 +++---------------- - 1 file changed, 7 insertions(+), 42 deletions(-) - -diff --git a/source4/dsdb/samdb/ldb_modules/password_hash.c b/source4/dsdb/samdb/ldb_modules/password_hash.c -index 006e35c46d5..ffd48da616e 100644 ---- a/source4/dsdb/samdb/ldb_modules/password_hash.c -+++ b/source4/dsdb/samdb/ldb_modules/password_hash.c -@@ -783,56 +783,21 @@ static int setup_kerberos_keys(struct setup_password_fields_io *io) - } - - /* -- * create ENCTYPE_DES_CBC_MD5 key out of -- * the salt and the cleartext password -+ * As per RFC-6649 single DES encryption types are no longer considered -+ * secure to be used in Kerberos, we store random keys instead of the -+ * ENCTYPE_DES_CBC_MD5 and ENCTYPE_DES_CBC_CRC keys. 
- */ -- krb5_ret = smb_krb5_create_key_from_string(io->smb_krb5_context->krb5_context, -- NULL, -- &salt, -- &cleartext_data, -- ENCTYPE_DES_CBC_MD5, -- &key); -- if (krb5_ret) { -- ldb_asprintf_errstring(ldb, -- "setup_kerberos_keys: " -- "generation of a des-cbc-md5 key failed: %s", -- smb_get_krb5_error_message(io->smb_krb5_context->krb5_context, -- krb5_ret, io->ac)); -- return LDB_ERR_OPERATIONS_ERROR; -- } -- io->g.des_md5 = data_blob_talloc(io->ac, -- KRB5_KEY_DATA(&key), -- KRB5_KEY_LENGTH(&key)); -- krb5_free_keyblock_contents(io->smb_krb5_context->krb5_context, &key); -+ io->g.des_md5 = data_blob_talloc(io->ac, NULL, 8); - if (!io->g.des_md5.data) { - return ldb_oom(ldb); - } -+ generate_secret_buffer(io->g.des_md5.data, 8); - -- /* -- * create ENCTYPE_DES_CBC_CRC key out of -- * the salt and the cleartext password -- */ -- krb5_ret = smb_krb5_create_key_from_string(io->smb_krb5_context->krb5_context, -- NULL, -- &salt, -- &cleartext_data, -- ENCTYPE_DES_CBC_CRC, -- &key); -- if (krb5_ret) { -- ldb_asprintf_errstring(ldb, -- "setup_kerberos_keys: " -- "generation of a des-cbc-crc key failed: %s", -- smb_get_krb5_error_message(io->smb_krb5_context->krb5_context, -- krb5_ret, io->ac)); -- return LDB_ERR_OPERATIONS_ERROR; -- } -- io->g.des_crc = data_blob_talloc(io->ac, -- KRB5_KEY_DATA(&key), -- KRB5_KEY_LENGTH(&key)); -- krb5_free_keyblock_contents(io->smb_krb5_context->krb5_context, &key); -+ io->g.des_crc = data_blob_talloc(io->ac, NULL, 8); - if (!io->g.des_crc.data) { - return ldb_oom(ldb); - } -+ generate_secret_buffer(io->g.des_crc.data, 8); - - return LDB_SUCCESS; - } --- -2.24.1 - - -From 000abe4e405ce5fa4eae6235335bfca2a8152e3c Mon Sep 17 00:00:00 2001 -From: Isaac Boukris -Date: Thu, 24 Oct 2019 19:04:51 +0300 -Subject: [PATCH 06/10] kerberos_keytab: do not add single DES keys to keytab - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14202 - -Signed-off-by: Isaac Boukris -Reviewed-by: Andrew Bartlett ---- - source3/libads/kerberos_keytab.c | 2 
-- - testprogs/blackbox/test_export_keytab_heimdal.sh | 16 ++++++++-------- - 2 files changed, 8 insertions(+), 10 deletions(-) - -diff --git a/source3/libads/kerberos_keytab.c b/source3/libads/kerberos_keytab.c -index 97d5535041c..7d193e1a600 100644 ---- a/source3/libads/kerberos_keytab.c -+++ b/source3/libads/kerberos_keytab.c -@@ -240,8 +240,6 @@ int ads_keytab_add_entry(ADS_STRUCT *ads, const char *srvPrinc, bool update_ads) - krb5_data password; - krb5_kvno kvno; - krb5_enctype enctypes[6] = { -- ENCTYPE_DES_CBC_CRC, -- ENCTYPE_DES_CBC_MD5, - #ifdef HAVE_ENCTYPE_AES128_CTS_HMAC_SHA1_96 - ENCTYPE_AES128_CTS_HMAC_SHA1_96, - #endif -diff --git a/testprogs/blackbox/test_export_keytab_heimdal.sh b/testprogs/blackbox/test_export_keytab_heimdal.sh -index cfa245fd4de..6a2595cd684 100755 ---- a/testprogs/blackbox/test_export_keytab_heimdal.sh -+++ b/testprogs/blackbox/test_export_keytab_heimdal.sh -@@ -43,7 +43,7 @@ test_keytab() { - - echo "test: $testname" - -- NKEYS=$($VALGRIND $samba4ktutil $keytab | grep -i "$principal" | egrep -c "des|aes|arcfour") -+ NKEYS=$($VALGRIND $samba4ktutil $keytab | grep -i "$principal" | egrep -c "aes|arcfour") - status=$? 
- if [ x$status != x0 ]; then - echo "failure: $testname" -@@ -64,22 +64,22 @@ unc="//$SERVER/tmp" - testit "create user locally" $VALGRIND $PYTHON $newuser nettestuser $USERPASS $@ || failed=`expr $failed + 1` - - testit "dump keytab from domain" $VALGRIND $PYTHON $samba_tool domain exportkeytab $PREFIX/tmpkeytab $@ || failed=`expr $failed + 1` --test_keytab "read keytab from domain" "$PREFIX/tmpkeytab" "$SERVER\\\$" 5 -+test_keytab "read keytab from domain" "$PREFIX/tmpkeytab" "$SERVER\\\$" 3 - testit "dump keytab from domain (2nd time)" $VALGRIND $PYTHON $samba_tool domain exportkeytab $PREFIX/tmpkeytab $@ || failed=`expr $failed + 1` --test_keytab "read keytab from domain (2nd time)" "$PREFIX/tmpkeytab" "$SERVER\\\$" 5 -+test_keytab "read keytab from domain (2nd time)" "$PREFIX/tmpkeytab" "$SERVER\\\$" 3 - - testit "dump keytab from domain for cifs principal" $VALGRIND $PYTHON $samba_tool domain exportkeytab $PREFIX/tmpkeytab-server --principal=cifs/$SERVER_FQDN $@ || failed=`expr $failed + 1` --test_keytab "read keytab from domain for cifs principal" "$PREFIX/tmpkeytab-server" "cifs/$SERVER_FQDN" 5 -+test_keytab "read keytab from domain for cifs principal" "$PREFIX/tmpkeytab-server" "cifs/$SERVER_FQDN" 3 - testit "dump keytab from domain for cifs principal (2nd time)" $VALGRIND $PYTHON $samba_tool domain exportkeytab $PREFIX/tmpkeytab-server --principal=cifs/$SERVER_FQDN $@ || failed=`expr $failed + 1` --test_keytab "read keytab from domain for cifs principal (2nd time)" "$PREFIX/tmpkeytab-server" "cifs/$SERVER_FQDN" 5 -+test_keytab "read keytab from domain for cifs principal (2nd time)" "$PREFIX/tmpkeytab-server" "cifs/$SERVER_FQDN" 3 - - testit "dump keytab from domain for user principal" $VALGRIND $PYTHON $samba_tool domain exportkeytab $PREFIX/tmpkeytab-2 --principal=nettestuser $@ || failed=`expr $failed + 1` --test_keytab "dump keytab from domain for user principal" "$PREFIX/tmpkeytab-2" "nettestuser@$REALM" 5 -+test_keytab "dump keytab from domain for 
user principal" "$PREFIX/tmpkeytab-2" "nettestuser@$REALM" 3 - testit "dump keytab from domain for user principal (2nd time)" $VALGRIND $PYTHON $samba_tool domain exportkeytab $PREFIX/tmpkeytab-2 --principal=nettestuser@$REALM $@ || failed=`expr $failed + 1` --test_keytab "dump keytab from domain for user principal (2nd time)" "$PREFIX/tmpkeytab-2" "nettestuser@$REALM" 5 -+test_keytab "dump keytab from domain for user principal (2nd time)" "$PREFIX/tmpkeytab-2" "nettestuser@$REALM" 3 - - testit "dump keytab from domain for user principal with SPN as UPN" $VALGRIND $PYTHON $samba_tool domain exportkeytab $PREFIX/tmpkeytab-3 --principal=http/testupnspn.$DNSDOMAIN $@ || failed=`expr $failed + 1` --test_keytab "dump keytab from domain for user principal" "$PREFIX/tmpkeytab-3" "http/testupnspn.$DNSDOMAIN@$REALM" 5 -+test_keytab "dump keytab from domain for user principal" "$PREFIX/tmpkeytab-3" "http/testupnspn.$DNSDOMAIN@$REALM" 3 - - KRB5CCNAME="$PREFIX/tmpuserccache" - export KRB5CCNAME --- -2.24.1 - - -From 4e96a263c2c038bc4c835b78161623cc4d050c61 Mon Sep 17 00:00:00 2001 -From: Isaac Boukris -Date: Mon, 16 Sep 2019 15:17:08 +0300 -Subject: [PATCH 07/10] machine_account_secrets: do not generate single DES - keys - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14202 - -Signed-off-by: Isaac Boukris -Reviewed-by: Andrew Bartlett ---- - source3/passdb/machine_account_secrets.c | 36 ------------------------ - 1 file changed, 36 deletions(-) - -diff --git a/source3/passdb/machine_account_secrets.c b/source3/passdb/machine_account_secrets.c -index dfc21f295a1..efba80f1474 100644 ---- a/source3/passdb/machine_account_secrets.c -+++ b/source3/passdb/machine_account_secrets.c -@@ -1031,7 +1031,6 @@ static int secrets_domain_info_kerberos_keys(struct secrets_domain_info1_passwor - krb5_keyblock key; - DATA_BLOB aes_256_b = data_blob_null; - DATA_BLOB aes_128_b = data_blob_null; -- DATA_BLOB des_md5_b = data_blob_null; - bool ok; - #endif /* HAVE_ADS */ - DATA_BLOB arc4_b = 
data_blob_null; -@@ -1177,32 +1176,6 @@ static int secrets_domain_info_kerberos_keys(struct secrets_domain_info1_passwor - return ENOMEM; - } - -- krb5_ret = smb_krb5_create_key_from_string(krb5_ctx, -- NULL, -- &salt, -- &cleartext_utf8, -- ENCTYPE_DES_CBC_MD5, -- &key); -- if (krb5_ret != 0) { -- DBG_ERR("generation of a des-cbc-md5 key failed: %s\n", -- smb_get_krb5_error_message(krb5_ctx, krb5_ret, keys)); -- krb5_free_context(krb5_ctx); -- TALLOC_FREE(keys); -- TALLOC_FREE(salt_data); -- return krb5_ret; -- } -- des_md5_b = data_blob_talloc(keys, -- KRB5_KEY_DATA(&key), -- KRB5_KEY_LENGTH(&key)); -- krb5_free_keyblock_contents(krb5_ctx, &key); -- if (des_md5_b.data == NULL) { -- DBG_ERR("data_blob_talloc failed for des-cbc-md5.\n"); -- krb5_free_context(krb5_ctx); -- TALLOC_FREE(keys); -- TALLOC_FREE(salt_data); -- return ENOMEM; -- } -- - krb5_free_context(krb5_ctx); - no_kerberos: - -@@ -1227,15 +1200,6 @@ no_kerberos: - keys[idx].value = arc4_b; - idx += 1; - --#ifdef HAVE_ADS -- if (des_md5_b.length != 0) { -- keys[idx].keytype = ENCTYPE_DES_CBC_MD5; -- keys[idx].iteration_count = 4096; -- keys[idx].value = des_md5_b; -- idx += 1; -- } --#endif /* HAVE_ADS */ -- - p->salt_data = salt_data; - p->default_iteration_count = 4096; - p->num_keys = idx; --- -2.24.1 - - -From 79fce8cfb906ca8b5bfa5f1954bf81ff950c3d23 Mon Sep 17 00:00:00 2001 -From: Isaac Boukris -Date: Tue, 12 Nov 2019 12:00:34 +0100 -Subject: [PATCH 08/10] selftest: mitm-s4u2self: use zlib for CRC32_checksum - calc - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14202 - -Signed-off-by: Isaac Boukris -Reviewed-by: Andrew Bartlett ---- - source4/torture/krb5/kdc-canon-heimdal.c | 19 +++++++++++++------ - 1 file changed, 13 insertions(+), 6 deletions(-) - -diff --git a/source4/torture/krb5/kdc-canon-heimdal.c b/source4/torture/krb5/kdc-canon-heimdal.c -index ee3045181dc..7dec67bc49b 100644 ---- a/source4/torture/krb5/kdc-canon-heimdal.c -+++ b/source4/torture/krb5/kdc-canon-heimdal.c -@@ -33,6 
+33,7 @@ - #include "auth/auth_sam_reply.h" - #include "auth/gensec/gensec.h" - #include "param/param.h" -+#include "zlib.h" - - #define TEST_CANONICALIZE 0x0000001 - #define TEST_ENTERPRISE 0x0000002 -@@ -214,6 +215,17 @@ static bool test_accept_ticket(struct torture_context *tctx, - return true; - } - -+static void -+zCRC32_checksum(const void *data, -+ size_t len, -+ Checksum *C) -+{ -+ uint32_t *crc = C->checksum.data; -+ *crc = ~(crc32(0xffffffff, data, len)); -+ C->checksum.length = 4; -+ C->cksumtype = 1; -+} -+ - krb5_error_code - _krb5_s4u2self_to_checksumdata(krb5_context context, - const PA_S4U2Self *self, -@@ -252,11 +264,7 @@ static bool change_for_user_principal(struct torture_krb5_context *test_context, - torture_assert_int_equal(test_context->tctx, - _krb5_s4u2self_to_checksumdata(k5_ctx, &mod_self, &cksum_data), - 0, "_krb5_s4u2self_to_checksumdata() failed"); -- torture_assert_int_equal(test_context->tctx, -- krb5_create_checksum(k5_ctx, NULL, KRB5_KU_OTHER_CKSUM, -- CKSUMTYPE_CRC32, cksum_data.data, -- cksum_data.length, &mod_self.cksum), -- 0, "krb5_create_checksum() failed"); -+ zCRC32_checksum(cksum_data.data, cksum_data.length, &mod_self.cksum); - - ASN1_MALLOC_ENCODE(PA_S4U2Self, for_user->padata_value.data, for_user->padata_value.length, - &mod_self, &used, ret); -@@ -270,7 +278,6 @@ static bool change_for_user_principal(struct torture_krb5_context *test_context, - - free_PA_S4U2Self(&self); - krb5_data_free(&cksum_data); -- free_Checksum(&mod_self.cksum); - - return true; - } --- -2.24.1 - - -From 1a658936884a9a18616fcb1d13b8f9b6be587322 Mon Sep 17 00:00:00 2001 -From: Isaac Boukris -Date: Sat, 16 Nov 2019 22:46:19 +0100 -Subject: [PATCH 09/10] selftest: allow any kdc error in mitm-s4u2self test - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14202 - -Signed-off-by: Isaac Boukris -Reviewed-by: Andrew Bartlett ---- - source4/torture/krb5/kdc-canon-heimdal.c | 14 ++++++-------- - 1 file changed, 6 insertions(+), 8 deletions(-) - -diff 
--git a/source4/torture/krb5/kdc-canon-heimdal.c b/source4/torture/krb5/kdc-canon-heimdal.c -index 7dec67bc49b..5315afa9252 100644 ---- a/source4/torture/krb5/kdc-canon-heimdal.c -+++ b/source4/torture/krb5/kdc-canon-heimdal.c -@@ -737,13 +737,12 @@ static bool torture_krb5_post_recv_tgs_req_canon_test(struct torture_krb5_contex - error.pvno, 5, - "Got wrong error.pvno"); - expected_error = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN - KRB5KDC_ERR_NONE; -- if (error.error_code != expected_error && test_context->test_data->mitm_s4u2self) { -- expected_error = KRB5KRB_AP_ERR_INAPP_CKSUM - KRB5KDC_ERR_NONE; -+ if (!test_context->test_data->mitm_s4u2self) { -+ torture_assert_int_equal(test_context->tctx, -+ error.error_code, -+ expected_error, -+ "Got wrong error.error_code"); - } -- torture_assert_int_equal(test_context->tctx, -- error.error_code, -- expected_error, -- "Got wrong error.error_code"); - } else { - torture_assert_int_equal(test_context->tctx, - decode_TGS_REP(recv_buf->data, recv_buf->length, -@@ -2090,8 +2089,7 @@ static bool torture_krb5_as_req_canon(struct torture_context *tctx, const void * - || test_data->upn == false)) { - - if (test_data->mitm_s4u2self) { -- torture_assert_int_equal(tctx, k5ret, KRB5KRB_AP_ERR_INAPP_CKSUM, -- assertion_message); -+ torture_assert_int_not_equal(tctx, k5ret, 0, assertion_message); - /* Done testing mitm-s4u2self */ - return true; - } --- -2.24.1 - - -From 80ebb75804312a848df4cf5ab883291eaf816130 Mon Sep 17 00:00:00 2001 -From: Isaac Boukris -Date: Sat, 16 Nov 2019 23:03:34 +0100 -Subject: [PATCH 10/10] heimdal: do not compile weak crypto - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14202 - -Signed-off-by: Isaac Boukris -Reviewed-by: Andrew Bartlett ---- - selftest/target/Samba.pm | 1 - - source4/heimdal_build/roken.h | 3 --- - 2 files changed, 4 deletions(-) - -diff --git a/selftest/target/Samba.pm b/selftest/target/Samba.pm -index c30f6fe33ce..3f5ac64c8c2 100644 ---- a/selftest/target/Samba.pm -+++ 
b/selftest/target/Samba.pm -@@ -261,7 +261,6 @@ sub mk_krb5_conf($$) - dns_lookup_kdc = true - ticket_lifetime = 24h - forwardable = yes -- allow_weak_crypto = yes - - # We are running on the same machine, do not correct - # system clock differences -diff --git a/source4/heimdal_build/roken.h b/source4/heimdal_build/roken.h -index 9752c04a741..559021c0a0e 100644 ---- a/source4/heimdal_build/roken.h -+++ b/source4/heimdal_build/roken.h -@@ -6,9 +6,6 @@ - - #include "config.h" - --/* Support 'weak' keys for now, it can't be worse than NTLM and we don't want to hard-code the behaviour at this point */ --#define HEIM_WEAK_CRYPTO 1 -- - /* path to sysconf - should we force this to samba LIBDIR ? */ - #define SYSCONFDIR "/etc" - --- -2.24.1 - diff --git a/SOURCES/ldapsslads-v4-12.patch b/SOURCES/ldapsslads-v4-12.patch new file mode 100644 index 0000000..b8bb84d --- /dev/null +++ b/SOURCES/ldapsslads-v4-12.patch 
@@ -0,0 +1,609 @@ +From 9691c65234f2833792977d6e25a314baca724c64 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Bj=C3=B6rn=20Baumbach?= +Date: Mon, 10 Feb 2020 19:19:44 +0100 +Subject: [PATCH 1/7] s3-libads: use dns name to open a ldap session +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Required for working certificate verification. + +Bug: https://bugzilla.samba.org/show_bug.cgi?id=13124 +Signed-off-by: Björn Baumbach +Reviewed-by: Bjoern Jacke + +Autobuild-User(master): Björn Baumbach +Autobuild-Date(master): Thu Mar 5 12:29:26 UTC 2020 on sn-devel-184 + +(cherry picked from commit e45e0912d99335f4feec7f937180ea21f7f62a72) +--- + source3/libads/ldap.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c +index 7ef7e7e8420..b7f819d876b 100755 +--- a/source3/libads/ldap.c ++++ b/source3/libads/ldap.c +@@ -669,7 +669,7 @@ got_connection: + + /* Otherwise setup the TCP LDAP session */ + +- ads->ldap.ld = ldap_open_with_timeout(addr, ++ ads->ldap.ld = ldap_open_with_timeout(ads->config.ldap_server_name, + &ads->ldap.ss, + ads->ldap.port, lp_ldap_timeout()); + if (ads->ldap.ld == NULL) { +-- +2.25.4 + + +From b0cdea726ef5d90c531a49d2bf8b343cdb788719 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Bj=C3=B6rn=20Baumbach?= +Date: Wed, 3 Jun 2020 19:40:59 +0200 +Subject: [PATCH 2/7] s3-libads: use ldap_init_fd() to initialize a ldap + session if possible +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Use the known ip address of the ldap server to open the connection and +initialize the ldap session with ldap_init_fd(). + +This avoid unnecessary DNS lookups which might block or prevent the +successful connection. 
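Review bot: The switch from `addr` to `ads->config.ldap_server_name` in the ldap_open_with_timeout() call carries no comment, and the reason (the commit message says it is needed for certificate verification, presumably because the TLS layer compares the server certificate against this name rather than against the IP address) will not be obvious to the next reader. Suggest a comment above the call: `/* Connect by DNS name, not by address: TLS certificate verification (bug 13124) matches the server certificate against this name. */`. Where ldap_server_name is populated is outside this hunk, as is the rest of the enclosing function headed by the `got_connection:` label, so I cannot confirm the name is always set at this point.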
+ +Bug: https://bugzilla.samba.org/show_bug.cgi?id=13124 + +Signed-off-by: Björn Baumbach +Reviewed-by: Stefan Metzmacher +Reviewed-by: Andrew Bartlett +(cherry picked from commit c8080bbd708eaa3212fa516861ac9e3b267989a0) +--- + source3/libads/ldap.c | 18 +++++++++++++++++- + 1 file changed, 17 insertions(+), 1 deletion(-) + +diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c +index b7f819d876b..36e73440495 100755 +--- a/source3/libads/ldap.c ++++ b/source3/libads/ldap.c +@@ -92,7 +92,23 @@ static void gotalarm_sig(int signum) + return NULL; + } + +-#ifdef HAVE_LDAP_INITIALIZE ++#ifdef HAVE_LDAP_INIT_FD ++ { ++ int fd = -1; ++ NTSTATUS status = NT_STATUS_UNSUCCESSFUL; ++ ++ status = open_socket_out(ss, port, to, &fd); ++ if (!NT_STATUS_IS_OK(status)) { ++ return NULL; ++ } ++ ++/* define LDAP_PROTO_TCP from openldap.h if required */ ++#ifndef LDAP_PROTO_TCP ++#define LDAP_PROTO_TCP 1 ++#endif ++ ldap_err = ldap_init_fd(fd, LDAP_PROTO_TCP, uri, &ldp); ++ } ++#elif defined(HAVE_LDAP_INITIALIZE) + ldap_err = ldap_initialize(&ldp, uri); + #else + ldp = ldap_open(server, port); +-- +2.25.4 + + +From 6c5b4317b150d3d2aed77c207dd3cb0039392bd6 Mon Sep 17 00:00:00 2001 +From: Isaac Boukris +Date: Mon, 29 Jun 2020 16:55:33 +0300 +Subject: [PATCH 3/7] selftest: add tests for net-ads over TLS + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14439 + +Signed-off-by: Isaac Boukris +Reviewed-by: Andreas Schneider +--- + selftest/knownfail.d/net_ads_ntlm_fallback | 10 +++ + selftest/knownfail.d/net_ads_tls | 1 + + source4/selftest/tests.py | 7 ++ + testprogs/blackbox/test_net_ads_base.sh | 76 ++++++++++++++++++++++ + 4 files changed, 94 insertions(+) + create mode 100644 selftest/knownfail.d/net_ads_ntlm_fallback + create mode 100644 selftest/knownfail.d/net_ads_tls + create mode 100755 testprogs/blackbox/test_net_ads_base.sh + +diff --git a/selftest/knownfail.d/net_ads_ntlm_fallback b/selftest/knownfail.d/net_ads_ntlm_fallback +new file mode 100644 +index 
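Review bot: When `ldap_init_fd()` fails, the socket just obtained from `open_socket_out()` is leaked: `fd` goes out of scope at the closing brace of the new block with only `ldap_err` set, and the error handling after `#endif` (outside this hunk) has no handle to it. Close it on that path, e.g. right after the ldap_init_fd() call: `if (ldap_err != LDAP_SUCCESS) { close(fd); }`; on success the LDAP handle presumably takes ownership of the descriptor, so it must not be closed there — confirm against the libldap documentation. A short comment noting that `uri` still carries the server name (so TLS verification is unaffected by connecting to `ss` directly) would also help, though what `uri` contains is not visible in this hunk. The enclosing function starts and ends outside this hunk.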
00000000000..b16a39d134d +--- /dev/null ++++ b/selftest/knownfail.d/net_ads_ntlm_fallback +@@ -0,0 +1,10 @@ ++# net-ads commands that fail with: --option=gensec:gse_krb5=no ++^samba4.blackbox.net_ads_base.nomech=gse_krb5.testjoin ++^samba4.blackbox.net_ads_base.nomech=gse_krb5.check dNSHostName ++^samba4.blackbox.net_ads_base.nomech=gse_krb5.check SPN ++^samba4.blackbox.net_ads_base.nomech=gse_krb5.test setspn list ++^samba4.blackbox.net_ads_tls.nomech=gse_krb5.testjoin ++^samba4.blackbox.net_ads_tls.nomech=gse_krb5.check dNSHostName ++^samba4.blackbox.net_ads_tls.nomech=gse_krb5.check ldapssl=off ++^samba4.blackbox.net_ads_tls.nomech=gse_krb5.check SPN ++^samba4.blackbox.net_ads_tls.nomech=gse_krb5.test setspn list +diff --git a/selftest/knownfail.d/net_ads_tls b/selftest/knownfail.d/net_ads_tls +new file mode 100644 +index 00000000000..251c948b6a9 +--- /dev/null ++++ b/selftest/knownfail.d/net_ads_tls +@@ -0,0 +1 @@ ++^samba4.blackbox.net_ads_tls +diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py +index 1d965c751a4..a394afa177f 100755 +--- a/source4/selftest/tests.py ++++ b/source4/selftest/tests.py +@@ -511,6 +511,13 @@ plantestsuite("samba4.blackbox.client_etypes_legacy(ad_dc:client)", "ad_dc:clien + plantestsuite("samba4.blackbox.client_etypes_strong(ad_dc:client)", "ad_dc:client", [os.path.join(bbdir, "test_client_etypes.sh"), '$DC_SERVER', '$DC_USERNAME', '$DC_PASSWORD', '$PREFIX_ABS', 'strong', '17_18']) + plantestsuite("samba4.blackbox.net_ads_dns(ad_member:local)", "ad_member:local", [os.path.join(bbdir, "test_net_ads_dns.sh"), '$DC_SERVER', '$DC_USERNAME', '$DC_PASSWORD', '$REALM', '$USERNAME', '$PASSWORD']) + plantestsuite("samba4.blackbox.samba-tool_ntacl(ad_member:local)", "ad_member:local", [os.path.join(bbdir, "test_samba-tool_ntacl.sh"), '$PREFIX', '$DOMSID']) ++ ++for nomech in ["none", "gse_krb5", "ntlmssp"]: ++ # we can't test TLS with ad_dc env as it doesn't allow SASL over TLS ++ 
plantestsuite("samba4.blackbox.net_ads_base.nomech=%s" % nomech, "ad_dc:client", [os.path.join(bbdir, "test_net_ads_base.sh"), '$DC_SERVER', '$DC_USERNAME', '$DC_PASSWORD', 'no', nomech, '$PREFIX_ABS']) ++ plantestsuite("samba4.blackbox.net_ads_tls.nomech=%s" % nomech, "fl2008dc:client", [os.path.join(bbdir, "test_net_ads_base.sh"), '$DC_SERVER', '$DC_USERNAME', '$DC_PASSWORD', 'yes', nomech, '$PREFIX_ABS']) ++ plantestsuite("samba4.blackbox.net_ads_tls.nomech=%s" % nomech, "fl2008r2dc:client", [os.path.join(bbdir, "test_net_ads_base.sh"), '$DC_SERVER', '$DC_USERNAME', '$DC_PASSWORD', 'noverify', nomech, '$PREFIX_ABS']) ++ + plantestsuite_loadlist("samba4.rpc.echo against NetBIOS alias", "ad_dc_ntvfs", [valgrindify(smbtorture4), "$LISTOPT", "$LOADLIST", 'ncacn_np:$NETBIOSALIAS', '-U$DOMAIN/$USERNAME%$PASSWORD', 'rpc.echo']) + # json tests hook into ``chgdcpass'' to make them run in contributor CI on + # gitlab +diff --git a/testprogs/blackbox/test_net_ads_base.sh b/testprogs/blackbox/test_net_ads_base.sh +new file mode 100755 +index 00000000000..59e3da67a7f +--- /dev/null ++++ b/testprogs/blackbox/test_net_ads_base.sh +@@ -0,0 +1,76 @@ ++#!/bin/sh ++ ++if [ $# -lt 5 ]; then ++cat </dev/null | sha1sum | cut -b 1-10` ++HOSTNAME=`echo hn$HOSTNAME | tr '[:lower:]' '[:upper:]'` ++LCHOSTNAME=`echo $HOSTNAME | tr '[:upper:]' '[:lower:]'` ++ ++RUNDIR=`pwd` ++cd $BASEDIR ++WORKDIR=`mktemp -d -p .` ++WORKDIR=`basename $WORKDIR` ++cp -a client/* $WORKDIR/ ++sed -ri "s@(dir|directory) = (.*)/client/@\1 = \2/$WORKDIR/@" $WORKDIR/client.conf ++sed -ri "s/netbios name = .*/netbios name = $HOSTNAME/" $WORKDIR/client.conf ++sed -ri "s/workgroup = .*/workgroup = $DOMAIN/" $WORKDIR/client.conf ++sed -ri "s/realm = .*/realm = $REALM/" $WORKDIR/client.conf ++rm -f $WORKDIR/private/secrets.tdb ++cd $RUNDIR ++ ++failed=0 ++ ++export LDAPTLS_CACERT=$(grep "tls cafile" $BASEDIR/$WORKDIR/client.conf | cut -f2 -d= | awk '{$1=$1};1') ++ ++xoptions="" ++if [ $TLS_MODE != "no" ]; then ++ 
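Review bot: The three new plantestsuite() names omit the environment that every surrounding entry embeds in its name (e.g. `samba4.blackbox.net_ads_dns(ad_member:local)`), so the fl2008dc:client and fl2008r2dc:client TLS runs are both registered as `samba4.blackbox.net_ads_tls.nomech=%s` and, as far as I can see from the names, cannot be told apart in the results. Suggest `"samba4.blackbox.net_ads_tls.nomech=%s(fl2008dc:client)" % nomech` and the same pattern for the fl2008r2dc:client and ad_dc:client entries; the knownfail lines added in this commit are prefix-anchored and would still match. The comment `# we can't test TLS with ad_dc env as it doesn't allow SASL over TLS` would read better as `# ad_dc does not allow SASL binds over TLS, so TLS is exercised against the fl2008 environments instead`.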
xoptions="--option=ldapsslads=yes" ++fi ++ ++if [ $NO_MECH != "none" ]; then ++ xoptions="$xoptions --option=gensec:$NO_MECH=no" ++fi ++ ++if [ $TLS_MODE = "noverify" ]; then ++ export LDAPTLS_REQCERT=allow ++fi ++ ++net_tool="$VALGRIND $BINDIR/net -s $BASEDIR/$WORKDIR/client.conf --option=security=ads -k $xoptions" ++ ++# Load test functions ++. `dirname $0`/subunit.sh ++ ++testit "join" $net_tool ads join -U$DC_USERNAME%$DC_PASSWORD --no-dns-updates || failed=`expr $failed + 1` ++ ++testit "testjoin" $net_tool ads testjoin -P || failed=`expr $failed + 1` ++ ++testit_grep "check dNSHostName" $LCHOSTNAME $net_tool ads search -P samaccountname=$HOSTNAME\$ dNSHostName || failed=`expr $failed + 1` ++ ++tls_log="StartTLS issued: using a TLS connection" ++opt="-d3 --option=ldapssl=off" ++if [ $TLS_MODE != "no" ]; then ++ testit_grep "check ldapssl=off" "$tls_log" $net_tool $opt ads search -P samaccountname=$HOSTNAME\$ dn || failed=`expr $failed + 1` ++fi ++ ++testit_grep "check SPN" "HOST/$HOSTNAME" $net_tool ads search -P samaccountname=$HOSTNAME\$ servicePrincipalName || failed=`expr $failed + 1` ++ ++testit_grep "test setspn list" "HOST/$HOSTNAME" $net_tool ads setspn list $HOSTNAME -P || failed=`expr $failed + 1` ++ ++testit "leave" $net_tool ads leave -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1` ++ ++rm -rf $BASEDIR/$WORKDIR ++ ++exit $failed +-- +2.25.4 + + +From 94d20b09d565c0f4b0809e1cd778f7082e4733f8 Mon Sep 17 00:00:00 2001 +From: Isaac Boukris +Date: Wed, 24 Jun 2020 15:28:45 +0300 +Subject: [PATCH 4/7] Decouple ldap-ssl-ads from ldap-ssl option + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14439 + +Signed-off-by: Isaac Boukris +Reviewed-by: Andreas Schneider +--- + WHATSNEW.txt | 6 +++++ + docs-xml/smbdotconf/ldap/ldapsslads.xml | 7 ++---- + source3/include/smbldap.h | 1 + + source3/lib/ABI/smbldap-2.1.0.sigs | 33 +++++++++++++++++++++++++ + source3/lib/smbldap.c | 19 +++++++++----- + source3/libads/ldap.c | 2 +- + source3/wscript_build | 2 
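Review bot: The `mktemp -d -p .` assignment to WORKDIR is unchecked, so if mktemp fails WORKDIR is empty, the sed edits land on `/client.conf`, and the final `rm -rf $BASEDIR/$WORKDIR` becomes `rm -rf $BASEDIR/`, deleting the whole test prefix. Guard both ends: `WORKDIR=$(mktemp -d -p .) || exit 1` at creation and `rm -rf -- "$BASEDIR/${WORKDIR:?}"` at cleanup. Separately, the `noverify` branch exports `LDAPTLS_REQCERT=allow`, which switches off server certificate checking for the whole run; a comment such as `# noverify: only the StartTLS path is exercised here, the trust chain is deliberately not checked` would stop that line being copied into real configurations. The usage heredoc near the top of the script is garbled in this rendering, so I cannot review the argument parsing.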
+- + 7 files changed, 57 insertions(+), 13 deletions(-) + create mode 100644 source3/lib/ABI/smbldap-2.1.0.sigs + +diff --git a/WHATSNEW.txt b/WHATSNEW.txt +index a5b554fe11f..8935876d247 100644 +--- a/WHATSNEW.txt ++++ b/WHATSNEW.txt +@@ -557,6 +557,12 @@ CTDB changes + helper exits. This triggers an election. + + ++The "ldap ssl ads" option no longer depends on "ldap ssl" option: ++----------------------------------------------------------------- ++With this release, the "ldap ssl ads" can be set to "yes" even if "ldap ssl" ++is off. ++ ++ + REMOVED FEATURES + ================ + +diff --git a/docs-xml/smbdotconf/ldap/ldapsslads.xml b/docs-xml/smbdotconf/ldap/ldapsslads.xml +index 98c39651f1e..f99afe5bbad 100644 +--- a/docs-xml/smbdotconf/ldap/ldapsslads.xml ++++ b/docs-xml/smbdotconf/ldap/ldapsslads.xml +@@ -7,13 +7,10 @@ + This option is used to define whether or not Samba should + use SSL when connecting to the ldap server using + ads methods. +- Rpc methods are not affected by this parameter. Please note, that +- this parameter won't have any effect if +- is set to no. ++ Rpc methods are not affected by this parameter. + + +- See smb.conf5 +- for more information on . ++ See also . 
+ + + +diff --git a/source3/include/smbldap.h b/source3/include/smbldap.h +index 878268aebd6..d063f44afbc 100644 +--- a/source3/include/smbldap.h ++++ b/source3/include/smbldap.h +@@ -72,6 +72,7 @@ int smbldap_modify(struct smbldap_state *ldap_state, + const char *dn, + LDAPMod *attrs[]); + int smbldap_start_tls(LDAP *ldap_struct, int version); ++int smbldap_start_tls_start(LDAP *ldap_struct, int version); + int smbldap_setup_full_conn(LDAP **ldap_struct, const char *uri); + int smbldap_search(struct smbldap_state *ldap_state, + const char *base, int scope, const char *filter, +diff --git a/source3/lib/ABI/smbldap-2.1.0.sigs b/source3/lib/ABI/smbldap-2.1.0.sigs +new file mode 100644 +index 00000000000..67dcc9a8a78 +--- /dev/null ++++ b/source3/lib/ABI/smbldap-2.1.0.sigs +@@ -0,0 +1,33 @@ ++smbldap_add: int (struct smbldap_state *, const char *, LDAPMod **) ++smbldap_delete: int (struct smbldap_state *, const char *) ++smbldap_extended_operation: int (struct smbldap_state *, const char *, struct berval *, LDAPControl **, LDAPControl **, char **, struct berval **) ++smbldap_free_struct: void (struct smbldap_state **) ++smbldap_get_ldap: LDAP *(struct smbldap_state *) ++smbldap_get_paged_results: bool (struct smbldap_state *) ++smbldap_get_single_attribute: bool (LDAP *, LDAPMessage *, const char *, char *, int) ++smbldap_has_control: bool (LDAP *, const char *) ++smbldap_has_extension: bool (LDAP *, const char *) ++smbldap_has_naming_context: bool (LDAP *, const char *) ++smbldap_init: NTSTATUS (TALLOC_CTX *, struct tevent_context *, const char *, bool, const char *, const char *, struct smbldap_state **) ++smbldap_make_mod: void (LDAP *, LDAPMessage *, LDAPMod ***, const char *, const char *) ++smbldap_make_mod_blob: void (LDAP *, LDAPMessage *, LDAPMod ***, const char *, const DATA_BLOB *) ++smbldap_modify: int (struct smbldap_state *, const char *, LDAPMod **) ++smbldap_pull_sid: bool (LDAP *, LDAPMessage *, const char *, struct dom_sid *) ++smbldap_search: int 
(struct smbldap_state *, const char *, int, const char *, const char **, int, LDAPMessage **) ++smbldap_search_paged: int (struct smbldap_state *, const char *, int, const char *, const char **, int, int, LDAPMessage **, void **) ++smbldap_search_suffix: int (struct smbldap_state *, const char *, const char **, LDAPMessage **) ++smbldap_set_bind_callback: void (struct smbldap_state *, smbldap_bind_callback_fn, void *) ++smbldap_set_creds: bool (struct smbldap_state *, bool, const char *, const char *) ++smbldap_set_mod: void (LDAPMod ***, int, const char *, const char *) ++smbldap_set_mod_blob: void (LDAPMod ***, int, const char *, const DATA_BLOB *) ++smbldap_set_paged_results: void (struct smbldap_state *, bool) ++smbldap_setup_full_conn: int (LDAP **, const char *) ++smbldap_start_tls: int (LDAP *, int) ++smbldap_start_tls_start: int (LDAP *, int) ++smbldap_talloc_autofree_ldapmod: void (TALLOC_CTX *, LDAPMod **) ++smbldap_talloc_autofree_ldapmsg: void (TALLOC_CTX *, LDAPMessage *) ++smbldap_talloc_dn: char *(TALLOC_CTX *, LDAP *, LDAPMessage *) ++smbldap_talloc_first_attribute: char *(LDAP *, LDAPMessage *, const char *, TALLOC_CTX *) ++smbldap_talloc_single_attribute: char *(LDAP *, LDAPMessage *, const char *, TALLOC_CTX *) ++smbldap_talloc_single_blob: bool (TALLOC_CTX *, LDAP *, LDAPMessage *, const char *, DATA_BLOB *) ++smbldap_talloc_smallest_attribute: char *(LDAP *, LDAPMessage *, const char *, TALLOC_CTX *) +diff --git a/source3/lib/smbldap.c b/source3/lib/smbldap.c +index 34c841f9243..4815dd81fc3 100644 +--- a/source3/lib/smbldap.c ++++ b/source3/lib/smbldap.c +@@ -598,20 +598,27 @@ static void smbldap_store_state(LDAP *ld, struct smbldap_state *smbldap_state) + } + + /******************************************************************** +- start TLS on an existing LDAP connection ++ start TLS on an existing LDAP connection per config + *******************************************************************/ + + int smbldap_start_tls(LDAP *ldap_struct, 
int version) +-{ +-#ifdef LDAP_OPT_X_TLS +- int rc,tls; +-#endif +- ++{ + if (lp_ldap_ssl() != LDAP_SSL_START_TLS) { + return LDAP_SUCCESS; + } + ++ return smbldap_start_tls_start(ldap_struct, version); ++} ++ ++/******************************************************************** ++ start TLS on an existing LDAP connection unconditionally ++*******************************************************************/ ++ ++int smbldap_start_tls_start(LDAP *ldap_struct, int version) ++{ + #ifdef LDAP_OPT_X_TLS ++ int rc,tls; ++ + /* check if we use ldaps already */ + ldap_get_option(ldap_struct, LDAP_OPT_X_TLS, &tls); + if (tls == LDAP_OPT_X_TLS_HARD) { +diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c +index 36e73440495..16c32b2d5a7 100755 +--- a/source3/libads/ldap.c ++++ b/source3/libads/ldap.c +@@ -703,7 +703,7 @@ got_connection: + ldap_set_option(ads->ldap.ld, LDAP_OPT_PROTOCOL_VERSION, &version); + + if ( lp_ldap_ssl_ads() ) { +- status = ADS_ERROR(smbldap_start_tls(ads->ldap.ld, version)); ++ status = ADS_ERROR(smbldap_start_tls_start(ads->ldap.ld, version)); + if (!ADS_ERR_OK(status)) { + goto out; + } +diff --git a/source3/wscript_build b/source3/wscript_build +index 10d9f71ae76..76d01a78f64 100644 +--- a/source3/wscript_build ++++ b/source3/wscript_build +@@ -520,7 +520,7 @@ bld.SAMBA3_LIBRARY('smbldap', + abi_directory='lib/ABI', + abi_match='smbldap_*', + pc_files=[], +- vnum='2', ++ vnum='2.1.0', + public_headers='include/smbldap.h include/smb_ldap.h') + + bld.SAMBA3_LIBRARY('ads', +-- +2.25.4 + + +From a7d674b519b363c6e20fa5784ab998fc622c9859 Mon Sep 17 00:00:00 2001 +From: Isaac Boukris +Date: Thu, 2 Jul 2020 10:59:18 +0200 +Subject: [PATCH 5/7] Fix ads_set_sasl_wrap_flags to only change sasl flags + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14439 + +Signed-off-by: Isaac Boukris +Reviewed-by: Andreas Schneider +--- + source3/libads/ads_proto.h | 2 +- + source3/libads/ads_struct.c | 8 ++++++-- + 2 files changed, 7 insertions(+), 3 deletions(-) 
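Review bot: In the new `smbldap_start_tls_start`, `int rc,tls;` is declared uninitialized and `tls` is compared right after `ldap_get_option(ldap_struct, LDAP_OPT_X_TLS, &tls)` without the call's return value being checked, so a failed option lookup leaves the `tls == LDAP_OPT_X_TLS_HARD` test reading an indeterminate value. The lookup is moved code, but the declaration line is new and can carry a default at no cost: `int rc, tls = 0;`. The remainder of the function, including the `rc` uses, is outside the hunk, so whether `rc` has the same issue cannot be seen here.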
+ +diff --git a/source3/libads/ads_proto.h b/source3/libads/ads_proto.h +index cd9c1082681..6cdde0cf6eb 100644 +--- a/source3/libads/ads_proto.h ++++ b/source3/libads/ads_proto.h +@@ -47,7 +47,7 @@ ADS_STRUCT *ads_init(const char *realm, + const char *workgroup, + const char *ldap_server, + enum ads_sasl_state_e sasl_state); +-bool ads_set_sasl_wrap_flags(ADS_STRUCT *ads, int flags); ++bool ads_set_sasl_wrap_flags(ADS_STRUCT *ads, unsigned flags); + void ads_destroy(ADS_STRUCT **ads); + + /* The following definitions come from libads/disp_sec.c */ +diff --git a/source3/libads/ads_struct.c b/source3/libads/ads_struct.c +index 043a1b21247..67a9a7cf75e 100644 +--- a/source3/libads/ads_struct.c ++++ b/source3/libads/ads_struct.c +@@ -176,13 +176,17 @@ ADS_STRUCT *ads_init(const char *realm, + /**************************************************************** + ****************************************************************/ + +-bool ads_set_sasl_wrap_flags(ADS_STRUCT *ads, int flags) ++bool ads_set_sasl_wrap_flags(ADS_STRUCT *ads, unsigned flags) + { ++ unsigned other_flags; ++ + if (!ads) { + return false; + } + +- ads->auth.flags = flags; ++ other_flags = ads->auth.flags & ~(ADS_AUTH_SASL_SIGN|ADS_AUTH_SASL_SEAL); ++ ++ ads->auth.flags = flags | other_flags; + + return true; + } +-- +2.25.4 + + +From e75511bf6b6b516db3336cd5f1d8f27307805801 Mon Sep 17 00:00:00 2001 +From: Isaac Boukris +Date: Thu, 2 Jul 2020 09:33:12 +0200 +Subject: [PATCH 6/7] ads: set sasl-wrapping to plain when over TLS + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14439 + +Signed-off-by: Isaac Boukris +Reviewed-by: Andreas Schneider +--- + WHATSNEW.txt | 5 +++++ + selftest/knownfail.d/net_ads_tls | 1 - + source3/libads/ldap.c | 4 ++++ + 3 files changed, 9 insertions(+), 1 deletion(-) + delete mode 100644 selftest/knownfail.d/net_ads_tls + +diff --git a/WHATSNEW.txt b/WHATSNEW.txt +index 8935876d247..927b9a0fa59 100644 +--- a/WHATSNEW.txt ++++ b/WHATSNEW.txt +@@ -562,6 +562,11 @@ The "ldap 
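Review bot: `ads_set_sasl_wrap_flags` now preserves the non-SASL bits of `ads->auth.flags`, but it still ORs the caller's `flags` in unmasked, so a caller passing anything other than `ADS_AUTH_SASL_SIGN`/`ADS_AUTH_SASL_SEAL` bits would silently set unrelated auth flags despite the function's stated purpose. Masking the input makes the contract the commit title describes explicit: `ads->auth.flags = (flags & (ADS_AUTH_SASL_SIGN|ADS_AUTH_SASL_SEAL)) | other_flags;`. The `ads_proto.h` hunk changes the parameter type to `unsigned` without any comment; a line there such as `/* Replaces only the SASL sign/seal bits of ads->auth.flags; all other flags are preserved. */` would tell callers what the function does and does not touch.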
ssl ads" option no longer depends on "ldap ssl" option: + With this release, the "ldap ssl ads" can be set to "yes" even if "ldap ssl" + is off. + ++The "ldap ssl ads" no longer requires sasl-wrapping to be set to plain: ++----------------------------------------------------------------------- ++This is now done implicitly when over TLS, so "client ldap sasl wrapping" ++does not need to be set to "plain" in order for it to work. ++ + + REMOVED FEATURES + ================ +diff --git a/selftest/knownfail.d/net_ads_tls b/selftest/knownfail.d/net_ads_tls +deleted file mode 100644 +index 251c948b6a9..00000000000 +--- a/selftest/knownfail.d/net_ads_tls ++++ /dev/null +@@ -1 +0,0 @@ +-^samba4.blackbox.net_ads_tls +diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c +index 16c32b2d5a7..3f41e990085 100755 +--- a/source3/libads/ldap.c ++++ b/source3/libads/ldap.c +@@ -707,6 +707,10 @@ got_connection: + if (!ADS_ERR_OK(status)) { + goto out; + } ++ if (!ads_set_sasl_wrap_flags(ads, 0)) { ++ status = ADS_ERROR(LDAP_OPERATIONS_ERROR); ++ goto out; ++ } + } + + /* fill in the current time and offsets */ +-- +2.25.4 + + +From 43694fbfa79b255a27a4becaf8743d2b110495e9 Mon Sep 17 00:00:00 2001 +From: Isaac Boukris +Date: Sat, 11 Jul 2020 05:04:59 +0200 +Subject: [PATCH 7/7] net: ignore possible SIGPIPE upon ldap_unbind when over + TLS + +From local tests with strace: + +socket(AF_UNIX, SOCK_STREAM, 0) = 12 +write(2, "Connecting to 10.53.57.21 at por"..., 38) = 38 +... 
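Review bot: The new `ads_set_sasl_wrap_flags(ads, 0)` call clears SASL sign/seal whenever `lp_ldap_ssl_ads()` is set and start-TLS succeeded, so from this point the integrity and confidentiality of the LDAP session rest entirely on the TLS layer, and nothing in the hunk records that dependency. The test-script hunk earlier in this patch exports `LDAPTLS_REQCERT=allow` in its noverify mode, which is a configuration where this code path ends up with neither SASL protection nor certificate verification, so the reliance is worth stating next to the call: `/* TLS now protects the session; drop SASL sign/seal. Only meaningful when the TLS peer certificate is verified. */`. The enclosing function continues outside the hunk.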
+write(2, "ads_domain_func_level: 3\n", 25) = 25 +write(12, "\27\3\3\0\37\0\0\0\0\0\0\0\16nl[\374\375i\325\334\25\227kxG@\326\311R\225x"..., 36) = 36 +write(12, "\25\3\3\0\32\0\0\0\0\0\0\0\17Hh\304\254\244\17\342<\334\210L&\20_\177\307\232P", 31) = -1 EPIPE (Broken pipe) +--- SIGPIPE {si_signo=SIGPIPE, si_code=SI_USER, si_pid=12089, si_uid=1000} --- ++++ killed by SIGPIPE +++ + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14439 + +Signed-off-by: Isaac Boukris +Reviewed-by: Andreas Schneider + +Autobuild-User(master): Isaac Boukris +Autobuild-Date(master): Mon Jul 13 12:06:07 UTC 2020 on sn-devel-184 +--- + source3/utils/net.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/source3/utils/net.c b/source3/utils/net.c +index 683b46794e4..e289b2814bc 100644 +--- a/source3/utils/net.c ++++ b/source3/utils/net.c +@@ -1289,6 +1289,9 @@ static void get_credentials_file(struct net_context *c, + POPT_TABLEEND + }; + ++ /* Ignore possible SIGPIPE upon ldap_unbind when over TLS */ ++ BlockSignals(True, SIGPIPE); ++ + zero_sockaddr(&c->opt_dest_ip); + + setup_logging(argv[0], DEBUG_STDERR); +-- +2.25.4 + +From 0a58060cb223a1ee6629f4ba706834369dd42a3d Mon Sep 17 00:00:00 2001 +From: Isaac Boukris +Date: Tue, 14 Jul 2020 22:38:06 +0200 +Subject: [PATCH] s3-libads: pass timeout to open_socket_out in ms + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=13124 + +Signed-off-by: Isaac Boukris +--- + source3/libads/ldap.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c +index 1ffe96d32c9..d431156912f 100755 +--- a/source3/libads/ldap.c ++++ b/source3/libads/ldap.c +@@ -96,9 +96,11 @@ static void gotalarm_sig(int signum) + { + int fd = -1; + NTSTATUS status = NT_STATUS_UNSUCCESSFUL; ++ unsigned timeout_ms = 1000 * to; + +- status = open_socket_out(ss, port, to, &fd); ++ status = open_socket_out(ss, port, timeout_ms, &fd); + if (!NT_STATUS_IS_OK(status)) { ++ DEBUG(3, ("open_socket_out: failed to open 
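Review bot: `BlockSignals(True, SIGPIPE)` is installed unconditionally during `net` startup, so the comment's "upon ldap_unbind when over TLS" understates the scope: every `net` subcommand, not only the ads/TLS path, will now receive EPIPE from a write to a closed pipe or socket instead of being terminated. That is usually what a command-line tool wants, but any write loop in `net` that ignores its return value could now keep going where it previously stopped, which cannot be checked from this hunk. The comment should describe the process-wide effect, e.g. `/* Ignore SIGPIPE process-wide (seen from ldap_unbind over TLS); writes to a closed peer return EPIPE instead of killing net. */`.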
socket\n")); + return NULL; + } + +-- +2.25.4 + diff --git a/SOURCES/samba-4.10-fix-netbios-join.patch b/SOURCES/samba-4.10-fix-netbios-join.patch deleted file mode 100644 index 9dd2eec..0000000 --- a/SOURCES/samba-4.10-fix-netbios-join.patch +++ /dev/null 
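Review bot: `unsigned timeout_ms = 1000 * to;` multiplies in the type of `to` before the conversion to `unsigned`, so if `to` is a signed int (its declaration is outside the hunk) a negative or very large caller value wraps to an arbitrary timeout rather than being rejected. A guard before the conversion, such as `if (to < 0 || to > INT_MAX / 1000) { return NULL; }`, keeps the millisecond value in range; if `to` is already unsigned, only the upper bound is needed. The added DEBUG line would also be more useful with the failure reason: `DEBUG(3, ("open_socket_out: failed to open socket: %s\n", nt_errstr(status)));`. The enclosing function starts outside the hunk.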
@@ -1,723 +0,0 @@ -From 05f7e9a72a1769af9d41b1ca40fe6a14b3f069d1 Mon Sep 17 00:00:00 2001 -From: Isaac Boukris -Date: Fri, 30 Aug 2019 00:22:15 +0300 -Subject: [PATCH 1/6] libnet_join: build dnsHostName from netbios name and - lp_dnsdomain() - -This make the join process much more reliable, and avoids "Constraint -violation" error when the fqdn returned from getaddrinfo has already -got assigned an SPN. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14116 - -Signed-off-by: Isaac Boukris -Reviewed-by: Ralph Boehme -Reviewed-by: Alexander Bokovoy ---- - source3/libnet/libnet_join.c | 31 +++++++++++------------------- - testprogs/blackbox/test_net_ads.sh | 7 +++++-- - 2 files changed, 16 insertions(+), 22 deletions(-) - -diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c -index 7943bef2cf6..818b3039cb9 100644 ---- a/source3/libnet/libnet_join.c -+++ b/source3/libnet/libnet_join.c -@@ -533,29 +533,23 @@ static ADS_STATUS libnet_join_set_machine_spn(TALLOC_CTX *mem_ctx, - } - } - -- if (!name_to_fqdn(my_fqdn, r->in.machine_name) -- || (strchr(my_fqdn, '.') == NULL)) { -- fstr_sprintf(my_fqdn, "%s.%s", r->in.machine_name, -- r->out.dns_domain_name); -- } -+ fstr_sprintf(my_fqdn, "%s.%s", r->in.machine_name, lp_dnsdomain()); - - if (!strlower_m(my_fqdn)) { - return ADS_ERROR_LDAP(LDAP_NO_MEMORY); - } - -- if (!strequal(my_fqdn, r->in.machine_name)) { -- spn = talloc_asprintf(mem_ctx, "HOST/%s", my_fqdn); -- if (!spn) { -- return ADS_ERROR_LDAP(LDAP_NO_MEMORY); -- } -+ spn = talloc_asprintf(mem_ctx, "HOST/%s", my_fqdn); -+ if (spn == NULL) { -+ return ADS_ERROR_LDAP(LDAP_NO_MEMORY); -+ } - -- ok = ads_element_in_array(spn_array, num_spns, spn); -+ ok = ads_element_in_array(spn_array, num_spns, spn); -+ if (!ok) { -+ ok = add_string_to_array(spn_array, spn, -+ &spn_array, &num_spns); - if (!ok) { -- ok = add_string_to_array(spn_array, spn, -- &spn_array, &num_spns); -- if (!ok) { -- return ADS_ERROR_LDAP(LDAP_NO_MEMORY); -- } -+ return 
ADS_ERROR_LDAP(LDAP_NO_MEMORY); - } - } - -@@ -591,12 +585,9 @@ static ADS_STATUS libnet_join_set_machine_spn(TALLOC_CTX *mem_ctx, - /* - * Add HOST/netbiosname.domainname - */ -- if (r->out.dns_domain_name == NULL) { -- continue; -- } - fstr_sprintf(my_fqdn, "%s.%s", - *netbios_aliases, -- r->out.dns_domain_name); -+ lp_dnsdomain()); - - spn = talloc_asprintf(mem_ctx, "HOST/%s", my_fqdn); - if (spn == NULL) { -diff --git a/testprogs/blackbox/test_net_ads.sh b/testprogs/blackbox/test_net_ads.sh -index cc8345c4624..ef6f99ddea4 100755 ---- a/testprogs/blackbox/test_net_ads.sh -+++ b/testprogs/blackbox/test_net_ads.sh -@@ -81,7 +81,7 @@ testit "testjoin (dedicated keytab)" $VALGRIND $net_tool ads testjoin -kP || fai - netbios=$(grep "netbios name" $BASEDIR/$WORKDIR/client.conf | cut -f2 -d= | awk '{$1=$1};1') - uc_netbios=$(echo $netbios | tr '[:lower:]' '[:upper:]') - lc_realm=$(echo $REALM | tr '[:upper:]' '[:lower:]') --fqdns="$netbios.$lc_realm" -+fqdn="$netbios.$lc_realm" - - krb_princ="primary/instance@$REALM" - testit "test (dedicated keytab) add a fully qualified krb5 principal" $VALGRIND $net_tool ads keytab add $krb_princ -U$DC_USERNAME%$DC_PASSWORD --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" || failed=`expr $failed + 1` -@@ -99,7 +99,7 @@ testit "test (dedicated keytab) at least one krb5 principal created from $machin - service="nfs" - testit "test (dedicated keytab) add a $service service to keytab" $VALGRIND $net_tool ads keytab add $service -U$DC_USERNAME%$DC_PASSWORD --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" || failed=`expr $failed + 1` - --search_str="$service/$fqdns@$REALM" -+search_str="$service/$fqdn@$REALM" - found=`$net_tool ads keytab list -U$DC_USERNAME%$DC_PASSWORD --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" | grep $search_str | wc -l` - testit "test (dedicated keytab) at least one (long 
form) krb5 principal created from service added is present in keytab" test $found -gt 1 || failed=`expr $failed + 1` - -@@ -206,6 +206,9 @@ testit "join" $VALGRIND $net_tool ads join -U$DC_USERNAME%$DC_PASSWORD || failed - - testit "testjoin" $VALGRIND $net_tool ads testjoin || failed=`expr $failed + 1` - -+testit_grep "check dNSHostName" $fqdn $VALGRIND $net_tool ads search -P samaccountname=$netbios\$ dNSHostName || failed=`expr $failed + 1` -+testit_grep "check SPN" ${uc_netbios}.${lc_realm} $VALGRIND $net_tool ads search -P samaccountname=$netbios\$ servicePrincipalName || failed=`expr $failed + 1` -+ - ##Goodbye... - testit "leave" $VALGRIND $net_tool ads leave -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1` - --- -2.21.0 - - -From 4cbad1eb46896bbd74c5b19dbb0a8937ffde90c2 Mon Sep 17 00:00:00 2001 -From: Isaac Boukris -Date: Wed, 18 Sep 2019 20:00:34 +0300 -Subject: [PATCH 2/6] libnet_join_set_machine_spn: improve style and make a bit - room for indentation - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14116 - -Signed-off-by: Isaac Boukris -Reviewed-by: Ralph Boehme -Reviewed-by: Alexander Bokovoy ---- - source3/libnet/libnet_join.c | 95 ++++++++++++++++++------------------ - 1 file changed, 47 insertions(+), 48 deletions(-) - -diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c -index 818b3039cb9..67ab50c68a8 100644 ---- a/source3/libnet/libnet_join.c -+++ b/source3/libnet/libnet_join.c -@@ -517,7 +517,7 @@ static ADS_STATUS libnet_join_set_machine_spn(TALLOC_CTX *mem_ctx, - /* Windows only creates HOST/shortname & HOST/fqdn. 
*/ - - spn = talloc_asprintf(mem_ctx, "HOST/%s", r->in.machine_name); -- if (!spn) { -+ if (spn == NULL) { - return ADS_ERROR_LDAP(LDAP_NO_MEMORY); - } - if (!strupper_m(spn)) { -@@ -553,60 +553,59 @@ static ADS_STATUS libnet_join_set_machine_spn(TALLOC_CTX *mem_ctx, - } - } - -- netbios_aliases = lp_netbios_aliases(); -- if (netbios_aliases != NULL) { -- for (; *netbios_aliases != NULL; netbios_aliases++) { -- /* -- * Add HOST/NETBIOSNAME -- */ -- spn = talloc_asprintf(mem_ctx, "HOST/%s", *netbios_aliases); -- if (spn == NULL) { -- TALLOC_FREE(spn); -- return ADS_ERROR_LDAP(LDAP_NO_MEMORY); -- } -- if (!strupper_m(spn)) { -- TALLOC_FREE(spn); -- return ADS_ERROR_LDAP(LDAP_NO_MEMORY); -- } -+ for (netbios_aliases = lp_netbios_aliases(); -+ netbios_aliases != NULL && *netbios_aliases != NULL; -+ netbios_aliases++) { -+ /* -+ * Add HOST/NETBIOSNAME -+ */ -+ spn = talloc_asprintf(mem_ctx, "HOST/%s", *netbios_aliases); -+ if (spn == NULL) { -+ TALLOC_FREE(spn); -+ return ADS_ERROR_LDAP(LDAP_NO_MEMORY); -+ } -+ if (!strupper_m(spn)) { -+ TALLOC_FREE(spn); -+ return ADS_ERROR_LDAP(LDAP_NO_MEMORY); -+ } - -- ok = ads_element_in_array(spn_array, num_spns, spn); -- if (ok) { -- TALLOC_FREE(spn); -- continue; -- } -- ok = add_string_to_array(spn_array, spn, -- &spn_array, &num_spns); -- if (!ok) { -- TALLOC_FREE(spn); -- return ADS_ERROR_LDAP(LDAP_NO_MEMORY); -- } -+ ok = ads_element_in_array(spn_array, num_spns, spn); -+ if (ok) { -+ TALLOC_FREE(spn); -+ continue; -+ } -+ ok = add_string_to_array(spn_array, spn, -+ &spn_array, &num_spns); -+ if (!ok) { - TALLOC_FREE(spn); -+ return ADS_ERROR_LDAP(LDAP_NO_MEMORY); -+ } -+ TALLOC_FREE(spn); - -- /* -- * Add HOST/netbiosname.domainname -- */ -- fstr_sprintf(my_fqdn, "%s.%s", -- *netbios_aliases, -- lp_dnsdomain()); -+ /* -+ * Add HOST/netbiosname.domainname -+ */ -+ fstr_sprintf(my_fqdn, "%s.%s", -+ *netbios_aliases, -+ lp_dnsdomain()); - -- spn = talloc_asprintf(mem_ctx, "HOST/%s", my_fqdn); -- if (spn == NULL) { -- return 
ADS_ERROR_LDAP(LDAP_NO_MEMORY); -- } -+ spn = talloc_asprintf(mem_ctx, "HOST/%s", my_fqdn); -+ if (spn == NULL) { -+ return ADS_ERROR_LDAP(LDAP_NO_MEMORY); -+ } - -- ok = ads_element_in_array(spn_array, num_spns, spn); -- if (ok) { -- TALLOC_FREE(spn); -- continue; -- } -- ok = add_string_to_array(spn_array, spn, -- &spn_array, &num_spns); -- if (!ok) { -- TALLOC_FREE(spn); -- return ADS_ERROR_LDAP(LDAP_NO_MEMORY); -- } -+ ok = ads_element_in_array(spn_array, num_spns, spn); -+ if (ok) { -+ TALLOC_FREE(spn); -+ continue; -+ } -+ ok = add_string_to_array(spn_array, spn, -+ &spn_array, &num_spns); -+ if (!ok) { - TALLOC_FREE(spn); -+ return ADS_ERROR_LDAP(LDAP_NO_MEMORY); - } -+ TALLOC_FREE(spn); - } - - /* make sure to NULL terminate the array */ --- -2.21.0 - - -From b8e1264ececf38681ca9a519a51e8336044673f0 Mon Sep 17 00:00:00 2001 -From: Isaac Boukris -Date: Wed, 18 Sep 2019 21:29:47 +0300 -Subject: [PATCH 3/6] libnet_join_set_machine_spn: simplify memory handling - -and avoid a possible memory leak when passing null to -add_string_to_array() as mem_ctx. 
- -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14116 - -Signed-off-by: Isaac Boukris -Reviewed-by: Ralph Boehme -Reviewed-by: Alexander Bokovoy ---- - source3/libnet/libnet_join.c | 74 ++++++++++++++++++++---------------- - 1 file changed, 42 insertions(+), 32 deletions(-) - -diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c -index 67ab50c68a8..43035370526 100644 ---- a/source3/libnet/libnet_join.c -+++ b/source3/libnet/libnet_join.c -@@ -490,6 +490,7 @@ static ADS_STATUS libnet_join_get_machine_spns(TALLOC_CTX *mem_ctx, - static ADS_STATUS libnet_join_set_machine_spn(TALLOC_CTX *mem_ctx, - struct libnet_JoinCtx *r) - { -+ TALLOC_CTX *frame = talloc_stackframe(); - ADS_STATUS status; - ADS_MODLIST mods; - fstring my_fqdn; -@@ -506,7 +507,7 @@ static ADS_STATUS libnet_join_set_machine_spn(TALLOC_CTX *mem_ctx, - return status; - } - -- status = libnet_join_get_machine_spns(mem_ctx, -+ status = libnet_join_get_machine_spns(frame, - r, - discard_const_p(char **, &spn_array), - &num_spns); -@@ -516,40 +517,46 @@ static ADS_STATUS libnet_join_set_machine_spn(TALLOC_CTX *mem_ctx, - - /* Windows only creates HOST/shortname & HOST/fqdn. 
*/ - -- spn = talloc_asprintf(mem_ctx, "HOST/%s", r->in.machine_name); -+ spn = talloc_asprintf(frame, "HOST/%s", r->in.machine_name); - if (spn == NULL) { -- return ADS_ERROR_LDAP(LDAP_NO_MEMORY); -+ status = ADS_ERROR_LDAP(LDAP_NO_MEMORY); -+ goto done; - } - if (!strupper_m(spn)) { -- return ADS_ERROR_LDAP(LDAP_NO_MEMORY); -+ status = ADS_ERROR_LDAP(LDAP_NO_MEMORY); -+ goto done; - } - - ok = ads_element_in_array(spn_array, num_spns, spn); - if (!ok) { -- ok = add_string_to_array(spn_array, spn, -+ ok = add_string_to_array(frame, spn, - &spn_array, &num_spns); - if (!ok) { -- return ADS_ERROR_LDAP(LDAP_NO_MEMORY); -+ status = ADS_ERROR_LDAP(LDAP_NO_MEMORY); -+ goto done; - } - } - - fstr_sprintf(my_fqdn, "%s.%s", r->in.machine_name, lp_dnsdomain()); - - if (!strlower_m(my_fqdn)) { -- return ADS_ERROR_LDAP(LDAP_NO_MEMORY); -+ status = ADS_ERROR_LDAP(LDAP_NO_MEMORY); -+ goto done; - } - -- spn = talloc_asprintf(mem_ctx, "HOST/%s", my_fqdn); -+ spn = talloc_asprintf(frame, "HOST/%s", my_fqdn); - if (spn == NULL) { -- return ADS_ERROR_LDAP(LDAP_NO_MEMORY); -+ status = ADS_ERROR_LDAP(LDAP_NO_MEMORY); -+ goto done; - } - - ok = ads_element_in_array(spn_array, num_spns, spn); - if (!ok) { -- ok = add_string_to_array(spn_array, spn, -+ ok = add_string_to_array(frame, spn, - &spn_array, &num_spns); - if (!ok) { -- return ADS_ERROR_LDAP(LDAP_NO_MEMORY); -+ status = ADS_ERROR_LDAP(LDAP_NO_MEMORY); -+ goto done; - } - } - -@@ -559,28 +566,26 @@ static ADS_STATUS libnet_join_set_machine_spn(TALLOC_CTX *mem_ctx, - /* - * Add HOST/NETBIOSNAME - */ -- spn = talloc_asprintf(mem_ctx, "HOST/%s", *netbios_aliases); -+ spn = talloc_asprintf(frame, "HOST/%s", *netbios_aliases); - if (spn == NULL) { -- TALLOC_FREE(spn); -- return ADS_ERROR_LDAP(LDAP_NO_MEMORY); -+ status = ADS_ERROR_LDAP(LDAP_NO_MEMORY); -+ goto done; - } - if (!strupper_m(spn)) { -- TALLOC_FREE(spn); -- return ADS_ERROR_LDAP(LDAP_NO_MEMORY); -+ status = ADS_ERROR_LDAP(LDAP_NO_MEMORY); -+ goto done; - } - - ok = 
ads_element_in_array(spn_array, num_spns, spn); - if (ok) { -- TALLOC_FREE(spn); - continue; - } - ok = add_string_to_array(spn_array, spn, - &spn_array, &num_spns); - if (!ok) { -- TALLOC_FREE(spn); -- return ADS_ERROR_LDAP(LDAP_NO_MEMORY); -+ status = ADS_ERROR_LDAP(LDAP_NO_MEMORY); -+ goto done; - } -- TALLOC_FREE(spn); - - /* - * Add HOST/netbiosname.domainname -@@ -589,51 +594,56 @@ static ADS_STATUS libnet_join_set_machine_spn(TALLOC_CTX *mem_ctx, - *netbios_aliases, - lp_dnsdomain()); - -- spn = talloc_asprintf(mem_ctx, "HOST/%s", my_fqdn); -+ spn = talloc_asprintf(frame, "HOST/%s", my_fqdn); - if (spn == NULL) { -- return ADS_ERROR_LDAP(LDAP_NO_MEMORY); -+ status = ADS_ERROR_LDAP(LDAP_NO_MEMORY); -+ goto done; - } - - ok = ads_element_in_array(spn_array, num_spns, spn); - if (ok) { -- TALLOC_FREE(spn); - continue; - } - ok = add_string_to_array(spn_array, spn, - &spn_array, &num_spns); - if (!ok) { -- TALLOC_FREE(spn); -- return ADS_ERROR_LDAP(LDAP_NO_MEMORY); -+ status = ADS_ERROR_LDAP(LDAP_NO_MEMORY); -+ goto done; - } -- TALLOC_FREE(spn); - } - - /* make sure to NULL terminate the array */ -- spn_array = talloc_realloc(mem_ctx, spn_array, const char *, num_spns + 1); -+ spn_array = talloc_realloc(frame, spn_array, const char *, num_spns + 1); - if (spn_array == NULL) { -- return ADS_ERROR_LDAP(LDAP_NO_MEMORY); -+ status = ADS_ERROR_LDAP(LDAP_NO_MEMORY); -+ goto done; - } - spn_array[num_spns] = NULL; - - mods = ads_init_mods(mem_ctx); - if (!mods) { -- return ADS_ERROR_LDAP(LDAP_NO_MEMORY); -+ status = ADS_ERROR_LDAP(LDAP_NO_MEMORY); -+ goto done; - } - - /* fields of primary importance */ - - status = ads_mod_str(mem_ctx, &mods, "dNSHostName", my_fqdn); - if (!ADS_ERR_OK(status)) { -- return ADS_ERROR_LDAP(LDAP_NO_MEMORY); -+ goto done; - } - - status = ads_mod_strlist(mem_ctx, &mods, "servicePrincipalName", - spn_array); - if (!ADS_ERR_OK(status)) { -- return ADS_ERROR_LDAP(LDAP_NO_MEMORY); -+ goto done; - } - -- return ads_gen_mod(r->in.ads, 
r->out.dn, mods); -+ status = ads_gen_mod(r->in.ads, r->out.dn, mods); -+ -+done: -+ TALLOC_FREE(frame); -+ return status; - } - - /**************************************************************** --- -2.21.0 - - -From 3e65f72b141a7ee256ae581e5f48f1d930aed76a Mon Sep 17 00:00:00 2001 -From: Isaac Boukris -Date: Wed, 18 Sep 2019 23:15:57 +0300 -Subject: [PATCH 4/6] libnet_join_set_machine_spn: simplify adding uniq spn to - array - -and do not skip adding a fully qualified spn to netbios-aliases -in case a short spn already existed. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14116 - -Signed-off-by: Isaac Boukris -Reviewed-by: Ralph Boehme -Reviewed-by: Alexander Bokovoy ---- - source3/libnet/libnet_join.c | 56 +++++++++++++++--------------------- - 1 file changed, 23 insertions(+), 33 deletions(-) - -diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c -index 43035370526..a1d8a25bbc2 100644 ---- a/source3/libnet/libnet_join.c -+++ b/source3/libnet/libnet_join.c -@@ -483,6 +483,19 @@ static ADS_STATUS libnet_join_get_machine_spns(TALLOC_CTX *mem_ctx, - return status; - } - -+static ADS_STATUS add_uniq_spn(TALLOC_CTX *mem_ctx, const char *spn, -+ const char ***array, size_t *num) -+{ -+ bool ok = ads_element_in_array(*array, *num, spn); -+ if (!ok) { -+ ok = add_string_to_array(mem_ctx, spn, array, num); -+ if (!ok) { -+ return ADS_ERROR_LDAP(LDAP_NO_MEMORY); -+ } -+ } -+ return ADS_SUCCESS; -+} -+ - /**************************************************************** - Set a machines dNSHostName and servicePrincipalName attributes - ****************************************************************/ -@@ -497,7 +510,6 @@ static ADS_STATUS libnet_join_set_machine_spn(TALLOC_CTX *mem_ctx, - const char **spn_array = NULL; - size_t num_spns = 0; - char *spn = NULL; -- bool ok; - const char **netbios_aliases = NULL; - - /* Find our DN */ -@@ -527,14 +539,9 @@ static ADS_STATUS libnet_join_set_machine_spn(TALLOC_CTX *mem_ctx, - goto done; - } - -- ok = 
ads_element_in_array(spn_array, num_spns, spn); -- if (!ok) { -- ok = add_string_to_array(frame, spn, -- &spn_array, &num_spns); -- if (!ok) { -- status = ADS_ERROR_LDAP(LDAP_NO_MEMORY); -- goto done; -- } -+ status = add_uniq_spn(frame, spn, &spn_array, &num_spns); -+ if (!ADS_ERR_OK(status)) { -+ goto done; - } - - fstr_sprintf(my_fqdn, "%s.%s", r->in.machine_name, lp_dnsdomain()); -@@ -550,14 +557,9 @@ static ADS_STATUS libnet_join_set_machine_spn(TALLOC_CTX *mem_ctx, - goto done; - } - -- ok = ads_element_in_array(spn_array, num_spns, spn); -- if (!ok) { -- ok = add_string_to_array(frame, spn, -- &spn_array, &num_spns); -- if (!ok) { -- status = ADS_ERROR_LDAP(LDAP_NO_MEMORY); -- goto done; -- } -+ status = add_uniq_spn(frame, spn, &spn_array, &num_spns); -+ if (!ADS_ERR_OK(status)) { -+ goto done; - } - - for (netbios_aliases = lp_netbios_aliases(); -@@ -576,14 +578,8 @@ static ADS_STATUS libnet_join_set_machine_spn(TALLOC_CTX *mem_ctx, - goto done; - } - -- ok = ads_element_in_array(spn_array, num_spns, spn); -- if (ok) { -- continue; -- } -- ok = add_string_to_array(spn_array, spn, -- &spn_array, &num_spns); -- if (!ok) { -- status = ADS_ERROR_LDAP(LDAP_NO_MEMORY); -+ status = add_uniq_spn(frame, spn, &spn_array, &num_spns); -+ if (!ADS_ERR_OK(status)) { - goto done; - } - -@@ -600,14 +596,8 @@ static ADS_STATUS libnet_join_set_machine_spn(TALLOC_CTX *mem_ctx, - goto done; - } - -- ok = ads_element_in_array(spn_array, num_spns, spn); -- if (ok) { -- continue; -- } -- ok = add_string_to_array(spn_array, spn, -- &spn_array, &num_spns); -- if (!ok) { -- status = ADS_ERROR_LDAP(LDAP_NO_MEMORY); -+ status = add_uniq_spn(frame, spn, &spn_array, &num_spns); -+ if (!ADS_ERR_OK(status)) { - goto done; - } - } --- -2.21.0 - - -From db7560ff0fb861552406bb4c422cff55c82f58bf Mon Sep 17 00:00:00 2001 -From: Isaac Boukris -Date: Tue, 17 Sep 2019 21:38:07 +0300 -Subject: [PATCH 5/6] docs-xml: add "additional dns hostnames" smb.conf option - -BUG: 
https://bugzilla.samba.org/show_bug.cgi?id=14116 - -Signed-off-by: Isaac Boukris -Reviewed-by: Ralph Boehme -Reviewed-by: Alexander Bokovoy ---- - docs-xml/smbdotconf/base/additionaldnshostnames.xml | 11 +++++++++++ - 1 file changed, 11 insertions(+) - create mode 100644 docs-xml/smbdotconf/base/additionaldnshostnames.xml - -diff --git a/docs-xml/smbdotconf/base/additionaldnshostnames.xml b/docs-xml/smbdotconf/base/additionaldnshostnames.xml -new file mode 100644 -index 00000000000..ddc04ee9f81 ---- /dev/null -+++ b/docs-xml/smbdotconf/base/additionaldnshostnames.xml -@@ -0,0 +1,11 @@ -+ -+ -+ A list of additional DNS names by which this host can be identified -+ -+ -+empty string (no additional dns names) -+ host2.example.com host3.other.com -+ --- -2.21.0 - - -From 2669cecc51f8f7d6675b4dac9b345b3c5a7fc879 Mon Sep 17 00:00:00 2001 -From: Isaac Boukris -Date: Fri, 13 Sep 2019 10:56:10 +0300 -Subject: [PATCH 6/6] libnet_join: add SPNs for additional-dns-hostnames - entries -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -and set msDS-AdditionalDnsHostName to the specified list. 
- -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14116 - -Signed-off-by: Isaac Boukris -Reviewed-by: Ralph Boehme -Reviewed-by: Alexander Bokovoy - -Autobuild-User(master): Ralph Böhme -Autobuild-Date(master): Fri Oct 25 10:43:08 UTC 2019 on sn-devel-184 ---- - source3/libnet/libnet_join.c | 27 +++++++++++++++++++++++++++ - testprogs/blackbox/test_net_ads.sh | 10 +++++++++- - 2 files changed, 36 insertions(+), 1 deletion(-) - -diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c -index a1d8a25bbc2..eb8e0ea17f7 100644 ---- a/source3/libnet/libnet_join.c -+++ b/source3/libnet/libnet_join.c -@@ -511,6 +511,7 @@ static ADS_STATUS libnet_join_set_machine_spn(TALLOC_CTX *mem_ctx, - size_t num_spns = 0; - char *spn = NULL; - const char **netbios_aliases = NULL; -+ const char **addl_hostnames = NULL; - - /* Find our DN */ - -@@ -602,6 +603,22 @@ static ADS_STATUS libnet_join_set_machine_spn(TALLOC_CTX *mem_ctx, - } - } - -+ for (addl_hostnames = lp_additional_dns_hostnames(); -+ addl_hostnames != NULL && *addl_hostnames != NULL; -+ addl_hostnames++) { -+ -+ spn = talloc_asprintf(frame, "HOST/%s", *addl_hostnames); -+ if (spn == NULL) { -+ status = ADS_ERROR_LDAP(LDAP_NO_MEMORY); -+ goto done; -+ } -+ -+ status = add_uniq_spn(frame, spn, &spn_array, &num_spns); -+ if (!ADS_ERR_OK(status)) { -+ goto done; -+ } -+ } -+ - /* make sure to NULL terminate the array */ - spn_array = talloc_realloc(frame, spn_array, const char *, num_spns + 1); - if (spn_array == NULL) { -@@ -629,6 +646,16 @@ static ADS_STATUS libnet_join_set_machine_spn(TALLOC_CTX *mem_ctx, - goto done; - } - -+ addl_hostnames = lp_additional_dns_hostnames(); -+ if (addl_hostnames != NULL && *addl_hostnames != NULL) { -+ status = ads_mod_strlist(mem_ctx, &mods, -+ "msDS-AdditionalDnsHostName", -+ addl_hostnames); -+ if (!ADS_ERR_OK(status)) { -+ goto done; -+ } -+ } -+ - status = ads_gen_mod(r->in.ads, r->out.dn, mods); - - done: -diff --git a/testprogs/blackbox/test_net_ads.sh 
b/testprogs/blackbox/test_net_ads.sh -index ef6f99ddea4..8bcff006b8e 100755 ---- a/testprogs/blackbox/test_net_ads.sh -+++ b/testprogs/blackbox/test_net_ads.sh -@@ -202,13 +202,21 @@ base_dn="DC=addom,DC=samba,DC=example,DC=com" - computers_dn="CN=Computers,$base_dn" - testit "ldb check for existence of machine account" $ldbsearch -U$DC_USERNAME%$DC_PASSWORD -H ldap://$SERVER.$REALM -s base -b "cn=$HOSTNAME,$computers_dn" || failed=`expr $failed + 1` - --testit "join" $VALGRIND $net_tool ads join -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1` -+dns_alias1="${netbios}_alias1.other.${lc_realm}" -+dns_alias2="${netbios}_alias2.other2.${lc_realm}" -+testit "join" $VALGRIND $net_tool --option=additionaldnshostnames=$dns_alias1,$dns_alias2 ads join -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1` - - testit "testjoin" $VALGRIND $net_tool ads testjoin || failed=`expr $failed + 1` - - testit_grep "check dNSHostName" $fqdn $VALGRIND $net_tool ads search -P samaccountname=$netbios\$ dNSHostName || failed=`expr $failed + 1` - testit_grep "check SPN" ${uc_netbios}.${lc_realm} $VALGRIND $net_tool ads search -P samaccountname=$netbios\$ servicePrincipalName || failed=`expr $failed + 1` - -+testit_grep "dns alias SPN" $dns_alias1 $VALGRIND $net_tool ads search -P samaccountname=$netbios\$ servicePrincipalName || failed=`expr $failed + 1` -+testit_grep "dns alias SPN" $dns_alias2 $VALGRIND $net_tool ads search -P samaccountname=$netbios\$ servicePrincipalName || failed=`expr $failed + 1` -+ -+testit_grep "dns alias addl" $dns_alias1 $VALGRIND $net_tool ads search -P samaccountname=$netbios\$ msDS-AdditionalDnsHostName || failed=`expr $failed + 1` -+testit_grep "dns alias addl" $dns_alias2 $VALGRIND $net_tool ads search -P samaccountname=$netbios\$ msDS-AdditionalDnsHostName || failed=`expr $failed + 1` -+ - ##Goodbye... - testit "leave" $VALGRIND $net_tool ads leave -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1` - --- -2.21.0 - 
diff --git a/SOURCES/samba-4.11.2.tar.asc b/SOURCES/samba-4.11.2.tar.asc
deleted file mode 100644
index 004f448..0000000
--- a/SOURCES/samba-4.11.2.tar.asc
+++ /dev/null
@@ -1,7 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iHMEABECADMWIQRS+8C4bZVLCEMyTNxvM5FbZWi36gUCXbFv2hUcc2FtYmEtYnVn
-c0BzYW1iYS5vcmcACgkQbzORW2Vot+rLpwCgkrZUeff9Ct6UDh5TH8ZBHV9tNDYA
-oJ650zGhAVJEsuzoJGkEM0WeeT6N
-=BZ0i
------END PGP SIGNATURE-----
diff --git a/SOURCES/samba-4.11.3-fix_smb1_cli_qpathinfo_2_3.patch b/SOURCES/samba-4.11.3-fix_smb1_cli_qpathinfo_2_3.patch
deleted file mode 100644
index b8afd92..0000000
--- a/SOURCES/samba-4.11.3-fix_smb1_cli_qpathinfo_2_3.patch
+++ /dev/null
@@ -1,172 +0,0 @@ -From f38cf794fe16e5b160db1a3f4f17d5e5c7601d5c Mon Sep 17 00:00:00 2001 -From: Jeremy Allison -Date: Thu, 17 Oct 2019 11:39:02 -0700 -Subject: [PATCH 1/2] s3: libsmb: Ensure SMB1 cli_qpathinfo2() doesn't return - an inode number. - -The info level it uses doesn't return that, previously we -were using the field that is returned as the EA size as -the inode number (which is usually zero, so the code in -libsmbclient would then synthesize an inode number from -a hash of the pathname, which is all it can do for SMB1). - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14161 - -Signed-off-by: Jeremy Allison -Reviewed-by: Andreas Schneider -(cherry picked from commit d495074ee27a5f528d5156a69800ee58d799b1eb) ---- - source3/libsmb/clirap.c | 10 +++++++++- - 1 file changed, 9 insertions(+), 1 deletion(-) - -diff --git a/source3/libsmb/clirap.c b/source3/libsmb/clirap.c -index e80dfc92a77..b4b40ebdab4 100644 ---- a/source3/libsmb/clirap.c -+++ b/source3/libsmb/clirap.c -@@ -855,7 +855,15 @@ NTSTATUS cli_qpathinfo2_recv(struct tevent_req *req, - *size = IVAL2_TO_SMB_BIG_UINT(state->data,48); - } - if (ino) { -- *ino = IVAL(state->data, 64); -+ /* -+ * SMB1 qpathinfo2 uses SMB_QUERY_FILE_ALL_INFO -+ * which doesn't return an inode number (fileid). -+ * We can't change this to one of the FILE_ID -+ * info levels as only Win2003 and above support -+ * these [MS-SMB: 2.2.2.3.1] and the SMB1 code -+ * needs to support older servers. -+ */ -+ *ino = 0; - } - return NT_STATUS_OK; - } --- -2.23.0.866.gb869b98d4c-goog - - -From 9c1abe9348c83a2ecd63563f2b47ddf22fd814be Mon Sep 17 00:00:00 2001 -From: Jeremy Allison -Date: Thu, 17 Oct 2019 12:41:08 -0700 -Subject: [PATCH 2/2] s3: torture: Ensure SMB1 cli_qpathinfo2() doesn't return - an inode number. 
- -Piggyback on existing tests, ensure we don't regress on: - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14161 - -Signed-off-by: Jeremy Allison -Reviewed-by: Andreas Schneider -(cherry picked from commit 8e55a8562951924e4b1aad5a6d67fc8b309590c1) ---- - source3/torture/torture.c | 49 +++++++++++++++++++++++++++++++++++++-- - 1 file changed, 47 insertions(+), 2 deletions(-) - -diff --git a/source3/torture/torture.c b/source3/torture/torture.c -index 66dc0cf4d1c..a795e61125f 100644 ---- a/source3/torture/torture.c -+++ b/source3/torture/torture.c -@@ -4211,6 +4211,7 @@ static bool run_trans2test(int dummy) - bool correct = True; - NTSTATUS status; - uint32_t fs_attr; -+ uint64_t ino; - - printf("starting trans2 test\n"); - -@@ -4218,6 +4219,14 @@ static bool run_trans2test(int dummy) - return False; - } - -+ if (smbXcli_conn_protocol(cli->conn) >= PROTOCOL_SMB2_02) { -+ /* Ensure ino is zero, SMB2 gets a real one. */ -+ ino = 0; -+ } else { -+ /* Ensure ino is -1, SMB1 never gets a real one. */ -+ ino = (uint64_t)-1; -+ } -+ - status = cli_get_fs_attr_info(cli, &fs_attr); - if (!NT_STATUS_IS_OK(status)) { - printf("ERROR: cli_get_fs_attr_info returned %s\n", -@@ -4289,7 +4298,7 @@ static bool run_trans2test(int dummy) - O_RDWR | O_CREAT | O_TRUNC, DENY_NONE, &fnum); - cli_close(cli, fnum); - status = cli_qpathinfo2(cli, fname, &c_time_ts, &a_time_ts, &w_time_ts, -- &m_time_ts, &size, NULL, NULL); -+ &m_time_ts, &size, NULL, &ino); - if (!NT_STATUS_IS_OK(status)) { - printf("ERROR: qpathinfo2 failed (%s)\n", nt_errstr(status)); - correct = False; -@@ -4299,6 +4308,19 @@ static bool run_trans2test(int dummy) - printf("This system appears to set a initial 0 write time\n"); - correct = False; - } -+ if (smbXcli_conn_protocol(cli->conn) >= PROTOCOL_SMB2_02) { -+ /* SMB2 should always return an inode. */ -+ if (ino == 0) { -+ printf("SMB2 bad inode (0)\n"); -+ correct = false; -+ } -+ } else { -+ /* SMB1 must always return zero here. 
*/ -+ if (ino != 0) { -+ printf("SMB1 bad inode (!0)\n"); -+ correct = false; -+ } -+ } - } - - cli_unlink(cli, fname, FILE_ATTRIBUTE_SYSTEM | FILE_ATTRIBUTE_HIDDEN); -@@ -11593,11 +11615,20 @@ static bool run_dir_createtime(int dummy) - struct timespec create_time1; - uint16_t fnum; - bool ret = false; -+ uint64_t ino; - - if (!torture_open_connection(&cli, 0)) { - return false; - } - -+ if (smbXcli_conn_protocol(cli->conn) >= PROTOCOL_SMB2_02) { -+ /* Ensure ino is zero, SMB2 gets a real one. */ -+ ino = 0; -+ } else { -+ /* Ensure ino is -1, SMB1 never gets a real one. */ -+ ino = (uint64_t)-1; -+ } -+ - cli_unlink(cli, fname, FILE_ATTRIBUTE_SYSTEM | FILE_ATTRIBUTE_HIDDEN); - cli_rmdir(cli, dname); - -@@ -11608,13 +11639,27 @@ static bool run_dir_createtime(int dummy) - } - - status = cli_qpathinfo2(cli, dname, &create_time, NULL, NULL, NULL, -- NULL, NULL, NULL); -+ NULL, NULL, &ino); - if (!NT_STATUS_IS_OK(status)) { - printf("cli_qpathinfo2 returned %s\n", - nt_errstr(status)); - goto out; - } - -+ if (smbXcli_conn_protocol(cli->conn) >= PROTOCOL_SMB2_02) { -+ /* SMB2 should always return an inode. */ -+ if (ino == 0) { -+ printf("SMB2 bad inode (0)\n"); -+ goto out; -+ } -+ } else { -+ /* SMB1 must always return zero here. */ -+ if (ino != 0) { -+ printf("SMB1 bad inode (!0)\n"); -+ goto out; -+ } -+ } -+ - /* Sleep 3 seconds, then create a file. */ - sleep(3); - --- -2.23.0.866.gb869b98d4c-goog - diff --git a/SOURCES/samba-4.11.3-only_link_libnsl_libsocket_if_needed.patch b/SOURCES/samba-4.11.3-only_link_libnsl_libsocket_if_needed.patch deleted file mode 100644 index 11d8e78..0000000 --- a/SOURCES/samba-4.11.3-only_link_libnsl_libsocket_if_needed.patch +++ /dev/null 
@@ -1,85 +0,0 @@ -From 2958016c30a8d9f80a45b64e91a20d8ebf995d85 Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Mon, 21 Oct 2019 17:08:08 +0200 -Subject: [PATCH] replace: Only link libnsl and libsocket if requrired - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14168 - -Signed-off-by: Andreas Schneider -Reviewed-by: Alexander Bokovoy - -Autobuild-User(master): Andreas Schneider -Autobuild-Date(master): Wed Oct 23 08:23:13 UTC 2019 on sn-devel-184 - -(cherry picked from commit 263bec1b8d0744da73dd92e4a361fb7430289ab3) - -Autobuild-User(v4-11-test): Karolin Seeger -Autobuild-Date(v4-11-test): Mon Nov 4 09:31:23 UTC 2019 on sn-devel-184 ---- - lib/replace/wscript | 36 +++++++++++++++++++++++++++++++----- - 1 file changed, 31 insertions(+), 5 deletions(-) - -diff --git a/lib/replace/wscript b/lib/replace/wscript -index 240d730cbee..56e2a22de49 100644 ---- a/lib/replace/wscript -+++ b/lib/replace/wscript -@@ -190,10 +190,35 @@ def configure(conf): - conf.CHECK_TYPE_IN('sig_atomic_t', 'signal.h', define='HAVE_SIG_ATOMIC_T_TYPE') - conf.CHECK_FUNCS('sigsetmask siggetmask sigprocmask sigblock sigaction sigset') - -- conf.CHECK_FUNCS_IN('''inet_ntoa inet_aton inet_ntop inet_pton connect gethostbyname -- getaddrinfo getnameinfo freeaddrinfo gai_strerror socketpair''', -- 'socket nsl', checklibc=True, -- headers='sys/socket.h netinet/in.h arpa/inet.h netdb.h') -+ # Those functions are normally available in libc -+ if not conf.CHECK_FUNCS(''' -+ inet_ntoa -+ inet_aton -+ inet_ntop -+ inet_pton -+ connect -+ gethostbyname -+ getaddrinfo -+ getnameinfo -+ freeaddrinfo -+ gai_strerror -+ socketpair''', -+ headers='sys/socket.h netinet/in.h arpa/inet.h netdb.h'): -+ conf.CHECK_FUNCS_IN(''' -+ inet_ntoa -+ inet_aton -+ inet_ntop -+ inet_pton -+ connect -+ gethostbyname -+ getaddrinfo -+ getnameinfo -+ freeaddrinfo -+ gai_strerror -+ socketpair''', -+ 'socket nsl', -+ headers='sys/socket.h netinet/in.h arpa/inet.h netdb.h') -+ 
conf.DEFINE('REPLACE_REQUIRES_LIBSOCKET_LIBNSL', 1) - - conf.CHECK_FUNCS('memset_s memset_explicit') - -@@ -836,6 +861,7 @@ def build(bld): - extra_libs = '' - if bld.CONFIG_SET('HAVE_LIBBSD'): extra_libs += ' bsd' - if bld.CONFIG_SET('HAVE_LIBRT'): extra_libs += ' rt' -+ if bld.CONFIG_SET('REPLACE_REQUIRES_LIBSOCKET_LIBNSL'): extra_libs += ' socket nsl' - - bld.SAMBA_SUBSYSTEM('LIBREPLACE_HOSTCC', - REPLACE_HOSTCC_SOURCE, -@@ -876,7 +902,7 @@ def build(bld): - # at the moment: - # hide_symbols=bld.BUILTIN_LIBRARY('replace'), - private_library=True, -- deps='crypt dl nsl socket attr' + extra_libs) -+ deps='crypt dl attr' + extra_libs) - - replace_test_cflags = '' - if bld.CONFIG_SET('HAVE_WNO_FORMAT_TRUNCATION'): --- -2.23.0 - diff --git a/SOURCES/samba-4.11.7-fix_segfault_in_smbd_do_qfilepathinfo.patch b/SOURCES/samba-4.11.7-fix_segfault_in_smbd_do_qfilepathinfo.patch deleted file mode 100644 index d079d31..0000000 --- a/SOURCES/samba-4.11.7-fix_segfault_in_smbd_do_qfilepathinfo.patch +++ /dev/null 
@@ -1,33 +0,0 @@
-From 7de67a994e84c2fadccb48c2448f2cba529a57fd Mon Sep 17 00:00:00 2001
-From: Volker Lendecke
-Date: Wed, 31 Jul 2019 10:42:24 +0200
-Subject: [PATCH] smbd: Fix the build with clang
-
-clang correctly complains that "close_fsp" is used uninitialized if
-"get_posix_fsp" fails and we end up in "goto out;".
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=14251
-
-Signed-off-by: Volker Lendecke
-Reviewed-by: Jeremy Allison
-(cherry picked from commit a8a1ca3f83dce6d725392989cbc97271cbf52f4a)
----
- source3/smbd/trans2.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/source3/smbd/trans2.c b/source3/smbd/trans2.c
-index b0616f15ade..8164c8fd213 100644
---- a/source3/smbd/trans2.c
-+++ b/source3/smbd/trans2.c
-@@ -4848,7 +4848,7 @@ static NTSTATUS smb_query_posix_acl(connection_struct *conn,
- unsigned int size_needed = 0;
- NTSTATUS status;
- bool ok;
-- bool close_fsp;
-+ bool close_fsp = false;
-
- /*
- * Ensure we always operate on a file descriptor, not just
---
-2.24.1
-
diff --git a/SOURCES/samba-4.11.7-fix_smbclient_debug_spam.patch b/SOURCES/samba-4.11.7-fix_smbclient_debug_spam.patch
deleted file mode 100644
index ff175fe..0000000
--- a/SOURCES/samba-4.11.7-fix_smbclient_debug_spam.patch
+++ /dev/null
@@ -1,48 +0,0 @@
-From c50d91d16292a13d29b1125c0aa85c7a7963de5f Mon Sep 17 00:00:00 2001
-From: Andreas Schneider
-Date: Mon, 27 Jan 2020 14:58:10 +0100
-Subject: [PATCH] lib:util: Log mkdir error on correct debug levels
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-For smbd we want an error and for smbclient we only want it in NOTICE
-debug level.
-The default log level of smbclient is log level 1 so we need notice to
-not spam the user.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=14253
-
-Signed-off-by: Andreas Schneider
-Reviewed-by: Guenther Deschner
-
-Autobuild-User(master): Günther Deschner
-Autobuild-Date(master): Mon Jan 27 15:55:24 UTC 2020 on sn-devel-184
-
-(cherry picked from commit 0ad6a243b259d284064c0c5abcc7d430d55be7e1)
----
- lib/util/util.c | 7 +++++--
- 1 file changed, 5 insertions(+), 2 deletions(-)
-
-diff --git a/lib/util/util.c b/lib/util/util.c
-index 3bdeded5c1b..0d9ffe5cb7b 100644
---- a/lib/util/util.c
-+++ b/lib/util/util.c
-@@ -353,9 +353,12 @@ _PUBLIC_ bool directory_create_or_exist(const char *dname,
- old_umask = umask(0);
- ret = mkdir(dname, dir_perms);
- if (ret == -1 && errno != EEXIST) {
-- DBG_WARNING("mkdir failed on directory %s: %s\n",
-+ int dbg_level = geteuid() == 0 ? DBGLVL_ERR : DBGLVL_NOTICE;
-+
-+ DBG_PREFIX(dbg_level,
-+ ("mkdir failed on directory %s: %s\n",
- dname,
-- strerror(errno));
-+ strerror(errno)));
- umask(old_umask);
- return false;
- }
---
-2.25.0
-
diff --git a/SOURCES/samba-4.12-fix_pam_winbind_manpage.patch b/SOURCES/samba-4.12-fix_pam_winbind_manpage.patch
new file mode 100644
index 0000000..3b488f8
--- /dev/null
+++ b/SOURCES/samba-4.12-fix_pam_winbind_manpage.patch
@@ -0,0 +1,41 @@
+From 069ba5774a5ccc72dcc3567bc6d17141d68ddff5 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider
+Date: Thu, 9 Jul 2020 11:48:26 +0200
+Subject: [PATCH] docs: Fix documentation for require_membership_of of
+ pam_winbind
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14358
+
+Signed-off-by: Andreas Schneider
+Reviewed-by: Alexander Bokovoy
+
+Autobuild-User(master): Andreas Schneider
+Autobuild-Date(master): Fri Jul 10 09:40:37 UTC 2020 on sn-devel-184
+
+(cherry picked from commit 4c74db6978c682f8ba4e74a6ee8157cfcbb54971)
+---
+ docs-xml/manpages/pam_winbind.8.xml | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/docs-xml/manpages/pam_winbind.8.xml b/docs-xml/manpages/pam_winbind.8.xml
+index a9a227f1647..a61fb2d58e5 100644
+--- a/docs-xml/manpages/pam_winbind.8.xml
++++ b/docs-xml/manpages/pam_winbind.8.xml
+@@ -84,9 +84,11 @@
+ If this option is set, pam_winbind will only succeed if the user is a member of the given SID or NAME. A SID
+ can be either a group-SID, an alias-SID or even an user-SID. It is also possible to give a NAME instead of the
+ SID. That name must have the form: MYDOMAIN\mygroup or
+- MYDOMAIN\myuser. pam_winbind will, in that case, lookup the SID internally. Note that
+- NAME may not contain any spaces. It is thus recommended to only use SIDs. You can verify the list of SIDs a
+- user is a member of with wbinfo --user-sids=SID.
++ MYDOMAIN\myuser (where '\' character corresponds to the value of
++ winbind separator parameter). It is also possible to use a UPN in the form
++ user@REALM or group@REALM. pam_winbind will, in that case, lookup
++ the SID internally. Note that NAME may not contain any spaces. It is thus recommended to only use SIDs. You can
++ verify the list of SIDs a user is a member of with wbinfo --user-sids=SID.
+
+
+
+--
+2.27.0
+
diff --git a/SOURCES/samba-4.12-fix_winbind_lookuprids.patch b/SOURCES/samba-4.12-fix_winbind_lookuprids.patch
new file mode 100644
index 0000000..43cda48
--- /dev/null
+++ b/SOURCES/samba-4.12-fix_winbind_lookuprids.patch
@@ -0,0 +1,130 @@
+From 3b8312df417b1a1fbd712b9494d5dad495e33f6d Mon Sep 17 00:00:00 2001
+From: Volker Lendecke
+Date: Wed, 8 Jul 2020 15:00:49 +0200
+Subject: [PATCH 1/2] winbind: Add test for lookuprids cache problem
+
+When reading entries from gencache, wb_cache_rids_to_names() can
+return STATUS_SOME_UNMAPPED, which _wbint_LookupRids() does not handle
+correctly.
+
+This test enforces this situation by filling gencache with one wbinfo
+-R and then erasing the winbindd_cache.tdb. This forces winbind to
+enter the domain helper process, which will then read from gencache
+filled with the previous wbinfo -R.
+
+Without having the entries cached this does not happen because
+wb_cache_rids_to_names() via the do_query: path calls deep inside
+calls dcerpc_lsa_lookup_sids_noalloc(), which hides the
+STATUS_SOME_UNMAPPED that came in as lsa_LookupSids result value.
+
+Bug: https://bugzilla.samba.org/show_bug.cgi?id=14435
+Signed-off-by: Volker Lendecke
+Reviewed-by: Ralph Boehme
+(cherry picked from commit 04eafce653afcff517317d2b190acc4f0cbf4c61)
+---
+ selftest/knownfail.d/lookuprids_cache | 1 +
+ .../tests/test_wbinfo_lookuprids_cache.sh | 21 +++++++++++++++++++
+ source3/selftest/tests.py | 5 +++++
+ 3 files changed, 27 insertions(+)
+ create mode 100644 selftest/knownfail.d/lookuprids_cache
+ create mode 100755 source3/script/tests/test_wbinfo_lookuprids_cache.sh
+
+diff --git a/selftest/knownfail.d/lookuprids_cache b/selftest/knownfail.d/lookuprids_cache
+new file mode 100644
+index 00000000000..d3c40a62b45
+--- /dev/null
++++ b/selftest/knownfail.d/lookuprids_cache
+@@ -0,0 +1 @@
++^samba.wbinfo_lookuprids_cache.lookuprids2\(nt4_member:local\)
+\ No newline at end of file
+diff --git a/source3/script/tests/test_wbinfo_lookuprids_cache.sh b/source3/script/tests/test_wbinfo_lookuprids_cache.sh
+new file mode 100755
+index 00000000000..0b21ffcd7c9
+--- /dev/null
++++ b/source3/script/tests/test_wbinfo_lookuprids_cache.sh
+@@ -0,0 +1,21 @@
++#!/bin/sh
++
++WBINFO="$VALGRIND ${WBINFO:-$BINDIR/wbinfo}"
++TDBTOOL="${TDBTOOL:-$BINDIR/tdbtool}"
++TDBDUMP="${TDBDUMP:-$BINDIR/tdbdump}"
++NET="$VALGRIND ${NET:-$BINDIR/net}"
++
++cache="$LOCK_DIR"/winbindd_cache.tdb
++
++incdir=`dirname $0`/../../../testprogs/blackbox
++. $incdir/subunit.sh
++
++testit "flush" "$NET" "cache" "flush" || failed=`expr $failed + 1`
++testit "lookuprids1" "$WBINFO" "-R" "512,12345" || failed=`expr $failed + 1`
++
++key=$("$TDBDUMP" "$cache" | grep ^key.*NDR.*/16/ | cut -d\" -f2)
++
++testit "delete" "$TDBTOOL" "$cache" delete "$key"
++testit "lookuprids2" "$WBINFO" "-R" "512,12345" || failed=`expr $failed + 1`
++
++testok $0 $failed
+diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py
+index dc44160e50d..b01a3c1aad1 100755
+--- a/source3/selftest/tests.py
++++ b/source3/selftest/tests.py
+@@ -332,6 +332,11 @@ env = "nt4_member:local"
+ plantestsuite("samba3.wbinfo_sids_to_xids", env,
+ [os.path.join(srcdir(),
+ "nsswitch/tests/test_wbinfo_sids_to_xids.sh")])
++plantestsuite(
++ "samba.wbinfo_lookuprids_cache",
++ env,
++ [os.path.join(samba3srcdir,
++ "script/tests/test_wbinfo_lookuprids_cache.sh")])
+
+ env = "ad_member"
+ t = "WBCLIENT-MULTI-PING"
+--
+2.20.1
+
+
+From 7389996f5e04acb79a760cb72b9d5c5a617262b8 Mon Sep 17 00:00:00 2001
+From: Volker Lendecke
+Date: Wed, 8 Jul 2020 15:09:45 +0200
+Subject: [PATCH 2/2] winbind: Fix lookuprids cache problem
+
+Bug: https://bugzilla.samba.org/show_bug.cgi?id=14435
+Signed-off-by: Volker Lendecke
+Reviewed-by: Ralph Boehme
+
+Autobuild-User(master): Volker Lendecke
+Autobuild-Date(master): Thu Jul 9 21:40:52 UTC 2020 on sn-devel-184
+
+(cherry picked from commit cd4122d91e942ca465c03505d5e148117f505ba4)
+---
+ selftest/knownfail.d/lookuprids_cache | 1 -
+ source3/winbindd/winbindd_dual_srv.c | 3 ++-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+ delete mode 100644 selftest/knownfail.d/lookuprids_cache
+
+diff --git a/selftest/knownfail.d/lookuprids_cache
b/selftest/knownfail.d/lookuprids_cache
+deleted file mode 100644
+index d3c40a62b45..00000000000
+--- a/selftest/knownfail.d/lookuprids_cache
++++ /dev/null
+@@ -1 +0,0 @@
+-^samba.wbinfo_lookuprids_cache.lookuprids2\(nt4_member:local\)
+\ No newline at end of file
+diff --git a/source3/winbindd/winbindd_dual_srv.c b/source3/winbindd/winbindd_dual_srv.c
+index 13345caa41b..63bb614a0ca 100644
+--- a/source3/winbindd/winbindd_dual_srv.c
++++ b/source3/winbindd/winbindd_dual_srv.c
+@@ -672,7 +672,8 @@ NTSTATUS _wbint_LookupRids(struct pipes_struct *p, struct wbint_LookupRids *r)
+ r->in.rids->rids, r->in.rids->num_rids,
+ &domain_name, &names, &types);
+ reset_cm_connection_on_error(domain, NULL, status);
+- if (!NT_STATUS_IS_OK(status)) {
++ if (!NT_STATUS_IS_OK(status) &&
++ !NT_STATUS_EQUAL(status, STATUS_SOME_UNMAPPED)) {
+ return status;
+ }
+
+--
+2.20.1
+
diff --git a/SOURCES/samba-4.12-gnutls-priority-list.patch b/SOURCES/samba-4.12-gnutls-priority-list.patch
new file mode 100644
index 0000000..4b143d9
--- /dev/null
+++ b/SOURCES/samba-4.12-gnutls-priority-list.patch
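Review bot: In test_wbinfo_lookuprids_cache.sh the `testit "delete" "$TDBTOOL" "$cache" delete "$key"` step is the only one without a `|| failed=` accounting, so a failed or no-op deletion is never counted and the following lookuprids2 check can then pass without ever exercising the cache-miss path the commit message describes. The `key=$("$TDBDUMP" "$cache" | grep ^key.*NDR.*/16/ | cut -d\" -f2)` line also leaves the grep pattern unquoted, so the shell may glob-expand it, and an empty `$key` is handed to tdbtool silently. I would change those two lines to `key=$("$TDBDUMP" "$cache" | grep '^key.*NDR.*/16/' | cut -d'"' -f2)` and `testit "delete" "$TDBTOOL" "$cache" delete "$key" || failed=$((failed + 1))`, and guard the empty case with `[ -n "$key" ] || failed=$((failed + 1))` before the delete so the test fails loudly when the cache record is not found.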
@@ -0,0 +1,342 @@ +From 2840bd0becee307f4ee896b26e9f29baac03c347 Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Mon, 15 Jun 2020 11:50:16 +0200 +Subject: [PATCH 1/2] s3:lib:tls: Use better priority lists for modern GnuTLS + +We should use the default priority list. That is a good practice, +because TLS protocol hardening and phasing out of legacy algorithms, +is easier to co-ordinate when happens at a single place. See crypto +policies of Fedora. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14408 + +Signed-off-by: Andreas Schneider +Reviewed-by: Alexander Bokovoy + +Autobuild-User(master): Andreas Schneider +Autobuild-Date(master): Wed Jun 17 17:42:02 UTC 2020 on sn-devel-184 +--- + docs-xml/smbdotconf/security/tlspriority.xml | 10 ++--- + lib/param/loadparm.c | 10 ++++- + python/samba/tests/docs.py | 20 ++++++++++ + source3/param/loadparm.c | 11 +++++- + source4/lib/tls/tls_tstream.c | 40 +++++++++++++++----- + wscript_configure_system_gnutls | 3 ++ + 6 files changed, 76 insertions(+), 18 deletions(-) + +diff --git a/docs-xml/smbdotconf/security/tlspriority.xml b/docs-xml/smbdotconf/security/tlspriority.xml +index d7214a4c1ea..6d1f0dcb912 100644 +--- a/docs-xml/smbdotconf/security/tlspriority.xml ++++ b/docs-xml/smbdotconf/security/tlspriority.xml +@@ -7,15 +7,15 @@ + to be supported in the parts of Samba that use GnuTLS, specifically + the AD DC. + +- The default turns off SSLv3, as this protocol is no longer considered +- secure after CVE-2014-3566 (otherwise known as POODLE) impacted SSLv3 use +- in HTTPS applications. +- ++ The string is appended to the default priority list of GnuTLS. + The valid options are described in the + GNUTLS + Priority-Strings documentation at http://gnutls.org/manual/html_node/Priority-Strings.html + ++ By default it will try to find a config file matching "SAMBA", but if ++ that does not exist will use the entry for "SYSTEM" and last fallback to ++ NORMAL. In all cases the SSL3.0 protocol will be disabled. 
+ + +- NORMAL:-VERS-SSL3.0 ++ @SAMBA,SYSTEM,NORMAL:!-VERS-SSL3.0 + +diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c +index 63291283905..8fdd844fbaa 100644 +--- a/lib/param/loadparm.c ++++ b/lib/param/loadparm.c +@@ -2803,7 +2803,15 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx) + lpcfg_do_global_parameter(lp_ctx, "tls keyfile", "tls/key.pem"); + lpcfg_do_global_parameter(lp_ctx, "tls certfile", "tls/cert.pem"); + lpcfg_do_global_parameter(lp_ctx, "tls cafile", "tls/ca.pem"); +- lpcfg_do_global_parameter(lp_ctx, "tls priority", "NORMAL:-VERS-SSL3.0"); ++#ifdef HAVE_GNUTLS_SET_DEFAULT_PRIORITY_APPEND ++ lpcfg_do_global_parameter(lp_ctx, ++ "tls priority", ++ "@SAMBA,SYSTEM,NORMAL:!-VERS-SSL3.0"); ++#else ++ lpcfg_do_global_parameter(lp_ctx, ++ "tls priority", ++ "NORMAL:-VERS-SSL3.0"); ++#endif + + lpcfg_do_global_parameter(lp_ctx, "nsupdate command", "/usr/bin/nsupdate -g"); + +diff --git a/python/samba/tests/docs.py b/python/samba/tests/docs.py +index 32a16a98fbc..789865221cb 100644 +--- a/python/samba/tests/docs.py ++++ b/python/samba/tests/docs.py +@@ -26,6 +26,21 @@ import os + import subprocess + import xml.etree.ElementTree as ET + ++config_h = os.path.join("bin/default/include/config.h") ++config_hash = dict() ++ ++if os.path.exists(config_h): ++ config_hash = dict() ++ f = open(config_h, 'r') ++ try: ++ lines = f.readlines() ++ config_hash = dict((x[0], ' '.join(x[1:])) ++ for x in map(lambda line: line.strip().split(' ')[1:], ++ list(filter(lambda line: (line[0:7] == '#define') and (len(line.split(' ')) > 2), lines)))) ++ finally: ++ f.close() ++ ++have_gnutls_system_config_support = ("HAVE_GNUTLS_SET_DEFAULT_PRIORITY_APPEND" in config_hash) + + class TestCase(samba.tests.TestCaseInTempDir): + +@@ -127,6 +142,11 @@ class SmbDotConfTests(TestCase): + 'smbd max async dosmode', + ]) + ++ # 'tls priority' has a legacy default value if we don't link against a ++ # modern GnuTLS version. 
++ if not have_gnutls_system_config_support: ++ special_cases.add('tls priority') ++ + def setUp(self): + super(SmbDotConfTests, self).setUp() + # create a minimal smb.conf file for testparm +diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c +index d3d81f6ece5..2b1a63998d6 100644 +--- a/source3/param/loadparm.c ++++ b/source3/param/loadparm.c +@@ -885,8 +885,15 @@ static void init_globals(struct loadparm_context *lp_ctx, bool reinit_globals) + lpcfg_string_set(Globals.ctx, &Globals._tls_keyfile, "tls/key.pem"); + lpcfg_string_set(Globals.ctx, &Globals._tls_certfile, "tls/cert.pem"); + lpcfg_string_set(Globals.ctx, &Globals._tls_cafile, "tls/ca.pem"); +- lpcfg_string_set(Globals.ctx, &Globals.tls_priority, +- "NORMAL:-VERS-SSL3.0"); ++#ifdef HAVE_GNUTLS_SET_DEFAULT_PRIORITY_APPEND ++ lpcfg_string_set(Globals.ctx, ++ &Globals.tls_priority, ++ "@SAMBA,SYSTEM,NORMAL:!-VERS-SSL3.0"); ++#else ++ lpcfg_string_set(Globals.ctx, ++ &Globals.tls_priority, ++ "NORMAL!-VERS-SSL3.0"); ++#endif + + lpcfg_string_set(Globals.ctx, &Globals.share_backend, "classic"); + +diff --git a/source4/lib/tls/tls_tstream.c b/source4/lib/tls/tls_tstream.c +index 55bca036776..d984addeec5 100644 +--- a/source4/lib/tls/tls_tstream.c ++++ b/source4/lib/tls/tls_tstream.c +@@ -1035,16 +1035,26 @@ struct tevent_req *_tstream_tls_connect_send(TALLOC_CTX *mem_ctx, + return tevent_req_post(req, ev); + } + +- ret = gnutls_priority_set_direct(tlss->tls_session, +- tls_params->tls_priority, +- &error_pos); ++ ret = gnutls_set_default_priority(tlss->tls_session); + if (ret != GNUTLS_E_SUCCESS) { +- DEBUG(0,("TLS %s - %s. Check 'tls priority' option at '%s'\n", +- __location__, gnutls_strerror(ret), error_pos)); ++ DBG_ERR("TLS %s - %s. 
Failed to set default priorities\n", ++ __location__, gnutls_strerror(ret)); + tevent_req_error(req, EINVAL); + return tevent_req_post(req, ev); + } + ++ if (strlen(tls_params->tls_priority) > 0) { ++ ret = gnutls_priority_set_direct(tlss->tls_session, ++ tls_params->tls_priority, ++ &error_pos); ++ if (ret != GNUTLS_E_SUCCESS) { ++ DEBUG(0,("TLS %s - %s. Check 'tls priority' option at '%s'\n", ++ __location__, gnutls_strerror(ret), error_pos)); ++ tevent_req_error(req, EINVAL); ++ return tevent_req_post(req, ev); ++ } ++ } ++ + ret = gnutls_credentials_set(tlss->tls_session, + GNUTLS_CRD_CERTIFICATE, + tls_params->x509_cred); +@@ -1284,16 +1294,26 @@ struct tevent_req *_tstream_tls_accept_send(TALLOC_CTX *mem_ctx, + return tevent_req_post(req, ev); + } + +- ret = gnutls_priority_set_direct(tlss->tls_session, +- tlsp->tls_priority, +- &error_pos); ++ ret = gnutls_set_default_priority(tlss->tls_session); + if (ret != GNUTLS_E_SUCCESS) { +- DEBUG(0,("TLS %s - %s. Check 'tls priority' option at '%s'\n", +- __location__, gnutls_strerror(ret), error_pos)); ++ DBG_ERR("TLS %s - %s. Failed to set default priorities\n", ++ __location__, gnutls_strerror(ret)); + tevent_req_error(req, EINVAL); + return tevent_req_post(req, ev); + } + ++ if (strlen(tlsp->tls_priority) > 0) { ++ ret = gnutls_priority_set_direct(tlss->tls_session, ++ tlsp->tls_priority, ++ &error_pos); ++ if (ret != GNUTLS_E_SUCCESS) { ++ DEBUG(0,("TLS %s - %s. 
Check 'tls priority' option at '%s'\n", ++ __location__, gnutls_strerror(ret), error_pos)); ++ tevent_req_error(req, EINVAL); ++ return tevent_req_post(req, ev); ++ } ++ } ++ + ret = gnutls_credentials_set(tlss->tls_session, GNUTLS_CRD_CERTIFICATE, + tlsp->x509_cred); + if (ret != GNUTLS_E_SUCCESS) { +diff --git a/wscript_configure_system_gnutls b/wscript_configure_system_gnutls +index b2b955f3c90..631405fa34c 100644 +--- a/wscript_configure_system_gnutls ++++ b/wscript_configure_system_gnutls +@@ -20,6 +20,9 @@ conf.SET_TARGET_TYPE('gnutls', 'SYSLIB') + # Check for gnutls_pkcs7_get_embedded_data_oid (>= 3.5.5) required by libmscat + conf.CHECK_FUNCS_IN('gnutls_pkcs7_get_embedded_data_oid', 'gnutls') + ++# Check for gnutls_set_default_priority_append (>= 3.6.3) ++conf.CHECK_FUNCS_IN('gnutls_set_default_priority_append', 'gnutls') ++ + # Check for gnutls_aead_cipher_encryptv2 + # + # This is available since version 3.6.10, but 3.6.10 has a bug which got fixed +-- +2.26.2 + + +From fdcf9f23f659025f174b32109a273e80b2ad289e Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Tue, 30 Jun 2020 17:12:17 +0200 +Subject: [PATCH 2/2] tls: Use NORMAL:-VERS-SSL3.0 as the default configuration + +This seems to be really broken in GnuTLS and the documentation is also +not correct. 
+ +This partially reverts 53e3a959b958a3b099df6ecc5f6e294e96bd948e + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14408 + +Signed-off-by: Andreas Schneider +Reviewed-by: Alexander Bokovoy + +Autobuild-User(master): Andrew Bartlett +Autobuild-Date(master): Wed Jul 1 14:56:33 UTC 2020 on sn-devel-184 +--- + docs-xml/smbdotconf/security/tlspriority.xml | 6 ++---- + lib/param/loadparm.c | 6 ------ + python/samba/tests/docs.py | 21 -------------------- + source3/param/loadparm.c | 8 +------- + 4 files changed, 3 insertions(+), 38 deletions(-) + +diff --git a/docs-xml/smbdotconf/security/tlspriority.xml b/docs-xml/smbdotconf/security/tlspriority.xml +index 6d1f0dcb912..471dc25ba3b 100644 +--- a/docs-xml/smbdotconf/security/tlspriority.xml ++++ b/docs-xml/smbdotconf/security/tlspriority.xml +@@ -12,10 +12,8 @@ + GNUTLS + Priority-Strings documentation at http://gnutls.org/manual/html_node/Priority-Strings.html + +- By default it will try to find a config file matching "SAMBA", but if +- that does not exist will use the entry for "SYSTEM" and last fallback to +- NORMAL. In all cases the SSL3.0 protocol will be disabled. ++ The SSL3.0 protocol will be disabled. 
+ + +- @SAMBA,SYSTEM,NORMAL:!-VERS-SSL3.0 ++ NORMAL:-VERS-SSL3.0 + +diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c +index 8fdd844fbaa..4e7e3f599dd 100644 +--- a/lib/param/loadparm.c ++++ b/lib/param/loadparm.c +@@ -2803,15 +2803,9 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx) + lpcfg_do_global_parameter(lp_ctx, "tls keyfile", "tls/key.pem"); + lpcfg_do_global_parameter(lp_ctx, "tls certfile", "tls/cert.pem"); + lpcfg_do_global_parameter(lp_ctx, "tls cafile", "tls/ca.pem"); +-#ifdef HAVE_GNUTLS_SET_DEFAULT_PRIORITY_APPEND +- lpcfg_do_global_parameter(lp_ctx, +- "tls priority", +- "@SAMBA,SYSTEM,NORMAL:!-VERS-SSL3.0"); +-#else + lpcfg_do_global_parameter(lp_ctx, + "tls priority", + "NORMAL:-VERS-SSL3.0"); +-#endif + + lpcfg_do_global_parameter(lp_ctx, "nsupdate command", "/usr/bin/nsupdate -g"); + +diff --git a/python/samba/tests/docs.py b/python/samba/tests/docs.py +index 789865221cb..654a192b510 100644 +--- a/python/samba/tests/docs.py ++++ b/python/samba/tests/docs.py +@@ -26,22 +26,6 @@ import os + import subprocess + import xml.etree.ElementTree as ET + +-config_h = os.path.join("bin/default/include/config.h") +-config_hash = dict() +- +-if os.path.exists(config_h): +- config_hash = dict() +- f = open(config_h, 'r') +- try: +- lines = f.readlines() +- config_hash = dict((x[0], ' '.join(x[1:])) +- for x in map(lambda line: line.strip().split(' ')[1:], +- list(filter(lambda line: (line[0:7] == '#define') and (len(line.split(' ')) > 2), lines)))) +- finally: +- f.close() +- +-have_gnutls_system_config_support = ("HAVE_GNUTLS_SET_DEFAULT_PRIORITY_APPEND" in config_hash) +- + class TestCase(samba.tests.TestCaseInTempDir): + + def _format_message(self, parameters, message): +@@ -142,11 +126,6 @@ class SmbDotConfTests(TestCase): + 'smbd max async dosmode', + ]) + +- # 'tls priority' has a legacy default value if we don't link against a +- # modern GnuTLS version. 
+- if not have_gnutls_system_config_support: +- special_cases.add('tls priority') +- + def setUp(self): + super(SmbDotConfTests, self).setUp() + # create a minimal smb.conf file for testparm +diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c +index 2b1a63998d6..901f01b1c6a 100644 +--- a/source3/param/loadparm.c ++++ b/source3/param/loadparm.c +@@ -885,15 +885,9 @@ static void init_globals(struct loadparm_context *lp_ctx, bool reinit_globals) + lpcfg_string_set(Globals.ctx, &Globals._tls_keyfile, "tls/key.pem"); + lpcfg_string_set(Globals.ctx, &Globals._tls_certfile, "tls/cert.pem"); + lpcfg_string_set(Globals.ctx, &Globals._tls_cafile, "tls/ca.pem"); +-#ifdef HAVE_GNUTLS_SET_DEFAULT_PRIORITY_APPEND + lpcfg_string_set(Globals.ctx, + &Globals.tls_priority, +- "@SAMBA,SYSTEM,NORMAL:!-VERS-SSL3.0"); +-#else +- lpcfg_string_set(Globals.ctx, +- &Globals.tls_priority, +- "NORMAL!-VERS-SSL3.0"); +-#endif ++ "NORMAL:-VERS-SSL3.0"); + + lpcfg_string_set(Globals.ctx, &Globals.share_backend, "classic"); + +-- +2.26.2 + diff --git a/SOURCES/samba-4.12-user-gencache.patch b/SOURCES/samba-4.12-user-gencache.patch new file mode 100644 index 0000000..7836c91 --- /dev/null +++ b/SOURCES/samba-4.12-user-gencache.patch 
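Review bot: After patch 2/2 the `tls priority` documentation still states "The string is appended to the default priority list of GnuTLS", but `_tstream_tls_connect_send()` and `_tstream_tls_accept_send()` call `gnutls_priority_set_direct()` whenever `tls_priority` is non-empty, and that call replaces the session priorities installed by the preceding `gnutls_set_default_priority()` rather than extending them. With the default restored to `NORMAL:-VERS-SSL3.0`, the system-wide policy the first commit message set out to honour is, as far as I can see, only consulted when an administrator explicitly sets `tls priority` to an empty string, and neither the docs nor the loadparm defaults say so. I would reword the docs line to `When set, this string replaces the GnuTLS default priority list rather than extending it.` and add `/* A non-empty 'tls priority' overrides gnutls_set_default_priority() above. */` at each `strlen(...tls_priority) > 0` check. The `conf.CHECK_FUNCS_IN('gnutls_set_default_priority_append', 'gnutls')` probe kept in wscript_configure_system_gnutls has no remaining consumer once the `HAVE_GNUTLS_SET_DEFAULT_PRIORITY_APPEND` branches are reverted, so it should either be dropped or drive a call to `gnutls_set_default_priority_append()` in tls_tstream.c. Both tstream functions begin and end outside the inner hunks.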
@@ -0,0 +1,478 @@ +From 3dbdb8c3d8cd0498e1afb47758fea700f5061435 Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Thu, 7 May 2020 12:25:24 +0200 +Subject: [PATCH 1/4] lib:util: Add path_expand_tilde() + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14370 + +Signed-off-by: Andreas Schneider +Reviewed-by: Stefan Metzmacher +(cherry picked from commit 15457254be0ab1235c327bd305dfeee19b2ea7a1) +--- + lib/util/util_paths.c | 72 +++++++++++++++++++++++++++++++++++++++++++ + lib/util/util_paths.h | 9 ++++++ + 2 files changed, 81 insertions(+) + +diff --git a/lib/util/util_paths.c b/lib/util/util_paths.c +index 0473557dfc6..c05246a7407 100644 +--- a/lib/util/util_paths.c ++++ b/lib/util/util_paths.c +@@ -6,6 +6,7 @@ + Copyright (C) Simo Sorce 2001 + Copyright (C) Jim McDonough 2003 + Copyright (C) James Peach 2006 ++ Copyright (c) 2020 Andreas Schneider + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by +@@ -24,6 +25,7 @@ + #include "includes.h" + #include "dynconfig/dynconfig.h" + #include "lib/util/util_paths.h" ++#include "system/passwd.h" + + /** + * @brief Returns an absolute path to a file in the Samba modules directory. 
+@@ -62,3 +64,73 @@ const char *shlib_ext(void) + return get_dyn_SHLIBEXT(); + } + ++static char *get_user_home_dir(TALLOC_CTX *mem_ctx) ++{ ++ struct passwd pwd = {0}; ++ struct passwd *pwdbuf = NULL; ++ char buf[NSS_BUFLEN_PASSWD] = {0}; ++ int rc; ++ ++ rc = getpwuid_r(getuid(), &pwd, buf, NSS_BUFLEN_PASSWD, &pwdbuf); ++ if (rc != 0 || pwdbuf == NULL ) { ++ const char *szPath = getenv("HOME"); ++ if (szPath == NULL) { ++ return NULL; ++ } ++ snprintf(buf, sizeof(buf), "%s", szPath); ++ ++ return talloc_strdup(mem_ctx, buf); ++ } ++ ++ return talloc_strdup(mem_ctx, pwd.pw_dir); ++} ++ ++char *path_expand_tilde(TALLOC_CTX *mem_ctx, const char *d) ++{ ++ char *h = NULL, *r = NULL; ++ const char *p = NULL; ++ struct stat sb = {0}; ++ int rc; ++ ++ if (d[0] != '~') { ++ return talloc_strdup(mem_ctx, d); ++ } ++ d++; ++ ++ /* handle ~user/path */ ++ p = strchr(d, '/'); ++ if (p != NULL && p > d) { ++ struct passwd *pw; ++ size_t s = p - d; ++ char u[128]; ++ ++ if (s >= sizeof(u)) { ++ return NULL; ++ } ++ memcpy(u, d, s); ++ u[s] = '\0'; ++ ++ pw = getpwnam(u); ++ if (pw == NULL) { ++ return NULL; ++ } ++ h = talloc_strdup(mem_ctx, pw->pw_dir); ++ } else { ++ p = d; ++ h = get_user_home_dir(mem_ctx); ++ } ++ if (h == NULL) { ++ return NULL; ++ } ++ ++ rc = stat(h, &sb); ++ if (rc != 0) { ++ TALLOC_FREE(h); ++ return NULL; ++ } ++ ++ r = talloc_asprintf(mem_ctx, "%s%s", h, p); ++ TALLOC_FREE(h); ++ ++ return r; ++} +diff --git a/lib/util/util_paths.h b/lib/util/util_paths.h +index 80e8aaac6e9..cf34f691e5f 100644 +--- a/lib/util/util_paths.h ++++ b/lib/util/util_paths.h +@@ -51,4 +51,13 @@ char *data_path(TALLOC_CTX *mem_ctx, const char *name); + **/ + const char *shlib_ext(void); + ++/** ++ * @brief Expand a directory starting with a tilde '~' ++ * ++ * @param[in] d The directory to expand. ++ * ++ * @return The expanded directory, NULL on error. 
++ */ ++char *path_expand_tilde(TALLOC_CTX *mem_ctx, const char *d); ++ + #endif +-- +2.26.2 + + +From d43c586576353cba5082ba396c521dde1cde4929 Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Mon, 11 May 2020 12:50:11 +0200 +Subject: [PATCH 2/4] lib:util: Add test for path_expand_tilde() + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14370 + +Signed-off-by: Andreas Schneider +Reviewed-by: Stefan Metzmacher +(backported from commit a15bd5493b696c66c6803d8ca65bc13f1cfcdf0a) +--- + lib/util/tests/test_util_paths.c | 127 +++++++++++++++++++++++++++++++ + lib/util/wscript_build | 6 ++ + selftest/tests.py | 2 + + 3 files changed, 135 insertions(+) + create mode 100644 lib/util/tests/test_util_paths.c + +diff --git a/lib/util/tests/test_util_paths.c b/lib/util/tests/test_util_paths.c +new file mode 100644 +index 00000000000..b89abf0aea1 +--- /dev/null ++++ b/lib/util/tests/test_util_paths.c +@@ -0,0 +1,127 @@ ++/* ++ * Unix SMB/CIFS implementation. ++ * ++ * Copyright (C) 2020 Andreas Schneider ++ * ++ * This program is free software; you can redistribute it and/or modify ++ * it under the terms of the GNU General Public License as published by ++ * the Free Software Foundation; either version 3 of the License, or ++ * (at your option) any later version. ++ * ++ * This program is distributed in the hope that it will be useful, ++ * but WITHOUT ANY WARRANTY; without even the implied warranty of ++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++ * GNU General Public License for more details. ++ * ++ * You should have received a copy of the GNU General Public License ++ * along with this program. If not, see . 
++ */ ++ ++#include ++#include ++#include ++#include ++#include ++ ++#include ++ ++#include "lib/replace/replace.h" ++#include "lib/util/util_paths.c" ++ ++static int setup(void **state) ++{ ++ TALLOC_CTX *mem_ctx = talloc_new(NULL); ++ ++ assert_non_null(mem_ctx); ++ *state = mem_ctx; ++ ++ return 0; ++} ++ ++static int teardown(void **state) ++{ ++ TALLOC_CTX *mem_ctx = *state; ++ TALLOC_FREE(mem_ctx); ++ ++ return 0; ++} ++ ++static void test_get_user_home_dir(void **state) ++{ ++ TALLOC_CTX *mem_ctx = *state; ++ struct passwd *pwd = getpwuid(getuid()); ++ char *user; ++ ++ user = get_user_home_dir(mem_ctx); ++ assert_non_null(user); ++ assert_string_equal(user, pwd->pw_dir); ++ ++ TALLOC_FREE(user); ++} ++ ++static void test_path_expand_tilde(void **state) ++{ ++ TALLOC_CTX *mem_ctx = *state; ++ char h[256] = {0}; ++ char *d = NULL; ++ const char *user = NULL; ++ char *home = NULL; ++ ++ user = getenv("USER"); ++ if (user == NULL){ ++ user = getenv("LOGNAME"); ++ } ++ ++ /* In certain CIs there no such variables */ ++ if (user == NULL) { ++ struct passwd *pw = getpwuid(getuid()); ++ if (pw){ ++ user = pw->pw_name; ++ } ++ } ++ ++ home = getenv("HOME"); ++ assert_non_null(home); ++ snprintf(h, sizeof(h), "%s/.cache", home); ++ ++ d = path_expand_tilde(mem_ctx, "~/.cache"); ++ assert_non_null(d); ++ assert_string_equal(d, h); ++ TALLOC_FREE(d); ++ ++ snprintf(h, sizeof(h), "%s/.cache/X~", home); ++ d = path_expand_tilde(mem_ctx, "~/.cache/X~"); ++ assert_string_equal(d, h); ++ TALLOC_FREE(d); ++ ++ d = path_expand_tilde(mem_ctx, "/guru/meditation"); ++ assert_non_null(d); ++ assert_string_equal(d, "/guru/meditation"); ++ TALLOC_FREE(d); ++ ++ snprintf(h, sizeof(h), "~%s/.cache", user); ++ d = path_expand_tilde(mem_ctx, h); ++ assert_non_null(d); ++ ++ snprintf(h, sizeof(h), "%s/.cache", home); ++ assert_string_equal(d, h); ++ TALLOC_FREE(d); ++} ++ ++int main(int argc, char *argv[]) ++{ ++ int rc; ++ const struct CMUnitTest tests[] = { ++ 
cmocka_unit_test(test_get_user_home_dir), ++ cmocka_unit_test(test_path_expand_tilde), ++ }; ++ ++ if (argc == 2) { ++ cmocka_set_test_filter(argv[1]); ++ } ++ cmocka_set_message_output(CM_OUTPUT_SUBUNIT); ++ ++ rc = cmocka_run_group_tests(tests, setup, teardown); ++ ++ return rc; ++} +diff --git a/lib/util/wscript_build b/lib/util/wscript_build +index a827eea3ed9..608f7b3dd73 100644 +--- a/lib/util/wscript_build ++++ b/lib/util/wscript_build +@@ -288,3 +288,9 @@ else: + deps='cmocka replace samba-util', + local_include=False, + for_selftest=True) ++ ++ bld.SAMBA_BINARY('test_util_paths', ++ source='tests/test_util_paths.c', ++ deps='cmocka replace talloc samba-util', ++ local_include=False, ++ for_selftest=True) +diff --git a/selftest/tests.py b/selftest/tests.py +index 96d3f8d6317..b72a6fb65eb 100644 +--- a/selftest/tests.py ++++ b/selftest/tests.py +@@ -389,6 +389,8 @@ plantestsuite("samba.unittests.ms_fnmatch", "none", + [os.path.join(bindir(), "default/lib/util/test_ms_fnmatch")]) + plantestsuite("samba.unittests.byteorder", "none", + [os.path.join(bindir(), "default/lib/util/test_byteorder")]) ++plantestsuite("samba.unittests.util_paths", "none", ++ [os.path.join(bindir(), "default/lib/util/test_util_paths")]) + plantestsuite("samba.unittests.ntlm_check", "none", + [os.path.join(bindir(), "default/libcli/auth/test_ntlm_check")]) + plantestsuite("samba.unittests.gnutls", "none", +-- +2.26.2 + + +From 133edb95814adc43072fd33876caf9d720eaac1f Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Wed, 6 May 2020 17:10:51 +0200 +Subject: [PATCH 3/4] s3:gencache: Allow to open gencache as read-only + +This allows client tools to access the cache for ready-only operations +as a normal user. 
+ +Example: + net ads status + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14370 + +Signed-off-by: Andreas Schneider +Reviewed-by: Stefan Metzmacher + +Autobuild-User(master): Andreas Schneider +Autobuild-Date(master): Fri May 15 14:40:32 UTC 2020 on sn-devel-184 + +(cherry picked from commit 04f0c45475de383a0be4ca355ab9aa7784e61c27) +--- + source3/lib/gencache.c | 63 ++++++++++++++++++++++++++++++++++++++++-- + 1 file changed, 60 insertions(+), 3 deletions(-) + +diff --git a/source3/lib/gencache.c b/source3/lib/gencache.c +index 9ad85bbf55f..896bf50cbd7 100644 +--- a/source3/lib/gencache.c ++++ b/source3/lib/gencache.c +@@ -29,10 +29,13 @@ + #include "tdb_wrap/tdb_wrap.h" + #include "zlib.h" + #include "lib/util/strv.h" ++#include "lib/util/util_paths.h" + + #undef DBGC_CLASS + #define DBGC_CLASS DBGC_TDB + ++#define GENCACHE_USER_PATH "~/.cache/samba/gencache.tdb" ++ + static struct tdb_wrap *cache; + + /** +@@ -68,6 +71,7 @@ static bool gencache_init(void) + { + char* cache_fname = NULL; + int open_flags = O_RDWR|O_CREAT; ++ int tdb_flags = TDB_INCOMPATIBLE_HASH|TDB_NOSYNC|TDB_MUTEX_LOCKING; + int hash_size; + + /* skip file open if it's already opened */ +@@ -85,10 +89,63 @@ static bool gencache_init(void) + DEBUG(5, ("Opening cache file at %s\n", cache_fname)); + + cache = tdb_wrap_open(NULL, cache_fname, hash_size, +- TDB_INCOMPATIBLE_HASH| +- TDB_NOSYNC| +- TDB_MUTEX_LOCKING, ++ tdb_flags, + open_flags, 0644); ++ /* ++ * Allow client tools to create a gencache in the home directory ++ * as a normal user. 
++ */ ++ if (cache == NULL && errno == EACCES && geteuid() != 0) { ++ char *cache_dname = NULL, *tmp = NULL; ++ bool ok; ++ ++ TALLOC_FREE(cache_fname); ++ ++ cache_fname = path_expand_tilde(talloc_tos(), ++ GENCACHE_USER_PATH); ++ if (cache_fname == NULL) { ++ DBG_ERR("Failed to expand path: %s\n", ++ GENCACHE_USER_PATH); ++ return false; ++ } ++ ++ tmp = talloc_strdup(talloc_tos(), cache_fname); ++ if (tmp == NULL) { ++ DBG_ERR("No memory!\n"); ++ TALLOC_FREE(cache_fname); ++ return false; ++ } ++ ++ cache_dname = dirname(tmp); ++ if (cache_dname == NULL) { ++ DBG_ERR("Invalid path: %s\n", cache_fname); ++ TALLOC_FREE(tmp); ++ TALLOC_FREE(cache_fname); ++ return false; ++ } ++ ++ ok = directory_create_or_exist(cache_dname, 0700); ++ if (!ok) { ++ DBG_ERR("Failed to create directory: %s - %s\n", ++ cache_dname, strerror(errno)); ++ TALLOC_FREE(tmp); ++ TALLOC_FREE(cache_fname); ++ return false; ++ } ++ TALLOC_FREE(tmp); ++ ++ cache = tdb_wrap_open(NULL, ++ cache_fname, ++ hash_size, ++ tdb_flags, ++ open_flags, ++ 0644); ++ if (cache != NULL) { ++ DBG_INFO("Opening user cache file %s.\n", ++ cache_fname); ++ } ++ } ++ + if (cache == NULL) { + DEBUG(5, ("Opening %s failed: %s\n", cache_fname, + strerror(errno))); +-- +2.26.2 + + +From de71248d86e29ca7d1d2df0f197b930ae8472d5b Mon Sep 17 00:00:00 2001 +From: Jeremy Allison +Date: Fri, 15 May 2020 12:18:02 -0700 +Subject: [PATCH 4/4] s3: lib: Paranoia around use of snprintf copying into a + fixed-size buffer from a getenv() pointer. + +Post checks for overflow/error. 
+ +Signed-off-by: Jeremy Allison +Reviewed-by: Andrew Bartlett + +Autobuild-User(master): Jeremy Allison +Autobuild-Date(master): Mon May 18 23:42:57 UTC 2020 on sn-devel-184 + +(cherry picked from commit dd1f750293ef4361455a5d5b63fc7a89495715b7) +--- + lib/util/util_paths.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/lib/util/util_paths.c b/lib/util/util_paths.c +index c05246a7407..c0ee5c32c30 100644 +--- a/lib/util/util_paths.c ++++ b/lib/util/util_paths.c +@@ -73,12 +73,16 @@ static char *get_user_home_dir(TALLOC_CTX *mem_ctx) + + rc = getpwuid_r(getuid(), &pwd, buf, NSS_BUFLEN_PASSWD, &pwdbuf); + if (rc != 0 || pwdbuf == NULL ) { ++ int len_written; + const char *szPath = getenv("HOME"); + if (szPath == NULL) { + return NULL; + } +- snprintf(buf, sizeof(buf), "%s", szPath); +- ++ len_written = snprintf(buf, sizeof(buf), "%s", szPath); ++ if (len_written >= sizeof(buf) || len_written < 0) { ++ /* Output was truncated or an error. */ ++ return NULL; ++ } + return talloc_strdup(mem_ctx, buf); + } + +-- +2.26.2 + diff --git a/SOURCES/samba-4.12-vfs_ChDir.patch b/SOURCES/samba-4.12-vfs_ChDir.patch new file mode 100644 index 0000000..54cc35b --- /dev/null +++ b/SOURCES/samba-4.12-vfs_ChDir.patch 
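Review bot: The per-user fallback added to `gencache_init()` creates `~/.cache/samba/gencache.tdb` with the same `0644` mode as the system-wide cache while only the directory is requested as `0700`; if `~/.cache/samba` already exists with looser permissions (whether `directory_create_or_exist()` verifies a pre-existing directory's mode or ownership is not visible in this hunk), the cache becomes readable by other local users, so the second `tdb_wrap_open()` should pass `open_flags, 0600);` instead, and the strict variant of the directory helper should be preferred if this tree has one. Two smaller issues in `path_expand_tilde()`: the `~user/` branch calls the non-reentrant `getpwnam()` while `get_user_home_dir()` correctly uses `getpwuid_r()`, and the `stat()` result is only tested for success, so a home entry that is a regular file is accepted — `if (rc != 0 || !S_ISDIR(sb.st_mode))` would reject it. Also note that `get_user_home_dir()` keys on `getuid()` whereas the fallback is gated on `geteuid() != 0`; in a binary whose real and effective uids differ, the cache would be created under a different user's home than the one the gate checked. Finally, `TDB_MUTEX_LOCKING` is kept for the user-scope open; home directories are frequently on NFS, where mmap-based robust mutexes are not guaranteed to behave, so that combination is worth confirming before shipping.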
@@ -0,0 +1,203 @@ +From 222b16ac61329dc819ab5b9ccd3276c5a1a01c8f Mon Sep 17 00:00:00 2001 +From: Stefan Metzmacher +Date: Thu, 2 Jul 2020 14:32:34 +0200 +Subject: [PATCH 1/3] s4:torture/smb2: add smb2.delete-on-close-perms.BUG14427 + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14427 + +Signed-off-by: Stefan Metzmacher +Reviewed-by: Ralph Boehme +(cherry picked from commit bcba4bb210d9482be4c2c8dadfb5cc185046cbaa) +--- + selftest/knownfail.d/bug14427 | 1 + + source4/torture/smb2/delete-on-close.c | 43 +++++++++++++++++++++++++- + 2 files changed, 43 insertions(+), 1 deletion(-) + create mode 100644 selftest/knownfail.d/bug14427 + +diff --git a/selftest/knownfail.d/bug14427 b/selftest/knownfail.d/bug14427 +new file mode 100644 +index 00000000000..e136465ef87 +--- /dev/null ++++ b/selftest/knownfail.d/bug14427 +@@ -0,0 +1 @@ ++^samba3.smb2.delete-on-close-perms.BUG14427 +diff --git a/source4/torture/smb2/delete-on-close.c b/source4/torture/smb2/delete-on-close.c +index 3c495750f43..05242876dcb 100644 +--- a/source4/torture/smb2/delete-on-close.c ++++ b/source4/torture/smb2/delete-on-close.c +@@ -698,6 +698,46 @@ static bool test_doc_read_only(struct torture_context *tctx, + return ret; + } + ++/* ++ * This is a regression test for ++ * https://bugzilla.samba.org/show_bug.cgi?id=14427 ++ * ++ * It's not really a delete-on-close specific test. ++ */ ++static bool test_doc_bug14427(struct torture_context *tctx, struct smb2_tree *tree1) ++{ ++ struct smb2_tree *tree2 = NULL; ++ NTSTATUS status; ++ char fname[256]; ++ bool ret = false; ++ bool ok; ++ ++ /* Add some random component to the file name. 
*/ ++ snprintf(fname, sizeof(fname), "doc_bug14427_%s.dat", ++ generate_random_str(tctx, 8)); ++ ++ ok = torture_smb2_tree_connect(tctx, tree1->session, tctx, &tree2); ++ torture_assert_goto(tctx, ok, ret, done, ++ "torture_smb2_tree_connect() failed.\n"); ++ ++ status = torture_setup_simple_file(tctx, tree1, fname); ++ torture_assert_ntstatus_ok_goto(tctx, status, ret, done, ++ "torture_setup_simple_file() failed on tree1.\n"); ++ ++ status = smb2_util_unlink(tree2, fname); ++ torture_assert_ntstatus_ok_goto(tctx, status, ret, done, ++ "smb2_util_unlink() failed on tree2.\n"); ++ TALLOC_FREE(tree2); ++ ret = true; ++done: ++ if (tree2 != NULL) { ++ TALLOC_FREE(tree2); ++ smb2_util_unlink(tree1, fname); ++ } ++ ++ TALLOC_FREE(tree1); ++ return ret; ++} + + /* + * Extreme testing of Delete On Close and permissions +@@ -713,7 +753,8 @@ struct torture_suite *torture_smb2_doc_init(TALLOC_CTX *ctx) + torture_suite_add_1smb2_test(suite, "CREATE_IF", test_doc_create_if); + torture_suite_add_1smb2_test(suite, "CREATE_IF Existing", test_doc_create_if_exist); + torture_suite_add_1smb2_test(suite, "FIND_and_set_DOC", test_doc_find_and_set_doc); +- torture_suite_add_1smb2_test(suite, "READONLY", test_doc_read_only); ++ torture_suite_add_1smb2_test(suite, "READONLY", test_doc_read_only); ++ torture_suite_add_1smb2_test(suite, "BUG14427", test_doc_bug14427); + + suite->description = talloc_strdup(suite, "SMB2-Delete-on-Close-Perms tests"); + +-- +2.26.2 + + +From a6005fb5155a7c7886b179e7672b198a55e69380 Mon Sep 17 00:00:00 2001 +From: Stefan Metzmacher +Date: Thu, 2 Jul 2020 12:06:28 +0200 +Subject: [PATCH 2/3] s3:smbd: reformat if statement for caching in vfs_ChDir() + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14427 + +Signed-off-by: Stefan Metzmacher +Reviewed-by: Ralph Boehme +(cherry picked from commit b2b5ae090ee8796609eb0b5794bc4e62c24414ef) +--- + source3/smbd/vfs.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/source3/smbd/vfs.c 
b/source3/smbd/vfs.c +index 96067e45005..7c8f99bbd41 100644 +--- a/source3/smbd/vfs.c ++++ b/source3/smbd/vfs.c +@@ -879,8 +879,9 @@ int vfs_ChDir(connection_struct *conn, const struct smb_filename *smb_fname) + return 0; + } + +- if (*smb_fname->base_name == '/' && +- strcsequal(LastDir,smb_fname->base_name)) { ++ if (smb_fname->base_name[0] == '/' && ++ strcsequal(LastDir,smb_fname->base_name)) ++ { + return 0; + } + +-- +2.26.2 + + +From 735fd5fe21b4c365946806e79df668cec22b3210 Mon Sep 17 00:00:00 2001 +From: Stefan Metzmacher +Date: Wed, 1 Jul 2020 09:38:58 +0200 +Subject: [PATCH 3/3] s3:smbd: make sure vfs_ChDir() always sets + conn->cwd_fsp->fh->fd = AT_FDCWD + +This is what all consumers of conn->cwd_fsp->fh->fd expect! + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14427 + +Signed-off-by: Stefan Metzmacher +Reviewed-by: Ralph Boehme +(cherry picked from commit f3f330f61db983f6d213a097d9a4d91b1057ecb1) +--- + selftest/knownfail.d/bug14427 | 1 - + source3/smbd/vfs.c | 35 +++++++++++++++++++++++++++++++++++ + 2 files changed, 35 insertions(+), 1 deletion(-) + delete mode 100644 selftest/knownfail.d/bug14427 + +diff --git a/selftest/knownfail.d/bug14427 b/selftest/knownfail.d/bug14427 +deleted file mode 100644 +index e136465ef87..00000000000 +--- a/selftest/knownfail.d/bug14427 ++++ /dev/null +@@ -1 +0,0 @@ +-^samba3.smb2.delete-on-close-perms.BUG14427 +diff --git a/source3/smbd/vfs.c b/source3/smbd/vfs.c +index 7c8f99bbd41..411999c3856 100644 +--- a/source3/smbd/vfs.c ++++ b/source3/smbd/vfs.c +@@ -876,12 +876,47 @@ int vfs_ChDir(connection_struct *conn, const struct smb_filename *smb_fname) + } + + if (ISDOT(smb_fname->base_name)) { ++ /* ++ * passing a '.' is a noop, ++ * and we only expect this after ++ * everything is initialized. ++ * ++ * So the first vfs_ChDir() on a given ++ * connection_struct must not be '.'. 
++ * ++ * Note: conn_new() sets ++ * conn->cwd_fsp->fh->fd = -1 ++ * and vfs_ChDir() leaves with ++ * conn->cwd_fsp->fh->fd = AT_FDCWD ++ * on success! ++ */ ++ if (conn->cwd_fsp->fh->fd != AT_FDCWD) { ++ /* ++ * This should never happen and ++ * we might change this to ++ * SMB_ASSERT() in future. ++ */ ++ DBG_ERR("Called with '.' as first operation!\n"); ++ log_stack_trace(); ++ errno = EINVAL; ++ return -1; ++ } + return 0; + } + + if (smb_fname->base_name[0] == '/' && + strcsequal(LastDir,smb_fname->base_name)) + { ++ /* ++ * conn->cwd_fsp->fsp_name and the kernel ++ * are already correct, but conn->cwd_fsp->fh->fd ++ * might still be -1 as initialized in conn_new(). ++ * ++ * This can happen when a client made a 2nd ++ * tree connect to a share with the same underlying ++ * path (may or may not the same share). ++ */ ++ conn->cwd_fsp->fh->fd = AT_FDCWD; + return 0; + } + +-- +2.26.2 + diff --git a/SOURCES/samba-4.12.3.tar.asc b/SOURCES/samba-4.12.3.tar.asc new file mode 100644 index 0000000..4705752 --- /dev/null +++ b/SOURCES/samba-4.12.3.tar.asc @@ -0,0 +1,7 @@ +-----BEGIN PGP SIGNATURE----- + +iHMEABECADMWIQRS+8C4bZVLCEMyTNxvM5FbZWi36gUCXsOxqhUcc2FtYmEtYnVn +c0BzYW1iYS5vcmcACgkQbzORW2Vot+qdhwCdFYBB+shlPkgPHklKcr7s0gzg0k0A +nRkKiNJ0zpNWUNY67XzoRvYWf3ys +=5Y06 +-----END PGP SIGNATURE----- diff --git a/SPECS/samba.spec b/SPECS/samba.spec index 51f3b9c..d647af0 100644 --- a/SPECS/samba.spec +++ b/SPECS/samba.spec 
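Review bot: The comment added to the `strcsequal(LastDir, …)` early return in `vfs_ChDir()` (patch 3/3) asserts that `conn->cwd_fsp->fsp_name` is already correct, but the hunk only repairs `fh->fd`; `LastDir` looks like a process-wide cache rather than a per-connection one, and the comment itself says this path is taken on a second tree connect, i.e. for a `connection_struct` that never reached the `SMB_VFS_CHDIR`/`vfs_GetWd` part of this function. Whether that connection's `fsp_name` was populated elsewhere cannot be confirmed here because the body of `vfs_ChDir()` continues outside the hunk; if it was not, callers get a stale `fsp_name` next to a valid `AT_FDCWD`, the same kind of inconsistency BUG 14427 is fixing. I would either state in the comment where a fresh connection's `fsp_name` is set, or make the shortcut conditional on it and fall through to the real chdir otherwise: `if (conn->cwd_fsp->fsp_name != NULL && strcsequal(conn->cwd_fsp->fsp_name->base_name, smb_fname->base_name)) { conn->cwd_fsp->fh->fd = AT_FDCWD; return 0; }`. On patch 1/3, `test_doc_bug14427()` unconditionally frees the `tree1` the harness passed in; that is only safe if the harness tolerates a test freeing its own connection, which the other tests in this suite (not visible here) would show.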
@@ -6,13 +6,15 @@ # ctdb is enabled by default, you can disable it with: --without clustering %bcond_without clustering -%define main_release 13 +%define samba_requires_eq() %(LC_ALL="C" echo '%*' | xargs -r rpm -q --qf 'Requires: %%{name} = %%{epoch}:%%{version}\\n' | sed -e 's/ (none):/ /' -e 's/ 0:/ /' | grep -v "is not") -%define samba_version 4.11.2 -%define talloc_version 2.2.0 -%define tdb_version 1.4.2 -%define tevent_version 0.10.0 -%define ldb_version 2.0.7 +%define main_release 12 + +%define samba_version 4.12.3 +%define talloc_version 2.3.1 +%define tdb_version 1.4.3 +%define tevent_version 0.10.2 +%define ldb_version 2.1.3 # This should be rc1 or nil %define pre_release %nil @@ -73,7 +75,7 @@ %global with_dc 1 %endif -%global required_mit_krb5 1.15.1 +%global required_mit_krb5 1.18 %global with_clustering_support 0 @@ -81,11 +83,25 @@ %global with_clustering_support 1 %endif +%global with_winexe 1 +%if 0%{?rhel} +%global with_winexe 0 +%endif + +%global with_vfs_io_uring 0 +# We need liburing >= 0.4 which is not available in RHEL yet +%if 0%{?fedora} +%ifarch aarch64 ppc64le s390x x86_64 i686 +%global with_vfs_io_uring 1 +%endif +# /fedora +%endif + %global _systemd_extra "Environment=KRB5CCNAME=FILE:/run/samba/krb5cc_samba" Name: samba Version: %{samba_version} -Release: %{samba_release} +Release: %{samba_release}.3 %if 0%{?rhel} Epoch: 0 
@@ -117,223 +133,13 @@ Source14: samba.pamd Source201: README.downgrade
-Patch0001: 0001-s3-profile-Use-SHA1-for-hashing-in-profiling-functio.patch
-Patch0002: 0002-lib-crypto-Fix-path-to-header-file-in-gnutls_helpers.patch
-Patch0003: 0003-lib-crypto-Add-GNUTLS_FIPS140_SET_-LAX-STRICT-_MODE-.patch
-Patch0004: 0004-s3-profile-Allow-profile-subsystem-to-use-SHA1-in-FI.patch
-Patch0005: 0005-lib-util-Use-GnuTLS-random-number-generator-in-genra.patch
-Patch0006: 0006-lib-crypto-Document-gnutls_error_to_werror.patch
-Patch0007: 0007-lib-crypto-Document-samba_gnutls_arcfour_confounded_.patch
-Patch0008: 0008-s3-rpc_client-Return-NTSTATUS-for-init_samr_CryptPas.patch
-Patch0009: 0009-s3-rpc_client-Return-NTSTATUS-for-init_samr_CryptPas.patch
-Patch0010: 0010-libcli-auth-Return-NTSTATUS-for-encode_or_decode_arc.patch
-Patch0011: 0011-libcli-auth-Add-test-for-decoding-an-RC4-password-bu.patch
-Patch0012: 0012-s3-rpc_client-Use-samba_gnutls_arcfour_confounded_md.patch
-Patch0013: 0013-s3-rpc_client-Use-GnuTLS-RC4-in-init_samr_CryptPassw.patch
-Patch0014: 0014-libcli-auth-Use-samba_gnutls_arcfour_confounded_md5-.patch
-Patch0015: 0015-libcli-auth-Rename-encode_or_decode_arc4_passwd_buff.patch
-Patch0016: 0016-libcli-auth-Pass-samr_CryptPasswordEx-to-decode_rc4_.patch
-Patch0017: 0017-libcli-auth-Add-encode_rc4_passwd_buffer.patch
-Patch0018: 0018-libcli-auth-Add-test-for-encode_rc4_passwd_buffer.patch
-Patch0019: 0019-s3-rpc_client-Use-encode_rc4_passwd_buffer-in-init_s.patch
-Patch0020: 0020-s4-libnet-Use-encode_rc4_passwd_buffer-in-libnet_Set.patch
-Patch0021: 0021-s4-libnet-Use-encode_rc4_passwd_buffer-in-libnet_Set.patch
-Patch0022: 0022-s4-libnet-Use-GnuTLS-RC4-in-libnet_SetPassword_samr_.patch
-Patch0023: 0023-s4-libnet-Use-GnuTLS-RC4-in-libnet_SetPassword_samr_.patch
-Patch0024: 0024-s4-libnet-Use-GnuTLS-RC4-in-libnet_ChangePassword_sa.patch
-Patch0025: 0025-libcli-auth-Return-WERROR-for-encode_wkssvc_join_pas.patch
-Patch0026: 
0026-libcli-auth-Add-test-for-encode-decode-_wkssvc_join_.patch
-Patch0027: 0027-libcli-auth-Use-samba_gnutls_arcfour_confounded_md5-.patch
-Patch0028: 0028-libcli-auth-Use-samba_gnutls_arcfour_confounded_md5-.patch
-Patch0029: 0029-auth-ntlmssp-Use-GnuTLS-RC4-in-ntlmssp-client.patch
-Patch0030: 0030-auth-ntlmssp-Use-GnuTLS-RC4-for-ntlmssp-signing.patch
-Patch0031: 0031-s3-libsmb-Use-GnuTLS-RC4-in-clirap.patch
-Patch0032: 0032-s3-rpc_client-Use-init_samr_CryptPassword-in-cli_sam.patch
-Patch0033: 0033-s3-rpc_server-Use-GnuTLS-RC4-in-samr-password-check.patch
-Patch0034: 0034-s3-rpc_server-Use-GnuTLS-RC4-to-decrypt-samr-passwor.patch
-Patch0035: 0035-s3-utils-Use-GnuTLS-RC4-in-ntlm_auth.patch
-Patch0036: 0036-s4-rpc_server-Use-samba_gnutls_arcfour_confounded_md.patch
-Patch0037: 0037-s4-rpc_server-Use-GnuTLS-RC4-for-samr-password.patch
-Patch0038: 0038-s4-torture-Use-GnuTLS-RC4-for-RAP-SAM-test.patch
-Patch0039: 0039-s4-torture-Use-init_samr_CryptPassword-Ex-in-samba3r.patch
-Patch0040: 0040-s4-torture-Use-init_samr_CryptPassword-in-test_SetUs.patch
-Patch0041: 0041-s4-torture-Use-init_samr_CryptPassword-in-test_SetUs.patch
-Patch0042: 0042-s4-torture-Use-init_samr_CryptPassword-in-test_SetUs.patch
-Patch0043: 0043-s4-torture-Use-init_samr_CryptPassword-in-test_SetUs.patch
-Patch0044: 0044-s4-torture-Use-init_samr_CryptPassword-in-test_SetUs.patch
-Patch0045: 0045-s4-torture-Use-GnuTLS-RC4-in-test_OemChangePasswordU.patch
-Patch0046: 0046-s4-torture-Use-init_samr_CryptPassword-in-test_Chang.patch
-Patch0047: 0047-s4-torture-Use-init_samr_CryptPassword-in-test_Chang.patch
-Patch0048: 0048-s4_torture-Use-GnuTLS-RC4-in-test_ChangePasswordUser.patch
-Patch0049: 0049-s4-torture-Use-GnuTLS-RC4-in-test_ChangePasswordUser.patch
-Patch0050: 0050-s4-torture-Use-init_samr_CryptPassword-in-test_Chang.patch
-Patch0051: 0051-s4-torture-clarify-comments-and-variable-names-in-Ch.patch
-Patch0052: 0052-s4-torture-Use-init_samr_CryptPassword-in-test_Chang.patch
-Patch0053: 
0053-s4-torture-Use-GnuTLS-RC4-in-test_ChangePasswordRand.patch
-Patch0054: 0054-s4-torture-Use-samba_gnutls_arcfour_confounded_md5-i.patch
-Patch0055: 0055-s4-torture-Use-init_samr_CryptPassword-in-testjoin-R.patch
-Patch0056: 0056-lib-crypto-Use-GnuTLS-RC4-in-py_crypto.patch
-Patch0057: 0057-lib-crypto-Remove-arcfour.h-from-crypto.h.patch
-Patch0058: 0058-lib-crypto-Don-t-build-RC4-if-we-have-GnuTLS-3.4.7.patch
-Patch0059: 0059-s3-lib-Use-the-passed-mem_ctx-instead-of-talloc_tos.patch
-Patch0060: 0060-s3-rpcclient-Use-a-stackframe-for-temporary-memory.patch
-Patch0061: 0061-s3-utils-Use-a-stackframe-for-temporary-memory.patch
-Patch0062: 0062-s3-rpc_server-Use-a-stackframe-for-temporary-memory.patch
-Patch0063: 0063-netlogon-Fix-potential-use-of-uninitialized-variable.patch
-Patch0064: 0064-s3-rpc_server-Only-dump-passwords-in-developer-build.patch
-Patch0065: 0065-libcli-smb-Add-forward-declaration-for-gnutls_hmac_h.patch
-Patch0066: 0066-s3-modules-Link-vfs_acl_common-against-gnutls.patch
-Patch0067: 0067-lib-util-Add-generate_nonce_buffer.patch
-Patch0068: 0068-libcli-smb-Use-generate_nonce_buffer-for-AES-CCM-and.patch
-Patch0069: 0069-s3-smbd-Use-generate_nonce_buffer-for-AES-CCM-and-AE.patch
-Patch0070: 0070-lib-util-Add-better-documentation-for-generate_secre.patch
-Patch0071: 0071-s4-rpc_server-Use-generate_secret_buffer-to-create-a.patch
-Patch0072: 0072-s4-rpc_server-Use-generate_secret_buffer-for-backupk.patch
-Patch0073: 0073-s4-rpc_server-Use-generate_secret_buffer-for-netlogo.patch
-Patch0074: 0074-libcli-auth-Use-generate_secret_buffer-for-netlogon-.patch
-Patch0075: 0075-lib-util-Fix-documentation-for-random-number-functio.patch
-Patch0076: 0076-Revert-libcli-auth-Use-generate_secret_buffer-for-ne.patch
-Patch0077: 0077-Revert-s4-rpc_server-Use-generate_secret_buffer-for-.patch
-Patch0078: 0078-Revert-s4-rpc_server-Use-generate_secret_buffer-for-.patch
-Patch0079: 0079-Revert-s4-rpc_server-Use-generate_secret_buffer-to-c.patch
-Patch0080: 
0080-lib-util-Use-generate_secret_buffer-for-long-term-pa.patch
-Patch0081: 0081-s4-samdb-Use-generate_nonce_buffer-for-AEC-GCM-nonce.patch
-Patch0082: 0082-s3-passdb-Use-generate_secret_buffer-for-generating-.patch
-Patch0083: 0083-auth-ntlmssp-Use-generate_random_buffer-for-session-.patch
-Patch0084: 0084-encrypted_secrets-Add-known-and-expected-value-test.patch
-Patch0085: 0085-s4-samdb-Remove-dual-stack-mode-from-test_-encrypted.patch
-Patch0086: 0086-s4-samdb-Only-include-necessary-header-files-in-encr.patch
-Patch0087: 0087-waf-Check-for-GNUTLS-AES-CFB-support.patch
-Patch0088: 0088-libcli-auth-Use-netlogon_creds_aes_encrypt-in-netlog.patch
-Patch0089: 0089-libcli-auth-Use-GnuTLS-AES128-CFB-for-netlogon_creds.patch
-Patch0090: 0090-libcli-auth-Return-NTSTATUS-for-netlogon_creds_aes_e.patch
-Patch0091: 0091-libcli-auth-Use-GnuTLS-AES128-CFB-for-netlogon_creds.patch
-Patch0092: 0092-libcli-auth-Return-NTSTATUS-from-netlogon_creds_aes_.patch
-Patch0093: 0093-crypto-Update-REQUIREMENTS-file-with-new-minimum-ver.patch
-Patch0094: 0094-libcli-auth-Check-NTSTATUS-from-netlogon_creds_aes_-.patch
-Patch0095: 0095-s3-rpc_server-Check-NTSTATUS-return-value-from-netlo.patch
-Patch0096: 0096-s4-rpc_server-Check-NTSTATUS-return-value-from-netlo.patch
-Patch0097: 0097-s3-librpc-Remove-unused-init_netr_CryptPassword.patch
-Patch0098: 0098-auth-credentials-Check-NTSTATUS-return-from-netlogon.patch
-Patch0099: 0099-auth-gensec-Use-GnuTLS-AES128-CFB8-in-netsec_do_seq_.patch
-Patch0100: 0100-auth-gensec-Use-gnutls_error_to_ntstatus-consistentl.patch
-Patch0101: 0101-auth-gensec-Use-GnuTLS-AES-CFB8-in-netsec_do_seal.patch
-Patch0102: 0102-auth-gensec-Use-gnutls_error_to_ntstatus-in-netsec_d.patch
-Patch0103: 0103-lib-crypto-Prepare-not-to-build-AES-or-AES-CMAC-if-w.patch
-Patch0104: 0104-build-Set-minimum-GnuTLS-version-at-3.4.7.patch
-Patch0105: 0105-s4-rpc_server-Remove-Heimdal-based-BackupKey-server.patch
-Patch0106: 
0106-s4-rpc_server-backupkey-consistently-check-error-cod.patch
-Patch0107: 0107-lib-crypto-Remove-unused-RC4-code-from-Samba.patch
-Patch0108: 0108-s4-samdb-Remove-duplicate-encrypted_secrets-code-usi.patch
-Patch0109: 0109-build-Remove-explicit-check-for-HAVE_GNUTLS_AEAD-as-.patch
-Patch0110: 0110-libcli-smb-Define-SMB2_AES_128_CCM_NONCE_SIZE.patch
-Patch0111: 0111-libcli-smb-Use-GnuTLS-for-AES-constants.patch
-Patch0112: 0112-libcli-smb-Add-gnutls_aead_cipher_hd_t-to-smb2_signi.patch
-Patch0113: 0113-libcli-smb-Use-a-smb2_signing_key-for-storing-the-en.patch
-Patch0114: 0114-libcli-smb-Use-a-smb2_signing_key-for-storing-the-de.patch
-Patch0115: 0115-s3-smbd-Use-smb2_signing_key-structure-for-the-encry.patch
-Patch0116: 0116-s3-smbd-Use-smb2_signing_key-structure-for-the-decry.patch
-Patch0117: 0117-s3-smbd-Use-GnuTLS-for-AES-constants.patch
-Patch0118: 0118-waf-Check-for-AES128-CMAC-support-in-GnuTLS.patch
-Patch0119: 0119-libcli-smb-Use-GnuTLS-AES128-CMAC-in-smb2_signing_si.patch
-Patch0120: 0120-libcli-smb-Use-gnutls_error_to_ntstatus-in-smb2_sign.patch
-Patch0121: 0121-libcli-smb-Use-GnuTLS-AES128-CMAC-in-smb2_signing_ch.patch
-Patch0122: 0122-libcli-smb-Use-gnutls_error_to_ntstatus-in-smb2_sign.patch
-Patch0123: 0123-lib-crypto-Do-not-build-AES-CMAC-if-we-use-GnuTLS-th.patch
-Patch0124: 0124-libcli-smb-Support-GnuTLS-AES-CCM-and-GCM-in-smb2_si.patch
-Patch0125: 0125-libcli-smb-Support-GnuTLS-AES-CCM-and-GCM-in-smb2_si.patch
-Patch0126: 0126-libcli-smb-Use-smb2_signing_key-in-smb2_signing_decr.patch
-Patch0127: 0127-libcli-smb-Use-gnutls_error_to_ntstatus-in-smb2_sign.patch
-Patch0128: 0128-libcli-smb-Use-smb2_signing_key-in-smb2_signing_encr.patch
-Patch0129: 0129-libcli-smb-Use-gnutls_error_to_ntstatus-in-smb2_sign.patch
-Patch0130: 0130-libcli-smb-Prefer-AES-GCM-over-AES-CCM-with-GnuTLS.patch
-Patch0131: 0131-s3-smbd-Prefer-AES-GCM-over-AES-CCM-with-GnuTLS.patch
-Patch0132: 0132-auth-gensec-fix-non-AES-schannel-seal.patch
-Patch0133: 
0133-auth-gensec-fix-AES-schannel-seal-and-unseal.patch
-Patch0134: 0134-libcli-auth-add-gnutls-test-for-aes-128-cfb8-cipher-.patch
-Patch0135: 0135-waf-Check-for-gnutls_aead_cipher_encryptv2.patch
-Patch0136: 0136-libcli-smb-Use-gnutls_aead_cipher_encryptv2-for-AES-.patch
-Patch0137: 0137-libcli-smb-Use-gnutls_aead_cipher_decryptv2-for-AES-.patch
-Patch0138: 0138-libcli-smb-Do-not-use-gnutls_aead_cipher_encryptv2-w.patch
-Patch0139: 0139-libcli-auth-Return-NTSTATUS-for-SMBOWFencrypt_ntv2.patch
-Patch0140: 0140-libcli-auth-Check-return-codes-of-SMBsesskeygen_ntv2.patch
-Patch0141: 0141-libcli-auth-Return-NTSTATUS-for-SMBOWFencrypt_ntv2.patch
-Patch0142: 0142-libcli-auth-Check-return-code-of-SMBOWFencrypt_ntv2.patch
-Patch0143: 0143-s4-rpc_server-Remove-gnutls_global_-de-init.patch
-Patch0144: 0144-s4-lib-Remove-gnutls_global_-de-init-from-libtls.patch
-Patch0145: 0145-s4-torture-Remove-calls-to-gnutls_global_-de-init-in.patch
-Patch0146: 0146-libcli-auth-Check-return-value-of-netlogon_creds_ini.patch
-Patch0147: 0147-libcli-auth-Check-return-status-of-netlogon_creds_in.patch
-Patch0148: 0148-libcli-auth-Check-return-status-of-netlogon_creds_fi.patch
-Patch0149: 0149-libcli-auth-Return-NTSTATUS-for-netlogon_creds_clien.patch
-Patch0150: 0150-auth-pycreds-Check-return-code-of-netlogon_creds_cli.patch
-Patch0151: 0151-libcli-auth-Check-return-code-of-netlogon_creds_clie.patch
-Patch0152: 0152-s4-librpc-Check-return-code-of-netlogon_creds_client.patch
-Patch0153: 0153-libcli-auth-Check-return-code-of-netlogon_creds_step.patch
-Patch0154: 0154-libcli-auth-Check-return-code-of-netlogon_creds_step.patch
-Patch0155: 0155-libcli-auth-Check-return-code-of-netlogon_creds_aes_.patch
-Patch0156: 0156-s3-rpc_server-Replace-E_md5hash-with-GnuTLS-calls.patch
-Patch0157: 0157-s3-winbindd-Replace-E_md5hash-with-GnuTLS-calls.patch
-Patch0158: 0158-s3-winbind-Replace-E_md5hash-with-GnuTLS-calls.patch
-Patch0159: 0159-libcli-auth-Remove-unused-E_md5hash.patch
-Patch0160: 
0160-s4-lib-tls-Fix-cert-and-privkey-types.patch
-Patch0161: 0161-winbind-Fix-CID-1455915-Resource-leak.patch
-Patch0162: 0162-auth-tests-Improve-debug-output-of-test_gnutls.patch
-Patch0163: 0163-auth-tests-Only-enable-torture_gnutls_aes_128_cfb-on.patch
-Patch0164: 0164-libcli-auth-test-des_crypt56-and-add-test_gnutls-to-.patch
-Patch0165: 0165-selftest-test-E_P16.patch
-Patch0166: 0166-selftest-test-sam_rid_crypt.patch
-Patch0167: 0167-selftest-test-E_P24-and-SMBOWFencrypt.patch
-Patch0168: 0168-selftest-test-E_old_pw_hash.patch
-Patch0169: 0169-selftest-test-des_crypt128.patch
-Patch0170: 0170-selftest-test-des_crypt112-and-fix-unused-decryption.patch
-Patch0171: 0171-selftest-test-des_crypt112_16.patch
-Patch0172: 0172-selftest-test-SMBsesskeygen_lm_sess_key.patch
-Patch0173: 0173-selftest-test-sess_crypt_blob.patch
-Patch0174: 0174-smbdes-add-des_crypt56_gnutls-using-DES-CBC-with-zer.patch
-Patch0175: 0175-netlogon_creds_des_encrypt-decrypt_LMKey-use-gnutls-.patch
-Patch0176: 0176-SMBsesskeygen_lm_sess_key-use-gnutls-and-return-NTST.patch
-Patch0177: 0177-smbdes-convert-sam_rid_crypt-to-use-gnutls.patch
-Patch0178: 0178-smbdes-convert-E_P16-to-use-gnutls.patch
-Patch0179: 0179-smbdes-remove-D_P16-not-used.patch
-Patch0180: 0180-smbdes-convert-E_P24-and-SMBOWFencrypt-to-use-gnutls.patch
-Patch0181: 0181-smbdes-convert-des_crypt128-to-use-gnutls.patch
-Patch0182: 0182-smbdes-convert-E_old_pw_hash-to-use-gnutls.patch
-Patch0183: 0183-smbdes-convert-des_crypt112-to-use-gnutls.patch
-Patch0184: 0184-smbdes-convert-des_crypt112_16-to-use-gnutls.patch
-Patch0185: 0185-session-convert-sess_crypt_blob-to-use-gnutls.patch
-Patch0186: 0186-sess_crypt_blob-can-only-crypt-blobs-whose-size-divi.patch
-Patch0187: 0187-smbdes-remove-old-unused-DES-builtin-crypto.patch
-Patch0188: 0188-lib-crypto-Remove-our-implementation-of-AES-CCM.patch
-Patch0189: 0189-lib-crypto-Remove-our-implementation-of-AES-GCM.patch
-Patch0190: 
0190-lib-crypto-Only-build-AES-code-if-we-need-AES-CMAC.patch
-Patch0191: 0191-lib-crypto-Build-intel-aes-ni-only-if-GnuTLS-doesn-t.patch
-Patch0192: 0192-lib-crypto-Add-samba_gnutls_weak_crypto.patch
-Patch0193: 0193-s3-utils-Add-weak-crypto-information-to-testparm.patch
-Patch0194: 0194-lib-param-Add-lp-cfg-_weak_crypto.patch
-Patch0195: 0195-gensec-Add-a-check-if-a-gensec-module-implements-wea.patch
-Patch0196: 0196-auth-ntlmssp-Mark-as-weak_crypto.patch
-Patch0197: 0197-s3-param-Force-SMB-encryption-for-DECRPC-over-named-.patch
-Patch0198: 0198-s3-param-Only-allow-SMB-3.0-for-DCERPC-client-connec.patch
-Patch0199: 0199-s3-rpc_server-Allow-RC4-encrypted-buffers-in-samr_Se.patch
-Patch0200: 0200-s4-rpc_server-Allow-to-use-RC4-for-setting-passwords.patch
-Patch0201: 0201-s3-rpc_server-Only-announce-RC4-in-netlogon-server-i.patch
-Patch0202: 0202-s4-rpc_server-Only-announce-RC4-in-netlogon-server-i.patch
-Patch0203: 0203-s4-samdb-Allow-to-hash-password-using-MD5-in-samdb.patch
-Patch0204: 0204-lib-crypto-Allow-py_crypto-to-use-RC4-in-FIPS-mode.patch
-Patch0205: 0205-param-Do-not-use-weak-crypto-for-kerberos-if-disallo.patch
-Patch0206: 0206-param-Do-not-use-weak-crypto-in-ldap-server-if-disal.patch
-Patch0207: 0207-libcli-auth-If-weak-crypto-is-disallowed-reject-md5-.patch
-Patch0208: 0208-s3-librpc-Only-use-RC4-if-our-systems-supports-it.patch
-Patch0209: 0209-s3-rpcserver-fix-security-level-check-for-DsRGetFore.patch
-
-Patch1000: samba-4.11.3-only_link_libnsl_libsocket_if_needed.patch
-Patch1001: CVE-2019-14907-4.11.patch
-Patch1002: krb5_no_des_411.patch
-Patch1003: samba-4.11.7-fix_smbclient_debug_spam.patch
-Patch1004: samba-4.11.3-fix_smb1_cli_qpathinfo_2_3.patch
-Patch1005: samba-4.11.7-fix_segfault_in_smbd_do_qfilepathinfo.patch
-Patch1006: samba-4.10-fix-netbios-join.patch
+Patch0: samba-4.12-gnutls-priority-list.patch
+Patch1: dnshostname_all.patch
+Patch2: samba-4.12-fix_pam_winbind_manpage.patch
+Patch3: ldapsslads-v4-12.patch
+Patch4: 
samba-4.12-fix_winbind_lookuprids.patch +Patch5: samba-4.12-user-gencache.patch +Patch6: samba-4.12-vfs_ChDir.patch Requires(pre): /usr/sbin/groupadd Requires(post): systemd @@ -372,10 +178,12 @@ Obsoletes: samba4-swat < %{samba_depver} BuildRequires: gcc BuildRequires: avahi-devel +BuildRequires: bison BuildRequires: cups-devel BuildRequires: dbus-devel BuildRequires: docbook-style-xsl BuildRequires: e2fsprogs-devel +BuildRequires: flex BuildRequires: gawk BuildRequires: gnupg2 BuildRequires: gnutls-devel >= 3.4.7 @@ -387,12 +195,17 @@ BuildRequires: libaio-devel BuildRequires: libarchive-devel BuildRequires: libattr-devel BuildRequires: libcap-devel +BuildRequires: libicu-devel BuildRequires: libcmocka-devel BuildRequires: libnsl2-devel BuildRequires: libtirpc-devel BuildRequires: libuuid-devel BuildRequires: libxslt BuildRequires: lmdb +%if %{with_winexe} +BuildRequires: mingw32-gcc +BuildRequires: mingw64-gcc +%endif BuildRequires: ncurses-devel BuildRequires: openldap-devel BuildRequires: pam-devel @@ -425,6 +238,10 @@ BuildRequires: glusterfs-devel >= 3.4.0.16 BuildRequires: libcephfs-devel %endif +%if %{with_vfs_io_uring} +BuildRequires: liburing-devel >= 0.4 +%endif + %if %{with_dc} # Add python3-iso8601 to avoid that the # version in Samba is being packaged @@ -437,6 +254,7 @@ BuildRequires: krb5-server >= %{required_mit_krb5} # pidl requirements BuildRequires: perl(ExtUtils::MakeMaker) +BuildRequires: perl(FindBin) BuildRequires: perl(Parse::Yapp) BuildRequires: libtalloc-devel >= %{talloc_version} @@ -578,7 +396,7 @@ Requires: ldb-tools # Force using libldb version to be the same as build version # Otherwise LDB modules will not be loaded and samba-tool will fail # See bug 1507420 -%requires_eq libldb +%samba_requires_eq libldb Requires: python3-crypto Requires: python3-%{name} = %{samba_depver} 
@@ -597,7 +415,7 @@ Summary: Samba AD files to provision a DC
 BuildArch: noarch
 %description dc-provision
-The samba-dc-provision package provides files to setup a domoin controller
+The samba-dc-provision package provides files to setup a domain controller
 ### DC-LIBS
 %package dc-libs
@@ -800,6 +618,7 @@ to manage Samba AD.
 %package pidl
 Summary: Perl IDL compiler
 Requires: perl-interpreter
+Requires: perl(FindBin)
 Requires: perl(Parse::Yapp)
 Requires: perl(:MODULE_COMPAT_%(eval "`%{__perl} -V:version`"; echo $version))
 BuildArch: noarch
@@ -941,6 +760,16 @@ Requires: pam
 The samba-winbind-modules package provides the NSS library and a PAM module
 necessary to communicate to the Winbind Daemon
+### WINEXE
+%if %{with_winexe}
+%package winexe
+Summary: Samba Winexe Windows Binary
+License: GPLv3
+
+%description winexe
+Winexe is a Remote Windows®-command executor
+%endif
+
 ### CTDB
 %if %with_clustering_support
 %package -n ctdb
@@ -1019,7 +848,7 @@ xzcat %{SOURCE0} | gpgv2 --quiet --keyring %{SOURCE2} %{SOURCE1} -
 %global _samba_idmap_modules idmap_ad,idmap_rid,idmap_ldap,idmap_hash,idmap_tdb2
 %global _samba_pdb_modules pdb_tdbsam,pdb_ldap,pdb_smbpasswd,pdb_wbc_sam,pdb_samba4
-%global _samba_auth_modules auth_wbc,auth_unix,auth_server,auth_script,auth_samba4
+%global _samba_auth_modules auth_wbc,auth_unix,auth_server,auth_samba4
 %global _samba_vfs_modules vfs_dfs_samba4
 %global _samba_modules %{_samba_idmap_modules},%{_samba_pdb_modules},%{_samba_auth_modules},%{_samba_vfs_modules}
@@ -1096,8 +925,6 @@ make %{?_smp_mflags}
 popd
 %install
-rm -rf %{buildroot}
-
 make %{?_smp_mflags} install DESTDIR=%{buildroot}
 install -d -m 0755 %{buildroot}/usr/{sbin,bin}
@@ -1250,6 +1077,15 @@ for i in \
 done
 %endif
+%if ! %{with_vfs_glusterfs}
+rm -f %{buildroot}%{_mandir}/man8/vfs_glusterfs.8*
+%endif
+
+%if ! %{with_vfs_cephfs}
+rm -f %{buildroot}%{_mandir}/man8/vfs_ceph.8*
+rm -f %{buildroot}%{_mandir}/man8/vfs_ceph_snapshots.8*
+%endif
+
 # This makes the right links, as rpmlint requires that
 # the ldconfig-created links be recorded in the RPM.
 /sbin/ldconfig -N -n %{buildroot}%{_libdir}
@@ -1385,7 +1221,8 @@ fi
 # check removes the alternatives files manually if that is the case.
 if [ $1 -eq 0 ]; then
 if [ "`readlink %{_libdir}/libwbclient.so`" == "libwbclient.so.%{libwbc_alternatives_version}" ]; then
- /bin/rm -f /etc/alternatives/libwbclient.so%{libwbc_alternatives_suffix} \
+ /bin/rm -f \
+ /etc/alternatives/libwbclient.so%{libwbc_alternatives_suffix} \
 /var/lib/alternatives/libwbclient.so%{libwbc_alternatives_suffix} 2> /dev/null
 else
 %{_sbindir}/update-alternatives \
@@ -1459,7 +1296,6 @@ fi
 %{_libdir}/samba/libdfs-server-ad-samba4.so
 %endif
 %dir %{_libdir}/samba/auth
-%{_libdir}/samba/auth/script.so
 %{_libdir}/samba/auth/unix.so
 %dir %{_libdir}/samba/vfs
 %{_libdir}/samba/vfs/acl_tdb.so
@@ -1485,9 +1321,11 @@ fi
 %{_libdir}/samba/vfs/full_audit.so
 %{_libdir}/samba/vfs/gpfs.so
 %{_libdir}/samba/vfs/glusterfs_fuse.so
+%if %{with_vfs_io_uring}
+%{_libdir}/samba/vfs/io_uring.so
+%endif
 %{_libdir}/samba/vfs/linux_xfs_sgid.so
 %{_libdir}/samba/vfs/media_harmony.so
-%{_libdir}/samba/vfs/netatalk.so
 %{_libdir}/samba/vfs/offline.so
 %{_libdir}/samba/vfs/preopen.so
 %{_libdir}/samba/vfs/readahead.so
@@ -1506,6 +1344,10 @@ fi
 %{_libdir}/samba/vfs/worm.so
 %{_libdir}/samba/vfs/xattr_tdb.so
+%dir %{_datadir}/samba
+%dir %{_datadir}/samba/mdssvc
+%{_datadir}/samba/mdssvc/elasticsearch_mappings.json
+
 %{_unitdir}/nmb.service
 %{_unitdir}/smb.service
 %attr(1777,root,root) %dir /var/spool/samba
@@ -1535,9 +1377,11 @@ fi
 %{_mandir}/man8/vfs_full_audit.8*
 %{_mandir}/man8/vfs_gpfs.8*
 %{_mandir}/man8/vfs_glusterfs_fuse.8*
+%if %{with_vfs_io_uring}
+%{_mandir}/man8/vfs_io_uring.8*
+%endif
 %{_mandir}/man8/vfs_linux_xfs_sgid.8*
 %{_mandir}/man8/vfs_media_harmony.8*
-%{_mandir}/man8/vfs_netatalk.8*
 %{_mandir}/man8/vfs_offline.8*
 %{_mandir}/man8/vfs_preopen.8*
 %{_mandir}/man8/vfs_readahead.8*
@@ -1556,15 +1400,6 @@ fi
 %{_mandir}/man8/vfs_worm.8*
 %{_mandir}/man8/vfs_xattr_tdb.8*
-%if ! %{with_vfs_glusterfs}
-%exclude %{_mandir}/man8/vfs_glusterfs.8*
-%endif
-
-%if ! %{with_vfs_cephfs}
-%exclude %{_mandir}/man8/vfs_ceph.8*
-%exclude %{_mandir}/man8/vfs_ceph_snapshots.8*
-%endif
-
 %attr(775,root,printadmin) %dir /var/lib/samba/drivers
 ### CLIENT
@@ -1575,6 +1410,7 @@ fi
 %{_bindir}/dumpmscat
 %{_bindir}/findsmb
 %{_bindir}/mvxattr
+%{_bindir}/mdfind
 %{_bindir}/nmblookup
 %{_bindir}/oLschema2ldif
 %{_bindir}/regdiff
@@ -1603,6 +1439,7 @@ fi
 %{_mandir}/man1/regtree.1*
 %{_mandir}/man1/findsmb.1*
 %{_mandir}/man1/log2pcap.1*
+%{_mandir}/man1/mdfind.1*
 %{_mandir}/man1/mvxattr.1*
 %{_mandir}/man1/rpcclient.1*
 %{_mandir}/man1/sharesec.1*
@@ -1710,6 +1547,7 @@ fi
 %{_libdir}/samba/libsmbldaphelper-samba4.so
 %{_libdir}/samba/libsys-rw-samba4.so
 %{_libdir}/samba/libsocket-blocking-samba4.so
+%{_libdir}/samba/libtalloc-report-printf-samba4.so
 %{_libdir}/samba/libtalloc-report-samba4.so
 %{_libdir}/samba/libtdb-wrap-samba4.so
 %{_libdir}/samba/libtime-basic-samba4.so
@@ -1819,7 +1657,6 @@ fi
 %{_libdir}/samba/ldb/lazy_commit.so
 %{_libdir}/samba/ldb/ldbsamba_extensions.so
 %{_libdir}/samba/ldb/linked_attributes.so
-%{_libdir}/samba/ldb/local_password.so
 %{_libdir}/samba/ldb/new_partition.so
 %{_libdir}/samba/ldb/objectclass.so
 %{_libdir}/samba/ldb/objectclass_attrs.so
@@ -1841,8 +1678,6 @@ fi
 %{_libdir}/samba/ldb/schema_load.so
 %{_libdir}/samba/ldb/secrets_tdb_sync.so
 %{_libdir}/samba/ldb/show_deleted.so
-%{_libdir}/samba/ldb/simple_dn.so
-%{_libdir}/samba/ldb/simple_ldap_map.so
 %{_libdir}/samba/ldb/subtree_delete.so
 %{_libdir}/samba/ldb/subtree_rename.so
 %{_libdir}/samba/ldb/tombstone_reanimate.so
@@ -1858,6 +1693,7 @@ fi
 %{_mandir}/man8/samba-tool.8*
 %files dc-provision
+%license source4/setup/ad-schema/licence.txt
 %{_datadir}/samba/setup
 ### DC-LIBS
@@ -1912,6 +1748,7 @@ fi
 %{_includedir}/samba-4.0/core/werror_gen.h
 %{_includedir}/samba-4.0/credentials.h
 %{_includedir}/samba-4.0/dcerpc.h
+%{_includedir}/samba-4.0/dcesrv_core.h
 %{_includedir}/samba-4.0/domain_credentials.h
 %{_includedir}/samba-4.0/gen_ndr/atsvc.h
 %{_includedir}/samba-4.0/gen_ndr/auth.h
@@ -1986,6 +1823,7 @@ fi
 %{_includedir}/samba-4.0/util_ldb.h
 %{_libdir}/libdcerpc-binding.so
 %{_libdir}/libdcerpc-samr.so
+%{_libdir}/libdcerpc-server-core.so
 %{_libdir}/libdcerpc.so
 %{_libdir}/libndr-krb5pac.so
 %{_libdir}/libndr-nbt.so
@@ -2053,6 +1891,7 @@ fi
 ### LIBS
 %files libs
 %{_libdir}/libdcerpc-samr.so.*
+%{_libdir}/libdcerpc-server-core.so.*
 %{_libdir}/samba/libLIBWBCLIENT-OLD-samba4.so
 %{_libdir}/samba/libauth4-samba4.so
@@ -2097,6 +1936,7 @@ fi
 %dir %{perl_vendorlib}/Parse
 %attr(644,root,root) %{perl_vendorlib}/Parse/Pidl.pm
 %dir %{perl_vendorlib}/Parse/Pidl
+%attr(644,root,root) %{perl_vendorlib}/Parse/Pidl/Base.pm
 %attr(644,root,root) %{perl_vendorlib}/Parse/Pidl/CUtil.pm
 %attr(644,root,root) %{perl_vendorlib}/Parse/Pidl/Samba4.pm
 %attr(644,root,root) %{perl_vendorlib}/Parse/Pidl/Expr.pm
@@ -2140,6 +1980,7 @@ fi
 %{python3_sitearch}/samba/__init__.py
 %dir %{python3_sitearch}/samba/__pycache__
 %{python3_sitearch}/samba/__pycache__/__init__.*.pyc
+%{python3_sitearch}/samba/__pycache__/auth_util.*.pyc
 %{python3_sitearch}/samba/__pycache__/colour.*.pyc
 %{python3_sitearch}/samba/__pycache__/common.*.pyc
 %{python3_sitearch}/samba/__pycache__/compat.*.pyc
@@ -2170,6 +2011,7 @@ fi
 %{python3_sitearch}/samba/_glue.*.so
 %{python3_sitearch}/samba/_ldb.*.so
 %{python3_sitearch}/samba/auth.*.so
+%{python3_sitearch}/samba/auth_util.py
 %{python3_sitearch}/samba/dbchecker.py
 %{python3_sitearch}/samba/colour.py
 %{python3_sitearch}/samba/common.py
@@ -2197,6 +2039,7 @@ fi
 %{python3_sitearch}/samba/dcerpc/krb5pac.*.so
 %{python3_sitearch}/samba/dcerpc/lsa.*.so
 %{python3_sitearch}/samba/dcerpc/messaging.*.so
+%{python3_sitearch}/samba/dcerpc/mdssvc.*.so
 %{python3_sitearch}/samba/dcerpc/mgmt.*.so
 %{python3_sitearch}/samba/dcerpc/misc.*.so
 %{python3_sitearch}/samba/dcerpc/nbt.*.so
@@ -2332,6 +2175,7 @@ fi
 %dir %{python3_sitearch}/samba/samba3/__pycache__
 %{python3_sitearch}/samba/samba3/__pycache__/__init__.*.pyc
 %{python3_sitearch}/samba/samba3/libsmb_samba_internal.*.so
+%{python3_sitearch}/samba/samba3/mdscli.*.so
 %{python3_sitearch}/samba/samba3/param.*.so
 %{python3_sitearch}/samba/samba3/passdb.*.so
 %{python3_sitearch}/samba/samba3/smbd.*.so
@@ -2475,6 +2319,7 @@ fi
 %{python3_sitearch}/samba/tests/__pycache__/hostconfig.*.pyc
 %{python3_sitearch}/samba/tests/__pycache__/join.*.pyc
 %{python3_sitearch}/samba/tests/__pycache__/krb5_credentials.*.pyc
+%{python3_sitearch}/samba/tests/__pycache__/ldap_raw.*.pyc
 %{python3_sitearch}/samba/tests/__pycache__/ldap_referrals.*.pyc
 %{python3_sitearch}/samba/tests/__pycache__/loadparm.*.pyc
 %{python3_sitearch}/samba/tests/__pycache__/libsmb.*.pyc
@@ -2515,6 +2360,7 @@ fi
 %{python3_sitearch}/samba/tests/__pycache__/s3passdb.*.pyc
 %{python3_sitearch}/samba/tests/__pycache__/s3registry.*.pyc
 %{python3_sitearch}/samba/tests/__pycache__/s3windb.*.pyc
+%{python3_sitearch}/samba/tests/__pycache__/samba_upgradedns_lmdb.*.pyc
 %{python3_sitearch}/samba/tests/__pycache__/samba3sam.*.pyc
 %{python3_sitearch}/samba/tests/__pycache__/samdb.*.pyc
 %{python3_sitearch}/samba/tests/__pycache__/samdb_api.*.pyc
@@ -2522,6 +2368,7 @@ fi
 %{python3_sitearch}/samba/tests/__pycache__/segfault.*.pyc
 %{python3_sitearch}/samba/tests/__pycache__/smb.*.pyc
 %{python3_sitearch}/samba/tests/__pycache__/smbd_base.*.pyc
+%{python3_sitearch}/samba/tests/__pycache__/smbd_fuzztest.*.pyc
 %{python3_sitearch}/samba/tests/__pycache__/source.*.pyc
 %{python3_sitearch}/samba/tests/__pycache__/strings.*.pyc
 %{python3_sitearch}/samba/tests/__pycache__/subunitrun.*.pyc
@@ -2550,6 +2397,7 @@ fi
 %{python3_sitearch}/samba/tests/blackbox/__pycache__/bug13653.*.pyc
 %{python3_sitearch}/samba/tests/blackbox/__pycache__/check_output.*.pyc
 %{python3_sitearch}/samba/tests/blackbox/__pycache__/downgradedatabase.*.pyc
+%{python3_sitearch}/samba/tests/blackbox/__pycache__/mdfind.*.pyc
 %{python3_sitearch}/samba/tests/blackbox/__pycache__/ndrdump.*.pyc
 %{python3_sitearch}/samba/tests/blackbox/__pycache__/netads_json.*.pyc
 %{python3_sitearch}/samba/tests/blackbox/__pycache__/samba_dnsupdate.*.pyc
@@ -2561,6 +2409,7 @@ fi
 %{python3_sitearch}/samba/tests/blackbox/bug13653.py
 %{python3_sitearch}/samba/tests/blackbox/check_output.py
 %{python3_sitearch}/samba/tests/blackbox/downgradedatabase.py
+%{python3_sitearch}/samba/tests/blackbox/mdfind.py
 %{python3_sitearch}/samba/tests/blackbox/ndrdump.py
 %{python3_sitearch}/samba/tests/blackbox/netads_json.py
 %{python3_sitearch}/samba/tests/blackbox/samba_dnsupdate.py
@@ -2581,6 +2430,7 @@ fi
 %{python3_sitearch}/samba/tests/dcerpc/__pycache__/bare.*.pyc
 %{python3_sitearch}/samba/tests/dcerpc/__pycache__/dnsserver.*.pyc
 %{python3_sitearch}/samba/tests/dcerpc/__pycache__/integer.*.pyc
+%{python3_sitearch}/samba/tests/dcerpc/__pycache__/mdssvc.*.pyc
 %{python3_sitearch}/samba/tests/dcerpc/__pycache__/misc.*.pyc
 %{python3_sitearch}/samba/tests/dcerpc/__pycache__/raw_protocol.*.pyc
 %{python3_sitearch}/samba/tests/dcerpc/__pycache__/raw_testcase.*.pyc
@@ -2596,6 +2446,7 @@ fi
 %{python3_sitearch}/samba/tests/dcerpc/bare.py
 %{python3_sitearch}/samba/tests/dcerpc/dnsserver.py
 %{python3_sitearch}/samba/tests/dcerpc/integer.py
+%{python3_sitearch}/samba/tests/dcerpc/mdssvc.py
 %{python3_sitearch}/samba/tests/dcerpc/misc.py
 %{python3_sitearch}/samba/tests/dcerpc/raw_protocol.py
 %{python3_sitearch}/samba/tests/dcerpc/raw_testcase.py
@@ -2654,6 +2505,7 @@ fi
 %{python3_sitearch}/samba/tests/kcc/kcc_utils.py
 %{python3_sitearch}/samba/tests/kcc/ldif_import_export.py
 %{python3_sitearch}/samba/tests/krb5_credentials.py
+%{python3_sitearch}/samba/tests/ldap_raw.py
 %{python3_sitearch}/samba/tests/ldap_referrals.py
 %{python3_sitearch}/samba/tests/libsmb.py
 %{python3_sitearch}/samba/tests/loadparm.py
@@ -2695,6 +2547,7 @@ fi
 %{python3_sitearch}/samba/tests/s3registry.py
 %{python3_sitearch}/samba/tests/s3windb.py
 %{python3_sitearch}/samba/tests/samba3sam.py
+%{python3_sitearch}/samba/tests/samba_upgradedns_lmdb.py
 %dir %{python3_sitearch}/samba/tests/samba_tool
 %{python3_sitearch}/samba/tests/samba_tool/__init__.py
 %dir %{python3_sitearch}/samba/tests/samba_tool/__pycache__
@@ -2767,6 +2620,7 @@ fi
 %{python3_sitearch}/samba/tests/segfault.py
 %{python3_sitearch}/samba/tests/smb.py
 %{python3_sitearch}/samba/tests/smbd_base.py
+%{python3_sitearch}/samba/tests/smbd_fuzztest.py
 %{python3_sitearch}/samba/tests/source.py
 %{python3_sitearch}/samba/tests/strings.py
 %{python3_sitearch}/samba/tests/subunitrun.py
@@ -2954,11 +2808,13 @@ fi
 %dir %{_libexecdir}/ctdb
 %dir %{_libexecdir}/ctdb/tests
+%{_libexecdir}/ctdb/tests/cluster_mutex_test
 %{_libexecdir}/ctdb/tests/cmdline_test
 %{_libexecdir}/ctdb/tests/comm_client_test
 %{_libexecdir}/ctdb/tests/comm_server_test
 %{_libexecdir}/ctdb/tests/comm_test
 %{_libexecdir}/ctdb/tests/conf_test
+%{_libexecdir}/ctdb/tests/ctdb-db-test
 %{_libexecdir}/ctdb/tests/ctdb_io_test
 %{_libexecdir}/ctdb/tests/ctdb_packet_parse
 %{_libexecdir}/ctdb/tests/ctdb_takeover_tests
@@ -3004,727 +2860,771 @@ fi
 %{_libexecdir}/ctdb/tests/update_record_persistent
 %dir %{_datadir}/ctdb/tests
+%dir %{_datadir}/ctdb/tests/CLUSTER
+%dir %{_datadir}/ctdb/tests/CLUSTER/complex
+%{_datadir}/ctdb/tests/CLUSTER/complex/11_ctdb_delip_removes_ip.sh
+%{_datadir}/ctdb/tests/CLUSTER/complex/18_ctdb_reloadips.sh
+%{_datadir}/ctdb/tests/CLUSTER/complex/30_nfs_tickle_killtcp.sh
+%{_datadir}/ctdb/tests/CLUSTER/complex/31_nfs_tickle.sh
+%{_datadir}/ctdb/tests/CLUSTER/complex/32_cifs_tickle.sh
+%{_datadir}/ctdb/tests/CLUSTER/complex/33_gratuitous_arp.sh
+%{_datadir}/ctdb/tests/CLUSTER/complex/34_nfs_tickle_restart.sh
+%{_datadir}/ctdb/tests/CLUSTER/complex/36_smb_reset_server.sh
+%{_datadir}/ctdb/tests/CLUSTER/complex/37_nfs_reset_server.sh
+%{_datadir}/ctdb/tests/CLUSTER/complex/41_failover_ping_discrete.sh
+%{_datadir}/ctdb/tests/CLUSTER/complex/42_failover_ssh_hostname.sh
+%{_datadir}/ctdb/tests/CLUSTER/complex/43_failover_nfs_basic.sh
+%{_datadir}/ctdb/tests/CLUSTER/complex/44_failover_nfs_oneway.sh
+%{_datadir}/ctdb/tests/CLUSTER/complex/45_failover_nfs_kill.sh
+%{_datadir}/ctdb/tests/CLUSTER/complex/60_rogueip_releaseip.sh
+%{_datadir}/ctdb/tests/CLUSTER/complex/61_rogueip_takeip.sh
+%{_datadir}/ctdb/tests/CLUSTER/complex/README
-%dir %{_datadir}/ctdb/tests/complex
-%{_datadir}/ctdb/tests/complex/README
-%{_datadir}/ctdb/tests/complex/11_ctdb_delip_removes_ip.sh
-%{_datadir}/ctdb/tests/complex/18_ctdb_reloadips.sh
-%{_datadir}/ctdb/tests/complex/30_nfs_tickle_killtcp.sh
-%{_datadir}/ctdb/tests/complex/31_nfs_tickle.sh
-%{_datadir}/ctdb/tests/complex/32_cifs_tickle.sh
-%{_datadir}/ctdb/tests/complex/33_gratuitous_arp.sh
-%{_datadir}/ctdb/tests/complex/34_nfs_tickle_restart.sh
-%{_datadir}/ctdb/tests/complex/36_smb_reset_server.sh
-%{_datadir}/ctdb/tests/complex/37_nfs_reset_server.sh
-%{_datadir}/ctdb/tests/complex/41_failover_ping_discrete.sh
-%{_datadir}/ctdb/tests/complex/42_failover_ssh_hostname.sh
-%{_datadir}/ctdb/tests/complex/43_failover_nfs_basic.sh
-%{_datadir}/ctdb/tests/complex/44_failover_nfs_oneway.sh
-%{_datadir}/ctdb/tests/complex/45_failover_nfs_kill.sh
-%{_datadir}/ctdb/tests/complex/60_rogueip_releaseip.sh
-%{_datadir}/ctdb/tests/complex/61_rogueip_takeip.sh
+%dir %{_datadir}/ctdb/tests/CLUSTER/complex/scripts
+%{_datadir}/ctdb/tests/CLUSTER/complex/scripts/local.bash
-%dir %{_datadir}/ctdb/tests/complex/scripts
-%{_datadir}/ctdb/tests/complex/scripts/local.bash
-
-%dir %{_datadir}/ctdb/tests/cunit
-%{_datadir}/ctdb/tests/cunit/cmdline_test_001.sh
-%{_datadir}/ctdb/tests/cunit/comm_test_001.sh
-%{_datadir}/ctdb/tests/cunit/comm_test_002.sh
-%{_datadir}/ctdb/tests/cunit/conf_test_001.sh
-%{_datadir}/ctdb/tests/cunit/config_test_001.sh
-%{_datadir}/ctdb/tests/cunit/config_test_002.sh
-%{_datadir}/ctdb/tests/cunit/config_test_003.sh
-%{_datadir}/ctdb/tests/cunit/config_test_004.sh
-%{_datadir}/ctdb/tests/cunit/config_test_005.sh
-%{_datadir}/ctdb/tests/cunit/config_test_006.sh
-%{_datadir}/ctdb/tests/cunit/config_test_007.sh
-%{_datadir}/ctdb/tests/cunit/ctdb_io_test_001.sh
-%{_datadir}/ctdb/tests/cunit/db_hash_test_001.sh
-%{_datadir}/ctdb/tests/cunit/event_protocol_test_001.sh
-%{_datadir}/ctdb/tests/cunit/event_script_test_001.sh
-%{_datadir}/ctdb/tests/cunit/hash_count_test_001.sh
-%{_datadir}/ctdb/tests/cunit/line_test_001.sh
-%{_datadir}/ctdb/tests/cunit/path_tests_001.sh
-%{_datadir}/ctdb/tests/cunit/pidfile_test_001.sh
-%{_datadir}/ctdb/tests/cunit/pkt_read_001.sh
-%{_datadir}/ctdb/tests/cunit/pkt_write_001.sh
-%{_datadir}/ctdb/tests/cunit/porting_tests_001.sh
-%{_datadir}/ctdb/tests/cunit/protocol_test_001.sh
-%{_datadir}/ctdb/tests/cunit/protocol_test_002.sh
-%{_datadir}/ctdb/tests/cunit/protocol_test_012.sh
-%{_datadir}/ctdb/tests/cunit/protocol_test_101.sh
-%{_datadir}/ctdb/tests/cunit/protocol_test_111.sh
-%{_datadir}/ctdb/tests/cunit/protocol_test_201.sh
-%{_datadir}/ctdb/tests/cunit/rb_test_001.sh
-%{_datadir}/ctdb/tests/cunit/reqid_test_001.sh
-%{_datadir}/ctdb/tests/cunit/run_event_001.sh
-%{_datadir}/ctdb/tests/cunit/run_proc_001.sh
-%{_datadir}/ctdb/tests/cunit/sock_daemon_test_001.sh
-%{_datadir}/ctdb/tests/cunit/sock_io_test_001.sh
-%{_datadir}/ctdb/tests/cunit/srvid_test_001.sh
-%{_datadir}/ctdb/tests/cunit/system_socket_test_001.sh
 %dir %{_datadir}/ctdb/tests/etc-ctdb
 %dir %{_datadir}/ctdb/tests/etc-ctdb/events
 %dir %{_datadir}/ctdb/tests/etc-ctdb/events/legacy
 %{_datadir}/ctdb/tests/etc-ctdb/events/legacy/00.test.script
-%dir %{_datadir}/ctdb/tests/eventd
-%{_datadir}/ctdb/tests/eventd/README
-%dir %{_datadir}/ctdb/tests/eventd/etc-ctdb
-%{_datadir}/ctdb/tests/eventd/etc-ctdb/ctdb.conf
-%{_datadir}/ctdb/tests/eventd/etc-ctdb/debug-script.sh
-%dir %{_datadir}/ctdb/tests/eventd/etc-ctdb/events
-%dir %{_datadir}/ctdb/tests/eventd/etc-ctdb/events/data
-%{_datadir}/ctdb/tests/eventd/etc-ctdb/events/data/README
-%{_datadir}/ctdb/tests/eventd/etc-ctdb/events/data/03.notalink.script
-%dir %{_datadir}/ctdb/tests/eventd/etc-ctdb/events/empty
-%{_datadir}/ctdb/tests/eventd/etc-ctdb/events/empty/README
-%dir %{_datadir}/ctdb/tests/eventd/etc-ctdb/events/multi
-%{_datadir}/ctdb/tests/eventd/etc-ctdb/events/multi/01.test.script
-%{_datadir}/ctdb/tests/eventd/etc-ctdb/events/multi/02.test.script
-%{_datadir}/ctdb/tests/eventd/etc-ctdb/events/multi/03.test.script
-%dir %{_datadir}/ctdb/tests/eventd/etc-ctdb/events/random
-%{_datadir}/ctdb/tests/eventd/etc-ctdb/events/random/01.disabled.script
-%{_datadir}/ctdb/tests/eventd/etc-ctdb/events/random/02.enabled.script
-%{_datadir}/ctdb/tests/eventd/etc-ctdb/events/random/README.script
-%{_datadir}/ctdb/tests/eventd/etc-ctdb/events/random/a.script
-%dir %{_datadir}/ctdb/tests/eventd/etc-ctdb/share
-%dir %{_datadir}/ctdb/tests/eventd/etc-ctdb/share/events/
-%dir %{_datadir}/ctdb/tests/eventd/etc-ctdb/share/events/data
-%{_datadir}/ctdb/tests/eventd/etc-ctdb/share/events/data/01.dummy.script
-%{_datadir}/ctdb/tests/eventd/etc-ctdb/share/events/data/02.disabled.script
-%dir %{_datadir}/ctdb/tests/eventd/etc-ctdb/share/events/empty
-%{_datadir}/ctdb/tests/eventd/etc-ctdb/share/events/empty/README
-%dir %{_datadir}/ctdb/tests/eventd/etc-ctdb/share/events/random
-%{_datadir}/ctdb/tests/eventd/etc-ctdb/share/events/random/01.disabled.script
-%{_datadir}/ctdb/tests/eventd/etc-ctdb/share/events/random/02.enabled.script
-%{_datadir}/ctdb/tests/eventd/etc-ctdb/share/events/random/a.script
-%{_datadir}/ctdb/tests/eventd/etc-ctdb/share/events/random/README.script
-%{_datadir}/ctdb/tests/eventd/eventd_001.sh
-%{_datadir}/ctdb/tests/eventd/eventd_002.sh
-%{_datadir}/ctdb/tests/eventd/eventd_003.sh
-%{_datadir}/ctdb/tests/eventd/eventd_004.sh
-%{_datadir}/ctdb/tests/eventd/eventd_005.sh
-%{_datadir}/ctdb/tests/eventd/eventd_006.sh
-%{_datadir}/ctdb/tests/eventd/eventd_007.sh
-%{_datadir}/ctdb/tests/eventd/eventd_008.sh
-%{_datadir}/ctdb/tests/eventd/eventd_009.sh
-%{_datadir}/ctdb/tests/eventd/eventd_011.sh
-%{_datadir}/ctdb/tests/eventd/eventd_012.sh
-%{_datadir}/ctdb/tests/eventd/eventd_013.sh
-%{_datadir}/ctdb/tests/eventd/eventd_014.sh
-%{_datadir}/ctdb/tests/eventd/eventd_021.sh
-%{_datadir}/ctdb/tests/eventd/eventd_022.sh
-%{_datadir}/ctdb/tests/eventd/eventd_023.sh
-%{_datadir}/ctdb/tests/eventd/eventd_024.sh
-%{_datadir}/ctdb/tests/eventd/eventd_031.sh
-%{_datadir}/ctdb/tests/eventd/eventd_032.sh
-%{_datadir}/ctdb/tests/eventd/eventd_033.sh
-%{_datadir}/ctdb/tests/eventd/eventd_041.sh
-%{_datadir}/ctdb/tests/eventd/eventd_042.sh
-%{_datadir}/ctdb/tests/eventd/eventd_043.sh
-%{_datadir}/ctdb/tests/eventd/eventd_044.sh
-%{_datadir}/ctdb/tests/eventd/eventd_051.sh
-%{_datadir}/ctdb/tests/eventd/eventd_052.sh
-%dir %{_datadir}/ctdb/tests/eventd/scripts
-%{_datadir}/ctdb/tests/eventd/scripts/local.sh
-
-%dir %{_datadir}/ctdb/tests/eventscripts
-%{_datadir}/ctdb/tests/eventscripts/README
-%{_datadir}/ctdb/tests/eventscripts/00.ctdb.init.001.sh
-%{_datadir}/ctdb/tests/eventscripts/00.ctdb.init.002.sh
-%{_datadir}/ctdb/tests/eventscripts/00.ctdb.init.003.sh
-%{_datadir}/ctdb/tests/eventscripts/00.ctdb.init.004.sh
-%{_datadir}/ctdb/tests/eventscripts/00.ctdb.init.005.sh
-%{_datadir}/ctdb/tests/eventscripts/00.ctdb.init.006.sh
-%{_datadir}/ctdb/tests/eventscripts/00.ctdb.init.007.sh
-%{_datadir}/ctdb/tests/eventscripts/00.ctdb.init.008.sh
-%{_datadir}/ctdb/tests/eventscripts/00.ctdb.init.009.sh
-%{_datadir}/ctdb/tests/eventscripts/00.ctdb.setup.001.sh
-%{_datadir}/ctdb/tests/eventscripts/00.ctdb.setup.002.sh
-%{_datadir}/ctdb/tests/eventscripts/00.ctdb.setup.003.sh
-%{_datadir}/ctdb/tests/eventscripts/00.ctdb.setup.004.sh
-%{_datadir}/ctdb/tests/eventscripts/01.reclock.monitor.001.sh
-%{_datadir}/ctdb/tests/eventscripts/01.reclock.monitor.002.sh
-%{_datadir}/ctdb/tests/eventscripts/01.reclock.monitor.003.sh
-%{_datadir}/ctdb/tests/eventscripts/01.reclock.monitor.004.sh
-%{_datadir}/ctdb/tests/eventscripts/01.reclock.monitor.005.sh
-%{_datadir}/ctdb/tests/eventscripts/05.system.monitor.001.sh
-%{_datadir}/ctdb/tests/eventscripts/05.system.monitor.002.sh
-%{_datadir}/ctdb/tests/eventscripts/05.system.monitor.003.sh
-%{_datadir}/ctdb/tests/eventscripts/05.system.monitor.004.sh
-%{_datadir}/ctdb/tests/eventscripts/05.system.monitor.005.sh
-%{_datadir}/ctdb/tests/eventscripts/05.system.monitor.006.sh
-%{_datadir}/ctdb/tests/eventscripts/05.system.monitor.007.sh
-%{_datadir}/ctdb/tests/eventscripts/05.system.monitor.011.sh
-%{_datadir}/ctdb/tests/eventscripts/05.system.monitor.012.sh
-%{_datadir}/ctdb/tests/eventscripts/05.system.monitor.014.sh
-%{_datadir}/ctdb/tests/eventscripts/05.system.monitor.015.sh
-%{_datadir}/ctdb/tests/eventscripts/05.system.monitor.017.sh
-%{_datadir}/ctdb/tests/eventscripts/05.system.monitor.018.sh
-%{_datadir}/ctdb/tests/eventscripts/06.nfs.releaseip.001.sh
-%{_datadir}/ctdb/tests/eventscripts/06.nfs.releaseip.002.sh
-%{_datadir}/ctdb/tests/eventscripts/06.nfs.takeip.001.sh
-%{_datadir}/ctdb/tests/eventscripts/06.nfs.takeip.002.sh
-%{_datadir}/ctdb/tests/eventscripts/10.interface.010.sh
-%{_datadir}/ctdb/tests/eventscripts/10.interface.011.sh
-%{_datadir}/ctdb/tests/eventscripts/10.interface.012.sh
-%{_datadir}/ctdb/tests/eventscripts/10.interface.013.sh
-%{_datadir}/ctdb/tests/eventscripts/10.interface.init.001.sh
-%{_datadir}/ctdb/tests/eventscripts/10.interface.init.002.sh
-%{_datadir}/ctdb/tests/eventscripts/10.interface.init.021.sh
-%{_datadir}/ctdb/tests/eventscripts/10.interface.init.022.sh
-%{_datadir}/ctdb/tests/eventscripts/10.interface.init.023.sh
-%{_datadir}/ctdb/tests/eventscripts/10.interface.monitor.001.sh
-%{_datadir}/ctdb/tests/eventscripts/10.interface.monitor.002.sh
-%{_datadir}/ctdb/tests/eventscripts/10.interface.monitor.003.sh
-%{_datadir}/ctdb/tests/eventscripts/10.interface.monitor.004.sh
-%{_datadir}/ctdb/tests/eventscripts/10.interface.monitor.005.sh
-%{_datadir}/ctdb/tests/eventscripts/10.interface.monitor.006.sh
-%{_datadir}/ctdb/tests/eventscripts/10.interface.monitor.009.sh
-%{_datadir}/ctdb/tests/eventscripts/10.interface.monitor.010.sh
-%{_datadir}/ctdb/tests/eventscripts/10.interface.monitor.011.sh
-%{_datadir}/ctdb/tests/eventscripts/10.interface.monitor.012.sh
-%{_datadir}/ctdb/tests/eventscripts/10.interface.monitor.013.sh
-%{_datadir}/ctdb/tests/eventscripts/10.interface.monitor.014.sh
-%{_datadir}/ctdb/tests/eventscripts/10.interface.monitor.015.sh
-%{_datadir}/ctdb/tests/eventscripts/10.interface.monitor.016.sh
-%{_datadir}/ctdb/tests/eventscripts/10.interface.monitor.017.sh
-%{_datadir}/ctdb/tests/eventscripts/10.interface.monitor.018.sh
-%{_datadir}/ctdb/tests/eventscripts/10.interface.multi.001.sh
-%{_datadir}/ctdb/tests/eventscripts/10.interface.releaseip.001.sh
-%{_datadir}/ctdb/tests/eventscripts/10.interface.releaseip.002.sh
-%{_datadir}/ctdb/tests/eventscripts/10.interface.startup.001.sh
-%{_datadir}/ctdb/tests/eventscripts/10.interface.startup.002.sh
-%{_datadir}/ctdb/tests/eventscripts/10.interface.takeip.001.sh
-%{_datadir}/ctdb/tests/eventscripts/10.interface.takeip.002.sh
-%{_datadir}/ctdb/tests/eventscripts/10.interface.takeip.003.sh
-%{_datadir}/ctdb/tests/eventscripts/11.natgw.001.sh
-%{_datadir}/ctdb/tests/eventscripts/11.natgw.002.sh
-%{_datadir}/ctdb/tests/eventscripts/11.natgw.003.sh
-%{_datadir}/ctdb/tests/eventscripts/11.natgw.004.sh
-%{_datadir}/ctdb/tests/eventscripts/11.natgw.011.sh
-%{_datadir}/ctdb/tests/eventscripts/11.natgw.012.sh
-%{_datadir}/ctdb/tests/eventscripts/11.natgw.013.sh
-%{_datadir}/ctdb/tests/eventscripts/11.natgw.014.sh
-%{_datadir}/ctdb/tests/eventscripts/11.natgw.015.sh
-%{_datadir}/ctdb/tests/eventscripts/11.natgw.021.sh
-%{_datadir}/ctdb/tests/eventscripts/11.natgw.022.sh
-%{_datadir}/ctdb/tests/eventscripts/11.natgw.023.sh
-%{_datadir}/ctdb/tests/eventscripts/11.natgw.024.sh
-%{_datadir}/ctdb/tests/eventscripts/11.natgw.025.sh
-%{_datadir}/ctdb/tests/eventscripts/11.natgw.031.sh
-%{_datadir}/ctdb/tests/eventscripts/11.natgw.041.sh
-%{_datadir}/ctdb/tests/eventscripts/11.natgw.042.sh
-%{_datadir}/ctdb/tests/eventscripts/11.natgw.051.sh
-%{_datadir}/ctdb/tests/eventscripts/11.natgw.052.sh
-%{_datadir}/ctdb/tests/eventscripts/11.natgw.053.sh
-%{_datadir}/ctdb/tests/eventscripts/11.natgw.054.sh
-%{_datadir}/ctdb/tests/eventscripts/13.per_ip_routing.001.sh
-%{_datadir}/ctdb/tests/eventscripts/13.per_ip_routing.002.sh
-%{_datadir}/ctdb/tests/eventscripts/13.per_ip_routing.003.sh
-%{_datadir}/ctdb/tests/eventscripts/13.per_ip_routing.004.sh
-%{_datadir}/ctdb/tests/eventscripts/13.per_ip_routing.005.sh
-%{_datadir}/ctdb/tests/eventscripts/13.per_ip_routing.006.sh
-%{_datadir}/ctdb/tests/eventscripts/13.per_ip_routing.007.sh
-%{_datadir}/ctdb/tests/eventscripts/13.per_ip_routing.008.sh
-%{_datadir}/ctdb/tests/eventscripts/13.per_ip_routing.009.sh
-%{_datadir}/ctdb/tests/eventscripts/13.per_ip_routing.010.sh
-%{_datadir}/ctdb/tests/eventscripts/13.per_ip_routing.011.sh
-%{_datadir}/ctdb/tests/eventscripts/13.per_ip_routing.012.sh
-%{_datadir}/ctdb/tests/eventscripts/13.per_ip_routing.013.sh
-%{_datadir}/ctdb/tests/eventscripts/13.per_ip_routing.014.sh
-%{_datadir}/ctdb/tests/eventscripts/13.per_ip_routing.015.sh
-%{_datadir}/ctdb/tests/eventscripts/13.per_ip_routing.016.sh
-%{_datadir}/ctdb/tests/eventscripts/13.per_ip_routing.017.sh
-%{_datadir}/ctdb/tests/eventscripts/13.per_ip_routing.018.sh
-%{_datadir}/ctdb/tests/eventscripts/13.per_ip_routing.019.sh
-%{_datadir}/ctdb/tests/eventscripts/13.per_ip_routing.021.sh
-%{_datadir}/ctdb/tests/eventscripts/13.per_ip_routing.022.sh
-%{_datadir}/ctdb/tests/eventscripts/13.per_ip_routing.023.sh
-%{_datadir}/ctdb/tests/eventscripts/13.per_ip_routing.024.sh
-%{_datadir}/ctdb/tests/eventscripts/20.multipathd.monitor.001.sh
-%{_datadir}/ctdb/tests/eventscripts/20.multipathd.monitor.002.sh
-%{_datadir}/ctdb/tests/eventscripts/20.multipathd.monitor.003.sh
-%{_datadir}/ctdb/tests/eventscripts/20.multipathd.monitor.004.sh
-%{_datadir}/ctdb/tests/eventscripts/31.clamd.monitor.002.sh
-%{_datadir}/ctdb/tests/eventscripts/31.clamd.monitor.003.sh
-%{_datadir}/ctdb/tests/eventscripts/40.vsftpd.monitor.002.sh
-%{_datadir}/ctdb/tests/eventscripts/40.vsftpd.shutdown.002.sh
-%{_datadir}/ctdb/tests/eventscripts/40.vsftpd.startup.002.sh
-%{_datadir}/ctdb/tests/eventscripts/41.httpd.monitor.002.sh
-%{_datadir}/ctdb/tests/eventscripts/41.httpd.shutdown.002.sh
-%{_datadir}/ctdb/tests/eventscripts/41.httpd.startup.002.sh
-%{_datadir}/ctdb/tests/eventscripts/49.winbind.monitor.101.sh
-%{_datadir}/ctdb/tests/eventscripts/49.winbind.monitor.102.sh
-%{_datadir}/ctdb/tests/eventscripts/49.winbind.shutdown.002.sh
-%{_datadir}/ctdb/tests/eventscripts/49.winbind.startup.002.sh
-%{_datadir}/ctdb/tests/eventscripts/50.samba.monitor.101.sh
-%{_datadir}/ctdb/tests/eventscripts/50.samba.monitor.103.sh
-%{_datadir}/ctdb/tests/eventscripts/50.samba.monitor.104.sh
-%{_datadir}/ctdb/tests/eventscripts/50.samba.monitor.105.sh
-%{_datadir}/ctdb/tests/eventscripts/50.samba.monitor.106.sh
-%{_datadir}/ctdb/tests/eventscripts/50.samba.monitor.110.sh
-%{_datadir}/ctdb/tests/eventscripts/50.samba.monitor.111.sh
-%{_datadir}/ctdb/tests/eventscripts/50.samba.monitor.112.sh
-%{_datadir}/ctdb/tests/eventscripts/50.samba.monitor.113.sh
-%{_datadir}/ctdb/tests/eventscripts/50.samba.shutdown.001.sh
-%{_datadir}/ctdb/tests/eventscripts/50.samba.shutdown.002.sh
-%{_datadir}/ctdb/tests/eventscripts/50.samba.shutdown.011.sh
-%{_datadir}/ctdb/tests/eventscripts/50.samba.startup.011.sh
-%{_datadir}/ctdb/tests/eventscripts/60.nfs.monitor.101.sh
-%{_datadir}/ctdb/tests/eventscripts/60.nfs.monitor.102.sh
-%{_datadir}/ctdb/tests/eventscripts/60.nfs.monitor.103.sh
-%{_datadir}/ctdb/tests/eventscripts/60.nfs.monitor.104.sh
-%{_datadir}/ctdb/tests/eventscripts/60.nfs.monitor.105.sh
-%{_datadir}/ctdb/tests/eventscripts/60.nfs.monitor.106.sh
-%{_datadir}/ctdb/tests/eventscripts/60.nfs.monitor.107.sh
-%{_datadir}/ctdb/tests/eventscripts/60.nfs.monitor.108.sh
-%{_datadir}/ctdb/tests/eventscripts/60.nfs.monitor.109.sh
-%{_datadir}/ctdb/tests/eventscripts/60.nfs.monitor.111.sh
-%{_datadir}/ctdb/tests/eventscripts/60.nfs.monitor.112.sh
-%{_datadir}/ctdb/tests/eventscripts/60.nfs.monitor.113.sh
-%{_datadir}/ctdb/tests/eventscripts/60.nfs.monitor.114.sh
-%{_datadir}/ctdb/tests/eventscripts/60.nfs.monitor.121.sh
-%{_datadir}/ctdb/tests/eventscripts/60.nfs.monitor.122.sh
-%{_datadir}/ctdb/tests/eventscripts/60.nfs.monitor.131.sh
-%{_datadir}/ctdb/tests/eventscripts/60.nfs.monitor.132.sh
-%{_datadir}/ctdb/tests/eventscripts/60.nfs.monitor.141.sh
-%{_datadir}/ctdb/tests/eventscripts/60.nfs.monitor.142.sh
-%{_datadir}/ctdb/tests/eventscripts/60.nfs.monitor.143.sh
-%{_datadir}/ctdb/tests/eventscripts/60.nfs.monitor.144.sh
-%{_datadir}/ctdb/tests/eventscripts/60.nfs.monitor.151.sh
-%{_datadir}/ctdb/tests/eventscripts/60.nfs.monitor.152.sh
-%{_datadir}/ctdb/tests/eventscripts/60.nfs.monitor.153.sh
-%{_datadir}/ctdb/tests/eventscripts/60.nfs.monitor.161.sh
-%{_datadir}/ctdb/tests/eventscripts/60.nfs.monitor.162.sh
-%{_datadir}/ctdb/tests/eventscripts/60.nfs.multi.001.sh
-%{_datadir}/ctdb/tests/eventscripts/60.nfs.multi.002.sh
-%{_datadir}/ctdb/tests/eventscripts/60.nfs.releaseip.001.sh
-%{_datadir}/ctdb/tests/eventscripts/60.nfs.releaseip.002.sh
-%{_datadir}/ctdb/tests/eventscripts/60.nfs.shutdown.001.sh
-%{_datadir}/ctdb/tests/eventscripts/60.nfs.shutdown.002.sh
-%{_datadir}/ctdb/tests/eventscripts/60.nfs.startup.001.sh
-%{_datadir}/ctdb/tests/eventscripts/60.nfs.startup.002.sh
-%{_datadir}/ctdb/tests/eventscripts/60.nfs.takeip.001.sh
-%{_datadir}/ctdb/tests/eventscripts/60.nfs.takeip.002.sh
-%{_datadir}/ctdb/tests/eventscripts/91.lvs.001.sh
-%{_datadir}/ctdb/tests/eventscripts/91.lvs.ipreallocated.011.sh
-%{_datadir}/ctdb/tests/eventscripts/91.lvs.ipreallocated.012.sh
-%{_datadir}/ctdb/tests/eventscripts/91.lvs.ipreallocated.013.sh
-%{_datadir}/ctdb/tests/eventscripts/91.lvs.ipreallocated.014.sh
-%{_datadir}/ctdb/tests/eventscripts/91.lvs.monitor.001.sh
-%{_datadir}/ctdb/tests/eventscripts/91.lvs.monitor.002.sh
-%{_datadir}/ctdb/tests/eventscripts/91.lvs.monitor.003.sh
-%{_datadir}/ctdb/tests/eventscripts/91.lvs.shutdown.001.sh
-%{_datadir}/ctdb/tests/eventscripts/91.lvs.shutdown.002.sh
-%{_datadir}/ctdb/tests/eventscripts/91.lvs.startup.001.sh
-%{_datadir}/ctdb/tests/eventscripts/91.lvs.startup.002.sh
-%{_datadir}/ctdb/tests/eventscripts/statd-callout.001.sh
-%{_datadir}/ctdb/tests/eventscripts/statd-callout.002.sh
-%{_datadir}/ctdb/tests/eventscripts/statd-callout.003.sh
-%{_datadir}/ctdb/tests/eventscripts/statd-callout.004.sh
-%{_datadir}/ctdb/tests/eventscripts/statd-callout.005.sh
-%{_datadir}/ctdb/tests/eventscripts/statd-callout.006.sh
-%{_datadir}/ctdb/tests/eventscripts/statd-callout.007.sh
-
-%dir %{_datadir}/ctdb/tests/eventscripts/etc-ctdb
-%{_datadir}/ctdb/tests/eventscripts/etc-ctdb/public_addresses
-%{_datadir}/ctdb/tests/eventscripts/etc-ctdb/rc.local
-
-%dir %{_datadir}/ctdb/tests/eventscripts/etc
-%dir %{_datadir}/ctdb/tests/eventscripts/etc/init.d
-%{_datadir}/ctdb/tests/eventscripts/etc/init.d/nfs
-%{_datadir}/ctdb/tests/eventscripts/etc/init.d/nfslock
-
-%dir %{_datadir}/ctdb/tests/eventscripts/etc/samba
-%{_datadir}/ctdb/tests/eventscripts/etc/samba/smb.conf
-
-%dir %{_datadir}/ctdb/tests/eventscripts/etc/sysconfig
-%{_datadir}/ctdb/tests/eventscripts/etc/sysconfig/nfs
-
-%dir %{_datadir}/ctdb/tests/eventscripts/scripts
-%{_datadir}/ctdb/tests/eventscripts/scripts/local.sh
-%{_datadir}/ctdb/tests/eventscripts/scripts/00.ctdb.sh
-%{_datadir}/ctdb/tests/eventscripts/scripts/01.reclock.sh
-%{_datadir}/ctdb/tests/eventscripts/scripts/05.system.sh
-%{_datadir}/ctdb/tests/eventscripts/scripts/06.nfs.sh
-%{_datadir}/ctdb/tests/eventscripts/scripts/10.interface.sh
-%{_datadir}/ctdb/tests/eventscripts/scripts/11.natgw.sh
-%{_datadir}/ctdb/tests/eventscripts/scripts/13.per_ip_routing.sh
-%{_datadir}/ctdb/tests/eventscripts/scripts/20.multipathd.sh
-%{_datadir}/ctdb/tests/eventscripts/scripts/31.clamd.sh
-%{_datadir}/ctdb/tests/eventscripts/scripts/40.vsftpd.sh
-%{_datadir}/ctdb/tests/eventscripts/scripts/41.httpd.sh
-%{_datadir}/ctdb/tests/eventscripts/scripts/49.winbind.sh
-%{_datadir}/ctdb/tests/eventscripts/scripts/50.samba.sh
-%{_datadir}/ctdb/tests/eventscripts/scripts/60.nfs.sh
-%{_datadir}/ctdb/tests/eventscripts/scripts/91.lvs.sh
-%{_datadir}/ctdb/tests/eventscripts/scripts/statd-callout.sh
-
-%dir %{_datadir}/ctdb/tests/eventscripts/stubs
-%{_datadir}/ctdb/tests/eventscripts/stubs/ctdb
-%{_datadir}/ctdb/tests/eventscripts/stubs/ctdb-config
-%{_datadir}/ctdb/tests/eventscripts/stubs/ctdb_killtcp
-%{_datadir}/ctdb/tests/eventscripts/stubs/ctdb_lvs
-%{_datadir}/ctdb/tests/eventscripts/stubs/ctdb_natgw
-%{_datadir}/ctdb/tests/eventscripts/stubs/date
-%{_datadir}/ctdb/tests/eventscripts/stubs/df
-%{_datadir}/ctdb/tests/eventscripts/stubs/ethtool
-%{_datadir}/ctdb/tests/eventscripts/stubs/exportfs
-%{_datadir}/ctdb/tests/eventscripts/stubs/id
-%{_datadir}/ctdb/tests/eventscripts/stubs/ip
-%{_datadir}/ctdb/tests/eventscripts/stubs/ip6tables
-%{_datadir}/ctdb/tests/eventscripts/stubs/iptables
-%{_datadir}/ctdb/tests/eventscripts/stubs/ipvsadm
-%{_datadir}/ctdb/tests/eventscripts/stubs/kill
-%{_datadir}/ctdb/tests/eventscripts/stubs/killall
-%{_datadir}/ctdb/tests/eventscripts/stubs/multipath
-%{_datadir}/ctdb/tests/eventscripts/stubs/net
-%{_datadir}/ctdb/tests/eventscripts/stubs/pidof
-%{_datadir}/ctdb/tests/eventscripts/stubs/pkill
-%{_datadir}/ctdb/tests/eventscripts/stubs/ps
-%{_datadir}/ctdb/tests/eventscripts/stubs/rm
-%{_datadir}/ctdb/tests/eventscripts/stubs/rpc.lockd
-%{_datadir}/ctdb/tests/eventscripts/stubs/rpc.mountd
-%{_datadir}/ctdb/tests/eventscripts/stubs/rpc.rquotad
-%{_datadir}/ctdb/tests/eventscripts/stubs/rpc.statd
-%{_datadir}/ctdb/tests/eventscripts/stubs/rpcinfo
-%{_datadir}/ctdb/tests/eventscripts/stubs/service
-%{_datadir}/ctdb/tests/eventscripts/stubs/sleep
-%{_datadir}/ctdb/tests/eventscripts/stubs/smnotify
-%{_datadir}/ctdb/tests/eventscripts/stubs/ss
-%{_datadir}/ctdb/tests/eventscripts/stubs/tdbdump
-%{_datadir}/ctdb/tests/eventscripts/stubs/tdbtool
-%{_datadir}/ctdb/tests/eventscripts/stubs/testparm
-%{_datadir}/ctdb/tests/eventscripts/stubs/timeout
-%{_datadir}/ctdb/tests/eventscripts/stubs/wbinfo
-
-%dir %{_datadir}/ctdb/tests/onnode
-%{_datadir}/ctdb/tests/onnode/0001.sh
-%{_datadir}/ctdb/tests/onnode/0002.sh
-%{_datadir}/ctdb/tests/onnode/0003.sh
-%{_datadir}/ctdb/tests/onnode/0004.sh
-%{_datadir}/ctdb/tests/onnode/0005.sh
-%{_datadir}/ctdb/tests/onnode/0006.sh
-%{_datadir}/ctdb/tests/onnode/0010.sh
-%{_datadir}/ctdb/tests/onnode/0011.sh
-%{_datadir}/ctdb/tests/onnode/0070.sh
-%{_datadir}/ctdb/tests/onnode/0071.sh
-%{_datadir}/ctdb/tests/onnode/0072.sh
-%{_datadir}/ctdb/tests/onnode/0075.sh
-
-%dir %{_datadir}/ctdb/tests/onnode/etc-ctdb
-%{_datadir}/ctdb/tests/onnode/etc-ctdb/nodes
-
-%dir %{_datadir}/ctdb/tests/onnode/scripts
-%{_datadir}/ctdb/tests/onnode/scripts/local.sh
-
-%dir %{_datadir}/ctdb/tests/onnode/stubs
-%{_datadir}/ctdb/tests/onnode/stubs/ctdb
-%{_datadir}/ctdb/tests/onnode/stubs/ssh
-
+%dir %{_datadir}/ctdb/tests/INTEGRATION
+%dir %{_datadir}/ctdb/tests/INTEGRATION/database
+%{_datadir}/ctdb/tests/INTEGRATION/database/basics.001.attach.sh
+%{_datadir}/ctdb/tests/INTEGRATION/database/basics.002.attach.sh
+%{_datadir}/ctdb/tests/INTEGRATION/database/basics.003.detach.sh
+%{_datadir}/ctdb/tests/INTEGRATION/database/basics.004.wipe.sh
+%{_datadir}/ctdb/tests/INTEGRATION/database/basics.010.backup_restore.sh
+%{_datadir}/ctdb/tests/INTEGRATION/database/fetch.001.ring.sh
+%{_datadir}/ctdb/tests/INTEGRATION/database/readonly.001.basic.sh
+%{_datadir}/ctdb/tests/INTEGRATION/database/recovery.001.volatile.sh
+%{_datadir}/ctdb/tests/INTEGRATION/database/recovery.002.large.sh
+%{_datadir}/ctdb/tests/INTEGRATION/database/recovery.003.no_resurrect.sh
+%{_datadir}/ctdb/tests/INTEGRATION/database/recovery.010.persistent.sh
+%{_datadir}/ctdb/tests/INTEGRATION/database/recovery.011.continue.sh
+%dir %{_datadir}/ctdb/tests/INTEGRATION/database/scripts
+%{_datadir}/ctdb/tests/INTEGRATION/database/scripts/local.bash
+%{_datadir}/ctdb/tests/INTEGRATION/database/transaction.001.ptrans.sh
+%{_datadir}/ctdb/tests/INTEGRATION/database/transaction.002.loop.sh
+%{_datadir}/ctdb/tests/INTEGRATION/database/transaction.003.loop_recovery.sh
+%{_datadir}/ctdb/tests/INTEGRATION/database/transaction.004.update_record.sh
+%{_datadir}/ctdb/tests/INTEGRATION/database/transaction.010.loop_recovery.sh
+%{_datadir}/ctdb/tests/INTEGRATION/database/traverse.001.one.sh
+%{_datadir}/ctdb/tests/INTEGRATION/database/traverse.002.many.sh
+%{_datadir}/ctdb/tests/INTEGRATION/database/vacuum.001.fast.sh
+%{_datadir}/ctdb/tests/INTEGRATION/database/vacuum.002.full.sh
+%{_datadir}/ctdb/tests/INTEGRATION/database/vacuum.003.recreate.sh
+%{_datadir}/ctdb/tests/INTEGRATION/database/vacuum.030.locked.sh
+%{_datadir}/ctdb/tests/INTEGRATION/database/vacuum.031.locked.sh
+%{_datadir}/ctdb/tests/INTEGRATION/database/vacuum.032.locked.sh
+%{_datadir}/ctdb/tests/INTEGRATION/database/vacuum.033.locked.sh
+%{_datadir}/ctdb/tests/INTEGRATION/database/vacuum.034.locked.sh
+%dir %{_datadir}/ctdb/tests/INTEGRATION/failover
+%{_datadir}/ctdb/tests/INTEGRATION/failover/pubips.001.list.sh
+%{_datadir}/ctdb/tests/INTEGRATION/failover/pubips.010.addip.sh
+%{_datadir}/ctdb/tests/INTEGRATION/failover/pubips.011.delip.sh
+%{_datadir}/ctdb/tests/INTEGRATION/failover/pubips.012.reloadips.sh
+%{_datadir}/ctdb/tests/INTEGRATION/failover/pubips.013.failover_noop.sh
+%{_datadir}/ctdb/tests/INTEGRATION/failover/pubips.014.iface_gc.sh
+%{_datadir}/ctdb/tests/INTEGRATION/failover/pubips.020.moveip.sh
+%{_datadir}/ctdb/tests/INTEGRATION/failover/pubips.030.disable_enable.sh
+%{_datadir}/ctdb/tests/INTEGRATION/failover/pubips.032.stop_continue.sh
+%{_datadir}/ctdb/tests/INTEGRATION/failover/pubips.040.NoIPTakeover.sh
+%{_datadir}/ctdb/tests/INTEGRATION/failover/pubips.050.missing_ip.sh
+%dir %{_datadir}/ctdb/tests/INTEGRATION/simple
+%{_datadir}/ctdb/tests/INTEGRATION/simple/basics.000.onnode.sh
+%{_datadir}/ctdb/tests/INTEGRATION/simple/basics.001.listnodes.sh
+%{_datadir}/ctdb/tests/INTEGRATION/simple/basics.002.tunables.sh
+%{_datadir}/ctdb/tests/INTEGRATION/simple/basics.003.ping.sh
+%{_datadir}/ctdb/tests/INTEGRATION/simple/basics.004.getpid.sh
+%{_datadir}/ctdb/tests/INTEGRATION/simple/basics.005.process_exists.sh
+%{_datadir}/ctdb/tests/INTEGRATION/simple/basics.010.statistics.sh
+%{_datadir}/ctdb/tests/INTEGRATION/simple/basics.011.statistics_reset.sh
+%{_datadir}/ctdb/tests/INTEGRATION/simple/cluster.001.isnotrecmaster.sh
+%{_datadir}/ctdb/tests/INTEGRATION/simple/cluster.002.recmaster_yield.sh
+%{_datadir}/ctdb/tests/INTEGRATION/simple/cluster.010.getrelock.sh
+%{_datadir}/ctdb/tests/INTEGRATION/simple/cluster.012.reclock_command.sh
+%{_datadir}/ctdb/tests/INTEGRATION/simple/cluster.015.reclock_remove_lock.sh
+%{_datadir}/ctdb/tests/INTEGRATION/simple/cluster.016.reclock_move_lock_dir.sh
+%{_datadir}/ctdb/tests/INTEGRATION/simple/cluster.020.message_ring.sh
+%{_datadir}/ctdb/tests/INTEGRATION/simple/cluster.021.tunnel_ring.sh
+%{_datadir}/ctdb/tests/INTEGRATION/simple/cluster.090.unreachable.sh
+%{_datadir}/ctdb/tests/INTEGRATION/simple/cluster.091.version_check.sh
+%{_datadir}/ctdb/tests/INTEGRATION/simple/debug.001.getdebug.sh
+%{_datadir}/ctdb/tests/INTEGRATION/simple/debug.002.setdebug.sh
+%{_datadir}/ctdb/tests/INTEGRATION/simple/debug.003.dumpmemory.sh
+%{_datadir}/ctdb/tests/INTEGRATION/simple/eventscripts.001.zero_scripts.sh
+%{_datadir}/ctdb/tests/INTEGRATION/simple/eventscripts.090.debug_hung.sh
+%{_datadir}/ctdb/tests/INTEGRATION/simple/README
 %dir %{_datadir}/ctdb/tests/scripts
+%{_datadir}/ctdb/tests/scripts/cluster.bash
 %{_datadir}/ctdb/tests/scripts/common.sh
 %{_datadir}/ctdb/tests/scripts/integration.bash
+%{_datadir}/ctdb/tests/scripts/integration_local_daemons.bash
+%{_datadir}/ctdb/tests/scripts/integration_real_cluster.bash
 %{_datadir}/ctdb/tests/scripts/script_install_paths.sh
 %{_datadir}/ctdb/tests/scripts/test_wrap
 %{_datadir}/ctdb/tests/scripts/unit.sh
-
-%dir %{_datadir}/ctdb/tests/shellcheck
-%{_datadir}/ctdb/tests/shellcheck/base_scripts.sh
-%{_datadir}/ctdb/tests/shellcheck/ctdb_helpers.sh
-%{_datadir}/ctdb/tests/shellcheck/ctdbd_wrapper.sh
-%{_datadir}/ctdb/tests/shellcheck/event_scripts.sh
-%{_datadir}/ctdb/tests/shellcheck/functions.sh
-%{_datadir}/ctdb/tests/shellcheck/init_script.sh
-%{_datadir}/ctdb/tests/shellcheck/tools.sh
-
-%dir %{_datadir}/ctdb/tests/shellcheck/scripts
-%{_datadir}/ctdb/tests/shellcheck/scripts/local.sh
-
-%dir %{_datadir}/ctdb/tests/simple
-%{_datadir}/ctdb/tests/simple/README
-%{_datadir}/ctdb/tests/simple/00_ctdb_onnode.sh
-%{_datadir}/ctdb/tests/simple/01_ctdb_reclock_command.sh
-%{_datadir}/ctdb/tests/simple/02_ctdb_tunables.sh
-%{_datadir}/ctdb/tests/simple/05_ctdb_listnodes.sh
-%{_datadir}/ctdb/tests/simple/06_ctdb_getpid.sh
-%{_datadir}/ctdb/tests/simple/07_ctdb_process_exists.sh
-%{_datadir}/ctdb/tests/simple/08_ctdb_isnotrecmaster.sh
-%{_datadir}/ctdb/tests/simple/09_ctdb_ping.sh
-%{_datadir}/ctdb/tests/simple/11_ctdb_ip.sh
-%{_datadir}/ctdb/tests/simple/12_ctdb_getdebug.sh
-%{_datadir}/ctdb/tests/simple/13_ctdb_setdebug.sh
-%{_datadir}/ctdb/tests/simple/14_ctdb_statistics.sh
-%{_datadir}/ctdb/tests/simple/15_ctdb_statisticsreset.sh
-%{_datadir}/ctdb/tests/simple/16_ctdb_config_add_ip.sh
-%{_datadir}/ctdb/tests/simple/17_ctdb_config_delete_ip.sh
-%{_datadir}/ctdb/tests/simple/18_ctdb_reloadips.sh
-%{_datadir}/ctdb/tests/simple/19_ip_takeover_noop.sh
-%{_datadir}/ctdb/tests/simple/20_delip_iface_gc.sh
-%{_datadir}/ctdb/tests/simple/21_ctdb_attach.sh
-%{_datadir}/ctdb/tests/simple/23_ctdb_moveip.sh
-%{_datadir}/ctdb/tests/simple/24_ctdb_getdbmap.sh
-%{_datadir}/ctdb/tests/simple/25_dumpmemory.sh
-%{_datadir}/ctdb/tests/simple/26_ctdb_config_check_error_on_unreachable_ctdb.sh
-%{_datadir}/ctdb/tests/simple/27_ctdb_detach.sh
-%{_datadir}/ctdb/tests/simple/28_zero_eventscripts.sh
-%{_datadir}/ctdb/tests/simple/32_ctdb_disable_enable.sh
-%{_datadir}/ctdb/tests/simple/35_ctdb_getreclock.sh
-%{_datadir}/ctdb/tests/simple/42_ctdb_stop_continue.sh
-%{_datadir}/ctdb/tests/simple/43_stop_recmaster_yield.sh
-%{_datadir}/ctdb/tests/simple/51_message_ring.sh
-%{_datadir}/ctdb/tests/simple/52_fetch_ring.sh
-%{_datadir}/ctdb/tests/simple/53_transaction_loop.sh
-%{_datadir}/ctdb/tests/simple/54_transaction_loop_recovery.sh
-%{_datadir}/ctdb/tests/simple/55_ctdb_ptrans.sh
-%{_datadir}/ctdb/tests/simple/56_replicated_transaction_recovery.sh
-%{_datadir}/ctdb/tests/simple/58_ctdb_restoredb.sh
-%{_datadir}/ctdb/tests/simple/60_recoverd_missing_ip.sh
-%{_datadir}/ctdb/tests/simple/69_recovery_resurrect_deleted.sh
-%{_datadir}/ctdb/tests/simple/70_recoverpdbbyseqnum.sh
-%{_datadir}/ctdb/tests/simple/71_ctdb_wipedb.sh
-%{_datadir}/ctdb/tests/simple/72_update_record_persistent.sh
-%{_datadir}/ctdb/tests/simple/73_tunable_NoIPTakeover.sh
-%{_datadir}/ctdb/tests/simple/75_readonly_records_basic.sh
-%{_datadir}/ctdb/tests/simple/76_ctdb_pdb_recovery.sh
-%{_datadir}/ctdb/tests/simple/77_ctdb_db_recovery.sh
-%{_datadir}/ctdb/tests/simple/78_ctdb_large_db_recovery.sh
-%{_datadir}/ctdb/tests/simple/79_volatile_db_traverse.sh
-%{_datadir}/ctdb/tests/simple/80_ctdb_traverse.sh
-%{_datadir}/ctdb/tests/simple/81_tunnel_ring.sh
-%{_datadir}/ctdb/tests/simple/90_debug_hung_script.sh
-%{_datadir}/ctdb/tests/simple/91_version_check.sh
-
-
-%dir %{_datadir}/ctdb/tests/simple/scripts
-%{_datadir}/ctdb/tests/simple/scripts/local.bash
-%{_datadir}/ctdb/tests/simple/scripts/local_daemons.bash
-
-%dir %{_datadir}/ctdb/tests/takeover
-%{_datadir}/ctdb/tests/takeover/README
-%{_datadir}/ctdb/tests/takeover/det.001.sh
-%{_datadir}/ctdb/tests/takeover/det.002.sh
-%{_datadir}/ctdb/tests/takeover/det.003.sh
-%{_datadir}/ctdb/tests/takeover/lcp2.001.sh
-%{_datadir}/ctdb/tests/takeover/lcp2.002.sh
-%{_datadir}/ctdb/tests/takeover/lcp2.003.sh
-%{_datadir}/ctdb/tests/takeover/lcp2.004.sh
-%{_datadir}/ctdb/tests/takeover/lcp2.005.sh
-%{_datadir}/ctdb/tests/takeover/lcp2.006.sh
-%{_datadir}/ctdb/tests/takeover/lcp2.007.sh
-%{_datadir}/ctdb/tests/takeover/lcp2.008.sh
-%{_datadir}/ctdb/tests/takeover/lcp2.009.sh
-%{_datadir}/ctdb/tests/takeover/lcp2.010.sh
-%{_datadir}/ctdb/tests/takeover/lcp2.011.sh
-%{_datadir}/ctdb/tests/takeover/lcp2.012.sh
-%{_datadir}/ctdb/tests/takeover/lcp2.013.sh
-%{_datadir}/ctdb/tests/takeover/lcp2.014.sh
-%{_datadir}/ctdb/tests/takeover/lcp2.015.sh
-%{_datadir}/ctdb/tests/takeover/lcp2.016.sh
-%{_datadir}/ctdb/tests/takeover/lcp2.024.sh
-%{_datadir}/ctdb/tests/takeover/lcp2.025.sh
-%{_datadir}/ctdb/tests/takeover/lcp2.027.sh
-%{_datadir}/ctdb/tests/takeover/lcp2.028.sh
-%{_datadir}/ctdb/tests/takeover/lcp2.029.sh
-%{_datadir}/ctdb/tests/takeover/lcp2.030.sh
-%{_datadir}/ctdb/tests/takeover/lcp2.031.sh
-%{_datadir}/ctdb/tests/takeover/lcp2.032.sh
-%{_datadir}/ctdb/tests/takeover/lcp2.033.sh
-%{_datadir}/ctdb/tests/takeover/lcp2.034.sh
-%{_datadir}/ctdb/tests/takeover/lcp2.035.sh
-%{_datadir}/ctdb/tests/takeover/nondet.001.sh
-%{_datadir}/ctdb/tests/takeover/nondet.002.sh
-%{_datadir}/ctdb/tests/takeover/nondet.003.sh
-
-%dir %{_datadir}/ctdb/tests/takeover/scripts
-%{_datadir}/ctdb/tests/takeover/scripts/local.sh
-
-%dir %{_datadir}/ctdb/tests/takeover_helper
-%{_datadir}/ctdb/tests/takeover_helper/000.sh
-%{_datadir}/ctdb/tests/takeover_helper/010.sh
-%{_datadir}/ctdb/tests/takeover_helper/011.sh
-%{_datadir}/ctdb/tests/takeover_helper/012.sh
-%{_datadir}/ctdb/tests/takeover_helper/013.sh
-%{_datadir}/ctdb/tests/takeover_helper/014.sh
-%{_datadir}/ctdb/tests/takeover_helper/016.sh
-%{_datadir}/ctdb/tests/takeover_helper/017.sh
-%{_datadir}/ctdb/tests/takeover_helper/018.sh
-%{_datadir}/ctdb/tests/takeover_helper/019.sh
-%{_datadir}/ctdb/tests/takeover_helper/021.sh
-%{_datadir}/ctdb/tests/takeover_helper/022.sh
-%{_datadir}/ctdb/tests/takeover_helper/023.sh
-%{_datadir}/ctdb/tests/takeover_helper/024.sh
-%{_datadir}/ctdb/tests/takeover_helper/025.sh
-%{_datadir}/ctdb/tests/takeover_helper/026.sh
-%{_datadir}/ctdb/tests/takeover_helper/027.sh
-%{_datadir}/ctdb/tests/takeover_helper/028.sh
-%{_datadir}/ctdb/tests/takeover_helper/030.sh
-%{_datadir}/ctdb/tests/takeover_helper/031.sh
-%{_datadir}/ctdb/tests/takeover_helper/110.sh
-%{_datadir}/ctdb/tests/takeover_helper/111.sh
-%{_datadir}/ctdb/tests/takeover_helper/120.sh
-%{_datadir}/ctdb/tests/takeover_helper/121.sh
-%{_datadir}/ctdb/tests/takeover_helper/122.sh
-%{_datadir}/ctdb/tests/takeover_helper/130.sh
-%{_datadir}/ctdb/tests/takeover_helper/131.sh
-%{_datadir}/ctdb/tests/takeover_helper/132.sh
-%{_datadir}/ctdb/tests/takeover_helper/140.sh
-%{_datadir}/ctdb/tests/takeover_helper/150.sh
-%{_datadir}/ctdb/tests/takeover_helper/160.sh
-%{_datadir}/ctdb/tests/takeover_helper/210.sh
-%{_datadir}/ctdb/tests/takeover_helper/211.sh
-%{_datadir}/ctdb/tests/takeover_helper/220.sh
-%{_datadir}/ctdb/tests/takeover_helper/230.sh
-%{_datadir}/ctdb/tests/takeover_helper/240.sh
-%{_datadir}/ctdb/tests/takeover_helper/250.sh
-%{_datadir}/ctdb/tests/takeover_helper/260.sh
-
-%dir %{_datadir}/ctdb/tests/takeover_helper/scripts
-%{_datadir}/ctdb/tests/takeover_helper/scripts/local.sh
-
-%dir %{_datadir}/ctdb/tests/tool
-%{_datadir}/ctdb/tests/tool/README
-%{_datadir}/ctdb/tests/tool/ctdb.attach.001.sh
-%{_datadir}/ctdb/tests/tool/ctdb.attach.002.sh
-%{_datadir}/ctdb/tests/tool/ctdb.attach.003.sh
-%{_datadir}/ctdb/tests/tool/ctdb.ban.001.sh
-%{_datadir}/ctdb/tests/tool/ctdb.ban.002.sh
-%{_datadir}/ctdb/tests/tool/ctdb.ban.003.sh
-%{_datadir}/ctdb/tests/tool/ctdb.catdb.001.sh
-%{_datadir}/ctdb/tests/tool/ctdb.catdb.002.sh
-%{_datadir}/ctdb/tests/tool/ctdb.cattdb.001.sh
-%{_datadir}/ctdb/tests/tool/ctdb.cattdb.002.sh
-%{_datadir}/ctdb/tests/tool/ctdb.continue.001.sh
-%{_datadir}/ctdb/tests/tool/ctdb.continue.002.sh
-%{_datadir}/ctdb/tests/tool/ctdb.continue.003.sh
-%{_datadir}/ctdb/tests/tool/ctdb.deletekey.001.sh
-%{_datadir}/ctdb/tests/tool/ctdb.disable.001.sh
-%{_datadir}/ctdb/tests/tool/ctdb.disable.002.sh
-%{_datadir}/ctdb/tests/tool/ctdb.disable.003.sh
-%{_datadir}/ctdb/tests/tool/ctdb.disable.004.sh
-%{_datadir}/ctdb/tests/tool/ctdb.enable.001.sh
-%{_datadir}/ctdb/tests/tool/ctdb.enable.002.sh
-%{_datadir}/ctdb/tests/tool/ctdb.enable.003.sh
-%{_datadir}/ctdb/tests/tool/ctdb.getcapabilities.001.sh
-%{_datadir}/ctdb/tests/tool/ctdb.getcapabilities.002.sh
-%{_datadir}/ctdb/tests/tool/ctdb.getcapabilities.003.sh
-%{_datadir}/ctdb/tests/tool/ctdb.getcapabilities.004.sh
-%{_datadir}/ctdb/tests/tool/ctdb.getdbmap.001.sh
-%{_datadir}/ctdb/tests/tool/ctdb.getdbseqnum.001.sh
-%{_datadir}/ctdb/tests/tool/ctdb.getdbseqnum.002.sh
-%{_datadir}/ctdb/tests/tool/ctdb.getdbstatus.001.sh
-%{_datadir}/ctdb/tests/tool/ctdb.getdbstatus.002.sh
-%{_datadir}/ctdb/tests/tool/ctdb.getpid.001.sh
-%{_datadir}/ctdb/tests/tool/ctdb.getreclock.001.sh
-%{_datadir}/ctdb/tests/tool/ctdb.getreclock.002.sh
-%{_datadir}/ctdb/tests/tool/ctdb.getvar.001.sh
-%{_datadir}/ctdb/tests/tool/ctdb.getvar.002.sh
-%{_datadir}/ctdb/tests/tool/ctdb.ifaces.001.sh
-%{_datadir}/ctdb/tests/tool/ctdb.ip.001.sh
-%{_datadir}/ctdb/tests/tool/ctdb.ip.002.sh
-%{_datadir}/ctdb/tests/tool/ctdb.ip.003.sh
-%{_datadir}/ctdb/tests/tool/ctdb.ip.004.sh
-%{_datadir}/ctdb/tests/tool/ctdb.ip.005.sh
-%{_datadir}/ctdb/tests/tool/ctdb.ip.006.sh
-%{_datadir}/ctdb/tests/tool/ctdb.ip.007.sh
-%{_datadir}/ctdb/tests/tool/ctdb.ipinfo.001.sh
-%{_datadir}/ctdb/tests/tool/ctdb.ipinfo.002.sh
-%{_datadir}/ctdb/tests/tool/ctdb.ipinfo.003.sh
-%{_datadir}/ctdb/tests/tool/ctdb.listnodes.001.sh
-%{_datadir}/ctdb/tests/tool/ctdb.listnodes.002.sh
-%{_datadir}/ctdb/tests/tool/ctdb.listvars.001.sh
-%{_datadir}/ctdb/tests/tool/ctdb.lvs.001.sh
-%{_datadir}/ctdb/tests/tool/ctdb.lvs.002.sh
-%{_datadir}/ctdb/tests/tool/ctdb.lvs.003.sh
-%{_datadir}/ctdb/tests/tool/ctdb.lvs.004.sh
-%{_datadir}/ctdb/tests/tool/ctdb.lvs.005.sh
-%{_datadir}/ctdb/tests/tool/ctdb.lvs.006.sh
-%{_datadir}/ctdb/tests/tool/ctdb.lvs.007.sh
-%{_datadir}/ctdb/tests/tool/ctdb.lvs.008.sh
-%{_datadir}/ctdb/tests/tool/ctdb.natgw.001.sh
-%{_datadir}/ctdb/tests/tool/ctdb.natgw.002.sh
-%{_datadir}/ctdb/tests/tool/ctdb.natgw.003.sh
-%{_datadir}/ctdb/tests/tool/ctdb.natgw.004.sh
-%{_datadir}/ctdb/tests/tool/ctdb.natgw.005.sh
-%{_datadir}/ctdb/tests/tool/ctdb.natgw.006.sh
-%{_datadir}/ctdb/tests/tool/ctdb.natgw.007.sh
-%{_datadir}/ctdb/tests/tool/ctdb.natgw.008.sh
-%{_datadir}/ctdb/tests/tool/ctdb.nodestatus.001.sh
-%{_datadir}/ctdb/tests/tool/ctdb.nodestatus.002.sh
-%{_datadir}/ctdb/tests/tool/ctdb.nodestatus.003.sh
-%{_datadir}/ctdb/tests/tool/ctdb.nodestatus.004.sh
-%{_datadir}/ctdb/tests/tool/ctdb.nodestatus.005.sh
-%{_datadir}/ctdb/tests/tool/ctdb.nodestatus.006.sh
-%{_datadir}/ctdb/tests/tool/ctdb.pdelete.001.sh
-%{_datadir}/ctdb/tests/tool/ctdb.ping.001.sh
-%{_datadir}/ctdb/tests/tool/ctdb.pnn.001.sh
-%{_datadir}/ctdb/tests/tool/ctdb.process-exists.001.sh
-%{_datadir}/ctdb/tests/tool/ctdb.process-exists.002.sh
-%{_datadir}/ctdb/tests/tool/ctdb.process-exists.003.sh
-%{_datadir}/ctdb/tests/tool/ctdb.pstore.001.sh
-%{_datadir}/ctdb/tests/tool/ctdb.ptrans.001.sh
-%{_datadir}/ctdb/tests/tool/ctdb.readkey.001.sh
-%{_datadir}/ctdb/tests/tool/ctdb.recmaster.001.sh
-%{_datadir}/ctdb/tests/tool/ctdb.recmaster.002.sh
-%{_datadir}/ctdb/tests/tool/ctdb.recover.001.sh
-%{_datadir}/ctdb/tests/tool/ctdb.reloadnodes.001.sh
-%{_datadir}/ctdb/tests/tool/ctdb.reloadnodes.002.sh
-%{_datadir}/ctdb/tests/tool/ctdb.reloadnodes.003.sh
-%{_datadir}/ctdb/tests/tool/ctdb.reloadnodes.011.sh
-%{_datadir}/ctdb/tests/tool/ctdb.reloadnodes.012.sh
-%{_datadir}/ctdb/tests/tool/ctdb.reloadnodes.013.sh
-%{_datadir}/ctdb/tests/tool/ctdb.reloadnodes.014.sh
-%{_datadir}/ctdb/tests/tool/ctdb.reloadnodes.015.sh
-%{_datadir}/ctdb/tests/tool/ctdb.reloadnodes.016.sh
-%{_datadir}/ctdb/tests/tool/ctdb.reloadnodes.017.sh
-%{_datadir}/ctdb/tests/tool/ctdb.reloadnodes.018.sh
-%{_datadir}/ctdb/tests/tool/ctdb.reloadnodes.019.sh
-%{_datadir}/ctdb/tests/tool/ctdb.reloadnodes.020.sh
-%{_datadir}/ctdb/tests/tool/ctdb.reloadnodes.021.sh
-%{_datadir}/ctdb/tests/tool/ctdb.reloadnodes.023.sh
-%{_datadir}/ctdb/tests/tool/ctdb.reloadnodes.024.sh
-%{_datadir}/ctdb/tests/tool/ctdb.runstate.001.sh
-%{_datadir}/ctdb/tests/tool/ctdb.runstate.002.sh
-%{_datadir}/ctdb/tests/tool/ctdb.runstate.003.sh
-%{_datadir}/ctdb/tests/tool/ctdb.runstate.004.sh
-%{_datadir}/ctdb/tests/tool/ctdb.runstate.005.sh
-%{_datadir}/ctdb/tests/tool/ctdb.setdbreadonly.001.sh
-%{_datadir}/ctdb/tests/tool/ctdb.setdbreadonly.002.sh
-%{_datadir}/ctdb/tests/tool/ctdb.setdbreadonly.003.sh
-%{_datadir}/ctdb/tests/tool/ctdb.setdbreadonly.004.sh
-%{_datadir}/ctdb/tests/tool/ctdb.setdbreadonly.005.sh
-%{_datadir}/ctdb/tests/tool/ctdb.setdbsticky.001.sh
-%{_datadir}/ctdb/tests/tool/ctdb.setdbsticky.002.sh
-%{_datadir}/ctdb/tests/tool/ctdb.setdbsticky.003.sh
-%{_datadir}/ctdb/tests/tool/ctdb.setdbsticky.004.sh
-%{_datadir}/ctdb/tests/tool/ctdb.setdbsticky.005.sh
-%{_datadir}/ctdb/tests/tool/ctdb.setdebug.001.sh
-%{_datadir}/ctdb/tests/tool/ctdb.setdebug.002.sh
-%{_datadir}/ctdb/tests/tool/ctdb.setdebug.003.sh
-%{_datadir}/ctdb/tests/tool/ctdb.setifacelink.001.sh
-%{_datadir}/ctdb/tests/tool/ctdb.setifacelink.002.sh
-%{_datadir}/ctdb/tests/tool/ctdb.setvar.001.sh
-%{_datadir}/ctdb/tests/tool/ctdb.setvar.002.sh
-%{_datadir}/ctdb/tests/tool/ctdb.status.001.sh
-%{_datadir}/ctdb/tests/tool/ctdb.status.002.sh
-%{_datadir}/ctdb/tests/tool/ctdb.stop.001.sh
-%{_datadir}/ctdb/tests/tool/ctdb.stop.002.sh
-%{_datadir}/ctdb/tests/tool/ctdb.stop.003.sh
-%{_datadir}/ctdb/tests/tool/ctdb.unban.001.sh
-%{_datadir}/ctdb/tests/tool/ctdb.unban.002.sh
-%{_datadir}/ctdb/tests/tool/ctdb.unban.003.sh
-%{_datadir}/ctdb/tests/tool/ctdb.uptime.001.sh
-%{_datadir}/ctdb/tests/tool/ctdb.writekey.001.sh
-
-%dir %{_datadir}/ctdb/tests/tool/scripts
-%{_datadir}/ctdb/tests/tool/scripts/local.sh
+%dir %{_datadir}/ctdb/tests/UNIT
+%dir %{_datadir}/ctdb/tests/UNIT/cunit
+%{_datadir}/ctdb/tests/UNIT/cunit/cluster_mutex_001.sh
+%{_datadir}/ctdb/tests/UNIT/cunit/cluster_mutex_002.sh
+%{_datadir}/ctdb/tests/UNIT/cunit/cluster_mutex_003.sh
+%{_datadir}/ctdb/tests/UNIT/cunit/cmdline_test_001.sh
+%{_datadir}/ctdb/tests/UNIT/cunit/comm_test_001.sh
+%{_datadir}/ctdb/tests/UNIT/cunit/comm_test_002.sh
+%{_datadir}/ctdb/tests/UNIT/cunit/config_test_001.sh
+%{_datadir}/ctdb/tests/UNIT/cunit/config_test_002.sh
+%{_datadir}/ctdb/tests/UNIT/cunit/config_test_003.sh
+%{_datadir}/ctdb/tests/UNIT/cunit/config_test_004.sh
+%{_datadir}/ctdb/tests/UNIT/cunit/config_test_005.sh
+%{_datadir}/ctdb/tests/UNIT/cunit/config_test_006.sh
+%{_datadir}/ctdb/tests/UNIT/cunit/config_test_007.sh
+%{_datadir}/ctdb/tests/UNIT/cunit/conf_test_001.sh
+%{_datadir}/ctdb/tests/UNIT/cunit/ctdb_io_test_001.sh
+%{_datadir}/ctdb/tests/UNIT/cunit/db_hash_test_001.sh
+%{_datadir}/ctdb/tests/UNIT/cunit/event_protocol_test_001.sh
+%{_datadir}/ctdb/tests/UNIT/cunit/event_script_test_001.sh
+%{_datadir}/ctdb/tests/UNIT/cunit/hash_count_test_001.sh
+%{_datadir}/ctdb/tests/UNIT/cunit/line_test_001.sh
+%{_datadir}/ctdb/tests/UNIT/cunit/path_tests_001.sh
+%{_datadir}/ctdb/tests/UNIT/cunit/pidfile_test_001.sh
+%{_datadir}/ctdb/tests/UNIT/cunit/pkt_read_001.sh
+%{_datadir}/ctdb/tests/UNIT/cunit/pkt_write_001.sh
+%{_datadir}/ctdb/tests/UNIT/cunit/porting_tests_001.sh
+%{_datadir}/ctdb/tests/UNIT/cunit/protocol_test_001.sh
+%{_datadir}/ctdb/tests/UNIT/cunit/protocol_test_002.sh
+%{_datadir}/ctdb/tests/UNIT/cunit/protocol_test_012.sh
+%{_datadir}/ctdb/tests/UNIT/cunit/protocol_test_101.sh
+%{_datadir}/ctdb/tests/UNIT/cunit/protocol_test_111.sh
+%{_datadir}/ctdb/tests/UNIT/cunit/protocol_test_201.sh
+%{_datadir}/ctdb/tests/UNIT/cunit/rb_test_001.sh
+%{_datadir}/ctdb/tests/UNIT/cunit/reqid_test_001.sh
+%{_datadir}/ctdb/tests/UNIT/cunit/run_event_001.sh
+%{_datadir}/ctdb/tests/UNIT/cunit/run_proc_001.sh
+%{_datadir}/ctdb/tests/UNIT/cunit/sock_daemon_test_001.sh
+%{_datadir}/ctdb/tests/UNIT/cunit/sock_io_test_001.sh
+%{_datadir}/ctdb/tests/UNIT/cunit/srvid_test_001.sh
+%{_datadir}/ctdb/tests/UNIT/cunit/system_socket_test_001.sh
+%dir %{_datadir}/ctdb/tests/UNIT/eventd
+%dir %{_datadir}/ctdb/tests/UNIT/eventd/etc-ctdb
+%{_datadir}/ctdb/tests/UNIT/eventd/etc-ctdb/ctdb.conf
+%{_datadir}/ctdb/tests/UNIT/eventd/etc-ctdb/debug-script.sh
+%dir %{_datadir}/ctdb/tests/UNIT/eventd/etc-ctdb/events
+%dir %{_datadir}/ctdb/tests/UNIT/eventd/etc-ctdb/events/data
+%{_datadir}/ctdb/tests/UNIT/eventd/etc-ctdb/events/data/03.notalink.script
+%{_datadir}/ctdb/tests/UNIT/eventd/etc-ctdb/events/data/README
+%dir %{_datadir}/ctdb/tests/UNIT/eventd/etc-ctdb/events/empty
+%{_datadir}/ctdb/tests/UNIT/eventd/etc-ctdb/events/empty/README
+%dir %{_datadir}/ctdb/tests/UNIT/eventd/etc-ctdb/events/multi
+%{_datadir}/ctdb/tests/UNIT/eventd/etc-ctdb/events/multi/01.test.script
+%{_datadir}/ctdb/tests/UNIT/eventd/etc-ctdb/events/multi/02.test.script
+%{_datadir}/ctdb/tests/UNIT/eventd/etc-ctdb/events/multi/03.test.script
+%dir %{_datadir}/ctdb/tests/UNIT/eventd/etc-ctdb/events/random
+%{_datadir}/ctdb/tests/UNIT/eventd/etc-ctdb/events/random/01.disabled.script
+%{_datadir}/ctdb/tests/UNIT/eventd/etc-ctdb/events/random/02.enabled.script
+%{_datadir}/ctdb/tests/UNIT/eventd/etc-ctdb/events/random/a.script
+%{_datadir}/ctdb/tests/UNIT/eventd/etc-ctdb/events/random/README.script
+%dir %{_datadir}/ctdb/tests/UNIT/eventd/etc-ctdb/share
+%dir %{_datadir}/ctdb/tests/UNIT/eventd/etc-ctdb/share/events
+%dir %{_datadir}/ctdb/tests/UNIT/eventd/etc-ctdb/share/events/data
+%{_datadir}/ctdb/tests/UNIT/eventd/etc-ctdb/share/events/data/01.dummy.script
+%{_datadir}/ctdb/tests/UNIT/eventd/etc-ctdb/share/events/data/02.disabled.script
+%dir %{_datadir}/ctdb/tests/UNIT/eventd/etc-ctdb/share/events/empty
+%{_datadir}/ctdb/tests/UNIT/eventd/etc-ctdb/share/events/empty/README
+%dir %{_datadir}/ctdb/tests/UNIT/eventd/etc-ctdb/share/events/random
+%{_datadir}/ctdb/tests/UNIT/eventd/etc-ctdb/share/events/random/01.disabled.script
+%{_datadir}/ctdb/tests/UNIT/eventd/etc-ctdb/share/events/random/02.enabled.script
+%{_datadir}/ctdb/tests/UNIT/eventd/etc-ctdb/share/events/random/a.script
+%{_datadir}/ctdb/tests/UNIT/eventd/etc-ctdb/share/events/random/README.script
+%{_datadir}/ctdb/tests/UNIT/eventd/eventd_001.sh
+%{_datadir}/ctdb/tests/UNIT/eventd/eventd_002.sh
+%{_datadir}/ctdb/tests/UNIT/eventd/eventd_003.sh
+%{_datadir}/ctdb/tests/UNIT/eventd/eventd_004.sh
+%{_datadir}/ctdb/tests/UNIT/eventd/eventd_005.sh
+%{_datadir}/ctdb/tests/UNIT/eventd/eventd_006.sh
+%{_datadir}/ctdb/tests/UNIT/eventd/eventd_007.sh
+%{_datadir}/ctdb/tests/UNIT/eventd/eventd_008.sh
+%{_datadir}/ctdb/tests/UNIT/eventd/eventd_009.sh
+%{_datadir}/ctdb/tests/UNIT/eventd/eventd_011.sh
+%{_datadir}/ctdb/tests/UNIT/eventd/eventd_012.sh
+%{_datadir}/ctdb/tests/UNIT/eventd/eventd_013.sh
+%{_datadir}/ctdb/tests/UNIT/eventd/eventd_014.sh
+%{_datadir}/ctdb/tests/UNIT/eventd/eventd_021.sh
+%{_datadir}/ctdb/tests/UNIT/eventd/eventd_022.sh
+%{_datadir}/ctdb/tests/UNIT/eventd/eventd_023.sh
+%{_datadir}/ctdb/tests/UNIT/eventd/eventd_024.sh
+%{_datadir}/ctdb/tests/UNIT/eventd/eventd_031.sh
+%{_datadir}/ctdb/tests/UNIT/eventd/eventd_032.sh
+%{_datadir}/ctdb/tests/UNIT/eventd/eventd_033.sh
+%{_datadir}/ctdb/tests/UNIT/eventd/eventd_041.sh
+%{_datadir}/ctdb/tests/UNIT/eventd/eventd_042.sh
+%{_datadir}/ctdb/tests/UNIT/eventd/eventd_043.sh
+%{_datadir}/ctdb/tests/UNIT/eventd/eventd_044.sh
+%{_datadir}/ctdb/tests/UNIT/eventd/eventd_051.sh
+%{_datadir}/ctdb/tests/UNIT/eventd/eventd_052.sh
+%{_datadir}/ctdb/tests/UNIT/eventd/README
+%dir %{_datadir}/ctdb/tests/UNIT/eventd/scripts
+%{_datadir}/ctdb/tests/UNIT/eventd/scripts/local.sh
+%dir %{_datadir}/ctdb/tests/UNIT/eventscripts
+%{_datadir}/ctdb/tests/UNIT/eventscripts/00.ctdb.init.001.sh
+%{_datadir}/ctdb/tests/UNIT/eventscripts/00.ctdb.init.002.sh
+%{_datadir}/ctdb/tests/UNIT/eventscripts/00.ctdb.init.003.sh
+%{_datadir}/ctdb/tests/UNIT/eventscripts/00.ctdb.init.004.sh
+%{_datadir}/ctdb/tests/UNIT/eventscripts/00.ctdb.init.005.sh
+%{_datadir}/ctdb/tests/UNIT/eventscripts/00.ctdb.init.006.sh
+%{_datadir}/ctdb/tests/UNIT/eventscripts/00.ctdb.init.007.sh
+%{_datadir}/ctdb/tests/UNIT/eventscripts/00.ctdb.init.008.sh
+%{_datadir}/ctdb/tests/UNIT/eventscripts/00.ctdb.init.009.sh
+%{_datadir}/ctdb/tests/UNIT/eventscripts/00.ctdb.setup.001.sh
+%{_datadir}/ctdb/tests/UNIT/eventscripts/00.ctdb.setup.002.sh
+%{_datadir}/ctdb/tests/UNIT/eventscripts/00.ctdb.setup.003.sh
+%{_datadir}/ctdb/tests/UNIT/eventscripts/00.ctdb.setup.004.sh
+%{_datadir}/ctdb/tests/UNIT/eventscripts/01.reclock.init.001.sh
+%{_datadir}/ctdb/tests/UNIT/eventscripts/01.reclock.init.002.sh
+%{_datadir}/ctdb/tests/UNIT/eventscripts/01.reclock.init.003.sh
+%{_datadir}/ctdb/tests/UNIT/eventscripts/05.system.monitor.001.sh
+%{_datadir}/ctdb/tests/UNIT/eventscripts/05.system.monitor.002.sh
+%{_datadir}/ctdb/tests/UNIT/eventscripts/05.system.monitor.003.sh
+%{_datadir}/ctdb/tests/UNIT/eventscripts/05.system.monitor.004.sh
+%{_datadir}/ctdb/tests/UNIT/eventscripts/05.system.monitor.005.sh
+%{_datadir}/ctdb/tests/UNIT/eventscripts/05.system.monitor.006.sh
+%{_datadir}/ctdb/tests/UNIT/eventscripts/05.system.monitor.007.sh
+%{_datadir}/ctdb/tests/UNIT/eventscripts/05.system.monitor.011.sh
+%{_datadir}/ctdb/tests/UNIT/eventscripts/05.system.monitor.012.sh
+%{_datadir}/ctdb/tests/UNIT/eventscripts/05.system.monitor.014.sh
+%{_datadir}/ctdb/tests/UNIT/eventscripts/05.system.monitor.015.sh
+%{_datadir}/ctdb/tests/UNIT/eventscripts/05.system.monitor.017.sh
+%{_datadir}/ctdb/tests/UNIT/eventscripts/05.system.monitor.018.sh
+%{_datadir}/ctdb/tests/UNIT/eventscripts/06.nfs.releaseip.001.sh
+%{_datadir}/ctdb/tests/UNIT/eventscripts/06.nfs.releaseip.002.sh
+%{_datadir}/ctdb/tests/UNIT/eventscripts/06.nfs.takeip.001.sh
+%{_datadir}/ctdb/tests/UNIT/eventscripts/06.nfs.takeip.002.sh
+%{_datadir}/ctdb/tests/UNIT/eventscripts/10.interface.010.sh
+%{_datadir}/ctdb/tests/UNIT/eventscripts/10.interface.011.sh
+%{_datadir}/ctdb/tests/UNIT/eventscripts/10.interface.012.sh
+%{_datadir}/ctdb/tests/UNIT/eventscripts/10.interface.013.sh
+%{_datadir}/ctdb/tests/UNIT/eventscripts/10.interface.init.001.sh
+%{_datadir}/ctdb/tests/UNIT/eventscripts/10.interface.init.002.sh
+%{_datadir}/ctdb/tests/UNIT/eventscripts/10.interface.init.021.sh
+%{_datadir}/ctdb/tests/UNIT/eventscripts/10.interface.init.022.sh
+%{_datadir}/ctdb/tests/UNIT/eventscripts/10.interface.init.023.sh
+%{_datadir}/ctdb/tests/UNIT/eventscripts/10.interface.monitor.001.sh
+%{_datadir}/ctdb/tests/UNIT/eventscripts/10.interface.monitor.002.sh
+%{_datadir}/ctdb/tests/UNIT/eventscripts/10.interface.monitor.003.sh
+%{_datadir}/ctdb/tests/UNIT/eventscripts/10.interface.monitor.004.sh
+%{_datadir}/ctdb/tests/UNIT/eventscripts/10.interface.monitor.005.sh
+%{_datadir}/ctdb/tests/UNIT/eventscripts/10.interface.monitor.006.sh
+%{_datadir}/ctdb/tests/UNIT/eventscripts/10.interface.monitor.009.sh
+%{_datadir}/ctdb/tests/UNIT/eventscripts/10.interface.monitor.010.sh
+%{_datadir}/ctdb/tests/UNIT/eventscripts/10.interface.monitor.011.sh
+%{_datadir}/ctdb/tests/UNIT/eventscripts/10.interface.monitor.012.sh
+%{_datadir}/ctdb/tests/UNIT/eventscripts/10.interface.monitor.013.sh
+%{_datadir}/ctdb/tests/UNIT/eventscripts/10.interface.monitor.014.sh
+%{_datadir}/ctdb/tests/UNIT/eventscripts/10.interface.monitor.015.sh
+%{_datadir}/ctdb/tests/UNIT/eventscripts/10.interface.monitor.016.sh
+%{_datadir}/ctdb/tests/UNIT/eventscripts/10.interface.monitor.017.sh
+%{_datadir}/ctdb/tests/UNIT/eventscripts/10.interface.monitor.018.sh
+%{_datadir}/ctdb/tests/UNIT/eventscripts/10.interface.multi.001.sh
+%{_datadir}/ctdb/tests/UNIT/eventscripts/10.interface.releaseip.001.sh
+%{_datadir}/ctdb/tests/UNIT/eventscripts/10.interface.releaseip.002.sh
+%{_datadir}/ctdb/tests/UNIT/eventscripts/10.interface.startup.001.sh
+%{_datadir}/ctdb/tests/UNIT/eventscripts/10.interface.startup.002.sh
+%{_datadir}/ctdb/tests/UNIT/eventscripts/10.interface.takeip.001.sh
+%{_datadir}/ctdb/tests/UNIT/eventscripts/10.interface.takeip.002.sh
+%{_datadir}/ctdb/tests/UNIT/eventscripts/10.interface.takeip.003.sh
+%{_datadir}/ctdb/tests/UNIT/eventscripts/11.natgw.001.sh
+%{_datadir}/ctdb/tests/UNIT/eventscripts/11.natgw.002.sh
+%{_datadir}/ctdb/tests/UNIT/eventscripts/11.natgw.003.sh
+%{_datadir}/ctdb/tests/UNIT/eventscripts/11.natgw.004.sh
+%{_datadir}/ctdb/tests/UNIT/eventscripts/11.natgw.011.sh
+%{_datadir}/ctdb/tests/UNIT/eventscripts/11.natgw.012.sh
+%{_datadir}/ctdb/tests/UNIT/eventscripts/11.natgw.013.sh
+%{_datadir}/ctdb/tests/UNIT/eventscripts/11.natgw.014.sh
+%{_datadir}/ctdb/tests/UNIT/eventscripts/11.natgw.015.sh
+%{_datadir}/ctdb/tests/UNIT/eventscripts/11.natgw.021.sh
+%{_datadir}/ctdb/tests/UNIT/eventscripts/11.natgw.022.sh
+%{_datadir}/ctdb/tests/UNIT/eventscripts/11.natgw.023.sh
+%{_datadir}/ctdb/tests/UNIT/eventscripts/11.natgw.024.sh
+%{_datadir}/ctdb/tests/UNIT/eventscripts/11.natgw.025.sh
+%{_datadir}/ctdb/tests/UNIT/eventscripts/11.natgw.031.sh
+%{_datadir}/ctdb/tests/UNIT/eventscripts/11.natgw.041.sh
+%{_datadir}/ctdb/tests/UNIT/eventscripts/11.natgw.042.sh
+%{_datadir}/ctdb/tests/UNIT/eventscripts/11.natgw.051.sh
+%{_datadir}/ctdb/tests/UNIT/eventscripts/11.natgw.052.sh
+%{_datadir}/ctdb/tests/UNIT/eventscripts/11.natgw.053.sh
+%{_datadir}/ctdb/tests/UNIT/eventscripts/11.natgw.054.sh
+%{_datadir}/ctdb/tests/UNIT/eventscripts/13.per_ip_routing.001.sh
+%{_datadir}/ctdb/tests/UNIT/eventscripts/13.per_ip_routing.002.sh
+%{_datadir}/ctdb/tests/UNIT/eventscripts/13.per_ip_routing.003.sh
+%{_datadir}/ctdb/tests/UNIT/eventscripts/13.per_ip_routing.004.sh
+%{_datadir}/ctdb/tests/UNIT/eventscripts/13.per_ip_routing.005.sh
+%{_datadir}/ctdb/tests/UNIT/eventscripts/13.per_ip_routing.006.sh
+%{_datadir}/ctdb/tests/UNIT/eventscripts/13.per_ip_routing.007.sh
+%{_datadir}/ctdb/tests/UNIT/eventscripts/13.per_ip_routing.008.sh
+%{_datadir}/ctdb/tests/UNIT/eventscripts/13.per_ip_routing.009.sh
+%{_datadir}/ctdb/tests/UNIT/eventscripts/13.per_ip_routing.010.sh
+%{_datadir}/ctdb/tests/UNIT/eventscripts/13.per_ip_routing.011.sh
+%{_datadir}/ctdb/tests/UNIT/eventscripts/13.per_ip_routing.012.sh
+%{_datadir}/ctdb/tests/UNIT/eventscripts/13.per_ip_routing.013.sh
+%{_datadir}/ctdb/tests/UNIT/eventscripts/13.per_ip_routing.014.sh
+%{_datadir}/ctdb/tests/UNIT/eventscripts/13.per_ip_routing.015.sh
+%{_datadir}/ctdb/tests/UNIT/eventscripts/13.per_ip_routing.016.sh
+%{_datadir}/ctdb/tests/UNIT/eventscripts/13.per_ip_routing.017.sh
+%{_datadir}/ctdb/tests/UNIT/eventscripts/13.per_ip_routing.018.sh
+%{_datadir}/ctdb/tests/UNIT/eventscripts/13.per_ip_routing.019.sh
+%{_datadir}/ctdb/tests/UNIT/eventscripts/13.per_ip_routing.021.sh
+%{_datadir}/ctdb/tests/UNIT/eventscripts/13.per_ip_routing.022.sh
+%{_datadir}/ctdb/tests/UNIT/eventscripts/13.per_ip_routing.023.sh
+%{_datadir}/ctdb/tests/UNIT/eventscripts/13.per_ip_routing.024.sh
+%{_datadir}/ctdb/tests/UNIT/eventscripts/20.multipathd.monitor.001.sh
+%{_datadir}/ctdb/tests/UNIT/eventscripts/20.multipathd.monitor.002.sh
+%{_datadir}/ctdb/tests/UNIT/eventscripts/20.multipathd.monitor.003.sh
+%{_datadir}/ctdb/tests/UNIT/eventscripts/20.multipathd.monitor.004.sh
+%{_datadir}/ctdb/tests/UNIT/eventscripts/31.clamd.monitor.002.sh
+%{_datadir}/ctdb/tests/UNIT/eventscripts/31.clamd.monitor.003.sh
+%{_datadir}/ctdb/tests/UNIT/eventscripts/40.vsftpd.monitor.002.sh
+%{_datadir}/ctdb/tests/UNIT/eventscripts/40.vsftpd.shutdown.002.sh
+%{_datadir}/ctdb/tests/UNIT/eventscripts/40.vsftpd.startup.002.sh
+%{_datadir}/ctdb/tests/UNIT/eventscripts/41.httpd.monitor.002.sh
+%{_datadir}/ctdb/tests/UNIT/eventscripts/41.httpd.shutdown.002.sh
+%{_datadir}/ctdb/tests/UNIT/eventscripts/41.httpd.startup.002.sh
+%{_datadir}/ctdb/tests/UNIT/eventscripts/49.winbind.monitor.101.sh
+%{_datadir}/ctdb/tests/UNIT/eventscripts/49.winbind.monitor.102.sh
+%{_datadir}/ctdb/tests/UNIT/eventscripts/49.winbind.shutdown.002.sh
+%{_datadir}/ctdb/tests/UNIT/eventscripts/49.winbind.startup.002.sh
+%{_datadir}/ctdb/tests/UNIT/eventscripts/50.samba.monitor.101.sh
+%{_datadir}/ctdb/tests/UNIT/eventscripts/50.samba.monitor.103.sh
+%{_datadir}/ctdb/tests/UNIT/eventscripts/50.samba.monitor.104.sh
+%{_datadir}/ctdb/tests/UNIT/eventscripts/50.samba.monitor.105.sh
+%{_datadir}/ctdb/tests/UNIT/eventscripts/50.samba.monitor.106.sh
+%{_datadir}/ctdb/tests/UNIT/eventscripts/50.samba.monitor.110.sh
+%{_datadir}/ctdb/tests/UNIT/eventscripts/50.samba.monitor.111.sh
+%{_datadir}/ctdb/tests/UNIT/eventscripts/50.samba.monitor.112.sh
+%{_datadir}/ctdb/tests/UNIT/eventscripts/50.samba.monitor.113.sh
+%{_datadir}/ctdb/tests/UNIT/eventscripts/50.samba.shutdown.001.sh
+%{_datadir}/ctdb/tests/UNIT/eventscripts/50.samba.shutdown.002.sh
+%{_datadir}/ctdb/tests/UNIT/eventscripts/50.samba.shutdown.011.sh
+%{_datadir}/ctdb/tests/UNIT/eventscripts/50.samba.startup.011.sh
+%{_datadir}/ctdb/tests/UNIT/eventscripts/60.nfs.monitor.101.sh
+%{_datadir}/ctdb/tests/UNIT/eventscripts/60.nfs.monitor.102.sh
+%{_datadir}/ctdb/tests/UNIT/eventscripts/60.nfs.monitor.103.sh
+%{_datadir}/ctdb/tests/UNIT/eventscripts/60.nfs.monitor.104.sh
+%{_datadir}/ctdb/tests/UNIT/eventscripts/60.nfs.monitor.105.sh
+%{_datadir}/ctdb/tests/UNIT/eventscripts/60.nfs.monitor.106.sh
+%{_datadir}/ctdb/tests/UNIT/eventscripts/60.nfs.monitor.107.sh
+%{_datadir}/ctdb/tests/UNIT/eventscripts/60.nfs.monitor.108.sh
+%{_datadir}/ctdb/tests/UNIT/eventscripts/60.nfs.monitor.109.sh
+%{_datadir}/ctdb/tests/UNIT/eventscripts/60.nfs.monitor.111.sh
+%{_datadir}/ctdb/tests/UNIT/eventscripts/60.nfs.monitor.112.sh
+%{_datadir}/ctdb/tests/UNIT/eventscripts/60.nfs.monitor.113.sh
+%{_datadir}/ctdb/tests/UNIT/eventscripts/60.nfs.monitor.114.sh
+%{_datadir}/ctdb/tests/UNIT/eventscripts/60.nfs.monitor.121.sh
+%{_datadir}/ctdb/tests/UNIT/eventscripts/60.nfs.monitor.122.sh
+%{_datadir}/ctdb/tests/UNIT/eventscripts/60.nfs.monitor.131.sh
+%{_datadir}/ctdb/tests/UNIT/eventscripts/60.nfs.monitor.132.sh
+%{_datadir}/ctdb/tests/UNIT/eventscripts/60.nfs.monitor.141.sh
+%{_datadir}/ctdb/tests/UNIT/eventscripts/60.nfs.monitor.142.sh
+%{_datadir}/ctdb/tests/UNIT/eventscripts/60.nfs.monitor.143.sh
+%{_datadir}/ctdb/tests/UNIT/eventscripts/60.nfs.monitor.144.sh
+%{_datadir}/ctdb/tests/UNIT/eventscripts/60.nfs.monitor.151.sh
+%{_datadir}/ctdb/tests/UNIT/eventscripts/60.nfs.monitor.152.sh
+%{_datadir}/ctdb/tests/UNIT/eventscripts/60.nfs.monitor.153.sh
+%{_datadir}/ctdb/tests/UNIT/eventscripts/60.nfs.monitor.161.sh
+%{_datadir}/ctdb/tests/UNIT/eventscripts/60.nfs.monitor.162.sh
+%{_datadir}/ctdb/tests/UNIT/eventscripts/60.nfs.multi.001.sh
+%{_datadir}/ctdb/tests/UNIT/eventscripts/60.nfs.multi.002.sh
+%{_datadir}/ctdb/tests/UNIT/eventscripts/60.nfs.releaseip.001.sh
+%{_datadir}/ctdb/tests/UNIT/eventscripts/60.nfs.releaseip.002.sh
+%{_datadir}/ctdb/tests/UNIT/eventscripts/60.nfs.shutdown.001.sh
+%{_datadir}/ctdb/tests/UNIT/eventscripts/60.nfs.shutdown.002.sh
+%{_datadir}/ctdb/tests/UNIT/eventscripts/60.nfs.startup.001.sh
+%{_datadir}/ctdb/tests/UNIT/eventscripts/60.nfs.startup.002.sh
+%{_datadir}/ctdb/tests/UNIT/eventscripts/60.nfs.takeip.001.sh
+%{_datadir}/ctdb/tests/UNIT/eventscripts/60.nfs.takeip.002.sh
+%{_datadir}/ctdb/tests/UNIT/eventscripts/91.lvs.001.sh
+%{_datadir}/ctdb/tests/UNIT/eventscripts/91.lvs.ipreallocated.011.sh
+%{_datadir}/ctdb/tests/UNIT/eventscripts/91.lvs.ipreallocated.012.sh
+%{_datadir}/ctdb/tests/UNIT/eventscripts/91.lvs.ipreallocated.013.sh
+%{_datadir}/ctdb/tests/UNIT/eventscripts/91.lvs.ipreallocated.014.sh
+%{_datadir}/ctdb/tests/UNIT/eventscripts/91.lvs.monitor.001.sh
+%{_datadir}/ctdb/tests/UNIT/eventscripts/91.lvs.monitor.002.sh
+%{_datadir}/ctdb/tests/UNIT/eventscripts/91.lvs.monitor.003.sh
+%{_datadir}/ctdb/tests/UNIT/eventscripts/91.lvs.shutdown.001.sh
+%{_datadir}/ctdb/tests/UNIT/eventscripts/91.lvs.shutdown.002.sh
+%{_datadir}/ctdb/tests/UNIT/eventscripts/91.lvs.startup.001.sh
+%{_datadir}/ctdb/tests/UNIT/eventscripts/91.lvs.startup.002.sh
+%dir %{_datadir}/ctdb/tests/UNIT/eventscripts/etc
+%dir %{_datadir}/ctdb/tests/UNIT/eventscripts/etc-ctdb
+%{_datadir}/ctdb/tests/UNIT/eventscripts/etc-ctdb/public_addresses
+%{_datadir}/ctdb/tests/UNIT/eventscripts/etc-ctdb/rc.local
+%dir %{_datadir}/ctdb/tests/UNIT/eventscripts/etc/init.d
+%{_datadir}/ctdb/tests/UNIT/eventscripts/etc/init.d/nfs
+%{_datadir}/ctdb/tests/UNIT/eventscripts/etc/init.d/nfslock
+%dir %{_datadir}/ctdb/tests/UNIT/eventscripts/etc/samba
+%{_datadir}/ctdb/tests/UNIT/eventscripts/etc/samba/smb.conf
+%dir %{_datadir}/ctdb/tests/UNIT/eventscripts/etc/sysconfig
+%{_datadir}/ctdb/tests/UNIT/eventscripts/etc/sysconfig/nfs
+%{_datadir}/ctdb/tests/UNIT/eventscripts/README
+%dir %{_datadir}/ctdb/tests/UNIT/eventscripts/scripts
+%{_datadir}/ctdb/tests/UNIT/eventscripts/scripts/00.ctdb.sh
+%{_datadir}/ctdb/tests/UNIT/eventscripts/scripts/01.reclock.sh
+%{_datadir}/ctdb/tests/UNIT/eventscripts/scripts/05.system.sh
+%{_datadir}/ctdb/tests/UNIT/eventscripts/scripts/06.nfs.sh
+%{_datadir}/ctdb/tests/UNIT/eventscripts/scripts/10.interface.sh
+%{_datadir}/ctdb/tests/UNIT/eventscripts/scripts/11.natgw.sh
+%{_datadir}/ctdb/tests/UNIT/eventscripts/scripts/13.per_ip_routing.sh
+%{_datadir}/ctdb/tests/UNIT/eventscripts/scripts/20.multipathd.sh
+%{_datadir}/ctdb/tests/UNIT/eventscripts/scripts/31.clamd.sh
+%{_datadir}/ctdb/tests/UNIT/eventscripts/scripts/40.vsftpd.sh
+%{_datadir}/ctdb/tests/UNIT/eventscripts/scripts/41.httpd.sh
+%{_datadir}/ctdb/tests/UNIT/eventscripts/scripts/49.winbind.sh
+%{_datadir}/ctdb/tests/UNIT/eventscripts/scripts/50.samba.sh
+%{_datadir}/ctdb/tests/UNIT/eventscripts/scripts/60.nfs.sh
+%{_datadir}/ctdb/tests/UNIT/eventscripts/scripts/91.lvs.sh
+%{_datadir}/ctdb/tests/UNIT/eventscripts/scripts/local.sh
+%{_datadir}/ctdb/tests/UNIT/eventscripts/scripts/statd-callout.sh
+%{_datadir}/ctdb/tests/UNIT/eventscripts/statd-callout.001.sh
+%{_datadir}/ctdb/tests/UNIT/eventscripts/statd-callout.002.sh
+%{_datadir}/ctdb/tests/UNIT/eventscripts/statd-callout.003.sh
+%{_datadir}/ctdb/tests/UNIT/eventscripts/statd-callout.004.sh
+%{_datadir}/ctdb/tests/UNIT/eventscripts/statd-callout.005.sh
+%{_datadir}/ctdb/tests/UNIT/eventscripts/statd-callout.006.sh
+%{_datadir}/ctdb/tests/UNIT/eventscripts/statd-callout.007.sh
+%dir %{_datadir}/ctdb/tests/UNIT/eventscripts/stubs
+%{_datadir}/ctdb/tests/UNIT/eventscripts/stubs/ctdb
+%{_datadir}/ctdb/tests/UNIT/eventscripts/stubs/ctdb-config
+%{_datadir}/ctdb/tests/UNIT/eventscripts/stubs/ctdb_killtcp
+%{_datadir}/ctdb/tests/UNIT/eventscripts/stubs/ctdb_lvs
+%{_datadir}/ctdb/tests/UNIT/eventscripts/stubs/ctdb_natgw
+%{_datadir}/ctdb/tests/UNIT/eventscripts/stubs/date
+%{_datadir}/ctdb/tests/UNIT/eventscripts/stubs/df
+%{_datadir}/ctdb/tests/UNIT/eventscripts/stubs/ethtool
+%{_datadir}/ctdb/tests/UNIT/eventscripts/stubs/exportfs
+%{_datadir}/ctdb/tests/UNIT/eventscripts/stubs/id
+%{_datadir}/ctdb/tests/UNIT/eventscripts/stubs/ip
+%{_datadir}/ctdb/tests/UNIT/eventscripts/stubs/ip6tables
+%{_datadir}/ctdb/tests/UNIT/eventscripts/stubs/iptables
+%{_datadir}/ctdb/tests/UNIT/eventscripts/stubs/ipvsadm
+%{_datadir}/ctdb/tests/UNIT/eventscripts/stubs/kill
+%{_datadir}/ctdb/tests/UNIT/eventscripts/stubs/killall
+%{_datadir}/ctdb/tests/UNIT/eventscripts/stubs/multipath
+%{_datadir}/ctdb/tests/UNIT/eventscripts/stubs/net
+%{_datadir}/ctdb/tests/UNIT/eventscripts/stubs/pidof
+%{_datadir}/ctdb/tests/UNIT/eventscripts/stubs/pkill
+%{_datadir}/ctdb/tests/UNIT/eventscripts/stubs/ps
+%{_datadir}/ctdb/tests/UNIT/eventscripts/stubs/rm
+%{_datadir}/ctdb/tests/UNIT/eventscripts/stubs/rpcinfo
+%{_datadir}/ctdb/tests/UNIT/eventscripts/stubs/rpc.lockd
+%{_datadir}/ctdb/tests/UNIT/eventscripts/stubs/rpc.mountd
+%{_datadir}/ctdb/tests/UNIT/eventscripts/stubs/rpc.rquotad
+%{_datadir}/ctdb/tests/UNIT/eventscripts/stubs/rpc.statd
+%{_datadir}/ctdb/tests/UNIT/eventscripts/stubs/service
+%{_datadir}/ctdb/tests/UNIT/eventscripts/stubs/sleep
+%{_datadir}/ctdb/tests/UNIT/eventscripts/stubs/smnotify
+%{_datadir}/ctdb/tests/UNIT/eventscripts/stubs/ss
+%{_datadir}/ctdb/tests/UNIT/eventscripts/stubs/tdbdump
+%{_datadir}/ctdb/tests/UNIT/eventscripts/stubs/tdbtool
+%{_datadir}/ctdb/tests/UNIT/eventscripts/stubs/testparm
+%{_datadir}/ctdb/tests/UNIT/eventscripts/stubs/timeout
+%{_datadir}/ctdb/tests/UNIT/eventscripts/stubs/wbinfo
+%dir %{_datadir}/ctdb/tests/UNIT/onnode
+%{_datadir}/ctdb/tests/UNIT/onnode/0001.sh
+%{_datadir}/ctdb/tests/UNIT/onnode/0002.sh
+%{_datadir}/ctdb/tests/UNIT/onnode/0003.sh
+%{_datadir}/ctdb/tests/UNIT/onnode/0004.sh
+%{_datadir}/ctdb/tests/UNIT/onnode/0005.sh
+%{_datadir}/ctdb/tests/UNIT/onnode/0006.sh
+%{_datadir}/ctdb/tests/UNIT/onnode/0010.sh
+%{_datadir}/ctdb/tests/UNIT/onnode/0011.sh
+%{_datadir}/ctdb/tests/UNIT/onnode/0070.sh
+%{_datadir}/ctdb/tests/UNIT/onnode/0071.sh
+%{_datadir}/ctdb/tests/UNIT/onnode/0072.sh
+%{_datadir}/ctdb/tests/UNIT/onnode/0075.sh
+%dir %{_datadir}/ctdb/tests/UNIT/onnode/etc-ctdb
+%{_datadir}/ctdb/tests/UNIT/onnode/etc-ctdb/nodes
+%dir %{_datadir}/ctdb/tests/UNIT/onnode/scripts
+%{_datadir}/ctdb/tests/UNIT/onnode/scripts/local.sh
+%dir %{_datadir}/ctdb/tests/UNIT/onnode/stubs
+%{_datadir}/ctdb/tests/UNIT/onnode/stubs/ctdb
+%{_datadir}/ctdb/tests/UNIT/onnode/stubs/ssh
+%dir %{_datadir}/ctdb/tests/UNIT/shellcheck
+%{_datadir}/ctdb/tests/UNIT/shellcheck/base_scripts.sh
+%{_datadir}/ctdb/tests/UNIT/shellcheck/ctdbd_wrapper.sh
+%{_datadir}/ctdb/tests/UNIT/shellcheck/ctdb_helpers.sh
+%{_datadir}/ctdb/tests/UNIT/shellcheck/event_scripts.sh
+%{_datadir}/ctdb/tests/UNIT/shellcheck/functions.sh
+%{_datadir}/ctdb/tests/UNIT/shellcheck/init_script.sh
+%dir %{_datadir}/ctdb/tests/UNIT/shellcheck/scripts
+%{_datadir}/ctdb/tests/UNIT/shellcheck/scripts/local.sh
+%{_datadir}/ctdb/tests/UNIT/shellcheck/tests.sh
+%{_datadir}/ctdb/tests/UNIT/shellcheck/tools.sh
+%dir %{_datadir}/ctdb/tests/UNIT/takeover
+%{_datadir}/ctdb/tests/UNIT/takeover/det.001.sh
+%{_datadir}/ctdb/tests/UNIT/takeover/det.002.sh
+%{_datadir}/ctdb/tests/UNIT/takeover/det.003.sh
+%dir %{_datadir}/ctdb/tests/UNIT/takeover_helper
+%{_datadir}/ctdb/tests/UNIT/takeover_helper/000.sh
+%{_datadir}/ctdb/tests/UNIT/takeover_helper/010.sh
+%{_datadir}/ctdb/tests/UNIT/takeover_helper/011.sh
+%{_datadir}/ctdb/tests/UNIT/takeover_helper/012.sh
+%{_datadir}/ctdb/tests/UNIT/takeover_helper/013.sh
+%{_datadir}/ctdb/tests/UNIT/takeover_helper/014.sh
+%{_datadir}/ctdb/tests/UNIT/takeover_helper/016.sh
+%{_datadir}/ctdb/tests/UNIT/takeover_helper/017.sh
+%{_datadir}/ctdb/tests/UNIT/takeover_helper/018.sh
+%{_datadir}/ctdb/tests/UNIT/takeover_helper/019.sh
+%{_datadir}/ctdb/tests/UNIT/takeover_helper/021.sh
+%{_datadir}/ctdb/tests/UNIT/takeover_helper/022.sh
+%{_datadir}/ctdb/tests/UNIT/takeover_helper/023.sh
+%{_datadir}/ctdb/tests/UNIT/takeover_helper/024.sh
+%{_datadir}/ctdb/tests/UNIT/takeover_helper/025.sh
+%{_datadir}/ctdb/tests/UNIT/takeover_helper/026.sh
+%{_datadir}/ctdb/tests/UNIT/takeover_helper/027.sh
+%{_datadir}/ctdb/tests/UNIT/takeover_helper/028.sh
+%{_datadir}/ctdb/tests/UNIT/takeover_helper/030.sh
+%{_datadir}/ctdb/tests/UNIT/takeover_helper/031.sh
+%{_datadir}/ctdb/tests/UNIT/takeover_helper/110.sh
+%{_datadir}/ctdb/tests/UNIT/takeover_helper/111.sh
+%{_datadir}/ctdb/tests/UNIT/takeover_helper/120.sh
+%{_datadir}/ctdb/tests/UNIT/takeover_helper/121.sh
+%{_datadir}/ctdb/tests/UNIT/takeover_helper/122.sh
+%{_datadir}/ctdb/tests/UNIT/takeover_helper/130.sh
+%{_datadir}/ctdb/tests/UNIT/takeover_helper/131.sh
+%{_datadir}/ctdb/tests/UNIT/takeover_helper/132.sh
+%{_datadir}/ctdb/tests/UNIT/takeover_helper/140.sh
+%{_datadir}/ctdb/tests/UNIT/takeover_helper/150.sh
+%{_datadir}/ctdb/tests/UNIT/takeover_helper/160.sh
+%{_datadir}/ctdb/tests/UNIT/takeover_helper/210.sh
+%{_datadir}/ctdb/tests/UNIT/takeover_helper/211.sh
+%{_datadir}/ctdb/tests/UNIT/takeover_helper/220.sh
+%{_datadir}/ctdb/tests/UNIT/takeover_helper/230.sh
+%{_datadir}/ctdb/tests/UNIT/takeover_helper/240.sh
+%{_datadir}/ctdb/tests/UNIT/takeover_helper/250.sh
+%{_datadir}/ctdb/tests/UNIT/takeover_helper/260.sh
+%dir %{_datadir}/ctdb/tests/UNIT/takeover_helper/scripts
+%{_datadir}/ctdb/tests/UNIT/takeover_helper/scripts/local.sh
+%{_datadir}/ctdb/tests/UNIT/takeover/lcp2.001.sh
+%{_datadir}/ctdb/tests/UNIT/takeover/lcp2.002.sh
+%{_datadir}/ctdb/tests/UNIT/takeover/lcp2.003.sh
+%{_datadir}/ctdb/tests/UNIT/takeover/lcp2.004.sh
+%{_datadir}/ctdb/tests/UNIT/takeover/lcp2.005.sh
+%{_datadir}/ctdb/tests/UNIT/takeover/lcp2.006.sh
+%{_datadir}/ctdb/tests/UNIT/takeover/lcp2.007.sh
+%{_datadir}/ctdb/tests/UNIT/takeover/lcp2.008.sh
+%{_datadir}/ctdb/tests/UNIT/takeover/lcp2.009.sh
+%{_datadir}/ctdb/tests/UNIT/takeover/lcp2.010.sh
+%{_datadir}/ctdb/tests/UNIT/takeover/lcp2.011.sh
+%{_datadir}/ctdb/tests/UNIT/takeover/lcp2.012.sh
+%{_datadir}/ctdb/tests/UNIT/takeover/lcp2.013.sh
+%{_datadir}/ctdb/tests/UNIT/takeover/lcp2.014.sh
+%{_datadir}/ctdb/tests/UNIT/takeover/lcp2.015.sh
+%{_datadir}/ctdb/tests/UNIT/takeover/lcp2.016.sh
+%{_datadir}/ctdb/tests/UNIT/takeover/lcp2.024.sh
+%{_datadir}/ctdb/tests/UNIT/takeover/lcp2.025.sh
+%{_datadir}/ctdb/tests/UNIT/takeover/lcp2.027.sh
+%{_datadir}/ctdb/tests/UNIT/takeover/lcp2.028.sh
+%{_datadir}/ctdb/tests/UNIT/takeover/lcp2.029.sh
+%{_datadir}/ctdb/tests/UNIT/takeover/lcp2.030.sh
+%{_datadir}/ctdb/tests/UNIT/takeover/lcp2.031.sh
+%{_datadir}/ctdb/tests/UNIT/takeover/lcp2.032.sh
+%{_datadir}/ctdb/tests/UNIT/takeover/lcp2.033.sh
+%{_datadir}/ctdb/tests/UNIT/takeover/lcp2.034.sh
+%{_datadir}/ctdb/tests/UNIT/takeover/lcp2.035.sh
+%{_datadir}/ctdb/tests/UNIT/takeover/nondet.001.sh
+%{_datadir}/ctdb/tests/UNIT/takeover/nondet.002.sh
+%{_datadir}/ctdb/tests/UNIT/takeover/nondet.003.sh
+%{_datadir}/ctdb/tests/UNIT/takeover/README
+%dir %{_datadir}/ctdb/tests/UNIT/takeover/scripts
+%{_datadir}/ctdb/tests/UNIT/takeover/scripts/local.sh
+%dir %{_datadir}/ctdb/tests/UNIT/tool
+%{_datadir}/ctdb/tests/UNIT/tool/ctdb.attach.001.sh
+%{_datadir}/ctdb/tests/UNIT/tool/ctdb.attach.002.sh
+%{_datadir}/ctdb/tests/UNIT/tool/ctdb.attach.003.sh
+%{_datadir}/ctdb/tests/UNIT/tool/ctdb.ban.001.sh
+%{_datadir}/ctdb/tests/UNIT/tool/ctdb.ban.002.sh
+%{_datadir}/ctdb/tests/UNIT/tool/ctdb.ban.003.sh
+%{_datadir}/ctdb/tests/UNIT/tool/ctdb.catdb.001.sh
+%{_datadir}/ctdb/tests/UNIT/tool/ctdb.catdb.002.sh
+%{_datadir}/ctdb/tests/UNIT/tool/ctdb.cattdb.001.sh
+%{_datadir}/ctdb/tests/UNIT/tool/ctdb.cattdb.002.sh
+%{_datadir}/ctdb/tests/UNIT/tool/ctdb.continue.001.sh
+%{_datadir}/ctdb/tests/UNIT/tool/ctdb.continue.002.sh
+%{_datadir}/ctdb/tests/UNIT/tool/ctdb.continue.003.sh
+%{_datadir}/ctdb/tests/UNIT/tool/ctdb.deletekey.001.sh
+%{_datadir}/ctdb/tests/UNIT/tool/ctdb.disable.001.sh
+%{_datadir}/ctdb/tests/UNIT/tool/ctdb.disable.002.sh
+%{_datadir}/ctdb/tests/UNIT/tool/ctdb.disable.003.sh
+%{_datadir}/ctdb/tests/UNIT/tool/ctdb.disable.004.sh
+%{_datadir}/ctdb/tests/UNIT/tool/ctdb.enable.001.sh
+%{_datadir}/ctdb/tests/UNIT/tool/ctdb.enable.002.sh
+%{_datadir}/ctdb/tests/UNIT/tool/ctdb.enable.003.sh
+%{_datadir}/ctdb/tests/UNIT/tool/ctdb.getcapabilities.001.sh
+%{_datadir}/ctdb/tests/UNIT/tool/ctdb.getcapabilities.002.sh
+%{_datadir}/ctdb/tests/UNIT/tool/ctdb.getcapabilities.003.sh
+%{_datadir}/ctdb/tests/UNIT/tool/ctdb.getcapabilities.004.sh
+%{_datadir}/ctdb/tests/UNIT/tool/ctdb.getdbmap.001.sh
+%{_datadir}/ctdb/tests/UNIT/tool/ctdb.getdbseqnum.001.sh
+%{_datadir}/ctdb/tests/UNIT/tool/ctdb.getdbseqnum.002.sh
+%{_datadir}/ctdb/tests/UNIT/tool/ctdb.getdbstatus.001.sh
+%{_datadir}/ctdb/tests/UNIT/tool/ctdb.getdbstatus.002.sh
+%{_datadir}/ctdb/tests/UNIT/tool/ctdb.getpid.001.sh
+%{_datadir}/ctdb/tests/UNIT/tool/ctdb.getreclock.001.sh
+%{_datadir}/ctdb/tests/UNIT/tool/ctdb.getreclock.002.sh
+%{_datadir}/ctdb/tests/UNIT/tool/ctdb.getvar.001.sh
+%{_datadir}/ctdb/tests/UNIT/tool/ctdb.getvar.002.sh
+%{_datadir}/ctdb/tests/UNIT/tool/ctdb.ifaces.001.sh
+%{_datadir}/ctdb/tests/UNIT/tool/ctdb.ip.001.sh
+%{_datadir}/ctdb/tests/UNIT/tool/ctdb.ip.002.sh
+%{_datadir}/ctdb/tests/UNIT/tool/ctdb.ip.003.sh
+%{_datadir}/ctdb/tests/UNIT/tool/ctdb.ip.004.sh
+%{_datadir}/ctdb/tests/UNIT/tool/ctdb.ip.005.sh
+%{_datadir}/ctdb/tests/UNIT/tool/ctdb.ip.006.sh
+%{_datadir}/ctdb/tests/UNIT/tool/ctdb.ip.007.sh
+%{_datadir}/ctdb/tests/UNIT/tool/ctdb.ipinfo.001.sh
+%{_datadir}/ctdb/tests/UNIT/tool/ctdb.ipinfo.002.sh
+%{_datadir}/ctdb/tests/UNIT/tool/ctdb.ipinfo.003.sh
+%{_datadir}/ctdb/tests/UNIT/tool/ctdb.listnodes.001.sh
+%{_datadir}/ctdb/tests/UNIT/tool/ctdb.listnodes.002.sh
+%{_datadir}/ctdb/tests/UNIT/tool/ctdb.listvars.001.sh
+%{_datadir}/ctdb/tests/UNIT/tool/ctdb.lvs.001.sh
+%{_datadir}/ctdb/tests/UNIT/tool/ctdb.lvs.002.sh
+%{_datadir}/ctdb/tests/UNIT/tool/ctdb.lvs.003.sh
+%{_datadir}/ctdb/tests/UNIT/tool/ctdb.lvs.004.sh
+%{_datadir}/ctdb/tests/UNIT/tool/ctdb.lvs.005.sh
+%{_datadir}/ctdb/tests/UNIT/tool/ctdb.lvs.006.sh
+%{_datadir}/ctdb/tests/UNIT/tool/ctdb.lvs.007.sh
+%{_datadir}/ctdb/tests/UNIT/tool/ctdb.lvs.008.sh
+%{_datadir}/ctdb/tests/UNIT/tool/ctdb.natgw.001.sh
+%{_datadir}/ctdb/tests/UNIT/tool/ctdb.natgw.002.sh
+%{_datadir}/ctdb/tests/UNIT/tool/ctdb.natgw.003.sh
+%{_datadir}/ctdb/tests/UNIT/tool/ctdb.natgw.004.sh
+%{_datadir}/ctdb/tests/UNIT/tool/ctdb.natgw.005.sh
+%{_datadir}/ctdb/tests/UNIT/tool/ctdb.natgw.006.sh
+%{_datadir}/ctdb/tests/UNIT/tool/ctdb.natgw.007.sh
+%{_datadir}/ctdb/tests/UNIT/tool/ctdb.natgw.008.sh
+%{_datadir}/ctdb/tests/UNIT/tool/ctdb.nodestatus.001.sh
+%{_datadir}/ctdb/tests/UNIT/tool/ctdb.nodestatus.002.sh
+%{_datadir}/ctdb/tests/UNIT/tool/ctdb.nodestatus.003.sh
+%{_datadir}/ctdb/tests/UNIT/tool/ctdb.nodestatus.004.sh
+%{_datadir}/ctdb/tests/UNIT/tool/ctdb.nodestatus.005.sh
+%{_datadir}/ctdb/tests/UNIT/tool/ctdb.nodestatus.006.sh
+%{_datadir}/ctdb/tests/UNIT/tool/ctdb.pdelete.001.sh
+%{_datadir}/ctdb/tests/UNIT/tool/ctdb.ping.001.sh
+%{_datadir}/ctdb/tests/UNIT/tool/ctdb.pnn.001.sh
+%{_datadir}/ctdb/tests/UNIT/tool/ctdb.process-exists.001.sh
+%{_datadir}/ctdb/tests/UNIT/tool/ctdb.process-exists.002.sh
+%{_datadir}/ctdb/tests/UNIT/tool/ctdb.process-exists.003.sh
+%{_datadir}/ctdb/tests/UNIT/tool/ctdb.pstore.001.sh
+%{_datadir}/ctdb/tests/UNIT/tool/ctdb.ptrans.001.sh
+%{_datadir}/ctdb/tests/UNIT/tool/ctdb.readkey.001.sh
+%{_datadir}/ctdb/tests/UNIT/tool/ctdb.recmaster.001.sh
+%{_datadir}/ctdb/tests/UNIT/tool/ctdb.recmaster.002.sh
+%{_datadir}/ctdb/tests/UNIT/tool/ctdb.recover.001.sh
+%{_datadir}/ctdb/tests/UNIT/tool/ctdb.reloadnodes.001.sh
+%{_datadir}/ctdb/tests/UNIT/tool/ctdb.reloadnodes.002.sh
+%{_datadir}/ctdb/tests/UNIT/tool/ctdb.reloadnodes.003.sh
+%{_datadir}/ctdb/tests/UNIT/tool/ctdb.reloadnodes.011.sh
+%{_datadir}/ctdb/tests/UNIT/tool/ctdb.reloadnodes.012.sh
+%{_datadir}/ctdb/tests/UNIT/tool/ctdb.reloadnodes.013.sh
+%{_datadir}/ctdb/tests/UNIT/tool/ctdb.reloadnodes.014.sh
+%{_datadir}/ctdb/tests/UNIT/tool/ctdb.reloadnodes.015.sh
+%{_datadir}/ctdb/tests/UNIT/tool/ctdb.reloadnodes.016.sh
+%{_datadir}/ctdb/tests/UNIT/tool/ctdb.reloadnodes.017.sh
+%{_datadir}/ctdb/tests/UNIT/tool/ctdb.reloadnodes.018.sh
+%{_datadir}/ctdb/tests/UNIT/tool/ctdb.reloadnodes.019.sh
+%{_datadir}/ctdb/tests/UNIT/tool/ctdb.reloadnodes.020.sh
+%{_datadir}/ctdb/tests/UNIT/tool/ctdb.reloadnodes.021.sh
+%{_datadir}/ctdb/tests/UNIT/tool/ctdb.reloadnodes.023.sh
+%{_datadir}/ctdb/tests/UNIT/tool/ctdb.reloadnodes.024.sh
+%{_datadir}/ctdb/tests/UNIT/tool/ctdb.runstate.001.sh
+%{_datadir}/ctdb/tests/UNIT/tool/ctdb.runstate.002.sh
+%{_datadir}/ctdb/tests/UNIT/tool/ctdb.runstate.003.sh
+%{_datadir}/ctdb/tests/UNIT/tool/ctdb.runstate.004.sh
+%{_datadir}/ctdb/tests/UNIT/tool/ctdb.runstate.005.sh
+%{_datadir}/ctdb/tests/UNIT/tool/ctdb.setdbreadonly.001.sh
+%{_datadir}/ctdb/tests/UNIT/tool/ctdb.setdbreadonly.002.sh
+%{_datadir}/ctdb/tests/UNIT/tool/ctdb.setdbreadonly.003.sh
+%{_datadir}/ctdb/tests/UNIT/tool/ctdb.setdbreadonly.004.sh
+%{_datadir}/ctdb/tests/UNIT/tool/ctdb.setdbreadonly.005.sh
+%{_datadir}/ctdb/tests/UNIT/tool/ctdb.setdbsticky.001.sh
+%{_datadir}/ctdb/tests/UNIT/tool/ctdb.setdbsticky.002.sh
+%{_datadir}/ctdb/tests/UNIT/tool/ctdb.setdbsticky.003.sh
+%{_datadir}/ctdb/tests/UNIT/tool/ctdb.setdbsticky.004.sh
+%{_datadir}/ctdb/tests/UNIT/tool/ctdb.setdbsticky.005.sh
+%{_datadir}/ctdb/tests/UNIT/tool/ctdb.setdebug.001.sh
+%{_datadir}/ctdb/tests/UNIT/tool/ctdb.setdebug.002.sh
+%{_datadir}/ctdb/tests/UNIT/tool/ctdb.setdebug.003.sh
+%{_datadir}/ctdb/tests/UNIT/tool/ctdb.setifacelink.001.sh
+%{_datadir}/ctdb/tests/UNIT/tool/ctdb.setifacelink.002.sh
+%{_datadir}/ctdb/tests/UNIT/tool/ctdb.setvar.001.sh
+%{_datadir}/ctdb/tests/UNIT/tool/ctdb.setvar.002.sh
+%{_datadir}/ctdb/tests/UNIT/tool/ctdb.status.001.sh
+%{_datadir}/ctdb/tests/UNIT/tool/ctdb.status.002.sh
+%{_datadir}/ctdb/tests/UNIT/tool/ctdb.stop.001.sh
+%{_datadir}/ctdb/tests/UNIT/tool/ctdb.stop.002.sh
+%{_datadir}/ctdb/tests/UNIT/tool/ctdb.stop.003.sh
+%{_datadir}/ctdb/tests/UNIT/tool/ctdb.unban.001.sh
+%{_datadir}/ctdb/tests/UNIT/tool/ctdb.unban.002.sh
+%{_datadir}/ctdb/tests/UNIT/tool/ctdb.unban.003.sh
+%{_datadir}/ctdb/tests/UNIT/tool/ctdb.uptime.001.sh
+%{_datadir}/ctdb/tests/UNIT/tool/ctdb.writekey.001.sh
+%{_datadir}/ctdb/tests/UNIT/tool/README
+%dir %{_datadir}/ctdb/tests/UNIT/tool/scripts
+%{_datadir}/ctdb/tests/UNIT/tool/scripts/local.sh
 #endif with_clustering_support
 %endif
+%if %{with_winexe}
+### WINEXE
+%files winexe
+%{_bindir}/winexe
+%endif
+
 %changelog
+* Wed Aug 12 2020 Alexander Bokovoy - 4.12.3-12
+- resolves: #1868558 - cannot create a directory in home over SMB2, mkdirat returns EBADF
+
+* Wed Jul 22 2020 Andreas Schneider - 4.12.3-11
+- resolves: #1859277 - Allow a user to use gencache
+
+* Wed Jul 15 2020 Isaac Boukris - 4.12.3-10
+- related: #1856315 - Fix net-ads-join with LDAP over TLS
+
+* Tue Jul 14 2020 Andreas Schneider - 4.12.3-9
+- related: #1817557 - Move DECRPC mdssvc data files to correct package
+- resolves: #1856676 - Fix lookuprids in winbind
+
+* Mon Jul 13 2020 Isaac Boukris - 4.12.3-8
+- resolves: #1856315 - Fix net-ads-join with LDAP over TLS
+
+* Fri Jul 10 2020 Andreas Schneider - 4.12.3-7
+- resolves: #1855711 - Fix 'require_membership_of' documentation in
+ pam_winbind manpage
+
+* Thu Jul 09 2020 Andreas Schneider - 4.12.3-6
+- related: #1842844 - Fix TLS connections with GnuTLS
+
+* Wed Jul 01 2020 Andreas Schneider - 4.12.3-5
+- resolves: #1823612 - Fix segfault in 'net ads dns gethostbyname'
+- resolves: #1792553 - Fix 'net ads join createcomputer=OU'
+
+* Fri Jun 26 2020 Isaac Boukris - 4.12.3-4
+- resolves: #1850980 - Add "additional dns hostname" to keytab
+- resolves: #1850981 - Add net-ads-join dnshostname=fqdn option
+
+* Fri Jun 19 2020 Andreas Schneider - 4.12.3-1
+- resolves: #1666737 - Add a new smbc_readdirplus2() function to libsmbclient
+- resolves: #1842844 - Fix GnuTLS priority list for TLS connections
+
+* Tue Jun 02 2020 Andreas Schneider - 4.12.3-0
+- resolves: #1817557 - Rebase to version 4.12.3
+- resolves: #1813833 - Fix 'net ads join createupn='
+
+* Fri May 29 2020 Alexander Bokovoy - 4.11.2-14
+- Rebuild with krb5 1.18
+- Resolves: #1817578 - support krb5 1.18
+
 * Thu Feb 13 2020 Isaac Boukris - 4.11.2-13
 - resolves: #1802182 - Fix join using netbios name