The branch, master has been updated
via 9b7825d2d38 auth:ntlmssp: Use generate_random_buffer() for session
keys
via 6fa3e4de7c1 s3:passdb: Use generate_secret_buffer() for generating
passwords
via a3e36dd8f43 s4:samdb: Use generate_nonce_buffer() for AEC GCM nonce
via 93196dd823e lib:util: Use generate_secret_buffer() for long term
passwords
via d73be972ea5 Revert "s4:rpc_server: Use generate_secret_buffer() to
create a session key"
via 38b0695ddac Revert "s4:rpc_server: Use generate_secret_buffer() for
backupkey wap_key"
via 1c68085404c Revert "s4:rpc_server: Use generate_secret_buffer() for
netlogon challange"
via 689760f2652 Revert "libcli:auth: Use generate_secret_buffer() for
netlogon challenge"
via 97c441d7c28 lib:util: Fix documentation for random number functions
from 4d276a93fc6 smbtorture: extend rpc.lsa to lookup machine over
forest-wide LookupNames
https://git.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit 9b7825d2d387bcb2515154418a990669ab96358d
Author: Andreas Schneider <a...@samba.org>
Date: Mon Aug 12 19:07:15 2019 +0200
auth:ntlmssp: Use generate_random_buffer() for session keys
Signed-off-by: Andreas Schneider <a...@samba.org>
Reviewed-by: Alexander Bokovoy <a...@samba.org>
Autobuild-User(master): Alexander Bokovoy <a...@samba.org>
Autobuild-Date(master): Wed Aug 14 16:26:47 UTC 2019 on sn-devel-184
commit 6fa3e4de7c168dc7c869ec9966729a36bda27f57
Author: Andreas Schneider <a...@samba.org>
Date: Mon Aug 12 18:57:06 2019 +0200
s3:passdb: Use generate_secret_buffer() for generating passwords
Signed-off-by: Andreas Schneider <a...@samba.org>
Reviewed-by: Alexander Bokovoy <a...@samba.org>
commit a3e36dd8f43a5c06969ae158fa54fbc649f44d03
Author: Andreas Schneider <a...@samba.org>
Date: Mon Aug 12 18:56:35 2019 +0200
s4:samdb: Use generate_nonce_buffer() for AEC GCM nonce
Signed-off-by: Andreas Schneider <a...@samba.org>
Reviewed-by: Alexander Bokovoy <a...@samba.org>
commit 93196dd823e114f260a68d28bb59eac3909c30d8
Author: Andreas Schneider <a...@samba.org>
Date: Mon Aug 12 18:55:56 2019 +0200
lib:util: Use generate_secret_buffer() for long term passwords
Signed-off-by: Andreas Schneider <a...@samba.org>
Reviewed-by: Alexander Bokovoy <a...@samba.org>
commit d73be972ea58d564c770698bf6374a6074f111fe
Author: Andreas Schneider <a...@samba.org>
Date: Mon Aug 12 18:50:02 2019 +0200
Revert "s4:rpc_server: Use generate_secret_buffer() to create a session key"
This reverts commit 4b2480518bd3887be3a6cfb713523ac084e09fd5.
Reviewed-by: Alexander Bokovoy <a...@samba.org>
commit 38b0695ddac244c67b2a33eb927ad3e95d2e8bd6
Author: Andreas Schneider <a...@samba.org>
Date: Mon Aug 12 18:49:52 2019 +0200
Revert "s4:rpc_server: Use generate_secret_buffer() for backupkey wap_key"
This reverts commit 5a62056b4530e4c509444be9164a1fca1dce193f.
Reviewed-by: Alexander Bokovoy <a...@samba.org>
commit 1c68085404cd467c217640e3eabfc4b7f8b1ce9f
Author: Andreas Schneider <a...@samba.org>
Date: Mon Aug 12 18:49:37 2019 +0200
Revert "s4:rpc_server: Use generate_secret_buffer() for netlogon challange"
This reverts commit a21770cfdffd2a21045a1bc87e489af0f4c6f130.
Reviewed-by: Alexander Bokovoy <a...@samba.org>
commit 689760f26521fe5b4c8964a25ddd3ab1c9e9977c
Author: Andreas Schneider <a...@samba.org>
Date: Mon Aug 12 18:49:31 2019 +0200
Revert "libcli:auth: Use generate_secret_buffer() for netlogon challenge"
This reverts commit c3ba556f52b15dd80efc26e4fb8f43ce2ee3a7f0.
Reviewed-by: Alexander Bokovoy <a...@samba.org>
commit 97c441d7c28feb29168e81ebbc5c55b09a845087
Author: Andreas Schneider <a...@samba.org>
Date: Mon Aug 12 16:10:20 2019 +0200
lib:util: Fix documentation for random number functions
Signed-off-by: Andreas Schneider <a...@samba.org>
Reviewed-by: Alexander Bokovoy <a...@samba.org>
-----------------------------------------------------------------------
Summary of changes:
auth/ntlmssp/ntlmssp_client.c | 2 +-
lib/util/genrand.c | 9 +++++++--
lib/util/genrand.h | 8 ++++++--
lib/util/genrand_util.c | 6 +++---
libcli/auth/netlogon_creds_cli.c | 3 +--
source3/passdb/pdb_nds.c | 3 ++-
source4/dsdb/samdb/ldb_modules/encrypted_secrets.c | 2 +-
source4/rpc_server/backupkey/dcesrv_backupkey.c | 3 +--
source4/rpc_server/netlogon/dcerpc_netlogon.c | 3 +--
source4/rpc_server/samr/samr_password.c | 5 ++---
10 files changed, 25 insertions(+), 19 deletions(-)
Changeset truncated at 500 lines:
diff --git a/auth/ntlmssp/ntlmssp_client.c b/auth/ntlmssp/ntlmssp_client.c
index b8d1190466b..2a80feb4fed 100644
--- a/auth/ntlmssp/ntlmssp_client.c
+++ b/auth/ntlmssp/ntlmssp_client.c
@@ -696,7 +696,7 @@ NTSTATUS ntlmssp_client_challenge(struct gensec_security
*gensec_security,
.size = session_key.length,
};
- generate_secret_buffer(client_session_key,
sizeof(client_session_key));
+ generate_random_buffer(client_session_key,
sizeof(client_session_key));
/* Encrypt the new session key with the old one */
encrypted_session_key = data_blob_talloc(ntlmssp_state,
diff --git a/lib/util/genrand.c b/lib/util/genrand.c
index a5809aa2bc9..18ffa0d95e6 100644
--- a/lib/util/genrand.c
+++ b/lib/util/genrand.c
@@ -33,13 +33,16 @@
_PUBLIC_ void generate_random_buffer(uint8_t *out, int len)
{
- /* Thread and fork safe random number generator for temporary keys. */
+ /* Random number generator for temporary keys. */
gnutls_rnd(GNUTLS_RND_RANDOM, out, len);
}
_PUBLIC_ void generate_secret_buffer(uint8_t *out, int len)
{
- /* The key generator, will re-seed after a fixed amount of bytes is
+ /*
+ * Random number generator for long term keys.
+ *
+ * The key generator, will re-seed after a fixed amount of bytes is
* generated (typically less than the nonce), and will also re-seed
* based on time, i.e., after few hours of operation without reaching
* the limit for a re-seed. For its re-seed it mixes mixes data obtained
@@ -51,6 +54,8 @@ _PUBLIC_ void generate_secret_buffer(uint8_t *out, int len)
_PUBLIC_ void generate_nonce_buffer(uint8_t *out, int len)
{
/*
+ * Random number generator for nonce and initialization vectors.
+ *
* The nonce generator will reseed after outputting a fixed amount of
* bytes (typically few megabytes), or after few hours of operation
* without reaching the limit has passed.
diff --git a/lib/util/genrand.h b/lib/util/genrand.h
index abb8ce2c10a..70f36312e58 100644
--- a/lib/util/genrand.h
+++ b/lib/util/genrand.h
@@ -20,12 +20,16 @@
*/
/**
- * Thread and fork safe random number generator for temporary keys.
+ * @brief Generate random values for session and temporary keys.
+ *
+ * @param[in] out A pointer to the buffer to fill with random data.
+ *
+ * @param[in] len The size of the buffer to fill.
*/
void generate_random_buffer(uint8_t *out, int len);
/**
- * @brief Generate random values for key buffers (e.g. session keys)
+ * @brief Generate random values for long term keys and passwords.
*
* @param[in] out A pointer to the buffer to fill with random data.
*
diff --git a/lib/util/genrand_util.c b/lib/util/genrand_util.c
index d7b74c6cf1a..05d1f3ef6e5 100644
--- a/lib/util/genrand_util.c
+++ b/lib/util/genrand_util.c
@@ -185,7 +185,7 @@ _PUBLIC_ char *generate_random_str_list(TALLOC_CTX
*mem_ctx, size_t len, const c
char *retstr = talloc_array(mem_ctx, char, len + 1);
if (!retstr) return NULL;
- generate_random_buffer((uint8_t *)retstr, len);
+ generate_secret_buffer((uint8_t *)retstr, len);
for (i = 0; i < len; i++) {
retstr[i] = list[retstr[i] % list_len];
}
@@ -247,7 +247,7 @@ _PUBLIC_ char *generate_random_password(TALLOC_CTX
*mem_ctx, size_t min, size_t
if (diff > 0 ) {
size_t tmp;
- generate_random_buffer((uint8_t *)&tmp, sizeof(tmp));
+ generate_secret_buffer((uint8_t *)&tmp, sizeof(tmp));
tmp %= diff;
@@ -317,7 +317,7 @@ _PUBLIC_ char *generate_random_machine_password(TALLOC_CTX
*mem_ctx, size_t min,
if (diff > 0) {
size_t tmp;
- generate_random_buffer((uint8_t *)&tmp, sizeof(tmp));
+ generate_secret_buffer((uint8_t *)&tmp, sizeof(tmp));
tmp %= diff;
diff --git a/libcli/auth/netlogon_creds_cli.c b/libcli/auth/netlogon_creds_cli.c
index 18143ca36d0..50a5f50a57d 100644
--- a/libcli/auth/netlogon_creds_cli.c
+++ b/libcli/auth/netlogon_creds_cli.c
@@ -1177,8 +1177,7 @@ static void
netlogon_creds_cli_auth_challenge_start(struct tevent_req *req)
TALLOC_FREE(state->creds);
- /* We need to use a CSPRNG which reseeds for generating session keys. */
- generate_secret_buffer(state->client_challenge.data,
+ generate_random_buffer(state->client_challenge.data,
sizeof(state->client_challenge.data));
subreq = dcerpc_netr_ServerReqChallenge_send(state, state->ev,
diff --git a/source3/passdb/pdb_nds.c b/source3/passdb/pdb_nds.c
index 349ea0b6c38..216c9e6b50b 100644
--- a/source3/passdb/pdb_nds.c
+++ b/source3/passdb/pdb_nds.c
@@ -814,7 +814,8 @@ static NTSTATUS pdb_nds_update_login_attempts(struct
pdb_methods *methods,
got_clear_text_pw = True;
}
} else {
- generate_random_buffer((unsigned char *)clear_text_pw,
24);
+ /* This is a long term key */
+ generate_secret_buffer((unsigned char *)clear_text_pw,
24);
clear_text_pw[24] = '\0';
DEBUG(5,("pdb_nds_update_login_attempts: using random
password %s\n", clear_text_pw));
}
diff --git a/source4/dsdb/samdb/ldb_modules/encrypted_secrets.c
b/source4/dsdb/samdb/ldb_modules/encrypted_secrets.c
index b2df15c08f4..deaa03cbb35 100644
--- a/source4/dsdb/samdb/ldb_modules/encrypted_secrets.c
+++ b/source4/dsdb/samdb/ldb_modules/encrypted_secrets.c
@@ -447,7 +447,7 @@ static struct ldb_val samba_encrypt_aead(int *err,
goto error_exit;
}
- generate_random_buffer(iv, AES_GCM_128_IV_SIZE);
+ generate_nonce_buffer(iv, AES_GCM_128_IV_SIZE);
es->iv.length = AES_GCM_128_IV_SIZE;
es->iv.data = iv;
diff --git a/source4/rpc_server/backupkey/dcesrv_backupkey.c
b/source4/rpc_server/backupkey/dcesrv_backupkey.c
index d192858e468..a826ae083f4 100644
--- a/source4/rpc_server/backupkey/dcesrv_backupkey.c
+++ b/source4/rpc_server/backupkey/dcesrv_backupkey.c
@@ -1263,8 +1263,7 @@ static WERROR generate_bkrp_server_wrap_key(TALLOC_CTX
*ctx, struct ldb_context
char *secret_name;
TALLOC_CTX *frame = talloc_stackframe();
- /* We need to use a CSPRNG which reseeds for generating session keys. */
- generate_secret_buffer(wrap_key.key, sizeof(wrap_key.key));
+ generate_random_buffer(wrap_key.key, sizeof(wrap_key.key));
ndr_err = ndr_push_struct_blob(&blob_wrap_key, ctx, &wrap_key,
(ndr_push_flags_fn_t)ndr_push_bkrp_dc_serverwrap_key);
if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c
b/source4/rpc_server/netlogon/dcerpc_netlogon.c
index f4e24b7fd7f..ac745e32b02 100644
--- a/source4/rpc_server/netlogon/dcerpc_netlogon.c
+++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c
@@ -90,8 +90,7 @@ static NTSTATUS dcesrv_netr_ServerReqChallenge(struct
dcesrv_call_state *dce_cal
pipe_state->client_challenge = *r->in.credentials;
- /* We need to use a CSPRNG which reseeds for generating session keys. */
- generate_secret_buffer(pipe_state->server_challenge.data,
+ generate_random_buffer(pipe_state->server_challenge.data,
sizeof(pipe_state->server_challenge.data));
*r->out.return_credentials = pipe_state->server_challenge;
diff --git a/source4/rpc_server/samr/samr_password.c
b/source4/rpc_server/samr/samr_password.c
index 6bf907181c8..b04e37f06f3 100644
--- a/source4/rpc_server/samr/samr_password.c
+++ b/source4/rpc_server/samr/samr_password.c
@@ -733,10 +733,9 @@ NTSTATUS samr_set_password_buffers(struct
dcesrv_call_state *dce_call,
nt_errstr(nt_status)));
/*
- * Windows just uses a random key. We need to use a CSPRNG
- * which reseeds for generating session keys.
+ * Windows just uses a random key
*/
- generate_secret_buffer(random_session_key,
+ generate_random_buffer(random_session_key,
sizeof(random_session_key));
session_key = data_blob_const(random_session_key,
sizeof(random_session_key));
--
Samba Shared Repository
