The branch, master has been updated via c34ec003b7d utils: only compile test_oLschema2ldif if fmemopen exists via 71816984c31 s4:lib:tls: Fix cert and privkey types via e19b115dd27 libcli:auth: Remove unused E_md5hash() via 4199d1040f0 s3:winbind: Replace E_md5hash() with GnuTLS calls via 10499507c4f s3:winbindd: Replace E_md5hash() with GnuTLS calls via a377214dce2 s3:rpc_server: Replace E_md5hash() with GnuTLS calls from 93b9fc3da86 build: add missing crypt dependency for auth4_unix
https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log ----------------------------------------------------------------- commit c34ec003b7d45aa4196ff93a0ac29694b25e5309 Author: Robert Scott <c...@humanleg.org.uk> Date: Sat Nov 16 17:46:51 2019 +0000 utils: only compile test_oLschema2ldif if fmemopen exists in the vein of da87fa998ab71328f30bcdf5b41aee8675aee48a Signed-off-by: Robert Scott <c...@humanleg.org.uk> Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> Autobuild-User(master): Andrew Bartlett <abart...@samba.org> Autobuild-Date(master): Tue Nov 19 06:12:29 UTC 2019 on sn-devel-184 commit 71816984c31cd1a392355afdbfdadb0da2d05765 Author: Andreas Schneider <a...@samba.org> Date: Mon Nov 18 16:33:23 2019 +0100 s4:lib:tls: Fix cert and privkey types ../../source4/lib/tls/tlscert.c:42:2: warning: ‘gnutls_x509_crt’ is deprecated [-Wdeprecated-declarations] 42 | gnutls_x509_crt cacrt, crt; | ^~~~~~~~~~~~~~~ ../../source4/lib/tls/tlscert.c:43:2: warning: ‘gnutls_x509_privkey’ is deprecated [-Wdeprecated-declarations] 43 | gnutls_x509_privkey key, cakey; | ^~~~~~~~~~~~~~~~~~~ Signed-off-by: Andreas Schneider <a...@samba.org> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit e19b115dd27891896364f5e943b0ce7fcc89344e Author: Andreas Schneider <a...@samba.org> Date: Mon Nov 18 10:29:55 2019 +0100 libcli:auth: Remove unused E_md5hash() BUG: https://bugzilla.samba.org/show_bug.cgi?id=14195 Signed-off-by: Andreas Schneider <a...@samba.org> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit 4199d1040f09b5d95522d0cbdbaeec78b7d7b9a6 Author: Andreas Schneider <a...@samba.org> Date: Mon Nov 18 10:28:59 2019 +0100 s3:winbind: Replace E_md5hash() with GnuTLS calls BUG: https://bugzilla.samba.org/show_bug.cgi?id=14195 
Signed-off-by: Andreas Schneider <a...@samba.org> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit 10499507c4fd91751898696b866ce32b1e38f605 Author: Andreas Schneider <a...@samba.org> Date: Mon Nov 18 10:24:56 2019 +0100 s3:winbindd: Replace E_md5hash() with GnuTLS calls BUG: https://bugzilla.samba.org/show_bug.cgi?id=14195 Signed-off-by: Andreas Schneider <a...@samba.org> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit a377214dce2e9d71f880949fe745d799c75f57a9 Author: Andreas Schneider <a...@samba.org> Date: Mon Nov 18 10:21:06 2019 +0100 s3:rpc_server: Replace E_md5hash() with GnuTLS calls BUG: https://bugzilla.samba.org/show_bug.cgi?id=14195 Signed-off-by: Andreas Schneider <a...@samba.org> Reviewed-by: Andrew Bartlett <abart...@samba.org> ----------------------------------------------------------------------- Summary of changes: libcli/auth/proto.h | 8 ------- libcli/auth/smbencrypt.c | 33 ---------------------------- source3/rpc_server/samr/srv_samr_chgpasswd.c | 20 ++++++++++++++++- source3/winbindd/winbindd_cache.c | 23 ++++++++++++++++++- source3/winbindd/winbindd_pam.c | 23 ++++++++++++++++++- source4/lib/tls/tlscert.c | 4 ++-- source4/utils/oLschema2ldif/wscript_build | 1 + 7 files changed, 66 insertions(+), 46 deletions(-) Changeset truncated at 500 lines:
diff --git a/libcli/auth/proto.h b/libcli/auth/proto.h
index eef1c8dc095..eb725c83d15 100644
--- a/libcli/auth/proto.h
+++ b/libcli/auth/proto.h
@@ -105,14 +105,6 @@ bool SMBencrypt(const char *passwd, const uint8_t *c8, uint8_t p24[24]);
 */
 bool E_md4hash(const char *passwd, uint8_t p16[16]);
-/**
- * Creates the MD5 Hash of a combination of 16 byte salt and 16 byte NT hash.
- * @param 16 byte salt.
- * @param 16 byte NT hash.
- * @param 16 byte return hashed with md5, caller allocated 16 byte buffer
- */
-void E_md5hash(const uint8_t salt[16], const uint8_t nthash[16], uint8_t hash_out[16]);
-
 /**
 * Creates the DES forward-only Hash of the users password in DOS ASCII charset
 * @param passwd password in 'unix' charset.
diff --git a/libcli/auth/smbencrypt.c b/libcli/auth/smbencrypt.c
index e33d29de19d..ab2c47ad9bb 100644
--- a/libcli/auth/smbencrypt.c
+++ b/libcli/auth/smbencrypt.c
@@ -94,39 +94,6 @@ bool E_md4hash(const char *passwd, uint8_t p16[16])
 return true;
 }
-/**
- * Creates the MD5 Hash of a combination of 16 byte salt and 16 byte NT hash.
- * @param 16 byte salt.
- * @param 16 byte NT hash.
- * @param 16 byte return hashed with md5, caller allocated 16 byte buffer
- */
-
-void E_md5hash(const uint8_t salt[16], const uint8_t nthash[16], uint8_t hash_out[16])
-{
- gnutls_hash_hd_t hash_hnd = NULL;
- int rc;
-
- rc = gnutls_hash_init(&hash_hnd, GNUTLS_DIG_MD5);
- if (rc < 0) {
- goto out;
- }
-
- rc = gnutls_hash(hash_hnd, salt, 16);
- if (rc < 0) {
- gnutls_hash_deinit(hash_hnd, NULL);
- goto out;
- }
- rc = gnutls_hash(hash_hnd, nthash, 16);
- if (rc < 0) {
- gnutls_hash_deinit(hash_hnd, NULL);
- goto out;
- }
- gnutls_hash_deinit(hash_hnd, hash_out);
-
-out:
- return;
-}
-
 /**
 * Creates the DES forward-only Hash of the users password in DOS ASCII charset
 * @param passwd password in 'unix' charset.
diff --git a/source3/rpc_server/samr/srv_samr_chgpasswd.c b/source3/rpc_server/samr/srv_samr_chgpasswd.c
index fc509494ebc..8c9cf73bdd8 100644
--- a/source3/rpc_server/samr/srv_samr_chgpasswd.c
+++ b/source3/rpc_server/samr/srv_samr_chgpasswd.c
@@ -901,11 +901,29 @@ static bool password_in_history(uint8_t nt_pw[NT_HASH_LEN],
 return true;
 }
 } else {
+ gnutls_hash_hd_t hash_hnd = NULL;
+ int rc;
+
 /*
 * Old format: md5sum of salted nt hash.
 * Create salted version of new pw to compare.
 */
- E_md5hash(current_salt, nt_pw, new_nt_pw_salted_md5_hash);
+ rc = gnutls_hash_init(&hash_hnd, GNUTLS_DIG_MD5);
+ if (rc < 0) {
+ return false;
+ }
+
+ rc = gnutls_hash(hash_hnd, current_salt, 16);
+ if (rc < 0) {
+ gnutls_hash_deinit(hash_hnd, NULL);
+ return false;
+ }
+ rc = gnutls_hash(hash_hnd, nt_pw, 16);
+ if (rc < 0) {
+ gnutls_hash_deinit(hash_hnd, NULL);
+ return false;
+ }
+ gnutls_hash_deinit(hash_hnd, new_nt_pw_salted_md5_hash);
 if (memcmp(new_nt_pw_salted_md5_hash, old_nt_pw_salted_md5_hash,
diff --git a/source3/winbindd/winbindd_cache.c b/source3/winbindd/winbindd_cache.c
index 394b0c774a9..3e7afdaa546 100644
--- a/source3/winbindd/winbindd_cache.c
+++ b/source3/winbindd/winbindd_cache.c
@@ -37,6 +37,9 @@
 #include "libsmb/samlogon_cache.h"
 #include "lib/namemap_cache.h"
+#include "lib/crypto/gnutls_helpers.h"
+#include <gnutls/crypto.h>
+
 #undef DBGC_CLASS
 #define DBGC_CLASS DBGC_WINBIND
@@ -1364,6 +1367,8 @@ NTSTATUS wcache_save_creds(struct winbindd_domain *domain,
 uint32_t rid;
 uint8_t cred_salt[NT_HASH_LEN];
 uint8_t salted_hash[NT_HASH_LEN];
+ gnutls_hash_hd_t hash_hnd = NULL;
+ int rc;
 if (is_null_sid(sid)) {
 return NT_STATUS_INVALID_SID;
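Review bot: In `password_in_history()` (srv_samr_chgpasswd.c) the three new `return false;` paths report a GnuTLS failure the same way as "not found in history", judging by the `return true;` on a match just above, so a host whose GnuTLS refuses MD5 would stop enforcing history against old-format entries without any trace. The function returns only a bool and its callers are outside the hunk, so the smallest improvement is a log line before each return, e.g. `DBG_ERR("MD5 of salted NT hash failed: %s\n", gnutls_strerror(rc));`. The literal `16` passed to both `gnutls_hash()` calls should be the named length the buffers are declared with, `NT_HASH_LEN` for `nt_pw`, and the same literal recurs in the wcache_save_creds() and winbindd_dual_pam_auth_cached() hunks. Since the identical init/hash/hash/deinit sequence is now pasted into three files, a small shared helper that returns the GnuTLS error code would keep the three copies from drifting.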
@@ -1384,7 +1389,23 @@ NTSTATUS wcache_save_creds(struct winbindd_domain *domain,
 /* Create a salt and then salt the hash. */
 generate_random_buffer(cred_salt, NT_HASH_LEN);
- E_md5hash(cred_salt, nt_pass, salted_hash);
+
+ rc = gnutls_hash_init(&hash_hnd, GNUTLS_DIG_MD5);
+ if (rc < 0) {
+ return gnutls_error_to_ntstatus(rc, NT_STATUS_HASH_NOT_SUPPORTED);
+ }
+
+ rc = gnutls_hash(hash_hnd, cred_salt, 16);
+ if (rc < 0) {
+ gnutls_hash_deinit(hash_hnd, NULL);
+ return gnutls_error_to_ntstatus(rc, NT_STATUS_HASH_NOT_SUPPORTED);
+ }
+ rc = gnutls_hash(hash_hnd, nt_pass, 16);
+ if (rc < 0) {
+ gnutls_hash_deinit(hash_hnd, NULL);
+ return gnutls_error_to_ntstatus(rc, NT_STATUS_HASH_NOT_SUPPORTED);
+ }
+ gnutls_hash_deinit(hash_hnd, salted_hash);
 centry_put_hash16(centry, salted_hash);
 centry_put_hash16(centry, cred_salt);
diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
index 28b77fc2e93..771a130bd6e 100644
--- a/source3/winbindd/winbindd_pam.c
+++ b/source3/winbindd/winbindd_pam.c
@@ -48,6 +48,9 @@
 #include "param/param.h"
 #include "messaging/messaging.h"
+#include "lib/crypto/gnutls_helpers.h"
+#include <gnutls/crypto.h>
+
 #undef DBGC_CLASS
 #define DBGC_CLASS DBGC_WINBIND
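Review bot: The three early `return gnutls_error_to_ntstatus(...)` statements in `wcache_save_creds()` leave the function while `centry` is still in use, as the `centry_put_hash16(centry, ...)` calls right after the new code show. If `centry` is allocated earlier in the function (that part is outside this hunk), each of these error paths leaks it; release it first, e.g. `centry_free(centry);` ahead of each return, or send all three failures through one cleanup label. The old `E_md5hash()` could not return early, so this is a path the function did not have before the change.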
@@ -1086,7 +1089,25 @@ static NTSTATUS winbindd_dual_pam_auth_cached(struct winbindd_domain *domain,
 /* In this case we didn't store the nt_hash itself, but the MD5 combination of salt + nt_hash. */
 uchar salted_hash[NT_HASH_LEN];
- E_md5hash(cached_salt, new_nt_pass, salted_hash);
+ gnutls_hash_hd_t hash_hnd = NULL;
+ int rc;
+
+ rc = gnutls_hash_init(&hash_hnd, GNUTLS_DIG_MD5);
+ if (rc < 0) {
+ return gnutls_error_to_ntstatus(rc, NT_STATUS_HASH_NOT_SUPPORTED);
+ }
+
+ rc = gnutls_hash(hash_hnd, cached_salt, 16);
+ if (rc < 0) {
+ gnutls_hash_deinit(hash_hnd, NULL);
+ return gnutls_error_to_ntstatus(rc, NT_STATUS_HASH_NOT_SUPPORTED);
+ }
+ rc = gnutls_hash(hash_hnd, new_nt_pass, 16);
+ if (rc < 0) {
+ gnutls_hash_deinit(hash_hnd, NULL);
+ return gnutls_error_to_ntstatus(rc, NT_STATUS_HASH_NOT_SUPPORTED);
+ }
+ gnutls_hash_deinit(hash_hnd, salted_hash);
 password_good = (memcmp(cached_nt_pass, salted_hash, NT_HASH_LEN) == 0);
diff --git a/source4/lib/tls/tlscert.c b/source4/lib/tls/tlscert.c
index f5e9a1f2d39..9379ab094d1 100644
--- a/source4/lib/tls/tlscert.c
+++ b/source4/lib/tls/tlscert.c
@@ -39,8 +39,8 @@ void tls_cert_generate(TALLOC_CTX *mem_ctx, const char *keyfile, const char *certfile, const char *cafile)
 {
- gnutls_x509_crt cacrt, crt;
- gnutls_x509_privkey key, cakey;
+ gnutls_x509_crt_t cacrt, crt;
+ gnutls_x509_privkey_t key, cakey;
 uint32_t serial = (uint32_t)time(NULL);
 unsigned char keyid[100];
 char buf[4096];
diff --git a/source4/utils/oLschema2ldif/wscript_build b/source4/utils/oLschema2ldif/wscript_build
index 527c99dc2f2..e8ee31a7f8f 100644
--- a/source4/utils/oLschema2ldif/wscript_build
+++ b/source4/utils/oLschema2ldif/wscript_build
@@ -15,5 +15,6 @@ bld.SAMBA_BINARY('test_oLschema2ldif',
 source='test.c',
 deps='cmocka oLschema2ldif-lib',
 local_include=False,
+ enabled=bld.CONFIG_SET('HAVE_FMEMOPEN'),
 install=False,
 )
-- Samba Shared Repository
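Review bot: The new failure paths in `winbindd_dual_pam_auth_cached()` return `NT_STATUS_HASH_NOT_SUPPORTED` without logging anything, so when cached (offline) logons start failing nothing in the winbindd log points at the MD5 step. A line such as `DBG_ERR("gnutls MD5 of salt+nt_hash failed: %s\n", gnutls_strerror(rc));` before each return would make this diagnosable, and the same applies to the `wcache_save_creds()` hunk. Only part of the function is visible here, so it is worth confirming that nothing acquired earlier needs releasing on these new returns.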