The branch, master has been updated
       via  2321b11f1fc s4/param: py_sid shouldn't be decref'ed after insertion into dict
       via  9e84f1e5767 s4/param: treat NULL value passed to dict_insert as error
       via  32d56271eb7 s4/param: don't decref object we don't own
       via  e10910f8de5 bootstrap: Bring back a Ubuntu 16.04 build but just for the samba-fuzz task
       via  ee5c07cb0f1 build: Allow a fuzzing build with Python 3.5
       via  5406205382f python/samba/gp_parse: Fix test errors with python3.8
       via  ff70d7cc3ae tests: Add test for weak crypto
       via  0b84bc03e81 waf: Check if GnuTLS has support for crypto policies
       via  32f83be8f63 auth:ntlmssp: Mark as weak_crypto
       via  6ada071d620 gensec: Add a check if a gensec module implements weak crypto
       via  7d09c1cc877 lib:param: Add lp(cfg)_weak_crypto()
       via  3d1ecef173a s3:utils: Add weak crypto information to testparm
       via  cb034a9f601 lib:crypto: Add samba_gnutls_weak_crypto()
      from  81c1a14e327 smbd: let delayed update handler also update on-disk timestamps

https://git.samba.org/?p=samba.git;a=shortlog;h=master

- Log -----------------------------------------------------------------
commit 2321b11f1fcde41d58d3381437118b8b726ab6d5
Author: Noel Power <noel.po...@suse.com>
Date:   Mon Mar 16 16:00:24 2020 +0000

    s4/param: py_sid shouldn't be decref'ed after insertion into dict

    This was causing samba.tests.net_join_no_spnego(ad_dc) to core dump
    sometimes on tumbleweed with python3.8 with...

    ===============================================================
    INTERNAL ERROR: Signal 11 in pid 1781 (4.12.0)
    If you are running a recent Samba version, and if you think this problem is not yet fixed in the latest versions, please consider reporting this bug, see https://wiki.samba.org/index.php/Bug_Reporting
    ===============================================================
    smb_panic_default: PANIC (pid 1781): internal error
    BACKTRACE: 64 stack frames:
    7128 #0 bin/shared/libsamba-util.so.0(log_stack_trace+0x1f) [0x7fa541c5b220]
    7129 #1 bin/shared/libsamba-util.so.0(+0x1efc8) [0x7fa541c5afc8]
    7130 #2 bin/shared/libsamba-util.so.0(log_stack_trace+0) [0x7fa541c5b201]
    7131 #3 bin/shared/libsamba-util.so.0(+0x1eed9) [0x7fa541c5aed9]
    7132 #4 bin/shared/libsamba-util.so.0(+0x1eeee) [0x7fa541c5aeee]
    7133 #5 /lib64/libc.so.6(+0x3bf20) [0x7fa542631f20]
    7134 #6 /usr/lib64/libpython3.8.so.1.0(PyObject_GC_UnTrack+0xd) [0x7fa542386c1d]
    7135 #7 /usr/lib64/libpython3.8.so.1.0(+0x12d599) [0x7fa542387599]
    7136 #8 /usr/lib64/libpython3.8.so.1.0(_PyEval_EvalFrameDefault+0x4d6d) [0x7fa5424269ed]
    7137 #9 /usr/lib64/libpython3.8.so.1.0(_PyEval_EvalCodeWithName+0x30c) [0x7fa5423eaf5c]
    7138 #10 /usr/lib64/libpython3.8.so.1.0(_PyFunction_Vectorcall+0x18e) [0x7fa5423ebcbe]
    7139 #11 /usr/lib64/libpython3.8.so.1.0(_PyEval_EvalFrameDefault+0x4a3a) [0x7fa5424266ba]
    etc....

    Signed-off-by: Noel Power <noel.po...@suse.com>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

    Autobuild-User(master): Andrew Bartlett <abart...@samba.org>
    Autobuild-Date(master): Thu Mar 19 22:23:52 UTC 2020 on sn-devel-184

commit 9e84f1e5767c23c0e75a0954ac9c3668d18baa30
Author: Noel Power <noel.po...@suse.com>
Date:   Mon Mar 16 15:54:00 2020 +0000

    s4/param: treat NULL value passed to dict_insert as error

    insert_dict is used as a convenience to decrement the values to
    prevent leaks with orphaned PyObjects and avoid excessive creation of
    temp variables.

    if (!dict_insert(parameters,
                     "rootdn",
                     PyUnicode_FromString(settings->root_dn_str))) {
        status = NT_STATUS_UNSUCCESSFUL;
        goto out;
    }

    Signed-off-by: Noel Power <noel.po...@suse.com>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 32d56271eb7ebf694c08c226c80fdf97a885fe46
Author: Noel Power <noel.po...@suse.com>
Date:   Mon Mar 16 15:27:15 2020 +0000

    s4/param: don't decref object we don't own

    provision_fn is a borrowed reference we should not call Py_CLEAR on it

    Signed-off-by: Noel Power <noel.po...@suse.com>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit e10910f8de542b0be9b89942791bd37288b7a32a
Author: Andrew Bartlett <abart...@samba.org>
Date:   Tue Mar 17 16:49:02 2020 +1300

    bootstrap: Bring back a Ubuntu 16.04 build but just for the samba-fuzz task

    This is needed to restore oss-fuzz support, as this uses the Ubuntu 16.04
    package list because all the docker images provided start with a Ubuntu 16.04
    base.

    REF: https://github.com/google/oss-fuzz/issues/3505
    REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=21189

    Signed-off-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Gary Lockyer <g...@catalyst.net.nz>

commit ee5c07cb0f1c85a56a3f330a692b1b04553213cc
Author: Andrew Bartlett <abart...@samba.org>
Date:   Tue Mar 17 17:07:02 2020 +1300

    build: Allow a fuzzing build with Python 3.5

    The Python 3.6 changes are only in actual .py files, not in the build
    system nor the C side of things, so relax this so we can still build
    on oss-fuzz which is based on Ubuntu 16.04 for now.

    REF: https://github.com/google/oss-fuzz/issues/3505
    REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=21189

    Signed-off-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Gary Lockyer <g...@catalyst.net.nz>

commit 5406205382fa8177ea0993a5b0996dc5e7cb5abe
Author: Noel Power <noel.po...@suse.com>
Date:   Fri Mar 13 17:32:20 2020 +0000

    python/samba/gp_parse: Fix test errors with python3.8

    UNEXPECTED(failure): samba.tests.samba_tool.gpo.samba.tests.samba_tool.gpo.GpoCmdTestCase.test_backup_restore_generalize(ad_dc:local)
    REASON: Exception: Exception: Traceback (most recent call last):
      File "/tmp/samba-testbase/b28/samba-ad-dc-1/bin/python/samba/tests/samba_tool/gpo.py", line 434, in test_backup_restore_generalize
        self.assertIsNone(has_difference(os.path.join(new_path, 'policy',

    This is caused because prior to 3.8 minidom.toprettyxml() was sorting
    the attribute order, now it preserves the attribute order specified
    by the user

    Signed-off-by: Noel Power <noel.po...@suse.com>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit ff70d7cc3ae60a0e6868f95357ee486ed7491e9a
Author: Andreas Schneider <a...@samba.org>
Date:   Wed Mar 11 18:35:57 2020 +0100

    tests: Add test for weak crypto

    Signed-off-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 0b84bc03e819938422e66fb278eb2e4d15efa8d2
Author: Andreas Schneider <a...@samba.org>
Date:   Thu Mar 12 07:13:00 2020 +0100

    waf: Check if GnuTLS has support for crypto policies

    Signed-off-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 32f83be8f63c8df34e0d82c4575babaa132765dc
Author: Andreas Schneider <a...@samba.org>
Date:   Mon Nov 11 16:39:24 2019 +0100

    auth:ntlmssp: Mark as weak_crypto

    Signed-off-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 6ada071d6208addcff21bbbba4f757ac2e63e66f
Author: Andreas Schneider <a...@samba.org>
Date:   Wed Dec 11 17:45:39 2019 +0100

    gensec: Add a check if a gensec module implements weak crypto

    Signed-off-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 7d09c1cc8771d0822480f90b77b9f883d67b5658
Author: Andreas Schneider <a...@samba.org>
Date:   Mon Nov 4 17:15:14 2019 +0100

    lib:param: Add lp(cfg)_weak_crypto()

    Signed-off-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 3d1ecef173a372474c86d3fe8cd42c2f2e69185d
Author: Andreas Schneider <a...@samba.org>
Date:   Mon Nov 4 17:26:48 2019 +0100

    s3:utils: Add weak crypto information to testparm

    Signed-off-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit cb034a9f60189806d5def2502ed39b06f002ed4a
Author: Andreas Schneider <a...@samba.org>
Date:   Mon Nov 4 17:01:50 2019 +0100

    lib:crypto: Add samba_gnutls_weak_crypto()

    Signed-off-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

-----------------------------------------------------------------------

Summary of changes:
 .gitlab-ci.yml | 3 +-
 auth/gensec/gensec_internal.h | 1 +
 auth/gensec/gensec_start.c | 13 +++++-
 auth/ntlmssp/ntlmssp.c | 2 +
 bootstrap/.gitlab-ci.yml | 11 ++++-
 bootstrap/config.py | 11 +++++
 bootstrap/generated-dists/Vagrantfile | 7 +++
 .../{debian10 => ubuntu1604}/Dockerfile | 2 +-
 .../{ubuntu1804 => ubuntu1604}/bootstrap.sh | 4 +-
 .../{centos7 => ubuntu1604}/locale.sh | 0
 .../{ubuntu1804 => ubuntu1604}/packages.yml | 4 +-
 bootstrap/sha1sum.txt | 2 +-
 buildtools/wafsamba/samba_python.py | 3 ++
 lib/crypto/gnutls_helpers.h | 7 +++
 .../gnutls_weak_crypto.c} | 50 ++++++++++------------
 lib/crypto/wscript_build | 1 +
 lib/param/loadparm.c | 15 +++++++
 lib/param/loadparm.h | 10 ++++-
 lib/param/wscript_build | 2 +-
 python/samba/gp_parse/gp_pol.py | 2 +-
 source3/include/proto.h | 1 +
 source3/param/loadparm.c | 14 ++++++
 source3/utils/testparm.c | 9 ++++
 source3/utils/wscript_build | 1 +
 source4/param/provision.c | 14 +++---
 source4/selftest/tests.py | 5 +++
 testprogs/blackbox/test_weak_crypto.sh | 41 ++++++++++++++++++
 wscript_configure_system_gnutls | 4 ++
 28 files changed, 188 insertions(+), 51 deletions(-)
 copy bootstrap/generated-dists/{debian10 => ubuntu1604}/Dockerfile (91%)
 copy bootstrap/generated-dists/{ubuntu1804 => ubuntu1604}/bootstrap.sh (95%)
 copy bootstrap/generated-dists/{centos7 => ubuntu1604}/locale.sh (100%)
 copy bootstrap/generated-dists/{ubuntu1804 => ubuntu1604}/packages.yml (94%)
 copy lib/{util/talloc_keep_secret.c => crypto/gnutls_weak_crypto.c} (56%)
 create mode 100755 testprogs/blackbox/test_weak_crypto.sh

Changeset truncated at 500 lines:

diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 6114ccced99..05f410bde3d 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml 
@@ -22,7 +22,7 @@ variables: # Set this to the contents of bootstrap/sha1sum.txt # which is generated by bootstrap/template.py --render # - SAMBA_CI_CONTAINER_TAG: 2b0275df23424240774afcd61fae8abed8663996 + SAMBA_CI_CONTAINER_TAG: 6bb2eeaf8203467d9a93a722071b0f081027410e # # We use the ubuntu1804 image as default as # it matches what we have on sn-devel-184. @@ -154,6 +154,7 @@ samba-static: samba-fuzz: extends: .shared_template + image: ${SAMBA_CI_CONTAINER_REGISTRY}/samba-ci-ubuntu1604:${SAMBA_CI_CONTAINER_TAG} ctdb: extends: .shared_template diff --git a/auth/gensec/gensec_internal.h b/auth/gensec/gensec_internal.h index 911b48b52d6..8efb1bdff0f 100644 --- a/auth/gensec/gensec_internal.h +++ b/auth/gensec/gensec_internal.h @@ -28,6 +28,7 @@ struct gensec_security; struct gensec_security_ops { const char *name; const char *sasl_name; + bool weak_crypto; uint8_t auth_type; /* 0 if not offered on DCE-RPC */ const char **oid; /* NULL if not offered by SPNEGO */ NTSTATUS (*client_start)(struct gensec_security *gensec_security); diff --git a/auth/gensec/gensec_start.c b/auth/gensec/gensec_start.c index 50f4de73110..d2d62d6652e 100644 --- a/auth/gensec/gensec_start.c +++ b/auth/gensec/gensec_start.c @@ -32,6 +32,7 @@ #include "lib/util/tsort.h" #include "lib/util/samba_modules.h" #include "lib/util/base64.h" +#include "lib/crypto/gnutls_helpers.h" #undef DBGC_CLASS #define DBGC_CLASS DBGC_AUTH @@ -49,7 +50,17 @@ _PUBLIC_ const struct gensec_security_ops * const *gensec_security_all(void) bool gensec_security_ops_enabled(const struct gensec_security_ops *ops, struct gensec_security *security) { - return lpcfg_parm_bool(security->settings->lp_ctx, NULL, "gensec", ops->name, ops->enabled); + bool ok = lpcfg_parm_bool(security->settings->lp_ctx, + NULL, + "gensec", + ops->name, + ops->enabled); + + if (!samba_gnutls_weak_crypto_allowed() && ops->weak_crypto) { + ok = false; + } + + return ok; } /* Sometimes we want to force only kerberos, sometimes we want to 
diff --git a/auth/ntlmssp/ntlmssp.c b/auth/ntlmssp/ntlmssp.c index 37434fbb0c2..745f2628d21 100644 --- a/auth/ntlmssp/ntlmssp.c +++ b/auth/ntlmssp/ntlmssp.c @@ -305,6 +305,7 @@ static const struct gensec_security_ops gensec_ntlmssp_security_ops = { .name = "ntlmssp", .sasl_name = GENSEC_SASL_NAME_NTLMSSP, /* "NTLM" */ .auth_type = DCERPC_AUTH_TYPE_NTLMSSP, + .weak_crypto = true, .oid = gensec_ntlmssp_oids, .client_start = gensec_ntlmssp_client_start, .server_start = gensec_ntlmssp_server_start, @@ -329,6 +330,7 @@ static const struct gensec_security_ops gensec_ntlmssp_security_ops = { static const struct gensec_security_ops gensec_ntlmssp_resume_ccache_ops = { .name = "ntlmssp_resume_ccache", + .weak_crypto = true, .client_start = gensec_ntlmssp_resume_ccache_start, .update_send = gensec_ntlmssp_update_send, .update_recv = gensec_ntlmssp_update_recv, diff --git a/bootstrap/.gitlab-ci.yml b/bootstrap/.gitlab-ci.yml index 4e52da09dcc..ecd9f4d4223 100644 --- a/bootstrap/.gitlab-ci.yml +++ b/bootstrap/.gitlab-ci.yml @@ -9,6 +9,7 @@ services: - gce variables: SAMBA_CI_IS_BROKEN_IMAGE: "no" + SAMBA_CI_TEST_JOB: "samba-o3" before_script: # Ensure we are generating correct the container - uname -a 
@@ -40,9 +41,9 @@ services: docker run --volume $(pwd):${samba_repo_root} --workdir ${samba_repo_root} ${ci_image_name} \ bootstrap/template.py --sha1sum > /tmp/sha1sum-template.txt diff -u bootstrap/sha1sum.txt /tmp/sha1sum-template.txt - # run smoke test with samba-o3 + # run smoke test with samba-o3 or samba-fuzz docker run --volume $(pwd):${samba_repo_root} --workdir ${samba_repo_root} ${ci_image_name} \ - /bin/bash -c "sudo chown -R samba:samba ./** && export PKG_CONFIG_PATH=/usr/lib64/compat-gnutls34/pkgconfig:/usr/lib64/compat-nettle32/pkgconfig && script/autobuild.py samba-o3 --verbose --nocleanup --keeplogs --tail --testbase /tmp/samba-testbase" + /bin/bash -c "sudo chown -R samba:samba ./** && export PKG_CONFIG_PATH=/usr/lib64/compat-gnutls34/pkgconfig:/usr/lib64/compat-nettle32/pkgconfig && script/autobuild.py ${SAMBA_CI_TEST_JOB} --verbose --nocleanup --keeplogs --tail --testbase /tmp/samba-testbase" docker tag ${ci_image_name} ${ci_image_path}:${SAMBA_CI_CONTAINER_TAG} docker tag ${ci_image_name} ${ci_image_path}:${timestamp_tag} # We build all images, but only upload is it's not marked as broken @@ -83,6 +84,12 @@ services: # - $SAMBA_CI_REBUILD_BROKEN_IMAGES == "yes" +# This is ONLY for oss-fuzz, so we test a fuzz build not a real one +ubuntu1604: + extends: .build_image_template + variables: + SAMBA_CI_TEST_JOB: "samba-fuzz" + ubuntu1804: extends: .build_image_template diff --git a/bootstrap/config.py b/bootstrap/config.py index 19a2cf08b9d..ff9bb150672 100644 --- a/bootstrap/config.py +++ b/bootstrap/config.py @@ -382,6 +382,17 @@ DEB_DISTS = { 'liburing-dev': '', # not available } }, + 'ubuntu1604': { + 'docker_image': 'ubuntu:16.04', + 'vagrant_box': 'ubuntu/xenial64', + 'replace': { + 'python-gpg': 'python-gpgme', + 'python3-gpg': 'python3-gpgme', + 'glusterfs-common': '', + 'libcephfs-dev': '', + 'liburing-dev': '', # not available + } + }, 'ubuntu1804': { 'docker_image': 'ubuntu:18.04', 'vagrant_box': 'ubuntu/bionic64', 
diff --git a/bootstrap/generated-dists/Vagrantfile b/bootstrap/generated-dists/Vagrantfile index 091c65488cb..47c58d5a87b 100644 --- a/bootstrap/generated-dists/Vagrantfile +++ b/bootstrap/generated-dists/Vagrantfile @@ -66,6 +66,13 @@ Vagrant.configure("2") do |config| v.vm.provision :shell, path: "opensuse151/locale.sh" end + config.vm.define "ubuntu1604" do |v| + v.vm.box = "ubuntu/xenial64" + v.vm.hostname = "ubuntu1604" + v.vm.provision :shell, path: "ubuntu1604/bootstrap.sh" + v.vm.provision :shell, path: "ubuntu1604/locale.sh" + end + config.vm.define "ubuntu1804" do |v| v.vm.box = "ubuntu/bionic64" v.vm.hostname = "ubuntu1804" diff --git a/bootstrap/generated-dists/debian10/Dockerfile b/bootstrap/generated-dists/ubuntu1604/Dockerfile similarity index 91% copy from bootstrap/generated-dists/debian10/Dockerfile copy to bootstrap/generated-dists/ubuntu1604/Dockerfile index a7141db7e17..93001fcdcca 100644 --- a/bootstrap/generated-dists/debian10/Dockerfile +++ b/bootstrap/generated-dists/ubuntu1604/Dockerfile @@ -3,7 +3,7 @@ # See also bootstrap/config.py # -FROM debian:10 +FROM ubuntu:16.04 # pass in with --build-arg while build ARG SHA1SUM diff --git a/bootstrap/generated-dists/ubuntu1804/bootstrap.sh b/bootstrap/generated-dists/ubuntu1604/bootstrap.sh similarity index 95% copy from bootstrap/generated-dists/ubuntu1804/bootstrap.sh copy to bootstrap/generated-dists/ubuntu1604/bootstrap.sh index 97d32815d72..a8f47762ded 100755 --- a/bootstrap/generated-dists/ubuntu1804/bootstrap.sh +++ b/bootstrap/generated-dists/ubuntu1604/bootstrap.sh @@ -29,7 +29,6 @@ apt-get -y install \ gcc \ gdb \ git \ - glusterfs-common \ gzip \ heimdal-multidev \ hostname \ @@ -46,7 +45,6 @@ apt-get -y install \ libblkid-dev \ libbsd-dev \ libcap-dev \ - libcephfs-dev \ libcups2-dev \ libdbus-1-dev \ libglib2.0-dev \ 
@@ -85,7 +83,7 @@ apt-get -y install \ python3-dbg \ python3-dev \ python3-dnspython \ - python3-gpg \ + python3-gpgme \ python3-iso8601 \ python3-markdown \ python3-matplotlib \ diff --git a/bootstrap/generated-dists/centos7/locale.sh b/bootstrap/generated-dists/ubuntu1604/locale.sh similarity index 100% copy from bootstrap/generated-dists/centos7/locale.sh copy to bootstrap/generated-dists/ubuntu1604/locale.sh diff --git a/bootstrap/generated-dists/ubuntu1804/packages.yml b/bootstrap/generated-dists/ubuntu1604/packages.yml similarity index 94% copy from bootstrap/generated-dists/ubuntu1804/packages.yml copy to bootstrap/generated-dists/ubuntu1604/packages.yml index f45deb2c808..c3cd9af9c3e 100644 --- a/bootstrap/generated-dists/ubuntu1804/packages.yml +++ b/bootstrap/generated-dists/ubuntu1604/packages.yml @@ -18,7 +18,6 @@ packages: - gcc - gdb - git - - glusterfs-common - gzip - heimdal-multidev - hostname @@ -35,7 +34,6 @@ packages: - libblkid-dev - libbsd-dev - libcap-dev - - libcephfs-dev - libcups2-dev - libdbus-1-dev - libglib2.0-dev @@ -74,7 +72,7 @@ packages: - python3-dbg - python3-dev - python3-dnspython - - python3-gpg + - python3-gpgme - python3-iso8601 - python3-markdown - python3-matplotlib diff --git a/bootstrap/sha1sum.txt b/bootstrap/sha1sum.txt index 7344075d11d..1c9d01d5e7d 100644 --- a/bootstrap/sha1sum.txt +++ b/bootstrap/sha1sum.txt @@ -1 +1 @@ -2b0275df23424240774afcd61fae8abed8663996 +6bb2eeaf8203467d9a93a722071b0f081027410e diff --git a/buildtools/wafsamba/samba_python.py b/buildtools/wafsamba/samba_python.py index 994190fdeb2..d71ce47a831 100644 --- a/buildtools/wafsamba/samba_python.py +++ b/buildtools/wafsamba/samba_python.py @@ -10,6 +10,9 @@ def SAMBA_CHECK_PYTHON(conf, version=(3,6,0)): if conf.env.disable_python: version=(2,6,0) + if conf.env.enable_fuzzing: + version=(3,5,0) + # enable tool to build python extensions if conf.env.HAVE_PYTHON_H: conf.check_python_version(version) 
diff --git a/lib/crypto/gnutls_helpers.h b/lib/crypto/gnutls_helpers.h index 49689e4c860..e74dcc833f2 100644 --- a/lib/crypto/gnutls_helpers.h +++ b/lib/crypto/gnutls_helpers.h @@ -108,4 +108,11 @@ int samba_gnutls_arcfour_confounded_md5(const DATA_BLOB *key_input1, DATA_BLOB *data, enum samba_gnutls_direction encrypt); +/** + * @brief Check if weak crypto is allowed. + * + * @return true if weak crypo is allowed, false otherwise. + */ +bool samba_gnutls_weak_crypto_allowed(void); + #endif /* _GNUTLS_HELPERS_H */ diff --git a/lib/util/talloc_keep_secret.c b/lib/crypto/gnutls_weak_crypto.c similarity index 56% copy from lib/util/talloc_keep_secret.c copy to lib/crypto/gnutls_weak_crypto.c index d6aa38265f6..68ce588243f 100644 --- a/lib/util/talloc_keep_secret.c +++ b/lib/crypto/gnutls_weak_crypto.c 
@@ -16,37 +16,33 @@ */ #include "includes.h" -#include "talloc_keep_secret.h" +#include "lib/crypto/gnutls_helpers.h" -static int talloc_keep_secret_destructor(void *ptr) -{ - size_t size = talloc_get_size(ptr); - - if (unlikely(size == 0)) { - return 0; - } - - memset_s(ptr, size, 0, size); +#include <gnutls/crypto.h> +#include <gnutls/gnutls.h> - return 0; -} - -void _talloc_keep_secret(void *ptr, const char *name) +bool samba_gnutls_weak_crypto_allowed(void) { - size_t size; - - if (unlikely(ptr == NULL)) { -#ifdef DEVELOPER - smb_panic("Invalid talloc pointer"); -#endif - return; + gnutls_cipher_hd_t cipher_hnd = NULL; + gnutls_datum_t key = { + .data = discard_const_p(unsigned char, "SystemLibraryDTC"), + .size = 16, + }; + int rc; + + /* + * If RC4 is not allowed to be initialzed then weak crypto is not + * allowed. + */ + rc = gnutls_cipher_init(&cipher_hnd, + GNUTLS_CIPHER_ARCFOUR_128, + &key, + NULL); + if (rc == GNUTLS_E_UNWANTED_ALGORITHM) { + return false; } - size = talloc_get_size(ptr); - if (unlikely(size == 0)) { - return; - } + gnutls_cipher_deinit(cipher_hnd); - talloc_set_name_const(ptr, name); - talloc_set_destructor(ptr, talloc_keep_secret_destructor); + return true; } diff --git a/lib/crypto/wscript_build b/lib/crypto/wscript_build index eb67af63f26..e5766042541 100644 --- a/lib/crypto/wscript_build +++ b/lib/crypto/wscript_build @@ -10,6 +10,7 @@ bld.SAMBA_SUBSYSTEM('GNUTLS_HELPERS', source=''' gnutls_error.c gnutls_arcfour_confounded_md5.c + gnutls_weak_crypto.c ''', deps='gnutls samba-errors'); diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c index 611c1b240af..4bee921e3c7 100644 --- a/lib/param/loadparm.c +++ b/lib/param/loadparm.c @@ -72,6 +72,7 @@ #include "libds/common/roles.h" #include "lib/util/samba_util.h" #include "libcli/auth/ntlm_check.h" +#include "lib/crypto/gnutls_helpers.h" #ifdef HAVE_HTTPCONNECTENCRYPT #include <cups/http.h> 
@@ -96,6 +97,19 @@ int lpcfg_rpc_high_port(struct loadparm_context *lp_ctx) return lp_ctx->globals->rpc_high_port; } +enum samba_weak_crypto lpcfg_weak_crypto(struct loadparm_context *lp_ctx) +{ + if (lp_ctx->globals->weak_crypto == SAMBA_WEAK_CRYPTO_UNKNOWN) { + lp_ctx->globals->weak_crypto = SAMBA_WEAK_CRYPTO_DISALLOWED; + + if (samba_gnutls_weak_crypto_allowed()) { + lp_ctx->globals->weak_crypto = SAMBA_WEAK_CRYPTO_ALLOWED; + } + } + + return lp_ctx->globals->weak_crypto; +} + /** * Convenience routine to grab string parameters into temporary memory * and run standard_sub_basic on them. @@ -2607,6 +2621,7 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx) lp_ctx->globals->ctx = lp_ctx->globals; lp_ctx->globals->rpc_low_port = SERVER_TCP_LOW_PORT; lp_ctx->globals->rpc_high_port = SERVER_TCP_HIGH_PORT; + lp_ctx->globals->weak_crypto = SAMBA_WEAK_CRYPTO_UNKNOWN; lp_ctx->sDefault = talloc_zero(lp_ctx, struct loadparm_service); lp_ctx->flags = talloc_zero_array(lp_ctx, unsigned int, num_parameters()); diff --git a/lib/param/loadparm.h b/lib/param/loadparm.h index 65ff62cc3b9..323fcf84523 100644 --- a/lib/param/loadparm.h +++ b/lib/param/loadparm.h @@ -255,6 +255,13 @@ enum spotlight_backend_options { SPOTLIGHT_BACKEND_ES, }; +/* FIPS values */ +enum samba_weak_crypto { + SAMBA_WEAK_CRYPTO_UNKNOWN, + SAMBA_WEAK_CRYPTO_ALLOWED, + SAMBA_WEAK_CRYPTO_DISALLOWED, +}; + /* * Default passwd chat script. */ @@ -292,7 +299,8 @@ enum spotlight_backend_options { struct parmlist_entry *param_opt; \ char *dnsdomain; \ int rpc_low_port; \ - int rpc_high_port; + int rpc_high_port; \ + enum samba_weak_crypto weak_crypto; const char* server_role_str(uint32_t role); int lp_find_server_role(int server_role, int security, int domain_logons, int domain_master); diff --git a/lib/param/wscript_build b/lib/param/wscript_build index 20c8bcab22a..864975a5884 100644 --- a/lib/param/wscript_build +++ b/lib/param/wscript_build 
@@ -40,7 +40,7 @@ bld.SAMBA_LIBRARY('samba-hostconfig', pc_files='samba-hostconfig.pc', vnum='0.0.1', deps='DYNCONFIG server-role tdb', - public_deps='samba-util param_local.h', + public_deps='GNUTLS_HELPERS samba-util param_local.h', public_headers='param.h', autoproto='param_proto.h' ) diff --git a/python/samba/gp_parse/gp_pol.py b/python/samba/gp_parse/gp_pol.py index 67ecd584dc0..8a3d5f58ec1 100644 --- a/python/samba/gp_parse/gp_pol.py +++ b/python/samba/gp_parse/gp_pol.py @@ -101,9 +101,9 @@ class GPPolParser(GPParser): def write_xml(self, filename): with open(filename, 'wb') as f: root = Element('PolFile') + root.attrib['num_entries'] = str(self.pol_file.num_entries) root.attrib['signature'] = self.pol_file.header.signature root.attrib['version'] = str(self.pol_file.header.version) - root.attrib['num_entries'] = str(self.pol_file.num_entries) for entry in self.pol_file.entries: child = SubElement(root, 'Entry') # child.attrib['size'] = str(entry.size) diff --git a/source3/include/proto.h b/source3/include/proto.h index 6ac70a22beb..6ac0c3d1935 100644 --- a/source3/include/proto.h +++ b/source3/include/proto.h @@ -765,6 +765,7 @@ bool lp_widelinks(int ); int lp_rpc_low_port(void); int lp_rpc_high_port(void); bool lp_lanman_auth(void); +enum samba_weak_crypto lp_weak_crypto(void); int lp_wi_scan_global_parametrics( const char *regex, size_t max_matches, diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c index ce41477097a..5a2c9983b47 100644 --- a/source3/param/loadparm.c +++ b/source3/param/loadparm.c @@ -73,6 +73,7 @@ #include "librpc/gen_ndr/nbt.h" #include "source4/lib/tls/tls.h" #include "libcli/auth/ntlm_check.h" +#include "lib/crypto/gnutls_helpers.h" #ifdef HAVE_SYS_SYSCTL_H #include <sys/sysctl.h> 
@@ -4736,3 +4737,16 @@ unsigned int * get_flags(void) return flags_list; } + +enum samba_weak_crypto lp_weak_crypto() +{ + if (Globals.weak_crypto == SAMBA_WEAK_CRYPTO_UNKNOWN) { + Globals.weak_crypto = SAMBA_WEAK_CRYPTO_DISALLOWED; + + if (samba_gnutls_weak_crypto_allowed()) { + Globals.weak_crypto = SAMBA_WEAK_CRYPTO_ALLOWED; + } + } + + return Globals.weak_crypto; +} diff --git a/source3/utils/testparm.c b/source3/utils/testparm.c -- Samba Shared Repository
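
Review bot: in auth/gensec/gensec_start.c, gensec_security_ops_enabled() calls samba_gnutls_weak_crypto_allowed() on every invocation, so the RC4 gnutls_cipher_init() probe is repeated each time a mechanism is checked. The same series adds lpcfg_weak_crypto(), which caches the answer in lp_ctx->globals->weak_crypto, and security->settings->lp_ctx is already used two lines earlier; comparing lpcfg_weak_crypto(security->settings->lp_ctx) with SAMBA_WEAK_CRYPTO_DISALLOWED would avoid the repeated probe. A debug message at the point where ok is forced to false would also tell an administrator why a mechanism marked weak_crypto, such as ntlmssp, is no longer offered.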
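
Review bot: in buildtools/wafsamba/samba_python.py, the new "if conf.env.enable_fuzzing:" block runs after the "if conf.env.disable_python:" block and unconditionally overwrites version, so a build with both options set ends up requiring (3,5,0) instead of (2,6,0). If that is not intended, make the fuzzing check an elif or move it above the disable_python check, and add a one-line comment saying the 3.5 floor exists only for the oss-fuzz Ubuntu 16.04 image.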
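
Review bot: in lib/crypto/gnutls_weak_crypto.c, samba_gnutls_weak_crypto_allowed() treats every return value of gnutls_cipher_init() other than GNUTLS_E_UNWANTED_ALGORITHM as success. On any other failure the code falls through to gnutls_cipher_deinit(cipher_hnd) with cipher_hnd still NULL and then returns true, reporting weak crypto as allowed although the probe never succeeded. Test rc for success explicitly, return false on any error, and call gnutls_cipher_deinit() only when the init worked. Two typos while here: "initialzed" in the comment above the call, and "crypo" in the doc comment added to lib/crypto/gnutls_helpers.h.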
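
Review bot: in lib/param/loadparm.h, the comment "/* FIPS values */" above enum samba_weak_crypto does not explain the three states. Please document that SAMBA_WEAK_CRYPTO_UNKNOWN means "not probed yet" and is resolved lazily by lpcfg_weak_crypto() and lp_weak_crypto(), since loadparm_init() sets it as the initial value and callers should never see it returned.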
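
Review bot: in python/samba/gp_parse/gp_pol.py, write_xml() now depends on the insertion order of root.attrib (num_entries, signature, version) to reproduce the alphabetical order that older Python produced, but nothing in the code says so. Add a short comment above the three assignments stating that the order is deliberate and must stay sorted, otherwise a later cleanup can reintroduce the test_backup_restore_generalize failure quoted in the commit message.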
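
Review bot: in source3/param/loadparm.c, the new function is defined as "enum samba_weak_crypto lp_weak_crypto()" with an empty parameter list, while the prototype added to source3/include/proto.h is lp_weak_crypto(void). Use (void) in the definition as well so the two agree. The body also duplicates lpcfg_weak_crypto() from lib/param/loadparm.c line for line; a shared helper taking a pointer to the weak_crypto field would keep the two copies from drifting.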