The branch, v4-17-stable has been updated
       via  ed12d43518f VERSION: Disable GIT_SNAPSHOT for the 4.17.1 release.
       via  cda9e1cc60f WHATSNEW: Add release notes for Samba 4.17.1.
       via  142a771d854 s3: libsmbclient: Fix smbc_stat() to return ENOENT on a 
non-existent file.
       via  09ec2b13e7c s4: torture: libsmbclient: Add a torture test to ensure 
smbc_stat() returns ENOENT on a non-existent file.
       via  7540755de6a s4:messaging: let imessaging_client_init() use 
imessaging_init_discard_incoming()
       via  28c65ce3e92 s3:auth_samba4: make use of 
imessaging_init_discard_incoming()
       via  68a0ef3b521 s4:messaging: add imessaging_init_discard_incoming()
       via  93d6f403e38 s3/utils: check result of talloc_strdup
       via  d5e39d1ba70 s3/utils: Check return of talloc_strdup
       via  fac483e3dad s3/param: Check return of talloc_strdup
       via  ee2858ab4ff s4/lib/registry: Fix use after free with popt 1.19
       via  21890fcb526 s3/utils: Fix use after free with popt 1.19
       via  3a9733ce71f s3/utils: Fix use after free with popt 1.19
       via  1e8652100da s3/utils: Add missing poptFreeContext
       via  4c03cfd6b67 s3/param: Fix use after free with popt-1.19
       via  e0ae633216d s3/rpcclient: Duplicate string returned from poptGetArg
       via  a1453f16aea vfs_fruit: add missing calls to tevent_req_received()
       via  54d4b0f607e s3: VFS: fruit. Implement fsync_send()/fsync_recv().
       via  4c6b7983ed5 s4: smbtorture: Add fsync_resource_fork test to fruit 
tests.
       via  6d05908e3ca smbXsrv_client: handle NAME_NOT_FOUND from 
smb2srv_client_connection_{pass,drop}()
       via  4a44febbc46 smbXsrv_client: make sure we only wait for 
smb2srv_client_mc_negprot_filter once and only when needed
       via  fd4c80fcc6f smbXsrv_client: call 
smb2srv_client_connection_{pass,drop}() before dbwrap_watched_watch_send()
       via  abc48aec20a smbXsrv_client: fix a debug message in 
smbXsrv_client_global_verify_record()
       via  41e016e41c5 smbXsrv_client: ignore NAME_NOT_FOUND from 
smb2srv_client_connection_passed
       via  cb27978c461 vfs_glusterfs: Remove special handling of O_CREAT flag
       via  bac9532f0a9 python-drs: Add client-side debug and fallback for 
GET_ANC
       via  79283760616 s4-libnet: Add messages to object count mismatch 
failures
       via  eb939d4b805 selftest: Enable "old Samba" mode regarding 
GET_ANC/GET_TGT
       via  a64c4a7e04d s4-rpc_server:getncchanges Add "old Samba" mode 
regarding GET_ANC/GET_TGT
       via  7bde5d32bf7 selftest: Add tests for GetNCChanges GET_ANC using 
samba-tool drs clone-dc-database
       via  6671f6f50c3 selftest: Prepare for "old Samba" mode regarding 
getncchanges GET_ANC/GET_TGT
       via  4425351fbff pytest/samba_tool_drs_no_dns: use 
TestCaseInTempDir.rm_files/.rm_dirs
       via  e80ec63f746 pytest/samba_tool_drs: use 
TestCaseInTempDir.rm_files/.rm_dirs
       via  6cc1ac327a0 pytest/samdb: use TestCaseInTempDir.rm_files/.rm_dirs
       via  ad768b1ccac pytest/join: use TestCaseInTempDir.rm_files/dirs
       via  79b5156ec81 pytest/samdb_api: use TestCaseInTempDir.rm_files
       via  4486028b86e pytest/downgradedatabase: use TestCaseInTempDir.rm_files
       via  02ededec938 pytest: add file removal helpers for TestCaseInTempDir
       via  df5d4e48307 s3:auth: Flush the GETPWSID in memory cache for NTLM 
auth
       via  7bef45d9304 s3: smbd: Fix memory leak in 
smbd_server_connection_terminate_done().
       via  ecf8a66e0cc vfs_gpfs: Protect against timestamps before the Unix 
epoch
       via  9364c930fb6 lib: Map ERANGE to NT_STATUS_INTEGER_OVERFLOW
       via  1b4f782caf1 vfs_gpfs: Prevent mangling of GPFS timestamps after 2106
       via  bb86d2f3a10 CVE-2021-20251 s3: Ensure bad password count atomic 
updates for SAMR AES password change
       via  9aabf78216f CVE-2021-20251 s3:rpc_server: Split 
change_oem_password() call out of samr_set_password_aes()
       via  619ffc2a2fb CVE-2021-20251 dsdb/common: Remove transaction logic 
from samdb_set_password()
       via  7fe10442b76 CVE-2021-20251 s4-rpc_server: Extend scope of 
transaction for ChangePasswordUser3
       via  7b28bd10803 CVE-2021-20251 s4-rpc_server: Use user privileges for 
SAMR password change
       via  b8c123d02d0 CVE-2021-20251 s4-rpc_server: Use 
authsam_search_account() to find the user
       via  0044f598dd4 s3:rpc_server: Use BURN_STR() to zero password
       via  3d7a2a3603e lib:replace: Add macro BURN_STR() to zero memory of a 
string
       via  beb63ae03b7 libcli:auth: Keep passwords from 
convert_string_talloc() secret
       via  c3d6964fccd lib:util: Check memset_s() error code in 
talloc_keep_secret_destructor()
       via  3e54aabd9e3 CVE-2021-20251 s3: Ensure bad password count atomic 
updates for SAMR password change
       via  5c8bbe3e74c CVE-2021-20251 s3: ensure bad password count atomic 
updates
       via  13efa626188 CVE-2021-20251 s4:auth_winbind: Check return status of 
authsam_logon_success_accounting()
       via  b3f48fae13e CVE-2021-20251 s4-rpc_server: Check badPwdCount update 
return status
       via  5befe31c651 CVE-2021-20251 s4:kdc: Check badPwdCount update return 
status
       via  4adcada4104 CVE-2021-20251 s4:kdc: Check return status of 
authsam_logon_success_accounting()
       via  5f1bafdd3f0 CVE-2021-20251 s4:kdc: Move logon success accounting 
code into existing branch
       via  4d0cba69c8f CVE-2021-20251 s4:dsdb: Make badPwdCount update atomic
       via  254e94892cd CVE-2021-20251 s4:dsdb: Update bad password count 
inside transaction
       via  3a96ccbb841 CVE-2021-20251 s4-auth: Pass through error code from 
badPwdCount update
       via  446cfe34523 CVE-2021-20251 auth4: Avoid reading the database twice 
by precaculating some variables
       via  11673522912 CVE-2021-20251 auth4: Inline 
samdb_result_effective_badPwdCount() in authsam_logon_success_accounting()
       via  ffe43511bb9 CVE-2021-20251 auth4: Split 
authsam_calculate_lastlogon_sync_interval() out
       via  fa22c9bf2be CVE-2021-20251 auth4: Return only the result message 
and free the surrounding result
       via  e0fdfce1327 CVE-2021-20251 auth4: Add missing newline to debug 
message on PSO read failure
       via  d07f34ec394 CVE-2021-20251 s4 auth: make bad password count 
increment atomic
       via  180784c49b3 CVE-2021-20251 auth4: Detect ACCOUNT_LOCKED_OUT error 
for password change
       via  2e4c6196d88 CVE-2021-20251 s4 auth test: Unit tests for 
source4/auth/sam.c
       via  674dbeaca07 CVE-2021-20251 auth4: Reread the user record if a bad 
password is noticed.
       via  d57c4ea9599 CVE-2021-20251 s4 auth: Prepare to make bad password 
count increment atomic
       via  2dc965ad1d8 CVE-2021-20251 auth4: split 
samdb_result_msds_LockoutObservationWindow() out
       via  276d81368ec CVE-2021-20251 s4-rpc_server: Use 
authsam_search_account() to find the user
       via  b82543978d1 CVE-2021-20251 tests/krb5: Add tests for password 
lockout race
       via  0b3604e6e0d CVE-2021-20251 lib:crypto: Add Python functions for AES 
SAMR password change
       via  518818b3c10 CVE-2021-20251 lib:crypto: Add md4_hash_blob() for 
hashing data with MD4
       via  d4ae8610ea3 CVE-2021-20251 lib:crypto: Add des_crypt_blob_16() for 
encrypting data with DES
       via  1263a8a5213 lib:crypto: Use constant time memory comparison to 
check HMAC
       via  af7c57e0376 lib:crypto: Check for overflow before filling pauth_tag 
array
       via  7656b3e7b95 s4:torture: Zero samr_UserInfo union in password set 
test
       via  1b0f292ecd0 lib:crypto: Zero auth_tag array in encryption test
       via  cb7fbb42df6 s3:rpc_server: Fix typo in error message
       via  31bfee4b7a6 VERSION: Bump version up to Samba 4.17.1...
      from  fbec737d9d3 VERSION: Disable GIT_SNAPSHOT for the 4.17.0 release.

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-17-stable


- Log -----------------------------------------------------------------
-----------------------------------------------------------------------

Summary of changes:
 VERSION                                            |    2 +-
 WHATSNEW.txt                                       |   87 +
 lib/crypto/gnutls_aead_aes_256_cbc_hmac_sha512.c   |   14 +-
 lib/crypto/py_crypto.c                             |  321 +++
 .../test_gnutls_aead_aes_256_cbc_hmac_sha512.c     |    2 +-
 lib/crypto/wscript                                 |    2 +-
 lib/replace/replace.h                              |   11 +
 lib/util/talloc_keep_secret.c                      |   15 +-
 libcli/auth/smbencrypt.c                           |    2 +
 python/samba/drs_utils.py                          |   47 +-
 python/samba/join.py                               |   54 +-
 python/samba/tests/__init__.py                     |   35 +
 python/samba/tests/blackbox/downgradedatabase.py   |   14 +-
 python/samba/tests/join.py                         |    6 +-
 python/samba/tests/krb5/lockout_tests.py           | 1088 ++++++++
 python/samba/tests/krb5/raw_testcase.py            |   10 +-
 python/samba/tests/krb5/rfc4120_constants.py       |    1 +
 python/samba/tests/samdb.py                        |    8 +-
 python/samba/tests/samdb_api.py                    |   10 +-
 python/samba/tests/usage.py                        |    1 +
 selftest/knownfail.d/samba-4.5-emulation           |    4 +
 selftest/knownfail_mit_kdc                         |   10 +
 selftest/target/Samba4.pm                          |   12 +
 selftest/tests.py                                  |    2 +
 source3/auth/auth_samba4.c                         |    8 +-
 source3/auth/check_samsec.c                        |   85 +-
 source3/lib/errmap_unix.c                          |    3 +
 source3/libsmb/libsmb_file.c                       |   34 +-
 source3/modules/vfs_fruit.c                        |  114 +-
 source3/modules/vfs_glusterfs.c                    |   78 +-
 source3/modules/vfs_gpfs.c                         |   43 +-
 source3/param/test_lp_load.c                       |    7 +-
 source3/rpc_server/samr/srv_samr_chgpasswd.c       |  119 +-
 source3/rpc_server/samr/srv_samr_nt.c              |  149 +-
 source3/rpc_server/samr/srv_samr_util.h            |    8 +-
 source3/rpcclient/rpcclient.c                      |    2 +-
 source3/smbd/smb2_server.c                         |    1 +
 source3/smbd/smbXsrv_client.c                      |   99 +-
 source3/utils/mdsearch.c                           |    1 +
 source3/utils/pdbedit.c                            |   12 +-
 source3/utils/testparm.c                           |   11 +-
 source4/auth/ntlm/auth_sam.c                       |    6 +-
 source4/auth/ntlm/auth_winbind.c                   |    5 +-
 source4/auth/sam.c                                 |  707 ++++-
 source4/auth/tests/sam.c                           | 2746 ++++++++++++++++++++
 source4/auth/wscript_build                         |   11 +
 source4/dsdb/common/util.c                         |   57 +-
 source4/dsdb/repl/replicated_objects.c             |   11 +
 source4/dsdb/samdb/ldb_modules/password_hash.c     |   62 +-
 source4/kdc/hdb-samba4.c                           |   51 +-
 source4/lib/messaging/messaging.c                  |   74 +-
 source4/lib/messaging/messaging.h                  |    5 +
 source4/lib/messaging/messaging_internal.h         |    9 +
 source4/lib/registry/tools/regpatch.c              |    2 +-
 source4/rpc_server/drsuapi/getncchanges.c          |   52 +-
 source4/rpc_server/samr/dcesrv_samr.c              |    9 +-
 source4/rpc_server/samr/samr_password.c            |  159 +-
 source4/selftest/tests.py                          |   30 +-
 source4/torture/drs/python/samba_tool_drs.py       |   13 +-
 .../torture/drs/python/samba_tool_drs_critical.py  |   98 +
 .../torture/drs/python/samba_tool_drs_no_dns.py    |   14 +-
 source4/torture/libsmbclient/libsmbclient.c        |   63 +
 source4/torture/rpc/samr.c                         |    2 +
 source4/torture/vfs/fruit.c                        |   80 +
 64 files changed, 6348 insertions(+), 450 deletions(-)
 create mode 100755 python/samba/tests/krb5/lockout_tests.py
 create mode 100644 selftest/knownfail.d/samba-4.5-emulation
 create mode 100644 source4/auth/tests/sam.c
 create mode 100644 source4/torture/drs/python/samba_tool_drs_critical.py


Changeset truncated at 500 lines:

diff --git a/VERSION b/VERSION
index 0709d888a3a..ef2a40f07e8 100644
--- a/VERSION
+++ b/VERSION
@@ -25,7 +25,7 @@
 ########################################################
 SAMBA_VERSION_MAJOR=4
 SAMBA_VERSION_MINOR=17
-SAMBA_VERSION_RELEASE=0
+SAMBA_VERSION_RELEASE=1
 
 ########################################################
 # If a official release has a serious bug              #
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index 128bf7230b3..307c166a98e 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -1,3 +1,90 @@
+                   ==============================
+                   Release Notes for Samba 4.17.1
+                          October 19, 2022
+                   ==============================
+
+
+This is the latest stable release of the Samba 4.17 release series.
+
+
+Changes since 4.17.0
+--------------------
+
+o  Jeremy Allison <j...@samba.org>
+   * BUG 14611: CVE-2021-20251 [SECURITY] Bad password count not incremented
+     atomically.
+   * BUG 15174: smbXsrv_connection_shutdown_send result leaked.
+   * BUG 15182: Flush on a named stream never completes.
+   * BUG 15195: Permission denied calling SMBC_getatr when file not exists.
+
+o  Douglas Bagnall <douglas.bagn...@catalyst.net.nz>
+   * BUG 15189: Samba 4.5 sometimes cannot be upgraded to Samba 4.6 or later
+     over DRS: WERROR_DS_DRA_MISSING_PARENT due to faulty GET_ANC.
+   * BUG 15191: pytest: add file removal helpers for TestCaseInTempDir.
+
+o  Andrew Bartlett <abart...@samba.org>
+   * BUG 14611: CVE-2021-20251 [SECURITY] Bad password count not incremented
+     atomically.
+   * BUG 15189: Samba 4.5 sometimes cannot be upgraded to Samba 4.6 or later.
+     over DRS: WERROR_DS_DRA_MISSING_PARENT due to faulty GET_ANC.
+
+o  Ralph Boehme <s...@samba.org>
+   * BUG 15182: Flush on a named stream never completes.
+
+o  Volker Lendecke <v...@samba.org>
+   * BUG 15151: vfs_gpfs silently garbles timestamps > year 2106.
+
+o  Gary Lockyer <g...@catalyst.net.nz>
+   * BUG 14611: CVE-2021-20251 [SECURITY] Bad password count not incremented
+     atomically.
+
+o  Stefan Metzmacher <me...@samba.org>
+   * BUG 15200: multi-channel socket passing may hit a race if one of the
+     involved processes already existed.
+   * BUG 15201: memory leak on temporary of struct imessaging_post_state and
+     struct tevent_immediate on struct imessaging_context (in
+     rpcd_spoolss and maybe others).
+
+o  Noel Power <noel.po...@suse.com>
+   * BUG 15205: Since popt1.19 various use after free errors using result of
+     poptGetArg are now exposed.
+
+o  Anoop C S <anoo...@samba.org>
+   * BUG 15192: Remove special case for O_CREAT in SMB_VFS_OPENAT from
+     vfs_glusterfs.
+
+o  Andreas Schneider <a...@samba.org>
+   * BUG 15169: GETPWSID in memory cache grows indefinetly with each NTLM auth.
+
+o  Joseph Sutton <josephsut...@catalyst.net.nz>
+   * BUG 14611: CVE-2021-20251 [SECURITY] Bad password count not incremented
+     atomically.
+
+
+#######################################
+Reporting bugs & Development Discussion
+#######################################
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical:matrix.org matrix room, or
+#samba-technical IRC channel on irc.libera.chat.
+
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored.  All bug reports should
+be filed under the Samba 4.1 and newer product in the project's Bugzilla
+database (https://bugzilla.samba.org/).
+
+
+======================================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+======================================================================
+
+
+Release notes for older releases follow:
+----------------------------------------
                    ==============================
                    Release Notes for Samba 4.17.0
                          September 13, 2022
diff --git a/lib/crypto/gnutls_aead_aes_256_cbc_hmac_sha512.c 
b/lib/crypto/gnutls_aead_aes_256_cbc_hmac_sha512.c
index a05aa8a323c..e0877a03f52 100644
--- a/lib/crypto/gnutls_aead_aes_256_cbc_hmac_sha512.c
+++ b/lib/crypto/gnutls_aead_aes_256_cbc_hmac_sha512.c
@@ -124,6 +124,14 @@ 
samba_gnutls_aead_aes_256_cbc_hmac_sha512_encrypt(TALLOC_CTX *mem_ctx,
         * TODO: Use gnutls_cipher_encrypt3()
         */
 
+       if (hmac_size > 64) {
+               /*
+                * We don't want to overflow 'pauth_tag', which is 64 bytes in
+                * size.
+                */
+               return NT_STATUS_INVALID_BUFFER_SIZE;
+       }
+
        if (plaintext->length + aes_block_size < plaintext->length) {
                return NT_STATUS_INVALID_BUFFER_SIZE;
        }
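Review bot: The new bound in the encrypt path is the bare literal `64`, which matches the caller's buffer only by convention, because `pauth_tag` arrives as a parameter and cannot be checked with `sizeof` here. The same number appears again as `uint8_t auth_data[64];` in the Python binding later in this changeset. A single named constant shared by this check and the callers' buffers would keep them in step, for example `#define AEAD_AUTH_TAG_SIZE 64` (the name is only a suggestion) with `if (hmac_size > AEAD_AUTH_TAG_SIZE) {`. The enclosing function starts and ends outside this hunk, so how `hmac_size` is derived is not visible here.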
@@ -274,7 +282,7 @@ 
samba_gnutls_aead_aes_256_cbc_hmac_sha512_decrypt(TALLOC_CTX *mem_ctx,
        uint8_t padding;
        size_t i;
        NTSTATUS status;
-       int cmp;
+       bool equal;
        int rc;
 
        if (cdk->length == 0 || ciphertext->length == 0 ||
@@ -325,8 +333,8 @@ 
samba_gnutls_aead_aes_256_cbc_hmac_sha512_decrypt(TALLOC_CTX *mem_ctx,
        }
        gnutls_hmac_deinit(hmac_hnd, auth_data);
 
-       cmp = memcmp(auth_data, auth_tag, sizeof(auth_data));
-       if (cmp != 0) {
+       equal = mem_equal_const_time(auth_data, auth_tag, sizeof(auth_data));
+       if (!equal) {
                return NT_STATUS_DECRYPTION_FAILED;
        }
 
diff --git a/lib/crypto/py_crypto.c b/lib/crypto/py_crypto.c
index ad18d3ada0f..11659556884 100644
--- a/lib/crypto/py_crypto.c
+++ b/lib/crypto/py_crypto.c
@@ -25,6 +25,53 @@
 #include <gnutls/gnutls.h>
 #include <gnutls/crypto.h>
 #include "lib/crypto/gnutls_helpers.h"
+#include "lib/crypto/md4.h"
+#include "libcli/auth/libcli_auth.h"
+#include "libcli/util/pyerrors.h"
+
+#ifdef HAVE_GNUTLS_PBKDF2
+static bool samba_gnutls_datum_from_PyObject(PyObject *py_obj,
+                                            gnutls_datum_t *datum)
+{
+       uint8_t *data = NULL;
+       Py_ssize_t size;
+
+       int ret;
+
+       ret = PyBytes_AsStringAndSize(py_obj,
+                                     (char **)&data,
+                                     &size);
+       if (ret != 0) {
+               return false;
+       }
+
+       datum->data = data;
+       datum->size = size;
+
+       return true;
+}
+#endif /* HAVE_GNUTLS_PBKDF2 */
+
+static bool samba_DATA_BLOB_from_PyObject(PyObject *py_obj,
+                                         DATA_BLOB *blob)
+{
+       uint8_t *data = NULL;
+       Py_ssize_t size;
+
+       int ret;
+
+       ret = PyBytes_AsStringAndSize(py_obj,
+                                     (char **)&data,
+                                     &size);
+       if (ret != 0) {
+               return false;
+       }
+
+       blob->data = data;
+       blob->length = size;
+
+       return true;
+}
 
 static PyObject *py_crypto_arcfour_crypt_blob(PyObject *module, PyObject *args)
 {
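Review bot: In `samba_gnutls_datum_from_PyObject()`, `datum->size = size;` narrows a `Py_ssize_t` into the `unsigned int` size field of `gnutls_datum_t`, so a bytes object longer than `UINT_MAX` would be passed on with a silently truncated length. A guard before the assignment closes this: `if ((size_t)size > UINT_MAX) { PyErr_SetString(PyExc_OverflowError, "input too large"); return false; }`. The exception has to be set because the callers return NULL when the helper returns `false`. Both helpers also store a pointer borrowed from the bytes object rather than a copy, so a short comment such as `/* datum/blob borrows py_obj's buffer: valid only while py_obj is alive, must not be freed or modified */` would help future callers. Both helpers are complete within this hunk; the trailing context belongs to `py_crypto_arcfour_crypt_blob()`, which continues outside it.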
@@ -100,13 +147,287 @@ static PyObject *py_crypto_set_strict_mode(PyObject 
*module)
        Py_RETURN_NONE;
 }
 
+static PyObject *py_crypto_des_crypt_blob_16(PyObject *self, PyObject *args)
+{
+       PyObject *py_data = NULL;
+       uint8_t *data = NULL;
+       Py_ssize_t data_size;
+
+       PyObject *py_key = NULL;
+       uint8_t *key = NULL;
+       Py_ssize_t key_size;
+
+       uint8_t result[16];
+
+       bool ok;
+       int ret;
+
+       ok = PyArg_ParseTuple(args, "SS",
+                             &py_data, &py_key);
+       if (!ok) {
+               return NULL;
+       }
+
+       ret = PyBytes_AsStringAndSize(py_data,
+                                     (char **)&data,
+                                     &data_size);
+       if (ret != 0) {
+               return NULL;
+       }
+
+       ret = PyBytes_AsStringAndSize(py_key,
+                                     (char **)&key,
+                                     &key_size);
+       if (ret != 0) {
+               return NULL;
+       }
+
+       if (data_size != 16) {
+               return PyErr_Format(PyExc_ValueError,
+                                   "Expected data size of 16 bytes; got %zd",
+                                   data_size);
+       }
+
+       if (key_size != 14) {
+               return PyErr_Format(PyExc_ValueError,
+                                   "Expected key size of 14 bytes; got %zd",
+                                   key_size);
+       }
+
+       ret = des_crypt112_16(result, data, key,
+                             SAMBA_GNUTLS_ENCRYPT);
+       if (ret != 0) {
+               return PyErr_Format(PyExc_RuntimeError,
+                                   "des_crypt112_16() failed: %d",
+                                   ret);
+       }
+
+       return PyBytes_FromStringAndSize((const char *)result,
+                                        sizeof(result));
+}
+
+static PyObject *py_crypto_md4_hash_blob(PyObject *self, PyObject *args)
+{
+       PyObject *py_data = NULL;
+       uint8_t *data = NULL;
+       Py_ssize_t data_size;
+
+       uint8_t result[16];
+
+       bool ok;
+       int ret;
+
+       ok = PyArg_ParseTuple(args, "S",
+                             &py_data);
+       if (!ok) {
+               return NULL;
+       }
+
+       ret = PyBytes_AsStringAndSize(py_data,
+                                     (char **)&data,
+                                     &data_size);
+       if (ret != 0) {
+               return NULL;
+       }
+
+       mdfour(result, data, data_size);
+
+       return PyBytes_FromStringAndSize((const char *)result,
+                                        sizeof(result));
+}
+
+static PyObject *py_crypto_sha512_pbkdf2(PyObject *self, PyObject *args)
+{
+#ifdef HAVE_GNUTLS_PBKDF2
+       PyObject *py_key = NULL;
+       uint8_t *key = NULL;
+       gnutls_datum_t key_datum = {0};
+
+       PyObject *py_salt = NULL;
+       gnutls_datum_t salt_datum = {0};
+
+       uint8_t result[16];
+
+       unsigned iterations = 0;
+
+       bool ok;
+       int ret;
+       NTSTATUS status;
+
+       ok = PyArg_ParseTuple(args, "SSI",
+                             &py_key, &py_salt, &iterations);
+       if (!ok) {
+               return NULL;
+       }
+
+       ok = samba_gnutls_datum_from_PyObject(py_key, &key_datum);
+       if (!ok) {
+               return NULL;
+       }
+
+       ok = samba_gnutls_datum_from_PyObject(py_salt, &salt_datum);
+       if (!ok) {
+               return NULL;
+       }
+
+       ret = gnutls_pbkdf2(GNUTLS_MAC_SHA512,
+                           &key_datum,
+                           &salt_datum,
+                           iterations,
+                           result,
+                           sizeof(result));
+       BURN_DATA(key);
+       if (ret < 0) {
+               status = gnutls_error_to_ntstatus(ret, 
NT_STATUS_CRYPTO_SYSTEM_INVALID);
+               PyErr_SetNTSTATUS(status);
+               return NULL;
+       }
+
+       return PyBytes_FromStringAndSize((const char *)result,
+                                        sizeof(result));
+#else /* HAVE_GNUTLS_PBKDF2 */
+       PyErr_SetString(PyExc_NotImplementedError, "gnutls_pbkdf2() is not 
available");
+       return NULL;
+#endif /* HAVE_GNUTLS_PBKDF2 */
+}
+
+static PyObject *py_crypto_aead_aes_256_cbc_hmac_sha512_blob(PyObject *self, 
PyObject *args)
+{
+       TALLOC_CTX *ctx = NULL;
+
+       PyObject *py_ciphertext = NULL;
+       DATA_BLOB ciphertext_blob = {0};
+
+       PyObject *py_auth_data = NULL;
+       PyObject *py_result = NULL;
+
+       PyObject *py_plaintext = NULL;
+       DATA_BLOB plaintext_blob = {0};
+       PyObject *py_cek = NULL;
+       DATA_BLOB cek_blob = {0};
+       PyObject *py_key_salt = NULL;
+       DATA_BLOB key_salt_blob = {0};
+       PyObject *py_mac_salt = NULL;
+       DATA_BLOB mac_salt_blob = {0};
+       PyObject *py_iv = NULL;
+       DATA_BLOB iv_blob = {0};
+
+       uint8_t auth_data[64];
+
+       bool ok;
+       NTSTATUS status;
+
+       ok = PyArg_ParseTuple(args, "SSSSS",
+                             &py_plaintext,
+                             &py_cek,
+                             &py_key_salt,
+                             &py_mac_salt,
+                             &py_iv);
+       if (!ok) {
+               return NULL;
+       }
+
+       /* Create data blobs from the contents of the function parameters. */
+
+       ok = samba_DATA_BLOB_from_PyObject(py_plaintext, &plaintext_blob);
+       if (!ok) {
+               return NULL;
+       }
+
+       ok = samba_DATA_BLOB_from_PyObject(py_cek, &cek_blob);
+       if (!ok) {
+               return NULL;
+       }
+
+       ok = samba_DATA_BLOB_from_PyObject(py_key_salt, &key_salt_blob);
+       if (!ok) {
+               return NULL;
+       }
+
+       ok = samba_DATA_BLOB_from_PyObject(py_mac_salt, &mac_salt_blob);
+       if (!ok) {
+               return NULL;
+       }
+
+       ok = samba_DATA_BLOB_from_PyObject(py_iv, &iv_blob);
+       if (!ok) {
+               return NULL;
+       }
+
+       ctx = talloc_new(NULL);
+       if (ctx == NULL) {
+               return PyErr_NoMemory();
+       }
+
+       /* Encrypt the plaintext. */
+       status = samba_gnutls_aead_aes_256_cbc_hmac_sha512_encrypt(ctx,
+                                                                  
&plaintext_blob,
+                                                                  &cek_blob,
+                                                                  
&key_salt_blob,
+                                                                  
&mac_salt_blob,
+                                                                  &iv_blob,
+                                                                  
&ciphertext_blob,
+                                                                  auth_data);
+       if (!NT_STATUS_IS_OK(status)) {
+               PyErr_SetNTSTATUS(status);
+               talloc_free(ctx);
+               return NULL;
+       }
+
+       /* Convert the output into Python 'bytes' objects. */
+       py_ciphertext = PyBytes_FromStringAndSize((const char 
*)ciphertext_blob.data,
+                                                 ciphertext_blob.length);
+       talloc_free(ctx);
+       if (py_ciphertext == NULL) {
+               return NULL;
+       }
+       py_auth_data = PyBytes_FromStringAndSize((const char *)auth_data,
+                                                sizeof(auth_data));
+       if (py_auth_data == NULL) {
+               return NULL;
+       }
+
+       /* Steal ciphertext and auth_data into a new tuple. */
+       py_result = Py_BuildValue("(NN)", py_ciphertext, py_auth_data);
+
+       return py_result;
+}
+
+
+
 static const char py_crypto_arcfour_crypt_blob_doc[] = 
"arcfour_crypt_blob(data, key)\n"
                                         "Encrypt the data with RC4 algorithm 
using the key";
 
+static const char py_crypto_des_crypt_blob_16_doc[] = "des_crypt_blob_16(data, 
key) -> bytes\n"
+                                                     "Encrypt the 16-byte data 
with DES using "
+                                                     "the 14-byte key";
+
+static const char py_crypto_md4_hash_blob_doc[] = "md4_hash_blob(data) -> 
bytes\n"
+                                                 "Hash the data with MD4 
algorithm";
+
+static const char py_crypto_sha512_pbkdf2_doc[] = "sha512_pbkdf2(key, salt, 
iterations) -> bytes\n"
+                                                 "Derive a key from an 
existing one with SHA512 "
+                                                 "algorithm";
+
+static const char py_crypto_aead_aes_256_cbc_hmac_sha512_blob_doc[] =
+       "aead_aes_256_cbc_hmac_sha512_blob(plaintext, cek, key_salt, "
+       "mac_salt, iv) -> ciphertext, auth_data\n"
+       "Encrypt the plaintext with AES256 as specified in "
+       "[MS-SAMR] 3.2.2.4 AES Cipher Usage";
+
 static PyMethodDef py_crypto_methods[] = {
        { "arcfour_crypt_blob", (PyCFunction)py_crypto_arcfour_crypt_blob, 
METH_VARARGS, py_crypto_arcfour_crypt_blob_doc },
        { "set_relax_mode", (PyCFunction)py_crypto_set_relax_mode, METH_NOARGS, 
"Set fips to relax mode" },
        { "set_strict_mode", (PyCFunction)py_crypto_set_strict_mode, 
METH_NOARGS, "Set fips to strict mode" },
+       { "des_crypt_blob_16", (PyCFunction)py_crypto_des_crypt_blob_16, 
METH_VARARGS, py_crypto_des_crypt_blob_16_doc },
+       { "md4_hash_blob", (PyCFunction)py_crypto_md4_hash_blob, METH_VARARGS, 
py_crypto_md4_hash_blob_doc },
+       { "sha512_pbkdf2", (PyCFunction)py_crypto_sha512_pbkdf2, METH_VARARGS, 
py_crypto_sha512_pbkdf2_doc },
+       {
+               "aead_aes_256_cbc_hmac_sha512_blob",
+               (PyCFunction)py_crypto_aead_aes_256_cbc_hmac_sha512_blob,
+               METH_VARARGS,
+               py_crypto_aead_aes_256_cbc_hmac_sha512_blob_doc
+       },
        {0},
 };
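Review bot: In `py_crypto_sha512_pbkdf2()`, `BURN_DATA(key)` acts on a local `uint8_t *key` that is initialised to NULL and never assigned, so it clears nothing. The key bytes live in the Python bytes object behind `key_datum`, which this function does not own. Either drop `key` and the `BURN_DATA(key)` call, or, if the intent is to limit how long derived material stays on the stack, wipe the output after copying it into the return value: `py_result = PyBytes_FromStringAndSize((const char *)result, sizeof(result)); BURN_DATA(result); return py_result;`. That assumes `BURN_DATA` zeroes the named object, since its definition is not shown on this page. Separately, in `py_crypto_aead_aes_256_cbc_hmac_sha512_blob()` the `py_auth_data == NULL` branch returns without releasing `py_ciphertext`; adding `Py_DECREF(py_ciphertext);` before that `return NULL;` fixes the leak.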
 
diff --git a/lib/crypto/tests/test_gnutls_aead_aes_256_cbc_hmac_sha512.c 
b/lib/crypto/tests/test_gnutls_aead_aes_256_cbc_hmac_sha512.c
index 51f125f42d6..bc6a191cd90 100644
--- a/lib/crypto/tests/test_gnutls_aead_aes_256_cbc_hmac_sha512.c
+++ b/lib/crypto/tests/test_gnutls_aead_aes_256_cbc_hmac_sha512.c
@@ -187,7 +187,7 @@ static void torture_encrypt(void **state)
                .length = sizeof(salt_data),
        };


-- 
Samba Shared Repository
