From eda1022b599a98edcd8da3440bfa7675f987cec0 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Thu, 27 Oct 2022 09:57:06 +1300 Subject: [PATCH] crypto: Rely on GnuTLS 3.6.13 and gnutls_pbkdf2() This removes a lot of inline #ifdef and means this feature is always tested. We can do this as we have chosen GnuTLS 3.6.13 as the new minimum version. Signed-off-by: Andrew Bartlett Reviewed-by: Andreas Schneider --- lib/crypto/py_crypto.c | 7 ------- .../tests/test_gnutls_aead_aes_256_cbc_hmac_sha512.c | 4 ---- python/samba/tests/auth_log_pass_change.py | 11 +---------- python/samba/tests/krb5/lockout_tests.py | 10 ---------- python/samba/tests/krb5/raw_testcase.py | 7 ------- source3/rpc_client/cli_samr.c | 4 ---- source3/rpc_server/samr/srv_samr_nt.c | 5 ----- source4/libnet/libnet_passwd.c | 4 ---- source4/rpc_server/samr/samr_password.c | 4 ---- source4/selftest/tests.py | 12 +++--------- source4/torture/rpc/samr.c | 2 -- wscript_configure_system_gnutls | 3 --- 12 files changed, 4 insertions(+), 69 deletions(-) diff --git a/lib/crypto/py_crypto.c b/lib/crypto/py_crypto.c index 11659556884..5b3c307057a 100644 --- a/lib/crypto/py_crypto.c +++ b/lib/crypto/py_crypto.c @@ -29,7 +29,6 @@ #include "libcli/auth/libcli_auth.h" #include "libcli/util/pyerrors.h" -#ifdef HAVE_GNUTLS_PBKDF2 static bool samba_gnutls_datum_from_PyObject(PyObject *py_obj, gnutls_datum_t *datum) { @@ -50,7 +49,6 @@ static bool samba_gnutls_datum_from_PyObject(PyObject *py_obj, return true; } -#endif /* HAVE_GNUTLS_PBKDF2 */ static bool samba_DATA_BLOB_from_PyObject(PyObject *py_obj, DATA_BLOB *blob) @@ -238,7 +236,6 @@ static PyObject *py_crypto_md4_hash_blob(PyObject *self, PyObject *args) static PyObject *py_crypto_sha512_pbkdf2(PyObject *self, PyObject *args) { -#ifdef HAVE_GNUTLS_PBKDF2 PyObject *py_key = NULL; uint8_t *key = NULL; gnutls_datum_t key_datum = {0}; 
@@ -285,10 +282,6 @@ static PyObject *py_crypto_sha512_pbkdf2(PyObject *self, PyObject *args) return PyBytes_FromStringAndSize((const char *)result, sizeof(result)); -#else /* HAVE_GNUTLS_PBKDF2 */ - PyErr_SetString(PyExc_NotImplementedError, "gnutls_pbkdf2() is not available"); - return NULL; -#endif /* HAVE_GNUTLS_PBKDF2 */ } static PyObject *py_crypto_aead_aes_256_cbc_hmac_sha512_blob(PyObject *self, PyObject *args) diff --git a/lib/crypto/tests/test_gnutls_aead_aes_256_cbc_hmac_sha512.c b/lib/crypto/tests/test_gnutls_aead_aes_256_cbc_hmac_sha512.c index bc6a191cd90..1b6b75f4b22 100644 --- a/lib/crypto/tests/test_gnutls_aead_aes_256_cbc_hmac_sha512.c +++ b/lib/crypto/tests/test_gnutls_aead_aes_256_cbc_hmac_sha512.c @@ -256,7 +256,6 @@ static void torture_encrypt_decrypt(void **state) TALLOC_FREE(frame); } -#ifdef HAVE_GNUTLS_PBKDF2 /* The following hexdumps are from a Windows Server 2022 time trace */ static uint8_t pbkdf2_nt_hash[] = { 0xf8, 0x48, 0x54, 0xde, 0xb8, 0x36, 0x10, 0x33, @@ -298,7 +297,6 @@ static void torture_pbkdf2(void **state) expected_pbkdf2_derived_key, sizeof(derived_key)); } -#endif /* HAVE_GNUTLS_PBKDF2 */ int main(int argc, char *argv[]) { @@ -308,9 +306,7 @@ int main(int argc, char *argv[]) cmocka_unit_test(torture_mac_key), cmocka_unit_test(torture_encrypt), cmocka_unit_test(torture_encrypt_decrypt), -#ifdef HAVE_GNUTLS_PBKDF2 cmocka_unit_test(torture_pbkdf2), -#endif /* HAVE_GNUTLS_PBKDF2 */ }; if (argc == 2) { diff --git a/python/samba/tests/auth_log_pass_change.py b/python/samba/tests/auth_log_pass_change.py index bbc14a5a7e1..b8737effca6 100644 --- a/python/samba/tests/auth_log_pass_change.py +++ b/python/samba/tests/auth_log_pass_change.py 
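Review bot: The PBKDF2 output in `result` is copied into an immutable Python bytes object at `return PyBytes_FromStringAndSize((const char *)result, sizeof(result));` with no visible wipe of the stack copy, and with the `#else` branch gone this return is the normal exit of py_crypto_sha512_pbkdf2. The middle of the function is not in the diff, so if `result` is already cleared there this is moot; otherwise `PyObject *ret = PyBytes_FromStringAndSize((const char *)result, sizeof(result)); BURN_DATA(result); return ret;` would match what libnet_passwd.c does with `BURN_DATA(pwd_buf)` in this same patch, assuming that macro is in scope here. The Python object itself cannot be scrubbed, so a one-line comment above the return noting that the returned bytes are key material the caller must treat as sensitive would also be worth adding.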
@@ -67,18 +67,9 @@ class AuthLogPassChangeTests(samba.tests.auth_log_base.AuthLogTestBase): # discard any auth log messages for the password setup type(self).discardMessages() - gnutls_pbkdf2_support = samba.tests.env_get_var_value( - 'GNUTLS_PBKDF2_SUPPORT', - allow_missing=True) - if gnutls_pbkdf2_support is None: - gnutls_pbkdf2_support = '0' - self.gnutls_pbkdf2_support = bool(int(gnutls_pbkdf2_support)) def _authDescription(self): - if self.gnutls_pbkdf2_support: - return "samr_ChangePasswordUser4" - else: - return "samr_ChangePasswordUser3" + return "samr_ChangePasswordUser4" def tearDown(self): super(AuthLogPassChangeTests, self).tearDown() diff --git a/python/samba/tests/krb5/lockout_tests.py b/python/samba/tests/krb5/lockout_tests.py index 25be0ce36dc..3fe098a662d 100755 --- a/python/samba/tests/krb5/lockout_tests.py +++ b/python/samba/tests/krb5/lockout_tests.py @@ -618,8 +618,6 @@ class LockoutTests(KDCBaseTest): self.do_lockout_transaction(connect_samr) def test_lockout_transaction_samr_aes(self): - if not self.gnutls_pbkdf2_support: - self.skipTest('gnutls_pbkdf2() is not available') self.do_lockout_transaction(connect_samr_aes) def test_lockout_transaction_ldap_pw_change(self): @@ -659,8 +657,6 @@ class LockoutTests(KDCBaseTest): self.do_lockout_transaction(connect_samr, correct_pw=False) def test_lockout_transaction_bad_pwd_samr_aes(self): - if not self.gnutls_pbkdf2_support: - self.skipTest('gnutls_pbkdf2() is not available') self.do_lockout_transaction(connect_samr_aes, correct_pw=False) def test_lockout_transaction_bad_pwd_ldap_pw_change(self): @@ -676,8 +672,6 @@ class LockoutTests(KDCBaseTest): self.do_bad_pwd_count_transaction(connect_samr) def test_bad_pwd_count_transaction_samr_aes(self): - if not self.gnutls_pbkdf2_support: - self.skipTest('gnutls_pbkdf2() is not available') self.do_bad_pwd_count_transaction(connect_samr_aes) def test_bad_pwd_count_transaction_ldap_pw_change(self): 
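Review bot: `_authDescription` now unconditionally returns `"samr_ChangePasswordUser4"` with no explanation of why User3 is no longer an expected value, and the `self.gnutls_pbkdf2_support` attribute that setUp no longer sets could still be read by code in this class outside the hunk, which would now raise AttributeError rather than pick the User3 path. A docstring would record the reasoning for the next reader, for example `"""Auth-log description this test expects for a password change: with GnuTLS >= 3.6.13 the AES-based ChangePasswordUser4 call is always used, so the RC4 ChangePasswordUser3 variant is never expected."""`. A grep for `gnutls_pbkdf2_support` in this file before merge would confirm no stale reference remains.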
@@ -705,8 +699,6 @@ class LockoutTests(KDCBaseTest): self.do_lockout_race(connect_samr) def test_lockout_race_samr_aes(self): - if not self.gnutls_pbkdf2_support: - self.skipTest('gnutls_pbkdf2() is not available') self.do_lockout_race(connect_samr_aes) def test_lockout_race_ldap_pw_change(self): @@ -728,8 +720,6 @@ class LockoutTests(KDCBaseTest): self.do_logon(connect_samr) def test_logon_samr_aes(self): - if not self.gnutls_pbkdf2_support: - self.skipTest('gnutls_pbkdf2() is not available') self.do_logon(connect_samr_aes) def test_logon_ldap_pw_change(self): diff --git a/python/samba/tests/krb5/raw_testcase.py b/python/samba/tests/krb5/raw_testcase.py index 4fb60e09069..9c77f705bee 100644 --- a/python/samba/tests/krb5/raw_testcase.py +++ b/python/samba/tests/krb5/raw_testcase.py @@ -691,13 +691,6 @@ class RawKerberosTest(TestCase): full_sig_support = '0' cls.full_sig_support = bool(int(full_sig_support)) - gnutls_pbkdf2_support = samba.tests.env_get_var_value( - 'GNUTLS_PBKDF2_SUPPORT', - allow_missing=True) - if gnutls_pbkdf2_support is None: - gnutls_pbkdf2_support = '1' - cls.gnutls_pbkdf2_support = bool(int(gnutls_pbkdf2_support)) - expect_pac = samba.tests.env_get_var_value('EXPECT_PAC', allow_missing=True) if expect_pac is None: diff --git a/source3/rpc_client/cli_samr.c b/source3/rpc_client/cli_samr.c index fdeff14b19d..d48e8485af3 100644 --- a/source3/rpc_client/cli_samr.c +++ b/source3/rpc_client/cli_samr.c @@ -476,7 +476,6 @@ NTSTATUS dcerpc_samr_chgpasswd_user4(struct dcerpc_binding_handle *h, const char *newpassword, NTSTATUS *presult) { -#ifdef HAVE_GNUTLS_PBKDF2 struct lsa_String server, user_account; uint8_t old_nt_key_data[16] = {0}; gnutls_datum_t old_nt_key = { 
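Review bot: Dropping `cls.gnutls_pbkdf2_support` from RawKerberosTest removes an attribute that subclasses consulted as `self.gnutls_pbkdf2_support`; the lockout_tests.py hunks delete the visible uses, but any other subclass still reading it (not visible in this diff) now fails with AttributeError instead of skipping. Because the old default was `'1'`, such a test would previously have run silently, so a leftover only shows up as a hard error once this lands. A repo-wide grep for `gnutls_pbkdf2_support` and `GNUTLS_PBKDF2_SUPPORT` before merge would confirm nothing is left. The enclosing classmethod starts and ends outside the hunk.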
@@ -565,9 +564,6 @@ NTSTATUS dcerpc_samr_chgpasswd_user4(struct dcerpc_binding_handle *h, data_blob_free(&ciphertext); return status; -#else /* HAVE_GNUTLS_PBKDF2 */ - return NT_STATUS_NOT_IMPLEMENTED; -#endif /* HAVE_GNUTLS_PBKDF2 */ } /* This function returns the bizzare set of (max_entries, max_size) required diff --git a/source3/rpc_server/samr/srv_samr_nt.c b/source3/rpc_server/samr/srv_samr_nt.c index 17136ba8449..86169b64afd 100644 --- a/source3/rpc_server/samr/srv_samr_nt.c +++ b/source3/rpc_server/samr/srv_samr_nt.c @@ -7670,7 +7670,6 @@ void _samr_Opnum72NotUsedOnWire(struct pipes_struct *p, NTSTATUS _samr_ChangePasswordUser4(struct pipes_struct *p, struct samr_ChangePasswordUser4 *r) { -#ifdef HAVE_GNUTLS_PBKDF2 TALLOC_CTX *frame = talloc_stackframe(); struct dcesrv_call_state *dce_call = p->dce_call; struct dcesrv_connection *dcesrv_conn = dce_call->conn; @@ -7904,10 +7903,6 @@ done: } return status; -#else /* HAVE_GNUTLS_PBKDF2 */ - p->fault_state = DCERPC_FAULT_OP_RNG_ERROR; - return NT_STATUS_NOT_IMPLEMENTED; -#endif /* HAVE_GNUTLS_PBKDF2 */ } /* include the generated boilerplate */ diff --git a/source4/libnet/libnet_passwd.c b/source4/libnet/libnet_passwd.c index d7e9400b559..e24ebe2757e 100644 --- a/source4/libnet/libnet_passwd.c +++ b/source4/libnet/libnet_passwd.c @@ -42,7 +42,6 @@ static NTSTATUS libnet_ChangePassword_samr_aes(TALLOC_CTX *mem_ctx, const char *new_password, const char **error_string) { -#ifdef HAVE_GNUTLS_PBKDF2 struct samr_ChangePasswordUser4 r; uint8_t old_nt_key_data[16] = {0}; gnutls_datum_t old_nt_key = { @@ -122,9 +121,6 @@ done: BURN_DATA(pwd_buf); return status; -#else /* HAVE_GNUTLS_PBKDF2 */ - return NT_STATUS_NOT_IMPLEMENTED; -#endif /* HAVE_GNUTLS_PBKDF2 */ } static NTSTATUS libnet_ChangePassword_samr_rc4(TALLOC_CTX *mem_ctx, diff --git a/source4/rpc_server/samr/samr_password.c b/source4/rpc_server/samr/samr_password.c index 3142707fdc7..2b5cd4aad7f 100644 --- a/source4/rpc_server/samr/samr_password.c 
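Review bot: `dcerpc_samr_chgpasswd_user4` returns right after `data_blob_free(&ciphertext);` with no visible clearing of `old_nt_key_data[16]`, which the previous hunk declares at the top of the function and which, judging by its name and its use as `old_nt_key`, holds the NT hash of the old password — a password-equivalent credential. The body between the two hunks is not in the diff, so if it is already wiped there this can be ignored; otherwise `BURN_DATA(old_nt_key_data);` before `return status;` would mirror the `BURN_DATA(pwd_buf)` that libnet_passwd.c does in this same patch. `data_blob_free` on the ciphertext does not need the same treatment, but a comment saying so would stop the next reader from wondering.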
+++ b/source4/rpc_server/samr/samr_password.c @@ -119,7 +119,6 @@ NTSTATUS dcesrv_samr_ChangePasswordUser4(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, struct samr_ChangePasswordUser4 *r) { -#ifdef HAVE_GNUTLS_PBKDF2 struct ldb_context *sam_ctx = NULL; struct ldb_message *msg = NULL; struct ldb_dn *dn = NULL; @@ -298,9 +297,6 @@ done: } return status; -#else /* HAVE_GNUTLS_PBKDF2 */ - DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR); -#endif /* HAVE_GNUTLS_PBKDF2 */ } static NTSTATUS dcesrv_samr_ChangePasswordUser_impl(struct dcesrv_call_state *dce_call, diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py index 29f6181e96e..13b3b1ce6ab 100755 --- a/source4/selftest/tests.py +++ b/source4/selftest/tests.py @@ -1200,8 +1200,6 @@ if 'SAMBA4_USES_HEIMDAL' in config_hash: else: full_sig_support = 0 -gnutls_pbkdf2_support = int('HAVE_GNUTLS_PBKDF2' in config_hash) - if 'HAVE_MIT_KRB5_1_20' in config_hash: kadmin_is_tgs = 1 else: @@ -1226,7 +1224,6 @@ krb5_environ = { 'COMPOUND_ID_SUPPORT': compound_id_support, 'TKT_SIG_SUPPORT': tkt_sig_support, 'FULL_SIG_SUPPORT': full_sig_support, - 'GNUTLS_PBKDF2_SUPPORT': gnutls_pbkdf2_support, 'EXPECT_PAC': expect_pac, 'EXPECT_EXTRA_PAC_BUFFERS': extra_pac_buffers, 'CHECK_CNAME': check_cname, @@ -1305,11 +1302,9 @@ if have_heimdal_support: environ={'CLIENT_IP': '10.53.57.11', 'SOCKET_WRAPPER_DEFAULT_IFACE': 11}) planoldpythontestsuite("ad_dc_smb1", "samba.tests.auth_log_pass_change", - extra_args=['-U"$USERNAME%$PASSWORD"'], - environ={'GNUTLS_PBKDF2_SUPPORT': gnutls_pbkdf2_support}) + extra_args=['-U"$USERNAME%$PASSWORD"']) planoldpythontestsuite("ad_dc_ntvfs", "samba.tests.auth_log_pass_change", - extra_args=['-U"$USERNAME%$PASSWORD"'], - environ={'GNUTLS_PBKDF2_SUPPORT': gnutls_pbkdf2_support}) + extra_args=['-U"$USERNAME%$PASSWORD"']) # these tests use a NCA local RPC connection, so always run on the # :local testenv, and so don't need to fake a client connection 
@@ -1326,8 +1321,7 @@ if have_heimdal_support: "samba.tests.auth_log_winbind", extra_args=['-U"$DC_USERNAME%$DC_PASSWORD"']) planoldpythontestsuite("ad_dc", "samba.tests.audit_log_pass_change", - extra_args=['-U"$USERNAME%$PASSWORD"'], - environ={'GNUTLS_PBKDF2_SUPPORT': gnutls_pbkdf2_support}) + extra_args=['-U"$USERNAME%$PASSWORD"']) planoldpythontestsuite("ad_dc", "samba.tests.audit_log_dsdb", extra_args=['-U"$USERNAME%$PASSWORD"']) planoldpythontestsuite("ad_dc", "samba.tests.group_audit", diff --git a/source4/torture/rpc/samr.c b/source4/torture/rpc/samr.c index 70da47b3beb..a303c87fd77 100644 --- a/source4/torture/rpc/samr.c +++ b/source4/torture/rpc/samr.c @@ -3052,7 +3052,6 @@ bool test_ChangePasswordUser4(struct dcerpc_pipe *p, char **password, const char *newpassword) { -#ifdef HAVE_GNUTLS_PBKDF2 struct dcerpc_binding_handle *b = p->binding_handle; struct samr_ChangePasswordUser4 r; const char *oldpassword = *password; @@ -3158,7 +3157,6 @@ bool test_ChangePasswordUser4(struct dcerpc_pipe *p, torture_assert_ntstatus_ok(tctx, status, "ChangePasswordUser4 failed"); *password = talloc_strdup(tctx, newpassword); -#endif /* HAVE_GNUTLS_PBKDF2 */ return true; } diff --git a/wscript_configure_system_gnutls b/wscript_configure_system_gnutls index baace37495a..9f6fde2f204 100644 --- a/wscript_configure_system_gnutls +++ b/wscript_configure_system_gnutls @@ -29,9 +29,6 @@ conf.CHECK_FUNCS_IN('gnutls_pkcs7_get_embedded_data_oid', 'gnutls') # Check for gnutls_set_default_priority_append (>= 3.6.3) conf.CHECK_FUNCS_IN('gnutls_set_default_priority_append', 'gnutls') -# Check for gnutls_pbkdf2 (>= 3.6.13) -conf.CHECK_FUNCS_IN('gnutls_pbkdf2', 'gnutls') - # Check for gnutls_aead_cipher_encryptv2 # # This is available since version 3.6.10, but 3.6.10 has a bug which got fixed -- 2.34.1
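Review bot: Removing the `gnutls_pbkdf2` CHECK_FUNCS_IN means configure no longer verifies the symbol that the SAMR password-change code in this patch now calls unconditionally; that is only safe if the GnuTLS minimum-version check elsewhere in this file was raised to 3.6.13 in an earlier commit, which this diff does not show. If it was not, a build against an older GnuTLS fails at link time in several translation units instead of with a clear configure error. A comment at the removed site, such as `# gnutls_pbkdf2() needs GnuTLS >= 3.6.13, which the minimum version check above guarantees`, would record why no per-function check is needed, in the same style as the surrounding version notes.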