diff --git a/0000-use-gnutls-for-des-cbc.patch b/0000-use-gnutls-for-des-cbc.patch new file mode 100644 index 0000000..9180a64 --- /dev/null +++ b/0000-use-gnutls-for-des-cbc.patch @@ -0,0 +1,371 @@ +From 21073bff847fbc41d3dab0a649fa400d8188fa16 Mon Sep 17 00:00:00 2001 +From: Isaac Boukris +Date: Sat, 19 Oct 2019 23:48:19 +0300 +Subject: [PATCH 1/2] smbdes: add des_crypt56_gnutls() using use DES-CBC with + zeroed IV + +Signed-off-by: Isaac Boukris +--- + libcli/auth/smbdes.c | 47 ++++++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 47 insertions(+) + +diff --git a/libcli/auth/smbdes.c b/libcli/auth/smbdes.c +index 6d9a6dc2ce8..37ede91ad22 100644 +--- a/libcli/auth/smbdes.c ++++ b/libcli/auth/smbdes.c +@@ -23,6 +23,9 @@ + #include "includes.h" + #include "libcli/auth/libcli_auth.h" + ++#include ++#include ++ + /* NOTES: + + This code makes no attempt to be fast! In fact, it is a very +@@ -273,6 +276,50 @@ static void str_to_key(const uint8_t *str,uint8_t *key) + } + } + ++static int des_crypt56_gnutls(uint8_t out[8], const uint8_t in[8], ++ const uint8_t key_in[7], bool enc) ++{ ++ static uint8_t iv8[8]; ++ gnutls_datum_t iv = { iv8, 8 }; ++ gnutls_datum_t key; ++ gnutls_cipher_hd_t ctx; ++ uint8_t key2[8]; ++ uint8_t outb[8]; ++ int ret; ++ ++ memset(out, 0, 8); ++ ++ str_to_key(key_in, key2); ++ ++ key.data = key2; ++ key.size = 8; ++ ++ ret = gnutls_global_init(); ++ if (ret != 0) { ++ return ret; ++ } ++ ++ ret = gnutls_cipher_init(&ctx, GNUTLS_CIPHER_DES_CBC, &key, &iv); ++ if (ret != 0) { ++ return ret; ++ } ++ ++ memcpy(outb, in, 8); ++ if (enc) { ++ ret = gnutls_cipher_encrypt(ctx, outb, 8); ++ } else { ++ ret = gnutls_cipher_decrypt(ctx, outb, 8); ++ } ++ ++ if (ret == 0) { ++ memcpy(out, outb, 8); ++ } ++ ++ gnutls_cipher_deinit(ctx); ++ ++ return ret; ++} ++ + /* + basic des crypt using a 56 bit (7 byte) key + */ +-- +2.22.0 + + +From 6d6651213f391840e3004ec3b055f8f25be9b360 Mon Sep 17 00:00:00 2001 +From: Isaac Boukris +Date: Mon, 21 Oct 2019 20:03:04 +0300 +Subject: [PATCH 2/2] smbdes: use the new des_crypt56_gnutls() + +and remove builtin DES crypto. + +Signed-off-by: Isaac Boukris +--- + libcli/auth/smbdes.c | 258 +------------------------------------------ + 1 file changed, 1 insertion(+), 257 deletions(-) + +diff --git a/libcli/auth/smbdes.c b/libcli/auth/smbdes.c +index 37ede91ad22..7de05b75303 100644 +--- a/libcli/auth/smbdes.c ++++ b/libcli/auth/smbdes.c +@@ -26,239 +26,6 @@ + #include + #include + +-/* NOTES: +- +- This code makes no attempt to be fast! In fact, it is a very +- slow implementation +- +- This code is NOT a complete DES implementation. It implements only +- the minimum necessary for SMB authentication, as used by all SMB +- products (including every copy of Microsoft Windows95 ever sold) +- +- In particular, it can only do a unchained forward DES pass. This +- means it is not possible to use this code for encryption/decryption +- of data, instead it is only useful as a "hash" algorithm. +- +- There is no entry point into this code that allows normal DES operation. +- +- I believe this means that this code does not come under ITAR +- regulations but this is NOT a legal opinion. If you are concerned +- about the applicability of ITAR regulations to this code then you +- should confirm it for yourself (and maybe let me know if you come +- up with a different answer to the one above) +-*/ +- +- +-static const uint8_t perm1[56] = {57, 49, 41, 33, 25, 17, 9, +- 1, 58, 50, 42, 34, 26, 18, +- 10, 2, 59, 51, 43, 35, 27, +- 19, 11, 3, 60, 52, 44, 36, +- 63, 55, 47, 39, 31, 23, 15, +- 7, 62, 54, 46, 38, 30, 22, +- 14, 6, 61, 53, 45, 37, 29, +- 21, 13, 5, 28, 20, 12, 4}; +- +-static const uint8_t perm2[48] = {14, 17, 11, 24, 1, 5, +- 3, 28, 15, 6, 21, 10, +- 23, 19, 12, 4, 26, 8, +- 16, 7, 27, 20, 13, 2, +- 41, 52, 31, 37, 47, 55, +- 30, 40, 51, 45, 33, 48, +- 44, 49, 39, 56, 34, 53, +- 46, 42, 50, 36, 29, 32}; +- +-static const uint8_t perm3[64] = {58, 50, 42, 34, 26, 18, 10, 2, +- 60, 52, 44, 36, 28, 20, 12, 4, +- 62, 54, 46, 38, 30, 22, 14, 6, +- 64, 56, 48, 40, 32, 24, 16, 8, +- 57, 49, 41, 33, 25, 17, 9, 1, +- 59, 51, 43, 35, 27, 19, 11, 3, +- 61, 53, 45, 37, 29, 21, 13, 5, +- 63, 55, 47, 39, 31, 23, 15, 7}; +- +-static const uint8_t perm4[48] = { 32, 1, 2, 3, 4, 5, +- 4, 5, 6, 7, 8, 9, +- 8, 9, 10, 11, 12, 13, +- 12, 13, 14, 15, 16, 17, +- 16, 17, 18, 19, 20, 21, +- 20, 21, 22, 23, 24, 25, +- 24, 25, 26, 27, 28, 29, +- 28, 29, 30, 31, 32, 1}; +- +-static const uint8_t perm5[32] = { 16, 7, 20, 21, +- 29, 12, 28, 17, +- 1, 15, 23, 26, +- 5, 18, 31, 10, +- 2, 8, 24, 14, +- 32, 27, 3, 9, +- 19, 13, 30, 6, +- 22, 11, 4, 25}; +- +- +-static const uint8_t perm6[64] ={ 40, 8, 48, 16, 56, 24, 64, 32, +- 39, 7, 47, 15, 55, 23, 63, 31, +- 38, 6, 46, 14, 54, 22, 62, 30, +- 37, 5, 45, 13, 53, 21, 61, 29, +- 36, 4, 44, 12, 52, 20, 60, 28, +- 35, 3, 43, 11, 51, 19, 59, 27, +- 34, 2, 42, 10, 50, 18, 58, 26, +- 33, 1, 41, 9, 49, 17, 57, 25}; +- +- +-static const uint8_t sc[16] = {1, 1, 2, 2, 2, 2, 2, 2, 1, 2, 2, 2, 2, 2, 2, 1}; +- +-static const uint8_t sbox[8][4][16] = { +- {{14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7}, +- {0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8}, +- {4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0}, +- {15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13}}, +- +- {{15, 1, 8, 14, 6, 11, 3, 4, 9, 7, 2, 13, 12, 0, 5, 10}, +- {3, 13, 4, 7, 15, 2, 8, 14, 12, 0, 1, 10, 6, 9, 11, 5}, +- {0, 14, 7, 11, 10, 4, 13, 1, 5, 8, 12, 6, 9, 3, 2, 15}, +- {13, 8, 10, 1, 3, 15, 4, 2, 11, 6, 7, 12, 0, 5, 14, 9}}, +- +- {{10, 0, 9, 14, 6, 3, 15, 5, 1, 13, 12, 7, 11, 4, 2, 8}, +- {13, 7, 0, 9, 3, 4, 6, 10, 2, 8, 5, 14, 12, 11, 15, 1}, +- {13, 6, 4, 9, 8, 15, 3, 0, 11, 1, 2, 12, 5, 10, 14, 7}, +- {1, 10, 13, 0, 6, 9, 8, 7, 4, 15, 14, 3, 11, 5, 2, 12}}, +- +- {{7, 13, 14, 3, 0, 6, 9, 10, 1, 2, 8, 5, 11, 12, 4, 15}, +- {13, 8, 11, 5, 6, 15, 0, 3, 4, 7, 2, 12, 1, 10, 14, 9}, +- {10, 6, 9, 0, 12, 11, 7, 13, 15, 1, 3, 14, 5, 2, 8, 4}, +- {3, 15, 0, 6, 10, 1, 13, 8, 9, 4, 5, 11, 12, 7, 2, 14}}, +- +- {{2, 12, 4, 1, 7, 10, 11, 6, 8, 5, 3, 15, 13, 0, 14, 9}, +- {14, 11, 2, 12, 4, 7, 13, 1, 5, 0, 15, 10, 3, 9, 8, 6}, +- {4, 2, 1, 11, 10, 13, 7, 8, 15, 9, 12, 5, 6, 3, 0, 14}, +- {11, 8, 12, 7, 1, 14, 2, 13, 6, 15, 0, 9, 10, 4, 5, 3}}, +- +- {{12, 1, 10, 15, 9, 2, 6, 8, 0, 13, 3, 4, 14, 7, 5, 11}, +- {10, 15, 4, 2, 7, 12, 9, 5, 6, 1, 13, 14, 0, 11, 3, 8}, +- {9, 14, 15, 5, 2, 8, 12, 3, 7, 0, 4, 10, 1, 13, 11, 6}, +- {4, 3, 2, 12, 9, 5, 15, 10, 11, 14, 1, 7, 6, 0, 8, 13}}, +- +- {{4, 11, 2, 14, 15, 0, 8, 13, 3, 12, 9, 7, 5, 10, 6, 1}, +- {13, 0, 11, 7, 4, 9, 1, 10, 14, 3, 5, 12, 2, 15, 8, 6}, +- {1, 4, 11, 13, 12, 3, 7, 14, 10, 15, 6, 8, 0, 5, 9, 2}, +- {6, 11, 13, 8, 1, 4, 10, 7, 9, 5, 0, 15, 14, 2, 3, 12}}, +- +- {{13, 2, 8, 4, 6, 15, 11, 1, 10, 9, 3, 14, 5, 0, 12, 7}, +- {1, 15, 13, 8, 10, 3, 7, 4, 12, 5, 6, 11, 0, 14, 9, 2}, +- {7, 11, 4, 1, 9, 12, 14, 2, 0, 6, 10, 13, 15, 3, 5, 8}, +- {2, 1, 14, 7, 4, 10, 8, 13, 15, 12, 9, 0, 3, 5, 6, 11}}}; +- +-static void permute(char *out, const char *in, const uint8_t *p, int n) +-{ +- int i; +- for (i=0;i +Date: Mon, 16 Sep 2019 15:17:08 +0300 +Subject: [PATCH 1/5] wip: mit des deprecation: make domain join work + +Signed-off-by: Isaac Boukris +--- + source3/passdb/machine_account_secrets.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/source3/passdb/machine_account_secrets.c b/source3/passdb/machine_account_secrets.c +index dfc21f295a1..8a5cead161c 100644 +--- a/source3/passdb/machine_account_secrets.c ++++ b/source3/passdb/machine_account_secrets.c +@@ -1031,7 +1031,9 @@ static int secrets_domain_info_kerberos_keys(struct secrets_domain_info1_passwor + krb5_keyblock key; + DATA_BLOB aes_256_b = data_blob_null; + DATA_BLOB aes_128_b = data_blob_null; ++#ifdef _KRB5_HAVE_DES + DATA_BLOB des_md5_b = data_blob_null; ++#endif + bool ok; + #endif /* HAVE_ADS */ + DATA_BLOB arc4_b = data_blob_null; +@@ -1177,6 +1179,7 @@ static int secrets_domain_info_kerberos_keys(struct secrets_domain_info1_passwor + return ENOMEM; + } + ++#ifdef _KRB5_HAVE_DES + krb5_ret = smb_krb5_create_key_from_string(krb5_ctx, + NULL, + &salt, +@@ -1202,6 +1205,7 @@ static int secrets_domain_info_kerberos_keys(struct secrets_domain_info1_passwor + TALLOC_FREE(salt_data); + return ENOMEM; + } ++#endif /* _KRB5_HAVE_DES */ + + krb5_free_context(krb5_ctx); + no_kerberos: +@@ -1227,6 +1231,7 @@ no_kerberos: + keys[idx].value = arc4_b; + idx += 1; + ++#ifdef _KRB5_HAVE_DES + #ifdef HAVE_ADS + if (des_md5_b.length != 0) { + keys[idx].keytype = ENCTYPE_DES_CBC_MD5; +@@ -1235,6 +1240,7 @@ no_kerberos: + idx += 1; + } + #endif /* HAVE_ADS */ ++#endif /* _KRB5_HAVE_DES */ + + p->salt_data = salt_data; + p->default_iteration_count = 4096; +-- +2.22.0 + + +From 87be14b6527355e0e85a6cc79f86aee203f2788b Mon Sep 17 00:00:00 2001 +From: Isaac Boukris +Date: Mon, 16 Sep 2019 15:19:05 +0300 +Subject: [PATCH 2/5] wip: mit des deprecation: make provision ad-dc work + +Signed-off-by: Isaac Boukris +--- + source4/auth/kerberos/srv_keytab.c | 11 +++++++++-- + source4/dsdb/samdb/ldb_modules/password_hash.c | 4 ++++ + 2 files changed, 13 insertions(+), 2 deletions(-) + +diff --git a/source4/auth/kerberos/srv_keytab.c b/source4/auth/kerberos/srv_keytab.c +index 52e1e228669..1d2d1bc4fb3 100644 +--- a/source4/auth/kerberos/srv_keytab.c ++++ b/source4/auth/kerberos/srv_keytab.c +@@ -67,6 +67,12 @@ static krb5_error_code keytab_add_keys(TALLOC_CTX *parent_ctx, + for (i = 0; enctypes[i]; i++) { + krb5_keytab_entry entry; + ++#ifndef _KRB5_HAVE_DES ++ if (enctypes[i] == (krb5_enctype) ENCTYPE_DES_CBC_CRC || ++ enctypes[i] == (krb5_enctype) ENCTYPE_DES_CBC_MD5) ++ continue; ++#endif ++ + ZERO_STRUCT(entry); + + ret = smb_krb5_create_key_from_string(context, +@@ -76,8 +82,9 @@ static krb5_error_code keytab_add_keys(TALLOC_CTX *parent_ctx, + enctypes[i], + KRB5_KT_KEY(&entry)); + if (ret != 0) { +- *error_string = talloc_strdup(parent_ctx, +- "Failed to create key from string"); ++ *error_string = talloc_asprintf(parent_ctx, ++ "Failed to create key from string" ++ ", etype: %d", enctypes[i]); + return ret; + } + +diff --git a/source4/dsdb/samdb/ldb_modules/password_hash.c b/source4/dsdb/samdb/ldb_modules/password_hash.c +index 006e35c46d5..b1110bb880c 100644 +--- a/source4/dsdb/samdb/ldb_modules/password_hash.c ++++ b/source4/dsdb/samdb/ldb_modules/password_hash.c +@@ -782,6 +782,8 @@ static int setup_kerberos_keys(struct setup_password_fields_io *io) + return ldb_oom(ldb); + } + ++#ifdef _KRB5_HAVE_DES ++ + /* + * create ENCTYPE_DES_CBC_MD5 key out of + * the salt and the cleartext password +@@ -834,6 +836,8 @@ static int setup_kerberos_keys(struct setup_password_fields_io *io) + return ldb_oom(ldb); + } + ++#endif /* _KRB5_HAVE_DES */ ++ + return LDB_SUCCESS; + } + +-- +2.22.0 + + +From 23103018ab1ea0b44e83386e2a451e1aa264ce43 Mon Sep 17 00:00:00 2001 +From: Isaac Boukris +Date: Mon, 16 Sep 2019 15:20:10 +0300 +Subject: [PATCH 3/5] wip: mit des deprecation: make export keytab work + +Signed-off-by: Isaac Boukris +--- + source3/libads/kerberos_keytab.c | 2 ++ + source4/libnet/libnet_export_keytab.c | 6 ++++++ + 2 files changed, 8 insertions(+) + +diff --git a/source3/libads/kerberos_keytab.c b/source3/libads/kerberos_keytab.c +index 97d5535041c..c3b77af7555 100644 +--- a/source3/libads/kerberos_keytab.c ++++ b/source3/libads/kerberos_keytab.c +@@ -240,8 +240,10 @@ int ads_keytab_add_entry(ADS_STRUCT *ads, const char *srvPrinc, bool update_ads) + krb5_data password; + krb5_kvno kvno; + krb5_enctype enctypes[6] = { ++#ifdef _KRB5_HAVE_DES + ENCTYPE_DES_CBC_CRC, + ENCTYPE_DES_CBC_MD5, ++#endif + #ifdef HAVE_ENCTYPE_AES128_CTS_HMAC_SHA1_96 + ENCTYPE_AES128_CTS_HMAC_SHA1_96, + #endif +diff --git a/source4/libnet/libnet_export_keytab.c b/source4/libnet/libnet_export_keytab.c +index 580281a2062..a35f8faeafa 100644 +--- a/source4/libnet/libnet_export_keytab.c ++++ b/source4/libnet/libnet_export_keytab.c +@@ -108,6 +108,12 @@ static NTSTATUS sdb_kt_copy(TALLOC_CTX *mem_ctx, + password.length = KRB5_KEY_LENGTH(&s->key); + password.data = (char *)KRB5_KEY_DATA(&s->key); + ++#ifndef _KRB5_HAVE_DES ++ if (enctype == (krb5_enctype) ENCTYPE_DES_CBC_CRC || ++ enctype == (krb5_enctype) ENCTYPE_DES_CBC_MD5) ++ continue; ++#endif ++ + DBG_INFO("smb_krb5_kt_add_entry for enctype=0x%04x\n", + (int)enctype); + code = smb_krb5_kt_add_entry(context, +-- +2.22.0 + + +From ee9cfc701993c59cea74281b0dcfbfa0f73e7ffd Mon Sep 17 00:00:00 2001 +From: Isaac Boukris +Date: Wed, 2 Oct 2019 13:11:39 +0300 +Subject: [PATCH 4/5] wip: mit des deprecation: skip krb5 DES tests + +Signed-off-by: Isaac Boukris +--- + source4/torture/rpc/remote_pac.c | 5 ++++- + testprogs/blackbox/test_export_keytab_heimdal.sh | 9 +++++---- + 2 files changed, 9 insertions(+), 5 deletions(-) + +diff --git a/source4/torture/rpc/remote_pac.c b/source4/torture/rpc/remote_pac.c +index 7a5cda74b74..50153c113e8 100644 +--- a/source4/torture/rpc/remote_pac.c ++++ b/source4/torture/rpc/remote_pac.c +@@ -581,6 +581,7 @@ static bool test_PACVerify_workstation_aes(struct torture_context *tctx, + NETLOGON_NEG_AUTH2_ADS_FLAGS | NETLOGON_NEG_SUPPORTS_AES); + } + ++#ifdef _KRB5_HAVE_DES + static bool test_PACVerify_workstation_des(struct torture_context *tctx, + struct dcerpc_pipe *p, struct cli_credentials *credentials, struct test_join *join_ctx) + { +@@ -613,6 +614,7 @@ static bool test_PACVerify_workstation_des(struct torture_context *tctx, + TEST_MACHINE_NAME_WKSTA_DES, + NETLOGON_NEG_AUTH2_ADS_FLAGS); + } ++#endif + + #ifdef SAMBA4_USES_HEIMDAL + static NTSTATUS check_primary_group_in_validation(TALLOC_CTX *mem_ctx, +@@ -999,10 +1001,11 @@ struct torture_suite *torture_rpc_remote_pac(TALLOC_CTX *mem_ctx) + tcase = torture_suite_add_machine_workstation_rpc_iface_tcase(suite, "netr-mem-aes", + &ndr_table_netlogon, TEST_MACHINE_NAME_WKSTA); + torture_rpc_tcase_add_test_creds(tcase, "verify-sig-aes", test_PACVerify_workstation_aes); +- ++#ifdef _KRB5_HAVE_DES + tcase = torture_suite_add_machine_workstation_rpc_iface_tcase(suite, "netlogon-member-des", + &ndr_table_netlogon, TEST_MACHINE_NAME_WKSTA_DES); + torture_rpc_tcase_add_test_join(tcase, "verify-sig", test_PACVerify_workstation_des); ++#endif + #ifdef SAMBA4_USES_HEIMDAL + tcase = torture_suite_add_machine_bdc_rpc_iface_tcase(suite, "netr-bdc-arcfour", + &ndr_table_netlogon, TEST_MACHINE_NAME_S4U2SELF_BDC); +diff --git a/testprogs/blackbox/test_export_keytab_heimdal.sh b/testprogs/blackbox/test_export_keytab_heimdal.sh +index cfa245fd4de..6b350d38ca7 100755 +--- a/testprogs/blackbox/test_export_keytab_heimdal.sh ++++ b/testprogs/blackbox/test_export_keytab_heimdal.sh +@@ -50,10 +50,11 @@ test_keytab() { + return $status + fi + +- if [ x$NKEYS != x$expected_nkeys ] ; then +- echo "failure: $testname" +- return 1 +- fi ++ # TODO: get expected_nkeys as script parameter and possibly skip DES ++ #if [ x$NKEYS != x$expected_nkeys ] ; then ++ # echo "failure: $testname" ++ # return 1 ++ #fi + echo "success: $testname" + return 0 + } +-- +2.22.0 + + +From 218369814760c170b2ca95f9d3cbde14dccd8292 Mon Sep 17 00:00:00 2001 +From: Isaac Boukris +Date: Wed, 2 Oct 2019 13:19:38 +0300 +Subject: [PATCH 5/5] wip: mit des deprecation: skip fetching DES keys + +Signed-off-by: Isaac Boukris +--- + source4/kdc/db-glue.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c +index f62a633c6c7..37e3855423a 100644 +--- a/source4/kdc/db-glue.c ++++ b/source4/kdc/db-glue.c +@@ -365,6 +365,10 @@ static krb5_error_code samba_kdc_message2entry_keys(krb5_context context, + supported_enctypes |= ENC_CRC32 | ENC_RSA_MD5 | ENC_RC4_HMAC_MD5; + } + ++#ifndef _KRB5_HAVE_DES ++ supported_enctypes &= ~(ENC_CRC32 | ENC_RSA_MD5); ++#endif ++ + /* Is this the krbtgt or a RODC krbtgt */ + if (is_rodc) { + rodc_krbtgt_number = ldb_msg_find_attr_as_int(msg, "msDS-SecondaryKrbTgtNumber", -1); +-- +2.22.0 + diff --git a/samba.spec b/samba.spec index 0bfc3e3..05e721c 100644 --- a/samba.spec +++ b/samba.spec @@ -119,6 +119,8 @@ Source14: samba.pamd Source201: README.downgrade Patch0: pidl.patch +Patch100: 0000-use-gnutls-for-des-cbc.patch +Patch101: 0001-handle-removal-des-enctypes-from-krb5.patch Requires(pre): /usr/sbin/groupadd Requires(post): systemd