This removes a lot of inline #ifdef and means this feature is always tested.
We can do this as we have chosen GnuTLS 3.6.13 as the new minimum version.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
#include "libcli/auth/libcli_auth.h"
#include "libcli/util/pyerrors.h"
-#ifdef HAVE_GNUTLS_PBKDF2
static bool samba_gnutls_datum_from_PyObject(PyObject *py_obj,
gnutls_datum_t *datum)
{
return true;
}
-#endif /* HAVE_GNUTLS_PBKDF2 */
static bool samba_DATA_BLOB_from_PyObject(PyObject *py_obj,
DATA_BLOB *blob)
static PyObject *py_crypto_sha512_pbkdf2(PyObject *self, PyObject *args)
{
-#ifdef HAVE_GNUTLS_PBKDF2
PyObject *py_key = NULL;
uint8_t *key = NULL;
gnutls_datum_t key_datum = {0};
return PyBytes_FromStringAndSize((const char *)result,
sizeof(result));
-#else /* HAVE_GNUTLS_PBKDF2 */
- PyErr_SetString(PyExc_NotImplementedError, "gnutls_pbkdf2() is not available");
- return NULL;
-#endif /* HAVE_GNUTLS_PBKDF2 */
}
static PyObject *py_crypto_aead_aes_256_cbc_hmac_sha512_blob(PyObject *self, PyObject *args)
TALLOC_FREE(frame);
}
-#ifdef HAVE_GNUTLS_PBKDF2
/* The following hexdumps are from a Windows Server 2022 time trace */
static uint8_t pbkdf2_nt_hash[] = {
0xf8, 0x48, 0x54, 0xde, 0xb8, 0x36, 0x10, 0x33,
expected_pbkdf2_derived_key,
sizeof(derived_key));
}
-#endif /* HAVE_GNUTLS_PBKDF2 */
int main(int argc, char *argv[])
{
cmocka_unit_test(torture_mac_key),
cmocka_unit_test(torture_encrypt),
cmocka_unit_test(torture_encrypt_decrypt),
-#ifdef HAVE_GNUTLS_PBKDF2
cmocka_unit_test(torture_pbkdf2),
-#endif /* HAVE_GNUTLS_PBKDF2 */
};
if (argc == 2) {
# discard any auth log messages for the password setup
type(self).discardMessages()
- gnutls_pbkdf2_support = samba.tests.env_get_var_value(
- 'GNUTLS_PBKDF2_SUPPORT',
- allow_missing=True)
- if gnutls_pbkdf2_support is None:
- gnutls_pbkdf2_support = '0'
- self.gnutls_pbkdf2_support = bool(int(gnutls_pbkdf2_support))
def _authDescription(self):
- if self.gnutls_pbkdf2_support:
- return "samr_ChangePasswordUser4"
- else:
- return "samr_ChangePasswordUser3"
+ return "samr_ChangePasswordUser4"
def tearDown(self):
super(AuthLogPassChangeTests, self).tearDown()
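Review bot: `_authDescription` now returns a fixed string, and nothing in the method says why the older `samr_ChangePasswordUser3` description is no longer expected. A one-line comment would help whoever next debugs a failing auth-log assertion, for example `# gnutls_pbkdf2() is always available (GnuTLS >= 3.6.13), so the AES-based ChangePasswordUser4 call is what gets logged`. The rest of the class is outside the hunk, so it cannot be judged from here whether this suite still exercises the ChangePasswordUser3 path anywhere.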
self.do_lockout_transaction(connect_samr)
def test_lockout_transaction_samr_aes(self):
- if not self.gnutls_pbkdf2_support:
- self.skipTest('gnutls_pbkdf2() is not available')
self.do_lockout_transaction(connect_samr_aes)
def test_lockout_transaction_ldap_pw_change(self):
self.do_lockout_transaction(connect_samr, correct_pw=False)
def test_lockout_transaction_bad_pwd_samr_aes(self):
- if not self.gnutls_pbkdf2_support:
- self.skipTest('gnutls_pbkdf2() is not available')
self.do_lockout_transaction(connect_samr_aes, correct_pw=False)
def test_lockout_transaction_bad_pwd_ldap_pw_change(self):
self.do_bad_pwd_count_transaction(connect_samr)
def test_bad_pwd_count_transaction_samr_aes(self):
- if not self.gnutls_pbkdf2_support:
- self.skipTest('gnutls_pbkdf2() is not available')
self.do_bad_pwd_count_transaction(connect_samr_aes)
def test_bad_pwd_count_transaction_ldap_pw_change(self):
self.do_lockout_race(connect_samr)
def test_lockout_race_samr_aes(self):
- if not self.gnutls_pbkdf2_support:
- self.skipTest('gnutls_pbkdf2() is not available')
self.do_lockout_race(connect_samr_aes)
def test_lockout_race_ldap_pw_change(self):
self.do_logon(connect_samr)
def test_logon_samr_aes(self):
- if not self.gnutls_pbkdf2_support:
- self.skipTest('gnutls_pbkdf2() is not available')
self.do_logon(connect_samr_aes)
def test_logon_ldap_pw_change(self):
full_sig_support = '0'
cls.full_sig_support = bool(int(full_sig_support))
- gnutls_pbkdf2_support = samba.tests.env_get_var_value(
- 'GNUTLS_PBKDF2_SUPPORT',
- allow_missing=True)
- if gnutls_pbkdf2_support is None:
- gnutls_pbkdf2_support = '1'
- cls.gnutls_pbkdf2_support = bool(int(gnutls_pbkdf2_support))
-
expect_pac = samba.tests.env_get_var_value('EXPECT_PAC',
allow_missing=True)
if expect_pac is None:
const char *newpassword,
NTSTATUS *presult)
{
-#ifdef HAVE_GNUTLS_PBKDF2
struct lsa_String server, user_account;
uint8_t old_nt_key_data[16] = {0};
gnutls_datum_t old_nt_key = {
data_blob_free(&ciphertext);
return status;
-#else /* HAVE_GNUTLS_PBKDF2 */
- return NT_STATUS_NOT_IMPLEMENTED;
-#endif /* HAVE_GNUTLS_PBKDF2 */
}
/* This function returns the bizzare set of (max_entries, max_size) required
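Review bot: The exit path shown here (`data_blob_free(&ciphertext); return status;`) has no visible wipe of `old_nt_key_data`, the 16-byte buffer declared at the top of the function that by its name holds key material derived from the old NT hash. With the `#ifdef` gone, this path is compiled in every build. The middle of the function is outside the hunk, so the buffer may already be cleared there; if it is not, add `BURN_DATA(old_nt_key_data);` before `return status;` and make sure any early-return paths reach it too. The libnet counterpart later in this commit burns `pwd_buf` before returning but declares the same `old_nt_key_data[16]`, so the same check applies there.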
NTSTATUS _samr_ChangePasswordUser4(struct pipes_struct *p,
struct samr_ChangePasswordUser4 *r)
{
-#ifdef HAVE_GNUTLS_PBKDF2
TALLOC_CTX *frame = talloc_stackframe();
struct dcesrv_call_state *dce_call = p->dce_call;
struct dcesrv_connection *dcesrv_conn = dce_call->conn;
}
return status;
-#else /* HAVE_GNUTLS_PBKDF2 */
- p->fault_state = DCERPC_FAULT_OP_RNG_ERROR;
- return NT_STATUS_NOT_IMPLEMENTED;
-#endif /* HAVE_GNUTLS_PBKDF2 */
}
/* include the generated boilerplate */
const char *new_password,
const char **error_string)
{
-#ifdef HAVE_GNUTLS_PBKDF2
struct samr_ChangePasswordUser4 r;
uint8_t old_nt_key_data[16] = {0};
gnutls_datum_t old_nt_key = {
BURN_DATA(pwd_buf);
return status;
-#else /* HAVE_GNUTLS_PBKDF2 */
- return NT_STATUS_NOT_IMPLEMENTED;
-#endif /* HAVE_GNUTLS_PBKDF2 */
}
static NTSTATUS libnet_ChangePassword_samr_rc4(TALLOC_CTX *mem_ctx,
TALLOC_CTX *mem_ctx,
struct samr_ChangePasswordUser4 *r)
{
-#ifdef HAVE_GNUTLS_PBKDF2
struct ldb_context *sam_ctx = NULL;
struct ldb_message *msg = NULL;
struct ldb_dn *dn = NULL;
}
return status;
-#else /* HAVE_GNUTLS_PBKDF2 */
- DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
-#endif /* HAVE_GNUTLS_PBKDF2 */
}
static NTSTATUS dcesrv_samr_ChangePasswordUser_impl(struct dcesrv_call_state *dce_call,
else:
full_sig_support = 0
-gnutls_pbkdf2_support = int('HAVE_GNUTLS_PBKDF2' in config_hash)
-
if 'HAVE_MIT_KRB5_1_20' in config_hash:
kadmin_is_tgs = 1
else:
'COMPOUND_ID_SUPPORT': compound_id_support,
'TKT_SIG_SUPPORT': tkt_sig_support,
'FULL_SIG_SUPPORT': full_sig_support,
- 'GNUTLS_PBKDF2_SUPPORT': gnutls_pbkdf2_support,
'EXPECT_PAC': expect_pac,
'EXPECT_EXTRA_PAC_BUFFERS': extra_pac_buffers,
'CHECK_CNAME': check_cname,
environ={'CLIENT_IP': '10.53.57.11',
'SOCKET_WRAPPER_DEFAULT_IFACE': 11})
planoldpythontestsuite("ad_dc_smb1", "samba.tests.auth_log_pass_change",
- extra_args=['-U"$USERNAME%$PASSWORD"'],
- environ={'GNUTLS_PBKDF2_SUPPORT': gnutls_pbkdf2_support})
+ extra_args=['-U"$USERNAME%$PASSWORD"'])
planoldpythontestsuite("ad_dc_ntvfs", "samba.tests.auth_log_pass_change",
- extra_args=['-U"$USERNAME%$PASSWORD"'],
- environ={'GNUTLS_PBKDF2_SUPPORT': gnutls_pbkdf2_support})
+ extra_args=['-U"$USERNAME%$PASSWORD"'])
# these tests use a NCA local RPC connection, so always run on the
# :local testenv, and so don't need to fake a client connection
"samba.tests.auth_log_winbind",
extra_args=['-U"$DC_USERNAME%$DC_PASSWORD"'])
planoldpythontestsuite("ad_dc", "samba.tests.audit_log_pass_change",
- extra_args=['-U"$USERNAME%$PASSWORD"'],
- environ={'GNUTLS_PBKDF2_SUPPORT': gnutls_pbkdf2_support})
+ extra_args=['-U"$USERNAME%$PASSWORD"'])
planoldpythontestsuite("ad_dc", "samba.tests.audit_log_dsdb",
extra_args=['-U"$USERNAME%$PASSWORD"'])
planoldpythontestsuite("ad_dc", "samba.tests.group_audit",
char **password,
const char *newpassword)
{
-#ifdef HAVE_GNUTLS_PBKDF2
struct dcerpc_binding_handle *b = p->binding_handle;
struct samr_ChangePasswordUser4 r;
const char *oldpassword = *password;
torture_assert_ntstatus_ok(tctx, status, "ChangePasswordUser4 failed");
*password = talloc_strdup(tctx, newpassword);
-#endif /* HAVE_GNUTLS_PBKDF2 */
return true;
}
# Check for gnutls_set_default_priority_append (>= 3.6.3)
conf.CHECK_FUNCS_IN('gnutls_set_default_priority_append', 'gnutls')
-# Check for gnutls_pbkdf2 (>= 3.6.13)
-conf.CHECK_FUNCS_IN('gnutls_pbkdf2', 'gnutls')
-
# Check for gnutls_aead_cipher_encryptv2
#
# This is available since version 3.6.10, but 3.6.10 has a bug which got fixed