dsdb encrypted secrets module
Encrypt the samba secret attributes on disk. This is intended to mitigate the inadvertent disclosure of the sam.ldb file, and to mitigate memory read attacks. Currently the key file is stored in the same directory as sam.ldb but this could be changed at a later date to use an HSM or similar mechanism to protect the key. Data is encrypted with AES 128 GCM. GnuTLS is used for the encryption where it is available and supports the AES 128 GCM AEAD mode; otherwise nettle is used. Signed-off-by: Gary Lockyer <gary@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This commit is contained in:
parent
b29ab3a0c1
commit
1d3ae2d92f
@ -721,4 +721,34 @@ interface drsblobs {
|
||||
[nopython] void decode_ForestTrustInfo(
|
||||
[in] ForestTrustInfo blob
|
||||
);
|
||||
|
||||
typedef enum {
|
||||
ENC_SECRET_AES_128_AEAD = 1
|
||||
} EncryptedSecretAlgorithm;
|
||||
|
||||
const uint32 ENCRYPTED_SECRET_MAGIC_VALUE = 0xCA5CADED;
|
||||
|
||||
typedef [public] struct {
|
||||
DATA_BLOB cleartext;
|
||||
} PlaintextSecret;
|
||||
|
||||
/* The AEAD routines uses this as the additional authenticated data */
|
||||
typedef [public] struct {
|
||||
uint32 magic;
|
||||
uint32 version;
|
||||
uint32 algorithm;
|
||||
uint32 flags;
|
||||
} EncryptedSecretHeader;
|
||||
|
||||
typedef [public] struct {
|
||||
/*
|
||||
* The iv is before the header to ensure that the first bytes of
|
||||
* the encrypted values are not predictable.
|
||||
* We do this so that if the decryption gets disabled, we don't
|
||||
* end up with predictable unicodePasswords.
|
||||
*/
|
||||
DATA_BLOB iv;
|
||||
EncryptedSecretHeader header;
|
||||
[flag(NDR_REMAINING)] DATA_BLOB encrypted;
|
||||
} EncryptedSecret;
|
||||
}
|
||||
|
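Review bot: `EncryptedSecretHeader` documents itself only as "the additional authenticated data" and says nothing about which `version`, `algorithm` or `flags` values a decoder may accept; because the AAD is only integrity-checked once the GCM tag verifies, the consumer has to validate `magic`, `version` and `algorithm` itself before selecting a cipher, and unknown `flags` bits should be rejected rather than ignored. I would extend the struct comment to `/* AAD for the AEAD. A decoder must check magic == ENCRYPTED_SECRET_MAGIC_VALUE, a version it knows and an EncryptedSecretAlgorithm it supports, and reject unknown flags bits, before attempting decryption. */` — hedged, since those checks may well live in encrypted_secrets.c, whose diff is suppressed on this page. Likewise `iv` is an unbounded `DATA_BLOB`; the note above it explains its position but not its expected length, so stating it (AES-GCM is normally used with a 96-bit nonce) would make clear that `iv.length` must be checked on the way in rather than handed to the AEAD as-is.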
1755
source4/dsdb/samdb/ldb_modules/encrypted_secrets.c
Normal file
1755
source4/dsdb/samdb/ldb_modules/encrypted_secrets.c
Normal file
1186
source4/dsdb/samdb/ldb_modules/tests/test_encrypted_secrets.c
Normal file
1186
source4/dsdb/samdb/ldb_modules/tests/test_encrypted_secrets.c
Normal file
@ -12,6 +12,38 @@ def set_options(opt):
|
||||
return
|
||||
|
||||
def configure(conf):
|
||||
conf.SET_TARGET_TYPE('nettle', 'EMPTY')
|
||||
if conf.CHECK_CFG(
|
||||
package="nettle",
|
||||
args="--cflags --libs",
|
||||
msg='Checking for nettle support'):
|
||||
|
||||
if conf.CHECK_FUNCS_IN(
|
||||
'nettle_gcm_aes_encrypt',
|
||||
'nettle',
|
||||
headers='nettle/gcm.h'):
|
||||
|
||||
conf.DEFINE('HAVE_NETTLE_AES_GCM', '1')
|
||||
else:
|
||||
Logs.warn('No nettle support for AES GCM')
|
||||
else:
|
||||
Logs.warn('No nettle encryption libraries')
|
||||
|
||||
if conf.env.HAVE_GNUTLS:
|
||||
if conf.CHECK_FUNCS_IN(
|
||||
'gnutls_aead_cipher_init',
|
||||
'gnutls',
|
||||
headers='gnutls/gnutls.h'):
|
||||
|
||||
conf.DEFINE('HAVE_GNUTLS_AEAD', '1')
|
||||
else:
|
||||
Logs.warn('No gnutls support for AEAD encryption')
|
||||
|
||||
if not conf.env.HAVE_GNUTLS_AEAD and not conf.env.HAVE_NETTLE_AES_GCM:
|
||||
conf.fatal("No AES GCM AEAD support"
|
||||
"Try installing gnutls if that does not support AEAD "
|
||||
"try installing nettle-dev or nettle-devel")
|
||||
|
||||
conf.SET_TARGET_TYPE('gpgme', 'EMPTY')
|
||||
|
||||
if Options.options.with_gpgme != False:
|
||||
|
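Review bot: The `conf.fatal` call that ends the AES GCM probe is built from adjacent string literals with no separator, so the message a packager sees reads `No AES GCM AEAD supportTry installing gnutls if that does not support AEAD try installing nettle-dev or nettle-devel`; change the first two literals to `"No AES GCM AEAD support. "` and `"Try installing gnutls; if that does not support AEAD, "` so the hint is readable. Separately, the nettle branch logs `No nettle encryption libraries` / `No nettle support for AES GCM` even when the GnuTLS AEAD check immediately after succeeds and GnuTLS is the backend that will be used, which is noise on the common configuration — the final fatal already covers the case where neither backend is present, so those warnings could be dropped or downgraded. The `configure` function continues past the hunk (the gpgme block begins at its last lines).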
@ -28,6 +28,19 @@ bld.SAMBA_BINARY('test_unique_object_sids',
|
||||
DSDB_MODULE_HELPERS
|
||||
''',
|
||||
install=False)
|
||||
bld.SAMBA_BINARY('test_encrypted_secrets',
|
||||
source='tests/test_encrypted_secrets.c',
|
||||
deps='''
|
||||
talloc
|
||||
samba-util
|
||||
samdb-common
|
||||
samdb
|
||||
cmocka
|
||||
nettle
|
||||
gnutls
|
||||
DSDB_MODULE_HELPERS
|
||||
''',
|
||||
install=False)
|
||||
|
||||
if bld.AD_DC_BUILD_IS_ENABLED():
|
||||
bld.PROCESS_SEPARATE_RULE("server")
|
||||
|
@ -409,3 +409,20 @@ bld.SAMBA_MODULE('ldb_unique_object_sids',
|
||||
deps='samdb-common DSDB_MODULE_HELPERS',
|
||||
subsystem='ldb'
|
||||
)
|
||||
|
||||
bld.SAMBA_MODULE('ldb_encrypted_secrets',
|
||||
source='encrypted_secrets.c',
|
||||
subsystem='ldb',
|
||||
init_function='ldb_encrypted_secrets_module_init',
|
||||
module_init_name='ldb_init_module',
|
||||
internal_module=False,
|
||||
deps='''
|
||||
talloc
|
||||
samba-util
|
||||
samdb-common
|
||||
DSDB_MODULE_HELPERS
|
||||
samdb
|
||||
nettle
|
||||
gnutls
|
||||
'''
|
||||
)
|
||||
|
@ -332,5 +332,6 @@ struct dsdb_extended_sec_desc_propagation_op {
|
||||
#define SAMBA_FEATURES_SUPPORTED_FLAG "@SAMBA_FEATURES_SUPPORTED"
|
||||
|
||||
#define SAMBA_SORTED_LINKS_FEATURE "sortedLinks"
|
||||
#define SAMBA_ENCRYPTED_SECRETS_FEATURE "encryptedSecrets"
|
||||
|
||||
#endif /* __SAMDB_H__ */
|
||||
|
@ -1008,3 +1008,5 @@ for env in ["ad_dc_ntvfs", "ad_dc", "fl2000dc", "fl2003dc", "fl2008r2dc", 'vampi
|
||||
#
|
||||
plantestsuite("samba4.dsdb.samdb.ldb_modules.unique_object_sids" , "none",
|
||||
[os.path.join(bindir(), "test_unique_object_sids")])
|
||||
plantestsuite("samba4.dsdb.samdb.ldb_modules.encrypted_secrets", "none",
|
||||
[os.path.join(bindir(), "test_encrypted_secrets")])
|
||||
|