mirror of
https://github.com/samba-team/samba.git
synced 2025-01-03 01:18:10 +03:00
5ae119e7e9
Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
140 lines
3.2 KiB
Plaintext
140 lines
3.2 KiB
Plaintext
A list of the crypto operations that we require, and what uses them.
|
|
|
|
This list is to allow research into using external crypto libraries.
|
|
Those possibly supported in the git version of GnuTLS are indicated as '# GNUTLS'
|
|
Those possibly supported in the git version of nettle are indicated as '# NETTLE'
|
|
|
|
Samba in general gnutls >= 3.4.7 is required
|
|
Samba FS with MS Catalog support will require gnutls >= 3.5.6
|
|
|
|
GnuTLS Milestone for Samba support:
|
|
- https://gitlab.com/gnutls/gnutls/milestones/14
|
|
|
|
ARCFOUR (RC4)
|
|
- the old SamOEMHash
|
|
- Password encryption on SAMR for password set/get
|
|
- NETLOGON SamLogon session keys
|
|
- Schannel
|
|
- DRSUAPI replication replicated secrets
|
|
|
|
# GNUTLS >= 3.0.0
|
|
# NETTLE
|
|
|
|
DES
|
|
- NTLM challenge-response
|
|
- LSA QuerySecret et al
|
|
- NETLOGON SamLogon session keys
|
|
- ServerGetTrustInfo returned passwords
|
|
- RID encryption of passwords
|
|
|
|
# No support in gnutls, it cannot be a certified use of crypto
|
|
# NETTLE (any version)
|
|
|
|
3DES
|
|
- NETLOGON Credentials (can't find any use in Samba)
|
|
|
|
3DES-CBC
|
|
- backupkey (uses heimdal lib or gnutls with mit krb5)
|
|
|
|
# gnutls >= 3.4.7 (3des cbc with 192 bit key is supported); can no longer be a certified use of crypto
|
|
# NETTLE
|
|
|
|
CRC32
|
|
- DRSUAPI replication replicated secrets
|
|
|
|
This is no crypto
|
|
|
|
AES 128 in 8-bit CFB mode
|
|
- SCHANNEL
|
|
- NETLOGON SamLogon session keys
|
|
|
|
# Missing in GNUTLS -> Bug opened
|
|
# NETTLE 3.4 contains CFB - possibly 128-bit mode (AES-NI available)
|
|
|
|
AES128 CCM
|
|
- SMB2 2.24 SMB encryption
|
|
|
|
# GNUTLS >= 3.4.0
|
|
# NETTLE (AES-NI available)
|
|
|
|
AES128 GCM
|
|
- SMB2 3.10 SMB encryption
|
|
- encrypted_secrets ldb module (encrypt secrets within sam.ldb)
|
|
|
|
# GNUTLS >= 3.0.0
|
|
# NETTLE (AES-NI available)
|
|
|
|
AES128 CMAC
|
|
- SMB2 0x224 SMB Signing
|
|
|
|
# Missing in GNUTLS - > Bug opened
|
|
# Missing in NETTLE -> Bug opened
|
|
|
|
MD4
|
|
- NTLM password hash
|
|
|
|
# Cannot be certified; considered non-crypto
|
|
# NETTLE
|
|
|
|
MD5
|
|
- NTLM2 (can be considered non-crypto use of MD5)
|
|
- SCHANNEL (it's ok to fail in FIPS140 mode, as there are alternatives)
|
|
- NTLMSSP (it's ok to fail in FIPS140 mode, replaced by kerberos)
|
|
- NETLOGON computer credentials (it's ok to fail in FIPS140 mode, as there are alternatives)
|
|
- DRSUAPI blob encryption (can be considered non-crypto use as it is over DC-RPC which is encrypted)
|
|
- SAMR/wkssvc password change/set encryption
|
|
- vfs_fruit
|
|
- vfs_streams_xattr
|
|
- passdb old password history format
|
|
- dsdb password_hash module
|
|
- SMB1 SMB signing
|
|
- NTP ntp_signd
|
|
|
|
maybe use gnutls_fips140_mode_enabled() and enable only SMB2/3 when in fips mode?
|
|
|
|
# GNUTLS >= 3.0.0 (Will fail in FIPS mode, for non-crypto -> https://gitlab.com/gnutls/gnutls/merge_requests/572 , open bug for RC4, MD5 being available for non-crypto use )
|
|
# NETTLE
|
|
|
|
HMAC-MD5
|
|
- NTLMv2
|
|
|
|
# GNUTLS >= 3.0.0 (non-crypto)
|
|
# NETTLE
|
|
|
|
HMAC-SHA256
|
|
- SMB2 < 2.24 SMB signing
|
|
- SMB2 Key derivation
|
|
|
|
# GNUTLS (>= 3.0.0)
|
|
# NETTLE
|
|
|
|
HMAC-SHA1
|
|
- BackupKey ServerWrap
|
|
|
|
# GNUTLS (>= 3.0.0)
|
|
# NETTLE
|
|
|
|
SHA256
|
|
- Security Descriptor hash for vfs_acl_xattr
|
|
- oLschema2ldif
|
|
|
|
# GNUTLS (>= 3.0.0)
|
|
# NETTLE
|
|
|
|
SHA512
|
|
- SMB2 Pre-auth integrity verification
|
|
- BackupKey ClientWrap
|
|
|
|
# GNUTLS (>= 3.0.0)
|
|
# NETTLE
|
|
|
|
RSA
|
|
- BackupKey ClientWrap
|
|
|
|
# GNUTLS (>= 3.0.0)
|
|
# NETTLE
|
|
|
|
|
|
GNUTLS
|
|
Use gnutls_rnd() in generate_random_buffer() to increase speed
|