A list of the crypto operations that we require, and what uses them.

This list is to allow research into using external crypto libraries.
Those possibly supported in the git version of GnuTLS are indicated as '# GNUTLS'.
Those possibly supported in the git version of nettle are indicated as '# NETTLE'.

For Samba AD with Heimdal, GnuTLS >= 3.0.0 is required.
For Samba AD with MIT Kerberos, GnuTLS >= 3.4.7 is required.
Samba FS with MS Catalog support will require GnuTLS >= 3.5.6.

GnuTLS milestone for Samba support:
- https://gitlab.com/gnutls/gnutls/milestones/14

- Password encryption on SAMR for password set/get
- NETLOGON SamLogon session keys

- DRSUAPI replication replicated secrets

- NTLM challenge-response
- LSA QuerySecret et al.
- NETLOGON SamLogon session keys
- ServerGetTrustInfo returned passwords
- RID encryption of passwords

# No support in GnuTLS; it cannot be a certified use of crypto
# NETTLE (any version)

- NETLOGON Credentials (can't find any use in Samba)

- backupkey (uses the Heimdal lib, or GnuTLS with MIT krb5)

# GnuTLS >= 3.4.7 (3DES CBC with a 192-bit key is supported); can no longer be a certified use of crypto

- DRSUAPI replication replicated secrets

AES 128 in 8-bit CFB mode

- NETLOGON SamLogon session keys

# Missing in GNUTLS -> bug opened
# NETTLE 3.4 contains CFB, possibly only the 128-bit (full-block) segment mode, not CFB8 (AES-NI available)
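AES-128 in 8-bit CFB mode (CFB8) is the mode the NETLOGON entry above needs and the one noted as missing from GnuTLS. It is straightforward to build from the raw AES block function, which every library exposes: for each byte, encrypt a 16-byte shift register, XOR the first keystream byte with the data byte, and shift the resulting ciphertext byte into the register. The Go program below is an added example written for this page; it is not Samba, GnuTLS or nettle code. The function names cfb8Encrypt/cfb8Decrypt are mine, and the known-answer check uses the published NIST SP 800-38A Appendix F.3.7 CFB8-AES128 vector.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"encoding/hex"
	"fmt"
	"log"
)

// cfb8Encrypt implements CFB mode with an 8-bit segment size (CFB8) on top of
// Go's raw AES block function. Go's cipher.NewCFBEncrypter is CFB128 (one full
// block per segment), so CFB8 has to be spelled out byte by byte.
func cfb8Encrypt(key, iv, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(iv) != block.BlockSize() {
		return nil, fmt.Errorf("cfb8: IV must be %d bytes, got %d", block.BlockSize(), len(iv))
	}
	reg := append([]byte(nil), iv...) // working copy; never mutate the caller's IV
	tmp := make([]byte, block.BlockSize())
	out := make([]byte, len(plaintext))
	for i, p := range plaintext {
		block.Encrypt(tmp, reg) // keystream for this byte is E_K(register)[0]
		c := tmp[0] ^ p
		out[i] = c
		copy(reg, reg[1:])  // shift the register left by one byte ...
		reg[len(reg)-1] = c // ... and feed the ciphertext byte back in
	}
	return out, nil
}

// cfb8Decrypt mirrors cfb8Encrypt: the keystream byte is produced the same
// way, but the byte shifted into the register is the received ciphertext byte.
func cfb8Decrypt(key, iv, ciphertext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(iv) != block.BlockSize() {
		return nil, fmt.Errorf("cfb8: IV must be %d bytes, got %d", block.BlockSize(), len(iv))
	}
	reg := append([]byte(nil), iv...)
	tmp := make([]byte, block.BlockSize())
	out := make([]byte, len(ciphertext))
	for i, c := range ciphertext {
		block.Encrypt(tmp, reg)
		out[i] = tmp[0] ^ c
		copy(reg, reg[1:])
		reg[len(reg)-1] = c
	}
	return out, nil
}

// mustHex decodes the constructed test inputs used in main.
func mustHex(s string) []byte {
	b, err := hex.DecodeString(s)
	if err != nil {
		log.Fatal(err)
	}
	return b
}

func main() {
	// Known-answer test from NIST SP 800-38A, Appendix F.3.7 (CFB8-AES128.Encrypt).
	key := mustHex("2b7e151628aed2a6abf7158809cf4f3c")
	iv := mustHex("000102030405060708090a0b0c0d0e0f")
	pt := mustHex("6bc1bee22e409f96e93d7e117393172aae2d")
	want := mustHex("3b79424c9c0dd436bace9e0ed4586a4f32b9")

	ct, err := cfb8Encrypt(key, iv, pt)
	if err != nil {
		log.Fatal(err)
	}
	back, err := cfb8Decrypt(key, iv, ct)
	if err != nil {
		log.Fatal(err)
	}
	fmt.Printf("ciphertext %x\nmatches NIST vector: %v\nround trip ok: %v\n",
		ct, bytes.Equal(ct, want), bytes.Equal(back, pt))
}
```

Two things worth noticing when wiring a mode like this onto a library primitive: only the block-encrypt direction is ever needed (decryption also runs the block cipher forward), and the IV length must be checked up front, since a short register would silently weaken the keystream rather than fail.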
- SMB2 2.24 SMB encryption

# NETTLE (AES-NI available)

- SMB2 3.10 SMB encryption
- encrypted_secrets ldb module (encrypt secrets within sam.ldb)

# NETTLE (AES-NI available)

- SMB2 0x224 SMB signing

# Missing in GNUTLS -> bug opened
# Missing in NETTLE -> bug opened
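The SMB2 0x224 signing entry above is listed as missing from both GnuTLS and nettle. Like CFB8, AES-CMAC (RFC 4493 / NIST SP 800-38B) needs nothing from a library beyond the raw AES block encrypt: two subkeys are derived from E_K(0), the message is run through CBC-MAC, and the final block is XORed with K1 (if complete) or padded and XORed with K2. The Go program below is an added example written for this page, not Samba, GnuTLS or nettle code; the function names aesCMAC, cmacSubkeys and aesCMACVerify are mine, and the expected values come from the RFC 4493 section 4 test vectors.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
	"log"
)

// rb is the constant from RFC 4493 / SP 800-38B for doubling in GF(2^128).
const rb = 0x87

// doubleGF128 returns in*2 in GF(2^128): a one-bit left shift, XORing rb into
// the low byte when the bit shifted out of the top was set.
func doubleGF128(in []byte) []byte {
	out := make([]byte, len(in))
	var carry byte
	for i := len(in) - 1; i >= 0; i-- {
		out[i] = in[i]<<1 | carry
		carry = in[i] >> 7
	}
	if carry != 0 {
		out[len(out)-1] ^= rb
	}
	return out
}

// cmacSubkeys derives K1 and K2 from L = E_K(0^128) (RFC 4493 section 2.3).
func cmacSubkeys(block cipher.Block) (k1, k2 []byte) {
	l := make([]byte, block.BlockSize())
	block.Encrypt(l, make([]byte, block.BlockSize()))
	k1 = doubleGF128(l)
	k2 = doubleGF128(k1)
	return k1, k2
}

// xorInto sets dst[i] ^= src[i] for the length of dst.
func xorInto(dst, src []byte) {
	for i := range dst {
		dst[i] ^= src[i]
	}
}

// aesCMAC returns the 16-byte AES-CMAC tag of msg under key.
func aesCMAC(key, msg []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	bs := block.BlockSize()
	k1, k2 := cmacSubkeys(block)

	// Block count; an empty message is treated as one padded block.
	n := (len(msg) + bs - 1) / bs
	lastIsComplete := n > 0 && len(msg)%bs == 0
	if n == 0 {
		n = 1
	}

	// Final block: M_n ^ K1 if it is a full block, else pad10*(M_n) ^ K2.
	last := make([]byte, bs)
	tail := msg[(n-1)*bs:]
	copy(last, tail)
	if lastIsComplete {
		xorInto(last, k1)
	} else {
		last[len(tail)] = 0x80
		xorInto(last, k2)
	}

	// CBC-MAC over the first n-1 blocks, then the adjusted final block.
	x := make([]byte, bs)
	y := make([]byte, bs)
	for i := 0; i < n-1; i++ {
		copy(y, x)
		xorInto(y, msg[i*bs:(i+1)*bs])
		block.Encrypt(x, y)
	}
	copy(y, x)
	xorInto(y, last)
	block.Encrypt(x, y)
	return x, nil
}

// aesCMACVerify recomputes the tag and compares it in constant time; a
// receiver checking a signature should never use a plain byte comparison.
func aesCMACVerify(key, msg, tag []byte) bool {
	want, err := aesCMAC(key, msg)
	if err != nil || len(tag) != len(want) {
		return false
	}
	return subtle.ConstantTimeCompare(want, tag) == 1
}

func main() {
	// Known-answer test from RFC 4493 section 4 (AES-128 key, 40-byte message).
	key, _ := hex.DecodeString("2b7e151628aed2a6abf7158809cf4f3c")
	m40, _ := hex.DecodeString("6bc1bee22e409f96e93d7e117393172a" +
		"ae2d8a571e03ac9c9eb76fac45af8e51" + "30c81c46a35ce411")
	tag, err := aesCMAC(key, m40)
	if err != nil {
		log.Fatal(err)
	}
	fmt.Printf("AES-CMAC = %x\n", tag) // dfa66747de9ae63030ca32611497c827
	fmt.Println("verify:", aesCMACVerify(key, m40, tag))
	tag[0] ^= 1
	fmt.Println("verify tampered:", aesCMACVerify(key, m40, tag))
}
```

The empty-message case (n forced to 1, padded block XORed with K2) and the full-final-block case (XOR with K1, no padding) are the two branches implementations most often get wrong; both are covered by the RFC vectors.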
# Cannot be certified; considered non-crypto

- NTLM2 (can be considered non-crypto use of MD5)
- SCHANNEL (it's OK to fail in FIPS 140 mode, as there are alternatives)
- NTLMSSP (it's OK to fail in FIPS 140 mode; replaced by Kerberos)
- NETLOGON computer credentials (it's OK to fail in FIPS 140 mode, as there are alternatives)
- DRSUAPI blob encryption (can be considered non-crypto use, as it is carried over DCE-RPC, which is itself encrypted)
- SAMR/wkssvc password change/set encryption

- passdb old password history format
- dsdb password_hash module

Maybe use gnutls_fips140_mode_enabled() and, when in FIPS mode, enable only SMB2/3?

# GNUTLS >= 3.0.0 (will fail in FIPS mode; for non-crypto use see https://gitlab.com/gnutls/gnutls/merge_requests/572; open bug for RC4 and MD5 being available for non-crypto use)

# GNUTLS >= 3.0.0 (non-crypto)

- SMB2 < 2.24 SMB signing
- SMB2 key derivation

- BackupKey ServerWrap

- Security Descriptor hash for vfs_acl_xattr

- SMB2 pre-auth integrity verification
- BackupKey ClientWrap

- BackupKey ClientWrap

Use gnutls_rnd() in generate_random_buffer() to increase speed.