diff options
Diffstat (limited to '')
-rw-r--r-- | lib/crypto/REQUIREMENTS | 139 |
1 files changed, 139 insertions, 0 deletions
diff --git a/lib/crypto/REQUIREMENTS b/lib/crypto/REQUIREMENTS new file mode 100644 index 0000000..5ebf3ba --- /dev/null +++ b/lib/crypto/REQUIREMENTS @@ -0,0 +1,139 @@ +A list of the crypto operations that we require, and what uses them. + +This list is to allow research into using external crypto libraries. +Those possibly supported in the git version of GnuTLS are indicated as '# GNUTLS' +Those possibly supported in the git version of nettle are indicated as '# NETTLE' + +Samba in general gnutls >= 3.4.7 is required +Samba FS with MS Catalog support will require gnutls >= 3.5.6 + +GnuTLS Milestone for Samba support: + - https://gitlab.com/gnutls/gnutls/milestones/14 + +ARCFOUR (RC4) + - the old SamOEMHash + - Password encryption on SAMR for password set/get + - NETLOGON SamLogon session keys + - Schannel + - DRSUAPI replication replicated secrets + + # GNUTLS >= 3.0.0 + # NETTLE + +DES + - NTLM challenge-response + - LSA QuerySecret et al + - NETLOGON SamLogon session keys + - ServerGetTrustInfo returned passwords + - RID encryption of passwords + + # No support in gnutls, it cannot be a certified use of crypto + # NETTLE (any version) + +3DES + - NETLOGON Credentials (can't find any use in Samba) + +3DES-CBC + - backupkey (uses heimdal lib or gnutls with mit krb5) + + # gnutls >= 3.4.7 (3des cbc with 192 bit key is supported); can no longer be a certified use of crypto + # NETTLE + +CRC32 + - DRSUAPI replication replicated secrets + +This is no crypto + +AES 128 in 8-bit CFB mode + - SCHANNEL + - NETLOGON SamLogon session keys + + # Missing in GNUTLS -> Bug opened + # NETTLE 3.4 contains CFB - possibly 128-bit mode (AES-NI available) + +AES128 CCM + - SMB2 2.24 SMB encryption + + # GNUTLS >= 3.4.0 + # NETTLE (AES-NI available) + +AES128 GCM + - SMB2 3.10 SMB encryption + - encrypted_secrets ldb module (encrypt secrets within sam.ldb) + + # GNUTLS >= 3.0.0 + # NETTLE (AES-NI available) + +AES128 CMAC + - SMB2 0x224 SMB Signing + + # Missing in GNUTLS - > Bug opened + # Missing in NETTLE -> Bug opened + +MD4 + - NTLM password hash + + # Cannot be certified; considered non-crypto + # NETTLE + +MD5 + - NTLM2 (can be considered non-crypto use of MD5) + - SCHANNEL (it's ok to fail in FIPS140 mode, as there are alternatives) + - NTLMSSP (it's ok to fail in FIPS140 mode, replaced by kerberos) + - NETLOGON computer credentials (it's ok to fail in FIPS140 mode, as there are alternatives) + - DRSUAPI blob encryption (can be considered non-crypto use as it is over DC-RPC which is encrypted) + - SAMR/wkssvc password change/set encryption + - vfs_fruit + - vfs_streams_xattr + - passdb old password history format + - dsdb password_hash module + - SMB1 SMB signing + - NTP ntp_signd + +maybe use gnutls_fips140_mode_enabled() and enable only SMB2/3 when in fips mode? + + # GNUTLS >= 3.0.0 (Will fail in FIPS mode, for non-crypto -> https://gitlab.com/gnutls/gnutls/merge_requests/572 , open bug for RC4, MD5 being available for non-crypto use ) + # NETTLE + +HMAC-MD5 + - NTLMv2 + + # GNUTLS >= 3.0.0 (non-crypto) + # NETTLE + +HMAC-SHA256 + - SMB2 < 2.24 SMB signing + - SMB2 Key derivation + + # GNUTLS (>= 3.0.0) + # NETTLE + +HMAC-SHA1 + - BackupKey ServerWrap + + # GNUTLS (>= 3.0.0) + # NETTLE + +SHA256 + - Security Descriptor hash for vfs_acl_xattr + - oLschema2ldif + + # GNUTLS (>= 3.0.0) + # NETTLE + +SHA512 + - SMB2 Pre-auth integrity verification + - BackupKey ClientWrap + + # GNUTLS (>= 3.0.0) + # NETTLE + +RSA + - BackupKey ClientWrap + + # GNUTLS (>= 3.0.0) + # NETTLE + + +GNUTLS +Use gnutls_rnd() in generate_random_buffer() to increase speed |