Diffstat (limited to 'lib/crypto/REQUIREMENTS')
-rw-r--r--lib/crypto/REQUIREMENTS139
1 files changed, 139 insertions, 0 deletions
diff --git a/lib/crypto/REQUIREMENTS b/lib/crypto/REQUIREMENTS
new file mode 100644
index 0000000..5ebf3ba
--- /dev/null
+++ b/lib/crypto/REQUIREMENTS
@@ -0,0 +1,139 @@
+A list of the crypto operations that we require, and what uses them.
+
+This list is to allow research into using external crypto libraries.
+Those possibly supported in the git version of GnuTLS are indicated as '# GNUTLS'
+Those possibly supported in the git version of nettle are indicated as '# NETTLE'
+
+Samba in general gnutls >= 3.4.7 is required
+Samba FS with MS Catalog support will require gnutls >= 3.5.6
+
+GnuTLS Milestone for Samba support:
+ - https://gitlab.com/gnutls/gnutls/milestones/14
+
+ARCFOUR (RC4)
+ - the old SamOEMHash
+ - Password encryption on SAMR for password set/get
+ - NETLOGON SamLogon session keys
+ - Schannel
+ - DRSUAPI replication replicated secrets
+
+ # GNUTLS >= 3.0.0
+ # NETTLE
+
+DES
+ - NTLM challenge-response
+ - LSA QuerySecret et al
+ - NETLOGON SamLogon session keys
+ - ServerGetTrustInfo returned passwords
+ - RID encryption of passwords
+
+ # No support in gnutls, it cannot be a certified use of crypto
+ # NETTLE (any version)
+
+3DES
+ - NETLOGON Credentials (can't find any use in Samba)
+
+3DES-CBC
+ - backupkey (uses heimdal lib or gnutls with mit krb5)
+
+ # gnutls >= 3.4.7 (3des cbc with 192 bit key is supported); can no longer be a certified use of crypto
+ # NETTLE
+
+CRC32
+ - DRSUAPI replication replicated secrets
+
+This is no crypto
+
+AES 128 in 8-bit CFB mode
+ - SCHANNEL
+ - NETLOGON SamLogon session keys
+
+ # Missing in GNUTLS -> Bug opened
+ # NETTLE 3.4 contains CFB - possibly 128-bit mode (AES-NI available)
+
+AES128 CCM
+ - SMB2 2.24 SMB encryption
+
+ # GNUTLS >= 3.4.0
+ # NETTLE (AES-NI available)
+
+AES128 GCM
+ - SMB2 3.10 SMB encryption
+ - encrypted_secrets ldb module (encrypt secrets within sam.ldb)
+
+ # GNUTLS >= 3.0.0
+ # NETTLE (AES-NI available)
+
+AES128 CMAC
+ - SMB2 0x224 SMB Signing
+
+ # Missing in GNUTLS - > Bug opened
+ # Missing in NETTLE -> Bug opened
+
+MD4
+ - NTLM password hash
+
+ # Cannot be certified; considered non-crypto
+ # NETTLE
+
+MD5
+ - NTLM2 (can be considered non-crypto use of MD5)
+ - SCHANNEL (it's ok to fail in FIPS140 mode, as there are alternatives)
+ - NTLMSSP (it's ok to fail in FIPS140 mode, replaced by kerberos)
+ - NETLOGON computer credentials (it's ok to fail in FIPS140 mode, as there are alternatives)
+ - DRSUAPI blob encryption (can be considered non-crypto use as it is over DC-RPC which is encrypted)
+ - SAMR/wkssvc password change/set encryption
+ - vfs_fruit
+ - vfs_streams_xattr
+ - passdb old password history format
+ - dsdb password_hash module
+ - SMB1 SMB signing
+ - NTP ntp_signd
+
+maybe use gnutls_fips140_mode_enabled() and enable only SMB2/3 when in fips mode?
+
+ # GNUTLS >= 3.0.0 (Will fail in FIPS mode, for non-crypto -> https://gitlab.com/gnutls/gnutls/merge_requests/572 , open bug for RC4, MD5 being available for non-crypto use )
+ # NETTLE
+
+HMAC-MD5
+ - NTLMv2
+
+ # GNUTLS >= 3.0.0 (non-crypto)
+ # NETTLE
+
+HMAC-SHA256
+ - SMB2 < 2.24 SMB signing
+ - SMB2 Key derivation
+
+ # GNUTLS (>= 3.0.0)
+ # NETTLE
+
+HMAC-SHA1
+ - BackupKey ServerWrap
+
+ # GNUTLS (>= 3.0.0)
+ # NETTLE
+
+SHA256
+ - Security Descriptor hash for vfs_acl_xattr
+ - oLschema2ldif
+
+ # GNUTLS (>= 3.0.0)
+ # NETTLE
+
+SHA512
+ - SMB2 Pre-auth integrity verification
+ - BackupKey ClientWrap
+
+ # GNUTLS (>= 3.0.0)
+ # NETTLE
+
+RSA
+ - BackupKey ClientWrap
+
+ # GNUTLS (>= 3.0.0)
+ # NETTLE
+
+
+GNUTLS
+Use gnutls_rnd() in generate_random_buffer() to increase speed
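Review bot: the SMB2 dialect identifiers are written three different ways in this hunk, which makes it unclear which dialect introduced each algorithm: "SMB2 2.24" (CCM) and "SMB2 < 2.24" (HMAC-SHA256 signing) use dotted form, "SMB2 0x224" (CMAC signing) uses the hex form, and "SMB2 3.10" (GCM) uses yet another; pick one notation and use it in all four entries. Three further points while the file is new: the "Bug opened" remarks for AES CFB and AES CMAC carry no bug-tracker URL, whereas the MD5 entry links its GnuTLS merge request, so please add the links so the research these notes are meant to support can be followed up; the 3DES entry ("can't find any use in Samba") has no "# GNUTLS" / "# NETTLE" availability lines like every other algorithm, so either add them or state explicitly that 3DES in that mode is not required; and the CRC32 remark "This is no crypto" sits unindented in the body rather than as an indented "# ..." note like the others, and the trailing "GNUTLS / Use gnutls_rnd() ..." lines read as a TODO rather than a requirement, so consider marking them as such so they are not mistaken for a required operation.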