[SCM] Samba Shared Repository - branch v4-11-test updated

Karolin Seeger kseeger at samba.org
Wed Oct 16 20:40:03 UTC 2019


The branch, v4-11-test has been updated
       via  7f5334a92c4 s3:libsmb: Link libsmb against pthread
       via  6902275b6f3 nsswitch: Link stress-nss-libwbclient against pthread
       via  41e658f446a s3:libads: Do not turn on canonicalization flag for MIT Kerberos
       via  c191a37848b lib:krb5_wrap: Do not create a temporary file for MEMORY keytabs
       via  0d292ca72a3 spnego: fix server handling of no optimistic exchange
       via  f3a02fdf780 python/tests/gensec: add spnego downgrade python tests
       via  9c4cb9ba956 python/tests/gensec: make it possible to add knownfail tests for gensec.update()
       via  425ac58f58c selftest: add tests for no optimistic spnego exchange
       via  27982255d64 spnego: add client option to omit sending an optimistic token
       via  7e40d859283 selftest: s3: add a test for spnego downgrade from krb5 to ntlm
       via  5a6fed646c6 s3:libsmb: Do not check the SPNEGO neg token for KRB5
       via  88abbea5065 spnego: ignore server mech_types list
       via  c79e3957191 s3:smbd: add a comment explaining the File-ID semantics when a file is created
       via  f9803360061 s3:smbd: ensure a created stream picks up the File-ID from the basefile
       via  8f44a25e2a6 s3:lib: add is_named_stream()
       via  c48a5c6b8c9 s3:lib: use strequal_m() in is_ntfs_default_stream_smb_fname()
       via  42bc7f28e1a s3:lib: implement logic directly in is_ntfs_default_stream_smb_fname()
       via  23b4938c18a s3:lib: expand a comment with the function doc for is_ntfs_stream_smb_fname
       via  d7a2e7c3390 s3:lib: factor out stream name asserts to helper function
       via  2ef4d9883f4 s3:lib: assert stream_name is NULL for POSIX paths
       via  2da0f65cd91 s3:lib: rework a return expression into an if block
       via  2d62bd58db9 s3:smbd: when storing DOS attribute call dos_mode() beforehand
       via  459acf2728a s3:smbd: change the place where we call dos_mode() when processing SMB2_CREATE
       via  2204788e596 torture:smb2: add a File-ID test on directories
       via  f5c8dea0ae7 torture:smb2: extend test for File-IDs
       via  fc0efd56d05 auth/gensec: fix non-AES schannel seal
       via  8f4603fdc4e libcli/auth: add test for gensec_schannel code
       via  8d426b146e7 testprogs: Add test for 'net ads join createcomputer='
       via  440c8890798 s3:libads: Just change the machine password if account already exists
       via  8fa84176dbc s3:libnet: Improve debug messages
       via  86e86cddcb5 s3:libads: Fix creating machine account using LDAP
       via  e0be43a863b s3:libads: Don't set supported encryption types during account creation
       via  8cc6e035b6e s3:libads: Fix detection if account already exists in ads_find_machine_count()
       via  023a59d4262 s3:libads: Use a talloc_asprintf in ads_find_machine_acct()
       via  96ee2408f5c s3:libads: Cleanup error code paths in ads_create_machine_acct()
       via  2fa6dc27f37 s3:libnet: Require sealed LDAP SASL connections for joining
       via  90566a8ef44 s3:libads: Use ldap_add_ext_s() in ads_gen_add()
       via  adfcddc6815 testprogs: Fix failure count in test_net_ads.sh
       via  2ce14ef46a5 s3: smbclient: Stop an SMB2-connection from blundering into SMB1-specific calls.
       via  e8cba5a8a88 ctdb-vacuum: Process all records not deleted on a remote node
      from  42d530b0dbc winbind: provide passwd struct for group sid with ID_TYPE_BOTH mapping (again)

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-11-test


- Log -----------------------------------------------------------------
commit 7f5334a92c4a378f88c0ee8c5fde46dd087a9dc0
Author: Isaac Boukris <iboukris at gmail.com>
Date:   Tue Oct 15 17:01:48 2019 +0300

    s3:libsmb: Link libsmb against pthread
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14140
    
    Signed-off-by: Isaac Boukris <iboukris at gmail.com>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Alexander Bokovoy <ab at samba.org>
    (cherry picked from commit 7259197bf716f8b81dea74beefe6ee3b1239f172)
    
    Autobuild-User(v4-11-test): Karolin Seeger <kseeger at samba.org>
    Autobuild-Date(v4-11-test): Wed Oct 16 20:39:04 UTC 2019 on sn-devel-184

commit 6902275b6f3c337a4ba5d1fea3f1e0f81fa34a4a
Author: Isaac Boukris <iboukris at gmail.com>
Date:   Tue Oct 15 13:52:42 2019 +0300

    nsswitch: Link stress-nss-libwbclient against pthread
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14140
    
    Signed-off-by: Isaac Boukris <iboukris at gmail.com>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Alexander Bokovoy <ab at samba.org>
    (cherry picked from commit d473f1e38c2822746030516269b4d70032cf9b2e)

commit 41e658f446adaf4a373ece4fbb1d009a69a293dc
Author: Andreas Schneider <asn at samba.org>
Date:   Wed Oct 9 16:32:47 2019 +0200

    s3:libads: Do not turn on canonicalization flag for MIT Kerberos
    
    This partially reverts 303b7e59a286896888ee2473995fc50bb2b5ce5e.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14155
    
    Pair-Programmed-With: Isaac Boukris <iboukris at redhat.com>
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Signed-off-by: Isaac Boukris <iboukris at redhat.com>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    (cherry picked from commit 123584294cfd153acc2d9a5be9d71c395c847a25)

commit c191a37848ba01f503ee5fc5000d4ea1a1474500
Author: Andreas Schneider <asn at samba.org>
Date:   Wed Oct 9 20:11:03 2019 +0200

    lib:krb5_wrap: Do not create a temporary file for MEMORY keytabs
    
    The autobuild cleanup script fails with:
    
    The tree has 3 new uncommitted files!!!
    git clean -n
    Would remove MEMORY:tmp_smb_creds_SK98Lv
    Would remove MEMORY:tmp_smb_creds_kornU6
    Would remove MEMORY:tmp_smb_creds_ljR828
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    (cherry picked from commit d888655244b4d8ec7a69a042e0ff3c074585b0de)

commit 0d292ca72a389010306e79e7f782783b452cc603
Author: Isaac Boukris <iboukris at gmail.com>
Date:   Wed Sep 4 17:04:12 2019 +0300

    spnego: fix server handling of no optimistic exchange
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14106
    
    Signed-off-by: Isaac Boukris <iboukris at redhat.com>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    
    Autobuild-User(master): Andreas Schneider <asn at cryptomilk.org>
    Autobuild-Date(master): Sat Oct 12 15:51:42 UTC 2019 on sn-devel-184

commit f3a02fdf780578194d4ad722ebd822a04a2dd886
Author: Isaac Boukris <iboukris at gmail.com>
Date:   Fri Oct 11 00:20:16 2019 +0300

    python/tests/gensec: add spnego downgrade python tests
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14106
    
    Pair-Programmed-With: Andreas Schneider <asn at samba.org>
    
    Signed-off-by: Isaac Boukris <iboukris at gmail.com>
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit 9c4cb9ba9568e9ba0589f041959e71bb496313dd
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Oct 11 13:23:17 2019 +0200

    python/tests/gensec: make it possible to add knownfail tests for gensec.update()
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14106
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>

commit 425ac58f58c999007f740ca0362269977d1380e4
Author: Isaac Boukris <iboukris at gmail.com>
Date:   Wed Sep 4 16:39:43 2019 +0300

    selftest: add tests for no optimistic spnego exchange
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14106
    
    Signed-off-by: Isaac Boukris <iboukris at redhat.com>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit 27982255d6454841d3d17c8de3b3d4eac9d84adb
Author: Isaac Boukris <iboukris at gmail.com>
Date:   Wed Sep 4 16:31:21 2019 +0300

    spnego: add client option to omit sending an optimistic token
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14106
    
    Signed-off-by: Isaac Boukris <iboukris at redhat.com>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit 7e40d859283100791602c2504005f7c99ec86996
Author: Isaac Boukris <iboukris at gmail.com>
Date:   Mon Oct 7 23:51:19 2019 +0300

    selftest: s3: add a test for spnego downgrade from krb5 to ntlm
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14106
    
    Signed-off-by: Isaac Boukris <iboukris at redhat.com>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit 5a6fed646c6e8f679bcd2fc285406933f518146e
Author: Andreas Schneider <asn at samba.org>
Date:   Thu Oct 10 16:18:21 2019 +0200

    s3:libsmb: Do not check the SPNEGO neg token for KRB5
    
    The list is not protected and this could be a downgrade attack.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14106
    
    Pair-Programmed-With: Isaac Boukris <iboukris at redhat.com>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Signed-off-by: Isaac Boukris <iboukris at redhat.com>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit 88abbea50659a00a5881ef80ae885914b446d121
Author: Isaac Boukris <iboukris at gmail.com>
Date:   Thu Oct 3 13:09:29 2019 +0300

    spnego: ignore server mech_types list
    
    We should not use the mech list sent by the server in the last
    'negotiate' packet in CIFS protocol, as it is not protected and
    may be subject to downgrade attacks.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14106
    
    Signed-off-by: Isaac Boukris <iboukris at redhat.com>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit c79e39571910d52cb9336212417f072df82a98b2
Author: Ralph Boehme <slow at samba.org>
Date:   Thu Sep 26 10:41:37 2019 -0700

    s3:smbd: add a comment explaining the File-ID semantics when a file is created
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14137
    
    Signed-off-by: Ralph Boehme <slow at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>
    (cherry picked from commit c190f3efa9eb4f633df28074b481ff884b67e65f)

commit f98033600613e1c26d233063a99d2a7f7207a74f
Author: Ralph Boehme <slow at samba.org>
Date:   Tue Sep 24 12:49:38 2019 -0700

    s3:smbd: ensure a created stream picks up the File-ID from the basefile
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14137
    
    Signed-off-by: Ralph Boehme <slow at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>
    (cherry picked from commit 90a14c90c4bcede1ef5414e0800aa4c84cbcf1c9)

commit 8f44a25e2a630a28d908392603eae5987ec4e91e
Author: Ralph Boehme <slow at samba.org>
Date:   Thu Sep 26 10:05:40 2019 -0700

    s3:lib: add is_named_stream()
    
    Add a new utility function that checks whether a struct smb_filename points to
    a real named stream, excluding the default stream "::$DATA".
    
      foo           -> false
      foo::$DATA    -> false
      foo:bar       -> true
      foo:bar:$DATA -> true
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14137
    
    Signed-off-by: Ralph Boehme <slow at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>
    (cherry picked from commit 091e3fdab61217251de1cf5111f070ff295d1649)

commit c48a5c6b8c995595a519e9069e3efbe24291f190
Author: Ralph Boehme <slow at samba.org>
Date:   Wed Sep 25 11:29:04 2019 -0700

    s3:lib: use strequal_m() in is_ntfs_default_stream_smb_fname()
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14137
    
    Signed-off-by: Ralph Boehme <slow at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>
    (cherry picked from commit 780a8dcba998471bb154e8bae4391786b793e332)

commit 42bc7f28e1a1662f73bce606dbb3b862e399a40d
Author: Ralph Boehme <slow at samba.org>
Date:   Wed Sep 25 11:19:26 2019 -0700

    s3:lib: implement logic directly in is_ntfs_default_stream_smb_fname()
    
    This allows changing the semantics of is_ntfs_stream_smb_fname() in the next
    commit.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14137
    
    Signed-off-by: Ralph Boehme <slow at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>
    (cherry picked from commit 3f8bc1ce3e094f943363921c46803fd5ec9f73bb)

commit 23b4938c18a4f51609ca588878f935ef1eb6d9a2
Author: Ralph Boehme <slow at samba.org>
Date:   Thu Sep 26 10:38:06 2019 -0700

    s3:lib: expand a comment with the function doc for is_ntfs_stream_smb_fname
    
    Signed-off-by: Ralph Boehme <slow at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>
    (cherry picked from commit 2584b4cdeae3f83962cd11538cd4e441104c8274)

commit d7a2e7c33907ece55dad26c75b076aba3facc057
Author: Ralph Boehme <slow at samba.org>
Date:   Wed Sep 25 10:18:03 2019 -0700

    s3:lib: factor out stream name asserts to helper function
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14137
    
    Signed-off-by: Ralph Boehme <slow at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>
    (cherry picked from commit f9fdb8a2a6b9ad0fbb89a9734e81a8b1f527966f)

commit 2ef4d9883f4b11098e8666143192840a3b574b30
Author: Ralph Boehme <slow at samba.org>
Date:   Wed Sep 25 10:15:27 2019 -0700

    s3:lib: assert stream_name is NULL for POSIX paths
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14137
    
    Signed-off-by: Ralph Boehme <slow at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>
    (cherry picked from commit 6c1647ca7a2f68825c34e9ccc18b86ef911e14ac)

commit 2da0f65cd911e439d4c033f999a7549bc3610714
Author: Ralph Boehme <slow at samba.org>
Date:   Wed Sep 25 08:53:29 2019 -0700

    s3:lib: rework a return expression into an if block
    
    Needed to add additional stuff after the if block in the next commit.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14137
    
    Signed-off-by: Ralph Boehme <slow at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>
    (cherry picked from commit d7dc85990a177954925644f9ff332b3481a03cc7)

commit 2d62bd58db9f7c7e72b35ef1c62660107f06b8c9
Author: Ralph Boehme <slow at samba.org>
Date:   Mon Sep 23 15:16:58 2019 -0700

    s3:smbd: when storing DOS attribute call dos_mode() beforehand
    
    This is required to ensure File-ID info is populated with the correct on-disk
    value, before calling file_set_dosmode() which will update the on-disk value.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14137
    
    Signed-off-by: Ralph Boehme <slow at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>
    (cherry picked from commit 49a754b82d33fb523cda4151a865584ae52a2e2f)

commit 459acf2728aa0c3bc935227998cdc59ead5a2e7c
Author: Ralph Boehme <slow at samba.org>
Date:   Mon Sep 23 15:15:31 2019 -0700

    s3:smbd: change the place where we call dos_mode() when processing SMB2_CREATE
    
    This is needed for ordinary file or directory opens so the QFID create context
    response gets the correct File-ID value via dos_mode() from the DOS attributes
    xattr.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14137
    
    Signed-off-by: Ralph Boehme <slow at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>
    (cherry picked from commit e1dfaa2b038d91e43d8d34bf1526b7728dba58a5)

commit 2204788e596478d9635f1577ccb7dd76ed66e6a6
Author: Ralph Boehme <slow at samba.org>
Date:   Tue Sep 24 13:09:03 2019 -0700

    torture:smb2: add a File-ID test on directories
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14137
    
    Signed-off-by: Ralph Boehme <slow at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>
    (cherry picked from commit 300b47442b023532bd65417fcec04d811f40ef76)

commit f5c8dea0ae75e2d24fd3268e2b5b427cb81225c9
Author: Ralph Boehme <slow at samba.org>
Date:   Mon Sep 23 15:15:01 2019 -0700

    torture:smb2: extend test for File-IDs
    
    This now hopefully covers most possible combinations of creating and opening
    files, plus checking the file's File-ID after every operation.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14137
    
    Signed-off-by: Ralph Boehme <slow at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>
    (cherry picked from commit 432202413f4d11d761c62f46a50747fcb9b6f0cf)

commit fc0efd56d0584d8ca950ad837bd19e7341833dbf
Author: Günther Deschner <gd at samba.org>
Date:   Fri Sep 20 18:32:43 2019 +0200

    auth/gensec: fix non-AES schannel seal
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14134
    
    Guenther
    
    Signed-off-by: Guenther Deschner <gd at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    (cherry picked from commit 709d54d68a9c2cb3cda91d9ab63228a7adbaceb4)

commit 8f4603fdc4e096cfdfd6aa998b0aa399acb3a5b8
Author: Günther Deschner <gd at samba.org>
Date:   Wed Sep 25 23:44:49 2019 +0200

    libcli/auth: add test for gensec_schannel code
    
    Guenther
    
    Signed-off-by: Guenther Deschner <gd at samba.org>
    Pair-Programmed-With: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    (cherry picked from commit 7eae4280d23404be7d27f65a0c817bea2e0084b6)

commit 8d426b146e7f9ba04dc07779d810bd7c8fcd4b10
Author: Andreas Schneider <asn at samba.org>
Date:   Thu Aug 22 16:31:30 2019 +0200

    testprogs: Add test for 'net ads join createcomputer='
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Alexander Bokovoy <ab at samba.org>
    
    Autobuild-User(master): Andreas Schneider <asn at cryptomilk.org>
    Autobuild-Date(master): Wed Oct  9 08:26:17 UTC 2019 on sn-devel-184
    
    (cherry picked from commit 459b43e5776180dc1540cd845b72ff78747ecd6f)

commit 440c8890798d6ac7a75f41f0ea0d1f98d234eb6b
Author: Andreas Schneider <asn at samba.org>
Date:   Thu Aug 8 14:40:04 2019 +0200

    s3:libads: Just change the machine password if account already exists
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13884
    
    Pair-Programmed-With: Guenther Deschner <gd at samba.org>
    Signed-off-by: Guenther Deschner <gd at samba.org>
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Alexander Bokovoy <ab at samba.org>
    (cherry picked from commit 14f320fa1e40ecc3a43dabb0cecd57430270a521)

commit 8fa84176dbcc268492f07f92d8baf3156877f78a
Author: Andreas Schneider <asn at samba.org>
Date:   Wed Aug 14 10:15:19 2019 +0200

    s3:libnet: Improve debug messages
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Alexander Bokovoy <ab at samba.org>
    (cherry picked from commit 39b8c8b30a5d5bd70f8da3a02cf77f7592788b94)

commit 86e86cddcb5b6e0319605e1c46fe1932b3e81bf1
Author: Andreas Schneider <asn at samba.org>
Date:   Tue Aug 13 16:34:34 2019 +0200

    s3:libads: Fix creating machine account using LDAP
    
    This implements the same behaviour as Windows.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13884
    
    Pair-Programmed-With: Guenther Deschner <gd at samba.org>
    Signed-off-by: Guenther Deschner <gd at samba.org>
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Alexander Bokovoy <ab at samba.org>
    (cherry picked from commit ce7762935051c862ecdd3e82d93096aac61dd292)

commit e0be43a863bba4be3df81b8a7b7a95f99bfb4783
Author: Andreas Schneider <asn at samba.org>
Date:   Wed Aug 14 12:17:20 2019 +0200

    s3:libads: Don't set supported encryption types during account creation
    
    This is already handled by libnet_join_post_processing_ads_modify()
    which calls libnet_join_set_etypes() if encryption types should be set.
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Alexander Bokovoy <ab at samba.org>
    (cherry picked from commit b755a6438022579dab1a403c81d60b1ed7efca38)

commit 8cc6e035b6e68267d608e1d727d6e66b92823655
Author: Andreas Schneider <asn at samba.org>
Date:   Wed Aug 14 13:01:19 2019 +0200

    s3:libads: Fix detection if account already exists in ads_find_machine_count()
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Alexander Bokovoy <ab at samba.org>
    (cherry picked from commit 4f389c1f78cdc2424795e3b2a1ce43818c400c2d)

commit 023a59d4262c1de4b0d62de0c75a905c0ea658e8
Author: Andreas Schneider <asn at samba.org>
Date:   Wed Aug 21 12:22:32 2019 +0200

    s3:libads: Use a talloc_asprintf in ads_find_machine_acct()
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Alexander Bokovoy <ab at samba.org>
    (cherry picked from commit 35f3e4aed1f1c2ba1c8dc50921f238937f343357)

commit 96ee2408f5ca85d84e341d642848a2532661a1f5
Author: Andreas Schneider <asn at samba.org>
Date:   Tue Aug 13 16:30:07 2019 +0200

    s3:libads: Cleanup error code paths in ads_create_machine_acct()
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Alexander Bokovoy <ab at samba.org>
    (cherry picked from commit 8ed993789f93624b7b60dd5314fe5472e69e903a)

commit 2fa6dc27f37652a4ccc9cd0e5e159e69364b7064
Author: Andreas Schneider <asn at samba.org>
Date:   Tue Aug 13 17:41:40 2019 +0200

    s3:libnet: Require sealed LDAP SASL connections for joining
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Alexander Bokovoy <ab at samba.org>
    (cherry picked from commit b84abb3a46211dc84e52ef95750627e4dd081f2f)

commit 90566a8ef442fefbd9b8b10789eaebd6349ef266
Author: Andreas Schneider <asn at samba.org>
Date:   Tue Aug 13 17:06:58 2019 +0200

    s3:libads: Use ldap_add_ext_s() in ads_gen_add()
    
    ldap_add_s() is marked as deprecated.
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Alexander Bokovoy <ab at samba.org>
    (cherry picked from commit 456322a61319a10aaedda5244488ea4e5aa5cb64)

commit adfcddc681564ff278cbbf243f1a245ec62f0dbe
Author: Andreas Schneider <asn at samba.org>
Date:   Thu Aug 8 14:35:38 2019 +0200

    testprogs: Fix failure count in test_net_ads.sh
    
    There are missing ` at the end of the line.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13884
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Alexander Bokovoy <ab at samba.org>
    (cherry picked from commit 320b5be4dce95d8dac4b3c0847faf5b730754a37)

commit 2ce14ef46a5d5d9ab6b9c30f1fb00debc1be71a4
Author: Jeremy Allison <jra at samba.org>
Date:   Thu Oct 3 14:02:13 2019 -0700

    s3: smbclient: Stop an SMB2-connection from blundering into SMB1-specific calls.
    
    Fix in the same way this was done in SMBC_opendir_ctx() for libsmbclient.
    This fix means the admin no longer has to remember to set 'min client protocol ='
    when connecting to an SMB2-only server (MacOSX for example) and trying to
    list shares.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14152
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    (cherry picked from commit ea82bca8cef0d736305a7a40b3198fc55ea66af8)

commit e8cba5a8a88b47274305b56132a399117d074476
Author: Amitay Isaacs <amitay at gmail.com>
Date:   Mon Sep 30 16:34:35 2019 +1000

    ctdb-vacuum: Process all records not deleted on a remote node
    
    This currently skips the last record.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14147
    RN: Avoid potential data loss during recovery after vacuuming error
    
    Signed-off-by: Amitay Isaacs <amitay at gmail.com>
    Reviewed-by: Martin Schwenke <martin at meltin.net>
    (cherry picked from commit 33f1c9d9654fbdcb99c23f9d23c4bbe2cc596b98)

-----------------------------------------------------------------------

Summary of changes:
 auth/gensec/schannel.c                    |   9 +
 auth/gensec/spnego.c                      |  55 ++-
 ctdb/server/ctdb_vacuum.c                 |   2 +-
 lib/krb5_wrap/krb5_samba.c                |  19 +-
 libcli/auth/tests/test_schannel.c         | 305 +++++++++++++++
 libcli/auth/wscript_build                 |   8 +
 libgpo/pygpo.c                            |   2 +-
 nsswitch/wscript_build                    |   2 +-
 python/samba/tests/gensec.py              |  34 +-
 selftest/target/Samba3.pm                 |   9 +
 selftest/tests.py                         |   2 +
 source3/client/client.c                   |   4 +
 source3/include/proto.h                   |   1 +
 source3/lib/filename_util.c               |  53 ++-
 source3/lib/netapi/joindomain.c           |   5 +-
 source3/libads/ads_proto.h                |  13 +-
 source3/libads/ads_struct.c               |  14 +-
 source3/libads/krb5_setpw.c               |  15 +
 source3/libads/ldap.c                     | 339 ++++++++++++++---
 source3/libnet/libnet_join.c              |  31 +-
 source3/libsmb/cliconnect.c               |  50 ---
 source3/libsmb/namequery_dc.c             |   2 +-
 source3/libsmb/wscript                    |   1 +
 source3/printing/nt_printing_ads.c        |   6 +-
 source3/script/tests/test_smbd_no_krb5.sh |  46 +++
 source3/selftest/tests.py                 |   4 +
 source3/smbd/open.c                       |  12 +-
 source3/smbd/smb2_create.c                |   5 +-
 source3/utils/net_ads.c                   |  13 +-
 source3/winbindd/winbindd_ads.c           |   5 +-
 source3/winbindd/winbindd_cm.c            |   5 +-
 source4/selftest/tests.py                 |   4 +
 source4/torture/smb2/create.c             | 613 ++++++++++++++++++++++++++++--
 testprogs/blackbox/test_net_ads.sh        |  36 +-
 34 files changed, 1527 insertions(+), 197 deletions(-)
 create mode 100644 libcli/auth/tests/test_schannel.c
 create mode 100755 source3/script/tests/test_smbd_no_krb5.sh


Changeset truncated at 500 lines:

diff --git a/auth/gensec/schannel.c b/auth/gensec/schannel.c
index 8ba1eafc76d..74a3eb5c690 100644
--- a/auth/gensec/schannel.c
+++ b/auth/gensec/schannel.c
@@ -296,6 +296,15 @@ static NTSTATUS netsec_do_seal(struct schannel_state *state,
 			ZERO_ARRAY(_sealing_key);
 			return gnutls_error_to_ntstatus(rc, NT_STATUS_CRYPTO_SYSTEM_INVALID);
 		}
+		gnutls_cipher_deinit(cipher_hnd);
+		rc = gnutls_cipher_init(&cipher_hnd,
+					GNUTLS_CIPHER_ARCFOUR_128,
+					&sealing_key,
+					NULL);
+		if (rc < 0) {
+			ZERO_ARRAY(_sealing_key);
+			return gnutls_error_to_ntstatus(rc, NT_STATUS_CRYPTO_SYSTEM_INVALID);
+		}
 		rc = gnutls_cipher_encrypt(cipher_hnd,
 					   data,
 					   length);
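Review bot: The added gnutls_cipher_deinit()/gnutls_cipher_init() pair in netsec_do_seal() has no comment saying why the handle is rebuilt with the same sealing_key before data is encrypted. If the intent is to restart the ARCFOUR keystream so that data is not encrypted from the stream position left by the preceding operation, say so in a one-line comment; without it the re-init reads as redundant and is likely to be removed in a later cleanup. The error block after the new init also duplicates the one directly above it (ZERO_ARRAY(_sealing_key) plus the return); a shared exit path would keep the key zeroing in one place.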
diff --git a/auth/gensec/spnego.c b/auth/gensec/spnego.c
index 0b3fbdce7ac..ddbe03c5d6b 100644
--- a/auth/gensec/spnego.c
+++ b/auth/gensec/spnego.c
@@ -136,6 +136,7 @@ struct spnego_state {
 	bool done_mic_check;
 
 	bool simulate_w2k;
+	bool no_optimistic;
 
 	/*
 	 * The following is used to implement
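Review bot: The new no_optimistic member of struct spnego_state is added without a comment, and the later hunks in this file give it two meanings: a client-side setting read from the "spnego" / "client_no_optimistic" option, and a server-side one-shot flag that is set when sub_in.length == 0 and cleared again in gensec_spnego_update_pre(). Document both uses at the declaration, or split it into two fields so that the client option cannot be confused with per-exchange server state.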
@@ -187,6 +188,10 @@ static NTSTATUS gensec_spnego_client_start(struct gensec_security *gensec_securi
 
 	spnego_state->simulate_w2k = gensec_setting_bool(gensec_security->settings,
 						"spnego", "simulate_w2k", false);
+	spnego_state->no_optimistic = gensec_setting_bool(gensec_security->settings,
+							  "spnego",
+							  "client_no_optimistic",
+							  false);
 
 	gensec_security->private_data = spnego_state;
 	return NT_STATUS_OK;
@@ -511,7 +516,11 @@ static NTSTATUS gensec_spnego_client_negTokenInit_start(
 	}
 
 	n->mech_idx = 0;
-	n->mech_types = spnego_in->negTokenInit.mechTypes;
+
+	/* Do not use server mech list as it isn't protected. Instead, get all
+	 * supported mechs (excluding SPNEGO). */
+	n->mech_types = gensec_security_oids(gensec_security, n,
+					     GENSEC_OID_SPNEGO);
 	if (n->mech_types == NULL) {
 		return NT_STATUS_INVALID_PARAMETER;
 	}
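Review bot: The NULL check that follows the new gensec_security_oids() call still returns NT_STATUS_INVALID_PARAMETER, which was written for a missing server-supplied list. With the list now built locally, a NULL here is a local failure rather than bad peer input, so a distinct status, or at least a DBG_ERR(), would make it diagnosable. The new block comment also starts its text on the opening "/*" line, unlike the other multi-line comments in this diff; put the "/*" on its own line.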
@@ -658,13 +667,30 @@ static NTSTATUS gensec_spnego_client_negTokenInit_finish(
 					DATA_BLOB *out)
 {
 	struct spnego_data spnego_out;
-	const char *my_mechs[] = {NULL, NULL};
+	const char * const *mech_types = NULL;
 	bool ok;
 
-	my_mechs[0] = spnego_state->neg_oid;
+	if (n->mech_types == NULL) {
+		DBG_WARNING("No mech_types list\n");
+		return NT_STATUS_INVALID_PARAMETER;
+	}
+
+	for (mech_types = n->mech_types; *mech_types != NULL; mech_types++) {
+		int cmp = strcmp(*mech_types, spnego_state->neg_oid);
+
+		if (cmp == 0) {
+			break;
+		}
+	}
+
+	if (*mech_types == NULL) {
+		DBG_ERR("Can't find selected sub mechanism in mech_types\n");
+		return NT_STATUS_INVALID_PARAMETER;
+	}
+
 	/* compose reply */
 	spnego_out.type = SPNEGO_NEG_TOKEN_INIT;
-	spnego_out.negTokenInit.mechTypes = my_mechs;
+	spnego_out.negTokenInit.mechTypes = mech_types;
 	spnego_out.negTokenInit.reqFlags = data_blob_null;
 	spnego_out.negTokenInit.reqFlagsPadding = 0;
 	spnego_out.negTokenInit.mechListMIC = data_blob_null;
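Review bot: In gensec_spnego_client_negTokenInit_finish() the loop leaves mech_types pointing at the selected OID, so negTokenInit.mechTypes is sent as the tail of n->mech_types starting there, and every mechanism listed before spnego_state->neg_oid is dropped from the reply. That looks intentional but it is not stated; add a comment that the list sent is the selected mechanism followed by the remaining lower-priority ones, because the same pointer is also what the next hunk writes into spnego_state->mech_types. The temporary "int cmp" adds nothing; "if (strcmp(*mech_types, spnego_state->neg_oid) == 0) { break; }" is enough.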
@@ -676,7 +702,7 @@ static NTSTATUS gensec_spnego_client_negTokenInit_finish(
 	}
 
 	ok = spnego_write_mech_types(spnego_state,
-				     my_mechs,
+				     mech_types,
 				     &spnego_state->mech_types);
 	if (!ok) {
 		DBG_ERR("failed to write mechTypes\n");
@@ -1295,6 +1321,10 @@ static NTSTATUS gensec_spnego_server_negTokenInit_step(
 			spnego_state->mic_requested = true;
 		}
 
+		if (sub_in.length == 0) {
+			spnego_state->no_optimistic = true;
+		}
+
 		/*
 		 * Note that 'cur_sec' is temporary memory, but
 		 * cur_sec->oid points to a const string in the
@@ -1923,6 +1953,21 @@ static void gensec_spnego_update_pre(struct tevent_req *req)
 		 * blob and NT_STATUS_OK.
 		 */
 		state->sub.status = NT_STATUS_OK;
+	} else if (spnego_state->state_position == SPNEGO_CLIENT_START &&
+		   spnego_state->no_optimistic) {
+		/*
+		 * Skip optimistic token per conf.
+		 */
+		state->sub.status = NT_STATUS_MORE_PROCESSING_REQUIRED;
+	} else if (spnego_state->state_position == SPNEGO_SERVER_START &&
+		   state->sub.in.length == 0 && spnego_state->no_optimistic) {
+		/*
+		 * If we didn't like the mechanism for which the client sent us
+		 * an optimistic token, or if he didn't send any, don't call
+		 * the sub mechanism just yet.
+		 */
+		state->sub.status = NT_STATUS_MORE_PROCESSING_REQUIRED;
+		spnego_state->no_optimistic = false;
 	} else {
 		/*
 		 * MORE_PROCESSING_REQUIRED =>
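Review bot: The comment in the SPNEGO_SERVER_START branch describes two cases ("If we didn't like the mechanism for which the client sent us an optimistic token, or if he didn't send any"), but in the hunks shown the server sets no_optimistic only when sub_in.length == 0. Either state where the rejected-mechanism case ends up with an empty sub_in, or narrow the comment to the case the condition actually tests. "Skip optimistic token per conf." in the client branch could also name the setting, client_no_optimistic, so that it can be found with grep.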
diff --git a/ctdb/server/ctdb_vacuum.c b/ctdb/server/ctdb_vacuum.c
index 0c3770267bc..4fd11e3738c 100644
--- a/ctdb/server/ctdb_vacuum.c
+++ b/ctdb/server/ctdb_vacuum.c
@@ -814,7 +814,7 @@ static void ctdb_process_delete_list(struct ctdb_db_context *ctdb_db,
 		 */
 		records = (struct ctdb_marshall_buffer *)outdata.dptr;
 		rec = (struct ctdb_rec_data_old *)&records->data[0];
-		while (records->count-- > 1) {
+		while (records->count-- > 0) {
 			TDB_DATA reckey, recdata;
 			struct ctdb_ltdb_header *rechdr;
 			struct delete_record_data *dd;
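Review bot: "while (records->count-- > 0)" still decrements records->count on the final, failing test, so the field no longer holds a valid count after the loop and, if it is an unsigned type, wraps to its maximum value. Nothing in the visible lines reads it afterwards, but iterating with a local counter, for example "for (i = 0; i < records->count; i++)", avoids mutating the marshall buffer and makes the off-by-one that this change fixes harder to reintroduce.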
diff --git a/lib/krb5_wrap/krb5_samba.c b/lib/krb5_wrap/krb5_samba.c
index a4e73c64f00..5aceae44eec 100644
--- a/lib/krb5_wrap/krb5_samba.c
+++ b/lib/krb5_wrap/krb5_samba.c
@@ -2002,26 +2002,23 @@ krb5_error_code smb_krb5_kinit_keyblock_ccache(krb5_context ctx,
 					    krb_options);
 #elif defined(HAVE_KRB5_GET_INIT_CREDS_KEYTAB)
 {
-#define SMB_CREDS_KEYTAB "MEMORY:tmp_smb_creds_XXXXXX"
-	char tmp_name[sizeof(SMB_CREDS_KEYTAB)];
+#define SMB_CREDS_KEYTAB "MEMORY:tmp_kinit_keyblock_ccache"
+	char tmp_name[64] = {0};
 	krb5_keytab_entry entry;
 	krb5_keytab keytab;
-	int tmpfd;
-	mode_t mask;
+	int rc;
 
 	memset(&entry, 0, sizeof(entry));
 	entry.principal = principal;
 	*(KRB5_KT_KEY(&entry)) = *keyblock;
 
-	memcpy(tmp_name, SMB_CREDS_KEYTAB, sizeof(SMB_CREDS_KEYTAB));
-	mask = umask(S_IRWXO | S_IRWXG);
-	tmpfd = mkstemp(tmp_name);
-	umask(mask);
-	if (tmpfd == -1) {
-		DBG_ERR("Failed to mkstemp %s\n", tmp_name);
+	rc = snprintf(tmp_name, sizeof(tmp_name),
+		      "%s-%p",
+		      SMB_CREDS_KEYTAB,
+		      &my_creds);
+	if (rc < 0) {
 		return KRB5_KT_BADNAME;
 	}
-	close(tmpfd);
 	code = krb5_kt_resolve(ctx, tmp_name, &keytab);
 	if (code) {
 		return code;
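Review bot: the snprintf() result is only checked with if (rc < 0), which misses truncation. snprintf() returns the length it would have written, so a name that does not fit in tmp_name[64] comes back silently cut and is then handed to krb5_kt_resolve(). The current prefix plus "-%p" fits, but the check should be rc < 0 || (size_t)rc >= sizeof(tmp_name) so that a later change to SMB_CREDS_KEYTAB cannot produce a shortened keytab name. Two smaller points on the same lines: %p expects a void *, so &my_creds should be cast, and the uniqueness of the MEMORY keytab name now rests entirely on the stack address of my_creds, which deserves a one-line comment since the old XXXXXX template made that intent explicit.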
diff --git a/libcli/auth/tests/test_schannel.c b/libcli/auth/tests/test_schannel.c
new file mode 100644
index 00000000000..b1c88fdf667
--- /dev/null
+++ b/libcli/auth/tests/test_schannel.c
@@ -0,0 +1,305 @@
+/*
+ * Unix SMB/CIFS implementation.
+ *
+ * Copyright (C) 2019 Guenther Deschner <gd at samba.org>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include <stdarg.h>
+#include <stddef.h>
+#include <stdint.h>
+#include <setjmp.h>
+#include <cmocka.h>
+
+#include "includes.h"
+#include "auth/gensec/schannel.c"
+
+static void torture_schannel_seal_flags(void **state, uint32_t flags,
+					const DATA_BLOB session_key,
+					const DATA_BLOB seq_num_initial,
+					const DATA_BLOB confounder_initial,
+					const DATA_BLOB confounder_expected,
+					const DATA_BLOB clear_initial,
+					const DATA_BLOB crypt_expected)
+{
+	NTSTATUS status;
+	struct schannel_state *schannel_state;
+	struct netlogon_creds_CredentialState *creds;
+	uint8_t confounder[8];
+	DATA_BLOB io;
+
+	assert_int_equal(session_key.length, 16);
+	assert_int_equal(seq_num_initial.length, 8);
+	assert_int_equal(confounder_initial.length, 8);
+	assert_int_equal(confounder_expected.length, 8);
+	assert_int_equal(clear_initial.length, crypt_expected.length);
+
+	DEBUG(0,("checking buffer size: %d\n", (int)clear_initial.length));
+
+	schannel_state = talloc_zero(NULL, struct schannel_state);
+	assert_non_null(schannel_state);
+	creds = talloc_zero(schannel_state,
+			    struct netlogon_creds_CredentialState);
+	assert_non_null(creds);
+	schannel_state->creds = creds;
+
+	io = data_blob_dup_talloc(schannel_state, clear_initial);
+	assert_non_null(io.data);
+	assert_int_equal(io.length, clear_initial.length);
+
+	schannel_state->creds->negotiate_flags = flags;
+	memcpy(schannel_state->creds->session_key, session_key.data, 16);
+
+	memcpy(confounder, confounder_initial.data, 8);
+
+	DEBUG(0,("confounder before crypt:\n"));
+	dump_data(0, confounder, 8);
+	dump_data(0, seq_num_initial.data, 8);
+	dump_data(0, io.data, io.length);
+
+	status = netsec_do_seal(schannel_state,
+				seq_num_initial.data,
+			        confounder,
+				io.data,
+				io.length,
+				true);
+
+	assert_true(NT_STATUS_IS_OK(status));
+	dump_data(0, io.data, io.length);
+	DEBUG(0,("confounder after crypt:\n"));
+	dump_data(0, confounder, 8);
+	dump_data(0, seq_num_initial.data, 8);
+	assert_memory_equal(io.data, crypt_expected.data, crypt_expected.length);
+	assert_memory_equal(confounder, confounder_expected.data, confounder_expected.length);
+
+	status = netsec_do_seal(schannel_state,
+				seq_num_initial.data,
+			        confounder,
+				io.data,
+				io.length,
+				false);
+
+	assert_true(NT_STATUS_IS_OK(status));
+	dump_data(0, io.data, io.length);
+	DEBUG(0,("confounder after decrypt:\n"));
+	dump_data(0, confounder, 8);
+	dump_data(0, seq_num_initial.data, 8);
+	assert_memory_equal(io.data, clear_initial.data, clear_initial.length);
+	assert_memory_equal(confounder, confounder_initial.data, confounder_initial.length);
+
+	talloc_free(schannel_state);
+}
+
+static void torture_schannel_seal_rc4(void **state)
+{
+	const uint8_t _session_key[16] = {
+		0x14, 0xD5, 0x7F, 0x8D, 0x8E, 0xCF, 0xFB, 0x56,
+		0x71, 0x29, 0x9D, 0x9C, 0x2A, 0x75, 0x00, 0xA1
+	};
+	const DATA_BLOB session_key = data_blob_const(_session_key, 16);
+	const uint8_t _seq_num_initial[8] = {
+		0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x00
+	};
+	const DATA_BLOB seq_num_initial =
+		data_blob_const(_seq_num_initial, 8);
+	const uint8_t _confounder_initial[8] = {
+		0x1A, 0x5A, 0xE8, 0xC7, 0xBE, 0x4F, 0x1F, 0x07
+	};
+	const DATA_BLOB confounder_initial =
+		data_blob_const(_confounder_initial, 8);
+	const uint8_t _confounder_expected[8] = {
+		0x25, 0x4A, 0x9C, 0x15, 0x82, 0x3E, 0x4A, 0x42
+	};
+	const DATA_BLOB confounder_expected =
+		data_blob_const(_confounder_expected, 8);
+	const uint8_t _clear_initial[] = {
+		0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00,
+		0x01, 0x00, 0x00, 0x00, 0x04, 0x00, 0x02, 0x00,
+		0x01, 0x00, 0x00, 0x00, 0x01, 0x01, 0x00, 0x00,
+		0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00,
+		0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+		0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+		0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+		0x8A, 0xE3, 0x13, 0x71, 0x02, 0xF4, 0x36, 0x71,
+		0x01, 0x00, 0x04, 0x00, 0x01, 0x00, 0x00, 0x00,
+		0x02, 0x40, 0x28, 0x00, 0x78, 0x57, 0x34, 0x12,
+		0x34, 0x12, 0xCD, 0xAB, 0xEF, 0x00, 0x01, 0x23,
+		0x45, 0x67, 0x89, 0xAB, 0x00, 0x00, 0x00, 0x00,
+		0x04, 0x5D, 0x88, 0x8A, 0xEB, 0x1C, 0xC9, 0x11,
+		0x9F, 0xE8, 0x08, 0x00, 0x2B, 0x10, 0x48, 0x60,
+		0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+		0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
+	};
+	const DATA_BLOB clear_initial = data_blob_const(_clear_initial,
+			sizeof(_clear_initial));
+	const uint8_t crypt_buffer[] = {
+		0x3E, 0x10, 0x74, 0xD2, 0x3C, 0x71, 0x57, 0x45,
+		0xB8, 0xAA, 0xCF, 0xE3, 0x84, 0xBE, 0xC4, 0x00,
+		0xF4, 0x4D, 0x88, 0x0A, 0x9B, 0xCC, 0x53, 0xFC,
+		0x32, 0xAA, 0x8E, 0x4B, 0x0E, 0xDE, 0x5F, 0x7D,
+		0x6D, 0x31, 0x4E, 0xAB, 0xE0, 0x7D, 0x37, 0x9D,
+		0x3D, 0x16, 0xD8, 0xBA, 0x6A, 0xB0, 0xD0, 0x99,
+		0x14, 0x05, 0x37, 0xCF, 0x63, 0xD3, 0xD7, 0x60,
+		0x63, 0x3C, 0x03, 0x0A, 0x30, 0xA0, 0x3E, 0xC7,
+		0xDA, 0x94, 0x3B, 0x40, 0x63, 0x74, 0xEF, 0xCF,
+		0xE5, 0x48, 0x87, 0xE9, 0x6A, 0x5A, 0xC7, 0x61,
+		0xF7, 0x09, 0xB7, 0x7C, 0xDE, 0xDB, 0xB0, 0x94,
+		0x9B, 0x99, 0xC0, 0xA7, 0x7E, 0x78, 0x09, 0x35,
+		0xB4, 0xF4, 0x11, 0xC3, 0xB3, 0x77, 0xB5, 0x77,
+		0x25, 0xEE, 0xFD, 0x2F, 0x9A, 0x15, 0x95, 0x27,
+		0x08, 0xDA, 0xD0, 0x28, 0xD6, 0x31, 0xB4, 0xB7,
+		0x7A, 0x19, 0xBB, 0xF3, 0x78, 0xF8, 0xC2, 0x5B
+	};
+	const DATA_BLOB crypt_expected = data_blob_const(crypt_buffer,
+							 sizeof(crypt_buffer));
+	int buffer_sizes[] = {
+		0, 1, 3, 7, 8, 9, 15, 16, 17
+	};
+	int i;
+
+	torture_schannel_seal_flags(state, 0,
+				    session_key,
+				    seq_num_initial,
+				    confounder_initial,
+				    confounder_expected,
+				    clear_initial,
+				    crypt_expected);
+
+	/* repeat the test for varying buffer sizes */
+
+	for (i = 0; i < ARRAY_SIZE(buffer_sizes); i++) {
+		DATA_BLOB clear_initial_trunc =
+			data_blob_const(clear_initial.data, buffer_sizes[i]);
+		DATA_BLOB crypt_expected_trunc =
+			data_blob_const(crypt_expected.data, buffer_sizes[i]);
+		torture_schannel_seal_flags(state, 0,
+					    session_key,
+					    seq_num_initial,
+					    confounder_initial,
+					    confounder_expected,
+					    clear_initial_trunc,
+					    crypt_expected_trunc);
+	}
+}
+
+static void torture_schannel_seal_aes(void **state)
+{
+	const uint8_t _session_key[16] = {
+		0x8E, 0xE8, 0x27, 0x85, 0x83, 0x41, 0x3C, 0x8D,
+		0xC9, 0x54, 0x70, 0x75, 0x8E, 0xC9, 0x69, 0x91
+	};
+	const DATA_BLOB session_key = data_blob_const(_session_key, 16);
+	const uint8_t _seq_num_initial[8] = {
+		0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x00
+	};
+	const DATA_BLOB seq_num_initial =
+		data_blob_const(_seq_num_initial, 8);
+	const uint8_t _confounder_initial[8] = {
+		0x6E, 0x09, 0x25, 0x94, 0x01, 0xA0, 0x09, 0x31
+	};
+	const DATA_BLOB confounder_initial =
+		data_blob_const(_confounder_initial, 8);
+	const uint8_t _confounder_expected[8] = {
+		0xCA, 0xFB, 0xAC, 0xFB, 0xA8, 0x26, 0x75, 0x2A
+	};
+	const DATA_BLOB confounder_expected =
+		data_blob_const(_confounder_expected, 8);
+	const uint8_t _clear_initial[] = {
+		0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00,
+		0x01, 0x00, 0x00, 0x00, 0x04, 0x00, 0x02, 0x00,
+		0x01, 0x00, 0x00, 0x00, 0x01, 0x01, 0x00, 0x00,
+		0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00,
+		0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+		0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+		0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+		0x8A, 0xE3, 0x13, 0x71, 0x02, 0xF4, 0x36, 0x71,
+		0x01, 0x00, 0x04, 0x00, 0x01, 0x00, 0x00, 0x00,
+		0x02, 0x40, 0x28, 0x00, 0x78, 0x57, 0x34, 0x12,
+		0x34, 0x12, 0xCD, 0xAB, 0xEF, 0x00, 0x01, 0x23,
+		0x45, 0x67, 0x89, 0xAB, 0x00, 0x00, 0x00, 0x00,
+		0x04, 0x5D, 0x88, 0x8A, 0xEB, 0x1C, 0xC9, 0x11,
+		0x9F, 0xE8, 0x08, 0x00, 0x2B, 0x10, 0x48, 0x60,
+		0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+		0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
+	};
+	const DATA_BLOB clear_initial = data_blob_const(_clear_initial,
+			sizeof(_clear_initial));
+	const uint8_t crypt_buffer[] = {
+		0xE2, 0xE5, 0xE3, 0x26, 0x45, 0xFB, 0xFC, 0xF3,
+		0x9C, 0x14, 0xDD, 0xE1, 0x39, 0x23, 0xE0, 0x55,
+		0xED, 0x8F, 0xF4, 0x92, 0xA1, 0xBD, 0xDC, 0x40,
+		0x58, 0x6F, 0xD2, 0x5B, 0xF9, 0xC9, 0xA3, 0x87,
+		0x46, 0x4B, 0x7F, 0xB2, 0x03, 0xD2, 0x35, 0x22,
+		0x3E, 0x70, 0x9F, 0x1E, 0x3F, 0x1F, 0xDB, 0x7D,
+		0x79, 0x88, 0x5A, 0x3D, 0xD3, 0x40, 0x1E, 0x69,
+		0xD7, 0xE2, 0x1D, 0x5A, 0xE9, 0x3B, 0xE1, 0xE2,
+		0x98, 0xFD, 0xCB, 0x3A, 0xF7, 0xB5, 0x1C, 0xF8,
+		0xCA, 0x02, 0x00, 0x99, 0x9F, 0x0C, 0x01, 0xE6,
+		0xD2, 0x00, 0xAF, 0xE0, 0x51, 0x88, 0x62, 0x50,
+		0xB7, 0xE8, 0x6D, 0x63, 0x4B, 0x97, 0x05, 0xC1,
+		0xD4, 0x83, 0x96, 0x29, 0x80, 0xAE, 0xD8, 0xA2,
+		0xED, 0xC9, 0x5D, 0x0D, 0x29, 0xFF, 0x2C, 0x23,
+		0x02, 0xFA, 0x3B, 0xEE, 0xE8, 0xBA, 0x06, 0x01,
+		0x95, 0xDF, 0x80, 0x76, 0x0B, 0x17, 0x0E, 0xD8
+	};
+	const DATA_BLOB crypt_expected = data_blob_const(crypt_buffer,
+							 sizeof(crypt_buffer));
+	int buffer_sizes[] = {
+		0, 1, 3, 7, 8, 9, 15, 16, 17
+	};
+	int i;
+
+	torture_schannel_seal_flags(state, NETLOGON_NEG_SUPPORTS_AES,
+				    session_key,
+				    seq_num_initial,
+				    confounder_initial,
+				    confounder_expected,
+				    clear_initial,
+				    crypt_expected);
+
+	/* repeat the test for varying buffer sizes */
+
+	for (i = 0; i < ARRAY_SIZE(buffer_sizes); i++) {
+		DATA_BLOB clear_initial_trunc =
+			data_blob_const(clear_initial.data, buffer_sizes[i]);
+		DATA_BLOB crypt_expected_trunc =
+			data_blob_const(crypt_expected.data, buffer_sizes[i]);
+		torture_schannel_seal_flags(state, NETLOGON_NEG_SUPPORTS_AES,
+					    session_key,
+					    seq_num_initial,
+					    confounder_initial,
+					    confounder_expected,
+					    clear_initial_trunc,
+					    crypt_expected_trunc);
+	}
+}
+
+int main(int argc, char *argv[])
+{
+	int rc;
+	const struct CMUnitTest tests[] = {
+		cmocka_unit_test(torture_schannel_seal_rc4),
+		cmocka_unit_test(torture_schannel_seal_aes),
+	};
+
+	if (argc == 2) {
+		cmocka_set_test_filter(argv[1]);
+	}
+	cmocka_set_message_output(CM_OUTPUT_SUBUNIT);
+
+	rc = cmocka_run_group_tests(tests, NULL, NULL);
+
+	return rc;
+}
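Review bot: in torture_schannel_seal_rc4 and torture_schannel_seal_aes the loop for (i = 0; i < ARRAY_SIZE(buffer_sizes); i++) compares a signed int i against a size expression; declaring i as size_t avoids the sign-compare warning. Both functions also carry identical copies of _seq_num_initial, _clear_initial and buffer_sizes, which could be file-level static const data shared by the two tests so that the vectors cannot drift apart. In torture_schannel_seal_flags the DEBUG(0, ...) and dump_data(0, ...) calls print at level 0 on every invocation, and the helper runs ten times per test, so a higher debug level would keep the subunit output readable. Finally, #include "auth/gensec/schannel.c" pulls in a .c file to reach netsec_do_seal; a short comment next to the include explaining why would save the next reader from wondering whether it is a mistake.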
diff --git a/libcli/auth/wscript_build b/libcli/auth/wscript_build
index 39489c20b4e..04e2b09eadf 100644
--- a/libcli/auth/wscript_build
+++ b/libcli/auth/wscript_build
@@ -54,3 +54,11 @@ bld.SAMBA_BINARY(


-- 
Samba Shared Repository


