[SCM] Samba Shared Repository - branch v4-14-stable updated

Jule Anger janger at samba.org
Wed Jul 27 10:31:52 UTC 2022


The branch, v4-14-stable has been updated
       via  ad06fd82945 VERSION: Disable GIT_SNAPSHOT for the 4.14.14 release.
       via  0e6fc4fb33a WHATSNEW: Add release notes for Samba 4.14.14.
       via  7720e0acfd7 CVE-2022-32742: s3: smbd: Harden the smbreq_bufrem() macro.
       via  f6e1750c4fc CVE-2022-32742: s4: torture: Add raw.write.bad-write test.
       via  a6231af1f1c CVE-2022-2031 testprogs: Add test for short-lived ticket across an incoming trust
       via  d5af460403d CVE-2022-2031 s4:kpasswd: Do not accept TGTs as kpasswd tickets
       via  89c6e36938c CVE-2022-2031 s4:auth: Use PAC to determine whether ticket is a TGT
       via  4b61092459b CVE-2022-2031 auth: Add ticket type field to auth_user_info_dc and auth_session_info
       via  95afbc2da9b CVE-2022-2031 tests/krb5: Add test that we cannot provide a TGT to kpasswd
       via  340181bc110 CVE-2022-32744 s4:kpasswd: Ensure we pass the kpasswd server principal into krb5_rd_req_ctx()
       via  c0c4b7a4bd2 CVE-2022-32744 s4:kdc: Modify HDB plugin to only look up kpasswd principal
       via  997f50c6647 s4:kdc: Remove kadmin mode from HDB plugin
       via  42ba919c06c CVE-2022-32744 s4:kdc: Rename keytab_name -> kpasswd_keytab_name
       via  d40593be831 CVE-2022-2031 s4:kdc: Don't use strncmp to compare principal components
       via  389851bcf39 CVE-2022-2031 tests/krb5: Test truncated forms of server principals
       via  abdac4241dd CVE-2022-2031 s4:kdc: Reject tickets during the last two minutes of their life
       via  531e7b596d3 CVE-2022-2031 s4:kdc: Limit kpasswd ticket lifetime to two minutes or less
       via  3cab6289366 CVE-2022-2031 s4:kdc: Fix canonicalisation of kadmin/changepw principal
       via  fa4742e1b9d CVE-2022-2031 s4:kdc: Refactor samba_kdc_get_entry_principal()
       via  f68877af829 CVE-2022-2031 s4:kdc: Split out a samba_kdc_get_entry_principal() function
       via  36d94ffb9c9 CVE-2022-2031 s4:kdc: Implement is_kadmin_changepw() helper function
       via  91a1b0955a0 CVE-2022-2031 testprogs: Add kadmin/changepw canonicalization test with MIT kpasswd
       via  b5adf7cc6d7 CVE-2022-2031 testprogs: Fix auth with smbclient and krb5 ccache
       via  69e742e6208 s4:kpasswd: Restructure code for clarity
       via  6c4fd575d70 CVE-2022-2031 s4:kpasswd: Require an initial ticket
       via  198256e2184 CVE-2022-2031 gensec_krb5: Add helper function to check if client sent an initial ticket
       via  cf749fac346 CVE-2022-2031 s4:kpasswd: Return a kpasswd error code in KRB-ERROR
       via  cf9e3760440 CVE-2022-2031 lib:krb5_wrap: Generate valid error codes in smb_krb5_mk_error()
       via  3a8da51396f CVE-2022-2031 s4:kpasswd: Don't return AP-REP on failure
       via  29ec8b2369b CVE-2022-2031 s4:kpasswd: Correctly generate error strings
       via  450ff39d1c9 CVE-2022-2031 tests/krb5: Add tests for kpasswd service
       via  cf2d5d2ab38 CVE-2022-32744 selftest: Specify Administrator kvno for Python krb5 tests
       via  668825ad56f CVE-2022-2031 tests/krb5: Add kpasswd_exchange() method
       via  5c41e20fae2 CVE-2022-2031 tests/krb5: Allow requesting a TGT to a different sname and realm
       via  5b030b176b8 tests/krb5: Add option for creating accounts with expired passwords
       via  ca582250fca tests/krb5: Fix enum typo
       via  13fe7e013ec CVE-2022-2031 tests/krb5: Add methods to send and receive generic messages
       via  ae7dd875cd4 CVE-2022-2031 tests/krb5: Add 'port' parameter to connect()
       via  695c662bdc2 CVE-2022-2031 tests/krb5: Add methods to create ASN1 kpasswd structures
       via  f7fad997cc0 CVE-2022-2031 tests/krb5: Add new definitions for kpasswd
       via  245d9a42329 CVE-2022-32744 tests/krb5: Correctly calculate salt for pre-existing accounts
       via  8917979641a CVE-2022-2031 tests/krb5: Split out _make_tgs_request()
       via  6305a558702 CVE-2022-32744 tests/krb5: Correctly handle specifying account kvno
       via  f6c5a60336d CVE-2022-2031 s4:kpasswd: Add MIT fallback for decoding setpw structure
       via  1b38a28bcae CVE-2022-2031 s4:kpasswd: Account for missing target principal
       via  6843c44a450 heimdal:kdc: Accommodate NULL data parameter in krb5_pac_get_buffer()
       via  c0395578c50 CVE-2022-2031 s4:kdc: Add MIT support for ATTRIBUTES_INFO and REQUESTER_SID PAC buffers
       via  bff1978187d selftest: Simplify krb5 test environments
       via  c0977bee5b8 tests/krb5: Add helper function to modify ticket flags
       via  787405ef59b tests/krb5: Correctly determine whether tickets are service tickets
       via  3fc519edec0 kdc: Canonicalize realm for enterprise principals
       via  49aafce0a70 kdc: Require that PAC_REQUESTER_SID buffer is present for TGTs
       via  65bb0e3201d heimdal:kdc: Do not generate extra PAC buffers for S4U2Self service ticket
       via  8585333a8ef selftest: Properly check extra PAC buffers with Heimdal
       via  8f97f78dd80 heimdal:kdc: Always generate a PAC for S4U2Self
       via  d3436300745 tests/krb5: Add a test for S4U2Self with no authorization data required
       via  29f15fe2d92 kdc: Remove PAC_TYPE_ATTRIBUTES_INFO from RODC-issued tickets
       via  72afa2641c2 kdc: Don't include extra PAC buffers in service tickets
       via  925f63f3e46 Revert "CVE-2020-25719 s4/torture: Expect additional PAC buffers"
       via  4cd44326ce3 tests/krb5: Add tests for renewal and validation of RODC TGTs with PAC requests
       via  93a5264dd68 kdc: Always add the PAC if the header TGT is from an RODC
       via  46b05cbf803 kdc: Match Windows error code for mismatching sname
       via  c62a2b7a218 tests/krb5: Add test for S4U2Self with wrong sname
       via  5556f97c782 kdc: Adjust SID mismatch error code to match Windows
       via  02ceb9be33d heimdal:kdc: Adjust no-PAC error code to match Windows
       via  33d5e5ad3a0 s4:torture: Fix typo
       via  6dbed53756f heimdal:kdc: Fix error message for user-to-user
       via  69233dd323b tests/krb5: Add comments for tests that fail against Windows
       via  3fdfbd08b94 tests/krb5: Add tests for validation with requester SID PAC buffer
       via  5375e2b99cd tests/krb5: Align PAC buffer checking to more closely match Windows with PacRequestorEnforcement=2
       via  1d616e8e9c0 tests/krb5: Add TGS-REQ tests with FAST
       via  645d30ff371 tests/krb5: Add tests for TGS requests with a non-TGT
       via  eb0ed5f4f6d tests/krb5: Add tests for invalid TGTs
       via  ea82822a5c4 tests/krb5: Remove unnecessary expect_pac arguments
       via  1e9ad4246ce tests/krb5: Adjust error codes to better match Windows with PacRequestorEnforcement=2
       via  651db77b1c1 tests/krb5: Split out methods to create renewable or invalid tickets
       via  bf1aa092789 tests/krb5: Allow PasswordKey_create() to use s2kparams
       via  3d48ade670b tests/krb5: Run test_rpc against member server
       via  837453d3479 tests/krb5: Deduplicate AS-REQ tests
       via  6a4ed078902 tests/krb5: Remove unused variable
       via  b4005403032 selftest: Check received LDB error code when STRICT_CHECKING=0
       via  06a0a75b16b s4:kdc: Also canonicalize krbtgt principals when enforcing canonicalization
       via  34eb92a2066 s4:mit-kdb: Force canonicalization for looking up principals
       via  65d96369fa4 CVE-2022-32745 s4/dsdb/util: Correctly copy values into message element
       via  4d2d30c21b1 CVE-2022-32745 s4/dsdb/util: Don't call memcpy() with a NULL pointer
       via  7c8427e5d2f CVE-2022-32745 s4/dsdb/util: Use correct value for loop count limit
       via  6237c855653 CVE-2022-32745 s4/dsdb/samldb: Check for empty values array
       via  7270b683866 CVE-2022-32746 ldb: Release LDB 2.3.4
       via  f419753d1c7 CVE-2022-32746 ldb: Make use of functions for appending to an ldb_message
       via  512a2617b15 CVE-2022-32746 ldb: Add functions for appending to an ldb_message
       via  4e5fb78c3dc CVE-2022-32746 ldb: Ensure shallow copy modifications do not affect original message
       via  faa61ab3053 CVE-2022-32746 ldb: Add flag to mark message element values as shared
       via  49dd9042f4e CVE-2022-32746 s4/registry: Use LDB_FLAG_MOD_TYPE() for flags equality check
       via  bedd0b768c3 CVE-2022-32746 s4/dsdb/tombstone_reanimate: Use LDB_FLAG_MOD_TYPE() for flags equality check
       via  535b5a366a2 CVE-2022-32746 s4/dsdb/repl_meta_data: Use LDB_FLAG_MOD_TYPE() for flags equality check
       via  2869b5aa314 CVE-2022-32746 ldb:rdn_name: Use LDB_FLAG_MOD_TYPE() for flags equality check
       via  0526d27e9ed CVE-2022-32746 s4/dsdb/acl: Fix LDB flags comparison
       via  582ac171364 CVE-2022-32746 s4:torture: Fix LDB flags comparison
       via  a68553792a8 CVE-2022-32746 s4/dsdb/partition: Fix LDB flags comparison
       via  51cbeff886f CVE-2022-32746 s4:dsdb:tests: Add test for deleting a disallowed SPN
       via  5d958156c7e CVE-2022-32746 s4/dsdb/objectclass_attrs: Fix typo
       via  93bd8b08a09 VERSION: Bump version up to Samba 4.14.14...
      from  744c4b0cc69 VERSION: Disable GIT_SNAPSHOT for the 4.14.13 release.

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-14-stable


- Log -----------------------------------------------------------------
commit ad06fd8294503b6a27729118dd8c80558d41924a
Author: Jule Anger <janger at samba.org>
Date:   Sun Jul 24 11:47:55 2022 +0200

    VERSION: Disable GIT_SNAPSHOT for the 4.14.14 release.
    
    Signed-off-by: Jule Anger <janger at samba.org>

commit 0e6fc4fb33aa8005a71e84c6ce38479592f6c59f
Author: Jule Anger <janger at samba.org>
Date:   Sun Jul 24 11:42:38 2022 +0200

    WHATSNEW: Add release notes for Samba 4.14.14.
    
    Signed-off-by: Jule Anger <janger at samba.org>

commit 7720e0acfd7ea6a2339f3e389aa8dcedd6174095
Author: Jeremy Allison <jra at samba.org>
Date:   Wed Jun 8 13:50:51 2022 -0700

    CVE-2022-32742: s3: smbd: Harden the smbreq_bufrem() macro.
    
    Fixes the raw.write.bad-write test.
    
    NB. We need the two (==0) changes in source3/smbd/reply.c
    as the gcc optimizer now knows that the return from
    smbreq_bufrem() can never be less than zero.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15085
    
    Remove knownfail.
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: David Disseldorp <ddiss at samba.org>

commit f6e1750c4fc966c29c2e0663d3c04e87057fa0c3
Author: Jeremy Allison <jra at samba.org>
Date:   Tue Jun 7 09:40:45 2022 -0700

    CVE-2022-32742: s4: torture: Add raw.write.bad-write test.
    
    Reproduces the test code in:
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15085
    
    Add knownfail.
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: David Disseldorp <ddiss at samba.org>

commit a6231af1f1c03cd81614332f867916e1748e03a8
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Thu Jun 23 13:59:11 2022 +1200

    CVE-2022-2031 testprogs: Add test for short-lived ticket across an incoming trust
    
    We ensure that the KDC does not reject a TGS-REQ with our short-lived
    TGT over an incoming trust.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    
    [jsutton at samba.org Changed --use-krb5-ccache to -k yes to match
     surrounding usage]

commit d5af460403d3949ba266f5c74f051247cd7ce752
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Fri Jun 10 19:18:53 2022 +1200

    CVE-2022-2031 s4:kpasswd: Do not accept TGTs as kpasswd tickets
    
    If TGTs can be used as kpasswd tickets, the two-minute lifetime of an
    authentic kpasswd ticket may be bypassed. Furthermore, kpasswd tickets
    are not supposed to be cached, but using this flaw, a stolen credentials
    cache containing a TGT may be used to change that account's password,
    and thus is made more valuable to an attacker.
    
    Since all TGTs should be issued with a REQUESTER_SID PAC buffer, and
    service tickets without it, we assert the absence of this buffer to
    ensure we're not accepting a TGT.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15049
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    
    [jsutton at samba.org Fixed knownfail conflicts]
    
    [jsutton at samba.org Fixed knownfail conflicts]

commit 89c6e36938c27b572573b06d1b35db210bfda99b
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Fri Jun 10 19:18:35 2022 +1200

    CVE-2022-2031 s4:auth: Use PAC to determine whether ticket is a TGT
    
    We use the presence or absence of a REQUESTER_SID PAC buffer to
    determine whether the ticket is a TGT. We will later use this to reject
    TGTs where a service ticket is expected.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15049
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andreas Schneider <asn at samba.org>
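
The two commit messages above (d5af460403d and 89c6e36938c) classify a ticket by whether its PAC carries a REQUESTER_SID buffer. The following is an added example, not code from the Samba tree: it walks the PAC buffer directory (the MS-PAC PACTYPE header followed by 16-byte PAC_INFO_BUFFER entries, with buffer type 18 for the requester SID) and accepts a ticket for kpasswd only when it is positively identified as a non-TGT. The function names, the enum and the sample PACs are hypothetical, and the PAC signatures are assumed to have been verified already.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define PAC_TYPE_REQUESTER_SID 18u /* MS-PAC buffer type 0x12 */
#define PAC_HEADER_LEN         8u  /* cBuffers (4 bytes) + Version (4 bytes) */
#define PAC_INFO_BUFFER_LEN    16u /* ulType (4) + cbBufferSize (4) + Offset (8) */

/* Hypothetical ticket classification for this example. */
enum ticket_type { TICKET_UNKNOWN = 0, TICKET_TGT, TICKET_NON_TGT };

static uint32_t rd_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static uint64_t rd_le64(const uint8_t *p)
{
    return (uint64_t)rd_le32(p) | ((uint64_t)rd_le32(p + 4) << 32);
}

/* Returns 1 if a buffer of type `wanted` is listed, 0 if it is not,
 * and -1 if the directory is malformed or points outside the PAC. */
static int pac_has_buffer(const uint8_t *pac, size_t len, uint32_t wanted)
{
    uint32_t count, i;
    size_t data_start;
    int found = 0;

    if (pac == NULL || len < PAC_HEADER_LEN || rd_le32(pac + 4) != 0) {
        return -1; /* too short, or Version is not 0 */
    }
    count = rd_le32(pac);
    if (count > (len - PAC_HEADER_LEN) / PAC_INFO_BUFFER_LEN) {
        return -1; /* directory would run past the end of the PAC */
    }
    data_start = PAC_HEADER_LEN + (size_t)count * PAC_INFO_BUFFER_LEN;

    for (i = 0; i < count; i++) {
        const uint8_t *e = pac + PAC_HEADER_LEN + (size_t)i * PAC_INFO_BUFFER_LEN;
        uint32_t type = rd_le32(e);
        uint32_t size = rd_le32(e + 4);
        uint64_t off = rd_le64(e + 8);

        if (off < data_start || off > len || size > len - off) {
            return -1; /* buffer overlaps the directory or exceeds the PAC */
        }
        if (type == wanted) {
            found = 1;
        }
    }
    return found;
}

static enum ticket_type classify_ticket(const uint8_t *pac, size_t len)
{
    switch (pac_has_buffer(pac, len, PAC_TYPE_REQUESTER_SID)) {
    case 1:  return TICKET_TGT;
    case 0:  return TICKET_NON_TGT;
    default: return TICKET_UNKNOWN;
    }
}

/* Fail closed: a malformed PAC is not treated as "no REQUESTER_SID". */
static bool kpasswd_accepts(const uint8_t *pac, size_t len)
{
    return classify_ticket(pac, len) == TICKET_NON_TGT;
}

/* Constructed sample PACs; buffer contents are zero-filled placeholders. */
static const uint8_t pac_tgt[56] = {
    0x02, 0, 0, 0,  0, 0, 0, 0,                      /* 2 buffers, version 0 */
    0x01, 0, 0, 0,  0x08, 0, 0, 0,  0x28, 0, 0, 0, 0, 0, 0, 0, /* type 1 @40 */
    0x12, 0, 0, 0,  0x08, 0, 0, 0,  0x30, 0, 0, 0, 0, 0, 0, 0, /* type 18 @48 */
};
static const uint8_t pac_service[32] = {
    0x01, 0, 0, 0,  0, 0, 0, 0,                      /* 1 buffer, version 0 */
    0x01, 0, 0, 0,  0x08, 0, 0, 0,  0x18, 0, 0, 0, 0, 0, 0, 0, /* type 1 @24 */
};

int main(void)
{
    printf("TGT-like PAC accepted:     %d\n",
           kpasswd_accepts(pac_tgt, sizeof(pac_tgt)));
    printf("service-like PAC accepted: %d\n",
           kpasswd_accepts(pac_service, sizeof(pac_service)));
    printf("truncated PAC accepted:    %d\n", kpasswd_accepts(pac_tgt, 30));
    return 0;
}
```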

commit 4b61092459b403b2945daa9082052366f3508b69
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Fri Jun 10 19:18:07 2022 +1200

    CVE-2022-2031 auth: Add ticket type field to auth_user_info_dc and auth_session_info
    
    This field may be used to convey whether we were provided with a TGT or
    a non-TGT. We ensure both structures are zeroed out to avoid incorrect
    results being produced by an uninitialised field.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15049
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andreas Schneider <asn at samba.org>

commit 95afbc2da9b541fb8f2eebdcd411f5873d1675ac
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Fri Jun 10 19:17:11 2022 +1200

    CVE-2022-2031 tests/krb5: Add test that we cannot provide a TGT to kpasswd
    
    The kpasswd service should require a kpasswd service ticket, and
    disallow TGTs.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15049
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    
    [jsutton at samba.org Fixed knownfail conflicts]
    
    [jsutton at samba.org Fixed knownfail conflicts]

commit 340181bc1100fa31c63af88214a3d8328b944fe9
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Mon May 30 19:16:02 2022 +1200

    CVE-2022-32744 s4:kpasswd: Ensure we pass the kpasswd server principal into krb5_rd_req_ctx()
    
    To ensure that, when decrypting the kpasswd ticket, we look up the
    correct principal and don't trust the sname from the ticket, we should
    pass the principal name of the kpasswd service into krb5_rd_req_ctx().
    However, gensec_krb5_update_internal() will pass in NULL unless the
    principal in our credentials is CRED_SPECIFIED.
    
    At present, our principal will be considered obtained as CRED_SMB_CONF
    (from the cli_credentials_set_conf() a few lines up), so we explicitly
    set the realm again, but this time as CRED_SPECIFIED. Now the value of
    server_in_keytab that we provide to smb_krb5_rd_req_decoded() will not
    be NULL.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15074
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    
    [jsutton at samba.org Removed knownfail as KDC no longer panics]

commit c0c4b7a4bd229bd36d586faec6249baaba8e7adc
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Thu May 26 16:39:20 2022 +1200

    CVE-2022-32744 s4:kdc: Modify HDB plugin to only look up kpasswd principal
    
    This plugin is now only used by the kpasswd service. Thus, ensuring we
    only look up the kadmin/changepw principal means we can't be fooled into
    accepting tickets for other service principals. We make sure not to
    specify a specific kvno, to ensure that we do not accept RODC-issued
    tickets.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15074
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    
    [jsutton at samba.org Fixed knownfail conflicts]
    
    [jsutton at samba.org Renamed entry to entry_ex; fixed knownfail conflicts;
     retained knownfail for test_kpasswd_from_rodc which now causes the KDC
     to panic]

commit 997f50c66471071efb8e02d8efbe4bf5d932e7ee
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Wed Jun 8 13:53:29 2022 +1200

    s4:kdc: Remove kadmin mode from HDB plugin
    
    It appears we no longer require it.
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andreas Schneider <asn at samba.org>

commit 42ba919c06c24c42ef123304de0c2ca8c689591a
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Thu May 26 16:36:30 2022 +1200

    CVE-2022-32744 s4:kdc: Rename keytab_name -> kpasswd_keytab_name
    
    This makes explicitly clear the purpose of this keytab.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15074
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    
    [jsutton at samba.org Fixed conflicts due to lacking HDBGET support]

commit d40593be83144713cfc43e4eb1c7bc2d925a0da0
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Wed May 25 20:00:55 2022 +1200

    CVE-2022-2031 s4:kdc: Don't use strncmp to compare principal components
    
    We would only compare the first 'n' characters, where 'n' is the length
    of the principal component string, so 'k at REALM' would erroneously be
    considered equal to 'krbtgt at REALM'.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andreas Schneider <asn at samba.org>
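
The comparison flaw described in the commit message above, shown beside a length-checked form. This is an added example, not code from the Samba tree; the struct, the function names and the sample components are hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical length-counted name component: `data` is not guaranteed to
 * be NUL-terminated and `length` comes from the decoded request. */
struct name_component {
    const char *data;
    size_t length;
};

/* Flawed pattern: only the first `length` bytes are compared, so every
 * prefix of `expected` (including the empty component) matches. */
static bool component_is_flawed(const struct name_component *c,
                                const char *expected)
{
    return strncmp(c->data, expected, c->length) == 0;
}

/* Hardened form: the lengths must be equal before the bytes are compared.
 * memcmp() also treats an embedded NUL as ordinary data. */
static bool component_is(const struct name_component *c, const char *expected)
{
    size_t expected_len = strlen(expected);

    if (c->data == NULL || c->length != expected_len) {
        return false;
    }
    return expected_len == 0 || memcmp(c->data, expected, expected_len) == 0;
}

/* Constructed sample components (not taken from any real request). */
static const struct name_component samples[] = {
    { "krbtgt", 6 },    /* exact match */
    { "k", 1 },         /* one-character prefix */
    { "krb", 3 },       /* longer prefix */
    { "", 0 },          /* empty component */
    { "krbtgt\0x", 8 }, /* embedded NUL followed by extra data */
    { "krbtgtX", 7 },   /* longer than the expected name */
};

int main(void)
{
    size_t i;

    printf("%-10s %-6s %-8s %s\n", "component", "length", "strncmp", "hardened");
    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        printf("%-10.*s %-6zu %-8d %d\n",
               (int)samples[i].length, samples[i].data, samples[i].length,
               component_is_flawed(&samples[i], "krbtgt"),
               component_is(&samples[i], "krbtgt"));
    }
    return 0;
}
```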

commit 389851bcf399f9511e2cb797350c37ce91aa5849
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Jun 14 15:23:55 2022 +1200

    CVE-2022-2031 tests/krb5: Test truncated forms of server principals
    
    We should not be able to use krb at REALM instead of krbtgt at REALM.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    
    [jsutton at samba.org Fixed conflicts due to having older version of
     _run_as_req_enc_timestamp()]

commit abdac4241dd08dd90a08db877edd799f3833c2b4
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Mon May 30 19:18:17 2022 +1200

    CVE-2022-2031 s4:kdc: Reject tickets during the last two minutes of their life
    
    For Heimdal, this now matches the behaviour of Windows. The object of
    this requirement is to ensure we don't allow kpasswd tickets, not having
    a lifetime of more than two minutes, to be passed off as TGTs.
    
    An existing requirement for TGTs to contain a REQUESTER_SID PAC buffer
    suffices to prevent kpasswd ticket misuse, so this is just an additional
    precaution on top.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    
    [jsutton at samba.org As we don't have access to the ticket or the request
     in the plugin, rewrote check directly in Heimdal KDC]

commit 531e7b596d35785bee61f3b4289e38ece1530f94
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue May 24 17:53:49 2022 +1200

    CVE-2022-2031 s4:kdc: Limit kpasswd ticket lifetime to two minutes or less
    
    This matches the behaviour of Windows.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    
    [jsutton at samba.org Adapted entry to entry_ex->entry; included
     samba_kdc.h header file]
    
    [jsutton at samba.org Fixed conflicts]

commit 3cab62893668742781551dae6505558e47cf08b5
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Wed May 18 16:56:01 2022 +1200

    CVE-2022-2031 s4:kdc: Fix canonicalisation of kadmin/changepw principal
    
    Since this principal goes through the samba_kdc_fetch_server() path,
    setting the canonicalisation flag would cause the principal to be
    replaced with the sAMAccountName; this meant requests to
    kadmin/changepw at REALM would result in a ticket to krbtgt at REALM. Now we
    properly handle canonicalisation for the kadmin/changepw principal.
    
    View with 'git show -b'.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047
    
    Pair-Programmed-With: Andreas Schneider <asn at samba.org>
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    
    [jsutton at samba.org Adapted entry to entry_ex->entry; removed MIT KDC
     1.20-specific knownfails]

commit fa4742e1b9dea0b9c379f00666478bd41c021634
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Wed May 25 17:19:58 2022 +1200

    CVE-2022-2031 s4:kdc: Refactor samba_kdc_get_entry_principal()
    
    This eliminates some duplicate branches.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Pair-Programmed-With: Andreas Schneider <asn at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>

commit f68877af829bf73da8e965c9458a9846d1757038
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Wed May 18 16:56:01 2022 +1200

    CVE-2022-2031 s4:kdc: Split out a samba_kdc_get_entry_principal() function
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    
    [jsutton at samba.org Adapted entry to entry_ex->entry]
    
    [jsutton at samba.org Fixed conflicts caused by superfluous whitespace]

commit 36d94ffb9c99f3e515024424020e3e03e98f34f5
Author: Andreas Schneider <asn at samba.org>
Date:   Tue May 24 09:54:18 2022 +0200

    CVE-2022-2031 s4:kdc: Implement is_kadmin_changepw() helper function
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    
    [jsutton at samba.org Adapted entry to entry_ex->entry]

commit 91a1b0955a053f73e6d531f0f12eaa604aca79d7
Author: Andreas Schneider <asn at samba.org>
Date:   Thu May 19 16:35:28 2022 +0200

    CVE-2022-2031 testprogs: Add kadmin/changepw canonicalization test with MIT kpasswd
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>

commit b5adf7cc6d740c8f4f7b5888f106de24a1181da7
Author: Andreas Schneider <asn at samba.org>
Date:   Tue May 24 10:17:00 2022 +0200

    CVE-2022-2031 testprogs: Fix auth with smbclient and krb5 ccache
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    
    [jsutton at samba.org Fixed conflict and renamed --use-krb5-ccache to
     --krb5-ccache]

commit 69e742e6208bd471eb509795bd753a0c98392bf6
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Wed May 18 17:11:49 2022 +1200

    s4:kpasswd: Restructure code for clarity
    
    View with 'git show -b'.
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andreas Schneider <asn at samba.org>

commit 6c4fd575d706b2695090941ad7947b30abdb9071
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Wed May 18 16:52:41 2022 +1200

    CVE-2022-2031 s4:kpasswd: Require an initial ticket
    
    Ensure that for password changes the client uses an AS-REQ to get the
    ticket to kpasswd, and not a TGS-REQ.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15049
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    
    [jsutton at samba.org Removed MIT KDC 1.20-specific knownfails]

commit 198256e2184897300e1cea4343437c3b7b6f74ad
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Wed May 18 16:06:31 2022 +1200

    CVE-2022-2031 gensec_krb5: Add helper function to check if client sent an initial ticket
    
    This will be used in the kpasswd service to ensure that the client has
    an initial ticket to kadmin/changepw, and not a service ticket.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15049
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andreas Schneider <asn at samba.org>

commit cf749fac346ef59c91a9ea87f5e7ddec2e5649c7
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Wed May 18 16:49:43 2022 +1200

    CVE-2022-2031 s4:kpasswd: Return a kpasswd error code in KRB-ERROR
    
    If we attempt to return an error code outside of Heimdal's allowed range
    [KRB5KDC_ERR_NONE, KRB5_ERR_RCSID), it will be replaced with a GENERIC
    error, and the error text will be set to the meaningless result of
    krb5_get_error_message(). Avoid this by ensuring the error code is in
    the correct range.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15049
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15074
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andreas Schneider <asn at samba.org>

commit cf9e37604409ba0c3c5904af40beb2975c309ad4
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Fri May 27 19:29:34 2022 +1200

    CVE-2022-2031 lib:krb5_wrap: Generate valid error codes in smb_krb5_mk_error()
    
    The error code passed in will be an offset from ERROR_TABLE_BASE_krb5,
    so we need to subtract that before creating the error. Heimdal does this
    internally, so it isn't needed there.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15049
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15074
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andreas Schneider <asn at samba.org>

commit 3a8da51396f3bf9d4caf8dbd4e75a0314aa47046
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Wed May 18 16:48:59 2022 +1200

    CVE-2022-2031 s4:kpasswd: Don't return AP-REP on failure
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15049
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15074
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    
    [jsutton at samba.org Removed MIT KDC 1.20-specific knownfails]

commit 29ec8b2369b5f5e2a660a3165d2528982514a0f2
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Fri May 27 19:21:06 2022 +1200

    CVE-2022-2031 s4:kpasswd: Correctly generate error strings
    
    The error_data we create already has an explicit length, and should not
    be zero-terminated, so we omit the trailing null byte. Previously,
    Heimdal builds would leave a superfluous trailing null byte on error
    strings, while MIT builds would omit the final character.
    
    The two bytes added to the string's length are for the prepended error
    code.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15049
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15074
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    
    [jsutton at samba.org Removed MIT KDC 1.20-specific knownfails]

commit 450ff39d1c9f538bd828b7b2bee75c88d3dc1ee2
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue May 24 19:59:16 2022 +1200

    CVE-2022-2031 tests/krb5: Add tests for kpasswd service
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15049
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15074
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    
    [jsutton at samba.org Fixed conflicts in usage.py and knownfails; removed
     MIT KDC 1.20-specific knownfails as it's not supported]
    
    [jsutton at samba.org Fixed conflicts in usage.py, knownfails, and
     tests.py]

commit cf2d5d2ab382ea31e2c14f2da3a575ef0857e126
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Thu May 26 16:35:03 2022 +1200

    CVE-2022-32744 selftest: Specify Administrator kvno for Python krb5 tests
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15074
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andreas Schneider <asn at samba.org>

commit 668825ad56ff70715c626bc3209a6868409e4969
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue May 24 19:57:57 2022 +1200

    CVE-2022-2031 tests/krb5: Add kpasswd_exchange() method
    
    Now we can test the kpasswd service from Python.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15049
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15074
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    
    [jsutton at samba.org Fixed conflicts in imports]

commit 5c41e20fae268e04aa05e821c7f388ea090727af
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue May 24 19:34:59 2022 +1200

    CVE-2022-2031 tests/krb5: Allow requesting a TGT to a different sname and realm
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15049
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15074
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    
    [jsutton at samba.org Fixed conflict due to lacking rc4_support parameter]
    
    [jsutton at samba.org Fixed conflicts due to lacking client_name_type and
     expected_cname parameters]

commit 5b030b176b853938b1895ec255e838147d8e7fa9
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue May 24 19:30:12 2022 +1200

    tests/krb5: Add option for creating accounts with expired passwords
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andreas Schneider <asn at samba.org>

commit ca582250fcaf2ad3c585f7e31a1a4ce568b7ddb7
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue May 24 19:26:56 2022 +1200

    tests/krb5: Fix enum typo
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andreas Schneider <asn at samba.org>

commit 13fe7e013eccca2c86258084f4443ddb7abaf089
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue May 24 19:20:28 2022 +1200

    CVE-2022-2031 tests/krb5: Add methods to send and receive generic messages
    
    This allows us to send and receive kpasswd messages, while avoiding the
    existing logic for encoding and decoding other Kerberos message types.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15049
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15074
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andreas Schneider <asn at samba.org>

commit ae7dd875cd4362ed4346716db493164c421b889f
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue May 24 19:21:37 2022 +1200

    CVE-2022-2031 tests/krb5: Add 'port' parameter to connect()
    
    This allows us to use the kpasswd port, 464.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15049
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15074
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andreas Schneider <asn at samba.org>

commit 695c662bdc286d7a4699025f00656f8339ceecd8
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue May 24 19:17:45 2022 +1200

    CVE-2022-2031 tests/krb5: Add methods to create ASN1 kpasswd structures
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15049
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15074
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andreas Schneider <asn at samba.org>

commit f7fad997cc06a14c9ffd101b26e16598f334148b
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue May 24 19:13:54 2022 +1200

    CVE-2022-2031 tests/krb5: Add new definitions for kpasswd
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15049
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15074
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andreas Schneider <asn at samba.org>

commit 245d9a42329a1bfeb3db8431ef105e7758080e14
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue May 24 19:06:53 2022 +1200

    CVE-2022-32744 tests/krb5: Correctly calculate salt for pre-existing accounts
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15074
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andreas Schneider <asn at samba.org>

commit 8917979641abb03ef858ba72b652178475b6e918
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Thu May 26 20:52:04 2022 +1200

    CVE-2022-2031 tests/krb5: Split out _make_tgs_request()
    
    This allows us to make use of it in other tests.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    
    [jsutton at samba.org Fixed conflicts due to having older version of
     _make_tgs_request()]

commit 6305a55870287191ce4268f6af7fe278ca7f2a30
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Thu May 26 16:34:01 2022 +1200

    CVE-2022-32744 tests/krb5: Correctly handle specifying account kvno
    
    The environment variable is a string, but we expect an integer.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15074
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andreas Schneider <asn at samba.org>

commit f6c5a60336de8fd67a2ef371dd2ee4cf75c53904
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Mon May 30 19:17:41 2022 +1200

    CVE-2022-2031 s4:kpasswd: Add MIT fallback for decoding setpw structure
    
    The target principal and realm fields of the setpw structure are
    supposed to be optional, but in MIT Kerberos they are mandatory. For
    better compatibility and ease of testing, fall back to parsing the
    simpler (containing only the new password) structure if the MIT function
    fails to decode it.
    
    Although the target principal and realm fields should be optional, one
    is not supposed to be specified without the other, so we don't have to deal
    with the case where only one is specified.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15049
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15074
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andreas Schneider <asn at samba.org>

commit 1b38a28bcaebdae0128518605a422a194747a60f
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Fri May 27 19:17:02 2022 +1200

    CVE-2022-2031 s4:kpasswd: Account for missing target principal
    
    This field is supposed to be optional.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15049
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15074
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andreas Schneider <asn at samba.org>

commit 6843c44a45044808f90687f85183e7111a465d1f
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Thu Jun 16 10:33:29 2022 +1200

    heimdal:kdc: Accommodate NULL data parameter in krb5_pac_get_buffer()
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>

commit c0395578c50fbc4f1946e2f5a065d94f67212eb0
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Wed Jun 15 19:37:39 2022 +1200

    CVE-2022-2031 s4:kdc: Add MIT support for ATTRIBUTES_INFO and REQUESTER_SID PAC buffers
    
    So that we do not confuse TGTs and kpasswd tickets, it is critical to
    check that the REQUESTER_SID buffer exists in TGTs, and to ensure that
    it is not propagated to service tickets.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    
    [jsutton at samba.org Brought in changes to add ATTRIBUTES_INFO and
     REQUESTER_SID buffers to new PACs, and updated knownfails]
    
    [jsutton at samba.org Adjusted MIT knownfails]

commit bff1978187d530164888f2a0c3daa3d6a4ae2245
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Fri Mar 4 16:57:27 2022 +1300

    selftest: Simplify krb5 test environments
    
    It's not necessary to repeat the required environment variables for
    every test.
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    (cherry picked from commit e729606631b5bfaf7c4ad8c1e70697adf8274777)
    
    [jsutton at samba.org Fixed conflicts caused by missing check_cname,
     check_padata and fast_support variables]
    
    [jsutton at samba.org Fixed conflicts]

commit c0977bee5b8c2f72cb5467e95a6ab034f696eee7
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Feb 8 12:15:36 2022 +1300

    tests/krb5: Add helper function to modify ticket flags
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    (cherry picked from commit ded5115f73dff5b8b2f3212988e03f9dbe0c2aa3)

commit 787405ef59b70cef011f005a6ed98898c5d43adb
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Dec 14 19:16:00 2021 +1300

    tests/krb5: Correctly determine whether tickets are service tickets
    
    Previously we expected tickets to contain a ticket checksum if the sname
    was not the krbtgt. However, the ticket checksum should not be present
    if we are performing an AS-REQ to our own account. Now we determine a
    ticket is a service ticket only if the request is also a TGS-REQ.
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    (cherry picked from commit 100be7eb8e70ba270a8e92957a5e47466160a901)

commit 3fc519edec0159535baa0b659861b73f40632110
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Dec 7 13:15:38 2021 +1300

    kdc: Canonicalize realm for enterprise principals
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    
    Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
    Autobuild-Date(master): Tue Dec  7 04:54:35 UTC 2021 on sn-devel-184
    
    (cherry picked from commit 8bd7b316bd61ef35f6e0baa0b65f0ef00910112c)

commit 49aafce0a705d47ffd4753ce6c6f452c4f7aa882
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Wed Nov 24 20:41:54 2021 +1300

    kdc: Require that PAC_REQUESTER_SID buffer is present for TGTs
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    
    Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
    Autobuild-Date(master): Tue Nov 30 03:33:26 UTC 2021 on sn-devel-184
    
    (cherry picked from commit 38c5bad4a853b19fe9a51fb059e150b153c4632a)

commit 65bb0e3201d60d87a3f228ea161644d9a5f918c5
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Nov 23 19:38:35 2021 +1300

    heimdal:kdc: Do not generate extra PAC buffers for S4U2Self service ticket
    
    Normally samba_wdc_get_pac() is used to generate the PAC for a TGT, but
    when generating a service ticket for S4U2Self, we want to avoid adding
    the additional PAC_ATTRIBUTES_INFO and PAC_REQUESTER_SID buffers.
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    (cherry picked from commit 9bd26804852d957f81cb311e5142f9190f9afa65)

commit 8585333a8ef54295a60faf47689a8978c0740361
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Thu Nov 25 09:29:42 2021 +1300

    selftest: Properly check extra PAC buffers with Heimdal
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    (cherry picked from commit ee4aa21c487fa80082a548b2e4f115a791e30340)
    
    [jsutton at samba.org Fixed conflicts]

commit 8f97f78dd8023d88d76fc7de063661d94ebe5400
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Nov 23 17:30:50 2021 +1300

    heimdal:kdc: Always generate a PAC for S4U2Self
    
    If we decided not to put a PAC into the ticket, mspac would be NULL
    here, and the resulting ticket would not contain a PAC. This could
    happen if there was a request to omit the PAC or the service did not
    require authorization data. Ensure that we always generate a PAC.
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    (cherry picked from commit 1f4f3018c5001b289b91959a72d00575c8fc0ac1)

commit d3436300745c41226d7ed146f269c929133f8f49
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Thu Nov 25 12:46:40 2021 +1300

    tests/krb5: Add a test for S4U2Self with no authorization data required
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    (cherry picked from commit 192d6edfe912105ec344dc554f872a24c03540a3)

commit 29f15fe2d92831dcf5f4eb6d295df866ff689ee3
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Thu Nov 25 10:53:49 2021 +1300

    kdc: Remove PAC_TYPE_ATTRIBUTES_INFO from RODC-issued tickets
    
    Windows ignores PAC_TYPE_ATTRIBUTES_INFO and always issues a PAC when
    presented with an RODC-issued TGT. By removing this PAC buffer from
    RODC-issued tickets, we ensure that an RODC-issued ticket will still
    result in a PAC if it is first renewed or validated by the main DC.
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    (cherry picked from commit 4b60e9516497c2e7f1545fe50887d0336b9893f2)

commit 72afa2641c24bd18a32463f0b0de7e91feb54290
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Wed Nov 24 20:42:22 2021 +1300

    kdc: Don't include extra PAC buffers in service tickets
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    (cherry picked from commit 90025b6a4d250a15c0f988a9a9150ecfb63069ef)

commit 925f63f3e464c0fdb91aaa5ed523a6ddb481bfff
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Thu Nov 25 13:24:57 2021 +1300

    Revert "CVE-2020-25719 s4/torture: Expect additional PAC buffers"
    
    This reverts commit fa4c9bcefdeed0a7106aab84df20b02435febc1f.
    
    We should not be generating these additional PAC buffers for service
    tickets, only for TGTs.
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    (cherry picked from commit e61983c7f2c4daade83b237efb990d0c0645b3a3)

commit 4cd44326ce38187965c46c71322caedb7a2fbf6c
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Thu Nov 25 10:32:44 2021 +1300

    tests/krb5: Add tests for renewal and validation of RODC TGTs with PAC requests
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    (cherry picked from commit 73a48063469205099f02efdf3b8f0f1040dc7a3d)

commit 93a5264dd68da57e172af50020f670631eeef263
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Nov 23 20:15:41 2021 +1300

    kdc: Always add the PAC if the header TGT is from an RODC
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    (cherry picked from commit 690a00a40c0a3f77da6e4dca42b630f2793a98b8)

commit 46b05cbf803c54cf56dca228fe95a3454027d0cc
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Nov 23 20:00:07 2021 +1300

    kdc: Match Windows error code for mismatching sname
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    (cherry picked from commit b6a25f5f016aef39c3b1d7be8b3ecfe021c03c83)

commit c62a2b7a218e2c4bdbd476a055049e78b8c0f4ce
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Thu Nov 25 10:05:17 2021 +1300

    tests/krb5: Add test for S4U2Self with wrong sname
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    (cherry picked from commit bac5f75059450898937be891e863826e1350b62c)

commit 5556f97c782c9be9af47c76f2432bb8480bc0622
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Wed Nov 24 20:41:45 2021 +1300

    kdc: Adjust SID mismatch error code to match Windows
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    (cherry picked from commit d5d22bf84a71492342287e54b555c9f024e7e71c)

commit 02ceb9be33dca0e3a885fd7d85b1199f76e04670
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Wed Nov 24 20:41:34 2021 +1300

    heimdal:kdc: Adjust no-PAC error code to match Windows
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    (cherry picked from commit f7a2fef8f49a86f63c3dc2f6a2d7d979fb53238a)

commit 33d5e5ad3a06ca6a1a62e64d323580ca60f068b8
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Thu Nov 18 16:22:34 2021 +1300

    s4:torture: Fix typo
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    (cherry picked from commit 9cfb88ba04818b5e9cec3c96422e8e4a3080d490)

commit 6dbed53756f6bac8f63847644b3e9cbb7b6181b0
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Thu Nov 18 13:14:51 2021 +1300

    heimdal:kdc: Fix error message for user-to-user
    
    We were checking the wrong variable to see whether a PAC was found or not.
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    (cherry picked from commit 11fb9476ad3c09415d12b3cdf7934c293cbefcb2)

commit 69233dd323b1ce715387e6015542ed234d909295
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Wed Nov 24 15:32:32 2021 +1300

    tests/krb5: Add comments for tests that fail against Windows
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    (cherry picked from commit 749349efab9b401d33a4fc286473a924364a41c9)

commit 3fdfbd08b9460fb486f100d7091984f41ebd9429
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Wed Nov 24 13:10:52 2021 +1300

    tests/krb5: Add tests for validation with requester SID PAC buffer
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    (cherry picked from commit ca80c47406e0f2b6fac2c55229306e21ccef9745)

commit 5375e2b99cd5fd9e40d6d5f94eb7d46f366f525e
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Wed Nov 24 12:37:08 2021 +1300

    tests/krb5: Align PAC buffer checking to more closely match Windows with PacRequestorEnforcement=2
    
    We set EXPECT_EXTRA_PAC_BUFFERS to 0 for the moment. This signifies that
    these checks are currently not enforced, which avoids a lot of test
    failures.
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    (cherry picked from commit ebc9137cee94dee9dcf0e47d5bc0dc83de7aaaa1)
    
    [jsutton at samba.org Fixed conflicts]

commit 1d616e8e9c0dceabebd1f079fc4d652d6bf2060d
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Wed Nov 24 12:09:18 2021 +1300

    tests/krb5: Add TGS-REQ tests with FAST
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    (cherry picked from commit ec823c2a83c639f1d7c422153a53d366750e5f2a)

commit 645d30ff371fdf3e16cb1fa69f2e93a848d20bdb
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Wed Nov 24 12:10:45 2021 +1300

    tests/krb5: Add tests for TGS requests with a non-TGT
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    (cherry picked from commit 778029c1dc443b87f4ed4b9d2c613d0e6fc45b0d)

commit eb0ed5f4f6d725c49fda97bc8f7aae89f90bd913
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Nov 30 09:26:40 2021 +1300

    tests/krb5: Add tests for invalid TGTs
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    (cherry picked from commit 7574ba9f580fca552b80532a49d00e657fbdf4fd)
    
    [jsutton at samba.org Removed some MIT knownfail changes]

commit ea82822a5c451df50feed15c5da3501df2b5c106
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Wed Nov 24 12:04:36 2021 +1300

    tests/krb5: Remove unnecessary expect_pac arguments
    
    The value of expect_pac is not considered if we are expecting an error.
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    (cherry picked from commit 28d501875a98fa2817262eb8ec68bf91528428c2)

commit 1e9ad4246ce7fe7a212da4357e6e11c5ac22a8b2
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Wed Nov 24 11:52:31 2021 +1300

    tests/krb5: Adjust error codes to better match Windows with PacRequestorEnforcement=2
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    (cherry picked from commit d95705172bcf6fe24817800a4c0009e9cc8be595)
    
    [jsutton at samba.org Fixed MIT knownfail conflict]

commit 651db77b1c19c036cf229c44b764b0155e1dc399
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Wed Nov 24 11:40:35 2021 +1300

    tests/krb5: Split out methods to create renewable or invalid tickets
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    (cherry picked from commit e930274aa43810d6485c3c8a7c82958ecb409630)

commit bf1aa0927895b1007ecea738681235b5be2e6208
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Wed Nov 24 11:37:35 2021 +1300

    tests/krb5: Allow PasswordKey_create() to use s2kparams
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    (cherry picked from commit a560c2e9ad8abb824d1805c86c656943745f81eb)

commit 3d48ade670bb5b026d7bc0a26a4fa6775b21653b
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Wed Nov 24 16:02:00 2021 +1300

    tests/krb5: Run test_rpc against member server
    
    We were instead always running against the DC.
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    (cherry picked from commit 167bd2070483004cd0b9a96ffb40ea73c6ddf579)

commit 837453d34799f44653d0d6d690d3e3d5eb074993
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Wed Nov 24 11:34:11 2021 +1300

    tests/krb5: Deduplicate AS-REQ tests
    
    salt_tests was running the tests defined in the base class as well as
    its own tests.
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    (cherry picked from commit f0b222e3ecf72c8562bc97bedd9f3a92980b60d5)

commit 6a4ed078902dcc57ab14f701c88e76ec0ac375e7
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Wed Nov 24 11:53:18 2021 +1300

    tests/krb5: Remove unused variable
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    (cherry picked from commit 57b1b76154d699b9d70ad04fa5e94c4b30f0e4bf)

commit b4005403032b0b33ca88d3abcbf085621b32bd5b
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Wed Nov 24 11:30:38 2021 +1300

    selftest: Check received LDB error code when STRICT_CHECKING=0
    
    We were instead only checking the expected error.
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    (cherry picked from commit ad4d6fb01fd8083e68f07c427af8932574810cdc)

commit 06a0a75b16bace9c29568653d9e4bde4050c5ee5
Author: Andreas Schneider <asn at samba.org>
Date:   Tue Dec 21 12:17:11 2021 +0100

    s4:kdc: Also canonicalize krbtgt principals when enforcing canonicalization
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    (cherry picked from commit f1ec950aeb47283a504018bafa21f54c3282e70c)

commit 34eb92a2066cc403aac5a3708257b04a40ba19ee
Author: Isaac Boukris <iboukris at gmail.com>
Date:   Sat Sep 19 14:16:20 2020 +0200

    s4:mit-kdb: Force canonicalization for looking up principals
    
    See also
    https://github.com/krb5/krb5/commit/ac8865a22138ab0c657208c41be8fd6bc7968148
    
    Pair-Programmed-With: Andreas Schneider <asn at samba.org>
    Signed-off-by: Isaac Boukris <iboukris at gmail.com>
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Alexander Bokovoy <ab at samba.org>
    
    Autobuild-User(master): Andreas Schneider <asn at cryptomilk.org>
    Autobuild-Date(master): Mon Nov 29 09:32:26 UTC 2021 on sn-devel-184
    
    (cherry picked from commit 90febd2a33b88af49af595fe0e995d6ba0f33a1b)
    
    [jsutton at samba.org Removed MIT knownfail changes]

commit 65d96369fa4f915f01e203cfc8b15e48c5b4b440
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Fri Jun 3 16:16:31 2022 +1200

    CVE-2022-32745 s4/dsdb/util: Correctly copy values into message element
    
    To use memcpy(), we need to specify the number of bytes to copy, rather
    than the number of ldb_val structures.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15008
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>

commit 4d2d30c21b16a53d5547cb803efe49cb6304ce37
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Thu Feb 17 11:13:38 2022 +1300

    CVE-2022-32745 s4/dsdb/util: Don't call memcpy() with a NULL pointer
    
    Doing so is undefined behaviour.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15008
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>

commit 7c8427e5d2f247921ab44996829acfed1f5f2360
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Thu Feb 17 11:11:53 2022 +1300

    CVE-2022-32745 s4/dsdb/util: Use correct value for loop count limit
    
    Currently, we can crash the server by sending a large number of values
    of a specific attribute (such as sAMAccountName) spread across a few
    message elements. If val_count is larger than the total number of
    elements, we get an access beyond the elements array.
    
    Similarly, we can include unrelated message elements prior to the
    message elements of the attribute in question, so that not all of the
    attribute's values are copied into the returned elements values array.
    This can cause the server to access uninitialised data, likely resulting
    in a crash or unexpected behaviour.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15008
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>

commit 6237c85565332e0be1890dd57cc7e25fb76571d7
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Wed Feb 16 17:03:10 2022 +1300

    CVE-2022-32745 s4/dsdb/samldb: Check for empty values array
    
    This avoids potentially trying to access the first element of an empty
    array.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15008
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>

commit 7270b68386692829f97d5c51c50108db395b263e
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Tue Jun 14 15:43:26 2022 +1200

    CVE-2022-32746 ldb: Release LDB 2.3.4
    
    * CVE-2022-32746 Use-after-free occurring in database audit logging module (bug 15009)
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15009
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>

commit f419753d1c7a373fb32ffe20930a6e084e44b44d
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Mon Feb 21 16:27:37 2022 +1300

    CVE-2022-32746 ldb: Make use of functions for appending to an ldb_message
    
    This aims to minimise usage of the error-prone pattern of searching for
    a just-added message element in order to make modifications to it (and
    potentially finding the wrong element).
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15009
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>

commit 512a2617b1593bdc16caeeeda4312a581cbb34e9
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Wed Feb 16 16:30:03 2022 +1300

    CVE-2022-32746 ldb: Add functions for appending to an ldb_message
    
    Currently, there are many places where we use ldb_msg_add_empty() to add
    an empty element to a message, and then call ldb_msg_add_value() or
    similar to add values to that element. However, this performs an
    unnecessary search of the message's elements to locate the new element.
    Moreover, if an element with the same attribute name already exists
    earlier in the message, the values will be added to that element,
    instead of to the intended newly added element.
    
    A similar pattern exists where we add values to a message, and then call
    ldb_msg_find_element() to locate that message element and set its flags
    to (e.g.) LDB_FLAG_MOD_REPLACE. This also performs an unnecessary
    search, and may locate the wrong message element for setting the flags.
    
    To avoid these problems, add functions for appending a value to a
    message, so that a particular value can be added to the end of a message
    in a single operation.
    
    For ADD requests, it is important that no two message elements share the
    same attribute name, otherwise things will break. (Normally,
    ldb_msg_normalize() is called before processing the request to help
    ensure this.) Thus, we must be careful not to append an attribute to an
    ADD message, unless we are sure (e.g. through ldb_msg_find_element())
    that an existing element for that attribute is not present.
    
    These functions will be used in the next commit.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15009
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
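
The add-then-search pattern described in the commit message above, next to a single-operation append, as an added example that is not code from Samba or ldb. The `ex_*` types and functions are hypothetical stand-ins for an ldb message and its helpers, using fixed-size arrays so the block runs on its own.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define EX_MAX_ELEMENTS 8
#define EX_MAX_VALUES   4
#define EX_MOD_ADD      1   /* constructed flag values for this example */
#define EX_MOD_REPLACE  2

struct ex_el {
    const char *name;
    unsigned flags;
    unsigned num_values;
    const char *values[EX_MAX_VALUES];
};

struct ex_msg {
    unsigned num_elements;
    struct ex_el elements[EX_MAX_ELEMENTS];
};

/* Linear search by attribute name: returns the FIRST match. */
static struct ex_el *ex_find(struct ex_msg *msg, const char *name)
{
    for (unsigned i = 0; i < msg->num_elements; i++) {
        if (strcmp(msg->elements[i].name, name) == 0) {
            return &msg->elements[i];
        }
    }
    return NULL;
}

/* Append an empty element to the end of the message. */
static struct ex_el *ex_add_empty(struct ex_msg *msg, const char *name,
                                  unsigned flags)
{
    if (msg->num_elements == EX_MAX_ELEMENTS) {
        return NULL;
    }
    struct ex_el *el = &msg->elements[msg->num_elements++];
    memset(el, 0, sizeof(*el));
    el->name = name;
    el->flags = flags;
    return el;
}

/* Error-prone pattern: add an empty element, then look it up by name.
 * If an earlier element has the same name, the value lands there. */
static int ex_add_then_search(struct ex_msg *msg, const char *name,
                              unsigned flags, const char *value)
{
    if (ex_add_empty(msg, name, flags) == NULL) {
        return -1;
    }
    struct ex_el *el = ex_find(msg, name);
    if (el->num_values == EX_MAX_VALUES) {
        return -1;
    }
    el->values[el->num_values++] = value;
    return 0;
}

/* Single operation: the value goes into the element just created. */
static int ex_append(struct ex_msg *msg, const char *name,
                     unsigned flags, const char *value)
{
    struct ex_el *el = ex_add_empty(msg, name, flags);
    if (el == NULL) {
        return -1;
    }
    el->values[el->num_values++] = value;
    return 0;
}

struct ex_outcome {
    unsigned first_values;  /* values in the pre-existing element */
    unsigned new_values;    /* values in the newly added element */
};

/* Build a message that already holds "description", then add a second
 * "description" element with one value using either pattern. */
struct ex_outcome ex_run_case(bool single_operation)
{
    struct ex_msg msg = { 0 };
    struct ex_outcome out = { 0, 0 };

    ex_append(&msg, "description", EX_MOD_ADD, "old");
    if (single_operation) {
        ex_append(&msg, "description", EX_MOD_REPLACE, "new");
    } else {
        ex_add_then_search(&msg, "description", EX_MOD_REPLACE, "new");
    }
    out.first_values = msg.elements[0].num_values;
    out.new_values = msg.elements[1].num_values;
    return out;
}

int main(void)
{
    struct ex_outcome a = ex_run_case(false);
    struct ex_outcome b = ex_run_case(true);
    printf("add-then-search: first=%u new=%u\n", a.first_values, a.new_values);
    printf("single append:   first=%u new=%u\n", b.first_values, b.new_values);
    return 0;
}
```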

commit 4e5fb78c3dcff60aa8fd4b07dad4660bbb30532b
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Wed Feb 16 12:35:13 2022 +1300

    CVE-2022-32746 ldb: Ensure shallow copy modifications do not affect original message
    
    Using the newly added ldb flag, we can now detect when a message has
    been shallow-copied so that its elements share their values with the
    original message elements. Then when adding values to the copied
    message, we now make a copy of the shared values array first.
    
    This should prevent a use-after-free that occurred in LDB modules when
    new values were added to a shallow copy of a message by calling
    talloc_realloc() on the original values array, invalidating the 'values'
    pointer in the original message element. The original values pointer can
    later be used in the database audit logging module which logs database
    requests, and potentially cause a crash.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15009
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>

commit faa61ab3053d077ac9d0aa67e955217e85b660f4
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Mon Feb 21 16:10:32 2022 +1300

    CVE-2022-32746 ldb: Add flag to mark message element values as shared
    
    When making a shallow copy of an ldb message, mark the message elements
    of the copy as sharing their values with the message elements in the
    original message.
    
    This flag value will be heeded in the next commit.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15009
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
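
A simplified model of the shared-values marker and the copy-before-append behaviour described in the two commit messages above, as an added example that is not code from ldb. It uses `malloc()`/`realloc()` in place of talloc, and the `ex_*` names and the flag value `EX_FLAG_SHARED_VALUES` are hypothetical.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define EX_FLAG_SHARED_VALUES 0x200u  /* hypothetical marker bit */

struct ex_val {
    const char *data;
    size_t length;
};

struct ex_element {
    unsigned flags;
    unsigned num_values;
    struct ex_val *values;
};

/* Shallow copy: the copy points at the same values array as the original,
 * so it is marked as sharing that array. */
struct ex_element ex_shallow_copy(const struct ex_element *orig)
{
    struct ex_element copy = *orig;
    copy.flags |= EX_FLAG_SHARED_VALUES;
    return copy;
}

/* Append one value. A shared array is duplicated first, so the original
 * owner's pointer is never handed to realloc(). */
int ex_append_value(struct ex_element *el, const char *data)
{
    size_t new_count = (size_t)el->num_values + 1;
    struct ex_val *vals;

    if (el->flags & EX_FLAG_SHARED_VALUES) {
        vals = malloc(new_count * sizeof(*vals));
        if (vals == NULL) {
            return -1;
        }
        if (el->num_values > 0) {
            /* Size is in bytes, and the source is known to be non-NULL. */
            memcpy(vals, el->values, el->num_values * sizeof(*vals));
        }
        el->flags &= ~EX_FLAG_SHARED_VALUES;  /* the copy now owns its array */
    } else {
        vals = realloc(el->values, new_count * sizeof(*vals));
        if (vals == NULL) {
            return -1;
        }
    }
    vals[el->num_values].data = data;
    vals[el->num_values].length = strlen(data);
    el->values = vals;
    el->num_values++;
    return 0;
}

struct ex_result {
    bool copy_detached;    /* copy no longer points at the original array */
    bool original_intact;  /* original still holds its two values */
    bool flag_cleared;     /* copy is no longer marked as shared */
    unsigned copy_count;   /* number of values in the copy */
};

/* Constructed scenario: build an element, shallow-copy it, append to the
 * copy, then read the original the way a later logging step would. */
struct ex_result ex_shared_demo(void)
{
    struct ex_result r = { false, false, false, 0 };
    struct ex_element orig = { 0, 0, NULL };

    if (ex_append_value(&orig, "alice") != 0 ||
        ex_append_value(&orig, "bob") != 0) {
        free(orig.values);
        return r;
    }
    struct ex_element copy = ex_shallow_copy(&orig);
    if (ex_append_value(&copy, "carol") != 0) {
        free(orig.values);  /* copy still shares this array */
        return r;
    }
    r.copy_detached = (copy.values != orig.values);
    r.original_intact = orig.num_values == 2 &&
                        strcmp(orig.values[1].data, "bob") == 0;
    r.flag_cleared = (copy.flags & EX_FLAG_SHARED_VALUES) == 0;
    r.copy_count = copy.num_values;

    free(copy.values);
    free(orig.values);
    return r;
}

int main(void)
{
    struct ex_result r = ex_shared_demo();
    printf("detached=%d intact=%d cleared=%d copy_count=%u\n",
           r.copy_detached, r.original_intact, r.flag_cleared, r.copy_count);
    return 0;
}
```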

commit 49dd9042f4ee380fa1dafcebcb54d0e1f0852463
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Jun 14 21:12:39 2022 +1200

    CVE-2022-32746 s4/registry: Use LDB_FLAG_MOD_TYPE() for flags equality check
    
    Now unrelated flags will no longer affect the result.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15009
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>

commit bedd0b768c3f92645af033399aefd7ee971d9150
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Jun 14 21:11:33 2022 +1200

    CVE-2022-32746 s4/dsdb/tombstone_reanimate: Use LDB_FLAG_MOD_TYPE() for flags equality check
    
    Now unrelated flags will no longer affect the result.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15009
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>

commit 535b5a366a2ad054f729e57e282e402cf13b2efc
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Jun 14 19:49:19 2022 +1200

    CVE-2022-32746 s4/dsdb/repl_meta_data: Use LDB_FLAG_MOD_TYPE() for flags equality check
    
    Now unrelated flags will no longer affect the result.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15009
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>

commit 2869b5aa3148869edf0d079266542aef6e64608e
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Wed Feb 16 12:43:52 2022 +1300

    CVE-2022-32746 ldb:rdn_name: Use LDB_FLAG_MOD_TYPE() for flags equality check
    
    Now unrelated flags will no longer affect the result.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15009
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>

commit 0526d27e9eddd9c2a54434cf0dcdb136a6c659e4
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Jun 21 15:22:47 2022 +1200

    CVE-2022-32746 s4/dsdb/acl: Fix LDB flags comparison
    
    LDB_FLAG_MOD_* values are not actually flags, and the previous
    comparison was equivalent to
    
    (el->flags & LDB_FLAG_MOD_MASK) == 0
    
    which is only true if none of the LDB_FLAG_MOD_* values are set, so we
    would not successfully return if the element was a DELETE. Correct the
    expression to what it was intended to be.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15009
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>

commit 582ac171364f0c28f54eaf4f21b5bfa7569b5233
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Jun 21 14:49:51 2022 +1200

    CVE-2022-32746 s4:torture: Fix LDB flags comparison
    
    LDB_FLAG_MOD_* values are not actually flags, and the previous
    comparison was equivalent to
    
    (el->flags & LDB_FLAG_MOD_MASK) == 0
    
    which is only true if none of the LDB_FLAG_MOD_* values are set. Correct
    the expression to what it was probably intended to be.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15009
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>

commit a68553792a8512a2d266bbb86f064f78b5482a65
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Jun 21 14:41:02 2022 +1200

    CVE-2022-32746 s4/dsdb/partition: Fix LDB flags comparison
    
    LDB_FLAG_MOD_* values are not actually flags, and the previous
    comparison was equivalent to
    
    (req_msg->elements[el_idx].flags & LDB_FLAG_MOD_MASK) != 0
    
    which is true whenever any of the LDB_FLAG_MOD_* values are set. Correct
    the expression to what it was probably intended to be.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15009
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>

commit 51cbeff886fe01db463448f8655a43d10040dc8b
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Jun 21 15:37:15 2022 +1200

    CVE-2022-32746 s4:dsdb:tests: Add test for deleting a disallowed SPN
    
    If an account has an SPN that requires Write Property to set, we should
    still be able to delete it with just Validated Write.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15009
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>

commit 5d958156c7e5d6c1da61d18fe4fd105b22639b56
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Jun 14 21:09:53 2022 +1200

    CVE-2022-32746 s4/dsdb/objectclass_attrs: Fix typo
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15009
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
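
The "Fix LDB flags comparison" and "Use LDB_FLAG_MOD_TYPE() for flags equality check" commit messages above describe two ways a modify-type test can go wrong. The C program below is an added example, not code from this changeset or from Samba; the EX_* names and their numeric values are assumptions that model a modify type stored as a small enumeration in the low bits of a flags word.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/*
 * Assumed values for this example only: the modify type is an enumeration
 * in the low two bits, and an unrelated internal marker sits in a higher
 * bit. They model the LDB_FLAG_MOD_* scheme; they are not taken from the diff.
 * Note that ADD | REPLACE == DELETE == MASK, which is why treating these
 * values as independent bit flags cannot work.
 */
#define EX_MOD_MASK        0x3u
#define EX_MOD_TYPE(f)     ((f) & EX_MOD_MASK)
#define EX_MOD_ADD         1u
#define EX_MOD_REPLACE     2u
#define EX_MOD_DELETE      3u
#define EX_INTERNAL_SHARED 0x200u

typedef bool (*delete_check)(unsigned int flags);

/* The expression quoted in the acl and torture commit messages: true only
 * when no modify type is set, so it never recognises a DELETE. */
static bool check_masked_zero(unsigned int flags)
{
	return (flags & EX_MOD_MASK) == 0;
}

/* Equality on the whole word: correct until an unrelated bit is set. */
static bool check_raw_equality(unsigned int flags)
{
	return flags == EX_MOD_DELETE;
}

/* Extract the modify type first, then compare. */
static bool check_typed(unsigned int flags)
{
	return EX_MOD_TYPE(flags) == EX_MOD_DELETE;
}

/* Constructed sample flag words, each with whether it really is a DELETE. */
static const struct {
	unsigned int flags;
	bool is_delete;
} samples[] = {
	{ 0,                                   false },
	{ EX_MOD_ADD,                          false },
	{ EX_MOD_REPLACE,                      false },
	{ EX_MOD_DELETE,                       true  },
	{ EX_MOD_ADD | EX_INTERNAL_SHARED,     false },
	{ EX_MOD_REPLACE | EX_INTERNAL_SHARED, false },
	{ EX_MOD_DELETE | EX_INTERNAL_SHARED,  true  },
};

/* Count the samples for which a check disagrees with the ground truth. */
static size_t count_misclassified(delete_check check)
{
	size_t i, wrong = 0;

	for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
		if (check(samples[i].flags) != samples[i].is_delete) {
			wrong++;
		}
	}
	return wrong;
}

int main(void)
{
	printf("masked == 0  : %zu wrong\n", count_misclassified(check_masked_zero));
	printf("raw equality : %zu wrong\n", count_misclassified(check_raw_equality));
	printf("typed compare: %zu wrong\n", count_misclassified(check_typed));
	return 0;
}
```

The only sample the raw equality check gets wrong is the DELETE that also carries the unrelated high bit, which is the case the LDB_FLAG_MOD_TYPE() commits address.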

-----------------------------------------------------------------------

Summary of changes:
 VERSION                                            |    2 +-
 WHATSNEW.txt                                       |   74 +-
 auth/auth_sam_reply.c                              |    2 +-
 auth/auth_util.c                                   |    2 +-
 lib/krb5_wrap/krb5_samba.c                         |    2 +-
 lib/ldb/ABI/{ldb-2.0.5.sigs => ldb-2.3.4.sigs}     |    8 +
 ...pyldb-util-2.1.0.sigs => pyldb-util-2.3.4.sigs} |    0
 lib/ldb/common/ldb_msg.c                           |  260 ++++-
 lib/ldb/include/ldb.h                              |   30 +
 lib/ldb/include/ldb_module.h                       |    6 +
 lib/ldb/ldb_map/ldb_map.c                          |    5 +-
 lib/ldb/ldb_map/ldb_map_inbound.c                  |    9 +-
 lib/ldb/modules/rdn_name.c                         |   24 +-
 lib/ldb/wscript                                    |    2 +-
 librpc/idl/auth.idl                                |   23 +
 python/samba/tests/krb5/alias_tests.py             |    7 +-
 python/samba/tests/krb5/as_req_tests.py            |  199 ++--
 python/samba/tests/krb5/compatability_tests.py     |   10 +-
 python/samba/tests/krb5/kdc_base_test.py           |  129 ++-
 python/samba/tests/krb5/kdc_tgs_tests.py           |  795 +++++++++++----
 python/samba/tests/krb5/kpasswd_tests.py           | 1049 ++++++++++++++++++++
 .../krb5/ms_kile_client_principal_lookup_tests.py  |   39 +-
 python/samba/tests/krb5/raw_testcase.py            |  491 +++++++--
 python/samba/tests/krb5/rfc4120.asn1               |    6 +
 python/samba/tests/krb5/rfc4120_constants.py       |   14 +
 python/samba/tests/krb5/rfc4120_pyasn1.py          |   13 +-
 python/samba/tests/krb5/rodc_tests.py              |    4 +-
 python/samba/tests/krb5/s4u_tests.py               |  140 ++-
 python/samba/tests/krb5/salt_tests.py              |    4 +-
 python/samba/tests/krb5/test_rpc.py                |   17 +-
 python/samba/tests/usage.py                        |    1 +
 selftest/knownfail.d/kdc-enterprise                |   63 --
 selftest/knownfail_heimdal_kdc                     |   20 +-
 selftest/knownfail_mit_kdc                         |   86 +-
 source3/include/smb_macros.h                       |    2 +-
 source3/passdb/pdb_samba_dsdb.c                    |   14 +-
 source3/smbd/reply.c                               |    4 +-
 source4/auth/gensec/gensec_krb5.c                  |   20 +-
 source4/auth/gensec/gensec_krb5_helpers.c          |   72 ++
 .../auth/gensec/gensec_krb5_helpers.h              |   25 +-
 .../auth/gensec/gensec_krb5_internal.h             |   37 +-
 source4/auth/gensec/wscript_build                  |    4 +
 source4/auth/kerberos/kerberos_pac.c               |   44 +
 source4/auth/ntlm/auth_developer.c                 |    2 +-
 source4/auth/sam.c                                 |    2 +-
 source4/auth/session.c                             |    2 +
 source4/auth/system_session.c                      |    6 +-
 source4/dns_server/dnsserver_common.c              |   12 +-
 source4/dsdb/common/util.c                         |  134 ++-
 source4/dsdb/samdb/ldb_modules/acl.c               |    5 +-
 source4/dsdb/samdb/ldb_modules/descriptor.c        |   10 +-
 source4/dsdb/samdb/ldb_modules/objectclass_attrs.c |    2 +-
 source4/dsdb/samdb/ldb_modules/objectguid.c        |   20 +-
 source4/dsdb/samdb/ldb_modules/partition.c         |    4 +-
 source4/dsdb/samdb/ldb_modules/partition_init.c    |   14 +-
 source4/dsdb/samdb/ldb_modules/repl_meta_data.c    |   32 +-
 source4/dsdb/samdb/ldb_modules/samldb.c            |   82 +-
 .../dsdb/samdb/ldb_modules/tombstone_reanimate.c   |   16 +-
 source4/dsdb/samdb/ldb_modules/util.c              |   14 +-
 source4/dsdb/tests/python/acl.py                   |   26 +
 source4/dsdb/tests/python/priv_attrs.py            |    2 +-
 source4/heimdal/kdc/kerberos5.c                    |    2 +-
 source4/heimdal/kdc/krb5tgs.c                      |   37 +-
 source4/heimdal/kdc/windc.c                        |    5 +-
 source4/heimdal/kdc/windc_plugin.h                 |    2 +
 source4/heimdal/lib/hdb/hdb.h                      |    1 +
 source4/heimdal/lib/krb5/pac.c                     |   10 +-
 source4/kdc/db-glue.c                              |  241 +++--
 source4/kdc/hdb-samba4-plugin.c                    |   37 +-
 source4/kdc/hdb-samba4.c                           |   66 ++
 source4/kdc/kdc-glue.h                             |    3 +
 source4/kdc/kdc-heimdal.c                          |    4 +-
 source4/kdc/kdc-server.h                           |    2 +-
 source4/kdc/kdc-service-mit.c                      |    4 +-
 source4/kdc/kpasswd-helper.c                       |   33 +-
 source4/kdc/kpasswd-helper.h                       |    2 +
 source4/kdc/kpasswd-service-heimdal.c              |   76 +-
 source4/kdc/kpasswd-service-mit.c                  |  146 ++-
 source4/kdc/kpasswd-service.c                      |   36 +-
 source4/kdc/mit-kdb/kdb_samba_policies.c           |    5 +-
 source4/kdc/mit-kdb/kdb_samba_principals.c         |    2 +-
 source4/kdc/mit_samba.c                            |  101 +-
 source4/kdc/mit_samba.h                            |    1 +
 source4/kdc/pac-glue.c                             |    6 +-
 source4/kdc/samba_kdc.h                            |    2 +
 source4/kdc/sdb.h                                  |    1 +
 source4/kdc/wdc-samba4.c                           |   48 +-
 source4/kdc/wscript_build                          |    1 +
 source4/lib/registry/ldb.c                         |    2 +-
 source4/nbt_server/wins/winsdb.c                   |   13 +-
 source4/rpc_server/lsa/dcesrv_lsa.c                |   55 +-
 source4/selftest/tests.py                          |  178 +---
 source4/torture/drs/rpc/dssync.c                   |    4 +-
 source4/torture/krb5/kdc-canon-heimdal.c           |    2 +-
 source4/torture/raw/write.c                        |   89 ++
 source4/torture/rpc/remote_pac.c                   |   24 +-
 source4/winbind/idmap.c                            |   10 +-
 testprogs/blackbox/test_kinit_trusts_heimdal.sh    |    6 +-
 testprogs/blackbox/test_kpasswd_heimdal.sh         |   39 +-
 99 files changed, 4179 insertions(+), 1260 deletions(-)
 copy lib/ldb/ABI/{ldb-2.0.5.sigs => ldb-2.3.4.sigs} (96%)
 copy lib/ldb/ABI/{pyldb-util-2.1.0.sigs => pyldb-util-2.3.4.sigs} (100%)
 create mode 100755 python/samba/tests/krb5/kpasswd_tests.py
 delete mode 100644 selftest/knownfail.d/kdc-enterprise
 create mode 100644 source4/auth/gensec/gensec_krb5_helpers.c
 copy source3/include/srvstr.h => source4/auth/gensec/gensec_krb5_helpers.h (65%)
 copy libcli/smbreadline/smbreadline.h => source4/auth/gensec/gensec_krb5_internal.h (51%)


Changeset truncated at 500 lines:

diff --git a/VERSION b/VERSION
index aa9e9870799..18ee45d7d0e 100644
--- a/VERSION
+++ b/VERSION
@@ -25,7 +25,7 @@
 ########################################################
 SAMBA_VERSION_MAJOR=4
 SAMBA_VERSION_MINOR=14
-SAMBA_VERSION_RELEASE=13
+SAMBA_VERSION_RELEASE=14
 
 ########################################################
 # If a official release has a serious bug              #
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index 491a388ca9c..1aaeb74eade 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -1,3 +1,74 @@
+                   ===============================
+                   Release Notes for Samba 4.14.14
+                            July 27, 2022
+                   ===============================
+
+
+This is a security release in order to address the following defects:
+
+o CVE-2022-2031:  Samba AD users can bypass certain restrictions associated with
+                  changing passwords.
+                  https://www.samba.org/samba/security/CVE-2022-2031.html
+
+o CVE-2022-32744: Samba AD users can forge password change requests for any user.
+                  https://www.samba.org/samba/security/CVE-2022-32744.html
+
+o CVE-2022-32745: Samba AD users can crash the server process with an LDAP add
+                  or modify request.
+                  https://www.samba.org/samba/security/CVE-2022-32745.html
+
+o CVE-2022-32746: Samba AD users can induce a use-after-free in the server
+                  process with an LDAP add or modify request.
+                  https://www.samba.org/samba/security/CVE-2022-32746.html
+
+o CVE-2022-32742: Server memory information leak via SMB1.
+                  https://www.samba.org/samba/security/CVE-2022-32742.html
+
+Changes since 4.14.13
+---------------------
+
+o  Jeremy Allison <jra at samba.org>
+   * BUG 15085: CVE-2022-32742.
+
+o  Andrew Bartlett <abartlet at samba.org>
+   * BUG 15009: CVE-2022-32746.
+
+o  Andreas Schneider <asn at samba.org>
+   * BUG 15047: CVE-2022-2031.
+
+o  Isaac Boukris <iboukris at gmail.com>
+   * BUG 15047: CVE-2022-2031.
+
+o  Joseph Sutton <josephsutton at catalyst.net.nz>
+   * BUG 15008: CVE-2022-32745.
+   * BUG 15009: CVE-2022-32746.
+   * BUG 15047: CVE-2022-2031.
+   * BUG 15074: CVE-2022-32744.
+
+
+#######################################
+Reporting bugs & Development Discussion
+#######################################
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical:matrix.org matrix room, or
+#samba-technical IRC channel on irc.libera.chat.
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored.  All bug reports should
+be filed under the Samba 4.1 and newer product in the project's Bugzilla
+database (https://bugzilla.samba.org/).
+
+
+======================================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+======================================================================
+
+
+Release notes for older releases follow:
+----------------------------------------
                    ===============================
                    Release Notes for Samba 4.14.13
                            April 04, 2022
@@ -88,8 +159,7 @@ database (https://bugzilla.samba.org/).
 ======================================================================
 
 
-Release notes for older releases follow:
-----------------------------------------
+----------------------------------------------------------------------
                    ===============================
                    Release Notes for Samba 4.14.12
                           January 31, 2022
diff --git a/auth/auth_sam_reply.c b/auth/auth_sam_reply.c
index b5b6362dc93..2e27e5715d1 100644
--- a/auth/auth_sam_reply.c
+++ b/auth/auth_sam_reply.c
@@ -416,7 +416,7 @@ NTSTATUS make_user_info_dc_netlogon_validation(TALLOC_CTX *mem_ctx,
 		return NT_STATUS_INVALID_LEVEL;
 	}
 
-	user_info_dc = talloc(mem_ctx, struct auth_user_info_dc);
+	user_info_dc = talloc_zero(mem_ctx, struct auth_user_info_dc);
 	NT_STATUS_HAVE_NO_MEMORY(user_info_dc);
 
 	/*
diff --git a/auth/auth_util.c b/auth/auth_util.c
index fe01babd107..ec9094d0f15 100644
--- a/auth/auth_util.c
+++ b/auth/auth_util.c
@@ -44,7 +44,7 @@ struct auth_session_info *copy_session_info(TALLOC_CTX *mem_ctx,
 		return NULL;
 	}
 
-	dst = talloc(mem_ctx, struct auth_session_info);
+	dst = talloc_zero(mem_ctx, struct auth_session_info);
 	if (dst == NULL) {
 		DBG_ERR("talloc failed\n");
 		TALLOC_FREE(frame);
diff --git a/lib/krb5_wrap/krb5_samba.c b/lib/krb5_wrap/krb5_samba.c
index 76c2dcd2126..610efcc9b87 100644
--- a/lib/krb5_wrap/krb5_samba.c
+++ b/lib/krb5_wrap/krb5_samba.c
@@ -237,7 +237,7 @@ krb5_error_code smb_krb5_mk_error(krb5_context context,
 		return code;
 	}
 
-	errpkt.error = error_code;
+	errpkt.error = error_code - ERROR_TABLE_BASE_krb5;
 
 	errpkt.text.length = 0;
 	if (e_text != NULL) {
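Review bot: the new assignment `errpkt.error = error_code - ERROR_TABLE_BASE_krb5;` subtracts the table base from whatever the caller passes, with no check that error_code is at or above ERROR_TABLE_BASE_krb5. A caller that passes 0 or a code that was never offset by that base would put a negative or meaningless value into the error packet. Consider rejecting or mapping such values before the assignment, and stating in the function's comment that callers must pass a code from the krb5 error table.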
diff --git a/lib/ldb/ABI/ldb-2.0.5.sigs b/lib/ldb/ABI/ldb-2.3.4.sigs
similarity index 96%
copy from lib/ldb/ABI/ldb-2.0.5.sigs
copy to lib/ldb/ABI/ldb-2.3.4.sigs
index 5049dc64ce1..40388d9e330 100644
--- a/lib/ldb/ABI/ldb-2.0.5.sigs
+++ b/lib/ldb/ABI/ldb-2.3.4.sigs
@@ -155,7 +155,14 @@ ldb_msg_add_linearized_dn: int (struct ldb_message *, const char *, struct ldb_d
 ldb_msg_add_steal_string: int (struct ldb_message *, const char *, char *)
 ldb_msg_add_steal_value: int (struct ldb_message *, const char *, struct ldb_val *)
 ldb_msg_add_string: int (struct ldb_message *, const char *, const char *)
+ldb_msg_add_string_flags: int (struct ldb_message *, const char *, const char *, int)
 ldb_msg_add_value: int (struct ldb_message *, const char *, const struct ldb_val *, struct ldb_message_element **)
+ldb_msg_append_fmt: int (struct ldb_message *, int, const char *, const char *, ...)
+ldb_msg_append_linearized_dn: int (struct ldb_message *, const char *, struct ldb_dn *, int)
+ldb_msg_append_steal_string: int (struct ldb_message *, const char *, char *, int)
+ldb_msg_append_steal_value: int (struct ldb_message *, const char *, struct ldb_val *, int)
+ldb_msg_append_string: int (struct ldb_message *, const char *, const char *, int)
+ldb_msg_append_value: int (struct ldb_message *, const char *, const struct ldb_val *, int)
 ldb_msg_canonicalize: struct ldb_message *(struct ldb_context *, const struct ldb_message *)
 ldb_msg_check_string_attribute: int (const struct ldb_message *, const char *, const char *)
 ldb_msg_copy: struct ldb_message *(TALLOC_CTX *, const struct ldb_message *)
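Review bot: ldb_msg_append_fmt takes its flags as the second argument, ahead of attr_name, while the other five new ldb_msg_append_* signatures and ldb_msg_add_string_flags all take flags last. The variadic tail forces flags out of the last position, but since these are new exported symbols recorded in the ABI file, the header should call out the different argument order so callers converting from ldb_msg_add_fmt do not trip over it.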
@@ -163,6 +170,7 @@ ldb_msg_copy_attr: int (struct ldb_message *, const char *, const char *)
 ldb_msg_copy_shallow: struct ldb_message *(TALLOC_CTX *, const struct ldb_message *)
 ldb_msg_diff: struct ldb_message *(struct ldb_context *, struct ldb_message *, struct ldb_message *)
 ldb_msg_difference: int (struct ldb_context *, TALLOC_CTX *, struct ldb_message *, struct ldb_message *, struct ldb_message **)
+ldb_msg_element_add_value: int (TALLOC_CTX *, struct ldb_message_element *, const struct ldb_val *)
 ldb_msg_element_compare: int (struct ldb_message_element *, struct ldb_message_element *)
 ldb_msg_element_compare_name: int (struct ldb_message_element *, struct ldb_message_element *)
 ldb_msg_element_equal_ordered: bool (const struct ldb_message_element *, const struct ldb_message_element *)
diff --git a/lib/ldb/ABI/pyldb-util-2.1.0.sigs b/lib/ldb/ABI/pyldb-util-2.3.4.sigs
similarity index 100%
copy from lib/ldb/ABI/pyldb-util-2.1.0.sigs
copy to lib/ldb/ABI/pyldb-util-2.3.4.sigs
diff --git a/lib/ldb/common/ldb_msg.c b/lib/ldb/common/ldb_msg.c
index 57dfc5a04c2..9cd7998e21c 100644
--- a/lib/ldb/common/ldb_msg.c
+++ b/lib/ldb/common/ldb_msg.c
@@ -417,6 +417,47 @@ int ldb_msg_add(struct ldb_message *msg,
 	return LDB_SUCCESS;
 }
 
+/*
+ * add a value to a message element
+ */
+int ldb_msg_element_add_value(TALLOC_CTX *mem_ctx,
+			      struct ldb_message_element *el,
+			      const struct ldb_val *val)
+{
+	struct ldb_val *vals;
+
+	if (el->flags & LDB_FLAG_INTERNAL_SHARED_VALUES) {
+		/*
+		 * Another message is using this message element's values array,
+		 * so we don't want to make any modifications to the original
+		 * message, or potentially invalidate its own values by calling
+		 * talloc_realloc(). Make a copy instead.
+		 */
+		el->flags &= ~LDB_FLAG_INTERNAL_SHARED_VALUES;
+
+		vals = talloc_array(mem_ctx, struct ldb_val,
+				    el->num_values + 1);
+		if (vals == NULL) {
+			return LDB_ERR_OPERATIONS_ERROR;
+		}
+
+		if (el->values != NULL) {
+			memcpy(vals, el->values, el->num_values * sizeof(struct ldb_val));
+		}
+	} else {
+		vals = talloc_realloc(mem_ctx, el->values, struct ldb_val,
+				      el->num_values + 1);
+		if (vals == NULL) {
+			return LDB_ERR_OPERATIONS_ERROR;
+		}
+	}
+	el->values = vals;
+	el->values[el->num_values] = *val;
+	el->num_values++;
+
+	return LDB_SUCCESS;
+}
+
 /*
   add a value to a message
 */
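Review bot: in the shared-values branch of ldb_msg_element_add_value(), `el->flags &= ~LDB_FLAG_INTERNAL_SHARED_VALUES;` runs before talloc_array() is known to have succeeded. If the allocation fails the function returns LDB_ERR_OPERATIONS_ERROR with el->values still pointing at the other message's array but the marker already cleared, so a later call on the same element would take the talloc_realloc() branch on memory it does not own. Clear the flag only after vals has been allocated. A second, smaller point: `el->num_values + 1` is not checked for wrap-around in either branch.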
@@ -426,7 +467,6 @@ int ldb_msg_add_value(struct ldb_message *msg,
 		      struct ldb_message_element **return_el)
 {
 	struct ldb_message_element *el;
-	struct ldb_val *vals;
 	int ret;
 
 	el = ldb_msg_find_element(msg, attr_name);
@@ -437,14 +477,10 @@ int ldb_msg_add_value(struct ldb_message *msg,
 		}
 	}
 
-	vals = talloc_realloc(msg->elements, el->values, struct ldb_val,
-			      el->num_values+1);
-	if (!vals) {
-		return LDB_ERR_OPERATIONS_ERROR;
+	ret = ldb_msg_element_add_value(msg->elements, el, val);
+	if (ret != LDB_SUCCESS) {
+		return ret;
 	}
-	el->values = vals;
-	el->values[el->num_values] = *val;
-	el->num_values++;
 
 	if (return_el) {
 		*return_el = el;
@@ -473,12 +509,15 @@ int ldb_msg_add_steal_value(struct ldb_message *msg,
 
 
 /*
-  add a string element to a message
+  add a string element to a message, specifying flags
 */
-int ldb_msg_add_string(struct ldb_message *msg,
-		       const char *attr_name, const char *str)
+int ldb_msg_add_string_flags(struct ldb_message *msg,
+			     const char *attr_name, const char *str,
+			     int flags)
 {
 	struct ldb_val val;
+	int ret;
+	struct ldb_message_element *el = NULL;
 
 	val.data = discard_const_p(uint8_t, str);
 	val.length = strlen(str);
@@ -488,7 +527,25 @@ int ldb_msg_add_string(struct ldb_message *msg,
 		return LDB_SUCCESS;
 	}
 
-	return ldb_msg_add_value(msg, attr_name, &val, NULL);
+	ret = ldb_msg_add_value(msg, attr_name, &val, &el);
+	if (ret != LDB_SUCCESS) {
+		return ret;
+	}
+
+	if (flags != 0) {
+		el->flags = flags;
+	}
+
+	return LDB_SUCCESS;
+}
+
+/*
+  add a string element to a message
+*/
+int ldb_msg_add_string(struct ldb_message *msg,
+		       const char *attr_name, const char *str)
+{
+	return ldb_msg_add_string_flags(msg, attr_name, str, 0);
 }
 
 /*
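Review bot: in ldb_msg_add_string_flags(), `el->flags = flags;` replaces the whole flags word of whatever element ldb_msg_add_value() returned, and ldb_msg_add_value() looks the element up by name first (the ldb_msg_find_element() call in the earlier hunk), so an existing element can have its modify type and any internal bits silently overwritten. Either set only the modify-type bits or document that the call re-flags an existing element. The function comment should also say that flags == 0 leaves the element's flags untouched and that an empty string returns success without applying the flags at all.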
@@ -550,6 +607,142 @@ int ldb_msg_add_fmt(struct ldb_message *msg,
 	return ldb_msg_add_steal_value(msg, attr_name, &val);
 }
 
+static int ldb_msg_append_value_impl(struct ldb_message *msg,
+				     const char *attr_name,
+				     const struct ldb_val *val,
+				     int flags,
+				     struct ldb_message_element **return_el)
+{
+	struct ldb_message_element *el = NULL;
+	int ret;
+
+	ret = ldb_msg_add_empty(msg, attr_name, flags, &el);
+	if (ret != LDB_SUCCESS) {
+		return ret;
+	}
+
+	ret = ldb_msg_element_add_value(msg->elements, el, val);
+	if (ret != LDB_SUCCESS) {
+		return ret;
+	}
+
+	if (return_el != NULL) {
+		*return_el = el;
+	}
+
+	return LDB_SUCCESS;
+}
+
+/*
+  append a value to a message
+*/
+int ldb_msg_append_value(struct ldb_message *msg,
+			 const char *attr_name,
+			 const struct ldb_val *val,
+			 int flags)
+{
+	return ldb_msg_append_value_impl(msg, attr_name, val, flags, NULL);
+}
+
+/*
+  append a value to a message, stealing it into the 'right' place
+*/
+int ldb_msg_append_steal_value(struct ldb_message *msg,
+			       const char *attr_name,
+			       struct ldb_val *val,
+			       int flags)
+{
+	int ret;
+	struct ldb_message_element *el = NULL;
+
+	ret = ldb_msg_append_value_impl(msg, attr_name, val, flags, &el);
+	if (ret == LDB_SUCCESS) {
+		talloc_steal(el->values, val->data);
+	}
+	return ret;
+}
+
+/*
+  append a string element to a message, stealing it into the 'right' place
+*/
+int ldb_msg_append_steal_string(struct ldb_message *msg,
+				const char *attr_name, char *str,
+				int flags)
+{
+	struct ldb_val val;
+
+	val.data = (uint8_t *)str;
+	val.length = strlen(str);
+
+	if (val.length == 0) {
+		/* allow empty strings as non-existent attributes */
+		return LDB_SUCCESS;
+	}
+
+	return ldb_msg_append_steal_value(msg, attr_name, &val, flags);
+}
+
+/*
+  append a string element to a message
+*/
+int ldb_msg_append_string(struct ldb_message *msg,
+			  const char *attr_name, const char *str, int flags)
+{
+	struct ldb_val val;
+
+	val.data = discard_const_p(uint8_t, str);
+	val.length = strlen(str);
+
+	if (val.length == 0) {
+		/* allow empty strings as non-existent attributes */
+		return LDB_SUCCESS;
+	}
+
+	return ldb_msg_append_value(msg, attr_name, &val, flags);
+}
+
+/*
+  append a DN element to a message
+  WARNING: this uses the linearized string from the dn, and does not
+  copy the string.
+*/
+int ldb_msg_append_linearized_dn(struct ldb_message *msg, const char *attr_name,
+				 struct ldb_dn *dn, int flags)
+{
+	char *str = ldb_dn_alloc_linearized(msg, dn);
+
+	if (str == NULL) {
+		/* we don't want to have unknown DNs added */
+		return LDB_ERR_OPERATIONS_ERROR;
+	}
+
+	return ldb_msg_append_steal_string(msg, attr_name, str, flags);
+}
+
+/*
+  append a printf formatted element to a message
+*/
+int ldb_msg_append_fmt(struct ldb_message *msg, int flags,
+		       const char *attr_name, const char *fmt, ...)
+{
+	struct ldb_val val;
+	va_list ap;
+	char *str = NULL;
+
+	va_start(ap, fmt);
+	str = talloc_vasprintf(msg, fmt, ap);
+	va_end(ap);
+
+	if (str == NULL) {
+		return LDB_ERR_OPERATIONS_ERROR;
+	}
+
+	val.data   = (uint8_t *)str;
+	val.length = strlen(str);
+
+	return ldb_msg_append_steal_value(msg, attr_name, &val, flags);
+}
+
 /*
   compare two ldb_message_element structures
   assumes case sensitive comparison
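Review bot: in ldb_msg_append_value_impl(), when ldb_msg_element_add_value() fails after ldb_msg_add_empty() has succeeded, the function returns the error but leaves a value-less element carrying the caller's flags in msg. Remove the element again on that path, or document that msg must be discarded after an error. Separately, the comment on ldb_msg_append_linearized_dn() says it "does not copy the string", yet the body calls ldb_dn_alloc_linearized(msg, dn) and steals the result, so the WARNING looks stale; and when that string is empty, ldb_msg_append_steal_string() returns early and str stays allocated on msg.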
@@ -833,11 +1026,7 @@ void ldb_msg_sort_elements(struct ldb_message *msg)
 		       ldb_msg_element_compare_name);
 }
 
-/*
-  shallow copy a message - copying only the elements array so that the caller
-  can safely add new elements without changing the message
-*/
-struct ldb_message *ldb_msg_copy_shallow(TALLOC_CTX *mem_ctx,
+static struct ldb_message *ldb_msg_copy_shallow_impl(TALLOC_CTX *mem_ctx,
 					 const struct ldb_message *msg)
 {
 	struct ldb_message *msg2;
@@ -863,6 +1052,35 @@ failed:
 	return NULL;
 }
 
+/*
+  shallow copy a message - copying only the elements array so that the caller
+  can safely add new elements without changing the message
+*/
+struct ldb_message *ldb_msg_copy_shallow(TALLOC_CTX *mem_ctx,
+					 const struct ldb_message *msg)
+{
+	struct ldb_message *msg2;
+	unsigned int i;
+
+	msg2 = ldb_msg_copy_shallow_impl(mem_ctx, msg);
+	if (msg2 == NULL) {
+		return NULL;
+	}
+
+	for (i = 0; i < msg2->num_elements; ++i) {
+		/*
+		 * Mark this message's elements as sharing their values with the
+		 * original message, so that we don't inadvertently modify or
+		 * free them. We don't mark the original message element as
+		 * shared, so the original message element should not be
+		 * modified or freed while the shallow copy lives.
+		 */
+		struct ldb_message_element *el = &msg2->elements[i];
+		el->flags |= LDB_FLAG_INTERNAL_SHARED_VALUES;
+	}
+
+        return msg2;
+}
 
 /*
   copy a message, allocating new memory for all parts
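Review bot: the loop in ldb_msg_copy_shallow() marks only the copy's elements with LDB_FLAG_INTERNAL_SHARED_VALUES, and the in-code comment concedes that the original "should not be modified or freed while the shallow copy lives". Nothing in the visible lines enforces that, so the constraint belongs in the public documentation of ldb_msg_copy_shallow() rather than only inside the loop body. Style: `return msg2;` is indented with spaces where the rest of the function uses tabs.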
@@ -873,7 +1091,7 @@ struct ldb_message *ldb_msg_copy(TALLOC_CTX *mem_ctx,
 	struct ldb_message *msg2;
 	unsigned int i, j;
 
-	msg2 = ldb_msg_copy_shallow(mem_ctx, msg);
+	msg2 = ldb_msg_copy_shallow_impl(mem_ctx, msg);
 	if (msg2 == NULL) return NULL;
 
 	if (msg2->dn != NULL) {


-- 
Samba Shared Repository


