[SCM] Samba Shared Repository - branch v4-15-stable updated

Jule Anger janger at samba.org
Tue Oct 25 09:12:25 UTC 2022


The branch, v4-15-stable has been updated
       via  37595203ef3 VERSION: Disable GIT_SNAPSHOT for the 4.15.11 release.
       via  c074cc854b9 WHATSNEW: Add release notes for Samba 4.15.11.
       via  e9db0373600 CVE-2022-3437 source4/heimdal: Pass correct length to _gssapi_verify_pad()
       via  77e0f2febaa CVE-2022-3437 source4/heimdal: Check for overflow in _gsskrb5_get_mech()
       via  1aca3451551 CVE-2022-3437 source4/heimdal: Check buffer length against overflow for DES{,3} unwrap
       via  ebac8bf0478 CVE-2022-3437 source4/heimdal: Check the result of _gsskrb5_get_mech()
       via  5a62eb5734d CVE-2022-3437 source4/heimdal: Avoid undefined behaviour in _gssapi_verify_pad()
       via  9f6f1e01aca CVE-2022-3437 source4/heimdal: Don't pass NULL pointers to memcpy() in DES unwrap
       via  5f6dbf2ab29 CVE-2022-3437 source4/heimdal: Use constant-time memcmp() in unwrap_des3()
       via  c22914f845b CVE-2022-3437 source4/heimdal: Use constant-time memcmp() for arcfour unwrap
       via  310bffc0855 CVE-2022-3437 s4/auth/tests: Add unit tests for unwrap_des3()
       via  a49a3ac8e08 CVE-2022-3437 source4/heimdal_build: Add gssapi-subsystem subsystem
       via  fe1204d9da2 CVE-2022-3437 source4/heimdal: Remove __func__ compatibility workaround
       via  9f658aa5fe2 .gitlab-ci: Work around new git restrictions arising from CVE-2022-24765
       via  52ed3d07fd5 bootstrap: Migrate to CentOS8 Stream
       via  ae64b3bfc18 bootstrap: chown the whole cloned repo, not just the subfolders
       via  6881b17bf27 bootstrap: Fix CentOS8 runner
       via  1ad45400995 VERSION: Bump version up to Samba 4.15.11...
      from  c3bff29ce35 VERSION: Disable GIT_SNAPSHOT for the 4.15.10 release.

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-15-stable


- Log -----------------------------------------------------------------
commit 37595203ef30b1a631b94075328f8d0d604e6e71
Author: Jule Anger <janger at samba.org>
Date:   Mon Oct 24 12:35:24 2022 +0200

    VERSION: Disable GIT_SNAPSHOT for the 4.15.11 release.
    
    Signed-off-by: Jule Anger <janger at samba.org>

commit c074cc854b9ae6e85f0e667523778b655c49da16
Author: Jule Anger <janger at samba.org>
Date:   Mon Oct 24 12:19:04 2022 +0200

    WHATSNEW: Add release notes for Samba 4.15.11.
    
    Signed-off-by: Jule Anger <janger at samba.org>

commit e9db03736007721e37c4fba847ce4aa0c4520924
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Wed Oct 12 13:57:33 2022 +1300

    CVE-2022-3437 source4/heimdal: Pass correct length to _gssapi_verify_pad()
    
    We later subtract 8 when calculating the length of the output message
    buffer. If padlength is excessively high, this calculation can underflow
    and result in a very large positive value.
    
    Now we properly constrain the value of padlength so underflow shouldn't
    be possible.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15134
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 77e0f2febaaf4d6e5e42f8e73a1f8f3c0e4a2985
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Mon Oct 10 20:33:09 2022 +1300

    CVE-2022-3437 source4/heimdal: Check for overflow in _gsskrb5_get_mech()
    
    If len_len is equal to total_len - 1 (i.e. the input consists only of a
    0x60 byte and a length), the expression 'total_len - 1 - len_len - 1',
    used as the 'len' parameter to der_get_length(), will overflow to
    SIZE_MAX. Then der_get_length() will proceed to read, unconstrained,
    whatever data follows in memory. Add a check to ensure that doesn't
    happen.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15134
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 1aca34515515f2cb00fbf5ad8b9212b319f01836
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Mon Aug 15 16:54:23 2022 +1200

    CVE-2022-3437 source4/heimdal: Check buffer length against overflow for DES{,3} unwrap
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15134
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit ebac8bf0478e19849f83af6d44b73d7ab3afd25b
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Mon Aug 15 16:53:55 2022 +1200

    CVE-2022-3437 source4/heimdal: Check the result of _gsskrb5_get_mech()
    
    We should make sure that the result of 'total_len - mech_len' won't
    overflow, and that we don't memcmp() past the end of the buffer.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15134
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 5a62eb5734d50fe556934aefa3bac5698372f00e
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Mon Aug 15 16:53:45 2022 +1200

    CVE-2022-3437 source4/heimdal: Avoid undefined behaviour in _gssapi_verify_pad()
    
    By decrementing 'pad' only when we know it's safe, we ensure we can't
    stray backwards past the start of a buffer, which would be undefined
    behaviour.
    
    In the previous version of the loop, 'i' is the number of bytes left to
    check, and 'pad' is the current byte we're checking. 'pad' was
    decremented at the end of each loop iteration. If 'i' was 1 (so we
    checked the final byte), 'pad' could potentially be pointing to the
    first byte of the input buffer, and the decrement would put it one
    byte behind the buffer.
    
    That would be undefined behaviour.
    
    The patch changes it so that 'pad' is the byte we previously checked,
    which allows us to ensure that we only decrement it when we know we
    have a byte to check.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15134
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 9f6f1e01aca4f00a5d23127803c81939253e0577
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Wed Oct 12 13:57:42 2022 +1300

    CVE-2022-3437 source4/heimdal: Don't pass NULL pointers to memcpy() in DES unwrap
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15134
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 5f6dbf2ab29bcd30c701cab3daecf5a6a53a44cd
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Wed Oct 12 13:57:55 2022 +1300

    CVE-2022-3437 source4/heimdal: Use constant-time memcmp() in unwrap_des3()
    
    The surrounding checks all use ct_memcmp(), so this one was presumably
    meant to as well.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15134
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit c22914f845b3eba1c9ad444333f3d044352b7e2c
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Wed Oct 12 13:57:13 2022 +1300

    CVE-2022-3437 source4/heimdal: Use constant-time memcmp() for arcfour unwrap
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15134
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    
    [jsutton at samba.org Adapted to small differences in comparisons, and
     removed erroneous duplicate code in conflicting region]

commit 310bffc085514f9ceba5b3501ddef15807c53809
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Wed Oct 12 13:55:39 2022 +1300

    CVE-2022-3437 s4/auth/tests: Add unit tests for unwrap_des3()
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15134
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    [jsutton at samba.org Adapted to lack of 'samba.unittests.auth.sam' test,
     renamed 'third_party' to 'source4' in paths, defined
     HEIMDAL_NORETURN_ATTRIBUTE and HEIMDAL_PRINTF_ATTRIBUTE to fix compiler
     error]

commit a49a3ac8e082921c2793a073b5991c4693f167ab
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Wed Oct 12 13:55:51 2022 +1300

    CVE-2022-3437 source4/heimdal_build: Add gssapi-subsystem subsystem
    
    This allows us to access (and so test) functions internal to GSSAPI by
    depending on this subsystem.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15134
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    
    [jsutton at samba.org Adapted to older wscript_build file]

commit fe1204d9da2c6f761c4dc4421f67057b10eaf430
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Wed Oct 12 13:56:08 2022 +1300

    CVE-2022-3437 source4/heimdal: Remove __func__ compatibility workaround
    
    As described by the C standard, __func__ is a variable, not a macro.
    Hence this #ifndef check does not work as intended, and only serves to
    unconditionally disable __func__. A nonoperating __func__ prevents
    cmocka operating correctly, so remove this definition.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15134
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 9f658aa5fe2d64780b4cd25a456ae0c6e4b7c2a4
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Fri May 6 17:53:29 2022 +1200

    .gitlab-ci: Work around new git restrictions arising from CVE-2022-24765
    
    It was realised that git would run commands found in a git repo
    (eg from configuration).
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15193
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    (cherry picked from commit dd568490089ae6d5bcf03068bfc4ca6b9103badb)

commit 52ed3d07fd5269163b006985e56921cf015a32f9
Author: Andreas Schneider <asn at samba.org>
Date:   Thu Feb 3 15:43:54 2022 +0100

    bootstrap: Migrate to CentOS8 Stream
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15193
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Alexander Bokovoy <ab at samba.org>
    
    Autobuild-User(master): Andreas Schneider <asn at cryptomilk.org>
    Autobuild-Date(master): Fri Feb  4 21:11:40 UTC 2022 on sn-devel-184
    
    [adapted from commit 136ec5bc01e2648bae34a1158f923fbf5a86d561 in the
     hope of getting lmdb-devel to be available for the CentOS 8 image]

commit ae64b3bfc1823c4efd03f506f6908722e8fa513b
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Fri May 6 13:29:05 2022 +1200

    bootstrap: chown the whole cloned repo, not just the subfolders
    
    Modern git versions have started to notice the possible security issue.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15193
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    
    [abartlet at samba.org adapted from commit c771d197eeebf2b01d46451cc51b698a99502935
     with new sha1sum]

commit 6881b17bf277c7b4958f66de7af5bdbdecc32eac
Author: Andreas Schneider <asn at samba.org>
Date:   Thu Feb 3 07:53:33 2022 +0100

    bootstrap: Fix CentOS8 runner
    
    CentOS8 is EOL since December 31, 2021. The packages move to vault.centos.org.
    We should migrate to CentOS8 Stream soon.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15193
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Alexander Bokovoy <ab at samba.org>
    
    Autobuild-User(master): Andreas Schneider <asn at cryptomilk.org>
    Autobuild-Date(master): Thu Feb  3 14:31:01 UTC 2022 on sn-devel-184
    
    [abartlet at samba.org Adapted from commit 0c6554aa0d6812343a8155fca3d7a7993cd5c703
     by updating sha1sum]

-----------------------------------------------------------------------

Summary of changes:
 .gitlab-ci-main.yml                                |   10 +-
 VERSION                                            |    2 +-
 WHATSNEW.txt                                       |   54 +-
 bootstrap/.gitlab-ci.yml                           |    4 +-
 bootstrap/config.py                                |   15 +-
 bootstrap/generated-dists/Vagrantfile              |   10 +-
 .../{centos8 => centos8s}/Dockerfile               |    2 +-
 .../{centos8 => centos8s}/bootstrap.sh             |    5 +-
 .../{centos8 => centos8s}/locale.sh                |    0
 .../{centos8 => centos8s}/packages.yml             |    0
 bootstrap/sha1sum.txt                              |    2 +-
 selftest/tests.py                                  |    5 +
 source4/auth/tests/heimdal_unwrap_des.c            | 1247 ++++++++++++++++++++
 source4/auth/wscript_build                         |   21 +
 source4/heimdal/lib/gssapi/krb5/arcfour.c          |   24 +-
 source4/heimdal/lib/gssapi/krb5/decapsulate.c      |   12 +-
 source4/heimdal/lib/gssapi/krb5/unwrap.c           |   34 +-
 source4/heimdal/lib/krb5/krb5_locl.h               |    4 -
 source4/heimdal_build/wscript_build                |   14 +-
 19 files changed, 1401 insertions(+), 64 deletions(-)
 rename bootstrap/generated-dists/{centos8 => centos8s}/Dockerfile (90%)
 rename bootstrap/generated-dists/{centos8 => centos8s}/bootstrap.sh (93%)
 rename bootstrap/generated-dists/{centos8 => centos8s}/locale.sh (100%)
 rename bootstrap/generated-dists/{centos8 => centos8s}/packages.yml (100%)
 create mode 100644 source4/auth/tests/heimdal_unwrap_des.c


Changeset truncated at 500 lines:

diff --git a/.gitlab-ci-main.yml b/.gitlab-ci-main.yml
index 125b3901832..e0b9b9d20b9 100644
--- a/.gitlab-ci-main.yml
+++ b/.gitlab-ci-main.yml
@@ -42,7 +42,7 @@ variables:
   # Set this to the contents of bootstrap/sha1sum.txt
   # which is generated by bootstrap/template.py --render
   #
-  SAMBA_CI_CONTAINER_TAG: dd2b9a1848eed2d200e1a525695e40f06c23d888
+  SAMBA_CI_CONTAINER_TAG: fbf9c4c8a2055936d4ca279878df7811af46d86d
   #
   # We use the ubuntu1804 image as default as
   # it matches what we have on sn-devel-184.
@@ -64,7 +64,7 @@ variables:
   SAMBA_CI_CONTAINER_IMAGE_fedora33: fedora33
   SAMBA_CI_CONTAINER_IMAGE_fedora34: fedora34
   SAMBA_CI_CONTAINER_IMAGE_centos7: centos7
-  SAMBA_CI_CONTAINER_IMAGE_centos8: centos8
+  SAMBA_CI_CONTAINER_IMAGE_centos8s: centos8s
 
 include:
   # The image creation details are specified in a separate file
@@ -137,6 +137,8 @@ include:
     - export CXX="ccache c++"
     - ccache -z -M 500M
     - ccache -s
+      # We are already running .gitlab-ci directives from this repo, remove additional checks that break our CI
+    - git config --global --add safe.directory `pwd`
   after_script:
     - mount
     - df -h
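Review bot: The added 'git config --global --add safe.directory `pwd`' line passes the path unquoted, so a checkout directory containing whitespace would be split into several arguments; write it as "$(pwd)" inside quotes. The comment above it is indented two columns deeper than the list items it describes, and it would help to name what is being relaxed (git's repository-ownership check) and that it is limited to this one directory.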
@@ -594,10 +596,10 @@ centos7-samba-o3:
     # We need a newer GnuTLS version on CentOS7
     PKG_CONFIG_PATH: "/usr/lib64/compat-gnutls34/pkgconfig:/usr/lib64/compat-nettle32/pkgconfig"
 
-centos8-samba-o3:
+centos8s-samba-o3:
   extends: .samba-o3-template
   variables:
-    SAMBA_CI_JOB_IMAGE: ${SAMBA_CI_CONTAINER_IMAGE_centos8}
+    SAMBA_CI_JOB_IMAGE: ${SAMBA_CI_CONTAINER_IMAGE_centos8s}
 
 fedora33-samba-o3:
   extends: .samba-o3-template
diff --git a/VERSION b/VERSION
index 5762c28f102..342a497a486 100644
--- a/VERSION
+++ b/VERSION
@@ -25,7 +25,7 @@
 ########################################################
 SAMBA_VERSION_MAJOR=4
 SAMBA_VERSION_MINOR=15
-SAMBA_VERSION_RELEASE=10
+SAMBA_VERSION_RELEASE=11
 
 ########################################################
 # If a official release has a serious bug              #
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index 8c22b675d54..b62e20cbc53 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -1,3 +1,54 @@
+                   ===============================
+                   Release Notes for Samba 4.15.11
+                          October 25, 2022
+                   ===============================
+
+
+This is a security release in order to address the following defect:
+
+o CVE-2022-3437:  There is a limited write heap buffer overflow in the GSSAPI
+                  unwrap_des() and unwrap_des3() routines of Heimdal (included
+                  in Samba).
+                  https://www.samba.org/samba/security/CVE-2022-3437.html
+
+Changes since 4.15.10
+---------------------
+
+o  Andrew Bartlett <abartlet at samba.org>
+   * BUG 15193: Allow rebuild of Centos 8 images after move to vault for Samba
+     4.15.
+
+o  Andreas Schneider <asn at samba.org>
+   * BUG 15193: Allow rebuild of Centos 8 images after move to vault for Samba
+     4.15.
+
+o  Joseph Sutton <josephsutton at catalyst.net.nz>
+   * BUG 15134: CVE-2022-3437.
+
+
+#######################################
+Reporting bugs & Development Discussion
+#######################################
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical:matrix.org matrix room, or
+#samba-technical IRC channel on irc.libera.chat.
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored.  All bug reports should
+be filed under the Samba 4.1 and newer product in the project's Bugzilla
+database (https://bugzilla.samba.org/).
+
+
+======================================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+======================================================================
+
+
+Release notes for older releases follow:
+----------------------------------------
                    ===============================
                    Release Notes for Samba 4.15.10
                          September 28, 2022
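Review bot: The two BUG 15193 entries under 'Changes since 4.15.10' say only 'Allow rebuild of Centos 8 images after move to vault', while this changeset also renames the CI image to centos8s (CentOS 8 Stream) and adds a git safe.directory setting to the CI scripts; one line naming those changes would make the release notes match the diff. 'Centos' should be spelled 'CentOS'.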
@@ -61,8 +112,7 @@ database (https://bugzilla.samba.org/).
 ======================================================================
 
 
-Release notes for older releases follow:
-----------------------------------------
+----------------------------------------------------------------------
                    ==============================
                    Release Notes for Samba 4.15.9
                            July 27, 2022
diff --git a/bootstrap/.gitlab-ci.yml b/bootstrap/.gitlab-ci.yml
index 33534f5f1dd..58e0642a70d 100644
--- a/bootstrap/.gitlab-ci.yml
+++ b/bootstrap/.gitlab-ci.yml
@@ -47,7 +47,7 @@ services:
     diff -u bootstrap/sha1sum.txt /tmp/sha1sum-template.txt
     # run smoke test with samba-o3 or samba-fuzz
     docker run --volume $(pwd):${samba_repo_root} --workdir ${samba_repo_root} ${ci_image_name} \
-        /bin/bash -c "sudo chown -R samba:samba ./** && export PKG_CONFIG_PATH=/usr/lib64/compat-gnutls34/pkgconfig:/usr/lib64/compat-nettle32/pkgconfig && script/autobuild.py ${SAMBA_CI_TEST_JOB} --verbose --nocleanup --keeplogs --tail --testbase /tmp/samba-testbase"
+        /bin/bash -c "sudo chown -R samba:samba ${samba_repo_root} && export PKG_CONFIG_PATH=/usr/lib64/compat-gnutls34/pkgconfig:/usr/lib64/compat-nettle32/pkgconfig && script/autobuild.py ${SAMBA_CI_TEST_JOB} --verbose --nocleanup --keeplogs --tail --testbase /tmp/samba-testbase"
     docker tag ${ci_image_name} ${ci_image_path}:${SAMBA_CI_CONTAINER_TAG}
     docker tag ${ci_image_name} ${ci_image_path}:${timestamp_tag}
     # We build all images, but only upload is it's not marked as broken
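Review bot: In the changed 'bash -c' string, ${samba_repo_root} is expanded unquoted, so the chown depends on the path containing no whitespace or glob characters. Since --workdir is already ${samba_repo_root}, 'sudo chown -R samba:samba .' would cover the same tree without repeating the variable. A short comment saying the whole checkout is chowned to satisfy git's ownership check would explain why './**' was not enough.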
@@ -112,7 +112,7 @@ fedora33:
 fedora34:
   extends: .build_image_template
 
-centos8:
+centos8s:
   extends: .build_image_template
 
 centos7:
diff --git a/bootstrap/config.py b/bootstrap/config.py
index fd75a771252..164ab306329 100644
--- a/bootstrap/config.py
+++ b/bootstrap/config.py
@@ -230,7 +230,7 @@ if [ ! -f /usr/bin/python3 ]; then
 fi
 """
 
-CENTOS8_YUM_BOOTSTRAP = r"""
+CENTOS8S_YUM_BOOTSTRAP = r"""
 #!/bin/bash
 {GENERATED_MARKER}
 set -xueo pipefail
@@ -240,10 +240,9 @@ yum install -y dnf-plugins-core
 yum install -y epel-release
 
 yum -v repolist all
-yum config-manager --set-enabled PowerTools -y || \
+yum config-manager --set-enabled powertools -y || \
     yum config-manager --set-enabled powertools -y
-yum config-manager --set-enabled Devel -y || \
-    yum config-manager --set-enabled devel -y
+
 yum update -y
 
 yum install -y \
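Review bot: After this change both sides of the '||' are the same command ('yum config-manager --set-enabled powertools -y'), so the fallback only repeats an identical call; drop the second line, or keep 'PowerTools' as the fallback if the capitalised repo id is still needed anywhere. The Devel/devel repo lines are replaced by a bare blank line with no comment saying why that repo is no longer enabled.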
@@ -471,10 +470,10 @@ RPM_DISTS = {
             'tracker-devel': '', # do not install
         }
     },
-    'centos8': {
-        'docker_image': 'centos:8',
-        'vagrant_box': 'centos/8',
-        'bootstrap': CENTOS8_YUM_BOOTSTRAP,
+    'centos8s': {
+        'docker_image': 'quay.io/centos/centos:stream8',
+        'vagrant_box': 'centos/stream8',
+        'bootstrap': CENTOS8S_YUM_BOOTSTRAP,
         'replace': {
             'lsb-release': 'redhat-lsb',
             '@development-tools': '"@Development Tools"',  # add quotes
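Review bot: 'docker_image': 'quay.io/centos/centos:stream8' is a floating tag, so rebuilding the CI image from this file can pull different base content each time. Consider pinning the base image by digest, or add a comment stating that following the moving Stream tag is intended.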
diff --git a/bootstrap/generated-dists/Vagrantfile b/bootstrap/generated-dists/Vagrantfile
index 780320ec7c8..10075800c01 100644
--- a/bootstrap/generated-dists/Vagrantfile
+++ b/bootstrap/generated-dists/Vagrantfile
@@ -17,11 +17,11 @@ Vagrant.configure("2") do |config|
         v.vm.provision :shell, path: "centos7/locale.sh"
     end
 
-    config.vm.define "centos8" do |v|
-        v.vm.box = "centos/8"
-        v.vm.hostname = "centos8"
-        v.vm.provision :shell, path: "centos8/bootstrap.sh"
-        v.vm.provision :shell, path: "centos8/locale.sh"
+    config.vm.define "centos8s" do |v|
+        v.vm.box = "centos/stream8"
+        v.vm.hostname = "centos8s"
+        v.vm.provision :shell, path: "centos8s/bootstrap.sh"
+        v.vm.provision :shell, path: "centos8s/locale.sh"
     end
 
     config.vm.define "debian10" do |v|
diff --git a/bootstrap/generated-dists/centos8/Dockerfile b/bootstrap/generated-dists/centos8s/Dockerfile
similarity index 90%
rename from bootstrap/generated-dists/centos8/Dockerfile
rename to bootstrap/generated-dists/centos8s/Dockerfile
index f6343e9d5a2..1c932f58a94 100644
--- a/bootstrap/generated-dists/centos8/Dockerfile
+++ b/bootstrap/generated-dists/centos8s/Dockerfile
@@ -3,7 +3,7 @@
 # See also bootstrap/config.py
 #
 
-FROM centos:8
+FROM quay.io/centos/centos:stream8
 
 # pass in with --build-arg while build
 ARG SHA1SUM
diff --git a/bootstrap/generated-dists/centos8/bootstrap.sh b/bootstrap/generated-dists/centos8s/bootstrap.sh
similarity index 93%
rename from bootstrap/generated-dists/centos8/bootstrap.sh
rename to bootstrap/generated-dists/centos8s/bootstrap.sh
index 60cf3937cf7..1111450c400 100755
--- a/bootstrap/generated-dists/centos8/bootstrap.sh
+++ b/bootstrap/generated-dists/centos8s/bootstrap.sh
@@ -12,10 +12,9 @@ yum install -y dnf-plugins-core
 yum install -y epel-release
 
 yum -v repolist all
-yum config-manager --set-enabled PowerTools -y || \
+yum config-manager --set-enabled powertools -y || \
     yum config-manager --set-enabled powertools -y
-yum config-manager --set-enabled Devel -y || \
-    yum config-manager --set-enabled devel -y
+
 yum update -y
 
 yum install -y \
diff --git a/bootstrap/generated-dists/centos8/locale.sh b/bootstrap/generated-dists/centos8s/locale.sh
similarity index 100%
rename from bootstrap/generated-dists/centos8/locale.sh
rename to bootstrap/generated-dists/centos8s/locale.sh
diff --git a/bootstrap/generated-dists/centos8/packages.yml b/bootstrap/generated-dists/centos8s/packages.yml
similarity index 100%
rename from bootstrap/generated-dists/centos8/packages.yml
rename to bootstrap/generated-dists/centos8s/packages.yml
diff --git a/bootstrap/sha1sum.txt b/bootstrap/sha1sum.txt
index 11369ced5f7..120d935186d 100644
--- a/bootstrap/sha1sum.txt
+++ b/bootstrap/sha1sum.txt
@@ -1 +1 @@
-dd2b9a1848eed2d200e1a525695e40f06c23d888
+fbf9c4c8a2055936d4ca279878df7811af46d86d
diff --git a/selftest/tests.py b/selftest/tests.py
index c87b41c1a66..1331a6841e0 100644
--- a/selftest/tests.py
+++ b/selftest/tests.py
@@ -47,6 +47,8 @@ with_pam = ("WITH_PAM" in config_hash)
 with_elasticsearch_backend = ("HAVE_SPOTLIGHT_BACKEND_ES" in config_hash)
 pam_wrapper_so_path = config_hash.get("LIBPAM_WRAPPER_SO_PATH")
 pam_set_items_so_path = config_hash.get("PAM_SET_ITEMS_SO_PATH")
+have_heimdal_support = "SAMBA4_USES_HEIMDAL" in config_hash
+using_system_gssapi = "USING_SYSTEM_GSSAPI" in config_hash
 
 planpythontestsuite("none", "samba.tests.source")
 if have_man_pages_support:
@@ -429,6 +431,9 @@ plantestsuite("samba.unittests.test_registry_regfio", "none",
               [os.path.join(bindir(), "default/source3/test_registry_regfio")])
 plantestsuite("samba.unittests.test_oLschema2ldif", "none",
               [os.path.join(bindir(), "default/source4/utils/oLschema2ldif/test_oLschema2ldif")])
+if have_heimdal_support and not using_system_gssapi:
+    plantestsuite("samba.unittests.auth.heimdal_gensec_unwrap_des", "none",
+              [valgrindify(os.path.join(bindir(), "test_heimdal_gensec_unwrap_des"))])
 if with_elasticsearch_backend:
     plantestsuite("samba.unittests.mdsparser_es", "none",
                   [os.path.join(bindir(), "default/source3/test_mdsparser_es")] + [configuration])
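Review bot: The continuation line of the new plantestsuite() call keeps the 14-space indent used by the top-level calls around it, but the call now sits inside the 'if have_heimdal_support and not using_system_gssapi:' block, so the argument list no longer lines up with the opening parenthesis; indent it four more columns. The suite is registered as 'heimdal_gensec_unwrap_des' while the source file added in this changeset is heimdal_unwrap_des.c; using one name for both would make the test easier to locate.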
diff --git a/source4/auth/tests/heimdal_unwrap_des.c b/source4/auth/tests/heimdal_unwrap_des.c
new file mode 100644
index 00000000000..dc31e9d0ad1
--- /dev/null
+++ b/source4/auth/tests/heimdal_unwrap_des.c
@@ -0,0 +1,1247 @@
+/*
+ * Unit tests for source4/heimdal/lib/gssapi/krb5/unwrap.c
+ *
+ * Copyright (C) Catalyst.NET Ltd 2022
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+/*
+ * from cmocka.c:
+ * These headers or their equivalents should be included prior to
+ * including
+ * this header file.
+ *
+ * #include <stdarg.h>
+ * #include <stddef.h>
+ * #include <setjmp.h>
+ *
+ * This allows test applications to use custom definitions of C standard
+ * library functions and types.
+ *
+ */
+
+#include <stdarg.h>
+#include <stddef.h>
+#include <setjmp.h>
+
+#include <cmocka.h>
+
+#include "includes.h"
+#include "replace.h"
+
+#define HEIMDAL_NORETURN_ATTRIBUTE _NORETURN_
+#define HEIMDAL_PRINTF_ATTRIBUTE(x) FORMAT_ATTRIBUTE(x)
+
+#include "../../../source4/heimdal/lib/gssapi/gssapi/gssapi.h"
+#include "gsskrb5_locl.h"
+
+/******************************************************************************
+ * Helper functions
+ ******************************************************************************/
+
+const uint8_t *valid_range_begin;
+const uint8_t *valid_range_end;
+const uint8_t *invalid_range_end;
+
+/*
+ * 'array_len' is the size of the passed in array. 'buffer_len' is the size to
+ * report in the resulting buffer.
+ */
+static const gss_buffer_desc get_input_buffer(TALLOC_CTX *mem_ctx,
+					      const uint8_t array[],
+					      const size_t array_len,
+					      const size_t buffer_len)
+{
+	gss_buffer_desc buf;
+
+	/* Add some padding to catch invalid memory accesses. */
+	const size_t padding = 0x100;
+	const size_t padded_len = array_len + padding;
+
+	uint8_t *data = talloc_size(mem_ctx, padded_len);
+	assert_non_null(data);
+
+	memcpy(data, array, array_len);
+	memset(data + array_len, 0, padding);
+
+	assert_in_range(buffer_len, 0, array_len);
+
+	buf.value = data;
+	buf.length = buffer_len;
+
+	valid_range_begin = buf.value;
+	valid_range_end = valid_range_begin + buf.length;
+	invalid_range_end = valid_range_begin + padded_len;
+
+	return buf;
+}
+
+static void assert_mem_in_valid_range(const uint8_t *ptr, const size_t len)
+{
+	/* Ensure we've set up the range pointers properly. */
+	assert_non_null(valid_range_begin);
+	assert_non_null(valid_range_end);
+	assert_non_null(invalid_range_end);
+
+	/*
+	 * Ensure the length isn't excessively large (a symptom of integer
+	 * underflow).
+	 */
+	assert_in_range(len, 0, 0x1000);
+
+	/* Ensure the memory is in our valid range. */
+	assert_in_range(ptr, valid_range_begin, valid_range_end);
+	assert_in_range(ptr + len, valid_range_begin, valid_range_end);
+}
+
+/*
+ * This function takes a pointer to volatile to allow it to be called from the
+ * ct_memcmp() wrapper.
+ */
+static void assert_mem_outside_invalid_range(const volatile uint8_t *ptr,
+					     const size_t len)
+{
+	const LargestIntegralType _valid_range_end
+		= cast_ptr_to_largest_integral_type(valid_range_end);
+	const LargestIntegralType _invalid_range_end
+		= cast_ptr_to_largest_integral_type(invalid_range_end);
+	const LargestIntegralType _ptr = cast_ptr_to_largest_integral_type(ptr);
+	const LargestIntegralType _len = cast_to_largest_integral_type(len);
+
+	/* Ensure we've set up the range pointers properly. */
+	assert_non_null(valid_range_begin);
+	assert_non_null(valid_range_end);
+	assert_non_null(invalid_range_end);
+
+	/*
+	 * Ensure the length isn't excessively large (a symptom of integer
+	 * underflow).
+	 */
+	assert_in_range(len, 0, 0x1000);
+
+	/* Ensure the memory is outside the invalid range. */
+	if (_ptr < _invalid_range_end && _ptr + _len > _valid_range_end) {
+		fail();
+	}
+}
+
+/*****************************************************************************
+ * wrapped functions
+ *****************************************************************************/
+
+krb5_keyblock dummy_key;
+
+krb5_error_code __wrap_krb5_auth_con_getlocalsubkey(krb5_context context,
+						    krb5_auth_context auth_context,
+						    krb5_keyblock **keyblock);
+krb5_error_code __wrap_krb5_auth_con_getlocalsubkey(krb5_context context,
+						    krb5_auth_context auth_context,
+						    krb5_keyblock **keyblock)
+{
+	*keyblock = &dummy_key;
+	return 0;
+}
+
+void __wrap_krb5_free_keyblock(krb5_context context,
+			krb5_keyblock *keyblock);
+void __wrap_krb5_free_keyblock(krb5_context context,
+			krb5_keyblock *keyblock)
+{
+	assert_ptr_equal(&dummy_key, keyblock);
+}
+
+struct krb5_crypto_data dummy_crypto;
+
+krb5_error_code __wrap_krb5_crypto_init(krb5_context context,
+					const krb5_keyblock *key,
+					krb5_enctype etype,
+					krb5_crypto *crypto);
+krb5_error_code __wrap_krb5_crypto_init(krb5_context context,
+					const krb5_keyblock *key,
+					krb5_enctype etype,
+					krb5_crypto *crypto)
+{
+	static const LargestIntegralType etypes[] = {ETYPE_DES3_CBC_NONE, 0};
+
+	assert_ptr_equal(&dummy_key, key);
+	assert_in_set(etype, etypes, ARRAY_SIZE(etypes));
+
+	*crypto = &dummy_crypto;
+
+	return 0;
+}
+
+krb5_error_code __wrap_krb5_decrypt(krb5_context context,
+				    krb5_crypto crypto,
+				    unsigned usage,
+				    void *data,
+				    size_t len,
+				    krb5_data *result);
+krb5_error_code __wrap_krb5_decrypt(krb5_context context,
+				    krb5_crypto crypto,
+				    unsigned usage,
+				    void *data,
+				    size_t len,
+				    krb5_data *result)
+{
+	assert_ptr_equal(&dummy_crypto, crypto);
+	assert_int_equal(KRB5_KU_USAGE_SEAL, usage);
+
+	assert_mem_in_valid_range(data, len);
+
+	check_expected(len);
+	check_expected_ptr(data);
+
+	result->data = malloc(len);
+	assert_non_null(result->data);
+	result->length = len;
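Review bot: In assert_mem_in_valid_range(), 'ptr' and 'ptr + len' are handed to assert_in_range() as raw pointers, whereas assert_mem_outside_invalid_range() first converts with cast_ptr_to_largest_integral_type() and cast_to_largest_integral_type(); use the same conversion in both helpers so the range comparison is done on integers and 'ptr + len' is never formed as a pointer past the 0x100-byte padding when 'len' is wrong (the preceding check allows up to 0x1000). Smaller points in the visible part of the file: the 'const' on the by-value return type of get_input_buffer() has no effect, and valid_range_begin, valid_range_end, invalid_range_end, dummy_key and dummy_crypto could be declared static.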


-- 
Samba Shared Repository
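
Added example (not part of the original message and not Samba or Heimdal code): a simplified C model of two fixes described in the commit log above, the size_t wrap in 'total_len - 1 - len_len - 1' and a pad check that decrements 'pad' only when a byte remains. The function names, the max_pad parameter and the sample buffers are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sample inputs (not taken from real traffic). */
static const uint8_t pad_ok[]    = { 0xaa, 0xbb, 0x03, 0x03, 0x03 };
static const uint8_t pad_whole[] = { 0x02, 0x02 };             /* pad fills the buffer */
static const uint8_t pad_long[]  = { 0x01, 0x09 };             /* claims 9 of 2 bytes  */
static const uint8_t pad_bad[]   = { 0x01, 0x02, 0x03, 0x03 }; /* third pad byte wrong */

/* The subtraction quoted in the commit message, with no check beforehand. */
static size_t oid_avail_unchecked(size_t total_len, size_t len_len)
{
    return total_len - 1 - len_len - 1; /* wraps to SIZE_MAX on short input */
}

/*
 * Checked form (hypothetical helper): account for the 0x60 tag, the DER
 * length field and the 0x06 OID tag one at a time, refusing as soon as the
 * input is too short. Returns 0 and stores the bytes left in *avail, or -1.
 */
static int oid_avail_checked(size_t total_len, size_t len_len, size_t *avail)
{
    size_t left = total_len;

    if (left < 1)
        return -1;      /* no room for the 0x60 tag */
    left -= 1;
    if (left < len_len)
        return -1;      /* length field runs past the input */
    left -= len_len;
    if (left < 1)
        return -1;      /* no room for the 0x06 tag */
    left -= 1;
    *avail = left;
    return 0;
}

/*
 * Model of trailing-pad verification: the last byte gives the pad length N
 * and the last N bytes must all equal N. 'pad' always points at the byte
 * checked most recently (initially one past the end), so it is decremented
 * only when another byte is known to exist and never moves before 'buf'.
 * max_pad is the caller's bound on an acceptable pad length (assumption).
 * Returns 0 and stores N in *padlength, or -1.
 */
static int verify_pad_model(const uint8_t *buf, size_t len, size_t max_pad,
                            size_t *padlength)
{
    const uint8_t *pad;
    size_t n, i;

    if (buf == NULL || len < 1)
        return -1;
    pad = buf + len;
    n = pad[-1];
    if (n > max_pad || n > len)
        return -1;      /* pad cannot be longer than the data or the bound */
    for (i = n; i > 0; i--) {
        if ((size_t)*--pad != n)
            return -1;
    }
    *padlength = n;
    return 0;
}

int main(void)
{
    size_t v = 0;

    /* Token of two bytes: 0x60 plus a one-byte length, nothing else. */
    printf("unchecked(2,1) = %zu\n", oid_avail_unchecked(2, 1));
    printf("checked(2,1)   = %d\n", oid_avail_checked(2, 1, &v));
    printf("checked(5,1)   = %d\n", oid_avail_checked(5, 1, &v));
    printf("pad_ok    -> %d\n", verify_pad_model(pad_ok, sizeof(pad_ok), 8, &v));
    printf("pad_whole -> %d\n", verify_pad_model(pad_whole, sizeof(pad_whole), 8, &v));
    printf("pad_long  -> %d\n", verify_pad_model(pad_long, sizeof(pad_long), 16, &v));
    printf("pad_bad   -> %d\n", verify_pad_model(pad_bad, sizeof(pad_bad), 8, &v));
    return 0;
}
```

The pad_whole case is the one the commit message singles out: the last byte checked is the first byte of the buffer, and the model stops without stepping behind it.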


