1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-22 13:34:15 +03:00
Commit Graph

162 Commits

Author SHA1 Message Date
Andrew Bartlett
a836bcf22c CVE-2022-37966 kdc: Implement new Kerberos session key behaviour since ENC_HMAC_SHA1_96_AES256_SK was added
ENC_HMAC_SHA1_96_AES256_SK is a flag introduced for by Microsoft in this
CVE to indicate that additionally, AES session keys are available. We
set the etypes available for session keys depending on the encryption
types that are supported by the principal.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15219

Pair-Programmed-With: Joseph Sutton <josephsutton@catalyst.net.nz>

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

(similar to commit 975e43fc45)
[jsutton@samba.org Fixed knownfail conflicts]

[jsutton@samba.org Adapted to older KDC code; fixed knownfail conflicts]
2022-12-14 10:28:16 +00:00
Joseph Sutton
31543f2902 CVE-2022-37966 third_party/heimdal: Fix error message typo
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit d6b3d68efc)
2022-12-14 10:28:16 +00:00
Joseph Sutton
0601bb94c6 CVE-2022-37967 Add new PAC checksum
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15231

Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

(similar to commit a50a2be622)
[jsutton@samba.org Fixed conflicts in krb5pac.idl and raw_testcase.py]

[jsutton@samba.org Fixed conflicts in kdc_base_test.py, raw_testcase.py,
 knownfails, tests.py. Adapted KDC PAC changes to older function.]
2022-12-14 10:28:16 +00:00
Andrew Bartlett
a9c836d044 CVE-2022-37966 HEIMDAL: Look up the server keys to combine with clients etype list to select a session key
We need to select server, not client, to compare client etypes against.

(It is not useful to compare the client-supplied encryption types with
the client's own long-term keys.)

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

(similar to commit 538315a2aa)
[jsutton@samba.org Fixed knownfail conflicts]

[jsutton@samba.org Fixed knownfail conflicts]
2022-12-14 10:28:16 +00:00
Nicolas Williams
2736d267aa CVE-2022-44640 HEIMDAL: asn1: invalid free in ASN.1 codec
Heimdal's ASN.1 compiler generates code that allows specially
crafted DER encodings of CHOICEs to invoke the wrong free function
on the decoded structure upon decode error.  This is known to impact
the Heimdal KDC, leading to an invalid free() of an address partly
or wholly under the control of the attacker, in turn leading to a
potential remote code execution (RCE) vulnerability.

This error affects the DER codec for all CHOICE types used in
Heimdal, though not all cases will be exploitable.  We have not
completed a thorough analysis of all the Heimdal components
affected, thus the Kerberos client, the X.509 library, and other
parts, may be affected as well.

This bug has been in Heimdal since 2005.  It was first reported by
Douglas Bagnall, though it had been found independently by the
Heimdal maintainers via fuzzing a few weeks earlier.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14929

(cherry-picked from Heimdal commit 9c9dac2b169255bad9071eea99fa90b980dde767)

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Tue Dec  6 13:41:05 UTC 2022 on sn-devel-184

(cherry picked from commit 68fc909a7f)

Autobuild-User(v4-16-test): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(v4-16-test): Tue Dec  6 15:28:49 UTC 2022 on sn-devel-184
2022-12-06 15:28:49 +00:00
Stefan Metzmacher
7edddbc684 CVE-2022-42898: HEIMDAL: lib/krb5: fix _krb5_get_int64 on systems where 'unsigned long' is just 32-bit
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15203

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

Autobuild-User(v4-16-test): Jule Anger <janger@samba.org>
Autobuild-Date(v4-16-test): Wed Nov 23 15:58:56 UTC 2022 on sn-devel-184
2022-11-23 15:58:56 +00:00
Jule Anger
722abdcf35 samba: tag release samba-4.16.7
-----BEGIN PGP SIGNATURE-----
 
 iQIzBAABCgAdFiEEgfXigyvSVFoYl7cTqplEL7aAtiAFAmNzpVsACgkQqplEL7aA
 tiDKVBAAsFoRwB7QKhq05IRkV74uQ+WlCBmzgcn7zv5fLn/9wRGMRZNTHpDql1S7
 njP+oPkCBgELR91ivuBXHlBojRllZIxzT0wSh7nk5tK1udV0AnNnCU3unF/rAfM1
 K6F/u4+7qU4ivYSs+kYawmeIz16jhhanxS3aZEBLc1dCLefwPS66KToM0h5TbUVR
 UTJBUHbLeaYzw9glxYKmAYqT+fP8s3BI1BSLcp+7t3NfmZiLU1bqh8mKLwnZlpfx
 9nt0wz3PZDjvZNBHNWn9ZJZfgrgMq2YuSsqnScYvf0zcotqooIt93TOoxvAMe7mf
 50NWP0roMbDj7cTwrQQBYz9duMnmps3FMGMpO15BTvGTDFCG3tb7qwzQICLBuyAk
 quXZ4EPuUQoUgL381tK294ElH3ETvFLrvl0KcGGjVhwQqHcFUPpyQ0uGLtXrqZEm
 fMI2QJGo4iBuJEBmB78+KY6aFpc75k+MaCr6Y5IKo10H4Edjv7Y6CDgKCShKyJCW
 cWvptn8UyVKuUtQX8abuQ6A5oe5+YUgW9uGP52Pcb5OdiWMPT67aOPSbcLLCd9Ws
 4YusPBkgWWjcrjZeRxOrkk/QLVM/QrORFRJiUOrkQy3C3gBCaSpJjlEI+uX9WU5D
 pCKWLtS+49kZ4xcG55q+wFKBaLAyxf8xKxTUeiOJ49dgg7/dGlE=
 =vwwy
 -----END PGP SIGNATURE-----

Merge tag 'samba-4.16.7' into v4-16-test

samba: tag release samba-4.16.7

Signed-off-by: Jule Anger <janger@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
2022-11-15 15:54:55 +01:00
Joseph Sutton
a8ef840d43 CVE-2022-42898 third_party/heimdal: PAC parse integer overflows
Catch overflows that result from adding PAC_INFO_BUFFER_SIZE.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15203

Heavily edited by committer Nico Williams <nico@twosigma.com>, original by
Joseph Sutton <josephsutton@catalyst.net.nz>.

Signed-off-by: Nico Williams <nico@twosigma.com>

[jsutton@samba.org Zero-initialised header_size in krb5_pac_parse() to
 avoid a maybe-uninitialized error; added a missing check for ret == 0]
2022-11-15 15:41:08 +01:00
Volker Lendecke
b57c2bb472 heimdal: Fix the 32-bit build on FreeBSD
REF: https://github.com/heimdal/heimdal/pull/1004
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15220

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit ab4c7bda8d)

Autobuild-User(v4-16-test): Jule Anger <janger@samba.org>
Autobuild-Date(v4-16-test): Tue Nov  8 14:09:47 UTC 2022 on sn-devel-184
2022-11-08 14:09:47 +00:00
Joseph Sutton
eeea6587e9 third_party/heimdal: Introduce macro for common plugin structure elements
Heimdal's HDB plugin interface, and hence Samba's KDC that depends upon
it, doesn't work on 32-bit builds due to structure fields being arranged
in the wrong order. This problem presents itself in the form of
segmentation faults on 32-bit systems, but goes unnoticed on 64-bit
builds thanks to extra structure padding absorbing the errant fields.

This commit reorders the HDB plugin structure fields to prevent crashes
and introduces a common macro to ensure every plugin presents a
consistent interface.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15110

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 074e928497)
2022-11-08 13:11:15 +00:00
Jule Anger
a901109313 samba: tag release samba-4.16.6
-----BEGIN PGP SIGNATURE-----
 
 iQIzBAABCgAdFiEEgfXigyvSVFoYl7cTqplEL7aAtiAFAmNWba0ACgkQqplEL7aA
 tiAj2w/8DgIpsNJSFaUM/yjCPc3brNMFmr1ljBDWIqDOuAuYmx+wBsrPsLaewalp
 0O99kP8Tcsqanwc0HQ+SJcCuprCsxk2qQCMz3SdjSr/lpdDjaIZTAf8ycb1BtjQ3
 U7LxAU7Rv0pmlH277HS6aZAPd1iHWOhUpZpFMZsECOHJLVjdIghXW+x8SDEPl41Y
 ulogbEj7xebJk62N2Z4HrbxlSsoPtPtKSRAytstclnDf4+QSK2pIO2magobsA5q9
 V0z7k7E+8qp/nWiTG2g1hkozZjUVV3UfvOOXmPnr2JatXFblr3Id1gTIRjrPqK2L
 UvQu1r4idA4IWmnbyYldqu7SeQuRtnXHWNa1RVoVa8K5vO6NlhgyfZdLxDFlxO4b
 hKCFV6CvYs2+gDH1Ir7mQc/dV0LUAIUmRdBGwX8BUidyOgYIuoXgyWJAIVKdBGQX
 U9WA3fCS3jPM9RNgeNZMY0RRBmuTVjH/uJA22MEeBfdOKD/iqdt4O9RboC5NlrdS
 s72tiECST6dItBEc5EDTa7jtTd5tQyZkXjhvBLn7DIND0Kdes93u8HCazi74HhRK
 Sq8nbwuadxmGoBEPiISBoxK4fkWucHTRtOgISMfuhqHHug1WCOiHf2Q1IYANKlW0
 rcfC1x2LhTnb1TeRukOfzvXriAksOEhvcTG/HnJolWFZvfwnrgY=
 =bBex
 -----END PGP SIGNATURE-----

Merge tag 'samba-4.16.6' into v4-16-test

samba: tag release samba-4.16.6

Signed-off-by: Jule Anger <janger@samba.org>
2022-10-25 11:55:25 +02:00
Joseph Sutton
5c31d5beb3 CVE-2022-3437 third_party/heimdal: Pass correct length to _gssapi_verify_pad()
We later subtract 8 when calculating the length of the output message
buffer. If padlength is excessively high, this calculation can underflow
and result in a very large positive value.

Now we properly constrain the value of padlength so underflow shouldn't
be possible.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15134

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2022-10-24 07:27:37 +02:00
Joseph Sutton
22dd9072c9 CVE-2022-3437 third_party/heimdal: Check for overflow in _gsskrb5_get_mech()
If len_len is equal to total_len - 1 (i.e. the input consists only of a
0x60 byte and a length), the expression 'total_len - 1 - len_len - 1',
used as the 'len' parameter to der_get_length(), will overflow to
SIZE_MAX. Then der_get_length() will proceed to read, unconstrained,
whatever data follows in memory. Add a check to ensure that doesn't
happen.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15134

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2022-10-24 07:27:37 +02:00
Joseph Sutton
d16ac1f405 CVE-2022-3437 third_party/heimdal: Check buffer length against overflow for DES{,3} unwrap
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15134

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2022-10-24 07:27:37 +02:00
Joseph Sutton
de77f01598 CVE-2022-3437 third_party/heimdal: Check the result of _gsskrb5_get_mech()
We should make sure that the result of 'total_len - mech_len' won't
overflow, and that we don't memcmp() past the end of the buffer.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15134

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2022-10-24 07:27:37 +02:00
Joseph Sutton
e1c2e2836e CVE-2022-3437 third_party/heimdal: Avoid undefined behaviour in _gssapi_verify_pad()
By decrementing 'pad' only when we know it's safe, we ensure we can't
stray backwards past the start of a buffer, which would be undefined
behaviour.

In the previous version of the loop, 'i' is the number of bytes left to
check, and 'pad' is the current byte we're checking. 'pad' was
decremented at the end of each loop iteration. If 'i' was 1 (so we
checked the final byte), 'pad' could potentially be pointing to the
first byte of the input buffer, and the decrement would put it one
byte behind the buffer.

That would be undefined behaviour.

The patch changes it so that 'pad' is the byte we previously checked,
which allows us to ensure that we only decrement it when we know we
have a byte to check.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15134

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2022-10-24 07:27:37 +02:00
Joseph Sutton
c944773adc CVE-2022-3437 third_party/heimdal: Don't pass NULL pointers to memcpy() in DES unwrap
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15134

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2022-10-24 07:27:37 +02:00
Joseph Sutton
9ca9408c5e CVE-2022-3437 third_party/heimdal: Use constant-time memcmp() in unwrap_des3()
The surrounding checks all use ct_memcmp(), so this one was presumably
meant to as well.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15134

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2022-10-24 07:27:37 +02:00
Joseph Sutton
e3c314ed69 CVE-2022-3437 third_party/heimdal: Use constant-time memcmp() for arcfour unwrap
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15134

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2022-10-24 07:27:37 +02:00
Joseph Sutton
c5dd87f488 CVE-2022-3437 third_party/heimdal_build: Add gssapi-subsystem subsystem
This allows us to access (and so test) functions internal to GSSAPI by
depending on this subsystem.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15134

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2022-10-24 07:27:37 +02:00
Joseph Sutton
0eaa68d193 CVE-2022-3437 third_party/heimdal: Remove __func__ compatibility workaround
As described by the C standard, __func__ is a variable, not a macro.
Hence this #ifndef check does not work as intended, and only serves to
unconditionally disable __func__. A nonoperating __func__ prevents
cmocka operating correctly, so remove this definition.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15134

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2022-10-24 07:27:37 +02:00
Andreas Schneider
d41566d1bd third_party: Update socket_wrapper to version 1.3.4
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit 5dcb49bbd8)
2022-09-18 16:46:09 +00:00
Joseph Sutton
b77fb6e636 CVE-2022-2031 third_party/heimdal: Add function to get current KDC time
This allows the plugin to check the endtime of a ticket against the
KDC's current time, to see if the ticket will expire in the next two
minutes.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2022-07-24 09:23:56 +02:00
Joseph Sutton
52b953bfc1 CVE-2022-2031 third_party/heimdal: Check generate_pac() return code
If the function fails, we should not issue a ticket missing the PAC.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2022-07-24 09:23:55 +02:00
Samuel Cabrero
17451c5a17 third_party/heimdal: Fix build with gcc version 12.1
Split lib/krb5/crypto to its own subsystem to built with its own CFLAGS
and avoid the following error:

    [1510/4771] Compiling third_party/heimdal/lib/krb5/crypto.c
    ../../third_party/heimdal/lib/krb5/crypto.c: In function ‘_krb5_internal_hmac’:
    ../../third_party/heimdal/lib/krb5/crypto.c:302:24: warning: cast discards ‘const’ qualifier from pointer target type [-Wcast-qual]
      302 |     iov[0].data.data = (void *) data;
          |                        ^
    ../../third_party/heimdal/lib/krb5/crypto.c: In function ‘derive_key_sp800_hmac’:
    ../../third_party/heimdal/lib/krb5/crypto.c:2427:18: warning: cast discards ‘const’ qualifier from pointer target type [-Wcast-qual]
     2427 |     label.data = (void *)constant;
          |                  ^
    ../../third_party/heimdal/lib/krb5/crypto.c: In function ‘decrypt_internal_derived’:
    ../../third_party/heimdal/lib/krb5/crypto.c:1280:9: error: pointer ‘p’ may be used after ‘realloc’ [-Werror=use-after-free]
     1280 |         free(p);
          |         ^~~~~~~
    ../../third_party/heimdal/lib/krb5/crypto.c:1278:20: note: call to ‘realloc’ here
     1278 |     result->data = realloc(p, l);
          |                    ^~~~~~~~~~~~~
    ../../third_party/heimdal/lib/krb5/crypto.c: In function ‘decrypt_internal_enc_then_cksum’:
    ../../third_party/heimdal/lib/krb5/crypto.c:1365:9: error: pointer ‘p’ may be used after ‘realloc’ [-Werror=use-after-free]
     1365 |         free(p);
          |         ^~~~~~~
    ../../third_party/heimdal/lib/krb5/crypto.c:1363:20: note: call to ‘realloc’ here
     1363 |     result->data = realloc(p, l);
          |                    ^~~~~~~~~~~~~
    ../../third_party/heimdal/lib/krb5/crypto.c: In function ‘decrypt_internal’:
    ../../third_party/heimdal/lib/krb5/crypto.c:1431:9: error: pointer ‘p’ may be used after ‘realloc’ [-Werror=use-after-free]
     1431 |         free(p);
          |         ^~~~~~~
    ../../third_party/heimdal/lib/krb5/crypto.c:1429:20: note: call to ‘realloc’ here
     1429 |     result->data = realloc(p, l);
          |                    ^~~~~~~~~~~~~
    ../../third_party/heimdal/lib/krb5/crypto.c: In function ‘decrypt_internal_special’:
    ../../third_party/heimdal/lib/krb5/crypto.c:1478:9: error: pointer ‘p’ may be used after ‘realloc’ [-Werror=use-after-free]
     1478 |         free(p);
          |         ^~~~~~~
    ../../third_party/heimdal/lib/krb5/crypto.c:1476:20: note: call to ‘realloc’ here
     1476 |     result->data = realloc(p, sz);
          |                    ^~~~~~~~~~~~~~
    cc1: all warnings being treated as errors

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15095

Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Samuel Cabrero <scabrero@samba.org>
Autobuild-Date(master): Tue Jun 14 10:16:18 UTC 2022 on sn-devel-184

(cherry picked from commit 971441ca52)
2022-07-18 08:47:13 +00:00
Andreas Schneider
b09a37cd82 third_party: Update waf to version 2.0.24
This fixes building of python libraries with Python 3.11!

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15071

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Mon May 23 09:34:51 UTC 2022 on sn-devel-184

(cherry picked from commit d19dfe1efb)
2022-05-30 08:15:10 +00:00
Andreas Schneider
32a573463e third_party: Update waf to verison 2.0.23
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Mon Feb 21 10:06:27 UTC 2022 on sn-devel-184

(cherry picked from commit fb175576b6)
2022-05-30 08:15:10 +00:00
Andreas Schneider
8385893f4c third_party:waf: Print the version of waf at the end of the update script
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
(cherry picked from commit 6b8d30e0aa)
2022-05-30 08:15:10 +00:00
Stefan Metzmacher
9d819c9359 third_party/heimdal: import lorikeet-heimdal-202203101710 (commit df8d801544144949931cd742169be1207b239c3d)
This fixes the regressions against KDCs without FAST support.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15002
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15005

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>

Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Fri Mar 11 18:06:47 UTC 2022 on sn-devel-184

(cherry picked from commit 9b48e7f7ed)
2022-03-14 14:27:13 +00:00
Stefan Metzmacher
2aa95f7820 third_party/heimdal: import lorikeet-heimdal-202203101709 (commit 47863866da25cc21d292ce335a976b8b33fa1864)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15002
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15005

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
(cherry picked from commit 67bdc922f9)
2022-03-14 14:27:13 +00:00
Stefan Metzmacher
302f9acb4a third_party/heimdal: import lorikeet-heimdal-202203031927 (commit 7abc451ddd74d0c2e57dbb32f3198bde8def73ab)
NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN!

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14865

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit f33f73f82f)
2022-03-08 13:35:17 +00:00
Joseph Sutton
12a61bb741 s4:kdc: Adapt to hdb_entry_ex removal
Rather than having a 'free_entry' member that can be called to free an
hdb_entry, we now implement the free function in HDB. We perform the
free only if the context pointer is non-NULL.

We also remove the ZERO_STRUCTP() in sdb_entry_to_hdb_entry(), as the
context pointer is now part of the 'hdb_entry' structure itself, and
this would undesirably zero it out.

This is an adaptation to Heimdal commits:

commit c5551775e204d00c7ee8055ab6ddbba7e0590584
Author: Luke Howard <lukeh@padl.com>
Date:   Fri Jan 7 12:15:55 2022 +1100

    hdb: decorate HDB_entry with context member

    Decorate HDB_entry with context and move free_entry callback into HDB structure
    itself. Requires updating hdb_free_entry() signature to include HDB parameter.
    A follow-up commit will consolidate hdb_entry_ex (which has a single hdb_entry
    member) into hdb_entry.

commit 0e8c4ccc6ee0123ea39e53e8917fc3f6bb74e8c8
Author: Luke Howard <lukeh@padl.com>
Date:   Fri Jan 7 12:54:40 2022 +1100

    hdb: eliminate hdb_entry_ex

    Remove hdb_entry_ex and revert to the original design of hdb_entry (except with
    an additional context member in hdb_entry which is managed by the free_entry
    method in HDB).

NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN!

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14995

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 94d387abd5)
2022-03-02 10:26:31 +00:00
Joseph Sutton
8ae5ce46e5 third_party/heimdal_build: Don't generate .x source files
This is an adaptation to Heimdal:

commit 9427796f1a65906f12768b28abdb5a928222f3c6
Author: Jeffrey Altman <jaltman@secure-endpoints.com>
Date:   Wed Jan 5 15:45:23 2022 -0500

    Generate .x source files as .c source files

    The generated .x source and .hx header files are plain C source files.
    Generate them as .c source files and avoid unnecessary file copying
    and special makefile rules.

    Change-Id: Ifc4bbe3c46dd357fdd642040ad964c7cfe1d395c

NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN!

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14995

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 7cb68fdba7)
2022-03-02 10:26:31 +00:00
Joseph Sutton
0918e692fa third_party/heimdal_build: Add SFU source file
This is an adaptation to Heimdal:

commit 0287558838de79313e38026d2f0905ffc987d0b8
Author: Luke Howard <lukeh@padl.com>
Date:   Fri Dec 24 13:49:55 2021 +1100

    kdc: move Services for User implementation out of krb5tgs.c

    Move the Services for User (SFU/S4U) implementation -- protocol transition and
    constrained delegation -- into its own compilation unit, with an interface that
    only takes an astgs_request_t, so it can be easily factored out into a plugin
    module in the future.

    This refactoring is also careful to update all client names in the request
    structure after the SFU/S4U validation has successfully completed.

NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN!

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14995

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit b9f4ea8bdb)
2022-03-02 10:26:31 +00:00
Joseph Sutton
9e76300526 s4:kdc: Rename windc to kdc plugin
This is an adaptation to Heimdal:

commit fcff5933ade652343d7c169659da92fac0e6e0d4
Author: Luke Howard <lukeh@padl.com>
Date:   Mon Jan 3 11:10:18 2022 +1100

    kdc: rename windc to kdc plugin

    Rename the "windc" plugin API to the more general "kdc" plugin API, for two
    reasons: the Heimdal KDC uses the Windows PAC even when not emulating a domain
    controller, and the plugin API has accreted methods that are not specific to
    emulating a domain controller (such as referral_policy and finalize_reply).

NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN!

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14995

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 83586e8f58)
2022-03-02 10:26:31 +00:00
Joseph Sutton
26880578a5 third_party/heimdal_build: Add source files to build
This is an adaptation to Heimdal:

commit be708ca3cf98900c61919f8ff7ced4428b5d1f32
Author: Nicolas Williams <nico@twosigma.com>
Date:   Wed Dec 22 17:01:12 2021 -0600

    gsskrb5: Add simple name attributes support

    This adds Kerberos mechanism support for:

     - composite principal name export/import
     - getting rudimentary name attributes from GSS names using
       gss_get_name_attribute():
        - all (raw) authorization data from the Ticket
        - all (raw) authorization data from the Authenticator
        - transit path
        - realm
        - component count
        - each component
     - gss_inquire_name()
     - gss_display_name_ext() (just for the hostbased service name type
                               though)

    The test exercises almost all of the functionality, except for:

     - getting the PAC
     - getting authz-data from the Authenticator
     - getting the transit path

    TBD (much) later:

     - amend test_context to do minimal name attribute checks as well
     - gss_set_name_attribute() (to request authz-data)
     - gss_delete_name_attribute()
     - getting specific authorization data elements via URN fragments (as
       opposed to all of them)
     - parsing the PAC, extracting SIDs (each one as a separate value)
     - some configurable local policy (?)
     - plugin interface for additional local policy

NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN!

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14995

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit f2ca9c5db7)
2022-03-02 10:26:30 +00:00
Joseph Sutton
e26fbf420e third_party/heimdal: import lorikeet-heimdal-202203010107 (commit 0e7a12404c388e831fe6933fcc3c86e7eb334825)
NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN!

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14995

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 51569b3152)
2022-03-02 10:26:30 +00:00
Joseph Sutton
c9a77ff43e third_party/heimdal_build: Define fallthrough macro for switch statements
This is an adaptation to Heimdal:

commit ddc61136100b32346c4c4efa2bb6ddb5baedfb3e
Author: Nicolas Williams <nico@twosigma.com>
Date:   Fri Jan 14 16:32:04 2022 -0600

    Use fallthrough statement attribute

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14995

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit fccf985978)
2022-03-02 10:26:30 +00:00
Joseph Sutton
947ad1581a third_party/heimdal_build: Determine whether time_t is signed
Without this, Heimdal will assume time_t is unsigned, and a wrong
assumption will cause 'infinite' ticket lifetimes to be reckoned as from
the past, and thus requests will fail with KDC_ERR_NEVER_VALID.

This is an adaptation to Heimdal:

commit 9ae9902249732237aa1711591604a6adf24963fe
Author: Nicolas Williams <nico@twosigma.com>
Date:   Tue Feb 15 17:01:00 2022 -0600

    cf: Check if time_t is signed

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14995

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Tue Mar  1 18:07:50 UTC 2022 on sn-devel-184

(cherry picked from commit 9eb27f296a)
2022-03-02 10:26:30 +00:00
Joseph Sutton
77ed10e2ff third_party/heimdal_build: Add KDC_LIB macro definitions
This is an adaptation to Heimdal:

commit 7bb00a40eabbed2bc1c268f5244bfb9736d9bebe
Author: Luke Howard <lukeh@padl.com>
Date:   Tue Jan 4 13:08:35 2022 +1100

    kdc: fix Windows build

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14995

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 6d8fec7006)
2022-03-02 10:26:30 +00:00
Stefan Metzmacher
7055827b8f HEIMDAL: move code from source4/heimdal* to third_party/heimdal*
This makes it clearer that we always want to do heimdal changes
via the lorikeet-heimdal repository.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>

Autobuild-User(master): Joseph Sutton <jsutton@samba.org>
Autobuild-Date(master): Wed Jan 19 21:41:59 UTC 2022 on sn-devel-184
2022-01-19 21:41:59 +00:00
Douglas Bagnall
1926335839 third_party/update: forget pep8
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Noel Power <npower@samba.org>

Autobuild-User(master): Noel Power <npower@samba.org>
Autobuild-Date(master): Fri Nov 19 13:25:16 UTC 2021 on sn-devel-184
2021-11-19 13:25:16 +00:00
Douglas Bagnall
e94e649bbb third_party: remove pep8
This was a *partial* copy of the python linting tool that has been
known as 'pycodestyle' since 2017. I say partial copy, because it does
not seem to contain the pep8 binary itself, just some documentation
and tests. It has not been changed since it was added in 2015.

It is GOOD that people run python linters, but this doesn't help them
in the slightest.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Noel Power <npower@samba.org>
2021-11-19 12:35:39 +00:00
Andreas Schneider
e556b4067e waf: Fix resolv_wrapper with glibc 2.34
With glibc 2.34 we are not able to talk to the DNS server via socket_wrapper
anymore. The res_* symbols have been moved from libresolv to libc. We are not
able to intercept any traffic inside of libc.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
2021-11-05 11:44:30 +00:00
Andreas Schneider
7f6f4777b4 third_party: Update pam_wrapper to version 1.1.4
Signed-off-by: Andreas Schneider <asn@cryptomilk.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Oct 28 19:03:04 UTC 2021 on sn-devel-184
2021-10-28 19:03:04 +00:00
Andreas Schneider
59ed099285 third_party: Update waf to version 2.0.22
New in waf 2.0.22

* Fix stdin propagation with faulty vcvarsall scripts #2315
* Enable mixing Unix-style paths with destdir on Windows platforms #2337
* Fix shell escaping unit test parameters #2314
* Improve extras/clang_compilation_database and extras/swig compatibility #2336
* Propagate C++ flags to the Cuda compiler in extras/cuda #2311
* Fix detection of Qt 5.0.0 (preparation for Qt6) #2331
* Enable Haxe processing #2308
* Fix regression in MACOSX_DEPLOYMENT_TARGET caused by distutils #2330
* Fix extras/wafcache concurrent trimming issues #2312
* Fix extras/wafcache symlink handling #2327

The import was done like this:

./third_party/waf/update.sh

Then changing buildtools/bin/waf and buildtools/wafsamba/wafsamba.py
by hand.

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

Signed-off-by: Andreas Schneider <asn@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu Sep  2 21:22:17 UTC 2021 on sn-devel-184
2021-09-02 21:22:17 +00:00
Andreas Schneider
e41bc0f43f third_party: Add a script to update waf
./third_party/waf/update.sh

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-09-02 20:30:31 +00:00
Andreas Schneider
740a217264 third_party:cmocka: Fix build when used in lib/tevent
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2021-07-07 05:07:30 +00:00
Stefan Metzmacher
10c198827d third_party: Update socket_wrapper to version 1.3.3
This fixes a deadlock abort() when SOCKET_WRAPPER_KEEP_PCAP=1
is used.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14640

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Wed Mar 17 23:53:04 UTC 2021 on sn-devel-184
2021-03-17 23:53:04 +00:00
Stefan Metzmacher
ab943babc3 third_party: Update socket_wrapper to version 1.3.2
This brings support for fd-passing of INET sockets.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11899

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2021-02-10 14:00:32 +00:00