diff --git a/net/samba413/Makefile b/net/samba413/Makefile
index 1c1df27edb8a..5a3f59c6d26e 100644
--- a/net/samba413/Makefile
+++ b/net/samba413/Makefile
@@ -1,697 +1,699 @@ PORTNAME= ${SAMBA4_BASENAME}413 PORTVERSION= ${SAMBA4_VERSION} -PORTREVISION= 3 +PORTREVISION= 4 CATEGORIES?= net MASTER_SITES= SAMBA/samba/stable SAMBA/samba/rc DISTNAME= ${SAMBA4_DISTNAME} MAINTAINER= timur@FreeBSD.org COMMENT= Free SMB/CIFS and AD/DC server and client for Unix WWW= https://www.samba.org/ LICENSE= GPLv3+ LICENSE_FILE= ${WRKSRC}/COPYING IGNORE_NONTHREAD_PYTHON= needs port lang/python${PYTHON_SUFFIX} to be build with THREADS support CONFLICTS_INSTALL?= samba4* # bin/cifsdd bin/dbwrap_tool bin/dumpmscat bin/findsmb bin/gentest USES= cpe -EXTRA_PATCHES+= ${PATCHDIR}/0001-Zfs-provision-1.patch:-p1 +EXTRA_PATCHES+= ${PATCHDIR}/0001-Zfs-provision-1.patch:-p1 \ + ${PATCHDIR}/0001-Compact-and-simplify-modules-build-and-config-genera.patch:-p1 \ + ${PATCHDIR}/CVE-2022-3437-des3-overflow-v4a-4.12.patch:-p1 SAMBA4_BASENAME= samba SAMBA4_PORTNAME= ${SAMBA4_BASENAME}4 SAMBA4_VERSION= 4.13.17 SAMBA4_DISTNAME= ${SAMBA4_BASENAME}-${SAMBA4_VERSION:S|.p|pre|:S|.r|rc|:S|.t|tp|:S|.a|alpha|} WRKSRC?= ${WRKDIR}/${DISTNAME} PLIST?= ${PKGDIR}/pkg-plist CPE_VENDOR= samba CPE_PRODUCT= samba # Directories VARDIR= ${DESTDIR}/var SAMBA4_RUNDIR= ${VARDIR}/run/${SAMBA4_PORTNAME} SAMBA4_LOGDIR= ${VARDIR}/log/${SAMBA4_PORTNAME} SAMBA4_LOCKDIR= ${VARDIR}/db/${SAMBA4_PORTNAME} SAMBA4_BINDDNSDIR= ${SAMBA4_LOCKDIR}/bind-dns SAMBA4_PRIVATEDIR= ${SAMBA4_LOCKDIR}/private SAMBA4_PAMDIR= ${PREFIX}/lib SAMBA4_LIBDIR= ${PREFIX}/lib/${SAMBA4_PORTNAME} SAMBA4_INCLUDEDIR= ${PREFIX}/include/${SAMBA4_PORTNAME} SAMBA4_CONFDIR= ${PREFIX}/etc SAMBA4_CONFIG= smb4.conf SAMBA4_MODULES_CLASS= auth bind9 gensec gpext idmap ldb nss_info \ pdb perfcount process_model service vfs CONFIGURE_ARGS+= --mandir="${MANPREFIX}/man" \ --sysconfdir="${SAMBA4_CONFDIR}" \ --includedir="${SAMBA4_INCLUDEDIR}" \ --datadir="${DATADIR}" \ --libdir="${SAMBA4_LIBDIR}" \ --with-privatelibdir="${SAMBA4_LIBDIR}/private" \ --with-pammodulesdir="${SAMBA4_PAMDIR}" \ --with-modulesdir="${SAMBA4_MODULEDIR}" \ 
--with-pkgconfigdir="${PKGCONFIGDIR}" \ --localstatedir="${VARDIR}" \ --with-piddir="${SAMBA4_RUNDIR}" \ --with-sockets-dir="${SAMBA4_RUNDIR}" \ --with-privileged-socket-dir="${SAMBA4_RUNDIR}" \ --with-lockdir="${SAMBA4_LOCKDIR}" \ --with-statedir="${SAMBA4_LOCKDIR}" \ --with-cachedir="${SAMBA4_LOCKDIR}" \ --with-bind-dns-dir=${SAMBA4_BINDDNSDIR} \ --with-privatedir="${SAMBA4_PRIVATEDIR}" \ --with-logfilebase="${SAMBA4_LOGDIR}" # XXX: Flags CONFIGURE_ENV+= PTHREAD_LDFLAGS="-lpthread" MAKE_ENV+= PYTHONHASHSEED=1 USES+= compiler:c++11-lang iconv localbase:ldflags \ perl5 pkgconfig shebangfix waf gettext-runtime USE_PERL5= build USE_LDCONFIG= ${SAMBA4_LIBDIR} WAF_CMD= buildtools/bin/waf CONFIGURE_LOG= bin/config.log PKGCONFIGDIR?= ${PREFIX}/libdata/pkgconfig PKGCONFIGDIR_REL?= ${PKGCONFIGDIR:S,^${PREFIX}/,,} PLIST_SUB+= PKGCONFIGDIR=${PKGCONFIGDIR_REL} SUB_LIST+= PKGCONFIGDIR=${PKGCONFIGDIR_REL} ############################################################################## OPTIONS_SUB= yes OPTIONS_DEFINE= AD_DC ADS CLUSTER CUPS DOCS FAM GPGME \ LDAP MANDOC NTVFS PROFILE PYTHON3 QUOTAS \ SPOTLIGHT SYSLOG UTMP #OPTIONS_DEFINE+= DEVELOPER MEMORY_DEBUG OPTIONS_GROUP= VFS OPTIONS_GROUP_VFS= FRUIT GLUSTERFS OPTIONS_SINGLE= GSSAPI ZEROCONF OPTIONS_SINGLE_GSSAPI= GSSAPI_BUILTIN GSSAPI_MIT #GSSAPI_HEIMDAL OPTIONS_SINGLE_ZEROCONF= ZEROCONF_NONE AVAHI MDNSRESPONDER OPTIONS_RADIO= DNS OPTIONS_RADIO_DNS= NSUPDATE BIND916 BIND918 # Make those default options OPTIONS_DEFAULT= AD_DC ADS DOCS FAM LDAP \ PROFILE PYTHON3 QUOTAS SYSLOG UTMP \ FRUIT GSSAPI_BUILTIN AVAHI ############################################################################## ADS_DESC= Active Directory client(implies LDAP) AD_DC_DESC= Active Directory Domain Controller(implies PYTHON3) CLUSTER_DESC= Clustering support DEVELOPER_DESC= With developer framework(implies NTVFS) FAM_DESC= File Alteration Monitor GPGME_DESC= GpgME support LDAP_DESC= LDAP client LIBZFS_DESC= LibZFS SPOTLIGHT_DESC= Spotlight server-side 
search support MANDOC_DESC= Build manpages from DOCBOOK templates MEMORY_DEBUG_DESC= Debug memory allocator NTVFS_DESC= Build *DEPRECATED* NTVFS file server PICKY_DEVELOPER_DESC= Treat compiler warnings as errors(implies DEVELOPER) PROFILE_DESC= Profiling data QUOTAS_DESC= Disk quota support UTMP_DESC= UTMP accounting VFS_DESC= VFS modules GLUSTERFS_DESC= GlusterFS support FRUIT_DESC= MacOSX and TimeMachine support GSSAPI_BUILTIN_DESC= GSSAPI support via bundled Heimdal ZEROCONF_DESC= Zero configuration networking ZEROCONF_NONE_DESC= Zeroconf support is absent DNS_DESC= DNS frontend BIND916_DESC= Use Bind 9.16 as AD DC DNS server frontend BIND918_DESC= Use Bind 9.18 as AD DC DNS server frontend NSUPDATE_DESC= Use samba NSUPDATE utility for AD DC ############################################################################## # XXX: Unconditional dependencies which can't be switched off(if present in # the system) # Iconv(picked up unconditionaly) LIB_DEPENDS+= libiconv.so:converters/libiconv # unwind LIB_DEPENDS+= libunwind.so:devel/libunwind # Readline(sponsored by Python) # XXX: USES=readline pollutes CPPFLAGS, so we explicitly put dependency LIB_DEPENDS+= libreadline.so:devel/readline # popt LIB_DEPENDS+= libpopt.so:devel/popt # inotify LIB_DEPENDS+= libinotify.so:devel/libinotify # GNUTLS LIB_DEPENDS+= libgnutls.so:security/gnutls LIB_DEPENDS+= libgcrypt.so:security/libgcrypt # NFSv4 ACL glue LIB_DEPENDS+= libsunacl.so:sysutils/libsunacl # Jansson BUILD_DEPENDS+= jansson>=2.10:devel/jansson RUN_DEPENDS+= jansson>=2.10:devel/jansson # tasn1 BUILD_DEPENDS+= libtasn1>=3.8:security/libtasn1 RUN_DEPENDS+= libtasn1>=3.8:security/libtasn1 # External Samba dependencies # Needed for IDL compiler BUILD_DEPENDS+= p5-Parse-Yapp>=0:devel/p5-Parse-Yapp # Libarchive SAMBA4_BUNDLED_LIBS+= !libarchive BUILD_DEPENDS+= libarchive>=3.1.2:archivers/libarchive RUN_DEPENDS+= libarchive>=3.1.2:archivers/libarchive ### Bundled libraries SAMBA4_BUNDLED_CMOCKA?= no SAMBA4_BUNDLED_TALLOC?= 
no SAMBA4_BUNDLED_TEVENT?= no SAMBA4_BUNDLED_TDB?= no SAMBA4_BUNDLED_LDB?= yes # cmocka .if defined(SAMBA4_BUNDLED_CMOCKA) && ${SAMBA4_BUNDLED_CMOCKA} == yes SAMBA4_BUNDLED_LIBS+= cmocka CONFLICTS_INSTALL+= cmocka-1.* PLIST_SUB+= SAMBA4_BUNDLED_CMOCKA="" SUB_LIST+= SAMBA4_BUNDLED_CMOCKA="" .else SAMBA4_BUNDLED_LIBS+= !cmocka BUILD_DEPENDS+= cmocka>=1.1.3:sysutils/cmocka TEST_DEPENDS+= cmocka>=1.1.3:sysutils/cmocka PLIST_SUB+= SAMBA4_BUNDLED_CMOCKA="@comment " SUB_LIST+= SAMBA4_BUNDLED_CMOCKA="@comment " .endif # talloc .if defined(SAMBA4_BUNDLED_TALLOC) && ${SAMBA4_BUNDLED_TALLOC} == yes SAMBA4_BUNDLED_LIBS+= talloc CONFLICTS_INSTALL+= talloc-* talloc1-* PLIST_SUB+= SAMBA4_BUNDLED_TALLOC="" SUB_LIST+= SAMBA4_BUNDLED_TALLOC="" .else SAMBA4_BUNDLED_LIBS+= !talloc BUILD_DEPENDS+= talloc>=2.3.1:devel/talloc RUN_DEPENDS+= talloc>=2.3.1:devel/talloc PLIST_SUB+= SAMBA4_BUNDLED_TALLOC="@comment " SUB_LIST+= SAMBA4_BUNDLED_TALLOC="@comment " .endif # tevent .if defined(SAMBA4_BUNDLED_TEVENT) && ${SAMBA4_BUNDLED_TEVENT} == yes SAMBA4_BUNDLED_LIBS+= tevent CONFLICTS_INSTALL+= tevent-* tevent1-* PLIST_SUB+= SAMBA4_BUNDLED_TEVENT="" SUB_LIST+= SAMBA4_BUNDLED_TEVENT="" .else SAMBA4_BUNDLED_LIBS+= !tevent BUILD_DEPENDS+= tevent>=0.10.2:devel/tevent RUN_DEPENDS+= tevent>=0.10.2:devel/tevent PLIST_SUB+= SAMBA4_BUNDLED_TEVENT="@comment " SUB_LIST+= SAMBA4_BUNDLED_TEVENT="@comment " .endif # tdb .if defined(SAMBA4_BUNDLED_TDB) && ${SAMBA4_BUNDLED_TDB} == yes SAMBA4_BUNDLED_LIBS+= tdb CONFLICTS_INSTALL+= tdb-* tdb1-* PLIST_SUB+= SAMBA4_BUNDLED_TDB="" SUB_LIST+= SAMBA4_BUNDLED_TDB="" .else SAMBA4_BUNDLED_LIBS+= !tdb BUILD_DEPENDS+= tdb>=1.4.3:databases/tdb RUN_DEPENDS+= tdb>=1.4.3:databases/tdb PLIST_SUB+= SAMBA4_BUNDLED_TDB="@comment " SUB_LIST+= SAMBA4_BUNDLED_TDB="@comment " .endif # ldb .if defined(SAMBA4_BUNDLED_LDB) && ${SAMBA4_BUNDLED_LDB} == yes SAMBA4_BUNDLED_LDB= yes SAMBA4_BUNDLED_LIBS+= ldb PLIST_SUB+= SAMBA4_BUNDLED_LDB="" SUB_LIST+= SAMBA4_BUNDLED_LDB="" SAMBA4_MODULEDIR= 
${SAMBA4_LIBDIR}/modules .else SAMBA4_BUNDLED_LIBS+= !ldb BUILD_DEPENDS+= ldb22>=2.2.0:databases/ldb22 RUN_DEPENDS+= ldb22>=2.2.0:databases/ldb22 PLIST_SUB+= SAMBA4_BUNDLED_LDB="@comment " SUB_LIST+= SAMBA4_BUNDLED_LDB="@comment " SAMBA4_MODULEDIR= ${PREFIX}/lib/shared-modules .endif .if (defined(SAMBA4_BUNDLED_TALLOC) && ${SAMBA4_BUNDLED_TALLOC} == yes) \ || (defined(SAMBA4_BUNDLED_TDB) && ${SAMBA4_BUNDLED_TDB} == yes) \ || (defined(SAMBA4_BUNDLED_LDB) && ${SAMBA4_BUNDLED_LDB} == yes) \ || (defined(SAMBA4_BUNDLED_TEVENT) && ${SAMBA4_BUNDLED_TEVENT} == yes) SAMBA4_BUNDLED_LIBS+= replace .endif # Don't use external libcom_err SAMBA4_BUNDLED_LIBS+= com_err # Set the test environment variables TEST_USES= python TEST_ENV+= PYTHON="${PYTHON_CMD}" \ SHA1SUM=/sbin/sha1 \ SHA256SUM=/sbin/sha256 \ MD5SUM=/sbin/md5 \ PYTHONDONTWRITEBYTECODE=1 TEST_DEPENDS+= bash:shells/bash \ tshark:net/tshark # External Python modules TEST_BUILD_DEPENDS+= ${PYTHON_PKGNAMEPREFIX}iso8601>=0.1.11:devel/py-iso8601@${PY_FLAVOR} TEST_RUN_DEPENDS+= ${PYTHON_PKGNAMEPREFIX}iso8601>=0.1.11:devel/py-iso8601@${PY_FLAVOR} ############################################################################## CONFIGURE_ARGS+= \ --with-pam \ --with-iconv \ --with-winbind \ --with-regedit \ --disable-rpath \ --without-lttng \ --without-gettext \ --enable-pthreadpool \ --without-fake-kaserver \ --without-systemd \ --with-libarchive \ --with-acl-support \ --with-sendfile-support \ --disable-ctdb-tests # ${ICONV_CONFIGURE_BASE} ############################################################################## FRUIT_PREVENTS= ZEROCONF_NONE FRUIT_PREVENTS_MSG= MacOSX support requires Zeroconf(AVAHI or MDNSRESPONDER) FRUIT_VARS= SAMBA4_MODULES+=vfs_fruit FRUIT_PLIST_FILES= man/man8/vfs_fruit.8.gz GLUSTERFS_CONFIGURE_ENABLE= glusterfs GLUSTERFS_LIB_DEPENDS= libglusterfs.so:net/glusterfs GLUSTERFS_VARS= SAMBA4_MODULES+=vfs_glusterfs GLUSTERFS_PLIST_FILES= man/man8/vfs_glusterfs.8.gz ZEROCONF_NONE_MAKE_ENV= ZEROCONF=none 
############################################################################## AVAHI_CONFIGURE_ENABLE= avahi AVAHI_LIB_DEPENDS= libavahi-client.so:net/avahi-app AVAHI_VARS= SAMBA4_SERVICES+=avahi_daemon MDNSRESPONDER_CONFIGURE_ENABLE= dnssd MDNSRESPONDER_LIB_DEPENDS= libdns_sd.so:net/mDNSResponder MDNSRESPONDER_VARS= SAMBA4_SERVICES+=mdnsd ############################################################################## BIND916_RUN_DEPENDS= bind916>=9.16.0.0:dns/bind916 BIND918_RUN_DEPENDS= bind918>=9.18.0.0:dns/bind918 NSUPDATE_RUN_DEPENDS= samba-nsupdate:dns/samba-nsupdate ############################################################################## MEMORY_DEBUG_IMPLIES= DEBUG MEMORY_DEBUG_CONFIGURE_ENV= ADDITIONAL_CFLAGS="-DENABLE_JEMALLOC `pkg-config --cflags jemalloc`" ADDITIONAL_LDFLAGS="`pkg-config --libs jemalloc`" MEMORY_DEBUG_LIB_DEPENDS= libjemalloc.so.2:devel/jemalloc # https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=194046 GDB_CMD?= ${LOCALBASE}/bin/gdb # https://bugzilla.samba.org/show_bug.cgi?id=8969 PICKY_DEVELOPER_IMPLIES= DEVELOPER PICKY_DEVELOPER_CONFIGURE_ON= --picky-developer DEVELOPER_IMPLIES= NTVFS DEVELOPER_CONFIGURE_ON= --enable-developer --enable-selftest --abi-check-disable DEVELOPER_CONFIGURE_ENV= WAF_CMD_FORMAT=string DEVELOPER_RUN_DEPENDS= ${SAMBA4_LMDB_DEPENDS} DEVELOPER_BUILD_DEPENDS= ${GDB_CMD}:devel/gdb \ ${SAMBA4_LMDB_DEPENDS} DEVELOPER_TEST_DEPENDS= ${GDB_CMD}:devel/gdb DEVELOPER_VARS_OFF= GDB_CMD=true # XXX: Mostly used in conjuction with the DEVELOPER option, don't enable it # if you don't know what you are doing NTVFS_IMPLIES= AD_DC NTVFS_CONFIGURE_WITH= ntvfs-fileserver NTVFS_VARS= SAMBA4_MODULES+=service_smb NTVFS_PLIST_FILES= lib/samba4/private/libntvfs-samba4.so ############################################################################## AD_DC_IMPLIES= PYTHON3 AD_DC_CONFIGURE_OFF= --without-ad-dc AD_DC_BUILD_DEPENDS= ${SAMBA4_LMDB_DEPENDS} AD_DC_RUN_DEPENDS= ${SAMBA4_LMDB_DEPENDS} AD_DC_VARS= 
PLIST+=${PKGDIR}/pkg-plist.ad_dc ADS_IMPLIES= LDAP ADS_CONFIGURE_WITH= ads dnsupdate CLUSTER_CONFIGURE_WITH= cluster-support CLUSTER_VARS= PLIST+=${PKGDIR}/pkg-plist.cluster CUPS_CONFIGURE_ENABLE= cups iprint CUPS_LIB_DEPENDS= libcups.so:print/cups # https://bugzilla.samba.org/show_bug.cgi?id=9545 FAM_USES= fam FAM_CONFIGURE_WITH= fam GPGME_CONFIGURE_WITH= gpgme GPGME_LIB_DEPENDS= libgpgme.so:security/gpgme GSSAPI_MIT_CONFIGURE_ON= --with-system-mitkrb5 ${GSSAPIBASEDIR} \ --with-system-mitkdc=${GSSAPIBASEDIR}/sbin/krb5kdc \ --with-experimental-mit-ad-dc GSSAPI_MIT_USES= gssapi:mit GSSAPI_HEIMDAL_CONFIGURE_ON= --with-system-heimdalkrb5 ${GSSAPIBASEDIR} GSSAPI_HEIMDAL_USES= gssapi:heimdal GSSAPI_HEIMDAL_PREVENTS= AD_DC GSSAPI_HEIMDAL_PREVENTS_MSG= GSSAPI_HEIMDAL and AD_DC enable conflicting options LDAP_CONFIGURE_WITH= ldap LDAP_CONFIGURE_ON= --with-openldap=${LOCALBASE} LDAP_USE= OPENLDAP=yes LDAP_VARS= SAMBA4_MODULES+=idmap_ldap LIBZFS_CONFIGURE_WITH= libzfs LIBZFS_VARS= SAMBA4_MODULES+=vfs_zfs_space MANDOC_BUILD_DEPENDS= ${LOCALBASE}/share/xsl/docbook/manpages/docbook.xsl:textproc/docbook-xsl \ xsltproc:textproc/libxslt MANDOC_CONFIGURE_ENV_OFF= XSLTPROC="true" PROFILE_CONFIGURE_WITH= profiling-data QUOTAS_CONFIGURE_WITH= quotas SPOTLIGHT_CONFIGURE_ENABLE= spotlight SPOTLIGHT_BUILD_DEPENDS= tracker>=1.4.1:sysutils/tracker SPOTLIGHT_RUN_DEPENDS= tracker>=1.4.1:sysutils/tracker # ICU SPOTLIGHT_LIB_DEPENDS= libicuuc.so:devel/icu SPOTLIGHT_USES= bison gnome SPOTLIGHT_USE= gnome=glib20 SYSLOG_CONFIGURE_WITH= syslog UTMP_CONFIGURE_WITH= utmp ############################################################################## .include ############################################################################## .if !defined(WANT_EXP_MODULES) || empty(WANT_EXP_MODULES) WANT_EXP_MODULES= vfs_cacheprime .endif .if ${WANT_EXP_MODULES:Mvfs_snapper} # snapper needs dbus LIB_DEPENDS+= libdbus-1.so:devel/dbus LIB_DEPENDS+= libdbus-glib-1.so:devel/dbus-glib .endif SAMBA4_MODULES+= 
krb5_winbind_krb5_locator idmap_nss idmap_autorid \ idmap_rid idmap_hash idmap_tdb idmap_tdb2 idmap_script \ nss-info_hash # List of extra modules taken from RHEL build # https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=197320 .if ${PORT_OPTIONS:MADS} SAMBA4_MODULES+= idmap_ad idmap_rfc2307 nss-info_template \ nss-info_rfc2307 nss-info_sfu nss-info_sfu20 .endif # This kind of special for this distribution SAMBA4_MODULES+= vfs_freebsd SAMBA4_MODULES+= vfs_acl_tdb vfs_acl_xattr vfs_aio_fork vfs_aio_pthread \ vfs_audit vfs_cap vfs_catia vfs_commit vfs_crossrename \ vfs_default_quota vfs_dirsort vfs_expand_msdfs \ vfs_extd_audit vfs_fake_perms vfs_full_audit \ vfs_linux_xfs_sgid vfs_media_harmony vfs_offline \ vfs_preopen vfs_readahead vfs_readonly vfs_recycle \ vfs_shadow_copy vfs_shadow_copy2 vfs_shell_snap \ vfs_streams_depot vfs_streams_xattr vfs_syncops \ vfs_time_audit vfs_unityed_media vfs_virusfilter \ vfs_widelinks vfs_worm vfs_xattr_tdb vfs_zfsacl .if ${PORT_OPTIONS:MDEVELOPER} SAMBA4_MODULES+= auth_skel pdb_test gpext_security gpext_registry \ gpext_scripts perfcount_test vfs_fake_dfq \ vfs_skel_opaque vfs_skel_transparent \ vfs_shadow_copy_test vfs_fake_acls \ vfs_nfs4acl_xattr vfs_error_inject vfs_delay_inject .endif # Python bindings .if ! ${PORT_OPTIONS:MPYTHON3} || defined(NO_PYTHON) USES+= python:build,test CONFIGURE_ARGS+= --disable-python .else USES+= python:3.6+ PLIST+= ${PKGDIR}/pkg-plist.python # Don't cache Python modules CONFIGURE_ARGS+= --nopycache MAKE_ENV+= PYTHONDONTWRITEBYTECODE=1 . if defined(SAMBA4_BUNDLED_TALLOC) && ${SAMBA4_BUNDLED_TALLOC} == yes SAMBA4_BUNDLED_LIBS+= pytalloc-util . else SAMBA4_BUNDLED_LIBS+= !pytalloc-util . endif . if defined(SAMBA4_BUNDLED_TEVENT) && ${SAMBA4_BUNDLED_TEVENT} == yes SAMBA4_BUNDLED_LIBS+= pytevent . else SAMBA4_BUNDLED_LIBS+= !pytevent . endif . if defined(SAMBA4_BUNDLED_TDB) && ${SAMBA4_BUNDLED_TDB} == yes SAMBA4_BUNDLED_LIBS+= pytdb . else SAMBA4_BUNDLED_LIBS+= !pytdb . endif . 
if defined(SAMBA4_BUNDLED_LDB) && ${SAMBA4_BUNDLED_LDB} == yes SAMBA4_BUNDLED_LIBS+= pyldb pyldb-util . else SAMBA4_BUNDLED_LIBS+= !pyldb !pyldb-util . endif # samba-tool requires those for *upgrade . if ${PORT_OPTIONS:MAD_DC} RUN_DEPENDS+= ${PYTHON_PKGNAMEPREFIX}dnspython>=1.15.0:dns/py-dnspython@${PY_FLAVOR} RUN_DEPENDS+= ${PYTHON_PKGNAMEPREFIX}markdown>=2.6.11:textproc/py-markdown@${PY_FLAVOR} . if ${PORT_OPTIONS:MGPGME} RUN_DEPENDS+= ${PYTHON_PKGNAMEPREFIX}gpgme>=1.14.0:security/py-gpgme@${PY_FLAVOR} . endif . endif .endif .if defined(WANT_EXP_MODULES) && !empty(WANT_EXP_MODULES) SAMBA4_MODULES+= ${WANT_EXP_MODULES} .endif .if defined(SAMBA4_BUNDLED_LIBS) && !empty(SAMBA4_BUNDLED_LIBS) CONFIGURE_ARGS+= --bundled-libraries="${SAMBA4_BUNDLED_LIBS:Q:C|(\\\\ )+|,|g:S|\\||g}" .endif .if defined(SAMBA4_MODULES) && !empty(SAMBA4_MODULES) CONFIGURE_ARGS+= --with-shared-modules="${SAMBA4_MODULES:C|-|_|:Q:C|(\\\\ )+|,|g:S|\\||g}" .endif # XXX: Hack for nss-info_* -> nss_info/* modules # Add selected modules to the plist .for module in ${SAMBA4_MODULES} PLIST_FILES+= ${SAMBA4_MODULEDIR}/${module:C|_|/|:C|-|_|}.so .endfor .for module_class in ${SAMBA4_MODULES_CLASS} PLIST_DIRS+= ${SAMBA4_MODULEDIR}/${module_class} .endfor PLIST_DIRS+= ${SAMBA4_MODULEDIR} .if defined(WITH_DEBUG) CONFIGURE_ARGS+= --verbose --enable-debug MAKE_ARGS+= --verbose DEBUG_FLAGS?= -g -ggdb3 -O0 .endif ############################################################################## .include ############################################################################## # Implemented in the gcrypt on AMD64 .if ${ARCH} == "amd64" CONFIGURE_ARGS+= --accel-aes=intelaesni .else CONFIGURE_ARGS+= --accel-aes=none .endif # Only for 64-bit architectures .if ${ARCH} != armv6 && ${ARCH} != armv7 && ${ARCH} != i386 && ${ARCH} != mips && ${ARCH} != powerpc && ${ARCH} != powerpcspe . 
if defined(SAMBA4_BUNDLED_LDB) && ${SAMBA4_BUNDLED_LDB} == yes && (${PORT_OPTIONS:MAD_DC} || ${PORT_OPTIONS:MDEVELOPER}) # LMDB SAMBA4_LMDB_DEPENDS= lmdb>=0.9.16:databases/lmdb PLIST_FILES+= ${SAMBA4_LIBDIR}/private/libldb-mdb-int-samba4.so \ ${SAMBA4_MODULEDIR}/ldb/mdb.so . endif .endif .if ${PORT_OPTIONS:MGSSAPI_MIT} PLIST_FILES+= ${SAMBA4_MODULEDIR}/krb5/winbind_krb5_localauth.so \ man/man8/winbind_krb5_localauth.8.gz . if ${PORT_OPTIONS:MAD_DC} PLIST_FILES+= ${SAMBA4_LIBDIR}/krb5/plugins/kdb/samba.so . endif .endif # for libexecinfo: (so that __builtin_frame_address() finds the top of the stack) CFLAGS_amd64+= -fno-omit-frame-pointer # No fancy color error messages CONFIGURE_ENV+= NOCOLOR=yes WAF_LOG_FORMAT='%(c1)s%(zone)s%(c2)s %(message)s' MAKE_ENV+= NOCOLOR=yes WAF_LOG_FORMAT='%(c1)s%(zone)s%(c2)s %(message)s' .if ${CHOSEN_COMPILER_TYPE} == clang CFLAGS+= -fno-color-diagnostics .endif # Allow rpcgen to find proper CPP MAKE_ENV+= RPCGEN_CPP="${CPP}" #.if ${readline_ARGS} == port #CFLAGS+= -D_FUNCTION_DEF #.endif # Make sure that the right version of Python is used by the tools # https://bugzilla.samba.org/show_bug.cgi?id=7305 SHEBANG_FILES= ${PATCH_WRKSRC}/source4/scripting/bin/* ${PATCH_WRKSRC}/selftest/* SAMBA4_SUB= SAMBA4_LOGDIR="${SAMBA4_LOGDIR}" \ SAMBA4_RUNDIR="${SAMBA4_RUNDIR}" \ SAMBA4_LOCKDIR="${SAMBA4_LOCKDIR}" \ SAMBA4_LIBDIR="${SAMBA4_LIBDIR}" \ SAMBA4_MODULEDIR="${SAMBA4_MODULEDIR}" \ SAMBA4_BINDDNSDIR="${SAMBA4_BINDDNSDIR}" \ SAMBA4_PRIVATEDIR="${SAMBA4_PRIVATEDIR}" \ SAMBA4_CONFDIR="${SAMBA4_CONFDIR}" \ SAMBA4_CONFIG="${SAMBA4_CONFIG}" \ SAMBA4_SERVICES="${SAMBA4_SERVICES}" PLIST_SUB+= ${SAMBA4_SUB} SUB_LIST+= ${SAMBA4_SUB} USE_RC_SUBR= samba_server SUB_FILES= pkg-message README.FreeBSD PORTDOCS= README.FreeBSD post-extract: @${RM} -r ${WRKSRC}/pidl/lib/Parse/Yapp post-patch: @${REINPLACE_CMD} -e 's|$${PKGCONFIGDIR}|${PKGCONFIGDIR}|g' \ ${PATCH_WRKSRC}/buildtools/wafsamba/pkgconfig.py @${REINPLACE_CMD} -e 's|%%LOCALBASE%%|${LOCALBASE}|g' \ 
${PATCH_WRKSRC}/buildtools/wafsamba/wafsamba.py @${REINPLACE_CMD} -e 's|%%GDB_CMD%%|${GDB_CMD}|g' \ ${PATCH_WRKSRC}/buildtools/scripts/abi_gen.sh @${REINPLACE_CMD} -e 's|%%SAMBA4_CONFIG%%|${SAMBA4_CONFIG}|g' \ ${PATCH_WRKSRC}/dynconfig/wscript # Use threading (or multiprocessing) but not thread (renamed in python 3+). pre-configure: .if !${PORT_OPTIONS:MAD_DC} && ${PORT_OPTIONS:MNTVFS} @${ECHO_CMD}; \ ${ECHO_MSG} "===> NTVFS option requires AD_DC to be set"; \ ${ECHO_CMD}; \ ${FALSE} .endif .if (!${PORT_OPTIONS:MPYTHON3} || defined(NO_PYTHON)) && ${PORT_OPTIONS:MAD_DC} @${ECHO_CMD}; \ ${ECHO_MSG} "===> AD_DC option requires PYTHON3 to be set"; \ ${ECHO_CMD}; \ ${FALSE} .endif @if ! ${PYTHON_CMD} -c "import multiprocessing;" 2>/dev/null; then \ ${ECHO_CMD}; \ ${ECHO_MSG} "===> ${PKGNAME} "${IGNORE_NONTHREAD_PYTHON:Q}.; \ ${ECHO_CMD}; \ ${FALSE}; \ fi pre-build-MANDOC-off: ${MKDIR} ${BUILD_WRKSRC}/bin/default/docs-xml/ ${CP} -rp ${BUILD_WRKSRC}/docs/manpages ${BUILD_WRKSRC}/bin/default/docs-xml/ .for man in libcli/nbt/man/nmblookup4.1 \ librpc/tools/ndrdump.1 \ source4/lib/registry/man/regdiff.1 \ source4/lib/registry/man/regpatch.1 \ source4/lib/registry/man/regshell.1 \ source4/lib/registry/man/regtree.1 \ source4/scripting/man/samba-gpupdate.8 \ source4/torture/man/gentest.1 \ source4/torture/man/locktest.1 \ source4/torture/man/masktest.1 \ source4/torture/man/smbtorture.1 \ source4/utils/man/ntlm_auth4.1 \ source4/utils/oLschema2ldif/oLschema2ldif.1 \ lib/tdb/man/tdbdump.8 \ lib/tdb/man/tdbbackup.8 \ lib/tdb/man/tdbtool.8 \ lib/talloc/man/talloc.3 \ lib/tdb/man/tdbrestore.8 \ lib/ldb/man/ldbadd.1 \ lib/ldb/man/ldbsearch.1 \ lib/ldb/man/ldbmodify.1 \ lib/ldb/man/ldbrename.1 \ lib/ldb/man/ldbdel.1 \ lib/ldb/man/ldbedit.1 \ docs-xml/manpages/vfs_freebsd.8 ${MKDIR} `dirname ${BUILD_WRKSRC}/bin/default/${man}` ${INSTALL_MAN} ${FILESDIR}/man/`basename ${man}` ${BUILD_WRKSRC}/bin/default/${man} .endfor .if ${PORT_OPTIONS:MCLUSTER} ${MKDIR} 
${BUILD_WRKSRC}/bin/default/ctdb/ . for man in ctdb_diagnostics.1 ctdb.1 ctdbd_wrapper.1 ctdbd.1 ltdbtool.1 onnode.1 ping_pong.1 \ ctdb.conf.5 ctdb.sysconfig.5 ctdb-script.options.5 \ ctdb.7 ctdb-statistics.7 ctdb-tunables.7 ${INSTALL_MAN} ${FILESDIR}/man/${man} ${BUILD_WRKSRC}/bin/default/ctdb/ . endfor .endif post-install-rm-junk: ${RM} -r ${STAGEDIR}${PYTHON_SITELIBDIR}/samba/third_party ${FIND} ${STAGEDIR}${PYTHON_SITELIBDIR} -name __pycache__ \ -type d -print0 | ${XARGS} -0 -n 1 -t ${RM} -r post-install-fix-manpages: .for f in vfs_aio_linux.8 vfs_btrfs.8 vfs_ceph.8 vfs_gpfs.8 ${RM} ${STAGEDIR}${PREFIX}/man/man8/${f} .endfor .if defined(SAMBA4_BUNDLED_LDB) && ${SAMBA4_BUNDLED_LDB} == yes . for f in ldbadd.1 ldbdel.1 ldbedit.1 ldbmodify.1 ldbrename.1 ldbsearch.1 ${MV} ${STAGEDIR}${PREFIX}/man/man1/${f} ${STAGEDIR}${PREFIX}/man/man1/samba-${f} . endfor .endif .if defined(SAMBA4_BUNDLED_TDB) && ${SAMBA4_BUNDLED_TDB} == yes . for f in tdbbackup.8 tdbdump.8 tdbrestore.8 tdbtool.8 ${MV} ${STAGEDIR}${PREFIX}/man/man8/${f} ${STAGEDIR}${PREFIX}/man/man8/samba-${f} . 
endfor .endif post-install: post-install-rm-junk post-install-fix-manpages ${LN} -sf smb.conf.5.gz ${STAGEDIR}${PREFIX}/man/man5/smb4.conf.5.gz # Run post-install script .for dir in ${SAMBA4_LOGDIR} ${SAMBA4_RUNDIR} ${SAMBA4_LOCKDIR} ${SAMBA4_MODULEDIR} ${INSTALL} -d -m 0755 "${STAGEDIR}${dir}" .endfor ${INSTALL} -d -m 0750 "${STAGEDIR}${SAMBA4_BINDDNSDIR}" ${INSTALL} -d -m 0750 "${STAGEDIR}${SAMBA4_PRIVATEDIR}" .for module_class in ${SAMBA4_MODULES_CLASS} ${INSTALL} -d -m 0755 "${STAGEDIR}${SAMBA4_MODULEDIR}/${module_class}" .endfor .if !defined(WITH_DEBUG) -${FIND} ${STAGEDIR}${PREFIX}/bin ${STAGEDIR}${PREFIX}/sbin ${STAGEDIR}${PREFIX}/libexec \ -type f -print0 | ${XARGS} -0 -n 1 -t ${STRIP_CMD} -${FIND} ${STAGEDIR}${PREFIX}/lib -name '*.so*' \ -type f -print0 | ${XARGS} -0 -n 1 -t ${STRIP_CMD} .endif post-install-FRUIT-off: ${RM} ${STAGEDIR}${SAMBA4_MODULEDIR}/vfs/fruit.so ${RM} ${STAGEDIR}${PREFIX}/man/man8/vfs_fruit.8 post-install-DOCS-on: ${MKDIR} ${STAGEDIR}${DOCSDIR} .for doc in ${PORTDOCS} ${INSTALL_DATA} ${WRKDIR}/${doc} ${STAGEDIR}${DOCSDIR} .endfor post-install-CLUSTER-on: ${LN} -nfs ../../../../share/ctdb/events/legacy/00.ctdb.script ${STAGEDIR}${PREFIX}/etc/ctdb/events/legacy/00.ctdb.script ${LN} -nfs ../../../../share/ctdb/events/legacy/10.interface.script ${STAGEDIR}${PREFIX}/etc/ctdb/events/legacy/10.interface.script ${LN} -nfs ../../../../share/ctdb/events/legacy/05.system.script ${STAGEDIR}${PREFIX}/etc/ctdb/events/legacy/05.system.script ${LN} -nfs ../../../../share/ctdb/events/legacy/01.reclock.script ${STAGEDIR}${PREFIX}/etc/ctdb/events/legacy/01.reclock.script .include
diff --git a/net/samba413/files/0001-Compact-and-simplify-modules-build-and-config-genera.patch b/net/samba413/files/0001-Compact-and-simplify-modules-build-and-config-genera.patch
new file mode 100644
index 000000000000..a73d038290c0
--- /dev/null
+++ b/net/samba413/files/0001-Compact-and-simplify-modules-build-and-config-genera.patch
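Review bot: The new EXTRA_PATCHES entry applies `CVE-2022-3437-des3-overflow-v4a-4.12.patch` without recording what it fixes or which configuration it protects; the file name points at the DES3 GSSAPI unwrap overflow in the bundled Heimdal, which only matters with GSSAPI_BUILTIN, while GSSAPI_MIT builds against the system krb5 (`--with-system-mitkrb5`) and are not covered by this patch. A comment above the list, `# CVE-2022-3437: bundled Heimdal GSSAPI DES3 unwrap overflow (GSSAPI_BUILTIN only)`, would make that visible at the next version update. The patch is labelled for 4.12 while SAMBA4_VERSION is 4.13.17; since it is applied with `-p1` a non-applying hunk fails the patch stage rather than being skipped, so a clean patch log is the check that it actually landed. The other new patch rebuilds the DLZ modules as dlz_bind9_10 through dlz_bind9_18 and no longer produces dlz_bind9.so or dlz_bind9_9.so; if pkg-plist.ad_dc enumerates those .so files (not visible here), it needs a matching update in this same revision bump.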
@@ -0,0 +1,704 @@ +From 05e3cc236406680a55e19b204202b63cdaf48ea1 Mon Sep 17 00:00:00 2001 +From: "Timur I. Bakeyev" +Date: Mon, 1 Aug 2022 04:15:43 +0200 +Subject: [PATCH 01/28] Compact and simplify modules build and config + generation for Bind 9.x AD DLZ. + +Signed-off-by: Timur I. Bakeyev +--- + python/samba/provision/sambadns.py | 68 ++++++++++++------------------ + source4/dns_server/dlz_minimal.h | 44 +++++++++---------- + source4/dns_server/wscript_build | 62 +++------------------------ + source4/setup/named.conf.dlz | 25 +---------- + source4/torture/dns/wscript_build | 2 +- + 5 files changed, 55 insertions(+), 146 deletions(-) + +diff --git a/python/samba/provision/sambadns.py b/python/samba/provision/sambadns.py +index 404b346a885..8e5a8ba5f25 100644 +--- a/python/samba/provision/sambadns.py ++++ b/python/samba/provision/sambadns.py +@@ -21,6 +21,7 @@ + """DNS-related provisioning""" + + import os ++import re + import uuid + import shutil + import time +@@ -957,48 +958,37 @@ def create_named_conf(paths, realm, dnsdomain, dns_bac + stderr=subprocess.STDOUT, + cwd='.').communicate()[0] + bind_info = get_string(bind_info) +- bind9_8 = '#' +- bind9_9 = '#' +- bind9_10 = '#' +- bind9_11 = '#' +- bind9_12 = '#' +- bind9_14 = '#' +- bind9_16 = '#' +- if bind_info.upper().find('BIND 9.8') != -1: +- bind9_8 = '' +- elif bind_info.upper().find('BIND 9.9') != -1: +- bind9_9 = '' +- elif bind_info.upper().find('BIND 9.10') != -1: +- bind9_10 = '' +- elif bind_info.upper().find('BIND 9.11') != -1: +- bind9_11 = '' +- elif bind_info.upper().find('BIND 9.12') != -1: +- bind9_12 = '' +- elif bind_info.upper().find('BIND 9.14') != -1: +- bind9_14 = '' +- elif bind_info.upper().find('BIND 9.16') != -1: +- bind9_16 = '' +- elif bind_info.upper().find('BIND 9.7') != -1: +- raise ProvisioningError("DLZ option incompatible with BIND 9.7.") +- elif bind_info.upper().find('BIND_9.13') != -1: +- raise ProvisioningError("Only stable/esv releases of BIND are supported.") +- elif 
bind_info.upper().find('BIND_9.15') != -1: +- raise ProvisioningError("Only stable/esv releases of BIND are supported.") +- elif bind_info.upper().find('BIND_9.17') != -1: +- raise ProvisioningError("Only stable/esv releases of BIND are supported.") ++ bind9_release = re.search('BIND (9)\.(\d+)\.', bind_info, re.I) ++ if bind9_release: ++ bind9_disabled = '' ++ bind9_version = bind9_release.group(0) + "x" ++ bind9_version_major = int(bind9_release.group(1)) ++ bind9_version_minor = int(bind9_release.group(2)) ++ if bind9_version_minor == 7: ++ raise ProvisioningError("DLZ option incompatible with BIND 9.7.") ++ elif bind9_version_minor == 8: ++ bind9_dlz_version = "9" ++ elif bind9_version_minor in [13, 15, 17]: ++ raise ProvisioningError("Only stable/esv releases of BIND are supported.") ++ else: ++ bind9_dlz_version = "%d_%d" % (bind9_version_major, bind9_version_minor) + else: ++ bind9_disabled = '# ' ++ bind9_version = "BIND z.y.x" ++ bind9_dlz_version = "z_y" + logger.warning("BIND version unknown, please modify %s manually." 
% paths.namedconf) ++ ++ bind9_dlz = ( ++ ' # For %s\n' ++ ' %sdatabase "dlopen %s/bind9/dlz_bind%s.so";' ++ ) % ( ++ bind9_version, bind9_disabled, samba.param.modules_dir(), bind9_dlz_version ++ ) + setup_file(setup_path("named.conf.dlz"), paths.namedconf, { + "NAMED_CONF": paths.namedconf, + "MODULESDIR": samba.param.modules_dir(), +- "BIND9_8": bind9_8, +- "BIND9_9": bind9_9, +- "BIND9_10": bind9_10, +- "BIND9_11": bind9_11, +- "BIND9_12": bind9_12, +- "BIND9_14": bind9_14, +- "BIND9_16": bind9_16 +- }) ++ "BIND9_DLZ": bind9_dlz ++ }) + + + def create_named_txt(path, realm, dnsdomain, dnsname, binddns_dir, +diff --git a/source4/dns_server/dlz_minimal.h b/source4/dns_server/dlz_minimal.h +index b7e36e7f8e6..bbdb616deb2 100644 +--- a/source4/dns_server/dlz_minimal.h ++++ b/source4/dns_server/dlz_minimal.h +@@ -26,32 +26,31 @@ + #include + #include + +-#if defined (BIND_VERSION_9_8) +-# define DLZ_DLOPEN_VERSION 1 +-#elif defined (BIND_VERSION_9_9) +-# define DLZ_DLOPEN_VERSION 2 +-# define DNS_CLIENTINFO_VERSION 1 +-# define ISC_BOOLEAN_AS_BOOL 0 +-#elif defined (BIND_VERSION_9_10) +-# define DLZ_DLOPEN_VERSION 3 +-# define DNS_CLIENTINFO_VERSION 1 +-# define ISC_BOOLEAN_AS_BOOL 0 +-#elif defined (BIND_VERSION_9_11) +-# define DLZ_DLOPEN_VERSION 3 +-# define DNS_CLIENTINFO_VERSION 2 +-# define ISC_BOOLEAN_AS_BOOL 0 +-#elif defined (BIND_VERSION_9_12) +-# define DLZ_DLOPEN_VERSION 3 +-# define DNS_CLIENTINFO_VERSION 2 +-# define ISC_BOOLEAN_AS_BOOL 0 +-#elif defined (BIND_VERSION_9_14) +-# define DLZ_DLOPEN_VERSION 3 +-# define DNS_CLIENTINFO_VERSION 2 +-#elif defined (BIND_VERSION_9_16) +-# define DLZ_DLOPEN_VERSION 3 +-# define DNS_CLIENTINFO_VERSION 2 ++#if defined (BIND_VERSION) ++# if BIND_VERSION == 908 ++# define DLZ_DLOPEN_VERSION 1 ++# elif BIND_VERSION == 909 ++# define DLZ_DLOPEN_VERSION 2 ++# define DNS_CLIENTINFO_VERSION 1 ++# define ISC_BOOLEAN_AS_BOOL 0 ++# elif BIND_VERSION == 910 ++# define DLZ_DLOPEN_VERSION 3 ++# define DNS_CLIENTINFO_VERSION 1 
++# define ISC_BOOLEAN_AS_BOOL 0 ++# elif BIND_VERSION == 911 || BIND_VERSION == 912 ++# define DLZ_DLOPEN_VERSION 3 ++# define DNS_CLIENTINFO_VERSION 2 ++# define ISC_BOOLEAN_AS_BOOL 0 ++# elif BIND_VERSION >= 914 ++# define DLZ_DLOPEN_VERSION 3 ++# define DNS_CLIENTINFO_VERSION 2 ++# define ISC_BOOLEAN_AS_BOOL 1 ++# else ++# error Unsupported BIND version ++# endif + #else + # error Unsupported BIND version ++# error BIND_VERSION undefined + #endif + + #ifndef ISC_BOOLEAN_AS_BOOL +diff --git a/source4/dns_server/wscript_build b/source4/dns_server/wscript_build +index ab0a241b937..3743753504c 100644 +--- a/source4/dns_server/wscript_build ++++ b/source4/dns_server/wscript_build +@@ -18,79 +18,21 @@ bld.SAMBA_MODULE('service_dns', + ) + + # a bind9 dlz module giving access to the Samba DNS SAM +-bld.SAMBA_LIBRARY('dlz_bind9', ++for bind_version in (910, 911, 912, 914, 916, 918): ++ string_version='%d_%d' % (bind_version // 100, bind_version % 100) ++ bld.SAMBA_LIBRARY('dlz_bind%s' % (string_version), + source='dlz_bind9.c', +- cflags='-DBIND_VERSION_9_8', ++ cflags='-DBIND_VERSION=%d' % bind_version, + private_library=True, +- link_name='modules/bind9/dlz_bind9.so', +- realname='dlz_bind9.so', ++ link_name='modules/bind9/dlz_bind%s.so' % (string_version), ++ realname='dlz_bind%s.so' % (string_version), + install_path='${MODULESDIR}/bind9', + deps='samba-hostconfig samdb-common gensec popt dnsserver_common', + enabled=bld.AD_DC_BUILD_IS_ENABLED()) + +-bld.SAMBA_LIBRARY('dlz_bind9_9', +- source='dlz_bind9.c', +- cflags='-DBIND_VERSION_9_9', +- private_library=True, +- link_name='modules/bind9/dlz_bind9_9.so', +- realname='dlz_bind9_9.so', +- install_path='${MODULESDIR}/bind9', +- deps='samba-hostconfig samdb-common gensec popt dnsserver_common', +- enabled=bld.AD_DC_BUILD_IS_ENABLED()) +- +-bld.SAMBA_LIBRARY('dlz_bind9_10', +- source='dlz_bind9.c', +- cflags='-DBIND_VERSION_9_10', +- private_library=True, +- link_name='modules/bind9/dlz_bind9_10.so', +- 
realname='dlz_bind9_10.so', +- install_path='${MODULESDIR}/bind9', +- deps='samba-hostconfig samdb-common gensec popt dnsserver_common', +- enabled=bld.AD_DC_BUILD_IS_ENABLED()) +- +-bld.SAMBA_LIBRARY('dlz_bind9_11', +- source='dlz_bind9.c', +- cflags='-DBIND_VERSION_9_11', +- private_library=True, +- link_name='modules/bind9/dlz_bind9_11.so', +- realname='dlz_bind9_11.so', +- install_path='${MODULESDIR}/bind9', +- deps='samba-hostconfig samdb-common gensec popt dnsserver_common', +- enabled=bld.AD_DC_BUILD_IS_ENABLED()) +- +-bld.SAMBA_LIBRARY('dlz_bind9_12', +- source='dlz_bind9.c', +- cflags='-DBIND_VERSION_9_12', +- private_library=True, +- link_name='modules/bind9/dlz_bind9_12.so', +- realname='dlz_bind9_12.so', +- install_path='${MODULESDIR}/bind9', +- deps='samba-hostconfig samdb-common gensec popt dnsserver_common', +- enabled=bld.AD_DC_BUILD_IS_ENABLED()) +- +-bld.SAMBA_LIBRARY('dlz_bind9_14', +- source='dlz_bind9.c', +- cflags='-DBIND_VERSION_9_14', +- private_library=True, +- link_name='modules/bind9/dlz_bind9_14.so', +- realname='dlz_bind9_14.so', +- install_path='${MODULESDIR}/bind9', +- deps='samba-hostconfig samdb-common gensec popt dnsserver_common', +- enabled=bld.AD_DC_BUILD_IS_ENABLED()) +- +-bld.SAMBA_LIBRARY('dlz_bind9_16', +- source='dlz_bind9.c', +- cflags='-DBIND_VERSION_9_16', +- private_library=True, +- link_name='modules/bind9/dlz_bind9_16.so', +- realname='dlz_bind9_16.so', +- install_path='${MODULESDIR}/bind9', +- deps='samba-hostconfig samdb-common gensec popt dnsserver_common', +- enabled=bld.AD_DC_BUILD_IS_ENABLED()) +- + bld.SAMBA_LIBRARY('dlz_bind9_for_torture', + source='dlz_bind9.c', +- cflags='-DBIND_VERSION_9_8', ++ cflags='-DBIND_VERSION=918', + private_library=True, + deps='samba-hostconfig samdb-common gensec popt dnsserver_common', + enabled=bld.AD_DC_BUILD_IS_ENABLED()) +diff --git a/source4/setup/named.conf.dlz b/source4/setup/named.conf.dlz +index cbe7d805f58..32672768af4 100644 +--- a/source4/setup/named.conf.dlz ++++ 
b/source4/setup/named.conf.dlz +@@ -10,25 +10,6 @@ + # Uncomment only single database line, depending on your BIND version + # + dlz "AD DNS Zone" { +- # For BIND 9.8.x +- ${BIND9_8} database "dlopen ${MODULESDIR}/bind9/dlz_bind9.so"; +- +- # For BIND 9.9.x +- ${BIND9_9} database "dlopen ${MODULESDIR}/bind9/dlz_bind9_9.so"; +- +- # For BIND 9.10.x +- ${BIND9_10} database "dlopen ${MODULESDIR}/bind9/dlz_bind9_10.so"; +- +- # For BIND 9.11.x +- ${BIND9_11} database "dlopen ${MODULESDIR}/bind9/dlz_bind9_11.so"; +- +- # For BIND 9.12.x +- ${BIND9_12} database "dlopen ${MODULESDIR}/bind9/dlz_bind9_12.so"; +- +- # For BIND 9.14.x +- ${BIND9_14} database "dlopen ${MODULESDIR}/bind9/dlz_bind9_14.so"; +- +- # For BIND 9.16.x +- ${BIND9_16} database "dlopen ${MODULESDIR}/bind9/dlz_bind9_16.so"; ++${BIND9_DLZ} + }; + +diff --git a/source4/torture/dns/wscript_build b/source4/torture/dns/wscript_build +index 0b40e03e370..bf7415ff88a 100644 +--- a/source4/torture/dns/wscript_build ++++ b/source4/torture/dns/wscript_build +@@ -5,7 +5,7 @@ if bld.AD_DC_BUILD_IS_ENABLED(): + source='dlz_bind9.c', + subsystem='smbtorture', + init_function='torture_bind_dns_init', +- cflags='-DBIND_VERSION_9_8', ++ cflags='-DBIND_VERSION=918', + deps='torture talloc torturemain dlz_bind9_for_torture', + internal_module=True + ) +--- a/source4/torture/dns/dlz_bind9.c ++++ b/source4/torture/dns/dlz_bind9.c +@@ -19,6 +19,7 @@ + + #include "includes.h" + #include "torture/smbtorture.h" ++#include "system/network.h" + #include "dns_server/dlz_minimal.h" + #include + #include +@@ -88,7 +89,8 @@ static bool test_dlz_bind9_create(struct torture_conte + static bool calls_zone_hook = false; + + static isc_result_t dlz_bind9_writeable_zone_hook(dns_view_t *view, +- const char *zone_name) ++ dns_dlzdb_t *dlzdb, ++ const char *zone_name) + { + struct torture_context *tctx = talloc_get_type((void *)view, struct torture_context); + struct ldb_context *samdb = NULL; +@@ -128,7 +130,8 @@ static isc_result_t 
dlz_bind9_writeable_zone_hook(dns_ + + static bool test_dlz_bind9_configure(struct torture_context *tctx) + { +- void *dbdata; ++ void *dbdata = NULL; ++ dns_dlzdb_t *dlzdb = NULL; + const char *argv[] = { + "samba_dlz", + "-H", +@@ -143,7 +146,9 @@ static bool test_dlz_bind9_configure(struct torture_co + "Failed to create samba_dlz"); + + calls_zone_hook = false; +- torture_assert_int_equal(tctx, dlz_configure((void*)tctx, dbdata), ++ torture_assert_int_equal(tctx, dlz_configure((void*)tctx, ++ dlzdb, ++ dbdata), + ISC_R_SUCCESS, + "Failed to configure samba_dlz"); + +@@ -167,6 +172,7 @@ static bool configure_multiple_dlzs(struct torture_con + void **dbdata, int count) + { + int i, res; ++ dns_dlzdb_t *dlzdb = NULL; + const char *argv[] = { + "samba_dlz", + "-H", +@@ -183,7 +189,7 @@ static bool configure_multiple_dlzs(struct torture_con + torture_assert_int_equal(tctx, res, ISC_R_SUCCESS, + "Failed to create samba_dlz"); + +- res = dlz_configure((void*)tctx, dbdata[i]); ++ res = dlz_configure((void*)tctx, dlzdb, dbdata[i]); + torture_assert_int_equal(tctx, res, ISC_R_SUCCESS, + "Failed to configure samba_dlz"); + } +@@ -195,9 +201,14 @@ static bool test_dlz_bind9_destroy_oldest_first(struct + { + void *dbdata[NUM_DLZS_TO_CONFIGURE]; + int i; ++ bool ret = configure_multiple_dlzs(tctx, ++ dbdata, ++ NUM_DLZS_TO_CONFIGURE); ++ if (ret == false) { ++ /* failure: has already been printed */ ++ return false; ++ } + +- configure_multiple_dlzs(tctx, dbdata, NUM_DLZS_TO_CONFIGURE); +- + /* Reload faults are reported to happen on the first destroy */ + dlz_destroy(dbdata[0]); + +@@ -212,9 +223,14 @@ static bool test_dlz_bind9_destroy_newest_first(struct + { + void *dbdata[NUM_DLZS_TO_CONFIGURE]; + int i; ++ bool ret = configure_multiple_dlzs(tctx, ++ dbdata, ++ NUM_DLZS_TO_CONFIGURE); ++ if (ret == false) { ++ /* failure: has already been printed */ ++ return false; ++ } + +- configure_multiple_dlzs(tctx, dbdata, NUM_DLZS_TO_CONFIGURE); +- + for(i = NUM_DLZS_TO_CONFIGURE 
- 1; i >= 0; i--) { + dlz_destroy(dbdata[i]); + } +@@ -229,6 +245,7 @@ static bool test_dlz_bind9_destroy_newest_first(struct + static bool test_dlz_bind9_gensec(struct torture_context *tctx, const char *mech) + { + NTSTATUS status; ++ dns_dlzdb_t *dlzdb = NULL; + + struct gensec_security *gensec_client_context; + +@@ -248,7 +265,8 @@ static bool test_dlz_bind9_gensec(struct torture_conte + ISC_R_SUCCESS, + "Failed to create samba_dlz"); + +- torture_assert_int_equal(tctx, dlz_configure((void*)tctx, dbdata), ++ torture_assert_int_equal(tctx, dlz_configure((void*)tctx, ++ dlzdb, dbdata), + ISC_R_SUCCESS, + "Failed to configure samba_dlz"); + +@@ -273,6 +291,7 @@ static bool test_dlz_bind9_gensec(struct torture_conte + popt_get_cmdline_credentials()); + torture_assert_ntstatus_ok(tctx, status, "gensec_set_credentials (client) failed"); + ++ + status = gensec_start_mech_by_sasl_name(gensec_client_context, mech); + torture_assert_ntstatus_ok(tctx, status, "gensec_start_mech_by_sasl_name (client) failed"); + +@@ -414,7 +433,10 @@ static isc_result_t dlz_bind9_putnamedrr_hook(dns_sdlz + static bool test_dlz_bind9_lookup(struct torture_context *tctx) + { + size_t i; +- void *dbdata; ++ void *dbdata = NULL; ++ dns_clientinfomethods_t *methods = NULL; ++ dns_clientinfo_t *clientinfo = NULL; ++ dns_dlzdb_t *dlzdb = NULL; + const char *argv[] = { + "samba_dlz", + "-H", +@@ -434,8 +456,9 @@ static bool test_dlz_bind9_lookup(struct torture_conte + ISC_R_SUCCESS, + "Failed to create samba_dlz"); + +- torture_assert_int_equal(tctx, dlz_configure((void*)tctx, dbdata), +- ISC_R_SUCCESS, ++ torture_assert_int_equal(tctx, ++ dlz_configure((void*)tctx, dlzdb, dbdata), ++ ISC_R_SUCCESS, + "Failed to configure samba_dlz"); + + expected1 = talloc_zero(tctx, struct test_expected_rr); +@@ -478,7 +501,8 @@ static bool test_dlz_bind9_lookup(struct torture_conte + + torture_assert_int_equal(tctx, dlz_lookup(lpcfg_dnsdomain(tctx->lp_ctx), + expected1->query_name, dbdata, +- (dns_sdlzlookup_t 
*)expected1), ++ (dns_sdlzlookup_t *)expected1, ++ methods, clientinfo), + ISC_R_SUCCESS, + "Failed to lookup @"); + for (i = 0; i < expected1->num_records; i++) { +@@ -514,7 +538,8 @@ static bool test_dlz_bind9_lookup(struct torture_conte + + torture_assert_int_equal(tctx, dlz_lookup(lpcfg_dnsdomain(tctx->lp_ctx), + expected2->query_name, dbdata, +- (dns_sdlzlookup_t *)expected2), ++ (dns_sdlzlookup_t *)expected2, ++ methods, clientinfo), + ISC_R_SUCCESS, + "Failed to lookup hostname"); + for (i = 0; i < expected2->num_records; i++) { +@@ -539,7 +564,8 @@ static bool test_dlz_bind9_lookup(struct torture_conte + static bool test_dlz_bind9_zonedump(struct torture_context *tctx) + { + size_t i; +- void *dbdata; ++ void *dbdata = NULL; ++ dns_dlzdb_t *dlzdb = NULL; + const char *argv[] = { + "samba_dlz", + "-H", +@@ -558,7 +584,7 @@ static bool test_dlz_bind9_zonedump(struct torture_con + ISC_R_SUCCESS, + "Failed to create samba_dlz"); + +- torture_assert_int_equal(tctx, dlz_configure((void*)tctx, dbdata), ++ torture_assert_int_equal(tctx, dlz_configure((void*)tctx, dlzdb, dbdata), + ISC_R_SUCCESS, + "Failed to configure samba_dlz"); + +@@ -650,7 +676,8 @@ static bool test_dlz_bind9_update01(struct torture_con + NTSTATUS status; + struct gensec_security *gensec_client_context; + DATA_BLOB client_to_server, server_to_client; +- void *dbdata; ++ void *dbdata = NULL; ++ dns_dlzdb_t *dlzdb = NULL; + void *version = NULL; + const char *argv[] = { + "samba_dlz", +@@ -664,6 +691,8 @@ static bool test_dlz_bind9_update01(struct torture_con + char *data1 = NULL; + char *data2 = NULL; + bool ret = false; ++ dns_clientinfomethods_t *methods = NULL; ++ dns_clientinfo_t *clientinfo = NULL; + + tctx_static = tctx; + torture_assert_int_equal(tctx, dlz_create("samba_dlz", 3, argv, &dbdata, +@@ -675,7 +704,7 @@ static bool test_dlz_bind9_update01(struct torture_con + ISC_R_SUCCESS, + "Failed to create samba_dlz"); + +- torture_assert_int_equal(tctx, dlz_configure((void*)tctx, dbdata), 
++ torture_assert_int_equal(tctx, dlz_configure((void*)tctx, dlzdb, dbdata), + ISC_R_SUCCESS, + "Failed to configure samba_dlz"); + +@@ -813,7 +842,8 @@ static bool test_dlz_bind9_update01(struct torture_con + expected1->records[1].printed = false; + torture_assert_int_equal(tctx, dlz_lookup(lpcfg_dnsdomain(tctx->lp_ctx), + expected1->query_name, dbdata, +- (dns_sdlzlookup_t *)expected1), ++ (dns_sdlzlookup_t *)expected1, ++ methods, clientinfo), + ISC_R_NOTFOUND, + "Found hostname"); + torture_assert_int_equal(tctx, expected1->num_rr, 0, +@@ -863,7 +893,8 @@ static bool test_dlz_bind9_update01(struct torture_con + expected1->records[1].printed = false; + torture_assert_int_equal(tctx, dlz_lookup(lpcfg_dnsdomain(tctx->lp_ctx), + expected1->query_name, dbdata, +- (dns_sdlzlookup_t *)expected1), ++ (dns_sdlzlookup_t *)expected1, ++ methods, clientinfo), + ISC_R_SUCCESS, + "Not found hostname"); + torture_assert(tctx, expected1->records[0].printed, +@@ -892,7 +923,8 @@ static bool test_dlz_bind9_update01(struct torture_con + expected1->records[1].printed = false; + torture_assert_int_equal(tctx, dlz_lookup(lpcfg_dnsdomain(tctx->lp_ctx), + expected1->query_name, dbdata, +- (dns_sdlzlookup_t *)expected1), ++ (dns_sdlzlookup_t *)expected1, ++ methods, clientinfo), + ISC_R_SUCCESS, + "Not found hostname"); + torture_assert(tctx, expected1->records[0].printed, +@@ -926,7 +958,8 @@ static bool test_dlz_bind9_update01(struct torture_con + expected1->records[1].printed = false; + torture_assert_int_equal(tctx, dlz_lookup(lpcfg_dnsdomain(tctx->lp_ctx), + expected1->query_name, dbdata, +- (dns_sdlzlookup_t *)expected1), ++ (dns_sdlzlookup_t *)expected1, ++ methods, clientinfo), + ISC_R_SUCCESS, + "Not found hostname"); + torture_assert(tctx, expected1->records[0].printed, +@@ -960,7 +993,8 @@ static bool test_dlz_bind9_update01(struct torture_con + expected1->records[1].printed = false; + torture_assert_int_equal(tctx, dlz_lookup(lpcfg_dnsdomain(tctx->lp_ctx), + 
expected1->query_name, dbdata, +- (dns_sdlzlookup_t *)expected1), ++ (dns_sdlzlookup_t *)expected1, ++ methods, clientinfo), + ISC_R_SUCCESS, + "Not found hostname"); + torture_assert(tctx, expected1->records[1].printed, +@@ -989,7 +1023,8 @@ static bool test_dlz_bind9_update01(struct torture_con + expected1->records[1].printed = false; + torture_assert_int_equal(tctx, dlz_lookup(lpcfg_dnsdomain(tctx->lp_ctx), + expected1->query_name, dbdata, +- (dns_sdlzlookup_t *)expected1), ++ (dns_sdlzlookup_t *)expected1, ++ methods, clientinfo), + ISC_R_NOTFOUND, + "Found hostname"); + torture_assert_int_equal(tctx, expected1->num_rr, 0, +@@ -1013,7 +1048,8 @@ static bool test_dlz_bind9_update01(struct torture_con + expected1->records[1].printed = false; + torture_assert_int_equal(tctx, dlz_lookup(lpcfg_dnsdomain(tctx->lp_ctx), + expected1->query_name, dbdata, +- (dns_sdlzlookup_t *)expected1), ++ (dns_sdlzlookup_t *)expected1, ++ methods, clientinfo), + ISC_R_SUCCESS, + "Not found hostname"); + torture_assert(tctx, expected1->records[0].printed, +@@ -1042,7 +1078,8 @@ static bool test_dlz_bind9_update01(struct torture_con + expected1->records[1].printed = false; + torture_assert_int_equal(tctx, dlz_lookup(lpcfg_dnsdomain(tctx->lp_ctx), + expected1->query_name, dbdata, +- (dns_sdlzlookup_t *)expected1), ++ (dns_sdlzlookup_t *)expected1, ++ methods, clientinfo), + ISC_R_SUCCESS, + "Not found hostname"); + torture_assert(tctx, expected1->records[0].printed, +@@ -1076,7 +1113,8 @@ static bool test_dlz_bind9_update01(struct torture_con + expected1->records[1].printed = false; + torture_assert_int_equal(tctx, dlz_lookup(lpcfg_dnsdomain(tctx->lp_ctx), + expected1->query_name, dbdata, +- (dns_sdlzlookup_t *)expected1), ++ (dns_sdlzlookup_t *)expected1, ++ methods, clientinfo), + ISC_R_SUCCESS, + "Not found hostname"); + torture_assert(tctx, expected1->records[0].printed, +@@ -1110,7 +1148,8 @@ static bool test_dlz_bind9_update01(struct torture_con + expected1->records[1].printed = 
false; + torture_assert_int_equal(tctx, dlz_lookup(lpcfg_dnsdomain(tctx->lp_ctx), + expected1->query_name, dbdata, +- (dns_sdlzlookup_t *)expected1), ++ (dns_sdlzlookup_t *)expected1, ++ methods, clientinfo), + ISC_R_SUCCESS, + "Not found hostname"); + torture_assert(tctx, expected1->records[0].printed, +@@ -1146,7 +1185,8 @@ static bool test_dlz_bind9_update01(struct torture_con + expected1->records[1].printed = false; + torture_assert_int_equal(tctx, dlz_lookup(lpcfg_dnsdomain(tctx->lp_ctx), + expected1->query_name, dbdata, +- (dns_sdlzlookup_t *)expected1), ++ (dns_sdlzlookup_t *)expected1, ++ methods, clientinfo), + ISC_R_NOTFOUND, + "Found hostname"); + torture_assert_int_equal(tctx, expected1->num_rr, 0, +@@ -1161,6 +1201,76 @@ cancel_version: + return ret; + } + ++/* ++ * Test zone transfer requests restrictions ++ * ++ * 1: test that zone transfer is denied by default ++ * 2: with an authorized list of IPs set in smb.conf, test that zone transfer ++ * is accepted only for selected IPs. 
++ */ ++static bool test_dlz_bind9_allowzonexfr(struct torture_context *tctx) ++{ ++ void *dbdata; ++ const char *argv[] = { ++ "samba_dlz", ++ "-H", ++ test_dlz_bind9_binddns_dir(tctx, "dns/sam.ldb"), ++ NULL ++ }; ++ isc_result_t ret; ++ dns_dlzdb_t *dlzdb = NULL; ++ bool ok; ++ ++ tctx_static = tctx; ++ torture_assert_int_equal(tctx, dlz_create("samba_dlz", 3, argv, &dbdata, ++ "log", dlz_bind9_log_wrapper, ++ "writeable_zone", dlz_bind9_writeable_zone_hook, ++ "putrr", dlz_bind9_putrr_hook, ++ "putnamedrr", dlz_bind9_putnamedrr_hook, ++ NULL), ++ ISC_R_SUCCESS, ++ "Failed to create samba_dlz"); ++ ++ torture_assert_int_equal(tctx, dlz_configure((void*)tctx, dlzdb, dbdata), ++ ISC_R_SUCCESS, ++ "Failed to configure samba_dlz"); ++ ++ /* Ask for zone transfer with no specific config => expect denied */ ++ ret = dlz_allowzonexfr(dbdata, lpcfg_dnsdomain(tctx->lp_ctx), "127.0.0.1"); ++ torture_assert_int_equal(tctx, ret, ISC_R_NOPERM, ++ "Zone transfer accepted with default settings"); ++ ++ /* Ask for zone transfer with authorizations set */ ++ ok = lpcfg_set_option(tctx->lp_ctx, "dns zone transfer clients allow=127.0.0.1,1234:5678::1,192.168.0."); ++ torture_assert(tctx, ok, "Failed to set dns zone transfer clients allow option."); ++ ++ ok = lpcfg_set_option(tctx->lp_ctx, "dns zone transfer clients deny=192.168.0.2"); ++ torture_assert(tctx, ok, "Failed to set dns zone transfer clients deny option."); ++ ++ ret = dlz_allowzonexfr(dbdata, lpcfg_dnsdomain(tctx->lp_ctx), "127.0.0.1"); ++ torture_assert_int_equal(tctx, ret, ISC_R_SUCCESS, ++ "Zone transfer refused for authorized IPv4 address"); ++ ++ ret = dlz_allowzonexfr(dbdata, lpcfg_dnsdomain(tctx->lp_ctx), "1234:5678::1"); ++ torture_assert_int_equal(tctx, ret, ISC_R_SUCCESS, ++ "Zone transfer refused for authorized IPv6 address."); ++ ++ ret = dlz_allowzonexfr(dbdata, lpcfg_dnsdomain(tctx->lp_ctx), "10.0.0.1"); ++ torture_assert_int_equal(tctx, ret, ISC_R_NOPERM, ++ "Zone transfer accepted for unauthorized 
IP"); ++ ++ ret = dlz_allowzonexfr(dbdata, lpcfg_dnsdomain(tctx->lp_ctx), "192.168.0.1"); ++ torture_assert_int_equal(tctx, ret, ISC_R_SUCCESS, ++ "Zone transfer refused for address in authorized IPv4 subnet."); ++ ++ ret = dlz_allowzonexfr(dbdata, lpcfg_dnsdomain(tctx->lp_ctx), "192.168.0.2"); ++ torture_assert_int_equal(tctx, ret, ISC_R_NOPERM, ++ "Zone transfer allowed for denied client."); ++ ++ dlz_destroy(dbdata); ++ return true; ++} ++ + static struct torture_suite *dlz_bind9_suite(TALLOC_CTX *ctx) + { + struct torture_suite *suite = torture_suite_create(ctx, "dlz_bind9"); +@@ -1182,6 +1292,7 @@ static struct torture_suite *dlz_bind9_suite(TALLOC_CT + torture_suite_add_simple_test(suite, "lookup", test_dlz_bind9_lookup); + torture_suite_add_simple_test(suite, "zonedump", test_dlz_bind9_zonedump); + torture_suite_add_simple_test(suite, "update01", test_dlz_bind9_update01); ++ torture_suite_add_simple_test(suite, "allowzonexfr", test_dlz_bind9_allowzonexfr); + return suite; + } + +-- +2.37.1 + diff --git a/net/samba413/files/CVE-2022-3437-des3-overflow-v4a-4.12.patch b/net/samba413/files/CVE-2022-3437-des3-overflow-v4a-4.12.patch new file mode 100644 index 000000000000..1d1a538a9cbd --- /dev/null +++ b/net/samba413/files/CVE-2022-3437-des3-overflow-v4a-4.12.patch 
@@ -0,0 +1,1897 @@ +From e63b31932441b6213ace55f4e627d098682965c3 Mon Sep 17 00:00:00 2001 +From: Joseph Sutton +Date: Wed, 12 Oct 2022 13:56:08 +1300 +Subject: [PATCH 01/11] CVE-2022-3437 source4/heimdal: Remove __func__ + compatibility workaround + +As described by the C standard, __func__ is a variable, not a macro. +Hence this #ifndef check does not work as intended, and only serves to +unconditionally disable __func__. A nonoperating __func__ prevents +cmocka operating correctly, so remove this definition. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15134 + +Signed-off-by: Joseph Sutton +Reviewed-by: Andrew Bartlett +--- + source4/heimdal/lib/krb5/krb5_locl.h | 4 ---- + 1 file changed, 4 deletions(-) + +diff --git a/source4/heimdal/lib/krb5/krb5_locl.h b/source4/heimdal/lib/krb5/krb5_locl.h +index 49c614d5efe..d3360c556ce 100644 +--- a/source4/heimdal/lib/krb5/krb5_locl.h ++++ b/source4/heimdal/lib/krb5/krb5_locl.h +@@ -188,10 +188,6 @@ struct _krb5_krb_auth_data; + #define ALLOC(X, N) (X) = calloc((N), sizeof(*(X))) + #define ALLOC_SEQ(X, N) do { (X)->len = (N); ALLOC((X)->val, (N)); } while(0) + +-#ifndef __func__ +-#define __func__ "unknown-function" +-#endif +- + #define krb5_einval(context, argnum) _krb5_einval((context), __func__, (argnum)) + + #ifndef PATH_SEP +-- +2.25.1 + + +From f11ebd82b4b6e04433907a8fe15d0a8df11fac8a Mon Sep 17 00:00:00 2001 +From: Joseph Sutton +Date: Wed, 12 Oct 2022 13:55:51 +1300 +Subject: [PATCH 02/11] CVE-2022-3437 source4/heimdal_build: Add + gssapi-subsystem subsystem + +This allows us to access (and so test) functions internal to GSSAPI by +depending on this subsystem. 
+ +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15134 + +Signed-off-by: Joseph Sutton +Reviewed-by: Andrew Bartlett + +[jsutton@samba.org Adapted to older wscript_build file] +--- + source4/heimdal_build/wscript_build | 14 ++++++++++---- + 1 file changed, 10 insertions(+), 4 deletions(-) + +diff --git a/source4/heimdal_build/wscript_build b/source4/heimdal_build/wscript_build +index f151788dcfd..396656e0727 100644 +--- a/source4/heimdal_build/wscript_build ++++ b/source4/heimdal_build/wscript_build +@@ -556,8 +556,8 @@ if not bld.CONFIG_SET("USING_SYSTEM_GSSAPI"): + HEIMDAL_AUTOPROTO_PRIVATE('lib/gssapi/krb5/gsskrb5-private.h', + HEIMDAL_GSSAPI_KRB5_SOURCE) + +- HEIMDAL_LIBRARY('gssapi', +- HEIMDAL_GSSAPI_SPNEGO_SOURCE + HEIMDAL_GSSAPI_KRB5_SOURCE + ''' ++ HEIMDAL_SUBSYSTEM('gssapi-subsystem', ++ HEIMDAL_GSSAPI_SPNEGO_SOURCE + HEIMDAL_GSSAPI_KRB5_SOURCE + ''' + lib/gssapi/mech/context.c lib/gssapi/mech/gss_krb5.c lib/gssapi/mech/gss_mech_switch.c + lib/gssapi/mech/gss_process_context_token.c lib/gssapi/mech/gss_buffer_set.c + lib/gssapi/mech/gss_aeap.c lib/gssapi/mech/gss_add_cred.c lib/gssapi/mech/gss_cred.c +@@ -582,10 +582,16 @@ if not bld.CONFIG_SET("USING_SYSTEM_GSSAPI"): + lib/gssapi/mech/gss_set_cred_option.c lib/gssapi/mech/gss_pseudo_random.c ../heimdal_build/gssapi-glue.c''', + includes='../heimdal/lib/gssapi ../heimdal/lib/gssapi/gssapi ../heimdal/lib/gssapi/spnego ../heimdal/lib/gssapi/krb5 ../heimdal/lib/gssapi/mech', + deps='hcrypto asn1 HEIMDAL_SPNEGO_ASN1 HEIMDAL_GSSAPI_ASN1 roken krb5 com_err wind', +- vnum='2.0.0', +- version_script='lib/gssapi/version-script.map', + ) + ++ HEIMDAL_LIBRARY('gssapi', ++ '', ++ includes='../heimdal/lib/gssapi ../heimdal/lib/gssapi/gssapi ../heimdal/lib/gssapi/spnego ../heimdal/lib/gssapi/krb5 ../heimdal/lib/gssapi/mech', ++ deps='gssapi-subsystem', ++ vnum='2.0.0', ++ version_script='lib/gssapi/version-script.map', ++ ) ++ + if not bld.CONFIG_SET("USING_SYSTEM_KRB5"): + # expand_path.c needs some of the install 
paths + HEIMDAL_SUBSYSTEM('HEIMDAL_CONFIG', +-- +2.25.1 + + +From 04e71e8e5398f42c329db2a9a51c7f76a62a18b0 Mon Sep 17 00:00:00 2001 +From: Joseph Sutton +Date: Wed, 12 Oct 2022 13:55:39 +1300 +Subject: [PATCH 03/11] CVE-2022-3437 s4/auth/tests: Add unit tests for + unwrap_des3() + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15134 + +Signed-off-by: Joseph Sutton +Reviewed-by: Andrew Bartlett +[jsutton@samba.org Adapted to lack of 'samba.unittests.auth.sam' test, + renamed 'third_party' to 'source4' in paths, defined + HEIMDAL_NORETURN_ATTRIBUTE and HEIMDAL_PRINTF_ATTRIBUTE to fix compiler + error] +[abartlet@samba.org backported to 4.12 required fixing merge conflicts + in wscript_build subsystem conversion (different deps) and tests.py test addition + (unrelated changes in context)] +--- + selftest/knownfail.d/heimdal-des-overflow | 9 + + selftest/tests.py | 5 + + source4/auth/tests/heimdal_unwrap_des.c | 1247 +++++++++++++++++++++ + source4/auth/wscript_build | 21 + + 4 files changed, 1282 insertions(+) + create mode 100644 selftest/knownfail.d/heimdal-des-overflow + create mode 100644 source4/auth/tests/heimdal_unwrap_des.c + +diff --git a/selftest/knownfail.d/heimdal-des-overflow b/selftest/knownfail.d/heimdal-des-overflow +new file mode 100644 +index 00000000000..23acbb43d31 +--- /dev/null ++++ b/selftest/knownfail.d/heimdal-des-overflow +@@ -0,0 +1,9 @@ ++^samba.unittests.auth.heimdal_gensec_unwrap_des.test_unwrap_dce_style_missing_payload.none ++^samba.unittests.auth.heimdal_gensec_unwrap_des.test_unwrap_dce_style_with_seal_missing_payload.none ++^samba.unittests.auth.heimdal_gensec_unwrap_des.test_unwrap_missing_8_bytes.none ++^samba.unittests.auth.heimdal_gensec_unwrap_des.test_unwrap_missing_payload.none ++^samba.unittests.auth.heimdal_gensec_unwrap_des.test_unwrap_truncated_header_0.none ++^samba.unittests.auth.heimdal_gensec_unwrap_des.test_unwrap_truncated_header_1.none 
++^samba.unittests.auth.heimdal_gensec_unwrap_des.test_unwrap_with_padding_truncated_0.none ++^samba.unittests.auth.heimdal_gensec_unwrap_des.test_unwrap_with_padding_truncated_1.none ++^samba.unittests.auth.heimdal_gensec_unwrap_des.test_unwrap_with_seal_missing_payload.none +diff --git a/selftest/tests.py b/selftest/tests.py +index 10648b19155..721c36ae4c3 100644 +--- a/selftest/tests.py ++++ b/selftest/tests.py +@@ -46,6 +46,8 @@ have_man_pages_support = ("XSLTPROC_MANPAGES" in config_hash) + with_pam = ("WITH_PAM" in config_hash) + pam_wrapper_so_path = config_hash["LIBPAM_WRAPPER_SO_PATH"] + pam_set_items_so_path = config_hash["PAM_SET_ITEMS_SO_PATH"] ++have_heimdal_support = "SAMBA4_USES_HEIMDAL" in config_hash ++using_system_gssapi = "USING_SYSTEM_GSSAPI" in config_hash + + planpythontestsuite("none", "samba.tests.source") + if have_man_pages_support: +@@ -409,5 +411,8 @@ plantestsuite("samba.unittests.test_registry_regfio", "none", + [os.path.join(bindir(), "default/source3/test_registry_regfio")]) + plantestsuite("samba.unittests.test_oLschema2ldif", "none", + [os.path.join(bindir(), "default/source4/utils/oLschema2ldif/test_oLschema2ldif")]) ++if have_heimdal_support and not using_system_gssapi: ++ plantestsuite("samba.unittests.auth.heimdal_gensec_unwrap_des", "none", ++ [valgrindify(os.path.join(bindir(), "test_heimdal_gensec_unwrap_des"))]) + plantestsuite("samba.unittests.mdsparser_es", "none", + [os.path.join(bindir(), "default/source3/test_mdsparser_es")] + [configuration]) +diff --git a/source4/auth/tests/heimdal_unwrap_des.c b/source4/auth/tests/heimdal_unwrap_des.c +new file mode 100644 +index 00000000000..dc31e9d0ad1 +--- /dev/null ++++ b/source4/auth/tests/heimdal_unwrap_des.c +@@ -0,0 +1,1247 @@ ++/* ++ * Unit tests for source4/heimdal/lib/gssapi/krb5/unwrap.c ++ * ++ * Copyright (C) Catalyst.NET Ltd 2022 ++ * ++ * This program is free software; you can redistribute it and/or modify ++ * it under the terms of the GNU General Public License as 
published by ++ * the Free Software Foundation; either version 3 of the License, or ++ * (at your option) any later version. ++ * ++ * This program is distributed in the hope that it will be useful, ++ * but WITHOUT ANY WARRANTY; without even the implied warranty of ++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++ * GNU General Public License for more details. ++ * ++ * You should have received a copy of the GNU General Public License ++ * along with this program. If not, see . ++ * ++ */ ++ ++/* ++ * from cmocka.c: ++ * These headers or their equivalents should be included prior to ++ * including ++ * this header file. ++ * ++ * #include ++ * #include ++ * #include ++ * ++ * This allows test applications to use custom definitions of C standard ++ * library functions and types. ++ * ++ */ ++ ++#include ++#include ++#include ++ ++#include ++ ++#include "includes.h" ++#include "replace.h" ++ ++#define HEIMDAL_NORETURN_ATTRIBUTE _NORETURN_ ++#define HEIMDAL_PRINTF_ATTRIBUTE(x) FORMAT_ATTRIBUTE(x) ++ ++#include "../../../source4/heimdal/lib/gssapi/gssapi/gssapi.h" ++#include "gsskrb5_locl.h" ++ ++/****************************************************************************** ++ * Helper functions ++ ******************************************************************************/ ++ ++const uint8_t *valid_range_begin; ++const uint8_t *valid_range_end; ++const uint8_t *invalid_range_end; ++ ++/* ++ * 'array_len' is the size of the passed in array. 'buffer_len' is the size to ++ * report in the resulting buffer. ++ */ ++static const gss_buffer_desc get_input_buffer(TALLOC_CTX *mem_ctx, ++ const uint8_t array[], ++ const size_t array_len, ++ const size_t buffer_len) ++{ ++ gss_buffer_desc buf; ++ ++ /* Add some padding to catch invalid memory accesses. 
*/ ++ const size_t padding = 0x100; ++ const size_t padded_len = array_len + padding; ++ ++ uint8_t *data = talloc_size(mem_ctx, padded_len); ++ assert_non_null(data); ++ ++ memcpy(data, array, array_len); ++ memset(data + array_len, 0, padding); ++ ++ assert_in_range(buffer_len, 0, array_len); ++ ++ buf.value = data; ++ buf.length = buffer_len; ++ ++ valid_range_begin = buf.value; ++ valid_range_end = valid_range_begin + buf.length; ++ invalid_range_end = valid_range_begin + padded_len; ++ ++ return buf; ++} ++ ++static void assert_mem_in_valid_range(const uint8_t *ptr, const size_t len) ++{ ++ /* Ensure we've set up the range pointers properly. */ ++ assert_non_null(valid_range_begin); ++ assert_non_null(valid_range_end); ++ assert_non_null(invalid_range_end); ++ ++ /* ++ * Ensure the length isn't excessively large (a symptom of integer ++ * underflow). ++ */ ++ assert_in_range(len, 0, 0x1000); ++ ++ /* Ensure the memory is in our valid range. */ ++ assert_in_range(ptr, valid_range_begin, valid_range_end); ++ assert_in_range(ptr + len, valid_range_begin, valid_range_end); ++} ++ ++/* ++ * This function takes a pointer to volatile to allow it to be called from the ++ * ct_memcmp() wrapper. ++ */ ++static void assert_mem_outside_invalid_range(const volatile uint8_t *ptr, ++ const size_t len) ++{ ++ const LargestIntegralType _valid_range_end ++ = cast_ptr_to_largest_integral_type(valid_range_end); ++ const LargestIntegralType _invalid_range_end ++ = cast_ptr_to_largest_integral_type(invalid_range_end); ++ const LargestIntegralType _ptr = cast_ptr_to_largest_integral_type(ptr); ++ const LargestIntegralType _len = cast_to_largest_integral_type(len); ++ ++ /* Ensure we've set up the range pointers properly. */ ++ assert_non_null(valid_range_begin); ++ assert_non_null(valid_range_end); ++ assert_non_null(invalid_range_end); ++ ++ /* ++ * Ensure the length isn't excessively large (a symptom of integer ++ * underflow). 
++ */ ++ assert_in_range(len, 0, 0x1000); ++ ++ /* Ensure the memory is outside the invalid range. */ ++ if (_ptr < _invalid_range_end && _ptr + _len > _valid_range_end) { ++ fail(); ++ } ++} ++ ++/***************************************************************************** ++ * wrapped functions ++ *****************************************************************************/ ++ ++krb5_keyblock dummy_key; ++ ++krb5_error_code __wrap_krb5_auth_con_getlocalsubkey(krb5_context context, ++ krb5_auth_context auth_context, ++ krb5_keyblock **keyblock); ++krb5_error_code __wrap_krb5_auth_con_getlocalsubkey(krb5_context context, ++ krb5_auth_context auth_context, ++ krb5_keyblock **keyblock) ++{ ++ *keyblock = &dummy_key; ++ return 0; ++} ++ ++void __wrap_krb5_free_keyblock(krb5_context context, ++ krb5_keyblock *keyblock); ++void __wrap_krb5_free_keyblock(krb5_context context, ++ krb5_keyblock *keyblock) ++{ ++ assert_ptr_equal(&dummy_key, keyblock); ++} ++ ++struct krb5_crypto_data dummy_crypto; ++ ++krb5_error_code __wrap_krb5_crypto_init(krb5_context context, ++ const krb5_keyblock *key, ++ krb5_enctype etype, ++ krb5_crypto *crypto); ++krb5_error_code __wrap_krb5_crypto_init(krb5_context context, ++ const krb5_keyblock *key, ++ krb5_enctype etype, ++ krb5_crypto *crypto) ++{ ++ static const LargestIntegralType etypes[] = {ETYPE_DES3_CBC_NONE, 0}; ++ ++ assert_ptr_equal(&dummy_key, key); ++ assert_in_set(etype, etypes, ARRAY_SIZE(etypes)); ++ ++ *crypto = &dummy_crypto; ++ ++ return 0; ++} ++ ++krb5_error_code __wrap_krb5_decrypt(krb5_context context, ++ krb5_crypto crypto, ++ unsigned usage, ++ void *data, ++ size_t len, ++ krb5_data *result); ++krb5_error_code __wrap_krb5_decrypt(krb5_context context, ++ krb5_crypto crypto, ++ unsigned usage, ++ void *data, ++ size_t len, ++ krb5_data *result) ++{ ++ assert_ptr_equal(&dummy_crypto, crypto); ++ assert_int_equal(KRB5_KU_USAGE_SEAL, usage); ++ ++ assert_mem_in_valid_range(data, len); ++ ++ check_expected(len); ++ 
check_expected_ptr(data); ++ ++ result->data = malloc(len); ++ assert_non_null(result->data); ++ result->length = len; ++ ++ memcpy(result->data, data, len); ++ ++ return 0; ++} ++ ++krb5_error_code __wrap_krb5_decrypt_ivec(krb5_context context, ++ krb5_crypto crypto, ++ unsigned usage, ++ void *data, ++ size_t len, ++ krb5_data *result, ++ void *ivec); ++krb5_error_code __wrap_krb5_decrypt_ivec(krb5_context context, ++ krb5_crypto crypto, ++ unsigned usage, ++ void *data, ++ size_t len, ++ krb5_data *result, ++ void *ivec) ++{ ++ assert_ptr_equal(&dummy_crypto, crypto); ++ assert_int_equal(KRB5_KU_USAGE_SEQ, usage); ++ ++ assert_mem_in_valid_range(data, len); ++ ++ assert_int_equal(8, len); ++ check_expected_ptr(data); ++ check_expected_ptr(ivec); ++ ++ result->data = malloc(len); ++ assert_non_null(result->data); ++ result->length = len; ++ ++ memcpy(result->data, data, len); ++ ++ return 0; ++} ++ ++krb5_error_code __wrap_krb5_verify_checksum(krb5_context context, ++ krb5_crypto crypto, ++ krb5_key_usage usage, ++ void *data, ++ size_t len, ++ Checksum *cksum); ++krb5_error_code __wrap_krb5_verify_checksum(krb5_context context, ++ krb5_crypto crypto, ++ krb5_key_usage usage, ++ void *data, ++ size_t len, ++ Checksum *cksum) ++{ ++ assert_ptr_equal(&dummy_crypto, crypto); ++ assert_int_equal(KRB5_KU_USAGE_SIGN, usage); ++ ++ assert_mem_in_valid_range(data, len); ++ ++ check_expected(len); ++ check_expected_ptr(data); ++ ++ assert_non_null(cksum); ++ assert_int_equal(CKSUMTYPE_HMAC_SHA1_DES3, cksum->cksumtype); ++ assert_int_equal(20, cksum->checksum.length); ++ check_expected_ptr(cksum->checksum.data); ++ ++ return 0; ++} ++ ++krb5_error_code __wrap_krb5_crypto_destroy(krb5_context context, ++ krb5_crypto crypto); ++krb5_error_code __wrap_krb5_crypto_destroy(krb5_context context, ++ krb5_crypto crypto) ++{ ++ assert_ptr_equal(&dummy_crypto, crypto); ++ ++ return 0; ++} ++ ++ ++int __wrap_der_get_length(const unsigned char *p, ++ size_t len, ++ size_t *val, ++ 
size_t *size); ++int __real_der_get_length(const unsigned char *p, ++ size_t len, ++ size_t *val, ++ size_t *size); ++int __wrap_der_get_length(const unsigned char *p, ++ size_t len, ++ size_t *val, ++ size_t *size) ++{ ++ assert_mem_in_valid_range(p, len); ++ ++ return __real_der_get_length(p, len, val, size); ++} ++ ++int __wrap_ct_memcmp(const volatile void * volatile p1, ++ const volatile void * volatile p2, ++ size_t len); ++int __real_ct_memcmp(const volatile void * volatile p1, ++ const volatile void * volatile p2, ++ size_t len); ++int __wrap_ct_memcmp(const volatile void * volatile p1, ++ const volatile void * volatile p2, ++ size_t len) ++{ ++ assert_mem_outside_invalid_range(p1, len); ++ assert_mem_outside_invalid_range(p2, len); ++ ++ return __real_ct_memcmp(p1, p2, len); ++} ++ ++void *__wrap_malloc(size_t size); ++void *__real_malloc(size_t size); ++void *__wrap_malloc(size_t size) ++{ ++ /* ++ * Ensure the length isn't excessively large (a symptom of integer ++ * underflow). 
++ */ ++ assert_in_range(size, 0, 0x10000); ++ ++ return __real_malloc(size); ++} ++ ++/***************************************************************************** ++ * Mock implementations ++ *****************************************************************************/ ++ ++/* ++ * Set the globals used by the mocked functions to a known and consistent state ++ * ++ */ ++static void init_mock_results(TALLOC_CTX *mem_ctx) ++{ ++ dummy_key.keytype = KRB5_ENCTYPE_DES3_CBC_MD5; ++ dummy_key.keyvalue.data = NULL; ++ dummy_key.keyvalue.length = 0; ++ ++ dummy_crypto = (struct krb5_crypto_data) {0}; ++ ++ valid_range_begin = NULL; ++ valid_range_end = NULL; ++ invalid_range_end = NULL; ++} ++ ++/***************************************************************************** ++ * Unit test set up and tear down ++ *****************************************************************************/ ++ ++struct context { ++ gss_ctx_id_t context_handle; ++}; ++ ++static int setup(void **state) { ++ struct context *ctx = NULL; ++ krb5_context context = NULL; ++ OM_uint32 major_status; ++ OM_uint32 minor_status; ++ krb5_error_code code; ++ ++ ctx = talloc_zero(NULL, struct context); ++ assert_non_null(ctx); ++ ++ init_mock_results(ctx); ++ ++ code = _gsskrb5_init(&context); ++ assert_int_equal(0, code); ++ ++ major_status = _gsskrb5_create_ctx(&minor_status, ++ &ctx->context_handle, ++ context, ++ GSS_C_NO_CHANNEL_BINDINGS, ++ ACCEPTOR_START); ++ assert_int_equal(GSS_S_COMPLETE, major_status); ++ ++ *state = ctx; ++ return 0; ++} ++ ++static int teardown(void **state) { ++ struct context *ctx = *state; ++ OM_uint32 major_status; ++ OM_uint32 minor_status; ++ ++ major_status = _gsskrb5_delete_sec_context(&minor_status, ++ &ctx->context_handle, ++ GSS_C_NO_BUFFER); ++ assert_int_equal(GSS_S_COMPLETE, major_status); ++ ++ TALLOC_FREE(ctx); ++ return 0; ++} ++ ++/***************************************************************************** ++ * _gsskrb5_unwrap unit tests ++ 
*****************************************************************************/ ++ ++static void test_unwrap_dce_style_missing_payload(void **state) { ++ struct context *ctx = *state; ++ OM_uint32 major_status; ++ OM_uint32 minor_status; ++ gsskrb5_ctx gss_ctx; ++ gss_buffer_desc input = {0}; ++ gss_buffer_desc output = {0}; ++ int conf_state; ++ gss_qop_t qop_state; ++ ++ /* See RFC 1964 for token format. */ ++ static const uint8_t data[] = { ++ 0x60, /* ASN.1 Application tag */ ++ 0x37, /* total length */ ++ 0x06, /* OBJECT IDENTIFIER */ ++ 0x09, /* mech length */ ++ 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12, 0x01, 0x02, 0x02, /* GSS KRB5 mech */ ++ 0x02, 0x01, /* TOK_ID */ ++ 0x04, 0x00, /* SGN_ALG (HMAC SHA1 DES3-KD) */ ++ 0xff, 0xff, /* SEAL_ALG (none) */ ++ 0xff, 0xff, /* Filler */ ++ 0xa0, 0xa1, 0xa2, 0xa3, /* encrypted sequence number */ ++ 0x00, 0x00, 0x00, 0x00, /* sequence number direction (remote) */ ++ /* checksum */ ++ 0xa4, 0xa5, 0xa6, 0xa7, 0xa8, ++ 0xa9, 0xaa, 0xab, 0xac, 0xad, ++ 0xae, 0xaf, 0xb0, 0xb1, 0xb2, ++ 0xb3, 0xb4, 0xb5, 0xb6, 0xb7, ++ }; ++ ++ input = get_input_buffer(ctx, data, sizeof(data), 22); ++ ++ gss_ctx = (gsskrb5_ctx) ctx->context_handle; ++ gss_ctx->flags |= GSS_C_DCE_STYLE; ++ ++ major_status = _gsskrb5_unwrap(&minor_status, ++ ctx->context_handle, ++ &input, ++ &output, ++ &conf_state, ++ &qop_state); ++ assert_int_equal(GSS_S_BAD_MECH, major_status); ++} ++ ++static void test_unwrap_dce_style_valid(void **state) { ++ struct context *ctx = *state; ++ OM_uint32 major_status; ++ OM_uint32 minor_status; ++ gsskrb5_ctx gss_ctx; ++ gss_buffer_desc input = {0}; ++ gss_buffer_desc output = {0}; ++ int conf_state; ++ gss_qop_t qop_state; ++ ++ /* See RFC 1964 for token format. 
*/ ++ static const uint8_t data[] = { ++ 0x60, /* ASN.1 Application tag */ ++ 0x37, /* total length */ ++ 0x06, /* OBJECT IDENTIFIER */ ++ 0x09, /* mech length */ ++ 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12, 0x01, 0x02, 0x02, /* GSS KRB5 mech */ ++ 0x02, 0x01, /* TOK_ID */ ++ 0x04, 0x00, /* SGN_ALG (HMAC SHA1 DES3-KD) */ ++ 0xff, 0xff, /* SEAL_ALG (none) */ ++ 0xff, 0xff, /* Filler */ ++ 0xa0, 0xa1, 0xa2, 0xa3, /* encrypted sequence number */ ++ 0x00, 0x00, 0x00, 0x00, /* sequence number direction (remote) */ ++ /* checksum */ ++ 0xa4, 0xa5, 0xa6, 0xa7, 0xa8, ++ 0xa9, 0xaa, 0xab, 0xac, 0xad, ++ 0xae, 0xaf, 0xb0, 0xb1, 0xb2, ++ 0xb3, 0xb4, 0xb5, 0xb6, 0xb7, ++ /* unused */ ++ 0xb8, 0xb9, 0xba, 0xbb, ++ 0xbc, 0xbd, 0xbe, ++ 0x00, /* padding byte */ ++ }; ++ ++ input = get_input_buffer(ctx, data, sizeof(data), 57); ++ ++ gss_ctx = (gsskrb5_ctx) ctx->context_handle; ++ gss_ctx->flags |= GSS_C_DCE_STYLE; ++ ++ expect_value(__wrap_krb5_decrypt_ivec, data, (uint8_t *)input.value + 21); ++ expect_memory(__wrap_krb5_decrypt_ivec, ivec, ++ (uint8_t *)input.value + 29, DES_CBLOCK_LEN); ++ ++ expect_value(__wrap_krb5_verify_checksum, len, 16); ++ expect_value(__wrap_krb5_verify_checksum, data, (uint8_t *)input.value + 41); ++ expect_memory(__wrap_krb5_verify_checksum, cksum->checksum.data, ++ (uint8_t *)input.value + 29, 20); ++ ++ major_status = _gsskrb5_unwrap(&minor_status, ++ ctx->context_handle, ++ &input, ++ &output, ++ &conf_state, ++ &qop_state); ++ assert_int_equal(GSS_S_COMPLETE, major_status); ++ ++ assert_int_equal(0, conf_state); ++ assert_int_equal(GSS_C_QOP_DEFAULT, qop_state); ++ ++ assert_int_equal(output.length, 0); ++ ++ major_status = gss_release_buffer(&minor_status, &output); ++ assert_int_equal(GSS_S_COMPLETE, major_status); ++} ++ ++static void test_unwrap_dce_style_with_seal_missing_payload(void **state) { ++ struct context *ctx = *state; ++ OM_uint32 major_status; ++ OM_uint32 minor_status; ++ gsskrb5_ctx gss_ctx; ++ gss_buffer_desc input = {0}; ++ 
gss_buffer_desc output = {0}; ++ int conf_state; ++ gss_qop_t qop_state; ++ ++ /* See RFC 1964 for token format. */ ++ static const uint8_t data[] = { ++ 0x60, /* ASN.1 Application tag */ ++ 0x37, /* total length */ ++ 0x06, /* OBJECT IDENTIFIER */ ++ 0x09, /* mech length */ ++ 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12, 0x01, 0x02, 0x02, /* GSS KRB5 mech */ ++ 0x02, 0x01, /* TOK_ID */ ++ 0x04, 0x00, /* SGN_ALG (HMAC SHA1 DES3-KD) */ ++ 0x02, 0x00, /* SEAL_ALG (DES3-KD) */ ++ 0xff, 0xff, /* Filler */ ++ 0xa0, 0xa1, 0xa2, 0xa3, /* encrypted sequence number */ ++ 0x00, 0x00, 0x00, 0x00, /* sequence number direction (remote) */ ++ /* checksum */ ++ 0xa4, 0xa5, 0xa6, 0xa7, 0xa8, ++ 0xa9, 0xaa, 0xab, 0xac, 0xad, ++ 0xae, 0xaf, 0xb0, 0xb1, 0xb2, ++ 0xb3, 0xb4, 0xb5, 0xb6, 0xb7, ++ }; ++ ++ input = get_input_buffer(ctx, data, sizeof(data), 22); ++ ++ gss_ctx = (gsskrb5_ctx) ctx->context_handle; ++ gss_ctx->flags |= GSS_C_DCE_STYLE; ++ ++ major_status = _gsskrb5_unwrap(&minor_status, ++ ctx->context_handle, ++ &input, ++ &output, ++ &conf_state, ++ &qop_state); ++ assert_int_equal(GSS_S_BAD_MECH, major_status); ++} ++ ++static void test_unwrap_dce_style_with_seal_valid(void **state) { ++ struct context *ctx = *state; ++ OM_uint32 major_status; ++ OM_uint32 minor_status; ++ gsskrb5_ctx gss_ctx; ++ gss_buffer_desc input = {0}; ++ gss_buffer_desc output = {0}; ++ int conf_state; ++ gss_qop_t qop_state; ++ ++ /* See RFC 1964 for token format. 
*/ ++ static const uint8_t data[] = { ++ 0x60, /* ASN.1 Application tag */ ++ 0x37, /* total length */ ++ 0x06, /* OBJECT IDENTIFIER */ ++ 0x09, /* mech length */ ++ 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12, 0x01, 0x02, 0x02, /* GSS KRB5 mech */ ++ 0x02, 0x01, /* TOK_ID */ ++ 0x04, 0x00, /* SGN_ALG (HMAC SHA1 DES3-KD) */ ++ 0x02, 0x00, /* SEAL_ALG (DES3-KD) */ ++ 0xff, 0xff, /* Filler */ ++ 0xa0, 0xa1, 0xa2, 0xa3, /* encrypted sequence number */ ++ 0x00, 0x00, 0x00, 0x00, /* sequence number direction (remote) */ ++ /* checksum */ ++ 0xa4, 0xa5, 0xa6, 0xa7, 0xa8, ++ 0xa9, 0xaa, 0xab, 0xac, 0xad, ++ 0xae, 0xaf, 0xb0, 0xb1, 0xb2, ++ 0xb3, 0xb4, 0xb5, 0xb6, 0xb7, ++ /* unused */ ++ 0xb8, 0xb9, 0xba, 0xbb, ++ 0xbc, 0xbd, 0xbe, ++ 0x00, /* padding byte */ ++ }; ++ ++ input = get_input_buffer(ctx, data, sizeof(data), 57); ++ ++ gss_ctx = (gsskrb5_ctx) ctx->context_handle; ++ gss_ctx->flags |= GSS_C_DCE_STYLE; ++ ++ expect_value(__wrap_krb5_decrypt, len, 8); ++ expect_value(__wrap_krb5_decrypt, data, (uint8_t *)input.value + 49); ++ ++ expect_value(__wrap_krb5_decrypt_ivec, data, (uint8_t *)input.value + 21); ++ expect_memory(__wrap_krb5_decrypt_ivec, ivec, ++ (uint8_t *)input.value + 29, DES_CBLOCK_LEN); ++ ++ expect_value(__wrap_krb5_verify_checksum, len, 16); ++ expect_value(__wrap_krb5_verify_checksum, data, (uint8_t *)input.value + 41); ++ expect_memory(__wrap_krb5_verify_checksum, cksum->checksum.data, ++ (uint8_t *)input.value + 29, 20); ++ ++ major_status = _gsskrb5_unwrap(&minor_status, ++ ctx->context_handle, ++ &input, ++ &output, ++ &conf_state, ++ &qop_state); ++ assert_int_equal(GSS_S_COMPLETE, major_status); ++ ++ assert_int_equal(1, conf_state); ++ assert_int_equal(GSS_C_QOP_DEFAULT, qop_state); ++ ++ assert_int_equal(output.length, 0); ++ ++ major_status = gss_release_buffer(&minor_status, &output); ++ assert_int_equal(GSS_S_COMPLETE, major_status); ++} ++ ++static void test_unwrap_missing_8_bytes(void **state) { ++ struct context *ctx = *state; ++ OM_uint32 
major_status; ++ OM_uint32 minor_status; ++ gss_buffer_desc input = {0}; ++ gss_buffer_desc output = {0}; ++ int conf_state; ++ gss_qop_t qop_state; ++ ++ /* See RFC 1964 for token format. */ ++ static const uint8_t data[] = { ++ 0x60, /* ASN.1 Application tag */ ++ 0x2f, /* total length */ ++ 0x06, /* OBJECT IDENTIFIER */ ++ 0x09, /* mech length */ ++ 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12, 0x01, 0x02, 0x02, /* GSS KRB5 mech */ ++ 0x02, 0x01, /* TOK_ID */ ++ 0x04, 0x00, /* SGN_ALG (HMAC SHA1 DES3-KD) */ ++ 0xff, 0xff, /* SEAL_ALG (none) */ ++ 0xff, 0xff, /* Filler */ ++ 0xa0, 0xa1, 0xa2, 0xa3, /* encrypted sequence number */ ++ 0x00, 0x00, 0x00, 0x00, /* sequence number direction (remote) */ ++ /* checksum */ ++ 0xa4, 0xa5, 0xa6, 0xa7, 0xa8, ++ 0xa9, 0xaa, 0xab, 0xac, 0xad, ++ 0xae, 0xaf, 0xb0, 0xb1, 0xb2, ++ 0xb3, 0xb4, 0xb5, 0xb6, 0x00, /* padding byte */ ++ }; ++ ++ input = get_input_buffer(ctx, data, sizeof(data), 49); ++ ++ /* ++ * A fixed unwrap_des3() should fail before these wrappers are called, ++ * but we want the wrappers to have access to any required values in the ++ * event that they are called. Specifying WILL_RETURN_ONCE avoids a test ++ * failure if these values remain unused. 
++ */ ++ expect_value_count(__wrap_krb5_decrypt_ivec, data, ++ (uint8_t *)input.value + 21, ++ WILL_RETURN_ONCE); ++ expect_memory_count(__wrap_krb5_decrypt_ivec, ivec, ++ (uint8_t *)input.value + 29, DES_CBLOCK_LEN, ++ WILL_RETURN_ONCE); ++ ++ expect_value_count(__wrap_krb5_verify_checksum, len, 8, WILL_RETURN_ONCE); ++ expect_value_count(__wrap_krb5_verify_checksum, data, ++ (uint8_t *)input.value + 41, ++ WILL_RETURN_ONCE); ++ expect_memory_count(__wrap_krb5_verify_checksum, cksum->checksum.data, ++ (uint8_t *)input.value + 29, 20, ++ WILL_RETURN_ONCE); ++ ++ major_status = _gsskrb5_unwrap(&minor_status, ++ ctx->context_handle, ++ &input, ++ &output, ++ &conf_state, ++ &qop_state); ++ assert_int_equal(GSS_S_BAD_MECH, major_status); ++} ++ ++static void test_unwrap_missing_payload(void **state) { ++ struct context *ctx = *state; ++ OM_uint32 major_status; ++ OM_uint32 minor_status; ++ gss_buffer_desc input = {0}; ++ gss_buffer_desc output = {0}; ++ int conf_state; ++ gss_qop_t qop_state; ++ ++ /* See RFC 1964 for token format. 
*/ ++ static const uint8_t data[] = { ++ 0x60, /* ASN.1 Application tag */ ++ 0x14, /* total length */ ++ 0x06, /* OBJECT IDENTIFIER */ ++ 0x09, /* mech length */ ++ 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12, 0x01, 0x02, 0x02, /* GSS KRB5 mech */ ++ 0x02, 0x01, /* TOK_ID */ ++ 0x04, 0x00, /* SGN_ALG (HMAC SHA1 DES3-KD) */ ++ 0xff, 0xff, /* SEAL_ALG (none) */ ++ 0xff, 0xff, /* Filler */ ++ 0x00, 0xa1, 0xa2, 0xa3, /* padding byte / encrypted sequence number */ ++ 0x00, 0x00, 0x00, 0x00, /* sequence number direction (remote) */ ++ /* checksum */ ++ 0xa4, 0xa5, 0xa6, 0xa7, 0xa8, ++ 0xa9, 0xaa, 0xab, 0xac, 0xad, ++ 0xae, 0xaf, 0xb0, 0xb1, 0xb2, ++ 0xb3, 0xb4, 0xb5, 0xb6, 0xb7, ++ }; ++ ++ input = get_input_buffer(ctx, data, sizeof(data), 22); ++ ++ major_status = _gsskrb5_unwrap(&minor_status, ++ ctx->context_handle, ++ &input, ++ &output, ++ &conf_state, ++ &qop_state); ++ assert_int_equal(GSS_S_BAD_MECH, major_status); ++} ++ ++static void test_unwrap_truncated_header_0(void **state) { ++ struct context *ctx = *state; ++ OM_uint32 major_status; ++ OM_uint32 minor_status; ++ gss_buffer_desc input = {0}; ++ gss_buffer_desc output = {0}; ++ int conf_state; ++ gss_qop_t qop_state; ++ ++ /* See RFC 1964 for token format. */ ++ static const uint8_t data[] = { ++ 0x60, /* ASN.1 Application tag */ ++ 0x00, /* total length */ ++ 0x06, /* OBJECT IDENTIFIER */ ++ }; ++ ++ input = get_input_buffer(ctx, data, sizeof(data), 2); ++ ++ major_status = _gsskrb5_unwrap(&minor_status, ++ ctx->context_handle, ++ &input, ++ &output, ++ &conf_state, ++ &qop_state); ++ assert_int_equal(GSS_S_DEFECTIVE_TOKEN, major_status); ++} ++ ++static void test_unwrap_truncated_header_1(void **state) { ++ struct context *ctx = *state; ++ OM_uint32 major_status; ++ OM_uint32 minor_status; ++ gss_buffer_desc input = {0}; ++ gss_buffer_desc output = {0}; ++ int conf_state; ++ gss_qop_t qop_state; ++ ++ /* See RFC 1964 for token format. 
*/ ++ static const uint8_t data[] = { ++ 0x60, /* ASN.1 Application tag */ ++ 0x02, /* total length */ ++ 0x06, /* OBJECT IDENTIFIER */ ++ 0x09, /* mech length */ ++ 0xee, 0xee, 0xee, 0xee, 0xee, 0xee, 0xee, 0xee, 0xee, /* GSS KRB5 mech */ ++ }; ++ ++ input = get_input_buffer(ctx, data, sizeof(data), 4); ++ ++ major_status = _gsskrb5_unwrap(&minor_status, ++ ctx->context_handle, ++ &input, ++ &output, ++ &conf_state, ++ &qop_state); ++ assert_int_equal(GSS_S_BAD_MECH, major_status); ++} ++ ++static void test_unwrap_valid(void **state) { ++ struct context *ctx = *state; ++ OM_uint32 major_status; ++ OM_uint32 minor_status; ++ gss_buffer_desc input = {0}; ++ gss_buffer_desc output = {0}; ++ int conf_state; ++ gss_qop_t qop_state; ++ ++ /* See RFC 1964 for token format. */ ++ static const uint8_t data[] = { ++ 0x60, /* ASN.1 Application tag */ ++ 0x37, /* total length */ ++ 0x06, /* OBJECT IDENTIFIER */ ++ 0x09, /* mech length */ ++ 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12, 0x01, 0x02, 0x02, /* GSS KRB5 mech */ ++ 0x02, 0x01, /* TOK_ID */ ++ 0x04, 0x00, /* SGN_ALG (HMAC SHA1 DES3-KD) */ ++ 0xff, 0xff, /* SEAL_ALG (none) */ ++ 0xff, 0xff, /* Filler */ ++ 0xa0, 0xa1, 0xa2, 0xa3, /* encrypted sequence number */ ++ 0x00, 0x00, 0x00, 0x00, /* sequence number direction (remote) */ ++ /* checksum */ ++ 0xa4, 0xa5, 0xa6, 0xa7, 0xa8, ++ 0xa9, 0xaa, 0xab, 0xac, 0xad, ++ 0xae, 0xaf, 0xb0, 0xb1, 0xb2, ++ 0xb3, 0xb4, 0xb5, 0xb6, 0xb7, ++ /* unused */ ++ 0xb8, 0xb9, 0xba, 0xbb, ++ 0xbc, 0xbd, 0xbe, ++ 0x00, /* padding byte */ ++ }; ++ ++ input = get_input_buffer(ctx, data, sizeof(data), 57); ++ ++ expect_value(__wrap_krb5_decrypt_ivec, data, (uint8_t *)input.value + 21); ++ expect_memory(__wrap_krb5_decrypt_ivec, ivec, ++ (uint8_t *)input.value + 29, DES_CBLOCK_LEN); ++ ++ expect_value(__wrap_krb5_verify_checksum, len, 16); ++ expect_value(__wrap_krb5_verify_checksum, data, (uint8_t *)input.value + 41); ++ expect_memory(__wrap_krb5_verify_checksum, cksum->checksum.data, ++ (uint8_t 
*)input.value + 29, 20); ++ ++ major_status = _gsskrb5_unwrap(&minor_status, ++ ctx->context_handle, ++ &input, ++ &output, ++ &conf_state, ++ &qop_state); ++ assert_int_equal(GSS_S_COMPLETE, major_status); ++ ++ assert_int_equal(0, conf_state); ++ assert_int_equal(GSS_C_QOP_DEFAULT, qop_state); ++ ++ assert_int_equal(output.length, 0); ++ ++ major_status = gss_release_buffer(&minor_status, &output); ++ assert_int_equal(GSS_S_COMPLETE, major_status); ++} ++ ++static void test_unwrap_with_padding_truncated_0(void **state) { ++ struct context *ctx = *state; ++ OM_uint32 major_status; ++ OM_uint32 minor_status; ++ gss_buffer_desc input = {0}; ++ gss_buffer_desc output = {0}; ++ int conf_state; ++ gss_qop_t qop_state; ++ ++ /* See RFC 1964 for token format. */ ++ static const uint8_t data[] = { ++ 0x60, /* ASN.1 Application tag */ ++ 0x37, /* total length */ ++ 0x06, /* OBJECT IDENTIFIER */ ++ 0x09, /* mech length */ ++ 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12, 0x01, 0x02, 0x02, /* GSS KRB5 mech */ ++ 0x02, 0x01, /* TOK_ID */ ++ 0x04, 0x00, /* SGN_ALG (HMAC SHA1 DES3-KD) */ ++ 0xff, 0xff, /* SEAL_ALG (none) */ ++ 0xff, 0xff, /* Filler */ ++ 0xa0, 0xa1, 0xa2, 0xa3, /* encrypted sequence number */ ++ 0x00, 0x00, 0x00, 0x00, /* sequence number direction (remote) */ ++ /* checksum */ ++ 0xa4, 0xa5, 0xa6, 0xa7, 0xa8, ++ 0xa9, 0xaa, 0xab, 0xac, 0xad, ++ 0xae, 0xaf, 0xb0, 0xb1, 0xb2, ++ 0xb3, 0xb4, 0xb5, 0xb6, 0xb7, ++ /* unused */ ++ 0xb8, 0xb9, 0xba, 0xbb, ++ 0x04, 0x04, 0x04, 0x04, /* padding bytes */ ++ }; ++ ++ input = get_input_buffer(ctx, data, sizeof(data), 57); ++ ++ /* ++ * A fixed unwrap_des3() should fail before these wrappers are called, ++ * but we want the wrappers to have access to any required values in the ++ * event that they are called. Specifying WILL_RETURN_ONCE avoids a test ++ * failure if these values remain unused. 
++ */ ++ expect_value_count(__wrap_krb5_decrypt_ivec, data, ++ (uint8_t *)input.value + 21, ++ WILL_RETURN_ONCE); ++ expect_memory_count(__wrap_krb5_decrypt_ivec, ivec, ++ (uint8_t *)input.value + 29, DES_CBLOCK_LEN, ++ WILL_RETURN_ONCE); ++ ++ expect_value_count(__wrap_krb5_verify_checksum, len, 16, WILL_RETURN_ONCE); ++ expect_value_count(__wrap_krb5_verify_checksum, data, ++ (uint8_t *)input.value + 41, ++ WILL_RETURN_ONCE); ++ expect_memory_count(__wrap_krb5_verify_checksum, cksum->checksum.data, ++ (uint8_t *)input.value + 29, 20, ++ WILL_RETURN_ONCE); ++ ++ major_status = _gsskrb5_unwrap(&minor_status, ++ ctx->context_handle, ++ &input, ++ &output, ++ &conf_state, ++ &qop_state); ++ assert_int_equal(GSS_S_BAD_MECH, major_status); ++} ++ ++static void test_unwrap_with_padding_truncated_1(void **state) { ++ struct context *ctx = *state; ++ OM_uint32 major_status; ++ OM_uint32 minor_status; ++ gss_buffer_desc input = {0}; ++ gss_buffer_desc output = {0}; ++ int conf_state; ++ gss_qop_t qop_state; ++ ++ /* See RFC 1964 for token format. 
*/ ++ static const uint8_t data[] = { ++ 0x60, /* ASN.1 Application tag */ ++ 0x37, /* total length */ ++ 0x06, /* OBJECT IDENTIFIER */ ++ 0x09, /* mech length */ ++ 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12, 0x01, 0x02, 0x02, /* GSS KRB5 mech */ ++ 0x02, 0x01, /* TOK_ID */ ++ 0x04, 0x00, /* SGN_ALG (HMAC SHA1 DES3-KD) */ ++ 0xff, 0xff, /* SEAL_ALG (none) */ ++ 0xff, 0xff, /* Filler */ ++ 0x00, 0xa1, 0xa2, 0xa3, /* padding byte / encrypted sequence number */ ++ 0x00, 0x00, 0x00, 0x00, /* sequence number direction (remote) */ ++ /* checksum */ ++ 0xa4, 0xa5, 0xa6, 0xa7, 0xa8, ++ 0xa9, 0xaa, 0xab, 0xac, 0xad, ++ 0xae, 0xaf, 0xb0, 0xb1, 0xb2, ++ 0xb3, 0xb4, 0xb5, 0xb6, 0xb7, ++ /* padding bytes */ ++ 0x08, 0x08, 0x08, 0x08, 0x08, 0x08, 0x08, 0x08, ++ }; ++ ++ input = get_input_buffer(ctx, data, sizeof(data), 57); ++ ++ /* ++ * A fixed unwrap_des3() should fail before these wrappers are called, ++ * but we want the wrappers to have access to any required values in the ++ * event that they are called. Specifying WILL_RETURN_ONCE avoids a test ++ * failure if these values remain unused. 
++ */ ++ expect_value_count(__wrap_krb5_decrypt_ivec, data, ++ (uint8_t *)input.value + 21, ++ WILL_RETURN_ONCE); ++ expect_memory_count(__wrap_krb5_decrypt_ivec, ivec, ++ (uint8_t *)input.value + 29, DES_CBLOCK_LEN, ++ WILL_RETURN_ONCE); ++ ++ expect_value_count(__wrap_krb5_verify_checksum, len, 16, WILL_RETURN_ONCE); ++ expect_value_count(__wrap_krb5_verify_checksum, data, ++ (uint8_t *)input.value + 41, ++ WILL_RETURN_ONCE); ++ expect_memory_count(__wrap_krb5_verify_checksum, cksum->checksum.data, ++ (uint8_t *)input.value + 29, 20, ++ WILL_RETURN_ONCE); ++ ++ major_status = _gsskrb5_unwrap(&minor_status, ++ ctx->context_handle, ++ &input, ++ &output, ++ &conf_state, ++ &qop_state); ++ assert_int_equal(GSS_S_BAD_MECH, major_status); ++} ++ ++static void test_unwrap_with_padding_valid(void **state) { ++ struct context *ctx = *state; ++ OM_uint32 major_status; ++ OM_uint32 minor_status; ++ gss_buffer_desc input = {0}; ++ gss_buffer_desc output = {0}; ++ int conf_state; ++ gss_qop_t qop_state; ++ ++ /* See RFC 1964 for token format. 
*/ ++ static const uint8_t data[] = { ++ 0x60, /* ASN.1 Application tag */ ++ 0x3f, /* total length */ ++ 0x06, /* OBJECT IDENTIFIER */ ++ 0x09, /* mech length */ ++ 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12, 0x01, 0x02, 0x02, /* GSS KRB5 mech */ ++ 0x02, 0x01, /* TOK_ID */ ++ 0x04, 0x00, /* SGN_ALG (HMAC SHA1 DES3-KD) */ ++ 0xff, 0xff, /* SEAL_ALG (none) */ ++ 0xff, 0xff, /* Filler */ ++ 0xa0, 0xa1, 0xa2, 0xa3, /* encrypted sequence number */ ++ 0x00, 0x00, 0x00, 0x00, /* sequence number direction (remote) */ ++ /* checksum */ ++ 0xa4, 0xa5, 0xa6, 0xa7, 0xa8, ++ 0xa9, 0xaa, 0xab, 0xac, 0xad, ++ 0xae, 0xaf, 0xb0, 0xb1, 0xb2, ++ 0xb3, 0xb4, 0xb5, 0xb6, 0xb7, ++ /* unused */ ++ 0xb8, 0xb9, 0xba, 0xbb, ++ 0xbc, 0xbd, 0xbe, 0xbf, ++ /* padding bytes */ ++ 0x08, 0x08, 0x08, 0x08, ++ 0x08, 0x08, 0x08, 0x08, ++ }; ++ ++ input = get_input_buffer(ctx, data, sizeof(data), 65); ++ ++ expect_value(__wrap_krb5_decrypt_ivec, data, (uint8_t *)input.value + 21); ++ expect_memory(__wrap_krb5_decrypt_ivec, ivec, ++ (uint8_t *)input.value + 29, DES_CBLOCK_LEN); ++ ++ expect_value(__wrap_krb5_verify_checksum, len, 24); ++ expect_value(__wrap_krb5_verify_checksum, data, (uint8_t *)input.value + 41); ++ expect_memory(__wrap_krb5_verify_checksum, cksum->checksum.data, ++ (uint8_t *)input.value + 29, 20); ++ ++ major_status = _gsskrb5_unwrap(&minor_status, ++ ctx->context_handle, ++ &input, ++ &output, ++ &conf_state, ++ &qop_state); ++ assert_int_equal(GSS_S_COMPLETE, major_status); ++ ++ assert_int_equal(0, conf_state); ++ assert_int_equal(GSS_C_QOP_DEFAULT, qop_state); ++ ++ assert_int_equal(output.length, 0); ++ ++ major_status = gss_release_buffer(&minor_status, &output); ++ assert_int_equal(GSS_S_COMPLETE, major_status); ++} ++ ++static void test_unwrap_with_seal_empty_token_valid(void **state) { ++ struct context *ctx = *state; ++ OM_uint32 major_status; ++ OM_uint32 minor_status; ++ gss_buffer_desc input = {0}; ++ gss_buffer_desc output = {0}; ++ int conf_state; ++ gss_qop_t qop_state; 
++ ++ /* See RFC 1964 for token format. */ ++ static const uint8_t data[] = { ++ 0x60, /* ASN.1 Application tag */ ++ 0x37, /* total length */ ++ 0x06, /* OBJECT IDENTIFIER */ ++ 0x09, /* mech length */ ++ 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12, 0x01, 0x02, 0x02, /* GSS KRB5 mech */ ++ 0x02, 0x01, /* TOK_ID */ ++ 0x04, 0x00, /* SGN_ALG (HMAC SHA1 DES3-KD) */ ++ 0x02, 0x00, /* SEAL_ALG (DES3-KD) */ ++ 0xff, 0xff, /* Filler */ ++ 0xa0, 0xa1, 0xa2, 0xa3, /* encrypted sequence number */ ++ 0x00, 0x00, 0x00, 0x00, /* sequence number direction (remote) */ ++ /* checksum */ ++ 0xa4, 0xa5, 0xa6, 0xa7, 0xa8, ++ 0xa9, 0xaa, 0xab, 0xac, 0xad, ++ 0xae, 0xaf, 0xb0, 0xb1, 0xb2, ++ 0xb3, 0xb4, 0xb5, 0xb6, 0xb7, ++ /* unused */ ++ 0xb8, 0xb9, 0xba, 0xbb, ++ 0xbc, 0xbd, 0xbe, ++ 0x00, /* padding byte */ ++ }; ++ ++ input = get_input_buffer(ctx, data, sizeof(data), 57); ++ ++ expect_value(__wrap_krb5_decrypt, len, 8); ++ expect_value(__wrap_krb5_decrypt, data, (uint8_t *)input.value + 49); ++ ++ expect_value(__wrap_krb5_decrypt_ivec, data, (uint8_t *)input.value + 21); ++ expect_memory(__wrap_krb5_decrypt_ivec, ivec, ++ (uint8_t *)input.value + 29, DES_CBLOCK_LEN); ++ ++ expect_value(__wrap_krb5_verify_checksum, len, 16); ++ expect_value(__wrap_krb5_verify_checksum, data, (uint8_t *)input.value + 41); ++ expect_memory(__wrap_krb5_verify_checksum, cksum->checksum.data, ++ (uint8_t *)input.value + 29, 20); ++ ++ major_status = _gsskrb5_unwrap(&minor_status, ++ ctx->context_handle, ++ &input, ++ &output, ++ &conf_state, ++ &qop_state); ++ assert_int_equal(GSS_S_COMPLETE, major_status); ++ ++ assert_int_equal(1, conf_state); ++ assert_int_equal(GSS_C_QOP_DEFAULT, qop_state); ++ ++ assert_int_equal(output.length, 0); ++ ++ major_status = gss_release_buffer(&minor_status, &output); ++ assert_int_equal(GSS_S_COMPLETE, major_status); ++} ++ ++static void test_unwrap_with_seal_missing_payload(void **state) { ++ struct context *ctx = *state; ++ OM_uint32 major_status; ++ OM_uint32 minor_status; 
++ gss_buffer_desc input = {0}; ++ gss_buffer_desc output = {0}; ++ int conf_state; ++ gss_qop_t qop_state; ++ ++ /* See RFC 1964 for token format. */ ++ static const uint8_t data[] = { ++ 0x60, /* ASN.1 Application tag */ ++ 0x14, /* total length */ ++ 0x06, /* OBJECT IDENTIFIER */ ++ 0x09, /* mech length */ ++ 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12, 0x01, 0x02, 0x02, /* GSS KRB5 mech */ ++ 0x02, 0x01, /* TOK_ID */ ++ 0x04, 0x00, /* SGN_ALG (HMAC SHA1 DES3-KD) */ ++ 0x02, 0x00, /* SEAL_ALG (DES3-KD) */ ++ 0xff, 0xff, /* Filler */ ++ 0xa0, 0xa1, 0xa2, 0xa3, /* encrypted sequence number */ ++ 0x00, 0x00, 0x00, 0x00, /* sequence number direction (remote) */ ++ /* checksum */ ++ 0xa4, 0xa5, 0xa6, 0xa7, 0xa8, ++ 0xa9, 0xaa, 0xab, 0xac, 0xad, ++ 0xae, 0xaf, 0xb0, 0xb1, 0xb2, ++ 0xb3, 0xb4, 0xb5, 0xb6, 0xb7, ++ }; ++ ++ input = get_input_buffer(ctx, data, sizeof(data), 22); ++ ++ major_status = _gsskrb5_unwrap(&minor_status, ++ ctx->context_handle, ++ &input, ++ &output, ++ &conf_state, ++ &qop_state); ++ assert_int_equal(GSS_S_BAD_MECH, major_status); ++} ++ ++static void test_unwrap_with_seal_valid(void **state) { ++ struct context *ctx = *state; ++ OM_uint32 major_status; ++ OM_uint32 minor_status; ++ gss_buffer_desc input = {0}; ++ gss_buffer_desc output = {0}; ++ int conf_state; ++ gss_qop_t qop_state; ++ ++ /* See RFC 1964 for token format. 
*/ ++ static const uint8_t data[] = { ++ 0x60, /* ASN.1 Application tag */ ++ 0x3e, /* total length */ ++ 0x06, /* OBJECT IDENTIFIER */ ++ 0x09, /* mech length */ ++ 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12, 0x01, 0x02, 0x02, /* GSS KRB5 mech */ ++ 0x02, 0x01, /* TOK_ID */ ++ 0x04, 0x00, /* SGN_ALG (HMAC SHA1 DES3-KD) */ ++ 0x02, 0x00, /* SEAL_ALG (DES3-KD) */ ++ 0xff, 0xff, /* Filler */ ++ 0xa0, 0xa1, 0xa2, 0xa3, /* encrypted sequence number */ ++ 0x00, 0x00, 0x00, 0x00, /* sequence number direction (remote) */ ++ /* checksum */ ++ 0xa4, 0xa5, 0xa6, 0xa7, 0xa8, ++ 0xa9, 0xaa, 0xab, 0xac, 0xad, ++ 0xae, 0xaf, 0xb0, 0xb1, 0xb2, ++ 0xb3, 0xb4, 0xb5, 0xb6, 0xb7, ++ /* unused */ ++ 0xb8, 0xb9, 0xba, 0xbb, ++ 0xbc, 0xbd, 0xbe, 0xbf, ++ 0xc0, 0xc1, 0xc2, 0xc3, ++ 0xc4, 0xc5, ++ 0x00, /* padding byte */ ++ }; ++ ++ input = get_input_buffer(ctx, data, sizeof(data), 64); ++ ++ expect_value(__wrap_krb5_decrypt, len, 15); ++ expect_value(__wrap_krb5_decrypt, data, (uint8_t *)input.value + 49); ++ ++ expect_value(__wrap_krb5_decrypt_ivec, data, (uint8_t *)input.value + 21); ++ expect_memory(__wrap_krb5_decrypt_ivec, ivec, ++ (uint8_t *)input.value + 29, DES_CBLOCK_LEN); ++ ++ expect_value(__wrap_krb5_verify_checksum, len, 23); ++ expect_value(__wrap_krb5_verify_checksum, data, (uint8_t *)input.value + 41); ++ expect_memory(__wrap_krb5_verify_checksum, cksum->checksum.data, ++ (uint8_t *)input.value + 29, 20); ++ ++ major_status = _gsskrb5_unwrap(&minor_status, ++ ctx->context_handle, ++ &input, ++ &output, ++ &conf_state, ++ &qop_state); ++ assert_int_equal(GSS_S_COMPLETE, major_status); ++ ++ assert_int_equal(1, conf_state); ++ assert_int_equal(GSS_C_QOP_DEFAULT, qop_state); ++ ++ assert_int_equal(output.length, 7); ++ assert_memory_equal((uint8_t *)input.value + 57, output.value, output.length); ++ ++ major_status = gss_release_buffer(&minor_status, &output); ++ assert_int_equal(GSS_S_COMPLETE, major_status); ++} ++ ++int main(int argc, const char **argv) ++{ ++ static const 
struct CMUnitTest tests[] = {
++ cmocka_unit_test_setup_teardown(
++ test_unwrap_dce_style_missing_payload, setup, teardown),
++ cmocka_unit_test_setup_teardown(
++ test_unwrap_dce_style_valid, setup, teardown),
++ cmocka_unit_test_setup_teardown(
++ test_unwrap_dce_style_with_seal_missing_payload, setup, teardown),
++ cmocka_unit_test_setup_teardown(
++ test_unwrap_dce_style_with_seal_valid, setup, teardown),
++ cmocka_unit_test_setup_teardown(
++ test_unwrap_missing_8_bytes, setup, teardown),
++ cmocka_unit_test_setup_teardown(
++ test_unwrap_missing_payload, setup, teardown),
++ cmocka_unit_test_setup_teardown(
++ test_unwrap_truncated_header_0, setup, teardown),
++ cmocka_unit_test_setup_teardown(
++ test_unwrap_truncated_header_1, setup, teardown),
++ cmocka_unit_test_setup_teardown(
++ test_unwrap_valid, setup, teardown),
++ cmocka_unit_test_setup_teardown(
++ test_unwrap_with_padding_truncated_0, setup, teardown),
++ cmocka_unit_test_setup_teardown(
++ test_unwrap_with_padding_truncated_1, setup, teardown),
++ cmocka_unit_test_setup_teardown(
++ test_unwrap_with_padding_valid, setup, teardown),
++ cmocka_unit_test_setup_teardown(
++ test_unwrap_with_seal_empty_token_valid, setup, teardown),
++ cmocka_unit_test_setup_teardown(
++ test_unwrap_with_seal_missing_payload, setup, teardown),
++ cmocka_unit_test_setup_teardown(
++ test_unwrap_with_seal_valid, setup, teardown),
++ };
++
++ cmocka_set_message_output(CM_OUTPUT_SUBUNIT);
++ return cmocka_run_group_tests(tests, NULL, NULL);
++}
+diff --git a/source4/auth/wscript_build b/source4/auth/wscript_build
+index 381a7b19bf0..01b2f280609 100644
+--- a/source4/auth/wscript_build
++++ b/source4/auth/wscript_build
+@@ -49,6 +49,27 @@ bld.SAMBA_BINARY('test_kerberos',
+ for_selftest=True
+ )
+
++bld.SAMBA_BINARY('test_heimdal_gensec_unwrap_des',
++ source='tests/heimdal_unwrap_des.c',
++ deps='cmocka talloc gssapi-subsystem',
++ local_include=False,
++ for_selftest=True,
++ 
enabled=(bld.CONFIG_SET('SAMBA4_USES_HEIMDAL') and
++ not bld.CONFIG_SET('USING_SYSTEM_GSSAPI')),
++ ldflags='''
++ -Wl,--wrap,ct_memcmp
++ -Wl,--wrap,der_get_length
++ -Wl,--wrap,krb5_auth_con_getlocalsubkey
++ -Wl,--wrap,krb5_crypto_destroy
++ -Wl,--wrap,krb5_crypto_init
++ -Wl,--wrap,krb5_decrypt
++ -Wl,--wrap,krb5_decrypt_ivec
++ -Wl,--wrap,krb5_free_keyblock
++ -Wl,--wrap,krb5_verify_checksum
++ -Wl,--wrap,malloc
++ '''
++)
++
+ pytalloc_util = bld.pyembed_libname('pytalloc-util')
+ pyparam_util = bld.pyembed_libname('pyparam_util')
+ pyldb_util = bld.pyembed_libname('pyldb-util')
+--
+2.25.1
+
+
+From b4eefd391b2511d306637a050807c0d68aaaede1 Mon Sep 17 00:00:00 2001
+From: Joseph Sutton
+Date: Wed, 12 Oct 2022 13:57:13 +1300
+Subject: [PATCH 04/11] CVE-2022-3437 source4/heimdal: Use constant-time
+ memcmp() for arcfour unwrap
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15134
+
+Signed-off-by: Joseph Sutton
+Reviewed-by: Andrew Bartlett
+
+[jsutton@samba.org Adapted to small differences in comparisons, and
+ removed erroneous duplicate code in conflicting region]
+---
+ source4/heimdal/lib/gssapi/krb5/arcfour.c | 24 +++++++----------------
+ 1 file changed, 7 insertions(+), 17 deletions(-)
+
+diff --git a/source4/heimdal/lib/gssapi/krb5/arcfour.c b/source4/heimdal/lib/gssapi/krb5/arcfour.c
+index a61f7686e95..c6b317ff683 100644
+--- a/source4/heimdal/lib/gssapi/krb5/arcfour.c
++++ b/source4/heimdal/lib/gssapi/krb5/arcfour.c
+@@ -385,9 +385,9 @@ _gssapi_verify_mic_arcfour(OM_uint32 * minor_status,
+ _gsskrb5_decode_be_om_uint32(SND_SEQ, &seq_number);
+
+ if (context_handle->more_flags & LOCAL)
+- cmp = memcmp(&SND_SEQ[4], "\xff\xff\xff\xff", 4);
++ cmp = ct_memcmp(&SND_SEQ[4], "\xff\xff\xff\xff", 4);
+ else
+- cmp = memcmp(&SND_SEQ[4], "\x00\x00\x00\x00", 4);
++ cmp = ct_memcmp(&SND_SEQ[4], "\x00\x00\x00\x00", 4);
+
+ memset(SND_SEQ, 0, sizeof(SND_SEQ));
+ if (cmp != 0) {
+@@ -656,9 +656,9 @@ OM_uint32 _gssapi_unwrap_arcfour(OM_uint32 *minor_status,
+ 
_gsskrb5_decode_be_om_uint32(SND_SEQ, &seq_number);
+
+ if (context_handle->more_flags & LOCAL)
+- cmp = memcmp(&SND_SEQ[4], "\xff\xff\xff\xff", 4);
++ cmp = ct_memcmp(&SND_SEQ[4], "\xff\xff\xff\xff", 4);
+ else
+- cmp = memcmp(&SND_SEQ[4], "\x00\x00\x00\x00", 4);
++ cmp = ct_memcmp(&SND_SEQ[4], "\x00\x00\x00\x00", 4);
+
+ if (cmp != 0) {
+ *minor_status = 0;
+@@ -1266,19 +1266,9 @@ _gssapi_unwrap_iov_arcfour(OM_uint32 *minor_status,
+ _gsskrb5_decode_be_om_uint32(snd_seq, &seq_number);
+
+ if (ctx->more_flags & LOCAL) {
+- cmp = memcmp(&snd_seq[4], "\xff\xff\xff\xff", 4);
++ cmp = ct_memcmp(&snd_seq[4], "\xff\xff\xff\xff", 4);
+ } else {
+- cmp = memcmp(&snd_seq[4], "\x00\x00\x00\x00", 4);
+- }
+- if (cmp != 0) {
+- *minor_status = 0;
+- return GSS_S_BAD_MIC;
+- }
+-
+- if (ctx->more_flags & LOCAL) {
+- cmp = memcmp(&snd_seq[4], "\xff\xff\xff\xff", 4);
+- } else {
+- cmp = memcmp(&snd_seq[4], "\x00\x00\x00\x00", 4);
++ cmp = ct_memcmp(&snd_seq[4], "\x00\x00\x00\x00", 4);
+ }
+ if (cmp != 0) {
+ *minor_status = 0;
+@@ -1353,7 +1343,7 @@ _gssapi_unwrap_iov_arcfour(OM_uint32 *minor_status,
+ return GSS_S_FAILURE;
+ }
+
+- cmp = memcmp(cksum_data, p0 + 16, 8); /* SGN_CKSUM */
++ cmp = ct_memcmp(cksum_data, p0 + 16, 8); /* SGN_CKSUM */
+ if (cmp != 0) {
+ *minor_status = 0;
+ return GSS_S_BAD_MIC;
+--
+2.25.1
+
+
+From 42b23fee3ad77aa29f6f7cbdcf8573756a68f95e Mon Sep 17 00:00:00 2001
+From: Joseph Sutton
+Date: Wed, 12 Oct 2022 13:57:55 +1300
+Subject: [PATCH 05/11] CVE-2022-3437 source4/heimdal: Use constant-time
+ memcmp() in unwrap_des3()
+
+The surrounding checks all use ct_memcmp(), so this one was presumably
+meant to as well. 
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15134
+
+Signed-off-by: Joseph Sutton
+Reviewed-by: Andrew Bartlett
+---
+ source4/heimdal/lib/gssapi/krb5/unwrap.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/source4/heimdal/lib/gssapi/krb5/unwrap.c b/source4/heimdal/lib/gssapi/krb5/unwrap.c
+index b3da35ee9e2..7111a7944fe 100644
+--- a/source4/heimdal/lib/gssapi/krb5/unwrap.c
++++ b/source4/heimdal/lib/gssapi/krb5/unwrap.c
+@@ -227,7 +227,7 @@ unwrap_des3
+ if (ret)
+ return ret;
+
+- if (memcmp (p, "\x04\x00", 2) != 0) /* HMAC SHA1 DES3_KD */
++ if (ct_memcmp (p, "\x04\x00", 2) != 0) /* HMAC SHA1 DES3_KD */
+ return GSS_S_BAD_SIG;
+ p += 2;
+ if (ct_memcmp (p, "\x02\x00", 2) == 0) {
+--
+2.25.1
+
+
+From 109a01fba88b641c988a04b14d911929ee82db92 Mon Sep 17 00:00:00 2001
+From: Joseph Sutton
+Date: Wed, 12 Oct 2022 13:57:42 +1300
+Subject: [PATCH 06/11] CVE-2022-3437 source4/heimdal: Don't pass NULL pointers
+ to memcpy() in DES unwrap
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15134
+
+Signed-off-by: Joseph Sutton
+Reviewed-by: Andrew Bartlett
+---
+ source4/heimdal/lib/gssapi/krb5/unwrap.c | 14 ++++++++------
+ 1 file changed, 8 insertions(+), 6 deletions(-)
+
+diff --git a/source4/heimdal/lib/gssapi/krb5/unwrap.c b/source4/heimdal/lib/gssapi/krb5/unwrap.c
+index 7111a7944fe..9639091cb3a 100644
+--- a/source4/heimdal/lib/gssapi/krb5/unwrap.c
++++ b/source4/heimdal/lib/gssapi/krb5/unwrap.c
+@@ -180,9 +180,10 @@ unwrap_des
+ output_message_buffer->value = malloc(output_message_buffer->length);
+ if(output_message_buffer->length != 0 && output_message_buffer->value == NULL)
+ return GSS_S_FAILURE;
+- memcpy (output_message_buffer->value,
+- p + 24,
+- output_message_buffer->length);
++ if (output_message_buffer->value != NULL)
++ memcpy (output_message_buffer->value,
++ p + 24,
++ output_message_buffer->length);
+ return GSS_S_COMPLETE;
+ }
+ #endif
+@@ -374,9 +375,10 @@ unwrap_des3
+ output_message_buffer->value = 
malloc(output_message_buffer->length);
+ if(output_message_buffer->length != 0 && output_message_buffer->value == NULL)
+ return GSS_S_FAILURE;
+- memcpy (output_message_buffer->value,
+- p + 36,
+- output_message_buffer->length);
++ if (output_message_buffer->value != NULL)
++ memcpy (output_message_buffer->value,
++ p + 36,
++ output_message_buffer->length);
+ return GSS_S_COMPLETE;
+ }
+
+--
+2.25.1
+
+
+From d466a7c156b0797ae9d6eaf49b2f4fd5c9e3e7eb Mon Sep 17 00:00:00 2001
+From: Joseph Sutton
+Date: Mon, 15 Aug 2022 16:53:45 +1200
+Subject: [PATCH 07/11] CVE-2022-3437 source4/heimdal: Avoid undefined
+ behaviour in _gssapi_verify_pad()
+
+By decrementing 'pad' only when we know it's safe, we ensure we can't
+stray backwards past the start of a buffer, which would be undefined
+behaviour.
+
+In the previous version of the loop, 'i' is the number of bytes left to
+check, and 'pad' is the current byte we're checking. 'pad' was
+decremented at the end of each loop iteration. If 'i' was 1 (so we
+checked the final byte), 'pad' could potentially be pointing to the
+first byte of the input buffer, and the decrement would put it one
+byte behind the buffer.
+
+That would be undefined behaviour.
+
+The patch changes it so that 'pad' is the byte we previously checked,
+which allows us to ensure that we only decrement it when we know we
+have a byte to check. 
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15134
+
+Signed-off-by: Joseph Sutton
+Reviewed-by: Andrew Bartlett
+---
+ source4/heimdal/lib/gssapi/krb5/decapsulate.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/source4/heimdal/lib/gssapi/krb5/decapsulate.c b/source4/heimdal/lib/gssapi/krb5/decapsulate.c
+index 86085f56950..4e3fcd659e9 100644
+--- a/source4/heimdal/lib/gssapi/krb5/decapsulate.c
++++ b/source4/heimdal/lib/gssapi/krb5/decapsulate.c
+@@ -193,13 +193,13 @@ _gssapi_verify_pad(gss_buffer_t wrapped_token,
+ if (wrapped_token->length < 1)
+ return GSS_S_BAD_MECH;
+
+- pad = (u_char *)wrapped_token->value + wrapped_token->length - 1;
+- padlength = *pad;
++ pad = (u_char *)wrapped_token->value + wrapped_token->length;
++ padlength = pad[-1];
+
+ if (padlength > datalen)
+ return GSS_S_BAD_MECH;
+
+- for (i = padlength; i > 0 && *pad == padlength; i--, pad--)
++ for (i = padlength; i > 0 && *--pad == padlength; i--)
+ ;
+ if (i != 0)
+ return GSS_S_BAD_MIC;
+--
+2.25.1
+
+
+From 73e28ffbce8894c93374feb95c4ed1a87f2e6051 Mon Sep 17 00:00:00 2001
+From: Joseph Sutton
+Date: Mon, 15 Aug 2022 16:53:55 +1200
+Subject: [PATCH 08/11] CVE-2022-3437 source4/heimdal: Check the result of
+ _gsskrb5_get_mech()
+
+We should make sure that the result of 'total_len - mech_len' won't
+overflow, and that we don't memcmp() past the end of the buffer. 
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15134
+
+Signed-off-by: Joseph Sutton
+Reviewed-by: Andrew Bartlett
+---
+ selftest/knownfail.d/heimdal-des-overflow | 1 -
+ source4/heimdal/lib/gssapi/krb5/decapsulate.c | 4 ++++
+ 2 files changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/selftest/knownfail.d/heimdal-des-overflow b/selftest/knownfail.d/heimdal-des-overflow
+index 23acbb43d31..68b304530db 100644
+--- a/selftest/knownfail.d/heimdal-des-overflow
++++ b/selftest/knownfail.d/heimdal-des-overflow
+@@ -3,7 +3,6 @@
+ ^samba.unittests.auth.heimdal_gensec_unwrap_des.test_unwrap_missing_8_bytes.none
+ ^samba.unittests.auth.heimdal_gensec_unwrap_des.test_unwrap_missing_payload.none
+ ^samba.unittests.auth.heimdal_gensec_unwrap_des.test_unwrap_truncated_header_0.none
+-^samba.unittests.auth.heimdal_gensec_unwrap_des.test_unwrap_truncated_header_1.none
+ ^samba.unittests.auth.heimdal_gensec_unwrap_des.test_unwrap_with_padding_truncated_0.none
+ ^samba.unittests.auth.heimdal_gensec_unwrap_des.test_unwrap_with_padding_truncated_1.none
+ ^samba.unittests.auth.heimdal_gensec_unwrap_des.test_unwrap_with_seal_missing_payload.none
+diff --git a/source4/heimdal/lib/gssapi/krb5/decapsulate.c b/source4/heimdal/lib/gssapi/krb5/decapsulate.c
+index 4e3fcd659e9..031a621eabc 100644
+--- a/source4/heimdal/lib/gssapi/krb5/decapsulate.c
++++ b/source4/heimdal/lib/gssapi/krb5/decapsulate.c
+@@ -80,6 +80,10 @@ _gssapi_verify_mech_header(u_char **str,
+
+ if (mech_len != mech->length)
+ return GSS_S_BAD_MECH;
++ if (mech_len > total_len)
++ return GSS_S_BAD_MECH;
++ if (p - *str > total_len - mech_len)
++ return GSS_S_BAD_MECH;
+ if (ct_memcmp(p,
+ mech->elements,
+ mech->length) != 0)
+--
+2.25.1
+
+
+From 3320c411c5cdf8bb9e4bc945e8bbe0947933d5e1 Mon Sep 17 00:00:00 2001
+From: Joseph Sutton
+Date: Mon, 15 Aug 2022 16:54:23 +1200
+Subject: [PATCH 09/11] CVE-2022-3437 source4/heimdal: Check buffer length
+ against overflow for DES{,3} unwrap
+
+BUG: 
https://bugzilla.samba.org/show_bug.cgi?id=15134
+
+Signed-off-by: Joseph Sutton
+Reviewed-by: Andrew Bartlett
+---
+ selftest/knownfail.d/heimdal-des-overflow | 5 -----
+ source4/heimdal/lib/gssapi/krb5/unwrap.c | 14 ++++++++++++++
+ 2 files changed, 14 insertions(+), 5 deletions(-)
+
+diff --git a/selftest/knownfail.d/heimdal-des-overflow b/selftest/knownfail.d/heimdal-des-overflow
+index 68b304530db..94a49bbee7f 100644
+--- a/selftest/knownfail.d/heimdal-des-overflow
++++ b/selftest/knownfail.d/heimdal-des-overflow
+@@ -1,8 +1,3 @@
+-^samba.unittests.auth.heimdal_gensec_unwrap_des.test_unwrap_dce_style_missing_payload.none
+-^samba.unittests.auth.heimdal_gensec_unwrap_des.test_unwrap_dce_style_with_seal_missing_payload.none
+-^samba.unittests.auth.heimdal_gensec_unwrap_des.test_unwrap_missing_8_bytes.none
+-^samba.unittests.auth.heimdal_gensec_unwrap_des.test_unwrap_missing_payload.none
+ ^samba.unittests.auth.heimdal_gensec_unwrap_des.test_unwrap_truncated_header_0.none
+ ^samba.unittests.auth.heimdal_gensec_unwrap_des.test_unwrap_with_padding_truncated_0.none
+ ^samba.unittests.auth.heimdal_gensec_unwrap_des.test_unwrap_with_padding_truncated_1.none
+-^samba.unittests.auth.heimdal_gensec_unwrap_des.test_unwrap_with_seal_missing_payload.none
+diff --git a/source4/heimdal/lib/gssapi/krb5/unwrap.c b/source4/heimdal/lib/gssapi/krb5/unwrap.c
+index 9639091cb3a..70d26a75ccf 100644
+--- a/source4/heimdal/lib/gssapi/krb5/unwrap.c
++++ b/source4/heimdal/lib/gssapi/krb5/unwrap.c
+@@ -64,6 +64,8 @@ unwrap_des
+
+ if (IS_DCE_STYLE(context_handle)) {
+ token_len = 22 + 8 + 15; /* 45 */
++ if (input_message_buffer->length < token_len)
++ return GSS_S_BAD_MECH;
+ } else {
+ token_len = input_message_buffer->length;
+ }
+@@ -76,6 +78,11 @@ unwrap_des
+ if (ret)
+ return ret;
+
++ len = (p - (u_char *)input_message_buffer->value)
++ + 22 + 8;
++ if (input_message_buffer->length < len)
++ return GSS_S_BAD_MECH;
++
+ if (memcmp (p, "\x00\x00", 2) != 0)
+ return GSS_S_BAD_SIG;
+ 
p += 2;
+@@ -216,6 +223,8 @@ unwrap_des3
+
+ if (IS_DCE_STYLE(context_handle)) {
+ token_len = 34 + 8 + 15; /* 57 */
++ if (input_message_buffer->length < token_len)
++ return GSS_S_BAD_MECH;
+ } else {
+ token_len = input_message_buffer->length;
+ }
+@@ -228,6 +237,11 @@ unwrap_des3
+ if (ret)
+ return ret;
+
++ len = (p - (u_char *)input_message_buffer->value)
++ + 34 + 8;
++ if (input_message_buffer->length < len)
++ return GSS_S_BAD_MECH;
++
+ if (ct_memcmp (p, "\x04\x00", 2) != 0) /* HMAC SHA1 DES3_KD */
+ return GSS_S_BAD_SIG;
+ p += 2;
+--
+2.25.1
+
+
+From 9eb844370966625733f90d17a5d9ad611002567f Mon Sep 17 00:00:00 2001
+From: Joseph Sutton
+Date: Mon, 10 Oct 2022 20:33:09 +1300
+Subject: [PATCH 10/11] CVE-2022-3437 source4/heimdal: Check for overflow in
+ _gsskrb5_get_mech()
+
+If len_len is equal to total_len - 1 (i.e. the input consists only of a
+0x60 byte and a length), the expression 'total_len - 1 - len_len - 1',
+used as the 'len' parameter to der_get_length(), will overflow to
+SIZE_MAX. Then der_get_length() will proceed to read, unconstrained,
+whatever data follows in memory. Add a check to ensure that doesn't
+happen. 
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15134
+
+Signed-off-by: Joseph Sutton
+Reviewed-by: Andrew Bartlett
+---
+ selftest/knownfail.d/heimdal-des-overflow | 1 -
+ source4/heimdal/lib/gssapi/krb5/decapsulate.c | 2 ++
+ 2 files changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/selftest/knownfail.d/heimdal-des-overflow b/selftest/knownfail.d/heimdal-des-overflow
+index 94a49bbee7f..a7416dc61d9 100644
+--- a/selftest/knownfail.d/heimdal-des-overflow
++++ b/selftest/knownfail.d/heimdal-des-overflow
+@@ -1,3 +1,2 @@
+-^samba.unittests.auth.heimdal_gensec_unwrap_des.test_unwrap_truncated_header_0.none
+ ^samba.unittests.auth.heimdal_gensec_unwrap_des.test_unwrap_with_padding_truncated_0.none
+ ^samba.unittests.auth.heimdal_gensec_unwrap_des.test_unwrap_with_padding_truncated_1.none
+diff --git a/source4/heimdal/lib/gssapi/krb5/decapsulate.c b/source4/heimdal/lib/gssapi/krb5/decapsulate.c
+index 031a621eabc..d7b75a64222 100644
+--- a/source4/heimdal/lib/gssapi/krb5/decapsulate.c
++++ b/source4/heimdal/lib/gssapi/krb5/decapsulate.c
+@@ -54,6 +54,8 @@ _gsskrb5_get_mech (const u_char *ptr,
+ e = der_get_length (p, total_len - 1, &len, &len_len);
+ if (e || 1 + len_len + len != total_len)
+ return -1;
++ if (total_len < 1 + len_len + 1)
++ return -1;
+ p += len_len;
+ if (*p++ != 0x06)
+ return -1;
+--
+2.25.1
+
+
+From 4c272bd20bbd512a63889e25f86506324957d232 Mon Sep 17 00:00:00 2001
+From: Joseph Sutton
+Date: Wed, 12 Oct 2022 13:57:33 +1300
+Subject: [PATCH 11/11] CVE-2022-3437 source4/heimdal: Pass correct length to
+ _gssapi_verify_pad()
+
+We later subtract 8 when calculating the length of the output message
+buffer. If padlength is excessively high, this calculation can underflow
+and result in a very large positive value.
+
+Now we properly constrain the value of padlength so underflow shouldn't
+be possible. 
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15134
+
+Signed-off-by: Joseph Sutton
+Reviewed-by: Andrew Bartlett
+---
+ selftest/knownfail.d/heimdal-des-overflow | 2 --
+ source4/heimdal/lib/gssapi/krb5/unwrap.c | 4 ++--
+ 2 files changed, 2 insertions(+), 4 deletions(-)
+ delete mode 100644 selftest/knownfail.d/heimdal-des-overflow
+
+diff --git a/selftest/knownfail.d/heimdal-des-overflow b/selftest/knownfail.d/heimdal-des-overflow
+deleted file mode 100644
+index a7416dc61d9..00000000000
+--- a/selftest/knownfail.d/heimdal-des-overflow
++++ /dev/null
+@@ -1,2 +0,0 @@
+-^samba.unittests.auth.heimdal_gensec_unwrap_des.test_unwrap_with_padding_truncated_0.none
+-^samba.unittests.auth.heimdal_gensec_unwrap_des.test_unwrap_with_padding_truncated_1.none
+diff --git a/source4/heimdal/lib/gssapi/krb5/unwrap.c b/source4/heimdal/lib/gssapi/krb5/unwrap.c
+index 70d26a75ccf..ed8f7d78ffa 100644
+--- a/source4/heimdal/lib/gssapi/krb5/unwrap.c
++++ b/source4/heimdal/lib/gssapi/krb5/unwrap.c
+@@ -124,7 +124,7 @@ unwrap_des
+ } else {
+ /* check pad */
+ ret = _gssapi_verify_pad(input_message_buffer,
+- input_message_buffer->length - len,
++ input_message_buffer->length - len - 8,
+ &padlength);
+ if (ret)
+ return ret;
+@@ -289,7 +289,7 @@ unwrap_des3
+ } else {
+ /* check pad */
+ ret = _gssapi_verify_pad(input_message_buffer,
+- input_message_buffer->length - len,
++ input_message_buffer->length - len - 8,
+ &padlength);
+ if (ret)
+ return ret;
+--
+2.25.1
+
diff --git a/net/samba413/files/patch-bind b/net/samba413/files/patch-bind
deleted file mode 100644
index 137d00026136..000000000000
--- a/net/samba413/files/patch-bind
+++ /dev/null
@@ -1,274 +0,0 @@
---- python/samba/provision/sambadns.py.orig 2020-11-03 14:33:19 UTC
-+++ python/samba/provision/sambadns.py
-@@ -27,6 +27,7 @@ import time
- import ldb
- from base64 import b64encode
- import subprocess
-+import re
- import samba
- from samba.tdb_util import tdb_copy
- from samba.mdb_util import mdb_copy
-@@ -957,47 +958,38 @@ def create_named_conf(paths, realm, dnsdomain, dns_bac
- stderr=subprocess.STDOUT,
- cwd='.').communicate()[0]
- bind_info = get_string(bind_info)
-- bind9_8 = '#'
-- bind9_9 = '#'
-- bind9_10 = '#'
-- bind9_11 = '#'
-- bind9_12 = '#'
-- bind9_14 = '#'
-- bind9_16 = '#'
-- if bind_info.upper().find('BIND 9.8') != -1:
-- bind9_8 = ''
-- elif bind_info.upper().find('BIND 9.9') != -1:
-- bind9_9 = ''
-- elif bind_info.upper().find('BIND 9.10') != -1:
-- bind9_10 = ''
-- elif bind_info.upper().find('BIND 9.11') != -1:
-- bind9_11 = ''
-- elif bind_info.upper().find('BIND 9.12') != -1:
-- bind9_12 = ''
-- elif bind_info.upper().find('BIND 9.14') != -1:
-- bind9_14 = ''
-- elif bind_info.upper().find('BIND 9.16') != -1:
-- bind9_16 = ''
-- elif bind_info.upper().find('BIND 9.7') != -1:
-- raise ProvisioningError("DLZ option incompatible with BIND 9.7.")
-- elif bind_info.upper().find('BIND_9.13') != -1:
-- raise ProvisioningError("Only stable/esv releases of BIND are supported.")
-- elif bind_info.upper().find('BIND_9.15') != -1:
-- raise ProvisioningError("Only stable/esv releases of BIND are supported.")
-- elif bind_info.upper().find('BIND_9.17') != -1:
-- raise ProvisioningError("Only stable/esv releases of BIND are supported.")
-+
-+ bind9_release = re.search('BIND (9)\.(\d+)\.', bind_info, re.I)
-+ if bind9_release:
-+ bind9_disabled = ''
-+ bind9_version = bind9_release.group(0) + "x"
-+ bind9_version_major = int(bind9_release.group(1))
-+ bind9_version_minor = int(bind9_release.group(2))
-+ if bind9_version_minor == 7:
-+ raise ProvisioningError("DLZ option incompatible with BIND 9.7.")
-+ elif bind9_version_minor == 8: 
-+ bind9_dlz_version = "9"
-+ elif bind9_version_minor in [13, 15, 17]:
-+ raise ProvisioningError("Only stable/esv releases of BIND are supported.")
-+ else:
-+ bind9_dlz_version = "%d_%d" % (bind9_version_major, bind9_version_minor)
- else:
-+ bind9_disabled = '# '
-+ bind9_version = "BIND z.y.x"
-+ bind9_dlz_version = "z_y"
- logger.warning("BIND version unknown, please modify %s manually." % paths.namedconf)
-+
-+ bind9_dlz = (
-+ ' # For %s\n'
-+ ' %sdatabase "dlopen %s/bind9/dlz_bind%s.so";'
-+ ) % (
-+ bind9_version, bind9_disabled, samba.param.modules_dir(), bind9_dlz_version
-+ )
-+
- setup_file(setup_path("named.conf.dlz"), paths.namedconf, {
- "NAMED_CONF": paths.namedconf,
- "MODULESDIR": samba.param.modules_dir(),
-- "BIND9_8": bind9_8,
-- "BIND9_9": bind9_9,
-- "BIND9_10": bind9_10,
-- "BIND9_11": bind9_11,
-- "BIND9_12": bind9_12,
-- "BIND9_14": bind9_14,
-- "BIND9_16": bind9_16
-+ "BIND9_DLZ": bind9_dlz
- })
-
-
---- source4/dns_server/dlz_minimal.h.orig 2019-12-06 10:10:30 UTC
-+++ source4/dns_server/dlz_minimal.h
-@@ -26,32 +26,31 @@
- #include
- #include
-
--#if defined (BIND_VERSION_9_8)
--# define DLZ_DLOPEN_VERSION 1
--#elif defined (BIND_VERSION_9_9)
--# define DLZ_DLOPEN_VERSION 2
--# define DNS_CLIENTINFO_VERSION 1
--# define ISC_BOOLEAN_AS_BOOL 0
--#elif defined (BIND_VERSION_9_10)
--# define DLZ_DLOPEN_VERSION 3
--# define DNS_CLIENTINFO_VERSION 1
--# define ISC_BOOLEAN_AS_BOOL 0
--#elif defined (BIND_VERSION_9_11)
--# define DLZ_DLOPEN_VERSION 3
--# define DNS_CLIENTINFO_VERSION 2
--# define ISC_BOOLEAN_AS_BOOL 0
--#elif defined (BIND_VERSION_9_12)
--# define DLZ_DLOPEN_VERSION 3
--# define DNS_CLIENTINFO_VERSION 2
--# define ISC_BOOLEAN_AS_BOOL 0
--#elif defined (BIND_VERSION_9_14)
--# define DLZ_DLOPEN_VERSION 3
--# define DNS_CLIENTINFO_VERSION 2
--#elif defined (BIND_VERSION_9_16)
--# define DLZ_DLOPEN_VERSION 3
--# define DNS_CLIENTINFO_VERSION 2
-+#if defined (BIND_VERSION)
-+# if BIND_VERSION == 908
-+# define DLZ_DLOPEN_VERSION 1 
-+# elif BIND_VERSION == 909
-+# define DLZ_DLOPEN_VERSION 2
-+# define DNS_CLIENTINFO_VERSION 1
-+# define ISC_BOOLEAN_AS_BOOL 0
-+# elif BIND_VERSION == 910
-+# define DLZ_DLOPEN_VERSION 3
-+# define DNS_CLIENTINFO_VERSION 1
-+# define ISC_BOOLEAN_AS_BOOL 0
-+# elif BIND_VERSION == 911 || BIND_VERSION == 912
-+# define DLZ_DLOPEN_VERSION 3
-+# define DNS_CLIENTINFO_VERSION 2
-+# define ISC_BOOLEAN_AS_BOOL 0
-+# elif BIND_VERSION >= 914
-+# define DLZ_DLOPEN_VERSION 3
-+# define DNS_CLIENTINFO_VERSION 2
-+# define ISC_BOOLEAN_AS_BOOL 1
-+# else
-+# error Unsupported BIND version
-+# endif
- #else
- # error Unsupported BIND version
-+# error BIND_VERSION undefined
- #endif
-
- #ifndef ISC_BOOLEAN_AS_BOOL
---- source4/dns_server/wscript_build.orig 2019-12-06 10:11:08 UTC
-+++ source4/dns_server/wscript_build
-@@ -20,7 +20,7 @@ bld.SAMBA_MODULE('service_dns',
- # a bind9 dlz module giving access to the Samba DNS SAM
- bld.SAMBA_LIBRARY('dlz_bind9',
- source='dlz_bind9.c',
-- cflags='-DBIND_VERSION_9_8',
-+ cflags='-DBIND_VERSION=908',
- private_library=True,
- link_name='modules/bind9/dlz_bind9.so',
- realname='dlz_bind9.so',
-@@ -28,69 +28,21 @@ bld.SAMBA_LIBRARY('dlz_bind9',
- deps='samba-hostconfig samdb-common gensec popt dnsserver_common',
- enabled=bld.AD_DC_BUILD_IS_ENABLED())
-
--bld.SAMBA_LIBRARY('dlz_bind9_9',
-+for bind_version in (909, 910, 911, 912, 914, 916):
-+ string_version='%d_%d' % (bind_version//100, bind_version % 100)
-+ bld.SAMBA_LIBRARY('dlz_bind%s' % (string_version),
- source='dlz_bind9.c',
-- cflags='-DBIND_VERSION_9_9',
-+ cflags='-DBIND_VERSION=%d' % bind_version,
- private_library=True,
-- link_name='modules/bind9/dlz_bind9_9.so',
-- realname='dlz_bind9_9.so',
-+ link_name='modules/bind9/dlz_bind%s.so' % (string_version),
-+ realname='dlz_bind%s.so' % (string_version),
- install_path='${MODULESDIR}/bind9',
- deps='samba-hostconfig samdb-common gensec popt dnsserver_common',
- enabled=bld.AD_DC_BUILD_IS_ENABLED())
- 
--bld.SAMBA_LIBRARY('dlz_bind9_10',
-- source='dlz_bind9.c',
-- cflags='-DBIND_VERSION_9_10',
-- private_library=True,
-- link_name='modules/bind9/dlz_bind9_10.so',
-- realname='dlz_bind9_10.so',
-- install_path='${MODULESDIR}/bind9',
-- deps='samba-hostconfig samdb-common gensec popt dnsserver_common',
-- enabled=bld.AD_DC_BUILD_IS_ENABLED())
--
--bld.SAMBA_LIBRARY('dlz_bind9_11',
-- source='dlz_bind9.c',
-- cflags='-DBIND_VERSION_9_11',
-- private_library=True,
-- link_name='modules/bind9/dlz_bind9_11.so',
-- realname='dlz_bind9_11.so',
-- install_path='${MODULESDIR}/bind9',
-- deps='samba-hostconfig samdb-common gensec popt dnsserver_common',
-- enabled=bld.AD_DC_BUILD_IS_ENABLED())
--
--bld.SAMBA_LIBRARY('dlz_bind9_12',
-- source='dlz_bind9.c',
-- cflags='-DBIND_VERSION_9_12',
-- private_library=True,
-- link_name='modules/bind9/dlz_bind9_12.so',
-- realname='dlz_bind9_12.so',
-- install_path='${MODULESDIR}/bind9',
-- deps='samba-hostconfig samdb-common gensec popt dnsserver_common',
-- enabled=bld.AD_DC_BUILD_IS_ENABLED())
--
--bld.SAMBA_LIBRARY('dlz_bind9_14',
-- source='dlz_bind9.c',
-- cflags='-DBIND_VERSION_9_14',
-- private_library=True,
-- link_name='modules/bind9/dlz_bind9_14.so',
-- realname='dlz_bind9_14.so',
-- install_path='${MODULESDIR}/bind9',
-- deps='samba-hostconfig samdb-common gensec popt dnsserver_common',
-- enabled=bld.AD_DC_BUILD_IS_ENABLED())
--
--bld.SAMBA_LIBRARY('dlz_bind9_16',
-- source='dlz_bind9.c',
-- cflags='-DBIND_VERSION_9_16',
-- private_library=True,
-- link_name='modules/bind9/dlz_bind9_16.so',
-- realname='dlz_bind9_16.so',
-- install_path='${MODULESDIR}/bind9',
-- deps='samba-hostconfig samdb-common gensec popt dnsserver_common',
-- enabled=bld.AD_DC_BUILD_IS_ENABLED())
--
- bld.SAMBA_LIBRARY('dlz_bind9_for_torture',
- source='dlz_bind9.c',
-- cflags='-DBIND_VERSION_9_8',
-+ cflags='-DBIND_VERSION=908',
- private_library=True,
- deps='samba-hostconfig samdb-common gensec popt dnsserver_common',
- 
enabled=bld.AD_DC_BUILD_IS_ENABLED())
---- source4/setup/named.conf.dlz.orig 2019-12-06 10:10:31 UTC
-+++ source4/setup/named.conf.dlz
-@@ -7,28 +7,10 @@
-
- #
- # This configures dynamically loadable zones (DLZ) from AD schema
--# Uncomment only single database line, depending on your BIND version
- #
- dlz "AD DNS Zone" {
-- # For BIND 9.8.x
-- ${BIND9_8} database "dlopen ${MODULESDIR}/bind9/dlz_bind9.so";
-
-- # For BIND 9.9.x
-- ${BIND9_9} database "dlopen ${MODULESDIR}/bind9/dlz_bind9_9.so";
-+${BIND9_DLZ}
-
-- # For BIND 9.10.x
-- ${BIND9_10} database "dlopen ${MODULESDIR}/bind9/dlz_bind9_10.so";
--
-- # For BIND 9.11.x
-- ${BIND9_11} database "dlopen ${MODULESDIR}/bind9/dlz_bind9_11.so";
--
-- # For BIND 9.12.x
-- ${BIND9_12} database "dlopen ${MODULESDIR}/bind9/dlz_bind9_12.so";
--
-- # For BIND 9.14.x
-- ${BIND9_14} database "dlopen ${MODULESDIR}/bind9/dlz_bind9_14.so";
--
-- # For BIND 9.16.x
-- ${BIND9_16} database "dlopen ${MODULESDIR}/bind9/dlz_bind9_16.so";
- };
-
---- source4/torture/dns/wscript_build.orig 2020-04-11 03:26:46 UTC
-+++ source4/torture/dns/wscript_build
-@@ -5,7 +5,7 @@ if bld.AD_DC_BUILD_IS_ENABLED():
- source='dlz_bind9.c',
- subsystem='smbtorture',
- init_function='torture_bind_dns_init',
-- cflags='-DBIND_VERSION_9_8',
-+ cflags='-DBIND_VERSION=908',
- deps='torture talloc torturemain dlz_bind9_for_torture',
- internal_module=True
- )
diff --git a/net/samba413/pkg-plist.ad_dc b/net/samba413/pkg-plist.ad_dc
index b7c8a91fbba4..13cd9bee6fd3 100644
--- a/net/samba413/pkg-plist.ad_dc
+++ b/net/samba413/pkg-plist.ad_dc
@@ -1,173 +1,172 @@
 bin/samba-tool
 sbin/samba_downgrade_db
 sbin/samba
 sbin/samba_dnsupdate
 sbin/samba_kcc
 sbin/samba_spnupdate
 sbin/samba_upgradedns
 include/samba4/dcerpc_server.h
 lib/samba4/libdcerpc-server.so
 lib/samba4/libdcerpc-server.so.0
 lib/samba4/private/libdlz-bind9-for-torture-samba4.so
 lib/samba4/private/libprocess-model-samba4.so
 lib/samba4/private/libservice-samba4.so
 %%GSSAPI_BUILTIN%%lib/samba4/private/libHDB-SAMBA4-samba4.so
 lib/samba4/private/libdb-glue-samba4.so
 lib/samba4/private/libdfs-server-ad-samba4.so
 lib/samba4/private/libdnsserver-common-samba4.so
 lib/samba4/private/libdsdb-garbage-collect-tombstones-samba4.so
 lib/samba4/private/libpac-samba4.so
 lib/samba4/private/libscavenge-dns-records-samba4.so
-%%SAMBA4_MODULEDIR%%/bind9/dlz_bind9.so
-%%SAMBA4_MODULEDIR%%/bind9/dlz_bind9_9.so
 %%SAMBA4_MODULEDIR%%/bind9/dlz_bind9_10.so
 %%SAMBA4_MODULEDIR%%/bind9/dlz_bind9_11.so
 %%SAMBA4_MODULEDIR%%/bind9/dlz_bind9_12.so
 %%SAMBA4_MODULEDIR%%/bind9/dlz_bind9_14.so
 %%SAMBA4_MODULEDIR%%/bind9/dlz_bind9_16.so
+%%SAMBA4_MODULEDIR%%/bind9/dlz_bind9_18.so
 %%SAMBA4_MODULEDIR%%/gensec/krb5.so
 %%SAMBA4_MODULEDIR%%/ldb/acl.so
 %%SAMBA4_MODULEDIR%%/ldb/aclread.so
 %%SAMBA4_MODULEDIR%%/ldb/anr.so
 %%SAMBA4_MODULEDIR%%/ldb/audit_log.so
 %%SAMBA4_MODULEDIR%%/ldb/descriptor.so
 %%SAMBA4_MODULEDIR%%/ldb/dirsync.so
 %%SAMBA4_MODULEDIR%%/ldb/dns_notify.so
 %%SAMBA4_MODULEDIR%%/ldb/dsdb_notification.so
 %%SAMBA4_MODULEDIR%%/ldb/encrypted_secrets.so
 %%SAMBA4_MODULEDIR%%/ldb/extended_dn_in.so
 %%SAMBA4_MODULEDIR%%/ldb/extended_dn_out.so
 %%SAMBA4_MODULEDIR%%/ldb/extended_dn_store.so
 %%SAMBA4_MODULEDIR%%/ldb/group_audit_log.so
 %%SAMBA4_MODULEDIR%%/ldb/instancetype.so
 %%SAMBA4_MODULEDIR%%/ldb/lazy_commit.so
 %%SAMBA4_MODULEDIR%%/ldb/linked_attributes.so
 %%SAMBA4_MODULEDIR%%/ldb/new_partition.so
 %%SAMBA4_MODULEDIR%%/ldb/objectclass_attrs.so
 %%SAMBA4_MODULEDIR%%/ldb/objectclass.so
 %%SAMBA4_MODULEDIR%%/ldb/objectguid.so
 %%SAMBA4_MODULEDIR%%/ldb/operational.so
 %%SAMBA4_MODULEDIR%%/ldb/paged_results.so
 %%SAMBA4_MODULEDIR%%/ldb/partition.so
 %%SAMBA4_MODULEDIR%%/ldb/password_hash.so
 %%SAMBA4_MODULEDIR%%/ldb/ranged_results.so
 %%SAMBA4_MODULEDIR%%/ldb/repl_meta_data.so
 %%SAMBA4_MODULEDIR%%/ldb/resolve_oids.so
 %%SAMBA4_MODULEDIR%%/ldb/rootdse.so
 %%SAMBA4_MODULEDIR%%/ldb/samba_dsdb.so
 %%SAMBA4_MODULEDIR%%/ldb/samba_secrets.so
 %%SAMBA4_MODULEDIR%%/ldb/samba3sam.so
 %%SAMBA4_MODULEDIR%%/ldb/samba3sid.so
 %%SAMBA4_MODULEDIR%%/ldb/samldb.so
 %%SAMBA4_MODULEDIR%%/ldb/schema_data.so
 %%SAMBA4_MODULEDIR%%/ldb/schema_load.so
 %%SAMBA4_MODULEDIR%%/ldb/secrets_tdb_sync.so
 %%SAMBA4_MODULEDIR%%/ldb/show_deleted.so
 %%SAMBA4_MODULEDIR%%/ldb/subtree_delete.so
 %%SAMBA4_MODULEDIR%%/ldb/subtree_rename.so
 %%SAMBA4_MODULEDIR%%/ldb/tombstone_reanimate.so
 %%SAMBA4_MODULEDIR%%/ldb/unique_object_sids.so
 %%SAMBA4_MODULEDIR%%/ldb/update_keytab.so
 %%SAMBA4_MODULEDIR%%/ldb/vlv.so
 %%SAMBA4_MODULEDIR%%/ldb/wins_ldb.so
 %%SAMBA4_MODULEDIR%%/process_model/prefork.so
 %%SAMBA4_MODULEDIR%%/process_model/standard.so
 %%SAMBA4_MODULEDIR%%/service/cldap.so
 %%SAMBA4_MODULEDIR%%/service/dcerpc.so
 %%SAMBA4_MODULEDIR%%/service/dns_update.so
 %%SAMBA4_MODULEDIR%%/service/dns.so
 %%SAMBA4_MODULEDIR%%/service/drepl.so
 %%SAMBA4_MODULEDIR%%/service/kcc.so
 %%SAMBA4_MODULEDIR%%/service/kdc.so
 %%SAMBA4_MODULEDIR%%/service/ldap.so
 %%SAMBA4_MODULEDIR%%/service/nbtd.so
 %%SAMBA4_MODULEDIR%%/service/ntp_signd.so
 %%SAMBA4_MODULEDIR%%/service/s3fs.so
 %%SAMBA4_MODULEDIR%%/service/winbindd.so
 %%SAMBA4_MODULEDIR%%/service/wrepl.so
 %%SAMBA4_MODULEDIR%%/vfs/posix_eadb.so
 %%PKGCONFIGDIR%%/dcerpc_server.pc
 %%DATADIR%%/samba/admx/en-US/samba.adml
 %%DATADIR%%/samba/admx/samba.admx
 %%DATADIR%%/setup/ad-schema/AD_DS_Attributes__Windows_Server_2012_R2.ldf
 %%DATADIR%%/setup/ad-schema/AD_DS_Attributes__Windows_Server_2016.ldf
 %%DATADIR%%/setup/ad-schema/AD_DS_Classes__Windows_Server_2012_R2.ldf
 %%DATADIR%%/setup/ad-schema/AD_DS_Classes__Windows_Server_2016.ldf
 %%DATADIR%%/setup/ad-schema/Attributes_for_AD_DS__Windows_Server_2008_R2.ldf
 %%DATADIR%%/setup/ad-schema/Attributes_for_AD_DS__Windows_Server_2012.ldf
 %%DATADIR%%/setup/ad-schema/Classes_for_AD_DS__Windows_Server_2008_R2.ldf
 %%DATADIR%%/setup/ad-schema/Classes_for_AD_DS__Windows_Server_2012.ldf
 %%DATADIR%%/setup/ad-schema/licence.txt
 %%DATADIR%%/setup/ad-schema/MS-AD_Schema_2K8_Attributes.txt
 %%DATADIR%%/setup/ad-schema/MS-AD_Schema_2K8_Classes.txt
 %%DATADIR%%/setup/ad-schema/MS-AD_Schema_2K8_R2_Attributes.txt
 %%DATADIR%%/setup/ad-schema/MS-AD_Schema_2K8_R2_Classes.txt
 %%DATADIR%%/setup/adprep/fix-forest-rev.ldf
 %%DATADIR%%/setup/adprep/WindowsServerDocs/Forest-Wide-Updates.md
 %%DATADIR%%/setup/adprep/WindowsServerDocs/Sch49.ldf.diff
 %%DATADIR%%/setup/adprep/WindowsServerDocs/Sch50.ldf.diff
 %%DATADIR%%/setup/adprep/WindowsServerDocs/Sch51.ldf.diff
 %%DATADIR%%/setup/adprep/WindowsServerDocs/Sch57.ldf.diff
 %%DATADIR%%/setup/adprep/WindowsServerDocs/Sch59.ldf.diff
 %%DATADIR%%/setup/adprep/WindowsServerDocs/Schema-Updates.md
 %%DATADIR%%/setup/aggregate_schema.ldif
 %%DATADIR%%/setup/display-specifiers/DisplaySpecifiers-Win2k0.txt
 %%DATADIR%%/setup/display-specifiers/DisplaySpecifiers-Win2k3.txt
 %%DATADIR%%/setup/display-specifiers/DisplaySpecifiers-Win2k3R2.txt
 %%DATADIR%%/setup/display-specifiers/DisplaySpecifiers-Win2k8.txt
 %%DATADIR%%/setup/display-specifiers/DisplaySpecifiers-Win2k8R2.txt
 %%DATADIR%%/setup/dns_update_list
 %%DATADIR%%/setup/extended-rights.ldif
 %%DATADIR%%/setup/idmap_init.ldif
 %%DATADIR%%/setup/krb5.conf
 %%DATADIR%%/setup/named.conf
 %%DATADIR%%/setup/named.conf.dlz
 %%DATADIR%%/setup/named.conf.update
 %%DATADIR%%/setup/named.txt
 %%DATADIR%%/setup/prefixMap.txt
 %%DATADIR%%/setup/provision_basedn_modify.ldif
 %%DATADIR%%/setup/provision_basedn_options.ldif
 %%DATADIR%%/setup/provision_basedn_references.ldif
 %%DATADIR%%/setup/provision_basedn.ldif
 %%DATADIR%%/setup/provision_computers_add.ldif
 %%DATADIR%%/setup/provision_computers_modify.ldif
 %%DATADIR%%/setup/provision_configuration_basedn.ldif
 %%DATADIR%%/setup/provision_configuration_modify.ldif
 %%DATADIR%%/setup/provision_configuration_references.ldif
 %%DATADIR%%/setup/provision_configuration.ldif
 %%DATADIR%%/setup/provision_dns_accounts_add.ldif
 %%DATADIR%%/setup/provision_dns_add_samba.ldif
 %%DATADIR%%/setup/provision_dnszones_add.ldif
 %%DATADIR%%/setup/provision_dnszones_modify.ldif
 %%DATADIR%%/setup/provision_dnszones_partitions.ldif
 %%DATADIR%%/setup/provision_group_policy.ldif
 %%DATADIR%%/setup/provision_init.ldif
 %%DATADIR%%/setup/provision_partitions.ldif
 %%DATADIR%%/setup/provision_privilege.ldif
 %%DATADIR%%/setup/provision_rootdse_add.ldif
 %%DATADIR%%/setup/provision_rootdse_modify.ldif
 %%DATADIR%%/setup/provision_schema_basedn_modify.ldif
 %%DATADIR%%/setup/provision_schema_basedn.ldif
 %%DATADIR%%/setup/provision_self_join_config.ldif
 %%DATADIR%%/setup/provision_self_join_modify_config.ldif
 %%DATADIR%%/setup/provision_self_join_modify_schema.ldif
 %%DATADIR%%/setup/provision_self_join_modify.ldif
 %%DATADIR%%/setup/provision_self_join.ldif
 %%DATADIR%%/setup/provision_users_add.ldif
 %%DATADIR%%/setup/provision_users_modify.ldif
 %%DATADIR%%/setup/provision_users.ldif
 %%DATADIR%%/setup/provision_well_known_sec_princ.ldif
 %%DATADIR%%/setup/provision.ldif
 %%DATADIR%%/setup/provision.reg
 %%DATADIR%%/setup/provision.zone
 %%DATADIR%%/setup/schema_samba4.ldif
 %%DATADIR%%/setup/secrets_dns.ldif
 %%DATADIR%%/setup/secrets_init.ldif
 %%DATADIR%%/setup/secrets.ldif
 %%DATADIR%%/setup/share.ldif
 %%DATADIR%%/setup/spn_update_list
 %%DATADIR%%/setup/ypServ30.ldif
 @dir %%DATADIR%%/setup/display-specifiers
 @dir %%DATADIR%%/setup/ad-schema
 @dir %%DATADIR%%/setup
 @dir %%DATADIR%%
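Review bot: The plist adds `%%SAMBA4_MODULEDIR%%/bind9/dlz_bind9_18.so` and drops `dlz_bind9.so`/`dlz_bind9_9.so`, but nothing visible in this diff builds a 9.18 module — the wscript patch tail above only changes the torture module's flag to `-DBIND_VERSION=908`, and the ports-patch lines being removed are the ones that used to delete the 9.10–9.16 `SAMBA_LIBRARY` targets. Presumably the per-version bind9 modules are now produced by the reworked modules build rather than by the old patch, in which case the installed set is decided at build time and a hand-edited list can drift from it. The plist should be regenerated from a real build (`make check-plist` on the port) before commit, and the lines removed here verified against the new build output so that `pkg` neither misses a shipped DLZ module nor fails on a phantom one. If the 9.8/9.9 modules are intentionally gone, that drop is user-visible for anyone still pointing `named.conf.dlz` at `dlz_bind9.so` and deserves a mention in the commit description.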