14 changed files with 164 additions and 177 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1,9 +1 @@
-/gssntlmssp-0.1.0.tar.gz
-/gssntlmssp-0.2.0.tar.gz
-/gssntlmssp-0.3.0.tar.gz
-/gssntlmssp-0.3.1.tar.gz
-/gssntlmssp-0.4.0.tar.gz
-/gssntlmssp-0.5.0.tar.gz
-/gssntlmssp-0.6.0.tar.gz
-/gssntlmssp-0.7.0.tar.gz
-/gssntlmssp-1.2.0.tar.gz
+SOURCES/gssntlmssp-0.7.0.tar.gz
--- a/.gssntlmssp.metadata
+++ b/.gssntlmssp.metadata
@ -0,0 +1 @@
+c8145411a1a40224a6d22acb45a8059dacaf8044 SOURCES/gssntlmssp-0.7.0.tar.gz
--- a/0001-Fix-potential-crash-when-no-target-name-is-present.patch
+++ b/0001-Fix-potential-crash-when-no-target-name-is-present.patch
@ -1,28 +0,0 @@
-From ddab884bf3a2de76c26559e962919e1145040f11 Mon Sep 17 00:00:00 2001
-From: Simo Sorce <simo@redhat.com>
-Date: Fri, 17 Mar 2023 09:08:13 -0400
-Subject: [PATCH] Fix potential crash when no target name is present
-
-Signed-off-by: Simo Sorce <simo@redhat.com>
---
- src/ntlm.c | 4 +++-
- 1 file changed, 3 insertions(+), 1 deletion(-)
-
-diff --git a/src/ntlm.c b/src/ntlm.c
-index 0f71bfd..60a0787 100644
--- a/src/ntlm.c
-+++ b/src/ntlm.c
-@@ -325,7 +325,9 @@ done:
-         safefree(out);
-     } else {
-         /* make sure to terminate output string */
-        out[outlen] = '\0';
-+        if (out) {
-+            out[outlen] = '\0';
-+        }
-     }
- 
-     *str = out;
-- 
-2.39.2
-
--- a/SOURCES/0001-Add-compatibility-with-OpenSSL-1.1.0.patch
+++ b/SOURCES/0001-Add-compatibility-with-OpenSSL-1.1.0.patch
@ -0,0 +1,149 @@
+From e498737a96e8832a2cb9141ab1fe51e129185a48 Mon Sep 17 00:00:00 2001
+From: Simo Sorce <simo@redhat.com>
+Date: Wed, 29 Jun 2016 11:15:11 -0400
+Subject: [PATCH] Add compatibility with OpenSSL 1.1.0
+
+In their continued wisdom OpenSSL developers keep breaking APIs left and right
+with very poor documentation and forward/backward source compatibility.
+
+Signed-off-by: Simo Sorce <simo@redhat.com>
+---
+ src/crypto.c | 60 ++++++++++++++++++++++++++++++++++++++++++++++++------------
+ 1 file changed, 48 insertions(+), 12 deletions(-)
+
+diff --git a/src/crypto.c b/src/crypto.c
+index 9fe69f97cfe9a4c1c9a5fb1861fef3fdfb8ae596..33a0c3e9060df0fa14784e869b5edce2f462b238 100644
+--- a/src/crypto.c
+++ b/src/crypto.c
+@@ -27,6 +27,32 @@
+ 
+ #include "crypto.h"
+ 
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+HMAC_CTX *HMAC_CTX_new(void)
+{
+    HMAC_CTX *ctx;
+
+    ctx = OPENSSL_malloc(sizeof(HMAC_CTX));
+    if (!ctx) return NULL;
+
+    HMAC_CTX_init(ctx);
+
+    return ctx;
+}
+
+void HMAC_CTX_free(HMAC_CTX *ctx)
+{
+    if (ctx == NULL) return;
+
+    HMAC_CTX_cleanup(ctx);
+    OPENSSL_free(ctx);
+}
+
+#define EVP_MD_CTX_new EVP_MD_CTX_create
+#define EVP_MD_CTX_free EVP_MD_CTX_destroy
+
+#endif
+
+ int RAND_BUFFER(struct ntlm_buffer *random)
+ {
+     int ret;
+@@ -42,30 +68,34 @@ int HMAC_MD5_IOV(struct ntlm_buffer *key,
+                  struct ntlm_iov *iov,
+                  struct ntlm_buffer *result)
+ {
+-    HMAC_CTX hmac_ctx;
+    HMAC_CTX *hmac_ctx;
+     unsigned int len;
+     size_t i;
+     int ret = 0;
+ 
+     if (result->length != 16) return EINVAL;
+ 
+-    HMAC_CTX_init(&hmac_ctx);
+    hmac_ctx = HMAC_CTX_new();
+    if (!hmac_ctx) {
+        ret = ERR_CRYPTO;
+        goto done;
+    }
+ 
+-    ret = HMAC_Init_ex(&hmac_ctx, key->data, key->length, EVP_md5(), NULL);
+    ret = HMAC_Init_ex(hmac_ctx, key->data, key->length, EVP_md5(), NULL);
+     if (ret == 0) {
+         ret = ERR_CRYPTO;
+         goto done;
+     }
+ 
+     for (i = 0; i < iov->num; i++) {
+-        ret = HMAC_Update(&hmac_ctx, iov->data[i]->data, iov->data[i]->length);
+        ret = HMAC_Update(hmac_ctx, iov->data[i]->data, iov->data[i]->length);
+         if (ret == 0) {
+             ret = ERR_CRYPTO;
+             goto done;
+         }
+     }
+ 
+-    ret = HMAC_Final(&hmac_ctx, result->data, &len);
+    ret = HMAC_Final(hmac_ctx, result->data, &len);
+     if (ret == 0) {
+         ret = ERR_CRYPTO;
+         goto done;
+@@ -74,7 +104,7 @@ int HMAC_MD5_IOV(struct ntlm_buffer *key,
+     ret = 0;
+ 
+ done:
+-    HMAC_CTX_cleanup(&hmac_ctx);
+    HMAC_CTX_free(hmac_ctx);
+     return ret;
+ }
+ 
+@@ -93,26 +123,32 @@ static int mdx_hash(const EVP_MD *type,
+                     struct ntlm_buffer *payload,
+                     struct ntlm_buffer *result)
+ {
+-    EVP_MD_CTX ctx;
+    EVP_MD_CTX *ctx;
+     unsigned int len;
+     int ret;
+ 
+     if (result->length != 16) return EINVAL;
+ 
+-    EVP_MD_CTX_init(&ctx);
+-    ret = EVP_DigestInit_ex(&ctx, type, NULL);
+    ctx = EVP_MD_CTX_new();
+    if (!ctx) {
+        ret = ERR_CRYPTO;
+        goto done;
+    }
+
+    EVP_MD_CTX_init(ctx);
+    ret = EVP_DigestInit_ex(ctx, type, NULL);
+     if (ret == 0) {
+         ret = ERR_CRYPTO;
+         goto done;
+     }
+ 
+-    ret = EVP_DigestUpdate(&ctx, payload->data, payload->length);
+    ret = EVP_DigestUpdate(ctx, payload->data, payload->length);
+     if (ret == 0) {
+         ret = ERR_CRYPTO;
+         goto done;
+     }
+ 
+-    ret = EVP_DigestFinal_ex(&ctx, result->data, &len);
+    ret = EVP_DigestFinal_ex(ctx, result->data, &len);
+     if (ret == 0) {
+         ret = ERR_CRYPTO;
+         goto done;
+@@ -121,7 +157,7 @@ static int mdx_hash(const EVP_MD *type,
+     ret = 0;
+ 
+ done:
+-    EVP_MD_CTX_cleanup(&ctx);
+    if (ctx) EVP_MD_CTX_free(ctx);
+     return ret;
+ }
+ 
+-- 
+2.9.3
+
--- a/SPECS/gssntlmssp.spec
+++ b/SPECS/gssntlmssp.spec
@ -1,16 +1,16 @@
-Name:           gssntlmssp
-Version:        1.2.0
-Release:        1%{?dist}
-Summary:        GSSAPI NTLMSSP Mechanism
+Name:		gssntlmssp
+Version:	0.7.0
+Release:	6%{?dist}
+Summary:	GSSAPI NTLMSSP Mechanism

-Group:          System Environment/Libraries
-License:        LGPLv3+
-URL:            https://github.com/gssapi/gss-ntlmssp
-Source0:        https://github.com/gssapi/gss-ntlmssp/releases/download/v%{version}/%{name}-%{version}.tar.gz
+Group:		System Environment/Libraries
+License:	LGPLv3+
+URL:		https://fedorahosted.org/gss-ntlmssp
+Source0:        https://fedorahosted.org/released/gss-ntlmssp/%{name}-%{version}.tar.gz

-Patch01: 0001-Fix-potential-crash-when-no-target-name-is-present.patch
+Patch01: 0001-Add-compatibility-with-OpenSSL-1.1.0.patch

-Requires: krb5-libs%{?_isa} >= 1.18.2-22
+Requires: krb5-libs%{?_isa} >= 1.12.1-9

 BuildRequires: autoconf
 BuildRequires: automake
@ -22,12 +22,10 @@ BuildRequires: docbook-style-xsl
 BuildRequires: doxygen
 BuildRequires: gettext-devel
 BuildRequires: pkgconfig
-BuildRequires: krb5-devel >= 1.18.2-22
+BuildRequires: krb5-devel >= 1.11.2
 BuildRequires: libunistring-devel
 BuildRequires: openssl-devel
 BuildRequires: pkgconfig(wbclient)
-BuildRequires: zlib-devel
-BuildRequires: make

 %description
 A GSSAPI Mechanism that implements NTLMSSP
@ -42,7 +40,8 @@ Adds a header file with definition for custom GSSAPI extensions for NTLMSSP


 %prep
-%autosetup -S git
+%setup -q
+%patch01 -p1

 %build
 autoreconf -fiv
@ -73,15 +72,6 @@ make test_gssntlmssp
 %{_includedir}/gssapi/gssapi_ntlmssp.h

 %changelog
-* Thu Mar 23 2023 Julien Rische <jrische@redhat.com> - 1.2.0-1
- New release 1.2.0
- Fix CVE-2023-25563: multiple out-of-bounds read when decoding NTLM fields
- Fix CVE-2023-25564: memory corruption when decoding UTF16 strings
- Fix CVE-2023-25565: incorrect free when decoding target information
- Fix CVE-2023-25566: memory leak when parsing usernames
- Fix CVE-2023-25567: out-of-bounds read when decoding target information
- Resolves: rhbz#2178907
-
 * Wed Feb 07 2018 Fedora Release Engineering <releng@fedoraproject.org> - 0.7.0-6
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild

--- a/gating.yaml
+++ b/gating.yaml
@ -1,6 +0,0 @@
--- !Policy
-product_versions:
-  - rhel-8
-decision_context: osci_compose_gate
-rules:
-  - !PassingTestCaseRule {test_case_name: osci.brew-build.tier0.functional}
--- a/1
+++ b/1
@ -1 +0,0 @@
-SHA512 (gssntlmssp-1.2.0.tar.gz) = e918f24dface17ae1f22f30576ee03d209bab55eb439df1a3f9d386e7e57b4f5a7155b79a05bd76ab5acea7ff1a988c6394f14e166f4a48209141bff8b398747
--- a/tests/first-test/Makefile
+++ b/tests/first-test/Makefile
@ -1,46 +0,0 @@
-#
-# Author: Simo Sorce
-
-TOPLEVEL_NAMESPACE=/CoreOS
-PACKAGE_NAME=gssntlmssp
-RELATIVE_PATH=first-test
-
-export TEST=$(TOPLEVEL_NAMESPACE)/$(PACKAGE_NAME)/$(RELATIVE_PATH)
-export TESTVERSION=1.0
-
-.PHONY: all install download clean
-
-BUILT_FILES=
-FILES=$(METADATA) runtest.sh Makefile gss.conf ntlmfile httpd.service
-
-run: $(FILES) build
-	./runtest.sh
-
-build: $(BUILT_FILES)
-	chmod a+x ./runtest.sh
-
-clean:
-	rm -f *~ *.rpm $(BUILT_FILES)
-
-
-# Include Common Makefile
-include /usr/share/rhts/lib/rhts-make.include
-
-# Generate the testinfo.desc here:
-$(METADATA): Makefile
-	@touch $(METADATA)
-	@echo $(PACKAGE_NAME)
-	@echo "Owner:        Simo Sorce <ssorce@redhat.com>" > $(METADATA)
-	@echo "Name:         $(TEST)" >> $(METADATA)
-	@echo "Path:         $(TEST_DIR)" >> $(METADATA)
-	@echo "License:      GPL" >> $(METADATA)
-	@echo "TestVersion:  $(TESTVERSION)" >> $(METADATA)
-	@echo "Description:  Test gssntlmssp though mod_auth_gssapi and apache" >> $(METADATA)
-	@echo "TestTime:     1h" >> $(METADATA)
-	@echo "Type:         Install" >> $(METADATA)
-	@echo "Requires:     curl" >> $(METADATA)
-	@echo "Requires:     httpd" >> $(METADATA)
-	@echo "Requires:     mod_auth_gssapi" >> $(METADATA)
-	@echo "Requires:     gssntlmssp" >> $(METADATA)
-
-	rhts-lint $(METADATA)
--- a/tests/first-test/PURPOSE
+++ b/tests/first-test/PURPOSE
@ -1,2 +0,0 @@
-This test sets up and verifies gssntlmssp via HTTPD and mod_auth_gssapi
-
--- a/tests/first-test/gss.conf
+++ b/tests/first-test/gss.conf
@ -1,7 +0,0 @@
-<Location /private>
-  AuthType GSSAPI
-  AuthName "NTLMSSP"
-  GssapiAllowedMech ntlmssp
-  GssapiConnectionBound on
-  require valid-user
-</Location>
--- a/tests/first-test/httpd.service
+++ b/tests/first-test/httpd.service
@ -1,3 +0,0 @@
-.include /lib/systemd/system/httpd.service
-[Service]
-Environment=NTLM_USER_FILE=/etc/httpd/ntlmfile
--- a/tests/first-test/ntlmfile
+++ b/tests/first-test/ntlmfile
@ -1 +0,0 @@
-TESTDOM:testuser:testpassword
--- a/tests/first-test/runtest.sh
+++ b/tests/first-test/runtest.sh
@ -1,39 +0,0 @@
-#!/bin/bash
-
-# Author: Simo Sorce
-
-. /usr/bin/rhts-environment.sh
-echo "rhts-environment sourced, status = $?"
-
-. /usr/share/beakerlib/beakerlib.sh
-echo "beakerlib sourced, status = $?"
-
-rlJournalStart
-
-    rlPhaseStartSetup "Check than we have Apache"
-        export PACKAGES="httpd mod_auth_gssapi gssntlmssp"
-        rlAssertRpm --all
-    rlPhaseEnd
-
-    rlPhaseStartSetup "Setup httpd to use mod_auth_gssapi"
-        rlRun "mkdir -p /var/www/html"
-        rlRun "echo OK > /var/www/html/private"
-        rlRun "cp gss.conf /etc/httpd/conf.d/gss.conf"
-        rlRun "cp ntlmfile /etc/httpd/ntlmfile"
-        rlRun "cp -f httpd.service /etc/systemd/system/httpd.service"
-        rlRun "systemctl daemon-reload"
-        rlRun "systemctl restart httpd"
-    rlPhaseEnd
-
-    rlPhaseStartTest "Run HTTP requests against the setup"
-        export NTLM_USER_FILE=/etc/httpd/ntlmfile
-        rlRun "curl -si http://$( hostname )/private > /tmp/curl.out.$$"
-        rlAssertNotGrep "200 OK" /tmp/curl.out.$$
-        rlRun "curl --negotiate -u : -si http://$( hostname )/private > /tmp/curl.out.$$"
-        rlAssertGrep "200 OK" /tmp/curl.out.$$
-        rlAssertGrep "^OK$" /tmp/curl.out.$$
-    rlPhaseEnd
-
-rlJournalEnd
-rlJournalPrintText
-
--- a/tests/tests.yml
+++ b/tests/tests.yml
@ -1,12 +0,0 @@
- hosts: localhost
-  roles:
-  - role: standard-test-beakerlib
-    tags:
-    - classic
-    tests:
-    - first-test
-    required_packages:
-    - curl
-    - httpd
-    - mod_auth_gssapi
-
				`@ -0,0 +1 @@`
				`c8145411a1a40224a6d22acb45a8059dacaf8044 SOURCES/gssntlmssp-0.7.0.tar.gz`
				`@ -1 +0,0 @@`
				`SHA512 (gssntlmssp-1.2.0.tar.gz) = e918f24dface17ae1f22f30576ee03d209bab55eb439df1a3f9d386e7e57b4f5a7155b79a05bd76ab5acea7ff1a988c6394f14e166f4a48209141bff8b398747`
				`@ -1,2 +0,0 @@`
				`This test sets up and verifies gssntlmssp via HTTPD and mod_auth_gssapi`