Compare commits
No commits in common. "c8s" and "c8-beta" have entirely different histories.
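--- a/.gitignore
+++ b/.gitignore
@@ -1,9 +1 @@
-/gssntlmssp-0.1.0.tar.gz
-/gssntlmssp-0.2.0.tar.gz
-/gssntlmssp-0.3.0.tar.gz
-/gssntlmssp-0.3.1.tar.gz
-/gssntlmssp-0.4.0.tar.gz
-/gssntlmssp-0.5.0.tar.gz
-/gssntlmssp-0.6.0.tar.gz
-/gssntlmssp-0.7.0.tar.gz
-/gssntlmssp-1.2.0.tar.gz
+SOURCES/gssntlmssp-0.7.0.tar.gz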
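--- a/.gssntlmssp.metadata
+++ b/.gssntlmssp.metadata
@@ -0,0 +1 @@
+c8145411a1a40224a6d22acb45a8059dacaf8044 SOURCES/gssntlmssp-0.7.0.tar.gz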
@ -1,28 +0,0 @@
|
|||||||
From ddab884bf3a2de76c26559e962919e1145040f11 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Simo Sorce <simo@redhat.com>
|
|
||||||
Date: Fri, 17 Mar 2023 09:08:13 -0400
|
|
||||||
Subject: [PATCH] Fix potential crash when no target name is present
|
|
||||||
|
|
||||||
Signed-off-by: Simo Sorce <simo@redhat.com>
|
|
||||||
---
|
|
||||||
src/ntlm.c | 4 +++-
|
|
||||||
1 file changed, 3 insertions(+), 1 deletion(-)
|
|
||||||
|
|
||||||
diff --git a/src/ntlm.c b/src/ntlm.c
|
|
||||||
index 0f71bfd..60a0787 100644
|
|
||||||
--- a/src/ntlm.c
|
|
||||||
+++ b/src/ntlm.c
|
|
||||||
@@ -325,7 +325,9 @@ done:
|
|
||||||
safefree(out);
|
|
||||||
} else {
|
|
||||||
/* make sure to terminate output string */
|
|
||||||
- out[outlen] = '\0';
|
|
||||||
+ if (out) {
|
|
||||||
+ out[outlen] = '\0';
|
|
||||||
+ }
|
|
||||||
}
|
|
||||||
|
|
||||||
*str = out;
|
|
||||||
--
|
|
||||||
2.39.2
|
|
||||||
|
|
149
SOURCES/0001-Add-compatibility-with-OpenSSL-1.1.0.patch
Normal file
@ -0,0 +1,149 @@
|
|||||||
|
From e498737a96e8832a2cb9141ab1fe51e129185a48 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Simo Sorce <simo@redhat.com>
|
||||||
|
Date: Wed, 29 Jun 2016 11:15:11 -0400
|
||||||
|
Subject: [PATCH] Add compatibility with OpenSSL 1.1.0
|
||||||
|
|
||||||
|
In their continued wisdom OpenSSL developers keep breaking APIs left and right
|
||||||
|
with very poor documentation and forward/backward source compatibility.
|
||||||
|
|
||||||
|
Signed-off-by: Simo Sorce <simo@redhat.com>
|
||||||
|
---
|
||||||
|
src/crypto.c | 60 ++++++++++++++++++++++++++++++++++++++++++++++++------------
|
||||||
|
1 file changed, 48 insertions(+), 12 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/src/crypto.c b/src/crypto.c
|
||||||
|
index 9fe69f97cfe9a4c1c9a5fb1861fef3fdfb8ae596..33a0c3e9060df0fa14784e869b5edce2f462b238 100644
|
||||||
|
--- a/src/crypto.c
|
||||||
|
+++ b/src/crypto.c
|
||||||
|
@@ -27,6 +27,32 @@
|
||||||
|
|
||||||
|
#include "crypto.h"
|
||||||
|
|
||||||
|
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
|
||||||
|
+HMAC_CTX *HMAC_CTX_new(void)
|
||||||
|
+{
|
||||||
|
+ HMAC_CTX *ctx;
|
||||||
|
+
|
||||||
|
+ ctx = OPENSSL_malloc(sizeof(HMAC_CTX));
|
||||||
|
+ if (!ctx) return NULL;
|
||||||
|
+
|
||||||
|
+ HMAC_CTX_init(ctx);
|
||||||
|
+
|
||||||
|
+ return ctx;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+void HMAC_CTX_free(HMAC_CTX *ctx)
|
||||||
|
+{
|
||||||
|
+ if (ctx == NULL) return;
|
||||||
|
+
|
||||||
|
+ HMAC_CTX_cleanup(ctx);
|
||||||
|
+ OPENSSL_free(ctx);
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+#define EVP_MD_CTX_new EVP_MD_CTX_create
|
||||||
|
+#define EVP_MD_CTX_free EVP_MD_CTX_destroy
|
||||||
|
+
|
||||||
|
+#endif
|
||||||
|
+
|
||||||
|
int RAND_BUFFER(struct ntlm_buffer *random)
|
||||||
|
{
|
||||||
|
int ret;
|
||||||
|
@@ -42,30 +68,34 @@ int HMAC_MD5_IOV(struct ntlm_buffer *key,
|
||||||
|
struct ntlm_iov *iov,
|
||||||
|
struct ntlm_buffer *result)
|
||||||
|
{
|
||||||
|
- HMAC_CTX hmac_ctx;
|
||||||
|
+ HMAC_CTX *hmac_ctx;
|
||||||
|
unsigned int len;
|
||||||
|
size_t i;
|
||||||
|
int ret = 0;
|
||||||
|
|
||||||
|
if (result->length != 16) return EINVAL;
|
||||||
|
|
||||||
|
- HMAC_CTX_init(&hmac_ctx);
|
||||||
|
+ hmac_ctx = HMAC_CTX_new();
|
||||||
|
+ if (!hmac_ctx) {
|
||||||
|
+ ret = ERR_CRYPTO;
|
||||||
|
+ goto done;
|
||||||
|
+ }
|
||||||
|
|
||||||
|
- ret = HMAC_Init_ex(&hmac_ctx, key->data, key->length, EVP_md5(), NULL);
|
||||||
|
+ ret = HMAC_Init_ex(hmac_ctx, key->data, key->length, EVP_md5(), NULL);
|
||||||
|
if (ret == 0) {
|
||||||
|
ret = ERR_CRYPTO;
|
||||||
|
goto done;
|
||||||
|
}
|
||||||
|
|
||||||
|
for (i = 0; i < iov->num; i++) {
|
||||||
|
- ret = HMAC_Update(&hmac_ctx, iov->data[i]->data, iov->data[i]->length);
|
||||||
|
+ ret = HMAC_Update(hmac_ctx, iov->data[i]->data, iov->data[i]->length);
|
||||||
|
if (ret == 0) {
|
||||||
|
ret = ERR_CRYPTO;
|
||||||
|
goto done;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
- ret = HMAC_Final(&hmac_ctx, result->data, &len);
|
||||||
|
+ ret = HMAC_Final(hmac_ctx, result->data, &len);
|
||||||
|
if (ret == 0) {
|
||||||
|
ret = ERR_CRYPTO;
|
||||||
|
goto done;
|
||||||
|
@@ -74,7 +104,7 @@ int HMAC_MD5_IOV(struct ntlm_buffer *key,
|
||||||
|
ret = 0;
|
||||||
|
|
||||||
|
done:
|
||||||
|
- HMAC_CTX_cleanup(&hmac_ctx);
|
||||||
|
+ HMAC_CTX_free(hmac_ctx);
|
||||||
|
return ret;
|
||||||
|
}
|
||||||
|
|
||||||
|
@@ -93,26 +123,32 @@ static int mdx_hash(const EVP_MD *type,
|
||||||
|
struct ntlm_buffer *payload,
|
||||||
|
struct ntlm_buffer *result)
|
||||||
|
{
|
||||||
|
- EVP_MD_CTX ctx;
|
||||||
|
+ EVP_MD_CTX *ctx;
|
||||||
|
unsigned int len;
|
||||||
|
int ret;
|
||||||
|
|
||||||
|
if (result->length != 16) return EINVAL;
|
||||||
|
|
||||||
|
- EVP_MD_CTX_init(&ctx);
|
||||||
|
- ret = EVP_DigestInit_ex(&ctx, type, NULL);
|
||||||
|
+ ctx = EVP_MD_CTX_new();
|
||||||
|
+ if (!ctx) {
|
||||||
|
+ ret = ERR_CRYPTO;
|
||||||
|
+ goto done;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ EVP_MD_CTX_init(ctx);
|
||||||
|
+ ret = EVP_DigestInit_ex(ctx, type, NULL);
|
||||||
|
if (ret == 0) {
|
||||||
|
ret = ERR_CRYPTO;
|
||||||
|
goto done;
|
||||||
|
}
|
||||||
|
|
||||||
|
- ret = EVP_DigestUpdate(&ctx, payload->data, payload->length);
|
||||||
|
+ ret = EVP_DigestUpdate(ctx, payload->data, payload->length);
|
||||||
|
if (ret == 0) {
|
||||||
|
ret = ERR_CRYPTO;
|
||||||
|
goto done;
|
||||||
|
}
|
||||||
|
|
||||||
|
- ret = EVP_DigestFinal_ex(&ctx, result->data, &len);
|
||||||
|
+ ret = EVP_DigestFinal_ex(ctx, result->data, &len);
|
||||||
|
if (ret == 0) {
|
||||||
|
ret = ERR_CRYPTO;
|
||||||
|
goto done;
|
||||||
|
@@ -121,7 +157,7 @@ static int mdx_hash(const EVP_MD *type,
|
||||||
|
ret = 0;
|
||||||
|
|
||||||
|
done:
|
||||||
|
- EVP_MD_CTX_cleanup(&ctx);
|
||||||
|
+ if (ctx) EVP_MD_CTX_free(ctx);
|
||||||
|
return ret;
|
||||||
|
}
|
||||||
|
|
||||||
|
--
|
||||||
|
2.9.3
|
||||||
|
|
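Review bot: The compatibility shims `HMAC_CTX_new` and `HMAC_CTX_free`, added under `#if OPENSSL_VERSION_NUMBER < 0x10100000L`, have external linkage, so on a build against older OpenSSL the module defines global symbols with the same names as libcrypto's. Unless another translation unit needs them, declaring them `static HMAC_CTX *HMAC_CTX_new(void)` and `static void HMAC_CTX_free(HMAC_CTX *ctx)` keeps them private to crypto.c. In mdx_hash the `EVP_MD_CTX_init(ctx);` call right after `EVP_MD_CTX_new()` looks redundant, since the context should already come back initialised. The `if (ctx)` guard before `EVP_MD_CTX_free(ctx)` is also inconsistent with the unguarded `HMAC_CTX_free(hmac_ctx)` in HMAC_MD5_IOV; using one form in both places would read better. Both function bodies continue outside the hunks shown.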
@ -1,16 +1,16 @@
|
|||||||
Name: gssntlmssp
|
Name: gssntlmssp
|
||||||
Version: 1.2.0
|
Version: 0.7.0
|
||||||
Release: 1%{?dist}
|
Release: 6%{?dist}
|
||||||
Summary: GSSAPI NTLMSSP Mechanism
|
Summary: GSSAPI NTLMSSP Mechanism
|
||||||
|
|
||||||
Group: System Environment/Libraries
|
Group: System Environment/Libraries
|
||||||
License: LGPLv3+
|
License: LGPLv3+
|
||||||
URL: https://github.com/gssapi/gss-ntlmssp
|
URL: https://fedorahosted.org/gss-ntlmssp
|
||||||
Source0: https://github.com/gssapi/gss-ntlmssp/releases/download/v%{version}/%{name}-%{version}.tar.gz
|
Source0: https://fedorahosted.org/released/gss-ntlmssp/%{name}-%{version}.tar.gz
|
||||||
|
|
||||||
Patch01: 0001-Fix-potential-crash-when-no-target-name-is-present.patch
|
Patch01: 0001-Add-compatibility-with-OpenSSL-1.1.0.patch
|
||||||
|
|
||||||
Requires: krb5-libs%{?_isa} >= 1.18.2-22
|
Requires: krb5-libs%{?_isa} >= 1.12.1-9
|
||||||
|
|
||||||
BuildRequires: autoconf
|
BuildRequires: autoconf
|
||||||
BuildRequires: automake
|
BuildRequires: automake
|
||||||
@ -22,12 +22,10 @@ BuildRequires: docbook-style-xsl
|
|||||||
BuildRequires: doxygen
|
BuildRequires: doxygen
|
||||||
BuildRequires: gettext-devel
|
BuildRequires: gettext-devel
|
||||||
BuildRequires: pkgconfig
|
BuildRequires: pkgconfig
|
||||||
BuildRequires: krb5-devel >= 1.18.2-22
|
BuildRequires: krb5-devel >= 1.11.2
|
||||||
BuildRequires: libunistring-devel
|
BuildRequires: libunistring-devel
|
||||||
BuildRequires: openssl-devel
|
BuildRequires: openssl-devel
|
||||||
BuildRequires: pkgconfig(wbclient)
|
BuildRequires: pkgconfig(wbclient)
|
||||||
BuildRequires: zlib-devel
|
|
||||||
BuildRequires: make
|
|
||||||
|
|
||||||
%description
|
%description
|
||||||
A GSSAPI Mechanism that implements NTLMSSP
|
A GSSAPI Mechanism that implements NTLMSSP
|
||||||
@ -42,7 +40,8 @@ Adds a header file with definition for custom GSSAPI extensions for NTLMSSP
|
|||||||
|
|
||||||
|
|
||||||
%prep
|
%prep
|
||||||
%autosetup -S git
|
%setup -q
|
||||||
|
%patch01 -p1
|
||||||
|
|
||||||
%build
|
%build
|
||||||
autoreconf -fiv
|
autoreconf -fiv
|
||||||
@ -73,15 +72,6 @@ make test_gssntlmssp
|
|||||||
%{_includedir}/gssapi/gssapi_ntlmssp.h
|
%{_includedir}/gssapi/gssapi_ntlmssp.h
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
* Thu Mar 23 2023 Julien Rische <jrische@redhat.com> - 1.2.0-1
|
|
||||||
- New release 1.2.0
|
|
||||||
- Fix CVE-2023-25563: multiple out-of-bounds read when decoding NTLM fields
|
|
||||||
- Fix CVE-2023-25564: memory corruption when decoding UTF16 strings
|
|
||||||
- Fix CVE-2023-25565: incorrect free when decoding target information
|
|
||||||
- Fix CVE-2023-25566: memory leak when parsing usernames
|
|
||||||
- Fix CVE-2023-25567: out-of-bounds read when decoding target information
|
|
||||||
- Resolves: rhbz#2178907
|
|
||||||
|
|
||||||
* Wed Feb 07 2018 Fedora Release Engineering <releng@fedoraproject.org> - 0.7.0-6
|
* Wed Feb 07 2018 Fedora Release Engineering <releng@fedoraproject.org> - 0.7.0-6
|
||||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
|
||||||
|
|
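Review bot: The side of this spec that packages 0.7.0-6 no longer has the 1.2.0-1 changelog entry recording the fixes for CVE-2023-25563 through CVE-2023-25567, and its only patch is `0001-Add-compatibility-with-OpenSSL-1.1.0.patch`, so a build from it would presumably ship without those fixes. The `.gssntlmssp.metadata` addition and the `sources` deletion suggest the 0.7.0 side is the new one. If 0.7.0 has to stay, each fix would need to be backported as its own `PatchNN:` line and recorded under `%changelog` so that scanners and reviewers can see the package's CVE status. The tarball pin also changes from the `SHA512 (...)` line in `sources` to a 40-hex digest in `.gssntlmssp.metadata`, so it is worth confirming that the build system verifies that digest against the file fetched from the new `Source0` URL.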
@ -1,6 +0,0 @@
|
|||||||
--- !Policy
|
|
||||||
product_versions:
|
|
||||||
- rhel-8
|
|
||||||
decision_context: osci_compose_gate
|
|
||||||
rules:
|
|
||||||
- !PassingTestCaseRule {test_case_name: osci.brew-build.tier0.functional}
|
|
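--- a/sources
+++ b/sources
@@ -1 +0,0 @@
-SHA512 (gssntlmssp-1.2.0.tar.gz) = e918f24dface17ae1f22f30576ee03d209bab55eb439df1a3f9d386e7e57b4f5a7155b79a05bd76ab5acea7ff1a988c6394f14e166f4a48209141bff8b398747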
@ -1,46 +0,0 @@
|
|||||||
#
|
|
||||||
# Author: Simo Sorce
|
|
||||||
|
|
||||||
TOPLEVEL_NAMESPACE=/CoreOS
|
|
||||||
PACKAGE_NAME=gssntlmssp
|
|
||||||
RELATIVE_PATH=first-test
|
|
||||||
|
|
||||||
export TEST=$(TOPLEVEL_NAMESPACE)/$(PACKAGE_NAME)/$(RELATIVE_PATH)
|
|
||||||
export TESTVERSION=1.0
|
|
||||||
|
|
||||||
.PHONY: all install download clean
|
|
||||||
|
|
||||||
BUILT_FILES=
|
|
||||||
FILES=$(METADATA) runtest.sh Makefile gss.conf ntlmfile httpd.service
|
|
||||||
|
|
||||||
run: $(FILES) build
|
|
||||||
./runtest.sh
|
|
||||||
|
|
||||||
build: $(BUILT_FILES)
|
|
||||||
chmod a+x ./runtest.sh
|
|
||||||
|
|
||||||
clean:
|
|
||||||
rm -f *~ *.rpm $(BUILT_FILES)
|
|
||||||
|
|
||||||
|
|
||||||
# Include Common Makefile
|
|
||||||
include /usr/share/rhts/lib/rhts-make.include
|
|
||||||
|
|
||||||
# Generate the testinfo.desc here:
|
|
||||||
$(METADATA): Makefile
|
|
||||||
@touch $(METADATA)
|
|
||||||
@echo $(PACKAGE_NAME)
|
|
||||||
@echo "Owner: Simo Sorce <ssorce@redhat.com>" > $(METADATA)
|
|
||||||
@echo "Name: $(TEST)" >> $(METADATA)
|
|
||||||
@echo "Path: $(TEST_DIR)" >> $(METADATA)
|
|
||||||
@echo "License: GPL" >> $(METADATA)
|
|
||||||
@echo "TestVersion: $(TESTVERSION)" >> $(METADATA)
|
|
||||||
@echo "Description: Test gssntlmssp though mod_auth_gssapi and apache" >> $(METADATA)
|
|
||||||
@echo "TestTime: 1h" >> $(METADATA)
|
|
||||||
@echo "Type: Install" >> $(METADATA)
|
|
||||||
@echo "Requires: curl" >> $(METADATA)
|
|
||||||
@echo "Requires: httpd" >> $(METADATA)
|
|
||||||
@echo "Requires: mod_auth_gssapi" >> $(METADATA)
|
|
||||||
@echo "Requires: gssntlmssp" >> $(METADATA)
|
|
||||||
|
|
||||||
rhts-lint $(METADATA)
|
|
@ -1,2 +0,0 @@
|
|||||||
This test sets up and verifies gssntlmssp via HTTPD and mod_auth_gssapi
|
|
||||||
|
|
@ -1,7 +0,0 @@
|
|||||||
<Location /private>
|
|
||||||
AuthType GSSAPI
|
|
||||||
AuthName "NTLMSSP"
|
|
||||||
GssapiAllowedMech ntlmssp
|
|
||||||
GssapiConnectionBound on
|
|
||||||
require valid-user
|
|
||||||
</Location>
|
|
@ -1,3 +0,0 @@
|
|||||||
.include /lib/systemd/system/httpd.service
|
|
||||||
[Service]
|
|
||||||
Environment=NTLM_USER_FILE=/etc/httpd/ntlmfile
|
|
@ -1 +0,0 @@
|
|||||||
TESTDOM:testuser:testpassword
|
|
@ -1,39 +0,0 @@
|
|||||||
#!/bin/bash
|
|
||||||
|
|
||||||
# Author: Simo Sorce
|
|
||||||
|
|
||||||
. /usr/bin/rhts-environment.sh
|
|
||||||
echo "rhts-environment sourced, status = $?"
|
|
||||||
|
|
||||||
. /usr/share/beakerlib/beakerlib.sh
|
|
||||||
echo "beakerlib sourced, status = $?"
|
|
||||||
|
|
||||||
rlJournalStart
|
|
||||||
|
|
||||||
rlPhaseStartSetup "Check than we have Apache"
|
|
||||||
export PACKAGES="httpd mod_auth_gssapi gssntlmssp"
|
|
||||||
rlAssertRpm --all
|
|
||||||
rlPhaseEnd
|
|
||||||
|
|
||||||
rlPhaseStartSetup "Setup httpd to use mod_auth_gssapi"
|
|
||||||
rlRun "mkdir -p /var/www/html"
|
|
||||||
rlRun "echo OK > /var/www/html/private"
|
|
||||||
rlRun "cp gss.conf /etc/httpd/conf.d/gss.conf"
|
|
||||||
rlRun "cp ntlmfile /etc/httpd/ntlmfile"
|
|
||||||
rlRun "cp -f httpd.service /etc/systemd/system/httpd.service"
|
|
||||||
rlRun "systemctl daemon-reload"
|
|
||||||
rlRun "systemctl restart httpd"
|
|
||||||
rlPhaseEnd
|
|
||||||
|
|
||||||
rlPhaseStartTest "Run HTTP requests against the setup"
|
|
||||||
export NTLM_USER_FILE=/etc/httpd/ntlmfile
|
|
||||||
rlRun "curl -si http://$( hostname )/private > /tmp/curl.out.$$"
|
|
||||||
rlAssertNotGrep "200 OK" /tmp/curl.out.$$
|
|
||||||
rlRun "curl --negotiate -u : -si http://$( hostname )/private > /tmp/curl.out.$$"
|
|
||||||
rlAssertGrep "200 OK" /tmp/curl.out.$$
|
|
||||||
rlAssertGrep "^OK$" /tmp/curl.out.$$
|
|
||||||
rlPhaseEnd
|
|
||||||
|
|
||||||
rlJournalEnd
|
|
||||||
rlJournalPrintText
|
|
||||||
|
|
@ -1,12 +0,0 @@
|
|||||||
- hosts: localhost
|
|
||||||
roles:
|
|
||||||
- role: standard-test-beakerlib
|
|
||||||
tags:
|
|
||||||
- classic
|
|
||||||
tests:
|
|
||||||
- first-test
|
|
||||||
required_packages:
|
|
||||||
- curl
|
|
||||||
- httpd
|
|
||||||
- mod_auth_gssapi
|
|
||||||
|
|