[Pkg-freeipa-devel] [Git][freeipa-team/gss-ntlmssp][master] 16 commits: Update github actions

Timo Aaltonen (@tjaalton) gitlab at salsa.debian.org
Tue Feb 24 08:46:34 GMT 2026



Timo Aaltonen pushed to branch master at FreeIPA packaging / gss-ntlmssp


Commits:
0e23ccd0 by Simo Sorce at 2023-02-12T14:28:05-05:00
Update github actions

Use new actions versions as deprecation notices recommend.

Signed-off-by: Simo Sorce <simo at redhat.com>

- - - - -
646c7fc5 by KarelChanivecky at 2023-03-13T15:27:13-04:00
Fix typo in header guard for src/ntlm.h

Header guard fails due to typo as the header guard is checking for a different macro identifier than it defines
- - - - -
a060d026 by Simo Sorce at 2023-03-17T14:40:51-04:00
Fix potential crash when no target name is present

Signed-off-by: Simo Sorce <simo at redhat.com>

- - - - -
b133254e by Simo Sorce at 2023-03-17T14:40:51-04:00
Add test to check target_name can be NULL

Signed-off-by: Simo Sorce <simo at redhat.com>

- - - - -
9492bfaf by Simo Sorce at 2023-04-27T14:34:42-04:00
Mark defined numbers as unsigned

Oss-Fuzz complains that shifting an "int" left by 31 is problematic
This is fine in practice at least on the compiler used in common
distributions.
But let's try to address this undefined behavior by making it clear to
the compiler that we want to treat these numbers as unsigned ints.

Signed-off-by: Simo Sorce <simo at redhat.com>

- - - - -
7624c1ff by kchaniveckyga at 2023-05-17T14:39:46-04:00
BF: swap UTF16LE with UTF-16LE in libunistring calls

Signed-off-by: kchaniveckyga <kchaniveckyga at fortinet.com>

- - - - -
febb0bcf by Simo Sorce at 2024-02-26T16:21:28-05:00
Change the ossl3 context to be allocated once

Use a pthread_once guard to do initialization only once and a destructor
to deinitialize also only once on library unload.

Signed-off-by: Simo Sorce <simo at redhat.com>

- - - - -
e027bbde by Simo Sorce at 2024-02-26T16:23:25-05:00
Release version 1.3.0

Signed-off-by: Simo Sorce <simo at redhat.com>

- - - - -
7134b958 by Aleksandr Feoktistov at 2024-02-27T08:24:10-05:00
Make sending only filled MsvAvFlags field for CHALLENGE message

Signed-off-by: Aleksandr Feoktistov <fe0 at ya.ru>

- - - - -
3a24e457 by Simo Sorce at 2024-02-27T08:28:41-05:00
Release version 1.3.1

Signed-off-by: Simo Sorce <simo at redhat.com>

- - - - -
272b2bc5 by Timo Aaltonen at 2026-02-24T10:28:16+02:00
Merge branch 'upstream'

- - - - -
17544664 by Timo Aaltonen at 2026-02-24T10:29:34+02:00
version bump

- - - - -
d6d52692 by Timo Aaltonen at 2026-02-24T10:35:17+02:00
watch: Migrate to version 5.

- - - - -
4aa65319 by Timo Aaltonen at 2026-02-24T10:36:53+02:00
control: Migrate to pkgconf.

- - - - -
3660ce5c by Timo Aaltonen at 2026-02-24T10:40:26+02:00
Remove obsolete maintscripts.

- - - - -
4438743c by Timo Aaltonen at 2026-02-24T10:46:02+02:00
releasing package gss-ntlmssp version 1.3.1-1

- - - - -


14 changed files:

- .github/workflows/ccpp.yml
- debian/changelog
- debian/control
- − debian/gss-ntlmssp.postinst
- − debian/gss-ntlmssp.postrm
- − debian/gss-ntlmssp.preinst
- debian/watch
- src/crypto.c
- src/gss_sec_ctx.c
- src/ntlm.c
- src/ntlm.h
- src/ntlm_crypto.c
- tests/ntlmssptest.c
- version.m4


Changes:

=====================================
.github/workflows/ccpp.yml
=====================================
@@ -42,7 +42,7 @@ jobs:
         elif command -v pacman; then
           pacman -Sy --noconfirm automake autoconf docbook-xml docbook-xsl doxygen libtool libxslt gcc libxml2 m4 make zlib
         fi
-    - uses: actions/checkout at v2
+    - uses: actions/checkout at v3
     - name: autoreconf
       run: autoreconf -fi
     - name: configure
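
Review bot: the checkout step is still referenced by a mutable major tag (v3 in place of v2), so whatever the tag points at on the day of the run is what executes in CI. Pin the action to a full commit SHA and keep the tag name in a trailing comment, so that an update to the action is a reviewed change in this file.
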
@@ -57,8 +57,8 @@ jobs:
     - name: make check
       run: make check
     - name: Upload logs
-      uses: actions/upload-artifact at v1
+      uses: actions/upload-artifact at v3
       if: failure()
       with:
-        name: testlogs
+        name: testlogs ${{ matrix.container }}
         path: test-suite.log
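
Review bot: the artifact name now interpolates ${{ matrix.container }} unmodified, and upload-artifact rejects names containing characters such as ":" or "/". If any matrix entry is an image reference with a tag or a registry path, this step will fail exactly when it is needed, since it only runs under if: failure(). Use a sanitized matrix key for the name instead. The same pinning point as for checkout applies to upload-artifact v3.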


=====================================
debian/changelog
=====================================
@@ -1,11 +1,18 @@
-gss-ntlmssp (1.2.0-2) UNRELEASED; urgency=medium
+gss-ntlmssp (1.3.1-1) unstable; urgency=medium
 
+  [ Debian Janitor ]
   * Trim trailing whitespace.
   * Use secure copyright file specification URI.
   * Set upstream metadata fields: Bug-Database, Bug-Submit, Repository-Browse.
   * Update standards version to 4.6.2, no changes needed.
 
- -- Debian Janitor <janitor at jelmer.uk>  Thu, 16 Feb 2023 14:16:33 -0000
+  [ Timo Aaltonen ]
+  * New upstream release.
+  * watch: Migrate to version 5.
+  * control: Migrate to pkgconf.
+  * Remove obsolete maintscripts.
+
+ -- Timo Aaltonen <tjaalton at debian.org>  Tue, 24 Feb 2026 10:45:53 +0200
 
 gss-ntlmssp (1.2.0-1) unstable; urgency=medium
 


=====================================
debian/control
=====================================
@@ -12,7 +12,7 @@ Build-Depends: debhelper-compat (= 13),
  libxml2-dev,
  libxml2-utils,
  libxslt1-dev,
- pkg-config,
+ pkgconf,
  quilt,
  xsltproc,
  zlib1g-dev,


=====================================
debian/gss-ntlmssp.postinst deleted
=====================================
@@ -1,7 +0,0 @@
-#!/bin/sh
-set -e
-
-dpkg-maintscript-helper rm_conffile \
-    /etc/gss/mech.d/mech.ntlmssp 0.7.0-2 gss-ntlmssp -- "$@"
-
-#DEBHELPER#


=====================================
debian/gss-ntlmssp.postrm deleted
=====================================
@@ -1,7 +0,0 @@
-#!/bin/sh
-set -e
-
-dpkg-maintscript-helper rm_conffile \
-    /etc/gss/mech.d/mech.ntlmssp 0.7.0-2 gss-ntlmssp -- "$@"
-
-#DEBHELPER#


=====================================
debian/gss-ntlmssp.preinst deleted
=====================================
@@ -1,7 +0,0 @@
-#!/bin/sh
-set -e
-
-dpkg-maintscript-helper rm_conffile \
-    /etc/gss/mech.d/mech.ntlmssp 0.7.0-2 gss-ntlmssp -- "$@"
-
-#DEBHELPER#


=====================================
debian/watch
=====================================
@@ -1,5 +1,4 @@
-version=4
-opts="\
-    filenamemangle=s%v at ANY_VERSION@%gss-ntlmssp-$1.tar.gz%, \
-    downloadurlmangle=s#/tag/#/download/#;s#@ANY_VERSION@$#$1/gssntlmssp-$1.tar.gz#" \
-https://github.com/gssapi/@PACKAGE@/tags .*/releases/tag/v at ANY_VERSION@
+Version: 5
+
+Source: https://github.com/gssapi/gss-ntlmssp/tags
+Filename-Mangle: s/@ANY_VERSION@$/gss-ntlmssp-$1/


=====================================
src/crypto.c
=====================================
@@ -98,15 +98,18 @@ typedef struct ossl3_library_context {
     OSSL_PROVIDER *default_provider;
 } ossl3_context_t;
 
-static ossl3_context_t *init_ossl3_ctx()
+static pthread_once_t global_ossl3_ctx_init = PTHREAD_ONCE_INIT;
+static ossl3_context_t *global_ossl3_ctx = NULL;
+
+static void init_global_ossl3_ctx(void)
 {
     ossl3_context_t *ctx = OPENSSL_malloc(sizeof(ossl3_context_t));
-    if (!ctx) return NULL;
+    if (!ctx) return;
 
     ctx->libctx = OSSL_LIB_CTX_new();
     if (!ctx->libctx) {
         OPENSSL_free(ctx);
-        return NULL;
+        return;
     }
 
     /* Load both legacy and default provider as both may be needed */
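
Review bot: init_global_ossl3_ctx() now returns void, so when OPENSSL_malloc or OSSL_LIB_CTX_new fails the only trace is global_ossl3_ctx staying NULL, and because the call sits behind pthread_once it is never retried. One transient allocation failure therefore makes every later MD4_HASH call in the process return ERR_CRYPTO. If that trade-off is intended, say so in a comment above the pthread_once_t declaration; otherwise guard the initialisation with a mutex and a NULL check so a failed attempt can be repeated.
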
@@ -114,11 +117,25 @@ static ossl3_context_t *init_ossl3_ctx()
      * fetch the cipher later */
     ctx->legacy_provider = OSSL_PROVIDER_load(ctx->libctx, "legacy");
     ctx->default_provider = OSSL_PROVIDER_load(ctx->libctx, "default");
-    return ctx;
+    global_ossl3_ctx = ctx;
+}
+
+static ossl3_context_t *get_ossl3_ctx()
+{
+    int ret;
+
+    ret = pthread_once(&global_ossl3_ctx_init, init_global_ossl3_ctx);
+    if (ret != 0) {
+        return NULL;
+    }
+
+    return global_ossl3_ctx;
 }
 
-static void free_ossl3_ctx(ossl3_context_t *ctx)
+__attribute__((destructor))
+static void free_ossl3_ctx()
 {
+    ossl3_context_t *ctx = global_ossl3_ctx;
     if (ctx == NULL) return;
     if (ctx->legacy_provider) OSSL_PROVIDER_unload(ctx->legacy_provider);
     if (ctx->default_provider) OSSL_PROVIDER_unload(ctx->default_provider);
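
Review bot: both OSSL_PROVIDER_load() results are stored unchecked before global_ossl3_ctx = ctx, so get_ossl3_ctx() can return a non-NULL context in which neither provider loaded, and with a process-wide context that state now persists until unload instead of lasting one call. Check that at least the provider needed for the later fetch loaded before publishing the pointer. In free_ossl3_ctx(), global_ossl3_ctx is left pointing at the context being torn down; set it to NULL at the end. get_ossl3_ctx() and free_ossl3_ctx() should also be declared with (void), as init_global_ossl3_ctx is.
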
@@ -178,7 +195,7 @@ int MD4_HASH(struct ntlm_buffer *payload,
     EVP_MD *md;
     int ret;
 
-    ossl3_ctx = init_ossl3_ctx();
+    ossl3_ctx = get_ossl3_ctx();
     if (ossl3_ctx == NULL) {
         ret = ERR_CRYPTO;
         goto done;
@@ -193,7 +210,6 @@ int MD4_HASH(struct ntlm_buffer *payload,
     ret = mdx_hash(md, payload, result);
 
 done:
-    free_ossl3_ctx(ossl3_ctx);
     return ret;
 #else
     return mdx_hash(EVP_md4(), payload, result);


=====================================
src/gss_sec_ctx.c
=====================================
@@ -756,7 +756,8 @@ uint32_t gssntlm_accept_sec_context(uint32_t *minor_status,
                                          nb_domain_name,
                                          server_name->data.server.name,
                                          NULL, NULL,
-                                         &av_flags, &timestamp,
+                                         av_flags ? &av_flags : NULL, /* don't include empty MsvAvFlags */
+                                         &timestamp,
                                          NULL,
                                          server_name->data.server.spn,
                                          NULL,
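
Review bot: the av_flags ? &av_flags : NULL argument has no test in this change set for the av_flags == 0 case; the only test added, test_bad_challenge, covers a NULL target name. Add a test that encodes a CHALLENGE with av_flags equal to zero and asserts the target info carries no MsvAvFlags entry. The trailing comment also makes this line much longer than its neighbours; move it to its own line above the call.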


=====================================
src/ntlm.c
=====================================
@@ -78,12 +78,12 @@ int ntlm_init_ctx(struct ntlm_ctx **ctx)
     _ctx = calloc(1, sizeof(struct ntlm_ctx));
     if (!_ctx) return ENOMEM;
 
-    _ctx->from_oem = iconv_open("UTF16LE", "UTF-8");
+    _ctx->from_oem = iconv_open("UTF-16LE", "UTF-8");
     if (_ctx->from_oem == (iconv_t) -1) {
         ret = errno;
     }
 
-    _ctx->to_oem = iconv_open("UTF-8", "UTF16LE");
+    _ctx->to_oem = iconv_open("UTF-8", "UTF-16LE");
     if (_ctx->to_oem == (iconv_t) -1) {
         iconv_close(_ctx->from_oem);
         ret = errno;
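
Review bot: in the to_oem failure branch, iconv_close(_ctx->from_oem) runs before ret = errno, so the errno left by the failed iconv_open can be overwritten by the close, and if the first iconv_open also failed the close is called on (iconv_t) -1. Save errno first and close from_oem only when it is valid. The first failure branch also just sets ret and falls through into the second iconv_open, so a later success path can mask it; worth fixing while these lines are being touched.
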
@@ -325,7 +325,9 @@ done:
         safefree(out);
     } else {
         /* make sure to terminate output string */
-        out[outlen] = '\0';
+        if (out) {
+            out[outlen] = '\0';
+        }
     }
 
     *str = out;
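
Review bot: with the new if (out) guard in the else branch, this function can leave *str set to NULL without reporting an error, and nothing in the hunk documents that. Add a comment at the function head stating that a NULL result means the string is absent, and check that every caller tests the pointer before use; test_bad_challenge only exercises the target name path.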


=====================================
src/ntlm.h
=====================================
@@ -1,45 +1,45 @@
 /* Copyright 2013 Simo Sorce <simo at samba.org>, see COPYING for license */
 
 #ifndef _NTLM_H_
-#define _NTLM_H
+#define _NTLM_H_
 
 #include <stdbool.h>
 
 #include "ntlm_common.h"
 
 /* Negotiate Flags */
-#define NTLMSSP_NEGOTIATE_56                        (1 << 31)
-#define NTLMSSP_NEGOTIATE_KEY_EXCH                  (1 << 30)
-#define NTLMSSP_NEGOTIATE_128                       (1 << 29)
-#define UNUSED_R1                                   (1 << 28)
-#define UNUSED_R2                                   (1 << 27)
-#define UNUSED_R3                                   (1 << 26)
-#define NTLMSSP_NEGOTIATE_VERSION                   (1 << 25)
-#define UNUSED_R4                                   (1 << 24)
-#define NTLMSSP_NEGOTIATE_TARGET_INFO               (1 << 23)
-#define NTLMSSP_REQUEST_NON_NT_SESSION_KEY          (1 << 22)
-#define UNUSED_R5 /* Davenport: NEGOTIATE_ACCEPT */ (1 << 21)
-#define NTLMSSP_NEGOTIATE_IDENTIFY                  (1 << 20)
-#define NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY  (1 << 19)
-#define UNUSED_R6 /* Davenport:TARGET_TYPE_SHARE */ (1 << 18)
-#define NTLMSSP_TARGET_TYPE_SERVER                  (1 << 17)
-#define NTLMSSP_TARGET_TYPE_DOMAIN                  (1 << 16)
-#define NTLMSSP_NEGOTIATE_ALWAYS_SIGN               (1 << 15)
-#define UNUSED_R7 /* Davenport:LOCAL_CALL */        (1 << 14)
-#define NTLMSSP_NEGOTIATE_OEM_WORKSTATION_SUPPLIED  (1 << 13)
-#define NTLMSSP_NEGOTIATE_OEM_DOMAIN_SUPPLIED       (1 << 12)
-#define NTLMSSP_ANONYMOUS                           (1 << 11)
-#define UNUSED_R8                                   (1 << 10)
-#define NTLMSSP_NEGOTIATE_NTLM                      (1 << 9)
-#define UNUSED_R9                                   (1 << 8)
-#define NTLMSSP_NEGOTIATE_LM_KEY                    (1 << 7)
-#define NTLMSSP_NEGOTIATE_DATAGRAM                  (1 << 6)
-#define NTLMSSP_NEGOTIATE_SEAL                      (1 << 5)
-#define NTLMSSP_NEGOTIATE_SIGN                      (1 << 4)
-#define UNUSED_R10                                  (1 << 3)
-#define NTLMSSP_REQUEST_TARGET                      (1 << 2)
-#define NTLMSSP_NEGOTIATE_OEM                       (1 << 1)
-#define NTLMSSP_NEGOTIATE_UNICODE                   (1 << 0)
+#define NTLMSSP_NEGOTIATE_56                        (1U << 31)
+#define NTLMSSP_NEGOTIATE_KEY_EXCH                  (1U << 30)
+#define NTLMSSP_NEGOTIATE_128                       (1U << 29)
+#define UNUSED_R1                                   (1U << 28)
+#define UNUSED_R2                                   (1U << 27)
+#define UNUSED_R3                                   (1U << 26)
+#define NTLMSSP_NEGOTIATE_VERSION                   (1U << 25)
+#define UNUSED_R4                                   (1U << 24)
+#define NTLMSSP_NEGOTIATE_TARGET_INFO               (1U << 23)
+#define NTLMSSP_REQUEST_NON_NT_SESSION_KEY          (1U << 22)
+#define UNUSED_R5 /* Davenport: NEGOTIATE_ACCEPT */ (1U << 21)
+#define NTLMSSP_NEGOTIATE_IDENTIFY                  (1U << 20)
+#define NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY  (1U << 19)
+#define UNUSED_R6 /* Davenport:TARGET_TYPE_SHARE */ (1U << 18)
+#define NTLMSSP_TARGET_TYPE_SERVER                  (1U << 17)
+#define NTLMSSP_TARGET_TYPE_DOMAIN                  (1U << 16)
+#define NTLMSSP_NEGOTIATE_ALWAYS_SIGN               (1U << 15)
+#define UNUSED_R7 /* Davenport:LOCAL_CALL */        (1U << 14)
+#define NTLMSSP_NEGOTIATE_OEM_WORKSTATION_SUPPLIED  (1U << 13)
+#define NTLMSSP_NEGOTIATE_OEM_DOMAIN_SUPPLIED       (1U << 12)
+#define NTLMSSP_ANONYMOUS                           (1U << 11)
+#define UNUSED_R8                                   (1U << 10)
+#define NTLMSSP_NEGOTIATE_NTLM                      (1U << 9)
+#define UNUSED_R9                                   (1U << 8)
+#define NTLMSSP_NEGOTIATE_LM_KEY                    (1U << 7)
+#define NTLMSSP_NEGOTIATE_DATAGRAM                  (1U << 6)
+#define NTLMSSP_NEGOTIATE_SEAL                      (1U << 5)
+#define NTLMSSP_NEGOTIATE_SIGN                      (1U << 4)
+#define UNUSED_R10                                  (1U << 3)
+#define NTLMSSP_REQUEST_TARGET                      (1U << 2)
+#define NTLMSSP_NEGOTIATE_OEM                       (1U << 1)
+#define NTLMSSP_NEGOTIATE_UNICODE                   (1U << 0)
 
 /* (2.2.2.10 VERSION) */
 #define WINDOWS_MAJOR_VERSION_5 0x05
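
Review bot: 1U removes the shift into the sign bit, but the resulting type is still plain unsigned int, while these are bits of a 32-bit flags field (the test code holds them in uint32_t flags). Writing them as UINT32_C(1) << n with <stdint.h> included would state the width instead of relying on the platform. Separately, the corrected guard _NTLM_H_ begins with an underscore followed by a capital letter, which C reserves for the implementation; NTLM_H would avoid that.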


=====================================
src/ntlm_crypto.c
=====================================
@@ -50,7 +50,7 @@ int NTOWFv1(const char *password, struct ntlm_key *result)
     int ret;
 
     len = strlen(password);
-    retstr = u8_conv_to_encoding("UTF16LE", iconveh_error,
+    retstr = u8_conv_to_encoding("UTF-16LE", iconveh_error,
                                  (const uint8_t *)password, len,
                                  NULL, NULL, &out);
     if (!retstr) return ERR_CRYPTO;
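
Review bot: the encoding name is still a bare string literal at this call site, and the same literal is repeated in NTOWFv2 below and in both iconv_open calls in src/ntlm.c, which is how one misspelling ended up in four places. Define it once (for example a single macro in a shared header) and use that name everywhere, so a future change cannot leave the password hashing and the message encoding paths disagreeing on the encoding.
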
@@ -254,7 +254,7 @@ int NTOWFv2(struct ntlm_ctx *ctx, struct ntlm_key *nt_hash,
         offs += len;
     }
 
-    retstr = (uint8_t *)u8_conv_to_encoding("UTF16LE", iconveh_error,
+    retstr = (uint8_t *)u8_conv_to_encoding("UTF-16LE", iconveh_error,
                                             upcased, offs, NULL, NULL, &out);
     if (!retstr) return ERR_CRYPTO;
 


=====================================
tests/ntlmssptest.c
=====================================
@@ -3132,6 +3132,48 @@ int test_debug(void)
     return 0;
 }
 
+int test_bad_challenge(struct ntlm_ctx *ctx)
+{
+    struct ntlm_buffer challenge = { T_ServerChallenge, 8 };
+    struct ntlm_buffer message = { 0 };
+    struct wire_chal_msg *msg;
+    uint32_t type;
+    uint32_t flags;
+    char *target_name = NULL;
+    uint8_t chal[8];
+    struct ntlm_buffer rchallenge = { chal, 8 };
+    int ret;
+
+    /* check we can decode encode/decode NULL target_name */
+    flags = T_NTLMv1.ChallengeFlags &
+                ~(NTLMSSP_TARGET_TYPE_SERVER | NTLMSSP_TARGET_TYPE_DOMAIN);
+    flags |= NTLMSSP_NEGOTIATE_UNICODE;
+
+    ret = ntlm_encode_chal_msg(ctx, flags, NULL,
+                               &challenge, NULL, &message);
+    if (ret) return ret;
+
+    /* Doctor the message to set back NTLMSSP_TARGET_TYPE_SERVER */
+    msg = (struct wire_chal_msg *)message.data;
+    msg->neg_flags |= NTLMSSP_TARGET_TYPE_SERVER;
+
+    ret = ntlm_decode_msg_type(ctx, &message, &type);
+    if (ret) return ret;
+    if (type != 2) return EINVAL;
+
+    ret = ntlm_decode_chal_msg(ctx, &message, &flags, &target_name,
+                               &rchallenge, NULL);
+    if (ret) return ret;
+
+    if (target_name != NULL) {
+        ret = EINVAL;
+        free(target_name);
+    }
+    free(message.data);
+
+    return ret;
+}
+
 int main(int argc, const char *argv[])
 {
     struct ntlm_ctx *ctx;
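
Review bot: in test_bad_challenge, every "if (ret) return ret;" and the "return EINVAL" after ntlm_encode_chal_msg has succeeded skips free(message.data), so the failure paths leak the encoded message; route them through a single cleanup label. The line msg->neg_flags |= NTLMSSP_TARGET_TYPE_SERVER also ORs a host-order constant into a field of a wire structure, which sets a different bit on a big-endian host unless the field is converted first. The comment "check we can decode encode/decode" has a stray word.
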
@@ -3367,6 +3409,11 @@ int main(int argc, const char *argv[])
     fprintf(stderr, "Test: %s\n", (ret ? "FAIL":"SUCCESS"));
     if (ret) gret++;
 
+    fprintf(stderr, "Test Bad Challenge Message\n");
+    ret = test_bad_challenge(ctx);
+    fprintf(stderr, "Test: %s\n", (ret ? "FAIL":"SUCCESS"));
+    if (ret) gret++;
+
     fprintf(stderr, "Test Acquired cred from with no name\n");
     ret = test_ACQ_NO_NAME();
     fprintf(stderr, "Test: %s\n", (ret ? "FAIL":"SUCCESS"));


=====================================
version.m4
=====================================
@@ -1,5 +1,5 @@
 # Primary version number
-m4_define([VERSION_NUMBER], [1.2.0])
+m4_define([VERSION_NUMBER], [1.3.1])
 
 # If the PRERELEASE_VERSION_NUMBER is set, we'll append
 # it to the release tag when creating an RPM or SRPM



View it on GitLab: https://salsa.debian.org/freeipa-team/gss-ntlmssp/-/compare/443321e1062716dd0115b9fa79a00f9ac2e6c502...4438743c972fd2c10394855aa4bbe5347790a256
