FreeBSD Bugzilla – Attachment 236856 Details for
Bug 266641
net/samba413: Backport security fix from 4.14.14
Home
|
New
|
Browse
|
Search
|
[?]
|
Reports
|
Help
|
New Account
|
Log In
Remember
[x]
|
Forgot Password
Login:
[x]
[patch]
Patch file
net_samba413.patch (text/plain), 736.37 KB, created by
Yasuhiro Kimura
on 2022-09-27 03:26:34 UTC
(
hide
)
Description:
Patch file
Filename:
MIME Type:
Creator:
Yasuhiro Kimura
Created:
2022-09-27 03:26:34 UTC
Size:
736.37 KB
patch
obsolete
>From 0177f47c09f6b54cb35ce03d03b81f1fdce835bd Mon Sep 17 00:00:00 2001 >From: Yasuhiro Kimura <yasu@FreeBSD.org> >Date: Tue, 27 Sep 2022 08:47:17 +0900 >Subject: [PATCH] net/samba413: Backport security fix from 4.14.14 > >* Add upstream patch to fix configure error with Python 3.11. >* Fix plist error when AD_DC option is off and PYTHON3 option is on. >* Replace BIND911 option with BIND918 as dns/bind911 is removed from > ports tree and dns/bind918 is added instead. > >MFH: 2022Q3 >Security: CVE-2022-2031 >Security: CVE-2022-32742 >Security: CVE-2022-32744 >Security: CVE-2022-32745 >Security: CVE-2022-32746 >--- > net/samba413/Makefile | 8 +- > net/samba413/files/patch-samba-4.14.14 | 13366 +++++++++++++++++++++++ > net/samba413/files/patch-waf-2.0.20 | 1663 +++ > net/samba413/files/patch-waf-2.0.21 | 703 ++ > net/samba413/files/patch-waf-2.0.22 | 596 + > net/samba413/files/patch-waf-2.0.23 | 877 ++ > net/samba413/files/patch-waf-2.0.24 | 164 + > net/samba413/pkg-plist.ad_dc | 2 - > net/samba413/pkg-plist.python | 3 + > 9 files changed, 17376 insertions(+), 6 deletions(-) > create mode 100644 net/samba413/files/patch-samba-4.14.14 > create mode 100644 net/samba413/files/patch-waf-2.0.20 > create mode 100644 net/samba413/files/patch-waf-2.0.21 > create mode 100644 net/samba413/files/patch-waf-2.0.22 > create mode 100644 net/samba413/files/patch-waf-2.0.23 > create mode 100644 net/samba413/files/patch-waf-2.0.24 > >diff --git a/net/samba413/Makefile b/net/samba413/Makefile >index f1dea1c15f3d..ccbb438ecb6a 100644 >--- a/net/samba413/Makefile >+++ b/net/samba413/Makefile >@@ -1,6 +1,6 @@ > PORTNAME= ${SAMBA4_BASENAME}413 > PORTVERSION= ${SAMBA4_VERSION} >-PORTREVISION= 1 >+PORTREVISION= 2 > CATEGORIES?= net > MASTER_SITES= SAMBA/samba/stable SAMBA/samba/rc > DISTNAME= ${SAMBA4_DISTNAME} >@@ -96,7 +96,7 @@ OPTIONS_SINGLE_GSSAPI= GSSAPI_BUILTIN GSSAPI_MIT > OPTIONS_SINGLE_ZEROCONF= ZEROCONF_NONE AVAHI MDNSRESPONDER > > OPTIONS_RADIO= DNS >-OPTIONS_RADIO_DNS= NSUPDATE BIND911 BIND916 >+OPTIONS_RADIO_DNS= NSUPDATE BIND916 BIND918 > # Make those default options > OPTIONS_DEFAULT= AD_DC ADS DOCS FAM LDAP \ > PROFILE PYTHON3 QUOTAS SYSLOG UTMP \ >@@ -129,8 +129,8 @@ ZEROCONF_DESC= Zero configuration networking > ZEROCONF_NONE_DESC= Zeroconf support is absent > > DNS_DESC= DNS frontend >-BIND911_DESC= Use Bind 9.11 as AD DC DNS server frontend > BIND916_DESC= Use Bind 9.16 as AD DC DNS server frontend >+BIND918_DESC= Use Bind 9.18 as AD DC DNS server frontend > NSUPDATE_DESC= Use samba NSUPDATE utility for AD DC > ############################################################################## > # XXX: Unconditional dependencies which can't be switched off(if present in >@@ -299,8 +299,8 @@ MDNSRESPONDER_CONFIGURE_ENABLE= dnssd > MDNSRESPONDER_LIB_DEPENDS= libdns_sd.so:net/mDNSResponder > MDNSRESPONDER_VARS= SAMBA4_SERVICES+=mdnsd > ############################################################################## >-BIND911_RUN_DEPENDS= bind911>=9.11.0.0:dns/bind911 > BIND916_RUN_DEPENDS= bind916>=9.16.0.0:dns/bind916 >+BIND918_RUN_DEPENDS= bind918>=9.18.0.0:dns/bind918 > NSUPDATE_RUN_DEPENDS= samba-nsupdate:dns/samba-nsupdate > ############################################################################## > MEMORY_DEBUG_IMPLIES= DEBUG >diff --git a/net/samba413/files/patch-samba-4.14.14 b/net/samba413/files/patch-samba-4.14.14 >new file mode 100644 >index 000000000000..4127ab67308e >--- /dev/null >+++ b/net/samba413/files/patch-samba-4.14.14 >@@ -0,0 +1,13366 @@ >+From 5d958156c7e5d6c1da61d18fe4fd105b22639b56 Mon Sep 17 00:00:00 2001 >+From: Joseph Sutton <josephsutton@catalyst.net.nz> >+Date: Tue, 14 Jun 2022 21:09:53 +1200 >+Subject: [PATCH 01/99] CVE-2022-32746 s4/dsdb/objectclass_attrs: Fix typo >+ >+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15009 >+ >+Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> >+--- >+ source4/dsdb/samdb/ldb_modules/objectclass_attrs.c | 2 +- >+ 1 file changed, 1 insertion(+), 1 deletion(-) >+ >+diff --git source4/dsdb/samdb/ldb_modules/objectclass_attrs.c source4/dsdb/samdb/ldb_modules/objectclass_attrs.c >+index 6ab46a729a2..2a77353cdfc 100644 >+--- source4/dsdb/samdb/ldb_modules/objectclass_attrs.c >++++ source4/dsdb/samdb/ldb_modules/objectclass_attrs.c >+@@ -263,7 +263,7 @@ static int attr_handler(struct oc_context *ac) >+ LDB_CONTROL_AS_SYSTEM_OID); >+ if (!dsdb_module_am_system(ac->module) && !as_system) { >+ ldb_asprintf_errstring(ldb, >+- "objectclass_attrs: attribute '%s' on entry '%s' must can only be modified as system", >++ "objectclass_attrs: attribute '%s' on entry '%s' can only be modified as system", >+ msg->elements[i].name, >+ ldb_dn_get_linearized(msg->dn)); >+ return LDB_ERR_CONSTRAINT_VIOLATION; >+-- >+2.25.1 >+ >+ >+From 51cbeff886fe01db463448f8655a43d10040dc8b Mon Sep 17 00:00:00 2001 >+From: Joseph Sutton <josephsutton@catalyst.net.nz> >+Date: Tue, 21 Jun 2022 15:37:15 +1200 >+Subject: [PATCH 02/99] CVE-2022-32746 s4:dsdb:tests: Add test for deleting a >+ disallowed SPN >+ >+If an account has an SPN that requires Write Property to set, we should >+still be able to delete it with just Validated Write. >+ >+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15009 >+ >+Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> >+--- >+ selftest/knownfail.d/acl-spn-delete | 1 + >+ source4/dsdb/tests/python/acl.py | 26 ++++++++++++++++++++++++++ >+ 2 files changed, 27 insertions(+) >+ create mode 100644 selftest/knownfail.d/acl-spn-delete >+ >+diff --git selftest/knownfail.d/acl-spn-delete selftest/knownfail.d/acl-spn-delete >+new file mode 100644 >+index 00000000000..32018413c49 >+--- /dev/null >++++ selftest/knownfail.d/acl-spn-delete >+@@ -0,0 +1 @@ >++^samba4.ldap.acl.python.*__main__.AclSPNTests.test_delete_disallowed_spn\( >+diff --git source4/dsdb/tests/python/acl.py source4/dsdb/tests/python/acl.py >+index df0fe12bf29..d90d3b3923f 100755 >+--- source4/dsdb/tests/python/acl.py >++++ source4/dsdb/tests/python/acl.py >+@@ -2286,6 +2286,32 @@ class AclSPNTests(AclTests): >+ else: >+ self.fail(f'able to add disallowed SPN {not_allowed_spn}') >+ >++ def test_delete_disallowed_spn(self): >++ # Grant Validated-SPN property. >++ mod = f'(OA;;SW;{security.GUID_DRS_VALIDATE_SPN};;{self.user_sid1})' >++ self.sd_utils.dacl_add_ace(self.computerdn, mod) >++ >++ spn_base = f'HOST/{self.computername}' >++ >++ not_allowed_spn = f'{spn_base}/{self.dcctx.get_domain_name()}' >++ >++ # Add a disallowed SPN as admin. >++ msg = Message(Dn(self.ldb_admin, self.computerdn)) >++ msg['servicePrincipalName'] = MessageElement(not_allowed_spn, >++ FLAG_MOD_ADD, >++ 'servicePrincipalName') >++ self.ldb_admin.modify(msg) >++ >++ # Ensure we are able to delete a disallowed SPN. >++ msg = Message(Dn(self.ldb_user1, self.computerdn)) >++ msg['servicePrincipalName'] = MessageElement(not_allowed_spn, >++ FLAG_MOD_DELETE, >++ 'servicePrincipalName') >++ try: >++ self.ldb_user1.modify(msg) >++ except LdbError: >++ self.fail(f'unable to delete disallowed SPN {not_allowed_spn}') >++ >+ >+ # tests SEC_ADS_LIST vs. SEC_ADS_LIST_OBJECT >+ @DynamicTestCase >+-- >+2.25.1 >+ >+ >+From a68553792a8512a2d266bbb86f064f78b5482a65 Mon Sep 17 00:00:00 2001 >+From: Joseph Sutton <josephsutton@catalyst.net.nz> >+Date: Tue, 21 Jun 2022 14:41:02 +1200 >+Subject: [PATCH 03/99] CVE-2022-32746 s4/dsdb/partition: Fix LDB flags >+ comparison >+ >+LDB_FLAG_MOD_* values are not actually flags, and the previous >+comparison was equivalent to >+ >+(req_msg->elements[el_idx].flags & LDB_FLAG_MOD_MASK) != 0 >+ >+which is true whenever any of the LDB_FLAG_MOD_* values are set. Correct >+the expression to what it was probably intended to be. >+ >+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15009 >+ >+Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> >+--- >+ source4/dsdb/samdb/ldb_modules/partition.c | 4 ++-- >+ 1 file changed, 2 insertions(+), 2 deletions(-) >+ >+diff --git source4/dsdb/samdb/ldb_modules/partition.c source4/dsdb/samdb/ldb_modules/partition.c >+index 2544a106d13..2d90ca5d1b3 100644 >+--- source4/dsdb/samdb/ldb_modules/partition.c >++++ source4/dsdb/samdb/ldb_modules/partition.c >+@@ -493,8 +493,8 @@ static int partition_copy_all_callback_action( >+ * them here too >+ */ >+ for (el_idx=0; el_idx < req_msg->num_elements; el_idx++) { >+- if (req_msg->elements[el_idx].flags & LDB_FLAG_MOD_DELETE >+- || ((req_msg->elements[el_idx].flags & LDB_FLAG_MOD_REPLACE) && >++ if (LDB_FLAG_MOD_TYPE(req_msg->elements[el_idx].flags) == LDB_FLAG_MOD_DELETE >++ || ((LDB_FLAG_MOD_TYPE(req_msg->elements[el_idx].flags) == LDB_FLAG_MOD_REPLACE) && >+ req_msg->elements[el_idx].num_values == 0)) { >+ if (ldb_msg_find_element(modify_msg, >+ req_msg->elements[el_idx].name) != NULL) { >+-- >+2.25.1 >+ >+ >+From 582ac171364f0c28f54eaf4f21b5bfa7569b5233 Mon Sep 17 00:00:00 2001 >+From: Joseph Sutton <josephsutton@catalyst.net.nz> >+Date: Tue, 21 Jun 2022 14:49:51 +1200 >+Subject: [PATCH 04/99] CVE-2022-32746 s4:torture: Fix LDB flags comparison >+ >+LDB_FLAG_MOD_* values are not actually flags, and the previous >+comparison was equivalent to >+ >+(el->flags & LDB_FLAG_MOD_MASK) == 0 >+ >+which is only true if none of the LDB_FLAG_MOD_* values are set. Correct >+the expression to what it was probably intended to be. >+ >+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15009 >+ >+Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> >+--- >+ source4/torture/drs/rpc/dssync.c | 4 +++- >+ 1 file changed, 3 insertions(+), 1 deletion(-) >+ >+diff --git source4/torture/drs/rpc/dssync.c source4/torture/drs/rpc/dssync.c >+index cde9f78692b..ff7ce2d9074 100644 >+--- source4/torture/drs/rpc/dssync.c >++++ source4/torture/drs/rpc/dssync.c >+@@ -527,7 +527,9 @@ static bool test_analyse_objects(struct torture_context *tctx, >+ el = &new_msg->elements[idx]; >+ a = dsdb_attribute_by_lDAPDisplayName(ldap_schema, >+ el->name); >+- if (!(el->flags & (LDB_FLAG_MOD_ADD|LDB_FLAG_MOD_REPLACE))) { >++ if (LDB_FLAG_MOD_TYPE(el->flags) != LDB_FLAG_MOD_ADD && >++ LDB_FLAG_MOD_TYPE(el->flags) != LDB_FLAG_MOD_REPLACE) >++ { >+ /* DRS only value */ >+ is_warning = false; >+ } else if (a->linkID & 1) { >+-- >+2.25.1 >+ >+ >+From 0526d27e9eddd9c2a54434cf0dcdb136a6c659e4 Mon Sep 17 00:00:00 2001 >+From: Joseph Sutton <josephsutton@catalyst.net.nz> >+Date: Tue, 21 Jun 2022 15:22:47 +1200 >+Subject: [PATCH 05/99] CVE-2022-32746 s4/dsdb/acl: Fix LDB flags comparison >+ >+LDB_FLAG_MOD_* values are not actually flags, and the previous >+comparison was equivalent to >+ >+(el->flags & LDB_FLAG_MOD_MASK) == 0 >+ >+which is only true if none of the LDB_FLAG_MOD_* values are set, so we >+would not successfully return if the element was a DELETE. Correct the >+expression to what it was intended to be. >+ >+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15009 >+ >+Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> >+--- >+ selftest/knownfail.d/acl-spn-delete | 1 - >+ source4/dsdb/samdb/ldb_modules/acl.c | 5 +++-- >+ 2 files changed, 3 insertions(+), 3 deletions(-) >+ delete mode 100644 selftest/knownfail.d/acl-spn-delete >+ >+diff --git selftest/knownfail.d/acl-spn-delete selftest/knownfail.d/acl-spn-delete >+deleted file mode 100644 >+index 32018413c49..00000000000 >+--- selftest/knownfail.d/acl-spn-delete >++++ /dev/null >+@@ -1 +0,0 @@ >+-^samba4.ldap.acl.python.*__main__.AclSPNTests.test_delete_disallowed_spn\( >+diff --git source4/dsdb/samdb/ldb_modules/acl.c source4/dsdb/samdb/ldb_modules/acl.c >+index 21e83276bfd..8016a2d4bd0 100644 >+--- source4/dsdb/samdb/ldb_modules/acl.c >++++ source4/dsdb/samdb/ldb_modules/acl.c >+@@ -734,8 +734,9 @@ static int acl_check_spn(TALLOC_CTX *mem_ctx, >+ * If not add or replace (eg delete), >+ * return success >+ */ >+- if ((el->flags >+- & (LDB_FLAG_MOD_ADD|LDB_FLAG_MOD_REPLACE)) == 0) { >++ if (LDB_FLAG_MOD_TYPE(el->flags) != LDB_FLAG_MOD_ADD && >++ LDB_FLAG_MOD_TYPE(el->flags) != LDB_FLAG_MOD_REPLACE) >++ { >+ talloc_free(tmp_ctx); >+ return LDB_SUCCESS; >+ } >+-- >+2.25.1 >+ >+ >+From 2869b5aa3148869edf0d079266542aef6e64608e Mon Sep 17 00:00:00 2001 >+From: Joseph Sutton <josephsutton@catalyst.net.nz> >+Date: Wed, 16 Feb 2022 12:43:52 +1300 >+Subject: [PATCH 06/99] CVE-2022-32746 ldb:rdn_name: Use LDB_FLAG_MOD_TYPE() >+ for flags equality check >+ >+Now unrelated flags will no longer affect the result. >+ >+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15009 >+ >+Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> >+--- >+ lib/ldb/modules/rdn_name.c | 2 +- >+ 1 file changed, 1 insertion(+), 1 deletion(-) >+ >+diff --git lib/ldb/modules/rdn_name.c lib/ldb/modules/rdn_name.c >+index e69ad9315ae..25cffe07591 100644 >+--- lib/ldb/modules/rdn_name.c >++++ lib/ldb/modules/rdn_name.c >+@@ -545,7 +545,7 @@ static int rdn_name_modify(struct ldb_module *module, struct ldb_request *req) >+ if (e != NULL) { >+ ldb_asprintf_errstring(ldb, "Modify of 'distinguishedName' on %s not permitted, must use 'rename' operation instead", >+ ldb_dn_get_linearized(req->op.mod.message->dn)); >+- if (e->flags == LDB_FLAG_MOD_REPLACE) { >++ if (LDB_FLAG_MOD_TYPE(e->flags) == LDB_FLAG_MOD_REPLACE) { >+ return LDB_ERR_CONSTRAINT_VIOLATION; >+ } else { >+ return LDB_ERR_UNWILLING_TO_PERFORM; >+-- >+2.25.1 >+ >+ >+From 535b5a366a2ad054f729e57e282e402cf13b2efc Mon Sep 17 00:00:00 2001 >+From: Joseph Sutton <josephsutton@catalyst.net.nz> >+Date: Tue, 14 Jun 2022 19:49:19 +1200 >+Subject: [PATCH 07/99] CVE-2022-32746 s4/dsdb/repl_meta_data: Use >+ LDB_FLAG_MOD_TYPE() for flags equality check >+ >+Now unrelated flags will no longer affect the result. >+ >+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15009 >+ >+Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> >+--- >+ source4/dsdb/samdb/ldb_modules/repl_meta_data.c | 8 ++++---- >+ 1 file changed, 4 insertions(+), 4 deletions(-) >+ >+diff --git source4/dsdb/samdb/ldb_modules/repl_meta_data.c source4/dsdb/samdb/ldb_modules/repl_meta_data.c >+index ab506cec488..29ffda75c87 100644 >+--- source4/dsdb/samdb/ldb_modules/repl_meta_data.c >++++ source4/dsdb/samdb/ldb_modules/repl_meta_data.c >+@@ -3525,7 +3525,7 @@ static int replmd_modify(struct ldb_module *module, struct ldb_request *req) >+ return ldb_module_operr(module); >+ } >+ >+- if (req->op.mod.message->elements[0].flags != LDB_FLAG_MOD_REPLACE) { >++ if (LDB_FLAG_MOD_TYPE(req->op.mod.message->elements[0].flags) != LDB_FLAG_MOD_REPLACE) { >+ return ldb_module_operr(module); >+ } >+ >+@@ -3558,11 +3558,11 @@ static int replmd_modify(struct ldb_module *module, struct ldb_request *req) >+ return ldb_module_operr(module); >+ } >+ >+- if (req->op.mod.message->elements[0].flags != LDB_FLAG_MOD_DELETE) { >++ if (LDB_FLAG_MOD_TYPE(req->op.mod.message->elements[0].flags) != LDB_FLAG_MOD_DELETE) { >+ return ldb_module_operr(module); >+ } >+ >+- if (req->op.mod.message->elements[1].flags != LDB_FLAG_MOD_ADD) { >++ if (LDB_FLAG_MOD_TYPE(req->op.mod.message->elements[1].flags) != LDB_FLAG_MOD_ADD) { >+ return ldb_module_operr(module); >+ } >+ >+@@ -3645,7 +3645,7 @@ static int replmd_modify(struct ldb_module *module, struct ldb_request *req) >+ return ldb_module_operr(module); >+ } >+ >+- if (msg->elements[0].flags != LDB_FLAG_MOD_ADD) { >++ if (LDB_FLAG_MOD_TYPE(msg->elements[0].flags) != LDB_FLAG_MOD_ADD) { >+ talloc_free(ac); >+ return ldb_module_operr(module); >+ } >+-- >+2.25.1 >+ >+ >+From bedd0b768c3f92645af033399aefd7ee971d9150 Mon Sep 17 00:00:00 2001 >+From: Joseph Sutton <josephsutton@catalyst.net.nz> >+Date: Tue, 14 Jun 2022 21:11:33 +1200 >+Subject: [PATCH 08/99] CVE-2022-32746 s4/dsdb/tombstone_reanimate: Use >+ LDB_FLAG_MOD_TYPE() for flags equality check >+ >+Now unrelated flags will no longer affect the result. >+ >+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15009 >+ >+Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> >+--- >+ source4/dsdb/samdb/ldb_modules/tombstone_reanimate.c | 4 ++-- >+ 1 file changed, 2 insertions(+), 2 deletions(-) >+ >+diff --git source4/dsdb/samdb/ldb_modules/tombstone_reanimate.c source4/dsdb/samdb/ldb_modules/tombstone_reanimate.c >+index 64e05195798..5f8911c66be 100644 >+--- source4/dsdb/samdb/ldb_modules/tombstone_reanimate.c >++++ source4/dsdb/samdb/ldb_modules/tombstone_reanimate.c >+@@ -104,7 +104,7 @@ static bool is_tombstone_reanimate_request(struct ldb_request *req, >+ if (el_dn == NULL) { >+ return false; >+ } >+- if (el_dn->flags != LDB_FLAG_MOD_REPLACE) { >++ if (LDB_FLAG_MOD_TYPE(el_dn->flags) != LDB_FLAG_MOD_REPLACE) { >+ return false; >+ } >+ if (el_dn->num_values != 1) { >+@@ -117,7 +117,7 @@ static bool is_tombstone_reanimate_request(struct ldb_request *req, >+ return false; >+ } >+ >+- if (el_deleted->flags != LDB_FLAG_MOD_DELETE) { >++ if (LDB_FLAG_MOD_TYPE(el_deleted->flags) != LDB_FLAG_MOD_DELETE) { >+ return false; >+ } >+ >+-- >+2.25.1 >+ >+ >+From 49dd9042f4ee380fa1dafcebcb54d0e1f0852463 Mon Sep 17 00:00:00 2001 >+From: Joseph Sutton <josephsutton@catalyst.net.nz> >+Date: Tue, 14 Jun 2022 21:12:39 +1200 >+Subject: [PATCH 09/99] CVE-2022-32746 s4/registry: Use LDB_FLAG_MOD_TYPE() for >+ flags equality check >+ >+Now unrelated flags will no longer affect the result. >+ >+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15009 >+ >+Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> >+--- >+ source4/lib/registry/ldb.c | 2 +- >+ 1 file changed, 1 insertion(+), 1 deletion(-) >+ >+diff --git source4/lib/registry/ldb.c source4/lib/registry/ldb.c >+index e089355975b..db383a560da 100644 >+--- source4/lib/registry/ldb.c >++++ source4/lib/registry/ldb.c >+@@ -859,7 +859,7 @@ static WERROR ldb_set_value(struct hive_key *parent, >+ >+ /* Try first a "modify" and if this doesn't work do try an "add" */ >+ for (i = 0; i < msg->num_elements; i++) { >+- if (msg->elements[i].flags != LDB_FLAG_MOD_DELETE) { >++ if (LDB_FLAG_MOD_TYPE(msg->elements[i].flags) != LDB_FLAG_MOD_DELETE) { >+ msg->elements[i].flags = LDB_FLAG_MOD_REPLACE; >+ } >+ } >+-- >+2.25.1 >+ >+ >+From faa61ab3053d077ac9d0aa67e955217e85b660f4 Mon Sep 17 00:00:00 2001 >+From: Joseph Sutton <josephsutton@catalyst.net.nz> >+Date: Mon, 21 Feb 2022 16:10:32 +1300 >+Subject: [PATCH 10/99] CVE-2022-32746 ldb: Add flag to mark message element >+ values as shared >+ >+When making a shallow copy of an ldb message, mark the message elements >+of the copy as sharing their values with the message elements in the >+original message. >+ >+This flag value will be heeded in the next commit. >+ >+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15009 >+ >+Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> >+--- >+ lib/ldb/common/ldb_msg.c | 43 +++++++++++++++++++++++++++++++----- >+ lib/ldb/include/ldb_module.h | 6 +++++ >+ 2 files changed, 43 insertions(+), 6 deletions(-) >+ >+diff --git lib/ldb/common/ldb_msg.c lib/ldb/common/ldb_msg.c >+index 57dfc5a04c2..2a9ce384bb9 100644 >+--- lib/ldb/common/ldb_msg.c >++++ lib/ldb/common/ldb_msg.c >+@@ -833,11 +833,7 @@ void ldb_msg_sort_elements(struct ldb_message *msg) >+ ldb_msg_element_compare_name); >+ } >+ >+-/* >+- shallow copy a message - copying only the elements array so that the caller >+- can safely add new elements without changing the message >+-*/ >+-struct ldb_message *ldb_msg_copy_shallow(TALLOC_CTX *mem_ctx, >++static struct ldb_message *ldb_msg_copy_shallow_impl(TALLOC_CTX *mem_ctx, >+ const struct ldb_message *msg) >+ { >+ struct ldb_message *msg2; >+@@ -863,6 +859,35 @@ failed: >+ return NULL; >+ } >+ >++/* >++ shallow copy a message - copying only the elements array so that the caller >++ can safely add new elements without changing the message >++*/ >++struct ldb_message *ldb_msg_copy_shallow(TALLOC_CTX *mem_ctx, >++ const struct ldb_message *msg) >++{ >++ struct ldb_message *msg2; >++ unsigned int i; >++ >++ msg2 = ldb_msg_copy_shallow_impl(mem_ctx, msg); >++ if (msg2 == NULL) { >++ return NULL; >++ } >++ >++ for (i = 0; i < msg2->num_elements; ++i) { >++ /* >++ * Mark this message's elements as sharing their values with the >++ * original message, so that we don't inadvertently modify or >++ * free them. We don't mark the original message element as >++ * shared, so the original message element should not be >++ * modified or freed while the shallow copy lives. >++ */ >++ struct ldb_message_element *el = &msg2->elements[i]; >++ el->flags |= LDB_FLAG_INTERNAL_SHARED_VALUES; >++ } >++ >++ return msg2; >++} >+ >+ /* >+ copy a message, allocating new memory for all parts >+@@ -873,7 +898,7 @@ struct ldb_message *ldb_msg_copy(TALLOC_CTX *mem_ctx, >+ struct ldb_message *msg2; >+ unsigned int i, j; >+ >+- msg2 = ldb_msg_copy_shallow(mem_ctx, msg); >++ msg2 = ldb_msg_copy_shallow_impl(mem_ctx, msg); >+ if (msg2 == NULL) return NULL; >+ >+ if (msg2->dn != NULL) { >+@@ -894,6 +919,12 @@ struct ldb_message *ldb_msg_copy(TALLOC_CTX *mem_ctx, >+ goto failed; >+ } >+ } >++ >++ /* >++ * Since we copied this element's values, we can mark them as >++ * not shared. >++ */ >++ el->flags &= ~LDB_FLAG_INTERNAL_SHARED_VALUES; >+ } >+ >+ return msg2; >+diff --git lib/ldb/include/ldb_module.h lib/ldb/include/ldb_module.h >+index 8c1e5ee7936..4c7c85a17f0 100644 >+--- lib/ldb/include/ldb_module.h >++++ lib/ldb/include/ldb_module.h >+@@ -96,6 +96,12 @@ struct ldb_module; >+ */ >+ #define LDB_FLAG_INTERNAL_FORCE_UNIQUE_INDEX 0x100 >+ >++/* >++ * indicates that this element's values are shared with another element (for >++ * example, in a shallow copy of an ldb_message) and should not be freed >++ */ >++#define LDB_FLAG_INTERNAL_SHARED_VALUES 0x200 >++ >+ /* an extended match rule that always fails to match */ >+ #define SAMBA_LDAP_MATCH_ALWAYS_FALSE "1.3.6.1.4.1.7165.4.5.1" >+ >+-- >+2.25.1 >+ >+ >+From 4e5fb78c3dcff60aa8fd4b07dad4660bbb30532b Mon Sep 17 00:00:00 2001 >+From: Joseph Sutton <josephsutton@catalyst.net.nz> >+Date: Wed, 16 Feb 2022 12:35:13 +1300 >+Subject: [PATCH 11/99] CVE-2022-32746 ldb: Ensure shallow copy modifications >+ do not affect original message >+ >+Using the newly added ldb flag, we can now detect when a message has >+been shallow-copied so that its elements share their values with the >+original message elements. Then when adding values to the copied >+message, we now make a copy of the shared values array first. >+ >+This should prevent a use-after-free that occurred in LDB modules when >+new values were added to a shallow copy of a message by calling >+talloc_realloc() on the original values array, invalidating the 'values' >+pointer in the original message element. The original values pointer can >+later be used in the database audit logging module which logs database >+requests, and potentially cause a crash. >+ >+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15009 >+ >+Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> >+--- >+ lib/ldb/common/ldb_msg.c | 52 ++++++++++++++++++++++++++++++++------ >+ lib/ldb/include/ldb.h | 6 +++++ >+ source4/dsdb/common/util.c | 20 +++++---------- >+ 3 files changed, 56 insertions(+), 22 deletions(-) >+ >+diff --git lib/ldb/common/ldb_msg.c lib/ldb/common/ldb_msg.c >+index 2a9ce384bb9..44d3b29e9a7 100644 >+--- lib/ldb/common/ldb_msg.c >++++ lib/ldb/common/ldb_msg.c >+@@ -417,6 +417,47 @@ int ldb_msg_add(struct ldb_message *msg, >+ return LDB_SUCCESS; >+ } >+ >++/* >++ * add a value to a message element >++ */ >++int ldb_msg_element_add_value(TALLOC_CTX *mem_ctx, >++ struct ldb_message_element *el, >++ const struct ldb_val *val) >++{ >++ struct ldb_val *vals; >++ >++ if (el->flags & LDB_FLAG_INTERNAL_SHARED_VALUES) { >++ /* >++ * Another message is using this message element's values array, >++ * so we don't want to make any modifications to the original >++ * message, or potentially invalidate its own values by calling >++ * talloc_realloc(). Make a copy instead. >++ */ >++ el->flags &= ~LDB_FLAG_INTERNAL_SHARED_VALUES; >++ >++ vals = talloc_array(mem_ctx, struct ldb_val, >++ el->num_values + 1); >++ if (vals == NULL) { >++ return LDB_ERR_OPERATIONS_ERROR; >++ } >++ >++ if (el->values != NULL) { >++ memcpy(vals, el->values, el->num_values * sizeof(struct ldb_val)); >++ } >++ } else { >++ vals = talloc_realloc(mem_ctx, el->values, struct ldb_val, >++ el->num_values + 1); >++ if (vals == NULL) { >++ return LDB_ERR_OPERATIONS_ERROR; >++ } >++ } >++ el->values = vals; >++ el->values[el->num_values] = *val; >++ el->num_values++; >++ >++ return LDB_SUCCESS; >++} >++ >+ /* >+ add a value to a message >+ */ >+@@ -426,7 +467,6 @@ int ldb_msg_add_value(struct ldb_message *msg, >+ struct ldb_message_element **return_el) >+ { >+ struct ldb_message_element *el; >+- struct ldb_val *vals; >+ int ret; >+ >+ el = ldb_msg_find_element(msg, attr_name); >+@@ -437,14 +477,10 @@ int ldb_msg_add_value(struct ldb_message *msg, >+ } >+ } >+ >+- vals = talloc_realloc(msg->elements, el->values, struct ldb_val, >+- el->num_values+1); >+- if (!vals) { >+- return LDB_ERR_OPERATIONS_ERROR; >++ ret = ldb_msg_element_add_value(msg->elements, el, val); >++ if (ret != LDB_SUCCESS) { >++ return ret; >+ } >+- el->values = vals; >+- el->values[el->num_values] = *val; >+- el->num_values++; >+ >+ if (return_el) { >+ *return_el = el; >+diff --git lib/ldb/include/ldb.h lib/ldb/include/ldb.h >+index bc44157eaf4..129beefeaf5 100644 >+--- lib/ldb/include/ldb.h >++++ lib/ldb/include/ldb.h >+@@ -1981,6 +1981,12 @@ int ldb_msg_add_empty(struct ldb_message *msg, >+ int flags, >+ struct ldb_message_element **return_el); >+ >++/** >++ add a value to a message element >++*/ >++int ldb_msg_element_add_value(TALLOC_CTX *mem_ctx, >++ struct ldb_message_element *el, >++ const struct ldb_val *val); >+ /** >+ add a element to a ldb_message >+ */ >+diff --git source4/dsdb/common/util.c source4/dsdb/common/util.c >+index 5ce4c0a5e33..577b2a33873 100644 >+--- source4/dsdb/common/util.c >++++ source4/dsdb/common/util.c >+@@ -816,7 +816,7 @@ int samdb_msg_add_addval(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, >+ const char *value) >+ { >+ struct ldb_message_element *el; >+- struct ldb_val val, *vals; >++ struct ldb_val val; >+ char *v; >+ unsigned int i; >+ bool found = false; >+@@ -851,14 +851,10 @@ int samdb_msg_add_addval(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, >+ } >+ } >+ >+- vals = talloc_realloc(msg->elements, el->values, struct ldb_val, >+- el->num_values + 1); >+- if (vals == NULL) { >++ ret = ldb_msg_element_add_value(msg->elements, el, &val); >++ if (ret != LDB_SUCCESS) { >+ return ldb_oom(sam_ldb); >+ } >+- el->values = vals; >+- el->values[el->num_values] = val; >+- ++(el->num_values); >+ >+ return LDB_SUCCESS; >+ } >+@@ -872,7 +868,7 @@ int samdb_msg_add_delval(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, >+ const char *value) >+ { >+ struct ldb_message_element *el; >+- struct ldb_val val, *vals; >++ struct ldb_val val; >+ char *v; >+ unsigned int i; >+ bool found = false; >+@@ -907,14 +903,10 @@ int samdb_msg_add_delval(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, >+ } >+ } >+ >+- vals = talloc_realloc(msg->elements, el->values, struct ldb_val, >+- el->num_values + 1); >+- if (vals == NULL) { >++ ret = ldb_msg_element_add_value(msg->elements, el, &val); >++ if (ret != LDB_SUCCESS) { >+ return ldb_oom(sam_ldb); >+ } >+- el->values = vals; >+- el->values[el->num_values] = val; >+- ++(el->num_values); >+ >+ return LDB_SUCCESS; >+ } >+-- >+2.25.1 >+ >+ >+From 512a2617b1593bdc16caeeeda4312a581cbb34e9 Mon Sep 17 00:00:00 2001 >+From: Joseph Sutton <josephsutton@catalyst.net.nz> >+Date: Wed, 16 Feb 2022 16:30:03 +1300 >+Subject: [PATCH 12/99] CVE-2022-32746 ldb: Add functions for appending to an >+ ldb_message >+ >+Currently, there are many places where we use ldb_msg_add_empty() to add >+an empty element to a message, and then call ldb_msg_add_value() or >+similar to add values to that element. However, this performs an >+unnecessary search of the message's elements to locate the new element. >+Moreover, if an element with the same attribute name already exists >+earlier in the message, the values will be added to that element, >+instead of to the intended newly added element. >+ >+A similar pattern exists where we add values to a message, and then call >+ldb_msg_find_element() to locate that message element and sets its flags >+to (e.g.) LDB_FLAG_MOD_REPLACE. This also performs an unnecessary >+search, and may locate the wrong message element for setting the flags. >+ >+To avoid these problems, add functions for appending a value to a >+message, so that a particular value can be added to the end of a message >+in a single operation. >+ >+For ADD requests, it is important that no two message elements share the >+same attribute name, otherwise things will break. (Normally, >+ldb_msg_normalize() is called before processing the request to help >+ensure this.) Thus, we must be careful not to append an attribute to an >+ADD message, unless we are sure (e.g. through ldb_msg_find_element()) >+that an existing element for that attribute is not present. >+ >+These functions will be used in the next commit. >+ >+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15009 >+ >+Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> >+--- >+ lib/ldb/common/ldb_msg.c | 165 ++++++++++++++++++++++++++++++++++++++- >+ lib/ldb/include/ldb.h | 24 ++++++ >+ 2 files changed, 185 insertions(+), 4 deletions(-) >+ >+diff --git lib/ldb/common/ldb_msg.c lib/ldb/common/ldb_msg.c >+index 44d3b29e9a7..9cd7998e21c 100644 >+--- lib/ldb/common/ldb_msg.c >++++ lib/ldb/common/ldb_msg.c >+@@ -509,12 +509,15 @@ int ldb_msg_add_steal_value(struct ldb_message *msg, >+ >+ >+ /* >+- add a string element to a message >++ add a string element to a message, specifying flags >+ */ >+-int ldb_msg_add_string(struct ldb_message *msg, >+- const char *attr_name, const char *str) >++int ldb_msg_add_string_flags(struct ldb_message *msg, >++ const char *attr_name, const char *str, >++ int flags) >+ { >+ struct ldb_val val; >++ int ret; >++ struct ldb_message_element *el = NULL; >+ >+ val.data = discard_const_p(uint8_t, str); >+ val.length = strlen(str); >+@@ -524,7 +527,25 @@ int ldb_msg_add_string(struct ldb_message *msg, >+ return LDB_SUCCESS; >+ } >+ >+- return ldb_msg_add_value(msg, attr_name, &val, NULL); >++ ret = ldb_msg_add_value(msg, attr_name, &val, &el); >++ if (ret != LDB_SUCCESS) { >++ return ret; >++ } >++ >++ if (flags != 0) { >++ el->flags = flags; >++ } >++ >++ return LDB_SUCCESS; >++} >++ >++/* >++ add a string element to a message >++*/ >++int ldb_msg_add_string(struct ldb_message *msg, >++ const char *attr_name, const char *str) >++{ >++ return ldb_msg_add_string_flags(msg, attr_name, str, 0); >+ } >+ >+ /* >+@@ -586,6 +607,142 @@ int ldb_msg_add_fmt(struct ldb_message *msg, >+ return ldb_msg_add_steal_value(msg, attr_name, &val); >+ } >+ >++static int ldb_msg_append_value_impl(struct ldb_message *msg, >++ const char *attr_name, >++ const struct ldb_val *val, >++ int flags, >++ struct ldb_message_element **return_el) >++{ >++ struct ldb_message_element *el = NULL; >++ int ret; >++ >++ ret = ldb_msg_add_empty(msg, attr_name, flags, &el); >++ if (ret != LDB_SUCCESS) { >++ return ret; >++ } >++ >++ ret = ldb_msg_element_add_value(msg->elements, el, val); >++ if (ret != LDB_SUCCESS) { >++ return ret; >++ } >++ >++ if (return_el != NULL) { >++ *return_el = el; >++ } >++ >++ return LDB_SUCCESS; >++} >++ >++/* >++ append a value to a message >++*/ >++int ldb_msg_append_value(struct ldb_message *msg, >++ const char *attr_name, >++ const struct ldb_val *val, >++ int flags) >++{ >++ return ldb_msg_append_value_impl(msg, attr_name, val, flags, NULL); >++} >++ >++/* >++ append a value to a message, stealing it into the 'right' place >++*/ >++int ldb_msg_append_steal_value(struct ldb_message *msg, >++ const char *attr_name, >++ struct ldb_val *val, >++ int flags) >++{ >++ int ret; >++ struct ldb_message_element *el = NULL; >++ >++ ret = ldb_msg_append_value_impl(msg, attr_name, val, flags, &el); >++ if (ret == LDB_SUCCESS) { >++ talloc_steal(el->values, val->data); >++ } >++ return ret; >++} >++ >++/* >++ append a string element to a message, stealing it into the 'right' place >++*/ >++int ldb_msg_append_steal_string(struct ldb_message *msg, >++ const char *attr_name, char *str, >++ int flags) >++{ >++ struct ldb_val val; >++ >++ val.data = (uint8_t *)str; >++ val.length = strlen(str); >++ >++ if (val.length == 0) { >++ /* allow empty strings as non-existent attributes */ >++ return LDB_SUCCESS; >++ } >++ >++ return ldb_msg_append_steal_value(msg, attr_name, &val, flags); >++} >++ >++/* >++ append a string element to a message >++*/ >++int ldb_msg_append_string(struct ldb_message *msg, >++ const char *attr_name, const char *str, int flags) >++{ >++ struct ldb_val val; >++ >++ val.data = discard_const_p(uint8_t, str); >++ val.length = strlen(str); >++ >++ if (val.length == 0) { >++ /* allow empty strings as non-existent attributes */ >++ return LDB_SUCCESS; >++ } >++ >++ return ldb_msg_append_value(msg, attr_name, &val, flags); >++} >++ >++/* >++ append a DN element to a message >++ WARNING: this uses the linearized string from the dn, and does not >++ copy the string. >++*/ >++int ldb_msg_append_linearized_dn(struct ldb_message *msg, const char *attr_name, >++ struct ldb_dn *dn, int flags) >++{ >++ char *str = ldb_dn_alloc_linearized(msg, dn); >++ >++ if (str == NULL) { >++ /* we don't want to have unknown DNs added */ >++ return LDB_ERR_OPERATIONS_ERROR; >++ } >++ >++ return ldb_msg_append_steal_string(msg, attr_name, str, flags); >++} >++ >++/* >++ append a printf formatted element to a message >++*/ >++int ldb_msg_append_fmt(struct ldb_message *msg, int flags, >++ const char *attr_name, const char *fmt, ...) >++{ >++ struct ldb_val val; >++ va_list ap; >++ char *str = NULL; >++ >++ va_start(ap, fmt); >++ str = talloc_vasprintf(msg, fmt, ap); >++ va_end(ap); >++ >++ if (str == NULL) { >++ return LDB_ERR_OPERATIONS_ERROR; >++ } >++ >++ val.data = (uint8_t *)str; >++ val.length = strlen(str); >++ >++ return ldb_msg_append_steal_value(msg, attr_name, &val, flags); >++} >++ >+ /* >+ compare two ldb_message_element structures >+ assumes case sensitive comparison >+diff --git lib/ldb/include/ldb.h lib/ldb/include/ldb.h >+index 129beefeaf5..63d8aedd672 100644 >+--- lib/ldb/include/ldb.h >++++ lib/ldb/include/ldb.h >+@@ -2002,12 +2002,36 @@ int ldb_msg_add_steal_value(struct ldb_message *msg, >+ struct ldb_val *val); >+ int ldb_msg_add_steal_string(struct ldb_message *msg, >+ const char *attr_name, char *str); >++int ldb_msg_add_string_flags(struct ldb_message *msg, >++ const char *attr_name, const char *str, >++ int flags); >+ int ldb_msg_add_string(struct ldb_message *msg, >+ const char *attr_name, const char *str); >+ int ldb_msg_add_linearized_dn(struct ldb_message *msg, const char *attr_name, >+ struct ldb_dn *dn); >+ int ldb_msg_add_fmt(struct ldb_message *msg, >+ const char *attr_name, const char *fmt, ...) PRINTF_ATTRIBUTE(3,4); >++/** >++ append a element to a ldb_message >++*/ >++int ldb_msg_append_value(struct ldb_message *msg, >++ const char *attr_name, >++ const struct ldb_val *val, >++ int flags); >++int ldb_msg_append_steal_value(struct ldb_message *msg, >++ const char *attr_name, >++ struct ldb_val *val, >++ int flags); >++int ldb_msg_append_steal_string(struct ldb_message *msg, >++ const char *attr_name, char *str, >++ int flags); >++int ldb_msg_append_string(struct ldb_message *msg, >++ const char *attr_name, const char *str, >++ int flags); >++int ldb_msg_append_linearized_dn(struct ldb_message *msg, const char *attr_name, >++ struct ldb_dn *dn, int flags); >++int ldb_msg_append_fmt(struct ldb_message *msg, int flags, >++ const char *attr_name, const char *fmt, ...) PRINTF_ATTRIBUTE(4,5); >+ >+ /** >+ compare two message elements - return 0 on match >+-- >+2.25.1 >+ >+ >+From f419753d1c7a373fb32ffe20930a6e084e44b44d Mon Sep 17 00:00:00 2001 >+From: Joseph Sutton <josephsutton@catalyst.net.nz> >+Date: Mon, 21 Feb 2022 16:27:37 +1300 >+Subject: [PATCH 13/99] CVE-2022-32746 ldb: Make use of functions for appending >+ to an ldb_message >+ >+This aims to minimise usage of the error-prone pattern of searching for >+a just-added message element in order to make modifications to it (and >+potentially finding the wrong element). >+ >+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15009 >+ >+Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> >+--- >+ lib/ldb/ldb_map/ldb_map.c | 5 +- >+ lib/ldb/ldb_map/ldb_map_inbound.c | 9 +- >+ lib/ldb/modules/rdn_name.c | 22 +--- >+ source3/passdb/pdb_samba_dsdb.c | 14 +-- >+ source4/dns_server/dnsserver_common.c | 12 +- >+ source4/dsdb/common/util.c | 114 ++++++++++++++---- >+ source4/dsdb/samdb/ldb_modules/descriptor.c | 10 +- >+ source4/dsdb/samdb/ldb_modules/objectguid.c | 20 +-- >+ .../dsdb/samdb/ldb_modules/partition_init.c | 14 +-- >+ .../dsdb/samdb/ldb_modules/repl_meta_data.c | 24 +--- >+ source4/dsdb/samdb/ldb_modules/samldb.c | 78 +++++------- >+ .../samdb/ldb_modules/tombstone_reanimate.c | 12 +- >+ source4/nbt_server/wins/winsdb.c | 13 +- >+ source4/rpc_server/lsa/dcesrv_lsa.c | 55 +++------ >+ source4/winbind/idmap.c | 10 +- >+ 15 files changed, 183 insertions(+), 229 deletions(-) >+ >+diff --git lib/ldb/ldb_map/ldb_map.c lib/ldb/ldb_map/ldb_map.c >+index b453dff80d2..c7b0c228631 100644 >+--- lib/ldb/ldb_map/ldb_map.c >++++ lib/ldb/ldb_map/ldb_map.c >+@@ -946,10 +946,7 @@ struct ldb_request *map_build_fixup_req(struct map_context *ac, >+ if ( ! dn || ! ldb_dn_validate(msg->dn)) { >+ goto failed; >+ } >+- if (ldb_msg_add_empty(msg, IS_MAPPED, LDB_FLAG_MOD_REPLACE, NULL) != 0) { >+- goto failed; >+- } >+- if (ldb_msg_add_string(msg, IS_MAPPED, dn) != 0) { >++ if (ldb_msg_append_string(msg, IS_MAPPED, dn, LDB_FLAG_MOD_REPLACE) != 0) { >+ goto failed; >+ } >+ >+diff --git lib/ldb/ldb_map/ldb_map_inbound.c lib/ldb/ldb_map/ldb_map_inbound.c >+index 324295737da..50b9427c26c 100644 >+--- lib/ldb/ldb_map/ldb_map_inbound.c >++++ lib/ldb/ldb_map/ldb_map_inbound.c >+@@ -569,12 +569,9 @@ static int map_modify_do_local(struct map_context *ac) >+ /* No local record present, add it instead */ >+ /* Add local 'IS_MAPPED' */ >+ /* TODO: use GUIDs here instead */ >+- if (ldb_msg_add_empty(ac->local_msg, IS_MAPPED, >+- LDB_FLAG_MOD_ADD, NULL) != 0) { >+- return LDB_ERR_OPERATIONS_ERROR; >+- } >+- ret = ldb_msg_add_linearized_dn(ac->local_msg, IS_MAPPED, >+- ac->remote_req->op.mod.message->dn); >++ ret = ldb_msg_append_linearized_dn(ac->local_msg, IS_MAPPED, >++ ac->remote_req->op.mod.message->dn, >++ LDB_FLAG_MOD_ADD); >+ if (ret != 0) { >+ return LDB_ERR_OPERATIONS_ERROR; >+ } >+diff --git lib/ldb/modules/rdn_name.c lib/ldb/modules/rdn_name.c >+index 25cffe07591..3cb62bf567b 100644 >+--- lib/ldb/modules/rdn_name.c >++++ lib/ldb/modules/rdn_name.c >+@@ -308,16 +308,10 @@ static int rdn_rename_callback(struct ldb_request *req, struct ldb_reply *ares) >+ } >+ rdn_val = ldb_val_dup(msg, rdn_val_p); >+ >+- if (ldb_msg_add_empty(msg, rdn_name, LDB_FLAG_MOD_REPLACE, NULL) != 0) { >++ if (ldb_msg_append_value(msg, rdn_name, &rdn_val, LDB_FLAG_MOD_REPLACE) != 0) { >+ goto error; >+ } >+- if (ldb_msg_add_value(msg, rdn_name, &rdn_val, NULL) != 0) { >+- goto error; >+- } >+- if (ldb_msg_add_empty(msg, "name", LDB_FLAG_MOD_REPLACE, NULL) != 0) { >+- goto error; >+- } >+- if (ldb_msg_add_value(msg, "name", &rdn_val, NULL) != 0) { >++ if (ldb_msg_append_value(msg, "name", &rdn_val, LDB_FLAG_MOD_REPLACE) != 0) { >+ goto error; >+ } >+ >+@@ -466,11 +460,7 @@ static int rdn_name_modify(struct ldb_module *module, struct ldb_request *req) >+ if (ret != 0) { >+ return ldb_module_oom(module); >+ } >+- ret = ldb_msg_add_empty(msg, rdn_name, LDB_FLAG_MOD_ADD, NULL); >+- if (ret != 0) { >+- return ldb_module_oom(module); >+- } >+- ret = ldb_msg_add_value(msg, rdn_name, &rdn_val, NULL); >++ ret = ldb_msg_append_value(msg, rdn_name, &rdn_val, LDB_FLAG_MOD_ADD); >+ if (ret != 0) { >+ return ldb_module_oom(module); >+ } >+@@ -479,11 +469,7 @@ static int rdn_name_modify(struct ldb_module *module, struct ldb_request *req) >+ if (ret != 0) { >+ return ldb_module_oom(module); >+ } >+- ret = ldb_msg_add_empty(msg, "name", LDB_FLAG_MOD_ADD, NULL); >+- if (ret != 0) { >+- return ldb_module_oom(module); >+- } >+- ret = ldb_msg_add_value(msg, "name", &rdn_val, NULL); >++ ret = ldb_msg_append_value(msg, "name", &rdn_val, LDB_FLAG_MOD_ADD); >+ if (ret != 0) { >+ return ldb_module_oom(module); >+ } >+diff --git source3/passdb/pdb_samba_dsdb.c source3/passdb/pdb_samba_dsdb.c >+index 93e8f5bebe6..b2063825c04 100644 >+--- source3/passdb/pdb_samba_dsdb.c >++++ source3/passdb/pdb_samba_dsdb.c >+@@ -2855,18 +2855,10 @@ static bool pdb_samba_dsdb_set_trusteddom_pw(struct pdb_methods *m, >+ } >+ >+ msg->num_elements = 0; >+- ret = ldb_msg_add_empty(msg, "trustAuthOutgoing", >+- LDB_FLAG_MOD_REPLACE, NULL); >++ ret = ldb_msg_append_value(msg, "trustAuthOutgoing", >++ &new_val, LDB_FLAG_MOD_REPLACE); >+ if (ret != LDB_SUCCESS) { >+- DEBUG(0, ("ldb_msg_add_empty() failed\n")); >+- TALLOC_FREE(tmp_ctx); >+- ldb_transaction_cancel(state->ldb); >+- return false; >+- } >+- ret = ldb_msg_add_value(msg, "trustAuthOutgoing", >+- &new_val, NULL); >+- if (ret != LDB_SUCCESS) { >+- DEBUG(0, ("ldb_msg_add_value() failed\n")); >++ DEBUG(0, ("ldb_msg_append_value() failed\n")); >+ TALLOC_FREE(tmp_ctx); >+ ldb_transaction_cancel(state->ldb); >+ return false; >+diff --git source4/dns_server/dnsserver_common.c source4/dns_server/dnsserver_common.c >+index bcb0d087faf..cb9a082ebf6 100644 >+--- source4/dns_server/dnsserver_common.c >++++ source4/dns_server/dnsserver_common.c >+@@ -1092,15 +1092,9 @@ WERROR dns_common_replace(struct ldb_context *samdb, >+ } >+ >+ if (was_tombstoned || become_tombstoned) { >+- ret = ldb_msg_add_empty(msg, "dNSTombstoned", >+- LDB_FLAG_MOD_REPLACE, NULL); >+- if (ret != LDB_SUCCESS) { >+- werr = DNS_ERR(SERVER_FAILURE); >+- goto exit; >+- } >+- >+- ret = ldb_msg_add_fmt(msg, "dNSTombstoned", "%s", >+- become_tombstoned ? "TRUE" : "FALSE"); >++ ret = ldb_msg_append_fmt(msg, LDB_FLAG_MOD_REPLACE, >++ "dNSTombstoned", "%s", >++ become_tombstoned ? "TRUE" : "FALSE"); >+ if (ret != LDB_SUCCESS) { >+ werr = DNS_ERR(SERVER_FAILURE); >+ goto exit; >+diff --git source4/dsdb/common/util.c source4/dsdb/common/util.c >+index 577b2a33873..10d6ea8883b 100644 >+--- source4/dsdb/common/util.c >++++ source4/dsdb/common/util.c >+@@ -924,6 +924,16 @@ int samdb_msg_add_int(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, struct l >+ return ldb_msg_add_string(msg, attr_name, s); >+ } >+ >++int samdb_msg_add_int_flags(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, struct ldb_message *msg, >++ const char *attr_name, int v, int flags) >++{ >++ const char *s = talloc_asprintf(mem_ctx, "%d", v); >++ if (s == NULL) { >++ return ldb_oom(sam_ldb); >++ } >++ return ldb_msg_add_string_flags(msg, attr_name, s, flags); >++} >++ >+ /* >+ * Add an unsigned int element to a message >+ * >+@@ -942,6 +952,12 @@ int samdb_msg_add_uint(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, struct >+ return samdb_msg_add_int(sam_ldb, mem_ctx, msg, attr_name, (int)v); >+ } >+ >++int samdb_msg_add_uint_flags(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, struct ldb_message *msg, >++ const char *attr_name, unsigned int v, int flags) >++{ >++ return samdb_msg_add_int_flags(sam_ldb, mem_ctx, msg, attr_name, (int)v, flags); >++} >++ >+ /* >+ add a (signed) int64_t element to a message >+ */ >+@@ -973,6 +989,68 @@ int samdb_msg_add_uint64(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, struc >+ return samdb_msg_add_int64(sam_ldb, mem_ctx, msg, attr_name, (int64_t)v); >+ } >+ >++/* >++ append a int element to a message >++*/ >++int samdb_msg_append_int(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, struct ldb_message *msg, >++ const char *attr_name, int v, int flags) >++{ >++ const char *s = talloc_asprintf(mem_ctx, "%d", v); >++ if (s == NULL) { >++ return ldb_oom(sam_ldb); >++ } >++ return ldb_msg_append_string(msg, attr_name, s, flags); >++} >++ >++/* >++ * Append an unsigned int element to a message >++ * >++ * The issue here is that we have not yet first cast to int32_t explicitly, >++ * before we cast to an signed int to printf() into the %d or cast to a >++ * int64_t before we then cast to a long long to printf into a %lld. >++ * >++ * There are *no* unsigned integers in Active Directory LDAP, even the RID >++ * allocations and ms-DS-Secondary-KrbTgt-Number are *signed* quantities. >++ * (See the schema, and the syntax definitions in schema_syntax.c). >++ * >++ */ >++int samdb_msg_append_uint(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, struct ldb_message *msg, >++ const char *attr_name, unsigned int v, int flags) >++{ >++ return samdb_msg_append_int(sam_ldb, mem_ctx, msg, attr_name, (int)v, flags); >++} >++ >++/* >++ append a (signed) int64_t element to a message >++*/ >++int samdb_msg_append_int64(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, struct ldb_message *msg, >++ const char *attr_name, int64_t v, int flags) >++{ >++ const char *s = talloc_asprintf(mem_ctx, "%lld", (long long)v); >++ if (s == NULL) { >++ return ldb_oom(sam_ldb); >++ } >++ return ldb_msg_append_string(msg, attr_name, s, flags); >++} >++ >++/* >++ * Append an unsigned int64_t (uint64_t) element to a message >++ * >++ * The issue here is that we have not yet first cast to int32_t explicitly, >++ * before we cast to an signed int to printf() into the %d or cast to a >++ * int64_t before we then cast to a long long to printf into a %lld. >++ * >++ * There are *no* unsigned integers in Active Directory LDAP, even the RID >++ * allocations and ms-DS-Secondary-KrbTgt-Number are *signed* quantities. >++ * (See the schema, and the syntax definitions in schema_syntax.c). >++ * >++ */ >++int samdb_msg_append_uint64(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, struct ldb_message *msg, >++ const char *attr_name, uint64_t v, int flags) >++{ >++ return samdb_msg_append_int64(sam_ldb, mem_ctx, msg, attr_name, (int64_t)v, flags); >++} >++ >+ /* >+ add a samr_Password element to a message >+ */ >+@@ -2814,15 +2892,8 @@ NTSTATUS samdb_set_password_sid(struct ldb_context *ldb, TALLOC_CTX *mem_ctx, >+ tdo_msg->num_elements = 0; >+ TALLOC_FREE(tdo_msg->elements); >+ >+- ret = ldb_msg_add_empty(tdo_msg, "trustAuthIncoming", >+- LDB_FLAG_MOD_REPLACE, NULL); >+- if (ret != LDB_SUCCESS) { >+- ldb_transaction_cancel(ldb); >+- TALLOC_FREE(frame); >+- return NT_STATUS_NO_MEMORY; >+- } >+- ret = ldb_msg_add_value(tdo_msg, "trustAuthIncoming", >+- &new_val, NULL); >++ ret = ldb_msg_append_value(tdo_msg, "trustAuthIncoming", >++ &new_val, LDB_FLAG_MOD_REPLACE); >+ if (ret != LDB_SUCCESS) { >+ ldb_transaction_cancel(ldb); >+ TALLOC_FREE(frame); >+@@ -3187,6 +3258,7 @@ int dsdb_find_guid_by_dn(struct ldb_context *ldb, >+ /* >+ adds the given GUID to the given ldb_message. This value is added >+ for the given attr_name (may be either "objectGUID" or "parentGUID"). >++ This function is used in processing 'add' requests. >+ */ >+ int dsdb_msg_add_guid(struct ldb_message *msg, >+ struct GUID *guid, >+@@ -5656,7 +5728,8 @@ int dsdb_user_obj_set_defaults(struct ldb_context *ldb, >+ } >+ >+ /** >+- * Sets 'sAMAccountType on user object based on userAccountControl >++ * Sets 'sAMAccountType on user object based on userAccountControl. >++ * This function is used in processing both 'add' and 'modify' requests. >+ * @param ldb Current ldb_context >+ * @param usr_obj ldb_message representing User object >+ * @param user_account_control Value for userAccountControl flags >+@@ -5668,21 +5741,19 @@ int dsdb_user_obj_set_account_type(struct ldb_context *ldb, struct ldb_message * >+ { >+ int ret; >+ uint32_t account_type; >+- struct ldb_message_element *el; >+ >+ account_type = ds_uf2atype(user_account_control); >+ if (account_type == 0) { >+ ldb_set_errstring(ldb, "dsdb: Unrecognized account type!"); >+ return LDB_ERR_UNWILLING_TO_PERFORM; >+ } >+- ret = samdb_msg_add_uint(ldb, usr_obj, usr_obj, >+- "sAMAccountType", >+- account_type); >++ ret = samdb_msg_add_uint_flags(ldb, usr_obj, usr_obj, >++ "sAMAccountType", >++ account_type, >++ LDB_FLAG_MOD_REPLACE); >+ if (ret != LDB_SUCCESS) { >+ return ret; >+ } >+- el = ldb_msg_find_element(usr_obj, "sAMAccountType"); >+- el->flags = LDB_FLAG_MOD_REPLACE; >+ >+ if (account_type_p) { >+ *account_type_p = account_type; >+@@ -5692,7 +5763,8 @@ int dsdb_user_obj_set_account_type(struct ldb_context *ldb, struct ldb_message * >+ } >+ >+ /** >+- * Determine and set primaryGroupID based on userAccountControl value >++ * Determine and set primaryGroupID based on userAccountControl value. >++ * This function is used in processing both 'add' and 'modify' requests. >+ * @param ldb Current ldb_context >+ * @param usr_obj ldb_message representing User object >+ * @param user_account_control Value for userAccountControl flags >+@@ -5704,17 +5776,15 @@ int dsdb_user_obj_set_primary_group_id(struct ldb_context *ldb, struct ldb_messa >+ { >+ int ret; >+ uint32_t rid; >+- struct ldb_message_element *el; >+ >+ rid = ds_uf2prim_group_rid(user_account_control); >+ >+- ret = samdb_msg_add_uint(ldb, usr_obj, usr_obj, >+- "primaryGroupID", rid); >++ ret = samdb_msg_add_uint_flags(ldb, usr_obj, usr_obj, >++ "primaryGroupID", rid, >++ LDB_FLAG_MOD_REPLACE); >+ if (ret != LDB_SUCCESS) { >+ return ret; >+ } >+- el = ldb_msg_find_element(usr_obj, "primaryGroupID"); >+- el->flags = LDB_FLAG_MOD_REPLACE; >+ >+ if (group_rid_p) { >+ *group_rid_p = rid; >+diff --git source4/dsdb/samdb/ldb_modules/descriptor.c source4/dsdb/samdb/ldb_modules/descriptor.c >+index daa08c2ebc7..4b01961dcb0 100644 >+--- source4/dsdb/samdb/ldb_modules/descriptor.c >++++ source4/dsdb/samdb/ldb_modules/descriptor.c >+@@ -857,14 +857,8 @@ static int descriptor_modify(struct ldb_module *module, struct ldb_request *req) >+ return ldb_module_done(req, NULL, NULL, LDB_SUCCESS); >+ } >+ >+- ret = ldb_msg_add_empty(msg, "nTSecurityDescriptor", >+- LDB_FLAG_MOD_REPLACE, >+- &sd_element); >+- if (ret != LDB_SUCCESS) { >+- return ldb_oom(ldb); >+- } >+- ret = ldb_msg_add_value(msg, "nTSecurityDescriptor", >+- sd, NULL); >++ ret = ldb_msg_append_value(msg, "nTSecurityDescriptor", >++ sd, LDB_FLAG_MOD_REPLACE); >+ if (ret != LDB_SUCCESS) { >+ return ldb_oom(ldb); >+ } >+diff --git source4/dsdb/samdb/ldb_modules/objectguid.c source4/dsdb/samdb/ldb_modules/objectguid.c >+index bc3260cf0d8..0fe995a5763 100644 >+--- source4/dsdb/samdb/ldb_modules/objectguid.c >++++ source4/dsdb/samdb/ldb_modules/objectguid.c >+@@ -41,7 +41,6 @@ >+ */ >+ static int add_time_element(struct ldb_message *msg, const char *attr, time_t t) >+ { >+- struct ldb_message_element *el; >+ char *s; >+ int ret; >+ >+@@ -54,16 +53,13 @@ static int add_time_element(struct ldb_message *msg, const char *attr, time_t t) >+ return LDB_ERR_OPERATIONS_ERROR; >+ } >+ >+- ret = ldb_msg_add_string(msg, attr, s); >++ /* always set as replace. This works because on add ops, the flag >++ is ignored */ >++ ret = ldb_msg_append_string(msg, attr, s, LDB_FLAG_MOD_REPLACE); >+ if (ret != LDB_SUCCESS) { >+ return ret; >+ } >+ >+- el = ldb_msg_find_element(msg, attr); >+- /* always set as replace. This works because on add ops, the flag >+- is ignored */ >+- el->flags = LDB_FLAG_MOD_REPLACE; >+- >+ return LDB_SUCCESS; >+ } >+ >+@@ -73,23 +69,19 @@ static int add_time_element(struct ldb_message *msg, const char *attr, time_t t) >+ static int add_uint64_element(struct ldb_context *ldb, struct ldb_message *msg, >+ const char *attr, uint64_t v) >+ { >+- struct ldb_message_element *el; >+ int ret; >+ >+ if (ldb_msg_find_element(msg, attr) != NULL) { >+ return LDB_SUCCESS; >+ } >+ >+- ret = samdb_msg_add_uint64(ldb, msg, msg, attr, v); >++ /* always set as replace. This works because on add ops, the flag >++ is ignored */ >++ ret = samdb_msg_append_uint64(ldb, msg, msg, attr, v, LDB_FLAG_MOD_REPLACE); >+ if (ret != LDB_SUCCESS) { >+ return ret; >+ } >+ >+- el = ldb_msg_find_element(msg, attr); >+- /* always set as replace. This works because on add ops, the flag >+- is ignored */ >+- el->flags = LDB_FLAG_MOD_REPLACE; >+- >+ return LDB_SUCCESS; >+ } >+ >+diff --git source4/dsdb/samdb/ldb_modules/partition_init.c source4/dsdb/samdb/ldb_modules/partition_init.c >+index 58c65ccedd0..484b5bffb27 100644 >+--- source4/dsdb/samdb/ldb_modules/partition_init.c >++++ source4/dsdb/samdb/ldb_modules/partition_init.c >+@@ -742,10 +742,6 @@ int partition_create(struct ldb_module *module, struct ldb_request *req) >+ } >+ >+ mod_msg->dn = ldb_dn_new(mod_msg, ldb, DSDB_PARTITION_DN); >+- ret = ldb_msg_add_empty(mod_msg, DSDB_PARTITION_ATTR, LDB_FLAG_MOD_ADD, NULL); >+- if (ret != LDB_SUCCESS) { >+- return ret; >+- } >+ >+ casefold_dn = ldb_dn_get_casefold(dn); >+ >+@@ -785,18 +781,16 @@ int partition_create(struct ldb_module *module, struct ldb_request *req) >+ } >+ partition_record = talloc_asprintf(mod_msg, "%s:%s", casefold_dn, filename); >+ >+- ret = ldb_msg_add_steal_string(mod_msg, DSDB_PARTITION_ATTR, partition_record); >++ ret = ldb_msg_append_steal_string(mod_msg, DSDB_PARTITION_ATTR, partition_record, >++ LDB_FLAG_MOD_ADD); >+ if (ret != LDB_SUCCESS) { >+ return ret; >+ } >+ >+ if (ldb_request_get_control(req, DSDB_CONTROL_PARTIAL_REPLICA)) { >+ /* this new partition is a partial replica */ >+- ret = ldb_msg_add_empty(mod_msg, "partialReplica", LDB_FLAG_MOD_ADD, NULL); >+- if (ret != LDB_SUCCESS) { >+- return ret; >+- } >+- ret = ldb_msg_add_fmt(mod_msg, "partialReplica", "%s", ldb_dn_get_linearized(dn)); >++ ret = ldb_msg_append_fmt(mod_msg, LDB_FLAG_MOD_ADD, >++ "partialReplica", "%s", ldb_dn_get_linearized(dn)); >+ if (ret != LDB_SUCCESS) { >+ return ret; >+ } >+diff --git source4/dsdb/samdb/ldb_modules/repl_meta_data.c source4/dsdb/samdb/ldb_modules/repl_meta_data.c >+index 29ffda75c87..eec1e639856 100644 >+--- source4/dsdb/samdb/ldb_modules/repl_meta_data.c >++++ source4/dsdb/samdb/ldb_modules/repl_meta_data.c >+@@ -3888,22 +3888,12 @@ static int replmd_rename_callback(struct ldb_request *req, struct ldb_reply *are >+ ldb_operr(ldb)); >+ } >+ >+- if (ldb_msg_add_empty(msg, rdn_name, LDB_FLAG_MOD_REPLACE, NULL) != 0) { >++ if (ldb_msg_append_value(msg, rdn_name, rdn_val, LDB_FLAG_MOD_REPLACE) != 0) { >+ talloc_free(ares); >+ return ldb_module_done(ac->req, NULL, NULL, >+ ldb_oom(ldb)); >+ } >+- if (ldb_msg_add_value(msg, rdn_name, rdn_val, NULL) != 0) { >+- talloc_free(ares); >+- return ldb_module_done(ac->req, NULL, NULL, >+- ldb_oom(ldb)); >+- } >+- if (ldb_msg_add_empty(msg, "name", LDB_FLAG_MOD_REPLACE, NULL) != 0) { >+- talloc_free(ares); >+- return ldb_module_done(ac->req, NULL, NULL, >+- ldb_oom(ldb)); >+- } >+- if (ldb_msg_add_value(msg, "name", rdn_val, NULL) != 0) { >++ if (ldb_msg_append_value(msg, "name", rdn_val, LDB_FLAG_MOD_REPLACE) != 0) { >+ talloc_free(ares); >+ return ldb_module_done(ac->req, NULL, NULL, >+ ldb_oom(ldb)); >+@@ -5161,16 +5151,10 @@ static int replmd_name_modify(struct replmd_replicated_request *ar, >+ goto failed; >+ } >+ >+- if (ldb_msg_add_empty(msg, rdn_name, LDB_FLAG_MOD_REPLACE, NULL) != 0) { >+- goto failed; >+- } >+- if (ldb_msg_add_value(msg, rdn_name, rdn_val, NULL) != 0) { >+- goto failed; >+- } >+- if (ldb_msg_add_empty(msg, "name", LDB_FLAG_MOD_REPLACE, NULL) != 0) { >++ if (ldb_msg_append_value(msg, rdn_name, rdn_val, LDB_FLAG_MOD_REPLACE) != 0) { >+ goto failed; >+ } >+- if (ldb_msg_add_value(msg, "name", rdn_val, NULL) != 0) { >++ if (ldb_msg_append_value(msg, "name", rdn_val, LDB_FLAG_MOD_REPLACE) != 0) { >+ goto failed; >+ } >+ >+diff --git source4/dsdb/samdb/ldb_modules/samldb.c source4/dsdb/samdb/ldb_modules/samldb.c >+index 5fb9c195c9a..107e643e492 100644 >+--- source4/dsdb/samdb/ldb_modules/samldb.c >++++ source4/dsdb/samdb/ldb_modules/samldb.c >+@@ -1103,14 +1103,11 @@ static int samldb_rodc_add(struct samldb_ctx *ac) >+ return LDB_ERR_OTHER; >+ >+ found: >+- ret = ldb_msg_add_empty(ac->msg, "msDS-SecondaryKrbTgtNumber", >+- LDB_FLAG_INTERNAL_DISABLE_VALIDATION, NULL); >+- if (ret != LDB_SUCCESS) { >+- return ldb_operr(ldb); >+- } >+ >+- ret = samdb_msg_add_uint(ldb, ac->msg, ac->msg, >+- "msDS-SecondaryKrbTgtNumber", krbtgt_number); >++ ldb_msg_remove_attr(ac->msg, "msDS-SecondaryKrbTgtNumber"); >++ ret = samdb_msg_append_uint(ldb, ac->msg, ac->msg, >++ "msDS-SecondaryKrbTgtNumber", krbtgt_number, >++ LDB_FLAG_INTERNAL_DISABLE_VALIDATION); >+ if (ret != LDB_SUCCESS) { >+ return ldb_operr(ldb); >+ } >+@@ -1792,7 +1789,7 @@ static int samldb_objectclass_trigger(struct samldb_ctx *ac) >+ struct ldb_context *ldb = ldb_module_get_ctx(ac->module); >+ void *skip_allocate_sids = ldb_get_opaque(ldb, >+ "skip_allocate_sids"); >+- struct ldb_message_element *el, *el2; >++ struct ldb_message_element *el; >+ struct dom_sid *sid; >+ int ret; >+ >+@@ -1926,23 +1923,17 @@ static int samldb_objectclass_trigger(struct samldb_ctx *ac) >+ /* "isCriticalSystemObject" might be set */ >+ if (user_account_control & >+ (UF_SERVER_TRUST_ACCOUNT | UF_PARTIAL_SECRETS_ACCOUNT)) { >+- ret = ldb_msg_add_string(ac->msg, "isCriticalSystemObject", >+- "TRUE"); >++ ret = ldb_msg_add_string_flags(ac->msg, "isCriticalSystemObject", >++ "TRUE", LDB_FLAG_MOD_REPLACE); >+ if (ret != LDB_SUCCESS) { >+ return ret; >+ } >+- el2 = ldb_msg_find_element(ac->msg, >+- "isCriticalSystemObject"); >+- el2->flags = LDB_FLAG_MOD_REPLACE; >+ } else if (user_account_control & UF_WORKSTATION_TRUST_ACCOUNT) { >+- ret = ldb_msg_add_string(ac->msg, "isCriticalSystemObject", >+- "FALSE"); >++ ret = ldb_msg_add_string_flags(ac->msg, "isCriticalSystemObject", >++ "FALSE", LDB_FLAG_MOD_REPLACE); >+ if (ret != LDB_SUCCESS) { >+ return ret; >+ } >+- el2 = ldb_msg_find_element(ac->msg, >+- "isCriticalSystemObject"); >+- el2->flags = LDB_FLAG_MOD_REPLACE; >+ } >+ >+ /* Step 1.4: "userAccountControl" -> "primaryGroupID" mapping */ >+@@ -2018,14 +2009,13 @@ static int samldb_objectclass_trigger(struct samldb_ctx *ac) >+ ldb_set_errstring(ldb, "samldb: Unrecognized account type!"); >+ return LDB_ERR_UNWILLING_TO_PERFORM; >+ } >+- ret = samdb_msg_add_uint(ldb, ac->msg, ac->msg, >+- "sAMAccountType", >+- account_type); >++ ret = samdb_msg_add_uint_flags(ldb, ac->msg, ac->msg, >++ "sAMAccountType", >++ account_type, >++ LDB_FLAG_MOD_REPLACE); >+ if (ret != LDB_SUCCESS) { >+ return ret; >+ } >+- el2 = ldb_msg_find_element(ac->msg, "sAMAccountType"); >+- el2->flags = LDB_FLAG_MOD_REPLACE; >+ } >+ break; >+ } >+@@ -2945,26 +2935,23 @@ static int samldb_user_account_control_change(struct samldb_ctx *ac) >+ } >+ >+ if (old_atype != new_atype) { >+- ret = samdb_msg_add_uint(ldb, ac->msg, ac->msg, >+- "sAMAccountType", new_atype); >++ ret = samdb_msg_append_uint(ldb, ac->msg, ac->msg, >++ "sAMAccountType", new_atype, >++ LDB_FLAG_MOD_REPLACE); >+ if (ret != LDB_SUCCESS) { >+ return ret; >+ } >+- el = ldb_msg_find_element(ac->msg, "sAMAccountType"); >+- el->flags = LDB_FLAG_MOD_REPLACE; >+ } >+ >+ /* As per MS-SAMR 3.1.1.8.10 these flags have not to be set */ >+ if ((clear_uac & UF_LOCKOUT) && (old_lockoutTime != 0)) { >+ /* "lockoutTime" reset as per MS-SAMR 3.1.1.8.10 */ >+ ldb_msg_remove_attr(ac->msg, "lockoutTime"); >+- ret = samdb_msg_add_uint64(ldb, ac->msg, ac->msg, "lockoutTime", >+- (NTTIME)0); >++ ret = samdb_msg_append_uint64(ldb, ac->msg, ac->msg, "lockoutTime", >++ (NTTIME)0, LDB_FLAG_MOD_REPLACE); >+ if (ret != LDB_SUCCESS) { >+ return ret; >+ } >+- el = ldb_msg_find_element(ac->msg, "lockoutTime"); >+- el->flags = LDB_FLAG_MOD_REPLACE; >+ } >+ >+ /* >+@@ -2975,14 +2962,12 @@ static int samldb_user_account_control_change(struct samldb_ctx *ac) >+ * creating the attribute. >+ */ >+ if (old_is_critical != new_is_critical || old_atype != new_atype) { >+- ret = ldb_msg_add_string(ac->msg, "isCriticalSystemObject", >+- new_is_critical ? "TRUE": "FALSE"); >++ ret = ldb_msg_append_string(ac->msg, "isCriticalSystemObject", >++ new_is_critical ? "TRUE": "FALSE", >++ LDB_FLAG_MOD_REPLACE); >+ if (ret != LDB_SUCCESS) { >+ return ret; >+ } >+- el = ldb_msg_find_element(ac->msg, >+- "isCriticalSystemObject"); >+- el->flags = LDB_FLAG_MOD_REPLACE; >+ } >+ >+ if (!ldb_msg_find_element(ac->msg, "primaryGroupID") && >+@@ -2995,14 +2980,12 @@ static int samldb_user_account_control_change(struct samldb_ctx *ac) >+ } >+ } >+ >+- ret = samdb_msg_add_uint(ldb, ac->msg, ac->msg, >+- "primaryGroupID", new_pgrid); >++ ret = samdb_msg_append_uint(ldb, ac->msg, ac->msg, >++ "primaryGroupID", new_pgrid, >++ LDB_FLAG_MOD_REPLACE); >+ if (ret != LDB_SUCCESS) { >+ return ret; >+ } >+- el = ldb_msg_find_element(ac->msg, >+- "primaryGroupID"); >+- el->flags = LDB_FLAG_MOD_REPLACE; >+ } >+ >+ /* Propagate eventual "userAccountControl" attribute changes */ >+@@ -3205,13 +3188,12 @@ static int samldb_lockout_time(struct samldb_ctx *ac) >+ >+ /* lockoutTime == 0 resets badPwdCount */ >+ ldb_msg_remove_attr(ac->msg, "badPwdCount"); >+- ret = samdb_msg_add_int(ldb, ac->msg, ac->msg, >+- "badPwdCount", 0); >++ ret = samdb_msg_append_int(ldb, ac->msg, ac->msg, >++ "badPwdCount", 0, >++ LDB_FLAG_MOD_REPLACE); >+ if (ret != LDB_SUCCESS) { >+ return ret; >+ } >+- el = ldb_msg_find_element(ac->msg, "badPwdCount"); >+- el->flags = LDB_FLAG_MOD_REPLACE; >+ >+ return LDB_SUCCESS; >+ } >+@@ -3309,13 +3291,11 @@ static int samldb_group_type_change(struct samldb_ctx *ac) >+ ldb_set_errstring(ldb, "samldb: Unrecognized account type!"); >+ return LDB_ERR_UNWILLING_TO_PERFORM; >+ } >+- ret = samdb_msg_add_uint(ldb, ac->msg, ac->msg, "sAMAccountType", >+- account_type); >++ ret = samdb_msg_append_uint(ldb, ac->msg, ac->msg, "sAMAccountType", >++ account_type, LDB_FLAG_MOD_REPLACE); >+ if (ret != LDB_SUCCESS) { >+ return ret; >+ } >+- el = ldb_msg_find_element(ac->msg, "sAMAccountType"); >+- el->flags = LDB_FLAG_MOD_REPLACE; >+ >+ return LDB_SUCCESS; >+ } >+diff --git source4/dsdb/samdb/ldb_modules/tombstone_reanimate.c source4/dsdb/samdb/ldb_modules/tombstone_reanimate.c >+index 5f8911c66be..99c5955e9e7 100644 >+--- source4/dsdb/samdb/ldb_modules/tombstone_reanimate.c >++++ source4/dsdb/samdb/ldb_modules/tombstone_reanimate.c >+@@ -294,14 +294,13 @@ static int tr_prepare_attributes(struct tr_context *ac) >+ return ldb_error(ldb, LDB_ERR_UNWILLING_TO_PERFORM, >+ "reanimate: Unrecognized account type!"); >+ } >+- ret = samdb_msg_add_uint(ldb, ac->mod_msg, ac->mod_msg, >+- "sAMAccountType", account_type); >++ ret = samdb_msg_append_uint(ldb, ac->mod_msg, ac->mod_msg, >++ "sAMAccountType", account_type, >++ LDB_FLAG_MOD_REPLACE); >+ if (ret != LDB_SUCCESS) { >+ return ldb_error(ldb, LDB_ERR_OPERATIONS_ERROR, >+ "reanimate: Failed to add sAMAccountType to restored object."); >+ } >+- el = ldb_msg_find_element(ac->mod_msg, "sAMAccountType"); >+- el->flags = LDB_FLAG_MOD_REPLACE; >+ >+ /* Default values set by Windows */ >+ ret = samdb_find_or_add_attribute(ldb, ac->mod_msg, >+@@ -324,12 +323,11 @@ static int tr_prepare_attributes(struct tr_context *ac) >+ return ret; >+ } >+ >+- ret = ldb_msg_add_string(ac->mod_msg, "objectCategory", value); >++ ret = ldb_msg_append_string(ac->mod_msg, "objectCategory", value, >++ LDB_FLAG_MOD_ADD); >+ if (ret != LDB_SUCCESS) { >+ return ret; >+ } >+- el = ldb_msg_find_element(ac->mod_msg, "objectCategory"); >+- el->flags = LDB_FLAG_MOD_ADD; >+ } >+ >+ return LDB_SUCCESS; >+diff --git source4/nbt_server/wins/winsdb.c source4/nbt_server/wins/winsdb.c >+index e4a7c2042ed..2a05e96bca4 100644 >+--- source4/nbt_server/wins/winsdb.c >++++ source4/nbt_server/wins/winsdb.c >+@@ -102,13 +102,11 @@ uint64_t winsdb_set_maxVersion(struct winsdb_handle *h, uint64_t newMaxVersion) >+ msg->dn = dn; >+ >+ >+- ret = ldb_msg_add_empty(msg, "objectClass", LDB_FLAG_MOD_REPLACE, NULL); >++ ret = ldb_msg_append_string(msg, "objectClass", "winsMaxVersion", >++ LDB_FLAG_MOD_REPLACE); >+ if (ret != LDB_SUCCESS) goto failed; >+- ret = ldb_msg_add_string(msg, "objectClass", "winsMaxVersion"); >+- if (ret != LDB_SUCCESS) goto failed; >+- ret = ldb_msg_add_empty(msg, "maxVersion", LDB_FLAG_MOD_REPLACE, NULL); >+- if (ret != LDB_SUCCESS) goto failed; >+- ret = ldb_msg_add_fmt(msg, "maxVersion", "%llu", (long long)newMaxVersion); >++ ret = ldb_msg_append_fmt(msg, LDB_FLAG_MOD_REPLACE, >++ "maxVersion", "%llu", (long long)newMaxVersion); >+ if (ret != LDB_SUCCESS) goto failed; >+ >+ ret = ldb_modify(wins_db, msg); >+@@ -779,8 +777,7 @@ static struct ldb_message *winsdb_message(struct ldb_context *ldb, >+ ret |= ldb_msg_add_winsdb_addr(msg, rec, "address", rec->addresses[i]); >+ } >+ if (rec->registered_by) { >+- ret |= ldb_msg_add_empty(msg, "registeredBy", 0, NULL); >+- ret |= ldb_msg_add_string(msg, "registeredBy", rec->registered_by); >++ ret |= ldb_msg_append_string(msg, "registeredBy", rec->registered_by, 0); >+ } >+ if (ret != LDB_SUCCESS) goto failed; >+ return msg; >+diff --git source4/rpc_server/lsa/dcesrv_lsa.c source4/rpc_server/lsa/dcesrv_lsa.c >+index 15b068aec62..a165ab2b9d6 100644 >+--- source4/rpc_server/lsa/dcesrv_lsa.c >++++ source4/rpc_server/lsa/dcesrv_lsa.c >+@@ -1778,12 +1778,7 @@ static NTSTATUS update_uint32_t_value(TALLOC_CTX *mem_ctx, >+ goto done; >+ } >+ >+- ret = ldb_msg_add_empty(dest, attribute, flags, NULL); >+- if (ret != LDB_SUCCESS) { >+- return NT_STATUS_NO_MEMORY; >+- } >+- >+- ret = samdb_msg_add_uint(sam_ldb, dest, dest, attribute, value); >++ ret = samdb_msg_append_uint(sam_ldb, dest, dest, attribute, value, flags); >+ if (ret != LDB_SUCCESS) { >+ return NT_STATUS_NO_MEMORY; >+ } >+@@ -1874,13 +1869,7 @@ static NTSTATUS update_trust_user(TALLOC_CTX *mem_ctx, >+ continue; >+ } >+ >+- ret = ldb_msg_add_empty(msg, attribute, >+- LDB_FLAG_MOD_REPLACE, NULL); >+- if (ret != LDB_SUCCESS) { >+- return NT_STATUS_NO_MEMORY; >+- } >+- >+- ret = ldb_msg_add_value(msg, attribute, &v, NULL); >++ ret = ldb_msg_append_value(msg, attribute, &v, LDB_FLAG_MOD_REPLACE); >+ if (ret != LDB_SUCCESS) { >+ return NT_STATUS_NO_MEMORY; >+ } >+@@ -2166,28 +2155,30 @@ static NTSTATUS setInfoTrustedDomain_base(struct dcesrv_call_state *dce_call, >+ } >+ >+ if (add_incoming || del_incoming) { >+- ret = ldb_msg_add_empty(msg, "trustAuthIncoming", >+- LDB_FLAG_MOD_REPLACE, NULL); >+- if (ret != LDB_SUCCESS) { >+- return NT_STATUS_NO_MEMORY; >+- } >+ if (add_incoming) { >+- ret = ldb_msg_add_value(msg, "trustAuthIncoming", >+- &trustAuthIncoming, NULL); >++ ret = ldb_msg_append_value(msg, "trustAuthIncoming", >++ &trustAuthIncoming, LDB_FLAG_MOD_REPLACE); >++ if (ret != LDB_SUCCESS) { >++ return NT_STATUS_NO_MEMORY; >++ } >++ } else { >++ ret = ldb_msg_add_empty(msg, "trustAuthIncoming", >++ LDB_FLAG_MOD_REPLACE, NULL); >+ if (ret != LDB_SUCCESS) { >+ return NT_STATUS_NO_MEMORY; >+ } >+ } >+ } >+ if (add_outgoing || del_outgoing) { >+- ret = ldb_msg_add_empty(msg, "trustAuthOutgoing", >+- LDB_FLAG_MOD_REPLACE, NULL); >+- if (ret != LDB_SUCCESS) { >+- return NT_STATUS_NO_MEMORY; >+- } >+ if (add_outgoing) { >+- ret = ldb_msg_add_value(msg, "trustAuthOutgoing", >+- &trustAuthOutgoing, NULL); >++ ret = ldb_msg_append_value(msg, "trustAuthOutgoing", >++ &trustAuthOutgoing, LDB_FLAG_MOD_REPLACE); >++ if (ret != LDB_SUCCESS) { >++ return NT_STATUS_NO_MEMORY; >++ } >++ } else { >++ ret = ldb_msg_add_empty(msg, "trustAuthOutgoing", >++ LDB_FLAG_MOD_REPLACE, NULL); >+ if (ret != LDB_SUCCESS) { >+ return NT_STATUS_NO_MEMORY; >+ } >+@@ -4635,14 +4626,8 @@ static NTSTATUS dcesrv_lsa_lsaRSetForestTrustInformation(struct dcesrv_call_stat >+ goto done; >+ } >+ >+- ret = ldb_msg_add_empty(msg, "msDS-TrustForestTrustInfo", >+- LDB_FLAG_MOD_REPLACE, NULL); >+- if (ret != LDB_SUCCESS) { >+- status = NT_STATUS_NO_MEMORY; >+- goto done; >+- } >+- ret = ldb_msg_add_value(msg, "msDS-TrustForestTrustInfo", >+- &ft_blob, NULL); >++ ret = ldb_msg_append_value(msg, "msDS-TrustForestTrustInfo", >++ &ft_blob, LDB_FLAG_MOD_REPLACE); >+ if (ret != LDB_SUCCESS) { >+ status = NT_STATUS_NO_MEMORY; >+ goto done; >+diff --git source4/winbind/idmap.c source4/winbind/idmap.c >+index c4039be473a..c6375f8357a 100644 >+--- source4/winbind/idmap.c >++++ source4/winbind/idmap.c >+@@ -672,14 +672,8 @@ static NTSTATUS idmap_sid_to_xid(struct idmap_context *idmap_ctx, >+ vals[1].data = (uint8_t *)hwm_string; >+ vals[1].length = strlen(hwm_string); >+ } else { >+- ret = ldb_msg_add_empty(hwm_msg, "xidNumber", LDB_FLAG_MOD_ADD, >+- NULL); >+- if (ret != LDB_SUCCESS) { >+- status = NT_STATUS_NONE_MAPPED; >+- goto failed; >+- } >+- >+- ret = ldb_msg_add_string(hwm_msg, "xidNumber", hwm_string); >++ ret = ldb_msg_append_string(hwm_msg, "xidNumber", hwm_string, >++ LDB_FLAG_MOD_ADD); >+ if (ret != LDB_SUCCESS) >+ { >+ status = NT_STATUS_NONE_MAPPED; >+-- >+2.25.1 >+ >+ >+From 7270b68386692829f97d5c51c50108db395b263e Mon Sep 17 00:00:00 2001 >+From: Andrew Bartlett <abartlet@samba.org> >+Date: Tue, 14 Jun 2022 15:43:26 +1200 >+Subject: [PATCH 14/99] CVE-2022-32746 ldb: Release LDB 2.3.4 >+ >+* CVE-2022-32746 Use-after-free occurring in database audit logging module (bug 15009) >+ >+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15009 >+ >+Signed-off-by: Andrew Bartlett <abartlet@samba.org> >+--- >+ lib/ldb/ABI/ldb-2.3.4.sigs | 291 ++++++++++++++++++++++++++++++ >+ lib/ldb/ABI/pyldb-util-2.3.4.sigs | 3 + >+ lib/ldb/wscript | 2 +- >+ 3 files changed, 295 insertions(+), 1 deletion(-) >+ create mode 100644 lib/ldb/ABI/ldb-2.3.4.sigs >+ create mode 100644 lib/ldb/ABI/pyldb-util-2.3.4.sigs >+ >+diff --git lib/ldb/ABI/ldb-2.3.4.sigs lib/ldb/ABI/ldb-2.3.4.sigs >+new file mode 100644 >+index 00000000000..40388d9e330 >+--- /dev/null >++++ lib/ldb/ABI/ldb-2.3.4.sigs >+@@ -0,0 +1,291 @@ >++ldb_add: int (struct ldb_context *, const struct ldb_message *) >++ldb_any_comparison: int (struct ldb_context *, void *, ldb_attr_handler_t, const struct ldb_val *, const struct ldb_val *) >++ldb_asprintf_errstring: void (struct ldb_context *, const char *, ...) >++ldb_attr_casefold: char *(TALLOC_CTX *, const char *) >++ldb_attr_dn: int (const char *) >++ldb_attr_in_list: int (const char * const *, const char *) >++ldb_attr_list_copy: const char **(TALLOC_CTX *, const char * const *) >++ldb_attr_list_copy_add: const char **(TALLOC_CTX *, const char * const *, const char *) >++ldb_base64_decode: int (char *) >++ldb_base64_encode: char *(TALLOC_CTX *, const char *, int) >++ldb_binary_decode: struct ldb_val (TALLOC_CTX *, const char *) >++ldb_binary_encode: char *(TALLOC_CTX *, struct ldb_val) >++ldb_binary_encode_string: char *(TALLOC_CTX *, const char *) >++ldb_build_add_req: int (struct ldb_request **, struct ldb_context *, TALLOC_CTX *, const struct ldb_message *, struct ldb_control **, void *, ldb_request_callback_t, struct ldb_request *) >++ldb_build_del_req: int (struct ldb_request **, struct ldb_context *, TALLOC_CTX *, struct ldb_dn *, struct ldb_control **, void *, ldb_request_callback_t, struct ldb_request *) >++ldb_build_extended_req: int (struct ldb_request **, struct ldb_context *, TALLOC_CTX *, const char *, void *, struct ldb_control **, void *, ldb_request_callback_t, struct ldb_request *) >++ldb_build_mod_req: int (struct ldb_request **, struct ldb_context *, TALLOC_CTX *, const struct ldb_message *, struct ldb_control **, void *, ldb_request_callback_t, struct ldb_request *) >++ldb_build_rename_req: int (struct ldb_request **, struct ldb_context *, TALLOC_CTX *, struct ldb_dn *, struct ldb_dn *, struct ldb_control **, void *, ldb_request_callback_t, struct ldb_request *) >++ldb_build_search_req: int (struct ldb_request **, struct ldb_context *, TALLOC_CTX *, struct ldb_dn *, enum ldb_scope, const char *, const char * const *, struct ldb_control **, void *, ldb_request_callback_t, struct ldb_request *) >++ldb_build_search_req_ex: int (struct ldb_request **, struct ldb_context *, TALLOC_CTX *, struct ldb_dn *, enum ldb_scope, struct ldb_parse_tree *, const char * const *, struct ldb_control **, void *, ldb_request_callback_t, struct ldb_request *) >++ldb_casefold: char *(struct ldb_context *, TALLOC_CTX *, const char *, size_t) >++ldb_casefold_default: char *(void *, TALLOC_CTX *, const char *, size_t) >++ldb_check_critical_controls: int (struct ldb_control **) >++ldb_comparison_binary: int (struct ldb_context *, void *, const struct ldb_val *, const struct ldb_val *) >++ldb_comparison_fold: int (struct ldb_context *, void *, const struct ldb_val *, const struct ldb_val *) >++ldb_connect: int (struct ldb_context *, const char *, unsigned int, const char **) >++ldb_control_to_string: char *(TALLOC_CTX *, const struct ldb_control *) >++ldb_controls_except_specified: struct ldb_control **(struct ldb_control **, TALLOC_CTX *, struct ldb_control *) >++ldb_debug: void (struct ldb_context *, enum ldb_debug_level, const char *, ...) >++ldb_debug_add: void (struct ldb_context *, const char *, ...) >++ldb_debug_end: void (struct ldb_context *, enum ldb_debug_level) >++ldb_debug_set: void (struct ldb_context *, enum ldb_debug_level, const char *, ...) >++ldb_delete: int (struct ldb_context *, struct ldb_dn *) >++ldb_dn_add_base: bool (struct ldb_dn *, struct ldb_dn *) >++ldb_dn_add_base_fmt: bool (struct ldb_dn *, const char *, ...) >++ldb_dn_add_child: bool (struct ldb_dn *, struct ldb_dn *) >++ldb_dn_add_child_fmt: bool (struct ldb_dn *, const char *, ...) >++ldb_dn_add_child_val: bool (struct ldb_dn *, const char *, struct ldb_val) >++ldb_dn_alloc_casefold: char *(TALLOC_CTX *, struct ldb_dn *) >++ldb_dn_alloc_linearized: char *(TALLOC_CTX *, struct ldb_dn *) >++ldb_dn_canonical_ex_string: char *(TALLOC_CTX *, struct ldb_dn *) >++ldb_dn_canonical_string: char *(TALLOC_CTX *, struct ldb_dn *) >++ldb_dn_check_local: bool (struct ldb_module *, struct ldb_dn *) >++ldb_dn_check_special: bool (struct ldb_dn *, const char *) >++ldb_dn_compare: int (struct ldb_dn *, struct ldb_dn *) >++ldb_dn_compare_base: int (struct ldb_dn *, struct ldb_dn *) >++ldb_dn_copy: struct ldb_dn *(TALLOC_CTX *, struct ldb_dn *) >++ldb_dn_escape_value: char *(TALLOC_CTX *, struct ldb_val) >++ldb_dn_extended_add_syntax: int (struct ldb_context *, unsigned int, const struct ldb_dn_extended_syntax *) >++ldb_dn_extended_filter: void (struct ldb_dn *, const char * const *) >++ldb_dn_extended_syntax_by_name: const struct ldb_dn_extended_syntax *(struct ldb_context *, const char *) >++ldb_dn_from_ldb_val: struct ldb_dn *(TALLOC_CTX *, struct ldb_context *, const struct ldb_val *) >++ldb_dn_get_casefold: const char *(struct ldb_dn *) >++ldb_dn_get_comp_num: int (struct ldb_dn *) >++ldb_dn_get_component_name: const char *(struct ldb_dn *, unsigned int) >++ldb_dn_get_component_val: const struct ldb_val *(struct ldb_dn *, unsigned int) >++ldb_dn_get_extended_comp_num: int (struct ldb_dn *) >++ldb_dn_get_extended_component: const struct ldb_val *(struct ldb_dn *, const char *) >++ldb_dn_get_extended_linearized: char *(TALLOC_CTX *, struct ldb_dn *, int) >++ldb_dn_get_ldb_context: struct ldb_context *(struct ldb_dn *) >++ldb_dn_get_linearized: const char *(struct ldb_dn *) >++ldb_dn_get_parent: struct ldb_dn *(TALLOC_CTX *, struct ldb_dn *) >++ldb_dn_get_rdn_name: const char *(struct ldb_dn *) >++ldb_dn_get_rdn_val: const struct ldb_val *(struct ldb_dn *) >++ldb_dn_has_extended: bool (struct ldb_dn *) >++ldb_dn_is_null: bool (struct ldb_dn *) >++ldb_dn_is_special: bool (struct ldb_dn *) >++ldb_dn_is_valid: bool (struct ldb_dn *) >++ldb_dn_map_local: struct ldb_dn *(struct ldb_module *, void *, struct ldb_dn *) >++ldb_dn_map_rebase_remote: struct ldb_dn *(struct ldb_module *, void *, struct ldb_dn *) >++ldb_dn_map_remote: struct ldb_dn *(struct ldb_module *, void *, struct ldb_dn *) >++ldb_dn_minimise: bool (struct ldb_dn *) >++ldb_dn_new: struct ldb_dn *(TALLOC_CTX *, struct ldb_context *, const char *) >++ldb_dn_new_fmt: struct ldb_dn *(TALLOC_CTX *, struct ldb_context *, const char *, ...) >++ldb_dn_remove_base_components: bool (struct ldb_dn *, unsigned int) >++ldb_dn_remove_child_components: bool (struct ldb_dn *, unsigned int) >++ldb_dn_remove_extended_components: void (struct ldb_dn *) >++ldb_dn_replace_components: bool (struct ldb_dn *, struct ldb_dn *) >++ldb_dn_set_component: int (struct ldb_dn *, int, const char *, const struct ldb_val) >++ldb_dn_set_extended_component: int (struct ldb_dn *, const char *, const struct ldb_val *) >++ldb_dn_update_components: int (struct ldb_dn *, const struct ldb_dn *) >++ldb_dn_validate: bool (struct ldb_dn *) >++ldb_dump_results: void (struct ldb_context *, struct ldb_result *, FILE *) >++ldb_error_at: int (struct ldb_context *, int, const char *, const char *, int) >++ldb_errstring: const char *(struct ldb_context *) >++ldb_extended: int (struct ldb_context *, const char *, void *, struct ldb_result **) >++ldb_extended_default_callback: int (struct ldb_request *, struct ldb_reply *) >++ldb_filter_attrs: int (struct ldb_context *, const struct ldb_message *, const char * const *, struct ldb_message *) >++ldb_filter_from_tree: char *(TALLOC_CTX *, const struct ldb_parse_tree *) >++ldb_get_config_basedn: struct ldb_dn *(struct ldb_context *) >++ldb_get_create_perms: unsigned int (struct ldb_context *) >++ldb_get_default_basedn: struct ldb_dn *(struct ldb_context *) >++ldb_get_event_context: struct tevent_context *(struct ldb_context *) >++ldb_get_flags: unsigned int (struct ldb_context *) >++ldb_get_opaque: void *(struct ldb_context *, const char *) >++ldb_get_root_basedn: struct ldb_dn *(struct ldb_context *) >++ldb_get_schema_basedn: struct ldb_dn *(struct ldb_context *) >++ldb_global_init: int (void) >++ldb_handle_get_event_context: struct tevent_context *(struct ldb_handle *) >++ldb_handle_new: struct ldb_handle *(TALLOC_CTX *, struct ldb_context *) >++ldb_handle_use_global_event_context: void (struct ldb_handle *) >++ldb_handler_copy: int (struct ldb_context *, void *, const struct ldb_val *, struct ldb_val *) >++ldb_handler_fold: int (struct ldb_context *, void *, const struct ldb_val *, struct ldb_val *) >++ldb_init: struct ldb_context *(TALLOC_CTX *, struct tevent_context *) >++ldb_ldif_message_redacted_string: char *(struct ldb_context *, TALLOC_CTX *, enum ldb_changetype, const struct ldb_message *) >++ldb_ldif_message_string: char *(struct ldb_context *, TALLOC_CTX *, enum ldb_changetype, const struct ldb_message *) >++ldb_ldif_parse_modrdn: int (struct ldb_context *, const struct ldb_ldif *, TALLOC_CTX *, struct ldb_dn **, struct ldb_dn **, bool *, struct ldb_dn **, struct ldb_dn **) >++ldb_ldif_read: struct ldb_ldif *(struct ldb_context *, int (*)(void *), void *) >++ldb_ldif_read_file: struct ldb_ldif *(struct ldb_context *, FILE *) >++ldb_ldif_read_file_state: struct ldb_ldif *(struct ldb_context *, struct ldif_read_file_state *) >++ldb_ldif_read_free: void (struct ldb_context *, struct ldb_ldif *) >++ldb_ldif_read_string: struct ldb_ldif *(struct ldb_context *, const char **) >++ldb_ldif_write: int (struct ldb_context *, int (*)(void *, const char *, ...), void *, const struct ldb_ldif *) >++ldb_ldif_write_file: int (struct ldb_context *, FILE *, const struct ldb_ldif *) >++ldb_ldif_write_redacted_trace_string: char *(struct ldb_context *, TALLOC_CTX *, const struct ldb_ldif *) >++ldb_ldif_write_string: char *(struct ldb_context *, TALLOC_CTX *, const struct ldb_ldif *) >++ldb_load_modules: int (struct ldb_context *, const char **) >++ldb_map_add: int (struct ldb_module *, struct ldb_request *) >++ldb_map_delete: int (struct ldb_module *, struct ldb_request *) >++ldb_map_init: int (struct ldb_module *, const struct ldb_map_attribute *, const struct ldb_map_objectclass *, const char * const *, const char *, const char *) >++ldb_map_modify: int (struct ldb_module *, struct ldb_request *) >++ldb_map_rename: int (struct ldb_module *, struct ldb_request *) >++ldb_map_search: int (struct ldb_module *, struct ldb_request *) >++ldb_match_message: int (struct ldb_context *, const struct ldb_message *, const struct ldb_parse_tree *, enum ldb_scope, bool *) >++ldb_match_msg: int (struct ldb_context *, const struct ldb_message *, const struct ldb_parse_tree *, struct ldb_dn *, enum ldb_scope) >++ldb_match_msg_error: int (struct ldb_context *, const struct ldb_message *, const struct ldb_parse_tree *, struct ldb_dn *, enum ldb_scope, bool *) >++ldb_match_msg_objectclass: int (const struct ldb_message *, const char *) >++ldb_mod_register_control: int (struct ldb_module *, const char *) >++ldb_modify: int (struct ldb_context *, const struct ldb_message *) >++ldb_modify_default_callback: int (struct ldb_request *, struct ldb_reply *) >++ldb_module_call_chain: char *(struct ldb_request *, TALLOC_CTX *) >++ldb_module_connect_backend: int (struct ldb_context *, const char *, const char **, struct ldb_module **) >++ldb_module_done: int (struct ldb_request *, struct ldb_control **, struct ldb_extended *, int) >++ldb_module_flags: uint32_t (struct ldb_context *) >++ldb_module_get_ctx: struct ldb_context *(struct ldb_module *) >++ldb_module_get_name: const char *(struct ldb_module *) >++ldb_module_get_ops: const struct ldb_module_ops *(struct ldb_module *) >++ldb_module_get_private: void *(struct ldb_module *) >++ldb_module_init_chain: int (struct ldb_context *, struct ldb_module *) >++ldb_module_load_list: int (struct ldb_context *, const char **, struct ldb_module *, struct ldb_module **) >++ldb_module_new: struct ldb_module *(TALLOC_CTX *, struct ldb_context *, const char *, const struct ldb_module_ops *) >++ldb_module_next: struct ldb_module *(struct ldb_module *) >++ldb_module_popt_options: struct poptOption **(struct ldb_context *) >++ldb_module_send_entry: int (struct ldb_request *, struct ldb_message *, struct ldb_control **) >++ldb_module_send_referral: int (struct ldb_request *, char *) >++ldb_module_set_next: void (struct ldb_module *, struct ldb_module *) >++ldb_module_set_private: void (struct ldb_module *, void *) >++ldb_modules_hook: int (struct ldb_context *, enum ldb_module_hook_type) >++ldb_modules_list_from_string: const char **(struct ldb_context *, TALLOC_CTX *, const char *) >++ldb_modules_load: int (const char *, const char *) >++ldb_msg_add: int (struct ldb_message *, const struct ldb_message_element *, int) >++ldb_msg_add_empty: int (struct ldb_message *, const char *, int, struct ldb_message_element **) >++ldb_msg_add_fmt: int (struct ldb_message *, const char *, const char *, ...) >++ldb_msg_add_linearized_dn: int (struct ldb_message *, const char *, struct ldb_dn *) >++ldb_msg_add_steal_string: int (struct ldb_message *, const char *, char *) >++ldb_msg_add_steal_value: int (struct ldb_message *, const char *, struct ldb_val *) >++ldb_msg_add_string: int (struct ldb_message *, const char *, const char *) >++ldb_msg_add_string_flags: int (struct ldb_message *, const char *, const char *, int) >++ldb_msg_add_value: int (struct ldb_message *, const char *, const struct ldb_val *, struct ldb_message_element **) >++ldb_msg_append_fmt: int (struct ldb_message *, int, const char *, const char *, ...) >++ldb_msg_append_linearized_dn: int (struct ldb_message *, const char *, struct ldb_dn *, int) >++ldb_msg_append_steal_string: int (struct ldb_message *, const char *, char *, int) >++ldb_msg_append_steal_value: int (struct ldb_message *, const char *, struct ldb_val *, int) >++ldb_msg_append_string: int (struct ldb_message *, const char *, const char *, int) >++ldb_msg_append_value: int (struct ldb_message *, const char *, const struct ldb_val *, int) >++ldb_msg_canonicalize: struct ldb_message *(struct ldb_context *, const struct ldb_message *) >++ldb_msg_check_string_attribute: int (const struct ldb_message *, const char *, const char *) >++ldb_msg_copy: struct ldb_message *(TALLOC_CTX *, const struct ldb_message *) >++ldb_msg_copy_attr: int (struct ldb_message *, const char *, const char *) >++ldb_msg_copy_shallow: struct ldb_message *(TALLOC_CTX *, const struct ldb_message *) >++ldb_msg_diff: struct ldb_message *(struct ldb_context *, struct ldb_message *, struct ldb_message *) >++ldb_msg_difference: int (struct ldb_context *, TALLOC_CTX *, struct ldb_message *, struct ldb_message *, struct ldb_message **) >++ldb_msg_element_add_value: int (TALLOC_CTX *, struct ldb_message_element *, const struct ldb_val *) >++ldb_msg_element_compare: int (struct ldb_message_element *, struct ldb_message_element *) >++ldb_msg_element_compare_name: int (struct ldb_message_element *, struct ldb_message_element *) >++ldb_msg_element_equal_ordered: bool (const struct ldb_message_element *, const struct ldb_message_element *) >++ldb_msg_find_attr_as_bool: int (const struct ldb_message *, const char *, int) >++ldb_msg_find_attr_as_dn: struct ldb_dn *(struct ldb_context *, TALLOC_CTX *, const struct ldb_message *, const char *) >++ldb_msg_find_attr_as_double: double (const struct ldb_message *, const char *, double) >++ldb_msg_find_attr_as_int: int (const struct ldb_message *, const char *, int) >++ldb_msg_find_attr_as_int64: int64_t (const struct ldb_message *, const char *, int64_t) >++ldb_msg_find_attr_as_string: const char *(const struct ldb_message *, const char *, const char *) >++ldb_msg_find_attr_as_uint: unsigned int (const struct ldb_message *, const char *, unsigned int) >++ldb_msg_find_attr_as_uint64: uint64_t (const struct ldb_message *, const char *, uint64_t) >++ldb_msg_find_common_values: int (struct ldb_context *, TALLOC_CTX *, struct ldb_message_element *, struct ldb_message_element *, uint32_t) >++ldb_msg_find_duplicate_val: int (struct ldb_context *, TALLOC_CTX *, const struct ldb_message_element *, struct ldb_val **, uint32_t) >++ldb_msg_find_element: struct ldb_message_element *(const struct ldb_message *, const char *) >++ldb_msg_find_ldb_val: const struct ldb_val *(const struct ldb_message *, const char *) >++ldb_msg_find_val: struct ldb_val *(const struct ldb_message_element *, struct ldb_val *) >++ldb_msg_new: struct ldb_message *(TALLOC_CTX *) >++ldb_msg_normalize: int (struct ldb_context *, TALLOC_CTX *, const struct ldb_message *, struct ldb_message **) >++ldb_msg_remove_attr: void (struct ldb_message *, const char *) >++ldb_msg_remove_element: void (struct ldb_message *, struct ldb_message_element *) >++ldb_msg_rename_attr: int (struct ldb_message *, const char *, const char *) >++ldb_msg_sanity_check: int (struct ldb_context *, const struct ldb_message *) >++ldb_msg_sort_elements: void (struct ldb_message *) >++ldb_next_del_trans: int (struct ldb_module *) >++ldb_next_end_trans: int (struct ldb_module *) >++ldb_next_init: int (struct ldb_module *) >++ldb_next_prepare_commit: int (struct ldb_module *) >++ldb_next_read_lock: int (struct ldb_module *) >++ldb_next_read_unlock: int (struct ldb_module *) >++ldb_next_remote_request: int (struct ldb_module *, struct ldb_request *) >++ldb_next_request: int (struct ldb_module *, struct ldb_request *) >++ldb_next_start_trans: int (struct ldb_module *) >++ldb_op_default_callback: int (struct ldb_request *, struct ldb_reply *) >++ldb_options_copy: const char **(TALLOC_CTX *, const char **) >++ldb_options_find: const char *(struct ldb_context *, const char **, const char *) >++ldb_options_get: const char **(struct ldb_context *) >++ldb_pack_data: int (struct ldb_context *, const struct ldb_message *, struct ldb_val *, uint32_t) >++ldb_parse_control_from_string: struct ldb_control *(struct ldb_context *, TALLOC_CTX *, const char *) >++ldb_parse_control_strings: struct ldb_control **(struct ldb_context *, TALLOC_CTX *, const char **) >++ldb_parse_tree: struct ldb_parse_tree *(TALLOC_CTX *, const char *) >++ldb_parse_tree_attr_replace: void (struct ldb_parse_tree *, const char *, const char *) >++ldb_parse_tree_copy_shallow: struct ldb_parse_tree *(TALLOC_CTX *, const struct ldb_parse_tree *) >++ldb_parse_tree_walk: int (struct ldb_parse_tree *, int (*)(struct ldb_parse_tree *, void *), void *) >++ldb_qsort: void (void * const, size_t, size_t, void *, ldb_qsort_cmp_fn_t) >++ldb_register_backend: int (const char *, ldb_connect_fn, bool) >++ldb_register_extended_match_rule: int (struct ldb_context *, const struct ldb_extended_match_rule *) >++ldb_register_hook: int (ldb_hook_fn) >++ldb_register_module: int (const struct ldb_module_ops *) >++ldb_rename: int (struct ldb_context *, struct ldb_dn *, struct ldb_dn *) >++ldb_reply_add_control: int (struct ldb_reply *, const char *, bool, void *) >++ldb_reply_get_control: struct ldb_control *(struct ldb_reply *, const char *) >++ldb_req_get_custom_flags: uint32_t (struct ldb_request *) >++ldb_req_is_untrusted: bool (struct ldb_request *) >++ldb_req_location: const char *(struct ldb_request *) >++ldb_req_mark_trusted: void (struct ldb_request *) >++ldb_req_mark_untrusted: void (struct ldb_request *) >++ldb_req_set_custom_flags: void (struct ldb_request *, uint32_t) >++ldb_req_set_location: void (struct ldb_request *, const char *) >++ldb_request: int (struct ldb_context *, struct ldb_request *) >++ldb_request_add_control: int (struct ldb_request *, const char *, bool, void *) >++ldb_request_done: int (struct ldb_request *, int) >++ldb_request_get_control: struct ldb_control *(struct ldb_request *, const char *) >++ldb_request_get_status: int (struct ldb_request *) >++ldb_request_replace_control: int (struct ldb_request *, const char *, bool, void *) >++ldb_request_set_state: void (struct ldb_request *, int) >++ldb_reset_err_string: void (struct ldb_context *) >++ldb_save_controls: int (struct ldb_control *, struct ldb_request *, struct ldb_control ***) >++ldb_schema_attribute_add: int (struct ldb_context *, const char *, unsigned int, const char *) >++ldb_schema_attribute_add_with_syntax: int (struct ldb_context *, const char *, unsigned int, const struct ldb_schema_syntax *) >++ldb_schema_attribute_by_name: const struct ldb_schema_attribute *(struct ldb_context *, const char *) >++ldb_schema_attribute_fill_with_syntax: int (struct ldb_context *, TALLOC_CTX *, const char *, unsigned int, const struct ldb_schema_syntax *, struct ldb_schema_attribute *) >++ldb_schema_attribute_remove: void (struct ldb_context *, const char *) >++ldb_schema_attribute_remove_flagged: void (struct ldb_context *, unsigned int) >++ldb_schema_attribute_set_override_handler: void (struct ldb_context *, ldb_attribute_handler_override_fn_t, void *) >++ldb_schema_set_override_GUID_index: void (struct ldb_context *, const char *, const char *) >++ldb_schema_set_override_indexlist: void (struct ldb_context *, bool) >++ldb_search: int (struct ldb_context *, TALLOC_CTX *, struct ldb_result **, struct ldb_dn *, enum ldb_scope, const char * const *, const char *, ...) >++ldb_search_default_callback: int (struct ldb_request *, struct ldb_reply *) >++ldb_sequence_number: int (struct ldb_context *, enum ldb_sequence_type, uint64_t *) >++ldb_set_create_perms: void (struct ldb_context *, unsigned int) >++ldb_set_debug: int (struct ldb_context *, void (*)(void *, enum ldb_debug_level, const char *, va_list), void *) >++ldb_set_debug_stderr: int (struct ldb_context *) >++ldb_set_default_dns: void (struct ldb_context *) >++ldb_set_errstring: void (struct ldb_context *, const char *) >++ldb_set_event_context: void (struct ldb_context *, struct tevent_context *) >++ldb_set_flags: void (struct ldb_context *, unsigned int) >++ldb_set_modules_dir: void (struct ldb_context *, const char *) >++ldb_set_opaque: int (struct ldb_context *, const char *, void *) >++ldb_set_require_private_event_context: void (struct ldb_context *) >++ldb_set_timeout: int (struct ldb_context *, struct ldb_request *, int) >++ldb_set_timeout_from_prev_req: int (struct ldb_context *, struct ldb_request *, struct ldb_request *) >++ldb_set_utf8_default: void (struct ldb_context *) >++ldb_set_utf8_fns: void (struct ldb_context *, void *, char *(*)(void *, void *, const char *, size_t)) >++ldb_setup_wellknown_attributes: int (struct ldb_context *) >++ldb_should_b64_encode: int (struct ldb_context *, const struct ldb_val *) >++ldb_standard_syntax_by_name: const struct ldb_schema_syntax *(struct ldb_context *, const char *) >++ldb_strerror: const char *(int) >++ldb_string_to_time: time_t (const char *) >++ldb_string_utc_to_time: time_t (const char *) >++ldb_timestring: char *(TALLOC_CTX *, time_t) >++ldb_timestring_utc: char *(TALLOC_CTX *, time_t) >++ldb_transaction_cancel: int (struct ldb_context *) >++ldb_transaction_cancel_noerr: int (struct ldb_context *) >++ldb_transaction_commit: int (struct ldb_context *) >++ldb_transaction_prepare_commit: int (struct ldb_context *) >++ldb_transaction_start: int (struct ldb_context *) >++ldb_unpack_data: int (struct ldb_context *, const struct ldb_val *, struct ldb_message *) >++ldb_unpack_data_flags: int (struct ldb_context *, const struct ldb_val *, struct ldb_message *, unsigned int) >++ldb_unpack_get_format: int (const struct ldb_val *, uint32_t *) >++ldb_val_dup: struct ldb_val (TALLOC_CTX *, const struct ldb_val *) >++ldb_val_equal_exact: int (const struct ldb_val *, const struct ldb_val *) >++ldb_val_map_local: struct ldb_val (struct ldb_module *, void *, const struct ldb_map_attribute *, const struct ldb_val *) >++ldb_val_map_remote: struct ldb_val (struct ldb_module *, void *, const struct ldb_map_attribute *, const struct ldb_val *) >++ldb_val_string_cmp: int (const struct ldb_val *, const char *) >++ldb_val_to_time: int (const struct ldb_val *, time_t *) >++ldb_valid_attr_name: int (const char *) >++ldb_vdebug: void (struct ldb_context *, enum ldb_debug_level, const char *, va_list) >++ldb_wait: int (struct ldb_handle *, enum ldb_wait_type) >+diff --git lib/ldb/ABI/pyldb-util-2.3.4.sigs lib/ldb/ABI/pyldb-util-2.3.4.sigs >+new file mode 100644 >+index 00000000000..164a806b2ff >+--- /dev/null >++++ lib/ldb/ABI/pyldb-util-2.3.4.sigs >+@@ -0,0 +1,3 @@ >++pyldb_Dn_FromDn: PyObject *(struct ldb_dn *) >++pyldb_Object_AsDn: bool (TALLOC_CTX *, PyObject *, struct ldb_context *, struct ldb_dn **) >++pyldb_check_type: bool (PyObject *, const char *) >+ >+-- >+2.25.1 >+ >+ >+From 6237c85565332e0be1890dd57cc7e25fb76571d7 Mon Sep 17 00:00:00 2001 >+From: Joseph Sutton <josephsutton@catalyst.net.nz> >+Date: Wed, 16 Feb 2022 17:03:10 +1300 >+Subject: [PATCH 15/99] CVE-2022-32745 s4/dsdb/samldb: Check for empty values >+ array >+ >+This avoids potentially trying to access the first element of an empty >+array. >+ >+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15008 >+ >+Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> >+--- >+ source4/dsdb/samdb/ldb_modules/samldb.c | 4 ++-- >+ 1 file changed, 2 insertions(+), 2 deletions(-) >+ >+diff --git source4/dsdb/samdb/ldb_modules/samldb.c source4/dsdb/samdb/ldb_modules/samldb.c >+index 107e643e492..3625bb42e58 100644 >+--- source4/dsdb/samdb/ldb_modules/samldb.c >++++ source4/dsdb/samdb/ldb_modules/samldb.c >+@@ -751,7 +751,7 @@ static int samldb_schema_add_handle_linkid(struct samldb_ctx *ac) >+ return ret; >+ } >+ >+- if (el == NULL) { >++ if (el == NULL || el->num_values == 0) { >+ return LDB_SUCCESS; >+ } >+ >+@@ -919,7 +919,7 @@ static int samldb_schema_add_handle_mapiid(struct samldb_ctx *ac) >+ return ret; >+ } >+ >+- if (el == NULL) { >++ if (el == NULL || el->num_values == 0) { >+ return LDB_SUCCESS; >+ } >+ >+-- >+2.25.1 >+ >+ >+From 7c8427e5d2f247921ab44996829acfed1f5f2360 Mon Sep 17 00:00:00 2001 >+From: Joseph Sutton <josephsutton@catalyst.net.nz> >+Date: Thu, 17 Feb 2022 11:11:53 +1300 >+Subject: [PATCH 16/99] CVE-2022-32745 s4/dsdb/util: Use correct value for loop >+ count limit >+ >+Currently, we can crash the server by sending a large number of values >+of a specific attribute (such as sAMAccountName) spread across a few >+message elements. If val_count is larger than the total number of >+elements, we get an access beyond the elements array. >+ >+Similarly, we can include unrelated message elements prior to the >+message elements of the attribute in question, so that not all of the >+attribute's values are copied into the returned elements values array. >+This can cause the server to access uninitialised data, likely resulting >+in a crash or unexpected behaviour. >+ >+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15008 >+ >+Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> >+--- >+ source4/dsdb/samdb/ldb_modules/util.c | 2 +- >+ 1 file changed, 1 insertion(+), 1 deletion(-) >+ >+diff --git source4/dsdb/samdb/ldb_modules/util.c source4/dsdb/samdb/ldb_modules/util.c >+index 405febf0b3d..14947746837 100644 >+--- source4/dsdb/samdb/ldb_modules/util.c >++++ source4/dsdb/samdb/ldb_modules/util.c >+@@ -1546,7 +1546,7 @@ int dsdb_get_expected_new_values(TALLOC_CTX *mem_ctx, >+ >+ v = _el->values; >+ >+- for (i = 0; i < val_count; i++) { >++ for (i = 0; i < msg->num_elements; i++) { >+ if (ldb_attr_cmp(msg->elements[i].name, attr_name) == 0) { >+ if ((operation == LDB_MODIFY) && >+ (LDB_FLAG_MOD_TYPE(msg->elements[i].flags) >+-- >+2.25.1 >+ >+ >+From 4d2d30c21b16a53d5547cb803efe49cb6304ce37 Mon Sep 17 00:00:00 2001 >+From: Joseph Sutton <josephsutton@catalyst.net.nz> >+Date: Thu, 17 Feb 2022 11:13:38 +1300 >+Subject: [PATCH 17/99] CVE-2022-32745 s4/dsdb/util: Don't call memcpy() with a >+ NULL pointer >+ >+Doing so is undefined behaviour. >+ >+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15008 >+ >+Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> >+--- >+ source4/dsdb/samdb/ldb_modules/util.c | 12 ++++++++---- >+ 1 file changed, 8 insertions(+), 4 deletions(-) >+ >+diff --git source4/dsdb/samdb/ldb_modules/util.c source4/dsdb/samdb/ldb_modules/util.c >+index 14947746837..35ae110b5ef 100644 >+--- source4/dsdb/samdb/ldb_modules/util.c >++++ source4/dsdb/samdb/ldb_modules/util.c >+@@ -1548,15 +1548,19 @@ int dsdb_get_expected_new_values(TALLOC_CTX *mem_ctx, >+ >+ for (i = 0; i < msg->num_elements; i++) { >+ if (ldb_attr_cmp(msg->elements[i].name, attr_name) == 0) { >++ const struct ldb_message_element *tmp_el = &msg->elements[i]; >+ if ((operation == LDB_MODIFY) && >+- (LDB_FLAG_MOD_TYPE(msg->elements[i].flags) >++ (LDB_FLAG_MOD_TYPE(tmp_el->flags) >+ == LDB_FLAG_MOD_DELETE)) { >+ continue; >+ } >++ if (tmp_el->values == NULL || tmp_el->num_values == 0) { >++ continue; >++ } >+ memcpy(v, >+- msg->elements[i].values, >+- msg->elements[i].num_values); >+- v += msg->elements[i].num_values; >++ tmp_el->values, >++ tmp_el->num_values); >++ v += tmp_el->num_values; >+ } >+ } >+ >+-- >+2.25.1 >+ >+ >+From 65d96369fa4f915f01e203cfc8b15e48c5b4b440 Mon Sep 17 00:00:00 2001 >+From: Joseph Sutton <josephsutton@catalyst.net.nz> >+Date: Fri, 3 Jun 2022 16:16:31 +1200 >+Subject: [PATCH 18/99] CVE-2022-32745 s4/dsdb/util: Correctly copy values into >+ message element >+ >+To use memcpy(), we need to specify the number of bytes to copy, rather >+than the number of ldb_val structures. >+ >+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15008 >+ >+Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> >+--- >+ source4/dsdb/samdb/ldb_modules/util.c | 2 +- >+ 1 file changed, 1 insertion(+), 1 deletion(-) >+ >+diff --git source4/dsdb/samdb/ldb_modules/util.c source4/dsdb/samdb/ldb_modules/util.c >+index 35ae110b5ef..e7fe8f855df 100644 >+--- source4/dsdb/samdb/ldb_modules/util.c >++++ source4/dsdb/samdb/ldb_modules/util.c >+@@ -1559,7 +1559,7 @@ int dsdb_get_expected_new_values(TALLOC_CTX *mem_ctx, >+ } >+ memcpy(v, >+ tmp_el->values, >+- tmp_el->num_values); >++ tmp_el->num_values * sizeof(*v)); >+ v += tmp_el->num_values; >+ } >+ } >+-- >+2.25.1 >+ >+ >+From 34eb92a2066cc403aac5a3708257b04a40ba19ee Mon Sep 17 00:00:00 2001 >+From: Isaac Boukris <iboukris@gmail.com> >+Date: Sat, 19 Sep 2020 14:16:20 +0200 >+Subject: [PATCH 19/99] s4:mit-kdb: Force canonicalization for looking up >+ principals >+ >+See also >+https://github.com/krb5/krb5/commit/ac8865a22138ab0c657208c41be8fd6bc7968148 >+ >+Pair-Programmed-With: Andreas Schneider <asn@samba.org> >+Signed-off-by: Isaac Boukris <iboukris@gmail.com> >+Signed-off-by: Andreas Schneider <asn@samba.org> >+Reviewed-by: Alexander Bokovoy <ab@samba.org> >+ >+Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org> >+Autobuild-Date(master): Mon Nov 29 09:32:26 UTC 2021 on sn-devel-184 >+ >+(cherry picked from commit 90febd2a33b88af49af595fe0e995d6ba0f33a1b) >+ >+[jsutton@samba.org Removed MIT knownfail changes] >+--- >+ source4/heimdal/lib/hdb/hdb.h | 1 + >+ source4/kdc/db-glue.c | 7 ++++++- >+ source4/kdc/mit_samba.c | 8 ++++++++ >+ source4/kdc/sdb.h | 1 + >+ 4 files changed, 16 insertions(+), 1 deletion(-) >+ >+diff --git source4/heimdal/lib/hdb/hdb.h source4/heimdal/lib/hdb/hdb.h >+index 5ef9d9565f3..dafaffc6c2d 100644 >+--- source4/heimdal/lib/hdb/hdb.h >++++ source4/heimdal/lib/hdb/hdb.h >+@@ -63,6 +63,7 @@ enum hdb_lockop{ HDB_RLOCK, HDB_WLOCK }; >+ #define HDB_F_ALL_KVNOS 2048 /* we want all the keys, live or not */ >+ #define HDB_F_FOR_AS_REQ 4096 /* fetch is for a AS REQ */ >+ #define HDB_F_FOR_TGS_REQ 8192 /* fetch is for a TGS REQ */ >++#define HDB_F_FORCE_CANON 16384 /* force canonicalition */ >+ >+ /* hdb_capability_flags */ >+ #define HDB_CAP_F_HANDLE_ENTERPRISE_PRINCIPAL 1 >+diff --git source4/kdc/db-glue.c source4/kdc/db-glue.c >+index 3a7e2176653..ac47fe78373 100644 >+--- source4/kdc/db-glue.c >++++ source4/kdc/db-glue.c >+@@ -957,11 +957,16 @@ static krb5_error_code samba_kdc_message2entry(krb5_context context, >+ krb5_clear_error_message(context); >+ goto out; >+ } >+- } else if ((flags & SDB_F_CANON) && (flags & SDB_F_FOR_AS_REQ)) { >++ } else if ((flags & SDB_F_FORCE_CANON) || >++ ((flags & SDB_F_CANON) && (flags & SDB_F_FOR_AS_REQ))) { >+ /* >+ * SDB_F_CANON maps from the canonicalize flag in the >+ * packet, and has a different meaning between AS-REQ >+ * and TGS-REQ. We only change the principal in the AS-REQ case >++ * >++ * The SDB_F_FORCE_CANON if for new MIT KDC code that wants >++ * the canonical name in all lookups, and takes care to >++ * canonicalize only when appropriate. >+ */ >+ ret = smb_krb5_make_principal(context, &entry_ex->entry.principal, lpcfg_realm(lp_ctx), samAccountName, NULL); >+ if (ret) { >+diff --git source4/kdc/mit_samba.c source4/kdc/mit_samba.c >+index e015c5a52db..c2a604045d9 100644 >+--- source4/kdc/mit_samba.c >++++ source4/kdc/mit_samba.c >+@@ -195,6 +195,14 @@ int mit_samba_get_principal(struct mit_samba_context *ctx, >+ return ENOMEM; >+ } >+ >++#if KRB5_KDB_API_VERSION >= 10 >++ /* >++ * The MIT KDC code that wants the canonical name in all lookups, and >++ * takes care to canonicalize only when appropriate. >++ */ >++ sflags |= SDB_F_FORCE_CANON; >++#endif >++ >+ if (kflags & KRB5_KDB_FLAG_CANONICALIZE) { >+ sflags |= SDB_F_CANON; >+ } >+diff --git source4/kdc/sdb.h source4/kdc/sdb.h >+index c929acccce6..a9115ec23d7 100644 >+--- source4/kdc/sdb.h >++++ source4/kdc/sdb.h >+@@ -116,6 +116,7 @@ struct sdb_entry_ex { >+ #define SDB_F_KVNO_SPECIFIED 128 /* we want a particular KVNO */ >+ #define SDB_F_FOR_AS_REQ 4096 /* fetch is for a AS REQ */ >+ #define SDB_F_FOR_TGS_REQ 8192 /* fetch is for a TGS REQ */ >++#define SDB_F_FORCE_CANON 16384 /* force canonicalition */ >+ >+ void sdb_free_entry(struct sdb_entry_ex *e); >+ void free_sdb_entry(struct sdb_entry *s); >+-- >+2.25.1 >+ >+ >+From 06a0a75b16bace9c29568653d9e4bde4050c5ee5 Mon Sep 17 00:00:00 2001 >+From: Andreas Schneider <asn@samba.org> >+Date: Tue, 21 Dec 2021 12:17:11 +0100 >+Subject: [PATCH 20/99] s4:kdc: Also cannoicalize krbtgt principals when >+ enforcing canonicalization >+ >+Signed-off-by: Andreas Schneider <asn@samba.org> >+Reviewed-by: Stefan Metzmacher <metze@samba.org> >+(cherry picked from commit f1ec950aeb47283a504018bafa21f54c3282e70c) >+--- >+ source4/kdc/db-glue.c | 2 +- >+ 1 file changed, 1 insertion(+), 1 deletion(-) >+ >+diff --git source4/kdc/db-glue.c source4/kdc/db-glue.c >+index ac47fe78373..d017741e30a 100644 >+--- source4/kdc/db-glue.c >++++ source4/kdc/db-glue.c >+@@ -920,7 +920,7 @@ static krb5_error_code samba_kdc_message2entry(krb5_context context, >+ if (ent_type == SAMBA_KDC_ENT_TYPE_KRBTGT) { >+ p->is_krbtgt = true; >+ >+- if (flags & (SDB_F_CANON)) { >++ if (flags & (SDB_F_CANON|SDB_F_FORCE_CANON)) { >+ /* >+ * When requested to do so, ensure that the >+ * both realm values in the principal are set >+-- >+2.25.1 >+ >+ >+From b4005403032b0b33ca88d3abcbf085621b32bd5b Mon Sep 17 00:00:00 2001 >+From: Joseph Sutton <josephsutton@catalyst.net.nz> >+Date: Wed, 24 Nov 2021 11:30:38 +1300 >+Subject: [PATCH 21/99] selftest: Check received LDB error code when >+ STRICT_CHECKING=0 >+ >+We were instead only checking the expected error. >+ >+Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> >+Reviewed-by: Andrew Bartlett <abartlet@samba.org> >+(cherry picked from commit ad4d6fb01fd8083e68f07c427af8932574810cdc) >+--- >+ source4/dsdb/tests/python/priv_attrs.py | 2 +- >+ 1 file changed, 1 insertion(+), 1 deletion(-) >+ >+diff --git source4/dsdb/tests/python/priv_attrs.py source4/dsdb/tests/python/priv_attrs.py >+index aa35dcc1317..4dfdfb9cbb8 100644 >+--- source4/dsdb/tests/python/priv_attrs.py >++++ source4/dsdb/tests/python/priv_attrs.py >+@@ -167,7 +167,7 @@ class PrivAttrsTests(samba.tests.TestCase): >+ creds_tmp.set_kerberos_state(DONT_USE_KERBEROS) # kinit is too expensive to use in a tight loop >+ return creds_tmp >+ >+- def assertGotLdbError(self, got, wanted): >++ def assertGotLdbError(self, wanted, got): >+ if not self.strict_checking: >+ self.assertNotEqual(got, ldb.SUCCESS) >+ else: >+-- >+2.25.1 >+ >+ >+From 6a4ed078902dcc57ab14f701c88e76ec0ac375e7 Mon Sep 17 00:00:00 2001 >+From: Joseph Sutton <josephsutton@catalyst.net.nz> >+Date: Wed, 24 Nov 2021 11:53:18 +1300 >+Subject: [PATCH 22/99] tests/krb5: Remove unused variable >+ >+Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> >+Reviewed-by: Andrew Bartlett <abartlet@samba.org> >+(cherry picked from commit 57b1b76154d699b9d70ad04fa5e94c4b30f0e4bf) >+--- >+ python/samba/tests/krb5/raw_testcase.py | 2 -- >+ 1 file changed, 2 deletions(-) >+ >+diff --git python/samba/tests/krb5/raw_testcase.py python/samba/tests/krb5/raw_testcase.py >+index 42f2e94f5aa..36a6134e6c9 100644 >+--- python/samba/tests/krb5/raw_testcase.py >++++ python/samba/tests/krb5/raw_testcase.py >+@@ -2855,7 +2855,6 @@ class RawKerberosTest(TestCaseInTempDir): >+ >+ expect_etype_info2 = () >+ expect_etype_info = False >+- unexpect_etype_info = True >+ expected_aes_type = 0 >+ expected_rc4_type = 0 >+ if kcrypto.Enctype.RC4 in proposed_etypes: >+@@ -2868,7 +2867,6 @@ class RawKerberosTest(TestCaseInTempDir): >+ if etype > expected_aes_type: >+ expected_aes_type = etype >+ if etype in (kcrypto.Enctype.RC4,) and error_code != 0: >+- unexpect_etype_info = False >+ if etype > expected_rc4_type: >+ expected_rc4_type = etype >+ >+-- >+2.25.1 >+ >+ >+From 837453d34799f44653d0d6d690d3e3d5eb074993 Mon Sep 17 00:00:00 2001 >+From: Joseph Sutton <josephsutton@catalyst.net.nz> >+Date: Wed, 24 Nov 2021 11:34:11 +1300 >+Subject: [PATCH 23/99] tests/krb5: Deduplicate AS-REQ tests >+ >+salt_tests was running the tests defined in the base class as well as >+its own tests. >+ >+Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> >+Reviewed-by: Andrew Bartlett <abartlet@samba.org> >+(cherry picked from commit f0b222e3ecf72c8562bc97bedd9f3a92980b60d5) >+--- >+ python/samba/tests/krb5/as_req_tests.py | 163 ++++++++++++------------ >+ python/samba/tests/krb5/salt_tests.py | 4 +- >+ 2 files changed, 85 insertions(+), 82 deletions(-) >+ >+diff --git python/samba/tests/krb5/as_req_tests.py python/samba/tests/krb5/as_req_tests.py >+index 08081928363..315720f85d6 100755 >+--- python/samba/tests/krb5/as_req_tests.py >++++ python/samba/tests/krb5/as_req_tests.py >+@@ -38,87 +38,8 @@ from samba.tests.krb5.rfc4120_constants import ( >+ global_asn1_print = False >+ global_hexdump = False >+ >+-@DynamicTestCase >+-class AsReqKerberosTests(KDCBaseTest): >+- >+- @classmethod >+- def setUpDynamicTestCases(cls): >+- for (name, idx) in cls.etype_test_permutation_name_idx(): >+- for pac in [None, True, False]: >+- tname = "%s_pac_%s" % (name, pac) >+- targs = (idx, pac) >+- cls.generate_dynamic_test("test_as_req_no_preauth", tname, *targs) >+- >+- def setUp(self): >+- super(AsReqKerberosTests, self).setUp() >+- self.do_asn1_print = global_asn1_print >+- self.do_hexdump = global_hexdump >+- >+- def _test_as_req_nopreauth(self, >+- initial_etypes, >+- pac=None, >+- initial_kdc_options=None): >+- client_creds = self.get_client_creds() >+- client_account = client_creds.get_username() >+- client_as_etypes = self.get_default_enctypes() >+- krbtgt_creds = self.get_krbtgt_creds(require_keys=False) >+- krbtgt_account = krbtgt_creds.get_username() >+- realm = krbtgt_creds.get_realm() >+- >+- cname = self.PrincipalName_create(name_type=NT_PRINCIPAL, >+- names=[client_account]) >+- sname = self.PrincipalName_create(name_type=NT_SRV_INST, >+- names=[krbtgt_account, realm]) >+- >+- expected_crealm = realm >+- expected_cname = cname >+- expected_srealm = realm >+- expected_sname = sname >+- expected_salt = client_creds.get_salt() >+- >+- if any(etype in client_as_etypes and etype in initial_etypes >+- for etype in (kcrypto.Enctype.AES256, >+- kcrypto.Enctype.AES128, >+- kcrypto.Enctype.RC4)): >+- expected_error_mode = KDC_ERR_PREAUTH_REQUIRED >+- else: >+- expected_error_mode = KDC_ERR_ETYPE_NOSUPP >+- >+- kdc_exchange_dict = self.as_exchange_dict( >+- expected_crealm=expected_crealm, >+- expected_cname=expected_cname, >+- expected_srealm=expected_srealm, >+- expected_sname=expected_sname, >+- generate_padata_fn=None, >+- check_error_fn=self.generic_check_kdc_error, >+- check_rep_fn=None, >+- expected_error_mode=expected_error_mode, >+- client_as_etypes=client_as_etypes, >+- expected_salt=expected_salt, >+- kdc_options=str(initial_kdc_options), >+- pac_request=pac) >+- >+- self._generic_kdc_exchange(kdc_exchange_dict, >+- cname=cname, >+- realm=realm, >+- sname=sname, >+- etypes=initial_etypes) >+- >+- def _test_as_req_no_preauth_with_args(self, etype_idx, pac): >+- name, etypes = self.etype_test_permutation_by_idx(etype_idx) >+- self._test_as_req_nopreauth( >+- pac=pac, >+- initial_etypes=etypes, >+- initial_kdc_options=krb5_asn1.KDCOptions('forwardable')) >+- >+- def test_as_req_enc_timestamp(self): >+- client_creds = self.get_client_creds() >+- self._run_as_req_enc_timestamp(client_creds) >+- >+- def test_as_req_enc_timestamp_mac(self): >+- client_creds = self.get_mach_creds() >+- self._run_as_req_enc_timestamp(client_creds) >+ >++class AsReqBaseTest(KDCBaseTest): >+ def _run_as_req_enc_timestamp(self, client_creds): >+ client_account = client_creds.get_username() >+ client_as_etypes = self.get_default_enctypes() >+@@ -207,6 +128,88 @@ class AsReqKerberosTests(KDCBaseTest): >+ return etype_info2 >+ >+ >++@DynamicTestCase >++class AsReqKerberosTests(AsReqBaseTest): >++ >++ @classmethod >++ def setUpDynamicTestCases(cls): >++ for (name, idx) in cls.etype_test_permutation_name_idx(): >++ for pac in [None, True, False]: >++ tname = "%s_pac_%s" % (name, pac) >++ targs = (idx, pac) >++ cls.generate_dynamic_test("test_as_req_no_preauth", tname, *targs) >++ >++ def setUp(self): >++ super(AsReqKerberosTests, self).setUp() >++ self.do_asn1_print = global_asn1_print >++ self.do_hexdump = global_hexdump >++ >++ def _test_as_req_nopreauth(self, >++ initial_etypes, >++ pac=None, >++ initial_kdc_options=None): >++ client_creds = self.get_client_creds() >++ client_account = client_creds.get_username() >++ client_as_etypes = self.get_default_enctypes() >++ krbtgt_creds = self.get_krbtgt_creds(require_keys=False) >++ krbtgt_account = krbtgt_creds.get_username() >++ realm = krbtgt_creds.get_realm() >++ >++ cname = self.PrincipalName_create(name_type=NT_PRINCIPAL, >++ names=[client_account]) >++ sname = self.PrincipalName_create(name_type=NT_SRV_INST, >++ names=[krbtgt_account, realm]) >++ >++ expected_crealm = realm >++ expected_cname = cname >++ expected_srealm = realm >++ expected_sname = sname >++ expected_salt = client_creds.get_salt() >++ >++ if any(etype in client_as_etypes and etype in initial_etypes >++ for etype in (kcrypto.Enctype.AES256, >++ kcrypto.Enctype.AES128, >++ kcrypto.Enctype.RC4)): >++ expected_error_mode = KDC_ERR_PREAUTH_REQUIRED >++ else: >++ expected_error_mode = KDC_ERR_ETYPE_NOSUPP >++ >++ kdc_exchange_dict = self.as_exchange_dict( >++ expected_crealm=expected_crealm, >++ expected_cname=expected_cname, >++ expected_srealm=expected_srealm, >++ expected_sname=expected_sname, >++ generate_padata_fn=None, >++ check_error_fn=self.generic_check_kdc_error, >++ check_rep_fn=None, >++ expected_error_mode=expected_error_mode, >++ client_as_etypes=client_as_etypes, >++ expected_salt=expected_salt, >++ kdc_options=str(initial_kdc_options), >++ pac_request=pac) >++ >++ self._generic_kdc_exchange(kdc_exchange_dict, >++ cname=cname, >++ realm=realm, >++ sname=sname, >++ etypes=initial_etypes) >++ >++ def _test_as_req_no_preauth_with_args(self, etype_idx, pac): >++ name, etypes = self.etype_test_permutation_by_idx(etype_idx) >++ self._test_as_req_nopreauth( >++ pac=pac, >++ initial_etypes=etypes, >++ initial_kdc_options=krb5_asn1.KDCOptions('forwardable')) >++ >++ def test_as_req_enc_timestamp(self): >++ client_creds = self.get_client_creds() >++ self._run_as_req_enc_timestamp(client_creds) >++ >++ def test_as_req_enc_timestamp_mac(self): >++ client_creds = self.get_mach_creds() >++ self._run_as_req_enc_timestamp(client_creds) >++ >++ >+ if __name__ == "__main__": >+ global_asn1_print = False >+ global_hexdump = False >+diff --git python/samba/tests/krb5/salt_tests.py python/samba/tests/krb5/salt_tests.py >+index ecbf618e40e..db777f8b7bc 100755 >+--- python/samba/tests/krb5/salt_tests.py >++++ python/samba/tests/krb5/salt_tests.py >+@@ -21,7 +21,7 @@ import os >+ >+ import ldb >+ >+-from samba.tests.krb5.as_req_tests import AsReqKerberosTests >++from samba.tests.krb5.as_req_tests import AsReqBaseTest >+ import samba.tests.krb5.kcrypto as kcrypto >+ >+ sys.path.insert(0, "bin/python") >+@@ -31,7 +31,7 @@ global_asn1_print = False >+ global_hexdump = False >+ >+ >+-class SaltTests(AsReqKerberosTests): >++class SaltTests(AsReqBaseTest): >+ >+ def setUp(self): >+ super().setUp() >+-- >+2.25.1 >+ >+ >+From 3d48ade670bb5b026d7bc0a26a4fa6775b21653b Mon Sep 17 00:00:00 2001 >+From: Joseph Sutton <josephsutton@catalyst.net.nz> >+Date: Wed, 24 Nov 2021 16:02:00 +1300 >+Subject: [PATCH 24/99] tests/krb5: Run test_rpc against member server >+ >+We were instead always running against the DC. >+ >+Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> >+Reviewed-by: Andrew Bartlett <abartlet@samba.org> >+(cherry picked from commit 167bd2070483004cd0b9a96ffb40ea73c6ddf579) >+--- >+ python/samba/tests/krb5/test_rpc.py | 9 ++++----- >+ 1 file changed, 4 insertions(+), 5 deletions(-) >+ >+diff --git python/samba/tests/krb5/test_rpc.py python/samba/tests/krb5/test_rpc.py >+index 03c125f518a..2d483986e83 100755 >+--- python/samba/tests/krb5/test_rpc.py >++++ python/samba/tests/krb5/test_rpc.py >+@@ -58,7 +58,7 @@ class RpcTests(KDCBaseTest): >+ >+ samdb = self.get_samdb() >+ >+- mach_name = samdb.host_dns_name() >++ mach_name = self.host >+ service = "cifs" >+ >+ # Create the user account. >+@@ -67,7 +67,7 @@ class RpcTests(KDCBaseTest): >+ use_cache=False) >+ user_name = user_credentials.get_username() >+ >+- mach_credentials = self.get_dc_creds() >++ mach_credentials = self.get_server_creds() >+ >+ # Talk to the KDC to obtain the service ticket, which gets placed into >+ # the cache. The machine account name has to match the name in the >+@@ -114,8 +114,7 @@ class RpcTests(KDCBaseTest): >+ self.assertEqual(user_name, account_name.string) >+ >+ def test_rpc_anonymous(self): >+- samdb = self.get_samdb() >+- mach_name = samdb.host_dns_name() >++ mach_name = self.host >+ >+ anon_creds = credentials.Credentials() >+ anon_creds.set_anonymous() >+@@ -125,7 +124,7 @@ class RpcTests(KDCBaseTest): >+ >+ (account_name, _) = conn.GetUserName(None, None, None) >+ >+- self.assertEqual('ANONYMOUS LOGON', account_name.string) >++ self.assertEqual('ANONYMOUS LOGON', account_name.string.upper()) >+ >+ >+ if __name__ == "__main__": >+-- >+2.25.1 >+ >+ >+From bf1aa0927895b1007ecea738681235b5be2e6208 Mon Sep 17 00:00:00 2001 >+From: Joseph Sutton <josephsutton@catalyst.net.nz> >+Date: Wed, 24 Nov 2021 11:37:35 +1300 >+Subject: [PATCH 25/99] tests/krb5: Allow PasswordKey_create() to use s2kparams >+ >+Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> >+Reviewed-by: Andrew Bartlett <abartlet@samba.org> >+(cherry picked from commit a560c2e9ad8abb824d1805c86c656943745f81eb) >+--- >+ python/samba/tests/krb5/raw_testcase.py | 9 ++++++--- >+ 1 file changed, 6 insertions(+), 3 deletions(-) >+ >+diff --git python/samba/tests/krb5/raw_testcase.py python/samba/tests/krb5/raw_testcase.py >+index 36a6134e6c9..da3f69c79c6 100644 >+--- python/samba/tests/krb5/raw_testcase.py >++++ python/samba/tests/krb5/raw_testcase.py >+@@ -1167,10 +1167,11 @@ class RawKerberosTest(TestCaseInTempDir): >+ key = kcrypto.Key(etype, contents) >+ return RodcPacEncryptionKey(key, kvno) >+ >+- def PasswordKey_create(self, etype=None, pwd=None, salt=None, kvno=None): >++ def PasswordKey_create(self, etype=None, pwd=None, salt=None, kvno=None, >++ params=None): >+ self.assertIsNotNone(pwd) >+ self.assertIsNotNone(salt) >+- key = kcrypto.string_to_key(etype, pwd, salt) >++ key = kcrypto.string_to_key(etype, pwd, salt, params=params) >+ return RodcPacEncryptionKey(key, kvno) >+ >+ def PasswordKey_from_etype_info2(self, creds, etype_info2, kvno=None): >+@@ -1182,9 +1183,11 @@ class RawKerberosTest(TestCaseInTempDir): >+ nthash = creds.get_nt_hash() >+ return self.SessionKey_create(etype=e, contents=nthash, kvno=kvno) >+ >++ params = etype_info2.get('s2kparams') >++ >+ password = creds.get_password() >+ return self.PasswordKey_create( >+- etype=e, pwd=password, salt=salt, kvno=kvno) >++ etype=e, pwd=password, salt=salt, kvno=kvno, params=params) >+ >+ def TicketDecryptionKey_from_creds(self, creds, etype=None): >+ >+-- >+2.25.1 >+ >+ >+From 651db77b1c19c036cf229c44b764b0155e1dc399 Mon Sep 17 00:00:00 2001 >+From: Joseph Sutton <josephsutton@catalyst.net.nz> >+Date: Wed, 24 Nov 2021 11:40:35 +1300 >+Subject: [PATCH 26/99] tests/krb5: Split out methods to create renewable or >+ invalid tickets >+ >+Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> >+Reviewed-by: Andrew Bartlett <abartlet@samba.org> >+(cherry picked from commit e930274aa43810d6485c3c8a7c82958ecb409630) >+--- >+ python/samba/tests/krb5/kdc_tgs_tests.py | 68 +++++++++++++----------- >+ 1 file changed, 36 insertions(+), 32 deletions(-) >+ >+diff --git python/samba/tests/krb5/kdc_tgs_tests.py python/samba/tests/krb5/kdc_tgs_tests.py >+index abac5a47a56..0578969ba69 100755 >+--- python/samba/tests/krb5/kdc_tgs_tests.py >++++ python/samba/tests/krb5/kdc_tgs_tests.py >+@@ -1786,6 +1786,40 @@ class KdcTgsTests(KDCBaseTest): >+ >+ self._run_tgs(tgt, expected_error=KDC_ERR_C_PRINCIPAL_UNKNOWN) >+ >++ def _modify_renewable(self, enc_part): >++ # Set the renewable flag. >++ renewable_flag = krb5_asn1.TicketFlags('renewable') >++ pos = len(tuple(renewable_flag)) - 1 >++ >++ flags = enc_part['flags'] >++ self.assertLessEqual(pos, len(flags)) >++ >++ new_flags = flags[:pos] + '1' + flags[pos + 1:] >++ enc_part['flags'] = new_flags >++ >++ # Set the renew-till time to be in the future. >++ renew_till = self.get_KerberosTime(offset=100 * 60 * 60) >++ enc_part['renew-till'] = renew_till >++ >++ return enc_part >++ >++ def _modify_invalid(self, enc_part): >++ # Set the invalid flag. >++ invalid_flag = krb5_asn1.TicketFlags('invalid') >++ pos = len(tuple(invalid_flag)) - 1 >++ >++ flags = enc_part['flags'] >++ self.assertLessEqual(pos, len(flags)) >++ >++ new_flags = flags[:pos] + '1' + flags[pos + 1:] >++ enc_part['flags'] = new_flags >++ >++ # Set the ticket start time to be in the past. >++ past_time = self.get_KerberosTime(offset=-100 * 60 * 60) >++ enc_part['starttime'] = past_time >++ >++ return enc_part >++ >+ def _get_tgt(self, >+ client_creds, >+ renewable=False, >+@@ -1880,39 +1914,9 @@ class KdcTgsTests(KDCBaseTest): >+ } >+ >+ if renewable: >+- def flags_modify_fn(enc_part): >+- # Set the renewable flag. >+- renewable_flag = krb5_asn1.TicketFlags('renewable') >+- pos = len(tuple(renewable_flag)) - 1 >+- >+- flags = enc_part['flags'] >+- self.assertLessEqual(pos, len(flags)) >+- >+- new_flags = flags[:pos] + '1' + flags[pos + 1:] >+- enc_part['flags'] = new_flags >+- >+- # Set the renew-till time to be in the future. >+- renew_till = self.get_KerberosTime(offset=100 * 60 * 60) >+- enc_part['renew-till'] = renew_till >+- >+- return enc_part >++ flags_modify_fn = self._modify_renewable >+ elif invalid: >+- def flags_modify_fn(enc_part): >+- # Set the invalid flag. >+- invalid_flag = krb5_asn1.TicketFlags('invalid') >+- pos = len(tuple(invalid_flag)) - 1 >+- >+- flags = enc_part['flags'] >+- self.assertLessEqual(pos, len(flags)) >+- >+- new_flags = flags[:pos] + '1' + flags[pos + 1:] >+- enc_part['flags'] = new_flags >+- >+- # Set the ticket start time to be in the past. >+- past_time = self.get_KerberosTime(offset=-100 * 60 * 60) >+- enc_part['starttime'] = past_time >+- >+- return enc_part >++ flags_modify_fn = self._modify_invalid >+ else: >+ flags_modify_fn = None >+ >+-- >+2.25.1 >+ >+ >+From 1e9ad4246ce7fe7a212da4357e6e11c5ac22a8b2 Mon Sep 17 00:00:00 2001 >+From: Joseph Sutton <josephsutton@catalyst.net.nz> >+Date: Wed, 24 Nov 2021 11:52:31 +1300 >+Subject: [PATCH 27/99] tests/krb5: Adjust error codes to better match Windows >+ with PacRequestorEnforcement=2 >+ >+Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> >+Reviewed-by: Andrew Bartlett <abartlet@samba.org> >+(cherry picked from commit d95705172bcf6fe24817800a4c0009e9cc8be595) >+ >+[jsutton@samba.org Fixed MIT knownfail conflict] >+--- >+ python/samba/tests/krb5/alias_tests.py | 7 +- >+ python/samba/tests/krb5/kdc_tgs_tests.py | 130 ++++++++---------- >+ .../ms_kile_client_principal_lookup_tests.py | 39 ++---- >+ python/samba/tests/krb5/s4u_tests.py | 57 ++++---- >+ python/samba/tests/krb5/test_rpc.py | 8 +- >+ selftest/knownfail_heimdal_kdc | 64 +++++++++ >+ selftest/knownfail_mit_kdc | 9 ++ >+ 7 files changed, 181 insertions(+), 133 deletions(-) >+ >+diff --git python/samba/tests/krb5/alias_tests.py python/samba/tests/krb5/alias_tests.py >+index 60213845a44..1f63775c189 100755 >+--- python/samba/tests/krb5/alias_tests.py >++++ python/samba/tests/krb5/alias_tests.py >+@@ -28,7 +28,7 @@ from samba.tests.krb5.kdc_base_test import KDCBaseTest >+ from samba.tests.krb5.rfc4120_constants import ( >+ AES256_CTS_HMAC_SHA1_96, >+ ARCFOUR_HMAC_MD5, >+- KDC_ERR_CLIENT_NAME_MISMATCH, >++ KDC_ERR_TGT_REVOKED, >+ NT_PRINCIPAL, >+ ) >+ >+@@ -168,7 +168,7 @@ class AliasTests(KDCBaseTest): >+ ctype=None) >+ return [padata], req_body >+ >+- expected_error_mode = KDC_ERR_CLIENT_NAME_MISMATCH >++ expected_error_mode = KDC_ERR_TGT_REVOKED >+ >+ # Make a request using S4U2Self. The request should fail. >+ kdc_exchange_dict = self.tgs_exchange_dict( >+@@ -184,7 +184,8 @@ class AliasTests(KDCBaseTest): >+ tgt=tgt, >+ authenticator_subkey=authenticator_subkey, >+ kdc_options='0', >+- expect_pac=True) >++ expect_pac=True, >++ expect_edata=False) >+ >+ rep = self._generic_kdc_exchange(kdc_exchange_dict, >+ cname=None, >+diff --git python/samba/tests/krb5/kdc_tgs_tests.py python/samba/tests/krb5/kdc_tgs_tests.py >+index 0578969ba69..7ea15f0fbab 100755 >+--- python/samba/tests/krb5/kdc_tgs_tests.py >++++ python/samba/tests/krb5/kdc_tgs_tests.py >+@@ -23,7 +23,7 @@ import os >+ import ldb >+ >+ >+-from samba import dsdb, ntstatus >++from samba import dsdb >+ >+ from samba.dcerpc import krb5pac, security >+ >+@@ -38,8 +38,6 @@ from samba.tests.krb5.rfc4120_constants import ( >+ KRB_ERROR, >+ KRB_TGS_REP, >+ KDC_ERR_BADMATCH, >+- KDC_ERR_BADOPTION, >+- KDC_ERR_CLIENT_NAME_MISMATCH, >+ KDC_ERR_GENERIC, >+ KDC_ERR_MODIFIED, >+ KDC_ERR_POLICY, >+@@ -262,7 +260,7 @@ class KdcTgsTests(KDCBaseTest): >+ authenticator_subkey = self.RandomKey(kcrypto.Enctype.AES256) >+ >+ if expect_error: >+- expected_error_mode = KDC_ERR_BADOPTION >++ expected_error_mode = KDC_ERR_TGT_REVOKED >+ check_error_fn = self.generic_check_kdc_error >+ check_rep_fn = None >+ else: >+@@ -288,7 +286,8 @@ class KdcTgsTests(KDCBaseTest): >+ authenticator_subkey=authenticator_subkey, >+ kdc_options=kdc_options, >+ pac_request=pac_request, >+- expect_pac=expect_pac) >++ expect_pac=expect_pac, >++ expect_edata=False) >+ >+ rep = self._generic_kdc_exchange(kdc_exchange_dict, >+ cname=cname, >+@@ -516,8 +515,7 @@ class KdcTgsTests(KDCBaseTest): >+ creds = self._get_creds() >+ tgt = self._get_tgt(creds, remove_requester_sid=True) >+ >+- self._run_tgs(tgt, expected_error=0, expect_pac=True, >+- expect_requester_sid=False) # Note: not expected >++ self._run_tgs(tgt, expected_error=KDC_ERR_TGT_REVOKED) >+ >+ def test_tgs_req_no_pac_attrs(self): >+ creds = self._get_creds() >+@@ -531,11 +529,7 @@ class KdcTgsTests(KDCBaseTest): >+ revealed_to_rodc=True) >+ tgt = self._get_tgt(creds, from_rodc=True, remove_requester_sid=True) >+ >+- samdb = self.get_samdb() >+- sid = self.get_objectSid(samdb, creds.get_dn()) >+- >+- self._run_tgs(tgt, expected_error=0, expect_pac=True, >+- expect_requester_sid=True, expected_sid=sid) >++ self._run_tgs(tgt, expected_error=KDC_ERR_TGT_REVOKED) >+ >+ def test_tgs_req_from_rodc_no_pac_attrs(self): >+ creds = self._get_creds(replication_allowed=True, >+@@ -548,101 +542,99 @@ class KdcTgsTests(KDCBaseTest): >+ def test_tgs_no_pac(self): >+ creds = self._get_creds() >+ tgt = self._get_tgt(creds, remove_pac=True) >+- self._run_tgs(tgt, expected_error=KDC_ERR_BADOPTION) >++ self._run_tgs(tgt, expected_error=KDC_ERR_TGT_REVOKED) >+ >+ def test_renew_no_pac(self): >+ creds = self._get_creds() >+ tgt = self._get_tgt(creds, renewable=True, remove_pac=True) >+- self._renew_tgt(tgt, expected_error=KDC_ERR_BADOPTION) >++ self._renew_tgt(tgt, expected_error=KDC_ERR_TGT_REVOKED) >+ >+ def test_validate_no_pac(self): >+ creds = self._get_creds() >+ tgt = self._get_tgt(creds, invalid=True, remove_pac=True) >+- self._validate_tgt(tgt, expected_error=KDC_ERR_BADOPTION) >++ self._validate_tgt(tgt, expected_error=KDC_ERR_TGT_REVOKED) >+ >+ def test_s4u2self_no_pac(self): >+ creds = self._get_creds() >+ tgt = self._get_tgt(creds, remove_pac=True) >+ self._s4u2self(tgt, creds, >+- expected_error=(KDC_ERR_GENERIC, KDC_ERR_BADOPTION), >+- expected_status=ntstatus.NT_STATUS_INVALID_PARAMETER, >+- expect_edata=True) >++ expected_error=KDC_ERR_TGT_REVOKED, >++ expect_edata=False) >+ >+ def test_user2user_no_pac(self): >+ creds = self._get_creds() >+ tgt = self._get_tgt(creds, remove_pac=True) >+- self._user2user(tgt, creds, expected_error=KDC_ERR_BADOPTION) >++ self._user2user(tgt, creds, expected_error=KDC_ERR_TGT_REVOKED) >+ >+ # Test making a request with authdata and without a PAC. >+ def test_tgs_authdata_no_pac(self): >+ creds = self._get_creds() >+ tgt = self._get_tgt(creds, remove_pac=True, allow_empty_authdata=True) >+- self._run_tgs(tgt, expected_error=KDC_ERR_BADOPTION) >++ self._run_tgs(tgt, expected_error=KDC_ERR_TGT_REVOKED) >+ >+ def test_renew_authdata_no_pac(self): >+ creds = self._get_creds() >+ tgt = self._get_tgt(creds, renewable=True, remove_pac=True, >+ allow_empty_authdata=True) >+- self._renew_tgt(tgt, expected_error=KDC_ERR_BADOPTION) >++ self._renew_tgt(tgt, expected_error=KDC_ERR_TGT_REVOKED) >+ >+ def test_validate_authdata_no_pac(self): >+ creds = self._get_creds() >+ tgt = self._get_tgt(creds, invalid=True, remove_pac=True, >+ allow_empty_authdata=True) >+- self._validate_tgt(tgt, expected_error=KDC_ERR_BADOPTION) >++ self._validate_tgt(tgt, expected_error=KDC_ERR_TGT_REVOKED) >+ >+ def test_s4u2self_authdata_no_pac(self): >+ creds = self._get_creds() >+ tgt = self._get_tgt(creds, remove_pac=True, allow_empty_authdata=True) >+ self._s4u2self(tgt, creds, >+- expected_error=(KDC_ERR_GENERIC, KDC_ERR_BADOPTION), >+- expected_status=ntstatus.NT_STATUS_INVALID_PARAMETER, >+- expect_edata=True) >++ expected_error=KDC_ERR_TGT_REVOKED, >++ expect_edata=False) >+ >+ def test_user2user_authdata_no_pac(self): >+ creds = self._get_creds() >+ tgt = self._get_tgt(creds, remove_pac=True, allow_empty_authdata=True) >+- self._user2user(tgt, creds, expected_error=KDC_ERR_BADOPTION) >++ self._user2user(tgt, creds, expected_error=KDC_ERR_TGT_REVOKED) >+ >+ # Test changing the SID in the PAC to that of another account. >+ def test_tgs_sid_mismatch_existing(self): >+ creds = self._get_creds() >+ existing_rid = self._get_existing_rid() >+ tgt = self._get_tgt(creds, new_rid=existing_rid) >+- self._run_tgs(tgt, expected_error=KDC_ERR_CLIENT_NAME_MISMATCH) >++ self._run_tgs(tgt, expected_error=KDC_ERR_TGT_REVOKED) >+ >+ def test_renew_sid_mismatch_existing(self): >+ creds = self._get_creds() >+ existing_rid = self._get_existing_rid() >+ tgt = self._get_tgt(creds, renewable=True, new_rid=existing_rid) >+- self._renew_tgt(tgt, expected_error=KDC_ERR_CLIENT_NAME_MISMATCH) >++ self._renew_tgt(tgt, expected_error=KDC_ERR_TGT_REVOKED) >+ >+ def test_validate_sid_mismatch_existing(self): >+ creds = self._get_creds() >+ existing_rid = self._get_existing_rid() >+ tgt = self._get_tgt(creds, invalid=True, new_rid=existing_rid) >+- self._validate_tgt(tgt, expected_error=KDC_ERR_CLIENT_NAME_MISMATCH) >++ self._validate_tgt(tgt, expected_error=KDC_ERR_TGT_REVOKED) >+ >+ def test_s4u2self_sid_mismatch_existing(self): >+ creds = self._get_creds() >+ existing_rid = self._get_existing_rid() >+ tgt = self._get_tgt(creds, new_rid=existing_rid) >+ self._s4u2self(tgt, creds, >+- expected_error=KDC_ERR_CLIENT_NAME_MISMATCH) >++ expected_error=KDC_ERR_TGT_REVOKED) >+ >+ def test_user2user_sid_mismatch_existing(self): >+ creds = self._get_creds() >+ existing_rid = self._get_existing_rid() >+ tgt = self._get_tgt(creds, new_rid=existing_rid) >+ self._user2user(tgt, creds, >+- expected_error=KDC_ERR_CLIENT_NAME_MISMATCH) >++ expected_error=KDC_ERR_TGT_REVOKED) >+ >+ def test_requester_sid_mismatch_existing(self): >+ creds = self._get_creds() >+ existing_rid = self._get_existing_rid() >+ tgt = self._get_tgt(creds, new_rid=existing_rid, >+ can_modify_logon_info=False) >+- self._run_tgs(tgt, expected_error=KDC_ERR_CLIENT_NAME_MISMATCH) >++ self._run_tgs(tgt, expected_error=KDC_ERR_TGT_REVOKED) >+ >+ def test_logon_info_sid_mismatch_existing(self): >+ creds = self._get_creds() >+@@ -656,49 +648,49 @@ class KdcTgsTests(KDCBaseTest): >+ existing_rid = self._get_existing_rid() >+ tgt = self._get_tgt(creds, new_rid=existing_rid, >+ remove_requester_sid=True) >+- self._run_tgs(tgt, expected_error=KDC_ERR_CLIENT_NAME_MISMATCH) >++ self._run_tgs(tgt, expected_error=KDC_ERR_TGT_REVOKED) >+ >+ # Test changing the SID in the PAC to a non-existent one. >+ def test_tgs_sid_mismatch_nonexisting(self): >+ creds = self._get_creds() >+ nonexistent_rid = self._get_non_existent_rid() >+ tgt = self._get_tgt(creds, new_rid=nonexistent_rid) >+- self._run_tgs(tgt, expected_error=KDC_ERR_CLIENT_NAME_MISMATCH) >++ self._run_tgs(tgt, expected_error=KDC_ERR_TGT_REVOKED) >+ >+ def test_renew_sid_mismatch_nonexisting(self): >+ creds = self._get_creds() >+ nonexistent_rid = self._get_non_existent_rid() >+ tgt = self._get_tgt(creds, renewable=True, >+ new_rid=nonexistent_rid) >+- self._renew_tgt(tgt, expected_error=KDC_ERR_CLIENT_NAME_MISMATCH) >++ self._renew_tgt(tgt, expected_error=KDC_ERR_TGT_REVOKED) >+ >+ def test_validate_sid_mismatch_nonexisting(self): >+ creds = self._get_creds() >+ nonexistent_rid = self._get_non_existent_rid() >+ tgt = self._get_tgt(creds, invalid=True, >+ new_rid=nonexistent_rid) >+- self._validate_tgt(tgt, expected_error=KDC_ERR_CLIENT_NAME_MISMATCH) >++ self._validate_tgt(tgt, expected_error=KDC_ERR_TGT_REVOKED) >+ >+ def test_s4u2self_sid_mismatch_nonexisting(self): >+ creds = self._get_creds() >+ nonexistent_rid = self._get_non_existent_rid() >+ tgt = self._get_tgt(creds, new_rid=nonexistent_rid) >+ self._s4u2self(tgt, creds, >+- expected_error=KDC_ERR_CLIENT_NAME_MISMATCH) >++ expected_error=KDC_ERR_TGT_REVOKED) >+ >+ def test_user2user_sid_mismatch_nonexisting(self): >+ creds = self._get_creds() >+ nonexistent_rid = self._get_non_existent_rid() >+ tgt = self._get_tgt(creds, new_rid=nonexistent_rid) >+ self._user2user(tgt, creds, >+- expected_error=KDC_ERR_CLIENT_NAME_MISMATCH) >++ expected_error=KDC_ERR_TGT_REVOKED) >+ >+ def test_requester_sid_mismatch_nonexisting(self): >+ creds = self._get_creds() >+ nonexistent_rid = self._get_non_existent_rid() >+ tgt = self._get_tgt(creds, new_rid=nonexistent_rid, >+ can_modify_logon_info=False) >+- self._run_tgs(tgt, expected_error=KDC_ERR_CLIENT_NAME_MISMATCH) >++ self._run_tgs(tgt, expected_error=KDC_ERR_TGT_REVOKED) >+ >+ def test_logon_info_sid_mismatch_nonexisting(self): >+ creds = self._get_creds() >+@@ -712,7 +704,7 @@ class KdcTgsTests(KDCBaseTest): >+ nonexistent_rid = self._get_non_existent_rid() >+ tgt = self._get_tgt(creds, new_rid=nonexistent_rid, >+ remove_requester_sid=True) >+- self._run_tgs(tgt, expected_error=KDC_ERR_CLIENT_NAME_MISMATCH) >++ self._run_tgs(tgt, expected_error=KDC_ERR_TGT_REVOKED) >+ >+ # Test with an RODC-issued ticket where the client is revealed to the RODC. >+ def test_tgs_rodc_revealed(self): >+@@ -753,7 +745,7 @@ class KdcTgsTests(KDCBaseTest): >+ existing_rid = self._get_existing_rid(replication_allowed=True, >+ revealed_to_rodc=True) >+ tgt = self._get_tgt(creds, from_rodc=True, new_rid=existing_rid) >+- self._run_tgs(tgt, expected_error=KDC_ERR_CLIENT_NAME_MISMATCH) >++ self._run_tgs(tgt, expected_error=KDC_ERR_TGT_REVOKED) >+ >+ def test_renew_rodc_sid_mismatch_existing(self): >+ creds = self._get_creds(replication_allowed=True, >+@@ -762,7 +754,7 @@ class KdcTgsTests(KDCBaseTest): >+ revealed_to_rodc=True) >+ tgt = self._get_tgt(creds, renewable=True, from_rodc=True, >+ new_rid=existing_rid) >+- self._renew_tgt(tgt, expected_error=KDC_ERR_CLIENT_NAME_MISMATCH) >++ self._renew_tgt(tgt, expected_error=KDC_ERR_TGT_REVOKED) >+ >+ def test_validate_rodc_sid_mismatch_existing(self): >+ creds = self._get_creds(replication_allowed=True, >+@@ -771,7 +763,7 @@ class KdcTgsTests(KDCBaseTest): >+ revealed_to_rodc=True) >+ tgt = self._get_tgt(creds, invalid=True, from_rodc=True, >+ new_rid=existing_rid) >+- self._validate_tgt(tgt, expected_error=KDC_ERR_CLIENT_NAME_MISMATCH) >++ self._validate_tgt(tgt, expected_error=KDC_ERR_TGT_REVOKED) >+ >+ def test_s4u2self_rodc_sid_mismatch_existing(self): >+ creds = self._get_creds(replication_allowed=True, >+@@ -779,7 +771,7 @@ class KdcTgsTests(KDCBaseTest): >+ existing_rid = self._get_existing_rid(replication_allowed=True, >+ revealed_to_rodc=True) >+ tgt = self._get_tgt(creds, from_rodc=True, new_rid=existing_rid) >+- self._s4u2self(tgt, creds, expected_error=KDC_ERR_CLIENT_NAME_MISMATCH) >++ self._s4u2self(tgt, creds, expected_error=KDC_ERR_TGT_REVOKED) >+ >+ def test_user2user_rodc_sid_mismatch_existing(self): >+ creds = self._get_creds(replication_allowed=True, >+@@ -788,7 +780,7 @@ class KdcTgsTests(KDCBaseTest): >+ revealed_to_rodc=True) >+ tgt = self._get_tgt(creds, from_rodc=True, new_rid=existing_rid) >+ self._user2user(tgt, creds, >+- expected_error=KDC_ERR_CLIENT_NAME_MISMATCH) >++ expected_error=KDC_ERR_TGT_REVOKED) >+ >+ def test_tgs_rodc_requester_sid_mismatch_existing(self): >+ creds = self._get_creds(replication_allowed=True, >+@@ -797,7 +789,7 @@ class KdcTgsTests(KDCBaseTest): >+ revealed_to_rodc=True) >+ tgt = self._get_tgt(creds, from_rodc=True, new_rid=existing_rid, >+ can_modify_logon_info=False) >+- self._run_tgs(tgt, expected_error=KDC_ERR_CLIENT_NAME_MISMATCH) >++ self._run_tgs(tgt, expected_error=KDC_ERR_TGT_REVOKED) >+ >+ def test_tgs_rodc_logon_info_sid_mismatch_existing(self): >+ creds = self._get_creds(replication_allowed=True, >+@@ -815,7 +807,7 @@ class KdcTgsTests(KDCBaseTest): >+ revealed_to_rodc=True) >+ tgt = self._get_tgt(creds, from_rodc=True, new_rid=existing_rid, >+ remove_requester_sid=True) >+- self._run_tgs(tgt, expected_error=KDC_ERR_CLIENT_NAME_MISMATCH) >++ self._run_tgs(tgt, expected_error=KDC_ERR_TGT_REVOKED) >+ >+ # Test with an RODC-issued ticket where the SID in the PAC is changed to a >+ # non-existent one. >+@@ -824,7 +816,7 @@ class KdcTgsTests(KDCBaseTest): >+ revealed_to_rodc=True) >+ nonexistent_rid = self._get_non_existent_rid() >+ tgt = self._get_tgt(creds, from_rodc=True, new_rid=nonexistent_rid) >+- self._run_tgs(tgt, expected_error=KDC_ERR_CLIENT_NAME_MISMATCH) >++ self._run_tgs(tgt, expected_error=KDC_ERR_TGT_REVOKED) >+ >+ def test_renew_rodc_sid_mismatch_nonexisting(self): >+ creds = self._get_creds(replication_allowed=True, >+@@ -832,7 +824,7 @@ class KdcTgsTests(KDCBaseTest): >+ nonexistent_rid = self._get_non_existent_rid() >+ tgt = self._get_tgt(creds, renewable=True, from_rodc=True, >+ new_rid=nonexistent_rid) >+- self._renew_tgt(tgt, expected_error=KDC_ERR_CLIENT_NAME_MISMATCH) >++ self._renew_tgt(tgt, expected_error=KDC_ERR_TGT_REVOKED) >+ >+ def test_validate_rodc_sid_mismatch_nonexisting(self): >+ creds = self._get_creds(replication_allowed=True, >+@@ -840,14 +832,14 @@ class KdcTgsTests(KDCBaseTest): >+ nonexistent_rid = self._get_non_existent_rid() >+ tgt = self._get_tgt(creds, invalid=True, from_rodc=True, >+ new_rid=nonexistent_rid) >+- self._validate_tgt(tgt, expected_error=KDC_ERR_CLIENT_NAME_MISMATCH) >++ self._validate_tgt(tgt, expected_error=KDC_ERR_TGT_REVOKED) >+ >+ def test_s4u2self_rodc_sid_mismatch_nonexisting(self): >+ creds = self._get_creds(replication_allowed=True, >+ revealed_to_rodc=True) >+ nonexistent_rid = self._get_non_existent_rid() >+ tgt = self._get_tgt(creds, from_rodc=True, new_rid=nonexistent_rid) >+- self._s4u2self(tgt, creds, expected_error=KDC_ERR_CLIENT_NAME_MISMATCH) >++ self._s4u2self(tgt, creds, expected_error=KDC_ERR_TGT_REVOKED) >+ >+ def test_user2user_rodc_sid_mismatch_nonexisting(self): >+ creds = self._get_creds(replication_allowed=True, >+@@ -855,7 +847,7 @@ class KdcTgsTests(KDCBaseTest): >+ nonexistent_rid = self._get_non_existent_rid() >+ tgt = self._get_tgt(creds, from_rodc=True, new_rid=nonexistent_rid) >+ self._user2user(tgt, creds, >+- expected_error=KDC_ERR_CLIENT_NAME_MISMATCH) >++ expected_error=KDC_ERR_TGT_REVOKED) >+ >+ def test_tgs_rodc_requester_sid_mismatch_nonexisting(self): >+ creds = self._get_creds(replication_allowed=True, >+@@ -863,7 +855,7 @@ class KdcTgsTests(KDCBaseTest): >+ nonexistent_rid = self._get_non_existent_rid() >+ tgt = self._get_tgt(creds, from_rodc=True, new_rid=nonexistent_rid, >+ can_modify_logon_info=False) >+- self._run_tgs(tgt, expected_error=KDC_ERR_CLIENT_NAME_MISMATCH) >++ self._run_tgs(tgt, expected_error=KDC_ERR_TGT_REVOKED) >+ >+ def test_tgs_rodc_logon_info_sid_mismatch_nonexisting(self): >+ creds = self._get_creds(replication_allowed=True, >+@@ -879,7 +871,7 @@ class KdcTgsTests(KDCBaseTest): >+ nonexistent_rid = self._get_non_existent_rid() >+ tgt = self._get_tgt(creds, from_rodc=True, new_rid=nonexistent_rid, >+ remove_requester_sid=True) >+- self._run_tgs(tgt, expected_error=KDC_ERR_CLIENT_NAME_MISMATCH) >++ self._run_tgs(tgt, expected_error=KDC_ERR_TGT_REVOKED) >+ >+ # Test with an RODC-issued ticket where the client is not revealed to the >+ # RODC. >+@@ -1111,8 +1103,7 @@ class KdcTgsTests(KDCBaseTest): >+ names=[user_name]) >+ >+ self._user2user(tgt, creds, sname=sname, >+- expected_error=(KDC_ERR_BADMATCH, >+- KDC_ERR_BADOPTION)) >++ expected_error=KDC_ERR_BADMATCH) >+ >+ def test_user2user_other_sname(self): >+ other_name = self.get_new_username() >+@@ -1134,8 +1125,7 @@ class KdcTgsTests(KDCBaseTest): >+ sname = self.get_krbtgt_sname() >+ >+ self._user2user(tgt, creds, sname=sname, >+- expected_error=(KDC_ERR_BADMATCH, >+- KDC_ERR_BADOPTION)) >++ expected_error=KDC_ERR_BADMATCH) >+ >+ def test_user2user_wrong_srealm(self): >+ creds = self._get_creds() >+@@ -1206,7 +1196,9 @@ class KdcTgsTests(KDCBaseTest): >+ >+ tgt = self._modify_tgt(tgt, cname=cname) >+ >+- self._user2user(tgt, creds, expected_error=KDC_ERR_C_PRINCIPAL_UNKNOWN) >++ self._user2user(tgt, creds, >++ expected_error=(KDC_ERR_TGT_REVOKED, >++ KDC_ERR_C_PRINCIPAL_UNKNOWN)) >+ >+ def test_user2user_non_existent_sname(self): >+ creds = self._get_creds() >+@@ -1522,8 +1514,7 @@ class KdcTgsTests(KDCBaseTest): >+ tgt = self._modify_tgt(tgt, renewable=True, >+ remove_requester_sid=True) >+ >+- self._renew_tgt(tgt, expected_error=0, expect_pac=True, >+- expect_requester_sid=False) # Note: not expected >++ self._renew_tgt(tgt, expected_error=KDC_ERR_TGT_REVOKED) >+ >+ def test_tgs_requester_sid_missing_rodc_renew(self): >+ creds = self._get_creds(replication_allowed=True, >+@@ -1539,9 +1530,7 @@ class KdcTgsTests(KDCBaseTest): >+ tgt = self._modify_tgt(tgt, from_rodc=True, renewable=True, >+ remove_requester_sid=True) >+ >+- self._renew_tgt(tgt, expected_error=0, expect_pac=True, >+- expected_sid=sid, >+- expect_requester_sid=True) >++ self._renew_tgt(tgt, expected_error=KDC_ERR_TGT_REVOKED) >+ >+ def test_tgs_pac_request_none(self): >+ creds = self._get_creds() >+@@ -1655,10 +1644,10 @@ class KdcTgsTests(KDCBaseTest): >+ creds = self._get_creds() >+ tgt = self.get_tgt(creds, pac_request=False, expect_pac=None) >+ >+- ticket = self._s4u2self(tgt, creds, expected_error=0, expect_pac=False) >++ ticket = self._s4u2self(tgt, creds, expected_error=0, expect_pac=True) >+ >+- pac = self.get_ticket_pac(ticket, expect_pac=False) >+- self.assertIsNone(pac) >++ pac = self.get_ticket_pac(ticket) >++ self.assertIsNotNone(pac) >+ >+ def test_s4u2self_pac_request_true(self): >+ creds = self._get_creds() >+@@ -1753,10 +1742,10 @@ class KdcTgsTests(KDCBaseTest): >+ tgt = self.get_tgt(creds, pac_request=False, expect_pac=None) >+ tgt = self._modify_tgt(tgt, from_rodc=True) >+ >+- ticket = self._run_tgs(tgt, expected_error=0, expect_pac=False) >++ ticket = self._run_tgs(tgt, expected_error=0, expect_pac=True) >+ >+ pac = self.get_ticket_pac(ticket, expect_pac=False) >+- self.assertIsNone(pac) >++ self.assertIsNotNone(pac) >+ >+ def test_tgs_rodc_pac_request_true(self): >+ creds = self._get_creds(replication_allowed=True, >+@@ -1784,7 +1773,8 @@ class KdcTgsTests(KDCBaseTest): >+ 'sAMAccountName') >+ samdb.modify(msg) >+ >+- self._run_tgs(tgt, expected_error=KDC_ERR_C_PRINCIPAL_UNKNOWN) >++ self._run_tgs(tgt, expected_error=(KDC_ERR_TGT_REVOKED, >++ KDC_ERR_C_PRINCIPAL_UNKNOWN)) >+ >+ def _modify_renewable(self, enc_part): >+ # Set the renewable flag. >+diff --git python/samba/tests/krb5/ms_kile_client_principal_lookup_tests.py python/samba/tests/krb5/ms_kile_client_principal_lookup_tests.py >+index 0aa3309b814..e6b90d3e16a 100755 >+--- python/samba/tests/krb5/ms_kile_client_principal_lookup_tests.py >++++ python/samba/tests/krb5/ms_kile_client_principal_lookup_tests.py >+@@ -32,6 +32,7 @@ from samba.tests.krb5.rfc4120_constants import ( >+ NT_PRINCIPAL, >+ NT_SRV_INST, >+ KDC_ERR_C_PRINCIPAL_UNKNOWN, >++ KDC_ERR_TGT_REVOKED, >+ ) >+ >+ global_asn1_print = False >+@@ -322,21 +323,10 @@ class MS_Kile_Client_Principal_Lookup_Tests(KDCBaseTest): >+ >+ (rep, enc_part) = self.tgs_req( >+ cname, sname, uc.get_realm(), ticket, key, etype, >+- service_creds=mc, expect_pac=False) >+- self.check_tgs_reply(rep) >+- >+- # Check the contents of the service ticket >+- ticket = rep['ticket'] >+- enc_part = self.decode_service_ticket(mc, ticket) >+- # >+- # We get an empty authorization-data element in the ticket. >+- # i.e. no PAC >+- self.assertEqual([], enc_part['authorization-data']) >+- # check the crealm and cname >+- cname = enc_part['cname'] >+- self.assertEqual(NT_PRINCIPAL, cname['name-type']) >+- self.assertEqual(alt_name.encode('UTF8'), cname['name-string'][0]) >+- self.assertEqual(realm.upper().encode('UTF8'), enc_part['crealm']) >++ service_creds=mc, expect_pac=False, >++ expect_edata=False, >++ expected_error_mode=KDC_ERR_TGT_REVOKED) >++ self.check_error_rep(rep, KDC_ERR_TGT_REVOKED) >+ >+ def test_nt_principal_step_4_b(self): >+ ''' Step 4, pre-authentication >+@@ -703,21 +693,10 @@ class MS_Kile_Client_Principal_Lookup_Tests(KDCBaseTest): >+ >+ (rep, enc_part) = self.tgs_req( >+ cname, sname, uc.get_realm(), ticket, key, etype, >+- service_creds=mc, expect_pac=False) >+- self.check_tgs_reply(rep) >+- >+- # Check the contents of the service ticket >+- ticket = rep['ticket'] >+- enc_part = self.decode_service_ticket(mc, ticket) >+- # >+- # We get an empty authorization-data element in the ticket. >+- # i.e. no PAC >+- self.assertEqual([], enc_part['authorization-data']) >+- # check the crealm and cname >+- cname = enc_part['cname'] >+- self.assertEqual(NT_ENTERPRISE_PRINCIPAL, cname['name-type']) >+- self.assertEqual(ename.encode('UTF8'), cname['name-string'][0]) >+- self.assertEqual(realm.upper().encode('UTF8'), enc_part['crealm']) >++ service_creds=mc, expect_pac=False, >++ expect_edata=False, >++ expected_error_mode=KDC_ERR_TGT_REVOKED) >++ self.check_error_rep(rep, KDC_ERR_TGT_REVOKED) >+ >+ def test_nt_enterprise_principal_step_6_b(self): >+ ''' Step 4, pre-authentication >+diff --git python/samba/tests/krb5/s4u_tests.py python/samba/tests/krb5/s4u_tests.py >+index a80a7b3427e..5f37525f393 100755 >+--- python/samba/tests/krb5/s4u_tests.py >++++ python/samba/tests/krb5/s4u_tests.py >+@@ -42,6 +42,7 @@ from samba.tests.krb5.rfc4120_constants import ( >+ KDC_ERR_INAPP_CKSUM, >+ KDC_ERR_MODIFIED, >+ KDC_ERR_SUMTYPE_NOSUPP, >++ KDC_ERR_TGT_REVOKED, >+ KU_PA_ENC_TIMESTAMP, >+ KU_AS_REP_ENC_PART, >+ KU_TGS_REP_ENC_PART_SUB_KEY, >+@@ -278,6 +279,8 @@ class S4UKerberosTests(KDCBaseTest): >+ etypes = kdc_dict.pop('etypes', (AES256_CTS_HMAC_SHA1_96, >+ ARCFOUR_HMAC_MD5)) >+ >++ expect_edata = kdc_dict.pop('expect_edata', None) >++ >+ def generate_s4u2self_padata(_kdc_exchange_dict, >+ _callback_dict, >+ req_body): >+@@ -309,7 +312,8 @@ class S4UKerberosTests(KDCBaseTest): >+ tgt=service_tgt, >+ authenticator_subkey=authenticator_subkey, >+ kdc_options=str(kdc_options), >+- expect_claims=False) >++ expect_claims=False, >++ expect_edata=expect_edata) >+ >+ self._generic_kdc_exchange(kdc_exchange_dict, >+ cname=None, >+@@ -343,15 +347,14 @@ class S4UKerberosTests(KDCBaseTest): >+ >+ self._run_s4u2self_test( >+ { >+- 'expected_error_mode': (KDC_ERR_GENERIC, >+- KDC_ERR_BADOPTION), >+- 'expected_status': ntstatus.NT_STATUS_INVALID_PARAMETER, >++ 'expected_error_mode': KDC_ERR_TGT_REVOKED, >+ 'client_opts': { >+ 'not_delegated': False >+ }, >+ 'kdc_options': 'forwardable', >+ 'modify_service_tgt_fn': forwardable_no_pac, >+- 'expected_flags': 'forwardable' >++ 'expected_flags': 'forwardable', >++ 'expect_edata': False >+ }) >+ >+ # Test performing an S4U2Self operation without requesting a forwardable >+@@ -674,8 +677,8 @@ class S4UKerberosTests(KDCBaseTest): >+ # contain a PAC. >+ self._run_delegation_test( >+ { >+- 'expected_error_mode': (KDC_ERR_BADOPTION, >+- KDC_ERR_MODIFIED), >++ 'expected_error_mode': (KDC_ERR_MODIFIED, >++ KDC_ERR_TGT_REVOKED), >+ 'allow_delegation': True, >+ 'modify_client_tkt_fn': self.remove_ticket_pac, >+ 'expect_edata': False >+@@ -686,9 +689,10 @@ class S4UKerberosTests(KDCBaseTest): >+ # PAC. >+ self._run_delegation_test( >+ { >+- 'expected_error_mode': 0, >++ 'expected_error_mode': KDC_ERR_TGT_REVOKED, >+ 'allow_delegation': True, >+- 'modify_service_tgt_fn': self.remove_ticket_pac >++ 'modify_service_tgt_fn': self.remove_ticket_pac, >++ 'expect_edata': False >+ }) >+ >+ def test_constrained_delegation_no_client_pac_no_auth_data_required(self): >+@@ -696,8 +700,8 @@ class S4UKerberosTests(KDCBaseTest): >+ # contain a PAC. >+ self._run_delegation_test( >+ { >+- 'expected_error_mode': (KDC_ERR_BADOPTION, >+- KDC_ERR_MODIFIED), >++ 'expected_error_mode': (KDC_ERR_MODIFIED, >++ KDC_ERR_BADOPTION), >+ 'allow_delegation': True, >+ 'modify_client_tkt_fn': self.remove_ticket_pac, >+ 'expect_edata': False, >+@@ -711,13 +715,14 @@ class S4UKerberosTests(KDCBaseTest): >+ # PAC. >+ self._run_delegation_test( >+ { >+- 'expected_error_mode': (KDC_ERR_BADOPTION, >+- KDC_ERR_MODIFIED), >++ 'expected_error_mode': KDC_ERR_TGT_REVOKED, >+ 'allow_delegation': True, >+ 'modify_service_tgt_fn': self.remove_ticket_pac, >+ 'service2_opts': { >+ 'no_auth_data_required': True >+- } >++ }, >++ 'expect_pac': False, >++ 'expect_edata': False >+ }) >+ >+ def test_constrained_delegation_non_forwardable(self): >+@@ -812,12 +817,11 @@ class S4UKerberosTests(KDCBaseTest): >+ # PAC. >+ self._run_delegation_test( >+ { >+- 'expected_error_mode': KDC_ERR_BADOPTION, >+- 'expected_status': >+- ntstatus.NT_STATUS_NOT_FOUND, >++ 'expected_error_mode': KDC_ERR_TGT_REVOKED, >+ 'allow_rbcd': True, >+ 'pac_options': '0001', # supports RBCD >+- 'modify_service_tgt_fn': self.remove_ticket_pac >++ 'modify_service_tgt_fn': self.remove_ticket_pac, >++ 'expect_edata': False >+ }) >+ >+ def test_rbcd_no_client_pac_no_auth_data_required_a(self): >+@@ -858,15 +862,14 @@ class S4UKerberosTests(KDCBaseTest): >+ # PAC. >+ self._run_delegation_test( >+ { >+- 'expected_error_mode': KDC_ERR_BADOPTION, >+- 'expected_status': >+- ntstatus.NT_STATUS_NOT_FOUND, >++ 'expected_error_mode': KDC_ERR_TGT_REVOKED, >+ 'allow_rbcd': True, >+ 'pac_options': '0001', # supports RBCD >+ 'modify_service_tgt_fn': self.remove_ticket_pac, >+ 'service2_opts': { >+ 'no_auth_data_required': True >+- } >++ }, >++ 'expect_edata': False >+ }) >+ >+ def test_rbcd_non_forwardable(self): >+@@ -941,8 +944,8 @@ class S4UKerberosTests(KDCBaseTest): >+ for checksum in self.pac_checksum_types: >+ with self.subTest(checksum=checksum): >+ if checksum == krb5pac.PAC_TYPE_TICKET_CHECKSUM: >+- expected_error_mode = (KDC_ERR_BADOPTION, >+- KDC_ERR_MODIFIED) >++ expected_error_mode = (KDC_ERR_MODIFIED, >++ KDC_ERR_BADOPTION) >+ else: >+ expected_error_mode = KDC_ERR_GENERIC >+ >+@@ -1061,8 +1064,7 @@ class S4UKerberosTests(KDCBaseTest): >+ for checksum in self.pac_checksum_types: >+ with self.subTest(checksum=checksum): >+ if checksum == krb5pac.PAC_TYPE_SRV_CHECKSUM: >+- expected_error_mode = (KDC_ERR_MODIFIED, >+- KDC_ERR_BAD_INTEGRITY) >++ expected_error_mode = KDC_ERR_MODIFIED >+ expected_status = ntstatus.NT_STATUS_WRONG_PASSWORD >+ else: >+ expected_error_mode = 0 >+@@ -1162,8 +1164,7 @@ class S4UKerberosTests(KDCBaseTest): >+ with self.subTest(checksum=checksum, ctype=ctype): >+ if checksum == krb5pac.PAC_TYPE_SRV_CHECKSUM: >+ if ctype == Cksumtype.SHA1: >+- expected_error_mode = (KDC_ERR_SUMTYPE_NOSUPP, >+- KDC_ERR_BAD_INTEGRITY) >++ expected_error_mode = KDC_ERR_SUMTYPE_NOSUPP >+ expected_status = ntstatus.NT_STATUS_LOGON_FAILURE >+ else: >+ expected_error_mode = KDC_ERR_GENERIC >+diff --git python/samba/tests/krb5/test_rpc.py python/samba/tests/krb5/test_rpc.py >+index 2d483986e83..5a3c7339cea 100755 >+--- python/samba/tests/krb5/test_rpc.py >++++ python/samba/tests/krb5/test_rpc.py >+@@ -24,7 +24,10 @@ import ldb >+ >+ from samba import NTSTATUSError, credentials >+ from samba.dcerpc import lsa >+-from samba.ntstatus import NT_STATUS_NO_IMPERSONATION_TOKEN >++from samba.ntstatus import ( >++ NT_STATUS_ACCESS_DENIED, >++ NT_STATUS_NO_IMPERSONATION_TOKEN >++) >+ >+ from samba.tests.krb5.kdc_base_test import KDCBaseTest >+ >+@@ -103,7 +106,8 @@ class RpcTests(KDCBaseTest): >+ self.fail() >+ >+ enum, _ = e.args >+- self.assertEqual(NT_STATUS_NO_IMPERSONATION_TOKEN, enum) >++ self.assertIn(enum, {NT_STATUS_ACCESS_DENIED, >++ NT_STATUS_NO_IMPERSONATION_TOKEN}) >+ return >+ >+ (account_name, _) = conn.GetUserName(None, None, None) >+diff --git selftest/knownfail_heimdal_kdc selftest/knownfail_heimdal_kdc >+index 7eba899966e..1b7e159c381 100644 >+--- selftest/knownfail_heimdal_kdc >++++ selftest/knownfail_heimdal_kdc >+@@ -233,16 +233,21 @@ >+ # S4U tests >+ # >+ ^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_bronze_bit_rbcd_old_checksum >++^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_constrained_delegation_no_client_pac(?!_no_auth_data_required) >+ ^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_constrained_delegation_no_service_pac\(.*\)$ >++^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_constrained_delegation_no_service_pac_no_auth_data_required >+ ^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_rbcd_existing_delegation_info >+ ^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_rbcd_missing_client_checksum >+ ^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_rbcd_no_client_pac_a >+ ^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_rbcd_no_client_pac_b >++^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_rbcd_no_service_pac >++^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_rbcd_no_service_pac_no_auth_data_required >+ ^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_rbcd_unkeyed_client_checksum >+ ^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_rbcd_unkeyed_service_checksum >+ ^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_rbcd_zeroed_client_checksum >+ ^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_rbcd_zeroed_service_checksum >+ ^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_s4u2self_forwardable >++^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_s4u2self_no_pac >+ ^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_s4u2self_not_trusted_empty_allowed >+ # >+ ^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_constrained_delegation_no_auth_data_required >+@@ -259,3 +264,62 @@ >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_rodc_not_revealed >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_rodc_not_revealed >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_validate_rodc_not_revealed >++# >++# Alias tests >++# >++^samba.tests.krb5.alias_tests.samba.tests.krb5.alias_tests.AliasTests.test_create_alias_delete >++^samba.tests.krb5.alias_tests.samba.tests.krb5.alias_tests.AliasTests.test_create_alias_rename >++^samba.tests.krb5.alias_tests.samba.tests.krb5.alias_tests.AliasTests.test_dc_alias_delete >++^samba.tests.krb5.alias_tests.samba.tests.krb5.alias_tests.AliasTests.test_dc_alias_rename >++# >++# KDC TGS tests >++# >++^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_logon_info_only_sid_mismatch_existing >++^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_logon_info_only_sid_mismatch_nonexisting >++^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_remove_pac >++^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_remove_pac_client_no_auth_data_required >++^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_remove_pac_service_no_auth_data_required >++^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_renew_authdata_no_pac >++^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_renew_no_pac >++^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_renew_rodc_sid_mismatch_existing >++^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_renew_rodc_sid_mismatch_nonexisting >++^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_renew_sid_mismatch_existing >++^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_renew_sid_mismatch_nonexisting >++^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_requester_sid_mismatch_existing >++^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_requester_sid_mismatch_nonexisting >++^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_s4u2self_authdata_no_pac >++^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_s4u2self_no_pac >++^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_s4u2self_pac_request_false >++^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_s4u2self_rodc_sid_mismatch_existing >++^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_s4u2self_rodc_sid_mismatch_nonexisting >++^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_s4u2self_sid_mismatch_existing >++^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_s4u2self_sid_mismatch_nonexisting >++^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_authdata_no_pac >++^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_no_pac >++^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_req_from_rodc_no_requester_sid >++^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_req_no_requester_sid >++^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_requester_sid_missing_renew >++^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_requester_sid_missing_rodc_renew >++^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_rodc_logon_info_only_sid_mismatch_existing >++^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_rodc_logon_info_only_sid_mismatch_nonexisting >++^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_rodc_pac_request_false >++^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_rodc_requester_sid_mismatch_existing >++^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_rodc_requester_sid_mismatch_nonexisting >++^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_rodc_sid_mismatch_existing >++^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_rodc_sid_mismatch_nonexisting >++^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_sid_mismatch_existing >++^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_sid_mismatch_nonexisting >++^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_authdata_no_pac >++^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_no_pac >++^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_rodc_sid_mismatch_existing >++^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_rodc_sid_mismatch_nonexisting >++^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_sid_mismatch_existing >++^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_sid_mismatch_nonexisting >++^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_wrong_sname >++^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_wrong_sname_krbtgt >++^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_validate_authdata_no_pac >++^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_validate_no_pac >++^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_validate_rodc_sid_mismatch_existing >++^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_validate_rodc_sid_mismatch_nonexisting >++^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_validate_sid_mismatch_existing >++^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_validate_sid_mismatch_nonexisting >+diff --git selftest/knownfail_mit_kdc selftest/knownfail_mit_kdc >+index 8cd36fe2d96..cc12499bb50 100644 >+--- selftest/knownfail_mit_kdc >++++ selftest/knownfail_mit_kdc >+@@ -390,6 +390,8 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_ >+ # >+ # KDC TGT tests >+ # >++^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_logon_info_only_sid_mismatch_existing >++^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_logon_info_only_sid_mismatch_nonexisting >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_renew_authdata_no_pac >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_renew_no_pac >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_renew_rodc_allowed_denied >+@@ -401,6 +403,8 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_ >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_renew_rodc_revealed >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_renew_rodc_sid_mismatch_existing >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_renew_rodc_sid_mismatch_nonexisting >++^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_renew_sid_mismatch_existing >++^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_renew_sid_mismatch_nonexisting >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_s4u2self_authdata_no_pac >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_s4u2self_no_pac >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_s4u2self_req >+@@ -418,6 +422,7 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_ >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_authdata_no_pac >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_no_pac >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_rename >++^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_req_no_requester_sid >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_rodc_allowed_denied >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_rodc_denied >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_rodc_no_krbtgt_link >+@@ -427,6 +432,8 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_ >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_rodc_revealed >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_rodc_sid_mismatch_existing >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_rodc_sid_mismatch_nonexisting >++^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_sid_mismatch_existing >++^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_sid_mismatch_nonexisting >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_authdata_no_pac >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_no_pac >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_no_sname >+@@ -462,6 +469,8 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_ >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_validate_rodc_revealed >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_validate_rodc_sid_mismatch_existing >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_validate_rodc_sid_mismatch_nonexisting >++^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_validate_sid_mismatch_existing >++^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_validate_sid_mismatch_nonexisting >+ # >+ # PAC attributes tests >+ # >+-- >+2.25.1 >+ >+ >+From ea82822a5c451df50feed15c5da3501df2b5c106 Mon Sep 17 00:00:00 2001 >+From: Joseph Sutton <josephsutton@catalyst.net.nz> >+Date: Wed, 24 Nov 2021 12:04:36 +1300 >+Subject: [PATCH 28/99] tests/krb5: Remove unnecessary expect_pac arguments >+ >+The value of expect_pac is not considered if we are expecting an error. >+ >+Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> >+Reviewed-by: Andrew Bartlett <abartlet@samba.org> >+(cherry picked from commit 28d501875a98fa2817262eb8ec68bf91528428c2) >+--- >+ python/samba/tests/krb5/kdc_tgs_tests.py | 6 +++--- >+ 1 file changed, 3 insertions(+), 3 deletions(-) >+ >+diff --git python/samba/tests/krb5/kdc_tgs_tests.py python/samba/tests/krb5/kdc_tgs_tests.py >+index 7ea15f0fbab..6160ef649e8 100755 >+--- python/samba/tests/krb5/kdc_tgs_tests.py >++++ python/samba/tests/krb5/kdc_tgs_tests.py >+@@ -412,7 +412,7 @@ class KdcTgsTests(KDCBaseTest): >+ self.assertIsNone(pac) >+ >+ self._make_tgs_request(client_creds, service_creds, tgt, >+- expect_pac=False, expect_error=True) >++ expect_error=True) >+ >+ def test_remove_pac_client_no_auth_data_required(self): >+ client_creds = self.get_cached_creds( >+@@ -427,7 +427,7 @@ class KdcTgsTests(KDCBaseTest): >+ self.assertIsNone(pac) >+ >+ self._make_tgs_request(client_creds, service_creds, tgt, >+- expect_pac=False, expect_error=True) >++ expect_error=True) >+ >+ def test_remove_pac(self): >+ client_creds = self.get_client_creds() >+@@ -440,7 +440,7 @@ class KdcTgsTests(KDCBaseTest): >+ self.assertIsNone(pac) >+ >+ self._make_tgs_request(client_creds, service_creds, tgt, >+- expect_pac=False, expect_error=True) >++ expect_error=True) >+ >+ def test_upn_dns_info_ex_user(self): >+ client_creds = self.get_client_creds() >+-- >+2.25.1 >+ >+ >+From eb0ed5f4f6d725c49fda97bc8f7aae89f90bd913 Mon Sep 17 00:00:00 2001 >+From: Joseph Sutton <josephsutton@catalyst.net.nz> >+Date: Tue, 30 Nov 2021 09:26:40 +1300 >+Subject: [PATCH 29/99] tests/krb5: Add tests for invalid TGTs >+ >+Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> >+Reviewed-by: Andrew Bartlett <abartlet@samba.org> >+(cherry picked from commit 7574ba9f580fca552b80532a49d00e657fbdf4fd) >+ >+[jsutton@samba.org Removed some MIT knownfail changes] >+--- >+ python/samba/tests/krb5/kdc_tgs_tests.py | 16 ++++++++++++++++ >+ python/samba/tests/krb5/rfc4120_constants.py | 1 + >+ selftest/knownfail_mit_kdc | 1 + >+ 3 files changed, 18 insertions(+) >+ >+diff --git python/samba/tests/krb5/kdc_tgs_tests.py python/samba/tests/krb5/kdc_tgs_tests.py >+index 6160ef649e8..f5f091610ac 100755 >+--- python/samba/tests/krb5/kdc_tgs_tests.py >++++ python/samba/tests/krb5/kdc_tgs_tests.py >+@@ -44,6 +44,7 @@ from samba.tests.krb5.rfc4120_constants import ( >+ KDC_ERR_C_PRINCIPAL_UNKNOWN, >+ KDC_ERR_S_PRINCIPAL_UNKNOWN, >+ KDC_ERR_TGT_REVOKED, >++ KRB_ERR_TKT_NYV, >+ KDC_ERR_WRONG_REALM, >+ NT_PRINCIPAL, >+ NT_SRV_INST, >+@@ -511,6 +512,21 @@ class KdcTgsTests(KDCBaseTest): >+ tgt = self._get_tgt(creds) >+ self._user2user(tgt, creds, expected_error=0) >+ >++ def test_tgs_req_invalid(self): >++ creds = self._get_creds() >++ tgt = self._get_tgt(creds, invalid=True) >++ self._run_tgs(tgt, expected_error=KRB_ERR_TKT_NYV) >++ >++ def test_s4u2self_req_invalid(self): >++ creds = self._get_creds() >++ tgt = self._get_tgt(creds, invalid=True) >++ self._s4u2self(tgt, creds, expected_error=KRB_ERR_TKT_NYV) >++ >++ def test_user2user_req_invalid(self): >++ creds = self._get_creds() >++ tgt = self._get_tgt(creds, invalid=True) >++ self._user2user(tgt, creds, expected_error=KRB_ERR_TKT_NYV) >++ >+ def test_tgs_req_no_requester_sid(self): >+ creds = self._get_creds() >+ tgt = self._get_tgt(creds, remove_requester_sid=True) >+diff --git python/samba/tests/krb5/rfc4120_constants.py python/samba/tests/krb5/rfc4120_constants.py >+index 5251e291fde..a9fdc5735dd 100644 >+--- python/samba/tests/krb5/rfc4120_constants.py >++++ python/samba/tests/krb5/rfc4120_constants.py >+@@ -76,6 +76,7 @@ KDC_ERR_TGT_REVOKED = 20 >+ KDC_ERR_PREAUTH_FAILED = 24 >+ KDC_ERR_PREAUTH_REQUIRED = 25 >+ KDC_ERR_BAD_INTEGRITY = 31 >++KRB_ERR_TKT_NYV = 33 >+ KDC_ERR_NOT_US = 35 >+ KDC_ERR_BADMATCH = 36 >+ KDC_ERR_SKEW = 37 >+diff --git selftest/knownfail_mit_kdc selftest/knownfail_mit_kdc >+index cc12499bb50..3aacec00870 100644 >+--- selftest/knownfail_mit_kdc >++++ selftest/knownfail_mit_kdc >+@@ -422,6 +422,7 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_ >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_authdata_no_pac >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_no_pac >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_rename >++^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_req_invalid >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_req_no_requester_sid >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_rodc_allowed_denied >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_rodc_denied >+-- >+2.25.1 >+ >+ >+From 645d30ff371fdf3e16cb1fa69f2e93a848d20bdb Mon Sep 17 00:00:00 2001 >+From: Joseph Sutton <josephsutton@catalyst.net.nz> >+Date: Wed, 24 Nov 2021 12:10:45 +1300 >+Subject: [PATCH 30/99] tests/krb5: Add tests for TGS requests with a non-TGT >+ >+Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> >+Reviewed-by: Andrew Bartlett <abartlet@samba.org> >+(cherry picked from commit 778029c1dc443b87f4ed4b9d2c613d0e6fc45b0d) >+--- >+ python/samba/tests/krb5/kdc_tgs_tests.py | 51 ++++++++++++++++++++++++ >+ selftest/knownfail_mit_kdc | 2 + >+ 2 files changed, 53 insertions(+) >+ >+diff --git python/samba/tests/krb5/kdc_tgs_tests.py python/samba/tests/krb5/kdc_tgs_tests.py >+index f5f091610ac..52297c963e8 100755 >+--- python/samba/tests/krb5/kdc_tgs_tests.py >++++ python/samba/tests/krb5/kdc_tgs_tests.py >+@@ -40,6 +40,7 @@ from samba.tests.krb5.rfc4120_constants import ( >+ KDC_ERR_BADMATCH, >+ KDC_ERR_GENERIC, >+ KDC_ERR_MODIFIED, >++ KDC_ERR_NOT_US, >+ KDC_ERR_POLICY, >+ KDC_ERR_C_PRINCIPAL_UNKNOWN, >+ KDC_ERR_S_PRINCIPAL_UNKNOWN, >+@@ -1234,6 +1235,56 @@ class KdcTgsTests(KDCBaseTest): >+ expected_error=(KDC_ERR_GENERIC, >+ KDC_ERR_S_PRINCIPAL_UNKNOWN)) >+ >++ def test_tgs_service_ticket(self): >++ creds = self._get_creds() >++ tgt = self._get_tgt(creds) >++ >++ service_creds = self.get_service_creds() >++ service_ticket = self.get_service_ticket(tgt, service_creds) >++ >++ self._run_tgs(service_ticket, >++ expected_error=(KDC_ERR_NOT_US, KDC_ERR_POLICY)) >++ >++ def test_renew_service_ticket(self): >++ creds = self._get_creds() >++ tgt = self._get_tgt(creds) >++ >++ service_creds = self.get_service_creds() >++ service_ticket = self.get_service_ticket(tgt, service_creds) >++ >++ service_ticket = self.modified_ticket( >++ service_ticket, >++ modify_fn=self._modify_renewable, >++ checksum_keys=self.get_krbtgt_checksum_key()) >++ >++ self._renew_tgt(service_ticket, >++ expected_error=KDC_ERR_POLICY) >++ >++ def test_validate_service_ticket(self): >++ creds = self._get_creds() >++ tgt = self._get_tgt(creds) >++ >++ service_creds = self.get_service_creds() >++ service_ticket = self.get_service_ticket(tgt, service_creds) >++ >++ service_ticket = self.modified_ticket( >++ service_ticket, >++ modify_fn=self._modify_invalid, >++ checksum_keys=self.get_krbtgt_checksum_key()) >++ >++ self._validate_tgt(service_ticket, >++ expected_error=KDC_ERR_POLICY) >++ >++ def test_s4u2self_service_ticket(self): >++ creds = self._get_creds() >++ tgt = self._get_tgt(creds) >++ >++ service_creds = self.get_service_creds() >++ service_ticket = self.get_service_ticket(tgt, service_creds) >++ >++ self._s4u2self(service_ticket, creds, >++ expected_error=(KDC_ERR_NOT_US, KDC_ERR_POLICY)) >++ >+ def test_user2user_service_ticket(self): >+ creds = self._get_creds() >+ tgt = self._get_tgt(creds) >+diff --git selftest/knownfail_mit_kdc selftest/knownfail_mit_kdc >+index 3aacec00870..98e8a34cd5f 100644 >+--- selftest/knownfail_mit_kdc >++++ selftest/knownfail_mit_kdc >+@@ -403,6 +403,7 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_ >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_renew_rodc_revealed >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_renew_rodc_sid_mismatch_existing >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_renew_rodc_sid_mismatch_nonexisting >++^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_renew_service_ticket >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_renew_sid_mismatch_existing >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_renew_sid_mismatch_nonexisting >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_s4u2self_authdata_no_pac >+@@ -470,6 +471,7 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_ >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_validate_rodc_revealed >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_validate_rodc_sid_mismatch_existing >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_validate_rodc_sid_mismatch_nonexisting >++^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_validate_service_ticket >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_validate_sid_mismatch_existing >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_validate_sid_mismatch_nonexisting >+ # >+-- >+2.25.1 >+ >+ >+From 1d616e8e9c0dceabebd1f079fc4d652d6bf2060d Mon Sep 17 00:00:00 2001 >+From: Joseph Sutton <josephsutton@catalyst.net.nz> >+Date: Wed, 24 Nov 2021 12:09:18 +1300 >+Subject: [PATCH 31/99] tests/krb5: Add TGS-REQ tests with FAST >+ >+Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> >+Reviewed-by: Andrew Bartlett <abartlet@samba.org> >+(cherry picked from commit ec823c2a83c639f1d7c422153a53d366750e5f2a) >+--- >+ python/samba/tests/krb5/kdc_tgs_tests.py | 184 ++++++++++++++++++++++- >+ selftest/knownfail_heimdal_kdc | 13 ++ >+ selftest/knownfail_mit_kdc | 17 +++ >+ 3 files changed, 212 insertions(+), 2 deletions(-) >+ >+diff --git python/samba/tests/krb5/kdc_tgs_tests.py python/samba/tests/krb5/kdc_tgs_tests.py >+index 52297c963e8..99a91528fa8 100755 >+--- python/samba/tests/krb5/kdc_tgs_tests.py >++++ python/samba/tests/krb5/kdc_tgs_tests.py >+@@ -32,6 +32,7 @@ os.environ["PYTHONUNBUFFERED"] = "1" >+ >+ import samba.tests.krb5.kcrypto as kcrypto >+ from samba.tests.krb5.kdc_base_test import KDCBaseTest >++from samba.tests.krb5.raw_testcase import Krb5EncryptionKey >+ from samba.tests.krb5.rfc4120_constants import ( >+ AES256_CTS_HMAC_SHA1_96, >+ ARCFOUR_HMAC_MD5, >+@@ -513,6 +514,11 @@ class KdcTgsTests(KDCBaseTest): >+ tgt = self._get_tgt(creds) >+ self._user2user(tgt, creds, expected_error=0) >+ >++ def test_fast_req(self): >++ creds = self._get_creds() >++ tgt = self._get_tgt(creds) >++ self._fast(tgt, creds, expected_error=0) >++ >+ def test_tgs_req_invalid(self): >+ creds = self._get_creds() >+ tgt = self._get_tgt(creds, invalid=True) >+@@ -528,6 +534,12 @@ class KdcTgsTests(KDCBaseTest): >+ tgt = self._get_tgt(creds, invalid=True) >+ self._user2user(tgt, creds, expected_error=KRB_ERR_TKT_NYV) >+ >++ def test_fast_req_invalid(self): >++ creds = self._get_creds() >++ tgt = self._get_tgt(creds, invalid=True) >++ self._fast(tgt, creds, expected_error=KRB_ERR_TKT_NYV, >++ expected_sname=self.get_krbtgt_sname()) >++ >+ def test_tgs_req_no_requester_sid(self): >+ creds = self._get_creds() >+ tgt = self._get_tgt(creds, remove_requester_sid=True) >+@@ -583,6 +595,12 @@ class KdcTgsTests(KDCBaseTest): >+ tgt = self._get_tgt(creds, remove_pac=True) >+ self._user2user(tgt, creds, expected_error=KDC_ERR_TGT_REVOKED) >+ >++ def test_fast_no_pac(self): >++ creds = self._get_creds() >++ tgt = self._get_tgt(creds, remove_pac=True) >++ self._fast(tgt, creds, expected_error=KDC_ERR_TGT_REVOKED, >++ expected_sname=self.get_krbtgt_sname()) >++ >+ # Test making a request with authdata and without a PAC. >+ def test_tgs_authdata_no_pac(self): >+ creds = self._get_creds() >+@@ -613,6 +631,12 @@ class KdcTgsTests(KDCBaseTest): >+ tgt = self._get_tgt(creds, remove_pac=True, allow_empty_authdata=True) >+ self._user2user(tgt, creds, expected_error=KDC_ERR_TGT_REVOKED) >+ >++ def test_fast_authdata_no_pac(self): >++ creds = self._get_creds() >++ tgt = self._get_tgt(creds, remove_pac=True, allow_empty_authdata=True) >++ self._fast(tgt, creds, expected_error=KDC_ERR_TGT_REVOKED, >++ expected_sname=self.get_krbtgt_sname()) >++ >+ # Test changing the SID in the PAC to that of another account. >+ def test_tgs_sid_mismatch_existing(self): >+ creds = self._get_creds() >+@@ -646,6 +670,14 @@ class KdcTgsTests(KDCBaseTest): >+ self._user2user(tgt, creds, >+ expected_error=KDC_ERR_TGT_REVOKED) >+ >++ def test_fast_sid_mismatch_existing(self): >++ creds = self._get_creds() >++ existing_rid = self._get_existing_rid() >++ tgt = self._get_tgt(creds, new_rid=existing_rid) >++ self._fast(tgt, creds, >++ expected_error=KDC_ERR_TGT_REVOKED, >++ expected_sname=self.get_krbtgt_sname()) >++ >+ def test_requester_sid_mismatch_existing(self): >+ creds = self._get_creds() >+ existing_rid = self._get_existing_rid() >+@@ -702,6 +734,14 @@ class KdcTgsTests(KDCBaseTest): >+ self._user2user(tgt, creds, >+ expected_error=KDC_ERR_TGT_REVOKED) >+ >++ def test_fast_sid_mismatch_nonexisting(self): >++ creds = self._get_creds() >++ nonexistent_rid = self._get_non_existent_rid() >++ tgt = self._get_tgt(creds, new_rid=nonexistent_rid) >++ self._fast(tgt, creds, >++ expected_error=KDC_ERR_TGT_REVOKED, >++ expected_sname=self.get_krbtgt_sname()) >++ >+ def test_requester_sid_mismatch_nonexisting(self): >+ creds = self._get_creds() >+ nonexistent_rid = self._get_non_existent_rid() >+@@ -799,6 +839,16 @@ class KdcTgsTests(KDCBaseTest): >+ self._user2user(tgt, creds, >+ expected_error=KDC_ERR_TGT_REVOKED) >+ >++ def test_fast_rodc_sid_mismatch_existing(self): >++ creds = self._get_creds(replication_allowed=True, >++ revealed_to_rodc=True) >++ existing_rid = self._get_existing_rid(replication_allowed=True, >++ revealed_to_rodc=True) >++ tgt = self._get_tgt(creds, from_rodc=True, new_rid=existing_rid) >++ self._fast(tgt, creds, >++ expected_error=KDC_ERR_TGT_REVOKED, >++ expected_sname=self.get_krbtgt_sname()) >++ >+ def test_tgs_rodc_requester_sid_mismatch_existing(self): >+ creds = self._get_creds(replication_allowed=True, >+ revealed_to_rodc=True) >+@@ -866,6 +916,15 @@ class KdcTgsTests(KDCBaseTest): >+ self._user2user(tgt, creds, >+ expected_error=KDC_ERR_TGT_REVOKED) >+ >++ def test_fast_rodc_sid_mismatch_nonexisting(self): >++ creds = self._get_creds(replication_allowed=True, >++ revealed_to_rodc=True) >++ nonexistent_rid = self._get_non_existent_rid() >++ tgt = self._get_tgt(creds, from_rodc=True, new_rid=nonexistent_rid) >++ self._fast(tgt, creds, >++ expected_error=KDC_ERR_TGT_REVOKED, >++ expected_sname=self.get_krbtgt_sname()) >++ >+ def test_tgs_rodc_requester_sid_mismatch_nonexisting(self): >+ creds = self._get_creds(replication_allowed=True, >+ revealed_to_rodc=True) >+@@ -955,6 +1014,14 @@ class KdcTgsTests(KDCBaseTest): >+ self._remove_rodc_partial_secrets() >+ self._user2user(tgt, creds, expected_error=KDC_ERR_POLICY) >+ >++ def test_fast_rodc_no_partial_secrets(self): >++ creds = self._get_creds(replication_allowed=True, >++ revealed_to_rodc=True) >++ tgt = self._get_tgt(creds, from_rodc=True) >++ self._remove_rodc_partial_secrets() >++ self._fast(tgt, creds, expected_error=KDC_ERR_POLICY, >++ expected_sname=self.get_krbtgt_sname()) >++ >+ # Test with an RODC-issued ticket where the RODC account does not have an >+ # msDS-KrbTgtLink. >+ def test_tgs_rodc_no_krbtgt_link(self): >+@@ -992,6 +1059,14 @@ class KdcTgsTests(KDCBaseTest): >+ self._remove_rodc_krbtgt_link() >+ self._user2user(tgt, creds, expected_error=KDC_ERR_POLICY) >+ >++ def test_fast_rodc_no_krbtgt_link(self): >++ creds = self._get_creds(replication_allowed=True, >++ revealed_to_rodc=True) >++ tgt = self._get_tgt(creds, from_rodc=True) >++ self._remove_rodc_krbtgt_link() >++ self._fast(tgt, creds, expected_error=KDC_ERR_POLICY, >++ expected_sname=self.get_krbtgt_sname()) >++ >+ # Test with an RODC-issued ticket where the client is not allowed to >+ # replicate to the RODC. >+ def test_tgs_rodc_not_allowed(self): >+@@ -1019,6 +1094,12 @@ class KdcTgsTests(KDCBaseTest): >+ tgt = self._get_tgt(creds, from_rodc=True) >+ self._user2user(tgt, creds, expected_error=KDC_ERR_TGT_REVOKED) >+ >++ def test_fast_rodc_not_allowed(self): >++ creds = self._get_creds(revealed_to_rodc=True) >++ tgt = self._get_tgt(creds, from_rodc=True) >++ self._fast(tgt, creds, expected_error=KDC_ERR_TGT_REVOKED, >++ expected_sname=self.get_krbtgt_sname()) >++ >+ # Test with an RODC-issued ticket where the client is denied from >+ # replicating to the RODC. >+ def test_tgs_rodc_denied(self): >+@@ -1051,6 +1132,13 @@ class KdcTgsTests(KDCBaseTest): >+ tgt = self._get_tgt(creds, from_rodc=True) >+ self._user2user(tgt, creds, expected_error=KDC_ERR_TGT_REVOKED) >+ >++ def test_fast_rodc_denied(self): >++ creds = self._get_creds(replication_denied=True, >++ revealed_to_rodc=True) >++ tgt = self._get_tgt(creds, from_rodc=True) >++ self._fast(tgt, creds, expected_error=KDC_ERR_TGT_REVOKED, >++ expected_sname=self.get_krbtgt_sname()) >++ >+ # Test with an RODC-issued ticket where the client is both allowed and >+ # denied replicating to the RODC. >+ def test_tgs_rodc_allowed_denied(self): >+@@ -1088,6 +1176,14 @@ class KdcTgsTests(KDCBaseTest): >+ tgt = self._get_tgt(creds, from_rodc=True) >+ self._user2user(tgt, creds, expected_error=KDC_ERR_TGT_REVOKED) >+ >++ def test_fast_rodc_allowed_denied(self): >++ creds = self._get_creds(replication_allowed=True, >++ replication_denied=True, >++ revealed_to_rodc=True) >++ tgt = self._get_tgt(creds, from_rodc=True) >++ self._fast(tgt, creds, expected_error=KDC_ERR_TGT_REVOKED, >++ expected_sname=self.get_krbtgt_sname()) >++ >+ # Test user-to-user with incorrect service principal names. >+ def test_user2user_matching_sname_host(self): >+ creds = self._get_creds() >+@@ -1295,6 +1391,17 @@ class KdcTgsTests(KDCBaseTest): >+ self._user2user(service_ticket, creds, >+ expected_error=(KDC_ERR_MODIFIED, KDC_ERR_POLICY)) >+ >++ # Expected to fail against Windows, which does not produce a policy error. >++ def test_fast_service_ticket(self): >++ creds = self._get_creds() >++ tgt = self._get_tgt(creds) >++ >++ service_creds = self.get_service_creds() >++ service_ticket = self.get_service_ticket(tgt, service_creds) >++ >++ self._fast(service_ticket, creds, >++ expected_error=KDC_ERR_POLICY) >++ >+ def test_pac_attrs_none(self): >+ creds = self._get_creds() >+ self.get_tgt(creds, pac_request=None, >+@@ -1792,6 +1899,34 @@ class KdcTgsTests(KDCBaseTest): >+ pac = self.get_ticket_pac(ticket) >+ self.assertIsNotNone(pac) >+ >++ def test_fast_pac_request_none(self): >++ creds = self._get_creds() >++ tgt = self.get_tgt(creds, pac_request=None) >++ >++ ticket = self._fast(tgt, creds, expected_error=0, expect_pac=True) >++ >++ pac = self.get_ticket_pac(ticket) >++ self.assertIsNotNone(pac) >++ >++ def test_fast_pac_request_false(self): >++ creds = self._get_creds() >++ tgt = self.get_tgt(creds, pac_request=False) >++ >++ ticket = self._fast(tgt, creds, expected_error=0, >++ expect_pac=True) >++ >++ pac = self.get_ticket_pac(ticket, expect_pac=True) >++ self.assertIsNotNone(pac) >++ >++ def test_fast_pac_request_true(self): >++ creds = self._get_creds() >++ tgt = self.get_tgt(creds, pac_request=True) >++ >++ ticket = self._fast(tgt, creds, expected_error=0, expect_pac=True) >++ >++ pac = self.get_ticket_pac(ticket) >++ self.assertIsNotNone(pac) >++ >+ def test_tgs_rodc_pac_request_none(self): >+ creds = self._get_creds(replication_allowed=True, >+ revealed_to_rodc=True) >+@@ -2192,13 +2327,28 @@ class KdcTgsTests(KDCBaseTest): >+ srealm=srealm, >+ expect_pac=expect_pac) >+ >++ def _fast(self, armor_tgt, armor_tgt_creds, expected_error, >++ expected_sname=None, expect_pac=True): >++ user_creds = self._get_mach_creds() >++ user_tgt = self.get_tgt(user_creds) >++ >++ target_creds = self.get_service_creds() >++ >++ return self._tgs_req(user_tgt, expected_error, target_creds, >++ armor_tgt=armor_tgt, >++ expected_sname=expected_sname, >++ expect_pac=expect_pac) >++ >+ def _tgs_req(self, tgt, expected_error, target_creds, >++ armor_tgt=None, >+ kdc_options='0', >+ expected_cname=None, >++ expected_sname=None, >+ additional_ticket=None, >+ generate_padata_fn=None, >+ sname=None, >+ srealm=None, >++ use_fast=False, >+ expect_claims=True, >+ expect_pac=True, >+ expect_pac_attrs=None, >+@@ -2214,7 +2364,8 @@ class KdcTgsTests(KDCBaseTest): >+ >+ if sname is False: >+ sname = None >+- expected_sname = self.get_krbtgt_sname() >++ if expected_sname is None: >++ expected_sname = self.get_krbtgt_sname() >+ else: >+ if sname is None: >+ target_name = target_creds.get_username() >+@@ -2229,7 +2380,8 @@ class KdcTgsTests(KDCBaseTest): >+ name_type=NT_PRINCIPAL, >+ names=['host', target_name]) >+ >+- expected_sname = sname >++ if expected_sname is None: >++ expected_sname = sname >+ >+ if additional_ticket is not None: >+ additional_tickets = [additional_ticket.ticket] >+@@ -2241,6 +2393,28 @@ class KdcTgsTests(KDCBaseTest): >+ >+ subkey = self.RandomKey(tgt.session_key.etype) >+ >++ if armor_tgt is not None: >++ armor_subkey = self.RandomKey(subkey.etype) >++ explicit_armor_key = self.generate_armor_key(armor_subkey, >++ armor_tgt.session_key) >++ armor_key = kcrypto.cf2(explicit_armor_key.key, >++ subkey.key, >++ b'explicitarmor', >++ b'tgsarmor') >++ armor_key = Krb5EncryptionKey(armor_key, None) >++ >++ generate_fast_fn = self.generate_simple_fast >++ generate_fast_armor_fn = self.generate_ap_req >++ >++ pac_options = '1' # claims support >++ else: >++ armor_subkey = None >++ armor_key = None >++ generate_fast_fn = None >++ generate_fast_armor_fn = None >++ >++ pac_options = None >++ >+ etypes = (AES256_CTS_HMAC_SHA1_96, ARCFOUR_HMAC_MD5) >+ >+ if expected_error: >+@@ -2260,12 +2434,18 @@ class KdcTgsTests(KDCBaseTest): >+ expected_sname=expected_sname, >+ ticket_decryption_key=decryption_key, >+ generate_padata_fn=generate_padata_fn, >++ generate_fast_fn=generate_fast_fn, >++ generate_fast_armor_fn=generate_fast_armor_fn, >+ check_error_fn=check_error_fn, >+ check_rep_fn=check_rep_fn, >+ check_kdc_private_fn=self.generic_check_kdc_private, >+ expected_error_mode=expected_error, >+ expected_status=expected_status, >+ tgt=tgt, >++ armor_key=armor_key, >++ armor_tgt=armor_tgt, >++ armor_subkey=armor_subkey, >++ pac_options=pac_options, >+ authenticator_subkey=subkey, >+ kdc_options=kdc_options, >+ expect_edata=expect_edata, >+diff --git selftest/knownfail_heimdal_kdc selftest/knownfail_heimdal_kdc >+index 1b7e159c381..61de06659be 100644 >+--- selftest/knownfail_heimdal_kdc >++++ selftest/knownfail_heimdal_kdc >+@@ -274,6 +274,19 @@ >+ # >+ # KDC TGS tests >+ # >++^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_fast_authdata_no_pac >++^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_fast_no_pac >++^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_fast_req_invalid >++^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_fast_rodc_allowed_denied >++^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_fast_rodc_denied >++^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_fast_rodc_no_krbtgt_link >++^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_fast_rodc_no_partial_secrets >++^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_fast_rodc_not_allowed >++^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_fast_rodc_sid_mismatch_existing >++^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_fast_rodc_sid_mismatch_nonexisting >++^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_fast_service_ticket >++^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_fast_sid_mismatch_existing >++^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_fast_sid_mismatch_nonexisting >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_logon_info_only_sid_mismatch_existing >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_logon_info_only_sid_mismatch_nonexisting >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_remove_pac >+diff --git selftest/knownfail_mit_kdc selftest/knownfail_mit_kdc >+index 98e8a34cd5f..3e19ee6c8b9 100644 >+--- selftest/knownfail_mit_kdc >++++ selftest/knownfail_mit_kdc >+@@ -390,6 +390,23 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_ >+ # >+ # KDC TGT tests >+ # >++^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_fast_authdata_no_pac >++^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_fast_no_pac >++^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_fast_pac_request_false >++^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_fast_pac_request_none >++^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_fast_pac_request_true >++^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_fast_req >++^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_fast_req_invalid >++^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_fast_rodc_allowed_denied >++^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_fast_rodc_denied >++^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_fast_rodc_no_krbtgt_link >++^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_fast_rodc_no_partial_secrets >++^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_fast_rodc_not_allowed >++^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_fast_rodc_sid_mismatch_existing >++^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_fast_rodc_sid_mismatch_nonexisting >++^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_fast_service_ticket >++^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_fast_sid_mismatch_existing >++^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_fast_sid_mismatch_nonexisting >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_logon_info_only_sid_mismatch_existing >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_logon_info_only_sid_mismatch_nonexisting >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_renew_authdata_no_pac >+-- >+2.25.1 >+ >+ >+From 5375e2b99cd5fd9e40d6d5f94eb7d46f366f525e Mon Sep 17 00:00:00 2001 >+From: Joseph Sutton <josephsutton@catalyst.net.nz> >+Date: Wed, 24 Nov 2021 12:37:08 +1300 >+Subject: [PATCH 32/99] tests/krb5: Align PAC buffer checking to more closely >+ match Windows with PacRequestorEnforcement=2 >+ >+We set EXPECT_EXTRA_PAC_BUFFERS to 0 for the moment. This signifies that >+these checks are currently not enforced, which avoids a lot of test >+failures. >+ >+Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> >+Reviewed-by: Andrew Bartlett <abartlet@samba.org> >+(cherry picked from commit ebc9137cee94dee9dcf0e47d5bc0dc83de7aaaa1) >+ >+[jsutton@samba.org Fixed conflicts] >+--- >+ python/samba/tests/krb5/kdc_tgs_tests.py | 121 ++++++++++++++++------- >+ python/samba/tests/krb5/raw_testcase.py | 39 ++++++-- >+ selftest/knownfail_heimdal_kdc | 9 ++ >+ selftest/knownfail_mit_kdc | 6 ++ >+ source4/selftest/tests.py | 58 +++++++---- >+ 5 files changed, 168 insertions(+), 65 deletions(-) >+ >+diff --git python/samba/tests/krb5/kdc_tgs_tests.py python/samba/tests/krb5/kdc_tgs_tests.py >+index 99a91528fa8..f14439a4ab5 100755 >+--- python/samba/tests/krb5/kdc_tgs_tests.py >++++ python/samba/tests/krb5/kdc_tgs_tests.py >+@@ -497,12 +497,18 @@ class KdcTgsTests(KDCBaseTest): >+ def test_renew_req(self): >+ creds = self._get_creds() >+ tgt = self._get_tgt(creds, renewable=True) >+- self._renew_tgt(tgt, expected_error=0) >++ self._renew_tgt(tgt, expected_error=0, >++ expect_pac_attrs=True, >++ expect_pac_attrs_pac_request=True, >++ expect_requester_sid=True) >+ >+ def test_validate_req(self): >+ creds = self._get_creds() >+ tgt = self._get_tgt(creds, invalid=True) >+- self._validate_tgt(tgt, expected_error=0) >++ self._validate_tgt(tgt, expected_error=0, >++ expect_pac_attrs=True, >++ expect_pac_attrs_pac_request=True, >++ expect_requester_sid=True) >+ >+ def test_s4u2self_req(self): >+ creds = self._get_creds() >+@@ -774,13 +780,17 @@ class KdcTgsTests(KDCBaseTest): >+ creds = self._get_creds(replication_allowed=True, >+ revealed_to_rodc=True) >+ tgt = self._get_tgt(creds, renewable=True, from_rodc=True) >+- self._renew_tgt(tgt, expected_error=0) >++ self._renew_tgt(tgt, expected_error=0, >++ expect_pac_attrs=False, >++ expect_requester_sid=True) >+ >+ def test_validate_rodc_revealed(self): >+ creds = self._get_creds(replication_allowed=True, >+ revealed_to_rodc=True) >+ tgt = self._get_tgt(creds, invalid=True, from_rodc=True) >+- self._validate_tgt(tgt, expected_error=0) >++ self._validate_tgt(tgt, expected_error=0, >++ expect_pac_attrs=False, >++ expect_requester_sid=True) >+ >+ def test_s4u2self_rodc_revealed(self): >+ creds = self._get_creds(replication_allowed=True, >+@@ -1434,7 +1444,8 @@ class KdcTgsTests(KDCBaseTest): >+ self._renew_tgt(tgt, expected_error=0, >+ expect_pac=True, >+ expect_pac_attrs=True, >+- expect_pac_attrs_pac_request=None) >++ expect_pac_attrs_pac_request=None, >++ expect_requester_sid=True) >+ >+ def test_pac_attrs_renew_false(self): >+ creds = self._get_creds() >+@@ -1447,7 +1458,8 @@ class KdcTgsTests(KDCBaseTest): >+ self._renew_tgt(tgt, expected_error=0, >+ expect_pac=True, >+ expect_pac_attrs=True, >+- expect_pac_attrs_pac_request=False) >++ expect_pac_attrs_pac_request=False, >++ expect_requester_sid=True) >+ >+ def test_pac_attrs_renew_true(self): >+ creds = self._get_creds() >+@@ -1460,7 +1472,8 @@ class KdcTgsTests(KDCBaseTest): >+ self._renew_tgt(tgt, expected_error=0, >+ expect_pac=True, >+ expect_pac_attrs=True, >+- expect_pac_attrs_pac_request=True) >++ expect_pac_attrs_pac_request=True, >++ expect_requester_sid=True) >+ >+ def test_pac_attrs_rodc_renew_none(self): >+ creds = self._get_creds(replication_allowed=True, >+@@ -1473,8 +1486,8 @@ class KdcTgsTests(KDCBaseTest): >+ >+ self._renew_tgt(tgt, expected_error=0, >+ expect_pac=True, >+- expect_pac_attrs=True, >+- expect_pac_attrs_pac_request=None) >++ expect_pac_attrs=False, >++ expect_requester_sid=True) >+ >+ def test_pac_attrs_rodc_renew_false(self): >+ creds = self._get_creds(replication_allowed=True, >+@@ -1487,8 +1500,8 @@ class KdcTgsTests(KDCBaseTest): >+ >+ self._renew_tgt(tgt, expected_error=0, >+ expect_pac=True, >+- expect_pac_attrs=True, >+- expect_pac_attrs_pac_request=False) >++ expect_pac_attrs=False, >++ expect_requester_sid=True) >+ >+ def test_pac_attrs_rodc_renew_true(self): >+ creds = self._get_creds(replication_allowed=True, >+@@ -1501,8 +1514,8 @@ class KdcTgsTests(KDCBaseTest): >+ >+ self._renew_tgt(tgt, expected_error=0, >+ expect_pac=True, >+- expect_pac_attrs=True, >+- expect_pac_attrs_pac_request=True) >++ expect_pac_attrs=False, >++ expect_requester_sid=True) >+ >+ def test_pac_attrs_missing_renew_none(self): >+ creds = self._get_creds() >+@@ -1515,7 +1528,8 @@ class KdcTgsTests(KDCBaseTest): >+ >+ self._renew_tgt(tgt, expected_error=0, >+ expect_pac=True, >+- expect_pac_attrs=False) >++ expect_pac_attrs=False, >++ expect_requester_sid=True) >+ >+ def test_pac_attrs_missing_renew_false(self): >+ creds = self._get_creds() >+@@ -1528,7 +1542,8 @@ class KdcTgsTests(KDCBaseTest): >+ >+ self._renew_tgt(tgt, expected_error=0, >+ expect_pac=True, >+- expect_pac_attrs=False) >++ expect_pac_attrs=False, >++ expect_requester_sid=True) >+ >+ def test_pac_attrs_missing_renew_true(self): >+ creds = self._get_creds() >+@@ -1541,7 +1556,8 @@ class KdcTgsTests(KDCBaseTest): >+ >+ self._renew_tgt(tgt, expected_error=0, >+ expect_pac=True, >+- expect_pac_attrs=False) >++ expect_pac_attrs=False, >++ expect_requester_sid=True) >+ >+ def test_pac_attrs_missing_rodc_renew_none(self): >+ creds = self._get_creds(replication_allowed=True, >+@@ -1555,7 +1571,8 @@ class KdcTgsTests(KDCBaseTest): >+ >+ self._renew_tgt(tgt, expected_error=0, >+ expect_pac=True, >+- expect_pac_attrs=False) >++ expect_pac_attrs=False, >++ expect_requester_sid=True) >+ >+ def test_pac_attrs_missing_rodc_renew_false(self): >+ creds = self._get_creds(replication_allowed=True, >+@@ -1569,7 +1586,8 @@ class KdcTgsTests(KDCBaseTest): >+ >+ self._renew_tgt(tgt, expected_error=0, >+ expect_pac=True, >+- expect_pac_attrs=False) >++ expect_pac_attrs=False, >++ expect_requester_sid=True) >+ >+ def test_pac_attrs_missing_rodc_renew_true(self): >+ creds = self._get_creds(replication_allowed=True, >+@@ -1583,7 +1601,8 @@ class KdcTgsTests(KDCBaseTest): >+ >+ self._renew_tgt(tgt, expected_error=0, >+ expect_pac=True, >+- expect_pac_attrs=False) >++ expect_pac_attrs=False, >++ expect_requester_sid=True) >+ >+ def test_tgs_pac_attrs_none(self): >+ creds = self._get_creds() >+@@ -1593,8 +1612,7 @@ class KdcTgsTests(KDCBaseTest): >+ expect_pac_attrs_pac_request=None) >+ >+ self._run_tgs(tgt, expected_error=0, expect_pac=True, >+- expect_pac_attrs=True, >+- expect_pac_attrs_pac_request=None) >++ expect_pac_attrs=False) >+ >+ def test_tgs_pac_attrs_false(self): >+ creds = self._get_creds() >+@@ -1603,7 +1621,8 @@ class KdcTgsTests(KDCBaseTest): >+ expect_pac_attrs=True, >+ expect_pac_attrs_pac_request=False) >+ >+- self._run_tgs(tgt, expected_error=0, expect_pac=False) >++ self._run_tgs(tgt, expected_error=0, expect_pac=False, >++ expect_pac_attrs=False) >+ >+ def test_tgs_pac_attrs_true(self): >+ creds = self._get_creds() >+@@ -1613,8 +1632,7 @@ class KdcTgsTests(KDCBaseTest): >+ expect_pac_attrs_pac_request=True) >+ >+ self._run_tgs(tgt, expected_error=0, expect_pac=True, >+- expect_pac_attrs=True, >+- expect_pac_attrs_pac_request=True) >++ expect_pac_attrs=False) >+ >+ def test_as_requester_sid(self): >+ creds = self._get_creds() >+@@ -1639,8 +1657,7 @@ class KdcTgsTests(KDCBaseTest): >+ expect_requester_sid=True) >+ >+ self._run_tgs(tgt, expected_error=0, expect_pac=True, >+- expected_sid=sid, >+- expect_requester_sid=True) >++ expect_requester_sid=False) >+ >+ def test_tgs_requester_sid_renew(self): >+ creds = self._get_creds() >+@@ -1655,6 +1672,8 @@ class KdcTgsTests(KDCBaseTest): >+ tgt = self._modify_tgt(tgt, renewable=True) >+ >+ self._renew_tgt(tgt, expected_error=0, expect_pac=True, >++ expect_pac_attrs=True, >++ expect_pac_attrs_pac_request=None, >+ expected_sid=sid, >+ expect_requester_sid=True) >+ >+@@ -1672,6 +1691,7 @@ class KdcTgsTests(KDCBaseTest): >+ tgt = self._modify_tgt(tgt, from_rodc=True, renewable=True) >+ >+ self._renew_tgt(tgt, expected_error=0, expect_pac=True, >++ expect_pac_attrs=False, >+ expected_sid=sid, >+ expect_requester_sid=True) >+ >+@@ -1738,7 +1758,10 @@ class KdcTgsTests(KDCBaseTest): >+ tgt = self.get_tgt(creds, pac_request=None) >+ tgt = self._modify_tgt(tgt, renewable=True) >+ >+- tgt = self._renew_tgt(tgt, expected_error=0, expect_pac=None) >++ tgt = self._renew_tgt(tgt, expected_error=0, expect_pac=None, >++ expect_pac_attrs=True, >++ expect_pac_attrs_pac_request=None, >++ expect_requester_sid=True) >+ >+ ticket = self._run_tgs(tgt, expected_error=0, expect_pac=True) >+ >+@@ -1750,7 +1773,10 @@ class KdcTgsTests(KDCBaseTest): >+ tgt = self.get_tgt(creds, pac_request=False, expect_pac=None) >+ tgt = self._modify_tgt(tgt, renewable=True) >+ >+- tgt = self._renew_tgt(tgt, expected_error=0, expect_pac=None) >++ tgt = self._renew_tgt(tgt, expected_error=0, expect_pac=None, >++ expect_pac_attrs=True, >++ expect_pac_attrs_pac_request=False, >++ expect_requester_sid=True) >+ >+ ticket = self._run_tgs(tgt, expected_error=0, expect_pac=False) >+ >+@@ -1762,7 +1788,10 @@ class KdcTgsTests(KDCBaseTest): >+ tgt = self.get_tgt(creds, pac_request=True) >+ tgt = self._modify_tgt(tgt, renewable=True) >+ >+- tgt = self._renew_tgt(tgt, expected_error=0, expect_pac=None) >++ tgt = self._renew_tgt(tgt, expected_error=0, expect_pac=None, >++ expect_pac_attrs=True, >++ expect_pac_attrs_pac_request=True, >++ expect_requester_sid=True) >+ >+ ticket = self._run_tgs(tgt, expected_error=0, expect_pac=True) >+ >+@@ -1774,7 +1803,10 @@ class KdcTgsTests(KDCBaseTest): >+ tgt = self.get_tgt(creds, pac_request=None) >+ tgt = self._modify_tgt(tgt, invalid=True) >+ >+- tgt = self._validate_tgt(tgt, expected_error=0, expect_pac=None) >++ tgt = self._validate_tgt(tgt, expected_error=0, expect_pac=None, >++ expect_pac_attrs=True, >++ expect_pac_attrs_pac_request=None, >++ expect_requester_sid=True) >+ >+ ticket = self._run_tgs(tgt, expected_error=0, expect_pac=True) >+ >+@@ -1786,7 +1818,10 @@ class KdcTgsTests(KDCBaseTest): >+ tgt = self.get_tgt(creds, pac_request=False, expect_pac=None) >+ tgt = self._modify_tgt(tgt, invalid=True) >+ >+- tgt = self._validate_tgt(tgt, expected_error=0, expect_pac=None) >++ tgt = self._validate_tgt(tgt, expected_error=0, expect_pac=None, >++ expect_pac_attrs=True, >++ expect_pac_attrs_pac_request=False, >++ expect_requester_sid=True) >+ >+ ticket = self._run_tgs(tgt, expected_error=0, expect_pac=False) >+ >+@@ -1798,7 +1833,10 @@ class KdcTgsTests(KDCBaseTest): >+ tgt = self.get_tgt(creds, pac_request=True) >+ tgt = self._modify_tgt(tgt, invalid=True) >+ >+- tgt = self._validate_tgt(tgt, expected_error=0, expect_pac=None) >++ tgt = self._validate_tgt(tgt, expected_error=0, expect_pac=None, >++ expect_pac_attrs=True, >++ expect_pac_attrs_pac_request=True, >++ expect_requester_sid=True) >+ >+ ticket = self._run_tgs(tgt, expected_error=0, expect_pac=True) >+ >+@@ -1946,7 +1984,7 @@ class KdcTgsTests(KDCBaseTest): >+ >+ ticket = self._run_tgs(tgt, expected_error=0, expect_pac=True) >+ >+- pac = self.get_ticket_pac(ticket, expect_pac=False) >++ pac = self.get_ticket_pac(ticket) >+ self.assertIsNotNone(pac) >+ >+ def test_tgs_rodc_pac_request_true(self): >+@@ -2279,12 +2317,21 @@ class KdcTgsTests(KDCBaseTest): >+ expect_requester_sid=expect_requester_sid, >+ expected_sid=expected_sid) >+ >+- def _validate_tgt(self, tgt, expected_error, expect_pac=True): >++ def _validate_tgt(self, tgt, expected_error, expect_pac=True, >++ expect_pac_attrs=None, >++ expect_pac_attrs_pac_request=None, >++ expect_requester_sid=None, >++ expected_sid=None): >+ krbtgt_creds = self.get_krbtgt_creds() >+ kdc_options = str(krb5_asn1.KDCOptions('validate')) >+- return self._tgs_req(tgt, expected_error, krbtgt_creds, >+- kdc_options=kdc_options, >+- expect_pac=expect_pac) >++ return self._tgs_req( >++ tgt, expected_error, krbtgt_creds, >++ kdc_options=kdc_options, >++ expect_pac=expect_pac, >++ expect_pac_attrs=expect_pac_attrs, >++ expect_pac_attrs_pac_request=expect_pac_attrs_pac_request, >++ expect_requester_sid=expect_requester_sid, >++ expected_sid=expected_sid) >+ >+ def _s4u2self(self, tgt, tgt_creds, expected_error, expect_pac=True, >+ expect_edata=False, expected_status=None): >+diff --git python/samba/tests/krb5/raw_testcase.py python/samba/tests/krb5/raw_testcase.py >+index da3f69c79c6..14e655313fc 100644 >+--- python/samba/tests/krb5/raw_testcase.py >++++ python/samba/tests/krb5/raw_testcase.py >+@@ -602,6 +602,13 @@ class RawKerberosTest(TestCaseInTempDir): >+ expect_pac = '1' >+ cls.expect_pac = bool(int(expect_pac)) >+ >++ expect_extra_pac_buffers = samba.tests.env_get_var_value( >++ 'EXPECT_EXTRA_PAC_BUFFERS', >++ allow_missing=True) >++ if expect_extra_pac_buffers is None: >++ expect_extra_pac_buffers = '1' >++ cls.expect_extra_pac_buffers = bool(int(expect_extra_pac_buffers)) >++ >+ def setUp(self): >+ super().setUp() >+ self.do_asn1_print = False >+@@ -2624,17 +2631,34 @@ class RawKerberosTest(TestCaseInTempDir): >+ if not self.tkt_sig_support: >+ require_strict.add(krb5pac.PAC_TYPE_TICKET_CHECKSUM) >+ >++ expect_extra_pac_buffers = rep_msg_type == KRB_AS_REP >++ >+ expect_pac_attrs = kdc_exchange_dict['expect_pac_attrs'] >++ >++ if expect_pac_attrs: >++ expect_pac_attrs_pac_request = kdc_exchange_dict[ >++ 'expect_pac_attrs_pac_request'] >++ else: >++ expect_pac_attrs_pac_request = kdc_exchange_dict[ >++ 'pac_request'] >++ >++ if expect_pac_attrs is None: >++ if self.expect_extra_pac_buffers: >++ expect_pac_attrs = expect_extra_pac_buffers >++ else: >++ require_strict.add(krb5pac.PAC_TYPE_ATTRIBUTES_INFO) >+ if expect_pac_attrs: >+ expected_types.append(krb5pac.PAC_TYPE_ATTRIBUTES_INFO) >+- elif expect_pac_attrs is None: >+- require_strict.add(krb5pac.PAC_TYPE_ATTRIBUTES_INFO) >+ >+ expect_requester_sid = kdc_exchange_dict['expect_requester_sid'] >++ >++ if expect_requester_sid is None: >++ if self.expect_extra_pac_buffers: >++ expect_requester_sid = expect_extra_pac_buffers >++ else: >++ require_strict.add(krb5pac.PAC_TYPE_REQUESTER_SID) >+ if expect_requester_sid: >+ expected_types.append(krb5pac.PAC_TYPE_REQUESTER_SID) >+- elif expect_requester_sid is None: >+- require_strict.add(krb5pac.PAC_TYPE_REQUESTER_SID) >+ >+ buffer_types = [pac_buffer.type >+ for pac_buffer in pac.buffers] >+@@ -2722,9 +2746,6 @@ class RawKerberosTest(TestCaseInTempDir): >+ requested_pac = bool(flags & 1) >+ given_pac = bool(flags & 2) >+ >+- expect_pac_attrs_pac_request = kdc_exchange_dict[ >+- 'expect_pac_attrs_pac_request'] >+- >+ self.assertEqual(expect_pac_attrs_pac_request is True, >+ requested_pac) >+ self.assertEqual(expect_pac_attrs_pac_request is None, >+@@ -2734,8 +2755,8 @@ class RawKerberosTest(TestCaseInTempDir): >+ and expect_requester_sid): >+ requester_sid = pac_buffer.info.sid >+ >+- self.assertIsNotNone(expected_sid) >+- self.assertEqual(expected_sid, str(requester_sid)) >++ if expected_sid is not None: >++ self.assertEqual(expected_sid, str(requester_sid)) >+ >+ def generic_check_kdc_error(self, >+ kdc_exchange_dict, >+diff --git selftest/knownfail_heimdal_kdc selftest/knownfail_heimdal_kdc >+index 61de06659be..294e06027b1 100644 >+--- selftest/knownfail_heimdal_kdc >++++ selftest/knownfail_heimdal_kdc >+@@ -289,11 +289,15 @@ >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_fast_sid_mismatch_nonexisting >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_logon_info_only_sid_mismatch_existing >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_logon_info_only_sid_mismatch_nonexisting >++^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_pac_attrs_rodc_renew_false >++^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_pac_attrs_rodc_renew_none >++^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_pac_attrs_rodc_renew_true >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_remove_pac >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_remove_pac_client_no_auth_data_required >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_remove_pac_service_no_auth_data_required >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_renew_authdata_no_pac >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_renew_no_pac >++^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_renew_rodc_revealed >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_renew_rodc_sid_mismatch_existing >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_renew_rodc_sid_mismatch_nonexisting >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_renew_sid_mismatch_existing >+@@ -309,10 +313,14 @@ >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_s4u2self_sid_mismatch_nonexisting >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_authdata_no_pac >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_no_pac >++^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_pac_attrs_none >++^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_pac_attrs_true >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_req_from_rodc_no_requester_sid >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_req_no_requester_sid >++^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_requester_sid(?!_) >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_requester_sid_missing_renew >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_requester_sid_missing_rodc_renew >++^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_requester_sid_rodc_renew >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_rodc_logon_info_only_sid_mismatch_existing >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_rodc_logon_info_only_sid_mismatch_nonexisting >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_rodc_pac_request_false >+@@ -332,6 +340,7 @@ >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_wrong_sname_krbtgt >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_validate_authdata_no_pac >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_validate_no_pac >++^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_validate_rodc_revealed >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_validate_rodc_sid_mismatch_existing >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_validate_rodc_sid_mismatch_nonexisting >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_validate_sid_mismatch_existing >+diff --git selftest/knownfail_mit_kdc selftest/knownfail_mit_kdc >+index 3e19ee6c8b9..6c74657e87d 100644 >+--- selftest/knownfail_mit_kdc >++++ selftest/knownfail_mit_kdc >+@@ -411,6 +411,9 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_ >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_logon_info_only_sid_mismatch_nonexisting >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_renew_authdata_no_pac >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_renew_no_pac >++^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_renew_pac_request_none >++^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_renew_pac_request_true >++^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_renew_req >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_renew_rodc_allowed_denied >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_renew_rodc_denied >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_renew_rodc_no_krbtgt_link >+@@ -479,6 +482,9 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_ >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_wrong_srealm >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_validate_authdata_no_pac >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_validate_no_pac >++^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_validate_pac_request_none >++^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_validate_pac_request_true >++^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_validate_req >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_validate_rodc_allowed_denied >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_validate_rodc_denied >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_validate_rodc_no_krbtgt_link >+ >+From 3fdfbd08b9460fb486f100d7091984f41ebd9429 Mon Sep 17 00:00:00 2001 >+From: Joseph Sutton <josephsutton@catalyst.net.nz> >+Date: Wed, 24 Nov 2021 13:10:52 +1300 >+Subject: [PATCH 33/99] tests/krb5: Add tests for validation with requester SID >+ PAC buffer >+ >+Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> >+Reviewed-by: Andrew Bartlett <abartlet@samba.org> >+(cherry picked from commit ca80c47406e0f2b6fac2c55229306e21ccef9745) >+--- >+ python/samba/tests/krb5/kdc_tgs_tests.py | 67 ++++++++++++++++++++++++ >+ selftest/knownfail_heimdal_kdc | 3 ++ >+ selftest/knownfail_mit_kdc | 4 ++ >+ 3 files changed, 74 insertions(+) >+ >+diff --git python/samba/tests/krb5/kdc_tgs_tests.py python/samba/tests/krb5/kdc_tgs_tests.py >+index f14439a4ab5..50079a1710c 100755 >+--- python/samba/tests/krb5/kdc_tgs_tests.py >++++ python/samba/tests/krb5/kdc_tgs_tests.py >+@@ -1726,6 +1726,73 @@ class KdcTgsTests(KDCBaseTest): >+ >+ self._renew_tgt(tgt, expected_error=KDC_ERR_TGT_REVOKED) >+ >++ def test_tgs_requester_sid_validate(self): >++ creds = self._get_creds() >++ >++ samdb = self.get_samdb() >++ sid = self.get_objectSid(samdb, creds.get_dn()) >++ >++ tgt = self.get_tgt(creds, pac_request=None, >++ expect_pac=True, >++ expected_sid=sid, >++ expect_requester_sid=True) >++ tgt = self._modify_tgt(tgt, invalid=True) >++ >++ self._validate_tgt(tgt, expected_error=0, expect_pac=True, >++ expect_pac_attrs=True, >++ expect_pac_attrs_pac_request=None, >++ expected_sid=sid, >++ expect_requester_sid=True) >++ >++ def test_tgs_requester_sid_rodc_validate(self): >++ creds = self._get_creds(replication_allowed=True, >++ revealed_to_rodc=True) >++ >++ samdb = self.get_samdb() >++ sid = self.get_objectSid(samdb, creds.get_dn()) >++ >++ tgt = self.get_tgt(creds, pac_request=None, >++ expect_pac=True, >++ expected_sid=sid, >++ expect_requester_sid=True) >++ tgt = self._modify_tgt(tgt, from_rodc=True, invalid=True) >++ >++ self._validate_tgt(tgt, expected_error=0, expect_pac=True, >++ expect_pac_attrs=False, >++ expected_sid=sid, >++ expect_requester_sid=True) >++ >++ def test_tgs_requester_sid_missing_validate(self): >++ creds = self._get_creds() >++ >++ samdb = self.get_samdb() >++ sid = self.get_objectSid(samdb, creds.get_dn()) >++ >++ tgt = self.get_tgt(creds, pac_request=None, >++ expect_pac=True, >++ expected_sid=sid, >++ expect_requester_sid=True) >++ tgt = self._modify_tgt(tgt, invalid=True, >++ remove_requester_sid=True) >++ >++ self._validate_tgt(tgt, expected_error=KDC_ERR_TGT_REVOKED) >++ >++ def test_tgs_requester_sid_missing_rodc_validate(self): >++ creds = self._get_creds(replication_allowed=True, >++ revealed_to_rodc=True) >++ >++ samdb = self.get_samdb() >++ sid = self.get_objectSid(samdb, creds.get_dn()) >++ >++ tgt = self.get_tgt(creds, pac_request=None, >++ expect_pac=True, >++ expected_sid=sid, >++ expect_requester_sid=True) >++ tgt = self._modify_tgt(tgt, from_rodc=True, invalid=True, >++ remove_requester_sid=True) >++ >++ self._validate_tgt(tgt, expected_error=KDC_ERR_TGT_REVOKED) >++ >+ def test_tgs_pac_request_none(self): >+ creds = self._get_creds() >+ tgt = self.get_tgt(creds, pac_request=None) >+diff --git selftest/knownfail_heimdal_kdc selftest/knownfail_heimdal_kdc >+index 294e06027b1..f7c5feda872 100644 >+--- selftest/knownfail_heimdal_kdc >++++ selftest/knownfail_heimdal_kdc >+@@ -320,7 +320,10 @@ >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_requester_sid(?!_) >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_requester_sid_missing_renew >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_requester_sid_missing_rodc_renew >++^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_requester_sid_missing_rodc_validate >++^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_requester_sid_missing_validate >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_requester_sid_rodc_renew >++^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_requester_sid_rodc_validate >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_rodc_logon_info_only_sid_mismatch_existing >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_rodc_logon_info_only_sid_mismatch_nonexisting >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_rodc_pac_request_false >+diff --git selftest/knownfail_mit_kdc selftest/knownfail_mit_kdc >+index 6c74657e87d..ff287e6cd9d 100644 >+--- selftest/knownfail_mit_kdc >++++ selftest/knownfail_mit_kdc >+@@ -546,8 +546,12 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_ >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_requester_sid >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_requester_sid_missing_renew >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_requester_sid_missing_rodc_renew >++^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_requester_sid_missing_rodc_validate >++^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_requester_sid_missing_validate >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_requester_sid_renew >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_requester_sid_rodc_renew >++^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_requester_sid_rodc_validate >++^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_requester_sid_validate >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_rodc_logon_info_only_sid_mismatch_existing >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_rodc_logon_info_only_sid_mismatch_nonexisting >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_rodc_logon_info_sid_mismatch_existing >+-- >+2.25.1 >+ >+ >+From 69233dd323b1ce715387e6015542ed234d909295 Mon Sep 17 00:00:00 2001 >+From: Joseph Sutton <josephsutton@catalyst.net.nz> >+Date: Wed, 24 Nov 2021 15:32:32 +1300 >+Subject: [PATCH 34/99] tests/krb5: Add comments for tests that fail against >+ Windows >+ >+Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> >+Reviewed-by: Andrew Bartlett <abartlet@samba.org> >+(cherry picked from commit 749349efab9b401d33a4fc286473a924364a41c9) >+--- >+ python/samba/tests/krb5/kdc_tgs_tests.py | 6 ++++++ >+ 1 file changed, 6 insertions(+) >+ >+diff --git python/samba/tests/krb5/kdc_tgs_tests.py python/samba/tests/krb5/kdc_tgs_tests.py >+index 50079a1710c..ecc38538e61 100755 >+--- python/samba/tests/krb5/kdc_tgs_tests.py >++++ python/samba/tests/krb5/kdc_tgs_tests.py >+@@ -792,6 +792,8 @@ class KdcTgsTests(KDCBaseTest): >+ expect_pac_attrs=False, >+ expect_requester_sid=True) >+ >++ # This test fails on Windows, which gives KDC_ERR_C_PRINCIPAL_UNKNOWN when >++ # attempting to use S4U2Self with a TGT from an RODC. >+ def test_s4u2self_rodc_revealed(self): >+ creds = self._get_creds(replication_allowed=True, >+ revealed_to_rodc=True) >+@@ -2370,6 +2372,8 @@ class KdcTgsTests(KDCBaseTest): >+ expect_requester_sid=expect_requester_sid, >+ expected_sid=expected_sid) >+ >++ # These tests fail against Windows, which does not implement ticket >++ # renewal. >+ def _renew_tgt(self, tgt, expected_error, expect_pac=True, >+ expect_pac_attrs=None, expect_pac_attrs_pac_request=None, >+ expect_requester_sid=None, expected_sid=None): >+@@ -2384,6 +2388,8 @@ class KdcTgsTests(KDCBaseTest): >+ expect_requester_sid=expect_requester_sid, >+ expected_sid=expected_sid) >+ >++ # These tests fail against Windows, which does not implement ticket >++ # validation. >+ def _validate_tgt(self, tgt, expected_error, expect_pac=True, >+ expect_pac_attrs=None, >+ expect_pac_attrs_pac_request=None, >+-- >+2.25.1 >+ >+ >+From 6dbed53756f6bac8f63847644b3e9cbb7b6181b0 Mon Sep 17 00:00:00 2001 >+From: Joseph Sutton <josephsutton@catalyst.net.nz> >+Date: Thu, 18 Nov 2021 13:14:51 +1300 >+Subject: [PATCH 35/99] heimdal:kdc: Fix error message for user-to-user >+ >+We were checking the wrong variable to see whether a PAC was found or not. >+ >+Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> >+Reviewed-by: Andrew Bartlett <abartlet@samba.org> >+(cherry picked from commit 11fb9476ad3c09415d12b3cdf7934c293cbefcb2) >+--- >+ source4/heimdal/kdc/krb5tgs.c | 2 +- >+ 1 file changed, 1 insertion(+), 1 deletion(-) >+ >+diff --git source4/heimdal/kdc/krb5tgs.c source4/heimdal/kdc/krb5tgs.c >+index fb2ef8230c9..cde68b41714 100644 >+--- source4/heimdal/kdc/krb5tgs.c >++++ source4/heimdal/kdc/krb5tgs.c >+@@ -1629,7 +1629,7 @@ server_lookup: >+ ret = KRB5KDC_ERR_BADOPTION; >+ kdc_log(context, config, 0, >+ "Ticket not signed with PAC; user-to-user failed (%s).", >+- mspac ? "Ticket unsigned" : "No PAC"); >++ user2user_pac ? "Ticket unsigned" : "No PAC"); >+ goto out; >+ } >+ >+-- >+2.25.1 >+ >+ >+From 33d5e5ad3a06ca6a1a62e64d323580ca60f068b8 Mon Sep 17 00:00:00 2001 >+From: Joseph Sutton <josephsutton@catalyst.net.nz> >+Date: Thu, 18 Nov 2021 16:22:34 +1300 >+Subject: [PATCH 36/99] s4:torture: Fix typo >+ >+Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> >+Reviewed-by: Andrew Bartlett <abartlet@samba.org> >+(cherry picked from commit 9cfb88ba04818b5e9cec3c96422e8e4a3080d490) >+--- >+ source4/torture/krb5/kdc-canon-heimdal.c | 2 +- >+ 1 file changed, 1 insertion(+), 1 deletion(-) >+ >+diff --git source4/torture/krb5/kdc-canon-heimdal.c source4/torture/krb5/kdc-canon-heimdal.c >+index cd47182c0ef..059078a4ffb 100644 >+--- source4/torture/krb5/kdc-canon-heimdal.c >++++ source4/torture/krb5/kdc-canon-heimdal.c >+@@ -262,7 +262,7 @@ static bool torture_krb5_pre_send_as_req_test(struct torture_krb5_context *test_ >+ KRB5_NT_PRINCIPAL, >+ "krb5 libs unexpectedly " >+ "did not set principal " >+- "as NT_SRV_HST!"); >++ "as NT_PRINCIPAL!"); >+ } else { >+ torture_assert_int_equal(test_context->tctx, >+ test_context->as_req.req_body.cname->name_type, >+-- >+2.25.1 >+ >+ >+From 02ceb9be33dca0e3a885fd7d85b1199f76e04670 Mon Sep 17 00:00:00 2001 >+From: Joseph Sutton <josephsutton@catalyst.net.nz> >+Date: Wed, 24 Nov 2021 20:41:34 +1300 >+Subject: [PATCH 37/99] heimdal:kdc: Adjust no-PAC error code to match Windows >+ >+Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> >+Reviewed-by: Andrew Bartlett <abartlet@samba.org> >+(cherry picked from commit f7a2fef8f49a86f63c3dc2f6a2d7d979fb53238a) >+--- >+ selftest/knownfail_heimdal_kdc | 19 ------------------- >+ source4/heimdal/kdc/krb5tgs.c | 2 +- >+ 2 files changed, 1 insertion(+), 20 deletions(-) >+ >+diff --git selftest/knownfail_heimdal_kdc selftest/knownfail_heimdal_kdc >+index f7c5feda872..9ff85fe18fc 100644 >+--- selftest/knownfail_heimdal_kdc >++++ selftest/knownfail_heimdal_kdc >+@@ -233,21 +233,15 @@ >+ # S4U tests >+ # >+ ^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_bronze_bit_rbcd_old_checksum >+-^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_constrained_delegation_no_client_pac(?!_no_auth_data_required) >+-^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_constrained_delegation_no_service_pac\(.*\)$ >+-^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_constrained_delegation_no_service_pac_no_auth_data_required >+ ^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_rbcd_existing_delegation_info >+ ^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_rbcd_missing_client_checksum >+ ^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_rbcd_no_client_pac_a >+ ^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_rbcd_no_client_pac_b >+-^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_rbcd_no_service_pac >+-^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_rbcd_no_service_pac_no_auth_data_required >+ ^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_rbcd_unkeyed_client_checksum >+ ^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_rbcd_unkeyed_service_checksum >+ ^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_rbcd_zeroed_client_checksum >+ ^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_rbcd_zeroed_service_checksum >+ ^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_s4u2self_forwardable >+-^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_s4u2self_no_pac >+ ^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_s4u2self_not_trusted_empty_allowed >+ # >+ ^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_constrained_delegation_no_auth_data_required >+@@ -292,11 +286,6 @@ >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_pac_attrs_rodc_renew_false >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_pac_attrs_rodc_renew_none >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_pac_attrs_rodc_renew_true >+-^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_remove_pac >+-^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_remove_pac_client_no_auth_data_required >+-^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_remove_pac_service_no_auth_data_required >+-^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_renew_authdata_no_pac >+-^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_renew_no_pac >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_renew_rodc_revealed >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_renew_rodc_sid_mismatch_existing >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_renew_rodc_sid_mismatch_nonexisting >+@@ -304,15 +293,11 @@ >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_renew_sid_mismatch_nonexisting >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_requester_sid_mismatch_existing >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_requester_sid_mismatch_nonexisting >+-^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_s4u2self_authdata_no_pac >+-^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_s4u2self_no_pac >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_s4u2self_pac_request_false >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_s4u2self_rodc_sid_mismatch_existing >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_s4u2self_rodc_sid_mismatch_nonexisting >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_s4u2self_sid_mismatch_existing >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_s4u2self_sid_mismatch_nonexisting >+-^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_authdata_no_pac >+-^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_no_pac >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_pac_attrs_none >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_pac_attrs_true >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_req_from_rodc_no_requester_sid >+@@ -333,16 +318,12 @@ >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_rodc_sid_mismatch_nonexisting >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_sid_mismatch_existing >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_sid_mismatch_nonexisting >+-^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_authdata_no_pac >+-^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_no_pac >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_rodc_sid_mismatch_existing >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_rodc_sid_mismatch_nonexisting >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_sid_mismatch_existing >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_sid_mismatch_nonexisting >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_wrong_sname >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_wrong_sname_krbtgt >+-^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_validate_authdata_no_pac >+-^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_validate_no_pac >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_validate_rodc_revealed >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_validate_rodc_sid_mismatch_existing >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_validate_rodc_sid_mismatch_nonexisting >+diff --git source4/heimdal/kdc/krb5tgs.c source4/heimdal/kdc/krb5tgs.c >+index cde68b41714..6c5c51aa448 100644 >+--- source4/heimdal/kdc/krb5tgs.c >++++ source4/heimdal/kdc/krb5tgs.c >+@@ -78,7 +78,7 @@ check_PAC(krb5_context context, >+ return ret; >+ >+ if (pac == NULL) >+- return KRB5KDC_ERR_BADOPTION; >++ return KRB5KDC_ERR_TGT_REVOKED; >+ >+ /* Verify the server signature. */ >+ ret = krb5_pac_verify(context, pac, tkt->authtime, client_principal, >+-- >+2.25.1 >+ >+ >+From 5556f97c782c9be9af47c76f2432bb8480bc0622 Mon Sep 17 00:00:00 2001 >+From: Joseph Sutton <josephsutton@catalyst.net.nz> >+Date: Wed, 24 Nov 2021 20:41:45 +1300 >+Subject: [PATCH 38/99] kdc: Adjust SID mismatch error code to match Windows >+ >+Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> >+Reviewed-by: Andrew Bartlett <abartlet@samba.org> >+(cherry picked from commit d5d22bf84a71492342287e54b555c9f024e7e71c) >+--- >+ selftest/knownfail_heimdal_kdc | 35 ---------------------------------- >+ selftest/knownfail_mit_kdc | 8 -------- >+ source4/kdc/pac-glue.c | 6 +----- >+ 3 files changed, 1 insertion(+), 48 deletions(-) >+ >+diff --git selftest/knownfail_heimdal_kdc selftest/knownfail_heimdal_kdc >+index 9ff85fe18fc..bc644587319 100644 >+--- selftest/knownfail_heimdal_kdc >++++ selftest/knownfail_heimdal_kdc >+@@ -259,13 +259,6 @@ >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_rodc_not_revealed >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_validate_rodc_not_revealed >+ # >+-# Alias tests >+-# >+-^samba.tests.krb5.alias_tests.samba.tests.krb5.alias_tests.AliasTests.test_create_alias_delete >+-^samba.tests.krb5.alias_tests.samba.tests.krb5.alias_tests.AliasTests.test_create_alias_rename >+-^samba.tests.krb5.alias_tests.samba.tests.krb5.alias_tests.AliasTests.test_dc_alias_delete >+-^samba.tests.krb5.alias_tests.samba.tests.krb5.alias_tests.AliasTests.test_dc_alias_rename >+-# >+ # KDC TGS tests >+ # >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_fast_authdata_no_pac >+@@ -281,23 +274,11 @@ >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_fast_service_ticket >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_fast_sid_mismatch_existing >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_fast_sid_mismatch_nonexisting >+-^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_logon_info_only_sid_mismatch_existing >+-^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_logon_info_only_sid_mismatch_nonexisting >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_pac_attrs_rodc_renew_false >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_pac_attrs_rodc_renew_none >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_pac_attrs_rodc_renew_true >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_renew_rodc_revealed >+-^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_renew_rodc_sid_mismatch_existing >+-^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_renew_rodc_sid_mismatch_nonexisting >+-^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_renew_sid_mismatch_existing >+-^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_renew_sid_mismatch_nonexisting >+-^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_requester_sid_mismatch_existing >+-^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_requester_sid_mismatch_nonexisting >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_s4u2self_pac_request_false >+-^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_s4u2self_rodc_sid_mismatch_existing >+-^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_s4u2self_rodc_sid_mismatch_nonexisting >+-^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_s4u2self_sid_mismatch_existing >+-^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_s4u2self_sid_mismatch_nonexisting >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_pac_attrs_none >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_pac_attrs_true >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_req_from_rodc_no_requester_sid >+@@ -309,23 +290,7 @@ >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_requester_sid_missing_validate >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_requester_sid_rodc_renew >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_requester_sid_rodc_validate >+-^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_rodc_logon_info_only_sid_mismatch_existing >+-^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_rodc_logon_info_only_sid_mismatch_nonexisting >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_rodc_pac_request_false >+-^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_rodc_requester_sid_mismatch_existing >+-^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_rodc_requester_sid_mismatch_nonexisting >+-^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_rodc_sid_mismatch_existing >+-^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_rodc_sid_mismatch_nonexisting >+-^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_sid_mismatch_existing >+-^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_sid_mismatch_nonexisting >+-^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_rodc_sid_mismatch_existing >+-^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_rodc_sid_mismatch_nonexisting >+-^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_sid_mismatch_existing >+-^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_sid_mismatch_nonexisting >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_wrong_sname >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_wrong_sname_krbtgt >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_validate_rodc_revealed >+-^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_validate_rodc_sid_mismatch_existing >+-^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_validate_rodc_sid_mismatch_nonexisting >+-^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_validate_sid_mismatch_existing >+-^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_validate_sid_mismatch_nonexisting >+diff --git selftest/knownfail_mit_kdc selftest/knownfail_mit_kdc >+index ff287e6cd9d..c6dc1285837 100644 >+--- selftest/knownfail_mit_kdc >++++ selftest/knownfail_mit_kdc >+@@ -407,8 +407,6 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_ >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_fast_service_ticket >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_fast_sid_mismatch_existing >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_fast_sid_mismatch_nonexisting >+-^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_logon_info_only_sid_mismatch_existing >+-^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_logon_info_only_sid_mismatch_nonexisting >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_renew_authdata_no_pac >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_renew_no_pac >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_renew_pac_request_none >+@@ -424,8 +422,6 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_ >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_renew_rodc_sid_mismatch_existing >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_renew_rodc_sid_mismatch_nonexisting >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_renew_service_ticket >+-^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_renew_sid_mismatch_existing >+-^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_renew_sid_mismatch_nonexisting >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_s4u2self_authdata_no_pac >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_s4u2self_no_pac >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_s4u2self_req >+@@ -454,8 +450,6 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_ >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_rodc_revealed >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_rodc_sid_mismatch_existing >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_rodc_sid_mismatch_nonexisting >+-^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_sid_mismatch_existing >+-^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_sid_mismatch_nonexisting >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_authdata_no_pac >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_no_pac >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_no_sname >+@@ -495,8 +489,6 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_ >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_validate_rodc_sid_mismatch_existing >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_validate_rodc_sid_mismatch_nonexisting >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_validate_service_ticket >+-^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_validate_sid_mismatch_existing >+-^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_validate_sid_mismatch_nonexisting >+ # >+ # PAC attributes tests >+ # >+diff --git source4/kdc/pac-glue.c source4/kdc/pac-glue.c >+index e0e483662c0..2a96a683cd9 100644 >+--- source4/kdc/pac-glue.c >++++ source4/kdc/pac-glue.c >+@@ -1237,11 +1237,7 @@ krb5_error_code samba_kdc_validate_pac_blob( >+ "PAC[%s] != CLI[%s]\n", >+ dom_sid_str_buf(&pac_sid, &buf1), >+ dom_sid_str_buf(client_sid, &buf2)); >+-#if defined(KRB5KDC_ERR_CLIENT_NAME_MISMATCH) /* MIT */ >+- code = KRB5KDC_ERR_CLIENT_NAME_MISMATCH; >+-#else /* Heimdal (where this is an enum) */ >+- code = KRB5_KDC_ERR_CLIENT_NAME_MISMATCH; >+-#endif >++ code = KRB5KDC_ERR_TGT_REVOKED; >+ goto out; >+ } >+ >+-- >+2.25.1 >+ >+ >+From c62a2b7a218e2c4bdbd476a055049e78b8c0f4ce Mon Sep 17 00:00:00 2001 >+From: Joseph Sutton <josephsutton@catalyst.net.nz> >+Date: Thu, 25 Nov 2021 10:05:17 +1300 >+Subject: [PATCH 39/99] tests/krb5: Add test for S4U2Self with wrong sname >+ >+Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> >+Reviewed-by: Andrew Bartlett <abartlet@samba.org> >+(cherry picked from commit bac5f75059450898937be891e863826e1350b62c) >+--- >+ python/samba/tests/krb5/s4u_tests.py | 32 +++++++++++++++++++++++++++- >+ selftest/knownfail_heimdal_kdc | 1 + >+ 2 files changed, 32 insertions(+), 1 deletion(-) >+ >+diff --git python/samba/tests/krb5/s4u_tests.py python/samba/tests/krb5/s4u_tests.py >+index 5f37525f393..2953766ef21 100755 >+--- python/samba/tests/krb5/s4u_tests.py >++++ python/samba/tests/krb5/s4u_tests.py >+@@ -36,6 +36,7 @@ from samba.tests.krb5.raw_testcase import ( >+ from samba.tests.krb5.rfc4120_constants import ( >+ AES256_CTS_HMAC_SHA1_96, >+ ARCFOUR_HMAC_MD5, >++ KDC_ERR_BADMATCH, >+ KDC_ERR_BADOPTION, >+ KDC_ERR_BAD_INTEGRITY, >+ KDC_ERR_GENERIC, >+@@ -243,7 +244,9 @@ class S4UKerberosTests(KDCBaseTest): >+ client_dn = client_creds.get_dn() >+ sid = self.get_objectSid(samdb, client_dn) >+ >+- service_name = service_creds.get_username()[:-1] >++ service_name = kdc_dict.pop('service_name', None) >++ if service_name is None: >++ service_name = service_creds.get_username()[:-1] >+ service_sname = self.PrincipalName_create(name_type=NT_PRINCIPAL, >+ names=['host', service_name]) >+ >+@@ -474,6 +477,33 @@ class S4UKerberosTests(KDCBaseTest): >+ 'expected_flags': 'forwardable' >+ }) >+ >++ # Do an S4U2Self with the sname in the request different to that of the >++ # service. We expect an error. >++ def test_s4u2self_wrong_sname(self): >++ other_creds = self.get_cached_creds( >++ account_type=self.AccountType.COMPUTER, >++ opts={ >++ 'trusted_to_auth_for_delegation': True, >++ 'id': 0 >++ }) >++ other_sname = other_creds.get_username()[:-1] >++ >++ self._run_s4u2self_test( >++ { >++ 'expected_error_mode': KDC_ERR_BADMATCH, >++ 'expect_edata': False, >++ 'client_opts': { >++ 'not_delegated': False >++ }, >++ 'service_opts': { >++ 'trusted_to_auth_for_delegation': True >++ }, >++ 'service_name': other_sname, >++ 'kdc_options': 'forwardable', >++ 'modify_service_tgt_fn': functools.partial( >++ self.set_ticket_forwardable, flag=True) >++ }) >++ >+ def _run_delegation_test(self, kdc_dict): >+ client_opts = kdc_dict.pop('client_opts', None) >+ client_creds = self.get_cached_creds( >+diff --git selftest/knownfail_heimdal_kdc selftest/knownfail_heimdal_kdc >+index bc644587319..483145f1473 100644 >+--- selftest/knownfail_heimdal_kdc >++++ selftest/knownfail_heimdal_kdc >+@@ -243,6 +243,7 @@ >+ ^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_rbcd_zeroed_service_checksum >+ ^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_s4u2self_forwardable >+ ^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_s4u2self_not_trusted_empty_allowed >++^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_s4u2self_wrong_sname >+ # >+ ^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_constrained_delegation_no_auth_data_required >+ ^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_rbcd_no_auth_data_required >+-- >+2.25.1 >+ >+ >+From 46b05cbf803c54cf56dca228fe95a3454027d0cc Mon Sep 17 00:00:00 2001 >+From: Joseph Sutton <josephsutton@catalyst.net.nz> >+Date: Tue, 23 Nov 2021 20:00:07 +1300 >+Subject: [PATCH 40/99] kdc: Match Windows error code for mismatching sname >+ >+Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> >+Reviewed-by: Andrew Bartlett <abartlet@samba.org> >+(cherry picked from commit b6a25f5f016aef39c3b1d7be8b3ecfe021c03c83) >+--- >+ selftest/knownfail_heimdal_kdc | 3 --- >+ source4/kdc/db-glue.c | 2 +- >+ 2 files changed, 1 insertion(+), 4 deletions(-) >+ >+diff --git selftest/knownfail_heimdal_kdc selftest/knownfail_heimdal_kdc >+index 483145f1473..981d7894158 100644 >+--- selftest/knownfail_heimdal_kdc >++++ selftest/knownfail_heimdal_kdc >+@@ -243,7 +243,6 @@ >+ ^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_rbcd_zeroed_service_checksum >+ ^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_s4u2self_forwardable >+ ^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_s4u2self_not_trusted_empty_allowed >+-^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_s4u2self_wrong_sname >+ # >+ ^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_constrained_delegation_no_auth_data_required >+ ^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_rbcd_no_auth_data_required >+@@ -292,6 +291,4 @@ >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_requester_sid_rodc_renew >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_requester_sid_rodc_validate >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_rodc_pac_request_false >+-^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_wrong_sname >+-^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_wrong_sname_krbtgt >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_validate_rodc_revealed >+diff --git source4/kdc/db-glue.c source4/kdc/db-glue.c >+index d017741e30a..bed0ff773f9 100644 >+--- source4/kdc/db-glue.c >++++ source4/kdc/db-glue.c >+@@ -2599,7 +2599,7 @@ samba_kdc_check_s4u2self(krb5_context context, >+ */ >+ if (!(orig_sid && target_sid && dom_sid_equal(orig_sid, target_sid))) { >+ talloc_free(frame); >+- return KRB5KDC_ERR_BADOPTION; >++ return KRB5KRB_AP_ERR_BADMATCH; >+ } >+ >+ talloc_free(frame); >+-- >+2.25.1 >+ >+ >+From 93a5264dd68da57e172af50020f670631eeef263 Mon Sep 17 00:00:00 2001 >+From: Joseph Sutton <josephsutton@catalyst.net.nz> >+Date: Tue, 23 Nov 2021 20:15:41 +1300 >+Subject: [PATCH 41/99] kdc: Always add the PAC if the header TGT is from an >+ RODC >+ >+Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> >+Reviewed-by: Andrew Bartlett <abartlet@samba.org> >+(cherry picked from commit 690a00a40c0a3f77da6e4dca42b630f2793a98b8) >+--- >+ selftest/knownfail_heimdal_kdc | 1 - >+ source4/kdc/wdc-samba4.c | 2 +- >+ 2 files changed, 1 insertion(+), 2 deletions(-) >+ >+diff --git selftest/knownfail_heimdal_kdc selftest/knownfail_heimdal_kdc >+index 981d7894158..94a4509f45a 100644 >+--- selftest/knownfail_heimdal_kdc >++++ selftest/knownfail_heimdal_kdc >+@@ -290,5 +290,4 @@ >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_requester_sid_missing_validate >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_requester_sid_rodc_renew >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_requester_sid_rodc_validate >+-^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_rodc_pac_request_false >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_validate_rodc_revealed >+diff --git source4/kdc/wdc-samba4.c source4/kdc/wdc-samba4.c >+index ecd182702c3..8c3ce71529c 100644 >+--- source4/kdc/wdc-samba4.c >++++ source4/kdc/wdc-samba4.c >+@@ -471,7 +471,7 @@ static krb5_error_code samba_wdc_reget_pac2(krb5_context context, >+ goto out; >+ } >+ >+- if (!server_skdc_entry->is_krbtgt) { >++ if (!is_untrusted && !server_skdc_entry->is_krbtgt) { >+ /* >+ * The client may have requested no PAC when obtaining the >+ * TGT. >+-- >+2.25.1 >+ >+ >+From 4cd44326ce38187965c46c71322caedb7a2fbf6c Mon Sep 17 00:00:00 2001 >+From: Joseph Sutton <josephsutton@catalyst.net.nz> >+Date: Thu, 25 Nov 2021 10:32:44 +1300 >+Subject: [PATCH 42/99] tests/krb5: Add tests for renewal and validation of >+ RODC TGTs with PAC requests >+ >+Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> >+Reviewed-by: Andrew Bartlett <abartlet@samba.org> >+(cherry picked from commit 73a48063469205099f02efdf3b8f0f1040dc7a3d) >+--- >+ python/samba/tests/krb5/kdc_tgs_tests.py | 90 ++++++++++++++++++++++++ >+ selftest/knownfail_heimdal_kdc | 6 ++ >+ selftest/knownfail_mit_kdc | 6 ++ >+ 3 files changed, 102 insertions(+) >+ >+diff --git python/samba/tests/krb5/kdc_tgs_tests.py python/samba/tests/krb5/kdc_tgs_tests.py >+index ecc38538e61..2923d53772a 100755 >+--- python/samba/tests/krb5/kdc_tgs_tests.py >++++ python/samba/tests/krb5/kdc_tgs_tests.py >+@@ -1867,6 +1867,51 @@ class KdcTgsTests(KDCBaseTest): >+ pac = self.get_ticket_pac(ticket) >+ self.assertIsNotNone(pac) >+ >++ def test_rodc_renew_pac_request_none(self): >++ creds = self._get_creds(replication_allowed=True, >++ revealed_to_rodc=True) >++ tgt = self.get_tgt(creds, pac_request=None) >++ tgt = self._modify_tgt(tgt, renewable=True, from_rodc=True) >++ >++ tgt = self._renew_tgt(tgt, expected_error=0, expect_pac=None, >++ expect_pac_attrs=False, >++ expect_requester_sid=True) >++ >++ ticket = self._run_tgs(tgt, expected_error=0, expect_pac=True) >++ >++ pac = self.get_ticket_pac(ticket) >++ self.assertIsNotNone(pac) >++ >++ def test_rodc_renew_pac_request_false(self): >++ creds = self._get_creds(replication_allowed=True, >++ revealed_to_rodc=True) >++ tgt = self.get_tgt(creds, pac_request=False, expect_pac=None) >++ tgt = self._modify_tgt(tgt, renewable=True, from_rodc=True) >++ >++ tgt = self._renew_tgt(tgt, expected_error=0, expect_pac=None, >++ expect_pac_attrs=False, >++ expect_requester_sid=True) >++ >++ ticket = self._run_tgs(tgt, expected_error=0, expect_pac=True) >++ >++ pac = self.get_ticket_pac(ticket) >++ self.assertIsNotNone(pac) >++ >++ def test_rodc_renew_pac_request_true(self): >++ creds = self._get_creds(replication_allowed=True, >++ revealed_to_rodc=True) >++ tgt = self.get_tgt(creds, pac_request=True) >++ tgt = self._modify_tgt(tgt, renewable=True, from_rodc=True) >++ >++ tgt = self._renew_tgt(tgt, expected_error=0, expect_pac=None, >++ expect_pac_attrs=False, >++ expect_requester_sid=True) >++ >++ ticket = self._run_tgs(tgt, expected_error=0, expect_pac=True) >++ >++ pac = self.get_ticket_pac(ticket) >++ self.assertIsNotNone(pac) >++ >+ def test_validate_pac_request_none(self): >+ creds = self._get_creds() >+ tgt = self.get_tgt(creds, pac_request=None) >+@@ -1912,6 +1957,51 @@ class KdcTgsTests(KDCBaseTest): >+ pac = self.get_ticket_pac(ticket) >+ self.assertIsNotNone(pac) >+ >++ def test_rodc_validate_pac_request_none(self): >++ creds = self._get_creds(replication_allowed=True, >++ revealed_to_rodc=True) >++ tgt = self.get_tgt(creds, pac_request=None) >++ tgt = self._modify_tgt(tgt, invalid=True, from_rodc=True) >++ >++ tgt = self._validate_tgt(tgt, expected_error=0, expect_pac=None, >++ expect_pac_attrs=False, >++ expect_requester_sid=True) >++ >++ ticket = self._run_tgs(tgt, expected_error=0, expect_pac=True) >++ >++ pac = self.get_ticket_pac(ticket) >++ self.assertIsNotNone(pac) >++ >++ def test_rodc_validate_pac_request_false(self): >++ creds = self._get_creds(replication_allowed=True, >++ revealed_to_rodc=True) >++ tgt = self.get_tgt(creds, pac_request=False, expect_pac=None) >++ tgt = self._modify_tgt(tgt, invalid=True, from_rodc=True) >++ >++ tgt = self._validate_tgt(tgt, expected_error=0, expect_pac=None, >++ expect_pac_attrs=False, >++ expect_requester_sid=True) >++ >++ ticket = self._run_tgs(tgt, expected_error=0, expect_pac=True) >++ >++ pac = self.get_ticket_pac(ticket) >++ self.assertIsNotNone(pac) >++ >++ def test_rodc_validate_pac_request_true(self): >++ creds = self._get_creds(replication_allowed=True, >++ revealed_to_rodc=True) >++ tgt = self.get_tgt(creds, pac_request=True) >++ tgt = self._modify_tgt(tgt, invalid=True, from_rodc=True) >++ >++ tgt = self._validate_tgt(tgt, expected_error=0, expect_pac=None, >++ expect_pac_attrs=False, >++ expect_requester_sid=True) >++ >++ ticket = self._run_tgs(tgt, expected_error=0, expect_pac=True) >++ >++ pac = self.get_ticket_pac(ticket) >++ self.assertIsNotNone(pac) >++ >+ def test_s4u2self_pac_request_none(self): >+ creds = self._get_creds() >+ tgt = self.get_tgt(creds, pac_request=None) >+diff --git selftest/knownfail_heimdal_kdc selftest/knownfail_heimdal_kdc >+index 94a4509f45a..2de898e73c2 100644 >+--- selftest/knownfail_heimdal_kdc >++++ selftest/knownfail_heimdal_kdc >+@@ -278,6 +278,12 @@ >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_pac_attrs_rodc_renew_none >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_pac_attrs_rodc_renew_true >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_renew_rodc_revealed >++^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_rodc_renew_pac_request_false >++^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_rodc_renew_pac_request_none >++^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_rodc_renew_pac_request_true >++^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_rodc_validate_pac_request_false >++^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_rodc_validate_pac_request_none >++^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_rodc_validate_pac_request_true >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_s4u2self_pac_request_false >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_pac_attrs_none >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_pac_attrs_true >+diff --git selftest/knownfail_mit_kdc selftest/knownfail_mit_kdc >+index c6dc1285837..73e64145e42 100644 >+--- selftest/knownfail_mit_kdc >++++ selftest/knownfail_mit_kdc >+@@ -422,6 +422,12 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_ >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_renew_rodc_sid_mismatch_existing >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_renew_rodc_sid_mismatch_nonexisting >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_renew_service_ticket >++^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_rodc_renew_pac_request_false >++^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_rodc_renew_pac_request_none >++^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_rodc_renew_pac_request_true >++^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_rodc_validate_pac_request_false >++^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_rodc_validate_pac_request_none >++^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_rodc_validate_pac_request_true >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_s4u2self_authdata_no_pac >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_s4u2self_no_pac >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_s4u2self_req >+-- >+2.25.1 >+ >+ >+From 925f63f3e464c0fdb91aaa5ed523a6ddb481bfff Mon Sep 17 00:00:00 2001 >+From: Joseph Sutton <josephsutton@catalyst.net.nz> >+Date: Thu, 25 Nov 2021 13:24:57 +1300 >+Subject: [PATCH 43/99] Revert "CVE-2020-25719 s4/torture: Expect additional >+ PAC buffers" >+ >+This reverts commit fa4c9bcefdeed0a7106aab84df20b02435febc1f. >+ >+We should not be generating these additional PAC buffers for service >+tickets, only for TGTs. >+ >+Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> >+Reviewed-by: Andrew Bartlett <abartlet@samba.org> >+(cherry picked from commit e61983c7f2c4daade83b237efb990d0c0645b3a3) >+--- >+ selftest/knownfail_heimdal_kdc | 39 ++++++++++++++++++++++++++++++++ >+ source4/torture/rpc/remote_pac.c | 24 ++------------------ >+ 2 files changed, 41 insertions(+), 22 deletions(-) >+ >+diff --git selftest/knownfail_heimdal_kdc selftest/knownfail_heimdal_kdc >+index 2de898e73c2..65e4fee9510 100644 >+--- selftest/knownfail_heimdal_kdc >++++ selftest/knownfail_heimdal_kdc >+@@ -297,3 +297,42 @@ >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_requester_sid_rodc_renew >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_requester_sid_rodc_validate >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_validate_rodc_revealed >++# >++# PAC tests >++# >++^samba4.blackbox.pkinit_pac.STEP1 remote.pac verification.ad_dc:local >++^samba4.blackbox.pkinit_pac.STEP1 remote.pac verification.ad_dc_ntvfs:local >++^samba4.blackbox.pkinit_pac.netr-bdc-aes.verify-sig-aes.ad_dc:local >++^samba4.blackbox.pkinit_pac.netr-bdc-aes.verify-sig-aes.ad_dc_ntvfs:local >++^samba4.blackbox.pkinit_pac.netr-mem-aes.s4u2proxy-aes.ad_dc:local >++^samba4.blackbox.pkinit_pac.netr-mem-aes.s4u2proxy-aes.ad_dc_ntvfs:local >++^samba4.blackbox.pkinit_pac.netr-mem-aes.verify-sig-aes.ad_dc:local >++^samba4.blackbox.pkinit_pac.netr-mem-aes.verify-sig-aes.ad_dc_ntvfs:local >++^samba4.blackbox.pkinit_pac.netr-mem-arcfour.s4u2proxy-arcfour.ad_dc:local >++^samba4.blackbox.pkinit_pac.netr-mem-arcfour.s4u2proxy-arcfour.ad_dc_ntvfs:local >++^samba4.blackbox.pkinit_pac.netr-mem-arcfour.verify-sig-arcfour.ad_dc:local >++^samba4.blackbox.pkinit_pac.netr-mem-arcfour.verify-sig-arcfour.ad_dc_ntvfs:local >++^samba4.rpc.pac on ncacn_np.netr-bdc-aes.verify-sig-aes.fl2000dc >++^samba4.rpc.pac on ncacn_np.netr-bdc-aes.verify-sig-aes.fl2003dc >++^samba4.rpc.pac on ncacn_np.netr-bdc-aes.verify-sig-aes.fl2008dc >++^samba4.rpc.pac on ncacn_np.netr-bdc-aes.verify-sig-aes.fl2008r2dc >++^samba4.rpc.pac on ncacn_np.netr-bdc-arcfour.verify-sig-arcfour.fl2000dc >++^samba4.rpc.pac on ncacn_np.netr-bdc-arcfour.verify-sig-arcfour.fl2003dc >++^samba4.rpc.pac on ncacn_np.netr-bdc-arcfour.verify-sig-arcfour.fl2008dc >++^samba4.rpc.pac on ncacn_np.netr-bdc-arcfour.verify-sig-arcfour.fl2008r2dc >++^samba4.rpc.pac on ncacn_np.netr-mem-aes.s4u2proxy-aes.fl2000dc >++^samba4.rpc.pac on ncacn_np.netr-mem-aes.s4u2proxy-aes.fl2003dc >++^samba4.rpc.pac on ncacn_np.netr-mem-aes.s4u2proxy-aes.fl2008dc >++^samba4.rpc.pac on ncacn_np.netr-mem-aes.s4u2proxy-aes.fl2008r2dc >++^samba4.rpc.pac on ncacn_np.netr-mem-aes.verify-sig-aes.fl2000dc >++^samba4.rpc.pac on ncacn_np.netr-mem-aes.verify-sig-aes.fl2003dc >++^samba4.rpc.pac on ncacn_np.netr-mem-aes.verify-sig-aes.fl2008dc >++^samba4.rpc.pac on ncacn_np.netr-mem-aes.verify-sig-aes.fl2008r2dc >++^samba4.rpc.pac on ncacn_np.netr-mem-arcfour.s4u2proxy-arcfour.fl2000dc >++^samba4.rpc.pac on ncacn_np.netr-mem-arcfour.s4u2proxy-arcfour.fl2003dc >++^samba4.rpc.pac on ncacn_np.netr-mem-arcfour.s4u2proxy-arcfour.fl2008dc >++^samba4.rpc.pac on ncacn_np.netr-mem-arcfour.s4u2proxy-arcfour.fl2008r2dc >++^samba4.rpc.pac on ncacn_np.netr-mem-arcfour.verify-sig-arcfour.fl2000dc >++^samba4.rpc.pac on ncacn_np.netr-mem-arcfour.verify-sig-arcfour.fl2003dc >++^samba4.rpc.pac on ncacn_np.netr-mem-arcfour.verify-sig-arcfour.fl2008dc >++^samba4.rpc.pac on ncacn_np.netr-mem-arcfour.verify-sig-arcfour.fl2008r2dc >+diff --git source4/torture/rpc/remote_pac.c source4/torture/rpc/remote_pac.c >+index c94decef5ce..14c23f674f1 100644 >+--- source4/torture/rpc/remote_pac.c >++++ source4/torture/rpc/remote_pac.c >+@@ -266,7 +266,7 @@ static bool test_PACVerify(struct torture_context *tctx, >+ (ndr_pull_flags_fn_t)ndr_pull_PAC_DATA); >+ torture_assert(tctx, NDR_ERR_CODE_IS_SUCCESS(ndr_err), "ndr_pull_struct_blob of PAC_DATA structure failed"); >+ >+- num_pac_buffers = 7; >++ num_pac_buffers = 5; >+ if (expect_pac_upn_dns_info) { >+ num_pac_buffers += 1; >+ } >+@@ -323,18 +323,6 @@ static bool test_PACVerify(struct torture_context *tctx, >+ pac_buf->info != NULL, >+ "PAC_TYPE_TICKET_CHECKSUM info"); >+ >+- pac_buf = get_pac_buffer(&pac_data_struct, PAC_TYPE_ATTRIBUTES_INFO); >+- torture_assert_not_null(tctx, pac_buf, "PAC_TYPE_ATTRIBUTES_INFO"); >+- torture_assert(tctx, >+- pac_buf->info != NULL, >+- "PAC_TYPE_ATTRIBUTES_INFO info"); >+- >+- pac_buf = get_pac_buffer(&pac_data_struct, PAC_TYPE_REQUESTER_SID); >+- torture_assert_not_null(tctx, pac_buf, "PAC_TYPE_REQUESTER_SID"); >+- torture_assert(tctx, >+- pac_buf->info != NULL, >+- "PAC_TYPE_REQUESTER_SID info"); >+- >+ ok = netlogon_validate_pac(tctx, p, server_creds, secure_channel_type, test_machine_name, >+ negotiate_flags, pac_data, session_info); >+ >+@@ -1094,7 +1082,7 @@ static bool test_S4U2Proxy(struct torture_context *tctx, >+ (ndr_pull_flags_fn_t)ndr_pull_PAC_DATA); >+ torture_assert(tctx, NDR_ERR_CODE_IS_SUCCESS(ndr_err), "ndr_pull_struct_blob of PAC_DATA structure failed"); >+ >+- num_pac_buffers = 9; >++ num_pac_buffers = 7; >+ >+ torture_assert_int_equal(tctx, pac_data_struct.version, 0, "version"); >+ torture_assert_int_equal(tctx, pac_data_struct.num_buffers, num_pac_buffers, "num_buffers"); >+@@ -1134,14 +1122,6 @@ static bool test_S4U2Proxy(struct torture_context *tctx, >+ talloc_asprintf(tctx, "%s@%s", self_princ, cli_credentials_get_realm(credentials)), >+ "wrong transited_services[0]"); >+ >+- pac_buf = get_pac_buffer(&pac_data_struct, PAC_TYPE_ATTRIBUTES_INFO); >+- torture_assert_not_null(tctx, pac_buf, "PAC_TYPE_ATTRIBUTES_INFO"); >+- torture_assert_not_null(tctx, pac_buf->info, "PAC_TYPE_ATTRIBUTES_INFO info"); >+- >+- pac_buf = get_pac_buffer(&pac_data_struct, PAC_TYPE_REQUESTER_SID); >+- torture_assert_not_null(tctx, pac_buf, "PAC_TYPE_REQUESTER_SID"); >+- torture_assert_not_null(tctx, pac_buf->info, "PAC_TYPE_REQUESTER_SID info"); >+- >+ return netlogon_validate_pac(tctx, p, server_creds, secure_channel_type, test_machine_name, >+ negotiate_flags, pac_data, session_info); >+ } >+-- >+2.25.1 >+ >+ >+From 72afa2641c24bd18a32463f0b0de7e91feb54290 Mon Sep 17 00:00:00 2001 >+From: Joseph Sutton <josephsutton@catalyst.net.nz> >+Date: Wed, 24 Nov 2021 20:42:22 +1300 >+Subject: [PATCH 44/99] kdc: Don't include extra PAC buffers in service tickets >+ >+Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> >+Reviewed-by: Andrew Bartlett <abartlet@samba.org> >+(cherry picked from commit 90025b6a4d250a15c0f988a9a9150ecfb63069ef) >+--- >+ selftest/knownfail_heimdal_kdc | 42 ---------------------------------- >+ source4/kdc/wdc-samba4.c | 31 +++++++++++++++++-------- >+ 2 files changed, 21 insertions(+), 52 deletions(-) >+ >+diff --git selftest/knownfail_heimdal_kdc selftest/knownfail_heimdal_kdc >+index 65e4fee9510..ea08cb44122 100644 >+--- selftest/knownfail_heimdal_kdc >++++ selftest/knownfail_heimdal_kdc >+@@ -285,11 +285,8 @@ >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_rodc_validate_pac_request_none >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_rodc_validate_pac_request_true >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_s4u2self_pac_request_false >+-^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_pac_attrs_none >+-^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_pac_attrs_true >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_req_from_rodc_no_requester_sid >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_req_no_requester_sid >+-^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_requester_sid(?!_) >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_requester_sid_missing_renew >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_requester_sid_missing_rodc_renew >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_requester_sid_missing_rodc_validate >+@@ -297,42 +294,3 @@ >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_requester_sid_rodc_renew >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_requester_sid_rodc_validate >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_validate_rodc_revealed >+-# >+-# PAC tests >+-# >+-^samba4.blackbox.pkinit_pac.STEP1 remote.pac verification.ad_dc:local >+-^samba4.blackbox.pkinit_pac.STEP1 remote.pac verification.ad_dc_ntvfs:local >+-^samba4.blackbox.pkinit_pac.netr-bdc-aes.verify-sig-aes.ad_dc:local >+-^samba4.blackbox.pkinit_pac.netr-bdc-aes.verify-sig-aes.ad_dc_ntvfs:local >+-^samba4.blackbox.pkinit_pac.netr-mem-aes.s4u2proxy-aes.ad_dc:local >+-^samba4.blackbox.pkinit_pac.netr-mem-aes.s4u2proxy-aes.ad_dc_ntvfs:local >+-^samba4.blackbox.pkinit_pac.netr-mem-aes.verify-sig-aes.ad_dc:local >+-^samba4.blackbox.pkinit_pac.netr-mem-aes.verify-sig-aes.ad_dc_ntvfs:local >+-^samba4.blackbox.pkinit_pac.netr-mem-arcfour.s4u2proxy-arcfour.ad_dc:local >+-^samba4.blackbox.pkinit_pac.netr-mem-arcfour.s4u2proxy-arcfour.ad_dc_ntvfs:local >+-^samba4.blackbox.pkinit_pac.netr-mem-arcfour.verify-sig-arcfour.ad_dc:local >+-^samba4.blackbox.pkinit_pac.netr-mem-arcfour.verify-sig-arcfour.ad_dc_ntvfs:local >+-^samba4.rpc.pac on ncacn_np.netr-bdc-aes.verify-sig-aes.fl2000dc >+-^samba4.rpc.pac on ncacn_np.netr-bdc-aes.verify-sig-aes.fl2003dc >+-^samba4.rpc.pac on ncacn_np.netr-bdc-aes.verify-sig-aes.fl2008dc >+-^samba4.rpc.pac on ncacn_np.netr-bdc-aes.verify-sig-aes.fl2008r2dc >+-^samba4.rpc.pac on ncacn_np.netr-bdc-arcfour.verify-sig-arcfour.fl2000dc >+-^samba4.rpc.pac on ncacn_np.netr-bdc-arcfour.verify-sig-arcfour.fl2003dc >+-^samba4.rpc.pac on ncacn_np.netr-bdc-arcfour.verify-sig-arcfour.fl2008dc >+-^samba4.rpc.pac on ncacn_np.netr-bdc-arcfour.verify-sig-arcfour.fl2008r2dc >+-^samba4.rpc.pac on ncacn_np.netr-mem-aes.s4u2proxy-aes.fl2000dc >+-^samba4.rpc.pac on ncacn_np.netr-mem-aes.s4u2proxy-aes.fl2003dc >+-^samba4.rpc.pac on ncacn_np.netr-mem-aes.s4u2proxy-aes.fl2008dc >+-^samba4.rpc.pac on ncacn_np.netr-mem-aes.s4u2proxy-aes.fl2008r2dc >+-^samba4.rpc.pac on ncacn_np.netr-mem-aes.verify-sig-aes.fl2000dc >+-^samba4.rpc.pac on ncacn_np.netr-mem-aes.verify-sig-aes.fl2003dc >+-^samba4.rpc.pac on ncacn_np.netr-mem-aes.verify-sig-aes.fl2008dc >+-^samba4.rpc.pac on ncacn_np.netr-mem-aes.verify-sig-aes.fl2008r2dc >+-^samba4.rpc.pac on ncacn_np.netr-mem-arcfour.s4u2proxy-arcfour.fl2000dc >+-^samba4.rpc.pac on ncacn_np.netr-mem-arcfour.s4u2proxy-arcfour.fl2003dc >+-^samba4.rpc.pac on ncacn_np.netr-mem-arcfour.s4u2proxy-arcfour.fl2008dc >+-^samba4.rpc.pac on ncacn_np.netr-mem-arcfour.s4u2proxy-arcfour.fl2008r2dc >+-^samba4.rpc.pac on ncacn_np.netr-mem-arcfour.verify-sig-arcfour.fl2000dc >+-^samba4.rpc.pac on ncacn_np.netr-mem-arcfour.verify-sig-arcfour.fl2003dc >+-^samba4.rpc.pac on ncacn_np.netr-mem-arcfour.verify-sig-arcfour.fl2008dc >+-^samba4.rpc.pac on ncacn_np.netr-mem-arcfour.verify-sig-arcfour.fl2008r2dc >+diff --git source4/kdc/wdc-samba4.c source4/kdc/wdc-samba4.c >+index 8c3ce71529c..17af76f4edb 100644 >+--- source4/kdc/wdc-samba4.c >++++ source4/kdc/wdc-samba4.c >+@@ -132,6 +132,7 @@ static krb5_error_code samba_wdc_reget_pac2(krb5_context context, >+ krb5_error_code ret; >+ NTSTATUS nt_status; >+ bool is_in_db, is_untrusted; >++ bool is_krbtgt; >+ size_t num_types = 0; >+ uint32_t *types = NULL; >+ uint32_t forced_next_type = 0; >+@@ -471,7 +472,9 @@ static krb5_error_code samba_wdc_reget_pac2(krb5_context context, >+ goto out; >+ } >+ >+- if (!is_untrusted && !server_skdc_entry->is_krbtgt) { >++ is_krbtgt = krb5_principal_is_krbtgt(context, server->entry.principal); >++ >++ if (!is_untrusted && !is_krbtgt) { >+ /* >+ * The client may have requested no PAC when obtaining the >+ * TGT. >+@@ -576,17 +579,25 @@ static krb5_error_code samba_wdc_reget_pac2(krb5_context context, >+ type_blob = data_blob_const(&zero_byte, 1); >+ break; >+ case PAC_TYPE_ATTRIBUTES_INFO: >+- /* just copy... */ >+- break; >++ if (is_krbtgt) { >++ /* just copy... */ >++ break; >++ } else { >++ continue; >++ } >+ case PAC_TYPE_REQUESTER_SID: >+- /* >+- * Replace in the RODC case, otherwise >+- * requester_sid_blob is NULL and we just copy. >+- */ >+- if (requester_sid_blob != NULL) { >+- type_blob = *requester_sid_blob; >++ if (is_krbtgt) { >++ /* >++ * Replace in the RODC case, otherwise >++ * requester_sid_blob is NULL and we just copy. >++ */ >++ if (requester_sid_blob != NULL) { >++ type_blob = *requester_sid_blob; >++ } >++ break; >++ } else { >++ continue; >+ } >+- break; >+ default: >+ /* just copy... */ >+ break; >+-- >+2.25.1 >+ >+ >+From 29f15fe2d92831dcf5f4eb6d295df866ff689ee3 Mon Sep 17 00:00:00 2001 >+From: Joseph Sutton <josephsutton@catalyst.net.nz> >+Date: Thu, 25 Nov 2021 10:53:49 +1300 >+Subject: [PATCH 45/99] kdc: Remove PAC_TYPE_ATTRIBUTES_INFO from RODC-issued >+ tickets >+ >+Windows ignores PAC_TYPE_ATTRIBUTES_INFO and always issues a PAC when >+presented with an RODC-issued TGT. By removing this PAC buffer from >+RODC-issued tickets, we ensure that an RODC-issued ticket will still >+result in a PAC if it is first renewed or validated by the main DC. >+ >+Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> >+Reviewed-by: Andrew Bartlett <abartlet@samba.org> >+(cherry picked from commit 4b60e9516497c2e7f1545fe50887d0336b9893f2) >+--- >+ selftest/knownfail_heimdal_kdc | 13 ------------- >+ source4/kdc/wdc-samba4.c | 2 +- >+ 2 files changed, 1 insertion(+), 14 deletions(-) >+ >+diff --git selftest/knownfail_heimdal_kdc selftest/knownfail_heimdal_kdc >+index ea08cb44122..5e94cb63d7a 100644 >+--- selftest/knownfail_heimdal_kdc >++++ selftest/knownfail_heimdal_kdc >+@@ -274,16 +274,6 @@ >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_fast_service_ticket >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_fast_sid_mismatch_existing >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_fast_sid_mismatch_nonexisting >+-^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_pac_attrs_rodc_renew_false >+-^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_pac_attrs_rodc_renew_none >+-^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_pac_attrs_rodc_renew_true >+-^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_renew_rodc_revealed >+-^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_rodc_renew_pac_request_false >+-^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_rodc_renew_pac_request_none >+-^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_rodc_renew_pac_request_true >+-^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_rodc_validate_pac_request_false >+-^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_rodc_validate_pac_request_none >+-^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_rodc_validate_pac_request_true >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_s4u2self_pac_request_false >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_req_from_rodc_no_requester_sid >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_req_no_requester_sid >+@@ -291,6 +281,3 @@ >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_requester_sid_missing_rodc_renew >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_requester_sid_missing_rodc_validate >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_requester_sid_missing_validate >+-^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_requester_sid_rodc_renew >+-^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_requester_sid_rodc_validate >+-^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_validate_rodc_revealed >+diff --git source4/kdc/wdc-samba4.c source4/kdc/wdc-samba4.c >+index 17af76f4edb..713720bcb99 100644 >+--- source4/kdc/wdc-samba4.c >++++ source4/kdc/wdc-samba4.c >+@@ -579,7 +579,7 @@ static krb5_error_code samba_wdc_reget_pac2(krb5_context context, >+ type_blob = data_blob_const(&zero_byte, 1); >+ break; >+ case PAC_TYPE_ATTRIBUTES_INFO: >+- if (is_krbtgt) { >++ if (!is_untrusted && is_krbtgt) { >+ /* just copy... */ >+ break; >+ } else { >+-- >+2.25.1 >+ >+ >+From d3436300745c41226d7ed146f269c929133f8f49 Mon Sep 17 00:00:00 2001 >+From: Joseph Sutton <josephsutton@catalyst.net.nz> >+Date: Thu, 25 Nov 2021 12:46:40 +1300 >+Subject: [PATCH 46/99] tests/krb5: Add a test for S4U2Self with no >+ authorization data required >+ >+Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> >+Reviewed-by: Andrew Bartlett <abartlet@samba.org> >+(cherry picked from commit 192d6edfe912105ec344dc554f872a24c03540a3) >+--- >+ python/samba/tests/krb5/s4u_tests.py | 34 ++++++++++++++++++++++++++++ >+ selftest/knownfail_heimdal_kdc | 1 + >+ 2 files changed, 35 insertions(+) >+ >+diff --git python/samba/tests/krb5/s4u_tests.py python/samba/tests/krb5/s4u_tests.py >+index 2953766ef21..6ec9af11423 100755 >+--- python/samba/tests/krb5/s4u_tests.py >++++ python/samba/tests/krb5/s4u_tests.py >+@@ -324,6 +324,13 @@ class S4UKerberosTests(KDCBaseTest): >+ sname=service_sname, >+ etypes=etypes) >+ >++ if not expected_error_mode: >++ # Check that the ticket contains a PAC. >++ ticket = kdc_exchange_dict['rep_ticket_creds'] >++ >++ pac = self.get_ticket_pac(ticket) >++ self.assertIsNotNone(pac) >++ >+ # Ensure we used all the parameters given to us. >+ self.assertEqual({}, kdc_dict) >+ >+@@ -504,6 +511,24 @@ class S4UKerberosTests(KDCBaseTest): >+ self.set_ticket_forwardable, flag=True) >+ }) >+ >++ # Do an S4U2Self where the service does not require authorization data. The >++ # resulting ticket should still contain a PAC. >++ def test_s4u2self_no_auth_data_required(self): >++ self._run_s4u2self_test( >++ { >++ 'client_opts': { >++ 'not_delegated': False >++ }, >++ 'service_opts': { >++ 'trusted_to_auth_for_delegation': True, >++ 'no_auth_data_required': True >++ }, >++ 'kdc_options': 'forwardable', >++ 'modify_service_tgt_fn': functools.partial( >++ self.set_ticket_forwardable, flag=True), >++ 'expected_flags': 'forwardable' >++ }) >++ >+ def _run_delegation_test(self, kdc_dict): >+ client_opts = kdc_dict.pop('client_opts', None) >+ client_creds = self.get_cached_creds( >+@@ -654,6 +679,15 @@ class S4UKerberosTests(KDCBaseTest): >+ etypes=etypes, >+ additional_tickets=additional_tickets) >+ >++ if not expected_error_mode: >++ # Check whether the ticket contains a PAC. >++ ticket = kdc_exchange_dict['rep_ticket_creds'] >++ pac = self.get_ticket_pac(ticket, expect_pac=expect_pac) >++ if expect_pac: >++ self.assertIsNotNone(pac) >++ else: >++ self.assertIsNone(pac) >++ >+ # Ensure we used all the parameters given to us. >+ self.assertEqual({}, kdc_dict) >+ >+diff --git selftest/knownfail_heimdal_kdc selftest/knownfail_heimdal_kdc >+index 5e94cb63d7a..2025032a278 100644 >+--- selftest/knownfail_heimdal_kdc >++++ selftest/knownfail_heimdal_kdc >+@@ -242,6 +242,7 @@ >+ ^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_rbcd_zeroed_client_checksum >+ ^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_rbcd_zeroed_service_checksum >+ ^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_s4u2self_forwardable >++^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_s4u2self_no_auth_data_required >+ ^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_s4u2self_not_trusted_empty_allowed >+ # >+ ^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_constrained_delegation_no_auth_data_required >+-- >+2.25.1 >+ >+ >+From 8f97f78dd8023d88d76fc7de063661d94ebe5400 Mon Sep 17 00:00:00 2001 >+From: Joseph Sutton <josephsutton@catalyst.net.nz> >+Date: Tue, 23 Nov 2021 17:30:50 +1300 >+Subject: [PATCH 47/99] heimdal:kdc: Always generate a PAC for S4U2Self >+ >+If we decided not to put a PAC into the ticket, mspac would be NULL >+here, and the resulting ticket would not contain a PAC. This could >+happen if there was a request to omit the PAC or the service did not >+require authorization data. Ensure that we always generate a PAC. >+ >+Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> >+Reviewed-by: Andrew Bartlett <abartlet@samba.org> >+(cherry picked from commit 1f4f3018c5001b289b91959a72d00575c8fc0ac1) >+--- >+ selftest/knownfail_heimdal_kdc | 2 -- >+ source4/heimdal/kdc/krb5tgs.c | 13 +++++++------ >+ 2 files changed, 7 insertions(+), 8 deletions(-) >+ >+diff --git selftest/knownfail_heimdal_kdc selftest/knownfail_heimdal_kdc >+index 2025032a278..53cc8e6b6a2 100644 >+--- selftest/knownfail_heimdal_kdc >++++ selftest/knownfail_heimdal_kdc >+@@ -242,7 +242,6 @@ >+ ^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_rbcd_zeroed_client_checksum >+ ^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_rbcd_zeroed_service_checksum >+ ^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_s4u2self_forwardable >+-^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_s4u2self_no_auth_data_required >+ ^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_s4u2self_not_trusted_empty_allowed >+ # >+ ^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_constrained_delegation_no_auth_data_required >+@@ -275,7 +274,6 @@ >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_fast_service_ticket >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_fast_sid_mismatch_existing >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_fast_sid_mismatch_nonexisting >+-^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_s4u2self_pac_request_false >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_req_from_rodc_no_requester_sid >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_req_no_requester_sid >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_requester_sid_missing_renew >+diff --git source4/heimdal/kdc/krb5tgs.c source4/heimdal/kdc/krb5tgs.c >+index 6c5c51aa448..dc356b4daa5 100644 >+--- source4/heimdal/kdc/krb5tgs.c >++++ source4/heimdal/kdc/krb5tgs.c >+@@ -1846,12 +1846,13 @@ server_lookup: >+ if (mspac) { >+ krb5_pac_free(context, mspac); >+ mspac = NULL; >+- ret = _kdc_pac_generate(context, s4u2self_impersonated_client, NULL, NULL, &mspac); >+- if (ret) { >+- kdc_log(context, config, 0, "PAC generation failed for -- %s", >+- tpn); >+- goto out; >+- } >++ } >++ >++ ret = _kdc_pac_generate(context, s4u2self_impersonated_client, NULL, NULL, &mspac); >++ if (ret) { >++ kdc_log(context, config, 0, "PAC generation failed for -- %s", >++ tpn); >++ goto out; >+ } >+ >+ /* >+-- >+2.25.1 >+ >+ >+From 8585333a8ef54295a60faf47689a8978c0740361 Mon Sep 17 00:00:00 2001 >+From: Joseph Sutton <josephsutton@catalyst.net.nz> >+Date: Thu, 25 Nov 2021 09:29:42 +1300 >+Subject: [PATCH 48/99] selftest: Properly check extra PAC buffers with Heimdal >+ >+Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> >+Reviewed-by: Andrew Bartlett <abartlet@samba.org> >+(cherry picked from commit ee4aa21c487fa80082a548b2e4f115a791e30340) >+ >+[jsutton@samba.org Fixed conflicts] >+--- >+ selftest/knownfail_heimdal_kdc | 12 ++++++++++++ >+ source4/selftest/tests.py | 2 +- >+ 2 files changed, 13 insertions(+), 1 deletion(-) >+ >+diff --git selftest/knownfail_heimdal_kdc selftest/knownfail_heimdal_kdc >+index 53cc8e6b6a2..f71b95f306e 100644 >+--- selftest/knownfail_heimdal_kdc >++++ selftest/knownfail_heimdal_kdc >+@@ -241,8 +241,15 @@ >+ ^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_rbcd_unkeyed_service_checksum >+ ^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_rbcd_zeroed_client_checksum >+ ^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_rbcd_zeroed_service_checksum >++^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_s4u2self_client_not_delegated >+ ^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_s4u2self_forwardable >++^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_s4u2self_no_auth_data_required >++^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_s4u2self_not_forwardable >+ ^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_s4u2self_not_trusted_empty_allowed >++^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_s4u2self_not_trusted_nonempty_allowed >++^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_s4u2self_trusted_empty_allowed >++^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_s4u2self_trusted_nonempty_allowed >++^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_s4u2self_without_forwardable >+ # >+ ^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_constrained_delegation_no_auth_data_required >+ ^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_rbcd_no_auth_data_required >+@@ -274,6 +281,11 @@ >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_fast_service_ticket >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_fast_sid_mismatch_existing >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_fast_sid_mismatch_nonexisting >++^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_s4u2self_pac_request_false >++^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_s4u2self_pac_request_none >++^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_s4u2self_pac_request_true >++^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_s4u2self_req(?!_invalid) >++^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_s4u2self_rodc_revealed >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_req_from_rodc_no_requester_sid >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_req_no_requester_sid >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_requester_sid_missing_renew >+ >+ >+From 65bb0e3201d60d87a3f228ea161644d9a5f918c5 Mon Sep 17 00:00:00 2001 >+From: Joseph Sutton <josephsutton@catalyst.net.nz> >+Date: Tue, 23 Nov 2021 19:38:35 +1300 >+Subject: [PATCH 49/99] heimdal:kdc: Do not generate extra PAC buffers for >+ S4U2Self service ticket >+ >+Normally samba_wdc_get_pac() is used to generate the PAC for a TGT, but >+when generating a service ticket for S4U2Self, we want to avoid adding >+the additional PAC_ATTRIBUTES_INFO and PAC_REQUESTER_SID buffers. >+ >+Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> >+Reviewed-by: Andrew Bartlett <abartlet@samba.org> >+(cherry picked from commit 9bd26804852d957f81cb311e5142f9190f9afa65) >+--- >+ selftest/knownfail_heimdal_kdc | 12 ------------ >+ source4/heimdal/kdc/kerberos5.c | 2 +- >+ source4/heimdal/kdc/krb5tgs.c | 3 ++- >+ source4/heimdal/kdc/windc.c | 5 +++-- >+ source4/heimdal/kdc/windc_plugin.h | 2 ++ >+ source4/kdc/wdc-samba4.c | 11 ++++++++--- >+ 6 files changed, 16 insertions(+), 19 deletions(-) >+ >+diff --git selftest/knownfail_heimdal_kdc selftest/knownfail_heimdal_kdc >+index f71b95f306e..53cc8e6b6a2 100644 >+--- selftest/knownfail_heimdal_kdc >++++ selftest/knownfail_heimdal_kdc >+@@ -241,15 +241,8 @@ >+ ^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_rbcd_unkeyed_service_checksum >+ ^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_rbcd_zeroed_client_checksum >+ ^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_rbcd_zeroed_service_checksum >+-^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_s4u2self_client_not_delegated >+ ^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_s4u2self_forwardable >+-^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_s4u2self_no_auth_data_required >+-^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_s4u2self_not_forwardable >+ ^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_s4u2self_not_trusted_empty_allowed >+-^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_s4u2self_not_trusted_nonempty_allowed >+-^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_s4u2self_trusted_empty_allowed >+-^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_s4u2self_trusted_nonempty_allowed >+-^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_s4u2self_without_forwardable >+ # >+ ^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_constrained_delegation_no_auth_data_required >+ ^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_rbcd_no_auth_data_required >+@@ -281,11 +274,6 @@ >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_fast_service_ticket >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_fast_sid_mismatch_existing >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_fast_sid_mismatch_nonexisting >+-^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_s4u2self_pac_request_false >+-^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_s4u2self_pac_request_none >+-^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_s4u2self_pac_request_true >+-^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_s4u2self_req(?!_invalid) >+-^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_s4u2self_rodc_revealed >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_req_from_rodc_no_requester_sid >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_req_no_requester_sid >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_requester_sid_missing_renew >+diff --git source4/heimdal/kdc/kerberos5.c source4/heimdal/kdc/kerberos5.c >+index 9684364c519..a9e81336615 100644 >+--- source4/heimdal/kdc/kerberos5.c >++++ source4/heimdal/kdc/kerberos5.c >+@@ -1776,7 +1776,7 @@ _kdc_as_rep(krb5_context context, >+ >+ sent_pac_request = send_pac_p(context, req, &pac_request); >+ >+- ret = _kdc_pac_generate(context, client, pk_reply_key, >++ ret = _kdc_pac_generate(context, client, server, pk_reply_key, >+ sent_pac_request ? &pac_request : NULL, >+ &p); >+ if (ret) { >+diff --git source4/heimdal/kdc/krb5tgs.c source4/heimdal/kdc/krb5tgs.c >+index dc356b4daa5..38dba8493ae 100644 >+--- source4/heimdal/kdc/krb5tgs.c >++++ source4/heimdal/kdc/krb5tgs.c >+@@ -1848,7 +1848,8 @@ server_lookup: >+ mspac = NULL; >+ } >+ >+- ret = _kdc_pac_generate(context, s4u2self_impersonated_client, NULL, NULL, &mspac); >++ ret = _kdc_pac_generate(context, s4u2self_impersonated_client, server, >++ NULL, NULL, &mspac); >+ if (ret) { >+ kdc_log(context, config, 0, "PAC generation failed for -- %s", >+ tpn); >+diff --git source4/heimdal/kdc/windc.c source4/heimdal/kdc/windc.c >+index 93b973f576b..0a5ae5025ec 100644 >+--- source4/heimdal/kdc/windc.c >++++ source4/heimdal/kdc/windc.c >+@@ -73,6 +73,7 @@ krb5_kdc_windc_init(krb5_context context) >+ krb5_error_code >+ _kdc_pac_generate(krb5_context context, >+ hdb_entry_ex *client, >++ hdb_entry_ex *server, >+ const krb5_keyblock *pk_reply_key, >+ const krb5_boolean *pac_request, >+ krb5_pac *pac) >+@@ -88,9 +89,9 @@ _kdc_pac_generate(krb5_context context, >+ >+ if (windcft->pac_pk_generate != NULL && pk_reply_key != NULL) >+ return (windcft->pac_pk_generate)(windcctx, context, >+- client, pk_reply_key, >++ client, server, pk_reply_key, >+ pac_request, pac); >+- return (windcft->pac_generate)(windcctx, context, client, >++ return (windcft->pac_generate)(windcctx, context, client, server, >+ pac_request, pac); >+ } >+ >+diff --git source4/heimdal/kdc/windc_plugin.h source4/heimdal/kdc/windc_plugin.h >+index c7f2bcb5ed9..d239d0260e7 100644 >+--- source4/heimdal/kdc/windc_plugin.h >++++ source4/heimdal/kdc/windc_plugin.h >+@@ -55,12 +55,14 @@ struct hdb_entry_ex; >+ typedef krb5_error_code >+ (*krb5plugin_windc_pac_generate)(void *, krb5_context, >+ struct hdb_entry_ex *, /* client */ >++ struct hdb_entry_ex *, /* server */ >+ const krb5_boolean *, /* pac_request */ >+ krb5_pac *); >+ >+ typedef krb5_error_code >+ (*krb5plugin_windc_pac_pk_generate)(void *, krb5_context, >+ struct hdb_entry_ex *, /* client */ >++ struct hdb_entry_ex *, /* server */ >+ const krb5_keyblock *, /* pk_replykey */ >+ const krb5_boolean *, /* pac_request */ >+ krb5_pac *); >+diff --git source4/kdc/wdc-samba4.c source4/kdc/wdc-samba4.c >+index 713720bcb99..b1d011c09a9 100644 >+--- source4/kdc/wdc-samba4.c >++++ source4/kdc/wdc-samba4.c >+@@ -37,6 +37,7 @@ >+ */ >+ static krb5_error_code samba_wdc_get_pac(void *priv, krb5_context context, >+ struct hdb_entry_ex *client, >++ struct hdb_entry_ex *server, >+ const krb5_keyblock *pk_reply_key, >+ const krb5_boolean *pac_request, >+ krb5_pac *pac) >+@@ -55,6 +56,7 @@ static krb5_error_code samba_wdc_get_pac(void *priv, krb5_context context, >+ struct samba_kdc_entry *skdc_entry = >+ talloc_get_type_abort(client->ctx, >+ struct samba_kdc_entry); >++ bool is_krbtgt; >+ >+ mem_ctx = talloc_named(client->ctx, 0, "samba_get_pac context"); >+ if (!mem_ctx) { >+@@ -65,13 +67,15 @@ static krb5_error_code samba_wdc_get_pac(void *priv, krb5_context context, >+ cred_ndr_ptr = &cred_ndr; >+ } >+ >++ is_krbtgt = krb5_principal_is_krbtgt(context, server->entry.principal); >++ >+ nt_status = samba_kdc_get_pac_blobs(mem_ctx, skdc_entry, >+ &logon_blob, >+ cred_ndr_ptr, >+ &upn_blob, >+- &pac_attrs_blob, >++ is_krbtgt ? &pac_attrs_blob : NULL, >+ pac_request, >+- &requester_sid_blob, >++ is_krbtgt ? &requester_sid_blob : NULL, >+ NULL); >+ if (!NT_STATUS_IS_OK(nt_status)) { >+ talloc_free(mem_ctx); >+@@ -101,10 +105,11 @@ static krb5_error_code samba_wdc_get_pac(void *priv, krb5_context context, >+ >+ static krb5_error_code samba_wdc_get_pac_compat(void *priv, krb5_context context, >+ struct hdb_entry_ex *client, >++ struct hdb_entry_ex *server, >+ const krb5_boolean *pac_request, >+ krb5_pac *pac) >+ { >+- return samba_wdc_get_pac(priv, context, client, NULL, pac_request, pac); >++ return samba_wdc_get_pac(priv, context, client, server, NULL, pac_request, pac); >+ } >+ >+ static krb5_error_code samba_wdc_reget_pac2(krb5_context context, >+-- >+2.25.1 >+ >+ >+From 49aafce0a705d47ffd4753ce6c6f452c4f7aa882 Mon Sep 17 00:00:00 2001 >+From: Joseph Sutton <josephsutton@catalyst.net.nz> >+Date: Wed, 24 Nov 2021 20:41:54 +1300 >+Subject: [PATCH 50/99] kdc: Require that PAC_REQUESTER_SID buffer is present >+ for TGTs >+ >+Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> >+Reviewed-by: Andrew Bartlett <abartlet@samba.org> >+ >+Autobuild-User(master): Andrew Bartlett <abartlet@samba.org> >+Autobuild-Date(master): Tue Nov 30 03:33:26 UTC 2021 on sn-devel-184 >+ >+(cherry picked from commit 38c5bad4a853b19fe9a51fb059e150b153c4632a) >+--- >+ selftest/knownfail_heimdal_kdc | 6 ------ >+ source4/kdc/wdc-samba4.c | 6 ++++++ >+ 2 files changed, 6 insertions(+), 6 deletions(-) >+ >+diff --git selftest/knownfail_heimdal_kdc selftest/knownfail_heimdal_kdc >+index 53cc8e6b6a2..32465cb6042 100644 >+--- selftest/knownfail_heimdal_kdc >++++ selftest/knownfail_heimdal_kdc >+@@ -274,9 +274,3 @@ >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_fast_service_ticket >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_fast_sid_mismatch_existing >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_fast_sid_mismatch_nonexisting >+-^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_req_from_rodc_no_requester_sid >+-^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_req_no_requester_sid >+-^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_requester_sid_missing_renew >+-^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_requester_sid_missing_rodc_renew >+-^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_requester_sid_missing_rodc_validate >+-^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_requester_sid_missing_validate >+diff --git source4/kdc/wdc-samba4.c source4/kdc/wdc-samba4.c >+index b1d011c09a9..d7ce34fb3a9 100644 >+--- source4/kdc/wdc-samba4.c >++++ source4/kdc/wdc-samba4.c >+@@ -459,6 +459,12 @@ static krb5_error_code samba_wdc_reget_pac2(krb5_context context, >+ talloc_free(mem_ctx); >+ return EINVAL; >+ } >++ if (delegated_proxy_principal == NULL && requester_sid_idx == -1) { >++ DEBUG(1, ("PAC_TYPE_REQUESTER_SID missing\n")); >++ SAFE_FREE(types); >++ talloc_free(mem_ctx); >++ return KRB5KDC_ERR_TGT_REVOKED; >++ } >+ >+ /* >+ * The server account may be set not to want the PAC. >+-- >+2.25.1 >+ >+ >+From 3fc519edec0159535baa0b659861b73f40632110 Mon Sep 17 00:00:00 2001 >+From: Joseph Sutton <josephsutton@catalyst.net.nz> >+Date: Tue, 7 Dec 2021 13:15:38 +1300 >+Subject: [PATCH 51/99] kdc: Canonicalize realm for enterprise principals >+ >+Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> >+Reviewed-by: Andrew Bartlett <abartlet@samba.org> >+ >+Autobuild-User(master): Andrew Bartlett <abartlet@samba.org> >+Autobuild-Date(master): Tue Dec 7 04:54:35 UTC 2021 on sn-devel-184 >+ >+(cherry picked from commit 8bd7b316bd61ef35f6e0baa0b65f0ef00910112c) >+--- >+ selftest/knownfail.d/kdc-enterprise | 63 ----------------------------- >+ selftest/knownfail_heimdal_kdc | 3 -- >+ selftest/knownfail_mit_kdc | 36 +++++++++++++++++ >+ source4/kdc/db-glue.c | 24 +++++------ >+ 4 files changed, 47 insertions(+), 79 deletions(-) >+ delete mode 100644 selftest/knownfail.d/kdc-enterprise >+ >+diff --git selftest/knownfail.d/kdc-enterprise selftest/knownfail.d/kdc-enterprise >+deleted file mode 100644 >+index c9b6c98a2ee..00000000000 >+--- selftest/knownfail.d/kdc-enterprise >++++ /dev/null >+@@ -1,63 +0,0 @@ >+-samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise\( >+-samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_NetbiosRealm\( >+-samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_NetbiosRealm_RemoveDollar\( >+-samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_NetbiosRealm_UPN\( >+-samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_NetbiosRealm_UPN_RemoveDollar\( >+-samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_RemoveDollar\( >+-samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UPN\( >+-samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UPN_RemoveDollar\( >+-samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_NetbiosRealm\( >+-samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_NetbiosRealm_RemoveDollar\( >+-samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_NetbiosRealm_UPN\( >+-samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_NetbiosRealm_UPN_RemoveDollar\( >+-samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_UpperUserName_NetbiosRealm\( >+-samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_UpperUserName_NetbiosRealm_RemoveDollar\( >+-samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_UpperUserName_NetbiosRealm_UPN\( >+-samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_UpperUserName_NetbiosRealm_UPN_RemoveDollar\( >+-samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperUserName\( >+-samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperUserName_NetbiosRealm\( >+-samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperUserName_NetbiosRealm_RemoveDollar\( >+-samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperUserName_NetbiosRealm_UPN\( >+-samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperUserName_NetbiosRealm_UPN_RemoveDollar\( >+-samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperUserName_RemoveDollar\( >+-samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperUserName_UPN\( >+-samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperUserName_UPN_RemoveDollar\( >+-samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Enterprise\( >+-samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Enterprise_NetbiosRealm\( >+-samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Enterprise_NetbiosRealm_UPN\( >+-samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Enterprise_UPN\( >+-samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Enterprise_UpperRealm_NetbiosRealm\( >+-samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Enterprise_UpperRealm_NetbiosRealm_UPN\( >+-samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Enterprise_UpperRealm_UpperUserName_NetbiosRealm\( >+-samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Enterprise_UpperRealm_UpperUserName_NetbiosRealm_UPN\( >+-samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Enterprise_UpperUserName\( >+-samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Enterprise_UpperUserName_NetbiosRealm\( >+-samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Enterprise_UpperUserName_NetbiosRealm_UPN\( >+-samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Enterprise_UpperUserName_UPN\( >+- >+- >+- >+-^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_AsReqSelf\( >+-^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_NetbiosRealm_AsReqSelf\( >+-^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_NetbiosRealm_RemoveDollar_AsReqSelf\( >+-^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_NetbiosRealm_UPN_AsReqSelf\( >+-^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_NetbiosRealm_UPN_RemoveDollar_AsReqSelf\( >+-^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_RemoveDollar_AsReqSelf\( >+-^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UPN_AsReqSelf\( >+-^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UPN_RemoveDollar_AsReqSelf\( >+-^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_NetbiosRealm_AsReqSelf\( >+-^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_NetbiosRealm_RemoveDollar_AsReqSelf\( >+-^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_NetbiosRealm_UPN_AsReqSelf\( >+-^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_NetbiosRealm_UPN_RemoveDollar_AsReqSelf\( >+-^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_UpperUserName_NetbiosRealm_AsReqSelf\( >+-^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_UpperUserName_NetbiosRealm_RemoveDollar_AsReqSelf\( >+-^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_UpperUserName_NetbiosRealm_UPN_AsReqSelf\( >+-^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_UpperUserName_NetbiosRealm_UPN_RemoveDollar_AsReqSelf\( >+-^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperUserName_AsReqSelf\( >+-^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperUserName_NetbiosRealm_AsReqSelf\( >+-^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperUserName_NetbiosRealm_RemoveDollar_AsReqSelf\( >+-^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperUserName_NetbiosRealm_UPN_AsReqSelf\( >+-^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperUserName_NetbiosRealm_UPN_RemoveDollar_AsReqSelf\( >+-^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperUserName_RemoveDollar_AsReqSelf\( >+-^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperUserName_UPN_AsReqSelf\( >+-^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperUserName_UPN_RemoveDollar_AsReqSelf\( >+diff --git selftest/knownfail_heimdal_kdc selftest/knownfail_heimdal_kdc >+index 32465cb6042..424a8b81c38 100644 >+--- selftest/knownfail_heimdal_kdc >++++ selftest/knownfail_heimdal_kdc >+@@ -5,9 +5,6 @@ >+ # >+ # Heimdal currently fails the following MS-KILE client principal lookup >+ # tests >+-^samba.tests.krb5.ms_kile_client_principal_lookup_tests.samba.tests.krb5.ms_kile_client_principal_lookup_tests.MS_Kile_Client_Principal_Lookup_Tests.test_enterprise_principal_step_1_3 >+-^samba.tests.krb5.ms_kile_client_principal_lookup_tests.samba.tests.krb5.ms_kile_client_principal_lookup_tests.MS_Kile_Client_Principal_Lookup_Tests.test_enterprise_principal_step_4 >+-^samba.tests.krb5.ms_kile_client_principal_lookup_tests.samba.tests.krb5.ms_kile_client_principal_lookup_tests.MS_Kile_Client_Principal_Lookup_Tests.test_enterprise_principal_step_5 >+ ^samba.tests.krb5.ms_kile_client_principal_lookup_tests.samba.tests.krb5.ms_kile_client_principal_lookup_tests.MS_Kile_Client_Principal_Lookup_Tests.test_enterprise_principal_step_6_a >+ ^samba.tests.krb5.ms_kile_client_principal_lookup_tests.samba.tests.krb5.ms_kile_client_principal_lookup_tests.MS_Kile_Client_Principal_Lookup_Tests.test_nt_enterprise_principal_step_6_b >+ ^samba.tests.krb5.ms_kile_client_principal_lookup_tests.samba.tests.krb5.ms_kile_client_principal_lookup_tests.MS_Kile_Client_Principal_Lookup_Tests.test_nt_principal_step_4_a >+diff --git selftest/knownfail_mit_kdc selftest/knownfail_mit_kdc >+index 73e64145e42..4d685af7140 100644 >+--- selftest/knownfail_mit_kdc >++++ selftest/knownfail_mit_kdc >+@@ -56,17 +56,53 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_ >+ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_UpperUserName_UPN\( >+ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_UpperUserName_UPN_RemoveDollar\( >+ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise\( >++samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_AsReqSelf\( >+ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_NetbiosRealm\( >++samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_NetbiosRealm_AsReqSelf\( >++samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_NetbiosRealm_RemoveDollar\( >++samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_NetbiosRealm_RemoveDollar_AsReqSelf\( >+ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_NetbiosRealm_UPN\( >++samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_NetbiosRealm_UPN_AsReqSelf\( >++samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_NetbiosRealm_UPN_RemoveDollar\( >++samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_NetbiosRealm_UPN_RemoveDollar_AsReqSelf\( >++samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_RemoveDollar\( >++samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_RemoveDollar_AsReqSelf\( >+ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UPN\( >++samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UPN_AsReqSelf\( >++samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UPN_RemoveDollar\( >++samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UPN_RemoveDollar_AsReqSelf\( >+ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_NetbiosRealm\( >++samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_NetbiosRealm_AsReqSelf\( >++samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_NetbiosRealm_RemoveDollar\( >++samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_NetbiosRealm_RemoveDollar_AsReqSelf\( >+ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_NetbiosRealm_UPN\( >++samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_NetbiosRealm_UPN_AsReqSelf\( >++samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_NetbiosRealm_UPN_RemoveDollar\( >++samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_NetbiosRealm_UPN_RemoveDollar_AsReqSelf\( >+ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_UpperUserName_NetbiosRealm\( >++samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_UpperUserName_NetbiosRealm_AsReqSelf\( >++samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_UpperUserName_NetbiosRealm_RemoveDollar\( >++samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_UpperUserName_NetbiosRealm_RemoveDollar_AsReqSelf\( >+ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_UpperUserName_NetbiosRealm_UPN\( >++samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_UpperUserName_NetbiosRealm_UPN_AsReqSelf\( >++samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_UpperUserName_NetbiosRealm_UPN_RemoveDollar\( >++samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_UpperUserName_NetbiosRealm_UPN_RemoveDollar_AsReqSelf\( >+ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperUserName\( >++samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperUserName_AsReqSelf\( >+ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperUserName_NetbiosRealm\( >++samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperUserName_NetbiosRealm_AsReqSelf\( >++samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperUserName_NetbiosRealm_RemoveDollar\( >++samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperUserName_NetbiosRealm_RemoveDollar_AsReqSelf\( >+ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperUserName_NetbiosRealm_UPN\( >++samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperUserName_NetbiosRealm_UPN_AsReqSelf\( >++samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperUserName_NetbiosRealm_UPN_RemoveDollar\( >++samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperUserName_NetbiosRealm_UPN_RemoveDollar_AsReqSelf\( >++samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperUserName_RemoveDollar\( >++samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperUserName_RemoveDollar_AsReqSelf\( >+ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperUserName_UPN\( >++samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperUserName_UPN_AsReqSelf\( >++samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperUserName_UPN_RemoveDollar\( >++samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperUserName_UPN_RemoveDollar_AsReqSelf\( >+ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_NetbiosRealm\( >+ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_NetbiosRealm_RemoveDollar\( >+ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_NetbiosRealm_UPN\( >+diff --git source4/kdc/db-glue.c source4/kdc/db-glue.c >+index bed0ff773f9..5752ffb821c 100644 >+--- source4/kdc/db-glue.c >++++ source4/kdc/db-glue.c >+@@ -980,19 +980,17 @@ static krb5_error_code samba_kdc_message2entry(krb5_context context, >+ goto out; >+ } >+ >+- if (smb_krb5_principal_get_type(context, principal) != KRB5_NT_ENTERPRISE_PRINCIPAL) { >+- /* While we have copied the client principal, tests >+- * show that Win2k3 returns the 'corrected' realm, not >+- * the client-specified realm. This code attempts to >+- * replace the client principal's realm with the one >+- * we determine from our records */ >+- >+- /* this has to be with malloc() */ >+- ret = smb_krb5_principal_set_realm(context, entry_ex->entry.principal, lpcfg_realm(lp_ctx)); >+- if (ret) { >+- krb5_clear_error_message(context); >+- goto out; >+- } >++ /* While we have copied the client principal, tests >++ * show that Win2k3 returns the 'corrected' realm, not >++ * the client-specified realm. This code attempts to >++ * replace the client principal's realm with the one >++ * we determine from our records */ >++ >++ /* this has to be with malloc() */ >++ ret = smb_krb5_principal_set_realm(context, entry_ex->entry.principal, lpcfg_realm(lp_ctx)); >++ if (ret) { >++ krb5_clear_error_message(context); >++ goto out; >+ } >+ } >+ >+-- >+2.25.1 >+ >+ >+From 787405ef59b70cef011f005a6ed98898c5d43adb Mon Sep 17 00:00:00 2001 >+From: Joseph Sutton <josephsutton@catalyst.net.nz> >+Date: Tue, 14 Dec 2021 19:16:00 +1300 >+Subject: [PATCH 52/99] tests/krb5: Correctly determine whether tickets are >+ service tickets >+ >+Previously we expected tickets to contain a ticket checksum if the sname >+was not the krbtgt. However, the ticket checksum should not be present >+if we are performing an AS-REQ to our own account. Now we determine a >+ticket is a service ticket only if the request is also a TGS-REQ. >+ >+Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> >+Reviewed-by: Andrew Bartlett <abartlet@samba.org> >+(cherry picked from commit 100be7eb8e70ba270a8e92957a5e47466160a901) >+--- >+ python/samba/tests/krb5/compatability_tests.py | 10 ++++++---- >+ python/samba/tests/krb5/kdc_base_test.py | 2 +- >+ python/samba/tests/krb5/raw_testcase.py | 18 ++++++++++-------- >+ python/samba/tests/krb5/rodc_tests.py | 4 ++-- >+ 4 files changed, 19 insertions(+), 15 deletions(-) >+ >+diff --git python/samba/tests/krb5/compatability_tests.py python/samba/tests/krb5/compatability_tests.py >+index ed2dc565b6d..65e9e3788d5 100755 >+--- python/samba/tests/krb5/compatability_tests.py >++++ python/samba/tests/krb5/compatability_tests.py >+@@ -132,13 +132,14 @@ class SimpleKerberosTests(KDCBaseTest): >+ tgt = self.get_tgt(user_creds) >+ >+ # Ensure the PAC contains the expected checksums. >+- self.verify_ticket(tgt, key) >++ self.verify_ticket(tgt, key, service_ticket=False) >+ >+ # Get a service ticket from the DC. >+ service_ticket = self.get_service_ticket(tgt, target_creds) >+ >+ # Ensure the PAC contains the expected checksums. >+- self.verify_ticket(service_ticket, key, expect_ticket_checksum=True) >++ self.verify_ticket(service_ticket, key, service_ticket=True, >++ expect_ticket_checksum=True) >+ >+ def test_mit_ticket_signature(self): >+ # Ensure that a DC does not issue tickets signed with its krbtgt key. >+@@ -152,13 +153,14 @@ class SimpleKerberosTests(KDCBaseTest): >+ tgt = self.get_tgt(user_creds) >+ >+ # Ensure the PAC contains the expected checksums. >+- self.verify_ticket(tgt, key) >++ self.verify_ticket(tgt, key, service_ticket=False) >+ >+ # Get a service ticket from the DC. >+ service_ticket = self.get_service_ticket(tgt, target_creds) >+ >+ # Ensure the PAC does not contain the expected checksums. >+- self.verify_ticket(service_ticket, key, expect_ticket_checksum=False) >++ self.verify_ticket(service_ticket, key, service_ticket=True, >++ expect_ticket_checksum=False) >+ >+ def as_pre_auth_req(self, creds, etypes): >+ user = creds.get_username() >+diff --git python/samba/tests/krb5/kdc_base_test.py python/samba/tests/krb5/kdc_base_test.py >+index 6e96b982167..9506048ee2a 100644 >+--- python/samba/tests/krb5/kdc_base_test.py >++++ python/samba/tests/krb5/kdc_base_test.py >+@@ -1395,7 +1395,7 @@ class KDCBaseTest(RawKerberosTest): >+ krbtgt_creds = self.get_krbtgt_creds() >+ krbtgt_key = self.TicketDecryptionKey_from_creds(krbtgt_creds) >+ self.verify_ticket(service_ticket_creds, krbtgt_key, >+- expect_pac=expect_pac, >++ service_ticket=True, expect_pac=expect_pac, >+ expect_ticket_checksum=self.tkt_sig_support) >+ >+ self.tkt_cache[cache_key] = service_ticket_creds >+diff --git python/samba/tests/krb5/raw_testcase.py python/samba/tests/krb5/raw_testcase.py >+index 14e655313fc..a2241707d44 100644 >+--- python/samba/tests/krb5/raw_testcase.py >++++ python/samba/tests/krb5/raw_testcase.py >+@@ -2587,7 +2587,11 @@ class RawKerberosTest(TestCaseInTempDir): >+ self.assertIsNotNone(ticket_decryption_key) >+ >+ if ticket_decryption_key is not None: >+- self.verify_ticket(ticket_creds, krbtgt_keys, expect_pac=expect_pac, >++ service_ticket = (not self.is_tgs(expected_sname) >++ and rep_msg_type == KRB_TGS_REP) >++ self.verify_ticket(ticket_creds, krbtgt_keys, >++ service_ticket=service_ticket, >++ expect_pac=expect_pac, >+ expect_ticket_checksum=expect_ticket_checksum >+ or self.tkt_sig_support) >+ >+@@ -2624,14 +2628,14 @@ class RawKerberosTest(TestCaseInTempDir): >+ expected_types.append(krb5pac.PAC_TYPE_DEVICE_INFO) >+ expected_types.append(krb5pac.PAC_TYPE_DEVICE_CLAIMS_INFO) >+ >+- if not self.is_tgs(expected_sname): >++ if not self.is_tgs(expected_sname) and rep_msg_type == KRB_TGS_REP: >+ expected_types.append(krb5pac.PAC_TYPE_TICKET_CHECKSUM) >+ >+ require_strict = {krb5pac.PAC_TYPE_CLIENT_CLAIMS_INFO} >+ if not self.tkt_sig_support: >+ require_strict.add(krb5pac.PAC_TYPE_TICKET_CHECKSUM) >+ >+- expect_extra_pac_buffers = rep_msg_type == KRB_AS_REP >++ expect_extra_pac_buffers = self.is_tgs(expected_sname) >+ >+ expect_pac_attrs = kdc_exchange_dict['expect_pac_attrs'] >+ >+@@ -3233,11 +3237,9 @@ class RawKerberosTest(TestCaseInTempDir): >+ ticket_blob) >+ self.assertEqual(expected_checksum, checksum) >+ >+- def verify_ticket(self, ticket, krbtgt_keys, expect_pac=True, >++ def verify_ticket(self, ticket, krbtgt_keys, service_ticket, >++ expect_pac=True, >+ expect_ticket_checksum=True): >+- # Check if the ticket is a TGT. >+- is_tgt = self.is_tgt(ticket) >+- >+ # Decrypt the ticket. >+ >+ key = ticket.decryption_key >+@@ -3336,7 +3338,7 @@ class RawKerberosTest(TestCaseInTempDir): >+ kdc_ctype, >+ kdc_checksum) >+ >+- if is_tgt: >++ if not service_ticket: >+ self.assertNotIn(krb5pac.PAC_TYPE_TICKET_CHECKSUM, checksums) >+ else: >+ ticket_checksum, ticket_ctype = checksums.get( >+diff --git python/samba/tests/krb5/rodc_tests.py python/samba/tests/krb5/rodc_tests.py >+index 0e252d90262..83ee35d650a 100755 >+--- python/samba/tests/krb5/rodc_tests.py >++++ python/samba/tests/krb5/rodc_tests.py >+@@ -58,14 +58,14 @@ class RodcKerberosTests(KDCBaseTest): >+ tgt = self.get_tgt(user_creds, to_rodc=True) >+ >+ # Ensure the PAC contains the expected checksums. >+- self.verify_ticket(tgt, rodc_key) >++ self.verify_ticket(tgt, rodc_key, service_ticket=False) >+ >+ # Get a service ticket from the RODC. >+ service_ticket = self.get_service_ticket(tgt, target_creds, >+ to_rodc=True) >+ >+ # Ensure the PAC contains the expected checksums. >+- self.verify_ticket(service_ticket, rodc_key) >++ self.verify_ticket(service_ticket, rodc_key, service_ticket=True) >+ >+ >+ if __name__ == "__main__": >+-- >+2.25.1 >+ >+ >+From c0977bee5b8c2f72cb5467e95a6ab034f696eee7 Mon Sep 17 00:00:00 2001 >+From: Joseph Sutton <josephsutton@catalyst.net.nz> >+Date: Tue, 8 Feb 2022 12:15:36 +1300 >+Subject: [PATCH 53/99] tests/krb5: Add helper function to modify ticket flags >+ >+Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> >+Reviewed-by: Stefan Metzmacher <metze@samba.org> >+(cherry picked from commit ded5115f73dff5b8b2f3212988e03f9dbe0c2aa3) >+--- >+ python/samba/tests/krb5/kdc_base_test.py | 14 ++++++++++++++ >+ python/samba/tests/krb5/kdc_tgs_tests.py | 18 ++---------------- >+ python/samba/tests/krb5/s4u_tests.py | 17 +++-------------- >+ 3 files changed, 19 insertions(+), 30 deletions(-) >+ >+diff --git python/samba/tests/krb5/kdc_base_test.py python/samba/tests/krb5/kdc_base_test.py >+index 9506048ee2a..58b87eab25b 100644 >+--- python/samba/tests/krb5/kdc_base_test.py >++++ python/samba/tests/krb5/kdc_base_test.py >+@@ -1602,6 +1602,20 @@ class KDCBaseTest(RawKerberosTest): >+ enc_part, asn1Spec=krb5_asn1.EncTicketPart()) >+ return enc_ticket_part >+ >++ def modify_ticket_flag(self, enc_part, flag, value): >++ self.assertIsInstance(value, bool) >++ >++ flag = krb5_asn1.TicketFlags(flag) >++ pos = len(tuple(flag)) - 1 >++ >++ flags = enc_part['flags'] >++ self.assertLessEqual(pos, len(flags)) >++ >++ new_flags = flags[:pos] + str(int(value)) + flags[pos + 1:] >++ enc_part['flags'] = new_flags >++ >++ return enc_part >++ >+ def get_objectSid(self, samdb, dn): >+ ''' Get the objectSID for a DN >+ Note: performs an Ldb query. >+diff --git python/samba/tests/krb5/kdc_tgs_tests.py python/samba/tests/krb5/kdc_tgs_tests.py >+index 2923d53772a..8cd27dec2aa 100755 >+--- python/samba/tests/krb5/kdc_tgs_tests.py >++++ python/samba/tests/krb5/kdc_tgs_tests.py >+@@ -2177,14 +2177,7 @@ class KdcTgsTests(KDCBaseTest): >+ >+ def _modify_renewable(self, enc_part): >+ # Set the renewable flag. >+- renewable_flag = krb5_asn1.TicketFlags('renewable') >+- pos = len(tuple(renewable_flag)) - 1 >+- >+- flags = enc_part['flags'] >+- self.assertLessEqual(pos, len(flags)) >+- >+- new_flags = flags[:pos] + '1' + flags[pos + 1:] >+- enc_part['flags'] = new_flags >++ enc_part = self.modify_ticket_flag(enc_part, 'renewable', value=True) >+ >+ # Set the renew-till time to be in the future. >+ renew_till = self.get_KerberosTime(offset=100 * 60 * 60) >+@@ -2194,14 +2187,7 @@ class KdcTgsTests(KDCBaseTest): >+ >+ def _modify_invalid(self, enc_part): >+ # Set the invalid flag. >+- invalid_flag = krb5_asn1.TicketFlags('invalid') >+- pos = len(tuple(invalid_flag)) - 1 >+- >+- flags = enc_part['flags'] >+- self.assertLessEqual(pos, len(flags)) >+- >+- new_flags = flags[:pos] + '1' + flags[pos + 1:] >+- enc_part['flags'] = new_flags >++ enc_part = self.modify_ticket_flag(enc_part, 'invalid', value=True) >+ >+ # Set the ticket start time to be in the past. >+ past_time = self.get_KerberosTime(offset=-100 * 60 * 60) >+diff --git python/samba/tests/krb5/s4u_tests.py python/samba/tests/krb5/s4u_tests.py >+index 6ec9af11423..49dd89cd764 100755 >+--- python/samba/tests/krb5/s4u_tests.py >++++ python/samba/tests/krb5/s4u_tests.py >+@@ -1336,20 +1336,9 @@ class S4UKerberosTests(KDCBaseTest): >+ modify_pac_fn=modify_pac_fn) >+ >+ def set_ticket_forwardable(self, ticket, flag, update_pac_checksums=True): >+- flag = '1' if flag else '0' >+- >+- def modify_fn(enc_part): >+- # Reset the forwardable flag >+- forwardable_pos = (len(tuple(krb5_asn1.TicketFlags('forwardable'))) >+- - 1) >+- >+- flags = enc_part['flags'] >+- self.assertLessEqual(forwardable_pos, len(flags)) >+- enc_part['flags'] = (flags[:forwardable_pos] + >+- flag + >+- flags[forwardable_pos+1:]) >+- >+- return enc_part >++ modify_fn = functools.partial(self.modify_ticket_flag, >++ flag='forwardable', >++ value=flag) >+ >+ if update_pac_checksums: >+ checksum_keys = self.get_krbtgt_checksum_key() >+-- >+2.25.1 >+ >+ >+From c0395578c50fbc4f1946e2f5a065d94f67212eb0 Mon Sep 17 00:00:00 2001 >+From: Joseph Sutton <josephsutton@catalyst.net.nz> >+Date: Wed, 15 Jun 2022 19:37:39 +1200 >+Subject: [PATCH 55/99] CVE-2022-2031 s4:kdc: Add MIT support for >+ ATTRIBUTES_INFO and REQUESTER_SID PAC buffers >+ >+So that we do not confuse TGTs and kpasswd tickets, it is critical to >+check that the REQUESTER_SID buffer exists in TGTs, and to ensure that >+it is not propagated to service tickets. >+ >+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047 >+ >+Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> >+ >+[jsutton@samba.org Brought in changes to add ATTRIBUTES_INFO and >+ REQUESTER_SID buffers to new PACs, and updated knownfails] >+ >+[jsutton@samba.org Adjusted MIT knownfails] >+--- >+ selftest/knownfail_mit_kdc | 17 ----- >+ source4/kdc/mit-kdb/kdb_samba_policies.c | 5 +- >+ source4/kdc/mit_samba.c | 93 +++++++++++++++++++++++- >+ source4/kdc/mit_samba.h | 1 + >+ 4 files changed, 94 insertions(+), 22 deletions(-) >+ >+diff --git selftest/knownfail_mit_kdc selftest/knownfail_mit_kdc >+index 4d685af7140..108c6055d0c 100644 >+--- selftest/knownfail_mit_kdc >++++ selftest/knownfail_mit_kdc >+@@ -445,7 +445,6 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_ >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_fast_sid_mismatch_nonexisting >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_renew_authdata_no_pac >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_renew_no_pac >+-^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_renew_pac_request_none >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_renew_pac_request_true >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_renew_req >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_renew_rodc_allowed_denied >+@@ -482,7 +481,6 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_ >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_no_pac >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_rename >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_req_invalid >+-^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_req_no_requester_sid >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_rodc_allowed_denied >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_rodc_denied >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_rodc_no_krbtgt_link >+@@ -518,7 +516,6 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_ >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_wrong_srealm >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_validate_authdata_no_pac >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_validate_no_pac >+-^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_validate_pac_request_none >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_validate_pac_request_true >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_validate_req >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_validate_rodc_allowed_denied >+@@ -536,21 +533,17 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_ >+ # >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_pac_attrs_false >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_pac_attrs_missing_renew_false >+-^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_pac_attrs_missing_renew_none >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_pac_attrs_missing_renew_true >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_pac_attrs_missing_rodc_renew_false >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_pac_attrs_missing_rodc_renew_none >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_pac_attrs_missing_rodc_renew_true >+-^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_pac_attrs_none >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_pac_attrs_renew_false >+-^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_pac_attrs_renew_none >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_pac_attrs_renew_true >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_pac_attrs_rodc_renew_false >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_pac_attrs_rodc_renew_none >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_pac_attrs_rodc_renew_true >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_pac_attrs_true >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_pac_attrs_false >+-^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_pac_attrs_none >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_pac_attrs_true >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_req_from_rodc_no_pac_attrs >+ # >+@@ -571,21 +564,11 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_ >+ # >+ # PAC requester SID tests >+ # >+-^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_as_requester_sid >+-^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_logon_info_sid_mismatch_existing >+-^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_logon_info_sid_mismatch_nonexisting >+-^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_requester_sid_mismatch_existing >+-^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_requester_sid_mismatch_nonexisting >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_req_from_rodc_no_requester_sid >+-^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_requester_sid >+-^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_requester_sid_missing_renew >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_requester_sid_missing_rodc_renew >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_requester_sid_missing_rodc_validate >+-^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_requester_sid_missing_validate >+-^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_requester_sid_renew >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_requester_sid_rodc_renew >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_requester_sid_rodc_validate >+-^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_requester_sid_validate >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_rodc_logon_info_only_sid_mismatch_existing >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_rodc_logon_info_only_sid_mismatch_nonexisting >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_rodc_logon_info_sid_mismatch_existing >+diff --git source4/kdc/mit-kdb/kdb_samba_policies.c source4/kdc/mit-kdb/kdb_samba_policies.c >+index 7bc9a7b3347..3b25fff410b 100644 >+--- source4/kdc/mit-kdb/kdb_samba_policies.c >++++ source4/kdc/mit-kdb/kdb_samba_policies.c >+@@ -159,6 +159,7 @@ done: >+ >+ static krb5_error_code ks_get_pac(krb5_context context, >+ krb5_db_entry *client, >++ krb5_db_entry *server, >+ krb5_keyblock *client_key, >+ krb5_pac *pac) >+ { >+@@ -173,6 +174,7 @@ static krb5_error_code ks_get_pac(krb5_context context, >+ code = mit_samba_get_pac(mit_ctx, >+ context, >+ client, >++ server, >+ client_key, >+ pac); >+ if (code != 0) { >+@@ -439,7 +441,7 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context, >+ */ >+ if (with_pac && generate_pac) { >+ DBG_DEBUG("Generate PAC for AS-REQ [%s]\n", client_name); >+- code = ks_get_pac(context, client_entry, client_key, &pac); >++ code = ks_get_pac(context, client_entry, server, client_key, &pac); >+ if (code != 0) { >+ goto done; >+ } >+@@ -490,6 +492,7 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context, >+ >+ code = ks_get_pac(context, >+ client_entry, >++ server, >+ client_key, >+ &pac); >+ if (code != 0 && code != ENOENT) { >+diff --git source4/kdc/mit_samba.c source4/kdc/mit_samba.c >+index c2a604045d9..df2ba0a906f 100644 >+--- source4/kdc/mit_samba.c >++++ source4/kdc/mit_samba.c >+@@ -407,6 +407,7 @@ int mit_samba_get_nextkey(struct mit_samba_context *ctx, >+ int mit_samba_get_pac(struct mit_samba_context *smb_ctx, >+ krb5_context context, >+ krb5_db_entry *client, >++ krb5_db_entry *server, >+ krb5_keyblock *client_key, >+ krb5_pac *pac) >+ { >+@@ -417,9 +418,12 @@ int mit_samba_get_pac(struct mit_samba_context *smb_ctx, >+ DATA_BLOB **cred_ndr_ptr = NULL; >+ DATA_BLOB cred_blob = data_blob_null; >+ DATA_BLOB *pcred_blob = NULL; >++ DATA_BLOB *pac_attrs_blob = NULL; >++ DATA_BLOB *requester_sid_blob = NULL; >+ NTSTATUS nt_status; >+ krb5_error_code code; >+ struct samba_kdc_entry *skdc_entry; >++ bool is_krbtgt; >+ >+ skdc_entry = talloc_get_type_abort(client->e_data, >+ struct samba_kdc_entry); >+@@ -438,12 +442,16 @@ int mit_samba_get_pac(struct mit_samba_context *smb_ctx, >+ } >+ #endif >+ >++ is_krbtgt = ks_is_tgs_principal(smb_ctx, server->princ); >++ >+ nt_status = samba_kdc_get_pac_blobs(tmp_ctx, >+ skdc_entry, >+ &logon_info_blob, >+ cred_ndr_ptr, >+ &upn_dns_info_blob, >+- NULL, NULL, NULL, >++ is_krbtgt ? &pac_attrs_blob : NULL, >++ NULL, >++ is_krbtgt ? &requester_sid_blob : NULL, >+ NULL); >+ if (!NT_STATUS_IS_OK(nt_status)) { >+ talloc_free(tmp_ctx); >+@@ -471,8 +479,8 @@ int mit_samba_get_pac(struct mit_samba_context *smb_ctx, >+ logon_info_blob, >+ pcred_blob, >+ upn_dns_info_blob, >+- NULL, >+- NULL, >++ pac_attrs_blob, >++ requester_sid_blob, >+ NULL, >+ pac); >+ >+@@ -496,6 +504,7 @@ krb5_error_code mit_samba_reget_pac(struct mit_samba_context *ctx, >+ DATA_BLOB *pac_blob = NULL; >+ DATA_BLOB *upn_blob = NULL; >+ DATA_BLOB *deleg_blob = NULL; >++ DATA_BLOB *requester_sid_blob = NULL; >+ struct samba_kdc_entry *client_skdc_entry = NULL; >+ struct samba_kdc_entry *krbtgt_skdc_entry = NULL; >+ struct samba_kdc_entry *server_skdc_entry = NULL; >+@@ -511,8 +520,12 @@ krb5_error_code mit_samba_reget_pac(struct mit_samba_context *ctx, >+ ssize_t upn_dns_info_idx = -1; >+ ssize_t srv_checksum_idx = -1; >+ ssize_t kdc_checksum_idx = -1; >++ ssize_t tkt_checksum_idx = -1; >++ ssize_t attrs_info_idx = -1; >++ ssize_t requester_sid_idx = -1; >+ krb5_pac new_pac = NULL; >+ bool ok; >++ bool is_krbtgt; >+ >+ /* Create a memory context early so code can use talloc_stackframe() */ >+ tmp_ctx = talloc_named(ctx, 0, "mit_samba_reget_pac context"); >+@@ -520,6 +533,8 @@ krb5_error_code mit_samba_reget_pac(struct mit_samba_context *ctx, >+ return ENOMEM; >+ } >+ >++ is_krbtgt = ks_is_tgs_principal(ctx, server->princ); >++ >+ if (client != NULL) { >+ client_skdc_entry = >+ talloc_get_type_abort(client->e_data, >+@@ -578,7 +593,7 @@ krb5_error_code mit_samba_reget_pac(struct mit_samba_context *ctx, >+ NULL, >+ &upn_blob, >+ NULL, NULL, >+- NULL, >++ &requester_sid_blob, >+ NULL); >+ if (!NT_STATUS_IS_OK(nt_status)) { >+ code = EINVAL; >+@@ -737,6 +752,45 @@ krb5_error_code mit_samba_reget_pac(struct mit_samba_context *ctx, >+ } >+ kdc_checksum_idx = i; >+ break; >++ case PAC_TYPE_TICKET_CHECKSUM: >++ if (tkt_checksum_idx != -1) { >++ DBG_WARNING("ticket checksum type[%u] twice " >++ "[%zd] and [%zu]: \n", >++ types[i], >++ tkt_checksum_idx, >++ i); >++ SAFE_FREE(types); >++ code = EINVAL; >++ goto done; >++ } >++ tkt_checksum_idx = i; >++ break; >++ case PAC_TYPE_ATTRIBUTES_INFO: >++ if (attrs_info_idx != -1) { >++ DBG_WARNING("attributes info type[%u] twice " >++ "[%zd] and [%zu]: \n", >++ types[i], >++ attrs_info_idx, >++ i); >++ SAFE_FREE(types); >++ code = EINVAL; >++ goto done; >++ } >++ attrs_info_idx = i; >++ break; >++ case PAC_TYPE_REQUESTER_SID: >++ if (requester_sid_idx != -1) { >++ DBG_WARNING("requester sid type[%u] twice" >++ "[%zd] and [%zu]: \n", >++ types[i], >++ requester_sid_idx, >++ i); >++ SAFE_FREE(types); >++ code = EINVAL; >++ goto done; >++ } >++ requester_sid_idx = i; >++ break; >+ default: >+ continue; >+ } >+@@ -766,6 +820,13 @@ krb5_error_code mit_samba_reget_pac(struct mit_samba_context *ctx, >+ code = EINVAL; >+ goto done; >+ } >++ if (!(flags & KRB5_KDB_FLAG_CONSTRAINED_DELEGATION) && >++ requester_sid_idx == -1) { >++ DEBUG(1, ("PAC_TYPE_REQUESTER_SID missing\n")); >++ SAFE_FREE(types); >++ code = KRB5KDC_ERR_TGT_REVOKED; >++ goto done; >++ } >+ >+ /* Build an updated PAC */ >+ code = krb5_pac_init(context, &new_pac); >+@@ -831,6 +892,10 @@ krb5_error_code mit_samba_reget_pac(struct mit_samba_context *ctx, >+ } >+ break; >+ case PAC_TYPE_SRV_CHECKSUM: >++ if (requester_sid_idx == -1 && requester_sid_blob != NULL) { >++ /* inject REQUESTER_SID */ >++ forced_next_type = PAC_TYPE_REQUESTER_SID; >++ } >+ /* >+ * This is generated in the main KDC code >+ */ >+@@ -840,6 +905,26 @@ krb5_error_code mit_samba_reget_pac(struct mit_samba_context *ctx, >+ * This is generated in the main KDC code >+ */ >+ continue; >++ case PAC_TYPE_ATTRIBUTES_INFO: >++ if (!is_untrusted && is_krbtgt) { >++ /* just copy... */ >++ break; >++ } >++ >++ continue; >++ case PAC_TYPE_REQUESTER_SID: >++ if (!is_krbtgt) { >++ continue; >++ } >++ >++ /* >++ * Replace in the RODC case, otherwise >++ * requester_sid_blob is NULL and we just copy. >++ */ >++ if (requester_sid_blob != NULL) { >++ type_blob = *requester_sid_blob; >++ } >++ break; >+ default: >+ /* just copy... */ >+ break; >+diff --git source4/kdc/mit_samba.h source4/kdc/mit_samba.h >+index 636c77ec97c..4431e82a1b2 100644 >+--- source4/kdc/mit_samba.h >++++ source4/kdc/mit_samba.h >+@@ -50,6 +50,7 @@ int mit_samba_get_nextkey(struct mit_samba_context *ctx, >+ int mit_samba_get_pac(struct mit_samba_context *smb_ctx, >+ krb5_context context, >+ krb5_db_entry *client, >++ krb5_db_entry *server, >+ krb5_keyblock *client_key, >+ krb5_pac *pac); >+ >+-- >+2.25.1 >+ >+ >+From 6843c44a45044808f90687f85183e7111a465d1f Mon Sep 17 00:00:00 2001 >+From: Joseph Sutton <josephsutton@catalyst.net.nz> >+Date: Thu, 16 Jun 2022 10:33:29 +1200 >+Subject: [PATCH 56/99] heimdal:kdc: Accommodate NULL data parameter in >+ krb5_pac_get_buffer() >+ >+Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> >+--- >+ source4/heimdal/lib/krb5/pac.c | 10 ++++++---- >+ 1 file changed, 6 insertions(+), 4 deletions(-) >+ >+diff --git source4/heimdal/lib/krb5/pac.c source4/heimdal/lib/krb5/pac.c >+index 05bcc523080..100de904662 100644 >+--- source4/heimdal/lib/krb5/pac.c >++++ source4/heimdal/lib/krb5/pac.c >+@@ -394,10 +394,12 @@ krb5_pac_get_buffer(krb5_context context, krb5_pac p, >+ if (p->pac->buffers[i].type != type) >+ continue; >+ >+- ret = krb5_data_copy(data, (unsigned char *)p->data.data + offset, len); >+- if (ret) { >+- krb5_set_error_message(context, ret, N_("malloc: out of memory", "")); >+- return ret; >++ if (data) { >++ ret = krb5_data_copy(data, (unsigned char *)p->data.data + offset, len); >++ if (ret) { >++ krb5_set_error_message(context, ret, N_("malloc: out of memory", "")); >++ return ret; >++ } >+ } >+ return 0; >+ } >+-- >+2.25.1 >+ >+ >+From 1b38a28bcaebdae0128518605a422a194747a60f Mon Sep 17 00:00:00 2001 >+From: Joseph Sutton <josephsutton@catalyst.net.nz> >+Date: Fri, 27 May 2022 19:17:02 +1200 >+Subject: [PATCH 57/99] CVE-2022-2031 s4:kpasswd: Account for missing target >+ principal >+ >+This field is supposed to be optional. >+ >+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047 >+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15049 >+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15074 >+ >+Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> >+Reviewed-by: Andreas Schneider <asn@samba.org> >+--- >+ source4/kdc/kpasswd-service-mit.c | 22 ++++++++++++---------- >+ 1 file changed, 12 insertions(+), 10 deletions(-) >+ >+diff --git source4/kdc/kpasswd-service-mit.c source4/kdc/kpasswd-service-mit.c >+index 2117c1c1696..b53c1a4618a 100644 >+--- source4/kdc/kpasswd-service-mit.c >++++ source4/kdc/kpasswd-service-mit.c >+@@ -143,16 +143,18 @@ static krb5_error_code kpasswd_set_password(struct kdc_server *kdc, >+ return KRB5_KPASSWD_HARDERROR; >+ } >+ >+- target_realm = smb_krb5_principal_get_realm( >+- mem_ctx, context, target_principal); >+- code = krb5_unparse_name_flags(context, >+- target_principal, >+- KRB5_PRINCIPAL_UNPARSE_NO_REALM, >+- &target_name); >+- if (code != 0) { >+- DBG_WARNING("Failed to parse principal\n"); >+- *error_string = "String conversion failed"; >+- return KRB5_KPASSWD_HARDERROR; >++ if (target_principal != NULL) { >++ target_realm = smb_krb5_principal_get_realm( >++ mem_ctx, context, target_principal); >++ code = krb5_unparse_name_flags(context, >++ target_principal, >++ KRB5_PRINCIPAL_UNPARSE_NO_REALM, >++ &target_name); >++ if (code != 0) { >++ DBG_WARNING("Failed to parse principal\n"); >++ *error_string = "String conversion failed"; >++ return KRB5_KPASSWD_HARDERROR; >++ } >+ } >+ >+ if ((target_name != NULL && target_realm == NULL) || >+-- >+2.25.1 >+ >+ >+From f6c5a60336de8fd67a2ef371dd2ee4cf75c53904 Mon Sep 17 00:00:00 2001 >+From: Joseph Sutton <josephsutton@catalyst.net.nz> >+Date: Mon, 30 May 2022 19:17:41 +1200 >+Subject: [PATCH 58/99] CVE-2022-2031 s4:kpasswd: Add MIT fallback for decoding >+ setpw structure >+ >+The target principal and realm fields of the setpw structure are >+supposed to be optional, but in MIT Kerberos they are mandatory. For >+better compatibility and ease of testing, fall back to parsing the >+simpler (containing only the new password) structure if the MIT function >+fails to decode it. >+ >+Although the target principal and realm fields should be optional, one >+is not supposed to specified without the other, so we don't have to deal >+with the case where only one is specified. >+ >+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047 >+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15049 >+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15074 >+ >+Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> >+Reviewed-by: Andreas Schneider <asn@samba.org> >+--- >+ source4/kdc/kpasswd-service-mit.c | 94 ++++++++++++++++++++++++++----- >+ 1 file changed, 79 insertions(+), 15 deletions(-) >+ >+diff --git source4/kdc/kpasswd-service-mit.c source4/kdc/kpasswd-service-mit.c >+index b53c1a4618a..9c4d2801669 100644 >+--- source4/kdc/kpasswd-service-mit.c >++++ source4/kdc/kpasswd-service-mit.c >+@@ -28,6 +28,7 @@ >+ #include "kdc/kpasswd_glue.h" >+ #include "kdc/kpasswd-service.h" >+ #include "kdc/kpasswd-helper.h" >++#include "../lib/util/asn1.h" >+ >+ #define RFC3244_VERSION 0xff80 >+ >+@@ -35,6 +36,52 @@ krb5_error_code decode_krb5_setpw_req(const krb5_data *code, >+ krb5_data **password_out, >+ krb5_principal *target_out); >+ >++/* >++ * A fallback for when MIT refuses to parse a setpw structure without the >++ * (optional) target principal and realm >++ */ >++static bool decode_krb5_setpw_req_simple(TALLOC_CTX *mem_ctx, >++ const DATA_BLOB *decoded_data, >++ DATA_BLOB *clear_data) >++{ >++ struct asn1_data *asn1 = NULL; >++ bool ret; >++ >++ asn1 = asn1_init(mem_ctx, 3); >++ if (asn1 == NULL) { >++ return false; >++ } >++ >++ ret = asn1_load(asn1, *decoded_data); >++ if (!ret) { >++ goto out; >++ } >++ >++ ret = asn1_start_tag(asn1, ASN1_SEQUENCE(0)); >++ if (!ret) { >++ goto out; >++ } >++ ret = asn1_start_tag(asn1, ASN1_CONTEXT(0)); >++ if (!ret) { >++ goto out; >++ } >++ ret = asn1_read_OctetString(asn1, mem_ctx, clear_data); >++ if (!ret) { >++ goto out; >++ } >++ >++ ret = asn1_end_tag(asn1); >++ if (!ret) { >++ goto out; >++ } >++ ret = asn1_end_tag(asn1); >++ >++out: >++ asn1_free(asn1); >++ >++ return ret; >++} >++ >+ static krb5_error_code kpasswd_change_password(struct kdc_server *kdc, >+ TALLOC_CTX *mem_ctx, >+ struct auth_session_info *session_info, >+@@ -93,9 +140,10 @@ static krb5_error_code kpasswd_set_password(struct kdc_server *kdc, >+ const char **error_string) >+ { >+ krb5_context context = kdc->smb_krb5_context->krb5_context; >++ DATA_BLOB clear_data; >+ krb5_data k_dec_data; >+- krb5_data *k_clear_data; >+- krb5_principal target_principal; >++ krb5_data *k_clear_data = NULL; >++ krb5_principal target_principal = NULL; >+ krb5_error_code code; >+ DATA_BLOB password; >+ char *target_realm = NULL; >+@@ -114,29 +162,45 @@ static krb5_error_code kpasswd_set_password(struct kdc_server *kdc, >+ code = decode_krb5_setpw_req(&k_dec_data, >+ &k_clear_data, >+ &target_principal); >+- if (code != 0) { >+- DBG_WARNING("decode_krb5_setpw_req failed: %s\n", >+- error_message(code)); >+- ok = kpasswd_make_error_reply(mem_ctx, >+- KRB5_KPASSWD_MALFORMED, >+- "Failed to decode packet", >+- kpasswd_reply); >++ if (code == 0) { >++ clear_data.data = (uint8_t *)k_clear_data->data; >++ clear_data.length = k_clear_data->length; >++ } else { >++ target_principal = NULL; >++ >++ /* >++ * The MIT decode failed, so fall back to trying the simple >++ * case, without target_principal. >++ */ >++ ok = decode_krb5_setpw_req_simple(mem_ctx, >++ decoded_data, >++ &clear_data); >+ if (!ok) { >+- *error_string = "Failed to create reply"; >+- return KRB5_KPASSWD_HARDERROR; >++ DBG_WARNING("decode_krb5_setpw_req failed: %s\n", >++ error_message(code)); >++ ok = kpasswd_make_error_reply(mem_ctx, >++ KRB5_KPASSWD_MALFORMED, >++ "Failed to decode packet", >++ kpasswd_reply); >++ if (!ok) { >++ *error_string = "Failed to create reply"; >++ return KRB5_KPASSWD_HARDERROR; >++ } >++ return 0; >+ } >+- return 0; >+ } >+ >+ ok = convert_string_talloc_handle(mem_ctx, >+ lpcfg_iconv_handle(kdc->task->lp_ctx), >+ CH_UTF8, >+ CH_UTF16, >+- (const char *)k_clear_data->data, >+- k_clear_data->length, >++ clear_data.data, >++ clear_data.length, >+ (void **)&password.data, >+ &password.length); >+- krb5_free_data(context, k_clear_data); >++ if (k_clear_data != NULL) { >++ krb5_free_data(context, k_clear_data); >++ } >+ if (!ok) { >+ DBG_WARNING("String conversion failed\n"); >+ *error_string = "String conversion failed"; >+-- >+2.25.1 >+ >+ >+From 6305a55870287191ce4268f6af7fe278ca7f2a30 Mon Sep 17 00:00:00 2001 >+From: Joseph Sutton <josephsutton@catalyst.net.nz> >+Date: Thu, 26 May 2022 16:34:01 +1200 >+Subject: [PATCH 59/99] CVE-2022-32744 tests/krb5: Correctly handle specifying >+ account kvno >+ >+The environment variable is a string, but we expect an integer. >+ >+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15074 >+ >+Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> >+Reviewed-by: Andreas Schneider <asn@samba.org> >+--- >+ python/samba/tests/krb5/raw_testcase.py | 2 +- >+ 1 file changed, 1 insertion(+), 1 deletion(-) >+ >+diff --git python/samba/tests/krb5/raw_testcase.py python/samba/tests/krb5/raw_testcase.py >+index a2241707d44..4120edf93b9 100644 >+--- python/samba/tests/krb5/raw_testcase.py >++++ python/samba/tests/krb5/raw_testcase.py >+@@ -724,7 +724,7 @@ class RawKerberosTest(TestCaseInTempDir): >+ fallback_default=False, >+ allow_missing=kvno_allow_missing) >+ if kvno is not None: >+- c.set_kvno(kvno) >++ c.set_kvno(int(kvno)) >+ aes256_key = self.env_get_var('AES256_KEY_HEX', prefix, >+ fallback_default=False, >+ allow_missing=aes256_allow_missing) >+-- >+2.25.1 >+ >+ >+From 8917979641abb03ef858ba72b652178475b6e918 Mon Sep 17 00:00:00 2001 >+From: Joseph Sutton <josephsutton@catalyst.net.nz> >+Date: Thu, 26 May 2022 20:52:04 +1200 >+Subject: [PATCH 60/99] CVE-2022-2031 tests/krb5: Split out _make_tgs_request() >+ >+This allows us to make use of it in other tests. >+ >+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047 >+ >+Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> >+Reviewed-by: Andreas Schneider <asn@samba.org> >+ >+[jsutton@samba.org Fixed conflicts due to having older version of >+ _make_tgs_request()] >+--- >+ python/samba/tests/krb5/kdc_base_test.py | 77 ++++++++++++++++++++++++ >+ python/samba/tests/krb5/kdc_tgs_tests.py | 76 ----------------------- >+ 2 files changed, 77 insertions(+), 76 deletions(-) >+ >+diff --git python/samba/tests/krb5/kdc_base_test.py python/samba/tests/krb5/kdc_base_test.py >+index 58b87eab25b..2117663b26b 100644 >+--- python/samba/tests/krb5/kdc_base_test.py >++++ python/samba/tests/krb5/kdc_base_test.py >+@@ -67,6 +67,7 @@ from samba.tests.krb5.rfc4120_constants import ( >+ AES256_CTS_HMAC_SHA1_96, >+ ARCFOUR_HMAC_MD5, >+ KDC_ERR_PREAUTH_REQUIRED, >++ KDC_ERR_TGT_REVOKED, >+ KRB_AS_REP, >+ KRB_TGS_REP, >+ KRB_ERROR, >+@@ -1538,6 +1539,82 @@ class KDCBaseTest(RawKerberosTest): >+ >+ return ticket_creds >+ >++ def _make_tgs_request(self, client_creds, service_creds, tgt, >++ pac_request=None, expect_pac=True, >++ expect_error=False, >++ expected_account_name=None, >++ expected_upn_name=None, >++ expected_sid=None): >++ client_account = client_creds.get_username() >++ cname = self.PrincipalName_create(name_type=NT_PRINCIPAL, >++ names=[client_account]) >++ >++ service_account = service_creds.get_username() >++ sname = self.PrincipalName_create(name_type=NT_PRINCIPAL, >++ names=[service_account]) >++ >++ realm = service_creds.get_realm() >++ >++ expected_crealm = realm >++ expected_cname = cname >++ expected_srealm = realm >++ expected_sname = sname >++ >++ expected_supported_etypes = service_creds.tgs_supported_enctypes >++ >++ etypes = (AES256_CTS_HMAC_SHA1_96, ARCFOUR_HMAC_MD5) >++ >++ kdc_options = str(krb5_asn1.KDCOptions('canonicalize')) >++ >++ target_decryption_key = self.TicketDecryptionKey_from_creds( >++ service_creds) >++ >++ authenticator_subkey = self.RandomKey(kcrypto.Enctype.AES256) >++ >++ if expect_error: >++ expected_error_mode = KDC_ERR_TGT_REVOKED >++ check_error_fn = self.generic_check_kdc_error >++ check_rep_fn = None >++ else: >++ expected_error_mode = 0 >++ check_error_fn = None >++ check_rep_fn = self.generic_check_kdc_rep >++ >++ kdc_exchange_dict = self.tgs_exchange_dict( >++ expected_crealm=expected_crealm, >++ expected_cname=expected_cname, >++ expected_srealm=expected_srealm, >++ expected_sname=expected_sname, >++ expected_account_name=expected_account_name, >++ expected_upn_name=expected_upn_name, >++ expected_sid=expected_sid, >++ expected_supported_etypes=expected_supported_etypes, >++ ticket_decryption_key=target_decryption_key, >++ check_error_fn=check_error_fn, >++ check_rep_fn=check_rep_fn, >++ check_kdc_private_fn=self.generic_check_kdc_private, >++ expected_error_mode=expected_error_mode, >++ tgt=tgt, >++ authenticator_subkey=authenticator_subkey, >++ kdc_options=kdc_options, >++ pac_request=pac_request, >++ expect_pac=expect_pac, >++ expect_edata=False) >++ >++ rep = self._generic_kdc_exchange(kdc_exchange_dict, >++ cname=cname, >++ realm=realm, >++ sname=sname, >++ etypes=etypes) >++ if expect_error: >++ self.check_error_rep(rep, expected_error_mode) >++ >++ return None >++ else: >++ self.check_reply(rep, KRB_TGS_REP) >++ >++ return kdc_exchange_dict['rep_ticket_creds'] >++ >+ # Named tuple to contain values of interest when the PAC is decoded. >+ PacData = namedtuple( >+ "PacData", >+diff --git python/samba/tests/krb5/kdc_tgs_tests.py python/samba/tests/krb5/kdc_tgs_tests.py >+index 8cd27dec2aa..e52f46152fa 100755 >+--- python/samba/tests/krb5/kdc_tgs_tests.py >++++ python/samba/tests/krb5/kdc_tgs_tests.py >+@@ -230,82 +230,6 @@ class KdcTgsTests(KDCBaseTest): >+ pac_data.account_sid, >+ "rep = {%s},%s" % (rep, pac_data)) >+ >+- def _make_tgs_request(self, client_creds, service_creds, tgt, >+- pac_request=None, expect_pac=True, >+- expect_error=False, >+- expected_account_name=None, >+- expected_upn_name=None, >+- expected_sid=None): >+- client_account = client_creds.get_username() >+- cname = self.PrincipalName_create(name_type=NT_PRINCIPAL, >+- names=[client_account]) >+- >+- service_account = service_creds.get_username() >+- sname = self.PrincipalName_create(name_type=NT_PRINCIPAL, >+- names=[service_account]) >+- >+- realm = service_creds.get_realm() >+- >+- expected_crealm = realm >+- expected_cname = cname >+- expected_srealm = realm >+- expected_sname = sname >+- >+- expected_supported_etypes = service_creds.tgs_supported_enctypes >+- >+- etypes = (AES256_CTS_HMAC_SHA1_96, ARCFOUR_HMAC_MD5) >+- >+- kdc_options = str(krb5_asn1.KDCOptions('canonicalize')) >+- >+- target_decryption_key = self.TicketDecryptionKey_from_creds( >+- service_creds) >+- >+- authenticator_subkey = self.RandomKey(kcrypto.Enctype.AES256) >+- >+- if expect_error: >+- expected_error_mode = KDC_ERR_TGT_REVOKED >+- check_error_fn = self.generic_check_kdc_error >+- check_rep_fn = None >+- else: >+- expected_error_mode = 0 >+- check_error_fn = None >+- check_rep_fn = self.generic_check_kdc_rep >+- >+- kdc_exchange_dict = self.tgs_exchange_dict( >+- expected_crealm=expected_crealm, >+- expected_cname=expected_cname, >+- expected_srealm=expected_srealm, >+- expected_sname=expected_sname, >+- expected_account_name=expected_account_name, >+- expected_upn_name=expected_upn_name, >+- expected_sid=expected_sid, >+- expected_supported_etypes=expected_supported_etypes, >+- ticket_decryption_key=target_decryption_key, >+- check_error_fn=check_error_fn, >+- check_rep_fn=check_rep_fn, >+- check_kdc_private_fn=self.generic_check_kdc_private, >+- expected_error_mode=expected_error_mode, >+- tgt=tgt, >+- authenticator_subkey=authenticator_subkey, >+- kdc_options=kdc_options, >+- pac_request=pac_request, >+- expect_pac=expect_pac, >+- expect_edata=False) >+- >+- rep = self._generic_kdc_exchange(kdc_exchange_dict, >+- cname=cname, >+- realm=realm, >+- sname=sname, >+- etypes=etypes) >+- if expect_error: >+- self.check_error_rep(rep, expected_error_mode) >+- >+- return None >+- else: >+- self.check_reply(rep, KRB_TGS_REP) >+- >+- return kdc_exchange_dict['rep_ticket_creds'] >+- >+ def test_request(self): >+ client_creds = self.get_client_creds() >+ service_creds = self.get_service_creds() >+-- >+2.25.1 >+ >+ >+From 245d9a42329a1bfeb3db8431ef105e7758080e14 Mon Sep 17 00:00:00 2001 >+From: Joseph Sutton <josephsutton@catalyst.net.nz> >+Date: Tue, 24 May 2022 19:06:53 +1200 >+Subject: [PATCH 61/99] CVE-2022-32744 tests/krb5: Correctly calculate salt for >+ pre-existing accounts >+ >+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15074 >+ >+Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> >+Reviewed-by: Andreas Schneider <asn@samba.org> >+--- >+ python/samba/tests/krb5/kdc_base_test.py | 1 + >+ python/samba/tests/krb5/raw_testcase.py | 1 + >+ 2 files changed, 2 insertions(+) >+ >+diff --git python/samba/tests/krb5/kdc_base_test.py python/samba/tests/krb5/kdc_base_test.py >+index 2117663b26b..685a6f71f88 100644 >+--- python/samba/tests/krb5/kdc_base_test.py >++++ python/samba/tests/krb5/kdc_base_test.py >+@@ -1048,6 +1048,7 @@ class KDCBaseTest(RawKerberosTest): >+ >+ kvno = int(res[0]['msDS-KeyVersionNumber'][0]) >+ creds.set_kvno(kvno) >++ creds.set_workstation(username[:-1]) >+ creds.set_dn(dn) >+ >+ keys = self.get_keys(samdb, dn) >+diff --git python/samba/tests/krb5/raw_testcase.py python/samba/tests/krb5/raw_testcase.py >+index 4120edf93b9..a9a98c36cbf 100644 >+--- python/samba/tests/krb5/raw_testcase.py >++++ python/samba/tests/krb5/raw_testcase.py >+@@ -834,6 +834,7 @@ class RawKerberosTest(TestCaseInTempDir): >+ allow_missing_password=allow_missing_password, >+ allow_missing_keys=allow_missing_keys) >+ c.set_gensec_features(c.get_gensec_features() | FEATURE_SEAL) >++ c.set_workstation('') >+ return c >+ >+ def get_rodc_krbtgt_creds(self, >+-- >+2.25.1 >+ >+ >+From f7fad997cc06a14c9ffd101b26e16598f334148b Mon Sep 17 00:00:00 2001 >+From: Joseph Sutton <josephsutton@catalyst.net.nz> >+Date: Tue, 24 May 2022 19:13:54 +1200 >+Subject: [PATCH 62/99] CVE-2022-2031 tests/krb5: Add new definitions for >+ kpasswd >+ >+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047 >+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15049 >+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15074 >+ >+Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> >+Reviewed-by: Andreas Schneider <asn@samba.org> >+--- >+ python/samba/tests/krb5/rfc4120.asn1 | 6 ++++++ >+ python/samba/tests/krb5/rfc4120_constants.py | 13 +++++++++++++ >+ python/samba/tests/krb5/rfc4120_pyasn1.py | 13 ++++++++++++- >+ 3 files changed, 31 insertions(+), 1 deletion(-) >+ >+diff --git python/samba/tests/krb5/rfc4120.asn1 python/samba/tests/krb5/rfc4120.asn1 >+index e0831e1f86f..cac884be985 100644 >+--- python/samba/tests/krb5/rfc4120.asn1 >++++ python/samba/tests/krb5/rfc4120.asn1 >+@@ -567,6 +567,12 @@ PA-FX-FAST-REPLY ::= CHOICE { >+ ... >+ } >+ >++ChangePasswdDataMS ::= SEQUENCE { >++ newpasswd [0] OCTET STRING, >++ targname [1] PrincipalName OPTIONAL, >++ targrealm [2] Realm OPTIONAL >++} >++ >+ -- MS-KILE End >+ -- >+ -- >+diff --git python/samba/tests/krb5/rfc4120_constants.py python/samba/tests/krb5/rfc4120_constants.py >+index a9fdc5735dd..7f0f44500c7 100644 >+--- python/samba/tests/krb5/rfc4120_constants.py >++++ python/samba/tests/krb5/rfc4120_constants.py >+@@ -27,11 +27,13 @@ ARCFOUR_HMAC_MD5 = int( >+ >+ # Message types >+ KRB_ERROR = int(krb5_asn1.MessageTypeValues('krb-error')) >++KRB_AP_REP = int(krb5_asn1.MessageTypeValues('krb-ap-rep')) >+ KRB_AP_REQ = int(krb5_asn1.MessageTypeValues('krb-ap-req')) >+ KRB_AS_REP = int(krb5_asn1.MessageTypeValues('krb-as-rep')) >+ KRB_AS_REQ = int(krb5_asn1.MessageTypeValues('krb-as-req')) >+ KRB_TGS_REP = int(krb5_asn1.MessageTypeValues('krb-tgs-rep')) >+ KRB_TGS_REQ = int(krb5_asn1.MessageTypeValues('krb-tgs-req')) >++KRB_PRIV = int(krb5_asn1.MessageTypeValues('krb-priv')) >+ >+ # PAData types >+ PADATA_ENC_TIMESTAMP = int( >+@@ -76,6 +78,7 @@ KDC_ERR_TGT_REVOKED = 20 >+ KDC_ERR_PREAUTH_FAILED = 24 >+ KDC_ERR_PREAUTH_REQUIRED = 25 >+ KDC_ERR_BAD_INTEGRITY = 31 >++KDC_ERR_TKT_EXPIRED = 32 >+ KRB_ERR_TKT_NYV = 33 >+ KDC_ERR_NOT_US = 35 >+ KDC_ERR_BADMATCH = 36 >+@@ -87,6 +90,16 @@ KDC_ERR_WRONG_REALM = 68 >+ KDC_ERR_CLIENT_NAME_MISMATCH = 75 >+ KDC_ERR_UNKNOWN_CRITICAL_FAST_OPTIONS = 93 >+ >++# Kpasswd error codes >++KPASSWD_SUCCESS = 0 >++KPASSWD_MALFORMED = 1 >++KPASSWD_HARDERROR = 2 >++KPASSWD_AUTHERROR = 3 >++KPASSWD_SOFTERROR = 4 >++KPASSWD_ACCESSDENIED = 5 >++KPASSWD_BAD_VERSION = 6 >++KPASSWD_INITIAL_FLAG_NEEDED = 7 >++ >+ # Extended error types >+ KERB_AP_ERR_TYPE_SKEW_RECOVERY = int( >+ krb5_asn1.KerbErrorDataTypeValues('kERB-AP-ERR-TYPE-SKEW-RECOVERY')) >+diff --git python/samba/tests/krb5/rfc4120_pyasn1.py python/samba/tests/krb5/rfc4120_pyasn1.py >+index 348dd8c63fb..3c02b0efbc1 100644 >+--- python/samba/tests/krb5/rfc4120_pyasn1.py >++++ python/samba/tests/krb5/rfc4120_pyasn1.py >+@@ -1,5 +1,5 @@ >+ # Auto-generated by asn1ate v.0.6.1.dev0 from rfc4120.asn1 >+-# (last modified on 2021-06-25 12:10:34.484667) >++# (last modified on 2022-05-13 20:03:06.039817) >+ >+ # KerberosV5Spec2 >+ from pyasn1.type import univ, char, namedtype, namedval, tag, constraint, useful >+@@ -364,6 +364,17 @@ Authenticator.componentType = namedtype.NamedTypes( >+ ) >+ >+ >++class ChangePasswdDataMS(univ.Sequence): >++ pass >++ >++ >++ChangePasswdDataMS.componentType = namedtype.NamedTypes( >++ namedtype.NamedType('newpasswd', univ.OctetString().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0))), >++ namedtype.OptionalNamedType('targname', PrincipalName().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatConstructed, 1))), >++ namedtype.OptionalNamedType('targrealm', Realm().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 2))) >++) >++ >++ >+ class ChecksumTypeValues(univ.Integer): >+ pass >+ >+-- >+2.25.1 >+ >+ >+From 695c662bdc286d7a4699025f00656f8339ceecd8 Mon Sep 17 00:00:00 2001 >+From: Joseph Sutton <josephsutton@catalyst.net.nz> >+Date: Tue, 24 May 2022 19:17:45 +1200 >+Subject: [PATCH 63/99] CVE-2022-2031 tests/krb5: Add methods to create ASN1 >+ kpasswd structures >+ >+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047 >+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15049 >+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15074 >+ >+Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> >+Reviewed-by: Andreas Schneider <asn@samba.org> >+--- >+ python/samba/tests/krb5/raw_testcase.py | 95 +++++++++++++++++++++++++ >+ 1 file changed, 95 insertions(+) >+ >+diff --git python/samba/tests/krb5/raw_testcase.py python/samba/tests/krb5/raw_testcase.py >+index a9a98c36cbf..df41dff688d 100644 >+--- python/samba/tests/krb5/raw_testcase.py >++++ python/samba/tests/krb5/raw_testcase.py >+@@ -54,6 +54,7 @@ from samba.tests.krb5.rfc4120_constants import ( >+ KRB_AS_REP, >+ KRB_AS_REQ, >+ KRB_ERROR, >++ KRB_PRIV, >+ KRB_TGS_REP, >+ KRB_TGS_REQ, >+ KU_AP_REQ_AUTH, >+@@ -63,6 +64,7 @@ from samba.tests.krb5.rfc4120_constants import ( >+ KU_FAST_FINISHED, >+ KU_FAST_REP, >+ KU_FAST_REQ_CHKSUM, >++ KU_KRB_PRIV, >+ KU_NON_KERB_CKSUM_SALT, >+ KU_TGS_REP_ENC_PART_SESSION, >+ KU_TGS_REP_ENC_PART_SUB_KEY, >+@@ -1780,6 +1782,99 @@ class RawKerberosTest(TestCaseInTempDir): >+ PA_S4U2Self_obj, asn1Spec=krb5_asn1.PA_S4U2Self()) >+ return self.PA_DATA_create(PADATA_FOR_USER, pa_s4u2self) >+ >++ def ChangePasswdDataMS_create(self, >++ new_password, >++ target_princ=None, >++ target_realm=None): >++ ChangePasswdDataMS_obj = { >++ 'newpasswd': new_password, >++ } >++ if target_princ is not None: >++ ChangePasswdDataMS_obj['targname'] = target_princ >++ if target_realm is not None: >++ ChangePasswdDataMS_obj['targrealm'] = target_realm >++ >++ change_password_data = self.der_encode( >++ ChangePasswdDataMS_obj, asn1Spec=krb5_asn1.ChangePasswdDataMS()) >++ >++ return change_password_data >++ >++ def KRB_PRIV_create(self, >++ subkey, >++ user_data, >++ s_address, >++ timestamp=None, >++ usec=None, >++ seq_number=None, >++ r_address=None): >++ EncKrbPrivPart_obj = { >++ 'user-data': user_data, >++ 's-address': s_address, >++ } >++ if timestamp is not None: >++ EncKrbPrivPart_obj['timestamp'] = timestamp >++ if usec is not None: >++ EncKrbPrivPart_obj['usec'] = usec >++ if seq_number is not None: >++ EncKrbPrivPart_obj['seq-number'] = seq_number >++ if r_address is not None: >++ EncKrbPrivPart_obj['r-address'] = r_address >++ >++ enc_krb_priv_part = self.der_encode( >++ EncKrbPrivPart_obj, asn1Spec=krb5_asn1.EncKrbPrivPart()) >++ >++ enc_data = self.EncryptedData_create(subkey, >++ KU_KRB_PRIV, >++ enc_krb_priv_part) >++ >++ KRB_PRIV_obj = { >++ 'pvno': 5, >++ 'msg-type': KRB_PRIV, >++ 'enc-part': enc_data, >++ } >++ >++ krb_priv = self.der_encode( >++ KRB_PRIV_obj, asn1Spec=krb5_asn1.KRB_PRIV()) >++ >++ return krb_priv >++ >++ def kpasswd_create(self, >++ subkey, >++ user_data, >++ version, >++ seq_number, >++ ap_req, >++ local_address, >++ remote_address): >++ self.assertIsNotNone(self.s, 'call self.connect() first') >++ >++ timestamp, usec = self.get_KerberosTimeWithUsec() >++ >++ krb_priv = self.KRB_PRIV_create(subkey, >++ user_data, >++ s_address=local_address, >++ timestamp=timestamp, >++ usec=usec, >++ seq_number=seq_number, >++ r_address=remote_address) >++ >++ size = 6 + len(ap_req) + len(krb_priv) >++ self.assertLess(size, 0x10000) >++ >++ msg = bytearray() >++ msg.append(size >> 8) >++ msg.append(size & 0xff) >++ msg.append(version >> 8) >++ msg.append(version & 0xff) >++ msg.append(len(ap_req) >> 8) >++ msg.append(len(ap_req) & 0xff) >++ # Note: for sets, there could be a little-endian four-byte length here. >++ >++ msg.extend(ap_req) >++ msg.extend(krb_priv) >++ >++ return msg >++ >+ def _generic_kdc_exchange(self, >+ kdc_exchange_dict, # required >+ cname=None, # optional >+-- >+2.25.1 >+ >+ >+From ae7dd875cd4362ed4346716db493164c421b889f Mon Sep 17 00:00:00 2001 >+From: Joseph Sutton <josephsutton@catalyst.net.nz> >+Date: Tue, 24 May 2022 19:21:37 +1200 >+Subject: [PATCH 64/99] CVE-2022-2031 tests/krb5: Add 'port' parameter to >+ connect() >+ >+This allows us to use the kpasswd port, 464. >+ >+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047 >+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15049 >+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15074 >+ >+Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> >+Reviewed-by: Andreas Schneider <asn@samba.org> >+--- >+ python/samba/tests/krb5/raw_testcase.py | 11 ++++++----- >+ 1 file changed, 6 insertions(+), 5 deletions(-) >+ >+diff --git python/samba/tests/krb5/raw_testcase.py python/samba/tests/krb5/raw_testcase.py >+index df41dff688d..421143781ae 100644 >+--- python/samba/tests/krb5/raw_testcase.py >++++ python/samba/tests/krb5/raw_testcase.py >+@@ -638,10 +638,11 @@ class RawKerberosTest(TestCaseInTempDir): >+ if self.do_hexdump: >+ sys.stderr.write("disconnect[%s]\n" % reason) >+ >+- def _connect_tcp(self, host): >+- tcp_port = 88 >++ def _connect_tcp(self, host, port=None): >++ if port is None: >++ port = 88 >+ try: >+- self.a = socket.getaddrinfo(host, tcp_port, socket.AF_UNSPEC, >++ self.a = socket.getaddrinfo(host, port, socket.AF_UNSPEC, >+ socket.SOCK_STREAM, socket.SOL_TCP, >+ 0) >+ self.s = socket.socket(self.a[0][0], self.a[0][1], self.a[0][2]) >+@@ -654,9 +655,9 @@ class RawKerberosTest(TestCaseInTempDir): >+ self.s.close() >+ raise >+ >+- def connect(self, host): >++ def connect(self, host, port=None): >+ self.assertNotConnected() >+- self._connect_tcp(host) >++ self._connect_tcp(host, port) >+ if self.do_hexdump: >+ sys.stderr.write("connected[%s]\n" % host) >+ >+-- >+2.25.1 >+ >+ >+From 13fe7e013eccca2c86258084f4443ddb7abaf089 Mon Sep 17 00:00:00 2001 >+From: Joseph Sutton <josephsutton@catalyst.net.nz> >+Date: Tue, 24 May 2022 19:20:28 +1200 >+Subject: [PATCH 65/99] CVE-2022-2031 tests/krb5: Add methods to send and >+ receive generic messages >+ >+This allows us to send and receive kpasswd messages, while avoiding the >+existing logic for encoding and decoding other Kerberos message types. >+ >+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047 >+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15049 >+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15074 >+ >+Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> >+Reviewed-by: Andreas Schneider <asn@samba.org> >+--- >+ python/samba/tests/krb5/raw_testcase.py | 44 +++++++++++++++---------- >+ 1 file changed, 27 insertions(+), 17 deletions(-) >+ >+diff --git python/samba/tests/krb5/raw_testcase.py python/samba/tests/krb5/raw_testcase.py >+index 421143781ae..2aed5530455 100644 >+--- python/samba/tests/krb5/raw_testcase.py >++++ python/samba/tests/krb5/raw_testcase.py >+@@ -920,24 +920,28 @@ class RawKerberosTest(TestCaseInTempDir): >+ return blob >+ >+ def send_pdu(self, req, asn1_print=None, hexdump=None): >++ k5_pdu = self.der_encode( >++ req, native_decode=False, asn1_print=asn1_print, hexdump=False) >++ self.send_msg(k5_pdu, hexdump=hexdump) >++ >++ def send_msg(self, msg, hexdump=None): >++ header = struct.pack('>I', len(msg)) >++ req_pdu = header >++ req_pdu += msg >++ self.hex_dump("send_msg", header, hexdump=hexdump) >++ self.hex_dump("send_msg", msg, hexdump=hexdump) >++ >+ try: >+- k5_pdu = self.der_encode( >+- req, native_decode=False, asn1_print=asn1_print, hexdump=False) >+- header = struct.pack('>I', len(k5_pdu)) >+- req_pdu = header >+- req_pdu += k5_pdu >+- self.hex_dump("send_pdu", header, hexdump=hexdump) >+- self.hex_dump("send_pdu", k5_pdu, hexdump=hexdump) >+ while True: >+ sent = self.s.send(req_pdu, 0) >+ if sent == len(req_pdu): >+- break >++ return >+ req_pdu = req_pdu[sent:] >+ except socket.error as e: >+- self._disconnect("send_pdu: %s" % e) >++ self._disconnect("send_msg: %s" % e) >+ raise >+ except IOError as e: >+- self._disconnect("send_pdu: %s" % e) >++ self._disconnect("send_msg: %s" % e) >+ raise >+ >+ def recv_raw(self, num_recv=0xffff, hexdump=None, timeout=None): >+@@ -963,16 +967,14 @@ class RawKerberosTest(TestCaseInTempDir): >+ return rep_pdu >+ >+ def recv_pdu_raw(self, asn1_print=None, hexdump=None, timeout=None): >+- rep_pdu = None >+- rep = None >+ raw_pdu = self.recv_raw( >+ num_recv=4, hexdump=hexdump, timeout=timeout) >+ if raw_pdu is None: >+- return (None, None) >++ return None >+ header = struct.unpack(">I", raw_pdu[0:4]) >+ k5_len = header[0] >+ if k5_len == 0: >+- return (None, "") >++ return "" >+ missing = k5_len >+ rep_pdu = b'' >+ while missing > 0: >+@@ -981,6 +983,14 @@ class RawKerberosTest(TestCaseInTempDir): >+ self.assertGreaterEqual(len(raw_pdu), 1) >+ rep_pdu += raw_pdu >+ missing = k5_len - len(rep_pdu) >++ return rep_pdu >++ >++ def recv_reply(self, asn1_print=None, hexdump=None, timeout=None): >++ rep_pdu = self.recv_pdu_raw(asn1_print=asn1_print, >++ hexdump=hexdump, >++ timeout=timeout) >++ if not rep_pdu: >++ return None, rep_pdu >+ k5_raw = self.der_decode( >+ rep_pdu, >+ asn1Spec=None, >+@@ -1002,9 +1012,9 @@ class RawKerberosTest(TestCaseInTempDir): >+ return (rep, rep_pdu) >+ >+ def recv_pdu(self, asn1_print=None, hexdump=None, timeout=None): >+- (rep, rep_pdu) = self.recv_pdu_raw(asn1_print=asn1_print, >+- hexdump=hexdump, >+- timeout=timeout) >++ (rep, rep_pdu) = self.recv_reply(asn1_print=asn1_print, >++ hexdump=hexdump, >++ timeout=timeout) >+ return rep >+ >+ def assertIsConnected(self): >+-- >+2.25.1 >+ >+ >+From ca582250fcaf2ad3c585f7e31a1a4ce568b7ddb7 Mon Sep 17 00:00:00 2001 >+From: Joseph Sutton <josephsutton@catalyst.net.nz> >+Date: Tue, 24 May 2022 19:26:56 +1200 >+Subject: [PATCH 66/99] tests/krb5: Fix enum typo >+ >+Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> >+Reviewed-by: Andreas Schneider <asn@samba.org> >+--- >+ python/samba/tests/krb5/kdc_base_test.py | 4 ++-- >+ 1 file changed, 2 insertions(+), 2 deletions(-) >+ >+diff --git python/samba/tests/krb5/kdc_base_test.py python/samba/tests/krb5/kdc_base_test.py >+index 685a6f71f88..14f1d1a243d 100644 >+--- python/samba/tests/krb5/kdc_base_test.py >++++ python/samba/tests/krb5/kdc_base_test.py >+@@ -248,9 +248,9 @@ class KDCBaseTest(RawKerberosTest): >+ which is used by tearDownClass to clean up the created accounts. >+ ''' >+ if ou is None: >+- if account_type is account_type.COMPUTER: >++ if account_type is self.AccountType.COMPUTER: >+ guid = DS_GUID_COMPUTERS_CONTAINER >+- elif account_type is account_type.SERVER: >++ elif account_type is self.AccountType.SERVER: >+ guid = DS_GUID_DOMAIN_CONTROLLERS_CONTAINER >+ else: >+ guid = DS_GUID_USERS_CONTAINER >+-- >+2.25.1 >+ >+ >+From 5b030b176b853938b1895ec255e838147d8e7fa9 Mon Sep 17 00:00:00 2001 >+From: Joseph Sutton <josephsutton@catalyst.net.nz> >+Date: Tue, 24 May 2022 19:30:12 +1200 >+Subject: [PATCH 67/99] tests/krb5: Add option for creating accounts with >+ expired passwords >+ >+Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> >+Reviewed-by: Andreas Schneider <asn@samba.org> >+--- >+ python/samba/tests/krb5/kdc_base_test.py | 10 ++++++++-- >+ 1 file changed, 8 insertions(+), 2 deletions(-) >+ >+diff --git python/samba/tests/krb5/kdc_base_test.py python/samba/tests/krb5/kdc_base_test.py >+index 14f1d1a243d..777b3b4aaf1 100644 >+--- python/samba/tests/krb5/kdc_base_test.py >++++ python/samba/tests/krb5/kdc_base_test.py >+@@ -242,7 +242,8 @@ class KDCBaseTest(RawKerberosTest): >+ >+ def create_account(self, samdb, name, account_type=AccountType.USER, >+ spn=None, upn=None, additional_details=None, >+- ou=None, account_control=0, add_dollar=True): >++ ou=None, account_control=0, add_dollar=True, >++ expired_password=False): >+ '''Create an account for testing. >+ The dn of the created account is added to self.accounts, >+ which is used by tearDownClass to clean up the created accounts. >+@@ -294,6 +295,8 @@ class KDCBaseTest(RawKerberosTest): >+ details["servicePrincipalName"] = spn >+ if upn is not None: >+ details["userPrincipalName"] = upn >++ if expired_password: >++ details["pwdLastSet"] = "0" >+ if additional_details is not None: >+ details.update(additional_details) >+ samdb.add(details) >+@@ -653,6 +656,7 @@ class KDCBaseTest(RawKerberosTest): >+ 'revealed_to_rodc': False, >+ 'revealed_to_mock_rodc': False, >+ 'no_auth_data_required': False, >++ 'expired_password': False, >+ 'supported_enctypes': None, >+ 'not_delegated': False, >+ 'delegation_to_spn': None, >+@@ -695,6 +699,7 @@ class KDCBaseTest(RawKerberosTest): >+ revealed_to_rodc, >+ revealed_to_mock_rodc, >+ no_auth_data_required, >++ expired_password, >+ supported_enctypes, >+ not_delegated, >+ delegation_to_spn, >+@@ -754,7 +759,8 @@ class KDCBaseTest(RawKerberosTest): >+ spn=spn, >+ additional_details=details, >+ account_control=user_account_control, >+- add_dollar=add_dollar) >++ add_dollar=add_dollar, >++ expired_password=expired_password) >+ >+ keys = self.get_keys(samdb, dn) >+ self.creds_set_keys(creds, keys) >+-- >+2.25.1 >+ >+ >+From 5c41e20fae268e04aa05e821c7f388ea090727af Mon Sep 17 00:00:00 2001 >+From: Joseph Sutton <josephsutton@catalyst.net.nz> >+Date: Tue, 24 May 2022 19:34:59 +1200 >+Subject: [PATCH 68/99] CVE-2022-2031 tests/krb5: Allow requesting a TGT to a >+ different sname and realm >+ >+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047 >+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15049 >+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15074 >+ >+Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> >+Reviewed-by: Andreas Schneider <asn@samba.org> >+ >+[jsutton@samba.org Fixed conflict due to lacking rc4_support parameter] >+ >+[jsutton@samba.org Fixed conflicts due to lacking client_name_type and >+ expected_cname parameters] >+--- >+ python/samba/tests/krb5/kdc_base_test.py | 19 +++++++++++++------ >+ 1 file changed, 13 insertions(+), 6 deletions(-) >+ >+diff --git python/samba/tests/krb5/kdc_base_test.py python/samba/tests/krb5/kdc_base_test.py >+index 777b3b4aaf1..c0ca881985a 100644 >+--- python/samba/tests/krb5/kdc_base_test.py >++++ python/samba/tests/krb5/kdc_base_test.py >+@@ -1344,10 +1344,12 @@ class KDCBaseTest(RawKerberosTest): >+ expected_flags=None, unexpected_flags=None, >+ pac_request=True, expect_pac=True, fresh=False): >+ user_name = tgt.cname['name-string'][0] >++ ticket_sname = tgt.sname >+ if target_name is None: >+ target_name = target_creds.get_username()[:-1] >+ cache_key = (user_name, target_name, service, to_rodc, kdc_options, >+ pac_request, str(expected_flags), str(unexpected_flags), >++ str(ticket_sname), >+ expect_pac) >+ >+ if not fresh: >+@@ -1414,6 +1416,7 @@ class KDCBaseTest(RawKerberosTest): >+ expected_flags=None, unexpected_flags=None, >+ expected_account_name=None, expected_upn_name=None, >+ expected_sid=None, >++ sname=None, realm=None, >+ pac_request=True, expect_pac=True, >+ expect_pac_attrs=None, expect_pac_attrs_pac_request=None, >+ expect_requester_sid=None, >+@@ -1422,6 +1425,7 @@ class KDCBaseTest(RawKerberosTest): >+ cache_key = (user_name, to_rodc, kdc_options, pac_request, >+ str(expected_flags), str(unexpected_flags), >+ expected_account_name, expected_upn_name, expected_sid, >++ str(sname), str(realm), >+ expect_pac, expect_pac_attrs, >+ expect_pac_attrs_pac_request, expect_requester_sid) >+ >+@@ -1431,15 +1435,21 @@ class KDCBaseTest(RawKerberosTest): >+ if tgt is not None: >+ return tgt >+ >+- realm = creds.get_realm() >++ if realm is None: >++ realm = creds.get_realm() >+ >+ salt = creds.get_salt() >+ >+ etype = (AES256_CTS_HMAC_SHA1_96, ARCFOUR_HMAC_MD5) >+ cname = self.PrincipalName_create(name_type=NT_PRINCIPAL, >+ names=[user_name]) >+- sname = self.PrincipalName_create(name_type=NT_SRV_INST, >+- names=['krbtgt', realm]) >++ if sname is None: >++ sname = self.PrincipalName_create(name_type=NT_SRV_INST, >++ names=['krbtgt', realm]) >++ expected_sname = self.PrincipalName_create( >++ name_type=NT_SRV_INST, names=['krbtgt', realm.upper()]) >++ else: >++ expected_sname = sname >+ >+ till = self.get_KerberosTime(offset=36000) >+ >+@@ -1505,9 +1515,6 @@ class KDCBaseTest(RawKerberosTest): >+ >+ expected_realm = realm.upper() >+ >+- expected_sname = self.PrincipalName_create( >+- name_type=NT_SRV_INST, names=['krbtgt', realm.upper()]) >+- >+ rep, kdc_exchange_dict = self._test_as_exchange( >+ cname=cname, >+ realm=realm, >+-- >+2.25.1 >+ >+ >+From 668825ad56ff70715c626bc3209a6868409e4969 Mon Sep 17 00:00:00 2001 >+From: Joseph Sutton <josephsutton@catalyst.net.nz> >+Date: Tue, 24 May 2022 19:57:57 +1200 >+Subject: [PATCH 69/99] CVE-2022-2031 tests/krb5: Add kpasswd_exchange() method >+ >+Now we can test the kpasswd service from Python. >+ >+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047 >+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15049 >+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15074 >+ >+Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> >+Reviewed-by: Andreas Schneider <asn@samba.org> >+ >+[jsutton@samba.org Fixed conflicts in imports] >+--- >+ python/samba/tests/krb5/raw_testcase.py | 264 ++++++++++++++++++++++-- >+ 1 file changed, 251 insertions(+), 13 deletions(-) >+ >+diff --git python/samba/tests/krb5/raw_testcase.py python/samba/tests/krb5/raw_testcase.py >+index 2aed5530455..57010ae73bd 100644 >+--- python/samba/tests/krb5/raw_testcase.py >++++ python/samba/tests/krb5/raw_testcase.py >+@@ -26,6 +26,8 @@ import binascii >+ import itertools >+ import collections >+ >++from enum import Enum >++ >+ from pyasn1.codec.der.decoder import decode as pyasn1_der_decode >+ from pyasn1.codec.der.encoder import encode as pyasn1_der_encode >+ from pyasn1.codec.native.decoder import decode as pyasn1_native_decode >+@@ -33,6 +35,8 @@ from pyasn1.codec.native.encoder import encode as pyasn1_native_encode >+ >+ from pyasn1.codec.ber.encoder import BitStringEncoder >+ >++from pyasn1.error import PyAsn1Error >++ >+ from samba.credentials import Credentials >+ from samba.dcerpc import krb5pac, security >+ from samba.gensec import FEATURE_SEAL >+@@ -50,6 +54,7 @@ from samba.tests.krb5.rfc4120_constants import ( >+ KDC_ERR_PREAUTH_FAILED, >+ KDC_ERR_UNKNOWN_CRITICAL_FAST_OPTIONS, >+ KERB_ERR_TYPE_EXTENDED, >++ KRB_AP_REP, >+ KRB_AP_REQ, >+ KRB_AS_REP, >+ KRB_AS_REQ, >+@@ -59,6 +64,7 @@ from samba.tests.krb5.rfc4120_constants import ( >+ KRB_TGS_REQ, >+ KU_AP_REQ_AUTH, >+ KU_AS_REP_ENC_PART, >++ KU_AP_REQ_ENC_PART, >+ KU_ENC_CHALLENGE_KDC, >+ KU_FAST_ENC, >+ KU_FAST_FINISHED, >+@@ -73,6 +79,7 @@ from samba.tests.krb5.rfc4120_constants import ( >+ KU_TGS_REQ_AUTH_DAT_SESSION, >+ KU_TGS_REQ_AUTH_DAT_SUBKEY, >+ KU_TICKET, >++ NT_PRINCIPAL, >+ NT_SRV_INST, >+ NT_WELLKNOWN, >+ PADATA_ENCRYPTED_CHALLENGE, >+@@ -515,6 +522,10 @@ class KerberosTicketCreds: >+ class RawKerberosTest(TestCaseInTempDir): >+ """A raw Kerberos Test case.""" >+ >++ class KpasswdMode(Enum): >++ SET = object() >++ CHANGE = object() >++ >+ pac_checksum_types = {krb5pac.PAC_TYPE_SRV_CHECKSUM, >+ krb5pac.PAC_TYPE_KDC_CHECKSUM, >+ krb5pac.PAC_TYPE_TICKET_CHECKSUM} >+@@ -1886,6 +1897,224 @@ class RawKerberosTest(TestCaseInTempDir): >+ >+ return msg >+ >++ def get_enc_part(self, obj, key, usage): >++ self.assertElementEqual(obj, 'pvno', 5) >++ >++ enc_part = obj['enc-part'] >++ self.assertElementEqual(enc_part, 'etype', key.etype) >++ self.assertElementKVNO(enc_part, 'kvno', key.kvno) >++ >++ enc_part = key.decrypt(usage, enc_part['cipher']) >++ >++ return enc_part >++ >++ def kpasswd_exchange(self, >++ ticket, >++ new_password, >++ expected_code, >++ expected_msg, >++ mode, >++ target_princ=None, >++ target_realm=None, >++ ap_options=None, >++ send_seq_number=True): >++ if mode is self.KpasswdMode.SET: >++ version = 0xff80 >++ user_data = self.ChangePasswdDataMS_create(new_password, >++ target_princ, >++ target_realm) >++ elif mode is self.KpasswdMode.CHANGE: >++ self.assertIsNone(target_princ, >++ 'target_princ only valid for pw set') >++ self.assertIsNone(target_realm, >++ 'target_realm only valid for pw set') >++ >++ version = 1 >++ user_data = new_password.encode('utf-8') >++ else: >++ self.fail(f'invalid mode {mode}') >++ >++ subkey = self.RandomKey(kcrypto.Enctype.AES256) >++ >++ if ap_options is None: >++ ap_options = '0' >++ ap_options = str(krb5_asn1.APOptions(ap_options)) >++ >++ kdc_exchange_dict = { >++ 'tgt': ticket, >++ 'authenticator_subkey': subkey, >++ 'auth_data': None, >++ 'ap_options': ap_options, >++ } >++ >++ if send_seq_number: >++ seq_number = random.randint(0, 0xfffffffe) >++ else: >++ seq_number = None >++ >++ ap_req = self.generate_ap_req(kdc_exchange_dict, >++ None, >++ req_body=None, >++ armor=False, >++ usage=KU_AP_REQ_AUTH, >++ seq_number=seq_number) >++ >++ self.connect(self.host, port=464) >++ self.assertIsNotNone(self.s) >++ >++ family = self.s.family >++ >++ if family == socket.AF_INET: >++ addr_type = 2 # IPv4 >++ elif family == socket.AF_INET6: >++ addr_type = 24 # IPv6 >++ else: >++ self.fail(f'unknown family {family}') >++ >++ def create_address(ip): >++ return { >++ 'addr-type': addr_type, >++ 'address': socket.inet_pton(family, ip), >++ } >++ >++ local_ip = self.s.getsockname()[0] >++ local_address = create_address(local_ip) >++ >++ # remote_ip = self.s.getpeername()[0] >++ # remote_address = create_address(remote_ip) >++ >++ # TODO: due to a bug (?), MIT Kerberos will not accept the request >++ # unless r-address is set to our _local_ address. Heimdal, on the other >++ # hand, requires the r-address is set to the remote address (as >++ # expected). To avoid problems, avoid sending r-address for now. >++ remote_address = None >++ >++ msg = self.kpasswd_create(subkey, >++ user_data, >++ version, >++ seq_number, >++ ap_req, >++ local_address, >++ remote_address) >++ >++ self.send_msg(msg) >++ rep_pdu = self.recv_pdu_raw() >++ >++ self._disconnect('transaction done') >++ >++ self.assertIsNotNone(rep_pdu) >++ >++ header = rep_pdu[:6] >++ reply = rep_pdu[6:] >++ >++ reply_len = (header[0] << 8) | header[1] >++ reply_version = (header[2] << 8) | header[3] >++ ap_rep_len = (header[4] << 8) | header[5] >++ >++ self.assertEqual(reply_len, len(rep_pdu)) >++ self.assertEqual(1, reply_version) # KRB5_KPASSWD_VERS_CHANGEPW >++ self.assertLess(ap_rep_len, reply_len) >++ >++ self.assertNotEqual(0x7e, rep_pdu[1]) >++ self.assertNotEqual(0x5e, rep_pdu[1]) >++ >++ if ap_rep_len: >++ # We received an AP-REQ and KRB-PRIV as a response. This may or may >++ # not indicate an error, depending on the status code. >++ ap_rep = reply[:ap_rep_len] >++ krb_priv = reply[ap_rep_len:] >++ >++ key = ticket.session_key >++ >++ ap_rep = self.der_decode(ap_rep, asn1Spec=krb5_asn1.AP_REP()) >++ self.assertElementEqual(ap_rep, 'msg-type', KRB_AP_REP) >++ enc_part = self.get_enc_part(ap_rep, key, KU_AP_REQ_ENC_PART) >++ enc_part = self.der_decode( >++ enc_part, asn1Spec=krb5_asn1.EncAPRepPart()) >++ >++ self.assertElementPresent(enc_part, 'ctime') >++ self.assertElementPresent(enc_part, 'cusec') >++ # self.assertElementMissing(enc_part, 'subkey') # TODO >++ # self.assertElementPresent(enc_part, 'seq-number') # TODO >++ >++ try: >++ krb_priv = self.der_decode(krb_priv, asn1Spec=krb5_asn1.KRB_PRIV()) >++ except PyAsn1Error: >++ self.fail() >++ >++ self.assertElementEqual(krb_priv, 'msg-type', KRB_PRIV) >++ priv_enc_part = self.get_enc_part(krb_priv, subkey, KU_KRB_PRIV) >++ priv_enc_part = self.der_decode( >++ priv_enc_part, asn1Spec=krb5_asn1.EncKrbPrivPart()) >++ >++ self.assertElementMissing(priv_enc_part, 'timestamp') >++ self.assertElementMissing(priv_enc_part, 'usec') >++ # self.assertElementPresent(priv_enc_part, 'seq-number') # TODO >++ # self.assertElementEqual(priv_enc_part, 's-address', remote_address) # TODO >++ # self.assertElementMissing(priv_enc_part, 'r-address') # TODO >++ >++ result_data = priv_enc_part['user-data'] >++ else: >++ # We received a KRB-ERROR as a response, indicating an error. >++ krb_error = self.der_decode(reply, asn1Spec=krb5_asn1.KRB_ERROR()) >++ >++ sname = self.PrincipalName_create( >++ name_type=NT_PRINCIPAL, >++ names=['kadmin', 'changepw']) >++ realm = self.get_krbtgt_creds().get_realm().upper() >++ >++ self.assertElementEqual(krb_error, 'pvno', 5) >++ self.assertElementEqual(krb_error, 'msg-type', KRB_ERROR) >++ self.assertElementMissing(krb_error, 'ctime') >++ self.assertElementMissing(krb_error, 'usec') >++ self.assertElementPresent(krb_error, 'stime') >++ self.assertElementPresent(krb_error, 'susec') >++ >++ error_code = krb_error['error-code'] >++ if isinstance(expected_code, int): >++ self.assertEqual(error_code, expected_code) >++ else: >++ self.assertIn(error_code, expected_code) >++ >++ self.assertElementMissing(krb_error, 'crealm') >++ self.assertElementMissing(krb_error, 'cname') >++ self.assertElementEqual(krb_error, 'realm', realm.encode('utf-8')) >++ self.assertElementEqualPrincipal(krb_error, 'sname', sname) >++ self.assertElementMissing(krb_error, 'e-text') >++ >++ result_data = krb_error['e-data'] >++ >++ status = result_data[:2] >++ message = result_data[2:] >++ >++ status_code = (status[0] << 8) | status[1] >++ if isinstance(expected_code, int): >++ self.assertEqual(status_code, expected_code) >++ else: >++ self.assertIn(status_code, expected_code) >++ >++ if not message: >++ self.assertEqual(0, status_code, >++ 'got an error result, but no message') >++ return >++ >++ # Check the first character of the message. >++ if message[0]: >++ if isinstance(expected_msg, bytes): >++ self.assertEqual(message, expected_msg) >++ else: >++ self.assertIn(message, expected_msg) >++ else: >++ # We got AD password policy information. >++ self.assertEqual(30, len(message)) >++ >++ (empty_bytes, >++ min_length, >++ history_length, >++ properties, >++ expire_time, >++ min_age) = struct.unpack('>HIIIQQ', message) >++ >+ def _generic_kdc_exchange(self, >+ kdc_exchange_dict, # required >+ cname=None, # optional >+@@ -1996,7 +2225,7 @@ class RawKerberosTest(TestCaseInTempDir): >+ self.assertIsNotNone(generate_fast_fn) >+ fast_ap_req = generate_fast_armor_fn(kdc_exchange_dict, >+ callback_dict, >+- req_body, >++ None, >+ armor=True) >+ >+ fast_armor_type = kdc_exchange_dict['fast_armor_type'] >+@@ -3211,31 +3440,39 @@ class RawKerberosTest(TestCaseInTempDir): >+ kdc_exchange_dict, >+ _callback_dict, >+ req_body, >+- armor): >++ armor, >++ usage=None, >++ seq_number=None): >++ req_body_checksum = None >++ >+ if armor: >++ self.assertIsNone(req_body) >++ >+ tgt = kdc_exchange_dict['armor_tgt'] >+ authenticator_subkey = kdc_exchange_dict['armor_subkey'] >+- >+- req_body_checksum = None >+ else: >+ tgt = kdc_exchange_dict['tgt'] >+ authenticator_subkey = kdc_exchange_dict['authenticator_subkey'] >+- body_checksum_type = kdc_exchange_dict['body_checksum_type'] >+ >+- req_body_blob = self.der_encode(req_body, >+- asn1Spec=krb5_asn1.KDC_REQ_BODY()) >++ if req_body is not None: >++ body_checksum_type = kdc_exchange_dict['body_checksum_type'] >++ >++ req_body_blob = self.der_encode( >++ req_body, asn1Spec=krb5_asn1.KDC_REQ_BODY()) >+ >+- req_body_checksum = self.Checksum_create(tgt.session_key, >+- KU_TGS_REQ_AUTH_CKSUM, >+- req_body_blob, >+- ctype=body_checksum_type) >++ req_body_checksum = self.Checksum_create( >++ tgt.session_key, >++ KU_TGS_REQ_AUTH_CKSUM, >++ req_body_blob, >++ ctype=body_checksum_type) >+ >+ auth_data = kdc_exchange_dict['auth_data'] >+ >+ subkey_obj = None >+ if authenticator_subkey is not None: >+ subkey_obj = authenticator_subkey.export_obj() >+- seq_number = random.randint(0, 0xfffffffe) >++ if seq_number is None: >++ seq_number = random.randint(0, 0xfffffffe) >+ (ctime, cusec) = self.get_KerberosTimeWithUsec() >+ authenticator_obj = self.Authenticator_create( >+ crealm=tgt.crealm, >+@@ -3250,7 +3487,8 @@ class RawKerberosTest(TestCaseInTempDir): >+ authenticator_obj, >+ asn1Spec=krb5_asn1.Authenticator()) >+ >+- usage = KU_AP_REQ_AUTH if armor else KU_TGS_REQ_AUTH >++ if usage is None: >++ usage = KU_AP_REQ_AUTH if armor else KU_TGS_REQ_AUTH >+ authenticator = self.EncryptedData_create(tgt.session_key, >+ usage, >+ authenticator_blob) >+-- >+2.25.1 >+ >+ >+From 450ff39d1c9f538bd828b7b2bee75c88d3dc1ee2 Mon Sep 17 00:00:00 2001 >+From: Joseph Sutton <josephsutton@catalyst.net.nz> >+Date: Tue, 24 May 2022 19:59:16 +1200 >+Subject: [PATCH 71/99] CVE-2022-2031 tests/krb5: Add tests for kpasswd service >+ >+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047 >+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15049 >+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15074 >+ >+Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> >+Reviewed-by: Andreas Schneider <asn@samba.org> >+ >+[jsutton@samba.org Fixed conflicts in usage.py and knownfails; removed >+ MIT KDC 1.20-specific knownfails as it's not supported] >+ >+[jsutton@samba.org Fixed conflicts in usage.py, knownfails, and >+ tests.py] >+--- >+ python/samba/tests/krb5/kdc_base_test.py | 4 +- >+ python/samba/tests/krb5/kpasswd_tests.py | 1021 ++++++++++++++++++++++ >+ python/samba/tests/krb5/raw_testcase.py | 8 + >+ python/samba/tests/usage.py | 1 + >+ selftest/knownfail_heimdal_kdc | 26 + >+ selftest/knownfail_mit_kdc | 26 + >+ source4/selftest/tests.py | 4 + >+ 7 files changed, 1089 insertions(+), 1 deletion(-) >+ create mode 100755 python/samba/tests/krb5/kpasswd_tests.py >+ >+diff --git python/samba/tests/krb5/kdc_base_test.py python/samba/tests/krb5/kdc_base_test.py >+index c0ca881985a..f0306dde110 100644 >+--- python/samba/tests/krb5/kdc_base_test.py >++++ python/samba/tests/krb5/kdc_base_test.py >+@@ -1586,7 +1586,9 @@ class KDCBaseTest(RawKerberosTest): >+ authenticator_subkey = self.RandomKey(kcrypto.Enctype.AES256) >+ >+ if expect_error: >+- expected_error_mode = KDC_ERR_TGT_REVOKED >++ expected_error_mode = expect_error >++ if expected_error_mode is True: >++ expected_error_mode = KDC_ERR_TGT_REVOKED >+ check_error_fn = self.generic_check_kdc_error >+ check_rep_fn = None >+ else: >+diff --git python/samba/tests/krb5/kpasswd_tests.py python/samba/tests/krb5/kpasswd_tests.py >+new file mode 100755 >+index 00000000000..3a6c7d818dc >+--- /dev/null >++++ python/samba/tests/krb5/kpasswd_tests.py >+@@ -0,0 +1,1021 @@ >++#!/usr/bin/env python3 >++# Unix SMB/CIFS implementation. >++# Copyright (C) Stefan Metzmacher 2020 >++# Copyright (C) Catalyst.Net Ltd >++# >++# This program is free software; you can redistribute it and/or modify >++# it under the terms of the GNU General Public License as published by >++# the Free Software Foundation; either version 3 of the License, or >++# (at your option) any later version. >++# >++# This program is distributed in the hope that it will be useful, >++# but WITHOUT ANY WARRANTY; without even the implied warranty of >++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the >++# GNU General Public License for more details. >++# >++# You should have received a copy of the GNU General Public License >++# along with this program. If not, see <http://www.gnu.org/licenses/>. >++# >++ >++import os >++import sys >++ >++from functools import partial >++ >++from samba import generate_random_password, unix2nttime >++from samba.dcerpc import krb5pac, security >++from samba.sd_utils import SDUtils >++ >++from samba.tests.krb5.kdc_base_test import KDCBaseTest >++from samba.tests.krb5.rfc4120_constants import ( >++ KDC_ERR_TGT_REVOKED, >++ KDC_ERR_TKT_EXPIRED, >++ KPASSWD_ACCESSDENIED, >++ KPASSWD_HARDERROR, >++ KPASSWD_INITIAL_FLAG_NEEDED, >++ KPASSWD_MALFORMED, >++ KPASSWD_SOFTERROR, >++ KPASSWD_SUCCESS, >++ NT_PRINCIPAL, >++ NT_SRV_INST, >++) >++ >++sys.path.insert(0, 'bin/python') >++os.environ['PYTHONUNBUFFERED'] = '1' >++ >++global_asn1_print = False >++global_hexdump = False >++ >++ >++# Note: these tests do not pass on Windows, which returns different error codes >++# to the ones we have chosen, and does not always return additional error data. >++class KpasswdTests(KDCBaseTest): >++ >++ def setUp(self): >++ super().setUp() >++ self.do_asn1_print = global_asn1_print >++ self.do_hexdump = global_hexdump >++ >++ samdb = self.get_samdb() >++ >++ # Get the old 'dSHeuristics' if it was set >++ dsheuristics = samdb.get_dsheuristics() >++ >++ # Reset the 'dSHeuristics' as they were before >++ self.addCleanup(samdb.set_dsheuristics, dsheuristics) >++ >++ # Set the 'dSHeuristics' to activate the correct 'userPassword' >++ # behaviour >++ samdb.set_dsheuristics('000000001') >++ >++ # Get the old 'minPwdAge' >++ minPwdAge = samdb.get_minPwdAge() >++ >++ # Reset the 'minPwdAge' as it was before >++ self.addCleanup(samdb.set_minPwdAge, minPwdAge) >++ >++ # Set it temporarily to '0' >++ samdb.set_minPwdAge('0') >++ >++ def _get_creds(self, expired=False): >++ opts = { >++ 'expired_password': expired >++ } >++ >++ # Create the account. >++ creds = self.get_cached_creds(account_type=self.AccountType.USER, >++ opts=opts, >++ use_cache=False) >++ >++ return creds >++ >++ def issued_by_rodc(self, ticket): >++ krbtgt_creds = self.get_mock_rodc_krbtgt_creds() >++ >++ krbtgt_key = self.TicketDecryptionKey_from_creds(krbtgt_creds) >++ checksum_keys = { >++ krb5pac.PAC_TYPE_KDC_CHECKSUM: krbtgt_key, >++ } >++ >++ return self.modified_ticket( >++ ticket, >++ new_ticket_key=krbtgt_key, >++ checksum_keys=checksum_keys) >++ >++ def get_kpasswd_sname(self): >++ return self.PrincipalName_create(name_type=NT_PRINCIPAL, >++ names=['kadmin', 'changepw']) >++ >++ def get_ticket_lifetime(self, ticket): >++ enc_part = ticket.ticket_private >++ >++ authtime = enc_part['authtime'] >++ starttime = enc_part.get('starttime', authtime) >++ endtime = enc_part['endtime'] >++ >++ starttime = self.get_EpochFromKerberosTime(starttime) >++ endtime = self.get_EpochFromKerberosTime(endtime) >++ >++ return endtime - starttime >++ >++ def add_requester_sid(self, pac, sid): >++ pac_buffers = pac.buffers >++ >++ buffer_types = [pac_buffer.type for pac_buffer in pac_buffers] >++ self.assertNotIn(krb5pac.PAC_TYPE_REQUESTER_SID, buffer_types) >++ >++ requester_sid = krb5pac.PAC_REQUESTER_SID() >++ requester_sid.sid = security.dom_sid(sid) >++ >++ requester_sid_buffer = krb5pac.PAC_BUFFER() >++ requester_sid_buffer.type = krb5pac.PAC_TYPE_REQUESTER_SID >++ requester_sid_buffer.info = requester_sid >++ >++ pac_buffers.append(requester_sid_buffer) >++ >++ pac.buffers = pac_buffers >++ pac.num_buffers += 1 >++ >++ return pac >++ >++ # Test setting a password with kpasswd. >++ def test_kpasswd_set(self): >++ # Create an account for testing. >++ creds = self._get_creds() >++ >++ # Get an initial ticket to kpasswd. >++ ticket = self.get_tgt(creds, sname=self.get_kpasswd_sname(), >++ kdc_options='0') >++ >++ expected_code = KPASSWD_SUCCESS >++ expected_msg = b'Password changed' >++ >++ # Set the password. >++ new_password = generate_random_password(32, 32) >++ self.kpasswd_exchange(ticket, >++ new_password, >++ expected_code, >++ expected_msg, >++ mode=self.KpasswdMode.SET) >++ >++ # Test the newly set password. >++ creds.update_password(new_password) >++ self.get_tgt(creds, fresh=True) >++ >++ # Test changing a password with kpasswd. >++ def test_kpasswd_change(self): >++ # Create an account for testing. >++ creds = self._get_creds() >++ >++ # Get an initial ticket to kpasswd. >++ ticket = self.get_tgt(creds, sname=self.get_kpasswd_sname(), >++ kdc_options='0') >++ >++ expected_code = KPASSWD_SUCCESS >++ expected_msg = b'Password changed' >++ >++ # Change the password. >++ new_password = generate_random_password(32, 32) >++ self.kpasswd_exchange(ticket, >++ new_password, >++ expected_code, >++ expected_msg, >++ mode=self.KpasswdMode.CHANGE) >++ >++ # Test the newly set password. >++ creds.update_password(new_password) >++ self.get_tgt(creds, fresh=True) >++ >++ # Test kpasswd without setting the canonicalize option. >++ def test_kpasswd_no_canonicalize(self): >++ # Create an account for testing. >++ creds = self._get_creds() >++ >++ sname = self.get_kpasswd_sname() >++ >++ # Get an initial ticket to kpasswd. >++ ticket = self.get_tgt(creds, sname=sname, >++ kdc_options='0') >++ >++ expected_code = KPASSWD_SUCCESS >++ expected_msg = b'Password changed' >++ >++ # Set the password. >++ new_password = generate_random_password(32, 32) >++ self.kpasswd_exchange(ticket, >++ new_password, >++ expected_code, >++ expected_msg, >++ mode=self.KpasswdMode.SET) >++ >++ creds.update_password(new_password) >++ >++ # Get an initial ticket to kpasswd. >++ ticket = self.get_tgt(creds, sname=sname, >++ kdc_options='0') >++ >++ # Change the password. >++ new_password = generate_random_password(32, 32) >++ self.kpasswd_exchange(ticket, >++ new_password, >++ expected_code, >++ expected_msg, >++ mode=self.KpasswdMode.CHANGE) >++ >++ # Test kpasswd with the canonicalize option reset and a non-canonical >++ # (by conversion to title case) realm. >++ def test_kpasswd_no_canonicalize_realm_case(self): >++ # Create an account for testing. >++ creds = self._get_creds() >++ >++ sname = self.get_kpasswd_sname() >++ realm = creds.get_realm().capitalize() # We use a title-cased realm. >++ >++ # Get an initial ticket to kpasswd. >++ ticket = self.get_tgt(creds, sname=sname, >++ realm=realm, >++ kdc_options='0') >++ >++ expected_code = KPASSWD_SUCCESS >++ expected_msg = b'Password changed' >++ >++ # Set the password. >++ new_password = generate_random_password(32, 32) >++ self.kpasswd_exchange(ticket, >++ new_password, >++ expected_code, >++ expected_msg, >++ mode=self.KpasswdMode.SET) >++ >++ creds.update_password(new_password) >++ >++ # Get an initial ticket to kpasswd. >++ ticket = self.get_tgt(creds, sname=sname, >++ realm=realm, >++ kdc_options='0') >++ >++ # Change the password. >++ new_password = generate_random_password(32, 32) >++ self.kpasswd_exchange(ticket, >++ new_password, >++ expected_code, >++ expected_msg, >++ mode=self.KpasswdMode.CHANGE) >++ >++ # Test kpasswd with the canonicalize option set. >++ def test_kpasswd_canonicalize(self): >++ # Create an account for testing. >++ creds = self._get_creds() >++ >++ # Get an initial ticket to kpasswd. We set the canonicalize flag here. >++ ticket = self.get_tgt(creds, sname=self.get_kpasswd_sname(), >++ kdc_options='canonicalize') >++ >++ expected_code = KPASSWD_SUCCESS >++ expected_msg = b'Password changed' >++ >++ # Set the password. >++ new_password = generate_random_password(32, 32) >++ self.kpasswd_exchange(ticket, >++ new_password, >++ expected_code, >++ expected_msg, >++ mode=self.KpasswdMode.SET) >++ >++ creds.update_password(new_password) >++ >++ # Get an initial ticket to kpasswd. We set the canonicalize flag here. >++ ticket = self.get_tgt(creds, sname=self.get_kpasswd_sname(), >++ kdc_options='canonicalize') >++ >++ # Change the password. >++ new_password = generate_random_password(32, 32) >++ self.kpasswd_exchange(ticket, >++ new_password, >++ expected_code, >++ expected_msg, >++ mode=self.KpasswdMode.CHANGE) >++ >++ # Test kpasswd with the canonicalize option set and a non-canonical (by >++ # conversion to title case) realm. >++ def test_kpasswd_canonicalize_realm_case(self): >++ # Create an account for testing. >++ creds = self._get_creds() >++ >++ sname = self.get_kpasswd_sname() >++ realm = creds.get_realm().capitalize() # We use a title-cased realm. >++ >++ # Get an initial ticket to kpasswd. We set the canonicalize flag here. >++ ticket = self.get_tgt(creds, sname=sname, >++ realm=realm, >++ kdc_options='canonicalize') >++ >++ expected_code = KPASSWD_SUCCESS >++ expected_msg = b'Password changed' >++ >++ # Set the password. >++ new_password = generate_random_password(32, 32) >++ self.kpasswd_exchange(ticket, >++ new_password, >++ expected_code, >++ expected_msg, >++ mode=self.KpasswdMode.SET) >++ >++ creds.update_password(new_password) >++ >++ # Get an initial ticket to kpasswd. We set the canonicalize flag here. >++ ticket = self.get_tgt(creds, sname=sname, >++ realm=realm, >++ kdc_options='canonicalize') >++ >++ # Change the password. >++ new_password = generate_random_password(32, 32) >++ self.kpasswd_exchange(ticket, >++ new_password, >++ expected_code, >++ expected_msg, >++ mode=self.KpasswdMode.CHANGE) >++ >++ # Test kpasswd rejects a password that does not meet complexity >++ # requirements. >++ def test_kpasswd_too_weak(self): >++ # Create an account for testing. >++ creds = self._get_creds() >++ >++ # Get an initial ticket to kpasswd. >++ ticket = self.get_tgt(creds, sname=self.get_kpasswd_sname(), >++ kdc_options='0') >++ >++ expected_code = KPASSWD_SOFTERROR >++ expected_msg = b'Password does not meet complexity requirements' >++ >++ # Set the password. >++ new_password = 'password' >++ self.kpasswd_exchange(ticket, >++ new_password, >++ expected_code, >++ expected_msg, >++ mode=self.KpasswdMode.SET) >++ >++ # Change the password. >++ self.kpasswd_exchange(ticket, >++ new_password, >++ expected_code, >++ expected_msg, >++ mode=self.KpasswdMode.CHANGE) >++ >++ # Test kpasswd rejects an empty new password. >++ def test_kpasswd_empty(self): >++ # Create an account for testing. >++ creds = self._get_creds() >++ >++ # Get an initial ticket to kpasswd. >++ ticket = self.get_tgt(creds, sname=self.get_kpasswd_sname(), >++ kdc_options='0') >++ >++ expected_code = KPASSWD_SOFTERROR, KPASSWD_HARDERROR >++ expected_msg = (b'Password too short, password must be at least 7 ' >++ b'characters long.', >++ b'String conversion failed!') >++ >++ # Set the password. >++ new_password = '' >++ self.kpasswd_exchange(ticket, >++ new_password, >++ expected_code, >++ expected_msg, >++ mode=self.KpasswdMode.SET) >++ >++ expected_code = KPASSWD_HARDERROR >++ expected_msg = b'String conversion failed!' >++ >++ # Change the password. >++ self.kpasswd_exchange(ticket, >++ new_password, >++ expected_code, >++ expected_msg, >++ mode=self.KpasswdMode.CHANGE) >++ >++ # Test kpasswd rejects a request that does not include a random sequence >++ # number. >++ def test_kpasswd_no_seq_number(self): >++ # Create an account for testing. >++ creds = self._get_creds() >++ >++ # Get an initial ticket to kpasswd. >++ ticket = self.get_tgt(creds, sname=self.get_kpasswd_sname(), >++ kdc_options='0') >++ >++ expected_code = KPASSWD_HARDERROR >++ expected_msg = b'gensec_unwrap failed - NT_STATUS_ACCESS_DENIED\n' >++ >++ # Set the password. >++ new_password = generate_random_password(32, 32) >++ self.kpasswd_exchange(ticket, >++ new_password, >++ expected_code, >++ expected_msg, >++ mode=self.KpasswdMode.SET, >++ send_seq_number=False) >++ >++ # Change the password. >++ self.kpasswd_exchange(ticket, >++ new_password, >++ expected_code, >++ expected_msg, >++ mode=self.KpasswdMode.CHANGE, >++ send_seq_number=False) >++ >++ # Test kpasswd rejects a ticket issued by an RODC. >++ def test_kpasswd_from_rodc(self): >++ # Create an account for testing. >++ creds = self._get_creds() >++ >++ # Get an initial ticket to kpasswd. >++ ticket = self.get_tgt(creds, sname=self.get_kpasswd_sname(), >++ kdc_options='0') >++ >++ # Have the ticket be issued by the RODC. >++ ticket = self.issued_by_rodc(ticket) >++ >++ expected_code = KPASSWD_HARDERROR >++ expected_msg = b'gensec_update failed - NT_STATUS_LOGON_FAILURE\n' >++ >++ # Set the password. >++ new_password = generate_random_password(32, 32) >++ self.kpasswd_exchange(ticket, >++ new_password, >++ expected_code, >++ expected_msg, >++ mode=self.KpasswdMode.SET) >++ >++ # Change the password. >++ self.kpasswd_exchange(ticket, >++ new_password, >++ expected_code, >++ expected_msg, >++ mode=self.KpasswdMode.CHANGE) >++ >++ # Test setting a password, specifying the principal of the target user. >++ def test_kpasswd_set_target_princ_only(self): >++ # Create an account for testing. >++ creds = self._get_creds() >++ username = creds.get_username() >++ >++ cname = self.PrincipalName_create(name_type=NT_PRINCIPAL, >++ names=username.split('/')) >++ >++ # Get an initial ticket to kpasswd. >++ ticket = self.get_tgt(creds, sname=self.get_kpasswd_sname(), >++ kdc_options='0') >++ >++ expected_code = KPASSWD_MALFORMED >++ expected_msg = (b'Realm and principal must be both present, or ' >++ b'neither present', >++ b'Failed to decode packet') >++ >++ # Change the password. >++ new_password = generate_random_password(32, 32) >++ self.kpasswd_exchange(ticket, >++ new_password, >++ expected_code, >++ expected_msg, >++ mode=self.KpasswdMode.SET, >++ target_princ=cname) >++ >++ # Test that kpasswd rejects a password set specifying only the realm of the >++ # target user. >++ def test_kpasswd_set_target_realm_only(self): >++ # Create an account for testing. >++ creds = self._get_creds() >++ >++ # Get an initial ticket to kpasswd. >++ ticket = self.get_tgt(creds, sname=self.get_kpasswd_sname(), >++ kdc_options='0') >++ >++ expected_code = KPASSWD_MALFORMED, KPASSWD_ACCESSDENIED >++ expected_msg = (b'Realm and principal must be both present, or ' >++ b'neither present', >++ b'Failed to decode packet', >++ b'No such user when changing password') >++ >++ # Change the password. >++ new_password = generate_random_password(32, 32) >++ self.kpasswd_exchange(ticket, >++ new_password, >++ expected_code, >++ expected_msg, >++ mode=self.KpasswdMode.SET, >++ target_realm=creds.get_realm()) >++ >++ # Show that a user cannot set a password, specifying both principal and >++ # realm of the target user, without having control access. >++ def test_kpasswd_set_target_princ_and_realm_no_access(self): >++ # Create an account for testing. >++ creds = self._get_creds() >++ username = creds.get_username() >++ >++ cname = self.PrincipalName_create(name_type=NT_PRINCIPAL, >++ names=username.split('/')) >++ >++ # Get an initial ticket to kpasswd. >++ ticket = self.get_tgt(creds, sname=self.get_kpasswd_sname(), >++ kdc_options='0') >++ >++ expected_code = KPASSWD_ACCESSDENIED >++ expected_msg = b'Not permitted to change password' >++ >++ # Change the password. >++ new_password = generate_random_password(32, 32) >++ self.kpasswd_exchange(ticket, >++ new_password, >++ expected_code, >++ expected_msg, >++ mode=self.KpasswdMode.SET, >++ target_princ=cname, >++ target_realm=creds.get_realm()) >++ >++ # Test setting a password, specifying both principal and realm of the >++ # target user, whem the user has control access on their account. >++ def test_kpasswd_set_target_princ_and_realm_access(self): >++ # Create an account for testing. >++ creds = self._get_creds() >++ username = creds.get_username() >++ tgt = self.get_tgt(creds) >++ >++ cname = self.PrincipalName_create(name_type=NT_PRINCIPAL, >++ names=username.split('/')) >++ >++ samdb = self.get_samdb() >++ sd_utils = SDUtils(samdb) >++ >++ user_dn = creds.get_dn() >++ user_sid = self.get_objectSid(samdb, user_dn) >++ >++ # Give the user control access on their account. >++ ace = f'(A;;CR;;;{user_sid})' >++ sd_utils.dacl_add_ace(user_dn, ace) >++ >++ # Get a non-initial ticket to kpasswd. Since we have the right to >++ # change the account's password, we don't need an initial ticket. >++ krbtgt_creds = self.get_krbtgt_creds() >++ ticket = self.get_service_ticket(tgt, >++ krbtgt_creds, >++ service='kadmin', >++ target_name='changepw', >++ kdc_options='0') >++ >++ expected_code = KPASSWD_SUCCESS >++ expected_msg = b'Password changed' >++ >++ # Change the password. >++ new_password = generate_random_password(32, 32) >++ self.kpasswd_exchange(ticket, >++ new_password, >++ expected_code, >++ expected_msg, >++ mode=self.KpasswdMode.SET, >++ target_princ=cname, >++ target_realm=creds.get_realm()) >++ >++ # Test setting a password when the existing password has expired. >++ def test_kpasswd_set_expired_password(self): >++ # Create an account for testing, with an expired password. >++ creds = self._get_creds(expired=True) >++ >++ # Get an initial ticket to kpasswd. >++ ticket = self.get_tgt(creds, sname=self.get_kpasswd_sname(), >++ kdc_options='0') >++ >++ expected_code = KPASSWD_SUCCESS >++ expected_msg = b'Password changed' >++ >++ # Set the password. >++ new_password = generate_random_password(32, 32) >++ self.kpasswd_exchange(ticket, >++ new_password, >++ expected_code, >++ expected_msg, >++ mode=self.KpasswdMode.SET) >++ >++ # Test changing a password when the existing password has expired. >++ def test_kpasswd_change_expired_password(self): >++ # Create an account for testing, with an expired password. >++ creds = self._get_creds(expired=True) >++ >++ # Get an initial ticket to kpasswd. >++ ticket = self.get_tgt(creds, sname=self.get_kpasswd_sname(), >++ kdc_options='0') >++ >++ expected_code = KPASSWD_SUCCESS >++ expected_msg = b'Password changed' >++ >++ # Change the password. >++ new_password = generate_random_password(32, 32) >++ self.kpasswd_exchange(ticket, >++ new_password, >++ expected_code, >++ expected_msg, >++ mode=self.KpasswdMode.CHANGE) >++ >++ # Check the lifetime of a kpasswd ticket is not more than two minutes. >++ def test_kpasswd_ticket_lifetime(self): >++ # Create an account for testing. >++ creds = self._get_creds() >++ >++ # Get an initial ticket to kpasswd. >++ ticket = self.get_tgt(creds, sname=self.get_kpasswd_sname(), >++ kdc_options='0') >++ >++ # Check the lifetime of the ticket is equal to two minutes. >++ lifetime = self.get_ticket_lifetime(ticket) >++ self.assertEqual(2 * 60, lifetime) >++ >++ # Ensure we cannot perform a TGS-REQ with a kpasswd ticket. >++ def test_kpasswd_ticket_tgs(self): >++ creds = self.get_client_creds() >++ >++ # Get an initial ticket to kpasswd. >++ ticket = self.get_tgt(creds, sname=self.get_kpasswd_sname(), >++ kdc_options='0') >++ >++ # Change the sname of the ticket to match that of a TGT. >++ realm = creds.get_realm() >++ krbtgt_sname = self.PrincipalName_create(name_type=NT_SRV_INST, >++ names=['krbtgt', realm]) >++ ticket.set_sname(krbtgt_sname) >++ >++ # Try to use that ticket to get a service ticket. >++ service_creds = self.get_service_creds() >++ >++ # This fails due to missing REQUESTER_SID buffer. >++ self._make_tgs_request(creds, service_creds, ticket, >++ expect_error=(KDC_ERR_TGT_REVOKED, >++ KDC_ERR_TKT_EXPIRED)) >++ >++ def modify_requester_sid_time(self, ticket, sid, lifetime): >++ # Get the krbtgt key. >++ krbtgt_creds = self.get_krbtgt_creds() >++ >++ krbtgt_key = self.TicketDecryptionKey_from_creds(krbtgt_creds) >++ checksum_keys = { >++ krb5pac.PAC_TYPE_KDC_CHECKSUM: krbtgt_key, >++ } >++ >++ # Set authtime and starttime to an hour in the past, to show that they >++ # do not affect ticket rejection. >++ start_time = self.get_KerberosTime(offset=-60 * 60) >++ >++ # Set the endtime of the ticket relative to our current time, so that >++ # the ticket has 'lifetime' seconds remaining to live. >++ end_time = self.get_KerberosTime(offset=lifetime) >++ >++ # Modify the times in the ticket. >++ def modify_ticket_times(enc_part): >++ enc_part['authtime'] = start_time >++ if 'starttime' in enc_part: >++ enc_part['starttime'] = start_time >++ >++ enc_part['endtime'] = end_time >++ >++ return enc_part >++ >++ # We have to set the times in both the ticket and the PAC, otherwise >++ # Heimdal will complain. >++ def modify_pac_time(pac): >++ pac_buffers = pac.buffers >++ >++ for pac_buffer in pac_buffers: >++ if pac_buffer.type == krb5pac.PAC_TYPE_LOGON_NAME: >++ logon_time = self.get_EpochFromKerberosTime(start_time) >++ pac_buffer.info.logon_time = unix2nttime(logon_time) >++ break >++ else: >++ self.fail('failed to find LOGON_NAME PAC buffer') >++ >++ pac.buffers = pac_buffers >++ >++ return pac >++ >++ # Add a requester SID to show that the KDC will then accept this >++ # kpasswd ticket as if it were a TGT. >++ def modify_pac_fn(pac): >++ pac = self.add_requester_sid(pac, sid=sid) >++ pac = modify_pac_time(pac) >++ return pac >++ >++ # Do the actual modification. >++ return self.modified_ticket(ticket, >++ new_ticket_key=krbtgt_key, >++ modify_fn=modify_ticket_times, >++ modify_pac_fn=modify_pac_fn, >++ checksum_keys=checksum_keys) >++ >++ # Ensure we cannot perform a TGS-REQ with a kpasswd ticket containing a >++ # requester SID and having a remaining lifetime of two minutes. >++ def test_kpasswd_ticket_requester_sid_tgs(self): >++ creds = self.get_client_creds() >++ >++ # Get an initial ticket to kpasswd. >++ ticket = self.get_tgt(creds, sname=self.get_kpasswd_sname(), >++ kdc_options='0') >++ >++ # Change the sname of the ticket to match that of a TGT. >++ realm = creds.get_realm() >++ krbtgt_sname = self.PrincipalName_create(name_type=NT_SRV_INST, >++ names=['krbtgt', realm]) >++ ticket.set_sname(krbtgt_sname) >++ >++ # Get the user's SID. >++ samdb = self.get_samdb() >++ >++ user_dn = creds.get_dn() >++ user_sid = self.get_objectSid(samdb, user_dn) >++ >++ # Modify the ticket to add a requester SID and give it two minutes to >++ # live. >++ ticket = self.modify_requester_sid_time(ticket, >++ sid=user_sid, >++ lifetime=2 * 60) >++ >++ # Try to use that ticket to get a service ticket. >++ service_creds = self.get_service_creds() >++ >++ # This fails due to the lifetime being too short. >++ self._make_tgs_request(creds, service_creds, ticket, >++ expect_error=KDC_ERR_TKT_EXPIRED) >++ >++ # Show we can perform a TGS-REQ with a kpasswd ticket containing a >++ # requester SID if the remaining lifetime exceeds two minutes. >++ def test_kpasswd_ticket_requester_sid_lifetime_tgs(self): >++ creds = self.get_client_creds() >++ >++ # Get an initial ticket to kpasswd. >++ ticket = self.get_tgt(creds, sname=self.get_kpasswd_sname(), >++ kdc_options='0') >++ >++ # Change the sname of the ticket to match that of a TGT. >++ realm = creds.get_realm() >++ krbtgt_sname = self.PrincipalName_create(name_type=NT_SRV_INST, >++ names=['krbtgt', realm]) >++ ticket.set_sname(krbtgt_sname) >++ >++ # Get the user's SID. >++ samdb = self.get_samdb() >++ >++ user_dn = creds.get_dn() >++ user_sid = self.get_objectSid(samdb, user_dn) >++ >++ # Modify the ticket to add a requester SID and give it two minutes and >++ # ten seconds to live. >++ ticket = self.modify_requester_sid_time(ticket, >++ sid=user_sid, >++ lifetime=2 * 60 + 10) >++ >++ # Try to use that ticket to get a service ticket. >++ service_creds = self.get_service_creds() >++ >++ # This succeeds. >++ self._make_tgs_request(creds, service_creds, ticket, >++ expect_error=False) >++ >++ # Test that kpasswd rejects requests with a service ticket. >++ def test_kpasswd_non_initial(self): >++ # Create an account for testing, and get a TGT. >++ creds = self._get_creds() >++ tgt = self.get_tgt(creds) >++ >++ # Get a non-initial ticket to kpasswd. >++ krbtgt_creds = self.get_krbtgt_creds() >++ ticket = self.get_service_ticket(tgt, >++ krbtgt_creds, >++ service='kadmin', >++ target_name='changepw', >++ kdc_options='0') >++ >++ expected_code = KPASSWD_INITIAL_FLAG_NEEDED >++ expected_msg = b'Expected an initial ticket' >++ >++ # Set the password. >++ new_password = generate_random_password(32, 32) >++ self.kpasswd_exchange(ticket, >++ new_password, >++ expected_code, >++ expected_msg, >++ mode=self.KpasswdMode.SET) >++ >++ # Change the password. >++ self.kpasswd_exchange(ticket, >++ new_password, >++ expected_code, >++ expected_msg, >++ mode=self.KpasswdMode.CHANGE) >++ >++ # Show that kpasswd accepts requests with a service ticket modified to set >++ # the 'initial' flag. >++ def test_kpasswd_initial(self): >++ # Create an account for testing, and get a TGT. >++ creds = self._get_creds() >++ >++ krbtgt_creds = self.get_krbtgt_creds() >++ >++ # Get a service ticket, and modify it to set the 'initial' flag. >++ def get_ticket(): >++ tgt = self.get_tgt(creds, fresh=True) >++ >++ # Get a non-initial ticket to kpasswd. >++ ticket = self.get_service_ticket(tgt, >++ krbtgt_creds, >++ service='kadmin', >++ target_name='changepw', >++ kdc_options='0', >++ fresh=True) >++ >++ set_initial_flag = partial(self.modify_ticket_flag, flag='initial', >++ value=True) >++ >++ checksum_keys = self.get_krbtgt_checksum_key() >++ return self.modified_ticket(ticket, >++ modify_fn=set_initial_flag, >++ checksum_keys=checksum_keys) >++ >++ expected_code = KPASSWD_SUCCESS >++ expected_msg = b'Password changed' >++ >++ ticket = get_ticket() >++ >++ # Set the password. >++ new_password = generate_random_password(32, 32) >++ self.kpasswd_exchange(ticket, >++ new_password, >++ expected_code, >++ expected_msg, >++ mode=self.KpasswdMode.SET) >++ >++ creds.update_password(new_password) >++ ticket = get_ticket() >++ >++ # Change the password. >++ new_password = generate_random_password(32, 32) >++ self.kpasswd_exchange(ticket, >++ new_password, >++ expected_code, >++ expected_msg, >++ mode=self.KpasswdMode.CHANGE) >++ >++ # Test that kpasswd rejects requests where the ticket is encrypted with a >++ # key other than the krbtgt's. >++ def test_kpasswd_wrong_key(self): >++ # Create an account for testing. >++ creds = self._get_creds() >++ >++ sname = self.get_kpasswd_sname() >++ >++ # Get an initial ticket to kpasswd. >++ ticket = self.get_tgt(creds, sname=sname, >++ kdc_options='0') >++ >++ # Get a key belonging to the Administrator account. >++ admin_creds = self.get_admin_creds() >++ admin_key = self.TicketDecryptionKey_from_creds(admin_creds) >++ self.assertIsNotNone(admin_key.kvno, >++ 'a kvno is required to tell the DB ' >++ 'which key to look up.') >++ checksum_keys = { >++ krb5pac.PAC_TYPE_KDC_CHECKSUM: admin_key, >++ } >++ >++ # Re-encrypt the ticket using the Administrator's key. >++ ticket = self.modified_ticket(ticket, >++ new_ticket_key=admin_key, >++ checksum_keys=checksum_keys) >++ >++ # Set the sname of the ticket to that of the Administrator account. >++ admin_sname = self.PrincipalName_create(name_type=NT_PRINCIPAL, >++ names=['Administrator']) >++ ticket.set_sname(admin_sname) >++ >++ expected_code = KPASSWD_HARDERROR >++ expected_msg = b'gensec_update failed - NT_STATUS_LOGON_FAILURE\n' >++ >++ # Set the password. >++ new_password = generate_random_password(32, 32) >++ self.kpasswd_exchange(ticket, >++ new_password, >++ expected_code, >++ expected_msg, >++ mode=self.KpasswdMode.SET) >++ >++ # Change the password. >++ self.kpasswd_exchange(ticket, >++ new_password, >++ expected_code, >++ expected_msg, >++ mode=self.KpasswdMode.CHANGE) >++ >++ def test_kpasswd_wrong_key_service(self): >++ # Create an account for testing. >++ creds = self.get_cached_creds(account_type=self.AccountType.COMPUTER, >++ use_cache=False) >++ >++ sname = self.get_kpasswd_sname() >++ >++ # Get an initial ticket to kpasswd. >++ ticket = self.get_tgt(creds, sname=sname, >++ kdc_options='0') >++ >++ # Get a key belonging to our account. >++ our_key = self.TicketDecryptionKey_from_creds(creds) >++ self.assertIsNotNone(our_key.kvno, >++ 'a kvno is required to tell the DB ' >++ 'which key to look up.') >++ checksum_keys = { >++ krb5pac.PAC_TYPE_KDC_CHECKSUM: our_key, >++ } >++ >++ # Re-encrypt the ticket using our key. >++ ticket = self.modified_ticket(ticket, >++ new_ticket_key=our_key, >++ checksum_keys=checksum_keys) >++ >++ # Set the sname of the ticket to that of our account. >++ username = creds.get_username() >++ sname = self.PrincipalName_create(name_type=NT_PRINCIPAL, >++ names=username.split('/')) >++ ticket.set_sname(sname) >++ >++ expected_code = KPASSWD_HARDERROR >++ expected_msg = b'gensec_update failed - NT_STATUS_LOGON_FAILURE\n' >++ >++ # Set the password. >++ new_password = generate_random_password(32, 32) >++ self.kpasswd_exchange(ticket, >++ new_password, >++ expected_code, >++ expected_msg, >++ mode=self.KpasswdMode.SET) >++ >++ # Change the password. >++ self.kpasswd_exchange(ticket, >++ new_password, >++ expected_code, >++ expected_msg, >++ mode=self.KpasswdMode.CHANGE) >++ >++ # Test that kpasswd rejects requests where the ticket is encrypted with a >++ # key belonging to a server account other than the krbtgt. >++ def test_kpasswd_wrong_key_server(self): >++ # Create an account for testing. >++ creds = self._get_creds() >++ >++ sname = self.get_kpasswd_sname() >++ >++ # Get an initial ticket to kpasswd. >++ ticket = self.get_tgt(creds, sname=sname, >++ kdc_options='0') >++ >++ # Get a key belonging to the DC's account. >++ dc_creds = self.get_dc_creds() >++ dc_key = self.TicketDecryptionKey_from_creds(dc_creds) >++ self.assertIsNotNone(dc_key.kvno, >++ 'a kvno is required to tell the DB ' >++ 'which key to look up.') >++ checksum_keys = { >++ krb5pac.PAC_TYPE_KDC_CHECKSUM: dc_key, >++ } >++ >++ # Re-encrypt the ticket using the DC's key. >++ ticket = self.modified_ticket(ticket, >++ new_ticket_key=dc_key, >++ checksum_keys=checksum_keys) >++ >++ # Set the sname of the ticket to that of the DC's account. >++ dc_username = dc_creds.get_username() >++ dc_sname = self.PrincipalName_create(name_type=NT_PRINCIPAL, >++ names=dc_username.split('/')) >++ ticket.set_sname(dc_sname) >++ >++ expected_code = KPASSWD_HARDERROR >++ expected_msg = b'gensec_update failed - NT_STATUS_LOGON_FAILURE\n' >++ >++ # Set the password. >++ new_password = generate_random_password(32, 32) >++ self.kpasswd_exchange(ticket, >++ new_password, >++ expected_code, >++ expected_msg, >++ mode=self.KpasswdMode.SET) >++ >++ # Change the password. >++ self.kpasswd_exchange(ticket, >++ new_password, >++ expected_code, >++ expected_msg, >++ mode=self.KpasswdMode.CHANGE) >++ >++ >++if __name__ == '__main__': >++ global_asn1_print = False >++ global_hexdump = False >++ import unittest >++ unittest.main() >+diff --git python/samba/tests/krb5/raw_testcase.py python/samba/tests/krb5/raw_testcase.py >+index 57010ae73bd..4a78a8eadf3 100644 >+--- python/samba/tests/krb5/raw_testcase.py >++++ python/samba/tests/krb5/raw_testcase.py >+@@ -500,6 +500,10 @@ class KerberosCredentials(Credentials): >+ def get_upn(self): >+ return self.upn >+ >++ def update_password(self, password): >++ self.set_password(password) >++ self.set_kvno(self.get_kvno() + 1) >++ >+ >+ class KerberosTicketCreds: >+ def __init__(self, ticket, session_key, >+@@ -518,6 +522,10 @@ class KerberosTicketCreds: >+ self.ticket_private = ticket_private >+ self.encpart_private = encpart_private >+ >++ def set_sname(self, sname): >++ self.ticket['sname'] = sname >++ self.sname = sname >++ >+ >+ class RawKerberosTest(TestCaseInTempDir): >+ """A raw Kerberos Test case.""" >+diff --git python/samba/tests/usage.py python/samba/tests/usage.py >+index 6bbd96e7a08..a1210ada579 100644 >+--- python/samba/tests/usage.py >++++ python/samba/tests/usage.py >+@@ -109,6 +109,7 @@ EXCLUDE_USAGE = { >+ 'python/samba/tests/krb5/alias_tests.py', >+ 'python/samba/tests/krb5/test_min_domain_uid.py', >+ 'python/samba/tests/krb5/test_idmap_nss.py', >++ 'python/samba/tests/krb5/kpasswd_tests.py', >+ } >+ >+ EXCLUDE_HELP = { >+diff --git selftest/knownfail_heimdal_kdc selftest/knownfail_heimdal_kdc >+index 424a8b81c38..54e69a48bc1 100644 >+--- selftest/knownfail_heimdal_kdc >++++ selftest/knownfail_heimdal_kdc >+@@ -271,3 +271,29 @@ >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_fast_service_ticket >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_fast_sid_mismatch_existing >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_fast_sid_mismatch_nonexisting >++# >++# Kpasswd tests >++# >++^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_canonicalize.ad_dc >++^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_canonicalize_realm_case.ad_dc >++^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_change.ad_dc >++^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_change_expired_password.ad_dc >++^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_empty.ad_dc >++^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_from_rodc.ad_dc >++^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_initial.ad_dc >++^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_no_canonicalize.ad_dc >++^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_no_canonicalize_realm_case.ad_dc >++^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_no_seq_number.ad_dc >++^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_non_initial.ad_dc >++^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_set.ad_dc >++^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_set_expired_password.ad_dc >++^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_set_target_princ_and_realm_access.ad_dc >++^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_set_target_princ_and_realm_no_access.ad_dc >++^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_set_target_princ_only.ad_dc >++^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_set_target_realm_only.ad_dc >++^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_ticket_lifetime.ad_dc >++^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_ticket_requester_sid_tgs.ad_dc >++^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_too_weak.ad_dc >++^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_wrong_key.ad_dc >++^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_wrong_key_server.ad_dc >++^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_wrong_key_service.ad_dc >+diff --git selftest/knownfail_mit_kdc selftest/knownfail_mit_kdc >+index 108c6055d0c..53638afc17a 100644 >+--- selftest/knownfail_mit_kdc >++++ selftest/knownfail_mit_kdc >+@@ -575,3 +575,29 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_ >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_rodc_logon_info_sid_mismatch_nonexisting >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_rodc_requester_sid_mismatch_existing >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_rodc_requester_sid_mismatch_nonexisting >++# >++# Kpasswd tests >++# >++^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_canonicalize.ad_dc >++^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_canonicalize_realm_case.ad_dc >++^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_change.ad_dc >++^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_change_expired_password.ad_dc >++^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_empty.ad_dc >++^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_from_rodc.ad_dc >++^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_initial.ad_dc >++^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_no_canonicalize.ad_dc >++^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_no_canonicalize_realm_case.ad_dc >++^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_no_seq_number.ad_dc >++^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_non_initial.ad_dc >++^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_set.ad_dc >++^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_set_expired_password.ad_dc >++^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_set_target_princ_and_realm_access.ad_dc >++^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_set_target_princ_and_realm_no_access.ad_dc >++^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_set_target_princ_only.ad_dc >++^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_set_target_realm_only.ad_dc >++^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_ticket_lifetime.ad_dc >++^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_ticket_requester_sid_tgs.ad_dc >++^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_too_weak.ad_dc >++^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_wrong_key.ad_dc >++^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_wrong_key_server.ad_dc >++^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_wrong_key_service.ad_dc >+-- >+2.25.1 >+ >+ >+From 29ec8b2369b5f5e2a660a3165d2528982514a0f2 Mon Sep 17 00:00:00 2001 >+From: Joseph Sutton <josephsutton@catalyst.net.nz> >+Date: Fri, 27 May 2022 19:21:06 +1200 >+Subject: [PATCH 72/99] CVE-2022-2031 s4:kpasswd: Correctly generate error >+ strings >+ >+The error_data we create already has an explicit length, and should not >+be zero-terminated, so we omit the trailing null byte. Previously, >+Heimdal builds would leave a superfluous trailing null byte on error >+strings, while MIT builds would omit the final character. >+ >+The two bytes added to the string's length are for the prepended error >+code. >+ >+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047 >+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15049 >+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15074 >+ >+Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> >+Reviewed-by: Andreas Schneider <asn@samba.org> >+ >+[jsutton@samba.org Removed MIT KDC 1.20-specific knownfails] >+--- >+ selftest/knownfail_heimdal_kdc | 12 ------------ >+ selftest/knownfail_mit_kdc | 15 --------------- >+ source4/kdc/kpasswd-helper.c | 13 ++++++------- >+ 3 files changed, 6 insertions(+), 34 deletions(-) >+ >+diff --git selftest/knownfail_heimdal_kdc selftest/knownfail_heimdal_kdc >+index 54e69a48bc1..40e24f3155b 100644 >+--- selftest/knownfail_heimdal_kdc >++++ selftest/knownfail_heimdal_kdc >+@@ -276,24 +276,12 @@ >+ # >+ ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_canonicalize.ad_dc >+ ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_canonicalize_realm_case.ad_dc >+-^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_change.ad_dc >+-^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_change_expired_password.ad_dc >+ ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_empty.ad_dc >+ ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_from_rodc.ad_dc >+-^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_initial.ad_dc >+-^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_no_canonicalize.ad_dc >+-^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_no_canonicalize_realm_case.ad_dc >+ ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_no_seq_number.ad_dc >+ ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_non_initial.ad_dc >+-^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_set.ad_dc >+-^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_set_expired_password.ad_dc >+-^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_set_target_princ_and_realm_access.ad_dc >+-^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_set_target_princ_and_realm_no_access.ad_dc >+-^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_set_target_princ_only.ad_dc >+-^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_set_target_realm_only.ad_dc >+ ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_ticket_lifetime.ad_dc >+ ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_ticket_requester_sid_tgs.ad_dc >+-^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_too_weak.ad_dc >+ ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_wrong_key.ad_dc >+ ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_wrong_key_server.ad_dc >+ ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_wrong_key_service.ad_dc >+diff --git selftest/knownfail_mit_kdc selftest/knownfail_mit_kdc >+index 53638afc17a..a914c4d3492 100644 >+--- selftest/knownfail_mit_kdc >++++ selftest/knownfail_mit_kdc >+@@ -578,26 +578,11 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_ >+ # >+ # Kpasswd tests >+ # >+-^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_canonicalize.ad_dc >+ ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_canonicalize_realm_case.ad_dc >+-^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_change.ad_dc >+-^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_change_expired_password.ad_dc >+ ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_empty.ad_dc >+-^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_from_rodc.ad_dc >+-^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_initial.ad_dc >+-^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_no_canonicalize.ad_dc >+ ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_no_canonicalize_realm_case.ad_dc >+-^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_no_seq_number.ad_dc >+ ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_non_initial.ad_dc >+-^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_set.ad_dc >+-^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_set_expired_password.ad_dc >+-^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_set_target_princ_and_realm_access.ad_dc >+-^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_set_target_princ_and_realm_no_access.ad_dc >+-^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_set_target_princ_only.ad_dc >+-^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_set_target_realm_only.ad_dc >+ ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_ticket_lifetime.ad_dc >+ ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_ticket_requester_sid_tgs.ad_dc >+-^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_too_weak.ad_dc >+-^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_wrong_key.ad_dc >+ ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_wrong_key_server.ad_dc >+ ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_wrong_key_service.ad_dc >+diff --git source4/kdc/kpasswd-helper.c source4/kdc/kpasswd-helper.c >+index 995f54825b5..55a2f5b3bf6 100644 >+--- source4/kdc/kpasswd-helper.c >++++ source4/kdc/kpasswd-helper.c >+@@ -48,17 +48,16 @@ bool kpasswd_make_error_reply(TALLOC_CTX *mem_ctx, >+ } >+ >+ /* >+- * The string 's' has two terminating nul-bytes which are also >+- * reflected by 'slen'. Normally Kerberos doesn't expect that strings >+- * are nul-terminated, but Heimdal does! >++ * The string 's' has one terminating nul-byte which is also >++ * reflected by 'slen'. We subtract it from the length. >+ */ >+-#ifndef SAMBA4_USES_HEIMDAL >+- if (slen < 2) { >++ if (slen < 1) { >+ talloc_free(s); >+ return false; >+ } >+- slen -= 2; >+-#endif >++ slen--; >++ >++ /* Two bytes are added to the length to account for the error code. */ >+ if (2 + slen < slen) { >+ talloc_free(s); >+ return false; >+-- >+2.25.1 >+ >+ >+From 3a8da51396f3bf9d4caf8dbd4e75a0314aa47046 Mon Sep 17 00:00:00 2001 >+From: Joseph Sutton <josephsutton@catalyst.net.nz> >+Date: Wed, 18 May 2022 16:48:59 +1200 >+Subject: [PATCH 73/99] CVE-2022-2031 s4:kpasswd: Don't return AP-REP on >+ failure >+ >+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047 >+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15049 >+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15074 >+ >+Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> >+Reviewed-by: Andreas Schneider <asn@samba.org> >+ >+[jsutton@samba.org Removed MIT KDC 1.20-specific knownfails] >+--- >+ selftest/knownfail_mit_kdc | 1 - >+ source4/kdc/kpasswd-service.c | 2 ++ >+ 2 files changed, 2 insertions(+), 1 deletion(-) >+ >+diff --git selftest/knownfail_mit_kdc selftest/knownfail_mit_kdc >+index a914c4d3492..f64291e776d 100644 >+--- selftest/knownfail_mit_kdc >++++ selftest/knownfail_mit_kdc >+@@ -579,7 +579,6 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_ >+ # Kpasswd tests >+ # >+ ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_canonicalize_realm_case.ad_dc >+-^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_empty.ad_dc >+ ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_no_canonicalize_realm_case.ad_dc >+ ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_non_initial.ad_dc >+ ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_ticket_lifetime.ad_dc >+diff --git source4/kdc/kpasswd-service.c source4/kdc/kpasswd-service.c >+index 8f1679e4a28..a3c57a67dd1 100644 >+--- source4/kdc/kpasswd-service.c >++++ source4/kdc/kpasswd-service.c >+@@ -253,6 +253,7 @@ kdc_code kpasswd_process(struct kdc_server *kdc, >+ &kpasswd_dec_reply, >+ &error_string); >+ if (code != 0) { >++ ap_rep_blob = data_blob_null; >+ error_code = code; >+ goto reply; >+ } >+@@ -262,6 +263,7 @@ kdc_code kpasswd_process(struct kdc_server *kdc, >+ &kpasswd_dec_reply, >+ &enc_data_blob); >+ if (!NT_STATUS_IS_OK(status)) { >++ ap_rep_blob = data_blob_null; >+ error_code = KRB5_KPASSWD_HARDERROR; >+ error_string = talloc_asprintf(tmp_ctx, >+ "gensec_wrap failed - %s\n", >+-- >+2.25.1 >+ >+ >+From cf9e37604409ba0c3c5904af40beb2975c309ad4 Mon Sep 17 00:00:00 2001 >+From: Joseph Sutton <josephsutton@catalyst.net.nz> >+Date: Fri, 27 May 2022 19:29:34 +1200 >+Subject: [PATCH 74/99] CVE-2022-2031 lib:krb5_wrap: Generate valid error codes >+ in smb_krb5_mk_error() >+ >+The error code passed in will be an offset from ERROR_TABLE_BASE_krb5, >+so we need to subtract that before creating the error. Heimdal does this >+internally, so it isn't needed there. >+ >+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047 >+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15049 >+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15074 >+ >+Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> >+Reviewed-by: Andreas Schneider <asn@samba.org> >+--- >+ lib/krb5_wrap/krb5_samba.c | 2 +- >+ selftest/knownfail_mit_kdc | 4 ++++ >+ 2 files changed, 5 insertions(+), 1 deletion(-) >+ >+diff --git lib/krb5_wrap/krb5_samba.c lib/krb5_wrap/krb5_samba.c >+index 76c2dcd2126..610efcc9b87 100644 >+--- lib/krb5_wrap/krb5_samba.c >++++ lib/krb5_wrap/krb5_samba.c >+@@ -237,7 +237,7 @@ krb5_error_code smb_krb5_mk_error(krb5_context context, >+ return code; >+ } >+ >+- errpkt.error = error_code; >++ errpkt.error = error_code - ERROR_TABLE_BASE_krb5; >+ >+ errpkt.text.length = 0; >+ if (e_text != NULL) { >+diff --git selftest/knownfail_mit_kdc selftest/knownfail_mit_kdc >+index f64291e776d..633bf79e8e0 100644 >+--- selftest/knownfail_mit_kdc >++++ selftest/knownfail_mit_kdc >+@@ -579,9 +579,13 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_ >+ # Kpasswd tests >+ # >+ ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_canonicalize_realm_case.ad_dc >++^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_empty.ad_dc >++^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_from_rodc.ad_dc >+ ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_no_canonicalize_realm_case.ad_dc >++^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_no_seq_number.ad_dc >+ ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_non_initial.ad_dc >+ ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_ticket_lifetime.ad_dc >+ ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_ticket_requester_sid_tgs.ad_dc >++^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_wrong_key.ad_dc >+ ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_wrong_key_server.ad_dc >+ ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_wrong_key_service.ad_dc >+-- >+2.25.1 >+ >+ >+From cf749fac346ef59c91a9ea87f5e7ddec2e5649c7 Mon Sep 17 00:00:00 2001 >+From: Joseph Sutton <josephsutton@catalyst.net.nz> >+Date: Wed, 18 May 2022 16:49:43 +1200 >+Subject: [PATCH 75/99] CVE-2022-2031 s4:kpasswd: Return a kpasswd error code >+ in KRB-ERROR >+ >+If we attempt to return an error code outside of Heimdal's allowed range >+[KRB5KDC_ERR_NONE, KRB5_ERR_RCSID), it will be replaced with a GENERIC >+error, and the error text will be set to the meaningless result of >+krb5_get_error_message(). Avoid this by ensuring the error code is in >+the correct range. >+ >+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047 >+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15049 >+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15074 >+ >+Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> >+Reviewed-by: Andreas Schneider <asn@samba.org> >+--- >+ selftest/knownfail_heimdal_kdc | 2 -- >+ selftest/knownfail_mit_kdc | 4 ---- >+ source4/kdc/kpasswd-service.c | 2 +- >+ 3 files changed, 1 insertion(+), 7 deletions(-) >+ >+diff --git selftest/knownfail_heimdal_kdc selftest/knownfail_heimdal_kdc >+index 40e24f3155b..3b494baa658 100644 >+--- selftest/knownfail_heimdal_kdc >++++ selftest/knownfail_heimdal_kdc >+@@ -276,9 +276,7 @@ >+ # >+ ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_canonicalize.ad_dc >+ ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_canonicalize_realm_case.ad_dc >+-^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_empty.ad_dc >+ ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_from_rodc.ad_dc >+-^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_no_seq_number.ad_dc >+ ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_non_initial.ad_dc >+ ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_ticket_lifetime.ad_dc >+ ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_ticket_requester_sid_tgs.ad_dc >+diff --git selftest/knownfail_mit_kdc selftest/knownfail_mit_kdc >+index 633bf79e8e0..f64291e776d 100644 >+--- selftest/knownfail_mit_kdc >++++ selftest/knownfail_mit_kdc >+@@ -579,13 +579,9 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_ >+ # Kpasswd tests >+ # >+ ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_canonicalize_realm_case.ad_dc >+-^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_empty.ad_dc >+-^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_from_rodc.ad_dc >+ ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_no_canonicalize_realm_case.ad_dc >+-^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_no_seq_number.ad_dc >+ ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_non_initial.ad_dc >+ ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_ticket_lifetime.ad_dc >+ ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_ticket_requester_sid_tgs.ad_dc >+-^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_wrong_key.ad_dc >+ ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_wrong_key_server.ad_dc >+ ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_wrong_key_service.ad_dc >+diff --git source4/kdc/kpasswd-service.c source4/kdc/kpasswd-service.c >+index a3c57a67dd1..b4706de1ad7 100644 >+--- source4/kdc/kpasswd-service.c >++++ source4/kdc/kpasswd-service.c >+@@ -312,7 +312,7 @@ reply: >+ } >+ >+ code = smb_krb5_mk_error(kdc->smb_krb5_context->krb5_context, >+- error_code, >++ KRB5KDC_ERR_NONE + error_code, >+ NULL, /* e_text */ >+ &k_dec_data, >+ NULL, /* client */ >+-- >+2.25.1 >+ >+ >+From 198256e2184897300e1cea4343437c3b7b6f74ad Mon Sep 17 00:00:00 2001 >+From: Joseph Sutton <josephsutton@catalyst.net.nz> >+Date: Wed, 18 May 2022 16:06:31 +1200 >+Subject: [PATCH 76/99] CVE-2022-2031 gensec_krb5: Add helper function to check >+ if client sent an initial ticket >+ >+This will be used in the kpasswd service to ensure that the client has >+an initial ticket to kadmin/changepw, and not a service ticket. >+ >+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047 >+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15049 >+ >+Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> >+Reviewed-by: Andreas Schneider <asn@samba.org> >+--- >+ source4/auth/gensec/gensec_krb5.c | 20 +----- >+ source4/auth/gensec/gensec_krb5_helpers.c | 72 ++++++++++++++++++++++ >+ source4/auth/gensec/gensec_krb5_helpers.h | 32 ++++++++++ >+ source4/auth/gensec/gensec_krb5_internal.h | 47 ++++++++++++++ >+ source4/auth/gensec/wscript_build | 4 ++ >+ 5 files changed, 157 insertions(+), 18 deletions(-) >+ create mode 100644 source4/auth/gensec/gensec_krb5_helpers.c >+ create mode 100644 source4/auth/gensec/gensec_krb5_helpers.h >+ create mode 100644 source4/auth/gensec/gensec_krb5_internal.h >+ >+diff --git source4/auth/gensec/gensec_krb5.c source4/auth/gensec/gensec_krb5.c >+index 7d87b3ac6b9..104e4639c44 100644 >+--- source4/auth/gensec/gensec_krb5.c >++++ source4/auth/gensec/gensec_krb5.c >+@@ -44,27 +44,11 @@ >+ #include "../lib/util/asn1.h" >+ #include "auth/kerberos/pac_utils.h" >+ #include "gensec_krb5.h" >++#include "gensec_krb5_internal.h" >++#include "gensec_krb5_helpers.h" >+ >+ _PUBLIC_ NTSTATUS gensec_krb5_init(TALLOC_CTX *); >+ >+-enum GENSEC_KRB5_STATE { >+- GENSEC_KRB5_SERVER_START, >+- GENSEC_KRB5_CLIENT_START, >+- GENSEC_KRB5_CLIENT_MUTUAL_AUTH, >+- GENSEC_KRB5_DONE >+-}; >+- >+-struct gensec_krb5_state { >+- enum GENSEC_KRB5_STATE state_position; >+- struct smb_krb5_context *smb_krb5_context; >+- krb5_auth_context auth_context; >+- krb5_data enc_ticket; >+- krb5_keyblock *keyblock; >+- krb5_ticket *ticket; >+- bool gssapi; >+- krb5_flags ap_req_options; >+-}; >+- >+ static int gensec_krb5_destroy(struct gensec_krb5_state *gensec_krb5_state) >+ { >+ if (!gensec_krb5_state->smb_krb5_context) { >+diff --git source4/auth/gensec/gensec_krb5_helpers.c source4/auth/gensec/gensec_krb5_helpers.c >+new file mode 100644 >+index 00000000000..21f2f1e884e >+--- /dev/null >++++ source4/auth/gensec/gensec_krb5_helpers.c >+@@ -0,0 +1,72 @@ >++/* >++ Unix SMB/CIFS implementation. >++ >++ Kerberos backend for GENSEC >++ >++ Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004 >++ Copyright (C) Andrew Tridgell 2001 >++ Copyright (C) Luke Howard 2002-2003 >++ Copyright (C) Stefan Metzmacher 2004-2005 >++ >++ This program is free software; you can redistribute it and/or modify >++ it under the terms of the GNU General Public License as published by >++ the Free Software Foundation; either version 3 of the License, or >++ (at your option) any later version. >++ >++ This program is distributed in the hope that it will be useful, >++ but WITHOUT ANY WARRANTY; without even the implied warranty of >++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the >++ GNU General Public License for more details. >++ >++ >++ You should have received a copy of the GNU General Public License >++ along with this program. If not, see <http://www.gnu.org/licenses/>. >++*/ >++ >++#include "includes.h" >++#include "auth/auth.h" >++#include "auth/gensec/gensec.h" >++#include "auth/gensec/gensec_internal.h" >++#include "gensec_krb5_internal.h" >++#include "gensec_krb5_helpers.h" >++#include "system/kerberos.h" >++#include "auth/kerberos/kerberos.h" >++ >++static struct gensec_krb5_state *get_private_state(const struct gensec_security *gensec_security) >++{ >++ struct gensec_krb5_state *gensec_krb5_state = NULL; >++ >++ if (strcmp(gensec_security->ops->name, "krb5") != 0) { >++ /* We require that the krb5 mechanism is being used. */ >++ return NULL; >++ } >++ >++ gensec_krb5_state = talloc_get_type(gensec_security->private_data, >++ struct gensec_krb5_state); >++ return gensec_krb5_state; >++} >++ >++/* >++ * Returns 1 if our ticket has the initial flag set, 0 if not, and -1 in case of >++ * error. >++ */ >++int gensec_krb5_initial_ticket(const struct gensec_security *gensec_security) >++{ >++ struct gensec_krb5_state *gensec_krb5_state = NULL; >++ >++ gensec_krb5_state = get_private_state(gensec_security); >++ if (gensec_krb5_state == NULL) { >++ return -1; >++ } >++ >++ if (gensec_krb5_state->ticket == NULL) { >++ /* We don't have a ticket */ >++ return -1; >++ } >++ >++#ifdef SAMBA4_USES_HEIMDAL >++ return gensec_krb5_state->ticket->ticket.flags.initial; >++#else /* MIT KERBEROS */ >++ return (gensec_krb5_state->ticket->enc_part2->flags & TKT_FLG_INITIAL) ? 1 : 0; >++#endif /* SAMBA4_USES_HEIMDAL */ >++} >+diff --git source4/auth/gensec/gensec_krb5_helpers.h source4/auth/gensec/gensec_krb5_helpers.h >+new file mode 100644 >+index 00000000000..d7b694dad0c >+--- /dev/null >++++ source4/auth/gensec/gensec_krb5_helpers.h >+@@ -0,0 +1,32 @@ >++/* >++ Unix SMB/CIFS implementation. >++ >++ Kerberos backend for GENSEC >++ >++ Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004 >++ Copyright (C) Andrew Tridgell 2001 >++ Copyright (C) Luke Howard 2002-2003 >++ Copyright (C) Stefan Metzmacher 2004-2005 >++ >++ This program is free software; you can redistribute it and/or modify >++ it under the terms of the GNU General Public License as published by >++ the Free Software Foundation; either version 3 of the License, or >++ (at your option) any later version. >++ >++ This program is distributed in the hope that it will be useful, >++ but WITHOUT ANY WARRANTY; without even the implied warranty of >++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the >++ GNU General Public License for more details. >++ >++ >++ You should have received a copy of the GNU General Public License >++ along with this program. If not, see <http://www.gnu.org/licenses/>. >++*/ >++ >++struct gensec_security; >++ >++/* >++ * Returns 1 if our ticket has the initial flag set, 0 if not, and -1 in case of >++ * error. >++ */ >++int gensec_krb5_initial_ticket(const struct gensec_security *gensec_security); >+diff --git source4/auth/gensec/gensec_krb5_internal.h source4/auth/gensec/gensec_krb5_internal.h >+new file mode 100644 >+index 00000000000..0bb796f1b2a >+--- /dev/null >++++ source4/auth/gensec/gensec_krb5_internal.h >+@@ -0,0 +1,47 @@ >++/* >++ Unix SMB/CIFS implementation. >++ >++ Kerberos backend for GENSEC >++ >++ Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004 >++ Copyright (C) Andrew Tridgell 2001 >++ Copyright (C) Luke Howard 2002-2003 >++ Copyright (C) Stefan Metzmacher 2004-2005 >++ >++ This program is free software; you can redistribute it and/or modify >++ it under the terms of the GNU General Public License as published by >++ the Free Software Foundation; either version 3 of the License, or >++ (at your option) any later version. >++ >++ This program is distributed in the hope that it will be useful, >++ but WITHOUT ANY WARRANTY; without even the implied warranty of >++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the >++ GNU General Public License for more details. >++ >++ >++ You should have received a copy of the GNU General Public License >++ along with this program. If not, see <http://www.gnu.org/licenses/>. >++*/ >++ >++#include "includes.h" >++#include "auth/gensec/gensec.h" >++#include "system/kerberos.h" >++#include "auth/kerberos/kerberos.h" >++ >++enum GENSEC_KRB5_STATE { >++ GENSEC_KRB5_SERVER_START, >++ GENSEC_KRB5_CLIENT_START, >++ GENSEC_KRB5_CLIENT_MUTUAL_AUTH, >++ GENSEC_KRB5_DONE >++}; >++ >++struct gensec_krb5_state { >++ enum GENSEC_KRB5_STATE state_position; >++ struct smb_krb5_context *smb_krb5_context; >++ krb5_auth_context auth_context; >++ krb5_data enc_ticket; >++ krb5_keyblock *keyblock; >++ krb5_ticket *ticket; >++ bool gssapi; >++ krb5_flags ap_req_options; >++}; >+diff --git source4/auth/gensec/wscript_build source4/auth/gensec/wscript_build >+index d14a50ff273..20271f1665b 100644 >+--- source4/auth/gensec/wscript_build >++++ source4/auth/gensec/wscript_build >+@@ -18,6 +18,10 @@ bld.SAMBA_MODULE('gensec_krb5', >+ enabled=bld.AD_DC_BUILD_IS_ENABLED() >+ ) >+ >++bld.SAMBA_SUBSYSTEM('gensec_krb5_helpers', >++ source='gensec_krb5_helpers.c', >++ deps='gensec_krb5', >++ enabled=bld.AD_DC_BUILD_IS_ENABLED()) >+ >+ bld.SAMBA_MODULE('gensec_gssapi', >+ source='gensec_gssapi.c', >+-- >+2.25.1 >+ >+ >+From 6c4fd575d706b2695090941ad7947b30abdb9071 Mon Sep 17 00:00:00 2001 >+From: Joseph Sutton <josephsutton@catalyst.net.nz> >+Date: Wed, 18 May 2022 16:52:41 +1200 >+Subject: [PATCH 77/99] CVE-2022-2031 s4:kpasswd: Require an initial ticket >+ >+Ensure that for password changes the client uses an AS-REQ to get the >+ticket to kpasswd, and not a TGS-REQ. >+ >+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047 >+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15049 >+ >+Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> >+Reviewed-by: Andreas Schneider <asn@samba.org> >+ >+[jsutton@samba.org Removed MIT KDC 1.20-specific knownfails] >+--- >+ selftest/knownfail_heimdal_kdc | 1 - >+ selftest/knownfail_mit_kdc | 1 - >+ source4/kdc/kpasswd-service-heimdal.c | 17 +++++++++++++++++ >+ source4/kdc/kpasswd-service-mit.c | 17 +++++++++++++++++ >+ source4/kdc/wscript_build | 1 + >+ 5 files changed, 35 insertions(+), 2 deletions(-) >+ >+diff --git selftest/knownfail_heimdal_kdc selftest/knownfail_heimdal_kdc >+index 3b494baa658..5cd8615f6a9 100644 >+--- selftest/knownfail_heimdal_kdc >++++ selftest/knownfail_heimdal_kdc >+@@ -277,7 +277,6 @@ >+ ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_canonicalize.ad_dc >+ ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_canonicalize_realm_case.ad_dc >+ ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_from_rodc.ad_dc >+-^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_non_initial.ad_dc >+ ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_ticket_lifetime.ad_dc >+ ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_ticket_requester_sid_tgs.ad_dc >+ ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_wrong_key.ad_dc >+diff --git selftest/knownfail_mit_kdc selftest/knownfail_mit_kdc >+index f64291e776d..46b0f1fa9ed 100644 >+--- selftest/knownfail_mit_kdc >++++ selftest/knownfail_mit_kdc >+@@ -580,7 +580,6 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_ >+ # >+ ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_canonicalize_realm_case.ad_dc >+ ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_no_canonicalize_realm_case.ad_dc >+-^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_non_initial.ad_dc >+ ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_ticket_lifetime.ad_dc >+ ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_ticket_requester_sid_tgs.ad_dc >+ ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_wrong_key_server.ad_dc >+diff --git source4/kdc/kpasswd-service-heimdal.c source4/kdc/kpasswd-service-heimdal.c >+index c804852c3a7..1a6c2b60d03 100644 >+--- source4/kdc/kpasswd-service-heimdal.c >++++ source4/kdc/kpasswd-service-heimdal.c >+@@ -24,6 +24,7 @@ >+ #include "param/param.h" >+ #include "auth/auth.h" >+ #include "auth/gensec/gensec.h" >++#include "gensec_krb5_helpers.h" >+ #include "kdc/kdc-server.h" >+ #include "kdc/kpasswd_glue.h" >+ #include "kdc/kpasswd-service.h" >+@@ -31,6 +32,7 @@ >+ >+ static krb5_error_code kpasswd_change_password(struct kdc_server *kdc, >+ TALLOC_CTX *mem_ctx, >++ const struct gensec_security *gensec_security, >+ struct auth_session_info *session_info, >+ DATA_BLOB *password, >+ DATA_BLOB *kpasswd_reply, >+@@ -42,6 +44,17 @@ static krb5_error_code kpasswd_change_password(struct kdc_server *kdc, >+ const char *reject_string = NULL; >+ struct samr_DomInfo1 *dominfo; >+ bool ok; >++ int ret; >++ >++ /* >++ * We're doing a password change (rather than a password set), so check >++ * that we were given an initial ticket. >++ */ >++ ret = gensec_krb5_initial_ticket(gensec_security); >++ if (ret != 1) { >++ *error_string = "Expected an initial ticket"; >++ return KRB5_KPASSWD_INITIAL_FLAG_NEEDED; >++ } >+ >+ status = samdb_kpasswd_change_password(mem_ctx, >+ kdc->task->lp_ctx, >+@@ -81,6 +94,7 @@ static krb5_error_code kpasswd_change_password(struct kdc_server *kdc, >+ >+ static krb5_error_code kpasswd_set_password(struct kdc_server *kdc, >+ TALLOC_CTX *mem_ctx, >++ const struct gensec_security *gensec_security, >+ struct auth_session_info *session_info, >+ DATA_BLOB *decoded_data, >+ DATA_BLOB *kpasswd_reply, >+@@ -173,6 +187,7 @@ static krb5_error_code kpasswd_set_password(struct kdc_server *kdc, >+ free_ChangePasswdDataMS(&chpw); >+ return kpasswd_change_password(kdc, >+ mem_ctx, >++ gensec_security, >+ session_info, >+ &password, >+ kpasswd_reply, >+@@ -272,6 +287,7 @@ krb5_error_code kpasswd_handle_request(struct kdc_server *kdc, >+ >+ return kpasswd_change_password(kdc, >+ mem_ctx, >++ gensec_security, >+ session_info, >+ &password, >+ kpasswd_reply, >+@@ -280,6 +296,7 @@ krb5_error_code kpasswd_handle_request(struct kdc_server *kdc, >+ case KRB5_KPASSWD_VERS_SETPW: { >+ return kpasswd_set_password(kdc, >+ mem_ctx, >++ gensec_security, >+ session_info, >+ decoded_data, >+ kpasswd_reply, >+diff --git source4/kdc/kpasswd-service-mit.c source4/kdc/kpasswd-service-mit.c >+index 9c4d2801669..de4c6f3f622 100644 >+--- source4/kdc/kpasswd-service-mit.c >++++ source4/kdc/kpasswd-service-mit.c >+@@ -24,6 +24,7 @@ >+ #include "param/param.h" >+ #include "auth/auth.h" >+ #include "auth/gensec/gensec.h" >++#include "gensec_krb5_helpers.h" >+ #include "kdc/kdc-server.h" >+ #include "kdc/kpasswd_glue.h" >+ #include "kdc/kpasswd-service.h" >+@@ -84,6 +85,7 @@ out: >+ >+ static krb5_error_code kpasswd_change_password(struct kdc_server *kdc, >+ TALLOC_CTX *mem_ctx, >++ const struct gensec_security *gensec_security, >+ struct auth_session_info *session_info, >+ DATA_BLOB *password, >+ DATA_BLOB *kpasswd_reply, >+@@ -95,6 +97,17 @@ static krb5_error_code kpasswd_change_password(struct kdc_server *kdc, >+ const char *reject_string = NULL; >+ struct samr_DomInfo1 *dominfo; >+ bool ok; >++ int ret; >++ >++ /* >++ * We're doing a password change (rather than a password set), so check >++ * that we were given an initial ticket. >++ */ >++ ret = gensec_krb5_initial_ticket(gensec_security); >++ if (ret != 1) { >++ *error_string = "Expected an initial ticket"; >++ return KRB5_KPASSWD_INITIAL_FLAG_NEEDED; >++ } >+ >+ status = samdb_kpasswd_change_password(mem_ctx, >+ kdc->task->lp_ctx, >+@@ -134,6 +147,7 @@ static krb5_error_code kpasswd_change_password(struct kdc_server *kdc, >+ >+ static krb5_error_code kpasswd_set_password(struct kdc_server *kdc, >+ TALLOC_CTX *mem_ctx, >++ const struct gensec_security *gensec_security, >+ struct auth_session_info *session_info, >+ DATA_BLOB *decoded_data, >+ DATA_BLOB *kpasswd_reply, >+@@ -250,6 +264,7 @@ static krb5_error_code kpasswd_set_password(struct kdc_server *kdc, >+ >+ return kpasswd_change_password(kdc, >+ mem_ctx, >++ gensec_security, >+ session_info, >+ &password, >+ kpasswd_reply, >+@@ -350,6 +365,7 @@ krb5_error_code kpasswd_handle_request(struct kdc_server *kdc, >+ >+ return kpasswd_change_password(kdc, >+ mem_ctx, >++ gensec_security, >+ session_info, >+ &password, >+ kpasswd_reply, >+@@ -358,6 +374,7 @@ krb5_error_code kpasswd_handle_request(struct kdc_server *kdc, >+ case RFC3244_VERSION: { >+ return kpasswd_set_password(kdc, >+ mem_ctx, >++ gensec_security, >+ session_info, >+ decoded_data, >+ kpasswd_reply, >+diff --git source4/kdc/wscript_build source4/kdc/wscript_build >+index 0edca94e75f..13ba3947cf6 100644 >+--- source4/kdc/wscript_build >++++ source4/kdc/wscript_build >+@@ -88,6 +88,7 @@ bld.SAMBA_SUBSYSTEM('KPASSWD-SERVICE', >+ krb5samba >+ samba_server_gensec >+ KPASSWD_GLUE >++ gensec_krb5_helpers >+ ''') >+ >+ bld.SAMBA_SUBSYSTEM('KDC-GLUE', >+-- >+2.25.1 >+ >+ >+From 69e742e6208bd471eb509795bd753a0c98392bf6 Mon Sep 17 00:00:00 2001 >+From: Joseph Sutton <josephsutton@catalyst.net.nz> >+Date: Wed, 18 May 2022 17:11:49 +1200 >+Subject: [PATCH 78/99] s4:kpasswd: Restructure code for clarity >+ >+View with 'git show -b'. >+ >+Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> >+Reviewed-by: Andreas Schneider <asn@samba.org> >+--- >+ source4/kdc/kpasswd-service-heimdal.c | 46 +++++++++++++-------------- >+ 1 file changed, 22 insertions(+), 24 deletions(-) >+ >+diff --git source4/kdc/kpasswd-service-heimdal.c source4/kdc/kpasswd-service-heimdal.c >+index 1a6c2b60d03..a0352d1ad35 100644 >+--- source4/kdc/kpasswd-service-heimdal.c >++++ source4/kdc/kpasswd-service-heimdal.c >+@@ -160,30 +160,7 @@ static krb5_error_code kpasswd_set_password(struct kdc_server *kdc, >+ return 0; >+ } >+ >+- if (chpw.targname != NULL && chpw.targrealm != NULL) { >+- code = krb5_build_principal_ext(context, >+- &target_principal, >+- strlen(*chpw.targrealm), >+- *chpw.targrealm, >+- 0); >+- if (code != 0) { >+- free_ChangePasswdDataMS(&chpw); >+- return kpasswd_make_error_reply(mem_ctx, >+- KRB5_KPASSWD_MALFORMED, >+- "Failed to parse principal", >+- kpasswd_reply); >+- } >+- code = copy_PrincipalName(chpw.targname, >+- &target_principal->name); >+- if (code != 0) { >+- free_ChangePasswdDataMS(&chpw); >+- krb5_free_principal(context, target_principal); >+- return kpasswd_make_error_reply(mem_ctx, >+- KRB5_KPASSWD_MALFORMED, >+- "Failed to parse principal", >+- kpasswd_reply); >+- } >+- } else { >++ if (chpw.targname == NULL || chpw.targrealm == NULL) { >+ free_ChangePasswdDataMS(&chpw); >+ return kpasswd_change_password(kdc, >+ mem_ctx, >+@@ -193,7 +170,28 @@ static krb5_error_code kpasswd_set_password(struct kdc_server *kdc, >+ kpasswd_reply, >+ error_string); >+ } >++ code = krb5_build_principal_ext(context, >++ &target_principal, >++ strlen(*chpw.targrealm), >++ *chpw.targrealm, >++ 0); >++ if (code != 0) { >++ free_ChangePasswdDataMS(&chpw); >++ return kpasswd_make_error_reply(mem_ctx, >++ KRB5_KPASSWD_MALFORMED, >++ "Failed to parse principal", >++ kpasswd_reply); >++ } >++ code = copy_PrincipalName(chpw.targname, >++ &target_principal->name); >+ free_ChangePasswdDataMS(&chpw); >++ if (code != 0) { >++ krb5_free_principal(context, target_principal); >++ return kpasswd_make_error_reply(mem_ctx, >++ KRB5_KPASSWD_MALFORMED, >++ "Failed to parse principal", >++ kpasswd_reply); >++ } >+ >+ if (target_principal->name.name_string.len >= 2) { >+ is_service_principal = true; >+-- >+2.25.1 >+ >+ >+From b5adf7cc6d740c8f4f7b5888f106de24a1181da7 Mon Sep 17 00:00:00 2001 >+From: Andreas Schneider <asn@samba.org> >+Date: Tue, 24 May 2022 10:17:00 +0200 >+Subject: [PATCH 79/99] CVE-2022-2031 testprogs: Fix auth with smbclient and >+ krb5 ccache >+ >+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047 >+ >+Signed-off-by: Andreas Schneider <asn@samba.org> >+Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz> >+ >+[jsutton@samba.org Fixed conflict and renamed --use-krb5-ccache to >+ --krb5-ccache] >+--- >+ testprogs/blackbox/test_kpasswd_heimdal.sh | 4 ++-- >+ 1 file changed, 2 insertions(+), 2 deletions(-) >+ >+diff --git testprogs/blackbox/test_kpasswd_heimdal.sh testprogs/blackbox/test_kpasswd_heimdal.sh >+index 7351ce022d1..1e895daa162 100755 >+--- testprogs/blackbox/test_kpasswd_heimdal.sh >++++ testprogs/blackbox/test_kpasswd_heimdal.sh >+@@ -72,7 +72,7 @@ testit "kinit with user password" \ >+ do_kinit $TEST_PRINCIPAL $TEST_PASSWORD || failed=`expr $failed + 1` >+ >+ test_smbclient "Test login with user kerberos ccache" \ >+- "ls" "$SMB_UNC" -k yes || failed=`expr $failed + 1` >++ "ls" "$SMB_UNC" --krb5-ccache=${KRB5CCNAME} || failed=`expr $failed + 1` >+ >+ testit "change user password with 'samba-tool user password' (unforced)" \ >+ $VALGRIND $PYTHON $samba_tool user password -W$DOMAIN -U$TEST_USERNAME%$TEST_PASSWORD -k no --newpassword=$TEST_PASSWORD_NEW || failed=`expr $failed + 1` >+@@ -85,7 +85,7 @@ testit "kinit with user password" \ >+ do_kinit $TEST_PRINCIPAL $TEST_PASSWORD || failed=`expr $failed + 1` >+ >+ test_smbclient "Test login with user kerberos ccache" \ >+- "ls" "$SMB_UNC" -k yes || failed=`expr $failed + 1` >++ "ls" "$SMB_UNC" --krb5-ccache=${KRB5CCNAME} || failed=`expr $failed + 1` >+ >+ ########################################################### >+ ### check that a short password is rejected >+-- >+2.25.1 >+ >+ >+From 91a1b0955a053f73e6d531f0f12eaa604aca79d7 Mon Sep 17 00:00:00 2001 >+From: Andreas Schneider <asn@samba.org> >+Date: Thu, 19 May 2022 16:35:28 +0200 >+Subject: [PATCH 80/99] CVE-2022-2031 testprogs: Add kadmin/changepw >+ canonicalization test with MIT kpasswd >+ >+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047 >+ >+Signed-off-by: Andreas Schneider <asn@samba.org> >+Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz> >+--- >+ selftest/knownfail.d/kadmin_changepw | 1 + >+ testprogs/blackbox/test_kpasswd_heimdal.sh | 35 +++++++++++++++++++++- >+ 2 files changed, 35 insertions(+), 1 deletion(-) >+ create mode 100644 selftest/knownfail.d/kadmin_changepw >+ >+diff --git selftest/knownfail.d/kadmin_changepw selftest/knownfail.d/kadmin_changepw >+new file mode 100644 >+index 00000000000..97c14793ea5 >+--- /dev/null >++++ selftest/knownfail.d/kadmin_changepw >+@@ -0,0 +1 @@ >++^samba4.blackbox.kpasswd.MIT kpasswd.change.user.password >+diff --git testprogs/blackbox/test_kpasswd_heimdal.sh testprogs/blackbox/test_kpasswd_heimdal.sh >+index 1e895daa162..059b7a8e4d1 100755 >+--- testprogs/blackbox/test_kpasswd_heimdal.sh >++++ testprogs/blackbox/test_kpasswd_heimdal.sh >+@@ -7,7 +7,7 @@ >+ >+ if [ $# -lt 6 ]; then >+ cat <<EOF >+-Usage: test_passwords.sh SERVER USERNAME PASSWORD REALM DOMAIN PREFIX SMBCLIENT >++Usage: test_kpasswd_heimdal.sh SERVER USERNAME PASSWORD REALM DOMAIN PREFIX SMBCLIENT >+ EOF >+ exit 1; >+ fi >+@@ -27,6 +27,8 @@ smbclient="$samba_bindir/smbclient" >+ samba_kinit=$samba_bindir/samba4kinit >+ samba_kpasswd=$samba_bindir/samba4kpasswd >+ >++mit_kpasswd="$(command -v kpasswd)" >++ >+ samba_tool="$samba_bindir/samba-tool" >+ net_tool="$samba_bindir/net" >+ texpect="$samba_bindir/texpect" >+@@ -142,6 +144,37 @@ testit "kpasswd change user password" \ >+ TEST_PASSWORD=$TEST_PASSWORD_NEW >+ TEST_PASSWORD_NEW="testPaSS@03%" >+ >++########################################################### >++### CVE-2022-XXXXX >++########################################################### >++ >++if [ -n "${mit_kpasswd}" ]; then >++ cat > "${PREFIX}/tmpkpasswdscript" <<EOF >++expect Password for ${TEST_PRINCIPAL} >++password ${TEST_PASSWORD}\n >++expect Enter new password >++send ${TEST_PASSWORD_NEW}\n >++expect Enter it again >++send ${TEST_PASSWORD_NEW}\n >++expect Password changed. >++EOF >++ >++ SAVE_KRB5_CONFIG="${KRB5_CONFIG}" >++ KRB5_CONFIG="${PREFIX}/tmpkrb5.conf" >++ export KRB5_CONFIG >++ sed -e 's/\[libdefaults\]/[libdefaults]\n canonicalize = yes/' \ >++ "${SAVE_KRB5_CONFIG}" > "${KRB5_CONFIG}" >++ testit "MIT kpasswd change user password" \ >++ "${texpect}" "${PREFIX}/tmpkpasswdscript" "${mit_kpasswd}" \ >++ "${TEST_PRINCIPAL}" || >++ failed=$((failed + 1)) >++ KRB5_CONFIG="${SAVE_KRB5_CONFIG}" >++ export KRB5_CONFIG >++fi >++ >++TEST_PASSWORD="${TEST_PASSWORD_NEW}" >++TEST_PASSWORD_NEW="testPaSS@03force%" >++ >+ ########################################################### >+ ### Force password change at login >+ ########################################################### >+-- >+2.25.1 >+ >+ >+From 36d94ffb9c99f3e515024424020e3e03e98f34f5 Mon Sep 17 00:00:00 2001 >+From: Andreas Schneider <asn@samba.org> >+Date: Tue, 24 May 2022 09:54:18 +0200 >+Subject: [PATCH 81/99] CVE-2022-2031 s4:kdc: Implement is_kadmin_changepw() >+ helper function >+ >+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047 >+ >+Signed-off-by: Andreas Schneider <asn@samba.org> >+Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz> >+ >+[jsutton@samba.org Adapted entry to entry_ex->entry] >+--- >+ source4/kdc/db-glue.c | 16 +++++++++++----- >+ 1 file changed, 11 insertions(+), 5 deletions(-) >+ >+diff --git source4/kdc/db-glue.c source4/kdc/db-glue.c >+index 5752ffb821c..45159e6e64d 100644 >+--- source4/kdc/db-glue.c >++++ source4/kdc/db-glue.c >+@@ -816,6 +816,14 @@ static int principal_comp_strcmp(krb5_context context, >+ component, string, false); >+ } >+ >++static bool is_kadmin_changepw(krb5_context context, >++ krb5_const_principal principal) >++{ >++ return krb5_princ_size(context, principal) == 2 && >++ (principal_comp_strcmp(context, principal, 0, "kadmin") == 0) && >++ (principal_comp_strcmp(context, principal, 1, "changepw") == 0); >++} >++ >+ /* >+ * Construct an hdb_entry from a directory entry. >+ */ >+@@ -1110,11 +1118,9 @@ static krb5_error_code samba_kdc_message2entry(krb5_context context, >+ * 'change password', as otherwise we could get into >+ * trouble, and not enforce the password expirty. >+ * Instead, only do it when request is for the kpasswd service */ >+- if (ent_type == SAMBA_KDC_ENT_TYPE_SERVER >+- && krb5_princ_size(context, principal) == 2 >+- && (principal_comp_strcmp(context, principal, 0, "kadmin") == 0) >+- && (principal_comp_strcmp(context, principal, 1, "changepw") == 0) >+- && lpcfg_is_my_domain_or_realm(lp_ctx, realm)) { >++ if (ent_type == SAMBA_KDC_ENT_TYPE_SERVER && >++ is_kadmin_changepw(context, principal) && >++ lpcfg_is_my_domain_or_realm(lp_ctx, realm)) { >+ entry_ex->entry.flags.change_pw = 1; >+ } >+ >+-- >+2.25.1 >+ >+ >+From f68877af829bf73da8e965c9458a9846d1757038 Mon Sep 17 00:00:00 2001 >+From: Joseph Sutton <josephsutton@catalyst.net.nz> >+Date: Wed, 18 May 2022 16:56:01 +1200 >+Subject: [PATCH 82/99] CVE-2022-2031 s4:kdc: Split out a >+ samba_kdc_get_entry_principal() function >+ >+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047 >+ >+Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> >+Reviewed-by: Andreas Schneider <asn@samba.org> >+ >+[jsutton@samba.org Adapted entry to entry_ex->entry] >+ >+[jsutton@samba.org Fixed conflicts caused by superfluous whitespace] >+--- >+ source4/kdc/db-glue.c | 192 +++++++++++++++++++++++------------------- >+ 1 file changed, 107 insertions(+), 85 deletions(-) >+ >+diff --git source4/kdc/db-glue.c source4/kdc/db-glue.c >+index 45159e6e64d..ac0c206b5c1 100644 >+--- source4/kdc/db-glue.c >++++ source4/kdc/db-glue.c >+@@ -824,6 +824,101 @@ static bool is_kadmin_changepw(krb5_context context, >+ (principal_comp_strcmp(context, principal, 1, "changepw") == 0); >+ } >+ >++static krb5_error_code samba_kdc_get_entry_principal( >++ krb5_context context, >++ struct samba_kdc_db_context *kdc_db_ctx, >++ const char *samAccountName, >++ enum samba_kdc_ent_type ent_type, >++ unsigned flags, >++ krb5_const_principal in_princ, >++ krb5_principal *out_princ) >++{ >++ struct loadparm_context *lp_ctx = kdc_db_ctx->lp_ctx; >++ krb5_error_code ret = 0; >++ >++ /* >++ * If we are set to canonicalize, we get back the fixed UPPER >++ * case realm, and the real username (ie matching LDAP >++ * samAccountName) >++ * >++ * Otherwise, if we are set to enterprise, we >++ * get back the whole principal as-sent >++ * >++ * Finally, if we are not set to canonicalize, we get back the >++ * fixed UPPER case realm, but the as-sent username >++ */ >++ >++ if (ent_type == SAMBA_KDC_ENT_TYPE_KRBTGT) { >++ if (flags & (SDB_F_CANON|SDB_F_FORCE_CANON)) { >++ /* >++ * When requested to do so, ensure that the >++ * both realm values in the principal are set >++ * to the upper case, canonical realm >++ */ >++ ret = smb_krb5_make_principal(context, out_princ, >++ lpcfg_realm(lp_ctx), "krbtgt", >++ lpcfg_realm(lp_ctx), NULL); >++ if (ret) { >++ return ret; >++ } >++ smb_krb5_principal_set_type(context, *out_princ, KRB5_NT_SRV_INST); >++ } else { >++ ret = krb5_copy_principal(context, in_princ, out_princ); >++ if (ret) { >++ return ret; >++ } >++ /* >++ * this appears to be required regardless of >++ * the canonicalize flag from the client >++ */ >++ ret = smb_krb5_principal_set_realm(context, *out_princ, lpcfg_realm(lp_ctx)); >++ if (ret) { >++ return ret; >++ } >++ } >++ >++ } else if (ent_type == SAMBA_KDC_ENT_TYPE_ANY && in_princ == NULL) { >++ ret = smb_krb5_make_principal(context, out_princ, lpcfg_realm(lp_ctx), samAccountName, NULL); >++ if (ret) { >++ return ret; >++ } >++ } else if ((flags & SDB_F_FORCE_CANON) || >++ ((flags & SDB_F_CANON) && (flags & SDB_F_FOR_AS_REQ))) { >++ /* >++ * SDB_F_CANON maps from the canonicalize flag in the >++ * packet, and has a different meaning between AS-REQ >++ * and TGS-REQ. We only change the principal in the AS-REQ case >++ * >++ * The SDB_F_FORCE_CANON if for new MIT KDC code that wants >++ * the canonical name in all lookups, and takes care to >++ * canonicalize only when appropriate. >++ */ >++ ret = smb_krb5_make_principal(context, out_princ, lpcfg_realm(lp_ctx), samAccountName, NULL); >++ if (ret) { >++ return ret; >++ } >++ } else { >++ ret = krb5_copy_principal(context, in_princ, out_princ); >++ if (ret) { >++ return ret; >++ } >++ >++ /* While we have copied the client principal, tests >++ * show that Win2k3 returns the 'corrected' realm, not >++ * the client-specified realm. This code attempts to >++ * replace the client principal's realm with the one >++ * we determine from our records */ >++ >++ /* this has to be with malloc() */ >++ ret = smb_krb5_principal_set_realm(context, *out_princ, lpcfg_realm(lp_ctx)); >++ if (ret) { >++ return ret; >++ } >++ } >++ >++ return 0; >++} >++ >+ /* >+ * Construct an hdb_entry from a directory entry. >+ */ >+@@ -913,93 +1008,8 @@ static krb5_error_code samba_kdc_message2entry(krb5_context context, >+ userAccountControl |= msDS_User_Account_Control_Computed; >+ } >+ >+- /* >+- * If we are set to canonicalize, we get back the fixed UPPER >+- * case realm, and the real username (ie matching LDAP >+- * samAccountName) >+- * >+- * Otherwise, if we are set to enterprise, we >+- * get back the whole principal as-sent >+- * >+- * Finally, if we are not set to canonicalize, we get back the >+- * fixed UPPER case realm, but the as-sent username >+- */ >+- >+ if (ent_type == SAMBA_KDC_ENT_TYPE_KRBTGT) { >+ p->is_krbtgt = true; >+- >+- if (flags & (SDB_F_CANON|SDB_F_FORCE_CANON)) { >+- /* >+- * When requested to do so, ensure that the >+- * both realm values in the principal are set >+- * to the upper case, canonical realm >+- */ >+- ret = smb_krb5_make_principal(context, &entry_ex->entry.principal, >+- lpcfg_realm(lp_ctx), "krbtgt", >+- lpcfg_realm(lp_ctx), NULL); >+- if (ret) { >+- krb5_clear_error_message(context); >+- goto out; >+- } >+- smb_krb5_principal_set_type(context, entry_ex->entry.principal, KRB5_NT_SRV_INST); >+- } else { >+- ret = krb5_copy_principal(context, principal, &entry_ex->entry.principal); >+- if (ret) { >+- krb5_clear_error_message(context); >+- goto out; >+- } >+- /* >+- * this appears to be required regardless of >+- * the canonicalize flag from the client >+- */ >+- ret = smb_krb5_principal_set_realm(context, entry_ex->entry.principal, lpcfg_realm(lp_ctx)); >+- if (ret) { >+- krb5_clear_error_message(context); >+- goto out; >+- } >+- } >+- >+- } else if (ent_type == SAMBA_KDC_ENT_TYPE_ANY && principal == NULL) { >+- ret = smb_krb5_make_principal(context, &entry_ex->entry.principal, lpcfg_realm(lp_ctx), samAccountName, NULL); >+- if (ret) { >+- krb5_clear_error_message(context); >+- goto out; >+- } >+- } else if ((flags & SDB_F_FORCE_CANON) || >+- ((flags & SDB_F_CANON) && (flags & SDB_F_FOR_AS_REQ))) { >+- /* >+- * SDB_F_CANON maps from the canonicalize flag in the >+- * packet, and has a different meaning between AS-REQ >+- * and TGS-REQ. We only change the principal in the AS-REQ case >+- * >+- * The SDB_F_FORCE_CANON if for new MIT KDC code that wants >+- * the canonical name in all lookups, and takes care to >+- * canonicalize only when appropriate. >+- */ >+- ret = smb_krb5_make_principal(context, &entry_ex->entry.principal, lpcfg_realm(lp_ctx), samAccountName, NULL); >+- if (ret) { >+- krb5_clear_error_message(context); >+- goto out; >+- } >+- } else { >+- ret = krb5_copy_principal(context, principal, &entry_ex->entry.principal); >+- if (ret) { >+- krb5_clear_error_message(context); >+- goto out; >+- } >+- >+- /* While we have copied the client principal, tests >+- * show that Win2k3 returns the 'corrected' realm, not >+- * the client-specified realm. This code attempts to >+- * replace the client principal's realm with the one >+- * we determine from our records */ >+- >+- /* this has to be with malloc() */ >+- ret = smb_krb5_principal_set_realm(context, entry_ex->entry.principal, lpcfg_realm(lp_ctx)); >+- if (ret) { >+- krb5_clear_error_message(context); >+- goto out; >+- } >+ } >+ >+ /* First try and figure out the flags based on the userAccountControl */ >+@@ -1185,6 +1195,18 @@ static krb5_error_code samba_kdc_message2entry(krb5_context context, >+ } >+ } >+ >++ ret = samba_kdc_get_entry_principal(context, >++ kdc_db_ctx, >++ samAccountName, >++ ent_type, >++ flags, >++ principal, >++ &entry_ex->entry.principal); >++ if (ret != 0) { >++ krb5_clear_error_message(context); >++ goto out; >++ } >++ >+ entry_ex->entry.valid_start = NULL; >+ >+ entry_ex->entry.max_life = malloc(sizeof(*entry_ex->entry.max_life)); >+-- >+2.25.1 >+ >+ >+From fa4742e1b9dea0b9c379f00666478bd41c021634 Mon Sep 17 00:00:00 2001 >+From: Joseph Sutton <josephsutton@catalyst.net.nz> >+Date: Wed, 25 May 2022 17:19:58 +1200 >+Subject: [PATCH 83/99] CVE-2022-2031 s4:kdc: Refactor >+ samba_kdc_get_entry_principal() >+ >+This eliminates some duplicate branches. >+ >+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047 >+ >+Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> >+Pair-Programmed-With: Andreas Schneider <asn@samba.org> >+Reviewed-by: Andreas Schneider <asn@samba.org> >+--- >+ source4/kdc/db-glue.c | 116 ++++++++++++++++++++---------------------- >+ 1 file changed, 55 insertions(+), 61 deletions(-) >+ >+diff --git source4/kdc/db-glue.c source4/kdc/db-glue.c >+index ac0c206b5c1..385c118a073 100644 >+--- source4/kdc/db-glue.c >++++ source4/kdc/db-glue.c >+@@ -834,7 +834,8 @@ static krb5_error_code samba_kdc_get_entry_principal( >+ krb5_principal *out_princ) >+ { >+ struct loadparm_context *lp_ctx = kdc_db_ctx->lp_ctx; >+- krb5_error_code ret = 0; >++ krb5_error_code code = 0; >++ bool canon = flags & (SDB_F_CANON|SDB_F_FORCE_CANON); >+ >+ /* >+ * If we are set to canonicalize, we get back the fixed UPPER >+@@ -848,75 +849,68 @@ static krb5_error_code samba_kdc_get_entry_principal( >+ * fixed UPPER case realm, but the as-sent username >+ */ >+ >+- if (ent_type == SAMBA_KDC_ENT_TYPE_KRBTGT) { >+- if (flags & (SDB_F_CANON|SDB_F_FORCE_CANON)) { >+- /* >+- * When requested to do so, ensure that the >+- * both realm values in the principal are set >+- * to the upper case, canonical realm >+- */ >+- ret = smb_krb5_make_principal(context, out_princ, >+- lpcfg_realm(lp_ctx), "krbtgt", >+- lpcfg_realm(lp_ctx), NULL); >+- if (ret) { >+- return ret; >+- } >+- smb_krb5_principal_set_type(context, *out_princ, KRB5_NT_SRV_INST); >+- } else { >+- ret = krb5_copy_principal(context, in_princ, out_princ); >+- if (ret) { >+- return ret; >+- } >+- /* >+- * this appears to be required regardless of >+- * the canonicalize flag from the client >+- */ >+- ret = smb_krb5_principal_set_realm(context, *out_princ, lpcfg_realm(lp_ctx)); >+- if (ret) { >+- return ret; >+- } >+- } >++ if (ent_type == SAMBA_KDC_ENT_TYPE_KRBTGT && canon) { >++ /* >++ * When requested to do so, ensure that the >++ * both realm values in the principal are set >++ * to the upper case, canonical realm >++ */ >++ code = smb_krb5_make_principal(context, >++ out_princ, >++ lpcfg_realm(lp_ctx), >++ "krbtgt", >++ lpcfg_realm(lp_ctx), >++ NULL); >++ if (code != 0) { >++ return code; >++ } >++ smb_krb5_principal_set_type(context, >++ *out_princ, >++ KRB5_NT_SRV_INST); >+ >+- } else if (ent_type == SAMBA_KDC_ENT_TYPE_ANY && in_princ == NULL) { >+- ret = smb_krb5_make_principal(context, out_princ, lpcfg_realm(lp_ctx), samAccountName, NULL); >+- if (ret) { >+- return ret; >+- } >+- } else if ((flags & SDB_F_FORCE_CANON) || >+- ((flags & SDB_F_CANON) && (flags & SDB_F_FOR_AS_REQ))) { >++ return 0; >++ } >++ >++ if ((canon && flags & (SDB_F_FORCE_CANON|SDB_F_FOR_AS_REQ)) || >++ (ent_type == SAMBA_KDC_ENT_TYPE_ANY && in_princ == NULL)) { >+ /* >+ * SDB_F_CANON maps from the canonicalize flag in the >+ * packet, and has a different meaning between AS-REQ >+- * and TGS-REQ. We only change the principal in the AS-REQ case >++ * and TGS-REQ. We only change the principal in the >++ * AS-REQ case. >+ * >+- * The SDB_F_FORCE_CANON if for new MIT KDC code that wants >+- * the canonical name in all lookups, and takes care to >+- * canonicalize only when appropriate. >++ * The SDB_F_FORCE_CANON if for new MIT KDC code that >++ * wants the canonical name in all lookups, and takes >++ * care to canonicalize only when appropriate. >+ */ >+- ret = smb_krb5_make_principal(context, out_princ, lpcfg_realm(lp_ctx), samAccountName, NULL); >+- if (ret) { >+- return ret; >+- } >+- } else { >+- ret = krb5_copy_principal(context, in_princ, out_princ); >+- if (ret) { >+- return ret; >+- } >+- >+- /* While we have copied the client principal, tests >+- * show that Win2k3 returns the 'corrected' realm, not >+- * the client-specified realm. This code attempts to >+- * replace the client principal's realm with the one >+- * we determine from our records */ >++ code = smb_krb5_make_principal(context, >++ out_princ, >++ lpcfg_realm(lp_ctx), >++ samAccountName, >++ NULL); >++ return code; >++ } >+ >+- /* this has to be with malloc() */ >+- ret = smb_krb5_principal_set_realm(context, *out_princ, lpcfg_realm(lp_ctx)); >+- if (ret) { >+- return ret; >+- } >++ /* >++ * For a krbtgt entry, this appears to be required regardless of the >++ * canonicalize flag from the client. >++ */ >++ code = krb5_copy_principal(context, in_princ, out_princ); >++ if (code != 0) { >++ return code; >+ } >+ >+- return 0; >++ /* >++ * While we have copied the client principal, tests show that Win2k3 >++ * returns the 'corrected' realm, not the client-specified realm. This >++ * code attempts to replace the client principal's realm with the one >++ * we determine from our records >++ */ >++ code = smb_krb5_principal_set_realm(context, >++ *out_princ, >++ lpcfg_realm(lp_ctx)); >++ >++ return code; >+ } >+ >+ /* >+-- >+2.25.1 >+ >+ >+From 3cab62893668742781551dae6505558e47cf08b5 Mon Sep 17 00:00:00 2001 >+From: Joseph Sutton <josephsutton@catalyst.net.nz> >+Date: Wed, 18 May 2022 16:56:01 +1200 >+Subject: [PATCH 84/99] CVE-2022-2031 s4:kdc: Fix canonicalisation of >+ kadmin/changepw principal >+ >+Since this principal goes through the samba_kdc_fetch_server() path, >+setting the canonicalisation flag would cause the principal to be >+replaced with the sAMAccountName; this meant requests to >+kadmin/changepw@REALM would result in a ticket to krbtgt@REALM. Now we >+properly handle canonicalisation for the kadmin/changepw principal. >+ >+View with 'git show -b'. >+ >+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047 >+ >+Pair-Programmed-With: Andreas Schneider <asn@samba.org> >+Signed-off-by: Andreas Schneider <asn@samba.org> >+Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> >+Reviewed-by: Andreas Schneider <asn@samba.org> >+ >+[jsutton@samba.org Adapted entry to entry_ex->entry; removed MIT KDC >+ 1.20-specific knownfails] >+--- >+ selftest/knownfail.d/kadmin_changepw | 1 - >+ selftest/knownfail_heimdal_kdc | 2 - >+ source4/kdc/db-glue.c | 84 +++++++++++++++------------- >+ 3 files changed, 46 insertions(+), 41 deletions(-) >+ delete mode 100644 selftest/knownfail.d/kadmin_changepw >+ >+diff --git selftest/knownfail.d/kadmin_changepw selftest/knownfail.d/kadmin_changepw >+deleted file mode 100644 >+index 97c14793ea5..00000000000 >+--- selftest/knownfail.d/kadmin_changepw >++++ /dev/null >+@@ -1 +0,0 @@ >+-^samba4.blackbox.kpasswd.MIT kpasswd.change.user.password >+diff --git selftest/knownfail_heimdal_kdc selftest/knownfail_heimdal_kdc >+index 5cd8615f6a9..49ab29f115d 100644 >+--- selftest/knownfail_heimdal_kdc >++++ selftest/knownfail_heimdal_kdc >+@@ -274,8 +274,6 @@ >+ # >+ # Kpasswd tests >+ # >+-^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_canonicalize.ad_dc >+-^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_canonicalize_realm_case.ad_dc >+ ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_from_rodc.ad_dc >+ ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_ticket_lifetime.ad_dc >+ ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_ticket_requester_sid_tgs.ad_dc >+diff --git source4/kdc/db-glue.c source4/kdc/db-glue.c >+index 385c118a073..d2d7136608e 100644 >+--- source4/kdc/db-glue.c >++++ source4/kdc/db-glue.c >+@@ -830,6 +830,7 @@ static krb5_error_code samba_kdc_get_entry_principal( >+ const char *samAccountName, >+ enum samba_kdc_ent_type ent_type, >+ unsigned flags, >++ bool is_kadmin_changepw, >+ krb5_const_principal in_princ, >+ krb5_principal *out_princ) >+ { >+@@ -849,46 +850,52 @@ static krb5_error_code samba_kdc_get_entry_principal( >+ * fixed UPPER case realm, but the as-sent username >+ */ >+ >+- if (ent_type == SAMBA_KDC_ENT_TYPE_KRBTGT && canon) { >+- /* >+- * When requested to do so, ensure that the >+- * both realm values in the principal are set >+- * to the upper case, canonical realm >+- */ >+- code = smb_krb5_make_principal(context, >+- out_princ, >+- lpcfg_realm(lp_ctx), >+- "krbtgt", >+- lpcfg_realm(lp_ctx), >+- NULL); >+- if (code != 0) { >+- return code; >+- } >+- smb_krb5_principal_set_type(context, >+- *out_princ, >+- KRB5_NT_SRV_INST); >++ /* >++ * We need to ensure that the kadmin/changepw principal isn't able to >++ * issue krbtgt tickets, even if canonicalization is turned on. >++ */ >++ if (!is_kadmin_changepw) { >++ if (ent_type == SAMBA_KDC_ENT_TYPE_KRBTGT && canon) { >++ /* >++ * When requested to do so, ensure that the >++ * both realm values in the principal are set >++ * to the upper case, canonical realm >++ */ >++ code = smb_krb5_make_principal(context, >++ out_princ, >++ lpcfg_realm(lp_ctx), >++ "krbtgt", >++ lpcfg_realm(lp_ctx), >++ NULL); >++ if (code != 0) { >++ return code; >++ } >++ smb_krb5_principal_set_type(context, >++ *out_princ, >++ KRB5_NT_SRV_INST); >+ >+- return 0; >+- } >++ return 0; >++ } >+ >+- if ((canon && flags & (SDB_F_FORCE_CANON|SDB_F_FOR_AS_REQ)) || >+- (ent_type == SAMBA_KDC_ENT_TYPE_ANY && in_princ == NULL)) { >+- /* >+- * SDB_F_CANON maps from the canonicalize flag in the >+- * packet, and has a different meaning between AS-REQ >+- * and TGS-REQ. We only change the principal in the >+- * AS-REQ case. >+- * >+- * The SDB_F_FORCE_CANON if for new MIT KDC code that >+- * wants the canonical name in all lookups, and takes >+- * care to canonicalize only when appropriate. >+- */ >+- code = smb_krb5_make_principal(context, >+- out_princ, >+- lpcfg_realm(lp_ctx), >+- samAccountName, >+- NULL); >+- return code; >++ if ((canon && flags & (SDB_F_FORCE_CANON|SDB_F_FOR_AS_REQ)) || >++ (ent_type == SAMBA_KDC_ENT_TYPE_ANY && in_princ == NULL)) { >++ /* >++ * SDB_F_CANON maps from the canonicalize flag in the >++ * packet, and has a different meaning between AS-REQ >++ * and TGS-REQ. We only change the principal in the >++ * AS-REQ case. >++ * >++ * The SDB_F_FORCE_CANON if for new MIT KDC code that >++ * wants the canonical name in all lookups, and takes >++ * care to canonicalize only when appropriate. >++ */ >++ code = smb_krb5_make_principal(context, >++ out_princ, >++ lpcfg_realm(lp_ctx), >++ samAccountName, >++ NULL); >++ return code; >++ } >+ } >+ >+ /* >+@@ -1194,6 +1201,7 @@ static krb5_error_code samba_kdc_message2entry(krb5_context context, >+ samAccountName, >+ ent_type, >+ flags, >++ entry_ex->entry.flags.change_pw, >+ principal, >+ &entry_ex->entry.principal); >+ if (ret != 0) { >+-- >+2.25.1 >+ >+ >+From 531e7b596d35785bee61f3b4289e38ece1530f94 Mon Sep 17 00:00:00 2001 >+From: Joseph Sutton <josephsutton@catalyst.net.nz> >+Date: Tue, 24 May 2022 17:53:49 +1200 >+Subject: [PATCH 85/99] CVE-2022-2031 s4:kdc: Limit kpasswd ticket lifetime to >+ two minutes or less >+ >+This matches the behaviour of Windows. >+ >+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047 >+ >+Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> >+Reviewed-by: Andreas Schneider <asn@samba.org> >+ >+[jsutton@samba.org Adapted entry to entry_ex->entry; included >+ samba_kdc.h header file] >+ >+[jsutton@samba.org Fixed conflicts] >+--- >+ selftest/knownfail_heimdal_kdc | 1 - >+ selftest/knownfail_mit_kdc | 1 - >+ source4/kdc/db-glue.c | 5 +++++ >+ source4/kdc/mit-kdb/kdb_samba_principals.c | 2 +- >+ source4/kdc/samba_kdc.h | 2 ++ >+ 5 files changed, 8 insertions(+), 3 deletions(-) >+ >+diff --git selftest/knownfail_heimdal_kdc selftest/knownfail_heimdal_kdc >+index 49ab29f115d..387ccea3ba7 100644 >+--- selftest/knownfail_heimdal_kdc >++++ selftest/knownfail_heimdal_kdc >+@@ -275,7 +275,6 @@ >+ # Kpasswd tests >+ # >+ ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_from_rodc.ad_dc >+-^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_ticket_lifetime.ad_dc >+ ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_ticket_requester_sid_tgs.ad_dc >+ ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_wrong_key.ad_dc >+ ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_wrong_key_server.ad_dc >+diff --git selftest/knownfail_mit_kdc selftest/knownfail_mit_kdc >+index 46b0f1fa9ed..c2a31b4a140 100644 >+--- selftest/knownfail_mit_kdc >++++ selftest/knownfail_mit_kdc >+@@ -580,7 +580,6 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_ >+ # >+ ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_canonicalize_realm_case.ad_dc >+ ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_no_canonicalize_realm_case.ad_dc >+-^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_ticket_lifetime.ad_dc >+ ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_ticket_requester_sid_tgs.ad_dc >+ ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_wrong_key_server.ad_dc >+ ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_wrong_key_service.ad_dc >+diff --git source4/kdc/db-glue.c source4/kdc/db-glue.c >+index d2d7136608e..073ec83c8cf 100644 >+--- source4/kdc/db-glue.c >++++ source4/kdc/db-glue.c >+@@ -1226,6 +1226,11 @@ static krb5_error_code samba_kdc_message2entry(krb5_context context, >+ kdc_db_ctx->policy.usr_tkt_lifetime); >+ } >+ >++ if (entry_ex->entry.flags.change_pw) { >++ /* Limit lifetime of kpasswd tickets to two minutes or less. */ >++ *entry_ex->entry.max_life = MIN(*entry_ex->entry.max_life, CHANGEPW_LIFETIME); >++ } >++ >+ entry_ex->entry.max_renew = malloc(sizeof(*entry_ex->entry.max_life)); >+ if (entry_ex->entry.max_renew == NULL) { >+ ret = ENOMEM; >+diff --git source4/kdc/mit-kdb/kdb_samba_principals.c source4/kdc/mit-kdb/kdb_samba_principals.c >+index cc67c2392be..2059ffa855e 100644 >+--- source4/kdc/mit-kdb/kdb_samba_principals.c >++++ source4/kdc/mit-kdb/kdb_samba_principals.c >+@@ -27,11 +27,11 @@ >+ #include <profile.h> >+ #include <kdb.h> >+ >++#include "kdc/samba_kdc.h" >+ #include "kdc/mit_samba.h" >+ #include "kdb_samba.h" >+ >+ #define ADMIN_LIFETIME 60*60*3 /* 3 hours */ >+-#define CHANGEPW_LIFETIME 60*5 /* 5 minutes */ >+ >+ krb5_error_code ks_get_principal(krb5_context context, >+ krb5_const_principal principal, >+diff --git source4/kdc/samba_kdc.h source4/kdc/samba_kdc.h >+index e228a82ce6a..8010d7c35ed 100644 >+--- source4/kdc/samba_kdc.h >++++ source4/kdc/samba_kdc.h >+@@ -62,4 +62,6 @@ struct samba_kdc_entry { >+ >+ extern struct hdb_method hdb_samba4_interface; >+ >++#define CHANGEPW_LIFETIME 60*2 /* 2 minutes */ >++ >+ #endif /* _SAMBA_KDC_H_ */ >+-- >+2.25.1 >+ >+ >+From abdac4241dd08dd90a08db877edd799f3833c2b4 Mon Sep 17 00:00:00 2001 >+From: Joseph Sutton <josephsutton@catalyst.net.nz> >+Date: Mon, 30 May 2022 19:18:17 +1200 >+Subject: [PATCH 86/99] CVE-2022-2031 s4:kdc: Reject tickets during the last >+ two minutes of their life >+ >+For Heimdal, this now matches the behaviour of Windows. The object of >+this requirement is to ensure we don't allow kpasswd tickets, not having >+a lifetime of more than two minutes, to be passed off as TGTs. >+ >+An existing requirement for TGTs to contain a REQUESTER_SID PAC buffer >+suffices to prevent kpasswd ticket misuse, so this is just an additional >+precaution on top. >+ >+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047 >+ >+Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> >+Reviewed-by: Andreas Schneider <asn@samba.org> >+ >+[jsutton@samba.org As we don't have access to the ticket or the request >+ in the plugin, rewrote check directly in Heimdal KDC] >+--- >+ selftest/knownfail_heimdal_kdc | 1 - >+ source4/heimdal/kdc/krb5tgs.c | 19 ++++++++++++++++++- >+ 2 files changed, 18 insertions(+), 2 deletions(-) >+ >+diff --git selftest/knownfail_heimdal_kdc selftest/knownfail_heimdal_kdc >+index 387ccea3ba7..afb9bcf1209 100644 >+--- selftest/knownfail_heimdal_kdc >++++ selftest/knownfail_heimdal_kdc >+@@ -275,7 +275,6 @@ >+ # Kpasswd tests >+ # >+ ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_from_rodc.ad_dc >+-^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_ticket_requester_sid_tgs.ad_dc >+ ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_wrong_key.ad_dc >+ ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_wrong_key_server.ad_dc >+ ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_wrong_key_service.ad_dc >+diff --git source4/heimdal/kdc/krb5tgs.c source4/heimdal/kdc/krb5tgs.c >+index 38dba8493ae..15be136496f 100644 >+--- source4/heimdal/kdc/krb5tgs.c >++++ source4/heimdal/kdc/krb5tgs.c >+@@ -33,6 +33,9 @@ >+ >+ #include "kdc_locl.h" >+ >++/* Awful hack to get access to 'struct samba_kdc_entry'. */ >++#include "../../kdc/samba_kdc.h" >++ >+ /* >+ * return the realm of a krbtgt-ticket or NULL >+ */ >+@@ -130,6 +133,7 @@ check_PAC(krb5_context context, >+ static krb5_error_code >+ check_tgs_flags(krb5_context context, >+ krb5_kdc_configuration *config, >++ const hdb_entry_ex *krbtgt_in, >+ KDC_REQ_BODY *b, const EncTicketPart *tgt, EncTicketPart *et) >+ { >+ KDCOptions f = b->kdc_options; >+@@ -244,6 +248,17 @@ check_tgs_flags(krb5_context context, >+ et->endtime = min(*et->renew_till, et->endtime); >+ } >+ >++ if (tgt->endtime - kdc_time <= CHANGEPW_LIFETIME) { >++ /* Check that the ticket has not arrived across a trust. */ >++ const struct samba_kdc_entry *skdc_entry = krbtgt_in->ctx; >++ if (!skdc_entry->is_trust) { >++ /* This may be a kpasswd ticket rather than a TGT, so don't accept it. */ >++ kdc_log(context, config, 0, >++ "Ticket is not a ticket-granting ticket"); >++ return KRB5KRB_AP_ERR_TKT_EXPIRED; >++ } >++ } >++ >+ #if 0 >+ /* checks for excess flags */ >+ if(f.request_anonymous && !config->allow_anonymous){ >+@@ -510,6 +525,7 @@ tgs_make_reply(krb5_context context, >+ hdb_entry_ex *client, >+ krb5_principal client_principal, >+ const char *tgt_realm, >++ const hdb_entry_ex *krbtgt_in, >+ hdb_entry_ex *krbtgt, >+ krb5_pac mspac, >+ uint16_t rodc_id, >+@@ -538,7 +554,7 @@ tgs_make_reply(krb5_context context, >+ ALLOC(et.starttime); >+ *et.starttime = kdc_time; >+ >+- ret = check_tgs_flags(context, config, b, tgt, &et); >++ ret = check_tgs_flags(context, config, krbtgt_in, b, tgt, &et); >+ if(ret) >+ goto out; >+ >+@@ -2129,6 +2145,7 @@ server_lookup: >+ client, >+ cp, >+ tgt_realm, >++ krbtgt, >+ krbtgt_out, >+ mspac, >+ rodc_id, >+-- >+2.25.1 >+ >+ >+From 389851bcf399f9511e2cb797350c37ce91aa5849 Mon Sep 17 00:00:00 2001 >+From: Joseph Sutton <josephsutton@catalyst.net.nz> >+Date: Tue, 14 Jun 2022 15:23:55 +1200 >+Subject: [PATCH 87/99] CVE-2022-2031 tests/krb5: Test truncated forms of >+ server principals >+ >+We should not be able to use krb@REALM instead of krbtgt@REALM. >+ >+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047 >+ >+Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> >+Reviewed-by: Andreas Schneider <asn@samba.org> >+ >+[jsutton@samba.org Fixed conflicts due to having older version of >+ _run_as_req_enc_timestamp()] >+--- >+ python/samba/tests/krb5/as_req_tests.py | 40 ++++++++++++++++++++++--- >+ selftest/knownfail_heimdal_kdc | 4 +++ >+ selftest/knownfail_mit_kdc | 4 +++ >+ 3 files changed, 44 insertions(+), 4 deletions(-) >+ >+diff --git python/samba/tests/krb5/as_req_tests.py python/samba/tests/krb5/as_req_tests.py >+index 315720f85d6..054a49b64aa 100755 >+--- python/samba/tests/krb5/as_req_tests.py >++++ python/samba/tests/krb5/as_req_tests.py >+@@ -27,6 +27,7 @@ from samba.tests.krb5.kdc_base_test import KDCBaseTest >+ import samba.tests.krb5.kcrypto as kcrypto >+ import samba.tests.krb5.rfc4120_pyasn1 as krb5_asn1 >+ from samba.tests.krb5.rfc4120_constants import ( >++ KDC_ERR_S_PRINCIPAL_UNKNOWN, >+ KDC_ERR_ETYPE_NOSUPP, >+ KDC_ERR_PREAUTH_REQUIRED, >+ KU_PA_ENC_TIMESTAMP, >+@@ -40,7 +41,8 @@ global_hexdump = False >+ >+ >+ class AsReqBaseTest(KDCBaseTest): >+- def _run_as_req_enc_timestamp(self, client_creds): >++ def _run_as_req_enc_timestamp(self, client_creds, sname=None, >++ expected_error=None): >+ client_account = client_creds.get_username() >+ client_as_etypes = self.get_default_enctypes() >+ client_kvno = client_creds.get_kvno() >+@@ -50,8 +52,9 @@ class AsReqBaseTest(KDCBaseTest): >+ >+ cname = self.PrincipalName_create(name_type=NT_PRINCIPAL, >+ names=[client_account]) >+- sname = self.PrincipalName_create(name_type=NT_SRV_INST, >+- names=[krbtgt_account, realm]) >++ if sname is None: >++ sname = self.PrincipalName_create(name_type=NT_SRV_INST, >++ names=[krbtgt_account, realm]) >+ >+ expected_crealm = realm >+ expected_cname = cname >+@@ -63,7 +66,10 @@ class AsReqBaseTest(KDCBaseTest): >+ >+ initial_etypes = client_as_etypes >+ initial_kdc_options = krb5_asn1.KDCOptions('forwardable') >+- initial_error_mode = KDC_ERR_PREAUTH_REQUIRED >++ if expected_error is not None: >++ initial_error_mode = expected_error >++ else: >++ initial_error_mode = KDC_ERR_PREAUTH_REQUIRED >+ >+ rep, kdc_exchange_dict = self._test_as_exchange(cname, >+ realm, >+@@ -80,6 +86,10 @@ class AsReqBaseTest(KDCBaseTest): >+ None, >+ initial_kdc_options, >+ pac_request=True) >++ >++ if expected_error is not None: >++ return None >++ >+ etype_info2 = kdc_exchange_dict['preauth_etype_info2'] >+ self.assertIsNotNone(etype_info2) >+ >+@@ -209,6 +219,28 @@ class AsReqKerberosTests(AsReqBaseTest): >+ client_creds = self.get_mach_creds() >+ self._run_as_req_enc_timestamp(client_creds) >+ >++ # Ensure we can't use truncated well-known principals such as krb@REALM >++ # instead of krbtgt@REALM. >++ def test_krbtgt_wrong_principal(self): >++ client_creds = self.get_client_creds() >++ >++ krbtgt_creds = self.get_krbtgt_creds() >++ >++ krbtgt_account = krbtgt_creds.get_username() >++ realm = krbtgt_creds.get_realm() >++ >++ # Truncate the name of the krbtgt principal. >++ krbtgt_account = krbtgt_account[:3] >++ >++ wrong_krbtgt_princ = self.PrincipalName_create( >++ name_type=NT_SRV_INST, >++ names=[krbtgt_account, realm]) >++ >++ self._run_as_req_enc_timestamp( >++ client_creds, >++ sname=wrong_krbtgt_princ, >++ expected_error=KDC_ERR_S_PRINCIPAL_UNKNOWN) >++ >+ >+ if __name__ == "__main__": >+ global_asn1_print = False >+diff --git selftest/knownfail_heimdal_kdc selftest/knownfail_heimdal_kdc >+index afb9bcf1209..dbfff5784e6 100644 >+--- selftest/knownfail_heimdal_kdc >++++ selftest/knownfail_heimdal_kdc >+@@ -278,3 +278,7 @@ >+ ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_wrong_key.ad_dc >+ ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_wrong_key_server.ad_dc >+ ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_wrong_key_service.ad_dc >++# >++# AS-REQ tests >++# >++^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_krbtgt_wrong_principal\( >+diff --git selftest/knownfail_mit_kdc selftest/knownfail_mit_kdc >+index c2a31b4a140..0f90ea10299 100644 >+--- selftest/knownfail_mit_kdc >++++ selftest/knownfail_mit_kdc >+@@ -583,3 +583,7 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_ >+ ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_ticket_requester_sid_tgs.ad_dc >+ ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_wrong_key_server.ad_dc >+ ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_wrong_key_service.ad_dc >++# >++# AS-REQ tests >++# >++^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_krbtgt_wrong_principal\( >+-- >+2.25.1 >+ >+ >+From d40593be83144713cfc43e4eb1c7bc2d925a0da0 Mon Sep 17 00:00:00 2001 >+From: Joseph Sutton <josephsutton@catalyst.net.nz> >+Date: Wed, 25 May 2022 20:00:55 +1200 >+Subject: [PATCH 88/99] CVE-2022-2031 s4:kdc: Don't use strncmp to compare >+ principal components >+ >+We would only compare the first 'n' characters, where 'n' is the length >+of the principal component string, so 'k@REALM' would erroneously be >+considered equal to 'krbtgt@REALM'. >+ >+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047 >+ >+Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> >+Reviewed-by: Andreas Schneider <asn@samba.org> >+--- >+ selftest/knownfail_heimdal_kdc | 4 ---- >+ selftest/knownfail_mit_kdc | 4 ---- >+ source4/kdc/db-glue.c | 27 ++++++++++++++++++++++----- >+ 3 files changed, 22 insertions(+), 13 deletions(-) >+ >+diff --git selftest/knownfail_heimdal_kdc selftest/knownfail_heimdal_kdc >+index dbfff5784e6..afb9bcf1209 100644 >+--- selftest/knownfail_heimdal_kdc >++++ selftest/knownfail_heimdal_kdc >+@@ -278,7 +278,3 @@ >+ ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_wrong_key.ad_dc >+ ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_wrong_key_server.ad_dc >+ ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_wrong_key_service.ad_dc >+-# >+-# AS-REQ tests >+-# >+-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_krbtgt_wrong_principal\( >+diff --git selftest/knownfail_mit_kdc selftest/knownfail_mit_kdc >+index 0f90ea10299..c2a31b4a140 100644 >+--- selftest/knownfail_mit_kdc >++++ selftest/knownfail_mit_kdc >+@@ -583,7 +583,3 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_ >+ ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_ticket_requester_sid_tgs.ad_dc >+ ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_wrong_key_server.ad_dc >+ ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_wrong_key_service.ad_dc >+-# >+-# AS-REQ tests >+-# >+-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_krbtgt_wrong_principal\( >+diff --git source4/kdc/db-glue.c source4/kdc/db-glue.c >+index 073ec83c8cf..cfa2097acbd 100644 >+--- source4/kdc/db-glue.c >++++ source4/kdc/db-glue.c >+@@ -769,15 +769,19 @@ static int principal_comp_strcmp_int(krb5_context context, >+ bool do_strcasecmp) >+ { >+ const char *p; >+- size_t len; >+ >+ #if defined(HAVE_KRB5_PRINCIPAL_GET_COMP_STRING) >+ p = krb5_principal_get_comp_string(context, principal, component); >+ if (p == NULL) { >+ return -1; >+ } >+- len = strlen(p); >++ if (do_strcasecmp) { >++ return strcasecmp(p, string); >++ } else { >++ return strcmp(p, string); >++ } >+ #else >++ size_t len; >+ krb5_data *d; >+ if (component >= krb5_princ_size(context, principal)) { >+ return -1; >+@@ -789,13 +793,26 @@ static int principal_comp_strcmp_int(krb5_context context, >+ } >+ >+ p = d->data; >+- len = d->length; >+-#endif >++ >++ len = strlen(string); >++ >++ /* >++ * We explicitly return -1 or 1. Subtracting of the two lengths might >++ * give the wrong result if the result overflows or loses data when >++ * narrowed to int. >++ */ >++ if (d->length < len) { >++ return -1; >++ } else if (d->length > len) { >++ return 1; >++ } >++ >+ if (do_strcasecmp) { >+ return strncasecmp(p, string, len); >+ } else { >+- return strncmp(p, string, len); >++ return memcmp(p, string, len); >+ } >++#endif >+ } >+ >+ static int principal_comp_strcasecmp(krb5_context context, >+-- >+2.25.1 >+ >+ >+From 42ba919c06c24c42ef123304de0c2ca8c689591a Mon Sep 17 00:00:00 2001 >+From: Joseph Sutton <josephsutton@catalyst.net.nz> >+Date: Thu, 26 May 2022 16:36:30 +1200 >+Subject: [PATCH 89/99] CVE-2022-32744 s4:kdc: Rename keytab_name -> >+ kpasswd_keytab_name >+ >+This makes explicitly clear the purpose of this keytab. >+ >+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15074 >+ >+Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> >+Reviewed-by: Andreas Schneider <asn@samba.org> >+ >+[jsutton@samba.org Fixed conflicts due to lacking HDBGET support] >+--- >+ source4/kdc/kdc-heimdal.c | 4 ++-- >+ source4/kdc/kdc-server.h | 2 +- >+ source4/kdc/kdc-service-mit.c | 4 ++-- >+ source4/kdc/kpasswd-service.c | 2 +- >+ 4 files changed, 6 insertions(+), 6 deletions(-) >+ >+diff --git source4/kdc/kdc-heimdal.c source4/kdc/kdc-heimdal.c >+index ba74df4f2ec..a4c845b62f8 100644 >+--- source4/kdc/kdc-heimdal.c >++++ source4/kdc/kdc-heimdal.c >+@@ -444,8 +444,8 @@ static void kdc_post_fork(struct task_server *task, struct process_details *pd) >+ return; >+ } >+ >+- kdc->keytab_name = talloc_asprintf(kdc, "HDB:samba4&%p", kdc->base_ctx); >+- if (kdc->keytab_name == NULL) { >++ kdc->kpasswd_keytab_name = talloc_asprintf(kdc, "HDB:samba4&%p", kdc->base_ctx); >++ if (kdc->kpasswd_keytab_name == NULL) { >+ task_server_terminate(task, >+ "kdc: Failed to set keytab name", >+ true); >+diff --git source4/kdc/kdc-server.h source4/kdc/kdc-server.h >+index fd883c2e4b4..89b30f122f5 100644 >+--- source4/kdc/kdc-server.h >++++ source4/kdc/kdc-server.h >+@@ -40,7 +40,7 @@ struct kdc_server { >+ struct ldb_context *samdb; >+ bool am_rodc; >+ uint32_t proxy_timeout; >+- const char *keytab_name; >++ const char *kpasswd_keytab_name; >+ void *private_data; >+ }; >+ >+diff --git source4/kdc/kdc-service-mit.c source4/kdc/kdc-service-mit.c >+index 5d4180aa7cc..22663b6ecc8 100644 >+--- source4/kdc/kdc-service-mit.c >++++ source4/kdc/kdc-service-mit.c >+@@ -291,8 +291,8 @@ NTSTATUS mitkdc_task_init(struct task_server *task) >+ return NT_STATUS_INTERNAL_ERROR; >+ } >+ >+- kdc->keytab_name = talloc_asprintf(kdc, "KDB:"); >+- if (kdc->keytab_name == NULL) { >++ kdc->kpasswd_keytab_name = talloc_asprintf(kdc, "KDB:"); >++ if (kdc->kpasswd_keytab_name == NULL) { >+ task_server_terminate(task, >+ "KDC: Out of memory", >+ true); >+diff --git source4/kdc/kpasswd-service.c source4/kdc/kpasswd-service.c >+index b4706de1ad7..0d2acd8d9e8 100644 >+--- source4/kdc/kpasswd-service.c >++++ source4/kdc/kpasswd-service.c >+@@ -167,7 +167,7 @@ kdc_code kpasswd_process(struct kdc_server *kdc, >+ >+ rv = cli_credentials_set_keytab_name(server_credentials, >+ kdc->task->lp_ctx, >+- kdc->keytab_name, >++ kdc->kpasswd_keytab_name, >+ CRED_SPECIFIED); >+ if (rv != 0) { >+ DBG_ERR("Failed to set credentials keytab name\n"); >+-- >+2.25.1 >+ >+ >+From 997f50c66471071efb8e02d8efbe4bf5d932e7ee Mon Sep 17 00:00:00 2001 >+From: Joseph Sutton <josephsutton@catalyst.net.nz> >+Date: Wed, 8 Jun 2022 13:53:29 +1200 >+Subject: [PATCH 90/99] s4:kdc: Remove kadmin mode from HDB plugin >+ >+It appears we no longer require it. >+ >+Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> >+Reviewed-by: Andreas Schneider <asn@samba.org> >+--- >+ source4/kdc/hdb-samba4-plugin.c | 35 +++++++-------------------------- >+ 1 file changed, 7 insertions(+), 28 deletions(-) >+ >+diff --git source4/kdc/hdb-samba4-plugin.c source4/kdc/hdb-samba4-plugin.c >+index 6f76124995d..4b90a766f76 100644 >+--- source4/kdc/hdb-samba4-plugin.c >++++ source4/kdc/hdb-samba4-plugin.c >+@@ -21,40 +21,20 @@ >+ >+ #include "includes.h" >+ #include "kdc/kdc-glue.h" >+-#include "kdc/db-glue.h" >+-#include "lib/util/samba_util.h" >+ #include "lib/param/param.h" >+-#include "source4/lib/events/events.h" >+ >+ static krb5_error_code hdb_samba4_create(krb5_context context, struct HDB **db, const char *arg) >+ { >+ NTSTATUS nt_status; >+- void *ptr; >+- struct samba_kdc_base_context *base_ctx; >+- >+- if (sscanf(arg, "&%p", &ptr) == 1) { >+- base_ctx = talloc_get_type_abort(ptr, struct samba_kdc_base_context); >+- } else if (arg[0] == '\0' || file_exist(arg)) { >+- /* This mode for use in kadmin, rather than in Samba */ >+- >+- setup_logging("hdb_samba4", DEBUG_DEFAULT_STDERR); >+- >+- base_ctx = talloc_zero(NULL, struct samba_kdc_base_context); >+- if (!base_ctx) { >+- return ENOMEM; >+- } >+- >+- base_ctx->ev_ctx = s4_event_context_init(base_ctx); >+- base_ctx->lp_ctx = loadparm_init_global(false); >+- if (arg[0]) { >+- lpcfg_load(base_ctx->lp_ctx, arg); >+- } else { >+- lpcfg_load_default(base_ctx->lp_ctx); >+- } >+- } else { >++ void *ptr = NULL; >++ struct samba_kdc_base_context *base_ctx = NULL; >++ >++ if (sscanf(arg, "&%p", &ptr) != 1) { >+ return EINVAL; >+ } >+ >++ base_ctx = talloc_get_type_abort(ptr, struct samba_kdc_base_context); >++ >+ /* The global kdc_mem_ctx and kdc_lp_ctx, Disgusting, ugly hack, but it means one less private hook */ >+ nt_status = hdb_samba4_create_kdc(base_ctx, context, db); >+ >+@@ -90,8 +70,7 @@ static void hdb_samba4_fini(void *ctx) >+ >+ /* Only used in the hdb-backed keytab code >+ * for a keytab of 'samba4&<address>' or samba4, to find >+- * kpasswd's key in the main DB, and to >+- * copy all the keys into a file (libnet_keytab_export) >++ * kpasswd's key in the main DB >+ * >+ * The <address> is the string form of a pointer to a talloced struct hdb_samba_context >+ */ >+-- >+2.25.1 >+ >+ >+From c0c4b7a4bd229bd36d586faec6249baaba8e7adc Mon Sep 17 00:00:00 2001 >+From: Joseph Sutton <josephsutton@catalyst.net.nz> >+Date: Thu, 26 May 2022 16:39:20 +1200 >+Subject: [PATCH 91/99] CVE-2022-32744 s4:kdc: Modify HDB plugin to only look >+ up kpasswd principal >+ >+This plugin is now only used by the kpasswd service. Thus, ensuring we >+only look up the kadmin/changepw principal means we can't be fooled into >+accepting tickets for other service principals. We make sure not to >+specify a specific kvno, to ensure that we do not accept RODC-issued >+tickets. >+ >+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15074 >+ >+Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> >+Reviewed-by: Andreas Schneider <asn@samba.org> >+ >+[jsutton@samba.org Fixed knownfail conflicts] >+ >+[jsutton@samba.org Renamed entry to entry_ex; fixed knownfail conflicts; >+ retained knownfail for test_kpasswd_from_rodc which now causes the KDC >+ to panic] >+--- >+ selftest/knownfail_heimdal_kdc | 3 -- >+ source4/kdc/hdb-samba4-plugin.c | 2 +- >+ source4/kdc/hdb-samba4.c | 66 +++++++++++++++++++++++++++++++++ >+ source4/kdc/kdc-glue.h | 3 ++ >+ 4 files changed, 70 insertions(+), 4 deletions(-) >+ >+diff --git selftest/knownfail_heimdal_kdc selftest/knownfail_heimdal_kdc >+index afb9bcf1209..0d93253f999 100644 >+--- selftest/knownfail_heimdal_kdc >++++ selftest/knownfail_heimdal_kdc >+@@ -275,6 +275,3 @@ >+ # Kpasswd tests >+ # >+ ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_from_rodc.ad_dc >+-^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_wrong_key.ad_dc >+-^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_wrong_key_server.ad_dc >+-^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_wrong_key_service.ad_dc >+diff --git source4/kdc/hdb-samba4-plugin.c source4/kdc/hdb-samba4-plugin.c >+index 4b90a766f76..dba25e825de 100644 >+--- source4/kdc/hdb-samba4-plugin.c >++++ source4/kdc/hdb-samba4-plugin.c >+@@ -36,7 +36,7 @@ static krb5_error_code hdb_samba4_create(krb5_context context, struct HDB **db, >+ base_ctx = talloc_get_type_abort(ptr, struct samba_kdc_base_context); >+ >+ /* The global kdc_mem_ctx and kdc_lp_ctx, Disgusting, ugly hack, but it means one less private hook */ >+- nt_status = hdb_samba4_create_kdc(base_ctx, context, db); >++ nt_status = hdb_samba4_kpasswd_create_kdc(base_ctx, context, db); >+ >+ if (NT_STATUS_IS_OK(nt_status)) { >+ return 0; >+diff --git source4/kdc/hdb-samba4.c source4/kdc/hdb-samba4.c >+index 43e836f8360..a8aae50b5b0 100644 >+--- source4/kdc/hdb-samba4.c >++++ source4/kdc/hdb-samba4.c >+@@ -136,6 +136,47 @@ static krb5_error_code hdb_samba4_fetch_kvno(krb5_context context, HDB *db, >+ return code; >+ } >+ >++static krb5_error_code hdb_samba4_kpasswd_fetch_kvno(krb5_context context, HDB *db, >++ krb5_const_principal _principal, >++ unsigned flags, >++ krb5_kvno _kvno, >++ hdb_entry_ex *entry_ex) >++{ >++ struct samba_kdc_db_context *kdc_db_ctx = NULL; >++ krb5_error_code ret; >++ krb5_principal kpasswd_principal = NULL; >++ >++ kdc_db_ctx = talloc_get_type_abort(db->hdb_db, >++ struct samba_kdc_db_context); >++ >++ ret = smb_krb5_make_principal(context, &kpasswd_principal, >++ lpcfg_realm(kdc_db_ctx->lp_ctx), >++ "kadmin", "changepw", >++ NULL); >++ if (ret) { >++ return ret; >++ } >++ smb_krb5_principal_set_type(context, kpasswd_principal, KRB5_NT_SRV_INST); >++ >++ /* >++ * For the kpasswd service, always ensure we get the latest kvno. This >++ * also means we (correctly) refuse RODC-issued tickets. >++ */ >++ flags &= ~HDB_F_KVNO_SPECIFIED; >++ >++ /* Don't bother looking up a client or krbtgt. */ >++ flags &= ~(SDB_F_GET_CLIENT|SDB_F_GET_KRBTGT); >++ >++ ret = hdb_samba4_fetch_kvno(context, db, >++ kpasswd_principal, >++ flags, >++ 0, >++ entry_ex); >++ >++ krb5_free_principal(context, kpasswd_principal); >++ return ret; >++} >++ >+ static krb5_error_code hdb_samba4_firstkey(krb5_context context, HDB *db, unsigned flags, >+ hdb_entry_ex *entry) >+ { >+@@ -194,6 +235,14 @@ static krb5_error_code hdb_samba4_nextkey(krb5_context context, HDB *db, unsigne >+ return ret; >+ } >+ >++static krb5_error_code hdb_samba4_nextkey_panic(krb5_context context, HDB *db, >++ unsigned flags, >++ hdb_entry_ex *entry) >++{ >++ DBG_ERR("Attempt to iterate kpasswd keytab => PANIC\n"); >++ smb_panic("hdb_samba4_nextkey_panic: Attempt to iterate kpasswd keytab"); >++} >++ >+ static krb5_error_code hdb_samba4_destroy(krb5_context context, HDB *db) >+ { >+ talloc_free(db); >+@@ -522,3 +571,20 @@ NTSTATUS hdb_samba4_create_kdc(struct samba_kdc_base_context *base_ctx, >+ >+ return NT_STATUS_OK; >+ } >++ >++NTSTATUS hdb_samba4_kpasswd_create_kdc(struct samba_kdc_base_context *base_ctx, >++ krb5_context context, struct HDB **db) >++{ >++ NTSTATUS nt_status; >++ >++ nt_status = hdb_samba4_create_kdc(base_ctx, context, db); >++ if (!NT_STATUS_IS_OK(nt_status)) { >++ return nt_status; >++ } >++ >++ (*db)->hdb_fetch_kvno = hdb_samba4_kpasswd_fetch_kvno; >++ (*db)->hdb_firstkey = hdb_samba4_nextkey_panic; >++ (*db)->hdb_nextkey = hdb_samba4_nextkey_panic; >++ >++ return NT_STATUS_OK; >++} >+diff --git source4/kdc/kdc-glue.h source4/kdc/kdc-glue.h >+index c083b8c6429..ff8684e1666 100644 >+--- source4/kdc/kdc-glue.h >++++ source4/kdc/kdc-glue.h >+@@ -45,6 +45,9 @@ kdc_code kpasswdd_process(struct kdc_server *kdc, >+ NTSTATUS hdb_samba4_create_kdc(struct samba_kdc_base_context *base_ctx, >+ krb5_context context, struct HDB **db); >+ >++NTSTATUS hdb_samba4_kpasswd_create_kdc(struct samba_kdc_base_context *base_ctx, >++ krb5_context context, struct HDB **db); >++ >+ /* from kdc-glue.c */ >+ int kdc_check_pac(krb5_context krb5_context, >+ DATA_BLOB server_sig, >+-- >+2.25.1 >+ >+ >+From 340181bc1100fa31c63af88214a3d8328b944fe9 Mon Sep 17 00:00:00 2001 >+From: Joseph Sutton <josephsutton@catalyst.net.nz> >+Date: Mon, 30 May 2022 19:16:02 +1200 >+Subject: [PATCH 92/99] CVE-2022-32744 s4:kpasswd: Ensure we pass the kpasswd >+ server principal into krb5_rd_req_ctx() >+ >+To ensure that, when decrypting the kpasswd ticket, we look up the >+correct principal and don't trust the sname from the ticket, we should >+pass the principal name of the kpasswd service into krb5_rd_req_ctx(). >+However, gensec_krb5_update_internal() will pass in NULL unless the >+principal in our credentials is CRED_SPECIFIED. >+ >+At present, our principal will be considered obtained as CRED_SMB_CONF >+(from the cli_credentials_set_conf() a few lines up), so we explicitly >+set the realm again, but this time as CRED_SPECIFIED. Now the value of >+server_in_keytab that we provide to smb_krb5_rd_req_decoded() will not >+be NULL. >+ >+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15074 >+ >+Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> >+Reviewed-by: Andreas Schneider <asn@samba.org> >+ >+[jsutton@samba.org Removed knownfail as KDC no longer panics] >+--- >+ selftest/knownfail_heimdal_kdc | 4 ---- >+ selftest/knownfail_mit_kdc | 2 -- >+ source4/kdc/kpasswd-service.c | 30 ++++++++++++++++++++++++++++++ >+ 3 files changed, 30 insertions(+), 6 deletions(-) >+ >+diff --git selftest/knownfail_heimdal_kdc selftest/knownfail_heimdal_kdc >+index 0d93253f999..424a8b81c38 100644 >+--- selftest/knownfail_heimdal_kdc >++++ selftest/knownfail_heimdal_kdc >+@@ -271,7 +271,3 @@ >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_fast_service_ticket >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_fast_sid_mismatch_existing >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_fast_sid_mismatch_nonexisting >+-# >+-# Kpasswd tests >+-# >+-^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_from_rodc.ad_dc >+diff --git selftest/knownfail_mit_kdc selftest/knownfail_mit_kdc >+index c2a31b4a140..0d2f5bab6d2 100644 >+--- selftest/knownfail_mit_kdc >++++ selftest/knownfail_mit_kdc >+@@ -581,5 +581,3 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_ >+ ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_canonicalize_realm_case.ad_dc >+ ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_no_canonicalize_realm_case.ad_dc >+ ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_ticket_requester_sid_tgs.ad_dc >+-^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_wrong_key_server.ad_dc >+-^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_wrong_key_service.ad_dc >+diff --git source4/kdc/kpasswd-service.c source4/kdc/kpasswd-service.c >+index 0d2acd8d9e8..b6400be0c49 100644 >+--- source4/kdc/kpasswd-service.c >++++ source4/kdc/kpasswd-service.c >+@@ -29,6 +29,7 @@ >+ #include "kdc/kdc-server.h" >+ #include "kdc/kpasswd-service.h" >+ #include "kdc/kpasswd-helper.h" >++#include "param/param.h" >+ >+ #define HEADER_LEN 6 >+ #ifndef RFC3244_VERSION >+@@ -158,6 +159,20 @@ kdc_code kpasswd_process(struct kdc_server *kdc, >+ >+ cli_credentials_set_conf(server_credentials, kdc->task->lp_ctx); >+ >++ /* >++ * After calling cli_credentials_set_conf(), explicitly set the realm >++ * with CRED_SPECIFIED. We need to do this so the result of >++ * principal_from_credentials() called from the gensec layer is >++ * CRED_SPECIFIED rather than CRED_SMB_CONF, avoiding a fallback to >++ * match-by-key (very undesirable in this case). >++ */ >++ ok = cli_credentials_set_realm(server_credentials, >++ lpcfg_realm(kdc->task->lp_ctx), >++ CRED_SPECIFIED); >++ if (!ok) { >++ goto done; >++ } >++ >+ ok = cli_credentials_set_username(server_credentials, >+ "kadmin/changepw", >+ CRED_SPECIFIED); >+@@ -165,6 +180,21 @@ kdc_code kpasswd_process(struct kdc_server *kdc, >+ goto done; >+ } >+ >++ /* Check that the server principal is indeed CRED_SPECIFIED. */ >++ { >++ char *principal = NULL; >++ enum credentials_obtained obtained; >++ >++ principal = cli_credentials_get_principal_and_obtained(server_credentials, >++ tmp_ctx, >++ &obtained); >++ if (obtained < CRED_SPECIFIED) { >++ goto done; >++ } >++ >++ TALLOC_FREE(principal); >++ } >++ >+ rv = cli_credentials_set_keytab_name(server_credentials, >+ kdc->task->lp_ctx, >+ kdc->kpasswd_keytab_name, >+-- >+2.25.1 >+ >+ >+From 95afbc2da9b541fb8f2eebdcd411f5873d1675ac Mon Sep 17 00:00:00 2001 >+From: Joseph Sutton <josephsutton@catalyst.net.nz> >+Date: Fri, 10 Jun 2022 19:17:11 +1200 >+Subject: [PATCH 93/99] CVE-2022-2031 tests/krb5: Add test that we cannot >+ provide a TGT to kpasswd >+ >+The kpasswd service should require a kpasswd service ticket, and >+disallow TGTs. >+ >+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047 >+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15049 >+ >+Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> >+Reviewed-by: Andreas Schneider <asn@samba.org> >+ >+[jsutton@samba.org Fixed knownfail conflicts] >+ >+[jsutton@samba.org Fixed knownfail conflicts] >+--- >+ python/samba/tests/krb5/kpasswd_tests.py | 28 ++++++++++++++++++++++++ >+ selftest/knownfail_heimdal_kdc | 4 ++++ >+ selftest/knownfail_mit_kdc | 4 ++++ >+ 3 files changed, 36 insertions(+) >+ >+diff --git python/samba/tests/krb5/kpasswd_tests.py python/samba/tests/krb5/kpasswd_tests.py >+index 3a6c7d818dc..0db857f7bbd 100755 >+--- python/samba/tests/krb5/kpasswd_tests.py >++++ python/samba/tests/krb5/kpasswd_tests.py >+@@ -31,6 +31,7 @@ from samba.tests.krb5.rfc4120_constants import ( >+ KDC_ERR_TGT_REVOKED, >+ KDC_ERR_TKT_EXPIRED, >+ KPASSWD_ACCESSDENIED, >++ KPASSWD_AUTHERROR, >+ KPASSWD_HARDERROR, >+ KPASSWD_INITIAL_FLAG_NEEDED, >+ KPASSWD_MALFORMED, >+@@ -779,6 +780,33 @@ class KpasswdTests(KDCBaseTest): >+ self._make_tgs_request(creds, service_creds, ticket, >+ expect_error=False) >+ >++ # Show that we cannot provide a TGT to kpasswd to change the password. >++ def test_kpasswd_tgt(self): >++ # Create an account for testing, and get a TGT. >++ creds = self._get_creds() >++ tgt = self.get_tgt(creds) >++ >++ # Change the sname of the ticket to match that of kadmin/changepw. >++ tgt.set_sname(self.get_kpasswd_sname()) >++ >++ expected_code = KPASSWD_AUTHERROR >++ expected_msg = b'A TGT may not be used as a ticket to kpasswd' >++ >++ # Set the password. >++ new_password = generate_random_password(32, 32) >++ self.kpasswd_exchange(tgt, >++ new_password, >++ expected_code, >++ expected_msg, >++ mode=self.KpasswdMode.SET) >++ >++ # Change the password. >++ self.kpasswd_exchange(tgt, >++ new_password, >++ expected_code, >++ expected_msg, >++ mode=self.KpasswdMode.CHANGE) >++ >+ # Test that kpasswd rejects requests with a service ticket. >+ def test_kpasswd_non_initial(self): >+ # Create an account for testing, and get a TGT. >+diff --git selftest/knownfail_heimdal_kdc selftest/knownfail_heimdal_kdc >+index 424a8b81c38..42beccaed58 100644 >+--- selftest/knownfail_heimdal_kdc >++++ selftest/knownfail_heimdal_kdc >+@@ -271,3 +271,7 @@ >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_fast_service_ticket >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_fast_sid_mismatch_existing >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_fast_sid_mismatch_nonexisting >++# >++# Kpasswd tests >++# >++^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_tgt.ad_dc >+diff --git selftest/knownfail_mit_kdc selftest/knownfail_mit_kdc >+index 0d2f5bab6d2..9fc34e5d8db 100644 >+--- selftest/knownfail_mit_kdc >++++ selftest/knownfail_mit_kdc >+@@ -581,3 +581,7 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_ >+ ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_canonicalize_realm_case.ad_dc >+ ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_no_canonicalize_realm_case.ad_dc >+ ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_ticket_requester_sid_tgs.ad_dc >++# >++# Kpasswd tests >++# >++samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_tgt.ad_dc >+-- >+2.25.1 >+ >+ >+From 4b61092459b403b2945daa9082052366f3508b69 Mon Sep 17 00:00:00 2001 >+From: Joseph Sutton <josephsutton@catalyst.net.nz> >+Date: Fri, 10 Jun 2022 19:18:07 +1200 >+Subject: [PATCH 94/99] CVE-2022-2031 auth: Add ticket type field to >+ auth_user_info_dc and auth_session_info >+ >+This field may be used to convey whether we were provided with a TGT or >+a non-TGT. We ensure both structures are zeroed out to avoid incorrect >+results being produced by an uninitialised field. >+ >+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047 >+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15049 >+ >+Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> >+Reviewed-by: Andreas Schneider <asn@samba.org> >+--- >+ auth/auth_sam_reply.c | 2 +- >+ auth/auth_util.c | 2 +- >+ librpc/idl/auth.idl | 23 +++++++++++++++++++++++ >+ source4/auth/ntlm/auth_developer.c | 2 +- >+ source4/auth/sam.c | 2 +- >+ source4/auth/session.c | 2 ++ >+ source4/auth/system_session.c | 6 +++--- >+ 7 files changed, 32 insertions(+), 7 deletions(-) >+ >+diff --git auth/auth_sam_reply.c auth/auth_sam_reply.c >+index b5b6362dc93..2e27e5715d1 100644 >+--- auth/auth_sam_reply.c >++++ auth/auth_sam_reply.c >+@@ -416,7 +416,7 @@ NTSTATUS make_user_info_dc_netlogon_validation(TALLOC_CTX *mem_ctx, >+ return NT_STATUS_INVALID_LEVEL; >+ } >+ >+- user_info_dc = talloc(mem_ctx, struct auth_user_info_dc); >++ user_info_dc = talloc_zero(mem_ctx, struct auth_user_info_dc); >+ NT_STATUS_HAVE_NO_MEMORY(user_info_dc); >+ >+ /* >+diff --git auth/auth_util.c auth/auth_util.c >+index fe01babd107..ec9094d0f15 100644 >+--- auth/auth_util.c >++++ auth/auth_util.c >+@@ -44,7 +44,7 @@ struct auth_session_info *copy_session_info(TALLOC_CTX *mem_ctx, >+ return NULL; >+ } >+ >+- dst = talloc(mem_ctx, struct auth_session_info); >++ dst = talloc_zero(mem_ctx, struct auth_session_info); >+ if (dst == NULL) { >+ DBG_ERR("talloc failed\n"); >+ TALLOC_FREE(frame); >+diff --git librpc/idl/auth.idl librpc/idl/auth.idl >+index 1092935b971..f7658cdde28 100644 >+--- librpc/idl/auth.idl >++++ librpc/idl/auth.idl >+@@ -75,6 +75,26 @@ interface auth >+ [unique,charset(UTF8),string] char *sanitized_username; >+ } auth_user_info_unix; >+ >++ /* >++ * If the user was authenticated with a Kerberos ticket, this indicates >++ * the type of the ticket; TGT, or non-TGT (i.e. service ticket). If >++ * unset, the type is unknown. This indicator is useful for the KDC and >++ * the kpasswd service, which share the same account and keys. By >++ * ensuring it is provided with the appopriate ticket type, each service >++ * avoids accepting a ticket meant for the other. >++ * >++ * The heuristic used to determine the type is the presence or absence >++ * of a REQUESTER_SID buffer in the PAC; we use its presence to assume >++ * we have a TGT. This heuristic will fail for older Samba versions and >++ * Windows prior to Nov. 2021 updates, which lack support for this >++ * buffer. >++ */ >++ typedef enum { >++ TICKET_TYPE_UNKNOWN = 0, >++ TICKET_TYPE_TGT = 1, >++ TICKET_TYPE_NON_TGT = 2 >++ } ticket_type; >++ >+ /* This is the interim product of the auth subsystem, before >+ * privileges and local groups are handled */ >+ typedef [public] struct { >+@@ -83,6 +103,7 @@ interface auth >+ auth_user_info *info; >+ [noprint] DATA_BLOB user_session_key; >+ [noprint] DATA_BLOB lm_session_key; >++ ticket_type ticket_type; >+ } auth_user_info_dc; >+ >+ typedef [public] struct { >+@@ -112,6 +133,8 @@ interface auth >+ * We generate this in auth_generate_session_info() >+ */ >+ GUID unique_session_token; >++ >++ ticket_type ticket_type; >+ } auth_session_info; >+ >+ typedef [public] struct { >+diff --git source4/auth/ntlm/auth_developer.c source4/auth/ntlm/auth_developer.c >+index 1823989c68d..6e92252d5c5 100644 >+--- source4/auth/ntlm/auth_developer.c >++++ source4/auth/ntlm/auth_developer.c >+@@ -76,7 +76,7 @@ static NTSTATUS name_to_ntstatus_check_password(struct auth_method_context *ctx, >+ } >+ NT_STATUS_NOT_OK_RETURN(nt_status); >+ >+- user_info_dc = talloc(mem_ctx, struct auth_user_info_dc); >++ user_info_dc = talloc_zero(mem_ctx, struct auth_user_info_dc); >+ NT_STATUS_HAVE_NO_MEMORY(user_info_dc); >+ >+ /* This returns a pointer to a struct dom_sid, which is the >+diff --git source4/auth/sam.c source4/auth/sam.c >+index 8b233bab3ad..7c609655fcb 100644 >+--- source4/auth/sam.c >++++ source4/auth/sam.c >+@@ -363,7 +363,7 @@ _PUBLIC_ NTSTATUS authsam_make_user_info_dc(TALLOC_CTX *mem_ctx, >+ TALLOC_CTX *tmp_ctx; >+ struct ldb_message_element *el; >+ >+- user_info_dc = talloc(mem_ctx, struct auth_user_info_dc); >++ user_info_dc = talloc_zero(mem_ctx, struct auth_user_info_dc); >+ NT_STATUS_HAVE_NO_MEMORY(user_info_dc); >+ >+ tmp_ctx = talloc_new(user_info_dc); >+diff --git source4/auth/session.c source4/auth/session.c >+index 8e44dcd24f1..d6e936dd1f1 100644 >+--- source4/auth/session.c >++++ source4/auth/session.c >+@@ -222,6 +222,8 @@ _PUBLIC_ NTSTATUS auth_generate_session_info(TALLOC_CTX *mem_ctx, >+ >+ session_info->credentials = NULL; >+ >++ session_info->ticket_type = user_info_dc->ticket_type; >++ >+ talloc_steal(mem_ctx, session_info); >+ *_session_info = session_info; >+ talloc_free(tmp_ctx); >+diff --git source4/auth/system_session.c source4/auth/system_session.c >+index 85b8f1c4edb..2518d654e8b 100644 >+--- source4/auth/system_session.c >++++ source4/auth/system_session.c >+@@ -115,7 +115,7 @@ NTSTATUS auth_system_user_info_dc(TALLOC_CTX *mem_ctx, const char *netbios_name, >+ struct auth_user_info_dc *user_info_dc; >+ struct auth_user_info *info; >+ >+- user_info_dc = talloc(mem_ctx, struct auth_user_info_dc); >++ user_info_dc = talloc_zero(mem_ctx, struct auth_user_info_dc); >+ NT_STATUS_HAVE_NO_MEMORY(user_info_dc); >+ >+ /* This returns a pointer to a struct dom_sid, which is the >+@@ -191,7 +191,7 @@ static NTSTATUS auth_domain_admin_user_info_dc(TALLOC_CTX *mem_ctx, >+ struct auth_user_info_dc *user_info_dc; >+ struct auth_user_info *info; >+ >+- user_info_dc = talloc(mem_ctx, struct auth_user_info_dc); >++ user_info_dc = talloc_zero(mem_ctx, struct auth_user_info_dc); >+ NT_STATUS_HAVE_NO_MEMORY(user_info_dc); >+ >+ user_info_dc->num_sids = 7; >+@@ -356,7 +356,7 @@ _PUBLIC_ NTSTATUS auth_anonymous_user_info_dc(TALLOC_CTX *mem_ctx, >+ { >+ struct auth_user_info_dc *user_info_dc; >+ struct auth_user_info *info; >+- user_info_dc = talloc(mem_ctx, struct auth_user_info_dc); >++ user_info_dc = talloc_zero(mem_ctx, struct auth_user_info_dc); >+ NT_STATUS_HAVE_NO_MEMORY(user_info_dc); >+ >+ /* This returns a pointer to a struct dom_sid, which is the >+-- >+2.25.1 >+ >+ >+From 89c6e36938c27b572573b06d1b35db210bfda99b Mon Sep 17 00:00:00 2001 >+From: Joseph Sutton <josephsutton@catalyst.net.nz> >+Date: Fri, 10 Jun 2022 19:18:35 +1200 >+Subject: [PATCH 95/99] CVE-2022-2031 s4:auth: Use PAC to determine whether >+ ticket is a TGT >+ >+We use the presence or absence of a REQUESTER_SID PAC buffer to >+determine whether the ticket is a TGT. We will later use this to reject >+TGTs where a service ticket is expected. >+ >+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047 >+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15049 >+ >+Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> >+Reviewed-by: Andreas Schneider <asn@samba.org> >+--- >+ source4/auth/kerberos/kerberos_pac.c | 44 ++++++++++++++++++++++++++++ >+ 1 file changed, 44 insertions(+) >+ >+diff --git source4/auth/kerberos/kerberos_pac.c source4/auth/kerberos/kerberos_pac.c >+index 54ef4d61b02..bd0ae20e007 100644 >+--- source4/auth/kerberos/kerberos_pac.c >++++ source4/auth/kerberos/kerberos_pac.c >+@@ -282,6 +282,28 @@ >+ return ret; >+ } >+ >++static krb5_error_code kerberos_pac_buffer_present(krb5_context context, >++ const krb5_pac pac, >++ uint32_t type) >++{ >++#ifdef SAMBA4_USES_HEIMDAL >++ return krb5_pac_get_buffer(context, pac, type, NULL); >++#else /* MIT */ >++ krb5_error_code ret; >++ krb5_data data; >++ >++ /* >++ * MIT won't let us pass NULL for the data parameter, so we are forced >++ * to allocate a new buffer and then immediately free it. >++ */ >++ ret = krb5_pac_get_buffer(context, pac, type, &data); >++ if (ret == 0) { >++ krb5_free_data_contents(context, &data); >++ } >++ return ret; >++#endif /* SAMBA4_USES_HEIMDAL */ >++} >++ >+ krb5_error_code kerberos_pac_to_user_info_dc(TALLOC_CTX *mem_ctx, >+ krb5_pac pac, >+ krb5_context context, >+@@ -414,6 +436,28 @@ krb5_error_code kerberos_pac_to_user_info_dc(TALLOC_CTX *mem_ctx, >+ return EINVAL; >+ } >+ } >++ >++ /* >++ * Based on the presence of a REQUESTER_SID PAC buffer, ascertain >++ * whether the ticket is a TGT. This helps the KDC and kpasswd service >++ * ensure they do not accept tickets meant for the other. >++ * >++ * This heuristic will fail for older Samba versions and Windows prior >++ * to Nov. 2021 updates, which lack support for the REQUESTER_SID PAC >++ * buffer. >++ */ >++ ret = kerberos_pac_buffer_present(context, pac, PAC_TYPE_REQUESTER_SID); >++ if (ret == ENOENT) { >++ /* This probably isn't a TGT. */ >++ user_info_dc_out->ticket_type = TICKET_TYPE_NON_TGT; >++ } else if (ret != 0) { >++ talloc_free(tmp_ctx); >++ return ret; >++ } else { >++ /* This probably is a TGT. */ >++ user_info_dc_out->ticket_type = TICKET_TYPE_TGT; >++ } >++ >+ *user_info_dc = user_info_dc_out; >+ >+ return 0; >+-- >+2.25.1 >+ >+ >+From d5af460403d3949ba266f5c74f051247cd7ce752 Mon Sep 17 00:00:00 2001 >+From: Joseph Sutton <josephsutton@catalyst.net.nz> >+Date: Fri, 10 Jun 2022 19:18:53 +1200 >+Subject: [PATCH 96/99] CVE-2022-2031 s4:kpasswd: Do not accept TGTs as kpasswd >+ tickets >+ >+If TGTs can be used as kpasswd tickets, the two-minute lifetime of a >+authentic kpasswd ticket may be bypassed. Furthermore, kpasswd tickets >+are not supposed to be cached, but using this flaw, a stolen credentials >+cache containing a TGT may be used to change that account's password, >+and thus is made more valuable to an attacker. >+ >+Since all TGTs should be issued with a REQUESTER_SID PAC buffer, and >+service tickets without it, we assert the absence of this buffer to >+ensure we're not accepting a TGT. >+ >+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047 >+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15049 >+ >+Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> >+Reviewed-by: Andreas Schneider <asn@samba.org> >+ >+[jsutton@samba.org Fixed knownfail conflicts] >+ >+[jsutton@samba.org Fixed knownfail conflicts] >+--- >+ selftest/knownfail_heimdal_kdc | 4 ---- >+ selftest/knownfail_mit_kdc | 4 ---- >+ source4/kdc/kpasswd-helper.c | 20 ++++++++++++++++++++ >+ source4/kdc/kpasswd-helper.h | 2 ++ >+ source4/kdc/kpasswd-service-heimdal.c | 13 +++++++++++++ >+ source4/kdc/kpasswd-service-mit.c | 13 +++++++++++++ >+ 6 files changed, 48 insertions(+), 8 deletions(-) >+ >+diff --git selftest/knownfail_heimdal_kdc selftest/knownfail_heimdal_kdc >+index 42beccaed58..424a8b81c38 100644 >+--- selftest/knownfail_heimdal_kdc >++++ selftest/knownfail_heimdal_kdc >+@@ -271,7 +271,3 @@ >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_fast_service_ticket >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_fast_sid_mismatch_existing >+ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_fast_sid_mismatch_nonexisting >+-# >+-# Kpasswd tests >+-# >+-^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_tgt.ad_dc >+diff --git selftest/knownfail_mit_kdc selftest/knownfail_mit_kdc >+index 9fc34e5d8db..0d2f5bab6d2 100644 >+--- selftest/knownfail_mit_kdc >++++ selftest/knownfail_mit_kdc >+@@ -581,7 +581,3 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_ >+ ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_canonicalize_realm_case.ad_dc >+ ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_no_canonicalize_realm_case.ad_dc >+ ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_ticket_requester_sid_tgs.ad_dc >+-# >+-# Kpasswd tests >+-# >+-samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_tgt.ad_dc >+diff --git source4/kdc/kpasswd-helper.c source4/kdc/kpasswd-helper.c >+index 55a2f5b3bf6..2ffdb79aea5 100644 >+--- source4/kdc/kpasswd-helper.c >++++ source4/kdc/kpasswd-helper.c >+@@ -241,3 +241,23 @@ NTSTATUS kpasswd_samdb_set_password(TALLOC_CTX *mem_ctx, >+ >+ return status; >+ } >++ >++krb5_error_code kpasswd_check_non_tgt(struct auth_session_info *session_info, >++ const char **error_string) >++{ >++ switch(session_info->ticket_type) { >++ case TICKET_TYPE_TGT: >++ /* TGTs are disallowed here. */ >++ *error_string = "A TGT may not be used as a ticket to kpasswd"; >++ return KRB5_KPASSWD_AUTHERROR; >++ case TICKET_TYPE_NON_TGT: >++ /* Non-TGTs are permitted, and expected. */ >++ break; >++ default: >++ /* In case we forgot to set the type. */ >++ *error_string = "Failed to ascertain that ticket to kpasswd is not a TGT"; >++ return KRB5_KPASSWD_HARDERROR; >++ } >++ >++ return 0; >++} >+diff --git source4/kdc/kpasswd-helper.h source4/kdc/kpasswd-helper.h >+index 8fad81e0a5d..94a6e2acfdd 100644 >+--- source4/kdc/kpasswd-helper.h >++++ source4/kdc/kpasswd-helper.h >+@@ -43,4 +43,6 @@ NTSTATUS kpasswd_samdb_set_password(TALLOC_CTX *mem_ctx, >+ enum samPwdChangeReason *reject_reason, >+ struct samr_DomInfo1 **dominfo); >+ >++krb5_error_code kpasswd_check_non_tgt(struct auth_session_info *session_info, >++ const char **error_string); >+ #endif /* _KPASSWD_HELPER_H */ >+diff --git source4/kdc/kpasswd-service-heimdal.c source4/kdc/kpasswd-service-heimdal.c >+index a0352d1ad35..4d009b9eb24 100644 >+--- source4/kdc/kpasswd-service-heimdal.c >++++ source4/kdc/kpasswd-service-heimdal.c >+@@ -253,6 +253,7 @@ krb5_error_code kpasswd_handle_request(struct kdc_server *kdc, >+ { >+ struct auth_session_info *session_info; >+ NTSTATUS status; >++ krb5_error_code code; >+ >+ status = gensec_session_info(gensec_security, >+ mem_ctx, >+@@ -264,6 +265,18 @@ krb5_error_code kpasswd_handle_request(struct kdc_server *kdc, >+ return KRB5_KPASSWD_HARDERROR; >+ } >+ >++ /* >++ * Since the kpasswd service shares its keys with the krbtgt, we might >++ * have received a TGT rather than a kpasswd ticket. We need to check >++ * the ticket type to ensure that TGTs cannot be misused in this manner. >++ */ >++ code = kpasswd_check_non_tgt(session_info, >++ error_string); >++ if (code != 0) { >++ DBG_WARNING("%s\n", *error_string); >++ return code; >++ } >++ >+ switch(verno) { >+ case KRB5_KPASSWD_VERS_CHANGEPW: { >+ DATA_BLOB password = data_blob_null; >+diff --git source4/kdc/kpasswd-service-mit.c source4/kdc/kpasswd-service-mit.c >+index de4c6f3f622..6b051567b6e 100644 >+--- source4/kdc/kpasswd-service-mit.c >++++ source4/kdc/kpasswd-service-mit.c >+@@ -332,6 +332,7 @@ krb5_error_code kpasswd_handle_request(struct kdc_server *kdc, >+ { >+ struct auth_session_info *session_info; >+ NTSTATUS status; >++ krb5_error_code code; >+ >+ status = gensec_session_info(gensec_security, >+ mem_ctx, >+@@ -344,6 +345,18 @@ krb5_error_code kpasswd_handle_request(struct kdc_server *kdc, >+ return KRB5_KPASSWD_HARDERROR; >+ } >+ >++ /* >++ * Since the kpasswd service shares its keys with the krbtgt, we might >++ * have received a TGT rather than a kpasswd ticket. We need to check >++ * the ticket type to ensure that TGTs cannot be misused in this manner. >++ */ >++ code = kpasswd_check_non_tgt(session_info, >++ error_string); >++ if (code != 0) { >++ DBG_WARNING("%s\n", *error_string); >++ return code; >++ } >++ >+ switch(verno) { >+ case 1: { >+ DATA_BLOB password; >+-- >+2.25.1 >+ >+ >+From a6231af1f1c03cd81614332f867916e1748e03a8 Mon Sep 17 00:00:00 2001 >+From: Joseph Sutton <josephsutton@catalyst.net.nz> >+Date: Thu, 23 Jun 2022 13:59:11 +1200 >+Subject: [PATCH 97/99] CVE-2022-2031 testprogs: Add test for short-lived >+ ticket across an incoming trust >+ >+We ensure that the KDC does not reject a TGS-REQ with our short-lived >+TGT over an incoming trust. >+ >+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047 >+ >+Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> >+ >+[jsutton@samba.org Changed --use-krb5-ccache to -k yes to match >+ surrounding usage] >+--- >+ testprogs/blackbox/test_kinit_trusts_heimdal.sh | 6 +++++- >+ 1 file changed, 5 insertions(+), 1 deletion(-) >+ >+diff --git testprogs/blackbox/test_kinit_trusts_heimdal.sh testprogs/blackbox/test_kinit_trusts_heimdal.sh >+index bf0b81a0473..621434eac35 100755 >+--- testprogs/blackbox/test_kinit_trusts_heimdal.sh >++++ testprogs/blackbox/test_kinit_trusts_heimdal.sh >+@@ -54,6 +54,10 @@ testit "kinit with password" $samba4kinit $enctype --password-file=$PREFIX/tmppa >+ test_smbclient "Test login with user kerberos ccache" 'ls' "$unc" -k yes || failed=`expr $failed + 1` >+ rm -rf $KRB5CCNAME_PATH >+ >++testit "kinit with password and two minute lifetime" $samba4kinit $enctype --password-file=$PREFIX/tmppassfile --request-pac --server=krbtgt/$REALM@$TRUST_REALM --lifetime=2m $TRUST_USERNAME@$TRUST_REALM || failed=`expr $failed + 1` >++test_smbclient "Test login with user kerberos ccache and two minute lifetime" 'ls' "$unc" -k yes || failed=`expr $failed + 1` >++rm -rf $KRB5CCNAME_PATH >++ >+ # Test with smbclient4 >+ smbclient="$samba4bindir/smbclient4" >+ testit "kinit with password" $samba4kinit $enctype --password-file=$PREFIX/tmppassfile --request-pac $TRUST_USERNAME@$TRUST_REALM || failed=`expr $failed + 1` >+@@ -94,5 +98,5 @@ testit "wbinfo check outgoing trust pw" $VALGRIND $wbinfo --check-secret --domai >+ >+ test_smbclient "Test user login with the changed outgoing secret" 'ls' "$unc" -k yes -U$USERNAME@$REALM%$PASSWORD || failed=`expr $failed + 1` >+ >+-rm -f $PREFIX/tmpccache tmpccfile tmppassfile tmpuserpassfile tmpuserccache >++rm -f $PREFIX/tmpccache $PREFIX/tmppassfile >+ exit $failed >+-- >+2.25.1 >+ >+ >+From f6e1750c4fc966c29c2e0663d3c04e87057fa0c3 Mon Sep 17 00:00:00 2001 >+From: Jeremy Allison <jra@samba.org> >+Date: Tue, 7 Jun 2022 09:40:45 -0700 >+Subject: [PATCH 98/99] CVE-2022-32742: s4: torture: Add raw.write.bad-write >+ test. >+ >+Reproduces the test code in: >+ >+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15085 >+ >+Add knownfail. >+ >+Signed-off-by: Jeremy Allison <jra@samba.org> >+Reviewed-by: David Disseldorp <ddiss@samba.org> >+--- >+ selftest/knownfail.d/bad-write | 2 + >+ source4/torture/raw/write.c | 89 ++++++++++++++++++++++++++++++++++ >+ 2 files changed, 91 insertions(+) >+ create mode 100644 selftest/knownfail.d/bad-write >+ >+diff --git selftest/knownfail.d/bad-write selftest/knownfail.d/bad-write >+new file mode 100644 >+index 00000000000..5fc16606a13 >+--- /dev/null >++++ selftest/knownfail.d/bad-write >+@@ -0,0 +1,2 @@ >++^samba3.raw.write.bad-write\(nt4_dc_smb1\) >++^samba3.raw.write.bad-write\(ad_dc_smb1\) >+diff --git source4/torture/raw/write.c source4/torture/raw/write.c >+index 0a2f50f425b..661485bb548 100644 >+--- source4/torture/raw/write.c >++++ source4/torture/raw/write.c >+@@ -25,6 +25,7 @@ >+ #include "libcli/libcli.h" >+ #include "torture/util.h" >+ #include "torture/raw/proto.h" >++#include "libcli/raw/raw_proto.h" >+ >+ #define CHECK_STATUS(status, correct) do { \ >+ if (!NT_STATUS_EQUAL(status, correct)) { \ >+@@ -694,6 +695,93 @@ done: >+ return ret; >+ } >+ >++/* >++ test a deliberately bad SMB1 write. >++*/ >++static bool test_bad_write(struct torture_context *tctx, >++ struct smbcli_state *cli) >++{ >++ bool ret = false; >++ int fnum = -1; >++ struct smbcli_request *req = NULL; >++ const char *fname = BASEDIR "\\badwrite.txt"; >++ bool ok = false; >++ >++ if (!torture_setup_dir(cli, BASEDIR)) { >++ torture_fail(tctx, "failed to setup basedir"); >++ } >++ >++ torture_comment(tctx, "Testing RAW_BAD_WRITE\n"); >++ >++ fnum = smbcli_open(cli->tree, fname, O_RDWR|O_CREAT, DENY_NONE); >++ if (fnum == -1) { >++ torture_fail_goto(tctx, >++ done, >++ talloc_asprintf(tctx, >++ "Failed to create %s - %s\n", >++ fname, >++ smbcli_errstr(cli->tree))); >++ } >++ >++ req = smbcli_request_setup(cli->tree, >++ SMBwrite, >++ 5, >++ 0); >++ if (req == NULL) { >++ torture_fail_goto(tctx, >++ done, >++ talloc_asprintf(tctx, "talloc fail\n")); >++ } >++ >++ SSVAL(req->out.vwv, VWV(0), fnum); >++ SSVAL(req->out.vwv, VWV(1), 65535); /* bad write length. */ >++ SIVAL(req->out.vwv, VWV(2), 0); /* offset */ >++ SSVAL(req->out.vwv, VWV(4), 0); /* remaining. */ >++ >++ if (!smbcli_request_send(req)) { >++ torture_fail_goto(tctx, >++ done, >++ talloc_asprintf(tctx, "Send failed\n")); >++ } >++ >++ if (!smbcli_request_receive(req)) { >++ torture_fail_goto(tctx, >++ done, >++ talloc_asprintf(tctx, "Reveive failed\n")); >++ } >++ >++ /* >++ * Check for expected error codes. >++ * ntvfs returns NT_STATUS_UNSUCCESSFUL. >++ */ >++ ok = (NT_STATUS_EQUAL(req->status, NT_STATUS_INVALID_PARAMETER) || >++ NT_STATUS_EQUAL(req->status, NT_STATUS_UNSUCCESSFUL)); >++ >++ if (!ok) { >++ torture_fail_goto(tctx, >++ done, >++ talloc_asprintf(tctx, >++ "Should have returned " >++ "NT_STATUS_INVALID_PARAMETER or " >++ "NT_STATUS_UNSUCCESSFUL " >++ "got %s\n", >++ nt_errstr(req->status))); >++ } >++ >++ ret = true; >++ >++done: >++ if (req != NULL) { >++ smbcli_request_destroy(req); >++ } >++ if (fnum != -1) { >++ smbcli_close(cli->tree, fnum); >++ } >++ smb_raw_exit(cli->session); >++ smbcli_deltree(cli->tree, BASEDIR); >++ return ret; >++} >++ >+ /* >+ basic testing of write calls >+ */ >+@@ -705,6 +793,7 @@ struct torture_suite *torture_raw_write(TALLOC_CTX *mem_ctx) >+ torture_suite_add_1smb_test(suite, "write unlock", test_writeunlock); >+ torture_suite_add_1smb_test(suite, "write close", test_writeclose); >+ torture_suite_add_1smb_test(suite, "writex", test_writex); >++ torture_suite_add_1smb_test(suite, "bad-write", test_bad_write); >+ >+ return suite; >+ } >+-- >+2.25.1 >+ >+ >+From 7720e0acfd7ea6a2339f3e389aa8dcedd6174095 Mon Sep 17 00:00:00 2001 >+From: Jeremy Allison <jra@samba.org> >+Date: Wed, 8 Jun 2022 13:50:51 -0700 >+Subject: [PATCH 99/99] CVE-2022-32742: s3: smbd: Harden the smbreq_bufrem() >+ macro. >+ >+Fixes the raw.write.bad-write test. >+ >+NB. We need the two (==0) changes in source3/smbd/reply.c >+as the gcc optimizer now knows that the return from >+smbreq_bufrem() can never be less than zero. >+ >+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15085 >+ >+Remove knownfail. >+ >+Signed-off-by: Jeremy Allison <jra@samba.org> >+Reviewed-by: David Disseldorp <ddiss@samba.org> >+--- >+ selftest/knownfail.d/bad-write | 2 -- >+ source3/include/smb_macros.h | 2 +- >+ source3/smbd/reply.c | 4 ++-- >+ 3 files changed, 3 insertions(+), 5 deletions(-) >+ delete mode 100644 selftest/knownfail.d/bad-write >+ >+diff --git selftest/knownfail.d/bad-write selftest/knownfail.d/bad-write >+deleted file mode 100644 >+index 5fc16606a13..00000000000 >+--- selftest/knownfail.d/bad-write >++++ /dev/null >+@@ -1,2 +0,0 @@ >+-^samba3.raw.write.bad-write\(nt4_dc_smb1\) >+-^samba3.raw.write.bad-write\(ad_dc_smb1\) >+diff --git source3/include/smb_macros.h source3/include/smb_macros.h >+index def122727f0..de1322a503b 100644 >+--- source3/include/smb_macros.h >++++ source3/include/smb_macros.h >+@@ -152,7 +152,7 @@ >+ >+ /* the remaining number of bytes in smb buffer 'buf' from pointer 'p'. */ >+ #define smb_bufrem(buf, p) (smb_buflen(buf)-PTR_DIFF(p, smb_buf(buf))) >+-#define smbreq_bufrem(req, p) (req->buflen - PTR_DIFF(p, req->buf)) >++#define smbreq_bufrem(req, p) ((req)->buflen < PTR_DIFF((p), (req)->buf) ? 0 : (req)->buflen - PTR_DIFF((p), (req)->buf)) >+ >+ >+ /* Note that chain_size must be available as an extern int to this macro. */ >+diff --git source3/smbd/reply.c source3/smbd/reply.c >+index f33326564f7..b5abe588910 100644 >+--- source3/smbd/reply.c >++++ source3/smbd/reply.c >+@@ -342,7 +342,7 @@ size_t srvstr_get_path_req(TALLOC_CTX *mem_ctx, struct smb_request *req, >+ { >+ ssize_t bufrem = smbreq_bufrem(req, src); >+ >+- if (bufrem < 0) { >++ if (bufrem == 0) { >+ *err = NT_STATUS_INVALID_PARAMETER; >+ return 0; >+ } >+@@ -380,7 +380,7 @@ size_t srvstr_pull_req_talloc(TALLOC_CTX *ctx, struct smb_request *req, >+ { >+ ssize_t bufrem = smbreq_bufrem(req, src); >+ >+- if (bufrem < 0) { >++ if (bufrem == 0) { >+ return 0; >+ } >+ >+-- >+2.25.1 >+ >diff --git a/net/samba413/files/patch-waf-2.0.20 b/net/samba413/files/patch-waf-2.0.20 >new file mode 100644 >index 000000000000..3c40ea15f0ed >--- /dev/null >+++ b/net/samba413/files/patch-waf-2.0.20 >@@ -0,0 +1,1663 @@ >+From 5fc3a71d0f54b176d3cb2e399718d0468507e797 Mon Sep 17 00:00:00 2001 >+From: David Mulder <dmulder@suse.com> >+Date: Mon, 24 Aug 2020 13:12:46 -0600 >+Subject: [PATCH] waf: upgrade to 2.0.20 >+ >+This contain an important change: >+"Fix gccdeps.scan() returning nodes that no longer exist on disk." >+https://gitlab.com/ita1024/waf/-/merge_requests/2293 >+ >+Signed-off-by: David Mulder <dmulder@suse.com> >+Reviewed-by: Stefan Metzmacher <metze@samba.org> >+--- >+ buildtools/bin/waf | 2 +- >+ buildtools/wafsamba/samba_utils.py | 2 +- >+ buildtools/wafsamba/samba_waf18.py | 3 +- >+ buildtools/wafsamba/wafsamba.py | 2 +- >+ third_party/waf/waflib/Configure.py | 25 +- >+ third_party/waf/waflib/Context.py | 18 +- >+ third_party/waf/waflib/Options.py | 31 +- >+ third_party/waf/waflib/Scripting.py | 6 +- >+ third_party/waf/waflib/Tools/c_aliases.py | 4 +- >+ third_party/waf/waflib/Tools/c_config.py | 22 +- >+ third_party/waf/waflib/Tools/c_tests.py | 15 +- >+ third_party/waf/waflib/Tools/compiler_c.py | 2 +- >+ third_party/waf/waflib/Tools/compiler_cxx.py | 2 +- >+ third_party/waf/waflib/Tools/fc.py | 4 +- >+ third_party/waf/waflib/Tools/irixcc.py | 14 +- >+ third_party/waf/waflib/Tools/javaw.py | 2 +- >+ third_party/waf/waflib/Tools/python.py | 2 +- >+ third_party/waf/waflib/Tools/qt5.py | 6 +- >+ third_party/waf/waflib/Utils.py | 2 +- >+ .../extras/clang_compilation_database.py | 172 ++++-- >+ third_party/waf/waflib/extras/doxygen.py | 1 + >+ third_party/waf/waflib/extras/gccdeps.py | 15 +- >+ third_party/waf/waflib/extras/javatest.py | 135 ++++- >+ third_party/waf/waflib/extras/msvc_pdb.py | 46 ++ >+ third_party/waf/waflib/extras/pytest.py | 17 +- >+ third_party/waf/waflib/extras/wafcache.py | 524 ++++++++++++++++++ >+ 26 files changed, 942 insertions(+), 132 deletions(-) >+ create mode 100644 third_party/waf/waflib/extras/msvc_pdb.py >+ create mode 100644 third_party/waf/waflib/extras/wafcache.py >+ >+diff --git buildtools/bin/waf buildtools/bin/waf >+index 11ce8e7480a..feabe25d131 100755 >+--- buildtools/bin/waf >++++ buildtools/bin/waf >+@@ -32,7 +32,7 @@ POSSIBILITY OF SUCH DAMAGE. >+ >+ import os, sys, inspect >+ >+-VERSION="2.0.18" >++VERSION="2.0.20" >+ REVISION="x" >+ GIT="x" >+ INSTALL="x" >+diff --git buildtools/wafsamba/samba_utils.py buildtools/wafsamba/samba_utils.py >+index 4afee249d33..0587f525aff 100644 >+--- buildtools/wafsamba/samba_utils.py >++++ buildtools/wafsamba/samba_utils.py >+@@ -459,7 +459,7 @@ def RECURSE(ctx, directory): >+ return >+ visited_dirs.add(key) >+ relpath = os.path.relpath(abspath, ctx.path.abspath()) >+- if ctxclass in ['tmp', 'OptionsContext', 'ConfigurationContext', 'BuildContext']: >++ if ctxclass in ['tmp', 'OptionsContext', 'ConfigurationContext', 'BuildContext', 'ClangDbContext']: >+ return ctx.recurse(relpath) >+ if 'waflib.extras.compat15' in sys.modules: >+ return ctx.recurse(relpath) >+diff --git buildtools/wafsamba/samba_waf18.py buildtools/wafsamba/samba_waf18.py >+index c0bb6bfcf55..ecf3891f175 100644 >+--- buildtools/wafsamba/samba_waf18.py >++++ buildtools/wafsamba/samba_waf18.py >+@@ -5,6 +5,7 @@ from waflib import Build, Configure, Node, Utils, Options, Logs, TaskGen >+ from waflib import ConfigSet >+ from waflib.TaskGen import feature, after >+ from waflib.Configure import conf, ConfigurationContext >++from waflib.extras import clang_compilation_database >+ >+ from waflib.Tools.flex import decide_ext >+ >+@@ -37,7 +38,7 @@ TaskGen.declare_chain( >+ ) >+ >+ >+-for y in (Build.BuildContext, Build.CleanContext, Build.InstallContext, Build.UninstallContext, Build.ListContext): >++for y in (Build.BuildContext, Build.CleanContext, Build.InstallContext, Build.UninstallContext, Build.ListContext, clang_compilation_database.ClangDbContext): >+ class tmp(y): >+ variant = 'default' >+ >+diff --git buildtools/wafsamba/wafsamba.py buildtools/wafsamba/wafsamba.py >+index 7827d374654..9f6ee4f5c7f 100644 >+--- buildtools/wafsamba/wafsamba.py >++++ buildtools/wafsamba/wafsamba.py >+@@ -38,7 +38,7 @@ LIB_PATH="shared" >+ >+ os.environ['PYTHONUNBUFFERED'] = '1' >+ >+-if Context.HEXVERSION not in (0x2001200,): >++if Context.HEXVERSION not in (0x2001400,): >+ Logs.error(''' >+ Please use the version of waf that comes with Samba, not >+ a system installed version. See http://wiki.samba.org/index.php/Waf >+diff --git third_party/waf/waflib/Configure.py third_party/waf/waflib/Configure.py >+index 5762eb66954..e7333948489 100644 >+--- third_party/waf/waflib/Configure.py >++++ third_party/waf/waflib/Configure.py >+@@ -508,23 +508,27 @@ def find_binary(self, filenames, exts, paths): >+ @conf >+ def run_build(self, *k, **kw): >+ """ >+- Create a temporary build context to execute a build. A reference to that build >+- context is kept on self.test_bld for debugging purposes, and you should not rely >+- on it too much (read the note on the cache below). >+- The parameters given in the arguments to this function are passed as arguments for >+- a single task generator created in the build. Only three parameters are obligatory: >++ Create a temporary build context to execute a build. A temporary reference to that build >++ context is kept on self.test_bld for debugging purposes. >++ The arguments to this function are passed to a single task generator for that build. >++ Only three parameters are mandatory: >+ >+ :param features: features to pass to a task generator created in the build >+ :type features: list of string >+ :param compile_filename: file to create for the compilation (default: *test.c*) >+ :type compile_filename: string >+- :param code: code to write in the filename to compile >++ :param code: input file contents >+ :type code: string >+ >+- Though this function returns *0* by default, the build may set an attribute named *retval* on the >++ Though this function returns *0* by default, the build may bind attribute named *retval* on the >+ build context object to return a particular value. See :py:func:`waflib.Tools.c_config.test_exec_fun` for example. >+ >+- This function also features a cache which can be enabled by the following option:: >++ The temporary builds creates a temporary folder; the name of that folder is calculated >++ by hashing input arguments to this function, with the exception of :py:class:`waflib.ConfigSet.ConfigSet` >++ objects which are used for both reading and writing values. >++ >++ This function also features a cache which is disabled by default; that cache relies >++ on the hash value calculated as indicated above:: >+ >+ def options(opt): >+ opt.add_option('--confcache', dest='confcache', default=0, >+@@ -538,7 +542,10 @@ def run_build(self, *k, **kw): >+ buf = [] >+ for key in sorted(kw.keys()): >+ v = kw[key] >+- if hasattr(v, '__call__'): >++ if isinstance(v, ConfigSet.ConfigSet): >++ # values are being written to, so they are excluded from contributing to the hash >++ continue >++ elif hasattr(v, '__call__'): >+ buf.append(Utils.h_fun(v)) >+ else: >+ buf.append(str(v)) >+diff --git third_party/waf/waflib/Context.py third_party/waf/waflib/Context.py >+index e3305fa3341..3f1b4fa48ab 100644 >+--- third_party/waf/waflib/Context.py >++++ third_party/waf/waflib/Context.py >+@@ -6,20 +6,30 @@ >+ Classes and functions enabling the command system >+ """ >+ >+-import os, re, imp, sys >++import os, re, sys >+ from waflib import Utils, Errors, Logs >+ import waflib.Node >+ >++if sys.hexversion > 0x3040000: >++ import types >++ class imp(object): >++ new_module = lambda x: types.ModuleType(x) >++else: >++ import imp >++ >+ # the following 3 constants are updated on each new release (do not touch) >+-HEXVERSION=0x2001200 >++HEXVERSION=0x2001400 >+ """Constant updated on new releases""" >+ >+-WAFVERSION="2.0.18" >++WAFVERSION="2.0.20" >+ """Constant updated on new releases""" >+ >+-WAFREVISION="314689b8994259a84f0de0aaef74d7ce91f541ad" >++WAFREVISION="668769470956da8c5b60817cb8884cd7d0f87cd4" >+ """Git revision when the waf version is updated""" >+ >++WAFNAME="waf" >++"""Application name displayed on --help""" >++ >+ ABI = 20 >+ """Version of the build data cache file format (used in :py:const:`waflib.Context.DBFILE`)""" >+ >+diff --git third_party/waf/waflib/Options.py third_party/waf/waflib/Options.py >+index ad802d4b905..d4104917c82 100644 >+--- third_party/waf/waflib/Options.py >++++ third_party/waf/waflib/Options.py >+@@ -44,7 +44,7 @@ class opt_parser(optparse.OptionParser): >+ """ >+ def __init__(self, ctx, allow_unknown=False): >+ optparse.OptionParser.__init__(self, conflict_handler='resolve', add_help_option=False, >+- version='waf %s (%s)' % (Context.WAFVERSION, Context.WAFREVISION)) >++ version='%s %s (%s)' % (Context.WAFNAME, Context.WAFVERSION, Context.WAFREVISION)) >+ self.formatter.width = Logs.get_term_cols() >+ self.ctx = ctx >+ self.allow_unknown = allow_unknown >+@@ -62,6 +62,21 @@ class opt_parser(optparse.OptionParser): >+ else: >+ self.error(str(e)) >+ >++ def _process_long_opt(self, rargs, values): >++ # --custom-option=-ftxyz is interpreted as -f -t... see #2280 >++ if self.allow_unknown: >++ back = [] + rargs >++ try: >++ optparse.OptionParser._process_long_opt(self, rargs, values) >++ except optparse.BadOptionError: >++ while rargs: >++ rargs.pop() >++ rargs.extend(back) >++ rargs.pop(0) >++ raise >++ else: >++ optparse.OptionParser._process_long_opt(self, rargs, values) >++ >+ def print_usage(self, file=None): >+ return self.print_help(file) >+ >+@@ -96,11 +111,11 @@ class opt_parser(optparse.OptionParser): >+ lst.sort() >+ ret = '\n'.join(lst) >+ >+- return '''waf [commands] [options] >++ return '''%s [commands] [options] >+ >+-Main commands (example: ./waf build -j4) >++Main commands (example: ./%s build -j4) >+ %s >+-''' % ret >++''' % (Context.WAFNAME, Context.WAFNAME, ret) >+ >+ >+ class OptionsContext(Context.Context): >+@@ -141,9 +156,9 @@ class OptionsContext(Context.Context): >+ gr.add_option('-o', '--out', action='store', default='', help='build dir for the project', dest='out') >+ gr.add_option('-t', '--top', action='store', default='', help='src dir for the project', dest='top') >+ >+- gr.add_option('--no-lock-in-run', action='store_true', default='', help=optparse.SUPPRESS_HELP, dest='no_lock_in_run') >+- gr.add_option('--no-lock-in-out', action='store_true', default='', help=optparse.SUPPRESS_HELP, dest='no_lock_in_out') >+- gr.add_option('--no-lock-in-top', action='store_true', default='', help=optparse.SUPPRESS_HELP, dest='no_lock_in_top') >++ gr.add_option('--no-lock-in-run', action='store_true', default=os.environ.get('NO_LOCK_IN_RUN', ''), help=optparse.SUPPRESS_HELP, dest='no_lock_in_run') >++ gr.add_option('--no-lock-in-out', action='store_true', default=os.environ.get('NO_LOCK_IN_OUT', ''), help=optparse.SUPPRESS_HELP, dest='no_lock_in_out') >++ gr.add_option('--no-lock-in-top', action='store_true', default=os.environ.get('NO_LOCK_IN_TOP', ''), help=optparse.SUPPRESS_HELP, dest='no_lock_in_top') >+ >+ default_prefix = getattr(Context.g_module, 'default_prefix', os.environ.get('PREFIX')) >+ if not default_prefix: >+@@ -282,6 +297,8 @@ class OptionsContext(Context.Context): >+ elif arg != 'options': >+ commands.append(arg) >+ >++ if options.jobs < 1: >++ options.jobs = 1 >+ for name in 'top out destdir prefix bindir libdir'.split(): >+ # those paths are usually expanded from Context.launch_dir >+ if getattr(options, name, None): >+diff --git third_party/waf/waflib/Scripting.py third_party/waf/waflib/Scripting.py >+index 68dccf29ce0..da83a2166a1 100644 >+--- third_party/waf/waflib/Scripting.py >++++ third_party/waf/waflib/Scripting.py >+@@ -306,7 +306,7 @@ def distclean(ctx): >+ >+ # remove a build folder, if any >+ cur = '.' >+- if ctx.options.no_lock_in_top: >++ if os.environ.get('NO_LOCK_IN_TOP') or ctx.options.no_lock_in_top: >+ cur = ctx.options.out >+ >+ try: >+@@ -333,9 +333,9 @@ def distclean(ctx): >+ remove_and_log(env.out_dir, shutil.rmtree) >+ >+ env_dirs = [env.out_dir] >+- if not ctx.options.no_lock_in_top: >++ if not (os.environ.get('NO_LOCK_IN_TOP') or ctx.options.no_lock_in_top): >+ env_dirs.append(env.top_dir) >+- if not ctx.options.no_lock_in_run: >++ if not (os.environ.get('NO_LOCK_IN_RUN') or ctx.options.no_lock_in_run): >+ env_dirs.append(env.run_dir) >+ for k in env_dirs: >+ p = os.path.join(k, Options.lockfile) >+diff --git third_party/waf/waflib/Tools/c_aliases.py third_party/waf/waflib/Tools/c_aliases.py >+index 985e048bdb7..928cfe29caa 100644 >+--- third_party/waf/waflib/Tools/c_aliases.py >++++ third_party/waf/waflib/Tools/c_aliases.py >+@@ -38,7 +38,7 @@ def sniff_features(**kw): >+ :return: the list of features for a task generator processing the source files >+ :rtype: list of string >+ """ >+- exts = get_extensions(kw['source']) >++ exts = get_extensions(kw.get('source', [])) >+ typ = kw['typ'] >+ feats = [] >+ >+@@ -72,7 +72,7 @@ def sniff_features(**kw): >+ feats.append(x + typ) >+ will_link = True >+ if not will_link and not kw.get('features', []): >+- raise Errors.WafError('Cannot link from %r, try passing eg: features="c cprogram"?' % kw) >++ raise Errors.WafError('Unable to determine how to link %r, try adding eg: features="c cshlib"?' % kw) >+ return feats >+ >+ def set_features(kw, typ): >+diff --git third_party/waf/waflib/Tools/c_config.py third_party/waf/waflib/Tools/c_config.py >+index 80580cc9fcb..98187fac2e2 100644 >+--- third_party/waf/waflib/Tools/c_config.py >++++ third_party/waf/waflib/Tools/c_config.py >+@@ -86,6 +86,10 @@ def parse_flags(self, line, uselib_store, env=None, force_static=False, posix=No >+ :type uselib_store: string >+ :param env: config set or conf.env by default >+ :type env: :py:class:`waflib.ConfigSet.ConfigSet` >++ :param force_static: force usage of static libraries >++ :type force_static: bool default False >++ :param posix: usage of POSIX mode for shlex lexical analiysis library >++ :type posix: bool default True >+ """ >+ >+ assert(isinstance(line, str)) >+@@ -103,6 +107,8 @@ def parse_flags(self, line, uselib_store, env=None, force_static=False, posix=No >+ lex.commenters = '' >+ lst = list(lex) >+ >++ so_re = re.compile(r"\.so(?:\.[0-9]+)*$") >++ >+ # append_unique is not always possible >+ # for example, apple flags may require both -arch i386 and -arch ppc >+ uselib = uselib_store >+@@ -144,7 +150,7 @@ def parse_flags(self, line, uselib_store, env=None, force_static=False, posix=No >+ elif x.startswith('-std='): >+ prefix = 'CXXFLAGS' if '++' in x else 'CFLAGS' >+ app(prefix, x) >+- elif x.startswith('+') or x in ('-pthread', '-fPIC', '-fpic', '-fPIE', '-fpie'): >++ elif x.startswith('+') or x in ('-pthread', '-fPIC', '-fpic', '-fPIE', '-fpie', '-flto', '-fno-lto'): >+ app('CFLAGS', x) >+ app('CXXFLAGS', x) >+ app('LINKFLAGS', x) >+@@ -180,7 +186,7 @@ def parse_flags(self, line, uselib_store, env=None, force_static=False, posix=No >+ app('CFLAGS', tmp) >+ app('CXXFLAGS', tmp) >+ app('LINKFLAGS', tmp) >+- elif x.endswith(('.a', '.so', '.dylib', '.lib')): >++ elif x.endswith(('.a', '.dylib', '.lib')) or so_re.search(x): >+ appu('LINKFLAGS', x) # not cool, #762 >+ else: >+ self.to_log('Unhandled flag %r' % x) >+@@ -246,6 +252,8 @@ def exec_cfg(self, kw): >+ * if modversion is given, then return the module version >+ * else, execute the *-config* program with the *args* and *variables* given, and set the flags on the *conf.env.FLAGS_name* variable >+ >++ :param path: the **-config program to use** >++ :type path: list of string >+ :param atleast_pkgconfig_version: minimum pkg-config version to use (disable other tests) >+ :type atleast_pkgconfig_version: string >+ :param package: package name, for example *gtk+-2.0* >+@@ -260,6 +268,12 @@ def exec_cfg(self, kw): >+ :type variables: list of string >+ :param define_variable: additional variables to define (also in conf.env.PKG_CONFIG_DEFINES) >+ :type define_variable: dict(string: string) >++ :param pkg_config_path: paths where pkg-config should search for .pc config files (overrides env.PKG_CONFIG_PATH if exists) >++ :type pkg_config_path: string, list of directories separated by colon >++ :param force_static: force usage of static libraries >++ :type force_static: bool default False >++ :param posix: usage of POSIX mode for shlex lexical analiysis library >++ :type posix: bool default True >+ """ >+ >+ path = Utils.to_list(kw['path']) >+@@ -334,6 +348,7 @@ def check_cfg(self, *k, **kw): >+ """ >+ Checks for configuration flags using a **-config**-like program (pkg-config, sdl-config, etc). >+ This wraps internal calls to :py:func:`waflib.Tools.c_config.validate_cfg` and :py:func:`waflib.Tools.c_config.exec_cfg` >++ so check exec_cfg parameters descriptions for more details on kw passed >+ >+ A few examples:: >+ >+@@ -1267,10 +1282,11 @@ def multicheck(self, *k, **kw): >+ tasks = [] >+ >+ id_to_task = {} >+- for dct in k: >++ for counter, dct in enumerate(k): >+ x = Task.classes['cfgtask'](bld=bld, env=None) >+ tasks.append(x) >+ x.args = dct >++ x.args['multicheck_counter'] = counter >+ x.bld = bld >+ x.conf = self >+ x.args = dct >+diff --git third_party/waf/waflib/Tools/c_tests.py third_party/waf/waflib/Tools/c_tests.py >+index 7a4094f2450..bdd186c6bc4 100644 >+--- third_party/waf/waflib/Tools/c_tests.py >++++ third_party/waf/waflib/Tools/c_tests.py >+@@ -180,9 +180,15 @@ def check_large_file(self, **kw): >+ ######################################################################################## >+ >+ ENDIAN_FRAGMENT = ''' >++#ifdef _MSC_VER >++#define testshlib_EXPORT __declspec(dllexport) >++#else >++#define testshlib_EXPORT >++#endif >++ >+ short int ascii_mm[] = { 0x4249, 0x4765, 0x6E44, 0x6961, 0x6E53, 0x7953, 0 }; >+ short int ascii_ii[] = { 0x694C, 0x5454, 0x656C, 0x6E45, 0x6944, 0x6E61, 0 }; >+-int use_ascii (int i) { >++int testshlib_EXPORT use_ascii (int i) { >+ return ascii_mm[i] + ascii_ii[i]; >+ } >+ short int ebcdic_ii[] = { 0x89D3, 0xE3E3, 0x8593, 0x95C5, 0x89C4, 0x9581, 0 }; >+@@ -208,12 +214,12 @@ class grep_for_endianness(Task.Task): >+ return -1 >+ >+ @feature('grep_for_endianness') >+-@after_method('process_source') >++@after_method('apply_link') >+ def grep_for_endianness_fun(self): >+ """ >+ Used by the endianness configuration test >+ """ >+- self.create_task('grep_for_endianness', self.compiled_tasks[0].outputs[0]) >++ self.create_task('grep_for_endianness', self.link_task.outputs[0]) >+ >+ @conf >+ def check_endianness(self): >+@@ -223,7 +229,8 @@ def check_endianness(self): >+ tmp = [] >+ def check_msg(self): >+ return tmp[0] >+- self.check(fragment=ENDIAN_FRAGMENT, features='c grep_for_endianness', >++ >++ self.check(fragment=ENDIAN_FRAGMENT, features='c cshlib grep_for_endianness', >+ msg='Checking for endianness', define='ENDIANNESS', tmp=tmp, >+ okmsg=check_msg, confcache=None) >+ return tmp[0] >+diff --git third_party/waf/waflib/Tools/compiler_c.py third_party/waf/waflib/Tools/compiler_c.py >+index 2dba3f82704..931dc57efec 100644 >+--- third_party/waf/waflib/Tools/compiler_c.py >++++ third_party/waf/waflib/Tools/compiler_c.py >+@@ -37,7 +37,7 @@ from waflib.Logs import debug >+ >+ c_compiler = { >+ 'win32': ['msvc', 'gcc', 'clang'], >+-'cygwin': ['gcc'], >++'cygwin': ['gcc', 'clang'], >+ 'darwin': ['clang', 'gcc'], >+ 'aix': ['xlc', 'gcc', 'clang'], >+ 'linux': ['gcc', 'clang', 'icc'], >+diff --git third_party/waf/waflib/Tools/compiler_cxx.py third_party/waf/waflib/Tools/compiler_cxx.py >+index 1af65a226dc..09fca7e4dc6 100644 >+--- third_party/waf/waflib/Tools/compiler_cxx.py >++++ third_party/waf/waflib/Tools/compiler_cxx.py >+@@ -38,7 +38,7 @@ from waflib.Logs import debug >+ >+ cxx_compiler = { >+ 'win32': ['msvc', 'g++', 'clang++'], >+-'cygwin': ['g++'], >++'cygwin': ['g++', 'clang++'], >+ 'darwin': ['clang++', 'g++'], >+ 'aix': ['xlc++', 'g++', 'clang++'], >+ 'linux': ['g++', 'clang++', 'icpc'], >+diff --git third_party/waf/waflib/Tools/fc.py third_party/waf/waflib/Tools/fc.py >+index fd4d39c90ae..7fbd76d3650 100644 >+--- third_party/waf/waflib/Tools/fc.py >++++ third_party/waf/waflib/Tools/fc.py >+@@ -13,8 +13,8 @@ from waflib.TaskGen import extension >+ from waflib.Configure import conf >+ >+ ccroot.USELIB_VARS['fc'] = set(['FCFLAGS', 'DEFINES', 'INCLUDES', 'FCPPFLAGS']) >+-ccroot.USELIB_VARS['fcprogram_test'] = ccroot.USELIB_VARS['fcprogram'] = set(['LIB', 'STLIB', 'LIBPATH', 'STLIBPATH', 'LINKFLAGS', 'RPATH', 'LINKDEPS']) >+-ccroot.USELIB_VARS['fcshlib'] = set(['LIB', 'STLIB', 'LIBPATH', 'STLIBPATH', 'LINKFLAGS', 'RPATH', 'LINKDEPS']) >++ccroot.USELIB_VARS['fcprogram_test'] = ccroot.USELIB_VARS['fcprogram'] = set(['LIB', 'STLIB', 'LIBPATH', 'STLIBPATH', 'LINKFLAGS', 'RPATH', 'LINKDEPS', 'LDFLAGS']) >++ccroot.USELIB_VARS['fcshlib'] = set(['LIB', 'STLIB', 'LIBPATH', 'STLIBPATH', 'LINKFLAGS', 'RPATH', 'LINKDEPS', 'LDFLAGS']) >+ ccroot.USELIB_VARS['fcstlib'] = set(['ARFLAGS', 'LINKDEPS']) >+ >+ @extension('.f','.F','.f90','.F90','.for','.FOR','.f95','.F95','.f03','.F03','.f08','.F08') >+diff --git third_party/waf/waflib/Tools/irixcc.py third_party/waf/waflib/Tools/irixcc.py >+index c3ae1ac915c..0335c13cb61 100644 >+--- third_party/waf/waflib/Tools/irixcc.py >++++ third_party/waf/waflib/Tools/irixcc.py >+@@ -13,22 +13,11 @@ from waflib.Configure import conf >+ @conf >+ def find_irixcc(conf): >+ v = conf.env >+- cc = None >+- if v.CC: >+- cc = v.CC >+- elif 'CC' in conf.environ: >+- cc = conf.environ['CC'] >+- if not cc: >+- cc = conf.find_program('cc', var='CC') >+- if not cc: >+- conf.fatal('irixcc was not found') >+- >++ cc = conf.find_program('cc', var='CC') >+ try: >+ conf.cmd_and_log(cc + ['-version']) >+ except Errors.WafError: >+ conf.fatal('%r -version could not be executed' % cc) >+- >+- v.CC = cc >+ v.CC_NAME = 'irix' >+ >+ @conf >+@@ -57,7 +46,6 @@ def irixcc_common_flags(conf): >+ >+ def configure(conf): >+ conf.find_irixcc() >+- conf.find_cpp() >+ conf.find_ar() >+ conf.irixcc_common_flags() >+ conf.cc_load_tools() >+diff --git third_party/waf/waflib/Tools/javaw.py third_party/waf/waflib/Tools/javaw.py >+index ceb08c28c87..b7f5dd1f87f 100644 >+--- third_party/waf/waflib/Tools/javaw.py >++++ third_party/waf/waflib/Tools/javaw.py >+@@ -251,7 +251,7 @@ def use_javac_files(self): >+ base_node = tg.path.get_bld() >+ >+ self.use_lst.append(base_node.abspath()) >+- self.javac_task.dep_nodes.extend([x for x in base_node.ant_glob(JAR_RE, remove=False, quiet=True)]) >++ self.javac_task.dep_nodes.extend([dx for dx in base_node.ant_glob(JAR_RE, remove=False, quiet=True)]) >+ >+ for tsk in tg.tasks: >+ self.javac_task.set_run_after(tsk) >+diff --git third_party/waf/waflib/Tools/python.py third_party/waf/waflib/Tools/python.py >+index 7c45a76ffd2..b1c8dd01285 100644 >+--- third_party/waf/waflib/Tools/python.py >++++ third_party/waf/waflib/Tools/python.py >+@@ -620,7 +620,7 @@ def configure(conf): >+ v.PYO = getattr(Options.options, 'pyo', 1) >+ >+ try: >+- v.PYTAG = conf.cmd_and_log(conf.env.PYTHON + ['-c', "import imp;print(imp.get_tag())"]).strip() >++ v.PYTAG = conf.cmd_and_log(conf.env.PYTHON + ['-c', "import sys\ntry:\n print(sys.implementation.cache_tag)\nexcept AttributeError:\n import imp\n print(imp.get_tag())\n"]).strip() >+ except Errors.WafError: >+ pass >+ >+diff --git third_party/waf/waflib/Tools/qt5.py third_party/waf/waflib/Tools/qt5.py >+index 287c25374a4..99e021bae61 100644 >+--- third_party/waf/waflib/Tools/qt5.py >++++ third_party/waf/waflib/Tools/qt5.py >+@@ -482,8 +482,8 @@ def configure(self): >+ self.fatal('No CXX compiler defined: did you forget to configure compiler_cxx first?') >+ >+ # Qt5 may be compiled with '-reduce-relocations' which requires dependent programs to have -fPIE or -fPIC? >+- frag = '#include <QApplication>\nint main(int argc, char **argv) {return 0;}\n' >+- uses = 'QT5CORE QT5WIDGETS QT5GUI' >++ frag = '#include <QMap>\nint main(int argc, char **argv) {QMap<int,int> m;return m.keys().size();}\n' >++ uses = 'QT5CORE' >+ for flag in [[], '-fPIE', '-fPIC', '-std=c++11' , ['-std=c++11', '-fPIE'], ['-std=c++11', '-fPIC']]: >+ msg = 'See if Qt files compile ' >+ if flag: >+@@ -499,7 +499,7 @@ def configure(self): >+ >+ # FreeBSD does not add /usr/local/lib and the pkg-config files do not provide it either :-/ >+ if Utils.unversioned_sys_platform() == 'freebsd': >+- frag = '#include <QApplication>\nint main(int argc, char **argv) { QApplication app(argc, argv); return NULL != (void*) (&app);}\n' >++ frag = '#include <QMap>\nint main(int argc, char **argv) {QMap<int,int> m;return m.keys().size();}\n' >+ try: >+ self.check(features='qt5 cxx cxxprogram', use=uses, fragment=frag, msg='Can we link Qt programs on FreeBSD directly?') >+ except self.errors.ConfigurationError: >+diff --git third_party/waf/waflib/Utils.py third_party/waf/waflib/Utils.py >+index 7472226da58..fc64fa05154 100644 >+--- third_party/waf/waflib/Utils.py >++++ third_party/waf/waflib/Utils.py >+@@ -891,7 +891,7 @@ def run_prefork_process(cmd, kwargs, cargs): >+ """ >+ Delegates process execution to a pre-forked process instance. >+ """ >+- if not 'env' in kwargs: >++ if not kwargs.get('env'): >+ kwargs['env'] = dict(os.environ) >+ try: >+ obj = base64.b64encode(cPickle.dumps([cmd, kwargs, cargs])) >+diff --git third_party/waf/waflib/extras/clang_compilation_database.py third_party/waf/waflib/extras/clang_compilation_database.py >+index 4d9b5e275ae..ff71f22ecfd 100644 >+--- third_party/waf/waflib/extras/clang_compilation_database.py >++++ third_party/waf/waflib/extras/clang_compilation_database.py >+@@ -1,6 +1,7 @@ >+ #!/usr/bin/env python >+ # encoding: utf-8 >+ # Christoph Koke, 2013 >++# Alibek Omarov, 2019 >+ >+ """ >+ Writes the c and cpp compile commands into build/compile_commands.json >+@@ -8,14 +9,23 @@ see http://clang.llvm.org/docs/JSONCompilationDatabase.html >+ >+ Usage: >+ >+- def configure(conf): >+- conf.load('compiler_cxx') >+- ... >+- conf.load('clang_compilation_database') >++ Load this tool in `options` to be able to generate database >++ by request in command-line and before build: >++ >++ $ waf clangdb >++ >++ def options(opt): >++ opt.load('clang_compilation_database') >++ >++ Otherwise, load only in `configure` to generate it always before build. >++ >++ def configure(conf): >++ conf.load('compiler_cxx') >++ ... >++ conf.load('clang_compilation_database') >+ """ >+ >+-import sys, os, json, shlex, pipes >+-from waflib import Logs, TaskGen, Task >++from waflib import Logs, TaskGen, Task, Build, Scripting >+ >+ Task.Task.keep_last_cmd = True >+ >+@@ -23,63 +33,103 @@ Task.Task.keep_last_cmd = True >+ @TaskGen.after_method('process_use') >+ def collect_compilation_db_tasks(self): >+ "Add a compilation database entry for compiled tasks" >+- try: >+- clang_db = self.bld.clang_compilation_database_tasks >+- except AttributeError: >+- clang_db = self.bld.clang_compilation_database_tasks = [] >+- self.bld.add_post_fun(write_compilation_database) >++ if not isinstance(self.bld, ClangDbContext): >++ return >+ >+ tup = tuple(y for y in [Task.classes.get(x) for x in ('c', 'cxx')] if y) >+ for task in getattr(self, 'compiled_tasks', []): >+ if isinstance(task, tup): >+- clang_db.append(task) >+- >+-def write_compilation_database(ctx): >+- "Write the clang compilation database as JSON" >+- database_file = ctx.bldnode.make_node('compile_commands.json') >+- Logs.info('Build commands will be stored in %s', database_file.path_from(ctx.path)) >+- try: >+- root = json.load(database_file) >+- except IOError: >+- root = [] >+- clang_db = dict((x['file'], x) for x in root) >+- for task in getattr(ctx, 'clang_compilation_database_tasks', []): >++ self.bld.clang_compilation_database_tasks.append(task) >++ >++class ClangDbContext(Build.BuildContext): >++ '''generates compile_commands.json by request''' >++ cmd = 'clangdb' >++ clang_compilation_database_tasks = [] >++ >++ def write_compilation_database(self): >++ """ >++ Write the clang compilation database as JSON >++ """ >++ database_file = self.bldnode.make_node('compile_commands.json') >++ Logs.info('Build commands will be stored in %s', database_file.path_from(self.path)) >+ try: >+- cmd = task.last_cmd >+- except AttributeError: >+- continue >+- directory = getattr(task, 'cwd', ctx.variant_dir) >+- f_node = task.inputs[0] >+- filename = os.path.relpath(f_node.abspath(), directory) >+- entry = { >+- "directory": directory, >+- "arguments": cmd, >+- "file": filename, >+- } >+- clang_db[filename] = entry >+- root = list(clang_db.values()) >+- database_file.write(json.dumps(root, indent=2)) >+- >+-# Override the runnable_status function to do a dummy/dry run when the file doesn't need to be compiled. >+-# This will make sure compile_commands.json is always fully up to date. >+-# Previously you could end up with a partial compile_commands.json if the build failed. >+-for x in ('c', 'cxx'): >+- if x not in Task.classes: >+- continue >+- >+- t = Task.classes[x] >+- >+- def runnable_status(self): >+- def exec_command(cmd, **kw): >+- pass >+- >+- run_status = self.old_runnable_status() >+- if run_status == Task.SKIP_ME: >+- setattr(self, 'old_exec_command', getattr(self, 'exec_command', None)) >+- setattr(self, 'exec_command', exec_command) >+- self.run() >+- setattr(self, 'exec_command', getattr(self, 'old_exec_command', None)) >+- return run_status >+- >+- setattr(t, 'old_runnable_status', getattr(t, 'runnable_status', None)) >+- setattr(t, 'runnable_status', runnable_status) >++ root = database_file.read_json() >++ except IOError: >++ root = [] >++ clang_db = dict((x['file'], x) for x in root) >++ for task in self.clang_compilation_database_tasks: >++ try: >++ cmd = task.last_cmd >++ except AttributeError: >++ continue >++ f_node = task.inputs[0] >++ filename = f_node.path_from(task.get_cwd()) >++ entry = { >++ "directory": task.get_cwd().abspath(), >++ "arguments": cmd, >++ "file": filename, >++ } >++ clang_db[filename] = entry >++ root = list(clang_db.values()) >++ database_file.write_json(root) >++ >++ def execute(self): >++ """ >++ Build dry run >++ """ >++ self.restore() >++ >++ if not self.all_envs: >++ self.load_envs() >++ >++ self.recurse([self.run_dir]) >++ self.pre_build() >++ >++ # we need only to generate last_cmd, so override >++ # exec_command temporarily >++ def exec_command(self, *k, **kw): >++ return 0 >++ >++ for g in self.groups: >++ for tg in g: >++ try: >++ f = tg.post >++ except AttributeError: >++ pass >++ else: >++ f() >++ >++ if isinstance(tg, Task.Task): >++ lst = [tg] >++ else: lst = tg.tasks >++ for tsk in lst: >++ tup = tuple(y for y in [Task.classes.get(x) for x in ('c', 'cxx')] if y) >++ if isinstance(tsk, tup): >++ old_exec = tsk.exec_command >++ tsk.exec_command = exec_command >++ tsk.run() >++ tsk.exec_command = old_exec >++ >++ self.write_compilation_database() >++ >++EXECUTE_PATCHED = False >++def patch_execute(): >++ global EXECUTE_PATCHED >++ >++ if EXECUTE_PATCHED: >++ return >++ >++ def new_execute_build(self): >++ """ >++ Invoke clangdb command before build >++ """ >++ if self.cmd.startswith('build'): >++ Scripting.run_command('clangdb') >++ >++ old_execute_build(self) >++ >++ old_execute_build = getattr(Build.BuildContext, 'execute_build', None) >++ setattr(Build.BuildContext, 'execute_build', new_execute_build) >++ EXECUTE_PATCHED = True >++ >++patch_execute() >+diff --git third_party/waf/waflib/extras/doxygen.py third_party/waf/waflib/extras/doxygen.py >+index 20cd9e1a852..de75bc2738a 100644 >+--- third_party/waf/waflib/extras/doxygen.py >++++ third_party/waf/waflib/extras/doxygen.py >+@@ -69,6 +69,7 @@ def parse_doxy(txt): >+ class doxygen(Task.Task): >+ vars = ['DOXYGEN', 'DOXYFLAGS'] >+ color = 'BLUE' >++ ext_in = [ '.py', '.c', '.h', '.java', '.pb.cc' ] >+ >+ def runnable_status(self): >+ ''' >+diff --git third_party/waf/waflib/extras/gccdeps.py third_party/waf/waflib/extras/gccdeps.py >+index bfabe72e6fd..c3a809e252a 100644 >+--- third_party/waf/waflib/extras/gccdeps.py >++++ third_party/waf/waflib/extras/gccdeps.py >+@@ -27,7 +27,7 @@ if not c_preproc.go_absolute: >+ gccdeps_flags = ['-MMD'] >+ >+ # Third-party tools are allowed to add extra names in here with append() >+-supported_compilers = ['gcc', 'icc', 'clang'] >++supported_compilers = ['gas', 'gcc', 'icc', 'clang'] >+ >+ def scan(self): >+ if not self.__class__.__name__ in self.env.ENABLE_GCCDEPS: >+@@ -175,14 +175,14 @@ def wrap_compiled_task(classname): >+ derived_class.scan = scan >+ derived_class.sig_implicit_deps = sig_implicit_deps >+ >+-for k in ('c', 'cxx'): >++for k in ('asm', 'c', 'cxx'): >+ if k in Task.classes: >+ wrap_compiled_task(k) >+ >+ @before_method('process_source') >+ @feature('force_gccdeps') >+ def force_gccdeps(self): >+- self.env.ENABLE_GCCDEPS = ['c', 'cxx'] >++ self.env.ENABLE_GCCDEPS = ['asm', 'c', 'cxx'] >+ >+ def configure(conf): >+ # in case someone provides a --enable-gccdeps command-line option >+@@ -191,6 +191,15 @@ def configure(conf): >+ >+ global gccdeps_flags >+ flags = conf.env.GCCDEPS_FLAGS or gccdeps_flags >++ if conf.env.ASM_NAME in supported_compilers: >++ try: >++ conf.check(fragment='', features='asm force_gccdeps', asflags=flags, compile_filename='test.S', msg='Checking for asm flags %r' % ''.join(flags)) >++ except Errors.ConfigurationError: >++ pass >++ else: >++ conf.env.append_value('ASFLAGS', flags) >++ conf.env.append_unique('ENABLE_GCCDEPS', 'asm') >++ >+ if conf.env.CC_NAME in supported_compilers: >+ try: >+ conf.check(fragment='int main() { return 0; }', features='c force_gccdeps', cflags=flags, msg='Checking for c flags %r' % ''.join(flags)) >+diff --git third_party/waf/waflib/extras/javatest.py third_party/waf/waflib/extras/javatest.py >+index 979b8d8242d..76d40edf250 100755 >+--- third_party/waf/waflib/extras/javatest.py >++++ third_party/waf/waflib/extras/javatest.py >+@@ -1,6 +1,6 @@ >+ #! /usr/bin/env python >+ # encoding: utf-8 >+-# Federico Pellegrin, 2017 (fedepell) >++# Federico Pellegrin, 2019 (fedepell) >+ >+ """ >+ Provides Java Unit test support using :py:class:`waflib.Tools.waf_unit_test.utest` >+@@ -11,6 +11,10 @@ standard waf unit test environment. It has been tested with TestNG and JUnit >+ but should be easily expandable to other frameworks given the flexibility of >+ ut_str provided by the standard waf unit test environment. >+ >++The extra takes care also of managing non-java dependencies (ie. C/C++ libraries >++using JNI or Python modules via JEP) and setting up the environment needed to run >++them. >++ >+ Example usage: >+ >+ def options(opt): >+@@ -20,15 +24,15 @@ def configure(conf): >+ conf.load('java javatest') >+ >+ def build(bld): >+- >++ >+ [ ... mainprog is built here ... ] >+ >+ bld(features = 'javac javatest', >+- srcdir = 'test/', >+- outdir = 'test', >++ srcdir = 'test/', >++ outdir = 'test', >+ sourcepath = ['test'], >+- classpath = [ 'src' ], >+- basedir = 'test', >++ classpath = [ 'src' ], >++ basedir = 'test', >+ use = ['JAVATEST', 'mainprog'], # mainprog is the program being tested in src/ >+ ut_str = 'java -cp ${CLASSPATH} ${JTRUNNER} ${SRC}', >+ jtest_source = bld.path.ant_glob('test/*.xml'), >+@@ -53,10 +57,107 @@ The runner class presence on the system is checked for at configuration stage. >+ """ >+ >+ import os >+-from waflib import Task, TaskGen, Options >++from waflib import Task, TaskGen, Options, Errors, Utils, Logs >++from waflib.Tools import ccroot >++ >++JAR_RE = '**/*' >++ >++def _process_use_rec(self, name): >++ """ >++ Recursively process ``use`` for task generator with name ``name``.. >++ Used by javatest_process_use. >++ """ >++ if name in self.javatest_use_not or name in self.javatest_use_seen: >++ return >++ try: >++ tg = self.bld.get_tgen_by_name(name) >++ except Errors.WafError: >++ self.javatest_use_not.add(name) >++ return >++ >++ self.javatest_use_seen.append(name) >++ tg.post() >++ >++ for n in self.to_list(getattr(tg, 'use', [])): >++ _process_use_rec(self, n) >++ >++@TaskGen.feature('javatest') >++@TaskGen.after_method('process_source', 'apply_link', 'use_javac_files') >++def javatest_process_use(self): >++ """ >++ Process the ``use`` attribute which contains a list of task generator names and store >++ paths that later is used to populate the unit test runtime environment. >++ """ >++ self.javatest_use_not = set() >++ self.javatest_use_seen = [] >++ self.javatest_libpaths = [] # strings or Nodes >++ self.javatest_pypaths = [] # strings or Nodes >++ self.javatest_dep_nodes = [] >++ >++ names = self.to_list(getattr(self, 'use', [])) >++ for name in names: >++ _process_use_rec(self, name) >++ >++ def extend_unique(lst, varlst): >++ ext = [] >++ for x in varlst: >++ if x not in lst: >++ ext.append(x) >++ lst.extend(ext) >++ >++ # Collect type specific info needed to construct a valid runtime environment >++ # for the test. >++ for name in self.javatest_use_seen: >++ tg = self.bld.get_tgen_by_name(name) >++ >++ # Python-Java embedding crosstools such as JEP >++ if 'py' in tg.features: >++ # Python dependencies are added to PYTHONPATH >++ pypath = getattr(tg, 'install_from', tg.path) >++ >++ if 'buildcopy' in tg.features: >++ # Since buildcopy is used we assume that PYTHONPATH in build should be used, >++ # not source >++ extend_unique(self.javatest_pypaths, [pypath.get_bld().abspath()]) >++ >++ # Add buildcopy output nodes to dependencies >++ extend_unique(self.javatest_dep_nodes, [o for task in getattr(tg, 'tasks', []) for o in getattr(task, 'outputs', [])]) >++ else: >++ # If buildcopy is not used, depend on sources instead >++ extend_unique(self.javatest_dep_nodes, tg.source) >++ extend_unique(self.javatest_pypaths, [pypath.abspath()]) >++ >++ >++ if getattr(tg, 'link_task', None): >++ # For tasks with a link_task (C, C++, D et.c.) include their library paths: >++ if not isinstance(tg.link_task, ccroot.stlink_task): >++ extend_unique(self.javatest_dep_nodes, tg.link_task.outputs) >++ extend_unique(self.javatest_libpaths, tg.link_task.env.LIBPATH) >++ >++ if 'pyext' in tg.features: >++ # If the taskgen is extending Python we also want to add the interpreter libpath. >++ extend_unique(self.javatest_libpaths, tg.link_task.env.LIBPATH_PYEXT) >++ else: >++ # Only add to libpath if the link task is not a Python extension >++ extend_unique(self.javatest_libpaths, [tg.link_task.outputs[0].parent.abspath()]) >++ >++ if 'javac' in tg.features or 'jar' in tg.features: >++ if hasattr(tg, 'jar_task'): >++ # For Java JAR tasks depend on generated JAR >++ extend_unique(self.javatest_dep_nodes, tg.jar_task.outputs) >++ else: >++ # For Java non-JAR ones we need to glob generated files (Java output files are not predictable) >++ if hasattr(tg, 'outdir'): >++ base_node = tg.outdir >++ else: >++ base_node = tg.path.get_bld() >++ >++ self.javatest_dep_nodes.extend([dx for dx in base_node.ant_glob(JAR_RE, remove=False, quiet=True)]) >++ >++ >+ >+ @TaskGen.feature('javatest') >+-@TaskGen.after_method('apply_java', 'use_javac_files', 'set_classpath') >++@TaskGen.after_method('apply_java', 'use_javac_files', 'set_classpath', 'javatest_process_use') >+ def make_javatest(self): >+ """ >+ Creates a ``utest`` task with a populated environment for Java Unit test execution >+@@ -65,6 +166,9 @@ def make_javatest(self): >+ tsk = self.create_task('utest') >+ tsk.set_run_after(self.javac_task) >+ >++ # Dependencies from recursive use analysis >++ tsk.dep_nodes.extend(self.javatest_dep_nodes) >++ >+ # Put test input files as waf_unit_test relies on that for some prints and log generation >+ # If jtest_source is there, this is specially useful for passing XML for TestNG >+ # that contain test specification, use that as inputs, otherwise test sources >+@@ -97,6 +201,21 @@ def make_javatest(self): >+ >+ if not hasattr(self, 'ut_env'): >+ self.ut_env = dict(os.environ) >++ def add_paths(var, lst): >++ # Add list of paths to a variable, lst can contain strings or nodes >++ lst = [ str(n) for n in lst ] >++ Logs.debug("ut: %s: Adding paths %s=%s", self, var, lst) >++ self.ut_env[var] = os.pathsep.join(lst) + os.pathsep + self.ut_env.get(var, '') >++ >++ add_paths('PYTHONPATH', self.javatest_pypaths) >++ >++ if Utils.is_win32: >++ add_paths('PATH', self.javatest_libpaths) >++ elif Utils.unversioned_sys_platform() == 'darwin': >++ add_paths('DYLD_LIBRARY_PATH', self.javatest_libpaths) >++ add_paths('LD_LIBRARY_PATH', self.javatest_libpaths) >++ else: >++ add_paths('LD_LIBRARY_PATH', self.javatest_libpaths) >+ >+ def configure(ctx): >+ cp = ctx.env.CLASSPATH or '.' >+diff --git third_party/waf/waflib/extras/msvc_pdb.py third_party/waf/waflib/extras/msvc_pdb.py >+new file mode 100644 >+index 00000000000..077656b4f7e >+--- /dev/null >++++ third_party/waf/waflib/extras/msvc_pdb.py >+@@ -0,0 +1,46 @@ >++#!/usr/bin/env python >++# encoding: utf-8 >++# Rafaël Kooi 2019 >++ >++from waflib import TaskGen >++ >++@TaskGen.feature('c', 'cxx', 'fc') >++@TaskGen.after_method('propagate_uselib_vars') >++def add_pdb_per_object(self): >++ """For msvc/fortran, specify a unique compile pdb per object, to work >++ around LNK4099. Flags are updated with a unique /Fd flag based on the >++ task output name. This is separate from the link pdb. >++ """ >++ if not hasattr(self, 'compiled_tasks'): >++ return >++ >++ link_task = getattr(self, 'link_task', None) >++ >++ for task in self.compiled_tasks: >++ if task.inputs and task.inputs[0].name.lower().endswith('.rc'): >++ continue >++ >++ add_pdb = False >++ for flagname in ('CFLAGS', 'CXXFLAGS', 'FCFLAGS'): >++ # several languages may be used at once >++ for flag in task.env[flagname]: >++ if flag[1:].lower() == 'zi': >++ add_pdb = True >++ break >++ >++ if add_pdb: >++ node = task.outputs[0].change_ext('.pdb') >++ pdb_flag = '/Fd:' + node.abspath() >++ >++ for flagname in ('CFLAGS', 'CXXFLAGS', 'FCFLAGS'): >++ buf = [pdb_flag] >++ for flag in task.env[flagname]: >++ if flag[1:3] == 'Fd' or flag[1:].lower() == 'fs' or flag[1:].lower() == 'mp': >++ continue >++ buf.append(flag) >++ task.env[flagname] = buf >++ >++ if link_task and not node in link_task.dep_nodes: >++ link_task.dep_nodes.append(node) >++ if not node in task.outputs: >++ task.outputs.append(node) >+diff --git third_party/waf/waflib/extras/pytest.py third_party/waf/waflib/extras/pytest.py >+index 7dd5a1a087a..fc9ad1c23e4 100644 >+--- third_party/waf/waflib/extras/pytest.py >++++ third_party/waf/waflib/extras/pytest.py >+@@ -40,6 +40,8 @@ the following environment variables for the `pytest` test runner: >+ >+ - `pytest_libpath` attribute is used to manually specify additional linker paths. >+ >++3. Java class search path (CLASSPATH) of any Java/Javalike dependency >++ >+ Note: `pytest` cannot automatically determine the correct `PYTHONPATH` for `pyext` taskgens >+ because the extension might be part of a Python package or used standalone: >+ >+@@ -119,6 +121,7 @@ def pytest_process_use(self): >+ self.pytest_use_seen = [] >+ self.pytest_paths = [] # strings or Nodes >+ self.pytest_libpaths = [] # strings or Nodes >++ self.pytest_javapaths = [] # strings or Nodes >+ self.pytest_dep_nodes = [] >+ >+ names = self.to_list(getattr(self, 'use', [])) >+@@ -157,6 +160,17 @@ def pytest_process_use(self): >+ extend_unique(self.pytest_dep_nodes, tg.source) >+ extend_unique(self.pytest_paths, [pypath.abspath()]) >+ >++ if 'javac' in tg.features: >++ # If a JAR is generated point to that, otherwise to directory >++ if getattr(tg, 'jar_task', None): >++ extend_unique(self.pytest_javapaths, [tg.jar_task.outputs[0].abspath()]) >++ else: >++ extend_unique(self.pytest_javapaths, [tg.path.get_bld()]) >++ >++ # And add respective dependencies if present >++ if tg.use_lst: >++ extend_unique(self.pytest_javapaths, tg.use_lst) >++ >+ if getattr(tg, 'link_task', None): >+ # For tasks with a link_task (C, C++, D et.c.) include their library paths: >+ if not isinstance(tg.link_task, ccroot.stlink_task): >+@@ -212,8 +226,9 @@ def make_pytest(self): >+ Logs.debug("ut: %s: Adding paths %s=%s", self, var, lst) >+ self.ut_env[var] = os.pathsep.join(lst) + os.pathsep + self.ut_env.get(var, '') >+ >+- # Prepend dependency paths to PYTHONPATH and LD_LIBRARY_PATH >++ # Prepend dependency paths to PYTHONPATH, CLASSPATH and LD_LIBRARY_PATH >+ add_paths('PYTHONPATH', self.pytest_paths) >++ add_paths('CLASSPATH', self.pytest_javapaths) >+ >+ if Utils.is_win32: >+ add_paths('PATH', self.pytest_libpaths) >+diff --git third_party/waf/waflib/extras/wafcache.py third_party/waf/waflib/extras/wafcache.py >+new file mode 100644 >+index 00000000000..8b9567faf14 >+--- /dev/null >++++ third_party/waf/waflib/extras/wafcache.py >+@@ -0,0 +1,524 @@ >++#! /usr/bin/env python >++# encoding: utf-8 >++# Thomas Nagy, 2019 (ita) >++ >++""" >++Filesystem-based cache system to share and re-use build artifacts >++ >++Cache access operations (copy to and from) are delegated to >++independent pre-forked worker subprocesses. >++ >++The following environment variables may be set: >++* WAFCACHE: several possibilities: >++ - File cache: >++ absolute path of the waf cache (~/.cache/wafcache_user, >++ where `user` represents the currently logged-in user) >++ - URL to a cache server, for example: >++ export WAFCACHE=http://localhost:8080/files/ >++ in that case, GET/POST requests are made to urls of the form >++ http://localhost:8080/files/000000000/0 (cache management is then up to the server) >++ - GCS or S3 bucket >++ gs://my-bucket/ >++ s3://my-bucket/ >++* WAFCACHE_NO_PUSH: if set, disables pushing to the cache >++* WAFCACHE_VERBOSITY: if set, displays more detailed cache operations >++ >++File cache specific options: >++ Files are copied using hard links by default; if the cache is located >++ onto another partition, the system switches to file copies instead. >++* WAFCACHE_TRIM_MAX_FOLDER: maximum amount of tasks to cache (1M) >++* WAFCACHE_EVICT_MAX_BYTES: maximum amount of cache size in bytes (10GB) >++* WAFCACHE_EVICT_INTERVAL_MINUTES: minimum time interval to try >++ and trim the cache (3 minutess) >++Usage:: >++ >++ def build(bld): >++ bld.load('wafcache') >++ ... >++ >++To troubleshoot:: >++ >++ waf clean build --zones=wafcache >++""" >++ >++import atexit, base64, errno, fcntl, getpass, os, shutil, sys, time, traceback, urllib3 >++try: >++ import subprocess32 as subprocess >++except ImportError: >++ import subprocess >++ >++base_cache = os.path.expanduser('~/.cache/') >++if not os.path.isdir(base_cache): >++ base_cache = '/tmp/' >++default_wafcache_dir = os.path.join(base_cache, 'wafcache_' + getpass.getuser()) >++ >++CACHE_DIR = os.environ.get('WAFCACHE', default_wafcache_dir) >++TRIM_MAX_FOLDERS = int(os.environ.get('WAFCACHE_TRIM_MAX_FOLDER', 1000000)) >++EVICT_INTERVAL_MINUTES = int(os.environ.get('WAFCACHE_EVICT_INTERVAL_MINUTES', 3)) >++EVICT_MAX_BYTES = int(os.environ.get('WAFCACHE_EVICT_MAX_BYTES', 10**10)) >++WAFCACHE_NO_PUSH = 1 if os.environ.get('WAFCACHE_NO_PUSH') else 0 >++WAFCACHE_VERBOSITY = 1 if os.environ.get('WAFCACHE_VERBOSITY') else 0 >++OK = "ok" >++ >++try: >++ import cPickle >++except ImportError: >++ import pickle as cPickle >++ >++if __name__ != '__main__': >++ from waflib import Task, Logs, Utils, Build >++ >++def can_retrieve_cache(self): >++ """ >++ New method for waf Task classes >++ """ >++ if not self.outputs: >++ return False >++ >++ self.cached = False >++ >++ sig = self.signature() >++ ssig = Utils.to_hex(self.uid() + sig) >++ >++ files_to = [node.abspath() for node in self.outputs] >++ err = cache_command(ssig, [], files_to) >++ if err.startswith(OK): >++ if WAFCACHE_VERBOSITY: >++ Logs.pprint('CYAN', ' Fetched %r from cache' % files_to) >++ else: >++ Logs.debug('wafcache: fetched %r from cache', files_to) >++ else: >++ if WAFCACHE_VERBOSITY: >++ Logs.pprint('YELLOW', ' No cache entry %s' % files_to) >++ else: >++ Logs.debug('wafcache: No cache entry %s: %s', files_to, err) >++ return False >++ >++ self.cached = True >++ return True >++ >++def put_files_cache(self): >++ """ >++ New method for waf Task classes >++ """ >++ if WAFCACHE_NO_PUSH or getattr(self, 'cached', None) or not self.outputs: >++ return >++ >++ bld = self.generator.bld >++ sig = self.signature() >++ ssig = Utils.to_hex(self.uid() + sig) >++ >++ files_from = [node.abspath() for node in self.outputs] >++ err = cache_command(ssig, files_from, []) >++ >++ if err.startswith(OK): >++ if WAFCACHE_VERBOSITY: >++ Logs.pprint('CYAN', ' Successfully uploaded %s to cache' % files_from) >++ else: >++ Logs.debug('wafcache: Successfully uploaded %r to cache', files_from) >++ else: >++ if WAFCACHE_VERBOSITY: >++ Logs.pprint('RED', ' Error caching step results %s: %s' % (files_from, err)) >++ else: >++ Logs.debug('wafcache: Error caching results %s: %s', files_from, err) >++ >++ bld.task_sigs[self.uid()] = self.cache_sig >++ >++def hash_env_vars(self, env, vars_lst): >++ """ >++ Reimplement BuildContext.hash_env_vars so that the resulting hash does not depend on local paths >++ """ >++ if not env.table: >++ env = env.parent >++ if not env: >++ return Utils.SIG_NIL >++ >++ idx = str(id(env)) + str(vars_lst) >++ try: >++ cache = self.cache_env >++ except AttributeError: >++ cache = self.cache_env = {} >++ else: >++ try: >++ return self.cache_env[idx] >++ except KeyError: >++ pass >++ >++ v = str([env[a] for a in vars_lst]) >++ v = v.replace(self.srcnode.abspath().__repr__()[:-1], '') >++ m = Utils.md5() >++ m.update(v.encode()) >++ ret = m.digest() >++ >++ Logs.debug('envhash: %r %r', ret, v) >++ >++ cache[idx] = ret >++ >++ return ret >++ >++def uid(self): >++ """ >++ Reimplement Task.uid() so that the signature does not depend on local paths >++ """ >++ try: >++ return self.uid_ >++ except AttributeError: >++ m = Utils.md5() >++ src = self.generator.bld.srcnode >++ up = m.update >++ up(self.__class__.__name__.encode()) >++ for x in self.inputs + self.outputs: >++ up(x.path_from(src).encode()) >++ self.uid_ = m.digest() >++ return self.uid_ >++ >++ >++def make_cached(cls): >++ """ >++ Enable the waf cache for a given task class >++ """ >++ if getattr(cls, 'nocache', None) or getattr(cls, 'has_cache', False): >++ return >++ >++ m1 = getattr(cls, 'run', None) >++ def run(self): >++ if getattr(self, 'nocache', False): >++ return m1(self) >++ if self.can_retrieve_cache(): >++ return 0 >++ return m1(self) >++ cls.run = run >++ >++ m2 = getattr(cls, 'post_run', None) >++ def post_run(self): >++ if getattr(self, 'nocache', False): >++ return m2(self) >++ ret = m2(self) >++ self.put_files_cache() >++ if hasattr(self, 'chmod'): >++ for node in self.outputs: >++ os.chmod(node.abspath(), self.chmod) >++ return ret >++ cls.post_run = post_run >++ cls.has_cache = True >++ >++process_pool = [] >++def get_process(): >++ """ >++ Returns a worker process that can process waf cache commands >++ The worker process is assumed to be returned to the process pool when unused >++ """ >++ try: >++ return process_pool.pop() >++ except IndexError: >++ filepath = os.path.dirname(os.path.abspath(__file__)) + os.sep + 'wafcache.py' >++ cmd = [sys.executable, '-c', Utils.readf(filepath)] >++ return subprocess.Popen(cmd, stdout=subprocess.PIPE, stdin=subprocess.PIPE, bufsize=0) >++ >++def atexit_pool(): >++ for k in process_pool: >++ try: >++ os.kill(k.pid, 9) >++ except OSError: >++ pass >++ else: >++ k.wait() >++atexit.register(atexit_pool) >++ >++def build(bld): >++ """ >++ Called during the build process to enable file caching >++ """ >++ if process_pool: >++ # already called once >++ return >++ >++ for x in range(bld.jobs): >++ process_pool.append(get_process()) >++ >++ Task.Task.can_retrieve_cache = can_retrieve_cache >++ Task.Task.put_files_cache = put_files_cache >++ Task.Task.uid = uid >++ Build.BuildContext.hash_env_vars = hash_env_vars >++ for x in reversed(list(Task.classes.values())): >++ make_cached(x) >++ >++def cache_command(sig, files_from, files_to): >++ """ >++ Create a command for cache worker processes, returns a pickled >++ base64-encoded tuple containing the task signature, a list of files to >++ cache and a list of files files to get from cache (one of the lists >++ is assumed to be empty) >++ """ >++ proc = get_process() >++ >++ obj = base64.b64encode(cPickle.dumps([sig, files_from, files_to])) >++ proc.stdin.write(obj) >++ proc.stdin.write('\n'.encode()) >++ proc.stdin.flush() >++ obj = proc.stdout.readline() >++ if not obj: >++ raise OSError('Preforked sub-process %r died' % proc.pid) >++ process_pool.append(proc) >++ return cPickle.loads(base64.b64decode(obj)) >++ >++try: >++ copyfun = os.link >++except NameError: >++ copyfun = shutil.copy2 >++ >++def atomic_copy(orig, dest): >++ """ >++ Copy files to the cache, the operation is atomic for a given file >++ """ >++ global copyfun >++ tmp = dest + '.tmp' >++ up = os.path.dirname(dest) >++ try: >++ os.makedirs(up) >++ except OSError: >++ pass >++ >++ try: >++ copyfun(orig, tmp) >++ except OSError as e: >++ if e.errno == errno.EXDEV: >++ copyfun = shutil.copy2 >++ copyfun(orig, tmp) >++ else: >++ raise >++ os.rename(tmp, dest) >++ >++def lru_trim(): >++ """ >++ the cache folders take the form: >++ `CACHE_DIR/0b/0b180f82246d726ece37c8ccd0fb1cde2650d7bfcf122ec1f169079a3bfc0ab9` >++ they are listed in order of last access, and then removed >++ until the amount of folders is within TRIM_MAX_FOLDERS and the total space >++ taken by files is less than EVICT_MAX_BYTES >++ """ >++ lst = [] >++ for up in os.listdir(CACHE_DIR): >++ if len(up) == 2: >++ sub = os.path.join(CACHE_DIR, up) >++ for hval in os.listdir(sub): >++ path = os.path.join(sub, hval) >++ >++ size = 0 >++ for fname in os.listdir(path): >++ size += os.lstat(os.path.join(path, fname)).st_size >++ lst.append((os.stat(path).st_mtime, size, path)) >++ >++ lst.sort(key=lambda x: x[0]) >++ lst.reverse() >++ >++ tot = sum(x[1] for x in lst) >++ while tot > EVICT_MAX_BYTES or len(lst) > TRIM_MAX_FOLDERS: >++ _, tmp_size, path = lst.pop() >++ tot -= tmp_size >++ >++ tmp = path + '.tmp' >++ try: >++ shutil.rmtree(tmp) >++ except OSError: >++ pass >++ try: >++ os.rename(path, tmp) >++ except OSError: >++ sys.stderr.write('Could not rename %r to %r' % (path, tmp)) >++ else: >++ try: >++ shutil.rmtree(tmp) >++ except OSError: >++ sys.stderr.write('Could not remove %r' % tmp) >++ sys.stderr.write("Cache trimmed: %r bytes in %r folders left\n" % (tot, len(lst))) >++ >++ >++def lru_evict(): >++ """ >++ Reduce the cache size >++ """ >++ lockfile = os.path.join(CACHE_DIR, 'all.lock') >++ try: >++ st = os.stat(lockfile) >++ except EnvironmentError as e: >++ if e.errno == errno.ENOENT: >++ with open(lockfile, 'w') as f: >++ f.write('') >++ return >++ else: >++ raise >++ >++ if st.st_mtime < time.time() - EVICT_INTERVAL_MINUTES * 60: >++ # check every EVICT_INTERVAL_MINUTES minutes if the cache is too big >++ # OCLOEXEC is unnecessary because no processes are spawned >++ fd = os.open(lockfile, os.O_RDWR | os.O_CREAT, 0o755) >++ try: >++ try: >++ fcntl.flock(fd, fcntl.LOCK_EX | fcntl.LOCK_NB) >++ except EnvironmentError: >++ sys.stderr.write('another process is running!\n') >++ pass >++ else: >++ # now dow the actual cleanup >++ lru_trim() >++ os.utime(lockfile, None) >++ finally: >++ os.close(fd) >++ >++class netcache(object): >++ def __init__(self): >++ self.http = urllib3.PoolManager() >++ >++ def url_of(self, sig, i): >++ return "%s/%s/%s" % (CACHE_DIR, sig, i) >++ >++ def upload(self, file_path, sig, i): >++ url = self.url_of(sig, i) >++ with open(file_path, 'rb') as f: >++ file_data = f.read() >++ r = self.http.request('POST', url, timeout=60, >++ fields={ 'file': ('%s/%s' % (sig, i), file_data), }) >++ if r.status >= 400: >++ raise OSError("Invalid status %r %r" % (url, r.status)) >++ >++ def download(self, file_path, sig, i): >++ url = self.url_of(sig, i) >++ with self.http.request('GET', url, preload_content=False, timeout=60) as inf: >++ if inf.status >= 400: >++ raise OSError("Invalid status %r %r" % (url, inf.status)) >++ with open(file_path, 'wb') as out: >++ shutil.copyfileobj(inf, out) >++ >++ def copy_to_cache(self, sig, files_from, files_to): >++ try: >++ for i, x in enumerate(files_from): >++ if not os.path.islink(x): >++ self.upload(x, sig, i) >++ except Exception: >++ return traceback.format_exc() >++ return OK >++ >++ def copy_from_cache(self, sig, files_from, files_to): >++ try: >++ for i, x in enumerate(files_to): >++ self.download(x, sig, i) >++ except Exception: >++ return traceback.format_exc() >++ return OK >++ >++class fcache(object): >++ def __init__(self): >++ if not os.path.exists(CACHE_DIR): >++ os.makedirs(CACHE_DIR) >++ if not os.path.exists(CACHE_DIR): >++ raise ValueError('Could not initialize the cache directory') >++ >++ def copy_to_cache(self, sig, files_from, files_to): >++ """ >++ Copy files to the cache, existing files are overwritten, >++ and the copy is atomic only for a given file, not for all files >++ that belong to a given task object >++ """ >++ try: >++ for i, x in enumerate(files_from): >++ dest = os.path.join(CACHE_DIR, sig[:2], sig, str(i)) >++ atomic_copy(x, dest) >++ except Exception: >++ return traceback.format_exc() >++ else: >++ # attempt trimming if caching was successful: >++ # we may have things to trim! >++ lru_evict() >++ return OK >++ >++ def copy_from_cache(self, sig, files_from, files_to): >++ """ >++ Copy files from the cache >++ """ >++ try: >++ for i, x in enumerate(files_to): >++ orig = os.path.join(CACHE_DIR, sig[:2], sig, str(i)) >++ atomic_copy(orig, x) >++ >++ # success! update the cache time >++ os.utime(os.path.join(CACHE_DIR, sig[:2], sig), None) >++ except Exception: >++ return traceback.format_exc() >++ return OK >++ >++class bucket_cache(object): >++ def bucket_copy(self, source, target): >++ if CACHE_DIR.startswith('s3://'): >++ cmd = ['aws', 's3', 'cp', source, target] >++ else: >++ cmd = ['gsutil', 'cp', source, target] >++ proc = subprocess.Popen(cmd, stdout=subprocess.PIPE, stderr=subprocess.PIPE) >++ out, err = proc.communicate() >++ if proc.returncode: >++ raise OSError('Error copy %r to %r using: %r (exit %r):\n out:%s\n err:%s' % ( >++ source, target, cmd, proc.returncode, out.decode(), err.decode())) >++ >++ def copy_to_cache(self, sig, files_from, files_to): >++ try: >++ for i, x in enumerate(files_from): >++ dest = os.path.join(CACHE_DIR, sig[:2], sig, str(i)) >++ self.bucket_copy(x, dest) >++ except Exception: >++ return traceback.format_exc() >++ return OK >++ >++ def copy_from_cache(self, sig, files_from, files_to): >++ try: >++ for i, x in enumerate(files_to): >++ orig = os.path.join(CACHE_DIR, sig[:2], sig, str(i)) >++ self.bucket_copy(orig, x) >++ except EnvironmentError: >++ return traceback.format_exc() >++ return OK >++ >++def loop(service): >++ """ >++ This function is run when this file is run as a standalone python script, >++ it assumes a parent process that will communicate the commands to it >++ as pickled-encoded tuples (one line per command) >++ >++ The commands are to copy files to the cache or copy files from the >++ cache to a target destination >++ """ >++ # one operation is performed at a single time by a single process >++ # therefore stdin never has more than one line >++ txt = sys.stdin.readline().strip() >++ if not txt: >++ # parent process probably ended >++ sys.exit(1) >++ ret = OK >++ >++ [sig, files_from, files_to] = cPickle.loads(base64.b64decode(txt)) >++ if files_from: >++ # TODO return early when pushing files upstream >++ ret = service.copy_to_cache(sig, files_from, files_to) >++ elif files_to: >++ # the build process waits for workers to (possibly) obtain files from the cache >++ ret = service.copy_from_cache(sig, files_from, files_to) >++ else: >++ ret = "Invalid command" >++ >++ obj = base64.b64encode(cPickle.dumps(ret)) >++ sys.stdout.write(obj.decode()) >++ sys.stdout.write('\n') >++ sys.stdout.flush() >++ >++if __name__ == '__main__': >++ if CACHE_DIR.startswith('s3://') or CACHE_DIR.startswith('gs://'): >++ service = bucket_cache() >++ elif CACHE_DIR.startswith('http'): >++ service = netcache() >++ else: >++ service = fcache() >++ while 1: >++ try: >++ loop(service) >++ except KeyboardInterrupt: >++ break >++ >+-- >+2.37.3 >+ >diff --git a/net/samba413/files/patch-waf-2.0.21 b/net/samba413/files/patch-waf-2.0.21 >new file mode 100644 >index 000000000000..01b2d6e6cafe >--- /dev/null >+++ b/net/samba413/files/patch-waf-2.0.21 >@@ -0,0 +1,703 @@ >+From 6718b5e6d059e5668fc538be802ebd9fbe5ce9af Mon Sep 17 00:00:00 2001 >+From: Stefan Metzmacher <metze@samba.org> >+Date: Wed, 25 Nov 2020 16:29:06 +0100 >+Subject: [PATCH] waf: upgrade to 2.0.21 >+ >+This commit message was wrong: >+ >+ commit 5fc3a71d0f54b176d3cb2e399718d0468507e797 >+ Author: David Mulder <dmulder@suse.com> >+ Date: Mon Aug 24 13:12:46 2020 -0600 >+ >+ waf: upgrade to 2.0.20 >+ >+ This contain an important change: >+ "Fix gccdeps.scan() returning nodes that no longer exist on disk." >+ https://gitlab.com/ita1024/waf/-/merge_requests/2293 >+ >+ Signed-off-by: David Mulder <dmulder@suse.com> >+ Reviewed-by: Stefan Metzmacher <metze@samba.org> >+Reviewed-by: Andrew Bartlett <abartlet@samba.org> >+ >+The fix was in in waf master, but not included in 2.0.20, >+but it's now included in 2.0.21. >+ >+Signed-off-by: Stefan Metzmacher <metze@samba.org> >+Reviewed-by: Andrew Bartlett <abartlet@samba.org> >+--- >+ buildtools/bin/waf | 2 +- >+ buildtools/wafsamba/wafsamba.py | 2 +- >+ third_party/waf/waflib/Build.py | 6 ++- >+ third_party/waf/waflib/Context.py | 8 ++-- >+ third_party/waf/waflib/Tools/asm.py | 5 +- >+ third_party/waf/waflib/Tools/c_config.py | 1 + >+ third_party/waf/waflib/Tools/msvc.py | 8 +++- >+ third_party/waf/waflib/Tools/qt5.py | 26 +++++++++-- >+ third_party/waf/waflib/Tools/waf_unit_test.py | 10 +++- >+ third_party/waf/waflib/extras/boost.py | 5 +- >+ .../waf/waflib/extras/c_dumbpreproc.py | 2 +- >+ third_party/waf/waflib/extras/doxygen.py | 4 +- >+ .../waf/waflib/extras/file_to_object.py | 9 +++- >+ third_party/waf/waflib/extras/gccdeps.py | 21 +++++++-- >+ third_party/waf/waflib/extras/msvcdeps.py | 27 +++++++++-- >+ third_party/waf/waflib/extras/pch.py | 4 +- >+ third_party/waf/waflib/extras/sphinx.py | 40 ++++++++++++---- >+ third_party/waf/waflib/extras/wafcache.py | 46 +++++++++++++++---- >+ third_party/waf/waflib/extras/xcode6.py | 18 ++++---- >+ 19 files changed, 181 insertions(+), 63 deletions(-) >+ >+diff --git buildtools/bin/waf buildtools/bin/waf >+index feabe25d131..041450fc131 100755 >+--- buildtools/bin/waf >++++ buildtools/bin/waf >+@@ -32,7 +32,7 @@ POSSIBILITY OF SUCH DAMAGE. >+ >+ import os, sys, inspect >+ >+-VERSION="2.0.20" >++VERSION="2.0.21" >+ REVISION="x" >+ GIT="x" >+ INSTALL="x" >+diff --git buildtools/wafsamba/wafsamba.py buildtools/wafsamba/wafsamba.py >+index 9dd6d05b91b..d1baa3b4940 100644 >+--- buildtools/wafsamba/wafsamba.py >++++ buildtools/wafsamba/wafsamba.py >+@@ -38,7 +38,7 @@ LIB_PATH="shared" >+ >+ os.environ['PYTHONUNBUFFERED'] = '1' >+ >+-if Context.HEXVERSION not in (0x2001400,): >++if Context.HEXVERSION not in (0x2001500,): >+ Logs.error(''' >+ Please use the version of waf that comes with Samba, not >+ a system installed version. See http://wiki.samba.org/index.php/Waf >+diff --git third_party/waf/waflib/Build.py third_party/waf/waflib/Build.py >+index 39f0991918b..52837618577 100644 >+--- third_party/waf/waflib/Build.py >++++ third_party/waf/waflib/Build.py >+@@ -753,10 +753,12 @@ class BuildContext(Context.Context): >+ else: >+ ln = self.launch_node() >+ if ln.is_child_of(self.bldnode): >+- Logs.warn('Building from the build directory, forcing --targets=*') >++ if Logs.verbose > 1: >++ Logs.warn('Building from the build directory, forcing --targets=*') >+ ln = self.srcnode >+ elif not ln.is_child_of(self.srcnode): >+- Logs.warn('CWD %s is not under %s, forcing --targets=* (run distclean?)', ln.abspath(), self.srcnode.abspath()) >++ if Logs.verbose > 1: >++ Logs.warn('CWD %s is not under %s, forcing --targets=* (run distclean?)', ln.abspath(), self.srcnode.abspath()) >+ ln = self.srcnode >+ >+ def is_post(tg, ln): >+diff --git third_party/waf/waflib/Context.py third_party/waf/waflib/Context.py >+index 3f1b4fa48ab..0ce9df6e91f 100644 >+--- third_party/waf/waflib/Context.py >++++ third_party/waf/waflib/Context.py >+@@ -18,13 +18,13 @@ else: >+ import imp >+ >+ # the following 3 constants are updated on each new release (do not touch) >+-HEXVERSION=0x2001400 >++HEXVERSION=0x2001500 >+ """Constant updated on new releases""" >+ >+-WAFVERSION="2.0.20" >++WAFVERSION="2.0.21" >+ """Constant updated on new releases""" >+ >+-WAFREVISION="668769470956da8c5b60817cb8884cd7d0f87cd4" >++WAFREVISION="edde20a6425a5c3eb6b47d5f3f5c4fbc93fed5f4" >+ """Git revision when the waf version is updated""" >+ >+ WAFNAME="waf" >+@@ -530,7 +530,7 @@ class Context(ctx): >+ """ >+ Prints a configuration message of the form ``msg: result``. >+ The second part of the message will be in colors. The output >+- can be disabled easly by setting ``in_msg`` to a positive value:: >++ can be disabled easily by setting ``in_msg`` to a positive value:: >+ >+ def configure(conf): >+ self.in_msg = 1 >+diff --git third_party/waf/waflib/Tools/asm.py third_party/waf/waflib/Tools/asm.py >+index a57e83bb5ec..1d34ddaca7f 100644 >+--- third_party/waf/waflib/Tools/asm.py >++++ third_party/waf/waflib/Tools/asm.py >+@@ -56,13 +56,11 @@ class asm(Task.Task): >+ Compiles asm files by gas/nasm/yasm/... >+ """ >+ color = 'BLUE' >+- run_str = '${AS} ${ASFLAGS} ${ASMPATH_ST:INCPATHS} ${DEFINES_ST:DEFINES} ${AS_SRC_F}${SRC} ${AS_TGT_F}${TGT}' >++ run_str = '${AS} ${ASFLAGS} ${ASMPATH_ST:INCPATHS} ${ASMDEFINES_ST:DEFINES} ${AS_SRC_F}${SRC} ${AS_TGT_F}${TGT}' >+ >+ def scan(self): >+ if self.env.ASM_NAME == 'gas': >+ return c_preproc.scan(self) >+- Logs.warn('There is no dependency scanner for Nasm!') >+- return [[], []] >+ elif self.env.ASM_NAME == 'nasm': >+ Logs.warn('The Nasm dependency scanner is incomplete!') >+ >+@@ -106,3 +104,4 @@ class asmstlib(stlink_task): >+ >+ def configure(conf): >+ conf.env.ASMPATH_ST = '-I%s' >++ conf.env.ASMDEFINES_ST = '-D%s' >+diff --git third_party/waf/waflib/Tools/c_config.py third_party/waf/waflib/Tools/c_config.py >+index 98187fac2e2..03b6bf61bc0 100644 >+--- third_party/waf/waflib/Tools/c_config.py >++++ third_party/waf/waflib/Tools/c_config.py >+@@ -68,6 +68,7 @@ MACRO_TO_DEST_CPU = { >+ '__s390__' : 's390', >+ '__sh__' : 'sh', >+ '__xtensa__' : 'xtensa', >++'__e2k__' : 'e2k', >+ } >+ >+ @conf >+diff --git third_party/waf/waflib/Tools/msvc.py third_party/waf/waflib/Tools/msvc.py >+index f169c7f441b..37233be8242 100644 >+--- third_party/waf/waflib/Tools/msvc.py >++++ third_party/waf/waflib/Tools/msvc.py >+@@ -99,7 +99,13 @@ all_icl_platforms = [ ('intel64', 'amd64'), ('em64t', 'amd64'), ('ia32', 'x86'), >+ """List of icl platforms""" >+ >+ def options(opt): >+- opt.add_option('--msvc_version', type='string', help = 'msvc version, eg: "msvc 10.0,msvc 9.0"', default='') >++ default_ver = '' >++ vsver = os.getenv('VSCMD_VER') >++ if vsver: >++ m = re.match(r'(^\d+\.\d+).*', vsver) >++ if m: >++ default_ver = 'msvc %s' % m.group(1) >++ opt.add_option('--msvc_version', type='string', help = 'msvc version, eg: "msvc 10.0,msvc 9.0"', default=default_ver) >+ opt.add_option('--msvc_targets', type='string', help = 'msvc targets, eg: "x64,arm"', default='') >+ opt.add_option('--no-msvc-lazy', action='store_false', help = 'lazily check msvc target environments', default=True, dest='msvc_lazy') >+ >+diff --git third_party/waf/waflib/Tools/qt5.py third_party/waf/waflib/Tools/qt5.py >+index 99e021bae61..cff2028174f 100644 >+--- third_party/waf/waflib/Tools/qt5.py >++++ third_party/waf/waflib/Tools/qt5.py >+@@ -57,7 +57,23 @@ A few options (--qt{dir,bin,...}) and environment variables >+ (QT5_{ROOT,DIR,MOC,UIC,XCOMPILE}) allow finer tuning of the tool, >+ tool path selection, etc; please read the source for more info. >+ >+-The detection uses pkg-config on Linux by default. To force static library detection use: >++The detection uses pkg-config on Linux by default. The list of >++libraries to be requested to pkg-config is formulated by scanning >++in the QTLIBS directory (that can be passed via --qtlibs or by >++setting the environment variable QT5_LIBDIR otherwise is derived >++by querying qmake for QT_INSTALL_LIBS directory) for shared/static >++libraries present. >++Alternatively the list of libraries to be requested via pkg-config >++can be set using the qt5_vars attribute, ie: >++ >++ conf.qt5_vars = ['Qt5Core', 'Qt5Gui', 'Qt5Widgets', 'Qt5Test']; >++ >++This can speed up configuration phase if needed libraries are >++known beforehand, can improve detection on systems with a >++sparse QT5 libraries installation (ie. NIX) and can improve >++detection of some header-only Qt modules (ie. Qt5UiPlugin). >++ >++To force static library detection use: >+ QT5_XCOMPILE=1 QT5_FORCE_STATIC=1 waf configure >+ """ >+ >+@@ -466,6 +482,9 @@ def configure(self): >+ >+ The detection uses the program ``pkg-config`` through :py:func:`waflib.Tools.config_c.check_cfg` >+ """ >++ if 'COMPILER_CXX' not in self.env: >++ self.fatal('No CXX compiler defined: did you forget to configure compiler_cxx first?') >++ >+ self.find_qt5_binaries() >+ self.set_qt5_libs_dir() >+ self.set_qt5_libs_to_check() >+@@ -478,9 +497,6 @@ def configure(self): >+ if not has_xml: >+ Logs.error('No xml.sax support was found, rcc dependencies will be incomplete!') >+ >+- if 'COMPILER_CXX' not in self.env: >+- self.fatal('No CXX compiler defined: did you forget to configure compiler_cxx first?') >+- >+ # Qt5 may be compiled with '-reduce-relocations' which requires dependent programs to have -fPIE or -fPIC? >+ frag = '#include <QMap>\nint main(int argc, char **argv) {QMap<int,int> m;return m.keys().size();}\n' >+ uses = 'QT5CORE' >+@@ -637,7 +653,7 @@ def set_qt5_libs_dir(self): >+ except Errors.WafError: >+ qtdir = self.cmd_and_log(env.QMAKE + ['-query', 'QT_INSTALL_PREFIX']).strip() >+ qtlibs = os.path.join(qtdir, 'lib') >+- self.msg('Found the Qt5 libraries in', qtlibs) >++ self.msg('Found the Qt5 library path', qtlibs) >+ env.QTLIBS = qtlibs >+ >+ @conf >+diff --git third_party/waf/waflib/Tools/waf_unit_test.py third_party/waf/waflib/Tools/waf_unit_test.py >+index 6ff6f72739f..dc66fe9c184 100644 >+--- third_party/waf/waflib/Tools/waf_unit_test.py >++++ third_party/waf/waflib/Tools/waf_unit_test.py >+@@ -97,6 +97,7 @@ def make_interpreted_test(self): >+ if isinstance(v, str): >+ v = v.split(os.pathsep) >+ self.ut_env[k] = os.pathsep.join(p + v) >++ self.env.append_value('UT_DEPS', ['%r%r' % (key, self.ut_env[key]) for key in self.ut_env]) >+ >+ @feature('test') >+ @after_method('apply_link', 'process_use') >+@@ -108,7 +109,8 @@ def make_test(self): >+ tsk = self.create_task('utest', self.link_task.outputs) >+ if getattr(self, 'ut_str', None): >+ self.ut_run, lst = Task.compile_fun(self.ut_str, shell=getattr(self, 'ut_shell', False)) >+- tsk.vars = lst + tsk.vars >++ tsk.vars = tsk.vars + lst >++ self.env.append_value('UT_DEPS', self.ut_str) >+ >+ self.handle_ut_cwd('ut_cwd') >+ >+@@ -139,6 +141,10 @@ def make_test(self): >+ if not hasattr(self, 'ut_cmd'): >+ self.ut_cmd = getattr(Options.options, 'testcmd', False) >+ >++ self.env.append_value('UT_DEPS', str(self.ut_cmd)) >++ self.env.append_value('UT_DEPS', self.ut_paths) >++ self.env.append_value('UT_DEPS', ['%r%r' % (key, self.ut_env[key]) for key in self.ut_env]) >++ >+ @taskgen_method >+ def add_test_results(self, tup): >+ """Override and return tup[1] to interrupt the build immediately if a test does not run""" >+@@ -159,7 +165,7 @@ class utest(Task.Task): >+ """ >+ color = 'PINK' >+ after = ['vnum', 'inst'] >+- vars = [] >++ vars = ['UT_DEPS'] >+ >+ def runnable_status(self): >+ """ >+diff --git third_party/waf/waflib/extras/boost.py third_party/waf/waflib/extras/boost.py >+index c2aaaa938a2..93b312a1e6e 100644 >+--- third_party/waf/waflib/extras/boost.py >++++ third_party/waf/waflib/extras/boost.py >+@@ -270,10 +270,12 @@ def boost_get_libs(self, *k, **kw): >+ return file >+ return None >+ >++ # extensions from Tools.ccroot.lib_patterns >++ wo_ext = re.compile(r"\.(a|so|lib|dll|dylib)(\.[0-9\.]+)?$") >+ def format_lib_name(name): >+ if name.startswith('lib') and self.env.CC_NAME != 'msvc': >+ name = name[3:] >+- return name[:name.rfind('.')] >++ return wo_ext.sub("", name) >+ >+ def match_libs(lib_names, is_static): >+ libs = [] >+@@ -522,4 +524,3 @@ def install_boost(self): >+ except: >+ continue >+ install_boost.done = False >+- >+diff --git third_party/waf/waflib/extras/c_dumbpreproc.py third_party/waf/waflib/extras/c_dumbpreproc.py >+index ce9e1a400b9..1fdd5c364ae 100644 >+--- third_party/waf/waflib/extras/c_dumbpreproc.py >++++ third_party/waf/waflib/extras/c_dumbpreproc.py >+@@ -66,7 +66,7 @@ class dumb_parser(parser): >+ if x == c_preproc.POPFILE: >+ self.currentnode_stack.pop() >+ continue >+- self.tryfind(y) >++ self.tryfind(y, env=env) >+ >+ c_preproc.c_parser = dumb_parser >+ >+diff --git third_party/waf/waflib/extras/doxygen.py third_party/waf/waflib/extras/doxygen.py >+index de75bc2738a..0fda70361f3 100644 >+--- third_party/waf/waflib/extras/doxygen.py >++++ third_party/waf/waflib/extras/doxygen.py >+@@ -208,10 +208,10 @@ def process_doxy(self): >+ self.bld.fatal('doxygen file %s not found' % self.doxyfile) >+ >+ # the task instance >+- dsk = self.create_task('doxygen', node) >++ dsk = self.create_task('doxygen', node, always_run=getattr(self, 'always', False)) >+ >+ if getattr(self, 'doxy_tar', None): >+- tsk = self.create_task('tar') >++ tsk = self.create_task('tar', always_run=getattr(self, 'always', False)) >+ tsk.input_tasks = [dsk] >+ tsk.set_outputs(self.path.find_or_declare(self.doxy_tar)) >+ if self.doxy_tar.endswith('bz2'): >+diff --git third_party/waf/waflib/extras/file_to_object.py third_party/waf/waflib/extras/file_to_object.py >+index 1393b511d63..13d2aef37df 100644 >+--- third_party/waf/waflib/extras/file_to_object.py >++++ third_party/waf/waflib/extras/file_to_object.py >+@@ -31,7 +31,7 @@ Known issues: >+ >+ """ >+ >+-import os >++import os, sys >+ from waflib import Task, TaskGen, Errors >+ >+ def filename_c_escape(x): >+@@ -95,12 +95,17 @@ class file_to_object_c(Task.Task): >+ >+ name = "_binary_" + "".join(name) >+ >++ def char_to_num(ch): >++ if sys.version_info[0] < 3: >++ return ord(ch) >++ return ch >++ >+ data = self.inputs[0].read('rb') >+ lines, line = [], [] >+ for idx_byte, byte in enumerate(data): >+ line.append(byte) >+ if len(line) > 15 or idx_byte == size-1: >+- lines.append(", ".join(("0x%02x" % ord(x)) for x in line)) >++ lines.append(", ".join(("0x%02x" % char_to_num(x)) for x in line)) >+ line = [] >+ data = ",\n ".join(lines) >+ >+diff --git third_party/waf/waflib/extras/gccdeps.py third_party/waf/waflib/extras/gccdeps.py >+index c3a809e252a..1fc9373489a 100644 >+--- third_party/waf/waflib/extras/gccdeps.py >++++ third_party/waf/waflib/extras/gccdeps.py >+@@ -163,10 +163,25 @@ def post_run(self): >+ def sig_implicit_deps(self): >+ if not self.__class__.__name__ in self.env.ENABLE_GCCDEPS: >+ return super(self.derived_gccdeps, self).sig_implicit_deps() >++ bld = self.generator.bld >++ >+ try: >+- return Task.Task.sig_implicit_deps(self) >+- except Errors.WafError: >+- return Utils.SIG_NIL >++ return self.compute_sig_implicit_deps() >++ except Errors.TaskNotReady: >++ raise ValueError("Please specify the build order precisely with gccdeps (asm/c/c++ tasks)") >++ except EnvironmentError: >++ # If a file is renamed, assume the dependencies are stale and must be recalculated >++ for x in bld.node_deps.get(self.uid(), []): >++ if not x.is_bld() and not x.exists(): >++ try: >++ del x.parent.children[x.name] >++ except KeyError: >++ pass >++ >++ key = self.uid() >++ bld.node_deps[key] = [] >++ bld.raw_deps[key] = [] >++ return Utils.SIG_NIL >+ >+ def wrap_compiled_task(classname): >+ derived_class = type(classname, (Task.classes[classname],), {}) >+diff --git third_party/waf/waflib/extras/msvcdeps.py third_party/waf/waflib/extras/msvcdeps.py >+index 873a4193150..52985dce058 100644 >+--- third_party/waf/waflib/extras/msvcdeps.py >++++ third_party/waf/waflib/extras/msvcdeps.py >+@@ -150,11 +150,25 @@ def scan(self): >+ def sig_implicit_deps(self): >+ if self.env.CC_NAME not in supported_compilers: >+ return super(self.derived_msvcdeps, self).sig_implicit_deps() >++ bld = self.generator.bld >+ >+ try: >+- return Task.Task.sig_implicit_deps(self) >+- except Errors.WafError: >+- return Utils.SIG_NIL >++ return self.compute_sig_implicit_deps() >++ except Errors.TaskNotReady: >++ raise ValueError("Please specify the build order precisely with msvcdeps (c/c++ tasks)") >++ except EnvironmentError: >++ # If a file is renamed, assume the dependencies are stale and must be recalculated >++ for x in bld.node_deps.get(self.uid(), []): >++ if not x.is_bld() and not x.exists(): >++ try: >++ del x.parent.children[x.name] >++ except KeyError: >++ pass >++ >++ key = self.uid() >++ bld.node_deps[key] = [] >++ bld.raw_deps[key] = [] >++ return Utils.SIG_NIL >+ >+ def exec_command(self, cmd, **kw): >+ if self.env.CC_NAME not in supported_compilers: >+@@ -211,11 +225,14 @@ def exec_command(self, cmd, **kw): >+ # get one from the exception object >+ ret = getattr(e, 'returncode', 1) >+ >++ Logs.debug('msvcdeps: Running for: %s' % self.inputs[0]) >+ for line in raw_out.splitlines(): >+ if line.startswith(INCLUDE_PATTERN): >+- inc_path = line[len(INCLUDE_PATTERN):].strip() >++ # Only strip whitespace after log to preserve >++ # dependency structure in debug output >++ inc_path = line[len(INCLUDE_PATTERN):] >+ Logs.debug('msvcdeps: Regex matched %s', inc_path) >+- self.msvcdeps_paths.append(inc_path) >++ self.msvcdeps_paths.append(inc_path.strip()) >+ else: >+ out.append(line) >+ >+diff --git third_party/waf/waflib/extras/pch.py third_party/waf/waflib/extras/pch.py >+index 103e752838c..b44c7a2e8fd 100644 >+--- third_party/waf/waflib/extras/pch.py >++++ third_party/waf/waflib/extras/pch.py >+@@ -90,7 +90,7 @@ def apply_pch(self): >+ >+ if getattr(self, 'name', None): >+ try: >+- task = self.bld.pch_tasks["%s.%s" % (self.name, self.idx)] >++ task = self.bld.pch_tasks[self.name] >+ self.bld.fatal("Duplicated 'pch' task with name %r" % "%s.%s" % (self.name, self.idx)) >+ except KeyError: >+ pass >+@@ -104,7 +104,7 @@ def apply_pch(self): >+ >+ self.pch_task = task >+ if getattr(self, 'name', None): >+- self.bld.pch_tasks["%s.%s" % (self.name, self.idx)] = task >++ self.bld.pch_tasks[self.name] = task >+ >+ @TaskGen.feature('cxx') >+ @TaskGen.after_method('process_source', 'propagate_uselib_vars') >+diff --git third_party/waf/waflib/extras/sphinx.py third_party/waf/waflib/extras/sphinx.py >+index ce11110e634..71d1028393b 100644 >+--- third_party/waf/waflib/extras/sphinx.py >++++ third_party/waf/waflib/extras/sphinx.py >+@@ -20,7 +20,7 @@ def build(bld): >+ >+ from waflib.Node import Node >+ from waflib import Utils >+-from waflib.Task import Task >++from waflib import Task >+ from waflib.TaskGen import feature, after_method >+ >+ >+@@ -55,13 +55,9 @@ def build_sphinx(self): >+ sphinx_build_task.set_outputs(self.path.get_bld()) >+ >+ # the sphinx-build results are in <build + output_format> directory >+- sphinx_output_directory = self.path.get_bld().make_node(self.env.SPHINX_OUTPUT_FORMAT) >+- sphinx_output_directory.mkdir() >++ self.sphinx_output_directory = self.path.get_bld().make_node(self.env.SPHINX_OUTPUT_FORMAT) >++ self.sphinx_output_directory.mkdir() >+ Utils.def_attrs(self, install_path=get_install_path(self)) >+- self.add_install_files(install_to=self.install_path, >+- install_from=sphinx_output_directory.ant_glob('**/*'), >+- cwd=sphinx_output_directory, >+- relative_trick=True) >+ >+ >+ def get_install_path(tg): >+@@ -73,9 +69,37 @@ def get_install_path(tg): >+ return tg.env.DOCDIR >+ >+ >+-class SphinxBuildingTask(Task): >++class SphinxBuildingTask(Task.Task): >+ color = 'BOLD' >+ run_str = '${SPHINX_BUILD} -M ${SPHINX_OUTPUT_FORMAT} ${SRC} ${TGT} ${SPHINX_OPTIONS}' >+ >+ def keyword(self): >+ return 'Compiling (%s)' % self.env.SPHINX_OUTPUT_FORMAT >++ >++ def runnable_status(self): >++ >++ for x in self.run_after: >++ if not x.hasrun: >++ return Task.ASK_LATER >++ >++ self.signature() >++ ret = Task.Task.runnable_status(self) >++ if ret == Task.SKIP_ME: >++ # in case the files were removed >++ self.add_install() >++ return ret >++ >++ >++ def post_run(self): >++ self.add_install() >++ return Task.Task.post_run(self) >++ >++ >++ def add_install(self): >++ nodes = self.generator.sphinx_output_directory.ant_glob('**/*', quiet=True) >++ self.outputs += nodes >++ self.generator.add_install_files(install_to=self.generator.install_path, >++ install_from=nodes, >++ postpone=False, >++ cwd=self.generator.sphinx_output_directory, >++ relative_trick=True) >+diff --git third_party/waf/waflib/extras/wafcache.py third_party/waf/waflib/extras/wafcache.py >+index 8b9567faf14..088fd0d098d 100644 >+--- third_party/waf/waflib/extras/wafcache.py >++++ third_party/waf/waflib/extras/wafcache.py >+@@ -16,10 +16,19 @@ The following environment variables may be set: >+ - URL to a cache server, for example: >+ export WAFCACHE=http://localhost:8080/files/ >+ in that case, GET/POST requests are made to urls of the form >+- http://localhost:8080/files/000000000/0 (cache management is then up to the server) >+- - GCS or S3 bucket >+- gs://my-bucket/ >+- s3://my-bucket/ >++ http://localhost:8080/files/000000000/0 (cache management is delegated to the server) >++ - GCS, S3 or MINIO bucket >++ gs://my-bucket/ (uses gsutil command line tool or WAFCACHE_CMD) >++ s3://my-bucket/ (uses aws command line tool or WAFCACHE_CMD) >++ minio://my-bucket/ (uses mc command line tool or WAFCACHE_CMD) >++* WAFCACHE_CMD: bucket upload/download command, for example: >++ WAFCACHE_CMD="gsutil cp %{SRC} %{TGT}" >++ Note that the WAFCACHE bucket value is used for the source or destination >++ depending on the operation (upload or download). For example, with: >++ WAFCACHE="gs://mybucket/" >++ the following commands may be run: >++ gsutil cp build/myprogram gs://mybucket/aa/aaaaa/1 >++ gsutil cp gs://mybucket/bb/bbbbb/2 build/somefile >+ * WAFCACHE_NO_PUSH: if set, disables pushing to the cache >+ * WAFCACHE_VERBOSITY: if set, displays more detailed cache operations >+ >+@@ -30,6 +39,7 @@ File cache specific options: >+ * WAFCACHE_EVICT_MAX_BYTES: maximum amount of cache size in bytes (10GB) >+ * WAFCACHE_EVICT_INTERVAL_MINUTES: minimum time interval to try >+ and trim the cache (3 minutess) >++ >+ Usage:: >+ >+ def build(bld): >+@@ -41,7 +51,7 @@ To troubleshoot:: >+ waf clean build --zones=wafcache >+ """ >+ >+-import atexit, base64, errno, fcntl, getpass, os, shutil, sys, time, traceback, urllib3 >++import atexit, base64, errno, fcntl, getpass, os, re, shutil, sys, time, traceback, urllib3, shlex >+ try: >+ import subprocess32 as subprocess >+ except ImportError: >+@@ -53,6 +63,7 @@ if not os.path.isdir(base_cache): >+ default_wafcache_dir = os.path.join(base_cache, 'wafcache_' + getpass.getuser()) >+ >+ CACHE_DIR = os.environ.get('WAFCACHE', default_wafcache_dir) >++WAFCACHE_CMD = os.environ.get('WAFCACHE_CMD') >+ TRIM_MAX_FOLDERS = int(os.environ.get('WAFCACHE_TRIM_MAX_FOLDER', 1000000)) >+ EVICT_INTERVAL_MINUTES = int(os.environ.get('WAFCACHE_EVICT_INTERVAL_MINUTES', 3)) >+ EVICT_MAX_BYTES = int(os.environ.get('WAFCACHE_EVICT_MAX_BYTES', 10**10)) >+@@ -60,6 +71,8 @@ WAFCACHE_NO_PUSH = 1 if os.environ.get('WAFCACHE_NO_PUSH') else 0 >+ WAFCACHE_VERBOSITY = 1 if os.environ.get('WAFCACHE_VERBOSITY') else 0 >+ OK = "ok" >+ >++re_waf_cmd = re.compile('(?P<src>%{SRC})|(?P<tgt>%{TGT})') >++ >+ try: >+ import cPickle >+ except ImportError: >+@@ -233,8 +246,9 @@ def build(bld): >+ # already called once >+ return >+ >+- for x in range(bld.jobs): >+- process_pool.append(get_process()) >++ # pre-allocation >++ processes = [get_process() for x in range(bld.jobs)] >++ process_pool.extend(processes) >+ >+ Task.Task.can_retrieve_cache = can_retrieve_cache >+ Task.Task.put_files_cache = put_files_cache >+@@ -449,10 +463,20 @@ class fcache(object): >+ >+ class bucket_cache(object): >+ def bucket_copy(self, source, target): >+- if CACHE_DIR.startswith('s3://'): >++ if WAFCACHE_CMD: >++ def replacer(match): >++ if match.group('src'): >++ return source >++ elif match.group('tgt'): >++ return target >++ cmd = [re_waf_cmd.sub(replacer, x) for x in shlex.split(WAFCACHE_CMD)] >++ elif CACHE_DIR.startswith('s3://'): >+ cmd = ['aws', 's3', 'cp', source, target] >+- else: >++ elif CACHE_DIR.startswith('gs://'): >+ cmd = ['gsutil', 'cp', source, target] >++ else: >++ cmd = ['mc', 'cp', source, target] >++ >+ proc = subprocess.Popen(cmd, stdout=subprocess.PIPE, stderr=subprocess.PIPE) >+ out, err = proc.communicate() >+ if proc.returncode: >+@@ -510,7 +534,9 @@ def loop(service): >+ sys.stdout.flush() >+ >+ if __name__ == '__main__': >+- if CACHE_DIR.startswith('s3://') or CACHE_DIR.startswith('gs://'): >++ if CACHE_DIR.startswith('s3://') or CACHE_DIR.startswith('gs://') or CACHE_DIR.startswith('minio://'): >++ if CACHE_DIR.startswith('minio://'): >++ CACHE_DIR = CACHE_DIR[8:] # minio doesn't need the protocol part, uses config aliases >+ service = bucket_cache() >+ elif CACHE_DIR.startswith('http'): >+ service = netcache() >+diff --git third_party/waf/waflib/extras/xcode6.py third_party/waf/waflib/extras/xcode6.py >+index 91bbff181ec..c5b309120c9 100644 >+--- third_party/waf/waflib/extras/xcode6.py >++++ third_party/waf/waflib/extras/xcode6.py >+@@ -99,7 +99,7 @@ env.PROJ_CONFIGURATION = { >+ ... >+ } >+ 'Release': { >+- 'ARCHS' x86_64' >++ 'ARCHS': x86_64' >+ ... >+ } >+ } >+@@ -163,12 +163,12 @@ class XCodeNode(object): >+ result = result + "\t\t}" >+ return result >+ elif isinstance(value, str): >+- return "\"%s\"" % value >++ return '"%s"' % value.replace('"', '\\\\\\"') >+ elif isinstance(value, list): >+ result = "(\n" >+ for i in value: >+- result = result + "\t\t\t%s,\n" % self.tostring(i) >+- result = result + "\t\t)" >++ result = result + "\t\t\t\t%s,\n" % self.tostring(i) >++ result = result + "\t\t\t)" >+ return result >+ elif isinstance(value, XCodeNode): >+ return value._id >+@@ -565,13 +565,13 @@ def process_xcode(self): >+ # Override target specific build settings >+ bldsettings = { >+ 'HEADER_SEARCH_PATHS': ['$(inherited)'] + self.env['INCPATHS'], >+- 'LIBRARY_SEARCH_PATHS': ['$(inherited)'] + Utils.to_list(self.env.LIBPATH) + Utils.to_list(self.env.STLIBPATH) + Utils.to_list(self.env.LIBDIR) , >++ 'LIBRARY_SEARCH_PATHS': ['$(inherited)'] + Utils.to_list(self.env.LIBPATH) + Utils.to_list(self.env.STLIBPATH) + Utils.to_list(self.env.LIBDIR), >+ 'FRAMEWORK_SEARCH_PATHS': ['$(inherited)'] + Utils.to_list(self.env.FRAMEWORKPATH), >+- 'OTHER_LDFLAGS': libs + ' ' + frameworks, >+- 'OTHER_LIBTOOLFLAGS': bld.env['LINKFLAGS'], >++ 'OTHER_LDFLAGS': libs + ' ' + frameworks + ' ' + ' '.join(bld.env['LINKFLAGS']), >+ 'OTHER_CPLUSPLUSFLAGS': Utils.to_list(self.env['CXXFLAGS']), >+ 'OTHER_CFLAGS': Utils.to_list(self.env['CFLAGS']), >+- 'INSTALL_PATH': [] >++ 'INSTALL_PATH': [], >++ 'GCC_PREPROCESSOR_DEFINITIONS': self.env['DEFINES'] >+ } >+ >+ # Install path >+@@ -591,7 +591,7 @@ def process_xcode(self): >+ >+ # The keys represents different build configuration, e.g. Debug, Release and so on.. >+ # Insert our generated build settings to all configuration names >+- keys = set(settings.keys() + bld.env.PROJ_CONFIGURATION.keys()) >++ keys = set(settings.keys()) | set(bld.env.PROJ_CONFIGURATION.keys()) >+ for k in keys: >+ if k in settings: >+ settings[k].update(bldsettings) >+-- >+2.37.3 >+ >diff --git a/net/samba413/files/patch-waf-2.0.22 b/net/samba413/files/patch-waf-2.0.22 >new file mode 100644 >index 000000000000..db3c8edff8d3 >--- /dev/null >+++ b/net/samba413/files/patch-waf-2.0.22 >@@ -0,0 +1,596 @@ >+From 59ed09928541d40df72592419247add608a54aca Mon Sep 17 00:00:00 2001 >+From: Andreas Schneider <asn@samba.org> >+Date: Wed, 25 Aug 2021 15:34:58 +0200 >+Subject: [PATCH] third_party: Update waf to version 2.0.22 >+ >+New in waf 2.0.22 >+ >+* Fix stdin propagation with faulty vcvarsall scripts #2315 >+* Enable mixing Unix-style paths with destdir on Windows platforms #2337 >+* Fix shell escaping unit test parameters #2314 >+* Improve extras/clang_compilation_database and extras/swig compatibility #2336 >+* Propagate C++ flags to the Cuda compiler in extras/cuda #2311 >+* Fix detection of Qt 5.0.0 (preparation for Qt6) #2331 >+* Enable Haxe processing #2308 >+* Fix regression in MACOSX_DEPLOYMENT_TARGET caused by distutils #2330 >+* Fix extras/wafcache concurrent trimming issues #2312 >+* Fix extras/wafcache symlink handling #2327 >+ >+The import was done like this: >+ >+./third_party/waf/update.sh >+ >+Then changing buildtools/bin/waf and buildtools/wafsamba/wafsamba.py >+by hand. >+ >+Pair-Programmed-With: Stefan Metzmacher <metze@samba.org> >+ >+Signed-off-by: Andreas Schneider <asn@samba.org> >+Signed-off-by: Stefan Metzmacher <metze@samba.org> >+Reviewed-by: Andrew Bartlett <abartlet@samba.org> >+ >+Autobuild-User(master): Andrew Bartlett <abartlet@samba.org> >+Autobuild-Date(master): Thu Sep 2 21:22:17 UTC 2021 on sn-devel-184 >+--- >+ buildtools/bin/waf | 2 +- >+ buildtools/wafsamba/wafsamba.py | 2 +- >+ third_party/waf/waflib/Build.py | 4 +- >+ third_party/waf/waflib/Context.py | 6 +- >+ third_party/waf/waflib/Tools/msvc.py | 2 +- >+ third_party/waf/waflib/Tools/python.py | 2 +- >+ third_party/waf/waflib/Tools/qt5.py | 6 +- >+ third_party/waf/waflib/Tools/waf_unit_test.py | 2 +- >+ third_party/waf/waflib/Utils.py | 15 +- >+ .../extras/clang_compilation_database.py | 28 ++-- >+ third_party/waf/waflib/extras/haxe.py | 131 ++++++++++++++++++ >+ third_party/waf/waflib/extras/wafcache.py | 59 ++++++-- >+ 12 files changed, 215 insertions(+), 44 deletions(-) >+ create mode 100644 third_party/waf/waflib/extras/haxe.py >+ >+diff --git buildtools/bin/waf buildtools/bin/waf >+index 041450fc131..b0ccb09a877 100755 >+--- buildtools/bin/waf >++++ buildtools/bin/waf >+@@ -32,7 +32,7 @@ POSSIBILITY OF SUCH DAMAGE. >+ >+ import os, sys, inspect >+ >+-VERSION="2.0.21" >++VERSION="2.0.22" >+ REVISION="x" >+ GIT="x" >+ INSTALL="x" >+diff --git buildtools/wafsamba/wafsamba.py buildtools/wafsamba/wafsamba.py >+index 4fe9daf160e..dee007bf84e 100644 >+--- buildtools/wafsamba/wafsamba.py >++++ buildtools/wafsamba/wafsamba.py >+@@ -38,7 +38,7 @@ LIB_PATH="shared" >+ >+ os.environ['PYTHONUNBUFFERED'] = '1' >+ >+-if Context.HEXVERSION not in (0x2001500,): >++if Context.HEXVERSION not in (0x2001600,): >+ Logs.error(''' >+ Please use the version of waf that comes with Samba, not >+ a system installed version. See http://wiki.samba.org/index.php/Waf >+diff --git third_party/waf/waflib/Build.py third_party/waf/waflib/Build.py >+index 52837618577..b49dd8302b1 100644 >+--- third_party/waf/waflib/Build.py >++++ third_party/waf/waflib/Build.py >+@@ -1066,9 +1066,9 @@ class inst(Task.Task): >+ else: >+ dest = os.path.normpath(Utils.subst_vars(self.install_to, self.env)) >+ if not os.path.isabs(dest): >+- dest = os.path.join(self.env.PREFIX, dest) >++ dest = os.path.join(self.env.PREFIX, dest) >+ if destdir and Options.options.destdir: >+- dest = os.path.join(Options.options.destdir, os.path.splitdrive(dest)[1].lstrip(os.sep)) >++ dest = Options.options.destdir.rstrip(os.sep) + os.sep + os.path.splitdrive(dest)[1].lstrip(os.sep) >+ return dest >+ >+ def copy_fun(self, src, tgt): >+diff --git third_party/waf/waflib/Context.py third_party/waf/waflib/Context.py >+index 0ce9df6e91f..07ee1201f03 100644 >+--- third_party/waf/waflib/Context.py >++++ third_party/waf/waflib/Context.py >+@@ -18,13 +18,13 @@ else: >+ import imp >+ >+ # the following 3 constants are updated on each new release (do not touch) >+-HEXVERSION=0x2001500 >++HEXVERSION=0x2001600 >+ """Constant updated on new releases""" >+ >+-WAFVERSION="2.0.21" >++WAFVERSION="2.0.22" >+ """Constant updated on new releases""" >+ >+-WAFREVISION="edde20a6425a5c3eb6b47d5f3f5c4fbc93fed5f4" >++WAFREVISION="816d5bc48ba2abc4ac22f2b44d94d322bf992b9c" >+ """Git revision when the waf version is updated""" >+ >+ WAFNAME="waf" >+diff --git third_party/waf/waflib/Tools/msvc.py third_party/waf/waflib/Tools/msvc.py >+index 37233be8242..0c4703aaee9 100644 >+--- third_party/waf/waflib/Tools/msvc.py >++++ third_party/waf/waflib/Tools/msvc.py >+@@ -193,7 +193,7 @@ echo PATH=%%PATH%% >+ echo INCLUDE=%%INCLUDE%% >+ echo LIB=%%LIB%%;%%LIBPATH%% >+ """ % (vcvars,target)) >+- sout = conf.cmd_and_log(['cmd.exe', '/E:on', '/V:on', '/C', batfile.abspath()]) >++ sout = conf.cmd_and_log(['cmd.exe', '/E:on', '/V:on', '/C', batfile.abspath()], stdin=getattr(Utils.subprocess, 'DEVNULL', None)) >+ lines = sout.splitlines() >+ >+ if not lines[0]: >+diff --git third_party/waf/waflib/Tools/python.py third_party/waf/waflib/Tools/python.py >+index b1c8dd01285..07442561dff 100644 >+--- third_party/waf/waflib/Tools/python.py >++++ third_party/waf/waflib/Tools/python.py >+@@ -327,7 +327,7 @@ def check_python_headers(conf, features='pyembed pyext'): >+ dct = dict(zip(v, lst)) >+ x = 'MACOSX_DEPLOYMENT_TARGET' >+ if dct[x]: >+- env[x] = conf.environ[x] = dct[x] >++ env[x] = conf.environ[x] = str(dct[x]) >+ env.pyext_PATTERN = '%s' + dct['SO'] # not a mistake >+ >+ >+diff --git third_party/waf/waflib/Tools/qt5.py third_party/waf/waflib/Tools/qt5.py >+index cff2028174f..82c83e18c8a 100644 >+--- third_party/waf/waflib/Tools/qt5.py >++++ third_party/waf/waflib/Tools/qt5.py >+@@ -566,7 +566,7 @@ def find_qt5_binaries(self): >+ # at the end, try to find qmake in the paths given >+ # keep the one with the highest version >+ cand = None >+- prev_ver = ['5', '0', '0'] >++ prev_ver = ['0', '0', '0'] >+ for qmk in ('qmake-qt5', 'qmake5', 'qmake'): >+ try: >+ qmake = self.find_program(qmk, path_list=paths) >+@@ -580,7 +580,7 @@ def find_qt5_binaries(self): >+ else: >+ if version: >+ new_ver = version.split('.') >+- if new_ver > prev_ver: >++ if new_ver[0] == '5' and new_ver > prev_ver: >+ cand = qmake >+ prev_ver = new_ver >+ >+@@ -783,7 +783,7 @@ def set_qt5_libs_to_check(self): >+ pat = self.env.cxxstlib_PATTERN >+ if Utils.unversioned_sys_platform() == 'darwin': >+ pat = r"%s\.framework" >+- re_qt = re.compile(pat%'Qt5?(?P<name>.*)'+'$') >++ re_qt = re.compile(pat % 'Qt5?(?P<name>\\D+)' + '$') >+ for x in dirlst: >+ m = re_qt.match(x) >+ if m: >+diff --git third_party/waf/waflib/Tools/waf_unit_test.py third_party/waf/waflib/Tools/waf_unit_test.py >+index dc66fe9c184..8cff89bdeb9 100644 >+--- third_party/waf/waflib/Tools/waf_unit_test.py >++++ third_party/waf/waflib/Tools/waf_unit_test.py >+@@ -206,7 +206,7 @@ class utest(Task.Task): >+ self.ut_exec = getattr(self.generator, 'ut_exec', [self.inputs[0].abspath()]) >+ ut_cmd = getattr(self.generator, 'ut_cmd', False) >+ if ut_cmd: >+- self.ut_exec = shlex.split(ut_cmd % ' '.join(self.ut_exec)) >++ self.ut_exec = shlex.split(ut_cmd % Utils.shell_escape(self.ut_exec)) >+ >+ return self.exec_command(self.ut_exec) >+ >+diff --git third_party/waf/waflib/Utils.py third_party/waf/waflib/Utils.py >+index fc64fa05154..669490ca908 100644 >+--- third_party/waf/waflib/Utils.py >++++ third_party/waf/waflib/Utils.py >+@@ -11,7 +11,7 @@ through Python versions 2.5 to 3.X and across different platforms (win32, linux, >+ >+ from __future__ import with_statement >+ >+-import atexit, os, sys, errno, inspect, re, datetime, platform, base64, signal, functools, time >++import atexit, os, sys, errno, inspect, re, datetime, platform, base64, signal, functools, time, shlex >+ >+ try: >+ import cPickle >+@@ -577,10 +577,13 @@ def quote_define_name(s): >+ fu = fu.upper() >+ return fu >+ >+-re_sh = re.compile('\\s|\'|"') >+-""" >+-Regexp used for shell_escape below >+-""" >++# shlex.quote didn't exist until python 3.3. Prior to that it was a non-documented >++# function in pipes. >++try: >++ shell_quote = shlex.quote >++except AttributeError: >++ import pipes >++ shell_quote = pipes.quote >+ >+ def shell_escape(cmd): >+ """ >+@@ -589,7 +592,7 @@ def shell_escape(cmd): >+ """ >+ if isinstance(cmd, str): >+ return cmd >+- return ' '.join(repr(x) if re_sh.search(x) else x for x in cmd) >++ return ' '.join(shell_quote(x) for x in cmd) >+ >+ def h_list(lst): >+ """ >+diff --git third_party/waf/waflib/extras/clang_compilation_database.py third_party/waf/waflib/extras/clang_compilation_database.py >+index ff71f22ecfd..17f66949376 100644 >+--- third_party/waf/waflib/extras/clang_compilation_database.py >++++ third_party/waf/waflib/extras/clang_compilation_database.py >+@@ -29,22 +29,9 @@ from waflib import Logs, TaskGen, Task, Build, Scripting >+ >+ Task.Task.keep_last_cmd = True >+ >+-@TaskGen.feature('c', 'cxx') >+-@TaskGen.after_method('process_use') >+-def collect_compilation_db_tasks(self): >+- "Add a compilation database entry for compiled tasks" >+- if not isinstance(self.bld, ClangDbContext): >+- return >+- >+- tup = tuple(y for y in [Task.classes.get(x) for x in ('c', 'cxx')] if y) >+- for task in getattr(self, 'compiled_tasks', []): >+- if isinstance(task, tup): >+- self.bld.clang_compilation_database_tasks.append(task) >+- >+ class ClangDbContext(Build.BuildContext): >+ '''generates compile_commands.json by request''' >+ cmd = 'clangdb' >+- clang_compilation_database_tasks = [] >+ >+ def write_compilation_database(self): >+ """ >+@@ -78,6 +65,8 @@ class ClangDbContext(Build.BuildContext): >+ Build dry run >+ """ >+ self.restore() >++ self.cur_tasks = [] >++ self.clang_compilation_database_tasks = [] >+ >+ if not self.all_envs: >+ self.load_envs() >+@@ -103,8 +92,21 @@ class ClangDbContext(Build.BuildContext): >+ lst = [tg] >+ else: lst = tg.tasks >+ for tsk in lst: >++ if tsk.__class__.__name__ == "swig": >++ tsk.runnable_status() >++ if hasattr(tsk, 'more_tasks'): >++ lst.extend(tsk.more_tasks) >++ # Not all dynamic tasks can be processed, in some cases >++ # one may have to call the method "run()" like this: >++ #elif tsk.__class__.__name__ == 'src2c': >++ # tsk.run() >++ # if hasattr(tsk, 'more_tasks'): >++ # lst.extend(tsk.more_tasks) >++ >+ tup = tuple(y for y in [Task.classes.get(x) for x in ('c', 'cxx')] if y) >+ if isinstance(tsk, tup): >++ self.clang_compilation_database_tasks.append(tsk) >++ tsk.nocache = True >+ old_exec = tsk.exec_command >+ tsk.exec_command = exec_command >+ tsk.run() >+diff --git third_party/waf/waflib/extras/haxe.py third_party/waf/waflib/extras/haxe.py >+new file mode 100644 >+index 00000000000..cb3ba6a949c >+--- /dev/null >++++ third_party/waf/waflib/extras/haxe.py >+@@ -0,0 +1,131 @@ >++import os, re >++from waflib import Utils, Task, Errors >++from waflib.TaskGen import extension, taskgen_method, feature >++from waflib.Configure import conf >++ >++@conf >++def libname_haxe(self, libname): >++ return libname >++ >++@conf >++def check_lib_haxe(self, libname, uselib_store=None): >++ haxe_libs = [node.name for node in self.root.find_node('haxe_libraries').ant_glob()] >++ changed = False >++ self.start_msg('Checking for library %s' % libname) >++ if libname + '.hxml' in haxe_libs: >++ self.end_msg('yes') >++ else: >++ changed = True >++ try: >++ cmd = self.env.LIX + ['+lib', libname] >++ res = self.cmd_and_log(cmd) >++ if (res): >++ raise Errors.WafError(res) >++ else: >++ self.end_msg('downloaded', color = 'YELLOW') >++ except Errors.WafError as e: >++ self.end_msg('no', color = 'RED') >++ self.fatal('Getting %s has failed' % libname) >++ >++ postfix = uselib_store if uselib_store else libname.upper() >++ self.env['LIB_' + postfix] += [self.libname_haxe(libname)] >++ return changed >++ >++@conf >++def check_libs_haxe(self, libnames, uselib_store=None): >++ changed = False >++ for libname in Utils.to_list(libnames): >++ if self.check_lib_haxe(libname, uselib_store): >++ changed = True >++ return changed >++ >++@conf >++def ensure_lix_pkg(self, *k, **kw): >++ if kw.get('compiler') == 'hx': >++ if isinstance(kw.get('libs'), list) and len(kw.get('libs')): >++ changed = self.check_libs_haxe(kw.get('libs'), kw.get('uselib_store')) >++ if changed: >++ try: >++ cmd = self.env.LIX + ['download'] >++ res = self.cmd_and_log(cmd) >++ if (res): >++ raise Errors.WafError(res) >++ except Errors.WafError as e: >++ self.fatal('lix download has failed') >++ else: >++ self.check_lib_haxe(kw.get('lib'), kw.get('uselib_store')) >++ >++@conf >++def haxe(bld, *k, **kw): >++ task_gen = bld(*k, **kw) >++ >++class haxe(Task.Task): >++ vars = ['HAXE', 'HAXE_VERSION', 'HAXEFLAGS'] >++ ext_out = ['.hl', '.c', '.h'] >++ >++ def run(self): >++ cmd = self.env.HAXE + self.env.HAXEFLAGS >++ return self.exec_command(cmd, stdout = open(os.devnull, 'w')) >++ >++@taskgen_method >++def init_haxe_task(self, node): >++ def addflags(flags): >++ self.env.append_value('HAXEFLAGS', flags) >++ >++ if node.suffix() == '.hxml': >++ addflags(self.path.abspath() + '/' + node.name) >++ else: >++ addflags(['-main', node.name]) >++ addflags(['-hl', self.path.get_bld().make_node(self.target).abspath()]) >++ addflags(['-cp', self.path.abspath()]) >++ addflags(['-D', 'resourcesPath=%s' % getattr(self, 'res', '')]) >++ if hasattr(self, 'use'): >++ for dep in self.use: >++ if self.env['LIB_' + dep]: >++ for lib in self.env['LIB_' + dep]: addflags(['-lib', lib]) >++ >++@extension('.hx', '.hxml') >++def haxe_file(self, node): >++ if len(self.source) > 1: >++ self.bld.fatal('Use separate task generators for multiple files') >++ >++ try: >++ haxetask = self.haxetask >++ except AttributeError: >++ haxetask = self.haxetask = self.create_task('haxe') >++ self.init_haxe_task(node) >++ >++ haxetask.inputs.append(node) >++ haxetask.outputs.append(self.path.get_bld().make_node(self.target)) >++ >++@conf >++def find_haxe(self, min_version): >++ npx = self.env.NPX = self.find_program('npx') >++ self.env.LIX = npx + ['lix'] >++ npx_haxe = self.env.HAXE = npx + ['haxe'] >++ try: >++ output = self.cmd_and_log(npx_haxe + ['-version']) >++ except Errors.WafError: >++ haxe_version = None >++ else: >++ ver = re.search(r'\d+.\d+.\d+', output).group().split('.') >++ haxe_version = tuple([int(x) for x in ver]) >++ >++ self.msg('Checking for haxe version', >++ haxe_version, haxe_version and haxe_version >= min_version) >++ if npx_haxe and haxe_version < min_version: >++ self.fatal('haxe version %r is too old, need >= %r' % (haxe_version, min_version)) >++ >++ self.env.HAXE_VERSION = haxe_version >++ return npx_haxe >++ >++@conf >++def check_haxe(self, min_version=(4,1,4)): >++ if self.env.HAXE_MINVER: >++ min_version = self.env.HAXE_MINVER >++ find_haxe(self, min_version) >++ >++def configure(self): >++ self.env.HAXEFLAGS = [] >++ self.check_haxe() >++ self.add_os_flags('HAXEFLAGS', dup = False) >+diff --git third_party/waf/waflib/extras/wafcache.py third_party/waf/waflib/extras/wafcache.py >+index 088fd0d098d..cc23fcd6673 100644 >+--- third_party/waf/waflib/extras/wafcache.py >++++ third_party/waf/waflib/extras/wafcache.py >+@@ -31,6 +31,7 @@ The following environment variables may be set: >+ gsutil cp gs://mybucket/bb/bbbbb/2 build/somefile >+ * WAFCACHE_NO_PUSH: if set, disables pushing to the cache >+ * WAFCACHE_VERBOSITY: if set, displays more detailed cache operations >++* WAFCACHE_STATS: if set, displays cache usage statistics on exit >+ >+ File cache specific options: >+ Files are copied using hard links by default; if the cache is located >+@@ -69,6 +70,7 @@ EVICT_INTERVAL_MINUTES = int(os.environ.get('WAFCACHE_EVICT_INTERVAL_MINUTES', 3 >+ EVICT_MAX_BYTES = int(os.environ.get('WAFCACHE_EVICT_MAX_BYTES', 10**10)) >+ WAFCACHE_NO_PUSH = 1 if os.environ.get('WAFCACHE_NO_PUSH') else 0 >+ WAFCACHE_VERBOSITY = 1 if os.environ.get('WAFCACHE_VERBOSITY') else 0 >++WAFCACHE_STATS = 1 if os.environ.get('WAFCACHE_STATS') else 0 >+ OK = "ok" >+ >+ re_waf_cmd = re.compile('(?P<src>%{SRC})|(?P<tgt>%{TGT})') >+@@ -93,6 +95,9 @@ def can_retrieve_cache(self): >+ sig = self.signature() >+ ssig = Utils.to_hex(self.uid() + sig) >+ >++ if WAFCACHE_STATS: >++ self.generator.bld.cache_reqs += 1 >++ >+ files_to = [node.abspath() for node in self.outputs] >+ err = cache_command(ssig, [], files_to) >+ if err.startswith(OK): >+@@ -100,6 +105,8 @@ def can_retrieve_cache(self): >+ Logs.pprint('CYAN', ' Fetched %r from cache' % files_to) >+ else: >+ Logs.debug('wafcache: fetched %r from cache', files_to) >++ if WAFCACHE_STATS: >++ self.generator.bld.cache_hits += 1 >+ else: >+ if WAFCACHE_VERBOSITY: >+ Logs.pprint('YELLOW', ' No cache entry %s' % files_to) >+@@ -117,11 +124,17 @@ def put_files_cache(self): >+ if WAFCACHE_NO_PUSH or getattr(self, 'cached', None) or not self.outputs: >+ return >+ >++ files_from = [] >++ for node in self.outputs: >++ path = node.abspath() >++ if not os.path.isfile(path): >++ return >++ files_from.append(path) >++ >+ bld = self.generator.bld >+ sig = self.signature() >+ ssig = Utils.to_hex(self.uid() + sig) >+ >+- files_from = [node.abspath() for node in self.outputs] >+ err = cache_command(ssig, files_from, []) >+ >+ if err.startswith(OK): >+@@ -129,6 +142,8 @@ def put_files_cache(self): >+ Logs.pprint('CYAN', ' Successfully uploaded %s to cache' % files_from) >+ else: >+ Logs.debug('wafcache: Successfully uploaded %r to cache', files_from) >++ if WAFCACHE_STATS: >++ self.generator.bld.cache_puts += 1 >+ else: >+ if WAFCACHE_VERBOSITY: >+ Logs.pprint('RED', ' Error caching step results %s: %s' % (files_from, err)) >+@@ -193,6 +208,10 @@ def make_cached(cls): >+ if getattr(cls, 'nocache', None) or getattr(cls, 'has_cache', False): >+ return >+ >++ full_name = "%s.%s" % (cls.__module__, cls.__name__) >++ if full_name in ('waflib.Tools.ccroot.vnum', 'waflib.Build.inst'): >++ return >++ >+ m1 = getattr(cls, 'run', None) >+ def run(self): >+ if getattr(self, 'nocache', False): >+@@ -208,9 +227,6 @@ def make_cached(cls): >+ return m2(self) >+ ret = m2(self) >+ self.put_files_cache() >+- if hasattr(self, 'chmod'): >+- for node in self.outputs: >+- os.chmod(node.abspath(), self.chmod) >+ return ret >+ cls.post_run = post_run >+ cls.has_cache = True >+@@ -257,6 +273,19 @@ def build(bld): >+ for x in reversed(list(Task.classes.values())): >+ make_cached(x) >+ >++ if WAFCACHE_STATS: >++ # Init counter for statistics and hook to print results at the end >++ bld.cache_reqs = bld.cache_hits = bld.cache_puts = 0 >++ >++ def printstats(bld): >++ hit_ratio = 0 >++ if bld.cache_reqs > 0: >++ hit_ratio = (bld.cache_hits / bld.cache_reqs) * 100 >++ Logs.pprint('CYAN', ' wafcache stats: requests: %s, hits, %s, ratio: %.2f%%, writes %s' % >++ (bld.cache_reqs, bld.cache_hits, hit_ratio, bld.cache_puts) ) >++ >++ bld.add_post_fun(printstats) >++ >+ def cache_command(sig, files_from, files_to): >+ """ >+ Create a command for cache worker processes, returns a pickled >+@@ -320,7 +349,10 @@ def lru_trim(): >+ >+ size = 0 >+ for fname in os.listdir(path): >+- size += os.lstat(os.path.join(path, fname)).st_size >++ try: >++ size += os.lstat(os.path.join(path, fname)).st_size >++ except OSError: >++ pass >+ lst.append((os.stat(path).st_mtime, size, path)) >+ >+ lst.sort(key=lambda x: x[0]) >+@@ -331,7 +363,7 @@ def lru_trim(): >+ _, tmp_size, path = lst.pop() >+ tot -= tmp_size >+ >+- tmp = path + '.tmp' >++ tmp = path + '.remove' >+ try: >+ shutil.rmtree(tmp) >+ except OSError: >+@@ -339,12 +371,12 @@ def lru_trim(): >+ try: >+ os.rename(path, tmp) >+ except OSError: >+- sys.stderr.write('Could not rename %r to %r' % (path, tmp)) >++ sys.stderr.write('Could not rename %r to %r\n' % (path, tmp)) >+ else: >+ try: >+ shutil.rmtree(tmp) >+ except OSError: >+- sys.stderr.write('Could not remove %r' % tmp) >++ sys.stderr.write('Could not remove %r\n' % tmp) >+ sys.stderr.write("Cache trimmed: %r bytes in %r folders left\n" % (tot, len(lst))) >+ >+ >+@@ -371,8 +403,8 @@ def lru_evict(): >+ try: >+ fcntl.flock(fd, fcntl.LOCK_EX | fcntl.LOCK_NB) >+ except EnvironmentError: >+- sys.stderr.write('another process is running!\n') >+- pass >++ if WAFCACHE_VERBOSITY: >++ sys.stderr.write('wafcache: another cleaning process is running\n') >+ else: >+ # now dow the actual cleanup >+ lru_trim() >+@@ -443,7 +475,10 @@ class fcache(object): >+ else: >+ # attempt trimming if caching was successful: >+ # we may have things to trim! >+- lru_evict() >++ try: >++ lru_evict() >++ except Exception: >++ return traceback.format_exc() >+ return OK >+ >+ def copy_from_cache(self, sig, files_from, files_to): >+@@ -481,7 +516,7 @@ class bucket_cache(object): >+ out, err = proc.communicate() >+ if proc.returncode: >+ raise OSError('Error copy %r to %r using: %r (exit %r):\n out:%s\n err:%s' % ( >+- source, target, cmd, proc.returncode, out.decode(), err.decode())) >++ source, target, cmd, proc.returncode, out.decode(errors='replace'), err.decode(errors='replace'))) >+ >+ def copy_to_cache(self, sig, files_from, files_to): >+ try: >+-- >+2.37.3 >+ >diff --git a/net/samba413/files/patch-waf-2.0.23 b/net/samba413/files/patch-waf-2.0.23 >new file mode 100644 >index 000000000000..36a70e32e8c3 >--- /dev/null >+++ b/net/samba413/files/patch-waf-2.0.23 >@@ -0,0 +1,877 @@ >+From fb175576b698f43224dab815fd6c0763a12db2b2 Mon Sep 17 00:00:00 2001 >+From: Andreas Schneider <asn@samba.org> >+Date: Thu, 17 Feb 2022 15:40:20 +0100 >+Subject: [PATCH] third_party: Update waf to verison 2.0.23 >+ >+Signed-off-by: Andreas Schneider <asn@samba.org> >+Reviewed-by: Alexander Bokovoy <ab@samba.org> >+ >+Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org> >+Autobuild-Date(master): Mon Feb 21 10:06:27 UTC 2022 on sn-devel-184 >+--- >+ buildtools/bin/waf | 3 +- >+ buildtools/wafsamba/wafsamba.py | 2 +- >+ third_party/waf/waflib/Context.py | 6 +- >+ third_party/waf/waflib/Runner.py | 4 +- >+ third_party/waf/waflib/TaskGen.py | 8 +- >+ third_party/waf/waflib/Tools/c_config.py | 1 + >+ third_party/waf/waflib/Tools/compiler_c.py | 25 +++--- >+ third_party/waf/waflib/Tools/compiler_cxx.py | 25 +++--- >+ third_party/waf/waflib/Tools/python.py | 7 +- >+ third_party/waf/waflib/Tools/qt5.py | 4 +- >+ third_party/waf/waflib/Tools/winres.py | 35 ++++++++ >+ .../extras/clang_compilation_database.py | 2 +- >+ .../waf/waflib/extras/classic_runner.py | 68 +++++++++++++++ >+ third_party/waf/waflib/extras/color_gcc.py | 2 +- >+ third_party/waf/waflib/extras/eclipse.py | 74 ++++++++++++++++- >+ third_party/waf/waflib/extras/gccdeps.py | 82 ++++++++++--------- >+ third_party/waf/waflib/extras/msvcdeps.py | 54 ++++++++---- >+ third_party/waf/waflib/extras/msvs.py | 6 +- >+ third_party/waf/waflib/extras/swig.py | 2 +- >+ third_party/waf/waflib/extras/wafcache.py | 26 +++--- >+ third_party/waf/waflib/fixpy2.py | 2 +- >+ 21 files changed, 325 insertions(+), 113 deletions(-) >+ create mode 100644 third_party/waf/waflib/extras/classic_runner.py >+ >+diff --git buildtools/bin/waf buildtools/bin/waf >+index b0ccb09a877..2001ccdbd8a 100755 >+--- buildtools/bin/waf >++++ buildtools/bin/waf >+@@ -32,7 +32,7 @@ POSSIBILITY OF SUCH DAMAGE. >+ >+ import os, sys, inspect >+ >+-VERSION="2.0.22" >++VERSION="2.0.23" >+ REVISION="x" >+ GIT="x" >+ INSTALL="x" >+@@ -164,4 +164,3 @@ if __name__ == '__main__': >+ >+ from waflib import Scripting >+ Scripting.waf_entry_point(cwd, VERSION, wafdir[0]) >+- >+diff --git buildtools/wafsamba/wafsamba.py buildtools/wafsamba/wafsamba.py >+index 185ef3b73a2..710b82af663 100644 >+--- buildtools/wafsamba/wafsamba.py >++++ buildtools/wafsamba/wafsamba.py >+@@ -38,7 +38,7 @@ LIB_PATH="shared" >+ >+ os.environ['PYTHONUNBUFFERED'] = '1' >+ >+-if Context.HEXVERSION not in (0x2001600,): >++if Context.HEXVERSION not in (0x2001700,): >+ Logs.error(''' >+ Please use the version of waf that comes with Samba, not >+ a system installed version. See http://wiki.samba.org/index.php/Waf >+diff --git third_party/waf/waflib/Context.py third_party/waf/waflib/Context.py >+index 07ee1201f03..36d1ca74fef 100644 >+--- third_party/waf/waflib/Context.py >++++ third_party/waf/waflib/Context.py >+@@ -18,13 +18,13 @@ else: >+ import imp >+ >+ # the following 3 constants are updated on each new release (do not touch) >+-HEXVERSION=0x2001600 >++HEXVERSION=0x2001700 >+ """Constant updated on new releases""" >+ >+-WAFVERSION="2.0.22" >++WAFVERSION="2.0.23" >+ """Constant updated on new releases""" >+ >+-WAFREVISION="816d5bc48ba2abc4ac22f2b44d94d322bf992b9c" >++WAFREVISION="cc6b34cf555d354c34f554c41206134072588de7" >+ """Git revision when the waf version is updated""" >+ >+ WAFNAME="waf" >+diff --git third_party/waf/waflib/Runner.py third_party/waf/waflib/Runner.py >+index 91d55479e20..350c86a22c0 100644 >+--- third_party/waf/waflib/Runner.py >++++ third_party/waf/waflib/Runner.py >+@@ -71,7 +71,7 @@ class Consumer(Utils.threading.Thread): >+ """Task to execute""" >+ self.spawner = spawner >+ """Coordinator object""" >+- self.setDaemon(1) >++ self.daemon = True >+ self.start() >+ def run(self): >+ """ >+@@ -98,7 +98,7 @@ class Spawner(Utils.threading.Thread): >+ """:py:class:`waflib.Runner.Parallel` producer instance""" >+ self.sem = Utils.threading.Semaphore(master.numjobs) >+ """Bounded semaphore that prevents spawning more than *n* concurrent consumers""" >+- self.setDaemon(1) >++ self.daemon = True >+ self.start() >+ def run(self): >+ """ >+diff --git third_party/waf/waflib/TaskGen.py third_party/waf/waflib/TaskGen.py >+index f8f92bd57c1..89f63169910 100644 >+--- third_party/waf/waflib/TaskGen.py >++++ third_party/waf/waflib/TaskGen.py >+@@ -631,12 +631,8 @@ def process_rule(self): >+ cls.scan = self.scan >+ elif has_deps: >+ def scan(self): >+- nodes = [] >+- for x in self.generator.to_list(getattr(self.generator, 'deps', None)): >+- node = self.generator.path.find_resource(x) >+- if not node: >+- self.generator.bld.fatal('Could not find %r (was it declared?)' % x) >+- nodes.append(node) >++ deps = getattr(self.generator, 'deps', None) >++ nodes = self.generator.to_nodes(deps) >+ return [nodes, []] >+ cls.scan = scan >+ >+diff --git third_party/waf/waflib/Tools/c_config.py third_party/waf/waflib/Tools/c_config.py >+index 03b6bf61bc0..f5ab19bf6ce 100644 >+--- third_party/waf/waflib/Tools/c_config.py >++++ third_party/waf/waflib/Tools/c_config.py >+@@ -69,6 +69,7 @@ MACRO_TO_DEST_CPU = { >+ '__sh__' : 'sh', >+ '__xtensa__' : 'xtensa', >+ '__e2k__' : 'e2k', >++'__riscv' : 'riscv', >+ } >+ >+ @conf >+diff --git third_party/waf/waflib/Tools/compiler_c.py third_party/waf/waflib/Tools/compiler_c.py >+index 931dc57efec..e033ce6c5c3 100644 >+--- third_party/waf/waflib/Tools/compiler_c.py >++++ third_party/waf/waflib/Tools/compiler_c.py >+@@ -36,18 +36,19 @@ from waflib import Utils >+ from waflib.Logs import debug >+ >+ c_compiler = { >+-'win32': ['msvc', 'gcc', 'clang'], >+-'cygwin': ['gcc', 'clang'], >+-'darwin': ['clang', 'gcc'], >+-'aix': ['xlc', 'gcc', 'clang'], >+-'linux': ['gcc', 'clang', 'icc'], >+-'sunos': ['suncc', 'gcc'], >+-'irix': ['gcc', 'irixcc'], >+-'hpux': ['gcc'], >+-'osf1V': ['gcc'], >+-'gnu': ['gcc', 'clang'], >+-'java': ['gcc', 'msvc', 'clang', 'icc'], >+-'default':['clang', 'gcc'], >++'win32': ['msvc', 'gcc', 'clang'], >++'cygwin': ['gcc', 'clang'], >++'darwin': ['clang', 'gcc'], >++'aix': ['xlc', 'gcc', 'clang'], >++'linux': ['gcc', 'clang', 'icc'], >++'sunos': ['suncc', 'gcc'], >++'irix': ['gcc', 'irixcc'], >++'hpux': ['gcc'], >++'osf1V': ['gcc'], >++'gnu': ['gcc', 'clang'], >++'java': ['gcc', 'msvc', 'clang', 'icc'], >++'gnukfreebsd': ['gcc', 'clang'], >++'default': ['clang', 'gcc'], >+ } >+ """ >+ Dict mapping platform names to Waf tools finding specific C compilers:: >+diff --git third_party/waf/waflib/Tools/compiler_cxx.py third_party/waf/waflib/Tools/compiler_cxx.py >+index 09fca7e4dc6..42658c5847e 100644 >+--- third_party/waf/waflib/Tools/compiler_cxx.py >++++ third_party/waf/waflib/Tools/compiler_cxx.py >+@@ -37,18 +37,19 @@ from waflib import Utils >+ from waflib.Logs import debug >+ >+ cxx_compiler = { >+-'win32': ['msvc', 'g++', 'clang++'], >+-'cygwin': ['g++', 'clang++'], >+-'darwin': ['clang++', 'g++'], >+-'aix': ['xlc++', 'g++', 'clang++'], >+-'linux': ['g++', 'clang++', 'icpc'], >+-'sunos': ['sunc++', 'g++'], >+-'irix': ['g++'], >+-'hpux': ['g++'], >+-'osf1V': ['g++'], >+-'gnu': ['g++', 'clang++'], >+-'java': ['g++', 'msvc', 'clang++', 'icpc'], >+-'default': ['clang++', 'g++'] >++'win32': ['msvc', 'g++', 'clang++'], >++'cygwin': ['g++', 'clang++'], >++'darwin': ['clang++', 'g++'], >++'aix': ['xlc++', 'g++', 'clang++'], >++'linux': ['g++', 'clang++', 'icpc'], >++'sunos': ['sunc++', 'g++'], >++'irix': ['g++'], >++'hpux': ['g++'], >++'osf1V': ['g++'], >++'gnu': ['g++', 'clang++'], >++'java': ['g++', 'msvc', 'clang++', 'icpc'], >++'gnukfreebsd': ['g++', 'clang++'], >++'default': ['clang++', 'g++'] >+ } >+ """ >+ Dict mapping the platform names to Waf tools finding specific C++ compilers:: >+diff --git third_party/waf/waflib/Tools/python.py third_party/waf/waflib/Tools/python.py >+index 07442561dff..fb641e5e20d 100644 >+--- third_party/waf/waflib/Tools/python.py >++++ third_party/waf/waflib/Tools/python.py >+@@ -416,9 +416,14 @@ def check_python_headers(conf, features='pyembed pyext'): >+ >+ if not result: >+ path = [os.path.join(dct['prefix'], "libs")] >+- conf.to_log("\n\n# try again with -L$prefix/libs, and pythonXY name rather than pythonX.Y (win32)\n") >++ conf.to_log("\n\n# try again with -L$prefix/libs, and pythonXY rather than pythonX.Y (win32)\n") >+ result = conf.check(lib=name, uselib='PYEMBED', libpath=path, mandatory=False, msg='Checking for library %s in $prefix/libs' % name) >+ >++ if not result: >++ path = [os.path.normpath(os.path.join(dct['INCLUDEPY'], '..', 'libs'))] >++ conf.to_log("\n\n# try again with -L$INCLUDEPY/../libs, and pythonXY rather than pythonX.Y (win32)\n") >++ result = conf.check(lib=name, uselib='PYEMBED', libpath=path, mandatory=False, msg='Checking for library %s in $INCLUDEPY/../libs' % name) >++ >+ if result: >+ break # do not forget to set LIBPATH_PYEMBED >+ >+diff --git third_party/waf/waflib/Tools/qt5.py third_party/waf/waflib/Tools/qt5.py >+index 82c83e18c8a..b3e61325e50 100644 >+--- third_party/waf/waflib/Tools/qt5.py >++++ third_party/waf/waflib/Tools/qt5.py >+@@ -783,8 +783,8 @@ def set_qt5_libs_to_check(self): >+ pat = self.env.cxxstlib_PATTERN >+ if Utils.unversioned_sys_platform() == 'darwin': >+ pat = r"%s\.framework" >+- re_qt = re.compile(pat % 'Qt5?(?P<name>\\D+)' + '$') >+- for x in dirlst: >++ re_qt = re.compile(pat % 'Qt5?(?P<name>\\w+)' + '$') >++ for x in sorted(dirlst): >+ m = re_qt.match(x) >+ if m: >+ self.qt5_vars.append("Qt5%s" % m.group('name')) >+diff --git third_party/waf/waflib/Tools/winres.py third_party/waf/waflib/Tools/winres.py >+index 9be1ed66009..73c0e95315b 100644 >+--- third_party/waf/waflib/Tools/winres.py >++++ third_party/waf/waflib/Tools/winres.py >+@@ -4,10 +4,12 @@ >+ >+ "Process *.rc* files for C/C++: X{.rc -> [.res|.rc.o]}" >+ >++import os >+ import re >+ from waflib import Task >+ from waflib.TaskGen import extension >+ from waflib.Tools import c_preproc >++from waflib import Utils >+ >+ @extension('.rc') >+ def rc_file(self, node): >+@@ -61,6 +63,39 @@ class winrc(Task.Task): >+ tmp.start(self.inputs[0], self.env) >+ return (tmp.nodes, tmp.names) >+ >++ def exec_command(self, cmd, **kw): >++ if self.env.WINRC_TGT_F == '/fo': >++ # Since winres include paths may contain spaces, they do not fit in >++ # response files and are best passed as environment variables >++ replace_cmd = [] >++ incpaths = [] >++ while cmd: >++ # filter include path flags >++ flag = cmd.pop(0) >++ if flag.upper().startswith('/I'): >++ if len(flag) == 2: >++ incpaths.append(cmd.pop(0)) >++ else: >++ incpaths.append(flag[2:]) >++ else: >++ replace_cmd.append(flag) >++ cmd = replace_cmd >++ if incpaths: >++ # append to existing environment variables in INCLUDE >++ env = kw['env'] = dict(kw.get('env') or self.env.env or os.environ) >++ pre_includes = env.get('INCLUDE', '') >++ env['INCLUDE'] = pre_includes + os.pathsep + os.pathsep.join(incpaths) >++ >++ return super(winrc, self).exec_command(cmd, **kw) >++ >++ def quote_flag(self, flag): >++ if self.env.WINRC_TGT_F == '/fo': >++ # winres does not support quotes around flags in response files >++ return flag >++ >++ return super(winrc, self).quote_flag(flag) >++ >++ >+ def configure(conf): >+ """ >+ Detects the programs RC or windres, depending on the C/C++ compiler in use >+diff --git third_party/waf/waflib/extras/clang_compilation_database.py third_party/waf/waflib/extras/clang_compilation_database.py >+index 17f66949376..bd29db93fd5 100644 >+--- third_party/waf/waflib/extras/clang_compilation_database.py >++++ third_party/waf/waflib/extras/clang_compilation_database.py >+@@ -126,7 +126,7 @@ def patch_execute(): >+ Invoke clangdb command before build >+ """ >+ if self.cmd.startswith('build'): >+- Scripting.run_command('clangdb') >++ Scripting.run_command(self.cmd.replace('build','clangdb')) >+ >+ old_execute_build(self) >+ >+diff --git third_party/waf/waflib/extras/classic_runner.py third_party/waf/waflib/extras/classic_runner.py >+new file mode 100644 >+index 00000000000..b08c794e880 >+--- /dev/null >++++ third_party/waf/waflib/extras/classic_runner.py >+@@ -0,0 +1,68 @@ >++#!/usr/bin/env python >++# encoding: utf-8 >++# Thomas Nagy, 2021 (ita) >++ >++from waflib import Utils, Runner >++ >++""" >++Re-enable the classic threading system from waf 1.x >++ >++def configure(conf): >++ conf.load('classic_runner') >++""" >++ >++class TaskConsumer(Utils.threading.Thread): >++ """ >++ Task consumers belong to a pool of workers >++ >++ They wait for tasks in the queue and then use ``task.process(...)`` >++ """ >++ def __init__(self, spawner): >++ Utils.threading.Thread.__init__(self) >++ """ >++ Obtain :py:class:`waflib.Task.TaskBase` instances from this queue. >++ """ >++ self.spawner = spawner >++ self.daemon = True >++ self.start() >++ >++ def run(self): >++ """ >++ Loop over the tasks to execute >++ """ >++ try: >++ self.loop() >++ except Exception: >++ pass >++ >++ def loop(self): >++ """ >++ Obtain tasks from :py:attr:`waflib.Runner.TaskConsumer.ready` and call >++ :py:meth:`waflib.Task.TaskBase.process`. If the object is a function, execute it. >++ """ >++ master = self.spawner.master >++ while 1: >++ if not master.stop: >++ try: >++ tsk = master.ready.get() >++ if tsk: >++ tsk.log_display(tsk.generator.bld) >++ master.process_task(tsk) >++ else: >++ break >++ finally: >++ master.out.put(tsk) >++ >++class Spawner(object): >++ """ >++ Daemon thread that consumes tasks from :py:class:`waflib.Runner.Parallel` producer and >++ spawns a consuming thread :py:class:`waflib.Runner.Consumer` for each >++ :py:class:`waflib.Task.Task` instance. >++ """ >++ def __init__(self, master): >++ self.master = master >++ """:py:class:`waflib.Runner.Parallel` producer instance""" >++ >++ self.pool = [TaskConsumer(self) for i in range(master.numjobs)] >++ >++Runner.Spawner = Spawner >+diff --git third_party/waf/waflib/extras/color_gcc.py third_party/waf/waflib/extras/color_gcc.py >+index b68c5ebf2df..09729035fec 100644 >+--- third_party/waf/waflib/extras/color_gcc.py >++++ third_party/waf/waflib/extras/color_gcc.py >+@@ -19,7 +19,7 @@ class ColorGCCFormatter(Logs.formatter): >+ func = frame.f_code.co_name >+ if func == 'exec_command': >+ cmd = frame.f_locals.get('cmd') >+- if isinstance(cmd, list) and ('gcc' in cmd[0] or 'g++' in cmd[0]): >++ if isinstance(cmd, list) and (len(cmd) > 0) and ('gcc' in cmd[0] or 'g++' in cmd[0]): >+ lines = [] >+ for line in rec.msg.splitlines(): >+ if 'warning: ' in line: >+diff --git third_party/waf/waflib/extras/eclipse.py third_party/waf/waflib/extras/eclipse.py >+index bb787416e9f..49ca9686b7b 100644 >+--- third_party/waf/waflib/extras/eclipse.py >++++ third_party/waf/waflib/extras/eclipse.py >+@@ -10,6 +10,9 @@ Usage: >+ def options(opt): >+ opt.load('eclipse') >+ >++To add additional targets beside standard ones (configure, dist, install, check) >++the environment ECLIPSE_EXTRA_TARGETS can be set (ie. to ['test', 'lint', 'docs']) >++ >+ $ waf configure eclipse >+ """ >+ >+@@ -25,6 +28,8 @@ cdt_core = oe_cdt + '.core' >+ cdt_bld = oe_cdt + '.build.core' >+ extbuilder_dir = '.externalToolBuilders' >+ extbuilder_name = 'Waf_Builder.launch' >++settings_dir = '.settings' >++settings_name = 'language.settings.xml' >+ >+ class eclipse(Build.BuildContext): >+ cmd = 'eclipse' >+@@ -131,9 +136,11 @@ class eclipse(Build.BuildContext): >+ path = p.path_from(self.srcnode) >+ >+ if (path.startswith("/")): >+- cpppath.append(path) >++ if path not in cpppath: >++ cpppath.append(path) >+ else: >+- workspace_includes.append(path) >++ if path not in workspace_includes: >++ workspace_includes.append(path) >+ >+ if is_cc and path not in source_dirs: >+ source_dirs.append(path) >+@@ -156,6 +163,61 @@ class eclipse(Build.BuildContext): >+ project = self.impl_create_javaproject(javasrcpath, javalibpath) >+ self.write_conf_to_xml('.classpath', project) >+ >++ # Create editor language settings to have correct standards applied in IDE, as per project configuration >++ try: >++ os.mkdir(settings_dir) >++ except OSError: >++ pass # Ignore if dir already exists >++ >++ lang_settings = Document() >++ project = lang_settings.createElement('project') >++ >++ # Language configurations for C and C++ via cdt >++ if hasc: >++ configuration = self.add(lang_settings, project, 'configuration', >++ {'id' : 'org.eclipse.cdt.core.default.config.1', 'name': 'Default'}) >++ >++ extension = self.add(lang_settings, configuration, 'extension', {'point': 'org.eclipse.cdt.core.LanguageSettingsProvider'}) >++ >++ provider = self.add(lang_settings, extension, 'provider', >++ { 'copy-of': 'extension', >++ 'id': 'org.eclipse.cdt.ui.UserLanguageSettingsProvider'}) >++ >++ provider = self.add(lang_settings, extension, 'provider-reference', >++ { 'id': 'org.eclipse.cdt.core.ReferencedProjectsLanguageSettingsProvider', >++ 'ref': 'shared-provider'}) >++ >++ provider = self.add(lang_settings, extension, 'provider-reference', >++ { 'id': 'org.eclipse.cdt.managedbuilder.core.MBSLanguageSettingsProvider', >++ 'ref': 'shared-provider'}) >++ >++ # C and C++ are kept as separated providers so appropriate flags are used also in mixed projects >++ if self.env.CC: >++ provider = self.add(lang_settings, extension, 'provider', >++ { 'class': 'org.eclipse.cdt.managedbuilder.language.settings.providers.GCCBuiltinSpecsDetector', >++ 'console': 'false', >++ 'id': 'org.eclipse.cdt.managedbuilder.language.settings.providers.GCCBuiltinSpecsDetector.1', >++ 'keep-relative-paths' : 'false', >++ 'name': 'CDT GCC Built-in Compiler Settings', >++ 'parameter': '%s %s ${FLAGS} -E -P -v -dD "${INPUTS}"'%(self.env.CC[0],' '.join(self.env['CFLAGS'])), >++ 'prefer-non-shared': 'true' }) >++ >++ self.add(lang_settings, provider, 'language-scope', { 'id': 'org.eclipse.cdt.core.gcc'}) >++ >++ if self.env.CXX: >++ provider = self.add(lang_settings, extension, 'provider', >++ { 'class': 'org.eclipse.cdt.managedbuilder.language.settings.providers.GCCBuiltinSpecsDetector', >++ 'console': 'false', >++ 'id': 'org.eclipse.cdt.managedbuilder.language.settings.providers.GCCBuiltinSpecsDetector.2', >++ 'keep-relative-paths' : 'false', >++ 'name': 'CDT GCC Built-in Compiler Settings', >++ 'parameter': '%s %s ${FLAGS} -E -P -v -dD "${INPUTS}"'%(self.env.CXX[0],' '.join(self.env['CXXFLAGS'])), >++ 'prefer-non-shared': 'true' }) >++ self.add(lang_settings, provider, 'language-scope', { 'id': 'org.eclipse.cdt.core.g++'}) >++ >++ lang_settings.appendChild(project) >++ self.write_conf_to_xml('%s%s%s'%(settings_dir, os.path.sep, settings_name), lang_settings) >++ >+ def impl_create_project(self, executable, appname, hasc, hasjava, haspython, waf_executable): >+ doc = Document() >+ projectDescription = doc.createElement('projectDescription') >+@@ -341,6 +403,8 @@ class eclipse(Build.BuildContext): >+ addTargetWrap('dist', False) >+ addTargetWrap('install', False) >+ addTargetWrap('check', False) >++ for addTgt in self.env.ECLIPSE_EXTRA_TARGETS or []: >++ addTargetWrap(addTgt, False) >+ >+ storageModule = self.add(doc, cproject, 'storageModule', >+ {'moduleId': 'cdtBuildSystem', >+@@ -348,6 +412,12 @@ class eclipse(Build.BuildContext): >+ >+ self.add(doc, storageModule, 'project', {'id': '%s.null.1'%appname, 'name': appname}) >+ >++ storageModule = self.add(doc, cproject, 'storageModule', >++ {'moduleId': 'org.eclipse.cdt.core.LanguageSettingsProviders'}) >++ >++ storageModule = self.add(doc, cproject, 'storageModule', >++ {'moduleId': 'scannerConfiguration'}) >++ >+ doc.appendChild(cproject) >+ return doc >+ >+diff --git third_party/waf/waflib/extras/gccdeps.py third_party/waf/waflib/extras/gccdeps.py >+index 1fc9373489a..9e9952f2f7d 100644 >+--- third_party/waf/waflib/extras/gccdeps.py >++++ third_party/waf/waflib/extras/gccdeps.py >+@@ -29,13 +29,6 @@ if not c_preproc.go_absolute: >+ # Third-party tools are allowed to add extra names in here with append() >+ supported_compilers = ['gas', 'gcc', 'icc', 'clang'] >+ >+-def scan(self): >+- if not self.__class__.__name__ in self.env.ENABLE_GCCDEPS: >+- return super(self.derived_gccdeps, self).scan() >+- nodes = self.generator.bld.node_deps.get(self.uid(), []) >+- names = [] >+- return (nodes, names) >+- >+ re_o = re.compile(r"\.o$") >+ re_splitter = re.compile(r'(?<!\\)\s+') # split by space, except when spaces are escaped >+ >+@@ -61,28 +54,30 @@ def path_to_node(base_node, path, cached_nodes): >+ else: >+ # Not hashable, assume it is a list and join into a string >+ node_lookup_key = (base_node, os.path.sep.join(path)) >++ >+ try: >+- lock.acquire() >+ node = cached_nodes[node_lookup_key] >+ except KeyError: >+- node = base_node.find_resource(path) >+- cached_nodes[node_lookup_key] = node >+- finally: >+- lock.release() >++ # retry with lock on cache miss >++ with lock: >++ try: >++ node = cached_nodes[node_lookup_key] >++ except KeyError: >++ node = cached_nodes[node_lookup_key] = base_node.find_resource(path) >++ >+ return node >+ >+ def post_run(self): >+ if not self.__class__.__name__ in self.env.ENABLE_GCCDEPS: >+ return super(self.derived_gccdeps, self).post_run() >+ >+- name = self.outputs[0].abspath() >+- name = re_o.sub('.d', name) >++ deps_filename = self.outputs[0].abspath() >++ deps_filename = re_o.sub('.d', deps_filename) >+ try: >+- txt = Utils.readf(name) >++ deps_txt = Utils.readf(deps_filename) >+ except EnvironmentError: >+ Logs.error('Could not find a .d dependency file, are cflags/cxxflags overwritten?') >+ raise >+- #os.remove(name) >+ >+ # Compilers have the choice to either output the file's dependencies >+ # as one large Makefile rule: >+@@ -102,15 +97,16 @@ def post_run(self): >+ # So the first step is to sanitize the input by stripping out the left- >+ # hand side of all these lines. After that, whatever remains are the >+ # implicit dependencies of task.outputs[0] >+- txt = '\n'.join([remove_makefile_rule_lhs(line) for line in txt.splitlines()]) >++ deps_txt = '\n'.join([remove_makefile_rule_lhs(line) for line in deps_txt.splitlines()]) >+ >+ # Now join all the lines together >+- txt = txt.replace('\\\n', '') >++ deps_txt = deps_txt.replace('\\\n', '') >+ >+- val = txt.strip() >+- val = [x.replace('\\ ', ' ') for x in re_splitter.split(val) if x] >++ dep_paths = deps_txt.strip() >++ dep_paths = [x.replace('\\ ', ' ') for x in re_splitter.split(dep_paths) if x] >+ >+- nodes = [] >++ resolved_nodes = [] >++ unresolved_names = [] >+ bld = self.generator.bld >+ >+ # Dynamically bind to the cache >+@@ -119,39 +115,41 @@ def post_run(self): >+ except AttributeError: >+ cached_nodes = bld.cached_nodes = {} >+ >+- for x in val: >++ for path in dep_paths: >+ >+ node = None >+- if os.path.isabs(x): >+- node = path_to_node(bld.root, x, cached_nodes) >++ if os.path.isabs(path): >++ node = path_to_node(bld.root, path, cached_nodes) >+ else: >+ # TODO waf 1.9 - single cwd value >+- path = getattr(bld, 'cwdx', bld.bldnode) >++ base_node = getattr(bld, 'cwdx', bld.bldnode) >+ # when calling find_resource, make sure the path does not contain '..' >+- x = [k for k in Utils.split_path(x) if k and k != '.'] >+- while '..' in x: >+- idx = x.index('..') >++ path = [k for k in Utils.split_path(path) if k and k != '.'] >++ while '..' in path: >++ idx = path.index('..') >+ if idx == 0: >+- x = x[1:] >+- path = path.parent >++ path = path[1:] >++ base_node = base_node.parent >+ else: >+- del x[idx] >+- del x[idx-1] >++ del path[idx] >++ del path[idx-1] >+ >+- node = path_to_node(path, x, cached_nodes) >++ node = path_to_node(base_node, path, cached_nodes) >+ >+ if not node: >+- raise ValueError('could not find %r for %r' % (x, self)) >++ raise ValueError('could not find %r for %r' % (path, self)) >++ >+ if id(node) == id(self.inputs[0]): >+ # ignore the source file, it is already in the dependencies >+ # this way, successful config tests may be retrieved from the cache >+ continue >+- nodes.append(node) >+ >+- Logs.debug('deps: gccdeps for %s returned %s', self, nodes) >++ resolved_nodes.append(node) >+ >+- bld.node_deps[self.uid()] = nodes >+- bld.raw_deps[self.uid()] = [] >++ Logs.debug('deps: gccdeps for %s returned %s', self, resolved_nodes) >++ >++ bld.node_deps[self.uid()] = resolved_nodes >++ bld.raw_deps[self.uid()] = unresolved_names >+ >+ try: >+ del self.cache_sig >+@@ -160,6 +158,14 @@ def post_run(self): >+ >+ Task.Task.post_run(self) >+ >++def scan(self): >++ if not self.__class__.__name__ in self.env.ENABLE_GCCDEPS: >++ return super(self.derived_gccdeps, self).scan() >++ >++ resolved_nodes = self.generator.bld.node_deps.get(self.uid(), []) >++ unresolved_names = [] >++ return (resolved_nodes, unresolved_names) >++ >+ def sig_implicit_deps(self): >+ if not self.__class__.__name__ in self.env.ENABLE_GCCDEPS: >+ return super(self.derived_gccdeps, self).sig_implicit_deps() >+diff --git third_party/waf/waflib/extras/msvcdeps.py third_party/waf/waflib/extras/msvcdeps.py >+index 52985dce058..e8985bde7c7 100644 >+--- third_party/waf/waflib/extras/msvcdeps.py >++++ third_party/waf/waflib/extras/msvcdeps.py >+@@ -32,7 +32,6 @@ from waflib.Tools import c_preproc, c, cxx, msvc >+ from waflib.TaskGen import feature, before_method >+ >+ lock = threading.Lock() >+-nodes = {} # Cache the path -> Node lookup >+ >+ PREPROCESSOR_FLAG = '/showIncludes' >+ INCLUDE_PATTERN = 'Note: including file:' >+@@ -50,23 +49,47 @@ def apply_msvcdeps_flags(taskgen): >+ if taskgen.env.get_flat(flag).find(PREPROCESSOR_FLAG) < 0: >+ taskgen.env.append_value(flag, PREPROCESSOR_FLAG) >+ >++ >++def get_correct_path_case(base_path, path): >++ ''' >++ Return a case-corrected version of ``path`` by searching the filesystem for >++ ``path``, relative to ``base_path``, using the case returned by the filesystem. >++ ''' >++ components = Utils.split_path(path) >++ >++ corrected_path = '' >++ if os.path.isabs(path): >++ corrected_path = components.pop(0).upper() + os.sep >++ >++ for part in components: >++ part = part.lower() >++ search_path = os.path.join(base_path, corrected_path) >++ if part == '..': >++ corrected_path = os.path.join(corrected_path, part) >++ search_path = os.path.normpath(search_path) >++ continue >++ >++ for item in sorted(os.listdir(search_path)): >++ if item.lower() == part: >++ corrected_path = os.path.join(corrected_path, item) >++ break >++ else: >++ raise ValueError("Can't find %r in %r" % (part, search_path)) >++ >++ return corrected_path >++ >++ >+ def path_to_node(base_node, path, cached_nodes): >+ ''' >+ Take the base node and the path and return a node >+ Results are cached because searching the node tree is expensive >+ The following code is executed by threads, it is not safe, so a lock is needed... >+ ''' >+- # normalize the path because ant_glob() does not understand >+- # parent path components (..) >++ # normalize the path to remove parent path components (..) >+ path = os.path.normpath(path) >+ >+ # normalize the path case to increase likelihood of a cache hit >+- path = os.path.normcase(path) >+- >+- # ant_glob interprets [] and () characters, so those must be replaced >+- path = path.replace('[', '?').replace(']', '?').replace('(', '[(]').replace(')', '[)]') >+- >+- node_lookup_key = (base_node, path) >++ node_lookup_key = (base_node, os.path.normcase(path)) >+ >+ try: >+ node = cached_nodes[node_lookup_key] >+@@ -76,8 +99,8 @@ def path_to_node(base_node, path, cached_nodes): >+ try: >+ node = cached_nodes[node_lookup_key] >+ except KeyError: >+- node_list = base_node.ant_glob([path], ignorecase=True, remove=False, quiet=True, regex=False) >+- node = cached_nodes[node_lookup_key] = node_list[0] if node_list else None >++ path = get_correct_path_case(base_node.abspath(), path) >++ node = cached_nodes[node_lookup_key] = base_node.find_node(path) >+ >+ return node >+ >+@@ -89,9 +112,9 @@ def post_run(self): >+ if getattr(self, 'cached', None): >+ return Task.Task.post_run(self) >+ >+- bld = self.generator.bld >+- unresolved_names = [] >+ resolved_nodes = [] >++ unresolved_names = [] >++ bld = self.generator.bld >+ >+ # Dynamically bind to the cache >+ try: >+@@ -124,11 +147,14 @@ def post_run(self): >+ continue >+ >+ if id(node) == id(self.inputs[0]): >+- # Self-dependency >++ # ignore the source file, it is already in the dependencies >++ # this way, successful config tests may be retrieved from the cache >+ continue >+ >+ resolved_nodes.append(node) >+ >++ Logs.debug('deps: msvcdeps for %s returned %s', self, resolved_nodes) >++ >+ bld.node_deps[self.uid()] = resolved_nodes >+ bld.raw_deps[self.uid()] = unresolved_names >+ >+diff --git third_party/waf/waflib/extras/msvs.py third_party/waf/waflib/extras/msvs.py >+index 8aa2db0b751..03b739f849c 100644 >+--- third_party/waf/waflib/extras/msvs.py >++++ third_party/waf/waflib/extras/msvs.py >+@@ -787,8 +787,12 @@ class msvs_generator(BuildContext): >+ self.collect_dirs() >+ default_project = getattr(self, 'default_project', None) >+ def sortfun(x): >+- if x.name == default_project: >++ # folders should sort to the top >++ if getattr(x, 'VS_GUID_SOLUTIONFOLDER', None): >+ return '' >++ # followed by the default project >++ elif x.name == default_project: >++ return ' ' >+ return getattr(x, 'path', None) and x.path.win32path() or x.name >+ self.all_projects.sort(key=sortfun) >+ >+diff --git third_party/waf/waflib/extras/swig.py third_party/waf/waflib/extras/swig.py >+index 740ab46d963..967caeb5a82 100644 >+--- third_party/waf/waflib/extras/swig.py >++++ third_party/waf/waflib/extras/swig.py >+@@ -17,7 +17,7 @@ tasks have to be added dynamically: >+ >+ SWIG_EXTS = ['.swig', '.i'] >+ >+-re_module = re.compile(r'%module(?:\s*\(.*\))?\s+(.+)', re.M) >++re_module = re.compile(r'%module(?:\s*\(.*\))?\s+([^\r\n]+)', re.M) >+ >+ re_1 = re.compile(r'^%module.*?\s+([\w]+)\s*?$', re.M) >+ re_2 = re.compile(r'[#%](?:include|import(?:\(module=".*"\))+|python(?:begin|code)) [<"](.*)[">]', re.M) >+diff --git third_party/waf/waflib/extras/wafcache.py third_party/waf/waflib/extras/wafcache.py >+index cc23fcd6673..2cef46c0e1c 100644 >+--- third_party/waf/waflib/extras/wafcache.py >++++ third_party/waf/waflib/extras/wafcache.py >+@@ -258,6 +258,19 @@ def build(bld): >+ """ >+ Called during the build process to enable file caching >+ """ >++ if WAFCACHE_STATS: >++ # Init counter for statistics and hook to print results at the end >++ bld.cache_reqs = bld.cache_hits = bld.cache_puts = 0 >++ >++ def printstats(bld): >++ hit_ratio = 0 >++ if bld.cache_reqs > 0: >++ hit_ratio = (bld.cache_hits / bld.cache_reqs) * 100 >++ Logs.pprint('CYAN', ' wafcache stats: requests: %s, hits, %s, ratio: %.2f%%, writes %s' % >++ (bld.cache_reqs, bld.cache_hits, hit_ratio, bld.cache_puts) ) >++ >++ bld.add_post_fun(printstats) >++ >+ if process_pool: >+ # already called once >+ return >+@@ -273,19 +286,6 @@ def build(bld): >+ for x in reversed(list(Task.classes.values())): >+ make_cached(x) >+ >+- if WAFCACHE_STATS: >+- # Init counter for statistics and hook to print results at the end >+- bld.cache_reqs = bld.cache_hits = bld.cache_puts = 0 >+- >+- def printstats(bld): >+- hit_ratio = 0 >+- if bld.cache_reqs > 0: >+- hit_ratio = (bld.cache_hits / bld.cache_reqs) * 100 >+- Logs.pprint('CYAN', ' wafcache stats: requests: %s, hits, %s, ratio: %.2f%%, writes %s' % >+- (bld.cache_reqs, bld.cache_hits, hit_ratio, bld.cache_puts) ) >+- >+- bld.add_post_fun(printstats) >+- >+ def cache_command(sig, files_from, files_to): >+ """ >+ Create a command for cache worker processes, returns a pickled >+diff --git third_party/waf/waflib/fixpy2.py third_party/waf/waflib/fixpy2.py >+index 24176e06645..c99bff4b9ae 100644 >+--- third_party/waf/waflib/fixpy2.py >++++ third_party/waf/waflib/fixpy2.py >+@@ -56,7 +56,7 @@ def r1(code): >+ @subst('Runner.py') >+ def r4(code): >+ "generator syntax" >+- return code.replace('next(self.biter)', 'self.biter.next()') >++ return code.replace('next(self.biter)', 'self.biter.next()').replace('self.daemon = True', 'self.setDaemon(1)') >+ >+ @subst('Context.py') >+ def r5(code): >+-- >+2.37.3 >+ >diff --git a/net/samba413/files/patch-waf-2.0.24 b/net/samba413/files/patch-waf-2.0.24 >new file mode 100644 >index 000000000000..2c5c76e6ca3b >--- /dev/null >+++ b/net/samba413/files/patch-waf-2.0.24 >@@ -0,0 +1,164 @@ >+From d19dfe1efb2f6cb0dcf0a63b957df584d8ed5945 Mon Sep 17 00:00:00 2001 >+From: Andreas Schneider <asn@samba.org> >+Date: Mon, 23 May 2022 07:54:06 +0200 >+Subject: [PATCH] third_party: Update waf to version 2.0.24 >+ >+This fixes building of python libraries with Python 3.11! >+ >+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15071 >+ >+Signed-off-by: Andreas Schneider <asn@samba.org> >+Reviewed-by: Stefan Metzmacher <metze@samba.org> >+ >+Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org> >+Autobuild-Date(master): Mon May 23 09:34:51 UTC 2022 on sn-devel-184 >+--- >+ buildtools/bin/waf | 2 +- >+ buildtools/wafsamba/wafsamba.py | 2 +- >+ third_party/waf/waflib/Context.py | 8 ++++---- >+ third_party/waf/waflib/Tools/ccroot.py | 1 + >+ third_party/waf/waflib/Tools/msvc.py | 17 ++++++++++++++++- >+ third_party/waf/waflib/Tools/python.py | 4 ++-- >+ third_party/waf/waflib/Tools/tex.py | 1 + >+ 7 files changed, 26 insertions(+), 9 deletions(-) >+ >+diff --git buildtools/bin/waf buildtools/bin/waf >+index 2001ccdbd8a..d9cba343623 100755 >+--- buildtools/bin/waf >++++ buildtools/bin/waf >+@@ -32,7 +32,7 @@ POSSIBILITY OF SUCH DAMAGE. >+ >+ import os, sys, inspect >+ >+-VERSION="2.0.23" >++VERSION="2.0.24" >+ REVISION="x" >+ GIT="x" >+ INSTALL="x" >+diff --git buildtools/wafsamba/wafsamba.py buildtools/wafsamba/wafsamba.py >+index 4bd4e9f7fe3..79fe8b5e575 100644 >+--- buildtools/wafsamba/wafsamba.py >++++ buildtools/wafsamba/wafsamba.py >+@@ -38,7 +38,7 @@ LIB_PATH="shared" >+ >+ os.environ['PYTHONUNBUFFERED'] = '1' >+ >+-if Context.HEXVERSION not in (0x2001700,): >++if Context.HEXVERSION not in (0x2001800,): >+ Logs.error(''' >+ Please use the version of waf that comes with Samba, not >+ a system installed version. See http://wiki.samba.org/index.php/Waf >+diff --git third_party/waf/waflib/Context.py third_party/waf/waflib/Context.py >+index 36d1ca74fef..4a0130b24a0 100644 >+--- third_party/waf/waflib/Context.py >++++ third_party/waf/waflib/Context.py >+@@ -18,13 +18,13 @@ else: >+ import imp >+ >+ # the following 3 constants are updated on each new release (do not touch) >+-HEXVERSION=0x2001700 >++HEXVERSION=0x2001800 >+ """Constant updated on new releases""" >+ >+-WAFVERSION="2.0.23" >++WAFVERSION="2.0.24" >+ """Constant updated on new releases""" >+ >+-WAFREVISION="cc6b34cf555d354c34f554c41206134072588de7" >++WAFREVISION="1af97c71f5a6756abf36d0f78ed8fd551596d7cb" >+ """Git revision when the waf version is updated""" >+ >+ WAFNAME="waf" >+@@ -144,7 +144,7 @@ class Context(ctx): >+ :type fun: string >+ >+ .. inheritance-diagram:: waflib.Context.Context waflib.Build.BuildContext waflib.Build.InstallContext waflib.Build.UninstallContext waflib.Build.StepContext waflib.Build.ListContext waflib.Configure.ConfigurationContext waflib.Scripting.Dist waflib.Scripting.DistCheck waflib.Build.CleanContext >+- >++ :top-classes: waflib.Context.Context >+ """ >+ >+ errors = Errors >+diff --git third_party/waf/waflib/Tools/ccroot.py third_party/waf/waflib/Tools/ccroot.py >+index 579d5b2b72b..76deff54dcb 100644 >+--- third_party/waf/waflib/Tools/ccroot.py >++++ third_party/waf/waflib/Tools/ccroot.py >+@@ -128,6 +128,7 @@ class link_task(Task.Task): >+ Base class for all link tasks. A task generator is supposed to have at most one link task bound in the attribute *link_task*. See :py:func:`waflib.Tools.ccroot.apply_link`. >+ >+ .. inheritance-diagram:: waflib.Tools.ccroot.stlink_task waflib.Tools.c.cprogram waflib.Tools.c.cshlib waflib.Tools.cxx.cxxstlib waflib.Tools.cxx.cxxprogram waflib.Tools.cxx.cxxshlib waflib.Tools.d.dprogram waflib.Tools.d.dshlib waflib.Tools.d.dstlib waflib.Tools.ccroot.fake_shlib waflib.Tools.ccroot.fake_stlib waflib.Tools.asm.asmprogram waflib.Tools.asm.asmshlib waflib.Tools.asm.asmstlib >++ :top-classes: waflib.Tools.ccroot.link_task >+ """ >+ color = 'YELLOW' >+ >+diff --git third_party/waf/waflib/Tools/msvc.py third_party/waf/waflib/Tools/msvc.py >+index 0c4703aaee9..026a4c7fc48 100644 >+--- third_party/waf/waflib/Tools/msvc.py >++++ third_party/waf/waflib/Tools/msvc.py >+@@ -109,6 +109,21 @@ def options(opt): >+ opt.add_option('--msvc_targets', type='string', help = 'msvc targets, eg: "x64,arm"', default='') >+ opt.add_option('--no-msvc-lazy', action='store_false', help = 'lazily check msvc target environments', default=True, dest='msvc_lazy') >+ >++class MSVCVersion(object): >++ def __init__(self, ver): >++ m = re.search('^(.*)\s+(\d+[.]\d+)', ver) >++ if m: >++ self.name = m.group(1) >++ self.number = float(m.group(2)) >++ else: >++ self.name = ver >++ self.number = 0. >++ >++ def __lt__(self, other): >++ if self.number == other.number: >++ return self.name < other.name >++ return self.number < other.number >++ >+ @conf >+ def setup_msvc(conf, versiondict): >+ """ >+@@ -125,7 +140,7 @@ def setup_msvc(conf, versiondict): >+ platforms=Utils.to_list(conf.env.MSVC_TARGETS) or [i for i,j in all_msvc_platforms+all_icl_platforms+all_wince_platforms] >+ desired_versions = getattr(Options.options, 'msvc_version', '').split(',') >+ if desired_versions == ['']: >+- desired_versions = conf.env.MSVC_VERSIONS or list(reversed(sorted(versiondict.keys()))) >++ desired_versions = conf.env.MSVC_VERSIONS or list(sorted(versiondict.keys(), key=MSVCVersion, reverse=True)) >+ >+ # Override lazy detection by evaluating after the fact. >+ lazy_detect = getattr(Options.options, 'msvc_lazy', True) >+diff --git third_party/waf/waflib/Tools/python.py third_party/waf/waflib/Tools/python.py >+index fb641e5e20d..a23bd019335 100644 >+--- third_party/waf/waflib/Tools/python.py >++++ third_party/waf/waflib/Tools/python.py >+@@ -315,7 +315,7 @@ def check_python_headers(conf, features='pyembed pyext'): >+ conf.fatal('Could not find the python executable') >+ >+ # so we actually do all this for compatibility reasons and for obtaining pyext_PATTERN below >+- v = 'prefix SO LDFLAGS LIBDIR LIBPL INCLUDEPY Py_ENABLE_SHARED MACOSX_DEPLOYMENT_TARGET LDSHARED CFLAGS LDVERSION'.split() >++ v = 'prefix SO EXT_SUFFIX LDFLAGS LIBDIR LIBPL INCLUDEPY Py_ENABLE_SHARED MACOSX_DEPLOYMENT_TARGET LDSHARED CFLAGS LDVERSION'.split() >+ try: >+ lst = conf.get_python_variables(["get_config_var('%s') or ''" % x for x in v]) >+ except RuntimeError: >+@@ -328,7 +328,7 @@ def check_python_headers(conf, features='pyembed pyext'): >+ x = 'MACOSX_DEPLOYMENT_TARGET' >+ if dct[x]: >+ env[x] = conf.environ[x] = str(dct[x]) >+- env.pyext_PATTERN = '%s' + dct['SO'] # not a mistake >++ env.pyext_PATTERN = '%s' + (dct['EXT_SUFFIX'] or dct['SO']) # SO is deprecated in 3.5 and removed in 3.11 >+ >+ >+ # Try to get pythonX.Y-config >+diff --git third_party/waf/waflib/Tools/tex.py third_party/waf/waflib/Tools/tex.py >+index eaf9fdb5802..b4792c3fe87 100644 >+--- third_party/waf/waflib/Tools/tex.py >++++ third_party/waf/waflib/Tools/tex.py >+@@ -90,6 +90,7 @@ class tex(Task.Task): >+ Compiles a tex/latex file. >+ >+ .. inheritance-diagram:: waflib.Tools.tex.latex waflib.Tools.tex.xelatex waflib.Tools.tex.pdflatex >++ :top-classes: waflib.Tools.tex.tex >+ """ >+ >+ bibtex_fun, _ = Task.compile_fun('${BIBTEX} ${BIBTEXFLAGS} ${SRCFILE}', shell=False) >+-- >+2.37.3 >+ >diff --git a/net/samba413/pkg-plist.ad_dc b/net/samba413/pkg-plist.ad_dc >index 13dbcc536782..b7c8a91fbba4 100644 >--- a/net/samba413/pkg-plist.ad_dc >+++ b/net/samba413/pkg-plist.ad_dc >@@ -5,7 +5,6 @@ sbin/samba_dnsupdate > sbin/samba_kcc > sbin/samba_spnupdate > sbin/samba_upgradedns >-sbin/samba-gpupdate > include/samba4/dcerpc_server.h > lib/samba4/libdcerpc-server.so > lib/samba4/libdcerpc-server.so.0 >@@ -172,4 +171,3 @@ lib/samba4/private/libscavenge-dns-records-samba4.so > @dir %%DATADIR%%/setup/ad-schema > @dir %%DATADIR%%/setup > @dir %%DATADIR%% >-man/man8/samba-gpupdate.8.gz >diff --git a/net/samba413/pkg-plist.python b/net/samba413/pkg-plist.python >index c931ab22f63e..6de93c2891d0 100644 >--- a/net/samba413/pkg-plist.python >+++ b/net/samba413/pkg-plist.python >@@ -1,5 +1,7 @@ > bin/smbtorture >+sbin/samba-gpupdate > man/man1/smbtorture.1.gz >+man/man8/samba-gpupdate.8.gz > include/samba4/policy.h > lib/samba4/libsamba-policy%%PYTHON_EXT_SUFFIX%%.so > lib/samba4/libsamba-policy%%PYTHON_EXT_SUFFIX%%.so.0 >@@ -258,6 +260,7 @@ lib/samba4/private/libsamba-python%%PYTHON_EXT_SUFFIX%%-samba4.so > %%PYTHON_SITELIBDIR%%/samba/tests/krb5/kdc_base_test.py > %%PYTHON_SITELIBDIR%%/samba/tests/krb5/kdc_tests.py > %%PYTHON_SITELIBDIR%%/samba/tests/krb5/kdc_tgs_tests.py >+%%PYTHON_SITELIBDIR%%/samba/tests/krb5/kpasswd_tests.py > %%PYTHON_SITELIBDIR%%/samba/tests/krb5/ms_kile_client_principal_lookup_tests.py > %%PYTHON_SITELIBDIR%%/samba/tests/krb5/raw_testcase.py > %%PYTHON_SITELIBDIR%%/samba/tests/krb5/rfc4120_constants.py >-- >2.37.3 >
<b>You cannot view the attachment while viewing its details because your browser does not support IFRAMEs. <a href="attachment.cgi?id=236856">View the attachment on a separate page</a>.</b>
View Attachment As Diff
View Attachment As Raw
Actions:
View
|
Diff
Attachments on
bug 266641
: 236856