import gssntlmssp-1.2.0-1.el8_8

edit changelog for import gssntlmssp-0.7.0-6.el8
5 changed files with 56 additions and 164 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1 +1 @@
-SOURCES/gssntlmssp-0.7.0.tar.gz
+SOURCES/gssntlmssp-1.2.0.tar.gz
--- a/.gssntlmssp.metadata
+++ b/.gssntlmssp.metadata
@ -1 +1 @@
-c8145411a1a40224a6d22acb45a8059dacaf8044 SOURCES/gssntlmssp-0.7.0.tar.gz
+55975d0d64ae40cddca12732eaa1227991aeb037 SOURCES/gssntlmssp-1.2.0.tar.gz
--- a/SOURCES/0001-Add-compatibility-with-OpenSSL-1.1.0.patch
+++ b/SOURCES/0001-Add-compatibility-with-OpenSSL-1.1.0.patch
@ -1,149 +0,0 @@
 From e498737a96e8832a2cb9141ab1fe51e129185a48 Mon Sep 17 00:00:00 2001
 From: Simo Sorce <simo@redhat.com>
 Date: Wed, 29 Jun 2016 11:15:11 -0400
 Subject: [PATCH] Add compatibility with OpenSSL 1.1.0
 In their continued wisdom OpenSSL developers keep breaking APIs left and right
 with very poor documentation and forward/backward source compatibility.
 Signed-off-by: Simo Sorce <simo@redhat.com>
 ---
 src/crypto.c | 60 ++++++++++++++++++++++++++++++++++++++++++++++++------------
 1 file changed, 48 insertions(+), 12 deletions(-)
 diff --git a/src/crypto.c b/src/crypto.c
 index 9fe69f97cfe9a4c1c9a5fb1861fef3fdfb8ae596..33a0c3e9060df0fa14784e869b5edce2f462b238 100644
 --- a/src/crypto.c
 +++ b/src/crypto.c
@@ -27,6 +27,32 @@
 #include "crypto.h"
 +#if OPENSSL_VERSION_NUMBER < 0x10100000L
 +HMAC_CTX *HMAC_CTX_new(void)
 +{
 +    HMAC_CTX *ctx;
 +
 +    ctx = OPENSSL_malloc(sizeof(HMAC_CTX));
 +    if (!ctx) return NULL;
 +
 +    HMAC_CTX_init(ctx);
 +
 +    return ctx;
 +}
 +
 +void HMAC_CTX_free(HMAC_CTX *ctx)
 +{
 +    if (ctx == NULL) return;
 +
 +    HMAC_CTX_cleanup(ctx);
 +    OPENSSL_free(ctx);
 +}
 +
 +#define EVP_MD_CTX_new EVP_MD_CTX_create
 +#define EVP_MD_CTX_free EVP_MD_CTX_destroy
 +
 +#endif
 +
 int RAND_BUFFER(struct ntlm_buffer *random)
 {
     int ret;
@@ -42,30 +68,34 @@ int HMAC_MD5_IOV(struct ntlm_buffer *key,
                  struct ntlm_iov *iov,
                  struct ntlm_buffer *result)
 {
 -    HMAC_CTX hmac_ctx;
 +    HMAC_CTX *hmac_ctx;
     unsigned int len;
     size_t i;
     int ret = 0;
     if (result->length != 16) return EINVAL;
 -    HMAC_CTX_init(&hmac_ctx);
 +    hmac_ctx = HMAC_CTX_new();
 +    if (!hmac_ctx) {
 +        ret = ERR_CRYPTO;
 +        goto done;
 +    }
 -    ret = HMAC_Init_ex(&hmac_ctx, key->data, key->length, EVP_md5(), NULL);
 +    ret = HMAC_Init_ex(hmac_ctx, key->data, key->length, EVP_md5(), NULL);
     if (ret == 0) {
         ret = ERR_CRYPTO;
         goto done;
     }
     for (i = 0; i < iov->num; i++) {
 -        ret = HMAC_Update(&hmac_ctx, iov->data[i]->data, iov->data[i]->length);
 +        ret = HMAC_Update(hmac_ctx, iov->data[i]->data, iov->data[i]->length);
         if (ret == 0) {
             ret = ERR_CRYPTO;
             goto done;
         }
     }
 -    ret = HMAC_Final(&hmac_ctx, result->data, &len);
 +    ret = HMAC_Final(hmac_ctx, result->data, &len);
     if (ret == 0) {
         ret = ERR_CRYPTO;
         goto done;
@@ -74,7 +104,7 @@ int HMAC_MD5_IOV(struct ntlm_buffer *key,
     ret = 0;
 done:
 -    HMAC_CTX_cleanup(&hmac_ctx);
 +    HMAC_CTX_free(hmac_ctx);
     return ret;
 }
@@ -93,26 +123,32 @@ static int mdx_hash(const EVP_MD *type,
                     struct ntlm_buffer *payload,
                     struct ntlm_buffer *result)
 {
 -    EVP_MD_CTX ctx;
 +    EVP_MD_CTX *ctx;
     unsigned int len;
     int ret;
     if (result->length != 16) return EINVAL;
 -    EVP_MD_CTX_init(&ctx);
 -    ret = EVP_DigestInit_ex(&ctx, type, NULL);
 +    ctx = EVP_MD_CTX_new();
 +    if (!ctx) {
 +        ret = ERR_CRYPTO;
 +        goto done;
 +    }
 +
 +    EVP_MD_CTX_init(ctx);
 +    ret = EVP_DigestInit_ex(ctx, type, NULL);
     if (ret == 0) {
         ret = ERR_CRYPTO;
         goto done;
     }
 -    ret = EVP_DigestUpdate(&ctx, payload->data, payload->length);
 +    ret = EVP_DigestUpdate(ctx, payload->data, payload->length);
     if (ret == 0) {
         ret = ERR_CRYPTO;
         goto done;
     }
 -    ret = EVP_DigestFinal_ex(&ctx, result->data, &len);
 +    ret = EVP_DigestFinal_ex(ctx, result->data, &len);
     if (ret == 0) {
         ret = ERR_CRYPTO;
         goto done;
@@ -121,7 +157,7 @@ static int mdx_hash(const EVP_MD *type,
     ret = 0;
 done:
 -    EVP_MD_CTX_cleanup(&ctx);
 +    if (ctx) EVP_MD_CTX_free(ctx);
     return ret;
 }
 -- 
 2.9.3
--- a/SOURCES/0001-Fix-potential-crash-when-no-target-name-is-present.patch
+++ b/SOURCES/0001-Fix-potential-crash-when-no-target-name-is-present.patch
@ -0,0 +1,28 @@
 From ddab884bf3a2de76c26559e962919e1145040f11 Mon Sep 17 00:00:00 2001
 From: Simo Sorce <simo@redhat.com>
 Date: Fri, 17 Mar 2023 09:08:13 -0400
 Subject: [PATCH] Fix potential crash when no target name is present
 Signed-off-by: Simo Sorce <simo@redhat.com>
 ---
 src/ntlm.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
 diff --git a/src/ntlm.c b/src/ntlm.c
 index 0f71bfd..60a0787 100644
 --- a/src/ntlm.c
 +++ b/src/ntlm.c
@@ -325,7 +325,9 @@ done:
         safefree(out);
     } else {
         /* make sure to terminate output string */
 -        out[outlen] = '\0';
 +        if (out) {
 +            out[outlen] = '\0';
 +        }
     }
     *str = out;
 -- 
 2.39.2
--- a/SPECS/gssntlmssp.spec
+++ b/SPECS/gssntlmssp.spec
@ -1,16 +1,16 @@
-Name:		gssntlmssp
+Name:           gssntlmssp
-Version:	0.7.0
+Version:        1.2.0
-Release:	6%{?dist}
+Release:        1%{?dist}
-Summary:	GSSAPI NTLMSSP Mechanism
+Summary:        GSSAPI NTLMSSP Mechanism
-Group:		System Environment/Libraries
+Group:          System Environment/Libraries
-License:	LGPLv3+
+License:        LGPLv3+
-URL:		https://fedorahosted.org/gss-ntlmssp
+URL:            https://github.com/gssapi/gss-ntlmssp
-Source0:        https://fedorahosted.org/released/gss-ntlmssp/%{name}-%{version}.tar.gz
+Source0:        https://github.com/gssapi/gss-ntlmssp/releases/download/v%{version}/%{name}-%{version}.tar.gz
-Patch01: 0001-Add-compatibility-with-OpenSSL-1.1.0.patch
+Patch01: 0001-Fix-potential-crash-when-no-target-name-is-present.patch
-Requires: krb5-libs%{?_isa} >= 1.12.1-9
+Requires: krb5-libs%{?_isa} >= 1.18.2-22
 BuildRequires: autoconf
 BuildRequires: automake
@ -22,10 +22,12 @@ BuildRequires: docbook-style-xsl
 BuildRequires: doxygen
 BuildRequires: gettext-devel
 BuildRequires: pkgconfig
-BuildRequires: krb5-devel >= 1.11.2
+BuildRequires: krb5-devel >= 1.18.2-22
 BuildRequires: libunistring-devel
 BuildRequires: openssl-devel
 BuildRequires: pkgconfig(wbclient)
 BuildRequires: zlib-devel
 BuildRequires: make
 %description
 A GSSAPI Mechanism that implements NTLMSSP
@ -40,8 +42,7 @@ Adds a header file with definition for custom GSSAPI extensions for NTLMSSP
 %prep
-%setup -q
+%autosetup -S git
 %patch01 -p1
 %build
 autoreconf -fiv
@ -72,6 +73,18 @@ make test_gssntlmssp
 %{_includedir}/gssapi/gssapi_ntlmssp.h
 %changelog
 * Tue Jul 25 2023 MSVSphere Packaging Team <packager@msvsphere.ru> - 1.2.0-1
 - Rebuilt for MSVSphere 8.8
 * Thu Mar 23 2023 Julien Rische <jrische@redhat.com> - 1.2.0-1
 - New release 1.2.0
 - Fix CVE-2023-25563: multiple out-of-bounds read when decoding NTLM fields
 - Fix CVE-2023-25564: memory corruption when decoding UTF16 strings
 - Fix CVE-2023-25565: incorrect free when decoding target information
 - Fix CVE-2023-25566: memory leak when parsing usernames
 - Fix CVE-2023-25567: out-of-bounds read when decoding target information
 - Resolves: rhbz#2181313
 * Wed Feb 07 2018 Fedora Release Engineering <releng@fedoraproject.org> - 0.7.0-6
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
Author	SHA1	Message	Date
MSVSphere Packaging Team	064c41dd70	import gssntlmssp-1.2.0-1.el8_8	1 year ago
MSVSphere Packaging Team	b43312c2b2	edit changelog for import gssntlmssp-0.7.0-6.el8	2 years ago
`@ -1 +1 @@`
	`SOURCES/gssntlmssp-0.7.0.tar.gz`	`SOURCES/gssntlmssp-1.2.0.tar.gz`
`@ -1 +1 @@`
	`c8145411a1a40224a6d22acb45a8059dacaf8044 SOURCES/gssntlmssp-0.7.0.tar.gz`	`55975d0d64ae40cddca12732eaa1227991aeb037 SOURCES/gssntlmssp-1.2.0.tar.gz`