build: Add build time detection for the MIT FAST ccache API This will allow us to link against an older system Heimdal. Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
wscript: Refer to correct ConfigSet variable LIB_GSSAPI appears to be an error of copy-and-pasting. Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Autobuild-User(master): Andrew Bartlett <abartlet@samba.org> Autobuild-Date(master): Wed Aug 30 03:15:05 UTC 2023 on atb-devel-224
wscript: Remove semicolons Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
krb5: Increase the minimum MIT Krb5 version to 1.21 This is the version we test with in CI after the image update in the next commit. This addresses the issues that were fixed in CVE-2022-37967 (KrbtgtFullPacSignature) and ensures that Samba builds against the MIT version that allows us to avoid that attack. The hooks to allow these expectations to be disabled in the tests are kept for now, to allow this to be reverted or to test older servers. With MIT 1.21 as the new test standard for the MIT KDC build we update the knownfail_mit_kdc - this was required regardless after the CI image update. Any update to the CI image, even an unrelated one, brings in a new MIT Krb5, version 1.21-3 in this case. This has new behaviour that needs to be noted in the knownfail files or else the tests, which haven't changed, will fail and pipelines won't pass. (The image generated by the earlier bootstrap commit brought in krb5-1.21-2 which was buggy with CVE-2023-39975) Further tweaks to tests or the server should reduce the number of knownfail entries, but this keeps the pipelines passing for now. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15231 Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
krb5_wrap: add krb5_free_string() Signed-off-by: Pavel Filipenský <pfilipensky@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
krb5_wrap: add krb5_free_enctypes() MIT Kerberos implements krb5_free_enctypes(), Heimdal is missing it and offers krb5_xfree() instead. This introduces a wrapper krb5_free_enctypes() around krb5_xfree() for Heimdal. Signed-off-by: Pavel Filipenský <pfilipensky@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
wscript: Fix code spelling Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
CVE-2022-37966 system_mitkrb5: require support for aes enctypes This will never fail as we already require a version that supports aes, but this makes it clearer. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
s4:mitkdc: Add support for MIT Kerberos 1.20 This also addresses CVE-2020-17049. MIT Kerberos 1.20 is in pre-release state at the time of writing this commit. It will be released in autumn 2022. We need to support MIT Kerberos 1.19 till enough distributions have been released with MIT Kerberos 1.20. Pair-Programmed-With: Robbie Harwood <rharwood@redhat.com> Signed-off-by: Andreas Schneider <asn@samba.org> Signed-off-by: Robbie Harwood <rharwood@redhat.com> Reviewed-by: Stefan Metzmacher <metze@samba.org>
selftest: More tests are passing with MIT KRB5 >= 1.20 Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
waf:mitkrb5: Always define lib so we get the header include path If you have libkrb5 in a non-standard include path, we would not check the latest version but search default paths (e.g. /usr/include) first. Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
waf:mitkrb5: Fix MIT KRB5 detection if not in default system location Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
waf:mitkrb5: Detect com_err with pkgconfig first It is needed as a dependency later! Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
build: Move minimum MIT krb5 version to 1.19 to align with what is tested This avoids shipping untested code and aligns with the version used in GitLab CI for all the MIT builds. The "bronze bit" (CVE-2020-17049) security fixes will need a new MIT KDB version in any case, this prepares the ground by removing the older version support. (knownfail_mit_kdc updates taken from a patch by Andreas Schneider <asn@samba.org> that did this optionally) Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
heimdal_build: Provide C defines showing which Kerberos library is in use Squashed from patches by Stefan Metzmacher as part of his Heimdal update branch Signed-off-by: Andrew Bartlett <abartlet@samba.org> Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
Fix uxsuccess test with new MIT krb5 library 1.18 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14155 Signed-off-by: Isaac Boukris <iboukris@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org> Reviewed-by: Guenther Deschner <gd@samba.org>
krb5-wrap: deal with different krb5_trace_info struct flavors (earlier MIT krb5 releases) BUG: https://bugzilla.samba.org/show_bug.cgi?id=14252 Guenther Signed-off-by: Guenther Deschner <gd@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org> Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org> Autobuild-Date(master): Fri Jan 24 20:38:53 UTC 2020 on sn-devel-184
wscript_configure_system_mitkrb5: reject a system heimdal krb5-config Review with: git show -w Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org> Autobuild-User(master): Stefan Metzmacher <metze@samba.org> Autobuild-Date(master): Thu Dec 6 16:53:33 CET 2018 on sn-devel-144
wscript_configure_system_mitkrb5: update to handle waf 2.0.4 Signed-off-by: Alexander Bokovoy <ab@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
build:wafsamba: Remove unnecessary parameters to cmd_and_log Signed-off-by: Thomas Nagy <tnagy@waf.io> Reviewed-by: Alexander Bokovoy <ab@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>