Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package gssntlmssp for openSUSE:Factory checked in at 2026-04-16 17:25:48 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/gssntlmssp (Old) and /work/SRC/openSUSE:Factory/.gssntlmssp.new.11940 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "gssntlmssp" Thu Apr 16 17:25:48 2026 rev:3 rq:1347161 version:1.3.1 Changes: -------- --- /work/SRC/openSUSE:Factory/gssntlmssp/gssntlmssp.changes 2023-02-16 16:55:48.498689811 +0100 +++ /work/SRC/openSUSE:Factory/.gssntlmssp.new.11940/gssntlmssp.changes 2026-04-16 17:26:13.097575700 +0200 @@ -1,0 +2,12 @@ +Wed Apr 15 17:38:02 UTC 2026 - Martin Hauke <[email protected]> + +- Update to version 1.3.1 + * Make sending only filled MsvAvFlags field for CHALLENGE message +- Update to version 1.3.0 + * Fix typo in header guard for src/ntlm.h + * Fix crash in target_name decoding. + * Mark defined numbers as unsigned. + * BF: libiconv does not support undashed unicode encoding aliases + * Change the ossl3 context to be allocated once. + +------------------------------------------------------------------- Old: ---- gssntlmssp-1.2.0.tar.gz New: ---- gssntlmssp-1.3.1.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ gssntlmssp.spec ++++++ --- /var/tmp/diff_new_pack.Gh6DmD/_old 2026-04-16 17:26:13.753602696 +0200 +++ /var/tmp/diff_new_pack.Gh6DmD/_new 2026-04-16 17:26:13.757602861 +0200 @@ -1,7 +1,7 @@ # # spec file for package gssntlmssp # -# Copyright (c) 2023 SUSE LLC +# Copyright (c) 2026 SUSE LLC and contributors # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -17,7 +17,7 @@ Name: gssntlmssp -Version: 1.2.0 +Version: 1.3.1 Release: 0 Summary: GSSAPI NTLMSSP Mechanism License: ISC ++++++ gssntlmssp-1.2.0.tar.gz -> gssntlmssp-1.3.1.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/gss-ntlmssp-1.2.0/.github/workflows/ccpp.yml new/gss-ntlmssp-1.3.1/.github/workflows/ccpp.yml --- old/gss-ntlmssp-1.2.0/.github/workflows/ccpp.yml 2023-02-12 17:11:03.000000000 +0100 +++ new/gss-ntlmssp-1.3.1/.github/workflows/ccpp.yml 2024-02-27 14:28:41.000000000 +0100 @@ -42,7 +42,7 @@ elif command -v pacman; then pacman -Sy --noconfirm automake autoconf docbook-xml docbook-xsl doxygen libtool libxslt gcc libxml2 m4 make zlib fi - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: autoreconf run: autoreconf -fi - name: configure @@ -57,8 +57,8 @@ - name: make check run: make check - name: Upload logs - uses: actions/upload-artifact@v1 + uses: actions/upload-artifact@v3 if: failure() with: - name: testlogs + name: testlogs ${{ matrix.container }} path: test-suite.log diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/gss-ntlmssp-1.2.0/src/crypto.c new/gss-ntlmssp-1.3.1/src/crypto.c --- old/gss-ntlmssp-1.2.0/src/crypto.c 2023-02-12 17:11:03.000000000 +0100 +++ new/gss-ntlmssp-1.3.1/src/crypto.c 2024-02-27 14:28:41.000000000 +0100 @@ -98,15 +98,18 @@ OSSL_PROVIDER *default_provider; } ossl3_context_t; -static ossl3_context_t *init_ossl3_ctx() +static pthread_once_t global_ossl3_ctx_init = PTHREAD_ONCE_INIT; +static ossl3_context_t *global_ossl3_ctx = NULL; + +static void init_global_ossl3_ctx(void) { ossl3_context_t *ctx = OPENSSL_malloc(sizeof(ossl3_context_t)); - if (!ctx) return NULL; + if (!ctx) return; ctx->libctx = OSSL_LIB_CTX_new(); if (!ctx->libctx) { OPENSSL_free(ctx); - return NULL; + return; } /* Load both legacy and default provider as both may be needed */ @@ -114,11 +117,25 @@ * fetch the cipher later */ ctx->legacy_provider = OSSL_PROVIDER_load(ctx->libctx, "legacy"); ctx->default_provider = OSSL_PROVIDER_load(ctx->libctx, "default"); - return ctx; + global_ossl3_ctx = ctx; +} + +static ossl3_context_t *get_ossl3_ctx() +{ + int ret; + + ret = pthread_once(&global_ossl3_ctx_init, init_global_ossl3_ctx); + if (ret != 0) { + return NULL; + } + + return global_ossl3_ctx; } -static void free_ossl3_ctx(ossl3_context_t *ctx) +__attribute__((destructor)) +static void free_ossl3_ctx() { + ossl3_context_t *ctx = global_ossl3_ctx; if (ctx == NULL) return; if (ctx->legacy_provider) OSSL_PROVIDER_unload(ctx->legacy_provider); if (ctx->default_provider) OSSL_PROVIDER_unload(ctx->default_provider); @@ -178,7 +195,7 @@ EVP_MD *md; int ret; - ossl3_ctx = init_ossl3_ctx(); + ossl3_ctx = get_ossl3_ctx(); if (ossl3_ctx == NULL) { ret = ERR_CRYPTO; goto done; @@ -193,7 +210,6 @@ ret = mdx_hash(md, payload, result); done: - free_ossl3_ctx(ossl3_ctx); return ret; #else return mdx_hash(EVP_md4(), payload, result); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/gss-ntlmssp-1.2.0/src/gss_sec_ctx.c new/gss-ntlmssp-1.3.1/src/gss_sec_ctx.c --- old/gss-ntlmssp-1.2.0/src/gss_sec_ctx.c 2023-02-12 17:11:03.000000000 +0100 +++ new/gss-ntlmssp-1.3.1/src/gss_sec_ctx.c 2024-02-27 14:28:41.000000000 +0100 @@ -756,7 +756,8 @@ nb_domain_name, server_name->data.server.name, NULL, NULL, - &av_flags, ×tamp, + av_flags ? &av_flags : NULL, /* don't include empty MsvAvFlags */ + ×tamp, NULL, server_name->data.server.spn, NULL, diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/gss-ntlmssp-1.2.0/src/ntlm.c new/gss-ntlmssp-1.3.1/src/ntlm.c --- old/gss-ntlmssp-1.2.0/src/ntlm.c 2023-02-12 17:11:03.000000000 +0100 +++ new/gss-ntlmssp-1.3.1/src/ntlm.c 2024-02-27 14:28:41.000000000 +0100 @@ -78,12 +78,12 @@ _ctx = calloc(1, sizeof(struct ntlm_ctx)); if (!_ctx) return ENOMEM; - _ctx->from_oem = iconv_open("UTF16LE", "UTF-8"); + _ctx->from_oem = iconv_open("UTF-16LE", "UTF-8"); if (_ctx->from_oem == (iconv_t) -1) { ret = errno; } - _ctx->to_oem = iconv_open("UTF-8", "UTF16LE"); + _ctx->to_oem = iconv_open("UTF-8", "UTF-16LE"); if (_ctx->to_oem == (iconv_t) -1) { iconv_close(_ctx->from_oem); ret = errno; @@ -325,7 +325,9 @@ safefree(out); } else { /* make sure to terminate output string */ - out[outlen] = '\0'; + if (out) { + out[outlen] = '\0'; + } } *str = out; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/gss-ntlmssp-1.2.0/src/ntlm.h new/gss-ntlmssp-1.3.1/src/ntlm.h --- old/gss-ntlmssp-1.2.0/src/ntlm.h 2023-02-12 17:11:03.000000000 +0100 +++ new/gss-ntlmssp-1.3.1/src/ntlm.h 2024-02-27 14:28:41.000000000 +0100 @@ -1,45 +1,45 @@ /* Copyright 2013 Simo Sorce <[email protected]>, see COPYING for license */ #ifndef _NTLM_H_ -#define _NTLM_H +#define _NTLM_H_ #include <stdbool.h> #include "ntlm_common.h" /* Negotiate Flags */ -#define NTLMSSP_NEGOTIATE_56 (1 << 31) -#define NTLMSSP_NEGOTIATE_KEY_EXCH (1 << 30) -#define NTLMSSP_NEGOTIATE_128 (1 << 29) -#define UNUSED_R1 (1 << 28) -#define UNUSED_R2 (1 << 27) -#define UNUSED_R3 (1 << 26) -#define NTLMSSP_NEGOTIATE_VERSION (1 << 25) -#define UNUSED_R4 (1 << 24) -#define NTLMSSP_NEGOTIATE_TARGET_INFO (1 << 23) -#define NTLMSSP_REQUEST_NON_NT_SESSION_KEY (1 << 22) -#define UNUSED_R5 /* Davenport: NEGOTIATE_ACCEPT */ (1 << 21) -#define NTLMSSP_NEGOTIATE_IDENTIFY (1 << 20) -#define NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY (1 << 19) -#define UNUSED_R6 /* Davenport:TARGET_TYPE_SHARE */ (1 << 18) -#define NTLMSSP_TARGET_TYPE_SERVER (1 << 17) -#define NTLMSSP_TARGET_TYPE_DOMAIN (1 << 16) -#define NTLMSSP_NEGOTIATE_ALWAYS_SIGN (1 << 15) -#define UNUSED_R7 /* Davenport:LOCAL_CALL */ (1 << 14) -#define NTLMSSP_NEGOTIATE_OEM_WORKSTATION_SUPPLIED (1 << 13) -#define NTLMSSP_NEGOTIATE_OEM_DOMAIN_SUPPLIED (1 << 12) -#define NTLMSSP_ANONYMOUS (1 << 11) -#define UNUSED_R8 (1 << 10) -#define NTLMSSP_NEGOTIATE_NTLM (1 << 9) -#define UNUSED_R9 (1 << 8) -#define NTLMSSP_NEGOTIATE_LM_KEY (1 << 7) -#define NTLMSSP_NEGOTIATE_DATAGRAM (1 << 6) -#define NTLMSSP_NEGOTIATE_SEAL (1 << 5) -#define NTLMSSP_NEGOTIATE_SIGN (1 << 4) -#define UNUSED_R10 (1 << 3) -#define NTLMSSP_REQUEST_TARGET (1 << 2) -#define NTLMSSP_NEGOTIATE_OEM (1 << 1) -#define NTLMSSP_NEGOTIATE_UNICODE (1 << 0) +#define NTLMSSP_NEGOTIATE_56 (1U << 31) +#define NTLMSSP_NEGOTIATE_KEY_EXCH (1U << 30) +#define NTLMSSP_NEGOTIATE_128 (1U << 29) +#define UNUSED_R1 (1U << 28) +#define UNUSED_R2 (1U << 27) +#define UNUSED_R3 (1U << 26) +#define NTLMSSP_NEGOTIATE_VERSION (1U << 25) +#define UNUSED_R4 (1U << 24) +#define NTLMSSP_NEGOTIATE_TARGET_INFO (1U << 23) +#define NTLMSSP_REQUEST_NON_NT_SESSION_KEY (1U << 22) +#define UNUSED_R5 /* Davenport: NEGOTIATE_ACCEPT */ (1U << 21) +#define NTLMSSP_NEGOTIATE_IDENTIFY (1U << 20) +#define NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY (1U << 19) +#define UNUSED_R6 /* Davenport:TARGET_TYPE_SHARE */ (1U << 18) +#define NTLMSSP_TARGET_TYPE_SERVER (1U << 17) +#define NTLMSSP_TARGET_TYPE_DOMAIN (1U << 16) +#define NTLMSSP_NEGOTIATE_ALWAYS_SIGN (1U << 15) +#define UNUSED_R7 /* Davenport:LOCAL_CALL */ (1U << 14) +#define NTLMSSP_NEGOTIATE_OEM_WORKSTATION_SUPPLIED (1U << 13) +#define NTLMSSP_NEGOTIATE_OEM_DOMAIN_SUPPLIED (1U << 12) +#define NTLMSSP_ANONYMOUS (1U << 11) +#define UNUSED_R8 (1U << 10) +#define NTLMSSP_NEGOTIATE_NTLM (1U << 9) +#define UNUSED_R9 (1U << 8) +#define NTLMSSP_NEGOTIATE_LM_KEY (1U << 7) +#define NTLMSSP_NEGOTIATE_DATAGRAM (1U << 6) +#define NTLMSSP_NEGOTIATE_SEAL (1U << 5) +#define NTLMSSP_NEGOTIATE_SIGN (1U << 4) +#define UNUSED_R10 (1U << 3) +#define NTLMSSP_REQUEST_TARGET (1U << 2) +#define NTLMSSP_NEGOTIATE_OEM (1U << 1) +#define NTLMSSP_NEGOTIATE_UNICODE (1U << 0) /* (2.2.2.10 VERSION) */ #define WINDOWS_MAJOR_VERSION_5 0x05 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/gss-ntlmssp-1.2.0/src/ntlm_crypto.c new/gss-ntlmssp-1.3.1/src/ntlm_crypto.c --- old/gss-ntlmssp-1.2.0/src/ntlm_crypto.c 2023-02-12 17:11:03.000000000 +0100 +++ new/gss-ntlmssp-1.3.1/src/ntlm_crypto.c 2024-02-27 14:28:41.000000000 +0100 @@ -50,7 +50,7 @@ int ret; len = strlen(password); - retstr = u8_conv_to_encoding("UTF16LE", iconveh_error, + retstr = u8_conv_to_encoding("UTF-16LE", iconveh_error, (const uint8_t *)password, len, NULL, NULL, &out); if (!retstr) return ERR_CRYPTO; @@ -254,7 +254,7 @@ offs += len; } - retstr = (uint8_t *)u8_conv_to_encoding("UTF16LE", iconveh_error, + retstr = (uint8_t *)u8_conv_to_encoding("UTF-16LE", iconveh_error, upcased, offs, NULL, NULL, &out); if (!retstr) return ERR_CRYPTO; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/gss-ntlmssp-1.2.0/tests/ntlmssptest.c new/gss-ntlmssp-1.3.1/tests/ntlmssptest.c --- old/gss-ntlmssp-1.2.0/tests/ntlmssptest.c 2023-02-12 17:11:03.000000000 +0100 +++ new/gss-ntlmssp-1.3.1/tests/ntlmssptest.c 2024-02-27 14:28:41.000000000 +0100 @@ -3132,6 +3132,48 @@ return 0; } +int test_bad_challenge(struct ntlm_ctx *ctx) +{ + struct ntlm_buffer challenge = { T_ServerChallenge, 8 }; + struct ntlm_buffer message = { 0 }; + struct wire_chal_msg *msg; + uint32_t type; + uint32_t flags; + char *target_name = NULL; + uint8_t chal[8]; + struct ntlm_buffer rchallenge = { chal, 8 }; + int ret; + + /* check we can decode encode/decode NULL target_name */ + flags = T_NTLMv1.ChallengeFlags & + ~(NTLMSSP_TARGET_TYPE_SERVER | NTLMSSP_TARGET_TYPE_DOMAIN); + flags |= NTLMSSP_NEGOTIATE_UNICODE; + + ret = ntlm_encode_chal_msg(ctx, flags, NULL, + &challenge, NULL, &message); + if (ret) return ret; + + /* Doctor the message to set back NTLMSSP_TARGET_TYPE_SERVER */ + msg = (struct wire_chal_msg *)message.data; + msg->neg_flags |= NTLMSSP_TARGET_TYPE_SERVER; + + ret = ntlm_decode_msg_type(ctx, &message, &type); + if (ret) return ret; + if (type != 2) return EINVAL; + + ret = ntlm_decode_chal_msg(ctx, &message, &flags, &target_name, + &rchallenge, NULL); + if (ret) return ret; + + if (target_name != NULL) { + ret = EINVAL; + free(target_name); + } + free(message.data); + + return ret; +} + int main(int argc, const char *argv[]) { struct ntlm_ctx *ctx; @@ -3367,6 +3409,11 @@ fprintf(stderr, "Test: %s\n", (ret ? "FAIL":"SUCCESS")); if (ret) gret++; + fprintf(stderr, "Test Bad Challenge Message\n"); + ret = test_bad_challenge(ctx); + fprintf(stderr, "Test: %s\n", (ret ? "FAIL":"SUCCESS")); + if (ret) gret++; + fprintf(stderr, "Test Acquired cred from with no name\n"); ret = test_ACQ_NO_NAME(); fprintf(stderr, "Test: %s\n", (ret ? "FAIL":"SUCCESS")); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/gss-ntlmssp-1.2.0/version.m4 new/gss-ntlmssp-1.3.1/version.m4 --- old/gss-ntlmssp-1.2.0/version.m4 2023-02-12 17:11:03.000000000 +0100 +++ new/gss-ntlmssp-1.3.1/version.m4 2024-02-27 14:28:41.000000000 +0100 @@ -1,5 +1,5 @@ # Primary version number -m4_define([VERSION_NUMBER], [1.2.0]) +m4_define([VERSION_NUMBER], [1.3.1]) # If the PRERELEASE_VERSION_NUMBER is set, we'll append # it to the release tag when creating an RPM or SRPM
