The Samba-Bugzilla – Attachment 17799 Details for
Bug 15270
CVE-2023-0614 [SECURITY] Not-secret but access controlled LDAP attributes can be discovered
Home
|
New
|
Browse
|
Search
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
[x]
|
Forgot Password
Login:
[x]
[patch]
Patch for master v3
CVE-2023-0614-confidential-attrs-master-v3.patch (text/plain), 302.88 KB, created by
Andrew Bartlett
on 2023-03-10 02:55:17 UTC
(
hide
)
Description:
Patch for master v3
Filename:
MIME Type:
Creator:
Andrew Bartlett
Created:
2023-03-10 02:55:17 UTC
Size:
302.88 KB
patch
obsolete
>From cdbdd3cff397f45ac27b37f47d60caad51e2612f Mon Sep 17 00:00:00 2001 >From: Joseph Sutton <josephsutton@catalyst.net.nz> >Date: Fri, 27 Jan 2023 08:06:47 +1300 >Subject: [PATCH 01/39] ldb: Make ldb_msg_remove_attr O(n) >MIME-Version: 1.0 >Content-Type: text/plain; charset=UTF-8 >Content-Transfer-Encoding: 8bit > >Previously it was O(n²). > >Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> >Reviewed-by: Andrew Bartlett <abartlet@samba.org> >--- > lib/ldb/common/ldb_msg.c | 13 ++++++++++--- > 1 file changed, 10 insertions(+), 3 deletions(-) > >diff --git a/lib/ldb/common/ldb_msg.c b/lib/ldb/common/ldb_msg.c >index 9cd7998e21c..4146de185d7 100644 >--- a/lib/ldb/common/ldb_msg.c >+++ b/lib/ldb/common/ldb_msg.c >@@ -1464,11 +1464,18 @@ void ldb_msg_remove_element(struct ldb_message *msg, struct ldb_message_element > */ > void ldb_msg_remove_attr(struct ldb_message *msg, const char *attr) > { >- struct ldb_message_element *el; >+ unsigned int i; >+ unsigned int num_del = 0; > >- while ((el = ldb_msg_find_element(msg, attr)) != NULL) { >- ldb_msg_remove_element(msg, el); >+ for (i = 0; i < msg->num_elements; ++i) { >+ if (ldb_attr_cmp(msg->elements[i].name, attr) == 0) { >+ ++num_del; >+ } else if (num_del) { >+ msg->elements[i - num_del] = msg->elements[i]; >+ } > } >+ >+ msg->num_elements -= num_del; > } > > /* >-- >2.25.1 > > >From 62696b379261803ce0cbcb8bd5292ab394dd77ef Mon Sep 17 00:00:00 2001 >From: Joseph Sutton <josephsutton@catalyst.net.nz> >Date: Fri, 17 Feb 2023 11:46:09 +1300 >Subject: [PATCH 02/39] s4-dsdb:tests: Fix AD DC performance tests > >Calling cmd._run() directly would fail due to the 'command_name' >attribute being absent, so these tests would fail to run. Fix this by >using the samba.netcmd.main.samba_tool helper function. > >Check the return code as well for good measure. > >Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> >Reviewed-by: Andrew Bartlett <abartlet@samba.org> >--- > .../tests/python/ad_dc_medley_performance.py | 16 ++++++++-------- > source4/dsdb/tests/python/ad_dc_performance.py | 16 ++++++++-------- > .../tests/python/ad_dc_provision_performance.py | 10 +++++----- > 3 files changed, 21 insertions(+), 21 deletions(-) > >diff --git a/source4/dsdb/tests/python/ad_dc_medley_performance.py b/source4/dsdb/tests/python/ad_dc_medley_performance.py >index 7afdb747490..3a8316fa018 100644 >--- a/source4/dsdb/tests/python/ad_dc_medley_performance.py >+++ b/source4/dsdb/tests/python/ad_dc_medley_performance.py >@@ -14,7 +14,7 @@ import shutil > import time > import itertools > >-from samba.netcmd.main import cmd_sambatool >+from samba.netcmd.main import samba_tool > > # We try to use the test infrastructure of Samba 4.3+, but if it > # doesn't work, we are probably in a back-ported patch and trying to >@@ -176,13 +176,13 @@ class UserTests(samba.tests.TestCase): > server = host.split('://', 1)[1] > else: > server = host >- cmd = cmd_sambatool.subcommands['domain'].subcommands['join'] >- result = cmd._run("samba-tool domain join", >- creds.get_realm(), >- "dc", "-U%s%%%s" % (creds.get_username(), >- creds.get_password()), >- '--targetdir=%s' % tmpdir, >- '--server=%s' % server) >+ result = samba_tool('domain', 'join', >+ creds.get_realm(), >+ "dc", "-U%s%%%s" % (creds.get_username(), >+ creds.get_password()), >+ '--targetdir=%s' % tmpdir, >+ '--server=%s' % server) >+ self.assertIsNone(result) > > shutil.rmtree(tmpdir) > >diff --git a/source4/dsdb/tests/python/ad_dc_performance.py b/source4/dsdb/tests/python/ad_dc_performance.py >index 6ff84e4389e..96229bb14af 100644 >--- a/source4/dsdb/tests/python/ad_dc_performance.py >+++ b/source4/dsdb/tests/python/ad_dc_performance.py >@@ -13,7 +13,7 @@ import tempfile > import shutil > import time > >-from samba.netcmd.main import cmd_sambatool >+from samba.netcmd.main import samba_tool > > # We try to use the test infrastructure of Samba 4.3+, but if it > # doesn't work, we are probably in a back-ported patch and trying to >@@ -136,13 +136,13 @@ class UserTests(samba.tests.TestCase): > server = host.split('://', 1)[1] > else: > server = host >- cmd = cmd_sambatool.subcommands['domain'].subcommands['join'] >- result = cmd._run("samba-tool domain join", >- creds.get_realm(), >- "dc", "-U%s%%%s" % (creds.get_username(), >- creds.get_password()), >- '--targetdir=%s' % tmpdir, >- '--server=%s' % server) >+ result = samba_tool('domain', 'join', >+ creds.get_realm(), >+ "dc", "-U%s%%%s" % (creds.get_username(), >+ creds.get_password()), >+ '--targetdir=%s' % tmpdir, >+ '--server=%s' % server) >+ self.assertIsNone(result) > > shutil.rmtree(tmpdir) > >diff --git a/source4/dsdb/tests/python/ad_dc_provision_performance.py b/source4/dsdb/tests/python/ad_dc_provision_performance.py >index 3ce0eb7a13e..3531ced38a0 100644 >--- a/source4/dsdb/tests/python/ad_dc_provision_performance.py >+++ b/source4/dsdb/tests/python/ad_dc_provision_performance.py >@@ -12,7 +12,7 @@ import tempfile > import shutil > import subprocess > >-from samba.netcmd.main import cmd_sambatool >+from samba.netcmd.main import samba_tool > > # We try to use the test infrastructure of Samba 4.3+, but if it > # doesn't work, we are probably in a back-ported patch and trying to >@@ -95,10 +95,10 @@ class UserTests(samba.tests.TestCase): > self._test_provision_subprocess() > > def test_02_00_provision_cmd_sambatool(self): >- cmd = cmd_sambatool.subcommands['domain'].subcommands['provision'] >- result = cmd._run("samba-tool domain provision", >- '--targetdir=%s' % self.tmpdir, >- '--use-ntvfs') >+ result = samba_tool('domain', 'provision', >+ '--targetdir=%s' % self.tmpdir, >+ '--use-ntvfs') >+ self.assertIsNone(result) > > def test_03_00_provision_server_role(self): > for role in ('member', 'server', 'member', 'standalone'): >-- >2.25.1 > > >From b9966ff30ce3269c2d2df65f34a29dcd6c2eba88 Mon Sep 17 00:00:00 2001 >From: Joseph Sutton <josephsutton@catalyst.net.nz> >Date: Fri, 17 Feb 2023 16:32:42 +1300 >Subject: [PATCH 03/39] s4-dsdb:tests: Correctly handle LdbError > >Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> >Reviewed-by: Andrew Bartlett <abartlet@samba.org> >--- > source4/dsdb/tests/python/ad_dc_medley_performance.py | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > >diff --git a/source4/dsdb/tests/python/ad_dc_medley_performance.py b/source4/dsdb/tests/python/ad_dc_medley_performance.py >index 3a8316fa018..380ac0391e4 100644 >--- a/source4/dsdb/tests/python/ad_dc_medley_performance.py >+++ b/source4/dsdb/tests/python/ad_dc_medley_performance.py >@@ -241,7 +241,7 @@ class UserTests(samba.tests.TestCase): > scope=SCOPE_BASE, > attrs=['cn']) > except LdbError as e: >- (num, msg) = e >+ (num, msg) = e.args > if num != ERR_NO_SUCH_OBJECT: > raise > >-- >2.25.1 > > >From 397ce39e95f00b1f20c60f92612e5b5c03a7ef9b Mon Sep 17 00:00:00 2001 >From: Andrew Bartlett <abartlet@samba.org> >Date: Fri, 3 Mar 2023 10:31:40 +1300 >Subject: [PATCH 04/39] CVE-2023-0614 dsdb: Alter timeout test in large_ldap.py > to be slower by matching on large objects > >This changes the slow aspect to be the object matching not the filter parsing. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270 > >Signed-off-by: Andrew Bartlett <abartlet@samba.org> >Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz> >--- > source4/dsdb/tests/python/large_ldap.py | 17 +++++++++++++++-- > 1 file changed, 15 insertions(+), 2 deletions(-) > >diff --git a/source4/dsdb/tests/python/large_ldap.py b/source4/dsdb/tests/python/large_ldap.py >index 0805119a700..f7569607cb2 100644 >--- a/source4/dsdb/tests/python/large_ldap.py >+++ b/source4/dsdb/tests/python/large_ldap.py >@@ -32,7 +32,7 @@ from samba.tests.subunitrun import SubunitOptions, TestProgram > import samba.getopt as options > > from samba.auth import system_session >-from samba import ldb >+from samba import ldb, sd_utils > from samba.samdb import SamDB > from samba.ndr import ndr_unpack > from samba import gensec >@@ -120,6 +120,8 @@ class LargeLDAPTest(samba.tests.TestCase): > def setUp(self): > super(LargeLDAPTest, self).setUp() > self.ldb = SamDB(url, credentials=creds, session_info=system_session(lp), lp=lp) >+ self.sd_utils = sd_utils.SDUtils(self.ldb) >+ > self.base_dn = self.ldb.domain_dn() > self.USER_NAME = "large_user" + format(random.randint(0, 99999), "05") + "-" > self.OU_NAME="large_user_ou" + format(random.randint(0, 99999), "05") >@@ -246,6 +248,7 @@ class LargeLDAPTest(samba.tests.TestCase): > self.assertGreater(count, count_jpeg) > > def test_timeout(self): >+ > policy_dn = ldb.Dn(self.ldb, > 'CN=Default Query Policy,CN=Query-Policies,' > 'CN=Directory Service,CN=Windows NT,CN=Services,' >@@ -283,9 +286,19 @@ class LargeLDAPTest(samba.tests.TestCase): > session_info=system_session(lp), > lp=lp) > >+ for x in range(200): >+ user_name = self.USER_NAME + format(x, "03") >+ ace = "(OD;;RP;{6bc69afa-7bd9-4184-88f5-28762137eb6a};;S-1-%d)" % x >+ dn = ldb.Dn(self.ldb, "cn=" + user_name + "," + str(self.ou_dn)) >+ >+ # add an ACE that denies access to the above random attr >+ # for a not-existing user. This makes each SD distinct >+ # and so will slow SD parsing. >+ self.sd_utils.dacl_add_ace(dn, ace) >+ > # Create a large search expression that will take a long time to > # evaluate. >- expression = '(anr=l)' * 10000 >+ expression = f'(jpegPhoto=*X*)' * 500 > expression = f'(|{expression})' > > # Perform the LDAP search. >-- >2.25.1 > > >From cc2f56e5f6f33b2154fd90e855e5bbfc4650c64f Mon Sep 17 00:00:00 2001 >From: Joseph Sutton <josephsutton@catalyst.net.nz> >Date: Fri, 27 Jan 2023 07:57:27 +1300 >Subject: [PATCH 05/39] CVE-2023-0614 libcli/security: Make some parameters > const > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270 > >Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> >Reviewed-by: Andrew Bartlett <abartlet@samba.org> >--- > libcli/security/access_check.c | 10 +++++----- > libcli/security/access_check.h | 2 +- > 2 files changed, 6 insertions(+), 6 deletions(-) > >diff --git a/libcli/security/access_check.c b/libcli/security/access_check.c >index 7d8eca74c43..70d8b9f0155 100644 >--- a/libcli/security/access_check.c >+++ b/libcli/security/access_check.c >@@ -431,7 +431,7 @@ NTSTATUS se_file_access_check(const struct security_descriptor *sd, > return NT_STATUS_OK; > } > >-static const struct GUID *get_ace_object_type(struct security_ace *ace) >+static const struct GUID *get_ace_object_type(const struct security_ace *ace) > { > if (ace->object.object.flags & SEC_ACE_OBJECT_TYPE_PRESENT) { > return &ace->object.object.type.type; >@@ -449,7 +449,7 @@ static const struct GUID *get_ace_object_type(struct security_ace *ace) > * rights to the object/attribute > * @returns NT_STATUS_OK, unless access was denied > */ >-static NTSTATUS check_object_specific_access(struct security_ace *ace, >+static NTSTATUS check_object_specific_access(const struct security_ace *ace, > struct object_tree *tree, > bool *grant_access) > { >@@ -520,7 +520,7 @@ NTSTATUS sec_access_check_ds_implicit_owner(const struct security_descriptor *sd > uint32_t access_desired, > uint32_t *access_granted, > struct object_tree *tree, >- struct dom_sid *replace_sid, >+ const struct dom_sid *replace_sid, > enum implicit_owner_rights implicit_owner_rights) > { > uint32_t i; >@@ -579,8 +579,8 @@ NTSTATUS sec_access_check_ds_implicit_owner(const struct security_descriptor *sd > > /* check each ace in turn. */ > for (i=0; bits_remaining && i < sd->dacl->num_aces; i++) { >- struct dom_sid *trustee; >- struct security_ace *ace = &sd->dacl->aces[i]; >+ const struct dom_sid *trustee; >+ const struct security_ace *ace = &sd->dacl->aces[i]; > NTSTATUS status; > bool grant_access = false; > >diff --git a/libcli/security/access_check.h b/libcli/security/access_check.h >index e7150914524..7c424b9e05a 100644 >--- a/libcli/security/access_check.h >+++ b/libcli/security/access_check.h >@@ -70,7 +70,7 @@ NTSTATUS sec_access_check_ds_implicit_owner(const struct security_descriptor *sd > uint32_t access_desired, > uint32_t *access_granted, > struct object_tree *tree, >- struct dom_sid *replace_sid, >+ const struct dom_sid *replace_sid, > enum implicit_owner_rights implicit_owner_rights); > > /* modified access check for the purposes of DS security >-- >2.25.1 > > >From 4feab92546c5bb73783ca9762713e17a6daf6db6 Mon Sep 17 00:00:00 2001 >From: Joseph Sutton <josephsutton@catalyst.net.nz> >Date: Tue, 7 Feb 2023 09:29:51 +1300 >Subject: [PATCH 06/39] CVE-2023-0614 s4:dsdb: Use talloc_get_type_abort() more > consistently > >It is better to explicitly abort than to dereference a NULL pointer or >try to read data cast to the wrong type. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270 > >Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> >Reviewed-by: Andrew Bartlett <abartlet@samba.org> >--- > source4/dsdb/samdb/ldb_modules/acl_read.c | 4 ++-- > source4/dsdb/samdb/ldb_modules/acl_util.c | 2 +- > source4/dsdb/samdb/ldb_modules/linked_attributes.c | 2 +- > source4/dsdb/samdb/ldb_modules/password_hash.c | 2 +- > 4 files changed, 5 insertions(+), 5 deletions(-) > >diff --git a/source4/dsdb/samdb/ldb_modules/acl_read.c b/source4/dsdb/samdb/ldb_modules/acl_read.c >index 2ed894a0692..d6bb1d0eeb1 100644 >--- a/source4/dsdb/samdb/ldb_modules/acl_read.c >+++ b/source4/dsdb/samdb/ldb_modules/acl_read.c >@@ -268,7 +268,7 @@ static int aclread_get_sd_from_ldb_message(struct aclread_context *ac, > struct ldb_message_element *sd_element; > struct ldb_context *ldb = ldb_module_get_ctx(ac->module); > struct aclread_private *private_data >- = talloc_get_type(ldb_module_get_private(ac->module), >+ = talloc_get_type_abort(ldb_module_get_private(ac->module), > struct aclread_private); > enum ndr_err_code ndr_err; > >@@ -569,7 +569,7 @@ static int aclread_callback(struct ldb_request *req, struct ldb_reply *ares) > const struct dsdb_class *objectclass; > bool suppress_result = false; > >- ac = talloc_get_type(req->context, struct aclread_context); >+ ac = talloc_get_type_abort(req->context, struct aclread_context); > ldb = ldb_module_get_ctx(ac->module); > if (!ares) { > return ldb_module_done(ac->req, NULL, NULL, LDB_ERR_OPERATIONS_ERROR ); >diff --git a/source4/dsdb/samdb/ldb_modules/acl_util.c b/source4/dsdb/samdb/ldb_modules/acl_util.c >index 1545525093d..4b90207edc3 100644 >--- a/source4/dsdb/samdb/ldb_modules/acl_util.c >+++ b/source4/dsdb/samdb/ldb_modules/acl_util.c >@@ -318,7 +318,7 @@ uint32_t dsdb_request_sd_flags(struct ldb_request *req, bool *explicit) > > sd_control = ldb_request_get_control(req, LDB_CONTROL_SD_FLAGS_OID); > if (sd_control != NULL && sd_control->data != NULL) { >- struct ldb_sd_flags_control *sdctr = (struct ldb_sd_flags_control *)sd_control->data; >+ struct ldb_sd_flags_control *sdctr = talloc_get_type_abort(sd_control->data, struct ldb_sd_flags_control); > > sd_flags = sdctr->secinfo_flags; > >diff --git a/source4/dsdb/samdb/ldb_modules/linked_attributes.c b/source4/dsdb/samdb/ldb_modules/linked_attributes.c >index 5ef075f2037..317df9d3e0e 100644 >--- a/source4/dsdb/samdb/ldb_modules/linked_attributes.c >+++ b/source4/dsdb/samdb/ldb_modules/linked_attributes.c >@@ -104,7 +104,7 @@ static int handle_verify_name_control(TALLOC_CTX *ctx, struct ldb_context *ldb, > * If we are a GC let's remove the control, > * if there is a specified GC check that is us. > */ >- struct ldb_verify_name_control *lvnc = (struct ldb_verify_name_control *)control->data; >+ struct ldb_verify_name_control *lvnc = talloc_get_type_abort(control->data, struct ldb_verify_name_control); > if (samdb_is_gc(ldb)) { > /* Because we can't easily talloc a struct ldb_dn*/ > struct ldb_dn **dn = talloc_array(ctx, struct ldb_dn *, 1); >diff --git a/source4/dsdb/samdb/ldb_modules/password_hash.c b/source4/dsdb/samdb/ldb_modules/password_hash.c >index b308226a9f9..6a713b86736 100644 >--- a/source4/dsdb/samdb/ldb_modules/password_hash.c >+++ b/source4/dsdb/samdb/ldb_modules/password_hash.c >@@ -4066,7 +4066,7 @@ static void ph_apply_controls(struct ph_context *ac) > ctrl = ldb_request_get_control(ac->req, > DSDB_CONTROL_PASSWORD_CHANGE_OLD_PW_CHECKED_OID); > if (ctrl != NULL) { >- ac->change = (struct dsdb_control_password_change *) ctrl->data; >+ ac->change = talloc_get_type_abort(ctrl->data, struct dsdb_control_password_change); > > /* Mark the "change" control as uncritical (done) */ > ctrl->critical = false; >-- >2.25.1 > > >From 6c92899a9382bf215ab3412eed1d4f9e0a635d16 Mon Sep 17 00:00:00 2001 >From: Joseph Sutton <josephsutton@catalyst.net.nz> >Date: Fri, 27 Jan 2023 08:00:32 +1300 >Subject: [PATCH 07/39] CVE-2023-0614 s4-acl: Make some parameters const > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270 > >Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> >Reviewed-by: Andrew Bartlett <abartlet@samba.org> >--- > source4/dsdb/samdb/ldb_modules/acl_util.c | 4 ++-- > 1 file changed, 2 insertions(+), 2 deletions(-) > >diff --git a/source4/dsdb/samdb/ldb_modules/acl_util.c b/source4/dsdb/samdb/ldb_modules/acl_util.c >index 4b90207edc3..352997ef643 100644 >--- a/source4/dsdb/samdb/ldb_modules/acl_util.c >+++ b/source4/dsdb/samdb/ldb_modules/acl_util.c >@@ -97,8 +97,8 @@ int dsdb_module_check_access_on_dn(struct ldb_module *module, > > int acl_check_access_on_attribute_implicit_owner(struct ldb_module *module, > TALLOC_CTX *mem_ctx, >- struct security_descriptor *sd, >- struct dom_sid *rp_sid, >+ const struct security_descriptor *sd, >+ const struct dom_sid *rp_sid, > uint32_t access_mask, > const struct dsdb_attribute *attr, > const struct dsdb_class *objectclass, >-- >2.25.1 > > >From e43c2cacbeb1a3f5ee97a141ee2eca864631ea9b Mon Sep 17 00:00:00 2001 >From: Joseph Sutton <josephsutton@catalyst.net.nz> >Date: Fri, 27 Jan 2023 08:28:36 +1300 >Subject: [PATCH 08/39] CVE-2023-0614 ldb: Add functions for handling > inaccessible message elements > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270 > >Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> >Reviewed-by: Andrew Bartlett <abartlet@samba.org> >--- > lib/ldb/ABI/ldb-2.8.0.sigs | 3 +++ > lib/ldb/common/ldb_msg.c | 26 ++++++++++++++++++++++++++ > lib/ldb/include/ldb_module.h | 4 ++++ > 3 files changed, 33 insertions(+) > >diff --git a/lib/ldb/ABI/ldb-2.8.0.sigs b/lib/ldb/ABI/ldb-2.8.0.sigs >index 40388d9e330..37bbfc56b12 100644 >--- a/lib/ldb/ABI/ldb-2.8.0.sigs >+++ b/lib/ldb/ABI/ldb-2.8.0.sigs >@@ -174,6 +174,8 @@ ldb_msg_element_add_value: int (TALLOC_CTX *, struct ldb_message_element *, cons > ldb_msg_element_compare: int (struct ldb_message_element *, struct ldb_message_element *) > ldb_msg_element_compare_name: int (struct ldb_message_element *, struct ldb_message_element *) > ldb_msg_element_equal_ordered: bool (const struct ldb_message_element *, const struct ldb_message_element *) >+ldb_msg_element_is_inaccessible: bool (const struct ldb_message_element *) >+ldb_msg_element_mark_inaccessible: void (struct ldb_message_element *) > ldb_msg_find_attr_as_bool: int (const struct ldb_message *, const char *, int) > ldb_msg_find_attr_as_dn: struct ldb_dn *(struct ldb_context *, TALLOC_CTX *, const struct ldb_message *, const char *) > ldb_msg_find_attr_as_double: double (const struct ldb_message *, const char *, double) >@@ -191,6 +193,7 @@ ldb_msg_new: struct ldb_message *(TALLOC_CTX *) > ldb_msg_normalize: int (struct ldb_context *, TALLOC_CTX *, const struct ldb_message *, struct ldb_message **) > ldb_msg_remove_attr: void (struct ldb_message *, const char *) > ldb_msg_remove_element: void (struct ldb_message *, struct ldb_message_element *) >+ldb_msg_remove_inaccessible: void (struct ldb_message *) > ldb_msg_rename_attr: int (struct ldb_message *, const char *, const char *) > ldb_msg_sanity_check: int (struct ldb_context *, const struct ldb_message *) > ldb_msg_sort_elements: void (struct ldb_message *) >diff --git a/lib/ldb/common/ldb_msg.c b/lib/ldb/common/ldb_msg.c >index 4146de185d7..3e8987147fd 100644 >--- a/lib/ldb/common/ldb_msg.c >+++ b/lib/ldb/common/ldb_msg.c >@@ -795,6 +795,32 @@ int ldb_msg_element_compare_name(struct ldb_message_element *el1, > return ldb_attr_cmp(el1->name, el2->name); > } > >+void ldb_msg_element_mark_inaccessible(struct ldb_message_element *el) >+{ >+ el->flags |= LDB_FLAG_INTERNAL_INACCESSIBLE_ATTRIBUTE; >+} >+ >+bool ldb_msg_element_is_inaccessible(const struct ldb_message_element *el) >+{ >+ return (el->flags & LDB_FLAG_INTERNAL_INACCESSIBLE_ATTRIBUTE) != 0; >+} >+ >+void ldb_msg_remove_inaccessible(struct ldb_message *msg) >+{ >+ unsigned i; >+ unsigned num_del = 0; >+ >+ for (i = 0; i < msg->num_elements; ++i) { >+ if (ldb_msg_element_is_inaccessible(&msg->elements[i])) { >+ ++num_del; >+ } else if (num_del) { >+ msg->elements[i - num_del] = msg->elements[i]; >+ } >+ } >+ >+ msg->num_elements -= num_del; >+} >+ > /* > convenience functions to return common types from a message > these return the first value if the attribute is multi-valued >diff --git a/lib/ldb/include/ldb_module.h b/lib/ldb/include/ldb_module.h >index 4c7c85a17f0..8481fd3991a 100644 >--- a/lib/ldb/include/ldb_module.h >+++ b/lib/ldb/include/ldb_module.h >@@ -513,6 +513,10 @@ struct ldb_extended_match_rule > int ldb_register_extended_match_rule(struct ldb_context *ldb, > const struct ldb_extended_match_rule *rule); > >+void ldb_msg_element_mark_inaccessible(struct ldb_message_element *el); >+bool ldb_msg_element_is_inaccessible(const struct ldb_message_element *el); >+void ldb_msg_remove_inaccessible(struct ldb_message *msg); >+ > /* > * these pack/unpack functions are exposed in the library for use by > * ldb tools like ldbdump and for use in tests, >-- >2.25.1 > > >From 114f1af6ac3fdf5b7afc28271c775836b7fd1930 Mon Sep 17 00:00:00 2001 >From: Joseph Sutton <josephsutton@catalyst.net.nz> >Date: Fri, 27 Jan 2023 08:29:33 +1300 >Subject: [PATCH 09/39] CVE-2023-0614 s4-acl: Use ldb functions for handling > inaccessible message elements > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270 > >Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> >Reviewed-by: Andrew Bartlett <abartlet@samba.org> >--- > source4/dsdb/samdb/ldb_modules/acl_read.c | 62 ++++------------------- > 1 file changed, 10 insertions(+), 52 deletions(-) > >diff --git a/source4/dsdb/samdb/ldb_modules/acl_read.c b/source4/dsdb/samdb/ldb_modules/acl_read.c >index d6bb1d0eeb1..7585be3f93b 100644 >--- a/source4/dsdb/samdb/ldb_modules/acl_read.c >+++ b/source4/dsdb/samdb/ldb_modules/acl_read.c >@@ -70,14 +70,6 @@ struct aclread_private { > struct ldb_val sd_cached_blob; > }; > >-static void aclread_mark_inaccesslible(struct ldb_message_element *el) { >- el->flags |= LDB_FLAG_INTERNAL_INACCESSIBLE_ATTRIBUTE; >-} >- >-static bool aclread_is_inaccessible(struct ldb_message_element *el) { >- return el->flags & LDB_FLAG_INTERNAL_INACCESSIBLE_ATTRIBUTE; >-} >- > /* > * the object has a parent, so we have to check for visibility > * >@@ -558,11 +550,9 @@ static int aclread_callback(struct ldb_request *req, struct ldb_reply *ares) > { > struct ldb_context *ldb; > struct aclread_context *ac; >- struct ldb_message *ret_msg; > struct ldb_message *msg; > int ret; >- size_t num_of_attrs = 0; >- unsigned int i, k = 0; >+ unsigned int i; > struct security_descriptor *sd = NULL; > struct dom_sid *sid = NULL; > TALLOC_CTX *tmp_ctx; >@@ -652,26 +642,26 @@ static int aclread_callback(struct ldb_request *req, struct ldb_reply *ares) > msg->elements[i].name) == 0; > /* these attributes were added to perform access checks and must be removed */ > if (is_objectsid && ac->added_objectSid) { >- aclread_mark_inaccesslible(&msg->elements[i]); >+ ldb_msg_element_mark_inaccessible(&msg->elements[i]); > continue; > } > if (is_instancetype && ac->added_instanceType) { >- aclread_mark_inaccesslible(&msg->elements[i]); >+ ldb_msg_element_mark_inaccessible(&msg->elements[i]); > continue; > } > if (is_objectclass && ac->added_objectClass) { >- aclread_mark_inaccesslible(&msg->elements[i]); >+ ldb_msg_element_mark_inaccessible(&msg->elements[i]); > continue; > } > if (is_sd && ac->added_nTSecurityDescriptor) { >- aclread_mark_inaccesslible(&msg->elements[i]); >+ ldb_msg_element_mark_inaccessible(&msg->elements[i]); > continue; > } > > access_mask = get_attr_access_mask(attr, ac->sd_flags); > > if (access_mask == 0) { >- aclread_mark_inaccesslible(&msg->elements[i]); >+ ldb_msg_element_mark_inaccessible(&msg->elements[i]); > continue; > } > >@@ -716,7 +706,7 @@ static int aclread_callback(struct ldb_request *req, struct ldb_reply *ares) > return LDB_SUCCESS; > } > } else { >- aclread_mark_inaccesslible(&msg->elements[i]); >+ ldb_msg_element_mark_inaccessible(&msg->elements[i]); > } > } else if (ret != LDB_SUCCESS) { > ldb_debug_set(ldb, LDB_DEBUG_FATAL, >@@ -759,44 +749,12 @@ static int aclread_callback(struct ldb_request *req, struct ldb_reply *ares) > } > } > >- for (i=0; i < msg->num_elements; i++) { >- if (!aclread_is_inaccessible(&msg->elements[i])) { >- num_of_attrs++; >- } >- } >- /*create a new message to return*/ >- ret_msg = ldb_msg_new(ac->req); >- ret_msg->dn = msg->dn; >- talloc_steal(ret_msg, msg->dn); >- ret_msg->num_elements = num_of_attrs; >- if (num_of_attrs > 0) { >- ret_msg->elements = talloc_array(ret_msg, >- struct ldb_message_element, >- num_of_attrs); >- if (ret_msg->elements == NULL) { >- return ldb_oom(ldb); >- } >- for (i=0; i < msg->num_elements; i++) { >- bool to_remove = aclread_is_inaccessible(&msg->elements[i]); >- if (!to_remove) { >- ret_msg->elements[k] = msg->elements[i]; >- talloc_steal(ret_msg->elements, msg->elements[i].name); >- talloc_steal(ret_msg->elements, msg->elements[i].values); >- k++; >- } >- } >- /* >- * This should not be needed, but some modules >- * may allocate values on the wrong context... >- */ >- talloc_steal(ret_msg->elements, msg); >- } else { >- ret_msg->elements = NULL; >- } >+ ldb_msg_remove_inaccessible(msg); >+ > talloc_free(tmp_ctx); > > ac->num_entries++; >- return ldb_module_send_entry(ac->req, ret_msg, ares->controls); >+ return ldb_module_send_entry(ac->req, msg, ares->controls); > case LDB_REPLY_REFERRAL: > return ldb_module_send_referral(ac->req, ares->referral); > case LDB_REPLY_DONE: >-- >2.25.1 > > >From ef344856698c4aa167556af3e0cb646d5e45ea0a Mon Sep 17 00:00:00 2001 >From: Joseph Sutton <josephsutton@catalyst.net.nz> >Date: Wed, 15 Feb 2023 12:34:51 +1300 >Subject: [PATCH 10/39] CVE-2023-0614 ldb:tests: Ensure ldb_val data is > zero-terminated > >If the value of an ldb message element is not zero-terminated, calling >ldb_msg_find_attr_as_string() will cause the function to read off the >end of the buffer in an attempt to verify that the value is >zero-terminated. This can cause unexpected behaviour and make the test >randomly fail. > >To avoid this, we must have a terminating null byte that is *not* >counted as part of the length, and so we must calculate the length with >strlen() rather than sizeof. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270 > >Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> >Reviewed-by: Andrew Bartlett <abartlet@samba.org> >--- > lib/ldb/tests/ldb_filter_attrs_test.c | 171 +++++++++++++------------- > 1 file changed, 86 insertions(+), 85 deletions(-) > >diff --git a/lib/ldb/tests/ldb_filter_attrs_test.c b/lib/ldb/tests/ldb_filter_attrs_test.c >index 7d555e0da2e..442d9c77ed2 100644 >--- a/lib/ldb/tests/ldb_filter_attrs_test.c >+++ b/lib/ldb/tests/ldb_filter_attrs_test.c >@@ -36,6 +36,7 @@ > #include <stdarg.h> > #include <stddef.h> > #include <stdint.h> >+#include <string.h> > #include <setjmp.h> > #include <cmocka.h> > >@@ -96,10 +97,10 @@ static void test_filter_attrs_one_attr_matched(void **state) > > const char *attrs[] = {"foo", NULL}; > >- uint8_t value[] = "The value.......end"; >+ char value[] = "The value.......end"; > struct ldb_val value_1 = { >- .data = value, >- .length = (sizeof(value)) >+ .data = (uint8_t *)value, >+ .length = strlen(value) > }; > struct ldb_message_element element_1 = { > .name = "foo", >@@ -130,9 +131,9 @@ static void test_filter_attrs_one_attr_matched(void **state) > assert_string_equal(filtered_msg->elements[0].name, "foo"); > assert_int_equal(filtered_msg->elements[0].num_values, 1); > assert_int_equal(filtered_msg->elements[0].values[0].length, >- sizeof(value)); >+ strlen(value)); > assert_memory_equal(filtered_msg->elements[0].values[0].data, >- value, sizeof(value)); >+ value, strlen(value)); > } > > /* >@@ -148,10 +149,10 @@ static void test_filter_attrs_one_attr_matched_of_many(void **state) > > const char *attrs[] = {"foo", "bar", "baz", NULL}; > >- uint8_t value[] = "The value.......end"; >+ char value[] = "The value.......end"; > struct ldb_val value_1 = { >- .data = value, >- .length = (sizeof(value)) >+ .data = (uint8_t *)value, >+ .length = strlen(value) > }; > struct ldb_message_element element_1 = { > .name = "foo", >@@ -182,9 +183,9 @@ static void test_filter_attrs_one_attr_matched_of_many(void **state) > assert_string_equal(filtered_msg->elements[0].name, "foo"); > assert_int_equal(filtered_msg->elements[0].num_values, 1); > assert_int_equal(filtered_msg->elements[0].values[0].length, >- sizeof(value)); >+ strlen(value)); > assert_memory_equal(filtered_msg->elements[0].values[0].data, >- value, sizeof(value)); >+ value, strlen(value)); > } > > /* >@@ -201,15 +202,15 @@ static void test_filter_attrs_two_attr_matched_attrs(void **state) > /* deliberatly the other order */ > const char *attrs[] = {"bar", "foo", NULL}; > >- uint8_t value1[] = "The value.......end"; >- uint8_t value2[] = "The value..MUST.end"; >+ char value1[] = "The value.......end"; >+ char value2[] = "The value..MUST.end"; > struct ldb_val value_1 = { >- .data = value1, >- .length = (sizeof(value1)) >+ .data = (uint8_t *)value1, >+ .length = strlen(value1) > }; > struct ldb_val value_2 = { >- .data = value2, >- .length = (sizeof(value2)) >+ .data = (uint8_t *)value2, >+ .length = strlen(value2) > }; > > /* foo and bar are the other order to in attrs */ >@@ -251,15 +252,15 @@ static void test_filter_attrs_two_attr_matched_attrs(void **state) > assert_string_equal(filtered_msg->elements[0].name, "foo"); > assert_int_equal(filtered_msg->elements[0].num_values, 1); > assert_int_equal(filtered_msg->elements[0].values[0].length, >- sizeof(value1)); >+ strlen(value1)); > assert_memory_equal(filtered_msg->elements[0].values[0].data, >- value1, sizeof(value1)); >+ value1, strlen(value1)); > assert_string_equal(filtered_msg->elements[1].name, "bar"); > assert_int_equal(filtered_msg->elements[1].num_values, 1); > assert_int_equal(filtered_msg->elements[1].values[0].length, >- sizeof(value2)); >+ strlen(value2)); > assert_memory_equal(filtered_msg->elements[1].values[0].data, >- value2, sizeof(value2)); >+ value2, strlen(value2)); > } > > /* >@@ -276,15 +277,15 @@ static void test_filter_attrs_two_attr_matched_one_attr(void **state) > /* deliberatly the other order */ > const char *attrs[] = {"bar", NULL}; > >- uint8_t value1[] = "The value.......end"; >- uint8_t value2[] = "The value..MUST.end"; >+ char value1[] = "The value.......end"; >+ char value2[] = "The value..MUST.end"; > struct ldb_val value_1 = { >- .data = value1, >- .length = (sizeof(value1)) >+ .data = (uint8_t *)value1, >+ .length = strlen(value1) > }; > struct ldb_val value_2 = { >- .data = value2, >- .length = (sizeof(value2)) >+ .data = (uint8_t *)value2, >+ .length = strlen(value2) > }; > > /* foo and bar are the other order to in attrs */ >@@ -326,9 +327,9 @@ static void test_filter_attrs_two_attr_matched_one_attr(void **state) > assert_string_equal(filtered_msg->elements[0].name, "bar"); > assert_int_equal(filtered_msg->elements[0].num_values, 1); > assert_int_equal(filtered_msg->elements[0].values[0].length, >- sizeof(value2)); >+ strlen(value2)); > assert_memory_equal(filtered_msg->elements[0].values[0].data, >- value2, sizeof(value2)); >+ value2, strlen(value2)); > } > > /* >@@ -345,15 +346,15 @@ static void test_filter_attrs_two_dup_attr_matched_one_attr(void **state) > /* deliberatly the other order */ > const char *attrs[] = {"bar", NULL}; > >- uint8_t value1[] = "The value.......end"; >- uint8_t value2[] = "The value..MUST.end"; >+ char value1[] = "The value.......end"; >+ char value2[] = "The value..MUST.end"; > struct ldb_val value_1 = { >- .data = value1, >- .length = (sizeof(value1)) >+ .data = (uint8_t *)value1, >+ .length = strlen(value1) > }; > struct ldb_val value_2 = { >- .data = value2, >- .length = (sizeof(value2)) >+ .data = (uint8_t *)value2, >+ .length = strlen(value2) > }; > > /* foo and bar are the other order to in attrs */ >@@ -400,15 +401,15 @@ static void test_filter_attrs_two_dup_attr_matched_dup(void **state) > > const char *attrs[] = {"bar", "bar", NULL}; > >- uint8_t value1[] = "The value.......end"; >- uint8_t value2[] = "The value..MUST.end"; >+ char value1[] = "The value.......end"; >+ char value2[] = "The value..MUST.end"; > struct ldb_val value_1 = { >- .data = value1, >- .length = (sizeof(value1)) >+ .data = (uint8_t *)value1, >+ .length = strlen(value1) > }; > struct ldb_val value_2 = { >- .data = value2, >- .length = (sizeof(value2)) >+ .data = (uint8_t *)value2, >+ .length = strlen(value2) > }; > > /* foo and bar are the other order to in attrs */ >@@ -445,15 +446,15 @@ static void test_filter_attrs_two_dup_attr_matched_dup(void **state) > assert_string_equal(filtered_msg->elements[0].name, "bar"); > assert_int_equal(filtered_msg->elements[0].num_values, 1); > assert_int_equal(filtered_msg->elements[0].values[0].length, >- sizeof(value1)); >+ strlen(value1)); > assert_memory_equal(filtered_msg->elements[0].values[0].data, >- value1, sizeof(value1)); >+ value1, strlen(value1)); > assert_string_equal(filtered_msg->elements[1].name, "bar"); > assert_int_equal(filtered_msg->elements[1].num_values, 1); > assert_int_equal(filtered_msg->elements[1].values[0].length, >- sizeof(value2)); >+ strlen(value2)); > assert_memory_equal(filtered_msg->elements[1].values[0].data, >- value2, sizeof(value2)); >+ value2, strlen(value2)); > } > > /* >@@ -469,15 +470,15 @@ static void test_filter_attrs_two_dup_attr_matched_one_of_two(void **state) > > const char *attrs[] = {"bar", "foo", NULL}; > >- uint8_t value1[] = "The value.......end"; >- uint8_t value2[] = "The value..MUST.end"; >+ char value1[] = "The value.......end"; >+ char value2[] = "The value..MUST.end"; > struct ldb_val value_1 = { >- .data = value1, >- .length = (sizeof(value1)) >+ .data = (uint8_t *)value1, >+ .length = strlen(value1) > }; > struct ldb_val value_2 = { >- .data = value2, >- .length = (sizeof(value2)) >+ .data = (uint8_t *)value2, >+ .length = strlen(value2) > }; > > /* foo and bar are the other order to in attrs */ >@@ -514,15 +515,15 @@ static void test_filter_attrs_two_dup_attr_matched_one_of_two(void **state) > assert_string_equal(filtered_msg->elements[0].name, "bar"); > assert_int_equal(filtered_msg->elements[0].num_values, 1); > assert_int_equal(filtered_msg->elements[0].values[0].length, >- sizeof(value1)); >+ strlen(value1)); > assert_memory_equal(filtered_msg->elements[0].values[0].data, >- value1, sizeof(value1)); >+ value1, strlen(value1)); > assert_string_equal(filtered_msg->elements[1].name, "bar"); > assert_int_equal(filtered_msg->elements[1].num_values, 1); > assert_int_equal(filtered_msg->elements[1].values[0].length, >- sizeof(value2)); >+ strlen(value2)); > assert_memory_equal(filtered_msg->elements[1].values[0].data, >- value2, sizeof(value2)); >+ value2, strlen(value2)); > } > > /* >@@ -538,15 +539,15 @@ static void test_filter_attrs_two_dup_attr_matched_star(void **state) > > const char *attrs[] = {"*", "foo", NULL}; > >- uint8_t value1[] = "The value.......end"; >- uint8_t value2[] = "The value..MUST.end"; >+ char value1[] = "The value.......end"; >+ char value2[] = "The value..MUST.end"; > struct ldb_val value_1 = { >- .data = value1, >- .length = (sizeof(value1)) >+ .data = (uint8_t *)value1, >+ .length = strlen(value1) > }; > struct ldb_val value_2 = { >- .data = value2, >- .length = (sizeof(value2)) >+ .data = (uint8_t *)value2, >+ .length = strlen(value2) > }; > > /* foo and bar are the other order to in attrs */ >@@ -586,15 +587,15 @@ static void test_filter_attrs_two_dup_attr_matched_star(void **state) > assert_string_equal(filtered_msg->elements[0].name, "bar"); > assert_int_equal(filtered_msg->elements[0].num_values, 1); > assert_int_equal(filtered_msg->elements[0].values[0].length, >- sizeof(value1)); >+ strlen(value1)); > assert_memory_equal(filtered_msg->elements[0].values[0].data, >- value1, sizeof(value1)); >+ value1, strlen(value1)); > assert_string_equal(filtered_msg->elements[1].name, "bar"); > assert_int_equal(filtered_msg->elements[1].num_values, 1); > assert_int_equal(filtered_msg->elements[1].values[0].length, >- sizeof(value2)); >+ strlen(value2)); > assert_memory_equal(filtered_msg->elements[1].values[0].data, >- value2, sizeof(value2)); >+ value2, strlen(value2)); > /* > * assert the ldb_filter_attrs does not modify filtered_msg.dn > * in this case >@@ -619,10 +620,10 @@ static void test_filter_attrs_one_attr_matched_star(void **state) > > const char *attrs[] = {"*", NULL}; > >- uint8_t value[] = "The value.......end"; >+ char value[] = "The value.......end"; > struct ldb_val value_1 = { >- .data = value, >- .length = (sizeof(value)) >+ .data = (uint8_t *)value, >+ .length = strlen(value) > }; > struct ldb_message_element element_1 = { > .name = "foo", >@@ -676,15 +677,15 @@ static void test_filter_attrs_two_attr_matched_star(void **state) > > const char *attrs[] = {"*", NULL}; > >- uint8_t value1[] = "The value.......end"; >- uint8_t value2[] = "The value..MUST.end"; >+ char value1[] = "The value.......end"; >+ char value2[] = "The value..MUST.end"; > struct ldb_val value_1 = { >- .data = value1, >- .length = (sizeof(value1)) >+ .data = (uint8_t *)value1, >+ .length = strlen(value1) > }; > struct ldb_val value_2 = { >- .data = value2, >- .length = (sizeof(value2)) >+ .data = (uint8_t *)value2, >+ .length = strlen(value2) > }; > struct ldb_message_element elements[] = { > { >@@ -750,10 +751,10 @@ static void test_filter_attrs_one_attr_matched_star_no_dn(void **state) > > const char *attrs[] = {"*", NULL}; > >- uint8_t value[] = "The value.......end"; >+ char value[] = "The value.......end"; > struct ldb_val value_1 = { >- .data = value, >- .length = (sizeof(value)) >+ .data = (uint8_t *)value, >+ .length = strlen(value) > }; > struct ldb_message_element element_1 = { > .name = "foo", >@@ -789,10 +790,10 @@ static void test_filter_attrs_one_attr_matched_star_dn(void **state) > > const char *attrs[] = {"*", "distinguishedName", NULL}; > >- uint8_t value[] = "The value.......end"; >+ char value[] = "The value.......end"; > struct ldb_val value_1 = { >- .data = value, >- .length = (sizeof(value)) >+ .data = (uint8_t *)value, >+ .length = strlen(value) > }; > struct ldb_message_element element_1 = { > .name = "foo", >@@ -844,10 +845,10 @@ static void test_filter_attrs_one_attr_matched_dn(void **state) > > const char *attrs[] = {"distinguishedName", NULL}; > >- uint8_t value[] = "The value.......end"; >+ char value[] = "The value.......end"; > struct ldb_val value_1 = { >- .data = value, >- .length = (sizeof(value)) >+ .data = (uint8_t *)value, >+ .length = strlen(value) > }; > struct ldb_message_element element_1 = { > .name = "foo", >@@ -894,10 +895,10 @@ static void test_filter_attrs_one_attr_empty_list(void **state) > > const char *attrs[] = {NULL}; > >- uint8_t value[] = "The value.......end"; >+ char value[] = "The value.......end"; > struct ldb_val value_1 = { >- .data = value, >- .length = (sizeof(value)) >+ .data = (uint8_t *)value, >+ .length = strlen(value) > }; > struct ldb_message_element element_1 = { > .name = "foo", >-- >2.25.1 > > >From 48cd73afcc6025e34f2dc6fbe377df020ecc5ec0 Mon Sep 17 00:00:00 2001 >From: Joseph Sutton <josephsutton@catalyst.net.nz> >Date: Wed, 15 Feb 2023 14:08:57 +1300 >Subject: [PATCH 11/39] CVE-2023-0614 ldb:tests: Ensure all tests are accounted > for > >Add ldb_filter_attrs_test to the list of tests so that it actually gets >run. > >Remove a duplicate ldb_msg_test that was accidentally added in commit >5ca90e758ade97fb5e335029c7a1768094e70564. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270 > >Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> >Reviewed-by: Andrew Bartlett <abartlet@samba.org> >--- > lib/ldb/wscript | 5 +++-- > 1 file changed, 3 insertions(+), 2 deletions(-) > >diff --git a/lib/ldb/wscript b/lib/ldb/wscript >index 7e1d9a39ee6..e5a8f80b0a4 100644 >--- a/lib/ldb/wscript >+++ b/lib/ldb/wscript >@@ -634,7 +634,6 @@ def test(ctx): > 'ldb_msg_test', > 'ldb_tdb_mod_op_test', > 'ldb_tdb_guid_mod_op_test', >- 'ldb_msg_test', > 'ldb_tdb_kv_ops_test', > 'ldb_tdb_test', > 'ldb_match_test', >@@ -644,7 +643,9 @@ def test(ctx): > # on operations which the TDB backend does not currently > # support > # 'ldb_key_value_sub_txn_tdb_test' >- 'ldb_parse_test'] >+ 'ldb_parse_test', >+ 'ldb_filter_attrs_test', >+ ] > > # if LIB_LDAP and LIB_LBER defined, then we can test ldb_ldap backend > # behavior regression for bz#14413 >-- >2.25.1 > > >From 7fea69a152a80f0289c08f5e9346697525970397 Mon Sep 17 00:00:00 2001 >From: Andrew Bartlett <abartlet@samba.org> >Date: Fri, 3 Mar 2023 17:23:42 +1300 >Subject: [PATCH 12/39] CVE-2023-0614 ldb: Add function to take ownership of an > ldb message > >Many places in Samba depend upon various components of an ldb message >being talloc allocated, and hence able to be used as talloc contexts. >The elements and values of an unpacked ldb message point to unowned data >inside the memory-mapped database, and this function ensures that such >messages have talloc ownership of said elements and values. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270 > >Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> >Reviewed-by: Andrew Bartlett <abartlet@samba.org> >--- > lib/ldb/ABI/ldb-2.8.0.sigs | 1 + > lib/ldb/common/ldb_pack.c | 41 ++++++++++++++++++++++++++++++++++++ > lib/ldb/include/ldb_module.h | 4 ++++ > 3 files changed, 46 insertions(+) > >diff --git a/lib/ldb/ABI/ldb-2.8.0.sigs b/lib/ldb/ABI/ldb-2.8.0.sigs >index 37bbfc56b12..02bb2ee2ab2 100644 >--- a/lib/ldb/ABI/ldb-2.8.0.sigs >+++ b/lib/ldb/ABI/ldb-2.8.0.sigs >@@ -176,6 +176,7 @@ ldb_msg_element_compare_name: int (struct ldb_message_element *, struct ldb_mess > ldb_msg_element_equal_ordered: bool (const struct ldb_message_element *, const struct ldb_message_element *) > ldb_msg_element_is_inaccessible: bool (const struct ldb_message_element *) > ldb_msg_element_mark_inaccessible: void (struct ldb_message_element *) >+ldb_msg_elements_take_ownership: int (struct ldb_message *) > ldb_msg_find_attr_as_bool: int (const struct ldb_message *, const char *, int) > ldb_msg_find_attr_as_dn: struct ldb_dn *(struct ldb_context *, TALLOC_CTX *, const struct ldb_message *, const char *) > ldb_msg_find_attr_as_double: double (const struct ldb_message *, const char *, double) >diff --git a/lib/ldb/common/ldb_pack.c b/lib/ldb/common/ldb_pack.c >index e7dd364008a..028d96a619a 100644 >--- a/lib/ldb/common/ldb_pack.c >+++ b/lib/ldb/common/ldb_pack.c >@@ -690,6 +690,7 @@ static int ldb_unpack_data_flags_v1(struct ldb_context *ldb, > element->values = NULL; > if ((flags & LDB_UNPACK_DATA_FLAG_NO_VALUES_ALLOC) && element->num_values == 1) { > element->values = &ldb_val_single_array[nelem]; >+ element->flags |= LDB_FLAG_INTERNAL_SHARED_VALUES; > } else if (element->num_values != 0) { > element->values = talloc_array(message->elements, > struct ldb_val, >@@ -932,6 +933,7 @@ static int ldb_unpack_data_flags_v2(struct ldb_context *ldb, > if ((flags & LDB_UNPACK_DATA_FLAG_NO_VALUES_ALLOC) && > element->num_values == 1) { > element->values = &ldb_val_single_array[nelem]; >+ element->flags |= LDB_FLAG_INTERNAL_SHARED_VALUES; > } else if (element->num_values != 0) { > element->values = talloc_array(message->elements, > struct ldb_val, >@@ -1259,3 +1261,42 @@ failed: > TALLOC_FREE(filtered_msg->elements); > return -1; > } >+ >+/* Have an unpacked ldb message take talloc ownership of its elements. */ >+int ldb_msg_elements_take_ownership(struct ldb_message *msg) >+{ >+ unsigned int i = 0; >+ >+ for (i = 0; i < msg->num_elements; i++) { >+ struct ldb_message_element *el = &msg->elements[i]; >+ const char *name; >+ unsigned int j; >+ >+ name = talloc_strdup(msg->elements, >+ el->name); >+ if (name == NULL) { >+ return -1; >+ } >+ el->name = name; >+ >+ if (el->flags & LDB_FLAG_INTERNAL_SHARED_VALUES) { >+ struct ldb_val *values = talloc_memdup(msg->elements, el->values, >+ sizeof(struct ldb_val) * el->num_values); >+ if (values == NULL) { >+ return -1; >+ } >+ el->values = values; >+ el->flags &= ~LDB_FLAG_INTERNAL_SHARED_VALUES; >+ } >+ >+ for (j = 0; j < el->num_values; j++) { >+ struct ldb_val val = ldb_val_dup(el->values, &el->values[j]); >+ if (val.data == NULL && el->values[j].length != 0) { >+ return -1; >+ } >+ el->values[j] = val; >+ } >+ } >+ >+ return LDB_SUCCESS; >+} >diff --git a/lib/ldb/include/ldb_module.h b/lib/ldb/include/ldb_module.h >index 8481fd3991a..8c7f33496fb 100644 >--- a/lib/ldb/include/ldb_module.h >+++ b/lib/ldb/include/ldb_module.h >@@ -542,6 +542,10 @@ int ldb_filter_attrs(struct ldb_context *ldb, > const struct ldb_message *msg, > const char *const *attrs, > struct ldb_message *filtered_msg); >+ >+/* Have an unpacked ldb message take talloc ownership of its elements. */ >+int ldb_msg_elements_take_ownership(struct ldb_message *msg); >+ > /* > * Unpack a ldb message from a linear buffer in ldb_val > * >-- >2.25.1 > > >From 7b79babacf45c55500f38d1d1cde5ae22e45949a Mon Sep 17 00:00:00 2001 >From: Andrew Bartlett <abartlet@samba.org> >Date: Fri, 3 Mar 2023 17:26:04 +1300 >Subject: [PATCH 13/39] CVE-2023-0614 ldb: Add function to remove excess > capacity from an ldb message > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270 > >Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> >Reviewed-by: Andrew Bartlett <abartlet@samba.org> >--- > lib/ldb/ABI/ldb-2.8.0.sigs | 1 + > lib/ldb/common/ldb_msg.c | 16 ++++++++++++++++ > lib/ldb/include/ldb_private.h | 3 +++ > 3 files changed, 20 insertions(+) > >diff --git a/lib/ldb/ABI/ldb-2.8.0.sigs b/lib/ldb/ABI/ldb-2.8.0.sigs >index 02bb2ee2ab2..296da92a839 100644 >--- a/lib/ldb/ABI/ldb-2.8.0.sigs >+++ b/lib/ldb/ABI/ldb-2.8.0.sigs >@@ -197,6 +197,7 @@ ldb_msg_remove_element: void (struct ldb_message *, struct ldb_message_element * > ldb_msg_remove_inaccessible: void (struct ldb_message *) > ldb_msg_rename_attr: int (struct ldb_message *, const char *, const char *) > ldb_msg_sanity_check: int (struct ldb_context *, const struct ldb_message *) >+ldb_msg_shrink_to_fit: void (struct ldb_message *) > ldb_msg_sort_elements: void (struct ldb_message *) > ldb_next_del_trans: int (struct ldb_module *) > ldb_next_end_trans: int (struct ldb_module *) >diff --git a/lib/ldb/common/ldb_msg.c b/lib/ldb/common/ldb_msg.c >index 3e8987147fd..6a96d19e0d2 100644 >--- a/lib/ldb/common/ldb_msg.c >+++ b/lib/ldb/common/ldb_msg.c >@@ -1504,6 +1504,22 @@ void ldb_msg_remove_attr(struct ldb_message *msg, const char *attr) > msg->num_elements -= num_del; > } > >+/* Reallocate elements to drop any excess capacity. */ >+void ldb_msg_shrink_to_fit(struct ldb_message *msg) >+{ >+ if (msg->num_elements > 0) { >+ struct ldb_message_element *elements = talloc_realloc(msg, >+ msg->elements, >+ struct ldb_message_element, >+ msg->num_elements); >+ if (elements != NULL) { >+ msg->elements = elements; >+ } >+ } else { >+ TALLOC_FREE(msg->elements); >+ } >+} >+ > /* > return a LDAP formatted GeneralizedTime string > */ >diff --git a/lib/ldb/include/ldb_private.h b/lib/ldb/include/ldb_private.h >index 7d9a47c8ef3..f6f47c28cf3 100644 >--- a/lib/ldb/include/ldb_private.h >+++ b/lib/ldb/include/ldb_private.h >@@ -317,6 +317,9 @@ int ldb_match_message(struct ldb_context *ldb, > const struct ldb_parse_tree *tree, > enum ldb_scope scope, bool *matched); > >+/* Reallocate elements to drop any excess capacity. */ >+void ldb_msg_shrink_to_fit(struct ldb_message *msg); >+ > /** > * @brief Convert a character to uppercase with ASCII precedence. > * >-- >2.25.1 > > >From 6e98a1a118ef294d104d3ff4d2fa3b144d9622c4 Mon Sep 17 00:00:00 2001 >From: Andrew Bartlett <abartlet@samba.org> >Date: Fri, 3 Mar 2023 17:27:38 +1300 >Subject: [PATCH 14/39] CVE-2023-0614 ldb: Add function to add > distinguishedName to message > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270 > >Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> >Reviewed-by: Andrew Bartlett <abartlet@samba.org> >--- > lib/ldb/ABI/ldb-2.8.0.sigs | 1 + > lib/ldb/common/ldb_pack.c | 6 +++--- > lib/ldb/include/ldb_private.h | 5 +++++ > 3 files changed, 9 insertions(+), 3 deletions(-) > >diff --git a/lib/ldb/ABI/ldb-2.8.0.sigs b/lib/ldb/ABI/ldb-2.8.0.sigs >index 296da92a839..4b3f246bb9e 100644 >--- a/lib/ldb/ABI/ldb-2.8.0.sigs >+++ b/lib/ldb/ABI/ldb-2.8.0.sigs >@@ -149,6 +149,7 @@ ldb_modules_hook: int (struct ldb_context *, enum ldb_module_hook_type) > ldb_modules_list_from_string: const char **(struct ldb_context *, TALLOC_CTX *, const char *) > ldb_modules_load: int (const char *, const char *) > ldb_msg_add: int (struct ldb_message *, const struct ldb_message_element *, int) >+ldb_msg_add_distinguished_name: int (struct ldb_message *) > ldb_msg_add_empty: int (struct ldb_message *, const char *, int, struct ldb_message_element **) > ldb_msg_add_fmt: int (struct ldb_message *, const char *, const char *, ...) > ldb_msg_add_linearized_dn: int (struct ldb_message *, const char *, struct ldb_dn *) >diff --git a/lib/ldb/common/ldb_pack.c b/lib/ldb/common/ldb_pack.c >index 028d96a619a..b0b0d64a5ba 100644 >--- a/lib/ldb/common/ldb_pack.c >+++ b/lib/ldb/common/ldb_pack.c >@@ -1098,7 +1098,7 @@ int ldb_unpack_data(struct ldb_context *ldb, > /* > add the special distinguishedName element > */ >-static int msg_add_distinguished_name(struct ldb_message *msg) >+int ldb_msg_add_distinguished_name(struct ldb_message *msg) > { > const char *dn_attr = "distinguishedName"; > char *dn = NULL; >@@ -1158,7 +1158,7 @@ int ldb_filter_attrs(struct ldb_context *ldb, > > /* Shortcuts for the simple cases */ > } else if (add_dn && i == 1) { >- if (msg_add_distinguished_name(filtered_msg) != 0) { >+ if (ldb_msg_add_distinguished_name(filtered_msg) != 0) { > goto failed; > } > return 0; >@@ -1238,7 +1238,7 @@ int ldb_filter_attrs(struct ldb_context *ldb, > filtered_msg->num_elements = num_elements; > > if (add_dn) { >- if (msg_add_distinguished_name(filtered_msg) != 0) { >+ if (ldb_msg_add_distinguished_name(filtered_msg) != 0) { > goto failed; > } > } >diff --git a/lib/ldb/include/ldb_private.h b/lib/ldb/include/ldb_private.h >index f6f47c28cf3..c6cff44942a 100644 >--- a/lib/ldb/include/ldb_private.h >+++ b/lib/ldb/include/ldb_private.h >@@ -320,6 +320,11 @@ int ldb_match_message(struct ldb_context *ldb, > /* Reallocate elements to drop any excess capacity. */ > void ldb_msg_shrink_to_fit(struct ldb_message *msg); > >+/* >+ add the special distinguishedName element >+*/ >+int ldb_msg_add_distinguished_name(struct ldb_message *msg); >+ > /** > * @brief Convert a character to uppercase with ASCII precedence. > * >-- >2.25.1 > > >From 63f41df82b255bf4cb243894811c45e6f89f9dad Mon Sep 17 00:00:00 2001 >From: Andrew Bartlett <abartlet@samba.org> >Date: Fri, 3 Mar 2023 17:29:03 +1300 >Subject: [PATCH 15/39] CVE-2023-0614 ldb: Add function to filter message in > place > >At present this function is an exact duplicate of ldb_filter_attrs(), >but in the next commit we shall modify it to work in place, without the >need for the allocation of a second message. > >The test is a near duplicate of the existing test for >ldb_filter_attrs(). > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270 > >Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> >Reviewed-by: Andrew Bartlett <abartlet@samba.org> >--- > lib/ldb/ABI/ldb-2.8.0.sigs | 1 + > lib/ldb/common/ldb_pack.c | 143 +++ > lib/ldb/include/ldb_module.h | 10 + > .../tests/ldb_filter_attrs_in_place_test.c | 989 ++++++++++++++++++ > lib/ldb/wscript | 6 + > 5 files changed, 1149 insertions(+) > create mode 100644 lib/ldb/tests/ldb_filter_attrs_in_place_test.c > >diff --git a/lib/ldb/ABI/ldb-2.8.0.sigs b/lib/ldb/ABI/ldb-2.8.0.sigs >index 4b3f246bb9e..309fda6b7ed 100644 >--- a/lib/ldb/ABI/ldb-2.8.0.sigs >+++ b/lib/ldb/ABI/ldb-2.8.0.sigs >@@ -86,6 +86,7 @@ ldb_errstring: const char *(struct ldb_context *) > ldb_extended: int (struct ldb_context *, const char *, void *, struct ldb_result **) > ldb_extended_default_callback: int (struct ldb_request *, struct ldb_reply *) > ldb_filter_attrs: int (struct ldb_context *, const struct ldb_message *, const char * const *, struct ldb_message *) >+ldb_filter_attrs_in_place: int (struct ldb_context *, const struct ldb_message *, const char * const *, struct ldb_message *) > ldb_filter_from_tree: char *(TALLOC_CTX *, const struct ldb_parse_tree *) > ldb_get_config_basedn: struct ldb_dn *(struct ldb_context *) > ldb_get_create_perms: unsigned int (struct ldb_context *) >diff --git a/lib/ldb/common/ldb_pack.c b/lib/ldb/common/ldb_pack.c >index b0b0d64a5ba..f19ac73fa5e 100644 >--- a/lib/ldb/common/ldb_pack.c >+++ b/lib/ldb/common/ldb_pack.c >@@ -1262,6 +1262,149 @@ failed: > return -1; > } > >+/* >+ * filter the specified list of attributes from msg, >+ * adding requested attributes, and perhaps all for *, >+ * but not the DN to filtered_msg. >+ */ >+int ldb_filter_attrs_in_place(struct ldb_context *ldb, >+ const struct ldb_message *msg, >+ const char *const *attrs, >+ struct ldb_message *filtered_msg) >+{ >+ unsigned int i; >+ bool keep_all = false; >+ bool add_dn = false; >+ uint32_t num_elements; >+ uint32_t elements_size; >+ >+ if (attrs) { >+ /* check for special attrs */ >+ for (i = 0; attrs[i]; i++) { >+ int cmp = strcmp(attrs[i], "*"); >+ if (cmp == 0) { >+ keep_all = true; >+ break; >+ } >+ cmp = ldb_attr_cmp(attrs[i], "distinguishedName"); >+ if (cmp == 0) { >+ add_dn = true; >+ } >+ } >+ } else { >+ keep_all = true; >+ } >+ >+ if (keep_all) { >+ add_dn = true; >+ elements_size = msg->num_elements + 1; >+ >+ /* Shortcuts for the simple cases */ >+ } else if (add_dn && i == 1) { >+ if (ldb_msg_add_distinguished_name(filtered_msg) != 0) { >+ goto failed; >+ } >+ return 0; >+ } else if (i == 0) { >+ return 0; >+ >+ /* >+ * Otherwise we are copying at most as many elements as we >+ * have attributes >+ */ >+ } else { >+ elements_size = i; >+ } >+ >+ filtered_msg->elements = talloc_array(filtered_msg, >+ struct ldb_message_element, >+ elements_size); >+ if (filtered_msg->elements == NULL) goto failed; >+ >+ num_elements = 0; >+ >+ for (i = 0; i < msg->num_elements; i++) { >+ struct ldb_message_element *el = &msg->elements[i]; >+ >+ /* >+ * el2 is assigned after the Pigeonhole principle >+ * check below for clarity >+ */ >+ struct ldb_message_element *el2 = NULL; >+ unsigned int j; >+ >+ if (keep_all == false) { >+ bool found = false; >+ for (j = 0; attrs[j]; j++) { >+ int cmp = ldb_attr_cmp(el->name, attrs[j]); >+ if (cmp == 0) { >+ found = true; >+ break; >+ } >+ } >+ if (found == false) { >+ continue; >+ } >+ } >+ >+ /* >+ * Pigeonhole principle: we can't have more elements >+ * than the number of attributes if they are unique in >+ * the DB. >+ */ >+ if (num_elements >= elements_size) { >+ goto failed; >+ } >+ >+ el2 = &filtered_msg->elements[num_elements]; >+ >+ *el2 = *el; >+ el2->name = talloc_strdup(filtered_msg->elements, >+ el->name); >+ if (el2->name == NULL) { >+ goto failed; >+ } >+ el2->values = talloc_array(filtered_msg->elements, >+ struct ldb_val, el->num_values); >+ if (el2->values == NULL) { >+ goto failed; >+ } >+ for (j=0;j<el->num_values;j++) { >+ el2->values[j] = ldb_val_dup(el2->values, &el->values[j]); >+ if (el2->values[j].data == NULL && el->values[j].length != 0) { >+ goto failed; >+ } >+ } >+ num_elements++; >+ } >+ >+ filtered_msg->num_elements = num_elements; >+ >+ if (add_dn) { >+ if (ldb_msg_add_distinguished_name(filtered_msg) != 0) { >+ goto failed; >+ } >+ } >+ >+ if (filtered_msg->num_elements > 0) { >+ filtered_msg->elements >+ = talloc_realloc(filtered_msg, >+ filtered_msg->elements, >+ struct ldb_message_element, >+ filtered_msg->num_elements); >+ if (filtered_msg->elements == NULL) { >+ goto failed; >+ } >+ } else { >+ TALLOC_FREE(filtered_msg->elements); >+ } >+ >+ return 0; >+failed: >+ TALLOC_FREE(filtered_msg->elements); >+ return -1; >+} >+ > /* Have an unpacked ldb message take talloc ownership of its elements. */ > int ldb_msg_elements_take_ownership(struct ldb_message *msg) > { >diff --git a/lib/ldb/include/ldb_module.h b/lib/ldb/include/ldb_module.h >index 8c7f33496fb..105093cf38c 100644 >--- a/lib/ldb/include/ldb_module.h >+++ b/lib/ldb/include/ldb_module.h >@@ -543,6 +543,16 @@ int ldb_filter_attrs(struct ldb_context *ldb, > const char *const *attrs, > struct ldb_message *filtered_msg); > >+/* >+ * filter the specified list of attributes from msg, >+ * adding requested attributes, and perhaps all for *, >+ * but not the DN to filtered_msg. >+ */ >+int ldb_filter_attrs_in_place(struct ldb_context *ldb, >+ const struct ldb_message *msg, >+ const char *const *attrs, >+ struct ldb_message *filtered_msg); >+ > /* Have an unpacked ldb message take talloc ownership of its elements. */ > int ldb_msg_elements_take_ownership(struct ldb_message *msg); > >diff --git a/lib/ldb/tests/ldb_filter_attrs_in_place_test.c b/lib/ldb/tests/ldb_filter_attrs_in_place_test.c >new file mode 100644 >index 00000000000..bef961f8f9c >--- /dev/null >+++ b/lib/ldb/tests/ldb_filter_attrs_in_place_test.c >@@ -0,0 +1,989 @@ >+/* >+ * Tests exercising ldb_filter_attrs_in_place(). >+ * >+ * >+ * Copyright (C) Catalyst.NET Ltd 2017 >+ * Copyright (C) Andrew Bartlett <abartlet@samba.org> 2019 >+ * >+ * This program is free software; you can redistribute it and/or modify >+ * it under the terms of the GNU General Public License as published by >+ * the Free Software Foundation; either version 3 of the License, or >+ * (at your option) any later version. >+ * >+ * This program is distributed in the hope that it will be useful, >+ * but WITHOUT ANY WARRANTY; without even the implied warranty of >+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the >+ * GNU General Public License for more details. >+ * >+ * You should have received a copy of the GNU General Public License >+ * along with this program. If not, see <http://www.gnu.org/licenses/>. >+ * >+ */ >+ >+/* >+ * from cmocka.c: >+ * These headers or their equivalents should be included prior to >+ * including >+ * this header file. >+ * >+ * #include <stdarg.h> >+ * #include <stddef.h> >+ * #include <setjmp.h> >+ * >+ * This allows test applications to use custom definitions of C standard >+ * library functions and types. >+ */ >+#include <stdarg.h> >+#include <stddef.h> >+#include <stdint.h> >+#include <string.h> >+#include <setjmp.h> >+#include <cmocka.h> >+ >+#include "../include/ldb.h" >+#include "../include/ldb_module.h" >+ >+struct ldbtest_ctx { >+ struct tevent_context *ev; >+ struct ldb_context *ldb; >+}; >+ >+/* >+ * NOTE WELL: >+ * >+ * This test checks the current behaviour of the function, however >+ * this is not in a public ABI and many of the tested behaviours are >+ * not ideal. If the behaviour is deliberatly improved, this test >+ * should be updated without worry to the new better behaviour. >+ * >+ * In particular the test is particularly to ensure the current >+ * behaviour is memory-safe. >+ */ >+ >+static int setup(void **state) >+{ >+ struct ldbtest_ctx *test_ctx; >+ >+ test_ctx = talloc_zero(NULL, struct ldbtest_ctx); >+ assert_non_null(test_ctx); >+ >+ test_ctx->ev = tevent_context_init(test_ctx); >+ assert_non_null(test_ctx->ev); >+ >+ test_ctx->ldb = ldb_init(test_ctx, test_ctx->ev); >+ assert_non_null(test_ctx->ldb); >+ >+ *state = test_ctx; >+ return 0; >+} >+ >+static int teardown(void **state) >+{ >+ talloc_free(*state); >+ return 0; >+} >+ >+ >+/* >+ * Test against a record with only one attribute, matching the one in >+ * the list >+ */ >+static void test_filter_attrs_one_attr_matched(void **state) >+{ >+ struct ldbtest_ctx *ctx = *state; >+ int ret; >+ >+ struct ldb_message *filtered_msg = ldb_msg_new(ctx); >+ >+ const char *attrs[] = {"foo", NULL}; >+ >+ char value[] = "The value.......end"; >+ struct ldb_val value_1 = { >+ .data = (uint8_t *)value, >+ .length = strlen(value) >+ }; >+ struct ldb_message_element element_1 = { >+ .name = "foo", >+ .num_values = 1, >+ .values = &value_1 >+ }; >+ struct ldb_message in = { >+ .dn = ldb_dn_new(ctx, ctx->ldb, "dc=samba,dc=org"), >+ .num_elements = 1, >+ .elements = &element_1, >+ }; >+ >+ assert_non_null(in.dn); >+ >+ ret = ldb_filter_attrs_in_place(ctx->ldb, >+ &in, >+ attrs, >+ filtered_msg); >+ assert_int_equal(ret, LDB_SUCCESS); >+ assert_non_null(filtered_msg); >+ >+ /* >+ * assert the ldb_filter_attrs_in_place does not read or modify >+ * filtered_msg.dn in this case >+ */ >+ assert_null(filtered_msg->dn); >+ assert_int_equal(filtered_msg->num_elements, 1); >+ assert_string_equal(filtered_msg->elements[0].name, "foo"); >+ assert_int_equal(filtered_msg->elements[0].num_values, 1); >+ assert_int_equal(filtered_msg->elements[0].values[0].length, >+ strlen(value)); >+ assert_memory_equal(filtered_msg->elements[0].values[0].data, >+ value, strlen(value)); >+} >+ >+/* >+ * Test against a record with only one attribute, matching the one of >+ * the multiple attributes in the list >+ */ >+static void test_filter_attrs_one_attr_matched_of_many(void **state) >+{ >+ struct ldbtest_ctx *ctx = *state; >+ int ret; >+ >+ struct ldb_message *filtered_msg = ldb_msg_new(ctx); >+ >+ const char *attrs[] = {"foo", "bar", "baz", NULL}; >+ >+ char value[] = "The value.......end"; >+ struct ldb_val value_1 = { >+ .data = (uint8_t *)value, >+ .length = strlen(value) >+ }; >+ struct ldb_message_element element_1 = { >+ .name = "foo", >+ .num_values = 1, >+ .values = &value_1 >+ }; >+ struct ldb_message in = { >+ .dn = ldb_dn_new(ctx, ctx->ldb, "dc=samba,dc=org"), >+ .num_elements = 1, >+ .elements = &element_1, >+ }; >+ >+ assert_non_null(in.dn); >+ >+ ret = ldb_filter_attrs_in_place(ctx->ldb, >+ &in, >+ attrs, >+ filtered_msg); >+ assert_int_equal(ret, LDB_SUCCESS); >+ assert_non_null(filtered_msg); >+ >+ /* >+ * assert the ldb_filter_attrs_in_place does not read or modify >+ * filtered_msg.dn in this case >+ */ >+ assert_null(filtered_msg->dn); >+ assert_int_equal(filtered_msg->num_elements, 1); >+ assert_string_equal(filtered_msg->elements[0].name, "foo"); >+ assert_int_equal(filtered_msg->elements[0].num_values, 1); >+ assert_int_equal(filtered_msg->elements[0].values[0].length, >+ strlen(value)); >+ assert_memory_equal(filtered_msg->elements[0].values[0].data, >+ value, strlen(value)); >+} >+ >+/* >+ * Test against a record with only one attribute, matching both >+ * attributes in the list >+ */ >+static void test_filter_attrs_two_attr_matched_attrs(void **state) >+{ >+ struct ldbtest_ctx *ctx = *state; >+ int ret; >+ >+ struct ldb_message *filtered_msg = ldb_msg_new(ctx); >+ >+ /* deliberatly the other order */ >+ const char *attrs[] = {"bar", "foo", NULL}; >+ >+ char value1[] = "The value.......end"; >+ char value2[] = "The value..MUST.end"; >+ struct ldb_val value_1 = { >+ .data = (uint8_t *)value1, >+ .length = strlen(value1) >+ }; >+ struct ldb_val value_2 = { >+ .data = (uint8_t *)value2, >+ .length = strlen(value2) >+ }; >+ >+ /* foo and bar are the other order to in attrs */ >+ struct ldb_message_element elements[] = { >+ { >+ .name = "foo", >+ .num_values = 1, >+ .values = &value_1 >+ }, >+ { >+ .name = "bar", >+ .num_values = 1, >+ .values = &value_2 >+ } >+ }; >+ struct ldb_message in = { >+ .dn = ldb_dn_new(ctx, ctx->ldb, "dc=samba,dc=org"), >+ .num_elements = 2, >+ .elements = elements, >+ }; >+ >+ assert_non_null(in.dn); >+ >+ ret = ldb_filter_attrs_in_place(ctx->ldb, >+ &in, >+ attrs, >+ filtered_msg); >+ assert_int_equal(ret, LDB_SUCCESS); >+ assert_non_null(filtered_msg); >+ assert_int_equal(filtered_msg->num_elements, 2); >+ >+ /* >+ * assert the ldb_filter_attrs_in_place does not read or modify >+ * filtered_msg.dn in this case >+ */ >+ assert_null(filtered_msg->dn); >+ >+ /* Assert that DB order is preserved */ >+ assert_string_equal(filtered_msg->elements[0].name, "foo"); >+ assert_int_equal(filtered_msg->elements[0].num_values, 1); >+ assert_int_equal(filtered_msg->elements[0].values[0].length, >+ strlen(value1)); >+ assert_memory_equal(filtered_msg->elements[0].values[0].data, >+ value1, strlen(value1)); >+ assert_string_equal(filtered_msg->elements[1].name, "bar"); >+ assert_int_equal(filtered_msg->elements[1].num_values, 1); >+ assert_int_equal(filtered_msg->elements[1].values[0].length, >+ strlen(value2)); >+ assert_memory_equal(filtered_msg->elements[1].values[0].data, >+ value2, strlen(value2)); >+} >+ >+/* >+ * Test against a record with two attributes, only of which is in >+ * the list >+ */ >+static void test_filter_attrs_two_attr_matched_one_attr(void **state) >+{ >+ struct ldbtest_ctx *ctx = *state; >+ int ret; >+ >+ struct ldb_message *filtered_msg = ldb_msg_new(ctx); >+ >+ /* deliberatly the other order */ >+ const char *attrs[] = {"bar", NULL}; >+ >+ char value1[] = "The value.......end"; >+ char value2[] = "The value..MUST.end"; >+ struct ldb_val value_1 = { >+ .data = (uint8_t *)value1, >+ .length = strlen(value1) >+ }; >+ struct ldb_val value_2 = { >+ .data = (uint8_t *)value2, >+ .length = strlen(value2) >+ }; >+ >+ /* foo and bar are the other order to in attrs */ >+ struct ldb_message_element elements[] = { >+ { >+ .name = "foo", >+ .num_values = 1, >+ .values = &value_1 >+ }, >+ { >+ .name = "bar", >+ .num_values = 1, >+ .values = &value_2 >+ } >+ }; >+ struct ldb_message in = { >+ .dn = ldb_dn_new(ctx, ctx->ldb, "dc=samba,dc=org"), >+ .num_elements = 2, >+ .elements = elements, >+ }; >+ >+ assert_non_null(in.dn); >+ >+ ret = ldb_filter_attrs_in_place(ctx->ldb, >+ &in, >+ attrs, >+ filtered_msg); >+ assert_int_equal(ret, LDB_SUCCESS); >+ assert_non_null(filtered_msg); >+ assert_int_equal(filtered_msg->num_elements, 1); >+ >+ /* >+ * assert the ldb_filter_attrs_in_place does not read or modify >+ * filtered_msg.dn in this case >+ */ >+ assert_null(filtered_msg->dn); >+ >+ /* Assert that DB order is preserved */ >+ assert_string_equal(filtered_msg->elements[0].name, "bar"); >+ assert_int_equal(filtered_msg->elements[0].num_values, 1); >+ assert_int_equal(filtered_msg->elements[0].values[0].length, >+ strlen(value2)); >+ assert_memory_equal(filtered_msg->elements[0].values[0].data, >+ value2, strlen(value2)); >+} >+ >+/* >+ * Test against a record with two attributes, both matching the one >+ * specified attribute in the list (a corrupt record) >+ */ >+static void test_filter_attrs_two_dup_attr_matched_one_attr(void **state) >+{ >+ struct ldbtest_ctx *ctx = *state; >+ int ret; >+ >+ struct ldb_message *filtered_msg = ldb_msg_new(ctx); >+ >+ /* deliberatly the other order */ >+ const char *attrs[] = {"bar", NULL}; >+ >+ char value1[] = "The value.......end"; >+ char value2[] = "The value..MUST.end"; >+ struct ldb_val value_1 = { >+ .data = (uint8_t *)value1, >+ .length = strlen(value1) >+ }; >+ struct ldb_val value_2 = { >+ .data = (uint8_t *)value2, >+ .length = strlen(value2) >+ }; >+ >+ /* foo and bar are the other order to in attrs */ >+ struct ldb_message_element elements[] = { >+ { >+ .name = "bar", >+ .num_values = 1, >+ .values = &value_1 >+ }, >+ { >+ .name = "bar", >+ .num_values = 1, >+ .values = &value_2 >+ } >+ }; >+ struct ldb_message in = { >+ .dn = ldb_dn_new(ctx, ctx->ldb, "dc=samba,dc=org"), >+ .num_elements = 2, >+ .elements = elements, >+ }; >+ >+ assert_non_null(in.dn); >+ >+ ret = ldb_filter_attrs_in_place(ctx->ldb, >+ &in, >+ attrs, >+ filtered_msg); >+ >+ /* This should fail the pidgenhole test */ >+ assert_int_equal(ret, -1); >+ assert_null(filtered_msg->elements); >+} >+ >+/* >+ * Test against a record with two attributes, both matching the one >+ * specified attribute in the list (a corrupt record) >+ */ >+static void test_filter_attrs_two_dup_attr_matched_dup(void **state) >+{ >+ struct ldbtest_ctx *ctx = *state; >+ int ret; >+ >+ struct ldb_message *filtered_msg = ldb_msg_new(ctx); >+ >+ const char *attrs[] = {"bar", "bar", NULL}; >+ >+ char value1[] = "The value.......end"; >+ char value2[] = "The value..MUST.end"; >+ struct ldb_val value_1 = { >+ .data = (uint8_t *)value1, >+ .length = strlen(value1) >+ }; >+ struct ldb_val value_2 = { >+ .data = (uint8_t *)value2, >+ .length = strlen(value2) >+ }; >+ >+ /* foo and bar are the other order to in attrs */ >+ struct ldb_message_element elements[] = { >+ { >+ .name = "bar", >+ .num_values = 1, >+ .values = &value_1 >+ }, >+ { >+ .name = "bar", >+ .num_values = 1, >+ .values = &value_2 >+ } >+ }; >+ struct ldb_message in = { >+ .dn = ldb_dn_new(ctx, ctx->ldb, "dc=samba,dc=org"), >+ .num_elements = 2, >+ .elements = elements, >+ }; >+ >+ assert_non_null(in.dn); >+ >+ ret = ldb_filter_attrs_in_place(ctx->ldb, >+ &in, >+ attrs, >+ filtered_msg); >+ >+ /* This does not fail the pidgenhole test */ >+ assert_int_equal(ret, LDB_SUCCESS); >+ assert_int_equal(filtered_msg->num_elements, 2); >+ >+ /* Assert that DB order is preserved */ >+ assert_string_equal(filtered_msg->elements[0].name, "bar"); >+ assert_int_equal(filtered_msg->elements[0].num_values, 1); >+ assert_int_equal(filtered_msg->elements[0].values[0].length, >+ strlen(value1)); >+ assert_memory_equal(filtered_msg->elements[0].values[0].data, >+ value1, strlen(value1)); >+ assert_string_equal(filtered_msg->elements[1].name, "bar"); >+ assert_int_equal(filtered_msg->elements[1].num_values, 1); >+ assert_int_equal(filtered_msg->elements[1].values[0].length, >+ strlen(value2)); >+ assert_memory_equal(filtered_msg->elements[1].values[0].data, >+ value2, strlen(value2)); >+} >+ >+/* >+ * Test against a record with two attributes, both matching one of the >+ * specified attributes in the list (a corrupt record) >+ */ >+static void test_filter_attrs_two_dup_attr_matched_one_of_two(void **state) >+{ >+ struct ldbtest_ctx *ctx = *state; >+ int ret; >+ >+ struct ldb_message *filtered_msg = ldb_msg_new(ctx); >+ >+ const char *attrs[] = {"bar", "foo", NULL}; >+ >+ char value1[] = "The value.......end"; >+ char value2[] = "The value..MUST.end"; >+ struct ldb_val value_1 = { >+ .data = (uint8_t *)value1, >+ .length = strlen(value1) >+ }; >+ struct ldb_val value_2 = { >+ .data = (uint8_t *)value2, >+ .length = strlen(value2) >+ }; >+ >+ /* foo and bar are the other order to in attrs */ >+ struct ldb_message_element elements[] = { >+ { >+ .name = "bar", >+ .num_values = 1, >+ .values = &value_1 >+ }, >+ { >+ .name = "bar", >+ .num_values = 1, >+ .values = &value_2 >+ } >+ }; >+ struct ldb_message in = { >+ .dn = ldb_dn_new(ctx, ctx->ldb, "dc=samba,dc=org"), >+ .num_elements = 2, >+ .elements = elements, >+ }; >+ >+ assert_non_null(in.dn); >+ >+ ret = ldb_filter_attrs_in_place(ctx->ldb, >+ &in, >+ attrs, >+ filtered_msg); >+ >+ /* This does not fail the pidgenhole test */ >+ assert_int_equal(ret, LDB_SUCCESS); >+ assert_int_equal(filtered_msg->num_elements, 2); >+ >+ /* Assert that DB order is preserved */ >+ assert_string_equal(filtered_msg->elements[0].name, "bar"); >+ assert_int_equal(filtered_msg->elements[0].num_values, 1); >+ assert_int_equal(filtered_msg->elements[0].values[0].length, >+ strlen(value1)); >+ assert_memory_equal(filtered_msg->elements[0].values[0].data, >+ value1, strlen(value1)); >+ assert_string_equal(filtered_msg->elements[1].name, "bar"); >+ assert_int_equal(filtered_msg->elements[1].num_values, 1); >+ assert_int_equal(filtered_msg->elements[1].values[0].length, >+ strlen(value2)); >+ assert_memory_equal(filtered_msg->elements[1].values[0].data, >+ value2, strlen(value2)); >+} >+ >+/* >+ * Test against a record with two attributes against * (but not the >+ * other named attribute) (a corrupt record) >+ */ >+static void test_filter_attrs_two_dup_attr_matched_star(void **state) >+{ >+ struct ldbtest_ctx *ctx = *state; >+ int ret; >+ >+ struct ldb_message *filtered_msg = ldb_msg_new(ctx); >+ >+ const char *attrs[] = {"*", "foo", NULL}; >+ >+ char value1[] = "The value.......end"; >+ char value2[] = "The value..MUST.end"; >+ struct ldb_val value_1 = { >+ .data = (uint8_t *)value1, >+ .length = strlen(value1) >+ }; >+ struct ldb_val value_2 = { >+ .data = (uint8_t *)value2, >+ .length = strlen(value2) >+ }; >+ >+ /* foo and bar are the other order to in attrs */ >+ struct ldb_message_element elements[] = { >+ { >+ .name = "bar", >+ .num_values = 1, >+ .values = &value_1 >+ }, >+ { >+ .name = "bar", >+ .num_values = 1, >+ .values = &value_2 >+ } >+ }; >+ struct ldb_message in = { >+ .dn = ldb_dn_new(ctx, ctx->ldb, "dc=samba,dc=org"), >+ .num_elements = 2, >+ .elements = elements, >+ }; >+ >+ assert_non_null(in.dn); >+ >+ /* Needed as * implies distinguishedName */ >+ filtered_msg->dn = in.dn; >+ >+ ret = ldb_filter_attrs_in_place(ctx->ldb, >+ &in, >+ attrs, >+ filtered_msg); >+ >+ /* This does not fail the pidgenhole test */ >+ assert_int_equal(ret, LDB_SUCCESS); >+ assert_int_equal(filtered_msg->num_elements, 3); >+ >+ /* Assert that DB order is preserved */ >+ assert_string_equal(filtered_msg->elements[0].name, "bar"); >+ assert_int_equal(filtered_msg->elements[0].num_values, 1); >+ assert_int_equal(filtered_msg->elements[0].values[0].length, >+ strlen(value1)); >+ assert_memory_equal(filtered_msg->elements[0].values[0].data, >+ value1, strlen(value1)); >+ assert_string_equal(filtered_msg->elements[1].name, "bar"); >+ assert_int_equal(filtered_msg->elements[1].num_values, 1); >+ assert_int_equal(filtered_msg->elements[1].values[0].length, >+ strlen(value2)); >+ assert_memory_equal(filtered_msg->elements[1].values[0].data, >+ value2, strlen(value2)); >+ /* >+ * assert the ldb_filter_attrs_in_place does not modify filtered_msg.dn >+ * in this case >+ */ >+ assert_ptr_equal(filtered_msg->dn, in.dn); >+ assert_string_equal(ldb_msg_find_attr_as_string(filtered_msg, >+ "distinguishedName", >+ NULL), >+ ldb_dn_get_linearized(in.dn)); >+} >+ >+/* >+ * Test against a record with only one attribute, matching the * in >+ * the list >+ */ >+static void test_filter_attrs_one_attr_matched_star(void **state) >+{ >+ struct ldbtest_ctx *ctx = *state; >+ int ret; >+ >+ struct ldb_message *filtered_msg = ldb_msg_new(ctx); >+ >+ const char *attrs[] = {"*", NULL}; >+ >+ char value[] = "The value.......end"; >+ struct ldb_val value_1 = { >+ .data = (uint8_t *)value, >+ .length = strlen(value) >+ }; >+ struct ldb_message_element element_1 = { >+ .name = "foo", >+ .num_values = 1, >+ .values = &value_1 >+ }; >+ struct ldb_message in = { >+ .dn = ldb_dn_new(ctx, ctx->ldb, "dc=samba,dc=org"), >+ .num_elements = 1, >+ .elements = &element_1, >+ }; >+ >+ assert_non_null(in.dn); >+ >+ /* Needed as * implies distinguishedName */ >+ filtered_msg->dn = in.dn; >+ >+ ret = ldb_filter_attrs_in_place(ctx->ldb, >+ &in, >+ attrs, >+ filtered_msg); >+ assert_int_equal(ret, LDB_SUCCESS); >+ assert_non_null(filtered_msg); >+ assert_int_equal(filtered_msg->num_elements, 2); >+ >+ /* >+ * assert the ldb_filter_attrs_in_place does not modify filtered_msg.dn >+ * in this case >+ */ >+ assert_ptr_equal(filtered_msg->dn, in.dn); >+ assert_string_equal(ldb_msg_find_attr_as_string(filtered_msg, >+ "distinguishedName", >+ NULL), >+ ldb_dn_get_linearized(in.dn)); >+ assert_string_equal(ldb_msg_find_attr_as_string(filtered_msg, >+ "foo", >+ NULL), >+ value); >+} >+ >+/* >+ * Test against a record with two attributes, matching the * in >+ * the list >+ */ >+static void test_filter_attrs_two_attr_matched_star(void **state) >+{ >+ struct ldbtest_ctx *ctx = *state; >+ int ret; >+ >+ struct ldb_message *filtered_msg = ldb_msg_new(ctx); >+ >+ const char *attrs[] = {"*", NULL}; >+ >+ char value1[] = "The value.......end"; >+ char value2[] = "The value..MUST.end"; >+ struct ldb_val value_1 = { >+ .data = (uint8_t *)value1, >+ .length = strlen(value1) >+ }; >+ struct ldb_val value_2 = { >+ .data = (uint8_t *)value2, >+ .length = strlen(value2) >+ }; >+ struct ldb_message_element elements[] = { >+ { >+ .name = "foo", >+ .num_values = 1, >+ .values = &value_1 >+ }, >+ { >+ .name = "bar", >+ .num_values = 1, >+ .values = &value_2 >+ } >+ }; >+ struct ldb_message in = { >+ .dn = ldb_dn_new(ctx, ctx->ldb, "dc=samba,dc=org"), >+ .num_elements = 2, >+ .elements = elements, >+ }; >+ >+ assert_non_null(in.dn); >+ >+ /* Needed as * implies distinguishedName */ >+ filtered_msg->dn = in.dn; >+ >+ ret = ldb_filter_attrs_in_place(ctx->ldb, >+ &in, >+ attrs, >+ filtered_msg); >+ assert_int_equal(ret, LDB_SUCCESS); >+ assert_non_null(filtered_msg); >+ assert_int_equal(filtered_msg->num_elements, 3); >+ >+ /* >+ * assert the ldb_filter_attrs_in_place does not modify filtered_msg.dn >+ * in this case >+ */ >+ assert_ptr_equal(filtered_msg->dn, in.dn); >+ assert_string_equal(ldb_msg_find_attr_as_string(filtered_msg, >+ "distinguishedName", >+ NULL), >+ ldb_dn_get_linearized(in.dn)); >+ assert_string_equal(ldb_msg_find_attr_as_string(filtered_msg, >+ "foo", >+ NULL), >+ value1); >+ assert_string_equal(ldb_msg_find_attr_as_string(filtered_msg, >+ "bar", >+ NULL), >+ value2); >+} >+ >+/* >+ * Test against a record with only one attribute, matching the * in >+ * the list, but without the DN being pre-filled. Fails due to need >+ * to contstruct the distinguishedName >+ */ >+static void test_filter_attrs_one_attr_matched_star_no_dn(void **state) >+{ >+ struct ldbtest_ctx *ctx = *state; >+ int ret; >+ >+ struct ldb_message *filtered_msg = ldb_msg_new(ctx); >+ >+ const char *attrs[] = {"*", NULL}; >+ >+ char value[] = "The value.......end"; >+ struct ldb_val value_1 = { >+ .data = (uint8_t *)value, >+ .length = strlen(value) >+ }; >+ struct ldb_message_element element_1 = { >+ .name = "foo", >+ .num_values = 1, >+ .values = &value_1 >+ }; >+ struct ldb_message in = { >+ .dn = ldb_dn_new(ctx, ctx->ldb, "dc=samba,dc=org"), >+ .num_elements = 1, >+ .elements = &element_1, >+ }; >+ >+ assert_non_null(in.dn); >+ >+ ret = ldb_filter_attrs_in_place(ctx->ldb, >+ &in, >+ attrs, >+ filtered_msg); >+ assert_int_equal(ret, -1); >+ assert_null(filtered_msg->elements); >+} >+ >+/* >+ * Test against a record with only one attribute, matching the * in >+ * the list plus requsesting distinguishedName >+ */ >+static void test_filter_attrs_one_attr_matched_star_dn(void **state) >+{ >+ struct ldbtest_ctx *ctx = *state; >+ int ret; >+ >+ struct ldb_message *filtered_msg = ldb_msg_new(ctx); >+ >+ const char *attrs[] = {"*", "distinguishedName", NULL}; >+ >+ char value[] = "The value.......end"; >+ struct ldb_val value_1 = { >+ .data = (uint8_t *)value, >+ .length = strlen(value) >+ }; >+ struct ldb_message_element element_1 = { >+ .name = "foo", >+ .num_values = 1, >+ .values = &value_1 >+ }; >+ struct ldb_message in = { >+ .dn = ldb_dn_new(ctx, ctx->ldb, "dc=samba,dc=org"), >+ .num_elements = 1, >+ .elements = &element_1, >+ }; >+ >+ assert_non_null(in.dn); >+ >+ /* Needed for distinguishedName */ >+ filtered_msg->dn = in.dn; >+ >+ ret = ldb_filter_attrs_in_place(ctx->ldb, >+ &in, >+ attrs, >+ filtered_msg); >+ assert_int_equal(ret, LDB_SUCCESS); >+ assert_non_null(filtered_msg); >+ assert_int_equal(filtered_msg->num_elements, 2); >+ >+ /* show that ldb_filter_attrs_in_place does not modify in.dn */ >+ assert_ptr_equal(filtered_msg->dn, in.dn); >+ >+ assert_string_equal(ldb_msg_find_attr_as_string(filtered_msg, >+ "distinguishedName", >+ NULL), >+ ldb_dn_get_linearized(in.dn)); >+ assert_string_equal(ldb_msg_find_attr_as_string(filtered_msg, >+ "foo", >+ NULL), >+ value); >+} >+ >+/* >+ * Test against a record with only one attribute, but returning >+ * distinguishedName from the list (only) >+ */ >+static void test_filter_attrs_one_attr_matched_dn(void **state) >+{ >+ struct ldbtest_ctx *ctx = *state; >+ int ret; >+ >+ struct ldb_message *filtered_msg = ldb_msg_new(ctx); >+ >+ const char *attrs[] = {"distinguishedName", NULL}; >+ >+ char value[] = "The value.......end"; >+ struct ldb_val value_1 = { >+ .data = (uint8_t *)value, >+ .length = strlen(value) >+ }; >+ struct ldb_message_element element_1 = { >+ .name = "foo", >+ .num_values = 1, >+ .values = &value_1 >+ }; >+ struct ldb_message in = { >+ .dn = ldb_dn_new(ctx, ctx->ldb, "dc=samba,dc=org"), >+ .num_elements = 1, >+ .elements = &element_1, >+ }; >+ >+ assert_non_null(in.dn); >+ >+ /* Needed for distinguishedName */ >+ filtered_msg->dn = in.dn; >+ >+ ret = ldb_filter_attrs_in_place(ctx->ldb, >+ &in, >+ attrs, >+ filtered_msg); >+ assert_int_equal(ret, LDB_SUCCESS); >+ assert_non_null(filtered_msg); >+ assert_int_equal(filtered_msg->num_elements, 1); >+ >+ /* show that ldb_filter_attrs_in_place does not modify in.dn */ >+ assert_ptr_equal(filtered_msg->dn, in.dn); >+ assert_string_equal(filtered_msg->elements[0].name, "distinguishedName"); >+ assert_int_equal(filtered_msg->elements[0].num_values, 1); >+ assert_string_equal(filtered_msg->elements[0].values[0].data, >+ ldb_dn_get_linearized(in.dn)); >+} >+ >+/* >+ * Test against a record with only one attribute, not matching the >+ * empty attribute list >+ */ >+static void test_filter_attrs_one_attr_empty_list(void **state) >+{ >+ struct ldbtest_ctx *ctx = *state; >+ int ret; >+ >+ struct ldb_message *filtered_msg = ldb_msg_new(ctx); >+ >+ const char *attrs[] = {NULL}; >+ >+ char value[] = "The value.......end"; >+ struct ldb_val value_1 = { >+ .data = (uint8_t *)value, >+ .length = strlen(value) >+ }; >+ struct ldb_message_element element_1 = { >+ .name = "foo", >+ .num_values = 1, >+ .values = &value_1 >+ }; >+ struct ldb_message in = { >+ .dn = ldb_dn_new(ctx, ctx->ldb, "dc=samba,dc=org"), >+ .num_elements = 1, >+ .elements = &element_1, >+ }; >+ >+ assert_non_null(in.dn); >+ >+ ret = ldb_filter_attrs_in_place(ctx->ldb, >+ &in, >+ attrs, >+ filtered_msg); >+ assert_int_equal(ret, LDB_SUCCESS); >+ assert_non_null(filtered_msg); >+ assert_int_equal(filtered_msg->num_elements, 0); >+ assert_null(filtered_msg->dn); >+ assert_null(filtered_msg->elements); >+} >+ >+int main(int argc, const char **argv) >+{ >+ const struct CMUnitTest tests[] = { >+ cmocka_unit_test_setup_teardown( >+ test_filter_attrs_one_attr_matched, >+ setup, >+ teardown), >+ cmocka_unit_test_setup_teardown( >+ test_filter_attrs_one_attr_matched_of_many, >+ setup, >+ teardown), >+ cmocka_unit_test_setup_teardown( >+ test_filter_attrs_two_attr_matched_attrs, >+ setup, >+ teardown), >+ cmocka_unit_test_setup_teardown( >+ test_filter_attrs_two_attr_matched_one_attr, >+ setup, >+ teardown), >+ cmocka_unit_test_setup_teardown( >+ test_filter_attrs_two_dup_attr_matched_one_attr, >+ setup, >+ teardown), >+ cmocka_unit_test_setup_teardown( >+ test_filter_attrs_two_dup_attr_matched_dup, >+ setup, >+ teardown), >+ cmocka_unit_test_setup_teardown( >+ test_filter_attrs_two_dup_attr_matched_one_of_two, >+ setup, >+ teardown), >+ cmocka_unit_test_setup_teardown( >+ test_filter_attrs_two_dup_attr_matched_star, >+ setup, >+ teardown), >+ cmocka_unit_test_setup_teardown( >+ test_filter_attrs_one_attr_matched_star, >+ setup, >+ teardown), >+ cmocka_unit_test_setup_teardown( >+ test_filter_attrs_two_attr_matched_star, >+ setup, >+ teardown), >+ cmocka_unit_test_setup_teardown( >+ test_filter_attrs_one_attr_matched_star_no_dn, >+ setup, >+ teardown), >+ cmocka_unit_test_setup_teardown( >+ test_filter_attrs_one_attr_matched_star_dn, >+ setup, >+ teardown), >+ cmocka_unit_test_setup_teardown( >+ test_filter_attrs_one_attr_matched_dn, >+ setup, >+ teardown), >+ cmocka_unit_test_setup_teardown( >+ test_filter_attrs_one_attr_empty_list, >+ setup, >+ teardown), >+ }; >+ >+ return cmocka_run_group_tests(tests, NULL, NULL); >+} >diff --git a/lib/ldb/wscript b/lib/ldb/wscript >index e5a8f80b0a4..083e4ba059d 100644 >--- a/lib/ldb/wscript >+++ b/lib/ldb/wscript >@@ -518,6 +518,11 @@ def build(bld): > deps='cmocka ldb ldb_tdb_err_map', > install=False) > >+ bld.SAMBA_BINARY('ldb_filter_attrs_in_place_test', >+ source='tests/ldb_filter_attrs_in_place_test.c', >+ deps='cmocka ldb ldb_tdb_err_map', >+ install=False) >+ > bld.SAMBA_BINARY('ldb_key_value_sub_txn_tdb_test', > bld.SUBDIR('ldb_key_value', > '''ldb_kv_search.c >@@ -645,6 +650,7 @@ def test(ctx): > # 'ldb_key_value_sub_txn_tdb_test' > 'ldb_parse_test', > 'ldb_filter_attrs_test', >+ 'ldb_filter_attrs_in_place_test', > ] > > # if LIB_LDAP and LIB_LBER defined, then we can test ldb_ldap backend >-- >2.25.1 > > >From 23e4f4a2552ea926e825aeb63b2d485e99c2583e Mon Sep 17 00:00:00 2001 >From: Andrew Bartlett <abartlet@samba.org> >Date: Fri, 3 Mar 2023 17:30:19 +1300 >Subject: [PATCH 16/39] CVE-2023-0614 ldb: Make ldb_filter_attrs_in_place() > work in place > >ldb_filter_attrs() previously did too much. Now its replacement, >ldb_filter_attrs_in_place(), only does the actual filtering, while >taking ownership of each element's values is handled in a separate >function, ldb_msg_elements_take_ownership(). > >Also, ldb_filter_attrs_in_place() no longer adds the distinguishedName >to the message if it is missing. That is handled in another function, >ldb_msg_add_distinguished_name(). > >As we're now modifying the original message rather than copying it into >a new one, we no longer need the filtered_msg parameter. > >We adapt a test, based on ldb_filter_attrs_test, to exercise the new >function. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270 > >Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> >Reviewed-by: Andrew Bartlett <abartlet@samba.org> >--- > lib/ldb/ABI/ldb-2.8.0.sigs | 2 +- > lib/ldb/common/ldb_pack.c | 129 +--- > lib/ldb/include/ldb_module.h | 11 +- > .../tests/ldb_filter_attrs_in_place_test.c | 609 ++++++++---------- > 4 files changed, 308 insertions(+), 443 deletions(-) > >diff --git a/lib/ldb/ABI/ldb-2.8.0.sigs b/lib/ldb/ABI/ldb-2.8.0.sigs >index 309fda6b7ed..73fe6c4dd9f 100644 >--- a/lib/ldb/ABI/ldb-2.8.0.sigs >+++ b/lib/ldb/ABI/ldb-2.8.0.sigs >@@ -86,7 +86,7 @@ ldb_errstring: const char *(struct ldb_context *) > ldb_extended: int (struct ldb_context *, const char *, void *, struct ldb_result **) > ldb_extended_default_callback: int (struct ldb_request *, struct ldb_reply *) > ldb_filter_attrs: int (struct ldb_context *, const struct ldb_message *, const char * const *, struct ldb_message *) >-ldb_filter_attrs_in_place: int (struct ldb_context *, const struct ldb_message *, const char * const *, struct ldb_message *) >+ldb_filter_attrs_in_place: int (struct ldb_message *, const char * const *) > ldb_filter_from_tree: char *(TALLOC_CTX *, const struct ldb_parse_tree *) > ldb_get_config_basedn: struct ldb_dn *(struct ldb_context *) > ldb_get_create_perms: unsigned int (struct ldb_context *) >diff --git a/lib/ldb/common/ldb_pack.c b/lib/ldb/common/ldb_pack.c >index f19ac73fa5e..28b9a8dfe07 100644 >--- a/lib/ldb/common/ldb_pack.c >+++ b/lib/ldb/common/ldb_pack.c >@@ -1264,19 +1264,16 @@ failed: > > /* > * filter the specified list of attributes from msg, >- * adding requested attributes, and perhaps all for *, >- * but not the DN to filtered_msg. >+ * adding requested attributes, and perhaps all for *. >+ * Unlike ldb_filter_attrs(), the DN will not be added >+ * if it is missing. > */ >-int ldb_filter_attrs_in_place(struct ldb_context *ldb, >- const struct ldb_message *msg, >- const char *const *attrs, >- struct ldb_message *filtered_msg) >+int ldb_filter_attrs_in_place(struct ldb_message *msg, >+ const char *const *attrs) > { >- unsigned int i; >+ unsigned int i = 0; > bool keep_all = false; >- bool add_dn = false; >- uint32_t num_elements; >- uint32_t elements_size; >+ unsigned int num_del = 0; > > if (attrs) { > /* check for special attrs */ >@@ -1286,123 +1283,41 @@ int ldb_filter_attrs_in_place(struct ldb_context *ldb, > keep_all = true; > break; > } >- cmp = ldb_attr_cmp(attrs[i], "distinguishedName"); >- if (cmp == 0) { >- add_dn = true; >- } > } >- } else { >- keep_all = true; >- } >- >- if (keep_all) { >- add_dn = true; >- elements_size = msg->num_elements + 1; >- >- /* Shortcuts for the simple cases */ >- } else if (add_dn && i == 1) { >- if (ldb_msg_add_distinguished_name(filtered_msg) != 0) { >- goto failed; >+ if (!keep_all && i == 0) { >+ msg->num_elements = 0; >+ return LDB_SUCCESS; > } >- return 0; >- } else if (i == 0) { >- return 0; >- >- /* >- * Otherwise we are copying at most as many elements as we >- * have attributes >- */ > } else { >- elements_size = i; >+ keep_all = true; > } > >- filtered_msg->elements = talloc_array(filtered_msg, >- struct ldb_message_element, >- elements_size); >- if (filtered_msg->elements == NULL) goto failed; >- >- num_elements = 0; >- > for (i = 0; i < msg->num_elements; i++) { >- struct ldb_message_element *el = &msg->elements[i]; >- >- /* >- * el2 is assigned after the Pigeonhole principle >- * check below for clarity >- */ >- struct ldb_message_element *el2 = NULL; >+ bool found = false; > unsigned int j; > >- if (keep_all == false) { >- bool found = false; >+ if (keep_all) { >+ found = true; >+ } else { > for (j = 0; attrs[j]; j++) { >- int cmp = ldb_attr_cmp(el->name, attrs[j]); >+ int cmp = ldb_attr_cmp(msg->elements[i].name, attrs[j]); > if (cmp == 0) { > found = true; > break; > } > } >- if (found == false) { >- continue; >- } >- } >- >- /* >- * Pigeonhole principle: we can't have more elements >- * than the number of attributes if they are unique in >- * the DB. >- */ >- if (num_elements >= elements_size) { >- goto failed; > } > >- el2 = &filtered_msg->elements[num_elements]; >- >- *el2 = *el; >- el2->name = talloc_strdup(filtered_msg->elements, >- el->name); >- if (el2->name == NULL) { >- goto failed; >- } >- el2->values = talloc_array(filtered_msg->elements, >- struct ldb_val, el->num_values); >- if (el2->values == NULL) { >- goto failed; >+ if (!found) { >+ ++num_del; >+ } else if (num_del != 0) { >+ msg->elements[i - num_del] = msg->elements[i]; > } >- for (j=0;j<el->num_values;j++) { >- el2->values[j] = ldb_val_dup(el2->values, &el->values[j]); >- if (el2->values[j].data == NULL && el->values[j].length != 0) { >- goto failed; >- } >- } >- num_elements++; > } > >- filtered_msg->num_elements = num_elements; >- >- if (add_dn) { >- if (ldb_msg_add_distinguished_name(filtered_msg) != 0) { >- goto failed; >- } >- } >+ msg->num_elements -= num_del; > >- if (filtered_msg->num_elements > 0) { >- filtered_msg->elements >- = talloc_realloc(filtered_msg, >- filtered_msg->elements, >- struct ldb_message_element, >- filtered_msg->num_elements); >- if (filtered_msg->elements == NULL) { >- goto failed; >- } >- } else { >- TALLOC_FREE(filtered_msg->elements); >- } >- >- return 0; >-failed: >- TALLOC_FREE(filtered_msg->elements); >- return -1; >+ return LDB_SUCCESS; > } > > /* Have an unpacked ldb message take talloc ownership of its elements. */ >diff --git a/lib/ldb/include/ldb_module.h b/lib/ldb/include/ldb_module.h >index 105093cf38c..4ae381ba5be 100644 >--- a/lib/ldb/include/ldb_module.h >+++ b/lib/ldb/include/ldb_module.h >@@ -545,13 +545,12 @@ int ldb_filter_attrs(struct ldb_context *ldb, > > /* > * filter the specified list of attributes from msg, >- * adding requested attributes, and perhaps all for *, >- * but not the DN to filtered_msg. >+ * adding requested attributes, and perhaps all for *. >+ * Unlike ldb_filter_attrs(), the DN will not be added >+ * if it is missing. > */ >-int ldb_filter_attrs_in_place(struct ldb_context *ldb, >- const struct ldb_message *msg, >- const char *const *attrs, >- struct ldb_message *filtered_msg); >+int ldb_filter_attrs_in_place(struct ldb_message *msg, >+ const char *const *attrs); > > /* Have an unpacked ldb message take talloc ownership of its elements. */ > int ldb_msg_elements_take_ownership(struct ldb_message *msg); >diff --git a/lib/ldb/tests/ldb_filter_attrs_in_place_test.c b/lib/ldb/tests/ldb_filter_attrs_in_place_test.c >index bef961f8f9c..da333c73c99 100644 >--- a/lib/ldb/tests/ldb_filter_attrs_in_place_test.c >+++ b/lib/ldb/tests/ldb_filter_attrs_in_place_test.c >@@ -83,17 +83,41 @@ static int teardown(void **state) > return 0; > } > >+static void msg_add_dn(struct ldb_message *msg) >+{ >+ const char *dn_attr = "distinguishedName"; >+ char *dn = NULL; >+ int ret; >+ >+ assert_null(ldb_msg_find_element(msg, dn_attr)); >+ >+ assert_non_null(msg->dn); >+ dn = ldb_dn_alloc_linearized(msg, msg->dn); >+ assert_non_null(dn); >+ >+ /* >+ * The message's elements must be talloc allocated to call >+ * ldb_msg_add_steal_string(). >+ */ >+ msg->elements = talloc_memdup(msg, >+ msg->elements, >+ msg->num_elements * sizeof(msg->elements[0])); >+ assert_non_null(msg->elements); >+ >+ ret = ldb_msg_add_steal_string(msg, dn_attr, dn); >+ assert_int_equal(ret, LDB_SUCCESS); >+} > > /* > * Test against a record with only one attribute, matching the one in > * the list > */ >-static void test_filter_attrs_one_attr_matched(void **state) >+static void test_filter_attrs_in_place_one_attr_matched(void **state) > { > struct ldbtest_ctx *ctx = *state; > int ret; > >- struct ldb_message *filtered_msg = ldb_msg_new(ctx); >+ struct ldb_message *msg = ldb_msg_new(ctx); > > const char *attrs[] = {"foo", NULL}; > >@@ -107,32 +131,25 @@ static void test_filter_attrs_one_attr_matched(void **state) > .num_values = 1, > .values = &value_1 > }; >- struct ldb_message in = { >- .dn = ldb_dn_new(ctx, ctx->ldb, "dc=samba,dc=org"), >- .num_elements = 1, >- .elements = &element_1, >- }; > >- assert_non_null(in.dn); >+ assert_non_null(msg); >+ msg->dn = ldb_dn_new(ctx, ctx->ldb, "dc=samba,dc=org"); >+ msg->num_elements = 1; >+ msg->elements = &element_1; > >- ret = ldb_filter_attrs_in_place(ctx->ldb, >- &in, >- attrs, >- filtered_msg); >+ assert_non_null(msg->dn); >+ msg_add_dn(msg); >+ >+ ret = ldb_filter_attrs_in_place(msg, attrs); > assert_int_equal(ret, LDB_SUCCESS); >- assert_non_null(filtered_msg); > >- /* >- * assert the ldb_filter_attrs_in_place does not read or modify >- * filtered_msg.dn in this case >- */ >- assert_null(filtered_msg->dn); >- assert_int_equal(filtered_msg->num_elements, 1); >- assert_string_equal(filtered_msg->elements[0].name, "foo"); >- assert_int_equal(filtered_msg->elements[0].num_values, 1); >- assert_int_equal(filtered_msg->elements[0].values[0].length, >+ assert_non_null(msg->dn); >+ assert_int_equal(msg->num_elements, 1); >+ assert_string_equal(msg->elements[0].name, "foo"); >+ assert_int_equal(msg->elements[0].num_values, 1); >+ assert_int_equal(msg->elements[0].values[0].length, > strlen(value)); >- assert_memory_equal(filtered_msg->elements[0].values[0].data, >+ assert_memory_equal(msg->elements[0].values[0].data, > value, strlen(value)); > } > >@@ -140,12 +157,12 @@ static void test_filter_attrs_one_attr_matched(void **state) > * Test against a record with only one attribute, matching the one of > * the multiple attributes in the list > */ >-static void test_filter_attrs_one_attr_matched_of_many(void **state) >+static void test_filter_attrs_in_place_one_attr_matched_of_many(void **state) > { > struct ldbtest_ctx *ctx = *state; > int ret; > >- struct ldb_message *filtered_msg = ldb_msg_new(ctx); >+ struct ldb_message *msg = ldb_msg_new(ctx); > > const char *attrs[] = {"foo", "bar", "baz", NULL}; > >@@ -159,32 +176,25 @@ static void test_filter_attrs_one_attr_matched_of_many(void **state) > .num_values = 1, > .values = &value_1 > }; >- struct ldb_message in = { >- .dn = ldb_dn_new(ctx, ctx->ldb, "dc=samba,dc=org"), >- .num_elements = 1, >- .elements = &element_1, >- }; > >- assert_non_null(in.dn); >+ assert_non_null(msg); >+ msg->dn = ldb_dn_new(ctx, ctx->ldb, "dc=samba,dc=org"); >+ msg->num_elements = 1; >+ msg->elements = &element_1; > >- ret = ldb_filter_attrs_in_place(ctx->ldb, >- &in, >- attrs, >- filtered_msg); >+ assert_non_null(msg->dn); >+ msg_add_dn(msg); >+ >+ ret = ldb_filter_attrs_in_place(msg, attrs); > assert_int_equal(ret, LDB_SUCCESS); >- assert_non_null(filtered_msg); > >- /* >- * assert the ldb_filter_attrs_in_place does not read or modify >- * filtered_msg.dn in this case >- */ >- assert_null(filtered_msg->dn); >- assert_int_equal(filtered_msg->num_elements, 1); >- assert_string_equal(filtered_msg->elements[0].name, "foo"); >- assert_int_equal(filtered_msg->elements[0].num_values, 1); >- assert_int_equal(filtered_msg->elements[0].values[0].length, >+ assert_non_null(msg->dn); >+ assert_int_equal(msg->num_elements, 1); >+ assert_string_equal(msg->elements[0].name, "foo"); >+ assert_int_equal(msg->elements[0].num_values, 1); >+ assert_int_equal(msg->elements[0].values[0].length, > strlen(value)); >- assert_memory_equal(filtered_msg->elements[0].values[0].data, >+ assert_memory_equal(msg->elements[0].values[0].data, > value, strlen(value)); > } > >@@ -192,12 +202,12 @@ static void test_filter_attrs_one_attr_matched_of_many(void **state) > * Test against a record with only one attribute, matching both > * attributes in the list > */ >-static void test_filter_attrs_two_attr_matched_attrs(void **state) >+static void test_filter_attrs_in_place_two_attr_matched_attrs(void **state) > { > struct ldbtest_ctx *ctx = *state; > int ret; > >- struct ldb_message *filtered_msg = ldb_msg_new(ctx); >+ struct ldb_message *msg = ldb_msg_new(ctx); > > /* deliberatly the other order */ > const char *attrs[] = {"bar", "foo", NULL}; >@@ -226,40 +236,33 @@ static void test_filter_attrs_two_attr_matched_attrs(void **state) > .values = &value_2 > } > }; >- struct ldb_message in = { >- .dn = ldb_dn_new(ctx, ctx->ldb, "dc=samba,dc=org"), >- .num_elements = 2, >- .elements = elements, >- }; > >- assert_non_null(in.dn); >+ assert_non_null(msg); >+ msg->dn = ldb_dn_new(ctx, ctx->ldb, "dc=samba,dc=org"); >+ msg->num_elements = 2; >+ msg->elements = elements; > >- ret = ldb_filter_attrs_in_place(ctx->ldb, >- &in, >- attrs, >- filtered_msg); >+ assert_non_null(msg->dn); >+ msg_add_dn(msg); >+ >+ ret = ldb_filter_attrs_in_place(msg, attrs); > assert_int_equal(ret, LDB_SUCCESS); >- assert_non_null(filtered_msg); >- assert_int_equal(filtered_msg->num_elements, 2); >+ assert_int_equal(msg->num_elements, 2); > >- /* >- * assert the ldb_filter_attrs_in_place does not read or modify >- * filtered_msg.dn in this case >- */ >- assert_null(filtered_msg->dn); >+ assert_non_null(msg->dn); > > /* Assert that DB order is preserved */ >- assert_string_equal(filtered_msg->elements[0].name, "foo"); >- assert_int_equal(filtered_msg->elements[0].num_values, 1); >- assert_int_equal(filtered_msg->elements[0].values[0].length, >+ assert_string_equal(msg->elements[0].name, "foo"); >+ assert_int_equal(msg->elements[0].num_values, 1); >+ assert_int_equal(msg->elements[0].values[0].length, > strlen(value1)); >- assert_memory_equal(filtered_msg->elements[0].values[0].data, >+ assert_memory_equal(msg->elements[0].values[0].data, > value1, strlen(value1)); >- assert_string_equal(filtered_msg->elements[1].name, "bar"); >- assert_int_equal(filtered_msg->elements[1].num_values, 1); >- assert_int_equal(filtered_msg->elements[1].values[0].length, >+ assert_string_equal(msg->elements[1].name, "bar"); >+ assert_int_equal(msg->elements[1].num_values, 1); >+ assert_int_equal(msg->elements[1].values[0].length, > strlen(value2)); >- assert_memory_equal(filtered_msg->elements[1].values[0].data, >+ assert_memory_equal(msg->elements[1].values[0].data, > value2, strlen(value2)); > } > >@@ -267,14 +270,13 @@ static void test_filter_attrs_two_attr_matched_attrs(void **state) > * Test against a record with two attributes, only of which is in > * the list > */ >-static void test_filter_attrs_two_attr_matched_one_attr(void **state) >+static void test_filter_attrs_in_place_two_attr_matched_one_attr(void **state) > { > struct ldbtest_ctx *ctx = *state; > int ret; > >- struct ldb_message *filtered_msg = ldb_msg_new(ctx); >+ struct ldb_message *msg = ldb_msg_new(ctx); > >- /* deliberatly the other order */ > const char *attrs[] = {"bar", NULL}; > > char value1[] = "The value.......end"; >@@ -288,7 +290,6 @@ static void test_filter_attrs_two_attr_matched_one_attr(void **state) > .length = strlen(value2) > }; > >- /* foo and bar are the other order to in attrs */ > struct ldb_message_element elements[] = { > { > .name = "foo", >@@ -301,34 +302,27 @@ static void test_filter_attrs_two_attr_matched_one_attr(void **state) > .values = &value_2 > } > }; >- struct ldb_message in = { >- .dn = ldb_dn_new(ctx, ctx->ldb, "dc=samba,dc=org"), >- .num_elements = 2, >- .elements = elements, >- }; > >- assert_non_null(in.dn); >+ assert_non_null(msg); >+ msg->dn = ldb_dn_new(ctx, ctx->ldb, "dc=samba,dc=org"); >+ msg->num_elements = 2; >+ msg->elements = elements; > >- ret = ldb_filter_attrs_in_place(ctx->ldb, >- &in, >- attrs, >- filtered_msg); >+ assert_non_null(msg->dn); >+ msg_add_dn(msg); >+ >+ ret = ldb_filter_attrs_in_place(msg, attrs); > assert_int_equal(ret, LDB_SUCCESS); >- assert_non_null(filtered_msg); >- assert_int_equal(filtered_msg->num_elements, 1); >+ assert_int_equal(msg->num_elements, 1); > >- /* >- * assert the ldb_filter_attrs_in_place does not read or modify >- * filtered_msg.dn in this case >- */ >- assert_null(filtered_msg->dn); >+ assert_non_null(msg->dn); > > /* Assert that DB order is preserved */ >- assert_string_equal(filtered_msg->elements[0].name, "bar"); >- assert_int_equal(filtered_msg->elements[0].num_values, 1); >- assert_int_equal(filtered_msg->elements[0].values[0].length, >+ assert_string_equal(msg->elements[0].name, "bar"); >+ assert_int_equal(msg->elements[0].num_values, 1); >+ assert_int_equal(msg->elements[0].values[0].length, > strlen(value2)); >- assert_memory_equal(filtered_msg->elements[0].values[0].data, >+ assert_memory_equal(msg->elements[0].values[0].data, > value2, strlen(value2)); > } > >@@ -336,14 +330,13 @@ static void test_filter_attrs_two_attr_matched_one_attr(void **state) > * Test against a record with two attributes, both matching the one > * specified attribute in the list (a corrupt record) > */ >-static void test_filter_attrs_two_dup_attr_matched_one_attr(void **state) >+static void test_filter_attrs_in_place_two_dup_attr_matched_one_attr(void **state) > { > struct ldbtest_ctx *ctx = *state; > int ret; > >- struct ldb_message *filtered_msg = ldb_msg_new(ctx); >+ struct ldb_message *msg = ldb_msg_new(ctx); > >- /* deliberatly the other order */ > const char *attrs[] = {"bar", NULL}; > > char value1[] = "The value.......end"; >@@ -357,7 +350,6 @@ static void test_filter_attrs_two_dup_attr_matched_one_attr(void **state) > .length = strlen(value2) > }; > >- /* foo and bar are the other order to in attrs */ > struct ldb_message_element elements[] = { > { > .name = "bar", >@@ -370,34 +362,49 @@ static void test_filter_attrs_two_dup_attr_matched_one_attr(void **state) > .values = &value_2 > } > }; >- struct ldb_message in = { >- .dn = ldb_dn_new(ctx, ctx->ldb, "dc=samba,dc=org"), >- .num_elements = 2, >- .elements = elements, >- }; > >- assert_non_null(in.dn); >+ assert_non_null(msg); >+ msg->dn = ldb_dn_new(ctx, ctx->ldb, "dc=samba,dc=org"); >+ msg->num_elements = 2; >+ msg->elements = elements; >+ >+ assert_non_null(msg->dn); >+ msg_add_dn(msg); >+ >+ ret = ldb_filter_attrs_in_place(msg, attrs); > >- ret = ldb_filter_attrs_in_place(ctx->ldb, >- &in, >- attrs, >- filtered_msg); >+ /* Both elements match the filter */ >+ assert_int_equal(ret, LDB_SUCCESS); >+ assert_int_equal(msg->num_elements, 2); >+ >+ assert_non_null(msg->dn); > >- /* This should fail the pidgenhole test */ >- assert_int_equal(ret, -1); >- assert_null(filtered_msg->elements); >+ /* Assert that DB order is preserved */ >+ assert_string_equal(msg->elements[0].name, "bar"); >+ assert_int_equal(msg->elements[0].num_values, 1); >+ assert_int_equal(msg->elements[0].values[0].length, >+ strlen(value1)); >+ assert_memory_equal(msg->elements[0].values[0].data, >+ value1, strlen(value1)); >+ >+ assert_string_equal(msg->elements[1].name, "bar"); >+ assert_int_equal(msg->elements[1].num_values, 1); >+ assert_int_equal(msg->elements[1].values[0].length, >+ strlen(value2)); >+ assert_memory_equal(msg->elements[1].values[0].data, >+ value2, strlen(value2)); > } > > /* > * Test against a record with two attributes, both matching the one > * specified attribute in the list (a corrupt record) > */ >-static void test_filter_attrs_two_dup_attr_matched_dup(void **state) >+static void test_filter_attrs_in_place_two_dup_attr_matched_dup(void **state) > { > struct ldbtest_ctx *ctx = *state; > int ret; > >- struct ldb_message *filtered_msg = ldb_msg_new(ctx); >+ struct ldb_message *msg = ldb_msg_new(ctx); > > const char *attrs[] = {"bar", "bar", NULL}; > >@@ -412,7 +419,6 @@ static void test_filter_attrs_two_dup_attr_matched_dup(void **state) > .length = strlen(value2) > }; > >- /* foo and bar are the other order to in attrs */ > struct ldb_message_element elements[] = { > { > .name = "bar", >@@ -425,35 +431,33 @@ static void test_filter_attrs_two_dup_attr_matched_dup(void **state) > .values = &value_2 > } > }; >- struct ldb_message in = { >- .dn = ldb_dn_new(ctx, ctx->ldb, "dc=samba,dc=org"), >- .num_elements = 2, >- .elements = elements, >- }; > >- assert_non_null(in.dn); >+ assert_non_null(msg); >+ msg->dn = ldb_dn_new(ctx, ctx->ldb, "dc=samba,dc=org"); >+ msg->num_elements = 2; >+ msg->elements = elements; >+ >+ assert_non_null(msg->dn); >+ msg_add_dn(msg); > >- ret = ldb_filter_attrs_in_place(ctx->ldb, >- &in, >- attrs, >- filtered_msg); >+ ret = ldb_filter_attrs_in_place(msg, attrs); > > /* This does not fail the pidgenhole test */ > assert_int_equal(ret, LDB_SUCCESS); >- assert_int_equal(filtered_msg->num_elements, 2); >+ assert_int_equal(msg->num_elements, 2); > > /* Assert that DB order is preserved */ >- assert_string_equal(filtered_msg->elements[0].name, "bar"); >- assert_int_equal(filtered_msg->elements[0].num_values, 1); >- assert_int_equal(filtered_msg->elements[0].values[0].length, >+ assert_string_equal(msg->elements[0].name, "bar"); >+ assert_int_equal(msg->elements[0].num_values, 1); >+ assert_int_equal(msg->elements[0].values[0].length, > strlen(value1)); >- assert_memory_equal(filtered_msg->elements[0].values[0].data, >+ assert_memory_equal(msg->elements[0].values[0].data, > value1, strlen(value1)); >- assert_string_equal(filtered_msg->elements[1].name, "bar"); >- assert_int_equal(filtered_msg->elements[1].num_values, 1); >- assert_int_equal(filtered_msg->elements[1].values[0].length, >+ assert_string_equal(msg->elements[1].name, "bar"); >+ assert_int_equal(msg->elements[1].num_values, 1); >+ assert_int_equal(msg->elements[1].values[0].length, > strlen(value2)); >- assert_memory_equal(filtered_msg->elements[1].values[0].data, >+ assert_memory_equal(msg->elements[1].values[0].data, > value2, strlen(value2)); > } > >@@ -461,12 +465,12 @@ static void test_filter_attrs_two_dup_attr_matched_dup(void **state) > * Test against a record with two attributes, both matching one of the > * specified attributes in the list (a corrupt record) > */ >-static void test_filter_attrs_two_dup_attr_matched_one_of_two(void **state) >+static void test_filter_attrs_in_place_two_dup_attr_matched_one_of_two(void **state) > { > struct ldbtest_ctx *ctx = *state; > int ret; > >- struct ldb_message *filtered_msg = ldb_msg_new(ctx); >+ struct ldb_message *msg = ldb_msg_new(ctx); > > const char *attrs[] = {"bar", "foo", NULL}; > >@@ -481,7 +485,6 @@ static void test_filter_attrs_two_dup_attr_matched_one_of_two(void **state) > .length = strlen(value2) > }; > >- /* foo and bar are the other order to in attrs */ > struct ldb_message_element elements[] = { > { > .name = "bar", >@@ -494,35 +497,33 @@ static void test_filter_attrs_two_dup_attr_matched_one_of_two(void **state) > .values = &value_2 > } > }; >- struct ldb_message in = { >- .dn = ldb_dn_new(ctx, ctx->ldb, "dc=samba,dc=org"), >- .num_elements = 2, >- .elements = elements, >- }; > >- assert_non_null(in.dn); >+ assert_non_null(msg); >+ msg->dn = ldb_dn_new(ctx, ctx->ldb, "dc=samba,dc=org"); >+ msg->num_elements = 2; >+ msg->elements = elements; > >- ret = ldb_filter_attrs_in_place(ctx->ldb, >- &in, >- attrs, >- filtered_msg); >+ assert_non_null(msg->dn); >+ msg_add_dn(msg); >+ >+ ret = ldb_filter_attrs_in_place(msg, attrs); > > /* This does not fail the pidgenhole test */ > assert_int_equal(ret, LDB_SUCCESS); >- assert_int_equal(filtered_msg->num_elements, 2); >+ assert_int_equal(msg->num_elements, 2); > > /* Assert that DB order is preserved */ >- assert_string_equal(filtered_msg->elements[0].name, "bar"); >- assert_int_equal(filtered_msg->elements[0].num_values, 1); >- assert_int_equal(filtered_msg->elements[0].values[0].length, >+ assert_string_equal(msg->elements[0].name, "bar"); >+ assert_int_equal(msg->elements[0].num_values, 1); >+ assert_int_equal(msg->elements[0].values[0].length, > strlen(value1)); >- assert_memory_equal(filtered_msg->elements[0].values[0].data, >+ assert_memory_equal(msg->elements[0].values[0].data, > value1, strlen(value1)); >- assert_string_equal(filtered_msg->elements[1].name, "bar"); >- assert_int_equal(filtered_msg->elements[1].num_values, 1); >- assert_int_equal(filtered_msg->elements[1].values[0].length, >+ assert_string_equal(msg->elements[1].name, "bar"); >+ assert_int_equal(msg->elements[1].num_values, 1); >+ assert_int_equal(msg->elements[1].values[0].length, > strlen(value2)); >- assert_memory_equal(filtered_msg->elements[1].values[0].data, >+ assert_memory_equal(msg->elements[1].values[0].data, > value2, strlen(value2)); > } > >@@ -530,12 +531,12 @@ static void test_filter_attrs_two_dup_attr_matched_one_of_two(void **state) > * Test against a record with two attributes against * (but not the > * other named attribute) (a corrupt record) > */ >-static void test_filter_attrs_two_dup_attr_matched_star(void **state) >+static void test_filter_attrs_in_place_two_dup_attr_matched_star(void **state) > { > struct ldbtest_ctx *ctx = *state; > int ret; > >- struct ldb_message *filtered_msg = ldb_msg_new(ctx); >+ struct ldb_message *msg = ldb_msg_new(ctx); > > const char *attrs[] = {"*", "foo", NULL}; > >@@ -550,7 +551,6 @@ static void test_filter_attrs_two_dup_attr_matched_star(void **state) > .length = strlen(value2) > }; > >- /* foo and bar are the other order to in attrs */ > struct ldb_message_element elements[] = { > { > .name = "bar", >@@ -563,60 +563,52 @@ static void test_filter_attrs_two_dup_attr_matched_star(void **state) > .values = &value_2 > } > }; >- struct ldb_message in = { >- .dn = ldb_dn_new(ctx, ctx->ldb, "dc=samba,dc=org"), >- .num_elements = 2, >- .elements = elements, >- }; > >- assert_non_null(in.dn); >+ assert_non_null(msg); >+ msg->dn = ldb_dn_new(ctx, ctx->ldb, "dc=samba,dc=org"); >+ msg->num_elements = 2; >+ msg->elements = elements; > >- /* Needed as * implies distinguishedName */ >- filtered_msg->dn = in.dn; >+ assert_non_null(msg->dn); >+ msg_add_dn(msg); > >- ret = ldb_filter_attrs_in_place(ctx->ldb, >- &in, >- attrs, >- filtered_msg); >+ ret = ldb_filter_attrs_in_place(msg, attrs); > > /* This does not fail the pidgenhole test */ > assert_int_equal(ret, LDB_SUCCESS); >- assert_int_equal(filtered_msg->num_elements, 3); >+ assert_int_equal(msg->num_elements, 3); > > /* Assert that DB order is preserved */ >- assert_string_equal(filtered_msg->elements[0].name, "bar"); >- assert_int_equal(filtered_msg->elements[0].num_values, 1); >- assert_int_equal(filtered_msg->elements[0].values[0].length, >+ assert_string_equal(msg->elements[0].name, "bar"); >+ assert_int_equal(msg->elements[0].num_values, 1); >+ assert_int_equal(msg->elements[0].values[0].length, > strlen(value1)); >- assert_memory_equal(filtered_msg->elements[0].values[0].data, >+ assert_memory_equal(msg->elements[0].values[0].data, > value1, strlen(value1)); >- assert_string_equal(filtered_msg->elements[1].name, "bar"); >- assert_int_equal(filtered_msg->elements[1].num_values, 1); >- assert_int_equal(filtered_msg->elements[1].values[0].length, >+ assert_string_equal(msg->elements[1].name, "bar"); >+ assert_int_equal(msg->elements[1].num_values, 1); >+ assert_int_equal(msg->elements[1].values[0].length, > strlen(value2)); >- assert_memory_equal(filtered_msg->elements[1].values[0].data, >+ assert_memory_equal(msg->elements[1].values[0].data, > value2, strlen(value2)); >- /* >- * assert the ldb_filter_attrs_in_place does not modify filtered_msg.dn >- * in this case >- */ >- assert_ptr_equal(filtered_msg->dn, in.dn); >- assert_string_equal(ldb_msg_find_attr_as_string(filtered_msg, >+ >+ assert_non_null(msg->dn); >+ assert_string_equal(ldb_msg_find_attr_as_string(msg, > "distinguishedName", > NULL), >- ldb_dn_get_linearized(in.dn)); >+ ldb_dn_get_linearized(msg->dn)); > } > > /* > * Test against a record with only one attribute, matching the * in > * the list > */ >-static void test_filter_attrs_one_attr_matched_star(void **state) >+static void test_filter_attrs_in_place_one_attr_matched_star(void **state) > { > struct ldbtest_ctx *ctx = *state; > int ret; > >- struct ldb_message *filtered_msg = ldb_msg_new(ctx); >+ struct ldb_message *msg = ldb_msg_new(ctx); > > const char *attrs[] = {"*", NULL}; > >@@ -630,35 +622,25 @@ static void test_filter_attrs_one_attr_matched_star(void **state) > .num_values = 1, > .values = &value_1 > }; >- struct ldb_message in = { >- .dn = ldb_dn_new(ctx, ctx->ldb, "dc=samba,dc=org"), >- .num_elements = 1, >- .elements = &element_1, >- }; > >- assert_non_null(in.dn); >+ assert_non_null(msg); >+ msg->dn = ldb_dn_new(ctx, ctx->ldb, "dc=samba,dc=org"); >+ msg->num_elements = 1; >+ msg->elements = &element_1; > >- /* Needed as * implies distinguishedName */ >- filtered_msg->dn = in.dn; >+ assert_non_null(msg->dn); >+ msg_add_dn(msg); > >- ret = ldb_filter_attrs_in_place(ctx->ldb, >- &in, >- attrs, >- filtered_msg); >+ ret = ldb_filter_attrs_in_place(msg, attrs); > assert_int_equal(ret, LDB_SUCCESS); >- assert_non_null(filtered_msg); >- assert_int_equal(filtered_msg->num_elements, 2); >+ assert_int_equal(msg->num_elements, 2); > >- /* >- * assert the ldb_filter_attrs_in_place does not modify filtered_msg.dn >- * in this case >- */ >- assert_ptr_equal(filtered_msg->dn, in.dn); >- assert_string_equal(ldb_msg_find_attr_as_string(filtered_msg, >+ assert_non_null(msg->dn); >+ assert_string_equal(ldb_msg_find_attr_as_string(msg, > "distinguishedName", > NULL), >- ldb_dn_get_linearized(in.dn)); >- assert_string_equal(ldb_msg_find_attr_as_string(filtered_msg, >+ ldb_dn_get_linearized(msg->dn)); >+ assert_string_equal(ldb_msg_find_attr_as_string(msg, > "foo", > NULL), > value); >@@ -668,12 +650,12 @@ static void test_filter_attrs_one_attr_matched_star(void **state) > * Test against a record with two attributes, matching the * in > * the list > */ >-static void test_filter_attrs_two_attr_matched_star(void **state) >+static void test_filter_attrs_in_place_two_attr_matched_star(void **state) > { > struct ldbtest_ctx *ctx = *state; > int ret; > >- struct ldb_message *filtered_msg = ldb_msg_new(ctx); >+ struct ldb_message *msg = ldb_msg_new(ctx); > > const char *attrs[] = {"*", NULL}; > >@@ -699,39 +681,29 @@ static void test_filter_attrs_two_attr_matched_star(void **state) > .values = &value_2 > } > }; >- struct ldb_message in = { >- .dn = ldb_dn_new(ctx, ctx->ldb, "dc=samba,dc=org"), >- .num_elements = 2, >- .elements = elements, >- }; > >- assert_non_null(in.dn); >+ assert_non_null(msg); >+ msg->dn = ldb_dn_new(ctx, ctx->ldb, "dc=samba,dc=org"); >+ msg->num_elements = 2; >+ msg->elements = elements; > >- /* Needed as * implies distinguishedName */ >- filtered_msg->dn = in.dn; >+ assert_non_null(msg->dn); >+ msg_add_dn(msg); > >- ret = ldb_filter_attrs_in_place(ctx->ldb, >- &in, >- attrs, >- filtered_msg); >+ ret = ldb_filter_attrs_in_place(msg, attrs); > assert_int_equal(ret, LDB_SUCCESS); >- assert_non_null(filtered_msg); >- assert_int_equal(filtered_msg->num_elements, 3); >+ assert_int_equal(msg->num_elements, 3); > >- /* >- * assert the ldb_filter_attrs_in_place does not modify filtered_msg.dn >- * in this case >- */ >- assert_ptr_equal(filtered_msg->dn, in.dn); >- assert_string_equal(ldb_msg_find_attr_as_string(filtered_msg, >+ assert_non_null(msg->dn); >+ assert_string_equal(ldb_msg_find_attr_as_string(msg, > "distinguishedName", > NULL), >- ldb_dn_get_linearized(in.dn)); >- assert_string_equal(ldb_msg_find_attr_as_string(filtered_msg, >+ ldb_dn_get_linearized(msg->dn)); >+ assert_string_equal(ldb_msg_find_attr_as_string(msg, > "foo", > NULL), > value1); >- assert_string_equal(ldb_msg_find_attr_as_string(filtered_msg, >+ assert_string_equal(ldb_msg_find_attr_as_string(msg, > "bar", > NULL), > value2); >@@ -739,15 +711,15 @@ static void test_filter_attrs_two_attr_matched_star(void **state) > > /* > * Test against a record with only one attribute, matching the * in >- * the list, but without the DN being pre-filled. Fails due to need >- * to contstruct the distinguishedName >+ * the list, but without the DN being pre-filled. Succeeds, but the >+ * distinguishedName is not added. > */ >-static void test_filter_attrs_one_attr_matched_star_no_dn(void **state) >+static void test_filter_attrs_in_place_one_attr_matched_star_no_dn(void **state) > { > struct ldbtest_ctx *ctx = *state; > int ret; > >- struct ldb_message *filtered_msg = ldb_msg_new(ctx); >+ struct ldb_message *msg = ldb_msg_new(ctx); > > const char *attrs[] = {"*", NULL}; > >@@ -761,32 +733,29 @@ static void test_filter_attrs_one_attr_matched_star_no_dn(void **state) > .num_values = 1, > .values = &value_1 > }; >- struct ldb_message in = { >- .dn = ldb_dn_new(ctx, ctx->ldb, "dc=samba,dc=org"), >- .num_elements = 1, >- .elements = &element_1, >- }; > >- assert_non_null(in.dn); >+ assert_non_null(msg); >+ msg->dn = NULL; >+ msg->num_elements = 1; >+ msg->elements = &element_1; >+ >+ assert_null(msg->dn); > >- ret = ldb_filter_attrs_in_place(ctx->ldb, >- &in, >- attrs, >- filtered_msg); >- assert_int_equal(ret, -1); >- assert_null(filtered_msg->elements); >+ ret = ldb_filter_attrs_in_place(msg, attrs); >+ assert_int_equal(ret, LDB_SUCCESS); >+ assert_int_equal(msg->num_elements, 1); > } > > /* > * Test against a record with only one attribute, matching the * in > * the list plus requsesting distinguishedName > */ >-static void test_filter_attrs_one_attr_matched_star_dn(void **state) >+static void test_filter_attrs_in_place_one_attr_matched_star_dn(void **state) > { > struct ldbtest_ctx *ctx = *state; > int ret; > >- struct ldb_message *filtered_msg = ldb_msg_new(ctx); >+ struct ldb_message *msg = ldb_msg_new(ctx); > > const char *attrs[] = {"*", "distinguishedName", NULL}; > >@@ -800,33 +769,26 @@ static void test_filter_attrs_one_attr_matched_star_dn(void **state) > .num_values = 1, > .values = &value_1 > }; >- struct ldb_message in = { >- .dn = ldb_dn_new(ctx, ctx->ldb, "dc=samba,dc=org"), >- .num_elements = 1, >- .elements = &element_1, >- }; > >- assert_non_null(in.dn); >+ assert_non_null(msg); >+ msg->dn = ldb_dn_new(ctx, ctx->ldb, "dc=samba,dc=org"); >+ msg->num_elements = 1; >+ msg->elements = &element_1; > >- /* Needed for distinguishedName */ >- filtered_msg->dn = in.dn; >+ assert_non_null(msg->dn); >+ msg_add_dn(msg); > >- ret = ldb_filter_attrs_in_place(ctx->ldb, >- &in, >- attrs, >- filtered_msg); >+ ret = ldb_filter_attrs_in_place(msg, attrs); > assert_int_equal(ret, LDB_SUCCESS); >- assert_non_null(filtered_msg); >- assert_int_equal(filtered_msg->num_elements, 2); >+ assert_int_equal(msg->num_elements, 2); > >- /* show that ldb_filter_attrs_in_place does not modify in.dn */ >- assert_ptr_equal(filtered_msg->dn, in.dn); >+ assert_non_null(msg->dn); > >- assert_string_equal(ldb_msg_find_attr_as_string(filtered_msg, >+ assert_string_equal(ldb_msg_find_attr_as_string(msg, > "distinguishedName", > NULL), >- ldb_dn_get_linearized(in.dn)); >- assert_string_equal(ldb_msg_find_attr_as_string(filtered_msg, >+ ldb_dn_get_linearized(msg->dn)); >+ assert_string_equal(ldb_msg_find_attr_as_string(msg, > "foo", > NULL), > value); >@@ -836,12 +798,12 @@ static void test_filter_attrs_one_attr_matched_star_dn(void **state) > * Test against a record with only one attribute, but returning > * distinguishedName from the list (only) > */ >-static void test_filter_attrs_one_attr_matched_dn(void **state) >+static void test_filter_attrs_in_place_one_attr_matched_dn(void **state) > { > struct ldbtest_ctx *ctx = *state; > int ret; > >- struct ldb_message *filtered_msg = ldb_msg_new(ctx); >+ struct ldb_message *msg = ldb_msg_new(ctx); > > const char *attrs[] = {"distinguishedName", NULL}; > >@@ -855,43 +817,36 @@ static void test_filter_attrs_one_attr_matched_dn(void **state) > .num_values = 1, > .values = &value_1 > }; >- struct ldb_message in = { >- .dn = ldb_dn_new(ctx, ctx->ldb, "dc=samba,dc=org"), >- .num_elements = 1, >- .elements = &element_1, >- }; > >- assert_non_null(in.dn); >+ assert_non_null(msg); >+ msg->dn = ldb_dn_new(ctx, ctx->ldb, "dc=samba,dc=org"); >+ msg->num_elements = 1; >+ msg->elements = &element_1; > >- /* Needed for distinguishedName */ >- filtered_msg->dn = in.dn; >+ assert_non_null(msg->dn); >+ msg_add_dn(msg); > >- ret = ldb_filter_attrs_in_place(ctx->ldb, >- &in, >- attrs, >- filtered_msg); >+ ret = ldb_filter_attrs_in_place(msg, attrs); > assert_int_equal(ret, LDB_SUCCESS); >- assert_non_null(filtered_msg); >- assert_int_equal(filtered_msg->num_elements, 1); >- >- /* show that ldb_filter_attrs_in_place does not modify in.dn */ >- assert_ptr_equal(filtered_msg->dn, in.dn); >- assert_string_equal(filtered_msg->elements[0].name, "distinguishedName"); >- assert_int_equal(filtered_msg->elements[0].num_values, 1); >- assert_string_equal(filtered_msg->elements[0].values[0].data, >- ldb_dn_get_linearized(in.dn)); >+ assert_int_equal(msg->num_elements, 1); >+ >+ assert_non_null(msg->dn); >+ assert_string_equal(msg->elements[0].name, "distinguishedName"); >+ assert_int_equal(msg->elements[0].num_values, 1); >+ assert_string_equal(msg->elements[0].values[0].data, >+ ldb_dn_get_linearized(msg->dn)); > } > > /* > * Test against a record with only one attribute, not matching the > * empty attribute list > */ >-static void test_filter_attrs_one_attr_empty_list(void **state) >+static void test_filter_attrs_in_place_one_attr_empty_list(void **state) > { > struct ldbtest_ctx *ctx = *state; > int ret; > >- struct ldb_message *filtered_msg = ldb_msg_new(ctx); >+ struct ldb_message *msg = ldb_msg_new(ctx); > > const char *attrs[] = {NULL}; > >@@ -905,82 +860,78 @@ static void test_filter_attrs_one_attr_empty_list(void **state) > .num_values = 1, > .values = &value_1 > }; >- struct ldb_message in = { >- .dn = ldb_dn_new(ctx, ctx->ldb, "dc=samba,dc=org"), >- .num_elements = 1, >- .elements = &element_1, >- }; > >- assert_non_null(in.dn); >+ assert_non_null(msg); >+ msg->dn = ldb_dn_new(ctx, ctx->ldb, "dc=samba,dc=org"); >+ msg->num_elements = 1; >+ msg->elements = &element_1; >+ >+ assert_non_null(msg->dn); >+ msg_add_dn(msg); > >- ret = ldb_filter_attrs_in_place(ctx->ldb, >- &in, >- attrs, >- filtered_msg); >+ ret = ldb_filter_attrs_in_place(msg, attrs); > assert_int_equal(ret, LDB_SUCCESS); >- assert_non_null(filtered_msg); >- assert_int_equal(filtered_msg->num_elements, 0); >- assert_null(filtered_msg->dn); >- assert_null(filtered_msg->elements); >+ assert_int_equal(msg->num_elements, 0); >+ assert_non_null(msg->dn); > } > > int main(int argc, const char **argv) > { > const struct CMUnitTest tests[] = { > cmocka_unit_test_setup_teardown( >- test_filter_attrs_one_attr_matched, >+ test_filter_attrs_in_place_one_attr_matched, > setup, > teardown), > cmocka_unit_test_setup_teardown( >- test_filter_attrs_one_attr_matched_of_many, >+ test_filter_attrs_in_place_one_attr_matched_of_many, > setup, > teardown), > cmocka_unit_test_setup_teardown( >- test_filter_attrs_two_attr_matched_attrs, >+ test_filter_attrs_in_place_two_attr_matched_attrs, > setup, > teardown), > cmocka_unit_test_setup_teardown( >- test_filter_attrs_two_attr_matched_one_attr, >+ test_filter_attrs_in_place_two_attr_matched_one_attr, > setup, > teardown), > cmocka_unit_test_setup_teardown( >- test_filter_attrs_two_dup_attr_matched_one_attr, >+ test_filter_attrs_in_place_two_dup_attr_matched_one_attr, > setup, > teardown), > cmocka_unit_test_setup_teardown( >- test_filter_attrs_two_dup_attr_matched_dup, >+ test_filter_attrs_in_place_two_dup_attr_matched_dup, > setup, > teardown), > cmocka_unit_test_setup_teardown( >- test_filter_attrs_two_dup_attr_matched_one_of_two, >+ test_filter_attrs_in_place_two_dup_attr_matched_one_of_two, > setup, > teardown), > cmocka_unit_test_setup_teardown( >- test_filter_attrs_two_dup_attr_matched_star, >+ test_filter_attrs_in_place_two_dup_attr_matched_star, > setup, > teardown), > cmocka_unit_test_setup_teardown( >- test_filter_attrs_one_attr_matched_star, >+ test_filter_attrs_in_place_one_attr_matched_star, > setup, > teardown), > cmocka_unit_test_setup_teardown( >- test_filter_attrs_two_attr_matched_star, >+ test_filter_attrs_in_place_two_attr_matched_star, > setup, > teardown), > cmocka_unit_test_setup_teardown( >- test_filter_attrs_one_attr_matched_star_no_dn, >+ test_filter_attrs_in_place_one_attr_matched_star_no_dn, > setup, > teardown), > cmocka_unit_test_setup_teardown( >- test_filter_attrs_one_attr_matched_star_dn, >+ test_filter_attrs_in_place_one_attr_matched_star_dn, > setup, > teardown), > cmocka_unit_test_setup_teardown( >- test_filter_attrs_one_attr_matched_dn, >+ test_filter_attrs_in_place_one_attr_matched_dn, > setup, > teardown), > cmocka_unit_test_setup_teardown( >- test_filter_attrs_one_attr_empty_list, >+ test_filter_attrs_in_place_one_attr_empty_list, > setup, > teardown), > }; >-- >2.25.1 > > >From ddf810e65c2088672654ef8669f9a9e92112aa0f Mon Sep 17 00:00:00 2001 >From: Joseph Sutton <josephsutton@catalyst.net.nz> >Date: Mon, 27 Feb 2023 10:31:52 +1300 >Subject: [PATCH 17/39] CVE-2023-0614 ldb: Make use of > ldb_filter_attrs_in_place() > >Change all uses of ldb_kv_filter_attrs() to use >ldb_filter_attrs_in_place() instead. This function does less work than >its predecessor, and no longer requires the allocation of a second ldb >message. Some of the work is able to be split out into separate >functions that each accomplish a single task, with a purpose to make the >code clearer. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270 > >Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> >Reviewed-by: Andrew Bartlett <abartlet@samba.org> >--- > lib/ldb/ldb_key_value/ldb_kv.h | 6 +- > lib/ldb/ldb_key_value/ldb_kv_index.c | 27 +++++---- > lib/ldb/ldb_key_value/ldb_kv_search.c | 86 ++++++++++++++------------- > source4/torture/ldb/ldb.c | 12 ++-- > 4 files changed, 66 insertions(+), 65 deletions(-) > >diff --git a/lib/ldb/ldb_key_value/ldb_kv.h b/lib/ldb/ldb_key_value/ldb_kv.h >index ac474b04b4c..7d5a40e76e9 100644 >--- a/lib/ldb/ldb_key_value/ldb_kv.h >+++ b/lib/ldb/ldb_key_value/ldb_kv.h >@@ -301,10 +301,8 @@ int ldb_kv_search_key(struct ldb_module *module, > const struct ldb_val ldb_key, > struct ldb_message *msg, > unsigned int unpack_flags); >-int ldb_kv_filter_attrs(struct ldb_context *ldb, >- const struct ldb_message *msg, >- const char *const *attrs, >- struct ldb_message *filtered_msg); >+int ldb_kv_filter_attrs_in_place(struct ldb_message *msg, >+ const char *const *attrs); > int ldb_kv_search(struct ldb_kv_context *ctx); > > /* >diff --git a/lib/ldb/ldb_key_value/ldb_kv_index.c b/lib/ldb/ldb_key_value/ldb_kv_index.c >index d70e5f619ef..203266ea8c9 100644 >--- a/lib/ldb/ldb_key_value/ldb_kv_index.c >+++ b/lib/ldb/ldb_key_value/ldb_kv_index.c >@@ -2264,7 +2264,6 @@ static int ldb_kv_index_filter(struct ldb_kv_private *ldb_kv, > { > struct ldb_context *ldb = ldb_module_get_ctx(ac->module); > struct ldb_message *msg; >- struct ldb_message *filtered_msg; > unsigned int i; > unsigned int num_keys = 0; > uint8_t previous_guid_key[LDB_KV_GUID_KEY_SIZE] = {0}; >@@ -2456,27 +2455,31 @@ static int ldb_kv_index_filter(struct ldb_kv_private *ldb_kv, > continue; > } > >- filtered_msg = ldb_msg_new(ac); >- if (filtered_msg == NULL) { >- TALLOC_FREE(keys); >- TALLOC_FREE(msg); >+ ret = ldb_msg_add_distinguished_name(msg); >+ if (ret == -1) { >+ talloc_free(msg); > return LDB_ERR_OPERATIONS_ERROR; > } > >- filtered_msg->dn = talloc_steal(filtered_msg, msg->dn); >- > /* filter the attributes that the user wants */ >- ret = ldb_kv_filter_attrs(ldb, msg, ac->attrs, filtered_msg); >+ ret = ldb_kv_filter_attrs_in_place(msg, ac->attrs); >+ if (ret != LDB_SUCCESS) { >+ talloc_free(keys); >+ talloc_free(msg); >+ return LDB_ERR_OPERATIONS_ERROR; >+ } > >- talloc_free(msg); >+ ldb_msg_shrink_to_fit(msg); > >- if (ret == -1) { >- TALLOC_FREE(filtered_msg); >+ /* Ensure the message elements are all talloc'd. */ >+ ret = ldb_msg_elements_take_ownership(msg); >+ if (ret != LDB_SUCCESS) { > talloc_free(keys); >+ talloc_free(msg); > return LDB_ERR_OPERATIONS_ERROR; > } > >- ret = ldb_module_send_entry(ac->req, filtered_msg, NULL); >+ ret = ldb_module_send_entry(ac->req, msg, NULL); > if (ret != LDB_SUCCESS) { > /* Regardless of success or failure, the msg > * is the callbacks responsiblity, and should >diff --git a/lib/ldb/ldb_key_value/ldb_kv_search.c b/lib/ldb/ldb_key_value/ldb_kv_search.c >index 964e1c1aba0..b77f46ca52c 100644 >--- a/lib/ldb/ldb_key_value/ldb_kv_search.c >+++ b/lib/ldb/ldb_key_value/ldb_kv_search.c >@@ -293,15 +293,13 @@ int ldb_kv_search_dn1(struct ldb_module *module, > > /* > * filter the specified list of attributes from msg, >- * adding requested attributes, and perhaps all for *, >- * but not the DN to filtered_msg. >+ * adding requested attributes, and perhaps all for *. >+ * The DN will not be added if it is missing. > */ >-int ldb_kv_filter_attrs(struct ldb_context *ldb, >- const struct ldb_message *msg, >- const char *const *attrs, >- struct ldb_message *filtered_msg) >+int ldb_kv_filter_attrs_in_place(struct ldb_message *msg, >+ const char *const *attrs) > { >- return ldb_filter_attrs(ldb, msg, attrs, filtered_msg); >+ return ldb_filter_attrs_in_place(msg, attrs); > } > > /* >@@ -314,7 +312,7 @@ static int search_func(_UNUSED_ struct ldb_kv_private *ldb_kv, > { > struct ldb_context *ldb; > struct ldb_kv_context *ac; >- struct ldb_message *msg, *filtered_msg; >+ struct ldb_message *msg; > struct timeval now; > int ret, timeval_cmp; > bool matched; >@@ -411,25 +409,31 @@ static int search_func(_UNUSED_ struct ldb_kv_private *ldb_kv, > return 0; > } > >- filtered_msg = ldb_msg_new(ac); >- if (filtered_msg == NULL) { >- TALLOC_FREE(msg); >+ ret = ldb_msg_add_distinguished_name(msg); >+ if (ret == -1) { >+ talloc_free(msg); > return LDB_ERR_OPERATIONS_ERROR; > } > >- filtered_msg->dn = talloc_steal(filtered_msg, msg->dn); >- > /* filter the attributes that the user wants */ >- ret = ldb_kv_filter_attrs(ldb, msg, ac->attrs, filtered_msg); >- talloc_free(msg); >+ ret = ldb_kv_filter_attrs_in_place(msg, ac->attrs); >+ if (ret != LDB_SUCCESS) { >+ talloc_free(msg); >+ ac->error = LDB_ERR_OPERATIONS_ERROR; >+ return -1; >+ } > >- if (ret == -1) { >- TALLOC_FREE(filtered_msg); >+ ldb_msg_shrink_to_fit(msg); >+ >+ /* Ensure the message elements are all talloc'd. */ >+ ret = ldb_msg_elements_take_ownership(msg); >+ if (ret != LDB_SUCCESS) { >+ talloc_free(msg); > ac->error = LDB_ERR_OPERATIONS_ERROR; > return -1; > } > >- ret = ldb_module_send_entry(ac->req, filtered_msg, NULL); >+ ret = ldb_module_send_entry(ac->req, msg, NULL); > if (ret != LDB_SUCCESS) { > ac->request_terminated = true; > /* the callback failed, abort the operation */ >@@ -492,7 +496,7 @@ static int ldb_kv_search_full(struct ldb_kv_context *ctx) > static int ldb_kv_search_and_return_base(struct ldb_kv_private *ldb_kv, > struct ldb_kv_context *ctx) > { >- struct ldb_message *msg, *filtered_msg; >+ struct ldb_message *msg; > struct ldb_context *ldb = ldb_module_get_ctx(ctx->module); > const char *dn_linearized; > const char *msg_dn_linearized; >@@ -550,12 +554,6 @@ static int ldb_kv_search_and_return_base(struct ldb_kv_private *ldb_kv, > dn_linearized = ldb_dn_get_linearized(ctx->base); > msg_dn_linearized = ldb_dn_get_linearized(msg->dn); > >- filtered_msg = ldb_msg_new(ctx); >- if (filtered_msg == NULL) { >- talloc_free(msg); >- return LDB_ERR_OPERATIONS_ERROR; >- } >- > if (strcmp(dn_linearized, msg_dn_linearized) == 0) { > /* > * If the DN is exactly the same string, then >@@ -563,36 +561,42 @@ static int ldb_kv_search_and_return_base(struct ldb_kv_private *ldb_kv, > * returned result, as it has already been > * casefolded > */ >- filtered_msg->dn = ldb_dn_copy(filtered_msg, ctx->base); >+ struct ldb_dn *dn = ldb_dn_copy(msg, ctx->base); >+ if (dn != NULL) { >+ msg->dn = dn; >+ } > } > >- /* >- * If the ldb_dn_copy() failed, or if we did not choose that >- * optimisation (filtered_msg is zeroed at allocation), >- * steal the one from the unpack >- */ >- if (filtered_msg->dn == NULL) { >- filtered_msg->dn = talloc_steal(filtered_msg, msg->dn); >+ ret = ldb_msg_add_distinguished_name(msg); >+ if (ret == -1) { >+ talloc_free(msg); >+ return LDB_ERR_OPERATIONS_ERROR; > } > > /* > * filter the attributes that the user wants. > */ >- ret = ldb_kv_filter_attrs(ldb, msg, ctx->attrs, filtered_msg); >- if (ret == -1) { >+ ret = ldb_kv_filter_attrs_in_place(msg, ctx->attrs); >+ if (ret != LDB_SUCCESS) { >+ talloc_free(msg); >+ return LDB_ERR_OPERATIONS_ERROR; >+ } >+ >+ ldb_msg_shrink_to_fit(msg); >+ >+ /* Ensure the message elements are all talloc'd. */ >+ ret = ldb_msg_elements_take_ownership(msg); >+ if (ret != LDB_SUCCESS) { > talloc_free(msg); >- filtered_msg = NULL; > return LDB_ERR_OPERATIONS_ERROR; > } > > /* >- * Remove any extended components possibly copied in from >- * msg->dn, we just want the casefold components >+ * Remove any extended components, we just want the casefold components > */ >- ldb_dn_remove_extended_components(filtered_msg->dn); >- talloc_free(msg); >+ ldb_dn_remove_extended_components(msg->dn); > >- ret = ldb_module_send_entry(ctx->req, filtered_msg, NULL); >+ ret = ldb_module_send_entry(ctx->req, msg, NULL); > if (ret != LDB_SUCCESS) { > /* Regardless of success or failure, the msg > * is the callbacks responsiblity, and should >diff --git a/source4/torture/ldb/ldb.c b/source4/torture/ldb/ldb.c >index bd0ae3a382a..c170416bec4 100644 >--- a/source4/torture/ldb/ldb.c >+++ b/source4/torture/ldb/ldb.c >@@ -1634,7 +1634,6 @@ static bool torture_ldb_unpack_and_filter(struct torture_context *torture, > TALLOC_CTX *mem_ctx = talloc_new(torture); > struct ldb_context *ldb; > struct ldb_val data = *discard_const_p(struct ldb_val, data_p); >- struct ldb_message *unpack_msg = ldb_msg_new(mem_ctx); > struct ldb_message *msg = ldb_msg_new(mem_ctx); > const char *lookup_names[] = {"instanceType", "nonexistent", > "whenChanged", "objectClass", >@@ -1649,18 +1648,15 @@ static bool torture_ldb_unpack_and_filter(struct torture_context *torture, > "Failed to init samba"); > > torture_assert_int_equal(torture, >- ldb_unpack_data(ldb, &data, unpack_msg), >+ ldb_unpack_data(ldb, &data, msg), > 0, "ldb_unpack_data failed"); > >- torture_assert_int_equal(torture, unpack_msg->num_elements, 13, >+ torture_assert_int_equal(torture, msg->num_elements, 13, > "Got wrong count of elements"); > >- msg->dn = talloc_steal(msg, unpack_msg->dn); >- > torture_assert_int_equal(torture, >- ldb_filter_attrs(ldb, unpack_msg, >- lookup_names, msg), >- 0, "ldb_kv_filter_attrs failed"); >+ ldb_filter_attrs_in_place(msg, lookup_names), >+ 0, "ldb_filter_attrs_in_place failed"); > > /* Compare data in binary form */ > torture_assert_int_equal(torture, msg->num_elements, 6, >-- >2.25.1 > > >From 7ea686401e40921bc105a68a0f52edb40bd7e008 Mon Sep 17 00:00:00 2001 >From: Joseph Sutton <josephsutton@catalyst.net.nz> >Date: Tue, 7 Feb 2023 09:35:24 +1300 >Subject: [PATCH 18/39] CVE-2023-0614 s4:dsdb/extended_dn_in: Don't modify a > search tree we don't own > >In extended_dn_fix_filter() we had: > > req->op.search.tree = ldb_parse_tree_copy_shallow(req, req->op.search.tree); > >which overwrote the parse tree on an existing ldb request with a fixed >up tree. This became a problem if a module performed another search with >that same request structure, as extended_dn_in would try to fix up the >already-modified tree for a second time. The fixed-up tree element now >having an extended DN, it would fall foul of the ldb_dn_match_allowed() >check in extended_dn_filter_callback(), and be replaced with an >ALWAYS_FALSE match rule. In practice this meant that <GUID={}> searches >would only work for one search in an ldb request, and fail for >subsequent ones. > >Fix this by creating a new request with the modified tree, and leaving >the original request unmodified. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270 > >Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> >Reviewed-by: Andrew Bartlett <abartlet@samba.org> >--- > .../dsdb/samdb/ldb_modules/extended_dn_in.c | 40 +++++++++++++++---- > 1 file changed, 32 insertions(+), 8 deletions(-) > >diff --git a/source4/dsdb/samdb/ldb_modules/extended_dn_in.c b/source4/dsdb/samdb/ldb_modules/extended_dn_in.c >index 2d0513a738b..1dc1e1f2d42 100644 >--- a/source4/dsdb/samdb/ldb_modules/extended_dn_in.c >+++ b/source4/dsdb/samdb/ldb_modules/extended_dn_in.c >@@ -48,6 +48,7 @@ > struct extended_search_context { > struct ldb_module *module; > struct ldb_request *req; >+ struct ldb_parse_tree *tree; > struct ldb_dn *basedn; > struct ldb_dn *dn; > char *wellknown_object; >@@ -200,7 +201,7 @@ static int extended_base_callback(struct ldb_request *req, struct ldb_reply *are > ldb_module_get_ctx(ac->module), ac->req, > ac->basedn, > ac->req->op.search.scope, >- ac->req->op.search.tree, >+ ac->tree, > ac->req->op.search.attrs, > ac->req->controls, > ac, extended_final_callback, >@@ -515,11 +516,14 @@ static int extended_dn_filter_callback(struct ldb_parse_tree *tree, void *privat > */ > static int extended_dn_fix_filter(struct ldb_module *module, > struct ldb_request *req, >- uint32_t default_dsdb_flags) >+ uint32_t default_dsdb_flags, >+ struct ldb_parse_tree **down_tree) > { > struct extended_dn_filter_ctx *filter_ctx; > int ret; > >+ *down_tree = NULL; >+ > filter_ctx = talloc_zero(req, struct extended_dn_filter_ctx); > if (filter_ctx == NULL) { > return ldb_module_oom(module); >@@ -550,12 +554,12 @@ static int extended_dn_fix_filter(struct ldb_module *module, > filter_ctx->test_only = false; > filter_ctx->matched = false; > >- req->op.search.tree = ldb_parse_tree_copy_shallow(req, req->op.search.tree); >- if (req->op.search.tree == NULL) { >+ *down_tree = ldb_parse_tree_copy_shallow(req, req->op.search.tree); >+ if (*down_tree == NULL) { > return ldb_oom(ldb_module_get_ctx(module)); > } > >- ret = ldb_parse_tree_walk(req->op.search.tree, extended_dn_filter_callback, filter_ctx); >+ ret = ldb_parse_tree_walk(*down_tree, extended_dn_filter_callback, filter_ctx); > if (ret != LDB_SUCCESS) { > talloc_free(filter_ctx); > return ret; >@@ -572,7 +576,8 @@ static int extended_dn_fix_filter(struct ldb_module *module, > static int extended_dn_in_fix(struct ldb_module *module, struct ldb_request *req, struct ldb_dn *dn) > { > struct extended_search_context *ac; >- struct ldb_request *down_req; >+ struct ldb_request *down_req = NULL; >+ struct ldb_parse_tree *down_tree = NULL; > int ret; > struct ldb_dn *base_dn = NULL; > enum ldb_scope base_dn_scope = LDB_SCOPE_BASE; >@@ -595,7 +600,7 @@ static int extended_dn_in_fix(struct ldb_module *module, struct ldb_request *req > } > > if (req->operation == LDB_SEARCH) { >- ret = extended_dn_fix_filter(module, req, dsdb_flags); >+ ret = extended_dn_fix_filter(module, req, dsdb_flags, &down_tree); > if (ret != LDB_SUCCESS) { > return ret; > } >@@ -603,7 +608,25 @@ static int extended_dn_in_fix(struct ldb_module *module, struct ldb_request *req > > if (!ldb_dn_has_extended(dn)) { > /* Move along there isn't anything to see here */ >- return ldb_next_request(module, req); >+ if (down_tree == NULL) { >+ down_req = req; >+ } else { >+ ret = ldb_build_search_req_ex(&down_req, >+ ldb_module_get_ctx(module), req, >+ req->op.search.base, >+ req->op.search.scope, >+ down_tree, >+ req->op.search.attrs, >+ req->controls, >+ req, dsdb_next_callback, >+ req); >+ if (ret != LDB_SUCCESS) { >+ return ret; >+ } >+ LDB_REQ_SET_LOCATION(down_req); >+ } >+ >+ return ldb_next_request(module, down_req); > } else { > /* It looks like we need to map the DN */ > const struct ldb_val *sid_val, *guid_val, *wkguid_val; >@@ -690,6 +713,7 @@ static int extended_dn_in_fix(struct ldb_module *module, struct ldb_request *req > > ac->module = module; > ac->req = req; >+ ac->tree = (down_tree != NULL) ? down_tree : req->op.search.tree; > ac->dn = dn; > ac->basedn = NULL; /* Filled in if the search finds the DN by SID/GUID etc */ > ac->wellknown_object = wellknown_object; >-- >2.25.1 > > >From d21037d07311e2eb3265e8475d6b7d663e01d61f Mon Sep 17 00:00:00 2001 >From: Joseph Sutton <josephsutton@catalyst.net.nz> >Date: Tue, 7 Feb 2023 09:48:37 +1300 >Subject: [PATCH 19/39] CVE-2023-0614 s4:dsdb:tests: Fix <GUID={}> search in > confidential attributes test > >The object returned by schema_format_value() is a bytes object. >Therefore the search expression would resemble: > >(lastKnownParent=<GUID=b'00000000-0000-0000-0000-000000000000'>) > >which, due to the extra characters, would fail to match anything. > >Fix it to be: > >(lastKnownParent=<GUID=00000000-0000-0000-0000-000000000000>) > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270 > >Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> >Reviewed-by: Andrew Bartlett <abartlet@samba.org> >--- > source4/dsdb/tests/python/confidential_attr.py | 6 +++--- > 1 file changed, 3 insertions(+), 3 deletions(-) > >diff --git a/source4/dsdb/tests/python/confidential_attr.py b/source4/dsdb/tests/python/confidential_attr.py >index d5c7785485a..1c9c456917a 100755 >--- a/source4/dsdb/tests/python/confidential_attr.py >+++ b/source4/dsdb/tests/python/confidential_attr.py >@@ -924,12 +924,12 @@ class ConfidentialAttrTestDirsync(ConfidentialAttrCommon): > self.assert_negative_searches(has_rights_to="all", > samdb=self.ldb_admin) > >- def get_guid(self, dn): >+ def get_guid_string(self, dn): > """Returns an object's GUID (in string format)""" > res = self.ldb_admin.search(base=dn, attrs=["objectGUID"], > scope=SCOPE_BASE) > guid = res[0]['objectGUID'][0] >- return self.ldb_admin.schema_format_value("objectGUID", guid) >+ return self.ldb_admin.schema_format_value("objectGUID", guid).decode('utf-8') > > def make_attr_preserve_on_delete(self): > """Marks the attribute under test as being preserve on delete""" >@@ -978,7 +978,7 @@ class ConfidentialAttrTestDirsync(ConfidentialAttrCommon): > # deleted objects, but only from this particular test run. We can do > # this by matching lastKnownParent against this test case's OU, which > # will match any deleted child objects. >- ou_guid = self.get_guid(self.ou) >+ ou_guid = self.get_guid_string(self.ou) > deleted_filter = "(lastKnownParent=<GUID={0}>)".format(ou_guid) > > # the extra-filter will get combined via AND with the search expression >-- >2.25.1 > > >From ce702d8075e41f4e784af71096f837a8f95efb8c Mon Sep 17 00:00:00 2001 >From: Joseph Sutton <josephsutton@catalyst.net.nz> >Date: Tue, 7 Feb 2023 09:25:48 +1300 >Subject: [PATCH 20/39] CVE-2023-0614 schema_samba4.ldif: Allocate previously > added OID > >DSDB_CONTROL_CALCULATED_DEFAULT_SD_OID was added in commit >08187833fee57a8dba6c67546dfca516cd1f9d7a. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270 > >Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> >Reviewed-by: Andrew Bartlett <abartlet@samba.org> >--- > source4/setup/schema_samba4.ldif | 1 + > 1 file changed, 1 insertion(+) > >diff --git a/source4/setup/schema_samba4.ldif b/source4/setup/schema_samba4.ldif >index d3a1f1c9ad7..91f8c640954 100644 >--- a/source4/setup/schema_samba4.ldif >+++ b/source4/setup/schema_samba4.ldif >@@ -233,6 +233,7 @@ > #Allocated: DSDB_CONTROL_PASSWORD_ACL_VALIDATION_OID 1.3.6.1.4.1.7165.4.3.33 > #Allocated: DSDB_CONTROL_TRANSACTION_IDENTIFIER_OID 1.3.6.1.4.1.7165.4.3.34 > #Allocated: DSDB_CONTROL_FORCE_ALLOW_VALIDATED_DNS_HOSTNAME_SPN_WRITE_OID 1.3.6.1.4.1.7165.4.3.35 >+#Allocated: DSDB_CONTROL_CALCULATED_DEFAULT_SD_OID 1.3.6.1.4.1.7165.4.3.36 > > > # Extended 1.3.6.1.4.1.7165.4.4.x >-- >2.25.1 > > >From 03159a648b7b1112ee730ed7dc82a102ea758757 Mon Sep 17 00:00:00 2001 >From: Joseph Sutton <josephsutton@catalyst.net.nz> >Date: Fri, 27 Jan 2023 08:32:41 +1300 >Subject: [PATCH 21/39] CVE-2023-0614 tests/krb5: Add test for confidential > attributes timing differences > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270 >Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> >Reviewed-by: Andrew Bartlett <abartlet@samba.org> >--- > selftest/knownfail.d/confidential-attr-timing | 1 + > .../dsdb/tests/python/confidential_attr.py | 162 ++++++++++++++++++ > 2 files changed, 163 insertions(+) > create mode 100644 selftest/knownfail.d/confidential-attr-timing > >diff --git a/selftest/knownfail.d/confidential-attr-timing b/selftest/knownfail.d/confidential-attr-timing >new file mode 100644 >index 00000000000..e213cdb16d3 >--- /dev/null >+++ b/selftest/knownfail.d/confidential-attr-timing >@@ -0,0 +1 @@ >+^samba4.ldap.confidential_attr.python\(ad_dc_slowtests\).__main__.ConfidentialAttrTestDirsync.test_timing_attack\(ad_dc_slowtests\) >diff --git a/source4/dsdb/tests/python/confidential_attr.py b/source4/dsdb/tests/python/confidential_attr.py >index 1c9c456917a..031c9690ba6 100755 >--- a/source4/dsdb/tests/python/confidential_attr.py >+++ b/source4/dsdb/tests/python/confidential_attr.py >@@ -25,6 +25,9 @@ sys.path.insert(0, "bin/python") > > import samba > import os >+import random >+import statistics >+import time > from samba.tests.subunitrun import SubunitOptions, TestProgram > import samba.getopt as options > from ldb import SCOPE_BASE, SCOPE_SUBTREE >@@ -1022,4 +1025,163 @@ class ConfidentialAttrTestDirsync(ConfidentialAttrCommon): > self.assert_conf_attr_searches(has_rights_to=0) > self.assert_negative_searches(has_rights_to=0, dc_mode=dc_mode) > >+ def test_timing_attack(self): >+ # Create the machine account. >+ mach_name = f'conf_timing_{random.randint(0, 0xffff)}' >+ mach_dn = Dn(self.ldb_admin, f'CN={mach_name},{self.ou}') >+ details = { >+ 'dn': mach_dn, >+ 'objectclass': 'computer', >+ 'sAMAccountName': f'{mach_name}$', >+ } >+ self.ldb_admin.add(details) >+ >+ # Get the machine account's GUID. >+ res = self.ldb_admin.search(mach_dn, >+ attrs=['objectGUID'], >+ scope=SCOPE_BASE) >+ mach_guid = res[0].get('objectGUID', idx=0) >+ >+ # Now we can create an msFVE-RecoveryInformation object that is a child >+ # of the machine account object. >+ recovery_dn = Dn(self.ldb_admin, str(mach_dn)) >+ recovery_dn.add_child('CN=recovery_info') >+ >+ secret_pw = 'Secret007' >+ not_secret_pw = 'Secret008' >+ >+ secret_pw_utf8 = secret_pw.encode('utf-8') >+ >+ # The crucial attribute, msFVE-RecoveryPassword, is a confidential >+ # attribute. >+ conf_attr = 'msFVE-RecoveryPassword' >+ >+ m = Message(recovery_dn) >+ m['objectClass'] = 'msFVE-RecoveryInformation' >+ m['msFVE-RecoveryGuid'] = mach_guid >+ m[conf_attr] = secret_pw >+ self.ldb_admin.add(m) >+ >+ attrs = [conf_attr] >+ >+ # Search for the confidential attribute as administrator, ensuring it >+ # is visible. >+ res = self.ldb_admin.search(recovery_dn, >+ attrs=attrs, >+ scope=SCOPE_BASE) >+ self.assertEqual(1, len(res)) >+ pw = res[0].get(conf_attr, idx=0) >+ self.assertEqual(secret_pw_utf8, pw) >+ >+ # Repeat the search with an expression matching on the confidential >+ # attribute. This should also work. >+ res = self.ldb_admin.search( >+ recovery_dn, >+ attrs=attrs, >+ expression=f'({conf_attr}={secret_pw})', >+ scope=SCOPE_BASE) >+ self.assertEqual(1, len(res)) >+ pw = res[0].get(conf_attr, idx=0) >+ self.assertEqual(secret_pw_utf8, pw) >+ >+ # Search for the attribute as an unprivileged user. It should not be >+ # visible. >+ user_res = self.ldb_user.search(recovery_dn, >+ attrs=attrs, >+ scope=SCOPE_BASE) >+ pw = user_res[0].get(conf_attr, idx=0) >+ # The attribute should be None. >+ self.assertIsNone(pw) >+ >+ # We use LDAP_MATCHING_RULE_TRANSITIVE_EVAL to create a search >+ # expression that takes a long time to execute, by setting off another >+ # search each time it is evaluated. It makes no difference that the >+ # object on which we're searching has no 'member' attribute. >+ dummy_dn = 'cn=user,cn=users,dc=samba,dc=example,dc=com' >+ slow_subexpr = f'(member:1.2.840.113556.1.4.1941:={dummy_dn})' >+ slow_expr = f'(|{slow_subexpr * 100})' >+ >+ # The full search expression. It comprises a match on the confidential >+ # attribute joined by an AND to our slow search expression, The AND >+ # operator is short-circuiting, so if our first subexpression fails to >+ # match, we'll bail out of the search early. Otherwise, we'll evaluate >+ # the slow part; as its subexpressions are joined by ORs, and will all >+ # fail to match, every one of them will need to be evaluated. By >+ # measuring how long the search takes, we'll be able to infer whether >+ # the confidential attribute matched or not. >+ >+ # This is bad if we are not an administrator, and are able to use this >+ # to determine the values of confidential attributes. Therefore we need >+ # to ensure we can't observe any difference in timing. >+ correct_expr = f'(&({conf_attr}={secret_pw}){slow_expr})' >+ wrong_expr = f'(&({conf_attr}={not_secret_pw}){slow_expr})' >+ >+ def standard_uncertainty_bounds(times): >+ mean = statistics.mean(times) >+ stdev = statistics.stdev(times, mean) >+ >+ return (mean - stdev, mean + stdev) >+ >+ # Perform a number of searches with both correct and incorrect >+ # expressions, and return the uncertainty bounds for each. >+ def time_searches(samdb): >+ warmup_samples = 3 >+ samples = 10 >+ matching_times = [] >+ non_matching_times = [] >+ >+ for _ in range(warmup_samples): >+ samdb.search(recovery_dn, >+ attrs=attrs, >+ expression=correct_expr, >+ scope=SCOPE_BASE) >+ >+ for _ in range(samples): >+ # Measure the time taken for a search, for both a matching and >+ # a non-matching search expression. >+ >+ prev = time.time() >+ samdb.search(recovery_dn, >+ attrs=attrs, >+ expression=correct_expr, >+ scope=SCOPE_BASE) >+ now = time.time() >+ matching_times.append(now - prev) >+ >+ prev = time.time() >+ samdb.search(recovery_dn, >+ attrs=attrs, >+ expression=wrong_expr, >+ scope=SCOPE_BASE) >+ now = time.time() >+ non_matching_times.append(now - prev) >+ >+ matching = standard_uncertainty_bounds(matching_times) >+ non_matching = standard_uncertainty_bounds(non_matching_times) >+ return matching, non_matching >+ >+ def assertRangesDistinct(a, b): >+ a0, a1 = a >+ b0, b1 = b >+ self.assertLess(min(a1, b1), max(a0, b0)) >+ >+ def assertRangesOverlap(a, b): >+ a0, a1 = a >+ b0, b1 = b >+ self.assertGreaterEqual(min(a1, b1), max(a0, b0)) >+ >+ # For an administrator, the uncertainty bounds for matching and >+ # non-matching searches should be distinct. This shows that the two >+ # cases are distinguishable, and therefore that confidential attributes >+ # are visible. >+ admin_matching, admin_non_matching = time_searches(self.ldb_admin) >+ assertRangesDistinct(admin_matching, admin_non_matching) >+ >+ # The user cannot view the confidential attribute, so the uncertainty >+ # bounds for matching and non-matching searches must overlap. The two >+ # cases must be indistinguishable. >+ user_matching, user_non_matching = time_searches(self.ldb_user) >+ assertRangesOverlap(user_matching, user_non_matching) >+ >+ > TestProgram(module=__name__, opts=subunitopts) >-- >2.25.1 > > >From 7618b959ee08fe4889e4742d48c0b8d704b10786 Mon Sep 17 00:00:00 2001 >From: Andrew Bartlett <abartlet@samba.org> >Date: Fri, 3 Mar 2023 17:31:54 +1300 >Subject: [PATCH 22/39] CVE-2023-0614 ldb: Add ldb_parse_tree_get_attr() > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270 > >Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> >Reviewed-by: Andrew Bartlett <abartlet@samba.org> >--- > lib/ldb/ABI/ldb-2.8.0.sigs | 1 + > lib/ldb/common/ldb_parse.c | 25 +++++++++++++++++++++++++ > lib/ldb/include/ldb_module.h | 3 +++ > 3 files changed, 29 insertions(+) > >diff --git a/lib/ldb/ABI/ldb-2.8.0.sigs b/lib/ldb/ABI/ldb-2.8.0.sigs >index 73fe6c4dd9f..da595cbe9e4 100644 >--- a/lib/ldb/ABI/ldb-2.8.0.sigs >+++ b/lib/ldb/ABI/ldb-2.8.0.sigs >@@ -220,6 +220,7 @@ ldb_parse_control_strings: struct ldb_control **(struct ldb_context *, TALLOC_CT > ldb_parse_tree: struct ldb_parse_tree *(TALLOC_CTX *, const char *) > ldb_parse_tree_attr_replace: void (struct ldb_parse_tree *, const char *, const char *) > ldb_parse_tree_copy_shallow: struct ldb_parse_tree *(TALLOC_CTX *, const struct ldb_parse_tree *) >+ldb_parse_tree_get_attr: const char *(const struct ldb_parse_tree *) > ldb_parse_tree_walk: int (struct ldb_parse_tree *, int (*)(struct ldb_parse_tree *, void *), void *) > ldb_qsort: void (void * const, size_t, size_t, void *, ldb_qsort_cmp_fn_t) > ldb_register_backend: int (const char *, ldb_connect_fn, bool) >diff --git a/lib/ldb/common/ldb_parse.c b/lib/ldb/common/ldb_parse.c >index f0045ad2093..2d102ff750e 100644 >--- a/lib/ldb/common/ldb_parse.c >+++ b/lib/ldb/common/ldb_parse.c >@@ -997,3 +997,28 @@ struct ldb_parse_tree *ldb_parse_tree_copy_shallow(TALLOC_CTX *mem_ctx, > > return nt; > } >+ >+/* Get the attribute (if any) associated with the top node of a parse tree. */ >+const char *ldb_parse_tree_get_attr(const struct ldb_parse_tree *tree) >+{ >+ switch (tree->operation) { >+ case LDB_OP_AND: >+ case LDB_OP_OR: >+ case LDB_OP_NOT: >+ return NULL; >+ case LDB_OP_EQUALITY: >+ return tree->u.equality.attr; >+ case LDB_OP_SUBSTRING: >+ return tree->u.substring.attr; >+ case LDB_OP_GREATER: >+ case LDB_OP_LESS: >+ case LDB_OP_APPROX: >+ return tree->u.comparison.attr; >+ case LDB_OP_PRESENT: >+ return tree->u.present.attr; >+ case LDB_OP_EXTENDED: >+ return tree->u.extended.attr; >+ } >+ >+ return NULL; >+} >diff --git a/lib/ldb/include/ldb_module.h b/lib/ldb/include/ldb_module.h >index 4ae381ba5be..bd369ed9512 100644 >--- a/lib/ldb/include/ldb_module.h >+++ b/lib/ldb/include/ldb_module.h >@@ -490,6 +490,9 @@ int ldb_init_module(const char *version); > */ > bool ldb_dn_replace_components(struct ldb_dn *dn, struct ldb_dn *new_dn); > >+/* Get the attribute (if any) associated with the top node of a parse tree. */ >+const char *ldb_parse_tree_get_attr(const struct ldb_parse_tree *tree); >+ > /* > walk a parse tree, calling the provided callback on each node > */ >-- >2.25.1 > > >From 7621d9db368942eba673a38aa3382ae5930af5c9 Mon Sep 17 00:00:00 2001 >From: Joseph Sutton <josephsutton@catalyst.net.nz> >Date: Mon, 27 Feb 2023 13:40:33 +1300 >Subject: [PATCH 23/39] CVE-2023-0614 s4-acl: Split out logic to remove access > checking attributes > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270 > >Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> >Reviewed-by: Andrew Bartlett <abartlet@samba.org> >--- > source4/dsdb/samdb/ldb_modules/acl_read.c | 58 ++++++++++++++--------- > 1 file changed, 35 insertions(+), 23 deletions(-) > >diff --git a/source4/dsdb/samdb/ldb_modules/acl_read.c b/source4/dsdb/samdb/ldb_modules/acl_read.c >index 7585be3f93b..884ba268cca 100644 >--- a/source4/dsdb/samdb/ldb_modules/acl_read.c >+++ b/source4/dsdb/samdb/ldb_modules/acl_read.c >@@ -546,6 +546,39 @@ static int check_search_ops_access(struct aclread_context *ac, > return ret; > } > >+/* >+ * Whether this attribute was added to perform access checks and must be >+ * removed. >+ */ >+static bool should_remove_attr(const char *attr, const struct aclread_context *ac) >+{ >+ if (ac->added_nTSecurityDescriptor && >+ ldb_attr_cmp("nTSecurityDescriptor", attr) == 0) >+ { >+ return true; >+ } >+ >+ if (ac->added_objectSid && >+ ldb_attr_cmp("objectSid", attr) == 0) >+ { >+ return true; >+ } >+ >+ if (ac->added_instanceType && >+ ldb_attr_cmp("instanceType", attr) == 0) >+ { >+ return true; >+ } >+ >+ if (ac->added_objectClass && >+ ldb_attr_cmp("objectClass", attr) == 0) >+ { >+ return true; >+ } >+ >+ return false; >+} >+ > static int aclread_callback(struct ldb_request *req, struct ldb_reply *ares) > { > struct ldb_context *ldb; >@@ -620,7 +653,6 @@ static int aclread_callback(struct ldb_request *req, struct ldb_reply *ares) > /* for every element in the message check RP */ > for (i=0; i < msg->num_elements; i++) { > const struct dsdb_attribute *attr; >- bool is_sd, is_objectsid, is_instancetype, is_objectclass; > uint32_t access_mask; > attr = dsdb_attribute_by_lDAPDisplayName(ac->schema, > msg->elements[i].name); >@@ -632,28 +664,8 @@ static int aclread_callback(struct ldb_request *req, struct ldb_reply *ares) > ret = LDB_ERR_OPERATIONS_ERROR; > goto fail; > } >- is_sd = ldb_attr_cmp("nTSecurityDescriptor", >- msg->elements[i].name) == 0; >- is_objectsid = ldb_attr_cmp("objectSid", >- msg->elements[i].name) == 0; >- is_instancetype = ldb_attr_cmp("instanceType", >- msg->elements[i].name) == 0; >- is_objectclass = ldb_attr_cmp("objectClass", >- msg->elements[i].name) == 0; >- /* these attributes were added to perform access checks and must be removed */ >- if (is_objectsid && ac->added_objectSid) { >- ldb_msg_element_mark_inaccessible(&msg->elements[i]); >- continue; >- } >- if (is_instancetype && ac->added_instanceType) { >- ldb_msg_element_mark_inaccessible(&msg->elements[i]); >- continue; >- } >- if (is_objectclass && ac->added_objectClass) { >- ldb_msg_element_mark_inaccessible(&msg->elements[i]); >- continue; >- } >- if (is_sd && ac->added_nTSecurityDescriptor) { >+ /* Remove attributes added to perform access checks. */ >+ if (should_remove_attr(msg->elements[i].name, ac)) { > ldb_msg_element_mark_inaccessible(&msg->elements[i]); > continue; > } >-- >2.25.1 > > >From df39f155c609a956afe6162e4dd829070bc1d6df Mon Sep 17 00:00:00 2001 >From: Joseph Sutton <josephsutton@catalyst.net.nz> >Date: Mon, 27 Feb 2023 12:19:08 +1300 >Subject: [PATCH 24/39] CVE-2023-0614 s4-dsdb: Add samdb_result_dom_sid_buf() > >This function parses a SID from an ldb_message, similar to >samdb_result_dom_sid(), but does it without allocating anything. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270 > >Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> >Reviewed-by: Andrew Bartlett <abartlet@samba.org> >--- > source4/dsdb/common/util.c | 20 ++++++++++++++++++++ > 1 file changed, 20 insertions(+) > >diff --git a/source4/dsdb/common/util.c b/source4/dsdb/common/util.c >index 25681f8b4a6..7dfdf2680b1 100644 >--- a/source4/dsdb/common/util.c >+++ b/source4/dsdb/common/util.c >@@ -400,6 +400,26 @@ struct auth_SidAttr *samdb_result_dom_sid_attrs(TALLOC_CTX *mem_ctx, const struc > return sid; > } > >+/* >+ pull a dom_sid structure from a objectSid in a result set. >+*/ >+int samdb_result_dom_sid_buf(const struct ldb_message *msg, >+ const char *attr, >+ struct dom_sid *sid) >+{ >+ ssize_t ret; >+ const struct ldb_val *v = NULL; >+ v = ldb_msg_find_ldb_val(msg, attr); >+ if (v == NULL) { >+ return LDB_ERR_NO_SUCH_ATTRIBUTE; >+ } >+ ret = sid_parse(v->data, v->length, sid); >+ if (ret == -1) { >+ return LDB_ERR_OPERATIONS_ERROR; >+ } >+ return LDB_SUCCESS; >+} >+ > /* > pull a guid structure from a objectGUID in a result set. > */ >-- >2.25.1 > > >From 61bee9879a994ea2e9b8eef7876fdcf0212bb44a Mon Sep 17 00:00:00 2001 >From: Joseph Sutton <josephsutton@catalyst.net.nz> >Date: Mon, 27 Feb 2023 13:55:36 +1300 >Subject: [PATCH 25/39] CVE-2023-0614 s4-acl: Split out function to set up > access checking variables > >These variables are often used together, and it is useful to have the >setup code in one place. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270 > >Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> >Reviewed-by: Andrew Bartlett <abartlet@samba.org> >--- > source4/dsdb/samdb/ldb_modules/acl_read.c | 115 +++++++++++++++------- > 1 file changed, 81 insertions(+), 34 deletions(-) > >diff --git a/source4/dsdb/samdb/ldb_modules/acl_read.c b/source4/dsdb/samdb/ldb_modules/acl_read.c >index 884ba268cca..0c3b75caf4a 100644 >--- a/source4/dsdb/samdb/ldb_modules/acl_read.c >+++ b/source4/dsdb/samdb/ldb_modules/acl_read.c >@@ -70,6 +70,13 @@ struct aclread_private { > struct ldb_val sd_cached_blob; > }; > >+struct access_check_context { >+ struct security_descriptor *sd; >+ struct dom_sid sid_buf; >+ const struct dom_sid *sid; >+ const struct dsdb_class *objectclass; >+}; >+ > /* > * the object has a parent, so we have to check for visibility > * >@@ -254,7 +261,7 @@ static int aclread_check_object_visible(struct aclread_context *ac, > */ > > static int aclread_get_sd_from_ldb_message(struct aclread_context *ac, >- struct ldb_message *acl_res, >+ const struct ldb_message *acl_res, > struct security_descriptor **sd) > { > struct ldb_message_element *sd_element; >@@ -358,7 +365,7 @@ static uint32_t get_attr_access_mask(const struct dsdb_attribute *attr, > struct parse_tree_aclread_ctx { > struct aclread_context *ac; > TALLOC_CTX *mem_ctx; >- struct dom_sid *sid; >+ const struct dom_sid *sid; > struct ldb_dn *dn; > struct security_descriptor *sd; > const struct dsdb_class *objectclass; >@@ -372,7 +379,7 @@ static int check_attr_access_rights(TALLOC_CTX *mem_ctx, const char *attr_name, > struct aclread_context *ac, > struct security_descriptor *sd, > const struct dsdb_class *objectclass, >- struct dom_sid *sid, struct ldb_dn *dn) >+ const struct dom_sid *sid, struct ldb_dn *dn) > { > int ret; > const struct dsdb_attribute *attr = NULL; >@@ -449,6 +456,69 @@ static const char * parse_tree_get_attr(struct ldb_parse_tree *tree) > return attr; > } > >+static int setup_access_check_context(struct aclread_context *ac, >+ const struct ldb_message *msg, >+ struct access_check_context *ctx) >+{ >+ int ret; >+ >+ /* >+ * Fetch the schema so we can check which attributes are >+ * considered confidential. >+ */ >+ if (ac->schema == NULL) { >+ struct ldb_context *ldb = ldb_module_get_ctx(ac->module); >+ >+ /* Cache the schema for later use. */ >+ ac->schema = dsdb_get_schema(ldb, ac); >+ >+ if (ac->schema == NULL) { >+ return ldb_error(ldb, LDB_ERR_OPERATIONS_ERROR, >+ "aclread_callback: Error obtaining schema."); >+ } >+ } >+ >+ /* Fetch the object's security descriptor. */ >+ ret = aclread_get_sd_from_ldb_message(ac, msg, &ctx->sd); >+ if (ret != LDB_SUCCESS) { >+ ldb_debug_set(ldb_module_get_ctx(ac->module), LDB_DEBUG_FATAL, >+ "acl_read: cannot get descriptor of %s: %s\n", >+ ldb_dn_get_linearized(msg->dn), ldb_strerror(ret)); >+ return LDB_ERR_OPERATIONS_ERROR; >+ } else if (ctx->sd == NULL) { >+ ldb_debug_set(ldb_module_get_ctx(ac->module), LDB_DEBUG_FATAL, >+ "acl_read: cannot get descriptor of %s (attribute not found)\n", >+ ldb_dn_get_linearized(msg->dn)); >+ return LDB_ERR_OPERATIONS_ERROR; >+ } >+ /* >+ * Get the most specific structural object class for the ACL check >+ */ >+ ctx->objectclass = dsdb_get_structural_oc_from_msg(ac->schema, msg); >+ if (ctx->objectclass == NULL) { >+ ldb_asprintf_errstring(ldb_module_get_ctx(ac->module), >+ "acl_read: Failed to find a structural class for %s", >+ ldb_dn_get_linearized(msg->dn)); >+ return LDB_ERR_OPERATIONS_ERROR; >+ } >+ >+ /* Fetch the object's SID. */ >+ ret = samdb_result_dom_sid_buf(msg, "objectSid", &ctx->sid_buf); >+ if (ret == LDB_SUCCESS) { >+ ctx->sid = &ctx->sid_buf; >+ } else if (ret == LDB_ERR_NO_SUCH_ATTRIBUTE) { >+ /* This is expected. */ >+ ctx->sid = NULL; >+ } else { >+ ldb_asprintf_errstring(ldb_module_get_ctx(ac->module), >+ "acl_read: Failed to parse objectSid as dom_sid for %s", >+ ldb_dn_get_linearized(msg->dn)); >+ return ret; >+ } >+ >+ return LDB_SUCCESS; >+} >+ > /* > * Checks a single attribute in the search parse-tree to make sure the user has > * sufficient rights to view it. >@@ -523,7 +593,7 @@ static int check_search_ops_access(struct aclread_context *ac, > TALLOC_CTX *mem_ctx, > struct security_descriptor *sd, > const struct dsdb_class *objectclass, >- struct dom_sid *sid, struct ldb_dn *dn, >+ const struct dom_sid *sid, struct ldb_dn *dn, > bool *suppress_result) > { > int ret; >@@ -586,10 +656,8 @@ static int aclread_callback(struct ldb_request *req, struct ldb_reply *ares) > struct ldb_message *msg; > int ret; > unsigned int i; >- struct security_descriptor *sd = NULL; >- struct dom_sid *sid = NULL; >+ struct access_check_context acl_ctx; > TALLOC_CTX *tmp_ctx; >- const struct dsdb_class *objectclass; > bool suppress_result = false; > > ac = talloc_get_type_abort(req->context, struct aclread_context); >@@ -605,32 +673,11 @@ static int aclread_callback(struct ldb_request *req, struct ldb_reply *ares) > switch (ares->type) { > case LDB_REPLY_ENTRY: > msg = ares->message; >- ret = aclread_get_sd_from_ldb_message(ac, msg, &sd); >+ ret = setup_access_check_context(ac, msg, &acl_ctx); > if (ret != LDB_SUCCESS) { >- ldb_debug_set(ldb, LDB_DEBUG_FATAL, >- "acl_read: cannot get descriptor of %s: %s\n", >- ldb_dn_get_linearized(msg->dn), ldb_strerror(ret)); >- ret = LDB_ERR_OPERATIONS_ERROR; >- goto fail; >- } else if (sd == NULL) { >- ldb_debug_set(ldb, LDB_DEBUG_FATAL, >- "acl_read: cannot get descriptor of %s (attribute not found)\n", >- ldb_dn_get_linearized(msg->dn)); >- ret = LDB_ERR_OPERATIONS_ERROR; >- goto fail; >- } >- /* >- * Get the most specific structural object class for the ACL check >- */ >- objectclass = dsdb_get_structural_oc_from_msg(ac->schema, msg); >- if (objectclass == NULL) { >- ldb_asprintf_errstring(ldb, "acl_read: Failed to find a structural class for %s", >- ldb_dn_get_linearized(msg->dn)); >- ret = LDB_ERR_OPERATIONS_ERROR; >- goto fail; >+ return ret; > } > >- sid = samdb_result_dom_sid(tmp_ctx, msg, "objectSid"); > if (!ldb_dn_is_null(msg->dn)) { > /* > * this is a real object, so we have >@@ -679,11 +726,11 @@ static int aclread_callback(struct ldb_request *req, struct ldb_reply *ares) > > ret = acl_check_access_on_attribute_implicit_owner(ac->module, > tmp_ctx, >- sd, >- sid, >+ acl_ctx.sd, >+ acl_ctx.sid, > access_mask, > attr, >- objectclass, >+ acl_ctx.objectclass, > IMPLICIT_OWNER_READ_CONTROL_RIGHTS); > > /* >@@ -735,7 +782,7 @@ static int aclread_callback(struct ldb_request *req, struct ldb_reply *ares) > * check access rights for the search attributes, as well as the > * attribute values actually being returned > */ >- ret = check_search_ops_access(ac, tmp_ctx, sd, objectclass, sid, >+ ret = check_search_ops_access(ac, tmp_ctx, acl_ctx.sd, acl_ctx.objectclass, acl_ctx.sid, > msg->dn, &suppress_result); > if (ret != LDB_SUCCESS) { > ldb_debug_set(ldb, LDB_DEBUG_FATAL, >-- >2.25.1 > > >From e526b3e5e24afc39144c563fca21c860c5f1bd8d Mon Sep 17 00:00:00 2001 >From: Andrew Bartlett <abartlet@samba.org> >Date: Fri, 3 Mar 2023 17:34:29 +1300 >Subject: [PATCH 26/39] CVE-2023-0614 ldb: Prevent disclosure of confidential > attributes > >Add a hook, acl_redact_msg_for_filter(), in the aclread module, that >marks inaccessible any message elements used by an LDAP search filter >that the user has no right to access. Make the various ldb_match_*() >functions check whether message elements are accessible, and refuse to >match any that are not. Remaining message elements, not mentioned in the >search filter, are checked in aclread_callback(), and any inaccessible >elements are removed at this point. > >Certain attributes, namely objectClass, distinguishedName, name, and >objectGUID, are always present, and hence the presence of said >attributes is always allowed to be checked in a search filter. This >corresponds with the behaviour of Windows. > >Further, we unconditionally allow the attributes isDeleted and >isRecycled in a check for presence or equality. Windows is not known to >make this special exception, but it seems mostly harmless, and should >mitigate the performance impact on searches made by the show_deleted >module. > >As a result of all these changes, our behaviour regarding confidential >attributes happens to match Windows more closely. For the test in >confidential_attr.py, we can now model our attribute handling with >DC_MODE_RETURN_ALL, which corresponds to the behaviour exhibited by >Windows. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270 > >Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org> > >Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> >Signed-off-by: Andrew Bartlett <abartlet@samba.org> >Reviewed-by: Andrew Bartlett <abartlet@samba.org> >--- > lib/ldb-samba/ldb_matching_rules.c | 15 + > lib/ldb/ABI/ldb-2.8.0.sigs | 1 + > lib/ldb/common/ldb_match.c | 37 + > lib/ldb/include/ldb_module.h | 11 + > lib/ldb/include/ldb_private.h | 5 + > lib/ldb/ldb_key_value/ldb_kv_index.c | 8 + > lib/ldb/ldb_key_value/ldb_kv_search.c | 15 + > selftest/knownfail.d/confidential-attr-timing | 1 - > source4/dsdb/samdb/ldb_modules/acl.c | 183 +--- > source4/dsdb/samdb/ldb_modules/acl_read.c | 839 ++++++++++++------ > source4/dsdb/samdb/samdb.h | 2 + > .../dsdb/tests/python/confidential_attr.py | 12 +- > source4/setup/schema_samba4.ldif | 1 + > 13 files changed, 673 insertions(+), 457 deletions(-) > delete mode 100644 selftest/knownfail.d/confidential-attr-timing > >diff --git a/lib/ldb-samba/ldb_matching_rules.c b/lib/ldb-samba/ldb_matching_rules.c >index 827f3920ae8..0c4c31e49f9 100644 >--- a/lib/ldb-samba/ldb_matching_rules.c >+++ b/lib/ldb-samba/ldb_matching_rules.c >@@ -87,6 +87,11 @@ static int ldb_eval_transitive_filter_helper(TALLOC_CTX *mem_ctx, > return LDB_SUCCESS; > } > >+ if (ldb_msg_element_is_inaccessible(el)) { >+ *matched = false; >+ return LDB_SUCCESS; >+ } >+ > /* > * If the value to match is present in the attribute values of the > * current entry being visited, set matched to true and return OK >@@ -370,6 +375,11 @@ static int dsdb_match_for_dns_to_tombstone_time(struct ldb_context *ldb, > return LDB_SUCCESS; > } > >+ if (ldb_msg_element_is_inaccessible(el)) { >+ *matched = false; >+ return LDB_SUCCESS; >+ } >+ > session_info = talloc_get_type(ldb_get_opaque(ldb, "sessionInfo"), > struct auth_session_info); > if (session_info == NULL) { >@@ -489,6 +499,11 @@ static int dsdb_match_for_expunge(struct ldb_context *ldb, > return LDB_SUCCESS; > } > >+ if (ldb_msg_element_is_inaccessible(el)) { >+ *matched = false; >+ return LDB_SUCCESS; >+ } >+ > session_info > = talloc_get_type(ldb_get_opaque(ldb, DSDB_SESSION_INFO), > struct auth_session_info); >diff --git a/lib/ldb/ABI/ldb-2.8.0.sigs b/lib/ldb/ABI/ldb-2.8.0.sigs >index da595cbe9e4..aff142ed428 100644 >--- a/lib/ldb/ABI/ldb-2.8.0.sigs >+++ b/lib/ldb/ABI/ldb-2.8.0.sigs >@@ -227,6 +227,7 @@ ldb_register_backend: int (const char *, ldb_connect_fn, bool) > ldb_register_extended_match_rule: int (struct ldb_context *, const struct ldb_extended_match_rule *) > ldb_register_hook: int (ldb_hook_fn) > ldb_register_module: int (const struct ldb_module_ops *) >+ldb_register_redact_callback: int (struct ldb_context *, ldb_redact_fn, struct ldb_module *) > ldb_rename: int (struct ldb_context *, struct ldb_dn *, struct ldb_dn *) > ldb_reply_add_control: int (struct ldb_reply *, const char *, bool, void *) > ldb_reply_get_control: struct ldb_control *(struct ldb_reply *, const char *) >diff --git a/lib/ldb/common/ldb_match.c b/lib/ldb/common/ldb_match.c >index 2f4d41f3441..17314f1b9ca 100644 >--- a/lib/ldb/common/ldb_match.c >+++ b/lib/ldb/common/ldb_match.c >@@ -98,6 +98,11 @@ static int ldb_match_present(struct ldb_context *ldb, > return LDB_SUCCESS; > } > >+ if (ldb_msg_element_is_inaccessible(el)) { >+ *matched = false; >+ return LDB_SUCCESS; >+ } >+ > a = ldb_schema_attribute_by_name(ldb, el->name); > if (!a) { > return LDB_ERR_INVALID_ATTRIBUTE_SYNTAX; >@@ -139,6 +144,11 @@ static int ldb_match_comparison(struct ldb_context *ldb, > return LDB_SUCCESS; > } > >+ if (ldb_msg_element_is_inaccessible(el)) { >+ *matched = false; >+ return LDB_SUCCESS; >+ } >+ > a = ldb_schema_attribute_by_name(ldb, el->name); > if (!a) { > return LDB_ERR_INVALID_ATTRIBUTE_SYNTAX; >@@ -209,6 +219,11 @@ static int ldb_match_equality(struct ldb_context *ldb, > return LDB_SUCCESS; > } > >+ if (ldb_msg_element_is_inaccessible(el)) { >+ *matched = false; >+ return LDB_SUCCESS; >+ } >+ > a = ldb_schema_attribute_by_name(ldb, el->name); > if (a == NULL) { > return LDB_ERR_INVALID_ATTRIBUTE_SYNTAX; >@@ -370,6 +385,11 @@ static int ldb_match_substring(struct ldb_context *ldb, > return LDB_SUCCESS; > } > >+ if (ldb_msg_element_is_inaccessible(el)) { >+ *matched = false; >+ return LDB_SUCCESS; >+ } >+ > for (i = 0; i < el->num_values; i++) { > int ret; > ret = ldb_wildcard_compare(ldb, tree, el->values[i], matched); >@@ -443,6 +463,11 @@ static int ldb_match_bitmask(struct ldb_context *ldb, > return LDB_SUCCESS; > } > >+ if (ldb_msg_element_is_inaccessible(el)) { >+ *matched = false; >+ return LDB_SUCCESS; >+ } >+ > for (i=0;i<el->num_values;i++) { > int ret; > struct ldb_val *v = &el->values[i]; >@@ -741,3 +766,15 @@ int ldb_register_extended_match_rule(struct ldb_context *ldb, > return LDB_SUCCESS; > } > >+int ldb_register_redact_callback(struct ldb_context *ldb, >+ ldb_redact_fn redact_fn, >+ struct ldb_module *module) >+{ >+ if (ldb->redact.callback != NULL) { >+ return LDB_ERR_ENTRY_ALREADY_EXISTS; >+ } >+ >+ ldb->redact.callback = redact_fn; >+ ldb->redact.module = module; >+ return LDB_SUCCESS; >+} >diff --git a/lib/ldb/include/ldb_module.h b/lib/ldb/include/ldb_module.h >index bd369ed9512..0f14b1ad346 100644 >--- a/lib/ldb/include/ldb_module.h >+++ b/lib/ldb/include/ldb_module.h >@@ -102,6 +102,12 @@ struct ldb_module; > */ > #define LDB_FLAG_INTERNAL_SHARED_VALUES 0x200 > >+/* >+ * this attribute has been access checked. We know the user has the right to >+ * view it. Used internally in Samba aclread module. >+ */ >+#define LDB_FLAG_INTERNAL_ACCESS_CHECKED 0x400 >+ > /* an extended match rule that always fails to match */ > #define SAMBA_LDAP_MATCH_ALWAYS_FALSE "1.3.6.1.4.1.7165.4.5.1" > >@@ -520,6 +526,11 @@ void ldb_msg_element_mark_inaccessible(struct ldb_message_element *el); > bool ldb_msg_element_is_inaccessible(const struct ldb_message_element *el); > void ldb_msg_remove_inaccessible(struct ldb_message *msg); > >+typedef int (*ldb_redact_fn)(struct ldb_module *, struct ldb_request *, struct ldb_message *); >+int ldb_register_redact_callback(struct ldb_context *ldb, >+ ldb_redact_fn redact_fn, >+ struct ldb_module *module); >+ > /* > * these pack/unpack functions are exposed in the library for use by > * ldb tools like ldbdump and for use in tests, >diff --git a/lib/ldb/include/ldb_private.h b/lib/ldb/include/ldb_private.h >index c6cff44942a..47ddaa4ff14 100644 >--- a/lib/ldb/include/ldb_private.h >+++ b/lib/ldb/include/ldb_private.h >@@ -119,6 +119,11 @@ struct ldb_context { > struct ldb_extended_match_entry *prev, *next; > } *extended_match_rules; > >+ struct { >+ struct ldb_module *module; >+ ldb_redact_fn callback; >+ } redact; >+ > /* custom utf8 functions */ > struct ldb_utf8_fns utf8_fns; > >diff --git a/lib/ldb/ldb_key_value/ldb_kv_index.c b/lib/ldb/ldb_key_value/ldb_kv_index.c >index 203266ea8c9..163052fecf7 100644 >--- a/lib/ldb/ldb_key_value/ldb_kv_index.c >+++ b/lib/ldb/ldb_key_value/ldb_kv_index.c >@@ -2428,6 +2428,14 @@ static int ldb_kv_index_filter(struct ldb_kv_private *ldb_kv, > return LDB_ERR_OPERATIONS_ERROR; > } > >+ if (ldb->redact.callback != NULL) { >+ ret = ldb->redact.callback(ldb->redact.module, ac->req, msg); >+ if (ret != LDB_SUCCESS) { >+ talloc_free(msg); >+ return ret; >+ } >+ } >+ > /* > * We trust the index for LDB_SCOPE_ONELEVEL > * unless the index key has been truncated. >diff --git a/lib/ldb/ldb_key_value/ldb_kv_search.c b/lib/ldb/ldb_key_value/ldb_kv_search.c >index b77f46ca52c..e16bd6b6717 100644 >--- a/lib/ldb/ldb_key_value/ldb_kv_search.c >+++ b/lib/ldb/ldb_key_value/ldb_kv_search.c >@@ -396,6 +396,14 @@ static int search_func(_UNUSED_ struct ldb_kv_private *ldb_kv, > } > } > >+ if (ldb->redact.callback != NULL) { >+ ret = ldb->redact.callback(ldb->redact.module, ac->req, msg); >+ if (ret != LDB_SUCCESS) { >+ talloc_free(msg); >+ return ret; >+ } >+ } >+ > /* see if it matches the given expression */ > ret = ldb_match_msg_error(ldb, msg, > ac->tree, ac->base, ac->scope, &matched); >@@ -531,6 +539,13 @@ static int ldb_kv_search_and_return_base(struct ldb_kv_private *ldb_kv, > return ret; > } > >+ if (ldb->redact.callback != NULL) { >+ ret = ldb->redact.callback(ldb->redact.module, ctx->req, msg); >+ if (ret != LDB_SUCCESS) { >+ talloc_free(msg); >+ return ret; >+ } >+ } > > /* > * We use this, not ldb_match_msg_error() as we know >diff --git a/selftest/knownfail.d/confidential-attr-timing b/selftest/knownfail.d/confidential-attr-timing >deleted file mode 100644 >index e213cdb16d3..00000000000 >--- a/selftest/knownfail.d/confidential-attr-timing >+++ /dev/null >@@ -1 +0,0 @@ >-^samba4.ldap.confidential_attr.python\(ad_dc_slowtests\).__main__.ConfidentialAttrTestDirsync.test_timing_attack\(ad_dc_slowtests\) >diff --git a/source4/dsdb/samdb/ldb_modules/acl.c b/source4/dsdb/samdb/ldb_modules/acl.c >index 48dbd35c1cb..343cd8325fc 100644 >--- a/source4/dsdb/samdb/ldb_modules/acl.c >+++ b/source4/dsdb/samdb/ldb_modules/acl.c >@@ -46,11 +46,6 @@ > #undef strcasecmp > #undef strncasecmp > >-struct extended_access_check_attribute { >- const char *oa_name; >- const uint32_t requires_rights; >-}; >- > struct acl_private { > bool acl_search; > const char **password_attrs; >@@ -58,7 +53,6 @@ struct acl_private { > uint64_t cached_schema_metadata_usn; > uint64_t cached_schema_loaded_usn; > const char **confidential_attrs; >- bool userPassword_support; > }; > > struct acl_context { >@@ -66,15 +60,12 @@ struct acl_context { > struct ldb_request *req; > bool am_system; > bool am_administrator; >- bool modify_search; > bool constructed_attrs; > bool allowedAttributes; > bool allowedAttributesEffective; > bool allowedChildClasses; > bool allowedChildClassesEffective; > bool sDRightsEffective; >- bool userPassword; >- const char * const *attrs; > struct dsdb_schema *schema; > }; > >@@ -83,25 +74,9 @@ static int acl_module_init(struct ldb_module *module) > struct ldb_context *ldb; > struct acl_private *data; > int ret; >- unsigned int i, n, j; >- TALLOC_CTX *mem_ctx; >- static const char * const attrs[] = { "passwordAttribute", NULL }; >- static const char * const secret_attrs[] = { >- DSDB_SECRET_ATTRIBUTES >- }; >- struct ldb_result *res; >- struct ldb_message *msg; >- struct ldb_message_element *password_attributes; > > ldb = ldb_module_get_ctx(module); > >- ret = ldb_mod_register_control(module, LDB_CONTROL_SD_FLAGS_OID); >- if (ret != LDB_SUCCESS) { >- ldb_debug(ldb, LDB_DEBUG_ERROR, >- "acl_module_init: Unable to register control with rootdse!\n"); >- return ldb_operr(ldb); >- } >- > data = talloc_zero(module, struct acl_private); > if (data == NULL) { > return ldb_oom(ldb); >@@ -111,91 +86,14 @@ static int acl_module_init(struct ldb_module *module) > NULL, "acl", "search", true); > ldb_module_set_private(module, data); > >- mem_ctx = talloc_new(module); >- if (!mem_ctx) { >- return ldb_oom(ldb); >- } >- >- ret = dsdb_module_search_dn(module, mem_ctx, &res, >- ldb_dn_new(mem_ctx, ldb, "@KLUDGEACL"), >- attrs, >- DSDB_FLAG_NEXT_MODULE | >- DSDB_FLAG_AS_SYSTEM, >- NULL); >- if (ret != LDB_SUCCESS) { >- goto done; >- } >- if (res->count == 0) { >- goto done; >- } >- >- if (res->count > 1) { >- talloc_free(mem_ctx); >- return LDB_ERR_CONSTRAINT_VIOLATION; >- } >- >- msg = res->msgs[0]; >- >- password_attributes = ldb_msg_find_element(msg, "passwordAttribute"); >- if (!password_attributes) { >- goto done; >- } >- data->password_attrs = talloc_array(data, const char *, >- password_attributes->num_values + >- ARRAY_SIZE(secret_attrs) + 1); >- if (!data->password_attrs) { >- talloc_free(mem_ctx); >- return ldb_oom(ldb); >- } >- >- n = 0; >- for (i=0; i < password_attributes->num_values; i++) { >- data->password_attrs[n] = (const char *)password_attributes->values[i].data; >- talloc_steal(data->password_attrs, password_attributes->values[i].data); >- n++; >- } >- >- for (i=0; i < ARRAY_SIZE(secret_attrs); i++) { >- bool found = false; >- >- for (j=0; j < n; j++) { >- if (strcasecmp(data->password_attrs[j], secret_attrs[i]) == 0) { >- found = true; >- break; >- } >- } >- >- if (found) { >- continue; >- } >- >- data->password_attrs[n] = talloc_strdup(data->password_attrs, >- secret_attrs[i]); >- if (data->password_attrs[n] == NULL) { >- talloc_free(mem_ctx); >- return ldb_oom(ldb); >- } >- n++; >- } >- data->password_attrs[n] = NULL; >- >-done: >- talloc_free(mem_ctx); >- ret = ldb_next_init(module); >- >+ ret = ldb_mod_register_control(module, LDB_CONTROL_SD_FLAGS_OID); > if (ret != LDB_SUCCESS) { >- return ret; >+ ldb_debug(ldb, LDB_DEBUG_ERROR, >+ "acl_module_init: Unable to register control with rootdse!\n"); >+ return ldb_operr(ldb); > } > >- /* >- * Check this after the modules have be initialised so we >- * can actually read the backend DB. >- */ >- data->userPassword_support >- = dsdb_user_password_support(module, >- module, >- NULL); >- return ret; >+ return ldb_next_init(module); > } > > static int acl_allowedAttributes(struct ldb_module *module, >@@ -2822,29 +2720,11 @@ static int acl_search_callback(struct ldb_request *req, struct ldb_reply *ares) > ares->controls); > } > >- if (data->password_attrs != NULL) { >- for (i = 0; data->password_attrs[i]; i++) { >- if ((!ac->userPassword) && >- (ldb_attr_cmp(data->password_attrs[i], >- "userPassword") == 0)) >- { >- continue; >- } >- >- ldb_msg_remove_attr(ares->message, data->password_attrs[i]); >- } >- } >- > if (ac->am_administrator) { > return ldb_module_send_entry(ac->req, ares->message, > ares->controls); > } > >- ret = acl_search_update_confidential_attrs(ac, data); >- if (ret != LDB_SUCCESS) { >- return ret; >- } >- > if (data->confidential_attrs != NULL) { > for (i = 0; data->confidential_attrs[i]; i++) { > ldb_msg_remove_attr(ares->message, >@@ -2869,11 +2749,12 @@ static int acl_search(struct ldb_module *module, struct ldb_request *req) > { > struct ldb_context *ldb; > struct acl_context *ac; >- struct ldb_parse_tree *down_tree; >+ struct ldb_parse_tree *down_tree = req->op.search.tree; > struct ldb_request *down_req; > struct acl_private *data; > int ret; > unsigned int i; >+ bool modify_search = true; > > if (ldb_dn_is_special(req->op.search.base)) { > return ldb_next_request(module, req); >@@ -2892,13 +2773,11 @@ static int acl_search(struct ldb_module *module, struct ldb_request *req) > ac->am_system = dsdb_module_am_system(module); > ac->am_administrator = dsdb_module_am_administrator(module); > ac->constructed_attrs = false; >- ac->modify_search = true; > ac->allowedAttributes = ldb_attr_in_list(req->op.search.attrs, "allowedAttributes"); > ac->allowedAttributesEffective = ldb_attr_in_list(req->op.search.attrs, "allowedAttributesEffective"); > ac->allowedChildClasses = ldb_attr_in_list(req->op.search.attrs, "allowedChildClasses"); > ac->allowedChildClassesEffective = ldb_attr_in_list(req->op.search.attrs, "allowedChildClassesEffective"); > ac->sDRightsEffective = ldb_attr_in_list(req->op.search.attrs, "sDRightsEffective"); >- ac->userPassword = true; > ac->schema = dsdb_get_schema(ldb, ac); > > ac->constructed_attrs |= ac->allowedAttributes; >@@ -2908,13 +2787,13 @@ static int acl_search(struct ldb_module *module, struct ldb_request *req) > ac->constructed_attrs |= ac->sDRightsEffective; > > if (data == NULL) { >- ac->modify_search = false; >+ modify_search = false; > } > if (ac->am_system) { >- ac->modify_search = false; >+ modify_search = false; > } > >- if (!ac->constructed_attrs && !ac->modify_search) { >+ if (!ac->constructed_attrs && !modify_search) { > talloc_free(ac); > return ldb_next_request(module, req); > } >@@ -2924,38 +2803,24 @@ static int acl_search(struct ldb_module *module, struct ldb_request *req) > return ldb_error(ldb, LDB_ERR_OPERATIONS_ERROR, > "acl_private data is missing"); > } >- ac->userPassword = data->userPassword_support; >- >- ret = acl_search_update_confidential_attrs(ac, data); >- if (ret != LDB_SUCCESS) { >- return ret; >- } > >- down_tree = ldb_parse_tree_copy_shallow(ac, req->op.search.tree); >- if (down_tree == NULL) { >- return ldb_oom(ldb); >- } >+ if (!ac->am_system && !ac->am_administrator) { >+ ret = acl_search_update_confidential_attrs(ac, data); >+ if (ret != LDB_SUCCESS) { >+ return ret; >+ } > >- if (!ac->am_system && data->password_attrs) { >- for (i = 0; data->password_attrs[i]; i++) { >- if ((!ac->userPassword) && >- (ldb_attr_cmp(data->password_attrs[i], >- "userPassword") == 0)) >- { >- continue; >+ if (data->confidential_attrs != NULL) { >+ down_tree = ldb_parse_tree_copy_shallow(ac, req->op.search.tree); >+ if (down_tree == NULL) { >+ return ldb_oom(ldb); > } > >- ldb_parse_tree_attr_replace(down_tree, >- data->password_attrs[i], >- "kludgeACLredactedattribute"); >- } >- } >- >- if (!ac->am_system && !ac->am_administrator && data->confidential_attrs) { >- for (i = 0; data->confidential_attrs[i]; i++) { >- ldb_parse_tree_attr_replace(down_tree, >- data->confidential_attrs[i], >- "kludgeACLredactedattribute"); >+ for (i = 0; data->confidential_attrs[i]; i++) { >+ ldb_parse_tree_attr_replace(down_tree, >+ data->confidential_attrs[i], >+ "kludgeACLredactedattribute"); >+ } > } > } > >diff --git a/source4/dsdb/samdb/ldb_modules/acl_read.c b/source4/dsdb/samdb/ldb_modules/acl_read.c >index 0c3b75caf4a..47166ef5bc6 100644 >--- a/source4/dsdb/samdb/ldb_modules/acl_read.c >+++ b/source4/dsdb/samdb/ldb_modules/acl_read.c >@@ -37,20 +37,25 @@ > #include "librpc/gen_ndr/ndr_security.h" > #include "param/param.h" > #include "dsdb/samdb/ldb_modules/util.h" >+#include "lib/util/binsearch.h" > > #undef strcasecmp > >+struct ldb_attr_vec { >+ const char** attrs; >+ size_t len; >+ size_t capacity; >+}; >+ > struct aclread_context { > struct ldb_module *module; > struct ldb_request *req; >- const char * const *attrs; > const struct dsdb_schema *schema; > uint32_t sd_flags; > bool added_nTSecurityDescriptor; > bool added_instanceType; > bool added_objectSid; > bool added_objectClass; >- bool indirsync; > > bool do_list_object_initialized; > bool do_list_object; >@@ -60,6 +65,11 @@ struct aclread_context { > /* cache on the last parent we checked in this search */ > struct ldb_dn *last_parent_dn; > int last_parent_check_ret; >+ >+ bool am_administrator; >+ >+ bool got_tree_attrs; >+ struct ldb_attr_vec tree_attrs; > }; > > struct aclread_private { >@@ -68,6 +78,7 @@ struct aclread_private { > /* cache of the last SD we read during any search */ > struct security_descriptor *sd_cached; > struct ldb_val sd_cached_blob; >+ const char **password_attrs; > }; > > struct access_check_context { >@@ -77,6 +88,183 @@ struct access_check_context { > const struct dsdb_class *objectclass; > }; > >+static void acl_element_mark_access_checked(struct ldb_message_element *el) >+{ >+ el->flags |= LDB_FLAG_INTERNAL_ACCESS_CHECKED; >+} >+ >+static bool acl_element_is_access_checked(const struct ldb_message_element *el) >+{ >+ return (el->flags & LDB_FLAG_INTERNAL_ACCESS_CHECKED) != 0; >+} >+ >+static bool attr_in_vec(const struct ldb_attr_vec *vec, const char *attr) >+{ >+ const char **found = NULL; >+ >+ if (vec == NULL) { >+ return false; >+ } >+ >+ BINARY_ARRAY_SEARCH_V(vec->attrs, >+ vec->len, >+ attr, >+ ldb_attr_cmp, >+ found); >+ return found != NULL; >+} >+ >+static int acl_attr_cmp_fn(const char *a, const char **b) >+{ >+ return ldb_attr_cmp(a, *b); >+} >+ >+static int attr_vec_add_unique(TALLOC_CTX *mem_ctx, >+ struct ldb_attr_vec *vec, >+ const char *attr) >+{ >+ const char **exact = NULL; >+ const char **next = NULL; >+ size_t next_idx = 0; >+ >+ BINARY_ARRAY_SEARCH_GTE(vec->attrs, >+ vec->len, >+ attr, >+ acl_attr_cmp_fn, >+ exact, >+ next); >+ if (exact != NULL) { >+ return LDB_SUCCESS; >+ } >+ >+ if (vec->len == SIZE_MAX) { >+ return LDB_ERR_OPERATIONS_ERROR; >+ } >+ >+ if (next != NULL) { >+ next_idx = next - vec->attrs; >+ } >+ >+ if (vec->len >= vec->capacity) { >+ const char **attrs = NULL; >+ >+ if (vec->capacity == 0) { >+ vec->capacity = 4; >+ } else { >+ if (vec->capacity > SIZE_MAX / 2) { >+ return LDB_ERR_OPERATIONS_ERROR; >+ } >+ vec->capacity *= 2; >+ } >+ >+ attrs = talloc_realloc(mem_ctx, vec->attrs, const char *, vec->capacity); >+ if (attrs == NULL) { >+ return LDB_ERR_OPERATIONS_ERROR; >+ } >+ >+ vec->attrs = attrs; >+ } >+ SMB_ASSERT(vec->len < vec->capacity); >+ >+ if (next == NULL) { >+ vec->attrs[vec->len++] = attr; >+ } else { >+ size_t count = (vec->len - next_idx) * sizeof (vec->attrs[0]); >+ memmove(&vec->attrs[next_idx + 1], >+ &vec->attrs[next_idx], >+ count); >+ >+ vec->attrs[next_idx] = attr; >+ ++vec->len; >+ } >+ >+ return LDB_SUCCESS; >+} >+ >+static bool ldb_attr_always_present(const char *attr) >+{ >+ static const char * const attrs_always_present[] = { >+ "objectClass", >+ "distinguishedName", >+ "name", >+ "objectGUID", >+ NULL >+ }; >+ >+ return ldb_attr_in_list(attrs_always_present, attr); >+} >+ >+static bool ldb_attr_always_visible(const char *attr) >+{ >+ static const char * const attrs_always_visible[] = { >+ "isDeleted", >+ "isRecycled", >+ NULL >+ }; >+ >+ return ldb_attr_in_list(attrs_always_visible, attr); >+} >+ >+/* Collect a list of attributes required to match a given parse tree. */ >+static int ldb_parse_tree_collect_acl_attrs(struct ldb_module *module, >+ TALLOC_CTX *mem_ctx, >+ struct ldb_attr_vec *attrs, >+ const struct ldb_parse_tree *tree) >+{ >+ const char *attr = NULL; >+ unsigned int i; >+ int ret; >+ >+ if (tree == NULL) { >+ return 0; >+ } >+ >+ switch (tree->operation) { >+ case LDB_OP_OR: >+ case LDB_OP_AND: /* attributes stored in list of subtrees */ >+ for (i = 0; i < tree->u.list.num_elements; i++) { >+ ret = ldb_parse_tree_collect_acl_attrs(module, mem_ctx, >+ attrs, tree->u.list.elements[i]); >+ if (ret) { >+ return ret; >+ } >+ } >+ return 0; >+ >+ case LDB_OP_NOT: /* attributes stored in single subtree */ >+ return ldb_parse_tree_collect_acl_attrs(module, mem_ctx, attrs, tree->u.isnot.child); >+ >+ case LDB_OP_PRESENT: >+ /* >+ * If the search filter is checking for an attribute's presence, >+ * and the attribute is always present, we can skip access >+ * rights checks. Every object has these attributes, and so >+ * there's no security reason to hide their presence. >+ * Note: the acl.py tests (e.g. test_search1()) rely on this >+ * exception. I.e. even if we lack Read Property (RP) rights >+ * for a child object, it should still appear as a visible >+ * object in 'objectClass=*' searches, so long as we have List >+ * Contents (LC) rights for the object. >+ */ >+ if (ldb_attr_always_present(tree->u.present.attr)) { >+ /* No need to check this attribute. */ >+ return 0; >+ } >+ >+ FALL_THROUGH; >+ case LDB_OP_EQUALITY: >+ if (ldb_attr_always_visible(tree->u.present.attr)) { >+ /* No need to check this attribute. */ >+ return 0; >+ } >+ >+ FALL_THROUGH; >+ default: /* single attribute in tree */ >+ attr = ldb_parse_tree_get_attr(tree); >+ return attr_vec_add_unique(mem_ctx, attrs, attr); >+ } >+} >+ > /* > * the object has a parent, so we have to check for visibility > * >@@ -308,16 +496,11 @@ static int aclread_get_sd_from_ldb_message(struct aclread_context *ac, > } > > talloc_unlink(private_data, private_data->sd_cached_blob.data); >- if (ac->added_nTSecurityDescriptor) { >- private_data->sd_cached_blob = sd_element->values[0]; >- talloc_steal(private_data, sd_element->values[0].data); >- } else { >- private_data->sd_cached_blob = ldb_val_dup(private_data, >- &sd_element->values[0]); >- if (private_data->sd_cached_blob.data == NULL) { >- TALLOC_FREE(*sd); >- return ldb_operr(ldb); >- } >+ private_data->sd_cached_blob = ldb_val_dup(private_data, >+ &sd_element->values[0]); >+ if (private_data->sd_cached_blob.data == NULL) { >+ TALLOC_FREE(*sd); >+ return ldb_operr(ldb); > } > > talloc_unlink(private_data, private_data->sd_cached); >@@ -326,6 +509,27 @@ static int aclread_get_sd_from_ldb_message(struct aclread_context *ac, > return LDB_SUCCESS; > } > >+/* Check whether the attribute is a password attribute. */ >+static bool attr_is_secret(const char *attr, const struct aclread_private *private_data) >+{ >+ unsigned i; >+ >+ if (private_data->password_attrs == NULL) { >+ return false; >+ } >+ >+ for (i = 0; private_data->password_attrs[i] != NULL; ++i) { >+ const char *password_attr = private_data->password_attrs[i]; >+ if (ldb_attr_cmp(attr, password_attr) != 0) { >+ continue; >+ } >+ >+ return true; >+ } >+ >+ return false; >+} >+ > /* > * Returns the access mask required to read a given attribute > */ >@@ -361,62 +565,59 @@ static uint32_t get_attr_access_mask(const struct dsdb_attribute *attr, > return access_mask; > } > >-/* helper struct for traversing the attributes in the search-tree */ >-struct parse_tree_aclread_ctx { >- struct aclread_context *ac; >- TALLOC_CTX *mem_ctx; >- const struct dom_sid *sid; >- struct ldb_dn *dn; >- struct security_descriptor *sd; >- const struct dsdb_class *objectclass; >- bool suppress_result; >-}; >- > /* >- * Checks that the user has sufficient access rights to view an attribute >+ * Checks that the user has sufficient access rights to view an attribute, else >+ * marks it as inaccessible. > */ >-static int check_attr_access_rights(TALLOC_CTX *mem_ctx, const char *attr_name, >- struct aclread_context *ac, >- struct security_descriptor *sd, >- const struct dsdb_class *objectclass, >- const struct dom_sid *sid, struct ldb_dn *dn) >+static int acl_redact_attr(TALLOC_CTX *mem_ctx, >+ struct ldb_message_element *el, >+ struct aclread_context *ac, >+ const struct aclread_private *private_data, >+ const struct ldb_message *msg, >+ const struct dsdb_schema *schema, >+ const struct security_descriptor *sd, >+ const struct dom_sid *sid, >+ const struct dsdb_class *objectclass) > { > int ret; > const struct dsdb_attribute *attr = NULL; > uint32_t access_mask; > struct ldb_context *ldb = ldb_module_get_ctx(ac->module); > >- attr = dsdb_attribute_by_lDAPDisplayName(ac->schema, attr_name); >+ if (attr_is_secret(el->name, private_data)) { >+ ldb_msg_element_mark_inaccessible(el); >+ return LDB_SUCCESS; >+ } >+ >+ /* Look up the attribute in the schema. */ >+ attr = dsdb_attribute_by_lDAPDisplayName(schema, el->name); > if (!attr) { > ldb_debug_set(ldb, >- LDB_DEBUG_TRACE, >- "acl_read: %s cannot find attr[%s] in schema," >- "ignoring\n", >- ldb_dn_get_linearized(dn), attr_name); >- return LDB_SUCCESS; >+ LDB_DEBUG_FATAL, >+ "acl_read: %s cannot find attr[%s] in schema\n", >+ ldb_dn_get_linearized(msg->dn), el->name); >+ return LDB_ERR_OPERATIONS_ERROR; > } > > access_mask = get_attr_access_mask(attr, ac->sd_flags); >- >- /* the access-mask should be non-zero. Skip attribute otherwise */ > if (access_mask == 0) { > DBG_ERR("Could not determine access mask for attribute %s\n", >- attr_name); >+ el->name); >+ ldb_msg_element_mark_inaccessible(el); > return LDB_SUCCESS; > } > >+ /* We must check whether the user has rights to view the attribute. */ >+ > ret = acl_check_access_on_attribute_implicit_owner(ac->module, mem_ctx, sd, sid, > access_mask, attr, objectclass, > IMPLICIT_OWNER_READ_CONTROL_RIGHTS); >- > if (ret == LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS) { >- return ret; >- } >- >- if (ret != LDB_SUCCESS) { >+ ldb_msg_element_mark_inaccessible(el); >+ } else if (ret != LDB_SUCCESS) { > ldb_debug_set(ldb, LDB_DEBUG_FATAL, > "acl_read: %s check attr[%s] gives %s - %s\n", >- ldb_dn_get_linearized(dn), attr_name, >+ ldb_dn_get_linearized(msg->dn), el->name, > ldb_strerror(ret), ldb_errstring(ldb)); > return ret; > } >@@ -424,38 +625,6 @@ static int check_attr_access_rights(TALLOC_CTX *mem_ctx, const char *attr_name, > return LDB_SUCCESS; > } > >-/* >- * Returns the attribute name for this particular level of a search operation >- * parse-tree. >- */ >-static const char * parse_tree_get_attr(struct ldb_parse_tree *tree) >-{ >- const char *attr = NULL; >- >- switch (tree->operation) { >- case LDB_OP_EQUALITY: >- case LDB_OP_GREATER: >- case LDB_OP_LESS: >- case LDB_OP_APPROX: >- attr = tree->u.equality.attr; >- break; >- case LDB_OP_SUBSTRING: >- attr = tree->u.substring.attr; >- break; >- case LDB_OP_PRESENT: >- attr = tree->u.present.attr; >- break; >- case LDB_OP_EXTENDED: >- attr = tree->u.extended.attr; >- break; >- >- /* we'll check LDB_OP_AND/_OR/_NOT children later on in the walk */ >- default: >- break; >- } >- return attr; >-} >- > static int setup_access_check_context(struct aclread_context *ac, > const struct ldb_message *msg, > struct access_check_context *ctx) >@@ -519,103 +688,6 @@ static int setup_access_check_context(struct aclread_context *ac, > return LDB_SUCCESS; > } > >-/* >- * Checks a single attribute in the search parse-tree to make sure the user has >- * sufficient rights to view it. >- */ >-static int parse_tree_check_attr_access(struct ldb_parse_tree *tree, >- void *private_context) >-{ >- struct parse_tree_aclread_ctx *ctx = NULL; >- const char *attr_name = NULL; >- int ret; >- static const char * const attrs_always_present[] = { >- "objectClass", >- "distinguishedName", >- "name", >- "objectGUID", >- NULL >- }; >- >- ctx = (struct parse_tree_aclread_ctx *)private_context; >- >- /* >- * we can skip any further checking if we already know that this object >- * shouldn't be visible in this user's search >- */ >- if (ctx->suppress_result) { >- return LDB_SUCCESS; >- } >- >- /* skip this level of the search-tree if it has no attribute to check */ >- attr_name = parse_tree_get_attr(tree); >- if (attr_name == NULL) { >- return LDB_SUCCESS; >- } >- >- /* >- * If the search filter is checking for an attribute's presence, and the >- * attribute is always present, we can skip access rights checks. Every >- * object has these attributes, and so there's no security reason to >- * hide their presence. >- * Note: the acl.py tests (e.g. test_search1()) rely on this exception. >- * I.e. even if we lack Read Property (RP) rights for a child object, it >- * should still appear as a visible object in 'objectClass=*' searches, >- * so long as we have List Contents (LC) rights for the object. >- */ >- if (tree->operation == LDB_OP_PRESENT && >- is_attr_in_list(attrs_always_present, attr_name)) { >- return LDB_SUCCESS; >- } >- >- ret = check_attr_access_rights(ctx->mem_ctx, attr_name, ctx->ac, >- ctx->sd, ctx->objectclass, ctx->sid, >- ctx->dn); >- >- /* >- * if the user does not have the rights to view this attribute, then we >- * should not return the object as a search result, i.e. act as if the >- * object doesn't exist (for this particular user, at least) >- */ >- if (ret == LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS) { >- ctx->suppress_result = true; >- return LDB_SUCCESS; >- } >- >- return ret; >-} >- >-/* >- * Traverse the search-tree to check that the user has sufficient access rights >- * to view all the attributes. >- */ >-static int check_search_ops_access(struct aclread_context *ac, >- TALLOC_CTX *mem_ctx, >- struct security_descriptor *sd, >- const struct dsdb_class *objectclass, >- const struct dom_sid *sid, struct ldb_dn *dn, >- bool *suppress_result) >-{ >- int ret; >- struct parse_tree_aclread_ctx ctx = { 0 }; >- struct ldb_parse_tree *tree = ac->req->op.search.tree; >- >- ctx.ac = ac; >- ctx.mem_ctx = mem_ctx; >- ctx.suppress_result = false; >- ctx.sid = sid; >- ctx.dn = dn; >- ctx.sd = sd; >- ctx.objectclass = objectclass; >- >- /* walk the search tree, checking each attribute as we go */ >- ret = ldb_parse_tree_walk(tree, parse_tree_check_attr_access, &ctx); >- >- /* return whether this search result should be hidden to this user */ >- *suppress_result = ctx.suppress_result; >- return ret; >-} >- > /* > * Whether this attribute was added to perform access checks and must be > * removed. >@@ -651,17 +723,14 @@ static bool should_remove_attr(const char *attr, const struct aclread_context *a > > static int aclread_callback(struct ldb_request *req, struct ldb_reply *ares) > { >- struct ldb_context *ldb; > struct aclread_context *ac; >+ struct aclread_private *private_data = NULL; > struct ldb_message *msg; > int ret; > unsigned int i; > struct access_check_context acl_ctx; >- TALLOC_CTX *tmp_ctx; >- bool suppress_result = false; > > ac = talloc_get_type_abort(req->context, struct aclread_context); >- ldb = ldb_module_get_ctx(ac->module); > if (!ares) { > return ldb_module_done(ac->req, NULL, NULL, LDB_ERR_OPERATIONS_ERROR ); > } >@@ -669,14 +738,9 @@ static int aclread_callback(struct ldb_request *req, struct ldb_reply *ares) > return ldb_module_done(ac->req, ares->controls, > ares->response, ares->error); > } >- tmp_ctx = talloc_new(ac); > switch (ares->type) { > case LDB_REPLY_ENTRY: > msg = ares->message; >- ret = setup_access_check_context(ac, msg, &acl_ctx); >- if (ret != LDB_SUCCESS) { >- return ret; >- } > > if (!ldb_dn_is_null(msg->dn)) { > /* >@@ -685,133 +749,88 @@ static int aclread_callback(struct ldb_request *req, struct ldb_reply *ares) > */ > ret = aclread_check_object_visible(ac, msg, req); > if (ret == LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS) { >- talloc_free(tmp_ctx); > return LDB_SUCCESS; > } else if (ret != LDB_SUCCESS) { >+ struct ldb_context *ldb = ldb_module_get_ctx(ac->module); > ldb_debug_set(ldb, LDB_DEBUG_FATAL, > "acl_read: %s check parent %s - %s\n", > ldb_dn_get_linearized(msg->dn), > ldb_strerror(ret), > ldb_errstring(ldb)); >- goto fail; >+ return ldb_module_done(ac->req, NULL, NULL, ret); > } > } > > /* for every element in the message check RP */ >- for (i=0; i < msg->num_elements; i++) { >- const struct dsdb_attribute *attr; >- uint32_t access_mask; >- attr = dsdb_attribute_by_lDAPDisplayName(ac->schema, >- msg->elements[i].name); >- if (!attr) { >- ldb_debug_set(ldb, LDB_DEBUG_FATAL, >- "acl_read: %s cannot find attr[%s] in of schema\n", >- ldb_dn_get_linearized(msg->dn), >- msg->elements[i].name); >- ret = LDB_ERR_OPERATIONS_ERROR; >- goto fail; >- } >+ for (i = 0; i < msg->num_elements; ++i) { >+ struct ldb_message_element *el = &msg->elements[i]; >+ > /* Remove attributes added to perform access checks. */ >- if (should_remove_attr(msg->elements[i].name, ac)) { >- ldb_msg_element_mark_inaccessible(&msg->elements[i]); >+ if (should_remove_attr(el->name, ac)) { >+ ldb_msg_element_mark_inaccessible(el); > continue; > } > >- access_mask = get_attr_access_mask(attr, ac->sd_flags); >- >- if (access_mask == 0) { >- ldb_msg_element_mark_inaccessible(&msg->elements[i]); >+ if (acl_element_is_access_checked(el)) { >+ /* We will have already checked this attribute. */ > continue; > } > >- ret = acl_check_access_on_attribute_implicit_owner(ac->module, >- tmp_ctx, >- acl_ctx.sd, >- acl_ctx.sid, >- access_mask, >- attr, >- acl_ctx.objectclass, >- IMPLICIT_OWNER_READ_CONTROL_RIGHTS); >- > /* >- * Dirsync control needs the replpropertymetadata attribute >- * so return it as it will be removed by the control >- * in anycase. >+ * We need to fetch the security descriptor to check >+ * this attribute. > */ >- if (ret == LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS) { >- bool in_search_filter; >- >- /* check if attr is part of the search filter */ >- in_search_filter = dsdb_attr_in_parse_tree(ac->req->op.search.tree, >- msg->elements[i].name); >- >- if (in_search_filter) { >- >- /* >- * We are doing dirysnc answers >- * and the object shouldn't be returned (normally) >- * but we will return it without replPropertyMetaData >- * so that the dirysync module will do what is needed >- * (remove the object if it is not deleted, or return >- * just the objectGUID if it's deleted). >- */ >- if (ac->indirsync) { >- ldb_msg_remove_attr(msg, "replPropertyMetaData"); >- break; >- } else { >- >- /* do not return this entry */ >- talloc_free(tmp_ctx); >- return LDB_SUCCESS; >- } >- } else { >- ldb_msg_element_mark_inaccessible(&msg->elements[i]); >- } >- } else if (ret != LDB_SUCCESS) { >- ldb_debug_set(ldb, LDB_DEBUG_FATAL, >- "acl_read: %s check attr[%s] gives %s - %s\n", >- ldb_dn_get_linearized(msg->dn), >- msg->elements[i].name, >- ldb_strerror(ret), >- ldb_errstring(ldb)); >- goto fail; >- } >+ break; > } > >- /* >- * check access rights for the search attributes, as well as the >- * attribute values actually being returned >- */ >- ret = check_search_ops_access(ac, tmp_ctx, acl_ctx.sd, acl_ctx.objectclass, acl_ctx.sid, >- msg->dn, &suppress_result); >+ if (i == msg->num_elements) { >+ /* All elements have been checked. */ >+ goto reply_entry_done; >+ } >+ >+ ret = setup_access_check_context(ac, msg, &acl_ctx); > if (ret != LDB_SUCCESS) { >- ldb_debug_set(ldb, LDB_DEBUG_FATAL, >- "acl_read: %s check search ops %s - %s\n", >- ldb_dn_get_linearized(msg->dn), >- ldb_strerror(ret), ldb_errstring(ldb)); >- goto fail; >+ return ret; > } > >- if (suppress_result) { >+ private_data = talloc_get_type_abort(ldb_module_get_private(ac->module), >+ struct aclread_private); >+ >+ for (/* begin where we left off */; i < msg->num_elements; ++i) { >+ struct ldb_message_element *el = &msg->elements[i]; >+ >+ /* Remove attributes added to perform access checks. */ >+ if (should_remove_attr(el->name, ac)) { >+ ldb_msg_element_mark_inaccessible(el); >+ continue; >+ } >+ >+ if (acl_element_is_access_checked(el)) { >+ /* We will have already checked this attribute. */ >+ continue; >+ } > > /* >- * As per the above logic, we strip replPropertyMetaData >- * out of the msg so that the dirysync module will do >- * what is needed (return just the objectGUID if it's, >- * deleted, or remove the object if it is not). >+ * We need to check whether the attribute is secret, >+ * confidential, or access-controlled. > */ >- if (ac->indirsync) { >- ldb_msg_remove_attr(msg, "replPropertyMetaData"); >- } else { >- talloc_free(tmp_ctx); >- return LDB_SUCCESS; >+ ret = acl_redact_attr(ac, >+ el, >+ ac, >+ private_data, >+ msg, >+ ac->schema, >+ acl_ctx.sd, >+ acl_ctx.sid, >+ acl_ctx.objectclass); >+ if (ret != LDB_SUCCESS) { >+ return ldb_module_done(ac->req, NULL, NULL, ret); > } > } > >+ reply_entry_done: > ldb_msg_remove_inaccessible(msg); > >- talloc_free(tmp_ctx); >- > ac->num_entries++; > return ldb_module_send_entry(ac->req, msg, ares->controls); > case LDB_REPLY_REFERRAL: >@@ -832,9 +851,6 @@ static int aclread_callback(struct ldb_request *req, struct ldb_reply *ares) > > } > return LDB_SUCCESS; >-fail: >- talloc_free(tmp_ctx); >- return ldb_module_done(ac->req, NULL, NULL, ret); > } > > >@@ -845,7 +861,6 @@ static int aclread_search(struct ldb_module *module, struct ldb_request *req) > struct aclread_context *ac; > struct ldb_request *down_req; > struct ldb_control *as_system = ldb_request_get_control(req, LDB_CONTROL_AS_SYSTEM_OID); >- uint32_t flags = ldb_req_get_custom_flags(req); > struct ldb_result *res; > struct aclread_private *p; > bool need_sd = false; >@@ -880,15 +895,6 @@ static int aclread_search(struct ldb_module *module, struct ldb_request *req) > } > ac->module = module; > ac->req = req; >- ac->schema = dsdb_get_schema(ldb, req); >- if (flags & DSDB_ACL_CHECKS_DIRSYNC_FLAG) { >- ac->indirsync = true; >- } else { >- ac->indirsync = false; >- } >- if (!ac->schema) { >- return ldb_operr(ldb); >- } > > attrs = req->op.search.attrs; > if (attrs == NULL) { >@@ -945,7 +951,7 @@ static int aclread_search(struct ldb_module *module, struct ldb_request *req) > ac->added_nTSecurityDescriptor = true; > } > >- ac->attrs = req->op.search.attrs; >+ ac->am_administrator = dsdb_module_am_administrator(module); > > /* check accessibility of base */ > if (!ldb_dn_is_null(req->op.search.base)) { >@@ -989,19 +995,270 @@ static int aclread_search(struct ldb_module *module, struct ldb_request *req) > return LDB_ERR_OPERATIONS_ERROR; > } > >+ /* >+ * We provide 'ac' as the control value, which is then used by the >+ * callback to avoid double-work. >+ */ >+ ret = ldb_request_add_control(down_req, DSDB_CONTROL_ACL_READ_OID, false, ac); >+ if (ret != LDB_SUCCESS) { >+ return ldb_error(ldb, ret, >+ "acl_read: Error adding acl_read control."); >+ } >+ > return ldb_next_request(module, down_req); > } > >+/* >+ * Here we mark inaccessible attributes known to be looked for in the >+ * filter. This only redacts attributes found in the search expression. If any >+ * extended attribute match rules examine different attributes without their own >+ * access control checks, a security bypass is possible. >+ */ >+static int acl_redact_msg_for_filter(struct ldb_module *module, struct ldb_request *req, struct ldb_message *msg) >+{ >+ struct ldb_context *ldb = ldb_module_get_ctx(module); >+ const struct aclread_private *private_data = NULL; >+ struct ldb_control *control = NULL; >+ struct aclread_context *ac = NULL; >+ struct access_check_context acl_ctx; >+ int ret; >+ unsigned i; >+ >+ /* >+ * The private data contains a list of attributes which are to be >+ * considered secret. >+ */ >+ private_data = talloc_get_type(ldb_module_get_private(module), struct aclread_private); >+ if (private_data == NULL) { >+ return ldb_error(ldb, LDB_ERR_OPERATIONS_ERROR, >+ "aclread_private data is missing"); >+ } >+ if (!private_data->enabled) { >+ return LDB_SUCCESS; >+ } >+ >+ control = ldb_request_get_control(req, DSDB_CONTROL_ACL_READ_OID); >+ if (control == NULL) { >+ /* >+ * We've bypassed the acl_read module for this request, and >+ * should skip redaction in this case. >+ */ >+ return LDB_SUCCESS; >+ } >+ >+ ac = talloc_get_type_abort(control->data, struct aclread_context); >+ >+ if (!ac->got_tree_attrs) { >+ ret = ldb_parse_tree_collect_acl_attrs(module, ac, &ac->tree_attrs, req->op.search.tree); >+ if (ret != LDB_SUCCESS) { >+ return ret; >+ } >+ ac->got_tree_attrs = true; >+ } >+ >+ for (i = 0; i < msg->num_elements; ++i) { >+ struct ldb_message_element *el = &msg->elements[i]; >+ >+ /* Is the attribute mentioned in the search expression? */ >+ if (attr_in_vec(&ac->tree_attrs, el->name)) { >+ /* >+ * We need to fetch the security descriptor to check >+ * this element. >+ */ >+ break; >+ } >+ >+ /* >+ * This attribute is not in the search filter, so we can leave >+ * handling it till aclread_callback(), by which time we know >+ * this object is a match. This saves work checking ACLs if the >+ * search is unindexed and most objects don't match the filter. >+ */ >+ } >+ >+ if (i == msg->num_elements) { >+ /* All elements have been checked. */ >+ return LDB_SUCCESS; >+ } >+ >+ ret = setup_access_check_context(ac, msg, &acl_ctx); >+ if (ret != LDB_SUCCESS) { >+ return ret; >+ } >+ >+ /* For every element in the message and the parse tree, check RP. */ >+ >+ for (/* begin where we left off */; i < msg->num_elements; ++i) { >+ struct ldb_message_element *el = &msg->elements[i]; >+ >+ /* Is the attribute mentioned in the search expression? */ >+ if (!attr_in_vec(&ac->tree_attrs, el->name)) { >+ /* >+ * If not, leave it for later and check the next >+ * attribute. >+ */ >+ continue; >+ } >+ >+ /* >+ * We need to check whether the attribute is secret, >+ * confidential, or access-controlled. >+ */ >+ ret = acl_redact_attr(ac, >+ el, >+ ac, >+ private_data, >+ msg, >+ ac->schema, >+ acl_ctx.sd, >+ acl_ctx.sid, >+ acl_ctx.objectclass); >+ if (ret != LDB_SUCCESS) { >+ return ret; >+ } >+ >+ acl_element_mark_access_checked(el); >+ } >+ >+ return LDB_SUCCESS; >+} >+ > static int aclread_init(struct ldb_module *module) > { > struct ldb_context *ldb = ldb_module_get_ctx(module); >+ unsigned int i, n, j; >+ TALLOC_CTX *mem_ctx = NULL; >+ int ret; >+ bool userPassword_support; >+ static const char * const attrs[] = { "passwordAttribute", NULL }; >+ static const char * const secret_attrs[] = { >+ DSDB_SECRET_ATTRIBUTES >+ }; >+ struct ldb_result *res; >+ struct ldb_message *msg; >+ struct ldb_message_element *password_attributes; > struct aclread_private *p = talloc_zero(module, struct aclread_private); > if (p == NULL) { > return ldb_module_oom(module); > } > p->enabled = lpcfg_parm_bool(ldb_get_opaque(ldb, "loadparm"), NULL, "acl", "search", true); >+ >+ ret = ldb_mod_register_control(module, LDB_CONTROL_SD_FLAGS_OID); >+ if (ret != LDB_SUCCESS) { >+ ldb_debug(ldb, LDB_DEBUG_ERROR, >+ "acl_module_init: Unable to register sd_flags control with rootdse!\n"); >+ return ldb_operr(ldb); >+ } >+ > ldb_module_set_private(module, p); >- return ldb_next_init(module); >+ >+ mem_ctx = talloc_new(module); >+ if (!mem_ctx) { >+ return ldb_oom(ldb); >+ } >+ >+ ret = dsdb_module_search_dn(module, mem_ctx, &res, >+ ldb_dn_new(mem_ctx, ldb, "@KLUDGEACL"), >+ attrs, >+ DSDB_FLAG_NEXT_MODULE | >+ DSDB_FLAG_AS_SYSTEM, >+ NULL); >+ if (ret != LDB_SUCCESS) { >+ goto done; >+ } >+ if (res->count == 0) { >+ goto done; >+ } >+ >+ if (res->count > 1) { >+ talloc_free(mem_ctx); >+ return LDB_ERR_CONSTRAINT_VIOLATION; >+ } >+ >+ msg = res->msgs[0]; >+ >+ password_attributes = ldb_msg_find_element(msg, "passwordAttribute"); >+ if (!password_attributes) { >+ goto done; >+ } >+ p->password_attrs = talloc_array(p, const char *, >+ password_attributes->num_values + >+ ARRAY_SIZE(secret_attrs) + 1); >+ if (!p->password_attrs) { >+ talloc_free(mem_ctx); >+ return ldb_oom(ldb); >+ } >+ >+ n = 0; >+ for (i=0; i < password_attributes->num_values; i++) { >+ p->password_attrs[n] = (const char *)password_attributes->values[i].data; >+ talloc_steal(p->password_attrs, password_attributes->values[i].data); >+ n++; >+ } >+ >+ for (i=0; i < ARRAY_SIZE(secret_attrs); i++) { >+ bool found = false; >+ >+ for (j=0; j < n; j++) { >+ if (strcasecmp(p->password_attrs[j], secret_attrs[i]) == 0) { >+ found = true; >+ break; >+ } >+ } >+ >+ if (found) { >+ continue; >+ } >+ >+ p->password_attrs[n] = talloc_strdup(p->password_attrs, >+ secret_attrs[i]); >+ if (p->password_attrs[n] == NULL) { >+ talloc_free(mem_ctx); >+ return ldb_oom(ldb); >+ } >+ n++; >+ } >+ p->password_attrs[n] = NULL; >+ >+ ret = ldb_register_redact_callback(ldb, acl_redact_msg_for_filter, module); >+ if (ret != LDB_SUCCESS) { >+ return ret; >+ } >+ >+done: >+ talloc_free(mem_ctx); >+ ret = ldb_next_init(module); >+ >+ if (ret != LDB_SUCCESS) { >+ return ret; >+ } >+ >+ if (p->password_attrs != NULL) { >+ /* >+ * Check this after the modules have be initialised so we can >+ * actually read the backend DB. >+ */ >+ userPassword_support = dsdb_user_password_support(module, >+ module, >+ NULL); >+ if (!userPassword_support) { >+ /* >+ * Remove the userPassword attribute, as it is not >+ * considered secret. >+ */ >+ for (i = 0; p->password_attrs[i] != NULL; ++i) { >+ if (ldb_attr_cmp(p->password_attrs[i], "userPassword") == 0) { >+ break; >+ } >+ } >+ >+ /* Shift following elements backwards by one. */ >+ for (; p->password_attrs[i] != NULL; ++i) { >+ p->password_attrs[i] = p->password_attrs[i + 1]; >+ } >+ } >+ } >+ return ret; > } > > static const struct ldb_module_ops ldb_aclread_module_ops = { >diff --git a/source4/dsdb/samdb/samdb.h b/source4/dsdb/samdb/samdb.h >index d76cbeba841..661edf0a8c7 100644 >--- a/source4/dsdb/samdb/samdb.h >+++ b/source4/dsdb/samdb/samdb.h >@@ -245,6 +245,8 @@ struct dsdb_control_calculated_default_sd { > bool specified_sacl:1; > }; > >+#define DSDB_CONTROL_ACL_READ_OID "1.3.6.1.4.1.7165.4.3.37" >+ > #define DSDB_EXTENDED_REPLICATED_OBJECTS_OID "1.3.6.1.4.1.7165.4.4.1" > struct dsdb_extended_replicated_object { > struct ldb_message *msg; >diff --git a/source4/dsdb/tests/python/confidential_attr.py b/source4/dsdb/tests/python/confidential_attr.py >index 031c9690ba6..6889d5a5560 100755 >--- a/source4/dsdb/tests/python/confidential_attr.py >+++ b/source4/dsdb/tests/python/confidential_attr.py >@@ -490,7 +490,7 @@ class ConfidentialAttrTest(ConfidentialAttrCommon): > self.make_attr_confidential() > > self.assert_conf_attr_searches(has_rights_to=0) >- dc_mode = self.guess_dc_mode() >+ dc_mode = DC_MODE_RETURN_ALL > self.assert_negative_searches(has_rights_to=0, dc_mode=dc_mode) > self.assert_attr_visible(expect_attr=False) > >@@ -503,7 +503,7 @@ class ConfidentialAttrTest(ConfidentialAttrCommon): > self.make_attr_confidential() > > self.assert_conf_attr_searches(has_rights_to=0) >- dc_mode = self.guess_dc_mode() >+ dc_mode = DC_MODE_RETURN_ALL > self.assert_negative_searches(has_rights_to=0, dc_mode=dc_mode) > self.assert_attr_visible(expect_attr=False) > >@@ -566,7 +566,7 @@ class ConfidentialAttrTest(ConfidentialAttrCommon): > self.make_attr_confidential() > > self.assert_conf_attr_searches(has_rights_to=0) >- dc_mode = self.guess_dc_mode() >+ dc_mode = DC_MODE_RETURN_ALL > self.assert_negative_searches(has_rights_to=0, dc_mode=dc_mode) > self.assert_attr_visible(expect_attr=False) > >@@ -741,7 +741,7 @@ class ConfidentialAttrTestDenyAcl(ConfidentialAttrCommon): > > # the user shouldn't be able to see the attribute anymore > self.assert_conf_attr_searches(has_rights_to="deny-one") >- dc_mode = self.guess_dc_mode() >+ dc_mode = DC_MODE_RETURN_ALL > self.assert_negative_searches(has_rights_to="deny-one", > dc_mode=dc_mode) > self.assert_attr_visible(expect_attr=False) >@@ -917,7 +917,7 @@ class ConfidentialAttrTestDirsync(ConfidentialAttrCommon): > > self.assert_conf_attr_searches(has_rights_to=0) > self.assert_attr_visible(expect_attr=False) >- dc_mode = self.guess_dc_mode() >+ dc_mode = DC_MODE_RETURN_ALL > self.assert_negative_searches(has_rights_to=0, dc_mode=dc_mode) > > # as a final sanity-check, make sure the admin can still see the attr >@@ -1012,7 +1012,7 @@ class ConfidentialAttrTestDirsync(ConfidentialAttrCommon): > # check we can't see the objects now, even with using dirsync controls > self.assert_conf_attr_searches(has_rights_to=0) > self.assert_attr_visible(expect_attr=False) >- dc_mode = self.guess_dc_mode() >+ dc_mode = DC_MODE_RETURN_ALL > self.assert_negative_searches(has_rights_to=0, dc_mode=dc_mode) > > # now delete the users (except for the user whose LDB connection >diff --git a/source4/setup/schema_samba4.ldif b/source4/setup/schema_samba4.ldif >index 91f8c640954..0a7f0649c7e 100644 >--- a/source4/setup/schema_samba4.ldif >+++ b/source4/setup/schema_samba4.ldif >@@ -234,6 +234,7 @@ > #Allocated: DSDB_CONTROL_TRANSACTION_IDENTIFIER_OID 1.3.6.1.4.1.7165.4.3.34 > #Allocated: DSDB_CONTROL_FORCE_ALLOW_VALIDATED_DNS_HOSTNAME_SPN_WRITE_OID 1.3.6.1.4.1.7165.4.3.35 > #Allocated: DSDB_CONTROL_CALCULATED_DEFAULT_SD_OID 1.3.6.1.4.1.7165.4.3.36 >+#Allocated: DSDB_CONTROL_ACL_READ_OID 1.3.6.1.4.1.7165.4.3.37 > > > # Extended 1.3.6.1.4.1.7165.4.4.x >-- >2.25.1 > > >From b6d28b2194fd64d0c09f3abb29f28fd6b16d5e04 Mon Sep 17 00:00:00 2001 >From: Joseph Sutton <josephsutton@catalyst.net.nz> >Date: Mon, 27 Feb 2023 13:31:44 +1300 >Subject: [PATCH 27/39] CVE-2023-0614 s4-acl: Avoid calling > dsdb_module_am_system() if we can help it > >If the AS_SYSTEM control is present, we know we have system privileges, >and have no need to call dsdb_module_am_system(). > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270 > >Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> >Reviewed-by: Andrew Bartlett <abartlet@samba.org> >--- > source4/dsdb/samdb/ldb_modules/acl_read.c | 11 ++++++++--- > 1 file changed, 8 insertions(+), 3 deletions(-) > >diff --git a/source4/dsdb/samdb/ldb_modules/acl_read.c b/source4/dsdb/samdb/ldb_modules/acl_read.c >index 47166ef5bc6..2004aa20e73 100644 >--- a/source4/dsdb/samdb/ldb_modules/acl_read.c >+++ b/source4/dsdb/samdb/ldb_modules/acl_read.c >@@ -860,7 +860,7 @@ static int aclread_search(struct ldb_module *module, struct ldb_request *req) > int ret; > struct aclread_context *ac; > struct ldb_request *down_req; >- struct ldb_control *as_system = ldb_request_get_control(req, LDB_CONTROL_AS_SYSTEM_OID); >+ bool am_system; > struct ldb_result *res; > struct aclread_private *p; > bool need_sd = false; >@@ -877,11 +877,16 @@ static int aclread_search(struct ldb_module *module, struct ldb_request *req) > ldb = ldb_module_get_ctx(module); > p = talloc_get_type(ldb_module_get_private(module), struct aclread_private); > >+ am_system = ldb_request_get_control(req, LDB_CONTROL_AS_SYSTEM_OID) != NULL; >+ if (!am_system) { >+ am_system = dsdb_module_am_system(module); >+ } >+ > /* skip access checks if we are system or system control is supplied > * or this is not LDAP server request */ > if (!p || !p->enabled || >- dsdb_module_am_system(module) >- || as_system || !is_untrusted) { >+ am_system || >+ !is_untrusted) { > return ldb_next_request(module, req); > } > /* no checks on special dn */ >-- >2.25.1 > > >From 6f23da7d6f49af5fc1dcb8beb8cb5dcd35e94a09 Mon Sep 17 00:00:00 2001 >From: Joseph Sutton <josephsutton@catalyst.net.nz> >Date: Thu, 16 Feb 2023 12:35:34 +1300 >Subject: [PATCH 28/39] CVE-2023-0614 ldb: Use binary search to check whether > attribute is secret > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270 > >Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> >Reviewed-by: Andrew Bartlett <abartlet@samba.org> >--- > source4/dsdb/samdb/ldb_modules/acl_read.c | 56 ++++++++++++++--------- > 1 file changed, 35 insertions(+), 21 deletions(-) > >diff --git a/source4/dsdb/samdb/ldb_modules/acl_read.c b/source4/dsdb/samdb/ldb_modules/acl_read.c >index 2004aa20e73..a4645cebcb3 100644 >--- a/source4/dsdb/samdb/ldb_modules/acl_read.c >+++ b/source4/dsdb/samdb/ldb_modules/acl_read.c >@@ -79,6 +79,7 @@ struct aclread_private { > struct security_descriptor *sd_cached; > struct ldb_val sd_cached_blob; > const char **password_attrs; >+ size_t num_password_attrs; > }; > > struct access_check_context { >@@ -512,22 +513,18 @@ static int aclread_get_sd_from_ldb_message(struct aclread_context *ac, > /* Check whether the attribute is a password attribute. */ > static bool attr_is_secret(const char *attr, const struct aclread_private *private_data) > { >- unsigned i; >+ const char **found = NULL; > > if (private_data->password_attrs == NULL) { > return false; > } > >- for (i = 0; private_data->password_attrs[i] != NULL; ++i) { >- const char *password_attr = private_data->password_attrs[i]; >- if (ldb_attr_cmp(attr, password_attr) != 0) { >- continue; >- } >- >- return true; >- } >- >- return false; >+ BINARY_ARRAY_SEARCH_V(private_data->password_attrs, >+ private_data->num_password_attrs, >+ attr, >+ ldb_attr_cmp, >+ found); >+ return found != NULL; > } > > /* >@@ -1128,6 +1125,14 @@ static int acl_redact_msg_for_filter(struct ldb_module *module, struct ldb_reque > return LDB_SUCCESS; > } > >+static int ldb_attr_cmp_fn(const void *_a, const void *_b) >+{ >+ const char * const *a = _a; >+ const char * const *b = _b; >+ >+ return ldb_attr_cmp(*a, *b); >+} >+ > static int aclread_init(struct ldb_module *module) > { > struct ldb_context *ldb = ldb_module_get_ctx(module); >@@ -1188,7 +1193,7 @@ static int aclread_init(struct ldb_module *module) > } > p->password_attrs = talloc_array(p, const char *, > password_attributes->num_values + >- ARRAY_SIZE(secret_attrs) + 1); >+ ARRAY_SIZE(secret_attrs)); > if (!p->password_attrs) { > talloc_free(mem_ctx); > return ldb_oom(ldb); >@@ -1223,7 +1228,10 @@ static int aclread_init(struct ldb_module *module) > } > n++; > } >- p->password_attrs[n] = NULL; >+ p->num_password_attrs = n; >+ >+ /* Sort the password attributes so we can use binary search. */ >+ TYPESAFE_QSORT(p->password_attrs, p->num_password_attrs, ldb_attr_cmp_fn); > > ret = ldb_register_redact_callback(ldb, acl_redact_msg_for_filter, module); > if (ret != LDB_SUCCESS) { >@@ -1247,19 +1255,25 @@ done: > module, > NULL); > if (!userPassword_support) { >+ const char **found = NULL; >+ > /* > * Remove the userPassword attribute, as it is not > * considered secret. > */ >- for (i = 0; p->password_attrs[i] != NULL; ++i) { >- if (ldb_attr_cmp(p->password_attrs[i], "userPassword") == 0) { >- break; >+ BINARY_ARRAY_SEARCH_V(p->password_attrs, >+ p->num_password_attrs, >+ "userPassword", >+ ldb_attr_cmp, >+ found); >+ if (found != NULL) { >+ size_t found_idx = found - p->password_attrs; >+ >+ /* Shift following elements backwards by one. */ >+ for (i = found_idx; i < p->num_password_attrs - 1; ++i) { >+ p->password_attrs[i] = p->password_attrs[i + 1]; > } >- } >- >- /* Shift following elements backwards by one. */ >- for (; p->password_attrs[i] != NULL; ++i) { >- p->password_attrs[i] = p->password_attrs[i + 1]; >+ --p->num_password_attrs; > } > } > } >-- >2.25.1 > > >From 6fb392510f98169b67386826cb554cfd087e0036 Mon Sep 17 00:00:00 2001 >From: Joseph Sutton <josephsutton@catalyst.net.nz> >Date: Tue, 14 Feb 2023 13:17:24 +1300 >Subject: [PATCH 29/39] CVE-2023-0614 ldb: Centralise checking for inaccessible > matches > >This makes it less likely that we forget to handle a case. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270 > >Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> >Reviewed-by: Andrew Bartlett <abartlet@samba.org> >--- > lib/ldb-samba/ldb_matching_rules.c | 5 --- > lib/ldb/common/ldb_match.c | 56 +++++++++++++++++------------- > 2 files changed, 31 insertions(+), 30 deletions(-) > >diff --git a/lib/ldb-samba/ldb_matching_rules.c b/lib/ldb-samba/ldb_matching_rules.c >index 0c4c31e49f9..b86594c1823 100644 >--- a/lib/ldb-samba/ldb_matching_rules.c >+++ b/lib/ldb-samba/ldb_matching_rules.c >@@ -87,11 +87,6 @@ static int ldb_eval_transitive_filter_helper(TALLOC_CTX *mem_ctx, > return LDB_SUCCESS; > } > >- if (ldb_msg_element_is_inaccessible(el)) { >- *matched = false; >- return LDB_SUCCESS; >- } >- > /* > * If the value to match is present in the attribute values of the > * current entry being visited, set matched to true and return OK >diff --git a/lib/ldb/common/ldb_match.c b/lib/ldb/common/ldb_match.c >index 17314f1b9ca..645cb695ef1 100644 >--- a/lib/ldb/common/ldb_match.c >+++ b/lib/ldb/common/ldb_match.c >@@ -98,11 +98,6 @@ static int ldb_match_present(struct ldb_context *ldb, > return LDB_SUCCESS; > } > >- if (ldb_msg_element_is_inaccessible(el)) { >- *matched = false; >- return LDB_SUCCESS; >- } >- > a = ldb_schema_attribute_by_name(ldb, el->name); > if (!a) { > return LDB_ERR_INVALID_ATTRIBUTE_SYNTAX; >@@ -144,11 +139,6 @@ static int ldb_match_comparison(struct ldb_context *ldb, > return LDB_SUCCESS; > } > >- if (ldb_msg_element_is_inaccessible(el)) { >- *matched = false; >- return LDB_SUCCESS; >- } >- > a = ldb_schema_attribute_by_name(ldb, el->name); > if (!a) { > return LDB_ERR_INVALID_ATTRIBUTE_SYNTAX; >@@ -219,11 +209,6 @@ static int ldb_match_equality(struct ldb_context *ldb, > return LDB_SUCCESS; > } > >- if (ldb_msg_element_is_inaccessible(el)) { >- *matched = false; >- return LDB_SUCCESS; >- } >- > a = ldb_schema_attribute_by_name(ldb, el->name); > if (a == NULL) { > return LDB_ERR_INVALID_ATTRIBUTE_SYNTAX; >@@ -385,11 +370,6 @@ static int ldb_match_substring(struct ldb_context *ldb, > return LDB_SUCCESS; > } > >- if (ldb_msg_element_is_inaccessible(el)) { >- *matched = false; >- return LDB_SUCCESS; >- } >- > for (i = 0; i < el->num_values; i++) { > int ret; > ret = ldb_wildcard_compare(ldb, tree, el->values[i], matched); >@@ -463,11 +443,6 @@ static int ldb_match_bitmask(struct ldb_context *ldb, > return LDB_SUCCESS; > } > >- if (ldb_msg_element_is_inaccessible(el)) { >- *matched = false; >- return LDB_SUCCESS; >- } >- > for (i=0;i<el->num_values;i++) { > int ret; > struct ldb_val *v = &el->values[i]; >@@ -556,6 +531,26 @@ static int ldb_match_extended(struct ldb_context *ldb, > &tree->u.extended.value, matched); > } > >+static bool ldb_must_suppress_match(const struct ldb_message *msg, >+ const struct ldb_parse_tree *tree) >+{ >+ const char *attr = NULL; >+ struct ldb_message_element *el = NULL; >+ >+ attr = ldb_parse_tree_get_attr(tree); >+ if (attr == NULL) { >+ return false; >+ } >+ >+ /* find the message element */ >+ el = ldb_msg_find_element(msg, attr); >+ if (el == NULL) { >+ return false; >+ } >+ >+ return ldb_msg_element_is_inaccessible(el); >+} >+ > /* > Check if a particular message will match the given filter > >@@ -580,6 +575,17 @@ int ldb_match_message(struct ldb_context *ldb, > return LDB_SUCCESS; > } > >+ /* >+ * Suppress matches on confidential attributes (handled >+ * manually in extended matches as these can do custom things >+ * like read other parts of the DB or other attributes). >+ */ >+ if (tree->operation != LDB_OP_EXTENDED) { >+ if (ldb_must_suppress_match(msg, tree)) { >+ return LDB_SUCCESS; >+ } >+ } >+ > switch (tree->operation) { > case LDB_OP_AND: > for (i=0;i<tree->u.list.num_elements;i++) { >-- >2.25.1 > > >From 3def013cecef4287c7cbf14abcb25d046eb7a32f Mon Sep 17 00:00:00 2001 >From: Andrew Bartlett <abartlet@samba.org> >Date: Fri, 3 Mar 2023 17:35:55 +1300 >Subject: [PATCH 30/39] CVE-2023-0614 ldb: Filter on search base before > redacting message > >Redaction may be expensive if we end up needing to fetch a security >descriptor to verify rights to an attribute. Checking the search scope >is probably cheaper, so do that first. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270 > >Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> >Reviewed-by: Andrew Bartlett <abartlet@samba.org> >--- > lib/ldb/ABI/ldb-2.8.0.sigs | 1 + > lib/ldb/common/ldb_match.c | 8 +++--- > lib/ldb/include/ldb_private.h | 8 ++++++ > lib/ldb/ldb_key_value/ldb_kv_index.c | 40 +++++++++++++++------------ > lib/ldb/ldb_key_value/ldb_kv_search.c | 14 ++++++++-- > 5 files changed, 48 insertions(+), 23 deletions(-) > >diff --git a/lib/ldb/ABI/ldb-2.8.0.sigs b/lib/ldb/ABI/ldb-2.8.0.sigs >index aff142ed428..b4c5e20e8c7 100644 >--- a/lib/ldb/ABI/ldb-2.8.0.sigs >+++ b/lib/ldb/ABI/ldb-2.8.0.sigs >@@ -126,6 +126,7 @@ ldb_match_message: int (struct ldb_context *, const struct ldb_message *, const > ldb_match_msg: int (struct ldb_context *, const struct ldb_message *, const struct ldb_parse_tree *, struct ldb_dn *, enum ldb_scope) > ldb_match_msg_error: int (struct ldb_context *, const struct ldb_message *, const struct ldb_parse_tree *, struct ldb_dn *, enum ldb_scope, bool *) > ldb_match_msg_objectclass: int (const struct ldb_message *, const char *) >+ldb_match_scope: int (struct ldb_context *, struct ldb_dn *, struct ldb_dn *, enum ldb_scope) > ldb_mod_register_control: int (struct ldb_module *, const char *) > ldb_modify: int (struct ldb_context *, const struct ldb_message *) > ldb_modify_default_callback: int (struct ldb_request *, struct ldb_reply *) >diff --git a/lib/ldb/common/ldb_match.c b/lib/ldb/common/ldb_match.c >index 645cb695ef1..8e27ecbe723 100644 >--- a/lib/ldb/common/ldb_match.c >+++ b/lib/ldb/common/ldb_match.c >@@ -38,10 +38,10 @@ > /* > check if the scope matches in a search result > */ >-static int ldb_match_scope(struct ldb_context *ldb, >- struct ldb_dn *base, >- struct ldb_dn *dn, >- enum ldb_scope scope) >+int ldb_match_scope(struct ldb_context *ldb, >+ struct ldb_dn *base, >+ struct ldb_dn *dn, >+ enum ldb_scope scope) > { > int ret = 0; > >diff --git a/lib/ldb/include/ldb_private.h b/lib/ldb/include/ldb_private.h >index 47ddaa4ff14..a7064f41f1b 100644 >--- a/lib/ldb/include/ldb_private.h >+++ b/lib/ldb/include/ldb_private.h >@@ -322,6 +322,14 @@ int ldb_match_message(struct ldb_context *ldb, > const struct ldb_parse_tree *tree, > enum ldb_scope scope, bool *matched); > >+/* >+ check if the scope matches in a search result >+*/ >+int ldb_match_scope(struct ldb_context *ldb, >+ struct ldb_dn *base, >+ struct ldb_dn *dn, >+ enum ldb_scope scope); >+ > /* Reallocate elements to drop any excess capacity. */ > void ldb_msg_shrink_to_fit(struct ldb_message *msg); > >diff --git a/lib/ldb/ldb_key_value/ldb_kv_index.c b/lib/ldb/ldb_key_value/ldb_kv_index.c >index 163052fecf7..aac0913f431 100644 >--- a/lib/ldb/ldb_key_value/ldb_kv_index.c >+++ b/lib/ldb/ldb_key_value/ldb_kv_index.c >@@ -2428,31 +2428,37 @@ static int ldb_kv_index_filter(struct ldb_kv_private *ldb_kv, > return LDB_ERR_OPERATIONS_ERROR; > } > >- if (ldb->redact.callback != NULL) { >- ret = ldb->redact.callback(ldb->redact.module, ac->req, msg); >- if (ret != LDB_SUCCESS) { >- talloc_free(msg); >- return ret; >- } >- } >- > /* > * We trust the index for LDB_SCOPE_ONELEVEL > * unless the index key has been truncated. > * > * LDB_SCOPE_BASE is not passed in by our only caller. > */ >- if (ac->scope == LDB_SCOPE_ONELEVEL && >- ldb_kv->cache->one_level_indexes && >- scope_one_truncation == KEY_NOT_TRUNCATED) { >- ret = ldb_match_message(ldb, msg, ac->tree, >- ac->scope, &matched); >- } else { >- ret = ldb_match_msg_error(ldb, msg, >- ac->tree, ac->base, >- ac->scope, &matched); >+ if (ac->scope != LDB_SCOPE_ONELEVEL || >+ !ldb_kv->cache->one_level_indexes || >+ scope_one_truncation != KEY_NOT_TRUNCATED) >+ { >+ /* >+ * The redaction callback may be expensive to call if it >+ * fetches a security descriptor. Check the DN early and >+ * bail out if it doesn't match the base. >+ */ >+ if (!ldb_match_scope(ldb, ac->base, msg->dn, ac->scope)) { >+ talloc_free(msg); >+ continue; >+ } >+ } >+ >+ if (ldb->redact.callback != NULL) { >+ ret = ldb->redact.callback(ldb->redact.module, ac->req, msg); >+ if (ret != LDB_SUCCESS) { >+ talloc_free(msg); >+ return ret; >+ } > } > >+ ret = ldb_match_message(ldb, msg, ac->tree, >+ ac->scope, &matched); > if (ret != LDB_SUCCESS) { > talloc_free(keys); > talloc_free(msg); >diff --git a/lib/ldb/ldb_key_value/ldb_kv_search.c b/lib/ldb/ldb_key_value/ldb_kv_search.c >index e16bd6b6717..36df53c821e 100644 >--- a/lib/ldb/ldb_key_value/ldb_kv_search.c >+++ b/lib/ldb/ldb_key_value/ldb_kv_search.c >@@ -396,6 +396,16 @@ static int search_func(_UNUSED_ struct ldb_kv_private *ldb_kv, > } > } > >+ /* >+ * The redaction callback may be expensive to call if it fetches a >+ * security descriptor. Check the DN early and bail out if it doesn't >+ * match the base. >+ */ >+ if (!ldb_match_scope(ldb, ac->base, msg->dn, ac->scope)) { >+ talloc_free(msg); >+ return 0; >+ } >+ > if (ldb->redact.callback != NULL) { > ret = ldb->redact.callback(ldb->redact.module, ac->req, msg); > if (ret != LDB_SUCCESS) { >@@ -405,8 +415,8 @@ static int search_func(_UNUSED_ struct ldb_kv_private *ldb_kv, > } > > /* see if it matches the given expression */ >- ret = ldb_match_msg_error(ldb, msg, >- ac->tree, ac->base, ac->scope, &matched); >+ ret = ldb_match_message(ldb, msg, >+ ac->tree, ac->scope, &matched); > if (ret != LDB_SUCCESS) { > talloc_free(msg); > ac->error = LDB_ERR_OPERATIONS_ERROR; >-- >2.25.1 > > >From cb8b620f26b34af0bd4e505cf6fec08506436b9a Mon Sep 17 00:00:00 2001 >From: Joseph Sutton <josephsutton@catalyst.net.nz> >Date: Fri, 24 Feb 2023 10:03:25 +1300 >Subject: [PATCH 31/39] CVE-2023-0614 s4-dsdb: Treat confidential attributes as > unindexed > >In the unlikely case that someone adds a confidential indexed attribute >to the schema, LDAP search expressions on that attribute could disclose >information via timing differences. Let's not use the index for searches >on confidential attributes. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270 > >Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> >Reviewed-by: Andrew Bartlett <abartlet@samba.org> >--- > source4/dsdb/samdb/ldb_modules/extended_dn_in.c | 10 +++++++++- > source4/dsdb/schema/schema_description.c | 7 +++++++ > source4/dsdb/schema/schema_init.c | 11 +++++++++-- > source4/dsdb/schema/schema_set.c | 9 ++++++++- > 4 files changed, 33 insertions(+), 4 deletions(-) > >diff --git a/source4/dsdb/samdb/ldb_modules/extended_dn_in.c b/source4/dsdb/samdb/ldb_modules/extended_dn_in.c >index 1dc1e1f2d42..248bb66f039 100644 >--- a/source4/dsdb/samdb/ldb_modules/extended_dn_in.c >+++ b/source4/dsdb/samdb/ldb_modules/extended_dn_in.c >@@ -423,7 +423,15 @@ static int extended_dn_filter_callback(struct ldb_parse_tree *tree, void *privat > guid_val = ldb_dn_get_extended_component(dn, "GUID"); > sid_val = ldb_dn_get_extended_component(dn, "SID"); > >- if (!guid_val && !sid_val && (attribute->searchFlags & SEARCH_FLAG_ATTINDEX)) { >+ /* >+ * Is the attribute indexed? By treating confidential attributes >+ * as unindexed, we force searches to go through the unindexed >+ * search path, avoiding observable timing differences. >+ */ >+ if (!guid_val && !sid_val && >+ (attribute->searchFlags & SEARCH_FLAG_ATTINDEX) && >+ !(attribute->searchFlags & SEARCH_FLAG_CONFIDENTIAL)) >+ { > /* if it is indexed, then fixing the string DN will do > no good here, as we will not find the attribute in > the index. So for now fall through to a standard DN >diff --git a/source4/dsdb/schema/schema_description.c b/source4/dsdb/schema/schema_description.c >index 243a02a15f3..5fc70154bf8 100644 >--- a/source4/dsdb/schema/schema_description.c >+++ b/source4/dsdb/schema/schema_description.c >@@ -160,6 +160,13 @@ char *schema_attribute_to_extendedInfo(TALLOC_CTX *mem_ctx, const struct dsdb_at > attribute->rangeUpper, > GUID_hexstring(tmp_ctx, &attribute->schemaIDGUID), > GUID_hexstring(tmp_ctx, &attribute->attributeSecurityGUID), >+ /* >+ * We actually ignore the indexed >+ * flag for confidential >+ * attributes, but we'll include >+ * it for the purposes of >+ * description. >+ */ > (attribute->searchFlags & SEARCH_FLAG_ATTINDEX), > attribute->systemOnly); > talloc_free(tmp_ctx); >diff --git a/source4/dsdb/schema/schema_init.c b/source4/dsdb/schema/schema_init.c >index a3b00497b6b..c8197b86306 100644 >--- a/source4/dsdb/schema/schema_init.c >+++ b/source4/dsdb/schema/schema_init.c >@@ -514,8 +514,15 @@ static int dsdb_schema_setup_ldb_schema_attribute(struct ldb_context *ldb, > if (attr->isSingleValued) { > a->flags |= LDB_ATTR_FLAG_SINGLE_VALUE; > } >- >- if (attr->searchFlags & SEARCH_FLAG_ATTINDEX) { >+ >+ /* >+ * Is the attribute indexed? By treating confidential attributes as >+ * unindexed, we force searches to go through the unindexed search path, >+ * avoiding observable timing differences. >+ */ >+ if (attr->searchFlags & SEARCH_FLAG_ATTINDEX && >+ !(attr->searchFlags & SEARCH_FLAG_CONFIDENTIAL)) >+ { > a->flags |= LDB_ATTR_FLAG_INDEXED; > } > >diff --git a/source4/dsdb/schema/schema_set.c b/source4/dsdb/schema/schema_set.c >index 45faa0912ec..03cf2405595 100644 >--- a/source4/dsdb/schema/schema_set.c >+++ b/source4/dsdb/schema/schema_set.c >@@ -221,7 +221,14 @@ int dsdb_schema_set_indices_and_attributes(struct ldb_context *ldb, > break; > } > >- if (attr->searchFlags & SEARCH_FLAG_ATTINDEX) { >+ /* >+ * Is the attribute indexed? By treating confidential attributes >+ * as unindexed, we force searches to go through the unindexed >+ * search path, avoiding observable timing differences. >+ */ >+ if (attr->searchFlags & SEARCH_FLAG_ATTINDEX && >+ !(attr->searchFlags & SEARCH_FLAG_CONFIDENTIAL)) >+ { > /* > * When preparing to downgrade Samba, we need to write > * out an LDB without the new key word ORDERED_INTEGER. >-- >2.25.1 > > >From 5f3c148538a8fb63ab50c556fbdc208fdac3f9d7 Mon Sep 17 00:00:00 2001 >From: Andrew Bartlett <abartlet@samba.org> >Date: Thu, 2 Mar 2023 16:31:17 +1300 >Subject: [PATCH 32/39] CVE-2023-0614 dsdb: Add DSDB_MARK_REQ_UNTRUSTED > >This will allow our dsdb helper search functions to mark the new >request as untrusted, forcing read ACL evaluation (per current behaviour). > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270 > >Signed-off-by: Andrew Bartlett <abartlet@samba.org> >Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz> >--- > source4/dsdb/common/util.c | 4 ++++ > source4/dsdb/common/util.h | 1 + > 2 files changed, 5 insertions(+) > >diff --git a/source4/dsdb/common/util.c b/source4/dsdb/common/util.c >index 7dfdf2680b1..ef42d71ae04 100644 >--- a/source4/dsdb/common/util.c >+++ b/source4/dsdb/common/util.c >@@ -4909,6 +4909,10 @@ int dsdb_request_add_controls(struct ldb_request *req, uint32_t dsdb_flags) > } > } > >+ if (dsdb_flags & DSDB_MARK_REQ_UNTRUSTED) { >+ ldb_req_mark_untrusted(req); >+ } >+ > return LDB_SUCCESS; > } > >diff --git a/source4/dsdb/common/util.h b/source4/dsdb/common/util.h >index e1854644d53..5bb96d60b3c 100644 >--- a/source4/dsdb/common/util.h >+++ b/source4/dsdb/common/util.h >@@ -43,6 +43,7 @@ > #define DSDB_MODIFY_PARTIAL_REPLICA 0x04000 > #define DSDB_PASSWORD_BYPASS_LAST_SET 0x08000 > #define DSDB_REPLMD_VANISH_LINKS 0x10000 >+#define DSDB_MARK_REQ_UNTRUSTED 0x20000 > > bool is_attr_in_list(const char * const * attrs, const char *attr); > >-- >2.25.1 > > >From a2ed8a38616a88a9af6c906955cf954feec260f0 Mon Sep 17 00:00:00 2001 >From: Andrew Bartlett <abartlet@samba.org> >Date: Fri, 3 Mar 2023 16:49:00 +1300 >Subject: [PATCH 33/39] CVE-2023-0614 dsdb: Add pre-cleanup and > self.addCleanup() of OU created in match_rules tests > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270 > >Signed-off-by: Andrew Bartlett <abartlet@samba.org> >Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz> >--- > lib/ldb-samba/tests/match_rules.py | 8 ++++++++ > 1 file changed, 8 insertions(+) > >diff --git a/lib/ldb-samba/tests/match_rules.py b/lib/ldb-samba/tests/match_rules.py >index abf485c9eab..2af1dd6a070 100755 >--- a/lib/ldb-samba/tests/match_rules.py >+++ b/lib/ldb-samba/tests/match_rules.py >@@ -31,11 +31,19 @@ class MatchRulesTests(samba.tests.TestCase): > self.ou_groups = "OU=groups,%s" % self.ou > self.ou_computers = "OU=computers,%s" % self.ou > >+ try: >+ self.ldb.delete(self.ou, ["tree_delete:1"]) >+ except LdbError as e: >+ pass >+ > # Add a organizational unit to create objects > self.ldb.add({ > "dn": self.ou, > "objectclass": "organizationalUnit"}) > >+ self.addCleanup(self.ldb.delete, self.ou, controls=['tree_delete:0']) >+ >+ > # Add the following OU hierarchy and set otherWellKnownObjects, > # which has BinaryDN syntax: > # >-- >2.25.1 > > >From 3e1135cf1402a6c5f95ab26c32f5ea7e518b81e3 Mon Sep 17 00:00:00 2001 >From: Andrew Bartlett <abartlet@samba.org> >Date: Thu, 2 Mar 2023 16:51:25 +1300 >Subject: [PATCH 34/39] CVE-2023-0614 lib/ldb-samba: Add test for > SAMBA_LDAP_MATCH_RULE_TRANSITIVE_EVAL / LDAP_MATCHING_RULE_IN_CHAIN with and > ACL hidden attributes > >The chain for transitive evaluation does consider ACLs, avoiding the disclosure of >confidential information. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270 > >Signed-off-by: Andrew Bartlett <abartlet@samba.org> >Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz> >--- > lib/ldb-samba/tests/match_rules.py | 127 ++++++++++++---------- > lib/ldb-samba/tests/match_rules_remote.py | 104 ++++++++++++++++++ > source4/selftest/tests.py | 1 + > 3 files changed, 175 insertions(+), 57 deletions(-) > create mode 100755 lib/ldb-samba/tests/match_rules_remote.py > >diff --git a/lib/ldb-samba/tests/match_rules.py b/lib/ldb-samba/tests/match_rules.py >index 2af1dd6a070..2fe6c3e2264 100755 >--- a/lib/ldb-samba/tests/match_rules.py >+++ b/lib/ldb-samba/tests/match_rules.py >@@ -20,13 +20,18 @@ from ldb import SCOPE_BASE, SCOPE_SUBTREE, SCOPE_ONELEVEL > # Windows appear to preserve casing of the RDN and uppercase the other keys. > > >-class MatchRulesTests(samba.tests.TestCase): >+class MatchRulesTestsBase(samba.tests.TestCase): > def setUp(self): >- super(MatchRulesTests, self).setUp() >- self.lp = lp >- self.ldb = SamDB(host, credentials=creds, session_info=system_session(lp), lp=lp) >+ super().setUp() >+ self.lp = self.sambaopts.get_loadparm() >+ self.creds = self.credopts.get_credentials(self.lp) >+ >+ self.ldb = SamDB(self.host, credentials=self.creds, >+ session_info=system_session(self.lp), >+ lp=self.lp) > self.base_dn = self.ldb.domain_dn() >- self.ou = "OU=matchrulestest,%s" % self.base_dn >+ self.ou_rdn = "OU=matchrulestest" >+ self.ou = self.ou_rdn + "," + self.base_dn > self.ou_users = "OU=users,%s" % self.ou > self.ou_groups = "OU=groups,%s" % self.ou > self.ou_computers = "OU=computers,%s" % self.ou >@@ -212,6 +217,39 @@ class MatchRulesTests(samba.tests.TestCase): > FLAG_MOD_ADD, "member") > self.ldb.modify(m) > >+ # Add a couple of ms-Exch-Configuration-Container to test forward-link >+ # attributes without backward link (addressBookRoots2) >+ # e1 >+ # |--> e2 >+ # | |--> c1 >+ self.ldb.add({ >+ "dn": "cn=e1,%s" % self.ou, >+ "objectclass": "msExchConfigurationContainer"}) >+ self.ldb.add({ >+ "dn": "cn=e2,%s" % self.ou, >+ "objectclass": "msExchConfigurationContainer"}) >+ >+ m = Message() >+ m.dn = Dn(self.ldb, "cn=e2,%s" % self.ou) >+ m["e1"] = MessageElement("cn=c1,%s" % self.ou_computers, >+ FLAG_MOD_ADD, "addressBookRoots2") >+ self.ldb.modify(m) >+ >+ m = Message() >+ m.dn = Dn(self.ldb, "cn=e1,%s" % self.ou) >+ m["e1"] = MessageElement("cn=e2,%s" % self.ou, >+ FLAG_MOD_ADD, "addressBookRoots2") >+ self.ldb.modify(m) >+ >+ >+ >+class MatchRulesTests(MatchRulesTestsBase): >+ def setUp(self): >+ self.sambaopts = sambaopts >+ self.credopts = credopts >+ self.host = host >+ super().setUp() >+ > # The msDS-RevealedUsers is owned by system and cannot be modified > # directly. Set the schemaUpgradeInProgress flag as workaround > # and create this hierarchy: >@@ -251,33 +289,6 @@ class MatchRulesTests(samba.tests.TestCase): > m["e1"] = MessageElement("0", FLAG_MOD_REPLACE, "schemaUpgradeInProgress") > self.ldb.modify(m) > >- # Add a couple of ms-Exch-Configuration-Container to test forward-link >- # attributes without backward link (addressBookRoots2) >- # e1 >- # |--> e2 >- # | |--> c1 >- self.ldb.add({ >- "dn": "cn=e1,%s" % self.ou, >- "objectclass": "msExchConfigurationContainer"}) >- self.ldb.add({ >- "dn": "cn=e2,%s" % self.ou, >- "objectclass": "msExchConfigurationContainer"}) >- >- m = Message() >- m.dn = Dn(self.ldb, "cn=e2,%s" % self.ou) >- m["e1"] = MessageElement("cn=c1,%s" % self.ou_computers, >- FLAG_MOD_ADD, "addressBookRoots2") >- self.ldb.modify(m) >- >- m = Message() >- m.dn = Dn(self.ldb, "cn=e1,%s" % self.ou) >- m["e1"] = MessageElement("cn=e2,%s" % self.ou, >- FLAG_MOD_ADD, "addressBookRoots2") >- self.ldb.modify(m) >- >- def tearDown(self): >- super(MatchRulesTests, self).tearDown() >- self.ldb.delete(self.ou, controls=['tree_delete:0']) > > def test_u1_member_of_g4(self): > # Search without transitive match must return 0 results >@@ -953,8 +964,12 @@ class MatchRulesTests(samba.tests.TestCase): > class MatchRuleConditionTests(samba.tests.TestCase): > def setUp(self): > super(MatchRuleConditionTests, self).setUp() >- self.lp = lp >- self.ldb = SamDB(host, credentials=creds, session_info=system_session(lp), lp=lp) >+ self.lp = sambaopts.get_loadparm() >+ self.creds = credopts.get_credentials(self.lp) >+ >+ self.ldb = SamDB(host, credentials=self.creds, >+ session_info=system_session(self.lp), >+ lp=self.lp) > self.base_dn = self.ldb.domain_dn() > self.ou = "OU=matchruleconditiontests,%s" % self.base_dn > self.ou_users = "OU=users,%s" % self.ou >@@ -1753,32 +1768,30 @@ class MatchRuleConditionTests(samba.tests.TestCase): > self.ou_groups, self.ou_computers)) > self.assertEqual(len(res1), 0) > >+if __name__ == "__main__": > >-parser = optparse.OptionParser("match_rules.py [options] <host>") >-sambaopts = options.SambaOptions(parser) >-parser.add_option_group(sambaopts) >-parser.add_option_group(options.VersionOptions(parser)) >- >-# use command line creds if available >-credopts = options.CredentialsOptions(parser) >-parser.add_option_group(credopts) >-opts, args = parser.parse_args() >-subunitopts = SubunitOptions(parser) >-parser.add_option_group(subunitopts) >+ parser = optparse.OptionParser("match_rules.py [options] <host>") >+ sambaopts = options.SambaOptions(parser) >+ parser.add_option_group(sambaopts) >+ parser.add_option_group(options.VersionOptions(parser)) > >-if len(args) < 1: >- parser.print_usage() >- sys.exit(1) >+ # use command line creds if available >+ credopts = options.CredentialsOptions(parser) >+ parser.add_option_group(credopts) >+ opts, args = parser.parse_args() >+ subunitopts = SubunitOptions(parser) >+ parser.add_option_group(subunitopts) > >-host = args[0] >+ if len(args) < 1: >+ parser.print_usage() >+ sys.exit(1) > >-lp = sambaopts.get_loadparm() >-creds = credopts.get_credentials(lp) >+ host = args[0] > >-if "://" not in host: >- if os.path.isfile(host): >- host = "tdb://%s" % host >- else: >- host = "ldap://%s" % host >+ if "://" not in host: >+ if os.path.isfile(host): >+ host = "tdb://%s" % host >+ else: >+ host = "ldap://%s" % host > >-TestProgram(module=__name__, opts=subunitopts) >+ TestProgram(module=__name__, opts=subunitopts) >diff --git a/lib/ldb-samba/tests/match_rules_remote.py b/lib/ldb-samba/tests/match_rules_remote.py >new file mode 100755 >index 00000000000..122231f2a60 >--- /dev/null >+++ b/lib/ldb-samba/tests/match_rules_remote.py >@@ -0,0 +1,104 @@ >+#!/usr/bin/env python3 >+ >+import optparse >+import sys >+import os >+import samba >+import samba.getopt as options >+ >+from samba.tests.subunitrun import SubunitOptions, TestProgram >+ >+from samba.samdb import SamDB >+from samba.auth import system_session >+from samba import sd_utils >+from samba.ndr import ndr_unpack >+from ldb import Message, MessageElement, Dn, LdbError >+from ldb import FLAG_MOD_ADD, FLAG_MOD_REPLACE, FLAG_MOD_DELETE >+from ldb import SCOPE_BASE, SCOPE_SUBTREE, SCOPE_ONELEVEL >+ >+from match_rules import MatchRulesTestsBase >+ >+ >+class MatchRulesTestsUser(MatchRulesTestsBase): >+ def setUp(self): >+ self.sambaopts = sambaopts >+ self.credopts = credopts >+ self.host = host >+ super().setUp() >+ self.sd_utils = sd_utils.SDUtils(self.ldb) >+ >+ self.user_pass = "samba123@" >+ self.match_test_user = "matchtestuser" >+ self.ldb.newuser(self.match_test_user, >+ self.user_pass, >+ userou=self.ou_rdn) >+ user_creds = self.insta_creds(template=self.creds, >+ username=self.match_test_user, >+ userpass=self.user_pass) >+ self.user_ldb = SamDB(host, credentials=user_creds, lp=self.lp) >+ token_res = self.user_ldb.search(scope=SCOPE_BASE, >+ base="", >+ attrs=["tokenGroups"]) >+ self.user_sid = ndr_unpack(samba.dcerpc.security.dom_sid, >+ token_res[0]["tokenGroups"][0]) >+ >+ self.member_attr_guid = "bf9679c0-0de6-11d0-a285-00aa003049e2" >+ >+ def test_with_denied_link(self): >+ >+ # add an ACE that denies the user Read Property (RP) access to >+ # the member attr (which is similar to making the attribute >+ # confidential) >+ ace = "(OD;;RP;{0};;{1})".format(self.member_attr_guid, >+ self.user_sid) >+ g2_dn = Dn(self.ldb, "CN=g2,%s" % self.ou_groups) >+ >+ # add the ACE that denies access to the attr under test >+ self.sd_utils.dacl_add_ace(g2_dn, ace) >+ >+ # Search without transitive match must return 0 results >+ res1 = self.ldb.search("cn=g4,%s" % self.ou_groups, >+ scope=SCOPE_BASE, >+ expression="member=cn=u1,%s" % self.ou_users) >+ self.assertEqual(len(res1), 0) >+ >+ # Search with transitive match must return 1 results >+ res1 = self.ldb.search("cn=g4,%s" % self.ou_groups, >+ scope=SCOPE_BASE, >+ expression="member:1.2.840.113556.1.4.1941:=cn=u1,%s" % self.ou_users) >+ self.assertEqual(len(res1), 1) >+ self.assertEqual(str(res1[0].dn).lower(), ("CN=g4,%s" % self.ou_groups).lower()) >+ >+ # Search as a user match must return 0 results as the intermediate link can't be seen >+ res1 = self.user_ldb.search("cn=g4,%s" % self.ou_groups, >+ scope=SCOPE_BASE, >+ expression="member:1.2.840.113556.1.4.1941:=cn=u1,%s" % self.ou_users) >+ self.assertEqual(len(res1), 0) >+ >+ >+ >+parser = optparse.OptionParser("match_rules_remote.py [options] <host>") >+sambaopts = options.SambaOptions(parser) >+parser.add_option_group(sambaopts) >+parser.add_option_group(options.VersionOptions(parser)) >+ >+# use command line creds if available >+credopts = options.CredentialsOptions(parser) >+parser.add_option_group(credopts) >+opts, args = parser.parse_args() >+subunitopts = SubunitOptions(parser) >+parser.add_option_group(subunitopts) >+ >+if len(args) < 1: >+ parser.print_usage() >+ sys.exit(1) >+ >+host = args[0] >+ >+if "://" not in host: >+ if os.path.isfile(host): >+ host = "tdb://%s" % host >+ else: >+ host = "ldap://%s" % host >+ >+TestProgram(module=__name__, opts=subunitopts) >diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py >index 2780d77ad07..eabceedd4d4 100755 >--- a/source4/selftest/tests.py >+++ b/source4/selftest/tests.py >@@ -1331,6 +1331,7 @@ for env in ['ad_dc_default:local', 'schema_dc:local']: > plantestsuite_loadlist("samba4.urgent_replication.python(ad_dc_ntvfs)", "ad_dc_ntvfs:local", [python, os.path.join(DSDB_PYTEST_DIR, "urgent_replication.py"), '$PREFIX_ABS/ad_dc_ntvfs/private/sam.ldb', '$LOADLIST', '$LISTOPT']) > plantestsuite_loadlist("samba4.ldap.dirsync.python(ad_dc_ntvfs)", "ad_dc_ntvfs", [python, os.path.join(DSDB_PYTEST_DIR, "dirsync.py"), '$SERVER', '-U"$USERNAME%$PASSWORD"', '--workgroup=$DOMAIN', '$LOADLIST', '$LISTOPT']) > plantestsuite_loadlist("samba4.ldap.match_rules.python", "ad_dc_ntvfs", [python, os.path.join(srcdir(), "lib/ldb-samba/tests/match_rules.py"), '$PREFIX_ABS/ad_dc_ntvfs/private/sam.ldb', '-U"$USERNAME%$PASSWORD"', '--workgroup=$DOMAIN', '$LOADLIST', '$LISTOPT']) >+plantestsuite_loadlist("samba4.ldap.match_rules.python", "ad_dc_ntvfs", [python, os.path.join(srcdir(), "lib/ldb-samba/tests/match_rules_remote.py"), '$SERVER', '-U"$USERNAME%$PASSWORD"', '--workgroup=$DOMAIN', '$LOADLIST', '$LISTOPT']) > plantestsuite("samba4.ldap.index.python", "none", [python, os.path.join(srcdir(), "lib/ldb-samba/tests/index.py")]) > plantestsuite_loadlist("samba4.ldap.notification.python(ad_dc_ntvfs)", "ad_dc_ntvfs", [python, os.path.join(DSDB_PYTEST_DIR, "notification.py"), '$SERVER', '-U"$USERNAME%$PASSWORD"', '--workgroup=$DOMAIN', '$LOADLIST', '$LISTOPT']) > plantestsuite_loadlist("samba4.ldap.sites.python(ad_dc_default)", "ad_dc_default", [python, os.path.join(DSDB_PYTEST_DIR, "sites.py"), '$SERVER', '-U"$USERNAME%$PASSWORD"', '--workgroup=$DOMAIN', '$LOADLIST', '$LISTOPT']) >-- >2.25.1 > > >From 8a70ba46c988f24e770ae532f72cfcbc82c80979 Mon Sep 17 00:00:00 2001 >From: Andrew Bartlett <abartlet@samba.org> >Date: Thu, 2 Mar 2023 17:24:15 +1300 >Subject: [PATCH 35/39] CVE-2023-0614 lib/ldb-samba Ensure ACLs are evaluated > on SAMBA_LDAP_MATCH_RULE_TRANSITIVE_EVAL / LDAP_MATCHING_RULE_IN_CHAIN > >Setting the LDB_HANDLE_FLAG_UNTRUSTED tells the acl_read module to operate on this request. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270 > >Signed-off-by: Andrew Bartlett <abartlet@samba.org> >Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz> >--- > lib/ldb-samba/ldb_matching_rules.c | 7 ++++++- > 1 file changed, 6 insertions(+), 1 deletion(-) > >diff --git a/lib/ldb-samba/ldb_matching_rules.c b/lib/ldb-samba/ldb_matching_rules.c >index b86594c1823..59d1385f4e3 100644 >--- a/lib/ldb-samba/ldb_matching_rules.c >+++ b/lib/ldb-samba/ldb_matching_rules.c >@@ -67,7 +67,12 @@ static int ldb_eval_transitive_filter_helper(TALLOC_CTX *mem_ctx, > * Note also that we don't have the original request > * here, so we can not apply controls or timeouts here. > */ >- ret = dsdb_search_dn(ldb, tmp_ctx, &res, to_visit->dn, attrs, 0); >+ ret = dsdb_search_dn(ldb, >+ tmp_ctx, >+ &res, >+ to_visit->dn, >+ attrs, >+ DSDB_MARK_REQ_UNTRUSTED); > if (ret != LDB_SUCCESS) { > talloc_free(tmp_ctx); > return ret; >-- >2.25.1 > > >From d43e61e540e6af06251f063b867a46af2c2eb134 Mon Sep 17 00:00:00 2001 >From: Joseph Sutton <josephsutton@catalyst.net.nz> >Date: Tue, 14 Feb 2023 14:18:45 +1300 >Subject: [PATCH 36/39] ldb: Use correct member of union > >Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> >Reviewed-by: Andrew Bartlett <abartlet@samba.org> >--- > lib/ldb/common/ldb_parse.c | 20 ++++++++++++-------- > lib/ldb/ldb_map/ldb_map_outbound.c | 7 ++++++- > 2 files changed, 18 insertions(+), 9 deletions(-) > >diff --git a/lib/ldb/common/ldb_parse.c b/lib/ldb/common/ldb_parse.c >index 2d102ff750e..f1d224a255e 100644 >--- a/lib/ldb/common/ldb_parse.c >+++ b/lib/ldb/common/ldb_parse.c >@@ -799,27 +799,27 @@ char *ldb_filter_from_tree(TALLOC_CTX *mem_ctx, const struct ldb_parse_tree *tre > ret = s; > return ret; > case LDB_OP_GREATER: >- s = ldb_binary_encode(mem_ctx, tree->u.equality.value); >+ s = ldb_binary_encode(mem_ctx, tree->u.comparison.value); > if (s == NULL) return NULL; > ret = talloc_asprintf(mem_ctx, "(%s>=%s)", >- tree->u.equality.attr, s); >+ tree->u.comparison.attr, s); > talloc_free(s); > return ret; > case LDB_OP_LESS: >- s = ldb_binary_encode(mem_ctx, tree->u.equality.value); >+ s = ldb_binary_encode(mem_ctx, tree->u.comparison.value); > if (s == NULL) return NULL; > ret = talloc_asprintf(mem_ctx, "(%s<=%s)", >- tree->u.equality.attr, s); >+ tree->u.comparison.attr, s); > talloc_free(s); > return ret; > case LDB_OP_PRESENT: > ret = talloc_asprintf(mem_ctx, "(%s=*)", tree->u.present.attr); > return ret; > case LDB_OP_APPROX: >- s = ldb_binary_encode(mem_ctx, tree->u.equality.value); >+ s = ldb_binary_encode(mem_ctx, tree->u.comparison.value); > if (s == NULL) return NULL; > ret = talloc_asprintf(mem_ctx, "(%s~=%s)", >- tree->u.equality.attr, s); >+ tree->u.comparison.attr, s); > talloc_free(s); > return ret; > case LDB_OP_EXTENDED: >@@ -895,11 +895,15 @@ static int parse_tree_attr_replace(struct ldb_parse_tree *tree, void *private_co > struct parse_tree_attr_replace_ctx *ctx = private_context; > switch (tree->operation) { > case LDB_OP_EQUALITY: >+ if (ldb_attr_cmp(tree->u.equality.attr, ctx->attr) == 0) { >+ tree->u.equality.attr = ctx->replace; >+ } >+ break; > case LDB_OP_GREATER: > case LDB_OP_LESS: > case LDB_OP_APPROX: >- if (ldb_attr_cmp(tree->u.equality.attr, ctx->attr) == 0) { >- tree->u.equality.attr = ctx->replace; >+ if (ldb_attr_cmp(tree->u.comparison.attr, ctx->attr) == 0) { >+ tree->u.comparison.attr = ctx->replace; > } > break; > case LDB_OP_SUBSTRING: >diff --git a/lib/ldb/ldb_map/ldb_map_outbound.c b/lib/ldb/ldb_map/ldb_map_outbound.c >index c823ba4a5c6..312b6bc7cdb 100644 >--- a/lib/ldb/ldb_map/ldb_map_outbound.c >+++ b/lib/ldb/ldb_map/ldb_map_outbound.c >@@ -546,6 +546,7 @@ static bool ldb_parse_tree_check_splittable(const struct ldb_parse_tree *tree) > /* Collect a list of attributes required to match a given parse tree. */ > static int ldb_parse_tree_collect_attrs(struct ldb_module *module, void *mem_ctx, const char ***attrs, const struct ldb_parse_tree *tree) > { >+ const char *attr = NULL; > const char **new_attrs; > unsigned int i; > int ret; >@@ -570,7 +571,11 @@ static int ldb_parse_tree_collect_attrs(struct ldb_module *module, void *mem_ctx > return ldb_parse_tree_collect_attrs(module, mem_ctx, attrs, tree->u.isnot.child); > > default: /* single attribute in tree */ >- new_attrs = ldb_attr_list_copy_add(mem_ctx, *attrs, tree->u.equality.attr); >+ attr = ldb_parse_tree_get_attr(tree); >+ new_attrs = ldb_attr_list_copy_add(mem_ctx, *attrs, attr); >+ if (new_attrs == NULL) { >+ return ldb_module_oom(module); >+ } > talloc_free(*attrs); > *attrs = new_attrs; > return 0; >-- >2.25.1 > > >From 8fc1867bc4e7431b7e1c63fffe68806801cbcefa Mon Sep 17 00:00:00 2001 >From: Andrew Bartlett <abartlet@samba.org> >Date: Fri, 3 Mar 2023 17:52:13 +1300 >Subject: [PATCH 37/39] CVE-2023-0614 ldb: Release LDB 2.8.1 > >* CVE-2023-0614 Not-secret but access controlled LDAP attributes can be discovered (bug 15270) > >Note the changes to ABI/ldb-2.8.0.sigs only >revert the temporary changes made there... > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270 > >Signed-off-by: Andrew Bartlett <abartlet@samba.org> >Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz> >--- > lib/ldb/ABI/ldb-2.8.0.sigs | 10 - > lib/ldb/ABI/ldb-2.8.1.sigs | 301 ++++++++++++++++++++++++++++++ > lib/ldb/ABI/pyldb-util-2.8.1.sigs | 3 + > lib/ldb/wscript | 2 +- > 4 files changed, 305 insertions(+), 11 deletions(-) > create mode 100644 lib/ldb/ABI/ldb-2.8.1.sigs > create mode 100644 lib/ldb/ABI/pyldb-util-2.8.1.sigs > >diff --git a/lib/ldb/ABI/ldb-2.8.0.sigs b/lib/ldb/ABI/ldb-2.8.0.sigs >index b4c5e20e8c7..40388d9e330 100644 >--- a/lib/ldb/ABI/ldb-2.8.0.sigs >+++ b/lib/ldb/ABI/ldb-2.8.0.sigs >@@ -86,7 +86,6 @@ ldb_errstring: const char *(struct ldb_context *) > ldb_extended: int (struct ldb_context *, const char *, void *, struct ldb_result **) > ldb_extended_default_callback: int (struct ldb_request *, struct ldb_reply *) > ldb_filter_attrs: int (struct ldb_context *, const struct ldb_message *, const char * const *, struct ldb_message *) >-ldb_filter_attrs_in_place: int (struct ldb_message *, const char * const *) > ldb_filter_from_tree: char *(TALLOC_CTX *, const struct ldb_parse_tree *) > ldb_get_config_basedn: struct ldb_dn *(struct ldb_context *) > ldb_get_create_perms: unsigned int (struct ldb_context *) >@@ -126,7 +125,6 @@ ldb_match_message: int (struct ldb_context *, const struct ldb_message *, const > ldb_match_msg: int (struct ldb_context *, const struct ldb_message *, const struct ldb_parse_tree *, struct ldb_dn *, enum ldb_scope) > ldb_match_msg_error: int (struct ldb_context *, const struct ldb_message *, const struct ldb_parse_tree *, struct ldb_dn *, enum ldb_scope, bool *) > ldb_match_msg_objectclass: int (const struct ldb_message *, const char *) >-ldb_match_scope: int (struct ldb_context *, struct ldb_dn *, struct ldb_dn *, enum ldb_scope) > ldb_mod_register_control: int (struct ldb_module *, const char *) > ldb_modify: int (struct ldb_context *, const struct ldb_message *) > ldb_modify_default_callback: int (struct ldb_request *, struct ldb_reply *) >@@ -151,7 +149,6 @@ ldb_modules_hook: int (struct ldb_context *, enum ldb_module_hook_type) > ldb_modules_list_from_string: const char **(struct ldb_context *, TALLOC_CTX *, const char *) > ldb_modules_load: int (const char *, const char *) > ldb_msg_add: int (struct ldb_message *, const struct ldb_message_element *, int) >-ldb_msg_add_distinguished_name: int (struct ldb_message *) > ldb_msg_add_empty: int (struct ldb_message *, const char *, int, struct ldb_message_element **) > ldb_msg_add_fmt: int (struct ldb_message *, const char *, const char *, ...) > ldb_msg_add_linearized_dn: int (struct ldb_message *, const char *, struct ldb_dn *) >@@ -177,9 +174,6 @@ ldb_msg_element_add_value: int (TALLOC_CTX *, struct ldb_message_element *, cons > ldb_msg_element_compare: int (struct ldb_message_element *, struct ldb_message_element *) > ldb_msg_element_compare_name: int (struct ldb_message_element *, struct ldb_message_element *) > ldb_msg_element_equal_ordered: bool (const struct ldb_message_element *, const struct ldb_message_element *) >-ldb_msg_element_is_inaccessible: bool (const struct ldb_message_element *) >-ldb_msg_element_mark_inaccessible: void (struct ldb_message_element *) >-ldb_msg_elements_take_ownership: int (struct ldb_message *) > ldb_msg_find_attr_as_bool: int (const struct ldb_message *, const char *, int) > ldb_msg_find_attr_as_dn: struct ldb_dn *(struct ldb_context *, TALLOC_CTX *, const struct ldb_message *, const char *) > ldb_msg_find_attr_as_double: double (const struct ldb_message *, const char *, double) >@@ -197,10 +191,8 @@ ldb_msg_new: struct ldb_message *(TALLOC_CTX *) > ldb_msg_normalize: int (struct ldb_context *, TALLOC_CTX *, const struct ldb_message *, struct ldb_message **) > ldb_msg_remove_attr: void (struct ldb_message *, const char *) > ldb_msg_remove_element: void (struct ldb_message *, struct ldb_message_element *) >-ldb_msg_remove_inaccessible: void (struct ldb_message *) > ldb_msg_rename_attr: int (struct ldb_message *, const char *, const char *) > ldb_msg_sanity_check: int (struct ldb_context *, const struct ldb_message *) >-ldb_msg_shrink_to_fit: void (struct ldb_message *) > ldb_msg_sort_elements: void (struct ldb_message *) > ldb_next_del_trans: int (struct ldb_module *) > ldb_next_end_trans: int (struct ldb_module *) >@@ -221,14 +213,12 @@ ldb_parse_control_strings: struct ldb_control **(struct ldb_context *, TALLOC_CT > ldb_parse_tree: struct ldb_parse_tree *(TALLOC_CTX *, const char *) > ldb_parse_tree_attr_replace: void (struct ldb_parse_tree *, const char *, const char *) > ldb_parse_tree_copy_shallow: struct ldb_parse_tree *(TALLOC_CTX *, const struct ldb_parse_tree *) >-ldb_parse_tree_get_attr: const char *(const struct ldb_parse_tree *) > ldb_parse_tree_walk: int (struct ldb_parse_tree *, int (*)(struct ldb_parse_tree *, void *), void *) > ldb_qsort: void (void * const, size_t, size_t, void *, ldb_qsort_cmp_fn_t) > ldb_register_backend: int (const char *, ldb_connect_fn, bool) > ldb_register_extended_match_rule: int (struct ldb_context *, const struct ldb_extended_match_rule *) > ldb_register_hook: int (ldb_hook_fn) > ldb_register_module: int (const struct ldb_module_ops *) >-ldb_register_redact_callback: int (struct ldb_context *, ldb_redact_fn, struct ldb_module *) > ldb_rename: int (struct ldb_context *, struct ldb_dn *, struct ldb_dn *) > ldb_reply_add_control: int (struct ldb_reply *, const char *, bool, void *) > ldb_reply_get_control: struct ldb_control *(struct ldb_reply *, const char *) >diff --git a/lib/ldb/ABI/ldb-2.8.1.sigs b/lib/ldb/ABI/ldb-2.8.1.sigs >new file mode 100644 >index 00000000000..b4c5e20e8c7 >--- /dev/null >+++ b/lib/ldb/ABI/ldb-2.8.1.sigs >@@ -0,0 +1,301 @@ >+ldb_add: int (struct ldb_context *, const struct ldb_message *) >+ldb_any_comparison: int (struct ldb_context *, void *, ldb_attr_handler_t, const struct ldb_val *, const struct ldb_val *) >+ldb_asprintf_errstring: void (struct ldb_context *, const char *, ...) >+ldb_attr_casefold: char *(TALLOC_CTX *, const char *) >+ldb_attr_dn: int (const char *) >+ldb_attr_in_list: int (const char * const *, const char *) >+ldb_attr_list_copy: const char **(TALLOC_CTX *, const char * const *) >+ldb_attr_list_copy_add: const char **(TALLOC_CTX *, const char * const *, const char *) >+ldb_base64_decode: int (char *) >+ldb_base64_encode: char *(TALLOC_CTX *, const char *, int) >+ldb_binary_decode: struct ldb_val (TALLOC_CTX *, const char *) >+ldb_binary_encode: char *(TALLOC_CTX *, struct ldb_val) >+ldb_binary_encode_string: char *(TALLOC_CTX *, const char *) >+ldb_build_add_req: int (struct ldb_request **, struct ldb_context *, TALLOC_CTX *, const struct ldb_message *, struct ldb_control **, void *, ldb_request_callback_t, struct ldb_request *) >+ldb_build_del_req: int (struct ldb_request **, struct ldb_context *, TALLOC_CTX *, struct ldb_dn *, struct ldb_control **, void *, ldb_request_callback_t, struct ldb_request *) >+ldb_build_extended_req: int (struct ldb_request **, struct ldb_context *, TALLOC_CTX *, const char *, void *, struct ldb_control **, void *, ldb_request_callback_t, struct ldb_request *) >+ldb_build_mod_req: int (struct ldb_request **, struct ldb_context *, TALLOC_CTX *, const struct ldb_message *, struct ldb_control **, void *, ldb_request_callback_t, struct ldb_request *) >+ldb_build_rename_req: int (struct ldb_request **, struct ldb_context *, TALLOC_CTX *, struct ldb_dn *, struct ldb_dn *, struct ldb_control **, void *, ldb_request_callback_t, struct ldb_request *) >+ldb_build_search_req: int (struct ldb_request **, struct ldb_context *, TALLOC_CTX *, struct ldb_dn *, enum ldb_scope, const char *, const char * const *, struct ldb_control **, void *, ldb_request_callback_t, struct ldb_request *) >+ldb_build_search_req_ex: int (struct ldb_request **, struct ldb_context *, TALLOC_CTX *, struct ldb_dn *, enum ldb_scope, struct ldb_parse_tree *, const char * const *, struct ldb_control **, void *, ldb_request_callback_t, struct ldb_request *) >+ldb_casefold: char *(struct ldb_context *, TALLOC_CTX *, const char *, size_t) >+ldb_casefold_default: char *(void *, TALLOC_CTX *, const char *, size_t) >+ldb_check_critical_controls: int (struct ldb_control **) >+ldb_comparison_binary: int (struct ldb_context *, void *, const struct ldb_val *, const struct ldb_val *) >+ldb_comparison_fold: int (struct ldb_context *, void *, const struct ldb_val *, const struct ldb_val *) >+ldb_connect: int (struct ldb_context *, const char *, unsigned int, const char **) >+ldb_control_to_string: char *(TALLOC_CTX *, const struct ldb_control *) >+ldb_controls_except_specified: struct ldb_control **(struct ldb_control **, TALLOC_CTX *, struct ldb_control *) >+ldb_debug: void (struct ldb_context *, enum ldb_debug_level, const char *, ...) >+ldb_debug_add: void (struct ldb_context *, const char *, ...) >+ldb_debug_end: void (struct ldb_context *, enum ldb_debug_level) >+ldb_debug_set: void (struct ldb_context *, enum ldb_debug_level, const char *, ...) >+ldb_delete: int (struct ldb_context *, struct ldb_dn *) >+ldb_dn_add_base: bool (struct ldb_dn *, struct ldb_dn *) >+ldb_dn_add_base_fmt: bool (struct ldb_dn *, const char *, ...) >+ldb_dn_add_child: bool (struct ldb_dn *, struct ldb_dn *) >+ldb_dn_add_child_fmt: bool (struct ldb_dn *, const char *, ...) >+ldb_dn_add_child_val: bool (struct ldb_dn *, const char *, struct ldb_val) >+ldb_dn_alloc_casefold: char *(TALLOC_CTX *, struct ldb_dn *) >+ldb_dn_alloc_linearized: char *(TALLOC_CTX *, struct ldb_dn *) >+ldb_dn_canonical_ex_string: char *(TALLOC_CTX *, struct ldb_dn *) >+ldb_dn_canonical_string: char *(TALLOC_CTX *, struct ldb_dn *) >+ldb_dn_check_local: bool (struct ldb_module *, struct ldb_dn *) >+ldb_dn_check_special: bool (struct ldb_dn *, const char *) >+ldb_dn_compare: int (struct ldb_dn *, struct ldb_dn *) >+ldb_dn_compare_base: int (struct ldb_dn *, struct ldb_dn *) >+ldb_dn_copy: struct ldb_dn *(TALLOC_CTX *, struct ldb_dn *) >+ldb_dn_escape_value: char *(TALLOC_CTX *, struct ldb_val) >+ldb_dn_extended_add_syntax: int (struct ldb_context *, unsigned int, const struct ldb_dn_extended_syntax *) >+ldb_dn_extended_filter: void (struct ldb_dn *, const char * const *) >+ldb_dn_extended_syntax_by_name: const struct ldb_dn_extended_syntax *(struct ldb_context *, const char *) >+ldb_dn_from_ldb_val: struct ldb_dn *(TALLOC_CTX *, struct ldb_context *, const struct ldb_val *) >+ldb_dn_get_casefold: const char *(struct ldb_dn *) >+ldb_dn_get_comp_num: int (struct ldb_dn *) >+ldb_dn_get_component_name: const char *(struct ldb_dn *, unsigned int) >+ldb_dn_get_component_val: const struct ldb_val *(struct ldb_dn *, unsigned int) >+ldb_dn_get_extended_comp_num: int (struct ldb_dn *) >+ldb_dn_get_extended_component: const struct ldb_val *(struct ldb_dn *, const char *) >+ldb_dn_get_extended_linearized: char *(TALLOC_CTX *, struct ldb_dn *, int) >+ldb_dn_get_ldb_context: struct ldb_context *(struct ldb_dn *) >+ldb_dn_get_linearized: const char *(struct ldb_dn *) >+ldb_dn_get_parent: struct ldb_dn *(TALLOC_CTX *, struct ldb_dn *) >+ldb_dn_get_rdn_name: const char *(struct ldb_dn *) >+ldb_dn_get_rdn_val: const struct ldb_val *(struct ldb_dn *) >+ldb_dn_has_extended: bool (struct ldb_dn *) >+ldb_dn_is_null: bool (struct ldb_dn *) >+ldb_dn_is_special: bool (struct ldb_dn *) >+ldb_dn_is_valid: bool (struct ldb_dn *) >+ldb_dn_map_local: struct ldb_dn *(struct ldb_module *, void *, struct ldb_dn *) >+ldb_dn_map_rebase_remote: struct ldb_dn *(struct ldb_module *, void *, struct ldb_dn *) >+ldb_dn_map_remote: struct ldb_dn *(struct ldb_module *, void *, struct ldb_dn *) >+ldb_dn_minimise: bool (struct ldb_dn *) >+ldb_dn_new: struct ldb_dn *(TALLOC_CTX *, struct ldb_context *, const char *) >+ldb_dn_new_fmt: struct ldb_dn *(TALLOC_CTX *, struct ldb_context *, const char *, ...) >+ldb_dn_remove_base_components: bool (struct ldb_dn *, unsigned int) >+ldb_dn_remove_child_components: bool (struct ldb_dn *, unsigned int) >+ldb_dn_remove_extended_components: void (struct ldb_dn *) >+ldb_dn_replace_components: bool (struct ldb_dn *, struct ldb_dn *) >+ldb_dn_set_component: int (struct ldb_dn *, int, const char *, const struct ldb_val) >+ldb_dn_set_extended_component: int (struct ldb_dn *, const char *, const struct ldb_val *) >+ldb_dn_update_components: int (struct ldb_dn *, const struct ldb_dn *) >+ldb_dn_validate: bool (struct ldb_dn *) >+ldb_dump_results: void (struct ldb_context *, struct ldb_result *, FILE *) >+ldb_error_at: int (struct ldb_context *, int, const char *, const char *, int) >+ldb_errstring: const char *(struct ldb_context *) >+ldb_extended: int (struct ldb_context *, const char *, void *, struct ldb_result **) >+ldb_extended_default_callback: int (struct ldb_request *, struct ldb_reply *) >+ldb_filter_attrs: int (struct ldb_context *, const struct ldb_message *, const char * const *, struct ldb_message *) >+ldb_filter_attrs_in_place: int (struct ldb_message *, const char * const *) >+ldb_filter_from_tree: char *(TALLOC_CTX *, const struct ldb_parse_tree *) >+ldb_get_config_basedn: struct ldb_dn *(struct ldb_context *) >+ldb_get_create_perms: unsigned int (struct ldb_context *) >+ldb_get_default_basedn: struct ldb_dn *(struct ldb_context *) >+ldb_get_event_context: struct tevent_context *(struct ldb_context *) >+ldb_get_flags: unsigned int (struct ldb_context *) >+ldb_get_opaque: void *(struct ldb_context *, const char *) >+ldb_get_root_basedn: struct ldb_dn *(struct ldb_context *) >+ldb_get_schema_basedn: struct ldb_dn *(struct ldb_context *) >+ldb_global_init: int (void) >+ldb_handle_get_event_context: struct tevent_context *(struct ldb_handle *) >+ldb_handle_new: struct ldb_handle *(TALLOC_CTX *, struct ldb_context *) >+ldb_handle_use_global_event_context: void (struct ldb_handle *) >+ldb_handler_copy: int (struct ldb_context *, void *, const struct ldb_val *, struct ldb_val *) >+ldb_handler_fold: int (struct ldb_context *, void *, const struct ldb_val *, struct ldb_val *) >+ldb_init: struct ldb_context *(TALLOC_CTX *, struct tevent_context *) >+ldb_ldif_message_redacted_string: char *(struct ldb_context *, TALLOC_CTX *, enum ldb_changetype, const struct ldb_message *) >+ldb_ldif_message_string: char *(struct ldb_context *, TALLOC_CTX *, enum ldb_changetype, const struct ldb_message *) >+ldb_ldif_parse_modrdn: int (struct ldb_context *, const struct ldb_ldif *, TALLOC_CTX *, struct ldb_dn **, struct ldb_dn **, bool *, struct ldb_dn **, struct ldb_dn **) >+ldb_ldif_read: struct ldb_ldif *(struct ldb_context *, int (*)(void *), void *) >+ldb_ldif_read_file: struct ldb_ldif *(struct ldb_context *, FILE *) >+ldb_ldif_read_file_state: struct ldb_ldif *(struct ldb_context *, struct ldif_read_file_state *) >+ldb_ldif_read_free: void (struct ldb_context *, struct ldb_ldif *) >+ldb_ldif_read_string: struct ldb_ldif *(struct ldb_context *, const char **) >+ldb_ldif_write: int (struct ldb_context *, int (*)(void *, const char *, ...), void *, const struct ldb_ldif *) >+ldb_ldif_write_file: int (struct ldb_context *, FILE *, const struct ldb_ldif *) >+ldb_ldif_write_redacted_trace_string: char *(struct ldb_context *, TALLOC_CTX *, const struct ldb_ldif *) >+ldb_ldif_write_string: char *(struct ldb_context *, TALLOC_CTX *, const struct ldb_ldif *) >+ldb_load_modules: int (struct ldb_context *, const char **) >+ldb_map_add: int (struct ldb_module *, struct ldb_request *) >+ldb_map_delete: int (struct ldb_module *, struct ldb_request *) >+ldb_map_init: int (struct ldb_module *, const struct ldb_map_attribute *, const struct ldb_map_objectclass *, const char * const *, const char *, const char *) >+ldb_map_modify: int (struct ldb_module *, struct ldb_request *) >+ldb_map_rename: int (struct ldb_module *, struct ldb_request *) >+ldb_map_search: int (struct ldb_module *, struct ldb_request *) >+ldb_match_message: int (struct ldb_context *, const struct ldb_message *, const struct ldb_parse_tree *, enum ldb_scope, bool *) >+ldb_match_msg: int (struct ldb_context *, const struct ldb_message *, const struct ldb_parse_tree *, struct ldb_dn *, enum ldb_scope) >+ldb_match_msg_error: int (struct ldb_context *, const struct ldb_message *, const struct ldb_parse_tree *, struct ldb_dn *, enum ldb_scope, bool *) >+ldb_match_msg_objectclass: int (const struct ldb_message *, const char *) >+ldb_match_scope: int (struct ldb_context *, struct ldb_dn *, struct ldb_dn *, enum ldb_scope) >+ldb_mod_register_control: int (struct ldb_module *, const char *) >+ldb_modify: int (struct ldb_context *, const struct ldb_message *) >+ldb_modify_default_callback: int (struct ldb_request *, struct ldb_reply *) >+ldb_module_call_chain: char *(struct ldb_request *, TALLOC_CTX *) >+ldb_module_connect_backend: int (struct ldb_context *, const char *, const char **, struct ldb_module **) >+ldb_module_done: int (struct ldb_request *, struct ldb_control **, struct ldb_extended *, int) >+ldb_module_flags: uint32_t (struct ldb_context *) >+ldb_module_get_ctx: struct ldb_context *(struct ldb_module *) >+ldb_module_get_name: const char *(struct ldb_module *) >+ldb_module_get_ops: const struct ldb_module_ops *(struct ldb_module *) >+ldb_module_get_private: void *(struct ldb_module *) >+ldb_module_init_chain: int (struct ldb_context *, struct ldb_module *) >+ldb_module_load_list: int (struct ldb_context *, const char **, struct ldb_module *, struct ldb_module **) >+ldb_module_new: struct ldb_module *(TALLOC_CTX *, struct ldb_context *, const char *, const struct ldb_module_ops *) >+ldb_module_next: struct ldb_module *(struct ldb_module *) >+ldb_module_popt_options: struct poptOption **(struct ldb_context *) >+ldb_module_send_entry: int (struct ldb_request *, struct ldb_message *, struct ldb_control **) >+ldb_module_send_referral: int (struct ldb_request *, char *) >+ldb_module_set_next: void (struct ldb_module *, struct ldb_module *) >+ldb_module_set_private: void (struct ldb_module *, void *) >+ldb_modules_hook: int (struct ldb_context *, enum ldb_module_hook_type) >+ldb_modules_list_from_string: const char **(struct ldb_context *, TALLOC_CTX *, const char *) >+ldb_modules_load: int (const char *, const char *) >+ldb_msg_add: int (struct ldb_message *, const struct ldb_message_element *, int) >+ldb_msg_add_distinguished_name: int (struct ldb_message *) >+ldb_msg_add_empty: int (struct ldb_message *, const char *, int, struct ldb_message_element **) >+ldb_msg_add_fmt: int (struct ldb_message *, const char *, const char *, ...) >+ldb_msg_add_linearized_dn: int (struct ldb_message *, const char *, struct ldb_dn *) >+ldb_msg_add_steal_string: int (struct ldb_message *, const char *, char *) >+ldb_msg_add_steal_value: int (struct ldb_message *, const char *, struct ldb_val *) >+ldb_msg_add_string: int (struct ldb_message *, const char *, const char *) >+ldb_msg_add_string_flags: int (struct ldb_message *, const char *, const char *, int) >+ldb_msg_add_value: int (struct ldb_message *, const char *, const struct ldb_val *, struct ldb_message_element **) >+ldb_msg_append_fmt: int (struct ldb_message *, int, const char *, const char *, ...) >+ldb_msg_append_linearized_dn: int (struct ldb_message *, const char *, struct ldb_dn *, int) >+ldb_msg_append_steal_string: int (struct ldb_message *, const char *, char *, int) >+ldb_msg_append_steal_value: int (struct ldb_message *, const char *, struct ldb_val *, int) >+ldb_msg_append_string: int (struct ldb_message *, const char *, const char *, int) >+ldb_msg_append_value: int (struct ldb_message *, const char *, const struct ldb_val *, int) >+ldb_msg_canonicalize: struct ldb_message *(struct ldb_context *, const struct ldb_message *) >+ldb_msg_check_string_attribute: int (const struct ldb_message *, const char *, const char *) >+ldb_msg_copy: struct ldb_message *(TALLOC_CTX *, const struct ldb_message *) >+ldb_msg_copy_attr: int (struct ldb_message *, const char *, const char *) >+ldb_msg_copy_shallow: struct ldb_message *(TALLOC_CTX *, const struct ldb_message *) >+ldb_msg_diff: struct ldb_message *(struct ldb_context *, struct ldb_message *, struct ldb_message *) >+ldb_msg_difference: int (struct ldb_context *, TALLOC_CTX *, struct ldb_message *, struct ldb_message *, struct ldb_message **) >+ldb_msg_element_add_value: int (TALLOC_CTX *, struct ldb_message_element *, const struct ldb_val *) >+ldb_msg_element_compare: int (struct ldb_message_element *, struct ldb_message_element *) >+ldb_msg_element_compare_name: int (struct ldb_message_element *, struct ldb_message_element *) >+ldb_msg_element_equal_ordered: bool (const struct ldb_message_element *, const struct ldb_message_element *) >+ldb_msg_element_is_inaccessible: bool (const struct ldb_message_element *) >+ldb_msg_element_mark_inaccessible: void (struct ldb_message_element *) >+ldb_msg_elements_take_ownership: int (struct ldb_message *) >+ldb_msg_find_attr_as_bool: int (const struct ldb_message *, const char *, int) >+ldb_msg_find_attr_as_dn: struct ldb_dn *(struct ldb_context *, TALLOC_CTX *, const struct ldb_message *, const char *) >+ldb_msg_find_attr_as_double: double (const struct ldb_message *, const char *, double) >+ldb_msg_find_attr_as_int: int (const struct ldb_message *, const char *, int) >+ldb_msg_find_attr_as_int64: int64_t (const struct ldb_message *, const char *, int64_t) >+ldb_msg_find_attr_as_string: const char *(const struct ldb_message *, const char *, const char *) >+ldb_msg_find_attr_as_uint: unsigned int (const struct ldb_message *, const char *, unsigned int) >+ldb_msg_find_attr_as_uint64: uint64_t (const struct ldb_message *, const char *, uint64_t) >+ldb_msg_find_common_values: int (struct ldb_context *, TALLOC_CTX *, struct ldb_message_element *, struct ldb_message_element *, uint32_t) >+ldb_msg_find_duplicate_val: int (struct ldb_context *, TALLOC_CTX *, const struct ldb_message_element *, struct ldb_val **, uint32_t) >+ldb_msg_find_element: struct ldb_message_element *(const struct ldb_message *, const char *) >+ldb_msg_find_ldb_val: const struct ldb_val *(const struct ldb_message *, const char *) >+ldb_msg_find_val: struct ldb_val *(const struct ldb_message_element *, struct ldb_val *) >+ldb_msg_new: struct ldb_message *(TALLOC_CTX *) >+ldb_msg_normalize: int (struct ldb_context *, TALLOC_CTX *, const struct ldb_message *, struct ldb_message **) >+ldb_msg_remove_attr: void (struct ldb_message *, const char *) >+ldb_msg_remove_element: void (struct ldb_message *, struct ldb_message_element *) >+ldb_msg_remove_inaccessible: void (struct ldb_message *) >+ldb_msg_rename_attr: int (struct ldb_message *, const char *, const char *) >+ldb_msg_sanity_check: int (struct ldb_context *, const struct ldb_message *) >+ldb_msg_shrink_to_fit: void (struct ldb_message *) >+ldb_msg_sort_elements: void (struct ldb_message *) >+ldb_next_del_trans: int (struct ldb_module *) >+ldb_next_end_trans: int (struct ldb_module *) >+ldb_next_init: int (struct ldb_module *) >+ldb_next_prepare_commit: int (struct ldb_module *) >+ldb_next_read_lock: int (struct ldb_module *) >+ldb_next_read_unlock: int (struct ldb_module *) >+ldb_next_remote_request: int (struct ldb_module *, struct ldb_request *) >+ldb_next_request: int (struct ldb_module *, struct ldb_request *) >+ldb_next_start_trans: int (struct ldb_module *) >+ldb_op_default_callback: int (struct ldb_request *, struct ldb_reply *) >+ldb_options_copy: const char **(TALLOC_CTX *, const char **) >+ldb_options_find: const char *(struct ldb_context *, const char **, const char *) >+ldb_options_get: const char **(struct ldb_context *) >+ldb_pack_data: int (struct ldb_context *, const struct ldb_message *, struct ldb_val *, uint32_t) >+ldb_parse_control_from_string: struct ldb_control *(struct ldb_context *, TALLOC_CTX *, const char *) >+ldb_parse_control_strings: struct ldb_control **(struct ldb_context *, TALLOC_CTX *, const char **) >+ldb_parse_tree: struct ldb_parse_tree *(TALLOC_CTX *, const char *) >+ldb_parse_tree_attr_replace: void (struct ldb_parse_tree *, const char *, const char *) >+ldb_parse_tree_copy_shallow: struct ldb_parse_tree *(TALLOC_CTX *, const struct ldb_parse_tree *) >+ldb_parse_tree_get_attr: const char *(const struct ldb_parse_tree *) >+ldb_parse_tree_walk: int (struct ldb_parse_tree *, int (*)(struct ldb_parse_tree *, void *), void *) >+ldb_qsort: void (void * const, size_t, size_t, void *, ldb_qsort_cmp_fn_t) >+ldb_register_backend: int (const char *, ldb_connect_fn, bool) >+ldb_register_extended_match_rule: int (struct ldb_context *, const struct ldb_extended_match_rule *) >+ldb_register_hook: int (ldb_hook_fn) >+ldb_register_module: int (const struct ldb_module_ops *) >+ldb_register_redact_callback: int (struct ldb_context *, ldb_redact_fn, struct ldb_module *) >+ldb_rename: int (struct ldb_context *, struct ldb_dn *, struct ldb_dn *) >+ldb_reply_add_control: int (struct ldb_reply *, const char *, bool, void *) >+ldb_reply_get_control: struct ldb_control *(struct ldb_reply *, const char *) >+ldb_req_get_custom_flags: uint32_t (struct ldb_request *) >+ldb_req_is_untrusted: bool (struct ldb_request *) >+ldb_req_location: const char *(struct ldb_request *) >+ldb_req_mark_trusted: void (struct ldb_request *) >+ldb_req_mark_untrusted: void (struct ldb_request *) >+ldb_req_set_custom_flags: void (struct ldb_request *, uint32_t) >+ldb_req_set_location: void (struct ldb_request *, const char *) >+ldb_request: int (struct ldb_context *, struct ldb_request *) >+ldb_request_add_control: int (struct ldb_request *, const char *, bool, void *) >+ldb_request_done: int (struct ldb_request *, int) >+ldb_request_get_control: struct ldb_control *(struct ldb_request *, const char *) >+ldb_request_get_status: int (struct ldb_request *) >+ldb_request_replace_control: int (struct ldb_request *, const char *, bool, void *) >+ldb_request_set_state: void (struct ldb_request *, int) >+ldb_reset_err_string: void (struct ldb_context *) >+ldb_save_controls: int (struct ldb_control *, struct ldb_request *, struct ldb_control ***) >+ldb_schema_attribute_add: int (struct ldb_context *, const char *, unsigned int, const char *) >+ldb_schema_attribute_add_with_syntax: int (struct ldb_context *, const char *, unsigned int, const struct ldb_schema_syntax *) >+ldb_schema_attribute_by_name: const struct ldb_schema_attribute *(struct ldb_context *, const char *) >+ldb_schema_attribute_fill_with_syntax: int (struct ldb_context *, TALLOC_CTX *, const char *, unsigned int, const struct ldb_schema_syntax *, struct ldb_schema_attribute *) >+ldb_schema_attribute_remove: void (struct ldb_context *, const char *) >+ldb_schema_attribute_remove_flagged: void (struct ldb_context *, unsigned int) >+ldb_schema_attribute_set_override_handler: void (struct ldb_context *, ldb_attribute_handler_override_fn_t, void *) >+ldb_schema_set_override_GUID_index: void (struct ldb_context *, const char *, const char *) >+ldb_schema_set_override_indexlist: void (struct ldb_context *, bool) >+ldb_search: int (struct ldb_context *, TALLOC_CTX *, struct ldb_result **, struct ldb_dn *, enum ldb_scope, const char * const *, const char *, ...) >+ldb_search_default_callback: int (struct ldb_request *, struct ldb_reply *) >+ldb_sequence_number: int (struct ldb_context *, enum ldb_sequence_type, uint64_t *) >+ldb_set_create_perms: void (struct ldb_context *, unsigned int) >+ldb_set_debug: int (struct ldb_context *, void (*)(void *, enum ldb_debug_level, const char *, va_list), void *) >+ldb_set_debug_stderr: int (struct ldb_context *) >+ldb_set_default_dns: void (struct ldb_context *) >+ldb_set_errstring: void (struct ldb_context *, const char *) >+ldb_set_event_context: void (struct ldb_context *, struct tevent_context *) >+ldb_set_flags: void (struct ldb_context *, unsigned int) >+ldb_set_modules_dir: void (struct ldb_context *, const char *) >+ldb_set_opaque: int (struct ldb_context *, const char *, void *) >+ldb_set_require_private_event_context: void (struct ldb_context *) >+ldb_set_timeout: int (struct ldb_context *, struct ldb_request *, int) >+ldb_set_timeout_from_prev_req: int (struct ldb_context *, struct ldb_request *, struct ldb_request *) >+ldb_set_utf8_default: void (struct ldb_context *) >+ldb_set_utf8_fns: void (struct ldb_context *, void *, char *(*)(void *, void *, const char *, size_t)) >+ldb_setup_wellknown_attributes: int (struct ldb_context *) >+ldb_should_b64_encode: int (struct ldb_context *, const struct ldb_val *) >+ldb_standard_syntax_by_name: const struct ldb_schema_syntax *(struct ldb_context *, const char *) >+ldb_strerror: const char *(int) >+ldb_string_to_time: time_t (const char *) >+ldb_string_utc_to_time: time_t (const char *) >+ldb_timestring: char *(TALLOC_CTX *, time_t) >+ldb_timestring_utc: char *(TALLOC_CTX *, time_t) >+ldb_transaction_cancel: int (struct ldb_context *) >+ldb_transaction_cancel_noerr: int (struct ldb_context *) >+ldb_transaction_commit: int (struct ldb_context *) >+ldb_transaction_prepare_commit: int (struct ldb_context *) >+ldb_transaction_start: int (struct ldb_context *) >+ldb_unpack_data: int (struct ldb_context *, const struct ldb_val *, struct ldb_message *) >+ldb_unpack_data_flags: int (struct ldb_context *, const struct ldb_val *, struct ldb_message *, unsigned int) >+ldb_unpack_get_format: int (const struct ldb_val *, uint32_t *) >+ldb_val_dup: struct ldb_val (TALLOC_CTX *, const struct ldb_val *) >+ldb_val_equal_exact: int (const struct ldb_val *, const struct ldb_val *) >+ldb_val_map_local: struct ldb_val (struct ldb_module *, void *, const struct ldb_map_attribute *, const struct ldb_val *) >+ldb_val_map_remote: struct ldb_val (struct ldb_module *, void *, const struct ldb_map_attribute *, const struct ldb_val *) >+ldb_val_string_cmp: int (const struct ldb_val *, const char *) >+ldb_val_to_time: int (const struct ldb_val *, time_t *) >+ldb_valid_attr_name: int (const char *) >+ldb_vdebug: void (struct ldb_context *, enum ldb_debug_level, const char *, va_list) >+ldb_wait: int (struct ldb_handle *, enum ldb_wait_type) >diff --git a/lib/ldb/ABI/pyldb-util-2.8.1.sigs b/lib/ldb/ABI/pyldb-util-2.8.1.sigs >new file mode 100644 >index 00000000000..164a806b2ff >--- /dev/null >+++ b/lib/ldb/ABI/pyldb-util-2.8.1.sigs >@@ -0,0 +1,3 @@ >+pyldb_Dn_FromDn: PyObject *(struct ldb_dn *) >+pyldb_Object_AsDn: bool (TALLOC_CTX *, PyObject *, struct ldb_context *, struct ldb_dn **) >+pyldb_check_type: bool (PyObject *, const char *) >diff --git a/lib/ldb/wscript b/lib/ldb/wscript >index 083e4ba059d..a35687d40f6 100644 >--- a/lib/ldb/wscript >+++ b/lib/ldb/wscript >@@ -2,7 +2,7 @@ > > APPNAME = 'ldb' > # For Samba 4.19.x >-VERSION = '2.8.0' >+VERSION = '2.8.1' > > import sys, os > >-- >2.25.1 > > >From 30f1937d503f41206319e6cb2a4d754351016018 Mon Sep 17 00:00:00 2001 >From: Andrew Bartlett <abartlet@samba.org> >Date: Wed, 1 Mar 2023 14:49:06 +1300 >Subject: [PATCH 38/39] dsdb: Remove remaining references to > DC_MODE_RETURN_NONE and DC_MODE_RETURN_ALL > >The confidential_attrs test no longer uses DC_MODE_RETURN_NONE we can now >remove the complexity. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270 > >Signed-off-by: Andrew Bartlett <abartlet@samba.org> >Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz> >--- > .../dsdb/tests/python/confidential_attr.py | 86 ++++--------------- > 1 file changed, 16 insertions(+), 70 deletions(-) > >diff --git a/source4/dsdb/tests/python/confidential_attr.py b/source4/dsdb/tests/python/confidential_attr.py >index 6889d5a5560..ac83f488061 100755 >--- a/source4/dsdb/tests/python/confidential_attr.py >+++ b/source4/dsdb/tests/python/confidential_attr.py >@@ -70,20 +70,6 @@ lp = sambaopts.get_loadparm() > creds = credopts.get_credentials(lp) > creds.set_gensec_features(creds.get_gensec_features() | gensec.FEATURE_SEAL) > >-# When a user does not have access rights to view the objects' attributes, >-# Windows and Samba behave slightly differently. >-# A windows DC will always act as if the hidden attribute doesn't exist AT ALL >-# (for an unprivileged user). So, even for a user that lacks access rights, >-# the inverse/'!' queries should return ALL objects. This is similar to the >-# kludgeaclredacted behaviour on Samba. >-# However, on Samba (for implementation simplicity) we never return a matching >-# result for an unprivileged user. >-# Either approach is OK, so long as it gets applied consistently and we don't >-# disclose any sensitive details by varying what gets returned by the search. >-DC_MODE_RETURN_NONE = 0 >-DC_MODE_RETURN_ALL = 1 >- >- > # > # Tests start here > # >@@ -193,25 +179,6 @@ class ConfidentialAttrCommon(samba.tests.TestCase): > # reset the value after the test completes > self.addCleanup(self.set_attr_search_flags, self.attr_dn, old_value) > >- # The behaviour of the DC can differ in some cases, depending on whether >- # we're talking to a Windows DC or a Samba DC >- def guess_dc_mode(self): >- # if we're in selftest, we can be pretty sure it's a Samba DC >- if os.environ.get('SAMBA_SELFTEST') == '1': >- return DC_MODE_RETURN_NONE >- >- searches = self.get_negative_match_all_searches() >- res = self.ldb_user.search(self.test_dn, expression=searches[0], >- scope=SCOPE_SUBTREE) >- >- # we default to DC_MODE_RETURN_NONE (samba).Update this if it >- # looks like we're talking to a Windows DC >- if len(res) == self.total_objects: >- return DC_MODE_RETURN_ALL >- >- # otherwise assume samba DC behaviour >- return DC_MODE_RETURN_NONE >- > def get_user_dn(self, name): > return "CN={0},{1}".format(name, self.ou) > >@@ -359,7 +326,7 @@ class ConfidentialAttrCommon(samba.tests.TestCase): > return expected_results > > # Returns the expected negative (i.e. '!') search behaviour when talking to >- # a DC with DC_MODE_RETURN_ALL behaviour, i.e. we assert that users >+ # a DC, i.e. we assert that users > # without rights always see ALL objects in '!' searches > def negative_searches_return_all(self, has_rights_to=0, > total_objects=None): >@@ -409,32 +376,24 @@ class ConfidentialAttrCommon(samba.tests.TestCase): > # and what access rights the user has. > # Note we only handle has_rights_to="all", 1 (the test object), or 0 (i.e. > # we don't have rights to any objects) >- def negative_search_expected_results(self, has_rights_to, dc_mode, >- total_objects=None): >+ def negative_search_expected_results(self, has_rights_to, total_objects=None): > > if has_rights_to == "all": > expect_results = self.negative_searches_all_rights(total_objects) > >- # if it's a Samba DC, we only expect the 'match-all' searches to return >- # the objects that we have access rights to (all others are hidden). >- # Whereas Windows 'hides' the objects by always returning all of them >- elif dc_mode == DC_MODE_RETURN_NONE: >- expect_results = self.negative_searches_return_none(has_rights_to) > else: > expect_results = self.negative_searches_return_all(has_rights_to, > total_objects) > return expect_results > >- def assert_negative_searches(self, has_rights_to=0, >- dc_mode=DC_MODE_RETURN_NONE, samdb=None): >+ def assert_negative_searches(self, has_rights_to=0, samdb=None): > """Asserts user without rights cannot see objects in '!' searches""" > > if samdb is None: > samdb = self.ldb_user > > # build a dictionary of key=search-expr, value=expected_num assertions >- expected_results = self.negative_search_expected_results(has_rights_to, >- dc_mode) >+ expected_results = self.negative_search_expected_results(has_rights_to) > > for search, expected_num in expected_results.items(): > self.assert_search_result(expected_num, search, samdb) >@@ -490,8 +449,7 @@ class ConfidentialAttrTest(ConfidentialAttrCommon): > self.make_attr_confidential() > > self.assert_conf_attr_searches(has_rights_to=0) >- dc_mode = DC_MODE_RETURN_ALL >- self.assert_negative_searches(has_rights_to=0, dc_mode=dc_mode) >+ self.assert_negative_searches(has_rights_to=0) > self.assert_attr_visible(expect_attr=False) > > # sanity-check we haven't hidden the attribute from the admin as well >@@ -503,8 +461,7 @@ class ConfidentialAttrTest(ConfidentialAttrCommon): > self.make_attr_confidential() > > self.assert_conf_attr_searches(has_rights_to=0) >- dc_mode = DC_MODE_RETURN_ALL >- self.assert_negative_searches(has_rights_to=0, dc_mode=dc_mode) >+ self.assert_negative_searches(has_rights_to=0) > self.assert_attr_visible(expect_attr=False) > > # apply the allow ACE to the object under test >@@ -513,7 +470,7 @@ class ConfidentialAttrTest(ConfidentialAttrCommon): > # the user should now be able to see the attribute for the one object > # we gave it rights to > self.assert_conf_attr_searches(has_rights_to=1) >- self.assert_negative_searches(has_rights_to=1, dc_mode=dc_mode) >+ self.assert_negative_searches(has_rights_to=1) > self.assert_attr_visible(expect_attr=True) > > # sanity-check the admin can still see the attribute >@@ -566,8 +523,7 @@ class ConfidentialAttrTest(ConfidentialAttrCommon): > self.make_attr_confidential() > > self.assert_conf_attr_searches(has_rights_to=0) >- dc_mode = DC_MODE_RETURN_ALL >- self.assert_negative_searches(has_rights_to=0, dc_mode=dc_mode) >+ self.assert_negative_searches(has_rights_to=0) > self.assert_attr_visible(expect_attr=False) > > # apply the ACE to the object under test >@@ -575,7 +531,7 @@ class ConfidentialAttrTest(ConfidentialAttrCommon): > > # this should make no difference to the user's ability to see the attr > self.assert_conf_attr_searches(has_rights_to=0) >- self.assert_negative_searches(has_rights_to=0, dc_mode=dc_mode) >+ self.assert_negative_searches(has_rights_to=0) > self.assert_attr_visible(expect_attr=False) > > # sanity-check the admin can still see the attribute >@@ -707,8 +663,7 @@ class ConfidentialAttrTestDenyAcl(ConfidentialAttrCommon): > return expected_results > > # override method specifically for deny ACL test cases >- def assert_negative_searches(self, has_rights_to=0, >- dc_mode=DC_MODE_RETURN_NONE, samdb=None): >+ def assert_negative_searches(self, has_rights_to=0, samdb=None): > """Asserts user without rights cannot see objects in '!' searches""" > > if samdb is None: >@@ -719,12 +674,9 @@ class ConfidentialAttrTestDenyAcl(ConfidentialAttrCommon): > # assert this if the '!'/negative search behaviour is to suppress any > # objects we don't have access rights to) > excl_testobj = False >- if has_rights_to != "all" and dc_mode == DC_MODE_RETURN_NONE: >- excl_testobj = True > > # build a dictionary of key=search-expr, value=expected_num assertions >- expected_results = self.negative_search_expected_results(has_rights_to, >- dc_mode) >+ expected_results = self.negative_search_expected_results(has_rights_to) > > for search, expected_num in expected_results.items(): > self.assert_search_result(expected_num, search, samdb, >@@ -741,9 +693,7 @@ class ConfidentialAttrTestDenyAcl(ConfidentialAttrCommon): > > # the user shouldn't be able to see the attribute anymore > self.assert_conf_attr_searches(has_rights_to="deny-one") >- dc_mode = DC_MODE_RETURN_ALL >- self.assert_negative_searches(has_rights_to="deny-one", >- dc_mode=dc_mode) >+ self.assert_negative_searches(has_rights_to="deny-one") > self.assert_attr_visible(expect_attr=False) > > # sanity-check we haven't hidden the attribute from the admin as well >@@ -887,8 +837,7 @@ class ConfidentialAttrTestDirsync(ConfidentialAttrCommon): > attrs=['name']) > > # override method specifically for dirsync (total object count differs) >- def assert_negative_searches(self, has_rights_to=0, >- dc_mode=DC_MODE_RETURN_NONE, samdb=None): >+ def assert_negative_searches(self, has_rights_to=0, samdb=None): > """Asserts user without rights cannot see objects in '!' searches""" > > if samdb is None: >@@ -898,7 +847,6 @@ class ConfidentialAttrTestDirsync(ConfidentialAttrCommon): > # here only includes the user objects (not the parent OU) > total_objects = len(self.all_users) > expected_results = self.negative_search_expected_results(has_rights_to, >- dc_mode, > total_objects) > > for search, expected_num in expected_results.items(): >@@ -917,8 +865,7 @@ class ConfidentialAttrTestDirsync(ConfidentialAttrCommon): > > self.assert_conf_attr_searches(has_rights_to=0) > self.assert_attr_visible(expect_attr=False) >- dc_mode = DC_MODE_RETURN_ALL >- self.assert_negative_searches(has_rights_to=0, dc_mode=dc_mode) >+ self.assert_negative_searches(has_rights_to=0) > > # as a final sanity-check, make sure the admin can still see the attr > self.assert_conf_attr_searches(has_rights_to="all", >@@ -1012,8 +959,7 @@ class ConfidentialAttrTestDirsync(ConfidentialAttrCommon): > # check we can't see the objects now, even with using dirsync controls > self.assert_conf_attr_searches(has_rights_to=0) > self.assert_attr_visible(expect_attr=False) >- dc_mode = DC_MODE_RETURN_ALL >- self.assert_negative_searches(has_rights_to=0, dc_mode=dc_mode) >+ self.assert_negative_searches(has_rights_to=0) > > # now delete the users (except for the user whose LDB connection > # we're currently using) >@@ -1023,7 +969,7 @@ class ConfidentialAttrTestDirsync(ConfidentialAttrCommon): > > # check we still can't see the objects > self.assert_conf_attr_searches(has_rights_to=0) >- self.assert_negative_searches(has_rights_to=0, dc_mode=dc_mode) >+ self.assert_negative_searches(has_rights_to=0) > > def test_timing_attack(self): > # Create the machine account. >-- >2.25.1 > > >From 8cf2e991c347ae1f55b098d20e2095d3b1a8524b Mon Sep 17 00:00:00 2001 >From: Joseph Sutton <josephsutton@catalyst.net.nz> >Date: Tue, 14 Feb 2023 17:19:27 +1300 >Subject: [PATCH 39/39] s4-dsdb: Remove DSDB_ACL_CHECKS_DIRSYNC_FLAG > >It's no longer used anywhere. > >Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> >Reviewed-by: Andrew Bartlett <abartlet@samba.org> >--- > source4/dsdb/samdb/ldb_modules/dirsync.c | 11 ++--------- > source4/dsdb/samdb/samdb.h | 1 - > 2 files changed, 2 insertions(+), 10 deletions(-) > >diff --git a/source4/dsdb/samdb/ldb_modules/dirsync.c b/source4/dsdb/samdb/ldb_modules/dirsync.c >index fa57af49e8f..b3c463741c8 100644 >--- a/source4/dsdb/samdb/ldb_modules/dirsync.c >+++ b/source4/dsdb/samdb/ldb_modules/dirsync.c >@@ -1005,7 +1005,6 @@ static int dirsync_ldb_search(struct ldb_module *module, struct ldb_request *req > struct dirsync_context *dsc; > struct ldb_context *ldb; > struct ldb_parse_tree *new_tree = req->op.search.tree; >- uint32_t flags = 0; > enum ndr_err_code ndr_err; > DATA_BLOB blob; > const char **attrs; >@@ -1117,13 +1116,8 @@ static int dirsync_ldb_search(struct ldb_module *module, struct ldb_request *req > return ret; > } > talloc_free(acl_res); >- } else { >- flags |= DSDB_ACL_CHECKS_DIRSYNC_FLAG; >- >- if (ret != LDB_SUCCESS) { >- return ret; >- } >- >+ } else if (ret != LDB_SUCCESS) { >+ return ret; > } > > dsc->functional_level = dsdb_functional_level(ldb); >@@ -1394,7 +1388,6 @@ static int dirsync_ldb_search(struct ldb_module *module, struct ldb_request *req > req->controls, > dsc, dirsync_search_callback, > req); >- ldb_req_set_custom_flags(down_req, flags); > LDB_REQ_SET_LOCATION(down_req); > if (ret != LDB_SUCCESS) { > return ret; >diff --git a/source4/dsdb/samdb/samdb.h b/source4/dsdb/samdb/samdb.h >index 661edf0a8c7..26e28899d09 100644 >--- a/source4/dsdb/samdb/samdb.h >+++ b/source4/dsdb/samdb/samdb.h >@@ -373,7 +373,6 @@ struct dsdb_extended_dn_store_format { > > #define DSDB_OPAQUE_PARTITION_MODULE_MSG_OPAQUE_NAME "DSDB_OPAQUE_PARTITION_MODULE_MSG" > >-#define DSDB_ACL_CHECKS_DIRSYNC_FLAG 0x1 > #define DSDB_SAMDB_MINIMUM_ALLOWED_RID 1000 > > #define DSDB_METADATA_SCHEMA_SEQ_NUM "SCHEMA_SEQ_NUM" >-- >2.25.1 >
You cannot view the attachment while viewing its details because your browser does not support IFRAMEs.
View the attachment on a separate page
.
View Attachment As Raw
Flags:
abartlet
:
ci-passed+
Actions:
View
Attachments on
bug 15270
:
17760
|
17767
|
17768
|
17769
|
17770
|
17771
|
17773
|
17778
|
17789
|
17791
|
17792
|
17793
|
17799
|
17800
|
17804
|
17805
|
17806
|
17807
|
17808
|
17819
|
17820
|
17821
|
17822
|
17834
|
17845