1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-23 17:34:34 +03:00
Commit Graph

2184 Commits

Author SHA1 Message Date
Joseph Sutton
017c90e1ba lib:crypto: Add ‘FixedData’ parameter to samba_gnutls_sp800_108_derive_key()
Our code won’t use this, but NIST’s test vectors are based on handing a
fixed buffer to the key derivation function.

View with ‘git show -b’.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-30 00:02:33 +00:00
Joseph Sutton
04b6dc8d0b lib:crypto: Add samba_gnutls_sp800_108_derive_key()
Rename smb2_key_derivation() to samba_gnutls_sp800_108_derive_key() and
move it to GNUTLS_HELPERS.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-30 00:02:33 +00:00
Joseph Sutton
30be2446ed libcli/smb: Add ‘algorithm’ parameter to smb2_key_derivation()
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-30 00:02:33 +00:00
Joseph Sutton
b5b2157984 libcli/auth: Return more consistent status code on gnutls HMAC failure
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-30 00:02:33 +00:00
Joseph Sutton
5d53ac8af0 libcli/smb: Call correct function to get HMAC output length
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-30 00:02:33 +00:00
Joseph Sutton
2482a714cf libcli/auth: Call correct function to get HMAC output length
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-30 00:02:33 +00:00
Joseph Sutton
cee483fd4a libcli/auth: Use correct enumeration constant
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-30 00:02:33 +00:00
Joseph Sutton
4bb031f875 libcli/smb: Include missing headers
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-30 00:02:33 +00:00
Douglas Bagnall
a757a51a26 libcli/security: note suboptimality of conditional ACE Contains operators
The Contains and Any_of operators could use a sorted comparison like
compare_composites_via_sort(), rather than O(n²) nested loops. But
that would involve amount of quite fiddly work that I am not starting
on now.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Mon Nov 27 23:38:13 UTC 2023 on atb-devel-224
2023-11-27 23:38:13 +00:00
Douglas Bagnall
2eb00c0bba libcli/security: comparability check: claim members are of one type
We know from the way claims are defined, and from the code that checks
sortedness and sets the flag.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-27 22:37:32 +00:00
Douglas Bagnall
55999b7b7b libcli/security: shift comparability check to shortcut exits
The ordinary comparison path, using the sorted arrays, already implicitly
checks for comparability. We only need this when we're leaving early.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-27 22:37:32 +00:00
Douglas Bagnall
6c6f25904e libcli/security: add shortcuts for conditional ACE compare
If the number of members does not match in certain ways we can
say the sets are not equal without comparing the members.

We first need to check for comparability, though, so that we can return
an error if things aren't comparable.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-27 22:37:32 +00:00
Douglas Bagnall
8bad19c42e libcli/security: improve conditional ACE composite comparison
We had the comparison method wrong. Composites are compared as sets or
flabby sets, depending on their origin. Until now we compared them as
something a bit like sets, but not quite, in a maximally inefficient way.

Claims are always sets, and the left hand side is always a claim, but
literal composites on the right hand side can be multi-sets
(containing duplicate values). When it comes to comparison, composites
are reduced down to sets. To do the comparison we sort each side and
compare in order.

The fact that either side might ask for case-sensitive comparison (if
it is a claim) is an interesting complication.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-27 22:37:32 +00:00
Douglas Bagnall
6a07d2fe44 libcli/security: separate out claim_v1_to_ace_composite_unchecked()
For SDDL Resource ACE conversions we don't want to check too much
claim validity so that a semi-invalid ACE can round-trip through
deserialisation and serialisation. This is because Windows allows it,
but also because if the check puts the values in a sorted order that
makes the round-trip less round (that is, the return string is
semantically the same but possibly different in byte order).

The validity we're talking about is mostly uniqueness. For example
`S:(RA;;;;;WD;("foo",TU,0,7,5,7))` has two 7s, and that would be
invalid as a claim, but this is not checked while in ACE form.

On the other hand `S:(RA;;;;;WD;("foo",TU,0,3,2))` is valid, but the
return string will have 3 and 2 reversed when the check is made. We
prefer the ACE to stay the same while it is just being an ACE.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-27 22:37:32 +00:00
Douglas Bagnall
e338625ebf libcli/security: avoid leak on SDDL encode failure
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-27 22:37:32 +00:00
Douglas Bagnall
4f56c70283 libcli/security: claim_v1_to_ace_token(): avoid unnecessary re-sort
If it is a wire claim (which is probably most common), the checking
and sorting has already happened. We don't need to make a copy to
sort and check.

In either case, there is still a copy step to make the conditional ACE
token.

This shuffles around some knownfails because the claim_v1_copy()
function we were using is checking for duplicates, which we don't
always want. That will be fixed soon.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-27 22:37:32 +00:00
Douglas Bagnall
e223ce4a93 libcli/security: add_claim_to_token() re-sorts/checks claims
This function is used in tests and fuzzing.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-27 22:37:32 +00:00
Douglas Bagnall
843fd4d15f libcli/security: resource attribute claims use claim_v1_check_and_sort()
Because RA ACEs live a double life, sometimes being ACEs and sometimes
being claims, we make a copy of the claim strucutre for sorting and
further use in conditional ACEs.

We don't need to do that for wire claims, because they are not
persistent or forwarded on to somewhere else.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-27 22:37:32 +00:00
Douglas Bagnall
8074257c3a libcli/security: wire claim conversion uses claim_v1_check_and_sort()
This roughly returns things to where they were a few commits ago, with
the claims being checked for uniqueness.

The difference is the claims will be sorted afterwards, and the
uniqueness check will be far more efficient on large claims.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-27 22:37:32 +00:00
Douglas Bagnall
4b032d2558 libcli/security: claim_v1_check_and_sort(): add all types
To manage this sort we need a qsort_r-like sort context which holds:

a) the value type,
b) a case sensitive flag for the string compare, and
c) a return flag indicating a failure. Failures are not picked up until
   after the sort finishes.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-27 22:37:32 +00:00
Douglas Bagnall
a19f914fb9 libcli/security: begin claim_v1_check_and_sort with Boolean checks
claim_v1_check_and_sort() is meant to sort the claim values and check
that there are no duplicates, as well as making some value checks.

In order to ease into the idea, we look first at the case where the claim
has Boolean values. There are only two values allowed, which limits the
length of a valid claim set and means we only really need to "sort" in
the {1, 0} case, which we rewrite in place as {0, 1}.

That's what will happen with other types: we'll sort in-place, make
some checks on values, set flags, and return an error if there are
duplicates or value errors.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-27 22:37:32 +00:00
Douglas Bagnall
4ebb488e51 libcli/security: don't allow two NULL string claims
This restores the behaviour with regard to duplicate NULL strings that
existed before the last commit. I'm putting it separately, because it
seems so strange, and I not entirely certain the behaviour is
intentional.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-27 22:37:32 +00:00
Douglas Bagnall
1c88dfc6ac libcli/security: wire claims conversion: remove strings uniqueness check
This changes the behaviour when one of the strings is NULL. Previously
a single NULL string would be ignored, and two would cause an error.
That will be restored in the next commit.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-27 22:37:32 +00:00
Douglas Bagnall
08096fd5b4 libcli/security: int wire claims drop uniqueness check
And we allocate all the values together as an array, because
we might as well.

This and the next couple of commits might look like steps backwards,
and they are, but they allow us to get a run-up to leap over a big
fence.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-27 22:37:32 +00:00
Douglas Bagnall
10fd3e5836 libcli/security: simplify wire claim conversion mem, 3/3: rm tmp_ctx
The interstitial tmp_ctx now does nothing but be interstitial, so
let's get rid of it.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-27 22:37:32 +00:00
Douglas Bagnall
d7da41a9be libcli/security: simplify wire claim conversion mem, 2/3: one tree
These values would have leaked in the event of failure (but only onto
the caller mem_ctx, which might be fleeting -- especially as its
security token is now failing).

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-27 22:37:32 +00:00
Douglas Bagnall
7656d13334 libcli/security: simplify wire claim conversion mem, 1/3: avoid NULL parent
The reason for this, apart from weighing up possible over-allocations
vs realloc costs, is in the first iteration of the loop,

       claim_values = talloc_array(claims,

would allocate onto NULL, which leaks.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-27 22:37:32 +00:00
Douglas Bagnall
cea44421eb libcli/security/sddl: improve some SDDL error messages
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-27 22:37:32 +00:00
Douglas Bagnall
fc48014429 libcli/security: sddl_conditional_ace: check a talloc_new()
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-27 22:37:32 +00:00
Douglas Bagnall
78506e1752 libcli/security: conditional ACE sddl writers take const tokens
We don't change these when writing the SDDL.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-27 22:37:32 +00:00
Douglas Bagnall
33d2deec51 lib/security:CA: tokens_are_comparable() accepts NULL operator
In some circumstances we are going to know general comparability
without having an operator around to use.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-27 22:37:32 +00:00
Douglas Bagnall
6e15a20228 libcli/security: CA: tokens_are_comparable() considers the obvious
Existing callers already make this check, but we are soon going to use
it in contexts that don't.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-27 22:37:32 +00:00
Douglas Bagnall
fc890742ab libcli/security: add test_claims_conversion
These are unit tests for converting wire claims into sorted claims v1
structures.

These are based from packets derived from the krb5.conditional_ace
tests, and currently don't test more than they do, but they work about
a hundred thousand times quicker.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-27 22:37:32 +00:00
Douglas Bagnall
da077b8486 libcli/security: test_run_conditional_ace tests more comparisons
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-27 22:37:32 +00:00
Douglas Bagnall
2f40583ab2 libcli/security: test_run_conditional_ace can set debug levels
No -d, just `bin/test_run_conditional_ace 3`.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-27 22:37:32 +00:00
Douglas Bagnall
ca57269162 libcli/security: remove redundant claim SID size check
blob_string_sid_to_sid() immediately checks the size is within 5-191, so the 1-10000
just gives you a different message in chircumstances you'll never see.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-27 22:37:31 +00:00
Douglas Bagnall
fa96bbbe81 libcli/security: avoid leak when converting SID claims
Apart from the leak fix, this is faster and stricter, not accepting
SID string buffers with trailing garbage ("S-1-2-3qwerty" would have
been accepted, but not now).

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-27 22:37:31 +00:00
Douglas Bagnall
14b17c3de6 libcli/security/tests: gunzip the oversized-acls test vectors
These are just as readable with `less` as they were with `zless`.

This file has been slightly manually edited to add line-breaks. There
is not an easy setting in Python's json module to get good formatting.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Mon Nov 27 02:10:12 UTC 2023 on atb-devel-224
2023-11-27 02:10:12 +00:00
Douglas Bagnall
19129660df libcli/security/tests: remove duplicate TX-integer tests from oversized-ACLs
We had two sets of test vectors (Windows ground-truth for SDDL
compilation) that got mixed up.

The "oversized ACLs" set is ACLs that contain repeated ACEs, like
"D:P(D;;;;;MP)(D;;;;;MP)" -- Windows will assign a size to the ACL
that is greater than the sum of the ACEs, while Samba will not (in
part because we don't actually store a size for the ACL, instead
calculating it on the fly from the size of the ACEs).

The "TX integers" set is for resource attribute ACEs with octet-string
data that contains pure integers (lacking '#' characters) in their
SDDL, like «(RA;;;;;WD;("bar",TX,0x0,0077,00,0077,00))». We used to
think that was weird, and that RA-TX ACEs should contain octet-strings
in the conditional ACE style. But now we have realised it's not weird,
it's normal, and we have fixed our handling of these ACEs.

As a result of this mix-up, some of the tests labelled as "oversized
ACLs" started passing when we fixed the TX integer problem, and that
was confusing. All of the removed tests are already on the TX integer
set -- the removed ones were duplicates.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-27 01:12:40 +00:00
Douglas Bagnall
cf295c94aa libcli/security:sddl: remove vestiges of shared conditional/resource ACE SID parsing
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-27 01:12:40 +00:00
Douglas Bagnall
20ffec711d libcli/security: improve error messages in RA ACE SDDL
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-27 01:12:40 +00:00
Douglas Bagnall
dc60891de9 libcli/security: conditional ACE sid parser no longer expects RA ACEs
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-27 01:12:40 +00:00
Douglas Bagnall
0a2e335e37 libcli/security: parse resource attribute ace SIDs separately
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-27 01:12:40 +00:00
Douglas Bagnall
79292c8d1e libcli/security/sddl: write RA octet strings the Windows way
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-27 01:12:40 +00:00
Douglas Bagnall
38e7b4dcbd libcli/security: add a parser for resource attribute ACE byte strings
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-27 01:12:40 +00:00
Douglas Bagnall
9ef71399ce libcli/security: sddl_conditional_ace: remove check_resource_attr_type()
This is unneeded, as now all the checks are done in the relevant
parse_* functions.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-27 01:12:40 +00:00
Douglas Bagnall
059610a62e libcli/security: sddl_conditional_ace: add parse_bool for RA aces
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-27 01:12:40 +00:00
Douglas Bagnall
800f770e11 libcli/security: sddl_conditional_ace: add parse_uint for RA aces
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-27 01:12:40 +00:00
Douglas Bagnall
33caae4381 libcli/security: un-invert parse_resource_attr_list, check type first
We were reusing parse_literal() because it almost does what we need,
but it is different enough that check_resource_attr_type() is large
and complicated, and can't handle all the cases (in particular octet-
strings and SIDs are different in resource ACEs).

This way is better because we know the type in advance, so we can use
that to choose the parser, which will help with octet-strings that are
only digits.

In this commit we're leaving the check there, but it soon won't do
anything that the parse_* functions don't, and we will remove it.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-27 01:12:40 +00:00
Douglas Bagnall
cda9371b59 libcli/security/test_sddl_conditional_ace: adjust RA octet parse tests
We are going to parse octet strings like Windows (as opposed to like
Windows docs), so the tests need changing.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-27 01:12:40 +00:00