1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-22 13:34:15 +03:00
Commit Graph

2419 Commits

Author SHA1 Message Date
Stefan Metzmacher
3dc3f9cf1b librpc/rpc: add dcerpc_binding_handle_transport_{encrypted,session_key}()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2024-09-26 15:22:45 +00:00
Stefan Metzmacher
492f6a0eef librpc/rpc: map DCERPC_NCA_S_UNSUPPORTED_TYPE to NT_STATUS_RPC_UNSUPPORTED_TYPE
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2024-09-26 15:22:45 +00:00
Stefan Metzmacher
722e93e4d9 librpc/rpc: map DCERPC_NCA_S_SERVER_TOO_BUSY to NT_STATUS_RPC_SERVER_TOO_BUSY
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2024-09-26 15:22:45 +00:00
Volker Lendecke
9d4a7a448e libndr: Use TALLOC_FREE instead of talloc_free
All the existing calls are right before returns, so they don't really
matter. But you never know when the code will change, and any compiler
will wipe the NULL assignment.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Noel Power <noel.power@suse.com>
2024-09-20 17:13:37 +00:00
Volker Lendecke
ae3bb10905 libndr: Apply endianness flags to subndr
We're creating a fresh subcontext for a "[MS-RPCE] 2.2.6 Type
Serialization Version 1". Probably nobody has tested a big endian
subcontext yet.

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Tue Sep 10 23:04:19 UTC 2024 on atb-devel-224
2024-09-10 23:04:19 +00:00
Volker Lendecke
10df1b9600 libndr: Align an integer type
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2024-09-10 21:54:36 +00:00
Volker Lendecke
eb882c1306 libndr: Use UINT32_MAX -- no need to count F's
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2024-09-10 21:54:36 +00:00
Volker Lendecke
b8064a77ee libndr: Remove duplicate prototype
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2024-09-10 21:54:36 +00:00
Volker Lendecke
4539a6048e libndr: We don't need "../" in includes, -I has what is needed
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2024-09-10 21:54:36 +00:00
Noel Power
3df816fcb8 librpc/ndr: Fix fuzz CI on latest tumbleweed
running samba-fuzz CI job on latest tumbleweed docker image results in;

../../librpc/ndr/ndr_orpc.c: In function ‘ndr_print_DUALSTRINGARRAY’:
../../librpc/ndr/ndr_orpc.c:97:49: error: ‘snprintf’ output may be truncated before the last format character [-Werror=format-truncation=]
   97 |                 snprintf(idx, sizeof(idx), "[%d]", i);
      |                                                 ^
../../librpc/ndr/ndr_orpc.c:97:17: note: ‘snprintf’ output between 4 and 14 bytes into a destination of size 13
   97 |                 snprintf(idx, sizeof(idx), "[%d]", i);
      |                 ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
../../librpc/ndr/ndr_orpc.c:105:49: error: ‘snprintf’ output may be truncated before the last format character [-Werror=format-truncation=]
  105 |                 snprintf(idx, sizeof(idx), "[%d]", i);
      |                                                 ^
../../librpc/ndr/ndr_orpc.c:105:17: note: ‘snprintf’ output between 4 and 14 bytes into a destination of size 13
  105 |                 snprintf(idx, sizeof(idx), "[%d]", i);
      |                 ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
../../librpc/ndr/ndr_orpc.c: In function ‘ndr_print_STRINGARRAY’:
../../librpc/ndr/ndr_orpc.c:159:49: error: ‘snprintf’ output may be truncated before the last format character [-Werror=format-truncation=]
  159 |                 snprintf(idx, sizeof(idx), "[%d]", i);
      |                                                 ^
../../librpc/ndr/ndr_orpc.c:159:17: note: ‘snprintf’ output between 4 and 14 bytes into a destination of size 13
  159 |                 snprintf(idx, sizeof(idx), "[%d]", i);
      |                 ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
cc1: some warnings being treated as errors

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>

Autobuild-User(master): Douglas Bagnall <dbagnall@samba.org>
Autobuild-Date(master): Tue Sep 10 01:22:28 UTC 2024 on atb-devel-224
2024-09-10 01:22:28 +00:00
Volker Lendecke
5ad8536ec7 libsecurity: Simplify struct ace_condition_script
We only need the stack temporarily, no reason to put it in the struct

Signed-off-by: Volker Lendecke <vl@samba.org>
Douglas Bagnall <douglas.bagnall@catalyst.net.nz>

Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Fri Sep  6 14:23:58 UTC 2024 on atb-devel-224
2024-09-06 14:23:58 +00:00
Stefan Metzmacher
d73c0e0d48 librpc/ndr: remove unused NDR_PUSH_ALLOC_SIZE()
Pair-Programmed-With: Volker Lendecke <vl@samba.org>

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
2024-08-29 18:25:28 +00:00
Stefan Metzmacher
664eb19343 librpc/ndr: avoid alignment allocation in ndr_push_DATA_BLOB()
Pair-Programmed-With: Volker Lendecke <vl@samba.org>

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
2024-08-29 18:25:28 +00:00
Volker Lendecke
df103890f9 libndr: Streamline ndr_token_retrieve_cmp_fn
Rename the public function to ndr_token_peek_cmp_fn, the only user
does not remove the token. Factor out ndr_token_find to move the
token-removing logic to ndr_token_retrieve, the only caller that does
remove the token.

Keep libndr at 6.0.0, this has not been released yet.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jennifer Sutton <josutton@catalyst.net.nz>

Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Thu Aug 29 08:40:52 UTC 2024 on atb-devel-224
2024-08-29 08:40:52 +00:00
Volker Lendecke
f43ae1ab1a libndr: Simplify ndr_token_retrieve_cmp_fn()
Avoid an if-statement inside by passing a pointer-comparing function

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jennifer Sutton <josutton@catalyst.net.nz>
2024-08-29 07:22:34 +00:00
Douglas Bagnall
e2174dde74 ndr:dnsp: avoid theoretical int overflow (CID 1609418)
Coverity points out that if the string is longer than INT_MAX, the int
will overflow and the cast to uint8_t will discard bits.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Jennifer Sutton <josutton@catalyst.net.nz>
2024-08-28 04:24:39 +00:00
Jo Sutton
09655e13ea librpc: Speed up GUID_buf_string()
This is faster than calling snprintf().

Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2024-08-28 04:24:39 +00:00
Volker Lendecke
fab7416a3d idl: dnsp.h references NTTIME
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jennifer Sutton <jsutton@samba.org>

Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Tue Aug 27 08:36:11 UTC 2024 on atb-devel-224
2024-08-27 08:36:11 +00:00
Volker Lendecke
50c7373f44 idl: misc.idl references DATA_BLOB
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jennifer Sutton <jsutton@samba.org>
2024-08-27 07:19:32 +00:00
Volker Lendecke
9b0fe3e66a idl: Remove unused KRB5_EDATA_NTSTATUS
I think the last user went away with e2028837b9 in 2017

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jennifer Sutton <jsutton@samba.org>
2024-08-27 07:19:32 +00:00
Volker Lendecke
99e4dc2ee1 idl: security.idl compiles with only secace.h
It does not need all of security.h

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jennifer Sutton <jsutton@samba.org>
2024-08-27 07:19:32 +00:00
Volker Lendecke
8291eb5f9b libndr: Use _talloc_array() to benefit from overflow protection
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jennifer Sutton <jsutton@samba.org>
2024-08-27 07:19:32 +00:00
Volker Lendecke
4a20037076 libndr: Remove 368 bytes from R/W data into R/O text segment
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jennifer Sutton <jsutton@samba.org>
2024-08-27 07:19:32 +00:00
Volker Lendecke
a32f52e573 librpc: Make NDR_PRINT_DEBUG call just one DEBUG
Give debug.c the chance to use just one write call (right now it
doesn't yet)

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2024-06-28 13:26:24 +00:00
Douglas Bagnall
64003d8677 spelling: fix spelling of privilege.ldb in comments
'privileges' is a word, but the ldb referred to is privilege.ldb

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-05-22 04:23:29 +00:00
Stefan Metzmacher
0cc0970d35 dcesrv_reply: we don't need to call dcerpc_set_frag_length() in dcesrv_fault_with_flags()
dcerpc_ncacn_push_auth() already calls dcerpc_set_frag_length().

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-04-23 16:23:38 +00:00
Volker Lendecke
0baae61e42 lib: Give lib/util/util_file.c its own header file
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Martin Schwenke <mschwenke@ddn.com>
2024-04-16 23:51:45 +00:00
Vinit Agnihotri
644b50b05b messaging: Add new SMBD message
Signed-off-by: Vinit Agnihotri <vagnihotri@ddn.com>
Reviewed-by: Martin Schwenke <mschwenke@ddn.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-04-16 23:51:45 +00:00
Andreas Schneider
84d5150363 librpc:rpc: Add dcerpc_lsa.h
This adds AES constants by MS.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-04-09 22:52:38 +00:00
Douglas Bagnall
6fb98f70c6 ndr: always attempt ACE coda pull if ACE type suggests a coda
We were skipping the pull in cases where the coda size was calculated
to be zero. This has the right result for empty conditional ACEs, but
not for Resource Attribute ACEs where the
CLAIM_SECURITY_ATTRIBUTE_RELATIVE_V1 coda was not intialised.

The situation is made a bit worse, because the function that
calculates the coda size (ndr_subcontext_size_of_ace_coda()) can
return zero in conditions that are not exactly errors, but in which
the would-be calculated value makes so little sense that zero is
thought to be a safer default.

Credit to OSS-Fuzz.

REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=66577
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15613

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Mon Mar 25 06:00:21 UTC 2024 on atb-devel-224
2024-03-25 06:00:21 +00:00
Volker Lendecke
02d9631cf3 tools: Fix whitespace
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-03-12 13:31:31 +00:00
Volker Lendecke
7c68d88cef lib: Make GUID_to_ndr_buf() return void
The whole point of struct GUID_ndr_buf is that this never fails.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-03-12 13:31:31 +00:00
Andrew Bartlett
724f403d88 libcli/security: Add SID_FRESH_PUBLIC_KEY_IDENTITY
This allows an ACL level check (rather than only an all-or-nothing KDC configuration)
that PKINIT freshness was used during the AS-REQ.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
2024-02-28 03:44:37 +00:00
Andrew Bartlett
e6ef2fc224 librpc/idl: Check protocol version number in Kerberos ccache parser
The ccache file format version is checked by the switch in OPTIONAL_HEADER.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
2024-02-27 01:11:37 +00:00
Andrew Bartlett
ecaaff57e4 librpc/idl: Add a parser for a FILE: format keytab
This will let us examine keytab entries exported for gMSA accounts and
ensure they are the values we expect.  This will in particular help
test our KDC via the "samba-tool domain exportkeytab" as this is a thin
wrapper around the relevant code.

Additionally, we can use this to test the new client-side keytab generation
in "samba-tool domain exportkeytab" for gMSA accounts.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
2024-02-27 01:11:37 +00:00
Andreas Schneider
e758425869 librpc:idl: Make netlogon_samlogon_response public
This is required that we can use it with ndrdump or in python to decode
a NETLOGON_SAM_LOGON_RESPONSE_EX ldap response.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15588

Signed-off-by: Andreas Schneider <asn@samba.org>
Pair-Programmed-With: Guenther Deschner <gd@samba.org>

Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-02-26 06:57:31 +00:00
Noel Power
01e901ef86 idl: Add constant for max rows buffer size
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15579
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Volker Lendecke <vl@samba.org>
2024-02-17 16:51:37 +00:00
Jo Sutton
14da75c4e1 librpc:idl: Fix code spelling
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-02-08 02:48:44 +00:00
Jo Sutton
19870248c0 librpc:idl: Remove trailing whitespace
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-02-08 02:48:44 +00:00
Douglas Bagnall
0c1f421c10 ndr: ignore trailing bytes in ndr_pull_security_ace()
This returns the behaviour with ordinary ACEs to where it was with 4.19.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15574
2024-02-08 02:48:44 +00:00
Douglas Bagnall
a72c198921 ndr: ndr_push_security_ace: calculate coda size once
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15574
2024-02-08 02:48:44 +00:00
Douglas Bagnall
ecb5da3e49 ndr: avoid object ACE push overhead for non-object ACE
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15574
2024-02-08 02:48:44 +00:00
Douglas Bagnall
fce4d51eb4 ndr: avoid object ACE pull overhead for non-object ACE
When an ACE is not an object ACE, which is common, setting the switch
value and attempting the object ACE GUID pull is just going to do
nothing, and we know that ahead of time. By noticing that we can save
a bit of time on a common operation.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15574
2024-02-08 02:48:44 +00:00
Douglas Bagnall
2a60ec9840 ndr: do not push ACE->coda.ignored blob
From 1e80221b23 (2008) until
c73034cf7c (conditional ACEs, etc, 2023)
we had a manual ndr_pull_security_ace() that would discard trailing
bytes, which are those bytes that we now call the coda. The ACE types
that we handled then are those that end up with a coda.ignored data
blob.

With this we effectively restore the long-standing behaviour in the
event that we push and pull an ACE -- though now we discard the
ignored bytes on push rather than pull.

This change is not because the trailing bytes caused any problems (as
far as is known), but because it is much faster to not do the push.

It may be that such ACEs no longer occur.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15574
2024-02-08 02:48:44 +00:00
Douglas Bagnall
4face258de ndr: mark invalid pull ndr_flags as unlikely
This might have little effect, but sometimes we see primatives like
ndr_pull_uint32() taking a few percent of the CPU time, and this is in
all those functions.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15574
2024-02-08 02:48:44 +00:00
Douglas Bagnall
c2673b02a7 ndr: skip talloc when pulling empty DATA_BLOB
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15574
2024-02-08 02:48:44 +00:00
Douglas Bagnall
ee1b8ae04b ndr: ACE push avoids no-op coda pushes
We don't expect an ordinary ACE to have a non-empty coda, and we don't
really want to push it if it does, but for this patch we still will.

This will not change the data on the wire.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15574
2024-02-08 02:48:44 +00:00
Douglas Bagnall
dc08e7924c ndr: make security_ace push manual
This will allow some optimisations; in this commit we just copy the
code.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15574
2024-02-08 02:48:44 +00:00
Douglas Bagnall
ac0c8ee01e ndr: short-circuit ace coda if no bytes left
The overwhelmingly common case is that there are no bytes left, and
regardless of the ACE type we want to store an empty blob.

We know the blob will be empty if there are no bytes, so we don't need
to allocate a sub-ndr and tokens list and so forth.

This can save almost half the time of a security descriptor pull.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15574
2024-02-08 02:48:44 +00:00
Douglas Bagnall
1e6a876c2c ndr: shift ndr_pull_security_ace to manual code
This was manual until commit c73034cf7c
(a few months ago).

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15574
2024-02-08 02:48:44 +00:00