samba.git/source4/libcli/ldap/ldap_controls.c, branch talloc-2.4.4 Unnamed repository; edit this file 'description' to name the repository. dsdb: Prepare to handle smartcard password rollover 2024-06-10T04:27:30+00:00 Andrew Bartlett abartlet@samba.org 2024-05-20T01:51:23+00:00 09ae48b415b2b50dbf4600e9c7f9cb4ec65a6263 We do this by allowing the password change control to indicate that the password is to be randomised, bypassing the quality checks (as true random passwords often fail these) and re-randomising with the same code as is used for the KDC. Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Jo Sutton <josutton@catalyst.net.nz> 
We do this by allowing the password change control to indicate
that the password is to be randomised, bypassing the quality
checks (as true random passwords often fail these) and
re-randomising with the same code as is used for the KDC.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
s4:libcli: Add more controls to our list of known controls 2024-05-16T02:11:36+00:00 Jo Sutton josutton@catalyst.net.nz 2024-04-29T05:03:39+00:00 170dd47eae5ece962262814d05bfcedb3426b433 Signed-off-by: Jo Sutton <josutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> 
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
s4:libcli: Fix code spelling 2024-05-16T02:11:36+00:00 Jo Sutton josutton@catalyst.net.nz 2024-04-29T05:48:01+00:00 526652d162f929426bdefac57ca346dd1c9c5d95 Signed-off-by: Jo Sutton <josutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> 
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
util/charset: Rename utf16_len_n() to utf16_null_terminated_len_n() 2023-11-15T22:07:36+00:00 Joseph Sutton josephsutton@catalyst.net.nz 2023-11-08T23:33:43+00:00 542e5a3039a0121646f2e4f108854e1ca4136a56 The new name indicates that — contrary to functions such as strnlen() — the length may include the terminator. Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> 
The new name indicates that — contrary to functions such as strnlen() —
the length may include the terminator.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
s4:libcli: Remove trailing whitespace 2023-11-15T22:07:36+00:00 Joseph Sutton josephsutton@catalyst.net.nz 2023-11-08T23:32:20+00:00 a63cf19ee43a2f3db071db846f9294176154368d Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> 
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
s4:libcli: Check return value of convert_string_talloc() (CID 1272839) 2023-10-13T02:18:31+00:00 Joseph Sutton josephsutton@catalyst.net.nz 2023-10-06T01:10:09+00:00 61534dd22d91dd9d47453c82371016bf45ecb4e1 Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> 
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
s4:libcli: Remove unnecessary casts 2023-10-13T02:18:31+00:00 Joseph Sutton josephsutton@catalyst.net.nz 2023-08-09T04:55:15+00:00 077a7e4134142ce9e4d3c3a2e6d9e5d81b4f758d Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> 
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
CVE-2020-25720: s4-acl: Change behavior of Create Children check 2022-09-16T02:32:36+00:00 Nadezhda Ivanova nivanova@symas.com 2021-10-25T10:10:56+00:00 08187833fee57a8dba6c67546dfca516cd1f9d7a Up to now, the rights to modify an attribute were not checked during an LDAP add operation. This means that even if a user has no right to modify an attribute, they can still specify any value during object creation, and the validated writes were not checked. This patch changes this behavior. During an add operation, a security descriptor is created that does not include the one provided by the user, and is used to verify that the user has the right to modify the supplied attributes. Exception is made for an object's mandatory attributes, and if the user has Write DACL right, further checks are skipped. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14810 Pair-Programmed-With: Joseph Sutton <josephsutton@catalyst.net.nz> Signed-off-by: Nadezhda Ivanova <nivanova@symas.com> Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> 
Up to now, the rights to modify an attribute were not checked during an LDAP
add operation. This means that even if a user has no right to modify
an attribute, they can still specify any value during object creation,
and the validated writes were not checked.
This patch changes this behavior. During an add operation,
a security descriptor is created that does not include the one provided by the
user, and is used to verify that the user has the right to modify the supplied attributes.
Exception is made for an object's mandatory attributes, and if the user has Write DACL right,
further checks are skipped.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14810

Pair-Programmed-With: Joseph Sutton <josephsutton@catalyst.net.nz>

Signed-off-by: Nadezhda Ivanova <nivanova@symas.com>
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
dsdb: Return dsdb_password_change control name to DSDB_CONTROL_PASSWORD_CHANGE_OLD_PW_CHECKED_OID 2022-03-17T01:57:38+00:00 Andrew Bartlett abartlet@samba.org 2022-02-09T03:53:08+00:00 0a907c2f45c34efcac784738c9d75303b9d04d2f This makes it clearer that the purpose of this control is to indicate that the password was already checked (by an out-of-band mechanism, eg kpasswd) and so can safely be changed subject to ACLs etc. This essentially reverts bbb9dc806e4399c65dee9b5dc2cde0bfaa9609bd Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org> 
This makes it clearer that the purpose of this control is to indicate that the password
was already checked (by an out-of-band mechanism, eg kpasswd) and so can safely be changed
subject to ACLs etc.

This essentially reverts bbb9dc806e4399c65dee9b5dc2cde0bfaa9609bd

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
CVE-2020-10704: lib util asn1: Add ASN.1 max tree depth 2020-05-04T02:59:31+00:00 Gary Lockyer gary@catalyst.net.nz 2020-04-02T23:18:03+00:00 f467727db5ff6a6e58d9b590e4d443a1d974b679 Add maximum parse tree depth to the call to asn1_init, which will be used to limit the depth of the ASN.1 parse tree. Credit to OSS-Fuzz REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=20454 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14334 Signed-off-by: Gary Lockyer <gary@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> 
Add maximum parse tree depth to the call to asn1_init, which will be
used to limit the depth of the ASN.1 parse tree.

Credit to OSS-Fuzz

REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=20454
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14334

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>