libcli/security: check again for NULL values Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Autobuild-User(master): Andrew Bartlett <abartlet@samba.org> Autobuild-Date(master): Mon Mar 18 02:51:08 UTC 2024 on atb-devel-224
libcli/security: claims_conversions: check for NULL in claims array If by mistake we end up with a NULL in our array of claims pointers, it is better to return an error than crash. There can be NULLs in the array if a resource attribute ACE has a claim that uses 0 as a relative data pointer. Samba assumes this means a NULL pointer, rather than a zero offset. Credit to OSS-Fuzz. REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=66777 BUG: https://bugzilla.samba.org/show_bug.cgi?id=15606 Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
libcli/security: Add SID_FRESH_PUBLIC_KEY_IDENTITY This allows an ACL level check (rather than only an all-or-nothing KDC configuration) that PKINIT freshness was used during the AS-REQ. Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
python: Generate HRESULT definitions automatically Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Autobuild-User(master): Joseph Sutton <jsutton@samba.org> Autobuild-Date(master): Mon Jan 15 01:56:53 UTC 2024 on atb-devel-224
s4:scripting: Generate HRESULT definitions as part of the build process Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
libcli/security: remove PRIMARY_{USER,GROUP}_SID_INDEX defines from security.h These and more are also defined in security_token.h, which is later included from security.h anyway. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Günther Deschner <gd@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
libcli/security: sddl conditional ACE: write -0 when asked Credit to OSS-Fuzz. REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=65122 Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
libcli/security: allow round-trip for conditional ACE hex integers As with the previous commit, though not addressing the particular fuzz case, zero hex numbers need to be explicitly written as "0x0", or the round-trip will fail. Credit to OSS-Fuzz. REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=62929 Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
libcli/security: allow round-trip for conditional ACE octal integers The string "00" will decode into an integer tagged as octal, but `snprintf("%#oll")` will write the string "0", which would decode as decimal, so the in the SDDL1->SD1->SDDL2->SD2 round trip, SD1 would not be the same as SD2. The effect is really only relevant to SDDL, which wants to remember what base the numbers were presented in, though the fuzzers and tests don't directly compare SDDL, which can have extra spaces and so forth. Credit to OSS-Fuzz. REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=62929 Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
libcli/security: tests for conditional ACE integer base persistence Credit to OSS-Fuzz. REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=62929 Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>