From: Douglas Bagnall Date: Wed, 22 Nov 2023 01:57:09 +0000 (+1300) Subject: libcli/security: wire claims conversion: remove strings uniqueness check X-Git-Tag: talloc-2.4.2~506 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=1c88dfc6ac5021beb1ab92a394d38adf44eede62;p=thirdparty%2Fsamba.git libcli/security: wire claims conversion: remove strings uniqueness check This changes the behaviour when one of the strings is NULL. Previously a single NULL string would be ignored, and two would cause an error. That will be restored in the next commit. Signed-off-by: Douglas Bagnall Reviewed-by: Andrew Bartlett --- diff --git a/libcli/security/claims-conversions.c b/libcli/security/claims-conversions.c index 6d984da944d..9ae2aee7208 100644 --- a/libcli/security/claims-conversions.c +++ b/libcli/security/claims-conversions.c @@ -836,7 +836,7 @@ NTSTATUS token_claims_to_claims_v1(TALLOC_CTX *mem_ctx, case CLAIM_TYPE_STRING: { const struct CLAIM_STRING *values = &claim_entry->values.claim_string; - uint32_t k; + uint32_t k, m; n_values = values->value_count; value_type = CLAIM_SECURITY_ATTRIBUTE_TYPE_STRING; @@ -849,29 +849,9 @@ NTSTATUS token_claims_to_claims_v1(TALLOC_CTX *mem_ctx, return NT_STATUS_NO_MEMORY; } + m = 0; for (k = 0; k < n_values; ++k) { const char *string_value = NULL; - uint32_t m; - - /* - * Ensure that there are no duplicate - * values (very inefficiently, in - * O(n²)). - */ - for (m = 0; m < k; ++m) { - if (values->values[m] == NULL && values->values[k] == NULL) { - talloc_free(claims); - return NT_STATUS_INVALID_PARAMETER; - } - - if (values->values[m] != NULL && - values->values[k] != NULL && - strcasecmp_m(values->values[m], values->values[k]) == 0) - { - talloc_free(claims); - return NT_STATUS_INVALID_PARAMETER; - } - } if (values->values[k] != NULL) { string_value = talloc_strdup(claim_values, values->values[k]); @@ -879,11 +859,11 @@ NTSTATUS token_claims_to_claims_v1(TALLOC_CTX *mem_ctx, talloc_free(claims); return NT_STATUS_NO_MEMORY; } + claim_values[m].string_value = string_value; + m++; } - - claim_values[k].string_value = string_value; } - + n_values = m; break; } default: diff --git a/selftest/knownfail.d/krb5-conditional-aces b/selftest/knownfail.d/krb5-conditional-aces index f2a7db49323..29447379aa8 100644 --- a/selftest/knownfail.d/krb5-conditional-aces +++ b/selftest/knownfail.d/krb5-conditional-aces @@ -1,6 +1,8 @@ -^samba.tests.krb5.conditional_ace_tests.+ConditionalAceTests.test_pac_claim_cmp__1_a_1_42_42_42___a_equals_a_\(ad_dc\) -^samba.tests.krb5.conditional_ace_tests.+ConditionalAceTests.test_pac_claim_cmp__1_a_2_42_42___a_equals_a_\(ad_dc\) -^samba.tests.krb5.conditional_ace_tests.+ConditionalAceTests.test_pac_claim_cmp__1_a_6_0_0___a_equals_a_\(ad_dc\) -^samba.tests.krb5.conditional_ace_tests.+ConditionalAceTests.test_pac_claim_cmp__1_false_booleans_6_0_0___false_booleans_\(ad_dc\) -^samba.tests.krb5.conditional_ace_tests.+ConditionalAceTests.test_pac_claim_cmp__1_zero_ints_1_0_0___zero_ints_\(ad_dc\) -^samba.tests.krb5.conditional_ace_tests.+ConditionalAceTests.test_pac_claim_cmp__1_zero_uints_2_0_0___zero_uints_\(ad_dc\) +^samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_a_1_42_42_42___a_equals_a_\(ad_dc\) +^samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_a_2_42_42___a_equals_a_\(ad_dc\) +^samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_a_3_FOO_foo___a_equals_a_\(ad_dc\) +^samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_a_3_foo_foo___a_equals_a_\(ad_dc\) +^samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_a_6_0_0___a_equals_a_\(ad_dc\) +^samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_false_booleans_6_0_0___false_booleans_\(ad_dc\) +^samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_zero_ints_1_0_0___zero_ints_\(ad_dc\) +^samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_zero_uints_2_0_0___zero_uints_\(ad_dc\)