authorJoseph Sutton <josephsutton@catalyst.net.nz>2023-02-24 10:03:25 +1300
committerJule Anger <janger@samba.org>2023-03-20 10:03:38 +0100
commit1cfaa078ffcbd915f8494cd98b375dd2598010ec (patch)
tree615db75d3ad4dae36b0a6ff4e801ec57eb9b666e
parenta74571b49f5476cde430f11cd7bc256f17925fe8 (diff)
downloadsamba-1cfaa078ffcbd915f8494cd98b375dd2598010ec.tar.gz
CVE-2023-0614 s4-dsdb: Treat confidential attributes as unindexed
In the unlikely case that someone adds a confidential indexed attribute to the schema, LDAP search expressions on that attribute could disclose information via timing differences. Let's not use the index for searches on confidential attributes. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270 Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-rw-r--r--source4/dsdb/samdb/ldb_modules/extended_dn_in.c10
-rw-r--r--source4/dsdb/schema/schema_description.c7
-rw-r--r--source4/dsdb/schema/schema_init.c11
-rw-r--r--source4/dsdb/schema/schema_set.c9
4 files changed, 33 insertions, 4 deletions
diff --git a/source4/dsdb/samdb/ldb_modules/extended_dn_in.c b/source4/dsdb/samdb/ldb_modules/extended_dn_in.c
index 1dc1e1f2d42..248bb66f039 100644
--- a/source4/dsdb/samdb/ldb_modules/extended_dn_in.c
+++ b/source4/dsdb/samdb/ldb_modules/extended_dn_in.c
@@ -423,7 +423,15 @@ static int extended_dn_filter_callback(struct ldb_parse_tree *tree, void *privat
guid_val = ldb_dn_get_extended_component(dn, "GUID");
sid_val = ldb_dn_get_extended_component(dn, "SID");
- if (!guid_val && !sid_val && (attribute->searchFlags & SEARCH_FLAG_ATTINDEX)) {
+ /*
+ * Is the attribute indexed? By treating confidential attributes
+ * as unindexed, we force searches to go through the unindexed
+ * search path, avoiding observable timing differences.
+ */
+ if (!guid_val && !sid_val &&
+ (attribute->searchFlags & SEARCH_FLAG_ATTINDEX) &&
+ !(attribute->searchFlags & SEARCH_FLAG_CONFIDENTIAL))
+ {
/* if it is indexed, then fixing the string DN will do
no good here, as we will not find the attribute in
the index. So for now fall through to a standard DN
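Review bot: The "indexed and not confidential" test added to this condition is repeated verbatim, comment included, in the schema_init.c and schema_set.c hunks of this same commit, so the policy now lives in three places that must be kept in step by hand. A small shared predicate on the dsdb attribute, e.g. a constructed `static inline bool dsdb_attribute_is_indexed(const struct dsdb_attribute *a)` returning `(a->searchFlags & SEARCH_FLAG_ATTINDEX) && !(a->searchFlags & SEARCH_FLAG_CONFIDENTIAL)`, would let this line read `if (!guid_val && !sid_val && dsdb_attribute_is_indexed(attribute)) {` and guarantee that any future flag which should also disable indexing is applied at all call sites at once. The security reasoning in the comment would then need stating only once, next to the helper. extended_dn_filter_callback begins before this hunk and its body continues after it.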
diff --git a/source4/dsdb/schema/schema_description.c b/source4/dsdb/schema/schema_description.c
index 243a02a15f3..5fc70154bf8 100644
--- a/source4/dsdb/schema/schema_description.c
+++ b/source4/dsdb/schema/schema_description.c
@@ -160,6 +160,13 @@ char *schema_attribute_to_extendedInfo(TALLOC_CTX *mem_ctx, const struct dsdb_at
attribute->rangeUpper,
GUID_hexstring(tmp_ctx, &attribute->schemaIDGUID),
GUID_hexstring(tmp_ctx, &attribute->attributeSecurityGUID),
+ /*
+ * We actually ignore the indexed
+ * flag for confidential
+ * attributes, but we'll include
+ * it for the purposes of
+ * description.
+ */
(attribute->searchFlags & SEARCH_FLAG_ATTINDEX),
attribute->systemOnly);
talloc_free(tmp_ctx);
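Review bot: A seven-line block comment placed between two arguments of a call splits the argument list and makes the call, whose opening is above this hunk, hard to read as a unit. The remark fits on one line next to the argument, e.g. `(attribute->searchFlags & SEARCH_FLAG_ATTINDEX), /* reported as-is; ignored for confidential attrs */`, or can be moved to a comment above the call if the longer explanation is wanted. It would also help to say explicitly that the reported value is the raw schema flag rather than the effective indexing state, since readers of the extendedInfo output may otherwise assume the attribute is actually indexed.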
diff --git a/source4/dsdb/schema/schema_init.c b/source4/dsdb/schema/schema_init.c
index a3b00497b6b..c8197b86306 100644
--- a/source4/dsdb/schema/schema_init.c
+++ b/source4/dsdb/schema/schema_init.c
@@ -514,8 +514,15 @@ static int dsdb_schema_setup_ldb_schema_attribute(struct ldb_context *ldb,
if (attr->isSingleValued) {
a->flags |= LDB_ATTR_FLAG_SINGLE_VALUE;
}
-
- if (attr->searchFlags & SEARCH_FLAG_ATTINDEX) {
+
+ /*
+ * Is the attribute indexed? By treating confidential attributes as
+ * unindexed, we force searches to go through the unindexed search path,
+ * avoiding observable timing differences.
+ */
+ if (attr->searchFlags & SEARCH_FLAG_ATTINDEX &&
+ !(attr->searchFlags & SEARCH_FLAG_CONFIDENTIAL))
+ {
a->flags |= LDB_ATTR_FLAG_INDEXED;
}
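Review bot: The new condition `attr->searchFlags & SEARCH_FLAG_ATTINDEX && !(attr->searchFlags & SEARCH_FLAG_CONFIDENTIAL)` relies on `&` binding tighter than `&&`, while the same test in the extended_dn_in.c hunk parenthesizes the bitwise term; the two should be written the same way. Changing the first line to `if ((attr->searchFlags & SEARCH_FLAG_ATTINDEX) &&` makes the precedence explicit and matches the other site; the schema_set.c hunk has the identical unparenthesized form and should get the same treatment. dsdb_schema_setup_ldb_schema_attribute begins before this hunk and continues after it.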
diff --git a/source4/dsdb/schema/schema_set.c b/source4/dsdb/schema/schema_set.c
index 45faa0912ec..03cf2405595 100644
--- a/source4/dsdb/schema/schema_set.c
+++ b/source4/dsdb/schema/schema_set.c
@@ -221,7 +221,14 @@ int dsdb_schema_set_indices_and_attributes(struct ldb_context *ldb,
break;
}
- if (attr->searchFlags & SEARCH_FLAG_ATTINDEX) {
+ /*
+ * Is the attribute indexed? By treating confidential attributes
+ * as unindexed, we force searches to go through the unindexed
+ * search path, avoiding observable timing differences.
+ */
+ if (attr->searchFlags & SEARCH_FLAG_ATTINDEX &&
+ !(attr->searchFlags & SEARCH_FLAG_CONFIDENTIAL))
+ {
/*
* When preparing to downgrade Samba, we need to write
* out an LDB without the new key word ORDERED_INTEGER.