2 Unix SMB/CIFS implementation.
3 Samba utility functions
5 Copyright (C) Stefan (metze) Metzmacher 2002-2004
6 Copyright (C) Andrew Tridgell 1992-2004
7 Copyright (C) Jeremy Allison 1999
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; either version 3 of the License, or
12 (at your option) any later version.
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License for more details.
19 You should have received a copy of the GNU General Public License
20 along with this program. If not, see <http://www.gnu.org/licenses/>.
24 #include "librpc/gen_ndr/security.h"
27 /*****************************************************************
28 Compare the auth portion of two sids.
29 *****************************************************************/
31 int dom_sid_compare_auth(const struct dom_sid
*sid1
,
32 const struct dom_sid
*sid2
)
43 if (sid1
->sid_rev_num
!= sid2
->sid_rev_num
)
44 return sid1
->sid_rev_num
- sid2
->sid_rev_num
;
46 for (i
= 0; i
< 6; i
++)
47 if (sid1
->id_auth
[i
] != sid2
->id_auth
[i
])
48 return sid1
->id_auth
[i
] - sid2
->id_auth
[i
];
53 /*****************************************************************
55 *****************************************************************/
57 int dom_sid_compare(const struct dom_sid
*sid1
, const struct dom_sid
*sid2
)
68 /* Compare most likely different rids, first: i.e start at end */
69 if (sid1
->num_auths
!= sid2
->num_auths
)
70 return sid1
->num_auths
- sid2
->num_auths
;
72 for (i
= sid1
->num_auths
-1; i
>= 0; --i
)
73 if (sid1
->sub_auths
[i
] != sid2
->sub_auths
[i
])
74 return sid1
->sub_auths
[i
] - sid2
->sub_auths
[i
];
76 return dom_sid_compare_auth(sid1
, sid2
);
79 /*****************************************************************
81 *****************************************************************/
83 bool dom_sid_equal(const struct dom_sid
*sid1
, const struct dom_sid
*sid2
)
85 return dom_sid_compare(sid1
, sid2
) == 0;
88 /*****************************************************************
89 Add a rid to the end of a sid
90 *****************************************************************/
92 bool sid_append_rid(struct dom_sid
*sid
, uint32_t rid
)
94 if (sid
->num_auths
< ARRAY_SIZE(sid
->sub_auths
)) {
95 sid
->sub_auths
[sid
->num_auths
++] = rid
;
102 See if 2 SIDs are in the same domain
103 this just compares the leading sub-auths
105 int dom_sid_compare_domain(const struct dom_sid
*sid1
,
106 const struct dom_sid
*sid2
)
110 n
= MIN(sid1
->num_auths
, sid2
->num_auths
);
112 for (i
= n
-1; i
>= 0; --i
)
113 if (sid1
->sub_auths
[i
] != sid2
->sub_auths
[i
])
114 return sid1
->sub_auths
[i
] - sid2
->sub_auths
[i
];
116 return dom_sid_compare_auth(sid1
, sid2
);
119 /*****************************************************************
120 Convert a string to a SID. Returns True on success, False on fail.
121 Return the first character not parsed in endp.
122 *****************************************************************/
123 #define AUTHORITY_MASK (~(0xffffffffffffULL))
125 bool dom_sid_parse_endp(const char *sidstr
,struct dom_sid
*sidout
,
130 /* BIG NOTE: this function only does SIDS where the identauth is not >= 2^32 */
133 ZERO_STRUCTP(sidout
);
135 if ((sidstr
[0] != 'S' && sidstr
[0] != 's') || sidstr
[1] != '-') {
139 /* Get the revision number. */
146 conv
= strtoul(p
, &q
, 10);
147 if (!q
|| (*q
!= '-') || conv
> UINT8_MAX
) {
150 sidout
->sid_rev_num
= (uint8_t) conv
;
158 conv
= strtoull(q
, &q
, 0);
159 if (!q
|| conv
& AUTHORITY_MASK
) {
163 /* When identauth >= UINT32_MAX, it's in hex with a leading 0x */
164 /* NOTE - the conv value is in big-endian format. */
165 sidout
->id_auth
[0] = (conv
& 0xff0000000000ULL
) >> 40;
166 sidout
->id_auth
[1] = (conv
& 0x00ff00000000ULL
) >> 32;
167 sidout
->id_auth
[2] = (conv
& 0x0000ff000000ULL
) >> 24;
168 sidout
->id_auth
[3] = (conv
& 0x000000ff0000ULL
) >> 16;
169 sidout
->id_auth
[4] = (conv
& 0x00000000ff00ULL
) >> 8;
170 sidout
->id_auth
[5] = (conv
& 0x0000000000ffULL
);
172 sidout
->num_auths
= 0;
174 /* Just id_auth, no subauths */
187 conv
= strtoull(q
, &end
, 10);
188 if (end
== q
|| conv
> UINT32_MAX
) {
192 if (!sid_append_rid(sidout
, conv
)) {
193 DEBUG(3, ("Too many sid auths in %s\n", sidstr
));
209 DEBUG(3, ("string_to_sid: SID %s is not in a valid format\n", sidstr
));
213 bool string_to_sid(struct dom_sid
*sidout
, const char *sidstr
)
215 return dom_sid_parse(sidstr
, sidout
);
218 bool dom_sid_parse(const char *sidstr
, struct dom_sid
*ret
)
220 return dom_sid_parse_endp(sidstr
, ret
, NULL
);
224 convert a string to a dom_sid, returning a talloc'd dom_sid
226 struct dom_sid
*dom_sid_parse_talloc(TALLOC_CTX
*mem_ctx
, const char *sidstr
)
229 ret
= talloc(mem_ctx
, struct dom_sid
);
233 if (!dom_sid_parse(sidstr
, ret
)) {
242 convert a string to a dom_sid, returning a talloc'd dom_sid
244 struct dom_sid
*dom_sid_parse_length(TALLOC_CTX
*mem_ctx
, const DATA_BLOB
*sid
)
247 char *p
= talloc_strndup(mem_ctx
, (char *)sid
->data
, sid
->length
);
251 ret
= dom_sid_parse_talloc(mem_ctx
, p
);
257 copy a dom_sid structure
259 struct dom_sid
*dom_sid_dup(TALLOC_CTX
*mem_ctx
, const struct dom_sid
*dom_sid
)
268 ret
= talloc(mem_ctx
, struct dom_sid
);
273 ret
->sid_rev_num
= dom_sid
->sid_rev_num
;
274 ret
->id_auth
[0] = dom_sid
->id_auth
[0];
275 ret
->id_auth
[1] = dom_sid
->id_auth
[1];
276 ret
->id_auth
[2] = dom_sid
->id_auth
[2];
277 ret
->id_auth
[3] = dom_sid
->id_auth
[3];
278 ret
->id_auth
[4] = dom_sid
->id_auth
[4];
279 ret
->id_auth
[5] = dom_sid
->id_auth
[5];
280 ret
->num_auths
= dom_sid
->num_auths
;
282 for (i
=0;i
<dom_sid
->num_auths
;i
++) {
283 ret
->sub_auths
[i
] = dom_sid
->sub_auths
[i
];
290 add a rid to a domain dom_sid to make a full dom_sid. This function
291 returns a new sid in the supplied memory context
293 struct dom_sid
*dom_sid_add_rid(TALLOC_CTX
*mem_ctx
,
294 const struct dom_sid
*domain_sid
,
299 sid
= dom_sid_dup(mem_ctx
, domain_sid
);
300 if (!sid
) return NULL
;
302 if (!sid_append_rid(sid
, rid
)) {
311 Split up a SID into its domain and RID part
313 NTSTATUS
dom_sid_split_rid(TALLOC_CTX
*mem_ctx
, const struct dom_sid
*sid
,
314 struct dom_sid
**domain
, uint32_t *rid
)
316 if (sid
->num_auths
== 0) {
317 return NT_STATUS_INVALID_PARAMETER
;
321 if (!(*domain
= dom_sid_dup(mem_ctx
, sid
))) {
322 return NT_STATUS_NO_MEMORY
;
325 (*domain
)->num_auths
-= 1;
329 *rid
= sid
->sub_auths
[sid
->num_auths
- 1];
336 return true if the 2nd sid is in the domain given by the first sid
338 bool dom_sid_in_domain(const struct dom_sid
*domain_sid
,
339 const struct dom_sid
*sid
)
343 if (!domain_sid
|| !sid
) {
347 if (domain_sid
->num_auths
> sid
->num_auths
) {
351 for (i
= domain_sid
->num_auths
-1; i
>= 0; --i
) {
352 if (domain_sid
->sub_auths
[i
] != sid
->sub_auths
[i
]) {
357 return dom_sid_compare_auth(domain_sid
, sid
) == 0;
361 Convert a dom_sid to a string, printing into a buffer. Return the
362 string length. If it overflows, return the string length that would
363 result (buflen needs to be +1 for the terminating 0).
365 int dom_sid_string_buf(const struct dom_sid
*sid
, char *buf
, int buflen
)
371 return strlcpy(buf
, "(NULL SID)", buflen
);
374 ia
= ((uint64_t)sid
->id_auth
[5]) +
375 ((uint64_t)sid
->id_auth
[4] << 8 ) +
376 ((uint64_t)sid
->id_auth
[3] << 16) +
377 ((uint64_t)sid
->id_auth
[2] << 24) +
378 ((uint64_t)sid
->id_auth
[1] << 32) +
379 ((uint64_t)sid
->id_auth
[0] << 40);
381 ofs
= snprintf(buf
, buflen
, "S-%hhu-", (unsigned char)sid
->sid_rev_num
);
382 if (ia
>= UINT32_MAX
) {
383 ofs
+= snprintf(buf
+ ofs
, MAX(buflen
- ofs
, 0), "0x%llx",
384 (unsigned long long)ia
);
386 ofs
+= snprintf(buf
+ ofs
, MAX(buflen
- ofs
, 0), "%llu",
387 (unsigned long long)ia
);
390 for (i
= 0; i
< sid
->num_auths
; i
++) {
391 ofs
+= snprintf(buf
+ ofs
, MAX(buflen
- ofs
, 0), "-%u",
392 (unsigned int)sid
->sub_auths
[i
]);
398 convert a dom_sid to a string
400 char *dom_sid_string(TALLOC_CTX
*mem_ctx
, const struct dom_sid
*sid
)
402 char buf
[DOM_SID_STR_BUFLEN
];
406 len
= dom_sid_string_buf(sid
, buf
, sizeof(buf
));
408 if (len
+1 > sizeof(buf
)) {
409 return talloc_strdup(mem_ctx
, "(SID ERR)");
413 * Avoid calling strlen (via talloc_strdup), we already have
416 result
= (char *)talloc_memdup(mem_ctx
, buf
, len
+1);
419 * beautify the talloc_report output
421 talloc_set_name_const(result
, result
);