librpc/ndr/ndr_sec_helper.c

   1 /*
   2    Unix SMB/CIFS implementation.
   3
   4    fast routines for getting the wire size of security objects
   5
   6    Copyright (C) Andrew Tridgell 2003
   7    Copyright (C) Stefan Metzmacher 2006-2008
   8
   9    This program is free software; you can redistribute it and/or modify
  10    it under the terms of the GNU General Public License as published by
  11    the Free Software Foundation; either version 3 of the License, or
  12    (at your option) any later version.
  13
  14    This program is distributed in the hope that it will be useful,
  15    but WITHOUT ANY WARRANTY; without even the implied warranty of
  16    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  17    GNU General Public License for more details.
  18
  19    You should have received a copy of the GNU General Public License
  20    along with this program.  If not, see <http://www.gnu.org/licenses/>.
  21 */
  22
  23
  24 #include "includes.h"
  25 #include "librpc/gen_ndr/ndr_security.h"
  26 #include "../libcli/security/security.h"
  27
  28 /*
  29   return the wire size of a security_ace
  30 */
  31 size_t ndr_size_security_ace(const struct security_ace *ace, int flags)
  32 {
  33         size_t ret;
  34
  35         if (!ace) return 0;
  36
  37         ret = 8 + ndr_size_dom_sid(&ace->trustee, flags);
  38
  39         switch (ace->type) {
  40         case SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT:
  41         case SEC_ACE_TYPE_ACCESS_DENIED_OBJECT:
  42         case SEC_ACE_TYPE_SYSTEM_AUDIT_OBJECT:
  43         case SEC_ACE_TYPE_SYSTEM_ALARM_OBJECT:
  44                 ret += 4; /* uint32 bitmap ace->object.object.flags */
  45                 if (ace->object.object.flags & SEC_ACE_OBJECT_TYPE_PRESENT) {
  46                         ret += 16; /* GUID ace->object.object.type.type */
  47                 }
  48                 if (ace->object.object.flags & SEC_ACE_INHERITED_OBJECT_TYPE_PRESENT) {
  49                         ret += 16; /* GUID ace->object.object.inherited_typeinherited_type */
  50                 }
  51                 break;
  52         default:
  53                 break;
  54         }
  55
  56         return ret;
  57 }
  58
  59 enum ndr_err_code ndr_pull_security_ace(struct ndr_pull *ndr, int ndr_flags, struct security_ace *r)
  60 {
  61         if (ndr_flags & NDR_SCALARS) {
  62                 uint32_t start_ofs = ndr->offset;
  63                 uint32_t size = 0;
  64                 uint32_t pad = 0;
  65                 NDR_CHECK(ndr_pull_align(ndr, 4));
  66                 NDR_CHECK(ndr_pull_security_ace_type(ndr, NDR_SCALARS, &r->type));
  67                 NDR_CHECK(ndr_pull_security_ace_flags(ndr, NDR_SCALARS, &r->flags));
  68                 NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->size));
  69                 NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->access_mask));
  70                 NDR_CHECK(ndr_pull_set_switch_value(ndr, &r->object, r->type));
  71                 NDR_CHECK(ndr_pull_security_ace_object_ctr(ndr, NDR_SCALARS, &r->object));
  72                 NDR_CHECK(ndr_pull_dom_sid(ndr, NDR_SCALARS, &r->trustee));
  73                 size = ndr->offset - start_ofs;
  74                 if (r->size < size) {
  75                         return ndr_pull_error(ndr, NDR_ERR_BUFSIZE,
  76                                               "ndr_pull_security_ace: r->size %u < size %u",
  77                                               (unsigned)r->size, size);
  78                 }
  79                 pad = r->size - size;
  80                 NDR_PULL_NEED_BYTES(ndr, pad);
  81                 ndr->offset += pad;
  82         }
  83         if (ndr_flags & NDR_BUFFERS) {
  84                 NDR_CHECK(ndr_pull_security_ace_object_ctr(ndr, NDR_BUFFERS, &r->object));
  85         }
  86         return NDR_ERR_SUCCESS;
  87 }
  88
  89 /*
  90   return the wire size of a security_acl
  91 */
  92 size_t ndr_size_security_acl(const struct security_acl *theacl, int flags)
  93 {
  94         size_t ret;
  95         int i;
  96         if (!theacl) return 0;
  97         ret = 8;
  98         for (i=0;i<theacl->num_aces;i++) {
  99                 ret += ndr_size_security_ace(&theacl->aces[i], flags);
 100         }
 101         return ret;
 102 }
 103
 104 /*
 105   return the wire size of a security descriptor
 106 */
 107 size_t ndr_size_security_descriptor(const struct security_descriptor *sd, int flags)
 108 {
 109         size_t ret;
 110         if (!sd) return 0;
 111
 112         ret = 20;
 113         ret += ndr_size_dom_sid(sd->owner_sid, flags);
 114         ret += ndr_size_dom_sid(sd->group_sid, flags);
 115         ret += ndr_size_security_acl(sd->dacl, flags);
 116         ret += ndr_size_security_acl(sd->sacl, flags);
 117         return ret;
 118 }
 119
 120 /*
 121   return the wire size of a dom_sid
 122 */
 123 size_t ndr_size_dom_sid(const struct dom_sid *sid, int flags)
 124 {
 125         if (!sid) return 0;
 126         return 8 + 4*sid->num_auths;
 127 }
 128
 129 size_t ndr_size_dom_sid28(const struct dom_sid *sid, int flags)
 130 {
 131         if (!sid) return 0;
 132
 133         if (all_zero((const uint8_t *)sid, sizeof(struct dom_sid))) {
 134                 return 0;
 135         }
 136
 137         return 8 + 4*sid->num_auths;
 138 }
 139
 140 size_t ndr_size_dom_sid0(const struct dom_sid *sid, int flags)
 141 {
 142         return ndr_size_dom_sid28(sid, flags);
 143 }
 144
 145 /*
 146   print a dom_sid
 147 */
 148 void ndr_print_dom_sid(struct ndr_print *ndr, const char *name, const struct dom_sid *sid)
 149 {
 150         ndr->print(ndr, "%-25s: %s", name, dom_sid_string(ndr, sid));
 151 }
 152
 153 void ndr_print_dom_sid2(struct ndr_print *ndr, const char *name, const struct dom_sid *sid)
 154 {
 155         ndr_print_dom_sid(ndr, name, sid);
 156 }
 157
 158 void ndr_print_dom_sid28(struct ndr_print *ndr, const char *name, const struct dom_sid *sid)
 159 {
 160         ndr_print_dom_sid(ndr, name, sid);
 161 }
 162
 163 void ndr_print_dom_sid0(struct ndr_print *ndr, const char *name, const struct dom_sid *sid)
 164 {
 165         ndr_print_dom_sid(ndr, name, sid);
 166 }
 167
 168
 169 /*
 170   parse a dom_sid2 - this is a dom_sid but with an extra copy of the num_auths field
 171 */
 172 enum ndr_err_code ndr_pull_dom_sid2(struct ndr_pull *ndr, int ndr_flags, struct dom_sid *sid)
 173 {
 174         uint32_t num_auths;
 175         if (!(ndr_flags & NDR_SCALARS)) {
 176                 return NDR_ERR_SUCCESS;
 177         }
 178         NDR_CHECK(ndr_pull_uint3264(ndr, NDR_SCALARS, &num_auths));
 179         NDR_CHECK(ndr_pull_dom_sid(ndr, ndr_flags, sid));
 180         if (sid->num_auths != num_auths) {
 181                 return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE,
 182                                       "Bad array size %u should exceed %u",
 183                                       num_auths, sid->num_auths);
 184         }
 185         return NDR_ERR_SUCCESS;
 186 }
 187
 188 /*
 189   parse a dom_sid2 - this is a dom_sid but with an extra copy of the num_auths field
 190 */
 191 enum ndr_err_code ndr_push_dom_sid2(struct ndr_push *ndr, int ndr_flags, const struct dom_sid *sid)
 192 {
 193         if (!(ndr_flags & NDR_SCALARS)) {
 194                 return NDR_ERR_SUCCESS;
 195         }
 196         NDR_CHECK(ndr_push_uint3264(ndr, NDR_SCALARS, sid->num_auths));
 197         return ndr_push_dom_sid(ndr, ndr_flags, sid);
 198 }
 199
 200 /*
 201   parse a dom_sid28 - this is a dom_sid in a fixed 28 byte buffer, so we need to ensure there are only upto 5 sub_auth
 202 */
 203 enum ndr_err_code ndr_pull_dom_sid28(struct ndr_pull *ndr, int ndr_flags, struct dom_sid *sid)
 204 {
 205         enum ndr_err_code status;
 206         struct ndr_pull *subndr;
 207
 208         if (!(ndr_flags & NDR_SCALARS)) {
 209                 return NDR_ERR_SUCCESS;
 210         }
 211
 212         subndr = talloc_zero(ndr, struct ndr_pull);
 213         NDR_ERR_HAVE_NO_MEMORY(subndr);
 214         subndr->flags           = ndr->flags;
 215         subndr->current_mem_ctx = ndr->current_mem_ctx;
 216
 217         subndr->data            = ndr->data + ndr->offset;
 218         subndr->data_size       = 28;
 219         subndr->offset          = 0;
 220
 221         NDR_CHECK(ndr_pull_advance(ndr, 28));
 222
 223         status = ndr_pull_dom_sid(subndr, ndr_flags, sid);
 224         if (!NDR_ERR_CODE_IS_SUCCESS(status)) {
 225                 /* handle a w2k bug which send random data in the buffer */
 226                 ZERO_STRUCTP(sid);
 227         } else if (sid->num_auths == 0) {
 228                 ZERO_STRUCT(sid->sub_auths);
 229         }
 230
 231         return NDR_ERR_SUCCESS;
 232 }
 233
 234 /*
 235   push a dom_sid28 - this is a dom_sid in a 28 byte fixed buffer
 236 */
 237 enum ndr_err_code ndr_push_dom_sid28(struct ndr_push *ndr, int ndr_flags, const struct dom_sid *sid)
 238 {
 239         uint32_t old_offset;
 240         uint32_t padding;
 241
 242         if (!(ndr_flags & NDR_SCALARS)) {
 243                 return NDR_ERR_SUCCESS;
 244         }
 245
 246         if (sid->num_auths > 5) {
 247                 return ndr_push_error(ndr, NDR_ERR_RANGE,
 248                                       "dom_sid28 allows only upto 5 sub auth [%u]",
 249                                       sid->num_auths);
 250         }
 251
 252         old_offset = ndr->offset;
 253         NDR_CHECK(ndr_push_dom_sid(ndr, ndr_flags, sid));
 254
 255         padding = 28 - (ndr->offset - old_offset);
 256
 257         if (padding > 0) {
 258                 NDR_CHECK(ndr_push_zero(ndr, padding));
 259         }
 260
 261         return NDR_ERR_SUCCESS;
 262 }
 263
 264 /*
 265   parse a dom_sid0 - this is a dom_sid in a variable byte buffer, which is maybe empty
 266 */
 267 enum ndr_err_code ndr_pull_dom_sid0(struct ndr_pull *ndr, int ndr_flags, struct dom_sid *sid)
 268 {
 269         if (!(ndr_flags & NDR_SCALARS)) {
 270                 return NDR_ERR_SUCCESS;
 271         }
 272
 273         if (ndr->data_size == ndr->offset) {
 274                 ZERO_STRUCTP(sid);
 275                 return NDR_ERR_SUCCESS;
 276         }
 277
 278         return ndr_pull_dom_sid(ndr, ndr_flags, sid);
 279 }
 280
 281 /*
 282   push a dom_sid0 - this is a dom_sid in a variable byte buffer, which is maybe empty
 283 */
 284 enum ndr_err_code ndr_push_dom_sid0(struct ndr_push *ndr, int ndr_flags, const struct dom_sid *sid)
 285 {
 286         if (!(ndr_flags & NDR_SCALARS)) {
 287                 return NDR_ERR_SUCCESS;
 288         }
 289
 290         if (!sid) {
 291                 return NDR_ERR_SUCCESS;
 292         }
 293
 294         if (all_zero((const uint8_t *)sid, sizeof(struct dom_sid))) {
 295                 return NDR_ERR_SUCCESS;
 296         }
 297
 298         return ndr_push_dom_sid(ndr, ndr_flags, sid);
 299 }
 300
 301 _PUBLIC_ enum ndr_err_code ndr_push_dom_sid(struct ndr_push *ndr, int ndr_flags, const struct dom_sid *r)
 302 {
 303         uint32_t cntr_sub_auths_0;
 304         if (ndr_flags & NDR_SCALARS) {
 305                 NDR_CHECK(ndr_push_align(ndr, 4));
 306                 NDR_CHECK(ndr_push_uint8(ndr, NDR_SCALARS, r->sid_rev_num));
 307                 NDR_CHECK(ndr_push_int8(ndr, NDR_SCALARS, r->num_auths));
 308                 NDR_CHECK(ndr_push_array_uint8(ndr, NDR_SCALARS, r->id_auth, 6));
 309                 if (r->num_auths < 0 || r->num_auths > ARRAY_SIZE(r->sub_auths)) {
 310                         return ndr_push_error(ndr, NDR_ERR_RANGE, "value out of range");
 311                 }
 312                 for (cntr_sub_auths_0 = 0; cntr_sub_auths_0 < r->num_auths; cntr_sub_auths_0++) {
 313                         NDR_CHECK(ndr_push_uint32(ndr, NDR_SCALARS, r->sub_auths[cntr_sub_auths_0]));
 314                 }
 315         }
 316         return NDR_ERR_SUCCESS;
 317 }
 318
 319 _PUBLIC_ enum ndr_err_code ndr_pull_dom_sid(struct ndr_pull *ndr, int ndr_flags, struct dom_sid *r)
 320 {
 321         uint32_t cntr_sub_auths_0;
 322         if (ndr_flags & NDR_SCALARS) {
 323                 NDR_CHECK(ndr_pull_align(ndr, 4));
 324                 NDR_CHECK(ndr_pull_uint8(ndr, NDR_SCALARS, &r->sid_rev_num));
 325                 NDR_CHECK(ndr_pull_int8(ndr, NDR_SCALARS, &r->num_auths));
 326                 if (r->num_auths < 0 || r->num_auths > ARRAY_SIZE(r->sub_auths)) {
 327                         return ndr_pull_error(ndr, NDR_ERR_RANGE, "value out of range");
 328                 }
 329                 NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->id_auth, 6));
 330                 ZERO_STRUCT(r->sub_auths);
 331                 for (cntr_sub_auths_0 = 0; cntr_sub_auths_0 < r->num_auths; cntr_sub_auths_0++) {
 332                         NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->sub_auths[cntr_sub_auths_0]));
 333                 }
 334         }
 335         return NDR_ERR_SUCCESS;
 336 }