librpc/ndr/ndr_sec_helper.c

   1 /*
   2    Unix SMB/CIFS implementation.
   3
   4    fast routines for getting the wire size of security objects
   5
   6    Copyright (C) Andrew Tridgell 2003
   7    Copyright (C) Stefan Metzmacher 2006-2008
   8
   9    This program is free software; you can redistribute it and/or modify
  10    it under the terms of the GNU General Public License as published by
  11    the Free Software Foundation; either version 3 of the License, or
  12    (at your option) any later version.
  13
  14    This program is distributed in the hope that it will be useful,
  15    but WITHOUT ANY WARRANTY; without even the implied warranty of
  16    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  17    GNU General Public License for more details.
  18
  19    You should have received a copy of the GNU General Public License
  20    along with this program.  If not, see <http://www.gnu.org/licenses/>.
  21 */
  22
  23
  24 #include "includes.h"
  25 #include "librpc/gen_ndr/ndr_security.h"
  26 #include "../libcli/security/security.h"
  27
  28 /*
  29   return the wire size of a security_ace
  30 */
  31 size_t ndr_size_security_ace(const struct security_ace *ace, int flags)
  32 {
  33         size_t ret;
  34
  35         if (!ace) return 0;
  36
  37         ret = 8 + ndr_size_dom_sid(&ace->trustee, flags);
  38
  39         switch (ace->type) {
  40         case SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT:
  41         case SEC_ACE_TYPE_ACCESS_DENIED_OBJECT:
  42         case SEC_ACE_TYPE_SYSTEM_AUDIT_OBJECT:
  43         case SEC_ACE_TYPE_SYSTEM_ALARM_OBJECT:
  44                 ret += 4; /* uint32 bitmap ace->object.object.flags */
  45                 if (ace->object.object.flags & SEC_ACE_OBJECT_TYPE_PRESENT) {
  46                         ret += 16; /* GUID ace->object.object.type.type */
  47                 }
  48                 if (ace->object.object.flags & SEC_ACE_INHERITED_OBJECT_TYPE_PRESENT) {
  49                         ret += 16; /* GUID ace->object.object.inherited_typeinherited_type */
  50                 }
  51                 break;
  52         default:
  53                 break;
  54         }
  55
  56         return ret;
  57 }
  58
  59 enum ndr_err_code ndr_pull_security_ace(struct ndr_pull *ndr, int ndr_flags, struct security_ace *r)
  60 {
  61         if (ndr_flags & NDR_SCALARS) {
  62                 uint32_t start_ofs = ndr->offset;
  63                 uint32_t size = 0;
  64                 uint32_t pad = 0;
  65                 NDR_CHECK(ndr_pull_align(ndr, 4));
  66                 NDR_CHECK(ndr_pull_security_ace_type(ndr, NDR_SCALARS, &r->type));
  67                 NDR_CHECK(ndr_pull_security_ace_flags(ndr, NDR_SCALARS, &r->flags));
  68                 NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->size));
  69                 NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->access_mask));
  70                 NDR_CHECK(ndr_pull_set_switch_value(ndr, &r->object, r->type));
  71                 NDR_CHECK(ndr_pull_security_ace_object_ctr(ndr, NDR_SCALARS, &r->object));
  72                 NDR_CHECK(ndr_pull_dom_sid(ndr, NDR_SCALARS, &r->trustee));
  73                 size = ndr->offset - start_ofs;
  74                 if (r->size < size) {
  75                         return ndr_pull_error(ndr, NDR_ERR_BUFSIZE,
  76                                               "ndr_pull_security_ace: r->size %u < size %u",
  77                                               (unsigned)r->size, size);
  78                 }
  79                 pad = r->size - size;
  80                 NDR_PULL_NEED_BYTES(ndr, pad);
  81                 ndr->offset += pad;
  82         }
  83         if (ndr_flags & NDR_BUFFERS) {
  84                 NDR_CHECK(ndr_pull_set_switch_value(ndr, &r->object, r->type));
  85                 NDR_CHECK(ndr_pull_security_ace_object_ctr(ndr, NDR_BUFFERS, &r->object));
  86         }
  87         return NDR_ERR_SUCCESS;
  88 }
  89
  90 /*
  91   return the wire size of a security_acl
  92 */
  93 size_t ndr_size_security_acl(const struct security_acl *theacl, int flags)
  94 {
  95         size_t ret;
  96         int i;
  97         if (!theacl) return 0;
  98         ret = 8;
  99         for (i=0;i<theacl->num_aces;i++) {
 100                 ret += ndr_size_security_ace(&theacl->aces[i], flags);
 101         }
 102         return ret;
 103 }
 104
 105 /*
 106   return the wire size of a security descriptor
 107 */
 108 size_t ndr_size_security_descriptor(const struct security_descriptor *sd, int flags)
 109 {
 110         size_t ret;
 111         if (!sd) return 0;
 112
 113         ret = 20;
 114         ret += ndr_size_dom_sid(sd->owner_sid, flags);
 115         ret += ndr_size_dom_sid(sd->group_sid, flags);
 116         ret += ndr_size_security_acl(sd->dacl, flags);
 117         ret += ndr_size_security_acl(sd->sacl, flags);
 118         return ret;
 119 }
 120
 121 /*
 122   return the wire size of a dom_sid
 123 */
 124 size_t ndr_size_dom_sid(const struct dom_sid *sid, int flags)
 125 {
 126         if (!sid) return 0;
 127         return 8 + 4*sid->num_auths;
 128 }
 129
 130 size_t ndr_size_dom_sid28(const struct dom_sid *sid, int flags)
 131 {
 132         if (all_zero((const uint8_t *)sid, sizeof(struct dom_sid))) {
 133                 return 0;
 134         }
 135         return ndr_size_dom_sid(sid, flags);
 136 }
 137
 138 size_t ndr_size_dom_sid0(const struct dom_sid *sid, int flags)
 139 {
 140         return ndr_size_dom_sid28(sid, flags);
 141 }
 142
 143 /*
 144   print a dom_sid
 145 */
 146 void ndr_print_dom_sid(struct ndr_print *ndr, const char *name, const struct dom_sid *sid)
 147 {
 148         struct dom_sid_buf buf;
 149         ndr->print(ndr, "%-25s: %s", name, dom_sid_str_buf(sid, &buf));
 150 }
 151
 152 void ndr_print_dom_sid2(struct ndr_print *ndr, const char *name, const struct dom_sid *sid)
 153 {
 154         ndr_print_dom_sid(ndr, name, sid);
 155 }
 156
 157 void ndr_print_dom_sid28(struct ndr_print *ndr, const char *name, const struct dom_sid *sid)
 158 {
 159         ndr_print_dom_sid(ndr, name, sid);
 160 }
 161
 162 void ndr_print_dom_sid0(struct ndr_print *ndr, const char *name, const struct dom_sid *sid)
 163 {
 164         ndr_print_dom_sid(ndr, name, sid);
 165 }
 166
 167
 168 /*
 169   parse a dom_sid2 - this is a dom_sid but with an extra copy of the num_auths field
 170 */
 171 enum ndr_err_code ndr_pull_dom_sid2(struct ndr_pull *ndr, int ndr_flags, struct dom_sid *sid)
 172 {
 173         uint32_t num_auths;
 174         if (!(ndr_flags & NDR_SCALARS)) {
 175                 return NDR_ERR_SUCCESS;
 176         }
 177         NDR_CHECK(ndr_pull_uint3264(ndr, NDR_SCALARS, &num_auths));
 178         NDR_CHECK(ndr_pull_dom_sid(ndr, ndr_flags, sid));
 179         if (sid->num_auths != num_auths) {
 180                 return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE,
 181                                       "Bad num_auths %u; should equal %u",
 182                                       num_auths, sid->num_auths);
 183         }
 184         return NDR_ERR_SUCCESS;
 185 }
 186
 187 /*
 188   parse a dom_sid2 - this is a dom_sid but with an extra copy of the num_auths field
 189 */
 190 enum ndr_err_code ndr_push_dom_sid2(struct ndr_push *ndr, int ndr_flags, const struct dom_sid *sid)
 191 {
 192         if (!(ndr_flags & NDR_SCALARS)) {
 193                 return NDR_ERR_SUCCESS;
 194         }
 195         NDR_CHECK(ndr_push_uint3264(ndr, NDR_SCALARS, sid->num_auths));
 196         return ndr_push_dom_sid(ndr, ndr_flags, sid);
 197 }
 198
 199 /*
 200   parse a dom_sid28 - this is a dom_sid in a fixed 28 byte buffer, so we need to ensure there are only up to 5 sub_auth
 201 */
 202 enum ndr_err_code ndr_pull_dom_sid28(struct ndr_pull *ndr, int ndr_flags, struct dom_sid *sid)
 203 {
 204         enum ndr_err_code status;
 205         struct ndr_pull *subndr;
 206
 207         if (!(ndr_flags & NDR_SCALARS)) {
 208                 return NDR_ERR_SUCCESS;
 209         }
 210
 211         subndr = talloc_zero(ndr, struct ndr_pull);
 212         NDR_ERR_HAVE_NO_MEMORY(subndr);
 213         subndr->flags           = ndr->flags;
 214         subndr->current_mem_ctx = ndr->current_mem_ctx;
 215
 216         subndr->data            = ndr->data + ndr->offset;
 217         subndr->data_size       = 28;
 218         subndr->offset          = 0;
 219
 220         NDR_CHECK(ndr_pull_advance(ndr, 28));
 221
 222         status = ndr_pull_dom_sid(subndr, ndr_flags, sid);
 223         if (!NDR_ERR_CODE_IS_SUCCESS(status)) {
 224                 /* handle a w2k bug which send random data in the buffer */
 225                 ZERO_STRUCTP(sid);
 226         } else if (sid->num_auths == 0) {
 227                 ZERO_STRUCT(sid->sub_auths);
 228         }
 229
 230         return NDR_ERR_SUCCESS;
 231 }
 232
 233 /*
 234   push a dom_sid28 - this is a dom_sid in a 28 byte fixed buffer
 235 */
 236 enum ndr_err_code ndr_push_dom_sid28(struct ndr_push *ndr, int ndr_flags, const struct dom_sid *sid)
 237 {
 238         uint32_t old_offset;
 239         uint32_t padding;
 240
 241         if (!(ndr_flags & NDR_SCALARS)) {
 242                 return NDR_ERR_SUCCESS;
 243         }
 244
 245         if (sid->num_auths > 5) {
 246                 return ndr_push_error(ndr, NDR_ERR_RANGE,
 247                                       "dom_sid28 allows only up to 5 sub auth [%u]",
 248                                       sid->num_auths);
 249         }
 250
 251         old_offset = ndr->offset;
 252         NDR_CHECK(ndr_push_dom_sid(ndr, ndr_flags, sid));
 253
 254         padding = 28 - (ndr->offset - old_offset);
 255
 256         if (padding > 0) {
 257                 NDR_CHECK(ndr_push_zero(ndr, padding));
 258         }
 259
 260         return NDR_ERR_SUCCESS;
 261 }
 262
 263 /*
 264   parse a dom_sid0 - this is a dom_sid in a variable byte buffer, which is maybe empty
 265 */
 266 enum ndr_err_code ndr_pull_dom_sid0(struct ndr_pull *ndr, int ndr_flags, struct dom_sid *sid)
 267 {
 268         if (!(ndr_flags & NDR_SCALARS)) {
 269                 return NDR_ERR_SUCCESS;
 270         }
 271
 272         if (ndr->data_size == ndr->offset) {
 273                 ZERO_STRUCTP(sid);
 274                 return NDR_ERR_SUCCESS;
 275         }
 276
 277         return ndr_pull_dom_sid(ndr, ndr_flags, sid);
 278 }
 279
 280 /*
 281   push a dom_sid0 - this is a dom_sid in a variable byte buffer, which is maybe empty
 282 */
 283 enum ndr_err_code ndr_push_dom_sid0(struct ndr_push *ndr, int ndr_flags, const struct dom_sid *sid)
 284 {
 285         if (!(ndr_flags & NDR_SCALARS)) {
 286                 return NDR_ERR_SUCCESS;
 287         }
 288
 289         if (!sid) {
 290                 return NDR_ERR_SUCCESS;
 291         }
 292
 293         if (all_zero((const uint8_t *)sid, sizeof(struct dom_sid))) {
 294                 return NDR_ERR_SUCCESS;
 295         }
 296
 297         return ndr_push_dom_sid(ndr, ndr_flags, sid);
 298 }
 299
 300 _PUBLIC_ enum ndr_err_code ndr_push_dom_sid(struct ndr_push *ndr, int ndr_flags, const struct dom_sid *r)
 301 {
 302         uint32_t cntr_sub_auths_0;
 303         if (ndr_flags & NDR_SCALARS) {
 304                 NDR_CHECK(ndr_push_align(ndr, 4));
 305                 NDR_CHECK(ndr_push_uint8(ndr, NDR_SCALARS, r->sid_rev_num));
 306                 NDR_CHECK(ndr_push_int8(ndr, NDR_SCALARS, r->num_auths));
 307                 NDR_CHECK(ndr_push_array_uint8(ndr, NDR_SCALARS, r->id_auth, 6));
 308                 if (r->num_auths < 0 || r->num_auths > ARRAY_SIZE(r->sub_auths)) {
 309                         return ndr_push_error(ndr, NDR_ERR_RANGE, "value out of range");
 310                 }
 311                 for (cntr_sub_auths_0 = 0; cntr_sub_auths_0 < r->num_auths; cntr_sub_auths_0++) {
 312                         NDR_CHECK(ndr_push_uint32(ndr, NDR_SCALARS, r->sub_auths[cntr_sub_auths_0]));
 313                 }
 314         }
 315         return NDR_ERR_SUCCESS;
 316 }
 317
 318 _PUBLIC_ enum ndr_err_code ndr_pull_dom_sid(struct ndr_pull *ndr, int ndr_flags, struct dom_sid *r)
 319 {
 320         uint32_t cntr_sub_auths_0;
 321         if (ndr_flags & NDR_SCALARS) {
 322                 NDR_CHECK(ndr_pull_align(ndr, 4));
 323                 NDR_CHECK(ndr_pull_uint8(ndr, NDR_SCALARS, &r->sid_rev_num));
 324                 NDR_CHECK(ndr_pull_int8(ndr, NDR_SCALARS, &r->num_auths));
 325                 if (r->num_auths < 0 || r->num_auths > ARRAY_SIZE(r->sub_auths)) {
 326                         return ndr_pull_error(ndr, NDR_ERR_RANGE, "value out of range");
 327                 }
 328                 NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->id_auth, 6));
 329                 ZERO_STRUCT(r->sub_auths);
 330                 for (cntr_sub_auths_0 = 0; cntr_sub_auths_0 < r->num_auths; cntr_sub_auths_0++) {
 331                         NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->sub_auths[cntr_sub_auths_0]));
 332                 }
 333         }
 334         return NDR_ERR_SUCCESS;
 335 }