Context Navigation

source: vendor/3.6.0/libcli/security/dom_sid.c

Visit:

Last change on this file was 740, checked in by Silvan Scherrer, 13 years ago
Samba Server: update vendor to 3.6.0
File size: 9.5 KB

Line
1	/*
2	Unix SMB/CIFS implementation.
3	Samba utility functions
4
5	Copyright (C) Stefan (metze) Metzmacher 2002-2004
6	Copyright (C) Andrew Tridgell 1992-2004
7	Copyright (C) Jeremy Allison 1999
8
9	This program is free software; you can redistribute it and/or modify
10	it under the terms of the GNU General Public License as published by
11	the Free Software Foundation; either version 3 of the License, or
12	(at your option) any later version.
13
14	This program is distributed in the hope that it will be useful,
15	but WITHOUT ANY WARRANTY; without even the implied warranty of
16	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17	GNU General Public License for more details.
18
19	You should have received a copy of the GNU General Public License
20	along with this program. If not, see <http://www.gnu.org/licenses/>.
21	*/
22
23	#include "includes.h"
24	#include "librpc/gen_ndr/security.h"
25	#include "dom_sid.h"
26
27	/*****************************************************************
28	Compare the auth portion of two sids.
29	*****************************************************************/
30
31	int dom_sid_compare_auth(const struct dom_sid *sid1,
32	const struct dom_sid *sid2)
33	{
34	int i;
35
36	if (sid1 == sid2)
37	return 0;
38	if (!sid1)
39	return -1;
40	if (!sid2)
41	return 1;
42
43	if (sid1->sid_rev_num != sid2->sid_rev_num)
44	return sid1->sid_rev_num - sid2->sid_rev_num;
45
46	for (i = 0; i < 6; i++)
47	if (sid1->id_auth[i] != sid2->id_auth[i])
48	return sid1->id_auth[i] - sid2->id_auth[i];
49
50	return 0;
51	}
52
53	/*****************************************************************
54	Compare two sids.
55	*****************************************************************/
56
57	int dom_sid_compare(const struct dom_sid sid1, const struct dom_sid sid2)
58	{
59	int i;
60
61	if (sid1 == sid2)
62	return 0;
63	if (!sid1)
64	return -1;
65	if (!sid2)
66	return 1;
67
68	/* Compare most likely different rids, first: i.e start at end */
69	if (sid1->num_auths != sid2->num_auths)
70	return sid1->num_auths - sid2->num_auths;
71
72	for (i = sid1->num_auths-1; i >= 0; --i)
73	if (sid1->sub_auths[i] != sid2->sub_auths[i])
74	return sid1->sub_auths[i] - sid2->sub_auths[i];
75
76	return dom_sid_compare_auth(sid1, sid2);
77	}
78
79	/*****************************************************************
80	Compare two sids.
81	*****************************************************************/
82
83	bool dom_sid_equal(const struct dom_sid sid1, const struct dom_sid sid2)
84	{
85	return dom_sid_compare(sid1, sid2) == 0;
86	}
87
88	/*****************************************************************
89	Add a rid to the end of a sid
90	*****************************************************************/
91
92	bool sid_append_rid(struct dom_sid *sid, uint32_t rid)
93	{
94	if (sid->num_auths < ARRAY_SIZE(sid->sub_auths)) {
95	sid->sub_auths[sid->num_auths++] = rid;
96	return true;
97	}
98	return false;
99	}
100
101	/*
102	See if 2 SIDs are in the same domain
103	this just compares the leading sub-auths
104	*/
105	int dom_sid_compare_domain(const struct dom_sid *sid1,
106	const struct dom_sid *sid2)
107	{
108	int n, i;
109
110	n = MIN(sid1->num_auths, sid2->num_auths);
111
112	for (i = n-1; i >= 0; --i)
113	if (sid1->sub_auths[i] != sid2->sub_auths[i])
114	return sid1->sub_auths[i] - sid2->sub_auths[i];
115
116	return dom_sid_compare_auth(sid1, sid2);
117	}
118
119	/*****************************************************************
120	Convert a string to a SID. Returns True on success, False on fail.
121	Return the first character not parsed in endp.
122	*****************************************************************/
123
124	bool dom_sid_parse_endp(const char sidstr,struct dom_sid sidout,
125	const char **endp)
126	{
127	const char *p;
128	char *q;
129	/* BIG NOTE: this function only does SIDS where the identauth is not >= 2^32 */
130	uint32_t conv;
131
132	ZERO_STRUCTP(sidout);
133
134	if ((sidstr[0] != 'S' && sidstr[0] != 's') \|\| sidstr[1] != '-') {
135	goto format_error;
136	}
137
138	/* Get the revision number. */
139	p = sidstr + 2;
140
141	if (!isdigit(*p)) {
142	goto format_error;
143	}
144
145	conv = (uint32_t) strtoul(p, &q, 10);
146	if (!q \|\| (*q != '-')) {
147	goto format_error;
148	}
149	sidout->sid_rev_num = (uint8_t) conv;
150	q++;
151
152	if (!isdigit(*q)) {
153	goto format_error;
154	}
155
156	/* get identauth */
157	conv = (uint32_t) strtoul(q, &q, 10);
158	if (!q) {
159	goto format_error;
160	}
161
162	/* identauth in decimal should be < 2^32 */
163	/* NOTE - the conv value is in big-endian format. */
164	sidout->id_auth[0] = 0;
165	sidout->id_auth[1] = 0;
166	sidout->id_auth[2] = (conv & 0xff000000) >> 24;
167	sidout->id_auth[3] = (conv & 0x00ff0000) >> 16;
168	sidout->id_auth[4] = (conv & 0x0000ff00) >> 8;
169	sidout->id_auth[5] = (conv & 0x000000ff);
170
171	sidout->num_auths = 0;
172	if (*q != '-') {
173	/* Just id_auth, no subauths */
174	return true;
175	}
176
177	q++;
178
179	while (true) {
180	char *end;
181
182	if (!isdigit(*q)) {
183	goto format_error;
184	}
185
186	conv = strtoul(q, &end, 10);
187	if (end == q) {
188	goto format_error;
189	}
190
191	if (!sid_append_rid(sidout, conv)) {
192	DEBUG(3, ("Too many sid auths in %s\n", sidstr));
193	return false;
194	}
195
196	q = end;
197	if (*q != '-') {
198	break;
199	}
200	q += 1;
201	}
202	if (endp != NULL) {
203	*endp = q;
204	}
205	return true;
206
207	format_error:
208	DEBUG(3, ("string_to_sid: SID %s is not in a valid format\n", sidstr));
209	return false;
210	}
211
212	bool string_to_sid(struct dom_sid sidout, const char sidstr)
213	{
214	return dom_sid_parse(sidstr, sidout);
215	}
216
217	bool dom_sid_parse(const char sidstr, struct dom_sid ret)
218	{
219	return dom_sid_parse_endp(sidstr, ret, NULL);
220	}
221
222	/*
223	convert a string to a dom_sid, returning a talloc'd dom_sid
224	*/
225	struct dom_sid dom_sid_parse_talloc(TALLOC_CTX mem_ctx, const char *sidstr)
226	{
227	struct dom_sid *ret;
228	ret = talloc(mem_ctx, struct dom_sid);
229	if (!ret) {
230	return NULL;
231	}
232	if (!dom_sid_parse(sidstr, ret)) {
233	talloc_free(ret);
234	return NULL;
235	}
236
237	return ret;
238	}
239
240	/*
241	convert a string to a dom_sid, returning a talloc'd dom_sid
242	*/
243	struct dom_sid dom_sid_parse_length(TALLOC_CTX mem_ctx, const DATA_BLOB *sid)
244	{
245	struct dom_sid *ret;
246	char p = talloc_strndup(mem_ctx, (char )sid->data, sid->length);
247	if (!p) {
248	return NULL;
249	}
250	ret = dom_sid_parse_talloc(mem_ctx, p);
251	talloc_free(p);
252	return ret;
253	}
254
255	/*
256	copy a dom_sid structure
257	*/
258	struct dom_sid dom_sid_dup(TALLOC_CTX mem_ctx, const struct dom_sid *dom_sid)
259	{
260	struct dom_sid *ret;
261	int i;
262
263	if (!dom_sid) {
264	return NULL;
265	}
266
267	ret = talloc(mem_ctx, struct dom_sid);
268	if (!ret) {
269	return NULL;
270	}
271
272	ret->sid_rev_num = dom_sid->sid_rev_num;
273	ret->id_auth[0] = dom_sid->id_auth[0];
274	ret->id_auth[1] = dom_sid->id_auth[1];
275	ret->id_auth[2] = dom_sid->id_auth[2];
276	ret->id_auth[3] = dom_sid->id_auth[3];
277	ret->id_auth[4] = dom_sid->id_auth[4];
278	ret->id_auth[5] = dom_sid->id_auth[5];
279	ret->num_auths = dom_sid->num_auths;
280
281	for (i=0;i<dom_sid->num_auths;i++) {
282	ret->sub_auths[i] = dom_sid->sub_auths[i];
283	}
284
285	return ret;
286	}
287
288	/*
289	add a rid to a domain dom_sid to make a full dom_sid. This function
290	returns a new sid in the supplied memory context
291	*/
292	struct dom_sid dom_sid_add_rid(TALLOC_CTX mem_ctx,
293	const struct dom_sid *domain_sid,
294	uint32_t rid)
295	{
296	struct dom_sid *sid;
297
298	sid = dom_sid_dup(mem_ctx, domain_sid);
299	if (!sid) return NULL;
300
301	if (!sid_append_rid(sid, rid)) {
302	talloc_free(sid);
303	return NULL;
304	}
305
306	return sid;
307	}
308
309	/*
310	Split up a SID into its domain and RID part
311	*/
312	NTSTATUS dom_sid_split_rid(TALLOC_CTX mem_ctx, const struct dom_sid sid,
313	struct dom_sid *domain, uint32_t rid)
314	{
315	if (sid->num_auths == 0) {
316	return NT_STATUS_INVALID_PARAMETER;
317	}
318
319	if (domain) {
320	if (!(*domain = dom_sid_dup(mem_ctx, sid))) {
321	return NT_STATUS_NO_MEMORY;
322	}
323
324	(*domain)->num_auths -= 1;
325	}
326
327	if (rid) {
328	*rid = sid->sub_auths[sid->num_auths - 1];
329	}
330
331	return NT_STATUS_OK;
332	}
333
334	/*
335	return true if the 2nd sid is in the domain given by the first sid
336	*/
337	bool dom_sid_in_domain(const struct dom_sid *domain_sid,
338	const struct dom_sid *sid)
339	{
340	int i;
341
342	if (!domain_sid \|\| !sid) {
343	return false;
344	}
345
346	if (domain_sid->num_auths > sid->num_auths) {
347	return false;
348	}
349
350	for (i = domain_sid->num_auths-1; i >= 0; --i) {
351	if (domain_sid->sub_auths[i] != sid->sub_auths[i]) {
352	return false;
353	}
354	}
355
356	return dom_sid_compare_auth(domain_sid, sid) == 0;
357	}
358
359	/*
360	Convert a dom_sid to a string, printing into a buffer. Return the
361	string length. If it overflows, return the string length that would
362	result (buflen needs to be +1 for the terminating 0).
363	*/
364	int dom_sid_string_buf(const struct dom_sid sid, char buf, int buflen)
365	{
366	int i, ofs;
367	uint32_t ia;
368
369	if (!sid) {
370	strlcpy(buf, "(NULL SID)", buflen);
371	return 10; /* strlen("(NULL SID)") */
372	}
373
374	ia = (sid->id_auth[5]) +
375	(sid->id_auth[4] << 8 ) +
376	(sid->id_auth[3] << 16) +
377	(sid->id_auth[2] << 24);
378
379	ofs = snprintf(buf, buflen, "S-%u-%lu",
380	(unsigned int)sid->sid_rev_num, (unsigned long)ia);
381
382	for (i = 0; i < sid->num_auths; i++) {
383	ofs += snprintf(buf + ofs, MAX(buflen - ofs, 0), "-%lu",
384	(unsigned long)sid->sub_auths[i]);
385	}
386	return ofs;
387	}
388
389	/*
390	convert a dom_sid to a string
391	*/
392	char dom_sid_string(TALLOC_CTX mem_ctx, const struct dom_sid *sid)
393	{
394	char buf[DOM_SID_STR_BUFLEN];
395	char *result;
396	int len;
397
398	len = dom_sid_string_buf(sid, buf, sizeof(buf));
399
400	if (len+1 > sizeof(buf)) {
401	return talloc_strdup(mem_ctx, "(SID ERR)");
402	}
403
404	/*
405	* Avoid calling strlen (via talloc_strdup), we already have
406	* the length
407	*/
408	result = (char *)talloc_memdup(mem_ctx, buf, len+1);
409
410	/*
411	* beautify the talloc_report output
412	*/
413	talloc_set_name_const(result, result);
414	return result;
415	}

Note: See TracBrowser for help on using the repository browser.

Download in other formats: