[168] | 1 | /** |
---|
| 2 | * @file |
---|
[133] | 3 | * This file contains refactored Samba code used to interpret Windows |
---|
| 4 | * Security Descriptors. See: |
---|
[132] | 5 | * http://websvn.samba.org/cgi-bin/viewcvs.cgi/trunk/source/ |
---|
| 6 | * |
---|
| 7 | * Copyright (C) 2005-2006,2009 Timothy D. Morgan |
---|
| 8 | * Copyright (C) 1992-2005 Samba development team |
---|
| 9 | * (see individual files under Subversion for details.) |
---|
| 10 | * |
---|
| 11 | * This program is free software; you can redistribute it and/or modify |
---|
| 12 | * it under the terms of the GNU General Public License as published by |
---|
| 13 | * the Free Software Foundation; version 3 of the License. |
---|
| 14 | * |
---|
| 15 | * This program is distributed in the hope that it will be useful, |
---|
| 16 | * but WITHOUT ANY WARRANTY; without even the implied warranty of |
---|
| 17 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
---|
| 18 | * GNU General Public License for more details. |
---|
| 19 | * |
---|
| 20 | * You should have received a copy of the GNU General Public License |
---|
| 21 | * along with this program; if not, write to the Free Software |
---|
| 22 | * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. |
---|
| 23 | * |
---|
[133] | 24 | * $Id: winsec.c 168 2010-03-03 00:08:42Z tim $ |
---|
[132] | 25 | */ |
---|
| 26 | |
---|
[147] | 27 | #include "winsec.h" |
---|
[132] | 28 | |
---|
| 29 | |
---|
[147] | 30 | /****************************************************************************** |
---|
| 31 | * Non-talloc() interface for parsing a descriptor. |
---|
| 32 | ******************************************************************************/ |
---|
| 33 | WINSEC_DESC* winsec_parse_descriptor(const uint8_t* buf, uint32_t buf_len) |
---|
| 34 | { |
---|
| 35 | return winsec_parse_desc(NULL, buf, buf_len); |
---|
| 36 | } |
---|
[132] | 37 | |
---|
[147] | 38 | |
---|
[134] | 39 | /****************************************************************************** |
---|
[147] | 40 | * Free a descriptor. Not needed if using talloc and a parent context is freed. |
---|
| 41 | ******************************************************************************/ |
---|
| 42 | void winsec_free_descriptor(WINSEC_DESC* desc) |
---|
| 43 | { |
---|
| 44 | talloc_free(desc); |
---|
| 45 | } |
---|
| 46 | |
---|
| 47 | |
---|
| 48 | /****************************************************************************** |
---|
[134] | 49 | * Parses a WINSEC_DESC structure and substructures. |
---|
| 50 | ******************************************************************************/ |
---|
[147] | 51 | WINSEC_DESC* winsec_parse_desc(void* talloc_ctx, |
---|
| 52 | const uint8_t* buf, uint32_t buf_len) |
---|
[132] | 53 | { |
---|
[134] | 54 | WINSEC_DESC* ret_val; |
---|
[132] | 55 | |
---|
[134] | 56 | if (buf == NULL || buf_len < WINSEC_DESC_HEADER_SIZE) |
---|
| 57 | return NULL; |
---|
[148] | 58 | |
---|
[147] | 59 | if((ret_val = talloc(talloc_ctx, WINSEC_DESC)) == NULL) |
---|
| 60 | return NULL; |
---|
[133] | 61 | |
---|
[134] | 62 | ret_val->revision = buf[0]; |
---|
| 63 | ret_val->sbz1 = buf[1]; |
---|
| 64 | ret_val->control = SVAL(buf, 0x2); |
---|
[133] | 65 | |
---|
[134] | 66 | if(!(ret_val->control & WINSEC_DESC_SELF_RELATIVE)) |
---|
| 67 | fprintf(stderr, "DEBUG: NOT self-relative!\n"); |
---|
[132] | 68 | |
---|
[134] | 69 | ret_val->off_owner_sid = IVAL(buf, 0x4); |
---|
| 70 | ret_val->off_grp_sid = IVAL(buf, 0x8); |
---|
| 71 | ret_val->off_sacl = IVAL(buf, 0xC); |
---|
| 72 | ret_val->off_dacl = IVAL(buf, 0x10); |
---|
[133] | 73 | |
---|
[134] | 74 | /* A basic sanity check to ensure our offsets are within our buffer. |
---|
| 75 | * Additional length checking is done in secondary parsing functions. |
---|
| 76 | */ |
---|
| 77 | if((ret_val->off_owner_sid >= buf_len) |
---|
| 78 | || (ret_val->off_grp_sid >= buf_len) |
---|
| 79 | || (ret_val->off_sacl >= buf_len) |
---|
| 80 | || (ret_val->off_dacl >= buf_len)) |
---|
[133] | 81 | { |
---|
[147] | 82 | talloc_free(ret_val); |
---|
[134] | 83 | return NULL; |
---|
[133] | 84 | } |
---|
[132] | 85 | |
---|
[148] | 86 | if(ret_val->off_owner_sid == 0) |
---|
| 87 | ret_val->owner_sid = NULL; |
---|
| 88 | else |
---|
[133] | 89 | { |
---|
[147] | 90 | ret_val->owner_sid = winsec_parse_dom_sid(ret_val, |
---|
| 91 | buf + ret_val->off_owner_sid, |
---|
[134] | 92 | buf_len - ret_val->off_owner_sid); |
---|
| 93 | if(ret_val->owner_sid == NULL) |
---|
[133] | 94 | { |
---|
[147] | 95 | talloc_free(ret_val); |
---|
[134] | 96 | return NULL; |
---|
[133] | 97 | } |
---|
| 98 | } |
---|
[132] | 99 | |
---|
[148] | 100 | if(ret_val->off_grp_sid == 0) |
---|
| 101 | ret_val->grp_sid = NULL; |
---|
| 102 | else |
---|
[133] | 103 | { |
---|
[147] | 104 | ret_val->grp_sid = winsec_parse_dom_sid(ret_val, buf + ret_val->off_grp_sid, |
---|
[134] | 105 | buf_len - ret_val->off_grp_sid); |
---|
| 106 | if(ret_val->grp_sid == NULL) |
---|
[133] | 107 | { |
---|
[147] | 108 | talloc_free(ret_val); |
---|
[134] | 109 | return NULL; |
---|
[133] | 110 | } |
---|
| 111 | } |
---|
[132] | 112 | |
---|
[148] | 113 | if((ret_val->control & WINSEC_DESC_SACL_PRESENT) && ret_val->off_sacl) |
---|
[133] | 114 | { |
---|
[147] | 115 | ret_val->sacl = winsec_parse_acl(ret_val, buf + ret_val->off_sacl, |
---|
[134] | 116 | buf_len - ret_val->off_sacl); |
---|
| 117 | if(ret_val->sacl == NULL) |
---|
[133] | 118 | { |
---|
[147] | 119 | talloc_free(ret_val); |
---|
[134] | 120 | return NULL; |
---|
[133] | 121 | } |
---|
| 122 | } |
---|
[148] | 123 | else |
---|
| 124 | ret_val->sacl = NULL; |
---|
[132] | 125 | |
---|
[148] | 126 | if((ret_val->control & WINSEC_DESC_DACL_PRESENT) && ret_val->off_dacl != 0) |
---|
[133] | 127 | { |
---|
[147] | 128 | ret_val->dacl = winsec_parse_acl(ret_val, buf + ret_val->off_dacl, |
---|
[134] | 129 | buf_len - ret_val->off_dacl); |
---|
| 130 | if(ret_val->dacl == NULL) |
---|
[133] | 131 | { |
---|
[147] | 132 | talloc_free(ret_val); |
---|
[134] | 133 | return NULL; |
---|
[133] | 134 | } |
---|
| 135 | } |
---|
[148] | 136 | else |
---|
| 137 | ret_val->dacl = NULL; |
---|
[132] | 138 | |
---|
[134] | 139 | return ret_val; |
---|
[132] | 140 | } |
---|
| 141 | |
---|
| 142 | |
---|
[134] | 143 | /****************************************************************************** |
---|
| 144 | * Parses a WINSEC_ACL structure and all substructures. |
---|
| 145 | ******************************************************************************/ |
---|
[147] | 146 | WINSEC_ACL* winsec_parse_acl(void* talloc_ctx, |
---|
| 147 | const uint8_t* buf, uint32_t buf_len) |
---|
[132] | 148 | { |
---|
[134] | 149 | uint32_t i, offset; |
---|
| 150 | WINSEC_ACL* ret_val; |
---|
[132] | 151 | |
---|
[134] | 152 | /* |
---|
| 153 | * Note that the size is always a multiple of 4 bytes due to the |
---|
| 154 | * nature of the data structure. |
---|
| 155 | */ |
---|
| 156 | if (buf == NULL || buf_len < 8) |
---|
| 157 | return NULL; |
---|
[148] | 158 | |
---|
[147] | 159 | if((ret_val = talloc(talloc_ctx, WINSEC_ACL)) == NULL) |
---|
| 160 | return NULL; |
---|
[134] | 161 | |
---|
| 162 | ret_val->revision = SVAL(buf, 0x0); |
---|
| 163 | ret_val->size = SVAL(buf, 0x2); |
---|
| 164 | ret_val->num_aces = IVAL(buf, 0x4); |
---|
[132] | 165 | |
---|
[134] | 166 | /* The num_aces can be at most around 4k because anything greater |
---|
| 167 | * wouldn't fit in the 16 bit size even if every ace was as small as |
---|
| 168 | * possible. |
---|
| 169 | */ |
---|
| 170 | if((ret_val->size > buf_len) || (ret_val->num_aces > 4095)) |
---|
| 171 | { |
---|
[147] | 172 | talloc_free(ret_val); |
---|
[134] | 173 | return NULL; |
---|
| 174 | } |
---|
[132] | 175 | |
---|
[134] | 176 | /* Even if the num_aces is zero, allocate memory as there's a difference |
---|
| 177 | * between a non-present DACL (allow all access) and a DACL with no ACE's |
---|
| 178 | * (allow no access). |
---|
| 179 | */ |
---|
[147] | 180 | if((ret_val->aces = talloc_array(ret_val, WINSEC_ACE*, |
---|
| 181 | ret_val->num_aces+1)) == NULL) |
---|
[133] | 182 | { |
---|
[147] | 183 | talloc_free(ret_val); |
---|
[134] | 184 | return NULL; |
---|
[133] | 185 | } |
---|
[132] | 186 | |
---|
[134] | 187 | offset = 8; |
---|
| 188 | for(i=0; i < ret_val->num_aces; i++) |
---|
| 189 | { |
---|
[147] | 190 | ret_val->aces[i] = winsec_parse_ace(ret_val->aces, |
---|
| 191 | buf+offset, buf_len-offset); |
---|
[134] | 192 | if(ret_val->aces[i] == NULL) |
---|
| 193 | { |
---|
[147] | 194 | talloc_free(ret_val); |
---|
[134] | 195 | return NULL; |
---|
| 196 | } |
---|
[132] | 197 | |
---|
[134] | 198 | offset += ret_val->aces[i]->size; |
---|
| 199 | if(offset > buf_len) |
---|
| 200 | { |
---|
[147] | 201 | talloc_free(ret_val); |
---|
[134] | 202 | return NULL; |
---|
| 203 | } |
---|
| 204 | } |
---|
[148] | 205 | ret_val->aces[ret_val->num_aces] = NULL; |
---|
[132] | 206 | |
---|
[134] | 207 | return ret_val; |
---|
[132] | 208 | } |
---|
| 209 | |
---|
| 210 | |
---|
[134] | 211 | /****************************************************************************** |
---|
| 212 | * Parses a WINSEC_ACE structure and all substructures. |
---|
| 213 | ******************************************************************************/ |
---|
[147] | 214 | WINSEC_ACE* winsec_parse_ace(void* talloc_ctx, |
---|
| 215 | const uint8_t* buf, uint32_t buf_len) |
---|
[132] | 216 | { |
---|
[134] | 217 | uint32_t offset; |
---|
| 218 | WINSEC_ACE* ret_val; |
---|
[132] | 219 | |
---|
[134] | 220 | if(buf == NULL || buf_len < WINSEC_ACE_MIN_SIZE) |
---|
| 221 | return NULL; |
---|
[132] | 222 | |
---|
[147] | 223 | if((ret_val = talloc(talloc_ctx, WINSEC_ACE)) == NULL) |
---|
[134] | 224 | return NULL; |
---|
[132] | 225 | |
---|
[134] | 226 | ret_val->type = buf[0]; |
---|
| 227 | ret_val->flags = buf[1]; |
---|
| 228 | ret_val->size = SVAL(buf, 0x2); |
---|
| 229 | ret_val->access_mask = IVAL(buf, 0x4); |
---|
[132] | 230 | |
---|
[134] | 231 | offset = 0x8; |
---|
[132] | 232 | |
---|
| 233 | /* check whether object access is present */ |
---|
[134] | 234 | if (winsec_ace_object(ret_val->type)) |
---|
[132] | 235 | { |
---|
[134] | 236 | ret_val->obj_flags = IVAL(buf, offset); |
---|
| 237 | offset += 4; |
---|
[132] | 238 | |
---|
[134] | 239 | if(ret_val->obj_flags & WINSEC_ACE_OBJECT_PRESENT) |
---|
| 240 | { |
---|
[147] | 241 | ret_val->obj_guid = winsec_parse_uuid(ret_val, |
---|
| 242 | buf+offset, buf_len-offset); |
---|
[134] | 243 | if(ret_val->obj_guid == NULL) |
---|
| 244 | { |
---|
[147] | 245 | talloc_free(ret_val); |
---|
[134] | 246 | return NULL; |
---|
| 247 | } |
---|
| 248 | offset += sizeof(WINSEC_UUID); |
---|
| 249 | } |
---|
[148] | 250 | else |
---|
| 251 | ret_val->obj_guid = NULL; |
---|
[132] | 252 | |
---|
[134] | 253 | if(ret_val->obj_flags & WINSEC_ACE_OBJECT_INHERITED_PRESENT) |
---|
| 254 | { |
---|
[147] | 255 | ret_val->inh_guid = winsec_parse_uuid(ret_val, |
---|
| 256 | buf+offset, buf_len-offset); |
---|
[134] | 257 | if(ret_val->inh_guid == NULL) |
---|
| 258 | { |
---|
[147] | 259 | talloc_free(ret_val); |
---|
[134] | 260 | return NULL; |
---|
| 261 | } |
---|
| 262 | offset += sizeof(WINSEC_UUID); |
---|
| 263 | } |
---|
[148] | 264 | else |
---|
| 265 | ret_val->inh_guid = NULL; |
---|
[134] | 266 | } |
---|
[132] | 267 | |
---|
[147] | 268 | ret_val->trustee = winsec_parse_dom_sid(ret_val, buf+offset, buf_len-offset); |
---|
[134] | 269 | if(ret_val->trustee == NULL) |
---|
| 270 | { |
---|
[147] | 271 | talloc_free(ret_val); |
---|
| 272 | return NULL; |
---|
[132] | 273 | } |
---|
[134] | 274 | |
---|
| 275 | return ret_val; |
---|
[132] | 276 | } |
---|
| 277 | |
---|
| 278 | |
---|
[134] | 279 | /****************************************************************************** |
---|
| 280 | * Parses a WINSEC_DOM_SID structure. |
---|
| 281 | ******************************************************************************/ |
---|
[147] | 282 | WINSEC_DOM_SID* winsec_parse_dom_sid(void* talloc_ctx, |
---|
| 283 | const uint8_t* buf, uint32_t buf_len) |
---|
[132] | 284 | { |
---|
[134] | 285 | uint32_t i; |
---|
| 286 | WINSEC_DOM_SID* ret_val; |
---|
[132] | 287 | |
---|
[134] | 288 | if(buf == NULL || buf_len < 8) |
---|
| 289 | return NULL; |
---|
[132] | 290 | |
---|
[147] | 291 | /* if((ret_val = (WINSEC_DOM_SID*)zalloc(sizeof(WINSEC_DOM_SID))) == NULL)*/ |
---|
| 292 | if((ret_val = talloc(talloc_ctx, WINSEC_DOM_SID)) == NULL) |
---|
[134] | 293 | return NULL; |
---|
[132] | 294 | |
---|
[134] | 295 | ret_val->sid_rev_num = buf[0]; |
---|
| 296 | ret_val->num_auths = buf[1]; |
---|
| 297 | memcpy(ret_val->id_auth, buf+2, 6); |
---|
[132] | 298 | |
---|
[134] | 299 | /* XXX: should really issue a warning here... */ |
---|
| 300 | if (ret_val->num_auths > WINSEC_MAX_SUBAUTHS) |
---|
| 301 | ret_val->num_auths = WINSEC_MAX_SUBAUTHS; |
---|
| 302 | |
---|
| 303 | if(buf_len < ret_val->num_auths*sizeof(uint32_t)+8) |
---|
[132] | 304 | { |
---|
[147] | 305 | talloc_free(ret_val); |
---|
[134] | 306 | return NULL; |
---|
[132] | 307 | } |
---|
[134] | 308 | |
---|
| 309 | for(i=0; i < ret_val->num_auths; i++) |
---|
| 310 | ret_val->sub_auths[i] = IVAL(buf, 8+i*sizeof(uint32_t)); |
---|
[132] | 311 | |
---|
[134] | 312 | return ret_val; |
---|
| 313 | } |
---|
[132] | 314 | |
---|
| 315 | |
---|
[134] | 316 | /****************************************************************************** |
---|
| 317 | * Parses a WINSEC_UUID struct. |
---|
| 318 | ******************************************************************************/ |
---|
[147] | 319 | WINSEC_UUID* winsec_parse_uuid(void* talloc_ctx, |
---|
| 320 | const uint8_t* buf, uint32_t buf_len) |
---|
[134] | 321 | { |
---|
| 322 | WINSEC_UUID* ret_val; |
---|
| 323 | |
---|
| 324 | if(buf == NULL || buf_len < sizeof(WINSEC_UUID)) |
---|
[133] | 325 | return false; |
---|
[132] | 326 | |
---|
[147] | 327 | if((ret_val = talloc(talloc_ctx, WINSEC_UUID)) == NULL) |
---|
[134] | 328 | return NULL; |
---|
| 329 | |
---|
| 330 | ret_val->time_low = IVAL(buf, 0x0); |
---|
| 331 | ret_val->time_mid = SVAL(buf, 0x4); |
---|
| 332 | ret_val->time_hi_and_version = SVAL(buf, 0x6); |
---|
| 333 | |
---|
| 334 | memcpy(ret_val->clock_seq, buf+0x8, 2); |
---|
| 335 | memcpy(ret_val->node, buf+0xB, 6); |
---|
[132] | 336 | |
---|
[134] | 337 | return ret_val; |
---|
[132] | 338 | } |
---|
| 339 | |
---|
| 340 | |
---|
[134] | 341 | /****************************************************************************** |
---|
| 342 | * Calculates the size of a SID. |
---|
| 343 | ******************************************************************************/ |
---|
| 344 | size_t winsec_sid_size(const WINSEC_DOM_SID* sid) |
---|
[132] | 345 | { |
---|
[133] | 346 | if (sid == NULL) |
---|
| 347 | return 0; |
---|
[132] | 348 | |
---|
[134] | 349 | return sid->num_auths * sizeof(uint32_t) + 8; |
---|
[133] | 350 | } |
---|
[132] | 351 | |
---|
| 352 | |
---|
[134] | 353 | /****************************************************************************** |
---|
| 354 | * Compare the auth portion of two SIDs. |
---|
| 355 | ******************************************************************************/ |
---|
| 356 | int winsec_sid_compare_auth(const WINSEC_DOM_SID* sid1, const WINSEC_DOM_SID* sid2) |
---|
[133] | 357 | { |
---|
| 358 | int i; |
---|
[132] | 359 | |
---|
[133] | 360 | if (sid1 == sid2) |
---|
| 361 | return 0; |
---|
| 362 | if (!sid1) |
---|
| 363 | return -1; |
---|
| 364 | if (!sid2) |
---|
| 365 | return 1; |
---|
[132] | 366 | |
---|
[133] | 367 | if (sid1->sid_rev_num != sid2->sid_rev_num) |
---|
| 368 | return sid1->sid_rev_num - sid2->sid_rev_num; |
---|
[132] | 369 | |
---|
[133] | 370 | for (i = 0; i < 6; i++) |
---|
| 371 | if (sid1->id_auth[i] != sid2->id_auth[i]) |
---|
| 372 | return sid1->id_auth[i] - sid2->id_auth[i]; |
---|
[132] | 373 | |
---|
[133] | 374 | return 0; |
---|
| 375 | } |
---|
[132] | 376 | |
---|
| 377 | |
---|
[134] | 378 | /****************************************************************************** |
---|
| 379 | * Compare two SIDs. |
---|
| 380 | ******************************************************************************/ |
---|
| 381 | int winsec_sid_compare(const WINSEC_DOM_SID* sid1, const WINSEC_DOM_SID* sid2) |
---|
[133] | 382 | { |
---|
| 383 | int i; |
---|
[132] | 384 | |
---|
[133] | 385 | if (sid1 == sid2) |
---|
| 386 | return 0; |
---|
| 387 | if (!sid1) |
---|
| 388 | return -1; |
---|
| 389 | if (!sid2) |
---|
| 390 | return 1; |
---|
[132] | 391 | |
---|
[133] | 392 | /* Compare most likely different rids, first: i.e start at end */ |
---|
| 393 | if (sid1->num_auths != sid2->num_auths) |
---|
| 394 | return sid1->num_auths - sid2->num_auths; |
---|
[132] | 395 | |
---|
[133] | 396 | for (i = sid1->num_auths-1; i >= 0; --i) |
---|
| 397 | if (sid1->sub_auths[i] != sid2->sub_auths[i]) |
---|
| 398 | return sid1->sub_auths[i] - sid2->sub_auths[i]; |
---|
[132] | 399 | |
---|
[134] | 400 | return winsec_sid_compare_auth(sid1, sid2); |
---|
[133] | 401 | } |
---|
[132] | 402 | |
---|
| 403 | |
---|
[134] | 404 | /****************************************************************************** |
---|
| 405 | * Compare two SIDs. |
---|
| 406 | ******************************************************************************/ |
---|
| 407 | bool winsec_sid_equal(const WINSEC_DOM_SID* sid1, const WINSEC_DOM_SID* sid2) |
---|
[133] | 408 | { |
---|
[134] | 409 | return winsec_sid_compare(sid1, sid2) == 0; |
---|
[133] | 410 | } |
---|
[132] | 411 | |
---|
| 412 | |
---|
[134] | 413 | /****************************************************************************** |
---|
| 414 | * Compares two WINSEC_DESC structures. |
---|
| 415 | ******************************************************************************/ |
---|
| 416 | bool winsec_desc_equal(WINSEC_DESC* s1, WINSEC_DESC* s2) |
---|
[133] | 417 | { |
---|
[134] | 418 | /* Trivial cases */ |
---|
| 419 | if (!s1 && !s2) |
---|
[133] | 420 | return true; |
---|
[134] | 421 | if (!s1 || !s2) |
---|
| 422 | return false; |
---|
[132] | 423 | |
---|
[134] | 424 | /* Check top level stuff */ |
---|
| 425 | if (s1->revision != s2->revision) |
---|
| 426 | return false; |
---|
[132] | 427 | |
---|
[134] | 428 | if (s1->control != s2->control) |
---|
[132] | 429 | return false; |
---|
| 430 | |
---|
[134] | 431 | /* Check owner and group */ |
---|
| 432 | if (!winsec_sid_equal(s1->owner_sid, s2->owner_sid)) |
---|
| 433 | return false; |
---|
| 434 | |
---|
| 435 | if (!winsec_sid_equal(s1->grp_sid, s2->grp_sid)) |
---|
| 436 | return false; |
---|
| 437 | |
---|
| 438 | /* Check ACLs present in one but not the other */ |
---|
| 439 | if ((s1->dacl && !s2->dacl) || (!s1->dacl && s2->dacl) || |
---|
| 440 | (s1->sacl && !s2->sacl) || (!s1->sacl && s2->sacl)) |
---|
[132] | 441 | { return false; } |
---|
| 442 | |
---|
[134] | 443 | /* Sigh - we have to do it the hard way by iterating over all |
---|
| 444 | the ACEs in the ACLs */ |
---|
| 445 | if(!winsec_acl_equal(s1->dacl, s2->dacl) || !winsec_acl_equal(s1->sacl, s2->sacl)) |
---|
[132] | 446 | return false; |
---|
| 447 | |
---|
| 448 | return true; |
---|
| 449 | } |
---|
| 450 | |
---|
| 451 | |
---|
[134] | 452 | |
---|
| 453 | /****************************************************************************** |
---|
| 454 | * Compares two WINSEC_ACL structures. |
---|
| 455 | ******************************************************************************/ |
---|
| 456 | bool winsec_acl_equal(WINSEC_ACL* s1, WINSEC_ACL* s2) |
---|
[132] | 457 | { |
---|
| 458 | unsigned int i, j; |
---|
| 459 | |
---|
| 460 | /* Trivial cases */ |
---|
| 461 | if (!s1 && !s2) |
---|
| 462 | return true; |
---|
| 463 | if (!s1 || !s2) |
---|
| 464 | return false; |
---|
| 465 | |
---|
| 466 | /* Check top level stuff */ |
---|
| 467 | if (s1->revision != s2->revision) |
---|
| 468 | return false; |
---|
| 469 | |
---|
| 470 | if (s1->num_aces != s2->num_aces) |
---|
| 471 | return false; |
---|
| 472 | |
---|
| 473 | /* The ACEs could be in any order so check each ACE in s1 against |
---|
| 474 | each ACE in s2. */ |
---|
| 475 | |
---|
[134] | 476 | for (i = 0; i < s1->num_aces; i++) |
---|
[132] | 477 | { |
---|
| 478 | bool found = false; |
---|
| 479 | |
---|
| 480 | for (j = 0; j < s2->num_aces; j++) |
---|
| 481 | { |
---|
[134] | 482 | if (winsec_ace_equal(s1->aces[i], s2->aces[j])) |
---|
[132] | 483 | { |
---|
| 484 | found = true; |
---|
| 485 | break; |
---|
| 486 | } |
---|
| 487 | } |
---|
| 488 | |
---|
| 489 | if (!found) |
---|
| 490 | return false; |
---|
| 491 | } |
---|
| 492 | |
---|
| 493 | return true; |
---|
| 494 | } |
---|
| 495 | |
---|
| 496 | |
---|
[134] | 497 | /****************************************************************************** |
---|
| 498 | * Compares two WINSEC_ACE structures. |
---|
| 499 | ******************************************************************************/ |
---|
| 500 | bool winsec_ace_equal(WINSEC_ACE* s1, WINSEC_ACE* s2) |
---|
[132] | 501 | { |
---|
| 502 | /* Trivial cases */ |
---|
[134] | 503 | if (!s1 && !s2) |
---|
[132] | 504 | return true; |
---|
[134] | 505 | if (!s1 || !s2) |
---|
[132] | 506 | return false; |
---|
| 507 | |
---|
| 508 | /* Check top level stuff */ |
---|
[134] | 509 | if (s1->type != s2->type || s1->flags != s2->flags || |
---|
| 510 | s1->access_mask != s2->access_mask) |
---|
| 511 | { return false; } |
---|
[132] | 512 | |
---|
[134] | 513 | /* Check SID */ |
---|
| 514 | if (!winsec_sid_equal(s1->trustee, s2->trustee)) |
---|
[132] | 515 | return false; |
---|
| 516 | |
---|
[134] | 517 | return true; |
---|
| 518 | } |
---|
[132] | 519 | |
---|
| 520 | |
---|
[134] | 521 | /****************************************************************************** |
---|
| 522 | * Check if ACE has OBJECT type. |
---|
| 523 | ******************************************************************************/ |
---|
| 524 | bool winsec_ace_object(uint8_t type) |
---|
| 525 | { |
---|
| 526 | if (type == WINSEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT || |
---|
| 527 | type == WINSEC_ACE_TYPE_ACCESS_DENIED_OBJECT || |
---|
| 528 | type == WINSEC_ACE_TYPE_SYSTEM_AUDIT_OBJECT || |
---|
| 529 | type == WINSEC_ACE_TYPE_SYSTEM_ALARM_OBJECT) |
---|
| 530 | { return true; } |
---|
[132] | 531 | |
---|
[134] | 532 | return false; |
---|
[132] | 533 | } |
---|