1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-22 13:34:15 +03:00

libcli/security: add a parser for resource attribute ACE byte strings

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This commit is contained in:
Douglas Bagnall 2023-11-02 15:28:15 +13:00 committed by Andrew Bartlett
parent 9ef71399ce
commit 38e7b4dcbd
3 changed files with 98 additions and 6 deletions

View File

@ -1937,6 +1937,88 @@ static bool parse_octet_string(struct ace_condition_sddl_compiler_context *comp)
}
static bool parse_ra_octet_string(struct ace_condition_sddl_compiler_context *comp)
{
/*
* Resource attribute octet strings resemble conditional ace octet
* strings, but have some important differences:
*
* 1. The '#' at the start is optional, and if present is
* counted as a zero.
*
* 2. An odd number of characters is implicitly left-padded with a zero.
*
* That is, "abc" means "0abc", "#12" means "0012", "f##"
* means "0f00", and "##" means 00.
*/
struct ace_condition_token token = {};
size_t string_length, bytes_length, i, j;
bool ok;
char pair[2];
string_length = strspn((const char*)(comp->sddl + comp->offset),
"#0123456789abcdefABCDEF");
bytes_length = (string_length + 1) / 2;
if (bytes_length == 0) {
comp_error(comp, "zero length octet bytes");
return false;
}
token.data.bytes = data_blob_talloc_zero(comp->mem_ctx, bytes_length);
if (token.data.bytes.data == NULL) {
return false;
}
token.type = CONDITIONAL_ACE_TOKEN_OCTET_STRING;
j = comp->offset;
i = 0;
if (string_length & 1) {
/*
* An odd number of characters means the first
* character gains an implicit 0 for the high nybble.
*/
pair[0] = 0;
pair[1] = (comp->sddl[0] == '#') ? '0' : comp->sddl[0];
ok = hex_byte(pair, &token.data.bytes.data[i]);
if (!ok) {
goto fail;
}
j++;
i++;
}
for (; i < bytes_length; i++) {
/*
* Why not just strhex_to_str() ?
*
* Because we need to treat '#' as '0' in octet string values.
*/
if (comp->length - j < 2) {
goto fail;
}
pair[0] = (comp->sddl[j] == '#') ? '0' : comp->sddl[j];
pair[1] = (comp->sddl[j + 1] == '#') ? '0' : comp->sddl[j + 1];
ok = hex_byte(pair, &token.data.bytes.data[i]);
if (!ok) {
goto fail;
}
j += 2;
}
comp->offset = j;
return write_sddl_token(comp, token);
fail:
comp_error(comp, "inexplicable error in octet string");
talloc_free(token.data.bytes.data);
return false;
}
static bool parse_sid(struct ace_condition_sddl_compiler_context *comp)
{
struct dom_sid *sid = NULL;
@ -2945,7 +3027,7 @@ static bool parse_resource_attr_list(
}
switch(attr_type_char) {
case 'X':
ok = parse_octet_string(comp);
ok = parse_ra_octet_string(comp);
break;
case 'S':
ok = parse_unicode(comp);
@ -3023,7 +3105,9 @@ struct CLAIM_SECURITY_ATTRIBUTE_RELATIVE_V1 *sddl_decode_resource_attr (
* TX-attr = "TX" "," attr-flags *("," octet-string)
* TB-attr = "TB" "," attr-flags *("," ( "0" / "1" ) )
*
* and the data types are all parsed in the SDDL way.
* and the data types are *mostly* parsed in the SDDL way,
* though there are significant differences for octet-strings.
*
* At this point we only have the "(«attribute-data»)".
*
* What we do is set up a conditional ACE compiler to be expecting a

View File

@ -1,2 +1 @@
samba.unittests.sddl_conditional_ace.test_full_sddl_ra_escapes
samba.unittests.run_conditional_ace.test_user_attr_any_of_missing_user_attr
samba.unittests.sddl_conditional_ace.test_full_sddl_ra_encode

View File

@ -1,4 +1,13 @@
^samba.tests.security_descriptors.+SDDLvsDescriptorRegistryObjectRights.+
^samba.tests.security_descriptors.+SDDLvsDescriptorShortOrdinaryAclsNoMungeV4.+
^samba.tests.security_descriptors.+SDDLvsDescriptorOverSizeAcls.+
^samba.tests.security_descriptors.+SDDLvsDescriptorShortConditionalAndResourceAcesTxIntegers.+
samba.tests.security_descriptors.+SDDLvsDescriptorOverSizeAcls.test_sddl_vs_sd_001
samba.tests.security_descriptors.+SDDLvsDescriptorOverSizeAcls.test_sddl_vs_sd_002
samba.tests.security_descriptors.+SDDLvsDescriptorOverSizeAcls.test_sddl_vs_sd_003
samba.tests.security_descriptors.+SDDLvsDescriptorOverSizeAcls.test_sddl_vs_sd_004
samba.tests.security_descriptors.+SDDLvsDescriptorOverSizeAcls.test_sddl_vs_sd_016
samba.tests.security_descriptors.+SDDLvsDescriptorOverSizeAcls.test_sddl_vs_sd_017
samba.tests.security_descriptors.+SDDLvsDescriptorOverSizeAcls.test_sddl_vs_sd_018
samba.tests.security_descriptors.+SDDLvsDescriptorOverSizeAcls.test_sddl_vs_sd_019
samba.tests.security_descriptors.+SDDLvsDescriptorOverSizeAcls.test_sddl_vs_sd_020