From 1bab4fdaafd5930a02ae5a0d603176720ef15220 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Fri, 24 Jul 2009 14:09:42 -0700 Subject: Fix hash function in acl_xattr to be SHA256, make the hash function selectable. Upgrade version. Compiles but not fully tested yet (coming). Make vfs_acl_tdb.c compile - this needs updating to match acl_xattr (also coming soon). Jeremy. --- librpc/gen_ndr/ndr_xattr.c | 139 ++++++++++++++++++++++++++++++++++++++------- librpc/gen_ndr/ndr_xattr.h | 9 ++- librpc/gen_ndr/xattr.h | 14 ++++- librpc/idl/xattr.idl | 15 ++++- 4 files changed, 149 insertions(+), 28 deletions(-) (limited to 'librpc') diff --git a/librpc/gen_ndr/ndr_xattr.c b/librpc/gen_ndr/ndr_xattr.c index d217a00228..3d09f00864 100644 --- a/librpc/gen_ndr/ndr_xattr.c +++ b/librpc/gen_ndr/ndr_xattr.c @@ -546,7 +546,7 @@ _PUBLIC_ void ndr_print_xattr_DosStreams(struct ndr_print *ndr, const char *name ndr->depth--; } -_PUBLIC_ enum ndr_err_code ndr_push_security_descriptor_hash(struct ndr_push *ndr, int ndr_flags, const struct security_descriptor_hash *r) +_PUBLIC_ enum ndr_err_code ndr_push_security_descriptor_hash_v2(struct ndr_push *ndr, int ndr_flags, const struct security_descriptor_hash_v2 *r) { if (ndr_flags & NDR_SCALARS) { NDR_CHECK(ndr_push_align(ndr, 4)); @@ -561,7 +561,7 @@ _PUBLIC_ enum ndr_err_code ndr_push_security_descriptor_hash(struct ndr_push *nd return NDR_ERR_SUCCESS; } -_PUBLIC_ enum ndr_err_code ndr_pull_security_descriptor_hash(struct ndr_pull *ndr, int ndr_flags, struct security_descriptor_hash *r) +_PUBLIC_ enum ndr_err_code ndr_pull_security_descriptor_hash_v2(struct ndr_pull *ndr, int ndr_flags, struct security_descriptor_hash_v2 *r) { uint32_t _ptr_sd; TALLOC_CTX *_mem_save_sd_0; 
@@ -586,9 +586,9 @@ _PUBLIC_ enum ndr_err_code ndr_pull_security_descriptor_hash(struct ndr_pull *nd return NDR_ERR_SUCCESS; } -_PUBLIC_ void ndr_print_security_descriptor_hash(struct ndr_print *ndr, const char *name, const struct security_descriptor_hash *r) +_PUBLIC_ void ndr_print_security_descriptor_hash_v2(struct ndr_print *ndr, const char *name, const struct security_descriptor_hash_v2 *r) { - ndr_print_struct(ndr, name, "security_descriptor_hash"); + ndr_print_struct(ndr, name, "security_descriptor_hash_v2"); ndr->depth++; ndr_print_ptr(ndr, "sd", r->sd); ndr->depth++; 
@@ -600,6 +600,64 @@ _PUBLIC_ void ndr_print_security_descriptor_hash(struct ndr_print *ndr, const ch ndr->depth--; } +_PUBLIC_ enum ndr_err_code ndr_push_security_descriptor_hash_v3(struct ndr_push *ndr, int ndr_flags, const struct security_descriptor_hash_v3 *r) +{ + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_push_align(ndr, 4)); + NDR_CHECK(ndr_push_unique_ptr(ndr, r->sd)); + NDR_CHECK(ndr_push_uint16(ndr, NDR_SCALARS, r->hash_type)); + NDR_CHECK(ndr_push_array_uint8(ndr, NDR_SCALARS, r->hash, XATTR_SD_HASH_SIZE)); + } + if (ndr_flags & NDR_BUFFERS) { + if (r->sd) { + NDR_CHECK(ndr_push_security_descriptor(ndr, NDR_SCALARS|NDR_BUFFERS, r->sd)); + } + } + return NDR_ERR_SUCCESS; +} + +_PUBLIC_ enum ndr_err_code ndr_pull_security_descriptor_hash_v3(struct ndr_pull *ndr, int ndr_flags, struct security_descriptor_hash_v3 *r) +{ + uint32_t _ptr_sd; + TALLOC_CTX *_mem_save_sd_0; + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 4)); + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_sd)); + if (_ptr_sd) { + NDR_PULL_ALLOC(ndr, r->sd); + } else { + r->sd = NULL; + } + NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->hash_type)); + NDR_PULL_ALLOC_N(ndr, r->hash, XATTR_SD_HASH_SIZE); + NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->hash, XATTR_SD_HASH_SIZE)); + } + if (ndr_flags & NDR_BUFFERS) { + if (r->sd) { + _mem_save_sd_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->sd, 0); + NDR_CHECK(ndr_pull_security_descriptor(ndr, NDR_SCALARS|NDR_BUFFERS, r->sd)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_sd_0, 0); + } + } + return NDR_ERR_SUCCESS; +} + +_PUBLIC_ void ndr_print_security_descriptor_hash_v3(struct ndr_print *ndr, const char *name, const struct security_descriptor_hash_v3 *r) +{ + ndr_print_struct(ndr, name, "security_descriptor_hash_v3"); + ndr->depth++; + ndr_print_ptr(ndr, "sd", r->sd); + ndr->depth++; + if (r->sd) { + ndr_print_security_descriptor(ndr, "sd", r->sd); + } + ndr->depth--; + ndr_print_uint16(ndr, "hash_type", 
r->hash_type); + ndr_print_array_uint8(ndr, "hash", r->hash, XATTR_SD_HASH_SIZE); + ndr->depth--; +} + static enum ndr_err_code ndr_push_xattr_NTACL_Info(struct ndr_push *ndr, int ndr_flags, const union xattr_NTACL_Info *r) { if (ndr_flags & NDR_SCALARS) { @@ -611,7 +669,11 @@ static enum ndr_err_code ndr_push_xattr_NTACL_Info(struct ndr_push *ndr, int ndr break; } case 2: { - NDR_CHECK(ndr_push_unique_ptr(ndr, r->sd_hs)); + NDR_CHECK(ndr_push_unique_ptr(ndr, r->sd_hs2)); + break; } + + case 3: { + NDR_CHECK(ndr_push_unique_ptr(ndr, r->sd_hs3)); break; } default: @@ -628,8 +690,14 @@ static enum ndr_err_code ndr_push_xattr_NTACL_Info(struct ndr_push *ndr, int ndr break; case 2: - if (r->sd_hs) { - NDR_CHECK(ndr_push_security_descriptor_hash(ndr, NDR_SCALARS|NDR_BUFFERS, r->sd_hs)); + if (r->sd_hs2) { + NDR_CHECK(ndr_push_security_descriptor_hash_v2(ndr, NDR_SCALARS|NDR_BUFFERS, r->sd_hs2)); + } + break; + + case 3: + if (r->sd_hs3) { + NDR_CHECK(ndr_push_security_descriptor_hash_v3(ndr, NDR_SCALARS|NDR_BUFFERS, r->sd_hs3)); } break; @@ -645,7 +713,8 @@ static enum ndr_err_code ndr_pull_xattr_NTACL_Info(struct ndr_pull *ndr, int ndr int level; uint16_t _level; TALLOC_CTX *_mem_save_sd_0; - TALLOC_CTX *_mem_save_sd_hs_0; + TALLOC_CTX *_mem_save_sd_hs2_0; + TALLOC_CTX *_mem_save_sd_hs3_0; level = ndr_pull_get_switch_value(ndr, r); if (ndr_flags & NDR_SCALARS) { NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &_level)); 
@@ -664,12 +733,22 @@ static enum ndr_err_code ndr_pull_xattr_NTACL_Info(struct ndr_pull *ndr, int ndr break; } case 2: { - uint32_t _ptr_sd_hs; - NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_sd_hs)); - if (_ptr_sd_hs) { - NDR_PULL_ALLOC(ndr, r->sd_hs); + uint32_t _ptr_sd_hs2; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_sd_hs2)); + if (_ptr_sd_hs2) { + NDR_PULL_ALLOC(ndr, r->sd_hs2); + } else { + r->sd_hs2 = NULL; + } + break; } + + case 3: { + uint32_t _ptr_sd_hs3; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_sd_hs3)); + if (_ptr_sd_hs3) { + NDR_PULL_ALLOC(ndr, r->sd_hs3); } else { - r->sd_hs = NULL; + r->sd_hs3 = NULL; } break; } @@ -689,11 +768,20 @@ static enum ndr_err_code ndr_pull_xattr_NTACL_Info(struct ndr_pull *ndr, int ndr break; case 2: - if (r->sd_hs) { - _mem_save_sd_hs_0 = NDR_PULL_GET_MEM_CTX(ndr); - NDR_PULL_SET_MEM_CTX(ndr, r->sd_hs, 0); - NDR_CHECK(ndr_pull_security_descriptor_hash(ndr, NDR_SCALARS|NDR_BUFFERS, r->sd_hs)); - NDR_PULL_SET_MEM_CTX(ndr, _mem_save_sd_hs_0, 0); + if (r->sd_hs2) { + _mem_save_sd_hs2_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->sd_hs2, 0); + NDR_CHECK(ndr_pull_security_descriptor_hash_v2(ndr, NDR_SCALARS|NDR_BUFFERS, r->sd_hs2)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_sd_hs2_0, 0); + } + break; + + case 3: + if (r->sd_hs3) { + _mem_save_sd_hs3_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->sd_hs3, 0); + NDR_CHECK(ndr_pull_security_descriptor_hash_v3(ndr, NDR_SCALARS|NDR_BUFFERS, r->sd_hs3)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_sd_hs3_0, 0); } break; 
@@ -720,10 +808,19 @@ _PUBLIC_ void ndr_print_xattr_NTACL_Info(struct ndr_print *ndr, const char *name break; case 2: - ndr_print_ptr(ndr, "sd_hs", r->sd_hs); + ndr_print_ptr(ndr, "sd_hs2", r->sd_hs2); + ndr->depth++; + if (r->sd_hs2) { + ndr_print_security_descriptor_hash_v2(ndr, "sd_hs2", r->sd_hs2); + } + ndr->depth--; + break; + + case 3: + ndr_print_ptr(ndr, "sd_hs3", r->sd_hs3); ndr->depth++; - if (r->sd_hs) { - ndr_print_security_descriptor_hash(ndr, "sd_hs", r->sd_hs); + if (r->sd_hs3) { + ndr_print_security_descriptor_hash_v3(ndr, "sd_hs3", r->sd_hs3); } ndr->depth--; break; diff --git a/librpc/gen_ndr/ndr_xattr.h b/librpc/gen_ndr/ndr_xattr.h index 610d4b3296..9bf49d00ef 100644 --- a/librpc/gen_ndr/ndr_xattr.h +++ b/librpc/gen_ndr/ndr_xattr.h 
@@ -24,9 +24,12 @@ void ndr_print_xattr_DosStream(struct ndr_print *ndr, const char *name, const st enum ndr_err_code ndr_push_xattr_DosStreams(struct ndr_push *ndr, int ndr_flags, const struct xattr_DosStreams *r); enum ndr_err_code ndr_pull_xattr_DosStreams(struct ndr_pull *ndr, int ndr_flags, struct xattr_DosStreams *r); void ndr_print_xattr_DosStreams(struct ndr_print *ndr, const char *name, const struct xattr_DosStreams *r); -enum ndr_err_code ndr_push_security_descriptor_hash(struct ndr_push *ndr, int ndr_flags, const struct security_descriptor_hash *r); -enum ndr_err_code ndr_pull_security_descriptor_hash(struct ndr_pull *ndr, int ndr_flags, struct security_descriptor_hash *r); -void ndr_print_security_descriptor_hash(struct ndr_print *ndr, const char *name, const struct security_descriptor_hash *r); +enum ndr_err_code ndr_push_security_descriptor_hash_v2(struct ndr_push *ndr, int ndr_flags, const struct security_descriptor_hash_v2 *r); +enum ndr_err_code ndr_pull_security_descriptor_hash_v2(struct ndr_pull *ndr, int ndr_flags, struct security_descriptor_hash_v2 *r); +void ndr_print_security_descriptor_hash_v2(struct ndr_print *ndr, const char *name, const struct security_descriptor_hash_v2 *r); +enum ndr_err_code ndr_push_security_descriptor_hash_v3(struct ndr_push *ndr, int ndr_flags, const struct security_descriptor_hash_v3 *r); +enum ndr_err_code ndr_pull_security_descriptor_hash_v3(struct ndr_pull *ndr, int ndr_flags, struct security_descriptor_hash_v3 *r); +void ndr_print_security_descriptor_hash_v3(struct ndr_print *ndr, const char *name, const struct security_descriptor_hash_v3 *r); void ndr_print_xattr_NTACL_Info(struct ndr_print *ndr, const char *name, const union xattr_NTACL_Info *r); enum ndr_err_code ndr_push_xattr_NTACL(struct ndr_push *ndr, int ndr_flags, const struct xattr_NTACL *r); enum ndr_err_code ndr_pull_xattr_NTACL(struct ndr_pull *ndr, int ndr_flags, struct xattr_NTACL *r); 
diff --git a/librpc/gen_ndr/xattr.h b/librpc/gen_ndr/xattr.h index 1ce58f7ec6..39f1cb0884 100644 --- a/librpc/gen_ndr/xattr.h +++ b/librpc/gen_ndr/xattr.h @@ -17,6 +17,9 @@ #define XATTR_MAX_STREAM_SIZE ( 0x4000 ) #define XATTR_MAX_STREAM_SIZE_TDB ( 0x100000 ) #define XATTR_NTACL_NAME ( "security.NTACL" ) +#define XATTR_SD_HASH_SIZE ( 64 ) +#define XATTR_SD_HASH_TYPE_NONE ( 0x0 ) +#define XATTR_SD_HASH_TYPE_SHA256 ( 0x1 ) struct xattr_DosInfo1 { uint32_t attrib; uint32_t ea_size; @@ -75,14 +78,21 @@ struct xattr_DosStreams { struct xattr_DosStream *streams;/* [unique,size_is(num_streams)] */ }/* [public] */; -struct security_descriptor_hash { +struct security_descriptor_hash_v2 { struct security_descriptor *sd;/* [unique] */ uint8_t hash[16]; }/* [public] */; +struct security_descriptor_hash_v3 { + struct security_descriptor *sd;/* [unique] */ + uint16_t hash_type; + uint8_t *hash; +}/* [public] */; + union xattr_NTACL_Info { struct security_descriptor *sd;/* [unique,case] */ - struct security_descriptor_hash *sd_hs;/* [unique,case(2)] */ + struct security_descriptor_hash_v2 *sd_hs2;/* [unique,case(2)] */ + struct security_descriptor_hash_v3 *sd_hs3;/* [unique,case(3)] */ }/* [switch_type(uint16)] */; struct xattr_NTACL {
diff --git a/librpc/idl/xattr.idl b/librpc/idl/xattr.idl
index 4191ea67ce..c2b8bb0cc2 100644
--- a/librpc/idl/xattr.idl
+++ b/librpc/idl/xattr.idl
@@ -123,14 +123,25 @@ interface xattr
 const char *XATTR_NTACL_NAME = "security.NTACL";
+ const int XATTR_SD_HASH_SIZE = 64;
+ const int XATTR_SD_HASH_TYPE_NONE = 0x0;
+ const int XATTR_SD_HASH_TYPE_SHA256 = 0x1;
+
 typedef [public] struct {
 security_descriptor *sd;
 uint8 hash[16];
- } security_descriptor_hash;
+ } security_descriptor_hash_v2; /* Hash never used in this version. */
+
+ typedef [public] struct {
+ security_descriptor *sd;
+ uint16 hash_type;
+ uint8 hash[XATTR_SD_HASH_SIZE]; /* 64 bytes hash. */
+ } security_descriptor_hash_v3;
 typedef [switch_type(uint16)] union {
 [case(1)] security_descriptor *sd;
- [case(2)] security_descriptor_hash *sd_hs;
+ [case(2)] security_descriptor_hash_v2 *sd_hs2;
+ [case(3)] security_descriptor_hash_v3 *sd_hs3;
 } xattr_NTACL_Info;
 typedef [public] struct {
-- cgit
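Review bot: The v3 `hash[XATTR_SD_HASH_SIZE]` field is 64 bytes, but SHA-256 — the only non-NONE hash type defined here — produces a 32-byte digest, so the `/* 64 bytes hash. */` comment misstates what the field holds and leaves the trailing 32 bytes undefined; whoever fills this struct must zero them before pushing, otherwise uninitialized memory is serialized into the security.NTACL xattr and a byte-wise comparison on read can spuriously fail. I would replace the comment with `uint8 hash[XATTR_SD_HASH_SIZE]; /* Digest, left-aligned and zero-padded to 64 bytes; SHA-256 fills the first 32. */`. Note also that the generated header in this same commit declares the v3 field as `uint8_t *hash` while v2 keeps a fixed `uint8_t hash[16]`, so the generated push routine copies 64 bytes from a pointer the caller must have allocated; if an in-struct fixed array was intended, the const-sized array form does not appear to produce one with this pidl. A reader of the v3 record should also treat any `hash_type` other than the values defined here as a verification failure rather than as NONE, but that check belongs in the VFS module, which is not part of this diff.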