From: Andrew Bartlett
Date: Tue, 19 Sep 2023 21:31:31 +0000 (+1200)
Subject: conditional_aces: Avoid manual parsing for ace_condition_sid
X-Git-Tag: tevent-0.16.0~415
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=94d1cfbd85b60fc2f8495bd3c46377aa8564d074;p=thirdparty%2Fsamba.git
conditional_aces: Avoid manual parsing for ace_condition_sid
Signed-off-by: Andrew Bartlett
Reviewed-by: Douglas Bagnall
---
diff --git a/libcli/security/claims-conversions.c b/libcli/security/claims-conversions.c
index 655f07fb94a..176d23567d6 100644
--- a/libcli/security/claims-conversions.c
+++ b/libcli/security/claims-conversions.c
@@ -152,7 +152,7 @@ static bool claim_v1_sid_to_ace_sid(
 }
 result->type = CONDITIONAL_ACE_TOKEN_SID;
- result->data.sid.sid = sid;
+ result->data.sid.sid = *sid;
 return true;
 }
@@ -370,7 +370,7 @@ static bool ace_sid_to_claim_v1_sid(TALLOC_CTX *mem_ctx,
 {
 /* claim_v1 sid is an "S-1-*" string data blob, not struct dom_sid. */
 DATA_BLOB *blob = NULL;
- char *s = dom_sid_string(mem_ctx, tok->data.sid.sid);
+ char *s = dom_sid_string(mem_ctx, &tok->data.sid.sid);
 if (s == NULL) {
 return false;
 }
diff --git a/libcli/security/conditional_ace.c b/libcli/security/conditional_ace.c
index 169e024605f..569bdd82696 100644
--- a/libcli/security/conditional_ace.c
+++ b/libcli/security/conditional_ace.c
@@ -18,6 +18,7 @@
 #include "replace.h"
 #include "librpc/gen_ndr/ndr_security.h"
+#include "librpc/gen_ndr/ndr_conditional_ace.h"
 #include "librpc/gen_ndr/conditional_ace.h"
 #include "libcli/security/security.h"
 #include "libcli/security/conditional_ace.h"
@@ -264,25 +265,21 @@ static ssize_t pull_sid(TALLOC_CTX *mem_ctx,
 uint8_t *data, size_t length,
 struct ace_condition_sid *tok)
 {
- uint32_t tok_length;
- ssize_t sidlen;
- if (length < 4) {
- return -1;
- }
- tok_length = PULL_LE_U32(data, 0);
- if (tok_length > length - 4) {
- return -1;
- }
- tok->sid = talloc(mem_ctx, struct dom_sid);
- if (tok->sid == NULL) {
+ ssize_t bytes_used;
+ enum ndr_err_code ndr_err;
+ DATA_BLOB v = data_blob_const(data, length);
+ struct ndr_pull *ndr = ndr_pull_init_blob(&v, mem_ctx);
+ if (ndr == NULL) {
 return -1;
 }
- sidlen = sid_parse(data + 4, tok_length, tok->sid);
- if (sidlen == -1) {
- talloc_free(tok->sid);
+ ndr_err = ndr_pull_ace_condition_sid(ndr, NDR_SCALARS|NDR_BUFFERS, tok);
+ if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
+ TALLOC_FREE(ndr);
 return -1;
 }
- return tok_length + 4;
+ bytes_used = ndr->offset;
+ TALLOC_FREE(ndr);
+ return bytes_used;
 }
 static ssize_t push_sid(uint8_t *data, size_t available,
@@ -290,22 +287,19 @@ static ssize_t push_sid(uint8_t *data, size_t available,
 {
 enum ndr_err_code ndr_err;
 DATA_BLOB v;
- ssize_t total_length;
 ndr_err = ndr_push_struct_blob(&v, NULL,
- tok->sid,
- (ndr_push_flags_fn_t)ndr_push_dom_sid);
+ tok,
+ (ndr_push_flags_fn_t)ndr_push_ace_condition_sid);
 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
 return -1;
 }
- total_length = v.length + 4;
- if (available < total_length) {
+ if (available < v.length) {
 talloc_free(v.data);
 return -1;
 }
- PUSH_LE_U32(data, 0, v.length);
- memcpy(data + 4, v.data, v.length);
+ memcpy(data, v.data, v.length);
 talloc_free(v.data);
- return total_length;
+ return v.length;
 }
@@ -904,7 +898,7 @@ static bool member_lookup(
 bool arg_is_a_single_sid;
 struct dom_sid *sid_array = NULL;
 size_t num_sids, i, j;
- struct dom_sid *sid = NULL;
+ const struct dom_sid *sid = NULL;
 result->type = CONDITIONAL_ACE_SAMBA_RESULT_BOOL;
 result->data.result.value = ACE_CONDITION_UNKNOWN;
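Review bot: On the NDR failure path of pull_sid, `tok->sid` is now an embedded `struct dom_sid` that `ndr_pull_ace_condition_sid` may already have partially written before rejecting the input, whereas the removed code freed the freshly allocated `tok->sid` and left `tok` untouched; callers that propagate the -1 are fine, but nothing in the hunk records that `tok` is undefined after a failure. I'd put a comment above the call, `/* On failure tok->sid may be partially written; callers must discard tok. */`. It is also worth noting, in a comment on `bytes_used = ndr->offset;`, that just like the old `return tok_length + 4` (which ignored `sidlen` except for -1) the returned length covers the whole 4-byte-prefixed subcontext, so any bytes after the SID inside the declared length are presumably consumed silently by the subcontext end rather than rejected — confirm against `ndr_pull_subcontext_end` (and `LIBNDR_FLAG_SUBCONTEXT_NO_UNREAD_BYTES`) if strict parsing is wanted, since this is an attacker-controlled security descriptor. The push_sid and member_lookup hunks on the same line look consistent with the by-value change.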
@@ -973,7 +967,7 @@ static bool member_lookup(
 * In this case the any and all operations are the
 * same.
 */
- sid = arg->data.sid.sid;
+ sid = &arg->data.sid.sid;
 match = false;
 for (i = 0; i < num_sids; i++) {
 match = dom_sid_equal(sid, &sid_array[i]);
@@ -1007,7 +1001,7 @@ static bool member_lookup(
 j, member->type);
 return false;
 }
- sid = member->data.sid.sid;
+ sid = &member->data.sid.sid;
 match = false;
 for (i = 0; i < num_sids; i++) {
 match = dom_sid_equal(sid, &sid_array[i]);
@@ -1397,8 +1391,8 @@ static bool compare_sids(const struct ace_condition_token *op,
 const struct ace_condition_token *rhs,
 int *cmp)
 {
- *cmp = dom_sid_compare(lhs->data.sid.sid,
- rhs->data.sid.sid);
+ *cmp = dom_sid_compare(&lhs->data.sid.sid,
+ &rhs->data.sid.sid);
 return true;
 }
diff --git a/libcli/security/sddl_conditional_ace.c b/libcli/security/sddl_conditional_ace.c
index 9844039e9d2..1349a7fbf3b 100644
--- a/libcli/security/sddl_conditional_ace.c
+++ b/libcli/security/sddl_conditional_ace.c
@@ -560,7 +560,7 @@ char *debug_conditional_ace(TALLOC_CTX *mem_ctx,
 break;
 case CONDITIONAL_ACE_TOKEN_SID:
 utf8 = sddl_encode_sid(mem_ctx,
- tok->data.sid.sid,
+ &tok->data.sid.sid,
 NULL);
 snprintf(line, sizeof(line),
 "%s (%s)\n",
@@ -883,7 +883,7 @@ static bool sddl_write_sid(struct sddl_write_context *ctx,
 bool ok;
 char *sddl = NULL;
 char *sid = sddl_encode_sid(ctx->mem_ctx,
- tok->data.sid.sid,
+ &tok->data.sid.sid,
 NULL);
 if (sid == NULL) {
 return false;
@@ -2019,7 +2019,7 @@ static bool parse_sid(struct ace_condition_sddl_compiler_context *comp)
 comp->offset++;
 }
 token.type = CONDITIONAL_ACE_TOKEN_SID;
- token.data.sid.sid = sid;
+ token.data.sid.sid = *sid;
 return write_sddl_token(comp, token);
 }
@@ -3167,7 +3167,7 @@ static bool write_resource_attr_from_token(struct sddl_write_context *ctx,
 case CONDITIONAL_ACE_TOKEN_SID:
 /* unlike conditional ACE, SID does not had "SID()" wrapper. */
- sid = sddl_encode_sid(ctx->mem_ctx, tok->data.sid.sid, NULL);
+ sid = sddl_encode_sid(ctx->mem_ctx, &tok->data.sid.sid, NULL);
 if (sid == NULL) {
 return false;
 }
diff --git a/libcli/security/wscript_build b/libcli/security/wscript_build
index d02c1e44ab5..34e79f1d09e 100644
--- a/libcli/security/wscript_build
+++ b/libcli/security/wscript_build
@@ -10,7 +10,7 @@ bld.SAMBA_LIBRARY('samba-security',
 'util_sid.c', 'session.c', 'secdesc.c',
 'conditional_ace.c', 'sddl_conditional_ace.c',
 'claims-conversions.c'],
- private_library=True, deps='talloc ndr NDR_SECURITY')
+ private_library=True, deps='talloc ndr NDR_SECURITY NDR_CONDITIONAL_ACE')
 pytalloc_util = bld.pyembed_libname('pytalloc-util')
 bld.SAMBA_PYTHON('pysecurity',
diff --git a/librpc/idl/conditional_ace.idl b/librpc/idl/conditional_ace.idl
index 84d51a0c4c4..fc97d75189a 100644
--- a/librpc/idl/conditional_ace.idl
+++ b/librpc/idl/conditional_ace.idl
@@ -264,8 +264,6 @@ interface conditional_ace
 /*
 * Sub-structures for struct ace_condition_token -> data,
 * which vary according to the token->type.
- *
- * These are not used on the wire.
 */
 typedef [flag(NDR_NOALIGN)] struct {
 int64 value;
@@ -287,8 +285,8 @@ interface conditional_ace
 uint32 length;
 } ace_condition_bytes;
- typedef struct {
- dom_sid *sid;
+ typedef [public] struct {
+ [subcontext(4)] dom_sid sid;
 } ace_condition_sid;
 /*
diff --git a/librpc/wscript_build b/librpc/wscript_build
index 3cbb5ff78e6..3ba7ce23082 100644
--- a/librpc/wscript_build
+++ b/librpc/wscript_build
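Review bot: The new `ace_condition_sid` typedef in the second conditional_ace.idl hunk is declared `[public]` without the `[flag(NDR_NOALIGN)]` that the sibling sub-structure at the end of the first hunk carries, so as far as I can tell the generated pull/push will apply NDR alignment to the 4-byte length word and the embedded `dom_sid` relative to the start of the stream. That is harmless only while pull_sid/push_sid always run it on a fresh blob whose offset starts at 0, which is how this commit uses it; if the struct were ever pulled in place from the larger token stream, alignment padding would silently change the wire layout, and the removed "These are not used on the wire" comment no longer warns anyone. I'd either write `typedef [public,flag(NDR_NOALIGN)] struct {` for consistency with its neighbours, or replace the removed note with one stating the assumption, e.g. `/* ace_condition_sid is (un)marshalled only via its own blob starting at offset 0. */`. The enclosing `interface conditional_ace` block starts and ends outside the hunk.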
@@ -448,6 +448,11 @@ bld.SAMBA_SUBSYSTEM('NDR_WINSTATION',
 public_deps='ndr'
 )
+bld.SAMBA_SUBSYSTEM('NDR_CONDITIONAL_ACE',
+ source='gen_ndr/ndr_conditional_ace.c',
+ public_deps='ndr'
+ )
+
 bld.SAMBA_SUBSYSTEM('RPC_NDR_ATSVC',
 source='gen_ndr/ndr_atsvc_c.c',
 public_deps='dcerpc-binding NDR_ATSVC'