archive
/
windows-xp
mirror of https://github.com/tongzx/nt5src
2
0
Fork 0
Code Issues Projects Releases Wiki Activity
Source code of Windows XP (NT5)
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
6 Commits
1 Branch
0 Tags
2.0 GiB
Tree: daad8a087a
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'daad8a087a'
${ noResults }
windows-xp/Source/XPSP1/NT/ds/security/services/ca/certlib/acl.cpp

424 lines
11 KiB
Raw Normal View History

Add source files
4 years ago
  1. //+--------------------------------------------------------------------------
  2. //
  3. // Microsoft Windows
  4. // Copyright (C) Microsoft Corporation, 1996 - 1999
  5. //
  6. // File: acl.cpp
  7. //
  8. // Contents: Access Control helpers for certsrv
  9. //
  10. // History: 11-16-98 petesk created
  11. // 10/99 xtan, major changes
  12. //
  13. //---------------------------------------------------------------------------
  15. #include <pch.cpp>
  16. #pragma hdrstop
  17. #include <ntdsapi.h>
  18. #define SECURITY_WIN32
  20. #include <security.h>
  21. #include <sddl.h>
  22. #include <aclapi.h>
  24. #include "certca.h"
  25. #include "cscsp.h"
  26. #include "certacl.h"
  27. #include "certsd.h"
  29. // defines
  31. const GUID GUID_APPRV_REQ = { /* 0e10c966-78fb-11d2-90d4-00c04f79dc55 */
  32. 0x0e10c966,
  33. 0x78fb,
  34. 0x11d2,
  35. {0x90, 0xd4, 0x00, 0xc0, 0x4f, 0x79, 0xdc, 0x55} };
  37. const GUID GUID_REVOKE= { /* 0e10c967-78fb-11d2-90d4-00c04f79dc55 */
  38. 0x0e10c967,
  39. 0x78fb,
  40. 0x11d2,
  41. {0x90, 0xd4, 0x00, 0xc0, 0x4f, 0x79, 0xdc, 0x55} };
  43. // Important, keep enroll GUID in sync with string define in certacl.h
  44. const GUID GUID_ENROLL = { /* 0e10c968-78fb-11d2-90d4-00c04f79dc55 */
  45. 0x0e10c968,
  46. 0x78fb,
  47. 0x11d2,
  48. {0x90, 0xd4, 0x00, 0xc0, 0x4f, 0x79, 0xdc, 0x55} };
  50. const GUID GUID_AUTOENROLL = { /* a05b8cc2-17bc-4802-a710-e7c15ab866a2 */
  51. 0xa05b8cc2,
  52. 0x17bc,
  53. 0x4802,
  54. {0xa7, 0x10, 0xe7, 0xc1, 0x5a, 0xb8, 0x66, 0xa2} };
  56. const GUID GUID_READ_DB = { /* 0e10c969-78fb-11d2-90d4-00c04f79dc55 */
  57. 0x0e10c969,
  58. 0x78fb,
  59. 0x11d2,
  60. {0x90, 0xd4, 0x00, 0xc0, 0x4f, 0x79, 0xdc, 0x55} };
  62. HRESULT
  63. myGetSDFromTemplate(
  64. IN WCHAR const *pwszStringSD,
  65. IN OPTIONAL WCHAR const *pwszReplace,
  66. OUT PSECURITY_DESCRIPTOR *ppSD)
  67. {
  68. HRESULT hr;
  69. WCHAR *pwszReplaceSD = NULL;
  70. WCHAR const *pwszFinalSD = pwszStringSD;
  72. CSASSERT(NULL != ppSD);
  74. if (NULL == ppSD)
  75. {
  76. hr = E_POINTER;
  77. _JumpError(hr, error, "null SD pointer");
  78. }
  80. if (NULL != pwszReplace)
  81. {
  82. // replace the token
  84. CSASSERT(NULL != wcsstr(pwszStringSD, L"%ws"));
  86. pwszReplaceSD = (WCHAR*)LocalAlloc(LMEM_FIXED,
  87. (wcslen(pwszStringSD) +
  88. wcslen(pwszReplace) + 1) * sizeof(WCHAR) );
  89. if (NULL == pwszReplaceSD)
  90. {
  91. hr = E_OUTOFMEMORY;
  92. _JumpError(hr, error, "LocalAlloc");
  93. }
  94. wsprintf(pwszReplaceSD, pwszStringSD, pwszReplace);
  95. pwszFinalSD = pwszReplaceSD;
  96. }
  98. // build the security descriptor including the local machine.
  99. if (!myConvertStringSecurityDescriptorToSecurityDescriptor(
  100. pwszFinalSD,
  101. SDDL_REVISION,
  102. ppSD,
  103. NULL))
  104. {
  105. hr = myHLastError();
  106. _JumpError(
  107. hr,
  108. error,
  109. "myConvertStringSecurityDescriptorToSecurityDescriptor");
  110. }
  112. DBGPRINT((DBG_SS_CERTLIBI, "security descriptor:%ws\n", pwszFinalSD));
  114. hr = S_OK;
  115. error:
  116. if (NULL != pwszReplaceSD)
  117. {
  118. LocalFree(pwszReplaceSD);
  119. }
  120. return hr;
  121. }
  123. HRESULT
  124. myGetSecurityDescriptorDacl(
  125. IN PSECURITY_DESCRIPTOR pSD,
  126. OUT PACL *ppDacl) // no free
  127. {
  128. HRESULT hr;
  129. PACL pDacl = NULL; //no free
  130. BOOL bDaclPresent = FALSE;
  131. BOOL bDaclDefaulted = FALSE;
  133. CSASSERT(NULL != ppDacl);
  135. //init
  136. *ppDacl = NULL;
  138. // get dacl pointers
  139. if (!GetSecurityDescriptorDacl(pSD,
  140. &bDaclPresent,
  141. &pDacl,
  142. &bDaclDefaulted))
  143. {
  144. hr = myHLastError();
  145. _JumpError(hr, error, "GetSecurityDescriptorDacl");
  146. }
  147. if(!bDaclPresent || (pDacl == NULL))
  148. {
  149. hr = E_UNEXPECTED;
  150. _JumpError(hr, error, "GetSecurityDescriptorDacl");
  151. }
  153. *ppDacl = pDacl;
  155. hr = S_OK;
  156. error:
  157. return hr;
  158. }
  160. HRESULT
  161. myGetSecurityDescriptorSacl(
  162. IN PSECURITY_DESCRIPTOR pSD,
  163. OUT PACL *ppSacl) // no free
  164. {
  165. HRESULT hr;
  166. PACL pSacl = NULL; //no free
  167. BOOL bSaclPresent = FALSE;
  168. BOOL bSaclDefaulted = FALSE;
  170. CSASSERT(NULL != ppSacl);
  172. //init
  173. *ppSacl = NULL;
  175. // get dacl pointers
  176. if (!GetSecurityDescriptorSacl(pSD,
  177. &bSaclPresent,
  178. &pSacl,
  179. &bSaclDefaulted))
  180. {
  181. hr = myHLastError();
  182. _JumpError(hr, error, "GetSecurityDescriptorDacl");
  183. }
  184. if(!bSaclPresent || (pSacl == NULL))
  185. {
  186. hr = E_UNEXPECTED;
  187. _JumpError(hr, error, "GetSecurityDescriptorDacl");
  188. }
  190. *ppSacl = pSacl;
  192. hr = S_OK;
  193. error:
  194. return hr;
  195. }
  197. #define CERTSRV_DACL_CONTROL_MASK SE_DACL_AUTO_INHERIT_REQ | \
  198. SE_DACL_AUTO_INHERITED | \
  199. SE_DACL_PROTECTED
  200. #define CERTSRV_SACL_CONTROL_MASK SE_SACL_AUTO_INHERIT_REQ | \
  201. SE_SACL_AUTO_INHERITED | \
  202. SE_SACL_PROTECTED
  205. // Merge parts of a new SD with an old SD based on the SI flags:
  206. // DACL_SECURITY_INFORMATION - use new SD DACL
  207. // SACL_SECURITY_INFORMATION - use new SD SACL
  208. // OWNER_SECURITY_INFORMATION - use new SD owner
  209. // GROUP_SECURITY_INFORMATION - use new SD group
  211. HRESULT
  212. myMergeSD(
  213. IN PSECURITY_DESCRIPTOR pSDOld,
  214. IN PSECURITY_DESCRIPTOR pSDMerge,
  215. IN SECURITY_INFORMATION si,
  216. OUT PSECURITY_DESCRIPTOR *ppSDNew)
  217. {
  218. HRESULT hr;
  219. PSECURITY_DESCRIPTOR pSDDaclSource =
  220. si & DACL_SECURITY_INFORMATION ? pSDMerge : pSDOld;
  221. PSECURITY_DESCRIPTOR pSDSaclSource =
  222. si & SACL_SECURITY_INFORMATION ? pSDMerge : pSDOld;
  223. PSECURITY_DESCRIPTOR pSDOwnerSource =
  224. si & OWNER_SECURITY_INFORMATION ? pSDMerge : pSDOld;
  225. PSECURITY_DESCRIPTOR pSDGroupSource =
  226. si & GROUP_SECURITY_INFORMATION ? pSDMerge : pSDOld;
  227. PSECURITY_DESCRIPTOR pSDNew = NULL;
  228. PSECURITY_DESCRIPTOR pSDNewRelative = NULL;
  229. SECURITY_DESCRIPTOR_CONTROL sdc;
  230. PACL pDacl = NULL; //no free
  231. PSID pGroupSid = NULL; //no free
  232. BOOL fGroupDefaulted = FALSE;
  233. PSID pOwnerSid = NULL; //no free
  234. BOOL fOwnerDefaulted = FALSE;
  235. DWORD dwSize;
  236. BOOL fSaclPresent = FALSE;
  237. BOOL fSaclDefaulted = FALSE;
  238. PACL pSacl = NULL; //no free
  239. DWORD dwRevision;
  241. CSASSERT(NULL != pSDOld);
  242. CSASSERT(NULL != pSDMerge);
  243. CSASSERT(NULL != ppSDNew);
  245. *ppSDNew = NULL;
  247. pSDNew = (PSECURITY_DESCRIPTOR)LocalAlloc(LMEM_FIXED,
  248. SECURITY_DESCRIPTOR_MIN_LENGTH);
  249. if (pSDNew == NULL)
  250. {
  251. hr = E_OUTOFMEMORY;
  252. _JumpError(hr, error, "LocalAlloc");
  253. }
  255. if (!InitializeSecurityDescriptor(pSDNew, SECURITY_DESCRIPTOR_REVISION))
  256. {
  257. hr = myHLastError();
  258. _JumpError(hr, error, "InitializeSecurityDescriptor");
  259. }
  261. // set SD control
  262. if (!GetSecurityDescriptorControl(pSDOld, &sdc, &dwRevision))
  263. {
  264. hr = myHLastError();
  265. _JumpError(hr, error, "GetSecurityDescriptorControl");
  266. }
  268. if (!SetSecurityDescriptorControl(
  269. pSDNew,
  270. CERTSRV_DACL_CONTROL_MASK|
  271. CERTSRV_SACL_CONTROL_MASK,
  272. sdc &
  273. (CERTSRV_DACL_CONTROL_MASK|
  274. CERTSRV_SACL_CONTROL_MASK)))
  275. {
  276. hr = myHLastError();
  277. _JumpError(hr, error, "SetSecurityDescriptorControl");
  278. }
  280. // get CA security acl info
  281. hr = myGetSecurityDescriptorDacl(
  282. pSDDaclSource,
  283. &pDacl);
  284. _JumpIfError(hr, error, "myGetDaclFromInfoSecurityDescriptor");
  286. // set new SD dacl
  287. if(!SetSecurityDescriptorDacl(pSDNew,
  288. TRUE,
  289. pDacl,
  290. FALSE))
  291. {
  292. hr = myHLastError();
  293. _JumpError(hr, error, "SetSecurityDescriptorDacl");
  294. }
  296. // set new SD group
  297. if(!GetSecurityDescriptorGroup(pSDGroupSource, &pGroupSid, &fGroupDefaulted))
  298. {
  299. hr = myHLastError();
  300. _JumpError(hr, error, "GetSecurityDescriptorGroup");
  301. }
  302. if(!SetSecurityDescriptorGroup(pSDNew, pGroupSid, fGroupDefaulted))
  303. {
  304. hr = myHLastError();
  305. _JumpError(hr, error, "SetSecurityDescriptorGroup");
  306. }
  308. // set new SD owner
  309. if(!GetSecurityDescriptorOwner(pSDOwnerSource, &pOwnerSid, &fOwnerDefaulted))
  310. {
  311. hr = myHLastError();
  312. _JumpError(hr, error, "GetSecurityDescriptorGroup");
  313. }
  314. if(!SetSecurityDescriptorOwner(pSDNew, pOwnerSid, fOwnerDefaulted))
  315. {
  316. hr = myHLastError();
  317. _JumpError(hr, error, "SetSecurityDescriptorGroup");
  318. }
  320. // set new SD sacl
  321. if(!GetSecurityDescriptorSacl(pSDSaclSource, &fSaclPresent, &pSacl, &fSaclDefaulted))
  322. {
  323. hr = myHLastError();
  324. _JumpError(hr, error, "GetSecurityDescriptorSacl");
  325. }
  326. if(!SetSecurityDescriptorSacl(pSDNew, fSaclPresent, pSacl, fSaclDefaulted))
  327. {
  328. hr = myHLastError();
  329. _JumpError(hr, error, "SetSecurityDescriptorSacl");
  330. }
  332. if (!IsValidSecurityDescriptor(pSDNew))
  333. {
  334. hr = myHLastError();
  335. _JumpError(hr, error, "IsValidSecurityDescriptor");
  336. }
  338. dwSize = GetSecurityDescriptorLength(pSDNew);
  339. pSDNewRelative = (PSECURITY_DESCRIPTOR)LocalAlloc(LMEM_FIXED, dwSize);
  340. if(pSDNewRelative == NULL)
  341. {
  342. hr = E_OUTOFMEMORY;
  343. _JumpError(hr, error, "LocalAlloc");
  344. }
  346. if(!MakeSelfRelativeSD(pSDNew, pSDNewRelative, &dwSize))
  347. {
  348. hr = myHLastError();
  349. _JumpError(hr, error, "LocalAlloc");
  350. }
  352. if (!IsValidSecurityDescriptor(pSDNewRelative))
  353. {
  354. hr = myHLastError();
  355. _JumpError(hr, error, "IsValidSecurityDescriptor");
  356. }
  358. *ppSDNew = pSDNewRelative;
  359. pSDNewRelative = NULL;
  360. hr = S_OK;
  361. error:
  362. if(pSDNew)
  363. {
  364. LocalFree(pSDNew);
  365. }
  366. if(pSDNewRelative)
  367. {
  368. LocalFree(pSDNewRelative);
  369. }
  370. return hr;
  371. }
  374. HRESULT
  375. UpdateServiceSacl(bool fTurnOnAuditing)
  376. {
  377. HRESULT hr = S_OK;
  378. PSECURITY_DESCRIPTOR pSaclSD = NULL;
  379. PACL pSacl = NULL; // no free
  380. bool fPrivilegeEnabled = false;
  382. hr = myGetSDFromTemplate(
  383. fTurnOnAuditing?
  384. CERTSRV_SERVICE_SACL_ON:
  385. CERTSRV_SERVICE_SACL_OFF,
  386. NULL, // no insertion string
  387. &pSaclSD);
  388. _JumpIfError(hr, error, "myGetSDFromTemplate");
  390. hr = myGetSecurityDescriptorSacl(
  391. pSaclSD,
  392. &pSacl);
  393. _JumpIfError(hr, error, "myGet");
  396. hr = myEnablePrivilege(SE_SECURITY_NAME, TRUE);
  397. _JumpIfError(hr, error, "myEnablePrivilege");
  399. fPrivilegeEnabled = true;
  401. hr = SetNamedSecurityInfo(
  402. wszSERVICE_NAME,
  403. SE_SERVICE,
  404. SACL_SECURITY_INFORMATION,
  405. NULL,
  406. NULL,
  407. NULL,
  408. pSacl);
  409. if(ERROR_SUCCESS != hr)
  410. {
  411. hr = myHError(hr);
  412. _JumpError(hr, error, "SetNamedSecurityInfo");
  413. }
  415. error:
  417. if(fPrivilegeEnabled)
  418. {
  419. myEnablePrivilege(SE_SECURITY_NAME, FALSE);
  420. }
  421. LOCAL_FREE(pSaclSD);
  422. return hr;
  423. }