diff options
| author | Philipp Gesang <phg@phi-gamma.net> | 2018-11-07 23:40:26 +0100 |
|---|---|---|
| committer | Philipp Gesang <phg@phi-gamma.net> | 2018-11-07 23:40:32 +0100 |
| commit | 010d9d9d7f82e6d880da646c810492618476ee32 (patch) | |
| tree | 6f356707ca0019da3e27dc62377b379656be5c68 | |
| parent | 39b9f77dbccecad50fb355cffb0e8e432e28f825 (diff) | |
| download | ocaml-sid-010d9d9d7f82e6d880da646c810492618476ee32.tar.gz | |
sid: sid_test: make subauthorities mandatory
Both the constructor “Sid.create” and the string format parser must
reject inputs lacking a subauthorities array of at least size one. Since
the array is no longer optional, reorder the the constructor arguments
to match the data representation.
It is still possible to create SIDs without subauthorities via the
“Sid.create_unsafe” constructor. Also, the packet representation will
happily accept them because their definition (as well as that that of
the identical RPC version) does not specify a minimum count.
This is all rather ambiguous and exacerbated by the fact that [MS-DTYP]
happily specifies an invalid SID “S-1-5” as the “NT_AUTHORITY”. However,
both the grammar and the Win API “ConvertStringSidToSidA()” function
reject SA-less inputs as invalid, so we should too.
| -rw-r--r-- | misc/nix-ocaml-shell.nix | 1 | ||||
| -rw-r--r-- | sid.ml | 288 | ||||
| -rw-r--r-- | sid.mli | 56 | ||||
| -rw-r--r-- | sid_test.ml | 30 | ||||
| -rwxr-xr-x | util/sidparse_test.sh | 6 |
5 files changed, 207 insertions, 174 deletions
diff --git a/misc/nix-ocaml-shell.nix b/misc/nix-ocaml-shell.nix index 316f156..8a61a5b 100644 --- a/misc/nix-ocaml-shell.nix +++ b/misc/nix-ocaml-shell.nix @@ -3,6 +3,7 @@ with import <nixpkgs> {}; let libs = [ autoconf + gmp bubblewrap binutils curl @@ -14,16 +14,17 @@ let max_ident_auth = U64.of_string "0x0000_ffff_ffff_ffff" let sizeof_sub_auth = 4 let max_subauth_count = 15 -let create_unsafe sa ia = +let create_unsafe ia sa = { sid_ident_auth = ia ; sid_sub_auths = sa } (* There isn’t much to validate to begin with except for the hard cap on the number of subauths. *) -let create ?(sa=[||]) ia = - if Array.length sa > max_subauth_count then None else +let create ia sa = + let nsa = Array.length sa in + if nsa < 1 || max_subauth_count < nsa then None else if U64.compare ia max_ident_auth > 0 then None else - Some (create_unsafe sa ia) + Some (create_unsafe ia sa) let get_ident_auth s = s.sid_ident_auth let get_sub_auths s = s.sid_sub_auths @@ -101,8 +102,23 @@ module StringFmt = struct s i s.[i])) done; Bytes.blit_string s (p+2) b 2 12; - p + ident_auth_hexlen, - U64.of_string (Bytes.unsafe_to_string b) + let ia = U64.of_string (Bytes.unsafe_to_string b) in + if ia < ident_auth_hexmin then + raise + (Invalid_argument + (Printf.sprintf + "input malformed: identifier authority less than 2³² must \ + not be hex-encoded (value=%s)" + (U64.to_string ia))) + else if ia > max_ident_auth then + raise (Invalid_argument + (Printf.sprintf + "Invalid SID: identifier authority (value=%s) cannot fit \ + 6 B (%s)" + (U64.to_string ia) (U64.to_string max_ident_auth))) + else + p + ident_auth_hexlen, + ia let ident_auth_decimal s p = let p, ia = read_decimal_u64 s p in @@ -119,16 +135,7 @@ module StringFmt = struct let r = String.length s - p in if r < ident_auth_hexlen then ident_auth_decimal s p else (* hex can’t fit *) match s.[p], s.[p+1] with - | '0', 'x' -> - (let p, ia = read_ident_auth_hex s p in - if ia < ident_auth_hexmin then - raise - (Invalid_argument - (Printf.sprintf - "input malformed: identifier authority less than 2³² must \ - not be hex-encoded (value=%s)" - (U64.to_string ia))) else - p, ia) + | '0', 'x' -> read_ident_auth_hex s p | _ -> ident_auth_decimal s p (* @@ -150,14 +157,17 @@ module StringFmt = struct expect_char s '-' 3; let p = 4 in let p, ia = read_ident_auth s p in - if ia > max_ident_auth then + if p = n || s.[p] <> '-' then raise (Invalid_argument (Printf.sprintf - "Invalid SID: identifier authority cannot fit 6 B (%s)" - (U64.to_string max_ident_auth))); + "Invalid SID: error parsing SID [%s] at position %d, \ + grammar mandates at least one subauthority" + s p)) else let sa = ref [] and p' = ref p in - while !p' < n - 1 && List.length !sa < max_subauth_count do - expect_char s '-' !p'; + while !p' < n - 1 + && List.length !sa < max_subauth_count + && s.[!p'] = '-' + do let np, d = try read_decimal_u32 s (!p' + 1) with Invalid_argument e -> @@ -319,139 +329,139 @@ module WellKnown = struct * see also * https://docs.microsoft.com/en-us/windows/desktop/secauthz/well-known-sids *) - let null = cu [| U32.zero |] U64.zero - let everyone = cu [| U32.zero |] U64.one + let null = cu U64.zero [| U32.zero |] + let everyone = cu U64.one [| U32.zero |] let world = everyone (* 1-2-… *) - let local = cu [| U32.zero |] (U64.of_int 2) - let console_logon = cu [| U32.one |] (U64.of_int 2) + let local = cu (U64.of_int 2) [| U32.zero |] + let console_logon = cu (U64.of_int 2) [| U32.one |] (* 1-3-… *) - let creator_owner_id = cu [| U32.zero |] (U64.of_int 3) - let creator_group_id = cu [| U32.one |] (U64.of_int 3) - let creator_owner_server = cu [| U32.of_int 2 |] (U64.of_int 3) - let creator_group_server = cu [| U32.of_int 3 |] (U64.of_int 3) - let owner_rights = cu [| U32.of_int 4 |] (U64.of_int 3) - let elite = cu [| U32.of_int 3 ; U32.of_int 3; U32.of_int 7 |] U64.one + let creator_owner_id = cu (U64.of_int 3) [| U32.zero |] + let creator_group_id = cu (U64.of_int 3) [| U32.one |] + let creator_owner_server = cu (U64.of_int 3) [| U32.of_int 2 |] + let creator_group_server = cu (U64.of_int 3) [| U32.of_int 3 |] + let owner_rights = cu (U64.of_int 3) [| U32.of_int 4 |] + let elite = cu U64.one [| U32.of_int 3 ; U32.of_int 3; U32.of_int 7 |] (* 1-5-… *) - let nt_authority = cu [| |] (U64.of_int 5) - let dialup = cu [| U32.one |] (U64.of_int 5) - let network = cu [| U32.of_int 2 |] (U64.of_int 5) - let batch = cu [| U32.of_int 3 |] (U64.of_int 5) - let interactive = cu [| U32.of_int 4 |] (U64.of_int 5) - let logon_id = cu [| U32.of_int 5 |] (U64.of_int 5) - let service = cu [| U32.of_int 6 |] (U64.of_int 5) - let anonymous = cu [| U32.of_int 7 |] (U64.of_int 5) - let proxy = cu [| U32.of_int 8 |] (U64.of_int 5) - let enterprise_domain_controllers = cu [| U32.of_int 9 |] (U64.of_int 5) - let principal_self = cu [| U32.of_int 10 |] (U64.of_int 5) - let authenticated_users = cu [| U32.of_int 11 |] (U64.of_int 5) - let restricted_code = cu [| U32.of_int 12 |] (U64.of_int 5) - let terminal_server_user = cu [| U32.of_int 13 |] (U64.of_int 5) - let remote_interactive_logon = cu [| U32.of_int 14 |] (U64.of_int 5) - let this_organisation = cu [| U32.of_int 15 |] (U64.of_int 5) - let iusr = cu [| U32.of_int 17 |] (U64.of_int 5) - let local_system = cu [| U32.of_int 18 |] (U64.of_int 5) - let local_service = cu [| U32.of_int 19 |] (U64.of_int 5) - let network_service = cu [| U32.of_int 20 |] (U64.of_int 5) - - let compounded_authentication = cu [| sa 21; U32.zero; U32.zero; U32.zero; sa 496 |] (ia 5) - let claims_valid = cu [| sa 21; U32.zero; U32.zero; U32.zero; sa 497 |] (ia 5) - - let administrator machine = cu [| sa 21; machine; sa 500 |] (ia 5) - let guest machine = cu [| sa 21; machine; sa 501 |] (ia 5) - let krbtgt domain = cu [| sa 21; domain; sa 502 |] (ia 5) - let domain_admins domain = cu [| sa 21; domain; sa 512 |] (ia 5) - let domain_users domain = cu [| sa 21; domain; sa 513 |] (ia 5) - let domain_guests domain = cu [| sa 21; domain; sa 514 |] (ia 5) - let domain_computers domain = cu [| sa 21; domain; sa 515 |] (ia 5) - let domain_domain_controllers domain = cu [| sa 21; domain; sa 516 |] (ia 5) - let cert_publishers domain = cu [| sa 21; domain; sa 517 |] (ia 5) - let schema_administrators root_domain = cu [| sa 21; root_domain; sa 518 |] (ia 5) - let enterprise_admins root_domain = cu [| sa 21; root_domain; sa 519 |] (ia 5) - let group_policy_creator_owners domain = cu [| sa 21; domain; sa 520 |] (ia 5) - let readonly_domain_controllers domain = cu [| sa 21; domain; sa 521 |] (ia 5) - let cloneable_controllers domain = cu [| sa 21; domain; sa 522 |] (ia 5) - let protected_users domain = cu [| sa 21; domain; sa 525 |] (ia 5) - let key_admins domain = cu [| sa 21; domain; sa 526 |] (ia 5) - let enterprise_key_admins domain = cu [| sa 21; domain; sa 527 |] (ia 5) - let ras_servers domain = cu [| sa 21; domain; sa 553 |] (ia 5) - let allowed_rodc_password_replication_group domain = cu [| sa 21; domain; sa 571 |] (ia 5) - let denied_rodc_password_replication_group domain = cu [| sa 21; domain; sa 572 |] (ia 5) - - let builtin_administrators = cu [| sa 32; sa 544 |] (ia 5) - let builtin_users = cu [| sa 32; sa 545 |] (ia 5) - let builtin_guests = cu [| sa 32; sa 546 |] (ia 5) - let power_users = cu [| sa 32; sa 547 |] (ia 5) - let account_operators = cu [| sa 32; sa 548 |] (ia 5) - let server_operators = cu [| sa 32; sa 549 |] (ia 5) - let printer_operators = cu [| sa 32; sa 550 |] (ia 5) - let backup_operators = cu [| sa 32; sa 551 |] (ia 5) - let replicator = cu [| sa 32; sa 552 |] (ia 5) - let alias_prew2kcompacc = cu [| sa 32; sa 554 |] (ia 5) - let remote_desktop = cu [| sa 32; sa 555 |] (ia 5) - let network_configuration_ops = cu [| sa 32; sa 556 |] (ia 5) - let incoming_forest_trust_builders = cu [| sa 32; sa 557 |] (ia 5) - let perfmon_users = cu [| sa 32; sa 558 |] (ia 5) - let perflog_users = cu [| sa 32; sa 559 |] (ia 5) - let windows_authorization_access_group = cu [| sa 32; sa 560 |] (ia 5) - let terminal_server_license_servers = cu [| sa 32; sa 561 |] (ia 5) - let distributed_com_users = cu [| sa 32; sa 562 |] (ia 5) - let iis_iusrs = cu [| sa 32; sa 568 |] (ia 5) - let cryptographic_operators = cu [| sa 32; sa 569 |] (ia 5) - let event_log_readers = cu [| sa 32; sa 573 |] (ia 5) - let certificate_service_dcom_access = cu [| sa 32; sa 574 |] (ia 5) - let rds_remote_access_servers = cu [| sa 32; sa 575 |] (ia 5) - let rds_endpoint_servers = cu [| sa 32; sa 576 |] (ia 5) - let rds_management_servers = cu [| sa 32; sa 577 |] (ia 5) - let hyper_v_admins = cu [| sa 32; sa 578 |] (ia 5) - let access_control_assistance_ops = cu [| sa 32; sa 579 |] (ia 5) - let remote_management_users = cu [| sa 32; sa 580 |] (ia 5) - - let write_restricted_code = cu [| sa 33 |] (ia 5) - let ntlm_authentication = cu [| sa 64; sa 10 |] (ia 5) - let schannel_authentication = cu [| sa 64; sa 14 |] (ia 5) - let digest_authentication = cu [| sa 64; sa 21 |] (ia 5) - let this_organization_certificate = cu [| sa 65; sa 1 |] (ia 5) - let nt_service = cu [| sa 80 |] (ia 5) - let user_mode_drivers = cu [| sa 84; U32.zero; U32.zero; U32.zero; U32.zero; U32.zero |] (ia 5) - let local_account = cu [| sa 113 |] (ia 5) - let local_account_and_member_of_administrators_group = cu [| sa 114 |] (ia 5) - let other_organization = cu [| sa 1000 |] (ia 5) + let nt_authority = cu (U64.of_int 5) [| |] + let dialup = cu (U64.of_int 5) [| U32.one |] + let network = cu (U64.of_int 5) [| U32.of_int 2 |] + let batch = cu (U64.of_int 5) [| U32.of_int 3 |] + let interactive = cu (U64.of_int 5) [| U32.of_int 4 |] + let logon_id = cu (U64.of_int 5) [| U32.of_int 5 |] + let service = cu (U64.of_int 5) [| U32.of_int 6 |] + let anonymous = cu (U64.of_int 5) [| U32.of_int 7 |] + let proxy = cu (U64.of_int 5) [| U32.of_int 8 |] + let enterprise_domain_controllers = cu (U64.of_int 5) [| U32.of_int 9 |] + let principal_self = cu (U64.of_int 5) [| U32.of_int 10 |] + let authenticated_users = cu (U64.of_int 5) [| U32.of_int 11 |] + let restricted_code = cu (U64.of_int 5) [| U32.of_int 12 |] + let terminal_server_user = cu (U64.of_int 5) [| U32.of_int 13 |] + let remote_interactive_logon = cu (U64.of_int 5) [| U32.of_int 14 |] + let this_organisation = cu (U64.of_int 5) [| U32.of_int 15 |] + let iusr = cu (U64.of_int 5) [| U32.of_int 17 |] + let local_system = cu (U64.of_int 5) [| U32.of_int 18 |] + let local_service = cu (U64.of_int 5) [| U32.of_int 19 |] + let network_service = cu (U64.of_int 5) [| U32.of_int 20 |] + + let compounded_authentication = cu (ia 5) [| sa 21; U32.zero; U32.zero; U32.zero; sa 496 |] + let claims_valid = cu (ia 5) [| sa 21; U32.zero; U32.zero; U32.zero; sa 497 |] + + let administrator machine = cu (ia 5) [| sa 21; machine; sa 500 |] + let guest machine = cu (ia 5) [| sa 21; machine; sa 501 |] + let krbtgt domain = cu (ia 5) [| sa 21; domain; sa 502 |] + let domain_admins domain = cu (ia 5) [| sa 21; domain; sa 512 |] + let domain_users domain = cu (ia 5) [| sa 21; domain; sa 513 |] + let domain_guests domain = cu (ia 5) [| sa 21; domain; sa 514 |] + let domain_computers domain = cu (ia 5) [| sa 21; domain; sa 515 |] + let domain_domain_controllers domain = cu (ia 5) [| sa 21; domain; sa 516 |] + let cert_publishers domain = cu (ia 5) [| sa 21; domain; sa 517 |] + let schema_administrators root_domain = cu (ia 5) [| sa 21; root_domain; sa 518 |] + let enterprise_admins root_domain = cu (ia 5) [| sa 21; root_domain; sa 519 |] + let group_policy_creator_owners domain = cu (ia 5) [| sa 21; domain; sa 520 |] + let readonly_domain_controllers domain = cu (ia 5) [| sa 21; domain; sa 521 |] + let cloneable_controllers domain = cu (ia 5) [| sa 21; domain; sa 522 |] + let protected_users domain = cu (ia 5) [| sa 21; domain; sa 525 |] + let key_admins domain = cu (ia 5) [| sa 21; domain; sa 526 |] + let enterprise_key_admins domain = cu (ia 5) [| sa 21; domain; sa 527 |] + let ras_servers domain = cu (ia 5) [| sa 21; domain; sa 553 |] + let allowed_rodc_password_replication_group domain = cu (ia 5) [| sa 21; domain; sa 571 |] + let denied_rodc_password_replication_group domain = cu (ia 5) [| sa 21; domain; sa 572 |] + + let builtin_administrators = cu (ia 5) [| sa 32; sa 544 |] + let builtin_users = cu (ia 5) [| sa 32; sa 545 |] + let builtin_guests = cu (ia 5) [| sa 32; sa 546 |] + let power_users = cu (ia 5) [| sa 32; sa 547 |] + let account_operators = cu (ia 5) [| sa 32; sa 548 |] + let server_operators = cu (ia 5) [| sa 32; sa 549 |] + let printer_operators = cu (ia 5) [| sa 32; sa 550 |] + let backup_operators = cu (ia 5) [| sa 32; sa 551 |] + let replicator = cu (ia 5) [| sa 32; sa 552 |] + let alias_prew2kcompacc = cu (ia 5) [| sa 32; sa 554 |] + let remote_desktop = cu (ia 5) [| sa 32; sa 555 |] + let network_configuration_ops = cu (ia 5) [| sa 32; sa 556 |] + let incoming_forest_trust_builders = cu (ia 5) [| sa 32; sa 557 |] + let perfmon_users = cu (ia 5) [| sa 32; sa 558 |] + let perflog_users = cu (ia 5) [| sa 32; sa 559 |] + let windows_authorization_access_group = cu (ia 5) [| sa 32; sa 560 |] + let terminal_server_license_servers = cu (ia 5) [| sa 32; sa 561 |] + let distributed_com_users = cu (ia 5) [| sa 32; sa 562 |] + let iis_iusrs = cu (ia 5) [| sa 32; sa 568 |] + let cryptographic_operators = cu (ia 5) [| sa 32; sa 569 |] + let event_log_readers = cu (ia 5) [| sa 32; sa 573 |] + let certificate_service_dcom_access = cu (ia 5) [| sa 32; sa 574 |] + let rds_remote_access_servers = cu (ia 5) [| sa 32; sa 575 |] + let rds_endpoint_servers = cu (ia 5) [| sa 32; sa 576 |] + let rds_management_servers = cu (ia 5) [| sa 32; sa 577 |] + let hyper_v_admins = cu (ia 5) [| sa 32; sa 578 |] + let access_control_assistance_ops = cu (ia 5) [| sa 32; sa 579 |] + let remote_management_users = cu (ia 5) [| sa 32; sa 580 |] + + let write_restricted_code = cu (ia 5) [| sa 33 |] + let ntlm_authentication = cu (ia 5) [| sa 64; sa 10 |] + let schannel_authentication = cu (ia 5) [| sa 64; sa 14 |] + let digest_authentication = cu (ia 5) [| sa 64; sa 21 |] + let this_organization_certificate = cu (ia 5) [| sa 65; sa 1 |] + let nt_service = cu (ia 5) [| sa 80 |] + let user_mode_drivers = cu (ia 5) [| sa 84; U32.zero; U32.zero; U32.zero; U32.zero; U32.zero |] + let local_account = cu (ia 5) [| sa 113 |] + let local_account_and_member_of_administrators_group = cu (ia 5) [| sa 114 |] + let other_organization = cu (ia 5) [| sa 1000 |] (* 1-15-… *) - let all_app_packages = cu [| sa 2; U32.one |] (ia 15) + let all_app_packages = cu (ia 15) [| sa 2; U32.one |] (* 1-16-… *) - let ml_untrusted = cu [| U32.zero |] (ia 16) - let ml_low = cu [| sa 4096 |] (ia 16) - let ml_medium = cu [| sa 8192 |] (ia 16) - let ml_medium_plus = cu [| sa 8448 |] (ia 16) - let ml_high = cu [| sa 12288 |] (ia 16) - let ml_system = cu [| sa 16384 |] (ia 16) - let ml_protected_process = cu [| sa 20480 |] (ia 16) - let ml_secure_process = cu [| sa 28672 |] (ia 16) + let ml_untrusted = cu (ia 16) [| U32.zero |] + let ml_low = cu (ia 16) [| sa 4096 |] + let ml_medium = cu (ia 16) [| sa 8192 |] + let ml_medium_plus = cu (ia 16) [| sa 8448 |] + let ml_high = cu (ia 16) [| sa 12288 |] + let ml_system = cu (ia 16) [| sa 16384 |] + let ml_protected_process = cu (ia 16) [| sa 20480 |] + let ml_secure_process = cu (ia 16) [| sa 28672 |] (* 1-18-… *) - let authentication_authority_asserted_identity = cu [| U32.one |] (ia 18) - let service_asserted_identity = cu [| sa 2 |] (ia 18) - let fresh_public_key_identity = cu [| sa 3 |] (ia 18) - let key_trust_identity = cu [| sa 4 |] (ia 18) - let key_property_mfa = cu [| sa 5 |] (ia 18) - let key_property_attestation = cu [| sa 6 |] (ia 18) + let authentication_authority_asserted_identity = cu (ia 18) [| U32.one |] + let service_asserted_identity = cu (ia 18) [| sa 2 |] + let fresh_public_key_identity = cu (ia 18) [| sa 3 |] + let key_trust_identity = cu (ia 18) [| sa 4 |] + let key_property_mfa = cu (ia 18) [| sa 5 |] + let key_property_attestation = cu (ia 18) [| sa 6 |] module Prefix = struct - let security_null_sid_authority ?(sa=[||]) () = create_unsafe sa (U64.of_int 0x00) - let security_world_sid_authority ?(sa=[||]) () = create_unsafe sa (U64.of_int 0x01) - let security_local_sid_authority ?(sa=[||]) () = create_unsafe sa (U64.of_int 0x02) - let security_creator_sid_authority ?(sa=[||]) () = create_unsafe sa (U64.of_int 0x03) - let security_nt_authority ?(sa=[||]) () = create_unsafe sa (U64.of_int 0x05) - let security_app_package_authority ?(sa=[||]) () = create_unsafe sa (U64.of_int 0x0f) - let security_mandatory_label_authority ?(sa=[||]) () = create_unsafe sa (U64.of_int 0x10) - let security_scoped_policy_id_authority ?(sa=[||]) () = create_unsafe sa (U64.of_int 0x11) - let security_authentication_authority ?(sa=[||]) () = create_unsafe sa (U64.of_int 0x12) + let security_null_sid_authority sa = create_unsafe (U64.of_int 0x00) sa + let security_world_sid_authority sa = create_unsafe (U64.of_int 0x01) sa + let security_local_sid_authority sa = create_unsafe (U64.of_int 0x02) sa + let security_creator_sid_authority sa = create_unsafe (U64.of_int 0x03) sa + let security_nt_authority sa = create_unsafe (U64.of_int 0x05) sa + let security_app_package_authority sa = create_unsafe (U64.of_int 0x0f) sa + let security_mandatory_label_authority sa = create_unsafe (U64.of_int 0x10) sa + let security_scoped_policy_id_authority sa = create_unsafe (U64.of_int 0x11) sa + let security_authentication_authority sa = create_unsafe (U64.of_int 0x12) sa end end @@ -3,16 +3,16 @@ type t type sub_auths = Stdint.Uint32.t array -val create : ?sa:Stdint.Uint32.t array -> Stdint.Uint64.t -> t option +val create : Stdint.Uint64.t -> Stdint.Uint32.t array -> t option (** [create sas ia] constructs a SID with the identifier authority [ia] - and, optionally, the subauthorities [sas]. The operation will return - [None] if [sa] contains more than fifteen subauthorities, or if [ia] + and the subauthorities [sas]. The operation will return [None] if [sa] + contains either zero or more than fifteen subauthorities, or if [ia] exceeds 48 bits. *) -val create_unsafe : Stdint.Uint32.t array -> Stdint.Uint64.t -> t +val create_unsafe : Stdint.Uint64.t -> Stdint.Uint32.t array -> t (** [create_unsafe sas ia] constructs a SID with the identifier authority [ia] - and, optionally, the sub authorities [sas] without validating the inputs. - Use with caution. *) + and the sub authorities [sas] without validating the inputs. Use with + caution. *) val equal : t -> t -> bool (** [equal sa sb] tests whether [sa] and [sb] are identical. *) @@ -98,7 +98,13 @@ module WellKnown : val elite : t val nt_authority : t - (** The SID {e S-1-5}. *) + (** The SID {e S-1-5}. + + Note that according to the offical grammar as layed out in MS-DTYP + 2.4.2.1, this SID cannot be converted to “string format” due to its + lack of subauthorities. However, it is the same document which also + specifies this SID. How to reconcile the two is left as an exercise + to the reader. *) val dialup : t (** The SID {e S-1-5-1}. *) @@ -389,40 +395,40 @@ module WellKnown : module Prefix : sig - val security_null_sid_authority : ?sa:sub_auths -> unit -> t - (** [security_null_sid_authority sub_auths ()] constructs a SID + val security_null_sid_authority : sub_auths -> t + (** [security_null_sid_authority sub_auths] constructs a SID {e S-1-0-[sub_auths]…}. *) - val security_world_sid_authority : ?sa:sub_auths -> unit -> t - (** [security_world_sid_authority sub_auths ()] constructs a SID + val security_world_sid_authority : sub_auths -> t + (** [security_world_sid_authority sub_auths] constructs a SID {e S-1-1-[sub_auths]…}. *) - val security_local_sid_authority : ?sa:sub_auths -> unit -> t - (** [security_local_sid_authority sub_auths ()] constructs a SID + val security_local_sid_authority : sub_auths -> t + (** [security_local_sid_authority sub_auths] constructs a SID {e S-1-2-[sub_auths]…}. *) - val security_creator_sid_authority : ?sa:sub_auths -> unit -> t - (** [security_creator_sid_authority sub_auths ()] constructs a SID + val security_creator_sid_authority : sub_auths -> t + (** [security_creator_sid_authority sub_auths] constructs a SID {e S-1-3-[sub_auths]…}. *) - val security_nt_authority : ?sa:sub_auths -> unit -> t - (** [security_nt_authority sub_auths ()] constructs a SID + val security_nt_authority : sub_auths -> t + (** [security_nt_authority sub_auths] constructs a SID {e S-1-5-[sub_auths]…}. *) - val security_app_package_authority : ?sa:sub_auths -> unit -> t - (** [security_app_package_authority sub_auths ()] constructs a SID + val security_app_package_authority : sub_auths -> t + (** [security_app_package_authority sub_auths] constructs a SID {e S-1-15-[sub_auths]…}. *) - val security_mandatory_label_authority : ?sa:sub_auths -> unit -> t - (** [security_mandatory_label_authority sub_auths ()] constructs a SID + val security_mandatory_label_authority : sub_auths -> t + (** [security_mandatory_label_authority sub_auths] constructs a SID {e S-1-16-[sub_auths]…}. *) - val security_scoped_policy_id_authority : ?sa:sub_auths -> unit -> t - (** [security_scoped_policy_id_authority sub_auths ()] constructs a SID + val security_scoped_policy_id_authority : sub_auths -> t + (** [security_scoped_policy_id_authority sub_auths] constructs a SID {e S-1-17-[sub_auths]…}. *) - val security_authentication_authority : ?sa:sub_auths -> unit -> t - (** [security_authentication_authority sub_auths ()] constructs a SID + val security_authentication_authority : sub_auths -> t + (** [security_authentication_authority sub_auths] constructs a SID {e S-1-18-[sub_auths]…}. *) end end diff --git a/sid_test.ml b/sid_test.ml index e7b6c24..7da0d7f 100644 --- a/sid_test.ml +++ b/sid_test.ml @@ -14,18 +14,18 @@ let () = Printexc.record_backtrace true ;; (* S-1-1-0-1-2-3-4-5-6-7-8-9-10-11-12-13-14 *) let max_sid = Sid.create_unsafe + U64.one [| U32.zero ; U32.one ; U32.of_int 2 ; U32.of_int 3 ; U32.of_int 4 ; U32.of_int 5 ; U32.of_int 6 ; U32.of_int 7 ; U32.of_int 8 ; U32.of_int 9 ; U32.of_int 10 ; U32.of_int 11 ; U32.of_int 12 ; U32.of_int 13 ; U32.of_int 14 |] - U64.one let create_ok () = let w = Sid.WellKnown.everyone and s = - match Sid.create ~sa:[| U32.zero |] U64.one with + match Sid.create U64.one [| U32.zero |] with | None -> assert_failure "Sid.create failed for S-1-0" | Some s -> s in @@ -33,16 +33,21 @@ let create_ok () = (Printf.sprintf "[%s] ≠ [%s]" (Sid.to_string s) (Sid.to_string w)) (Sid.equal s w) +let create_nosa_fail () = + match Sid.create U64.zero [| |] with + | None -> () + | Some s -> assert_failure ("Sid.create succeeded despite lack of sas") + let create_etoomany_fail () = let sas = Array.make 16 U32.one in - match Sid.create ~sa:sas U64.zero with + match Sid.create U64.zero sas with | None -> () | Some s -> assert_failure ("Sid.create succeeded on invalid sa array") let create_iatoobig_fail () = let sas = Array.make 2 U32.one in let ia = U64.add max_ident_auth U64.one in - match Sid.create ~sa:sas ia with + match Sid.create ia sas with | None -> () | Some s -> assert_failure ("Sid.create succeeded on invalid ident auth") @@ -55,7 +60,7 @@ let unwrap_of_string s = let sf_parse_ok () = let s = unwrap_of_string "S-1-1-0" - and z = Sid.create_unsafe [| U32.zero |] U64.one in + and z = Sid.create_unsafe U64.one [| U32.zero |] in assert_bool (Printf.sprintf "[%s] ≠ [%s]" (Sid.to_string s) (Sid.to_string z)) (Sid.equal s z); @@ -99,6 +104,16 @@ let sf_parse_ver_inval2_fail () = assert_equal e "Invalid SID [S-10-0]: expected ‘-’ at position 3, found ‘0’" +let sf_parse_nosa_fail () = + match Sid.of_string "S-1-1" with + | Ok s -> + assert_failure + (Printf.sprintf "unexpectedly parsed garbage as SID [%s]" + (Sid.to_string s)) + | Error e -> + assert_equal e "Invalid SID: error parsing SID [S-1-1] at position 5, \ + grammar mandates at least one subauthority" + let sf_parse_trailing_ok () = let s = unwrap_of_string "S-1-0-0-" in assert_equal (Sid.to_string s) "S-1-0-0" @@ -221,8 +236,8 @@ let sf_parse_iaxxlong_fail () = (* too many digits, need exactly 12 *) match Sid.of_string "S-1-0xC01DC01DB100D-17-01" with | Error e -> - let expect = "Invalid SID [S-1-0xC01DC01DB100D-17-01]: expected ‘-’ \ - at position 18, found ‘D’" + let expect = "Invalid SID: error parsing SID [S-1-0xC01DC01DB100D-17-01] \ + at position 18, grammar mandates at least one subauthority" in assert_equal ~msg:(Printf.sprintf "[%s] ≠ [%s]" e expect) @@ -425,6 +440,7 @@ let string_format_test = "string-format-syntax" >::: ; "parse-ver-junk-fail" >:: sf_parse_ver_junk_fail ; "parse-ver-inval-fail" >:: sf_parse_ver_inval_fail ; "parse-ver-inval2-fail" >:: sf_parse_ver_inval2_fail + ; "parse-nosa-fail" >:: sf_parse_nosa_fail ; "parse-trailing-ok" >:: sf_parse_trailing_ok ; "parse-maxint-ok" >:: sf_parse_maxint_ok ; "parse-oobia-fail" >:: sf_parse_oobia_fail diff --git a/util/sidparse_test.sh b/util/sidparse_test.sh index 374810d..5d16e1e 100755 --- a/util/sidparse_test.sh +++ b/util/sidparse_test.sh @@ -148,7 +148,7 @@ register_test () { test_parse_simple () { local name="$1" local ret - local cmd=( "./${testme}" S-1-0 ) + local cmd=( "./${testme}" S-1-1-0 ) timeout ${default_timeout} ${cmd[@]} &>/dev/null ret=$? @@ -168,8 +168,8 @@ test_parse_stdin () { local cmd=( "./${testme}" ) timeout ${default_timeout} ${cmd[@]} &>/dev/null <<-STOPTHAT - S-1-0 - S-1-1 + S-1-0-0 + S-1-1-0 S-1-42-2187-1337 STOPTHAT |