sec.c 46.5 KB
Newer Older
Juergen Schmied's avatar
Juergen Schmied committed
1 2 3 4
/*
 *	Security functions
 *
 *	Copyright 1996-1998 Marcus Meissner
5
 * 	Copyright 2003 CodeWeavers Inc. (Ulrich Czekalla)
6 7 8 9 10 11 12 13 14 15 16 17 18
 *
 * This library is free software; you can redistribute it and/or
 * modify it under the terms of the GNU Lesser General Public
 * License as published by the Free Software Foundation; either
 * version 2.1 of the License, or (at your option) any later version.
 *
 * This library is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
 * Lesser General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public
 * License along with this library; if not, write to the Free Software
19
 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
Juergen Schmied's avatar
Juergen Schmied committed
20 21
 */

22
#include "config.h"
23
#include "wine/port.h"
24

25
#include <stdarg.h>
Juergen Schmied's avatar
Juergen Schmied committed
26 27 28 29 30
#include <stdlib.h>
#include <string.h>
#include <time.h>
#include <ctype.h>
#include <math.h>
31 32 33
#ifdef HAVE_UNISTD_H
# include <unistd.h>
#endif
34

35 36
#include "ntstatus.h"
#define WIN32_NO_STATUS
Juergen Schmied's avatar
Juergen Schmied committed
37
#include "windef.h"
38
#include "wine/exception.h"
39
#include "ntdll_misc.h"
40
#include "excpt.h"
41
#include "wine/library.h"
42
#include "wine/unicode.h"
43
#include "wine/debug.h"
Juergen Schmied's avatar
Juergen Schmied committed
44

45
WINE_DEFAULT_DEBUG_CHANNEL(ntdll);
46

47 48
#define NT_SUCCESS(status) (status == STATUS_SUCCESS)

49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64
/* helper function to copy an ACL */
static BOOLEAN copy_acl(DWORD nDestinationAclLength, PACL pDestinationAcl, PACL pSourceAcl)
{
    DWORD size;

    if (!pSourceAcl || !RtlValidAcl(pSourceAcl))
        return FALSE;
        
    size = ((ACL *)pSourceAcl)->AclSize;
    if (nDestinationAclLength < size)
        return FALSE;

    memmove(pDestinationAcl, pSourceAcl, size);
    return TRUE;
}

65 66 67 68 69
/* generically adds an ACE to an ACL */
static NTSTATUS add_access_ace(PACL pAcl, DWORD dwAceRevision, DWORD dwAceFlags,
                               DWORD dwAccessMask, PSID pSid, DWORD dwAceType)
{
    ACE_HEADER *pAceHeader;
70
    DWORD dwLengthSid;
71
    DWORD dwAceSize;
72 73
    DWORD *pAccessMask;
    DWORD *pSidStart;
74

75
    if (!RtlValidSid(pSid))
76 77 78 79 80 81 82 83 84 85 86 87 88 89 90
        return STATUS_INVALID_SID;

    if (pAcl->AclRevision > MAX_ACL_REVISION || dwAceRevision > MAX_ACL_REVISION)
        return STATUS_REVISION_MISMATCH;

    if (!RtlValidAcl(pAcl))
        return STATUS_INVALID_ACL;

    if (!RtlFirstFreeAce(pAcl, &pAceHeader))
        return STATUS_INVALID_ACL;

    if (!pAceHeader)
        return STATUS_ALLOTTED_SPACE_EXCEEDED;

    /* calculate generic size of the ACE */
91 92
    dwLengthSid = RtlLengthSid(pSid);
    dwAceSize = sizeof(ACE_HEADER) + sizeof(DWORD) + dwLengthSid;
93
    if ((char *)pAceHeader + dwAceSize > (char *)pAcl + pAcl->AclSize)
94 95
        return STATUS_ALLOTTED_SPACE_EXCEEDED;

96
    /* fill the new ACE */
97 98 99
    pAceHeader->AceType = dwAceType;
    pAceHeader->AceFlags = dwAceFlags;
    pAceHeader->AceSize = dwAceSize;
100 101 102

    /* skip past the ACE_HEADER of the ACE */
    pAccessMask = (DWORD *)(pAceHeader + 1);
103 104
    *pAccessMask = dwAccessMask;

105 106 107
    /* skip past ACE->Mask */
    pSidStart = pAccessMask + 1;
    RtlCopySid(dwLengthSid, (PSID)pSidStart, pSid);
108

109
    pAcl->AclRevision = max(pAcl->AclRevision, dwAceRevision);
110 111 112 113 114
    pAcl->AceCount++;

    return STATUS_SUCCESS;
}

Juergen Schmied's avatar
Juergen Schmied committed
115 116 117 118 119
/*
 *	SID FUNCTIONS
 */

/******************************************************************************
120
 *  RtlAllocateAndInitializeSid		[NTDLL.@]
Juergen Schmied's avatar
Juergen Schmied committed
121 122
 *
 */
123
NTSTATUS WINAPI RtlAllocateAndInitializeSid (
124 125 126 127 128 129 130
	PSID_IDENTIFIER_AUTHORITY pIdentifierAuthority,
	BYTE nSubAuthorityCount,
	DWORD nSubAuthority0, DWORD nSubAuthority1,
	DWORD nSubAuthority2, DWORD nSubAuthority3,
	DWORD nSubAuthority4, DWORD nSubAuthority5,
	DWORD nSubAuthority6, DWORD nSubAuthority7,
	PSID *pSid )
Juergen Schmied's avatar
Juergen Schmied committed
131
{
132
    SID *tmp_sid;
133

134
    TRACE("(%p, 0x%04x,0x%08x,0x%08x,0x%08x,0x%08x,0x%08x,0x%08x,0x%08x,0x%08x,%p)\n",
135 136 137 138
		pIdentifierAuthority,nSubAuthorityCount,
		nSubAuthority0, nSubAuthority1,	nSubAuthority2, nSubAuthority3,
		nSubAuthority4, nSubAuthority5,	nSubAuthority6, nSubAuthority7, pSid);

139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164
    if (nSubAuthorityCount > 8) return STATUS_INVALID_SID;

    if (!(tmp_sid= RtlAllocateHeap( GetProcessHeap(), 0,
                                    RtlLengthRequiredSid(nSubAuthorityCount))))
        return STATUS_NO_MEMORY;

    tmp_sid->Revision = SID_REVISION;

    if (pIdentifierAuthority)
        memcpy(&tmp_sid->IdentifierAuthority, pIdentifierAuthority, sizeof(SID_IDENTIFIER_AUTHORITY));
    tmp_sid->SubAuthorityCount = nSubAuthorityCount;

    switch( nSubAuthorityCount )
    {
        case 8: tmp_sid->SubAuthority[7]= nSubAuthority7;
        case 7: tmp_sid->SubAuthority[6]= nSubAuthority6;
        case 6: tmp_sid->SubAuthority[5]= nSubAuthority5;
        case 5: tmp_sid->SubAuthority[4]= nSubAuthority4;
        case 4: tmp_sid->SubAuthority[3]= nSubAuthority3;
        case 3: tmp_sid->SubAuthority[2]= nSubAuthority2;
        case 2: tmp_sid->SubAuthority[1]= nSubAuthority1;
        case 1: tmp_sid->SubAuthority[0]= nSubAuthority0;
        break;
    }
    *pSid = tmp_sid;
    return STATUS_SUCCESS;
Juergen Schmied's avatar
Juergen Schmied committed
165
}
166

Juergen Schmied's avatar
Juergen Schmied committed
167
/******************************************************************************
168
 *  RtlEqualSid		[NTDLL.@]
Juergen Schmied's avatar
Juergen Schmied committed
169
 *
Jon Griffiths's avatar
Jon Griffiths committed
170 171 172 173 174 175 176 177 178
 * Determine if two SIDs are equal.
 *
 * PARAMS
 *  pSid1 [I] Source SID
 *  pSid2 [I] SID to compare with
 *
 * RETURNS
 *  TRUE, if pSid1 is equal to pSid2,
 *  FALSE otherwise.
Juergen Schmied's avatar
Juergen Schmied committed
179
 */
180 181 182 183 184 185 186 187
BOOL WINAPI RtlEqualSid( PSID pSid1, PSID pSid2 )
{
    if (!RtlValidSid(pSid1) || !RtlValidSid(pSid2))
        return FALSE;

    if (*RtlSubAuthorityCountSid(pSid1) != *RtlSubAuthorityCountSid(pSid2))
        return FALSE;

188
    if (memcmp(pSid1, pSid2, RtlLengthSid(pSid1)) != 0)
189 190 191 192 193 194
        return FALSE;

    return TRUE;
}

/******************************************************************************
Patrik Stridvall's avatar
Patrik Stridvall committed
195
 * RtlEqualPrefixSid	[NTDLL.@]
196
 */
197
BOOL WINAPI RtlEqualPrefixSid (PSID pSid1, PSID pSid2)
198 199 200 201 202 203 204
{
    if (!RtlValidSid(pSid1) || !RtlValidSid(pSid2))
        return FALSE;

    if (*RtlSubAuthorityCountSid(pSid1) != *RtlSubAuthorityCountSid(pSid2))
        return FALSE;

205
    if (memcmp(pSid1, pSid2, RtlLengthRequiredSid(((SID*)pSid1)->SubAuthorityCount - 1)) != 0)
206 207 208
        return FALSE;

    return TRUE;
Juergen Schmied's avatar
Juergen Schmied committed
209 210
}

211

Juergen Schmied's avatar
Juergen Schmied committed
212
/******************************************************************************
213
 *  RtlFreeSid		[NTDLL.@]
Jon Griffiths's avatar
Jon Griffiths committed
214 215 216 217 218 219 220 221
 *
 * Free the resources used by a SID.
 *
 * PARAMS
 *  pSid [I] SID to Free.
 *
 * RETURNS
 *  STATUS_SUCCESS.
Juergen Schmied's avatar
Juergen Schmied committed
222
 */
223
DWORD WINAPI RtlFreeSid(PSID pSid)
Juergen Schmied's avatar
Juergen Schmied committed
224
{
225
	TRACE("(%p)\n", pSid);
226
	RtlFreeHeap( GetProcessHeap(), 0, pSid );
227
	return STATUS_SUCCESS;
Juergen Schmied's avatar
Juergen Schmied committed
228 229 230
}

/**************************************************************************
231
 * RtlLengthRequiredSid	[NTDLL.@]
232
 *
Jon Griffiths's avatar
Jon Griffiths committed
233 234
 * Determine the amount of memory a SID will use
 *
235
 * PARAMS
Jon Griffiths's avatar
Jon Griffiths committed
236 237 238 239
 *   nrofsubauths [I] Number of Sub Authorities in the SID.
 *
 * RETURNS
 *   The size, in bytes, of a SID with nrofsubauths Sub Authorities.
Juergen Schmied's avatar
Juergen Schmied committed
240 241 242
 */
DWORD WINAPI RtlLengthRequiredSid(DWORD nrofsubauths)
{
243
	return (nrofsubauths-1)*sizeof(DWORD) + sizeof(SID);
Juergen Schmied's avatar
Juergen Schmied committed
244 245 246
}

/**************************************************************************
247
 *                 RtlLengthSid				[NTDLL.@]
Jon Griffiths's avatar
Jon Griffiths committed
248 249 250 251
 *
 * Determine the amount of memory a SID is using
 *
 * PARAMS
252
 *  pSid [I] SID to get the size of.
Jon Griffiths's avatar
Jon Griffiths committed
253 254 255
 *
 * RETURNS
 *  The size, in bytes, of pSid.
Juergen Schmied's avatar
Juergen Schmied committed
256
 */
257
DWORD WINAPI RtlLengthSid(PSID pSid)
Juergen Schmied's avatar
Juergen Schmied committed
258
{
259
	TRACE("sid=%p\n",pSid);
260
	if (!pSid) return 0;
261
	return RtlLengthRequiredSid(*RtlSubAuthorityCountSid(pSid));
Juergen Schmied's avatar
Juergen Schmied committed
262 263 264
}

/**************************************************************************
265
 *                 RtlInitializeSid			[NTDLL.@]
Jon Griffiths's avatar
Jon Griffiths committed
266 267 268 269 270 271 272 273 274
 *
 * Initialise a SID.
 *
 * PARAMS
 *  pSid                 [I] SID to initialise
 *  pIdentifierAuthority [I] Identifier Authority
 *  nSubAuthorityCount   [I] Number of Sub Authorities
 *
 * RETURNS
275
 *  Success: TRUE. pSid is initialised with the details given.
Jon Griffiths's avatar
Jon Griffiths committed
276
 *  Failure: FALSE, if nSubAuthorityCount is >= SID_MAX_SUB_AUTHORITIES.
Juergen Schmied's avatar
Juergen Schmied committed
277
 */
278 279 280 281
BOOL WINAPI RtlInitializeSid(
	PSID pSid,
	PSID_IDENTIFIER_AUTHORITY pIdentifierAuthority,
	BYTE nSubAuthorityCount)
Juergen Schmied's avatar
Juergen Schmied committed
282
{
283
	int i;
284 285
	SID* pisid=pSid;

286 287
	if (nSubAuthorityCount >= SID_MAX_SUB_AUTHORITIES)
	  return FALSE;
Juergen Schmied's avatar
Juergen Schmied committed
288

289 290
	pisid->Revision = SID_REVISION;
	pisid->SubAuthorityCount = nSubAuthorityCount;
291
	if (pIdentifierAuthority)
292
	  memcpy(&pisid->IdentifierAuthority, pIdentifierAuthority, sizeof (SID_IDENTIFIER_AUTHORITY));
293 294

	for (i = 0; i < nSubAuthorityCount; i++)
295
	  *RtlSubAuthoritySid(pSid, i) = 0;
296 297

	return TRUE;
Juergen Schmied's avatar
Juergen Schmied committed
298 299 300
}

/**************************************************************************
301
 *                 RtlSubAuthoritySid			[NTDLL.@]
302
 *
Jon Griffiths's avatar
Jon Griffiths committed
303 304
 * Return the Sub Authority of a SID
 *
305
 * PARAMS
Jon Griffiths's avatar
Jon Griffiths committed
306 307 308 309 310
 *   pSid          [I] SID to get the Sub Authority from.
 *   nSubAuthority [I] Sub Authority number.
 *
 * RETURNS
 *   A pointer to The Sub Authority value of pSid.
Juergen Schmied's avatar
Juergen Schmied committed
311
 */
312
LPDWORD WINAPI RtlSubAuthoritySid( PSID pSid, DWORD nSubAuthority )
Juergen Schmied's avatar
Juergen Schmied committed
313
{
314
    return &(((SID*)pSid)->SubAuthority[nSubAuthority]);
Juergen Schmied's avatar
Juergen Schmied committed
315 316 317
}

/**************************************************************************
318
 * RtlIdentifierAuthoritySid	[NTDLL.@]
319
 *
Jon Griffiths's avatar
Jon Griffiths committed
320 321
 * Return the Identifier Authority of a SID.
 *
322
 * PARAMS
Jon Griffiths's avatar
Jon Griffiths committed
323 324 325 326
 *   pSid [I] SID to get the Identifier Authority from.
 *
 * RETURNS
 *   A pointer to the Identifier Authority value of pSid.
Juergen Schmied's avatar
Juergen Schmied committed
327
 */
328 329
PSID_IDENTIFIER_AUTHORITY WINAPI RtlIdentifierAuthoritySid( PSID pSid )
{
330
    return &(((SID*)pSid)->IdentifierAuthority);
331
}
Juergen Schmied's avatar
Juergen Schmied committed
332

333
/**************************************************************************
334
 *                 RtlSubAuthorityCountSid		[NTDLL.@]
335
 *
Jon Griffiths's avatar
Jon Griffiths committed
336 337
 * Get the number of Sub Authorities in a SID.
 *
338
 * PARAMS
Jon Griffiths's avatar
Jon Griffiths committed
339 340 341 342
 *   pSid [I] SID to get the count from.
 *
 * RETURNS
 *  A pointer to the Sub Authority count of pSid.
343 344
 */
LPBYTE WINAPI RtlSubAuthorityCountSid(PSID pSid)
Juergen Schmied's avatar
Juergen Schmied committed
345
{
346
    return &(((SID*)pSid)->SubAuthorityCount);
Juergen Schmied's avatar
Juergen Schmied committed
347 348 349
}

/**************************************************************************
350
 *                 RtlCopySid				[NTDLL.@]
Juergen Schmied's avatar
Juergen Schmied committed
351
 */
352
BOOLEAN WINAPI RtlCopySid( DWORD nDestinationSidLength, PSID pDestinationSid, PSID pSourceSid )
353 354 355 356 357
{
	if (!pSourceSid || !RtlValidSid(pSourceSid) ||
	    (nDestinationSidLength < RtlLengthSid(pSourceSid)))
          return FALSE;

358
	if (nDestinationSidLength < (((SID*)pSourceSid)->SubAuthorityCount*4+8))
359 360
	  return FALSE;

361
	memmove(pDestinationSid, pSourceSid, ((SID*)pSourceSid)->SubAuthorityCount*4+8);
362 363 364
	return TRUE;
}
/******************************************************************************
365
 * RtlValidSid [NTDLL.@]
366
 *
Jon Griffiths's avatar
Jon Griffiths committed
367 368
 * Determine if a SID is valid.
 *
369
 * PARAMS
Jon Griffiths's avatar
Jon Griffiths committed
370 371 372 373 374
 *   pSid [I] SID to check
 *
 * RETURNS
 *   TRUE if pSid is valid,
 *   FALSE otherwise.
375
 */
376
BOOLEAN WINAPI RtlValidSid( PSID pSid )
377
{
378 379 380 381
    BOOL ret;
    __TRY
    {
        ret = TRUE;
382 383
        if (!pSid || ((SID*)pSid)->Revision != SID_REVISION ||
            ((SID*)pSid)->SubAuthorityCount > SID_MAX_SUB_AUTHORITIES)
384 385 386 387
        {
            ret = FALSE;
        }
    }
388
    __EXCEPT_PAGE_FAULT
389 390 391 392
    {
        WARN("(%p): invalid pointer!\n", pSid);
        return FALSE;
    }
393 394
    __ENDTRY
    return ret;
Juergen Schmied's avatar
Juergen Schmied committed
395 396
}

397

Juergen Schmied's avatar
Juergen Schmied committed
398 399 400 401 402
/*
 *	security descriptor functions
 */

/**************************************************************************
403
 * RtlCreateSecurityDescriptor			[NTDLL.@]
Juergen Schmied's avatar
Juergen Schmied committed
404
 *
Jon Griffiths's avatar
Jon Griffiths committed
405 406 407 408 409 410
 * Initialise a SECURITY_DESCRIPTOR.
 *
 * PARAMS
 *  lpsd [O] Descriptor to initialise.
 *  rev  [I] Revision, must be set to SECURITY_DESCRIPTOR_REVISION.
 *
411
 * RETURNS
Jon Griffiths's avatar
Jon Griffiths committed
412 413
 *  Success: STATUS_SUCCESS.
 *  Failure: STATUS_UNKNOWN_REVISION if rev is incorrect.
Juergen Schmied's avatar
Juergen Schmied committed
414 415 416 417 418 419 420
 */
NTSTATUS WINAPI RtlCreateSecurityDescriptor(
	PSECURITY_DESCRIPTOR lpsd,
	DWORD rev)
{
	if (rev!=SECURITY_DESCRIPTOR_REVISION)
		return STATUS_UNKNOWN_REVISION;
421
	memset(lpsd,'\0',sizeof(SECURITY_DESCRIPTOR));
422
	((SECURITY_DESCRIPTOR*)lpsd)->Revision = SECURITY_DESCRIPTOR_REVISION;
Juergen Schmied's avatar
Juergen Schmied committed
423 424
	return STATUS_SUCCESS;
}
425 426 427 428 429 430 431 432 433 434

/**************************************************************************
 * RtlCopySecurityDescriptor            [NTDLL.@]
 *
 * Copies an absolute or sefl-relative SECURITY_DESCRIPTOR.
 *
 * PARAMS
 *  pSourceSD      [O] SD to copy from.
 *  pDestinationSD [I] Destination SD.
 *
435
 * RETURNS
436 437 438 439 440 441 442 443 444 445 446 447 448 449 450 451 452 453 454 455 456 457 458 459 460 461 462 463 464 465 466 467 468 469 470 471 472 473 474 475 476 477 478 479 480 481 482 483 484 485 486 487 488 489 490 491 492 493 494 495 496 497 498 499 500 501 502 503 504 505 506 507 508 509 510 511 512 513 514 515 516 517 518 519 520 521 522 523 524 525
 *  Success: STATUS_SUCCESS.
 *  Failure: STATUS_UNKNOWN_REVISION if rev is incorrect.
 */
NTSTATUS WINAPI RtlCopySecurityDescriptor(PSECURITY_DESCRIPTOR pSourceSD, PSECURITY_DESCRIPTOR pDestinationSD)
{
    SECURITY_DESCRIPTOR *srcSD = (SECURITY_DESCRIPTOR *)pSourceSD;
    SECURITY_DESCRIPTOR *destSD = (SECURITY_DESCRIPTOR *)pDestinationSD;
    PSID Owner, Group;
    PACL Dacl, Sacl;
    BOOLEAN defaulted, present;
    DWORD length;
    BOOL isSelfRelative = srcSD->Control & SE_SELF_RELATIVE;
    
    if (srcSD->Revision != SECURITY_DESCRIPTOR_REVISION)
        return STATUS_UNKNOWN_REVISION;

    /* copy initial data */
    destSD->Revision = srcSD->Revision;
    destSD->Sbz1 = srcSD->Sbz1;
    destSD->Control = srcSD->Control;

    /* copy Owner */
    RtlGetOwnerSecurityDescriptor(pSourceSD, &Owner, &defaulted);
    length = RtlLengthSid(Owner);

    if (isSelfRelative)
    {
        destSD->Owner = srcSD->Owner;
        RtlCopySid(length, (LPBYTE)destSD + (DWORD)destSD->Owner, Owner);
    }
    else
    {
        destSD->Owner = RtlAllocateHeap(GetProcessHeap(), 0, length);
        RtlCopySid(length, destSD->Owner, Owner);
    }

    /* copy Group */
    RtlGetGroupSecurityDescriptor(pSourceSD, &Group, &defaulted);
    length = RtlLengthSid(Group);

    if (isSelfRelative)
    {
        destSD->Group = srcSD->Group;
        RtlCopySid(length, (LPBYTE)destSD + (DWORD)destSD->Group, Group);
    }
    else
    {
        destSD->Group = RtlAllocateHeap(GetProcessHeap(), 0, length);
        RtlCopySid(length, destSD->Group, Group);
    }

    /* copy Dacl */
    if (srcSD->Control & SE_DACL_PRESENT)
    {
        RtlGetDaclSecurityDescriptor(pSourceSD, &present, &Dacl, &defaulted);
        length = Dacl->AclSize;

        if (isSelfRelative)
        {
            destSD->Dacl = srcSD->Dacl;
            copy_acl(length, (PACL)((LPBYTE)destSD + (DWORD)destSD->Dacl), Dacl);
        }
        else
        {
            destSD->Dacl = RtlAllocateHeap(GetProcessHeap(), 0, length);
            copy_acl(length, destSD->Dacl, Dacl);
        }
    }

    /* copy Sacl */
    if (srcSD->Control & SE_SACL_PRESENT)
    {
        RtlGetSaclSecurityDescriptor(pSourceSD, &present, &Sacl, &defaulted);
        length = Sacl->AclSize;

        if (isSelfRelative)
        {
            destSD->Sacl = srcSD->Sacl;
            copy_acl(length, (PACL)((LPBYTE)destSD + (DWORD)destSD->Sacl), Sacl);
        }
        else
        {
            destSD->Sacl = RtlAllocateHeap(GetProcessHeap(), 0, length);
            copy_acl(length, destSD->Sacl, Sacl);
        }
    }

    return STATUS_SUCCESS;
}

Juergen Schmied's avatar
Juergen Schmied committed
526
/**************************************************************************
527
 * RtlValidSecurityDescriptor			[NTDLL.@]
Juergen Schmied's avatar
Juergen Schmied committed
528
 *
Jon Griffiths's avatar
Jon Griffiths committed
529 530 531 532 533 534 535 536
 * Determine if a SECURITY_DESCRIPTOR is valid.
 *
 * PARAMS
 *  SecurityDescriptor [I] Descriptor to check.
 *
 * RETURNS
 *   Success: STATUS_SUCCESS.
 *   Failure: STATUS_INVALID_SECURITY_DESCR or STATUS_UNKNOWN_REVISION.
Juergen Schmied's avatar
Juergen Schmied committed
537 538 539 540 541 542
 */
NTSTATUS WINAPI RtlValidSecurityDescriptor(
	PSECURITY_DESCRIPTOR SecurityDescriptor)
{
	if ( ! SecurityDescriptor )
		return STATUS_INVALID_SECURITY_DESCR;
543
	if ( ((SECURITY_DESCRIPTOR*)SecurityDescriptor)->Revision != SECURITY_DESCRIPTOR_REVISION )
Juergen Schmied's avatar
Juergen Schmied committed
544 545 546 547 548 549
		return STATUS_UNKNOWN_REVISION;

	return STATUS_SUCCESS;
}

/**************************************************************************
550
 *  RtlLengthSecurityDescriptor			[NTDLL.@]
Juergen Schmied's avatar
Juergen Schmied committed
551 552
 */
ULONG WINAPI RtlLengthSecurityDescriptor(
553
	PSECURITY_DESCRIPTOR pSecurityDescriptor)
Juergen Schmied's avatar
Juergen Schmied committed
554
{
555
	SECURITY_DESCRIPTOR* lpsd=pSecurityDescriptor;
556 557 558
	ULONG offset = 0;
	ULONG Size = SECURITY_DESCRIPTOR_MIN_LENGTH;

559
	if ( lpsd == NULL )
Juergen Schmied's avatar
Juergen Schmied committed
560 561
		return 0;

562 563
	if ( lpsd->Control & SE_SELF_RELATIVE)
		offset = (ULONG) lpsd;
564

565 566
	if ( lpsd->Owner != NULL )
		Size += RtlLengthSid((PSID)((LPBYTE)lpsd->Owner + offset));
Juergen Schmied's avatar
Juergen Schmied committed
567

568 569
	if ( lpsd->Group != NULL )
		Size += RtlLengthSid((PSID)((LPBYTE)lpsd->Group + offset));
Juergen Schmied's avatar
Juergen Schmied committed
570

571 572
	if ( (lpsd->Control & SE_SACL_PRESENT) &&
	      lpsd->Sacl != NULL )
573
		Size += ((PACL)((LPBYTE)lpsd->Sacl + offset))->AclSize;
574

575 576
	if ( (lpsd->Control & SE_DACL_PRESENT) &&
	      lpsd->Dacl != NULL )
577
		Size += ((PACL)((LPBYTE)lpsd->Dacl + offset))->AclSize;
Juergen Schmied's avatar
Juergen Schmied committed
578 579 580 581 582

	return Size;
}

/******************************************************************************
583
 *  RtlGetDaclSecurityDescriptor		[NTDLL.@]
Juergen Schmied's avatar
Juergen Schmied committed
584 585 586 587 588 589 590 591
 *
 */
NTSTATUS WINAPI RtlGetDaclSecurityDescriptor(
	IN PSECURITY_DESCRIPTOR pSecurityDescriptor,
	OUT PBOOLEAN lpbDaclPresent,
	OUT PACL *pDacl,
	OUT PBOOLEAN lpbDaclDefaulted)
{
592 593
	SECURITY_DESCRIPTOR* lpsd=pSecurityDescriptor;

594
	TRACE("(%p,%p,%p,%p)\n",
595
	pSecurityDescriptor, lpbDaclPresent, pDacl, lpbDaclDefaulted);
Juergen Schmied's avatar
Juergen Schmied committed
596

597
	if (lpsd->Revision != SECURITY_DESCRIPTOR_REVISION)
Juergen Schmied's avatar
Juergen Schmied committed
598 599
	  return STATUS_UNKNOWN_REVISION ;

600
	if ( (*lpbDaclPresent = (SE_DACL_PRESENT & lpsd->Control) ? 1 : 0) )
Juergen Schmied's avatar
Juergen Schmied committed
601
	{
602
	  if ( SE_SELF_RELATIVE & lpsd->Control)
603
	    *pDacl = (PACL) ((LPBYTE)lpsd + (DWORD)lpsd->Dacl);
Juergen Schmied's avatar
Juergen Schmied committed
604
	  else
605
	    *pDacl = lpsd->Dacl;
Juergen Schmied's avatar
Juergen Schmied committed
606

607 608
	  *lpbDaclDefaulted = (( SE_DACL_DEFAULTED & lpsd->Control ) ? 1 : 0);
	}
609

Juergen Schmied's avatar
Juergen Schmied committed
610 611 612 613
	return STATUS_SUCCESS;
}

/**************************************************************************
614
 *  RtlSetDaclSecurityDescriptor		[NTDLL.@]
Juergen Schmied's avatar
Juergen Schmied committed
615 616
 */
NTSTATUS WINAPI RtlSetDaclSecurityDescriptor (
617
	PSECURITY_DESCRIPTOR pSecurityDescriptor,
Juergen Schmied's avatar
Juergen Schmied committed
618 619 620 621
	BOOLEAN daclpresent,
	PACL dacl,
	BOOLEAN dacldefaulted )
{
622 623
	SECURITY_DESCRIPTOR* lpsd=pSecurityDescriptor;

Juergen Schmied's avatar
Juergen Schmied committed
624 625 626 627 628
	if (lpsd->Revision!=SECURITY_DESCRIPTOR_REVISION)
		return STATUS_UNKNOWN_REVISION;
	if (lpsd->Control & SE_SELF_RELATIVE)
		return STATUS_INVALID_SECURITY_DESCR;

629
	if (!daclpresent)
Juergen Schmied's avatar
Juergen Schmied committed
630 631 632 633 634 635 636 637 638 639 640 641 642 643 644 645
	{	lpsd->Control &= ~SE_DACL_PRESENT;
		return TRUE;
	}

	lpsd->Control |= SE_DACL_PRESENT;
	lpsd->Dacl = dacl;

	if (dacldefaulted)
		lpsd->Control |= SE_DACL_DEFAULTED;
	else
		lpsd->Control &= ~SE_DACL_DEFAULTED;

	return STATUS_SUCCESS;
}

/******************************************************************************
646
 *  RtlGetSaclSecurityDescriptor		[NTDLL.@]
Juergen Schmied's avatar
Juergen Schmied committed
647 648 649 650 651 652 653 654
 *
 */
NTSTATUS WINAPI RtlGetSaclSecurityDescriptor(
	IN PSECURITY_DESCRIPTOR pSecurityDescriptor,
	OUT PBOOLEAN lpbSaclPresent,
	OUT PACL *pSacl,
	OUT PBOOLEAN lpbSaclDefaulted)
{
655 656
	SECURITY_DESCRIPTOR* lpsd=pSecurityDescriptor;

657
	TRACE("(%p,%p,%p,%p)\n",
Juergen Schmied's avatar
Juergen Schmied committed
658 659
	pSecurityDescriptor, lpbSaclPresent, *pSacl, lpbSaclDefaulted);

660
	if (lpsd->Revision != SECURITY_DESCRIPTOR_REVISION)
661
	  return STATUS_UNKNOWN_REVISION;
Juergen Schmied's avatar
Juergen Schmied committed
662

663
	if ( (*lpbSaclPresent = (SE_SACL_PRESENT & lpsd->Control) ? 1 : 0) )
Juergen Schmied's avatar
Juergen Schmied committed
664
	{
665 666
	  if (SE_SELF_RELATIVE & lpsd->Control)
	    *pSacl = (PACL) ((LPBYTE)lpsd + (DWORD)lpsd->Sacl);
Juergen Schmied's avatar
Juergen Schmied committed
667
	  else
668
	    *pSacl = lpsd->Sacl;
Juergen Schmied's avatar
Juergen Schmied committed
669

670 671
	  *lpbSaclDefaulted = (( SE_SACL_DEFAULTED & lpsd->Control ) ? 1 : 0);
	}
672

Juergen Schmied's avatar
Juergen Schmied committed
673 674 675 676
	return STATUS_SUCCESS;
}

/**************************************************************************
677
 * RtlSetSaclSecurityDescriptor			[NTDLL.@]
Juergen Schmied's avatar
Juergen Schmied committed
678 679
 */
NTSTATUS WINAPI RtlSetSaclSecurityDescriptor (
680
	PSECURITY_DESCRIPTOR pSecurityDescriptor,
Juergen Schmied's avatar
Juergen Schmied committed
681 682 683 684
	BOOLEAN saclpresent,
	PACL sacl,
	BOOLEAN sacldefaulted)
{
685 686
	SECURITY_DESCRIPTOR* lpsd=pSecurityDescriptor;

Juergen Schmied's avatar
Juergen Schmied committed
687 688 689 690 691 692 693 694 695 696 697 698 699 700 701 702 703 704
	if (lpsd->Revision!=SECURITY_DESCRIPTOR_REVISION)
		return STATUS_UNKNOWN_REVISION;
	if (lpsd->Control & SE_SELF_RELATIVE)
		return STATUS_INVALID_SECURITY_DESCR;
	if (!saclpresent) {
		lpsd->Control &= ~SE_SACL_PRESENT;
		return 0;
	}
	lpsd->Control |= SE_SACL_PRESENT;
	lpsd->Sacl = sacl;
	if (sacldefaulted)
		lpsd->Control |= SE_SACL_DEFAULTED;
	else
		lpsd->Control &= ~SE_SACL_DEFAULTED;
	return STATUS_SUCCESS;
}

/**************************************************************************
705
 * RtlGetOwnerSecurityDescriptor		[NTDLL.@]
Juergen Schmied's avatar
Juergen Schmied committed
706 707
 */
NTSTATUS WINAPI RtlGetOwnerSecurityDescriptor(
708
	PSECURITY_DESCRIPTOR pSecurityDescriptor,
Juergen Schmied's avatar
Juergen Schmied committed
709 710 711
	PSID *Owner,
	PBOOLEAN OwnerDefaulted)
{
712 713 714
	SECURITY_DESCRIPTOR* lpsd=pSecurityDescriptor;

	if ( !lpsd  || !Owner || !OwnerDefaulted )
Juergen Schmied's avatar
Juergen Schmied committed
715 716
		return STATUS_INVALID_PARAMETER;

717
	if (lpsd->Owner != NULL)
718
	{
719 720 721
            if (lpsd->Control & SE_SELF_RELATIVE)
                *Owner = (PSID)((LPBYTE)lpsd +
                                (ULONG)lpsd->Owner);
722
            else
723
                *Owner = lpsd->Owner;
724

725
            if ( lpsd->Control & SE_OWNER_DEFAULTED )
726 727 728 729 730 731 732
                *OwnerDefaulted = TRUE;
            else
                *OwnerDefaulted = FALSE;
        }
	else
	    *Owner = NULL;

Juergen Schmied's avatar
Juergen Schmied committed
733 734 735 736
	return STATUS_SUCCESS;
}

/**************************************************************************
737
 *                 RtlSetOwnerSecurityDescriptor		[NTDLL.@]
Juergen Schmied's avatar
Juergen Schmied committed
738 739
 */
NTSTATUS WINAPI RtlSetOwnerSecurityDescriptor(
740
	PSECURITY_DESCRIPTOR pSecurityDescriptor,
Juergen Schmied's avatar
Juergen Schmied committed
741 742 743
	PSID owner,
	BOOLEAN ownerdefaulted)
{
744 745
	SECURITY_DESCRIPTOR* lpsd=pSecurityDescriptor;

Juergen Schmied's avatar
Juergen Schmied committed
746 747 748 749 750 751 752 753 754 755 756 757 758 759
	if (lpsd->Revision!=SECURITY_DESCRIPTOR_REVISION)
		return STATUS_UNKNOWN_REVISION;
	if (lpsd->Control & SE_SELF_RELATIVE)
		return STATUS_INVALID_SECURITY_DESCR;

	lpsd->Owner = owner;
	if (ownerdefaulted)
		lpsd->Control |= SE_OWNER_DEFAULTED;
	else
		lpsd->Control &= ~SE_OWNER_DEFAULTED;
	return STATUS_SUCCESS;
}

/**************************************************************************
760
 *                 RtlSetGroupSecurityDescriptor		[NTDLL.@]
Juergen Schmied's avatar
Juergen Schmied committed
761 762
 */
NTSTATUS WINAPI RtlSetGroupSecurityDescriptor (
763
	PSECURITY_DESCRIPTOR pSecurityDescriptor,
Juergen Schmied's avatar
Juergen Schmied committed
764 765 766
	PSID group,
	BOOLEAN groupdefaulted)
{
767 768
	SECURITY_DESCRIPTOR* lpsd=pSecurityDescriptor;

Juergen Schmied's avatar
Juergen Schmied committed
769 770 771 772 773 774 775 776 777 778 779 780
	if (lpsd->Revision!=SECURITY_DESCRIPTOR_REVISION)
		return STATUS_UNKNOWN_REVISION;
	if (lpsd->Control & SE_SELF_RELATIVE)
		return STATUS_INVALID_SECURITY_DESCR;

	lpsd->Group = group;
	if (groupdefaulted)
		lpsd->Control |= SE_GROUP_DEFAULTED;
	else
		lpsd->Control &= ~SE_GROUP_DEFAULTED;
	return STATUS_SUCCESS;
}
781

Juergen Schmied's avatar
Juergen Schmied committed
782
/**************************************************************************
783
 *                 RtlGetGroupSecurityDescriptor		[NTDLL.@]
Juergen Schmied's avatar
Juergen Schmied committed
784 785
 */
NTSTATUS WINAPI RtlGetGroupSecurityDescriptor(
786
	PSECURITY_DESCRIPTOR pSecurityDescriptor,
Juergen Schmied's avatar
Juergen Schmied committed
787 788 789
	PSID *Group,
	PBOOLEAN GroupDefaulted)
{
790 791 792
	SECURITY_DESCRIPTOR* lpsd=pSecurityDescriptor;

	if ( !lpsd || !Group || !GroupDefaulted )
Juergen Schmied's avatar
Juergen Schmied committed
793 794
		return STATUS_INVALID_PARAMETER;

795
	if (lpsd->Group != NULL)
796
	{
797 798 799
            if (lpsd->Control & SE_SELF_RELATIVE)
                *Group = (PSID)((LPBYTE)lpsd +
                                (ULONG)lpsd->Group);
800
            else
801
                *Group = lpsd->Group;
802

803
            if ( lpsd->Control & SE_GROUP_DEFAULTED )
804 805 806
                *GroupDefaulted = TRUE;
            else
                *GroupDefaulted = FALSE;
Juergen Schmied's avatar
Juergen Schmied committed
807
	}
808 809 810
	else
	    *Group = NULL;

Juergen Schmied's avatar
Juergen Schmied committed
811
	return STATUS_SUCCESS;
812
}
Juergen Schmied's avatar
Juergen Schmied committed
813

814
/**************************************************************************
815
 *                 RtlMakeSelfRelativeSD		[NTDLL.@]
816 817 818 819 820 821
 */
NTSTATUS WINAPI RtlMakeSelfRelativeSD(
	IN PSECURITY_DESCRIPTOR pAbsoluteSecurityDescriptor,
	IN PSECURITY_DESCRIPTOR pSelfRelativeSecurityDescriptor,
	IN OUT LPDWORD lpdwBufferLength)
{
822 823
    ULONG offsetRel;
    ULONG length;
824 825
    SECURITY_DESCRIPTOR* pAbs = pAbsoluteSecurityDescriptor;
    SECURITY_DESCRIPTOR* pRel = pSelfRelativeSecurityDescriptor;
826

827
    TRACE(" %p %p %p(%d)\n", pAbs, pRel, lpdwBufferLength,
828 829 830 831 832 833 834 835 836 837 838 839 840 841 842 843 844 845 846 847 848 849 850 851 852 853 854 855 856 857 858 859 860 861 862 863 864 865 866 867 868 869 870 871 872 873 874 875 876 877 878 879 880 881 882 883 884 885 886 887 888 889 890 891
        lpdwBufferLength ? *lpdwBufferLength: -1);

    if (!lpdwBufferLength || !pAbs)
        return STATUS_INVALID_PARAMETER;

    length = RtlLengthSecurityDescriptor(pAbs);
    if (*lpdwBufferLength < length)
    {
        *lpdwBufferLength = length;
        return STATUS_BUFFER_TOO_SMALL;
    }

    if (!pRel)
        return STATUS_INVALID_PARAMETER;

    if (pAbs->Control & SE_SELF_RELATIVE)
    {
        memcpy(pRel, pAbs, length);
        return STATUS_SUCCESS;
    }

    pRel->Revision = pAbs->Revision;
    pRel->Sbz1 = pAbs->Sbz1;
    pRel->Control = pAbs->Control | SE_SELF_RELATIVE;

    offsetRel = sizeof(SECURITY_DESCRIPTOR);
    pRel->Owner = (PSID) offsetRel;
    length = RtlLengthSid(pAbs->Owner);
    memcpy((LPBYTE)pRel + offsetRel, pAbs->Owner, length);

    offsetRel += length;
    pRel->Group = (PSID) offsetRel;
    length = RtlLengthSid(pAbs->Group);
    memcpy((LPBYTE)pRel + offsetRel, pAbs->Group, length);

    if (pRel->Control & SE_SACL_PRESENT)
    {
        offsetRel += length;
        pRel->Sacl = (PACL) offsetRel;
        length = pAbs->Sacl->AclSize;
        memcpy((LPBYTE)pRel + offsetRel, pAbs->Sacl, length);
    }
    else
    {
        pRel->Sacl = NULL;
    }

    if (pRel->Control & SE_DACL_PRESENT)
    {
        offsetRel += length;
        pRel->Dacl = (PACL) offsetRel;
        length = pAbs->Dacl->AclSize;
        memcpy((LPBYTE)pRel + offsetRel, pAbs->Dacl, length);
    }
    else
    {
        pRel->Dacl = NULL;
    }

    return STATUS_SUCCESS;
}


/**************************************************************************
892 893
 *                 RtlSelfRelativeToAbsoluteSD [NTDLL.@]
 */
894 895 896 897 898 899 900 901 902 903 904 905 906 907
NTSTATUS WINAPI RtlSelfRelativeToAbsoluteSD(
        IN PSECURITY_DESCRIPTOR pSelfRelativeSecurityDescriptor,
	OUT PSECURITY_DESCRIPTOR pAbsoluteSecurityDescriptor,
	OUT LPDWORD lpdwAbsoluteSecurityDescriptorSize,
	OUT PACL pDacl,
	OUT LPDWORD lpdwDaclSize,
	OUT PACL pSacl,
	OUT LPDWORD lpdwSaclSize,
	OUT PSID pOwner,
	OUT LPDWORD lpdwOwnerSize,
	OUT PSID pPrimaryGroup,
	OUT LPDWORD lpdwPrimaryGroupSize)
{
    NTSTATUS status = STATUS_SUCCESS;
908 909
    SECURITY_DESCRIPTOR* pAbs = pAbsoluteSecurityDescriptor;
    SECURITY_DESCRIPTOR* pRel = pSelfRelativeSecurityDescriptor;
910 911 912 913 914 915 916 917 918 919 920 921 922 923 924 925 926 927 928 929 930 931 932 933 934 935 936 937 938 939 940 941 942 943 944 945 946 947 948 949 950 951 952 953 954 955 956 957 958 959 960 961 962 963 964 965 966 967 968 969 970 971 972 973 974 975 976 977 978 979 980 981 982 983 984 985 986 987 988 989 990 991

    if (!pRel ||
        !lpdwAbsoluteSecurityDescriptorSize ||
        !lpdwDaclSize ||
        !lpdwSaclSize ||
        !lpdwOwnerSize ||
        !lpdwPrimaryGroupSize ||
        ~pRel->Control & SE_SELF_RELATIVE)
        return STATUS_INVALID_PARAMETER;

    /* Confirm buffers are sufficiently large */
    if (*lpdwAbsoluteSecurityDescriptorSize < sizeof(SECURITY_DESCRIPTOR))
    {
        *lpdwAbsoluteSecurityDescriptorSize = sizeof(SECURITY_DESCRIPTOR);
        status = STATUS_BUFFER_TOO_SMALL;
    }

    if (pRel->Control & SE_DACL_PRESENT &&
        *lpdwDaclSize  < ((PACL)((LPBYTE)pRel->Dacl + (ULONG)pRel))->AclSize)
    {
        *lpdwDaclSize = ((PACL)((LPBYTE)pRel->Dacl + (ULONG)pRel))->AclSize;
        status = STATUS_BUFFER_TOO_SMALL;
    }

    if (pRel->Control & SE_SACL_PRESENT &&
        *lpdwSaclSize  < ((PACL)((LPBYTE)pRel->Sacl + (ULONG)pRel))->AclSize)
    {
        *lpdwSaclSize = ((PACL)((LPBYTE)pRel->Sacl + (ULONG)pRel))->AclSize;
        status = STATUS_BUFFER_TOO_SMALL;
    }

    if (pRel->Owner &&
        *lpdwOwnerSize < RtlLengthSid((PSID)((LPBYTE)pRel->Owner + (ULONG)pRel)))
    {
        *lpdwOwnerSize = RtlLengthSid((PSID)((LPBYTE)pRel->Owner + (ULONG)pRel));
        status = STATUS_BUFFER_TOO_SMALL;
    }

    if (pRel->Group &&
        *lpdwPrimaryGroupSize < RtlLengthSid((PSID)((LPBYTE)pRel->Group + (ULONG)pRel)))
    {
        *lpdwPrimaryGroupSize = RtlLengthSid((PSID)((LPBYTE)pRel->Group + (ULONG)pRel));
        status = STATUS_BUFFER_TOO_SMALL;
    }

    if (status != STATUS_SUCCESS)
        return status;

    /* Copy structures */
    pAbs->Revision = pRel->Revision;
    pAbs->Control = pRel->Control & ~SE_SELF_RELATIVE;

    if (pRel->Control & SE_SACL_PRESENT)
    {
        PACL pAcl = (PACL)((LPBYTE)pRel->Sacl + (ULONG)pRel);

        memcpy(pSacl, pAcl, pAcl->AclSize);
        pAbs->Sacl = pSacl;
    }

    if (pRel->Control & SE_DACL_PRESENT)
    {
        PACL pAcl = (PACL)((LPBYTE)pRel->Dacl + (ULONG)pRel);
        memcpy(pDacl, pAcl, pAcl->AclSize);
        pAbs->Dacl = pDacl;
    }

    if (pRel->Owner)
    {
        PSID psid = (PSID)((LPBYTE)pRel->Owner + (ULONG)pRel);
        memcpy(pOwner, psid, RtlLengthSid(psid));
        pAbs->Owner = pOwner;
    }

    if (pRel->Group)
    {
        PSID psid = (PSID)((LPBYTE)pRel->Group + (ULONG)pRel);
        memcpy(pPrimaryGroup, psid, RtlLengthSid(psid));
        pAbs->Group = pPrimaryGroup;
    }

    return status;
992 993
}

994 995 996 997
/******************************************************************************
 * RtlGetControlSecurityDescriptor (NTDLL.@)
 */
NTSTATUS WINAPI RtlGetControlSecurityDescriptor(
James Hawkins's avatar
James Hawkins committed
998
    PSECURITY_DESCRIPTOR pSecurityDescriptor,
999 1000 1001
    PSECURITY_DESCRIPTOR_CONTROL pControl,
    LPDWORD lpdwRevision)
{
James Hawkins's avatar
James Hawkins committed
1002
    SECURITY_DESCRIPTOR *lpsd = pSecurityDescriptor;
1003

James Hawkins's avatar
James Hawkins committed
1004
    TRACE("(%p,%p,%p)\n",pSecurityDescriptor,pControl,lpdwRevision);
1005 1006

    *lpdwRevision = lpsd->Revision;
James Hawkins's avatar
James Hawkins committed
1007 1008 1009 1010

    if (*lpdwRevision != SECURITY_DESCRIPTOR_REVISION)
        return STATUS_UNKNOWN_REVISION;

1011 1012 1013 1014 1015
    *pControl = lpsd->Control;

    return STATUS_SUCCESS;
}

1016 1017 1018 1019 1020 1021 1022 1023 1024

/**************************************************************************
 *                 RtlAbsoluteToSelfRelativeSD [NTDLL.@]
 */
NTSTATUS WINAPI RtlAbsoluteToSelfRelativeSD(
    PSECURITY_DESCRIPTOR AbsoluteSecurityDescriptor,
    PSECURITY_DESCRIPTOR SelfRelativeSecurityDescriptor,
    PULONG BufferLength)
{
1025 1026 1027
    SECURITY_DESCRIPTOR *abs = AbsoluteSecurityDescriptor;

    TRACE("%p %p %p\n", AbsoluteSecurityDescriptor,
1028
          SelfRelativeSecurityDescriptor, BufferLength);
1029 1030 1031 1032 1033 1034

    if (abs->Control & SE_SELF_RELATIVE)
        return STATUS_BAD_DESCRIPTOR_FORMAT;

    return RtlMakeSelfRelativeSD(AbsoluteSecurityDescriptor, 
        SelfRelativeSecurityDescriptor, BufferLength);
1035 1036 1037
}


Juergen Schmied's avatar
Juergen Schmied committed
1038 1039 1040 1041 1042
/*
 *	access control list's
 */

/**************************************************************************
1043
 *                 RtlCreateAcl				[NTDLL.@]
Juergen Schmied's avatar
Juergen Schmied committed
1044 1045 1046 1047
 *
 * NOTES
 *    This should return NTSTATUS
 */
1048
NTSTATUS WINAPI RtlCreateAcl(PACL acl,DWORD size,DWORD rev)
Juergen Schmied's avatar
Juergen Schmied committed
1049
{
1050
	TRACE("%p 0x%08x 0x%08x\n", acl, size, rev);
1051

Juergen Schmied's avatar
Juergen Schmied committed
1052 1053 1054 1055 1056 1057 1058 1059 1060 1061 1062
	if (rev!=ACL_REVISION)
		return STATUS_INVALID_PARAMETER;
	if (size<sizeof(ACL))
		return STATUS_BUFFER_TOO_SMALL;
	if (size>0xFFFF)
		return STATUS_INVALID_PARAMETER;

	memset(acl,'\0',sizeof(ACL));
	acl->AclRevision	= rev;
	acl->AclSize		= size;
	acl->AceCount		= 0;
Jon Griffiths's avatar
Jon Griffiths committed
1063
	return STATUS_SUCCESS;
Juergen Schmied's avatar
Juergen Schmied committed
1064 1065 1066
}

/**************************************************************************
1067
 *                 RtlFirstFreeAce			[NTDLL.@]
Juergen Schmied's avatar
Juergen Schmied committed
1068 1069 1070 1071 1072 1073 1074 1075 1076 1077 1078 1079 1080
 * looks for the AceCount+1 ACE, and if it is still within the alloced
 * ACL, return a pointer to it
 */
BOOLEAN WINAPI RtlFirstFreeAce(
	PACL acl,
	PACE_HEADER *x)
{
	PACE_HEADER	ace;
	int		i;

	*x = 0;
	ace = (PACE_HEADER)(acl+1);
	for (i=0;i<acl->AceCount;i++) {
1081
		if ((BYTE *)ace >= (BYTE *)acl + acl->AclSize)
Juergen Schmied's avatar
Juergen Schmied committed
1082 1083 1084
			return 0;
		ace = (PACE_HEADER)(((BYTE*)ace)+ace->AceSize);
	}
1085
	if ((BYTE *)ace >= (BYTE *)acl + acl->AclSize)
Juergen Schmied's avatar
Juergen Schmied committed
1086 1087 1088 1089 1090 1091
		return 0;
	*x = ace;
	return 1;
}

/**************************************************************************
1092
 *                 RtlAddAce				[NTDLL.@]
Juergen Schmied's avatar
Juergen Schmied committed
1093 1094 1095 1096 1097 1098 1099 1100 1101 1102 1103 1104 1105 1106 1107 1108
 */
NTSTATUS WINAPI RtlAddAce(
	PACL acl,
	DWORD rev,
	DWORD xnrofaces,
	PACE_HEADER acestart,
	DWORD acelen)
{
	PACE_HEADER	ace,targetace;
	int		nrofaces;

	if (acl->AclRevision != ACL_REVISION)
		return STATUS_INVALID_PARAMETER;
	if (!RtlFirstFreeAce(acl,&targetace))
		return STATUS_INVALID_PARAMETER;
	nrofaces=0;ace=acestart;
1109
	while (((BYTE *)ace - (BYTE *)acestart) < acelen) {
Juergen Schmied's avatar
Juergen Schmied committed
1110 1111 1112
		nrofaces++;
		ace = (PACE_HEADER)(((BYTE*)ace)+ace->AceSize);
	}
1113
	if ((BYTE *)targetace + acelen > (BYTE *)acl + acl->AclSize) /* too much aces */
Juergen Schmied's avatar
Juergen Schmied committed
1114 1115 1116 1117 1118 1119
		return STATUS_INVALID_PARAMETER;
	memcpy((LPBYTE)targetace,acestart,acelen);
	acl->AceCount+=nrofaces;
	return STATUS_SUCCESS;
}

1120 1121 1122 1123 1124 1125 1126 1127 1128 1129 1130 1131 1132 1133 1134
/**************************************************************************
 *                 RtlDeleteAce				[NTDLL.@]
 */
NTSTATUS  WINAPI RtlDeleteAce(PACL pAcl, DWORD dwAceIndex)
{
	NTSTATUS status;
	PACE_HEADER pAce;

	status = RtlGetAce(pAcl,dwAceIndex,(LPVOID*)&pAce);

	if (STATUS_SUCCESS == status)
	{
		PACE_HEADER pcAce;
		DWORD len = 0;

1135
		/* skip over the ACE we are deleting */
1136
		pcAce = (PACE_HEADER)(((BYTE*)pAce)+pAce->AceSize);
1137 1138 1139
		dwAceIndex++;

		/* calculate the length of the rest */
1140 1141 1142 1143 1144 1145
		for (; dwAceIndex < pAcl->AceCount; dwAceIndex++)
		{
			len += pcAce->AceSize;
			pcAce = (PACE_HEADER)(((BYTE*)pcAce) + pcAce->AceSize);
		}

1146 1147 1148
		/* slide them all backwards */
		memmove(pAce, ((BYTE*)pAce)+pAce->AceSize, len);
		pAcl->AceCount--;
1149 1150
	}

1151
	TRACE("pAcl=%p dwAceIndex=%d status=0x%08x\n", pAcl, dwAceIndex, status);
1152

1153 1154 1155
	return status;
}

Juergen Schmied's avatar
Juergen Schmied committed
1156
/******************************************************************************
1157
 *  RtlAddAccessAllowedAce		[NTDLL.@]
Juergen Schmied's avatar
Juergen Schmied committed
1158
 */
1159
NTSTATUS WINAPI RtlAddAccessAllowedAce(
1160 1161 1162 1163
	IN OUT PACL pAcl,
	IN DWORD dwAceRevision,
	IN DWORD AccessMask,
	IN PSID pSid)
1164 1165 1166 1167 1168 1169 1170 1171 1172 1173 1174 1175 1176
{
	return RtlAddAccessAllowedAceEx( pAcl, dwAceRevision, 0, AccessMask, pSid);
}
 
/******************************************************************************
 *  RtlAddAccessAllowedAceEx		[NTDLL.@]
 */
NTSTATUS WINAPI RtlAddAccessAllowedAceEx(
	IN OUT PACL pAcl,
	IN DWORD dwAceRevision,
	IN DWORD AceFlags,
	IN DWORD AccessMask,
	IN PSID pSid)
Juergen Schmied's avatar
Juergen Schmied committed
1177
{
1178
   TRACE("(%p,0x%08x,0x%08x,%p)\n", pAcl, dwAceRevision, AccessMask, pSid);
1179 1180 1181

    return add_access_ace(pAcl, dwAceRevision, AceFlags,
                          AccessMask, pSid, ACCESS_ALLOWED_ACE_TYPE);
1182 1183 1184 1185 1186 1187 1188 1189 1190 1191
}

/******************************************************************************
 *  RtlAddAccessDeniedAce		[NTDLL.@]
 */
NTSTATUS WINAPI RtlAddAccessDeniedAce(
	IN OUT PACL pAcl,
	IN DWORD dwAceRevision,
	IN DWORD AccessMask,
	IN PSID pSid)
1192 1193 1194 1195 1196 1197 1198 1199 1200 1201 1202 1203 1204
{
	return RtlAddAccessDeniedAceEx( pAcl, dwAceRevision, 0, AccessMask, pSid);
}

/******************************************************************************
 *  RtlAddAccessDeniedAceEx		[NTDLL.@]
 */
NTSTATUS WINAPI RtlAddAccessDeniedAceEx(
	IN OUT PACL pAcl,
	IN DWORD dwAceRevision,
	IN DWORD AceFlags,
	IN DWORD AccessMask,
	IN PSID pSid)
1205
{
1206
   TRACE("(%p,0x%08x,0x%08x,%p)\n", pAcl, dwAceRevision, AccessMask, pSid);
1207 1208 1209

    return add_access_ace(pAcl, dwAceRevision, AceFlags,
                          AccessMask, pSid, ACCESS_DENIED_ACE_TYPE);
1210 1211
}

1212 1213 1214 1215 1216 1217 1218 1219 1220 1221 1222
/************************************************************************** 
 *  RtlAddAuditAccessAce     [NTDLL.@] 
 */ 
NTSTATUS WINAPI RtlAddAuditAccessAce( 
    IN OUT PACL pAcl, 
    IN DWORD dwAceRevision, 
    IN DWORD dwAccessMask, 
    IN PSID pSid, 
    IN BOOL bAuditSuccess, 
    IN BOOL bAuditFailure) 
{ 
1223 1224
    DWORD dwAceFlags = 0;

1225
    TRACE("(%p,%d,%d,%p,%u,%u)\n",pAcl,dwAceRevision,dwAccessMask,
1226 1227 1228 1229 1230 1231 1232 1233 1234 1235
          pSid,bAuditSuccess,bAuditFailure);

    if (bAuditSuccess)
        dwAceFlags |= SUCCESSFUL_ACCESS_ACE_FLAG;

    if (bAuditFailure)
        dwAceFlags |= FAILED_ACCESS_ACE_FLAG;

    return add_access_ace(pAcl, dwAceRevision, dwAceFlags,
                          dwAccessMask, pSid, SYSTEM_AUDIT_ACE_TYPE);
1236 1237
} 
 
1238 1239 1240 1241 1242 1243 1244 1245 1246 1247 1248 1249 1250 1251 1252 1253 1254 1255 1256 1257 1258 1259 1260 1261 1262 1263 1264 1265 1266 1267
/******************************************************************************
 *  RtlValidAcl		[NTDLL.@]
 */
BOOLEAN WINAPI RtlValidAcl(PACL pAcl)
{
        BOOLEAN ret;
	TRACE("(%p)\n", pAcl);

	__TRY
	{
		PACE_HEADER	ace;
		int		i;

                if (pAcl->AclRevision != ACL_REVISION)
                    ret = FALSE;
                else
                {
                    ace = (PACE_HEADER)(pAcl+1);
                    ret = TRUE;
                    for (i=0;i<=pAcl->AceCount;i++)
                    {
                        if ((char *)ace > (char *)pAcl + pAcl->AclSize)
                        {
                            ret = FALSE;
                            break;
                        }
                        ace = (PACE_HEADER)(((BYTE*)ace)+ace->AceSize);
                    }
                }
	}
1268
	__EXCEPT_PAGE_FAULT
1269 1270 1271 1272 1273 1274
	{
		WARN("(%p): invalid pointer!\n", pAcl);
		return 0;
	}
	__ENDTRY
        return ret;
Juergen Schmied's avatar
Juergen Schmied committed
1275 1276 1277
}

/******************************************************************************
1278
 *  RtlGetAce		[NTDLL.@]
Juergen Schmied's avatar
Juergen Schmied committed
1279
 */
1280
NTSTATUS WINAPI RtlGetAce(PACL pAcl,DWORD dwAceIndex,LPVOID *pAce )
Juergen Schmied's avatar
Juergen Schmied committed
1281
{
1282 1283
	PACE_HEADER ace;

1284
	TRACE("(%p,%d,%p)\n",pAcl,dwAceIndex,pAce);
1285 1286 1287 1288 1289 1290 1291 1292 1293 1294 1295

	if ((dwAceIndex < 0) || (dwAceIndex > pAcl->AceCount))
		return STATUS_INVALID_PARAMETER;

	ace = (PACE_HEADER)(pAcl + 1);
	for (;dwAceIndex;dwAceIndex--)
		ace = (PACE_HEADER)(((BYTE*)ace)+ace->AceSize);

	*pAce = (LPVOID) ace;

	return STATUS_SUCCESS;
Juergen Schmied's avatar
Juergen Schmied committed
1296 1297 1298 1299 1300 1301 1302
}

/*
 *	misc
 */

/******************************************************************************
1303
 *  RtlAdjustPrivilege		[NTDLL.@]
1304 1305 1306 1307 1308 1309 1310 1311 1312 1313 1314 1315 1316 1317 1318 1319
 *
 * Enables or disables a privilege from the calling thread or process.
 *
 * PARAMS
 *  Privilege     [I] Privilege index to change.
 *  Enable        [I] If TRUE, then enable the privilege otherwise disable.
 *  CurrentThread [I] If TRUE, then enable in calling thread, otherwise process.
 *  Enabled       [O] Whether privilege was previously enabled or disabled.
 *
 * RETURNS
 *  Success: STATUS_SUCCESS.
 *  Failure: NTSTATUS code.
 *
 * SEE ALSO
 *  NtAdjustPrivilegesToken, NtOpenThreadToken, NtOpenProcessToken.
 *
Juergen Schmied's avatar
Juergen Schmied committed
1320
 */
1321 1322 1323 1324 1325
NTSTATUS WINAPI
RtlAdjustPrivilege(ULONG Privilege,
                   BOOLEAN Enable,
                   BOOLEAN CurrentThread,
                   PBOOLEAN Enabled)
Juergen Schmied's avatar
Juergen Schmied committed
1326
{
1327 1328 1329 1330 1331 1332
    TOKEN_PRIVILEGES NewState;
    TOKEN_PRIVILEGES OldState;
    ULONG ReturnLength;
    HANDLE TokenHandle;
    NTSTATUS Status;

1333
    TRACE("(%d, %s, %s, %p)\n", Privilege, Enable ? "TRUE" : "FALSE",
1334 1335 1336 1337 1338 1339 1340 1341 1342 1343 1344 1345 1346 1347 1348 1349 1350 1351
        CurrentThread ? "TRUE" : "FALSE", Enabled);

    if (CurrentThread)
    {
        Status = NtOpenThreadToken(GetCurrentThread(),
                                   TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY,
                                   FALSE,
                                   &TokenHandle);
    }
    else
    {
        Status = NtOpenProcessToken(GetCurrentProcess(),
                                    TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY,
                                    &TokenHandle);
    }

    if (!NT_SUCCESS(Status))
    {
1352
        WARN("Retrieving token handle failed (Status %x)\n", Status);
1353 1354 1355 1356 1357 1358 1359 1360 1361 1362 1363 1364 1365 1366 1367 1368 1369 1370 1371 1372 1373 1374 1375 1376
        return Status;
    }

    OldState.PrivilegeCount = 1;

    NewState.PrivilegeCount = 1;
    NewState.Privileges[0].Luid.LowPart = Privilege;
    NewState.Privileges[0].Luid.HighPart = 0;
    NewState.Privileges[0].Attributes = (Enable) ? SE_PRIVILEGE_ENABLED : 0;

    Status = NtAdjustPrivilegesToken(TokenHandle,
                                     FALSE,
                                     &NewState,
                                     sizeof(TOKEN_PRIVILEGES),
                                     &OldState,
                                     &ReturnLength);
    NtClose (TokenHandle);
    if (Status == STATUS_NOT_ALL_ASSIGNED)
    {
        TRACE("Failed to assign all privileges\n");
        return STATUS_PRIVILEGE_NOT_HELD;
    }
    if (!NT_SUCCESS(Status))
    {
1377
        WARN("NtAdjustPrivilegesToken() failed (Status %x)\n", Status);
1378 1379 1380 1381 1382 1383 1384 1385 1386
        return Status;
    }

    if (OldState.PrivilegeCount == 0)
        *Enabled = Enable;
    else
        *Enabled = (OldState.Privileges[0].Attributes & SE_PRIVILEGE_ENABLED);

    return STATUS_SUCCESS;
Juergen Schmied's avatar
Juergen Schmied committed
1387 1388
}

1389
/******************************************************************************
1390
 *  RtlImpersonateSelf		[NTDLL.@]
1391 1392 1393 1394 1395 1396 1397 1398 1399 1400
 *
 * Makes an impersonation token that represents the process user and assigns
 * to the current thread.
 *
 * PARAMS
 *  ImpersonationLevel [I] Level at which to impersonate.
 *
 * RETURNS
 *  Success: STATUS_SUCCESS.
 *  Failure: NTSTATUS code.
1401
 */
1402
NTSTATUS WINAPI
1403 1404
RtlImpersonateSelf(SECURITY_IMPERSONATION_LEVEL ImpersonationLevel)
{
1405 1406 1407 1408 1409 1410 1411 1412 1413 1414 1415 1416 1417 1418 1419 1420 1421 1422 1423 1424 1425 1426 1427 1428 1429 1430 1431 1432 1433 1434 1435 1436 1437 1438 1439
    NTSTATUS Status;
    OBJECT_ATTRIBUTES ObjectAttributes;
    HANDLE ProcessToken;
    HANDLE ImpersonationToken;

    TRACE("(%08x)\n", ImpersonationLevel);

    Status = NtOpenProcessToken( NtCurrentProcess(), TOKEN_DUPLICATE,
                                 &ProcessToken);
    if (Status != STATUS_SUCCESS)
        return Status;

    InitializeObjectAttributes( &ObjectAttributes, NULL, 0, NULL, NULL );

    Status = NtDuplicateToken( ProcessToken,
                               TOKEN_IMPERSONATE,
                               &ObjectAttributes,
                               ImpersonationLevel,
                               TokenImpersonation,
                               &ImpersonationToken );
    if (Status != STATUS_SUCCESS)
    {
        NtClose( ProcessToken );
        return Status;
    }

    Status = NtSetInformationThread( GetCurrentThread(),
                                     ThreadImpersonationToken,
                                     &ImpersonationToken,
                                     sizeof(ImpersonationToken) );

    NtClose( ImpersonationToken );
    NtClose( ProcessToken );

    return Status;
1440 1441
}

1442
/******************************************************************************
1443
 *  NtAccessCheck		[NTDLL.@]
Jon Griffiths's avatar
Jon Griffiths committed
1444
 *  ZwAccessCheck		[NTDLL.@]
1445 1446 1447 1448 1449 1450 1451 1452 1453 1454 1455 1456 1457 1458 1459 1460 1461 1462 1463 1464 1465 1466 1467
 *
 * Checks that a user represented by a token is allowed to access an object
 * represented by a security descriptor.
 *
 * PARAMS
 *  SecurityDescriptor [I] The security descriptor of the object to check.
 *  ClientToken        [I] Token of the user accessing the object.
 *  DesiredAccess      [I] The desired access to the object.
 *  GenericMapping     [I] Mapping used to transform access rights in the SD to their specific forms.
 *  PrivilegeSet       [I/O] Privileges used during the access check.
 *  ReturnLength       [O] Number of bytes stored into PrivilegeSet.
 *  GrantedAccess      [O] The actual access rights granted.
 *  AccessStatus       [O] The status of the access check.
 *
 * RETURNS
 *  NTSTATUS code.
 *
 * NOTES
 *  DesiredAccess may be MAXIMUM_ALLOWED, in which case the function determines
 *  the maximum access rights allowed by the SD and returns them in
 *  GrantedAccess.
 *  The SecurityDescriptor must have a valid owner and groups present,
 *  otherwise the function will fail.
1468
 */
1469
NTSTATUS WINAPI
1470
NtAccessCheck(
1471 1472 1473 1474 1475 1476 1477 1478
    PSECURITY_DESCRIPTOR SecurityDescriptor,
    HANDLE ClientToken,
    ACCESS_MASK DesiredAccess,
    PGENERIC_MAPPING GenericMapping,
    PPRIVILEGE_SET PrivilegeSet,
    PULONG ReturnLength,
    PULONG GrantedAccess,
    NTSTATUS *AccessStatus)
1479
{
1480 1481
    NTSTATUS status;

1482
    TRACE("(%p, %p, %08x, %p, %p, %p, %p, %p), stub\n",
1483 1484 1485 1486 1487 1488
        SecurityDescriptor, ClientToken, DesiredAccess, GenericMapping,
        PrivilegeSet, ReturnLength, GrantedAccess, AccessStatus);

    SERVER_START_REQ( access_check )
    {
        struct security_descriptor sd;
1489 1490 1491 1492 1493 1494 1495
        PSID owner;
        PSID group;
        PACL sacl;
        PACL dacl;
        BOOLEAN defaulted, present;
        DWORD revision;
        SECURITY_DESCRIPTOR_CONTROL control;
1496 1497 1498 1499 1500 1501 1502 1503 1504

        req->handle = ClientToken;
        req->desired_access = DesiredAccess;
        req->mapping_read = GenericMapping->GenericRead;
        req->mapping_write = GenericMapping->GenericWrite;
        req->mapping_execute = GenericMapping->GenericExecute;
        req->mapping_all = GenericMapping->GenericAll;

        /* marshal security descriptor */
1505 1506 1507 1508 1509 1510 1511 1512 1513 1514 1515
        RtlGetControlSecurityDescriptor( SecurityDescriptor, &control, &revision );
        sd.control = control & ~SE_SELF_RELATIVE;
        RtlGetOwnerSecurityDescriptor( SecurityDescriptor, &owner, &defaulted );
        sd.owner_len = RtlLengthSid( owner );
        RtlGetGroupSecurityDescriptor( SecurityDescriptor, &group, &defaulted );
        sd.group_len = RtlLengthSid( group );
        RtlGetSaclSecurityDescriptor( SecurityDescriptor, &present, &sacl, &defaulted );
        sd.sacl_len = (present ? sacl->AclSize : 0);
        RtlGetDaclSecurityDescriptor( SecurityDescriptor, &present, &dacl, &defaulted );
        sd.dacl_len = (present ? dacl->AclSize : 0);

1516
        wine_server_add_data( req, &sd, sizeof(sd) );
1517 1518 1519 1520
        wine_server_add_data( req, owner, sd.owner_len );
        wine_server_add_data( req, group, sd.group_len );
        wine_server_add_data( req, sacl, sd.sacl_len );
        wine_server_add_data( req, dacl, sd.dacl_len );
1521 1522 1523 1524 1525 1526 1527 1528 1529 1530 1531 1532 1533 1534 1535

        wine_server_set_reply( req, &PrivilegeSet->Privilege, *ReturnLength - FIELD_OFFSET( PRIVILEGE_SET, Privilege ) );

        status = wine_server_call( req );

        *ReturnLength = FIELD_OFFSET( PRIVILEGE_SET, Privilege ) + reply->privileges_len;
        PrivilegeSet->PrivilegeCount = reply->privileges_len / sizeof(LUID_AND_ATTRIBUTES);

        if (status == STATUS_SUCCESS)
            *AccessStatus = reply->access_status;
        *GrantedAccess = reply->access_granted;
    }
    SERVER_END_REQ;

    return status;
1536 1537
}

1538
/******************************************************************************
1539
 *  NtSetSecurityObject		[NTDLL.@]
1540
 */
1541 1542 1543 1544
NTSTATUS WINAPI
NtSetSecurityObject(
        IN HANDLE Handle,
        IN SECURITY_INFORMATION SecurityInformation,
1545
        IN PSECURITY_DESCRIPTOR SecurityDescriptor)
1546
{
1547
	FIXME("%p 0x%08x %p\n", Handle, SecurityInformation, SecurityDescriptor);
1548 1549 1550
	return STATUS_SUCCESS;
}

1551
/******************************************************************************
1552
 * RtlConvertSidToUnicodeString (NTDLL.@)
1553 1554 1555 1556 1557
 *
 * The returned SID is used to access the USER registry hive usually
 *
 * the native function returns something like
 * "S-1-5-21-0000000000-000000000-0000000000-500";
1558 1559
 */
NTSTATUS WINAPI RtlConvertSidToUnicodeString(
1560
       PUNICODE_STRING String,
1561
       PSID pSid,
1562
       BOOLEAN AllocateString)
1563
{
1564 1565 1566 1567 1568 1569 1570 1571 1572 1573 1574 1575 1576 1577 1578 1579
    static const WCHAR formatW[] = {'-','%','u',0};
    WCHAR buffer[2 + 10 + 10 + 10 * SID_MAX_SUB_AUTHORITIES];
    WCHAR *p = buffer;
    const SID *sid = (const SID *)pSid;
    DWORD i, len;

    *p++ = 'S';
    p += sprintfW( p, formatW, sid->Revision );
    p += sprintfW( p, formatW, MAKELONG( MAKEWORD( sid->IdentifierAuthority.Value[5],
                                                   sid->IdentifierAuthority.Value[4] ),
                                         MAKEWORD( sid->IdentifierAuthority.Value[3],
                                                   sid->IdentifierAuthority.Value[2] )));
    for (i = 0; i < sid->SubAuthorityCount; i++)
        p += sprintfW( p, formatW, sid->SubAuthority[i] );

    len = (p + 1 - buffer) * sizeof(WCHAR);
1580

1581 1582 1583 1584 1585 1586 1587 1588
    String->Length = len - sizeof(WCHAR);
    if (AllocateString)
    {
        String->MaximumLength = len;
        if (!(String->Buffer = RtlAllocateHeap( GetProcessHeap(), 0, len )))
            return STATUS_NO_MEMORY;
    }
    else if (len > String->MaximumLength) return STATUS_BUFFER_OVERFLOW;
1589

1590
    memcpy( String->Buffer, buffer, len );
1591
    return STATUS_SUCCESS;
1592
}
1593 1594 1595 1596 1597 1598 1599 1600 1601 1602 1603 1604

/******************************************************************************
 * RtlQueryInformationAcl (NTDLL.@)
 */
NTSTATUS WINAPI RtlQueryInformationAcl(
    PACL pAcl,
    LPVOID pAclInformation,
    DWORD nAclInformationLength,
    ACL_INFORMATION_CLASS dwAclInformationClass)
{
    NTSTATUS status = STATUS_SUCCESS;

1605
    TRACE("pAcl=%p pAclInfo=%p len=%d, class=%d\n", 
1606 1607 1608 1609 1610 1611 1612 1613 1614 1615 1616 1617 1618 1619 1620 1621 1622 1623 1624 1625 1626 1627 1628 1629 1630 1631 1632 1633 1634 1635 1636 1637 1638 1639 1640 1641 1642 1643 1644 1645
        pAcl, pAclInformation, nAclInformationLength, dwAclInformationClass);

    switch (dwAclInformationClass)
    {
        case AclRevisionInformation:
        {
            PACL_REVISION_INFORMATION paclrev = (PACL_REVISION_INFORMATION) pAclInformation;

            if (nAclInformationLength < sizeof(ACL_REVISION_INFORMATION))
                status = STATUS_INVALID_PARAMETER;
            else
                paclrev->AclRevision = pAcl->AclRevision;

            break;
        }

        case AclSizeInformation:
        {
            PACL_SIZE_INFORMATION paclsize = (PACL_SIZE_INFORMATION) pAclInformation;

            if (nAclInformationLength < sizeof(ACL_SIZE_INFORMATION))
                status = STATUS_INVALID_PARAMETER;
            else
            {
                INT i;
                PACE_HEADER ace;

                paclsize->AceCount = pAcl->AceCount;

                paclsize->AclBytesInUse = 0;
		ace = (PACE_HEADER) (pAcl + 1);

                for (i = 0; i < pAcl->AceCount; i++)
                {
                    paclsize->AclBytesInUse += ace->AceSize;
		    ace = (PACE_HEADER)(((BYTE*)ace)+ace->AceSize);
                }

		if (pAcl->AclSize < paclsize->AclBytesInUse)
                {
1646
                    WARN("Acl has %d bytes free\n", paclsize->AclBytesFree);
1647 1648 1649 1650 1651 1652 1653 1654 1655 1656 1657 1658 1659 1660 1661 1662 1663
                    paclsize->AclBytesFree = 0;
                    paclsize->AclBytesInUse = pAcl->AclSize;
                }
                else
                    paclsize->AclBytesFree = pAcl->AclSize - paclsize->AclBytesInUse;
            }

            break;
        }

        default:
            WARN("Unknown AclInformationClass value: %d\n", dwAclInformationClass);
            status = STATUS_INVALID_PARAMETER;
    }

    return status;
}