windows-nt/Source/XPSP1/NT/ds/security/cryptoapi/pkitrust/initpki/initacl.cpp

600 lines
17 KiB
C++
Raw Permalink Normal View History

2020-09-26 03:20:57 -05:00
//+-------------------------------------------------------------------------
// Microsoft Windows
//
// Copyright (C) Microsoft Corporation, 1995 - 1999
//
// File: initacl.cpp
//
// Contents: Initialize ACLs so that Everyone only has KEY_READ access
// for the following REGPATHs:
// HKLM\Software\Microsoft\Cryptography\OID ..
// HKLM\Software\Microsoft\Cryptography\Providers\Trust ..
// HKLM\Software\Microsoft\Cryptography\Services ...
// HKLM\Software\Microsoft\SystemCertificates ..
// HKLM\Software\Policies\Microsoft\SystemCertificates ..
// HKLM\Software\Microsoft\EnterpriseCertificates ..
//
// Initialize ACLS so that Everyone has KEY_READ and KEY_SET_VALUE
// access for the following REGPATH:
// HKLM\Software\Microsoft\Cryptography\IEDirtyFlags
//
// Functions: InitializeHKLMAcls
//
// Note: By default HKLM\Software ... gives Everyone special access.
// Special access includes: KEY_READ, KEY_WRITE, DELETE
//
// History: 08-May-98 philh created
//--------------------------------------------------------------------------
#include "global.hxx"
#ifdef STATIC
#undef STATIC
#endif
#define STATIC
static const LPCWSTR rgpwszHKLMRegPath[] = {
OID_REGPATH,
PROVIDERS_REGPATH,
SERVICES_REGPATH,
SYSTEM_STORE_REGPATH,
GROUP_POLICY_STORE_REGPATH,
ENTERPRISE_STORE_REGPATH,
};
#define HKLM_REGPATH_CNT (sizeof(rgpwszHKLMRegPath) / \
sizeof(rgpwszHKLMRegPath[0]))
//+-------------------------------------------------------------------------
// Predefined SIDs allocated once by GetPredefinedSids. Freed when
// InitializeHKLMAcls() returns
//--------------------------------------------------------------------------
static PSID psidLocalSystem = NULL;
static PSID psidAdministrators = NULL;
static PSID psidEveryone = NULL;
//+-------------------------------------------------------------------------
// ACL definitions used to set security on the HKLM registry keys
//--------------------------------------------------------------------------
#define HKLM_SYSTEM_ACE_MASK KEY_ALL_ACCESS
#define HKLM_ADMIN_ACE_MASK KEY_ALL_ACCESS
#define HKLM_EVERYONE_ACE_MASK KEY_READ
#define HKLM_ACE_FLAGS CONTAINER_INHERIT_ACE
#define HKLM_ACE_COUNT 3
#define HKLM_SYSTEM_ACE_INDEX 0
#define HKLM_ADMIN_ACE_INDEX 1
#define HKLM_EVERYONE_ACE_INDEX 2
//+-------------------------------------------------------------------------
// Maximum allowed access rights for Everyone in HKLM
//--------------------------------------------------------------------------
#define MAX_HKLM_EVERYONE_ACE_MASK (KEY_READ | GENERIC_READ)
//+-------------------------------------------------------------------------
// Access rights for Everyone on the CERT_IE_DIRTY_FLAGS registry SubKey
//--------------------------------------------------------------------------
#define IE_EVERYONE_ACE_MASK (KEY_READ | KEY_SET_VALUE)
//+-------------------------------------------------------------------------
// Allocate/free predefined SIDs
//--------------------------------------------------------------------------
STATIC BOOL GetPredefinedSids()
{
BOOL fResult;
SID_IDENTIFIER_AUTHORITY siaNtAuthority = SECURITY_NT_AUTHORITY;
SID_IDENTIFIER_AUTHORITY siaWorldSidAuthority =
SECURITY_WORLD_SID_AUTHORITY;
if (!AllocateAndInitializeSid(
&siaNtAuthority,
1,
SECURITY_LOCAL_SYSTEM_RID,
0, 0, 0, 0, 0, 0, 0,
&psidLocalSystem
))
goto AllocateAndInitializeSidError;
if (!AllocateAndInitializeSid(
&siaNtAuthority,
2,
SECURITY_BUILTIN_DOMAIN_RID,
DOMAIN_ALIAS_RID_ADMINS,
0, 0, 0, 0, 0, 0,
&psidAdministrators
))
goto AllocateAndInitializeSidError;
if (!AllocateAndInitializeSid(
&siaWorldSidAuthority,
1,
SECURITY_WORLD_RID,
0, 0, 0, 0, 0, 0, 0,
&psidEveryone
))
goto AllocateAndInitializeSidError;
fResult = TRUE;
CommonReturn:
return fResult;
ErrorReturn:
fResult = FALSE;
goto CommonReturn;
TRACE_ERROR(AllocateAndInitializeSidError)
}
STATIC void FreePredefinedSids()
{
FreeSid(psidLocalSystem);
FreeSid(psidAdministrators);
FreeSid(psidEveryone);
}
#define HKLM_SD_LEN 0x1000
//+-------------------------------------------------------------------------
// Allocate and get the security descriptor information for the specified
// registry key.
//--------------------------------------------------------------------------
STATIC PSECURITY_DESCRIPTOR AllocAndGetSecurityDescriptor(
IN HKEY hKey,
SECURITY_INFORMATION SecInf
)
{
LONG err;
PSECURITY_DESCRIPTOR psd = NULL;
DWORD cbsd;
cbsd = HKLM_SD_LEN;
if (NULL == (psd = (PSECURITY_DESCRIPTOR) PkiNonzeroAlloc(cbsd)))
goto OutOfMemory;
err = RegGetKeySecurity(
hKey,
SecInf,
psd,
&cbsd
);
if (ERROR_SUCCESS == err)
goto CommonReturn;
if (ERROR_INSUFFICIENT_BUFFER != err)
goto RegGetKeySecurityError;
if (0 == cbsd)
goto NoSecurityDescriptor;
PkiFree(psd);
if (NULL == (psd = (PSECURITY_DESCRIPTOR) PkiNonzeroAlloc(cbsd)))
goto OutOfMemory;
if (ERROR_SUCCESS != (err = RegGetKeySecurity(
hKey,
SecInf,
psd,
&cbsd
))) goto RegGetKeySecurityError;
CommonReturn:
return psd;
ErrorReturn:
PkiFree(psd);
psd = NULL;
goto CommonReturn;
TRACE_ERROR(OutOfMemory)
SET_ERROR_VAR(RegGetKeySecurityError, err)
SET_ERROR(NoSecurityDescriptor, ERROR_INVALID_SECURITY_DESCR)
}
//+-------------------------------------------------------------------------
// Checks that "Everyone" doesn't have more than KEY_READ or GENERIC_READ
// access rights. If valid, returns TRUE.
//--------------------------------------------------------------------------
STATIC BOOL IsValidHKLMAccessRights(
IN HKEY hKey
)
{
BOOL fResult;
PSECURITY_DESCRIPTOR psd = NULL;
BOOL fDaclPresent;
PACL pAcl; // not allocated
BOOL fDaclDefaulted;
DWORD dwAceIndex;
if (NULL == (psd = AllocAndGetSecurityDescriptor(
hKey,
DACL_SECURITY_INFORMATION
))) goto GetSecurityDescriptorError;
if (!GetSecurityDescriptorDacl(psd, &fDaclPresent, &pAcl,
&fDaclDefaulted))
goto GetSecurityDescriptorDaclError;
if (!fDaclPresent || NULL == pAcl || 0 == pAcl->AceCount)
goto MissingDaclError;
for (dwAceIndex = 0; dwAceIndex < pAcl->AceCount; dwAceIndex++) {
PACCESS_ALLOWED_ACE pAce;
if (!GetAce(pAcl, dwAceIndex, (void **) &pAce))
goto GetAceError;
if (ACCESS_ALLOWED_ACE_TYPE != pAce->Header.AceType)
continue;
if (!EqualSid(psidEveryone, (PSID) &pAce->SidStart))
continue;
if (0 != (pAce->Mask & ~MAX_HKLM_EVERYONE_ACE_MASK))
goto InvalidEveryoneAccess;
}
fResult = TRUE;
CommonReturn:
PkiFree(psd);
return fResult;
InvalidEveryoneAccess:
ErrorReturn:
fResult = FALSE;
goto CommonReturn;
TRACE_ERROR(GetSecurityDescriptorError)
TRACE_ERROR(GetSecurityDescriptorDaclError)
SET_ERROR(MissingDaclError, ERROR_INVALID_ACL)
TRACE_ERROR(GetAceError)
}
//+-------------------------------------------------------------------------
// Create the SecurityDescriptor to be used for HKLM SubKeys
//--------------------------------------------------------------------------
STATIC BOOL CreateHKLMSecurityDescriptor(
IN ACCESS_MASK EveryoneAccessMask,
OUT PSECURITY_DESCRIPTOR psd,
OUT PACL *ppDacl
)
{
BOOL fResult;
PACL pDacl = NULL;
PACCESS_ALLOWED_ACE pAce;
DWORD dwAclSize;
DWORD i;
if (!InitializeSecurityDescriptor(psd, SECURITY_DESCRIPTOR_REVISION))
goto InitializeSecurityDescriptorError;
// Set DACL
//
// compute size of ACL
//
dwAclSize = sizeof(ACL) +
HKLM_ACE_COUNT * ( sizeof(ACCESS_ALLOWED_ACE) - sizeof(DWORD) ) +
GetLengthSid(psidLocalSystem) +
GetLengthSid(psidAdministrators) +
GetLengthSid(psidEveryone)
;
//
// allocate storage for Acl
//
if (NULL == (pDacl = (PACL) PkiNonzeroAlloc(dwAclSize)))
goto OutOfMemory;
if (!InitializeAcl(pDacl, dwAclSize, ACL_REVISION))
goto InitializeAclError;
if (!AddAccessAllowedAce(
pDacl,
ACL_REVISION,
HKLM_SYSTEM_ACE_MASK,
psidLocalSystem
))
goto AddAceError;
if (!AddAccessAllowedAce(
pDacl,
ACL_REVISION,
HKLM_ADMIN_ACE_MASK,
psidAdministrators
))
goto AddAceError;
if (!AddAccessAllowedAce(
pDacl,
ACL_REVISION,
EveryoneAccessMask,
psidEveryone
))
goto AddAceError;
//
// make containers inherit.
//
for (i = 0; i < HKLM_ACE_COUNT; i++) {
if(!GetAce(pDacl, i, (void **) &pAce))
goto GetAceError;
pAce->Header.AceFlags = HKLM_ACE_FLAGS;
}
if (!SetSecurityDescriptorDacl(psd, TRUE, pDacl, FALSE))
goto SetSecurityDescriptorDaclError;
fResult = TRUE;
CommonReturn:
*ppDacl = pDacl;
return fResult;
ErrorReturn:
PkiFree(pDacl);
pDacl = NULL;
fResult = FALSE;
goto CommonReturn;
TRACE_ERROR(InitializeSecurityDescriptorError)
TRACE_ERROR(OutOfMemory)
TRACE_ERROR(InitializeAclError)
TRACE_ERROR(AddAceError)
TRACE_ERROR(GetAceError)
TRACE_ERROR(SetSecurityDescriptorDaclError)
}
//+-------------------------------------------------------------------------
// Set the DACL for the SubKey
//--------------------------------------------------------------------------
STATIC BOOL SetHKLMDacl(
IN HKEY hKey,
IN PSECURITY_DESCRIPTOR psd
)
{
BOOL fResult;
LONG err;
if (ERROR_SUCCESS != (err = RegSetKeySecurity(
hKey,
DACL_SECURITY_INFORMATION,
psd
)))
goto RegSetKeySecurityError;
fResult = TRUE;
CommonReturn:
return fResult;
ErrorReturn:
fResult = FALSE;
goto CommonReturn;
SET_ERROR_VAR(RegSetKeySecurityError, err)
}
STATIC BOOL GetSubKeyInfo(
IN HKEY hKey,
OUT OPTIONAL DWORD *pcSubKeys,
OUT OPTIONAL DWORD *pcchMaxSubKey = NULL
)
{
BOOL fResult;
LONG err;
if (ERROR_SUCCESS != (err = RegQueryInfoKeyU(
hKey,
NULL, // lpszClass
NULL, // lpcchClass
NULL, // lpdwReserved
pcSubKeys,
pcchMaxSubKey,
NULL, // lpcchMaxClass
NULL, // lpcValues
NULL, // lpcchMaxValuesName
NULL, // lpcbMaxValueData
NULL, // lpcbSecurityDescriptor
NULL // lpftLastWriteTime
))) goto RegQueryInfoKeyError;
fResult = TRUE;
CommonReturn:
// For Win95 Remote Registry Access:: returns half of the cch
if (pcchMaxSubKey && *pcchMaxSubKey)
*pcchMaxSubKey = (*pcchMaxSubKey + 1) * 2 + 2;
return fResult;
ErrorReturn:
fResult = FALSE;
if (pcSubKeys)
*pcSubKeys = 0;
if (pcchMaxSubKey)
*pcchMaxSubKey = 0;
goto CommonReturn;
SET_ERROR_VAR(RegQueryInfoKeyError, err)
}
//+-------------------------------------------------------------------------
// Check the HKEY for valid access rights for Everyone. If not valid, set
// the HKEY's DACL. Enumerate the HKEY's SubKeys and recursively call.
//--------------------------------------------------------------------------
STATIC BOOL RecursiveInitializeHKLMSubKeyAcls(
IN HKEY hKey,
IN PSECURITY_DESCRIPTOR psd
)
{
BOOL fResult = TRUE;
DWORD cSubKeys;
DWORD cchMaxSubKey;
LPWSTR pwszSubKey = NULL;
if (!IsValidHKLMAccessRights(hKey))
fResult &= SetHKLMDacl(hKey, psd);
if (!GetSubKeyInfo(
hKey,
&cSubKeys,
&cchMaxSubKey
))
return FALSE;
if (cSubKeys && cchMaxSubKey) {
DWORD i;
cchMaxSubKey++;
if (NULL == (pwszSubKey = (LPWSTR) PkiNonzeroAlloc(
cchMaxSubKey * sizeof(WCHAR))))
goto OutOfMemory;
for (i = 0; i < cSubKeys; i++) {
DWORD cchSubKey = cchMaxSubKey;
LONG err;
HKEY hSubKey;
if (ERROR_SUCCESS != (err = RegEnumKeyExU(
hKey,
i,
pwszSubKey,
&cchSubKey,
NULL, // lpdwReserved
NULL, // lpszClass
NULL, // lpcchClass
NULL // lpftLastWriteTime
)) || 0 == cchSubKey ||
L'\0' == *pwszSubKey)
continue;
if (ERROR_SUCCESS != (err = RegOpenKeyExU(
hKey,
pwszSubKey,
0, // dwReserved
KEY_READ | WRITE_DAC,
&hSubKey))) {
#if DBG
DbgPrintf(DBG_SS_CRYPT32,
"RegOpenKeyEx(%S) returned error: %d 0x%x\n",
pwszSubKey, err, err);
#endif
} else {
fResult &= RecursiveInitializeHKLMSubKeyAcls(hSubKey, psd);
RegCloseKey(hSubKey);
}
}
}
CommonReturn:
PkiFree(pwszSubKey);
return fResult;
ErrorReturn:
fResult = FALSE;
goto CommonReturn;
TRACE_ERROR(OutOfMemory)
}
//+-------------------------------------------------------------------------
// Initialize the HKLM registry used by crypt32 so that Everyone only has
// KEY_READ access rights.
//
// Initialize the IEDirtyFlags registry key so that Everyone has KEY_READ
// and KEY_SET_VALUE access rights.
//--------------------------------------------------------------------------
BOOL
InitializeHKLMAcls()
{
BOOL fResult = TRUE;
SECURITY_DESCRIPTOR sd;
PACL pDacl = NULL;
SECURITY_ATTRIBUTES SecAttr;
HKEY hKey;
LONG err;
DWORD dwDisposition;
DWORD i;
if (!FIsWinNT())
return TRUE;
if (!GetPredefinedSids())
return FALSE;
if (!CreateHKLMSecurityDescriptor(
HKLM_EVERYONE_ACE_MASK,
&sd,
&pDacl
))
goto ErrorReturn;
memset(&SecAttr, 0, sizeof(SecAttr));
SecAttr.nLength = sizeof(SecAttr);
SecAttr.lpSecurityDescriptor = (LPVOID) &sd;
SecAttr.bInheritHandle = FALSE;
// Iterate through the HKLM registry locations used by crypt32. If
// the registry key doesn't exist, create it and give Everyone READ_KEY
// access. Otherwise, recurse through its SubKeys. For SubKeys having
// more than KEY_READ access rights for Everyone, set their ACLs giving
// only KEY_READ access to Everyone.
for (i = 0; i < HKLM_REGPATH_CNT; i++) {
if (ERROR_SUCCESS != (err = RegCreateKeyExU(
HKEY_LOCAL_MACHINE,
rgpwszHKLMRegPath[i],
0, // dwReserved
NULL, // lpClass
REG_OPTION_NON_VOLATILE,
MAXIMUM_ALLOWED,
&SecAttr,
&hKey,
&dwDisposition))) {
#if DBG
DbgPrintf(DBG_SS_CRYPT32,
"RegCreateKeyEx(HKLM\\%S) returned error: %d 0x%x\n",
rgpwszHKLMRegPath[i], err, err);
#endif
fResult = FALSE;
continue;
}
if (REG_CREATED_NEW_KEY != dwDisposition)
fResult &= RecursiveInitializeHKLMSubKeyAcls(hKey, &sd);
RegCloseKey(hKey);
}
PkiFree(pDacl);
// Allow Everyone to have KEY_READ and KEY_SET_VALUE access to
// the IEDirtyFlags registry key
if (!CreateHKLMSecurityDescriptor(
IE_EVERYONE_ACE_MASK,
&sd,
&pDacl
))
goto ErrorReturn;
if (ERROR_SUCCESS != (err = RegCreateKeyExU(
HKEY_LOCAL_MACHINE,
CERT_IE_DIRTY_FLAGS_REGPATH,
0, // dwReserved
NULL, // lpClass
REG_OPTION_NON_VOLATILE,
MAXIMUM_ALLOWED,
&SecAttr,
&hKey,
&dwDisposition))) {
#if DBG
DbgPrintf(DBG_SS_CRYPT32,
"RegCreateKeyEx(HKLM\\%S) returned error: %d 0x%x\n",
CERT_IE_DIRTY_FLAGS_REGPATH, err, err);
#endif
fResult = FALSE;
} else {
if (REG_CREATED_NEW_KEY != dwDisposition)
fResult &= SetHKLMDacl(hKey, &sd);
RegCloseKey(hKey);
}
PkiFree(pDacl);
CommonReturn:
FreePredefinedSids();
return fResult;
ErrorReturn:
fResult = FALSE;
goto CommonReturn;
}