Line data Source code
1 : /*
2 : * Unit tests for conditional ACE SDDL.
3 : *
4 : * Copyright (C) Catalyst.NET Ltd 2023
5 : *
6 : * This program is free software; you can redistribute it and/or modify
7 : * it under the terms of the GNU General Public License as published by
8 : * the Free Software Foundation; either version 3 of the License, or
9 : * (at your option) any later version.
10 : *
11 : * This program is distributed in the hope that it will be useful,
12 : * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 : * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 : * GNU General Public License for more details.
15 : *
16 : * You should have received a copy of the GNU General Public License
17 : * along with this program. If not, see <http://www.gnu.org/licenses/>.
18 : *
19 : */
20 :
21 : #include <stdarg.h>
22 : #include <stddef.h>
23 : #include <setjmp.h>
24 : #include "cmocka.h"
25 :
26 : #include "lib/util/attr.h"
27 : #include "includes.h"
28 : #include "librpc/gen_ndr/ndr_security.h"
29 : #include "libcli/security/security.h"
30 : #include "libcli/security/conditional_ace.h"
31 : #include "librpc/gen_ndr/conditional_ace.h"
32 :
33 : /*
34 : * Some of the test strings break subunit, so we only print those if
35 : * stdout is a terminal.
36 : */
37 : #define debug_message(...) do { \
38 : if (isatty(1)) { \
39 : print_message(__VA_ARGS__); \
40 : } \
41 : } while(0)
42 :
43 : #define debug_fail(x, ...) debug_message("\033[1;31m" x "\033[0m", __VA_ARGS__)
44 : #define debug_ok(x, ...) debug_message("\033[1;32m" x "\033[0m", __VA_ARGS__)
45 :
46 : #define ACEINT64(x, b, s) CONDITIONAL_ACE_TOKEN_INT64, \
47 : (x & 0xff), ((x >> 8) & 0xff), ((x >> 16) & 0xff), \
48 : ((x >> 24) & 0xff), (((uint64_t)x >> 32) & 0xff), (((uint64_t)x >> 40) & 0xff), \
49 : (((uint64_t)x >> 48) & 0xff), (((uint64_t)x >> 56) & 0xff), b, s
50 :
51 :
52 23 : static void print_error_message(const char *sddl,
53 : const char *message,
54 : size_t message_offset)
55 : {
56 23 : print_message("%s\n\033[1;33m %*c\033[0m\n", sddl,
57 : (int)message_offset, '^');
58 23 : print_message("%s\n", message);
59 23 : }
60 :
61 1 : static void test_sddl_compile(void **state)
62 : {
63 : /*
64 : * Example codes:
65 : *
66 : * CONDITIONAL_ACE_LOCAL_ATTRIBUTE, 2,0,0,0, 'x',0,
67 : * ^attr byte code ^ ^
68 : * 32 bit little-endian length |
69 : * utf-16, little endian
70 : *
71 : * CONDITIONAL_ACE_TOKEN_EQUAL
72 : * ^ op byte code with no following data
73 : */
74 1 : static const char *sddl = "(x==41 &&(x >@device.x ) )";
75 1 : static const uint8_t ace[] = {
76 : 'a', 'r', 't', 'x',
77 : CONDITIONAL_ACE_LOCAL_ATTRIBUTE, 2, 0, 0, 0, 'x', 0,
78 : ACEINT64(41,
79 : CONDITIONAL_ACE_INT_SIGN_NONE,
80 : CONDITIONAL_ACE_INT_BASE_10),
81 : CONDITIONAL_ACE_TOKEN_EQUAL,
82 : CONDITIONAL_ACE_LOCAL_ATTRIBUTE, 2, 0, 0, 0, 'x', 0,
83 : CONDITIONAL_ACE_DEVICE_ATTRIBUTE, 2, 0, 0, 0, 'x', 0,
84 : CONDITIONAL_ACE_TOKEN_GREATER_THAN,
85 : CONDITIONAL_ACE_TOKEN_AND, 0,0,0,0,
86 : };
87 :
88 1 : size_t i;
89 1 : TALLOC_CTX *mem_ctx = talloc_new(NULL);
90 1 : struct ace_condition_script *s = NULL;
91 1 : const char *message = NULL;
92 1 : size_t message_offset;
93 1 : bool ok;
94 1 : DATA_BLOB compiled;
95 1 : size_t length;
96 :
97 1 : s = ace_conditions_compile_sddl(mem_ctx, sddl, &message,
98 : &message_offset, &length);
99 1 : if (message != NULL) {
100 0 : print_error_message(sddl, message, message_offset);
101 : }
102 1 : if (s == NULL) {
103 0 : debug_fail("%s\n", sddl);
104 0 : fail();
105 : }
106 :
107 1 : ok = conditional_ace_encode_binary(mem_ctx, s, &compiled);
108 1 : assert_true(ok);
109 :
110 1 : assert_true(compiled.length <= ARRAY_SIZE(ace));
111 42 : for (i = 0; i < compiled.length; i++) {
112 40 : assert_int_equal(compiled.data[i], ace[i]);
113 : }
114 1 : }
115 :
116 1 : static void test_sddl_compile2(void **state)
117 : {
118 : /* this one is from Windows, not hand-calculated */
119 1 : static const char *sddl = "(@USER.Project Any_of 1))";
120 1 : static const uint8_t ace[] = ("artx\xf9\x0e\x00\x00\x00P\x00r"
121 : "\x00o\x00j\x00""e\x00""c\x00t\x00"
122 : "\x04\x01\x00\x00\x00\x00\x00\x00"
123 : "\x00\x03\x02\x88\x00");
124 1 : size_t i;
125 1 : TALLOC_CTX *mem_ctx = talloc_new(NULL);
126 1 : struct ace_condition_script *s = NULL;
127 1 : const char *message = NULL;
128 1 : size_t message_offset;
129 1 : bool ok;
130 1 : DATA_BLOB compiled;
131 1 : size_t length;
132 :
133 1 : s = ace_conditions_compile_sddl(mem_ctx, sddl, &message,
134 : &message_offset, &length);
135 1 : if (message != NULL) {
136 0 : print_error_message(sddl, message, message_offset);
137 : }
138 1 : if (s == NULL) {
139 0 : debug_fail("%s\n", sddl);
140 0 : fail();
141 : }
142 :
143 1 : ok = conditional_ace_encode_binary(mem_ctx, s, &compiled);
144 1 : assert_true(ok);
145 :
146 1 : assert_true(compiled.length <= ARRAY_SIZE(ace));
147 38 : for (i = 0; i < compiled.length; i++) {
148 36 : assert_int_equal(compiled.data[i], ace[i]);
149 : }
150 1 : }
151 :
152 1 : static void test_full_sddl_compile(void **state)
153 : {
154 : /*
155 : * This one is from Windows, and annotated by hand.
156 : *
157 : * We have the bytes of a full security descriptor, in
158 : * "relative" form, which is the same as the its NDR
159 : * representation.
160 : *
161 : * *In general* we can't necessarily assert that Samba's NDR
162 : * will be the same as Windows, because they could e.g. put
163 : * the two ACLs in the reverse order which is also legitimate
164 : * (there are hints this may vary on Windows). But in this
165 : * particular case Samba and the Windows 2022 sample agree, so
166 : * we can compare the bytes here.
167 : *
168 : * We can assert that unpacking these bytes as a security
169 : * descriptor should succeed and give us exactly the same
170 : * descriptor as parsing the SDDL.
171 : */
172 1 : TALLOC_CTX *mem_ctx = talloc_new(NULL);
173 1 : struct security_descriptor sec_desc_windows = {};
174 1 : struct security_descriptor *sec_desc_samba = NULL;
175 1 : DATA_BLOB sd_ndr = {};
176 1 : DATA_BLOB sd_win_push = {};
177 1 : DATA_BLOB sd_samba_push = {};
178 1 : bool ok;
179 1 : enum ndr_err_code ndr_err;
180 1 : const char *sddl = "D:(XA;;CCDCLCSWRPWP;;;MP;"\
181 : "(@RESOURCE.c))S:(RA;;;;;WD;(\"colOIr\",TU,0xe,29925))";
182 :
183 1 : uint8_t sd_bytes[] = {
184 : 1, /* 0 version */
185 : 0, /* 1 reserved */
186 : 20, 128, /* 2 control */
187 : 0, 0, 0, 0, /* 4 owner (null relative pointer == no owner) */
188 : 0, 0, 0, 0, /* 8 group */
189 : 20, 0, 0, 0,/* 12 SACL */
190 : 92, 0, 0, 0,/* 16 DACL, i.e. pointer to 92 below */
191 :
192 : /* 20 SACL (from pointer above) */
193 : 4, /* 20 revision (ADS) */
194 : 0, /* 21 reserved */
195 : 72, 0, /* 22 size --> takes us to 92 */
196 : 1, 0, /* 24 ace count */
197 : 0, 0, /* 26 reserved */
198 :
199 : /* now come SACL aces, of which there should be one */
200 : 18, /* 28 ace type (SEC_ACE_TYPE_SYSTEM_RESOURCE_ATTRIBUTE) */
201 : 0, /* 29 ace flags */
202 : 64, 0, /* 30 ace size (from start of ACE, again adds to ending at 92) */
203 : 0, 0, 0, 0, /* 32 mask */
204 :
205 : /* here's the ACE SID */
206 : 1, /* 36 revision */
207 : 1, /* 37 sub-auth count */
208 : 0, 0, 0, 0, 0, 1, /* 38 big endian ident auth */
209 : 0, 0, 0, 0, /* 44 the sub-auth (so SID is S-1-1-0 (everyone), mandatory with RA ace) */
210 :
211 : /* here starts the actual claim, at 48 */
212 : 20, 0, 0, 0, /* 48 pointer to name (relative to claim, at 68) */
213 : 2, 0, /* 52 value type (uint64) */
214 : 0, 0, /* 54 reserved */
215 : 14, 0, 0, 0, /* 56 flags (case-sensitive|deny-only|disabled-by-default -- the "0xe" in the SDDL) */
216 : 1, 0, 0, 0, /* 60 value count */
217 : 34, 0, 0, 0, /* 64 array of pointers, 1-long, points to 48 + 34 == 82 */
218 : /* 68 utf-16 letters "colOIr\0", indicated by name pointer at 48 */
219 : 'c', 0,
220 : 'o', 0,
221 : 'l', 0,
222 : 'O', 0, /* unlike conditional ACE strings, this is nul-terminated. */
223 : 'I', 0, /* where does the next thing start: */
224 : 'r', 0, /* 6 letters + '\0' * 2 = 14. 68 + 14 = 82 */
225 : 0, 0,
226 : /* 82 is the value pointed to at 64 above (LE uint64) */
227 : 229, 116, 0, 0, 0, 0, 0, 0, /* this equals 229 + 116 * 256 == 29925, as we see in the SDDL. */
228 :
229 : /* 88 the claim has ended. the ace has NEARLY ended, but we need to round up: */
230 :
231 : 0, 0, /* 90 two bytes of padding to get to a multiple of 4. */
232 : /* The ace and SACL have ended */
233 :
234 : /* 92 the DACL starts. */
235 : 2, /* 92 version (NT) */
236 : 0, /* 93 reserved */
237 : 40, 0, /* 94 size */
238 : 1, 0, /* 96 ace count */
239 : 0, 0, /* 98 reserved */
240 : /* 100 the DACL aces start */
241 : 9, /* 100 ace type (SEC_ACE_TYPE_ACCESS_ALLOWED_CALLBACK) */
242 : 0, /* 101 flags */
243 : 32, 0, /* 102 ace size (ending at 132) */
244 : 63, 0, 0, 0, /* 104 mask (let's assume CCDCLCSWRPWP as in sddl, not checked, but it's the right number of bits) */
245 : /* 108 the ACE sid */
246 : 1, /* 108 version */
247 : 1, /* 109 sub-auths */
248 : 0, 0, 0, 0, 0, 16,/* 110 bigendian 16 identauth */
249 : 0, 33, 0, 0, /* 116 sub-auth 1, 33 << 8 == 8448; "S-1-16-8448" == "ML_MEDIUM_PLUS" == "MP" */
250 : /* 120 here starts the callback */
251 : 97, 114, 116, 120, /* 120 'artx' */
252 : 250, /* 124 0xfa CONDITIONAL_ACE_RESOURCE_ATTRIBUTE token */
253 : 2, 0, 0, 0, /* 125 length 2 (bytes) */
254 : 'c', 0, /* 129 utf-16 "c" -- NOT nul-terminated */
255 : 0 /* 131 padding to bring length to a multiple of 4 (132) */
256 : };
257 1 : sd_ndr.length = 132;
258 1 : sd_ndr.data = sd_bytes;
259 :
260 1 : sec_desc_samba = sddl_decode(mem_ctx, sddl, NULL);
261 1 : assert_non_null(sec_desc_samba);
262 1 : ndr_err = ndr_pull_struct_blob(
263 : &sd_ndr, mem_ctx, &sec_desc_windows,
264 : (ndr_pull_flags_fn_t)ndr_pull_security_descriptor);
265 :
266 1 : assert_true(NDR_ERR_CODE_IS_SUCCESS(ndr_err));
267 :
268 : /*
269 : * look, we munge the DACL version byte before comparing,
270 : * because Samba currently always does version 4.
271 : */
272 1 : sec_desc_windows.dacl->revision = SECURITY_ACL_REVISION_ADS;
273 1 : sd_bytes[92] = SECURITY_ACL_REVISION_ADS;
274 :
275 : /* push the structures back into blobs for 3-way comparisons. */
276 1 : ndr_err = ndr_push_struct_blob(
277 : &sd_win_push, mem_ctx,
278 : &sec_desc_windows,
279 : (ndr_push_flags_fn_t)ndr_push_security_descriptor);
280 1 : assert_true(NDR_ERR_CODE_IS_SUCCESS(ndr_err));
281 :
282 1 : ndr_err = ndr_push_struct_blob(
283 : &sd_samba_push, mem_ctx,
284 : sec_desc_samba,
285 : (ndr_push_flags_fn_t)ndr_push_security_descriptor);
286 1 : assert_true(NDR_ERR_CODE_IS_SUCCESS(ndr_err));
287 :
288 1 : assert_int_equal(sd_samba_push.length, sd_win_push.length);
289 1 : assert_int_equal(sd_samba_push.length, sd_ndr.length);
290 1 : assert_memory_equal(sd_samba_push.data,
291 : sd_win_push.data,
292 : sd_win_push.length);
293 1 : assert_memory_equal(sd_win_push.data,
294 : sd_ndr.data,
295 : sd_ndr.length);
296 :
297 1 : ok = security_descriptor_equal(sec_desc_samba, &sec_desc_windows);
298 1 : assert_true(ok);
299 1 : talloc_free(mem_ctx);
300 1 : }
301 :
302 :
303 : static void debug_conditional_ace_stderr(TALLOC_CTX *mem_ctx,
304 : struct ace_condition_script *program)
305 : {
306 : char * debug_string = debug_conditional_ace(mem_ctx, program);
307 :
308 : if (debug_string != NULL) {
309 : fputs(debug_string, stderr);
310 : TALLOC_FREE(debug_string);
311 : } else {
312 : print_message("failed to debug!\n");
313 : }
314 : }
315 :
316 :
317 1 : static void test_full_sddl_ra_encode(void **state)
318 : {
319 : /*
320 : * This is an example from Windows that Samba once had trouble
321 : * with.
322 : */
323 1 : bool ok;
324 1 : enum ndr_err_code ndr_err;
325 1 : char *sddl = NULL;
326 1 : struct dom_sid domain_sid;
327 1 : uint8_t win_bytes[] = {
328 : 0x01, 0x00, 0x14, 0x80, /* descriptor header */
329 : 0x00, 0x00, 0x00, 0x00, /* NULL owner pointer */
330 : 0x00, 0x00, 0x00, 0x00, /* NULL group pointer */
331 : 0x14, 0x00, 0x00, 0x00, /* SACL at 0x14 (20) */
332 : 0x58, 0x01, 0x00, 0x00, /* DACL at 0x158 (344) */
333 : /* SACL starts here (20) */
334 : 0x02, 0x00, /* rev 2, NT */
335 : 0x44, 0x01, /* size 0x0144 (324) -- ends at 344 */
336 : 0x01, 0x00, /* ace count */
337 : 0x00, 0x00, /* reserved */
338 : /* ace starts here, 28 */
339 : 0x12, 0x00, /* ace type, flags: 0x12(18) is resource attribute */
340 : 0x3c, 0x01, /* ACE size 0x13c == 316, from ACE start, end at 344 */
341 : 0x00, 0x00, 0x00, 0x00, /*ACE mask */
342 : 0x01, 0x01, /* SID S-1-<identauth>-<1 subauth>) */
343 : 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, /* -1- indent auth */
344 : 0x00, 0x00, 0x00, 0x00, /* -0 -> S-1-1-0, world */
345 : /* claim starts here, 48 */
346 : 0x28, 0x00, 0x00, 0x00, /* pointer to name 40 (from claim start 48) = 88 */
347 : 0x10, 0x00, /* type octet string */
348 : 0x00, 0x00, /* empty */
349 : 0x00, 0x00, 0x00, 0x00, /* zero flags */
350 : 0x06, 0x00, 0x00, 0x00, /* value count */
351 : /* array of 6 value pointers (at claim + 16, 64) */
352 : 0xf2, 0x00, 0x00, 0x00, /* value 0xf2 = 242 from claim (48) == 290 */
353 : 0xf8, 0x00, 0x00, 0x00, /* 0xf8, 248 */
354 : 0x0d, 0x01, 0x00, 0x00, /* 0x10d, 269 */
355 : 0x14, 0x01, 0x00, 0x00, /* 0x114, 276 */
356 : 0x1a, 0x01, 0x00, 0x00, /* 0x11a, 282 */
357 : 0x21, 0x01, 0x00, 0x00, /* 0x121, 289 */
358 : /* here's the name, at 88 */
359 : 'c', 0x00,
360 : 'o', 0x00,
361 : 'l', 0x00,
362 : 'O', 0x00,
363 : 'I', 0x00,
364 : 'r', 0x00, /* the following lines are all \x16 */
365 : /* 100 */
366 : 0x16, 0x00, 0x16, 0x00, 0x16, 0x00, 0x16, 0x00, 0x16, 0x00,
367 : 0x16, 0x00, 0x16, 0x00, 0x16, 0x00, 0x16, 0x00, 0x16, 0x00,
368 : 0x16, 0x00, 0x16, 0x00, 0x16, 0x00, 0x16, 0x00, 0x16, 0x00,
369 : 0x16, 0x00, 0x16, 0x00, 0x16, 0x00, 0x16, 0x00, 0x16, 0x00,
370 : 0x16, 0x00, 0x16, 0x00, 0x16, 0x00, 0x16, 0x00, 0x16, 0x00,
371 : /* 150 */
372 : 0x16, 0x00, 0x16, 0x00, 0x16, 0x00, 0x16, 0x00, 0x16, 0x00,
373 : 0x16, 0x00, 0x16, 0x00, 0x16, 0x00, 0x16, 0x00, 0x16, 0x00,
374 : 0x16, 0x00, 0x16, 0x00, 0x16, 0x00, 0x16, 0x00, 0x16, 0x00,
375 : 0x16, 0x00, 0x16, 0x00, 0x16, 0x00, 0x16, 0x00, 0x16, 0x00,
376 : 0x16, 0x00, 0x16, 0x00, 0x16, 0x00, 0x16, 0x00, 0x16, 0x00,
377 : /* 200 */
378 : 0x16, 0x00, 0x16, 0x00, 0x16, 0x00, 0x16, 0x00, 0x16, 0x00,
379 : 0x16, 0x00, 0x16, 0x00, 0x16, 0x00, 0x16, 0x00, 0x16, 0x00,
380 : 0x16, 0x00, 0x16, 0x00, 0x16, 0x00, 0x16, 0x00, 0x16, 0x00,
381 : 0x16, 0x00, 0x16, 0x00, 0x16, 0x00, 0x16, 0x00, 0x16, 0x00,
382 : 0x16, 0x00, 0x16, 0x00, 0x16, 0x00, 0x16, 0x00, 0x16, 0x00,
383 : /* 250 */
384 : 0x16, 0x00, 0x16, 0x00, 0x16, 0x00, 0x16, 0x00, 0x16, 0x00,
385 : 0x16, 0x00, 0x16, 0x00, 0x16, 0x00, 0x16, 0x00, 0x16, 0x00,
386 : 0x16, 0x00, 0x16, 0x00, 0x16, 0x00, 0x16, 0x00, 0x16, 0x00,
387 : /* 280 */
388 : 0x16, 0x00, 0x16, 0x00, 0x16, 0x00, /* 286 */
389 : 'r', 0x00,
390 : 0x00, 0x00, /* name is nul-terminated */
391 : /* 290, first octet string blob */
392 : 0x02, 0x00, 0x00, 0x00, /* length 2 */
393 : 0x00, 0x77, /* 2 blob bytes */
394 : /* second blob @ 48 + 248 == 296 */
395 : 0x11, 0x00, 0x00, 0x00, /* length 0x11 = 17 */
396 : 0x00, 0x77, 0x77, 0x71, 0x83, 0x68, 0x96, 0x62, 0x95, 0x93,
397 : 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x07,
398 : /* third blob at 269 + 48 == 317 */
399 : 0x03, 0x00, 0x00, 0x00,
400 : 0x00, 0x77, 0x77,
401 : /* fourth blob, 276 + 48 == 324 */
402 : 0x02, 0x00, 0x00, 0x00,
403 : 0x00, 0x77,
404 : /* fifth blob, 282 + 48 == 330 */
405 : 0x03, 0x00, 0x00, 0x00,
406 : 0x00, 0x77, 0x77,
407 : /* last blob 289 + 48 == 337 */
408 : 0x03, 0x00, 0x00, 0x00,
409 : 0x00, 0x77, 0x77,
410 : /* claim ends */
411 : /* 344 DACL starts */
412 : 0x02, 0x00, /* rev 2 (NT) */
413 : 0x28, 0x00, /* size 40, ending at 384 */
414 : 0x01, 0x00, /* ace count */
415 : 0x00, 0x00,
416 : /* ACE starts here, 352 */
417 : 0x09, 0x00, /* type 9, access allowed callback */
418 : 0x20, 0x00, /* size 32 */
419 : 0x3f, 0x00, 0x00, 0x00, /*mask */
420 : 0x01, 0x01, /* S-1-... (1 subauth) */
421 : 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, /*...-16-...*/
422 : 0x00, 0x21, 0x00, 0x00, /* -5356. S-1-16-5376 */
423 : 'a', 'r', 't', 'x',
424 : 0xfa, /* resource attr */
425 : 0x02, 0x00, 0x00, 0x00, /*name is 2 bytes long (i.e. 1 UTF-16) */
426 : 'c', 0x00, /* name is "c" */
427 : /* here we're at 383, but need to round to a multiple of 4 with zeros: */
428 : 0x00
429 : };
430 1 : DATA_BLOB win_blob = {
431 : .data = win_bytes,
432 : .length = sizeof(win_bytes)
433 : };
434 :
435 1 : TALLOC_CTX *mem_ctx = talloc_new(NULL);
436 1 : struct security_descriptor sec_desc_windows = {};
437 1 : struct security_descriptor *sec_desc_samba = NULL;
438 :
439 1 : ndr_err = ndr_pull_struct_blob(
440 : &win_blob, mem_ctx, &sec_desc_windows,
441 : (ndr_pull_flags_fn_t)ndr_pull_security_descriptor);
442 1 : assert_true(NDR_ERR_CODE_IS_SUCCESS(ndr_err));
443 :
444 1 : string_to_sid(&domain_sid, "S-1-2-3");
445 1 : sddl = sddl_encode(mem_ctx, &sec_desc_windows, &domain_sid);
446 1 : assert_non_null(sddl);
447 1 : sec_desc_samba = sddl_decode(mem_ctx, sddl, &domain_sid);
448 :
449 : /* hack the acl revision numbers */
450 1 : sec_desc_windows.dacl->revision = SECURITY_ACL_REVISION_ADS;
451 1 : sec_desc_windows.sacl->revision = SECURITY_ACL_REVISION_ADS;
452 1 : ok = security_descriptor_equal(sec_desc_samba, &sec_desc_windows);
453 1 : assert_true(ok);
454 1 : talloc_free(mem_ctx);
455 1 : }
456 :
457 :
458 1 : static void test_full_sddl_ra_escapes(void **state)
459 : {
460 : /*
461 : * This is the security descriptor described in
462 : * test_full_sddl_ra_encode(), with SDDL.
463 : */
464 1 : enum ndr_err_code ndr_err;
465 1 : const char *sddl = (
466 : "D:(XA;;CCDCLCSWRPWP;;;MP;(@RESOURCE.c))S:(RA;;;;;WD;(\""
467 : "colOIr%0016%0016%0016%0016%0016%0016%0016%0016%0016%0016"
468 : "%0016%0016%0016%0016%0016%0016%0016%0016%0016%0016%0016"
469 : "%0016%0016%0016%0016%0016%0016%0016%0016%0016%0016%0016"
470 : "%0016%0016%0016%0016%0016%0016%0016%0016%0016%0016%0016"
471 : "%0016%0016%0016%0016%0016%0016%0016%0016%0016%0016%0016"
472 : "%0016%0016%0016%0016%0016%0016%0016%0016%0016%0016%0016"
473 : "%0016%0016%0016%0016%0016%0016%0016%0016%0016%0016%0016"
474 : "%0016%0016%0016%0016%0016%0016%0016%0016%0016%0016%0016"
475 : "%0016%0016%0016%0016%0016%0016%0016%0016%0016%0016%0016"
476 : "%0016%0016%0016%0016%0016%0016%0016%0016%0016%0016%0016"
477 : "%0016%0016%0016%0016%0016%0016r\","
478 : "TX,0x0,"
479 : "#0077,#00,#0077,#00,#0077,#00,#00,#00,#0077,#00,#0077,"
480 : "#00,#0077,#007777,#007777,#0077,#007777,#0077,#007777,"
481 : "#007770,#0077,#00,#0077,#00,#00,#00,#0077,#00,#0077,#00,"
482 : "#0077,#007777,#007777,#0077,#007777,#0077,#007777,#007777))");
483 1 : uint8_t win_bytes[] = {
484 : 0x01, 0x00, 0x14, 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
485 : 0x00, 0x00, 0x14, 0x00, 0x00, 0x00, 0xb0, 0x02, 0x00, 0x00,
486 : 0x02, 0x00, 0x9c, 0x02, 0x01, 0x00, 0x00, 0x00, 0x12, 0x00,
487 : 0x94, 0x02, 0x00, 0x00, 0x00, 0x00, 0x01, 0x01, 0x00, 0x00,
488 : 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0xa8, 0x00,
489 : 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
490 : 0x26, 0x00, 0x00, 0x00, 0x9e, 0x01, 0x00, 0x00, 0xa4, 0x01,
491 : 0x00, 0x00, 0xa9, 0x01, 0x00, 0x00, 0xaf, 0x01, 0x00, 0x00,
492 : 0xb4, 0x01, 0x00, 0x00, 0xba, 0x01, 0x00, 0x00, 0xbf, 0x01,
493 : 0x00, 0x00, 0xc4, 0x01, 0x00, 0x00, 0xc9, 0x01, 0x00, 0x00,
494 : 0xcf, 0x01, 0x00, 0x00, 0xd4, 0x01, 0x00, 0x00, 0xda, 0x01,
495 : 0x00, 0x00, 0xdf, 0x01, 0x00, 0x00, 0xe5, 0x01, 0x00, 0x00,
496 : 0xec, 0x01, 0x00, 0x00, 0xf3, 0x01, 0x00, 0x00, 0xf9, 0x01,
497 : 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x06, 0x02, 0x00, 0x00,
498 : 0x0d, 0x02, 0x00, 0x00, 0x14, 0x02, 0x00, 0x00, 0x1a, 0x02,
499 : 0x00, 0x00, 0x1f, 0x02, 0x00, 0x00, 0x25, 0x02, 0x00, 0x00,
500 : 0x2a, 0x02, 0x00, 0x00, 0x2f, 0x02, 0x00, 0x00, 0x34, 0x02,
501 : 0x00, 0x00, 0x3a, 0x02, 0x00, 0x00, 0x3f, 0x02, 0x00, 0x00,
502 : 0x45, 0x02, 0x00, 0x00, 0x4a, 0x02, 0x00, 0x00, 0x50, 0x02,
503 : 0x00, 0x00, 0x57, 0x02, 0x00, 0x00, 0x5e, 0x02, 0x00, 0x00,
504 : 0x64, 0x02, 0x00, 0x00, 0x6b, 0x02, 0x00, 0x00, 0x71, 0x02,
505 : 0x00, 0x00, 0x78, 0x02, 0x00, 0x00, 0x63, 0x00, 0x6f, 0x00,
506 : 0x6c, 0x00, 0x4f, 0x00, 0x49, 0x00, 0x72, 0x00, 0x16, 0x00,
507 : 0x16, 0x00, 0x16, 0x00, 0x16, 0x00, 0x16, 0x00, 0x16, 0x00,
508 : 0x16, 0x00, 0x16, 0x00, 0x16, 0x00, 0x16, 0x00, 0x16, 0x00,
509 : 0x16, 0x00, 0x16, 0x00, 0x16, 0x00, 0x16, 0x00, 0x16, 0x00,
510 : 0x16, 0x00, 0x16, 0x00, 0x16, 0x00, 0x16, 0x00, 0x16, 0x00,
511 : 0x16, 0x00, 0x16, 0x00, 0x16, 0x00, 0x16, 0x00, 0x16, 0x00,
512 : 0x16, 0x00, 0x16, 0x00, 0x16, 0x00, 0x16, 0x00, 0x16, 0x00,
513 : 0x16, 0x00, 0x16, 0x00, 0x16, 0x00, 0x16, 0x00, 0x16, 0x00,
514 : 0x16, 0x00, 0x16, 0x00, 0x16, 0x00, 0x16, 0x00, 0x16, 0x00,
515 : 0x16, 0x00, 0x16, 0x00, 0x16, 0x00, 0x16, 0x00, 0x16, 0x00,
516 : 0x16, 0x00, 0x16, 0x00, 0x16, 0x00, 0x16, 0x00, 0x16, 0x00,
517 : 0x16, 0x00, 0x16, 0x00, 0x16, 0x00, 0x16, 0x00, 0x16, 0x00,
518 : 0x16, 0x00, 0x16, 0x00, 0x16, 0x00, 0x16, 0x00, 0x16, 0x00,
519 : 0x16, 0x00, 0x16, 0x00, 0x16, 0x00, 0x16, 0x00, 0x16, 0x00,
520 : 0x16, 0x00, 0x16, 0x00, 0x16, 0x00, 0x16, 0x00, 0x16, 0x00,
521 : 0x16, 0x00, 0x16, 0x00, 0x16, 0x00, 0x16, 0x00, 0x16, 0x00,
522 : 0x16, 0x00, 0x16, 0x00, 0x16, 0x00, 0x16, 0x00, 0x16, 0x00,
523 : 0x16, 0x00, 0x16, 0x00, 0x16, 0x00, 0x16, 0x00, 0x16, 0x00,
524 : 0x16, 0x00, 0x16, 0x00, 0x16, 0x00, 0x16, 0x00, 0x16, 0x00,
525 : 0x16, 0x00, 0x16, 0x00, 0x16, 0x00, 0x16, 0x00, 0x16, 0x00,
526 : 0x16, 0x00, 0x16, 0x00, 0x16, 0x00, 0x16, 0x00, 0x16, 0x00,
527 : 0x16, 0x00, 0x16, 0x00, 0x16, 0x00, 0x16, 0x00, 0x16, 0x00,
528 : 0x16, 0x00, 0x16, 0x00, 0x16, 0x00, 0x16, 0x00, 0x16, 0x00,
529 : 0x16, 0x00, 0x16, 0x00, 0x16, 0x00, 0x16, 0x00, 0x72, 0x00,
530 : 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x77, 0x01, 0x00,
531 : 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x77, 0x01,
532 : 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x77,
533 : 0x01, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00,
534 : 0x01, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00,
535 : 0x77, 0x01, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
536 : 0x00, 0x77, 0x01, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00,
537 : 0x00, 0x00, 0x77, 0x03, 0x00, 0x00, 0x00, 0x00, 0x77, 0x77,
538 : 0x03, 0x00, 0x00, 0x00, 0x00, 0x77, 0x77, 0x02, 0x00, 0x00,
539 : 0x00, 0x00, 0x77, 0x03, 0x00, 0x00, 0x00, 0x00, 0x77, 0x77,
540 : 0x02, 0x00, 0x00, 0x00, 0x00, 0x77, 0x03, 0x00, 0x00, 0x00,
541 : 0x00, 0x77, 0x77, 0x03, 0x00, 0x00, 0x00, 0x00, 0x77, 0x70,
542 : 0x02, 0x00, 0x00, 0x00, 0x00, 0x77, 0x01, 0x00, 0x00, 0x00,
543 : 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x77, 0x01, 0x00, 0x00,
544 : 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00,
545 : 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x77, 0x01, 0x00,
546 : 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x77, 0x01,
547 : 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x77,
548 : 0x03, 0x00, 0x00, 0x00, 0x00, 0x77, 0x77, 0x03, 0x00, 0x00,
549 : 0x00, 0x00, 0x77, 0x77, 0x02, 0x00, 0x00, 0x00, 0x00, 0x77,
550 : 0x03, 0x00, 0x00, 0x00, 0x00, 0x77, 0x77, 0x02, 0x00, 0x00,
551 : 0x00, 0x00, 0x77, 0x03, 0x00, 0x00, 0x00, 0x00, 0x77, 0x77,
552 : 0x03, 0x00, 0x00, 0x00, 0x00, 0x77, 0x77, 0x00, 0x02, 0x00,
553 : 0x28, 0x00, 0x01, 0x00, 0x00, 0x00, 0x09, 0x00, 0x20, 0x00,
554 : 0x3f, 0x00, 0x00, 0x00, 0x01, 0x01, 0x00, 0x00, 0x00, 0x00,
555 : 0x00, 0x10, 0x00, 0x21, 0x00, 0x00, 0x61, 0x72, 0x74, 0x78,
556 : 0xfa, 0x02, 0x00, 0x00, 0x00, 0x63, 0x00, 0x00};
557 1 : DATA_BLOB win_blob = {
558 : .data = win_bytes,
559 : .length = sizeof(win_bytes)
560 : };
561 :
562 1 : TALLOC_CTX *mem_ctx = talloc_new(NULL);
563 1 : struct security_descriptor sec_desc_windows = {};
564 1 : struct security_descriptor *sec_desc_samba = sddl_decode(mem_ctx, sddl,
565 : NULL);
566 1 : assert_non_null(sec_desc_samba);
567 1 : ndr_err = ndr_pull_struct_blob(
568 : &win_blob, mem_ctx, &sec_desc_windows,
569 : (ndr_pull_flags_fn_t)ndr_pull_security_descriptor);
570 :
571 1 : assert_true(NDR_ERR_CODE_IS_SUCCESS(ndr_err));
572 1 : }
573 :
574 1 : static void test_round_trips(void **state)
575 : {
576 : /*
577 : * These expressions should parse into proper conditional
578 : * ACEs, which then decode into the same string.
579 : */
580 1 : static const char *sddl[] = {
581 : ("(Member_of{SID(AA)})"),
582 : ("(a Contains @USER.b == @device.c)"),
583 : ("(a == @user.b == @resource.c)"),
584 : ("(@Device.bb <= -00624677746777766777767)"),
585 : ("(@Device.bb == 0624677746777766777767)"),
586 : ("(@Device.%025cɜ == 3)"),
587 : ("(17pq == 3||2a==@USER.7)"),
588 : ("(x==1 && x >= 2 && @User.Title == @User.shoes || "
589 : "Member_of{SID(CD)} && !(Member_of_Any{ 3 }) || "
590 : "Device_Member_of{SID(BA), 7, 1, 3} "
591 : "|| Exists hooly)"),
592 : ("(!(!(!(!(!((!(x==1))))))))"),
593 : ("(@User.a == {})"),
594 : ("(Member_of{})"),
595 : ("(Member_of {SID(S-1-33-5), "
596 : "SID(BO)} && @Device.Bitlocker)"),
597 : "(@USER.ad://ext/AuthenticationSilo == \"siloname\")",
598 : "(@User.Division==\"Finance\" || @User.Division ==\"Sales\")",
599 : "(@User.Title == @User.Title)",
600 : "(@User.Title == \"PM\")",
601 : "(OctetStringType==#01020300)",
602 : "(@User.Project Any_of @Resource.Project)",
603 : "(@user.x==1 &&(@user.x >@user.x ) )",
604 : "(x==1) ",
605 : "( x Contains 3)",
606 : "( x < 3)",
607 : "(x Any_of 3)",
608 : "( x == SID(BA))",
609 : "((x) == SID(BA))",
610 : "(OctetStringType==#1#2#3###))",
611 : };
612 1 : size_t i, length;
613 1 : TALLOC_CTX *mem_ctx = talloc_new(NULL);
614 1 : bool failed = false;
615 1 : bool ok;
616 28 : for (i = 0; i < ARRAY_SIZE(sddl); i++) {
617 26 : struct ace_condition_script *s1 = NULL;
618 26 : struct ace_condition_script *s2 = NULL;
619 26 : struct ace_condition_script *s3 = NULL;
620 26 : const char *message = NULL;
621 26 : size_t message_offset;
622 26 : const char *resddl1 = NULL;
623 26 : const char *resddl2 = NULL;
624 26 : DATA_BLOB e1, e2, e3;
625 26 : fputs("=======================\n", stderr);
626 26 : s1 = ace_conditions_compile_sddl(mem_ctx,
627 : sddl[i],
628 : &message,
629 : &message_offset,
630 : &length);
631 26 : if (s1 == NULL) {
632 0 : debug_fail("%s\n", sddl[i]);
633 0 : failed = true;
634 0 : print_error_message(sddl[i], message, message_offset);
635 0 : continue;
636 : }
637 26 : if (false) {
638 : debug_conditional_ace_stderr(mem_ctx, s1);
639 : }
640 26 : ok = conditional_ace_encode_binary(mem_ctx, s1, &e1);
641 26 : if (! ok) {
642 0 : failed = true;
643 0 : debug_fail("%s could not encode\n", sddl[i]);
644 0 : continue;
645 : }
646 :
647 26 : s2 = parse_conditional_ace(mem_ctx, e1);
648 26 : if (s2 == NULL) {
649 0 : debug_fail("%s failed to decode ace\n", sddl[i]);
650 0 : failed = true;
651 0 : continue;
652 : }
653 :
654 26 : ok = conditional_ace_encode_binary(mem_ctx, s2, &e2);
655 26 : if (! ok) {
656 0 : failed = true;
657 0 : debug_fail("%s could not re-encode\n", sddl[i]);
658 0 : continue;
659 : }
660 26 : if (data_blob_cmp(&e1, &e2) != 0) {
661 0 : failed = failed || ok;
662 : }
663 :
664 26 : resddl1 = sddl_from_conditional_ace(mem_ctx, s1);
665 26 : if (resddl1 == NULL) {
666 0 : failed = true;
667 0 : debug_fail("could not re-make SDDL of %s\n", sddl[i]);
668 0 : continue;
669 : }
670 26 : resddl2 = sddl_from_conditional_ace(mem_ctx, s2);
671 26 : if (resddl2 == NULL) {
672 0 : failed = true;
673 0 : debug_fail("could not re-make SDDL of %s\n", sddl[i]);
674 0 : continue;
675 : }
676 26 : if (strcmp(resddl1, resddl2) != 0) {
677 0 : print_message("SDDL 2: %s\n", resddl2);
678 0 : failed = failed || ok;
679 : }
680 26 : print_message("SDDL: %s\n", resddl1);
681 26 : s3 = ace_conditions_compile_sddl(mem_ctx,
682 : resddl1,
683 : &message,
684 : &message_offset,
685 : &length);
686 26 : if (s3 == NULL) {
687 0 : debug_fail("resddl: %s\n", resddl1);
688 0 : failed = true;
689 0 : print_error_message(resddl1, message, message_offset);
690 0 : continue;
691 : }
692 26 : ok = conditional_ace_encode_binary(mem_ctx, s3, &e3);
693 26 : if (! ok) {
694 0 : failed = true;
695 0 : debug_fail("%s could not encode\n", resddl1);
696 0 : continue;
697 : }
698 26 : if (data_blob_cmp(&e1, &e2) != 0) {
699 0 : debug_fail("'%s' compiled differently\n", resddl1);
700 : failed = failed || ok;
701 : }
702 : }
703 1 : assert_false(failed);
704 1 : }
705 :
706 1 : static void test_a_number_of_valid_strings(void **state)
707 : {
708 : /*
709 : * These expressions should parse into proper conditional ACEs.
710 : */
711 1 : static const char *sddl[] = {
712 : "(@User.TEETH == \"5\")",
713 : "(x==1) ",
714 : "( x Contains 3)",
715 : "( x < 3)",
716 : "(x Any_of 3)",
717 : "( x == SID(BA))",
718 : "(x ANY_Of 3)",
719 : "((x) == SID(BA))",
720 : "(x==1 && x >= 2)", /* logical consistency not required */
721 : };
722 1 : size_t i, length;
723 1 : TALLOC_CTX *mem_ctx = talloc_new(NULL);
724 1 : bool failed = false;
725 11 : for (i = 0; i < ARRAY_SIZE(sddl); i++) {
726 9 : struct ace_condition_script *s = NULL;
727 9 : const char *message = NULL;
728 9 : size_t message_offset;
729 :
730 9 : s = ace_conditions_compile_sddl(mem_ctx,
731 : sddl[i],
732 : &message,
733 : &message_offset,
734 : &length);
735 9 : if (s == NULL) {
736 0 : debug_fail("%s\n", sddl[i]);
737 : failed = true;
738 9 : } else if (length != strlen(sddl[i])) {
739 0 : debug_fail("%s failed to consume whole string\n",
740 : sddl[i]);
741 : failed = true;
742 : }
743 9 : if (message != NULL) {
744 9 : print_error_message(sddl[i], message, message_offset);
745 9 : } else if (s == NULL) {
746 0 : print_message("failed without message\n");
747 : }
748 : }
749 1 : assert_false(failed);
750 1 : }
751 :
752 :
753 1 : static void test_a_number_of_invalid_strings(void **state)
754 : {
755 : /*
756 : * These expressions should fail to parse.
757 : */
758 1 : static const char *sddl[] = {
759 : /* '!' is only allowed before parens or @attr */
760 : "(!!! !!! !!! Not_Member_of{SID(AA)}))",
761 : /* overflowing numbers can't be sensibly interpreted */
762 : ("(@Device.bb == 055555624677746777766777767)"),
763 : ("(@Device.bb == 0x624677746777766777767)"),
764 : ("(@Device.bb == 624677746777766777767)"),
765 : /* insufficient arguments */
766 : "(!)",
767 : "(x >)",
768 : "(> 3)",
769 : /* keyword as local attribute name */
770 : "( Member_of Contains 3)",
771 : /* no parens */
772 : " x < 3",
773 : /* wants '==' */
774 : "( x = SID(BA))",
775 : /* invalid SID strings */
776 : "( x == SID(ZZ))",
777 : "( x == SID(S-1-))",
778 : "( x == SID())",
779 : /* literal on LHS */
780 : "(\"x\" == \"x\")",
781 : /* odd number of digits following '#' */
782 : "(OctetStringType==#1#2#3##))",
783 : /* empty expression */
784 : "()",
785 : /* relational op with with complex RHS */
786 : "(@Device.bb == (@USER.x < 62))",
787 : /* hex‐escapes that should be literals */
788 : ("(@Device.%002e == 3)"),
789 : ("(@Device.%002f == 3)"),
790 : ("(@Device.%003a == 3)"),
791 : /* trailing comma in composite */
792 : "(Member_of{SID(AA),})",
793 : /* missing comma between elements of a composite */
794 : "(Member_of{SID(AA) SID(AC)})",
795 : /* unexpected comma in composite */
796 : "(Member_of{,})",
797 : };
798 1 : size_t i, length;
799 1 : TALLOC_CTX *mem_ctx = talloc_new(NULL);
800 1 : bool failed_to_fail = false;
801 25 : for (i = 0; i < ARRAY_SIZE(sddl); i++) {
802 23 : struct ace_condition_script *s = NULL;
803 23 : const char *message = NULL;
804 23 : size_t message_offset;
805 23 : s = ace_conditions_compile_sddl(mem_ctx,
806 : sddl[i],
807 : &message,
808 : &message_offset,
809 : &length);
810 23 : if (s != NULL) {
811 0 : print_message("unexpected success: ");
812 0 : debug_fail("%s\n", sddl[i]);
813 : failed_to_fail = true;
814 : }
815 23 : if (message != NULL) {
816 46 : print_error_message(sddl[i], message, message_offset);
817 0 : } else if (s == NULL) {
818 0 : print_message("failed without message\n");
819 : }
820 : }
821 1 : assert_false(failed_to_fail);
822 1 : }
823 :
824 :
825 1 : static void test_valid_strings_with_trailing_crap(void **state)
826 : {
827 : /*
828 : * These expressions should parse even though they have
829 : * trailing bytes that look bad.
830 : *
831 : * ace_conditions_compile_sddl() will return when it has
832 : * found a complete expression, and tell us how much it used.
833 : */
834 1 : static struct {
835 : const char *sddl;
836 : size_t length;
837 : } pairs[] = {
838 : {"(x==1 &&(x < 5 )) )", 18},
839 : {"(x==1) &&", 7},
840 : {"(x)) ", 3},
841 : };
842 1 : size_t i, length;
843 1 : TALLOC_CTX *mem_ctx = talloc_new(NULL);
844 1 : bool failed = false;
845 5 : for (i = 0; i < ARRAY_SIZE(pairs); i++) {
846 3 : struct ace_condition_script *s = NULL;
847 3 : const char *message = NULL;
848 3 : size_t message_offset;
849 3 : s = ace_conditions_compile_sddl(mem_ctx,
850 : pairs[i].sddl,
851 : &message,
852 : &message_offset,
853 : &length);
854 :
855 3 : if (s == NULL) {
856 0 : debug_fail("%s\n", pairs[i].sddl);
857 : failed = true;
858 3 : } else if (pairs[i].length == length) {
859 3 : debug_ok("%s\n", pairs[i].sddl);
860 : } else {
861 0 : debug_fail("expected to consume %zu bytes, actual %zu\n",
862 : pairs[i].length, length);
863 : failed = true;
864 : }
865 3 : if (message != NULL) {
866 3 : print_error_message(pairs[i].sddl, message, message_offset);
867 3 : } else if (s == NULL) {
868 0 : print_message("failed without message\n");
869 : }
870 : }
871 1 : assert_false(failed);
872 1 : }
873 :
874 :
875 1 : int main(_UNUSED_ int argc, _UNUSED_ const char **argv)
876 : {
877 1 : const struct CMUnitTest tests[] = {
878 : cmocka_unit_test(test_full_sddl_ra_encode),
879 : cmocka_unit_test(test_full_sddl_ra_escapes),
880 : cmocka_unit_test(test_full_sddl_compile),
881 : cmocka_unit_test(test_round_trips),
882 : cmocka_unit_test(test_a_number_of_invalid_strings),
883 : cmocka_unit_test(test_a_number_of_valid_strings),
884 : cmocka_unit_test(test_valid_strings_with_trailing_crap),
885 : cmocka_unit_test(test_sddl_compile),
886 : cmocka_unit_test(test_sddl_compile2),
887 : };
888 1 : if (!isatty(1)) {
889 1 : cmocka_set_message_output(CM_OUTPUT_SUBUNIT);
890 : }
891 1 : return cmocka_run_group_tests(tests, NULL, NULL);
892 : }
|
