/**
 * Decode an encoded registry value into the winreg_Data union.
 *
 * @param mem_ctx  talloc context handed to the NDR decoder
 * @param blob     encoded value bytes to decode
 * @param data     destination union, filled by ndr_pull_winreg_Data
 * @param type     registry value type, passed to the decoder as the
 *                 union discriminant
 * @return WERR_OK on success, WERR_GENERAL_FAILURE on any NDR error.
 *         The specific NDR error code is not propagated to the caller.
 *
 * Nothing visible here defines the contents of *data after a failure,
 * so callers should only read it when WERR_OK is returned.
 */
static WERROR pull_winreg_Data(TALLOC_CTX *mem_ctx,
			       const DATA_BLOB *blob,
			       union winreg_Data *data,
			       enum winreg_Type type)
{
	enum ndr_err_code status =
		ndr_pull_union_blob(blob, mem_ctx, data, type,
				    (ndr_pull_flags_fn_t)ndr_pull_winreg_Data);

	if (NDR_ERR_CODE_IS_SUCCESS(status)) {
		return WERR_OK;
	}

	return WERR_GENERAL_FAILURE;
}
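/**
 * Decode the authorization data of a Kerberos PAC into a
 * struct auth_user_info_dc and, on request, decode the server and KDC
 * signature buffers as well.
 *
 * This function only decodes. Nothing in it verifies either PAC
 * checksum, so the returned identity is exactly as trustworthy as the
 * PAC that was passed in.
 * NOTE(review): callers presumably validate the PAC before acting on
 * the result - confirm at the call sites.
 *
 * @param mem_ctx       talloc parent passed to make_user_info_dc_pac()
 *                      and parent of the temporary decode context
 * @param pac           PAC to read the buffers from
 * @param context       krb5 context used for the buffer lookups
 * @param user_info_dc  set on success only
 * @param pac_srv_sig   if non-NULL, receives the decoded
 *                      PAC_TYPE_SRV_CHECKSUM buffer (it is also used as
 *                      the talloc context for that decode)
 * @param pac_kdc_sig   if non-NULL, receives the decoded
 *                      PAC_TYPE_KDC_CHECKSUM buffer (same convention)
 * @return 0 on success; ENOMEM if the temporary context cannot be
 *         created; EINVAL on a missing or undecodable LOGON_INFO /
 *         UPN_DNS_INFO buffer or an undecodable signature; the krb5
 *         error as-is when a requested signature buffer is missing.
 */
krb5_error_code kerberos_pac_to_user_info_dc(TALLOC_CTX *mem_ctx,
					     krb5_pac pac,
					     krb5_context context,
					     struct auth_user_info_dc **user_info_dc,
					     struct PAC_SIGNATURE_DATA *pac_srv_sig,
					     struct PAC_SIGNATURE_DATA *pac_kdc_sig)
{
	NTSTATUS nt_status;
	enum ndr_err_code ndr_err;
	krb5_error_code ret;

	DATA_BLOB pac_logon_info_in, pac_srv_checksum_in, pac_kdc_checksum_in;
	krb5_data k5pac_logon_info_in, k5pac_srv_checksum_in, k5pac_kdc_checksum_in;
	DATA_BLOB pac_upn_dns_info_in;
	krb5_data k5pac_upn_dns_info_in;

	union PAC_INFO info;
	union PAC_INFO _upn_dns_info;
	const struct PAC_UPN_DNS_INFO *upn_dns_info = NULL;
	struct auth_user_info_dc *user_info_dc_out;

	TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);

	if (!tmp_ctx) {
		return ENOMEM;
	}

	/* LOGON_INFO is mandatory: no buffer, no identity. */
	ret = krb5_pac_get_buffer(context, pac, PAC_TYPE_LOGON_INFO, &k5pac_logon_info_in);
	if (ret != 0) {
		talloc_free(tmp_ctx);
		return EINVAL;
	}

	pac_logon_info_in = data_blob_const(k5pac_logon_info_in.data, k5pac_logon_info_in.length);

	ndr_err = ndr_pull_union_blob(&pac_logon_info_in, tmp_ctx, &info,
				      PAC_TYPE_LOGON_INFO,
				      (ndr_pull_flags_fn_t)ndr_pull_PAC_INFO);
	smb_krb5_free_data_contents(context, &k5pac_logon_info_in);
	if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
		nt_status = ndr_map_error2ntstatus(ndr_err);
		DEBUG(0,("can't parse the PAC LOGON_INFO: %s\n", nt_errstr(nt_status)));
		talloc_free(tmp_ctx);
		return EINVAL;
	}
	/* A successful decode can still leave the info pointer NULL. */
	if (info.logon_info.info == NULL) {
		DEBUG(0,("can't parse the PAC LOGON_INFO: missing info pointer\n"));
		talloc_free(tmp_ctx);
		return EINVAL;
	}

	/* UPN_DNS_INFO is optional: ENOENT is treated as "not present". */
	ret = krb5_pac_get_buffer(context, pac, PAC_TYPE_UPN_DNS_INFO,
				  &k5pac_upn_dns_info_in);
	if (ret == ENOENT) {
		ZERO_STRUCT(k5pac_upn_dns_info_in);
		ret = 0;
	}
	if (ret != 0) {
		talloc_free(tmp_ctx);
		return EINVAL;
	}

	pac_upn_dns_info_in = data_blob_const(k5pac_upn_dns_info_in.data,
					      k5pac_upn_dns_info_in.length);

	/*
	 * NOTE(review): a present but zero-length buffer skips this branch,
	 * so its krb5_data is never passed to smb_krb5_free_data_contents()
	 * - confirm whether anything needs releasing in that case.
	 */
	if (pac_upn_dns_info_in.length != 0) {
		ndr_err = ndr_pull_union_blob(&pac_upn_dns_info_in, tmp_ctx,
					      &_upn_dns_info,
					      PAC_TYPE_UPN_DNS_INFO,
					      (ndr_pull_flags_fn_t)ndr_pull_PAC_INFO);
		smb_krb5_free_data_contents(context, &k5pac_upn_dns_info_in);
		if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
			nt_status = ndr_map_error2ntstatus(ndr_err);
			DEBUG(0,("can't parse the PAC UPN_DNS_INFO: %s\n",
				 nt_errstr(nt_status)));
			talloc_free(tmp_ctx);
			return EINVAL;
		}
		upn_dns_info = &_upn_dns_info.upn_dns_info;
	}

	/* Pull this right into the normal auth system structures */
	nt_status = make_user_info_dc_pac(mem_ctx,
					  info.logon_info.info,
					  upn_dns_info,
					  &user_info_dc_out);
	if (!NT_STATUS_IS_OK(nt_status)) {
		talloc_free(tmp_ctx);
		return EINVAL;
	}

	/*
	 * NOTE(review): on the failure paths below user_info_dc_out is not
	 * handed to the caller and is not freed here - presumably it stays
	 * attached to mem_ctx; confirm that is intended.
	 */
	if (pac_srv_sig) {
		ret = krb5_pac_get_buffer(context, pac, PAC_TYPE_SRV_CHECKSUM, &k5pac_srv_checksum_in);
		if (ret != 0) {
			talloc_free(tmp_ctx);
			return ret;
		}

		pac_srv_checksum_in = data_blob_const(k5pac_srv_checksum_in.data, k5pac_srv_checksum_in.length);

		ndr_err = ndr_pull_struct_blob(&pac_srv_checksum_in, pac_srv_sig,
					       pac_srv_sig,
					       (ndr_pull_flags_fn_t)ndr_pull_PAC_SIGNATURE_DATA);
		smb_krb5_free_data_contents(context, &k5pac_srv_checksum_in);
		if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
			nt_status = ndr_map_error2ntstatus(ndr_err);
			/* Name the right buffer so the log identifies which checksum was malformed. */
			DEBUG(0,("can't parse the server signature: %s\n",
				 nt_errstr(nt_status)));
			/* Release the temporary context like every other error path. */
			talloc_free(tmp_ctx);
			return EINVAL;
		}
	}

	if (pac_kdc_sig) {
		ret = krb5_pac_get_buffer(context, pac, PAC_TYPE_KDC_CHECKSUM, &k5pac_kdc_checksum_in);
		if (ret != 0) {
			talloc_free(tmp_ctx);
			return ret;
		}

		pac_kdc_checksum_in = data_blob_const(k5pac_kdc_checksum_in.data, k5pac_kdc_checksum_in.length);

		ndr_err = ndr_pull_struct_blob(&pac_kdc_checksum_in, pac_kdc_sig,
					       pac_kdc_sig,
					       (ndr_pull_flags_fn_t)ndr_pull_PAC_SIGNATURE_DATA);
		smb_krb5_free_data_contents(context, &k5pac_kdc_checksum_in);
		if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
			nt_status = ndr_map_error2ntstatus(ndr_err);
			DEBUG(0,("can't parse the KDC signature: %s\n",
				 nt_errstr(nt_status)));
			/* Release the temporary context like every other error path. */
			talloc_free(tmp_ctx);
			return EINVAL;
		}
	}

	/*
	 * tmp_ctx is deliberately left alone on success, as in the original:
	 * whether user_info_dc_out still points into the decoded PAC data
	 * cannot be told from here. It stays a child of mem_ctx.
	 */
	*user_info_dc = user_info_dc_out;

	return 0;
}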
/**
 * Pretty-print a bkrp_BackupKey call through an ndr_print context.
 *
 * With NDR_IN set, the request payload (data_in) is decoded according
 * to the level derived from guidActionAgent and printed in decoded
 * form; if that decode fails it is printed as a raw byte array instead.
 * With NDR_OUT set, the response payload (data_out) is printed as a raw
 * byte array.
 *
 * NOTE(review): both payloads are written to the print sink in full.
 * BackupKey traffic can carry key material, so output produced by this
 * printer should be handled as sensitive - confirm where it ends up.
 *
 * @param ndr    print context; also used as the talloc parent for the
 *               decoded copy of data_in
 * @param name   label for the top-level struct
 * @param flags  combination of NDR_IN, NDR_OUT and NDR_SET_VALUES
 * @param r      call to print; NULL prints a null marker and returns
 */
_PUBLIC_ void ndr_print_bkrp_BackupKey(struct ndr_print *ndr, const char *name, int flags, const struct bkrp_BackupKey *r)
{
	ndr_print_struct(ndr, name, "bkrp_BackupKey");
	if (!r) {
		ndr_print_null(ndr);
		return;
	}

	ndr->depth++;
	if ((flags & NDR_SET_VALUES) != 0) {
		ndr->flags |= LIBNDR_PRINT_SET_VALUES;
	}

	if ((flags & NDR_IN) != 0) {
		union bkrp_data_in_blob decoded;
		DATA_BLOB raw;
		uint32_t level;
		enum ndr_err_code pull_status;

		ndr_print_struct(ndr, "in", "bkrp_BackupKey");
		ndr->depth++;

		ndr_print_ptr(ndr, "guidActionAgent", r->in.guidActionAgent);
		ndr->depth++;
		ndr_print_GUID(ndr, "guidActionAgent", r->in.guidActionAgent);
		ndr->depth--;

		/* The action GUID selects which union arm data_in is decoded as. */
		level = backupkeyguid_to_uint(r->in.guidActionAgent);

		raw.data = r->in.data_in;
		raw.length = r->in.data_in_len;
		pull_status = ndr_pull_union_blob(&raw, ndr, &decoded, level,
				(ndr_pull_flags_fn_t)ndr_pull_bkrp_data_in_blob);

		ndr_print_ptr(ndr, "data_in", r->in.data_in);
		ndr->depth++;
		if (!NDR_ERR_CODE_IS_SUCCESS(pull_status)) {
			/* Undecodable payload: fall back to a raw byte dump. */
			ndr_print_array_uint8(ndr, "data_in", r->in.data_in, r->in.data_in_len);
		} else {
			ndr_print_bkrp_data_in_blob(ndr, "data_in", &decoded);
		}
		ndr->depth--;

		ndr_print_uint32(ndr, "data_in_len", r->in.data_in_len);
		ndr_print_uint32(ndr, "param", r->in.param);
		ndr->depth--;
	}

	if ((flags & NDR_OUT) != 0) {
		ndr_print_struct(ndr, "out", "bkrp_BackupKey");
		ndr->depth++;

		/*
		 * NOTE(review): r->out.data_out and r->out.data_out_len are
		 * dereferenced below without a NULL check - confirm every
		 * caller that passes NDR_OUT supplies both.
		 */
		ndr_print_ptr(ndr, "data_out", r->out.data_out);
		ndr->depth++;
		ndr_print_ptr(ndr, "data_out", *r->out.data_out);
		ndr->depth++;
		if (*r->out.data_out != NULL) {
			ndr_print_array_uint8(ndr, "data_out", *r->out.data_out, *r->out.data_out_len);
		}
		ndr->depth--;
		ndr->depth--;

		ndr_print_ptr(ndr, "data_out_len", r->out.data_out_len);
		ndr->depth++;
		ndr_print_uint32(ndr, "data_out_len", *r->out.data_out_len);
		ndr->depth--;

		ndr_print_WERROR(ndr, "result", r->out.result);
		ndr->depth--;
	}

	ndr->depth--;
}
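/**
 * Decode the logon information of a Kerberos PAC into a
 * struct auth_serversupplied_info and store the decoded server and KDC
 * signature buffers in it.
 *
 * This function only decodes. Nothing in it verifies either PAC
 * checksum, so the returned identity is exactly as trustworthy as the
 * PAC that was passed in.
 * NOTE(review): callers presumably validate the PAC before acting on
 * the result - confirm at the call sites.
 *
 * @param mem_ctx            talloc parent passed to
 *                           make_server_info_netlogon_validation() and
 *                           parent of the temporary decode context
 * @param iconv_convenience  passed through to the NDR pull calls
 * @param pac                PAC to read the buffers from
 * @param context            krb5 context used for the buffer lookups
 * @param server_info        set on success only
 * @return 0 on success; ENOMEM if the temporary context cannot be
 *         created; EINVAL on a missing or undecodable LOGON_INFO buffer
 *         or an undecodable signature; the krb5 error as-is when a
 *         signature buffer is missing.
 */
krb5_error_code kerberos_pac_to_server_info(TALLOC_CTX *mem_ctx,
					    struct smb_iconv_convenience *iconv_convenience,
					    krb5_pac pac,
					    krb5_context context,
					    struct auth_serversupplied_info **server_info)
{
	NTSTATUS nt_status;
	enum ndr_err_code ndr_err;
	krb5_error_code ret;

	DATA_BLOB pac_logon_info_in, pac_srv_checksum_in, pac_kdc_checksum_in;
	krb5_data k5pac_logon_info_in, k5pac_srv_checksum_in, k5pac_kdc_checksum_in;

	union PAC_INFO info;
	union netr_Validation validation;
	struct auth_serversupplied_info *server_info_out;

	TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);

	if (!tmp_ctx) {
		return ENOMEM;
	}

	/* LOGON_INFO is mandatory: no buffer, no identity. */
	ret = krb5_pac_get_buffer(context, pac, PAC_TYPE_LOGON_INFO, &k5pac_logon_info_in);
	if (ret != 0) {
		talloc_free(tmp_ctx);
		return EINVAL;
	}

	pac_logon_info_in = data_blob_const(k5pac_logon_info_in.data, k5pac_logon_info_in.length);

	ndr_err = ndr_pull_union_blob(&pac_logon_info_in, tmp_ctx, iconv_convenience, &info,
				      PAC_TYPE_LOGON_INFO,
				      (ndr_pull_flags_fn_t)ndr_pull_PAC_INFO);
	krb5_data_free(&k5pac_logon_info_in);
	if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
		nt_status = ndr_map_error2ntstatus(ndr_err);
		DEBUG(0,("can't parse the PAC LOGON_INFO: %s\n", nt_errstr(nt_status)));
		talloc_free(tmp_ctx);
		return EINVAL;
	}
	/*
	 * A successful decode can still leave the info pointer NULL. Report
	 * that separately instead of printing the status string of a
	 * successful decode.
	 */
	if (!info.logon_info.info) {
		DEBUG(0,("can't parse the PAC LOGON_INFO: missing info pointer\n"));
		talloc_free(tmp_ctx);
		return EINVAL;
	}

	/* Pull this right into the normal auth system structures */
	validation.sam3 = &info.logon_info.info->info3;
	/* NOTE(review): the literal 3 presumably selects the sam3 arm set above - confirm. */
	nt_status = make_server_info_netlogon_validation(mem_ctx,
							 "",
							 3, &validation,
							 &server_info_out);
	if (!NT_STATUS_IS_OK(nt_status)) {
		talloc_free(tmp_ctx);
		return EINVAL;
	}

	/*
	 * NOTE(review): on the failure paths below server_info_out is not
	 * handed to the caller and is not freed here - presumably it stays
	 * attached to mem_ctx; confirm that is intended.
	 */
	ret = krb5_pac_get_buffer(context, pac, PAC_TYPE_SRV_CHECKSUM, &k5pac_srv_checksum_in);
	if (ret != 0) {
		talloc_free(tmp_ctx);
		return ret;
	}

	pac_srv_checksum_in = data_blob_const(k5pac_srv_checksum_in.data, k5pac_srv_checksum_in.length);

	ndr_err = ndr_pull_struct_blob(&pac_srv_checksum_in, server_info_out,
				       iconv_convenience, &server_info_out->pac_srv_sig,
				       (ndr_pull_flags_fn_t)ndr_pull_PAC_SIGNATURE_DATA);
	krb5_data_free(&k5pac_srv_checksum_in);
	if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
		nt_status = ndr_map_error2ntstatus(ndr_err);
		/* Name the right buffer so the log identifies which checksum was malformed. */
		DEBUG(0,("can't parse the server signature: %s\n",
			 nt_errstr(nt_status)));
		/* Release the temporary context like every other error path. */
		talloc_free(tmp_ctx);
		return EINVAL;
	}

	ret = krb5_pac_get_buffer(context, pac, PAC_TYPE_KDC_CHECKSUM, &k5pac_kdc_checksum_in);
	if (ret != 0) {
		talloc_free(tmp_ctx);
		return ret;
	}

	pac_kdc_checksum_in = data_blob_const(k5pac_kdc_checksum_in.data, k5pac_kdc_checksum_in.length);

	ndr_err = ndr_pull_struct_blob(&pac_kdc_checksum_in, server_info_out,
				       iconv_convenience, &server_info_out->pac_kdc_sig,
				       (ndr_pull_flags_fn_t)ndr_pull_PAC_SIGNATURE_DATA);
	krb5_data_free(&k5pac_kdc_checksum_in);
	if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
		nt_status = ndr_map_error2ntstatus(ndr_err);
		DEBUG(0,("can't parse the KDC signature: %s\n",
			 nt_errstr(nt_status)));
		/* Release the temporary context like every other error path. */
		talloc_free(tmp_ctx);
		return EINVAL;
	}

	/*
	 * tmp_ctx is deliberately left alone on success, as in the original:
	 * whether server_info_out still points into the decoded PAC data
	 * cannot be told from here. It stays a child of mem_ctx.
	 */
	*server_info = server_info_out;

	return 0;
}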