Diffstat (limited to 'source4/auth')
-rw-r--r--source4/auth/auth_winbind.c9
-rw-r--r--source4/auth/gensec/schannel.c22
-rw-r--r--source4/auth/kerberos/kerberos_pac.c92
3 files changed, 74 insertions, 49 deletions
diff --git a/source4/auth/auth_winbind.c b/source4/auth/auth_winbind.c
index 2ec0dc7a56..c002428581 100644
--- a/source4/auth/auth_winbind.c
+++ b/source4/auth/auth_winbind.c
@@ -32,15 +32,18 @@ static NTSTATUS get_info3_from_ndr(TALLOC_CTX *mem_ctx, struct winbindd_response
{
size_t len = response->length - sizeof(struct winbindd_response);
if (len > 4) {
- NTSTATUS status;
+ enum ndr_err_code ndr_err;
DATA_BLOB blob;
blob.length = len - 4;
blob.data = (uint8_t *)(((char *)response->extra_data.data) + 4);
- status = ndr_pull_struct_blob(&blob, mem_ctx, info3,
+ ndr_err = ndr_pull_struct_blob(&blob, mem_ctx, info3,
(ndr_pull_flags_fn_t)ndr_pull_netr_SamInfo3);
+ if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
+ return ndr_map_error2ntstatus(ndr_err);
+ }
- return status;
+ return NT_STATUS_OK;
} else {
DEBUG(2, ("get_info3_from_ndr: No info3 struct found!\n"));
return NT_STATUS_UNSUCCESSFUL;
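Review bot: The subtraction at the top of the body, `response->length - sizeof(struct winbindd_response)`, is unsigned because of the sizeof operand, so a response whose length field is smaller than the fixed struct wraps to a very large `len`, passes `len > 4`, and gives ndr_pull_struct_blob a blob length far beyond the extra_data buffer. Whether the caller already validates response->length is not visible in this hunk; if it does not, guard before the subtraction with `if (response->length < sizeof(struct winbindd_response)) return NT_STATUS_UNSUCCESSFUL;`. A NULL `response->extra_data.data` would likewise be offset by 4 and parsed, so it deserves the same early return. The function continues past the end of this hunk.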
diff --git a/source4/auth/gensec/schannel.c b/source4/auth/gensec/schannel.c
index 4d2c9cfee3..98d000be22 100644
--- a/source4/auth/gensec/schannel.c
+++ b/source4/auth/gensec/schannel.c
@@ -46,6 +46,7 @@ static NTSTATUS schannel_update(struct gensec_security *gensec_security, TALLOC_
{
struct schannel_state *state = (struct schannel_state *)gensec_security->private_data;
NTSTATUS status;
+ enum ndr_err_code ndr_err;
struct schannel_bind bind_schannel;
struct schannel_bind_ack bind_schannel_ack;
struct creds_CredentialState *creds;
@@ -80,9 +81,10 @@ static NTSTATUS schannel_update(struct gensec_security *gensec_security, TALLOC_
bind_schannel.u.info3.workstation = cli_credentials_get_workstation(gensec_security->credentials);
#endif
- status = ndr_push_struct_blob(out, out_mem_ctx, &bind_schannel,
- (ndr_push_flags_fn_t)ndr_push_schannel_bind);
- if (!NT_STATUS_IS_OK(status)) {
+ ndr_err = ndr_push_struct_blob(out, out_mem_ctx, &bind_schannel,
+ (ndr_push_flags_fn_t)ndr_push_schannel_bind);
+ if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
+ status = ndr_map_error2ntstatus(ndr_err);
DEBUG(3, ("Could not create schannel bind: %s\n",
nt_errstr(status)));
return status;
@@ -99,9 +101,10 @@ static NTSTATUS schannel_update(struct gensec_security *gensec_security, TALLOC_
}
/* parse the schannel startup blob */
- status = ndr_pull_struct_blob(&in, out_mem_ctx, &bind_schannel,
- (ndr_pull_flags_fn_t)ndr_pull_schannel_bind);
- if (!NT_STATUS_IS_OK(status)) {
+ ndr_err = ndr_pull_struct_blob(&in, out_mem_ctx, &bind_schannel,
+ (ndr_pull_flags_fn_t)ndr_pull_schannel_bind);
+ if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
+ status = ndr_map_error2ntstatus(ndr_err);
DEBUG(3, ("Could not parse incoming schannel bind: %s\n",
nt_errstr(status)));
return status;
@@ -133,9 +136,10 @@ static NTSTATUS schannel_update(struct gensec_security *gensec_security, TALLOC_
bind_schannel_ack.unknown2 = 0;
bind_schannel_ack.unknown3 = 0x6c0000;
- status = ndr_push_struct_blob(out, out_mem_ctx, &bind_schannel_ack,
- (ndr_push_flags_fn_t)ndr_push_schannel_bind_ack);
- if (!NT_STATUS_IS_OK(status)) {
+ ndr_err = ndr_push_struct_blob(out, out_mem_ctx, &bind_schannel_ack,
+ (ndr_push_flags_fn_t)ndr_push_schannel_bind_ack);
+ if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
+ status = ndr_map_error2ntstatus(ndr_err);
DEBUG(3, ("Could not return schannel bind ack for client %s: %s\n",
workstation, nt_errstr(status)));
return status;
diff --git a/source4/auth/kerberos/kerberos_pac.c b/source4/auth/kerberos/kerberos_pac.c
index 0c20ca0744..5fefd24cd1 100644
--- a/source4/auth/kerberos/kerberos_pac.c
+++ b/source4/auth/kerberos/kerberos_pac.c
@@ -76,6 +76,7 @@ static krb5_error_code check_pac_checksum(TALLOC_CTX *mem_ctx,
{
krb5_error_code ret;
NTSTATUS status;
+ enum ndr_err_code ndr_err;
struct PAC_SIGNATURE_DATA *srv_sig_ptr = NULL;
struct PAC_SIGNATURE_DATA *kdc_sig_ptr = NULL;
struct PAC_SIGNATURE_DATA *srv_sig_wipe = NULL;
@@ -110,10 +111,12 @@ static krb5_error_code check_pac_checksum(TALLOC_CTX *mem_ctx,
return NT_STATUS_NO_MEMORY;
}
- status = ndr_pull_struct_blob(&blob, pac_data, pac_data,
- (ndr_pull_flags_fn_t)ndr_pull_PAC_DATA);
- if (!NT_STATUS_IS_OK(status)) {
- DEBUG(0,("can't parse the PAC\n"));
+ ndr_err = ndr_pull_struct_blob(&blob, pac_data, pac_data,
+ (ndr_pull_flags_fn_t)ndr_pull_PAC_DATA);
+ if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
+ status = ndr_map_error2ntstatus(ndr_err);
+ DEBUG(0,("can't parse the PAC: %s\n",
+ nt_errstr(status)));
return status;
}
@@ -123,10 +126,12 @@ static krb5_error_code check_pac_checksum(TALLOC_CTX *mem_ctx,
return NT_STATUS_INVALID_PARAMETER;
}
- status = ndr_pull_struct_blob(&blob, pac_data_raw, pac_data_raw,
- (ndr_pull_flags_fn_t)ndr_pull_PAC_DATA_RAW);
- if (!NT_STATUS_IS_OK(status)) {
- DEBUG(0,("can't parse the PAC\n"));
+ ndr_err = ndr_pull_struct_blob(&blob, pac_data_raw, pac_data_raw,
+ (ndr_pull_flags_fn_t)ndr_pull_PAC_DATA_RAW);
+ if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
+ status = ndr_map_error2ntstatus(ndr_err);
+ DEBUG(0,("can't parse the PAC: %s\n",
+ nt_errstr(status)));
return status;
}
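Review bot: The message added here, `can't parse the PAC: %s`, is byte-identical to the one in the previous hunk, although this call decodes PAC_DATA_RAW and that one decodes PAC_DATA, so a level-0 log line does not say which decode rejected the buffer. Wording this one as `DEBUG(0,("can't parse the raw PAC: %s\n", nt_errstr(status)));` keeps the two failures distinguishable when someone triages rejected tickets from the logs. The enclosing function starts and ends outside the hunk, and the name in the hunk header may belong to the preceding function, since this body returns NTSTATUS values.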
@@ -201,43 +206,53 @@ static krb5_error_code check_pac_checksum(TALLOC_CTX *mem_ctx,
/* Find and zero out the signatures, as required by the signing algorithm */
/* We find the data blobs above, now we parse them to get at the exact portion we should zero */
- status = ndr_pull_struct_blob(kdc_sig_blob, kdc_sig_wipe, kdc_sig_wipe,
- (ndr_pull_flags_fn_t)ndr_pull_PAC_SIGNATURE_DATA);
- if (!NT_STATUS_IS_OK(status)) {
- DEBUG(0,("can't parse the KDC signature\n"));
+ ndr_err = ndr_pull_struct_blob(kdc_sig_blob, kdc_sig_wipe, kdc_sig_wipe,
+ (ndr_pull_flags_fn_t)ndr_pull_PAC_SIGNATURE_DATA);
+ if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
+ status = ndr_map_error2ntstatus(ndr_err);
+ DEBUG(0,("can't parse the KDC signature: %s\n",
+ nt_errstr(status)));
return status;
}
- status = ndr_pull_struct_blob(srv_sig_blob, srv_sig_wipe, srv_sig_wipe,
- (ndr_pull_flags_fn_t)ndr_pull_PAC_SIGNATURE_DATA);
- if (!NT_STATUS_IS_OK(status)) {
- DEBUG(0,("can't parse the SRV signature\n"));
+ ndr_err = ndr_pull_struct_blob(srv_sig_blob, srv_sig_wipe, srv_sig_wipe,
+ (ndr_pull_flags_fn_t)ndr_pull_PAC_SIGNATURE_DATA);
+ if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
+ status = ndr_map_error2ntstatus(ndr_err);
+ DEBUG(0,("can't parse the SRV signature: %s\n",
+ nt_errstr(status)));
return status;
}
-
+
/* Now zero the decoded structure */
memset(kdc_sig_wipe->signature.data, '\0', kdc_sig_wipe->signature.length);
memset(srv_sig_wipe->signature.data, '\0', srv_sig_wipe->signature.length);
/* and reencode, back into the same place it came from */
- status = ndr_push_struct_blob(kdc_sig_blob, pac_data_raw, kdc_sig_wipe,
- (ndr_push_flags_fn_t)ndr_push_PAC_SIGNATURE_DATA);
- if (!NT_STATUS_IS_OK(status)) {
- DEBUG(0,("can't repack the KDC signature\n"));
+ ndr_err = ndr_push_struct_blob(kdc_sig_blob, pac_data_raw, kdc_sig_wipe,
+ (ndr_push_flags_fn_t)ndr_push_PAC_SIGNATURE_DATA);
+ if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
+ status = ndr_map_error2ntstatus(ndr_err);
+ DEBUG(0,("can't repack the KDC signature: %s\n",
+ nt_errstr(status)));
return status;
- }
- status = ndr_push_struct_blob(srv_sig_blob, pac_data_raw, srv_sig_wipe,
- (ndr_push_flags_fn_t)ndr_push_PAC_SIGNATURE_DATA);
- if (!NT_STATUS_IS_OK(status)) {
- DEBUG(0,("can't repack the SRV signature\n"));
+ }
+ ndr_err = ndr_push_struct_blob(srv_sig_blob, pac_data_raw, srv_sig_wipe,
+ (ndr_push_flags_fn_t)ndr_push_PAC_SIGNATURE_DATA);
+ if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
+ status = ndr_map_error2ntstatus(ndr_err);
+ DEBUG(0,("can't repack the SRV signature: %s\n",
+ nt_errstr(status)));
return status;
}
/* push out the whole structure, but now with zero'ed signatures */
- status = ndr_push_struct_blob(&modified_pac_blob, pac_data_raw, pac_data_raw,
- (ndr_push_flags_fn_t)ndr_push_PAC_DATA_RAW);
- if (!NT_STATUS_IS_OK(status)) {
- DEBUG(0,("can't repack the RAW PAC\n"));
+ ndr_err = ndr_push_struct_blob(&modified_pac_blob, pac_data_raw, pac_data_raw,
+ (ndr_push_flags_fn_t)ndr_push_PAC_DATA_RAW);
+ if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
+ status = ndr_map_error2ntstatus(ndr_err);
+ DEBUG(0,("can't repack the RAW PAC: %s\n",
+ nt_errstr(status)));
return status;
}
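Review bot: The comment `/* and reencode, back into the same place it came from */` understates what the two signature pushes do: as far as I know ndr_push_struct_blob fills `*kdc_sig_blob` and `*srv_sig_blob` with a newly allocated buffer parented to pac_data_raw rather than overwriting the received bytes. The checksum input produced by the final push is therefore a re-serialization, and verification depends on the PAC_SIGNATURE_DATA round trip reproducing the original length and layout; a mismatch should only make verification fail, but the dependency is worth documenting. Suggested wording: `/* re-encode into fresh buffers that replace the blobs inside pac_data_raw; the NDR round trip must be byte-exact apart from the zeroed signature */`. The enclosing function begins and ends outside this hunk.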
@@ -309,7 +324,7 @@ static krb5_error_code check_pac_checksum(TALLOC_CTX *mem_ctx,
logon_info->info3.base.full_name.string));
*pac_data_out = pac_data;
- return status;
+ return NT_STATUS_OK;
}
_PUBLIC_ NTSTATUS kerberos_pac_logon_info(TALLOC_CTX *mem_ctx,
@@ -404,6 +419,7 @@ static krb5_error_code make_pac_checksum(TALLOC_CTX *mem_ctx,
{
NTSTATUS nt_status;
krb5_error_code ret;
+ enum ndr_err_code ndr_err;
DATA_BLOB zero_blob = data_blob(NULL, 0);
DATA_BLOB tmp_blob = data_blob(NULL, 0);
struct PAC_SIGNATURE_DATA *kdc_checksum = NULL;
@@ -456,9 +472,10 @@ static krb5_error_code make_pac_checksum(TALLOC_CTX *mem_ctx,
memset(kdc_checksum->signature.data, '\0', kdc_checksum->signature.length);
memset(srv_checksum->signature.data, '\0', srv_checksum->signature.length);
- nt_status = ndr_push_struct_blob(&tmp_blob, mem_ctx, pac_data,
- (ndr_push_flags_fn_t)ndr_push_PAC_DATA);
- if (!NT_STATUS_IS_OK(nt_status)) {
+ ndr_err = ndr_push_struct_blob(&tmp_blob, mem_ctx, pac_data,
+ (ndr_push_flags_fn_t)ndr_push_PAC_DATA);
+ if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
+ nt_status = ndr_map_error2ntstatus(ndr_err);
DEBUG(1, ("PAC (presig) push failed: %s\n", nt_errstr(nt_status)));
talloc_free(pac_data);
return EINVAL;
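Review bot: Both push failures in this function (here and in the next hunk) return `EINVAL` whatever ndr_err was, so an allocation failure inside the encoder is reported to the krb5 caller as an invalid argument. Now that ndr_err is available, the return could distinguish the two: `return ndr_err == NDR_ERR_ALLOC ? ENOMEM : EINVAL;`. nt_status is assigned only to feed nt_errstr in the DEBUG line, which `nt_errstr(ndr_map_error2ntstatus(ndr_err))` would do without the intermediate assignment. The function body extends beyond the hunk.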
@@ -478,9 +495,10 @@ static krb5_error_code make_pac_checksum(TALLOC_CTX *mem_ctx,
}
/* And push it out again, this time to the world. This relies on determanistic pointer values */
- nt_status = ndr_push_struct_blob(&tmp_blob, mem_ctx, pac_data,
- (ndr_push_flags_fn_t)ndr_push_PAC_DATA);
- if (!NT_STATUS_IS_OK(nt_status)) {
+ ndr_err = ndr_push_struct_blob(&tmp_blob, mem_ctx, pac_data,
+ (ndr_push_flags_fn_t)ndr_push_PAC_DATA);
+ if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
+ nt_status = ndr_map_error2ntstatus(ndr_err);
DEBUG(1, ("PAC (final) push failed: %s\n", nt_errstr(nt_status)));
talloc_free(pac_data);
return EINVAL;