From 8df1728e124f0fa0e7d2891f5373d806226a21f3 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Thu, 29 Feb 2024 10:02:16 +0100
Subject: [PATCH] s3:rpc_server: Implement lsa_CreateTrustedDomain_common()

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
---
 source3/rpc_server/lsa/srv_lsa_nt.c | 195 ++++++++++++++++------------
 1 file changed, 115 insertions(+), 80 deletions(-)

diff --git a/source3/rpc_server/lsa/srv_lsa_nt.c b/source3/rpc_server/lsa/srv_lsa_nt.c
index 08e1bf1caff..ae082a363c4 100644
--- a/source3/rpc_server/lsa/srv_lsa_nt.c
+++ b/source3/rpc_server/lsa/srv_lsa_nt.c
@@ -1910,6 +1910,99 @@ static NTSTATUS lsa_CreateTrustedDomain_precheck(
 	return NT_STATUS_OK;
 }
 
+static NTSTATUS lsa_CreateTrustedDomain_common(
+	struct pipes_struct *p,
+	TALLOC_CTX *mem_ctx,
+	struct auth_session_info *session_info,
+	struct lsa_info *policy,
+	uint32_t access_mask,
+	struct lsa_TrustDomainInfoInfoEx *info,
+	struct trustDomainPasswords *auth_struct,
+	struct policy_handle **ptrustdom_handle)
+{
+	struct security_descriptor *psd = NULL;
+	size_t sd_size = 0;
+	uint32_t acc_granted = 0;
+	struct pdb_trusted_domain td = {
+		.trust_type = 0,
+	};
+	NTSTATUS status;
+
+	/* Work out max allowed. */
+	map_max_allowed_access(session_info->security_token,
+			       session_info->unix_token,
+			       &access_mask);
+
+	/* map the generic bits to the lsa policy ones */
+	se_map_generic(&access_mask, &lsa_account_mapping);
+
+	status = make_lsa_object_sd(
+		mem_ctx, &psd, &sd_size, &lsa_trusted_domain_mapping, NULL, 0);
+	if (!NT_STATUS_IS_OK(status)) {
+		return status;
+	}
+
+	status = access_check_object(psd,
+				     session_info->security_token,
+				     SEC_PRIV_INVALID,
+				     SEC_PRIV_INVALID,
+				     0,
+				     access_mask,
+				     &acc_granted,
+				     "lsa_CreateTrustedDomain_common");
+	if (!NT_STATUS_IS_OK(status)) {
+		return status;
+	}
+
+	td.domain_name = talloc_strdup(mem_ctx, info->domain_name.string);
+	if (td.domain_name == NULL) {
+		return NT_STATUS_NO_MEMORY;
+	}
+	td.netbios_name = talloc_strdup(mem_ctx, info->netbios_name.string);
+	if (td.netbios_name == NULL) {
+		return NT_STATUS_NO_MEMORY;
+	}
+	sid_copy(&td.security_identifier, info->sid);
+	td.trust_direction = info->trust_direction;
+	td.trust_type = info->trust_type;
+	td.trust_attributes = info->trust_attributes;
+
+	status = get_trustauth_inout_blob(mem_ctx,
+					  &auth_struct->incoming,
+					  &td.trust_auth_incoming);
+	if (!NT_STATUS_IS_OK(status)) {
+		return NT_STATUS_UNSUCCESSFUL;
+	}
+
+	status = get_trustauth_inout_blob(mem_ctx,
+					  &auth_struct->outgoing,
+					  &td.trust_auth_outgoing);
+	if (!NT_STATUS_IS_OK(status)) {
+		return NT_STATUS_UNSUCCESSFUL;
+	}
+
+	status = pdb_set_trusted_domain(info->domain_name.string, &td);
+	if (!NT_STATUS_IS_OK(status)) {
+		DBG_ERR("pdb_set_trusted_domain failed: %s\n",
+			nt_errstr(status));
+		return status;
+	}
+
+	status = create_lsa_policy_handle(mem_ctx, p,
+					  LSA_HANDLE_TRUST_TYPE,
+					  acc_granted,
+					  info->sid,
+					  info->netbios_name.string,
+					  psd,
+					  *ptrustdom_handle);
+	if (!NT_STATUS_IS_OK(status)) {
+		pdb_del_trusted_domain(info->netbios_name.string);
+		return NT_STATUS_OBJECT_NAME_NOT_FOUND;
+	}
+
+	return NT_STATUS_OK;
+}
+
 /***************************************************************************
  _lsa_CreateTrustedDomainEx2
  ***************************************************************************/
@@ -1922,12 +2015,10 @@ NTSTATUS _lsa_CreateTrustedDomainEx2(struct pipes_struct *p,
 		dcesrv_call_session_info(dce_call);
 	struct lsa_info *policy;
 	NTSTATUS status;
-	uint32_t acc_granted;
-	struct security_descriptor *psd;
-	size_t sd_size;
-	struct pdb_trusted_domain td;
-	struct trustDomainPasswords auth_struct;
-	DATA_BLOB auth_blob;
+	struct trustDomainPasswords auth_struct = {
+		.incoming_size = 0,
+	};
+	DATA_BLOB auth_blob = data_blob_null;
 
 	if (!IS_DC) {
 		return NT_STATUS_NOT_SUPPORTED;
@@ -1950,88 +2041,32 @@ NTSTATUS _lsa_CreateTrustedDomainEx2(struct pipes_struct *p,
 		return status;
 	}
 
-	/* Work out max allowed. */
-	map_max_allowed_access(session_info->security_token,
-			       session_info->unix_token,
-			       &r->in.access_mask);
-
-	/* map the generic bits to the lsa policy ones */
-	se_map_generic(&r->in.access_mask, &lsa_account_mapping);
-
-	status = make_lsa_object_sd(p->mem_ctx, &psd, &sd_size,
-				    &lsa_trusted_domain_mapping,
-				    NULL, 0);
-	if (!NT_STATUS_IS_OK(status)) {
-		return status;
-	}
-
-	status = access_check_object(psd, session_info->security_token,
-				     SEC_PRIV_INVALID, SEC_PRIV_INVALID, 0,
-				     r->in.access_mask, &acc_granted,
-				     "_lsa_CreateTrustedDomainEx2");
-	if (!NT_STATUS_IS_OK(status)) {
-		return status;
-	}
-
-	ZERO_STRUCT(td);
 
-	td.domain_name = talloc_strdup(p->mem_ctx,
-				       r->in.info->domain_name.string);
-	if (td.domain_name == NULL) {
-		return NT_STATUS_NO_MEMORY;
-	}
-	td.netbios_name = talloc_strdup(p->mem_ctx,
-					r->in.info->netbios_name.string);
-	if (td.netbios_name == NULL) {
-		return NT_STATUS_NO_MEMORY;
+	if (r->in.auth_info_internal->auth_blob.size == 0) {
+		return NT_STATUS_INVALID_PARAMETER;
 	}
-	sid_copy(&td.security_identifier, r->in.info->sid);
-	td.trust_direction = r->in.info->trust_direction;
-	td.trust_type = r->in.info->trust_type;
-	td.trust_attributes = r->in.info->trust_attributes;
 
-	if (r->in.auth_info_internal->auth_blob.size != 0) {
-		auth_blob.length = r->in.auth_info_internal->auth_blob.size;
-		auth_blob.data = r->in.auth_info_internal->auth_blob.data;
+	auth_blob = data_blob_const(r->in.auth_info_internal->auth_blob.data,
+				    r->in.auth_info_internal->auth_blob.size);
 
-		status = get_trustdom_auth_blob(p, p->mem_ctx, &auth_blob, &auth_struct);
-		if (!NT_STATUS_IS_OK(status)) {
-			return NT_STATUS_UNSUCCESSFUL;
-		}
-
-		status = get_trustauth_inout_blob(p->mem_ctx, &auth_struct.incoming, &td.trust_auth_incoming);
-		if (!NT_STATUS_IS_OK(status)) {
-			return NT_STATUS_UNSUCCESSFUL;
-		}
-
-		status = get_trustauth_inout_blob(p->mem_ctx, &auth_struct.outgoing, &td.trust_auth_outgoing);
-		if (!NT_STATUS_IS_OK(status)) {
-			return NT_STATUS_UNSUCCESSFUL;
-		}
-	} else {
-		td.trust_auth_incoming.data = NULL;
-		td.trust_auth_incoming.length = 0;
-		td.trust_auth_outgoing.data = NULL;
-		td.trust_auth_outgoing.length = 0;
-	}
-
-	status = pdb_set_trusted_domain(r->in.info->domain_name.string, &td);
+	status = get_trustdom_auth_blob(p,
+					p->mem_ctx,
+					&auth_blob,
+					&auth_struct);
 	if (!NT_STATUS_IS_OK(status)) {
-		DBG_ERR("pdb_set_trusted_domain failed: %s\n",
-			nt_errstr(status));
-		return status;
+		return NT_STATUS_UNSUCCESSFUL;
 	}
 
-	status = create_lsa_policy_handle(p->mem_ctx, p,
-					  LSA_HANDLE_TRUST_TYPE,
-					  acc_granted,
-					  r->in.info->sid,
-					  r->in.info->netbios_name.string,
-					  psd,
-					  r->out.trustdom_handle);
+	status = lsa_CreateTrustedDomain_common(p,
+						p->mem_ctx,
+						session_info,
+						policy,
+						r->in.access_mask,
+						r->in.info,
+						&auth_struct,
+						&r->out.trustdom_handle);
 	if (!NT_STATUS_IS_OK(status)) {
-		pdb_del_trusted_domain(r->in.info->netbios_name.string);
-		return NT_STATUS_OBJECT_NAME_NOT_FOUND;
+		return status;
 	}
 
 	return NT_STATUS_OK;
-- 
2.34.1