libcli/auth: make use of netlogon_creds_cli_check_transport() in more places

This was somehow missing in commit
7a5ad9f64a905f5744430c6e0796c646baf9432e

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Thu Nov  7 09:14:33 UTC 2024 on atb-devel-224

(cherry picked from commit f340dce6546a22d857cad440f8afaee9815dbdb1)

Autobuild-User(v4-21-test): Jule Anger <janger@samba.org>
Autobuild-Date(v4-21-test): Wed Nov 13 10:05:15 UTC 2024 on atb-devel-224

libcli/auth/netlogon_creds_cli.c

@@ -3748,33 +3748,13 @@ static void netlogon_creds_cli_GetForestTrustInformation_locked(struct tevent_re
 		return;
 	}
 
-	if (state->auth_type == DCERPC_AUTH_TYPE_SCHANNEL) {
-		switch (state->auth_level) {
-		case DCERPC_AUTH_LEVEL_INTEGRITY:
-		case DCERPC_AUTH_LEVEL_PRIVACY:
-			break;
-		default:
-			tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER_MIX);
+	status = netlogon_creds_cli_check_transport(state->auth_type,
+						    state->auth_level,
+						    state->creds,
+						    DCERPC_AUTH_LEVEL_NONE);
+	if (tevent_req_nterror(req, status)) {
 		return;
 	}
-	} else {
-		uint32_t tmp = state->creds->negotiate_flags;
-
-		if (tmp & NETLOGON_NEG_AUTHENTICATED_RPC) {
-			/*
-			 * if DCERPC_AUTH_TYPE_SCHANNEL is supported
-			 * it should be used, which means
-			 * we had a chance to verify no downgrade
-			 * happened.
-			 *
-			 * This relies on netlogon_creds_cli_check*
-			 * being called before, as first request after
-			 * the DCERPC bind.
-			 */
-			tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER_MIX);
-			return;
-		}
-	}
 
 	/*
 	 * we defer all callbacks in order to cleanup
@@ -4027,33 +4007,13 @@ static void netlogon_creds_cli_SendToSam_locked(struct tevent_req *subreq)
 		return;
 	}
 
-	if (state->auth_type == DCERPC_AUTH_TYPE_SCHANNEL) {
-		switch (state->auth_level) {
-		case DCERPC_AUTH_LEVEL_INTEGRITY:
-		case DCERPC_AUTH_LEVEL_PRIVACY:
-			break;
-		default:
-			tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER_MIX);
+	status = netlogon_creds_cli_check_transport(state->auth_type,
+						    state->auth_level,
+						    state->creds,
+						    DCERPC_AUTH_LEVEL_NONE);
+	if (tevent_req_nterror(req, status)) {
 		return;
 	}
-	} else {
-		uint32_t tmp = state->creds->negotiate_flags;
-
-		if (tmp & NETLOGON_NEG_AUTHENTICATED_RPC) {
-			/*
-			 * if DCERPC_AUTH_TYPE_SCHANNEL is supported
-			 * it should be used, which means
-			 * we had a chance to verify no downgrade
-			 * happened.
-			 *
-			 * This relies on netlogon_creds_cli_check*
-			 * being called before, as first request after
-			 * the DCERPC bind.
-			 */
-			tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER_MIX);
-			return;
-		}
-	}
 
 	/*
 	 * we defer all callbacks in order to cleanup
@@ -4303,33 +4263,13 @@ static void netlogon_creds_cli_LogonGetDomainInfo_locked(struct tevent_req *subr
 		return;
 	}
 
-	if (state->auth_type == DCERPC_AUTH_TYPE_SCHANNEL) {
-		switch (state->auth_level) {
-		case DCERPC_AUTH_LEVEL_INTEGRITY:
-		case DCERPC_AUTH_LEVEL_PRIVACY:
-			break;
-		default:
-			tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER_MIX);
+	status = netlogon_creds_cli_check_transport(state->auth_type,
+						    state->auth_level,
+						    state->creds,
+						    DCERPC_AUTH_LEVEL_NONE);
+	if (tevent_req_nterror(req, status)) {
 		return;
 	}
-	} else {
-		uint32_t tmp = state->creds->negotiate_flags;
-
-		if (tmp & NETLOGON_NEG_AUTHENTICATED_RPC) {
-			/*
-			 * if DCERPC_AUTH_TYPE_SCHANNEL is supported
-			 * it should be used, which means
-			 * we had a chance to verify no downgrade
-			 * happened.
-			 *
-			 * This relies on netlogon_creds_cli_check*
-			 * being called before, as first request after
-			 * the DCERPC bind.
-			 */
-			tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER_MIX);
-			return;
-		}
-	}
 
 	/*
 	 * we defer all callbacks in order to cleanup