sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2025-01-08 21:18:16 +03:00
Code

libcli/auth: split out netlogon_creds_cli_check_transport()

Browse Source 
This will make it easier to implement netr_ServerAuthenticateKerberos()
later...

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
This commit is contained in:
Stefan Metzmacher 2024-10-29 13:42:06 +01:00 committed by Douglas Bagnall
parent 8edbdd65ef
commit 7a5ad9f64a
1 changed files with 65 additions and 73 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

138
libcli/auth/netlogon_creds_cli.c
View File

@ -1216,6 +1216,49 @@ NTSTATUS netlogon_creds_cli_lck(
return status; return status;
} }
static NTSTATUS netlogon_creds_cli_check_transport(
enum dcerpc_AuthType auth_type,
enum dcerpc_AuthLevel auth_level,
const struct netlogon_creds_CredentialState *creds,
enum dcerpc_AuthLevel min_auth_level)
{
if (auth_level < min_auth_level) {
return NT_STATUS_INVALID_PARAMETER_MIX;
}
if (creds == NULL) {
return NT_STATUS_INVALID_PARAMETER_MIX;
}
if (auth_type == DCERPC_AUTH_TYPE_SCHANNEL) {
switch (auth_level) {
case DCERPC_AUTH_LEVEL_INTEGRITY:
case DCERPC_AUTH_LEVEL_PRIVACY:
return NT_STATUS_OK;
default:
break;
}
return NT_STATUS_INVALID_PARAMETER_MIX;
}
if (creds->negotiate_flags & NETLOGON_NEG_AUTHENTICATED_RPC) {
/*
* if DCERPC_AUTH_TYPE_SCHANNEL is supported
* it should be used, which means
* we had a chance to verify no downgrade
* happened.
*
* This relies on netlogon_creds_cli_check*
* being called before, as first request after
* the DCERPC bind.
*/
return NT_STATUS_INVALID_PARAMETER_MIX;
}
return NT_STATUS_OK;
}
struct netlogon_creds_cli_auth_state { struct netlogon_creds_cli_auth_state {
struct tevent_context *ev; struct tevent_context *ev;
struct netlogon_creds_cli_context *context; struct netlogon_creds_cli_context *context;
@ -1707,17 +1750,11 @@ struct tevent_req *netlogon_creds_cli_check_send(TALLOC_CTX *mem_ctx,
&state->auth_type, &state->auth_type,
&state->auth_level); &state->auth_level);
if (state->auth_type != DCERPC_AUTH_TYPE_SCHANNEL) { status = netlogon_creds_cli_check_transport(state->auth_type,
tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER_MIX); state->auth_level,
return tevent_req_post(req, ev); state->creds,
} DCERPC_AUTH_LEVEL_INTEGRITY);
if (tevent_req_nterror(req, status)) {
switch (state->auth_level) {
case DCERPC_AUTH_LEVEL_INTEGRITY:
case DCERPC_AUTH_LEVEL_PRIVACY:
break;
default:
tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER_MIX);
return tevent_req_post(req, ev); return tevent_req_post(req, ev);
} }
@ -2305,32 +2342,12 @@ static void netlogon_creds_cli_ServerPasswordSet_locked(struct tevent_req *subre
return; return;
} }
if (state->auth_type == DCERPC_AUTH_TYPE_SCHANNEL) { status = netlogon_creds_cli_check_transport(state->auth_type,
switch (state->auth_level) { state->auth_level,
case DCERPC_AUTH_LEVEL_INTEGRITY: state->creds,
case DCERPC_AUTH_LEVEL_PRIVACY: DCERPC_AUTH_LEVEL_NONE);
break; if (tevent_req_nterror(req, status)) {
default: return;
tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER_MIX);
return;
}
} else {
uint32_t tmp = state->creds->negotiate_flags;
if (tmp & NETLOGON_NEG_AUTHENTICATED_RPC) {
/*
* if DCERPC_AUTH_TYPE_SCHANNEL is supported
* it should be used, which means
* we had a chance to verify no downgrade
* happened.
*
* This relies on netlogon_creds_cli_check*
* being called before, as first request after
* the DCERPC bind.
*/
tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER_MIX);
return;
}
} }
state->old_timeout = dcerpc_binding_handle_set_timeout( state->old_timeout = dcerpc_binding_handle_set_timeout(
@ -3196,32 +3213,12 @@ static void netlogon_creds_cli_DsrUpdateReadOnlyServerDnsRecords_locked(struct t
return; return;
} }
if (state->auth_type == DCERPC_AUTH_TYPE_SCHANNEL) { status = netlogon_creds_cli_check_transport(state->auth_type,
switch (state->auth_level) { state->auth_level,
case DCERPC_AUTH_LEVEL_INTEGRITY: state->creds,
case DCERPC_AUTH_LEVEL_PRIVACY: DCERPC_AUTH_LEVEL_NONE);
break; if (tevent_req_nterror(req, status)) {
default: return;
tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER_MIX);
return;
}
} else {
uint32_t tmp = state->creds->negotiate_flags;
if (tmp & NETLOGON_NEG_AUTHENTICATED_RPC) {
/*
* if DCERPC_AUTH_TYPE_SCHANNEL is supported
* it should be used, which means
* we had a chance to verify no downgrade
* happened.
*
* This relies on netlogon_creds_cli_check*
* being called before, as first request after
* the DCERPC bind.
*/
tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER_MIX);
return;
}
} }
/* /*
@ -3465,16 +3462,11 @@ static void netlogon_creds_cli_ServerGetTrustInfo_locked(struct tevent_req *subr
return; return;
} }
if (state->auth_type == DCERPC_AUTH_TYPE_SCHANNEL) { status = netlogon_creds_cli_check_transport(state->auth_type,
switch (state->auth_level) { state->auth_level,
case DCERPC_AUTH_LEVEL_PRIVACY: state->creds,
break; DCERPC_AUTH_LEVEL_PRIVACY);
default: if (tevent_req_nterror(req, status)) {
tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER_MIX);
return;
}
} else {
tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER_MIX);
return; return;
} }