mirror of
https://github.com/samba-team/samba.git
synced 2024-12-22 13:34:15 +03:00
libcli:auth: Allow to connect to netlogon server offering only AES
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14912 Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org> Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org> Autobuild-Date(master): Thu Dec 2 14:49:35 UTC 2021 on sn-devel-184
This commit is contained in:
parent
6bf3a39b11
commit
d1ea9c5aab
@ -516,9 +516,33 @@ enum dcerpc_AuthLevel netlogon_creds_cli_auth_level(
|
||||
return context->client.auth_level;
|
||||
}
|
||||
|
||||
static bool netlogon_creds_cli_downgraded(uint32_t negotiated_flags,
|
||||
uint32_t proposed_flags,
|
||||
uint32_t required_flags)
|
||||
{
|
||||
uint32_t req_flags = required_flags;
|
||||
uint32_t tmp_flags;
|
||||
|
||||
req_flags = required_flags;
|
||||
if ((negotiated_flags & NETLOGON_NEG_SUPPORTS_AES) &&
|
||||
(proposed_flags & NETLOGON_NEG_SUPPORTS_AES))
|
||||
{
|
||||
req_flags &= ~NETLOGON_NEG_ARCFOUR|NETLOGON_NEG_STRONG_KEYS;
|
||||
}
|
||||
|
||||
tmp_flags = negotiated_flags;
|
||||
tmp_flags &= req_flags;
|
||||
if (tmp_flags != req_flags) {
|
||||
return true;
|
||||
}
|
||||
|
||||
return false;
|
||||
}
|
||||
|
||||
struct netlogon_creds_cli_fetch_state {
|
||||
TALLOC_CTX *mem_ctx;
|
||||
struct netlogon_creds_CredentialState *creds;
|
||||
uint32_t proposed_flags;
|
||||
uint32_t required_flags;
|
||||
NTSTATUS status;
|
||||
};
|
||||
@ -530,7 +554,7 @@ static void netlogon_creds_cli_fetch_parser(TDB_DATA key, TDB_DATA data,
|
||||
(struct netlogon_creds_cli_fetch_state *)private_data;
|
||||
enum ndr_err_code ndr_err;
|
||||
DATA_BLOB blob;
|
||||
uint32_t tmp_flags;
|
||||
bool downgraded;
|
||||
|
||||
state->creds = talloc_zero(state->mem_ctx,
|
||||
struct netlogon_creds_CredentialState);
|
||||
@ -554,9 +578,11 @@ static void netlogon_creds_cli_fetch_parser(TDB_DATA key, TDB_DATA data,
|
||||
NDR_PRINT_DEBUG(netlogon_creds_CredentialState, state->creds);
|
||||
}
|
||||
|
||||
tmp_flags = state->creds->negotiate_flags;
|
||||
tmp_flags &= state->required_flags;
|
||||
if (tmp_flags != state->required_flags) {
|
||||
downgraded = netlogon_creds_cli_downgraded(
|
||||
state->creds->negotiate_flags,
|
||||
state->proposed_flags,
|
||||
state->required_flags);
|
||||
if (downgraded) {
|
||||
TALLOC_FREE(state->creds);
|
||||
state->status = NT_STATUS_DOWNGRADE_DETECTED;
|
||||
return;
|
||||
@ -827,6 +853,7 @@ static NTSTATUS netlogon_creds_cli_get_internal(
|
||||
{
|
||||
struct netlogon_creds_cli_fetch_state fstate = {
|
||||
.status = NT_STATUS_INTERNAL_ERROR,
|
||||
.proposed_flags = context->client.proposed_flags,
|
||||
.required_flags = context->client.required_flags,
|
||||
};
|
||||
NTSTATUS status;
|
||||
@ -1309,7 +1336,7 @@ static void netlogon_creds_cli_auth_srvauth_done(struct tevent_req *subreq)
|
||||
enum ndr_err_code ndr_err;
|
||||
DATA_BLOB blob;
|
||||
TDB_DATA data;
|
||||
uint32_t tmp_flags;
|
||||
bool downgraded;
|
||||
|
||||
if (state->try_auth3) {
|
||||
status = dcerpc_netr_ServerAuthenticate3_recv(subreq, state,
|
||||
@ -1356,9 +1383,11 @@ static void netlogon_creds_cli_auth_srvauth_done(struct tevent_req *subreq)
|
||||
return;
|
||||
}
|
||||
|
||||
tmp_flags = state->creds->negotiate_flags;
|
||||
tmp_flags &= state->context->client.required_flags;
|
||||
if (tmp_flags != state->context->client.required_flags) {
|
||||
downgraded = netlogon_creds_cli_downgraded(
|
||||
state->creds->negotiate_flags,
|
||||
state->context->client.proposed_flags,
|
||||
state->context->client.required_flags);
|
||||
if (downgraded) {
|
||||
if (NT_STATUS_IS_OK(result)) {
|
||||
tevent_req_nterror(req, NT_STATUS_DOWNGRADE_DETECTED);
|
||||
return;
|
||||
@ -1368,8 +1397,7 @@ static void netlogon_creds_cli_auth_srvauth_done(struct tevent_req *subreq)
|
||||
}
|
||||
|
||||
if (NT_STATUS_EQUAL(result, NT_STATUS_ACCESS_DENIED)) {
|
||||
|
||||
tmp_flags = state->context->client.proposed_flags;
|
||||
uint32_t tmp_flags = state->context->client.proposed_flags;
|
||||
if ((state->current_flags == tmp_flags) &&
|
||||
(state->creds->negotiate_flags != tmp_flags))
|
||||
{
|
||||
|
@ -1 +0,0 @@
|
||||
^samba.blackbox.rpcclient_schannel.ncacn_np.getusername.fips\(ad_member_fips:local\)
|
Loading…
Reference in New Issue
Block a user