From d1ea9c5aaba42447f25a15935a9bf5bbd20f7d93 Mon Sep 17 00:00:00 2001 From: Andreas Schneider Date: Thu, 18 Nov 2021 13:46:26 +0100 Subject: [PATCH] libcli:auth: Allow to connect to netlogon server offering only AES BUG: https://bugzilla.samba.org/show_bug.cgi?id=14912 Signed-off-by: Andreas Schneider Reviewed-by: Stefan Metzmacher Autobuild-User(master): Andreas Schneider Autobuild-Date(master): Thu Dec 2 14:49:35 UTC 2021 on sn-devel-184 --- libcli/auth/netlogon_creds_cli.c | 48 +++++++++++++++++++------ selftest/knownfail.d/rpcclient_schannel | 1 - 2 files changed, 38 insertions(+), 11 deletions(-) delete mode 100644 selftest/knownfail.d/rpcclient_schannel diff --git a/libcli/auth/netlogon_creds_cli.c b/libcli/auth/netlogon_creds_cli.c index beab2fae53a..e92a042c012 100644 --- a/libcli/auth/netlogon_creds_cli.c +++ b/libcli/auth/netlogon_creds_cli.c @@ -516,9 +516,33 @@ enum dcerpc_AuthLevel netlogon_creds_cli_auth_level( return context->client.auth_level; } +static bool netlogon_creds_cli_downgraded(uint32_t negotiated_flags, + uint32_t proposed_flags, + uint32_t required_flags) +{ + uint32_t req_flags = required_flags; + uint32_t tmp_flags; + + req_flags = required_flags; + if ((negotiated_flags & NETLOGON_NEG_SUPPORTS_AES) && + (proposed_flags & NETLOGON_NEG_SUPPORTS_AES)) + { + req_flags &= ~NETLOGON_NEG_ARCFOUR|NETLOGON_NEG_STRONG_KEYS; + } + + tmp_flags = negotiated_flags; + tmp_flags &= req_flags; + if (tmp_flags != req_flags) { + return true; + } + + return false; +} + struct netlogon_creds_cli_fetch_state { TALLOC_CTX *mem_ctx; struct netlogon_creds_CredentialState *creds; + uint32_t proposed_flags; uint32_t required_flags; NTSTATUS status; }; @@ -530,7 +554,7 @@ static void netlogon_creds_cli_fetch_parser(TDB_DATA key, TDB_DATA data, (struct netlogon_creds_cli_fetch_state *)private_data; enum ndr_err_code ndr_err; DATA_BLOB blob; - uint32_t tmp_flags; + bool downgraded; state->creds = talloc_zero(state->mem_ctx, struct netlogon_creds_CredentialState); @@ -554,9 +578,11 @@ static void netlogon_creds_cli_fetch_parser(TDB_DATA key, TDB_DATA data, NDR_PRINT_DEBUG(netlogon_creds_CredentialState, state->creds); } - tmp_flags = state->creds->negotiate_flags; - tmp_flags &= state->required_flags; - if (tmp_flags != state->required_flags) { + downgraded = netlogon_creds_cli_downgraded( + state->creds->negotiate_flags, + state->proposed_flags, + state->required_flags); + if (downgraded) { TALLOC_FREE(state->creds); state->status = NT_STATUS_DOWNGRADE_DETECTED; return; @@ -827,6 +853,7 @@ static NTSTATUS netlogon_creds_cli_get_internal( { struct netlogon_creds_cli_fetch_state fstate = { .status = NT_STATUS_INTERNAL_ERROR, + .proposed_flags = context->client.proposed_flags, .required_flags = context->client.required_flags, }; NTSTATUS status; @@ -1309,7 +1336,7 @@ static void netlogon_creds_cli_auth_srvauth_done(struct tevent_req *subreq) enum ndr_err_code ndr_err; DATA_BLOB blob; TDB_DATA data; - uint32_t tmp_flags; + bool downgraded; if (state->try_auth3) { status = dcerpc_netr_ServerAuthenticate3_recv(subreq, state, @@ -1356,9 +1383,11 @@ static void netlogon_creds_cli_auth_srvauth_done(struct tevent_req *subreq) return; } - tmp_flags = state->creds->negotiate_flags; - tmp_flags &= state->context->client.required_flags; - if (tmp_flags != state->context->client.required_flags) { + downgraded = netlogon_creds_cli_downgraded( + state->creds->negotiate_flags, + state->context->client.proposed_flags, + state->context->client.required_flags); + if (downgraded) { if (NT_STATUS_IS_OK(result)) { tevent_req_nterror(req, NT_STATUS_DOWNGRADE_DETECTED); return; @@ -1368,8 +1397,7 @@ static void netlogon_creds_cli_auth_srvauth_done(struct tevent_req *subreq) } if (NT_STATUS_EQUAL(result, NT_STATUS_ACCESS_DENIED)) { - - tmp_flags = state->context->client.proposed_flags; + uint32_t tmp_flags = state->context->client.proposed_flags; if ((state->current_flags == tmp_flags) && (state->creds->negotiate_flags != tmp_flags)) { diff --git a/selftest/knownfail.d/rpcclient_schannel b/selftest/knownfail.d/rpcclient_schannel deleted file mode 100644 index 5498837ee29..00000000000 --- a/selftest/knownfail.d/rpcclient_schannel +++ /dev/null @@ -1 +0,0 @@ -^samba.blackbox.rpcclient_schannel.ncacn_np.getusername.fips\(ad_member_fips:local\)