author | Andreas Schneider <asn@samba.org> | 2021-11-18 13:46:26 +0100 |
committer | Stefan Metzmacher <metze@samba.org> | 2021-12-08 09:59:18 +0000 |
commit | 18c7681358775b079d95cc44c4146b715ffb54cd (patch) | |
tree | b6710f96d3efc0c59cdaef8f0a6d8aacb99a61e3 | |
parent | b1f0aa5c22fdf65114540d4bb15ac6980f194abf (diff) | |
libcli:auth: Allow to connect to netlogon server offering only AES
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14912
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Thu Dec 2 14:49:35 UTC 2021 on sn-devel-184
(cherry picked from commit d1ea9c5aaba42447f25a15935a9bf5bbd20f7d93)
-rw-r--r-- | libcli/auth/netlogon_creds_cli.c | 48 | ||||
-rw-r--r-- | selftest/knownfail.d/rpcclient_schannel | 1 |
2 files changed, 38 insertions, 11 deletions
diff --git a/libcli/auth/netlogon_creds_cli.c b/libcli/auth/netlogon_creds_cli.c
index 12cb3149ff6..b23dddc21be 100644
--- a/libcli/auth/netlogon_creds_cli.c
+++ b/libcli/auth/netlogon_creds_cli.c
@@ -504,9 +504,33 @@ enum dcerpc_AuthLevel netlogon_creds_cli_auth_level(
 return context->client.auth_level;
 }
+static bool netlogon_creds_cli_downgraded(uint32_t negotiated_flags,
+ uint32_t proposed_flags,
+ uint32_t required_flags)
+{
+ uint32_t req_flags = required_flags;
+ uint32_t tmp_flags;
+
+ req_flags = required_flags;
+ if ((negotiated_flags & NETLOGON_NEG_SUPPORTS_AES) &&
+ (proposed_flags & NETLOGON_NEG_SUPPORTS_AES))
+ {
+ req_flags &= ~NETLOGON_NEG_ARCFOUR|NETLOGON_NEG_STRONG_KEYS;
+ }
+
+ tmp_flags = negotiated_flags;
+ tmp_flags &= req_flags;
+ if (tmp_flags != req_flags) {
+ return true;
+ }
+
+ return false;
+}
+
 struct netlogon_creds_cli_fetch_state {
 TALLOC_CTX *mem_ctx;
 struct netlogon_creds_CredentialState *creds;
+ uint32_t proposed_flags;
 uint32_t required_flags;
 NTSTATUS status;
 };
@@ -518,7 +542,7 @@ static void netlogon_creds_cli_fetch_parser(TDB_DATA key, TDB_DATA data,
 (struct netlogon_creds_cli_fetch_state *)private_data;
 enum ndr_err_code ndr_err;
 DATA_BLOB blob;
- uint32_t tmp_flags;
+ bool downgraded;
 state->creds = talloc_zero(state->mem_ctx,
 struct netlogon_creds_CredentialState);
@@ -542,9 +566,11 @@ static void netlogon_creds_cli_fetch_parser(TDB_DATA key, TDB_DATA data,
 NDR_PRINT_DEBUG(netlogon_creds_CredentialState, state->creds);
 }
- tmp_flags = state->creds->negotiate_flags;
- tmp_flags &= state->required_flags;
- if (tmp_flags != state->required_flags) {
+ downgraded = netlogon_creds_cli_downgraded(
+ state->creds->negotiate_flags,
+ state->proposed_flags,
+ state->required_flags);
+ if (downgraded) {
 TALLOC_FREE(state->creds);
 state->status = NT_STATUS_DOWNGRADE_DETECTED;
 return;
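Review bot: The mask in `req_flags &= ~NETLOGON_NEG_ARCFOUR|NETLOGON_NEG_STRONG_KEYS;` inside the new netlogon_creds_cli_downgraded() presumably does not do what the hunk intends: `~` binds tighter than `|`, so the right-hand side is `(~NETLOGON_NEG_ARCFOUR) | NETLOGON_NEG_STRONG_KEYS`, which clears only the ARCFOUR bit and leaves NETLOGON_NEG_STRONG_KEYS in the required set. With a required_flags that includes STRONG_KEYS, a server that negotiates AES but not the strong-key bit would still be reported as a downgrade, which appears to be the very case the commit sets out to allow. The line should read `req_flags &= ~(NETLOGON_NEG_ARCFOUR|NETLOGON_NEG_STRONG_KEYS);`. The second `req_flags = required_flags;` after the initialised declaration is redundant and can be dropped, and `tmp_flags` could be folded into `return (negotiated_flags & req_flags) != req_flags;`. A short header comment on the helper stating that AES negotiated on both sides relaxes only the RC4/strong-key requirements, never the AES requirement itself, would help the next reader.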
@@ -815,6 +841,7 @@ static NTSTATUS netlogon_creds_cli_get_internal(
 {
 struct netlogon_creds_cli_fetch_state fstate = {
 .status = NT_STATUS_INTERNAL_ERROR,
+ .proposed_flags = context->client.proposed_flags,
 .required_flags = context->client.required_flags,
 };
 NTSTATUS status;
@@ -1297,7 +1324,7 @@ static void netlogon_creds_cli_auth_srvauth_done(struct tevent_req *subreq)
 enum ndr_err_code ndr_err;
 DATA_BLOB blob;
 TDB_DATA data;
- uint32_t tmp_flags;
+ bool downgraded;
 if (state->try_auth3) {
 status = dcerpc_netr_ServerAuthenticate3_recv(subreq, state,
@@ -1344,9 +1371,11 @@ static void netlogon_creds_cli_auth_srvauth_done(struct tevent_req *subreq)
 return;
 }
- tmp_flags = state->creds->negotiate_flags;
- tmp_flags &= state->context->client.required_flags;
- if (tmp_flags != state->context->client.required_flags) {
+ downgraded = netlogon_creds_cli_downgraded(
+ state->creds->negotiate_flags,
+ state->context->client.proposed_flags,
+ state->context->client.required_flags);
+ if (downgraded) {
 if (NT_STATUS_IS_OK(result)) {
 tevent_req_nterror(req, NT_STATUS_DOWNGRADE_DETECTED);
 return;
@@ -1356,8 +1385,7 @@ static void netlogon_creds_cli_auth_srvauth_done(struct tevent_req *subreq)
 }
 if (NT_STATUS_EQUAL(result, NT_STATUS_ACCESS_DENIED)) {
-
- tmp_flags = state->context->client.proposed_flags;
+ uint32_t tmp_flags = state->context->client.proposed_flags;
 if ((state->current_flags == tmp_flags) &&
 (state->creds->negotiate_flags != tmp_flags)) {
diff --git a/selftest/knownfail.d/rpcclient_schannel b/selftest/knownfail.d/rpcclient_schannel
deleted file mode 100644
index 5498837ee29..00000000000
--- a/selftest/knownfail.d/rpcclient_schannel
+++ /dev/null
@@ -1 +0,0 @@
-^samba.blackbox.rpcclient_schannel.ncacn_np.getusername.fips\(ad_member_fips:local\) |