repl: Give an error if we get a secret when not expecting one

We should never get a secret from a server when we specify DRSUAPI_DRS_SPECIAL_SECRET_PROCESSING

This asserts that this is the case.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>

2 files changed, 7 insertions, 0 deletions

diff --git a/libcli/drsuapi/drsuapi.h b/libcli/drsuapi/drsuapi.h
index a4fb15fa49d..7c6cf2f69fb 100644
--- a/libcli/drsuapi/drsuapi.h
+++ b/libcli/drsuapi/drsuapi.h
@@ -29,6 +29,7 @@ WERROR drsuapi_decrypt_attribute_value(TALLOC_CTX *mem_ctx,
 WERROR drsuapi_decrypt_attribute(TALLOC_CTX *mem_ctx, 
 				 const DATA_BLOB *gensec_skey,
 				 uint32_t rid,
+				 uint32_t dsdb_repl_flags,
 				 struct drsuapi_DsReplicaAttribute *attr);
 
 
diff --git a/libcli/drsuapi/repl_decrypt.c b/libcli/drsuapi/repl_decrypt.c
index 00b8db8abc0..4a2a28f27ff 100644
--- a/libcli/drsuapi/repl_decrypt.c
+++ b/libcli/drsuapi/repl_decrypt.c
@@ -28,6 +28,7 @@
 #include "../lib/crypto/crypto.h"
 #include "../libcli/drsuapi/drsuapi.h"
 #include "libcli/auth/libcli_auth.h"
+#include "dsdb/samdb/samdb.h"
 
 WERROR drsuapi_decrypt_attribute_value(TALLOC_CTX *mem_ctx,
 				       const DATA_BLOB *gensec_skey,
@@ -134,6 +135,7 @@ WERROR drsuapi_decrypt_attribute_value(TALLOC_CTX *mem_ctx,
 WERROR drsuapi_decrypt_attribute(TALLOC_CTX *mem_ctx, 
 				 const DATA_BLOB *gensec_skey,
 				 uint32_t rid,
+				 uint32_t dsdb_repl_flags,
 				 struct drsuapi_DsReplicaAttribute *attr)
 {
 	WERROR status;
@@ -164,6 +166,10 @@ WERROR drsuapi_decrypt_attribute(TALLOC_CTX *mem_ctx,
 		return WERR_OK;
 	}
 
+	if (dsdb_repl_flags & DSDB_REPL_FLAG_EXPECT_NO_SECRETS) {
+		return WERR_TOO_MANY_SECRETS;
+	}
+
 	if (attr->value_ctr.num_values > 1) {
 		return WERR_DS_DRA_INVALID_PARAMETER;
 	}