authorStefan Metzmacher <metze@samba.org>2018-11-08 13:05:25 +0100
committerJeremy Allison <jra@samba.org>2019-01-12 03:13:35 +0100
commitcd380d8adad8cea7df8ee2cfb33dab86ba3900b6 (patch)
tree1d0238b19dbf2bc176d0017b59c24de7d889fbaf /source4
parentfc596ef1c733c75e56a4790b70641f7ca8fb9828 (diff)
downloadsamba-cd380d8adad8cea7df8ee2cfb33dab86ba3900b6.tar.gz
s4:rpc_server/netlogon: simplify logic of dcesrv_netr_creds_server_step_check()
It's enough to check the auth_type for DCERPC_AUTH_TYPE_SCHANNEL, there's no need to also check the auth_level for integrity or privacy. The gensec layer already required at least DCERPC_AUTH_LEVEL_INTEGRITY, see schannel_update_internal(). BUG: https://bugzilla.samba.org/show_bug.cgi?id=7113 BUG: https://bugzilla.samba.org/show_bug.cgi?id=11892 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
Diffstat (limited to 'source4')
-rw-r--r--source4/rpc_server/netlogon/dcerpc_netlogon.c41
1 files changed, 4 insertions, 37 deletions
diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c
index b7d174da65f..72b50327c50 100644
--- a/source4/rpc_server/netlogon/dcerpc_netlogon.c
+++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c
@@ -620,38 +620,6 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate2(struct dcesrv_call_state *dce_ca
* The reason we keep 2 copies is that they use different structures to
* represent the auth_info and the decrpc pipes.
*/
-
-/*
- * If schannel is required for this call test that it actually is available.
- */
-static NTSTATUS schannel_check_required(const struct dcesrv_auth *auth_info,
- const char *computer_name,
- bool integrity, bool privacy)
-{
-
- if (auth_info && auth_info->auth_type == DCERPC_AUTH_TYPE_SCHANNEL) {
- if (!privacy && !integrity) {
- return NT_STATUS_OK;
- }
-
- if ((!privacy && integrity) &&
- auth_info->auth_level == DCERPC_AUTH_LEVEL_INTEGRITY) {
- return NT_STATUS_OK;
- }
-
- if ((privacy || integrity) &&
- auth_info->auth_level == DCERPC_AUTH_LEVEL_PRIVACY) {
- return NT_STATUS_OK;
- }
- }
-
- /* test didn't pass */
- DEBUG(0, ("schannel_check_required: [%s] is not using schannel\n",
- computer_name));
-
- return NT_STATUS_ACCESS_DENIED;
-}
-
static NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dce_call,
TALLOC_CTX *mem_ctx,
const char *computer_name,
@@ -664,11 +632,10 @@ static NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dc
bool schannel_global_required = (schannel == true);
if (schannel_global_required) {
- nt_status = schannel_check_required(&dce_call->conn->auth_state,
- computer_name,
- true, false);
- if (!NT_STATUS_IS_OK(nt_status)) {
- return nt_status;
+ if (dce_call->conn->auth_state.auth_type != DCERPC_AUTH_TYPE_SCHANNEL) {
+ DBG_ERR("[%s] is not using schannel\n",
+ computer_name);
+ return NT_STATUS_ACCESS_DENIED;
}
}
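Review bot: The schannel enforcement at `if (dce_call->conn->auth_state.auth_type != DCERPC_AUTH_TYPE_SCHANNEL)` no longer looks at `auth_level`, so it is only correct while the gensec schannel layer keeps refusing anything below DCERPC_AUTH_LEVEL_INTEGRITY. That dependency is stated in the commit message but not in the code. I would record it above the check, for example `/* gensec schannel already requires at least DCERPC_AUTH_LEVEL_INTEGRITY (see schannel_update_internal()), so checking auth_type is sufficient here. */`, so that a later change to the gensec side is reviewed against this caller. Separately, `computer_name` appears to come from the request and is written at error level on every rejection, as the removed helper also did; it is worth confirming it cannot be NULL on this path. The body of dcesrv_netr_creds_server_step_check() starts and continues outside this hunk.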