s4:librpc/rpc: make use of netlogon_creds_client_verify()
authorStefan Metzmacher <metze@samba.org>
Tue, 29 Oct 2024 09:31:52 +0000 (10:31 +0100)
committerJule Anger <janger@samba.org>
Wed, 13 Nov 2024 10:39:12 +0000 (10:39 +0000)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit 132629ee3a9b73d0888d1110e4d0a45ded778e5a)

source4/librpc/rpc/dcerpc_schannel.c

index ca0495c4d472a201af7d14f772f91ff1b047ad7b..8622791fe302a1b68b9442e23862c2c229badce4 100644 (file)
@@ -222,10 +222,17 @@ static void continue_srv_auth2(struct tevent_req *subreq)
 {
        struct composite_context *c;
        struct schannel_key_state *s;
+       enum dcerpc_AuthType auth_type;
+       enum dcerpc_AuthLevel auth_level;
+       NTSTATUS status;
 
        c = tevent_req_callback_data(subreq, struct composite_context);
        s = talloc_get_type(c->private_data, struct schannel_key_state);
 
+       dcerpc_binding_handle_auth_info(s->pipe2->binding_handle,
+                                       &auth_type,
+                                       &auth_level);
+
        /* receive rpc request result - auth2 credentials */ 
        c->status = dcerpc_netr_ServerAuthenticate2_r_recv(subreq, s);
        TALLOC_FREE(subreq);
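Review bot: `auth_type` and `auth_level` are declared without initializers and get their values only from `dcerpc_binding_handle_auth_info()`, which is called as a statement with no result to check, so the later credential verification depends on that helper always writing both out-parameters. Initializing at declaration, e.g. `enum dcerpc_AuthType auth_type = DCERPC_AUTH_TYPE_NONE;` and `enum dcerpc_AuthLevel auth_level = DCERPC_AUTH_LEVEL_NONE;`, would make the default explicit at the call site and keep the values defined if the helper ever returns early. The same declarations appear in continue_get_negotiated_capabilities() and continue_get_client_capabilities(). This function queries `s->pipe2` while the other two query `s->pipe`, so a short comment such as `/* auth info of the connection that carried the netlogon call */` would record that the difference is intentional. The body of continue_srv_auth2() continues outside this hunk.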
@@ -328,8 +335,12 @@ static void continue_srv_auth2(struct tevent_req *subreq)
        }
 
        /* verify credentials */
-       if (!netlogon_creds_client_check(s->creds, s->a.out.return_credentials)) {
-               composite_error(c, NT_STATUS_UNSUCCESSFUL);
+       status = netlogon_creds_client_verify(s->creds,
+                                             s->a.out.return_credentials,
+                                             auth_type,
+                                             auth_level);
+       if (!NT_STATUS_IS_OK(status)) {
+               composite_error(c, status);
                return;
        }
 
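Review bot: The failure branch after `netlogon_creds_client_verify()` passes the status to `composite_error()` without logging, so a server credential that fails verification during secure-channel setup is visible only if the caller reports it. Unless the verify helper already logs (not visible here), consider adding `DBG_WARNING("netlogon_creds_client_verify failed: %s\n", nt_errstr(status));` before `composite_error(c, status);`. Callers now receive whatever status the helper returns instead of the fixed NT_STATUS_UNSUCCESSFUL, so any caller that matches on the old value should be checked. Both remarks apply equally to the verification sites in continue_get_negotiated_capabilities() and continue_get_client_capabilities(). The enclosing function starts and ends outside this hunk.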
@@ -602,11 +613,17 @@ static void continue_get_negotiated_capabilities(struct tevent_req *subreq)
 {
        struct composite_context *c;
        struct auth_schannel_state *s;
+       enum dcerpc_AuthType auth_type;
+       enum dcerpc_AuthLevel auth_level;
        NTSTATUS status;
 
        c = tevent_req_callback_data(subreq, struct composite_context);
        s = talloc_get_type(c->private_data, struct auth_schannel_state);
 
+       dcerpc_binding_handle_auth_info(s->pipe->binding_handle,
+                                       &auth_type,
+                                       &auth_level);
+
        /* receive rpc request result */
        c->status = dcerpc_netr_LogonGetCapabilities_r_recv(subreq, s);
        TALLOC_FREE(subreq);
@@ -642,9 +659,12 @@ static void continue_get_negotiated_capabilities(struct tevent_req *subreq)
        }
 
        /* verify credentials */
-       if (!netlogon_creds_client_check(&s->save_creds_state,
-                                        &s->c.out.return_authenticator->cred)) {
-               composite_error(c, NT_STATUS_UNSUCCESSFUL);
+       status = netlogon_creds_client_verify(&s->save_creds_state,
+                                             &s->c.out.return_authenticator->cred,
+                                             auth_type,
+                                             auth_level);
+       if (!NT_STATUS_IS_OK(status)) {
+               composite_error(c, status);
                return;
        }
 
@@ -705,10 +725,17 @@ static void continue_get_client_capabilities(struct tevent_req *subreq)
 {
        struct composite_context *c;
        struct auth_schannel_state *s;
+       enum dcerpc_AuthType auth_type;
+       enum dcerpc_AuthLevel auth_level;
+       NTSTATUS status;
 
        c = tevent_req_callback_data(subreq, struct composite_context);
        s = talloc_get_type(c->private_data, struct auth_schannel_state);
 
+       dcerpc_binding_handle_auth_info(s->pipe->binding_handle,
+                                       &auth_type,
+                                       &auth_level);
+
        /* receive rpc request result */
        c->status = dcerpc_netr_LogonGetCapabilities_r_recv(subreq, s);
        TALLOC_FREE(subreq);
@@ -743,9 +770,12 @@ static void continue_get_client_capabilities(struct tevent_req *subreq)
        }
 
        /* verify credentials */
-       if (!netlogon_creds_client_check(&s->save_creds_state,
-                                        &s->c.out.return_authenticator->cred)) {
-               composite_error(c, NT_STATUS_UNSUCCESSFUL);
+       status = netlogon_creds_client_verify(&s->save_creds_state,
+                                             &s->c.out.return_authenticator->cred,
+                                             auth_type,
+                                             auth_level);
+       if (!NT_STATUS_IS_OK(status)) {
+               composite_error(c, status);
                return;
        }