libcli/auth: make use of netlogon_creds_cli_check_transport() in more places
authorStefan Metzmacher <metze@samba.org>
Wed, 6 Nov 2024 16:18:58 +0000 (17:18 +0100)
committerJule Anger <janger@samba.org>
Wed, 13 Nov 2024 11:36:37 +0000 (11:36 +0000)
This was somehow missing in commit
7a5ad9f64a905f5744430c6e0796c646baf9432e

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Thu Nov  7 09:14:33 UTC 2024 on atb-devel-224

(cherry picked from commit f340dce6546a22d857cad440f8afaee9815dbdb1)

Autobuild-User(v4-20-test): Jule Anger <janger@samba.org>
Autobuild-Date(v4-20-test): Wed Nov 13 11:36:37 UTC 2024 on atb-devel-224

libcli/auth/netlogon_creds_cli.c

index 19c4a104937fbcdc9dc09747e0f4b2629eee4006..c452623d12e11d1e2d2e543b695ffe86758f2cbd 100644 (file)
@@ -3748,32 +3748,12 @@ static void netlogon_creds_cli_GetForestTrustInformation_locked(struct tevent_re
                return;
        }
 
-       if (state->auth_type == DCERPC_AUTH_TYPE_SCHANNEL) {
-               switch (state->auth_level) {
-               case DCERPC_AUTH_LEVEL_INTEGRITY:
-               case DCERPC_AUTH_LEVEL_PRIVACY:
-                       break;
-               default:
-                       tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER_MIX);
-                       return;
-               }
-       } else {
-               uint32_t tmp = state->creds->negotiate_flags;
-
-               if (tmp & NETLOGON_NEG_AUTHENTICATED_RPC) {
-                       /*
-                        * if DCERPC_AUTH_TYPE_SCHANNEL is supported
-                        * it should be used, which means
-                        * we had a chance to verify no downgrade
-                        * happened.
-                        *
-                        * This relies on netlogon_creds_cli_check*
-                        * being called before, as first request after
-                        * the DCERPC bind.
-                        */
-                       tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER_MIX);
-                       return;
-               }
+       status = netlogon_creds_cli_check_transport(state->auth_type,
+                                                   state->auth_level,
+                                                   state->creds,
+                                                   DCERPC_AUTH_LEVEL_NONE);
+       if (tevent_req_nterror(req, status)) {
+               return;
        }
 
        /*
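Review bot: The call added here passes `DCERPC_AUTH_LEVEL_NONE` with no comment, while the removed block carried the only local explanation of the downgrade protection: a non-SCHANNEL bind is refused when NETLOGON_NEG_AUTHENTICATED_RPC was negotiated, and this relies on netlogon_creds_cli_check* having run as the first request after the DCERPC bind. The helper's body is not part of this diff, so a reader of this function cannot confirm that the fourth argument is a minimum auth level rather than an accepted transport level, nor that the ordering dependency still holds. Assuming the helper keeps the removed logic, I would add above the call something like `/* no extra minimum level here; the helper still enforces schannel integrity/privacy and the AUTHENTICATED_RPC downgrade check */`. The same applies to the identical calls in netlogon_creds_cli_SendToSam_locked and netlogon_creds_cli_LogonGetDomainInfo_locked. The enclosing function and the declaration of `status` lie outside the hunk.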
@@ -4027,32 +4007,12 @@ static void netlogon_creds_cli_SendToSam_locked(struct tevent_req *subreq)
                return;
        }
 
-       if (state->auth_type == DCERPC_AUTH_TYPE_SCHANNEL) {
-               switch (state->auth_level) {
-               case DCERPC_AUTH_LEVEL_INTEGRITY:
-               case DCERPC_AUTH_LEVEL_PRIVACY:
-                       break;
-               default:
-                       tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER_MIX);
-                       return;
-               }
-       } else {
-               uint32_t tmp = state->creds->negotiate_flags;
-
-               if (tmp & NETLOGON_NEG_AUTHENTICATED_RPC) {
-                       /*
-                        * if DCERPC_AUTH_TYPE_SCHANNEL is supported
-                        * it should be used, which means
-                        * we had a chance to verify no downgrade
-                        * happened.
-                        *
-                        * This relies on netlogon_creds_cli_check*
-                        * being called before, as first request after
-                        * the DCERPC bind.
-                        */
-                       tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER_MIX);
-                       return;
-               }
+       status = netlogon_creds_cli_check_transport(state->auth_type,
+                                                   state->auth_level,
+                                                   state->creds,
+                                                   DCERPC_AUTH_LEVEL_NONE);
+       if (tevent_req_nterror(req, status)) {
+               return;
        }
 
        /*
@@ -4303,32 +4263,12 @@ static void netlogon_creds_cli_LogonGetDomainInfo_locked(struct tevent_req *subr
                return;
        }
 
-       if (state->auth_type == DCERPC_AUTH_TYPE_SCHANNEL) {
-               switch (state->auth_level) {
-               case DCERPC_AUTH_LEVEL_INTEGRITY:
-               case DCERPC_AUTH_LEVEL_PRIVACY:
-                       break;
-               default:
-                       tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER_MIX);
-                       return;
-               }
-       } else {
-               uint32_t tmp = state->creds->negotiate_flags;
-
-               if (tmp & NETLOGON_NEG_AUTHENTICATED_RPC) {
-                       /*
-                        * if DCERPC_AUTH_TYPE_SCHANNEL is supported
-                        * it should be used, which means
-                        * we had a chance to verify no downgrade
-                        * happened.
-                        *
-                        * This relies on netlogon_creds_cli_check*
-                        * being called before, as first request after
-                        * the DCERPC bind.
-                        */
-                       tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER_MIX);
-                       return;
-               }
+       status = netlogon_creds_cli_check_transport(state->auth_type,
+                                                   state->auth_level,
+                                                   state->creds,
+                                                   DCERPC_AUTH_LEVEL_NONE);
+       if (tevent_req_nterror(req, status)) {
+               return;
        }
 
        /*