return status;
}
+static NTSTATUS netlogon_creds_cli_check_transport(
+ enum dcerpc_AuthType auth_type,
+ enum dcerpc_AuthLevel auth_level,
+ const struct netlogon_creds_CredentialState *creds,
+ enum dcerpc_AuthLevel min_auth_level)
+{
+ if (auth_level < min_auth_level) {
+ return NT_STATUS_INVALID_PARAMETER_MIX;
+ }
+
+ if (creds == NULL) {
+ return NT_STATUS_INVALID_PARAMETER_MIX;
+ }
+
+ if (auth_type == DCERPC_AUTH_TYPE_SCHANNEL) {
+ switch (auth_level) {
+ case DCERPC_AUTH_LEVEL_INTEGRITY:
+ case DCERPC_AUTH_LEVEL_PRIVACY:
+ return NT_STATUS_OK;
+ default:
+ break;
+ }
+
+ return NT_STATUS_INVALID_PARAMETER_MIX;
+ }
+
+ if (creds->negotiate_flags & NETLOGON_NEG_AUTHENTICATED_RPC) {
+ /*
+ * if DCERPC_AUTH_TYPE_SCHANNEL is supported
+ * it should be used, which means
+ * we had a chance to verify no downgrade
+ * happened.
+ *
+ * This relies on netlogon_creds_cli_check*
+ * being called before, as first request after
+ * the DCERPC bind.
+ */
+ return NT_STATUS_INVALID_PARAMETER_MIX;
+ }
+
+ return NT_STATUS_OK;
+}
+
struct netlogon_creds_cli_auth_state {
struct tevent_context *ev;
struct netlogon_creds_cli_context *context;
&state->auth_type,
&state->auth_level);
- if (state->auth_type != DCERPC_AUTH_TYPE_SCHANNEL) {
- tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER_MIX);
- return tevent_req_post(req, ev);
- }
-
- switch (state->auth_level) {
- case DCERPC_AUTH_LEVEL_INTEGRITY:
- case DCERPC_AUTH_LEVEL_PRIVACY:
- break;
- default:
- tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER_MIX);
+ status = netlogon_creds_cli_check_transport(state->auth_type,
+ state->auth_level,
+ state->creds,
+ DCERPC_AUTH_LEVEL_INTEGRITY);
+ if (tevent_req_nterror(req, status)) {
return tevent_req_post(req, ev);
}
return;
}
- if (state->auth_type == DCERPC_AUTH_TYPE_SCHANNEL) {
- switch (state->auth_level) {
- case DCERPC_AUTH_LEVEL_INTEGRITY:
- case DCERPC_AUTH_LEVEL_PRIVACY:
- break;
- default:
- tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER_MIX);
- return;
- }
- } else {
- uint32_t tmp = state->creds->negotiate_flags;
-
- if (tmp & NETLOGON_NEG_AUTHENTICATED_RPC) {
- /*
- * if DCERPC_AUTH_TYPE_SCHANNEL is supported
- * it should be used, which means
- * we had a chance to verify no downgrade
- * happened.
- *
- * This relies on netlogon_creds_cli_check*
- * being called before, as first request after
- * the DCERPC bind.
- */
- tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER_MIX);
- return;
- }
+ status = netlogon_creds_cli_check_transport(state->auth_type,
+ state->auth_level,
+ state->creds,
+ DCERPC_AUTH_LEVEL_NONE);
+ if (tevent_req_nterror(req, status)) {
+ return;
}
state->old_timeout = dcerpc_binding_handle_set_timeout(
return;
}
- if (state->auth_type == DCERPC_AUTH_TYPE_SCHANNEL) {
- switch (state->auth_level) {
- case DCERPC_AUTH_LEVEL_INTEGRITY:
- case DCERPC_AUTH_LEVEL_PRIVACY:
- break;
- default:
- tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER_MIX);
- return;
- }
- } else {
- uint32_t tmp = state->creds->negotiate_flags;
-
- if (tmp & NETLOGON_NEG_AUTHENTICATED_RPC) {
- /*
- * if DCERPC_AUTH_TYPE_SCHANNEL is supported
- * it should be used, which means
- * we had a chance to verify no downgrade
- * happened.
- *
- * This relies on netlogon_creds_cli_check*
- * being called before, as first request after
- * the DCERPC bind.
- */
- tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER_MIX);
- return;
- }
+ status = netlogon_creds_cli_check_transport(state->auth_type,
+ state->auth_level,
+ state->creds,
+ DCERPC_AUTH_LEVEL_NONE);
+ if (tevent_req_nterror(req, status)) {
+ return;
}
/*
return;
}
- if (state->auth_type == DCERPC_AUTH_TYPE_SCHANNEL) {
- switch (state->auth_level) {
- case DCERPC_AUTH_LEVEL_PRIVACY:
- break;
- default:
- tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER_MIX);
- return;
- }
- } else {
- tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER_MIX);
+ status = netlogon_creds_cli_check_transport(state->auth_type,
+ state->auth_level,
+ state->creds,
+ DCERPC_AUTH_LEVEL_PRIVACY);
+ if (tevent_req_nterror(req, status)) {
return;
}
projects / thirdparty / samba.git / commitdiff
