From: Stefan Metzmacher Date: Mon, 27 May 2019 11:12:14 +0000 (+0200) Subject: s3:rpc_server:netlogon: simplify AUTH_TYPE_SCHANNEL check in netr_creds_server_step_c... X-Git-Tag: samba-4.9.12~74 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=948b60d21ef70366886e9cde6f6a01548279c38c;p=thirdparty%2Fsamba.git s3:rpc_server:netlogon: simplify AUTH_TYPE_SCHANNEL check in netr_creds_server_step_check() The gensec schannel module already asserts that at least AUTH_LEVEL_INTEGRITY is used. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13949 Signed-off-by: Stefan Metzmacher Reviewed-by: Andreas Schneider (cherry picked from commit 0b6e37c9e801435e094194dd60d9213b4868c3de)
---
diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c
index afe7b25f74d..d799ba4feef 100644
--- a/source3/rpc_server/netlogon/srv_netlog_nt.c
+++ b/source3/rpc_server/netlogon/srv_netlog_nt.c
@@ -1061,36 +1061,6 @@ NTSTATUS _netr_ServerAuthenticate2(struct pipes_struct *p,
 return _netr_ServerAuthenticate3(p, &a);
 }
-/*************************************************************************
- * If schannel is required for this call test that it actually is available.
- *************************************************************************/
-static NTSTATUS schannel_check_required(struct pipe_auth_data *auth_info,
- const char *computer_name,
- bool integrity, bool privacy)
-{
- if (auth_info && auth_info->auth_type == DCERPC_AUTH_TYPE_SCHANNEL) {
- if (!privacy && !integrity) {
- return NT_STATUS_OK;
- }
-
- if ((!privacy && integrity) &&
- auth_info->auth_level == DCERPC_AUTH_LEVEL_INTEGRITY) {
- return NT_STATUS_OK;
- }
-
- if ((privacy || integrity) &&
- auth_info->auth_level == DCERPC_AUTH_LEVEL_PRIVACY) {
- return NT_STATUS_OK;
- }
- }
-
- /* test didn't pass */
- DEBUG(0, ("schannel_check_required: [%s] is not using schannel\n",
- computer_name));
-
- return NT_STATUS_ACCESS_DENIED;
-}
-
 /*************************************************************************
 *************************************************************************/
@@ -1110,11 +1080,10 @@ static NTSTATUS netr_creds_server_step_check(struct pipes_struct *p,
 }
 if (schannel_global_required) {
- status = schannel_check_required(&p->auth,
- computer_name,
- false, false);
- if (!NT_STATUS_IS_OK(status)) {
- return status;
+ if (p->auth.auth_type != DCERPC_AUTH_TYPE_SCHANNEL) {
+ DBG_ERR("[%s] is not using schannel\n",
+ computer_name);
+ return NT_STATUS_ACCESS_DENIED;
 }
 }
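Review bot: The added gate in netr_creds_server_step_check() tests only `p->auth.auth_type != DCERPC_AUTH_TYPE_SCHANNEL` and never `auth_level`, so its safety rests on an invariant enforced elsewhere; per the commit message, that is the gensec schannel module requiring at least integrity. That dependency deserves a comment at the check, for example `/* gensec schannel guarantees >= DCERPC_AUTH_LEVEL_INTEGRITY, so auth_type alone is sufficient */`, so a later change to the gensec module is not made without revisiting this gate. `computer_name` in the `DBG_ERR` line appears to be client-supplied, which is worth keeping in mind where these denial messages feed log parsing or alerting. The function body starts before and continues after the hunk, so how `schannel_global_required` is derived is not visible here.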