From 0b6e37c9e801435e094194dd60d9213b4868c3de Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Mon, 27 May 2019 13:12:14 +0200
Subject: [PATCH] s3:rpc_server:netlogon: simplify AUTH_TYPE_SCHANNEL check in
 netr_creds_server_step_check()

The gensec schannel module already asserts that at least
AUTH_LEVEL_INTEGRITY is used.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13949

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
---
 source3/rpc_server/netlogon/srv_netlog_nt.c | 39 +++------------------
 1 file changed, 4 insertions(+), 35 deletions(-)

diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c
index 8c7b0db77fc..1bc5d62f979 100644
--- a/source3/rpc_server/netlogon/srv_netlog_nt.c
+++ b/source3/rpc_server/netlogon/srv_netlog_nt.c
@@ -1060,36 +1060,6 @@ NTSTATUS _netr_ServerAuthenticate2(struct pipes_struct *p,
 	return _netr_ServerAuthenticate3(p, &a);
 }
 
-/*************************************************************************
- * If schannel is required for this call test that it actually is available.
- *************************************************************************/
-static NTSTATUS schannel_check_required(struct pipe_auth_data *auth_info,
-					const char *computer_name,
-					bool integrity, bool privacy)
-{
-	if (auth_info && auth_info->auth_type == DCERPC_AUTH_TYPE_SCHANNEL) {
-		if (!privacy && !integrity) {
-			return NT_STATUS_OK;
-		}
-
-		if ((!privacy && integrity) &&
-		    auth_info->auth_level == DCERPC_AUTH_LEVEL_INTEGRITY) {
-			return NT_STATUS_OK;
-		}
-
-		if ((privacy || integrity) &&
-		    auth_info->auth_level == DCERPC_AUTH_LEVEL_PRIVACY) {
-			return NT_STATUS_OK;
-		}
-	}
-
-	/* test didn't pass */
-	DEBUG(0, ("schannel_check_required: [%s] is not using schannel\n",
-		  computer_name));
-
-	return NT_STATUS_ACCESS_DENIED;
-}
-
 /*************************************************************************
  *************************************************************************/
 
@@ -1109,11 +1079,10 @@ static NTSTATUS netr_creds_server_step_check(struct pipes_struct *p,
 	}
 
 	if (schannel_global_required) {
-		status = schannel_check_required(&p->auth,
-						 computer_name,
-						 false, false);
-		if (!NT_STATUS_IS_OK(status)) {
-			return status;
+		if (p->auth.auth_type != DCERPC_AUTH_TYPE_SCHANNEL) {
+			DBG_ERR("[%s] is not using schannel\n",
+				computer_name);
+			return NT_STATUS_ACCESS_DENIED;
 		}
 	}
 
-- 
2.47.3