/*************************************************************************
*************************************************************************/
-static NTSTATUS netr_creds_server_step_check(struct pipes_struct *p,
- TALLOC_CTX *mem_ctx,
- const char *computer_name,
- struct netr_Authenticator *received_authenticator,
- struct netr_Authenticator *return_authenticator,
- struct netlogon_creds_CredentialState **creds_out)
+static NTSTATUS netr_check_schannel(struct pipes_struct *p,
+ const struct netlogon_creds_CredentialState *creds,
+ enum dcerpc_AuthType auth_type,
+ enum dcerpc_AuthLevel auth_level,
+ uint16_t opnum)
{
TALLOC_CTX *frame = talloc_stackframe();
NTSTATUS status;
bool schannel_global_required = (lp_server_schannel() == true) ? true:false;
bool schannel_required = schannel_global_required;
const char *explicit_opt = NULL;
- struct loadparm_context *lp_ctx;
- struct netlogon_creds_CredentialState *creds = NULL;
- int CVE_2020_1472_warn_level = DBGLVL_ERR;
- int CVE_2020_1472_error_level = DBGLVL_ERR;
+ int CVE_2020_1472_warn_level = lp_parm_int(GLOBAL_SECTION_SNUM,
+ "CVE_2020_1472", "warn_about_unused_debug_level", DBGLVL_ERR);
+ int CVE_2020_1472_error_level = lp_parm_int(GLOBAL_SECTION_SNUM,
+ "CVE_2020_1472", "error_debug_level", DBGLVL_ERR);
unsigned int dbg_lvl = DBGLVL_DEBUG;
- enum dcerpc_AuthType auth_type = DCERPC_AUTH_TYPE_NONE;
- enum dcerpc_AuthLevel auth_level = DCERPC_AUTH_LEVEL_NONE;
- uint16_t opnum = p->opnum;
const char *opname = "<unknown>";
const char *reason = "<unknown>";
static bool warned_global_once = false;
- if (creds_out != NULL) {
- *creds_out = NULL;
- }
-
if (opnum < ndr_table_netlogon.num_calls) {
opname = ndr_table_netlogon.calls[opnum].name;
}
- auth_type = p->auth.auth_type;
- auth_level = p->auth.auth_level;
-
- lp_ctx = loadparm_init_s3(frame, loadparm_s3_helpers());
- if (lp_ctx == NULL) {
- DEBUG(0, ("loadparm_init_s3 failed\n"));
- TALLOC_FREE(frame);
- return NT_STATUS_INTERNAL_ERROR;
- }
-
- CVE_2020_1472_warn_level = lpcfg_parm_int(lp_ctx, NULL,
- "CVE_2020_1472", "warn_about_unused_debug_level", DBGLVL_ERR);
- CVE_2020_1472_error_level = lpcfg_parm_int(lp_ctx, NULL,
- "CVE_2020_1472", "error_debug_level", DBGLVL_ERR);
-
if (auth_type == DCERPC_AUTH_TYPE_SCHANNEL) {
if (auth_level == DCERPC_AUTH_LEVEL_PRIVACY) {
reason = "WITH SEALED";
reason = "WITHOUT";
}
- status = schannel_check_creds_state(mem_ctx, lp_ctx,
- computer_name, received_authenticator,
- return_authenticator, &creds);
- if (!NT_STATUS_IS_OK(status)) {
- ZERO_STRUCTP(return_authenticator);
- TALLOC_FREE(frame);
- return status;
- }
-
/*
* We don't use lp_parm_bool(), as we
* need the explicit_opt pointer in order to
log_escape(frame, creds->computer_name)));
}
- *creds_out = creds;
TALLOC_FREE(frame);
return status;
}
"might be needed for a legacy client.\n",
log_escape(frame, creds->account_name)));
}
- TALLOC_FREE(creds);
- ZERO_STRUCTP(return_authenticator);
TALLOC_FREE(frame);
return status;
}
log_escape(frame, creds->computer_name)));
}
- *creds_out = creds;
TALLOC_FREE(frame);
return NT_STATUS_OK;
}
+static NTSTATUS netr_creds_server_step_check(struct pipes_struct *p,
+ TALLOC_CTX *mem_ctx,
+ const char *computer_name,
+ struct netr_Authenticator *received_authenticator,
+ struct netr_Authenticator *return_authenticator,
+ struct netlogon_creds_CredentialState **creds_out)
+{
+ struct loadparm_context *lp_ctx = NULL;
+ NTSTATUS status;
+ struct netlogon_creds_CredentialState *creds = NULL;
+ enum dcerpc_AuthType auth_type = DCERPC_AUTH_TYPE_NONE;
+ enum dcerpc_AuthLevel auth_level = DCERPC_AUTH_LEVEL_NONE;
+ uint16_t opnum = p->opnum;
+
+ if (creds_out != NULL) {
+ *creds_out = NULL;
+ }
+
+ auth_type = p->auth.auth_type;
+ auth_level = p->auth.auth_level;
+
+ lp_ctx = loadparm_init_s3(mem_ctx, loadparm_s3_helpers());
+ if (lp_ctx == NULL) {
+ DEBUG(0, ("loadparm_init_s3 failed\n"));
+ return NT_STATUS_INTERNAL_ERROR;
+ }
+
+ status = schannel_check_creds_state(mem_ctx,
+ lp_ctx,
+ computer_name,
+ received_authenticator,
+ return_authenticator,
+ &creds);
+ TALLOC_FREE(lp_ctx);
+ if (!NT_STATUS_IS_OK(status)) {
+ ZERO_STRUCTP(return_authenticator);
+ return status;
+ }
+
+ status = netr_check_schannel(p,
+ creds,
+ auth_type,
+ auth_level,
+ opnum);
+ if (!NT_STATUS_IS_OK(status)) {
+ TALLOC_FREE(creds);
+ ZERO_STRUCTP(return_authenticator);
+ return status;
+ }
+
+ *creds_out = creds;
+ return NT_STATUS_OK;
+}
/*************************************************************************
*************************************************************************/