return context->client.auth_level;
}
+static bool netlogon_creds_cli_downgraded(uint32_t negotiated_flags,
+ uint32_t proposed_flags,
+ uint32_t required_flags)
+{
+ uint32_t req_flags = required_flags;
+ uint32_t tmp_flags;
+
+ req_flags = required_flags;
+ if ((negotiated_flags & NETLOGON_NEG_SUPPORTS_AES) &&
+ (proposed_flags & NETLOGON_NEG_SUPPORTS_AES))
+ {
+ req_flags &= ~NETLOGON_NEG_ARCFOUR|NETLOGON_NEG_STRONG_KEYS;
+ }
+
+ tmp_flags = negotiated_flags;
+ tmp_flags &= req_flags;
+ if (tmp_flags != req_flags) {
+ return true;
+ }
+
+ return false;
+}
+
struct netlogon_creds_cli_fetch_state {
TALLOC_CTX *mem_ctx;
struct netlogon_creds_CredentialState *creds;
+ uint32_t proposed_flags;
uint32_t required_flags;
NTSTATUS status;
};
(struct netlogon_creds_cli_fetch_state *)private_data;
enum ndr_err_code ndr_err;
DATA_BLOB blob;
- uint32_t tmp_flags;
+ bool downgraded;
state->creds = talloc_zero(state->mem_ctx,
struct netlogon_creds_CredentialState);
NDR_PRINT_DEBUG(netlogon_creds_CredentialState, state->creds);
}
- tmp_flags = state->creds->negotiate_flags;
- tmp_flags &= state->required_flags;
- if (tmp_flags != state->required_flags) {
+ downgraded = netlogon_creds_cli_downgraded(
+ state->creds->negotiate_flags,
+ state->proposed_flags,
+ state->required_flags);
+ if (downgraded) {
TALLOC_FREE(state->creds);
state->status = NT_STATUS_DOWNGRADE_DETECTED;
return;
{
struct netlogon_creds_cli_fetch_state fstate = {
.status = NT_STATUS_INTERNAL_ERROR,
+ .proposed_flags = context->client.proposed_flags,
.required_flags = context->client.required_flags,
};
NTSTATUS status;
enum ndr_err_code ndr_err;
DATA_BLOB blob;
TDB_DATA data;
- uint32_t tmp_flags;
+ bool downgraded;
if (state->try_auth3) {
status = dcerpc_netr_ServerAuthenticate3_recv(subreq, state,
return;
}
- tmp_flags = state->creds->negotiate_flags;
- tmp_flags &= state->context->client.required_flags;
- if (tmp_flags != state->context->client.required_flags) {
+ downgraded = netlogon_creds_cli_downgraded(
+ state->creds->negotiate_flags,
+ state->context->client.proposed_flags,
+ state->context->client.required_flags);
+ if (downgraded) {
if (NT_STATUS_IS_OK(result)) {
tevent_req_nterror(req, NT_STATUS_DOWNGRADE_DETECTED);
return;
}
if (NT_STATUS_EQUAL(result, NT_STATUS_ACCESS_DENIED)) {
-
- tmp_flags = state->context->client.proposed_flags;
+ uint32_t tmp_flags = state->context->client.proposed_flags;
if ((state->current_flags == tmp_flags) &&
(state->creds->negotiate_flags != tmp_flags))
{