SQ uint32_t negotiated = state->tmp_creds.negotiate_flags; comments
authorStefan Metzmacher <metze@samba.org>
Mon, 23 Dec 2013 09:56:34 +0000 (10:56 +0100)
committerStefan Metzmacher <metze@samba.org>
Mon, 23 Dec 2013 10:01:50 +0000 (11:01 +0100)
libcli/auth/netlogon_creds_cli.c

index 4f22a3a04e0ea10baf66fddfad758097ace4b82a..17240640ca83578f45a2936e468f332c7ba8df56 100644 (file)
@@ -1537,9 +1537,13 @@ static void netlogon_creds_cli_check_caps(struct tevent_req *subreq)
                                                       &result);
        TALLOC_FREE(subreq);
        if (NT_STATUS_EQUAL(status, NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE)) {
-               uint32_t tmp = state->tmp_creds.negotiate_flags;
+               /*
+                * Note that the negotiated flags are already checked
+                * for our required flags after the ServerAuthenticate3/2 call.
+                */
+               uint32_t negotiated = state->tmp_creds.negotiate_flags;
 
-               if (tmp & NETLOGON_NEG_SUPPORTS_AES) {
+               if (negotiated & NETLOGON_NEG_SUPPORTS_AES) {
                        /*
                         * If we have negotiated NETLOGON_NEG_SUPPORTS_AES
                         * already, we expect this to work!
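Review bot: The new comment above `uint32_t negotiated = state->tmp_creds.negotiate_flags;` rests on a check made elsewhere ("after the ServerAuthenticate3/2 call") but does not name the function that performs it. A reader auditing this branch therefore cannot confirm the invariant the downgrade logic depends on; adding a pointer such as `* (see <function that validates the required flags>)` would close that gap. The same comment and local are repeated verbatim in the `NT_STATUS_NOT_IMPLEMENTED` branch of the third hunk. Reading the flags once before both branches would remove the duplication, though the function starts outside this hunk, so I cannot tell whether that fits its layout.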
@@ -1550,8 +1554,12 @@ static void netlogon_creds_cli_check_caps(struct tevent_req *subreq)
                        return;
                }
 
-               if (tmp & NETLOGON_NEG_STRONG_KEYS) {
+               if (negotiated & NETLOGON_NEG_STRONG_KEYS) {
                        /*
+                        * If we have negotiated NETLOGON_NEG_STRONG_KEYS
+                        * we expect this to work at least as far as the
+                        * NOT_SUPPORTED error handled below!
+                        *
                         * NT 4.0 and Old Samba servers are not
                         * allowed without "require strong key = no"
                         */
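Review bot: The added comment refers to "the NOT_SUPPORTED error handled below", but the status checked further down in the visible code is `NT_STATUS_NOT_IMPLEMENTED` (third hunk). The comment in the final hunk has the same mismatch: it says "rather than NOT_SUPPORTED" and then "failed with NOT_IMPLEMENTED". Unless a separate NOT_SUPPORTED check exists in lines not shown here, both comments should use the real status name, e.g. `* NT_STATUS_NOT_IMPLEMENTED error handled below!` here and `* get OK here (rather than NT_STATUS_NOT_IMPLEMENTED), then the server` in the last hunk. These comments document the downgrade-detection reasoning, so the exact status name matters to anyone auditing it.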
@@ -1584,9 +1592,13 @@ static void netlogon_creds_cli_check_caps(struct tevent_req *subreq)
        }
 
        if (NT_STATUS_EQUAL(result, NT_STATUS_NOT_IMPLEMENTED)) {
-               uint32_t tmp = state->tmp_creds.negotiate_flags;
+               /*
+                * Note that the negotiated flags are already checked
+                * for our required flags after the ServerAuthenticate3/2 call.
+                */
+               uint32_t negotiated = state->tmp_creds.negotiate_flags;
 
-               if (tmp & NETLOGON_NEG_SUPPORTS_AES) {
+               if (negotiated & NETLOGON_NEG_SUPPORTS_AES) {
                        /*
                         * If we have negotiated NETLOGON_NEG_SUPPORTS_AES
                         * already, we expect this to work!
@@ -1631,6 +1643,14 @@ static void netlogon_creds_cli_check_caps(struct tevent_req *subreq)
                return;
        }
 
+       /*
+        * This is the key check that makes this check secure.  If we
+        * get OK here (rather than NOT_SUPPORTED), then the server
+        * did support AES. If the server only proposed STRONG_KEYS
+        * and not AES, then it should have failed with
+        * NOT_IMPLEMENTED. We always send AES as a client, so the
+        * server should always have returned it.
+        */
        if (!(state->caps.server_capabilities & NETLOGON_NEG_SUPPORTS_AES)) {
                status = NT_STATUS_DOWNGRADE_DETECTED;
                tevent_req_nterror(req, status);