From b4c9dc3724b5c34661b6986e81af2dc6c191dde9 Mon Sep 17 00:00:00 2001
From: Simo Sorce
Date: Thu, 18 Feb 2010 10:19:09 -0500
Subject: [PATCH] s3:schannel more readable check logic

Make the initial schannel check logic more understandable. Make it easy to define different policies depending on ther caller's security requirements (Integrity/Privacy/Both/None)
---
 libcli/auth/schannel_state_proto.h | 2 --
 libcli/auth/schannel_state_tdb.c | 15 -------------
 source3/rpc_server/srv_netlog_nt.c | 44 +++++++++++++++++++++++++++++++++-----
 3 files changed, 39 insertions(+), 22 deletions(-)

diff --git a/libcli/auth/schannel_state_proto.h b/libcli/auth/schannel_state_proto.h
index c582c3e8b89..d0a071c876d 100644
--- a/libcli/auth/schannel_state_proto.h
+++ b/libcli/auth/schannel_state_proto.h
@@ -36,8 +36,6 @@ NTSTATUS schannel_fetch_session_key_tdb(struct tdb_context *tdb,
 NTSTATUS schannel_creds_server_step_check_tdb(struct tdb_context *tdb,
 TALLOC_CTX *mem_ctx,
 const char *computer_name,
- bool schannel_required_for_call,
- bool schannel_in_use,
 struct netr_Authenticator *received_authenticator,
 struct netr_Authenticator *return_authenticator,
 struct netlogon_creds_CredentialState **creds_out);
diff --git a/libcli/auth/schannel_state_tdb.c b/libcli/auth/schannel_state_tdb.c
index 7ec8b3fdea0..3da7618e2c1 100644
--- a/libcli/auth/schannel_state_tdb.c
+++ b/libcli/auth/schannel_state_tdb.c
@@ -163,8 +163,6 @@ NTSTATUS schannel_fetch_session_key_tdb(struct tdb_context *tdb,
 NTSTATUS schannel_creds_server_step_check_tdb(struct tdb_context *tdb,
 TALLOC_CTX *mem_ctx,
 const char *computer_name,
- bool schannel_required_for_call,
- bool schannel_in_use,
 struct netr_Authenticator *received_authenticator,
 struct netr_Authenticator *return_authenticator,
 struct netlogon_creds_CredentialState **creds_out)
@@ -185,19 +183,6 @@ NTSTATUS schannel_creds_server_step_check_tdb(struct tdb_context *tdb,
 status = schannel_fetch_session_key_tdb(tdb, mem_ctx, computer_name, &creds);
- /* If we are flaged that schannel is required for a call, and
- * it is not in use, then make this an error */
-
- /* It would be good to make this mandatory once schannel is
- * negotiated, but this is not what windows does */
- if (schannel_required_for_call && !schannel_in_use) {
- DEBUG(0,("schannel_creds_server_step_check_tdb: "
- "client %s not using schannel for netlogon, despite negotiating it\n",
- creds->computer_name ));
- tdb_transaction_cancel(tdb);
- return NT_STATUS_ACCESS_DENIED;
- }
-
 if (NT_STATUS_IS_OK(status)) {
 status = netlogon_creds_server_step_check(creds,
 received_authenticator,
diff --git a/source3/rpc_server/srv_netlog_nt.c b/source3/rpc_server/srv_netlog_nt.c
index 71463c28ad8..769936ca200 100644
--- a/source3/rpc_server/srv_netlog_nt.c
+++ b/source3/rpc_server/srv_netlog_nt.c
@@ -766,6 +766,36 @@ NTSTATUS _netr_ServerAuthenticate2(pipes_struct *p,
 }
 /*************************************************************************
+ * If schannel is required for this call test that it actually is available.
+ *************************************************************************/
+static NTSTATUS schannel_check_required(struct pipe_auth_data *auth_info,
+ const char *computer_name,
+ bool integrity, bool privacy)
+{
+ if (auth_info && auth_info->auth_type == PIPE_AUTH_TYPE_SCHANNEL) {
+ if (!privacy && !integrity) {
+ return NT_STATUS_OK;
+ }
+
+ if ((!privacy && integrity) &&
+ auth_info->auth_level == DCERPC_AUTH_LEVEL_INTEGRITY) {
+ return NT_STATUS_OK;
+ }
+
+ if ((privacy || integrity) &&
+ auth_info->auth_level == DCERPC_AUTH_LEVEL_PRIVACY) {
+ return NT_STATUS_OK;
+ }
+ }
+
+ /* test didn't pass */
+ DEBUG(0, ("schannel_check_required: [%s] is not using schannel\n",
+ computer_name));
+
+ return NT_STATUS_ACCESS_DENIED;
+}
+
+/*************************************************************************
 *************************************************************************/
 static NTSTATUS netr_creds_server_step_check(pipes_struct *p,
@@ -778,9 +808,15 @@ static NTSTATUS netr_creds_server_step_check(pipes_struct *p,
 NTSTATUS status;
 struct tdb_context *tdb;
 bool schannel_global_required = (lp_server_schannel() == true) ? true:false;
- bool schannel_in_use = (p->auth.auth_type == PIPE_AUTH_TYPE_SCHANNEL) ? true:false; /* &&
- (p->auth.auth_level == DCERPC_AUTH_LEVEL_INTEGRITY ||
- p->auth.auth_level == DCERPC_AUTH_LEVEL_PRIVACY); */
+
+ if (schannel_global_required) {
+ status = schannel_check_required(&p->auth,
+ computer_name,
+ false, false);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+ }
 tdb = open_schannel_session_store(mem_ctx);
 if (!tdb) {
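Review bot: The denial path in schannel_check_required logs `[%s] is not using schannel` for every failed test, but under the integrity or privacy policy a caller can be on a schannel binding and still be refused because its auth_level is too low, so that message would misdescribe those denials to whoever reads the log. Consider reporting what was required, e.g. `DEBUG(0, ("schannel_check_required: [%s] is not using schannel at the required auth level (integrity=%d privacy=%d)\n", computer_name, integrity, privacy));`. The header comment could also spell out the policy matrix the branches implement: with neither flag set any auth_level is accepted as long as auth_type is schannel, integrity alone accepts DCERPC_AUTH_LEVEL_INTEGRITY or DCERPC_AUTH_LEVEL_PRIVACY, and privacy accepts only DCERPC_AUTH_LEVEL_PRIVACY. As a point of style, once the first branch has returned `(privacy || integrity)` is always true and `(!privacy && integrity)` reduces to `!privacy`, so the two remaining tests would read more clearly as a single required-level comparison.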
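Review bot: The new call passes `false, false`, so with `server schannel` enabled the server still only checks that the binding's auth_type is schannel and accepts any auth_level, which is exactly what the removed `schannel_in_use` line did with its level test commented out; the rationale for that choice, given by the comment this commit deletes from schannel_state_tdb.c ("It would be good to make this mandatory once schannel is negotiated, but this is not what windows does"), no longer appears anywhere in the tree. Suggest carrying it to the call site, e.g. `/* Require only the schannel binding itself: per the old comment in schannel_state_tdb.c windows does not enforce integrity/privacy once schannel is negotiated, hence false, false */`. The rest of netr_creds_server_step_check lies outside the hunk.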
@@ -789,8 +825,6 @@ static NTSTATUS netr_creds_server_step_check(pipes_struct *p,
 status = schannel_creds_server_step_check_tdb(tdb, mem_ctx, computer_name,
- schannel_global_required,
- schannel_in_use,
 received_authenticator,
 return_authenticator,
 creds_out);
--
2.11.4.GIT