From e7c7a911302fa6c3df70303a529e0ba362f9e838 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Fri, 23 Dec 2011 15:22:06 +0100 Subject: s4:librpc/rpc/dcerpc_schannel: rework downgrade logic MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit metze Signed-off-by: Günther Deschner --- source4/librpc/rpc/dcerpc_schannel.c | 43 +++++++++++++++++++++++++++++++----- 1 file changed, 38 insertions(+), 5 deletions(-) diff --git a/source4/librpc/rpc/dcerpc_schannel.c b/source4/librpc/rpc/dcerpc_schannel.c index 335c34ca35..1655e6bad0 100644 --- a/source4/librpc/rpc/dcerpc_schannel.c +++ b/source4/librpc/rpc/dcerpc_schannel.c @@ -221,15 +221,48 @@ static void continue_srv_auth2(struct tevent_req *subreq) TALLOC_FREE(subreq); if (!composite_is_ok(c)) return; + if (!NT_STATUS_EQUAL(s->a.out.result, NT_STATUS_ACCESS_DENIED) && + !NT_STATUS_IS_OK(s->a.out.result)) { + composite_error(c, s->a.out.result); + return; + } + /* * Strong keys could be unsupported (NT4) or disables. So retry with the * flags returned by the server. - asn */ - if (NT_STATUS_EQUAL(s->a.out.result, NT_STATUS_ACCESS_DENIED) && - s->dcerpc_schannel_auto && - (s->local_negotiate_flags & NETLOGON_NEG_STRONG_KEYS)) { - DEBUG(3, ("Server doesn't support strong keys, " - "downgrade and retry!\n")); + if (NT_STATUS_EQUAL(s->a.out.result, NT_STATUS_ACCESS_DENIED)) { + uint32_t lf = s->local_negotiate_flags; + const char *ln = NULL; + uint32_t rf = s->remote_negotiate_flags; + const char *rn = NULL; + + if (!s->dcerpc_schannel_auto) { + composite_error(c, s->a.out.result); + return; + } + s->dcerpc_schannel_auto = false; + + if (lf & NETLOGON_NEG_STRONG_KEYS) { + ln = "strong"; + if (rf & NETLOGON_NEG_STRONG_KEYS) { + composite_error(c, s->a.out.result); + return; + } + } else { + ln = "des"; + } + + if (rf & NETLOGON_NEG_STRONG_KEYS) { + rn = "strong"; + } else { + rn = "des"; + } + + DEBUG(3, ("Server doesn't support %s keys, downgrade to %s" + "and retry! local[0x%08X] remote[0x%08X]\n", + ln, rn, lf, rf)); + s->local_negotiate_flags = s->remote_negotiate_flags; generate_random_buffer(s->credentials1.data, -- cgit