The Samba-Bugzilla – Attachment 17040 Details for
Bug 14912
A schannel client incorrectly detects a downgrade connecting to an AES only server
Home
|
New
|
Browse
|
Search
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
[x]
|
Forgot Password
Login:
[x]
[patch]
patch for 4.15
0001-libcli-auth-Allow-to-connect-to-netlogon-server-offe.patch (text/plain), 4.50 KB, created by
Andreas Schneider
on 2021-12-02 15:10:22 UTC
(
hide
)
Description:
patch for 4.15
Filename:
MIME Type:
Creator:
Andreas Schneider
Created:
2021-12-02 15:10:22 UTC
Size:
4.50 KB
patch
obsolete
>From bbe6c2a31ac9ef09ad3bb00a3d483211cf08a489 Mon Sep 17 00:00:00 2001 >From: Andreas Schneider <asn@samba.org> >Date: Thu, 18 Nov 2021 13:46:26 +0100 >Subject: [PATCH] libcli:auth: Allow to connect to netlogon server offering > only AES > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14912 > >Signed-off-by: Andreas Schneider <asn@samba.org> >Reviewed-by: Stefan Metzmacher <metze@samba.org> > >Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org> >Autobuild-Date(master): Thu Dec 2 14:49:35 UTC 2021 on sn-devel-184 > >(cherry picked from commit d1ea9c5aaba42447f25a15935a9bf5bbd20f7d93) >--- > libcli/auth/netlogon_creds_cli.c | 48 +++++++++++++++++++------ > selftest/knownfail.d/rpcclient_schannel | 1 - > 2 files changed, 38 insertions(+), 11 deletions(-) > delete mode 100644 selftest/knownfail.d/rpcclient_schannel > >diff --git a/libcli/auth/netlogon_creds_cli.c b/libcli/auth/netlogon_creds_cli.c >index 12cb3149ff6..b23dddc21be 100644 >--- a/libcli/auth/netlogon_creds_cli.c >+++ b/libcli/auth/netlogon_creds_cli.c >@@ -504,9 +504,33 @@ enum dcerpc_AuthLevel netlogon_creds_cli_auth_level( > return context->client.auth_level; > } > >+static bool netlogon_creds_cli_downgraded(uint32_t negotiated_flags, >+ uint32_t proposed_flags, >+ uint32_t required_flags) >+{ >+ uint32_t req_flags = required_flags; >+ uint32_t tmp_flags; >+ >+ req_flags = required_flags; >+ if ((negotiated_flags & NETLOGON_NEG_SUPPORTS_AES) && >+ (proposed_flags & NETLOGON_NEG_SUPPORTS_AES)) >+ { >+ req_flags &= ~NETLOGON_NEG_ARCFOUR|NETLOGON_NEG_STRONG_KEYS; >+ } >+ >+ tmp_flags = negotiated_flags; >+ tmp_flags &= req_flags; >+ if (tmp_flags != req_flags) { >+ return true; >+ } >+ >+ return false; >+} >+ > struct netlogon_creds_cli_fetch_state { > TALLOC_CTX *mem_ctx; > struct netlogon_creds_CredentialState *creds; >+ uint32_t proposed_flags; > uint32_t required_flags; > NTSTATUS status; > }; >@@ -518,7 +542,7 @@ static void netlogon_creds_cli_fetch_parser(TDB_DATA key, TDB_DATA data, > (struct netlogon_creds_cli_fetch_state *)private_data; > enum ndr_err_code ndr_err; > DATA_BLOB blob; >- uint32_t tmp_flags; >+ bool downgraded; > > state->creds = talloc_zero(state->mem_ctx, > struct netlogon_creds_CredentialState); >@@ -542,9 +566,11 @@ static void netlogon_creds_cli_fetch_parser(TDB_DATA key, TDB_DATA data, > NDR_PRINT_DEBUG(netlogon_creds_CredentialState, state->creds); > } > >- tmp_flags = state->creds->negotiate_flags; >- tmp_flags &= state->required_flags; >- if (tmp_flags != state->required_flags) { >+ downgraded = netlogon_creds_cli_downgraded( >+ state->creds->negotiate_flags, >+ state->proposed_flags, >+ state->required_flags); >+ if (downgraded) { > TALLOC_FREE(state->creds); > state->status = NT_STATUS_DOWNGRADE_DETECTED; > return; >@@ -815,6 +841,7 @@ static NTSTATUS netlogon_creds_cli_get_internal( > { > struct netlogon_creds_cli_fetch_state fstate = { > .status = NT_STATUS_INTERNAL_ERROR, >+ .proposed_flags = context->client.proposed_flags, > .required_flags = context->client.required_flags, > }; > NTSTATUS status; >@@ -1297,7 +1324,7 @@ static void netlogon_creds_cli_auth_srvauth_done(struct tevent_req *subreq) > enum ndr_err_code ndr_err; > DATA_BLOB blob; > TDB_DATA data; >- uint32_t tmp_flags; >+ bool downgraded; > > if (state->try_auth3) { > status = dcerpc_netr_ServerAuthenticate3_recv(subreq, state, >@@ -1344,9 +1371,11 @@ static void netlogon_creds_cli_auth_srvauth_done(struct tevent_req *subreq) > return; > } > >- tmp_flags = state->creds->negotiate_flags; >- tmp_flags &= state->context->client.required_flags; >- if (tmp_flags != state->context->client.required_flags) { >+ downgraded = netlogon_creds_cli_downgraded( >+ state->creds->negotiate_flags, >+ state->context->client.proposed_flags, >+ state->context->client.required_flags); >+ if (downgraded) { > if (NT_STATUS_IS_OK(result)) { > tevent_req_nterror(req, NT_STATUS_DOWNGRADE_DETECTED); > return; >@@ -1356,8 +1385,7 @@ static void netlogon_creds_cli_auth_srvauth_done(struct tevent_req *subreq) > } > > if (NT_STATUS_EQUAL(result, NT_STATUS_ACCESS_DENIED)) { >- >- tmp_flags = state->context->client.proposed_flags; >+ uint32_t tmp_flags = state->context->client.proposed_flags; > if ((state->current_flags == tmp_flags) && > (state->creds->negotiate_flags != tmp_flags)) > { >diff --git a/selftest/knownfail.d/rpcclient_schannel b/selftest/knownfail.d/rpcclient_schannel >deleted file mode 100644 >index 5498837ee29..00000000000 >--- a/selftest/knownfail.d/rpcclient_schannel >+++ /dev/null >@@ -1 +0,0 @@ >-^samba.blackbox.rpcclient_schannel.ncacn_np.getusername.fips\(ad_member_fips:local\) >-- >2.34.1 >
<b>You cannot view the attachment while viewing its details because your browser does not support IFRAMEs. <a href="attachment.cgi?id=17040">View the attachment on a separate page</a>.</b>
View Attachment As Raw
Flags:
asn
:
review?
(
gd
)
metze
:
review+
Actions:
View
Attachments on
bug 14912
: 17040