File _service:tar_scm_kernel_repo:backport-0031-CVE-... of Package samba

File _service:tar_scm_kernel_repo:backport-0031-CVE-2022-38023.patch of Package samba

From 4118bd2e1b1a31717f4c5355be5d83c121fa85dc Mon Sep 17 00:00:00 2001
From: Samuel Cabrero <scabrero@suse.de>
Date: Wed, 21 Dec 2022 18:17:57 +0100
Subject: [PATCH 32/40] CVE-2022-38023 s3:rpc_server/netlogon: re-order
 checking in netr_creds_server_step_check()

This will simplify the following changes.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240

Signed-off-by: Samuel Cabrero <scabrero@samba.org>

Conflict: NA
Reference: https://attachments.samba.org/attachment.cgi?id=17736
---
 source3/rpc_server/netlogon/srv_netlog_nt.c | 40 ++++++++++-----------
 1 file changed, 19 insertions(+), 21 deletions(-)

diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c
index 8e907e60f7e..ba73fe3fa58 100644
--- a/source3/rpc_server/netlogon/srv_netlog_nt.c
+++ b/source3/rpc_server/netlogon/srv_netlog_nt.c
@@ -1122,13 +1122,27 @@ static NTSTATUS netr_creds_server_step_check(struct pipes_struct *p,
 		schannel_required = lp_bool(explicit_opt);
 	}
 
-	if (schannel_required) {
-		if (auth_type == DCERPC_AUTH_TYPE_SCHANNEL) {
-			*creds_out = creds;
-			TALLOC_FREE(frame);
-			return NT_STATUS_OK;
+	if (auth_type == DCERPC_AUTH_TYPE_SCHANNEL) {
+		if (!schannel_required) {
+			DBG_ERR("CVE-2020-1472(ZeroLogon): "
+				"%s request (opnum[%u]) WITH schannel from "
+				"client_account[%s] client_computer_name[%s]\n",
+				opname, opnum,
+				log_escape(frame, creds->account_name),
+				log_escape(frame, creds->computer_name));
+		}
+		if (explicit_opt != NULL && !schannel_required) {
+			DBG_ERR("CVE-2020-1472(ZeroLogon): "
+				"Option 'server require schannel:%s = no' not needed!?\n",
+				log_escape(frame, creds->account_name));
 		}
 
+		*creds_out = creds;
+		TALLOC_FREE(frame);
+		return NT_STATUS_OK;
+	}
+
+	if (schannel_required) {
 		DBG_ERR("CVE-2020-1472(ZeroLogon): "
 			"%s request (opnum[%u]) without schannel from "
 			"client_account[%s] client_computer_name[%s]\n",
@@ -1155,22 +1169,6 @@ static NTSTATUS netr_creds_server_step_check(struct pipes_struct *p,
 		warned_global_once = true;
 	}
 
-	if (auth_type == DCERPC_AUTH_TYPE_SCHANNEL) {
-		DBG_ERR("CVE-2020-1472(ZeroLogon): "
-			"%s request (opnum[%u]) WITH schannel from "
-			"client_account[%s] client_computer_name[%s]\n",
-			opname, opnum,
-			log_escape(frame, creds->account_name),
-			log_escape(frame, creds->computer_name));
-		DBG_ERR("CVE-2020-1472(ZeroLogon): "
-			"Option 'server require schannel:%s = no' not needed!?\n",
-			log_escape(frame, creds->account_name));
-
-		*creds_out = creds;
-		TALLOC_FREE(frame);
-		return NT_STATUS_OK;
-	}
-
 	if (explicit_opt != NULL) {
 		DBG_INFO("CVE-2020-1472(ZeroLogon): "
 			 "%s request (opnum[%u]) without schannel from "
-- 
2.39.0