mirror of https://github.com/samba-team/samba.git synced 2025-01-03 01:18:10 +03:00

s4:rpc_server/netlogon: if we require AES there's no need to remove the ARCFOUR flag

With SAMBA_WEAK_CRYPTO_DISALLOWED dcesrv_netr_ServerAuthenticate3_check_downgrade()
will return DOWNGRADE_DETECTED with negotiate_flags = 0, if AES was not
negotiated...

And if AES was negotiated there's no harm in returning the ARCFOUR
flag...

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit a0bc372dee)
Stefan Metzmacher 2024-10-10 12:34:33 +02:00 committed by Jule Anger
parent 6916bf43d3
commit 349f314488
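To make the reasoning in the commit message concrete, here is a small C model of the ServerAuthenticate3 flag negotiation before and after this change. It is an added example, not Samba code: the flag values follow MS-NRPC / Samba's netlogon.idl (assumed here), `check_downgrade()` is a stand-in for `dcesrv_netr_ServerAuthenticate3_check_downgrade()`, and `negotiate()` models the "client flags AND server flags, then downgrade check" order the message describes. The point it shows is that, once the downgrade check zeroes the flags for any non-AES negotiation under SAMBA_WEAK_CRYPTO_DISALLOWED, clearing NETLOGON_NEG_ARCFOUR from server_flags only changes what an AES-capable client is told, never what an RC4-only client gets.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Negotiate flag values as in MS-NRPC 3.1.4.2 / Samba netlogon.idl (assumed). */
#define NETLOGON_NEG_ARCFOUR           0x00000004u
#define NETLOGON_NEG_STRONG_KEYS       0x00004000u
#define NETLOGON_NEG_SUPPORTS_AES      0x01000000u
#define NETLOGON_NEG_AUTHENTICATED_RPC 0x40000000u

/* Stand-in for lpcfg_weak_crypto() results. */
enum weak_crypto { WEAK_CRYPTO_ALLOWED, WEAK_CRYPTO_DISALLOWED };

/* Everything this model DC is willing to offer. */
static const uint32_t ALL_SERVER_FLAGS =
    NETLOGON_NEG_ARCFOUR | NETLOGON_NEG_STRONG_KEYS |
    NETLOGON_NEG_SUPPORTS_AES | NETLOGON_NEG_AUTHENTICATED_RPC;

/* Pre-commit behaviour: strip ARCFOUR when weak crypto is disallowed. */
static uint32_t server_flags_before(enum weak_crypto wc)
{
    uint32_t f = ALL_SERVER_FLAGS;
    if (wc == WEAK_CRYPTO_DISALLOWED) {
        f &= ~NETLOGON_NEG_ARCFOUR;
    }
    return f;
}

/* Post-commit behaviour: leave ARCFOUR and STRONG_KEYS in place. */
static uint32_t server_flags_after(enum weak_crypto wc)
{
    (void)wc;
    return ALL_SERVER_FLAGS;
}

/*
 * Model of dcesrv_netr_ServerAuthenticate3_check_downgrade(): with weak
 * crypto disallowed, a negotiation that did not agree on AES is a
 * downgrade; the flags are zeroed and the caller must fail the call.
 */
static bool check_downgrade(enum weak_crypto wc, uint32_t *negotiate_flags)
{
    if (wc == WEAK_CRYPTO_DISALLOWED &&
        !(*negotiate_flags & NETLOGON_NEG_SUPPORTS_AES)) {
        *negotiate_flags = 0;
        return true; /* DOWNGRADE_DETECTED */
    }
    return false;
}

/*
 * One ServerAuthenticate3 in the model. Returns the flags the client
 * ends up with; 0 means the DC rejected the authentication.
 */
uint32_t negotiate(bool after_commit, enum weak_crypto wc, uint32_t client_flags)
{
    uint32_t server_flags = after_commit ? server_flags_after(wc)
                                         : server_flags_before(wc);
    uint32_t negotiate_flags = client_flags & server_flags;

    if (check_downgrade(wc, &negotiate_flags)) {
        return 0;
    }
    return negotiate_flags;
}

int main(void)
{
    const uint32_t aes_client = ALL_SERVER_FLAGS;            /* modern member */
    const uint32_t rc4_client = ALL_SERVER_FLAGS & ~NETLOGON_NEG_SUPPORTS_AES;

    printf("AES client, disallowed, before: 0x%08x\n",
           negotiate(false, WEAK_CRYPTO_DISALLOWED, aes_client));
    printf("AES client, disallowed, after:  0x%08x\n",
           negotiate(true, WEAK_CRYPTO_DISALLOWED, aes_client));
    printf("RC4 client, disallowed, before: 0x%08x\n",
           negotiate(false, WEAK_CRYPTO_DISALLOWED, rc4_client));
    printf("RC4 client, disallowed, after:  0x%08x\n",
           negotiate(true, WEAK_CRYPTO_DISALLOWED, rc4_client));
    return 0;
}
```

Under SAMBA_WEAK_CRYPTO_DISALLOWED the RC4-only client is refused identically before and after; the only observable difference is that an AES client now also sees NETLOGON_NEG_ARCFOUR echoed back, which is harmless because AES wins when both are negotiated. The property worth keeping a regression test for is the RC4-only rejection, since that is now the sole thing standing between a weak-crypto policy and an RC4 schannel.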


@ -503,12 +503,17 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_helper(
NETLOGON_NEG_AUTHENTICATED_RPC;
/*
* If weak crypto is disabled, do not announce that we support RC4.
* With SAMBA_WEAK_CRYPTO_DISALLOWED
* dcesrv_netr_ServerAuthenticate3_check_downgrade() will return
* DOWNGRADE_DETECTED with negotiate_flags = 0,
* if NETLOGON_NEG_SUPPORTS_AES was not negotiated...
*
* And if NETLOGON_NEG_SUPPORTS_AES was negotiated there's no harm in
* returning the NETLOGON_NEG_ARCFOUR flag too...
*
* So there's no reason to remove NETLOGON_NEG_ARCFOUR nor
* NETLOGON_NEG_STRONG_KEYS from server_flags...
*/
if (lpcfg_weak_crypto(dce_call->conn->dce_ctx->lp_ctx) ==
SAMBA_WEAK_CRYPTO_DISALLOWED) {
server_flags &= ~NETLOGON_NEG_ARCFOUR;
}
negotiate_flags = *r->in.negotiate_flags & server_flags;
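Review bot: the new comment block should state the invariant it relies on, namely that dcesrv_netr_ServerAuthenticate3_check_downgrade() runs on negotiate_flags (computed from `*r->in.negotiate_flags & server_flags`) before any credentials are derived; that call is outside this hunk, and once `server_flags &= ~NETLOGON_NEG_ARCFOUR;` under SAMBA_WEAK_CRYPTO_DISALLOWED is gone, it is the only thing refusing an RC4-only client. A one-line pointer such as "dcesrv_netr_ServerAuthenticate3_check_downgrade() below must reject any negotiation without NETLOGON_NEG_SUPPORTS_AES" would keep a later reorder from silently re-enabling RC4. Also, the rendered diff has dropped its +/- markers, so the old comment "If weak crypto is disabled, do not announce that we support RC4." and the new block now read as one contradictory comment; as a style point, the trailing "..." on three of the new sentences should be plain full stops.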