s4:rpc_server/netlogon: if we require AES there's no need to remove the ARCFOUR flag
With SAMBA_WEAK_CRYPTO_DISALLOWED dcesrv_netr_ServerAuthenticate3_check_downgrade() will return DOWNGRADE_DETECTED with negotiate_flags = 0, if AES was not negotiated... And if AES was negotiated there's no harm in returning the ARCFOUR flag... BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> (cherry picked from commit a0bc372dee68ad255da005d2e2078da754bbef2a)
parent
6916bf43d3
commit
349f314488
@ -503,12 +503,17 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_helper(
|
|||||||
NETLOGON_NEG_AUTHENTICATED_RPC;
|
NETLOGON_NEG_AUTHENTICATED_RPC;
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* If weak crypto is disabled, do not announce that we support RC4.
|
* With SAMBA_WEAK_CRYPTO_DISALLOWED
|
||||||
|
* dcesrv_netr_ServerAuthenticate3_check_downgrade() will return
|
||||||
|
* DOWNGRADE_DETECTED with negotiate_flags = 0,
|
||||||
|
* if NETLOGON_NEG_SUPPORTS_AES was not negotiated...
|
||||||
|
*
|
||||||
|
* And if NETLOGON_NEG_SUPPORTS_AES was negotiated there's no harm in
|
||||||
|
* returning the NETLOGON_NEG_ARCFOUR flag too...
|
||||||
|
*
|
||||||
|
* So there's no reason to remove NETLOGON_NEG_ARCFOUR nor
|
||||||
|
* NETLOGON_NEG_STRONG_KEYS from server_flags...
|
||||||
*/
|
*/
|
||||||
if (lpcfg_weak_crypto(dce_call->conn->dce_ctx->lp_ctx) ==
|
|
||||||
SAMBA_WEAK_CRYPTO_DISALLOWED) {
|
|
||||||
server_flags &= ~NETLOGON_NEG_ARCFOUR;
|
|
||||||
}
|
|
||||||
|
|
||||||
negotiate_flags = *r->in.negotiate_flags & server_flags;
|
negotiate_flags = *r->in.negotiate_flags & server_flags;
|
||||||
|
|
||||||
|
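Review bot: The rewritten comment above `negotiate_flags = *r->in.negotiate_flags & server_flags;` justifies dropping the `server_flags &= ~NETLOGON_NEG_ARCFOUR;` block only by what dcesrv_netr_ServerAuthenticate3_check_downgrade() does, and that function is outside this hunk, so nothing visible here enforces the invariant. I would close the comment with an explicit statement of that dependency, e.g. `* NOTE: this relies on check_downgrade() rejecting clients without NETLOGON_NEG_SUPPORTS_AES; keep both in sync.`, so that a later change to the downgrade check cannot leave RC4 negotiable under SAMBA_WEAK_CRYPTO_DISALLOWED unnoticed. The comment also names NETLOGON_NEG_STRONG_KEYS although the removed lines only cleared NETLOGON_NEG_ARCFOUR; either drop that mention or say why it is relevant. A regression test for the weak-crypto-disallowed case (a client offering ARCFOUR without AES is refused) would pin the behaviour, if the series does not already carry one. The enclosing dcesrv_netr_ServerAuthenticate3_helper() starts and ends outside the hunk.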