CVE-2022-38023 s4:rpc_server/netlogon: require aes if weak crypto is disabled

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

source4/rpc_server/netlogon/dcerpc_netlogon.c

@@ -137,6 +137,15 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_check_downgrade(
 	bool reject_des_client = !allow_nt4_crypto;
 	bool reject_md5_client = lpcfg_reject_md5_clients(lp_ctx);
 
+	/*
+	 * If weak cryto is disabled, do not announce that we support RC4.
+	 */
+	if (lpcfg_weak_crypto(lp_ctx) == SAMBA_WEAK_CRYPTO_DISALLOWED) {
+		/* Without RC4 and DES we require AES */
+		reject_des_client = true;
+		reject_md5_client = true;
+	}
+
 	if (negotiate_flags & NETLOGON_NEG_STRONG_KEYS) {
 		reject_des_client = false;
 	}

source4/torture/rpc/netlogon_crypto.c

@@ -150,7 +150,7 @@ static bool test_ServerAuth3Crypto(struct dcerpc_pipe *p,
 	    force_client_rc4) {
 		torture_assert_ntstatus_equal(tctx,
 					      a.out.result,
-					      NT_STATUS_ACCESS_DENIED,
+					      NT_STATUS_DOWNGRADE_DETECTED,
 					      "Unexpected status code");
 		return false;
 	}