s3:rpc_server/netlogon: if we require AES there's no need to remove the ARCFOUR flag
With SAMBA_WEAK_CRYPTO_DISALLOWED we will return DOWNGRADE_DETECTED with negotiate_flags = 0, if AES was not negotiated...

And if AES was negotiated there's no harm in returning the ARCFOUR flag...

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit e5bc5ee3e04138b10c0630640469a08fad847e56)
parent
a442241004
commit
6916bf43d3
@ -927,6 +927,18 @@ NTSTATUS _netr_ServerAuthenticate3(struct pipes_struct *p,
|
||||
NETLOGON_NEG_SUPPORTS_AES |
|
||||
NETLOGON_NEG_SCHANNEL;
|
||||
|
||||
/*
|
||||
* With SAMBA_WEAK_CRYPTO_DISALLOWED we will return DOWNGRADE_DETECTED
|
||||
* with negotiate_flags = 0 below, if NETLOGON_NEG_SUPPORTS_AES was not
|
||||
* negotiated...
|
||||
*
|
||||
* And if NETLOGON_NEG_SUPPORTS_AES was negotiated there's no harm in
|
||||
* returning the NETLOGON_NEG_ARCFOUR flag too...
|
||||
*
|
||||
* So there's no reason to remove NETLOGON_NEG_ARCFOUR nor
|
||||
* NETLOGON_NEG_STRONG_KEYS from srv_flgs...
|
||||
*/
|
||||
|
||||
/*
|
||||
* Support authentication of trusted domains.
|
||||
*
|
||||
@ -940,13 +952,6 @@ NTSTATUS _netr_ServerAuthenticate3(struct pipes_struct *p,
|
||||
NETLOGON_NEG_NEUTRALIZE_NT4_EMULATION;
|
||||
}
|
||||
|
||||
/*
|
||||
* If weak crypto is disabled, do not announce that we support RC4.
|
||||
*/
|
||||
if (lp_weak_crypto() == SAMBA_WEAK_CRYPTO_DISALLOWED) {
|
||||
srv_flgs &= ~NETLOGON_NEG_ARCFOUR;
|
||||
}
|
||||
|
||||
neg_flags = in_neg_flags & srv_flgs;
|
||||
|
||||
switch (dce_call->pkt.u.request.opnum) {
|
||||
|
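Review bot: The comment added in the first hunk justifies keeping NETLOGON_NEG_ARCFOUR by pointing to a DOWNGRADE_DETECTED check "below", but that check sits outside both hunks. Once the second hunk drops `srv_flgs &= ~NETLOGON_NEG_ARCFOUR;`, it becomes the only thing keeping RC4 out of a session when weak crypto is disallowed. If that later check is ever made conditional or moved, this function would start advertising and accepting ARCFOUR again with nothing here to signal it. I would make the dependency explicit in the comment, for example `* NOTE: this relies on the SAMBA_WEAK_CRYPTO_DISALLOWED check further down rejecting any neg_flags without NETLOGON_NEG_SUPPORTS_AES; keep the two in sync.` A regression test would also help: with weak crypto disallowed, a client that offers ARCFOUR but not AES should get DOWNGRADE_DETECTED and negotiate_flags = 0. The body of _netr_ServerAuthenticate3 continues past the end of the second hunk, so the enforcement path itself could not be reviewed from this page.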