sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2025-02-08 05:57:51 +03:00
Code

s4:rpc_server: Allow to use RC4 for creating trusts

Browse Source 
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
This commit is contained in:
Andreas Schneider 2020-08-20 13:51:39 +02:00 committed by Andreas Schneider
parent 4425f2c113
commit c75dd1ea17
1 changed files with 18 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

18
source4/rpc_server/lsa/dcesrv_lsa.c
View File

@ -34,6 +34,8 @@
#include "lib/messaging/irpc.h" #include "lib/messaging/irpc.h"
#include "libds/common/roles.h" #include "libds/common/roles.h"
#include "lib/util/smb_strtox.h" #include "lib/util/smb_strtox.h"
#include "lib/param/loadparm.h"
#include "librpc/rpc/dcerpc_helper.h"
#include "lib/crypto/gnutls_helpers.h" #include "lib/crypto/gnutls_helpers.h"
#include <gnutls/gnutls.h> #include <gnutls/gnutls.h>
@ -872,6 +874,19 @@ static NTSTATUS get_trustdom_auth_blob(struct dcesrv_call_state *dce_call,
gnutls_cipher_hd_t cipher_hnd = NULL; gnutls_cipher_hd_t cipher_hnd = NULL;
gnutls_datum_t _session_key; gnutls_datum_t _session_key;
int rc; int rc;
struct auth_session_info *session_info =
dcesrv_call_session_info(dce_call);
struct loadparm_context *lp_ctx = dce_call->conn->dce_ctx->lp_ctx;
bool encrypted;
encrypted =
dcerpc_is_transport_encrypted(session_info);
if (lpcfg_weak_crypto(lp_ctx) == SAMBA_WEAK_CRYPTO_DISALLOWED &&
!encrypted) {
DBG_ERR("Transport isn't encrypted and weak crypto disallowed!\n");
return NT_STATUS_ACCESS_DENIED;
}
nt_status = dcesrv_transport_session_key(dce_call, &session_key); nt_status = dcesrv_transport_session_key(dce_call, &session_key);
if (!NT_STATUS_IS_OK(nt_status)) { if (!NT_STATUS_IS_OK(nt_status)) {
@ -883,11 +898,13 @@ static NTSTATUS get_trustdom_auth_blob(struct dcesrv_call_state *dce_call,
.size = session_key.length, .size = session_key.length,
}; };
GNUTLS_FIPS140_SET_LAX_MODE();
rc = gnutls_cipher_init(&cipher_hnd, rc = gnutls_cipher_init(&cipher_hnd,
GNUTLS_CIPHER_ARCFOUR_128, GNUTLS_CIPHER_ARCFOUR_128,
&_session_key, &_session_key,
NULL); NULL);
if (rc < 0) { if (rc < 0) {
GNUTLS_FIPS140_SET_STRICT_MODE();
nt_status = gnutls_error_to_ntstatus(rc, NT_STATUS_CRYPTO_SYSTEM_INVALID); nt_status = gnutls_error_to_ntstatus(rc, NT_STATUS_CRYPTO_SYSTEM_INVALID);
goto out; goto out;
} }
@ -896,6 +913,7 @@ static NTSTATUS get_trustdom_auth_blob(struct dcesrv_call_state *dce_call,
auth_blob->data, auth_blob->data,
auth_blob->length); auth_blob->length);
gnutls_cipher_deinit(cipher_hnd); gnutls_cipher_deinit(cipher_hnd);
GNUTLS_FIPS140_SET_STRICT_MODE();
if (rc < 0) { if (rc < 0) {
nt_status = gnutls_error_to_ntstatus(rc, NT_STATUS_CRYPTO_SYSTEM_INVALID); nt_status = gnutls_error_to_ntstatus(rc, NT_STATUS_CRYPTO_SYSTEM_INVALID);
goto out; goto out;