netlogon:schannel: If weak crypto is disabled, do not announce RC4 support.
Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This commit is contained in:
parent
17cc20ebe6
commit
d6c7a2a700
@ -39,6 +39,7 @@
|
||||
#include "libds/common/roles.h"
|
||||
#include "lib/crypto/md4.h"
|
||||
#include "auth/credentials/credentials.h"
|
||||
#include "lib/param/loadparm.h"
|
||||
|
||||
struct netlogon_creds_cli_locked_state;
|
||||
|
||||
@ -414,6 +415,17 @@ NTSTATUS netlogon_creds_cli_context_global(struct loadparm_context *lp_ctx,
|
||||
required_flags |= NETLOGON_NEG_AUTHENTICATED_RPC;
|
||||
}
|
||||
|
||||
/*
|
||||
* If weak crypto is disabled, do not announce that we support RC4 and
|
||||
* require AES.
|
||||
*/
|
||||
if (lpcfg_weak_crypto(lp_ctx) == SAMBA_WEAK_CRYPTO_DISALLOWED) {
|
||||
required_flags &= ~NETLOGON_NEG_ARCFOUR;
|
||||
required_flags |= NETLOGON_NEG_SUPPORTS_AES;
|
||||
proposed_flags &= ~NETLOGON_NEG_ARCFOUR;
|
||||
proposed_flags |= NETLOGON_NEG_SUPPORTS_AES;
|
||||
}
|
||||
|
||||
proposed_flags |= required_flags;
|
||||
|
||||
if (seal_secure_channel) {
|
||||
|
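Review bot: The added comment at the `if (lpcfg_weak_crypto(lp_ctx) == SAMBA_WEAK_CRYPTO_DISALLOWED)` block says "require AES" but does not spell out the consequence for the operator: because NETLOGON_NEG_SUPPORTS_AES is added to `required_flags`, a DC that does not offer AES presumably fails the negotiation where `required_flags` is enforced, which is outside this hunk. I would extend the comment to `* require AES. A DC that does not negotiate AES is rejected rather than falling back to RC4.` so the hard-failure mode is visible at the point that introduces it. Note also that the two server-side hunks further down only clear NETLOGON_NEG_ARCFOUR and do not add the AES flag; whether they rely on AES already being present in their flag sets cannot be seen from the hunks. netlogon_creds_cli_context_global starts and ends outside the hunk.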
@ -910,6 +910,13 @@ NTSTATUS _netr_ServerAuthenticate3(struct pipes_struct *p,
|
||||
NETLOGON_NEG_NEUTRALIZE_NT4_EMULATION;
|
||||
}
|
||||
|
||||
/*
|
||||
* If weak cryto is disabled, do not announce that we support RC4.
|
||||
*/
|
||||
if (lp_weak_crypto() == SAMBA_WEAK_CRYPTO_DISALLOWED) {
|
||||
srv_flgs &= ~NETLOGON_NEG_ARCFOUR;
|
||||
}
|
||||
|
||||
switch (p->opnum) {
|
||||
case NDR_NETR_SERVERAUTHENTICATE:
|
||||
fn = "_netr_ServerAuthenticate";
|
||||
|
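Review bot: The added comment spells "cryto": it should read `* If weak crypto is disabled, do not announce that we support RC4.`; the same typo is in the dcesrv_netr_ServerAuthenticate3_helper hunk below. Beyond the wording, clearing NETLOGON_NEG_ARCFOUR from `srv_flgs` only removes RC4 from what the server advertises; if a client then negotiates without NETLOGON_NEG_SUPPORTS_AES, what credential scheme is used is decided by code outside this hunk and is worth confirming, since the intent of the option is that no weak scheme is reachable. _netr_ServerAuthenticate3 starts and ends outside the hunk.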
@ -31,6 +31,7 @@
|
||||
#include "auth/credentials/credentials.h"
|
||||
#include "librpc/rpc/dcerpc_proto.h"
|
||||
#include "param/param.h"
|
||||
#include "lib/param/loadparm.h"
|
||||
|
||||
struct schannel_key_state {
|
||||
struct dcerpc_pipe *pipe;
|
||||
@ -346,6 +347,10 @@ static struct composite_context *dcerpc_schannel_key_send(TALLOC_CTX *mem_ctx,
|
||||
s->local_negotiate_flags |= NETLOGON_NEG_RODC_PASSTHROUGH;
|
||||
}
|
||||
|
||||
if (lpcfg_weak_crypto(lp_ctx) == SAMBA_WEAK_CRYPTO_DISALLOWED) {
|
||||
s->local_negotiate_flags &= ~NETLOGON_NEG_ARCFOUR;
|
||||
}
|
||||
|
||||
epm_creds = cli_credentials_init_anon(s);
|
||||
if (composite_nomem(epm_creds, c)) return c;
|
||||
|
||||
|
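Review bot: The new `if (lpcfg_weak_crypto(lp_ctx) == SAMBA_WEAK_CRYPTO_DISALLOWED)` block in dcerpc_schannel_key_send is the only one of the four that carries no comment, while the matching client-side hunk in netlogon_creds_cli_context_global explains the intent; add `/* If weak crypto is disabled, do not announce that we support RC4. */` above it for consistency. Unlike that client-side hunk, this one clears NETLOGON_NEG_ARCFOUR from `s->local_negotiate_flags` without also setting NETLOGON_NEG_SUPPORTS_AES, so it presumably relies on AES already being in `local_negotiate_flags` from lines outside the hunk; a one-line comment stating that assumption would help. The first hunk of this file only adds the `lib/param/loadparm.h` include that `lpcfg_weak_crypto` needs. dcerpc_schannel_key_send starts and ends outside the hunk.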
@ -44,6 +44,7 @@
|
||||
#include "lib/socket/netif.h"
|
||||
#include "rpc_server/common/sid_helper.h"
|
||||
#include "lib/util/util_str_escape.h"
|
||||
#include "lib/param/loadparm.h"
|
||||
|
||||
#define DCESRV_INTERFACE_NETLOGON_BIND(context, iface) \
|
||||
dcesrv_interface_netlogon_bind(context, iface)
|
||||
@ -223,6 +224,14 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_helper(
|
||||
NETLOGON_NEG_AUTHENTICATED_RPC_LSASS |
|
||||
NETLOGON_NEG_AUTHENTICATED_RPC;
|
||||
|
||||
/*
|
||||
* If weak cryto is disabled, do not announce that we support RC4.
|
||||
*/
|
||||
if (lpcfg_weak_crypto(dce_call->conn->dce_ctx->lp_ctx) ==
|
||||
SAMBA_WEAK_CRYPTO_DISALLOWED) {
|
||||
server_flags &= ~NETLOGON_NEG_ARCFOUR;
|
||||
}
|
||||
|
||||
negotiate_flags = *r->in.negotiate_flags & server_flags;
|
||||
|
||||
if (negotiate_flags & NETLOGON_NEG_STRONG_KEYS) {
|
||||
|
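Review bot: The condition `lpcfg_weak_crypto(dce_call->conn->dce_ctx->lp_ctx) == SAMBA_WEAK_CRYPTO_DISALLOWED` is wrapped across two lines; hoisting the lookup into a local, `struct loadparm_context *lp_ctx = dce_call->conn->dce_ctx->lp_ctx;`, then `if (lpcfg_weak_crypto(lp_ctx) == SAMBA_WEAK_CRYPTO_DISALLOWED) {`, keeps the check on one line and matches the form used in the other hunks of this commit. The "cryto" typo in the comment is the one already noted on the source3 _netr_ServerAuthenticate3 hunk. dcesrv_netr_ServerAuthenticate3_helper starts and ends outside the hunk.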