
netlogon:schannel: If weak crypto is disabled, do not announce RC4 support.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This commit is contained in:
Andreas Schneider 2020-09-03 15:58:56 +02:00 committed by Andreas Schneider
parent 17cc20ebe6
commit d6c7a2a700
4 changed files with 33 additions and 0 deletions


@ -39,6 +39,7 @@
#include "libds/common/roles.h"
#include "lib/crypto/md4.h"
#include "auth/credentials/credentials.h"
#include "lib/param/loadparm.h"
struct netlogon_creds_cli_locked_state;
@ -414,6 +415,17 @@ NTSTATUS netlogon_creds_cli_context_global(struct loadparm_context *lp_ctx,
required_flags |= NETLOGON_NEG_AUTHENTICATED_RPC;
}
/*
* If weak crypto is disabled, do not announce that we support RC4 and
* require AES.
*/
if (lpcfg_weak_crypto(lp_ctx) == SAMBA_WEAK_CRYPTO_DISALLOWED) {
required_flags &= ~NETLOGON_NEG_ARCFOUR;
required_flags |= NETLOGON_NEG_SUPPORTS_AES;
proposed_flags &= ~NETLOGON_NEG_ARCFOUR;
proposed_flags |= NETLOGON_NEG_SUPPORTS_AES;
}
proposed_flags |= required_flags;
if (seal_secure_channel) {
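Review bot: `proposed_flags |= NETLOGON_NEG_SUPPORTS_AES;` inside the new block is redundant, because the line immediately after the block, `proposed_flags |= required_flags;`, already folds the AES bit that was just added to required_flags into proposed_flags. The `proposed_flags &= ~NETLOGON_NEG_ARCFOUR;` line is still needed, since that OR can only set bits, never clear them. Dropping the redundant line leaves the block stating exactly its intent: RC4 is removed from both sets and AES becomes a requirement. netlogon_creds_cli_context_global starts before this hunk and continues after it.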


@ -910,6 +910,13 @@ NTSTATUS _netr_ServerAuthenticate3(struct pipes_struct *p,
NETLOGON_NEG_NEUTRALIZE_NT4_EMULATION;
}
/*
* If weak cryto is disabled, do not announce that we support RC4.
*/
if (lp_weak_crypto() == SAMBA_WEAK_CRYPTO_DISALLOWED) {
srv_flgs &= ~NETLOGON_NEG_ARCFOUR;
}
switch (p->opnum) {
case NDR_NETR_SERVERAUTHENTICATE:
fn = "_netr_ServerAuthenticate";
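Review bot: The added comment `* If weak cryto is disabled, do not announce that we support RC4.` misspells "crypto"; the same typo is in the added comment in dcesrv_netr_ServerAuthenticate3_helper (fourth file). More substantively, clearing NETLOGON_NEG_ARCFOUR from srv_flgs only stops this server announcing RC4: a client that proposes neither RC4 nor AES still passes this point, and the session-key scheme is selected from the negotiated flags elsewhere (outside the hunk), so on its own the hunk does not appear to refuse an AES-less channel when weak crypto is disallowed. Consider adding, where the negotiated flags are computed, a check along the lines of `if (lp_weak_crypto() == SAMBA_WEAK_CRYPTO_DISALLOWED && !(negotiate_flags & NETLOGON_NEG_SUPPORTS_AES)) { return NT_STATUS_DOWNGRADE_DETECTED; }`, and the equivalent after `negotiate_flags = *r->in.negotiate_flags & server_flags;` in the fourth file. _netr_ServerAuthenticate3 starts before this hunk and continues after it.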


@ -31,6 +31,7 @@
#include "auth/credentials/credentials.h"
#include "librpc/rpc/dcerpc_proto.h"
#include "param/param.h"
#include "lib/param/loadparm.h"
struct schannel_key_state {
struct dcerpc_pipe *pipe;
@ -346,6 +347,10 @@ static struct composite_context *dcerpc_schannel_key_send(TALLOC_CTX *mem_ctx,
s->local_negotiate_flags |= NETLOGON_NEG_RODC_PASSTHROUGH;
}
if (lpcfg_weak_crypto(lp_ctx) == SAMBA_WEAK_CRYPTO_DISALLOWED) {
s->local_negotiate_flags &= ~NETLOGON_NEG_ARCFOUR;
}
epm_creds = cli_credentials_init_anon(s);
if (composite_nomem(epm_creds, c)) return c;
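Review bot: The added block in dcerpc_schannel_key_send only clears NETLOGON_NEG_ARCFOUR from s->local_negotiate_flags, whereas the equivalent client-side block in netlogon_creds_cli_context_global (first file) also sets NETLOGON_NEG_SUPPORTS_AES; unless AES is already present in local_negotiate_flags above this hunk (not visible here), this client may propose neither cipher once weak crypto is disallowed. For consistency add `s->local_negotiate_flags |= NETLOGON_NEG_SUPPORTS_AES;` inside the if, and give the block the same explanatory comment the other files carry, e.g. `/* If weak crypto is disabled, do not announce that we support RC4 and require AES. */`. dcerpc_schannel_key_send starts before this hunk and continues after it.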


@ -44,6 +44,7 @@
#include "lib/socket/netif.h"
#include "rpc_server/common/sid_helper.h"
#include "lib/util/util_str_escape.h"
#include "lib/param/loadparm.h"
#define DCESRV_INTERFACE_NETLOGON_BIND(context, iface) \
dcesrv_interface_netlogon_bind(context, iface)
@ -223,6 +224,14 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_helper(
NETLOGON_NEG_AUTHENTICATED_RPC_LSASS |
NETLOGON_NEG_AUTHENTICATED_RPC;
/*
* If weak cryto is disabled, do not announce that we support RC4.
*/
if (lpcfg_weak_crypto(dce_call->conn->dce_ctx->lp_ctx) ==
SAMBA_WEAK_CRYPTO_DISALLOWED) {
server_flags &= ~NETLOGON_NEG_ARCFOUR;
}
negotiate_flags = *r->in.negotiate_flags & server_flags;
if (negotiate_flags & NETLOGON_NEG_STRONG_KEYS) {