From d73e6c7ab087b93436d1419f804e865dbbe6bc34 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher
Date: Thu, 10 Oct 2024 12:31:18 +0200
Subject: [PATCH] libcli/auth: if we require aes we don't need to require arcfour nor strong key

But we can send arcfour and strong key on the wire and don't need to remove them from the proposed flags.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425
Signed-off-by: Stefan Metzmacher
Reviewed-by: Douglas Bagnall
(cherry picked from commit 3da40f1c6818550eb08a6d7d680c213c3f1d0649)
---
 libcli/auth/netlogon_creds_cli.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/libcli/auth/netlogon_creds_cli.c b/libcli/auth/netlogon_creds_cli.c
index 1a196620751..f4b3560f42c 100644
--- a/libcli/auth/netlogon_creds_cli.c
+++ b/libcli/auth/netlogon_creds_cli.c
@@ -502,14 +502,16 @@ NTSTATUS netlogon_creds_cli_context_global(struct loadparm_context *lp_ctx,
 * require AES.
 */
 if (lpcfg_weak_crypto(lp_ctx) == SAMBA_WEAK_CRYPTO_DISALLOWED) {
- required_flags &= ~NETLOGON_NEG_ARCFOUR;
 required_flags |= NETLOGON_NEG_SUPPORTS_AES;
- proposed_flags &= ~NETLOGON_NEG_ARCFOUR;
- proposed_flags |= NETLOGON_NEG_SUPPORTS_AES;
 }
 
 proposed_flags |= required_flags;
 
+ if (required_flags & NETLOGON_NEG_SUPPORTS_AES) {
+ required_flags &= ~NETLOGON_NEG_ARCFOUR;
+ required_flags &= ~NETLOGON_NEG_STRONG_KEYS;
+ }
+
 if (seal_secure_channel) {
 auth_level = DCERPC_AUTH_LEVEL_PRIVACY;
 } else {
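Review bot: The new `if (required_flags & NETLOGON_NEG_SUPPORTS_AES)` block is order-dependent and has no comment: it only has the intended effect because it runs after `proposed_flags |= required_flags;`, so ARCFOUR and STRONG_KEYS are dropped from what is required but stay in what is proposed. Under `SAMBA_WEAK_CRYPTO_DISALLOWED` this means `NETLOGON_NEG_ARCFOUR` may now remain in proposed_flags (if it was set earlier in the function), so refusing RC4 rests on the later comparison of the negotiated flags against required_flags, which is outside this hunk and worth confirming. I would add above the block `/* AES supersedes ARCFOUR and STRONG_KEYS: stop requiring them, but keep them in proposed_flags, which was merged above. */`, and reword the existing comment ending in `* require AES.` (it starts outside the hunk) if it still says RC4 is not announced. The function body begins and continues outside the hunk.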