netlogon:schannel: If weak crypto is disabled, do not announce RC4 support.
authorAndreas Schneider <asn@samba.org>
Thu, 3 Sep 2020 13:58:56 +0000 (15:58 +0200)
committerAndreas Schneider <asn@cryptomilk.org>
Tue, 3 Aug 2021 09:28:38 +0000 (09:28 +0000)
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
libcli/auth/netlogon_creds_cli.c
source3/rpc_server/netlogon/srv_netlog_nt.c
source4/librpc/rpc/dcerpc_schannel.c
source4/rpc_server/netlogon/dcerpc_netlogon.c

index 12cb3149ff607feeba4837a11157d56d2129aef5..e78bc17396897c2b8983f99a93ff0d6c687ed36c 100644 (file)
@@ -39,6 +39,7 @@
 #include "libds/common/roles.h"
 #include "lib/crypto/md4.h"
 #include "auth/credentials/credentials.h"
+#include "lib/param/loadparm.h"
 
 struct netlogon_creds_cli_locked_state;
 
@@ -414,6 +415,17 @@ NTSTATUS netlogon_creds_cli_context_global(struct loadparm_context *lp_ctx,
                required_flags |= NETLOGON_NEG_AUTHENTICATED_RPC;
        }
 
+       /*
+        * If weak crypto is disabled, do not announce that we support RC4 and
+        * require AES.
+        */
+       if (lpcfg_weak_crypto(lp_ctx) == SAMBA_WEAK_CRYPTO_DISALLOWED) {
+               required_flags &= ~NETLOGON_NEG_ARCFOUR;
+               required_flags |= NETLOGON_NEG_SUPPORTS_AES;
+               proposed_flags &= ~NETLOGON_NEG_ARCFOUR;
+               proposed_flags |= NETLOGON_NEG_SUPPORTS_AES;
+       }
+
        proposed_flags |= required_flags;
 
        if (seal_secure_channel) {
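Review bot: `proposed_flags |= NETLOGON_NEG_SUPPORTS_AES;` in the new block is already implied by the unchanged `proposed_flags |= required_flags;` two lines below, since the same block has just put NETLOGON_NEG_SUPPORTS_AES into required_flags; only the `&= ~NETLOGON_NEG_ARCFOUR` on proposed_flags does independent work, so the line can be dropped or the redundancy noted. The comment could also say what "require AES" means for the caller, because putting AES into required_flags presumably makes the client refuse a DC that does not announce it; the enforcement of required_flags is outside this hunk, so something like `* A DC that does not offer AES will be rejected by the later required_flags check.` (confirm against that check) would help the next reader. netlogon_creds_cli_context_global continues outside the hunk.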
index eaacd8dbc6abd86a4255143d243796e533d5cc29..51a5663b9da099246773fe411eb8229fa32ce4ff 100644 (file)
@@ -910,6 +910,13 @@ NTSTATUS _netr_ServerAuthenticate3(struct pipes_struct *p,
                            NETLOGON_NEG_NEUTRALIZE_NT4_EMULATION;
        }
 
+       /*
+        * If weak cryto is disabled, do not announce that we support RC4.
+        */
+       if (lp_weak_crypto() == SAMBA_WEAK_CRYPTO_DISALLOWED) {
+               srv_flgs &= ~NETLOGON_NEG_ARCFOUR;
+       }
+
        switch (p->opnum) {
                case NDR_NETR_SERVERAUTHENTICATE:
                        fn = "_netr_ServerAuthenticate";
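Review bot: Clearing NETLOGON_NEG_ARCFOUR from srv_flgs only stops the server from announcing RC4; the hunk does not show what happens when the client offers neither NETLOGON_NEG_SUPPORTS_AES nor anything else usable, so the negotiated flags can end up with no cipher flag at all, and whether a later check in _netr_ServerAuthenticate3 rejects that client is outside the hunk and should be confirmed (the same applies to dcesrv_netr_ServerAuthenticate3_helper in source4/rpc_server/netlogon/dcerpc_netlogon.c). A short comment at the point where negotiate_flags is derived, stating the expected outcome for an RC4-only client, would make the policy explicit. The new comment also has a typo, "cryto" for "crypto", here and in the dcerpc_netlogon.c hunk: `* If weak crypto is disabled, do not announce that we support RC4.`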
index d12647222eb559b35eaf1ceeeb19df57985b4680..68bc3b34e24cd62c309073737877ddee5d63bbb9 100644 (file)
@@ -31,6 +31,7 @@
 #include "auth/credentials/credentials.h"
 #include "librpc/rpc/dcerpc_proto.h"
 #include "param/param.h"
+#include "lib/param/loadparm.h"
 
 struct schannel_key_state {
        struct dcerpc_pipe *pipe;
@@ -346,6 +347,10 @@ static struct composite_context *dcerpc_schannel_key_send(TALLOC_CTX *mem_ctx,
                s->local_negotiate_flags |= NETLOGON_NEG_RODC_PASSTHROUGH;
        }
 
+       if (lpcfg_weak_crypto(lp_ctx) == SAMBA_WEAK_CRYPTO_DISALLOWED) {
+               s->local_negotiate_flags &= ~NETLOGON_NEG_ARCFOUR;
+       }
+
        epm_creds = cli_credentials_init_anon(s);
        if (composite_nomem(epm_creds, c)) return c;
 
index c87375c16a5a2f55a2ccdb8a58c89a43037d419d..6860202a985b54ebbd8976cab7cf4e01670c7fd8 100644 (file)
@@ -44,6 +44,7 @@
 #include "lib/socket/netif.h"
 #include "rpc_server/common/sid_helper.h"
 #include "lib/util/util_str_escape.h"
+#include "lib/param/loadparm.h"
 
 #define DCESRV_INTERFACE_NETLOGON_BIND(context, iface) \
        dcesrv_interface_netlogon_bind(context, iface)
@@ -223,6 +224,14 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_helper(
                       NETLOGON_NEG_AUTHENTICATED_RPC_LSASS |
                       NETLOGON_NEG_AUTHENTICATED_RPC;
 
+       /*
+        * If weak cryto is disabled, do not announce that we support RC4.
+        */
+       if (lpcfg_weak_crypto(dce_call->conn->dce_ctx->lp_ctx) ==
+           SAMBA_WEAK_CRYPTO_DISALLOWED) {
+               server_flags &= ~NETLOGON_NEG_ARCFOUR;
+       }
+
        negotiate_flags = *r->in.negotiate_flags & server_flags;
 
        if (negotiate_flags & NETLOGON_NEG_STRONG_KEYS) {
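Review bot: The two-line condition `if (lpcfg_weak_crypto(dce_call->conn->dce_ctx->lp_ctx) == SAMBA_WEAK_CRYPTO_DISALLOWED)` reads better with the context pulled into a local, e.g. `struct loadparm_context *lp_ctx = dce_call->conn->dce_ctx->lp_ctx;` before the block and `if (lpcfg_weak_crypto(lp_ctx) == SAMBA_WEAK_CRYPTO_DISALLOWED) {` as the test, matching the shape used in the other three hunks of this commit. That is a style point only; the behaviour is the same. dcesrv_netr_ServerAuthenticate3_helper continues outside the hunk.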