s4:netlogon: implement "allow nt4 crypto" and "reject md5 clients" features.
authorStefan Metzmacher <metze@samba.org>
Fri, 6 Dec 2013 11:08:50 +0000 (12:08 +0100)
committerStefan Metzmacher <metze@samba.org>
Tue, 7 Jan 2014 15:53:31 +0000 (16:53 +0100)
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Tue Jan  7 16:53:31 CET 2014 on sn-devel-104

source4/rpc_server/netlogon/dcerpc_netlogon.c

index eb15c7fed888cbef5562324971feec35664b7ca8..0dd215df6ce7b44ec2a793f81fcd71872fe6558f 100644 (file)
@@ -93,6 +93,9 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3(struct dcesrv_call_state *dce_ca
        const char *account_name;
        uint32_t server_flags = 0;
        uint32_t negotiate_flags = 0;
+       bool allow_nt4_crypto = lpcfg_allow_nt4_crypto(dce_call->conn->dce_ctx->lp_ctx);
+       bool reject_des_client = !allow_nt4_crypto;
+       bool reject_md5_client = lpcfg_reject_md5_clients(dce_call->conn->dce_ctx->lp_ctx);
 
        ZERO_STRUCTP(r->out.return_credentials);
        *r->out.rid = 0;
@@ -125,6 +128,23 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3(struct dcesrv_call_state *dce_ca
 
        negotiate_flags = *r->in.negotiate_flags & server_flags;
 
+       if (negotiate_flags & NETLOGON_NEG_STRONG_KEYS) {
+               reject_des_client = false;
+       }
+
+       if (negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
+               reject_des_client = false;
+               reject_md5_client = false;
+       }
+
+       if (reject_des_client || reject_md5_client) {
+               /*
+                * Here we match Windows 2012 and return no flags.
+                */
+               *r->out.negotiate_flags = 0;
+               return NT_STATUS_DOWNGRADE_DETECTED;
+       }
+
        /*
         * According to Microsoft (see bugid #6099)
         * Windows 7 looks at the negotiate_flags
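Review bot: The rejection branch that returns NT_STATUS_DOWNGRADE_DETECTED leaves no trace of which client was refused or which of the two policies fired, so an operator who enables "reject md5 clients" only sees a generic authentication failure on the member; a log line before the return, such as `DEBUG(2, ("%s: rejecting account[%s] (allow_nt4_crypto=%d reject_des=%d reject_md5=%d) -> NT_STATUS_DOWNGRADE_DETECTED\n", __func__, r->in.account_name, allow_nt4_crypto, reject_des_client, reject_md5_client));`, would make the policy's effect diagnosable. The two clearing blocks also deserve a comment stating the intent, e.g. `/* STRONG_KEYS (RC4/HMAC-MD5 session keys) lifts only the DES rejection; AES lifts both. */`, since the asymmetry is the whole policy and nothing on the page explains it. Note that the checks run on `negotiate_flags`, which is already masked with `server_flags` just above: if the server's own flag set ever lacks NETLOGON_NEG_SUPPORTS_AES (computed outside this hunk), `reject_md5_client` can never be cleared and every client is refused, which may be intended but is worth stating. dcesrv_netr_ServerAuthenticate3 starts and ends outside the hunk.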