CVE-2022-38023 s4:rpc_server/netlogon: require aes if weak crypto is disabled

author Stefan Metzmacher <metze@samba.org>

Fri, 25 Nov 2022 09:10:33 +0000 (10:10 +0100)

committer Stefan Metzmacher <metze@samba.org>

Wed, 14 Dec 2022 10:28:16 +0000 (10:28 +0000)
author Stefan Metzmacher <metze@samba.org>
Fri, 25 Nov 2022 09:10:33 +0000 (10:10 +0100)
committer Stefan Metzmacher <metze@samba.org>
Wed, 14 Dec 2022 10:28:16 +0000 (10:28 +0000)
diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c

index 87e4bbe00f2de6b13ca587ea3dc22ad3989874ca..4141cc40687f51cb0f943274597558a08173825b 100644 (file)
--- a/source4/rpc_server/netlogon/dcerpc_netlogon.c
+++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c
@@ -137,6 +137,15 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_check_downgrade(
         bool reject_des_client = !allow_nt4_crypto;
         bool reject_md5_client = lpcfg_reject_md5_clients(lp_ctx);
  
+       /*
+        * If weak cryto is disabled, do not announce that we support RC4.
+        */
+       if (lpcfg_weak_crypto(lp_ctx) == SAMBA_WEAK_CRYPTO_DISALLOWED) {
+               /* Without RC4 and DES we require AES */
+               reject_des_client = true;
+               reject_md5_client = true;
+       }
+
         if (negotiate_flags & NETLOGON_NEG_STRONG_KEYS) {
                 reject_des_client = false;
         }
diff --git a/source4/torture/rpc/netlogon_crypto.c b/source4/torture/rpc/netlogon_crypto.c

index 05beb2b77b3bf5233b7638747bc2f7c43e17afbb..85844604ee278185f23eb36ee215ec9f6a4d8091 100644 (file)
--- a/source4/torture/rpc/netlogon_crypto.c
+++ b/source4/torture/rpc/netlogon_crypto.c
@@ -150,7 +150,7 @@ static bool test_ServerAuth3Crypto(struct dcerpc_pipe *p,
             force_client_rc4) {
                 torture_assert_ntstatus_equal(tctx,
                                               a.out.result,
-                                             NT_STATUS_ACCESS_DENIED,
+                                             NT_STATUS_DOWNGRADE_DETECTED,
                                               "Unexpected status code");
                 return false;
         }
author	Stefan Metzmacher <metze@samba.org>
	Fri, 25 Nov 2022 09:10:33 +0000 (10:10 +0100)
committer	Stefan Metzmacher <metze@samba.org>
	Wed, 14 Dec 2022 10:28:16 +0000 (10:28 +0000)
source4/rpc_server/netlogon/dcerpc_netlogon.c		patch \| blob \| blame \| history
source4/torture/rpc/netlogon_crypto.c		patch \| blob \| blame \| history