s4:rpc_server/netlogon: if we require AES there's no need to remove the ARCFOUR flag

With SAMBA_WEAK_CRYPTO_DISALLOWED dcesrv_netr_ServerAuthenticate3_check_downgrade()
will return DOWNGRADE_DETECTED with negotiate_flags = 0, if AES was not
negotiated...

And if AES was negotiated there's no harm in returning the ARCFOUR
flag...

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>

diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c
index 175ff532b4a49adc7f450cbcfac10db19223fe32..e9cd56b8084da7a2752e70261d5a0cde567e7088 100644 (file)
--- a/source4/rpc_server/netlogon/dcerpc_netlogon.c
+++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c
@@ -503,12 +503,17 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_helper(
                       NETLOGON_NEG_AUTHENTICATED_RPC;
 
        /*
-        * If weak crypto is disabled, do not announce that we support RC4.
+        * With SAMBA_WEAK_CRYPTO_DISALLOWED
+        * dcesrv_netr_ServerAuthenticate3_check_downgrade() will return
+        * DOWNGRADE_DETECTED with negotiate_flags = 0,
+        * if NETLOGON_NEG_SUPPORTS_AES was not negotiated...
+        *
+        * And if NETLOGON_NEG_SUPPORTS_AES was negotiated there's no harm in
+        * returning the NETLOGON_NEG_ARCFOUR flag too...
+        *
+        * So there's no reason to remove NETLOGON_NEG_ARCFOUR nor
+        * NETLOGON_NEG_STRONG_KEYS from server_flags...
         */
-       if (lpcfg_weak_crypto(dce_call->conn->dce_ctx->lp_ctx) ==
-           SAMBA_WEAK_CRYPTO_DISALLOWED) {
-               server_flags &= ~NETLOGON_NEG_ARCFOUR;
-       }
 
        negotiate_flags = *r->in.negotiate_flags & server_flags;