From: Andreas Schneider Date: Thu, 20 Aug 2020 11:40:21 +0000 (+0200) Subject: s3:rpc_server: Allow to use RC4 for creating trusts X-Git-Tag: talloc-2.3.2~24 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=4425f2c113a4dc33a8dc609d84a92018d61b4d2e;p=thirdparty%2Fsamba.git s3:rpc_server: Allow to use RC4 for creating trusts Signed-off-by: Andreas Schneider Reviewed-by: Alexander Bokovoy Reviewed-by: Stefan Metzmacher --- diff --git a/source3/rpc_server/lsa/srv_lsa_nt.c b/source3/rpc_server/lsa/srv_lsa_nt.c index e749caf2551..d6d606ddeca 100644 --- a/source3/rpc_server/lsa/srv_lsa_nt.c +++ b/source3/rpc_server/lsa/srv_lsa_nt.c @@ -51,6 +51,8 @@ #include "../libcli/lsarpc/util_lsarpc.h" #include "lsa.h" #include "librpc/rpc/dcesrv_core.h" +#include "librpc/rpc/dcerpc_helper.h" +#include "lib/param/loadparm.h" #include "lib/crypto/gnutls_helpers.h" #include @@ -1706,6 +1708,14 @@ static NTSTATUS get_trustdom_auth_blob(struct pipes_struct *p, gnutls_datum_t my_session_key; NTSTATUS status; int rc; + bool encrypted; + + encrypted = + dcerpc_is_transport_encrypted(p->session_info); + if (lp_weak_crypto() == SAMBA_WEAK_CRYPTO_DISALLOWED && + !encrypted) { + return NT_STATUS_ACCESS_DENIED; + } status = session_extract_session_key(p->session_info, &lsession_key, KEY_USE_16BYTES); if (!NT_STATUS_IS_OK(status)) { @@ -1717,11 +1727,13 @@ static NTSTATUS get_trustdom_auth_blob(struct pipes_struct *p, .size = lsession_key.length, }; + GNUTLS_FIPS140_SET_LAX_MODE(); rc = gnutls_cipher_init(&cipher_hnd, GNUTLS_CIPHER_ARCFOUR_128, &my_session_key, NULL); if (rc < 0) { + GNUTLS_FIPS140_SET_STRICT_MODE(); status = gnutls_error_to_ntstatus(rc, NT_STATUS_CRYPTO_SYSTEM_INVALID); goto out; } @@ -1730,6 +1742,7 @@ static NTSTATUS get_trustdom_auth_blob(struct pipes_struct *p, auth_blob->data, auth_blob->length); gnutls_cipher_deinit(cipher_hnd); + GNUTLS_FIPS140_SET_STRICT_MODE(); if (rc < 0) { status = gnutls_error_to_ntstatus(rc, NT_STATUS_CRYPTO_SYSTEM_INVALID); goto out;