From: Andreas Schneider
Date: Thu, 3 Sep 2020 13:58:56 +0000 (+0200)
Subject: netlogon:schannel: If weak crypto is disabled, do not announce RC4 support.
X-Git-Tag: ldb-2.5.0~1036
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=d6c7a2a7003a2c081aa1ed710a84941bc8f331bf;p=thirdparty%2Fsamba.git

netlogon:schannel: If weak crypto is disabled, do not announce RC4 support.

Signed-off-by: Andreas Schneider
Reviewed-by: Andrew Bartlett
---

diff --git a/libcli/auth/netlogon_creds_cli.c b/libcli/auth/netlogon_creds_cli.c
index 12cb3149ff6..e78bc173968 100644
--- a/libcli/auth/netlogon_creds_cli.c
+++ b/libcli/auth/netlogon_creds_cli.c
@@ -39,6 +39,7 @@
 #include "libds/common/roles.h"
 #include "lib/crypto/md4.h"
 #include "auth/credentials/credentials.h"
+#include "lib/param/loadparm.h"
 
 struct netlogon_creds_cli_locked_state;
 
@@ -414,6 +415,17 @@ NTSTATUS netlogon_creds_cli_context_global(struct loadparm_context *lp_ctx,
 		required_flags |= NETLOGON_NEG_AUTHENTICATED_RPC;
 	}
 
+	/*
+	 * If weak crypto is disabled, do not announce that we support RC4 and
+	 * require AES.
+	 */
+	if (lpcfg_weak_crypto(lp_ctx) == SAMBA_WEAK_CRYPTO_DISALLOWED) {
+		required_flags &= ~NETLOGON_NEG_ARCFOUR;
+		required_flags |= NETLOGON_NEG_SUPPORTS_AES;
+		proposed_flags &= ~NETLOGON_NEG_ARCFOUR;
+		proposed_flags |= NETLOGON_NEG_SUPPORTS_AES;
+	}
+
 	proposed_flags |= required_flags;
 
 	if (seal_secure_channel) {
diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c
index eaacd8dbc6a..51a5663b9da 100644
--- a/source3/rpc_server/netlogon/srv_netlog_nt.c
+++ b/source3/rpc_server/netlogon/srv_netlog_nt.c
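Review bot: `proposed_flags |= NETLOGON_NEG_SUPPORTS_AES;` inside the new `if` block is redundant, because the very next statement `proposed_flags |= required_flags;` already folds the AES bit just added to required_flags into proposed_flags; only the `proposed_flags &= ~NETLOGON_NEG_ARCFOUR;` line does independent work there, so the block can shrink to three assignments. The comment could also spell out the consequence of putting NETLOGON_NEG_SUPPORTS_AES into required_flags, since that presumably causes a DC that does not return AES in its negotiate flags to fail the exchange (enforced wherever required_flags is compared with the DC's reply, outside this hunk): `* A DC that does not negotiate AES is rejected, because AES is now a required flag.` netlogon_creds_cli_context_global starts and ends outside the hunk.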
@@ -910,6 +910,13 @@ NTSTATUS _netr_ServerAuthenticate3(struct pipes_struct *p,
 			NETLOGON_NEG_NEUTRALIZE_NT4_EMULATION;
 	}
 
+	/*
+	 * If weak cryto is disabled, do not announce that we support RC4.
+	 */
+	if (lp_weak_crypto() == SAMBA_WEAK_CRYPTO_DISALLOWED) {
+		srv_flgs &= ~NETLOGON_NEG_ARCFOUR;
+	}
+
 	switch (p->opnum) {
 	case NDR_NETR_SERVERAUTHENTICATE:
 		fn = "_netr_ServerAuthenticate";
diff --git a/source4/librpc/rpc/dcerpc_schannel.c b/source4/librpc/rpc/dcerpc_schannel.c
index d12647222eb..68bc3b34e24 100644
--- a/source4/librpc/rpc/dcerpc_schannel.c
+++ b/source4/librpc/rpc/dcerpc_schannel.c
@@ -31,6 +31,7 @@
 #include "auth/credentials/credentials.h"
 #include "librpc/rpc/dcerpc_proto.h"
 #include "param/param.h"
+#include "lib/param/loadparm.h"
 
 struct schannel_key_state {
 	struct dcerpc_pipe *pipe;
@@ -346,6 +347,10 @@ static struct composite_context *dcerpc_schannel_key_send(TALLOC_CTX *mem_ctx,
 		s->local_negotiate_flags |= NETLOGON_NEG_RODC_PASSTHROUGH;
 	}
 
+	if (lpcfg_weak_crypto(lp_ctx) == SAMBA_WEAK_CRYPTO_DISALLOWED) {
+		s->local_negotiate_flags &= ~NETLOGON_NEG_ARCFOUR;
+	}
+
 	epm_creds = cli_credentials_init_anon(s);
 	if (composite_nomem(epm_creds, c)) return c;
 
diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c
index c87375c16a5..6860202a985 100644
--- a/source4/rpc_server/netlogon/dcerpc_netlogon.c
+++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c
@@ -44,6 +44,7 @@
 #include "lib/socket/netif.h"
 #include "rpc_server/common/sid_helper.h"
 #include "lib/util/util_str_escape.h"
+#include "lib/param/loadparm.h"
 
 #define DCESRV_INTERFACE_NETLOGON_BIND(context, iface) \
 	dcesrv_interface_netlogon_bind(context, iface)
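Review bot: Clearing NETLOGON_NEG_ARCFOUR from `srv_flgs` only changes what this DC advertises; a client that offers neither NETLOGON_NEG_ARCFOUR nor NETLOGON_NEG_SUPPORTS_AES still completes authentication, and as far as I recall the credentials code then falls back to the DES-based path for the non-AES, non-RC4 case, which is weaker than the RC4 this option is meant to rule out — worth confirming, unless a later check outside the hunk already rejects non-AES clients. Where `srv_flgs` is intersected with the client's flags (below the hunk), consider failing the exchange when weak crypto is disallowed and the negotiated set lacks AES, e.g. `if (lp_weak_crypto() == SAMBA_WEAK_CRYPTO_DISALLOWED && !(negotiate_flags & NETLOGON_NEG_SUPPORTS_AES)) { return NT_STATUS_DOWNGRADE_DETECTED; }` (the name of the negotiated-flags variable there may differ). The new comment also has a typo; it should read `* If weak crypto is disabled, do not announce that we support RC4.`. _netr_ServerAuthenticate3 starts and ends outside the hunk.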
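Review bot: This client-side change only clears NETLOGON_NEG_ARCFOUR from `s->local_negotiate_flags`, whereas the netlogon_creds_cli.c hunk in the same commit also sets NETLOGON_NEG_SUPPORTS_AES as both proposed and required; if `s->local_negotiate_flags` does not already carry the AES bit at this point (not visible in the hunk), the s4 client with weak crypto disallowed offers neither RC4 nor AES, and nothing in the hunk rejects a server whose reply lacks AES. Adding `s->local_negotiate_flags |= NETLOGON_NEG_SUPPORTS_AES;` inside the new `if`, and checking the server's returned flags for NETLOGON_NEG_SUPPORTS_AES where the reply is processed (outside the hunk), would make the two clients behave the same. A one-line comment like the other hunks', `/* If weak crypto is disabled, do not announce that we support RC4. */`, would also help here. dcerpc_schannel_key_send starts and ends outside the hunk.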
@@ -223,6 +224,14 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_helper(
 					   NETLOGON_NEG_AUTHENTICATED_RPC_LSASS |
 					   NETLOGON_NEG_AUTHENTICATED_RPC;
 
+	/*
+	 * If weak cryto is disabled, do not announce that we support RC4.
+	 */
+	if (lpcfg_weak_crypto(dce_call->conn->dce_ctx->lp_ctx) ==
+	    SAMBA_WEAK_CRYPTO_DISALLOWED) {
+		server_flags &= ~NETLOGON_NEG_ARCFOUR;
+	}
+
 	negotiate_flags = *r->in.negotiate_flags & server_flags;
 
 	if (negotiate_flags & NETLOGON_NEG_STRONG_KEYS) {
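Review bot: Removing NETLOGON_NEG_ARCFOUR from `server_flags` does not stop a client that offers neither RC4 nor AES from authenticating: `negotiate_flags = *r->in.negotiate_flags & server_flags;` just below simply ends up without either bit, and as far as I recall the credentials code then takes the DES-based path for that combination, which is weaker than the RC4 being disabled — worth confirming, unless a later check outside the hunk already rejects non-AES clients. Right after that intersection, when weak crypto is disallowed, the helper could refuse the downgrade: `if (... == SAMBA_WEAK_CRYPTO_DISALLOWED && !(negotiate_flags & NETLOGON_NEG_SUPPORTS_AES)) {` / `return NT_STATUS_DOWNGRADE_DETECTED;` / `}`, reusing the lpcfg_weak_crypto() result from the new block. The new comment has a typo; it should read `* If weak crypto is disabled, do not announce that we support RC4.`. dcesrv_netr_ServerAuthenticate3_helper starts and ends outside the hunk.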