From: Stefan Metzmacher Date: Thu, 10 Oct 2024 10:34:33 +0000 (+0200) Subject: s3:rpc_server/netlogon: if we require AES there's no need to remove the ARCFOUR flag X-Git-Tag: tdb-1.4.13~835 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e5bc5ee3e04138b10c0630640469a08fad847e56;p=thirdparty%2Fsamba.git s3:rpc_server/netlogon: if we require AES there's no need to remove the ARCFOUR flag With SAMBA_WEAK_CRYPTO_DISALLOWED we will return DOWNGRADE_DETECTED with negotiate_flags = 0, if AES was not negotiated... And if AES was negotiated there's no harm in returning the ARCFOUR flag... BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425 Signed-off-by: Stefan Metzmacher Reviewed-by: Douglas Bagnall --- diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c index f9d3dcca6b0..4a258874d16 100644 --- a/source3/rpc_server/netlogon/srv_netlog_nt.c +++ b/source3/rpc_server/netlogon/srv_netlog_nt.c @@ -927,6 +927,18 @@ NTSTATUS _netr_ServerAuthenticate3(struct pipes_struct *p, NETLOGON_NEG_SUPPORTS_AES | NETLOGON_NEG_SCHANNEL; + /* + * With SAMBA_WEAK_CRYPTO_DISALLOWED we will return DOWNGRADE_DETECTED + * with negotiate_flags = 0 below, if NETLOGON_NEG_SUPPORTS_AES was not + * negotiated... + * + * And if NETLOGON_NEG_SUPPORTS_AES was negotiated there's no harm in + * returning the NETLOGON_NEG_ARCFOUR flag too... + * + * So there's no reason to remove NETLOGON_NEG_ARCFOUR nor + * NETLOGON_NEG_STRONG_KEYS from srv_flgs... + */ + /* * Support authentication of trusted domains. * @@ -940,13 +952,6 @@ NTSTATUS _netr_ServerAuthenticate3(struct pipes_struct *p, NETLOGON_NEG_NEUTRALIZE_NT4_EMULATION; } - /* - * If weak crypto is disabled, do not announce that we support RC4. - */ - if (lp_weak_crypto() == SAMBA_WEAK_CRYPTO_DISALLOWED) { - srv_flgs &= ~NETLOGON_NEG_ARCFOUR; - } - neg_flags = in_neg_flags & srv_flgs; switch (dce_call->pkt.u.request.opnum) {
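Review bot: the comment added in the first hunk (@@ -927,6 +927,18) rests its argument on a DOWNGRADE_DETECTED return "below", but it does not name the check, and that check is not part of this diff. Consider naming the condition or code path that enforces NETLOGON_NEG_SUPPORTS_AES, so that a later change to it is read together with this comment. The comment also says there is no reason to remove NETLOGON_NEG_STRONG_KEYS, yet the code removed in the second hunk only cleared NETLOGON_NEG_ARCFOUR and the commit message speaks only of ARCFOUR. Either drop the STRONG_KEYS mention or state why it belongs here.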
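Review bot: the second hunk (@@ -940,13 +952,6) makes the later AES check the only thing that rejects RC4-only clients, and the patch adds no test for that path. Once the `srv_flgs &= ~NETLOGON_NEG_ARCFOUR;` block is gone, `neg_flags = in_neg_flags & srv_flgs;` can carry NETLOGON_NEG_ARCFOUR even when lp_weak_crypto() == SAMBA_WEAK_CRYPTO_DISALLOWED. Suggest a test in which a client offers NETLOGON_NEG_ARCFOUR without NETLOGON_NEG_SUPPORTS_AES under that setting and must receive DOWNGRADE_DETECTED with negotiate_flags = 0. It would also help to say in the commit message that the returned flags can now include the ARCFOUR bit on a server that disallows weak crypto, since anyone auditing negotiated flags will see it set.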