From: Andreas Schneider <asn@samba.org>
Date: Thu, 20 Aug 2020 11:51:39 +0000 (+0200)
Subject: s4:rpc_server: Allow to use RC4 for creating trusts
X-Git-Tag: talloc-2.3.2~23
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=c75dd1ea178325b8f65343cb5c35bb93f43a49a3;p=thirdparty%2Fsamba.git

s4:rpc_server: Allow to use RC4 for creating trusts

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
---

diff --git a/source4/rpc_server/lsa/dcesrv_lsa.c b/source4/rpc_server/lsa/dcesrv_lsa.c
index 009e1189548..15b068aec62 100644
--- a/source4/rpc_server/lsa/dcesrv_lsa.c
+++ b/source4/rpc_server/lsa/dcesrv_lsa.c
@@ -34,6 +34,8 @@
 #include "lib/messaging/irpc.h"
 #include "libds/common/roles.h"
 #include "lib/util/smb_strtox.h"
+#include "lib/param/loadparm.h"
+#include "librpc/rpc/dcerpc_helper.h"
 
 #include "lib/crypto/gnutls_helpers.h"
 #include <gnutls/gnutls.h>
@@ -872,6 +874,19 @@ static NTSTATUS get_trustdom_auth_blob(struct dcesrv_call_state *dce_call,
 	gnutls_cipher_hd_t cipher_hnd = NULL;
 	gnutls_datum_t _session_key;
 	int rc;
+	struct auth_session_info *session_info =
+		dcesrv_call_session_info(dce_call);
+	struct loadparm_context *lp_ctx = dce_call->conn->dce_ctx->lp_ctx;
+	bool encrypted;
+
+	encrypted =
+		dcerpc_is_transport_encrypted(session_info);
+	if (lpcfg_weak_crypto(lp_ctx) == SAMBA_WEAK_CRYPTO_DISALLOWED &&
+	    !encrypted) {
+		DBG_ERR("Transport isn't encrypted and weak crypto disallowed!\n");
+		return NT_STATUS_ACCESS_DENIED;
+	}
+
 
 	nt_status = dcesrv_transport_session_key(dce_call, &session_key);
 	if (!NT_STATUS_IS_OK(nt_status)) {
@@ -883,11 +898,13 @@ static NTSTATUS get_trustdom_auth_blob(struct dcesrv_call_state *dce_call,
 		.size = session_key.length,
 	};
 
+	GNUTLS_FIPS140_SET_LAX_MODE();
 	rc = gnutls_cipher_init(&cipher_hnd,
 				GNUTLS_CIPHER_ARCFOUR_128,
 				&_session_key,
 				NULL);
 	if (rc < 0) {
+		GNUTLS_FIPS140_SET_STRICT_MODE();
 		nt_status = gnutls_error_to_ntstatus(rc, NT_STATUS_CRYPTO_SYSTEM_INVALID);
 		goto out;
 	}
@@ -896,6 +913,7 @@ static NTSTATUS get_trustdom_auth_blob(struct dcesrv_call_state *dce_call,
 				   auth_blob->data,
 				   auth_blob->length);
 	gnutls_cipher_deinit(cipher_hnd);
+	GNUTLS_FIPS140_SET_STRICT_MODE();
 	if (rc < 0) {
 		nt_status = gnutls_error_to_ntstatus(rc, NT_STATUS_CRYPTO_SYSTEM_INVALID);
 		goto out;