libcli/auth: if we require aes we don't need to require arcfour nor strong key
authorStefan Metzmacher <metze@samba.org>
Thu, 10 Oct 2024 10:31:18 +0000 (12:31 +0200)
committerJule Anger <janger@samba.org>
Wed, 13 Nov 2024 10:39:11 +0000 (10:39 +0000)
But we can send arcfour and strong key on the wire and don't need to
remove them from the proposed flags.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit 3da40f1c6818550eb08a6d7d680c213c3f1d0649)

libcli/auth/netlogon_creds_cli.c

index 1a19662075111c28f763b1d5a9f4189fd38bff65..f4b3560f42ceb5fcbb71843db5e459293626a5e0 100644 (file)
@@ -502,14 +502,16 @@ NTSTATUS netlogon_creds_cli_context_global(struct loadparm_context *lp_ctx,
         * require AES.
         */
        if (lpcfg_weak_crypto(lp_ctx) == SAMBA_WEAK_CRYPTO_DISALLOWED) {
-               required_flags &= ~NETLOGON_NEG_ARCFOUR;
                required_flags |= NETLOGON_NEG_SUPPORTS_AES;
-               proposed_flags &= ~NETLOGON_NEG_ARCFOUR;
-               proposed_flags |= NETLOGON_NEG_SUPPORTS_AES;
        }
 
        proposed_flags |= required_flags;
 
+       if (required_flags & NETLOGON_NEG_SUPPORTS_AES) {
+               required_flags &= ~NETLOGON_NEG_ARCFOUR;
+               required_flags &= ~NETLOGON_NEG_STRONG_KEYS;
+       }
+
        if (seal_secure_channel) {
                auth_level = DCERPC_AUTH_LEVEL_PRIVACY;
        } else {
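Review bot: The added `if (required_flags & NETLOGON_NEG_SUPPORTS_AES)` block has no comment, and it depends on running after `proposed_flags |= required_flags;`. If it were moved above that merge, arcfour and strong keys could be left out of the proposal without anyone noticing. I would put a comment above it such as `/* AES supersedes arcfour and strong keys: still propose them on the wire, but only insist on AES. Must stay after the merge into proposed_flags. */`. With weak crypto disallowed, the client no longer strips NETLOGON_NEG_ARCFOUR from proposed_flags, so rejecting a server that does not negotiate AES rests on the required_flags comparison against the negotiated flags; that comparison is presumably made elsewhere and is not visible here, so a regression test for the non-AES server case would be worth adding. netlogon_creds_cli_context_global begins and ends outside this hunk.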