From 28a7372c58d35a1d9e4b7bbcac14549b637e36bd Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher
Date: Thu, 10 Oct 2024 12:31:18 +0200
Subject: [PATCH] libcli/auth: if we require aes we don't need to require arcfour nor strong key

But we can send arcfour and strong key on the wire and don't need to remove them from the proposed flags.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher
Reviewed-by: Douglas Bagnall
(cherry picked from commit 3da40f1c6818550eb08a6d7d680c213c3f1d0649)
---
 libcli/auth/netlogon_creds_cli.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/libcli/auth/netlogon_creds_cli.c b/libcli/auth/netlogon_creds_cli.c
index 1a196620751..f4b3560f42c 100644
--- a/libcli/auth/netlogon_creds_cli.c
+++ b/libcli/auth/netlogon_creds_cli.c
@@ -502,14 +502,16 @@ NTSTATUS netlogon_creds_cli_context_global(struct loadparm_context *lp_ctx,
 * require AES.
 */
 if (lpcfg_weak_crypto(lp_ctx) == SAMBA_WEAK_CRYPTO_DISALLOWED) {
- required_flags &= ~NETLOGON_NEG_ARCFOUR;
 required_flags |= NETLOGON_NEG_SUPPORTS_AES;
- proposed_flags &= ~NETLOGON_NEG_ARCFOUR;
- proposed_flags |= NETLOGON_NEG_SUPPORTS_AES;
 }

 proposed_flags |= required_flags;

+ if (required_flags & NETLOGON_NEG_SUPPORTS_AES) {
+ required_flags &= ~NETLOGON_NEG_ARCFOUR;
+ required_flags &= ~NETLOGON_NEG_STRONG_KEYS;
+ }
+
 if (seal_secure_channel) {
 auth_level = DCERPC_AUTH_LEVEL_PRIVACY;
 } else {
-- 
2.47.2
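Review bot: The added `if (required_flags & NETLOGON_NEG_SUPPORTS_AES)` block has no comment, yet its placement after `proposed_flags |= required_flags;` is what keeps ARCFOUR and STRONG_KEYS in the proposal while dropping them from the requirement. I would add something like `/* AES supersedes ARCFOUR and STRONG_KEYS: keep proposing them on the wire, but do not require the server to return them. */` above it so a later reorder does not silently change the negotiation. Because ARCFOUR is now still advertised when weak crypto is disallowed, rejecting a non-AES result appears to rest entirely on the comparison of the negotiated flags against `required_flags`, which is not visible in this hunk. It is worth confirming that a test covers a server reply that omits `NETLOGON_NEG_SUPPORTS_AES`. The body of `netlogon_creds_cli_context_global` starts and ends outside the hunk.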