From 92fc4f2b6832cdaced71bf3e3afb33cae6f71a44 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher
Date: Thu, 10 Oct 2024 12:34:33 +0200
Subject: [PATCH] s4:rpc_server/netlogon: if we require AES there's no need to remove the ARCFOUR flag
With SAMBA_WEAK_CRYPTO_DISALLOWED dcesrv_netr_ServerAuthenticate3_check_downgrade() will return DOWNGRADE_DETECTED with negotiate_flags = 0, if AES was not negotiated... And if AES was negotiated there's no harm in returning the ARCFOUR flag...
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425
Signed-off-by: Stefan Metzmacher
Reviewed-by: Douglas Bagnall
(cherry picked from commit a0bc372dee68ad255da005d2e2078da754bbef2a)
---
 source4/rpc_server/netlogon/dcerpc_netlogon.c | 15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)
diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c
index 457af26fb5c..6a1740dc83e 100644
--- a/source4/rpc_server/netlogon/dcerpc_netlogon.c
+++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c
@@ -497,12 +497,17 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_helper(
 NETLOGON_NEG_AUTHENTICATED_RPC;
 /*
- * If weak crypto is disabled, do not announce that we support RC4.
+ * With SAMBA_WEAK_CRYPTO_DISALLOWED
+ * dcesrv_netr_ServerAuthenticate3_check_downgrade() will return
+ * DOWNGRADE_DETECTED with negotiate_flags = 0,
+ * if NETLOGON_NEG_SUPPORTS_AES was not negotiated...
+ *
+ * And if NETLOGON_NEG_SUPPORTS_AES was negotiated there's no harm in
+ * returning the NETLOGON_NEG_ARCFOUR flag too...
+ *
+ * So there's no reason to remove NETLOGON_NEG_ARCFOUR nor
+ * NETLOGON_NEG_STRONG_KEYS from server_flags...
 */
- if (lpcfg_weak_crypto(dce_call->conn->dce_ctx->lp_ctx) ==
- SAMBA_WEAK_CRYPTO_DISALLOWED) {
- server_flags &= ~NETLOGON_NEG_ARCFOUR;
- }
 negotiate_flags = *r->in.negotiate_flags & server_flags;
-- 
2.47.2
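Review bot: Advertising NETLOGON_NEG_ARCFOUR under SAMBA_WEAK_CRYPTO_DISALLOWED is only safe while dcesrv_netr_ServerAuthenticate3_check_downgrade() really rejects every negotiation that lacks NETLOGON_NEG_SUPPORTS_AES, and that function is outside this hunk, so nothing in the new code enforces the invariant the replacement comment describes; `server_flags` is now handed to the `negotiate_flags = *r->in.negotiate_flags & server_flags;` line with RC4 always present. A maintainer who later relaxes the downgrade check would silently re-enable RC4 here, so the comment should name the dependency explicitly, e.g. `* Keep this in sync with dcesrv_netr_ServerAuthenticate3_check_downgrade(): that check, not server_flags, is what enforces SAMBA_WEAK_CRYPTO_DISALLOWED.`, and the change deserves a regression test that runs ServerAuthenticate3 with weak crypto disallowed and a client flag set without NETLOGON_NEG_SUPPORTS_AES and asserts the downgrade rejection. The comment also says NETLOGON_NEG_STRONG_KEYS is no longer removed, yet the deleted lines only ever cleared NETLOGON_NEG_ARCFOUR, so that sentence reads as describing code that is not in this hunk and should either be dropped or point at where STRONG_KEYS was cleared. dcesrv_netr_ServerAuthenticate3_helper() starts and ends outside the hunk.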