author | Andreas Schneider <asn@samba.org> | 2020-09-03 15:58:56 +0200 |
---|---|---|
committer | Andreas Schneider <asn@cryptomilk.org> | 2021-08-03 09:28:38 +0000 |
commit | d6c7a2a7003a2c081aa1ed710a84941bc8f331bf (patch) | |
tree | 51f92d9e0a7c77606fa71fbc37d6d6e8f8309444 /libcli/auth | |
parent | 17cc20ebe602b619461efa215ac75fed8e0d6338 (diff) | |
netlogon:schannel: If weak crypto is disabled, do not announce RC4 support.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Diffstat (limited to 'libcli/auth')
-rw-r--r-- | libcli/auth/netlogon_creds_cli.c | 12 |
1 files changed, 12 insertions, 0 deletions
diff --git a/libcli/auth/netlogon_creds_cli.c b/libcli/auth/netlogon_creds_cli.c
index 12cb3149ff6..e78bc173968 100644
--- a/libcli/auth/netlogon_creds_cli.c
+++ b/libcli/auth/netlogon_creds_cli.c
@@ -39,6 +39,7 @@
 #include "libds/common/roles.h"
 #include "lib/crypto/md4.h"
 #include "auth/credentials/credentials.h"
+#include "lib/param/loadparm.h"
 struct netlogon_creds_cli_locked_state;
@@ -414,6 +415,17 @@ NTSTATUS netlogon_creds_cli_context_global(struct loadparm_context *lp_ctx,
 required_flags |= NETLOGON_NEG_AUTHENTICATED_RPC;
 }
+ /*
+ * If weak crypto is disabled, do not announce that we support RC4 and
+ * require AES.
+ */
+ if (lpcfg_weak_crypto(lp_ctx) == SAMBA_WEAK_CRYPTO_DISALLOWED) {
+ required_flags &= ~NETLOGON_NEG_ARCFOUR;
+ required_flags |= NETLOGON_NEG_SUPPORTS_AES;
+ proposed_flags &= ~NETLOGON_NEG_ARCFOUR;
+ proposed_flags |= NETLOGON_NEG_SUPPORTS_AES;
+ }
+
 proposed_flags |= required_flags;
 if (seal_secure_channel) { |
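Review bot: The RC4 removal in the new `if (lpcfg_weak_crypto(lp_ctx) == SAMBA_WEAK_CRYPTO_DISALLOWED)` block only holds if nothing later in netlogon_creds_cli_context_global sets `NETLOGON_NEG_ARCFOUR` again, and the function continues past the hunk (from `if (seal_secure_channel) {` onward), so this cannot be confirmed from the visible lines. Placing the block before `proposed_flags |= required_flags;` is the right order, since an ARCFOUR bit left in `required_flags` would otherwise be merged back into the proposal. The comment is ambiguous as written, because it can be read as "do not ... require AES"; `/* If weak crypto is disabled, do not announce RC4 support; require AES instead. */` says what the code does. With `NETLOGON_NEG_SUPPORTS_AES` now in `required_flags`, a peer that offers only RC4 will presumably fail negotiation, so a test for that case would pin the downgrade protection and make the failure mode against legacy servers explicit.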