authorAndreas Schneider <asn@samba.org>2020-09-03 15:58:56 +0200
committerAndreas Schneider <asn@cryptomilk.org>2021-08-03 09:28:38 +0000
commitd6c7a2a7003a2c081aa1ed710a84941bc8f331bf (patch)
tree51f92d9e0a7c77606fa71fbc37d6d6e8f8309444 /libcli/auth
parent17cc20ebe602b619461efa215ac75fed8e0d6338 (diff)
netlogon:schannel: If weak crypto is disabled, do not announce RC4 support.
Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Diffstat (limited to 'libcli/auth')
-rw-r--r--libcli/auth/netlogon_creds_cli.c12
1 files changed, 12 insertions, 0 deletions
diff --git a/libcli/auth/netlogon_creds_cli.c b/libcli/auth/netlogon_creds_cli.c
index 12cb3149ff6..e78bc173968 100644
--- a/libcli/auth/netlogon_creds_cli.c
+++ b/libcli/auth/netlogon_creds_cli.c
@@ -39,6 +39,7 @@
#include "libds/common/roles.h"
#include "lib/crypto/md4.h"
#include "auth/credentials/credentials.h"
+#include "lib/param/loadparm.h"
struct netlogon_creds_cli_locked_state;
@@ -414,6 +415,17 @@ NTSTATUS netlogon_creds_cli_context_global(struct loadparm_context *lp_ctx,
required_flags |= NETLOGON_NEG_AUTHENTICATED_RPC;
}
+ /*
+ * If weak crypto is disabled, do not announce that we support RC4 and
+ * require AES.
+ */
+ if (lpcfg_weak_crypto(lp_ctx) == SAMBA_WEAK_CRYPTO_DISALLOWED) {
+ required_flags &= ~NETLOGON_NEG_ARCFOUR;
+ required_flags |= NETLOGON_NEG_SUPPORTS_AES;
+ proposed_flags &= ~NETLOGON_NEG_ARCFOUR;
+ proposed_flags |= NETLOGON_NEG_SUPPORTS_AES;
+ }
+
proposed_flags |= required_flags;
if (seal_secure_channel) {
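Review bot: The comment above the `lpcfg_weak_crypto(lp_ctx) == SAMBA_WEAK_CRYPTO_DISALLOWED` block reads ambiguously ("do not announce that we support RC4 and require AES" can be parsed as negating both halves) and does not state the operational consequence. I would reword it to `/* Weak crypto is disallowed: stop offering RC4 and make AES mandatory, so a DC without AES support can no longer establish the secure channel. */`. Because the policy is applied silently, a setup that fails against such a DC gives the administrator no hint about the cause; whether a later failure path reports it is not visible here, so a line such as `DBG_INFO("weak crypto disallowed: requiring AES for netlogon schannel\n");` inside the block would help. The `proposed_flags |= NETLOGON_NEG_SUPPORTS_AES;` line is redundant with the `proposed_flags |= required_flags;` that follows. netlogon_creds_cli_context_global starts and ends outside the hunk.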