CVE-2022-38023 s4:rpc_server/netlogon: require aes if weak crypto is disabled

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org>
author: Stefan Metzmacher <metze@samba.org> 2022-11-25 10:10:33 +0100
committer: Stefan Metzmacher <metze@samba.org> 2022-12-13 13:07:29 +0000
commit: 4c7f84798acd1e3218209d66d1a92e9f42954d51 (patch)
tree: e42c92531edd38ce33615cd8a11a06ca3f0a81ef /source4/rpc_server
parent: b6339fd1dcbe903e73efeea074ab0bd04ef83561 (diff)
download: samba-4c7f84798acd1e3218209d66d1a92e9f42954d51.tar.gz
1 files changed, 9 insertions, 0 deletions
diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c
index 82e3df055e7..51e8dd42cdc 100644
--- a/source4/rpc_server/netlogon/dcerpc_netlogon.c
+++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c
@@ -137,6 +137,15 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_check_downgrade(
 	bool reject_des_client = !allow_nt4_crypto;
 	bool reject_md5_client = lpcfg_reject_md5_clients(lp_ctx);
 
+	/*
+	 * If weak cryto is disabled, do not announce that we support RC4.
+	 */
+	if (lpcfg_weak_crypto(lp_ctx) == SAMBA_WEAK_CRYPTO_DISALLOWED) {
+		/* Without RC4 and DES we require AES */
+		reject_des_client = true;
+		reject_md5_client = true;
+	}
+
 	if (negotiate_flags & NETLOGON_NEG_STRONG_KEYS) {
 		reject_des_client = false;
 	}
author	Stefan Metzmacher <metze@samba.org>	2022-11-25 10:10:33 +0100
committer	Stefan Metzmacher <metze@samba.org>	2022-12-13 13:07:29 +0000
commit	4c7f84798acd1e3218209d66d1a92e9f42954d51 (patch)
tree	e42c92531edd38ce33615cd8a11a06ca3f0a81ef /source4/rpc_server
parent	b6339fd1dcbe903e73efeea074ab0bd04ef83561 (diff)
download	samba-4c7f84798acd1e3218209d66d1a92e9f42954d51.tar.gz