From 00351ef5dd8fb5ab1d036850a99d7dee07dadca1 Mon Sep 17 00:00:00 2001

From: Andreas Schneider <asn@samba.org>

Date: Fri, 15 Nov 2019 13:49:40 +0100

Subject: [PATCH 200/208] s4:rpc_server: Allow to use RC4 for setting passwords

Signed-off-by: Andreas Schneider <asn@samba.org>

---

 source4/rpc_server/samr/samr_password.c | 7 +++++++

 1 file changed, 7 insertions(+)

diff --git a/source4/rpc_server/samr/samr_password.c b/source4/rpc_server/samr/samr_password.c

index fba236ebdd7..e5e339842b1 100644

--- a/source4/rpc_server/samr/samr_password.c

+++ b/source4/rpc_server/samr/samr_password.c

@@ -618,6 +618,11 @@ NTSTATUS samr_set_password(struct dcesrv_call_state *dce_call,

 		.size = session_key.length,

 	};

+	/*

+	 * This is safe to support as we only have a session key

+	 * over a SMB connection which we force to be encrypted.

+	 */

+	GNUTLS_FIPS140_SET_LAX_MODE();

 	rc = gnutls_cipher_init(&cipher_hnd,

 				GNUTLS_CIPHER_ARCFOUR_128,

 				&_session_key,

@@ -635,6 +640,7 @@ NTSTATUS samr_set_password(struct dcesrv_call_state *dce_call,

 		nt_status = gnutls_error_to_ntstatus(rc, NT_STATUS_CRYPTO_SYSTEM_INVALID);

 		goto out;

 	}

+	GNUTLS_FIPS140_SET_STRICT_MODE();

 	if (!extract_pw_from_buffer(mem_ctx, pwbuf->data, &new_password)) {

 		DEBUG(3,("samr: failed to decode password buffer\n"));

@@ -655,6 +661,7 @@ NTSTATUS samr_set_password(struct dcesrv_call_state *dce_call,

 				       NULL,

 				       NULL);

 out:

+	GNUTLS_FIPS140_SET_STRICT_MODE();

 	return nt_status;

 }

-- 

2.23.0