1524bc
From 00351ef5dd8fb5ab1d036850a99d7dee07dadca1 Mon Sep 17 00:00:00 2001
1524bc
From: Andreas Schneider <asn@samba.org>
1524bc
Date: Fri, 15 Nov 2019 13:49:40 +0100
1524bc
Subject: [PATCH 200/208] s4:rpc_server: Allow to use RC4 for setting passwords
1524bc
1524bc
Signed-off-by: Andreas Schneider <asn@samba.org>
1524bc
---
1524bc
 source4/rpc_server/samr/samr_password.c | 7 +++++++
1524bc
 1 file changed, 7 insertions(+)
1524bc
1524bc
diff --git a/source4/rpc_server/samr/samr_password.c b/source4/rpc_server/samr/samr_password.c
1524bc
index fba236ebdd7..e5e339842b1 100644
1524bc
--- a/source4/rpc_server/samr/samr_password.c
1524bc
+++ b/source4/rpc_server/samr/samr_password.c
1524bc
@@ -618,6 +618,11 @@ NTSTATUS samr_set_password(struct dcesrv_call_state *dce_call,
1524bc
 		.size = session_key.length,
1524bc
 	};
1524bc
 
1524bc
+	/*
1524bc
+	 * This is safe to support as we only have a session key
1524bc
+	 * over a SMB connection which we force to be encrypted.
1524bc
+	 */
1524bc
+	GNUTLS_FIPS140_SET_LAX_MODE();
1524bc
 	rc = gnutls_cipher_init(&cipher_hnd,
1524bc
 				GNUTLS_CIPHER_ARCFOUR_128,
1524bc
 				&_session_key,
1524bc
@@ -635,6 +640,7 @@ NTSTATUS samr_set_password(struct dcesrv_call_state *dce_call,
1524bc
 		nt_status = gnutls_error_to_ntstatus(rc, NT_STATUS_CRYPTO_SYSTEM_INVALID);
1524bc
 		goto out;
1524bc
 	}
1524bc
+	GNUTLS_FIPS140_SET_STRICT_MODE();
1524bc
 
1524bc
 	if (!extract_pw_from_buffer(mem_ctx, pwbuf->data, &new_password)) {
1524bc
 		DEBUG(3,("samr: failed to decode password buffer\n"));
1524bc
@@ -655,6 +661,7 @@ NTSTATUS samr_set_password(struct dcesrv_call_state *dce_call,
1524bc
 				       NULL,
1524bc
 				       NULL);
1524bc
 out:
1524bc
+	GNUTLS_FIPS140_SET_STRICT_MODE();
1524bc
 	return nt_status;
1524bc
 }
1524bc
 
1524bc
-- 
1524bc
2.23.0
1524bc