From 00351ef5dd8fb5ab1d036850a99d7dee07dadca1 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Fri, 15 Nov 2019 13:49:40 +0100
Subject: [PATCH 200/208] s4:rpc_server: Allow to use RC4 for setting passwords
Signed-off-by: Andreas Schneider <asn@samba.org>
---
source4/rpc_server/samr/samr_password.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/source4/rpc_server/samr/samr_password.c b/source4/rpc_server/samr/samr_password.c
index fba236ebdd7..e5e339842b1 100644
--- a/source4/rpc_server/samr/samr_password.c
+++ b/source4/rpc_server/samr/samr_password.c
@@ -618,6 +618,11 @@ NTSTATUS samr_set_password(struct dcesrv_call_state *dce_call,
.size = session_key.length,
};
+ /*
+ * This is safe to support as we only have a session key
+ * over a SMB connection which we force to be encrypted.
+ */
+ GNUTLS_FIPS140_SET_LAX_MODE();
rc = gnutls_cipher_init(&cipher_hnd,
GNUTLS_CIPHER_ARCFOUR_128,
&_session_key,
@@ -635,6 +640,7 @@ NTSTATUS samr_set_password(struct dcesrv_call_state *dce_call,
nt_status = gnutls_error_to_ntstatus(rc, NT_STATUS_CRYPTO_SYSTEM_INVALID);
goto out;
}
+ GNUTLS_FIPS140_SET_STRICT_MODE();
if (!extract_pw_from_buffer(mem_ctx, pwbuf->data, &new_password)) {
DEBUG(3,("samr: failed to decode password buffer\n"));
@@ -655,6 +661,7 @@ NTSTATUS samr_set_password(struct dcesrv_call_state *dce_call,
NULL,
NULL);
out:
+ GNUTLS_FIPS140_SET_STRICT_MODE();
return nt_status;
}
--
2.23.0