From: Andreas Schneider Date: Wed, 11 Dec 2019 16:45:39 +0000 (+0100) Subject: gensec: Add a check if a gensec module implements weak crypto X-Git-Tag: ldb-2.2.0~1387 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=6ada071d6208addcff21bbbba4f757ac2e63e66f;p=thirdparty%2Fsamba.git gensec: Add a check if a gensec module implements weak crypto Signed-off-by: Andreas Schneider Reviewed-by: Andrew Bartlett --- diff --git a/auth/gensec/gensec_internal.h b/auth/gensec/gensec_internal.h index 911b48b52d6..8efb1bdff0f 100644 --- a/auth/gensec/gensec_internal.h +++ b/auth/gensec/gensec_internal.h @@ -28,6 +28,7 @@ struct gensec_security; struct gensec_security_ops { const char *name; const char *sasl_name; + bool weak_crypto; uint8_t auth_type; /* 0 if not offered on DCE-RPC */ const char **oid; /* NULL if not offered by SPNEGO */ NTSTATUS (*client_start)(struct gensec_security *gensec_security); diff --git a/auth/gensec/gensec_start.c b/auth/gensec/gensec_start.c index 50f4de73110..d2d62d6652e 100644 --- a/auth/gensec/gensec_start.c +++ b/auth/gensec/gensec_start.c @@ -32,6 +32,7 @@ #include "lib/util/tsort.h" #include "lib/util/samba_modules.h" #include "lib/util/base64.h" +#include "lib/crypto/gnutls_helpers.h" #undef DBGC_CLASS #define DBGC_CLASS DBGC_AUTH @@ -49,7 +50,17 @@ _PUBLIC_ const struct gensec_security_ops * const *gensec_security_all(void) bool gensec_security_ops_enabled(const struct gensec_security_ops *ops, struct gensec_security *security) { - return lpcfg_parm_bool(security->settings->lp_ctx, NULL, "gensec", ops->name, ops->enabled); + bool ok = lpcfg_parm_bool(security->settings->lp_ctx, + NULL, + "gensec", + ops->name, + ops->enabled); + + if (!samba_gnutls_weak_crypto_allowed() && ops->weak_crypto) { + ok = false; + } + + return ok; } /* Sometimes we want to force only kerberos, sometimes we want to