From: Andreas Schneider <asn@samba.org>
Date: Wed, 15 May 2019 06:46:56 +0000 (+0200)
Subject: s4:samdb: Do not create WDdigests for HTTP if weak crypto is disabled
X-Git-Tag: ldb-2.2.0~970
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=ecdd17c53665d6076e63f748b19a962c67e41d01;p=thirdparty%2Fsamba.git

s4:samdb: Do not create WDdigests for HTTP if weak crypto is disabled

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
---

diff --git a/source4/dsdb/samdb/ldb_modules/password_hash.c b/source4/dsdb/samdb/ldb_modules/password_hash.c
index ffd48da616e..287f79541bf 100644
--- a/source4/dsdb/samdb/ldb_modules/password_hash.c
+++ b/source4/dsdb/samdb/ldb_modules/password_hash.c
@@ -47,8 +47,9 @@
 #include "lib/krb5_wrap/krb5_samba.h"
 #include "auth/common_auth.h"
 #include "lib/messaging/messaging.h"
+#include "lib/param/loadparm.h"
 
-#include <gnutls/gnutls.h>
+#include "lib/crypto/gnutls_helpers.h"
 #include <gnutls/crypto.h>
 
 #ifdef ENABLE_GPGME
@@ -1792,11 +1793,14 @@ static int setup_supplemental_field(struct setup_password_fields_io *io)
 	bool do_newer_keys = false;
 	bool do_cleartext = false;
 	bool do_samba_gpg = false;
+	struct loadparm_context *lp_ctx = NULL;
 
 	ZERO_STRUCT(names);
 	ZERO_STRUCT(packages);
 
 	ldb = ldb_module_get_ctx(io->ac->module);
+	lp_ctx = talloc_get_type(ldb_get_opaque(ldb, "loadparm"),
+				 struct loadparm_context);
 
 	if (!io->n.cleartext_utf8) {
 		/*
@@ -1922,7 +1926,7 @@ static int setup_supplemental_field(struct setup_password_fields_io *io)
 		num_packages++;
 	}
 
-	{
+	if (lpcfg_weak_crypto(lp_ctx) == SAMBA_WEAK_CRYPTO_ALLOWED) {
 		/*
 		 * setup 'Primary:WDigest' element
 		 */