diff options
author | Andreas Schneider <asn@samba.org> | 2019-12-11 17:45:39 +0100 |
---|---|---|
committer | Andrew Bartlett <abartlet@samba.org> | 2020-03-19 20:46:41 +0000 |
commit | 6ada071d6208addcff21bbbba4f757ac2e63e66f (patch) | |
tree | 3304319b50e4feb644e2030946061ba6c51c57b4 /auth | |
parent | 7d09c1cc8771d0822480f90b77b9f883d67b5658 (diff) | |
download | samba-6ada071d6208addcff21bbbba4f757ac2e63e66f.tar.gz |
gensec: Add a check if a gensec module implements weak crypto
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Diffstat (limited to 'auth')
-rw-r--r-- | auth/gensec/gensec_internal.h | 1 | ||||
-rw-r--r-- | auth/gensec/gensec_start.c | 13 |
2 files changed, 13 insertions, 1 deletions
diff --git a/auth/gensec/gensec_internal.h b/auth/gensec/gensec_internal.h index 911b48b52d6..8efb1bdff0f 100644 --- a/auth/gensec/gensec_internal.h +++ b/auth/gensec/gensec_internal.h @@ -28,6 +28,7 @@ struct gensec_security; struct gensec_security_ops { const char *name; const char *sasl_name; + bool weak_crypto; uint8_t auth_type; /* 0 if not offered on DCE-RPC */ const char **oid; /* NULL if not offered by SPNEGO */ NTSTATUS (*client_start)(struct gensec_security *gensec_security); diff --git a/auth/gensec/gensec_start.c b/auth/gensec/gensec_start.c index 50f4de73110..d2d62d6652e 100644 --- a/auth/gensec/gensec_start.c +++ b/auth/gensec/gensec_start.c @@ -32,6 +32,7 @@ #include "lib/util/tsort.h" #include "lib/util/samba_modules.h" #include "lib/util/base64.h" +#include "lib/crypto/gnutls_helpers.h" #undef DBGC_CLASS #define DBGC_CLASS DBGC_AUTH @@ -49,7 +50,17 @@ _PUBLIC_ const struct gensec_security_ops * const *gensec_security_all(void) bool gensec_security_ops_enabled(const struct gensec_security_ops *ops, struct gensec_security *security) { - return lpcfg_parm_bool(security->settings->lp_ctx, NULL, "gensec", ops->name, ops->enabled); + bool ok = lpcfg_parm_bool(security->settings->lp_ctx, + NULL, + "gensec", + ops->name, + ops->enabled); + + if (!samba_gnutls_weak_crypto_allowed() && ops->weak_crypto) { + ok = false; + } + + return ok; } /* Sometimes we want to force only kerberos, sometimes we want to |