From 6ada071d6208addcff21bbbba4f757ac2e63e66f Mon Sep 17 00:00:00 2001 From: Andreas Schneider Date: Wed, 11 Dec 2019 17:45:39 +0100 Subject: gensec: Add a check if a gensec module implements weak crypto Signed-off-by: Andreas Schneider Reviewed-by: Andrew Bartlett --- auth/gensec/gensec_internal.h | 1 + auth/gensec/gensec_start.c | 13 ++++++++++++- 2 files changed, 13 insertions(+), 1 deletion(-) (limited to 'auth') diff --git a/auth/gensec/gensec_internal.h b/auth/gensec/gensec_internal.h index 911b48b52d6..8efb1bdff0f 100644 --- a/auth/gensec/gensec_internal.h +++ b/auth/gensec/gensec_internal.h @@ -28,6 +28,7 @@ struct gensec_security; struct gensec_security_ops { const char *name; const char *sasl_name; + bool weak_crypto; uint8_t auth_type; /* 0 if not offered on DCE-RPC */ const char **oid; /* NULL if not offered by SPNEGO */ NTSTATUS (*client_start)(struct gensec_security *gensec_security); diff --git a/auth/gensec/gensec_start.c b/auth/gensec/gensec_start.c index 50f4de73110..d2d62d6652e 100644 --- a/auth/gensec/gensec_start.c +++ b/auth/gensec/gensec_start.c @@ -32,6 +32,7 @@ #include "lib/util/tsort.h" #include "lib/util/samba_modules.h" #include "lib/util/base64.h" +#include "lib/crypto/gnutls_helpers.h" #undef DBGC_CLASS #define DBGC_CLASS DBGC_AUTH @@ -49,7 +50,17 @@ _PUBLIC_ const struct gensec_security_ops * const *gensec_security_all(void) bool gensec_security_ops_enabled(const struct gensec_security_ops *ops, struct gensec_security *security) { - return lpcfg_parm_bool(security->settings->lp_ctx, NULL, "gensec", ops->name, ops->enabled); + bool ok = lpcfg_parm_bool(security->settings->lp_ctx, + NULL, + "gensec", + ops->name, + ops->enabled); + + if (!samba_gnutls_weak_crypto_allowed() && ops->weak_crypto) { + ok = false; + } + + return ok; } /* Sometimes we want to force only kerberos, sometimes we want to -- cgit v1.2.1