lib/krb5_wrap: add smb_krb5_get_allowed_weak_crypto().
authorGünther Deschner <gd@samba.org>
Tue, 29 Apr 2014 16:14:05 +0000 (18:14 +0200)
committerAndrew Bartlett <abartlet@samba.org>
Fri, 8 Aug 2014 04:02:34 +0000 (06:02 +0200)
Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Pair-Programmed-With: Andreas Schneider <asn@samba.org>

lib/krb5_wrap/krb5_samba.c
lib/krb5_wrap/krb5_samba.h
source4/heimdal_build/wscript_configure
wscript_configure_system_mitkrb5

index df0db67f88cff65dd8a59b91eef3e3be5f870467..84a62a690614ba09a4f5e084c39413f784536bdf 100644 (file)
@@ -2405,6 +2405,59 @@ char *smb_get_krb5_error_message(krb5_context context,
        return ret;
 }
 
+
+/**
+* @brief Return the kerberos library setting for "libdefaults:allow_weak_crypto"
+*
+* @param context       The krb5_context
+*
+* @return krb5_boolean
+*
+* Function returns true if weak crypto is allowd, false if not
+*/
+
+krb5_boolean smb_krb5_get_allowed_weak_crypto(krb5_context context)
+#if defined(HAVE_KRB5_CONFIG_GET_BOOL_DEFAULT)
+{
+       return krb5_config_get_bool_default(context,
+                                           NULL,
+                                           FALSE,
+                                           "libdefaults",
+                                           "allow_weak_crypto",
+                                           NULL);
+}
+#elif defined(HAVE_PROFILE_H) && defined(HAVE_KRB5_GET_PROFILE)
+{
+#include <profile.h>
+       krb5_error_code ret;
+       krb5_boolean ret_default = false;
+       profile_t profile;
+       int ret_profile;
+
+       ret = krb5_get_profile(context,
+                              &profile);
+       if (ret) {
+               return ret_default;
+       }
+
+       ret = profile_get_boolean(profile,
+                                 "libdefaults",
+                                 "allow_weak_crypto",
+                                 NULL, /* subsubname */
+                                 ret_default, /* def_val */
+                                 &ret_profile /* *ret_default */);
+       if (ret) {
+               return ret_default;
+       }
+
+       profile_release(profile);
+
+       return ret_profile;
+}
+#else
+#error UNKNOWN_KRB5_CONFIG_ROUTINES
+#endif
+
 #else /* HAVE_KRB5 */
  /* this saves a few linking headaches */
  int cli_krb5_get_ticket(TALLOC_CTX *mem_ctx,
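Review bot: The MIT branch of `smb_krb5_get_allowed_weak_crypto()` leaks the profile handle when `profile_get_boolean()` fails, because the second `if (ret) { return ret_default; }` returns before `profile_release(profile)` is reached. Release the handle first by moving `profile_release(profile);` to directly after the `profile_get_boolean()` call, ahead of the `if (ret)` check. The `#include <profile.h>` inside the function body should move to file scope under an `#ifdef HAVE_PROFILE_H` guard, so the header is not parsed at block scope. Both failure paths return false, so a failed config lookup reports weak crypto as not allowed. That is the safe default and deserves a one-line comment such as `/* on any lookup error report weak crypto as not allowed */`. The doc comment also has a typo (`allowd`), and the `/* *ret_default */` label on the last `profile_get_boolean()` argument names the wrong variable.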
index 0977f8e06ea119864045e36a4b47097b8bf7a50f..ee06f556e3dbd7d478aa73531266d0a6ca68de50 100644 (file)
@@ -306,6 +306,8 @@ int smb_krb5_create_key_from_string(krb5_context context,
                                    krb5_enctype enctype,
                                    krb5_keyblock *key);
 
+krb5_boolean smb_krb5_get_allowed_weak_crypto(krb5_context context);
+
 #endif /* HAVE_KRB5 */
 
 int cli_krb5_get_ticket(TALLOC_CTX *mem_ctx,
index bed63d67ba4524d52dcff1e98f93809fc038f9d0..cb53629480f526849636af37efc68aac43d05a69 100755 (executable)
@@ -162,6 +162,7 @@ conf.define('HAVE_ENCTYPE_AES256_CTS_HMAC_SHA1_96', 1)
 conf.define('HAVE_KRB5_PRINCIPAL_GET_NUM_COMP', 1)
 conf.define('HAVE_GSSAPI_GSSAPI_SPNEGO_H', 1)
 conf.define('HAVE_FLAGS_IN_KRB5_CREDS', 1)
+conf.define('HAVE_KRB5_CONFIG_GET_BOOL_DEFAULT', 1)
 
 heimdal_includedirs = []
 heimdal_libdirs = []
index a62d00bdbbf06eb3682a9bc5a62e8f1885696e79..b971cf79b5facfe64e6afd7bc9951add16d89579 100644 (file)
@@ -62,6 +62,8 @@ conf.CHECK_FUNCS_IN('des_set_key','crypto')
 conf.CHECK_FUNCS_IN('copy_Authenticator', 'asn1')
 conf.CHECK_FUNCS_IN('roken_getaddrinfo_hostspec', 'roken')
 
+conf.CHECK_HEADERS('profile.h')
+
 if conf.CHECK_FUNCS_IN('gss_display_status', 'gssapi gssapi_krb5'):
     have_gssapi=True
 
@@ -103,7 +105,9 @@ conf.CHECK_FUNCS('''
        krb5_get_init_creds_keyblock krb5_get_init_creds_keytab
        krb5_make_principal krb5_build_principal_alloc_va
        krb5_cc_get_lifetime krb5_cc_retrieve_cred
-       krb5_free_checksum_contents krb5_c_make_checksum krb5_create_checksum''',
+       krb5_free_checksum_contents krb5_c_make_checksum krb5_create_checksum
+       krb5_config_get_bool_default krb5_get_profile
+       ''',
      lib='krb5 k5crypto')
 conf.CHECK_DECLS('''krb5_get_credentials_for_user
                     krb5_auth_con_set_req_cksumtype''',
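Review bot: Nothing in the visible configure hunks checks that at least one of the two lookup routines was found, so a system krb5 lacking both would fail only at compile time on `#error UNKNOWN_KRB5_CONFIG_ROUTINES` in krb5_samba.c. Failing at configure time gives a clearer message. For example, after this `CHECK_FUNCS` call add `if not (conf.CONFIG_SET('HAVE_KRB5_CONFIG_GET_BOOL_DEFAULT') or (conf.CONFIG_SET('HAVE_PROFILE_H') and conf.CONFIG_SET('HAVE_KRB5_GET_PROFILE'))): conf.fatal('no krb5 config lookup routine found')`. The `CHECK_FUNCS` call starts above the hunk, so confirm that no such check already exists elsewhere in the file. The added whitespace-only line before the closing `'''` is harmless but could be folded back onto the previous line.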