struct gensec_security_ops {
const char *name;
const char *sasl_name;
+ bool weak_crypto;
uint8_t auth_type; /* 0 if not offered on DCE-RPC */
const char **oid; /* NULL if not offered by SPNEGO */
NTSTATUS (*client_start)(struct gensec_security *gensec_security);
#include "lib/util/tsort.h"
#include "lib/util/samba_modules.h"
#include "lib/util/base64.h"
+#include "lib/crypto/gnutls_helpers.h"
#undef DBGC_CLASS
#define DBGC_CLASS DBGC_AUTH
bool gensec_security_ops_enabled(const struct gensec_security_ops *ops, struct gensec_security *security)
{
- return lpcfg_parm_bool(security->settings->lp_ctx, NULL, "gensec", ops->name, ops->enabled);
+ bool ok = lpcfg_parm_bool(security->settings->lp_ctx,
+ NULL,
+ "gensec",
+ ops->name,
+ ops->enabled);
+
+ if (!samba_gnutls_weak_crypto_allowed() && ops->weak_crypto) {
+ ok = false;
+ }
+
+ return ok;
}
/* Sometimes we want to force only kerberos, sometimes we want to