gensec: Add a check if a gensec module implements weak crypto
authorAndreas Schneider <asn@samba.org>
Wed, 11 Dec 2019 16:45:39 +0000 (17:45 +0100)
committerAndrew Bartlett <abartlet@samba.org>
Thu, 19 Mar 2020 20:46:41 +0000 (20:46 +0000)
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
auth/gensec/gensec_internal.h
auth/gensec/gensec_start.c

index 911b48b52d625f79165081fba5c2018e736948f3..8efb1bdff0fb39f0779a5a112d6e192c1d492694 100644 (file)
@@ -28,6 +28,7 @@ struct gensec_security;
 struct gensec_security_ops {
        const char *name;
        const char *sasl_name;
+       bool weak_crypto;
        uint8_t auth_type;  /* 0 if not offered on DCE-RPC */
        const char **oid;  /* NULL if not offered by SPNEGO */
        NTSTATUS (*client_start)(struct gensec_security *gensec_security);
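Review bot: The new `weak_crypto` field is the only member of gensec_security_ops carrying a security policy decision, yet it has no comment; the neighbouring `auth_type` and `oid` fields both document their meaning inline, so this one should too. From the accompanying change in gensec_start.c the semantics are that a module with this flag set is refused whenever samba_gnutls_weak_crypto_allowed() returns false, regardless of the `gensec:<name>` smb.conf setting. I would write it as `bool weak_crypto; /* true if this mechanism relies on weak crypto; the module is disabled when weak crypto is not allowed, even if enabled in smb.conf */`. Since this struct is populated by every gensec backend, a reader of the header otherwise has no way to know whether the default false is safe. The struct definition continues past this hunk.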
index 50f4de731100851dbb1c7b1747846d42332a503d..d2d62d6652e6071c15ed5bf5b8616ac492546722 100644 (file)
@@ -32,6 +32,7 @@
 #include "lib/util/tsort.h"
 #include "lib/util/samba_modules.h"
 #include "lib/util/base64.h"
+#include "lib/crypto/gnutls_helpers.h"
 
 #undef DBGC_CLASS
 #define DBGC_CLASS DBGC_AUTH
@@ -49,7 +50,17 @@ _PUBLIC_ const struct gensec_security_ops * const *gensec_security_all(void)
 
 bool gensec_security_ops_enabled(const struct gensec_security_ops *ops, struct gensec_security *security)
 {
-       return lpcfg_parm_bool(security->settings->lp_ctx, NULL, "gensec", ops->name, ops->enabled);
+       bool ok = lpcfg_parm_bool(security->settings->lp_ctx,
+                                 NULL,
+                                 "gensec",
+                                 ops->name,
+                                 ops->enabled);
+
+       if (!samba_gnutls_weak_crypto_allowed() && ops->weak_crypto) {
+               ok = false;
+       }
+
+       return ok;
 }
 
 /* Sometimes we want to force only kerberos, sometimes we want to
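Review bot: When the weak-crypto branch forces `ok = false` it does so silently, so an administrator who explicitly configured `gensec:<name> = yes` gets no indication why the mechanism disappeared, and a failed negotiation is hard to diagnose from the logs alone. Because DBGC_AUTH is already selected for this file, a single log line inside the branch would make the override visible: `DBG_NOTICE("gensec module %s disabled: weak crypto is not allowed\n", ops->name);`. It may also be worth stating in a short comment above the check that this policy deliberately overrides the smb.conf setting, since lpcfg_parm_bool() has already been consulted by that point and the override is easy to mistake for a bug. The ordering could alternatively be flipped so the gnutls check short-circuits the config lookup, but that is a minor efficiency point rather than a correctness one.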