samba/SOURCES/0195-gensec-Add-a-check-if-a-gensec-module-implements-wea.patch

51 lines
1.7 KiB
Diff
Raw Normal View History

2020-04-28 09:33:08 +00:00
From c8b68454839618abf0e0c467ceaa08ef88717b22 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Wed, 11 Dec 2019 17:45:39 +0100
Subject: [PATCH 195/208] gensec: Add a check if a gensec module implements
weak crypto
Signed-off-by: Andreas Schneider <asn@samba.org>
---
auth/gensec/gensec_internal.h | 1 +
auth/gensec/gensec_start.c | 12 +++++++++++-
2 files changed, 12 insertions(+), 1 deletion(-)
diff --git a/auth/gensec/gensec_internal.h b/auth/gensec/gensec_internal.h
index 911b48b52d6..8efb1bdff0f 100644
--- a/auth/gensec/gensec_internal.h
+++ b/auth/gensec/gensec_internal.h
@@ -28,6 +28,7 @@ struct gensec_security;
struct gensec_security_ops {
const char *name;
const char *sasl_name;
+ bool weak_crypto;
uint8_t auth_type; /* 0 if not offered on DCE-RPC */
const char **oid; /* NULL if not offered by SPNEGO */
NTSTATUS (*client_start)(struct gensec_security *gensec_security);
diff --git a/auth/gensec/gensec_start.c b/auth/gensec/gensec_start.c
index 50f4de73110..860c974f056 100644
--- a/auth/gensec/gensec_start.c
+++ b/auth/gensec/gensec_start.c
@@ -49,7 +49,17 @@ _PUBLIC_ const struct gensec_security_ops * const *gensec_security_all(void)
bool gensec_security_ops_enabled(const struct gensec_security_ops *ops, struct gensec_security *security)
{
- return lpcfg_parm_bool(security->settings->lp_ctx, NULL, "gensec", ops->name, ops->enabled);
+ bool ok = lpcfg_parm_bool(security->settings->lp_ctx,
+ NULL,
+ "gensec",
+ ops->name,
+ ops->enabled);
+
+ if (!samba_gnutls_weak_crypto_allowed() && ops->weak_crypto) {
+ ok = false;
+ }
+
+ return ok;
}
/* Sometimes we want to force only kerberos, sometimes we want to
--
2.23.0