From fa0c97dd4960e56864b6446ae4f5ff072763b6a2 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Mon, 4 Nov 2019 17:15:14 +0100
Subject: [PATCH 194/208] lib:param: Add lp(cfg)_weak_crypto()
Signed-off-by: Andreas Schneider <asn@samba.org>
---
lib/param/loadparm.c | 15 +++++++++++++++
lib/param/loadparm.h | 10 +++++++++-
lib/param/wscript_build | 2 +-
source3/include/proto.h | 1 +
source3/param/loadparm.c | 14 ++++++++++++++
5 files changed, 40 insertions(+), 2 deletions(-)
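diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c
index 883d4167bf4..83dc111c05c 100644
--- a/lib/param/loadparm.c
+++ b/lib/param/loadparm.c
@@ -71,6 +71,7 @@
 #include "libds/common/roles.h"
 #include "lib/util/samba_util.h"
 #include "libcli/auth/ntlm_check.h"
+#include "lib/crypto/gnutls_helpers.h"
 
 #ifdef HAVE_HTTPCONNECTENCRYPT
 #include <cups/http.h>
@@ -95,6 +96,19 @@ int lpcfg_rpc_high_port(struct loadparm_context *lp_ctx)
 return lp_ctx->globals->rpc_high_port;
 }
 
+enum samba_weak_crypto lpcfg_weak_crypto(struct loadparm_context *lp_ctx)
+{
+ if (lp_ctx->globals->weak_crypto == SAMBA_WEAK_CRYPTO_UNKNOWN) {
+ lp_ctx->globals->weak_crypto = SAMBA_WEAK_CRYPTO_DISALLOWED;
+
+ if (samba_gnutls_weak_crypto_allowed()) {
+ lp_ctx->globals->weak_crypto = SAMBA_WEAK_CRYPTO_ALLOWED;
+ }
+ }
+
+ return lp_ctx->globals->weak_crypto;
+}
+
 /**
 * Convenience routine to grab string parameters into temporary memory
 * and run standard_sub_basic on them.
@@ -2592,6 +2606,7 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx)
 lp_ctx->globals->ctx = lp_ctx->globals;
 lp_ctx->globals->rpc_low_port = SERVER_TCP_LOW_PORT;
 lp_ctx->globals->rpc_high_port = SERVER_TCP_HIGH_PORT;
+ lp_ctx->globals->weak_crypto = SAMBA_WEAK_CRYPTO_UNKNOWN;
 lp_ctx->sDefault = talloc_zero(lp_ctx, struct loadparm_service);
 lp_ctx->flags = talloc_zero_array(lp_ctx, unsigned int, num_parameters());
 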
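Review bot: `lpcfg_weak_crypto()` has no comment saying that it is a probe-and-cache getter rather than an ordinary configuration lookup: the first call stores the result of `samba_gnutls_weak_crypto_allowed()` in `lp_ctx->globals->weak_crypto` and every later call returns that stored value, so a change in the crypto policy after the first call is not seen for the lifetime of the context. The default is fail-closed, because DISALLOWED is written before the probe runs, and that ordering is worth stating so it is not rearranged later. I would add above the function `/* Probe GnuTLS once and cache the answer; never returns SAMBA_WEAK_CRYPTO_UNKNOWN, and anything but a positive probe is DISALLOWED. */`. `lp_ctx` is dereferenced without a NULL check, which matches `lpcfg_rpc_high_port()` directly above it.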
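diff --git a/lib/param/loadparm.h b/lib/param/loadparm.h
index 0b2e302d2a9..897031985f8 100644
--- a/lib/param/loadparm.h
+++ b/lib/param/loadparm.h
@@ -248,6 +248,13 @@ enum inheritowner_options {
 /* mangled names options */
 enum mangled_names_options {MANGLED_NAMES_NO, MANGLED_NAMES_YES, MANGLED_NAMES_ILLEGAL};
 
+/* FIPS values */
+enum samba_weak_crypto {
+ SAMBA_WEAK_CRYPTO_UNKNOWN,
+ SAMBA_WEAK_CRYPTO_ALLOWED,
+ SAMBA_WEAK_CRYPTO_DISALLOWED,
+};
+
 /*
 * Default passwd chat script.
 */
@@ -285,7 +292,8 @@ enum mangled_names_options {MANGLED_NAMES_NO, MANGLED_NAMES_YES, MANGLED_NAMES_I
 struct parmlist_entry *param_opt; \
 char *dnsdomain; \
 int rpc_low_port; \
- int rpc_high_port;
+ int rpc_high_port; \
+ enum samba_weak_crypto weak_crypto;
 
 const char* server_role_str(uint32_t role);
 int lp_find_server_role(int server_role, int security, int domain_logons, int domain_master);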
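Review bot: The comment `/* FIPS values */` on `enum samba_weak_crypto` does not say what the enumerators mean, and nothing records that `SAMBA_WEAK_CRYPTO_UNKNOWN` has to remain the first enumerator. Zero-initialised storage then reads as UNKNOWN and triggers the probe in the getters; the source3 getter in this patch appears to rely on that, since no explicit initialisation of `Globals.weak_crypto` is visible in the patch. I would replace the comment with `/* Whether weak crypto algorithms may be used; UNKNOWN must stay 0 so zeroed globals are probed on first use */` and write the first enumerator as `SAMBA_WEAK_CRYPTO_UNKNOWN = 0,`.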
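diff --git a/lib/param/wscript_build b/lib/param/wscript_build
index 20c8bcab22a..864975a5884 100644
--- a/lib/param/wscript_build
+++ b/lib/param/wscript_build
@@ -40,7 +40,7 @@ bld.SAMBA_LIBRARY('samba-hostconfig',
 pc_files='samba-hostconfig.pc',
 vnum='0.0.1',
 deps='DYNCONFIG server-role tdb',
- public_deps='samba-util param_local.h',
+ public_deps='GNUTLS_HELPERS samba-util param_local.h',
 public_headers='param.h',
 autoproto='param_proto.h'
 )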
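diff --git a/source3/include/proto.h b/source3/include/proto.h
index 43a4b8f8b4d..956a328b626 100644
--- a/source3/include/proto.h
+++ b/source3/include/proto.h
@@ -755,6 +755,7 @@ bool lp_widelinks(int );
 int lp_rpc_low_port(void);
 int lp_rpc_high_port(void);
 bool lp_lanman_auth(void);
+enum samba_weak_crypto lp_weak_crypto(void);
 
 int lp_wi_scan_global_parametrics(
 const char *regex, size_t max_matches,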
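diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
index a8d5fdc5954..923c2473662 100644
--- a/source3/param/loadparm.c
+++ b/source3/param/loadparm.c
@@ -72,6 +72,7 @@
 #include "librpc/gen_ndr/nbt.h"
 #include "source4/lib/tls/tls.h"
 #include "libcli/auth/ntlm_check.h"
+#include "lib/crypto/gnutls_helpers.h"
 
 #ifdef HAVE_SYS_SYSCTL_H
 #include <sys/sysctl.h>
@@ -4677,3 +4678,16 @@ unsigned int * get_flags(void)
 
 return flags_list;
 }
+
+enum samba_weak_crypto lp_weak_crypto()
+{
+ if (Globals.weak_crypto == SAMBA_WEAK_CRYPTO_UNKNOWN) {
+ Globals.weak_crypto = SAMBA_WEAK_CRYPTO_DISALLOWED;
+
+ if (samba_gnutls_weak_crypto_allowed()) {
+ Globals.weak_crypto = SAMBA_WEAK_CRYPTO_ALLOWED;
+ }
+ }
+
+ return Globals.weak_crypto;
+}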
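Review bot: `lp_weak_crypto()` is defined with an empty parameter list while the prototype this patch adds to `source3/include/proto.h` is `lp_weak_crypto(void)`; before C23 an empty list in a definition is an old-style declarator and is flagged by `-Wstrict-prototypes`, so the definition should read `enum samba_weak_crypto lp_weak_crypto(void)`. The body repeats `lpcfg_weak_crypto()` from `lib/param/loadparm.c` with only the storage changed, so the fail-closed probe logic now lives in two places that have to be kept in step. Callers of either getter should test `== SAMBA_WEAK_CRYPTO_ALLOWED` rather than `!= SAMBA_WEAK_CRYPTO_DISALLOWED`, so that any enumerator added later is treated as disallowed.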
--
2.23.0