From c8b68454839618abf0e0c467ceaa08ef88717b22 Mon Sep 17 00:00:00 2001
From: Andreas Schneider
Date: Wed, 11 Dec 2019 17:45:39 +0100
Subject: [PATCH 195/208] gensec: Add a check if a gensec module implements weak crypto

Signed-off-by: Andreas Schneider
---
 auth/gensec/gensec_internal.h | 1 +
 auth/gensec/gensec_start.c | 12 +++++++++++-
 2 files changed, 12 insertions(+), 1 deletion(-)

diff --git a/auth/gensec/gensec_internal.h b/auth/gensec/gensec_internal.h
index 911b48b52d6..8efb1bdff0f 100644
--- a/auth/gensec/gensec_internal.h
+++ b/auth/gensec/gensec_internal.h
@@ -28,6 +28,7 @@ struct gensec_security;
 struct gensec_security_ops {
 const char *name;
 const char *sasl_name;
+ bool weak_crypto;
 uint8_t auth_type; /* 0 if not offered on DCE-RPC */
 const char **oid; /* NULL if not offered by SPNEGO */
 NTSTATUS (*client_start)(struct gensec_security *gensec_security);
diff --git a/auth/gensec/gensec_start.c b/auth/gensec/gensec_start.c
index 50f4de73110..860c974f056 100644
--- a/auth/gensec/gensec_start.c
+++ b/auth/gensec/gensec_start.c
@@ -49,7 +49,17 @@ _PUBLIC_ const struct gensec_security_ops * const *gensec_security_all(void)
 
 bool gensec_security_ops_enabled(const struct gensec_security_ops *ops, struct gensec_security *security)
 {
- return lpcfg_parm_bool(security->settings->lp_ctx, NULL, "gensec", ops->name, ops->enabled);
+ bool ok = lpcfg_parm_bool(security->settings->lp_ctx,
+ NULL,
+ "gensec",
+ ops->name,
+ ops->enabled);
+
+ if (!samba_gnutls_weak_crypto_allowed() && ops->weak_crypto) {
+ ok = false;
+ }
+
+ return ok;
 }
 
 /* Sometimes we want to force only kerberos, sometimes we want to
-- 
2.23.0
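Review bot: The new `weak_crypto` member in struct gensec_security_ops carries no comment, unlike `auth_type` and `oid` just below it, and its meaning matters because the default is fail-open: an ops table that does not set it is presumably left at false by its static initialiser and therefore stays enabled when weak crypto is disallowed. I would add `/* true if the mechanism depends on weak crypto; each module must set this explicitly */` on the field. No module sets the flag in this patch, so the filter in gensec_security_ops_enabled() has no effect until the backends are marked, presumably elsewhere in the series. The struct definition continues past the end of the hunk.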
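Review bot: When the new check in gensec_security_ops_enabled() forces `ok` to false, an explicit `gensec:<name> = yes` setting is overridden without any trace, so a mechanism disappears from negotiation with nothing in the log to explain why. A debug line inside the `if`, for example `DBG_INFO("gensec %s disabled: weak crypto not allowed\n", ops->name);`, would make the override diagnosable. Testing the field first, `if (ops->weak_crypto && !samba_gnutls_weak_crypto_allowed()) {`, also skips the helper call for every module that is not flagged. The hunk adds no `#include`, so confirm that a declaration of samba_gnutls_weak_crypto_allowed() is already visible in gensec_start.c.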