From fa0c97dd4960e56864b6446ae4f5ff072763b6a2 Mon Sep 17 00:00:00 2001
From: Andreas Schneider
Date: Mon, 4 Nov 2019 17:15:14 +0100
Subject: [PATCH 194/208] lib:param: Add lp(cfg)_weak_crypto()

Signed-off-by: Andreas Schneider
---
 lib/param/loadparm.c     | 15 +++++++++++++++
 lib/param/loadparm.h     | 10 +++++++++-
 lib/param/wscript_build  |  2 +-
 source3/include/proto.h  |  1 +
 source3/param/loadparm.c | 14 ++++++++++++++
 5 files changed, 40 insertions(+), 2 deletions(-)

diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c
index 883d4167bf4..83dc111c05c 100644
--- a/lib/param/loadparm.c
+++ b/lib/param/loadparm.c
@@ -71,6 +71,7 @@
 #include "libds/common/roles.h"
 #include "lib/util/samba_util.h"
 #include "libcli/auth/ntlm_check.h"
+#include "lib/crypto/gnutls_helpers.h"
 #ifdef HAVE_HTTPCONNECTENCRYPT
 #include
@@ -95,6 +96,19 @@ int lpcfg_rpc_high_port(struct loadparm_context *lp_ctx)
 	return lp_ctx->globals->rpc_high_port;
 }
 
+enum samba_weak_crypto lpcfg_weak_crypto(struct loadparm_context *lp_ctx)
+{
+	if (lp_ctx->globals->weak_crypto == SAMBA_WEAK_CRYPTO_UNKNOWN) {
+		lp_ctx->globals->weak_crypto = SAMBA_WEAK_CRYPTO_DISALLOWED;
+
+		if (samba_gnutls_weak_crypto_allowed()) {
+			lp_ctx->globals->weak_crypto = SAMBA_WEAK_CRYPTO_ALLOWED;
+		}
+	}
+
+	return lp_ctx->globals->weak_crypto;
+}
+
 /**
  * Convenience routine to grab string parameters into temporary memory
  * and run standard_sub_basic on them.
@@ -2592,6 +2606,7 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx)
 	lp_ctx->globals->ctx = lp_ctx->globals;
 	lp_ctx->globals->rpc_low_port = SERVER_TCP_LOW_PORT;
 	lp_ctx->globals->rpc_high_port = SERVER_TCP_HIGH_PORT;
+	lp_ctx->globals->weak_crypto = SAMBA_WEAK_CRYPTO_UNKNOWN;
 
 	lp_ctx->sDefault = talloc_zero(lp_ctx, struct loadparm_service);
 	lp_ctx->flags = talloc_zero_array(lp_ctx, unsigned int, num_parameters());
diff --git a/lib/param/loadparm.h b/lib/param/loadparm.h
index 0b2e302d2a9..897031985f8 100644
--- a/lib/param/loadparm.h
+++ b/lib/param/loadparm.h
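Review bot: lpcfg_weak_crypto() queries samba_gnutls_weak_crypto_allowed() only on the first call and then caches the answer in lp_ctx->globals->weak_crypto for the lifetime of the context, but nothing in the new function says so, and the deliberately fail-closed order (DISALLOWED is written first, ALLOWED only if the helper agrees) is equally undocumented and easy to "simplify" into a ternary with the opposite default. I would put a block comment above the definition stating that the GnuTLS answer is probed lazily and cached in the globals, that a later change of GnuTLS FIPS mode will not be reflected, and that the default when the helper does not explicitly allow weak crypto is SAMBA_WEAK_CRYPTO_DISALLOWED. The inner branch could carry `/* fail closed: only the GnuTLS helper may open weak crypto up */`. Since the patch exposes no way to reset the cached value to SAMBA_WEAK_CRYPTO_UNKNOWN, callers that need a fresh answer after a mode change would have no supported path; the comment should make that explicit.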
@@ -248,6 +248,13 @@ enum inheritowner_options {
 /* mangled names options */
 enum mangled_names_options {MANGLED_NAMES_NO, MANGLED_NAMES_YES, MANGLED_NAMES_ILLEGAL};
 
+/* FIPS values */
+enum samba_weak_crypto {
+	SAMBA_WEAK_CRYPTO_UNKNOWN,
+	SAMBA_WEAK_CRYPTO_ALLOWED,
+	SAMBA_WEAK_CRYPTO_DISALLOWED,
+};
+
 /*
  * Default passwd chat script.
  */
@@ -285,7 +292,8 @@ enum mangled_names_options {MANGLED_NAMES_NO, MANGLED_NAMES_YES, MANGLED_NAMES_I
 	struct parmlist_entry *param_opt;	\
 	char *dnsdomain;	\
 	int rpc_low_port;	\
-	int rpc_high_port;
+	int rpc_high_port;	\
+	enum samba_weak_crypto weak_crypto;
 
 const char* server_role_str(uint32_t role);
 int lp_find_server_role(int server_role, int security, int domain_logons, int domain_master);
diff --git a/lib/param/wscript_build b/lib/param/wscript_build
index 20c8bcab22a..864975a5884 100644
--- a/lib/param/wscript_build
+++ b/lib/param/wscript_build
@@ -40,7 +40,7 @@ bld.SAMBA_LIBRARY('samba-hostconfig',
                   pc_files='samba-hostconfig.pc',
                   vnum='0.0.1',
                   deps='DYNCONFIG server-role tdb',
-                  public_deps='samba-util param_local.h',
+                  public_deps='GNUTLS_HELPERS samba-util param_local.h',
                   public_headers='param.h',
                   autoproto='param_proto.h'
                   )
diff --git a/source3/include/proto.h b/source3/include/proto.h
index 43a4b8f8b4d..956a328b626 100644
--- a/source3/include/proto.h
+++ b/source3/include/proto.h
@@ -755,6 +755,7 @@ bool lp_widelinks(int );
 int lp_rpc_low_port(void);
 int lp_rpc_high_port(void);
 bool lp_lanman_auth(void);
+enum samba_weak_crypto lp_weak_crypto(void);
 int lp_wi_scan_global_parametrics(
 	const char *regex, size_t max_matches,
diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
index a8d5fdc5954..923c2473662 100644
--- a/source3/param/loadparm.c
+++ b/source3/param/loadparm.c
@@ -72,6 +72,7 @@
 #include "librpc/gen_ndr/nbt.h"
 #include "source4/lib/tls/tls.h"
 #include "libcli/auth/ntlm_check.h"
+#include "lib/crypto/gnutls_helpers.h"
 #ifdef HAVE_SYS_SYSCTL_H
 #include
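Review bot: The `/* FIPS values */` comment above the new `enum samba_weak_crypto` does not say what the three enumerators mean, and it does not record that SAMBA_WEAK_CRYPTO_UNKNOWN has to stay the first (zero) enumerator. The source3 part of this patch adds no explicit initialisation of Globals.weak_crypto (the diffstat accounts for only the include and the function body), so that side appears to rely on a zero-initialised Globals reading as "not yet probed"; reordering the enum would silently turn a never-probed value into ALLOWED or DISALLOWED without GnuTLS ever being consulted. Suggest replacing the comment with `/* Whether weak (e.g. non-FIPS) crypto may be used; resolved lazily via samba_gnutls_weak_crypto_allowed(). UNKNOWN must stay the zero enumerator: a zero-initialised config means "not yet probed". */`.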
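Review bot: GNUTLS_HELPERS is added to `public_deps` of samba-hostconfig, which propagates the GnuTLS-helper link requirement to every consumer of this public library, yet the only new use in the patch is the `#include "lib/crypto/gnutls_helpers.h"` inside lib/param/loadparm.c; the public header gains only an enum and a struct field, neither of which needs a GnuTLS symbol. Unless param.h or loadparm.h is meant to expose something from the helpers, a private dependency is sufficient: `deps='DYNCONFIG server-role tdb GNUTLS_HELPERS',` with the `public_deps` line left as it was. That keeps the public library's dependency surface unchanged for packagers and for anything that links samba-hostconfig without wanting GnuTLS.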
@@ -4677,3 +4678,16 @@ unsigned int * get_flags(void)
 	return flags_list;
 }
+
+enum samba_weak_crypto lp_weak_crypto()
+{
+	if (Globals.weak_crypto == SAMBA_WEAK_CRYPTO_UNKNOWN) {
+		Globals.weak_crypto = SAMBA_WEAK_CRYPTO_DISALLOWED;
+
+		if (samba_gnutls_weak_crypto_allowed()) {
+			Globals.weak_crypto = SAMBA_WEAK_CRYPTO_ALLOWED;
+		}
+	}
+
+	return Globals.weak_crypto;
+}
-- 
2.23.0
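Review bot: `enum samba_weak_crypto lp_weak_crypto()` is an old-style definition with an empty parameter list, while source3/include/proto.h in this same patch declares it as `lp_weak_crypto(void)` and the lib/param sibling uses a full prototype; -Wstrict-prototypes and -Wold-style-definition will warn on it. Change the definition line to `enum samba_weak_crypto lp_weak_crypto(void)`. Unlike the lib/param side, which sets weak_crypto to SAMBA_WEAK_CRYPTO_UNKNOWN in loadparm_init, nothing here initialises Globals.weak_crypto, so the lazy probe appears to depend on Globals being zeroed and on UNKNOWN being the zero enumerator; a one-line comment above the `if` stating that assumption would help the next reader. The body is otherwise a copy of lpcfg_weak_crypto(), so if the two ever diverge the fail-closed default (DISALLOWED unless the GnuTLS helper says otherwise) should be preserved in both.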