From 3854e64a4ac3008d991f9b3cf723d9cdc33e32d9 Mon Sep 17 00:00:00 2001
From: Jeffrey Altman
Date: Mon, 26 Sep 2011 01:44:16 -0400
Subject: [PATCH] include weak etypes in default etype list if allow_weak_crypto

commit 0ed83cebd3344889ffc99ec243f79e117b288a08 removed the weak enctypes from the default enctype list. This is a change in behavior from 1.5.x which permitted the use of weak enctypes if "allow_weak_crypto" is set to true.

This patchset creates two default enctype lists. One with weak enctypes and the other without. The weak version is used if "allow_weak_crypto" is set to true.

Change-Id: Ide5cce0645836249031350bfaf619d970635e579
---
 lib/krb5/context.c | 26 ++++++++++++++++++++++++++
 1 file changed, 26 insertions(+)

diff --git a/lib/krb5/context.c b/lib/krb5/context.c
index a832a4971..d126f7700 100644
--- a/lib/krb5/context.c
+++ b/lib/krb5/context.c
@@ -885,6 +885,32 @@ krb5_kerberos_enctypes(krb5_context context)
 ETYPE_ARCFOUR_HMAC_MD5,
 ETYPE_NULL
 };
+
+ static const krb5_enctype weak[] = {
+ ETYPE_AES256_CTS_HMAC_SHA1_96,
+ ETYPE_AES128_CTS_HMAC_SHA1_96,
+ ETYPE_DES3_CBC_SHA1,
+ ETYPE_DES3_CBC_MD5,
+ ETYPE_ARCFOUR_HMAC_MD5,
+ ETYPE_DES_CBC_MD5,
+ ETYPE_DES_CBC_MD4,
+ ETYPE_DES_CBC_CRC,
+ ETYPE_NULL
+ };
+
+ /*
+ * if the list of enctypes enabled by "allow_weak_crypto"
+ * are valid, then return the former default enctype list
+ * that contained the weak entries.
+ */
+ if (krb5_enctype_valid(context, ETYPE_DES_CBC_CRC) == 0 &&
+ krb5_enctype_valid(context, ETYPE_DES_CBC_MD4) == 0 &&
+ krb5_enctype_valid(context, ETYPE_DES_CBC_MD5) == 0 &&
+ krb5_enctype_valid(context, ETYPE_DES_CBC_NONE) == 0 &&
+ krb5_enctype_valid(context, ETYPE_DES_CFB64_NONE) == 0 &&
+ krb5_enctype_valid(context, ETYPE_DES_PCBC_NONE) == 0)
+ return weak;
+
 return p;
 }
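Review bot: The gate that selects `weak` infers the allow_weak_crypto setting from six `krb5_enctype_valid()` probes instead of reading the configuration value, so if any one of those DES enctypes is disabled through another path the strong list `p` is returned even though the other weak enctypes remain enabled, and three of the probed types (`ETYPE_DES_CBC_NONE`, `ETYPE_DES_CFB64_NONE`, `ETYPE_DES_PCBC_NONE`) never appear in `weak[]`; the block comment should state that this all-or-nothing check is deliberate, or the condition should be narrowed to the three enctypes the table actually advertises. `weak[]` also duplicates the first five entries of `p[]`, so a comment such as `/* keep in sync with p[] above: same preference order, single-DES appended after the strong types */` on its declaration would help the next maintainer; the start of krb5_kerberos_enctypes, where `p[]` is declared, lies outside the hunk. Since the list is presumably consulted in preference order, it would also be worth noting in the comment that the strong types stay first and DES is only offered as a last resort once allow_weak_crypto is on, which is the behaviour the commit intends to restore.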