include weak etypes in default etype list if allow_weak_crypto

commit 0ed83cebd3 removed the weak enctypes from the default enctype list. This is a change in behavior from 1.5.x which permitted the use of weak enctypes if "allow_weak_crypto" is set to true. This patchset creates two default enctype lists. One with weak enctypes and the other without. The weak version is used if "allow_weak_crypto" is set to true. Change-Id: Ide5cce0645836249031350bfaf619d970635e579
2011-09-26 01:44:16 -04:00
parent 00773b4119
commit 3854e64a4a
1 changed files with 26 additions and 0 deletions
--- a/lib/krb5/context.c
+++ b/lib/krb5/context.c
@@ -885,6 +885,32 @@ krb5_kerberos_enctypes(krb5_context context)
 	ETYPE_ARCFOUR_HMAC_MD5,
 	ETYPE_NULL
    };
+
+    static const krb5_enctype weak[] = {
+	ETYPE_AES256_CTS_HMAC_SHA1_96,
+	ETYPE_AES128_CTS_HMAC_SHA1_96,
+	ETYPE_DES3_CBC_SHA1,
+	ETYPE_DES3_CBC_MD5,
+	ETYPE_ARCFOUR_HMAC_MD5,
+	ETYPE_DES_CBC_MD5,
+	ETYPE_DES_CBC_MD4,
+	ETYPE_DES_CBC_CRC,
+	ETYPE_NULL
+    };
+
+    /*
+     * if the list of enctypes enabled by "allow_weak_crypto"
+     * are valid, then return the former default enctype list
+     * that contained the weak entries.
+     */
+    if (krb5_enctype_valid(context, ETYPE_DES_CBC_CRC) == 0 &&
+        krb5_enctype_valid(context, ETYPE_DES_CBC_MD4) == 0 &&
+        krb5_enctype_valid(context, ETYPE_DES_CBC_MD5) == 0 &&
+        krb5_enctype_valid(context, ETYPE_DES_CBC_NONE) == 0 &&
+        krb5_enctype_valid(context, ETYPE_DES_CFB64_NONE) == 0 &&
+        krb5_enctype_valid(context, ETYPE_DES_PCBC_NONE) == 0)
+        return weak;
+
    return p;
 }