make excpetion for known weak types

git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@23599 ec53bebd-3082-4978-b11e-865c3cabbd6b
2008-08-17 14:11:29 +00:00
parent b5910292fc
commit 80e3051b41
1 changed files with 20 additions and 1 deletions
--- a/kdc/kerberos5.c
+++ b/kdc/kerberos5.c
@@ -84,6 +84,24 @@ _kdc_find_padata(const KDC_REQ *req, int *start, int type)
    return NULL;
 }

+/*
+ * This is a hack to allow predefined weak services, like afs to
+ * still use weak types
+ */
+
+krb5_boolean
+_kdc_is_weak_expection(krb5_principal principal, krb5_enctype etype)
+{
+    if (principal->name.name_string.len > 0 &&
+	strcmp(principal->name.name_string.val[0], "afs") == 0 &&
+	(etype == ETYPE_DES_CBC_CRC
+	 || etype == ETYPE_DES_CBC_MD4
+	 || etype == ETYPE_DES_CBC_MD5))
+	return TRUE;
+    return FALSE;
+}
+
+
 /*
 * Detect if `key' is the using the the precomputed `default_salt'.
 */
@@ -120,7 +138,8 @@ _kdc_find_etype(krb5_context context, const hdb_entry_ex *princ,
    for(i = 0; ret != 0 && i < len ; i++) {
 	Key *key = NULL;

-	if (krb5_enctype_valid(context, etypes[i]) != 0)
+	if (krb5_enctype_valid(context, etypes[i]) != 0 &&
+	    !_kdc_is_weak_expection(princ->entry.principal, etypes[i]))
 	    continue;

 	while (hdb_next_enctype2key(context, &princ->entry, etypes[i], &key) == 0) {