From 80e3051b41ab22b76d33b320cf93920be274dc51 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Love=20H=C3=B6rnquist=20=C3=85strand?=
Date: Sun, 17 Aug 2008 14:11:29 +0000
Subject: [PATCH] make excpetion for known weak types

git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@23599 ec53bebd-3082-4978-b11e-865c3cabbd6b
---
 kdc/kerberos5.c | 21 ++++++++++++++++++++-
 1 file changed, 20 insertions(+), 1 deletion(-)

diff --git a/kdc/kerberos5.c b/kdc/kerberos5.c
index 56553a863..2d68770f0 100644
--- a/kdc/kerberos5.c
+++ b/kdc/kerberos5.c
@@ -84,6 +84,24 @@ _kdc_find_padata(const KDC_REQ *req, int *start, int type)
 return NULL;
 }
 
+/*
+ * This is a hack to allow predefined weak services, like afs to
+ * still use weak types
+ */
+
+krb5_boolean
+_kdc_is_weak_expection(krb5_principal principal, krb5_enctype etype)
+{
+ if (principal->name.name_string.len > 0 &&
+ strcmp(principal->name.name_string.val[0], "afs") == 0 &&
+ (etype == ETYPE_DES_CBC_CRC
+ || etype == ETYPE_DES_CBC_MD4
+ || etype == ETYPE_DES_CBC_MD5))
+ return TRUE;
+ return FALSE;
+}
+
+
 /*
 * Detect if `key' is the using the the precomputed `default_salt'.
 */
@@ -120,7 +138,8 @@ _kdc_find_etype(krb5_context context, const hdb_entry_ex *princ,
 for(i = 0; ret != 0 && i < len ; i++) {
 Key *key = NULL;
 
- if (krb5_enctype_valid(context, etypes[i]) != 0)
+ if (krb5_enctype_valid(context, etypes[i]) != 0 &&
+ !_kdc_is_weak_expection(princ->entry.principal, etypes[i]))
 continue;
 
 while (hdb_next_enctype2key(context, &princ->entry, etypes[i], &key) == 0) {
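Review bot: `_kdc_is_weak_expection` compares only the first name component with "afs", so every principal whose first component is `afs`, with any instance and in any realm, is exempted from weak-enctype rejection for the three single-DES types, and the comment above the function does not say so. I would state the scope and the cost there, for example `/* Exempts any principal whose first component is "afs" (any instance, any realm) from weak-enctype rejection for single-DES; keys selected this way remain DES-strength. */`. The name misspells "exception", and because the function is not static the typo is carried into every caller (the second hunk already uses it), so `_kdc_is_weak_exception` is cheapest to fix now. The principal is only read, so `krb5_const_principal principal` would fit if the callers allow it.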
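Review bot: In the loop of `_kdc_find_etype`, the new condition lets an `afs` entry skip the result of `krb5_enctype_valid()` for the DES types whatever reason that call had for returning non-zero, and nothing at the call site explains the bypass. A short comment above the `if`, such as `/* weak DES is still accepted for afs principals, see _kdc_is_weak_expection() */`, would keep it visible to the next reader. Since `_kdc_find_etype` takes any `hdb_entry_ex`, the exemption presumably applies wherever an entry named `afs` is passed in, not only when it is the target service; it is worth confirming that this is intended. Recording when a key is selected through this exception would also let operators see which services still depend on single-DES. The function body starts and ends outside the hunk.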