diff --git a/configure.in b/configure.in index f23aed54e..f104be27f 100644 --- a/configure.in +++ b/configure.in @@ -61,6 +61,8 @@ LT_INIT([shared static win32-dll]) AM_CONDITIONAL(ENABLE_SHARED, test "$enable_shared" = "yes") rk_VERSIONSCRIPT +AC_DEFINE(HEIM_WEAK_CRYPTO, 1, [Define if you want support for weak crypto]) + rk_TEST_PACKAGE(openldap, [#include #include ], diff --git a/lib/gssapi/krb5/get_mic.c b/lib/gssapi/krb5/get_mic.c index 02093f2b2..a17c4639f 100644 --- a/lib/gssapi/krb5/get_mic.c +++ b/lib/gssapi/krb5/get_mic.c @@ -33,6 +33,8 @@ #include "gsskrb5_locl.h" +#ifdef HEIM_WEAK_CRYPTO + static OM_uint32 mic_des (OM_uint32 * minor_status, @@ -125,6 +127,7 @@ mic_des *minor_status = 0; return GSS_S_COMPLETE; } +#endif static OM_uint32 mic_des3 @@ -301,8 +304,12 @@ OM_uint32 _gsskrb5_get_mic switch (keytype) { case KEYTYPE_DES : +#ifdef HEIM_WEAK_CRYPTO ret = mic_des (minor_status, ctx, context, qop_req, message_buffer, message_token, key); +#else + ret = GSS_S_FAILURE; +#endif break; case KEYTYPE_DES3 : ret = mic_des3 (minor_status, ctx, context, qop_req, diff --git a/lib/gssapi/krb5/unwrap.c b/lib/gssapi/krb5/unwrap.c index a8085c5c0..555c5dce2 100644 --- a/lib/gssapi/krb5/unwrap.c +++ b/lib/gssapi/krb5/unwrap.c @@ -33,6 +33,8 @@ #include "gsskrb5_locl.h" +#ifdef HEIM_WEAK_CRYPTO + static OM_uint32 unwrap_des (OM_uint32 * minor_status, @@ -182,6 +184,7 @@ unwrap_des output_message_buffer->length); return GSS_S_COMPLETE; } +#endif static OM_uint32 unwrap_des3 @@ -416,9 +419,13 @@ OM_uint32 _gsskrb5_unwrap switch (keytype) { case KEYTYPE_DES : +#ifdef HEIM_WEAK_CRYPTO ret = unwrap_des (minor_status, ctx, input_message_buffer, output_message_buffer, conf_state, qop_state, key); +#else + ret = GSS_S_FAILURE; +#endif break; case KEYTYPE_DES3 : ret = unwrap_des3 (minor_status, ctx, context, diff --git a/lib/gssapi/krb5/verify_mic.c b/lib/gssapi/krb5/verify_mic.c index a59eb6239..5ce6dee29 100644 --- a/lib/gssapi/krb5/verify_mic.c 
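Review bot: The `AC_DEFINE(HEIM_WEAK_CRYPTO, 1, ...)` added to configure.in is unconditional, so every build still compiles in the single-DES paths even though its description reads "Define if you want support for weak crypto". The `#else` branches this commit adds in the GSS-API files can therefore only be reached by editing configure.in by hand. Gate the define behind a configure switch so a distributor can build without DES, and choose the shipped default deliberately; the option name below is a proposal.

```m4
AC_ARG_ENABLE(weak-crypto,
	AS_HELP_STRING([--disable-weak-crypto],
		[build without single-DES enctypes]))
if test "$enable_weak_crypto" != no; then
	AC_DEFINE(HEIM_WEAK_CRYPTO, 1, [Define if you want support for weak crypto])
fi
```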
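Review bot: The bare `#endif` added after `mic_des` in get_mic.c closes a guard opened about ninety lines earlier, judging by the hunk headers, so a reader at that point cannot see which condition ends there. crypto.c in this same commit labels its closers, so write `#endif /* HEIM_WEAK_CRYPTO */` here as well. The same applies to the `#endif` added after `unwrap_des` in unwrap.c, `verify_mic_des` in verify_mic.c and `wrap_des` in wrap.c. The bodies of these functions lie outside the hunks.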
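Review bot: In the `KEYTYPE_DES` case of `_gsskrb5_get_mic`, the new `#else` branch sets `ret = GSS_S_FAILURE` but never writes `*minor_status`, whereas `mic_des` sets `*minor_status = 0` on its success path (visible in the previous hunk). On a build without HEIM_WEAK_CRYPTO, a context keyed with DES then yields a major failure with a possibly stale or uninitialized minor code. The caller cannot tell "enctype compiled out" from any other failure. Set it explicitly, for example `*minor_status = KRB5_PROG_ETYPE_NOSUPP;` before `ret = GSS_S_FAILURE;`. The same branch is added in `_gsskrb5_unwrap`, `_gsskrb5_verify_mic_internal` and `_gsskrb5_wrap`; each switch continues outside its hunk, so confirm that nothing after it already sets the minor status.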
+++ b/lib/gssapi/krb5/verify_mic.c @@ -33,6 +33,8 @@ #include "gsskrb5_locl.h" +#ifdef HEIM_WEAK_CRYPTO + static OM_uint32 verify_mic_des (OM_uint32 * minor_status, @@ -129,6 +131,7 @@ verify_mic_des return GSS_S_COMPLETE; } +#endif static OM_uint32 verify_mic_des3 @@ -296,9 +299,13 @@ _gsskrb5_verify_mic_internal krb5_enctype_to_keytype (context, key->keytype, &keytype); switch (keytype) { case KEYTYPE_DES : +#ifdef HEIM_WEAK_CRYPTO ret = verify_mic_des (minor_status, ctx, context, message_buffer, token_buffer, qop_state, key, type); +#else + ret = GSS_S_FAILURE; +#endif break; case KEYTYPE_DES3 : ret = verify_mic_des3 (minor_status, ctx, context, diff --git a/lib/gssapi/krb5/wrap.c b/lib/gssapi/krb5/wrap.c index 536be3427..2c20f7b87 100644 --- a/lib/gssapi/krb5/wrap.c +++ b/lib/gssapi/krb5/wrap.c @@ -168,7 +168,11 @@ _gsskrb5_wrap_size_limit ( switch (keytype) { case KEYTYPE_DES : +#ifdef HEIM_WEAK_CRYPTO ret = sub_wrap_size(req_output_size, max_input_size, 8, 22); +#else + ret = GSS_S_FAILURE; +#endif break; case KEYTYPE_ARCFOUR: case KEYTYPE_ARCFOUR_56: @@ -188,6 +192,8 @@ _gsskrb5_wrap_size_limit ( return ret; } +#ifdef HEIM_WEAK_CRYPTO + static OM_uint32 wrap_des (OM_uint32 * minor_status, @@ -325,6 +331,8 @@ wrap_des return GSS_S_COMPLETE; } +#endif + static OM_uint32 wrap_des3 (OM_uint32 * minor_status, @@ -553,9 +561,13 @@ OM_uint32 _gsskrb5_wrap switch (keytype) { case KEYTYPE_DES : +#ifdef HEIM_WEAK_CRYPTO ret = wrap_des (minor_status, ctx, context, conf_req_flag, qop_req, input_message_buffer, conf_state, output_message_buffer, key); +#else + ret = GSS_S_FAILURE; +#endif break; case KEYTYPE_DES3 : ret = wrap_des3 (minor_status, ctx, context, conf_req_flag, diff --git a/lib/krb5/crypto.c b/lib/krb5/crypto.c index 670f161c7..1c837d3be 100644 --- a/lib/krb5/crypto.c +++ b/lib/krb5/crypto.c @@ -36,8 +36,6 @@ #include "krb5_locl.h" #include -#define WEAK_ENCTYPES 1 - #ifndef HEIMDAL_SMALLER #define DES3_OLD_ENCTYPE 1 #endif 
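Review bot: In `_gsskrb5_wrap_size_limit`, the `#else` branch for `KEYTYPE_DES` assigns `GSS_S_FAILURE` without touching `max_input_size`, while the enabled path passes it to `sub_wrap_size(req_output_size, max_input_size, 8, 22)`, which presumably fills it in. A caller that does not check the major status would then size its buffers from whatever value was there before the call. Add `*max_input_size = 0;` in the `#else` branch so the output is defined on the failure path. This assumes `max_input_size` is the usual output pointer; its declaration and the rest of the function are outside the hunk.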
@@ -182,7 +180,7 @@ struct evp_schedule { static HEIMDAL_MUTEX crypto_mutex = HEIMDAL_MUTEX_INITIALIZER; -#ifdef WEAK_ENCTYPES +#ifdef HEIM_WEAK_CRYPTO static void krb5_DES_random_key(krb5_context context, krb5_keyblock *key) @@ -715,7 +713,7 @@ evp_cleanup(krb5_context context, struct key_data *kd) * */ -#ifdef WEAK_ENCTYPES +#ifdef HEIM_WEAK_CRYPTO static struct salt_type des_salt[] = { { KRB5_PW_SALT, @@ -786,7 +784,7 @@ static struct key_type keytype_null = { NULL }; -#ifdef WEAK_ENCTYPES +#ifdef HEIM_WEAK_CRYPTO static struct key_type keytype_des_old = { KEYTYPE_DES, "des-old", @@ -812,7 +810,7 @@ static struct key_type keytype_des = { evp_cleanup, EVP_des_cbc }; -#endif /* WEAK_ENCTYPES */ +#endif /* HEIM_WEAK_CRYPTO */ #ifdef DES3_OLD_ENCTYPE static struct key_type keytype_des3 = { @@ -2056,7 +2054,7 @@ evp_encrypt(krb5_context context, return 0; } -#ifdef WEAK_ENCTYPES +#ifdef HEIM_WEAK_CRYPTO static krb5_error_code evp_des_encrypt_null_ivec(krb5_context context, struct key_data *key, @@ -2505,7 +2503,7 @@ static struct encryption_type enctype_des3_cbc_none = { 0, NULL }; -#ifdef WEAK_ENCTYPES +#ifdef HEIM_WEAK_CRYPTO static struct encryption_type enctype_des_cbc_crc = { ETYPE_DES_CBC_CRC, "des-cbc-crc", @@ -2590,7 +2588,7 @@ static struct encryption_type enctype_des_pcbc_none = { 0, NULL }; -#endif /* WEAK_ENCTYPES */ +#endif /* HEIM_WEAK_CRYPTO */ static struct encryption_type *etypes[] = { &enctype_aes256_cts_hmac_sha1, @@ -2602,7 +2600,7 @@ static struct encryption_type *etypes[] = { &enctype_des3_cbc_md5, &enctype_old_des3_cbc_sha1, #endif -#ifdef WEAK_ENCTYPES +#ifdef HEIM_WEAK_CRYPTO &enctype_des_cbc_crc, &enctype_des_cbc_md4, &enctype_des_cbc_md5,