From 8a57d5cb08d920eb324380426db7422db7b23282 Mon Sep 17 00:00:00 2001
From: Russ Allbery
Date: Wed, 27 Jan 2010 20:39:21 -0800
Subject: [PATCH] Add krb5_allow_weak_crypto API to enable weak enctypes

Add krb5_allow_weak_crypto parallel to the API introduced in MIT Kerberos 1.8. Enables or disables all enctypes marked as weak. Add a new enctype flag marking weak enctypes (all of the ones that are disabled by default).

Signed-off-by: Love Hornquist Astrand
---
 lib/krb5/crypto.c | 40 ++++++++++++++++++++++++++++-----
 lib/krb5/libkrb5-exports.def.in | 1 +
 lib/krb5/version-script.map | 1 +
 3 files changed, 36 insertions(+), 6 deletions(-)

diff --git a/lib/krb5/crypto.c b/lib/krb5/crypto.c
index c641ddc60..8b33ffec7 100644
--- a/lib/krb5/crypto.c
+++ b/lib/krb5/crypto.c
@@ -67,6 +67,7 @@ struct krb5_crypto_data {
 #define F_PSEUDO 16 /* not a real protocol type */
 #define F_SPECIAL 32 /* backwards */
 #define F_DISABLED 64 /* enctype/checksum disabled */
+#define F_WEAK 128 /* enctype is considered weak */
 
 struct salt_type {
     krb5_salttype type;
@@ -2612,7 +2613,7 @@ static struct encryption_type enctype_des_cbc_crc = {
     &keytype_des,
     &checksum_crc32,
     NULL,
-    F_DISABLED,
+    F_DISABLED|F_WEAK,
     evp_des_encrypt_key_ivec,
     0,
     NULL
@@ -2626,7 +2627,7 @@ static struct encryption_type enctype_des_cbc_md4 = {
     &keytype_des,
     &checksum_rsa_md4,
     &checksum_rsa_md4_des,
-    F_DISABLED,
+    F_DISABLED|F_WEAK,
     evp_des_encrypt_null_ivec,
     0,
     NULL
@@ -2640,7 +2641,7 @@ static struct encryption_type enctype_des_cbc_md5 = {
     &keytype_des,
     &checksum_rsa_md5,
     &checksum_rsa_md5_des,
-    F_DISABLED,
+    F_DISABLED|F_WEAK,
     evp_des_encrypt_null_ivec,
     0,
     NULL
@@ -2654,7 +2655,7 @@ static struct encryption_type enctype_des_cbc_none = {
     &keytype_des,
     &checksum_none,
     NULL,
-    F_PSEUDO|F_DISABLED,
+    F_PSEUDO|F_DISABLED|F_WEAK,
     evp_des_encrypt_null_ivec,
     0,
     NULL
@@ -2668,7 +2669,7 @@ static struct encryption_type enctype_des_cfb64_none = {
     &keytype_des_old,
     &checksum_none,
     NULL,
-    F_PSEUDO|F_DISABLED,
+    F_PSEUDO|F_DISABLED|F_WEAK,
     DES_CFB64_encrypt_null_ivec,
     0,
     NULL
@@ -2682,7 +2683,7 @@ static struct encryption_type enctype_des_pcbc_none = {
     &keytype_des_old,
     &checksum_none,
     NULL,
-    F_PSEUDO|F_DISABLED,
+    F_PSEUDO|F_DISABLED|F_WEAK,
     DES_PCBC_encrypt_key_ivec,
     0,
     NULL
@@ -4402,6 +4403,33 @@ krb5_enctype_enable(krb5_context context,
     return 0;
 }
 
+/**
+ * Enable or disable all weak encryption types
+ *
+ * @param context Kerberos 5 context
+ * @param enable true to enable, false to disable
+ *
+ * @return Return an error code or 0.
+ *
+ * @ingroup krb5_crypto
+ */
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_allow_weak_crypto(krb5_context context,
+		       krb5_boolean enable)
+{
+    int i;
+
+    for(i = 0; i < num_etypes; i++)
+	if(etypes[i]->flags & F_WEAK) {
+	    if(enable)
+		etypes[i]->flags &= ~F_DISABLED;
+	    else
+		etypes[i]->flags |= F_DISABLED;
+	}
+    return 0;
+}
+
 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_string_to_key_derived(krb5_context context,
diff --git a/lib/krb5/libkrb5-exports.def.in b/lib/krb5/libkrb5-exports.def.in
index 9286841b2..e93a752ab 100644
--- a/lib/krb5/libkrb5-exports.def.in
+++ b/lib/krb5/libkrb5-exports.def.in
@@ -21,6 +21,7 @@ EXPORTS
 	krb5_address_order
 	krb5_address_prefixlen_boundary
 	krb5_address_search
+	krb5_allow_weak_crypto
 	krb5_aname_to_localname
 	krb5_anyaddr
 	krb5_appdefault_boolean
diff --git a/lib/krb5/version-script.map b/lib/krb5/version-script.map
index e9a799268..22d6df68d 100644
--- a/lib/krb5/version-script.map
+++ b/lib/krb5/version-script.map
@@ -20,6 +20,7 @@ HEIMDAL_KRB5_2.0 {
 		krb5_address_order;
 		krb5_address_prefixlen_boundary;
 		krb5_address_search;
+		krb5_allow_weak_crypto;
 		krb5_aname_to_localname;
 		krb5_anyaddr;
 		krb5_appdefault_boolean;
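Review bot: krb5_allow_weak_crypto takes a krb5_context but never reads it; the loop writes `etypes[i]->flags` in a table indexed by `num_etypes` rather than anything derived from `context`, so the toggle appears to be process-wide (every context in the process sees it) and the doc comment should say so, with the unused parameter marked `(void)context; /* flags live in the library-wide etypes table */`. Because it unconditionally clears F_DISABLED on every F_WEAK entry, `krb5_allow_weak_crypto(ctx, TRUE)` also re-enables a weak enctype that the application had individually disabled earlier (the per-enctype toggling API whose tail, krb5_enctype_enable, is visible in the hunk header presumably flips the same F_DISABLED bit) and the F_PSEUDO DES variants this patch marks weak, so callers should treat it as a blanket legacy-realm opt-in; a sentence such as `* Affects the library-wide enctype table, not just this context, and overrides any earlier per-enctype enable/disable of the weak types.` would make that explicit. The `@return` text promises an error code, but the function can only return 0; state that or drop the promise. The hunk's trailing context lines belong to krb5_string_to_key_derived, whose body continues outside the hunk.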