Windows: add krb5_enctype_enable(DES) calls

Heimdal disables DES by default. Enable DES-CBC-CRC by calling krb5_enctype_enable() so that the active profile does not require [libdefaults] allow_weak_enctypes = 1 Change-Id: I75d7b6bd7269081c7b1fcaafe05074dcdcc9a7e0 Reviewed-on: http://gerrit.openafs.org/5501 Tested-by: BuildBot <buildbot@rampaginggeek.com> Reviewed-by: Jeffrey Altman <jaltman@openafs.org> Tested-by: Jeffrey Altman <jaltman@openafs.org>
2025-01-22 17:00:15 +00:00 · 2011-09-24 11:12:09 -04:00 · 2011-09-24 11:12:09 -04:00 · 8583124515
commit 8583124515
parent 4251e386aa
5 changed files with 33 additions and 0 deletions
--- a/src/WINNT/afsd/afskfw-int.h
+++ b/src/WINNT/afsd/afskfw-int.h
@ -170,4 +170,6 @@ DWORD KFW_get_default_mslsa_import(krb5_context);

 DWORD KFW_get_default_lifetime(krb5_context, const char *);

+void KFW_enable_DES(krb5_context);
+
 #endif /* AFSKFW_INT_H */
--- a/src/WINNT/afsd/afskfw.c
+++ b/src/WINNT/afsd/afskfw.c
@ -160,6 +160,8 @@ KFW_initialize(void)

            if ( KFW_is_available() ) {
                char rootcell[CELL_MAXNAMELEN+1];
+
+                KFW_enable_DES(NULL);
 #ifdef USE_MS2MIT
                KFW_import_windows_lsa();
 #endif /* USE_MS2MIT */
@ -1084,6 +1086,27 @@ KFW_import_ccache_data(void)
        krb5_free_context(context);
 }

+void
+KFW_enable_DES(krb5_context alt_context)
+{
+    krb5_context context;
+    krb5_error_code code;
+
+    if ( alt_context ) {
+        context = alt_context;
+    } else {
+        code = krb5_init_context(&context);
+        if (code) goto cleanup;
+    }
+
+    if (krb5_enctype_valid(context, ETYPE_DES_CBC_CRC))
+        krb5_enctype_enable(context, ETYPE_DES_CBC_CRC);
+
+  cleanup:
+    if (context && (context != alt_context))
+        krb5_free_context(context);
+}
+

 int
 KFW_AFS_get_cred( char * username,
--- a/src/WINNT/aklog/aklog.c
+++ b/src/WINNT/aklog/aklog.c
@ -1605,6 +1605,8 @@ int main(int argc, char *argv[])
        validate_krb5_availability();
        if (krb5_init_context(&context))
            return(AKLOG_KERBEROS);
+        if (krb5_enctype_valid(context, ETYPE_DES_CBC_CRC))
+            krb5_enctype_enable(context, ETYPE_DES_CBC_CRC);
    } else
        validate_krb4_availability();
    afs_set_com_err_hook(redirect_errors);
--- a/src/WINNT/aklog/asetkey.c
+++ b/src/WINNT/aklog/asetkey.c
@ -97,6 +97,7 @@ main(int argc, char **argv)
 	printf("asetkey: can't initialize conf dir '%s'\n", confdir);
 	exit(1);
    }
+
    if (strcmp(argv[1], "add")==0) {
 	krb5_context context;
 	krb5_principal principal;
@ -110,6 +111,8 @@ main(int argc, char **argv)
 	}

 	krb5_init_context(&context);
+        if (krb5_enctype_valid(context, ETYPE_DES_CBC_CRC))
+            krb5_enctype_enable(context, ETYPE_DES_CBC_CRC);

 	kvno = atoi(argv[2]);
 	retval = krb5_parse_name(context, argv[4], &principal);
--- a/src/WINNT/netidmgr_plugin/krb5common.c
+++ b/src/WINNT/netidmgr_plugin/krb5common.c
@ -114,6 +114,9 @@ khm_krb5_initialize(khm_handle ident,
        goto on_error;
    }

+    if (krb5_enctype_valid(*ctx, ETYPE_DES_CBC_CRC))
+        krb5_enctype_enable(*ctx, ETYPE_DES_CBC_CRC);
+
    if(*cache == 0) {
        wchar_t wccname[MAX_PATH];
        khm_size cbwccname;