From 85831245154afc19da31bb86d21e64376ec11f94 Mon Sep 17 00:00:00 2001
From: Jeffrey Altman
Date: Sat, 24 Sep 2011 11:12:09 -0400
Subject: [PATCH] Windows: add krb5_enctype_enable(DES) calls

Heimdal disables DES by default. Enable DES-CBC-CRC by calling krb5_enctype_enable() so that the active profile does not require [libdefaults] allow_weak_enctypes = 1

Change-Id: I75d7b6bd7269081c7b1fcaafe05074dcdcc9a7e0
Reviewed-on: http://gerrit.openafs.org/5501
Tested-by: BuildBot
Reviewed-by: Jeffrey Altman
Tested-by: Jeffrey Altman
---
 src/WINNT/afsd/afskfw-int.h | 2 ++
 src/WINNT/afsd/afskfw.c | 23 +++++++++++++++++++++++
 src/WINNT/aklog/aklog.c | 2 ++
 src/WINNT/aklog/asetkey.c | 3 +++
 src/WINNT/netidmgr_plugin/krb5common.c | 3 +++
 5 files changed, 33 insertions(+)

diff --git a/src/WINNT/afsd/afskfw-int.h b/src/WINNT/afsd/afskfw-int.h
index 81428f95df..3213042075 100644
--- a/src/WINNT/afsd/afskfw-int.h
+++ b/src/WINNT/afsd/afskfw-int.h
@@ -170,4 +170,6 @@ DWORD KFW_get_default_mslsa_import(krb5_context);
 DWORD KFW_get_default_lifetime(krb5_context, const char *);
+void KFW_enable_DES(krb5_context);
+
 #endif /* AFSKFW_INT_H */
diff --git a/src/WINNT/afsd/afskfw.c b/src/WINNT/afsd/afskfw.c
index 7bcb71233c..2833b61d03 100644
--- a/src/WINNT/afsd/afskfw.c
+++ b/src/WINNT/afsd/afskfw.c
@@ -160,6 +160,8 @@ KFW_initialize(void)
 if ( KFW_is_available() ) {
 char rootcell[CELL_MAXNAMELEN+1];
+
+ KFW_enable_DES(NULL);
 #ifdef USE_MS2MIT
 KFW_import_windows_lsa();
 #endif /* USE_MS2MIT */
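Review bot: The `KFW_enable_DES(NULL);` call added to KFW_initialize re-enables single DES unconditionally, overriding both the library default and an administrator who deliberately left `allow_weak_enctypes` unset, and nothing at the call site says why or offers a way to opt out; the same holds for the calls added in aklog.c, asetkey.c and krb5common.c. Because NULL is passed, the helper enables DES on a temporary context and frees it straight away, so the call only has an effect if krb5_enctype_enable() changes library-wide state, which is presumably the intent. I would add a comment such as `/* AFS needs DES-CBC-CRC; the enable is assumed to be process-wide, so a temporary context suffices */` and consider gating the call on a site setting so DES can stay off where it is not required. KFW_initialize starts and ends outside this hunk.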
@@ -1084,6 +1086,27 @@ KFW_import_ccache_data(void)
 krb5_free_context(context);
 }
+void
+KFW_enable_DES(krb5_context alt_context)
+{
+ krb5_context context;
+ krb5_error_code code;
+
+ if ( alt_context ) {
+ context = alt_context;
+ } else {
+ code = krb5_init_context(&context);
+ if (code) goto cleanup;
+ }
+
+ if (krb5_enctype_valid(context, ETYPE_DES_CBC_CRC))
+ krb5_enctype_enable(context, ETYPE_DES_CBC_CRC);
+
+ cleanup:
+ if (context && (context != alt_context))
+ krb5_free_context(context);
+}
+
 int KFW_AFS_get_cred( char * username,
diff --git a/src/WINNT/aklog/aklog.c b/src/WINNT/aklog/aklog.c
index ecfa5ddef0..ddc86cfbf2 100644
--- a/src/WINNT/aklog/aklog.c
+++ b/src/WINNT/aklog/aklog.c
@@ -1605,6 +1605,8 @@ int main(int argc, char *argv[])
 validate_krb5_availability();
 if (krb5_init_context(&context)) return(AKLOG_KERBEROS);
+ if (krb5_enctype_valid(context, ETYPE_DES_CBC_CRC))
+ krb5_enctype_enable(context, ETYPE_DES_CBC_CRC);
 } else validate_krb4_availability();
 afs_set_com_err_hook(redirect_errors);
diff --git a/src/WINNT/aklog/asetkey.c b/src/WINNT/aklog/asetkey.c
index 51b8ecffb3..6421525f04 100644
--- a/src/WINNT/aklog/asetkey.c
+++ b/src/WINNT/aklog/asetkey.c
@@ -97,6 +97,7 @@ main(int argc, char **argv)
 printf("asetkey: can't initialize conf dir '%s'\n", confdir);
 exit(1);
 }
+
 if (strcmp(argv[1], "add")==0) {
 krb5_context context;
 krb5_principal principal;
@@ -110,6 +111,8 @@ main(int argc, char **argv)
 }
 krb5_init_context(&context);
+ if (krb5_enctype_valid(context, ETYPE_DES_CBC_CRC))
+ krb5_enctype_enable(context, ETYPE_DES_CBC_CRC);
 kvno = atoi(argv[2]);
 retval = krb5_parse_name(context, argv[4], &principal);
diff --git a/src/WINNT/netidmgr_plugin/krb5common.c b/src/WINNT/netidmgr_plugin/krb5common.c
index 90dd94ff43..f80d92c6a3 100644
--- a/src/WINNT/netidmgr_plugin/krb5common.c
+++ b/src/WINNT/netidmgr_plugin/krb5common.c
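Review bot: In the new KFW_enable_DES() in afskfw.c, `context` is declared without an initializer, so when krb5_init_context() fails the `goto cleanup` path tests, and may free, a pointer that was never set, unless the library happens to clear it on failure. Declaring it as `krb5_context context = NULL;` makes the cleanup test well defined. `code` is otherwise unused and the function returns void, so a failure to enable DES is silent; a debug log line at `cleanup:` would make later ticket errors easier to trace.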
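Review bot: The test added in aklog.c's main(), `if (krb5_enctype_valid(context, ETYPE_DES_CBC_CRC))`, reads as "if DES is valid, enable it", which is the opposite of what happens if, as in Heimdal, krb5_enctype_valid() returns a krb5_error_code where 0 means usable. A one-line comment such as `/* non-zero: DES-CBC-CRC is currently disabled or unknown */` would prevent a well-meant correction of the condition; the identical pair of lines in asetkey.c, krb5common.c and KFW_enable_DES() needs the same comment. The return value of krb5_enctype_enable() is also dropped in all four places. main() starts and ends outside this hunk.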
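Review bot: In asetkey.c's main() (second hunk) the new krb5_enctype_valid()/krb5_enctype_enable() calls use `context` immediately after `krb5_init_context(&context);`, whose result is not checked, so a failed initialisation now reaches two more library calls with an unset pointer. aklog.c checks the same call before enabling DES; here the line could become `if (krb5_init_context(&context)) { printf("asetkey: can't initialize Kerberos context\n"); exit(1); }`. The unchecked call predates this patch, and main() continues outside the hunk.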
@@ -114,6 +114,9 @@ khm_krb5_initialize(khm_handle ident,
 goto on_error;
 }
+ if (krb5_enctype_valid(*ctx, ETYPE_DES_CBC_CRC))
+ krb5_enctype_enable(*ctx, ETYPE_DES_CBC_CRC);
+
 if(*cache == 0) {
 wchar_t wccname[MAX_PATH];
 khm_size cbwccname;
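Review bot: The enable added to khm_krb5_initialize() runs inside the NetIDMgr plugin (per the file path), so its scope matters more here than in the command-line tools: if krb5_enctype_enable() acts on library-wide state, as the `KFW_enable_DES(NULL)` call in afskfw.c seems to assume, DES-CBC-CRC becomes usable for every Kerberos consumer in the host process, not only for AFS token requests. That should be confirmed and recorded at the call, for example `/* NOTE: enables DES-CBC-CRC for the whole process, not just *ctx */`, so that anyone auditing weak-crypto exposure can find it. khm_krb5_initialize starts and ends outside this hunk.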