krb5int_des_string_to_key,
NULL, /*PRF*/
CKSUMTYPE_RSA_MD5,
- NULL /*AEAD*/ },
+ NULL, /*AEAD*/
+ ETYPE_WEAK },
{ ENCTYPE_DES_CBC_MD4,
"des-cbc-md4", { 0 }, "DES cbc mode with RSA-MD4",
&krb5int_enc_des, &krb5int_hash_md4,
krb5int_des_string_to_key,
NULL, /*PRF*/
CKSUMTYPE_RSA_MD4,
- NULL /*AEAD*/ },
+ NULL, /*AEAD*/
+ ETYPE_WEAK },
{ ENCTYPE_DES_CBC_MD5,
"des-cbc-md5", { "des" }, "DES cbc mode with RSA-MD5",
&krb5int_enc_des, &krb5int_hash_md5,
krb5int_des_string_to_key,
NULL, /*PRF*/
CKSUMTYPE_RSA_MD5,
- NULL /*AEAD*/ },
+ NULL, /*AEAD*/
+ ETYPE_WEAK },
{ ENCTYPE_DES_CBC_RAW,
"des-cbc-raw", { 0 }, "DES cbc mode raw",
&krb5int_enc_des, NULL,
krb5int_des_string_to_key,
NULL, /*PRF*/
0,
- &krb5int_aead_raw },
+ &krb5int_aead_raw,
+ ETYPE_WEAK },
{ ENCTYPE_DES3_CBC_RAW,
"des3-cbc-raw", { 0 }, "Triple DES cbc mode raw",
&krb5int_enc_des3, NULL,
krb5int_dk_string_to_key,
NULL, /*PRF*/
0,
- &krb5int_aead_raw },
+ &krb5int_aead_raw,
+ ETYPE_WEAK },
{ ENCTYPE_DES3_CBC_SHA1,
"des3-cbc-sha1", { "des3-hmac-sha1", "des3-cbc-sha1-kd" },
krb5int_dk_string_to_key,
NULL, /*PRF*/
CKSUMTYPE_HMAC_SHA1_DES3,
- &krb5int_aead_dk },
+ &krb5int_aead_dk,
+ 0 /*flags*/ },
{ ENCTYPE_DES_HMAC_SHA1,
"des-hmac-sha1", { 0 }, "DES with HMAC/sha1",
krb5int_dk_string_to_key,
NULL, /*PRF*/
0,
- NULL },
+ NULL,
+ ETYPE_WEAK },
{ ENCTYPE_ARCFOUR_HMAC,
"arcfour-hmac", { "rc4-hmac", "arcfour-hmac-md5" },
"ArcFour with HMAC/md5",
krb5_arcfour_decrypt, krb5int_arcfour_string_to_key,
NULL, /*PRF*/
CKSUMTYPE_HMAC_MD5_ARCFOUR,
- &krb5int_aead_arcfour },
+ &krb5int_aead_arcfour,
+ 0 /*flags*/ },
{ ENCTYPE_ARCFOUR_HMAC_EXP,
"arcfour-hmac-exp", { "rc4-hmac-exp", "arcfour-hmac-md5-exp" },
"Exportable ArcFour with HMAC/md5",
krb5_arcfour_decrypt, krb5int_arcfour_string_to_key,
NULL, /*PRF*/
CKSUMTYPE_HMAC_MD5_ARCFOUR,
- &krb5int_aead_arcfour },
+ &krb5int_aead_arcfour,
+ 0 /*flags*/ },
{ ENCTYPE_AES128_CTS_HMAC_SHA1_96,
"aes128-cts-hmac-sha1-96", { "aes128-cts" },
krb5int_aes_string_to_key,
krb5int_dk_prf,
CKSUMTYPE_HMAC_SHA1_96_AES128,
- &krb5int_aead_aes },
+ &krb5int_aead_aes,
+ 0 /*flags*/ },
{ ENCTYPE_AES256_CTS_HMAC_SHA1_96,
"aes256-cts-hmac-sha1-96", { "aes256-cts" },
"AES-256 CTS mode with 96-bit SHA-1 HMAC",
krb5int_aes_string_to_key,
krb5int_dk_prf,
CKSUMTYPE_HMAC_SHA1_96_AES256,
- &krb5int_aead_aes },
+ &krb5int_aead_aes,
+ 0 /*flags*/ },
};
const int krb5_enctypes_length =
if ((retval = krb5_os_init_context(ctx, kdc)))
goto cleanup;
+ retval = profile_get_boolean(ctx->profile, "libdefaults",
+ "allow_weak_crypto", NULL, 0, &tmp);
+ if (retval)
+ goto cleanup;
+ ctx->allow_weak_crypto = tmp;
+
/* initialize the prng (not well, but passable) */
if ((retval = krb5_c_random_os_entropy( ctx, 0, NULL)) !=0)
goto cleanup;
for (i = 0; ktypes[i]; i++) {
if (!krb5_c_valid_enctype(ktypes[i]))
return KRB5_PROG_ETYPE_NOSUPP;
+ if (!context->allow_weak_crypto && krb5_c_weak_enctype(ktypes[i]))
+ return KRB5_PROG_ETYPE_NOSUPP;
}
/* Now copy the default ktypes into the context pointer */
unsigned int ctx_count, krb5_enctype *ctx_list)
{
krb5_enctype *old_ktypes;
+ krb5_enctype ktype;
if (ctx_count) {
/* application-set defaults */
j = 0;
i = 1;
while (1) {
- if (! krb5_string_to_enctype(sp, &old_ktypes[j]))
+ if (!krb5_string_to_enctype(sp, &ktype) &&
+ (context->allow_weak_crypto || !krb5_c_weak_enctype(ktype))) {
+ old_ktypes[j] = ktype;
j++;
-
+ }
if (i++ >= count)
break;
for (i = 0; ktypes[i]; i++) {
if (!krb5_c_valid_enctype(ktypes[i]))
return KRB5_PROG_ETYPE_NOSUPP;
+ if (!context->allow_weak_crypto && krb5_c_weak_enctype(ktypes[i]))
+ return KRB5_PROG_ETYPE_NOSUPP;
}
/* Now copy the default ktypes into the context pointer */