Default allow_weak_crypto=true for now. Default supported_enctypes to
authorTom Yu <tlyu@mit.edu>
Sat, 31 Jan 2009 03:57:20 +0000 (03:57 +0000)
committerTom Yu <tlyu@mit.edu>
Sat, 31 Jan 2009 03:57:20 +0000 (03:57 +0000)
exclude single-DES enctypes.

ticket: 6353
status: open

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@21851 dc483132-0cff-0310-8789-dd5450dbe970

src/include/osconf.hin
src/lib/kadm5/alt_prof.c
src/lib/krb5/krb/init_ctx.c

index 6feb22338ae4c6d88d4b20f10de398102d624604..339e4b228dd0002bb00cb7f06720cb238fa48eb7 100644 (file)
 #define DEFAULT_KADM5_ACL_FILE "@LOCALSTATEDIR/krb5kdc/kadm5.acl"
 #define DEFAULT_KADM5_PORT     749 /* assigned by IANA */
 
+#define KRB5_DEFAULT_SUPPORTED_ENCTYPES                        \
+       "aes256-cts-hmac-sha1-96:normal "               \
+       "aes128-cts-hmac-sha1-96:normal "               \
+       "des3-cbc-sha1:normal arcfour-hmac-md5:normal"
+
 #define MAX_DGRAM_SIZE 4096
 #define MAX_SKDC_TIMEOUT 30
 #define SKDC_TIMEOUT_SHIFT 2           /* left shift of timeout for backoff */
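Review bot: The new KRB5_DEFAULT_SUPPORTED_ENCTYPES macro carries no comment saying what it is the default for or why single-DES types are absent, so a maintainer editing the list later has only the commit message to go on. A comment above the #define would keep that intent with the code: `/* Default for the KDC's supported_enctypes parameter; single-DES enctypes are intentionally omitted (ticket 6353). */`. The trailing space inside each of the first three string literals is what separates the entries once the adjacent literals are concatenated, which is easy to lose when an entry is added or removed; a short remark on that, such as `/* entries are space-separated; keep the trailing space on each line */`, would prevent a silent merge of two entries into one token. Of the remaining entries, arcfour-hmac-md5 is the weakest, so it is the natural next candidate for review when this default is revisited.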
index ae9d84c7f489696981bbb90c752780400d1b3c56..7ad59ab4d0e0053a5f83ba874742820ee79586f3 100644 (file)
@@ -749,7 +749,7 @@ krb5_error_code kadm5_get_config_params(context, use_kdc_config,
          if (aprofile)
               krb5_aprof_get_string(aprofile, hierarchy, TRUE, &svalue);
          if (svalue == NULL)
-             svalue = strdup("des3-hmac-sha1:normal des-cbc-crc:normal");
+             svalue = strdup(KRB5_DEFAULT_SUPPORTED_ENCTYPES);
 
          params.keysalts = NULL;
          params.num_keysalts = 0;
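Review bot: The strdup() on the changed line can return NULL on allocation failure, and nothing in the hunk checks svalue before the code that follows uses it; the old default had the same gap, but the commit rewrites exactly this line. After the strdup, a NULL check that takes the function's existing error path with ENOMEM would close it, e.g. `if (svalue == NULL) { /* set the function's error code to ENOMEM and go to its cleanup label */ }`. kadm5_get_config_params begins and continues outside the hunk, so the exact error variable and cleanup label are not visible here. This line also presumably relies on alt_prof.c already including the header that now defines KRB5_DEFAULT_SUPPORTED_ENCTYPES; the include list is not in the hunk, so that is worth confirming.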
index bab143e6f86aef4494faaef155b4fdbb45d5512e..69f7ad887d958fd3f61cc1d62cff1abd257eea01 100644 (file)
@@ -172,7 +172,7 @@ init_common (krb5_context *context, krb5_boolean secure, krb5_boolean kdc)
                goto cleanup;
 
        retval = profile_get_boolean(ctx->profile, "libdefaults",
-                                    "allow_weak_crypto", NULL, 0, &tmp);
+                                    "allow_weak_crypto", NULL, 1, &tmp);
        if (retval)
                goto cleanup;
        ctx->allow_weak_crypto = tmp;
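Review bot: The literal `1` now passed as the profile default for allow_weak_crypto gives no hint that the commit message describes it as a temporary setting ("for now"), so a reader of init_ctx.c cannot tell this is a compatibility default rather than the intended long-term value. A comment on the changed line would preserve that: `/* default TRUE for now (ticket 6353) */`. The risk worth recording alongside it is that, with this default on, the library presumably still accepts weak enctypes such as single-DES, so the new supported_enctypes default in osconf.hin only stops new DES keys from being generated and does not prevent existing DES keys from being used until this default is flipped. init_common's body continues outside the hunk.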