From: Russ Allbery Date: Fri, 22 Jan 2010 19:04:10 +0000 (-0800) Subject: Enable weak enctypes for aklog if supported by Kerberos X-Git-Tag: openafs-stable-1_4_12pre2~4 X-Git-Url: https://git.michaelhowe.org/gitweb/?a=commitdiff_plain;h=d22e6c08bea7192603e94e751d6e38ae49d04951;p=packages%2Fo%2Fopenafs.git Enable weak enctypes for aklog if supported by Kerberos Current versions of both MIT Kerberos and Heimdal disable DES enctypes by default, but DES enctypes are still required for AFS service tickets. Probe for either krb5_allow_weak_crypto() (MIT Kerberos 1.8) or krb5_enctype_enable() (Heimdal) and, if found, call them to enable DES enctypes. If neither is found, assume that the Kerberos libraries are old enough that DES is enabled by default. Change-Id: Ib5231bb7c2fe88f4c424628394ed08122d5710a1 Reviewed-on: http://gerrit.openafs.org/1141 Reviewed-by: Derrick Brashear Tested-by: Derrick Brashear (cherry picked from commit cb4b62a40352ccebae3a299f4327fa70fc7a0c5c) Reviewed-on: http://gerrit.openafs.org/1145 Tested-by: Russ Allbery
---
diff --git a/src/aklog/aklog_main.c b/src/aklog/aklog_main.c
index e6cee5531..a3df62b61 100644
--- a/src/aklog/aklog_main.c
+++ b/src/aklog/aklog_main.c
@@ -1258,6 +1258,19 @@ void aklog(int argc, char *argv[])
 krb5_init_context(&context);
 initialize_ktc_error_table ();
+ /*
+ * Enable DES enctypes, which are currently still required for AFS.
+ * krb5_allow_weak_crypto is MIT Kerberos 1.8. krb5_enctype_enable is
+ * Heimdal.
+ */
+#if defined(HAVE_KRB5_ALLOW_WEAK_CRYPTO)
+ krb5_allow_weak_crypto(context, 1);
+#elif defined(HAVE_KRB5_ENCTYPE_ENABLE)
+ i = krb5_enctype_valid(context, ETYPE_DES_CBC_CRC);
+ if (i)
+ krb5_enctype_enable(context, ETYPE_DES_CBC_CRC);
+#endif
+
 /* Initialize list of cells to which we have authenticated */
 (void)ll_init(&authedcells);
diff --git a/src/cf/kerberos.m4 b/src/cf/kerberos.m4
index f0bed24e3..8ddffe0ea 100644
--- a/src/cf/kerberos.m4
+++ b/src/cf/kerberos.m4
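Review bot: The results of `krb5_allow_weak_crypto(context, 1)` and `krb5_enctype_enable(context, ETYPE_DES_CBC_CRC)` are discarded in the new `#if`/`#elif` block, so if the library declines to enable DES the failure would only surface later as a ticket error with no hint that weak enctypes were the cause; testing the result, e.g. `if (krb5_allow_weak_crypto(context, 1) != 0)` followed by a warning on stderr, would make that diagnosable. The block also appears to turn single-DES back on for every use of this context regardless of an administrator's `allow_weak_crypto` setting, and the MIT branch enables all weak enctypes while the Heimdal branch enables only `ETYPE_DES_CBC_CRC`; the comment should state that override and asymmetry so it is revisited once AFS no longer needs DES. In the Heimdal branch `if (i)` reads as "if valid", but `krb5_enctype_valid` presumably returns non-zero when the enctype is not usable, which deserves a short comment such as `/* non-zero: DES-CBC-CRC is currently disabled */`. aklog()'s body begins and ends outside the hunk, so the declaration of `i` and any later error reporting are not visible here.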
@@ -60,7 +60,7 @@ if test X$conf_krb5 = XYES; then
 CPPFLAGS="$CPPFLAGS $KRB5CFLAGS"
 save_LIBS="$LIBS"
 LIBS="$LIBS $KRB5LIBS"
- AC_CHECK_FUNCS([add_to_error_table add_error_table krb5_princ_size krb5_principal_get_comp_string encode_krb5_enc_tkt_part encode_krb5_ticket krb5_c_encrypt krb5_c_encrypt_length krb5_cc_register krb5_decode_ticket krb5_get_prompt_types])
+ AC_CHECK_FUNCS([add_to_error_table add_error_table krb5_princ_size krb5_principal_get_comp_string encode_krb5_enc_tkt_part encode_krb5_ticket krb5_c_encrypt krb5_c_encrypt_length krb5_cc_register krb5_decode_ticket krb5_get_prompt_types krb5_allow_weak_crypto krb5_enctype_enable])
 AC_CHECK_FUNCS([krb5_524_convert_creds], ,
 [AC_CHECK_FUNCS([krb524_convert_creds_kdc], ,
 [AC_CHECK_LIB([krb524], [krb524_convert_creds_kdc],