From b19f2a8984321c3e20a29c8a76456cecb99bccca Mon Sep 17 00:00:00 2001 From: Tom Yu Date: Tue, 5 Jan 2010 02:47:58 +0000 Subject: disable weak crypto by default Set allow_weak_crypto=false by default. Set default master key enctype to sha256. Adjust test suite to compensate. ticket: 6621 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23586 dc483132-0cff-0310-8789-dd5450dbe970 --- src/lib/krb5/krb/decrypt_tk.c | 3 +++ src/lib/krb5/krb/init_ctx.c | 2 +- 2 files changed, 4 insertions(+), 1 deletion(-) (limited to 'src/lib') diff --git a/src/lib/krb5/krb/decrypt_tk.c b/src/lib/krb5/krb/decrypt_tk.c index c06353b9e..7ce411552 100644 --- a/src/lib/krb5/krb/decrypt_tk.c +++ b/src/lib/krb5/krb/decrypt_tk.c @@ -49,6 +49,9 @@ krb5_decrypt_tkt_part(krb5_context context, const krb5_keyblock *srv_key, regist if (!krb5_c_valid_enctype(ticket->enc_part.enctype)) return KRB5_PROG_ETYPE_NOSUPP; + if (!krb5_is_permitted_enctype(context, ticket->enc_part.enctype)) + return KRB5_NOPERM_ETYPE; + scratch.length = ticket->enc_part.ciphertext.length; if (!(scratch.data = malloc(ticket->enc_part.ciphertext.length))) return(ENOMEM); diff --git a/src/lib/krb5/krb/init_ctx.c b/src/lib/krb5/krb/init_ctx.c index 8f6a1b3dc..2c2beb6bf 100644 --- a/src/lib/krb5/krb/init_ctx.c +++ b/src/lib/krb5/krb/init_ctx.c @@ -165,7 +165,7 @@ init_common (krb5_context *context, krb5_boolean secure, krb5_boolean kdc) goto cleanup; retval = profile_get_boolean(ctx->profile, KRB5_CONF_LIBDEFAULTS, - KRB5_CONF_ALLOW_WEAK_CRYPTO, NULL, 1, &tmp); + KRB5_CONF_ALLOW_WEAK_CRYPTO, NULL, 0, &tmp); if (retval) goto cleanup; ctx->allow_weak_crypto = tmp; -- cgit