svn rev #21851: trunk/src/ include/ lib/kadm5/ lib/krb5/krb/

tlyu@MIT.EDU tlyu at MIT.EDU
Fri Jan 30 22:57:22 EST 2009


http://src.mit.edu/fisheye/changelog/krb5/?cs=21851
Commit By: tlyu
Log Message:
ticket: 6353
status: open

Default allow_weak_crypto=true for now.  Default supported_enctypes to
exclude single-DES enctypes.


Changed Files:
U   trunk/src/include/osconf.hin
U   trunk/src/lib/kadm5/alt_prof.c
U   trunk/src/lib/krb5/krb/init_ctx.c
Modified: trunk/src/include/osconf.hin
===================================================================
--- trunk/src/include/osconf.hin	2009-01-31 02:55:25 UTC (rev 21850)
+++ trunk/src/include/osconf.hin	2009-01-31 03:57:20 UTC (rev 21851)
@@ -101,6 +101,11 @@
 #define DEFAULT_KADM5_ACL_FILE	"@LOCALSTATEDIR/krb5kdc/kadm5.acl"
 #define DEFAULT_KADM5_PORT	749 /* assigned by IANA */
 
+#define KRB5_DEFAULT_SUPPORTED_ENCTYPES			\
+	"aes256-cts-hmac-sha1-96:normal "		\
+	"aes128-cts-hmac-sha1-96:normal "		\
+	"des3-cbc-sha1:normal arcfour-hmac-md5:normal"
+
 #define MAX_DGRAM_SIZE	4096
 #define MAX_SKDC_TIMEOUT 30
 #define SKDC_TIMEOUT_SHIFT 2		/* left shift of timeout for backoff */
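Review bot: KRB5_DEFAULT_SUPPORTED_ENCTYPES is added without a comment saying which setting it is the fallback for, or that single-DES is left out on purpose, so a later edit to the list could quietly put it back. A comment above the define such as `/* Fallback key/salt list for supported_enctypes when the profile sets none; single-DES is deliberately excluded. */` would record the intent. The list still carries `des3-cbc-sha1` and `arcfour-hmac-md5`, both of which RFC 8429 later deprecated, so anyone reusing this default today should trim it to the AES entries.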

Modified: trunk/src/lib/kadm5/alt_prof.c
===================================================================
--- trunk/src/lib/kadm5/alt_prof.c	2009-01-31 02:55:25 UTC (rev 21850)
+++ trunk/src/lib/kadm5/alt_prof.c	2009-01-31 03:57:20 UTC (rev 21851)
@@ -749,7 +749,7 @@
          if (aprofile)
               krb5_aprof_get_string(aprofile, hierarchy, TRUE, &svalue);
          if (svalue == NULL)
-             svalue = strdup("des3-hmac-sha1:normal des-cbc-crc:normal");
+             svalue = strdup(KRB5_DEFAULT_SUPPORTED_ENCTYPES);
 
          params.keysalts = NULL;
          params.num_keysalts = 0;
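Review bot: The result of `strdup(KRB5_DEFAULT_SUPPORTED_ENCTYPES)` is not checked in the visible lines, so if the allocation fails `svalue` stays NULL and whatever parses it after this hunk receives a null pointer. The consumer is outside the hunk, so the outcome is inferred, but it is either a crash or a realm configured with an empty key/salt list, and the second would be silent. A check directly after the call, along the lines of `if (svalue == NULL) return ENOMEM;` adapted to the function's existing error path, would make the failure explicit. The return value of `krb5_aprof_get_string` two lines earlier is likewise discarded; the enclosing function starts and ends outside this hunk.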

Modified: trunk/src/lib/krb5/krb/init_ctx.c
===================================================================
--- trunk/src/lib/krb5/krb/init_ctx.c	2009-01-31 02:55:25 UTC (rev 21850)
+++ trunk/src/lib/krb5/krb/init_ctx.c	2009-01-31 03:57:20 UTC (rev 21851)
@@ -172,7 +172,7 @@
 		goto cleanup;
 
 	retval = profile_get_boolean(ctx->profile, "libdefaults",
-				     "allow_weak_crypto", NULL, 0, &tmp);
+				     "allow_weak_crypto", NULL, 1, &tmp);
 	if (retval)
 		goto cleanup;
 	ctx->allow_weak_crypto = tmp;
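Review bot: The default passed to `profile_get_boolean` for `allow_weak_crypto` is now a bare `1`, so a context created without an explicit setting has weak crypto allowed, and nothing in the code marks this as temporary even though the log message says "for now". A comment on the call such as `/* XXX transitional default: weak crypto stays allowed unless the profile disables it; revisit per ticket 6353 */` would keep the fail-open default from becoming permanent by accident. Deployments that do not need single-DES should set `allow_weak_crypto = false` under `[libdefaults]` explicitly rather than rely on the built-in value. The enclosing function starts and ends outside this hunk.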



