Current versions of both MIT Kerberos and Heimdal disable DES enctypes
by default, but DES enctypes are still required for AFS service tickets.
Probe for either krb5_allow_weak_crypto() (MIT Kerberos 1.8) or
krb5_enctype_enable() (Heimdal) and, if found, call them to enable DES
enctypes. If neither is found, assume that the Kerberos libraries are
old enough that DES is enabled by default.
Change-Id: Ib5231bb7c2fe88f4c424628394ed08122d5710a1
Reviewed-on: http://gerrit.openafs.org/1141
Reviewed-by: Derrick Brashear <shadow@dementia.org>
Tested-by: Derrick Brashear <shadow@dementia.org>
initialize_ktc_error_table ();
afs_set_com_err_hook(redirect_errors);
+ /*
+ * Enable DES enctypes, which are currently still required for AFS.
+ * krb5_allow_weak_crypto is MIT Kerberos 1.8. krb5_enctype_enable is
+ * Heimdal.
+ */
+#if defined(HAVE_KRB5_ALLOW_WEAK_CRYPTO)
+ krb5_allow_weak_crypto(context, 1);
+#elif defined(HAVE_KRB5_ENCTYPE_ENABLE)
+ i = krb5_enctype_valid(context, ETYPE_DES_CBC_CRC);
+ if (i)
+ krb5_enctype_enable(context, ETYPE_DES_CBC_CRC);
+#endif
+
/* Initialize list of cells to which we have authenticated */
(void)ll_init(&authedcells);
CPPFLAGS="$CPPFLAGS $KRB5CFLAGS"
save_LIBS="$LIBS"
LIBS="$LIBS $KRB5LIBS"
- AC_CHECK_FUNCS([add_to_error_table add_error_table krb5_princ_size krb5_principal_get_comp_string encode_krb5_enc_tkt_part encode_krb5_ticket krb5_c_encrypt krb5_decode_ticket krb5_get_prompt_types])
+ AC_CHECK_FUNCS([add_to_error_table add_error_table krb5_princ_size krb5_principal_get_comp_string encode_krb5_enc_tkt_part encode_krb5_ticket krb5_c_encrypt krb5_decode_ticket krb5_get_prompt_types krb5_allow_weak_crypto krb5_enctype_enable])
AC_CHECK_FUNCS([krb5_524_convert_creds], ,
[AC_CHECK_FUNCS([krb524_convert_creds_kdc], ,
[AC_CHECK_LIB([krb524], [krb524_convert_creds_kdc],