From b575f7fa544c407ada7339359dcbc904d4faa6ae Mon Sep 17 00:00:00 2001
From: Julien Rische
Date: Fri, 4 Apr 2025 15:08:36 +0200
Subject: [PATCH] [downstream] Remove 3des support (cumulative 1)
Remove mentions for the triple-DES encryption type which were added since the previous downstream patch.
---
 README | 15 +++++++--------
 doc/admin/conf_files/krb5_conf.rst | 6 ------
 doc/admin/enctypes.rst | 11 ++---------
 doc/mitK5features.rst | 5 ++---
 src/include/k5-int.h | 2 --
 src/kdc/kdc_util.c | 2 --
 src/lib/krb5/krb/init_ctx.c | 5 -----
 src/man/krb5.conf.man | 6 ------
 src/tests/gssapi/t_enctypes.py | 5 ++---
 src/tests/t_etype_info.py | 4 ++--
 src/tests/t_sesskeynego.py | 8 --------
 src/util/k5test.py | 7 -------
 12 files changed, 15 insertions(+), 61 deletions(-)
diff --git a/README b/README
index 6d6f7f16e3..9341bd3dd8 100644
--- a/README
+++ b/README
@@ -81,11 +81,11 @@ Triple-DES and RC4 transitions
 ------------------------------
 Beginning with the krb5-1.21 release, the KDC will not issue tickets
-with triple-DES or RC4 session keys unless explicitly configured using
-the new allow_des3 and allow_rc4 variables in [libdefaults]. To
-facilitate the negotiation of session keys, the KDC will assume that
-all services can handle aes256-sha1 session keys unless the service
-principal has a session_enctypes string attribute.
+with RC4 session keys unless explicitly configured using the new
+allow_rc4 variable in [libdefaults]. To facilitate the negotiation of
+session keys, the KDC will assume that all services can handle
+aes256-sha1 session keys unless the service principal has a
+session_enctypes string attribute.
 Beginning with the krb5-1.19 release, a warning will be issued if initial credentials are acquired using the des3-cbc-sha1 encryption
@@ -164,9 +164,8 @@ Developer experience:
 Protocol evolution:
-* The KDC will no longer issue tickets with RC4 or triple-DES session
- keys unless explicitly configured with the new allow_rc4 or
- allow_des3 variables respectively.
+* The KDC will no longer issue tickets with RC4 session keys unless
+ explicitly configured with the new allow_rc4 variable.
 * The KDC will assume that all services can handle aes256-sha1 session keys unless the service principal has a session_enctypes string
diff --git a/doc/admin/conf_files/krb5_conf.rst b/doc/admin/conf_files/krb5_conf.rst
index d51fd3ce7e..d20dcf18e3 100644
--- a/doc/admin/conf_files/krb5_conf.rst
+++ b/doc/admin/conf_files/krb5_conf.rst
@@ -95,12 +95,6 @@ Additionally, krb5.conf may include any of the relations described in
 The libdefaults section may contain any of the following relations:
-**allow_des3**
- Permit the KDC to issue tickets with des3-cbc-sha1 session keys.
- In future releases, this flag will allow des3-cbc-sha1 to be used
- at all. The default value for this tag is false. (Added in
- release 1.21.)
-
 **allow_rc4**
 Permit the KDC to issue tickets with arcfour-hmac session keys.
 In future releases, this flag will allow arcfour-hmac to be used
diff --git a/doc/admin/enctypes.rst b/doc/admin/enctypes.rst
index 2b4ed7da0b..6ce4638d5e 100644
--- a/doc/admin/enctypes.rst
+++ b/doc/admin/enctypes.rst
@@ -49,8 +49,8 @@ The KDC chooses the session key enctype by taking the intersection of
 its **permitted_enctypes** list, the list of long-term keys for the most recent kvno of the service, and the client's requested list of enctypes. Starting in krb5-1.21, all services are assumed to support
-aes256-cts-hmac-sha1-96; also, des3-cbc-sha1 and arcfour-hmac session
-keys will not be issued by default.
+aes256-cts-hmac-sha1-96; also, arcfour-hmac session keys will not be
+issued by default.
 Starting in krb5-1.11, it is possible to set a string attribute on a service principal to control what session key enctypes the KDC may
@@ -90,13 +90,6 @@ affect how enctypes are chosen.
 acceptable risk for your environment and the weak enctypes are required for backward compatibility.
-**allow_des3**
- was added in release 1.21 and defaults to *false*. Unless this
- flag is set to *true*, the KDC will not issue tickets with
- des3-cbc-sha1 session keys. In a future release, this flag will
- control whether des3-cbc-sha1 is permitted in similar fashion to
- weak enctypes.
-
 **allow_rc4**
 was added in release 1.21 and defaults to *false*. Unless this
 flag is set to *true*, the KDC will not issue tickets with
diff --git a/doc/mitK5features.rst b/doc/mitK5features.rst
index cad0855724..64d746b0af 100644
--- a/doc/mitK5features.rst
+++ b/doc/mitK5features.rst
@@ -659,9 +659,8 @@ Release 1.21
 * Protocol evolution:
- - The KDC will no longer issue tickets with RC4 or triple-DES
- session keys unless explicitly configured with the new allow_rc4
- or allow_des3 variables respectively.
+ - The KDC will no longer issue tickets with RC4 session keys unless
+ explicitly configured with the new allow_rc4 variable.
 - The KDC will assume that all services can handle aes256-sha1 session keys unless the service principal has a session_enctypes
diff --git a/src/include/k5-int.h b/src/include/k5-int.h
index d0a263aa7d..82a763298d 100644
--- a/src/include/k5-int.h
+++ b/src/include/k5-int.h
@@ -181,7 +181,6 @@ typedef unsigned char u_char;
 * matches the variable name. Keep these alphabetized. */
 #define KRB5_CONF_ACL_FILE "acl_file"
 #define KRB5_CONF_ADMIN_SERVER "admin_server"
-#define KRB5_CONF_ALLOW_DES3 "allow_des3"
 #define KRB5_CONF_ALLOW_RC4 "allow_rc4"
 #define KRB5_CONF_ALLOW_WEAK_CRYPTO "allow_weak_crypto"
 #define KRB5_CONF_AUTH_TO_LOCAL "auth_to_local"
@@ -1243,7 +1242,6 @@ struct _krb5_context {
 struct _kdb_log_context *kdblog_context;
 krb5_boolean allow_weak_crypto;
- krb5_boolean allow_des3;
 krb5_boolean allow_rc4;
 krb5_boolean ignore_acceptor_hostname;
 krb5_boolean enforce_ok_as_delegate;
diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c
index c7b6e4090d..bafcf5f728 100644
--- a/src/kdc/kdc_util.c
+++ b/src/kdc/kdc_util.c
@@ -1113,8 +1113,6 @@ select_session_keytype(krb5_context context, krb5_db_entry *server,
 * unless they are explicitly allowed. In the future they will be more
 * comprehensively disabled and eventually removed. */
- if (ktype[i] == ENCTYPE_DES3_CBC_SHA1 && !context->allow_des3)
- continue;
 if (ktype[i] == ENCTYPE_ARCFOUR_HMAC && !context->allow_rc4)
 continue;
diff --git a/src/lib/krb5/krb/init_ctx.c b/src/lib/krb5/krb/init_ctx.c
index a32f8dbf03..82aba64c5e 100644
--- a/src/lib/krb5/krb/init_ctx.c
+++ b/src/lib/krb5/krb/init_ctx.c
@@ -220,11 +220,6 @@ krb5_init_context_profile(profile_t profile, krb5_flags flags,
 goto cleanup;
 ctx->allow_weak_crypto = tmp;
- retval = get_boolean(ctx, KRB5_CONF_ALLOW_DES3, 0, &tmp);
- if (retval)
- goto cleanup;
- ctx->allow_des3 = tmp;
-
 retval = get_boolean(ctx, KRB5_CONF_ALLOW_RC4, 0, &tmp);
 if (retval)
 goto cleanup;
diff --git a/src/man/krb5.conf.man b/src/man/krb5.conf.man
index 6c0e9aff8c..4b53988712 100644
--- a/src/man/krb5.conf.man
+++ b/src/man/krb5.conf.man
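Review bot: Dropping KRB5_CONF_ALLOW_DES3 here (and the matching get_boolean call removed in the init_ctx.c hunk further down this line) means a deployed krb5.conf that still carries `allow_des3 = true` is now silently ignored rather than rejected; libdefaults lookups appear to simply never read the relation, though nothing in this hunk shows how unknown keys are treated. Since the variable was documented as an explicit opt-in to a deprecated enctype, consider stating in the downstream release notes that the setting no longer has any effect, or emitting a one-time warning when it is present. The struct _krb5_context change shifts the following members, but the struct lives in the internal header, so no public ABI concern is visible from here.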
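Review bot: With the DES3 branch removed, select_session_keytype has no remaining default-off check for ENCTYPE_DES3_CBC_SHA1, so if that enctype can still reach this loop through the intersection of permitted_enctypes, the service's long-term keys and the client's request, it would now be chosen unconditionally instead of only when allow_des3 was set. That is only safe if the enctype is already filtered out before this point (presumably by the earlier downstream patch that removes des3 support); the hunk does not show that, so it is worth confirming with a test that a session_enctypes attribute naming des3-cbc-sha1 no longer yields a des3 session key. The comment above the surviving check still speaks of the enctypes in the plural (`unless they are explicitly allowed`) and could be narrowed to RC4, e.g. `* RC4 session keys are not issued unless explicitly allowed.`; the start of that comment and the rest of select_session_keytype lie outside the hunk.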
@@ -178,12 +178,6 @@ kdc.conf(5), but it is not a recommended practice.
 The libdefaults section may contain any of the following relations:
 .INDENT 0.0
 .TP
-\fBallow_des3\fP
-Permit the KDC to issue tickets with des3\-cbc\-sha1 session keys.
-In future releases, this flag will allow des3\-cbc\-sha1 to be used
-at all. The default value for this tag is false. (Added in
-release 1.21.)
-.TP
 \fBallow_rc4\fP
 Permit the KDC to issue tickets with arcfour\-hmac session keys.
 In future releases, this flag will allow arcfour\-hmac to be used
diff --git a/src/tests/gssapi/t_enctypes.py b/src/tests/gssapi/t_enctypes.py
index e6bde47afc..1bb8c40b6b 100755
--- a/src/tests/gssapi/t_enctypes.py
+++ b/src/tests/gssapi/t_enctypes.py
@@ -10,9 +10,8 @@ d_rc4 = 'DEPRECATED:arcfour-hmac'
 # These tests make assumptions about the default enctype lists, so set
 # them explicitly rather than relying on the library defaults.
-supp='aes256-cts:normal aes128-cts:normal des3-cbc-sha1:normal rc4-hmac:normal'
-conf = {'libdefaults': {'permitted_enctypes': 'aes des3 rc4',
- 'allow_des3': 'true', 'allow_rc4': 'true'},
+supp='aes256-cts:normal aes128-cts:normal rc4-hmac:normal'
+conf = {'libdefaults': {'permitted_enctypes': 'aes rc4', 'allow_rc4': 'true'},
 'realms': {'$realm': {'supported_enctypes': supp}}}
 realm = K5Realm(krb5_conf=conf)
 shutil.copyfile(realm.ccache, os.path.join(realm.testdir, 'save'))
diff --git a/src/tests/t_etype_info.py b/src/tests/t_etype_info.py
index 75d9621dd6..e82ff7ff07 100644
--- a/src/tests/t_etype_info.py
+++ b/src/tests/t_etype_info.py
@@ -1,7 +1,7 @@
 from k5test import *
-supported_enctypes = 'aes128-cts des3-cbc-sha1 rc4-hmac'
-conf = {'libdefaults': {'allow_des3': 'true', 'allow_rc4': 'true'},
+supported_enctypes = 'aes128-cts rc4-hmac'
+conf = {'libdefaults': {'allow_rc4': 'true'},
 'realms': {'$realm': {'supported_enctypes': supported_enctypes}}}
 realm = K5Realm(create_host=False, get_creds=False, krb5_conf=conf)
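Review bot: The rewritten `supp=` line in the t_enctypes.py hunk keeps the unspaced assignment while the `conf = ` line directly below it uses PEP 8 spacing; since the line is being replaced anyway, `supp = 'aes256-cts:normal aes128-cts:normal rc4-hmac:normal'` would make the two consistent. The test cases that consume this configuration are outside the hunk, so whether any of them still refer to a des3 enctype name cannot be checked from here.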
diff --git a/src/tests/t_sesskeynego.py b/src/tests/t_sesskeynego.py
index 5a213617b5..c7dba0ff5b 100755
--- a/src/tests/t_sesskeynego.py
+++ b/src/tests/t_sesskeynego.py
@@ -26,7 +26,6 @@ conf3 = {'libdefaults': {
 'default_tgs_enctypes': 'rc4-hmac,aes128-cts'}}
 conf4 = {'libdefaults': {'permitted_enctypes': 'aes256-cts'}}
 conf5 = {'libdefaults': {'allow_rc4': 'true'}}
-conf6 = {'libdefaults': {'allow_des3': 'true'}}
 # Test with client request and session_enctypes preferring aes128, but
 # aes256 long-term key.
 realm = K5Realm(krb5_conf=conf1, create_host=False, get_creds=False)
@@ -78,13 +77,6 @@ realm.run([kadminl, 'setstr', 'server', 'session_enctypes', 'rc4-hmac'])
 test_kvno(realm, 'DEPRECATED:arcfour-hmac', 'aes256-cts-hmac-sha1-96')
 realm.stop()
-# 6: allow_des3 permits negotiation of des3-cbc-sha1 session key.
-realm = K5Realm(krb5_conf=conf6, create_host=False, get_creds=False)
-realm.run([kadminl, 'addprinc', '-randkey', '-e', 'aes256-cts', 'server'])
-realm.run([kadminl, 'setstr', 'server', 'session_enctypes', 'des3-cbc-sha1'])
-test_kvno(realm, 'DEPRECATED:des3-cbc-sha1', 'aes256-cts-hmac-sha1-96')
-realm.stop()
-
 # 7: default config negotiates aes256-sha1 session key for RC4-only service.
 realm = K5Realm(create_host=False, get_creds=False)
 realm.run([kadminl, 'addprinc', '-randkey', '-e', 'rc4-hmac', 'server'])
diff --git a/src/util/k5test.py b/src/util/k5test.py
index 8e5f5ba8e9..b953827018 100644
--- a/src/util/k5test.py
+++ b/src/util/k5test.py
@@ -1338,13 +1338,6 @@ _passes = [
 # No special settings; exercises AES256.
 ('default', None, None, None),
- # Exercise the DES3 enctype.
- ('des3', None,
- {'libdefaults': {'permitted_enctypes': 'des3 aes256-sha1'}},
- {'realms': {'$realm': {
- 'supported_enctypes': 'des3-cbc-sha1:normal',
- 'master_key_type': 'des3-cbc-sha1'}}}),
-
 # Exercise the arcfour enctype.
 ('arcfour', None,
 {'libdefaults': {'permitted_enctypes': 'rc4 aes256-sha1'}},
--
2.49.0
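Review bot: Deleting case 6 in the second t_sesskeynego.py hunk removes the only test that set a des3-cbc-sha1 session_enctypes attribute, so nothing now asserts the intended new behaviour, namely that such a service no longer receives a des3 session key. Reusing the removed setup (aes256-cts long-term key, `setstr` of `session_enctypes` to `des3-cbc-sha1`, default libdefaults instead of conf6) but asserting that the negotiated session key is `aes256-cts-hmac-sha1-96` — or that kvno fails, whichever an unknown enctype name in session_enctypes is meant to produce after the earlier downstream patch — would turn it into a regression test. As written, the case comments also jump from 5 to `# 7:`; either renumber or fill slot 6 with that negative case.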