From b575f7fa544c407ada7339359dcbc904d4faa6ae Mon Sep 17 00:00:00 2001
From: Julien Rische <jrische@redhat.com>
Date: Fri, 4 Apr 2025 15:08:36 +0200
Subject: [PATCH] [downstream] Remove 3des support (cumulative 1)
Remove mentions of the triple-DES encryption type which were added
since the previous downstream patch.
---
README | 15 +++++++--------
doc/admin/conf_files/krb5_conf.rst | 6 ------
doc/admin/enctypes.rst | 11 ++---------
doc/mitK5features.rst | 5 ++---
src/include/k5-int.h | 2 --
src/kdc/kdc_util.c | 2 --
src/lib/krb5/krb/init_ctx.c | 5 -----
src/man/krb5.conf.man | 6 ------
src/tests/gssapi/t_enctypes.py | 5 ++---
src/tests/t_etype_info.py | 4 ++--
src/tests/t_sesskeynego.py | 8 --------
src/util/k5test.py | 7 -------
12 files changed, 15 insertions(+), 61 deletions(-)
diff --git a/README b/README
|
|
index 6d6f7f16e3..9341bd3dd8 100644
|
|
--- a/README
|
|
+++ b/README
|
|
@@ -81,11 +81,11 @@ Triple-DES and RC4 transitions
|
|
------------------------------
|
|
|
|
Beginning with the krb5-1.21 release, the KDC will not issue tickets
|
|
-with triple-DES or RC4 session keys unless explicitly configured using
|
|
-the new allow_des3 and allow_rc4 variables in [libdefaults]. To
|
|
-facilitate the negotiation of session keys, the KDC will assume that
|
|
-all services can handle aes256-sha1 session keys unless the service
|
|
-principal has a session_enctypes string attribute.
|
|
+with RC4 session keys unless explicitly configured using the new
|
|
+allow_rc4 variable in [libdefaults]. To facilitate the negotiation of
|
|
+session keys, the KDC will assume that all services can handle
|
|
+aes256-sha1 session keys unless the service principal has a
|
|
+session_enctypes string attribute.
|
|
|
|
Beginning with the krb5-1.19 release, a warning will be issued if
|
|
initial credentials are acquired using the des3-cbc-sha1 encryption
|
|
@@ -164,9 +164,8 @@ Developer experience:
|
|
|
|
Protocol evolution:
|
|
|
|
-* The KDC will no longer issue tickets with RC4 or triple-DES session
|
|
- keys unless explicitly configured with the new allow_rc4 or
|
|
- allow_des3 variables respectively.
|
|
+* The KDC will no longer issue tickets with RC4 session keys unless
|
|
+ explicitly configured with the new allow_rc4 variable.
|
|
|
|
* The KDC will assume that all services can handle aes256-sha1 session
|
|
keys unless the service principal has a session_enctypes string
|
|
diff --git a/doc/admin/conf_files/krb5_conf.rst b/doc/admin/conf_files/krb5_conf.rst
|
|
index d51fd3ce7e..d20dcf18e3 100644
|
|
--- a/doc/admin/conf_files/krb5_conf.rst
|
|
+++ b/doc/admin/conf_files/krb5_conf.rst
|
|
@@ -95,12 +95,6 @@ Additionally, krb5.conf may include any of the relations described in
|
|
|
|
The libdefaults section may contain any of the following relations:
|
|
|
|
-**allow_des3**
|
|
- Permit the KDC to issue tickets with des3-cbc-sha1 session keys.
|
|
- In future releases, this flag will allow des3-cbc-sha1 to be used
|
|
- at all. The default value for this tag is false. (Added in
|
|
- release 1.21.)
|
|
-
|
|
**allow_rc4**
|
|
Permit the KDC to issue tickets with arcfour-hmac session keys.
|
|
In future releases, this flag will allow arcfour-hmac to be used
|
|
diff --git a/doc/admin/enctypes.rst b/doc/admin/enctypes.rst
|
|
index 2b4ed7da0b..6ce4638d5e 100644
|
|
--- a/doc/admin/enctypes.rst
|
|
+++ b/doc/admin/enctypes.rst
|
|
@@ -49,8 +49,8 @@ The KDC chooses the session key enctype by taking the intersection of
|
|
its **permitted_enctypes** list, the list of long-term keys for the
|
|
most recent kvno of the service, and the client's requested list of
|
|
enctypes. Starting in krb5-1.21, all services are assumed to support
|
|
-aes256-cts-hmac-sha1-96; also, des3-cbc-sha1 and arcfour-hmac session
|
|
-keys will not be issued by default.
|
|
+aes256-cts-hmac-sha1-96; also, arcfour-hmac session keys will not be
|
|
+issued by default.
|
|
|
|
Starting in krb5-1.11, it is possible to set a string attribute on a
|
|
service principal to control what session key enctypes the KDC may
|
|
@@ -90,13 +90,6 @@ affect how enctypes are chosen.
|
|
acceptable risk for your environment and the weak enctypes are
|
|
required for backward compatibility.
|
|
|
|
-**allow_des3**
|
|
- was added in release 1.21 and defaults to *false*. Unless this
|
|
- flag is set to *true*, the KDC will not issue tickets with
|
|
- des3-cbc-sha1 session keys. In a future release, this flag will
|
|
- control whether des3-cbc-sha1 is permitted in similar fashion to
|
|
- weak enctypes.
|
|
-
|
|
**allow_rc4**
|
|
was added in release 1.21 and defaults to *false*. Unless this
|
|
flag is set to *true*, the KDC will not issue tickets with
|
|
diff --git a/doc/mitK5features.rst b/doc/mitK5features.rst
|
|
index cad0855724..64d746b0af 100644
|
|
--- a/doc/mitK5features.rst
|
|
+++ b/doc/mitK5features.rst
|
|
@@ -659,9 +659,8 @@ Release 1.21
|
|
|
|
* Protocol evolution:
|
|
|
|
- - The KDC will no longer issue tickets with RC4 or triple-DES
|
|
- session keys unless explicitly configured with the new allow_rc4
|
|
- or allow_des3 variables respectively.
|
|
+ - The KDC will no longer issue tickets with RC4 session keys unless
|
|
+ explicitly configured with the new allow_rc4 variable.
|
|
|
|
- The KDC will assume that all services can handle aes256-sha1
|
|
session keys unless the service principal has a session_enctypes
|
|
diff --git a/src/include/k5-int.h b/src/include/k5-int.h
|
|
index d0a263aa7d..82a763298d 100644
|
|
--- a/src/include/k5-int.h
|
|
+++ b/src/include/k5-int.h
|
|
@@ -181,7 +181,6 @@ typedef unsigned char u_char;
|
|
* matches the variable name. Keep these alphabetized. */
|
|
#define KRB5_CONF_ACL_FILE "acl_file"
|
|
#define KRB5_CONF_ADMIN_SERVER "admin_server"
|
|
-#define KRB5_CONF_ALLOW_DES3 "allow_des3"
|
|
#define KRB5_CONF_ALLOW_RC4 "allow_rc4"
|
|
#define KRB5_CONF_ALLOW_WEAK_CRYPTO "allow_weak_crypto"
|
|
#define KRB5_CONF_AUTH_TO_LOCAL "auth_to_local"
|
|
@@ -1243,7 +1242,6 @@ struct _krb5_context {
|
|
struct _kdb_log_context *kdblog_context;
|
|
|
|
krb5_boolean allow_weak_crypto;
|
|
- krb5_boolean allow_des3;
|
|
krb5_boolean allow_rc4;
|
|
krb5_boolean ignore_acceptor_hostname;
|
|
krb5_boolean enforce_ok_as_delegate;
|
|
diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c
|
|
index c7b6e4090d..bafcf5f728 100644
|
|
--- a/src/kdc/kdc_util.c
|
|
+++ b/src/kdc/kdc_util.c
|
|
@@ -1113,8 +1113,6 @@ select_session_keytype(krb5_context context, krb5_db_entry *server,
|
|
* unless they are explicitly allowed. In the future they will be more
|
|
* comprehensively disabled and eventually removed.
|
|
*/
|
|
- if (ktype[i] == ENCTYPE_DES3_CBC_SHA1 && !context->allow_des3)
|
|
- continue;
|
|
if (ktype[i] == ENCTYPE_ARCFOUR_HMAC && !context->allow_rc4)
|
|
continue;
|
|
|
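Review bot: The comment block that opens above this hunk (`* unless they are explicitly allowed. In the future they will be more comprehensively disabled and eventually removed.`) still speaks of the restricted enctypes in the plural, but after this hunk only the arcfour-hmac check remains; its opening lines sit outside the hunk and should be reworded to name RC4 alone, e.g. `* RC4 session keys are not issued unless explicitly allowed.` Removing the `ENCTYPE_DES3_CBC_SHA1` skip also means select_session_keytype no longer filters that enctype itself: the KDC now relies on des3 being absent from the crypto provider and from permitted_enctypes (presumably done by the earlier downstream patch) rather than on this guard, so if the enctype were ever re-registered this hunk would relax, not tighten, the policy. A one-line comment recording that dependency, e.g. `/* des3 is not filtered here; it is removed from the enctype table downstream. */`, would help the next rebase. The enclosing function continues outside the hunk.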
|
diff --git a/src/lib/krb5/krb/init_ctx.c b/src/lib/krb5/krb/init_ctx.c
|
|
index a32f8dbf03..82aba64c5e 100644
|
|
--- a/src/lib/krb5/krb/init_ctx.c
|
|
+++ b/src/lib/krb5/krb/init_ctx.c
|
|
@@ -220,11 +220,6 @@ krb5_init_context_profile(profile_t profile, krb5_flags flags,
|
|
goto cleanup;
|
|
ctx->allow_weak_crypto = tmp;
|
|
|
|
- retval = get_boolean(ctx, KRB5_CONF_ALLOW_DES3, 0, &tmp);
|
|
- if (retval)
|
|
- goto cleanup;
|
|
- ctx->allow_des3 = tmp;
|
|
-
|
|
retval = get_boolean(ctx, KRB5_CONF_ALLOW_RC4, 0, &tmp);
|
|
if (retval)
|
|
goto cleanup;
|
|
diff --git a/src/man/krb5.conf.man b/src/man/krb5.conf.man
|
|
index 6c0e9aff8c..4b53988712 100644
|
|
--- a/src/man/krb5.conf.man
|
|
+++ b/src/man/krb5.conf.man
|
|
@@ -178,12 +178,6 @@ kdc.conf(5), but it is not a recommended practice.
|
|
The libdefaults section may contain any of the following relations:
|
|
.INDENT 0.0
|
|
.TP
|
|
-\fBallow_des3\fP
|
|
-Permit the KDC to issue tickets with des3\-cbc\-sha1 session keys.
|
|
-In future releases, this flag will allow des3\-cbc\-sha1 to be used
|
|
-at all. The default value for this tag is false. (Added in
|
|
-release 1.21.)
|
|
-.TP
|
|
\fBallow_rc4\fP
|
|
Permit the KDC to issue tickets with arcfour\-hmac session keys.
|
|
In future releases, this flag will allow arcfour\-hmac to be used
|
|
diff --git a/src/tests/gssapi/t_enctypes.py b/src/tests/gssapi/t_enctypes.py
|
|
index e6bde47afc..1bb8c40b6b 100755
|
|
--- a/src/tests/gssapi/t_enctypes.py
|
|
+++ b/src/tests/gssapi/t_enctypes.py
|
|
@@ -10,9 +10,8 @@ d_rc4 = 'DEPRECATED:arcfour-hmac'
|
|
|
|
# These tests make assumptions about the default enctype lists, so set
|
|
# them explicitly rather than relying on the library defaults.
|
|
-supp='aes256-cts:normal aes128-cts:normal des3-cbc-sha1:normal rc4-hmac:normal'
|
|
-conf = {'libdefaults': {'permitted_enctypes': 'aes des3 rc4',
|
|
- 'allow_des3': 'true', 'allow_rc4': 'true'},
|
|
+supp='aes256-cts:normal aes128-cts:normal rc4-hmac:normal'
|
|
+conf = {'libdefaults': {'permitted_enctypes': 'aes rc4', 'allow_rc4': 'true'},
|
|
'realms': {'$realm': {'supported_enctypes': supp}}}
|
|
realm = K5Realm(krb5_conf=conf)
|
|
shutil.copyfile(realm.ccache, os.path.join(realm.testdir, 'save'))
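Review bot: The rewritten `supp=` line keeps the missing spaces around `=`; since the line is being touched anyway, `supp = 'aes256-cts:normal aes128-cts:normal rc4-hmac:normal'` would match the `conf = ` assignment beneath it and PEP 8. With des3 no longer in the realm's supported_enctypes, any des3-specific constants or test steps remaining elsewhere in this module (the hunk header shows `d_rc4` at line 10, so sibling enctype constants presumably sit just above) are either dead or would now fail; the diffstat touches only these lines, so that is worth confirming against the rest of the file. The same applies to src/tests/t_etype_info.py, where expectations further down the file that enumerate the etype-info entries would need the des3 entry dropped if they list it. The module continues outside the hunk.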
|
|
diff --git a/src/tests/t_etype_info.py b/src/tests/t_etype_info.py
|
|
index 75d9621dd6..e82ff7ff07 100644
|
|
--- a/src/tests/t_etype_info.py
|
|
+++ b/src/tests/t_etype_info.py
|
|
@@ -1,7 +1,7 @@
|
|
from k5test import *
|
|
|
|
-supported_enctypes = 'aes128-cts des3-cbc-sha1 rc4-hmac'
|
|
-conf = {'libdefaults': {'allow_des3': 'true', 'allow_rc4': 'true'},
|
|
+supported_enctypes = 'aes128-cts rc4-hmac'
|
|
+conf = {'libdefaults': {'allow_rc4': 'true'},
|
|
'realms': {'$realm': {'supported_enctypes': supported_enctypes}}}
|
|
realm = K5Realm(create_host=False, get_creds=False, krb5_conf=conf)
|
|
|
|
diff --git a/src/tests/t_sesskeynego.py b/src/tests/t_sesskeynego.py
|
|
index 5a213617b5..c7dba0ff5b 100755
|
|
--- a/src/tests/t_sesskeynego.py
|
|
+++ b/src/tests/t_sesskeynego.py
|
|
@@ -26,7 +26,6 @@ conf3 = {'libdefaults': {
|
|
'default_tgs_enctypes': 'rc4-hmac,aes128-cts'}}
|
|
conf4 = {'libdefaults': {'permitted_enctypes': 'aes256-cts'}}
|
|
conf5 = {'libdefaults': {'allow_rc4': 'true'}}
|
|
-conf6 = {'libdefaults': {'allow_des3': 'true'}}
|
|
# Test with client request and session_enctypes preferring aes128, but
|
|
# aes256 long-term key.
|
|
realm = K5Realm(krb5_conf=conf1, create_host=False, get_creds=False)
|
|
@@ -78,13 +77,6 @@ realm.run([kadminl, 'setstr', 'server', 'session_enctypes', 'rc4-hmac'])
|
|
test_kvno(realm, 'DEPRECATED:arcfour-hmac', 'aes256-cts-hmac-sha1-96')
|
|
realm.stop()
|
|
|
|
-# 6: allow_des3 permits negotiation of des3-cbc-sha1 session key.
|
|
-realm = K5Realm(krb5_conf=conf6, create_host=False, get_creds=False)
|
|
-realm.run([kadminl, 'addprinc', '-randkey', '-e', 'aes256-cts', 'server'])
|
|
-realm.run([kadminl, 'setstr', 'server', 'session_enctypes', 'des3-cbc-sha1'])
|
|
-test_kvno(realm, 'DEPRECATED:des3-cbc-sha1', 'aes256-cts-hmac-sha1-96')
|
|
-realm.stop()
|
|
-
|
|
# 7: default config negotiates aes256-sha1 session key for RC4-only service.
|
|
realm = K5Realm(create_host=False, get_creds=False)
|
|
realm.run([kadminl, 'addprinc', '-randkey', '-e', 'rc4-hmac', 'server'])
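Review bot: Deleting case 6 leaves the numbered test comments jumping from 5 to `# 7: default config negotiates aes256-sha1 session key for RC4-only service.`; either renumber the later cases or keep a one-line placeholder such as `# 6: (removed) des3 session key negotiation; des3 support dropped downstream.` so the gap is explained. The deleted case was also the only one exercising a `session_enctypes` hint of `des3-cbc-sha1`; a negative case mirroring case 7 would pin the intended downstream behaviour that the KDC never issues a des3 session key, assuming the KDC's session_enctypes parser tolerates the now-unknown name. The sketch below is constructed and its expected enctypes need confirming against the KDC's handling of an empty parsed hint list.
```python
# … unchanged: cases 1–5 …
# 6: a session_enctypes hint of des3-cbc-sha1 must not yield a des3 session key.
realm = K5Realm(create_host=False, get_creds=False)
realm.run([kadminl, 'addprinc', '-randkey', '-e', 'aes256-cts', 'server'])
realm.run([kadminl, 'setstr', 'server', 'session_enctypes', 'des3-cbc-sha1'])
test_kvno(realm, 'aes256-cts-hmac-sha1-96', 'aes256-cts-hmac-sha1-96')
realm.stop()
# … unchanged: case 7 onwards …
```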
|
|
diff --git a/src/util/k5test.py b/src/util/k5test.py
|
|
index 8e5f5ba8e9..b953827018 100644
|
|
--- a/src/util/k5test.py
|
|
+++ b/src/util/k5test.py
|
|
@@ -1338,13 +1338,6 @@ _passes = [
|
|
# No special settings; exercises AES256.
|
|
('default', None, None, None),
|
|
|
|
- # Exercise the DES3 enctype.
|
|
- ('des3', None,
|
|
- {'libdefaults': {'permitted_enctypes': 'des3 aes256-sha1'}},
|
|
- {'realms': {'$realm': {
|
|
- 'supported_enctypes': 'des3-cbc-sha1:normal',
|
|
- 'master_key_type': 'des3-cbc-sha1'}}}),
|
|
-
|
|
# Exercise the arcfour enctype.
|
|
('arcfour', None,
|
|
{'libdefaults': {'permitted_enctypes': 'rc4 aes256-sha1'}},
|
|
--
2.49.0