

krb5 commit: Warn when des3-cbc-sha1 is used for initial auth

daemon@ATHENA.MIT.EDU (Greg Hudson)
Fri Sep 18 14:01:04 2020

Date: Fri, 18 Sep 2020 14:00:50 -0400
From: Greg Hudson <ghudson@mit.edu>
Message-ID: <202009181800.08II0o0Q029836@drugstore.mit.edu>
To: <cvs-krb5@mit.edu>
MIME-Version: 1.0
Reply-To: krbdev@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: cvs-krb5-bounces@mit.edu

https://github.com/krb5/krb5/commit/39fecf78796bbdde1e3d4828b86f64f05d9e4c77
commit 39fecf78796bbdde1e3d4828b86f64f05d9e4c77
Author: Greg Hudson <ghudson@mit.edu>
Date:   Mon Sep 14 20:40:29 2020 -0400

    Warn when des3-cbc-sha1 is used for initial auth
    
    During initial authentication, if des3-cbc-sha1 is used for either the
    reply key or session key, display a warning that it will be disabled.
    
    ticket: 8947 (new)

 src/lib/krb5/krb/get_in_tkt.c |   21 +++++++++++++++++++++
 1 files changed, 21 insertions(+), 0 deletions(-)

diff --git a/src/lib/krb5/krb/get_in_tkt.c b/src/lib/krb5/krb/get_in_tkt.c
index 0245f11..ab8f4eb 100644
--- a/src/lib/krb5/krb/get_in_tkt.c
+++ b/src/lib/krb5/krb/get_in_tkt.c
@@ -1589,6 +1589,26 @@ warn_pw_expiry(krb5_context context, krb5_get_init_creds_opt *options,
     (*prompter)(context, data, 0, banner, 0, 0);
 }
 
+/* Display a warning via the prompter if des3-cbc-sha1 was used for either the
+ * reply key or the session key. */
+static void
+warn_des3(krb5_context context, krb5_init_creds_context ctx,
+          krb5_enctype as_key_enctype)
+{
+    const char *banner;
+
+    if (as_key_enctype != ENCTYPE_DES3_CBC_SHA1 &&
+        ctx->cred.keyblock.enctype != ENCTYPE_DES3_CBC_SHA1)
+        return;
+    if (ctx->prompter == NULL)
+        return;
+
+    banner = _("Warning: encryption type des3-cbc-sha1 used for "
+               "authentication is weak and will be disabled");
+    /* PROMPTER_INVOCATION */
+    (*ctx->prompter)(context, ctx->prompter_data, NULL, banner, 0, NULL);
+}
+
 static krb5_error_code
 init_creds_step_reply(krb5_context context,
                       krb5_init_creds_context ctx,
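Review bot: The deprecation warning in warn_des3 is only ever delivered through the interactive prompter, so any client running with `ctx->prompter == NULL` (keytab-based or otherwise non-interactive callers) keeps using des3-cbc-sha1 silently right up until it is disabled, which is exactly the population an administrator most needs to identify before the cutoff. If a library tracing or logging hook is reachable from this file, emitting it before the `if (ctx->prompter == NULL) return;` guard would make the condition visible in diagnostics even without a prompter; at minimum the header comment should state the limitation, e.g. `/* Display a warning via the prompter, if one is set, if des3-cbc-sha1 was used for the reply key or the session key; callers without a prompter receive no warning. */`. The check covers only the AS reply key and the returned session key, which the commit message describes, so an enctype negotiated elsewhere is out of scope here. This hunk also begins the definition of init_creds_step_reply, whose body continues past the hunk.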
@@ -1802,6 +1822,7 @@ init_creds_step_reply(krb5_context context,
     ctx->complete = TRUE;
     warn_pw_expiry(context, ctx->opt, ctx->prompter, ctx->prompter_data,
                    ctx->in_tkt_service, ctx->reply);
+    warn_des3(context, ctx, encrypting_key.enctype);
 
 cleanup:
     krb5_free_pa_data(context, kdc_padata);
