svn rev #23586: trunk/src/ include/ kadmin/testing/proto/ lib/krb5/krb/ tests/dejagnu/config/ ...

tlyu@MIT.EDU tlyu at MIT.EDU
Mon Jan 4 21:47:59 EST 2010 

http://src.mit.edu/fisheye/changelog/krb5/?cs=23586
Commit By: tlyu
Log Message:
ticket: 6621
subject: disable weak crypto by default

Set allow_weak_crypto=false by default.  Set default master key
enctype to sha256.  Adjust test suite to compensate.


Changed Files:
U   trunk/src/include/osconf.hin
U   trunk/src/kadmin/testing/proto/krb5.conf.proto
U   trunk/src/lib/krb5/krb/decrypt_tk.c
U   trunk/src/lib/krb5/krb/init_ctx.c
U   trunk/src/tests/dejagnu/config/default.exp
U   trunk/src/tests/mkeystash_compat/Makefile.in
Modified: trunk/src/include/osconf.hin
===================================================================
--- trunk/src/include/osconf.hin	2010-01-04 21:45:23 UTC (rev 23585)
+++ trunk/src/include/osconf.hin	2010-01-05 02:47:58 UTC (rev 23586)
@@ -77,7 +77,7 @@
 #define DEFAULT_KDB_LIB_PATH    { "@MODULEDIR/kdb", NULL }
 #endif
 
-#define DEFAULT_KDC_ENCTYPE     ENCTYPE_DES3_CBC_SHA1
+#define DEFAULT_KDC_ENCTYPE     ENCTYPE_AES256_CTS_HMAC_SHA1_96
 #define KDCRCACHE               "dfl:krb5kdc_rcache"
 
 #define KDC_PORTNAME            "kerberos" /* for /etc/services or equiv. */

Modified: trunk/src/kadmin/testing/proto/krb5.conf.proto
===================================================================
--- trunk/src/kadmin/testing/proto/krb5.conf.proto	2010-01-04 21:45:23 UTC (rev 23585)
+++ trunk/src/kadmin/testing/proto/krb5.conf.proto	2010-01-05 02:47:58 UTC (rev 23586)
@@ -2,7 +2,6 @@
 	default_realm = __REALM__
 	default_keytab_name = FILE:__K5ROOT__/v5srvtab
 	dns_fallback = no
-	allow_weak_crypto = true
 
 [realms]
 	__REALM__ = {

Modified: trunk/src/lib/krb5/krb/decrypt_tk.c
===================================================================
--- trunk/src/lib/krb5/krb/decrypt_tk.c	2010-01-04 21:45:23 UTC (rev 23585)
+++ trunk/src/lib/krb5/krb/decrypt_tk.c	2010-01-05 02:47:58 UTC (rev 23586)
@@ -49,6 +49,9 @@
     if (!krb5_c_valid_enctype(ticket->enc_part.enctype))
         return KRB5_PROG_ETYPE_NOSUPP;
 
+    if (!krb5_is_permitted_enctype(context, ticket->enc_part.enctype))
+        return KRB5_NOPERM_ETYPE;
+
     scratch.length = ticket->enc_part.ciphertext.length;
     if (!(scratch.data = malloc(ticket->enc_part.ciphertext.length)))
         return(ENOMEM);

Modified: trunk/src/lib/krb5/krb/init_ctx.c
===================================================================
--- trunk/src/lib/krb5/krb/init_ctx.c	2010-01-04 21:45:23 UTC (rev 23585)
+++ trunk/src/lib/krb5/krb/init_ctx.c	2010-01-05 02:47:58 UTC (rev 23586)
@@ -165,7 +165,7 @@
         goto cleanup;
 
     retval = profile_get_boolean(ctx->profile, KRB5_CONF_LIBDEFAULTS,
-                                 KRB5_CONF_ALLOW_WEAK_CRYPTO, NULL, 1, &tmp);
+                                 KRB5_CONF_ALLOW_WEAK_CRYPTO, NULL, 0, &tmp);
     if (retval)
         goto cleanup;
     ctx->allow_weak_crypto = tmp;

Modified: trunk/src/tests/dejagnu/config/default.exp
===================================================================
--- trunk/src/tests/dejagnu/config/default.exp	2010-01-04 21:45:23 UTC (rev 23585)
+++ trunk/src/tests/dejagnu/config/default.exp	2010-01-05 02:47:58 UTC (rev 23586)
@@ -17,7 +17,6 @@
 
 set des3_krbtgt 0
 set tgt_support_desmd5 0
-set supported_enctypes "des-cbc-crc:normal"
 
 # The names of the individual passes must be unique; lots of things
 # depend on it.  The PASSES variable may not contain comments; only
@@ -164,7 +163,7 @@
 	{dummy=[verbose -log "DES3 TGT, DES3 + DES enctypes"]}
     }
     {
-	aes
+	aes-des
 	mode=udp
 	des3_krbtgt=0
 	{supported_enctypes=aes256-cts-hmac-sha1-96:normal des-cbc-crc:normal}
@@ -175,6 +174,21 @@
 	{dummy=[verbose -log "AES + DES enctypes"]}
     }
     {
+	aes-only
+	mode=udp
+	des3_krbtgt=0
+	{supported_enctypes=aes256-cts-hmac-sha1-96:normal}
+	{permitted_enctypes(kdc)=aes256-cts-hmac-sha1-96}
+	{permitted_enctypes(client)=aes256-cts-hmac-sha1-96}
+	{permitted_enctypes(server)=aes256-cts-hmac-sha1-96}
+	{allow_weak_crypto(kdc)=false}
+	{allow_weak_crypto(slave)=false}
+	{allow_weak_crypto(client)=false}
+	{allow_weak_crypto(server)=false}
+	{master_key_type=aes256-cts-hmac-sha1-96}
+	{dummy=[verbose -log "AES enctypes"]}
+    }
+    {
 	aes-des3
 	mode=udp
 	des3_krbtgt=0
@@ -183,10 +197,10 @@
 	{permitted_enctypes(client)=aes256-cts-hmac-sha1-96 des3-cbc-sha1 des-cbc-crc}
 	{permitted_enctypes(server)=aes256-cts-hmac-sha1-96 des3-cbc-sha1 des-cbc-crc}
 	{master_key_type=aes256-cts-hmac-sha1-96}
-	{dummy=[verbose -log "AES + DES enctypes"]}
+	{dummy=[verbose -log "AES + DES3 + DES enctypes"]}
     }
     {
-	des3-aes
+	aes-des3tgt
 	mode=udp
 	des3_krbtgt=1
 	{supported_enctypes=aes256-cts-hmac-sha1-96:normal des3-cbc-sha1:normal des-cbc-crc:normal}
@@ -213,13 +227,14 @@
 	{dummy=[verbose -log "DES TGT, DES-MD5 and -CRC enctypes, V4 salt"]}
     }
     {
-	all-des-des3-enctypes
+	all-enctypes
 	mode=udp
-	des3_krbtgt=1
-	{supported_enctypes=des3-cbc-sha1:normal des-cbc-crc:normal \
-		des-cbc-md5:normal des-cbc-crc:v4 des-cbc-md5:norealm \
-		des-cbc-md4:normal}
-	{dummy=[verbose -log "DES3 TGT, many DES3 + DES enctypes"]}
+	des3_krbtgt=0
+	{allow_weak_crypto(kdc)=false}
+	{allow_weak_crypto(slave)=false}
+	{allow_weak_crypto(client)=false}
+	{allow_weak_crypto(server)=false}
+	{dummy=[verbose -log "all default enctypes"]}
     }
     {
 	des.no-kdc-md5
@@ -806,9 +821,6 @@
     # Create a kdc.conf file.
     if { ![file exists $tmppwd/kdc.conf] \
 	    || $last_passname_conf != $multipass_name } {
-	if ![info exists master_key_type] {
-	    set master_key_type des-cbc-md5
-	}
 	set conffile [open $tmppwd/kdc.conf w]
 	puts $conffile "\[kdcdefaults\]"
 	puts $conffile "	kdc_ports = $portbase,[expr 1 + $portbase],[expr 2 + $portbase]"
@@ -827,9 +839,13 @@
 	puts $conffile "		kpasswd_port = [expr 5 + $portbase]"
 	puts $conffile "		max_life = 1:00:00"
 	puts $conffile "		max_renewable_life = 3:00:00"
-	puts $conffile "		master_key_type = $master_key_type"
+	if [info exists master_key_type] {
+	    puts $conffile "		master_key_type = $master_key_type"
+	}
 	puts $conffile "		master_key_name = master/key"
-	puts $conffile "		supported_enctypes = $supported_enctypes"
+	if [info exists supported_enctypes] {
+	    puts $conffile "		supported_enctypes = $supported_enctypes"
+	}
 	if { $mode == "tcp" } {
 	    puts $conffile "		kdc_ports = [expr 3 + $portbase]"
 	    puts $conffile "		kdc_tcp_ports = [expr 1 + $portbase],[expr 3 + $portbase]"
@@ -856,9 +872,6 @@
     # KDC processes).
     if { ![file exists $tmppwd/slave.conf] \
 	    || $last_passname_conf != $multipass_name } {
-	if ![info exists master_key_type] {
-	    set master_key_type des-cbc-md5
-	}
 	set conffile [open $tmppwd/slave.conf w]
 	puts $conffile "\[kdcdefaults\]"
 	puts $conffile "	kdc_ports = $portbase,[expr 1 + $portbase],[expr 2 + $portbase]"
@@ -877,9 +890,13 @@
 	puts $conffile "		kpasswd_port = [expr 5 + $portbase]"
 	puts $conffile "		max_life = 1:00:00"
 	puts $conffile "		max_renewable_life = 3:00:00"
-	puts $conffile "		master_key_type = $master_key_type"
+	if [info exists master_key_type] {
+	    puts $conffile "		master_key_type = $master_key_type"
+	}
 	puts $conffile "		master_key_name = master/key"
-	puts $conffile "		supported_enctypes = $supported_enctypes"
+	if [info exists supported_enctypes] {
+	    puts $conffile "		supported_enctypes = $supported_enctypes"
+	}
 	if { $mode == "tcp" } {
 	    puts $conffile "		kdc_ports = [expr 3 + $portbase]"
 	    puts $conffile "		kdc_tcp_ports = [expr 1 + $portbase],[expr 3 + $portbase]"
@@ -938,6 +955,7 @@
     global default_tgs_enctypes
     global default_tkt_enctypes
     global permitted_enctypes
+    global allow_weak_crypto
     global mode
     global portbase
     global KRB5_DB_MODULE_DIR
@@ -950,7 +968,11 @@
 	puts $conffile "\[libdefaults\]"
 	puts $conffile "	default_realm = $REALMNAME"
 	puts $conffile "	dns_lookup_kdc = false"
-	puts $conffile "	allow_weak_crypto = true"
+	if [info exists allow_weak_crypto($type)] {
+	    puts $conffile "	allow_weak_crypto = $allow_weak_crypto($type)"
+	} else {
+	    puts $conffile "	allow_weak_crypto = true"
+	}
 	if [info exists default_tgs_enctypes($type)] {
 	    puts $conffile \
 		    "	default_tgs_enctypes = $default_tgs_enctypes($type)"
@@ -2425,7 +2447,7 @@
     global supported_enctypes
     global KRBIV
 
-    if ![info exists KRBIV] {
+    if ![info exists KRBIV] || ![info exists supported_enctypes] {
 	return 0;
     }
 

Modified: trunk/src/tests/mkeystash_compat/Makefile.in
===================================================================
--- trunk/src/tests/mkeystash_compat/Makefile.in	2010-01-04 21:45:23 UTC (rev 23585)
+++ trunk/src/tests/mkeystash_compat/Makefile.in	2010-01-05 02:47:58 UTC (rev 23586)
@@ -25,6 +25,7 @@
 	rm -rf kdc.conf
 	@echo "[realms]" > kdc.conf
 	@echo "$(TEST_REALM) = {" >> kdc.conf
+	@echo "  master_key_type = des3-cbc-sha1" >> kdc.conf
 	@echo "  key_stash_file = `pwd`/stash_file" >> kdc.conf
 	@echo "}" >> kdc.conf

More information about the cvs-krb5 mailing list