https://github.com/krb5/krb5/commit/39fecf78796bbdde1e3d4828b86f64f05d9e4c77
commit 39fecf78796bbdde1e3d4828b86f64f05d9e4c77
Author: Greg Hudson <ghudson at mit.edu>
Date: Mon Sep 14 20:40:29 2020 -0400
Warn when des3-cbc-sha1 is used for initial auth
During initial authentication, if des3-cbc-sha1 is used for either the
reply key or session key, display a warning that it will be disabled.
ticket: 8947 (new)
src/lib/krb5/krb/get_in_tkt.c | 21 +++++++++++++++++++++
1 files changed, 21 insertions(+), 0 deletions(-)
diff --git a/src/lib/krb5/krb/get_in_tkt.c b/src/lib/krb5/krb/get_in_tkt.c
index 0245f11..ab8f4eb 100644
--- a/src/lib/krb5/krb/get_in_tkt.c
+++ b/src/lib/krb5/krb/get_in_tkt.c
@@ -1589,6 +1589,26 @@ warn_pw_expiry(krb5_context context, krb5_get_init_creds_opt *options,
(*prompter)(context, data, 0, banner, 0, 0);
}
+/* Display a warning via the prompter if des3-cbc-sha1 was used for either the
+ * reply key or the session key. */
+static void
+warn_des3(krb5_context context, krb5_init_creds_context ctx,
+ krb5_enctype as_key_enctype)
+{
+ const char *banner;
+
+ if (as_key_enctype != ENCTYPE_DES3_CBC_SHA1 &&
+ ctx->cred.keyblock.enctype != ENCTYPE_DES3_CBC_SHA1)
+ return;
+ if (ctx->prompter == NULL)
+ return;
+
+ banner = _("Warning: encryption type des3-cbc-sha1 used for "
+ "authentication is weak and will be disabled");
+ /* PROMPTER_INVOCATION */
+ (*ctx->prompter)(context, ctx->prompter_data, NULL, banner, 0, NULL);
+}
+
static krb5_error_code
init_creds_step_reply(krb5_context context,
krb5_init_creds_context ctx,
@@ -1802,6 +1822,7 @@ init_creds_step_reply(krb5_context context,
ctx->complete = TRUE;
warn_pw_expiry(context, ctx->opt, ctx->prompter, ctx->prompter_data,
ctx->in_tkt_service, ctx->reply);
+ warn_des3(context, ctx, encrypting_key.enctype);
cleanup:
krb5_free_pa_data(context, kdc_padata);