From b19f2a8984321c3e20a29c8a76456cecb99bccca Mon Sep 17 00:00:00 2001 From: Tom Yu Date: Tue, 5 Jan 2010 02:47:58 +0000 Subject: disable weak crypto by default Set allow_weak_crypto=false by default. Set default master key enctype to sha256. Adjust test suite to compensate. ticket: 6621 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23586 dc483132-0cff-0310-8789-dd5450dbe970 --- src/include/osconf.hin | 2 +- src/kadmin/testing/proto/krb5.conf.proto | 1 - src/lib/krb5/krb/decrypt_tk.c | 3 ++ src/lib/krb5/krb/init_ctx.c | 2 +- src/tests/dejagnu/config/default.exp | 66 +++++++++++++++++++++----------- src/tests/mkeystash_compat/Makefile.in | 1 + 6 files changed, 50 insertions(+), 25 deletions(-) diff --git a/src/include/osconf.hin b/src/include/osconf.hin index 6d0e7bc09..b39c97498 100644 --- a/src/include/osconf.hin +++ b/src/include/osconf.hin @@ -77,7 +77,7 @@ #define DEFAULT_KDB_LIB_PATH { "@MODULEDIR/kdb", NULL } #endif -#define DEFAULT_KDC_ENCTYPE ENCTYPE_DES3_CBC_SHA1 +#define DEFAULT_KDC_ENCTYPE ENCTYPE_AES256_CTS_HMAC_SHA1_96 #define KDCRCACHE "dfl:krb5kdc_rcache" #define KDC_PORTNAME "kerberos" /* for /etc/services or equiv. */ diff --git a/src/kadmin/testing/proto/krb5.conf.proto b/src/kadmin/testing/proto/krb5.conf.proto index b6ce16bff..c2648d6c6 100644 --- a/src/kadmin/testing/proto/krb5.conf.proto +++ b/src/kadmin/testing/proto/krb5.conf.proto @@ -2,7 +2,6 @@ default_realm = __REALM__ default_keytab_name = FILE:__K5ROOT__/v5srvtab dns_fallback = no - allow_weak_crypto = true [realms] __REALM__ = { diff --git a/src/lib/krb5/krb/decrypt_tk.c b/src/lib/krb5/krb/decrypt_tk.c index c06353b9e..7ce411552 100644 --- a/src/lib/krb5/krb/decrypt_tk.c +++ b/src/lib/krb5/krb/decrypt_tk.c @@ -49,6 +49,9 @@ krb5_decrypt_tkt_part(krb5_context context, const krb5_keyblock *srv_key, regist if (!krb5_c_valid_enctype(ticket->enc_part.enctype)) return KRB5_PROG_ETYPE_NOSUPP; + if (!krb5_is_permitted_enctype(context, ticket->enc_part.enctype)) + return KRB5_NOPERM_ETYPE; + scratch.length = ticket->enc_part.ciphertext.length; if (!(scratch.data = malloc(ticket->enc_part.ciphertext.length))) return(ENOMEM); diff --git a/src/lib/krb5/krb/init_ctx.c b/src/lib/krb5/krb/init_ctx.c index 8f6a1b3dc..2c2beb6bf 100644 --- a/src/lib/krb5/krb/init_ctx.c +++ b/src/lib/krb5/krb/init_ctx.c @@ -165,7 +165,7 @@ init_common (krb5_context *context, krb5_boolean secure, krb5_boolean kdc) goto cleanup; retval = profile_get_boolean(ctx->profile, KRB5_CONF_LIBDEFAULTS, - KRB5_CONF_ALLOW_WEAK_CRYPTO, NULL, 1, &tmp); + KRB5_CONF_ALLOW_WEAK_CRYPTO, NULL, 0, &tmp); if (retval) goto cleanup; ctx->allow_weak_crypto = tmp; diff --git a/src/tests/dejagnu/config/default.exp b/src/tests/dejagnu/config/default.exp index c7c622f71..8e540b3a0 100644 --- a/src/tests/dejagnu/config/default.exp +++ b/src/tests/dejagnu/config/default.exp @@ -17,7 +17,6 @@ set env(TERM) dumb set des3_krbtgt 0 set tgt_support_desmd5 0 -set supported_enctypes "des-cbc-crc:normal" # The names of the individual passes must be unique; lots of things # depend on it. The PASSES variable may not contain comments; only @@ -164,7 +163,7 @@ set passes { {dummy=[verbose -log "DES3 TGT, DES3 + DES enctypes"]} } { - aes + aes-des mode=udp des3_krbtgt=0 {supported_enctypes=aes256-cts-hmac-sha1-96:normal des-cbc-crc:normal} @@ -174,6 +173,21 @@ set passes { {master_key_type=aes256-cts-hmac-sha1-96} {dummy=[verbose -log "AES + DES enctypes"]} } + { + aes-only + mode=udp + des3_krbtgt=0 + {supported_enctypes=aes256-cts-hmac-sha1-96:normal} + {permitted_enctypes(kdc)=aes256-cts-hmac-sha1-96} + {permitted_enctypes(client)=aes256-cts-hmac-sha1-96} + {permitted_enctypes(server)=aes256-cts-hmac-sha1-96} + {allow_weak_crypto(kdc)=false} + {allow_weak_crypto(slave)=false} + {allow_weak_crypto(client)=false} + {allow_weak_crypto(server)=false} + {master_key_type=aes256-cts-hmac-sha1-96} + {dummy=[verbose -log "AES enctypes"]} + } { aes-des3 mode=udp @@ -183,10 +197,10 @@ set passes { {permitted_enctypes(client)=aes256-cts-hmac-sha1-96 des3-cbc-sha1 des-cbc-crc} {permitted_enctypes(server)=aes256-cts-hmac-sha1-96 des3-cbc-sha1 des-cbc-crc} {master_key_type=aes256-cts-hmac-sha1-96} - {dummy=[verbose -log "AES + DES enctypes"]} + {dummy=[verbose -log "AES + DES3 + DES enctypes"]} } { - des3-aes + aes-des3tgt mode=udp des3_krbtgt=1 {supported_enctypes=aes256-cts-hmac-sha1-96:normal des3-cbc-sha1:normal des-cbc-crc:normal} @@ -213,13 +227,14 @@ set passes { {dummy=[verbose -log "DES TGT, DES-MD5 and -CRC enctypes, V4 salt"]} } { - all-des-des3-enctypes + all-enctypes mode=udp - des3_krbtgt=1 - {supported_enctypes=des3-cbc-sha1:normal des-cbc-crc:normal \ - des-cbc-md5:normal des-cbc-crc:v4 des-cbc-md5:norealm \ - des-cbc-md4:normal} - {dummy=[verbose -log "DES3 TGT, many DES3 + DES enctypes"]} + des3_krbtgt=0 + {allow_weak_crypto(kdc)=false} + {allow_weak_crypto(slave)=false} + {allow_weak_crypto(client)=false} + {allow_weak_crypto(server)=false} + {dummy=[verbose -log "all default enctypes"]} } { des.no-kdc-md5 @@ -806,9 +821,6 @@ proc setup_kerberos_files { } { # Create a kdc.conf file. if { ![file exists $tmppwd/kdc.conf] \ || $last_passname_conf != $multipass_name } { - if ![info exists master_key_type] { - set master_key_type des-cbc-md5 - } set conffile [open $tmppwd/kdc.conf w] puts $conffile "\[kdcdefaults\]" puts $conffile " kdc_ports = $portbase,[expr 1 + $portbase],[expr 2 + $portbase]" @@ -827,9 +839,13 @@ proc setup_kerberos_files { } { puts $conffile " kpasswd_port = [expr 5 + $portbase]" puts $conffile " max_life = 1:00:00" puts $conffile " max_renewable_life = 3:00:00" - puts $conffile " master_key_type = $master_key_type" + if [info exists master_key_type] { + puts $conffile " master_key_type = $master_key_type" + } puts $conffile " master_key_name = master/key" - puts $conffile " supported_enctypes = $supported_enctypes" + if [info exists supported_enctypes] { + puts $conffile " supported_enctypes = $supported_enctypes" + } if { $mode == "tcp" } { puts $conffile " kdc_ports = [expr 3 + $portbase]" puts $conffile " kdc_tcp_ports = [expr 1 + $portbase],[expr 3 + $portbase]" @@ -856,9 +872,6 @@ proc setup_kerberos_files { } { # KDC processes). if { ![file exists $tmppwd/slave.conf] \ || $last_passname_conf != $multipass_name } { - if ![info exists master_key_type] { - set master_key_type des-cbc-md5 - } set conffile [open $tmppwd/slave.conf w] puts $conffile "\[kdcdefaults\]" puts $conffile " kdc_ports = $portbase,[expr 1 + $portbase],[expr 2 + $portbase]" @@ -877,9 +890,13 @@ proc setup_kerberos_files { } { puts $conffile " kpasswd_port = [expr 5 + $portbase]" puts $conffile " max_life = 1:00:00" puts $conffile " max_renewable_life = 3:00:00" - puts $conffile " master_key_type = $master_key_type" + if [info exists master_key_type] { + puts $conffile " master_key_type = $master_key_type" + } puts $conffile " master_key_name = master/key" - puts $conffile " supported_enctypes = $supported_enctypes" + if [info exists supported_enctypes] { + puts $conffile " supported_enctypes = $supported_enctypes" + } if { $mode == "tcp" } { puts $conffile " kdc_ports = [expr 3 + $portbase]" puts $conffile " kdc_tcp_ports = [expr 1 + $portbase],[expr 3 + $portbase]" @@ -938,6 +955,7 @@ proc setup_krb5_conf { {type client} } { global default_tgs_enctypes global default_tkt_enctypes global permitted_enctypes + global allow_weak_crypto global mode global portbase global KRB5_DB_MODULE_DIR @@ -950,7 +968,11 @@ proc setup_krb5_conf { {type client} } { puts $conffile "\[libdefaults\]" puts $conffile " default_realm = $REALMNAME" puts $conffile " dns_lookup_kdc = false" - puts $conffile " allow_weak_crypto = true" + if [info exists allow_weak_crypto($type)] { + puts $conffile " allow_weak_crypto = $allow_weak_crypto($type)" + } else { + puts $conffile " allow_weak_crypto = true" + } if [info exists default_tgs_enctypes($type)] { puts $conffile \ " default_tgs_enctypes = $default_tgs_enctypes($type)" @@ -2425,7 +2447,7 @@ proc v4_compatible_enctype {} { global supported_enctypes global KRBIV - if ![info exists KRBIV] { + if ![info exists KRBIV] || ![info exists supported_enctypes] { return 0; } diff --git a/src/tests/mkeystash_compat/Makefile.in b/src/tests/mkeystash_compat/Makefile.in index 59bc82760..faf55c1ea 100644 --- a/src/tests/mkeystash_compat/Makefile.in +++ b/src/tests/mkeystash_compat/Makefile.in @@ -25,6 +25,7 @@ kdc.conf: Makefile rm -rf kdc.conf @echo "[realms]" > kdc.conf @echo "$(TEST_REALM) = {" >> kdc.conf + @echo " master_key_type = des3-cbc-sha1" >> kdc.conf @echo " key_stash_file = `pwd`/stash_file" >> kdc.conf @echo "}" >> kdc.conf -- cgit