disable weak crypto by default
authorTom Yu <tlyu@mit.edu>
Tue, 5 Jan 2010 02:47:58 +0000 (02:47 +0000)
committerTom Yu <tlyu@mit.edu>
Tue, 5 Jan 2010 02:47:58 +0000 (02:47 +0000)
Set allow_weak_crypto=false by default.  Set default master key
enctype to sha256.  Adjust test suite to compensate.

ticket: 6621

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23586 dc483132-0cff-0310-8789-dd5450dbe970

src/include/osconf.hin
src/kadmin/testing/proto/krb5.conf.proto
src/lib/krb5/krb/decrypt_tk.c
src/lib/krb5/krb/init_ctx.c
src/tests/dejagnu/config/default.exp
src/tests/mkeystash_compat/Makefile.in

index 6d0e7bc09102492e7b23282931162f4ef28ee296..b39c97498ff106ca519a18726e433f84cf400f0a 100644 (file)
@@ -77,7 +77,7 @@
 #define DEFAULT_KDB_LIB_PATH    { "@MODULEDIR/kdb", NULL }
 #endif
 
-#define DEFAULT_KDC_ENCTYPE     ENCTYPE_DES3_CBC_SHA1
+#define DEFAULT_KDC_ENCTYPE     ENCTYPE_AES256_CTS_HMAC_SHA1_96
 #define KDCRCACHE               "dfl:krb5kdc_rcache"
 
 #define KDC_PORTNAME            "kerberos" /* for /etc/services or equiv. */
index b6ce16bff5ec78fa5081280a9f25346f15024c92..c2648d6c67e7ef9bc06284a08491038990ca233e 100644 (file)
@@ -2,7 +2,6 @@
        default_realm = __REALM__
        default_keytab_name = FILE:__K5ROOT__/v5srvtab
        dns_fallback = no
-       allow_weak_crypto = true
 
 [realms]
        __REALM__ = {
index c06353b9ed1408668947495c031c97be04fc3fe7..7ce41155284497c35305614c89c402beb85a512d 100644 (file)
@@ -49,6 +49,9 @@ krb5_decrypt_tkt_part(krb5_context context, const krb5_keyblock *srv_key, regist
     if (!krb5_c_valid_enctype(ticket->enc_part.enctype))
         return KRB5_PROG_ETYPE_NOSUPP;
 
+    if (!krb5_is_permitted_enctype(context, ticket->enc_part.enctype))
+        return KRB5_NOPERM_ETYPE;
+
     scratch.length = ticket->enc_part.ciphertext.length;
     if (!(scratch.data = malloc(ticket->enc_part.ciphertext.length)))
         return(ENOMEM);
index 8f6a1b3dcbf9784cd6b1b60990c3db7e367ff190..2c2beb6bfc5bbea77ae959f67bbfb74c61fca21c 100644 (file)
@@ -165,7 +165,7 @@ init_common (krb5_context *context, krb5_boolean secure, krb5_boolean kdc)
         goto cleanup;
 
     retval = profile_get_boolean(ctx->profile, KRB5_CONF_LIBDEFAULTS,
-                                 KRB5_CONF_ALLOW_WEAK_CRYPTO, NULL, 1, &tmp);
+                                 KRB5_CONF_ALLOW_WEAK_CRYPTO, NULL, 0, &tmp);
     if (retval)
         goto cleanup;
     ctx->allow_weak_crypto = tmp;
index c7c622f71486b2366ae8a62b4f22fb44ba341eab..8e540b3a09f543a3e0d91873ca2fd082f8e3e58e 100644 (file)
@@ -17,7 +17,6 @@ set env(TERM) dumb
 
 set des3_krbtgt 0
 set tgt_support_desmd5 0
-set supported_enctypes "des-cbc-crc:normal"
 
 # The names of the individual passes must be unique; lots of things
 # depend on it.  The PASSES variable may not contain comments; only
@@ -164,7 +163,7 @@ set passes {
        {dummy=[verbose -log "DES3 TGT, DES3 + DES enctypes"]}
     }
     {
-       aes
+       aes-des
        mode=udp
        des3_krbtgt=0
        {supported_enctypes=aes256-cts-hmac-sha1-96:normal des-cbc-crc:normal}
@@ -174,6 +173,21 @@ set passes {
        {master_key_type=aes256-cts-hmac-sha1-96}
        {dummy=[verbose -log "AES + DES enctypes"]}
     }
+    {
+       aes-only
+       mode=udp
+       des3_krbtgt=0
+       {supported_enctypes=aes256-cts-hmac-sha1-96:normal}
+       {permitted_enctypes(kdc)=aes256-cts-hmac-sha1-96}
+       {permitted_enctypes(client)=aes256-cts-hmac-sha1-96}
+       {permitted_enctypes(server)=aes256-cts-hmac-sha1-96}
+       {allow_weak_crypto(kdc)=false}
+       {allow_weak_crypto(slave)=false}
+       {allow_weak_crypto(client)=false}
+       {allow_weak_crypto(server)=false}
+       {master_key_type=aes256-cts-hmac-sha1-96}
+       {dummy=[verbose -log "AES enctypes"]}
+    }
     {
        aes-des3
        mode=udp
@@ -183,10 +197,10 @@ set passes {
        {permitted_enctypes(client)=aes256-cts-hmac-sha1-96 des3-cbc-sha1 des-cbc-crc}
        {permitted_enctypes(server)=aes256-cts-hmac-sha1-96 des3-cbc-sha1 des-cbc-crc}
        {master_key_type=aes256-cts-hmac-sha1-96}
-       {dummy=[verbose -log "AES + DES enctypes"]}
+       {dummy=[verbose -log "AES + DES3 + DES enctypes"]}
     }
     {
-       des3-aes
+       aes-des3tgt
        mode=udp
        des3_krbtgt=1
        {supported_enctypes=aes256-cts-hmac-sha1-96:normal des3-cbc-sha1:normal des-cbc-crc:normal}
@@ -213,13 +227,14 @@ set passes {
        {dummy=[verbose -log "DES TGT, DES-MD5 and -CRC enctypes, V4 salt"]}
     }
     {
-       all-des-des3-enctypes
+       all-enctypes
        mode=udp
-       des3_krbtgt=1
-       {supported_enctypes=des3-cbc-sha1:normal des-cbc-crc:normal \
-               des-cbc-md5:normal des-cbc-crc:v4 des-cbc-md5:norealm \
-               des-cbc-md4:normal}
-       {dummy=[verbose -log "DES3 TGT, many DES3 + DES enctypes"]}
+       des3_krbtgt=0
+       {allow_weak_crypto(kdc)=false}
+       {allow_weak_crypto(slave)=false}
+       {allow_weak_crypto(client)=false}
+       {allow_weak_crypto(server)=false}
+       {dummy=[verbose -log "all default enctypes"]}
     }
     {
        des.no-kdc-md5
@@ -806,9 +821,6 @@ proc setup_kerberos_files { } {
     # Create a kdc.conf file.
     if { ![file exists $tmppwd/kdc.conf] \
            || $last_passname_conf != $multipass_name } {
-       if ![info exists master_key_type] {
-           set master_key_type des-cbc-md5
-       }
        set conffile [open $tmppwd/kdc.conf w]
        puts $conffile "\[kdcdefaults\]"
        puts $conffile "        kdc_ports = $portbase,[expr 1 + $portbase],[expr 2 + $portbase]"
@@ -827,9 +839,13 @@ proc setup_kerberos_files { } {
        puts $conffile "                kpasswd_port = [expr 5 + $portbase]"
        puts $conffile "                max_life = 1:00:00"
        puts $conffile "                max_renewable_life = 3:00:00"
-       puts $conffile "                master_key_type = $master_key_type"
+       if [info exists master_key_type] {
+           puts $conffile "            master_key_type = $master_key_type"
+       }
        puts $conffile "                master_key_name = master/key"
-       puts $conffile "                supported_enctypes = $supported_enctypes"
+       if [info exists supported_enctypes] {
+           puts $conffile "            supported_enctypes = $supported_enctypes"
+       }
        if { $mode == "tcp" } {
            puts $conffile "            kdc_ports = [expr 3 + $portbase]"
            puts $conffile "            kdc_tcp_ports = [expr 1 + $portbase],[expr 3 + $portbase]"
@@ -856,9 +872,6 @@ proc setup_kerberos_files { } {
     # KDC processes).
     if { ![file exists $tmppwd/slave.conf] \
            || $last_passname_conf != $multipass_name } {
-       if ![info exists master_key_type] {
-           set master_key_type des-cbc-md5
-       }
        set conffile [open $tmppwd/slave.conf w]
        puts $conffile "\[kdcdefaults\]"
        puts $conffile "        kdc_ports = $portbase,[expr 1 + $portbase],[expr 2 + $portbase]"
@@ -877,9 +890,13 @@ proc setup_kerberos_files { } {
        puts $conffile "                kpasswd_port = [expr 5 + $portbase]"
        puts $conffile "                max_life = 1:00:00"
        puts $conffile "                max_renewable_life = 3:00:00"
-       puts $conffile "                master_key_type = $master_key_type"
+       if [info exists master_key_type] {
+           puts $conffile "            master_key_type = $master_key_type"
+       }
        puts $conffile "                master_key_name = master/key"
-       puts $conffile "                supported_enctypes = $supported_enctypes"
+       if [info exists supported_enctypes] {
+           puts $conffile "            supported_enctypes = $supported_enctypes"
+       }
        if { $mode == "tcp" } {
            puts $conffile "            kdc_ports = [expr 3 + $portbase]"
            puts $conffile "            kdc_tcp_ports = [expr 1 + $portbase],[expr 3 + $portbase]"
@@ -938,6 +955,7 @@ proc setup_krb5_conf { {type client} } {
     global default_tgs_enctypes
     global default_tkt_enctypes
     global permitted_enctypes
+    global allow_weak_crypto
     global mode
     global portbase
     global KRB5_DB_MODULE_DIR
@@ -950,7 +968,11 @@ proc setup_krb5_conf { {type client} } {
        puts $conffile "\[libdefaults\]"
        puts $conffile "        default_realm = $REALMNAME"
        puts $conffile "        dns_lookup_kdc = false"
-       puts $conffile "        allow_weak_crypto = true"
+       if [info exists allow_weak_crypto($type)] {
+           puts $conffile "    allow_weak_crypto = $allow_weak_crypto($type)"
+       } else {
+           puts $conffile "    allow_weak_crypto = true"
+       }
        if [info exists default_tgs_enctypes($type)] {
            puts $conffile \
                    "   default_tgs_enctypes = $default_tgs_enctypes($type)"
@@ -2425,7 +2447,7 @@ proc v4_compatible_enctype {} {
     global supported_enctypes
     global KRBIV
 
-    if ![info exists KRBIV] {
+    if ![info exists KRBIV] || ![info exists supported_enctypes] {
        return 0;
     }
 
index 59bc82760b5a14deb9dfe62ada33d979ea6dc7c3..faf55c1ea9573d9431b342948adb89b2f0f55b7c 100644 (file)
@@ -25,6 +25,7 @@ kdc.conf: Makefile
        rm -rf kdc.conf
        @echo "[realms]" > kdc.conf
        @echo "$(TEST_REALM) = {" >> kdc.conf
+       @echo "  master_key_type = des3-cbc-sha1" >> kdc.conf
        @echo "  key_stash_file = `pwd`/stash_file" >> kdc.conf
        @echo "}" >> kdc.conf