From 91e86460cd5334b5bb83401c7cbffbf4f04d4e06 Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Fri, 8 Oct 2021 15:59:42 +1300 Subject: [PATCH] kdc: Add krb5_is_enctype_old() to determine whether an enctype is older AES256 and AES128 are newer enctypes because they are officially specified in RFC4120 and RFC8009, while enctypes not officially specified since RFC4120 are considered older. This function differs from older_enctype() in that it does not report unknown or non-existent enctypes as being 'newer'. Signed-off-by: Joseph Sutton --- kdc/kerberos5.c | 40 ++++++++------------------------- lib/krb5/crypto-arcfour.c | 2 +- lib/krb5/crypto-des.c | 12 +++++----- lib/krb5/crypto-des3.c | 8 +++---- lib/krb5/crypto-null.c | 2 +- lib/krb5/crypto.c | 20 +++++++++++++++++ lib/krb5/crypto.h | 1 + lib/krb5/libkrb5-exports.def.in | 1 + lib/krb5/version-script.map | 1 + 9 files changed, 44 insertions(+), 43 deletions(-) diff --git a/kdc/kerberos5.c b/kdc/kerberos5.c index 81ebee1a2..91053ec60 100644 --- a/kdc/kerberos5.c +++ b/kdc/kerberos5.c @@ -1165,34 +1165,6 @@ _kdc_encode_reply(krb5_context context, return 0; } -/* - * Return 1 if the client have only older enctypes, this is for - * determining if the server should send ETYPE_INFO2 or not. - */ - -static int -older_enctype(krb5_enctype enctype) -{ - switch (enctype) { - case ETYPE_DES_CBC_CRC: - case ETYPE_DES_CBC_MD4: - case ETYPE_DES_CBC_MD5: - case ETYPE_DES3_CBC_SHA1: - case ETYPE_ARCFOUR_HMAC_MD5: - case ETYPE_ARCFOUR_HMAC_MD5_56: - /* - * The following three is "old" windows enctypes and is needed for - * windows 2000 hosts. - */ - case ETYPE_ARCFOUR_MD4: - case ETYPE_ARCFOUR_HMAC_OLD: - case ETYPE_ARCFOUR_HMAC_OLD_EXP: - return 1; - default: - return 0; - } -} - /* * */ @@ -1407,13 +1379,19 @@ get_pa_etype_info2(krb5_context context, return 0; } +/* + * Return 0 if the client have only older enctypes, this is for + * determining if the server should send ETYPE_INFO2 or not. + */ + static int -newer_enctype_present(struct KDC_REQ_BODY_etype *etype_list) +newer_enctype_present(krb5_context context, + struct KDC_REQ_BODY_etype *etype_list) { size_t i; for (i = 0; i < etype_list->len; i++) { - if (!older_enctype(etype_list->val[i])) + if (!krb5_is_enctype_old(context, etype_list->val[i])) return 1; } return 0; @@ -1462,7 +1440,7 @@ get_pa_etype_info_both(krb5_context context, if (ret) return ret; - if (!newer_enctype_present(etype_list)) + if (!newer_enctype_present(context, etype_list)) ret = get_pa_etype_info(context, config, md, ckey, include_salt); return ret; diff --git a/lib/krb5/crypto-arcfour.c b/lib/krb5/crypto-arcfour.c index 9b5250aed..28fc52e4c 100644 --- a/lib/krb5/crypto-arcfour.c +++ b/lib/krb5/crypto-arcfour.c @@ -360,7 +360,7 @@ struct _krb5_encryption_type _krb5_enctype_arcfour_hmac_md5 = { &keytype_arcfour, &_krb5_checksum_hmac_md5, &_krb5_checksum_hmac_md5, - F_SPECIAL | F_WEAK, + F_SPECIAL | F_WEAK | F_OLD, ARCFOUR_encrypt, NULL, 0, diff --git a/lib/krb5/crypto-des.c b/lib/krb5/crypto-des.c index 7060283f3..c5692954c 100644 --- a/lib/krb5/crypto-des.c +++ b/lib/krb5/crypto-des.c @@ -309,7 +309,7 @@ struct _krb5_encryption_type _krb5_enctype_des_cbc_crc = { &keytype_des, &_krb5_checksum_crc32, NULL, - F_DISABLED|F_WEAK, + F_DISABLED|F_WEAK|F_OLD, evp_des_encrypt_key_ivec, NULL, 0, @@ -326,7 +326,7 @@ struct _krb5_encryption_type _krb5_enctype_des_cbc_md4 = { &keytype_des, &_krb5_checksum_rsa_md4, &_krb5_checksum_rsa_md4_des, - F_DISABLED|F_WEAK, + F_DISABLED|F_WEAK|F_OLD, evp_des_encrypt_null_ivec, NULL, 0, @@ -343,7 +343,7 @@ struct _krb5_encryption_type _krb5_enctype_des_cbc_md5 = { &keytype_des, &_krb5_checksum_rsa_md5, &_krb5_checksum_rsa_md5_des, - F_DISABLED|F_WEAK, + F_DISABLED|F_WEAK|F_OLD, evp_des_encrypt_null_ivec, NULL, 0, @@ -360,7 +360,7 @@ struct _krb5_encryption_type _krb5_enctype_des_cbc_none = { &keytype_des, &_krb5_checksum_none, NULL, - F_PSEUDO|F_DISABLED|F_WEAK, + F_PSEUDO|F_DISABLED|F_WEAK|F_OLD, evp_des_encrypt_null_ivec, NULL, 0, @@ -377,7 +377,7 @@ struct _krb5_encryption_type _krb5_enctype_des_cfb64_none = { &keytype_des_old, &_krb5_checksum_none, NULL, - F_PSEUDO|F_DISABLED|F_WEAK, + F_PSEUDO|F_DISABLED|F_WEAK|F_OLD, DES_CFB64_encrypt_null_ivec, NULL, 0, @@ -394,7 +394,7 @@ struct _krb5_encryption_type _krb5_enctype_des_pcbc_none = { &keytype_des_old, &_krb5_checksum_none, NULL, - F_PSEUDO|F_DISABLED|F_WEAK, + F_PSEUDO|F_DISABLED|F_WEAK|F_OLD, DES_PCBC_encrypt_key_ivec, NULL, 0, diff --git a/lib/krb5/crypto-des3.c b/lib/krb5/crypto-des3.c index c4eba3012..d231921d6 100644 --- a/lib/krb5/crypto-des3.c +++ b/lib/krb5/crypto-des3.c @@ -196,7 +196,7 @@ struct _krb5_encryption_type _krb5_enctype_des3_cbc_md5 = { &keytype_des3, &_krb5_checksum_rsa_md5, &_krb5_checksum_rsa_md5_des3, - 0, + F_OLD, _krb5_evp_encrypt, _krb5_evp_encrypt_iov, 0, @@ -214,7 +214,7 @@ struct _krb5_encryption_type _krb5_enctype_des3_cbc_sha1 = { &keytype_des3_derived, &_krb5_checksum_sha1, &_krb5_checksum_hmac_sha1_des3, - F_DERIVED | F_RFC3961_ENC | F_RFC3961_KDF, + F_DERIVED | F_RFC3961_ENC | F_RFC3961_KDF | F_OLD, _krb5_evp_encrypt, _krb5_evp_encrypt_iov, 16, @@ -232,7 +232,7 @@ struct _krb5_encryption_type _krb5_enctype_old_des3_cbc_sha1 = { &keytype_des3, &_krb5_checksum_sha1, &_krb5_checksum_hmac_sha1_des3, - 0, + F_OLD, _krb5_evp_encrypt, _krb5_evp_encrypt_iov, 0, @@ -250,7 +250,7 @@ struct _krb5_encryption_type _krb5_enctype_des3_cbc_none = { &keytype_des3_derived, &_krb5_checksum_none, NULL, - F_PSEUDO, + F_PSEUDO | F_OLD, _krb5_evp_encrypt, _krb5_evp_encrypt_iov, 0, diff --git a/lib/krb5/crypto-null.c b/lib/krb5/crypto-null.c index 53f97c529..a62a57ffc 100644 --- a/lib/krb5/crypto-null.c +++ b/lib/krb5/crypto-null.c @@ -95,7 +95,7 @@ struct _krb5_encryption_type _krb5_enctype_null = { &keytype_null, &_krb5_checksum_none, NULL, - F_DISABLED, + F_DISABLED | F_OLD, NULL_encrypt, NULL, 0, diff --git a/lib/krb5/crypto.c b/lib/krb5/crypto.c index 6d6e5b7f5..524b2e786 100644 --- a/lib/krb5/crypto.c +++ b/lib/krb5/crypto.c @@ -2847,6 +2847,26 @@ krb5_is_enctype_weak(krb5_context context, krb5_enctype enctype) return FALSE; } +/** + * Returns whether the encryption type is new or old + * + * @param context Kerberos 5 context + * @param enctype encryption type to probe + * + * @return Returns true if encryption type is old or is not supported. + * + * @ingroup krb5_crypto + */ + +KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL +krb5_is_enctype_old(krb5_context context, krb5_enctype enctype) +{ + struct _krb5_encryption_type *et = _krb5_find_enctype(enctype); + if (!et || (et->flags & F_OLD)) + return TRUE; + return FALSE; +} + /** * Returns whether the encryption type should use randomly generated salts * diff --git a/lib/krb5/crypto.h b/lib/krb5/crypto.h index 0971c3d2e..3cbaf70ab 100644 --- a/lib/krb5/crypto.h +++ b/lib/krb5/crypto.h @@ -52,6 +52,7 @@ struct _krb5_key_usage; #define F_PSEUDO 0x0010 /* not a real protocol type */ #define F_DISABLED 0x0020 /* enctype/checksum disabled */ #define F_WEAK 0x0040 /* enctype is considered weak */ +#define F_OLD 0x0080 /* enctype is old */ #define F_RFC3961_ENC 0x0100 /* RFC3961 simplified profile */ #define F_SPECIAL 0x0200 /* backwards */ diff --git a/lib/krb5/libkrb5-exports.def.in b/lib/krb5/libkrb5-exports.def.in index df6fa7caa..90212173e 100644 --- a/lib/krb5/libkrb5-exports.def.in +++ b/lib/krb5/libkrb5-exports.def.in @@ -400,6 +400,7 @@ EXPORTS krb5_init_ets krb5_initlog krb5_is_config_principal + krb5_is_enctype_old krb5_is_enctype_weak krb5_is_thread_safe #ifdef HAVE_KCM diff --git a/lib/krb5/version-script.map b/lib/krb5/version-script.map index 26b53f6ed..2cc49fe0f 100644 --- a/lib/krb5/version-script.map +++ b/lib/krb5/version-script.map @@ -395,6 +395,7 @@ HEIMDAL_KRB5_2.0 { krb5_init_ets; krb5_initlog; krb5_is_config_principal; + krb5_is_enctype_old; krb5_is_enctype_weak; krb5_is_thread_safe; krb5_kcm_call;