kdc: Add krb5_is_enctype_old() to determine whether an enctype is older

AES256 and AES128 are newer enctypes because they are officially specified in RFC4120 and RFC8009, while enctypes not officially specified since RFC4120 are considered older. This function differs from older_enctype() in that it does not report unknown or non-existent enctypes as being 'newer'. Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2021-10-08 15:59:42 +13:00
parent 87348cf27a
commit 91e86460cd
9 changed files with 44 additions and 43 deletions
--- a/lib/krb5/crypto-arcfour.c
+++ b/lib/krb5/crypto-arcfour.c
@@ -360,7 +360,7 @@ struct _krb5_encryption_type _krb5_enctype_arcfour_hmac_md5 = {
    &keytype_arcfour,
    &_krb5_checksum_hmac_md5,
    &_krb5_checksum_hmac_md5,
-    F_SPECIAL | F_WEAK,
+    F_SPECIAL | F_WEAK | F_OLD,
    ARCFOUR_encrypt,
    NULL,
    0,
--- a/lib/krb5/crypto-des.c
+++ b/lib/krb5/crypto-des.c
@@ -309,7 +309,7 @@ struct _krb5_encryption_type _krb5_enctype_des_cbc_crc = {
    &keytype_des,
    &_krb5_checksum_crc32,
    NULL,
-    F_DISABLED|F_WEAK,
+    F_DISABLED|F_WEAK|F_OLD,
    evp_des_encrypt_key_ivec,
    NULL,
    0,
@@ -326,7 +326,7 @@ struct _krb5_encryption_type _krb5_enctype_des_cbc_md4 = {
    &keytype_des,
    &_krb5_checksum_rsa_md4,
    &_krb5_checksum_rsa_md4_des,
-    F_DISABLED|F_WEAK,
+    F_DISABLED|F_WEAK|F_OLD,
    evp_des_encrypt_null_ivec,
    NULL,
    0,
@@ -343,7 +343,7 @@ struct _krb5_encryption_type _krb5_enctype_des_cbc_md5 = {
    &keytype_des,
    &_krb5_checksum_rsa_md5,
    &_krb5_checksum_rsa_md5_des,
-    F_DISABLED|F_WEAK,
+    F_DISABLED|F_WEAK|F_OLD,
    evp_des_encrypt_null_ivec,
    NULL,
    0,
@@ -360,7 +360,7 @@ struct _krb5_encryption_type _krb5_enctype_des_cbc_none = {
    &keytype_des,
    &_krb5_checksum_none,
    NULL,
-    F_PSEUDO|F_DISABLED|F_WEAK,
+    F_PSEUDO|F_DISABLED|F_WEAK|F_OLD,
    evp_des_encrypt_null_ivec,
    NULL,
    0,
@@ -377,7 +377,7 @@ struct _krb5_encryption_type _krb5_enctype_des_cfb64_none = {
    &keytype_des_old,
    &_krb5_checksum_none,
    NULL,
-    F_PSEUDO|F_DISABLED|F_WEAK,
+    F_PSEUDO|F_DISABLED|F_WEAK|F_OLD,
    DES_CFB64_encrypt_null_ivec,
    NULL,
    0,
@@ -394,7 +394,7 @@ struct _krb5_encryption_type _krb5_enctype_des_pcbc_none = {
    &keytype_des_old,
    &_krb5_checksum_none,
    NULL,
-    F_PSEUDO|F_DISABLED|F_WEAK,
+    F_PSEUDO|F_DISABLED|F_WEAK|F_OLD,
    DES_PCBC_encrypt_key_ivec,
    NULL,
    0,
--- a/lib/krb5/crypto-des3.c
+++ b/lib/krb5/crypto-des3.c
@@ -196,7 +196,7 @@ struct _krb5_encryption_type _krb5_enctype_des3_cbc_md5 = {
    &keytype_des3,
    &_krb5_checksum_rsa_md5,
    &_krb5_checksum_rsa_md5_des3,
-    0,
+    F_OLD,
    _krb5_evp_encrypt,
    _krb5_evp_encrypt_iov,
    0,
@@ -214,7 +214,7 @@ struct _krb5_encryption_type _krb5_enctype_des3_cbc_sha1 = {
    &keytype_des3_derived,
    &_krb5_checksum_sha1,
    &_krb5_checksum_hmac_sha1_des3,
-    F_DERIVED | F_RFC3961_ENC | F_RFC3961_KDF,
+    F_DERIVED | F_RFC3961_ENC | F_RFC3961_KDF | F_OLD,
    _krb5_evp_encrypt,
    _krb5_evp_encrypt_iov,
    16,
@@ -232,7 +232,7 @@ struct _krb5_encryption_type _krb5_enctype_old_des3_cbc_sha1 = {
    &keytype_des3,
    &_krb5_checksum_sha1,
    &_krb5_checksum_hmac_sha1_des3,
-    0,
+    F_OLD,
    _krb5_evp_encrypt,
    _krb5_evp_encrypt_iov,
    0,
@@ -250,7 +250,7 @@ struct _krb5_encryption_type _krb5_enctype_des3_cbc_none = {
    &keytype_des3_derived,
    &_krb5_checksum_none,
    NULL,
-    F_PSEUDO,
+    F_PSEUDO | F_OLD,
    _krb5_evp_encrypt,
    _krb5_evp_encrypt_iov,
    0,
--- a/lib/krb5/crypto-null.c
+++ b/lib/krb5/crypto-null.c
@@ -95,7 +95,7 @@ struct _krb5_encryption_type _krb5_enctype_null = {
    &keytype_null,
    &_krb5_checksum_none,
    NULL,
-    F_DISABLED,
+    F_DISABLED | F_OLD,
    NULL_encrypt,
    NULL,
    0,
--- a/lib/krb5/crypto.c
+++ b/lib/krb5/crypto.c
@@ -2847,6 +2847,26 @@ krb5_is_enctype_weak(krb5_context context, krb5_enctype enctype)
    return FALSE;
 }

+/**
+ * Returns whether the encryption type is new or old
+ *
+ * @param context Kerberos 5 context
+ * @param enctype encryption type to probe
+ *
+ * @return Returns true if encryption type is old or is not supported.
+ *
+ * @ingroup krb5_crypto
+ */
+
+KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
+krb5_is_enctype_old(krb5_context context, krb5_enctype enctype)
+{
+    struct _krb5_encryption_type *et = _krb5_find_enctype(enctype);
+    if (!et  || (et->flags & F_OLD))
+	return TRUE;
+    return FALSE;
+}
+
 /**
 * Returns whether the encryption type should use randomly generated salts
 *
--- a/lib/krb5/crypto.h
+++ b/lib/krb5/crypto.h
@@ -52,6 +52,7 @@ struct _krb5_key_usage;
 #define F_PSEUDO		0x0010	/* not a real protocol type */
 #define F_DISABLED		0x0020	/* enctype/checksum disabled */
 #define F_WEAK			0x0040	/* enctype is considered weak */
+#define F_OLD			0x0080	/* enctype is old */

 #define F_RFC3961_ENC		0x0100	/* RFC3961 simplified profile */
 #define F_SPECIAL		0x0200	/* backwards */
--- a/lib/krb5/libkrb5-exports.def.in
+++ b/lib/krb5/libkrb5-exports.def.in
@@ -400,6 +400,7 @@ EXPORTS
 	krb5_init_ets
 	krb5_initlog
 	krb5_is_config_principal
+	krb5_is_enctype_old
 	krb5_is_enctype_weak
 	krb5_is_thread_safe
 #ifdef HAVE_KCM
--- a/lib/krb5/version-script.map
+++ b/lib/krb5/version-script.map
@@ -395,6 +395,7 @@ HEIMDAL_KRB5_2.0 {
 		krb5_init_ets;
 		krb5_initlog;
 		krb5_is_config_principal;
+		krb5_is_enctype_old;
 		krb5_is_enctype_weak;
 		krb5_is_thread_safe;
 		krb5_kcm_call;