kdc: Add krb5_is_enctype_old() to determine whether an enctype is older

AES256 and AES128 are newer enctypes because they are officially specified in RFC4120 and RFC8009, while enctypes not officially specified since RFC4120 are considered older. This function differs from older_enctype() in that it does not report unknown or non-existent enctypes as being 'newer'. Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2021-10-08 15:59:42 +13:00
parent 87348cf27a
commit 91e86460cd
9 changed files with 44 additions and 43 deletions
--- a/kdc/kerberos5.c
+++ b/kdc/kerberos5.c
@@ -1165,34 +1165,6 @@ _kdc_encode_reply(krb5_context context,
    return 0;
 }

-/*
- * Return 1 if the client have only older enctypes, this is for
- * determining if the server should send ETYPE_INFO2 or not.
- */
-
-static int
-older_enctype(krb5_enctype enctype)
-{
-    switch (enctype) {
-    case ETYPE_DES_CBC_CRC:
-    case ETYPE_DES_CBC_MD4:
-    case ETYPE_DES_CBC_MD5:
-    case ETYPE_DES3_CBC_SHA1:
-    case ETYPE_ARCFOUR_HMAC_MD5:
-    case ETYPE_ARCFOUR_HMAC_MD5_56:
-    /*
-     * The following three is "old" windows enctypes and is needed for
-     * windows 2000 hosts.
-     */
-    case ETYPE_ARCFOUR_MD4:
-    case ETYPE_ARCFOUR_HMAC_OLD:
-    case ETYPE_ARCFOUR_HMAC_OLD_EXP:
-	return 1;
-    default:
-	return 0;
-    }
-}
-
 /*
 *
 */
@@ -1407,13 +1379,19 @@ get_pa_etype_info2(krb5_context context,
    return 0;
 }

+/*
+ * Return 0 if the client have only older enctypes, this is for
+ * determining if the server should send ETYPE_INFO2 or not.
+ */
+
 static int
-newer_enctype_present(struct KDC_REQ_BODY_etype *etype_list)
+newer_enctype_present(krb5_context context,
+		      struct KDC_REQ_BODY_etype *etype_list)
 {
    size_t i;

    for (i = 0; i < etype_list->len; i++) {
-	if (!older_enctype(etype_list->val[i]))
+	if (!krb5_is_enctype_old(context, etype_list->val[i]))
 	    return 1;
    }
    return 0;
@@ -1462,7 +1440,7 @@ get_pa_etype_info_both(krb5_context context,
    if (ret)
 	return ret;

-    if (!newer_enctype_present(etype_list))
+    if (!newer_enctype_present(context, etype_list))
 	ret = get_pa_etype_info(context, config, md, ckey, include_salt);

    return ret;
--- a/lib/krb5/crypto-arcfour.c
+++ b/lib/krb5/crypto-arcfour.c
@@ -360,7 +360,7 @@ struct _krb5_encryption_type _krb5_enctype_arcfour_hmac_md5 = {
    &keytype_arcfour,
    &_krb5_checksum_hmac_md5,
    &_krb5_checksum_hmac_md5,
-    F_SPECIAL | F_WEAK,
+    F_SPECIAL | F_WEAK | F_OLD,
    ARCFOUR_encrypt,
    NULL,
    0,
--- a/lib/krb5/crypto-des.c
+++ b/lib/krb5/crypto-des.c
@@ -309,7 +309,7 @@ struct _krb5_encryption_type _krb5_enctype_des_cbc_crc = {
    &keytype_des,
    &_krb5_checksum_crc32,
    NULL,
-    F_DISABLED|F_WEAK,
+    F_DISABLED|F_WEAK|F_OLD,
    evp_des_encrypt_key_ivec,
    NULL,
    0,
@@ -326,7 +326,7 @@ struct _krb5_encryption_type _krb5_enctype_des_cbc_md4 = {
    &keytype_des,
    &_krb5_checksum_rsa_md4,
    &_krb5_checksum_rsa_md4_des,
-    F_DISABLED|F_WEAK,
+    F_DISABLED|F_WEAK|F_OLD,
    evp_des_encrypt_null_ivec,
    NULL,
    0,
@@ -343,7 +343,7 @@ struct _krb5_encryption_type _krb5_enctype_des_cbc_md5 = {
    &keytype_des,
    &_krb5_checksum_rsa_md5,
    &_krb5_checksum_rsa_md5_des,
-    F_DISABLED|F_WEAK,
+    F_DISABLED|F_WEAK|F_OLD,
    evp_des_encrypt_null_ivec,
    NULL,
    0,
@@ -360,7 +360,7 @@ struct _krb5_encryption_type _krb5_enctype_des_cbc_none = {
    &keytype_des,
    &_krb5_checksum_none,
    NULL,
-    F_PSEUDO|F_DISABLED|F_WEAK,
+    F_PSEUDO|F_DISABLED|F_WEAK|F_OLD,
    evp_des_encrypt_null_ivec,
    NULL,
    0,
@@ -377,7 +377,7 @@ struct _krb5_encryption_type _krb5_enctype_des_cfb64_none = {
    &keytype_des_old,
    &_krb5_checksum_none,
    NULL,
-    F_PSEUDO|F_DISABLED|F_WEAK,
+    F_PSEUDO|F_DISABLED|F_WEAK|F_OLD,
    DES_CFB64_encrypt_null_ivec,
    NULL,
    0,
@@ -394,7 +394,7 @@ struct _krb5_encryption_type _krb5_enctype_des_pcbc_none = {
    &keytype_des_old,
    &_krb5_checksum_none,
    NULL,
-    F_PSEUDO|F_DISABLED|F_WEAK,
+    F_PSEUDO|F_DISABLED|F_WEAK|F_OLD,
    DES_PCBC_encrypt_key_ivec,
    NULL,
    0,
--- a/lib/krb5/crypto-des3.c
+++ b/lib/krb5/crypto-des3.c
@@ -196,7 +196,7 @@ struct _krb5_encryption_type _krb5_enctype_des3_cbc_md5 = {
    &keytype_des3,
    &_krb5_checksum_rsa_md5,
    &_krb5_checksum_rsa_md5_des3,
-    0,
+    F_OLD,
    _krb5_evp_encrypt,
    _krb5_evp_encrypt_iov,
    0,
@@ -214,7 +214,7 @@ struct _krb5_encryption_type _krb5_enctype_des3_cbc_sha1 = {
    &keytype_des3_derived,
    &_krb5_checksum_sha1,
    &_krb5_checksum_hmac_sha1_des3,
-    F_DERIVED | F_RFC3961_ENC | F_RFC3961_KDF,
+    F_DERIVED | F_RFC3961_ENC | F_RFC3961_KDF | F_OLD,
    _krb5_evp_encrypt,
    _krb5_evp_encrypt_iov,
    16,
@@ -232,7 +232,7 @@ struct _krb5_encryption_type _krb5_enctype_old_des3_cbc_sha1 = {
    &keytype_des3,
    &_krb5_checksum_sha1,
    &_krb5_checksum_hmac_sha1_des3,
-    0,
+    F_OLD,
    _krb5_evp_encrypt,
    _krb5_evp_encrypt_iov,
    0,
@@ -250,7 +250,7 @@ struct _krb5_encryption_type _krb5_enctype_des3_cbc_none = {
    &keytype_des3_derived,
    &_krb5_checksum_none,
    NULL,
-    F_PSEUDO,
+    F_PSEUDO | F_OLD,
    _krb5_evp_encrypt,
    _krb5_evp_encrypt_iov,
    0,
--- a/lib/krb5/crypto-null.c
+++ b/lib/krb5/crypto-null.c
@@ -95,7 +95,7 @@ struct _krb5_encryption_type _krb5_enctype_null = {
    &keytype_null,
    &_krb5_checksum_none,
    NULL,
-    F_DISABLED,
+    F_DISABLED | F_OLD,
    NULL_encrypt,
    NULL,
    0,
--- a/lib/krb5/crypto.c
+++ b/lib/krb5/crypto.c
@@ -2847,6 +2847,26 @@ krb5_is_enctype_weak(krb5_context context, krb5_enctype enctype)
    return FALSE;
 }

+/**
+ * Returns whether the encryption type is new or old
+ *
+ * @param context Kerberos 5 context
+ * @param enctype encryption type to probe
+ *
+ * @return Returns true if encryption type is old or is not supported.
+ *
+ * @ingroup krb5_crypto
+ */
+
+KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
+krb5_is_enctype_old(krb5_context context, krb5_enctype enctype)
+{
+    struct _krb5_encryption_type *et = _krb5_find_enctype(enctype);
+    if (!et  || (et->flags & F_OLD))
+	return TRUE;
+    return FALSE;
+}
+
 /**
 * Returns whether the encryption type should use randomly generated salts
 *
--- a/lib/krb5/crypto.h
+++ b/lib/krb5/crypto.h
@@ -52,6 +52,7 @@ struct _krb5_key_usage;
 #define F_PSEUDO		0x0010	/* not a real protocol type */
 #define F_DISABLED		0x0020	/* enctype/checksum disabled */
 #define F_WEAK			0x0040	/* enctype is considered weak */
+#define F_OLD			0x0080	/* enctype is old */

 #define F_RFC3961_ENC		0x0100	/* RFC3961 simplified profile */
 #define F_SPECIAL		0x0200	/* backwards */
--- a/lib/krb5/libkrb5-exports.def.in
+++ b/lib/krb5/libkrb5-exports.def.in
@@ -400,6 +400,7 @@ EXPORTS
 	krb5_init_ets
 	krb5_initlog
 	krb5_is_config_principal
+	krb5_is_enctype_old
 	krb5_is_enctype_weak
 	krb5_is_thread_safe
 #ifdef HAVE_KCM
--- a/lib/krb5/version-script.map
+++ b/lib/krb5/version-script.map
@@ -395,6 +395,7 @@ HEIMDAL_KRB5_2.0 {
 		krb5_init_ets;
 		krb5_initlog;
 		krb5_is_config_principal;
+		krb5_is_enctype_old;
 		krb5_is_enctype_weak;
 		krb5_is_thread_safe;
 		krb5_kcm_call;