| |
@@ -1,4 +1,4 @@
|
| |
- From 7b40250066bbcc529b5348b68199c58fbad82376 Mon Sep 17 00:00:00 2001
|
| |
+ From 0691db92e13e0d224c2c9dd72c1421d8f7c3c078 Mon Sep 17 00:00:00 2001
|
| |
From: Robbie Harwood <rharwood@redhat.com>
|
| |
Date: Tue, 26 Mar 2019 18:51:10 -0400
|
| |
Subject: [PATCH] [downstream] Remove 3des support
|
| |
@@ -32,7 +32,7 @@
|
| |
src/include/krb5/krb5.hin | 10 +-
|
| |
src/kdc/kdc_util.c | 4 -
|
| |
src/lib/crypto/Makefile.in | 8 +-
|
| |
- src/lib/crypto/builtin/Makefile.in | 6 +-
|
| |
+ src/lib/crypto/builtin/Makefile.in | 4 +-
|
| |
src/lib/crypto/builtin/des/ISSUES | 13 -
|
| |
src/lib/crypto/builtin/des/Makefile.in | 82 ----
|
| |
src/lib/crypto/builtin/des/d3_aead.c | 137 ------
|
| |
@@ -74,7 +74,7 @@
|
| |
src/lib/crypto/krb/prf_des.c | 47 ---
|
| |
src/lib/crypto/krb/random_to_key.c | 28 --
|
| |
src/lib/crypto/libk5crypto.exports | 1 -
|
| |
- src/lib/crypto/openssl/Makefile.in | 8 +-
|
| |
+ src/lib/crypto/openssl/Makefile.in | 4 +-
|
| |
src/lib/crypto/openssl/des/Makefile.in | 20 -
|
| |
src/lib/crypto/openssl/des/deps | 14 -
|
| |
src/lib/crypto/openssl/des/des_keys.c | 39 --
|
| |
@@ -98,18 +98,19 @@
|
| |
src/plugins/preauth/pkinit/pkinit_crypto.h | 10 +-
|
| |
src/plugins/preauth/pkinit/pkinit_kdf_test.c | 30 --
|
| |
src/plugins/preauth/spake/t_vectors.c | 25 --
|
| |
- src/tests/gssapi/t_enctypes.py | 33 +-
|
| |
+ src/tests/gssapi/t_enctypes.py | 34 +-
|
| |
src/tests/gssapi/t_invalid.c | 12 -
|
| |
src/tests/gssapi/t_pcontok.c | 16 +-
|
| |
src/tests/gssapi/t_prf.c | 7 -
|
| |
src/tests/t_authdata.py | 2 +-
|
| |
- src/tests/t_etype_info.py | 18 +-
|
| |
+ src/tests/t_etype_info.py | 20 +-
|
| |
src/tests/t_keyrollover.py | 8 +-
|
| |
src/tests/t_mkey.py | 35 --
|
| |
src/tests/t_salt.py | 5 +-
|
| |
+ src/tests/t_sesskeynego.py | 8 -
|
| |
src/util/k5test.py | 7 -
|
| |
.../leash/htmlhelp/html/Encryption_Types.htm | 13 -
|
| |
- 89 files changed, 151 insertions(+), 4713 deletions(-)
|
| |
+ 90 files changed, 149 insertions(+), 4720 deletions(-)
|
| |
delete mode 100644 src/lib/crypto/builtin/des/ISSUES
|
| |
delete mode 100644 src/lib/crypto/builtin/des/Makefile.in
|
| |
delete mode 100644 src/lib/crypto/builtin/des/d3_aead.c
|
| |
@@ -199,10 +200,10 @@
|
| |
|
| |
While **aes128-cts** and **aes256-cts** are supported for all Kerberos
|
| |
diff --git a/doc/admin/enctypes.rst b/doc/admin/enctypes.rst
|
| |
- index 694922c0d9..c4d5499d3b 100644
|
| |
+ index dce19ad43e..2b4ed7da0b 100644
|
| |
--- a/doc/admin/enctypes.rst
|
| |
+++ b/doc/admin/enctypes.rst
|
| |
- @@ -129,7 +129,7 @@ enctype weak? krb5 Windows
|
| |
+ @@ -146,7 +146,7 @@ enctype weak? krb5 Windows
|
| |
des-cbc-crc weak <1.18 >=2000
|
| |
des-cbc-md4 weak <1.18 ?
|
| |
des-cbc-md5 weak <1.18 >=2000
|
| |
@@ -211,7 +212,7 @@
|
| |
arcfour-hmac deprecated >=1.3 >=2000
|
| |
arcfour-hmac-exp weak >=1.3 >=2000
|
| |
aes128-cts-hmac-sha1-96 >=1.3 >=Vista
|
| |
- @@ -148,9 +148,11 @@ default.
|
| |
+ @@ -165,9 +165,11 @@ default.
|
| |
krb5 releases 1.17 and later flag deprecated encryption types
|
| |
(including ``des3-cbc-sha1`` and ``arcfour-hmac``) in KDC logs and
|
| |
kadmin output. krb5 release 1.19 issues a warning during initial
|
| |
@@ -247,7 +248,7 @@
|
| |
|
| |
.. _err_cert_chain_cert_expired:
|
| |
diff --git a/doc/appdev/refs/macros/index.rst b/doc/appdev/refs/macros/index.rst
|
| |
- index a0d4f26701..5f34dea5e8 100644
|
| |
+ index 45fe160d7f..b4b1f3bd93 100644
|
| |
--- a/doc/appdev/refs/macros/index.rst
|
| |
+++ b/doc/appdev/refs/macros/index.rst
|
| |
@@ -36,7 +36,6 @@ Public
|
| |
@@ -259,10 +260,10 @@
|
| |
CKSUMTYPE_NIST_SHA.rst
|
| |
CKSUMTYPE_RSA_MD4.rst
|
| |
diff --git a/doc/conf.py b/doc/conf.py
|
| |
- index fa0eb80f1f..12168fa695 100644
|
| |
+ index cd76f5999f..1e1cfce80c 100644
|
| |
--- a/doc/conf.py
|
| |
+++ b/doc/conf.py
|
| |
- @@ -278,7 +278,7 @@ else:
|
| |
+ @@ -281,7 +281,7 @@ else:
|
| |
rst_epilog += '''
|
| |
.. |krb5conf| replace:: ``/etc/krb5.conf``
|
| |
.. |defkeysalts| replace:: ``aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:normal``
|
| |
@@ -272,7 +273,7 @@
|
| |
.. |copy| unicode:: U+000A9
|
| |
'''
|
| |
diff --git a/doc/mitK5features.rst b/doc/mitK5features.rst
|
| |
- index ca2d6ef117..100c64a1c1 100644
|
| |
+ index 10effcf175..cad0855724 100644
|
| |
--- a/doc/mitK5features.rst
|
| |
+++ b/doc/mitK5features.rst
|
| |
@@ -37,7 +37,7 @@ Database backends: LDAP, DB2, LMDB
|
| |
@@ -307,10 +308,10 @@
|
| |
##DOS## $(WCONFIG) config < $@.in > $@
|
| |
##DOS##lib\crypto\builtin\camellia\Makefile: lib\crypto\builtin\camellia\Makefile.in $(MKFDEP)
|
| |
diff --git a/src/configure.ac b/src/configure.ac
|
| |
- index 40545f2bfc..8dc864718d 100644
|
| |
+ index 69be9030f8..2561e917a2 100644
|
| |
--- a/src/configure.ac
|
| |
+++ b/src/configure.ac
|
| |
- @@ -1489,12 +1489,12 @@ V5_AC_OUTPUT_MAKEFILE(.
|
| |
+ @@ -1513,12 +1513,12 @@ V5_AC_OUTPUT_MAKEFILE(.
|
| |
lib lib/kdb
|
| |
|
| |
lib/crypto lib/crypto/krb lib/crypto/crypto_tests
|
| |
@@ -326,7 +327,7 @@
|
| |
|
| |
lib/krb5 lib/krb5/error_tables lib/krb5/asn.1 lib/krb5/ccache
|
| |
diff --git a/src/include/krb5/krb5.hin b/src/include/krb5/krb5.hin
|
| |
- index 7e1dea2cbf..fb9f2a366c 100644
|
| |
+ index dd6430ece8..350bcf86f2 100644
|
| |
--- a/src/include/krb5/krb5.hin
|
| |
+++ b/src/include/krb5/krb5.hin
|
| |
@@ -426,8 +426,8 @@ typedef struct _krb5_crypto_iov {
|
| |
@@ -362,10 +363,10 @@
|
| |
#define CKSUMTYPE_HMAC_SHA1_96_AES128 0x000f /**< RFC 3962. Used with
|
| |
ENCTYPE_AES128_CTS_HMAC_SHA1_96 */
|
| |
diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c
|
| |
- index 9f2a67d189..b7a9aa4992 100644
|
| |
+ index e54cc751f9..ea10e23a95 100644
|
| |
--- a/src/kdc/kdc_util.c
|
| |
+++ b/src/kdc/kdc_util.c
|
| |
- @@ -1111,8 +1111,6 @@ enctype_name(krb5_enctype ktype, char *buf, size_t buflen)
|
| |
+ @@ -1164,8 +1164,6 @@ enctype_name(krb5_enctype ktype, char *buf, size_t buflen)
|
| |
name = "rsaEncryption-EnvOID";
|
| |
else if (ktype == ENCTYPE_RSA_ES_OAEP_ENV)
|
| |
name = "id-RSAES-OAEP-EnvOID";
|
| |
@@ -374,7 +375,7 @@
|
| |
else
|
| |
return krb5_enctype_to_name(ktype, FALSE, buf, buflen);
|
| |
|
| |
- @@ -1704,8 +1702,6 @@ krb5_boolean
|
| |
+ @@ -1657,8 +1655,6 @@ krb5_boolean
|
| |
enctype_requires_etype_info_2(krb5_enctype enctype)
|
| |
{
|
| |
switch(enctype) {
|
| |
@@ -414,7 +415,7 @@
|
| |
all-unix: all-liblinks
|
| |
install-unix: install-libs
|
| |
diff --git a/src/lib/crypto/builtin/Makefile.in b/src/lib/crypto/builtin/Makefile.in
|
| |
- index daf19da195..c9e967c807 100644
|
| |
+ index 243bb17ba3..30bfcd30c0 100644
|
| |
--- a/src/lib/crypto/builtin/Makefile.in
|
| |
+++ b/src/lib/crypto/builtin/Makefile.in
|
| |
@@ -1,6 +1,6 @@
|
| |
@@ -429,15 +430,6 @@
|
| |
$(srcdir)/kdf.c \
|
| |
$(srcdir)/pbkdf2.c
|
| |
|
| |
- -STOBJLISTS= des/OBJS.ST md4/OBJS.ST \
|
| |
- +STOBJLISTS= md4/OBJS.ST \
|
| |
- md5/OBJS.ST sha1/OBJS.ST sha2/OBJS.ST \
|
| |
- enc_provider/OBJS.ST \
|
| |
- hash_provider/OBJS.ST \
|
| |
- @@ -33,7 +33,7 @@ STOBJLISTS= des/OBJS.ST md4/OBJS.ST \
|
| |
- camellia/OBJS.ST \
|
| |
- OBJS.ST
|
| |
-
|
| |
-SUBDIROBJLISTS= des/OBJS.ST md4/OBJS.ST \
|
| |
+SUBDIROBJLISTS= md4/OBJS.ST \
|
| |
md5/OBJS.ST sha1/OBJS.ST sha2/OBJS.ST \
|
| |
@@ -4862,7 +4854,7 @@
|
| |
krb5int_camellia_encrypt
|
| |
krb5int_cmac_checksum
|
| |
diff --git a/src/lib/crypto/openssl/Makefile.in b/src/lib/crypto/openssl/Makefile.in
|
| |
- index 08de047d0a..88f7fd0a09 100644
|
| |
+ index cf11f6847b..8e4cdb8bbf 100644
|
| |
--- a/src/lib/crypto/openssl/Makefile.in
|
| |
+++ b/src/lib/crypto/openssl/Makefile.in
|
| |
@@ -1,6 +1,6 @@
|
| |
@@ -4873,32 +4865,15 @@
|
| |
LOCALINCLUDES=-I$(srcdir)/../krb $(CRYPTO_IMPL_CFLAGS)
|
| |
|
| |
STLIBOBJS=\
|
| |
- @@ -24,14 +24,14 @@ SRCS=\
|
| |
+ @@ -24,7 +24,7 @@ SRCS=\
|
| |
$(srcdir)/pbkdf2.c \
|
| |
$(srcdir)/sha256.c
|
| |
|
| |
- -STOBJLISTS= des/OBJS.ST md4/OBJS.ST \
|
| |
- +STOBJLISTS= md4/OBJS.ST \
|
| |
- md5/OBJS.ST sha1/OBJS.ST sha2/OBJS.ST \
|
| |
- enc_provider/OBJS.ST \
|
| |
- hash_provider/OBJS.ST \
|
| |
- aes/OBJS.ST \
|
| |
- OBJS.ST
|
| |
-
|
| |
-SUBDIROBJLISTS= des/OBJS.ST md4/OBJS.ST \
|
| |
+SUBDIROBJLISTS= md4/OBJS.ST \
|
| |
md5/OBJS.ST sha1/OBJS.ST sha2/OBJS.ST \
|
| |
enc_provider/OBJS.ST \
|
| |
hash_provider/OBJS.ST \
|
| |
- @@ -42,7 +42,7 @@ includes: depend
|
| |
-
|
| |
- depend: $(SRCS)
|
| |
-
|
| |
- -clean-unix:: clean-libobjs
|
| |
- +clean-unix:: clean-libobjsn
|
| |
-
|
| |
- @lib_frag@
|
| |
- @libobj_frag@
|
| |
diff --git a/src/lib/crypto/openssl/des/Makefile.in b/src/lib/crypto/openssl/des/Makefile.in
|
| |
deleted file mode 100644
|
| |
index a6cece1dd1..0000000000
|
| |
@@ -5244,10 +5219,10 @@
|
| |
}
|
| |
|
| |
diff --git a/src/lib/gssapi/krb5/accept_sec_context.c b/src/lib/gssapi/krb5/accept_sec_context.c
|
| |
- index d4e90793f9..1bc807172b 100644
|
| |
+ index b35e11bfb6..d7c2ad321e 100644
|
| |
--- a/src/lib/gssapi/krb5/accept_sec_context.c
|
| |
+++ b/src/lib/gssapi/krb5/accept_sec_context.c
|
| |
- @@ -1030,7 +1030,6 @@ kg_accept_krb5(minor_status, context_handle,
|
| |
+ @@ -1026,7 +1026,6 @@ kg_accept_krb5(minor_status, context_handle,
|
| |
}
|
| |
|
| |
switch (negotiated_etype) {
|
| |
@@ -5256,7 +5231,7 @@
|
| |
case ENCTYPE_ARCFOUR_HMAC_EXP:
|
| |
/* RFC 4121 accidentally omits RC4-HMAC-EXP as a "not-newer"
|
| |
diff --git a/src/lib/gssapi/krb5/gssapiP_krb5.h b/src/lib/gssapi/krb5/gssapiP_krb5.h
|
| |
- index a4446530fc..88d41130a7 100644
|
| |
+ index 7364607198..5aeb69aebc 100644
|
| |
--- a/src/lib/gssapi/krb5/gssapiP_krb5.h
|
| |
+++ b/src/lib/gssapi/krb5/gssapiP_krb5.h
|
| |
@@ -125,14 +125,14 @@ enum sgn_alg {
|
| |
@@ -5286,10 +5261,10 @@
|
| |
};
|
| |
|
| |
diff --git a/src/lib/gssapi/krb5/k5seal.c b/src/lib/gssapi/krb5/k5seal.c
|
| |
- index d1cdce486f..7f7146a0a2 100644
|
| |
+ index 99275be53a..0e5d10b115 100644
|
| |
--- a/src/lib/gssapi/krb5/k5seal.c
|
| |
+++ b/src/lib/gssapi/krb5/k5seal.c
|
| |
- @@ -136,19 +136,12 @@ make_seal_token_v1 (krb5_context context,
|
| |
+ @@ -142,19 +142,12 @@ make_seal_token_v1 (krb5_context context,
|
| |
|
| |
/* pad the plaintext, encrypt if needed, and stick it in the token */
|
| |
|
| |
@@ -5315,7 +5290,7 @@
|
| |
|
| |
code = krb5_c_checksum_length(context, md5cksum.checksum_type, &sumlen);
|
| |
if (code) {
|
| |
- @@ -196,20 +189,8 @@ make_seal_token_v1 (krb5_context context,
|
| |
+ @@ -203,20 +196,8 @@ make_seal_token_v1 (krb5_context context,
|
| |
gssalloc_free(t);
|
| |
return(code);
|
| |
}
|
| |
@@ -5327,22 +5302,22 @@
|
| |
- */
|
| |
- if (md5cksum.length != cksum_size)
|
| |
- abort ();
|
| |
- - memcpy (ptr+14, md5cksum.contents, md5cksum.length);
|
| |
+ - memcpy(checksum, md5cksum.contents, md5cksum.length);
|
| |
- break;
|
| |
- case SGN_ALG_HMAC_MD5:
|
| |
- - memcpy (ptr+14, md5cksum.contents, cksum_size);
|
| |
+ - memcpy(checksum, md5cksum.contents, cksum_size);
|
| |
- break;
|
| |
- }
|
| |
+
|
| |
- + memcpy (ptr+14, md5cksum.contents, cksum_size);
|
| |
+ + memcpy(checksum, md5cksum.contents, cksum_size);
|
| |
|
| |
krb5_free_checksum_contents(context, &md5cksum);
|
| |
|
| |
diff --git a/src/lib/gssapi/krb5/k5sealiov.c b/src/lib/gssapi/krb5/k5sealiov.c
|
| |
- index 9bb2ee1099..9147bb2c78 100644
|
| |
+ index 7bf7609a48..d5e12cb436 100644
|
| |
--- a/src/lib/gssapi/krb5/k5sealiov.c
|
| |
+++ b/src/lib/gssapi/krb5/k5sealiov.c
|
| |
- @@ -144,18 +144,11 @@ make_seal_token_v1_iov(krb5_context context,
|
| |
+ @@ -147,18 +147,11 @@ make_seal_token_v1_iov(krb5_context context,
|
| |
/* pad the plaintext, encrypt if needed, and stick it in the token */
|
| |
|
| |
/* initialize the checksum */
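Review bot: The unconditional `memcpy(checksum, md5cksum.contents, cksum_size);` that replaces the `switch` in make_seal_token_v1 (k5seal.c) copies `cksum_size` bytes with no comparison against `md5cksum.length`; the only length check at this spot was in the removed SGN_ALG_HMAC_SHA1_DES3_KD arm. If the computed checksum were ever shorter than `cksum_size`, the copy would read past `md5cksum.contents`, so a guard in the style of the removed one, `if (md5cksum.length < cksum_size) abort();`, would keep the invariant explicit. The copy also no longer depends on `signalg`, which is presumably safe only because HMAC-MD5 is the one v1 signing algorithm left, and a one-line comment saying so would help the next reader. The same applies to `memcpy(checksum, md5cksum.contents, ctx->cksum_size);` in make_seal_token_v1_iov in the next hunk. Both function bodies start and end outside the lines shown.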
|
| |
@@ -5366,20 +5341,20 @@
|
| |
|
| |
code = krb5_c_checksum_length(context, md5cksum.checksum_type, &k5_trailerlen);
|
| |
if (code != 0)
|
| |
- @@ -177,15 +170,7 @@ make_seal_token_v1_iov(krb5_context context,
|
| |
+ @@ -182,15 +175,7 @@ make_seal_token_v1_iov(krb5_context context,
|
| |
if (code != 0)
|
| |
goto cleanup;
|
| |
|
| |
- switch (ctx->signalg) {
|
| |
- case SGN_ALG_HMAC_SHA1_DES3_KD:
|
| |
- assert(md5cksum.length == ctx->cksum_size);
|
| |
- - memcpy(ptr + 14, md5cksum.contents, md5cksum.length);
|
| |
+ - memcpy(checksum, md5cksum.contents, md5cksum.length);
|
| |
- break;
|
| |
- case SGN_ALG_HMAC_MD5:
|
| |
- - memcpy(ptr + 14, md5cksum.contents, ctx->cksum_size);
|
| |
+ - memcpy(checksum, md5cksum.contents, ctx->cksum_size);
|
| |
- break;
|
| |
- }
|
| |
- + memcpy(ptr + 14, md5cksum.contents, ctx->cksum_size);
|
| |
+ + memcpy(checksum, md5cksum.contents, ctx->cksum_size);
|
| |
|
| |
/* create the seq_num */
|
| |
code = kg_make_seq_num(context, ctx->seq, ctx->initiate ? 0 : 0xFF,
|
| |
@@ -5618,7 +5593,7 @@
|
| |
case ENCTYPE_ARCFOUR_HMAC_EXP:
|
| |
/* RFC 4121 accidentally omits RC4-HMAC-EXP as a "not-newer" enctype,
|
| |
diff --git a/src/lib/krb5/krb/init_ctx.c b/src/lib/krb5/krb/init_ctx.c
|
| |
- index 87b486c53f..2b5abcd817 100644
|
| |
+ index a6c2bbeb54..18290b764b 100644
|
| |
--- a/src/lib/krb5/krb/init_ctx.c
|
| |
+++ b/src/lib/krb5/krb/init_ctx.c
|
| |
@@ -59,7 +59,6 @@
|
| |
@@ -5629,7 +5604,7 @@
|
| |
ENCTYPE_ARCFOUR_HMAC,
|
| |
ENCTYPE_CAMELLIA128_CTS_CMAC, ENCTYPE_CAMELLIA256_CTS_CMAC,
|
| |
0
|
| |
- @@ -450,8 +449,6 @@ krb5int_parse_enctype_list(krb5_context context, const char *profkey,
|
| |
+ @@ -460,8 +459,6 @@ krb5int_parse_enctype_list(krb5_context context, const char *profkey,
|
| |
/* Set all enctypes in the default list. */
|
| |
for (i = 0; default_list[i]; i++)
|
| |
mod_list(default_list[i], sel, weak, &list);
|
| |
@@ -5769,10 +5744,10 @@
|
| |
#define CKK_CAST3 (0x17)
|
| |
#define CKK_CAST128 (0x18)
|
| |
diff --git a/src/plugins/preauth/pkinit/pkinit_crypto.h b/src/plugins/preauth/pkinit/pkinit_crypto.h
|
| |
- index 94a1b22fb1..65f6210727 100644
|
| |
+ index e22798f668..9fa315d7a0 100644
|
| |
--- a/src/plugins/preauth/pkinit/pkinit_crypto.h
|
| |
+++ b/src/plugins/preauth/pkinit/pkinit_crypto.h
|
| |
- @@ -376,11 +376,11 @@ krb5_error_code server_process_dh
|
| |
+ @@ -370,11 +370,11 @@ krb5_error_code server_process_dh
|
| |
* krb5_algorithm_identifier
|
| |
*/
|
| |
krb5_error_code create_krb5_supportedCMSTypes
|
| |
@@ -5874,10 +5849,10 @@
|
| |
/* initial key, w, x, y, T, S, K */
|
| |
"8846F7EAEE8FB117AD06BDD830B7586C",
|
| |
diff --git a/src/tests/gssapi/t_enctypes.py b/src/tests/gssapi/t_enctypes.py
|
| |
- index 7494d7fcdb..2f95d89967 100755
|
| |
+ index f5f11842e2..1bb8c40b6b 100755
|
| |
--- a/src/tests/gssapi/t_enctypes.py
|
| |
+++ b/src/tests/gssapi/t_enctypes.py
|
| |
- @@ -1,24 +1,17 @@
|
| |
+ @@ -1,25 +1,17 @@
|
| |
from k5test import *
|
| |
|
| |
-# Define some convenience abbreviations for enctypes we will see in
|
| |
@@ -5901,13 +5876,14 @@
|
| |
# These tests make assumptions about the default enctype lists, so set
|
| |
# them explicitly rather than relying on the library defaults.
|
| |
-supp='aes256-cts:normal aes128-cts:normal des3-cbc-sha1:normal rc4-hmac:normal'
|
| |
- -conf = {'libdefaults': {'permitted_enctypes': 'aes des3 rc4'},
|
| |
+ -conf = {'libdefaults': {'permitted_enctypes': 'aes des3 rc4',
|
| |
+ - 'allow_des3': 'true', 'allow_rc4': 'true'},
|
| |
+supp='aes256-cts:normal aes128-cts:normal rc4-hmac:normal'
|
| |
- +conf = {'libdefaults': {'permitted_enctypes': 'aes rc4'},
|
| |
+ +conf = {'libdefaults': {'permitted_enctypes': 'aes rc4', 'allow_rc4': 'true'},
|
| |
'realms': {'$realm': {'supported_enctypes': supp}}}
|
| |
realm = K5Realm(krb5_conf=conf)
|
| |
shutil.copyfile(realm.ccache, os.path.join(realm.testdir, 'save'))
|
| |
- @@ -87,19 +80,12 @@ test('both aes128', 'aes128-cts', 'aes128-cts',
|
| |
+ @@ -88,19 +80,12 @@ test('both aes128', 'aes128-cts', 'aes128-cts',
|
| |
test_err('acc aes128', None, 'aes128-cts',
|
| |
'Encryption type aes256-cts-hmac-sha1-96 not permitted')
|
| |
|
| |
@@ -5928,7 +5904,7 @@
|
| |
# subkey.
|
| |
test('upgrade noargs', None, None,
|
| |
tktenc=aes256, tktsession=d_rc4,
|
| |
- @@ -115,13 +101,6 @@ test('upgrade init aes128+rc4', 'aes128-cts rc4', None,
|
| |
+ @@ -116,13 +101,6 @@ test('upgrade init aes128+rc4', 'aes128-cts rc4', None,
|
| |
tktenc=aes256, tktsession=d_rc4,
|
| |
proto='cfx', isubkey=rc4, asubkey=aes128)
|
| |
|
| |
@@ -6019,10 +5995,10 @@
|
| |
"3BB3AE288C12B3B9D06B208A4151B3B6",
|
| |
"9AEA11A3BCF3C53F1F91F5A0BA2132E2501ADF5F3C28"
|
| |
diff --git a/src/tests/t_authdata.py b/src/tests/t_authdata.py
|
| |
- index 97e2474bf8..47ea9e4b47 100644
|
| |
+ index bde1c36844..8fcd30db51 100644
|
| |
--- a/src/tests/t_authdata.py
|
| |
+++ b/src/tests/t_authdata.py
|
| |
- @@ -164,7 +164,7 @@ realm.run([kvno, 'restricted'])
|
| |
+ @@ -179,7 +179,7 @@ realm.run([kvno, 'restricted'])
|
| |
# preferred krbtgt enctype changes.
|
| |
mark('#8139 regression test')
|
| |
realm.kinit(realm.user_princ, password('user'), ['-f'])
|
| |
@@ -6032,17 +6008,19 @@
|
| |
realm.run(['./forward'])
|
| |
realm.run([kvno, realm.host_princ])
|
| |
diff --git a/src/tests/t_etype_info.py b/src/tests/t_etype_info.py
|
| |
- index c982508d8b..96e90a69d2 100644
|
| |
+ index 38cf96ca8f..e82ff7ff07 100644
|
| |
--- a/src/tests/t_etype_info.py
|
| |
+++ b/src/tests/t_etype_info.py
|
| |
- @@ -1,6 +1,6 @@
|
| |
+ @@ -1,7 +1,7 @@
|
| |
from k5test import *
|
| |
|
| |
-supported_enctypes = 'aes128-cts des3-cbc-sha1 rc4-hmac'
|
| |
+ -conf = {'libdefaults': {'allow_des3': 'true', 'allow_rc4': 'true'},
|
| |
+supported_enctypes = 'aes128-cts rc4-hmac'
|
| |
- conf = {'libdefaults': {'allow_weak_crypto': 'true'},
|
| |
+ +conf = {'libdefaults': {'allow_rc4': 'true'},
|
| |
'realms': {'$realm': {'supported_enctypes': supported_enctypes}}}
|
| |
realm = K5Realm(create_host=False, get_creds=False, krb5_conf=conf)
|
| |
+
|
| |
@@ -26,9 +26,9 @@ def test_etinfo(princ, enctypes, expected_lines):
|
| |
# With no newer enctypes in the request, PA-ETYPE-INFO2,
|
| |
# PA-ETYPE-INFO, and PA-PW-SALT appear in the AS-REP, each listing one
|
| |
@@ -6081,7 +6059,7 @@
|
| |
# Verify that etype-info2 is included in a MORE_PREAUTH_DATA_REQUIRED
|
| |
# error if the client does optimistic preauth.
|
| |
diff --git a/src/tests/t_keyrollover.py b/src/tests/t_keyrollover.py
|
| |
- index 2c825a6922..f29e0d5500 100755
|
| |
+ index e9840dfae8..583c2fa27e 100755
|
| |
--- a/src/tests/t_keyrollover.py
|
| |
+++ b/src/tests/t_keyrollover.py
|
| |
@@ -37,9 +37,9 @@ realm.run([klist, '-e'], expected_msg=msg)
|
| |
@@ -6181,24 +6159,50 @@
|
| |
|
| |
# Test using different salt types in a principal's key list.
|
| |
# Parameters from one key in the list must not leak over to later ones.
|
| |
+ diff --git a/src/tests/t_sesskeynego.py b/src/tests/t_sesskeynego.py
|
| |
+ index 5a213617b5..c7dba0ff5b 100755
|
| |
+ --- a/src/tests/t_sesskeynego.py
|
| |
+ +++ b/src/tests/t_sesskeynego.py
|
| |
+ @@ -26,7 +26,6 @@ conf3 = {'libdefaults': {
|
| |
+ 'default_tgs_enctypes': 'rc4-hmac,aes128-cts'}}
|
| |
+ conf4 = {'libdefaults': {'permitted_enctypes': 'aes256-cts'}}
|
| |
+ conf5 = {'libdefaults': {'allow_rc4': 'true'}}
|
| |
+ -conf6 = {'libdefaults': {'allow_des3': 'true'}}
|
| |
+ # Test with client request and session_enctypes preferring aes128, but
|
| |
+ # aes256 long-term key.
|
| |
+ realm = K5Realm(krb5_conf=conf1, create_host=False, get_creds=False)
|
| |
+ @@ -78,13 +77,6 @@ realm.run([kadminl, 'setstr', 'server', 'session_enctypes', 'rc4-hmac'])
|
| |
+ test_kvno(realm, 'DEPRECATED:arcfour-hmac', 'aes256-cts-hmac-sha1-96')
|
| |
+ realm.stop()
|
| |
+
|
| |
+ -# 6: allow_des3 permits negotiation of des3-cbc-sha1 session key.
|
| |
+ -realm = K5Realm(krb5_conf=conf6, create_host=False, get_creds=False)
|
| |
+ -realm.run([kadminl, 'addprinc', '-randkey', '-e', 'aes256-cts', 'server'])
|
| |
+ -realm.run([kadminl, 'setstr', 'server', 'session_enctypes', 'des3-cbc-sha1'])
|
| |
+ -test_kvno(realm, 'DEPRECATED:des3-cbc-sha1', 'aes256-cts-hmac-sha1-96')
|
| |
+ -realm.stop()
|
| |
+ -
|
| |
+ # 7: default config negotiates aes256-sha1 session key for RC4-only service.
|
| |
+ realm = K5Realm(create_host=False, get_creds=False)
|
| |
+ realm.run([kadminl, 'addprinc', '-randkey', '-e', 'rc4-hmac', 'server'])
|
| |
diff --git a/src/util/k5test.py b/src/util/k5test.py
|
| |
- index 619f1995f8..771f82e3cc 100644
|
| |
+ index 8e5f5ba8e9..b953827018 100644
|
| |
--- a/src/util/k5test.py
|
| |
+++ b/src/util/k5test.py
|
| |
- @@ -1344,13 +1344,6 @@ _passes = [
|
| |
+ @@ -1338,13 +1338,6 @@ _passes = [
|
| |
# No special settings; exercises AES256.
|
| |
('default', None, None, None),
|
| |
|
| |
- # Exercise the DES3 enctype.
|
| |
- ('des3', None,
|
| |
- - {'libdefaults': {'permitted_enctypes': 'des3'}},
|
| |
+ - {'libdefaults': {'permitted_enctypes': 'des3 aes256-sha1'}},
|
| |
- {'realms': {'$realm': {
|
| |
- 'supported_enctypes': 'des3-cbc-sha1:normal',
|
| |
- 'master_key_type': 'des3-cbc-sha1'}}}),
|
| |
-
|
| |
# Exercise the arcfour enctype.
|
| |
('arcfour', None,
|
| |
- {'libdefaults': {'permitted_enctypes': 'rc4'}},
|
| |
+ {'libdefaults': {'permitted_enctypes': 'rc4 aes256-sha1'}},
|
| |
diff --git a/src/windows/leash/htmlhelp/html/Encryption_Types.htm b/src/windows/leash/htmlhelp/html/Encryption_Types.htm
|
| |
index 1aebdd0b4a..c38eefd2bd 100644
|
| |
--- a/src/windows/leash/htmlhelp/html/Encryption_Types.htm
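Review bot: In the t_sesskeynego.py section, case 6 is deleted outright, so this file no longer exercises a service principal whose `session_enctypes` string still names `des3-cbc-sha1`, a value that upgraded databases may still carry. Rather than only dropping the positive test, consider keeping the `addprinc`/`setstr` setup and asserting what the KDC now does with the unsupported name (presumably it is skipped and an AES session key is negotiated, but that needs confirming against the new build). The surviving comment `# 7: default config negotiates aes256-sha1 session key for RC4-only service.` now leaves a gap in the case numbering. Renumbering it would be clearer, at the cost of a larger delta against upstream.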
|
| |
@@ -6224,5 +6228,5 @@
|
| |
<td>The AES Advanced Encryption Standard
|
| |
family, like 3DES, is a symmetric block cipher and was designed
|
| |
--
|
| |
- 2.38.1
|
| |
+ 2.40.1
|
| |
|
| |
Replace file dependency by package name
Resolves: rhbz#2216903
Do not disable PKINIT if some of the well-known DH groups are unavailable
Resolves: rhbz#2214297
Make PKINIT CMS SHA-1 signature verification available in FIPS mode
Resolves: rhbz#2214300
Allow to set PAC ticket signature as optional
Resolves: rhbz#2181311
Add support for MS-PAC extended KDC signature (CVE-2022-37967)
Resolves: rhbz#2166001
Fix syntax error in aclocal.m4
Resolves: rhbz#2143306