author | Greg Hudson <ghudson@mit.edu> | 2020-09-14 20:40:29 -0400 |
---|---|---|
committer | Greg Hudson <ghudson@mit.edu> | 2020-09-18 12:07:54 -0400 |
commit | 39fecf78796bbdde1e3d4828b86f64f05d9e4c77 (patch) | |
tree | 15319a34848f2a3fc8e8c39312baecf72044dce4 | |
parent | 05deeebfc096970b5d9aa67a48b14106cf1b9b56 (diff) | |
download | krb5-39fecf78796bbdde1e3d4828b86f64f05d9e4c77.zip krb5-39fecf78796bbdde1e3d4828b86f64f05d9e4c77.tar.gz krb5-39fecf78796bbdde1e3d4828b86f64f05d9e4c77.tar.bz2 |
Warn when des3-cbc-sha1 is used for initial auth
During initial authentication, if des3-cbc-sha1 is used for either the
reply key or session key, display a warning that it will be disabled.
ticket: 8947 (new)
-rw-r--r-- | src/lib/krb5/krb/get_in_tkt.c | 21 |
1 files changed, 21 insertions, 0 deletions
diff --git a/src/lib/krb5/krb/get_in_tkt.c b/src/lib/krb5/krb/get_in_tkt.c
index 0245f11..ab8f4eb 100644
--- a/src/lib/krb5/krb/get_in_tkt.c
+++ b/src/lib/krb5/krb/get_in_tkt.c
@@ -1589,6 +1589,26 @@ warn_pw_expiry(krb5_context context, krb5_get_init_creds_opt *options,
     (*prompter)(context, data, 0, banner, 0, 0);
 }
 
+/* Display a warning via the prompter if des3-cbc-sha1 was used for either the
+ * reply key or the session key. */
+static void
+warn_des3(krb5_context context, krb5_init_creds_context ctx,
+          krb5_enctype as_key_enctype)
+{
+    const char *banner;
+
+    if (as_key_enctype != ENCTYPE_DES3_CBC_SHA1 &&
+        ctx->cred.keyblock.enctype != ENCTYPE_DES3_CBC_SHA1)
+        return;
+    if (ctx->prompter == NULL)
+        return;
+
+    banner = _("Warning: encryption type des3-cbc-sha1 used for "
+               "authentication is weak and will be disabled");
+    /* PROMPTER_INVOCATION */
+    (*ctx->prompter)(context, ctx->prompter_data, NULL, banner, 0, NULL);
+}
+
 static krb5_error_code
 init_creds_step_reply(krb5_context context,
                       krb5_init_creds_context ctx,
@@ -1802,6 +1822,7 @@ init_creds_step_reply(krb5_context context,
     ctx->complete = TRUE;
     warn_pw_expiry(context, ctx->opt, ctx->prompter, ctx->prompter_data,
                    ctx->in_tkt_service, ctx->reply);
+    warn_des3(context, ctx, encrypting_key.enctype);
 
 cleanup:
     krb5_free_pa_data(context, kdc_padata);
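Review bot: warn_des3 discards the warning entirely at the second early return when ctx->prompter is NULL, so any caller that obtains initial credentials without a prompter (presumably the non-interactive library and keytab paths, though I have not traced every caller) gets no indication that it depends on an enctype about to be removed. If this file already has a TRACE_ macro for init-creds events, emitting one before the prompter check would make the condition visible under KRB5_TRACE regardless of how the caller was invoked; I have not checked the trace header, so the exact macro name is yours to choose. A smaller point: the banner does not say whether the reply key or the session key was des3-cbc-sha1, and the remediation differs (the client principal's long-term key versus the key the KDC selected for the session), so I would either split the message or at least annotate the enctype test with `/* as_key_enctype: the reply key derived from the client's long-term key; ctx->cred.keyblock: the session key chosen by the KDC. */`. warn_des3 starts and ends inside this hunk; the second hunk sits inside init_creds_step_reply, whose body begins and ends outside it.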