Skip to content
Permalink
Browse files
8139348: Deprecate 3DES and RC4 in Kerberos
Reviewed-by: mullan
  • Loading branch information
wangweij committed Feb 25, 2021
1 parent 5a9b701 commit ded96ddcde1e9e8556a6ce8948acef27b6e192cc
Show file tree
Hide file tree
Showing 7 changed files with 64 additions and 43 deletions.
@@ -1,5 +1,5 @@
/*
* Copyright (c) 2000, 2017, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2000, 2021, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -236,8 +236,8 @@ public static int[] getBuiltInDefaults() {
result = BUILTIN_ETYPES;
}
if (!allowWeakCrypto) {
// The last 2 etypes are now weak ones
return Arrays.copyOfRange(result, 0, result.length - 2);
// The last 4 etypes are now weak ones
return Arrays.copyOfRange(result, 0, result.length - 4);
}
return result;
}
@@ -1,5 +1,5 @@
/*
* Copyright (c) 2010, 2018, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2010, 2021, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -45,7 +45,7 @@ public static void main(String[] args)
KDC kdc = new OneKDC(null);
if (System.getProperty("onlyonepreauth") != null) {
KDC.saveConfig(OneKDC.KRB5_CONF, kdc,
"default_tgs_enctypes=des3-cbc-sha1");
"default_tgs_enctypes=aes128-sha1");
Config.refresh();
kdc.setOption(KDC.Option.ONLY_ONE_PREAUTH, true);
}
@@ -1,5 +1,5 @@
/*
* Copyright (c) 2010, 2018, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2010, 2021, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -27,12 +27,12 @@
* @summary kerberos login failure on win2008 with AD set to win2000 compat mode
* and cannot login if session key and preauth does not use the same etype
* @library /test/lib
* @compile -XDignore.symbol.file W83.java
* @run main jdk.test.lib.FileInstaller TestHosts TestHosts
* @run main/othervm -D6932525 -Djdk.net.hosts.file=TestHosts W83
* @run main/othervm -D6959292 -Djdk.net.hosts.file=TestHosts W83
*/
import com.sun.security.auth.module.Krb5LoginModule;
import java.io.File;
import sun.security.krb5.Config;
import sun.security.krb5.EncryptedData;
import sun.security.krb5.PrincipalName;
@@ -49,7 +49,8 @@ public static void main(String[] args) throws Exception {
KDC kdc = new KDC(OneKDC.REALM, "127.0.0.1", 0, true);
kdc.addPrincipal(OneKDC.USER, OneKDC.PASS);
kdc.addPrincipalRandKey("krbtgt/" + OneKDC.REALM);
KDC.saveConfig(OneKDC.KRB5_CONF, kdc);
KDC.saveConfig(OneKDC.KRB5_CONF, kdc,
"allow_weak_crypto = true");
System.setProperty("java.security.krb5.conf", OneKDC.KRB5_CONF);
Config.refresh();

@@ -1,5 +1,5 @@
/*
* Copyright (c) 2010, 2013, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2010, 2021, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -22,7 +22,7 @@
*/
/*
* @test
* @bug 6844909 8012679
* @bug 6844909 8012679 8139348
* @modules java.security.jgss/sun.security.krb5
* java.security.jgss/sun.security.krb5.internal.crypto
* @run main/othervm WeakCrypto
@@ -31,34 +31,52 @@
* @summary support allow_weak_crypto in krb5.conf
*/

import java.io.File;
import java.lang.Exception;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.util.Arrays;
import java.util.List;

import sun.security.krb5.EncryptionKey;
import sun.security.krb5.internal.crypto.EType;
import sun.security.krb5.EncryptedData;

public class WeakCrypto {

static List<Integer> weakOnes = List.of(
EncryptedData.ETYPE_DES_CBC_CRC,
EncryptedData.ETYPE_DES_CBC_MD5,
EncryptedData.ETYPE_DES3_CBC_HMAC_SHA1_KD,
EncryptedData.ETYPE_ARCFOUR_HMAC
);

public static void main(String[] args) throws Exception {

String conf = "[libdefaults]\n" +
(args.length > 0 ? ("allow_weak_crypto = " + args[0]) : "");
Files.write(Paths.get("krb5.conf"), conf.getBytes());
System.setProperty("java.security.krb5.conf", "krb5.conf");

boolean expected = args.length != 0 && args[0].equals("true");
int[] etypes = EType.getBuiltInDefaults();
// expected number of supported weak etypes
int expected = 0;
if (args.length != 0 && args[0].equals("true")) {
expected = weakOnes.size();
}

boolean found = false;
for (int i=0, length = etypes.length; i<length; i++) {
if (etypes[i] == EncryptedData.ETYPE_DES_CBC_CRC ||
etypes[i] == EncryptedData.ETYPE_DES_CBC_MD4 ||
etypes[i] == EncryptedData.ETYPE_DES_CBC_MD5) {
found = true;
}
// Ensure EType.getBuiltInDefaults() has the correct etypes
if (Arrays.stream(EType.getBuiltInDefaults())
.filter(weakOnes::contains)
.count() != expected) {
throw new Exception("getBuiltInDefaults fails");
}
if (expected != found) {
throw new Exception();

// Ensure keys generated have the correct etypes
if (Arrays.stream(EncryptionKey.acquireSecretKeys(
"password".toCharArray(), "salt"))
.map(EncryptionKey::getEType)
.filter(weakOnes::contains)
.count() != expected) {
throw new Exception("acquireSecretKeys fails");
}
}
}

This file was deleted.

@@ -1,5 +1,5 @@
/*
* Copyright (c) 2010, 2019, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2010, 2021, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -34,7 +34,7 @@

/*
* @test
* @bug 6950546
* @bug 6950546 8139348
* @summary "ktab -d name etype" to "ktab -d name [-e etype] [kvno | all | old]"
* @requires os.family == "windows"
* @library /test/lib
@@ -49,39 +49,43 @@ public static void main(String[] args) throws Exception {

Files.deleteIfExists(Path.of(KEYTAB));

// This test uses a krb5.conf file (onlythree.conf) in which
// only 3 etypes in the default_tkt_enctypes setting are enabled
// by default: aes128-cts(17), aes256-cts(18), and aes128-sha2(19).

ktab("-a me mine");
check(1,16,1,23,1,17);
check(1,17,1,18,1,19);
ktab("-a me mine -n 0");
check(0,16,0,23,0,17);
check(0,17,0,18,0,19);
ktab("-a me mine -n 1 -append");
check(0,16,0,23,0,17,1,16,1,23,1,17);
check(0,17,0,18,0,19,1,17,1,18,1,19);
ktab("-a me mine -append");
check(0,16,0,23,0,17,1,16,1,23,1,17,2,16,2,23,2,17);
check(0,17,0,18,0,19,1,17,1,18,1,19,2,17,2,18,2,19);
ktab("-a me mine");
check(3,16,3,23,3,17);
check(3,17,3,18,3,19);
ktab("-a me mine -n 4 -append");
check(3,16,3,23,3,17,4,16,4,23,4,17);
check(3,17,3,18,3,19,4,17,4,18,4,19);
ktab("-a me mine -n 5 -append");
check(3,16,3,23,3,17,4,16,4,23,4,17,5,16,5,23,5,17);
check(3,17,3,18,3,19,4,17,4,18,4,19,5,17,5,18,5,19);
ktab("-a me mine -n 6 -append");
check(3,16,3,23,3,17,4,16,4,23,4,17,5,16,5,23,5,17,6,16,6,23,6,17);
check(3,17,3,18,3,19,4,17,4,18,4,19,5,17,5,18,5,19,6,17,6,18,6,19);
ktab("-d me 3");
check(4,16,4,23,4,17,5,16,5,23,5,17,6,16,6,23,6,17);
ktab("-d me -e 16 6");
check(4,16,4,23,4,17,5,16,5,23,5,17,6,23,6,17);
check(4,17,4,18,4,19,5,17,5,18,5,19,6,17,6,18,6,19);
ktab("-d me -e 17 6");
check(4,16,4,23,4,17,5,16,5,23,5,17,6,23);
ktab("-d me -e 16 5");
check(4,16,4,23,4,17,5,23,5,17,6,23);
check(4,17,4,18,4,19,5,17,5,18,5,19,6,18,6,19);
ktab("-d me -e 19 6");
check(4,17,4,18,4,19,5,17,5,18,5,19,6,18);
ktab("-d me -e 17 5");
check(4,17,4,18,4,19,5,18,5,19,6,18);
ktab("-d me old");
check(4,16,5,17,6,23);
check(4,17,5,19,6,18);
try {
ktab("-d me old");
throw new Exception("Should fail");
} catch (Exception e) {
// no-op
}
check(4,16,5,17,6,23);
check(4,17,5,19,6,18);
ktab("-d me");
check();
}
@@ -1,6 +1,6 @@
[libdefaults]
default_realm = LOCAL.COM
default_tkt_enctypes = des3-cbc-sha1 rc4-hmac aes128-cts
default_tkt_enctypes = des-cbc-crc des-cbc-md5 des3-cbc-sha1 rc4-hmac aes128-cts aes256-cts aes128-sha2

[realms]
LOCAL.COM = {

0 comments on commit ded96dd

Please sign in to comment.