Date:      Mon, 10 Jun 2019 19:22:36 +0000 (UTC)
From:      John Baldwin <jhb@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject:   svn commit: r348875 - head/sys/kgssapi/krb5
Message-ID:  <201906101922.x5AJMa3P015444@repo.freebsd.org>

Author: jhb
Date: Mon Jun 10 19:22:36 2019
New Revision: 348875
URL: https://svnweb.freebsd.org/changeset/base/348875

Log:
  Add warnings for Kerberos GSS algorithms deprecated in RFCs 6649 and 8429.
  
  All of these algorithms are explicitly marked SHOULD NOT in one of these
  RFCs.
  
  Specifically, RFC 6649 deprecates all algorithms using DES as well as
  the "export-friendly" variant of RC4.  RFC 8429 deprecates Triple DES
  and the remaining RC4 algorithms.
  
  Reviewed by:	cem
  MFC after:	1 month
  Sponsored by:	Chelsio Communications
  Differential Revision:	https://reviews.freebsd.org/D20343

Modified:
  head/sys/kgssapi/krb5/kcrypto_arcfour.c
  head/sys/kgssapi/krb5/kcrypto_des.c
  head/sys/kgssapi/krb5/kcrypto_des3.c

Modified: head/sys/kgssapi/krb5/kcrypto_arcfour.c
==============================================================================
--- head/sys/kgssapi/krb5/kcrypto_arcfour.c	Mon Jun 10 19:01:54 2019	(r348874)
+++ head/sys/kgssapi/krb5/kcrypto_arcfour.c	Mon Jun 10 19:22:36 2019	(r348875)
@@ -46,8 +46,12 @@ __FBSDID("$FreeBSD$");
 static void
 arcfour_init(struct krb5_key_state *ks)
 {
+	static struct timeval lastwarn;
+	static struct timeval warninterval = { .tv_sec = 3600, .tv_usec = 0 };
 
 	ks->ks_priv = NULL;
+	if (ratecheck(&lastwarn, &warninterval))
+		gone_in(13, "RC4 cipher for Kerberos GSS");
 }
 
 static void
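Review bot: `warninterval` in arcfour_init is never written and is only handed to ratecheck() as the interval, so it can be declared `static const struct timeval warninterval = { .tv_sec = 3600 };`. `lastwarn` is a function-local static that ratecheck() updates, and the hunk shows no lock around it, so two contexts initialised at the same moment may both print the warning. That is probably acceptable for a deprecation notice, but a comment such as `/* lastwarn is unlocked: a race only duplicates a warning */` would record that it is deliberate. The same two declarations and the same check are repeated in des1_init and des3_init; a small shared helper taking the message string would keep the interval and the release number in one place.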

Modified: head/sys/kgssapi/krb5/kcrypto_des.c
==============================================================================
--- head/sys/kgssapi/krb5/kcrypto_des.c	Mon Jun 10 19:01:54 2019	(r348874)
+++ head/sys/kgssapi/krb5/kcrypto_des.c	Mon Jun 10 19:22:36 2019	(r348875)
@@ -53,11 +53,15 @@ struct des1_state {
 static void
 des1_init(struct krb5_key_state *ks)
 {
+	static struct timeval lastwarn;
+	static struct timeval warninterval = { .tv_sec = 3600, .tv_usec = 0 };
 	struct des1_state *ds;
 
 	ds = malloc(sizeof(struct des1_state), M_GSSAPI, M_WAITOK|M_ZERO);
 	mtx_init(&ds->ds_lock, "gss des lock", NULL, MTX_DEF);
 	ks->ks_priv = ds;
+	if (ratecheck(&lastwarn, &warninterval))
+		gone_in(13, "DES cipher for Kerberos GSS");
 }
 
 static void
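Review bot: The warning at the end of des1_init is advisory only: the key state is still allocated and stored in `ks->ks_priv` as before, so single-DES contexts keep working, and nothing in the code says this is intended. A comment above the check would help, for example `/* Warn only; RFC 6649 marks DES SHOULD NOT but the enctype is still accepted. */`. Because ratecheck() lets one message through per hour and the string names no peer or principal, the log shows that DES was used at least once in that hour, not how often or by whom. If the message is meant to drive migration off DES, that limit is worth stating in the comment as well.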

Modified: head/sys/kgssapi/krb5/kcrypto_des3.c
==============================================================================
--- head/sys/kgssapi/krb5/kcrypto_des3.c	Mon Jun 10 19:01:54 2019	(r348874)
+++ head/sys/kgssapi/krb5/kcrypto_des3.c	Mon Jun 10 19:22:36 2019	(r348875)
@@ -54,11 +54,15 @@ struct des3_state {
 static void
 des3_init(struct krb5_key_state *ks)
 {
+	static struct timeval lastwarn;
+	static struct timeval warninterval = { .tv_sec = 3600, .tv_usec = 0 };
 	struct des3_state *ds;
 
 	ds = malloc(sizeof(struct des3_state), M_GSSAPI, M_WAITOK|M_ZERO);
 	mtx_init(&ds->ds_lock, "gss des3 lock", NULL, MTX_DEF);
 	ks->ks_priv = ds;
+	if (ratecheck(&lastwarn, &warninterval))
+		gone_in(13, "DES3 cipher for Kerberos GSS");
 }
 
 static void


