From: John Baldwin <jhb@FreeBSD.org>
Date: Mon, 10 Jun 2019 19:22:36 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject: svn commit: r348875 - head/sys/kgssapi/krb5
Message-Id: <201906101922.x5AJMa3P015444@repo.freebsd.org>
X-SVN-Group: head
X-SVN-Commit-Author: jhb
X-SVN-Commit-Paths: head/sys/kgssapi/krb5
X-SVN-Commit-Revision: 348875
X-SVN-Commit-Repository: base
List-Id: SVN commit messages for the src tree for head/-current

Author: jhb
Date: Mon Jun 10 19:22:36 2019
New Revision: 348875

URL: https://svnweb.freebsd.org/changeset/base/348875

Log:
  Add warnings for Kerberos GSS algorithms deprecated in RFCs 6649 and 8429.

  All of these algorithms are explicitly marked SHOULD NOT in one of these
  RFCs.  Specifically, RFC 6649 deprecates all algorithms using DES as well
  as the "export-friendly" variant of RC4.  RFC 8429 deprecates Triple DES
  and the remaining RC4 algorithms.
Reviewed by: cem MFC after: 1 month Sponsored by: Chelsio Communications Differential Revision: https://reviews.freebsd.org/D20343 Modified: head/sys/kgssapi/krb5/kcrypto_arcfour.c head/sys/kgssapi/krb5/kcrypto_des.c head/sys/kgssapi/krb5/kcrypto_des3.c Modified: head/sys/kgssapi/krb5/kcrypto_arcfour.c ============================================================================== --- head/sys/kgssapi/krb5/kcrypto_arcfour.c Mon Jun 10 19:01:54 2019 (r348874) +++ head/sys/kgssapi/krb5/kcrypto_arcfour.c Mon Jun 10 19:22:36 2019 (r348875) @@ -46,8 +46,12 @@ __FBSDID("$FreeBSD$"); static void arcfour_init(struct krb5_key_state *ks) { + static struct timeval lastwarn; + static struct timeval warninterval = { .tv_sec = 3600, .tv_usec = 0 }; ks->ks_priv = NULL; + if (ratecheck(&lastwarn, &warninterval)) + gone_in(13, "RC4 cipher for Kerberos GSS"); } static void Modified: head/sys/kgssapi/krb5/kcrypto_des.c ============================================================================== --- head/sys/kgssapi/krb5/kcrypto_des.c Mon Jun 10 19:01:54 2019 (r348874) +++ head/sys/kgssapi/krb5/kcrypto_des.c Mon Jun 10 19:22:36 2019 (r348875) @@ -53,11 +53,15 @@ struct des1_state { static void des1_init(struct krb5_key_state *ks) { + static struct timeval lastwarn; + static struct timeval warninterval = { .tv_sec = 3600, .tv_usec = 0 }; struct des1_state *ds; ds = malloc(sizeof(struct des1_state), M_GSSAPI, M_WAITOK|M_ZERO); mtx_init(&ds->ds_lock, "gss des lock", NULL, MTX_DEF); ks->ks_priv = ds; + if (ratecheck(&lastwarn, &warninterval)) + gone_in(13, "DES cipher for Kerberos GSS"); } static void Modified: head/sys/kgssapi/krb5/kcrypto_des3.c ============================================================================== --- head/sys/kgssapi/krb5/kcrypto_des3.c Mon Jun 10 19:01:54 2019 (r348874) +++ head/sys/kgssapi/krb5/kcrypto_des3.c Mon Jun 10 19:22:36 2019 (r348875) 
@@ -54,11 +54,15 @@ struct des3_state { static void des3_init(struct krb5_key_state *ks) { + static struct timeval lastwarn; + static struct timeval warninterval = { .tv_sec = 3600, .tv_usec = 0 }; struct des3_state *ds; ds = malloc(sizeof(struct des3_state), M_GSSAPI, M_WAITOK|M_ZERO); mtx_init(&ds->ds_lock, "gss des3 lock", NULL, MTX_DEF); ks->ks_priv = ds; + if (ratecheck(&lastwarn, &warninterval)) + gone_in(13, "DES3 cipher for Kerberos GSS"); } static void
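Review bot: In the kcrypto_arcfour.c hunk, `warninterval` is never modified after its initializer and ratecheck(9) only reads its interval argument, so it should be `static const struct timeval warninterval = { .tv_sec = 3600, .tv_usec = 0 };`; the same applies to the copies in kcrypto_des.c and kcrypto_des3.c. Consider also naming the RFC in the message, e.g. "RC4 cipher for Kerberos GSS (RFC 8429)": the log entry distinguishes the export variant (deprecated by RFC 6649) from the rest of RC4 (RFC 8429), but the single message printed by arcfour_init() gives an operator nothing to look up.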
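Review bot: In the kcrypto_des.c hunk the two static timevals, the `ratecheck()` call and the `gone_in()` call are the same lines that des3_init() and arcfour_init() add, differing only in the message string. A small shared helper in the kgssapi krb5 code, for example a hypothetical `krb5_warn_deprecated(struct timeval *lastwarn, const char *what)` that owns the one-hour interval and the target release, would keep the per-cipher `lastwarn` state while removing the duplicated constant, so a later change to the interval or the release number cannot drift between the three files.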
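Review bot: In the kcrypto_des3.c hunk (and its two siblings) `ratecheck(&lastwarn, &warninterval)` reads and updates the file-scope static `lastwarn` with no lock held, so two concurrent des3_init() calls can both observe the initial zero value and both print the warning. That is harmless for a once-an-hour console message, but a one-line comment saying the race is accepted would stop a future reader from wrapping it in a lock or moving it under `ds->ds_lock`, which is initialized per key state in the lines just above and would not serialize the static anyway.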
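As an added example (not FreeBSD's code and not part of this commit), the following userland C program models the pattern the three hunks introduce: a per-cipher-family, rate-limited deprecation warning issued when a key of a deprecated enctype is initialized. It goes slightly beyond the page by classifying every enctype in the IANA Kerberos registry, AES included, according to RFC 6649 and RFC 8429 as the log entry describes them. `ratecheck_model()` is a stand-in for the kernel's ratecheck(9) with an injected clock so the behaviour can be tested deterministically; the enum names, the `deprecation_state` struct and the message wording are this example's own assumptions, and the enctype numbers are the registry values.

```c
/*
 * Added example, not FreeBSD code: a userland model of the rate-limited
 * deprecation warning that r348875 adds to each kernel Kerberos cipher.
 * Enctype numbers are from the IANA Kerberos Encryption Type registry;
 * the deprecated set follows RFC 6649 and RFC 8429 as the commit log
 * describes. ratecheck_model() is a stand-in for the kernel's ratecheck(9)
 * with an injected clock, and all names here are this example's own.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Kerberos encryption type numbers (IANA registry). */
enum krb5_enctype {
	ENCTYPE_DES_CBC_CRC            = 1,
	ENCTYPE_DES_CBC_MD4            = 2,
	ENCTYPE_DES_CBC_MD5            = 3,
	ENCTYPE_DES3_CBC_SHA1          = 16,
	ENCTYPE_AES128_CTS_HMAC_SHA1   = 17,
	ENCTYPE_AES256_CTS_HMAC_SHA1   = 18,
	ENCTYPE_AES128_CTS_HMAC_SHA256 = 19,
	ENCTYPE_AES256_CTS_HMAC_SHA384 = 20,
	ENCTYPE_RC4_HMAC               = 23,
	ENCTYPE_RC4_HMAC_EXP           = 24
};

/* Return the RFC that marks the enctype SHOULD NOT, or 0 if it is still fine. */
int
krb5_enctype_deprecated_by(int etype)
{
	switch (etype) {
	case ENCTYPE_DES_CBC_CRC:
	case ENCTYPE_DES_CBC_MD4:
	case ENCTYPE_DES_CBC_MD5:
	case ENCTYPE_RC4_HMAC_EXP:
		return (6649);	/* every single-DES enctype and exportable RC4 */
	case ENCTYPE_DES3_CBC_SHA1:
	case ENCTYPE_RC4_HMAC:
		return (8429);	/* Triple DES and the remaining RC4 */
	default:
		return (0);	/* AES enctypes and anything unknown */
	}
}

/* One per cipher family, like the static lastwarn in each kcrypto_*.c. */
struct deprecation_state {
	const char *name;	/* "DES", "DES3", "RC4" */
	bool warned;		/* a warning has been issued at least once */
	int64_t last_warn;	/* seconds on the injected clock */
	int64_t interval;	/* minimum seconds between two warnings */
};

/*
 * Userland stand-in for ratecheck(9): true (and the timestamp is recorded)
 * when at least st->interval seconds have elapsed since the last warning, or
 * when no warning has been issued yet, so the first call always passes.
 */
static bool
ratecheck_model(struct deprecation_state *st, int64_t now)
{
	if (st->warned && now - st->last_warn < st->interval)
		return (false);
	st->warned = true;
	st->last_warn = now;
	return (true);
}

/*
 * Model of the check added to each *_init(): emit the deprecation message at
 * most once per interval per cipher family. Returns whether a message was
 * printed so the rate limiting can be asserted on rather than eyeballed.
 */
bool
warn_if_deprecated(struct deprecation_state *st, int etype, int64_t now)
{
	int rfc = krb5_enctype_deprecated_by(etype);

	if (rfc == 0 || !ratecheck_model(st, now))
		return (false);
	/* The kernel calls gone_in(13, ...); the wording below is this example's. */
	printf("Deprecated code (to be removed in FreeBSD 13): %s cipher for "
	    "Kerberos GSS, SHOULD NOT per RFC %d\n", st->name, rfc);
	return (true);
}

/* Stand-alone demo on a simulated clock: inits inside one hour warn once. */
int
main(void)
{
	struct deprecation_state des = { "DES", false, 0, 3600 };
	int64_t t;

	for (t = 0; t <= 7200; t += 1800)
		printf("t=%5lld init des-cbc-md5 -> warned=%d\n", (long long)t,
		    warn_if_deprecated(&des, ENCTYPE_DES_CBC_MD5, t));
	return (0);
}
```

Run as-is, the demo prints warned=1 at t=0, 3600 and 7200 and warned=0 in between, which is the one-message-per-hour behaviour the kernel change aims for; a state struct per family rather than one global keeps a busy DES peer from suppressing the first RC4 warning.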