Date: Tue, 20 Aug 2019 00:50:17 +0000 (UTC)
From: John Baldwin <jhb@FreeBSD.org>
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-12@freebsd.org
Subject: svn commit: r351243 - in stable: 11/sys/kgssapi/krb5 12/sys/kgssapi/krb5
Message-ID: <201908200050.x7K0oH4v055829@repo.freebsd.org>
Author: jhb Date: Tue Aug 20 00:50:17 2019 New Revision: 351243 URL: https://svnweb.freebsd.org/changeset/base/351243 Log: MFC 348875: Add warnings for Kerberos GSS algorithms deprecated in RFCs 6649 and 8429. All of these algorithms are explicitly marked SHOULD NOT in one of these RFCs. Specifically, RFC 6649 deprecates all algorithms using DES as well as the "export-friendly" variant of RC4. RFC 8429 deprecates Triple DES and the remaining RC4 algorithms. Relnotes: yes Modified: stable/12/sys/kgssapi/krb5/kcrypto_arcfour.c stable/12/sys/kgssapi/krb5/kcrypto_des.c stable/12/sys/kgssapi/krb5/kcrypto_des3.c Directory Properties: stable/12/ (props changed) Changes in other areas also in this revision: Modified: stable/11/sys/kgssapi/krb5/kcrypto_arcfour.c stable/11/sys/kgssapi/krb5/kcrypto_des.c stable/11/sys/kgssapi/krb5/kcrypto_des3.c Directory Properties: stable/11/ (props changed) Modified: stable/12/sys/kgssapi/krb5/kcrypto_arcfour.c ============================================================================== --- stable/12/sys/kgssapi/krb5/kcrypto_arcfour.c Mon Aug 19 23:57:37 2019 (r351242) +++ stable/12/sys/kgssapi/krb5/kcrypto_arcfour.c Tue Aug 20 00:50:17 2019 (r351243) @@ -46,8 +46,12 @@ __FBSDID("$FreeBSD$"); static void arcfour_init(struct krb5_key_state *ks) { + static struct timeval lastwarn; + static struct timeval warninterval = { .tv_sec = 3600, .tv_usec = 0 }; ks->ks_priv = NULL; + if (ratecheck(&lastwarn, &warninterval)) + gone_in(13, "RC4 cipher for Kerberos GSS"); } static void Modified: stable/12/sys/kgssapi/krb5/kcrypto_des.c ============================================================================== --- stable/12/sys/kgssapi/krb5/kcrypto_des.c Mon Aug 19 23:57:37 2019 (r351242) +++ stable/12/sys/kgssapi/krb5/kcrypto_des.c Tue Aug 20 00:50:17 2019 (r351243) 
@@ -53,11 +53,15 @@ struct des1_state { static void des1_init(struct krb5_key_state *ks) { + static struct timeval lastwarn; + static struct timeval warninterval = { .tv_sec = 3600, .tv_usec = 0 }; struct des1_state *ds; ds = malloc(sizeof(struct des1_state), M_GSSAPI, M_WAITOK|M_ZERO); mtx_init(&ds->ds_lock, "gss des lock", NULL, MTX_DEF); ks->ks_priv = ds; + if (ratecheck(&lastwarn, &warninterval)) + gone_in(13, "DES cipher for Kerberos GSS"); } static void Modified: stable/12/sys/kgssapi/krb5/kcrypto_des3.c ============================================================================== --- stable/12/sys/kgssapi/krb5/kcrypto_des3.c Mon Aug 19 23:57:37 2019 (r351242) +++ stable/12/sys/kgssapi/krb5/kcrypto_des3.c Tue Aug 20 00:50:17 2019 (r351243) @@ -54,11 +54,15 @@ struct des3_state { static void des3_init(struct krb5_key_state *ks) { + static struct timeval lastwarn; + static struct timeval warninterval = { .tv_sec = 3600, .tv_usec = 0 }; struct des3_state *ds; ds = malloc(sizeof(struct des3_state), M_GSSAPI, M_WAITOK|M_ZERO); mtx_init(&ds->ds_lock, "gss des3 lock", NULL, MTX_DEF); ks->ks_priv = ds; + if (ratecheck(&lastwarn, &warninterval)) + gone_in(13, "DES3 cipher for Kerberos GSS"); } static void
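Review bot: in arcfour_init() (kcrypto_arcfour.c), warninterval is never written, so it should be declared const. ratecheck() takes its interval argument as a const struct timeval *, so `static const struct timeval warninterval = { .tv_sec = 3600, .tv_usec = 0 };` works unchanged and keeps the value in read-only data. A one-line comment saying the warning is limited to once per hour would also explain the 3600 to later readers.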
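Review bot: in des1_init() (kcrypto_des.c), lastwarn is a function-static that ratecheck() updates, and the call is made with no lock held (ds_lock is only initialized here, not taken). If two key states are initialized at the same time, both callers can pass the check and the warning is printed twice. That is harmless for a deprecation notice, but a comment stating that the race is accepted would save the next reader from having to work it out.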
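Review bot: des3_init() (kcrypto_des3.c) carries the third copy of the same lastwarn/warninterval pair and ratecheck() guard, with only the string passed to gone_in() changing between the three files. Consider one shared helper in the kgssapi krb5 code that takes the cipher name, so the interval and the target release (13) are defined once. With separate statics each cipher is rate-limited independently, so a helper should keep a per-cipher lastwarn if that behaviour is intended.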