
Add warnings for Kerberos GSS algorithms deprecated in RFCs 6649 and 8429.
Closed, Public

Authored by jhb on May 21 2019, 10:13 PM.

Details

Summary

All of these algorithms are explicitly marked SHOULD NOT in one of these
RFCs.

Specifically, RFC 6649 deprecates all algorithms using DES as well as
the "export-friendly" variant of RC4. RFC 8429 deprecates Triple DES
and the remaining RC4 algorithms.

Test Plan
  • I have not tested this and don't even know where to begin with starting to test it (I've never used Kerberos).

Diff Detail

Repository
rS FreeBSD src repository - subversion

Event Timeline

Note that these macros are printed every time a routine is invoked and don't have rate limiting built in. That may be spammy for this use. (Maybe they should have rate-limiting built in.)

This revision is now accepted and ready to land. May 21 2019, 11:12 PM

From my code reading these init routines should be called rarely (during session setup as opposed to per-packet). If someone is able to test this and finds it is in fact spammy I'd be happy to rate limit it.

In D20343#438694, @jhb wrote:

From my code reading these init routines should be called rarely (during session setup as opposed to per-packet). If someone is able to test this and finds it is in fact spammy I'd be happy to rate limit it.

That seems ok to me. I might have worded it poorly earlier; I'm just saying I'm unfamiliar with this code and how frequently these functions are called. :-)

I haven't had a Kerberos setup for quite a while.
However, Peter Errikson uses Kerberized NFS and even with a Windows KDC, I think?

He has been quite willing to test other NFS stuff for me, so he might be willing to
test this?

His email is: pen@lysator.liu.se

This revision now requires review to proceed. Jun 7 2019, 9:08 PM

I still haven't set up GSSAPI for NFS to test this, but I did some more code reading and am convinced that just a single call to gss_init_sec_context or gss_alloc_sec_context(), which ends up calling get_keys(), can result in multiple calls to krb5_alloc_key and possibly multiple calls to krb5_derive_key, and each call to krb5_alloc_key or krb5_derive_key runs the init routine that contains the warning. As a result, I decided to add rate limiting with the rate limit set to only whining once per hour. This should avoid spamming while still getting the point across.

This revision is now accepted and ready to land. Jun 7 2019, 9:31 PM
This revision was automatically updated to reflect the committed changes.
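
The behaviour discussed in this review, as an added example that is not part of the revision or of FreeBSD's code: a userspace C model that maps Kerberos enctypes to the RFC that deprecates them and warns at most once per hour per algorithm, however many times the key-init hook runs during one context setup. The function names, table layout and message text are assumptions; the enctype numbers are the IANA-assigned Kerberos values and the one-hour interval comes from the final comment above.

```c
#include <stdio.h>
#include <time.h>

#define WARN_INTERVAL 3600 /* seconds: at most one warning per hour per algorithm */

struct etype_info {
    int etype;          /* IANA Kerberos encryption type number */
    const char *name;
    int rfc;            /* RFC that marks it SHOULD NOT; 0 = not deprecated */
    time_t next_warn;   /* earliest time the next warning may be emitted */
};

/* Illustrative table for this example, not taken from the FreeBSD sources. */
static struct etype_info etypes[] = {
    { 1,  "des-cbc-crc",             6649, 0 },
    { 3,  "des-cbc-md5",             6649, 0 },
    { 16, "des3-cbc-sha1-kd",        8429, 0 },
    { 18, "aes256-cts-hmac-sha1-96", 0,    0 },
    { 23, "rc4-hmac",                8429, 0 },
    { 24, "rc4-hmac-exp",            6649, 0 },
};

static struct etype_info *etype_lookup(int etype)
{
    for (size_t i = 0; i < sizeof(etypes) / sizeof(etypes[0]); i++)
        if (etypes[i].etype == etype)
            return &etypes[i];
    return NULL;
}

/* Returns the deprecating RFC number, or 0 if the enctype is not deprecated. */
int etype_deprecated_by(int etype)
{
    struct etype_info *e = etype_lookup(etype);
    return e != NULL ? e->rfc : 0;
}

/* Hypothetical key-init hook: returns 1 if it warned, 0 if silent or suppressed.
 * The caller passes `now` (a monotonic clock in real code) so it is testable. */
int key_init_warn(int etype, time_t now)
{
    struct etype_info *e = etype_lookup(etype);
    if (e == NULL || e->rfc == 0)
        return 0;                       /* unknown or still-acceptable enctype */
    if (now < e->next_warn)
        return 0;                       /* already warned within the last hour */
    e->next_warn = now + WARN_INTERVAL;
    fprintf(stderr, "WARNING: Kerberos enctype %s (%d) is deprecated by RFC %d\n", e->name, e->etype, e->rfc);
    return 1;
}
```

Each algorithm keeps its own timestamp, so a host that negotiates both rc4-hmac and des3-cbc-sha1-kd still logs one line for each per hour.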