From 103d8a5b701d265b549a7daba2eb7181db7ac9e2 Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Wed, 3 Sep 2025 16:25:30 +0100
Subject: [PATCH] Don't issue session keys with deprecated enctypes
A paper by Tom Tervoort noted that rc4-hmac pre-hashes the input for
its checksum and GSS operations before applying HMAC, and is therefore
potentially vulnerable to hash collision attacks if a protocol
contains a restricted signing oracle.
In light of these potential attacks, begin the functional deprecation
of DES3 and RC4 by disallowing their use as session key enctypes by
default.  Add the variables allow_des3 and allow_rc4 in case
negotiability of these enctypes for session keys needs to be turned
back on, with the expectation that in future releases the enctypes
will be more comprehensively deprecated.
ticket: 9081
---
 doc/admin/conf_files/krb5_conf.rst | 12 ++++++++++++
 doc/admin/enctypes.rst             | 24 ++++++++++++++++++++---
 src/include/k5-int.h               |  4 ++++
 src/kdc/kdc_util.c                 |  9 +++++++++
 src/lib/krb5/krb/get_in_tkt.c      | 23 ++++++++++++++++++++++
 src/lib/krb5/krb/init_ctx.c        | 10 ++++++++++
 src/tests/gssapi/t_enctypes.py     |  2 +-
 src/tests/t_sesskeynego.py         | 31 +++++++++++++++++++++++++++---
 src/util/k5test.py                 |  4 ++--
 9 files changed, 110 insertions(+), 9 deletions(-)
Index: krb5-1.12.5/doc/admin/conf_files/krb5_conf.rst
===================================================================
--- krb5-1.12.5.orig/doc/admin/conf_files/krb5_conf.rst
+++ krb5-1.12.5/doc/admin/conf_files/krb5_conf.rst
@@ -92,6 +92,18 @@ Additionally, krb5.conf may include any
 
 The libdefaults section may contain any of the following relations:
 
+**allow_des3**
+    Permit the KDC to issue tickets with des3-cbc-sha1 session keys.
+    In future releases, this flag will allow des3-cbc-sha1 to be used
+    at all.  The default value for this tag is false.  (Added in
+    release 1.21.)
+
+**allow_rc4**
+    Permit the KDC to issue tickets with arcfour-hmac session keys.
+    In future releases, this flag will allow arcfour-hmac to be used
+    at all.  The default value for this tag is false.  (Added in
+    release 1.21.)
+
 **allow_weak_crypto**
     If this flag is set to false, then weak encryption types (as noted
     in :ref:`Encryption_types` in :ref:`kdc.conf(5)`) will be filtered
Index: krb5-1.12.5/doc/admin/enctypes.rst
===================================================================
--- krb5-1.12.5.orig/doc/admin/enctypes.rst
+++ krb5-1.12.5/doc/admin/enctypes.rst
@@ -48,7 +48,10 @@ Session key selection
 The KDC chooses the session key enctype by taking the intersection of
 its **permitted_enctypes** list, the list of long-term keys for the
 most recent kvno of the service, and the client's requested list of
-enctypes.  If **allow_weak_crypto** is true, all services are assumed
+enctypes. Starting in krb5-1.21, all services are assumed to support
+aes256-cts-hmac-sha1-96; also, des3-cbc-sha1 and arcfour-hmac session
+keys will not be issued by default.
+If **allow_weak_crypto** is true, all services are assumed
 to support des-cbc-crc.
 
 Starting in krb5-1.11, **des_crc_session_supported** in
@@ -57,8 +60,9 @@ issues des-cbc-crc session keys.
 
 Also starting in krb5-1.11, it is possible to set a string attribute
 on a service principal to control what session key enctypes the KDC
-may issue for service tickets for that principal.  See
-:ref:`set_string` in :ref:`kadmin(1)` for details.
+may issue for service tickets for that principal, overriding the service's
+long-term keys and the assumption of aes256-cts-hmac-sha1-96 support.
+See :ref:`set_string` in :ref:`kadmin(1)` for details.
 
 
 Choosing enctypes for a service
@@ -92,6 +96,20 @@ affect how enctypes are chosen.
     use of weak enctypes is an acceptable risk for your environment
     and the weak enctypes are required for backward compatibility.
 
+**allow_des3**
+    was added in release 1.21 and defaults to *false*.  Unless this
+    flag is set to *true*, the KDC will not issue tickets with
+    des3-cbc-sha1 session keys.  In a future release, this flag will
+    control whether des3-cbc-sha1 is permitted in similar fashion to
+    weak enctypes.
+
+**allow_rc4**
+    was added in release 1.21 and defaults to *false*.  Unless this
+    flag is set to *true*, the KDC will not issue tickets with
+    arcfour-hmac session keys.  In a future release, this flag will
+    control whether arcfour-hmac is permitted in similar fashion to
+    weak enctypes.
+
 **permitted_enctypes**
     controls the set of enctypes that a service will accept as session
     keys.
Index: krb5-1.12.5/src/include/k5-int.h
===================================================================
--- krb5-1.12.5.orig/src/include/k5-int.h
+++ krb5-1.12.5/src/include/k5-int.h
@@ -185,6 +185,8 @@ typedef INT64_TYPE krb5_int64;
 /* cofiguration variables */
 #define KRB5_CONF_ACL_FILE                       "acl_file"
 #define KRB5_CONF_ADMIN_SERVER                   "admin_server"
+#define KRB5_CONF_ALLOW_DES3                   "allow_des3"
+#define KRB5_CONF_ALLOW_RC4                    "allow_rc4"
 #define KRB5_CONF_ALLOW_WEAK_CRYPTO              "allow_weak_crypto"
 #define KRB5_CONF_AP_REQ_CHECKSUM_TYPE           "ap_req_checksum_type"
 #define KRB5_CONF_AUTH_TO_LOCAL                  "auth_to_local"
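Review bot: The two new `KRB5_CONF_ALLOW_DES3` / `KRB5_CONF_ALLOW_RC4` defines put their string value two columns left of the rest of the table (`"allow_des3"` starts where no neighbouring value does), which breaks the column alignment this block otherwise keeps. Pad them so the literal lines up with `"allow_weak_crypto"` on the next line, e.g. `#define KRB5_CONF_ALLOW_DES3                     "allow_des3"`. The list is sorted alphabetically and the new entries are in the right place, so only the spacing needs attention.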
@@ -1178,6 +1180,8 @@ struct _krb5_context {
     struct _kdb_log_context *kdblog_context;
 
     krb5_boolean allow_weak_crypto;
+    krb5_boolean allow_des3;
+    krb5_boolean allow_rc4;
     krb5_boolean ignore_acceptor_hostname;
     krb5_boolean dns_canonicalize_hostname;
 
Index: krb5-1.12.5/src/kdc/kdc_util.c
===================================================================
--- krb5-1.12.5.orig/src/kdc/kdc_util.c
+++ krb5-1.12.5/src/kdc/kdc_util.c
@@ -932,6 +932,15 @@ select_session_keytype(kdc_realm_t *kdc_
         if (!krb5_is_permitted_enctype(kdc_context, ktype[i]))
             continue;
 
+	/*
+         * Prevent these deprecated enctypes from being used as session keys
+         * unless they are explicitly allowed.  In the future they will be more
+         * comprehensively disabled and eventually removed.
+         */
+        if (ktype[i] == ENCTYPE_DES3_CBC_SHA1 && !kdc_context->allow_des3)
+            continue;
+        if (ktype[i] == ENCTYPE_ARCFOUR_HMAC && !kdc_context->allow_rc4)
+            continue;
         if (dbentry_supports_enctype(kdc_active_realm, server, ktype[i]))
             return ktype[i];
     }
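Review bot: The first line of the new comment block is indented with a tab (`\t/*`) while its continuation lines and the neighbouring `if (!krb5_is_permitted_enctype(...))` use eight spaces, so the comment only lines up under an 8-column tab setting; reindent it with spaces like the rest of the function. A blank line between the second `continue;` and the existing `if (dbentry_supports_enctype(...))` would also keep the deprecation filter visually separate from the support check it precedes. Nothing records that a candidate was skipped, so an administrator whose clients stop receiving arcfour-hmac session keys after this update gets no hint from the KDC; a one-line trace or klog message at the skip point (whatever logging facility this KDC tree uses) would make the new refusal diagnosable. The ordering is sound: the filter runs after the permitted-enctype check and before the database lookup, so a disallowed enctype never reaches `dbentry_supports_enctype`. select_session_keytype starts outside the hunk.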
Index: krb5-1.12.5/src/lib/krb5/krb/get_in_tkt.c
===================================================================
--- krb5-1.12.5.orig/src/lib/krb5/krb/get_in_tkt.c
+++ krb5-1.12.5/src/lib/krb5/krb/get_in_tkt.c
@@ -1400,6 +1400,35 @@ is_referral(krb5_context context, krb5_e
     return !krb5_realm_compare(context, err->client, client);
 }
 
+/* Display a warning via the prompter if a deprecated enctype was used for
+ * either the reply key or the session key. */
+static void
+warn_deprecated(krb5_context context, krb5_init_creds_context ctx,
+                krb5_enctype as_key_enctype)
+{
+    krb5_enctype etype;
+    char encbuf[128], banner[256];
+
+    if (ctx->prompter == NULL)
+         return;
+
+    if (krb5int_c_deprecated_enctype(as_key_enctype))
+        etype = as_key_enctype;
+    else if (krb5int_c_deprecated_enctype(ctx->cred.keyblock.enctype))
+        etype = ctx->cred.keyblock.enctype;
+    else
+        return;
+
+    if (krb5_enctype_to_name(etype, FALSE, encbuf, sizeof(encbuf)) != 0)
+        return;
+    snprintf(banner, sizeof(banner),
+             _("Warning: encryption type %s used for authentication is "
+               "deprecated and will be disabled"), encbuf);
+
+    /* PROMPTER_INVOCATION */
+    (*ctx->prompter)(context, ctx->prompter_data, NULL, banner, 0, NULL);
+}
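Review bot: The `return;` under `if (ctx->prompter == NULL)` is indented nine spaces instead of eight, so it sits one column off from every other body line in the function; fix it to `        return;`. The function relies on `krb5int_c_deprecated_enctype()`, which this patch does not add; if an earlier patch in this 1.12.5 series does not carry that libk5crypto helper, this hunk will not link, so worth confirming against the rest of the backport. Because the warning is delivered only through the prompter, non-interactive callers (keytab-based kinit, daemons using `krb5_get_init_creds_keytab`) get no signal at all that they are still authenticating with a deprecated enctype; a trace line alongside the prompter call would give those deployments a way to notice before the enctypes are disabled outright.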
+
 static krb5_error_code
 init_creds_step_reply(krb5_context context,
                       krb5_init_creds_context ctx,
@@ -1662,6 +1691,7 @@ init_creds_step_reply(krb5_context conte
     /* success */
     ctx->complete = TRUE;
 
+    warn_deprecated(context, ctx, encrypting_key.enctype);
 cleanup:
     krb5_free_pa_data(context, kdc_padata);
     krb5_free_keyblock(context, strengthen_key);
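Review bot: The new `warn_deprecated(...)` call is butted directly against the `cleanup:` label, whereas the surrounding code keeps a blank line between `ctx->complete = TRUE;` and the label; add a blank line after the call so the label stays visually separated. The placement itself is right: it sits on the success path after `ctx->complete = TRUE`, so a failed exchange never prompts about an enctype it did not actually use. init_creds_step_reply starts and ends outside the hunk.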
Index: krb5-1.12.5/src/lib/krb5/krb/init_ctx.c
===================================================================
--- krb5-1.12.5.orig/src/lib/krb5/krb/init_ctx.c
+++ krb5-1.12.5/src/lib/krb5/krb/init_ctx.c
@@ -205,6 +205,16 @@ krb5_init_context_profile(profile_t prof
         goto cleanup;
     ctx->allow_weak_crypto = tmp;
 
+    retval = get_boolean(ctx, KRB5_CONF_ALLOW_DES3, 0, &tmp);
+    if (retval)
+        goto cleanup;
+    ctx->allow_des3 = tmp;
+
+    retval = get_boolean(ctx, KRB5_CONF_ALLOW_RC4, 0, &tmp);
+    if (retval)
+        goto cleanup;
+    ctx->allow_rc4 = tmp;
+
     retval = get_boolean(ctx, KRB5_CONF_IGNORE_ACCEPTOR_HOSTNAME, 0, &tmp);
     if (retval)
         goto cleanup;
Index: krb5-1.12.5/src/tests/gssapi/t_enctypes.py
===================================================================
--- krb5-1.12.5.orig/src/tests/gssapi/t_enctypes.py
+++ krb5-1.12.5/src/tests/gssapi/t_enctypes.py
@@ -20,7 +20,7 @@ supp='aes256-cts:normal aes128-cts:norma
 conf = {'libdefaults': {
         'default_tgs_enctypes': enctypes,
         'default_tkt_enctypes': enctypes,
-        'permitted_enctypes': enctypes},
+        'permitted_enctypes': enctypes, 'allow_des3': 'true', 'allow_rc4': 'true'},
         'realms': {'$realm': {'supported_enctypes': supp}}}
 realm = K5Realm(krb5_conf=conf)
 shutil.copyfile(realm.ccache, os.path.join(realm.testdir, 'save'))
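Review bot: The new `'allow_des3'` and `'allow_rc4'` keys are appended to the `'permitted_enctypes'` line, pushing it well past the width the rest of this dict literal keeps and burying the two settings that are the point of the change. Give them their own lines like the other keys, `'permitted_enctypes': enctypes,` / `'allow_des3': 'true',` / `'allow_rc4': 'true'},`. Setting both flags here is the right call, since this test exercises des3 and rc4 session keys deliberately and would otherwise start failing under the new KDC default.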
Index: krb5-1.12.5/src/tests/t_sesskeynego.py
===================================================================
--- krb5-1.12.5.orig/src/tests/t_sesskeynego.py
+++ krb5-1.12.5/src/tests/t_sesskeynego.py
@@ -30,7 +30,10 @@ conf4 = {'libdefaults': {
         'default_tkt_enctypes': 'aes256-cts',
         'default_tgs_enctypes': 'des-cbc-crc,rc4-hmac,aes256-cts'},
          'realms': {'$realm': {'des_crc_session_supported': 'false'}}}
-
+conf5 = {'libdefaults': {
+        'allow_rc4': 'true' }}
+conf6 = {'libdefaults': {
+        'allow_des3': 'true' }}
 # Test with client request and session_enctypes preferring aes128, but
 # aes256 long-term key.
 realm = K5Realm(krb5_conf=conf1, create_host=False, get_creds=False)
@@ -56,10 +59,12 @@ realm.run_kadminl('addprinc -randkey -e
 realm.run_kadminl('setstr server session_enctypes aes128-cts,aes256-cts')
 test_kvno(realm, 'aes128-cts-hmac-sha1-96', 'aes256-cts-hmac-sha1-96')
 
-# 3b: Negotiate rc4-hmac session key when principal only has aes256 long-term.
+# 3b: Skip RC4 (as the KDC does not allow it for session keys by
+# default) and negotiate aes128-cts session key, with only an aes256
+# long-term service key.
 realm.run_kadminl('setstr server session_enctypes '
                   'rc4-hmac,aes128-cts,aes256-cts')
-test_kvno(realm, 'arcfour-hmac', 'aes256-cts-hmac-sha1-96')
+test_kvno(realm, 'aes128-cts-hmac-sha1-96', 'aes256-cts-hmac-sha1-96')
 
 # 3c: Test des-cbc-crc default assumption.
 realm.run_kadminl('delstr server session_enctypes')
@@ -72,4 +77,24 @@ realm.run_kadminl('addprinc -randkey -e
 test_kvno(realm, 'aes256-cts-hmac-sha1-96', 'aes256-cts-hmac-sha1-96')
 realm.stop()
 
+# 5: allow_rc4 permits negotiation of rc4-hmac session key.
+realm = K5Realm(krb5_conf=conf5, create_host=False, get_creds=False)
+realm.run([kadminl, 'addprinc', '-randkey', '-e', 'aes256-cts', 'server'])
+realm.run([kadminl, 'setstr', 'server', 'session_enctypes', 'rc4-hmac'])
+test_kvno(realm, 'DEPRECATED:arcfour-hmac', 'aes256-cts-hmac-sha1-96')
+realm.stop()
+
+# 6: allow_des3 permits negotiation of des3-cbc-sha1 session key.
+realm = K5Realm(krb5_conf=conf6, create_host=False, get_creds=False)
+realm.run([kadminl, 'addprinc', '-randkey', '-e', 'aes256-cts', 'server'])
+realm.run([kadminl, 'setstr', 'server', 'session_enctypes', 'des3-cbc-sha1'])
+test_kvno(realm, 'DEPRECATED:des3-cbc-sha1', 'aes256-cts-hmac-sha1-96')
+realm.stop()
+
+# 7: default config negotiates aes256-sha1 session key for RC4-only service.
+realm = K5Realm(create_host=False, get_creds=False)
+realm.run([kadminl, 'addprinc', '-randkey', '-e', 'rc4-hmac', 'server'])
+test_kvno(realm, 'aes256-cts-hmac-sha1-96', 'DEPRECATED:arcfour-hmac')
+realm.stop()
+
 success('sesskeynego')
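Review bot: The three new test cases call `realm.run([kadminl, 'addprinc', ...])` and `realm.run([kadminl, 'setstr', ...])`, whereas every existing case in this file uses `realm.run_kadminl('addprinc -randkey -e ...')`; use the same helper so the file stays uniform, e.g. `realm.run_kadminl('setstr server session_enctypes rc4-hmac')`. The expected values `'DEPRECATED:arcfour-hmac'` and `'DEPRECATED:des3-cbc-sha1'` assume the `kvno` output in this tree prefixes deprecated enctype names with `DEPRECATED:`; that formatting is not part of this patch, so unless the enctype-deprecation display support was backported separately, cases 5–7 will fail on the string comparison rather than on the negotiation being tested. Case 7 is the most valuable of the three from a security standpoint, since it shows an rc4-only service still gets an aes256 session key by default rather than falling back to the deprecated type.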
Index: krb5-1.12.5/src/util/k5test.py
===================================================================
--- krb5-1.12.5.orig/src/util/k5test.py
+++ krb5-1.12.5/src/util/k5test.py
@@ -1123,7 +1123,7 @@ _passes = [
      {'libdefaults': {
                 'default_tgs_enctypes': 'des3',
                 'default_tkt_enctypes': 'des3',
-                'permitted_enctypes': 'des3'}},
+                'permitted_enctypes': 'des3 aes256-sha1'}},
      {'realms': {'$realm': {
                     'supported_enctypes': 'des3-cbc-sha1:normal',
                     'master_key_type': 'des3-cbc-sha1'}}}),
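Review bot: The widened `permitted_enctypes` value uses the short alias `aes256-sha1`, while the rest of this file and the docs in this patch spell the enctype `aes256-cts` or `aes256-cts-hmac-sha1-96`; that alias was introduced upstream alongside the SHA-2 enctype work, so if this 1.12.5 tree's enctype table does not know it, the name is rejected or dropped and the des3 pass loses the aes256 fallback the change is meant to provide. Use `'permitted_enctypes': 'des3 aes256-cts'` here (and likewise `'rc4 aes256-cts'` in the rc4 pass below) unless the alias is confirmed present. Adding an AES enctype to these passes is otherwise the right way to keep them running now that the KDC refuses des3/rc4 session keys by default.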
@@ -1133,7 +1133,7 @@ _passes = [
      {'libdefaults': {
                 'default_tgs_enctypes': 'rc4',
                 'default_tkt_enctypes': 'rc4',
-                'permitted_enctypes': 'rc4'}},
+                'permitted_enctypes': 'rc4 aes256-sha1'}},
      {'realms': {'$realm': {
                     'supported_enctypes': 'arcfour-hmac:normal',
                     'master_key_type': 'arcfour-hmac'}}}),