RFR: 8273670: Remove weak etypes from default krb5 etype list

Sean Mullan mullan at openjdk.java.net
Fri Sep 24 19:54:55 UTC 2021

On Thu, 23 Sep 2021 14:32:01 GMT, Weijun Wang <weijun at openjdk.org> wrote:

> This code change removes weak etypes from the default list so it's safer to enable one of them. See the corresponding CSR at https://bugs.openjdk.java.net/browse/JDK-8274207 for more explanation. BTW, please review the CSR as well.

src/java.security.jgss/share/classes/sun/security/krb5/internal/crypto/EType.java line 101:

> 99:         if (allowWeakCrypto) {
> 100:             result[num++] = EncryptedData.ETYPE_DES3_CBC_HMAC_SHA1_KD;
> 101:             result[num++] = EncryptedData.ETYPE_ARCFOUR_HMAC;

MIT still has arcfour-hmac-md5 in the enabled list - do you think there is any reason (compatibility) we should do the same? Note that I think it is better that we don't though. See "permitted_enctypes" at https://web.mit.edu/Kerberos/krb5-1.19/doc/admin/conf_files/krb5_conf.html#libdefaults.

src/java.security.jgss/share/classes/sun/security/krb5/internal/crypto/EType.java line 242:

> 240:     // used in Config
> 241:     public static int[] getBuiltInDefaults() {
> 242:         return defaultETypes;

It might be safer to return a clone here since it is mutable. The previous code always returned a new array. This array gets passed back to calling code via EType.getDefaults(); returning a clone would prevent the configured value from being accidentally modified.


PR: https://git.openjdk.java.net/jdk/pull/5654
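
The aliasing concern raised in the second review comment, shown as an added example that is not part of the original message or the JDK source. The class `ETypeAliasingDemo`, its two getters and the `leaksInternalState` check are hypothetical names; the etype numbers are the IANA-assigned Kerberos values.

```java
import java.util.Arrays;
import java.util.function.Supplier;

// Hypothetical stand-in for the class under review; not the JDK's EType source.
public class ETypeAliasingDemo {
    // IANA Kerberos etype numbers: aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96, arcfour-hmac.
    private static final int AES256 = 18, AES128 = 17, ARCFOUR_HMAC = 23;

    // 'final' fixes the reference only; the elements can still be overwritten.
    private static final int[] defaultETypes = { AES256, AES128 };

    // Shape quoted in the review: hands out the internal array itself.
    static int[] getBuiltInDefaultsShared() {
        return defaultETypes;
    }

    // Defensive copy: each caller receives an independent array.
    static int[] getBuiltInDefaultsCloned() {
        return defaultETypes.clone();
    }

    // Returns true if an in-place edit of the returned array is visible
    // to the next caller, i.e. the getter exposes shared mutable state.
    static boolean leaksInternalState(Supplier<int[]> getter) {
        int[] before = getter.get().clone();
        int[] handed = getter.get();
        handed[0] = ARCFOUR_HMAC; // constructed "accidental" edit by calling code
        boolean leaked = !Arrays.equals(before, getter.get());
        if (leaked) {
            // 'handed' is the internal array in this case; restore the defaults.
            System.arraycopy(before, 0, handed, 0, before.length);
        }
        return leaked;
    }

    public static void main(String[] args) {
        System.out.println("shared getter leaks: "
                + leaksInternalState(ETypeAliasingDemo::getBuiltInDefaultsShared));
        System.out.println("cloned getter leaks: "
                + leaksInternalState(ETypeAliasingDemo::getBuiltInDefaultsCloned));
        System.out.println("defaults afterwards: " + Arrays.toString(defaultETypes));
    }
}
```

The same check can be used as a regression test for any getter that returns an array-valued security default.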
