RFR: 8273670: Remove weak etypes from default krb5 etype list
Valerie Peng
valeriep at openjdk.java.net
Fri Sep 24 22:09:56 UTC 2021
On Thu, 23 Sep 2021 14:32:01 GMT, Weijun Wang <weijun at openjdk.org> wrote:
> This code change removes weak etypes from the default list so it's safer to enable one of them. See the corresponding CSR at https://bugs.openjdk.java.net/browse/JDK-8274207 for more explanation. BTW, please review the CSR as well.
src/java.security.jgss/share/classes/sun/security/krb5/internal/crypto/EType.java line 90:
> 88: try {
> 89: Config cfg = Config.getInstance();
> 90: allowWeakCrypto = cfg.getBooleanObject("libdefaults", "allow_weak_crypto")
nit: exceeds 80 chars?
src/java.security.jgss/share/classes/sun/security/krb5/internal/crypto/EType.java line 111:
> 109: } else {
> 110: supportedETypes = Arrays.copyOf(result, num);
> 111: }
nit: it seems clearer to base supportedETypes on defaultETypes, e.g.
<pre> if (allowWeakCrypto) {
supportedETypes = Arrays.copyOf(defaultETypes,
defaultETypes.length + 4);
supportedETypes[defaultETypes.length] =
EncryptedData.ETYPE_DES3_CBC_HMAC_SHA1_KD;
supportedETypes[defaultETypes.length + 1] =
EncryptedData.ETYPE_ARCFOUR_HMAC;
supportedETypes[defaultETypes.length + 2] =
EncryptedData.ETYPE_DES_CBC_CRC;
supportedETypes[defaultETypes.length + 3] =
EncryptedData.ETYPE_DES_CBC_MD5;
} else {
supportedETypes = defaultETypes;
}
</pre>
-------------
PR: https://git.openjdk.java.net/jdk/pull/5654
More information about the security-dev
mailing list