password_hash: do not generate single DES keys
authorIsaac Boukris <iboukris@gmail.com>
Thu, 24 Oct 2019 15:32:37 +0000 (18:32 +0300)
committerIsaac Boukris <iboukris@sn-devel-184>
Tue, 19 Nov 2019 14:48:41 +0000 (14:48 +0000)
Per RFC-6649 single DES enctypes should not be used.

MIT has retired single DES encryption types, see:
https://web.mit.edu/kerberos/krb5-1.12/doc/admin/advanced/retiring-des.html

As a workaround, store random keys instead, making the usage of single DES
encryption types virtually impossible.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14202

Signed-off-by: Isaac Boukris <iboukris@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
source4/dsdb/samdb/ldb_modules/password_hash.c

index 006e35c46d573311dbbf22fcae4651f6988bbbfa..ffd48da616e40363dc03dd2a00a56d5ceaafa878 100644 (file)
@@ -783,56 +783,21 @@ static int setup_kerberos_keys(struct setup_password_fields_io *io)
        }
 
        /*
-        * create ENCTYPE_DES_CBC_MD5 key out of
-        * the salt and the cleartext password
+        * As per RFC-6649 single DES encryption types are no longer considered
+        * secure to be used in Kerberos, we store random keys instead of the
+        * ENCTYPE_DES_CBC_MD5 and ENCTYPE_DES_CBC_CRC keys.
         */
-       krb5_ret = smb_krb5_create_key_from_string(io->smb_krb5_context->krb5_context,
-                                                  NULL,
-                                                  &salt,
-                                                  &cleartext_data,
-                                                  ENCTYPE_DES_CBC_MD5,
-                                                  &key);
-       if (krb5_ret) {
-               ldb_asprintf_errstring(ldb,
-                                      "setup_kerberos_keys: "
-                                      "generation of a des-cbc-md5 key failed: %s",
-                                      smb_get_krb5_error_message(io->smb_krb5_context->krb5_context,
-                                                                 krb5_ret, io->ac));
-               return LDB_ERR_OPERATIONS_ERROR;
-       }
-       io->g.des_md5 = data_blob_talloc(io->ac,
-                                        KRB5_KEY_DATA(&key),
-                                        KRB5_KEY_LENGTH(&key));
-       krb5_free_keyblock_contents(io->smb_krb5_context->krb5_context, &key);
+       io->g.des_md5 = data_blob_talloc(io->ac, NULL, 8);
        if (!io->g.des_md5.data) {
                return ldb_oom(ldb);
        }
+       generate_secret_buffer(io->g.des_md5.data, 8);
 
-       /*
-        * create ENCTYPE_DES_CBC_CRC key out of
-        * the salt and the cleartext password
-        */
-       krb5_ret = smb_krb5_create_key_from_string(io->smb_krb5_context->krb5_context,
-                                                  NULL,
-                                                  &salt,
-                                                  &cleartext_data,
-                                                  ENCTYPE_DES_CBC_CRC,
-                                                  &key);
-       if (krb5_ret) {
-               ldb_asprintf_errstring(ldb,
-                                      "setup_kerberos_keys: "
-                                      "generation of a des-cbc-crc key failed: %s",
-                                      smb_get_krb5_error_message(io->smb_krb5_context->krb5_context,
-                                                                 krb5_ret, io->ac));
-               return LDB_ERR_OPERATIONS_ERROR;
-       }
-       io->g.des_crc = data_blob_talloc(io->ac,
-                                        KRB5_KEY_DATA(&key),
-                                        KRB5_KEY_LENGTH(&key));
-       krb5_free_keyblock_contents(io->smb_krb5_context->krb5_context, &key);
+       io->g.des_crc = data_blob_talloc(io->ac, NULL, 8);
        if (!io->g.des_crc.data) {
                return ldb_oom(ldb);
        }
+       generate_secret_buffer(io->g.des_crc.data, 8);
 
        return LDB_SUCCESS;
 }
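Review bot: The key length is written as the bare literal `8` four times, in both `data_blob_talloc()` calls and both `generate_secret_buffer()` calls, so the allocated size and the filled size can drift apart in a later edit. Filling from the blob's own length keeps them tied, e.g. `generate_secret_buffer(io->g.des_md5.data, io->g.des_md5.length);` and likewise for `des_crc`. The new comment could also state that these values are placeholders nothing is expected to decrypt with, and that they are still stored in the single-DES key slots. Presumably (the KDC side is not visible here) operators should therefore still disable the single-DES enctypes in the KDC configuration rather than treat this change as removing them. setup_kerberos_keys() begins outside the hunk.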