krb5: fix CVE-2025-3576

Upstream-Status: Backport from https://github.com/krb5/krb5/commit/39fecf78796bbdde1e3d4828b86f64f05d9e4c77 && https://github.com/krb5/krb5/commit/1b57a4d134bbd0e7c52d5885a92eccc815726463 && https://github.com/krb5/krb5/commit/484a6e7712f9b66e782b2520f07b0883889e116f Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
2026-06-13 17:39:57 +00:00 · 2025-08-05 10:49:01 +05:30
parent 23a3451a6d
commit 55aaf6082c
4 changed files with 506 additions and 0 deletions
@@ -0,0 +1,257 @@
+From: Greg Hudson <ghudson@mit.edu>
+Date: Fri, 16 Dec 2022 18:31:07 -0500
+Subject: [PATCH] Don't issue session keys with deprecated enctypes
+
+A paper by Tom Tervoort noted that rc4-hmac pre-hashes the input for
+its checksum and GSS operations before applying HMAC, and is therefore
+potentially vulnerable to hash collision attacks if a protocol
+contains a restricted signing oracle.
+
+In light of these potential attacks, begin the functional deprecation
+of DES3 and RC4 by disallowing their use as session key enctypes by
+default.  Add the variables allow_des3 and allow_rc4 in case
+negotiability of these enctypes for session keys needs to be turned
+back on, with the expectation that in future releases the enctypes
+will be more comprehensively deprecated.
+
+ticket: 9081
+
+CVE: CVE-2025-3576
+Upstream-Status: Backport [https://github.com/krb5/krb5/commit/1b57a4d134bbd0e7c52d5885a92eccc815726463]
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ src/include/k5-int.h               |  4 ++++
+ src/kdc/kdc_util.c                 | 10 +++++++++
+ src/lib/krb5/krb/get_in_tkt.c      | 33 ++++++++++++++++++++----------
+ src/lib/krb5/krb/init_ctx.c        | 10 +++++++++
+ src/tests/gssapi/t_enctypes.py     |  2 +-
+ src/tests/t_etype_info.py          |  2 +-
+ src/tests/t_sesskeynego.py         | 28 +++++++++++++++++++++++--
+ src/util/k5test.py                 |  4 ++--
+ 8 files changed, 74 insertions(+), 19 deletions(-)
+
+diff --git a/src/include/k5-int.h b/src/include/k5-int.h
+index 6522422..fffc6f8 100644
+--- a/src/include/k5-int.h
+++ b/src/include/k5-int.h
+@@ -180,6 +180,8 @@ typedef unsigned char   u_char;
+  * matches the variable name.  Keep these alphabetized. */
+ #define KRB5_CONF_ACL_FILE                     "acl_file"
+ #define KRB5_CONF_ADMIN_SERVER                 "admin_server"
+#define KRB5_CONF_ALLOW_DES3                   "allow_des3"
+#define KRB5_CONF_ALLOW_RC4                    "allow_rc4"
+ #define KRB5_CONF_ALLOW_WEAK_CRYPTO            "allow_weak_crypto"
+ #define KRB5_CONF_AP_REQ_CHECKSUM_TYPE         "ap_req_checksum_type"
+ #define KRB5_CONF_AUTH_TO_LOCAL                "auth_to_local"
+@@ -1220,6 +1222,8 @@ struct _krb5_context {
+     struct _kdb_log_context *kdblog_context;
+ 
+     krb5_boolean allow_weak_crypto;
+    krb5_boolean allow_des3;
+    krb5_boolean allow_rc4;
+     krb5_boolean ignore_acceptor_hostname;
+     krb5_boolean dns_canonicalize_hostname;
+ 
+diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c
+index 0155c28..d62aca6 100644
+--- a/src/kdc/kdc_util.c
+++ b/src/kdc/kdc_util.c
+@@ -1012,6 +1012,16 @@ select_session_keytype(kdc_realm_t *kdc_active_realm, krb5_db_entry *server,
+         if (!krb5_is_permitted_enctype(kdc_context, ktype[i]))
+             continue;
+ 
+        /*
+         * Prevent these deprecated enctypes from being used as session keys
+         * unless they are explicitly allowed.  In the future they will be more
+         * comprehensively disabled and eventually removed.
+         */
+        if (ktype[i] == ENCTYPE_DES3_CBC_SHA1 && !kdc_context->allow_des3)
+            continue;
+        if (ktype[i] == ENCTYPE_ARCFOUR_HMAC && !kdc_context->allow_rc4)
+            continue;
+
+         if (dbentry_supports_enctype(kdc_active_realm, server, ktype[i]))
+             return ktype[i];
+     }
+diff --git a/src/lib/krb5/krb/get_in_tkt.c b/src/lib/krb5/krb/get_in_tkt.c
+index 51580c9..80f4d93 100644
+--- a/src/lib/krb5/krb/get_in_tkt.c
+++ b/src/lib/krb5/krb/get_in_tkt.c
+@@ -1509,22 +1509,32 @@ accept_method_data(krb5_context context, krb5_init_creds_context ctx)
+                                      ctx->method_padata);
+ }
+ 
+-/* Display a warning via the prompter if des3-cbc-sha1 was used for either the
+- * reply key or the session key. */
+
+/* Display a warning via the prompter if a deprecated enctype was used for
+ * either the reply key or the session key. */
+ static void
+-warn_des3(krb5_context context, krb5_init_creds_context ctx,
+-          krb5_enctype as_key_enctype)
+warn_deprecated(krb5_context context, krb5_init_creds_context ctx,
+                krb5_enctype as_key_enctype)
+ {
+-    const char *banner;
+    krb5_enctype etype;
+    char encbuf[128], banner[256];
+ 
+-    if (as_key_enctype != ENCTYPE_DES3_CBC_SHA1 &&
+-        ctx->cred.keyblock.enctype != ENCTYPE_DES3_CBC_SHA1)
+-        return;
+     if (ctx->prompter == NULL)
+         return;
+ 
+-    banner = _("Warning: encryption type des3-cbc-sha1 used for "
+-               "authentication is weak and will be disabled");
+    if (krb5int_c_deprecated_enctype(as_key_enctype))
+        etype = as_key_enctype;
+    else if (krb5int_c_deprecated_enctype(ctx->cred.keyblock.enctype))
+        etype = ctx->cred.keyblock.enctype;
+    else
+        return;
+
+    if (krb5_enctype_to_name(etype, FALSE, encbuf, sizeof(encbuf)) != 0)
+        return;
+    snprintf(banner, sizeof(banner),
+             _("Warning: encryption type %s used for authentication is "
+               "deprecated and will be disabled"), encbuf);
+
+     /* PROMPTER_INVOCATION */
+     (*ctx->prompter)(context, ctx->prompter_data, NULL, banner, 0, NULL);
+ }
+@@ -1728,7 +1738,8 @@ init_creds_step_reply(krb5_context context,
+ 
+     /* success */
+     ctx->complete = TRUE;
+-    warn_des3(context, ctx, encrypting_key.enctype);
+
+    warn_deprecated(context, ctx, encrypting_key.enctype);
+ 
+ cleanup:
+     krb5_free_pa_data(context, kdc_padata);
+diff --git a/src/lib/krb5/krb/init_ctx.c b/src/lib/krb5/krb/init_ctx.c
+index 947e504..077c428 100644
+--- a/src/lib/krb5/krb/init_ctx.c
+++ b/src/lib/krb5/krb/init_ctx.c
+@@ -208,6 +208,16 @@ krb5_init_context_profile(profile_t profile, krb5_flags flags,
+         goto cleanup;
+     ctx->allow_weak_crypto = tmp;
+ 
+    retval = get_boolean(ctx, KRB5_CONF_ALLOW_DES3, 0, &tmp);
+    if (retval)
+        goto cleanup;
+    ctx->allow_des3 = tmp;
+
+    retval = get_boolean(ctx, KRB5_CONF_ALLOW_RC4, 0, &tmp);
+    if (retval)
+        goto cleanup;
+    ctx->allow_rc4 = tmp;
+
+     retval = get_boolean(ctx, KRB5_CONF_IGNORE_ACCEPTOR_HOSTNAME, 0, &tmp);
+     if (retval)
+         goto cleanup;
+diff --git a/src/tests/gssapi/t_enctypes.py b/src/tests/gssapi/t_enctypes.py
+index ee43ff0..92abb1b 100755
+--- a/src/tests/gssapi/t_enctypes.py
+++ b/src/tests/gssapi/t_enctypes.py
+@@ -14,7 +14,7 @@ rc4 = 'arcfour-hmac'
+ 
+ # These tests make assumptions about the default enctype lists, so set
+ # them explicitly rather than relying on the library defaults.
+-enctypes='aes des3 rc4'
+enctypes='aes des3 rc4 allow_des3 allow_rc4'
+ supp='aes256-cts:normal aes128-cts:normal des3-cbc-sha1:normal rc4-hmac:normal'
+ conf = {'libdefaults': {
+         'default_tgs_enctypes': enctypes,
+diff --git a/src/tests/t_etype_info.py b/src/tests/t_etype_info.py
+index 2026e78..f6e7804 100644
+--- a/src/tests/t_etype_info.py
+++ b/src/tests/t_etype_info.py
+@@ -1,7 +1,7 @@
+ from k5test import *
+ 
+ supported_enctypes = 'aes128-cts des3-cbc-sha1 rc4-hmac des-cbc-crc:afs3'
+-conf = {'libdefaults': {'allow_weak_crypto': 'true'},
+conf = {'libdefaults': {'allow_des3': 'true', 'allow_rc4': 'true'},
+         'realms': {'$realm': {'supported_enctypes': supported_enctypes}}}
+ realm = K5Realm(create_host=False, get_creds=False, krb5_conf=conf)
+ 
+diff --git a/src/tests/t_sesskeynego.py b/src/tests/t_sesskeynego.py
+index 4480923..5143b0b 100755
+--- a/src/tests/t_sesskeynego.py
+++ b/src/tests/t_sesskeynego.py
+@@ -30,6 +30,8 @@ conf4 = {'libdefaults': {
+         'default_tgs_enctypes': 'des-cbc-crc,rc4-hmac,aes256-cts'},
+          'realms': {'$realm': {'des_crc_session_supported': 'false'}}}
+ 
+conf5 = {'libdefaults': {'allow_rc4': 'true'}}
+conf6 = {'libdefaults': {'allow_des3': 'true'}}
+ # Test with client request and session_enctypes preferring aes128, but
+ # aes256 long-term key.
+ realm = K5Realm(krb5_conf=conf1, create_host=False, get_creds=False)
+@@ -59,10 +61,12 @@ realm.run([kadminl, 'setstr', 'server', 'session_enctypes',
+            'aes128-cts,aes256-cts'])
+ test_kvno(realm, 'aes128-cts-hmac-sha1-96', 'aes256-cts-hmac-sha1-96')
+ 
+-# 3b: Negotiate rc4-hmac session key when principal only has aes256 long-term.
+# 3b: Skip RC4 (as the KDC does not allow it for session keys by
+# default) and negotiate aes128-cts session key, with only an aes256
+# long-term service key.
+ realm.run([kadminl, 'setstr', 'server', 'session_enctypes',
+            'rc4-hmac,aes128-cts,aes256-cts'])
+-test_kvno(realm, 'arcfour-hmac', 'aes256-cts-hmac-sha1-96')
+test_kvno(realm, 'aes128-cts-hmac-sha1-96', 'aes256-cts-hmac-sha1-96')
+ 
+ # 3c: Test des-cbc-crc default assumption.
+ realm.run([kadminl, 'delstr', 'server', 'session_enctypes'])
+@@ -75,4 +79,24 @@ realm.run([kadminl, 'addprinc', '-randkey', '-e', 'aes256-cts', 'server'])
+ test_kvno(realm, 'aes256-cts-hmac-sha1-96', 'aes256-cts-hmac-sha1-96')
+ realm.stop()
+ 
+# 5: allow_rc4 permits negotiation of rc4-hmac session key.
+realm = K5Realm(krb5_conf=conf5, create_host=False, get_creds=False)
+realm.run([kadminl, 'addprinc', '-randkey', '-e', 'aes256-cts', 'server'])
+realm.run([kadminl, 'setstr', 'server', 'session_enctypes', 'rc4-hmac'])
+test_kvno(realm, 'aes128-cts-hmac-sha1-96', 'aes256-cts-hmac-sha1-96')
+realm.stop()
+
+# 6: allow_des3 permits negotiation of des3-cbc-sha1 session key.
+realm = K5Realm(krb5_conf=conf6, create_host=False, get_creds=False)
+realm.run([kadminl, 'addprinc', '-randkey', '-e', 'aes256-cts', 'server'])
+realm.run([kadminl, 'setstr', 'server', 'session_enctypes', 'des3-cbc-sha1'])
+test_kvno(realm, 'DEPRECATED:des3-cbc-sha1', 'aes256-cts-hmac-sha1-96')
+realm.stop()
+
+# 7: default config negotiates aes256-sha1 session key for RC4-only service.
+realm = K5Realm(create_host=False, get_creds=False)
+realm.run([kadminl, 'addprinc', '-randkey', '-e', 'rc4-hmac', 'server'])
+test_kvno(realm, 'aes256-cts-hmac-sha1-96', 'DEPRECATED:arcfour-hmac')
+realm.stop()
+
+ success('sesskeynego')
+diff --git a/src/util/k5test.py b/src/util/k5test.py
+index 3aec1ef..ad47228 100644
+--- a/src/util/k5test.py
+++ b/src/util/k5test.py
+@@ -1262,7 +1262,7 @@ _passes = [
+      {'libdefaults': {
+                 'default_tgs_enctypes': 'des3',
+                 'default_tkt_enctypes': 'des3',
+-                'permitted_enctypes': 'des3'}},
+                'permitted_enctypes': 'des3 aes256-sha1'}},
+      {'realms': {'$realm': {
+                     'supported_enctypes': 'des3-cbc-sha1:normal',
+                     'master_key_type': 'des3-cbc-sha1'}}}),
+@@ -1272,7 +1272,7 @@ _passes = [
+      {'libdefaults': {
+                 'default_tgs_enctypes': 'rc4',
+                 'default_tkt_enctypes': 'rc4',
+-                'permitted_enctypes': 'rc4'}},
+                'permitted_enctypes': 'rc4 aes256-sha1'}},
+      {'realms': {'$realm': {
+                     'supported_enctypes': 'arcfour-hmac:normal',
+                     'master_key_type': 'arcfour-hmac'}}}),
+-- 
+2.50.1
+
@@ -0,0 +1,188 @@
+From 484a6e7712f9b66e782b2520f07b0883889e116f Mon Sep 17 00:00:00 2001
+From: Robbie Harwood <rharwood@redhat.com>
+Date: Tue, 15 Jan 2019 16:16:57 -0500
+Subject: [PATCH] Add function and enctype flag for deprecations
+
+krb5int_c_deprecated_enctype() checks for the ETYPE_DEPRECATED flag on
+enctypes.  All ENCTYPE_WEAK enctypes are currently deprecated; not all
+deprecated enctypes are considered weak.  Deprecations follow RFC 6649
+and RFC 8429.
+
+CVE: CVE-2025-3576
+Upstream-Status: Backport [https://github.com/krb5/krb5/commit/484a6e7712f9b66e782b2520f07b0883889e116f]
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ src/include/k5-int.h               |  1 +
+ src/lib/crypto/krb/crypto_int.h    |  9 ++++++++-
+ src/lib/crypto/krb/enctype_util.c  |  7 +++++++
+ src/lib/crypto/krb/etypes.c        | 19 ++++++++++---------
+ src/lib/crypto/libk5crypto.exports |  1 +
+ src/lib/krb5_32.def                |  3 +++
+ 6 files changed, 30 insertions(+), 10 deletions(-)
+
+diff --git a/src/include/k5-int.h b/src/include/k5-int.h
+index fffc6f8..5928c82 100644
+--- a/src/include/k5-int.h
+++ b/src/include/k5-int.h
+@@ -2080,6 +2080,7 @@ krb5_get_tgs_ktypes(krb5_context, krb5_const_principal, krb5_enctype **);
+ krb5_boolean krb5_is_permitted_enctype(krb5_context, krb5_enctype);
+ 
+ krb5_boolean KRB5_CALLCONV krb5int_c_weak_enctype(krb5_enctype);
+krb5_boolean KRB5_CALLCONV krb5int_c_deprecated_enctype(krb5_enctype);
+ krb5_error_code k5_enctype_to_ssf(krb5_enctype enctype, unsigned int *ssf_out);
+ 
+ krb5_error_code krb5_kdc_rep_decrypt_proc(krb5_context, const krb5_keyblock *,
+diff --git a/src/lib/crypto/krb/crypto_int.h b/src/lib/crypto/krb/crypto_int.h
+index e509929..6c1c77c 100644
+--- a/src/lib/crypto/krb/crypto_int.h
+++ b/src/lib/crypto/krb/crypto_int.h
+@@ -114,7 +114,14 @@ struct krb5_keytypes {
+     unsigned int ssf;
+ };
+ 
+-#define ETYPE_WEAK 1
+/*
+ * "Weak" means the enctype is believed to be vulnerable to practical attacks,
+ * and will be disabled unless allow_weak_crypto is set to true.  "Deprecated"
+ * means the enctype has been deprecated by the IETF, and affects display and
+ * logging.
+ */
+#define ETYPE_WEAK (1 << 0)
+#define ETYPE_DEPRECATED (1 << 1)
+ 
+ extern const struct krb5_keytypes krb5int_enctypes_list[];
+ extern const int krb5int_enctypes_length;
+diff --git a/src/lib/crypto/krb/enctype_util.c b/src/lib/crypto/krb/enctype_util.c
+index b1b40e7..e394f4e 100644
+--- a/src/lib/crypto/krb/enctype_util.c
+++ b/src/lib/crypto/krb/enctype_util.c
+@@ -51,6 +51,13 @@ krb5int_c_weak_enctype(krb5_enctype etype)
+     return (ktp != NULL && (ktp->flags & ETYPE_WEAK) != 0);
+ }
+ 
+krb5_boolean KRB5_CALLCONV
+krb5int_c_deprecated_enctype(krb5_enctype etype)
+{
+    const struct krb5_keytypes *ktp = find_enctype(etype);
+    return ktp != NULL && (ktp->flags & ETYPE_DEPRECATED) != 0;
+}
+
+ krb5_error_code KRB5_CALLCONV
+ krb5_c_enctype_compare(krb5_context context, krb5_enctype e1, krb5_enctype e2,
+                        krb5_boolean *similar)
+diff --git a/src/lib/crypto/krb/etypes.c b/src/lib/crypto/krb/etypes.c
+index 53d4a5c..8f44c37 100644
+--- a/src/lib/crypto/krb/etypes.c
+++ b/src/lib/crypto/krb/etypes.c
+@@ -33,6 +33,7 @@
+    that the keytypes are all near each other.  I'd rather not make
+    that assumption. */
+ 
+/* Deprecations come from RFC 6649 and RFC 8249. */
+ const struct krb5_keytypes krb5int_enctypes_list[] = {
+     { ENCTYPE_DES_CBC_CRC,
+       "des-cbc-crc", { 0 }, "DES cbc mode with CRC-32",
+@@ -42,7 +43,7 @@ const struct krb5_keytypes krb5int_enctypes_list[] = {
+       krb5int_des_string_to_key, k5_rand2key_des,
+       krb5int_des_prf,
+       CKSUMTYPE_RSA_MD5_DES,
+-      ETYPE_WEAK, 56 },
+      ETYPE_WEAK | ETYPE_DEPRECATED, 56 },
+     { ENCTYPE_DES_CBC_MD4,
+       "des-cbc-md4", { 0 }, "DES cbc mode with RSA-MD4",
+       &krb5int_enc_des, &krb5int_hash_md4,
+@@ -51,7 +52,7 @@ const struct krb5_keytypes krb5int_enctypes_list[] = {
+       krb5int_des_string_to_key, k5_rand2key_des,
+       krb5int_des_prf,
+       CKSUMTYPE_RSA_MD4_DES,
+-      ETYPE_WEAK, 56 },
+      ETYPE_WEAK | ETYPE_DEPRECATED, 56 },
+     { ENCTYPE_DES_CBC_MD5,
+       "des-cbc-md5", { "des" }, "DES cbc mode with RSA-MD5",
+       &krb5int_enc_des, &krb5int_hash_md5,
+@@ -60,7 +61,7 @@ const struct krb5_keytypes krb5int_enctypes_list[] = {
+       krb5int_des_string_to_key, k5_rand2key_des,
+       krb5int_des_prf,
+       CKSUMTYPE_RSA_MD5_DES,
+-      ETYPE_WEAK, 56 },
+      ETYPE_WEAK | ETYPE_DEPRECATED, 56 },
+     { ENCTYPE_DES_CBC_RAW,
+       "des-cbc-raw", { 0 }, "DES cbc mode raw",
+       &krb5int_enc_des, NULL,
+@@ -69,7 +70,7 @@ const struct krb5_keytypes krb5int_enctypes_list[] = {
+       krb5int_des_string_to_key, k5_rand2key_des,
+       krb5int_des_prf,
+       0,
+-      ETYPE_WEAK, 56 },
+      ETYPE_WEAK | ETYPE_DEPRECATED, 56 },
+     { ENCTYPE_DES3_CBC_RAW,
+       "des3-cbc-raw", { 0 }, "Triple DES cbc mode raw",
+       &krb5int_enc_des3, NULL,
+@@ -78,7 +79,7 @@ const struct krb5_keytypes krb5int_enctypes_list[] = {
+       krb5int_dk_string_to_key, k5_rand2key_des3,
+       NULL, /*PRF*/
+       0,
+-      ETYPE_WEAK, 112 },
+      ETYPE_WEAK | ETYPE_DEPRECATED, 112 },
+ 
+     { ENCTYPE_DES3_CBC_SHA1,
+       "des3-cbc-sha1", { "des3-hmac-sha1", "des3-cbc-sha1-kd" },
+@@ -89,7 +90,7 @@ const struct krb5_keytypes krb5int_enctypes_list[] = {
+       krb5int_dk_string_to_key, k5_rand2key_des3,
+       krb5int_dk_prf,
+       CKSUMTYPE_HMAC_SHA1_DES3,
+-      0 /*flags*/, 112 },
+      ETYPE_DEPRECATED, 112 },
+ 
+     { ENCTYPE_DES_HMAC_SHA1,
+       "des-hmac-sha1", { 0 }, "DES with HMAC/sha1",
+@@ -99,7 +100,7 @@ const struct krb5_keytypes krb5int_enctypes_list[] = {
+       krb5int_dk_string_to_key, k5_rand2key_des,
+       NULL, /*PRF*/
+       0,
+-      ETYPE_WEAK, 56 },
+      ETYPE_WEAK | ETYPE_DEPRECATED, 56 },
+ 
+     /* rc4-hmac uses a 128-bit key, but due to weaknesses in the RC4 cipher, we
+      * consider its strength degraded and assign it an SSF value of 64. */
+@@ -113,7 +114,7 @@ const struct krb5_keytypes krb5int_enctypes_list[] = {
+       krb5int_arcfour_decrypt, krb5int_arcfour_string_to_key,
+       k5_rand2key_direct, krb5int_arcfour_prf,
+       CKSUMTYPE_HMAC_MD5_ARCFOUR,
+-      0 /*flags*/, 64 },
+      ETYPE_DEPRECATED, 64 },
+     { ENCTYPE_ARCFOUR_HMAC_EXP,
+       "arcfour-hmac-exp", { "rc4-hmac-exp", "arcfour-hmac-md5-exp" },
+       "Exportable ArcFour with HMAC/md5",
+@@ -124,7 +125,7 @@ const struct krb5_keytypes krb5int_enctypes_list[] = {
+       krb5int_arcfour_decrypt, krb5int_arcfour_string_to_key,
+       k5_rand2key_direct, krb5int_arcfour_prf,
+       CKSUMTYPE_HMAC_MD5_ARCFOUR,
+-      ETYPE_WEAK, 40
+      ETYPE_WEAK | ETYPE_DEPRECATED, 40
+     },
+ 
+     { ENCTYPE_AES128_CTS_HMAC_SHA1_96,
+diff --git a/src/lib/crypto/libk5crypto.exports b/src/lib/crypto/libk5crypto.exports
+index 82eb5f3..90afdf5 100644
+--- a/src/lib/crypto/libk5crypto.exports
+++ b/src/lib/crypto/libk5crypto.exports
+@@ -109,3 +109,4 @@ k5_allow_weak_pbkdf2iter
+ krb5_c_prfplus
+ krb5_c_derive_prfplus
+ k5_enctype_to_ssf
+krb5int_c_deprecated_enctype
+diff --git a/src/lib/krb5_32.def b/src/lib/krb5_32.def
+index c350229..e6a4875 100644
+--- a/src/lib/krb5_32.def
+++ b/src/lib/krb5_32.def
+@@ -487,3 +487,6 @@ EXPORTS
+ 	encode_krb5_pa_spake				@444 ; PRIVATE
+ 	decode_krb5_pa_spake				@445 ; PRIVATE
+ 	k5_free_pa_spake				@446 ; PRIVATE
+
+; new in 1.18
+	krb5int_c_deprecated_enctype			@450 ; PRIVATE
+-- 
+2.50.1
+
@@ -0,0 +1,58 @@
+From: Greg Hudson <ghudson@mit.edu>
+Date: Mon, 14 Sep 2020 20:40:29 -0400
+Subject: [PATCH] Warn when des3-cbc-sha1 is used for initial auth
+
+During initial authentication, if des3-cbc-sha1 is used for either the
+reply key or session key, display a warning that it will be disabled.
+
+ticket: 8947
+
+CVE: CVE-2025-3576
+Upstream-Status: Backport [https://github.com/krb5/krb5/commit/39fecf78796bbdde1e3d4828b86f64f05d9e4c77]
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ src/lib/krb5/krb/get_in_tkt.c | 21 +++++++++++++++++++++
+ 1 file changed, 21 insertions(+)
+
+diff --git a/src/lib/krb5/krb/get_in_tkt.c b/src/lib/krb5/krb/get_in_tkt.c
+index 79dede2..51580c9 100644
+--- a/src/lib/krb5/krb/get_in_tkt.c
+++ b/src/lib/krb5/krb/get_in_tkt.c
+@@ -1509,6 +1509,26 @@ accept_method_data(krb5_context context, krb5_init_creds_context ctx)
+                                      ctx->method_padata);
+ }
+ 
+/* Display a warning via the prompter if des3-cbc-sha1 was used for either the
+ * reply key or the session key. */
+static void
+warn_des3(krb5_context context, krb5_init_creds_context ctx,
+          krb5_enctype as_key_enctype)
+{
+    const char *banner;
+
+    if (as_key_enctype != ENCTYPE_DES3_CBC_SHA1 &&
+        ctx->cred.keyblock.enctype != ENCTYPE_DES3_CBC_SHA1)
+        return;
+    if (ctx->prompter == NULL)
+        return;
+
+    banner = _("Warning: encryption type des3-cbc-sha1 used for "
+               "authentication is weak and will be disabled");
+    /* PROMPTER_INVOCATION */
+    (*ctx->prompter)(context, ctx->prompter_data, NULL, banner, 0, NULL);
+}
+
+ static krb5_error_code
+ init_creds_step_reply(krb5_context context,
+                       krb5_init_creds_context ctx,
+@@ -1708,6 +1728,7 @@ init_creds_step_reply(krb5_context context,
+ 
+     /* success */
+     ctx->complete = TRUE;
+    warn_des3(context, ctx, encrypting_key.enctype);
+ 
+ cleanup:
+     krb5_free_pa_data(context, kdc_padata);
+-- 
+2.50.1
+
@@ -37,6 +37,9 @@ SRC_URI = "http://web.mit.edu/kerberos/dist/${BPN}/${SHRT_VER}/${BP}.tar.gz \
           file://CVE-2024-37370_37371-pre1.patch;striplevel=2 \
           file://CVE-2024-37370_37371.patch;striplevel=2 \
           file://CVE-2024-26458_CVE-2024-26461.patch;striplevel=2 \
+           file://CVE-2025-3576-pre.patch;striplevel=2 \
+           file://CVE-2025-3576-01.patch;striplevel=2 \
+           file://CVE-2025-3576-02.patch;striplevel=2 \
 "
 SRC_URI[md5sum] = "aa4337fffa3b61f22dbd0167f708818f"
 SRC_URI[sha256sum] = "1a4bba94df92f6d39a197a10687653e8bfbc9a2076e129f6eb92766974f86134"