diff options
author | Greg Hudson <ghudson@mit.edu> | 2015-12-08 13:50:06 -0500 |
---|---|---|
committer | Greg Hudson <ghudson@mit.edu> | 2016-10-03 15:39:23 -0400 |
commit | d1ec317288278d10ae34fde9b2414e4fca5c52dd (patch) | |
tree | 2a6a4dac071d32b5a7940e6bfd3a91d590668d3d | |
parent | d4efd9fe567631b9d5f3ffa8b53a22953e5069cb (diff) | |
download | krb5-d1ec317288278d10ae34fde9b2414e4fca5c52dd.zip krb5-d1ec317288278d10ae34fde9b2414e4fca5c52dd.tar.gz krb5-d1ec317288278d10ae34fde9b2414e4fca5c52dd.tar.bz2 |
Add aes-sha2 to permitted_enctypes and aes family
Add the new aes-sha2 enctypes to the default value of
permitted_enctype, and to the enctypes implied by the "aes" family
when parsing enctype lists.
ticket: 8490
-rw-r--r-- | src/lib/krb5/krb/init_ctx.c | 3 | ||||
-rw-r--r-- | src/lib/krb5/krb/t_etypes.c | 15 |
2 files changed, 14 insertions, 4 deletions
diff --git a/src/lib/krb5/krb/init_ctx.c b/src/lib/krb5/krb/init_ctx.c index a393627..cf226fd 100644 --- a/src/lib/krb5/krb/init_ctx.c +++ b/src/lib/krb5/krb/init_ctx.c @@ -62,6 +62,7 @@ des-crc for now. */ static krb5_enctype default_enctype_list[] = { ENCTYPE_AES256_CTS_HMAC_SHA1_96, ENCTYPE_AES128_CTS_HMAC_SHA1_96, + ENCTYPE_AES256_CTS_HMAC_SHA384_192, ENCTYPE_AES128_CTS_HMAC_SHA256_128, ENCTYPE_DES3_CBC_SHA1, ENCTYPE_ARCFOUR_HMAC, ENCTYPE_CAMELLIA128_CTS_CMAC, ENCTYPE_CAMELLIA256_CTS_CMAC, @@ -482,6 +483,8 @@ krb5int_parse_enctype_list(krb5_context context, const char *profkey, } else if (strcasecmp(token, "aes") == 0) { mod_list(ENCTYPE_AES256_CTS_HMAC_SHA1_96, sel, weak, &list); mod_list(ENCTYPE_AES128_CTS_HMAC_SHA1_96, sel, weak, &list); + mod_list(ENCTYPE_AES256_CTS_HMAC_SHA384_192, sel, weak, &list); + mod_list(ENCTYPE_AES128_CTS_HMAC_SHA256_128, sel, weak, &list); } else if (strcasecmp(token, "rc4") == 0) { mod_list(ENCTYPE_ARCFOUR_HMAC, sel, weak, &list); } else if (strcasecmp(token, "camellia") == 0) { diff --git a/src/lib/krb5/krb/t_etypes.c b/src/lib/krb5/krb/t_etypes.c index 0a8a199..3176376 100644 --- a/src/lib/krb5/krb/t_etypes.c +++ b/src/lib/krb5/krb/t_etypes.c @@ -92,8 +92,10 @@ static struct { { "aes des3-cbc-sha1-kd", { 0 }, { ENCTYPE_AES256_CTS_HMAC_SHA1_96, ENCTYPE_AES128_CTS_HMAC_SHA1_96, + ENCTYPE_AES256_CTS_HMAC_SHA384_192, ENCTYPE_AES128_CTS_HMAC_SHA256_128, ENCTYPE_DES3_CBC_SHA1, 0 }, { ENCTYPE_AES256_CTS_HMAC_SHA1_96, ENCTYPE_AES128_CTS_HMAC_SHA1_96, + ENCTYPE_AES256_CTS_HMAC_SHA384_192, ENCTYPE_AES128_CTS_HMAC_SHA256_128, ENCTYPE_DES3_CBC_SHA1, 0 }, 0, 0 }, @@ -115,9 +117,12 @@ static struct { { "DEFAULT +aes -arcfour-hmac-md5", { ENCTYPE_ARCFOUR_HMAC, ENCTYPE_DES3_CBC_SHA1, ENCTYPE_DES_CBC_CRC, 0 }, { ENCTYPE_DES3_CBC_SHA1, ENCTYPE_AES256_CTS_HMAC_SHA1_96, - ENCTYPE_AES128_CTS_HMAC_SHA1_96, 0 }, + ENCTYPE_AES128_CTS_HMAC_SHA1_96, ENCTYPE_AES256_CTS_HMAC_SHA384_192, + ENCTYPE_AES128_CTS_HMAC_SHA256_128, 0 }, { ENCTYPE_DES3_CBC_SHA1, ENCTYPE_DES_CBC_CRC, - ENCTYPE_AES256_CTS_HMAC_SHA1_96, ENCTYPE_AES128_CTS_HMAC_SHA1_96, 0 }, + ENCTYPE_AES256_CTS_HMAC_SHA1_96, ENCTYPE_AES128_CTS_HMAC_SHA1_96, + ENCTYPE_AES256_CTS_HMAC_SHA384_192, ENCTYPE_AES128_CTS_HMAC_SHA256_128, + 0 }, 0, 0 }, /* Default set with families removed and enctypes added (one redundant) */ @@ -145,8 +150,10 @@ static struct { { "aes +rc4 -DEFaulT des3-hmac-sha1", { ENCTYPE_AES128_CTS_HMAC_SHA1_96, ENCTYPE_DES3_CBC_SHA1, ENCTYPE_ARCFOUR_HMAC, 0 }, - { ENCTYPE_AES256_CTS_HMAC_SHA1_96, ENCTYPE_DES3_CBC_SHA1, 0 }, - { ENCTYPE_AES256_CTS_HMAC_SHA1_96, ENCTYPE_DES3_CBC_SHA1, 0 }, + { ENCTYPE_AES256_CTS_HMAC_SHA1_96, ENCTYPE_AES256_CTS_HMAC_SHA384_192, + ENCTYPE_AES128_CTS_HMAC_SHA256_128, ENCTYPE_DES3_CBC_SHA1, 0 }, + { ENCTYPE_AES256_CTS_HMAC_SHA1_96, ENCTYPE_AES256_CTS_HMAC_SHA384_192, + ENCTYPE_AES128_CTS_HMAC_SHA256_128, ENCTYPE_DES3_CBC_SHA1, 0 }, 0, 0 }, /* Test krb5_set_default_in_tkt_ktypes */ |