diff options
| -rw-r--r-- | src/kdc/kdc_util.c | 4 | ||||
| -rwxr-xr-x | src/tests/t_keyrollover.py | 6 |
2 files changed, 7 insertions, 3 deletions
diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c index f5cb2ab..0c846c1 100644 --- a/src/kdc/kdc_util.c +++ b/src/kdc/kdc_util.c @@ -1006,6 +1006,10 @@ dbentry_supports_enctype(krb5_context context, krb5_db_entry *server, free(etypes_str); free(etypes); + /* Assume every server without a session_enctypes attribute supports + * aes256-cts-hmac-sha1-96. */ + if (enctype == ENCTYPE_AES256_CTS_HMAC_SHA1_96) + return TRUE; /* Assume the server supports any enctype it has a long-term key for. */ return !krb5_dbe_find_enctype(context, server, enctype, -1, 0, &datap); } diff --git a/src/tests/t_keyrollover.py b/src/tests/t_keyrollover.py index 2c825a6..e9840df 100755 --- a/src/tests/t_keyrollover.py +++ b/src/tests/t_keyrollover.py @@ -22,9 +22,9 @@ realm.run([kvno, princ1]) realm.run([kadminl, 'purgekeys', realm.krbtgt_princ]) # Make sure an old TGT fails after purging old TGS key. realm.run([kvno, princ2], expected_code=1) -et = "aes128-cts-hmac-sha256-128" -msg = 'krbtgt/%s@%s\n\tEtype (skey, tkt): %s, %s' % \ - (realm.realm, realm.realm, et, et) +msg = 'krbtgt/%s@%s\n\tEtype (skey, tkt): ' \ + 'aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha256-128' % \ + (realm.realm, realm.realm) realm.run([klist, '-e'], expected_msg=msg) # Check that new key actually works. |