krb5 commit: Update test suite to avoid single-DES enctypes

Greg Hudson ghudson at mit.edu
Tue May 28 15:00:54 EDT 2019


https://github.com/krb5/krb5/commit/50588db5d26e81f3d564d1f69435af34ae80d9b2
commit 50588db5d26e81f3d564d1f69435af34ae80d9b2
Author: Robbie Harwood <rharwood at redhat.com>
Date:   Fri May 24 13:11:55 2019 -0400

    Update test suite to avoid single-DES enctypes
    
    Remove the CRC exercise code, since CRC is DES-only.
    
    ticket: 8808

 src/kadmin/testing/proto/kdc.conf.proto            |    2 +-
 src/kadmin/testing/util/tcl_kadm5.c                |    2 -
 src/lib/crypto/crypto_tests/CRC.pm                 |  156 -----------
 src/lib/crypto/crypto_tests/Makefile.in            |   31 +--
 src/lib/crypto/crypto_tests/crc.pl                 |  111 --------
 src/lib/crypto/crypto_tests/deps                   |   24 --
 src/lib/crypto/crypto_tests/t_cf2.expected         |    1 -
 src/lib/crypto/crypto_tests/t_cf2.in               |    5 -
 src/lib/crypto/crypto_tests/t_cksum.c              |  160 ------------
 src/lib/crypto/crypto_tests/t_cksums.c             |    8 +-
 src/lib/crypto/crypto_tests/t_combine.c            |   18 --
 src/lib/crypto/crypto_tests/t_crc.c                |  148 -----------
 src/lib/crypto/crypto_tests/t_decrypt.c            |  148 -----------
 src/lib/crypto/crypto_tests/t_encrypt.c            |    3 -
 src/lib/crypto/crypto_tests/t_short.c              |    3 -
 src/lib/crypto/crypto_tests/t_str2key.c            |  274 --------------------
 src/lib/crypto/crypto_tests/vectors.c              |    3 +-
 .../unit-test/api.current/chpass-principal-v2.exp  |    8 +-
 .../unit-test/api.current/get-principal-v2.exp     |    4 +-
 .../unit-test/api.current/randkey-principal-v2.exp |   11 +-
 src/lib/kadm5/unit-test/setkey-test.c              |    6 +-
 src/lib/krb5/keytab/t_keytab.c                     |   40 ++--
 src/lib/krb5/krb/t_etypes.c                        |   67 +----
 src/lib/krb5/krb/t_ser.c                           |    2 +-
 src/lib/krb5/os/t_trace.c                          |    2 +-
 src/lib/krb5/os/t_trace.ref                        |    2 +-
 src/tests/asn.1/ktest.c                            |    2 +-
 src/tests/asn.1/pkinit_encode.out                  |    2 +-
 src/tests/asn.1/pkinit_trval.out                   |    2 +-
 src/tests/dejagnu/config/default.exp               |  226 ++---------------
 src/tests/gssapi/t_invalid.c                       |   20 +--
 src/tests/gssapi/t_pcontok.c                       |   17 +-
 src/tests/gssapi/t_prf.c                           |    7 -
 src/tests/t_etype_info.py                          |    4 +-
 src/tests/t_keyrollover.py                         |    6 +-
 src/tests/t_salt.py                                |    2 +-
 src/tests/t_sesskeynego.py                         |   18 +--
 src/util/k5test.py                                 |    2 +-
 38 files changed, 88 insertions(+), 1459 deletions(-)

diff --git a/src/kadmin/testing/proto/kdc.conf.proto b/src/kadmin/testing/proto/kdc.conf.proto
index 45df78b..8a4b87d 100644
--- a/src/kadmin/testing/proto/kdc.conf.proto
+++ b/src/kadmin/testing/proto/kdc.conf.proto
@@ -12,5 +12,5 @@
 		kadmind_port = 1751
 		kpasswd_port = 1752
 		master_key_type = des3-hmac-sha1
-		supported_enctypes = des3-hmac-sha1:normal des-cbc-crc:normal des-cbc-md5:normal des-cbc-raw:normal
+		supported_enctypes = des3-hmac-sha1:normal aes256-cts:normal aes128-cts:normal aes256-sha2:normal aes128-sha2:normal
 	}
diff --git a/src/kadmin/testing/util/tcl_kadm5.c b/src/kadmin/testing/util/tcl_kadm5.c
index 9dde579..4d3114b 100644
--- a/src/kadmin/testing/util/tcl_kadm5.c
+++ b/src/kadmin/testing/util/tcl_kadm5.c
@@ -1514,8 +1514,6 @@ static Tcl_DString *unparse_keytype(krb5_enctype enctype)
     switch (enctype) {
         /* XXX is this right? */
     case ENCTYPE_NULL: Tcl_DStringAppend(str, "ENCTYPE_NULL", -1); break;
-    case ENCTYPE_DES_CBC_CRC:
-        Tcl_DStringAppend(str, "ENCTYPE_DES_CBC_CRC", -1); break;
     default:
         sprintf(buf, "UNKNOWN KEYTYPE (0x%x)", enctype);
         Tcl_DStringAppend(str, buf, -1);
diff --git a/src/lib/crypto/crypto_tests/CRC.pm b/src/lib/crypto/crypto_tests/CRC.pm
deleted file mode 100644
index ee2ab2a..0000000
--- a/src/lib/crypto/crypto_tests/CRC.pm
+++ /dev/null
@@ -1,156 +0,0 @@
-# Copyright 2002 by the Massachusetts Institute of Technology.
-# All Rights Reserved.
-#
-# Export of this software from the United States of America may
-#   require a specific license from the United States Government.
-#   It is the responsibility of any person or organization contemplating
-#   export to obtain such a license before exporting.
-# 
-# WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
-# distribute this software and its documentation for any purpose and
-# without fee is hereby granted, provided that the above copyright
-# notice appear in all copies and that both that copyright notice and
-# this permission notice appear in supporting documentation, and that
-# the name of M.I.T. not be used in advertising or publicity pertaining
-# to distribution of the software without specific, written prior
-# permission.  Furthermore if you modify this software you must label
-# your software as modified software and not distribute it in such a
-# fashion that it might be confused with the original M.I.T. software.
-# M.I.T. makes no representations about the suitability of
-# this software for any purpose.  It is provided "as is" without express
-# or implied warranty.
-
-package CRC;
-
-# CRC: implement a CRC using the Poly package (yes this is slow)
-#
-# message M(x) = m_0 * x^0 + m_1 * x^1 + ... + m_(k-1) * x^(k-1)
-# generator P(x) = p_0 * x^0 + p_1 * x^1 + ... + p_n * x^n
-# remainder R(x) = r_0 * x^0 + r_1 * x^1 + ... + r_(n-1) * x^(n-1)
-#
-# R(x) = (x^n * M(x)) % P(x)
-#
-# Note that if F(x) = x^n * M(x) + R(x), then F(x) = 0 mod P(x) .
-#
-# In MIT Kerberos 5, R(x) is taken as the CRC, as opposed to what
-# ISO 3309 does.
-#
-# ISO 3309 adds a precomplement and a postcomplement.
-#
-# The ISO 3309 postcomplement is of the form
-#
-# A(x) = x^0 + x^1 + ... + x^(n-1) .
-#
-# The ISO 3309 precomplement is of the form
-#
-# B(x) = x^k * A(x) .
-#
-# The ISO 3309 FCS is then
-#
-# (x^n * M(x)) % P(x) + B(x) % P(x) + A(x) ,
-#
-# which is equivalent to
-#
-# (x^n * M(x) + B(x)) % P(x) + A(x) .
-#
-# In ISO 3309, the transmitted frame is
-#
-# F'(x) = x^n * M(x) + R(x) + R'(x) + A(x) ,
-#
-# where
-#
-# R'(x) = B(x) % P(x) .
-#
-# Note that this means that if a new remainder is computed over the
-# frame F'(x) (treating F'(x) as the new M(x)), it will be equal to a
-# constant.
-#
-# F'(x) = 0 + R'(x) + A(x) mod P(x) ,
-#
-# then
-#
-# (F'(x) + x^k * A(x)) * x^n
-#
-# = ((R'(x) + A(x)) + x^k * A(x)) * x^n mod P(x)
-#
-# = (x^k * A(x) + A(x) + x^k * A(x)) * x^n mod P(x)
-#
-# = (0 + A(x)) * x^n mod P(x)
-#
-# Note that (A(x) * x^n) % P(x) is a constant, and that this result
-# depends on B(x) being x^k * A(x).
-
-use Carp;
-use Poly;
-
-sub new {
-    my $self = shift;
-    my $class = ref($self) || $self;
-    my %args = @_;
-    $self = {bitsendian => "little"};
-    bless $self, $class;
-    $self->setpoly($args{"Poly"}) if exists $args{"Poly"};
-    $self->bitsendian($args{"bitsendian"})
-	if exists $args{"bitsendian"};
-    $self->{precomp} = $args{precomp} if exists $args{precomp};
-    $self->{postcomp} = $args{postcomp} if exists $args{postcomp};
-    return $self;
-}
-
-sub setpoly {
-    my $self = shift;
-    my($arg) = @_;
-    croak "need a polynomial" if !$arg->isa("Poly");
-    $self->{Poly} = $arg;
-    return $self;
-}
-
-sub crc {
-    my $self = shift;
-    my $msg = Poly->new(@_);
-    my($order, $r, $precomp);
-    $order = $self->{Poly}->order;
-    # B(x) = x^k * precomp
-    $precomp = $self->{precomp} ?
-	$self->{precomp} * Poly->powers2poly(scalar(@_)) : Poly->new;
-    # R(x) = (x^n * M(x)) % P(x)
-    $r = ($msg * Poly->powers2poly($order)) % $self->{Poly};
-    # B(x) % P(x)
-    $r += $precomp % $self->{Poly};
-    $r += $self->{postcomp} if exists $self->{postcomp};
-    return $r;
-}
-
-# endianness of bits of each octet
-#
-# Note that the message is always treated as being sent in big-endian
-# octet order.
-#
-# Usually, the message will be treated as bits being little-endian,
-# since that is the common case for serial implementations that
-# present data in octets; e.g., most UARTs shift octets onto the line
-# in little-endian order, and protocols such as ISO 3309, V.42,
-# etc. treat individual octets as being sent LSB-first.
-
-sub bitsendian {
-    my $self = shift;
-    my($arg) = @_;
-    croak "bad bit endianness" if $arg !~ /big|little/;
-    $self->{bitsendian} = $arg;
-    return $self;
-}
-
-sub crcstring {
-    my $self = shift;
-    my($arg) = @_;
-    my($packstr, @m);
-    {
-	$packstr = "B*", last if $self->{bitsendian} =~ /big/;
-	$packstr = "b*", last if $self->{bitsendian} =~ /little/;
-	croak "bad bit endianness";
-    };
-    @m = split //, unpack $packstr, $arg;
-    return $self->crc(@m);
-}
-
-1;
diff --git a/src/lib/crypto/crypto_tests/Makefile.in b/src/lib/crypto/crypto_tests/Makefile.in
index c5eba1b..09feeb5 100644
--- a/src/lib/crypto/crypto_tests/Makefile.in
+++ b/src/lib/crypto/crypto_tests/Makefile.in
@@ -16,9 +16,7 @@ EXTRADEPSRCS=\
 	$(srcdir)/aes-test.c	\
 	$(srcdir)/camellia-test.c	\
 	$(srcdir)/t_cf2.c	\
-	$(srcdir)/t_cksum.c	\
 	$(srcdir)/t_cksums.c	\
-	$(srcdir)/t_crc.c	\
 	$(srcdir)/t_mddriver.c	\
 	$(srcdir)/t_kperf.c	\
 	$(srcdir)/t_sha2.c	\
@@ -30,15 +28,12 @@ EXTRADEPSRCS=\
 
 ##DOS##BUILDTOP = ..\..\..
 
-# NOTE: The t_cksum known checksum values are primarily for regression
-# testing.  They are not derived a priori, but are known to produce
-# checksums that interoperate.
 check-unix: t_nfold t_encrypt t_decrypt t_prf t_prng t_cmac t_hmac \
-		t_cksum4 t_cksum5 t_cksums \
+		t_cksums \
 		aes-test  \
 		camellia-test  \
 		t_mddriver4 t_mddriver \
-		t_crc t_cts t_sha2 t_short t_str2key t_derive t_fork t_cf2 \
+		t_cts t_sha2 t_short t_str2key t_derive t_fork t_cf2 \
 		t_combine
 	$(RUN_TEST) ./t_nfold
 	$(RUN_TEST) ./t_encrypt
@@ -47,10 +42,7 @@ check-unix: t_nfold t_encrypt t_decrypt t_prf t_prng t_cmac t_hmac \
 	$(RUN_TEST) ./t_cmac
 	$(RUN_TEST) ./t_hmac
 	$(RUN_TEST) ./t_prf
-	$(RUN_TEST) ./t_cksum4 "this is a test" e3f76a07f3401e3536b43a3f54226c39422c35682c354835
-	$(RUN_TEST) ./t_cksum5 "this is a test" e3f76a07f3401e351143ee6f4c09be1edb4264d55015db53
 	$(RUN_TEST) ./t_cksums
-	$(RUN_TEST) ./t_crc
 	$(RUN_TEST) ./t_cts
 	$(RUN_TEST) ./aes-test -k > vk.txt
 	cmp vk.txt $(srcdir)/expect-vk.txt
@@ -109,24 +101,9 @@ t_short$(EXEEXT): t_short.$(OBJEXT) $(KRB5_BASE_DEPLIBS)
 	$(CC_LINK) -o $@ t_short.$(OBJEXT) \
 		$(KRB5_BASE_LIBS)
 
-t_cksum4.o: $(srcdir)/t_cksum.c
-	$(CC) -DMD=4 $(ALL_CFLAGS) -o t_cksum4.o -c $(srcdir)/t_cksum.c
-
-t_cksum5.o: $(srcdir)/t_cksum.c
-	$(CC) -DMD=5 $(ALL_CFLAGS) -o t_cksum5.o -c $(srcdir)/t_cksum.c
-
-t_cksum4: t_cksum4.o $(CRYTPO_DEPLIB)
-	$(CC_LINK) -o t_cksum4 t_cksum4.o $(KRB5_BASE_LIBS)
-
-t_cksum5: t_cksum5.o $(CRYPTO_DEPLIB)
-	$(CC_LINK) -o t_cksum5 t_cksum5.o $(KRB5_BASE_LIBS)
-
 t_cksums: t_cksums.o $(CRYTPO_DEPLIB)
 	$(CC_LINK) -o t_cksums t_cksums.o -lkrb5 $(KRB5_BASE_LIBS)
 
-t_crc: t_crc.o $(KRB5_BASE_DEPLIBS)
-	$(CC_LINK) -o $@ t_crc.o $(KRB5_BASE_LIBS)
-
 aes-test: aes-test.$(OBJEXT) $(KRB5_BASE_DEPLIBS)
 	$(CC_LINK) -o aes-test aes-test.$(OBJEXT) $(KRB5_BASE_LIBS)
 
@@ -165,9 +142,9 @@ clean:
 		t_decrypt.o t_decrypt t_prng.o t_prng t_cmac.o t_cmac \
 		t_hmac.o t_hmac t_pkcs5.o t_pkcs5 pbkdf2.o t_prf t_prf.o \
 		aes-test.o aes-test vt.txt vk.txt kresults.out \
-		t_crc.o t_crc t_cts.o t_cts \
+		t_cts.o t_cts \
 		t_mddriver4.o t_mddriver4 t_mddriver.o t_mddriver \
-		t_cksum4 t_cksum4.o t_cksum5 t_cksum5.o t_cksums t_cksums.o \
+		t_cksums t_cksums.o \
 		t_kperf.o t_kperf t_sha2.o t_sha2 t_short t_short.o t_str2key \
 		t_str2key.o t_derive t_derive.o t_fork t_fork.o \
 		t_mddriver$(EXEEXT) $(OUTPRE)t_mddriver.$(OBJEXT) \
diff --git a/src/lib/crypto/crypto_tests/crc.pl b/src/lib/crypto/crypto_tests/crc.pl
deleted file mode 100644
index b21b6b1..0000000
--- a/src/lib/crypto/crypto_tests/crc.pl
+++ /dev/null
@@ -1,111 +0,0 @@
-# Copyright 2002 by the Massachusetts Institute of Technology.
-# All Rights Reserved.
-#
-# Export of this software from the United States of America may
-#   require a specific license from the United States Government.
-#   It is the responsibility of any person or organization contemplating
-#   export to obtain such a license before exporting.
-# 
-# WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
-# distribute this software and its documentation for any purpose and
-# without fee is hereby granted, provided that the above copyright
-# notice appear in all copies and that both that copyright notice and
-# this permission notice appear in supporting documentation, and that
-# the name of M.I.T. not be used in advertising or publicity pertaining
-# to distribution of the software without specific, written prior
-# permission.  Furthermore if you modify this software you must label
-# your software as modified software and not distribute it in such a
-# fashion that it might be confused with the original M.I.T. software.
-# M.I.T. makes no representations about the suitability of
-# this software for any purpose.  It is provided "as is" without express
-# or implied warranty.
-
-use CRC;
-
-print "*** crudely testing polynomial functions ***\n";
-
-$x = Poly->new(1,1,1,1);
-$y = Poly->new(1,1);
-print "x = @{[$x->pretty]}\ny = @{[$y->pretty]}\n";
-$q = $x / $y;
-$r = $x % $y;
-print $x->pretty, " = (", $y->pretty , ") * (", $q->pretty,
-    ") + ", $r->pretty, "\n";
-$q = $y / $x;
-$r = $y % $x;
-print "y / x = @{[$q->pretty]}\ny % x = @{[$r->pretty]}\n";
-
-# ISO 3309 32-bit FCS polynomial
-$fcs32 = Poly->powers2poly(32,26,23,22,16,12,11,10,8,7,5,4,2,1,0);
-print "fcs32 = ", $fcs32->pretty, "\n";
-
-$crc = CRC->new(Poly => $fcs32, bitsendian => "little");
-
-print "\n";
-
-print "*** little endian, no complementation ***\n";
-for ($i = 0; $i < 256; $i++) {
-    $r = $crc->crcstring(pack "C", $i);
-    printf ("%02x: ", $i) if !($i % 8);
-    print ($r->revhex, ($i % 8 == 7) ? "\n" : " ");
-}
-
-print "\n";
-
-print "*** little endian, 4 bits, no complementation ***\n";
-for ($i = 0; $i < 16; $i++) {
-    @m = (split //, unpack "b*", pack "C", $i)[0..3];
-    $r = $crc->crc(@m);
-    printf ("%02x: ", $i) if !($i % 8);
-    print ($r->revhex, ($i % 8 == 7) ? "\n" : " ");
-}
-
-print "\n";
-
-print "*** test vectors for t_crc.c, little endian ***\n";
-for ($i = 1; $i <= 4; $i *=2) {
-    for ($j = 0; $j < $i * 8; $j++) {
-	@m = split //, unpack "b*", pack "V", 1 << $j;
-	splice @m, $i * 8;
-	$r = $crc->crc(@m);
-	$m = unpack "H*", pack "b*", join("", @m);
-	print "{HEX, \"$m\", 0x", $r->revhex, "},\n";
-    }
-}
- at m = ("foo", "test0123456789",
-      "MASSACHVSETTS INSTITVTE OF TECHNOLOGY");
-foreach $m (@m) {
-    $r = $crc->crcstring($m);
-    print "{STR, \"$m\", 0x", $r->revhex, "},\n";
-}
-__END__
-
-print "*** big endian, no complementation ***\n";
-for ($i = 0; $i < 256; $i++) {
-    $r = $crc->crcstring(pack "C", $i);
-    printf ("%02x: ", $i) if !($i % 8);
-    print ($r->hex, ($i % 8 == 7) ? "\n" : " ");
-}
-
-# all ones polynomial of order 31
-$ones = Poly->new((1) x 32);
-
-print "*** big endian, ISO-3309 style\n";
-$crc = CRC->new(Poly => $fcs32,
-		bitsendian => "little",
-		precomp => $ones,
-		postcomp => $ones);
-for ($i = 0; $i < 256; $i++) {
-    $r = $crc->crcstring(pack "C", $i);
-    print ($r->hex, ($i % 8 == 7) ? "\n" : " ");
-}
-
-for ($i = 0; $i < 0; $i++) {
-    $x = Poly->new((1) x 32, (0) x $i);
-    $y = Poly->new((1) x 32);
-    $f = ($x % $fcs32) + $y;
-    $r = (($f + $x) * Poly->powers2poly(32)) % $fcs32;
-    @out = @$r;
-    unshift @out, 0 while @out < 32;
-    print @out, "\n";
-}
diff --git a/src/lib/crypto/crypto_tests/deps b/src/lib/crypto/crypto_tests/deps
index 5d94a59..19fef25 100644
--- a/src/lib/crypto/crypto_tests/deps
+++ b/src/lib/crypto/crypto_tests/deps
@@ -140,17 +140,6 @@ $(OUTPRE)camellia-test.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
   $(top_srcdir)/include/socket-utils.h camellia-test.c
 $(OUTPRE)t_cf2.$(OBJEXT): $(BUILDTOP)/include/krb5/krb5.h \
   $(COM_ERR_DEPS) $(top_srcdir)/include/krb5.h t_cf2.c
-$(OUTPRE)t_cksum.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
-  $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
-  $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(top_srcdir)/include/k5-buf.h \
-  $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \
-  $(top_srcdir)/include/k5-hex.h $(top_srcdir)/include/k5-int-pkinit.h \
-  $(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-platform.h \
-  $(top_srcdir)/include/k5-plugin.h $(top_srcdir)/include/k5-thread.h \
-  $(top_srcdir)/include/k5-trace.h $(top_srcdir)/include/krb5.h \
-  $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/plugin.h \
-  $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \
-  t_cksum.c
 $(OUTPRE)t_cksums.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
   $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
   $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(top_srcdir)/include/k5-buf.h \
@@ -161,19 +150,6 @@ $(OUTPRE)t_cksums.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
   $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \
   $(top_srcdir)/include/krb5/plugin.h $(top_srcdir)/include/port-sockets.h \
   $(top_srcdir)/include/socket-utils.h t_cksums.c
-$(OUTPRE)t_crc.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
-  $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
-  $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(srcdir)/../builtin/aes/aes.h \
-  $(srcdir)/../builtin/crypto_mod.h $(srcdir)/../builtin/sha2/sha2.h \
-  $(srcdir)/../krb/crypto_int.h $(top_srcdir)/include/k5-buf.h \
-  $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \
-  $(top_srcdir)/include/k5-hex.h $(top_srcdir)/include/k5-int-pkinit.h \
-  $(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-platform.h \
-  $(top_srcdir)/include/k5-plugin.h $(top_srcdir)/include/k5-thread.h \
-  $(top_srcdir)/include/k5-trace.h $(top_srcdir)/include/krb5.h \
-  $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/plugin.h \
-  $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \
-  t_crc.c
 $(OUTPRE)t_mddriver.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
   $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
   $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(srcdir)/../builtin/aes/aes.h \
diff --git a/src/lib/crypto/crypto_tests/t_cf2.expected b/src/lib/crypto/crypto_tests/t_cf2.expected
index 11a24b8..f8251a1 100644
--- a/src/lib/crypto/crypto_tests/t_cf2.expected
+++ b/src/lib/crypto/crypto_tests/t_cf2.expected
@@ -1,6 +1,5 @@
 97df97e4b798b29eb31ed7280287a92a
 4d6ca4e629785c1f01baf55e2e548566b9617ae3a96868c337cb93b5e72b1c7b
-43bae3738c9467e6
 e58f9eb643862c13ad38e529313462a7f73e62834fe54a01
 24d7f6b6bae4e5c00d2082c5ebab3672
 edd02a39d2dbde31611c16e610be062c
diff --git a/src/lib/crypto/crypto_tests/t_cf2.in b/src/lib/crypto/crypto_tests/t_cf2.in
index e62ead7..73e2f8f 100644
--- a/src/lib/crypto/crypto_tests/t_cf2.in
+++ b/src/lib/crypto/crypto_tests/t_cf2.in
@@ -8,11 +8,6 @@ key1
 key2
 a
 b
-1
-key1
-key2
-a
-b
 16
 key1
 key2
diff --git a/src/lib/crypto/crypto_tests/t_cksum.c b/src/lib/crypto/crypto_tests/t_cksum.c
deleted file mode 100644
index 0edaeb8..0000000
--- a/src/lib/crypto/crypto_tests/t_cksum.c
+++ /dev/null
@@ -1,160 +0,0 @@
-/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
-/* lib/crypto/crypto_tests/t_cksum.c */
-/*
- * Copyright 1995 by the Massachusetts Institute of Technology.
- * All Rights Reserved.
- *
- * Export of this software from the United States of America may
- *   require a specific license from the United States Government.
- *   It is the responsibility of any person or organization contemplating
- *   export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission.  Furthermore if you modify this software you must label
- * your software as modified software and not distribute it in such a
- * fashion that it might be confused with the original M.I.T. software.
- * M.I.T. makes no representations about the suitability of
- * this software for any purpose.  It is provided "as is" without express
- * or implied warranty.
- */
-
-/* Test checksum and checksum compatability for rsa-md[4,5]-des. */
-
-#include "k5-int.h"
-#include "k5-hex.h"
-
-#define MD5_K5BETA_COMPAT
-#define MD4_K5BETA_COMPAT
-
-#if MD == 4
-#define CKTYPE CKSUMTYPE_RSA_MD4_DES
-#endif
-
-#if MD == 5
-#define CKTYPE CKSUMTYPE_RSA_MD5_DES
-#endif
-
-static void
-print_checksum(char *text, int number, char *message, krb5_checksum *checksum)
-{
-    unsigned int i;
-
-    printf("%s MD%d checksum(\"%s\") = ", text, number, message);
-    for (i=0; i<checksum->length; i++)
-        printf("%02x", (unsigned char) checksum->contents[i]);
-    printf("\n");
-}
-
-/*
- * Test the checksum verification of Old Style (tm) and correct RSA-MD[4,5]-DES
- * checksums.
- */
-
-krb5_octet testkey[8] = { 0x45, 0x01, 0x49, 0x61, 0x58, 0x19, 0x1a, 0x3d };
-
-int
-main(argc, argv)
-    int argc;
-    char **argv;
-{
-    int                   msgindex;
-    size_t                len;
-    krb5_boolean          valid;
-    krb5_keyblock         keyblock;
-    krb5_key              key;
-    krb5_error_code       kret=0;
-    krb5_data             plaintext;
-    krb5_checksum         checksum, knowncksum;
-
-    /* this is a terrible seed, but that's ok for the test. */
-
-    plaintext.length = 8;
-    plaintext.data = (char *) testkey;
-
-    krb5_c_random_seed(/* XXX */ 0, &plaintext);
-
-    keyblock.enctype = ENCTYPE_DES_CBC_CRC;
-    keyblock.length = sizeof(testkey);
-    keyblock.contents = testkey;
-
-    krb5_k_create_key(NULL, &keyblock, &key);
-
-    for (msgindex = 1; msgindex + 1 < argc; msgindex += 2) {
-        plaintext.length = strlen(argv[msgindex]);
-        plaintext.data = argv[msgindex];
-
-        /* Create a checksum. */
-        kret = krb5_k_make_checksum(NULL, CKTYPE, key, 0, &plaintext,
-                                    &checksum);
-        if (kret != 0) {
-            printf("krb5_calculate_checksum choked with %d\n", kret);
-            break;
-        }
-        print_checksum("correct", MD, argv[msgindex], &checksum);
-
-        /* Verify it. */
-        kret = krb5_k_verify_checksum(NULL, key, 0, &plaintext, &checksum,
-                                      &valid);
-        if (kret != 0) {
-            printf("verify on new checksum choked with %d\n", kret);
-            break;
-        }
-        if (!valid) {
-            printf("verify on new checksum failed\n");
-            kret = 1;
-            break;
-        }
-        printf("Verify succeeded for \"%s\"\n", argv[msgindex]);
-
-        /* Corrupt the checksum and see if it still verifies. */
-        checksum.contents[0]++;
-        kret = krb5_k_verify_checksum(NULL, key, 0, &plaintext, &checksum,
-                                      &valid);
-        if (kret != 0) {
-            printf("verify on new checksum choked with %d\n", kret);
-            break;
-        }
-        if (valid) {
-            printf("verify on new checksum succeeded, but shouldn't have\n");
-            kret = 1;
-            break;
-        }
-        printf("Verify of bad checksum OK for \"%s\"\n", argv[msgindex]);
-        free(checksum.contents);
-
-        /* Verify a known-good checksum for this plaintext. */
-        kret = k5_hex_decode(argv[msgindex + 1], &knowncksum.contents, &len);
-        if (kret) {
-            printf("k5_hex_decode failed\n");
-            break;
-        }
-        knowncksum.length = len;
-        knowncksum.checksum_type = CKTYPE;
-        knowncksum.magic = KV5M_CHECKSUM;
-        kret = krb5_k_verify_checksum(NULL, key, 0, &plaintext, &knowncksum,
-                                      &valid);
-        if (kret != 0) {
-            printf("verify on known checksum choked with %d\n", kret);
-            break;
-        }
-        if (!valid) {
-            printf("verify on known checksum failed\n");
-            kret = 1;
-            break;
-        }
-        printf("Verify on known checksum succeeded\n");
-        free(knowncksum.contents);
-    }
-    if (!kret)
-        printf("%d tests passed successfully for MD%d checksum\n", (argc-1)/2, MD);
-
-    krb5_k_free_key(NULL, key);
-
-    return(kret);
-}
diff --git a/src/lib/crypto/crypto_tests/t_cksums.c b/src/lib/crypto/crypto_tests/t_cksums.c
index 5afc90e..4da14ea 100644
--- a/src/lib/crypto/crypto_tests/t_cksums.c
+++ b/src/lib/crypto/crypto_tests/t_cksums.c
@@ -27,7 +27,7 @@
 /*
  * This harness tests checksum results against known values.  With the -v flag,
  * results for all tests are displayed.  This harness only works for
- * deterministic checksums; for rsa-md4-des and rsa-md5-des, see t_cksum.c.
+ * deterministic checksums.
  */
 
 #include "k5-int.h"
@@ -41,12 +41,6 @@ struct test {
     krb5_data cksum;
 } test_cases[] = {
     {
-        { KV5M_DATA, 3, "abc" },
-        CKSUMTYPE_CRC32, 0, 0, { KV5M_DATA, 0, "" },
-        { KV5M_DATA, 4,
-          "\xD0\x98\x65\xCA" }
-    },
-    {
         { KV5M_DATA, 3, "one" },
         CKSUMTYPE_RSA_MD4, 0, 0, { KV5M_DATA, 0, "" },
         { KV5M_DATA, 16,
diff --git a/src/lib/crypto/crypto_tests/t_combine.c b/src/lib/crypto/crypto_tests/t_combine.c
index 89219c7..ba0622b 100644
--- a/src/lib/crypto/crypto_tests/t_combine.c
+++ b/src/lib/crypto/crypto_tests/t_combine.c
@@ -32,10 +32,6 @@
 
 #include "k5-int.h"
 
-unsigned char des_key1[] = "\x04\x86\xCD\x97\x61\xDF\xD6\x29";
-unsigned char des_key2[] = "\x1A\x54\x9B\x7F\xDC\x20\x83\x0E";
-unsigned char des_result[] = "\xC2\x13\x01\x52\x89\x26\xC4\xF7";
-
 unsigned char des3_key1[] = "\x10\xB6\x75\xD5\x5B\xD9\x6E\x73"
     "\xFD\x54\xB3\x3D\x37\x52\xC1\x2A\xF7\x43\x91\xFE\x1C\x02\x37\x13";
 unsigned char des3_key2[] = "\xC8\xDA\x3E\xA7\xB6\x64\xAE\x7A"
@@ -48,20 +44,6 @@ main(int argc, char **argv)
 {
     krb5_keyblock kb1, kb2, result;
 
-    kb1.enctype = ENCTYPE_DES_CBC_CRC;
-    kb1.contents = des_key1;
-    kb1.length = 8;
-    kb2.enctype = ENCTYPE_DES_CBC_CRC;
-    kb2.contents = des_key2;
-    kb2.length = 8;
-    memset(&result, 0, sizeof(result));
-    if (krb5int_c_combine_keys(NULL, &kb1, &kb2, &result) != 0)
-        abort();
-    if (result.enctype != ENCTYPE_DES_CBC_CRC || result.length != 8 ||
-        memcmp(result.contents, des_result, 8) != 0)
-        abort();
-    krb5_free_keyblock_contents(NULL, &result);
-
     kb1.enctype = ENCTYPE_DES3_CBC_SHA1;
     kb1.contents = des3_key1;
     kb1.length = 24;
diff --git a/src/lib/crypto/crypto_tests/t_crc.c b/src/lib/crypto/crypto_tests/t_crc.c
deleted file mode 100644
index 8cd1d36..0000000
--- a/src/lib/crypto/crypto_tests/t_crc.c
+++ /dev/null
@@ -1,148 +0,0 @@
-/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
-/* lib/crypto/crypto_tests/t_crc.c */
-/*
- * Copyright 2002,2005 by the Massachusetts Institute of Technology.
- * All Rights Reserved.
- *
- * Export of this software from the United States of America may
- *   require a specific license from the United States Government.
- *   It is the responsibility of any person or organization contemplating
- *   export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission.  Furthermore if you modify this software you must label
- * your software as modified software and not distribute it in such a
- * fashion that it might be confused with the original M.I.T. software.
- * M.I.T. makes no representations about the suitability of
- * this software for any purpose.  It is provided "as is" without express
- * or implied warranty.
- */
-
-/*
- * Sanity checks for CRC32.
- */
-#include <sys/times.h>
-#include <limits.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <k5-hex.h>
-#include "crypto_int.h"
-
-#define HEX 1
-#define STR 2
-struct crc_trial {
-    int         type;
-    char        *data;
-    unsigned long       sum;
-};
-
-struct crc_trial trials[] = {
-    {HEX, "01", 0x77073096},
-    {HEX, "02", 0xee0e612c},
-    {HEX, "04", 0x076dc419},
-    {HEX, "08", 0x0edb8832},
-    {HEX, "10", 0x1db71064},
-    {HEX, "20", 0x3b6e20c8},
-    {HEX, "40", 0x76dc4190},
-    {HEX, "80", 0xedb88320},
-    {HEX, "0100", 0x191b3141},
-    {HEX, "0200", 0x32366282},
-    {HEX, "0400", 0x646cc504},
-    {HEX, "0800", 0xc8d98a08},
-    {HEX, "1000", 0x4ac21251},
-    {HEX, "2000", 0x958424a2},
-    {HEX, "4000", 0xf0794f05},
-    {HEX, "8000", 0x3b83984b},
-    {HEX, "0001", 0x77073096},
-    {HEX, "0002", 0xee0e612c},
-    {HEX, "0004", 0x076dc419},
-    {HEX, "0008", 0x0edb8832},
-    {HEX, "0010", 0x1db71064},
-    {HEX, "0020", 0x3b6e20c8},
-    {HEX, "0040", 0x76dc4190},
-    {HEX, "0080", 0xedb88320},
-    {HEX, "01000000", 0xb8bc6765},
-    {HEX, "02000000", 0xaa09c88b},
-    {HEX, "04000000", 0x8f629757},
-    {HEX, "08000000", 0xc5b428ef},
-    {HEX, "10000000", 0x5019579f},
-    {HEX, "20000000", 0xa032af3e},
-    {HEX, "40000000", 0x9b14583d},
-    {HEX, "80000000", 0xed59b63b},
-    {HEX, "00010000", 0x01c26a37},
-    {HEX, "00020000", 0x0384d46e},
-    {HEX, "00040000", 0x0709a8dc},
-    {HEX, "00080000", 0x0e1351b8},
-    {HEX, "00100000", 0x1c26a370},
-    {HEX, "00200000", 0x384d46e0},
-    {HEX, "00400000", 0x709a8dc0},
-    {HEX, "00800000", 0xe1351b80},
-    {HEX, "00000100", 0x191b3141},
-    {HEX, "00000200", 0x32366282},
-    {HEX, "00000400", 0x646cc504},
-    {HEX, "00000800", 0xc8d98a08},
-    {HEX, "00001000", 0x4ac21251},
-    {HEX, "00002000", 0x958424a2},
-    {HEX, "00004000", 0xf0794f05},
-    {HEX, "00008000", 0x3b83984b},
-    {HEX, "00000001", 0x77073096},
-    {HEX, "00000002", 0xee0e612c},
-    {HEX, "00000004", 0x076dc419},
-    {HEX, "00000008", 0x0edb8832},
-    {HEX, "00000010", 0x1db71064},
-    {HEX, "00000020", 0x3b6e20c8},
-    {HEX, "00000040", 0x76dc4190},
-    {HEX, "00000080", 0xedb88320},
-    {STR, "foo", 0x7332bc33},
-    {STR, "test0123456789", 0xb83e88d6},
-    {STR, "MASSACHVSETTS INSTITVTE OF TECHNOLOGY", 0xe34180f7}
-};
-
-#define NTRIALS (sizeof(trials) / sizeof(trials[0]))
-
-
-int
-main(void)
-{
-    unsigned int i;
-    struct crc_trial trial;
-    uint8_t *bytes;
-    size_t len;
-    unsigned long cksum;
-    char *typestr;
-
-    for (i = 0; i < NTRIALS; i++) {
-        trial = trials[i];
-        switch (trial.type) {
-        case STR:
-            len = strlen(trial.data);
-            typestr = "STR";
-            cksum = 0;
-            mit_crc32(trial.data, len, &cksum);
-            break;
-        case HEX:
-            typestr = "HEX";
-            if (k5_hex_decode(trial.data, &bytes, &len) != 0)
-                abort();
-            cksum = 0;
-            mit_crc32(bytes, len, &cksum);
-            free(bytes);
-            break;
-        default:
-            typestr = "BOGUS";
-            fprintf(stderr, "bad trial type %d\n", trial.type);
-            exit(1);
-        }
-        printf("%s: %s \"%s\" = 0x%08lx\n",
-               (trial.sum == cksum) ? "OK" : "***BAD***",
-               typestr, trial.data, cksum);
-    }
-    exit(0);
-}
diff --git a/src/lib/crypto/crypto_tests/t_decrypt.c b/src/lib/crypto/crypto_tests/t_decrypt.c
index 4ae0256..a40a855 100644
--- a/src/lib/crypto/crypto_tests/t_decrypt.c
+++ b/src/lib/crypto/crypto_tests/t_decrypt.c
@@ -40,151 +40,6 @@ struct test {
     krb5_data ciphertext;
 } test_cases[] = {
     {
-        ENCTYPE_DES_CBC_CRC,
-        { KV5M_DATA, 0, "" }, 0,
-        { KV5M_DATA, 8,
-          "\x45\xE6\x08\x7C\xDF\x13\x8F\xB5" },
-        { KV5M_DATA, 16,
-          "\x28\xF6\xB0\x9A\x01\x2B\xCC\xF7\x2F\xB0\x51\x22\xB2\x83\x9E\x6E" }
-    },
-    {
-        ENCTYPE_DES_CBC_CRC,
-        { KV5M_DATA, 1, "1" }, 1,
-        { KV5M_DATA, 8,
-          "\x92\xA7\x15\x58\x10\x58\x6B\x2F" },
-        { KV5M_DATA, 16,
-          "\xB4\xC8\x71\xC2\xF3\xE7\xBF\x76\x05\xEF\xD6\x2F\x2E\xEE\xC2\x05" }
-    },
-    {
-        ENCTYPE_DES_CBC_CRC,
-        { KV5M_DATA, 9, "9 bytesss" }, 2,
-        { KV5M_DATA, 8,
-          "\xA4\xB9\x51\x4A\x61\x64\x64\x23" },
-        { KV5M_DATA, 24,
-          "\x5F\x14\xC3\x51\x78\xD3\x3D\x7C\xDE\x0E\xC1\x69\xC6\x23\xCC\x83"
-          "\x21\xB7\xB8\xBD\x34\xEA\x7E\xFE" }
-    },
-    {
-        ENCTYPE_DES_CBC_CRC,
-        { KV5M_DATA, 13, "13 bytes byte", }, 3,
-        { KV5M_DATA, 8,
-          "\x2F\x16\xA2\xA7\xFD\xB0\x57\x68" },
-        { KV5M_DATA, 32,
-          "\x0B\x58\x8E\x38\xD9\x71\x43\x3C\x9D\x86\xD8\xBA\xEB\xF6\x3E\x4C"
-          "\x1A\x01\x66\x6E\x76\xD8\xA5\x4A\x32\x93\xF7\x26\x79\xED\x88\xC9" }
-    },
-    {
-        ENCTYPE_DES_CBC_CRC,
-        { KV5M_DATA, 30, "30 bytes bytes bytes bytes byt", }, 4,
-        { KV5M_DATA, 8,
-          "\xBC\x8F\x70\xFD\x20\x97\xD6\x7C" },
-        { KV5M_DATA, 48,
-          "\x38\xD6\x32\xD2\xC2\x0A\x7C\x2E\xA2\x50\xFC\x8E\xCE\x42\x93\x8E"
-          "\x92\xA9\xF5\xD3\x02\x50\x26\x65\xC1\xA3\x37\x29\xC1\x05\x0D\xC2"
-          "\x05\x62\x98\xFB\xFB\x16\x82\xCE\xEB\x65\xE5\x92\x04\xFD\xA7\xDF" }
-    },
-
-    {
-        ENCTYPE_DES_CBC_MD4,
-        { KV5M_DATA, 0, "", }, 0,
-        { KV5M_DATA, 8,
-          "\x13\xEF\x45\xD0\xD6\xD9\xA1\x5D" },
-        { KV5M_DATA, 24,
-          "\x1F\xB2\x02\xBF\x07\xAF\x30\x47\xFB\x78\x01\xE5\x88\x56\x86\x86"
-          "\xBA\x63\xD7\x8B\xE3\xE8\x7D\xC7" }
-    },
-    {
-        ENCTYPE_DES_CBC_MD4,
-        { KV5M_DATA, 1, "1", }, 1,
-        { KV5M_DATA, 8,
-          "\x64\x68\x86\x54\xDC\x26\x9E\x67" },
-        { KV5M_DATA, 32,
-          "\x1F\x6C\xB9\xCE\xCB\x73\xF7\x55\xAB\xFD\xB3\xD5\x65\xBD\x31\xD5"
-          "\xA2\xE6\x4B\xFE\x44\xC4\x91\xE2\x0E\xEB\xE5\xBD\x20\xE4\xD2\xA9" }
-    },
-    {
-        ENCTYPE_DES_CBC_MD4,
-        { KV5M_DATA, 9, "9 bytesss", }, 2,
-        { KV5M_DATA, 8,
-          "\x68\x04\xFB\x26\xDF\x8A\x4C\x32" },
-        { KV5M_DATA, 40,
-          "\x08\xA5\x3D\x62\xFE\xC3\x33\x8A\xD1\xD2\x18\xE6\x0D\xBD\xD3\xB2"
-          "\x12\x94\x06\x79\xD1\x25\xE0\x62\x1B\x3B\xAB\x46\x80\xCE\x03\x67"
-          "\x6A\x2C\x42\x0E\x9B\xE7\x84\xEB" }
-    },
-    {
-        ENCTYPE_DES_CBC_MD4,
-        { KV5M_DATA, 13, "13 bytes byte", }, 3,
-        { KV5M_DATA, 8,
-          "\x23\x4A\x43\x6E\xC7\x2F\xA8\x0B" },
-        { KV5M_DATA, 40,
-          "\x17\xCD\x45\xE1\x4F\xF0\x6B\x28\x40\xA6\x03\x6E\x9A\xA7\xA4\x14"
-          "\x4E\x29\x76\x81\x44\xA0\xC1\x82\x7D\x8C\x4B\xC7\xC9\x90\x6E\x72"
-          "\xCD\x4D\xC3\x28\xF6\x64\x8C\x99" }
-    },
-    {
-        ENCTYPE_DES_CBC_MD4,
-        { KV5M_DATA, 30, "30 bytes bytes bytes bytes byt", }, 4,
-        { KV5M_DATA, 8,
-          "\x1F\xD5\xF7\x43\x34\xC4\xFB\x8C" },
-        { KV5M_DATA, 56,
-          "\x51\x13\x4C\xD8\x95\x1E\x9D\x57\xC0\xA3\x60\x53\xE0\x4C\xE0\x3E"
-          "\xCB\x84\x22\x48\x8F\xDD\xC5\xC0\x74\xC4\xD8\x5E\x60\xA2\xAE\x42"
-          "\x3C\x3C\x70\x12\x01\x31\x4F\x36\x2C\xB0\x74\x48\x09\x16\x79\xC6"
-          "\xA4\x96\xC1\x1D\x7B\x93\xC7\x1B" }
-    },
-
-    {
-        ENCTYPE_DES_CBC_MD5,
-        { KV5M_DATA, 0, "", }, 0,
-        { KV5M_DATA, 8,
-          "\x4A\x54\x5E\x0B\xF7\xA2\x26\x31" },
-        { KV5M_DATA, 24,
-          "\x78\x4C\xD8\x15\x91\xA0\x34\xBE\x82\x55\x6F\x56\xDC\xA3\x22\x4B"
-          "\x62\xD9\x95\x6F\xA9\x0B\x1B\x93" }
-    },
-    {
-        ENCTYPE_DES_CBC_MD5,
-        { KV5M_DATA, 1, "1", }, 1,
-        { KV5M_DATA, 8,
-          "\xD5\x80\x4A\x26\x9D\xC4\xE6\x45" },
-        { KV5M_DATA, 32,
-          "\xFF\xA2\x5C\x7B\xE2\x87\x59\x6B\xFE\x58\x12\x6E\x90\xAA\xA0\xF1"
-          "\x2D\x9A\x82\xA0\xD8\x6D\xF6\xD5\xF9\x07\x4B\x6B\x39\x9E\x7F\xF1" }
-    },
-    {
-        ENCTYPE_DES_CBC_MD5,
-        { KV5M_DATA, 9, "9 bytesss", }, 2,
-        { KV5M_DATA, 8,
-          "\xC8\x31\x2F\x7F\x83\xEA\x46\x40" },
-        { KV5M_DATA, 40,
-          "\xE7\x85\x03\x37\xF2\xCC\x5E\x3F\x35\xCE\x3D\x69\xE2\xC3\x29\x86"
-          "\x38\xA7\xAA\x44\xB8\x78\x03\x1E\x39\x85\x1E\x47\xC1\x5B\x5D\x0E"
-          "\xE7\xE7\xAC\x54\xDE\x11\x1D\x80" }
-    },
-    {
-        ENCTYPE_DES_CBC_MD5,
-        { KV5M_DATA, 13, "13 bytes byte", }, 3,
-        { KV5M_DATA, 8,
-          "\x7F\xDA\x3E\x62\xAD\x8A\xF1\x8C" },
-        { KV5M_DATA, 40,
-          "\xD7\xA8\x03\x2E\x19\x99\x4C\x92\x87\x77\x50\x65\x95\xFB\xDA\x98"
-          "\x83\x15\x8A\x85\x14\x54\x8E\x29\x6E\x91\x1C\x29\xF4\x65\xC6\x72"
-          "\x36\x60\x00\x55\x8B\xFC\x2E\x88" }
-    },
-    {
-        ENCTYPE_DES_CBC_MD5,
-        { KV5M_DATA, 30, "30 bytes bytes bytes bytes byt", }, 4,
-        { KV5M_DATA, 8,
-          "\xD3\xD6\x83\x29\x70\xA7\x37\x52" },
-        { KV5M_DATA, 56,
-          "\x8A\x48\x16\x6A\x4C\x6F\xEA\xE6\x07\xA8\xCF\x68\xB3\x81\xC0\x75"
-          "\x5E\x40\x2B\x19\xDB\xC0\xF8\x1A\x7D\x7C\xA1\x9A\x25\xE0\x52\x23"
-          "\xF6\x06\x44\x09\xBF\x5A\x4F\x50\xAC\xD8\x26\x63\x9F\xFA\x76\x73"
-          "\xFD\x32\x4E\xC1\x9E\x42\x95\x02" }
-    },
-
-    {
         ENCTYPE_DES3_CBC_SHA1,
         { KV5M_DATA, 0, "", }, 0,
         { KV5M_DATA, 24,
@@ -669,9 +524,6 @@ printhex(const char *head, void *data, size_t len)
 
 static krb5_enctype
 enctypes[] = {
-    ENCTYPE_DES_CBC_CRC,
-    ENCTYPE_DES_CBC_MD4,
-    ENCTYPE_DES_CBC_MD5,
     ENCTYPE_DES3_CBC_SHA1,
     ENCTYPE_ARCFOUR_HMAC,
     ENCTYPE_ARCFOUR_HMAC_EXP,
diff --git a/src/lib/crypto/crypto_tests/t_encrypt.c b/src/lib/crypto/crypto_tests/t_encrypt.c
index 4afbdde..bd9b946 100644
--- a/src/lib/crypto/crypto_tests/t_encrypt.c
+++ b/src/lib/crypto/crypto_tests/t_encrypt.c
@@ -37,9 +37,6 @@
 
 /* What enctypes should we test?*/
 krb5_enctype interesting_enctypes[] = {
-    ENCTYPE_DES_CBC_CRC,
-    ENCTYPE_DES_CBC_MD4,
-    ENCTYPE_DES_CBC_MD5,
     ENCTYPE_DES3_CBC_SHA1,
     ENCTYPE_ARCFOUR_HMAC,
     ENCTYPE_ARCFOUR_HMAC_EXP,
diff --git a/src/lib/crypto/crypto_tests/t_short.c b/src/lib/crypto/crypto_tests/t_short.c
index 40fa282..d4c2b97 100644
--- a/src/lib/crypto/crypto_tests/t_short.c
+++ b/src/lib/crypto/crypto_tests/t_short.c
@@ -34,9 +34,6 @@
 #include "k5-int.h"
 
 krb5_enctype interesting_enctypes[] = {
-    ENCTYPE_DES_CBC_CRC,
-    ENCTYPE_DES_CBC_MD4,
-    ENCTYPE_DES_CBC_MD5,
     ENCTYPE_DES3_CBC_SHA1,
     ENCTYPE_ARCFOUR_HMAC,
     ENCTYPE_ARCFOUR_HMAC_EXP,
diff --git a/src/lib/crypto/crypto_tests/t_str2key.c b/src/lib/crypto/crypto_tests/t_str2key.c
index 27896e6..cdb1acc 100644
--- a/src/lib/crypto/crypto_tests/t_str2key.c
+++ b/src/lib/crypto/crypto_tests/t_str2key.c
@@ -35,280 +35,6 @@ struct test {
     krb5_error_code expected_err;
     krb5_boolean allow_weak;
 } test_cases[] = {
-    /* AFS string-to-key tests from old t_afss2k.c. */
-    {
-        ENCTYPE_DES_CBC_CRC,
-        "",
-        { KV5M_DATA, 15, "Sodium Chloride" },
-        { KV5M_DATA, 1, "\1" },
-        { KV5M_DATA, 8, "\xA4\xD0\xD0\x9B\x86\x92\xB0\xC2" },
-        0,
-        FALSE
-    },
-    {
-        ENCTYPE_DES_CBC_CRC,
-        "M",
-        { KV5M_DATA, 15, "Sodium Chloride" },
-        { KV5M_DATA, 1, "\1" },
-        { KV5M_DATA, 8, "\xF1\xF2\x9E\xAB\xD0\xEF\xDF\x73" },
-        0,
-        FALSE
-    },
-    {
-        ENCTYPE_DES_CBC_CRC,
-        "My",
-        { KV5M_DATA, 15, "Sodium Chloride" },
-        { KV5M_DATA, 1, "\1" },
-        { KV5M_DATA, 8, "\xD6\x85\x61\xC4\xF2\x94\xF4\xA1" },
-        0,
-        FALSE
-    },
-    {
-        ENCTYPE_DES_CBC_CRC,
-        "My ",
-        { KV5M_DATA, 15, "Sodium Chloride" },
-        { KV5M_DATA, 1, "\1" },
-        { KV5M_DATA, 8, "\xD0\xE3\xA7\x83\x94\x61\xE0\xD0" },
-        0,
-        FALSE
-    },
-    {
-        ENCTYPE_DES_CBC_CRC,
-        "My P",
-        { KV5M_DATA, 15, "Sodium Chloride" },
-        { KV5M_DATA, 1, "\1" },
-        { KV5M_DATA, 8, "\xD5\x62\xCD\x94\x61\xCB\x97\xDF" },
-        0,
-        FALSE
-    },
-    {
-        ENCTYPE_DES_CBC_CRC,
-        "My Pa",
-        { KV5M_DATA, 15, "Sodium Chloride" },
-        { KV5M_DATA, 1, "\1" },
-        { KV5M_DATA, 8, "\x9E\xA2\xA2\xEC\xA8\x8C\x6B\x8F" },
-        0,
-        FALSE
-    },
-    {
-        ENCTYPE_DES_CBC_CRC,
-        "My Pas",
-        { KV5M_DATA, 15, "Sodium Chloride" },
-        { KV5M_DATA, 1, "\1" },
-        { KV5M_DATA, 8, "\xE3\x91\x6D\xD3\x85\xF1\x67\xC4" },
-        0,
-        FALSE
-    },
-    {
-        ENCTYPE_DES_CBC_CRC,
-        "My Pass",
-        { KV5M_DATA, 15, "Sodium Chloride" },
-        { KV5M_DATA, 1, "\1" },
-        { KV5M_DATA, 8, "\xF4\xC4\x73\xC8\x8A\xE9\x94\x6D" },
-        0,
-        FALSE
-    },
-    {
-        ENCTYPE_DES_CBC_CRC,
-        "My Passw",
-        { KV5M_DATA, 15, "Sodium Chloride" },
-        { KV5M_DATA, 1, "\1" },
-        { KV5M_DATA, 8, "\xA1\x9E\xB3\xAD\x6B\xE3\xAB\xD9" },
-        0,
-        FALSE
-    },
-    {
-        ENCTYPE_DES_CBC_CRC,
-        "My Passwo",
-        { KV5M_DATA, 15, "Sodium Chloride" },
-        { KV5M_DATA, 1, "\1" },
-        { KV5M_DATA, 8, "\xAD\xA1\xCE\x10\x37\x83\xA7\x8C" },
-        0,
-        FALSE
-    },
-    {
-        ENCTYPE_DES_CBC_CRC,
-        "My Passwor",
-        { KV5M_DATA, 15, "Sodium Chloride" },
-        { KV5M_DATA, 1, "\1" },
-        { KV5M_DATA, 8, "\xD3\x01\xD0\xF7\x3E\x7A\x49\x0B" },
-        0,
-        FALSE
-    },
-    {
-        ENCTYPE_DES_CBC_CRC,
-        "My Password",
-        { KV5M_DATA, 15, "Sodium Chloride" },
-        { KV5M_DATA, 1, "\1" },
-        { KV5M_DATA, 8, "\xB6\x2A\x4A\xEC\x9D\x4C\x68\xDF" },
-        0,
-        FALSE
-    },
-    {
-        ENCTYPE_DES_CBC_CRC,
-        "",
-        { KV5M_DATA, 4, "NaCl" },
-        { KV5M_DATA, 1, "\1" },
-        { KV5M_DATA, 8, "\x61\xEF\xE6\x83\xE5\x8A\x6B\x98" },
-        0,
-        FALSE
-    },
-    {
-        ENCTYPE_DES_CBC_CRC,
-        "M",
-        { KV5M_DATA, 4, "NaCl" },
-        { KV5M_DATA, 1, "\1" },
-        { KV5M_DATA, 8, "\x68\xCD\x68\xAD\xC4\x86\xCD\xE5" },
-        0,
-        FALSE
-    },
-    {
-        ENCTYPE_DES_CBC_CRC,
-        "My",
-        { KV5M_DATA, 4, "NaCl" },
-        { KV5M_DATA, 1, "\1" },
-        { KV5M_DATA, 8, "\x83\xA1\xC8\x86\x8F\x67\xD0\x62" },
-        0,
-        FALSE
-    },
-    {
-        ENCTYPE_DES_CBC_CRC,
-        "My ",
-        { KV5M_DATA, 4, "NaCl" },
-        { KV5M_DATA, 1, "\1" },
-        { KV5M_DATA, 8, "\x9E\xC7\x8F\xA4\xA4\xB3\xE0\xD5" },
-        0,
-        FALSE
-    },
-    {
-        ENCTYPE_DES_CBC_CRC,
-        "My P",
-        { KV5M_DATA, 4, "NaCl" },
-        { KV5M_DATA, 1, "\1" },
-        { KV5M_DATA, 8, "\xD9\x92\x86\x8F\x9D\x8C\x85\xE6" },
-        0,
-        FALSE
-    },
-    {
-        ENCTYPE_DES_CBC_CRC,
-        "My Pa",
-        { KV5M_DATA, 4, "NaCl" },
-        { KV5M_DATA, 1, "\1" },
-        { KV5M_DATA, 8, "\xDA\xF2\x92\x83\xF4\x9B\xA7\xAD" },
-        0,
-        FALSE
-    },
-    {
-        ENCTYPE_DES_CBC_CRC,
-        "My Pas",
-        { KV5M_DATA, 4, "NaCl" },
-        { KV5M_DATA, 1, "\1" },
-        { KV5M_DATA, 8, "\x91\xCD\xAD\xEF\x86\xDF\xD3\xA2" },
-        0,
-        FALSE
-    },
-    {
-        ENCTYPE_DES_CBC_CRC,
-        "My Pass",
-        { KV5M_DATA, 4, "NaCl" },
-        { KV5M_DATA, 1, "\1" },
-        { KV5M_DATA, 8, "\x73\xD3\x67\x68\x8F\x6E\xE3\x73" },
-        0,
-        FALSE
-    },
-    {
-        ENCTYPE_DES_CBC_CRC,
-        "My Passw",
-        { KV5M_DATA, 4, "NaCl" },
-        { KV5M_DATA, 1, "\1" },
-        { KV5M_DATA, 8, "\xC4\x61\x85\x9D\xAD\xF4\xDC\xB0" },
-        0,
-        FALSE
-    },
-    {
-        ENCTYPE_DES_CBC_CRC,
-        "My Passwo",
-        { KV5M_DATA, 4, "NaCl" },
-        { KV5M_DATA, 1, "\1" },
-        { KV5M_DATA, 8, "\xE9\x02\x83\x16\x2C\xEC\xE0\x08" },
-        0,
-        FALSE
-    },
-    {
-        ENCTYPE_DES_CBC_CRC,
-        "My Passwor",
-        { KV5M_DATA, 4, "NaCl" },
-        { KV5M_DATA, 1, "\1" },
-        { KV5M_DATA, 8, "\x61\xC8\x26\x29\xD9\x73\x6E\xB6" },
-        0,
-        FALSE
-    },
-    {
-        ENCTYPE_DES_CBC_CRC,
-        "My Password",
-        { KV5M_DATA, 4, "NaCl" },
-        { KV5M_DATA, 1, "\1" },
-        { KV5M_DATA, 8, "\x8C\xA8\x9E\xC4\xA8\xDC\x31\x73" },
-        0,
-        FALSE
-    },
-
-    /* Test vectors from RFC 3961 appendix A.2. */
-    {
-        ENCTYPE_DES_CBC_CRC,
-        "password",
-        { KV5M_DATA, 21, "ATHENA.MIT.EDUraeburn" },
-        { KV5M_DATA, 1, "\0" },
-        { KV5M_DATA, 8, "\xCB\xC2\x2F\xAE\x23\x52\x98\xE3" },
-        0,
-        FALSE
-    },
-    {
-        ENCTYPE_DES_CBC_CRC,
-        "potatoe",
-        { KV5M_DATA, 19, "WHITEHOUSE.GOVdanny" },
-        { KV5M_DATA, 1, "\0" },
-        { KV5M_DATA, 8, "\xDF\x3D\x32\xA7\x4F\xD9\x2A\x01" },
-        0,
-        FALSE
-    },
-    {
-        ENCTYPE_DES_CBC_CRC,
-        "\xF0\x9D\x84\x9E",
-        { KV5M_DATA, 18, "EXAMPLE.COMpianist" },
-        { KV5M_DATA, 1, "\0" },
-        { KV5M_DATA, 8, "\x4F\xFB\x26\xBA\xB0\xCD\x94\x13" },
-        0,
-        FALSE
-    },
-    {
-        ENCTYPE_DES_CBC_CRC,
-        "\xC3\x9F",
-        { KV5M_DATA, 23, "ATHENA.MIT.EDUJuri\xC5\xA1\x69\xC4\x87" },
-        { KV5M_DATA, 1, "\0" },
-        { KV5M_DATA, 8, "\x62\xC8\x1A\x52\x32\xB5\xE6\x9D" },
-        0,
-        FALSE
-    },
-    {
-        ENCTYPE_DES_CBC_CRC,
-        "11119999",
-        { KV5M_DATA, 8, "AAAAAAAA" },
-        { KV5M_DATA, 1, "\0" },
-        { KV5M_DATA, 8, "\x98\x40\x54\xd0\xf1\xa7\x3e\x31" },
-        0,
-        FALSE
-    },
-    {
-        ENCTYPE_DES_CBC_CRC,
-        "NNNN6666",
-        { KV5M_DATA, 8, "FFFFAAAA" },
-        { KV5M_DATA, 1, "\0" },
-        { KV5M_DATA, 8, "\xC4\xBF\x6B\x25\xAD\xF7\xA4\xF8" },
-        0,
-        FALSE
-    },
-
     /* Test vectors from RFC 3961 appendix A.4. */
     {
         ENCTYPE_DES3_CBC_SHA1,
diff --git a/src/lib/crypto/crypto_tests/vectors.c b/src/lib/crypto/crypto_tests/vectors.c
index c1a7657..bcf5c91 100644
--- a/src/lib/crypto/crypto_tests/vectors.c
+++ b/src/lib/crypto/crypto_tests/vectors.c
@@ -30,7 +30,8 @@
  *
  * N.B.: Doesn't compile -- this file uses some routines internal to our
  * crypto library which are declared "static" and thus aren't accessible
- * without modifying the other sources.
+ * without modifying the other sources.  Additionally, some ciphers have been
+ * removed.
  */
 
 #include <assert.h>
diff --git a/src/lib/kadm5/unit-test/api.current/chpass-principal-v2.exp b/src/lib/kadm5/unit-test/api.current/chpass-principal-v2.exp
index db899a1..740425c 100644
--- a/src/lib/kadm5/unit-test/api.current/chpass-principal-v2.exp
+++ b/src/lib/kadm5/unit-test/api.current/chpass-principal-v2.exp
@@ -18,8 +18,8 @@ proc test200 {} {
 
     # I'd like to specify a long list of keysalt tuples and make sure
     # that chpass does the right thing, but we can only use those
-    # enctypes that krbtgt has a key for: des-cbc-crc:normal
-    # according to the prototype kdc.conf.
+    # enctypes that krbtgt has a key for: the AES enctypes, according to
+    # the prototype kdc.conf.
     if {! [cmd [format {
 	kadm5_init admin admin $KADM5_ADMIN_SERVICE null \
 		$KADM5_STRUCT_VERSION $KADM5_API_VERSION_3 \
@@ -53,10 +53,10 @@ proc test200 {} {
     }
 
     # XXX Perhaps I should actually check the key type returned.
-    if {$num_keys == 2} {
+    if {$num_keys == 5} {
 	pass "$test"
     } else {
-	fail "$test: $num_keys keys, should be 2"
+	fail "$test: $num_keys keys, should be 5"
     }
     if { ! [cmd {kadm5_destroy $server_handle}]} {
 	perror "$test: unexpected failure in destroy"
diff --git a/src/lib/kadm5/unit-test/api.current/get-principal-v2.exp b/src/lib/kadm5/unit-test/api.current/get-principal-v2.exp
index 8526897..3ea1ba2 100644
--- a/src/lib/kadm5/unit-test/api.current/get-principal-v2.exp
+++ b/src/lib/kadm5/unit-test/api.current/get-principal-v2.exp
@@ -143,8 +143,8 @@ proc test101_102 {rpc} {
     }
 
     set failed 0
-    if {$num_keys != 2} {
-	fail "$test: num_keys $num_keys should be 2"
+    if {$num_keys != 5} {
+	fail "$test: num_keys $num_keys should be 5"
 	set failed 1
     }
     for {set i 0} {$i < $num_keys} {incr i} {
diff --git a/src/lib/kadm5/unit-test/api.current/randkey-principal-v2.exp b/src/lib/kadm5/unit-test/api.current/randkey-principal-v2.exp
index ee652cb..2925c1c 100644
--- a/src/lib/kadm5/unit-test/api.current/randkey-principal-v2.exp
+++ b/src/lib/kadm5/unit-test/api.current/randkey-principal-v2.exp
@@ -16,10 +16,9 @@ proc test100 {} {
 	return
     }
 
-    # I'd like to specify a long list of keysalt tuples and make sure
-    # that randkey does the right thing, but we can only use those
-    # enctypes that krbtgt has a key for: des-cbc-crc:normal and
-    # des-cbc-crc:v4, according to the prototype kdc.conf.
+    # I'd like to specify a long list of keysalt tuples and make sure that
+    # randkey does the right thing, but we can only use those enctypes that
+    # krbtgt has a key for: 3DES and AES, according to the prototype kdc.conf.
     if {! [cmd [format {
 	kadm5_init admin admin $KADM5_ADMIN_SERVICE null \
 		$KADM5_STRUCT_VERSION $KADM5_API_VERSION_3 \
@@ -47,10 +46,10 @@ proc test100 {} {
     }
 
     # XXX Perhaps I should actually check the key type returned.
-    if {$num_keys == 2} {
+    if {$num_keys == 5} {
 	pass "$test"
     } else {
-	fail "$test: $num_keys keys, should be 2"
+	fail "$test: $num_keys keys, should be 5"
     }
     if { ! [cmd {kadm5_destroy $server_handle}]} {
 	perror "$test: unexpected failure in destroy"
diff --git a/src/lib/kadm5/unit-test/setkey-test.c b/src/lib/kadm5/unit-test/setkey-test.c
index fa2392f..8e7df96 100644
--- a/src/lib/kadm5/unit-test/setkey-test.c
+++ b/src/lib/kadm5/unit-test/setkey-test.c
@@ -19,15 +19,15 @@ need a random number generator
 #endif  /* no random */
 
 krb5_keyblock test1[] = {
-    {0, ENCTYPE_DES_CBC_CRC, 0, 0},
+    {0, ENCTYPE_AES128_CTS_HMAC_SHA1_96, 0, 0},
     {-1},
 };
 krb5_keyblock test2[] = {
-    {0, ENCTYPE_DES_CBC_CRC, 0, 0},
+    {0, ENCTYPE_AES128_CTS_HMAC_SHA1_96, 0, 0},
     {-1},
 };
 krb5_keyblock test3[] = {
-    {0, ENCTYPE_DES_CBC_CRC, 0, 0},
+    {0, ENCTYPE_AES128_CTS_HMAC_SHA1_96, 0, 0},
     {-1},
 };
 
diff --git a/src/lib/krb5/keytab/t_keytab.c b/src/lib/krb5/keytab/t_keytab.c
index c845596..ea4ce68 100644
--- a/src/lib/krb5/keytab/t_keytab.c
+++ b/src/lib/krb5/keytab/t_keytab.c
@@ -96,6 +96,8 @@ kt_test(krb5_context context, const char *name)
     krb5_principal princ;
     krb5_kt_cursor cursor, cursor2;
     int cnt;
+    krb5_enctype e1 = ENCTYPE_AES128_CTS_HMAC_SHA256_128,
+        e2 = ENCTYPE_AES256_CTS_HMAC_SHA384_192;
 
     kret = krb5_kt_resolve(context, name, &kt);
     CHECK(kret, "resolve");
@@ -139,9 +141,9 @@ kt_test(krb5_context context, const char *name)
     /* ===================   Add entries to keytab ================= */
     /*
      * Add the following for this principal
-     * enctype 1, kvno 1, key = "1"
-     * enctype 2, kvno 1, key = "1"
-     * enctype 1, kvno 2, key = "2"
+     * enctype e1, kvno 1, key = "1"
+     * enctype e2, kvno 1, key = "1"
+     * enctype e1, kvno 2, key = "2"
      */
     memset(&kent, 0, sizeof(kent));
     kent.magic = KV5M_KEYTAB_ENTRY;
@@ -149,7 +151,7 @@ kt_test(krb5_context context, const char *name)
     kent.timestamp = 327689;
     kent.vno = 1;
     kent.key.magic = KV5M_KEYBLOCK;
-    kent.key.enctype = 1;
+    kent.key.enctype = e1;
     kent.key.length = 1;
     kent.key.contents = (krb5_octet *) "1";
 
@@ -157,11 +159,11 @@ kt_test(krb5_context context, const char *name)
     kret = krb5_kt_add_entry(context, kt, &kent);
     CHECK(kret, "Adding initial entry");
 
-    kent.key.enctype = 2;
+    kent.key.enctype = e2;
     kret = krb5_kt_add_entry(context, kt, &kent);
     CHECK(kret, "Adding second entry");
 
-    kent.key.enctype = 1;
+    kent.key.enctype = e1;
     kent.vno = 2;
     kent.key.contents = (krb5_octet *) "2";
     kret = krb5_kt_add_entry(context, kt, &kent);
@@ -183,7 +185,7 @@ kt_test(krb5_context context, const char *name)
     cnt = 0;
     while((kret = krb5_kt_next_entry(context, kt, &kent, &cursor)) == 0) {
         if(((kent.vno != 1) && (kent.vno != 2)) ||
-           ((kent.key.enctype != 1) && (kent.key.enctype != 2)) ||
+           ((kent.key.enctype != e1) && (kent.key.enctype != e2)) ||
            (kent.key.length != 1) ||
            (kent.key.contents[0] != kent.vno +'0')) {
             fprintf(stderr, "Error in read contents\n");
@@ -231,7 +233,7 @@ kt_test(krb5_context context, const char *name)
     /* Ensure a valid answer  - we did not specify an enctype or kvno */
     if (!krb5_principal_compare(context, princ, kent.principal) ||
         ((kent.vno != 1) && (kent.vno != 2)) ||
-        ((kent.key.enctype != 1) && (kent.key.enctype != 2)) ||
+        ((kent.key.enctype != e1) && (kent.key.enctype != e2)) ||
         (kent.key.length != 1) ||
         (kent.key.contents[0] != kent.vno +'0')) {
         fprintf(stderr, "Retrieved principal does not check\n");
@@ -243,12 +245,12 @@ kt_test(krb5_context context, const char *name)
     /* Try to lookup a specific enctype - but unspecified kvno - should give
      * max kvno
      */
-    kret = krb5_kt_get_entry(context, kt, princ, 0, 1, &kent);
+    kret = krb5_kt_get_entry(context, kt, princ, 0, e1, &kent);
     CHECK(kret, "looking up principal");
 
     /* Ensure a valid answer  - we did specified an enctype */
     if (!krb5_principal_compare(context, princ, kent.principal) ||
-        (kent.vno != 2) || (kent.key.enctype != 1) ||
+        (kent.vno != 2) || (kent.key.enctype != e1) ||
         (kent.key.length != 1) ||
         (kent.key.contents[0] != kent.vno +'0')) {
         fprintf(stderr, "Retrieved principal does not check\n");
@@ -266,7 +268,7 @@ kt_test(krb5_context context, const char *name)
 
     /* Ensure a valid answer  - we did not specify a kvno */
     if (!krb5_principal_compare(context, princ, kent.principal) ||
-        (kent.vno != 2) || (kent.key.enctype != 1) ||
+        (kent.vno != 2) || (kent.key.enctype != e1) ||
         (kent.key.length != 1) ||
         (kent.key.contents[0] != kent.vno +'0')) {
         fprintf(stderr, "Retrieved principal does not check\n");
@@ -281,11 +283,11 @@ kt_test(krb5_context context, const char *name)
 
     /* Try to lookup specified enctype and kvno */
 
-    kret = krb5_kt_get_entry(context, kt, princ, 1, 1, &kent);
+    kret = krb5_kt_get_entry(context, kt, princ, 1, e1, &kent);
     CHECK(kret, "looking up principal");
 
     if (!krb5_principal_compare(context, princ, kent.principal) ||
-        (kent.vno != 1) || (kent.key.enctype != 1) ||
+        (kent.vno != 1) || (kent.key.enctype != e1) ||
         (kent.key.length != 1) ||
         (kent.key.contents[0] != kent.vno +'0')) {
         fprintf(stderr, "Retrieved principal does not check\n");
@@ -334,7 +336,7 @@ kt_test(krb5_context context, const char *name)
 
     /* Try to lookup specified enctype and kvno  - that does not exist*/
 
-    kret = krb5_kt_get_entry(context, kt, princ, 3, 1, &kent);
+    kret = krb5_kt_get_entry(context, kt, princ, 3, e1, &kent);
     CHECK_ERR(kret, KRB5_KT_KVNONOTFOUND,
               "looking up specific principal, kvno, enctype");
 
@@ -347,12 +349,12 @@ kt_test(krb5_context context, const char *name)
     kret = krb5_parse_name(context, "test/test2 at TEST.MIT.EDU", &princ);
     CHECK(kret, "parsing principal");
 
-    kret = krb5_kt_get_entry(context, kt, princ, 0, 1, &kent);
+    kret = krb5_kt_get_entry(context, kt, princ, 0, e1, &kent);
     CHECK(kret, "looking up principal");
 
-    /* Ensure a valid answer  - we are looking for max(kvno) and enc=1 */
+    /* Ensure a valid answer  - we are looking for max(kvno) and enc=e1 */
     if (!krb5_principal_compare(context, princ, kent.principal) ||
-        (kent.vno != 2) || (kent.key.enctype != 1) ||
+        (kent.vno != 2) || (kent.key.enctype != e1) ||
         (kent.key.length != 1) ||
         (kent.key.contents[0] != kent.vno +'0')) {
         fprintf(stderr, "Retrieved principal does not check\n");
@@ -368,12 +370,12 @@ kt_test(krb5_context context, const char *name)
     krb5_free_keytab_entry_contents(context, &kent);
     /* And ensure gone */
 
-    kret = krb5_kt_get_entry(context, kt, princ, 0, 1, &kent);
+    kret = krb5_kt_get_entry(context, kt, princ, 0, e1, &kent);
     CHECK(kret, "looking up principal");
 
     /* Ensure a valid answer - kvno should now be 1 - we deleted 2 */
     if (!krb5_principal_compare(context, princ, kent.principal) ||
-        (kent.vno != 1) || (kent.key.enctype != 1) ||
+        (kent.vno != 1) || (kent.key.enctype != e1) ||
         (kent.key.length != 1) ||
         (kent.key.contents[0] != kent.vno +'0')) {
         fprintf(stderr, "Delete principal check failed\n");
diff --git a/src/lib/krb5/krb/t_etypes.c b/src/lib/krb5/krb/t_etypes.c
index 3176376..f609e93 100644
--- a/src/lib/krb5/krb/t_etypes.c
+++ b/src/lib/krb5/krb/t_etypes.c
@@ -36,20 +36,6 @@ static struct {
     krb5_error_code expected_err_noweak;
     krb5_error_code expected_err_weak;
 } tests[] = {
-    /* Empty string, unused default list */
-    { "",
-      { ENCTYPE_DES_CBC_CRC, 0 },
-      { 0 },
-      { 0 },
-      0, 0
-    },
-    /* Single weak enctype */
-    { "des-cbc-md4",
-      { 0 },
-      { 0 },
-      { ENCTYPE_DES_CBC_MD4, 0 },
-      0, 0
-    },
     /* Single non-weak enctype */
     { "aes128-cts-hmac-sha1-96",
       { 0 },
@@ -57,35 +43,11 @@ static struct {
       { ENCTYPE_AES128_CTS_HMAC_SHA1_96, 0 },
       0, 0
     },
-    /* Two enctypes, one an alias, one weak */
-    { "rc4-hmac des-cbc-md5",
-      { 0 },
-      { ENCTYPE_ARCFOUR_HMAC, 0 },
-      { ENCTYPE_ARCFOUR_HMAC, ENCTYPE_DES_CBC_MD5, 0 },
-      0, 0
-    },
-    /* Three enctypes, all weak, case variation, funky separators */
-    { "  deS-HMac-shA1 , arCFour-hmaC-mD5-exp\tdeS3-Cbc-RAw\n",
-      { 0 },
-      { 0 },
-      { ENCTYPE_DES_HMAC_SHA1, ENCTYPE_ARCFOUR_HMAC_EXP,
-        ENCTYPE_DES3_CBC_RAW, 0 },
-      0, 0
-    },
-    /* Default set with enctypes added (one weak in each pair) */
-    { "DEFAULT des-cbc-raw +des3-hmac-sha1",
-      { ENCTYPE_ARCFOUR_HMAC, ENCTYPE_ARCFOUR_HMAC_EXP, 0 },
-      { ENCTYPE_ARCFOUR_HMAC, ENCTYPE_DES3_CBC_SHA1, 0 },
-      { ENCTYPE_ARCFOUR_HMAC, ENCTYPE_ARCFOUR_HMAC_EXP,
-        ENCTYPE_DES_CBC_RAW, ENCTYPE_DES3_CBC_SHA1, 0 },
-      0, 0
-    },
     /* Default set with enctypes removed */
     { "default -aes128-cts -des-hmac-sha1",
-      { ENCTYPE_AES256_CTS_HMAC_SHA1_96, ENCTYPE_AES128_CTS_HMAC_SHA1_96,
-        ENCTYPE_DES_CBC_MD5, ENCTYPE_DES_HMAC_SHA1, 0 },
+      { ENCTYPE_AES256_CTS_HMAC_SHA1_96, ENCTYPE_AES128_CTS_HMAC_SHA1_96, 0 },
+      { ENCTYPE_AES256_CTS_HMAC_SHA1_96, 0 },
       { ENCTYPE_AES256_CTS_HMAC_SHA1_96, 0 },
-      { ENCTYPE_AES256_CTS_HMAC_SHA1_96, ENCTYPE_DES_CBC_MD5, 0 },
       0, 0
     },
     /* Family followed by enctype */
@@ -105,31 +67,22 @@ static struct {
       { ENCTYPE_CAMELLIA128_CTS_CMAC, 0 },
       { ENCTYPE_CAMELLIA128_CTS_CMAC, 0 }
     },
-    /* Enctype followed by two families */
-    { "+rc4-hmAC des3 +des",
-      { 0 },
-      { ENCTYPE_ARCFOUR_HMAC, ENCTYPE_DES3_CBC_SHA1, 0 },
-      { ENCTYPE_ARCFOUR_HMAC, ENCTYPE_DES3_CBC_SHA1, ENCTYPE_DES_CBC_CRC,
-        ENCTYPE_DES_CBC_MD5, ENCTYPE_DES_CBC_MD4 },
-      0, 0
-    },
     /* Default set with family added and enctype removed */
     { "DEFAULT +aes -arcfour-hmac-md5",
-      { ENCTYPE_ARCFOUR_HMAC, ENCTYPE_DES3_CBC_SHA1, ENCTYPE_DES_CBC_CRC, 0 },
+      { ENCTYPE_ARCFOUR_HMAC, ENCTYPE_DES3_CBC_SHA1, 0 },
       { ENCTYPE_DES3_CBC_SHA1, ENCTYPE_AES256_CTS_HMAC_SHA1_96,
         ENCTYPE_AES128_CTS_HMAC_SHA1_96, ENCTYPE_AES256_CTS_HMAC_SHA384_192,
         ENCTYPE_AES128_CTS_HMAC_SHA256_128, 0 },
-      { ENCTYPE_DES3_CBC_SHA1, ENCTYPE_DES_CBC_CRC,
+      { ENCTYPE_DES3_CBC_SHA1,
         ENCTYPE_AES256_CTS_HMAC_SHA1_96, ENCTYPE_AES128_CTS_HMAC_SHA1_96,
         ENCTYPE_AES256_CTS_HMAC_SHA384_192, ENCTYPE_AES128_CTS_HMAC_SHA256_128,
         0 },
       0, 0
     },
     /* Default set with families removed and enctypes added (one redundant) */
-    { "DEFAULT -des -des3 rc4-hmac rc4-hmac-exp",
+    { "DEFAULT -des3 rc4-hmac rc4-hmac-exp",
       { ENCTYPE_AES256_CTS_HMAC_SHA1_96, ENCTYPE_AES128_CTS_HMAC_SHA1_96,
-        ENCTYPE_DES3_CBC_SHA1, ENCTYPE_ARCFOUR_HMAC,
-        ENCTYPE_DES_CBC_CRC, ENCTYPE_DES_CBC_MD5, ENCTYPE_DES_CBC_MD4, 0 },
+        ENCTYPE_DES3_CBC_SHA1, ENCTYPE_ARCFOUR_HMAC, 0 },
       { ENCTYPE_AES256_CTS_HMAC_SHA1_96, ENCTYPE_AES128_CTS_HMAC_SHA1_96,
         ENCTYPE_ARCFOUR_HMAC, 0 },
       { ENCTYPE_AES256_CTS_HMAC_SHA1_96, ENCTYPE_AES128_CTS_HMAC_SHA1_96,
@@ -158,17 +111,17 @@ static struct {
     },
     /* Test krb5_set_default_in_tkt_ktypes */
     { NULL,
-      { ENCTYPE_AES256_CTS_HMAC_SHA1_96, ENCTYPE_DES_CBC_CRC, 0 },
       { ENCTYPE_AES256_CTS_HMAC_SHA1_96, 0 },
-      { ENCTYPE_AES256_CTS_HMAC_SHA1_96, ENCTYPE_DES_CBC_CRC, 0 },
+      { ENCTYPE_AES256_CTS_HMAC_SHA1_96, 0 },
+      { ENCTYPE_AES256_CTS_HMAC_SHA1_96, 0 },
       0, 0
     },
     /* Should get KRB5_CONFIG_ETYPE_NOSUPP if app-provided list has no strong
      * enctypes and allow_weak_crypto=false. */
     { NULL,
-      { ENCTYPE_DES_CBC_CRC, 0 },
+      { ENCTYPE_ARCFOUR_HMAC_EXP, 0 },
       { 0 },
-      { ENCTYPE_DES_CBC_CRC, 0 },
+      { ENCTYPE_ARCFOUR_HMAC_EXP, 0 },
       KRB5_CONFIG_ETYPE_NOSUPP, 0
     },
     /* Should get EINVAL if app provides an empty list. */
diff --git a/src/lib/krb5/krb/t_ser.c b/src/lib/krb5/krb/t_ser.c
index 1d6ccea..f1a8c25 100644
--- a/src/lib/krb5/krb/t_ser.c
+++ b/src/lib/krb5/krb/t_ser.c
@@ -272,7 +272,7 @@ ser_acontext_test(krb5_context kcontext, int verbose)
                               KV5M_AUTH_CONTEXT))) {
             memset(&ukeyblock, 0, sizeof(ukeyblock));
             memset(keydata, 0, sizeof(keydata));
-            ukeyblock.enctype = ENCTYPE_DES_CBC_MD5;
+            ukeyblock.enctype = ENCTYPE_AES128_CTS_HMAC_SHA256_128;
             ukeyblock.length = sizeof(keydata);
             ukeyblock.contents = keydata;
             keydata[0] = 0xde;
diff --git a/src/lib/krb5/os/t_trace.c b/src/lib/krb5/os/t_trace.c
index 5aea68e..10ba8d0 100644
--- a/src/lib/krb5/os/t_trace.c
+++ b/src/lib/krb5/os/t_trace.c
@@ -204,7 +204,7 @@ main (int argc, char *argv[])
     padatap = NULL;
 
     TRACE(ctx, "krb5_enctype, display shortest name of enctype: {etype}",
-          ENCTYPE_DES_CBC_CRC);
+          ENCTYPE_AES128_CTS_HMAC_SHA1_96);
     TRACE(ctx, "krb5_enctype *, display list of enctypes: {etypes}", enctypes);
     TRACE(ctx, "krb5_enctype *, display list of enctypes: {etypes}", NULL);
 
diff --git a/src/lib/krb5/os/t_trace.ref b/src/lib/krb5/os/t_trace.ref
index bd5d9b6..044a669 100644
--- a/src/lib/krb5/os/t_trace.ref
+++ b/src/lib/krb5/os/t_trace.ref
@@ -40,7 +40,7 @@ int, krb5_principal type: NT 4 style name and SID
 int, krb5_principal type: ?
 krb5_pa_data **, display list of padata type numbers: PA-PW-SALT (3), 0
 krb5_pa_data **, display list of padata type numbers: (empty)
-krb5_enctype, display shortest name of enctype: des-cbc-crc
+krb5_enctype, display shortest name of enctype: aes128-cts
 krb5_enctype *, display list of enctypes: 5, rc4-hmac-exp, 511
 krb5_enctype *, display list of enctypes: (empty)
 krb5_ccache, display type:name: FILE:/path/to/ccache
diff --git a/src/tests/asn.1/ktest.c b/src/tests/asn.1/ktest.c
index 6bf6e54..2583772 100644
--- a/src/tests/asn.1/ktest.c
+++ b/src/tests/asn.1/ktest.c
@@ -893,7 +893,7 @@ ktest_make_sample_sp80056a_other_info(krb5_sp80056a_other_info *p)
 void
 ktest_make_sample_pkinit_supp_pub_info(krb5_pkinit_supp_pub_info *p)
 {
-    p->enctype = ENCTYPE_DES_CBC_CRC;
+    p->enctype = ENCTYPE_AES256_CTS_HMAC_SHA384_192;
     ktest_make_sample_data(&p->as_req);
     ktest_make_sample_data(&p->pk_as_rep);
 }
diff --git a/src/tests/asn.1/pkinit_encode.out b/src/tests/asn.1/pkinit_encode.out
index 3b0f719..55a60bb 100644
--- a/src/tests/asn.1/pkinit_encode.out
+++ b/src/tests/asn.1/pkinit_encode.out
@@ -10,4 +10,4 @@ encode_krb5_kdc_dh_key_info: 30 25 A0 0B 03 09 00 6B 72 62 35 64 61 74 61 A1 03
 encode_krb5_reply_key_pack: 30 26 A0 13 30 11 A0 03 02 01 01 A1 0A 04 08 31 32 33 34 35 36 37 38 A1 0F 30 0D A0 03 02 01 01 A1 06 04 04 31 32 33 34
 encode_krb5_reply_key_pack_draft9: 30 1A A0 13 30 11 A0 03 02 01 01 A1 0A 04 08 31 32 33 34 35 36 37 38 A1 03 02 01 2A
 encode_krb5_sp80056a_other_info: 30 81 81 30 0B 06 09 2A 86 48 86 F7 12 01 02 02 A0 32 04 30 30 2E A0 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A1 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A1 32 04 30 30 2E A0 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A1 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A2 0A 04 08 6B 72 62 35 64 61 74 61
-encode_krb5_pkinit_supp_pub_info: 30 1D A0 03 02 01 01 A1 0A 04 08 6B 72 62 35 64 61 74 61 A2 0A 04 08 6B 72 62 35 64 61 74 61
+encode_krb5_pkinit_supp_pub_info: 30 1D A0 03 02 01 14 A1 0A 04 08 6B 72 62 35 64 61 74 61 A2 0A 04 08 6B 72 62 35 64 61 74 61
diff --git a/src/tests/asn.1/pkinit_trval.out b/src/tests/asn.1/pkinit_trval.out
index f9edbe1..9557188 100644
--- a/src/tests/asn.1/pkinit_trval.out
+++ b/src/tests/asn.1/pkinit_trval.out
@@ -145,6 +145,6 @@ encode_krb5_sp80056a_other_info:
 encode_krb5_pkinit_supp_pub_info:
 
 [Sequence/Sequence Of]
-.  [0] [Integer] 1
+.  [0] [Integer] 20
 .  [1] [Octet String] "krb5data"
 .  [2] [Octet String] "krb5data"
diff --git a/src/tests/dejagnu/config/default.exp b/src/tests/dejagnu/config/default.exp
index c061d76..e8adee2 100644
--- a/src/tests/dejagnu/config/default.exp
+++ b/src/tests/dejagnu/config/default.exp
@@ -16,21 +16,6 @@ set stty_init {erase \^h kill \^u}
 set env(TERM) dumb
 
 set des3_krbtgt 0
-set tgt_support_desmd5 0
-
-# The names of the individual passes must be unique; lots of things
-# depend on it.  The PASSES variable may not contain comments; only
-# small pieces get evaluated, so comments will do strange things.
-
-# Most of the purpose of using multiple passes is to exercise the
-# dependency of various bugs on configuration file settings,
-# particularly with regards to encryption types.
-
-# The des.no-kdc-md5 pass will fail if the KDC does not constrain
-# session key enctypes to those in its permitted_enctypes list.  It
-# works by assuming enctype similarity, thus allowing the client to
-# request a des-cbc-md4 session key.  Since only des-cbc-crc is in the
-# KDC's permitted_enctypes list, the TGT will be unusable.
 
 if { [string length $VALGRIND] } {
     rename spawn valgrind_aux_spawn
@@ -111,47 +96,21 @@ if { $PRIOCNTL_HACK } {
     }
 }
 
-# The des.des3-tgt.no-kdc-des3 pass will fail if the KDC doesn't
-# constrain ticket key enctypes to those in permitted_enctypes.  It
-# does this by not putting des3 in the permitted_enctypes, while
-# creating a TGT princpal that has a des3 key as well as a des key.
+# The names of the individual passes must be unique; lots of things
+# depend on it.  The PASSES variable may not contain comments; only
+# small pieces get evaluated, so comments will do strange things.
 
-# XXX -- master_key_type is fragile w.r.t. permitted_enctypes; it is
-# possible to configure things such that you have a master_key_type
-# that is not permitted, and the error message used to be cryptic.
+# Most of the purpose of using multiple passes is to exercise the
+# dependency of various bugs on configuration file settings,
+# particularly with regards to encryption types.
 
 set passes {
     {
-	des
-	mode=udp
-	des3_krbtgt=0
-	{supported_enctypes=des-cbc-crc:normal}
-	{dummy=[verbose -log "DES TGT, DES enctype"]}
-    }
-    {
-	des.des3tgt
-	mode=udp
-	des3_krbtgt=1
-	{supported_enctypes=des-cbc-crc:normal}
-	{dummy=[verbose -log "DES3 TGT, DES enctype"]}
-    }
-    {
 	des3
 	mode=udp
 	des3_krbtgt=1
-	{supported_enctypes=des3-cbc-sha1:normal des-cbc-crc:normal}
-	{dummy=[verbose -log "DES3 TGT, DES3 + DES enctypes"]}
-    }
-    {
-	aes-des
-	mode=udp
-	des3_krbtgt=0
-	{supported_enctypes=aes256-cts-hmac-sha1-96:normal des-cbc-crc:normal}
-	{permitted_enctypes(kdc)=aes256-cts-hmac-sha1-96 des-cbc-crc}
-	{permitted_enctypes(client)=aes256-cts-hmac-sha1-96 des-cbc-crc}
-	{permitted_enctypes(server)=aes256-cts-hmac-sha1-96 des-cbc-crc}
-	{master_key_type=aes256-cts-hmac-sha1-96}
-	{dummy=[verbose -log "AES + DES enctypes"]}
+	{supported_enctypes=des3-cbc-sha1:normal}
+	{dummy=[verbose -log "DES3 TGT, DES3 enctype"]}
     }
     {
 	aes-only
@@ -220,10 +179,10 @@ set passes {
 	aes-des3
 	mode=udp
 	des3_krbtgt=0
-	{supported_enctypes=aes256-cts-hmac-sha1-96:normal des3-cbc-sha1:normal des-cbc-crc:normal}
-	{permitted_enctypes(kdc)=aes256-cts-hmac-sha1-96 des3-cbc-sha1 des-cbc-crc}
-	{permitted_enctypes(client)=aes256-cts-hmac-sha1-96 des3-cbc-sha1 des-cbc-crc}
-	{permitted_enctypes(server)=aes256-cts-hmac-sha1-96 des3-cbc-sha1 des-cbc-crc}
+	{supported_enctypes=aes256-cts-hmac-sha1-96:normal des3-cbc-sha1:normal}
+	{permitted_enctypes(kdc)=aes256-cts-hmac-sha1-96 des3-cbc-sha1}
+	{permitted_enctypes(client)=aes256-cts-hmac-sha1-96 des3-cbc-sha1}
+	{permitted_enctypes(server)=aes256-cts-hmac-sha1-96 des3-cbc-sha1}
 	{master_key_type=aes256-cts-hmac-sha1-96}
 	{dummy=[verbose -log "AES + DES3 + DES enctypes"]}
     }
@@ -231,12 +190,12 @@ set passes {
 	aes-des3tgt
 	mode=udp
 	des3_krbtgt=1
-	{supported_enctypes=aes256-cts-hmac-sha1-96:normal des3-cbc-sha1:normal des-cbc-crc:normal}
-	{permitted_enctypes(kdc)=aes256-cts-hmac-sha1-96 des3-cbc-sha1 des-cbc-crc}
-	{permitted_enctypes(client)=aes256-cts-hmac-sha1-96 des3-cbc-sha1 des-cbc-crc}
-	{permitted_enctypes(server)=aes256-cts-hmac-sha1-96 des3-cbc-sha1 des-cbc-crc}
+	{supported_enctypes=aes256-cts-hmac-sha1-96:normal des3-cbc-sha1:normal}
+	{permitted_enctypes(kdc)=aes256-cts-hmac-sha1-96 des3-cbc-sha1}
+	{permitted_enctypes(client)=aes256-cts-hmac-sha1-96 des3-cbc-sha1}
+	{permitted_enctypes(server)=aes256-cts-hmac-sha1-96 des3-cbc-sha1}
 	{master_key_type=aes256-cts-hmac-sha1-96}
-	{dummy=[verbose -log "AES + DES enctypes, DES3 TGT"]}
+	{dummy=[verbose -log "AES enctypes, DES3 TGT"]}
     }
     {
 	all-enctypes
@@ -248,114 +207,7 @@ set passes {
 	{allow_weak_crypto(server)=false}
 	{dummy=[verbose -log "all default enctypes"]}
     }
-    {
-	des.no-kdc-md5
-	mode=udp
-	des3_krbtgt=0
-	tgt_support_desmd5=0
-	{permitted_enctypes(kdc)=des-cbc-crc}
-	{default_tgs_enctypes(client)=des-cbc-md5 des-cbc-md4 des-cbc-crc}
-	{default_tkt_enctypes(client)=des-cbc-md5 des-cbc-md4 des-cbc-crc}
-	{supported_enctypes=des-cbc-crc:normal}
-	{master_key_type=des-cbc-crc}
-	{dummy=[verbose -log \
-		"DES TGT, KDC permitting only des-cbc-crc"]}
-    }
-    {
-	des.des3-tgt.no-kdc-des3
-	mode=udp
-	tgt_support_desmd5=0
-	{permitted_enctypes(kdc)=des-cbc-crc}
-	{default_tgs_enctypes(client)=des-cbc-crc}
-	{default_tkt_enctypes(client)=des-cbc-crc}
-	{supported_enctypes=des3-cbc-sha1:normal des-cbc-crc:normal}
-	{master_key_type=des-cbc-crc}
-	{dummy=[verbose -log \
-		"DES3 TGT, KDC permitting only des-cbc-crc"]}
-    }
-}
-
-# des.md5-tgt is set as unused, since it won't trigger the error case
-# if SUPPORT_DESMD5 isn't honored.
-
-# The des.md5-tgt pass will fail if enctype similarity is inconsisent;
-# between 1.0.x and 1.1, the decrypt functions became more strict
-# about matching enctypes, while the KDB retrieval functions didn't
-# coerce the enctype to match what was requested.  It works by setting
-# SUPPORT_DESMD5 on the TGT principal, forcing an enctype of
-# des-cbc-md5 on the TGT key.  Since the database only contains a
-# des-cbc-crc key, the decrypt will fail if enctypes are not coerced.
-
-# des.no-kdc-md5.client-md4-skey is retained in unsed_passes, even
-# though des.no-kdc-md5 is roughly equivalent, since the associated
-# comment needs additional investigation at some point re the kadmin
-# client.
-
-# The des.no-kdc-md5.client-md4-skey will fail on TGS requests due to
-# the KDC issuing session keys that it won't accept.  It will also
-# fail for a kadmin client, but for different reasons, since the kadm5
-# library does some curious filtering of enctypes, and also uses
-# get_in_tkt() rather than get_init_creds(); the former does an
-# intersection of the enctypes provided by the caller and those listed
-# in the config file!
-
-set unused_passes {
-    {
-	des.md5-tgt
-	des3_krbtgt=0
-	tgt_support_desmd5=1
-	supported_enctypes=des-cbc-crc:normal
-	{permitted_enctypes(kdc)=des-cbc-md5 des-cbc-md4 des-cbc-crc}
-	{permitted_enctypes(client)=des-cbc-md5 des-cbc-md4 des-cbc-crc}
-	{dummy=[verbose -log "DES TGT, SUPPORTS_DESMD5"]}
-    }
-    {
-	des.md5-tgt.no-kdc-md5
-	des3_krbtgt=0
-	tgt_support_desmd5=1
-	{permitted_enctypes(kdc)=des-cbc-crc}
-	{default_tgs_enctypes(client)=des-cbc-crc}
-	{default_tkt_enctypes(client)=des-cbc-crc}
-	{supported_enctypes=des-cbc-crc:normal}
-	{master_key_type=des-cbc-crc}
-	{dummy=[verbose -log \
-		"DES TGT, SUPPORTS_DESMD5, KDC permitting only des-cbc-crc"]}
-    }
-    {
-	des.no-kdc-md5.client-md4-skey
-	des3_krbtgt=0
-	{permitted_enctypes(kdc)=des-cbc-crc}
-	{permitted_enctypes(client)=des-cbc-crc des-cbc-md4}
-	{default_tgs_enctypes(client)=des-cbc-crc des-cbc-md4}
-	{default_tkt_enctypes(client)=des-cbc-md4}
-	{supported_enctypes=des-cbc-crc:normal}
-	{dummy=[verbose -log \
-		"DES TGT, DES enctype, KDC permitting only des-cbc-crc, client requests des-cbc-md4 session key"]}
-    }
-    {
-	all-enctypes
-	des3_krbtgt=1
-	{supported_enctypes=\
-	aes256-cts-hmac-sha1-96:normal aes256-cts-hmac-sha1-96:norealm \
-	aes128-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:norealm \
-	des3-cbc-sha1:normal des3-cbc-sha1:none \
-	des-cbc-md5:normal des-cbc-md4:normal des-cbc-crc:normal \
-	}
-	{dummy=[verbose -log "DES3 TGT, default enctypes"]}
-    }
-    {
-	aes-tcp
-	mode=tcp
-	des3_krbtgt=0
-	{supported_enctypes=aes256-cts-hmac-sha1-96:normal}
-	{permitted_enctypes(kdc)=aes256-cts-hmac-sha1-96}
-	{permitted_enctypes(client)=aes256-cts-hmac-sha1-96}
-	{permitted_enctypes(server)=aes256-cts-hmac-sha1-96}
-	{master_key_type=aes256-cts-hmac-sha1-96}
-	{dummy=[verbose -log "AES via TCP"]}
-    }
 }
-#	{supported_enctypes=des-cbc-md5:normal des-cbc-crc:normal twofish256-hmac-sha1:normal }
 
 # This shouldn't be necessary on dejagnu-1.4 and later, but 1.3 seems
 # to need it because its runtest.exp doesn't deal with PASS at all.
@@ -1095,7 +947,7 @@ proc setup_kerberos_db { standalone } {
     global REALMNAME KDB5_UTIL KADMIN_LOCAL KEY
     global tmppwd hostname
     global spawn_id
-    global des3_krbtgt tgt_support_desmd5
+    global des3_krbtgt
     global multipass_name last_passname_db
 
     set failall 0
@@ -1334,48 +1186,6 @@ proc setup_kerberos_db { standalone } {
 	    }
 	}
     }
-    if $tgt_support_desmd5 {
-	# Make TGT support des-cbc-md5
-	set test "kadmin.local TGT to SUPPORT_DESMD5"
-	set body {
-	    if $failall {
-		break
-	    }
-	    spawn $KADMIN_LOCAL -r $REALMNAME
-	    verbose "starting $test"
-	    expect_after $def_exp_after
-
-	    expect "kadmin.local: "
-	    send "modprinc +support_desmd5 krbtgt/$REALMNAME@$REALMNAME\r"
-	    # It echos...
-	    expect "modprinc +support_desmd5 krbtgt/$REALMNAME@$REALMNAME\r"
-	    expect {
-		"Principal \"krbtgt/$REALMNAME@$REALMNAME\" modified.\r\n" { }
-	    }
-	    expect "kadmin.local: "
-	    send "quit\r"
-	    expect eof
-	    catch expect_after
-	    if ![check_exit_status kadmin_local] {
-		break
-	    }
-	}
-	set ret [catch $body]
-	catch "expect eof"
-	catch expect_after
-	if $ret {
-	    set failall 1
-	    if $standalone {
-		fail $test
-	    } else {
-		delete_db
-	    }
-	} else {
-	    if $standalone {
-		pass $test
-	    }
-	}
-    }
     envstack_pop
 
     # create the admin database lock file
diff --git a/src/tests/gssapi/t_invalid.c b/src/tests/gssapi/t_invalid.c
index 2a332a8..9876a11 100644
--- a/src/tests/gssapi/t_invalid.c
+++ b/src/tests/gssapi/t_invalid.c
@@ -85,17 +85,6 @@ struct test {
     const char *token;
 } tests[] = {
     {
-        ENCTYPE_DES_CBC_CRC, ENCTYPE_DES_CBC_RAW,
-        SEAL_ALG_DES, SGN_ALG_DES_MAC_MD5, 8,
-        8,
-        "\x26\xEC\xBA\xB6\xFE\xBA\x91\xCE",
-        53,
-        "\x60\x33\x06\x09\x2A\x86\x48\x86\xF7\x12\x01\x02\x02\x02\x01\x00"
-        "\x00\x00\x00\xFF\xFF\xF0\x0B\x90\x7B\xC4\xFC\xEB\xF4\x84\x9C\x5A"
-        "\xA8\x56\x41\x3E\xE1\x62\xEE\x38\xD1\x34\x9A\xE3\xFB\xC9\xFD\x0A"
-        "\xDC\x83\xE1\x4A\xE4"
-    },
-    {
         ENCTYPE_DES3_CBC_SHA1, ENCTYPE_DES3_CBC_RAW,
         SEAL_ALG_DES3KD, SGN_ALG_HMAC_SHA1_DES3_KD, 20,
         24,
@@ -160,8 +149,6 @@ make_fake_context(const struct test *test)
     gss_union_ctx_id_t uctx;
     krb5_gss_ctx_id_t kgctx;
     krb5_keyblock kb;
-    unsigned char encbuf[8];
-    size_t i;
 
     kgctx = calloc(1, sizeof(*kgctx));
     if (kgctx == NULL)
@@ -184,11 +171,6 @@ make_fake_context(const struct test *test)
     if (krb5_k_create_key(NULL, &kb, &kgctx->seq) != 0)
         abort();
 
-    if (kb.enctype == ENCTYPE_DES_CBC_RAW) {
-        for (i = 0; i < 8; i++)
-            encbuf[i] = kb.contents[i] ^ 0xF0;
-        kb.contents = encbuf;
-    }
     if (krb5_k_create_key(NULL, &kb, &kgctx->enc) != 0)
         abort();
 
@@ -248,7 +230,7 @@ test_bogus_1964_token(gss_ctx_id_t ctx)
     gss_iov_buffer_desc iov;
 
     store_16_be(KG_TOK_SIGN_MSG, tokbuf);
-    store_16_le(SGN_ALG_DES_MAC_MD5, tokbuf + 2);
+    store_16_le(SGN_ALG_HMAC_MD5, tokbuf + 2);
     store_16_le(SEAL_ALG_NONE, tokbuf + 4);
     store_16_le(0xFFFF, tokbuf + 6);
     memset(tokbuf + 8, 0, 16);
diff --git a/src/tests/gssapi/t_pcontok.c b/src/tests/gssapi/t_pcontok.c
index c40ea43..7368f75 100644
--- a/src/tests/gssapi/t_pcontok.c
+++ b/src/tests/gssapi/t_pcontok.c
@@ -43,7 +43,6 @@
 #include "k5-int.h"
 #include "common.h"
 
-#define SGN_ALG_DES_MAC_MD5       0x00
 #define SGN_ALG_HMAC_SHA1_DES3_KD 0x04
 #define SGN_ALG_HMAC_MD5          0x11
 
@@ -78,11 +77,7 @@ make_delete_token(gss_krb5_lucid_context_v1_t *lctx, gss_buffer_desc *out)
     ret = krb5_k_create_key(context, &seqkb, &seq);
     check_k5err(context, "krb5_k_create_key", ret);
 
-    if (signalg == SGN_ALG_DES_MAC_MD5) {
-        cktype = CKSUMTYPE_RSA_MD5;
-        cksize = 8;
-        ckusage = 0;
-    } else if (signalg == SGN_ALG_HMAC_SHA1_DES3_KD) {
+    if (signalg == SGN_ALG_HMAC_SHA1_DES3_KD) {
         cktype = CKSUMTYPE_HMAC_SHA1_DES3;
         cksize = 20;
         ckusage = 23;
@@ -122,15 +117,7 @@ make_delete_token(gss_krb5_lucid_context_v1_t *lctx, gss_buffer_desc *out)
     d = make_data(ptr - 8, 8);
     ret = krb5_k_make_checksum(context, cktype, seq, ckusage, &d, &cksum);
     check_k5err(context, "krb5_k_make_checksum", ret);
-    if (signalg == SGN_ALG_DES_MAC_MD5) {
-        iov.flags = KRB5_CRYPTO_TYPE_DATA;
-        iov.data = make_data(cksum.contents, 16);
-        ret = krb5_k_encrypt_iov(context, seq, 0, NULL, &iov, 1);
-        check_k5err(context, "krb5_k_encrypt_iov", ret);
-        memcpy(ptr + 8, cksum.contents + 8, 8);
-    } else {
-        memcpy(ptr + 8, cksum.contents, cksize);
-    }
+    memcpy(ptr + 8, cksum.contents, cksize);
 
     /* Create the sequence number (8 bytes). */
     iov.flags = KRB5_CRYPTO_TYPE_DATA;
diff --git a/src/tests/gssapi/t_prf.c b/src/tests/gssapi/t_prf.c
index 6a698ce..f71774c 100644
--- a/src/tests/gssapi/t_prf.c
+++ b/src/tests/gssapi/t_prf.c
@@ -41,13 +41,6 @@ static struct {
     const char *key2;
     const char *out2;
 } tests[] = {
-    { ENCTYPE_DES_CBC_CRC,
-      "E607FE9DABB57AE0",
-      "803C4121379FC4B87CE413B67707C4632EBED2C6D6B7"
-      "2A55E878836E35E21600D915D590DED5B6D77BB30A1F",
-      "54758316B6257A75",
-      "279E4105F7ADC9BD6EF28ABE31D89B442FE0058388BA"
-      "33264ACB5729562DC637950F6BD144B654BE7700B2D6" },
     { ENCTYPE_DES3_CBC_SHA1,
       "70378A19CD64134580C27C0115D6B34A1CF2FEECEF9886A2",
       "9F8D127C520BB826BFF3E0FE5EF352389C17E0C073D9"
diff --git a/src/tests/t_etype_info.py b/src/tests/t_etype_info.py
index c21d054..2a052fc 100644
--- a/src/tests/t_etype_info.py
+++ b/src/tests/t_etype_info.py
@@ -24,7 +24,7 @@ def test_etinfo(princ, enctypes, expected_lines):
 # With no newer enctypes in the request, PA-ETYPE-INFO2,
 # PA-ETYPE-INFO, and PA-PW-SALT appear in the AS-REP, each listing one
 # key for the most preferred matching enctype.
-test_etinfo('user', 'rc4-hmac-exp des3 rc4 des-cbc-crc',
+test_etinfo('user', 'rc4-hmac-exp des3 rc4',
             ['asrep etype_info2 des3-cbc-sha1 KRBTEST.COMuser',
              'asrep etype_info des3-cbc-sha1 KRBTEST.COMuser',
              'asrep pw_salt KRBTEST.COMuser'])
@@ -37,7 +37,7 @@ test_etinfo('user', 'rc4 aes256-cts',
 
 # In preauth-required errors, PA-PW-SALT does not appear, but the same
 # etype-info2 values are expected.
-test_etinfo('preauthuser', 'rc4-hmac-exp des3 rc4 des-cbc-crc',
+test_etinfo('preauthuser', 'rc4-hmac-exp des3 rc4',
             ['error etype_info2 des3-cbc-sha1 KRBTEST.COMpreauthuser',
              'error etype_info des3-cbc-sha1 KRBTEST.COMpreauthuser'])
 test_etinfo('preauthuser', 'rc4 aes256-cts',
diff --git a/src/tests/t_keyrollover.py b/src/tests/t_keyrollover.py
index 4af6804..2c825a6 100755
--- a/src/tests/t_keyrollover.py
+++ b/src/tests/t_keyrollover.py
@@ -2,7 +2,7 @@ from k5test import *
 
 rollover_krb5_conf = {'libdefaults': {'allow_weak_crypto': 'true'}}
 
-realm = K5Realm(krbtgt_keysalt='des-cbc-crc:normal',
+realm = K5Realm(krbtgt_keysalt='aes128-cts-hmac-sha256-128:normal',
                 krb5_conf=rollover_krb5_conf)
 
 princ1 = 'host/test1@%s' % (realm.realm,)
@@ -22,9 +22,9 @@ realm.run([kvno, princ1])
 realm.run([kadminl, 'purgekeys', realm.krbtgt_princ])
 # Make sure an old TGT fails after purging old TGS key.
 realm.run([kvno, princ2], expected_code=1)
-ddes = "DEPRECATED:des-cbc-crc"
+et = "aes128-cts-hmac-sha256-128"
 msg = 'krbtgt/%s@%s\n\tEtype (skey, tkt): %s, %s' % \
-    (realm.realm, realm.realm, ddes, ddes)
+    (realm.realm, realm.realm, et, et)
 realm.run([klist, '-e'], expected_msg=msg)
 
 # Check that new key actually works.
diff --git a/src/tests/t_salt.py b/src/tests/t_salt.py
index 008efcb..65084bb 100755
--- a/src/tests/t_salt.py
+++ b/src/tests/t_salt.py
@@ -22,7 +22,7 @@ salts = [('des3-cbc-sha1', 'norealm'),
 # These enctypes are chosen to cover the different string-to-key routines.
 # Omit ":normal" from aes256 to check that salttype defaulting works.
 second_kstypes = ['aes256-cts-hmac-sha1-96', 'arcfour-hmac:normal',
-                  'des3-cbc-sha1:normal', 'des-cbc-crc:normal']
+                  'des3-cbc-sha1:normal']
 
 # Test using different salt types in a principal's key list.
 # Parameters from one key in the list must not leak over to later ones.
diff --git a/src/tests/t_sesskeynego.py b/src/tests/t_sesskeynego.py
index da02f22..621b271 100755
--- a/src/tests/t_sesskeynego.py
+++ b/src/tests/t_sesskeynego.py
@@ -23,13 +23,7 @@ conf2 = {'libdefaults': {'default_tgs_enctypes': 'aes256-cts,aes128-cts'}}
 conf3 = {'libdefaults': {
         'allow_weak_crypto': 'true',
         'default_tkt_enctypes': 'aes128-cts',
-        'default_tgs_enctypes': 'rc4-hmac,aes128-cts,des-cbc-crc'}}
-conf4 = {'libdefaults': {
-        'allow_weak_crypto': 'true',
-        'default_tkt_enctypes': 'aes256-cts',
-        'default_tgs_enctypes': 'des-cbc-crc,rc4-hmac,aes256-cts'},
-         'realms': {'$realm': {'des_crc_session_supported': 'false'}}}
-
+        'default_tgs_enctypes': 'rc4-hmac,aes128-cts'}}
 # Test with client request and session_enctypes preferring aes128, but
 # aes256 long-term key.
 realm = K5Realm(krb5_conf=conf1, create_host=False, get_creds=False)
@@ -63,16 +57,6 @@ test_kvno(realm, 'aes128-cts-hmac-sha1-96', 'aes256-cts-hmac-sha1-96')
 realm.run([kadminl, 'setstr', 'server', 'session_enctypes',
            'rc4-hmac,aes128-cts,aes256-cts'])
 test_kvno(realm, 'DEPRECATED:arcfour-hmac', 'aes256-cts-hmac-sha1-96')
-
-# 3c: Test des-cbc-crc default assumption.
-realm.run([kadminl, 'delstr', 'server', 'session_enctypes'])
-test_kvno(realm, 'DEPRECATED:des-cbc-crc', 'aes256-cts-hmac-sha1-96')
-realm.stop()
-
-# Last go: test that we can disable the des-cbc-crc assumption
-realm = K5Realm(krb5_conf=conf4, get_creds=False)
-realm.run([kadminl, 'addprinc', '-randkey', '-e', 'aes256-cts', 'server'])
-test_kvno(realm, 'aes256-cts-hmac-sha1-96', 'aes256-cts-hmac-sha1-96')
 realm.stop()
 
 success('sesskeynego')
diff --git a/src/util/k5test.py b/src/util/k5test.py
index b6d93f1..da2782e 100644
--- a/src/util/k5test.py
+++ b/src/util/k5test.py
@@ -1307,7 +1307,7 @@ _passes = [
                     'master_key_type': 'aes256-sha2'}}}),
 
     # Test a setup with modern principal keys but an old TGT key.
-    ('aes256.destgt', 'des-cbc-crc:normal',
+    ('aes256.destgt', 'arcfour-hmac:normal',
      {'libdefaults': {'allow_weak_crypto': 'true'}},
      None)
 ]


More information about the cvs-krb5 mailing list