krb5 commit: In KDC, assume all services support aes256-sha1
ghudson at mit.edu
ghudson at mit.edu
Mon Jan 23 20:04:48 EST 2023
https://github.com/krb5/krb5/commit/2cbd847e0e92bc4e219b65c770ae33f851b22afc
commit 2cbd847e0e92bc4e219b65c770ae33f851b22afc
Author: Greg Hudson <ghudson at mit.edu>
Date: Wed Dec 14 13:20:46 2022 -0500
In KDC, assume all services support aes256-sha1
To facilitate negotiating session keys with acceptable security,
assume that services support aes256-cts-hmac-sha1 unless a
session_enctypes string attribute says otherwise.
ticket: 9075
src/kdc/kdc_util.c | 4 ++++
src/tests/t_keyrollover.py | 6 +++---
2 files changed, 7 insertions(+), 3 deletions(-)
diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c
index f5cb2abf8..0c846c1a8 100644
--- a/src/kdc/kdc_util.c
+++ b/src/kdc/kdc_util.c
@@ -1006,6 +1006,10 @@ dbentry_supports_enctype(krb5_context context, krb5_db_entry *server,
free(etypes_str);
free(etypes);
+ /* Assume every server without a session_enctypes attribute supports
+ * aes256-cts-hmac-sha1-96. */
+ if (enctype == ENCTYPE_AES256_CTS_HMAC_SHA1_96)
+ return TRUE;
/* Assume the server supports any enctype it has a long-term key for. */
return !krb5_dbe_find_enctype(context, server, enctype, -1, 0, &datap);
}
diff --git a/src/tests/t_keyrollover.py b/src/tests/t_keyrollover.py
index 2c825a692..e9840dfae 100755
--- a/src/tests/t_keyrollover.py
+++ b/src/tests/t_keyrollover.py
@@ -22,9 +22,9 @@ realm.run([kvno, princ1])
realm.run([kadminl, 'purgekeys', realm.krbtgt_princ])
# Make sure an old TGT fails after purging old TGS key.
realm.run([kvno, princ2], expected_code=1)
-et = "aes128-cts-hmac-sha256-128"
-msg = 'krbtgt/%s@%s\n\tEtype (skey, tkt): %s, %s' % \
- (realm.realm, realm.realm, et, et)
+msg = 'krbtgt/%s@%s\n\tEtype (skey, tkt): ' \
+ 'aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha256-128' % \
+ (realm.realm, realm.realm)
realm.run([klist, '-e'], expected_msg=msg)
# Check that new key actually works.
More information about the cvs-krb5
mailing list