Add aes-sha2 to permitted_enctypes and aes family
authorGreg Hudson <ghudson@mit.edu>
Tue, 8 Dec 2015 18:50:06 +0000 (13:50 -0500)
committerGreg Hudson <ghudson@mit.edu>
Mon, 3 Oct 2016 19:39:23 +0000 (15:39 -0400)
Add the new aes-sha2 enctypes to the default value of
permitted_enctypes, and to the enctypes implied by the "aes" family
when parsing enctype lists.

ticket: 8490

src/lib/krb5/krb/init_ctx.c
src/lib/krb5/krb/t_etypes.c

index a39362745b4d183e966726dc9027bb0774d2bf70..cf226fdbabc086bfbc0e5078992f79d8289be751 100644 (file)
@@ -62,6 +62,7 @@
    des-crc for now.  */
 static krb5_enctype default_enctype_list[] = {
     ENCTYPE_AES256_CTS_HMAC_SHA1_96, ENCTYPE_AES128_CTS_HMAC_SHA1_96,
+    ENCTYPE_AES256_CTS_HMAC_SHA384_192, ENCTYPE_AES128_CTS_HMAC_SHA256_128,
     ENCTYPE_DES3_CBC_SHA1,
     ENCTYPE_ARCFOUR_HMAC,
     ENCTYPE_CAMELLIA128_CTS_CMAC, ENCTYPE_CAMELLIA256_CTS_CMAC,
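Review bot: The new aes-sha2 pair on the added line is placed after the aes-sha1 pair, so if this array is consumed in preference order (its use as the default for permitted_enctypes suggests it is) the SHA-1-based enctypes stay preferred over the SHA-2-based ones, and nothing in the hunk says whether that is deliberate. A one-line comment would keep a later maintainer from "fixing" the order: `/* aes-sha2 is listed after aes-sha1 so the more widely deployed enctypes keep priority during rollout. */`. The comment above the array and the array's closing line are outside the hunk.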
@@ -482,6 +483,8 @@ krb5int_parse_enctype_list(krb5_context context, const char *profkey,
         } else if (strcasecmp(token, "aes") == 0) {
             mod_list(ENCTYPE_AES256_CTS_HMAC_SHA1_96, sel, weak, &list);
             mod_list(ENCTYPE_AES128_CTS_HMAC_SHA1_96, sel, weak, &list);
+            mod_list(ENCTYPE_AES256_CTS_HMAC_SHA384_192, sel, weak, &list);
+            mod_list(ENCTYPE_AES128_CTS_HMAC_SHA256_128, sel, weak, &list);
         } else if (strcasecmp(token, "rc4") == 0) {
             mod_list(ENCTYPE_ARCFOUR_HMAC, sel, weak, &list);
         } else if (strcasecmp(token, "camellia") == 0) {
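Review bot: The two added mod_list calls change the meaning of every existing profile that writes `permitted_enctypes = aes` or `-aes`, but only two source files are listed in this commit, so any user documentation that enumerates the members of the "aes" family alias is presumably now stale and should be updated alongside. A short comment at the branch would also help readers of this function: `/* "aes" covers both the sha1- and sha2-based AES enctypes; keep in sync with the enctype docs. */`. krb5int_parse_enctype_list starts and ends outside the hunk.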
index 0a8a19984a7151633d48646f6c15e30ff654dccc..3176376842a9bde939990e5249ec7d5a0e60b038 100644 (file)
@@ -92,8 +92,10 @@ static struct {
     { "aes des3-cbc-sha1-kd",
       { 0 },
       { ENCTYPE_AES256_CTS_HMAC_SHA1_96, ENCTYPE_AES128_CTS_HMAC_SHA1_96,
+        ENCTYPE_AES256_CTS_HMAC_SHA384_192, ENCTYPE_AES128_CTS_HMAC_SHA256_128,
         ENCTYPE_DES3_CBC_SHA1, 0 },
       { ENCTYPE_AES256_CTS_HMAC_SHA1_96, ENCTYPE_AES128_CTS_HMAC_SHA1_96,
+        ENCTYPE_AES256_CTS_HMAC_SHA384_192, ENCTYPE_AES128_CTS_HMAC_SHA256_128,
         ENCTYPE_DES3_CBC_SHA1, 0 },
       0, 0
     },
@@ -115,9 +117,12 @@ static struct {
     { "DEFAULT +aes -arcfour-hmac-md5",
       { ENCTYPE_ARCFOUR_HMAC, ENCTYPE_DES3_CBC_SHA1, ENCTYPE_DES_CBC_CRC, 0 },
       { ENCTYPE_DES3_CBC_SHA1, ENCTYPE_AES256_CTS_HMAC_SHA1_96,
-        ENCTYPE_AES128_CTS_HMAC_SHA1_96, 0 },
+        ENCTYPE_AES128_CTS_HMAC_SHA1_96, ENCTYPE_AES256_CTS_HMAC_SHA384_192,
+        ENCTYPE_AES128_CTS_HMAC_SHA256_128, 0 },
       { ENCTYPE_DES3_CBC_SHA1, ENCTYPE_DES_CBC_CRC,
-        ENCTYPE_AES256_CTS_HMAC_SHA1_96, ENCTYPE_AES128_CTS_HMAC_SHA1_96, 0 },
+        ENCTYPE_AES256_CTS_HMAC_SHA1_96, ENCTYPE_AES128_CTS_HMAC_SHA1_96,
+        ENCTYPE_AES256_CTS_HMAC_SHA384_192, ENCTYPE_AES128_CTS_HMAC_SHA256_128,
+        0 },
       0, 0
     },
     /* Default set with families removed and enctypes added (one redundant) */
@@ -145,8 +150,10 @@ static struct {
     { "aes +rc4 -DEFaulT des3-hmac-sha1",
       { ENCTYPE_AES128_CTS_HMAC_SHA1_96, ENCTYPE_DES3_CBC_SHA1,
         ENCTYPE_ARCFOUR_HMAC, 0 },
-      { ENCTYPE_AES256_CTS_HMAC_SHA1_96, ENCTYPE_DES3_CBC_SHA1, 0 },
-      { ENCTYPE_AES256_CTS_HMAC_SHA1_96, ENCTYPE_DES3_CBC_SHA1, 0 },
+      { ENCTYPE_AES256_CTS_HMAC_SHA1_96, ENCTYPE_AES256_CTS_HMAC_SHA384_192,
+        ENCTYPE_AES128_CTS_HMAC_SHA256_128, ENCTYPE_DES3_CBC_SHA1, 0 },
+      { ENCTYPE_AES256_CTS_HMAC_SHA1_96, ENCTYPE_AES256_CTS_HMAC_SHA384_192,
+        ENCTYPE_AES128_CTS_HMAC_SHA256_128, ENCTYPE_DES3_CBC_SHA1, 0 },
       0, 0
     },
     /* Test krb5_set_default_in_tkt_ktypes */
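Review bot: The updated expectations only reach the aes-sha2 enctypes through the `aes` family alias; none of the visible cases names `aes256-cts-hmac-sha384-192` or `aes128-cts-hmac-sha256-128` individually or removes one of them, so the per-name lookup path for the new types is unexercised here unless another entry in the table covers it. One extra case such as `{ "aes -aes128-cts-hmac-sha256-128", ... }` with the three remaining AES enctypes expected would pin both the parse of the new names and their removal. The test table starts and ends outside the hunk.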