From: Greg Hudson Date: Thu, 10 Dec 2015 18:17:31 +0000 (-0500) Subject: Document aes-sha2 enctypes X-Git-Tag: krb5-1.15-beta1~9 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=6fd74a89ac6c2444a347a357fac51b3490467284;p=thirdparty%2Fkrb5.git Document aes-sha2 enctypes Add minimal documentation for the new aes-sha2 enctypes. ticket: 8490 --- diff --git a/doc/admin/conf_files/kdc_conf.rst b/doc/admin/conf_files/kdc_conf.rst index 429c528725..13077ecf4b 100644 --- a/doc/admin/conf_files/kdc_conf.rst +++ b/doc/admin/conf_files/kdc_conf.rst @@ -814,8 +814,10 @@ des-cbc-raw DES cbc mode raw (weak) des3-cbc-raw Triple DES cbc mode raw (weak) des3-cbc-sha1 des3-hmac-sha1 des3-cbc-sha1-kd Triple DES cbc mode with HMAC/sha1 des-hmac-sha1 DES with HMAC/sha1 (weak) -aes256-cts-hmac-sha1-96 aes256-cts AES-256 CTS mode with 96-bit SHA-1 HMAC -aes128-cts-hmac-sha1-96 aes128-cts AES-128 CTS mode with 96-bit SHA-1 HMAC +aes256-cts-hmac-sha1-96 aes256-cts aes256-sha1 AES-256 CTS mode with 96-bit SHA-1 HMAC +aes128-cts-hmac-sha1-96 aes128-cts aes128-sha1 AES-128 CTS mode with 96-bit SHA-1 HMAC +aes256-cts-hmac-sha384-192 aes256-sha2 AES-256 CTS mode with 192-bit SHA-384 HMAC +aes128-cts-hmac-sha256-128 aes128-sha2 AES-128 CTS mode with 128-bit SHA-256 HMAC arcfour-hmac rc4-hmac arcfour-hmac-md5 RC4 with HMAC/MD5 arcfour-hmac-exp rc4-hmac-exp arcfour-hmac-md5-exp Exportable RC4 with HMAC/MD5 (weak) camellia256-cts-cmac camellia256-cts Camellia-256 CTS mode with CMAC 
@@ -840,8 +842,13 @@ front. While **aes128-cts** and **aes256-cts** are supported for all Kerberos operations, they are not supported by very old versions of our GSSAPI implementation (krb5-1.3.1 and earlier). Services running versions of -krb5 without AES support must not be given AES keys in the KDC -database. +krb5 without AES support must not be given keys of these encryption +types in the KDC database. + +The **aes128-sha2** and **aes256-sha2** encryption types are new in +release 1.15. Services running versions of krb5 without support for +these newer encryption types must not be given keys of these +encryption types in the KDC database. .. _Keysalt_lists: diff --git a/doc/admin/enctypes.rst b/doc/admin/enctypes.rst index 44b6a8c471..3cdfc92cf1 100644 --- a/doc/admin/enctypes.rst +++ b/doc/admin/enctypes.rst 
@@ -124,20 +124,22 @@ Enctype compatibility See :ref:`Encryption_types` for additional information about enctypes. -======================= ===== ======== ======= -enctype weak? krb5 Windows -======================= ===== ======== ======= -des-cbc-crc weak all >=2000 -des-cbc-md4 weak all ? -des-cbc-md5 weak all >=2000 -des3-cbc-sha1 >=1.1 none -arcfour-hmac >=1.3 >=2000 -arcfour-hmac-exp weak >=1.3 >=2000 -aes128-cts-hmac-sha1-96 >=1.3 >=Vista -aes256-cts-hmac-sha1-96 >=1.3 >=Vista -camellia128-cts-cmac >=1.9 none -camellia256-cts-cmac >=1.9 none -======================= ===== ======== ======= +========================== ===== ======== ======= +enctype weak? krb5 Windows +========================== ===== ======== ======= +des-cbc-crc weak all >=2000 +des-cbc-md4 weak all ? +des-cbc-md5 weak all >=2000 +des3-cbc-sha1 >=1.1 none +arcfour-hmac >=1.3 >=2000 +arcfour-hmac-exp weak >=1.3 >=2000 +aes128-cts-hmac-sha1-96 >=1.3 >=Vista +aes256-cts-hmac-sha1-96 >=1.3 >=Vista +aes128-cts-hmac-sha256-128 >=1.15 none +aes256-cts-hmac-sha384-192 >=1.15 none +camellia128-cts-cmac >=1.9 none +camellia256-cts-cmac >=1.9 none +========================== ===== ======== ======= krb5 releases 1.8 and later disable the single-DES enctypes by default. Microsoft Windows releases Windows 7 and later disable diff --git a/doc/appdev/refs/macros/index.rst b/doc/appdev/refs/macros/index.rst index 2271e90c3a..e767471025 100644 --- a/doc/appdev/refs/macros/index.rst +++ b/doc/appdev/refs/macros/index.rst @@ -34,6 +34,8 @@ Public CKSUMTYPE_HMAC_MD5_ARCFOUR.rst CKSUMTYPE_HMAC_SHA1_96_AES128.rst CKSUMTYPE_HMAC_SHA1_96_AES256.rst + CKSUMTYPE_HMAC_SHA256_128_AES128.rst + CKSUMTYPE_HMAC_SHA384_192_AES256.rst CKSUMTYPE_HMAC_SHA1_DES3.rst CKSUMTYPE_MD5_HMAC_ARCFOUR.rst CKSUMTYPE_NIST_SHA.rst 
@@ -42,7 +44,9 @@ Public CKSUMTYPE_RSA_MD5.rst CKSUMTYPE_RSA_MD5_DES.rst ENCTYPE_AES128_CTS_HMAC_SHA1_96.rst + ENCTYPE_AES128_CTS_HMAC_SHA256_128.rst ENCTYPE_AES256_CTS_HMAC_SHA1_96.rst + ENCTYPE_AES256_CTS_HMAC_SHA384_192.rst ENCTYPE_ARCFOUR_HMAC.rst ENCTYPE_ARCFOUR_HMAC_EXP.rst ENCTYPE_CAMELLIA128_CTS_CMAC.rst
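Review bot: In the enctype table hunk of doc/admin/conf_files/kdc_conf.rst (@@ -814), the two existing SHA-1 rows gain the aliases aes256-sha1 and aes128-sha1, but the commit message only mentions documenting the new aes-sha2 enctypes. Please mention the added aliases in the commit message. Because the short names aes256-cts and aes128-cts stay on the SHA-1 rows, it would also help to add a sentence stating that the unsuffixed names still select the SHA-1 variants, so an administrator does not assume they pick the newer types.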
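Review bot: In the second doc/admin/conf_files/kdc_conf.rst hunk (@@ -840), the rewritten sentence and the new paragraph now both end with "must not be given keys of these encryption types in the KDC database", and in the first of them "these encryption types" has to be resolved back to aes128-cts and aes256-cts in an earlier sentence. Naming the enctypes explicitly in each sentence, or merging the two statements into one rule, would read more clearly. The new paragraph could also point to the compatibility table in doc/admin/enctypes.rst, which this patch updates to list Windows support as "none" for both new enctypes.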
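Review bot: In the doc/admin/enctypes.rst compatibility table hunk (@@ -124), the new aes128-cts-hmac-sha256-128 and aes256-cts-hmac-sha384-192 rows give ">=1.15" and "none", but the text following the table only discusses defaults for single-DES. A sentence saying whether the new enctypes are enabled by default in 1.15 would let readers judge the interoperability impact shown by the "none" in the Windows column.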
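Review bot: In the first doc/appdev/refs/macros/index.rst hunk (@@ -34), CKSUMTYPE_HMAC_SHA256_128_AES128.rst and CKSUMTYPE_HMAC_SHA384_192_AES256.rst are inserted before CKSUMTYPE_HMAC_SHA1_DES3.rst, which breaks the alphabetical order the surrounding entries follow. Moving the two new lines after CKSUMTYPE_HMAC_SHA1_DES3.rst keeps the list sorted, as the ENCTYPE entries in the next hunk already are.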