Discussion:
aes-sha2 in default etype list now?
Weijun Wang
2017-06-21 15:11:20 UTC
According to the source at
https://github.com/krb5/krb5/blob/master/src/lib/krb5/krb/init_ctx.c#L63:

static krb5_enctype default_enctype_list[] = {
    ENCTYPE_AES256_CTS_HMAC_SHA1_96, ENCTYPE_AES128_CTS_HMAC_SHA1_96,
    ENCTYPE_AES256_CTS_HMAC_SHA384_192, ENCTYPE_AES128_CTS_HMAC_SHA256_128,
    ENCTYPE_DES3_CBC_SHA1,
    ENCTYPE_ARCFOUR_HMAC,
    ENCTYPE_CAMELLIA128_CTS_CMAC, ENCTYPE_CAMELLIA256_CTS_CMAC,
    ENCTYPE_DES_CBC_CRC, ENCTYPE_DES_CBC_MD5, ENCTYPE_DES_CBC_MD4,
    0
};

But the doc at https://github.com/krb5/krb5/blob/master/doc/conf.py#L275
shows:

.. |defetypes| replace:: ``aes256-cts-hmac-sha1-96
aes128-cts-hmac-sha1-96 des3-cbc-sha1 arcfour-hmac-md5
camellia256-cts-cmac camellia128-cts-cmac des-cbc-crc des-cbc-md5
des-cbc-md4``

Are aes128-sha2 and aes256-sha2 default etypes?

Is doc behind src?

Thanks
Max
_______________________________________________
krbdev mailing list ***@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev
Greg Hudson
2017-06-21 17:13:38 UTC
Post by Weijun Wang
> But the doc at https://github.com/krb5/krb5/blob/master/doc/conf.py#L275
> .. |defetypes| replace:: ``aes256-cts-hmac-sha1-96
> aes128-cts-hmac-sha1-96 des3-cbc-sha1 arcfour-hmac-md5
> camellia256-cts-cmac camellia128-cts-cmac des-cbc-crc des-cbc-md5
> des-cbc-md4``
That's an oversight; I have filed a PR to update it.
Post by Weijun Wang
> Are aes128-sha2 and aes256-sha2 default etypes?
They are permitted by default, though not in the default list of
key/salt types for generating new keys.
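
The source/doc mismatch raised in this thread can be checked mechanically. The following is an added example, not part of the thread and not krb5 project code: it parses the two snippets quoted above (embedded as constructed inputs) and reports enctypes present in one list but not the other. The function names and the alias table are assumptions made for this illustration.

```python
import re

# Constructed inputs: the two snippets quoted in the thread above.
SRC = """
static krb5_enctype default_enctype_list[] = {
    ENCTYPE_AES256_CTS_HMAC_SHA1_96, ENCTYPE_AES128_CTS_HMAC_SHA1_96,
    ENCTYPE_AES256_CTS_HMAC_SHA384_192, ENCTYPE_AES128_CTS_HMAC_SHA256_128,
    ENCTYPE_DES3_CBC_SHA1,
    ENCTYPE_ARCFOUR_HMAC,
    ENCTYPE_CAMELLIA128_CTS_CMAC, ENCTYPE_CAMELLIA256_CTS_CMAC,
    ENCTYPE_DES_CBC_CRC, ENCTYPE_DES_CBC_MD5, ENCTYPE_DES_CBC_MD4,
    0
};
"""
DOC = """
.. |defetypes| replace:: ``aes256-cts-hmac-sha1-96
   aes128-cts-hmac-sha1-96 des3-cbc-sha1 arcfour-hmac-md5
   camellia256-cts-cmac camellia128-cts-cmac des-cbc-crc des-cbc-md5
   des-cbc-md4``
"""

# Assumption: doc spellings that differ from the lowercased constant name.
ALIASES = {"arcfour-hmac-md5": "arcfour-hmac", "rc4-hmac": "arcfour-hmac"}

def canon(name):
    """Normalize ENCTYPE_* suffixes and doc names to one spelling."""
    name = name.lower().replace("_", "-")
    return ALIASES.get(name, name)

def source_etypes(c_text, array="default_enctype_list"):
    """Return the enctypes in the C array initializer, in source order."""
    m = re.search(re.escape(array) + r"\s*\[\]\s*=\s*\{(.*?)\}", c_text, re.S)
    if m is None:
        raise ValueError("array %s not found" % array)
    return [canon(n) for n in re.findall(r"ENCTYPE_(\w+)", m.group(1))]

def doc_etypes(rst_text, subst="defetypes"):
    """Return the enctypes in the reST |subst| replacement, in doc order."""
    m = re.search(r"\|%s\|\s+replace::\s+``(.*?)``" % re.escape(subst), rst_text, re.S)
    if m is None:
        raise ValueError("substitution %s not found" % subst)
    return [canon(n) for n in m.group(1).split()]

def drift(c_text, rst_text):
    """Compare both lists; order matters because the list is a preference order."""
    src, doc = source_etypes(c_text), doc_etypes(rst_text)
    return {"missing_from_doc": [e for e in src if e not in doc],
            "missing_from_source": [e for e in doc if e not in src],
            "order_differs": [e for e in src if e in doc] != [e for e in doc if e in src]}
```

On the quoted snippets, `drift(SRC, DOC)` flags the two aes-sha2 enctypes as missing from the doc and also reports that the two Camellia entries appear in a different order.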