aes-sha2 in default etype list now?

Weijun Wang
According to the source at
https://github.com/krb5/krb5/blob/master/src/lib/krb5/krb/init_ctx.c#L63:

static krb5_enctype default_enctype_list[] = {
     ENCTYPE_AES256_CTS_HMAC_SHA1_96, ENCTYPE_AES128_CTS_HMAC_SHA1_96,
     ENCTYPE_AES256_CTS_HMAC_SHA384_192, ENCTYPE_AES128_CTS_HMAC_SHA256_128,
     ENCTYPE_DES3_CBC_SHA1,
     ENCTYPE_ARCFOUR_HMAC,
     ENCTYPE_CAMELLIA128_CTS_CMAC, ENCTYPE_CAMELLIA256_CTS_CMAC,
     ENCTYPE_DES_CBC_CRC, ENCTYPE_DES_CBC_MD5, ENCTYPE_DES_CBC_MD4,
     0
};

But the doc at https://github.com/krb5/krb5/blob/master/doc/conf.py#L275 
shows:

.. |defetypes| replace:: ``aes256-cts-hmac-sha1-96
aes128-cts-hmac-sha1-96 des3-cbc-sha1 arcfour-hmac-md5
camellia256-cts-cmac camellia128-cts-cmac des-cbc-crc des-cbc-md5
des-cbc-md4``

Are aes128-sha2 and aes256-sha2 default etypes?

Is doc behind src?

Thanks
Max
_______________________________________________
krbdev mailing list             [hidden email]
https://mailman.mit.edu/mailman/listinfo/krbdev

Re: aes-sha2 in default etype list now?

Greg Hudson
On 06/21/2017 11:11 AM, Weijun Wang wrote:
> But the doc at https://github.com/krb5/krb5/blob/master/doc/conf.py#L275 
> shows:
>
> .. |defetypes| replace:: ``aes256-cts-hmac-sha1-96
> aes128-cts-hmac-sha1-96 des3-cbc-sha1 arcfour-hmac-md5
> camellia256-cts-cmac camellia128-cts-cmac des-cbc-crc des-cbc-md5
> des-cbc-md4``

That's an oversight; I have filed a PR to update it.

> Are aes128-sha2 and aes256-sha2 default etypes?

They are permitted by default, though not in the default list of
key/salt types for generating new keys.