In KDC, assume all services support aes256-sha1

To facilitate negotiating session keys with acceptable security,
assume that services support aes256-cts-hmac-sha1 unless a
session_enctypes string attribute says otherwise.

ticket: 9075

2 files changed, 7 insertions, 3 deletions

diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c
index f5cb2abf8..0c846c1a8 100644
--- a/src/kdc/kdc_util.c
+++ b/src/kdc/kdc_util.c
@@ -1006,6 +1006,10 @@ dbentry_supports_enctype(krb5_context context, krb5_db_entry *server,
     free(etypes_str);
     free(etypes);
 
+    /* Assume every server without a session_enctypes attribute supports
+     * aes256-cts-hmac-sha1-96. */
+    if (enctype == ENCTYPE_AES256_CTS_HMAC_SHA1_96)
+        return TRUE;
     /* Assume the server supports any enctype it has a long-term key for. */
     return !krb5_dbe_find_enctype(context, server, enctype, -1, 0, &datap);
 }
diff --git a/src/tests/t_keyrollover.py b/src/tests/t_keyrollover.py
index 2c825a692..e9840dfae 100755
--- a/src/tests/t_keyrollover.py
+++ b/src/tests/t_keyrollover.py
@@ -22,9 +22,9 @@ realm.run([kvno, princ1])
 realm.run([kadminl, 'purgekeys', realm.krbtgt_princ])
 # Make sure an old TGT fails after purging old TGS key.
 realm.run([kvno, princ2], expected_code=1)
-et = "aes128-cts-hmac-sha256-128"
-msg = 'krbtgt/%s@%s\n\tEtype (skey, tkt): %s, %s' % \
-    (realm.realm, realm.realm, et, et)
+msg = 'krbtgt/%s@%s\n\tEtype (skey, tkt): ' \
+    'aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha256-128' % \
+    (realm.realm, realm.realm)
 realm.run([klist, '-e'], expected_msg=msg)
 
 # Check that new key actually works.