Enctype list configuration enhancements

In the processing code for enctype lists, add support for "DEFAULT"
to indicate the default list, for families (des/des3/aes/rc4), and
for removing entries from the current list (-foo).  Also add unit
tests and document.

ticket: 6539

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22469 dc483132-0cff-0310-8789-dd5450dbe970

1 files changed, 9 insertions, 0 deletions

diff --git a/doc/admin.texinfo b/doc/admin.texinfo
index f5d5e618c1..9af5f6b258 100644
--- a/doc/admin.texinfo
+++ b/doc/admin.texinfo
@@ -360,6 +360,15 @@ but not recommended for use.
 
 @include support-enc.texinfo
 
+The string DEFAULT can be used to refer to the default set of types for
+the variable in question.  Types or families can be removed from the
+current list by prefixing them with a minus sign (``-'').  Types or
+families can be prefixed with a plus sign (``+'') for symmetry; it has
+the same meaning as just listing the type or family.  For example,
+``DEFAULT -des'' would be the default set of encryption types with DES
+types removed, and ``des3 DEFAULT'' would be the default set of
+encryption types with triple DES types moved to the front.
+
 While aes128-cts and aes256-cts are supported for all Kerberos
 operations, they are not supported by older versions of our GSSAPI
 implementation (krb5-1.3.1 and earlier).