From 0e9bf73d2b8da55aedd25061faefe6a22d9613d3 Mon Sep 17 00:00:00 2001
From: Nicolas Williams
Date: Mon, 4 Jun 2012 17:17:31 -0500
Subject: Add control over session key enctype negotiation

Adds a principal string attribute named "session_enctypes" which can specify what enctypes the principal supports for session keys. (For what it's worth, this actually allows one to list des-cbc-md5 as a supported session key enctype, though obviously this hardly matters now.)

Add a [realms] section parameter for specifying whether to assume that principals (which lack the session_enctypes attribute) support des-cbc-crc for session keys. This allows those who still need to use allow_weak_crypto=true, for whatever reason, to start reducing the number of tickets issued with des-cbc-crc session keys to clients which still give des-cbc-crc preference in their default_tgs_enctypes list.

[ghudson@mit.edu: Miscellaneous edits, cleanups, and fixes; refactored test script; documented session_enctypes attribute]
---
 src/include/adm.h    | 2 ++
 src/include/k5-int.h | 1 +
 src/include/kdb.h    | 3 +++
 3 files changed, 6 insertions(+)
(limited to 'src/include')

diff --git a/src/include/adm.h b/src/include/adm.h
index 9c75b156a..9b05f79d7 100644
--- a/src/include/adm.h
+++ b/src/include/adm.h
@@ -218,6 +218,8 @@ typedef struct __krb5_realm_params {
     unsigned int realm_flags_valid:1;
     unsigned int realm_reject_bad_transit_valid:1;
     unsigned int realm_restrict_anon_valid:1;
+    unsigned int realm_assume_des_crc_sess:1;
+    unsigned int realm_assume_des_crc_sess_valid:1;
     krb5_int32 realm_num_keysalts;
 } krb5_realm_params;
 #endif /* KRB5_ADM_H__ */
diff --git a/src/include/k5-int.h b/src/include/k5-int.h
index ca18baf13..ee15eacd8 100644
--- a/src/include/k5-int.h
+++ b/src/include/k5-int.h
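Review bot: The two new bit-fields `realm_assume_des_crc_sess` and `realm_assume_des_crc_sess_valid` are added without a comment, so a reader of adm.h cannot tell which way the assumption runs or that it governs issuance of a weak (des-cbc-crc) session key; that only appears in the commit message. I would put a short comment above the first of them, `/* Assume principals lacking a session_enctypes attribute support des-cbc-crc session keys; _valid: set when the realm configured it. */`, wrapped to the file's comment width. The `realm_*`/`realm_*_valid` pairing matches the existing fields, so the layout itself is consistent. The enclosing `krb5_realm_params` struct begins before this hunk.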
@@ -266,6 +266,7 @@ typedef INT64_TYPE krb5_int64;
 #define KRB5_CONF_REJECT_BAD_TRANSIT "reject_bad_transit"
 #define KRB5_CONF_RENEW_LIFETIME "renew_lifetime"
 #define KRB5_CONF_RESTRICT_ANONYMOUS_TO_TGT "restrict_anonymous_to_tgt"
+#define KRB5_CONF_ASSUME_DES_CRC_SESSION "des_crc_session_supported"
 #define KRB5_CONF_SAFE_CHECKSUM_TYPE "safe_checksum_type"
 #define KRB5_CONF_SUPPORTED_ENCTYPES "supported_enctypes"
 #define KRB5_CONF_TICKET_LIFETIME "ticket_lifetime"
diff --git a/src/include/kdb.h b/src/include/kdb.h
index 67c403155..291a05bb6 100644
--- a/src/include/kdb.h
+++ b/src/include/kdb.h
@@ -131,6 +131,9 @@
 #define KRB5_KDB_FLAGS_S4U ( KRB5_KDB_FLAG_PROTOCOL_TRANSITION | \
                              KRB5_KDB_FLAG_CONSTRAINED_DELEGATION )
 
+/* String attribute names recognized by krb5 */
+#define KRB5_KDB_SK_SESSION_ENCTYPES "session_enctypes"
+
 #if !defined(_WIN32)
 /*
-- 
cgit
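Review bot: The new macro name `KRB5_CONF_ASSUME_DES_CRC_SESSION` does not correspond to its option string `des_crc_session_supported`, whereas every neighbouring entry in this hunk maps the symbol directly onto the option name (`KRB5_CONF_RESTRICT_ANONYMOUS_TO_TGT` for `restrict_anonymous_to_tgt`), and the line is also dropped between the `R…` and `S…` entries although the surrounding list is kept in alphabetical order. Anyone grepping from the option an administrator set in krb5.conf to the code that honours it will not find the symbol. I would rename it to `#define KRB5_CONF_DES_CRC_SESSION_SUPPORTED "des_crc_session_supported"` and move it to its sorted position in the list (outside this hunk), or at minimum keep the name and sort it. Since this option controls whether a weak session-key enctype is assumed, the value the KDC applies when it is absent is worth stating in a comment here or in adm.h; that default is not visible in this diff.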