From 4a8ea2dc6b7b149e4bbd1287552ac7da17665252 Mon Sep 17 00:00:00 2001 From: Tom Yu Date: Wed, 15 Apr 2009 20:07:55 +0000 Subject: [PATCH] pull up r22188 from trunk ------------------------------------------------------------------------ r22188 | ghudson | 2009-04-10 12:09:19 -0400 (Fri, 10 Apr 2009) | 8 lines Changed paths: M /trunk/doc/admin.texinfo M /trunk/doc/support-enc.texinfo ticket: 6452 subject: Document allow_weak_crypto tags: pullup target_version: 1.7 Also document which cryptosystems are defined to be weak, and add some enctype entries which weren't in the documentation. ticket: 6452 version_fixed: 1.7 git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-7@22258 dc483132-0cff-0310-8789-dd5450dbe970 --- doc/admin.texinfo | 8 ++++++++ doc/support-enc.texinfo | 16 ++++++++++------ 2 files changed, 18 insertions(+), 6 deletions(-) diff --git a/doc/admin.texinfo b/doc/admin.texinfo index 9a1983757..fbfa91f95 100644 --- a/doc/admin.texinfo +++ b/doc/admin.texinfo @@ -355,6 +355,8 @@ Following are definitions of some of the Kerberos terminology. Any tag in the configuration files which requires a list of encryption types can be set to some combination of the following strings. +Encryption types marked as ``weak'' are available for compatibility +but not recommended for use. @include support-enc.texinfo @@ -442,6 +444,12 @@ Identifies all encryption types that are permitted for use in session key encryption. The default value for this tag is @value{DefaultPermittedEnctypes}. +@itemx allow_weak_crypto +If this is set to 0 (for false), then weak encryption types will be +filtered out of the previous three lists (as noted in @ref{Supported +Encryption Types}). The default value for this tag is true, but that +default may change in the future. + @itemx clockskew Sets the maximum allowable amount of clockskew in seconds that the library will tolerate before assuming that a Kerberos message is 
diff --git a/doc/support-enc.texinfo b/doc/support-enc.texinfo index ca4e8faab..c359db6ea 100644 --- a/doc/support-enc.texinfo +++ b/doc/support-enc.texinfo @@ -5,17 +5,21 @@ in krb5/src/lib/crypto/etypes.c (and krb5/src/include/krb5.h[in]?) @table @code @item des-cbc-crc -DES cbc mode with CRC-32 +DES cbc mode with CRC-32 (weak) @item des-cbc-md4 -DES cbc mode with RSA-MD4 +DES cbc mode with RSA-MD4 (weak) @item des-cbc-md5 -DES cbc mode with RSA-MD5 +DES cbc mode with RSA-MD5 (weak) +@item des-cbc-raw +DES cbc mode raw (weak) +@item des3-cbc-raw +Triple DES cbc mode raw (weak) @item des3-cbc-sha1 @itemx des3-hmac-sha1 @itemx des3-cbc-sha1-kd -triple DES cbc mode with HMAC/sha1 +Triple DES cbc mode with HMAC/sha1 @item des-hmac-sha1 -DES with HMAC/sha1 +DES with HMAC/sha1 (weak) @item aes256-cts-hmac-sha1-96 @itemx aes256-cts AES-256 CTS mode with 96-bit SHA-1 HMAC @@ -29,5 +33,5 @@ RC4 with HMAC/MD5 @item arcfour-hmac-exp @itemx rc4-hmac-exp @itemx arcfour-hmac-md5-exp -exportable RC4 with HMAC/MD5 +Exportable RC4 with HMAC/MD5 (weak) @end table -- 2.26.2
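Review bot: in the doc/admin.texinfo hunk at @@ -355, the added sentence says weak types are "available for compatibility but not recommended for use" but does not tell the reader how to disable them. Suggest adding a cross-reference from this sentence to the allow_weak_crypto entry that the next hunk adds in the same file, so that the warning and the control are linked in both directions (the new entry already points back here with @ref{Supported Encryption Types}).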
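Review bot: in the doc/admin.texinfo hunk at @@ -442, "the previous three lists" is a positional reference that becomes wrong as soon as an entry is inserted or reordered above allow_weak_crypto; name the three enctype-list tags explicitly instead. The value notation is also mixed: the text says "set to 0 (for false)" but gives the default as "true", so pick one form and use it for both. Because the documented default leaves weak types enabled and "may change in the future", the entry should also say that a site relying on either behaviour needs to set the tag explicitly rather than depend on the default.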
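Review bot: in the doc/support-enc.texinfo hunk at @@ -5, the "(weak)" marker is appended entry by entry but the criterion is never stated, so a reader cannot tell from the table why des3-cbc-raw is marked weak while des3-cbc-sha1 is not. Suggest one sentence before @table saying what "weak" means here and that these are the entries allow_weak_crypto filters out. Minor style point: the hunk capitalises "Triple DES" but leaves "cbc" lowercase on the same lines, so the descriptions are still inconsistent in case.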