From 7587003ec6c0eee31d62de43b38280c04a082ad2 Mon Sep 17 00:00:00 2001
From: Nicolas Williams
Date: Thu, 13 Nov 2025 23:53:56 -0600
Subject: [PATCH] krb5: Promote AES SHA2 enctypes to preferred

---
 lib/krb5/context.c | 13 +++++--------
 1 file changed, 5 insertions(+), 8 deletions(-)

diff --git a/lib/krb5/context.c b/lib/krb5/context.c
index 0b9c967fb..034b8c425 100644
--- a/lib/krb5/context.c
+++ b/lib/krb5/context.c
@@ -856,11 +856,10 @@ KRB5_LIB_FUNCTION const krb5_enctype * KRB5_LIB_CALL
 krb5_kerberos_enctypes(krb5_context context)
 {
 static const krb5_enctype p[] = {
- ETYPE_AES256_CTS_HMAC_SHA1_96,
- ETYPE_AES128_CTS_HMAC_SHA1_96,
 ETYPE_AES256_CTS_HMAC_SHA384_192,
 ETYPE_AES128_CTS_HMAC_SHA256_128,
- ETYPE_DES3_CBC_SHA1,
+ ETYPE_AES256_CTS_HMAC_SHA1_96,
+ ETYPE_AES128_CTS_HMAC_SHA1_96,
 ETYPE_ARCFOUR_HMAC_MD5,
 ETYPE_NULL
 };
@@ -870,12 +869,7 @@ krb5_kerberos_enctypes(krb5_context context)
 ETYPE_AES128_CTS_HMAC_SHA1_96,
 ETYPE_AES256_CTS_HMAC_SHA384_192,
 ETYPE_AES128_CTS_HMAC_SHA256_128,
- ETYPE_DES3_CBC_SHA1,
- ETYPE_DES3_CBC_MD5,
 ETYPE_ARCFOUR_HMAC_MD5,
- ETYPE_DES_CBC_MD5,
- ETYPE_DES_CBC_MD4,
- ETYPE_DES_CBC_CRC,
 ETYPE_NULL
 };
 
@@ -883,6 +877,9 @@ krb5_kerberos_enctypes(krb5_context context)
 * if the list of enctypes enabled by "allow_weak_crypto"
 * are valid, then return the former default enctype list
 * that contained the weak entries.
+ *
+ * XXX We should nuke all traces of dead code like this that references
+ * 1DES and 3DES.
 */
 if (krb5_enctype_valid(context, ETYPE_DES_CBC_CRC) == 0 &&
 krb5_enctype_valid(context, ETYPE_DES_CBC_MD4) == 0 &&
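Review bot: `ETYPE_ARCFOUR_HMAC_MD5` stays in the preferred list `p[]` in the first hunk even though `ETYPE_DES3_CBC_SHA1` is dropped from it. RFC 8429 deprecates both 3DES and RC4 for Kerberos, and RC4-HMAC keys are derived without a salt, so as far as the visible lines show it remains part of the defaults this function returns. If it is retained for interoperability with older peers, say so on the entry, e.g. `/* legacy interop only; deprecated by RFC 8429 */`; otherwise remove it in the same change. The body of `krb5_kerberos_enctypes` continues outside the hunk.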
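Review bot: `weak[]` in the second hunk is not reordered along with `p[]`: its visible entries still place `ETYPE_AES128_CTS_HMAC_SHA1_96` ahead of the two SHA2 enctypes. When the `krb5_enctype_valid()` checks in the third hunk all succeed, callers therefore appear to get a SHA1-first preference order, the opposite of what this commit promotes. With the DES and 3DES entries removed, `weak[]` no longer holds any of the entries the comment calls "the weak entries", so the branch now seems to change only the ordering. Either give `weak[]` the same SHA2-first order as `p[]`, or drop the branch and return `p` unconditionally. The start of `weak[]` and the return statements are outside the hunks shown, so confirm against the full function.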