From: huaraz
Date: Sat, 25 Jan 2020 03:36:49 +0000 (+0000)
Subject: kerberos_ldap_group: fix encryption type for cross realm check (#542)
X-Git-Tag: 4.15-20210522-snapshot~170
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=b4548e78f1b1a706619b90e88d876ec06b80ac41;p=thirdparty%2Fsquid.git

kerberos_ldap_group: fix encryption type for cross realm check (#542)

Newer setups require AESxxx encryption but old Crossrealm tickets are still using RC4. Remove the use of the cached client ticket encryption type and use the configured default list (which must include AESxxx and RC4).
---

diff --git a/src/acl/external/kerberos_ldap_group/support_krb5.cc b/src/acl/external/kerberos_ldap_group/support_krb5.cc
index 48b7c0f15a..6d50c73166 100644
--- a/src/acl/external/kerberos_ldap_group/support_krb5.cc
+++ b/src/acl/external/kerberos_ldap_group/support_krb5.cc
@@ -465,6 +465,12 @@ krb5_create_cache(char *domain, char *service_principal_name)
 k5_error("Error while initialising TGT credentials", code);
 goto loop_end;
 }
+
+ // overwrite limitation of enctypes
+ creds->keyblock.enctype = 0;
+ if (creds->keyblock.contents)
+ krb5_free_keyblock_contents(kparam.context, &creds->keyblock);
+
 code = krb5_get_credentials(kparam.context, 0, kparam.cc[ccindex], creds, &tgt_creds);
 if (code) {
 k5_error("Error while getting tgt", code);
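Review bot: The comment `// overwrite limitation of enctypes` on the added lines does not say what is being overwritten or why, which matters because clearing `creds->keyblock.enctype` before the `krb5_get_credentials` call changes which enctypes the library may negotiate for the service ticket; suggest `// Drop the cached client ticket's session-key enctype so krb5_get_credentials() falls back to the library's configured default enctype list (cross-realm TGTs may still be RC4 while the client ticket is AES).` Setting the enctype to 0 and only then freeing the key contents reads backwards; freeing first and resetting the enctype afterwards makes it explicit that the free call is not relied on to reset the type, since whether it does is library-specific and not visible here. Whether RC4 is actually admitted after this change now rests entirely on the library's configured permitted/default enctypes (for MIT, `permitted_enctypes` in krb5.conf), so that configuration, not this code, is where the RC4 decision should be reviewed and recorded. krb5_create_cache starts before and continues after the hunk.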