git.ipfire.org Git - thirdparty/krb5.git/commit

author	Greg Hudson <ghudson@mit.edu>
	Tue, 6 Aug 2013 03:47:52 +0000 (23:47 -0400)
committer	Greg Hudson <ghudson@mit.edu>
	Mon, 12 Aug 2013 15:48:30 +0000 (11:48 -0400)
commit	2e956074b228ff4df3b7462037ab69e4e88ffffe
tree	dc5b984c1ac87bdd44f464e478302fd7bab39306	tree
parent	941f3d999ad403f327c0a7ccc5c1f71347a6221a	commit \| diff

Fix gss_krb5_set_allowable_enctypes for acceptor

The acceptor implementation of gss_krb5_set_allowable_enctypes (added
in 1.9.1) is intended to restrict the acceptor subkey negotiated by
krb5_rd_req().  It uses the same approach as the initiator, calling
krb5_set_default_tgs_enctypes on the context.  This has the unwanted
side effect of restricting the encryption key of the ticket, because
krb5_decrypt_tkt_part has checked krb5_is_permitted_enctype on the
ticket encryption key since 1.8.

Instead, use krb5_auth_con_setpermetypes on the auth context.  This
list is only used for session key enctype negotiation.  Also add
automated tests to verify that gss_krb5_set_allowable_enctypes works
as desired.

ticket: 7688 (new)
target_version: 1.11.4
tags: pullup

src/lib/gssapi/krb5/accept_sec_context.c		diff \| blob \| blame \| history
src/tests/gssapi/Makefile.in		diff \| blob \| blame \| history
src/tests/gssapi/t_enctypes.c	[new file with mode: 0644]	blob
src/tests/gssapi/t_enctypes.py	[new file with mode: 0644]	blob