From aa2c6f469414668e56aa03d5ba5cecde64bc713e Mon Sep 17 00:00:00 2001
From: Stef Walter <stefw@gnome.org>
Date: Fri, 6 Jul 2012 19:06:48 +0200
Subject: Revert commit 4c157ecedd52602f75574605ef48d0c48e9bfbe8

 * This broke corner cases when used with
      default_tkt_types = des-cbc-crc
   and DES enabled on an AD domain.
 * This is fixed in kerberos instead, in a more correct way
   and in a way which we cannot replicate.
---
 src/util/sss_krb5.c | 143 ----------------------------------------------------
 src/util/sss_krb5.h |   8 ---
 2 files changed, 151 deletions(-)

(limited to 'src/util')

diff --git a/src/util/sss_krb5.c b/src/util/sss_krb5.c
index 6cbf8c61a..8180d73d5 100644
--- a/src/util/sss_krb5.c
+++ b/src/util/sss_krb5.c
@@ -965,149 +965,6 @@ sss_krb5_free_keytab_entry_contents(krb5_context context,
 }
 #endif
 
-static int
-is_preferred_etype (krb5_enctype etype)
-{
-    static const krb5_enctype preferred[] = {
-        ENCTYPE_DES3_CBC_SHA1,
-        ENCTYPE_ARCFOUR_HMAC,
-        ENCTYPE_AES128_CTS_HMAC_SHA1_96,
-        ENCTYPE_AES256_CTS_HMAC_SHA1_96,
-#ifdef ENCTYPE_CAMELLIA128_CTS_CMAC
-        ENCTYPE_CAMELLIA128_CTS_CMAC,
-#endif
-#ifdef ENCTYPE_CAMELLIA128_CTS_CMAC
-        ENCTYPE_CAMELLIA256_CTS_CMAC,
-#endif
-        0
-    };
-    int i;
-
-    for (i = 0; preferred[i] != 0; i++) {
-        if (preferred[i] == etype) {
-            return 1;
-        }
-    }
-
-    return 0;
-}
-
-static int
-compare_etypes (const void *one,
-                const void *two)
-{
-    const krb5_enctype *e1 = one;
-    const krb5_enctype *e2 = two;
-    int p1, p2;
-
-    p1 = is_preferred_etype(*e1);
-    p2 = is_preferred_etype(*e2);
-
-    if (p1 == p2) {
-        return (int)*e2 - (int)*e1;
-    }
-
-    /* Sort preferred etypes first */
-    return p2 - p1;
-}
-
-krb5_error_code
-sss_krb5_read_etypes_for_keytab(TALLOC_CTX *mem_ctx,
-                                krb5_context context,
-                                krb5_keytab keytab,
-                                krb5_principal princ,
-                                krb5_enctype **etype_list,
-                                int *n_etype_list)
-{
-    krb5_kt_cursor cursor;
-    krb5_keytab_entry entry;
-    krb5_enctype *etypes = NULL;
-    krb5_kvno max_kvno = 0;
-    int allocated = 0;
-    TALLOC_CTX *tmp_ctx;
-    int count = 0;
-    int ret;
-
-    tmp_ctx = talloc_new(NULL);
-    if (!tmp_ctx) return ENOMEM;
-
-    ret = krb5_kt_start_seq_get(context, keytab, &cursor);
-    if (ret != 0) {
-        talloc_free(tmp_ctx);
-        return ret;
-    }
-
-    for (;;) {
-        ret = krb5_kt_next_entry(context, keytab, &entry, &cursor);
-        if (ret != 0) {
-            break;
-        }
-
-        if (!krb5_c_valid_enctype(entry.key.enctype) ||
-            !krb5_principal_compare(context, entry.principal, princ)) {
-            continue;
-        }
-
-        /* Make sure our list is for the highest kvno found for client. */
-        if (entry.vno > max_kvno) {
-            count = 0;
-            max_kvno = entry.vno;
-        } else if (entry.vno != max_kvno) {
-            continue;
-        }
-
-        /*
-         * Reallocate and add enctype. When reallocating always reserve
-         * one for extra logic below.
-         */
-        if (count + 1 >= allocated) {
-            allocated += 16;
-            etypes = talloc_realloc(tmp_ctx, etypes, krb5_enctype, allocated);
-            if (etypes == NULL) {
-                ret = ENOMEM;
-                break;
-            }
-        }
-        etypes[count] = entry.key.enctype;
-        count++;
-
-        /* All DES key types work with des-cbc-crc, which is more likely to be
-         * accepted by the KDC (since MIT KDCs refuse des-cbc-md5). */
-        if (entry.key.enctype == ENCTYPE_DES_CBC_MD5 ||
-            entry.key.enctype == ENCTYPE_DES_CBC_MD4) {
-            etypes[count] = ENCTYPE_DES_CBC_CRC;
-            count++;
-        }
-    }
-
-    krb5_kt_end_seq_get(context, keytab, &cursor);
-
-    if (ret == KRB5_KT_END) {
-        ret = 0;
-    }
-
-    if (ret == 0) {
-        if (etypes) {
-            /* Sort the preferred enctypes first */
-            qsort(etypes, count, sizeof(*etypes), compare_etypes);
-            etypes = talloc_realloc(tmp_ctx, etypes, krb5_enctype, count);
-            if (etypes == NULL) {
-                ret = ENOMEM;
-            } else {
-                *etype_list = talloc_steal(mem_ctx, etypes);
-                *n_etype_list = count;
-            }
-        } else {
-            /* The key table was empty. There are no enctypes to match */
-            *etype_list = NULL;
-            *n_etype_list = 0;
-        }
-    }
-
-    talloc_free(tmp_ctx);
-    return ret;
-}
-
 #define SSS_KRB5_FILE   "FILE:"
 #define SSS_KRB5_DIR    "DIR:"
 
diff --git a/src/util/sss_krb5.h b/src/util/sss_krb5.h
index d56b3bdd5..22d2c96eb 100644
--- a/src/util/sss_krb5.h
+++ b/src/util/sss_krb5.h
@@ -168,12 +168,4 @@ typedef krb5_ticket_times sss_krb5_ticket_times;
 typedef krb5_times sss_krb5_ticket_times;
 #endif
 
-krb5_error_code
-sss_krb5_read_etypes_for_keytab(TALLOC_CTX *mem_ctx,
-                                krb5_context context,
-                                krb5_keytab keytab,
-                                krb5_principal princ,
-                                krb5_enctype **etype_list,
-                                int *n_etype_list);
-
 #endif /* __SSS_KRB5_H__ */
-- 
cgit