diff options
author | Stef Walter <stefw@gnome.org> | 2012-07-06 19:06:48 +0200 |
---|---|---|
committer | Stephen Gallagher <sgallagh@redhat.com> | 2012-07-06 13:19:32 -0400 |
commit | aa2c6f469414668e56aa03d5ba5cecde64bc713e (patch) | |
tree | a2e7c3b20d3fc945b5a6163e0a81d12e4e583f08 /src/util/sss_krb5.c | |
parent | 346f41f1ede975cb2db0af570f5b454b9b306704 (diff) | |
download | sssd-aa2c6f469414668e56aa03d5ba5cecde64bc713e.tar.gz sssd-aa2c6f469414668e56aa03d5ba5cecde64bc713e.tar.xz sssd-aa2c6f469414668e56aa03d5ba5cecde64bc713e.zip |
Revert commit 4c157ecedd52602f75574605ef48d0c48e9bfbe8
* This broke corner cases when used with
default_tkt_types = des-cbc-crc
and DES enabled on an AD domain.
* This is fixed in kerberos instead, in a more correct way
and in a way which we cannot replicate.
Diffstat (limited to 'src/util/sss_krb5.c')
-rw-r--r-- | src/util/sss_krb5.c | 143 |
1 files changed, 0 insertions, 143 deletions
diff --git a/src/util/sss_krb5.c b/src/util/sss_krb5.c index 6cbf8c61a..8180d73d5 100644 --- a/src/util/sss_krb5.c +++ b/src/util/sss_krb5.c @@ -965,149 +965,6 @@ sss_krb5_free_keytab_entry_contents(krb5_context context, } #endif -static int -is_preferred_etype (krb5_enctype etype) -{ - static const krb5_enctype preferred[] = { - ENCTYPE_DES3_CBC_SHA1, - ENCTYPE_ARCFOUR_HMAC, - ENCTYPE_AES128_CTS_HMAC_SHA1_96, - ENCTYPE_AES256_CTS_HMAC_SHA1_96, -#ifdef ENCTYPE_CAMELLIA128_CTS_CMAC - ENCTYPE_CAMELLIA128_CTS_CMAC, -#endif -#ifdef ENCTYPE_CAMELLIA128_CTS_CMAC - ENCTYPE_CAMELLIA256_CTS_CMAC, -#endif - 0 - }; - int i; - - for (i = 0; preferred[i] != 0; i++) { - if (preferred[i] == etype) { - return 1; - } - } - - return 0; -} - -static int -compare_etypes (const void *one, - const void *two) -{ - const krb5_enctype *e1 = one; - const krb5_enctype *e2 = two; - int p1, p2; - - p1 = is_preferred_etype(*e1); - p2 = is_preferred_etype(*e2); - - if (p1 == p2) { - return (int)*e2 - (int)*e1; - } - - /* Sort preferred etypes first */ - return p2 - p1; -} - -krb5_error_code -sss_krb5_read_etypes_for_keytab(TALLOC_CTX *mem_ctx, - krb5_context context, - krb5_keytab keytab, - krb5_principal princ, - krb5_enctype **etype_list, - int *n_etype_list) -{ - krb5_kt_cursor cursor; - krb5_keytab_entry entry; - krb5_enctype *etypes = NULL; - krb5_kvno max_kvno = 0; - int allocated = 0; - TALLOC_CTX *tmp_ctx; - int count = 0; - int ret; - - tmp_ctx = talloc_new(NULL); - if (!tmp_ctx) return ENOMEM; - - ret = krb5_kt_start_seq_get(context, keytab, &cursor); - if (ret != 0) { - talloc_free(tmp_ctx); - return ret; - } - - for (;;) { - ret = krb5_kt_next_entry(context, keytab, &entry, &cursor); - if (ret != 0) { - break; - } - - if (!krb5_c_valid_enctype(entry.key.enctype) || - !krb5_principal_compare(context, entry.principal, princ)) { - continue; - } - - /* Make sure our list is for the highest kvno found for client. */ - if (entry.vno > max_kvno) { - count = 0; - max_kvno = entry.vno; - } else if (entry.vno != max_kvno) { - continue; - } - - /* - * Reallocate and add enctype. When reallocating always reserve - * one for extra logic below. - */ - if (count + 1 >= allocated) { - allocated += 16; - etypes = talloc_realloc(tmp_ctx, etypes, krb5_enctype, allocated); - if (etypes == NULL) { - ret = ENOMEM; - break; - } - } - etypes[count] = entry.key.enctype; - count++; - - /* All DES key types work with des-cbc-crc, which is more likely to be - * accepted by the KDC (since MIT KDCs refuse des-cbc-md5). */ - if (entry.key.enctype == ENCTYPE_DES_CBC_MD5 || - entry.key.enctype == ENCTYPE_DES_CBC_MD4) { - etypes[count] = ENCTYPE_DES_CBC_CRC; - count++; - } - } - - krb5_kt_end_seq_get(context, keytab, &cursor); - - if (ret == KRB5_KT_END) { - ret = 0; - } - - if (ret == 0) { - if (etypes) { - /* Sort the preferred enctypes first */ - qsort(etypes, count, sizeof(*etypes), compare_etypes); - etypes = talloc_realloc(tmp_ctx, etypes, krb5_enctype, count); - if (etypes == NULL) { - ret = ENOMEM; - } else { - *etype_list = talloc_steal(mem_ctx, etypes); - *n_etype_list = count; - } - } else { - /* The key table was empty. There are no enctypes to match */ - *etype_list = NULL; - *n_etype_list = 0; - } - } - - talloc_free(tmp_ctx); - return ret; -} - #define SSS_KRB5_FILE "FILE:" #define SSS_KRB5_DIR "DIR:" |