summaryrefslogtreecommitdiffstats
path: root/src/util/sss_krb5.c
diff options
context:
space:
mode:
authorStef Walter <stefw@gnome.org>2012-07-06 19:06:48 +0200
committerStephen Gallagher <sgallagh@redhat.com>2012-07-06 13:19:32 -0400
commitaa2c6f469414668e56aa03d5ba5cecde64bc713e (patch)
treea2e7c3b20d3fc945b5a6163e0a81d12e4e583f08 /src/util/sss_krb5.c
parent346f41f1ede975cb2db0af570f5b454b9b306704 (diff)
downloadsssd-aa2c6f469414668e56aa03d5ba5cecde64bc713e.tar.gz
sssd-aa2c6f469414668e56aa03d5ba5cecde64bc713e.tar.xz
sssd-aa2c6f469414668e56aa03d5ba5cecde64bc713e.zip
Revert commit 4c157ecedd52602f75574605ef48d0c48e9bfbe8
* This broke corner cases when used with default_tkt_types = des-cbc-crc and DES enabled on an AD domain. * This is fixed in kerberos instead, in a more correct way and in a way which we cannot replicate.
Diffstat (limited to 'src/util/sss_krb5.c')
-rw-r--r--src/util/sss_krb5.c143
1 files changed, 0 insertions, 143 deletions
diff --git a/src/util/sss_krb5.c b/src/util/sss_krb5.c
index 6cbf8c61a..8180d73d5 100644
--- a/src/util/sss_krb5.c
+++ b/src/util/sss_krb5.c
@@ -965,149 +965,6 @@ sss_krb5_free_keytab_entry_contents(krb5_context context,
}
#endif
-static int
-is_preferred_etype (krb5_enctype etype)
-{
- static const krb5_enctype preferred[] = {
- ENCTYPE_DES3_CBC_SHA1,
- ENCTYPE_ARCFOUR_HMAC,
- ENCTYPE_AES128_CTS_HMAC_SHA1_96,
- ENCTYPE_AES256_CTS_HMAC_SHA1_96,
-#ifdef ENCTYPE_CAMELLIA128_CTS_CMAC
- ENCTYPE_CAMELLIA128_CTS_CMAC,
-#endif
-#ifdef ENCTYPE_CAMELLIA128_CTS_CMAC
- ENCTYPE_CAMELLIA256_CTS_CMAC,
-#endif
- 0
- };
- int i;
-
- for (i = 0; preferred[i] != 0; i++) {
- if (preferred[i] == etype) {
- return 1;
- }
- }
-
- return 0;
-}
-
-static int
-compare_etypes (const void *one,
- const void *two)
-{
- const krb5_enctype *e1 = one;
- const krb5_enctype *e2 = two;
- int p1, p2;
-
- p1 = is_preferred_etype(*e1);
- p2 = is_preferred_etype(*e2);
-
- if (p1 == p2) {
- return (int)*e2 - (int)*e1;
- }
-
- /* Sort preferred etypes first */
- return p2 - p1;
-}
-
-krb5_error_code
-sss_krb5_read_etypes_for_keytab(TALLOC_CTX *mem_ctx,
- krb5_context context,
- krb5_keytab keytab,
- krb5_principal princ,
- krb5_enctype **etype_list,
- int *n_etype_list)
-{
- krb5_kt_cursor cursor;
- krb5_keytab_entry entry;
- krb5_enctype *etypes = NULL;
- krb5_kvno max_kvno = 0;
- int allocated = 0;
- TALLOC_CTX *tmp_ctx;
- int count = 0;
- int ret;
-
- tmp_ctx = talloc_new(NULL);
- if (!tmp_ctx) return ENOMEM;
-
- ret = krb5_kt_start_seq_get(context, keytab, &cursor);
- if (ret != 0) {
- talloc_free(tmp_ctx);
- return ret;
- }
-
- for (;;) {
- ret = krb5_kt_next_entry(context, keytab, &entry, &cursor);
- if (ret != 0) {
- break;
- }
-
- if (!krb5_c_valid_enctype(entry.key.enctype) ||
- !krb5_principal_compare(context, entry.principal, princ)) {
- continue;
- }
-
- /* Make sure our list is for the highest kvno found for client. */
- if (entry.vno > max_kvno) {
- count = 0;
- max_kvno = entry.vno;
- } else if (entry.vno != max_kvno) {
- continue;
- }
-
- /*
- * Reallocate and add enctype. When reallocating always reserve
- * one for extra logic below.
- */
- if (count + 1 >= allocated) {
- allocated += 16;
- etypes = talloc_realloc(tmp_ctx, etypes, krb5_enctype, allocated);
- if (etypes == NULL) {
- ret = ENOMEM;
- break;
- }
- }
- etypes[count] = entry.key.enctype;
- count++;
-
- /* All DES key types work with des-cbc-crc, which is more likely to be
- * accepted by the KDC (since MIT KDCs refuse des-cbc-md5). */
- if (entry.key.enctype == ENCTYPE_DES_CBC_MD5 ||
- entry.key.enctype == ENCTYPE_DES_CBC_MD4) {
- etypes[count] = ENCTYPE_DES_CBC_CRC;
- count++;
- }
- }
-
- krb5_kt_end_seq_get(context, keytab, &cursor);
-
- if (ret == KRB5_KT_END) {
- ret = 0;
- }
-
- if (ret == 0) {
- if (etypes) {
- /* Sort the preferred enctypes first */
- qsort(etypes, count, sizeof(*etypes), compare_etypes);
- etypes = talloc_realloc(tmp_ctx, etypes, krb5_enctype, count);
- if (etypes == NULL) {
- ret = ENOMEM;
- } else {
- *etype_list = talloc_steal(mem_ctx, etypes);
- *n_etype_list = count;
- }
- } else {
- /* The key table was empty. There are no enctypes to match */
- *etype_list = NULL;
- *n_etype_list = 0;
- }
- }
-
- talloc_free(tmp_ctx);
- return ret;
-}
-
#define SSS_KRB5_FILE "FILE:"
#define SSS_KRB5_DIR "DIR:"