| author | Greg Hudson <ghudson@mit.edu> | 2013-08-05 23:47:52 -0400 |
|---|---|---|
| committer | Greg Hudson <ghudson@mit.edu> | 2013-08-12 11:48:30 -0400 |
| commit | 2e956074b228ff4df3b7462037ab69e4e88ffffe (patch) | |
| tree | dc5b984c1ac87bdd44f464e478302fd7bab39306 /src/include | |
| parent | 941f3d999ad403f327c0a7ccc5c1f71347a6221a (diff) | |

Fix gss_krb5_set_allowable_enctypes for acceptor

The acceptor implementation of gss_krb5_set_allowable_enctypes (added
in 1.9.1) is intended to restrict the acceptor subkey negotiated by
krb5_rd_req(). It uses the same approach as the initiator, calling
krb5_set_default_tgs_enctypes on the context. This has the unwanted
side effect of restricting the encryption key of the ticket, because
krb5_decrypt_tkt_part has checked krb5_is_permitted_enctype on the
ticket encryption key since 1.8.

Instead, use krb5_auth_con_setpermetypes on the auth context. This
list is only used for session key enctype negotiation. Also add
automated tests to verify that gss_krb5_set_allowable_enctypes works
as desired.

ticket: 7688 (new)
target_version: 1.11.4
tags: pullup

Diffstat (limited to 'src/include')
0 files changed, 0 insertions, 0 deletions
