From 2e956074b228ff4df3b7462037ab69e4e88ffffe Mon Sep 17 00:00:00 2001 From: Greg Hudson Date: Mon, 5 Aug 2013 23:47:52 -0400 Subject: Fix gss_krb5_set_allowable_enctypes for acceptor The acceptor implementation of gss_krb5_set_allowable_enctypes (added in 1.9.1) is intended to restrict the acceptor subkey negotiated by krb5_rd_req(). It uses the same approach as the initiator, calling krb5_set_default_tgs_enctypes on the context. This has the unwanted side effect of restricting the encryption key of the ticket, because krb5_decrypt_tkt_part has checked krb5_is_permitted_enctype on the ticket encryption key since 1.8. Instead, use krb5_auth_con_setpermetypes on the auth context. This list is only used for session key enctype negotiation. Also add automated tests to verify that gss_krb5_set_allowable_enctypes works as desired. ticket: 7688 (new) target_version: 1.11.4 tags: pullup --- src/lib/gssapi/krb5/accept_sec_context.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'src/lib') diff --git a/src/lib/gssapi/krb5/accept_sec_context.c b/src/lib/gssapi/krb5/accept_sec_context.c index 42ac1226b..82bd013c3 100644 --- a/src/lib/gssapi/krb5/accept_sec_context.c +++ b/src/lib/gssapi/krb5/accept_sec_context.c @@ -625,8 +625,8 @@ kg_accept_krb5(minor_status, context_handle, /* Limit the encryption types negotiated (if requested). */ if (cred->req_enctypes) { - if ((code = krb5_set_default_tgs_enctypes(context, - cred->req_enctypes))) { + if ((code = krb5_auth_con_setpermetypes(context, auth_context, + cred->req_enctypes))) { major_status = GSS_S_FAILURE; goto fail; } -- cgit