[krbdev.mit.edu #7688] git commit
Greg Hudson via RT
rt-comment at krbdev.mit.edu
Mon Aug 12 11:48:48 EDT 2013
Fix gss_krb5_set_allowable_enctypes for acceptor
The acceptor implementation of gss_krb5_set_allowable_enctypes (added
in 1.9.1) is intended to restrict the acceptor subkey negotiated by
krb5_rd_req(). It uses the same approach as the initiator, calling
krb5_set_default_tgs_enctypes on the context. This has the unwanted
side effect of restricting the encryption key of the ticket, because
krb5_decrypt_tkt_part has checked krb5_is_permitted_enctype on the
ticket encryption key since 1.8.
Instead, use krb5_auth_con_setpermetypes on the auth context. This
list is only used for session key enctype negotiation. Also add
automated tests to verify that gss_krb5_set_allowable_enctypes works
as desired.
https://github.com/krb5/krb5/commit/2e956074b228ff4df3b7462037ab69e4e88ffffe
Author: Greg Hudson <ghudson at mit.edu>
Commit: 2e956074b228ff4df3b7462037ab69e4e88ffffe
Branch: master
src/lib/gssapi/krb5/accept_sec_context.c | 4 +-
src/tests/gssapi/Makefile.in | 3 +
src/tests/gssapi/t_enctypes.c | 229 ++++++++++++++++++++++++++++++
src/tests/gssapi/t_enctypes.py | 149 +++++++++++++++++++
4 files changed, 383 insertions(+), 2 deletions(-)
More information about the krb5-bugs
mailing list