svn rev #24630: branches/krb5-1-8/src/lib/gssapi/krb5/
tlyu@MIT.EDU
tlyu at MIT.EDU
Wed Feb 9 17:19:02 EST 2011
http://src.mit.edu/fisheye/changelog/krb5/?cs=24630
Commit By: tlyu
Log Message:
ticket: 6853
version_fixed: 1.8.4
status: resolved
pull up r24603 from trunk
------------------------------------------------------------------------
r24603 | ghudson | 2011-01-24 19:23:48 -0500 (Mon, 24 Jan 2011) | 15 lines
ticket: 6852
subject: Make gss_krb5_set_allowable_enctypes work for the acceptor
target_version: 1.9.1
tags: pullup
With the addition of enctype negotiation in 1.7, a gss-krb5 acceptor
can choose an enctype for the acceptor subkey other than the one in
the keytab. If the resulting security context will be exported and
re-imported by another gss-krb5 implementation (such as one in the
kernel), the acceptor needs a way to restrict the set of negotiated
enctypes to those supported by the other implementation. We had that
functionality for the initiator already in the form of
gss_krb5_set_allowable_enctypes; this change makes it work for the
acceptor as well.
Changed Files:
U branches/krb5-1-8/src/lib/gssapi/krb5/accept_sec_context.c
Modified: branches/krb5-1-8/src/lib/gssapi/krb5/accept_sec_context.c
===================================================================
--- branches/krb5-1-8/src/lib/gssapi/krb5/accept_sec_context.c 2011-02-09 21:55:36 UTC (rev 24629)
+++ branches/krb5-1-8/src/lib/gssapi/krb5/accept_sec_context.c 2011-02-09 22:19:02 UTC (rev 24630)
@@ -583,6 +583,15 @@
goto fail;
}
+ /* Limit the encryption types negotiated (if requested). */
+ if (cred->req_enctypes) {
+ if ((code = krb5_set_default_tgs_enctypes(context,
+ cred->req_enctypes))) {
+ major_status = GSS_S_FAILURE;
+ goto fail;
+ }
+ }
+
if ((code = krb5_rd_req(context, &auth_context, &ap_req,
cred->default_identity ? NULL : cred->name->princ,
cred->keytab,
More information about the cvs-krb5
mailing list