svn rev #24610: branches/krb5-1-9/src/lib/gssapi/krb5/

tlyu@MIT.EDU tlyu at MIT.EDU
Mon Jan 31 17:44:26 EST 2011


http://src.mit.edu/fisheye/changelog/krb5/?cs=24610
Commit By: tlyu
Log Message:
ticket: 6852
version_fixed: 1.9.1
status: resolved

pull up r24603 from trunk

 ------------------------------------------------------------------------
 r24603 | ghudson | 2011-01-24 19:23:48 -0500 (Mon, 24 Jan 2011) | 15 lines

 ticket: 6852
 subject: Make gss_krb5_set_allowable_enctypes work for the acceptor
 target_version: 1.9.1
 tags: pullup

 With the addition of enctype negotiation in 1.7, a gss-krb5 acceptor
 can choose an enctype for the acceptor subkey other than the one in
 the keytab.  If the resulting security context will be exported and
 re-imported by another gss-krb5 implementation (such as one in the
 kernel), the acceptor needs a way to restrict the set of negotiated
 enctypes to those supported by the other implementation.  We had that
 functionality for the initiator already in the form of
 gss_krb5_set_allowable_enctypes; this change makes it work for the
 acceptor as well.


Changed Files:
U   branches/krb5-1-9/src/lib/gssapi/krb5/accept_sec_context.c
Modified: branches/krb5-1-9/src/lib/gssapi/krb5/accept_sec_context.c
===================================================================
--- branches/krb5-1-9/src/lib/gssapi/krb5/accept_sec_context.c	2011-01-31 22:44:22 UTC (rev 24609)
+++ branches/krb5-1-9/src/lib/gssapi/krb5/accept_sec_context.c	2011-01-31 22:44:26 UTC (rev 24610)
@@ -623,6 +623,15 @@
         goto fail;
     }
 
+    /* Limit the encryption types negotiated (if requested). */
+    if (cred->req_enctypes) {
+        if ((code = krb5_set_default_tgs_enctypes(context,
+                                                  cred->req_enctypes))) {
+            major_status = GSS_S_FAILURE;
+            goto fail;
+        }
+    }
+
     if ((code = krb5_rd_req(context, &auth_context, &ap_req,
                             cred->default_identity ? NULL : cred->name->princ,
                             cred->keytab,




More information about the cvs-krb5 mailing list