[krbdev.mit.edu #7688] git commit

Greg Hudson via RT rt-comment at krbdev.mit.edu
Mon Aug 12 11:48:48 EDT 2013


Fix gss_krb5_set_allowable_enctypes for acceptor

The acceptor implementation of gss_krb5_set_allowable_enctypes (added
in 1.9.1) is intended to restrict the acceptor subkey negotiated by
krb5_rd_req().  It uses the same approach as the initiator, calling
krb5_set_default_tgs_enctypes on the context.  This has the unwanted
side effect of restricting the encryption key of the ticket, because
krb5_decrypt_tkt_part has checked krb5_is_permitted_enctype on the
ticket encryption key since 1.8.

Instead, use krb5_auth_con_setpermetypes on the auth context.  This
list is only used for session key enctype negotiation.  Also add
automated tests to verify that gss_krb5_set_allowable_enctypes works
as desired.

https://github.com/krb5/krb5/commit/2e956074b228ff4df3b7462037ab69e4e88ffffe
Author: Greg Hudson <ghudson at mit.edu>
Commit: 2e956074b228ff4df3b7462037ab69e4e88ffffe
Branch: master
 src/lib/gssapi/krb5/accept_sec_context.c |    4 +-
 src/tests/gssapi/Makefile.in             |    3 +
 src/tests/gssapi/t_enctypes.c            |  229 ++++++++++++++++++++++++++++++
 src/tests/gssapi/t_enctypes.py           |  149 +++++++++++++++++++
 4 files changed, 383 insertions(+), 2 deletions(-)



More information about the krb5-bugs mailing list