From: Tom Yu Date: Mon, 31 Jan 2011 22:44:26 +0000 (+0000) Subject: pull up r24603 from trunk X-Git-Tag: krb5-1.9.1-beta1~13 X-Git-Url: http://git.tremily.us/?a=commitdiff_plain;h=6a60b22ae48f18d39e3d9eca767d2d2b9dc81c46;p=krb5.git pull up r24603 from trunk ------------------------------------------------------------------------ r24603 | ghudson | 2011-01-24 19:23:48 -0500 (Mon, 24 Jan 2011) | 15 lines ticket: 6852 subject: Make gss_krb5_set_allowable_enctypes work for the acceptor target_version: 1.9.1 tags: pullup With the addition of enctype negotiation in 1.7, a gss-krb5 acceptor can choose an enctype for the acceptor subkey other than the one in the keytab. If the resulting security context will be exported and re-imported by another gss-krb5 implementation (such as one in the kernel), the acceptor needs a way to restrict the set of negotiated enctypes to those supported by the other implementation. We had that functionality for the initiator already in the form of gss_krb5_set_allowable_enctypes; this change makes it work for the acceptor as well. ticket: 6852 version_fixed: 1.9.1 status: resolved git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-9@24610 dc483132-0cff-0310-8789-dd5450dbe970 --- diff --git a/src/lib/gssapi/krb5/accept_sec_context.c b/src/lib/gssapi/krb5/accept_sec_context.c index 0c0b3a547..d57893843 100644 --- a/src/lib/gssapi/krb5/accept_sec_context.c +++ b/src/lib/gssapi/krb5/accept_sec_context.c @@ -623,6 +623,15 @@ kg_accept_krb5(minor_status, context_handle, goto fail; } + /* Limit the encryption types negotiated (if requested). */ + if (cred->req_enctypes) { + if ((code = krb5_set_default_tgs_enctypes(context, + cred->req_enctypes))) { + major_status = GSS_S_FAILURE; + goto fail; + } + } + if ((code = krb5_rd_req(context, &auth_context, &ap_req, cred->default_identity ? NULL : cred->name->princ, cred->keytab,