X-RT-Interface: Web
X-Mailer: MIME-tools 5.507 (Entity 5.507)
Content-Disposition: inline
To: rt@krbdev.mit.edu
From: ghudson@mit.edu
Subject: gss_set_allowable_enctypes() fails if any enctypes aren't recognized
Date: Mon, 15 Jul 2019 22:29:17 -0400
MIME-Version: 1.0
Message-ID: <rt-4.4.4-50301-1563244157-578.0-0-0@mit.edu>
Content-Transfer-Encoding: binary
Content-Type: text/html; charset="utf-8"
X-RT-Original-Encoding: utf-8
Content-Length: 1106

gss_set_allowable_enctypes() is typically used to force the session key negotiated for a GSS context to fall within the supported set of another implementation, such as the Linux kernel.<br />
<br />
In the current implementation, any invalid enctype in the requested set causes the call to fail.&nbsp; This can cause a problem if the external implementation supports any enctypes we don&#39;t.&nbsp; In Debian bug #932000 this was observed because the kernel still supports single-DES enctypes while we removed them.&nbsp; The problem could also arise if the kernel supports enctypes too new for libkrb5, such as if the kernel supports aes-sha2 enctypes but libkrb5 is from a release before 1.15.<br />
<br />
Of course the caller can do its own filtering with krb5_c_valid_enctype(), but that&#39;s pushing work onto the caller for no reason.&nbsp; Instead, gss_set_allowable_enctypes() should filter out invalid enctypes and only error out if no enctypes remain.<br />
<br />
<a href="https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=932000">https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=932000</a>