
Subject: git commit

Fix gss_krb5_set_allowable_enctypes for acceptor

The acceptor implementation of gss_krb5_set_allowable_enctypes (added
in 1.9.1) is intended to restrict the acceptor subkey negotiated by
krb5_rd_req(). It uses the same approach as the initiator, calling
krb5_set_default_tgs_enctypes on the context. This has the unwanted
side effect of restricting the encryption key of the ticket, because
krb5_decrypt_tkt_part has checked krb5_is_permitted_enctype on the
ticket encryption key since 1.8.

Instead, use krb5_auth_con_setpermetypes on the auth context. This
list is only used for session key enctype negotiation. Also add
automated tests to verify that gss_krb5_set_allowable_enctypes works
as desired.
Author: Greg Hudson <>
Commit: 2e956074b228ff4df3b7462037ab69e4e88ffffe
Branch: master
src/lib/gssapi/krb5/accept_sec_context.c | 4 +-
src/tests/gssapi/ | 3 +
src/tests/gssapi/t_enctypes.c | 229 ++++++++++++++++++++++++++++++
src/tests/gssapi/ | 149 +++++++++++++++++++
4 files changed, 383 insertions(+), 2 deletions(-)
Subject: git commit

Actually build t_enctypes

Commit 2e956074b228ff4df3b7462037ab69e4e88ffffe omitted adding a
dependency to the "all" target to force the build of the t_enctypes
test program.
Author: Tom Yu <>
Commit: 34efd90d941999b277b901cf6ea18ac52141f7e9
Branch: master
src/tests/gssapi/ | 8 ++++----
1 files changed, 4 insertions(+), 4 deletions(-)
The test script won't backport directly because of the run_as_client ->
run change in in master. It will probably work if we change
"run" to "run_as_client" in the 1.11 backport of the script.
Alternatively, we could omit the tests when backporting.
From: kaduk@MIT.EDU
Subject: git commit

Fix windows build

This routine is now used in the gssapi library and must be exported
as such.
Author: Ben Kaduk <>
Commit: 64ab5e5781a8668b55dad7d46c368e5a33e08012
Branch: master
src/lib/krb5_32.def | 1 +
1 files changed, 1 insertions(+), 0 deletions(-)