Skip Menu |

Subject: gss_set_allowable_enctypes() fails if any enctypes aren't recognized
Date: Mon, 15 Jul 2019 22:29:17 -0400
gss_set_allowable_enctypes() is typically used to force the session key negotiated for a GSS context to fall within the supported set of another implementation, such as the Linux kernel.

In the current implementation, any invalid enctype in the requested set causes the call to fail.  This can cause a problem if the external implementation supports any enctypes we don't.  In Debian bug #932000 this was observed because the kernel still supports single-DES enctypes while we removed them.  The problem could also arise if the kernel supports enctypes too new for libkrb5, such as if the kernel supports aes-sha2 enctypes but libkrb5 is from a release before 1.15.

Of course the caller can do its own filtering with krb5_c_valid_enctype(), but that's pushing work onto the caller for no reason.  Instead, gss_set_allowable_enctypes() should filter out invalid enctypes and only error out if no enctypes remain.
Subject: git commit

Filter enctypes in gss_set_allowable_enctypes()

Instead of erroring out when any invalid enctypes are present in the
caller's list, filter out the invalid ones and only error if no
enctypes remain.
Author: Greg Hudson <>
Commit: 37ab7ea128a4c2aa2dad65ab9006baded5335bc7
Branch: master
src/lib/gssapi/krb5/set_allowable_enctypes.c | 29 ++++++++++++-------------
1 files changed, 14 insertions(+), 15 deletions(-)