From 7d16663dfadafbf0d89f62f4d852d842b9a7d463 Mon Sep 17 00:00:00 2001
From: Nicolas Williams
Date: Thu, 13 Nov 2025 23:52:41 -0600
Subject: [PATCH] gsskrb5: Fix part of the enctype negotiation problems

---
 lib/gssapi/krb5/init_sec_context.c | 4 ++++
 lib/krb5/build_auth.c | 30 ++++++++++++++++++++++++------
 lib/krb5/mk_req_ext.c | 1 +
 3 files changed, 29 insertions(+), 6 deletions(-)

diff --git a/lib/gssapi/krb5/init_sec_context.c b/lib/gssapi/krb5/init_sec_context.c
index fbf9e5521..e52c81d8f 100644
--- a/lib/gssapi/krb5/init_sec_context.c
+++ b/lib/gssapi/krb5/init_sec_context.c
@@ -452,6 +452,9 @@ init_auth
 ctx->auth_context,
 &ctx->kcred->session);
 
+ if (cred && cred->enctypes && cred->enctypes[0] != KRB5_ENCTYPE_NULL)
+ ctx->auth_context->keytype = cred->enctypes[0];
+
 kret = krb5_auth_con_generatelocalsubkey(context,
 ctx->auth_context,
 &ctx->kcred->session);
@@ -630,6 +633,7 @@ init_auth_restart
 kret = _krb5_build_authenticator(context,
 ctx->auth_context,
 enctype,
+ cred ? cred->enctypes : NULL,
 ctx->kcred,
 &cksum,
 channel_bound,
diff --git a/lib/krb5/build_auth.c b/lib/krb5/build_auth.c
index 0ca33d335..0a36274cc 100644
--- a/lib/krb5/build_auth.c
+++ b/lib/krb5/build_auth.c
@@ -51,6 +51,7 @@ add_auth_data(krb5_context context,
 
 static krb5_error_code
 add_etypelist(krb5_context context,
+ krb5_enctype *allowed_enctypes,
 krb5_authdata *auth_data)
 {
 AuthorizationDataElement ade;
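Review bot: The new keytype assignment pokes `ctx->auth_context->keytype` directly and uses `cred->enctypes[0]` without any validation, so an enctype the local library does not support or has disabled is handed straight to krb5_auth_con_generatelocalsubkey on the following lines instead of being rejected with a clear error. I would route it through the auth-context setter and check the enctype first, e.g. `if (krb5_enctype_valid(context, cred->enctypes[0]) == 0) krb5_auth_con_setkeytype(context, ctx->auth_context, cred->enctypes[0]);` with an explicit error path for the unsupported case, so a misconfigured preference list fails closed rather than producing a subkey of an unexpected type. init_auth continues outside the hunk, so whether the chosen subkey type is later reconciled with what the acceptor advertises is not visible here.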
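Review bot: The new allowed_enctypes parameter of add_etypelist carries an implicit contract that nothing in the file states: the body at the next hunk treats it as a KRB5_ENCTYPE_NULL-terminated preference list and treats NULL (or an empty list) as "use the library's default list". A one-line comment on the parameter would spare the next caller from reading the body, e.g. `/* allowed_enctypes: KRB5_ENCTYPE_NULL-terminated enctypes to advertise in the EtypeList, or NULL for the library defaults */`. The same comment belongs on the two plumbing parameters added to make_ap_authdata and _krb5_build_authenticator in the later hunks of this file.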
@@ -58,12 +59,26 @@ add_etypelist(krb5_context context,
 krb5_error_code ret;
 krb5_data e;
 size_t len = 0;
+ size_t i;
 
- ret = _krb5_init_etype(context, KRB5_PDU_NONE,
- &etypes.len, &etypes.val,
- NULL);
- if (ret)
- return ret;
+ if (allowed_enctypes) {
+ while (allowed_enctypes[len] != KRB5_ENCTYPE_NULL)
+ len++;
+ }
+
+ if (len) {
+ if ((etypes.val = calloc(len, sizeof(etypes.val[0]))) == NULL)
+ return krb5_enomem(context);
+ for (i = 0; i < len; i++)
+ etypes.val[i] = allowed_enctypes[0];
+ etypes.len = len;
+ } else {
+ ret = _krb5_init_etype(context, KRB5_PDU_NONE,
+ &etypes.len, &etypes.val,
+ NULL);
+ if (ret)
+ return ret;
+ }
 
 ASN1_MALLOC_ENCODE(EtypeList, e.data, e.length, &etypes, &len, ret);
 if (ret) {
@@ -122,6 +137,7 @@ add_ap_options(krb5_context context,
 static krb5_error_code
 make_ap_authdata(krb5_context context,
 krb5_boolean channel_bound,
+ krb5_enctype *allowed_enctypes,
 krb5_authdata **auth_data)
 {
 krb5_error_code ret;
@@ -132,7 +148,7 @@ make_ap_authdata(krb5_context context,
 ad.len = 0;
 ad.val = NULL;
 
- ret = add_etypelist(context, &ad);
+ ret = add_etypelist(context, allowed_enctypes, &ad);
 if (ret)
 return ret;
 
@@ -168,6 +184,7 @@ KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 _krb5_build_authenticator (krb5_context context,
 krb5_auth_context auth_context,
 krb5_enctype enctype,
+ krb5_enctype *allowed_enctypes,
 krb5_creds *cred,
 Checksum *cksum,
 krb5_boolean channel_bound,
@@ -229,6 +246,7 @@ _krb5_build_authenticator (krb5_context context,
 */
 ret = make_ap_authdata(context,
 channel_bound,
+ allowed_enctypes,
 &auth.authorization_data);
 if (ret)
 goto fail;
diff --git a/lib/krb5/mk_req_ext.c b/lib/krb5/mk_req_ext.c
index 09c116cd9..e3d9b7445 100644
--- a/lib/krb5/mk_req_ext.c
+++ b/lib/krb5/mk_req_ext.c
@@ -115,6 +115,7 @@ _krb5_mk_req_internal(krb5_context context,
 ret = _krb5_build_authenticator(context,
 ac,
 ac->keyblock->keytype,
+ NULL,
 in_creds,
 c_opt,
 FALSE, /* channel_bound */
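Review bot: The copy loop in the new `if (len)` branch indexes the wrong element: `etypes.val[i] = allowed_enctypes[0];` stores the first allowed enctype len times, so the EtypeList sent to the peer advertises a single enctype repeated instead of the caller's ordered list; it should read `etypes.val[i] = allowed_enctypes[i];`. Since that list is what the acceptor consults when choosing a compatible key type, the repeated entry silently narrows what the initiator claims to support and undoes the negotiation this commit is meant to fix. Separately, this branch advertises the caller's entries verbatim, whereas the removed code went through _krb5_init_etype, which I would expect to restrict the list to enctypes the library supports and has enabled (its filtering is not visible in this hunk); running each entry through krb5_enctype_valid before copying it would keep the advertised list honest. Note also that `len` is reused as the encoder's size output by the ASN1_MALLOC_ENCODE call below, so it no longer holds the element count after that line — harmless today, but worth a comment, since etypes.len is the count to use from there on.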