lib/krb5: keep a copy of config etypes in the context

When reading configuration file, keep an extra copy of the encryption types, and use this when resetting the encryption types to default. GSSAPI always resets the enctypes to default before obtaining a TGS, because the enctypes might have previously altered, so this prevents changing the etypes from the configured ones to the full set of supported etypes. Signed-off-by: Uri Simchoni <uri@samba.org>
2016-09-23 19:19:02 +03:00
parent a16a9cc939
commit a3bece16c7
2 changed files with 30 additions and 0 deletions
--- a/lib/krb5/context.c
+++ b/lib/krb5/context.c
@@ -48,6 +48,11 @@
        }								\
    } while(0)

+static krb5_error_code
+copy_enctypes(krb5_context context,
+	      const krb5_enctype *in,
+	      krb5_enctype **out);
+
 /*
 * Set the list of etypes `ret_etypes' from the configuration variable
 * `name'
@@ -123,6 +128,18 @@ init_context_from_config_file(krb5_context context)
    free(context->etypes);
    context->etypes = tmptypes;

+    /* The etypes member may change during the lifetime
+     * of the context. To be able to reset it to
+     * config value, we keep another copy.
+     */
+    free(context->cfg_etypes);
+    context->cfg_etypes = NULL;
+    if (tmptypes) {
+	ret = copy_enctypes(context, tmptypes, &context->cfg_etypes);
+	if (ret)
+	    return ret;
+    }
+
    ret = set_etypes (context, "default_etypes_des", &tmptypes);
    if(ret)
 	return ret;
@@ -529,6 +546,11 @@ krb5_copy_context(krb5_context context, krb5_context *out)
 	if (ret)
 	    goto out;
    }
+    if (context->cfg_etypes) {
+	ret = copy_etypes(context, context->cfg_etypes, &p->cfg_etypes);
+	if (ret)
+	    goto out;
+    }
    if (context->etypes_des) {
 	ret = copy_etypes(context, context->etypes_des, &p->etypes_des);
 	if (ret)
@@ -598,6 +620,7 @@ krb5_free_context(krb5_context context)
    if (context->default_cc_name_env)
 	free(context->default_cc_name_env);
    free(context->etypes);
+    free(context->cfg_etypes);
    free(context->etypes_des);
    krb5_free_host_realm (context, context->default_realms);
    krb5_config_file_free (context, context->cf);
@@ -990,6 +1013,8 @@ default_etypes(krb5_context context, krb5_enctype **etype)
 *
 * @param context Kerberos 5 context.
 * @param etypes Encryption types, array terminated with ETYPE_NULL (0).
+ * A value of NULL resets the encryption types to the defaults set in the
+ * configuration file.
 *
 * @return Returns 0 to indicate success. Otherwise an kerberos et
 * error code is returned, see krb5_get_error_message().
@@ -1004,6 +1029,10 @@ krb5_set_default_in_tkt_etypes(krb5_context context,
    krb5_error_code ret;
    krb5_enctype *p = NULL;

+    if(!etypes) {
+	etypes = context->cfg_etypes;
+    }
+
    if(etypes) {
 	ret = copy_enctypes(context, etypes, &p);
 	if (ret)
--- a/lib/krb5/krb5_locl.h
+++ b/lib/krb5/krb5_locl.h
@@ -218,6 +218,7 @@ typedef uint32_t krb5_enctype_set;

 typedef struct krb5_context_data {
    krb5_enctype *etypes;
+    krb5_enctype *cfg_etypes;
    krb5_enctype *etypes_des;/* deprecated */
    krb5_enctype *as_etypes;
    krb5_enctype *tgs_etypes;