heimdal-lib/krb5: keep a copy of config etypes in the context

When reading configuration file, keep an extra copy of
the encryption types, and use this when resetting the
encryption types to default.

GSSAPI always resets the enctypes to default before obtaining
a TGS, because the enctypes might have previously altered,
so this prevents changing the etypes from the configured ones
to the full set of supported etypes.

The same patch has gone into upstream heimdal as commit
a3bece1. It is a different solution to the problem fixed
here by commit 1f90983, so this commit will be reverted next
to keep compatibility with uptream.

Signed-off-by: Uri Simchoni <uri@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

diff --git a/source4/heimdal/lib/krb5/context.c b/source4/heimdal/lib/krb5/context.c
index 4290b71bb683d717b2b71f27c5189524c5c3cc5d..23e3879d6dbee5b8f5044d6cad3193193289a4bc 100644 (file)
--- a/source4/heimdal/lib/krb5/context.c
+++ b/source4/heimdal/lib/krb5/context.c
@@ -48,6 +48,11 @@
         }                                                              \
     } while(0)
 
+static krb5_error_code
+copy_enctypes(krb5_context context,
+             const krb5_enctype *in,
+             krb5_enctype **out);
+
 /*
  * Set the list of etypes `ret_etypes' from the configuration variable
  * `name'
@@ -123,6 +128,18 @@ init_context_from_config_file(krb5_context context)
     free(context->etypes);
     context->etypes = tmptypes;
 
+    /* The etypes member may change during the lifetime
+     * of the context. To be able to reset it to
+     * config value, we keep another copy.
+     */
+    free(context->cfg_etypes);
+    context->cfg_etypes = NULL;
+    if (tmptypes) {
+       ret = copy_enctypes(context, tmptypes, &context->cfg_etypes);
+       if (ret)
+           return ret;
+    }
+
     ret = set_etypes (context, "default_etypes_des", &tmptypes);
     if(ret)
        return ret;
@@ -506,6 +523,11 @@ krb5_copy_context(krb5_context context, krb5_context *out)
        if (ret)
            goto out;
     }
+    if (context->cfg_etypes) {
+       ret = copy_etypes(context, context->cfg_etypes, &p->cfg_etypes);
+       if (ret)
+           goto out;
+    }
     if (context->etypes_des) {
        ret = copy_etypes(context, context->etypes_des, &p->etypes_des);
        if (ret)
@@ -574,6 +596,7 @@ krb5_free_context(krb5_context context)
     if (context->default_cc_name_env)
        free(context->default_cc_name_env);
     free(context->etypes);
+    free(context->cfg_etypes);
     free(context->etypes_des);
     krb5_free_host_realm (context, context->default_realms);
     krb5_config_file_free (context, context->cf);
@@ -944,6 +967,8 @@ default_etypes(krb5_context context, krb5_enctype **etype)
  *
  * @param context Kerberos 5 context.
  * @param etypes Encryption types, array terminated with ETYPE_NULL (0).
+ * A value of NULL resets the encryption types to the defaults set in the
+ * configuration file.
  *
  * @return Returns 0 to indicate success. Otherwise an kerberos et
  * error code is returned, see krb5_get_error_message().
@@ -958,6 +983,10 @@ krb5_set_default_in_tkt_etypes(krb5_context context,
     krb5_error_code ret;
     krb5_enctype *p = NULL;
 
+    if(!etypes) {
+       etypes = context->cfg_etypes;
+    }
+
     if(etypes) {
        ret = copy_enctypes(context, etypes, &p);
        if (ret)

diff --git a/source4/heimdal/lib/krb5/krb5_locl.h b/source4/heimdal/lib/krb5/krb5_locl.h
index d0c68927ffbd358b84f28d60c3fc752d4dceb6e5..49c614d5efe1fa19038484cbc362cb25f71efa34 100644 (file)
--- a/source4/heimdal/lib/krb5/krb5_locl.h
+++ b/source4/heimdal/lib/krb5/krb5_locl.h
@@ -250,6 +250,7 @@ typedef uint32_t krb5_enctype_set;
 
 typedef struct krb5_context_data {
     krb5_enctype *etypes;
+    krb5_enctype *cfg_etypes;
     krb5_enctype *etypes_des;/* deprecated */
     krb5_enctype *as_etypes;
     krb5_enctype *tgs_etypes;