authorUri Simchoni <uri@samba.org>2016-09-30 20:18:14 +0300
committerUri Simchoni <uri@samba.org>2016-10-03 07:27:13 +0200
commit0b61d9e02ea0680fbb3ef927d09a573813b4ed15 (patch)
tree743162a340f3d9a774ab597af7d43a87365e0167 /source4/heimdal
parent780a80c28d491a1b9c76bda1b43ff8eb7aa346b1 (diff)
heimdal-lib/krb5: keep a copy of config etypes in the context
When reading the configuration file, keep an extra copy of the encryption types, and use this when resetting the encryption types to default. GSSAPI always resets the enctypes to default before obtaining a TGS, because the enctypes might have been previously altered, so this prevents changing the etypes from the configured ones to the full set of supported etypes. The same patch has gone into upstream heimdal as commit a3bece1. It is a different solution to the problem fixed here by commit 1f90983, so this commit will be reverted next to keep compatibility with upstream. Signed-off-by: Uri Simchoni <uri@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Diffstat (limited to 'source4/heimdal')
-rw-r--r--source4/heimdal/lib/krb5/context.c29
-rw-r--r--source4/heimdal/lib/krb5/krb5_locl.h1
2 files changed, 30 insertions, 0 deletions
diff --git a/source4/heimdal/lib/krb5/context.c b/source4/heimdal/lib/krb5/context.c
index 4290b71bb68..23e3879d6db 100644
--- a/source4/heimdal/lib/krb5/context.c
+++ b/source4/heimdal/lib/krb5/context.c
@@ -48,6 +48,11 @@
} \
} while(0)
+static krb5_error_code
+copy_enctypes(krb5_context context,
+ const krb5_enctype *in,
+ krb5_enctype **out);
+
/*
* Set the list of etypes `ret_etypes' from the configuration variable
* `name'
@@ -123,6 +128,18 @@ init_context_from_config_file(krb5_context context)
free(context->etypes);
context->etypes = tmptypes;
+ /* The etypes member may change during the lifetime
+ * of the context. To be able to reset it to
+ * config value, we keep another copy.
+ */
+ free(context->cfg_etypes);
+ context->cfg_etypes = NULL;
+ if (tmptypes) {
+ ret = copy_enctypes(context, tmptypes, &context->cfg_etypes);
+ if (ret)
+ return ret;
+ }
+
ret = set_etypes (context, "default_etypes_des", &tmptypes);
if(ret)
return ret;
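Review bot: The configured list is duplicated here with `copy_enctypes`, while the `krb5_copy_context` hunk duplicates the same `cfg_etypes` member with `copy_etypes`. Neither helper's body is visible in this diff, so it should be confirmed that they treat the list the same way (filtering of entries, handling of a list that ends up empty). If `copy_enctypes` can fail on a list that `set_etypes` has just accepted, the added `return ret;` makes `init_context_from_config_file` fail where it previously succeeded. Because `cfg_etypes` is the administrator's restriction that a later reset falls back to, the comment above the copy should state what a failure here means, for example `/* a failed copy aborts context init rather than leaving cfg_etypes unset */`. Both functions continue outside their hunks.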
@@ -506,6 +523,11 @@ krb5_copy_context(krb5_context context, krb5_context *out)
if (ret)
goto out;
}
+ if (context->cfg_etypes) {
+ ret = copy_etypes(context, context->cfg_etypes, &p->cfg_etypes);
+ if (ret)
+ goto out;
+ }
if (context->etypes_des) {
ret = copy_etypes(context, context->etypes_des, &p->etypes_des);
if (ret)
@@ -574,6 +596,7 @@ krb5_free_context(krb5_context context)
if (context->default_cc_name_env)
free(context->default_cc_name_env);
free(context->etypes);
+ free(context->cfg_etypes);
free(context->etypes_des);
krb5_free_host_realm (context, context->default_realms);
krb5_config_file_free (context, context->cf);
@@ -944,6 +967,8 @@ default_etypes(krb5_context context, krb5_enctype **etype)
*
* @param context Kerberos 5 context.
* @param etypes Encryption types, array terminated with ETYPE_NULL (0).
+ * A value of NULL resets the encryption types to the defaults set in the
+ * configuration file.
*
* @return Returns 0 to indicate success. Otherwise an kerberos et
* error code is returned, see krb5_get_error_message().
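Review bot: The added `@param` text does not cover the case where the configuration file sets no encryption types. In the `krb5_set_default_in_tkt_etypes` hunk, `etypes` then stays NULL after `etypes = context->cfg_etypes;` and the function takes its earlier NULL path, which presumably means the built-in defaults. Callers relying on NULL to restore policy should be able to read that from the doc comment; suggested wording: `A value of NULL resets the encryption types to those set in the configuration file, or to the library defaults when the configuration sets none.` The doc comment and the function body both extend beyond the lines shown.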
@@ -958,6 +983,10 @@ krb5_set_default_in_tkt_etypes(krb5_context context,
krb5_error_code ret;
krb5_enctype *p = NULL;
+ if(!etypes) {
+ etypes = context->cfg_etypes;
+ }
+
if(etypes) {
ret = copy_enctypes(context, etypes, &p);
if (ret)
diff --git a/source4/heimdal/lib/krb5/krb5_locl.h b/source4/heimdal/lib/krb5/krb5_locl.h
index d0c68927ffb..49c614d5efe 100644
--- a/source4/heimdal/lib/krb5/krb5_locl.h
+++ b/source4/heimdal/lib/krb5/krb5_locl.h
@@ -250,6 +250,7 @@ typedef uint32_t krb5_enctype_set;
typedef struct krb5_context_data {
krb5_enctype *etypes;
+ krb5_enctype *cfg_etypes;
krb5_enctype *etypes_des;/* deprecated */
krb5_enctype *as_etypes;
krb5_enctype *tgs_etypes;
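Review bot: The new `cfg_etypes` member is declared without a comment, so its relationship to `etypes` is only explained at the assignment site in context.c. Since this field holds the configured enctype restriction that resets fall back to, a short comment on the declaration would keep later changes from treating it as a second mutable list, e.g. `krb5_enctype *cfg_etypes; /* etypes as read from config; never modified after load, used to reset etypes */`. The struct continues past the end of this hunk.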