From 2d9fd3855f3c50c17111a72f6247aabd02e575be Mon Sep 17 00:00:00 2001
From: Andrew Bartlett
Date: Wed, 23 Mar 2022 09:47:53 +1300
Subject: [PATCH] s4:kdc: Pass supported enctypes to samba_kdc_set_fixed_keys()
Pair-Programmed-With: Stefan Metzmacher
Signed-off-by: Andrew Bartlett
Signed-off-by: Stefan Metzmacher
---
 source4/kdc/db-glue.c | 17 ++++++++---------
 source4/kdc/db-glue.h | 3 +--
 source4/kdc/hdb-samba4.c | 2 +-
 3 files changed, 10 insertions(+), 12 deletions(-)
diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c
index 10a8dab76f6..a5e7cebab1b 100644
--- a/source4/kdc/db-glue.c
+++ b/source4/kdc/db-glue.c
@@ -336,12 +336,10 @@ static void samba_kdc_sort_keys(struct sdb_keys *keys)
 }
 int samba_kdc_set_fixed_keys(krb5_context context,
- struct samba_kdc_db_context *kdc_db_ctx,
 const struct ldb_val *secretbuffer,
- bool is_protected,
+ uint32_t supported_enctypes,
 struct sdb_keys *keys)
 {
- uint32_t supported_enctypes = ENC_ALL_TYPES;
 uint16_t allocated_keys = 0;
 int ret;
@@ -354,10 +352,6 @@ int samba_kdc_set_fixed_keys(krb5_context context,
 goto out;
 }
- if (is_protected) {
- supported_enctypes &= ~ENC_RC4_HMAC_MD5;
- }
-
 if (supported_enctypes & ENC_HMAC_SHA1_96_AES256) {
 struct sdb_key key = {};
@@ -419,9 +413,14 @@ static int samba_kdc_set_random_keys(krb5_context context,
 struct sdb_keys *keys,
 bool is_protected)
 {
+ uint32_t supported_enctypes = ENC_ALL_TYPES;
 struct ldb_val secret_val;
 uint8_t secretbuffer[32];
+ if (is_protected) {
+ supported_enctypes &= ~ENC_RC4_HMAC_MD5;
+ }
+
 /*
 * Fake keys until we have a better way to reject
 * non-pkinit requests.
@@ -433,9 +432,9 @@ static int samba_kdc_set_random_keys(krb5_context context,
 secret_val = data_blob_const(secretbuffer, sizeof(secretbuffer));
- return samba_kdc_set_fixed_keys(context, kdc_db_ctx,
+ return samba_kdc_set_fixed_keys(context,
 &secret_val,
- is_protected,
+ supported_enctypes,
 keys);
 }
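Review bot: With `is_protected` gone from `samba_kdc_set_fixed_keys()`, the visible hunks leave nothing inside the function that strips `ENC_RC4_HMAC_MD5`, so excluding RC4 for protected accounts is now each caller's job, and neither this definition nor the prototype in db-glue.h says so. I would add a comment above the definition, for example `/* supported_enctypes: ENC_* bits to derive keys for; the caller must already have cleared ENC_RC4_HMAC_MD5 where RC4 is not allowed. */`, and mirror it in the header. It would also help to state what a mask with none of the known bits produces, because the rest of the body lies outside this hunk and that case cannot be judged from here.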
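Review bot: In the last db-glue.c hunk `secretbuffer` still holds the 32 bytes the keys are derived from when `samba_kdc_set_random_keys()` returns, because the result of `samba_kdc_set_fixed_keys()` is returned directly. Since the call is being rewritten anyway, it could store the result in a local `int ret`, clear the buffer with the tree's zeroing helper (I believe `ZERO_ARRAY(secretbuffer);` fits here), and then `return ret;`. The keys are throwaway random values, so this is hygiene rather than a fix for a reachable flaw. The lines that fill the buffer sit between this hunk and the previous one and are not visible here.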
diff --git a/source4/kdc/db-glue.h b/source4/kdc/db-glue.h
index d9559d395f1..6779a87eadf 100644
--- a/source4/kdc/db-glue.h
+++ b/source4/kdc/db-glue.h
@@ -26,9 +26,8 @@ struct sdb_entry;
 int samba_kdc_set_fixed_keys(krb5_context context,
- struct samba_kdc_db_context *kdc_db_ctx,
 const struct ldb_val *secretbuffer,
- bool is_protected,
+ uint32_t supported_enctypes,
 struct sdb_keys *keys);
 krb5_error_code samba_kdc_fetch(krb5_context context,
diff --git a/source4/kdc/hdb-samba4.c b/source4/kdc/hdb-samba4.c
index 62e66781588..480d2c06e5e 100644
--- a/source4/kdc/hdb-samba4.c
+++ b/source4/kdc/hdb-samba4.c
@@ -223,7 +223,7 @@ static krb5_error_code hdb_samba4_fetch_fast_cookie(krb5_context context,
 return ret;
 }
- ret = samba_kdc_set_fixed_keys(context, kdc_db_ctx, val, false,
+ ret = samba_kdc_set_fixed_keys(context, val, ENC_ALL_TYPES,
 &sentry.keys);
 if (ret != 0) {
 return ret;
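Review bot: Passing `ENC_ALL_TYPES` in `hdb_samba4_fetch_fast_cookie()` keeps deriving an RC4 key from the FAST cookie secret, exactly as the old `false` argument did, and now that the mask is explicit nothing records why the weaker types are wanted. If the cookie is only ever protected with the strongest key (an assumption, since the code that consumes `sentry.keys` is outside this hunk), passing `ENC_HMAC_SHA1_96_AES256` alone would avoid creating RC4 material from the same secret. Otherwise a one-line comment above the call stating why all enctypes are requested would make the choice reviewable.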