From 2ea3f2db8087e0a2c4a18c633b039c722cb6f829 Mon Sep 17 00:00:00 2001 From: Nicolas Williams Date: Wed, 12 Oct 2011 01:15:13 -0500 Subject: [PATCH] CVE-2022-45141 source4/heimdal: Fix check-des The previous fix was incomplete. But it also finally uncovered an old check-des problem that I'd had once and which may have gotten papered over by changing the default of one of the *strongest* KDC parameters. The old problem is that we were passing the wrong enctype to _kdc_encode_reply(): we were passing the session key enctype where the ticket enc-part key's enctype was expected. The whole enctype being passed in is superfluous anyways. Let's clean that up next. (cherry picked from Heimdal commit 4c6976a6bdf8a76c6f3c650ae970d46c931e5c71) BUG: https://bugzilla.samba.org/show_bug.cgi?id=15214 BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237 Signed-off-by: Joseph Sutton Reviewed-by: Stefan Metzmacher --- source4/heimdal/kdc/krb5tgs.c | 15 ++++++++++++--- 1 file changed, 12 insertions(+), 3 deletions(-) diff --git a/source4/heimdal/kdc/krb5tgs.c b/source4/heimdal/kdc/krb5tgs.c index 7391393e4b6..609649003ea 100644 --- a/source4/heimdal/kdc/krb5tgs.c +++ b/source4/heimdal/kdc/krb5tgs.c @@ -747,7 +747,7 @@ tgs_make_reply(krb5_context context, etype list, even if we don't want a session key with DES3? */ ret = _kdc_encode_reply(context, config, - &rep, &et, &ek, et.key.keytype, + &rep, &et, &ek, serverkey->keytype, kvno, serverkey, 0, replykey, rk_is_subkey, e_text, reply); @@ -1665,13 +1665,22 @@ server_lookup: } else { Key *skey; - ret = _kdc_get_preferred_key(context, config, server, spn, - &etype, &skey); + ret = _kdc_find_etype(context, + config->tgs_use_strongest_session_key, FALSE, + server, b->etype.val, b->etype.len, &etype, + NULL); if(ret) { kdc_log(context, config, 0, "Server (%s) has no support for etypes", spn); goto out; } + ret = _kdc_get_preferred_key(context, config, server, spn, + NULL, &skey); + if(ret) { + kdc_log(context, config, 0, + "Server (%s) has no supported etypes", spn); + goto out; + } ekey = &skey->key; kvno = server->entry.kvno; }