1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-22 13:34:15 +03:00

CVE-2020-25719 heimdal:kdc: Move fetching krbtgt entry to before enctype selection

This allows us to use it when validating user-to-user.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14873

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This commit is contained in:
Joseph Sutton 2021-10-26 20:34:44 +13:00 committed by Jule Anger
parent a5db5c7fa2
commit f170f1eb49

View File

@ -1518,6 +1518,41 @@ server_lookup:
goto out;
}
/* Now refetch the primary krbtgt, and get the current kvno (the
* sign check may have been on an old kvno, and the server may
* have been an incoming trust) */
ret = krb5_make_principal(context, &krbtgt_principal,
krb5_principal_get_comp_string(context,
krbtgt->entry.principal,
1),
KRB5_TGS_NAME,
krb5_principal_get_comp_string(context,
krbtgt->entry.principal,
1), NULL);
if(ret) {
kdc_log(context, config, 0,
"Failed to generate krbtgt principal");
goto out;
}
ret = _kdc_db_fetch(context, config, krbtgt_principal, HDB_F_GET_KRBTGT, NULL, NULL, &krbtgt_out);
krb5_free_principal(context, krbtgt_principal);
if (ret) {
krb5_error_code ret2;
char *ktpn, *ktpn2;
ret = krb5_unparse_name(context, krbtgt->entry.principal, &ktpn);
ret2 = krb5_unparse_name(context, krbtgt_principal, &ktpn2);
kdc_log(context, config, 0,
"Request with wrong krbtgt: %s, %s not found in our database",
(ret == 0) ? ktpn : "<unknown>", (ret2 == 0) ? ktpn2 : "<unknown>");
if(ret == 0)
free(ktpn);
if(ret2 == 0)
free(ktpn2);
ret = KRB5KRB_AP_ERR_NOT_US;
goto out;
}
/*
* Select enctype, return key and kvno.
*/
@ -1568,41 +1603,6 @@ server_lookup:
* backward.
*/
/* Now refetch the primary krbtgt, and get the current kvno (the
* sign check may have been on an old kvno, and the server may
* have been an incoming trust) */
ret = krb5_make_principal(context, &krbtgt_principal,
krb5_principal_get_comp_string(context,
krbtgt->entry.principal,
1),
KRB5_TGS_NAME,
krb5_principal_get_comp_string(context,
krbtgt->entry.principal,
1), NULL);
if(ret) {
kdc_log(context, config, 0,
"Failed to generate krbtgt principal");
goto out;
}
ret = _kdc_db_fetch(context, config, krbtgt_principal, HDB_F_GET_KRBTGT, NULL, NULL, &krbtgt_out);
krb5_free_principal(context, krbtgt_principal);
if (ret) {
krb5_error_code ret2;
char *ktpn, *ktpn2;
ret = krb5_unparse_name(context, krbtgt->entry.principal, &ktpn);
ret2 = krb5_unparse_name(context, krbtgt_principal, &ktpn2);
kdc_log(context, config, 0,
"Request with wrong krbtgt: %s, %s not found in our database",
(ret == 0) ? ktpn : "<unknown>", (ret2 == 0) ? ktpn2 : "<unknown>");
if(ret == 0)
free(ktpn);
if(ret2 == 0)
free(ktpn2);
ret = KRB5KRB_AP_ERR_NOT_US;
goto out;
}
/* The first realm is the realm of the service, the second is
* krbtgt/<this>/@REALM component of the krbtgt DN the request was
* encrypted to. The redirection via the krbtgt_out entry allows