CVE-2020-25719 heimdal:kdc: Move fetching krbtgt entry to before enctype selection
This allows us to use it when validating user-to-user. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14873 Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
parent
a5db5c7fa2
commit
f170f1eb49
@ -1518,6 +1518,41 @@ server_lookup:
|
||||
goto out;
|
||||
}
|
||||
|
||||
/* Now refetch the primary krbtgt, and get the current kvno (the
|
||||
* sign check may have been on an old kvno, and the server may
|
||||
* have been an incoming trust) */
|
||||
ret = krb5_make_principal(context, &krbtgt_principal,
|
||||
krb5_principal_get_comp_string(context,
|
||||
krbtgt->entry.principal,
|
||||
1),
|
||||
KRB5_TGS_NAME,
|
||||
krb5_principal_get_comp_string(context,
|
||||
krbtgt->entry.principal,
|
||||
1), NULL);
|
||||
if(ret) {
|
||||
kdc_log(context, config, 0,
|
||||
"Failed to generate krbtgt principal");
|
||||
goto out;
|
||||
}
|
||||
|
||||
ret = _kdc_db_fetch(context, config, krbtgt_principal, HDB_F_GET_KRBTGT, NULL, NULL, &krbtgt_out);
|
||||
krb5_free_principal(context, krbtgt_principal);
|
||||
if (ret) {
|
||||
krb5_error_code ret2;
|
||||
char *ktpn, *ktpn2;
|
||||
ret = krb5_unparse_name(context, krbtgt->entry.principal, &ktpn);
|
||||
ret2 = krb5_unparse_name(context, krbtgt_principal, &ktpn2);
|
||||
kdc_log(context, config, 0,
|
||||
"Request with wrong krbtgt: %s, %s not found in our database",
|
||||
(ret == 0) ? ktpn : "<unknown>", (ret2 == 0) ? ktpn2 : "<unknown>");
|
||||
if(ret == 0)
|
||||
free(ktpn);
|
||||
if(ret2 == 0)
|
||||
free(ktpn2);
|
||||
ret = KRB5KRB_AP_ERR_NOT_US;
|
||||
goto out;
|
||||
}
|
||||
|
||||
/*
|
||||
* Select enctype, return key and kvno.
|
||||
*/
|
||||
@ -1568,41 +1603,6 @@ server_lookup:
|
||||
* backward.
|
||||
*/
|
||||
|
||||
/* Now refetch the primary krbtgt, and get the current kvno (the
|
||||
* sign check may have been on an old kvno, and the server may
|
||||
* have been an incoming trust) */
|
||||
ret = krb5_make_principal(context, &krbtgt_principal,
|
||||
krb5_principal_get_comp_string(context,
|
||||
krbtgt->entry.principal,
|
||||
1),
|
||||
KRB5_TGS_NAME,
|
||||
krb5_principal_get_comp_string(context,
|
||||
krbtgt->entry.principal,
|
||||
1), NULL);
|
||||
if(ret) {
|
||||
kdc_log(context, config, 0,
|
||||
"Failed to generate krbtgt principal");
|
||||
goto out;
|
||||
}
|
||||
|
||||
ret = _kdc_db_fetch(context, config, krbtgt_principal, HDB_F_GET_KRBTGT, NULL, NULL, &krbtgt_out);
|
||||
krb5_free_principal(context, krbtgt_principal);
|
||||
if (ret) {
|
||||
krb5_error_code ret2;
|
||||
char *ktpn, *ktpn2;
|
||||
ret = krb5_unparse_name(context, krbtgt->entry.principal, &ktpn);
|
||||
ret2 = krb5_unparse_name(context, krbtgt_principal, &ktpn2);
|
||||
kdc_log(context, config, 0,
|
||||
"Request with wrong krbtgt: %s, %s not found in our database",
|
||||
(ret == 0) ? ktpn : "<unknown>", (ret2 == 0) ? ktpn2 : "<unknown>");
|
||||
if(ret == 0)
|
||||
free(ktpn);
|
||||
if(ret2 == 0)
|
||||
free(ktpn2);
|
||||
ret = KRB5KRB_AP_ERR_NOT_US;
|
||||
goto out;
|
||||
}
|
||||
|
||||
/* The first realm is the realm of the service, the second is
|
||||
* krbtgt/<this>/@REALM component of the krbtgt DN the request was
|
||||
* encrypted to. The redirection via the krbtgt_out entry allows
|
||||
|
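Review bot: In the relocated krbtgt refetch block, `krb5_free_principal(context, krbtgt_principal);` runs immediately after `_kdc_db_fetch()`, yet the failure branch directly below passes the same `krbtgt_principal` to `krb5_unparse_name()` to build the "Request with wrong krbtgt" log line, so the error path reads a principal that has already been freed. The block appears to be moved unchanged from its old position after enctype selection, so the pattern predates this commit, but the move is a good moment to fix it: drop the early free, call `krb5_free_principal(context, krbtgt_principal);` inside the branch after the second `krb5_unparse_name()`, and call it once more after the closing `}` for the success path. The branch is taken when the krbtgt derived from the request's ticket is not found in the database, so it is a request-driven path in the KDC and worth covering with a sanitizer-enabled test. The enclosing function starts and ends outside the hunk, so whether `out:` releases `krbtgt_out` on the `goto out` exits that now come after the fetch cannot be confirmed from here.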