CVE-2022-45141 source4/heimdal: Fix TGS ticket enc-part key selection

    When I added support for configuring how the KDC selects session,
    reply, and ticket enc-part keys I accidentally had the KDC use the
    session key selection algorithm for selecting the ticket enc-part
    key.  This becomes a problem when using a Heimdal KDC with an MIT
    KDB as the HDB backend and when the krbtgt keys are not in
    strongest-to-weakest order, in which case forwardable tickets minted
    by the Heimdal KDC will not be accepted by MIT KDCs with the same
    KDB.

(cherry picked from Heimdal commit 12cd2c9cbd1ca027a3ef9ac7ab3e79526b1348ae)

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15214
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

diff --git a/source4/heimdal/kdc/krb5tgs.c b/source4/heimdal/kdc/krb5tgs.c
index 15be136496fa4471554b4ccc7d13236145c3f5e8..7391393e4b64cbea96bfd579a16f593763673316 100644 (file)
--- a/source4/heimdal/kdc/krb5tgs.c
+++ b/source4/heimdal/kdc/krb5tgs.c
@@ -1665,17 +1665,14 @@ server_lookup:
        } else {
            Key *skey;
 
-           ret = _kdc_find_etype(context,
-                                 config->tgs_use_strongest_session_key, FALSE,
-                                 server, b->etype.val, b->etype.len, NULL,
-                                 &skey);
+           ret = _kdc_get_preferred_key(context, config, server, spn,
+                                        &etype, &skey);
            if(ret) {
                kdc_log(context, config, 0,
                        "Server (%s) has no support for etypes", spn);
                goto out;
            }
            ekey = &skey->key;
-           etype = skey->key.keytype;
            kvno = server->entry.kvno;
        }