CVE-2022-45141 source4/heimdal: Fix check-des
authorNicolas Williams <nico@cryptonector.com>
Wed, 12 Oct 2011 06:15:13 +0000 (01:15 -0500)
committerStefan Metzmacher <metze@samba.org>
Wed, 7 Dec 2022 18:43:14 +0000 (19:43 +0100)
    The previous fix was incomplete.  But it also finally uncovered an
    old check-des problem that I'd had once and which may have gotten
    papered over by changing the default of one of the *strongest* KDC
    parameters.  The old problem is that we were passing the wrong
    enctype to _kdc_encode_reply(): we were passing the session key
    enctype where the ticket enc-part key's enctype was expected.

    The whole enctype being passed in is superfluous anyways.  Let's
    clean that up next.

(cherry picked from Heimdal commit 4c6976a6bdf8a76c6f3c650ae970d46c931e5c71)

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15214
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
source4/heimdal/kdc/krb5tgs.c

index 7391393e4b64cbea96bfd579a16f593763673316..609649003ea57e1f286e119d746bd39c7f01fe2b 100644 (file)
@@ -747,7 +747,7 @@ tgs_make_reply(krb5_context context,
        etype list, even if we don't want a session key with
        DES3? */
     ret = _kdc_encode_reply(context, config,
-                           &rep, &et, &ek, et.key.keytype,
+                           &rep, &et, &ek, serverkey->keytype,
                            kvno,
                            serverkey, 0, replykey, rk_is_subkey,
                            e_text, reply);
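Review bot: The enctype argument to `_kdc_encode_reply()` carries no comment saying which key it describes, and mixing up the session key with the ticket enc-part key is exactly the mistake this line corrects. I would add a comment above the argument, for example `/* enctype of the key that encrypts the ticket enc-part (serverkey), not of the session key in et.key */`. The new expression dereferences `serverkey`; tgs_make_reply's body starts and ends outside this hunk, so whether `serverkey` is guaranteed non-NULL at this point cannot be confirmed from here and is worth checking.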
@@ -1665,13 +1665,22 @@ server_lookup:
        } else {
            Key *skey;
 
-           ret = _kdc_get_preferred_key(context, config, server, spn,
-                                        &etype, &skey);
+           ret = _kdc_find_etype(context,
+                                 config->tgs_use_strongest_session_key, FALSE,
+                                 server, b->etype.val, b->etype.len, &etype,
+                                 NULL);
            if(ret) {
                kdc_log(context, config, 0,
                        "Server (%s) has no support for etypes", spn);
                goto out;
            }
+           ret = _kdc_get_preferred_key(context, config, server, spn,
+                                        NULL, &skey);
+           if(ret) {
+               kdc_log(context, config, 0,
+                       "Server (%s) has no supported etypes", spn);
+               goto out;
+           }
            ekey = &skey->key;
            kvno = server->entry.kvno;
        }
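Review bot: The two failure paths log nearly identical text (`"Server (%s) has no support for etypes"` and `"Server (%s) has no supported etypes"`), so the KDC log does not show which lookup failed. Judging by the arguments, the first call selects the session key enctype from the client's `b->etype` list and the second fetches the server's preferred long-term key. I would reword the first message to name its step, e.g. `"Server (%s) supports none of the requested session key etypes"`. The second call now passes `NULL` for the etype out-parameter; `_kdc_get_preferred_key()` is not visible here, so confirm that it accepts a NULL pointer on every path. The enclosing block under `server_lookup:` starts and ends outside this hunk.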