From: Andrew Bartlett Date: Tue, 1 Nov 2022 01:47:12 +0000 (+1300) Subject: CVE-2022-37966 HEIMDAL: Look up the server keys to combine with clients etype list... X-Git-Tag: samba-4.15.13~49 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=4650ce1fa5ce1f1da46829bd95bffbb748ed90ca;p=thirdparty%2Fsamba.git CVE-2022-37966 HEIMDAL: Look up the server keys to combine with clients etype list to select a session key We need to select server, not client, to compare client etypes against. (It is not useful to compare the client-supplied encryption types with the client's own long-term keys.) BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237 Signed-off-by: Andrew Bartlett Reviewed-by: Stefan Metzmacher (similar to commit 538315a2aa6d03b7639b49eb1576efa8755fefec) [jsutton@samba.org Fixed knownfail conflicts] [jsutton@samba.org Fixed knownfail conflicts] [jsutton@samba.org Fixed knownfail conflicts; adapted to older Heimdal version] --- diff --git a/selftest/knownfail_heimdal_kdc b/selftest/knownfail_heimdal_kdc index 5dc3c60847e..692b9ecdd72 100644 --- a/selftest/knownfail_heimdal_kdc +++ b/selftest/knownfail_heimdal_kdc @@ -109,8 +109,3 @@ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_fast_service_ticket ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_fast_sid_mismatch_existing ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_fast_sid_mismatch_nonexisting -# -# Encryption type tests -# -^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_as_aes_requested.ad_dc -^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_as_rc4_supported_aes_requested.ad_dc diff --git a/source4/heimdal/kdc/kerberos5.c b/source4/heimdal/kdc/kerberos5.c index bda61e69df2..bfe196c338f 100644 --- a/source4/heimdal/kdc/kerberos5.c +++ b/source4/heimdal/kdc/kerberos5.c 
@@ -1164,7 +1164,7 @@ _kdc_as_rep(krb5_context context, * decrypt. */ ret = _kdc_find_etype(context, config->as_use_strongest_session_key, FALSE, - client, b->etype.val, b->etype.len, &sessionetype, + server, b->etype.val, b->etype.len, &sessionetype, NULL); if (ret) { kdc_log(context, config, 0,
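Review bot: In the selftest/knownfail_heimdal_kdc hunk, the commit message never says that test_as_aes_requested and test_as_rc4_supported_aes_requested now pass on ad_dc, although the whole "# Encryption type tests" section is dropped. The bracketed notes only mention fixing knownfail conflicts. One line in the message naming these two tests as the ones fixed by the server-key lookup would tie the knownfail removal to the code change, and would make it easier to spot a later backport that picks up one half without the other.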
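Review bot: In the _kdc_as_rep hunk of source4/heimdal/kdc/kerberos5.c, the reason for passing server instead of client to _kdc_find_etype is given only in the commit message, not in the code. The block comment above the call (the part ending in "decrypt.") should say that the client's b->etype list is matched against the server's long-term keys to pick sessionetype, so that the argument is not switched back in a later Heimdal import. The kdc_log call under if (ret) is cut off in the visible context. Please check that its text describes a failed match against the server's keys rather than the client's, since after this change that is the failure being reported.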