From d7ed635e822e13b89fef93463d1d132b1e03b78f Mon Sep 17 00:00:00 2001 From: Greg Hudson Date: Wed, 13 May 2020 13:05:49 -0400 Subject: [PATCH] Prevent use of invalid local TGT key Commit 570967e11bd5ea60a82fc8157ad7d07602402ebb took a shortcut in get_local_tgt() by using the first key data entry in the TGT principal entry. This is usually correct, but if the first key data entry has an invalid enctype (such as a single-DES enctype), we can select a key we can't use. Call krb5_dbe_find_enctype() instead. Reported by Leonard Peirce. ticket: 8906 tags: pullup target_version: 1.18-next --- src/kdc/kdc_util.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c index 9dd02425cc..4390b289d1 100644 --- a/src/kdc/kdc_util.c +++ b/src/kdc/kdc_util.c @@ -514,6 +514,7 @@ get_local_tgt(krb5_context context, const krb5_data *realm, krb5_error_code ret; krb5_principal princ; krb5_db_entry *storage = NULL, *tgt; + krb5_key_data *kd; *alias_out = NULL; *storage_out = NULL; @@ -534,12 +535,11 @@ get_local_tgt(krb5_context context, const krb5_data *realm, tgt = candidate; } - if (tgt->n_key_data == 0) { - ret = KRB5_KDB_NO_MATCHING_KEY; + /* Find and decrypt the first valid key of the current kvno. */ + ret = krb5_dbe_find_enctype(context, tgt, -1, -1, 0, &kd); + if (ret) goto cleanup; - } - ret = krb5_dbe_decrypt_key_data(context, NULL, &tgt->key_data[0], key_out, - NULL); + ret = krb5_dbe_decrypt_key_data(context, NULL, kd, key_out, NULL); if (ret) goto cleanup; -- 2.47.2