From f79d71ecfd3aa2a25be6e4cef4eddd28bcccd722 Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Tue, 27 Feb 2018 13:09:51 -0500
Subject: [PATCH] Improve KDC encrypting key memory management

Commit 0ba5ccd7bb3ea15e44a87f84ca6feed8890f657d caused encrypting_key
to hold either an owned or alias pointer depending on the presence of
the KDC_OPT_ENC_TKT_IN_SKEY (u2u) flag in the request.  For better
memory management safety, introducing server_keyblock to hold owned
memory in the non-u2u case, and turning encrypting_key into an alias
pointer for both cases.
---
 src/kdc/do_tgs_req.c | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c
index fca01db9d1..e569937318 100644
--- a/src/kdc/do_tgs_req.c
+++ b/src/kdc/do_tgs_req.c
@@ -113,7 +113,7 @@ process_tgs_req(struct server_handle *handle, krb5_data *pkt,
     krb5_enc_tkt_part enc_tkt_reply;
     int newtransited = 0;
     krb5_error_code retval = 0;
-    krb5_keyblock encrypting_key;
+    krb5_keyblock server_keyblock, *encrypting_key;
     krb5_timestamp kdc_time, authtime = 0;
     krb5_keyblock session_key;
     krb5_keyblock *reply_key = NULL;
@@ -144,7 +144,7 @@ process_tgs_req(struct server_handle *handle, krb5_data *pkt,
     memset(&reply_encpart, 0, sizeof(reply_encpart));
     memset(&ticket_reply, 0, sizeof(ticket_reply));
     memset(&enc_tkt_reply, 0, sizeof(enc_tkt_reply));
-    memset(&encrypting_key, 0, sizeof(encrypting_key));
+    memset(&server_keyblock, 0, sizeof(server_keyblock));
     session_key.contents = NULL;
 
     retval = decode_krb5_tgs_req(pkt, &request);
@@ -536,7 +536,7 @@ process_tgs_req(struct server_handle *handle, krb5_data *pkt,
     }
     if (isflagset(request->kdc_options, KDC_OPT_ENC_TKT_IN_SKEY)) {
         krb5_enc_tkt_part *t2enc = request->second_ticket[st_idx]->enc_part2;
-        encrypting_key = *(t2enc->session);
+        encrypting_key = t2enc->session;
     } else {
         /*
          * Find the server key
@@ -555,11 +555,12 @@ process_tgs_req(struct server_handle *handle, krb5_data *pkt,
          * (it may be encrypted in the database)
          */
         if ((errcode = krb5_dbe_decrypt_key_data(kdc_context, NULL,
-                                                 server_key, &encrypting_key,
+                                                 server_key, &server_keyblock,
                                                  NULL))) {
             status = "DECRYPT_SERVER_KEY";
             goto cleanup;
         }
+        encrypting_key = &server_keyblock;
     }
 
     if (isflagset(c_flags, KRB5_KDB_FLAG_CONSTRAINED_DELEGATION)) {
@@ -670,7 +671,7 @@ process_tgs_req(struct server_handle *handle, krb5_data *pkt,
                               header_server, local_tgt,
                               subkey != NULL ? subkey :
                               header_ticket->enc_part2->session,
-                              &encrypting_key, /* U2U or server key */
+                              encrypting_key, /* U2U or server key */
                               header_key,
                               pkt,
                               request,
@@ -718,7 +719,7 @@ process_tgs_req(struct server_handle *handle, krb5_data *pkt,
         ticket_kvno = server_key->key_data_kvno;
     }
 
-    errcode = krb5_encrypt_tkt_part(kdc_context, &encrypting_key,
+    errcode = krb5_encrypt_tkt_part(kdc_context, encrypting_key,
                                     &ticket_reply);
     if (errcode)
         goto cleanup;
@@ -809,8 +810,7 @@ process_tgs_req(struct server_handle *handle, krb5_data *pkt,
 cleanup:
     if (status == NULL)
         status = "UNKNOWN_REASON";
-    if (!isflagset(request->kdc_options, KDC_OPT_ENC_TKT_IN_SKEY))
-        krb5_free_keyblock_contents(kdc_context, &encrypting_key);
+    krb5_free_keyblock_contents(kdc_context, &server_keyblock);
     if (reply_key)
         krb5_free_keyblock(kdc_context, reply_key);
     if (errcode)
-- 
2.47.2