tgs_make_reply: fix temp weak enctype exception

The default heimdal KDC chokes when trying to encrypt a ticket with a weak
server key that has a different type than the session key. The problem
happens in the krb5_crypto_init function called from the _kdc_encode_reply
function.

The existing work-around of the problem temporarily enabled the weak
enctype in case it was disabled but the principal was on the (hard-coded)
exception list.

Unfortunately the code used the keytype of the key encoded in the ticked
(the session key) instead of the keytype of the key used to encrypt the ticket
(the serverkey) thus enabling the incorrect encryption type if those two
are different, for instance des-cbc-md5 and des-cbc-crc.

Change-Id: Ia55dc344e3e5fc9ec1eb93c9e8ebb0a58c673d57
This commit is contained in:
Ragnar Sundblad
2013-07-30 12:21:54 -04:00
committed by Jeffrey Altman
parent c4aa2f9067
commit 1bed48b75c

View File

@@ -970,10 +970,10 @@ tgs_make_reply(krb5_context context,
goto out;
}
if (krb5_enctype_valid(context, et.key.keytype) != 0
&& _kdc_is_weak_exception(server->entry.principal, et.key.keytype))
if (krb5_enctype_valid(context, serverkey->keytype) != 0
&& _kdc_is_weak_exception(server->entry.principal, serverkey->keytype))
{
krb5_enctype_enable(context, et.key.keytype);
krb5_enctype_enable(context, serverkey->keytype);
is_weak = 1;
}
@@ -994,7 +994,7 @@ tgs_make_reply(krb5_context context,
serverkey, 0, replykey, rk_is_subkey,
e_text, reply);
if (is_weak)
krb5_enctype_disable(context, et.key.keytype);
krb5_enctype_disable(context, serverkey->keytype);
out:
free_TGS_REP(&rep);