tgs_make_reply: fix temp weak enctype exception
The default heimdal KDC chokes when trying to encrypt a ticket with a weak server key that has a different type than the session key. The problem happens in the krb5_crypto_init function called from the _kdc_encode_reply function. The existing work-around of the problem temporarily enabled the weak enctype in case it was disabled but the principal was on the (hard-coded) exception list. Unfortunately the code used the keytype of the key encoded in the ticked (the session key) instead of the keytype of the key used to encrypt the ticket (the serverkey) thus enabling the incorrect encryption type if those two are different, for instance des-cbc-md5 and des-cbc-crc. Change-Id: Ia55dc344e3e5fc9ec1eb93c9e8ebb0a58c673d57
This commit is contained in:

committed by
Jeffrey Altman

parent
c4aa2f9067
commit
1bed48b75c
@@ -970,10 +970,10 @@ tgs_make_reply(krb5_context context,
|
||||
goto out;
|
||||
}
|
||||
|
||||
if (krb5_enctype_valid(context, et.key.keytype) != 0
|
||||
&& _kdc_is_weak_exception(server->entry.principal, et.key.keytype))
|
||||
if (krb5_enctype_valid(context, serverkey->keytype) != 0
|
||||
&& _kdc_is_weak_exception(server->entry.principal, serverkey->keytype))
|
||||
{
|
||||
krb5_enctype_enable(context, et.key.keytype);
|
||||
krb5_enctype_enable(context, serverkey->keytype);
|
||||
is_weak = 1;
|
||||
}
|
||||
|
||||
@@ -994,7 +994,7 @@ tgs_make_reply(krb5_context context,
|
||||
serverkey, 0, replykey, rk_is_subkey,
|
||||
e_text, reply);
|
||||
if (is_weak)
|
||||
krb5_enctype_disable(context, et.key.keytype);
|
||||
krb5_enctype_disable(context, serverkey->keytype);
|
||||
|
||||
out:
|
||||
free_TGS_REP(&rep);
|
||||
|
Reference in New Issue
Block a user