From 1bed48b75cdebebfb1a3ce1e8c6962ca43848e32 Mon Sep 17 00:00:00 2001 From: Ragnar Sundblad Date: Tue, 30 Jul 2013 12:21:54 -0400 Subject: [PATCH] tgs_make_reply: fix temp weak enctype exception The default heimdal KDC chokes when trying to encrypt a ticket with a weak server key that has a different type than the session key. The problem happens in the krb5_crypto_init function called from the _kdc_encode_reply function. The existing work-around of the problem temporarily enabled the weak enctype in case it was disabled but the principal was on the (hard-coded) exception list. Unfortunately the code used the keytype of the key encoded in the ticked (the session key) instead of the keytype of the key used to encrypt the ticket (the serverkey) thus enabling the incorrect encryption type if those two are different, for instance des-cbc-md5 and des-cbc-crc. Change-Id: Ia55dc344e3e5fc9ec1eb93c9e8ebb0a58c673d57 --- kdc/krb5tgs.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/kdc/krb5tgs.c b/kdc/krb5tgs.c index 43a677271..4634fefb6 100644 --- a/kdc/krb5tgs.c +++ b/kdc/krb5tgs.c @@ -970,10 +970,10 @@ tgs_make_reply(krb5_context context, goto out; } - if (krb5_enctype_valid(context, et.key.keytype) != 0 - && _kdc_is_weak_exception(server->entry.principal, et.key.keytype)) + if (krb5_enctype_valid(context, serverkey->keytype) != 0 + && _kdc_is_weak_exception(server->entry.principal, serverkey->keytype)) { - krb5_enctype_enable(context, et.key.keytype); + krb5_enctype_enable(context, serverkey->keytype); is_weak = 1; } @@ -994,7 +994,7 @@ tgs_make_reply(krb5_context context, serverkey, 0, replykey, rk_is_subkey, e_text, reply); if (is_weak) - krb5_enctype_disable(context, et.key.keytype); + krb5_enctype_disable(context, serverkey->keytype); out: free_TGS_REP(&rep);