kdc: Move fetching krbtgt entry to before enctype selection
Assists Samba to address CVE-2020-25719. This allows the krbtgt entry to be used when validating user-to-user authentication. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14873 Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> (Similar to Samba commit f170f1eb4989d7f337eed0f45a558fe5231ea367)

committed by
Luke Howard

parent
5cb5b6d748
commit
b768c78fca
@@ -1665,6 +1665,46 @@ server_lookup:
|
||||
else
|
||||
rsp = sp;
|
||||
|
||||
/*
|
||||
* Now refetch the primary krbtgt, and get the current kvno (the
|
||||
* sign check may have been on an old kvno, and the server may
|
||||
* have been an incoming trust)
|
||||
*/
|
||||
|
||||
ret = krb5_make_principal(context,
|
||||
&krbtgt_out_principal,
|
||||
our_realm,
|
||||
KRB5_TGS_NAME,
|
||||
our_realm,
|
||||
NULL);
|
||||
if (ret) {
|
||||
kdc_log(context, config, 4,
|
||||
"Failed to make krbtgt principal name object for "
|
||||
"authz-data signatures");
|
||||
goto out;
|
||||
}
|
||||
ret = krb5_unparse_name(context, krbtgt_out_principal, &krbtgt_out_n);
|
||||
if (ret) {
|
||||
kdc_log(context, config, 4,
|
||||
"Failed to make krbtgt principal name object for "
|
||||
"authz-data signatures");
|
||||
goto out;
|
||||
}
|
||||
|
||||
ret = _kdc_db_fetch(context, config, krbtgt_out_principal,
|
||||
HDB_F_GET_KRBTGT, NULL, NULL, &krbtgt_out);
|
||||
if (ret) {
|
||||
char *ktpn = NULL;
|
||||
ret = krb5_unparse_name(context, krbtgt->entry.principal, &ktpn);
|
||||
kdc_log(context, config, 4,
|
||||
"No such principal %s (needed for authz-data signature keys) "
|
||||
"while processing TGS-REQ for service %s with krbtg %s",
|
||||
krbtgt_out_n, spn, (ret == 0) ? ktpn : "<unknown>");
|
||||
free(ktpn);
|
||||
ret = KRB5KRB_AP_ERR_NOT_US;
|
||||
goto out;
|
||||
}
|
||||
|
||||
/*
|
||||
* Select enctype, return key and kvno.
|
||||
*/
|
||||
@@ -1727,46 +1767,6 @@ server_lookup:
|
||||
* backward.
|
||||
*/
|
||||
|
||||
/*
|
||||
* Now refetch the primary krbtgt, and get the current kvno (the
|
||||
* sign check may have been on an old kvno, and the server may
|
||||
* have been an incoming trust)
|
||||
*/
|
||||
|
||||
ret = krb5_make_principal(context,
|
||||
&krbtgt_out_principal,
|
||||
our_realm,
|
||||
KRB5_TGS_NAME,
|
||||
our_realm,
|
||||
NULL);
|
||||
if (ret) {
|
||||
kdc_log(context, config, 4,
|
||||
"Failed to make krbtgt principal name object for "
|
||||
"authz-data signatures");
|
||||
goto out;
|
||||
}
|
||||
ret = krb5_unparse_name(context, krbtgt_out_principal, &krbtgt_out_n);
|
||||
if (ret) {
|
||||
kdc_log(context, config, 4,
|
||||
"Failed to make krbtgt principal name object for "
|
||||
"authz-data signatures");
|
||||
goto out;
|
||||
}
|
||||
|
||||
ret = _kdc_db_fetch(context, config, krbtgt_out_principal,
|
||||
HDB_F_GET_KRBTGT, NULL, NULL, &krbtgt_out);
|
||||
if (ret) {
|
||||
char *ktpn = NULL;
|
||||
ret = krb5_unparse_name(context, krbtgt->entry.principal, &ktpn);
|
||||
kdc_log(context, config, 4,
|
||||
"No such principal %s (needed for authz-data signature keys) "
|
||||
"while processing TGS-REQ for service %s with krbtg %s",
|
||||
krbtgt_out_n, spn, (ret == 0) ? ktpn : "<unknown>");
|
||||
free(ktpn);
|
||||
ret = KRB5KRB_AP_ERR_NOT_US;
|
||||
goto out;
|
||||
}
|
||||
|
||||
/*
|
||||
* The first realm is the realm of the service, the second is
|
||||
* krbtgt/<this>/@REALM component of the krbtgt DN the request was
|
||||
|