kdc: Move fetching krbtgt entry to before enctype selection

Assists Samba to address CVE-2020-25719 This allows us to use it when validating user-to-user. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14873 Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> (Similar to Samba commit f170f1eb4989d7f337eed0f45a558fe5231ea367)
2021-11-16 12:57:47 +13:00
parent 5cb5b6d748
commit b768c78fca
1 changed files with 40 additions and 40 deletions
--- a/kdc/krb5tgs.c
+++ b/kdc/krb5tgs.c
@@ -1665,6 +1665,46 @@ server_lookup:
    else
 	rsp = sp;

+    /*
+     * Now refetch the primary krbtgt, and get the current kvno (the
+     * sign check may have been on an old kvno, and the server may
+     * have been an incoming trust)
+     */
+
+    ret = krb5_make_principal(context,
+                              &krbtgt_out_principal,
+                              our_realm,
+                              KRB5_TGS_NAME,
+                              our_realm,
+                              NULL);
+    if (ret) {
+        kdc_log(context, config, 4,
+                "Failed to make krbtgt principal name object for "
+                "authz-data signatures");
+        goto out;
+    }
+    ret = krb5_unparse_name(context, krbtgt_out_principal, &krbtgt_out_n);
+    if (ret) {
+        kdc_log(context, config, 4,
+                "Failed to make krbtgt principal name object for "
+                "authz-data signatures");
+        goto out;
+    }
+
+    ret = _kdc_db_fetch(context, config, krbtgt_out_principal,
+			HDB_F_GET_KRBTGT, NULL, NULL, &krbtgt_out);
+    if (ret) {
+	char *ktpn = NULL;
+	ret = krb5_unparse_name(context, krbtgt->entry.principal, &ktpn);
+	kdc_log(context, config, 4,
+		"No such principal %s (needed for authz-data signature keys) "
+		"while processing TGS-REQ for service %s with krbtg %s",
+		krbtgt_out_n, spn, (ret == 0) ? ktpn : "<unknown>");
+	free(ktpn);
+	ret = KRB5KRB_AP_ERR_NOT_US;
+	goto out;
+    }
+
    /*
     * Select enctype, return key and kvno.
     */
@@ -1727,46 +1767,6 @@ server_lookup:
     * backward.
     */

-    /* 
-     * Now refetch the primary krbtgt, and get the current kvno (the
-     * sign check may have been on an old kvno, and the server may
-     * have been an incoming trust)
-     */
-    
-    ret = krb5_make_principal(context,
-                              &krbtgt_out_principal,
-                              our_realm,
-                              KRB5_TGS_NAME,
-                              our_realm,
-                              NULL);
-    if (ret) {
-        kdc_log(context, config, 4,
-                "Failed to make krbtgt principal name object for "
-                "authz-data signatures");
-        goto out;
-    }
-    ret = krb5_unparse_name(context, krbtgt_out_principal, &krbtgt_out_n);
-    if (ret) {
-        kdc_log(context, config, 4,
-                "Failed to make krbtgt principal name object for "
-                "authz-data signatures");
-        goto out;
-    }
-
-    ret = _kdc_db_fetch(context, config, krbtgt_out_principal,
-			HDB_F_GET_KRBTGT, NULL, NULL, &krbtgt_out);
-    if (ret) {
-	char *ktpn = NULL;
-	ret = krb5_unparse_name(context, krbtgt->entry.principal, &ktpn);
-	kdc_log(context, config, 4,
-		"No such principal %s (needed for authz-data signature keys) "
-		"while processing TGS-REQ for service %s with krbtg %s",
-		krbtgt_out_n, spn, (ret == 0) ? ktpn : "<unknown>");
-	free(ktpn);
-	ret = KRB5KRB_AP_ERR_NOT_US;
-	goto out;
-    }
-
    /* 
     * The first realm is the realm of the service, the second is
     * krbtgt/<this>/@REALM component of the krbtgt DN the request was