From b768c78fcad7ca048a70478d824bde9f5ceffbd8 Mon Sep 17 00:00:00 2001
From: Joseph Sutton
Date: Tue, 16 Nov 2021 12:57:47 +1300
Subject: [PATCH] kdc: Move fetching krbtgt entry to before enctype selection

Assists Samba to address CVE-2020-25719

This allows us to use it when validating user-to-user.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14873

Signed-off-by: Joseph Sutton
Reviewed-by: Andrew Bartlett

(Similar to Samba commit f170f1eb4989d7f337eed0f45a558fe5231ea367)
---
 kdc/krb5tgs.c | 80 +++++++++++++++++++++++++--------------------------
 1 file changed, 40 insertions(+), 40 deletions(-)

diff --git a/kdc/krb5tgs.c b/kdc/krb5tgs.c
index 39d86064d..dd556004d 100644
--- a/kdc/krb5tgs.c
+++ b/kdc/krb5tgs.c
@@ -1665,6 +1665,46 @@ server_lookup:
 else
 rsp = sp;
 
+ /*
+ * Now refetch the primary krbtgt, and get the current kvno (the
+ * sign check may have been on an old kvno, and the server may
+ * have been an incoming trust)
+ */
+
+ ret = krb5_make_principal(context,
+ &krbtgt_out_principal,
+ our_realm,
+ KRB5_TGS_NAME,
+ our_realm,
+ NULL);
+ if (ret) {
+ kdc_log(context, config, 4,
+ "Failed to make krbtgt principal name object for "
+ "authz-data signatures");
+ goto out;
+ }
+ ret = krb5_unparse_name(context, krbtgt_out_principal, &krbtgt_out_n);
+ if (ret) {
+ kdc_log(context, config, 4,
+ "Failed to make krbtgt principal name object for "
+ "authz-data signatures");
+ goto out;
+ }
+
+ ret = _kdc_db_fetch(context, config, krbtgt_out_principal,
+ HDB_F_GET_KRBTGT, NULL, NULL, &krbtgt_out);
+ if (ret) {
+ char *ktpn = NULL;
+ ret = krb5_unparse_name(context, krbtgt->entry.principal, &ktpn);
+ kdc_log(context, config, 4,
+ "No such principal %s (needed for authz-data signature keys) "
+ "while processing TGS-REQ for service %s with krbtg %s",
+ krbtgt_out_n, spn, (ret == 0) ? ktpn : "");
+ free(ktpn);
+ ret = KRB5KRB_AP_ERR_NOT_US;
+ goto out;
+ }
+
 /*
 * Select enctype, return key and kvno.
 */
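Review bot: The block comment that moved with this code still says the refetched krbtgt entry is needed only for authz-data signature keys, while the commit message says the point of fetching it before enctype selection is that it is now also used when validating user-to-user; a reader of the new placement gets no hint of that second consumer. I would extend the comment with something like `* Fetched before enctype selection because the entry is also needed` / `* when validating user-to-user, not only for authz-data signatures.` so the ordering constraint survives the next refactor. Two smaller points in the same block, both pre-existing but now on the new side: the `kdc_log` in the `krb5_unparse_name` failure branch reuses the "Failed to make krbtgt principal name object" wording from the `krb5_make_principal` branch, so that failure is misreported, and the fetch-failure message spells it `krbtg %s`. The enclosing function begins and ends outside the hunk (only the `server_lookup:` label is visible), so I could not confirm that `krbtgt_out_principal` and `krbtgt_out_n` are released at `out:` on these now-earlier exit paths; presumably they are, as before the move, but worth a glance.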
@@ -1727,46 +1767,6 @@ server_lookup:
 * backward.
 */
 
- /*
- * Now refetch the primary krbtgt, and get the current kvno (the
- * sign check may have been on an old kvno, and the server may
- * have been an incoming trust)
- */
-
- ret = krb5_make_principal(context,
- &krbtgt_out_principal,
- our_realm,
- KRB5_TGS_NAME,
- our_realm,
- NULL);
- if (ret) {
- kdc_log(context, config, 4,
- "Failed to make krbtgt principal name object for "
- "authz-data signatures");
- goto out;
- }
- ret = krb5_unparse_name(context, krbtgt_out_principal, &krbtgt_out_n);
- if (ret) {
- kdc_log(context, config, 4,
- "Failed to make krbtgt principal name object for "
- "authz-data signatures");
- goto out;
- }
-
- ret = _kdc_db_fetch(context, config, krbtgt_out_principal,
- HDB_F_GET_KRBTGT, NULL, NULL, &krbtgt_out);
- if (ret) {
- char *ktpn = NULL;
- ret = krb5_unparse_name(context, krbtgt->entry.principal, &ktpn);
- kdc_log(context, config, 4,
- "No such principal %s (needed for authz-data signature keys) "
- "while processing TGS-REQ for service %s with krbtg %s",
- krbtgt_out_n, spn, (ret == 0) ? ktpn : "");
- free(ktpn);
- ret = KRB5KRB_AP_ERR_NOT_US;
- goto out;
- }
-
 /*
 * The first realm is the realm of the service, the second is
 * krbtgt//@REALM component of the krbtgt DN the request was