krb5 commit: Prevent use of invalid local TGT key

Greg Hudson ghudson at mit.edu
Thu May 14 17:04:35 EDT 2020


https://github.com/krb5/krb5/commit/d7ed635e822e13b89fef93463d1d132b1e03b78f
commit d7ed635e822e13b89fef93463d1d132b1e03b78f
Author: Greg Hudson <ghudson at mit.edu>
Date:   Wed May 13 13:05:49 2020 -0400

    Prevent use of invalid local TGT key
    
    Commit 570967e11bd5ea60a82fc8157ad7d07602402ebb took a shortcut in
    get_local_tgt() by using the first key data entry in the TGT principal
    entry.  This is usually correct, but if the first key data entry has
    an invalid enctype (such as a single-DES enctype), we can select a key
    we can't use.  Call krb5_dbe_find_enctype() instead.  Reported by
    Leonard Peirce.
    
    ticket: 8906
    tags: pullup
    target_version: 1.18-next

 src/kdc/kdc_util.c |   10 +++++-----
 1 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c
index 9dd0242..4390b28 100644
--- a/src/kdc/kdc_util.c
+++ b/src/kdc/kdc_util.c
@@ -514,6 +514,7 @@ get_local_tgt(krb5_context context, const krb5_data *realm,
     krb5_error_code ret;
     krb5_principal princ;
     krb5_db_entry *storage = NULL, *tgt;
+    krb5_key_data *kd;
 
     *alias_out = NULL;
     *storage_out = NULL;
@@ -534,12 +535,11 @@ get_local_tgt(krb5_context context, const krb5_data *realm,
         tgt = candidate;
     }
 
-    if (tgt->n_key_data == 0) {
-        ret = KRB5_KDB_NO_MATCHING_KEY;
+    /* Find and decrypt the first valid key of the current kvno. */
+    ret = krb5_dbe_find_enctype(context, tgt, -1, -1, 0, &kd);
+    if (ret)
         goto cleanup;
-    }
-    ret = krb5_dbe_decrypt_key_data(context, NULL, &tgt->key_data[0], key_out,
-                                    NULL);
+    ret = krb5_dbe_decrypt_key_data(context, NULL, kd, key_out, NULL);
     if (ret)
         goto cleanup;
 


More information about the cvs-krb5 mailing list