authorNicolas Williams <nico@cryptonector.com>2011-10-11 23:57:58 -0500
committerStefan Metzmacher <metze@samba.org>2022-12-07 19:35:14 +0100
commit2be27ec1d7f3bfcdcac65bca1db53772535fe7bf (patch)
tree631597498f7fefe25113132053a45cd9350e71ad
parent73c7c6ec9bc3a1993e766f119e9e29905ded5e28 (diff)
downloadsamba-2be27ec1d7f3bfcdcac65bca1db53772535fe7bf.tar.gz
CVE-2022-45141 source4/heimdal: Fix TGS ticket enc-part key selection
When I added support for configuring how the KDC selects session, reply, and ticket enc-part keys I accidentally had the KDC use the session key selection algorithm for selecting the ticket enc-part key. This becomes a problem when using a Heimdal KDC with an MIT KDB as the HDB backend and when the krbtgt keys are not in strongest-to-weakest order, in which case forwardable tickets minted by the Heimdal KDC will not be accepted by MIT KDCs with the same KDB. (cherry picked from Heimdal commit 12cd2c9cbd1ca027a3ef9ac7ab3e79526b1348ae) BUG: https://bugzilla.samba.org/show_bug.cgi?id=15214 BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237 Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Stefan Metzmacher <metze@samba.org>
-rw-r--r--source4/heimdal/kdc/krb5tgs.c7
1 files changed, 2 insertions, 5 deletions
diff --git a/source4/heimdal/kdc/krb5tgs.c b/source4/heimdal/kdc/krb5tgs.c
index 15be136496f..7391393e4b6 100644
--- a/source4/heimdal/kdc/krb5tgs.c
+++ b/source4/heimdal/kdc/krb5tgs.c
@@ -1665,17 +1665,14 @@ server_lookup:
} else {
Key *skey;
- ret = _kdc_find_etype(context,
- config->tgs_use_strongest_session_key, FALSE,
- server, b->etype.val, b->etype.len, NULL,
- &skey);
+ ret = _kdc_get_preferred_key(context, config, server, spn,
+ &etype, &skey);
if(ret) {
kdc_log(context, config, 0,
"Server (%s) has no support for etypes", spn);
goto out;
}
ekey = &skey->key;
- etype = skey->key.keytype;
kvno = server->entry.kvno;
}
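Review bot: The error path after the new `_kdc_get_preferred_key()` call still logs "Server (%s) has no support for etypes", wording that dates from when the key was matched against the client's `b->etype` list. The lookup no longer takes that list, so a message such as `"Server (%s) has no usable key for the ticket enc-part", spn` would point an operator at the server's key set instead of the request. A short comment above the call would also guard against the session-key and ticket-key selection being merged again: `/* Ticket enc-part key: chosen from the server's keys, not from the client's requested etypes (b->etype). */`. `etype` is now written only through the out-parameter, so it is presumably left unset on failure; the `goto out` makes that harmless here, but it is worth confirming against the helper. The enclosing function begins and ends outside this hunk.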