author | Andrew Bartlett <abartlet@samba.org> | 2022-11-01 14:47:12 +1300 |
---|---|---|
committer | Stefan Metzmacher <metze@samba.org> | 2022-12-14 00:48:48 +0100 |
commit | 4650ce1fa5ce1f1da46829bd95bffbb748ed90ca (patch) | |
tree | 22573c33d7cd8a4c71540df7bb17276a53c27c54 | |
parent | fed97f46265834f53a895de2460d01321b6f32a7 (diff) | |
download | samba-4650ce1fa5ce1f1da46829bd95bffbb748ed90ca.tar.gz |
CVE-2022-37966 HEIMDAL: Look up the server keys to combine with clients etype list to select a session key
We need to select server, not client, to compare client etypes against.
(It is not useful to compare the client-supplied encryption types with
the client's own long-term keys.)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(similar to commit 538315a2aa6d03b7639b49eb1576efa8755fefec)
[jsutton@samba.org Fixed knownfail conflicts]
[jsutton@samba.org Fixed knownfail conflicts]
[jsutton@samba.org Fixed knownfail conflicts; adapted to older Heimdal
version]
-rw-r--r-- | selftest/knownfail_heimdal_kdc | 5 | ||||
-rw-r--r-- | source4/heimdal/kdc/kerberos5.c | 2 |
2 files changed, 1 insertions, 6 deletions
diff --git a/selftest/knownfail_heimdal_kdc b/selftest/knownfail_heimdal_kdc index 5dc3c60847e..692b9ecdd72 100644 --- a/selftest/knownfail_heimdal_kdc +++ b/selftest/knownfail_heimdal_kdc @@ -109,8 +109,3 @@ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_fast_service_ticket ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_fast_sid_mismatch_existing ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_fast_sid_mismatch_nonexisting -# -# Encryption type tests -# -^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_as_aes_requested.ad_dc -^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_as_rc4_supported_aes_requested.ad_dc diff --git a/source4/heimdal/kdc/kerberos5.c b/source4/heimdal/kdc/kerberos5.c index bda61e69df2..bfe196c338f 100644 --- a/source4/heimdal/kdc/kerberos5.c +++ b/source4/heimdal/kdc/kerberos5.c @@ -1164,7 +1164,7 @@ _kdc_as_rep(krb5_context context, * decrypt. */ ret = _kdc_find_etype(context, config->as_use_strongest_session_key, FALSE, - client, b->etype.val, b->etype.len, &sessionetype, + server, b->etype.val, b->etype.len, &sessionetype, NULL); if (ret) { kdc_log(context, config, 0, |
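Review bot: In selftest/knownfail_heimdal_kdc the two EtypeTests entries, test_as_aes_requested.ad_dc and test_as_rc4_supported_aes_requested.ad_dc, are dropped together with their "# Encryption type tests" header, but the commit message never says that these tests are expected to pass now. A sentence there naming the two tests would tie the knownfail removal to the client-to-server change in kerberos5.c and make later backport conflicts in this file easier to resolve.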
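Review bot: In the _kdc_as_rep() hunk of source4/heimdal/kdc/kerberos5.c, the _kdc_find_etype() call now takes "server", but the comment ending in "decrypt. */" just above it and the kdc_log(context, config, 0, ...) message in the "if (ret)" branch are cut off by the hunk context, so it is not visible whether they still describe the client. Please confirm both read correctly for the new behaviour: a failure here now means the client's etype list (b->etype.val, b->etype.len) has nothing in common with the server's keys, and the log line is what an administrator will see when diagnosing that.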