Prevent use of invalid local TGT key
Commit 570967e11bd5ea60a82fc8157ad7d07602402ebb took a shortcut in
get_local_tgt() by using the first key data entry in the TGT principal
entry. This is usually correct, but if the first key data entry has
an invalid enctype (such as a single-DES enctype), we can select a key
we can't use. Call krb5_dbe_find_enctype() instead. Reported by
Leonard Peirce.
(cherry picked from commit d7ed635e822e13b89fef93463d1d132b1e03b78f)
ticket: 8906
version_fixed: 1.18.2
Greg Hudson
3 years ago
563 | 563 | krb5_error_code ret; |
564 | 564 | krb5_principal princ; |
565 | 565 | krb5_db_entry *storage = NULL, *tgt; |
566 | krb5_key_data *kd; | |
566 | 567 | |
567 | 568 | *alias_out = NULL; |
568 | 569 | *storage_out = NULL; |
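Review bot: the new `krb5_key_data *kd;` at line 566 is left uninitialised, unlike `storage = NULL` two lines above; it is only dereferenced after `krb5_dbe_find_enctype` succeeds, so this is safe, but initialising it to NULL (`krb5_key_data *kd = NULL;`) would keep the declarations in this function consistent and avoid a maybe-uninitialised warning from stricter compilers.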
583 | 584 | tgt = candidate; |
584 | 585 | } |
585 | 586 | |
586 | if (tgt->n_key_data == 0) { | |
587 | ret = KRB5_KDB_NO_MATCHING_KEY; | |
587 | /* Find and decrypt the first valid key of the current kvno. */ | |
588 | ret = krb5_dbe_find_enctype(context, tgt, -1, -1, 0, &kd); | |
589 | if (ret) | |
588 | 590 | goto cleanup; |
589 | } | |
590 | ret = krb5_dbe_decrypt_key_data(context, NULL, &tgt->key_data[0], key_out, | |
591 | NULL); | |
591 | ret = krb5_dbe_decrypt_key_data(context, NULL, kd, key_out, NULL); | |
592 | 592 | if (ret) |
593 | 593 | goto cleanup; |
594 | 594 |
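Review bot: dropping the explicit `if (tgt->n_key_data == 0)` branch means the `ret = KRB5_KDB_NO_MATCHING_KEY;` assignment is no longer made here, so the error seen by callers for a TGT entry with no usable key is now whatever `krb5_dbe_find_enctype()` returns; review should confirm that is the same code, otherwise the failure mode for a principal whose only keys are invalid enctypes changes silently. Two smaller points on the same lines: the comment says "first valid key of the current kvno" while the call passes `0` for the kvno argument (with `-1` for ktype and stype), so a one-word note that `0` means "highest kvno" rather than "kvno zero" would save the next reader a trip to the kdb source; and since the point of the fix is that `key_data[0]` could be a single-DES key, the commit would benefit from a test in the KDC test suite that adds a TGT entry whose first key has an unsupported enctype and checks that a local TGT lookup still succeeds.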