The Samba-Bugzilla – Attachment 17534 Details for Bug 15048: [SECURITY] Avoid offering arcfour-hmac-md5 unless specified in KDC
[patch] heimdal-skey-selection.patch (text/plain), 3.34 KB, created by Andrew Bartlett on 2022-09-28 02:14:55 UTC
Description: Patches for Heimdal that seem to be the upstream fix for selecting the strongest key
Flags: patch, obsolete
>From 12cd2c9cbd1ca027a3ef9ac7ab3e79526b1348ae Mon Sep 17 00:00:00 2001 >From: Nicolas Williams <nico@cryptonector.com> >Date: Tue, 11 Oct 2011 23:57:58 -0500 >Subject: [PATCH 1/2] Fix TGS ticket enc-part key selection > > When I added support for configuring how the KDC selects session, > reply, and ticket enc-part keys I accidentally had the KDC use the > session key selection algorithm for selecting the ticket enc-part > key. This becomes a problem when using a Heimdal KDC with an MIT > KDB as the HDB backend and when the krbtgt keys are not in > strongest-to-weakest order, in which case forwardable tickets minted > by the Heimdal KDC will not be accepted by MIT KDCs with the same > KDB. >--- > kdc/krb5tgs.c | 7 ++----- > 1 file changed, 2 insertions(+), 5 deletions(-) > >diff --git a/kdc/krb5tgs.c b/kdc/krb5tgs.c >index 15ea5b0505..983c9dd4ae 100644 >--- a/kdc/krb5tgs.c >+++ b/kdc/krb5tgs.c >@@ -1699,17 +1699,14 @@ server_lookup: > } else { > Key *skey; > >- ret = _kdc_find_etype(context, >- config->tgs_use_strongest_session_key, FALSE, >- server, b->etype.val, b->etype.len, NULL, >- &skey); >+ ret = _kdc_get_preferred_key(context, config, server, spn, >+ &etype, &skey); > if(ret) { > kdc_log(context, config, 0, > "Server (%s) has no support for etypes", spn); > goto out; > } > ekey = &skey->key; >- etype = skey->key.keytype; > kvno = server->entry.kvno; > } > >-- >2.25.1 > > >From 4c6976a6bdf8a76c6f3c650ae970d46c931e5c71 Mon Sep 17 00:00:00 2001 
>From: Nicolas Williams <nico@cryptonector.com> >Date: Wed, 12 Oct 2011 01:15:13 -0500 >Subject: [PATCH 2/2] Fix check-des > > The previous fix was incomplete. But it also finally uncovered an > old check-des problem that I'd had once and which may have gotten > papered over by changing the default of one of the *strongest* KDC > parameters. The old problem is that we were passing the wrong > enctype to _kdc_encode_reply(): we were passing the session key > enctype where the ticket enc-part key's enctype was expected. > > The whole enctype being passed in is superfluous anyways. Let's > clean that up next. >--- > kdc/krb5tgs.c | 15 ++++++++++++--- > 1 file changed, 12 insertions(+), 3 deletions(-) > >diff --git a/kdc/krb5tgs.c b/kdc/krb5tgs.c >index 983c9dd4ae..903aaaa917 100644 >--- a/kdc/krb5tgs.c >+++ b/kdc/krb5tgs.c >@@ -988,7 +988,7 @@ tgs_make_reply(krb5_context context, > etype list, even if we don't want a session key with > DES3? */ > ret = _kdc_encode_reply(context, config, >- &rep, &et, &ek, et.key.keytype, >+ &rep, &et, &ek, serverkey->keytype, > kvno, > serverkey, 0, replykey, rk_is_subkey, > e_text, reply); >@@ -1699,13 +1699,22 @@ server_lookup: > } else { > Key *skey; > >- ret = _kdc_get_preferred_key(context, config, server, spn, >- &etype, &skey); >+ ret = _kdc_find_etype(context, >+ config->tgs_use_strongest_session_key, FALSE, >+ server, b->etype.val, b->etype.len, &etype, >+ NULL); > if(ret) { > kdc_log(context, config, 0, > "Server (%s) has no support for etypes", spn); > goto out; > } >+ ret = _kdc_get_preferred_key(context, config, server, spn, >+ NULL, &skey); >+ if(ret) { >+ kdc_log(context, config, 0, >+ "Server (%s) has no supported etypes", spn); >+ goto out; >+ } > ekey = &skey->key; > kvno = server->entry.kvno; > } >-- >2.25.1 >
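Review bot: in PATCH 1/2, hunk @@ -1699,17 +1699,14 @@ of kdc/krb5tgs.c, the client's requested enctype list (b->etype.val, b->etype.len) no longer takes part in the decision at all: `etype` was previously `skey->key.keytype`, i.e. a type the client had asked for, and is now whatever _kdc_get_preferred_key() returns for the server. If `etype` is still used further down this function to pick the session key enctype, a client that cannot handle the server's strongest key will be handed a session key it cannot use. Suggest keeping _kdc_find_etype() for `etype` and calling _kdc_get_preferred_key() only for `skey`, so the ticket enc-part key and the session key enctype are chosen separately, which is also what the commit message says the fix is meant to separate.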
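Review bot: in PATCH 2/2, hunk @@ -988,7 +988,7 @@ tgs_make_reply(), passing `serverkey->keytype` next to `serverkey` leaves two values in the same _kdc_encode_reply() call that must agree, and the commit message itself says the enctype argument is superfluous. The comment fragment left above the call ("etype list, even if we don't want a session key with DES3?") now describes nothing in the call. Suggest either dropping the parameter and the comment together in the promised cleanup, or at least updating the comment in this commit so it does not mislead readers into thinking the session key etype is being passed.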
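Review bot: in PATCH 2/2, hunk @@ -1699,13 +1699,22 @@, the two failure paths log near-identical messages ("Server (%s) has no support for etypes" and "Server (%s) has no supported etypes"), so an operator cannot tell whether the client's requested list had no type in common with the server or the server simply has no usable key; suggest wording that names the failing step, e.g. "no enctype in common with client" for the _kdc_find_etype() path and "no usable key" for the _kdc_get_preferred_key() path. The first call now passes NULL as its key out-parameter and the second NULL as its etype out-parameter; nothing in the hunk shows that both callees tolerate NULL there, so please confirm. A one-line comment stating that `etype` is the session-key enctype chosen from the client's list and `skey` the ticket enc-part key would also stop a future reader from merging the two calls again, which is the mistake PATCH 1/2 made.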