CVE-2020-25719 heimdal:kdc: Move fetching krbtgt entry to before enctype selection
authorJoseph Sutton <josephsutton@catalyst.net.nz>
Tue, 26 Oct 2021 07:34:44 +0000 (20:34 +1300)
committerJule Anger <janger@samba.org>
Mon, 8 Nov 2021 09:52:12 +0000 (10:52 +0100)
This allows us to use it when validating user-to-user.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14873

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
source4/heimdal/kdc/krb5tgs.c

index 5cc45826cbe8174bb7dc3d44e06ba401ce2471a7..9cad3ac7a76daa91bfbcf03339de922301b1342b 100644 (file)
@@ -1518,6 +1518,41 @@ server_lookup:
        goto out;
     }
 
+    /* Now refetch the primary krbtgt, and get the current kvno (the
+     * sign check may have been on an old kvno, and the server may
+     * have been an incoming trust) */
+    ret = krb5_make_principal(context, &krbtgt_principal,
+                             krb5_principal_get_comp_string(context,
+                                                            krbtgt->entry.principal,
+                                                            1),
+                             KRB5_TGS_NAME,
+                             krb5_principal_get_comp_string(context,
+                                                            krbtgt->entry.principal,
+                                                            1), NULL);
+    if(ret) {
+       kdc_log(context, config, 0,
+                   "Failed to generate krbtgt principal");
+       goto out;
+    }
+
+    ret = _kdc_db_fetch(context, config, krbtgt_principal, HDB_F_GET_KRBTGT, NULL, NULL, &krbtgt_out);
+    krb5_free_principal(context, krbtgt_principal);
+    if (ret) {
+       krb5_error_code ret2;
+       char *ktpn, *ktpn2;
+       ret = krb5_unparse_name(context, krbtgt->entry.principal, &ktpn);
+       ret2 = krb5_unparse_name(context, krbtgt_principal, &ktpn2);
+       kdc_log(context, config, 0,
+               "Request with wrong krbtgt: %s, %s not found in our database",
+               (ret == 0) ? ktpn : "<unknown>", (ret2 == 0) ? ktpn2 : "<unknown>");
+       if(ret == 0)
+           free(ktpn);
+       if(ret2 == 0)
+           free(ktpn2);
+       ret = KRB5KRB_AP_ERR_NOT_US;
+       goto out;
+    }
+
     /*
      * Select enctype, return key and kvno.
      */
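Review bot: The failure branch reads krbtgt_principal after it has been released: `krb5_free_principal(context, krbtgt_principal);` runs unconditionally right after the `_kdc_db_fetch` call, and the `if (ret)` block then passes the same pointer to `krb5_unparse_name(context, krbtgt_principal, &ktpn2)` to build the log message, which is a use-after-free on the error path. The block is moved verbatim from the hunk below, so the defect is pre-existing rather than introduced by this commit, but the move is a natural point to fix it. I would drop the free that follows `_kdc_db_fetch` and instead add `krb5_free_principal(context, krbtgt_principal);` both immediately before `goto out` inside the failure branch and after the closing brace of `if (ret)`, assuming the `out:` cleanup (outside the hunk) does not already release krbtgt_principal. The enclosing function starts and ends outside the hunk.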
@@ -1568,41 +1603,6 @@ server_lookup:
      * backward.
      */
 
-    /* Now refetch the primary krbtgt, and get the current kvno (the
-     * sign check may have been on an old kvno, and the server may
-     * have been an incoming trust) */
-    ret = krb5_make_principal(context, &krbtgt_principal,
-                             krb5_principal_get_comp_string(context,
-                                                            krbtgt->entry.principal,
-                                                            1),
-                             KRB5_TGS_NAME,
-                             krb5_principal_get_comp_string(context,
-                                                            krbtgt->entry.principal,
-                                                            1), NULL);
-    if(ret) {
-       kdc_log(context, config, 0,
-                   "Failed to generate krbtgt principal");
-       goto out;
-    }
-
-    ret = _kdc_db_fetch(context, config, krbtgt_principal, HDB_F_GET_KRBTGT, NULL, NULL, &krbtgt_out);
-    krb5_free_principal(context, krbtgt_principal);
-    if (ret) {
-       krb5_error_code ret2;
-       char *ktpn, *ktpn2;
-       ret = krb5_unparse_name(context, krbtgt->entry.principal, &ktpn);
-       ret2 = krb5_unparse_name(context, krbtgt_principal, &ktpn2);
-       kdc_log(context, config, 0,
-               "Request with wrong krbtgt: %s, %s not found in our database",
-               (ret == 0) ? ktpn : "<unknown>", (ret2 == 0) ? ktpn2 : "<unknown>");
-       if(ret == 0)
-           free(ktpn);
-       if(ret2 == 0)
-           free(ktpn2);
-       ret = KRB5KRB_AP_ERR_NOT_US;
-       goto out;
-    }
-
     /* The first realm is the realm of the service, the second is
      * krbtgt/<this>/@REALM component of the krbtgt DN the request was
      * encrypted to.  The redirection via the krbtgt_out entry allows