CVE-2022-37966 HEIMDAL: Look up the server keys to combine with clients etype list...

We need to select server, not client, to compare client etypes against.

(It is not useful to compare the client-supplied encryption types with
the client's own long-term keys.)

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

diff --git a/kdc/kerberos5.c b/kdc/kerberos5.c
index 98d03d36b6f13f98f2f67524ff7e60a80560f90c..2ae215e556688bb31b0d7018ab42b473fec16fc8 100644 (file)
--- a/kdc/kerberos5.c
+++ b/kdc/kerberos5.c
@@ -2210,7 +2210,7 @@ _kdc_as_rep(astgs_request_t r)
      * intersection of the client's requested enctypes and the server's (like a
      * root krbtgt, but not necessarily) etypes from its HDB entry.
      */
-    ret = _kdc_find_etype(r, (is_tgs ?  KFE_IS_TGS:0) | KFE_USE_CLIENT,
+    ret = _kdc_find_etype(r, (is_tgs ?  KFE_IS_TGS:0),
                          b->etype.val, b->etype.len,
                          &r->sessionetype, NULL, NULL);
     if (ret) {