[29440] in CVS-changelog-for-Kerberos-V5

home help back first fref pref prev next nref lref last post

krb5 commit: Fail on error when processing KDC-issued authdata

daemon@ATHENA.MIT.EDU (Greg Hudson)
Mon Jun 20 11:54:19 2016

Date: Mon, 20 Jun 2016 11:54:15 -0400
From: Greg Hudson <ghudson@mit.edu>
Message-Id: <201606201554.u5KFsF6G006424@drugstore.mit.edu>
To: cvs-krb5@mit.edu
Reply-To: krbdev@mit.edu
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: cvs-krb5-bounces@mit.edu

https://github.com/krb5/krb5/commit/19eee5ffaca1cc5f2c8696188e524240e33af777
commit 19eee5ffaca1cc5f2c8696188e524240e33af777
Author: Matt Rogers <mrogers@redhat.com>
Date:   Thu May 12 20:36:41 2016 -0400

    Fail on error when processing KDC-issued authdata
    
    Have k5_get_kdc_issued_authdata() return 0 on a verification failure and
    non-zero for other failures, rather than call assert().  Check the
    return value when called in krb5int_authdata_verify().
    
    ticket: 8425

 src/lib/krb5/krb/authdata.c |   13 ++++++++++---
 1 files changed, 10 insertions(+), 3 deletions(-)

diff --git a/src/lib/krb5/krb/authdata.c b/src/lib/krb5/krb/authdata.c
index 047128a..91261b8 100644
--- a/src/lib/krb5/krb/authdata.c
+++ b/src/lib/krb5/krb/authdata.c
@@ -499,6 +499,7 @@ krb5_authdata_import_attributes(krb5_context kcontext,
     return k5_ad_internalize(kcontext, context, usage, &bp, &remain);
 }
 
+/* Return 0 with *kdc_issued_authdata == NULL on verification failure. */
 static krb5_error_code
 k5_get_kdc_issued_authdata(krb5_context kcontext,
                            const krb5_ap_req *ap_req,
@@ -530,7 +531,10 @@ k5_get_kdc_issued_authdata(krb5_context kcontext,
                                            kdc_issuer,
                                            kdc_issued_authdata);
 
-    assert(code == 0 || *kdc_issued_authdata == NULL);
+    if (code == KRB5KRB_AP_ERR_BAD_INTEGRITY ||
+        code == KRB5KRB_AP_ERR_INAPP_CKSUM ||
+        code == KRB5_BAD_ENCTYPE || code == KRB5_BAD_MSIZE)
+        code = 0;
 
     krb5_free_authdata(kcontext, authdata);
 
@@ -621,8 +625,11 @@ krb5int_authdata_verify(krb5_context kcontext,
 
     authen_authdata = (*auth_context)->authentp->authorization_data;
     ticket_authdata = ap_req->ticket->enc_part2->authorization_data;
-    k5_get_kdc_issued_authdata(kcontext, ap_req,
-                               &kdc_issuer, &kdc_issued_authdata);
+
+    code = k5_get_kdc_issued_authdata(kcontext, ap_req, &kdc_issuer,
+                                      &kdc_issued_authdata);
+    if (code)
+        goto cleanup;
 
     code = get_cammac_authdata(kcontext, ap_req, key, &cammac_authdata);
     if (code)
_______________________________________________
cvs-krb5 mailing list
cvs-krb5@mit.edu
https://mailman.mit.edu/mailman/listinfo/cvs-krb5
home help back first fref pref prev next nref lref last post