[29906] in CVS-changelog-for-Kerberos-V5
krb5 commit: Check for FAST in encrypted challenge client
daemon@ATHENA.MIT.EDU (Greg Hudson)
Wed Apr 12 11:50:47 2017
Date: Wed, 12 Apr 2017 11:50:43 -0400
From: Greg Hudson <ghudson@mit.edu>
Message-Id: <201704121550.v3CFoh0H004299@drugstore.mit.edu>
To: cvs-krb5@mit.edu
Reply-To: krbdev@mit.edu
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: cvs-krb5-bounces@mit.edu
https://github.com/krb5/krb5/commit/ff6aac3e018e80fa32df2e14446c6ed9595dfc3c
commit ff6aac3e018e80fa32df2e14446c6ed9595dfc3c
Author: Greg Hudson <ghudson@mit.edu>
Date: Tue Apr 11 17:00:01 2017 -0400
Check for FAST in encrypted challenge client
If we reach the encrypted challenge clpreauth process method without
an armor key, error out instead of crashing. This can happen if (a)
the KDC offers encrypted challenge even though the request doesn't use
FAST (the Heimdal KDC apparently does this), and (b) we fall back to
that preauth method before generating a preauthenticated request,
typically because of a prompter failure in encrypted timestamp.
Reported by Nico Williams.
ticket: 8573 (new)
target_version: 1.15-next
target_version: 1.14-next
tags: pullup
src/lib/krb5/krb/preauth_ec.c | 2 ++
1 files changed, 2 insertions(+), 0 deletions(-)
diff --git a/src/lib/krb5/krb/preauth_ec.c b/src/lib/krb5/krb/preauth_ec.c
index b197833..c1aa909 100644
--- a/src/lib/krb5/krb/preauth_ec.c
+++ b/src/lib/krb5/krb/preauth_ec.c
@@ -58,6 +58,8 @@ ec_process(krb5_context context, krb5_clpreauth_moddata moddata,
krb5_keyblock *challenge_key = NULL, *armor_key, *as_key;
armor_key = cb->fast_armor(context, rock);
+ if (armor_key == NULL)
+ return ENOENT;
retval = cb->get_as_key(context, rock, &as_key);
if (retval == 0 && padata->length) {
krb5_enc_data *enc = NULL;
_______________________________________________
cvs-krb5 mailing list
cvs-krb5@mit.edu
https://mailman.mit.edu/mailman/listinfo/cvs-krb5