[666] in Kerberos-V5-bugs

Pointer-sharing problem (still) in krb5_mk_req_extended()

daemon@ATHENA.MIT.EDU (Shawn Mamros)
Fri Aug 19 15:22:26 1994

Date: Fri, 19 Aug 94 15:25:36 EDT
To: krb5-bugs@MIT.EDU
Cc: mamros@ftp.com
From: mamros@ftp.com  (Shawn Mamros)
Reply-To: mamros@ftp.com

krb5_mk_req_extended(), as shipped in Kerberos V5 beta 4 patchlevel 2,
will not function correctly if the newkey argument is non-NULL (indicating
that a sub-session key should be generated), and the authentp argument
is NULL.  If this happens, krb5_free_authenticator_contents() will
zero out and free the contents of newkey after generating the AP-REQ but
before returning to the caller, since the static function
krb5_generate_authenticator() merely sets authent->subkey to the pointer
to the keyblock, rather than copying the contents to a new keyblock.

There are two potential solutions.  One is to null out authent.subkey
after the call to encode_krb5_authenticator() in krb5_mk_req_extended(),
as it does with the other pointers in authent.  The caller does not need
the sub-session key in a returned authentp (if one is specified), since
the key is not generated unless the newkey argument is specified, in which
case it is placed in newkey.  On the other hand, if it is considered
important that the caller be able to access the key in both places, then
krb5_generate_authenticator() should be changed to copy the key (via
krb5_copy_keyblock()).

If one or the other of these solutions is adopted, or if some other
solution is used, I would appreciate hearing about it.

Thanks,
-Shawn Mamros
E-mail to: mamros@ftp.com
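The ownership problem the report describes, as an added illustration (not code from the report or from libkrb5): a caller-owned key is aliased into the authenticator, and the authenticator's own cleanup then releases it before control returns to the caller. The types, the `mk_req_sim()` driver and the owner tags are hypothetical stand-ins for `krb5_keyblock`, `krb5_authenticator`, `krb5_generate_authenticator()`, `krb5_free_authenticator_contents()` and `krb5_copy_keyblock()`, reduced to what the bug needs. Both remedies the report proposes are modelled: nulling out `subkey` after encoding, and deep-copying the key so the authenticator owns its own.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-ins for the krb5 types named in the report; not the
 * real libkrb5 definitions, only enough to show the pointer-ownership issue. */
enum owner { OWNER_NONE = 0, OWNER_CALLER = 1, OWNER_AUTHENTICATOR = 2 };

typedef struct {
    enum owner owner;        /* who is responsible for releasing this key */
    size_t length;
    unsigned char *contents;
} keyblock;

typedef struct {
    keyblock *subkey;        /* optional sub-session key; other fields omitted */
} authenticator;

enum mode { ALIAS_BUG = 0, FIX_NULL_OUT = 1, FIX_COPY = 2 };

typedef struct {
    int caller_key_freed;    /* 1 if cleanup released the caller's newkey */
    int total_frees;         /* keyblocks released during the simulated call */
} req_result;

static int g_frees;
static enum owner g_last_freed_owner;

static keyblock *keyblock_new(enum owner owner, size_t len) {
    keyblock *k = calloc(1, sizeof *k);
    if (!k) abort();
    k->owner = owner;
    k->length = len;
    k->contents = malloc(len);
    if (!k->contents) abort();
    memset(k->contents, 0x42, len);   /* constructed key material, not a real key */
    return k;
}

/* Zero-then-release cleanup, as the report says happens to the key contents. */
static void keyblock_free(keyblock *k) {
    g_last_freed_owner = k->owner;
    g_frees++;
    memset(k->contents, 0, k->length);
    free(k->contents);
    free(k);
}

/* Deep copy, the role krb5_copy_keyblock() plays in the second proposed fix. */
static keyblock *keyblock_copy(const keyblock *src, enum owner new_owner) {
    keyblock *k = keyblock_new(new_owner, src->length);
    memcpy(k->contents, src->contents, src->length);
    return k;
}

/* Reported behaviour: the authenticator merely aliases the caller's pointer. */
static void generate_authenticator_aliasing(authenticator *a, keyblock *newkey) {
    a->subkey = newkey;
}

/* Second proposed fix: the authenticator gets its own copy of the key. */
static void generate_authenticator_copying(authenticator *a, const keyblock *newkey) {
    a->subkey = keyblock_copy(newkey, OWNER_AUTHENTICATOR);
}

/* Stands in for krb5_free_authenticator_contents(): frees whatever subkey points at. */
static void free_authenticator_contents(authenticator *a) {
    if (a->subkey) {
        keyblock_free(a->subkey);
        a->subkey = NULL;
    }
}

/* Simulates the krb5_mk_req_extended() path with newkey != NULL, authentp == NULL. */
req_result mk_req_sim(enum mode mode) {
    req_result r = {0, 0};
    int frees_before = g_frees;
    keyblock *newkey = keyblock_new(OWNER_CALLER, 8);   /* caller-owned key */
    authenticator auth = { NULL };

    g_last_freed_owner = OWNER_NONE;
    if (mode == FIX_COPY)
        generate_authenticator_copying(&auth, newkey);
    else
        generate_authenticator_aliasing(&auth, newkey);

    /* ... encode_krb5_authenticator() would serialise auth at this point ... */

    if (mode == FIX_NULL_OUT)
        auth.subkey = NULL;   /* first proposed fix: drop the alias before cleanup */

    free_authenticator_contents(&auth);   /* runs before returning to the caller */

    r.caller_key_freed = (g_last_freed_owner == OWNER_CALLER);
    if (!r.caller_key_freed)
        keyblock_free(newkey);   /* caller releases its key as it normally would */
    /* In ALIAS_BUG mode newkey now dangles and must not be touched again. */

    r.total_frees = g_frees - frees_before;
    return r;
}

int main(void) {
    const char *names[] = { "aliasing (reported bug)", "null out subkey", "copy keyblock" };
    for (int m = ALIAS_BUG; m <= FIX_COPY; m++) {
        req_result r = mk_req_sim((enum mode)m);
        printf("%-24s caller key freed by cleanup: %d, frees: %d\n",
               names[m], r.caller_key_freed, r.total_frees);
    }
    return 0;
}
```

The owner tag recorded at free time is what makes the defect observable without dereferencing freed memory: in the aliasing case the cleanup reports that it released a caller-owned key, whereas both fixes leave the caller's key untouched (the copy variant simply costs one extra allocation and free).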
