krb5 commit [krb5-1.12]: Fix SAM-2 preauth when password argument is used
Tom Yu
tlyu at MIT.EDU
Thu Jun 26 16:36:09 EDT 2014
https://github.com/krb5/krb5/commit/249562f0371207de31f48beb6cf7431dccd6f420
commit 249562f0371207de31f48beb6cf7431dccd6f420
Author: Greg Hudson <ghudson at mit.edu>
Date: Tue Feb 11 20:00:51 2014 -0500
Fix SAM-2 preauth when password argument is used
sam2_process accesses gak_data to get the password, so that it can do
string-to-key with the etype in the SAM-2 challenge. When #7642
changed gic_pwd.c to use struct gak_password instead of krb5_data,
sam2_process wasn't altered to match. We don't see a problem when the
password is read through the prompter (as with kinit), because the
password winds up in the storage field at the beginning of the
gak_password structure. But when a password is supplied as a
parameter (as with ksu), the storage field is empty and we get the
wrong answer from sam2_process.
(cherry picked from commit 3bedfe7c3724b0d22c72d1684f1cf76cfb600fdd)
ticket: 7862
version_fixed: 1.12.2
status: resolved
src/lib/krb5/krb/preauth_sam2.c | 5 +++--
1 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/src/lib/krb5/krb/preauth_sam2.c b/src/lib/krb5/krb/preauth_sam2.c
index 6888e94..c8a3306 100644
--- a/src/lib/krb5/krb/preauth_sam2.c
+++ b/src/lib/krb5/krb/preauth_sam2.c
@@ -95,6 +95,7 @@ sam2_process(krb5_context context, krb5_clpreauth_moddata moddata,
krb5_prompt kprompt;
krb5_prompt_type prompt_type;
krb5_data defsalt, *salt;
+ struct gak_password *gakpw;
krb5_checksum **cksum;
krb5_data *scratch = NULL;
krb5_boolean valid_cksum = 0;
@@ -219,9 +220,9 @@ sam2_process(krb5_context context, krb5_clpreauth_moddata moddata,
}
/* generate a key using the supplied password */
+ gakpw = ctx->gak_data;
retval = krb5_c_string_to_key(context, sc2b->sam_etype,
- (krb5_data *)ctx->gak_data, salt,
- &ctx->as_key);
+ gakpw->password, salt, &ctx->as_key);
if (retval) {
krb5_free_sam_challenge_2(context, sc2);
More information about the cvs-krb5
mailing list