krb5 commit: Fail on error when processing KDC-issued authdata
Greg Hudson
ghudson at mit.edu
Mon Jun 20 11:54:15 EDT 2016
https://github.com/krb5/krb5/commit/19eee5ffaca1cc5f2c8696188e524240e33af777
commit 19eee5ffaca1cc5f2c8696188e524240e33af777
Author: Matt Rogers <mrogers at redhat.com>
Date: Thu May 12 20:36:41 2016 -0400
Fail on error when processing KDC-issued authdata
Have k5_get_kdc_issued_authdata() return 0 on a verification failure and
non-zero for other failures, rather than call assert(). Check the
return value when called in krb5int_authdata_verify().
ticket: 8425
src/lib/krb5/krb/authdata.c | 13 ++++++++++---
1 files changed, 10 insertions(+), 3 deletions(-)
diff --git a/src/lib/krb5/krb/authdata.c b/src/lib/krb5/krb/authdata.c
index 047128a..91261b8 100644
--- a/src/lib/krb5/krb/authdata.c
+++ b/src/lib/krb5/krb/authdata.c
@@ -499,6 +499,7 @@ krb5_authdata_import_attributes(krb5_context kcontext,
return k5_ad_internalize(kcontext, context, usage, &bp, &remain);
}
+/* Return 0 with *kdc_issued_authdata == NULL on verification failure. */
static krb5_error_code
k5_get_kdc_issued_authdata(krb5_context kcontext,
const krb5_ap_req *ap_req,
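Review bot: The new header comment documents only the verification-failure case, while the commit message also promises a non-zero return for other failures, which is what callers must now check. I would state both halves of the contract, for example `/* Return 0 with *kdc_issued_authdata == NULL on verification failure; return a non-zero code for any other error. */`. The function body continues outside this hunk, so the wording should be checked against the full definition.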
@@ -530,7 +531,10 @@ k5_get_kdc_issued_authdata(krb5_context kcontext,
kdc_issuer,
kdc_issued_authdata);
- assert(code == 0 || *kdc_issued_authdata == NULL);
+ if (code == KRB5KRB_AP_ERR_BAD_INTEGRITY ||
+ code == KRB5KRB_AP_ERR_INAPP_CKSUM ||
+ code == KRB5_BAD_ENCTYPE || code == KRB5_BAD_MSIZE)
+ code = 0;
krb5_free_authdata(kcontext, authdata);
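Review bot: Nothing on the visible lines preserves the invariant the removed assert() expressed, that *kdc_issued_authdata is NULL whenever verification did not succeed. The new branch rewrites the four listed codes to `code = 0` and relies on the callee, whose call starts above the hunk, to have left the output NULL. That matters because the function now returns success in those cases, so a non-NULL leftover would reach the caller as if it had been verified. Once the callee's behaviour is confirmed, a comment above the branch would record it, e.g. `/* Verification failures are not fatal; the callee leaves *kdc_issued_authdata NULL, so we continue without it. */`. It would also help to say why exactly these four codes are treated as soft failures, since any other code now aborts the caller.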
@@ -621,8 +625,11 @@ krb5int_authdata_verify(krb5_context kcontext,
authen_authdata = (*auth_context)->authentp->authorization_data;
ticket_authdata = ap_req->ticket->enc_part2->authorization_data;
- k5_get_kdc_issued_authdata(kcontext, ap_req,
- &kdc_issuer, &kdc_issued_authdata);
+
+ code = k5_get_kdc_issued_authdata(kcontext, ap_req, &kdc_issuer,
+ &kdc_issued_authdata);
+ if (code)
+ goto cleanup;
code = get_cammac_authdata(kcontext, ap_req, key, &cammac_authdata);
if (code)
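Review bot: The added `goto cleanup` is taken before get_cammac_authdata() has run, so the cleanup path is now reachable with cammac_authdata untouched by this function. The declarations and the cleanup label are outside the hunk, so it is worth confirming that cammac_authdata, kdc_issuer and kdc_issued_authdata are initialised to NULL before this point and that cleanup frees them unconditionally safely. The diffstat lists only authdata.c, so a regression test covering KDC-issued authdata whose checksum does not verify (expect success with the element ignored) and a non-verification error (expect failure) would pin the new behaviour.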