krb5 commit [krb5-1.15]: Check for FAST in encrypted challenge client

Greg Hudson ghudson at mit.edu
Mon Jul 17 22:59:31 EDT 2017


https://github.com/krb5/krb5/commit/ab8ab286f9c27ea34fb569dcb4472896abbf96d8
commit ab8ab286f9c27ea34fb569dcb4472896abbf96d8
Author: Greg Hudson <ghudson at mit.edu>
Date:   Tue Apr 11 17:00:01 2017 -0400

    Check for FAST in encrypted challenge client
    
    If we reach the encrypted challenge clpreauth process method without
    an armor key, error out instead of crashing.  This can happen if (a)
    the KDC offers encrypted challenge even though the request doesn't use
    FAST (the Heimdal KDC apparently does this), and (b) we fall back to
    that preauth method before generating a preauthenticated request,
    typically because of a prompter failure in encrypted timestamp.
    Reported by Nico Williams.
    
    (cherry picked from commit ff6aac3e018e80fa32df2e14446c6ed9595dfc3c)
    
    ticket: 8573
    version_fixed: 1.15.2

 src/lib/krb5/krb/preauth_ec.c |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

diff --git a/src/lib/krb5/krb/preauth_ec.c b/src/lib/krb5/krb/preauth_ec.c
index b197833..c1aa909 100644
--- a/src/lib/krb5/krb/preauth_ec.c
+++ b/src/lib/krb5/krb/preauth_ec.c
@@ -58,6 +58,8 @@ ec_process(krb5_context context, krb5_clpreauth_moddata moddata,
     krb5_keyblock *challenge_key = NULL, *armor_key, *as_key;
 
     armor_key = cb->fast_armor(context, rock);
+    if (armor_key == NULL)
+        return ENOENT;
     retval = cb->get_as_key(context, rock, &as_key);
     if (retval == 0 && padata->length) {
         krb5_enc_data *enc = NULL;


More information about the cvs-krb5 mailing list