From: Greg Hudson Date: Tue, 11 Apr 2017 21:00:01 +0000 (-0400) Subject: Check for FAST in encrypted challenge client X-Git-Tag: krb5-1.16-beta1~109 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=ff6aac3e018e80fa32df2e14446c6ed9595dfc3c;p=thirdparty%2Fkrb5.git Check for FAST in encrypted challenge client If we reach the encrypted challenge clpreauth process method without an armor key, error out instead of crashing. This can happen if (a) the KDC offers encrypted challenge even though the request doesn't use FAST (the Heimdal KDC apparently does this), and (b) we fall back to that preauth method before generating a preauthenticated request, typically because of a prompter failure in encrypted timestamp. Reported by Nico Williams. ticket: 8573 (new) target_version: 1.15-next target_version: 1.14-next tags: pullup --- diff --git a/src/lib/krb5/krb/preauth_ec.c b/src/lib/krb5/krb/preauth_ec.c index b1978336a0..c1aa9090fb 100644 --- a/src/lib/krb5/krb/preauth_ec.c +++ b/src/lib/krb5/krb/preauth_ec.c @@ -58,6 +58,8 @@ ec_process(krb5_context context, krb5_clpreauth_moddata moddata, krb5_keyblock *challenge_key = NULL, *armor_key, *as_key; armor_key = cb->fast_armor(context, rock); + if (armor_key == NULL) + return ENOENT; retval = cb->get_as_key(context, rock, &as_key); if (retval == 0 && padata->length) { krb5_enc_data *enc = NULL;
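Review bot: the new `if (armor_key == NULL) return ENOENT;` check in ec_process carries no comment, so the source alone does not say why an armor key can be missing at this point. The commit message has the explanation (a KDC offering encrypted challenge for a request that does not use FAST, reached through fallback after a prompter failure in encrypted timestamp); a short comment above the check would keep that reasoning next to the code. ENOENT is also a generic errno that tells the caller nothing about a missing FAST armor, so consider pairing it with a trace or error message to make the failure diagnosable. The placement itself looks right: the return comes before cb->get_as_key and before anything in the visible lines is allocated (challenge_key is still NULL), so no cleanup is skipped.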