directory-dev mailing list archives

From "Kiran Ayyagari (JIRA)" <j...@apache.org>
Subject [jira] [Resolved] (DIRKRB-97) NPE while calling KdcConnection.changePassword
Date Wed, 08 Jan 2014 09:48:51 GMT

     [ https://issues.apache.org/jira/browse/DIRKRB-97?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Kiran Ayyagari resolved DIRKRB-97.
----------------------------------

       Resolution: Fixed
    Fix Version/s: 2.0.0-M12
         Assignee: Kiran Ayyagari  (was: Emmanuel Lecharny)

Thanks for the report and the patch. It looks like Active Directory is not
setting the subkey in the reply (ApacheDS does, but it is not needed).

Fixed here http://svn.apache.org/r1556475

> NPE while calling KdcConnection.changePassword
> ----------------------------------------------
>
>                 Key: DIRKRB-97
>                 URL: https://issues.apache.org/jira/browse/DIRKRB-97
>             Project: Directory Kerberos
>          Issue Type: Bug
>          Components: changepw
>    Affects Versions: 2.0.0-M12
>         Environment: Sun JDK 7 + Active Directory
>            Reporter: Kevin Bulebush
>            Assignee: Kiran Ayyagari
>              Labels: NPE, NullPointerException, kpasswd
>             Fix For: 2.0.0-M12
>
>   Original Estimate: 0.5h
>  Remaining Estimate: 0.5h
>
> Calling org.apache.directory.kerberos.client.KdcConnection.changePassword() will result in an NPE if a reply is received from the ActiveDirectory server, regardless of password change success or failure.
> StackTrace:
> org.apache.directory.server.kerberos.changepwd.exceptions.ChangePasswordException: Request failed due to a hard error in processing the request.
> 	at org.apache.directory.kerberos.client.KdcConnection.changePassword(KdcConnection.java:619)
> 	at com.test.PasswordChangeUtil.main(KPasswordChange.java:52)
> Caused by: java.lang.NullPointerException
> 	at org.apache.directory.server.kerberos.shared.crypto.encryption.CipherTextHandler.decrypt(CipherTextHandler.java:118)
> 	at org.apache.directory.kerberos.client.KdcConnection.changePassword(KdcConnection.java:605)
> 	... 1 more
> Fix:
> The Change Password spec (http://tools.ietf.org/html/draft-ietf-cat-kerb-chg-password-02) says:
> "This KRB-PRIV message [OF THE REPLY] must be generated using the subkey in the Authenticator in the AP-REQ data."
> Therefore line 605 of KdcConnection is using the incorrect key.
> byte[] data = cipherTextHandler.decrypt( encApRepPart.getSubkey(), replyPriv.getEncPart(), KeyUsage.KRB_PRIV_ENC_PART_CHOSEN_KEY );
>             
> Patch:
> -byte[] data = cipherTextHandler.decrypt( encApRepPart.getSubkey(), replyPriv.getEncPart(),
KeyUsage.KRB_PRIV_ENC_PART_CHOSEN_KEY );
> +byte[] data = cipherTextHandler.decrypt( subKey, replyPriv.getEncPart(), KeyUsage.KRB_PRIV_ENC_PART_CHOSEN_KEY
)
>             
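Review bot: the added line ends with ")" and has no terminating semicolon, so as posted it will not compile; it should end with ");" like the line it replaces. The variable subKey is also not declared anywhere in the visible lines, so please confirm it is the same subkey the client placed in the Authenticator of the AP-REQ, as the quoted spec text requires, and check it for null before calling cipherTextHandler.decrypt so that a missing key surfaces as a clear ChangePasswordException instead of another NPE inside CipherTextHandler.decrypt. Since encApRepPart is no longer read on this line, the cleanup of the now-unused variables mentioned below belongs in the same change.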
> This leaves a few unused variables that can be cleaned up as well. 



--
This message was sent by Atlassian JIRA
(v6.1.5#6160)
