[jira] [Resolved] (DIRKRB-97) NPE while calling KdcConnection.changePassword

Wed, 08 Jan 2014 01:49:37 -0800 

     [ 
https://issues.apache.org/jira/browse/DIRKRB-97?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Kiran Ayyagari resolved DIRKRB-97.
----------------------------------

       Resolution: Fixed
    Fix Version/s: 2.0.0-M12
         Assignee: Kiran Ayyagari  (was: Emmanuel Lecharny)

Thanks for the report and the patch, looks like Active Directory is not
setting the subkey in the reply (ApacheDS does, but it is not needed).

Fixed here http://svn.apache.org/r1556475

> NPE while calling KdcConnection.changePassword
> ----------------------------------------------
>
>                 Key: DIRKRB-97
>                 URL: https://issues.apache.org/jira/browse/DIRKRB-97
>             Project: Directory Kerberos
>          Issue Type: Bug
>          Components: changepw
>    Affects Versions: 2.0.0-M12
>         Environment: Sun JDK 7 + Active Directory
>            Reporter: Kevin Bulebush
>            Assignee: Kiran Ayyagari
>              Labels: NPE, NullPointerException, kpasswd
>             Fix For: 2.0.0-M12
>
>   Original Estimate: 0.5h
>  Remaining Estimate: 0.5h
>
> Calling org.apache.directory.kerberos.client.KdcConnection.changePassword() 
> will result in an NPE if a reply is received from the ActiveDirectory server, 
> regardless of password change success or failure. 
> StackTrace:
> org.apache.directory.server.kerberos.changepwd.exceptions.ChangePasswordException:
>  Request failed due to a hard error in processing the request.
>       at 
> org.apache.directory.kerberos.client.KdcConnection.changePassword(KdcConnection.java:619)
>       at com.test.PasswordChangeUtil.main(KPasswordChange.java:52)
> Caused by: java.lang.NullPointerException
>       at 
> org.apache.directory.server.kerberos.shared.crypto.encryption.CipherTextHandler.decrypt(CipherTextHandler.java:118)
>       at 
> org.apache.directory.kerberos.client.KdcConnection.changePassword(KdcConnection.java:605)
>       ... 1 more
> Fix:
> The Change Password spec 
> (http://tools.ietf.org/html/draft-ietf-cat-kerb-chg-password-02) says:
> "This KRB-PRIV message [OF THE REPLY] must be generated using the subkey in 
> the Authenticator in the AP-REQ data."
> Therefore line 605 of KdcConnection is using the incorrect key.
> byte[] data = cipherTextHandler.decrypt( encApRepPart.getSubkey(), 
> replyPriv.getEncPart(), KeyUsage.KRB_PRIV_ENC_PART_CHOSEN_KEY );
>             
> Patch:
> -byte[] data = cipherTextHandler.decrypt( encApRepPart.getSubkey(), 
> replyPriv.getEncPart(), KeyUsage.KRB_PRIV_ENC_PART_CHOSEN_KEY );
> +byte[] data = cipherTextHandler.decrypt( subKey, replyPriv.getEncPart(), 
> KeyUsage.KRB_PRIV_ENC_PART_CHOSEN_KEY )
>             
> This leaves a few unused variables that can be cleaned up as well. 



--
This message was sent by Atlassian JIRA
(v6.1.5#6160)

Reply via email to