  1. Directory Kerberos
  2. DIRKRB-97

NPE while calling KdcConnection.changePassword

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: changepw
    • Environment:
      Sun JDK 7 + Active Directory

      Description

      Calling org.apache.directory.kerberos.client.KdcConnection.changePassword() will result in an NPE if a reply is received from the Active Directory server, regardless of password change success or failure.

      StackTrace:

      org.apache.directory.server.kerberos.changepwd.exceptions.ChangePasswordException: Request failed due to a hard error in processing the request.
      at org.apache.directory.kerberos.client.KdcConnection.changePassword(KdcConnection.java:619)
      at com.test.PasswordChangeUtil.main(KPasswordChange.java:52)
      Caused by: java.lang.NullPointerException
      at org.apache.directory.server.kerberos.shared.crypto.encryption.CipherTextHandler.decrypt(CipherTextHandler.java:118)
      at org.apache.directory.kerberos.client.KdcConnection.changePassword(KdcConnection.java:605)
      ... 1 more

      Fix:

      The Change Password spec (http://tools.ietf.org/html/draft-ietf-cat-kerb-chg-password-02) says:

      "This KRB-PRIV message [OF THE REPLY] must be generated using the subkey in the Authenticator in the AP-REQ data."

      Therefore line 605 of KdcConnection is using the incorrect key.

      byte[] data = cipherTextHandler.decrypt( encApRepPart.getSubkey(), replyPriv.getEncPart(), KeyUsage.KRB_PRIV_ENC_PART_CHOSEN_KEY );

      Patch:
      -byte[] data = cipherTextHandler.decrypt( encApRepPart.getSubkey(), replyPriv.getEncPart(), KeyUsage.KRB_PRIV_ENC_PART_CHOSEN_KEY );
      +byte[] data = cipherTextHandler.decrypt( subKey, replyPriv.getEncPart(), KeyUsage.KRB_PRIV_ENC_PART_CHOSEN_KEY )
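
      Review bot: the added line drops the terminating semicolon that the removed line had, so it will not compile as posted; it should end with "KeyUsage.KRB_PRIV_ENC_PART_CHOSEN_KEY );". subKey is not declared in the visible lines, so confirm it is the same subkey the client placed in the Authenticator of the AP-REQ, which is what the quoted spec text requires. Since encApRepPart.getSubkey() is no longer read here, remove encApRepPart and any other locals this leaves unused in the same change.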

      This leaves a few unused variables that can be cleaned up as well.

            People

            • Assignee:
              akiran Kiran Ayyagari
              Reporter:
              kmbulebu Kevin Bulebush

                Time Tracking

                • Original Estimate: 0.5h
                • Remaining Estimate: 0.5h
                • Time Spent: Not Specified