projects / krb5.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
KDC MUST NOT accept ap-request armor in FAST TGS
[krb5.git] / src / kdc / fast_util.c
diff --git a/src/kdc/fast_util.c b/src/kdc/fast_util.c
index 17b8447526279128e84897a01725ee06da812548..310faf09a931f76b2469d8165e28f27e9b5c225d 100644 (file)
--- a/src/kdc/fast_util.c
+++ b/src/kdc/fast_util.c
@@ -148,6 +148,11 @@ kdc_find_fast(krb5_kdc_req **requestptr,
         if (retval == 0 &&fast_armored_req->armor) {
             switch (fast_armored_req->armor->armor_type) {
             case KRB5_FAST_ARMOR_AP_REQUEST:
+                if (tgs_subkey) {
+                    krb5_set_error_message( kdc_context, KRB5KDC_ERR_PREAUTH_FAILED,
+                                            "Ap-request armor not permitted with TGS");
+                    return KRB5KDC_ERR_PREAUTH_FAILED;
+                }
                 retval = armor_ap_request(state, fast_armored_req->armor);
                 break;
             default:
MIT implementation of the Kerberos network authentication protocol. This repo may be rebased, so don't base your work on it. Use git://github.com/krb5/krb5 instead.