KDC MUST NOT accept ap-request armor in FAST TGS
authorSam Hartman <hartmans@mit.edu>
Tue, 24 Nov 2009 01:05:30 +0000 (01:05 +0000)
committerSam Hartman <hartmans@mit.edu>
Tue, 24 Nov 2009 01:05:30 +0000 (01:05 +0000)
Per the latest preauth framework spec, the working group has decided
to forbid ap-request armor in the TGS request because of security
problems with that armor type.

This commit was tested against an implementation of FAST TGS client to
confirm that if explicit armor is sent, the request is rejected.

ticket: 6585
target_version: 1.7.1
tags: pullup

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23325 dc483132-0cff-0310-8789-dd5450dbe970

src/kdc/fast_util.c

index 17b8447526279128e84897a01725ee06da812548..310faf09a931f76b2469d8165e28f27e9b5c225d 100644 (file)
@@ -148,6 +148,11 @@ kdc_find_fast(krb5_kdc_req **requestptr,
         if (retval == 0 &&fast_armored_req->armor) {
             switch (fast_armored_req->armor->armor_type) {
             case KRB5_FAST_ARMOR_AP_REQUEST:
+                if (tgs_subkey) {
+                    krb5_set_error_message( kdc_context, KRB5KDC_ERR_PREAUTH_FAILED,
+                                            "Ap-request armor not permitted with TGS");
+                    return KRB5KDC_ERR_PREAUTH_FAILED;
+                }
                 retval = armor_ap_request(state, fast_armored_req->armor);
                 break;
             default: