authorSam Hartman <hartmans@mit.edu>2009-11-24 00:53:36 +0000
committerSam Hartman <hartmans@mit.edu>2009-11-24 00:53:36 +0000
commit117873bc61d5dcda8f060845cfa19ea5f4409016 (patch)
tree46389f6bfe2123fb53d23bbb8f384954f385a29a
parent78f50ed2f33cb2a894b33c928bb77f8ed530aa57 (diff)
KDC MUST NOT accept ap-request armor in FAST TGS
Per the latest preauth framework spec, the working group has decided to forbid ap-request armor in the TGS request because of security problems with that armor type. This commit was tested against an implementation of FAST TGS client to confirm that if explicit armor is sent, the request is rejected. ticket: 6585 target_version: 1.7.1 tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/users/hartmans/fast-negotiate@23324 dc483132-0cff-0310-8789-dd5450dbe970
-rw-r--r--src/kdc/fast_util.c5
1 files changed, 5 insertions, 0 deletions
diff --git a/src/kdc/fast_util.c b/src/kdc/fast_util.c
index 17b8447..310faf0 100644
--- a/src/kdc/fast_util.c
+++ b/src/kdc/fast_util.c
@@ -148,6 +148,11 @@ kdc_find_fast(krb5_kdc_req **requestptr,
if (retval == 0 &&fast_armored_req->armor) {
switch (fast_armored_req->armor->armor_type) {
case KRB5_FAST_ARMOR_AP_REQUEST:
+ if (tgs_subkey) {
+ krb5_set_error_message( kdc_context, KRB5KDC_ERR_PREAUTH_FAILED,
+ "Ap-request armor not permitted with TGS");
+ return KRB5KDC_ERR_PREAUTH_FAILED;
+ }
retval = armor_ap_request(state, fast_armored_req->armor);
break;
default:
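Review bot: The new `return KRB5KDC_ERR_PREAUTH_FAILED;` under `case KRB5_FAST_ARMOR_AP_REQUEST:` leaves kdc_find_fast directly, whereas the surrounding code reports errors by assigning `retval` and falling through (`retval = armor_ap_request(...); break;`). If the function frees `fast_armored_req` and other decoded state at a common exit, which is outside this hunk and should be confirmed, this path skips that cleanup; because any TGS request carrying explicit armor reaches it, the KDC would leak memory on every rejected request. Setting `retval = KRB5KDC_ERR_PREAUTH_FAILED;`, passing `retval` to `krb5_set_error_message`, and ending the branch with `break;` would keep the rejection on the same exit path as the other failures, provided the code after the switch is guarded by `retval == 0`. The function starts and ends outside the hunk.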