From 117873bc61d5dcda8f060845cfa19ea5f4409016 Mon Sep 17 00:00:00 2001 From: Sam Hartman Date: Tue, 24 Nov 2009 00:53:36 +0000 Subject: KDC MUST NOT accept ap-request armor in FAST TGS Per the latest preauth framework spec, the working group has decided to forbid ap-request armor in the TGS request because of security problems with that armor type. This commit was tested against an implementation of FAST TGS client to confirm that if explicit armor is sent, the request is rejected. ticket: 6585 target_version: 1.7.1 tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/users/hartmans/fast-negotiate@23324 dc483132-0cff-0310-8789-dd5450dbe970 --- src/kdc/fast_util.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/src/kdc/fast_util.c b/src/kdc/fast_util.c index 17b8447..310faf0 100644 --- a/src/kdc/fast_util.c +++ b/src/kdc/fast_util.c @@ -148,6 +148,11 @@ kdc_find_fast(krb5_kdc_req **requestptr, if (retval == 0 &&fast_armored_req->armor) { switch (fast_armored_req->armor->armor_type) { case KRB5_FAST_ARMOR_AP_REQUEST: + if (tgs_subkey) { + krb5_set_error_message( kdc_context, KRB5KDC_ERR_PREAUTH_FAILED, + "Ap-request armor not permitted with TGS"); + return KRB5KDC_ERR_PREAUTH_FAILED; + } retval = armor_ap_request(state, fast_armored_req->armor); break; default: -- cgit v1.1