svn rev #22144: branches/fast/src/ include/krb5/ kdc/ lib/krb5/

hartmans@MIT.EDU hartmans at MIT.EDU
Thu Mar 26 01:37:37 EDT 2009


http://src.mit.edu/fisheye/changelog/krb5/?cs=22144
Commit By: hartmans
Log Message:
Reject non-armor ticket use of AD-FX-ARMOR

Reject tickets or authenticators that have AD-FX-ARMOR and are used
with the TGS per draft-ietf-krb-wg-preauth-framework.

* kdc_util.c find authdata and reject
* krb5.hin include constant
* libkrb5.exports: export krb5int_find_authdata


Changed Files:
U   branches/fast/src/include/krb5/krb5.hin
U   branches/fast/src/kdc/kdc_util.c
U   branches/fast/src/lib/krb5/libkrb5.exports
Modified: branches/fast/src/include/krb5/krb5.hin
===================================================================
--- branches/fast/src/include/krb5/krb5.hin	2009-03-26 05:37:34 UTC (rev 22143)
+++ branches/fast/src/include/krb5/krb5.hin	2009-03-26 05:37:36 UTC (rev 22144)
@@ -1016,7 +1016,7 @@
 #define KRB5_AUTHDATA_SESAME	65
 #define KRB5_AUTHDATA_WIN2K_PAC	128
 #define KRB5_AUTHDATA_ETYPE_NEGOTIATION	129	/* RFC 4537 */
-
+#define KRB5_AUTHDATA_FX_ARMOR 71
 /* password change constants */
 
 #define KRB5_KPASSWD_SUCCESS		0
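Review bot: The new `#define KRB5_AUTHDATA_FX_ARMOR 71` is inserted after the 129 entry, breaking the ascending numeric order the surrounding ad-type list follows, and it replaces the blank line that separated that list from the `/* password change constants */` section. Moving it between the SESAME (65) and WIN2K_PAC (128) lines and restoring the blank line would keep the header readable; the neighbouring entries also align the value with a tab, while this one uses a single space. A trailing comment naming the source, e.g. `#define KRB5_AUTHDATA_FX_ARMOR	71	/* draft-ietf-krb-wg-preauth-framework */`, would match the RFC 4537 annotation on the line above and make the ad-type's origin visible to readers of the header.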

Modified: branches/fast/src/kdc/kdc_util.c
===================================================================
--- branches/fast/src/kdc/kdc_util.c	2009-03-26 05:37:34 UTC (rev 22143)
+++ branches/fast/src/kdc/kdc_util.c	2009-03-26 05:37:36 UTC (rev 22144)
@@ -230,6 +230,7 @@
     krb5_pa_data        * tmppa;
     krb5_ap_req 	* apreq;
     krb5_error_code 	  retval;
+    krb5_authdata **authdata = NULL;
     krb5_data		  scratch1;
     krb5_data 		* scratch = NULL;
     krb5_boolean 	  foreign_server = FALSE;
@@ -341,6 +342,22 @@
 						 &authenticator)))
 	goto cleanup_auth_context;
 
+    retval = krb5int_find_authdata(kdc_context,
+				   (*ticket)->enc_part2->authorization_data,
+				   authenticator->authorization_data,
+				   KRB5_AUTHDATA_FX_ARMOR, &authdata);
+    if (retval != 0)
+	goto cleanup_auth_context;
+        if (authdata&& authdata[0]) {
+	krb5_set_error_message(kdc_context, KRB5KDC_ERR_POLICY,
+			       "ticket valid only as FAST armor");
+	retval = KRB5KDC_ERR_POLICY;
+	krb5_free_authdata(kdc_context, authdata);
+	goto cleanup_auth_context;
+    }
+    krb5_free_authdata(kdc_context, authdata);
+    
+			       
     /* Check for a checksum */
     if (!(his_cksum = authenticator->checksum)) {
 	retval = KRB5KRB_AP_ERR_INAPP_CKSUM; 
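Review bot: The new check `if (authdata&& authdata[0]) {` is indented eight spaces where the surrounding block uses four and is missing a space before `&&`, and the two lines added after the second krb5_free_authdata call contain only trailing whitespace and should be dropped. The lookup also lacks a comment explaining why a TGS request is refused here; something like `/* A ticket carrying AD-FX-ARMOR may only be used as FAST armor (draft-ietf-krb-wg-preauth-framework); reject direct use with the TGS. */` placed above the krb5int_find_authdata call would give the next maintainer the policy being enforced. The `retval != 0` branch jumps to cleanup_auth_context without releasing authdata, which is only leak-free if krb5int_find_authdata guarantees the out-parameter stays NULL on failure; that contract is not visible in this hunk and is worth confirming. The enclosing function begins and ends outside the hunk.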

Modified: branches/fast/src/lib/krb5/libkrb5.exports
===================================================================
--- branches/fast/src/lib/krb5/libkrb5.exports	2009-03-26 05:37:34 UTC (rev 22143)
+++ branches/fast/src/lib/krb5/libkrb5.exports	2009-03-26 05:37:36 UTC (rev 22144)
@@ -525,6 +525,7 @@
 krb5int_cleanup_library
 krb5int_cm_call_select
 krb5int_copy_data_contents_add0
+krb5int_find_authdata
 krb5int_find_pa_data
 krb5int_foreach_localaddr
 krb5int_free_addrlist



