svn rev #23325: trunk/src/kdc/
hartmans@MIT.EDU
hartmans at MIT.EDU
Mon Nov 23 20:05:30 EST 2009
http://src.mit.edu/fisheye/changelog/krb5/?cs=23325
Commit By: hartmans
Log Message:
ticket: 6585
subject: KDC MUST NOT accept ap-request armor in FAST TGS
target_version: 1.7.1
tags: pullup
Per the latest preauth framework spec, the working group has decided
to forbid ap-request armor in the TGS request because of security
problems with that armor type.
This commit was tested against an implementation of FAST TGS client to
confirm that if explicit armor is sent, the request is rejected.
Changed Files:
U trunk/src/kdc/fast_util.c
Modified: trunk/src/kdc/fast_util.c
===================================================================
--- trunk/src/kdc/fast_util.c 2009-11-24 00:53:36 UTC (rev 23324)
+++ trunk/src/kdc/fast_util.c 2009-11-24 01:05:30 UTC (rev 23325)
@@ -148,6 +148,11 @@
if (retval == 0 &&fast_armored_req->armor) {
switch (fast_armored_req->armor->armor_type) {
case KRB5_FAST_ARMOR_AP_REQUEST:
+ if (tgs_subkey) {
+ krb5_set_error_message( kdc_context, KRB5KDC_ERR_PREAUTH_FAILED,
+ "Ap-request armor not permitted with TGS");
+ return KRB5KDC_ERR_PREAUTH_FAILED;
+ }
retval = armor_ap_request(state, fast_armored_req->armor);
break;
default:
More information about the cvs-krb5
mailing list