Reject non-armor ticket use of AD-FX-ARMOR

author Sam Hartman <hartmans@mit.edu>

Thu, 26 Mar 2009 05:37:36 +0000 (05:37 +0000)

committer Sam Hartman <hartmans@mit.edu>

Thu, 26 Mar 2009 05:37:36 +0000 (05:37 +0000)
author Sam Hartman <hartmans@mit.edu>
Thu, 26 Mar 2009 05:37:36 +0000 (05:37 +0000)
committer Sam Hartman <hartmans@mit.edu>
Thu, 26 Mar 2009 05:37:36 +0000 (05:37 +0000)
diff --git a/src/include/krb5/krb5.hin b/src/include/krb5/krb5.hin

index 58b349bf849d133564993730ea988b115a8dcc64..845cfdfed22ad0b51504fd16eb4490726c075607 100644 (file)
--- a/src/include/krb5/krb5.hin
+++ b/src/include/krb5/krb5.hin
@@ -1016,7 +1016,7 @@ krb5_error_code KRB5_CALLCONV krb5_verify_checksum
  #define KRB5_AUTHDATA_SESAME   65
  #define KRB5_AUTHDATA_WIN2K_PAC        128
  #define KRB5_AUTHDATA_ETYPE_NEGOTIATION        129     /* RFC 4537 */
-
+#define KRB5_AUTHDATA_FX_ARMOR 71
  /* password change constants */
  
  #define KRB5_KPASSWD_SUCCESS           0
diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c

index b7db1edb264cc2f372b8906d9929e6ce60019e77..08d84db68960886cdcc9a7d18d1f24f373050b43 100644 (file)
--- a/src/kdc/kdc_util.c
+++ b/src/kdc/kdc_util.c
@@ -230,6 +230,7 @@ kdc_process_tgs_req(krb5_kdc_req *request, const krb5_fulladdr *from,
      krb5_pa_data        * tmppa;
      krb5_ap_req        * apreq;
      krb5_error_code      retval;
+    krb5_authdata **authdata = NULL;
      krb5_data            scratch1;
      krb5_data          * scratch = NULL;
      krb5_boolean         foreign_server = FALSE;
@@ -341,6 +342,22 @@ kdc_process_tgs_req(krb5_kdc_req *request, const krb5_fulladdr *from,
                                                  &authenticator)))
         goto cleanup_auth_context;
  
+    retval = krb5int_find_authdata(kdc_context,
+                                  (*ticket)->enc_part2->authorization_data,
+                                  authenticator->authorization_data,
+                                  KRB5_AUTHDATA_FX_ARMOR, &authdata);
+    if (retval != 0)
+       goto cleanup_auth_context;
+        if (authdata&& authdata[0]) {
+       krb5_set_error_message(kdc_context, KRB5KDC_ERR_POLICY,
+                              "ticket valid only as FAST armor");
+       retval = KRB5KDC_ERR_POLICY;
+       krb5_free_authdata(kdc_context, authdata);
+       goto cleanup_auth_context;
+    }
+    krb5_free_authdata(kdc_context, authdata);
+    
+                              
      /* Check for a checksum */
      if (!(his_cksum = authenticator->checksum)) {
         retval = KRB5KRB_AP_ERR_INAPP_CKSUM; 
diff --git a/src/lib/krb5/libkrb5.exports b/src/lib/krb5/libkrb5.exports

index 0f1fd9c5dad98914b6d2a1f9977b5439a262b59b..f30b57114b9ff54766ca96a48c799d22d6fba7c6 100644 (file)
--- a/src/lib/krb5/libkrb5.exports
+++ b/src/lib/krb5/libkrb5.exports
@@ -525,6 +525,7 @@ krb5int_cc_default
  krb5int_cleanup_library
  krb5int_cm_call_select
  krb5int_copy_data_contents_add0
+krb5int_find_authdata
  krb5int_find_pa_data
  krb5int_foreach_localaddr
  krb5int_free_addrlist
author	Sam Hartman <hartmans@mit.edu>
	Thu, 26 Mar 2009 05:37:36 +0000 (05:37 +0000)
committer	Sam Hartman <hartmans@mit.edu>
	Thu, 26 Mar 2009 05:37:36 +0000 (05:37 +0000)
src/include/krb5/krb5.hin		patch \| blob \| blame \| history
src/kdc/kdc_util.c		patch \| blob \| blame \| history
src/lib/krb5/libkrb5.exports		patch \| blob \| blame \| history