From: Sam Hartman
Date: Thu, 26 Mar 2009 05:37:36 +0000 (+0000)
Subject: Reject non-armor ticket use of AD-FX-ARMOR
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=59c56c85575b47b1ea5e6599a7f7b1be9ca559f8;p=thirdparty%2Fkrb5.git

Reject non-armor ticket use of AD-FX-ARMOR

Reject tickets or authenticators that have AD-FX-ARMOR and are used with the TGS per draft-ietf-krb-wg-preauth-framework.

* kdc_util.c find authdata and reject
* krb5.hin include constant
* libkrb5.exports: export krb5int_find_authdata

git-svn-id: svn://anonsvn.mit.edu/krb5/branches/fast@22144 dc483132-0cff-0310-8789-dd5450dbe970
---
diff --git a/src/include/krb5/krb5.hin b/src/include/krb5/krb5.hin
index 58b349bf84..845cfdfed2 100644
--- a/src/include/krb5/krb5.hin
+++ b/src/include/krb5/krb5.hin
@@ -1016,7 +1016,7 @@ krb5_error_code KRB5_CALLCONV krb5_verify_checksum
 #define KRB5_AUTHDATA_SESAME 65
 #define KRB5_AUTHDATA_WIN2K_PAC 128
 #define KRB5_AUTHDATA_ETYPE_NEGOTIATION 129 /* RFC 4537 */
-
+#define KRB5_AUTHDATA_FX_ARMOR 71
 
 /* password change constants */
 #define KRB5_KPASSWD_SUCCESS 0
diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c
index b7db1edb26..08d84db689 100644
--- a/src/kdc/kdc_util.c
+++ b/src/kdc/kdc_util.c
@@ -230,6 +230,7 @@ kdc_process_tgs_req(krb5_kdc_req *request, const krb5_fulladdr *from,
     krb5_pa_data * tmppa;
     krb5_ap_req * apreq;
     krb5_error_code retval;
+    krb5_authdata **authdata = NULL;
     krb5_data scratch1;
     krb5_data * scratch = NULL;
     krb5_boolean foreign_server = FALSE;
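Review bot: The new `KRB5_AUTHDATA_FX_ARMOR` line in krb5.hin carries no provenance comment, while the neighbouring `KRB5_AUTHDATA_ETYPE_NEGOTIATION` entry cites `/* RFC 4537 */`; the commit message names draft-ietf-krb-wg-preauth-framework as the source of this codepoint, so record it on the line itself: `#define KRB5_AUTHDATA_FX_ARMOR 71 /* draft-ietf-krb-wg-preauth-framework */`. The entry is also placed after the 128 and 129 values although its own value is 71; if this list is kept in numeric order, it belongs above `KRB5_AUTHDATA_WIN2K_PAC`. The declaration hunk in kdc_util.c that follows on this line raises nothing by itself.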
@@ -341,6 +342,22 @@ kdc_process_tgs_req(krb5_kdc_req *request, const krb5_fulladdr *from,
                                                  &authenticator)))
         goto cleanup_auth_context;
 
+    retval = krb5int_find_authdata(kdc_context,
+                                   (*ticket)->enc_part2->authorization_data,
+                                   authenticator->authorization_data,
+                                   KRB5_AUTHDATA_FX_ARMOR, &authdata);
+    if (retval != 0)
+        goto cleanup_auth_context;
+    if (authdata&& authdata[0]) {
+        krb5_set_error_message(kdc_context, KRB5KDC_ERR_POLICY,
+                               "ticket valid only as FAST armor");
+        retval = KRB5KDC_ERR_POLICY;
+        krb5_free_authdata(kdc_context, authdata);
+        goto cleanup_auth_context;
+    }
+    krb5_free_authdata(kdc_context, authdata);
+
+
     /* Check for a checksum */
     if (!(his_cksum = authenticator->checksum)) {
         retval = KRB5KRB_AP_ERR_INAPP_CKSUM;
diff --git a/src/lib/krb5/libkrb5.exports b/src/lib/krb5/libkrb5.exports
index 0f1fd9c5da..f30b57114b 100644
--- a/src/lib/krb5/libkrb5.exports
+++ b/src/lib/krb5/libkrb5.exports
@@ -525,6 +525,7 @@ krb5int_cc_default
 krb5int_cleanup_library
 krb5int_cm_call_select
 krb5int_copy_data_contents_add0
+krb5int_find_authdata
 krb5int_find_pa_data
 krb5int_foreach_localaddr
 krb5int_free_addrlist
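Review bot: Both new `goto cleanup_auth_context` exits in the kdc_util.c hunk run after `krb5_auth_con_getauthenticator` has already handed back `authenticator`, whereas the pre-existing jump to that label on the context line above happens only when no authenticator was produced; unless the `cleanup_auth_context` label (outside the hunk) also releases the authenticator, these two error paths leak it, so either free it before jumping or jump to a label that does. The condition `authdata&& authdata[0]` is missing the space before `&&`. A one-line comment above the `krb5int_find_authdata` call would tell the next reader why a TGS request is being refused on authorization data: `/* AD-FX-ARMOR marks a ticket or authenticator as usable only as FAST armor; refuse it for a TGS exchange (draft-ietf-krb-wg-preauth-framework). */`. kdc_process_tgs_req begins and ends outside the hunk, so the cleanup labels it jumps to are not visible here.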