Permalink
Browse files

ticket: 6585

version_fixed: 1.7.1
status: resolved

pull up r23325, 23384 from trunk

 ------------------------------------------------------------------------
 r23384 | hartmans | 2009-11-30 09:14:47 -0500 (Mon, 30 Nov 2009) | 4 lines

 ticket: 6585

 Fix memory leak

 ------------------------------------------------------------------------
 r23325 | hartmans | 2009-11-23 20:05:30 -0500 (Mon, 23 Nov 2009) | 12 lines

 ticket: 6585
 subject: KDC MUST NOT accept ap-request armor in FAST TGS
 target_version: 1.7.1
 tags: pullup

 Per the latest preauth framework spec, the working group has decided
 to forbid ap-request armor in the TGS request because of security
 problems with that armor type.

 This commit was tested against an implementation of FAST TGS client to
 confirm that if explicit armor is sent, the request is rejected.

git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-7@23643 dc483132-0cff-0310-8789-dd5450dbe970
  • Loading branch information...
tlyu
tlyu committed Jan 12, 2010
1 parent ead1231 commit 014d3ba07c31a5e6ff7048493ac9722f08d720cf
Showing with 6 additions and 0 deletions.
  1. +6 −0 src/kdc/fast_util.c
View
@@ -147,6 +147,12 @@ krb5_error_code kdc_find_fast
if (retval == 0 &&fast_armored_req->armor) {
switch (fast_armored_req->armor->armor_type) {
case KRB5_FAST_ARMOR_AP_REQUEST:
if (tgs_subkey) {
krb5_set_error_message( kdc_context, KRB5KDC_ERR_PREAUTH_FAILED,
"Ap-request armor not permitted with TGS");
retval = KRB5KDC_ERR_PREAUTH_FAILED;
break;
}
retval = armor_ap_request(state, fast_armored_req->armor);
break;
default:

0 comments on commit 014d3ba

Please sign in to comment.