From f95f4bc99ec44d8f0535e941a7c20d5e3fb95271 Mon Sep 17 00:00:00 2001
From: Luke Howard
Date: Mon, 13 Dec 2021 12:36:27 +1100
Subject: [PATCH] krb5: require strengthen_key when FAST + GSS PA

Always require a strengthen key to be used if GSS pre-authentication is used within FAST. TRhis avoids a MITM attack that could result in unintended privilege escalation, should a KDC add additional positive authorization data from the armor ticket to the issued ticket. An upcoming revision of the draft will reflect this.
---
lib/krb5/init_creds_pw.c | 16 +++++++++++++++-
1 file changed, 15 insertions(+), 1 deletion(-)
diff --git a/lib/krb5/init_creds_pw.c b/lib/krb5/init_creds_pw.c
index 79cf0298f..792f0ec84 100644
--- a/lib/krb5/init_creds_pw.c
+++ b/lib/krb5/init_creds_pw.c
@@ -1336,8 +1336,22 @@ pa_data_to_md_gss(krb5_context context,
 (ctx->fast_state.flags & KRB5_FAST_EXPECTED) &&
 (ctx->fast_state.flags & KRB5_FAST_KDC_VERIFIED))
 ret = 0;
- if (ret == 0)
+ if (ret == 0) {
+ /*
+ * Always require a strengthen key if FAST was used, to avoid a MITM
+ * attack that could result in unintended privilege escalation should
+ * the KDC add positive authorization data from the armor ticket.
+ */
+ if ((ctx->fast_state.flags & KRB5_FAST_EXPECTED) &&
+ ctx->fast_state.strengthen_key == NULL) {
+ krb5_set_error_message(context, HEIM_ERR_PA_CANT_CONTINUE,
+ "FAST GSS pre-authentication without strengthen key");
+ ret = KRB5_KDCREP_MODIFIED;
+ goto out;
+ }
+
+ pa_gss_ctx->open = 1;
+ }
 if (output_token.length) {
 ret = krb5_padata_add(context, out_md, KRB5_PADATA_GSS,
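Review bot: The new failure path registers its message under HEIM_ERR_PA_CANT_CONTINUE but then sets `ret = KRB5_KDCREP_MODIFIED`, so the code stored with the message and the code actually returned disagree; if the context's saved message is keyed to the code it was set with, a caller asking for the message for KRB5_KDCREP_MODIFIED will likely get the generic text instead of "FAST GSS pre-authentication without strengthen key", which is the one diagnostic that tells an operator a downgrade or tampering was detected rather than a generic reply mismatch. Pass the same code to both: `krb5_set_error_message(context, KRB5_KDCREP_MODIFIED, "FAST GSS pre-authentication without strengthen key");`. It would also help to state in the block comment that the check is deliberately placed before `pa_gss_ctx->open = 1` so that a missing strengthen key can never leave the GSS context marked as established. The `out` label reached by the new `goto out`, and the remainder of pa_data_to_md_gss, lie outside this hunk, so whether `output_token` is released on that path cannot be confirmed from here.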