kdc: remove pac_attributes_present field

Remove the unwieldy pac_attributes_present field from the request structure.

Instead, if PAC attributes are not present in the TGT, the default is to assume
they were set to KRB5_PAC_WAS_GIVEN_IMPLICITLY.

kdc/fast.c

@@ -848,8 +848,7 @@ _kdc_fast_check_armor_pac(astgs_request_t r)
 			 armor_client, r->armor_server,
 			 r->armor_server, r->armor_server,
 			 &r->armor_key->key, &r->armor_key->key,
-			 &r->armor_ticket->ticket, &ad_kdc_issued, &mspac,
-			 NULL, NULL, NULL);
+			 &r->armor_ticket->ticket, &ad_kdc_issued, &mspac, NULL, NULL);
     if (ret) {
 	const char *msg = krb5_get_error_message(r->context, ret);
 

kdc/kdc_locl.h

@@ -106,7 +106,6 @@ struct astgs_request_desc {
     /* only valid for tgs-req */
     unsigned int rk_is_subkey : 1;
     unsigned int fast_asserted : 1;
-    unsigned int pac_attributes_present : 1;
 
     krb5_crypto armor_crypto;
     hdb_entry_ex *armor_server;

kdc/krb5tgs.c

@@ -90,7 +90,6 @@ _kdc_check_pac(krb5_context context,
 	       krb5_boolean *kdc_issued,
 	       krb5_pac *ppac,
 	       krb5_principal *pac_canon_name,
-	       krb5_boolean *pac_attributes_present,
 	       uint64_t *pac_attributes)
 {
     krb5_pac pac = NULL;
@@ -101,10 +100,8 @@ _kdc_check_pac(krb5_context context,
     *ppac = NULL;
     if (pac_canon_name)
 	*pac_canon_name = NULL;
-    if (pac_attributes) {
-	*pac_attributes_present = FALSE;
-	*pac_attributes = 0;
-    }
+    if (pac_attributes)
+	*pac_attributes = KRB5_PAC_WAS_GIVEN_IMPLICITLY;
 
     ret = _krb5_kdc_pac_ticket_parse(context, tkt, &signedticket, &pac);
     if (ret)
@@ -135,10 +132,9 @@ _kdc_check_pac(krb5_context context,
 		return ret;
 	    }
 	}
-	if (pac_attributes) {
-	    *pac_attributes_present =
-		(_krb5_pac_get_attributes_info(context, pac, pac_attributes) == 0);
-	}
+	if (pac_attributes &&
+	    _krb5_pac_get_attributes_info(context, pac, pac_attributes) != 0)
+	    *pac_attributes = KRB5_PAC_WAS_GIVEN_IMPLICITLY;
     } else if (ret == KRB5_PLUGIN_NO_HANDLE) {
 	/*
 	 * We can't verify the KDC signatures if the ticket was issued by
@@ -160,10 +156,9 @@ _kdc_check_pac(krb5_context context,
 		krb5_pac_free(context, pac);
 		return ret;
 	    }
-	    if (pac_attributes) {
-		*pac_attributes_present =
-		    (_krb5_pac_get_attributes_info(context, pac, pac_attributes) == 0);
-	    }
+	    if (pac_attributes &&
+		_krb5_pac_get_attributes_info(context, pac, pac_attributes) != 0)
+		*pac_attributes = KRB5_PAC_WAS_GIVEN_IMPLICITLY;
 	}
 
 	/* Discard the PAC if the plugin didn't handle it */
@@ -833,9 +828,8 @@ tgs_make_reply(astgs_request_t r,
 	krb5_boolean is_tgs =
 	    krb5_principal_is_krbtgt(r->context, server->entry.principal);
 
-	if (r->pac_attributes_present)
-	    _kdc_audit_addkv((kdc_request_t)r, 0, "pac_attributes", "%lx",
-		(long)r->pac_attributes);
+	_kdc_audit_addkv((kdc_request_t)r, 0, "pac_attributes", "%lx",
+			 (long)r->pac_attributes);
 
 	/*
 	 * PACs are included when issuing TGTs, if there is no PAC_ATTRIBUTES
@@ -843,7 +837,6 @@ tgs_make_reply(astgs_request_t r,
 	 * AS client requested one.
 	 */
 	if (is_tgs ||
-	    !r->pac_attributes_present ||
 	    (r->pac_attributes & (KRB5_PAC_WAS_REQUESTED | KRB5_PAC_WAS_GIVEN_IMPLICITLY))) {
 	    ret = _krb5_kdc_pac_sign_ticket(r->context, mspac, tgt_name, serverkey,
 					    krbtgtkey, rodc_id, NULL, r->client_princ,
@@ -1489,7 +1482,6 @@ tgs_build_reply(astgs_request_t priv,
     krb5_kvno kvno;
     krb5_pac mspac = NULL;
     krb5_pac user2user_pac = NULL;
-    krb5_boolean pac_attributes_present = FALSE;
     uint16_t rodc_id;
     krb5_boolean add_ticket_sig = FALSE;
     const char *tgt_realm = /* Realm of TGT issuer */
@@ -1873,8 +1865,7 @@ server_lookup:
 	    ret = _kdc_check_pac(context, config, user2user_princ, NULL,
 				 user2user_client, user2user_krbtgt, user2user_krbtgt, user2user_krbtgt,
 				 &uukey->key, &priv->ticket_key->key, &adtkt,
-				 &user2user_kdc_issued, &user2user_pac,
-				 NULL, NULL, NULL);
+				 &user2user_kdc_issued, &user2user_pac, NULL, NULL);
 	    _kdc_free_ent(context, user2user_client);
 	    if (ret) {
 		const char *msg = krb5_get_error_message(context, ret);
@@ -2002,8 +1993,7 @@ server_lookup:
 
     ret = _kdc_check_pac(context, config, cp, NULL, client, server, krbtgt, krbtgt,
 			 &priv->ticket_key->key, &priv->ticket_key->key, tgt,
-			 &kdc_issued, &mspac, &priv->client_princ,
-			 &pac_attributes_present, &priv->pac_attributes);
+			 &kdc_issued, &mspac, &priv->client_princ, &priv->pac_attributes);
     if (ret) {
 	const char *msg = krb5_get_error_message(context, ret);
         _kdc_audit_addreason((kdc_request_t)priv, "PAC check failed");
@@ -2013,7 +2003,6 @@ server_lookup:
 	krb5_free_error_message(context, msg);
 	goto out;
     }
-    priv->pac_attributes_present = pac_attributes_present;
 
     /*
      * Process request
@@ -2336,8 +2325,7 @@ server_lookup:
 	 */
 	ret = _kdc_check_pac(context, config, tp, dp, adclient, server, krbtgt, client,
 			     &clientkey->key, &priv->ticket_key->key, &adtkt,
-			     &ad_kdc_issued, &mspac, &priv->client_princ,
-			     &pac_attributes_present, &priv->pac_attributes);
+			     &ad_kdc_issued, &mspac, &priv->client_princ, &priv->pac_attributes);
 	if (adclient)
 	    _kdc_free_ent(context, adclient);
 	if (ret) {
@@ -2362,7 +2350,6 @@ server_lookup:
                                  "Constrained delegation ticket not signed");
 	    goto out;
 	}
-	priv->pac_attributes_present = pac_attributes_present;
 
 	kdc_log(context, config, 4, "constrained delegation for %s "
 		"from %s (%s) to %s", tpn, cpn, dpn, spn);