From 5b7cf5d56fcbe4bcd0eda902e70b4162955e5e37 Mon Sep 17 00:00:00 2001
From: Luke Howard
Date: Thu, 23 Dec 2021 13:19:22 +1100
Subject: [PATCH] kdc: centralize include PAC logic

Add a helper function that returns TRUE if a PAC should be included in ticket authorization data, that can be called from both AS and TGS paths.

Per [MS-KILE] 3.3.5.3, PACs are always included for TGTs; for service tickets, policy is governed by whether the client explicitly requested a PAC be omitted when requesting a TGT, or if the no-auth-data-reqd flag is set on the service principal entry.
---
 kdc/kerberos5.c | 3 +++
 kdc/krb5tgs.c | 9 ++++-----
 kdc/misc.c | 20 ++++++++++++++++++++
 3 files changed, 27 insertions(+), 5 deletions(-)

diff --git a/kdc/kerberos5.c b/kdc/kerberos5.c
index fa3a1d607..78e785cfc 100644
--- a/kdc/kerberos5.c
+++ b/kdc/kerberos5.c
@@ -1870,6 +1870,9 @@ generate_pac(astgs_request_t r, const Key *skey, const Key *tkey,
 _kdc_audit_addkv((kdc_request_t)r, 0, "pac_attributes", "%lx", (long)r->pac_attributes);
+ if (!_kdc_include_pac_p(r))
+ return 0;
+
 /*
 * When a PA mech does not use the client's long-term key, the PAC
 * may include the client's long-term key (encrypted in the reply key)
diff --git a/kdc/krb5tgs.c b/kdc/krb5tgs.c
index 9c1369ee1..aa636ca85 100644
--- a/kdc/krb5tgs.c
+++ b/kdc/krb5tgs.c
@@ -825,9 +825,6 @@ tgs_make_reply(astgs_request_t r,
 * is implementation dependent.
 */
 if (mspac && !et.flags.anonymous) {
- krb5_boolean is_tgs =
- krb5_principal_is_krbtgt(r->context, server->entry.principal);
-
 _kdc_audit_addkv((kdc_request_t)r, 0, "pac_attributes", "%lx", (long)r->pac_attributes);
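Review bot: The added early `return 0` makes a policy-driven PAC omission indistinguishable, at generate_pac's call site and in the audit record, from a PAC that was actually generated, and the intent of a bare `return 0` two lines after an audit call is not obvious; a comment on the added lines would fix that, e.g. `/* Not an error: policy says this ticket carries no PAC (see _kdc_include_pac_p). */`. The helper dereferences r->server, so this placement presumes the server entry has already been fetched at this point of the AS path — that looks likely given where the call sits, but worth confirming. The helper also needs a prototype visible in this file; if the KDC's private prototypes are generated from the .c sources that is automatic, otherwise the declaration is missing from this commit. generate_pac's signature and the remainder of its body lie outside the hunk.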
@@ -836,8 +833,10 @@ tgs_make_reply(astgs_request_t r,
 * buffer (legacy behavior) or if the attributes buffer indicates the
 * AS client requested one.
 */
- if (is_tgs ||
- (r->pac_attributes & (KRB5_PAC_WAS_REQUESTED | KRB5_PAC_WAS_GIVEN_IMPLICITLY))) {
+ if (_kdc_include_pac_p(r)) {
+ krb5_boolean is_tgs =
+ krb5_principal_is_krbtgt(r->context, server->entry.principal);
+
 ret = _krb5_kdc_pac_sign_ticket(r->context, mspac, tgt_name, serverkey, krbtgtkey, rodc_id, NULL, r->client_princ, add_ticket_sig, &et,
diff --git a/kdc/misc.c b/kdc/misc.c
index c737f31b0..61296ffa0 100644
--- a/kdc/misc.c
+++ b/kdc/misc.c
@@ -321,3 +321,23 @@ _kdc_verify_checksum(krb5_context context,
 return ret;
 }
+
+/*
+ * Returns TRUE if a PAC should be included in ticket authorization data.
+ *
+ * Per [MS-KILE] 3.3.5.3, PACs are always included for TGTs; for service
+ * tickets, policy is governed by whether the client explicitly requested
+ * a PAC be omitted when requesting a TGT, or if the no-auth-data-reqd
+ * flag is set on the service principal entry.
+ */
+
+krb5_boolean
+_kdc_include_pac_p(astgs_request_t r)
+{
+ if (krb5_principal_is_krbtgt(r->context, r->server->entry.principal))
+ return TRUE;
+ else if (r->server->entry.flags.no_auth_data_reqd)
+ return FALSE;
+
+ return !!(r->pac_attributes & (KRB5_PAC_WAS_REQUESTED | KRB5_PAC_WAS_GIVEN_IMPLICITLY));
+}
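Review bot: The comment directly above the rewritten condition still describes the old test (legacy buffer or an AS-client request), whereas `_kdc_include_pac_p(r)` now also forces the PAC on for TGTs and off for servers flagged no-auth-data-reqd, so comment and code disagree; the two visible lines could become `* buffer (legacy behavior) or the AS client requested one; the full policy,` / `* including TGTs and no-auth-data-reqd servers, lives in _kdc_include_pac_p().` The beginning of that comment and the rest of tgs_make_reply are outside the hunk. If nothing earlier in tgs_make_reply already drops mspac for no-auth-data-reqd servers, this hunk changes TGS behaviour rather than only refactoring it, which the commit message should say explicitly. Minor: krb5_principal_is_krbtgt is now evaluated twice on this path, once inside the helper and once for `is_tgs`.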
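Review bot: The `else if` following an unconditional `return TRUE;` is redundant, and the blank line between the comment block and `krb5_boolean` detaches the documentation from the function it describes; drop both, leaving `if (r->server->entry.flags.no_auth_data_reqd)` / `return FALSE;`. The helper dereferences `r->server` unconditionally, so it is only valid after the server entry has been fetched, and because the krbtgt test comes first the no-auth-data-reqd flag is ignored on a krbtgt entry; both facts belong in the comment, e.g. `* Requires r->server to be set. The flag is not consulted for TGTs.` The comment could also spell out the fall-through result: for service tickets the PAC is included iff KRB5_PAC_WAS_REQUESTED or KRB5_PAC_WAS_GIVEN_IMPLICITLY is set in r->pac_attributes.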