oysteikt/heimdal
0
0
Fork 0
Code Issues 5 Pull Requests Releases Activity

kdc: centralize include PAC logic

Browse Source 
Add a helper function that returns TRUE if a PAC should be included in ticket
authorization data, that can be called from both AS and TGS paths.

Per [MS-KILE] 3.3.5.3, PACs are always included for TGTs; for service
tickets, policy is governed by whether the client explicitly requested
a PAC be omitted when requesting a TGT, or if the no-auth-data-reqd
flag is set on the service principal entry.
This commit is contained in:
Luke Howard
2021-12-23 13:19:22 +11:00
parent 0165633964
commit 5b7cf5d56f
3 changed files with 27 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

20
kdc/misc.c
View File

@@ -321,3 +321,23 @@ _kdc_verify_checksum(krb5_context context,
return ret;
}
/*
* Returns TRUE if a PAC should be included in ticket authorization data.
*
* Per [MS-KILE] 3.3.5.3, PACs are always included for TGTs; for service
* tickets, policy is governed by whether the client explicitly requested
* a PAC be omitted when requesting a TGT, or if the no-auth-data-reqd
* flag is set on the service principal entry.
*/
krb5_boolean
_kdc_include_pac_p(astgs_request_t r)
{
if (krb5_principal_is_krbtgt(r->context, r->server->entry.principal))
return TRUE;
else if (r->server->entry.flags.no_auth_data_reqd)
return FALSE;
return !!(r->pac_attributes & (KRB5_PAC_WAS_REQUESTED | KRB5_PAC_WAS_GIVEN_IMPLICITLY));
}