oysteikt/heimdal
0
0
Fork 0
Code Issues 5 Pull Requests Releases Activity

kdc: centralize include PAC logic

Browse Source 
Add a helper function that returns TRUE if a PAC should be included in ticket
authorization data, that can be called from both AS and TGS paths.

Per [MS-KILE] 3.3.5.3, PACs are always included for TGTs; for service
tickets, policy is governed by whether the client explicitly requested
a PAC be omitted when requesting a TGT, or if the no-auth-data-reqd
flag is set on the service principal entry.
This commit is contained in:
Luke Howard
2021-12-23 13:19:22 +11:00
parent 0165633964
commit 5b7cf5d56f
3 changed files with 27 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
kdc/kerberos5.c
View File

@@ -1870,6 +1870,9 @@ generate_pac(astgs_request_t r, const Key *skey, const Key *tkey,
_kdc_audit_addkv((kdc_request_t)r, 0, "pac_attributes", "%lx", _kdc_audit_addkv((kdc_request_t)r, 0, "pac_attributes", "%lx",
(long)r->pac_attributes); (long)r->pac_attributes);
if (!_kdc_include_pac_p(r))
return 0;
/* /*
* When a PA mech does not use the client's long-term key, the PAC * When a PA mech does not use the client's long-term key, the PAC
* may include the client's long-term key (encrypted in the reply key) * may include the client's long-term key (encrypted in the reply key)

9
kdc/krb5tgs.c
View File

@@ -825,9 +825,6 @@ tgs_make_reply(astgs_request_t r,
* is implementation dependent. * is implementation dependent.
*/ */
if (mspac && !et.flags.anonymous) { if (mspac && !et.flags.anonymous) {
krb5_boolean is_tgs =
krb5_principal_is_krbtgt(r->context, server->entry.principal);
_kdc_audit_addkv((kdc_request_t)r, 0, "pac_attributes", "%lx", _kdc_audit_addkv((kdc_request_t)r, 0, "pac_attributes", "%lx",
(long)r->pac_attributes); (long)r->pac_attributes);
@@ -836,8 +833,10 @@ tgs_make_reply(astgs_request_t r,
* buffer (legacy behavior) or if the attributes buffer indicates the * buffer (legacy behavior) or if the attributes buffer indicates the
* AS client requested one. * AS client requested one.
*/ */
if (is_tgs || if (_kdc_include_pac_p(r)) {
(r->pac_attributes & (KRB5_PAC_WAS_REQUESTED | KRB5_PAC_WAS_GIVEN_IMPLICITLY))) { krb5_boolean is_tgs =
krb5_principal_is_krbtgt(r->context, server->entry.principal);
ret = _krb5_kdc_pac_sign_ticket(r->context, mspac, tgt_name, serverkey, ret = _krb5_kdc_pac_sign_ticket(r->context, mspac, tgt_name, serverkey,
krbtgtkey, rodc_id, NULL, r->client_princ, krbtgtkey, rodc_id, NULL, r->client_princ,
add_ticket_sig, &et, add_ticket_sig, &et,

20
kdc/misc.c
View File

@@ -321,3 +321,23 @@ _kdc_verify_checksum(krb5_context context,
return ret; return ret;
} }
/*
* Returns TRUE if a PAC should be included in ticket authorization data.
*
* Per [MS-KILE] 3.3.5.3, PACs are always included for TGTs; for service
* tickets, policy is governed by whether the client explicitly requested
* a PAC be omitted when requesting a TGT, or if the no-auth-data-reqd
* flag is set on the service principal entry.
*/
krb5_boolean
_kdc_include_pac_p(astgs_request_t r)
{
if (krb5_principal_is_krbtgt(r->context, r->server->entry.principal))
return TRUE;
else if (r->server->entry.flags.no_auth_data_reqd)
return FALSE;
return !!(r->pac_attributes & (KRB5_PAC_WAS_REQUESTED | KRB5_PAC_WAS_GIVEN_IMPLICITLY));
}