kdc: provide kdc_request_get_explicit_armor_{clientdb,client,pac}()

_kdc_fast_check_armor_pac() already checks the PAC of the armor, but it should also remember it if it's an TGS-REQ with explicit armor. This will allow the kdc pac hooks to generate a compound identity PAC with PAC_TYPE_DEVICE_INFO. Signed-off-by: Stefan Metzmacher <metze@samba.org> Closes: #967
2022-02-24 18:17:57 +01:00
parent 11d8a053f5
commit 8495f63bc3
6 changed files with 51 additions and 4 deletions
--- a/kdc/fast.c
+++ b/kdc/fast.c
@@ -465,7 +465,6 @@ fast_unwrap_request(astgs_request_t r,
    krb5_flags ap_req_options;
    krb5_keyblock armorkey;
    krb5_keyblock explicit_armorkey;
-    krb5_boolean explicit_armor;
    krb5_error_code ret;
    krb5_ap_req ap_req;
    KrbFastReq fastreq;
@@ -519,7 +518,7 @@ fast_unwrap_request(astgs_request_t r,
 	goto out;
    }

-    explicit_armor = fxreq.u.armored_data.armor != NULL && tgs_ac != NULL;
+    r->explicit_armor_present = fxreq.u.armored_data.armor != NULL && tgs_ac != NULL;

    /*
     *
@@ -626,11 +625,11 @@ fast_unwrap_request(astgs_request_t r,
 			       ac->remote_subkey,
 			       &ticket->ticket.key,
 			       &armorkey,
-			       explicit_armor ? NULL : &r->armor_crypto);
+			       r->explicit_armor_present ? NULL : &r->armor_crypto);
    if (ret)
 	goto out;

-    if (explicit_armor) {
+    if (r->explicit_armor_present) {
 	ret = _krb5_fast_explicit_armor_key(r->context,
 					    &armorkey,
 					    tgs_ac->remote_subkey,
@@ -888,6 +887,17 @@ _kdc_fast_check_armor_pac(astgs_request_t r)
 	goto out;
    }

+    if (r->explicit_armor_present) {
+	r->explicit_armor_clientdb = armor_db;
+	armor_db = NULL;
+
+	r->explicit_armor_client = armor_client;
+	armor_client = NULL;
+
+	r->explicit_armor_pac = mspac;
+	mspac = NULL;
+    }
+
 out:
    krb5_xfree(armor_client_principal_name);
    if (armor_client)