From b8c58191dc02956847308628378e59e005705d67 Mon Sep 17 00:00:00 2001
From: Joseph Sutton
Date: Fri, 29 Oct 2021 14:35:52 +1300
Subject: [PATCH] kdc: Optionally require that PAC be be present

This is from Samba's patches for CVE-2020-25719.

This allows Heimdal to match AD behaviour, when configured, for the behaviour after Microsoft's CVE-2021-42287 when PacRequestorEnforcement is set to 2.

Samba BUG: https://bugzilla.samba.org/show_bug.cgi?id=14686
REF: https://support.microsoft.com/en-au/topic/kb5008380-authentication-updates-cve-2021-42287-9dafac11-e0d0-4cb8-959a-143bd0201041

Signed-off-by: Joseph Sutton
Reviewed-by: Andrew Bartlett

[abarlet@samba.org based on Samba commit 756934f14cc87dc1adfd9315672ae5d49cb24d95 and f7a2fef8f49a86f63c3dc2f6a2d7d979fb53238a]
---
 kdc/default_config.c | 9 +++++++++
 kdc/kdc.h            | 1 +
 kdc/krb5tgs.c        | 8 +++++++-
 3 files changed, 17 insertions(+), 1 deletion(-)

diff --git a/kdc/default_config.c b/kdc/default_config.c
index 49d56c9e7..c460dce5a 100644
--- a/kdc/default_config.c
+++ b/kdc/default_config.c
@@ -100,6 +100,7 @@ krb5_kdc_get_config(krb5_context context, krb5_kdc_configuration **config)
     c->historical_anon_realm = FALSE;
     c->strict_nametypes = FALSE;
     c->trpolicy = TRPOLICY_ALWAYS_CHECK;
+    c->require_pac = FALSE;
     c->enable_armored_pa_enc_timestamp = TRUE;
     c->enable_unarmored_pa_enc_timestamp = TRUE;
     c->enable_pkinit = FALSE;
@@ -253,6 +254,14 @@ krb5_kdc_get_config(krb5_context context, krb5_kdc_configuration **config)
                                      c->kdc_warn_pwexpire,
                                      "kdc", "kdc_warn_pwexpire", NULL);
 
+    c->require_pac =
+        krb5_config_get_bool_default(context,
+                                     NULL,
+                                     c->require_pac,
+                                     "kdc",
+                                     "require_pac",
+                                     NULL);
+
     c->enable_armored_pa_enc_timestamp =
         krb5_config_get_bool_default(context,
                                      NULL,
diff --git a/kdc/kdc.h b/kdc/kdc.h
index 36440d8fb..32f974751 100644
--- a/kdc/kdc.h
+++ b/kdc/kdc.h
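Review bot: The new `[kdc] require_pac` option is read in the second hunk but is documented nowhere in this patch — the diffstat touches only default_config.c, kdc.h and krb5tgs.c, so kdc.conf(5) gets no entry for it. A man-page paragraph should state the default (`FALSE`, set in the first hunk), that when enabled the TGS rejects any ticket that carries no PAC with KRB5KDC_ERR_TGT_REVOKED, and, presumably, that tickets issued before PACs were being emitted or by an issuer that never adds one will then be rejected too, so the knob belongs on only once every issuer emits PACs. The new field in the kdc.h hunk would also benefit from a one-line comment, e.g. `krb5_boolean require_pac; /* reject tickets that carry no PAC (AD PacRequestorEnforcement=2 behaviour) */`.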
@@ -84,6 +84,7 @@ typedef struct krb5_kdc_configuration {
     krb5_boolean strict_nametypes;
     enum krb5_kdc_trpolicy trpolicy;
 
+    krb5_boolean require_pac;
     krb5_boolean enable_armored_pa_enc_timestamp;
     krb5_boolean enable_unarmored_pa_enc_timestamp;
 
diff --git a/kdc/krb5tgs.c b/kdc/krb5tgs.c
index e1eb49013..74d3ae9e7 100644
--- a/kdc/krb5tgs.c
+++ b/kdc/krb5tgs.c
@@ -74,9 +74,15 @@ _kdc_check_pac(krb5_context context,
     *ppac = NULL;
 
     ret = _krb5_kdc_pac_ticket_parse(context, tkt, &signedticket, &pac);
-    if (ret || pac == NULL)
+    if (ret)
         return ret;
 
+    if (pac == NULL) {
+        if (config->require_pac)
+            ret = KRB5KDC_ERR_TGT_REVOKED;
+        return ret;
+    }
+
     /* Verify the server signature. */
     ret = krb5_pac_verify(context, pac, tkt->authtime, client_principal,
                           server_check_key, NULL);
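Review bot: When `config->require_pac` is set and the ticket carries no PAC, the new `if (pac == NULL)` branch in the krb5tgs.c hunk returns KRB5KDC_ERR_TGT_REVOKED silently; an operator who turns the knob on will want a log line to tell a rejected PAC-less ticket apart from a genuinely revoked one, e.g. `kdc_log(context, config, 0, "Ticket carries no PAC and [kdc] require_pac is set; rejecting");` just before the `ret =` assignment. The signature of _kdc_check_pac starts above the hunk, so I am assuming `config` is already a parameter in scope, as its use here as `config->require_pac` suggests. Note that with require_pac unset the function still returns 0 with `*ppac == NULL`, exactly as the removed `if (ret || pac == NULL)` line did, so callers keep needing their existing NULL-PAC handling.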