kdc: Optionally require that PAC be be present

This is from Samba's patches for CVE-2020-25719. This allows Heimdal to match AD behaviour, when configured, for the behaviour after Microsoft's CVE-2021-42287 when PacRequestorEnforcement is set to 2. Samba BUG: https://bugzilla.samba.org/show_bug.cgi?id=14686 REF: https://support.microsoft.com/en-au/topic/kb5008380-authentication-updates-cve-2021-42287-9dafac11-e0d0-4cb8-959a-143bd0201041 Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> [abarlet@samba.org based on Samba commit 756934f14cc87dc1adfd9315672ae5d49cb24d95 and f7a2fef8f49a86f63c3dc2f6a2d7d979fb53238a]
2021-10-29 14:35:52 +13:00
parent 83a80cd53b
commit b8c58191dc
3 changed files with 17 additions and 1 deletions
--- a/kdc/krb5tgs.c
+++ b/kdc/krb5tgs.c
@@ -74,9 +74,15 @@ _kdc_check_pac(krb5_context context,
    *ppac = NULL;

    ret = _krb5_kdc_pac_ticket_parse(context, tkt, &signedticket, &pac);
-    if (ret || pac == NULL)
+    if (ret)
 	return ret;

+    if (pac == NULL) {
+	if (config->require_pac)
+	    ret = KRB5KDC_ERR_TGT_REVOKED;
+	return ret;
+    }
+
    /* Verify the server signature. */
    ret = krb5_pac_verify(context, pac, tkt->authtime, client_principal,
 			  server_check_key, NULL);