From ebd7092dffc3eef0a7cb4333f37bf6d3f875d3bb Mon Sep 17 00:00:00 2001
From: Luke Howard
Date: Thu, 23 Dec 2021 11:24:35 +1100
Subject: [PATCH] kdc: distinguish long-term key from replacing reply key

Distinguish pre-authentication mechanisms that replace the reply key from those that use the client's long-term key. In the general case, one is the inverse of the other, however KRB5_PADATA_ENCRYPTED_CHALLENGE replaces the reply-key with one derived from the long-term key.

PA_REPLACE_REPLY_KEY indicates that the kvno should be set to zero in the reply; the absence of PA_USES_LONG_TERM_KEY indicates that the client's long-term key may be included in the PAC (PAC_CREDENTIAL_INFO with Samba only).

Corrects e8984871.
---
 kdc/kerberos5.c | 17 ++++++++++-------
 1 file changed, 10 insertions(+), 7 deletions(-)

diff --git a/kdc/kerberos5.c b/kdc/kerberos5.c
index a198657c6..fa3a1d607 100644
--- a/kdc/kerberos5.c
+++ b/kdc/kerberos5.c
@@ -980,7 +980,8 @@ struct kdc_patypes {
 #define PA_ANNOUNCE 1
 #define PA_REQ_FAST 2 /* only use inside fast */
 #define PA_SYNTHETIC_OK 4
-#define PA_REPLACE_REPLY_KEY 8
+#define PA_REPLACE_REPLY_KEY 8 /* PA mech replaces reply key */
+#define PA_USES_LONG_TERM_KEY 16 /* PA mech uses client's long-term key */
 krb5_error_code (*validate)(astgs_request_t,
 const PA_DATA *pa,
 struct kdc_pa_auth_status *auth_status);
@@ -1011,12 +1012,12 @@ static const struct kdc_patypes pat[] = {
 { KRB5_PADATA_PA_PK_OCSP_RESPONSE , "OCSP", 0, NULL, NULL, NULL },
 {
 KRB5_PADATA_ENC_TIMESTAMP , "ENC-TS",
- PA_ANNOUNCE,
+ PA_ANNOUNCE | PA_USES_LONG_TERM_KEY,
 pa_enc_ts_validate, NULL, NULL
 },
 {
 KRB5_PADATA_ENCRYPTED_CHALLENGE , "ENC-CHAL",
- PA_ANNOUNCE | PA_REQ_FAST,
+ PA_ANNOUNCE | PA_USES_LONG_TERM_KEY | PA_REQ_FAST,
 pa_enc_chal_validate, NULL, NULL
 },
 { KRB5_PADATA_REQ_ENC_PA_REP , "REQ-ENC-PA-REP", 0, NULL, NULL, NULL },
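Review bot: The ENC-CHAL entry gains PA_USES_LONG_TERM_KEY but not PA_REPLACE_REPLY_KEY, while the commit message says KRB5_PADATA_ENCRYPTED_CHALLENGE replaces the reply key with one derived from the long-term key. If leaving PA_REPLACE_REPLY_KEY off is deliberate — presumably because the derived key is still bound to a kvno of the long-term key, so zeroing the kvno in the reply would be wrong — that reasoning lives only in the commit message, and a reader of pat[] will wonder whether the bit was forgotten. Suggest a comment on the entry, e.g. `/* reply key is derived from the long-term key, so the kvno stays meaningful: no PA_REPLACE_REPLY_KEY */`, or setting the bit if the omission is unintended. The other users of PA_REPLACE_REPLY_KEY in pat[] are outside this hunk.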
@@ -1870,15 +1871,17 @@ generate_pac(astgs_request_t r, const Key *skey, const Key *tkey, (long)r->pac_attributes); /* - * When a PA mech replaces the reply key, the PAC may include the - * client's long term key (encrypted in the reply key) for use by - * other shared secret authentication protocols, e.g. NTLM. + * When a PA mech does not use the client's long-term key, the PAC + * may include the client's long-term key (encrypted in the reply key) + * for use by other shared secret authentication protocols, e.g. NTLM. + * Validate a PA mech was actually used before doing this. */ ret = _kdc_pac_generate(r->context, r->client, r->server, - pa_used_flag_isset(r, PA_REPLACE_REPLY_KEY) ? &r->reply_key : NULL, + r->pa_used && !pa_used_flag_isset(r, PA_USES_LONG_TERM_KEY) + ? &r->reply_key : NULL, r->pac_attributes, &p); if (ret) {
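Review bot: The new predicate passes `&r->reply_key` for any validated mech that lacks PA_USES_LONG_TERM_KEY, including one that also lacks PA_REPLACE_REPLY_KEY; for such a mech the reply key is presumably still the client's long-term key, so _kdc_pac_generate would be asked to wrap the long-term key under itself. Whether pat[] holds a validated entry with neither flag is not visible in this hunk, so this may be unreachable today, but the condition encodes an assumption the table does not enforce. Either require both properties, `r->pa_used && pa_used_flag_isset(r, PA_REPLACE_REPLY_KEY) && !pa_used_flag_isset(r, PA_USES_LONG_TERM_KEY)`, or state the invariant in the comment, e.g. `Every mech without PA_USES_LONG_TERM_KEY is expected to have replaced the reply key.` generate_pac's body continues outside the hunk on both sides.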