authorStefan Metzmacher <metze@samba.org>2016-05-20 08:29:30 +0200
committerAndrew Bartlett <abartlet@samba.org>2016-07-22 23:34:21 +0200
commit0022ea9efb0e7809fa2d060b294320eb0479cdd2 (patch)
tree6ae67bfcb027bfed91073526be8b9c6ccb26e600 /source4/heimdal
parentf61833082ad5370bf67d316ec2f0a37e55d4eb60 (diff)
HEIMDAL:kdc: add krb5plugin_windc_pac_pk_generate() hook
This allows PAC_CREDENTIAL_INFO to be added to the PAC when using PKINIT. In that case PAC_CREDENTIAL_INFO contains an encrypted PAC_CREDENTIAL_DATA. BUG: https://bugzilla.samba.org/show_bug.cgi?id=11441 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Diffstat (limited to 'source4/heimdal')
-rw-r--r--source4/heimdal/kdc/kerberos5.c10
-rw-r--r--source4/heimdal/kdc/krb5tgs.c2
-rw-r--r--source4/heimdal/kdc/windc.c4
-rw-r--r--source4/heimdal/kdc/windc_plugin.h10
4 files changed, 22 insertions, 4 deletions
diff --git a/source4/heimdal/kdc/kerberos5.c b/source4/heimdal/kdc/kerberos5.c
index a75ec0eaaec..3282d5e0800 100644
--- a/source4/heimdal/kdc/kerberos5.c
+++ b/source4/heimdal/kdc/kerberos5.c
@@ -982,6 +982,7 @@ _kdc_as_rep(krb5_context context,
#ifdef PKINIT
pk_client_params *pkp = NULL;
#endif
+ const EncryptionKey *pk_reply_key = NULL;
memset(&rep, 0, sizeof(rep));
memset(&session_key, 0, sizeof(session_key));
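Review bot: The new local is declared as `const EncryptionKey *pk_reply_key = NULL;` while the `_kdc_pac_generate` parameter it is later passed to is spelled `const krb5_keyblock *`; as far as I recall these are one type by typedef in Heimdal, but `const krb5_keyblock *pk_reply_key = NULL;` keeps the call site and the callee in agreement and avoids a reader having to check. The declaration sits outside the `#ifdef PKINIT` block deliberately, since the pointer is passed unconditionally further down, so a one-line comment `/* NULL unless a PKINIT reply key was produced below */` would spare the next maintainer that inference. `_kdc_as_rep` starts before this hunk and continues past it.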
@@ -1625,7 +1626,7 @@ _kdc_as_rep(krb5_context context,
copy_HostAddresses(et.caddr, ek.caddr);
}
-#if PKINIT
+#ifdef PKINIT
if (pkp) {
e_text = "Failed to build PK-INIT reply";
ret = _kdc_pk_mk_pa_reply(context, config, pkp, client,
@@ -1640,6 +1641,11 @@ _kdc_as_rep(krb5_context context,
if (ret)
goto out;
+ /*
+ * Send reply key as constant value to pac generate which allows
+ * parts of the buffer to be encrypted (i.e., PAC_CREDENTIAL_DATA).
+ */
+ pk_reply_key = reply_key;
} else
#endif
{
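Review bot: `pk_reply_key = reply_key;` takes an alias without stating who owns the key or how long it stays valid; the PAC-generation call further down relies on `reply_key` still being live at that point, so if `reply_key` is released in the function's cleanup path (not visible here) the PAC call must stay ahead of that release. I would extend the new comment with `* The pointer is borrowed: reply_key stays owned by this function.` so a later reordering does not hand the plugin a freed key. The phrase "Send reply key as constant value" is also unclear; "Pass the reply key (read-only) to PAC generation" says what is meant. The enclosing function begins before and ends after this hunk.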
@@ -1668,7 +1674,7 @@ _kdc_as_rep(krb5_context context,
krb5_pac p = NULL;
krb5_data data;
- ret = _kdc_pac_generate(context, client, &p);
+ ret = _kdc_pac_generate(context, client, pk_reply_key, &p);
if (ret) {
kdc_log(context, config, 0, "PAC generation failed for -- %s",
client_name);
diff --git a/source4/heimdal/kdc/krb5tgs.c b/source4/heimdal/kdc/krb5tgs.c
index c221c903461..334a6eb1dc8 100644
--- a/source4/heimdal/kdc/krb5tgs.c
+++ b/source4/heimdal/kdc/krb5tgs.c
@@ -1990,7 +1990,7 @@ server_lookup:
krb5_free_error_message(context, msg);
goto out;
}
- ret = _kdc_pac_generate(context, s4u2self_impersonated_client, &p);
+ ret = _kdc_pac_generate(context, s4u2self_impersonated_client, NULL, &p);
if (ret) {
kdc_log(context, config, 0, "PAC generation failed for -- %s",
tpn);
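Review bot: The `NULL` passed as the new argument carries no explanation at the call site, so a reader of the TGS path cannot tell whether omitting the key is deliberate or an oversight. Per the commit message the credential buffer is only meaningful for a PKINIT AS-REP, so a comment above the call such as `/* No PKINIT reply key on the TGS/S4U2Self path: PAC_CREDENTIAL_INFO is AS-REP only */` would record the intent. The enclosing function starts before this hunk and continues past it.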
diff --git a/source4/heimdal/kdc/windc.c b/source4/heimdal/kdc/windc.c
index ba87abb7cc0..fb1c8a6a993 100644
--- a/source4/heimdal/kdc/windc.c
+++ b/source4/heimdal/kdc/windc.c
@@ -73,11 +73,15 @@ krb5_kdc_windc_init(krb5_context context)
krb5_error_code
_kdc_pac_generate(krb5_context context,
hdb_entry_ex *client,
+ const krb5_keyblock *pk_reply_key,
krb5_pac *pac)
{
*pac = NULL;
if (windcft == NULL)
return 0;
+ if (windcft->pac_pk_generate != NULL && pk_reply_key != NULL)
+ return (windcft->pac_pk_generate)(windcctx, context,
+ client, pk_reply_key, pac);
return (windcft->pac_generate)(windcctx, context, client, pac);
}
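Review bot: When `pk_reply_key` is non-NULL but the loaded plugin supplies no `pac_pk_generate`, the new `if` falls through to `pac_generate` silently, so a PKINIT client receives a PAC without PAC_CREDENTIAL_INFO and nothing records why. If that fallback is intended, say so on the `if`, e.g. `/* plugins without pac_pk_generate yield a PAC without PAC_CREDENTIAL_INFO */`; if it is not, a `kdc_log` at debug level, or an error return, would make the missing hook visible in operation. The function also gained a parameter without documentation; a line above the definition such as `pk_reply_key: PKINIT reply key, or NULL outside the PKINIT AS-REP path; borrowed, never freed here` would state the contract for the caller.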
diff --git a/source4/heimdal/kdc/windc_plugin.h b/source4/heimdal/kdc/windc_plugin.h
index fa4ba434f3e..bf90826cb06 100644
--- a/source4/heimdal/kdc/windc_plugin.h
+++ b/source4/heimdal/kdc/windc_plugin.h
@@ -53,7 +53,14 @@ struct hdb_entry_ex;
typedef krb5_error_code
(*krb5plugin_windc_pac_generate)(void *, krb5_context,
- struct hdb_entry_ex *, krb5_pac *);
+ struct hdb_entry_ex *, /* client */
+ krb5_pac *);
+
+typedef krb5_error_code
+(*krb5plugin_windc_pac_pk_generate)(void *, krb5_context,
+ struct hdb_entry_ex *, /* client */
+ const krb5_keyblock *, /* pk_replykey */
+ krb5_pac *);
typedef krb5_error_code
(*krb5plugin_windc_pac_verify)(void *, krb5_context,
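Review bot: The parameter comment on the new typedef reads `/* pk_replykey */` while the KDC side and the commit text use `pk_reply_key`; `/* pk_reply_key */` keeps the spellings aligned. The typedef also says nothing about ownership of the `const krb5_keyblock *`: a plugin author needs to know whether the key is valid only for the duration of the call, which the KDC side suggests but the header does not state. A comment block above the typedef along the lines of "Generate a PAC for a PKINIT AS-REP; the reply key is borrowed for the call and may be used to encrypt PAC_CREDENTIAL_DATA, the plugin must neither free nor retain it" would settle that. The `krb5plugin_windc_pac_verify` typedef continues past the end of the hunk.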
@@ -83,6 +90,7 @@ typedef struct krb5plugin_windc_ftable {
krb5plugin_windc_pac_generate pac_generate;
krb5plugin_windc_pac_verify pac_verify;
krb5plugin_windc_client_access client_access;
+ krb5plugin_windc_pac_pk_generate pac_pk_generate;
} krb5plugin_windc_ftable;
#endif /* HEIMDAL_KRB5_PAC_PLUGIN_H */
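Review bot: Appending `pac_pk_generate` to `krb5plugin_windc_ftable` changes the table layout, and nothing in this diff bumps the plugin minor version that Heimdal's windc loader compares against (`KRB5_WINDC_PLUGIN_MINOR`, if this header still carries it as upstream does). A plugin built against the previous header would export a shorter table, and the `windcft->pac_pk_generate` read in windc.c would then look past the end of that object. With the Samba plugin built in-tree this is unlikely to bite, but bumping the minor constant alongside the new member, or a comment stating that the table is consumed only by the in-tree plugin, would make the layout change explicit.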