From a50a2be622afaa7a280312ea12f5eb9c9a0c41da Mon Sep 17 00:00:00 2001
From: Joseph Sutton <josephsutton@catalyst.net.nz>
Date: Wed, 9 Nov 2022 13:45:13 +1300
Subject: CVE-2022-37967 Add new PAC checksum

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15231

Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
---
 librpc/idl/krb5pac.idl | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

(limited to 'librpc')

diff --git a/librpc/idl/krb5pac.idl b/librpc/idl/krb5pac.idl
index d2f8414d69e..57c37656eb6 100644
--- a/librpc/idl/krb5pac.idl
+++ b/librpc/idl/krb5pac.idl
@@ -166,7 +166,8 @@ interface krb5pac
 		PAC_TYPE_DEVICE_CLAIMS_INFO = 15,
 		PAC_TYPE_TICKET_CHECKSUM = 16,
 		PAC_TYPE_ATTRIBUTES_INFO = 17,
-		PAC_TYPE_REQUESTER_SID = 18
+		PAC_TYPE_REQUESTER_SID = 18,
+		PAC_TYPE_FULL_CHECKSUM = 19
 	} PAC_TYPE;
 
 	typedef struct {
@@ -188,6 +189,7 @@ interface krb5pac
 		[case(PAC_TYPE_CLIENT_CLAIMS_INFO)][subcontext(0)] DATA_BLOB_REM client_claims_info;
 		[case(PAC_TYPE_DEVICE_INFO)][subcontext(0xFFFFFC01)] PAC_DEVICE_INFO_CTR device_info;
 		[case(PAC_TYPE_DEVICE_CLAIMS_INFO)][subcontext(0)] DATA_BLOB_REM device_claims_info;
+		[case(PAC_TYPE_FULL_CHECKSUM)]	PAC_SIGNATURE_DATA full_checksum;
 		/* when new PAC info types are added they are supposed to be done
 		   in such a way that they are backwards compatible with existing
 		   servers. This makes it safe to just use a [default] for
-- 
cgit v1.2.1