krb5 commit: Add API to get client account name from PAC

Greg Hudson ghudson at mit.edu
Mon Sep 9 10:33:38 EDT 2019


https://github.com/krb5/krb5/commit/d975dd1eae7b22b14ce7aa6eefb523e9b3c022ba
commit d975dd1eae7b22b14ce7aa6eefb523e9b3c022ba
Author: Isaac Boukris <iboukris at gmail.com>
Date:   Wed Aug 7 19:39:10 2019 +0000

    Add API to get client account name from PAC
    
    Add a krb5_pac_get_client_info() API to interpret the PAC_CLIENT_INFO
    buffer of a PAC.  This API is needed by KDB plugin modules to set the
    reply client for cross-realm RBCD requests.
    
    [ghudson at mit.edu: added doxygen comment; clarified commit message]
    
    ticket: 8828 (new)

 doc/appdev/refs/api/index.rst |    1 +
 src/include/krb5/krb5.hin     |   22 +++++++++++++++++++++
 src/lib/krb5/krb/pac.c        |   42 +++++++++++++++++++++++++++++++++-------
 src/lib/krb5/libkrb5.exports  |    1 +
 src/lib/krb5_32.def           |    1 +
 5 files changed, 59 insertions(+), 8 deletions(-)

diff --git a/doc/appdev/refs/api/index.rst b/doc/appdev/refs/api/index.rst
index 70efc3e..727d9b4 100644
--- a/doc/appdev/refs/api/index.rst
+++ b/doc/appdev/refs/api/index.rst
@@ -253,6 +253,7 @@ Rarely used public interfaces
    krb5_pac_sign_ext.rst
    krb5_pac_verify.rst
    krb5_pac_verify_ext.rst
+   krb5_pac_get_client_info.rst
    krb5_prepend_error_message.rst
    krb5_principal2salt.rst
    krb5_rd_cred.rst
diff --git a/src/include/krb5/krb5.hin b/src/include/krb5/krb5.hin
index eed38fd..d486853 100644
--- a/src/include/krb5/krb5.hin
+++ b/src/include/krb5/krb5.hin
@@ -8338,6 +8338,28 @@ krb5_pac_sign_ext(krb5_context context, krb5_pac pac, krb5_timestamp authtime,
                   const krb5_keyblock *privsvr_key, krb5_boolean with_realm,
                   krb5_data *data);
 
+
+/*
+ * Read client information from a PAC.
+ *
+ * @param [in]  context         Library context
+ * @param [in]  pac             PAC handle
+ * @param [out] authtime_out    Authentication timestamp (NULL if not needed)
+ * @param [out] princname_out   Client account name
+ *
+ * Read the PAC_CLIENT_INFO buffer in @a pac.  Place the client account name as
+ * a string in @a princname_out.  If @a authtime_out is not NULL, place the
+ * initial authentication timestamp in @a authtime_out.
+ *
+ * @retval 0 on success, ENOENT if no PAC_CLIENT_INFO buffer is present in @a
+ * pac, ERANGE if the buffer contains invalid lengths.
+ *
+ * @version New in 1.18
+ */
+krb5_error_code KRB5_CALLCONV
+krb5_pac_get_client_info(krb5_context context, const krb5_pac pac,
+                         krb5_timestamp *authtime_out, char **princname_out);
+
 /**
  * Allow the appplication to override the profile's allow_weak_crypto setting.
  *
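Review bot: The new API comment opens with `/*` (the line after the blank line at the top of this hunk) while the neighbouring API comment in this header opens with `/**`, so Doxygen will not treat it as a documentation block and the `krb5_pac_get_client_info.rst` page the index now references will have nothing to generate from; change the opener to `/**`. The comment should also warn KDB plugin authors that this call only parses PAC_CLIENT_INFO and does no signature check, so the returned name and timestamp are untrusted until the PAC has passed krb5_pac_verify() or krb5_pac_verify_ext() — e.g. add `This function does not verify the PAC; callers must verify it first before relying on the returned values.` Finally, the ownership of @a princname_out is not stated; it appears to be a heap string handed back from the pac.c implementation, so presumably the caller must release it (with free() or the library's string-release function — confirm) and the comment should say which.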
diff --git a/src/lib/krb5/krb/pac.c b/src/lib/krb5/krb/pac.c
index 5efc91e..950beda 100644
--- a/src/lib/krb5/krb/pac.c
+++ b/src/lib/krb5/krb/pac.c
@@ -399,21 +399,23 @@ k5_seconds_since_1970_to_time(krb5_timestamp elapsedSeconds, uint64_t *ntTime)
     return 0;
 }
 
-krb5_error_code
-k5_pac_validate_client(krb5_context context,
-                       const krb5_pac pac,
-                       krb5_timestamp authtime,
-                       krb5_const_principal principal,
-                       krb5_boolean with_realm)
+krb5_error_code KRB5_CALLCONV
+krb5_pac_get_client_info(krb5_context context,
+                         const krb5_pac pac,
+                         krb5_timestamp *authtime_out,
+                         char **princname_out)
 {
     krb5_error_code ret;
     krb5_data client_info;
-    char *pac_princname, *princname;
+    char *pac_princname;
     unsigned char *p;
     krb5_timestamp pac_authtime;
     krb5_ui_2 pac_princname_length;
     int64_t pac_nt_authtime;
-    int flags = 0;
+
+    if (authtime_out != NULL)
+        *authtime_out = 0;
+    *princname_out = NULL;
 
     ret = k5_pac_locate_buffer(context, pac, KRB5_PAC_CLIENT_INFO,
                                &client_info);
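Review bot: krb5_pac_get_client_info() becomes a public entry point here, but the visible body only locates the PAC_CLIENT_INFO buffer and parses it; nothing checks the PAC's server or KDC checksums, so a caller that has not first run krb5_pac_verify() gets whatever name and authtime the PAC producer chose. Since the commit message intends this for KDB plugins setting the reply client in cross-realm RBCD, that precondition deserves a comment above the definition, e.g. `/* Parses PAC_CLIENT_INFO only; the PAC's signatures are not checked here, so callers must verify the PAC before trusting the result. */`. Note also that princname_out is dereferenced unconditionally while authtime_out is optional, which matches the header but is worth stating in the same comment. The function body continues past the end of this hunk.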
@@ -441,6 +443,30 @@ k5_pac_validate_client(krb5_context context,
     if (ret != 0)
         return ret;
 
+    if (authtime_out != NULL)
+        *authtime_out = pac_authtime;
+    *princname_out = pac_princname;
+
+    return 0;
+}
+
+krb5_error_code
+k5_pac_validate_client(krb5_context context,
+                       const krb5_pac pac,
+                       krb5_timestamp authtime,
+                       krb5_const_principal principal,
+                       krb5_boolean with_realm)
+{
+    krb5_error_code ret;
+    char *pac_princname, *princname;
+    krb5_timestamp pac_authtime;
+    int flags = 0;
+
+    ret = krb5_pac_get_client_info(context, pac, &pac_authtime,
+                                   &pac_princname);
+    if (ret != 0)
+        return ret;
+
     flags = KRB5_PRINCIPAL_UNPARSE_DISPLAY;
     if (!with_realm)
         flags |= KRB5_PRINCIPAL_UNPARSE_NO_REALM;
diff --git a/src/lib/krb5/libkrb5.exports b/src/lib/krb5/libkrb5.exports
index f036b1a..55e2635 100644
--- a/src/lib/krb5/libkrb5.exports
+++ b/src/lib/krb5/libkrb5.exports
@@ -498,6 +498,7 @@ krb5_pac_sign
 krb5_pac_sign_ext
 krb5_pac_verify
 krb5_pac_verify_ext
+krb5_pac_get_client_info
 krb5_parse_name
 krb5_parse_name_flags
 krb5_prepend_error_message
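Review bot: `krb5_pac_get_client_info` is inserted after `krb5_pac_verify_ext`, but the surrounding entries (`krb5_pac_sign_ext`, `krb5_pac_verify`, `krb5_pac_verify_ext`, `krb5_parse_name`, `krb5_parse_name_flags`, …) appear to be kept in alphabetical order, so the new symbol belongs earlier, in its sorted position among the `krb5_pac_*` names. The same out-of-order placement is in doc/appdev/refs/api/index.rst in this commit.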
diff --git a/src/lib/krb5_32.def b/src/lib/krb5_32.def
index 67ac1d3..c327ceb 100644
--- a/src/lib/krb5_32.def
+++ b/src/lib/krb5_32.def
@@ -488,3 +488,4 @@ EXPORTS
 
 ; new in 1.18
 	krb5int_c_deprecated_enctype			@450 ; PRIVATE
+	krb5_pac_get_client_info			@451

