krb5 commit: Add krb5_get_init_creds_opt_set_pac_request()
Greg Hudson
ghudson at mit.edu
Wed Apr 27 17:02:10 EDT 2016
https://github.com/krb5/krb5/commit/8fc32c0d8d6887ad628382f0b90439bfce82fb73
commit 8fc32c0d8d6887ad628382f0b90439bfce82fb73
Author: Andreas Schneider <asn at samba.org>
Date: Tue Dec 1 18:42:03 2015 +0100
Add krb5_get_init_creds_opt_set_pac_request()
Add a new public function to set a PAC request option for an AS
request.
[ghudson at mit.edu: simplified code; made signature conform to Heimdal
function; expanded on doxygen comment; added new function to API
reference; changed code to send encoded KERB-PA-PAC-REQUEST instead
of a single octet]
ticket: 7985
doc/appdev/refs/api/index.rst | 1 +
src/include/krb5/krb5.hin | 20 ++++++++++++++++++++
src/lib/krb5/asn.1/asn1_k_encode.c | 1 +
src/lib/krb5/krb/get_in_tkt.c | 28 ++++++++++++++++++++++++++++
src/lib/krb5/krb/gic_opt.c | 25 +++++++++++++++++++++++++
src/lib/krb5/krb/int-proto.h | 5 +++++
src/lib/krb5/libkrb5.exports | 1 +
src/lib/krb5_32.def | 1 +
8 files changed, 82 insertions(+), 0 deletions(-)
diff --git a/doc/appdev/refs/api/index.rst b/doc/appdev/refs/api/index.rst
index e97cbca..55acaf0 100644
--- a/doc/appdev/refs/api/index.rst
+++ b/doc/appdev/refs/api/index.rst
@@ -50,6 +50,7 @@ Frequently used public interfaces
krb5_get_init_creds_opt_set_in_ccache.rst
krb5_get_init_creds_opt_set_out_ccache.rst
krb5_get_init_creds_opt_set_pa.rst
+ krb5_get_init_creds_opt_set_pac_request.rst
krb5_get_init_creds_opt_set_preauth_list.rst
krb5_get_init_creds_opt_set_proxiable.rst
krb5_get_init_creds_opt_set_renew_life.rst
diff --git a/src/include/krb5/krb5.hin b/src/include/krb5/krb5.hin
index f52a9ea..a1bf849 100644
--- a/src/include/krb5/krb5.hin
+++ b/src/include/krb5/krb5.hin
@@ -7100,6 +7100,26 @@ krb5_get_init_creds_opt_set_out_ccache(krb5_context context,
krb5_ccache ccache);
/**
+ * @brief Ask the KDC to include or not include a PAC in the ticket
+ *
+ * @param [in] context Library context
+ * @param [in] opt Options structure
+ * @param [in] req_pac Whether to request a PAC or not
+ *
+ * If this option is set, the AS request will include a PAC-REQUEST pa-data
+ * item explicitly asking the KDC to either include or not include a privilege
+ * attribute certificate in the ticket authorization data. By default, no
+ * request is made; typically the KDC will default to including a PAC if it
+ * supports them.
+ *
+ * @version New in 1.15
+ */
+krb5_error_code KRB5_CALLCONV
+krb5_get_init_creds_opt_set_pac_request(krb5_context context,
+ krb5_get_init_creds_opt *opt,
+ krb5_boolean req_pac);
+
+/**
* Set FAST flags in initial credential options.
*
* @param [in] context Library context
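Review bot: The doxygen block for krb5_get_init_creds_opt_set_pac_request() does not document its return value, and the implementation in gic_opt.c returns EINVAL when @a opt was not allocated with krb5_get_init_creds_opt_alloc() (the GIC_OPT_EXTENDED flag is absent on options initialized the legacy way). Callers porting from the Heimdal signature will want that spelled out; add `@retval 0 Success` and `@retval EINVAL @a opt was not allocated with krb5_get_init_creds_opt_alloc()` before the @version line. It would also help to say that the option is a request only, i.e. the KDC is free to ignore it, since nothing on the client verifies the outcome.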
diff --git a/src/lib/krb5/asn.1/asn1_k_encode.c b/src/lib/krb5/asn.1/asn1_k_encode.c
index b2d2675..a827ca6 100644
--- a/src/lib/krb5/asn.1/asn1_k_encode.c
+++ b/src/lib/krb5/asn.1/asn1_k_encode.c
@@ -1318,6 +1318,7 @@ MAKE_DECODER(decode_krb5_pa_for_user, pa_for_user);
MAKE_ENCODER(encode_krb5_s4u_userid, s4u_userid);
MAKE_ENCODER(encode_krb5_pa_s4u_x509_user, pa_s4u_x509_user);
MAKE_DECODER(decode_krb5_pa_s4u_x509_user, pa_s4u_x509_user);
+MAKE_ENCODER(encode_krb5_pa_pac_req, pa_pac_req);
MAKE_DECODER(decode_krb5_pa_pac_req, pa_pac_req);
MAKE_ENCODER(encode_krb5_etype_list, etype_list);
MAKE_DECODER(decode_krb5_etype_list, etype_list);
diff --git a/src/lib/krb5/krb/get_in_tkt.c b/src/lib/krb5/krb/get_in_tkt.c
index 6ddfa4c..37f29cc 100644
--- a/src/lib/krb5/krb/get_in_tkt.c
+++ b/src/lib/krb5/krb/get_in_tkt.c
@@ -1197,6 +1197,29 @@ save_cc_config_out_data(krb5_context context, krb5_ccache ccache,
return code;
}
+/* Add a KERB-PA-PAC-REQUEST pa-data item if the gic options require one. */
+static krb5_error_code
+maybe_add_pac_request(krb5_context context, krb5_init_creds_context ctx)
+{
+ krb5_error_code code;
+ krb5_pa_pac_req pac_req;
+ krb5_data *encoded;
+ int val;
+
+ val = k5_gic_opt_pac_request(ctx->opt);
+ if (val == -1)
+ return 0;
+
+ pac_req.include_pac = val;
+ code = encode_krb5_pa_pac_req(&pac_req, &encoded);
+ if (code)
+ return code;
+ code = add_padata(&ctx->request->padata, KRB5_PADATA_PAC_REQUEST,
+ encoded->data, encoded->length);
+ krb5_free_data(context, encoded);
+ return code;
+}
+
static krb5_error_code
init_creds_step_request(krb5_context context,
krb5_init_creds_context ctx,
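Review bot: In maybe_add_pac_request() the encoded buffer is freed with krb5_free_data() immediately after the add_padata() call, so correctness depends on add_padata() copying the bytes rather than keeping the pointer; that contract is not visible here and deserves a one-line comment such as `/* add_padata() copies the encoding, so encoded can be released now. */` above the free. The -1 sentinel from k5_gic_opt_pac_request() is assigned straight into pac_req.include_pac only after the -1 check, which is fine, but a brief comment that val is already normalized to 0 or 1 by the setter would make the narrowing obvious. This hunk also cuts through the tail of save_cc_config_out_data() and the head of init_creds_step_request(), both of which continue outside it.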
@@ -1280,6 +1303,11 @@ init_creds_step_request(krb5_context context,
}
if (code)
goto cleanup;
+
+ code = maybe_add_pac_request(context, ctx);
+ if (code)
+ goto cleanup;
+
code = krb5int_fast_prep_req(context, ctx->fast_state,
ctx->request, ctx->outer_request_body,
encode_krb5_as_req,
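Review bot: maybe_add_pac_request() is invoked on every pass through init_creds_step_request(), and this function is re-entered when preauthentication requires another round trip; whether that appends a second KERB-PA-PAC-REQUEST item depends on ctx->request->padata being reset earlier in the function, which starts outside this hunk. If it is not reset on each step, the AS-REQ will carry duplicate PA-PAC-REQUEST entries after the first retry, so it is worth confirming and noting with `/* request->padata is rebuilt each step, so this adds exactly one item. */` above the call.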
diff --git a/src/lib/krb5/krb/gic_opt.c b/src/lib/krb5/krb/gic_opt.c
index d4b8918..3be44d5 100644
--- a/src/lib/krb5/krb/gic_opt.c
+++ b/src/lib/krb5/krb/gic_opt.c
@@ -28,6 +28,7 @@ struct extended_options {
void *expire_data;
krb5_responder_fn responder;
void *responder_data;
+ int pac_request; /* -1 unset, 0 false, 1 true */
};
#if TARGET_OS_MAC
#pragma pack(pop)
@@ -148,6 +149,7 @@ krb5_get_init_creds_opt_alloc(krb5_context context,
if (opte == NULL)
return ENOMEM;
opte->opt.flags = DEFAULT_FLAGS | GIC_OPT_EXTENDED;
+ opte->pac_request = -1;
*opt = (krb5_get_init_creds_opt *)opte;
return 0;
}
@@ -473,3 +475,26 @@ k5_gic_opt_shallow_copy(krb5_get_init_creds_opt *opt)
opte->opt.flags |= GIC_OPT_SHALLOW_COPY;
return (krb5_get_init_creds_opt *)opte;
}
+
+krb5_error_code KRB5_CALLCONV
+krb5_get_init_creds_opt_set_pac_request(krb5_context context,
+ krb5_get_init_creds_opt *opt,
+ krb5_boolean req_pac)
+{
+ struct extended_options *opte = (struct extended_options *)opt;
+
+ if (opt == NULL || !(opt->flags & GIC_OPT_EXTENDED))
+ return EINVAL;
+ opte->pac_request = !!req_pac;
+ return 0;
+}
+
+int
+k5_gic_opt_pac_request(krb5_get_init_creds_opt *opt)
+{
+ struct extended_options *opte = (struct extended_options *)opt;
+
+ if (opt == NULL || !(opt->flags & GIC_OPT_EXTENDED))
+ return -1;
+ return opte->pac_request;
+}
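Review bot: The new pac_request field relies on every constructor of struct extended_options setting it to -1; krb5_get_init_creds_opt_alloc() does so in this commit, but k5_gic_opt_shallow_copy(), whose body begins outside this hunk, is not shown copying it. If the shallow copy fills fields individually or zeroes a fresh allocation rather than assigning the whole struct, a copied options structure would read as an explicit "do not request a PAC" (0) instead of unset (-1), silently changing the AS-REQ. Confirm that it does a whole-struct copy, and document the tri-state next to the accessor with `/* pac_request: -1 unset; otherwise normalized to 0 or 1 by the setter. */`.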
diff --git a/src/lib/krb5/krb/int-proto.h b/src/lib/krb5/krb/int-proto.h
index 5739f83..6da7485 100644
--- a/src/lib/krb5/krb/int-proto.h
+++ b/src/lib/krb5/krb/int-proto.h
@@ -322,4 +322,9 @@ k5_gic_opt_get_responder(krb5_get_init_creds_opt *opt,
krb5_get_init_creds_opt *
k5_gic_opt_shallow_copy(krb5_get_init_creds_opt *opt);
+/* Return -1 if no PAC request option was specified, or the option value as a
+ * boolean (0 or 1). */
+int
+k5_gic_opt_pac_request(krb5_get_init_creds_opt *opt);
+
#endif /* KRB5_INT_FUNC_PROTO__ */
diff --git a/src/lib/krb5/libkrb5.exports b/src/lib/krb5/libkrb5.exports
index ea6982d..eeb1146 100644
--- a/src/lib/krb5/libkrb5.exports
+++ b/src/lib/krb5/libkrb5.exports
@@ -388,6 +388,7 @@ krb5_get_init_creds_opt_set_forwardable
krb5_get_init_creds_opt_set_in_ccache
krb5_get_init_creds_opt_set_out_ccache
krb5_get_init_creds_opt_set_pa
+krb5_get_init_creds_opt_set_pac_request
krb5_get_init_creds_opt_set_preauth_list
krb5_get_init_creds_opt_set_proxiable
krb5_get_init_creds_opt_set_renew_life
diff --git a/src/lib/krb5_32.def b/src/lib/krb5_32.def
index 8d58ea1..79a24d1 100644
--- a/src/lib/krb5_32.def
+++ b/src/lib/krb5_32.def
@@ -467,3 +467,4 @@ EXPORTS
; new in 1.15
krb5_set_kdc_send_hook @433
krb5_set_kdc_recv_hook @434
+ krb5_get_init_creds_opt_set_pac_request @435