krb5 commit: Add KDC support functions for PA-PAC-OPTIONS
Greg Hudson
ghudson at mit.edu
Mon Sep 9 10:33:25 EDT 2019
https://github.com/krb5/krb5/commit/86ba26248dfbbed13cd753dd79e5f45a9a01defc
commit 86ba26248dfbbed13cd753dd79e5f45a9a01defc
Author: Isaac Boukris <iboukris at gmail.com>
Date: Sat Aug 3 21:57:14 2019 +0000
Add KDC support functions for PA-PAC-OPTIONS
Add helper functions kdc_get_pa_pac_options() and
kdc_add_pa_pac_options(), to retrieve PA-PAC-OPTIONS values from
request padata and to set a PA-PAC-OPTIONS value in encrypted padata.
Don't actually call kdc_add_pa_pac_options() yet.
[ghudson at mit.edu: rewrote commit message; minor style edits]
ticket: 8479
src/kdc/kdc_util.c | 48 ++++++++++++++++++++++++++++++++++++++++++++++++
src/kdc/kdc_util.h | 8 ++++++++
2 files changed, 56 insertions(+), 0 deletions(-)
diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c
index db5a9ed..95b3a3c 100644
--- a/src/kdc/kdc_util.c
+++ b/src/kdc/kdc_util.c
@@ -1900,6 +1900,54 @@ cleanup:
return retval;
}
+krb5_error_code
+kdc_get_pa_pac_options(krb5_context context, krb5_pa_data **in_padata,
+ krb5_pa_pac_options **pac_options_out)
+{
+ krb5_pa_data *pa;
+ krb5_data der_pac_options;
+
+ *pac_options_out = NULL;
+
+ pa = krb5int_find_pa_data(context, in_padata, KRB5_PADATA_PAC_OPTIONS);
+ if (pa == NULL)
+ return 0;
+
+ der_pac_options = make_data(pa->contents, pa->length);
+ return decode_krb5_pa_pac_options(&der_pac_options, pac_options_out);
+}
+
+krb5_error_code
+kdc_add_pa_pac_options(krb5_context context, krb5_kdc_req *request,
+ krb5_pa_data ***out_enc_padata)
+{
+ krb5_error_code ret;
+ krb5_pa_pac_options *pac_options = NULL;
+ krb5_data *der_pac_options;
+
+ ret = kdc_get_pa_pac_options(context, request->padata, &pac_options);
+ if (ret || pac_options == NULL)
+ return ret;
+
+ /* Only return supported PAC options (currently only resource-based
+ * constrained delegation support). */
+ pac_options->options &= KRB5_PA_PAC_OPTIONS_RBCD;
+ if (pac_options->options == 0) {
+ free(pac_options);
+ return 0;
+ }
+
+ ret = encode_krb5_pa_pac_options(pac_options, &der_pac_options);
+ free(pac_options);
+ if (ret)
+ return ret;
+
+ ret = k5_add_pa_data_from_data(out_enc_padata, KRB5_PADATA_PAC_OPTIONS,
+ der_pac_options);
+ krb5_free_data(context, der_pac_options);
+ return ret;
+}
+
/*
* Although the KDC doesn't call this function directly,
* process_tcp_connection_read() in net-server.c does call it.
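Review bot: Neither new function documents its ownership contract, and kdc_get_pa_pac_options has a three-way result (an error, 0 with *pac_options_out left NULL when no PA-PAC-OPTIONS element is present, or 0 with an allocated value the caller must free()) that callers need spelled out; I would put `/* Decode the PA-PAC-OPTIONS padata element in in_padata, if any.  On success *pac_options_out is NULL if the element is absent, otherwise the decoded value, which the caller must free. */` above the definition at line 26. The bytes decoded at line 40 come from the client's request padata, so a decode failure there is the intended way to reject malformed input, and kdc_add_pa_pac_options rightly propagates it at line 52 instead of ignoring it; a short comment noting that the input is untrusted would help whoever later wires this into the TGS path. For kdc_add_pa_pac_options I would add `/* If the request carries PA-PAC-OPTIONS, echo the subset the KDC supports (currently only RBCD) back to the client in the encrypted reply padata; add nothing if no supported option was requested. */`, and state explicitly that the echo only advertises support for the masked bits at line 57, it does not confirm that a delegation request was actually honored, which is presumably the intended semantic but is easy to misread.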
diff --git a/src/kdc/kdc_util.h b/src/kdc/kdc_util.h
index 8583a91..2d20439 100644
--- a/src/kdc/kdc_util.h
+++ b/src/kdc/kdc_util.h
@@ -413,6 +413,14 @@ kdc_fast_make_cookie(krb5_context context, struct kdc_request_state *state,
krb5_const_principal client_princ,
krb5_pa_data **cookie_out);
+krb5_error_code
+kdc_add_pa_pac_options(krb5_context context, krb5_kdc_req *request,
+ krb5_pa_data ***out_enc_padata);
+
+krb5_error_code
+kdc_get_pa_pac_options(krb5_context context, krb5_pa_data **in_padata,
+ krb5_pa_pac_options **pac_options_out);
+
/* Information handle for kdcpreauth callbacks. All pointers are aliases. */
struct krb5_kdcpreauth_rock_st {
krb5_kdc_req *request;
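Review bot: The two prototypes at lines 84-90 carry no comment, yet kdc_util.h is where a caller will look to learn that *pac_options_out may be NULL on success and must be freed otherwise, and that kdc_add_pa_pac_options appends to *out_enc_padata only when a supported option was requested. A one-line comment on each, e.g. `/* Decode PA-PAC-OPTIONS from in_padata; *pac_options_out is NULL if absent, else caller-owned. */` and `/* Echo the supported PA-PAC-OPTIONS bits from request into *out_enc_padata, if any. */`, would match the commented prototypes elsewhere in this header. Listing kdc_get_pa_pac_options before kdc_add_pa_pac_options would also mirror the order in kdc_util.c, where the latter calls the former.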