krb5 commit: Add API to get client account name from PAC
Greg Hudson
ghudson at mit.edu
Mon Sep 9 10:33:38 EDT 2019
https://github.com/krb5/krb5/commit/d975dd1eae7b22b14ce7aa6eefb523e9b3c022ba
commit d975dd1eae7b22b14ce7aa6eefb523e9b3c022ba
Author: Isaac Boukris <iboukris at gmail.com>
Date: Wed Aug 7 19:39:10 2019 +0000
Add API to get client account name from PAC
Add a krb5_pac_get_client_info() API to interpret the PAC_CLIENT_INFO
buffer of a PAC. This API is needed by KDB plugin modules to set the
reply client for cross-realm RBCD requests.
[ghudson at mit.edu: added doxygen comment; clarified commit message]
ticket: 8828 (new)
doc/appdev/refs/api/index.rst | 1 +
src/include/krb5/krb5.hin | 22 +++++++++++++++++++++
src/lib/krb5/krb/pac.c | 42 +++++++++++++++++++++++++++++++++-------
src/lib/krb5/libkrb5.exports | 1 +
src/lib/krb5_32.def | 1 +
5 files changed, 59 insertions(+), 8 deletions(-)
diff --git a/doc/appdev/refs/api/index.rst b/doc/appdev/refs/api/index.rst
index 70efc3e..727d9b4 100644
--- a/doc/appdev/refs/api/index.rst
+++ b/doc/appdev/refs/api/index.rst
@@ -253,6 +253,7 @@ Rarely used public interfaces
krb5_pac_sign_ext.rst
krb5_pac_verify.rst
krb5_pac_verify_ext.rst
+ krb5_pac_get_client_info.rst
krb5_prepend_error_message.rst
krb5_principal2salt.rst
krb5_rd_cred.rst
diff --git a/src/include/krb5/krb5.hin b/src/include/krb5/krb5.hin
index eed38fd..d486853 100644
--- a/src/include/krb5/krb5.hin
+++ b/src/include/krb5/krb5.hin
@@ -8338,6 +8338,28 @@ krb5_pac_sign_ext(krb5_context context, krb5_pac pac, krb5_timestamp authtime,
const krb5_keyblock *privsvr_key, krb5_boolean with_realm,
krb5_data *data);
+
+/*
+ * Read client information from a PAC.
+ *
+ * @param [in] context Library context
+ * @param [in] pac PAC handle
+ * @param [out] authtime_out Authentication timestamp (NULL if not needed)
+ * @param [out] princname_out Client account name
+ *
+ * Read the PAC_CLIENT_INFO buffer in @a pac. Place the client account name as
+ * a string in @a princname_out. If @a authtime_out is not NULL, place the
+ * initial authentication timestamp in @a authtime_out.
+ *
+ * @retval 0 on success, ENOENT if no PAC_CLIENT_INFO buffer is present in @a
+ * pac, ERANGE if the buffer contains invalid lengths.
+ *
+ * @version New in 1.18
+ */
+krb5_error_code KRB5_CALLCONV
+krb5_pac_get_client_info(krb5_context context, const krb5_pac pac,
+ krb5_timestamp *authtime_out, char **princname_out);
+
/**
* Allow the appplication to override the profile's allow_weak_crypto setting.
*
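Review bot: The new comment block at the `+/*` line opens with `/*` rather than `/**`, so Doxygen will not attach it to krb5_pac_get_client_info, and the `krb5_pac_get_client_info.rst` page that this commit adds to index.rst will have nothing to be generated from; the neighbouring comment below uses `/**`, and this one should too. The contract is also silent on two points a caller needs: who releases `princname_out` and with which function (the library convention for a caller-owned string; the existing k5_pac_validate_client presumably frees it beyond the pac.c hunk), and that the name is read straight out of the PAC_CLIENT_INFO buffer without regard to whether the PAC's signatures have been checked. A sentence such as `The caller must free princname_out; the returned name is only trustworthy if the PAC was first verified with krb5_pac_verify().` would close both gaps.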
diff --git a/src/lib/krb5/krb/pac.c b/src/lib/krb5/krb/pac.c
index 5efc91e..950beda 100644
--- a/src/lib/krb5/krb/pac.c
+++ b/src/lib/krb5/krb/pac.c
@@ -399,21 +399,23 @@ k5_seconds_since_1970_to_time(krb5_timestamp elapsedSeconds, uint64_t *ntTime)
return 0;
}
-krb5_error_code
-k5_pac_validate_client(krb5_context context,
- const krb5_pac pac,
- krb5_timestamp authtime,
- krb5_const_principal principal,
- krb5_boolean with_realm)
+krb5_error_code KRB5_CALLCONV
+krb5_pac_get_client_info(krb5_context context,
+ const krb5_pac pac,
+ krb5_timestamp *authtime_out,
+ char **princname_out)
{
krb5_error_code ret;
krb5_data client_info;
- char *pac_princname, *princname;
+ char *pac_princname;
unsigned char *p;
krb5_timestamp pac_authtime;
krb5_ui_2 pac_princname_length;
int64_t pac_nt_authtime;
- int flags = 0;
+
+ if (authtime_out != NULL)
+ *authtime_out = 0;
+ *princname_out = NULL;
ret = k5_pac_locate_buffer(context, pac, KRB5_PAC_CLIENT_INFO,
&client_info);
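Review bot: `*princname_out = NULL;` dereferences the out-parameter unconditionally, while `authtime_out` is NULL-tolerant two lines above, so the asymmetry is deliberate and worth a comment; nothing in pac.c or the header says that `princname_out` is mandatory. The function also goes straight to k5_pac_locate_buffer and, as far as the hunk shows, never consults whether the PAC has been verified, so the trust decision sits entirely with the caller (KDB plugins, per the commit message). A short comment above the initialisation, `/* Outputs are reset first so every error return leaves them defined; princname_out is mandatory and the caller frees it. */`, and one noting that the name is only meaningful for a PAC that has already been verified, would make that boundary explicit. The parsing between this hunk and the next, and the rest of the function body, are outside the visible hunk.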
@@ -441,6 +443,30 @@ k5_pac_validate_client(krb5_context context,
if (ret != 0)
return ret;
+ if (authtime_out != NULL)
+ *authtime_out = pac_authtime;
+ *princname_out = pac_princname;
+
+ return 0;
+}
+
+krb5_error_code
+k5_pac_validate_client(krb5_context context,
+ const krb5_pac pac,
+ krb5_timestamp authtime,
+ krb5_const_principal principal,
+ krb5_boolean with_realm)
+{
+ krb5_error_code ret;
+ char *pac_princname, *princname;
+ krb5_timestamp pac_authtime;
+ int flags = 0;
+
+ ret = krb5_pac_get_client_info(context, pac, &pac_authtime,
+ &pac_princname);
+ if (ret != 0)
+ return ret;
+
flags = KRB5_PRINCIPAL_UNPARSE_DISPLAY;
if (!with_realm)
flags |= KRB5_PRINCIPAL_UNPARSE_NO_REALM;
diff --git a/src/lib/krb5/libkrb5.exports b/src/lib/krb5/libkrb5.exports
index f036b1a..55e2635 100644
--- a/src/lib/krb5/libkrb5.exports
+++ b/src/lib/krb5/libkrb5.exports
@@ -498,6 +498,7 @@ krb5_pac_sign
krb5_pac_sign_ext
krb5_pac_verify
krb5_pac_verify_ext
+krb5_pac_get_client_info
krb5_parse_name
krb5_parse_name_flags
krb5_prepend_error_message
diff --git a/src/lib/krb5_32.def b/src/lib/krb5_32.def
index 67ac1d3..c327ceb 100644
--- a/src/lib/krb5_32.def
+++ b/src/lib/krb5_32.def
@@ -488,3 +488,4 @@ EXPORTS
; new in 1.18
krb5int_c_deprecated_enctype @450 ; PRIVATE
+ krb5_pac_get_client_info @451