Add KDC support functions for PA-PAC-OPTIONS

Add helper functions kdc_get_pa_pac_options() and
kdc_add_pa_pac_options(), to retrieve PA-PAC-OPTIONS values from
request padata and to set a PA-PAC-OPTIONS value in encrypted padata.
Don't actually call kdc_add_pa_pac_options() yet.

[ghudson@mit.edu: rewrote commit message; minor style edits]

ticket: 8479

diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c
index db5a9edecb995315bf671296149d65ba0a82df93..95b3a3c6ec6391d2fe6175f5b801184d84555a78 100644 (file)
--- a/src/kdc/kdc_util.c
+++ b/src/kdc/kdc_util.c
@@ -1900,6 +1900,54 @@ cleanup:
     return retval;
 }
 
+krb5_error_code
+kdc_get_pa_pac_options(krb5_context context, krb5_pa_data **in_padata,
+                       krb5_pa_pac_options **pac_options_out)
+{
+    krb5_pa_data *pa;
+    krb5_data der_pac_options;
+
+    *pac_options_out = NULL;
+
+    pa = krb5int_find_pa_data(context, in_padata, KRB5_PADATA_PAC_OPTIONS);
+    if (pa == NULL)
+        return 0;
+
+    der_pac_options = make_data(pa->contents, pa->length);
+    return decode_krb5_pa_pac_options(&der_pac_options, pac_options_out);
+}
+
+krb5_error_code
+kdc_add_pa_pac_options(krb5_context context, krb5_kdc_req *request,
+                       krb5_pa_data ***out_enc_padata)
+{
+    krb5_error_code ret;
+    krb5_pa_pac_options *pac_options = NULL;
+    krb5_data *der_pac_options;
+
+    ret = kdc_get_pa_pac_options(context, request->padata, &pac_options);
+    if (ret || pac_options == NULL)
+        return ret;
+
+    /* Only return supported PAC options (currently only resource-based
+     * constrained delegation support). */
+    pac_options->options &= KRB5_PA_PAC_OPTIONS_RBCD;
+    if (pac_options->options == 0) {
+        free(pac_options);
+        return 0;
+    }
+
+    ret = encode_krb5_pa_pac_options(pac_options, &der_pac_options);
+    free(pac_options);
+    if (ret)
+        return ret;
+
+    ret = k5_add_pa_data_from_data(out_enc_padata, KRB5_PADATA_PAC_OPTIONS,
+                                   der_pac_options);
+    krb5_free_data(context, der_pac_options);
+    return ret;
+}
+
 /*
  * Although the KDC doesn't call this function directly,
  * process_tcp_connection_read() in net-server.c does call it.

diff --git a/src/kdc/kdc_util.h b/src/kdc/kdc_util.h
index 8583a91aca91713d437461b8643fa1ce8c5a9aed..2d20439ac6d8fc084406bfac5cd6914e0fb7aafc 100644 (file)
--- a/src/kdc/kdc_util.h
+++ b/src/kdc/kdc_util.h
@@ -413,6 +413,14 @@ kdc_fast_make_cookie(krb5_context context, struct kdc_request_state *state,
                      krb5_const_principal client_princ,
                      krb5_pa_data **cookie_out);
 
+krb5_error_code
+kdc_add_pa_pac_options(krb5_context context, krb5_kdc_req *request,
+                       krb5_pa_data ***out_enc_padata);
+
+krb5_error_code
+kdc_get_pa_pac_options(krb5_context context, krb5_pa_data **in_padata,
+                       krb5_pa_pac_options **pac_options_out);
+
 /* Information handle for kdcpreauth callbacks.  All pointers are aliases. */
 struct krb5_kdcpreauth_rock_st {
     krb5_kdc_req *request;