krb5_get_init_creds_opt_set_in_ccache.rst
krb5_get_init_creds_opt_set_out_ccache.rst
krb5_get_init_creds_opt_set_pa.rst
+ krb5_get_init_creds_opt_set_pac_request.rst
krb5_get_init_creds_opt_set_preauth_list.rst
krb5_get_init_creds_opt_set_proxiable.rst
krb5_get_init_creds_opt_set_renew_life.rst
krb5_get_init_creds_opt *opt,
krb5_ccache ccache);
+/**
+ * @brief Ask the KDC to include or not include a PAC in the ticket
+ *
+ * @param [in] context Library context
+ * @param [in] opt Options structure
+ * @param [in] req_pac Whether to request a PAC or not
+ *
+ * If this option is set, the AS request will include a PAC-REQUEST pa-data
+ * item explicitly asking the KDC to either include or not include a privilege
+ * attribute certificate in the ticket authorization data. By default, no
+ * request is made; typically the KDC will default to including a PAC if it
+ * supports them.
+ *
+ * @version New in 1.15
+ */
+krb5_error_code KRB5_CALLCONV
+krb5_get_init_creds_opt_set_pac_request(krb5_context context,
+ krb5_get_init_creds_opt *opt,
+ krb5_boolean req_pac);
+
/**
* Set FAST flags in initial credential options.
*
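Review bot: The new doxygen block for krb5_get_init_creds_opt_set_pac_request documents the parameters but not the return value, although the implementation in gic_opt.c returns EINVAL when opt is NULL or lacks the extended-options flag; add `@retval 0 Success` and `@retval EINVAL @a opt is NULL or is not an extended options structure` after the @param lines. It would also help callers to state that the stored value is normalized to a boolean and that, at least within this change, there is no API to return the option to its unset state once this function has been called.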
MAKE_ENCODER(encode_krb5_s4u_userid, s4u_userid);
MAKE_ENCODER(encode_krb5_pa_s4u_x509_user, pa_s4u_x509_user);
MAKE_DECODER(decode_krb5_pa_s4u_x509_user, pa_s4u_x509_user);
+MAKE_ENCODER(encode_krb5_pa_pac_req, pa_pac_req);
MAKE_DECODER(decode_krb5_pa_pac_req, pa_pac_req);
MAKE_ENCODER(encode_krb5_etype_list, etype_list);
MAKE_DECODER(decode_krb5_etype_list, etype_list);
return code;
}
+/* Add a KERB-PA-PAC-REQUEST pa-data item if the gic options require one. */
+static krb5_error_code
+maybe_add_pac_request(krb5_context context, krb5_init_creds_context ctx)
+{
+ krb5_error_code code;
+ krb5_pa_pac_req pac_req;
+ krb5_data *encoded;
+ int val;
+
+ val = k5_gic_opt_pac_request(ctx->opt);
+ if (val == -1)
+ return 0;
+
+ pac_req.include_pac = val;
+ code = encode_krb5_pa_pac_req(&pac_req, &encoded);
+ if (code)
+ return code;
+ code = add_padata(&ctx->request->padata, KRB5_PADATA_PAC_REQUEST,
+ encoded->data, encoded->length);
+ krb5_free_data(context, encoded);
+ return code;
+}
+
static krb5_error_code
init_creds_step_request(krb5_context context,
krb5_init_creds_context ctx,
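Review bot: maybe_add_pac_request frees `encoded` immediately after passing `encoded->data` to add_padata, so correctness depends on add_padata copying the bytes rather than retaining the pointer; add_padata is defined outside this hunk, so that should be confirmed, and a one-line comment such as `/* add_padata copies the bytes; encoded is freed here on every path. */` above the krb5_free_data call would make the ownership explicit. The early `return 0` when k5_gic_opt_pac_request yields -1 also covers the case where ctx->opt is NULL or non-extended, which is the intended "no request" path but is worth a word in the function comment.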
}
if (code)
goto cleanup;
+
+ code = maybe_add_pac_request(context, ctx);
+ if (code)
+ goto cleanup;
+
code = krb5int_fast_prep_req(context, ctx->fast_state,
ctx->request, ctx->outer_request_body,
encode_krb5_as_req,
void *expire_data;
krb5_responder_fn responder;
void *responder_data;
+ int pac_request; /* -1 unset, 0 false, 1 true */
};
#if TARGET_OS_MAC
#pragma pack(pop)
if (opte == NULL)
return ENOMEM;
opte->opt.flags = DEFAULT_FLAGS | GIC_OPT_EXTENDED;
+ opte->pac_request = -1;
*opt = (krb5_get_init_creds_opt *)opte;
return 0;
}
opte->opt.flags |= GIC_OPT_SHALLOW_COPY;
return (krb5_get_init_creds_opt *)opte;
}
+
+krb5_error_code KRB5_CALLCONV
+krb5_get_init_creds_opt_set_pac_request(krb5_context context,
+ krb5_get_init_creds_opt *opt,
+ krb5_boolean req_pac)
+{
+ struct extended_options *opte = (struct extended_options *)opt;
+
+ if (opt == NULL || !(opt->flags & GIC_OPT_EXTENDED))
+ return EINVAL;
+ opte->pac_request = !!req_pac;
+ return 0;
+}
+
+int
+k5_gic_opt_pac_request(krb5_get_init_creds_opt *opt)
+{
+ struct extended_options *opte = (struct extended_options *)opt;
+
+ if (opt == NULL || !(opt->flags & GIC_OPT_EXTENDED))
+ return -1;
+ return opte->pac_request;
+}
krb5_get_init_creds_opt *
k5_gic_opt_shallow_copy(krb5_get_init_creds_opt *opt);
+/* Return -1 if no PAC request option was specified, or the option value as a
+ * boolean (0 or 1). */
+int
+k5_gic_opt_pac_request(krb5_get_init_creds_opt *opt);
+
#endif /* KRB5_INT_FUNC_PROTO__ */
krb5_get_init_creds_opt_set_in_ccache
krb5_get_init_creds_opt_set_out_ccache
krb5_get_init_creds_opt_set_pa
+krb5_get_init_creds_opt_set_pac_request
krb5_get_init_creds_opt_set_preauth_list
krb5_get_init_creds_opt_set_proxiable
krb5_get_init_creds_opt_set_renew_life
; new in 1.15
krb5_set_kdc_send_hook @433
krb5_set_kdc_recv_hook @434
+ krb5_get_init_creds_opt_set_pac_request @435