Add API to get client account name from PAC
authorIsaac Boukris <iboukris@gmail.com>
Wed, 7 Aug 2019 19:39:10 +0000 (19:39 +0000)
committerGreg Hudson <ghudson@mit.edu>
Mon, 9 Sep 2019 13:56:50 +0000 (09:56 -0400)
Add a krb5_pac_get_client_info() API to interpret the PAC_CLIENT_INFO
buffer of a PAC.  This API is needed by KDB plugin modules to set the
reply client for cross-realm RBCD requests.

[ghudson@mit.edu: added doxygen comment; clarified commit message]

ticket: 8828 (new)

doc/appdev/refs/api/index.rst
src/include/krb5/krb5.hin
src/lib/krb5/krb/pac.c
src/lib/krb5/libkrb5.exports
src/lib/krb5_32.def

index 70efc3eed251904511bee8c760d870ac642bcc01..727d9b492ca7286038f9d492457579db7585b5e4 100644 (file)
@@ -253,6 +253,7 @@ Rarely used public interfaces
    krb5_pac_sign_ext.rst
    krb5_pac_verify.rst
    krb5_pac_verify_ext.rst
+   krb5_pac_get_client_info.rst
    krb5_prepend_error_message.rst
    krb5_principal2salt.rst
    krb5_rd_cred.rst
index eed38fd7ea28b24f53f695d5c8994596e00134a4..d4868535779938328485fb3f8fe187417fdcca40 100644 (file)
@@ -8338,6 +8338,28 @@ krb5_pac_sign_ext(krb5_context context, krb5_pac pac, krb5_timestamp authtime,
                   const krb5_keyblock *privsvr_key, krb5_boolean with_realm,
                   krb5_data *data);
 
+
+/*
+ * Read client information from a PAC.
+ *
+ * @param [in]  context         Library context
+ * @param [in]  pac             PAC handle
+ * @param [out] authtime_out    Authentication timestamp (NULL if not needed)
+ * @param [out] princname_out   Client account name
+ *
+ * Read the PAC_CLIENT_INFO buffer in @a pac.  Place the client account name as
+ * a string in @a princname_out.  If @a authtime_out is not NULL, place the
+ * initial authentication timestamp in @a authtime_out.
+ *
+ * @retval 0 on success, ENOENT if no PAC_CLIENT_INFO buffer is present in @a
+ * pac, ERANGE if the buffer contains invalid lengths.
+ *
+ * @version New in 1.18
+ */
+krb5_error_code KRB5_CALLCONV
+krb5_pac_get_client_info(krb5_context context, const krb5_pac pac,
+                         krb5_timestamp *authtime_out, char **princname_out);
+
 /**
  * Allow the appplication to override the profile's allow_weak_crypto setting.
  *
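Review bot: The new comment block opens with `/*` instead of `/**`, so doxygen will not pick it up and the `@param`, `@retval` and `@version` tags it carries are silently ignored, unlike the adjacent `/**` block documenting the allow_weak_crypto override; change that opening line to `/**`. The comment also leaves ownership of the returned name unstated: add a sentence such as `Use krb5_free_string() to free @a princname_out.` after the description so callers know the string is theirs to release. Since the implementation in pac.c clears `*princname_out` to NULL on entry, it is worth stating that `princname_out` is set to NULL on failure, which lets callers free it unconditionally on every path.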
index 5efc91eeb4838bc576114f79a5f7338b7b051b85..950beda6571912391b8081dcd4e8ff8cee9e3b63 100644 (file)
@@ -399,21 +399,23 @@ k5_seconds_since_1970_to_time(krb5_timestamp elapsedSeconds, uint64_t *ntTime)
     return 0;
 }
 
-krb5_error_code
-k5_pac_validate_client(krb5_context context,
-                       const krb5_pac pac,
-                       krb5_timestamp authtime,
-                       krb5_const_principal principal,
-                       krb5_boolean with_realm)
+krb5_error_code KRB5_CALLCONV
+krb5_pac_get_client_info(krb5_context context,
+                         const krb5_pac pac,
+                         krb5_timestamp *authtime_out,
+                         char **princname_out)
 {
     krb5_error_code ret;
     krb5_data client_info;
-    char *pac_princname, *princname;
+    char *pac_princname;
     unsigned char *p;
     krb5_timestamp pac_authtime;
     krb5_ui_2 pac_princname_length;
     int64_t pac_nt_authtime;
-    int flags = 0;
+
+    if (authtime_out != NULL)
+        *authtime_out = 0;
+    *princname_out = NULL;
 
     ret = k5_pac_locate_buffer(context, pac, KRB5_PAC_CLIENT_INFO,
                                &client_info);
@@ -441,6 +443,30 @@ k5_pac_validate_client(krb5_context context,
     if (ret != 0)
         return ret;
 
+    if (authtime_out != NULL)
+        *authtime_out = pac_authtime;
+    *princname_out = pac_princname;
+
+    return 0;
+}
+
+krb5_error_code
+k5_pac_validate_client(krb5_context context,
+                       const krb5_pac pac,
+                       krb5_timestamp authtime,
+                       krb5_const_principal principal,
+                       krb5_boolean with_realm)
+{
+    krb5_error_code ret;
+    char *pac_princname, *princname;
+    krb5_timestamp pac_authtime;
+    int flags = 0;
+
+    ret = krb5_pac_get_client_info(context, pac, &pac_authtime,
+                                   &pac_princname);
+    if (ret != 0)
+        return ret;
+
     flags = KRB5_PRINCIPAL_UNPARSE_DISPLAY;
     if (!with_realm)
         flags |= KRB5_PRINCIPAL_UNPARSE_NO_REALM;
index f036b1a611fec8c2a9b2e8c6eb0725defff2ab38..55e2635454d0e216a236a6340c4210c4b6d32bef 100644 (file)
@@ -498,6 +498,7 @@ krb5_pac_sign
 krb5_pac_sign_ext
 krb5_pac_verify
 krb5_pac_verify_ext
+krb5_pac_get_client_info
 krb5_parse_name
 krb5_parse_name_flags
 krb5_prepend_error_message
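Review bot: `krb5_pac_get_client_info` is added after `krb5_pac_verify_ext`, which breaks the alphabetical order the surrounding entries keep (`krb5_pac_sign`, `krb5_pac_sign_ext`, `krb5_pac_verify`, `krb5_pac_verify_ext`, `krb5_parse_name`, ...); it sorts ahead of `krb5_pac_sign`, so move it up to its sorted slot (the exact position depends on entries above the hunk). The same out-of-order placement is repeated in doc/appdev/refs/api/index.rst.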
index 67ac1d365393eca1121058c09d511bb4f3285f1c..c327ceb153718b67d9ff37f37c471107c12d4ba3 100644 (file)
@@ -488,3 +488,4 @@ EXPORTS
 
 ; new in 1.18
        krb5int_c_deprecated_enctype                    @450 ; PRIVATE
+       krb5_pac_get_client_info                        @451