From: Andreas Schneider
Date: Tue, 1 Dec 2015 17:42:03 +0000 (+0100)
Subject: Add krb5_get_init_creds_opt_set_pac_request()
X-Git-Tag: krb5-1.15-beta1~211
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=8fc32c0d8d6887ad628382f0b90439bfce82fb73;p=thirdparty%2Fkrb5.git

Add krb5_get_init_creds_opt_set_pac_request()

Add a new public function to set a PAC request option for an AS request.

[ghudson@mit.edu: simplified code; made signature conform to Heimdal function; expanded on doxygen comment; added new function to API reference; changed code to send encoded KERB-PA-PAC-REQUEST instead of a single octet]

ticket: 7985
---
diff --git a/doc/appdev/refs/api/index.rst b/doc/appdev/refs/api/index.rst
index e97cbca633..55acaf0e6a 100644
--- a/doc/appdev/refs/api/index.rst
+++ b/doc/appdev/refs/api/index.rst
@@ -50,6 +50,7 @@ Frequently used public interfaces
 krb5_get_init_creds_opt_set_in_ccache.rst
 krb5_get_init_creds_opt_set_out_ccache.rst
 krb5_get_init_creds_opt_set_pa.rst
+ krb5_get_init_creds_opt_set_pac_request.rst
 krb5_get_init_creds_opt_set_preauth_list.rst
 krb5_get_init_creds_opt_set_proxiable.rst
 krb5_get_init_creds_opt_set_renew_life.rst
diff --git a/src/include/krb5/krb5.hin b/src/include/krb5/krb5.hin
index f52a9ea90c..a1bf849668 100644
--- a/src/include/krb5/krb5.hin
+++ b/src/include/krb5/krb5.hin
@@ -7099,6 +7099,26 @@ krb5_get_init_creds_opt_set_out_ccache(krb5_context context,
 krb5_get_init_creds_opt *opt,
 krb5_ccache ccache);

+/**
+ * @brief Ask the KDC to include or not include a PAC in the ticket
+ *
+ * @param [in] context Library context
+ * @param [in] opt Options structure
+ * @param [in] req_pac Whether to request a PAC or not
+ *
+ * If this option is set, the AS request will include a PAC-REQUEST pa-data
+ * item explicitly asking the KDC to either include or not include a privilege
+ * attribute certificate in the ticket authorization data. By default, no
+ * request is made; typically the KDC will default to including a PAC if it
+ * supports them.
+ *
+ * @version New in 1.15
+ */
+krb5_error_code KRB5_CALLCONV
+krb5_get_init_creds_opt_set_pac_request(krb5_context context,
+ krb5_get_init_creds_opt *opt,
+ krb5_boolean req_pac);
+
 /**
 * Set FAST flags in initial credential options.
 *
diff --git a/src/lib/krb5/asn.1/asn1_k_encode.c b/src/lib/krb5/asn.1/asn1_k_encode.c
index b2d2675778..a827ca6083 100644
--- a/src/lib/krb5/asn.1/asn1_k_encode.c
+++ b/src/lib/krb5/asn.1/asn1_k_encode.c
@@ -1318,6 +1318,7 @@ MAKE_DECODER(decode_krb5_pa_for_user, pa_for_user);
 MAKE_ENCODER(encode_krb5_s4u_userid, s4u_userid);
 MAKE_ENCODER(encode_krb5_pa_s4u_x509_user, pa_s4u_x509_user);
 MAKE_DECODER(decode_krb5_pa_s4u_x509_user, pa_s4u_x509_user);
+MAKE_ENCODER(encode_krb5_pa_pac_req, pa_pac_req);
 MAKE_DECODER(decode_krb5_pa_pac_req, pa_pac_req);
 MAKE_ENCODER(encode_krb5_etype_list, etype_list);
 MAKE_DECODER(decode_krb5_etype_list, etype_list);
diff --git a/src/lib/krb5/krb/get_in_tkt.c b/src/lib/krb5/krb/get_in_tkt.c
index 6ddfa4ca9a..37f29ccffa 100644
--- a/src/lib/krb5/krb/get_in_tkt.c
+++ b/src/lib/krb5/krb/get_in_tkt.c
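Review bot: The doxygen comment on krb5_get_init_creds_opt_set_pac_request leaves out two contract details a caller needs: there is no way back to the default once the function has been called, and the call fails on a non-extended options structure. The gic_opt.c hunk stores only 0 or 1 via `!!req_pac`, and only krb5_get_init_creds_opt_alloc writes the unset value -1, so a caller that wants the default again must allocate a new options structure; the same hunk returns EINVAL when `opt->flags` lacks GIC_OPT_EXTENDED. I would add `Once set, the option cannot be cleared; allocate a new options structure to return to the default.` to the description and `@retval EINVAL if @a opt was not allocated with krb5_get_init_creds_opt_alloc()` after the parameter list.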
@@ -1197,6 +1197,29 @@ save_cc_config_out_data(krb5_context context, krb5_ccache ccache,
 return code;
 }

+/* Add a KERB-PA-PAC-REQUEST pa-data item if the gic options require one. */
+static krb5_error_code
+maybe_add_pac_request(krb5_context context, krb5_init_creds_context ctx)
+{
+ krb5_error_code code;
+ krb5_pa_pac_req pac_req;
+ krb5_data *encoded;
+ int val;
+
+ val = k5_gic_opt_pac_request(ctx->opt);
+ if (val == -1)
+ return 0;
+
+ pac_req.include_pac = val;
+ code = encode_krb5_pa_pac_req(&pac_req, &encoded);
+ if (code)
+ return code;
+ code = add_padata(&ctx->request->padata, KRB5_PADATA_PAC_REQUEST,
+ encoded->data, encoded->length);
+ krb5_free_data(context, encoded);
+ return code;
+}
+
 static krb5_error_code
 init_creds_step_request(krb5_context context,
 krb5_init_creds_context ctx,
@@ -1280,6 +1303,11 @@ init_creds_step_request(krb5_context context,
 }
 if (code)
 goto cleanup;
+
+ code = maybe_add_pac_request(context, ctx);
+ if (code)
+ goto cleanup;
+
 code = krb5int_fast_prep_req(context, ctx->fast_state,
 ctx->request, ctx->outer_request_body,
 encode_krb5_as_req,
diff --git a/src/lib/krb5/krb/gic_opt.c b/src/lib/krb5/krb/gic_opt.c
index d4b8918aa9..3be44d5cd7 100644
--- a/src/lib/krb5/krb/gic_opt.c
+++ b/src/lib/krb5/krb/gic_opt.c
@@ -28,6 +28,7 @@ struct extended_options {
 void *expire_data;
 krb5_responder_fn responder;
 void *responder_data;
+ int pac_request; /* -1 unset, 0 false, 1 true */
 };
 #if TARGET_OS_MAC
 #pragma pack(pop)
@@ -148,6 +149,7 @@ krb5_get_init_creds_opt_alloc(krb5_context context,
 if (opte == NULL)
 return ENOMEM;
 opte->opt.flags = DEFAULT_FLAGS | GIC_OPT_EXTENDED;
+ opte->pac_request = -1;
 *opt = (krb5_get_init_creds_opt *)opte;
 return 0;
 }
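Review bot: maybe_add_pac_request frees `encoded` with krb5_free_data right after handing `encoded->data` to add_padata, so the new pa-data element is only valid if add_padata copies the buffer; add_padata's definition lies outside the hunk, so please confirm it copies rather than keeping the pointer. Because that dependency is invisible at the call site, I would record it with `/* add_padata copies the encoding, so it is safe to free here. */` above the krb5_free_data line once confirmed.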
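Review bot: In the second get_in_tkt.c hunk, maybe_add_pac_request runs on every pass through init_creds_step_request, which is executed once per round trip with the KDC, and it appends to `ctx->request->padata` without checking whether a KERB-PA-PAC-REQUEST element is already present. Unless the pa-data list is freed and rebuilt earlier in the function (that part is outside the hunk), each preauthentication retry would carry one more copy of the element. Please confirm the list is reset at the start of each step, or otherwise skip the call when an element of type KRB5_PADATA_PAC_REQUEST is already in the list. init_creds_step_request starts and ends outside the hunk.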
@@ -473,3 +475,26 @@ k5_gic_opt_shallow_copy(krb5_get_init_creds_opt *opt)
 opte->opt.flags |= GIC_OPT_SHALLOW_COPY;
 return (krb5_get_init_creds_opt *)opte;
 }
+
+krb5_error_code KRB5_CALLCONV
+krb5_get_init_creds_opt_set_pac_request(krb5_context context,
+ krb5_get_init_creds_opt *opt,
+ krb5_boolean req_pac)
+{
+ struct extended_options *opte = (struct extended_options *)opt;
+
+ if (opt == NULL || !(opt->flags & GIC_OPT_EXTENDED))
+ return EINVAL;
+ opte->pac_request = !!req_pac;
+ return 0;
+}
+
+int
+k5_gic_opt_pac_request(krb5_get_init_creds_opt *opt)
+{
+ struct extended_options *opte = (struct extended_options *)opt;
+
+ if (opt == NULL || !(opt->flags & GIC_OPT_EXTENDED))
+ return -1;
+ return opte->pac_request;
+}
diff --git a/src/lib/krb5/krb/int-proto.h b/src/lib/krb5/krb/int-proto.h
index 5739f8334a..6da74858e2 100644
--- a/src/lib/krb5/krb/int-proto.h
+++ b/src/lib/krb5/krb/int-proto.h
@@ -322,4 +322,9 @@ k5_gic_opt_get_responder(krb5_get_init_creds_opt *opt,
 krb5_get_init_creds_opt *
 k5_gic_opt_shallow_copy(krb5_get_init_creds_opt *opt);

+/* Return -1 if no PAC request option was specified, or the option value as a
+ * boolean (0 or 1). */
+int
+k5_gic_opt_pac_request(krb5_get_init_creds_opt *opt);
+
 #endif /* KRB5_INT_FUNC_PROTO__ */
diff --git a/src/lib/krb5/libkrb5.exports b/src/lib/krb5/libkrb5.exports
index ea6982d026..eeb1146165 100644
--- a/src/lib/krb5/libkrb5.exports
+++ b/src/lib/krb5/libkrb5.exports
@@ -388,6 +388,7 @@ krb5_get_init_creds_opt_set_forwardable
 krb5_get_init_creds_opt_set_in_ccache
 krb5_get_init_creds_opt_set_out_ccache
 krb5_get_init_creds_opt_set_pa
+krb5_get_init_creds_opt_set_pac_request
 krb5_get_init_creds_opt_set_preauth_list
 krb5_get_init_creds_opt_set_proxiable
 krb5_get_init_creds_opt_set_renew_life
diff --git a/src/lib/krb5_32.def b/src/lib/krb5_32.def
index 8d58ea1d96..79a24d1546 100644
--- a/src/lib/krb5_32.def
+++ b/src/lib/krb5_32.def
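Review bot: k5_gic_opt_pac_request trusts `opte->pac_request` on any structure that carries GIC_OPT_EXTENDED, and the context lines of this hunk show k5_gic_opt_shallow_copy returning such a structure; how that copy initializes pac_request when its source is a legacy non-extended options struct is outside the hunk. If the copy is zero-filled and still reports GIC_OPT_EXTENDED, a caller that never used the new API would send an explicit include_pac = 0 request instead of no request at all, which changes what the KDC puts in the ticket. Please check that k5_gic_opt_shallow_copy sets `opte->pac_request = -1` on that path, and extend the field comment in the first gic_opt.c hunk to say that every constructor of struct extended_options must initialize it to -1.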
@@ -467,3 +467,4 @@ EXPORTS
 ; new in 1.15
 krb5_set_kdc_send_hook @433
 krb5_set_kdc_recv_hook @434
+ krb5_get_init_creds_opt_set_pac_request @435