author | Isaac Boukris <iboukris@gmail.com> | 2019-08-03 21:57:14 +0000 |
committer | Greg Hudson <ghudson@mit.edu> | 2019-09-09 00:04:42 -0400 |
commit | 86ba26248dfbbed13cd753dd79e5f45a9a01defc (patch) | |
tree | 7c0c6e21d4194e009880a35d623118e39cfda3ca | |
parent | e131d339b81a22bfc91ab96990c3be9e7779200e (diff) | |
Add KDC support functions for PA-PAC-OPTIONS
Add helper functions kdc_get_pa_pac_options() and
kdc_add_pa_pac_options(), to retrieve PA-PAC-OPTIONS values from
request padata and to set a PA-PAC-OPTIONS value in encrypted padata.
Don't actually call kdc_add_pa_pac_options() yet.
[ghudson@mit.edu: rewrote commit message; minor style edits]
ticket: 8479
-rw-r--r-- | src/kdc/kdc_util.c | 48 | ||||
-rw-r--r-- | src/kdc/kdc_util.h | 8 |
2 files changed, 56 insertions, 0 deletions
diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c
index db5a9ed..95b3a3c 100644
--- a/src/kdc/kdc_util.c
+++ b/src/kdc/kdc_util.c
@@ -1900,6 +1900,54 @@ cleanup:
 return retval;
 }
 
+krb5_error_code
+kdc_get_pa_pac_options(krb5_context context, krb5_pa_data **in_padata,
+ krb5_pa_pac_options **pac_options_out)
+{
+ krb5_pa_data *pa;
+ krb5_data der_pac_options;
+
+ *pac_options_out = NULL;
+
+ pa = krb5int_find_pa_data(context, in_padata, KRB5_PADATA_PAC_OPTIONS);
+ if (pa == NULL)
+ return 0;
+
+ der_pac_options = make_data(pa->contents, pa->length);
+ return decode_krb5_pa_pac_options(&der_pac_options, pac_options_out);
+}
+
+krb5_error_code
+kdc_add_pa_pac_options(krb5_context context, krb5_kdc_req *request,
+ krb5_pa_data ***out_enc_padata)
+{
+ krb5_error_code ret;
+ krb5_pa_pac_options *pac_options = NULL;
+ krb5_data *der_pac_options;
+
+ ret = kdc_get_pa_pac_options(context, request->padata, &pac_options);
+ if (ret || pac_options == NULL)
+ return ret;
+
+ /* Only return supported PAC options (currently only resource-based
+ * constrained delegation support). */
+ pac_options->options &= KRB5_PA_PAC_OPTIONS_RBCD;
+ if (pac_options->options == 0) {
+ free(pac_options);
+ return 0;
+ }
+
+ ret = encode_krb5_pa_pac_options(pac_options, &der_pac_options);
+ free(pac_options);
+ if (ret)
+ return ret;
+
+ ret = k5_add_pa_data_from_data(out_enc_padata, KRB5_PADATA_PAC_OPTIONS,
+ der_pac_options);
+ krb5_free_data(context, der_pac_options);
+ return ret;
+}
+
 /*
 * Although the KDC doesn't call this function directly,
 * process_tcp_connection_read() in net-server.c does call it.
diff --git a/src/kdc/kdc_util.h b/src/kdc/kdc_util.h
index 8583a91..2d20439 100644
--- a/src/kdc/kdc_util.h
+++ b/src/kdc/kdc_util.h
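Review bot: Neither new function carries a header comment, and the contract of `kdc_get_pa_pac_options` is easy to misread: `*pac_options_out` is cleared before the lookup, stays NULL when the padata is absent (the `return 0` after `krb5int_find_pa_data`), and on success the caller owns the decoded struct and releases it with `free()`, as `kdc_add_pa_pac_options` does on each of its paths. A comment above it such as `/* Decode the PA-PAC-OPTIONS padata in in_padata into *pac_options_out (caller frees), or set it to NULL if none is present. */` would pin that down. The `pac_options->options &= KRB5_PA_PAC_OPTIONS_RBCD;` line is the security-relevant step — it clamps client-supplied bits to what the KDC implements so that no unsupported option is echoed back in the encrypted padata — and the existing comment should say so, e.g. append `Bits the client requested that this KDC does not implement are dropped rather than echoed.` A decode failure of the client's PA-PAC-OPTIONS propagates as the return value of both functions; whether the eventual caller should fail the request or treat malformed padata as absent is not decided here (the commit message says the function is not called yet), so that choice should be documented where it is wired in.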
@@ -413,6 +413,14 @@ kdc_fast_make_cookie(krb5_context context, struct kdc_request_state *state,
 krb5_const_principal client_princ, krb5_pa_data **cookie_out);
 
+krb5_error_code
+kdc_add_pa_pac_options(krb5_context context, krb5_kdc_req *request,
+ krb5_pa_data ***out_enc_padata);
+
+krb5_error_code
+kdc_get_pa_pac_options(krb5_context context, krb5_pa_data **in_padata,
+ krb5_pa_pac_options **pac_options_out);
+
 /* Information handle for kdcpreauth callbacks. All pointers are aliases. */
 struct krb5_kdcpreauth_rock_st {
 krb5_kdc_req *request;
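Review bot: The two new prototypes in kdc_util.h have no comment, so a reader of the header cannot tell that `*pac_options_out` may legitimately come back NULL, who frees it, or that `kdc_add_pa_pac_options` adds a padata only when the request carries an option the KDC supports. Suggest a comment above each, e.g. `/* Retrieve the client's PA-PAC-OPTIONS from in_padata; *pac_options_out is NULL if absent and must be freed by the caller. */` and `/* Add a PA-PAC-OPTIONS padata to *out_enc_padata advertising the requested options this KDC supports; adds nothing if none are supported. */`. The behaviour described rests on the kdc_util.c hunk of this same commit, not on anything visible in the header hunk, so it should be kept in step if that implementation changes.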