Diffstat (limited to 'src')
-rw-r--r--src/include/k5-int.h9
-rw-r--r--src/include/krb5/krb5.hin21
-rw-r--r--src/lib/krb5/krb/pac_sign.c10
-rw-r--r--src/lib/krb5/krb/t_pac.c18
-rw-r--r--src/lib/krb5/libkrb5.exports2
-rw-r--r--src/lib/krb5_32.def1
6 files changed, 35 insertions, 26 deletions
diff --git a/src/include/k5-int.h b/src/include/k5-int.h
index 1682a345b9..d2498a82c0 100644
--- a/src/include/k5-int.h
+++ b/src/include/k5-int.h
@@ -2786,15 +2786,6 @@ k5alloc(size_t len, krb5_error_code *code)
}
krb5_error_code KRB5_CALLCONV
-krb5int_pac_sign(krb5_context context,
- krb5_pac pac,
- krb5_timestamp authtime,
- krb5_const_principal principal,
- const krb5_keyblock *server_key,
- const krb5_keyblock *privsvr_key,
- krb5_data *data);
-
-krb5_error_code KRB5_CALLCONV
krb5_get_credentials_for_user(krb5_context context, krb5_flags options,
krb5_ccache ccache,
krb5_creds *in_creds,
diff --git a/src/include/krb5/krb5.hin b/src/include/krb5/krb5.hin
index 3d9dbbfb7e..33279774bd 100644
--- a/src/include/krb5/krb5.hin
+++ b/src/include/krb5/krb5.hin
@@ -7495,6 +7495,27 @@ krb5_pac_verify(krb5_context context, const krb5_pac pac,
const krb5_keyblock *server, const krb5_keyblock *privsvr);
/**
+ * Sign a PAC.
+ *
+ * @param [in] context Library context
+ * @param [in] pac PAC handle
+ * @param [in] authtime Expected timestamp
+ * @param [in] principal Expected principal name (or NULL)
+ * @param [in] server Key for server checksum
+ * @param [in] privsvr Key for KDC checksum
+ * @param [out] data Signed PAC encoding
+ *
+ * This function signs @a pac using the keys @a server and @a privsvr and
+ * returns the signed encoding in @a data. @a pac is modified to include the
+ * server and KDC checksum buffers. Use krb5_free_data_contents() to free @a
+ * data when it is no longer needed.
+ */
+krb5_error_code KRB5_CALLCONV
+krb5_pac_sign(krb5_context context, krb5_pac pac, krb5_timestamp authtime,
+ krb5_const_principal principal, const krb5_keyblock *server_key,
+ const krb5_keyblock *privsvr_key, krb5_data *data);
+
+/**
* Allow the appplication to override the profile's allow_weak_crypto setting.
*
* @param [in] context Library context
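Review bot: The new Doxygen block documents `server` and `privsvr`, but the prototype right below it declares `server_key` and `privsvr_key`, so the generated reference will not line up with the signature. Use `@param [in] server_key Key for server checksum` and `@param [in] privsvr_key Key for KDC checksum`, with the same names in the `@a` references in the description. `pac` is tagged `[in]` although the text says it is modified to include the checksum buffers, so `@param [in,out] pac` would be more accurate. Because this is now public API that produces signed authorization data, the comment should also state the return convention, e.g. `@retval 0 Success; otherwise - Kerberos error codes`, and whether `data` is left unset on failure, which this hunk does not show. The "Expected timestamp" and "Expected principal name" wording looks carried over from the verify function; for signing it should say what the function does with those values.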
diff --git a/src/lib/krb5/krb/pac_sign.c b/src/lib/krb5/krb/pac_sign.c
index ae11a0c024..26b1f133e6 100644
--- a/src/lib/krb5/krb/pac_sign.c
+++ b/src/lib/krb5/krb/pac_sign.c
@@ -180,13 +180,9 @@ k5_pac_encode_header(krb5_context context, krb5_pac pac)
}
krb5_error_code KRB5_CALLCONV
-krb5int_pac_sign(krb5_context context,
- krb5_pac pac,
- krb5_timestamp authtime,
- krb5_const_principal principal,
- const krb5_keyblock *server_key,
- const krb5_keyblock *privsvr_key,
- krb5_data *data)
+krb5_pac_sign(krb5_context context, krb5_pac pac, krb5_timestamp authtime,
+ krb5_const_principal principal, const krb5_keyblock *server_key,
+ const krb5_keyblock *privsvr_key, krb5_data *data)
{
krb5_error_code ret;
krb5_data server_cksum, privsvr_cksum;
diff --git a/src/lib/krb5/krb/t_pac.c b/src/lib/krb5/krb/t_pac.c
index 9e96b692e9..61fb51a98a 100644
--- a/src/lib/krb5/krb/t_pac.c
+++ b/src/lib/krb5/krb/t_pac.c
@@ -149,10 +149,10 @@ main(int argc, char **argv)
if (ret)
err(context, ret, "krb5_pac_verify");
- ret = krb5int_pac_sign(context, pac, authtime, p,
- &member_keyblock, &kdc_keyblock, &data);
+ ret = krb5_pac_sign(context, pac, authtime, p,
+ &member_keyblock, &kdc_keyblock, &data);
if (ret)
- err(context, ret, "krb5int_pac_sign");
+ err(context, ret, "krb5_pac_sign");
krb5_pac_free(context, pac);
@@ -204,10 +204,10 @@ main(int argc, char **argv)
}
free(list);
- ret = krb5int_pac_sign(context, pac2, authtime, p,
- &member_keyblock, &kdc_keyblock, &data);
+ ret = krb5_pac_sign(context, pac2, authtime, p,
+ &member_keyblock, &kdc_keyblock, &data);
if (ret)
- err(context, ret, "krb5int_pac_sign 4");
+ err(context, ret, "krb5_pac_sign 4");
krb5_pac_free(context, pac2);
@@ -283,10 +283,10 @@ main(int argc, char **argv)
krb5_free_data_contents(context, &data);
}
- ret = krb5int_pac_sign(context, pac, authtime, p,
- &member_keyblock, &kdc_keyblock, &data);
+ ret = krb5_pac_sign(context, pac, authtime, p,
+ &member_keyblock, &kdc_keyblock, &data);
if (ret)
- err(context, ret, "krb5int_pac_sign");
+ err(context, ret, "krb5_pac_sign");
krb5_pac_free(context, pac);
diff --git a/src/lib/krb5/libkrb5.exports b/src/lib/krb5/libkrb5.exports
index e31ebb9cbf..c4a0015f0e 100644
--- a/src/lib/krb5/libkrb5.exports
+++ b/src/lib/krb5/libkrb5.exports
@@ -465,6 +465,7 @@ krb5_pac_get_buffer
krb5_pac_get_types
krb5_pac_init
krb5_pac_parse
+krb5_pac_sign
krb5_pac_verify
krb5_parse_name
krb5_parse_name_flags
@@ -617,7 +618,6 @@ krb5int_get_authdata_containee_types
krb5int_init_context_kdc
krb5int_init_trace
krb5int_initialize_library
-krb5int_pac_sign
krb5int_sendtokdc_debug_handler
krb5int_trace
profile_abandon
diff --git a/src/lib/krb5_32.def b/src/lib/krb5_32.def
index 17d15b076f..208b92b8fb 100644
--- a/src/lib/krb5_32.def
+++ b/src/lib/krb5_32.def
@@ -418,3 +418,4 @@ EXPORTS
krb5_cc_switch @392
krb5_free_string @393
krb5_cc_select @394
+ krb5_pac_sign @395