* dropped hunk that modified src/lib/krb5_32.def
* adjusted to apply to 1.9.1
* try to keep the old symbol name around in case someone's basing which one
  they use on a version check (a wild guess, but it's inexpensive to do it)

commit 297cb47b92892daa52092c932bc5345b2fcb9285
Author: ghudson <ghudson@dc483132-0cff-0310-8789-dd5450dbe970>
Date:   Wed Oct 12 16:34:07 2011 +0000

    ticket: 6974
    subject: Make krb5_pac_sign public
    
    krb5int_pac_sign was created as a private API because it is only
    needed by the KDC.  But it is actually used by DAL or authdata plugin
    modules, not the core KDC code.  Since plugin modules should not need
    to consume internal libkrb5 functions, rename krb5int_pac_sign to
    krb5_pac_sign and make it public.
    
    git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25325 dc483132-0cff-0310-8789-dd5450dbe970

diff --git a/src/include/k5-int.h b/src/include/k5-int.h
index 1682a34..d2498a8 100644
--- a/src/include/k5-int.h
+++ b/src/include/k5-int.h
@@ -2786,15 +2786,6 @@ k5alloc(size_t len, krb5_error_code *code)
 }
 
 krb5_error_code KRB5_CALLCONV
-krb5int_pac_sign(krb5_context context,
-                 krb5_pac pac,
-                 krb5_timestamp authtime,
-                 krb5_const_principal principal,
-                 const krb5_keyblock *server_key,
-                 const krb5_keyblock *privsvr_key,
-                 krb5_data *data);
-
-krb5_error_code KRB5_CALLCONV
 krb5_get_credentials_for_user(krb5_context context, krb5_flags options,
                               krb5_ccache ccache,
                               krb5_creds *in_creds,
diff --git a/src/include/krb5/krb5.hin b/src/include/krb5/krb5.hin
index 3d9dbbf..3327977 100644
--- a/src/include/krb5/krb5.hin
+++ b/src/include/krb5/krb5.hin
@@ -7495,6 +7495,27 @@ krb5_pac_verify(krb5_context context, const krb5_pac pac,
                 krb5_timestamp authtime, krb5_const_principal principal,
                 const krb5_keyblock *server, const krb5_keyblock *privsvr);
 
+/**
+ * Sign a PAC.
+ *
+ * @param [in]  context         Library context
+ * @param [in]  pac             PAC handle
+ * @param [in]  authtime        Expected timestamp
+ * @param [in]  principal       Expected principal name (or NULL)
+ * @param [in]  server          Key for server checksum
+ * @param [in]  privsvr         Key for KDC checksum
+ * @param [out] data            Signed PAC encoding
+ *
+ * This function signs @a pac using the keys @a server and @a privsvr and
+ * returns the signed encoding in @a data.  @a pac is modified to include the
+ * server and KDC checksum buffers.  Use krb5_free_data_contents() to free @a
+ * data when it is no longer needed.
+ */
+krb5_error_code KRB5_CALLCONV
+krb5_pac_sign(krb5_context context, krb5_pac pac, krb5_timestamp authtime,
+              krb5_const_principal principal, const krb5_keyblock *server_key,
+              const krb5_keyblock *privsvr_key, krb5_data *data);
+
 /* Allows the appplication to override the profile's allow_weak_crypto setting.
  * Primarily for use by aklog. */
 krb5_error_code KRB5_CALLCONV
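Review bot: The parameter descriptions in the new krb5_pac_sign doc comment read as if carried over from krb5_pac_verify: `authtime` and `principal` are described as "Expected" values, and `pac` is tagged `[in]` even though the paragraph below says it is modified to include the server and KDC checksum buffers. I would tag it `@param [in,out] pac` and describe `authtime` and `principal` as the values the signature is bound to, presumably via the client info buffer (the function body is not in this hunk, so confirm against pac_sign.c). The comment should also say what a NULL `principal` means when signing. Since this is now a public entry point that plugin modules call with the server and KDC keys, a `@retval 0 Success; otherwise - Kerberos error codes` line would help, along with a statement of whether `data` is left untouched on failure.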
diff --git a/src/lib/krb5/krb/pac_sign.c b/src/lib/krb5/krb/pac_sign.c
index ae11a0c..26b1f13 100644
--- a/src/lib/krb5/krb/pac_sign.c
+++ b/src/lib/krb5/krb/pac_sign.c
@@ -190,6 +190,15 @@ k5_pac_encode_header(krb5_context context, krb5_pac pac)
                  const krb5_keyblock *server_key,
                  const krb5_keyblock *privsvr_key,
                  krb5_data *data)
+{
+    return krb5_pac_sign(context, pac, authtime, principal,
+                         server_key, privsvr_key, data);
+}
+
+krb5_error_code KRB5_CALLCONV
+krb5_pac_sign(krb5_context context, krb5_pac pac, krb5_timestamp authtime,
+              krb5_const_principal principal, const krb5_keyblock *server_key,
+              const krb5_keyblock *privsvr_key, krb5_data *data)
 {
     krb5_error_code ret;
     krb5_data server_cksum, privsvr_cksum;
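Review bot: The retained `krb5int_pac_sign` wrapper has no comment saying why it exists. The k5-int.h hunk in this patch also removes its only visible prototype, so the definition now appears to stand without a prior declaration (its name line sits above this hunk, so the full signature is not visible here). I would add `/* Compatibility alias for the pre-rename private name; new callers should use krb5_pac_sign(). */` above it. The alias only helps already-built plugin modules if `krb5int_pac_sign` is still listed in libkrb5.exports, and the exports hunk here only shows the new name being added, so that is worth confirming. The wrapper also calls krb5_pac_sign ahead of its definition, so it relies on the public header's declaration being included in this file.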
diff --git a/src/lib/krb5/krb/t_pac.c b/src/lib/krb5/krb/t_pac.c
index 9e96b69..61fb51a 100644
--- a/src/lib/krb5/krb/t_pac.c
+++ b/src/lib/krb5/krb/t_pac.c
@@ -149,10 +149,10 @@ main(int argc, char **argv)
     if (ret)
         err(context, ret, "krb5_pac_verify");
 
-    ret = krb5int_pac_sign(context, pac, authtime, p,
-                           &member_keyblock, &kdc_keyblock, &data);
+    ret = krb5_pac_sign(context, pac, authtime, p,
+                        &member_keyblock, &kdc_keyblock, &data);
     if (ret)
-        err(context, ret, "krb5int_pac_sign");
+        err(context, ret, "krb5_pac_sign");
 
     krb5_pac_free(context, pac);
 
@@ -204,10 +204,10 @@ main(int argc, char **argv)
         }
         free(list);
 
-        ret = krb5int_pac_sign(context, pac2, authtime, p,
-                               &member_keyblock, &kdc_keyblock, &data);
+        ret = krb5_pac_sign(context, pac2, authtime, p,
+                            &member_keyblock, &kdc_keyblock, &data);
         if (ret)
-            err(context, ret, "krb5int_pac_sign 4");
+            err(context, ret, "krb5_pac_sign 4");
 
         krb5_pac_free(context, pac2);
 
@@ -283,10 +283,10 @@ main(int argc, char **argv)
         krb5_free_data_contents(context, &data);
     }
 
-    ret = krb5int_pac_sign(context, pac, authtime, p,
-                           &member_keyblock, &kdc_keyblock, &data);
+    ret = krb5_pac_sign(context, pac, authtime, p,
+                        &member_keyblock, &kdc_keyblock, &data);
     if (ret)
-        err(context, ret, "krb5int_pac_sign");
+        err(context, ret, "krb5_pac_sign");
 
     krb5_pac_free(context, pac);
 
diff --git a/src/lib/krb5/libkrb5.exports b/src/lib/krb5/libkrb5.exports
index e31ebb9..c4a0015 100644
--- a/src/lib/krb5/libkrb5.exports
+++ b/src/lib/krb5/libkrb5.exports
@@ -465,6 +465,7 @@ krb5_pac_get_buffer
 krb5_pac_get_types
 krb5_pac_init
 krb5_pac_parse
+krb5_pac_sign
 krb5_pac_verify
 krb5_parse_name
 krb5_parse_name_flags