2 * Copyright (c) 2006 - 2007 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
17 * 3. Neither the name of the Institute nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
21 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
34 #include "krb5_locl.h"
37 struct PAC_INFO_BUFFER {
47 struct PAC_INFO_BUFFER buffers[1];
50 struct krb5_pac_data {
53 struct PAC_INFO_BUFFER *server_checksum;
54 struct PAC_INFO_BUFFER *privsvr_checksum;
55 struct PAC_INFO_BUFFER *logon_name;
58 #define PAC_ALIGNMENT 8
60 #define PACTYPE_SIZE 8
61 #define PAC_INFO_BUFFER_SIZE 16
63 #define PAC_SERVER_CHECKSUM 6
64 #define PAC_PRIVSVR_CHECKSUM 7
65 #define PAC_LOGON_NAME 10
66 #define PAC_CONSTRAINED_DELEGATION 11
68 #define CHECK(r,f,l) \
70 if (((r) = f ) != 0) { \
71 krb5_clear_error_message(context); \
76 static const char zeros[PAC_ALIGNMENT] = { 0 };
83 krb5_pac_parse(krb5_context context, const void *ptr, size_t len,
88 krb5_storage *sp = NULL;
89 uint32_t i, tmp, tmp2, header_end;
91 p = calloc(1, sizeof(*p));
94 krb5_set_error_message(context, ret, N_("malloc: out of memory", ""));
98 sp = krb5_storage_from_readonly_mem(ptr, len);
101 krb5_set_error_message(context, ret, N_("malloc: out of memory", ""));
104 krb5_storage_set_flags(sp, KRB5_STORAGE_BYTEORDER_LE);
106 CHECK(ret, krb5_ret_uint32(sp, &tmp), out);
107 CHECK(ret, krb5_ret_uint32(sp, &tmp2), out);
109 ret = EINVAL; /* Too few buffers */
110 krb5_set_error_message(context, ret, N_("PAC have too few buffer", ""));
114 ret = EINVAL; /* Wrong version */
115 krb5_set_error_message(context, ret,
116 N_("PAC have wrong version %d", ""),
122 sizeof(*p->pac) + (sizeof(p->pac->buffers[0]) * (tmp - 1)));
123 if (p->pac == NULL) {
125 krb5_set_error_message(context, ret, N_("malloc: out of memory", ""));
129 p->pac->numbuffers = tmp;
130 p->pac->version = tmp2;
132 header_end = PACTYPE_SIZE + (PAC_INFO_BUFFER_SIZE * p->pac->numbuffers);
133 if (header_end > len) {
138 for (i = 0; i < p->pac->numbuffers; i++) {
139 CHECK(ret, krb5_ret_uint32(sp, &p->pac->buffers[i].type), out);
140 CHECK(ret, krb5_ret_uint32(sp, &p->pac->buffers[i].buffersize), out);
141 CHECK(ret, krb5_ret_uint32(sp, &p->pac->buffers[i].offset_lo), out);
142 CHECK(ret, krb5_ret_uint32(sp, &p->pac->buffers[i].offset_hi), out);
144 /* consistency checks */
145 if (p->pac->buffers[i].offset_lo & (PAC_ALIGNMENT - 1)) {
147 krb5_set_error_message(context, ret,
148 N_("PAC out of allignment", ""));
151 if (p->pac->buffers[i].offset_hi) {
153 krb5_set_error_message(context, ret,
154 N_("PAC high offset set", ""));
157 if (p->pac->buffers[i].offset_lo > len) {
159 krb5_set_error_message(context, ret,
160 N_("PAC offset off end", ""));
163 if (p->pac->buffers[i].offset_lo < header_end) {
165 krb5_set_error_message(context, ret,
166 N_("PAC offset inside header: %lu %lu", ""),
167 (unsigned long)p->pac->buffers[i].offset_lo,
168 (unsigned long)header_end);
171 if (p->pac->buffers[i].buffersize > len - p->pac->buffers[i].offset_lo){
173 krb5_set_error_message(context, ret, N_("PAC length off end", ""));
177 /* let save pointer to data we need later */
178 if (p->pac->buffers[i].type == PAC_SERVER_CHECKSUM) {
179 if (p->server_checksum) {
181 krb5_set_error_message(context, ret,
182 N_("PAC have two server checksums", ""));
185 p->server_checksum = &p->pac->buffers[i];
186 } else if (p->pac->buffers[i].type == PAC_PRIVSVR_CHECKSUM) {
187 if (p->privsvr_checksum) {
189 krb5_set_error_message(context, ret,
190 N_("PAC have two KDC checksums", ""));
193 p->privsvr_checksum = &p->pac->buffers[i];
194 } else if (p->pac->buffers[i].type == PAC_LOGON_NAME) {
197 krb5_set_error_message(context, ret,
198 N_("PAC have two logon names", ""));
201 p->logon_name = &p->pac->buffers[i];
205 ret = krb5_data_copy(&p->data, ptr, len);
209 krb5_storage_free(sp);
216 krb5_storage_free(sp);
228 krb5_pac_init(krb5_context context, krb5_pac *pac)
233 p = calloc(1, sizeof(*p));
235 krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
239 p->pac = calloc(1, sizeof(*p->pac));
240 if (p->pac == NULL) {
242 krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
246 ret = krb5_data_alloc(&p->data, PACTYPE_SIZE);
250 krb5_set_error_message(context, ret, N_("malloc: out of memory", ""));
260 krb5_pac_add_buffer(krb5_context context, krb5_pac p,
261 uint32_t type, const krb5_data *data)
265 size_t len, offset, header_end, old_end;
268 len = p->pac->numbuffers;
270 ptr = realloc(p->pac,
271 sizeof(*p->pac) + (sizeof(p->pac->buffers[0]) * len));
273 krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
278 for (i = 0; i < len; i++)
279 p->pac->buffers[i].offset_lo += PAC_INFO_BUFFER_SIZE;
281 offset = p->data.length + PAC_INFO_BUFFER_SIZE;
283 p->pac->buffers[len].type = type;
284 p->pac->buffers[len].buffersize = data->length;
285 p->pac->buffers[len].offset_lo = offset;
286 p->pac->buffers[len].offset_hi = 0;
288 old_end = p->data.length;
289 len = p->data.length + data->length + PAC_INFO_BUFFER_SIZE;
290 if (len < p->data.length) {
291 krb5_set_error_message(context, EINVAL, "integer overrun");
295 /* align to PAC_ALIGNMENT */
296 len = ((len + PAC_ALIGNMENT - 1) / PAC_ALIGNMENT) * PAC_ALIGNMENT;
298 ret = krb5_data_realloc(&p->data, len);
300 krb5_set_error_message(context, ret, N_("malloc: out of memory", ""));
305 * make place for new PAC INFO BUFFER header
307 header_end = PACTYPE_SIZE + (PAC_INFO_BUFFER_SIZE * p->pac->numbuffers);
308 memmove((unsigned char *)p->data.data + header_end + PAC_INFO_BUFFER_SIZE,
309 (unsigned char *)p->data.data + header_end ,
310 old_end - header_end);
311 memset((unsigned char *)p->data.data + header_end, 0, PAC_INFO_BUFFER_SIZE);
314 * copy in new data part
317 memcpy((unsigned char *)p->data.data + offset,
318 data->data, data->length);
319 memset((unsigned char *)p->data.data + offset + data->length,
320 0, p->data.length - offset - data->length);
322 p->pac->numbuffers += 1;
328 * Get the PAC buffer of specific type from the pac.
330 * @param context Kerberos 5 context.
331 * @param p the pac structure returned by krb5_pac_parse().
332 * @param type type of buffer to get
333 * @param data return data, free with krb5_data_free().
335 * @return Returns 0 to indicate success. Otherwise an kerberos et
336 * error code is returned, see krb5_get_error_message().
342 krb5_pac_get_buffer(krb5_context context, krb5_pac p,
343 uint32_t type, krb5_data *data)
348 for (i = 0; i < p->pac->numbuffers; i++) {
349 const size_t len = p->pac->buffers[i].buffersize;
350 const size_t offset = p->pac->buffers[i].offset_lo;
352 if (p->pac->buffers[i].type != type)
355 ret = krb5_data_copy(data, (unsigned char *)p->data.data + offset, len);
357 krb5_set_error_message(context, ret, N_("malloc: out of memory", ""));
362 krb5_set_error_message(context, ENOENT, "No PAC buffer of type %lu was found",
363 (unsigned long)type);
372 krb5_pac_get_types(krb5_context context,
379 *types = calloc(p->pac->numbuffers, sizeof(*types));
380 if (*types == NULL) {
382 krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
385 for (i = 0; i < p->pac->numbuffers; i++)
386 (*types)[i] = p->pac->buffers[i].type;
387 *len = p->pac->numbuffers;
397 krb5_pac_free(krb5_context context, krb5_pac pac)
399 krb5_data_free(&pac->data);
408 static krb5_error_code
409 verify_checksum(krb5_context context,
410 const struct PAC_INFO_BUFFER *sig,
411 const krb5_data *data,
412 void *ptr, size_t len,
413 const krb5_keyblock *key)
415 krb5_storage *sp = NULL;
420 memset(&cksum, 0, sizeof(cksum));
422 sp = krb5_storage_from_mem((char *)data->data + sig->offset_lo,
425 krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
428 krb5_storage_set_flags(sp, KRB5_STORAGE_BYTEORDER_LE);
430 CHECK(ret, krb5_ret_uint32(sp, &type), out);
431 cksum.cksumtype = type;
432 cksum.checksum.length =
433 sig->buffersize - krb5_storage_seek(sp, 0, SEEK_CUR);
434 cksum.checksum.data = malloc(cksum.checksum.length);
435 if (cksum.checksum.data == NULL) {
437 krb5_set_error_message(context, ret, N_("malloc: out of memory", ""));
440 ret = krb5_storage_read(sp, cksum.checksum.data, cksum.checksum.length);
441 if (ret != cksum.checksum.length) {
443 krb5_set_error_message(context, ret, "PAC checksum missing checksum");
447 if (!krb5_checksum_is_keyed(context, cksum.cksumtype)) {
449 krb5_set_error_message(context, ret, "Checksum type %d not keyed",
454 /* If the checksum is HMAC-MD5, the checksum type is not tied to
455 * the key type, instead the HMAC-MD5 checksum is applied blindly
456 * on whatever key is used for this connection, avoiding issues
457 * with unkeyed checksums on des-cbc-md5 and des-cbc-crc. See
458 * http://comments.gmane.org/gmane.comp.encryption.kerberos.devel/8743
459 * for the same issue in MIT, and
460 * http://blogs.msdn.com/b/openspecification/archive/2010/01/01/verifying-the-server-signature-in-kerberos-privilege-account-certificate.aspx
461 * for Microsoft's explaination */
462 if (cksum.cksumtype == CKSUMTYPE_HMAC_MD5) {
463 Checksum local_checksum;
465 ret = HMAC_MD5_any_checksum(context, key, ptr, len, KRB5_KU_OTHER_CKSUM, &local_checksum);
467 if(local_checksum.checksum.length != cksum.checksum.length ||
468 ct_memcmp(local_checksum.checksum.data, cksum.checksum.data, local_checksum.checksum.length)) {
469 ret = KRB5KRB_AP_ERR_BAD_INTEGRITY;
470 krb5_set_error_message(context, ret,
471 N_("PAC integrity check failed for hmac-md5 checksum", ""));
475 krb5_data_free(&local_checksum.checksum);
477 krb5_crypto crypto = NULL;
479 ret = krb5_crypto_init(context, key, 0, &crypto);
483 ret = krb5_verify_checksum(context, crypto, KRB5_KU_OTHER_CKSUM,
485 krb5_crypto_destroy(context, crypto);
487 free(cksum.checksum.data);
488 krb5_storage_free(sp);
493 if (cksum.checksum.data)
494 free(cksum.checksum.data);
496 krb5_storage_free(sp);
500 static krb5_error_code
501 create_checksum(krb5_context context,
502 const krb5_keyblock *key,
504 void *data, size_t datalen,
505 void *sig, size_t siglen)
507 krb5_crypto crypto = NULL;
511 /* If the checksum is HMAC-MD5, the checksum type is not tied to
512 * the key type, instead the HMAC-MD5 checksum is applied blindly
513 * on whatever key is used for this connection, avoiding issues
514 * with unkeyed checksums on des-cbc-md5 and des-cbc-crc. See
515 * http://comments.gmane.org/gmane.comp.encryption.kerberos.devel/8743
516 * for the same issue in MIT, and
517 * http://blogs.msdn.com/b/openspecification/archive/2010/01/01/verifying-the-server-signature-in-kerberos-privilege-account-certificate.aspx
518 * for Microsoft's explaination */
519 if (cksumtype == CKSUMTYPE_HMAC_MD5) {
520 ret = HMAC_MD5_any_checksum(context, key, data, datalen, KRB5_KU_OTHER_CKSUM, &cksum);
522 ret = krb5_crypto_init(context, key, 0, &crypto);
526 ret = krb5_create_checksum(context, crypto, KRB5_KU_OTHER_CKSUM, 0,
527 data, datalen, &cksum);
528 krb5_crypto_destroy(context, crypto);
532 if (cksum.checksum.length != siglen) {
533 krb5_set_error_message(context, EINVAL, "pac checksum wrong length");
534 free_Checksum(&cksum);
538 memcpy(sig, cksum.checksum.data, siglen);
539 free_Checksum(&cksum);
549 #define NTTIME_EPOCH 0x019DB1DED53E8000LL
552 unix2nttime(time_t unix_time)
555 wt = unix_time * (uint64_t)10000000 + (uint64_t)NTTIME_EPOCH;
559 static krb5_error_code
560 verify_logonname(krb5_context context,
561 const struct PAC_INFO_BUFFER *logon_name,
562 const krb5_data *data,
564 krb5_const_principal principal)
568 uint32_t time1, time2;
573 sp = krb5_storage_from_readonly_mem((const char *)data->data + logon_name->offset_lo,
574 logon_name->buffersize);
576 krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
580 krb5_storage_set_flags(sp, KRB5_STORAGE_BYTEORDER_LE);
582 CHECK(ret, krb5_ret_uint32(sp, &time1), out);
583 CHECK(ret, krb5_ret_uint32(sp, &time2), out);
587 t1 = unix2nttime(authtime);
588 t2 = ((uint64_t)time2 << 32) | time1;
590 krb5_storage_free(sp);
591 krb5_set_error_message(context, EINVAL, "PAC timestamp mismatch");
595 CHECK(ret, krb5_ret_uint16(sp, &len), out);
597 krb5_storage_free(sp);
598 krb5_set_error_message(context, EINVAL, "PAC logon name length missing");
604 krb5_storage_free(sp);
605 krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
608 ret = krb5_storage_read(sp, s, len);
610 krb5_storage_free(sp);
611 krb5_set_error_message(context, EINVAL, "Failed to read PAC logon name");
614 krb5_storage_free(sp);
616 size_t ucs2len = len / 2;
619 unsigned int flags = WIND_RW_LE;
621 ucs2 = malloc(sizeof(ucs2[0]) * ucs2len);
623 krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
626 ret = wind_ucs2read(s, len, &flags, ucs2, &ucs2len);
630 krb5_set_error_message(context, ret, "Failed to convert string to UCS-2");
633 ret = wind_ucs2utf8_length(ucs2, ucs2len, &u8len);
636 krb5_set_error_message(context, ret, "Failed to count length of UCS-2 string");
639 u8len += 1; /* Add space for NUL */
643 krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
646 ret = wind_ucs2utf8(ucs2, ucs2len, s, &u8len);
650 krb5_set_error_message(context, ret, "Failed to convert to UTF-8");
654 ret = krb5_parse_name_flags(context, s, KRB5_PRINCIPAL_PARSE_NO_REALM, &p2);
659 if (krb5_principal_compare_any_realm(context, principal, p2) != TRUE) {
661 krb5_set_error_message(context, ret, "PAC logon name mismatch");
663 krb5_free_principal(context, p2);
673 static krb5_error_code
674 build_logon_name(krb5_context context,
676 krb5_const_principal principal,
685 t = unix2nttime(authtime);
687 krb5_data_zero(logon);
689 sp = krb5_storage_emem();
691 krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
694 krb5_storage_set_flags(sp, KRB5_STORAGE_BYTEORDER_LE);
696 CHECK(ret, krb5_store_uint32(sp, t & 0xffffffff), out);
697 CHECK(ret, krb5_store_uint32(sp, t >> 32), out);
699 ret = krb5_unparse_name_flags(context, principal,
700 KRB5_PRINCIPAL_UNPARSE_NO_REALM, &s);
706 CHECK(ret, krb5_store_uint16(sp, len * 2), out);
708 #if 1 /* cheat for now */
709 s2 = malloc(len * 2);
715 for (i = 0; i < len; i++) {
721 /* write libwind code here */
724 ret = krb5_storage_write(sp, s2, len * 2);
726 if (ret != len * 2) {
730 ret = krb5_storage_to_data(sp, logon);
733 krb5_storage_free(sp);
737 krb5_storage_free(sp);
745 * @param context Kerberos 5 context.
746 * @param pac the pac structure returned by krb5_pac_parse().
747 * @param authtime The time of the ticket the PAC belongs to.
748 * @param principal the principal to verify.
749 * @param server The service key, most always be given.
750 * @param privsvr The KDC key, may be given.
752 * @return Returns 0 to indicate success. Otherwise an kerberos et
753 * error code is returned, see krb5_get_error_message().
759 krb5_pac_verify(krb5_context context,
762 krb5_const_principal principal,
763 const krb5_keyblock *server,
764 const krb5_keyblock *privsvr)
768 if (pac->server_checksum == NULL) {
769 krb5_set_error_message(context, EINVAL, "PAC missing server checksum");
772 if (pac->privsvr_checksum == NULL) {
773 krb5_set_error_message(context, EINVAL, "PAC missing kdc checksum");
776 if (pac->logon_name == NULL) {
777 krb5_set_error_message(context, EINVAL, "PAC missing logon name");
781 ret = verify_logonname(context,
790 * in the service case, clean out data option of the privsvr and
791 * server checksum before checking the checksum.
796 ret = krb5_copy_data(context, &pac->data, ©);
800 if (pac->server_checksum->buffersize < 4)
802 if (pac->privsvr_checksum->buffersize < 4)
805 memset((char *)copy->data + pac->server_checksum->offset_lo + 4,
807 pac->server_checksum->buffersize - 4);
809 memset((char *)copy->data + pac->privsvr_checksum->offset_lo + 4,
811 pac->privsvr_checksum->buffersize - 4);
813 ret = verify_checksum(context,
814 pac->server_checksum,
819 krb5_free_data(context, copy);
824 /* The priv checksum covers the server checksum */
825 ret = verify_checksum(context,
826 pac->privsvr_checksum,
828 (char *)pac->data.data
829 + pac->server_checksum->offset_lo + 4,
830 pac->server_checksum->buffersize - 4,
843 static krb5_error_code
844 fill_zeros(krb5_context context, krb5_storage *sp, size_t len)
851 if (l > sizeof(zeros))
853 sret = krb5_storage_write(sp, zeros, l);
855 krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
863 static krb5_error_code
864 pac_checksum(krb5_context context,
865 const krb5_keyblock *key,
869 krb5_cksumtype cktype;
871 krb5_crypto crypto = NULL;
873 ret = krb5_crypto_init(context, key, 0, &crypto);
877 ret = krb5_crypto_get_checksum_type(context, crypto, &cktype);
878 krb5_crypto_destroy(context, crypto);
882 if (krb5_checksum_is_keyed(context, cktype) == FALSE) {
883 *cksumtype = CKSUMTYPE_HMAC_MD5;
887 ret = krb5_checksumsize(context, cktype, cksumsize);
891 *cksumtype = (uint32_t)cktype;
897 _krb5_pac_sign(krb5_context context,
900 krb5_principal principal,
901 const krb5_keyblock *server_key,
902 const krb5_keyblock *priv_key,
906 krb5_storage *sp = NULL, *spdata = NULL;
908 size_t server_size, priv_size;
909 uint32_t server_offset = 0, priv_offset = 0;
910 uint32_t server_cksumtype = 0, priv_cksumtype = 0;
914 krb5_data_zero(&logon);
916 if (p->logon_name == NULL)
918 if (p->server_checksum == NULL)
920 if (p->privsvr_checksum == NULL)
926 ptr = realloc(p->pac, sizeof(*p->pac) + (sizeof(p->pac->buffers[0]) * (p->pac->numbuffers + num - 1)));
928 krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
933 if (p->logon_name == NULL) {
934 p->logon_name = &p->pac->buffers[p->pac->numbuffers++];
935 memset(p->logon_name, 0, sizeof(*p->logon_name));
936 p->logon_name->type = PAC_LOGON_NAME;
938 if (p->server_checksum == NULL) {
939 p->server_checksum = &p->pac->buffers[p->pac->numbuffers++];
940 memset(p->server_checksum, 0, sizeof(*p->server_checksum));
941 p->server_checksum->type = PAC_SERVER_CHECKSUM;
943 if (p->privsvr_checksum == NULL) {
944 p->privsvr_checksum = &p->pac->buffers[p->pac->numbuffers++];
945 memset(p->privsvr_checksum, 0, sizeof(*p->privsvr_checksum));
946 p->privsvr_checksum->type = PAC_PRIVSVR_CHECKSUM;
950 /* Calculate LOGON NAME */
951 ret = build_logon_name(context, authtime, principal, &logon);
955 /* Set lengths for checksum */
956 ret = pac_checksum(context, server_key, &server_cksumtype, &server_size);
959 ret = pac_checksum(context, priv_key, &priv_cksumtype, &priv_size);
964 sp = krb5_storage_emem();
966 krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
969 krb5_storage_set_flags(sp, KRB5_STORAGE_BYTEORDER_LE);
971 spdata = krb5_storage_emem();
972 if (spdata == NULL) {
973 krb5_storage_free(sp);
974 krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
977 krb5_storage_set_flags(spdata, KRB5_STORAGE_BYTEORDER_LE);
979 CHECK(ret, krb5_store_uint32(sp, p->pac->numbuffers), out);
980 CHECK(ret, krb5_store_uint32(sp, p->pac->version), out);
982 end = PACTYPE_SIZE + (PAC_INFO_BUFFER_SIZE * p->pac->numbuffers);
984 for (i = 0; i < p->pac->numbuffers; i++) {
991 if (p->pac->buffers[i].type == PAC_SERVER_CHECKSUM) {
992 len = server_size + 4;
993 server_offset = end + 4;
994 CHECK(ret, krb5_store_uint32(spdata, server_cksumtype), out);
995 CHECK(ret, fill_zeros(context, spdata, server_size), out);
996 } else if (p->pac->buffers[i].type == PAC_PRIVSVR_CHECKSUM) {
998 priv_offset = end + 4;
999 CHECK(ret, krb5_store_uint32(spdata, priv_cksumtype), out);
1000 CHECK(ret, fill_zeros(context, spdata, priv_size), out);
1001 } else if (p->pac->buffers[i].type == PAC_LOGON_NAME) {
1002 len = krb5_storage_write(spdata, logon.data, logon.length);
1003 if (logon.length != len) {
1008 len = p->pac->buffers[i].buffersize;
1009 ptr = (char *)p->data.data + p->pac->buffers[i].offset_lo;
1011 sret = krb5_storage_write(spdata, ptr, len);
1014 krb5_set_error_message(context, ret, N_("malloc: out of memory", ""));
1017 /* XXX if not aligned, fill_zeros */
1021 CHECK(ret, krb5_store_uint32(sp, p->pac->buffers[i].type), out);
1022 CHECK(ret, krb5_store_uint32(sp, len), out);
1023 CHECK(ret, krb5_store_uint32(sp, end), out);
1024 CHECK(ret, krb5_store_uint32(sp, 0), out);
1026 /* advance data endpointer and align */
1031 e = ((end + PAC_ALIGNMENT - 1) / PAC_ALIGNMENT) * PAC_ALIGNMENT;
1033 CHECK(ret, fill_zeros(context, spdata, e - end), out);
1040 /* assert (server_offset != 0 && priv_offset != 0); */
1043 ret = krb5_storage_to_data(spdata, &d);
1045 krb5_set_error_message(context, ret, N_("malloc: out of memory", ""));
1048 ret = krb5_storage_write(sp, d.data, d.length);
1049 if (ret != d.length) {
1052 krb5_set_error_message(context, ret, N_("malloc: out of memory", ""));
1057 ret = krb5_storage_to_data(sp, &d);
1059 krb5_set_error_message(context, ret, N_("malloc: out of memory", ""));
1064 ret = create_checksum(context, server_key, server_cksumtype,
1066 (char *)d.data + server_offset, server_size);
1071 ret = create_checksum(context, priv_key, priv_cksumtype,
1072 (char *)d.data + server_offset, server_size,
1073 (char *)d.data + priv_offset, priv_size);
1082 krb5_data_free(&logon);
1083 krb5_storage_free(sp);
1084 krb5_storage_free(spdata);
1088 krb5_data_free(&logon);
1090 krb5_storage_free(sp);
1092 krb5_storage_free(spdata);