xref: /freebsd/crypto/heimdal/lib/krb5/pac.c (revision 0fca6ea1d4eea4c934cfff25ac9ee8ad6fe95583)
1 /*
2  * Copyright (c) 2006 - 2007 Kungliga Tekniska Högskolan
3  * (Royal Institute of Technology, Stockholm, Sweden).
4  * All rights reserved.
5  *
6  * Redistribution and use in source and binary forms, with or without
7  * modification, are permitted provided that the following conditions
8  * are met:
9  *
10  * 1. Redistributions of source code must retain the above copyright
11  *    notice, this list of conditions and the following disclaimer.
12  *
13  * 2. Redistributions in binary form must reproduce the above copyright
14  *    notice, this list of conditions and the following disclaimer in the
15  *    documentation and/or other materials provided with the distribution.
16  *
17  * 3. Neither the name of the Institute nor the names of its contributors
18  *    may be used to endorse or promote products derived from this software
19  *    without specific prior written permission.
20  *
21  * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
22  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24  * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
25  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31  * SUCH DAMAGE.
32  */
33 
34 #include "krb5_locl.h"
35 #include <wind.h>
36 
37 struct PAC_INFO_BUFFER {
38     uint32_t type;
39     uint32_t buffersize;
40     uint32_t offset_hi;
41     uint32_t offset_lo;
42 };
43 
44 struct PACTYPE {
45     uint32_t numbuffers;
46     uint32_t version;
47     struct PAC_INFO_BUFFER buffers[1];
48 };
49 
50 struct krb5_pac_data {
51     struct PACTYPE *pac;
52     krb5_data data;
53     struct PAC_INFO_BUFFER *server_checksum;
54     struct PAC_INFO_BUFFER *privsvr_checksum;
55     struct PAC_INFO_BUFFER *logon_name;
56 };
57 
58 #define PAC_ALIGNMENT			8
59 
60 #define PACTYPE_SIZE			8
61 #define PAC_INFO_BUFFER_SIZE		16
62 
63 #define PAC_SERVER_CHECKSUM		6
64 #define PAC_PRIVSVR_CHECKSUM		7
65 #define PAC_LOGON_NAME			10
66 #define PAC_CONSTRAINED_DELEGATION	11
67 
68 #define CHECK(r,f,l)						\
69 	do {							\
70 		if (((r) = f ) != 0) {				\
71 			krb5_clear_error_message(context);	\
72 			goto l;					\
73 		}						\
74 	} while(0)
75 
76 static const char zeros[PAC_ALIGNMENT] = { 0 };
77 
78 /*
79  * HMAC-MD5 checksum over any key (needed for the PAC routines)
80  */
81 
82 static krb5_error_code
83 HMAC_MD5_any_checksum(krb5_context context,
84 		      const krb5_keyblock *key,
85 		      const void *data,
86 		      size_t len,
87 		      unsigned usage,
88 		      Checksum *result)
89 {
90     struct _krb5_key_data local_key;
91     krb5_error_code ret;
92 
93     memset(&local_key, 0, sizeof(local_key));
94 
95     ret = krb5_copy_keyblock(context, key, &local_key.key);
96     if (ret)
97 	return ret;
98 
99     ret = krb5_data_alloc (&result->checksum, 16);
100     if (ret) {
101 	krb5_free_keyblock(context, local_key.key);
102 	return ret;
103     }
104 
105     result->cksumtype = CKSUMTYPE_HMAC_MD5;
106     ret = _krb5_HMAC_MD5_checksum(context, &local_key, data, len, usage, result);
107     if (ret)
108 	krb5_data_free(&result->checksum);
109 
110     krb5_free_keyblock(context, local_key.key);
111     return ret;
112 }
113 
114 
115 static krb5_error_code pac_header_size(krb5_context context,
116 				       uint32_t num_buffers,
117 				       uint32_t *result)
118 {
119     krb5_error_code ret;
120     uint32_t header_size;
121 
122     /* Guard against integer overflow on 32-bit systems. */
123     if (num_buffers > 1000) {
124 	ret = EINVAL;
125 	krb5_set_error_message(context, ret, "PAC has too many buffers");
126 	return ret;
127     }
128     header_size = PAC_INFO_BUFFER_SIZE * num_buffers;
129 
130     /* Guard against integer overflow on 32-bit systems. */
131     if (header_size > UINT32_MAX - PACTYPE_SIZE) {
132 	ret = EINVAL;
133 	krb5_set_error_message(context, ret, "PAC has too many buffers");
134 	return ret;
135     }
136     header_size += PACTYPE_SIZE;
137 
138     *result = header_size;
139 
140     return 0;
141 }
142 
143 static krb5_error_code pac_aligned_size(krb5_context context,
144 					uint32_t size,
145 					uint32_t *aligned_size)
146 {
147     krb5_error_code ret;
148 
149     /* Guard against integer overflow on 32-bit systems. */
150     if (size > UINT32_MAX - (PAC_ALIGNMENT - 1)) {
151 	ret = EINVAL;
152 	krb5_set_error_message(context, ret, "integer overrun");
153 	return ret;
154     }
155     size += PAC_ALIGNMENT - 1;
156 
157     /* align to PAC_ALIGNMENT */
158     size = (size / PAC_ALIGNMENT) * PAC_ALIGNMENT;
159 
160     *aligned_size = size;
161 
162     return 0;
163 }
164 
165 /*
166  *
167  */
168 
169 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
170 krb5_pac_parse(krb5_context context, const void *ptr, size_t len,
171 	       krb5_pac *pac)
172 {
173     krb5_error_code ret;
174     krb5_pac p;
175     krb5_storage *sp = NULL;
176     uint32_t i, tmp, tmp2, header_end;
177 
178     p = calloc(1, sizeof(*p));
179     if (p == NULL) {
180 	ret = krb5_enomem(context);
181 	goto out;
182     }
183 
184     sp = krb5_storage_from_readonly_mem(ptr, len);
185     if (sp == NULL) {
186 	ret = krb5_enomem(context);
187 	goto out;
188     }
189     krb5_storage_set_flags(sp, KRB5_STORAGE_BYTEORDER_LE);
190 
191     CHECK(ret, krb5_ret_uint32(sp, &tmp), out);
192     CHECK(ret, krb5_ret_uint32(sp, &tmp2), out);
193     if (tmp < 1) {
194 	ret = EINVAL; /* Too few buffers */
195 	krb5_set_error_message(context, ret, N_("PAC have too few buffer", ""));
196 	goto out;
197     }
198     if (tmp2 != 0) {
199 	ret = EINVAL; /* Wrong version */
200 	krb5_set_error_message(context, ret,
201 			       N_("PAC have wrong version %d", ""),
202 			       (int)tmp2);
203 	goto out;
204     }
205 
206     ret = pac_header_size(context, tmp, &header_end);
207     if (ret) {
208 	return ret;
209     }
210 
211     p->pac = calloc(1, header_end);
212     if (p->pac == NULL) {
213 	ret = krb5_enomem(context);
214 	goto out;
215     }
216 
217     p->pac->numbuffers = tmp;
218     p->pac->version = tmp2;
219 
220     if (header_end > len) {
221 	ret = EINVAL;
222 	goto out;
223     }
224 
225     for (i = 0; i < p->pac->numbuffers; i++) {
226 	CHECK(ret, krb5_ret_uint32(sp, &p->pac->buffers[i].type), out);
227 	CHECK(ret, krb5_ret_uint32(sp, &p->pac->buffers[i].buffersize), out);
228 	CHECK(ret, krb5_ret_uint32(sp, &p->pac->buffers[i].offset_lo), out);
229 	CHECK(ret, krb5_ret_uint32(sp, &p->pac->buffers[i].offset_hi), out);
230 
231 	/* consistency checks */
232 	if (p->pac->buffers[i].offset_lo & (PAC_ALIGNMENT - 1)) {
233 	    ret = EINVAL;
234 	    krb5_set_error_message(context, ret,
235 				   N_("PAC out of allignment", ""));
236 	    goto out;
237 	}
238 	if (p->pac->buffers[i].offset_hi) {
239 	    ret = EINVAL;
240 	    krb5_set_error_message(context, ret,
241 				   N_("PAC high offset set", ""));
242 	    goto out;
243 	}
244 	if (p->pac->buffers[i].offset_lo > len) {
245 	    ret = EINVAL;
246 	    krb5_set_error_message(context, ret,
247 				   N_("PAC offset off end", ""));
248 	    goto out;
249 	}
250 	if (p->pac->buffers[i].offset_lo < header_end) {
251 	    ret = EINVAL;
252 	    krb5_set_error_message(context, ret,
253 				   N_("PAC offset inside header: %lu %lu", ""),
254 				   (unsigned long)p->pac->buffers[i].offset_lo,
255 				   (unsigned long)header_end);
256 	    goto out;
257 	}
258 	if (p->pac->buffers[i].buffersize > len - p->pac->buffers[i].offset_lo){
259 	    ret = EINVAL;
260 	    krb5_set_error_message(context, ret, N_("PAC length off end", ""));
261 	    goto out;
262 	}
263 
264 	/* let save pointer to data we need later */
265 	if (p->pac->buffers[i].type == PAC_SERVER_CHECKSUM) {
266 	    if (p->server_checksum) {
267 		ret = EINVAL;
268 		krb5_set_error_message(context, ret,
269 				       N_("PAC have two server checksums", ""));
270 		goto out;
271 	    }
272 	    p->server_checksum = &p->pac->buffers[i];
273 	} else if (p->pac->buffers[i].type == PAC_PRIVSVR_CHECKSUM) {
274 	    if (p->privsvr_checksum) {
275 		ret = EINVAL;
276 		krb5_set_error_message(context, ret,
277 				       N_("PAC have two KDC checksums", ""));
278 		goto out;
279 	    }
280 	    p->privsvr_checksum = &p->pac->buffers[i];
281 	} else if (p->pac->buffers[i].type == PAC_LOGON_NAME) {
282 	    if (p->logon_name) {
283 		ret = EINVAL;
284 		krb5_set_error_message(context, ret,
285 				       N_("PAC have two logon names", ""));
286 		goto out;
287 	    }
288 	    p->logon_name = &p->pac->buffers[i];
289 	}
290     }
291 
292     ret = krb5_data_copy(&p->data, ptr, len);
293     if (ret)
294 	goto out;
295 
296     krb5_storage_free(sp);
297 
298     *pac = p;
299     return 0;
300 
301 out:
302     if (sp)
303 	krb5_storage_free(sp);
304     if (p) {
305 	if (p->pac)
306 	    free(p->pac);
307 	free(p);
308     }
309     *pac = NULL;
310 
311     return ret;
312 }
313 
314 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
315 krb5_pac_init(krb5_context context, krb5_pac *pac)
316 {
317     krb5_error_code ret;
318     krb5_pac p;
319 
320     p = calloc(1, sizeof(*p));
321     if (p == NULL) {
322 	return krb5_enomem(context);
323     }
324 
325     p->pac = calloc(1, sizeof(*p->pac));
326     if (p->pac == NULL) {
327 	free(p);
328 	return krb5_enomem(context);
329     }
330 
331     ret = krb5_data_alloc(&p->data, PACTYPE_SIZE);
332     if (ret) {
333 	free (p->pac);
334 	free(p);
335 	return krb5_enomem(context);
336     }
337 
338     *pac = p;
339     return 0;
340 }
341 
342 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
343 krb5_pac_add_buffer(krb5_context context, krb5_pac p,
344 		    uint32_t type, const krb5_data *data)
345 {
346     krb5_error_code ret;
347     void *ptr;
348     uint32_t unaligned_len, num_buffers, len, offset, header_end, old_end;
349     uint32_t i;
350 
351     if (data->length > UINT32_MAX) {
352 	ret = EINVAL;
353 	krb5_set_error_message(context, ret, "integer overrun");
354 	return ret;
355     }
356 
357     num_buffers = p->pac->numbuffers;
358 
359     if (num_buffers >= UINT32_MAX) {
360 	ret = EINVAL;
361 	krb5_set_error_message(context, ret, "integer overrun");
362 	return ret;
363     }
364     ret = pac_header_size(context, num_buffers + 1, &header_end);
365     if (ret) {
366 	return ret;
367     }
368 
369     ptr = realloc(p->pac, header_end);
370     if (ptr == NULL)
371 	return krb5_enomem(context);
372 
373     p->pac = ptr;
374 
375     for (i = 0; i < num_buffers; i++) {
376 	if (p->pac->buffers[i].offset_lo > UINT32_MAX - PAC_INFO_BUFFER_SIZE) {
377 	    ret = EINVAL;
378 	    krb5_set_error_message(context, ret, "integer overrun");
379 	    return ret;
380 	}
381 
382 	p->pac->buffers[i].offset_lo += PAC_INFO_BUFFER_SIZE;
383     }
384 
385     if (p->data.length > UINT32_MAX - PAC_INFO_BUFFER_SIZE) {
386 	ret = EINVAL;
387 	krb5_set_error_message(context, ret, "integer overrun");
388 	return ret;
389     }
390     offset = p->data.length + PAC_INFO_BUFFER_SIZE;
391 
392     p->pac->buffers[num_buffers].type = type;
393     p->pac->buffers[num_buffers].buffersize = data->length;
394     p->pac->buffers[num_buffers].offset_lo = offset;
395     p->pac->buffers[num_buffers].offset_hi = 0;
396 
397     old_end = p->data.length;
398     if (offset > UINT32_MAX - data->length) {
399 	krb5_set_error_message(context, EINVAL, "integer overrun");
400 	return EINVAL;
401     }
402     unaligned_len = offset + data->length;
403 
404     ret = pac_aligned_size(context, unaligned_len, &len);
405     if (ret)
406 	return ret;
407 
408     ret = krb5_data_realloc(&p->data, len);
409     if (ret) {
410 	krb5_set_error_message(context, ret, N_("malloc: out of memory", ""));
411 	return ret;
412     }
413 
414     /*
415      * make place for new PAC INFO BUFFER header
416      */
417     header_end -= PAC_INFO_BUFFER_SIZE;
418     memmove((unsigned char *)p->data.data + header_end + PAC_INFO_BUFFER_SIZE,
419 	    (unsigned char *)p->data.data + header_end ,
420 	    old_end - header_end);
421     memset((unsigned char *)p->data.data + header_end, 0, PAC_INFO_BUFFER_SIZE);
422 
423     /*
424      * copy in new data part
425      */
426 
427     memcpy((unsigned char *)p->data.data + offset,
428 	   data->data, data->length);
429     memset((unsigned char *)p->data.data + offset + data->length,
430  	   0, p->data.length - unaligned_len);
431 
432     p->pac->numbuffers += 1;
433 
434     return 0;
435 }
436 
437 /**
438  * Get the PAC buffer of specific type from the pac.
439  *
440  * @param context Kerberos 5 context.
441  * @param p the pac structure returned by krb5_pac_parse().
442  * @param type type of buffer to get
443  * @param data return data, free with krb5_data_free().
444  *
445  * @return Returns 0 to indicate success. Otherwise an kerberos et
446  * error code is returned, see krb5_get_error_message().
447  *
448  * @ingroup krb5_pac
449  */
450 
451 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
452 krb5_pac_get_buffer(krb5_context context, krb5_pac p,
453 		    uint32_t type, krb5_data *data)
454 {
455     krb5_error_code ret;
456     uint32_t i;
457 
458     for (i = 0; i < p->pac->numbuffers; i++) {
459 	const uint32_t len = p->pac->buffers[i].buffersize;
460 	const uint32_t offset = p->pac->buffers[i].offset_lo;
461 
462 	if (p->pac->buffers[i].type != type)
463 	    continue;
464 
465 	ret = krb5_data_copy(data, (unsigned char *)p->data.data + offset, len);
466 	if (ret) {
467 	    krb5_set_error_message(context, ret, N_("malloc: out of memory", ""));
468 	    return ret;
469 	}
470 	return 0;
471     }
472     krb5_set_error_message(context, ENOENT, "No PAC buffer of type %lu was found",
473 			   (unsigned long)type);
474     return ENOENT;
475 }
476 
477 /*
478  *
479  */
480 
481 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
482 krb5_pac_get_types(krb5_context context,
483 		   krb5_pac p,
484 		   size_t *len,
485 		   uint32_t **types)
486 {
487     size_t i;
488 
489     *types = calloc(p->pac->numbuffers, sizeof(*types));
490     if (*types == NULL) {
491 	*len = 0;
492 	return krb5_enomem(context);
493     }
494     for (i = 0; i < p->pac->numbuffers; i++)
495 	(*types)[i] = p->pac->buffers[i].type;
496     *len = p->pac->numbuffers;
497 
498     return 0;
499 }
500 
501 /*
502  *
503  */
504 
505 KRB5_LIB_FUNCTION void KRB5_LIB_CALL
506 krb5_pac_free(krb5_context context, krb5_pac pac)
507 {
508     krb5_data_free(&pac->data);
509     free(pac->pac);
510     free(pac);
511 }
512 
513 /*
514  *
515  */
516 
517 static krb5_error_code
518 verify_checksum(krb5_context context,
519 		const struct PAC_INFO_BUFFER *sig,
520 		const krb5_data *data,
521 		void *ptr, size_t len,
522 		const krb5_keyblock *key)
523 {
524     krb5_storage *sp = NULL;
525     uint32_t type;
526     krb5_error_code ret;
527     Checksum cksum;
528 
529     memset(&cksum, 0, sizeof(cksum));
530 
531     sp = krb5_storage_from_mem((char *)data->data + sig->offset_lo,
532 			       sig->buffersize);
533     if (sp == NULL)
534 	return krb5_enomem(context);
535 
536     krb5_storage_set_flags(sp, KRB5_STORAGE_BYTEORDER_LE);
537 
538     CHECK(ret, krb5_ret_uint32(sp, &type), out);
539     cksum.cksumtype = type;
540     cksum.checksum.length =
541 	sig->buffersize - krb5_storage_seek(sp, 0, SEEK_CUR);
542     cksum.checksum.data = malloc(cksum.checksum.length);
543     if (cksum.checksum.data == NULL) {
544 	ret = krb5_enomem(context);
545 	goto out;
546     }
547     ret = krb5_storage_read(sp, cksum.checksum.data, cksum.checksum.length);
548     if (ret != (int)cksum.checksum.length) {
549 	ret = EINVAL;
550 	krb5_set_error_message(context, ret, "PAC checksum missing checksum");
551 	goto out;
552     }
553 
554     if (!krb5_checksum_is_keyed(context, cksum.cksumtype)) {
555 	ret = EINVAL;
556 	krb5_set_error_message(context, ret, "Checksum type %d not keyed",
557 			       cksum.cksumtype);
558 	goto out;
559     }
560 
561     /* If the checksum is HMAC-MD5, the checksum type is not tied to
562      * the key type, instead the HMAC-MD5 checksum is applied blindly
563      * on whatever key is used for this connection, avoiding issues
564      * with unkeyed checksums on des-cbc-md5 and des-cbc-crc.  See
565      * http://comments.gmane.org/gmane.comp.encryption.kerberos.devel/8743
566      * for the same issue in MIT, and
567      * http://blogs.msdn.com/b/openspecification/archive/2010/01/01/verifying-the-server-signature-in-kerberos-privilege-account-certificate.aspx
568      * for Microsoft's explaination */
569 
570     if (cksum.cksumtype == CKSUMTYPE_HMAC_MD5) {
571 	Checksum local_checksum;
572 
573 	memset(&local_checksum, 0, sizeof(local_checksum));
574 
575 	ret = HMAC_MD5_any_checksum(context, key, ptr, len,
576 				    KRB5_KU_OTHER_CKSUM, &local_checksum);
577 
578 	if (ret != 0 || krb5_data_ct_cmp(&local_checksum.checksum, &cksum.checksum) != 0) {
579 	    ret = KRB5KRB_AP_ERR_BAD_INTEGRITY;
580 	    krb5_set_error_message(context, ret,
581 				   N_("PAC integrity check failed for "
582 				      "hmac-md5 checksum", ""));
583 	}
584 	krb5_data_free(&local_checksum.checksum);
585 
586    } else {
587 	krb5_crypto crypto = NULL;
588 
589 	ret = krb5_crypto_init(context, key, 0, &crypto);
590 	if (ret)
591 		goto out;
592 
593 	ret = krb5_verify_checksum(context, crypto, KRB5_KU_OTHER_CKSUM,
594 				   ptr, len, &cksum);
595 	krb5_crypto_destroy(context, crypto);
596     }
597     free(cksum.checksum.data);
598     krb5_storage_free(sp);
599 
600     return ret;
601 
602 out:
603     if (cksum.checksum.data)
604 	free(cksum.checksum.data);
605     if (sp)
606 	krb5_storage_free(sp);
607     return ret;
608 }
609 
610 static krb5_error_code
611 create_checksum(krb5_context context,
612 		const krb5_keyblock *key,
613 		uint32_t cksumtype,
614 		void *data, size_t datalen,
615 		void *sig, size_t siglen)
616 {
617     krb5_crypto crypto = NULL;
618     krb5_error_code ret;
619     Checksum cksum;
620 
621     /* If the checksum is HMAC-MD5, the checksum type is not tied to
622      * the key type, instead the HMAC-MD5 checksum is applied blindly
623      * on whatever key is used for this connection, avoiding issues
624      * with unkeyed checksums on des-cbc-md5 and des-cbc-crc.  See
625      * http://comments.gmane.org/gmane.comp.encryption.kerberos.devel/8743
626      * for the same issue in MIT, and
627      * http://blogs.msdn.com/b/openspecification/archive/2010/01/01/verifying-the-server-signature-in-kerberos-privilege-account-certificate.aspx
628      * for Microsoft's explaination */
629 
630     if (cksumtype == (uint32_t)CKSUMTYPE_HMAC_MD5) {
631 	ret = HMAC_MD5_any_checksum(context, key, data, datalen,
632 				    KRB5_KU_OTHER_CKSUM, &cksum);
633     } else {
634 	ret = krb5_crypto_init(context, key, 0, &crypto);
635 	if (ret)
636 	    return ret;
637 
638 	ret = krb5_create_checksum(context, crypto, KRB5_KU_OTHER_CKSUM, 0,
639 				   data, datalen, &cksum);
640 	krb5_crypto_destroy(context, crypto);
641 	if (ret)
642 	    return ret;
643     }
644     if (cksum.checksum.length != siglen) {
645 	krb5_set_error_message(context, EINVAL, "pac checksum wrong length");
646 	free_Checksum(&cksum);
647 	return EINVAL;
648     }
649 
650     memcpy(sig, cksum.checksum.data, siglen);
651     free_Checksum(&cksum);
652 
653     return 0;
654 }
655 
656 
657 /*
658  *
659  */
660 
661 #define NTTIME_EPOCH 0x019DB1DED53E8000LL
662 
663 static uint64_t
664 unix2nttime(time_t unix_time)
665 {
666     long long wt;
667     wt = unix_time * (uint64_t)10000000 + (uint64_t)NTTIME_EPOCH;
668     return wt;
669 }
670 
671 static krb5_error_code
672 verify_logonname(krb5_context context,
673 		 const struct PAC_INFO_BUFFER *logon_name,
674 		 const krb5_data *data,
675 		 time_t authtime,
676 		 krb5_const_principal principal)
677 {
678     krb5_error_code ret;
679     krb5_principal p2;
680     uint32_t time1, time2;
681     krb5_storage *sp;
682     uint16_t len;
683     char *s;
684 
685     sp = krb5_storage_from_readonly_mem((const char *)data->data + logon_name->offset_lo,
686 					logon_name->buffersize);
687     if (sp == NULL)
688 	return krb5_enomem(context);
689 
690     krb5_storage_set_flags(sp, KRB5_STORAGE_BYTEORDER_LE);
691 
692     CHECK(ret, krb5_ret_uint32(sp, &time1), out);
693     CHECK(ret, krb5_ret_uint32(sp, &time2), out);
694 
695     {
696 	uint64_t t1, t2;
697 	t1 = unix2nttime(authtime);
698 	t2 = ((uint64_t)time2 << 32) | time1;
699 	if (t1 != t2) {
700 	    krb5_storage_free(sp);
701 	    krb5_set_error_message(context, EINVAL, "PAC timestamp mismatch");
702 	    return EINVAL;
703 	}
704     }
705     CHECK(ret, krb5_ret_uint16(sp, &len), out);
706     if (len == 0) {
707 	krb5_storage_free(sp);
708 	krb5_set_error_message(context, EINVAL, "PAC logon name length missing");
709 	return EINVAL;
710     }
711 
712     s = malloc(len);
713     if (s == NULL) {
714 	krb5_storage_free(sp);
715 	return krb5_enomem(context);
716     }
717     ret = krb5_storage_read(sp, s, len);
718     if (ret != len) {
719 	krb5_storage_free(sp);
720 	krb5_set_error_message(context, EINVAL, "Failed to read PAC logon name");
721 	return EINVAL;
722     }
723     krb5_storage_free(sp);
724     {
725 	size_t ucs2len = len / 2;
726 	uint16_t *ucs2;
727 	size_t u8len;
728 	unsigned int flags = WIND_RW_LE;
729 
730 	ucs2 = malloc(sizeof(ucs2[0]) * ucs2len);
731 	if (ucs2 == NULL)
732 	    return krb5_enomem(context);
733 
734 	ret = wind_ucs2read(s, len, &flags, ucs2, &ucs2len);
735 	free(s);
736 	if (ret) {
737 	    free(ucs2);
738 	    krb5_set_error_message(context, ret, "Failed to convert string to UCS-2");
739 	    return ret;
740 	}
741 	ret = wind_ucs2utf8_length(ucs2, ucs2len, &u8len);
742 	if (ret) {
743 	    free(ucs2);
744 	    krb5_set_error_message(context, ret, "Failed to count length of UCS-2 string");
745 	    return ret;
746 	}
747 	u8len += 1; /* Add space for NUL */
748 	s = malloc(u8len);
749 	if (s == NULL) {
750 	    free(ucs2);
751 	    return krb5_enomem(context);
752 	}
753 	ret = wind_ucs2utf8(ucs2, ucs2len, s, &u8len);
754 	free(ucs2);
755 	if (ret) {
756 	    free(s);
757 	    krb5_set_error_message(context, ret, "Failed to convert to UTF-8");
758 	    return ret;
759 	}
760     }
761     ret = krb5_parse_name_flags(context, s, KRB5_PRINCIPAL_PARSE_NO_REALM, &p2);
762     free(s);
763     if (ret)
764 	return ret;
765 
766     if (krb5_principal_compare_any_realm(context, principal, p2) != TRUE) {
767 	ret = EINVAL;
768 	krb5_set_error_message(context, ret, "PAC logon name mismatch");
769     }
770     krb5_free_principal(context, p2);
771     return ret;
772 out:
773     return ret;
774 }
775 
776 /*
777  *
778  */
779 
780 static krb5_error_code
781 build_logon_name(krb5_context context,
782 		 time_t authtime,
783 		 krb5_const_principal principal,
784 		 krb5_data *logon)
785 {
786     krb5_error_code ret;
787     krb5_storage *sp;
788     uint64_t t;
789     char *s, *s2;
790     size_t s2_len;
791 
792     t = unix2nttime(authtime);
793 
794     krb5_data_zero(logon);
795 
796     sp = krb5_storage_emem();
797     if (sp == NULL)
798 	return krb5_enomem(context);
799 
800     krb5_storage_set_flags(sp, KRB5_STORAGE_BYTEORDER_LE);
801 
802     CHECK(ret, krb5_store_uint32(sp, t & 0xffffffff), out);
803     CHECK(ret, krb5_store_uint32(sp, t >> 32), out);
804 
805     ret = krb5_unparse_name_flags(context, principal,
806 				  KRB5_PRINCIPAL_UNPARSE_NO_REALM, &s);
807     if (ret)
808 	goto out;
809 
810     {
811 	size_t ucs2_len;
812 	uint16_t *ucs2;
813 	unsigned int flags;
814 
815 	ret = wind_utf8ucs2_length(s, &ucs2_len);
816 	if (ret) {
817 	    free(s);
818 	    krb5_set_error_message(context, ret, "Failed to count length of UTF-8 string");
819 	    return ret;
820 	}
821 
822 	ucs2 = malloc(sizeof(ucs2[0]) * ucs2_len);
823 	if (ucs2 == NULL) {
824 	    free(s);
825 	    return krb5_enomem(context);
826 	}
827 
828 	ret = wind_utf8ucs2(s, ucs2, &ucs2_len);
829 	free(s);
830 	if (ret) {
831 	    free(ucs2);
832 	    krb5_set_error_message(context, ret, "Failed to convert string to UCS-2");
833 	    return ret;
834 	}
835 
836 	s2_len = (ucs2_len + 1) * 2;
837 	s2 = malloc(s2_len);
838 	if (ucs2 == NULL) {
839 	    free(ucs2);
840 	    return krb5_enomem(context);
841 	}
842 
843 	flags = WIND_RW_LE;
844 	ret = wind_ucs2write(ucs2, ucs2_len,
845 			     &flags, s2, &s2_len);
846 	free(ucs2);
847 	if (ret) {
848 	    free(s2);
849 	    krb5_set_error_message(context, ret, "Failed to write to UCS-2 buffer");
850 	    return ret;
851 	}
852 
853 	/*
854 	 * we do not want zero termination
855 	 */
856 	s2_len = ucs2_len * 2;
857     }
858 
859     CHECK(ret, krb5_store_uint16(sp, s2_len), out);
860 
861     ret = krb5_storage_write(sp, s2, s2_len);
862     free(s2);
863     if (ret != (int)s2_len) {
864 	ret = krb5_enomem(context);
865 	goto out;
866     }
867     ret = krb5_storage_to_data(sp, logon);
868     if (ret)
869 	goto out;
870     krb5_storage_free(sp);
871 
872     return 0;
873 out:
874     krb5_storage_free(sp);
875     return ret;
876 }
877 
878 
879 /**
880  * Verify the PAC.
881  *
882  * @param context Kerberos 5 context.
883  * @param pac the pac structure returned by krb5_pac_parse().
884  * @param authtime The time of the ticket the PAC belongs to.
885  * @param principal the principal to verify.
886  * @param server The service key, most always be given.
887  * @param privsvr The KDC key, may be given.
888 
889  * @return Returns 0 to indicate success. Otherwise an kerberos et
890  * error code is returned, see krb5_get_error_message().
891  *
892  * @ingroup krb5_pac
893  */
894 
895 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
896 krb5_pac_verify(krb5_context context,
897 		const krb5_pac pac,
898 		time_t authtime,
899 		krb5_const_principal principal,
900 		const krb5_keyblock *server,
901 		const krb5_keyblock *privsvr)
902 {
903     krb5_error_code ret;
904 
905     if (pac->server_checksum == NULL) {
906 	krb5_set_error_message(context, EINVAL, "PAC missing server checksum");
907 	return EINVAL;
908     }
909     if (pac->privsvr_checksum == NULL) {
910 	krb5_set_error_message(context, EINVAL, "PAC missing kdc checksum");
911 	return EINVAL;
912     }
913     if (pac->logon_name == NULL) {
914 	krb5_set_error_message(context, EINVAL, "PAC missing logon name");
915 	return EINVAL;
916     }
917 
918     ret = verify_logonname(context,
919 			   pac->logon_name,
920 			   &pac->data,
921 			   authtime,
922 			   principal);
923     if (ret)
924 	return ret;
925 
926     /*
927      * in the service case, clean out data option of the privsvr and
928      * server checksum before checking the checksum.
929      */
930     {
931 	krb5_data *copy;
932 
933 	ret = krb5_copy_data(context, &pac->data, &copy);
934 	if (ret)
935 	    return ret;
936 
937 	if (pac->server_checksum->buffersize < 4)
938 	    return EINVAL;
939 	if (pac->privsvr_checksum->buffersize < 4)
940 	    return EINVAL;
941 
942 	memset((char *)copy->data + pac->server_checksum->offset_lo + 4,
943 	       0,
944 	       pac->server_checksum->buffersize - 4);
945 
946 	memset((char *)copy->data + pac->privsvr_checksum->offset_lo + 4,
947 	       0,
948 	       pac->privsvr_checksum->buffersize - 4);
949 
950 	ret = verify_checksum(context,
951 			      pac->server_checksum,
952 			      &pac->data,
953 			      copy->data,
954 			      copy->length,
955 			      server);
956 	krb5_free_data(context, copy);
957 	if (ret)
958 	    return ret;
959     }
960     if (privsvr) {
961 	/* The priv checksum covers the server checksum */
962 	ret = verify_checksum(context,
963 			      pac->privsvr_checksum,
964 			      &pac->data,
965 			      (char *)pac->data.data
966 			      + pac->server_checksum->offset_lo + 4,
967 			      pac->server_checksum->buffersize - 4,
968 			      privsvr);
969 	if (ret)
970 	    return ret;
971     }
972 
973     return 0;
974 }
975 
976 /*
977  *
978  */
979 
980 static krb5_error_code
981 fill_zeros(krb5_context context, krb5_storage *sp, size_t len)
982 {
983     ssize_t sret;
984     size_t l;
985 
986     while (len) {
987 	l = len;
988 	if (l > sizeof(zeros))
989 	    l = sizeof(zeros);
990 	sret = krb5_storage_write(sp, zeros, l);
991 	if (sret <= 0)
992 	    return krb5_enomem(context);
993 
994 	len -= sret;
995     }
996     return 0;
997 }
998 
999 static krb5_error_code
1000 pac_checksum(krb5_context context,
1001 	     const krb5_keyblock *key,
1002 	     uint32_t *cksumtype,
1003 	     size_t *cksumsize)
1004 {
1005     krb5_cksumtype cktype;
1006     krb5_error_code ret;
1007     krb5_crypto crypto = NULL;
1008 
1009     ret = krb5_crypto_init(context, key, 0, &crypto);
1010     if (ret)
1011 	return ret;
1012 
1013     ret = krb5_crypto_get_checksum_type(context, crypto, &cktype);
1014     krb5_crypto_destroy(context, crypto);
1015     if (ret)
1016 	return ret;
1017 
1018     if (krb5_checksum_is_keyed(context, cktype) == FALSE) {
1019 	*cksumtype = CKSUMTYPE_HMAC_MD5;
1020 	*cksumsize = 16;
1021     }
1022 
1023     ret = krb5_checksumsize(context, cktype, cksumsize);
1024     if (ret)
1025 	return ret;
1026 
1027     *cksumtype = (uint32_t)cktype;
1028 
1029     return 0;
1030 }
1031 
1032 krb5_error_code
1033 _krb5_pac_sign(krb5_context context,
1034 	       krb5_pac p,
1035 	       time_t authtime,
1036 	       krb5_principal principal,
1037 	       const krb5_keyblock *server_key,
1038 	       const krb5_keyblock *priv_key,
1039 	       krb5_data *data)
1040 {
1041     krb5_error_code ret;
1042     krb5_storage *sp = NULL, *spdata = NULL;
1043     uint32_t end;
1044     size_t server_size, priv_size;
1045     uint32_t server_offset = 0, priv_offset = 0;
1046     uint32_t server_cksumtype = 0, priv_cksumtype = 0;
1047     uint32_t num = 0;
1048     uint32_t i;
1049     krb5_data logon, d;
1050 
1051     krb5_data_zero(&logon);
1052 
1053     if (p->logon_name == NULL)
1054 	num++;
1055     if (p->server_checksum == NULL)
1056 	num++;
1057     if (p->privsvr_checksum == NULL)
1058 	num++;
1059 
1060     if (num) {
1061 	void *ptr;
1062         uint32_t len;
1063 
1064  	if (p->pac->numbuffers > UINT32_MAX - num) {
1065  	    ret = EINVAL;
1066  	    krb5_set_error_message(context, ret, "integer overrun");
1067  	    goto out;
1068  	}
1069  	ret = pac_header_size(context, p->pac->numbuffers + num, &len);
1070  	if (ret)
1071  	    goto out;
1072 
1073  	ptr = realloc(p->pac, len);
1074 	if (ptr == NULL)
1075 	    return krb5_enomem(context);
1076 
1077 	p->pac = ptr;
1078 
1079 	if (p->logon_name == NULL) {
1080 	    p->logon_name = &p->pac->buffers[p->pac->numbuffers++];
1081 	    memset(p->logon_name, 0, sizeof(*p->logon_name));
1082 	    p->logon_name->type = PAC_LOGON_NAME;
1083 	}
1084 	if (p->server_checksum == NULL) {
1085 	    p->server_checksum = &p->pac->buffers[p->pac->numbuffers++];
1086 	    memset(p->server_checksum, 0, sizeof(*p->server_checksum));
1087 	    p->server_checksum->type = PAC_SERVER_CHECKSUM;
1088 	}
1089 	if (p->privsvr_checksum == NULL) {
1090 	    p->privsvr_checksum = &p->pac->buffers[p->pac->numbuffers++];
1091 	    memset(p->privsvr_checksum, 0, sizeof(*p->privsvr_checksum));
1092 	    p->privsvr_checksum->type = PAC_PRIVSVR_CHECKSUM;
1093 	}
1094     }
1095 
1096     /* Calculate LOGON NAME */
1097     ret = build_logon_name(context, authtime, principal, &logon);
1098     if (ret)
1099 	goto out;
1100 
1101     /* Set lengths for checksum */
1102     ret = pac_checksum(context, server_key, &server_cksumtype, &server_size);
1103     if (ret)
1104 	goto out;
1105     ret = pac_checksum(context, priv_key, &priv_cksumtype, &priv_size);
1106     if (ret)
1107 	goto out;
1108 
1109     /* Encode PAC */
1110     sp = krb5_storage_emem();
1111     if (sp == NULL)
1112 	return krb5_enomem(context);
1113 
1114     krb5_storage_set_flags(sp, KRB5_STORAGE_BYTEORDER_LE);
1115 
1116     spdata = krb5_storage_emem();
1117     if (spdata == NULL) {
1118 	krb5_storage_free(sp);
1119 	return krb5_enomem(context);
1120     }
1121     krb5_storage_set_flags(spdata, KRB5_STORAGE_BYTEORDER_LE);
1122 
1123     CHECK(ret, krb5_store_uint32(sp, p->pac->numbuffers), out);
1124     CHECK(ret, krb5_store_uint32(sp, p->pac->version), out);
1125 
1126     ret = pac_header_size(context, p->pac->numbuffers, &end);
1127     if (ret)
1128         goto out;
1129 
1130     for (i = 0; i < p->pac->numbuffers; i++) {
1131 	uint32_t len;
1132 	size_t sret;
1133 	void *ptr = NULL;
1134 
1135 	/* store data */
1136 
1137 	if (p->pac->buffers[i].type == PAC_SERVER_CHECKSUM) {
1138 	    if (server_size > UINT32_MAX - 4) {
1139 		ret = EINVAL;
1140 		krb5_set_error_message(context, ret, "integer overrun");
1141 		goto out;
1142 	    }
1143 	    if (end > UINT32_MAX - 4) {
1144 		ret = EINVAL;
1145 		krb5_set_error_message(context, ret, "integer overrun");
1146 		goto out;
1147 	    }
1148 	    len = server_size + 4;
1149 	    server_offset = end + 4;
1150 	    CHECK(ret, krb5_store_uint32(spdata, server_cksumtype), out);
1151 	    CHECK(ret, fill_zeros(context, spdata, server_size), out);
1152 	} else if (p->pac->buffers[i].type == PAC_PRIVSVR_CHECKSUM) {
1153 	    if (priv_size > UINT32_MAX - 4) {
1154 		ret = EINVAL;
1155 		krb5_set_error_message(context, ret, "integer overrun");
1156 		goto out;
1157 	    }
1158 	    if (end > UINT32_MAX - 4) {
1159 		ret = EINVAL;
1160 		krb5_set_error_message(context, ret, "integer overrun");
1161 		goto out;
1162 	    }
1163 	    len = priv_size + 4;
1164 	    priv_offset = end + 4;
1165 	    CHECK(ret, krb5_store_uint32(spdata, priv_cksumtype), out);
1166 	    CHECK(ret, fill_zeros(context, spdata, priv_size), out);
1167 	} else if (p->pac->buffers[i].type == PAC_LOGON_NAME) {
1168 	    len = krb5_storage_write(spdata, logon.data, logon.length);
1169 	    if (logon.length != len) {
1170 		ret = EINVAL;
1171 		goto out;
1172 	    }
1173 	} else {
1174 	    len = p->pac->buffers[i].buffersize;
1175 	    ptr = (char *)p->data.data + p->pac->buffers[i].offset_lo;
1176 
1177 	    sret = krb5_storage_write(spdata, ptr, len);
1178 	    if (sret != len) {
1179 		ret = krb5_enomem(context);
1180 		goto out;
1181 	    }
1182 	    /* XXX if not aligned, fill_zeros */
1183 	}
1184 
1185 	/* write header */
1186 	CHECK(ret, krb5_store_uint32(sp, p->pac->buffers[i].type), out);
1187 	CHECK(ret, krb5_store_uint32(sp, len), out);
1188 	CHECK(ret, krb5_store_uint32(sp, end), out);
1189 	CHECK(ret, krb5_store_uint32(sp, 0), out);
1190 
1191 	/* advance data endpointer and align */
1192 	{
1193 	    uint32_t e;
1194 
1195 	    if (end > UINT32_MAX - len) {
1196 		ret = EINVAL;
1197 		krb5_set_error_message(context, ret, "integer overrun");
1198 		goto out;
1199 	    }
1200 	    end += len;
1201 
1202 	    ret = pac_aligned_size(context, end, &e);
1203 	    if (ret)
1204 		goto out;
1205 
1206 	    if (end != e) {
1207 		CHECK(ret, fill_zeros(context, spdata, e - end), out);
1208 	    }
1209 	    end = e;
1210 	}
1211 
1212     }
1213 
1214     /* assert (server_offset != 0 && priv_offset != 0); */
1215 
1216     /* export PAC */
1217     ret = krb5_storage_to_data(spdata, &d);
1218     if (ret) {
1219 	krb5_set_error_message(context, ret, N_("malloc: out of memory", ""));
1220 	goto out;
1221     }
1222     ret = krb5_storage_write(sp, d.data, d.length);
1223     if (ret != (int)d.length) {
1224 	krb5_data_free(&d);
1225 	ret = krb5_enomem(context);
1226 	goto out;
1227     }
1228     krb5_data_free(&d);
1229 
1230     ret = krb5_storage_to_data(sp, &d);
1231     if (ret) {
1232 	ret = krb5_enomem(context);
1233 	goto out;
1234     }
1235 
1236     /* sign */
1237     ret = create_checksum(context, server_key, server_cksumtype,
1238 			  d.data, d.length,
1239 			  (char *)d.data + server_offset, server_size);
1240     if (ret) {
1241 	krb5_data_free(&d);
1242 	goto out;
1243     }
1244     ret = create_checksum(context, priv_key, priv_cksumtype,
1245 			  (char *)d.data + server_offset, server_size,
1246 			  (char *)d.data + priv_offset, priv_size);
1247     if (ret) {
1248 	krb5_data_free(&d);
1249 	goto out;
1250     }
1251 
1252     /* done */
1253     *data = d;
1254 
1255     krb5_data_free(&logon);
1256     krb5_storage_free(sp);
1257     krb5_storage_free(spdata);
1258 
1259     return 0;
1260 out:
1261     krb5_data_free(&logon);
1262     if (sp)
1263 	krb5_storage_free(sp);
1264     if (spdata)
1265 	krb5_storage_free(spdata);
1266     return ret;
1267 }
1268