static krb5_error_code k5_insert_client_info(krb5_context context, krb5_pac pac, krb5_timestamp authtime, krb5_const_principal principal) { krb5_error_code ret; krb5_data client_info; char *princ_name_utf8 = NULL; unsigned char *princ_name_ucs2 = NULL, *p; size_t princ_name_ucs2_len = 0; krb5_ui_8 nt_authtime; /* If we already have a CLIENT_INFO buffer, then just validate it */ if (k5_pac_locate_buffer(context, pac, KRB5_PAC_CLIENT_INFO, &client_info) == 0) { return k5_pac_validate_client(context, pac, authtime, principal); } ret = krb5_unparse_name_flags(context, principal, KRB5_PRINCIPAL_UNPARSE_NO_REALM, &princ_name_utf8); if (ret != 0) goto cleanup; ret = krb5int_utf8s_to_ucs2les(princ_name_utf8, &princ_name_ucs2, &princ_name_ucs2_len); if (ret != 0) goto cleanup; client_info.length = PAC_CLIENT_INFO_LENGTH + princ_name_ucs2_len; client_info.data = NULL; ret = k5_pac_add_buffer(context, pac, KRB5_PAC_CLIENT_INFO, &client_info, TRUE, &client_info); if (ret != 0) goto cleanup; p = (unsigned char *)client_info.data; /* copy in authtime converted to a 64-bit NT time */ k5_seconds_since_1970_to_time(authtime, &nt_authtime); store_64_le(nt_authtime, p); p += 8; /* copy in number of UCS-2 characters in principal name */ store_16_le(princ_name_ucs2_len, p); p += 2; /* copy in principal name */ memcpy(p, princ_name_ucs2, princ_name_ucs2_len); cleanup: if (princ_name_ucs2 != NULL) free(princ_name_ucs2); krb5_free_unparsed_name(context, princ_name_utf8); return ret; }
krb5_error_code KRB5_CALLCONV krb5_pac_add_buffer(krb5_context context, krb5_pac pac, krb5_ui_4 type, const krb5_data *data) { return k5_pac_add_buffer(context, pac, type, data, FALSE, NULL); }
static krb5_error_code k5_insert_checksum(krb5_context context, krb5_pac pac, krb5_ui_4 type, const krb5_keyblock *key, krb5_cksumtype *cksumtype) { krb5_error_code ret; size_t len; krb5_data cksumdata; ret = krb5int_c_mandatory_cksumtype(context, key->enctype, cksumtype); if (ret != 0) return ret; ret = krb5_c_checksum_length(context, *cksumtype, &len); if (ret != 0) return ret; ret = k5_pac_locate_buffer(context, pac, type, &cksumdata); if (ret == 0) { /* * If we're resigning PAC, make sure we can fit checksum * into existing buffer */ if (cksumdata.length != PAC_SIGNATURE_DATA_LENGTH + len) return ERANGE; memset(cksumdata.data, 0, cksumdata.length); } else { /* Add a zero filled buffer */ cksumdata.length = PAC_SIGNATURE_DATA_LENGTH + len; cksumdata.data = NULL; ret = k5_pac_add_buffer(context, pac, type, &cksumdata, TRUE, &cksumdata); if (ret != 0) return ret; } /* Encode checksum type into buffer */ store_32_le((krb5_ui_4)*cksumtype, cksumdata.data); return 0; }