1 /* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
2 /* lib/krb5/krb/pac.c */
4 * Copyright 2008 by the Massachusetts Institute of Technology.
7 * Export of this software from the United States of America may
8 * require a specific license from the United States Government.
9 * It is the responsibility of any person or organization contemplating
10 * export to obtain such a license before exporting.
12 * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
13 * distribute this software and its documentation for any purpose and
14 * without fee is hereby granted, provided that the above copyright
15 * notice appear in all copies and that both that copyright notice and
16 * this permission notice appear in supporting documentation, and that
17 * the name of M.I.T. not be used in advertising or publicity pertaining
18 * to distribution of the software without specific, written prior
19 * permission. Furthermore if you modify this software you must label
20 * your software as modified software and not distribute it in such a
21 * fashion that it might be confused with the original M.I.T. software.
22 * M.I.T. makes no representations about the suitability of
23 * this software for any purpose. It is provided "as is" without express
24 * or implied warranty.
30 /* draft-brezak-win2k-krb-authz-00 */
33 * Add a buffer to the provided PAC and update header.
36 k5_pac_add_buffer(krb5_context context,
39 const krb5_data *data,
40 krb5_boolean zerofill,
44 size_t header_len, i, pad = 0;
47 assert((data->data == NULL) == zerofill);
49 /* Check there isn't already a buffer of this type */
50 if (k5_pac_locate_buffer(context, pac, type, NULL) == 0) {
54 header = (PACTYPE *)realloc(pac->pac,
56 (pac->pac->cBuffers * sizeof(PAC_INFO_BUFFER)));
62 header_len = PACTYPE_LENGTH + (pac->pac->cBuffers * PAC_INFO_BUFFER_LENGTH);
64 if (data->length % PAC_ALIGNMENT)
65 pad = PAC_ALIGNMENT - (data->length % PAC_ALIGNMENT);
67 pac_data = realloc(pac->data.data,
68 pac->data.length + PAC_INFO_BUFFER_LENGTH + data->length + pad);
69 if (pac_data == NULL) {
72 pac->data.data = pac_data;
74 /* Update offsets of existing buffers */
75 for (i = 0; i < pac->pac->cBuffers; i++)
76 pac->pac->Buffers[i].Offset += PAC_INFO_BUFFER_LENGTH;
78 /* Make room for new PAC_INFO_BUFFER */
79 memmove(pac->data.data + header_len + PAC_INFO_BUFFER_LENGTH,
80 pac->data.data + header_len,
81 pac->data.length - header_len);
82 memset(pac->data.data + header_len, 0, PAC_INFO_BUFFER_LENGTH);
84 /* Initialise new PAC_INFO_BUFFER */
85 pac->pac->Buffers[i].ulType = type;
86 pac->pac->Buffers[i].cbBufferSize = data->length;
87 pac->pac->Buffers[i].Offset = pac->data.length + PAC_INFO_BUFFER_LENGTH;
88 assert((pac->pac->Buffers[i].Offset % PAC_ALIGNMENT) == 0);
90 /* Copy in new PAC data and zero padding bytes */
92 memset(pac->data.data + pac->pac->Buffers[i].Offset, 0, data->length);
94 memcpy(pac->data.data + pac->pac->Buffers[i].Offset, data->data, data->length);
96 memset(pac->data.data + pac->pac->Buffers[i].Offset + data->length, 0, pad);
99 pac->data.length += PAC_INFO_BUFFER_LENGTH + data->length + pad;
101 if (out_data != NULL) {
102 out_data->data = pac->data.data + pac->pac->Buffers[i].Offset;
103 out_data->length = data->length;
106 pac->verified = FALSE;
111 krb5_error_code KRB5_CALLCONV
112 krb5_pac_add_buffer(krb5_context context,
115 const krb5_data *data)
117 return k5_pac_add_buffer(context, pac, type, data, FALSE, NULL);
124 krb5_pac_free(krb5_context context,
128 if (pac->data.data != NULL) {
129 memset(pac->data.data, 0, pac->data.length);
130 free(pac->data.data);
132 if (pac->pac != NULL)
134 memset(pac, 0, sizeof(*pac));
140 k5_pac_locate_buffer(krb5_context context,
145 PAC_INFO_BUFFER *buffer = NULL;
151 for (i = 0; i < pac->pac->cBuffers; i++) {
152 if (pac->pac->Buffers[i].ulType == type) {
154 buffer = &pac->pac->Buffers[i];
163 assert(buffer->Offset + buffer->cbBufferSize <= pac->data.length);
166 data->length = buffer->cbBufferSize;
167 data->data = pac->data.data + buffer->Offset;
174 * Find a buffer and copy data into output
176 krb5_error_code KRB5_CALLCONV
177 krb5_pac_get_buffer(krb5_context context,
185 ret = k5_pac_locate_buffer(context, pac, type, &d);
189 data->data = malloc(d.length);
190 if (data->data == NULL)
193 data->length = d.length;
194 memcpy(data->data, d.data, d.length);
200 * Return an array of the types of data in the PAC
202 krb5_error_code KRB5_CALLCONV
203 krb5_pac_get_types(krb5_context context,
210 *types = (krb5_ui_4 *)malloc(pac->pac->cBuffers * sizeof(krb5_ui_4));
214 *len = pac->pac->cBuffers;
216 for (i = 0; i < pac->pac->cBuffers; i++)
217 (*types)[i] = pac->pac->Buffers[i].ulType;
225 krb5_error_code KRB5_CALLCONV
226 krb5_pac_init(krb5_context context,
231 pac = (krb5_pac)malloc(sizeof(*pac));
235 pac->pac = (PACTYPE *)malloc(sizeof(PACTYPE));
236 if (pac->pac == NULL) {
241 pac->pac->cBuffers = 0;
242 pac->pac->Version = 0;
244 pac->data.length = PACTYPE_LENGTH;
245 pac->data.data = calloc(1, pac->data.length);
246 if (pac->data.data == NULL) {
247 krb5_pac_free(context, pac);
251 pac->verified = FALSE;
258 static krb5_error_code
259 k5_pac_copy(krb5_context context,
265 krb5_error_code code;
268 cbuffers = src->pac->cBuffers;
272 header_len = sizeof(PACTYPE) + cbuffers * sizeof(PAC_INFO_BUFFER);
274 pac = (krb5_pac)malloc(sizeof(*pac));
278 pac->pac = (PACTYPE *)malloc(header_len);
279 if (pac->pac == NULL) {
284 memcpy(pac->pac, src->pac, header_len);
286 code = krb5int_copy_data_contents(context, &src->data, &pac->data);
293 pac->verified = src->verified;
300 * Parse the supplied data into the PAC allocated by this function
302 krb5_error_code KRB5_CALLCONV
303 krb5_pac_parse(krb5_context context,
310 const unsigned char *p = (const unsigned char *)ptr;
313 krb5_ui_4 cbuffers, version;
317 if (len < PACTYPE_LENGTH)
320 cbuffers = load_32_le(p);
322 version = load_32_le(p);
328 header_len = PACTYPE_LENGTH + (cbuffers * PAC_INFO_BUFFER_LENGTH);
329 if (len < header_len)
332 ret = krb5_pac_init(context, &pac);
336 pac->pac = (PACTYPE *)realloc(pac->pac,
337 sizeof(PACTYPE) + ((cbuffers - 1) * sizeof(PAC_INFO_BUFFER)));
338 if (pac->pac == NULL) {
339 krb5_pac_free(context, pac);
343 pac->pac->cBuffers = cbuffers;
344 pac->pac->Version = version;
346 for (i = 0; i < pac->pac->cBuffers; i++) {
347 PAC_INFO_BUFFER *buffer = &pac->pac->Buffers[i];
349 buffer->ulType = load_32_le(p);
351 buffer->cbBufferSize = load_32_le(p);
353 buffer->Offset = load_64_le(p);
356 if (buffer->Offset % PAC_ALIGNMENT) {
357 krb5_pac_free(context, pac);
360 if (buffer->Offset < header_len ||
361 buffer->Offset + buffer->cbBufferSize > len) {
362 krb5_pac_free(context, pac);
367 pac->data.data = realloc(pac->data.data, len);
368 if (pac->data.data == NULL) {
369 krb5_pac_free(context, pac);
372 memcpy(pac->data.data, ptr, len);
374 pac->data.length = len;
381 static krb5_error_code
382 k5_time_to_seconds_since_1970(krb5_int64 ntTime,
383 krb5_timestamp *elapsedSeconds)
389 abstime = ntTime > 0 ? ntTime - NT_TIME_EPOCH : -ntTime;
391 if (abstime > KRB5_INT32_MAX)
394 *elapsedSeconds = abstime;
400 k5_seconds_since_1970_to_time(krb5_timestamp elapsedSeconds,
403 *ntTime = elapsedSeconds;
405 if (elapsedSeconds > 0)
406 *ntTime += NT_TIME_EPOCH;
414 k5_pac_validate_client(krb5_context context,
416 krb5_timestamp authtime,
417 krb5_const_principal principal)
420 krb5_data client_info;
423 krb5_timestamp pac_authtime;
424 krb5_ui_2 pac_princname_length;
425 krb5_int64 pac_nt_authtime;
426 krb5_principal pac_principal;
428 ret = k5_pac_locate_buffer(context, pac, KRB5_PAC_CLIENT_INFO,
433 if (client_info.length < PAC_CLIENT_INFO_LENGTH)
436 p = (unsigned char *)client_info.data;
437 pac_nt_authtime = load_64_le(p);
439 pac_princname_length = load_16_le(p);
442 ret = k5_time_to_seconds_since_1970(pac_nt_authtime, &pac_authtime);
446 if (client_info.length < PAC_CLIENT_INFO_LENGTH + pac_princname_length ||
447 pac_princname_length % 2)
450 ret = krb5int_ucs2lecs_to_utf8s(p, (size_t)pac_princname_length / 2,
451 &pac_princname, NULL);
455 ret = krb5_parse_name_flags(context, pac_princname,
456 KRB5_PRINCIPAL_PARSE_NO_REALM, &pac_principal);
464 if (pac_authtime != authtime ||
465 !krb5_principal_compare_flags(context,
468 KRB5_PRINCIPAL_COMPARE_IGNORE_REALM))
469 ret = KRB5KRB_AP_WRONG_PRINC;
471 krb5_free_principal(context, pac_principal);
476 static krb5_error_code
477 k5_pac_zero_signature(krb5_context context,
482 PAC_INFO_BUFFER *buffer = NULL;
485 assert(type == KRB5_PAC_SERVER_CHECKSUM ||
486 type == KRB5_PAC_PRIVSVR_CHECKSUM);
487 assert(data->length >= pac->data.length);
489 for (i = 0; i < pac->pac->cBuffers; i++) {
490 if (pac->pac->Buffers[i].ulType == type) {
491 buffer = &pac->pac->Buffers[i];
499 if (buffer->Offset + buffer->cbBufferSize > pac->data.length)
502 if (buffer->cbBufferSize < PAC_SIGNATURE_DATA_LENGTH)
503 return KRB5_BAD_MSIZE;
505 /* Zero out the data portion of the checksum only */
506 memset(data->data + buffer->Offset + PAC_SIGNATURE_DATA_LENGTH,
508 buffer->cbBufferSize - PAC_SIGNATURE_DATA_LENGTH);
513 static krb5_error_code
514 k5_pac_verify_server_checksum(krb5_context context,
516 const krb5_keyblock *server)
519 krb5_data pac_data; /* PAC with zeroed checksums */
520 krb5_checksum checksum;
521 krb5_data checksum_data;
525 ret = k5_pac_locate_buffer(context, pac, KRB5_PAC_SERVER_CHECKSUM,
530 if (checksum_data.length < PAC_SIGNATURE_DATA_LENGTH)
531 return KRB5_BAD_MSIZE;
533 p = (krb5_octet *)checksum_data.data;
534 checksum.checksum_type = load_32_le(p);
535 checksum.length = checksum_data.length - PAC_SIGNATURE_DATA_LENGTH;
536 checksum.contents = p + PAC_SIGNATURE_DATA_LENGTH;
537 if (!krb5_c_is_keyed_cksum(checksum.checksum_type))
538 return KRB5KRB_AP_ERR_INAPP_CKSUM;
540 pac_data.length = pac->data.length;
541 pac_data.data = malloc(pac->data.length);
542 if (pac_data.data == NULL)
545 memcpy(pac_data.data, pac->data.data, pac->data.length);
547 /* Zero out both checksum buffers */
548 ret = k5_pac_zero_signature(context, pac, KRB5_PAC_SERVER_CHECKSUM,
555 ret = k5_pac_zero_signature(context, pac, KRB5_PAC_PRIVSVR_CHECKSUM,
562 ret = krb5_c_verify_checksum(context, server,
563 KRB5_KEYUSAGE_APP_DATA_CKSUM,
564 &pac_data, &checksum, &valid);
573 ret = KRB5KRB_AP_ERR_BAD_INTEGRITY;
578 static krb5_error_code
579 k5_pac_verify_kdc_checksum(krb5_context context,
581 const krb5_keyblock *privsvr)
584 krb5_data server_checksum, privsvr_checksum;
585 krb5_checksum checksum;
589 ret = k5_pac_locate_buffer(context, pac, KRB5_PAC_PRIVSVR_CHECKSUM,
594 if (privsvr_checksum.length < PAC_SIGNATURE_DATA_LENGTH)
595 return KRB5_BAD_MSIZE;
597 ret = k5_pac_locate_buffer(context, pac, KRB5_PAC_SERVER_CHECKSUM,
602 if (server_checksum.length < PAC_SIGNATURE_DATA_LENGTH)
603 return KRB5_BAD_MSIZE;
605 p = (krb5_octet *)privsvr_checksum.data;
606 checksum.checksum_type = load_32_le(p);
607 checksum.length = privsvr_checksum.length - PAC_SIGNATURE_DATA_LENGTH;
608 checksum.contents = p + PAC_SIGNATURE_DATA_LENGTH;
609 if (!krb5_c_is_keyed_cksum(checksum.checksum_type))
610 return KRB5KRB_AP_ERR_INAPP_CKSUM;
612 server_checksum.data += PAC_SIGNATURE_DATA_LENGTH;
613 server_checksum.length -= PAC_SIGNATURE_DATA_LENGTH;
615 ret = krb5_c_verify_checksum(context, privsvr,
616 KRB5_KEYUSAGE_APP_DATA_CKSUM,
617 &server_checksum, &checksum, &valid);
622 ret = KRB5KRB_AP_ERR_BAD_INTEGRITY;
627 krb5_error_code KRB5_CALLCONV
628 krb5_pac_verify(krb5_context context,
630 krb5_timestamp authtime,
631 krb5_const_principal principal,
632 const krb5_keyblock *server,
633 const krb5_keyblock *privsvr)
640 ret = k5_pac_verify_server_checksum(context, pac, server);
644 if (privsvr != NULL) {
645 ret = k5_pac_verify_kdc_checksum(context, pac, privsvr);
650 if (principal != NULL) {
651 ret = k5_pac_validate_client(context, pac, authtime, principal);
656 pac->verified = TRUE;
662 * PAC auth data attribute backend
664 struct mspac_context {
668 static krb5_error_code
669 mspac_init(krb5_context kcontext, void **plugin_context)
671 *plugin_context = NULL;
676 mspac_flags(krb5_context kcontext,
677 void *plugin_context,
678 krb5_authdatatype ad_type,
681 *flags = AD_USAGE_TGS_REQ;
685 mspac_fini(krb5_context kcontext, void *plugin_context)
690 static krb5_error_code
691 mspac_request_init(krb5_context kcontext,
692 krb5_authdata_context context,
693 void *plugin_context,
694 void **request_context)
696 struct mspac_context *pacctx;
698 pacctx = (struct mspac_context *)malloc(sizeof(*pacctx));
704 *request_context = pacctx;
709 static krb5_error_code
710 mspac_import_authdata(krb5_context kcontext,
711 krb5_authdata_context context,
712 void *plugin_context,
713 void *request_context,
714 krb5_authdata **authdata,
715 krb5_boolean kdc_issued,
716 krb5_const_principal kdc_issuer)
718 krb5_error_code code;
719 struct mspac_context *pacctx = (struct mspac_context *)request_context;
724 if (pacctx->pac != NULL) {
725 krb5_pac_free(kcontext, pacctx->pac);
729 assert(authdata[0] != NULL);
730 assert((authdata[0]->ad_type & AD_TYPE_FIELD_TYPE_MASK) ==
731 KRB5_AUTHDATA_WIN2K_PAC);
733 code = krb5_pac_parse(kcontext, authdata[0]->contents,
734 authdata[0]->length, &pacctx->pac);
739 static krb5_error_code
740 mspac_export_authdata(krb5_context kcontext,
741 krb5_authdata_context context,
742 void *plugin_context,
743 void *request_context,
745 krb5_authdata ***out_authdata)
747 struct mspac_context *pacctx = (struct mspac_context *)request_context;
748 krb5_error_code code;
749 krb5_authdata **authdata;
752 if (pacctx->pac == NULL)
755 authdata = calloc(2, sizeof(krb5_authdata *));
756 if (authdata == NULL)
759 authdata[0] = calloc(1, sizeof(krb5_authdata));
760 if (authdata[0] == NULL) {
766 code = krb5int_copy_data_contents(kcontext, &pacctx->pac->data, &data);
768 krb5_free_authdata(kcontext, authdata);
772 authdata[0]->magic = KV5M_AUTHDATA;
773 authdata[0]->ad_type = KRB5_AUTHDATA_WIN2K_PAC;
774 authdata[0]->length = data.length;
775 authdata[0]->contents = (krb5_octet *)data.data;
779 *out_authdata = authdata;
784 static krb5_error_code
785 mspac_verify(krb5_context kcontext,
786 krb5_authdata_context context,
787 void *plugin_context,
788 void *request_context,
789 const krb5_auth_context *auth_context,
790 const krb5_keyblock *key,
791 const krb5_ap_req *req)
793 krb5_error_code code;
794 struct mspac_context *pacctx = (struct mspac_context *)request_context;
796 if (pacctx->pac == NULL)
799 code = krb5_pac_verify(kcontext, pacctx->pac,
800 req->ticket->enc_part2->times.authtime,
801 req->ticket->enc_part2->client, key, NULL);
803 TRACE_MSPAC_VERIFY_FAIL(kcontext, code);
806 * If the above verification failed, don't fail the whole authentication,
807 * just don't mark the PAC as verified. A checksum mismatch can occur if
808 * the PAC was copied from a cross-realm TGT by an ignorant KDC, and Apple
809 * Mac OS X Server Open Directory (as of 10.6) generates PACs with no
810 * server checksum at all.
816 mspac_request_fini(krb5_context kcontext,
817 krb5_authdata_context context,
818 void *plugin_context,
819 void *request_context)
821 struct mspac_context *pacctx = (struct mspac_context *)request_context;
823 if (pacctx != NULL) {
824 if (pacctx->pac != NULL)
825 krb5_pac_free(kcontext, pacctx->pac);
831 #define STRLENOF(x) (sizeof((x)) - 1)
836 } mspac_attribute_types[] = {
837 { (krb5_ui_4)-1, { KV5M_DATA, STRLENOF("urn:mspac:"),
839 { KRB5_PAC_LOGON_INFO, { KV5M_DATA,
840 STRLENOF("urn:mspac:logon-info"),
841 "urn:mspac:logon-info" } },
842 { KRB5_PAC_CREDENTIALS_INFO, { KV5M_DATA,
843 STRLENOF("urn:mspac:credentials-info"),
844 "urn:mspac:credentials-info" } },
845 { KRB5_PAC_SERVER_CHECKSUM, { KV5M_DATA,
846 STRLENOF("urn:mspac:server-checksum"),
847 "urn:mspac:server-checksum" } },
848 { KRB5_PAC_PRIVSVR_CHECKSUM, { KV5M_DATA,
849 STRLENOF("urn:mspac:privsvr-checksum"),
850 "urn:mspac:privsvr-checksum" } },
851 { KRB5_PAC_CLIENT_INFO, { KV5M_DATA,
852 STRLENOF("urn:mspac:client-info"),
853 "urn:mspac:client-info" } },
854 { KRB5_PAC_DELEGATION_INFO, { KV5M_DATA,
855 STRLENOF("urn:mspac:delegation-info"),
856 "urn:mspac:delegation-info" } },
857 { KRB5_PAC_UPN_DNS_INFO, { KV5M_DATA,
858 STRLENOF("urn:mspac:upn-dns-info"),
859 "urn:mspac:upn-dns-info" } },
862 #define MSPAC_ATTRIBUTE_COUNT (sizeof(mspac_attribute_types)/sizeof(mspac_attribute_types[0]))
864 static krb5_error_code
865 mspac_type2attr(krb5_ui_4 type, krb5_data *attr)
869 for (i = 0; i < MSPAC_ATTRIBUTE_COUNT; i++) {
870 if (mspac_attribute_types[i].type == type) {
871 *attr = mspac_attribute_types[i].attribute;
879 static krb5_error_code
880 mspac_attr2type(const krb5_data *attr, krb5_ui_4 *type)
884 for (i = 0; i < MSPAC_ATTRIBUTE_COUNT; i++) {
885 if (attr->length == mspac_attribute_types[i].attribute.length &&
886 strncasecmp(attr->data, mspac_attribute_types[i].attribute.data, attr->length) == 0) {
887 *type = mspac_attribute_types[i].type;
892 if (attr->length > STRLENOF("urn:mspac:") &&
893 strncasecmp(attr->data, "urn:mspac:", STRLENOF("urn:mspac:")) == 0)
895 char *p = &attr->data[STRLENOF("urn:mspac:")];
898 *type = strtoul(p, &endptr, 10);
899 if (*type != 0 && *endptr == '\0')
906 static krb5_error_code
907 mspac_get_attribute_types(krb5_context kcontext,
908 krb5_authdata_context context,
909 void *plugin_context,
910 void *request_context,
911 krb5_data **out_attrs)
913 struct mspac_context *pacctx = (struct mspac_context *)request_context;
916 krb5_error_code code;
918 if (pacctx->pac == NULL)
921 attrs = calloc(1 + pacctx->pac->pac->cBuffers + 1, sizeof(krb5_data));
928 code = krb5int_copy_data_contents(kcontext,
929 &mspac_attribute_types[0].attribute,
937 for (i = 0; i < pacctx->pac->pac->cBuffers; i++) {
940 code = mspac_type2attr(pacctx->pac->pac->Buffers[i].ulType, &attr);
942 code = krb5int_copy_data_contents(kcontext, &attr, &attrs[j++]);
944 krb5int_free_data_list(kcontext, attrs);
950 length = asprintf(&attrs[j].data, "urn:mspac:%d",
951 pacctx->pac->pac->Buffers[i].ulType);
953 krb5int_free_data_list(kcontext, attrs);
956 attrs[j++].length = length;
959 attrs[j].data = NULL;
967 static krb5_error_code
968 mspac_get_attribute(krb5_context kcontext,
969 krb5_authdata_context context,
970 void *plugin_context,
971 void *request_context,
972 const krb5_data *attribute,
973 krb5_boolean *authenticated,
974 krb5_boolean *complete,
976 krb5_data *display_value,
979 struct mspac_context *pacctx = (struct mspac_context *)request_context;
980 krb5_error_code code;
983 if (display_value != NULL) {
984 display_value->data = NULL;
985 display_value->length = 0;
988 if (*more != -1 || pacctx->pac == NULL)
991 /* If it didn't verify, pretend it didn't exist. */
992 if (!pacctx->pac->verified) {
993 TRACE_MSPAC_DISCARD_UNVERF(kcontext);
997 code = mspac_attr2type(attribute, &type);
1001 /* -1 is a magic type that refers to the entire PAC */
1002 if (type == (krb5_ui_4)-1) {
1004 code = krb5int_copy_data_contents(kcontext,
1011 code = krb5_pac_get_buffer(kcontext, pacctx->pac, type, value);
1013 code = k5_pac_locate_buffer(kcontext, pacctx->pac, type, NULL);
1016 *authenticated = pacctx->pac->verified;
1025 static krb5_error_code
1026 mspac_set_attribute(krb5_context kcontext,
1027 krb5_authdata_context context,
1028 void *plugin_context,
1029 void *request_context,
1030 krb5_boolean complete,
1031 const krb5_data *attribute,
1032 const krb5_data *value)
1034 struct mspac_context *pacctx = (struct mspac_context *)request_context;
1035 krb5_error_code code;
1038 if (pacctx->pac == NULL)
1041 code = mspac_attr2type(attribute, &type);
1045 /* -1 is a magic type that refers to the entire PAC */
1046 if (type == (krb5_ui_4)-1) {
1049 code = krb5_pac_parse(kcontext, value->data, value->length, &newpac);
1053 krb5_pac_free(kcontext, pacctx->pac);
1054 pacctx->pac = newpac;
1056 code = krb5_pac_add_buffer(kcontext, pacctx->pac, type, value);
1062 static krb5_error_code
1063 mspac_export_internal(krb5_context kcontext,
1064 krb5_authdata_context context,
1065 void *plugin_context,
1066 void *request_context,
1067 krb5_boolean restrict_authenticated,
1070 struct mspac_context *pacctx = (struct mspac_context *)request_context;
1071 krb5_error_code code;
1076 if (pacctx->pac == NULL)
1079 if (restrict_authenticated && (pacctx->pac->verified) == FALSE)
1082 code = krb5_pac_parse(kcontext, pacctx->pac->data.data,
1083 pacctx->pac->data.length, &pac);
1085 pac->verified = pacctx->pac->verified;
1093 mspac_free_internal(krb5_context kcontext,
1094 krb5_authdata_context context,
1095 void *plugin_context,
1096 void *request_context,
1100 krb5_pac_free(kcontext, (krb5_pac)ptr);
1105 static krb5_error_code
1106 mspac_size(krb5_context kcontext,
1107 krb5_authdata_context context,
1108 void *plugin_context,
1109 void *request_context,
1112 struct mspac_context *pacctx = (struct mspac_context *)request_context;
1114 *sizep += sizeof(krb5_int32);
1116 if (pacctx->pac != NULL)
1117 *sizep += pacctx->pac->data.length;
1119 *sizep += sizeof(krb5_int32);
1124 static krb5_error_code
1125 mspac_externalize(krb5_context kcontext,
1126 krb5_authdata_context context,
1127 void *plugin_context,
1128 void *request_context,
1129 krb5_octet **buffer,
1132 krb5_error_code code = 0;
1133 struct mspac_context *pacctx = (struct mspac_context *)request_context;
1134 size_t required = 0;
1139 remain = *lenremain;
1141 if (pacctx->pac != NULL) {
1142 mspac_size(kcontext, context, plugin_context,
1143 request_context, &required);
1145 if (required <= remain) {
1146 krb5_ser_pack_int32((krb5_int32)pacctx->pac->data.length,
1148 krb5_ser_pack_bytes((krb5_octet *)pacctx->pac->data.data,
1149 (size_t)pacctx->pac->data.length,
1151 krb5_ser_pack_int32((krb5_int32)pacctx->pac->verified,
1157 krb5_ser_pack_int32(0, &bp, &remain); /* length */
1158 krb5_ser_pack_int32(0, &bp, &remain); /* verified */
1162 *lenremain = remain;
1167 static krb5_error_code
1168 mspac_internalize(krb5_context kcontext,
1169 krb5_authdata_context context,
1170 void *plugin_context,
1171 void *request_context,
1172 krb5_octet **buffer,
1175 struct mspac_context *pacctx = (struct mspac_context *)request_context;
1176 krb5_error_code code;
1180 krb5_pac pac = NULL;
1183 remain = *lenremain;
1186 code = krb5_ser_unpack_int32(&ibuf, &bp, &remain);
1191 code = krb5_pac_parse(kcontext, bp, ibuf, &pac);
1200 code = krb5_ser_unpack_int32(&ibuf, &bp, &remain);
1202 krb5_pac_free(kcontext, pac);
1207 pac->verified = (ibuf != 0);
1210 if (pacctx->pac != NULL) {
1211 krb5_pac_free(kcontext, pacctx->pac);
1217 *lenremain = remain;
1222 static krb5_error_code
1223 mspac_copy(krb5_context kcontext,
1224 krb5_authdata_context context,
1225 void *plugin_context,
1226 void *request_context,
1227 void *dst_plugin_context,
1228 void *dst_request_context)
1230 struct mspac_context *srcctx = (struct mspac_context *)request_context;
1231 struct mspac_context *dstctx = (struct mspac_context *)dst_request_context;
1232 krb5_error_code code = 0;
1234 assert(dstctx != NULL);
1235 assert(dstctx->pac == NULL);
1237 if (srcctx->pac != NULL)
1238 code = k5_pac_copy(kcontext, srcctx->pac, &dstctx->pac);
1243 static krb5_authdatatype mspac_ad_types[] = { KRB5_AUTHDATA_WIN2K_PAC, 0 };
1245 krb5plugin_authdata_client_ftable_v0 krb5int_mspac_authdata_client_ftable = {
1253 mspac_get_attribute_types,
1254 mspac_get_attribute,
1255 mspac_set_attribute,
1256 NULL, /* delete_attribute_proc */
1257 mspac_export_authdata,
1258 mspac_import_authdata,
1259 mspac_export_internal,
1260 mspac_free_internal,