samba-mirror/third_party/heimdal/lib/krb5/pac.c

/*
 * Copyright (c) 2006 - 2017 Kungliga Tekniska Högskolan
 * (Royal Institute of Technology, Stockholm, Sweden).
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 *
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 *
 * 3. Neither the name of the Institute nor the names of its contributors
 *    may be used to endorse or promote products derived from this software
 *    without specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 */

#include "krb5_locl.h"

#include <heimbasepriv.h>
#include <wind.h>
#include <assert.h>

/*
 * https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-pac/3341cfa2-6ef5-42e0-b7bc-4544884bf399
 */
struct PAC_INFO_BUFFER {
    uint32_t type;          /* ULONG   ulType       in the original */
    uint32_t buffersize;    /* ULONG   cbBufferSize in the original */
    uint64_t offset;        /* ULONG64 Offset       in the original
                             * this being the offset from the beginning of the
                             * struct PACTYPE to the beginning of the buffer
                             * containing data of type ulType
                             */
};

/*
 * https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-pac/6655b92f-ab06-490b-845d-037e6987275f
 */
struct PACTYPE {
    uint32_t numbuffers;    /* named cBuffers of type ULONG in the original */
    uint32_t version;       /* Named Version  of type ULONG in the original */
    struct PAC_INFO_BUFFER buffers[1]; /* an ellipsis (...) in the original */
};

/*
 * A PAC starts with a PACTYPE header structure that is followed by an array of
 * numbuffers PAC_INFO_BUFFER structures, each of which points to a buffer
 * beyond the last PAC_INFO_BUFFER structures.
 */

struct krb5_pac_data {
    struct PACTYPE *pac;
    krb5_data data;
    struct PAC_INFO_BUFFER *server_checksum;
    struct PAC_INFO_BUFFER *privsvr_checksum;
    struct PAC_INFO_BUFFER *logon_name;
    struct PAC_INFO_BUFFER *upn_dns_info;
    struct PAC_INFO_BUFFER *ticket_checksum;
    struct PAC_INFO_BUFFER *attributes_info;
    struct PAC_INFO_BUFFER *full_checksum;
    krb5_data ticket_sign_data;

    /* PAC_UPN_DNS_INFO */
    krb5_principal upn_princ;
    uint32_t upn_flags;
    krb5_principal canon_princ;
    krb5_data sid;

    /* PAC_ATTRIBUTES_INFO */
    uint64_t pac_attributes;
};

#define PAC_ALIGNMENT			8

#define PACTYPE_SIZE			8
#define PAC_INFO_BUFFER_SIZE		16

#define PAC_LOGON_INFO			1
#define PAC_CREDENTIALS_INFO		2
#define PAC_SERVER_CHECKSUM		6
#define PAC_PRIVSVR_CHECKSUM		7
#define PAC_LOGON_NAME			10
#define PAC_CONSTRAINED_DELEGATION	11
#define PAC_UPN_DNS_INFO		12
#define PAC_TICKET_CHECKSUM		16
#define PAC_ATTRIBUTES_INFO		17
#define PAC_REQUESTOR_SID		18
#define PAC_FULL_CHECKSUM		19

/* Flag in PAC_UPN_DNS_INFO */
#define PAC_EXTRA_LOGON_INFO_FLAGS_UPN_DEFAULTED	0x1
#define PAC_EXTRA_LOGON_INFO_FLAGS_HAS_SAM_NAME_AND_SID	0x2

#define CHECK(r,f,l)						\
	do {							\
		if (((r) = f ) != 0) {				\
			krb5_clear_error_message(context);	\
			goto l;					\
		}						\
	} while(0)

static const char zeros[PAC_ALIGNMENT];

static void HEIM_CALLCONV
pac_dealloc(void *ctx)
{
    krb5_pac pac = (krb5_pac)ctx;

    krb5_data_free(&pac->data);
    krb5_data_free(&pac->ticket_sign_data);

    if (pac->upn_princ) {
	free_Principal(pac->upn_princ);
	free(pac->upn_princ);
    }
    if (pac->canon_princ) {
	free_Principal(pac->canon_princ);
	free(pac->canon_princ);
    }
    krb5_data_free(&pac->sid);

    free(pac->pac);
}

struct heim_type_data pac_object = {
    HEIM_TID_PAC,
    "heim-pac",
    NULL,
    pac_dealloc,
    NULL,
    NULL,
    NULL,
    NULL
};

/*
 * Returns the size of the PACTYPE header + the PAC_INFO_BUFFER array.  This is
 * also the end of the whole thing, and any offsets to buffers from
 * thePAC_INFO_BUFFER[] entries have to be beyond it.
 */
static krb5_error_code
pac_header_size(krb5_context context, uint32_t num_buffers, uint32_t *result)
{
    krb5_error_code ret;
    uint32_t header_size;

    /* Guard against integer overflow */
    if (num_buffers > UINT32_MAX / PAC_INFO_BUFFER_SIZE) {
	ret = EOVERFLOW;
	krb5_set_error_message(context, ret, "PAC has too many buffers");
	return ret;
    }
    header_size = PAC_INFO_BUFFER_SIZE * num_buffers;

    /* Guard against integer overflow */
    if (header_size > UINT32_MAX - PACTYPE_SIZE) {
	ret = EOVERFLOW;
	krb5_set_error_message(context, ret, "PAC has too many buffers");
	return ret;
    }
    header_size += PACTYPE_SIZE;

    *result = header_size;

    return 0;
}

/* Output `size' + `addend' + padding for alignment if it doesn't overflow */
static krb5_error_code
pac_aligned_size(krb5_context context,
                 uint32_t size,
                 uint32_t addend,
                 uint32_t *aligned_size)
{
    krb5_error_code ret;

    if (size > UINT32_MAX - addend ||
        (size + addend) > UINT32_MAX - (PAC_ALIGNMENT - 1)) {
	ret = EOVERFLOW;
	krb5_set_error_message(context, ret, "integer overrun");
	return ret;
    }
    size += addend;
    size += PAC_ALIGNMENT - 1;
    size &= ~(PAC_ALIGNMENT - 1);
    *aligned_size = size;
    return 0;
}

/*
 * HMAC-MD5 checksum over any key (needed for the PAC routines)
 */

static krb5_error_code
HMAC_MD5_any_checksum(krb5_context context,
		      const krb5_keyblock *key,
		      const void *data,
		      size_t len,
		      unsigned usage,
		      Checksum *result)
{
    struct _krb5_key_data local_key;
    struct krb5_crypto_iov iov;
    krb5_error_code ret;

    memset(&local_key, 0, sizeof(local_key));

    ret = krb5_copy_keyblock(context, key, &local_key.key);
    if (ret)
	return ret;

    ret = krb5_data_alloc (&result->checksum, 16);
    if (ret) {
	krb5_free_keyblock(context, local_key.key);
	return ret;
    }

    result->cksumtype = CKSUMTYPE_HMAC_MD5;
    iov.data.data = (void *)data;
    iov.data.length = len;
    iov.flags = KRB5_CRYPTO_TYPE_DATA;

    ret = _krb5_HMAC_MD5_checksum(context, NULL, &local_key, usage, &iov, 1,
                                  result);
    if (ret)
	krb5_data_free(&result->checksum);

    krb5_free_keyblock(context, local_key.key);
    return ret;
}


/*
 *
 */

KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_pac_parse(krb5_context context, const void *ptr, size_t len,
	       krb5_pac *pac)
{
    krb5_error_code ret = 0;
    krb5_pac p;
    krb5_storage *sp = NULL;
    uint32_t i, num_buffers, version, header_size = 0;
    uint32_t prev_start = 0;
    uint32_t prev_end = 0;

    *pac = NULL;
    p = _heim_alloc_object(&pac_object, sizeof(*p));
    if (p)
        sp = krb5_storage_from_readonly_mem(ptr, len);
    if (sp == NULL)
	ret = krb5_enomem(context);
    if (ret == 0) {
        krb5_storage_set_flags(sp, KRB5_STORAGE_BYTEORDER_LE);
        ret = krb5_ret_uint32(sp, &num_buffers);
    }
    if (ret == 0)
        ret = krb5_ret_uint32(sp, &version);
    if (ret == 0 && num_buffers < 1)
	krb5_set_error_message(context, ret = EINVAL,
                               N_("PAC has too few buffers", ""));
    if (ret == 0 && num_buffers > 1000)
	krb5_set_error_message(context, ret = EINVAL,
                               N_("PAC has too many buffers", ""));
    if (ret == 0 && version != 0)
	krb5_set_error_message(context, ret = EINVAL,
			       N_("PAC has wrong version %d", ""),
			       (int)version);
    if (ret == 0)
        ret = pac_header_size(context, num_buffers, &header_size);
    if (ret == 0 && header_size > len)
        krb5_set_error_message(context, ret = EOVERFLOW,
                               N_("PAC encoding invalid, would overflow buffers", ""));
    if (ret == 0)
        p->pac = calloc(1, header_size);
    if (ret == 0 && p->pac == NULL)
	ret = krb5_enomem(context);

    if (ret == 0) {
        p->pac->numbuffers = num_buffers;
        p->pac->version = version;
    }

    for (i = 0; ret == 0 && i < p->pac->numbuffers; i++) {
        ret = krb5_ret_uint32(sp, &p->pac->buffers[i].type);
        if (ret == 0)
            ret = krb5_ret_uint32(sp, &p->pac->buffers[i].buffersize);
        if (ret == 0)
            ret = krb5_ret_uint64(sp, &p->pac->buffers[i].offset);
        if (ret)
            break;

	/* Consistency checks (we don't check for wasted space) */
	if (p->pac->buffers[i].offset & (PAC_ALIGNMENT - 1)) {
	    krb5_set_error_message(context, ret = EINVAL,
				   N_("PAC out of alignment", ""));
	    break;
	}
	if (p->pac->buffers[i].offset > len ||
            p->pac->buffers[i].buffersize > len ||
            len - p->pac->buffers[i].offset < p->pac->buffers[i].buffersize) {
	    krb5_set_error_message(context, ret = EOVERFLOW,
				   N_("PAC buffer overflow", ""));
	    break;
	}
	if (p->pac->buffers[i].offset < header_size) {
	    krb5_set_error_message(context, ret = EINVAL,
				   N_("PAC offset inside header: %lu %lu", ""),
				   (unsigned long)p->pac->buffers[i].offset,
				   (unsigned long)header_size);
	    break;
	}

        /*
         * We'd like to check for non-overlapping of buffers, but the buffers
         * need not be in the same order as the PAC_INFO_BUFFER[] entries
         * pointing to them!  To fully check for overlap we'd have to have an
         * O(N^2) loop after we parse all the PAC_INFO_BUFFER[].
         *
         * But we can check that each buffer does not overlap the previous
         * buffer.
         */
        if (prev_start) {
            if (p->pac->buffers[i].offset >= prev_start &&
                p->pac->buffers[i].offset <  prev_end) {
                krb5_set_error_message(context, ret = EINVAL,
                                       N_("PAC overlap", ""));
                break;
            }
            if (p->pac->buffers[i].offset < prev_start &&
                p->pac->buffers[i].offset +
                p->pac->buffers[i].buffersize > prev_start) {
                krb5_set_error_message(context, ret = EINVAL,
                                       N_("PAC overlap", ""));
                break;
            }
        }
        prev_start = p->pac->buffers[i].offset;
        prev_end = p->pac->buffers[i].offset + p->pac->buffers[i].buffersize;

	/* Let's save pointers to buffers we'll need later */
        switch (p->pac->buffers[i].type) {
        case PAC_SERVER_CHECKSUM:
	    if (p->server_checksum)
		krb5_set_error_message(context, ret = EINVAL,
				       N_("PAC has multiple server checksums", ""));
	    else
                p->server_checksum = &p->pac->buffers[i];
            break;
        case PAC_PRIVSVR_CHECKSUM:
	    if (p->privsvr_checksum)
                krb5_set_error_message(context, ret = EINVAL,
                                       N_("PAC has multiple KDC checksums", ""));
            else
                p->privsvr_checksum = &p->pac->buffers[i];
            break;
        case PAC_LOGON_NAME:
	    if (p->logon_name)
		krb5_set_error_message(context, ret = EINVAL,
                                       N_("PAC has multiple logon names", ""));
            else
                p->logon_name = &p->pac->buffers[i];
            break;
        case PAC_UPN_DNS_INFO:
	    if (p->upn_dns_info)
		krb5_set_error_message(context, ret = EINVAL,
				       N_("PAC has multiple UPN DNS info buffers", ""));
            else
                p->upn_dns_info = &p->pac->buffers[i];
            break;
        case PAC_TICKET_CHECKSUM:
	    if (p->ticket_checksum)
		krb5_set_error_message(context, ret = EINVAL,
				       N_("PAC has multiple ticket checksums", ""));
            else
                p->ticket_checksum = &p->pac->buffers[i];
            break;
        case PAC_ATTRIBUTES_INFO:
	    if (p->attributes_info)
		krb5_set_error_message(context, ret = EINVAL,
				       N_("PAC has multiple attributes info buffers", ""));
            else
                p->attributes_info = &p->pac->buffers[i];
            break;
        case PAC_FULL_CHECKSUM:
	    if (p->full_checksum)
		krb5_set_error_message(context, ret = EINVAL,
				       N_("PAC has multiple full checksums", ""));
            else
                p->full_checksum = &p->pac->buffers[i];
            break;
        default: break;
        }
    }

    if (ret == 0)
        ret = krb5_data_copy(&p->data, ptr, len);
    if (ret == 0) {
        *pac = p;
        p = NULL;
    }
    if (sp)
        krb5_storage_free(sp);
    krb5_pac_free(context, p);
    return ret;
}

KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_pac_init(krb5_context context, krb5_pac *pac)
{
    krb5_error_code ret;
    krb5_pac p;

    p = _heim_alloc_object(&pac_object, sizeof(*p));
    if (p == NULL) {
	return krb5_enomem(context);
    }

    p->pac = calloc(1, sizeof(*p->pac));
    if (p->pac == NULL) {
	krb5_pac_free(context, p);
	return krb5_enomem(context);
    }

    ret = krb5_data_alloc(&p->data, PACTYPE_SIZE);
    if (ret) {
	free (p->pac);
	krb5_pac_free(context, p);
	return krb5_enomem(context);
    }
    memset(p->data.data, 0, p->data.length);

    *pac = p;
    return 0;
}

/**
 * Add a PAC buffer `nd' of type `type' to the pac `p'.
 *
 * @param context
 * @param p
 * @param type
 * @param nd
 *
 * @return 0 on success or a Kerberos or system error.
 */
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_pac_add_buffer(krb5_context context, krb5_pac p,
		    uint32_t type, const krb5_data *nd)
{
    krb5_error_code ret;
    void *ptr;
    size_t old_len = p->data.length;
    uint32_t len, offset, header_size;
    uint32_t i;
    uint32_t num_buffers;

    assert(nd->data != NULL);

    num_buffers = p->pac->numbuffers;
    ret = pac_header_size(context, num_buffers + 1, &header_size);
    if (ret)
	return ret;

    ptr = realloc(p->pac, header_size);
    if (ptr == NULL)
	return krb5_enomem(context);

    p->pac = ptr;
    p->pac->buffers[num_buffers].type = 0;
    p->pac->buffers[num_buffers].buffersize = 0;
    p->pac->buffers[num_buffers].offset = 0;

    /*
     * Check that we can adjust all the buffer offsets in the existing
     * PAC_INFO_BUFFERs, since changing the size of PAC_INFO_BUFFER[] means
     * changing the offsets of buffers following that array.
     *
     * We don't adjust them until we can't fail.
     */
    for (i = 0; i < num_buffers; i++) {
	if (p->pac->buffers[i].offset > UINT32_MAX - PAC_INFO_BUFFER_SIZE) {
	    krb5_set_error_message(context, ret = EOVERFLOW,
                                   "too many / too large PAC buffers");
	    return ret;
	}
    }

    /*
     * The new buffer's offset must be past the end of the buffers we have
     * (p->data), which is the sum of the header and p->data.length.
     */

    /* Set offset = p->data.length + PAC_INFO_BUFFER_SIZE + alignment */
    ret = pac_aligned_size(context, p->data.length, PAC_INFO_BUFFER_SIZE, &offset);
    if (ret == 0)
        /* Set the new length = offset + nd->length + alignment */
        ret = pac_aligned_size(context, offset, nd->length, &len);
    if (ret) {
	krb5_set_error_message(context, ret, "PAC buffer too large");
        return ret;
    }
    ret = krb5_data_realloc(&p->data, len);
    if (ret) {
	krb5_set_error_message(context, ret, N_("malloc: out of memory", ""));
	return ret;
    }

    /* Zero out the new allocation to zero out any padding */
    memset((char *)p->data.data + old_len, 0, len - old_len);

    p->pac->buffers[num_buffers].type = type;
    p->pac->buffers[num_buffers].buffersize = nd->length;
    p->pac->buffers[num_buffers].offset = offset;

    /* Adjust all the buffer offsets in the existing PAC_INFO_BUFFERs now */
    for (i = 0; i < num_buffers; i++)
	p->pac->buffers[i].offset += PAC_INFO_BUFFER_SIZE;

    /*
     * Make place for new PAC INFO BUFFER header
     */
    header_size -= PAC_INFO_BUFFER_SIZE;
    memmove((unsigned char *)p->data.data + header_size + PAC_INFO_BUFFER_SIZE,
	    (unsigned char *)p->data.data + header_size ,
	    old_len - header_size);
    /* Clear the space where we would put the new PAC_INFO_BUFFER[] element */
    memset((unsigned char *)p->data.data + header_size, 0,
           PAC_INFO_BUFFER_SIZE);

    /*
     * Copy in new data part
     */
    memcpy((unsigned char *)p->data.data + offset, nd->data, nd->length);
    p->pac->numbuffers += 1;
    return 0;
}

/**
 * Get the PAC buffer of specific type from the pac.
 *
 * @param context Kerberos 5 context.
 * @param p the pac structure returned by krb5_pac_parse().
 * @param type type of buffer to get
 * @param data return data, free with krb5_data_free().
 *
 * @return Returns 0 to indicate success, ENOENT to indicate that a buffer of
 * the given type was not found, or a Kerberos or system error code.
 *
 * @ingroup krb5_pac
 */

KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_pac_get_buffer(krb5_context context, krb5_const_pac p,
		    uint32_t type, krb5_data *data)
{
    krb5_error_code ret;
    uint32_t i;

    for (i = 0; i < p->pac->numbuffers; i++) {
	size_t len = p->pac->buffers[i].buffersize;
	size_t offset = p->pac->buffers[i].offset;

	if (p->pac->buffers[i].type != type)
	    continue;

	if (!data)
            return 0;

        ret = krb5_data_copy(data, (unsigned char *)p->data.data + offset, len);
        if (ret)
            krb5_set_error_message(context, ret, N_("malloc: out of memory", ""));
	return ret;
    }
    krb5_set_error_message(context, ENOENT, "No PAC buffer of type %lu was found",
			   (unsigned long)type);
    return ENOENT;
}

static struct {
    uint32_t type;
    krb5_data name;
} pac_buffer_name_map[] = {
#define PAC_MAP_ENTRY(type, name) { PAC_##type, { sizeof(name) - 1, name } }
    PAC_MAP_ENTRY(LOGON_INFO,		    "logon-info"	),
    PAC_MAP_ENTRY(CREDENTIALS_INFO,	    "credentials-info"  ),
    PAC_MAP_ENTRY(SERVER_CHECKSUM,	    "server-checksum"   ),
    PAC_MAP_ENTRY(PRIVSVR_CHECKSUM,	    "privsvr-checksum"  ),
    PAC_MAP_ENTRY(LOGON_NAME,		    "client-info"	),
    PAC_MAP_ENTRY(CONSTRAINED_DELEGATION,   "delegation-info"   ),
    PAC_MAP_ENTRY(UPN_DNS_INFO,		    "upn-dns-info"	),
    PAC_MAP_ENTRY(TICKET_CHECKSUM,	    "ticket-checksum"   ),
    PAC_MAP_ENTRY(ATTRIBUTES_INFO,	    "attributes-info"   ),
    PAC_MAP_ENTRY(REQUESTOR_SID,	    "requestor-sid"	)
};

/*
 *
 */

KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
_krb5_pac_get_buffer_by_name(krb5_context context, krb5_const_pac p,
			     const krb5_data *name, krb5_data *data)
{
    size_t i;

    for (i = 0;
	 i < sizeof(pac_buffer_name_map) / sizeof(pac_buffer_name_map[0]);
	 i++) {
	if (krb5_data_cmp(name, &pac_buffer_name_map[i].name) == 0)
	    return krb5_pac_get_buffer(context, p, pac_buffer_name_map[i].type, data);
    }

    krb5_set_error_message(context, ENOENT, "No PAC buffer with name %.*s was found",
			   (int)name->length, (char *)name->data);
    return ENOENT;
}

/*
 *
 */

KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_pac_get_types(krb5_context context,
		   krb5_const_pac p,
		   size_t *len,
		   uint32_t **types)
{
    size_t i;

    *types = calloc(p->pac->numbuffers, sizeof(**types));
    if (*types == NULL) {
	*len = 0;
	return krb5_enomem(context);
    }
    for (i = 0; i < p->pac->numbuffers; i++)
	(*types)[i] = p->pac->buffers[i].type;
    *len = p->pac->numbuffers;

    return 0;
}

/*
 *
 */

KRB5_LIB_FUNCTION void KRB5_LIB_CALL
krb5_pac_free(krb5_context context, krb5_pac pac)
{
    heim_release(pac);
}

/*
 *
 */

static krb5_error_code
verify_checksum(krb5_context context,
		const struct PAC_INFO_BUFFER *sig,
		const krb5_data *data,
		void *ptr, size_t len,
		const krb5_keyblock *key,
		krb5_boolean strict_cksumtype_match)
{
    krb5_storage *sp = NULL;
    uint32_t type;
    krb5_error_code ret;
    Checksum cksum;
    size_t cksumsize;

    memset(&cksum, 0, sizeof(cksum));

    sp = krb5_storage_from_mem((char *)data->data + sig->offset,
			       sig->buffersize);
    if (sp == NULL)
	return krb5_enomem(context);

    krb5_storage_set_flags(sp, KRB5_STORAGE_BYTEORDER_LE);

    CHECK(ret, krb5_ret_uint32(sp, &type), out);
    cksum.cksumtype = type;

    ret = krb5_checksumsize(context, type, &cksumsize);
    if (ret)
	goto out;

    /* Allow for RODCIdentifier trailer, see MS-PAC 2.8 */
    if (cksumsize > (sig->buffersize - krb5_storage_seek(sp, 0, SEEK_CUR))) {
	ret = EINVAL;
	goto out;
    }
    cksum.checksum.length = cksumsize;
    cksum.checksum.data = malloc(cksum.checksum.length);
    if (cksum.checksum.data == NULL) {
	ret = krb5_enomem(context);
	goto out;
    }
    ret = krb5_storage_read(sp, cksum.checksum.data, cksum.checksum.length);
    if (ret != (int)cksum.checksum.length) {
	ret = KRB5KRB_AP_ERR_INAPP_CKSUM;
	krb5_set_error_message(context, ret, "PAC checksum missing checksum");
	goto out;
    }

    if (!krb5_checksum_is_keyed(context, cksum.cksumtype)) {
	ret = KRB5KRB_AP_ERR_INAPP_CKSUM;
	krb5_set_error_message(context, ret, "Checksum type %d not keyed",
			       cksum.cksumtype);
	goto out;
    }

    /* If the checksum is HMAC-MD5, the checksum type is not tied to
     * the key type, instead the HMAC-MD5 checksum is applied blindly
     * on whatever key is used for this connection, avoiding issues
     * with unkeyed checksums on des-cbc-md5 and des-cbc-crc.  See
     * http://comments.gmane.org/gmane.comp.encryption.kerberos.devel/8743
     * for the same issue in MIT, and
     * http://blogs.msdn.com/b/openspecification/archive/2010/01/01/verifying-the-server-signature-in-kerberos-privilege-account-certificate.aspx
     * for Microsoft's explaination */

    if (cksum.cksumtype == CKSUMTYPE_HMAC_MD5 && !strict_cksumtype_match) {
	Checksum local_checksum;

	memset(&local_checksum, 0, sizeof(local_checksum));

	ret = HMAC_MD5_any_checksum(context, key, ptr, len,
				    KRB5_KU_OTHER_CKSUM, &local_checksum);

	if (ret != 0 || krb5_data_ct_cmp(&local_checksum.checksum, &cksum.checksum) != 0) {
	    ret = KRB5KRB_AP_ERR_BAD_INTEGRITY;
	    krb5_set_error_message(context, ret,
				   N_("PAC integrity check failed for "
				      "hmac-md5 checksum", ""));
	}
	krb5_data_free(&local_checksum.checksum);

   } else {
	krb5_crypto crypto = NULL;

	ret = krb5_crypto_init(context, key, 0, &crypto);
	if (ret)
		goto out;

	ret = krb5_verify_checksum(context, crypto, KRB5_KU_OTHER_CKSUM,
				   ptr, len, &cksum);
	krb5_crypto_destroy(context, crypto);
    }
    free(cksum.checksum.data);
    krb5_storage_free(sp);

    return ret;

out:
    if (cksum.checksum.data)
	free(cksum.checksum.data);
    if (sp)
	krb5_storage_free(sp);
    return ret;
}

static krb5_error_code
create_checksum(krb5_context context,
		const krb5_keyblock *key,
		uint32_t cksumtype,
		void *data, size_t datalen,
		void *sig, size_t siglen)
{
    krb5_crypto crypto = NULL;
    krb5_error_code ret;
    Checksum cksum;

    /* If the checksum is HMAC-MD5, the checksum type is not tied to
     * the key type, instead the HMAC-MD5 checksum is applied blindly
     * on whatever key is used for this connection, avoiding issues
     * with unkeyed checksums on des-cbc-md5 and des-cbc-crc.  See
     * http://comments.gmane.org/gmane.comp.encryption.kerberos.devel/8743
     * for the same issue in MIT, and
     * http://blogs.msdn.com/b/openspecification/archive/2010/01/01/verifying-the-server-signature-in-kerberos-privilege-account-certificate.aspx
     * for Microsoft's explaination */

    if (cksumtype == (uint32_t)CKSUMTYPE_HMAC_MD5) {
	ret = HMAC_MD5_any_checksum(context, key, data, datalen,
				    KRB5_KU_OTHER_CKSUM, &cksum);
        if (ret)
            return ret;
    } else {
	ret = krb5_crypto_init(context, key, 0, &crypto);
	if (ret)
	    return ret;

	ret = krb5_create_checksum(context, crypto, KRB5_KU_OTHER_CKSUM, 0,
				   data, datalen, &cksum);
	krb5_crypto_destroy(context, crypto);
	if (ret)
	    return ret;
    }
    if (cksum.checksum.length != siglen) {
	krb5_set_error_message(context, EINVAL, "pac checksum wrong length");
	free_Checksum(&cksum);
	return EINVAL;
    }

    memcpy(sig, cksum.checksum.data, siglen);
    free_Checksum(&cksum);

    return 0;
}

static krb5_error_code
parse_upn_dns_info(krb5_context context,
		   const struct PAC_INFO_BUFFER *upndnsinfo,
		   const krb5_data *data,
		   krb5_principal *upn_princ,
		   uint32_t *flags,
		   krb5_principal *canon_princ,
		   krb5_data *sid)
{
    krb5_error_code ret;
    krb5_storage *sp = NULL;
    uint16_t upn_length, upn_offset;
    uint16_t dns_domain_name_length, dns_domain_name_offset;
    uint16_t canon_princ_length, canon_princ_offset;
    uint16_t sid_length, sid_offset;
    char *upn = NULL;
    char *dns_domain_name = NULL;
    char *sam_name = NULL;

    *upn_princ = NULL;
    *flags = 0;
    *canon_princ = NULL;
    krb5_data_zero(sid);

    sp = krb5_storage_from_readonly_mem((const char *)data->data + upndnsinfo->offset,
					upndnsinfo->buffersize);
    if (sp == NULL)
	return krb5_enomem(context);

    krb5_storage_set_flags(sp, KRB5_STORAGE_BYTEORDER_LE);

    CHECK(ret, krb5_ret_uint16(sp, &upn_length), out);
    CHECK(ret, krb5_ret_uint16(sp, &upn_offset), out);
    CHECK(ret, krb5_ret_uint16(sp, &dns_domain_name_length), out);
    CHECK(ret, krb5_ret_uint16(sp, &dns_domain_name_offset), out);
    CHECK(ret, krb5_ret_uint32(sp, flags), out);

    if (*flags & PAC_EXTRA_LOGON_INFO_FLAGS_HAS_SAM_NAME_AND_SID) {
	CHECK(ret, krb5_ret_uint16(sp, &canon_princ_length), out);
	CHECK(ret, krb5_ret_uint16(sp, &canon_princ_offset), out);
	CHECK(ret, krb5_ret_uint16(sp, &sid_length), out);
	CHECK(ret, krb5_ret_uint16(sp, &sid_offset), out);
    } else {
	canon_princ_length = canon_princ_offset = 0;
	sid_length = sid_offset = 0;
    }

    if (upn_offset) {
	CHECK(ret, _krb5_ret_utf8_from_ucs2le_at_offset(sp, upn_offset,
							upn_length, &upn), out);
    }
    CHECK(ret, _krb5_ret_utf8_from_ucs2le_at_offset(sp, dns_domain_name_offset,
						    dns_domain_name_length, &dns_domain_name), out);
    if ((*flags & PAC_EXTRA_LOGON_INFO_FLAGS_HAS_SAM_NAME_AND_SID) && canon_princ_offset) {
	CHECK(ret, _krb5_ret_utf8_from_ucs2le_at_offset(sp, canon_princ_offset,
							canon_princ_length, &sam_name), out);
    }

    if (upn_offset) {
	ret = krb5_parse_name_flags(context,
				    upn,
				    KRB5_PRINCIPAL_PARSE_ENTERPRISE |
				    KRB5_PRINCIPAL_PARSE_NO_DEF_REALM,
				    upn_princ);
	if (ret)
	    goto out;

	ret = krb5_principal_set_realm(context, *upn_princ, dns_domain_name);
	if (ret)
	    goto out;
    }

    if (canon_princ_offset) {
	ret = krb5_parse_name_flags(context,
				    sam_name,
				    KRB5_PRINCIPAL_PARSE_NO_REALM |
				    KRB5_PRINCIPAL_PARSE_NO_DEF_REALM,
				    canon_princ);
	if (ret)
	    goto out;

	ret = krb5_principal_set_realm(context, *canon_princ, dns_domain_name);
	if (ret)
	    goto out;
    }

    if (sid_offset)
	CHECK(ret, _krb5_ret_data_at_offset(sp, sid_offset, sid_length, sid), out);

out:
    free(upn);
    free(dns_domain_name);
    free(sam_name);

    krb5_storage_free(sp);

    return ret;
}

/*
 *
 */

#define NTTIME_EPOCH 0x019DB1DED53E8000LL

static uint64_t
unix2nttime(time_t unix_time)
{
    long long wt;
    wt = unix_time * (uint64_t)10000000 + (uint64_t)NTTIME_EPOCH;
    return wt;
}

static krb5_error_code
verify_logonname(krb5_context context,
		 const struct PAC_INFO_BUFFER *logon_name,
		 const krb5_data *data,
		 time_t authtime,
		 krb5_const_principal principal)
{
    krb5_error_code ret;
    uint32_t time1, time2;
    krb5_storage *sp = NULL;
    uint16_t len;
    char *s = NULL;
    char *principal_string = NULL;
    char *logon_string = NULL;

    sp = krb5_storage_from_readonly_mem((const char *)data->data + logon_name->offset,
					logon_name->buffersize);
    if (sp == NULL)
	return krb5_enomem(context);

    krb5_storage_set_flags(sp, KRB5_STORAGE_BYTEORDER_LE);

    CHECK(ret, krb5_ret_uint32(sp, &time1), out);
    CHECK(ret, krb5_ret_uint32(sp, &time2), out);

    {
	uint64_t t1, t2;
	t1 = unix2nttime(authtime);
	t2 = ((uint64_t)time2 << 32) | time1;
	/*
	 * When neither the ticket nor the PAC set an explicit authtime,
	 * both times are zero, but relative to different time scales.
	 * So we must compare "not set" values without converting to a
	 * common time reference.
         */
	if (t1 != t2 && (t2 != 0 && authtime != 0)) {
	    krb5_storage_free(sp);
	    krb5_set_error_message(context, EINVAL, "PAC timestamp mismatch");
	    return EINVAL;
	}
    }
    CHECK(ret, krb5_ret_uint16(sp, &len), out);
    if (len == 0) {
	krb5_storage_free(sp);
	krb5_set_error_message(context, EINVAL, "PAC logon name length missing");
	return EINVAL;
    }

    s = malloc(len);
    if (s == NULL) {
	krb5_storage_free(sp);
	return krb5_enomem(context);
    }
    ret = krb5_storage_read(sp, s, len);
    if (ret != len) {
	krb5_storage_free(sp);
	krb5_set_error_message(context, EINVAL, "Failed to read PAC logon name");
	return EINVAL;
    }
    krb5_storage_free(sp);
    {
	size_t ucs2len = len / 2;
	uint16_t *ucs2;
	size_t u8len;
	unsigned int flags = WIND_RW_LE;

	ucs2 = malloc(sizeof(ucs2[0]) * ucs2len);
	if (ucs2 == NULL)
	    return krb5_enomem(context);

	ret = wind_ucs2read(s, len, &flags, ucs2, &ucs2len);
	free(s);
	if (ret) {
	    free(ucs2);
	    krb5_set_error_message(context, ret, "Failed to convert string to UCS-2");
	    return ret;
	}
	ret = wind_ucs2utf8_length(ucs2, ucs2len, &u8len);
	if (ret) {
	    free(ucs2);
	    krb5_set_error_message(context, ret, "Failed to count length of UCS-2 string");
	    return ret;
	}
	u8len += 1; /* Add space for NUL */
	logon_string = malloc(u8len);
	if (logon_string == NULL) {
	    free(ucs2);
	    return krb5_enomem(context);
	}
	ret = wind_ucs2utf8(ucs2, ucs2len, logon_string, &u8len);
	free(ucs2);
	if (ret) {
	    free(logon_string);
	    krb5_set_error_message(context, ret, "Failed to convert to UTF-8");
	    return ret;
	}
    }
    ret = krb5_unparse_name_flags(context, principal,
				  KRB5_PRINCIPAL_UNPARSE_NO_REALM |
				  KRB5_PRINCIPAL_UNPARSE_DISPLAY,
				  &principal_string);
    if (ret) {
	free(logon_string);
	return ret;
    }

    if (strcmp(logon_string, principal_string) != 0) {
	ret = EINVAL;
	krb5_set_error_message(context, ret, "PAC logon name [%s] mismatch principal name [%s]",
			       logon_string, principal_string);
    }
    free(logon_string);
    free(principal_string);
    return ret;
out:
    krb5_storage_free(sp);
    return ret;
}

/*
 *
 */

static krb5_error_code
build_logon_name(krb5_context context,
		 time_t authtime,
		 krb5_const_principal principal,
		 krb5_data *logon)
{
    krb5_error_code ret;
    krb5_storage *sp;
    uint64_t t;
    char *s, *s2 = NULL;
    size_t s2_len;

    t = unix2nttime(authtime);

    krb5_data_zero(logon);

    sp = krb5_storage_emem();
    if (sp == NULL)
	return krb5_enomem(context);

    krb5_storage_set_flags(sp, KRB5_STORAGE_BYTEORDER_LE);

    CHECK(ret, krb5_store_uint32(sp, t & 0xffffffff), out);
    CHECK(ret, krb5_store_uint32(sp, t >> 32), out);

    ret = krb5_unparse_name_flags(context, principal,
				  KRB5_PRINCIPAL_UNPARSE_NO_REALM |
				  KRB5_PRINCIPAL_UNPARSE_DISPLAY,
				  &s);
    if (ret)
	goto out;

    {
	size_t ucs2_len;
	uint16_t *ucs2;
	unsigned int flags;

	ret = wind_utf8ucs2_length(s, &ucs2_len);
	if (ret) {
	    krb5_set_error_message(context, ret, "Principal %s is not valid UTF-8", s);
	    free(s);
	    return ret;
	}

	ucs2 = malloc(sizeof(ucs2[0]) * ucs2_len);
	if (ucs2 == NULL) {
	    free(s);
	    return krb5_enomem(context);
	}

	ret = wind_utf8ucs2(s, ucs2, &ucs2_len);
	if (ret) {
	    free(ucs2);
	    krb5_set_error_message(context, ret, "Principal %s is not valid UTF-8", s);
	    free(s);
	    return ret;
	} else
	    free(s);

	s2_len = (ucs2_len + 1) * 2;
	s2 = malloc(s2_len);
	if (s2 == NULL) {
	    free(ucs2);
	    return krb5_enomem(context);
	}

	flags = WIND_RW_LE;
	ret = wind_ucs2write(ucs2, ucs2_len,
			     &flags, s2, &s2_len);
	free(ucs2);
	if (ret) {
	    free(s2);
	    krb5_set_error_message(context, ret, "Failed to write to UCS-2 buffer");
	    return ret;
	}

	/*
	 * we do not want zero termination
	 */
	s2_len = ucs2_len * 2;
    }

    CHECK(ret, krb5_store_uint16(sp, s2_len), out);

    ret = krb5_storage_write(sp, s2, s2_len);
    if (ret != (int)s2_len) {
	ret = krb5_enomem(context);
	goto out;
    }
    ret = krb5_storage_to_data(sp, logon);

 out:
    free(s2);
    krb5_storage_free(sp);
    return ret;
}

static krb5_error_code
parse_attributes_info(krb5_context context,
		      const struct PAC_INFO_BUFFER *attributes_info,
		      const krb5_data *data,
		      uint64_t *pac_attributes)
{
    krb5_error_code ret;
    krb5_storage *sp = NULL;
    uint32_t flags_length;

    *pac_attributes = 0;

    sp = krb5_storage_from_readonly_mem((const char *)data->data + attributes_info->offset,
					attributes_info->buffersize);
    if (sp == NULL)
	return krb5_enomem(context);

    krb5_storage_set_flags(sp, KRB5_STORAGE_BYTEORDER_LE);

    ret = krb5_ret_uint32(sp, &flags_length);
    if (ret == 0) {
	if (flags_length > 32)
	    ret = krb5_ret_uint64(sp, pac_attributes);
	else {
	    uint32_t pac_attributes32 = 0;
	    ret = krb5_ret_uint32(sp, &pac_attributes32);
	    *pac_attributes = pac_attributes32;
	}
    }

    krb5_storage_free(sp);

    return ret;
}

/**
 * Verify the PAC.
 *
 * @param context Kerberos 5 context.
 * @param pac the pac structure returned by krb5_pac_parse().
 * @param authtime The time of the ticket the PAC belongs to.
 * @param principal the principal to verify.
 * @param server The service key, may be given.
 * @param privsvr The KDC key, may be given.

 * @return Returns 0 to indicate success. Otherwise an kerberos et
 * error code is returned, see krb5_get_error_message().
 *
 * @ingroup krb5_pac
 */

KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_pac_verify(krb5_context context,
		const krb5_pac pac,
		time_t authtime,
		krb5_const_principal principal,
		const krb5_keyblock *server,
		const krb5_keyblock *privsvr)
{
    krb5_error_code ret;
    /*
     * If we are in the KDC, we expect back a full signature in the PAC
     *
     * This is set up as a seperate variable to make it easier if a
     * subsequent patch is added to make this configurable in the
     * krb5.conf (or forced into the krb5_context via Samba)
     */
    krb5_boolean expect_full_sig = privsvr != NULL;

    /*
     * If we are on the KDC, then we trust we are not in a realm with
     * buggy Windows 2008 or similar era DCs that give our HMAC-MD5
     * sigatures over AES keys.  DES is also already gone.
     */
    krb5_boolean strict_cksumtype_match = expect_full_sig;

    if (pac->server_checksum == NULL) {
	krb5_set_error_message(context, EINVAL, "PAC missing server checksum");
	return EINVAL;
    }
    if (pac->privsvr_checksum == NULL) {
	krb5_set_error_message(context, EINVAL, "PAC missing kdc checksum");
	return EINVAL;
    }
    if (pac->logon_name == NULL) {
	krb5_set_error_message(context, EINVAL, "PAC missing logon name");
	return EINVAL;
    }
    if (expect_full_sig && pac->full_checksum == NULL) {
	krb5_set_error_message(context, EINVAL, "PAC missing full checksum");
	return EINVAL;
    }

    if (principal != NULL) {
	ret = verify_logonname(context, pac->logon_name, &pac->data, authtime,
			       principal);
	if (ret)
	    return ret;
    }

    if (pac->server_checksum->buffersize < 4 ||
        pac->privsvr_checksum->buffersize < 4)
	return EINVAL;

    if (server != NULL || privsvr != NULL)
    {
	krb5_data *copy;

	/*
	 * in the service case, clean out data option of the privsvr and
	 * server checksum before checking the checksum.
	 */

	ret = krb5_copy_data(context, &pac->data, &copy);
	if (ret)
	    return ret;

	memset((char *)copy->data + pac->server_checksum->offset + 4,
	       0,
	       pac->server_checksum->buffersize - 4);

	memset((char *)copy->data + pac->privsvr_checksum->offset + 4,
	       0,
	       pac->privsvr_checksum->buffersize - 4);

	if (server != NULL) {
	    ret = verify_checksum(context,
				  pac->server_checksum,
				  &pac->data,
				  copy->data,
				  copy->length,
				  server,
				  strict_cksumtype_match);
	    if (ret) {
		krb5_free_data(context, copy);
		return ret;
	    }
	}

	if (privsvr != NULL && pac->full_checksum != NULL) {
	    /*
	     * in the full checksum case, also clean out the full
	     * checksum before verifying it.
	     */
	    memset((char *)copy->data + pac->full_checksum->offset + 4,
		   0,
		   pac->full_checksum->buffersize - 4);

	    ret = verify_checksum(context,
				  pac->full_checksum,
				  &pac->data,
				  copy->data,
				  copy->length,
				  privsvr,
				  strict_cksumtype_match);
	    if (ret) {
		krb5_free_data(context, copy);
		return ret;
	    }
	}

	krb5_free_data(context, copy);
    }
    if (privsvr) {
	/* The priv checksum covers the server checksum */
	ret = verify_checksum(context,
			      pac->privsvr_checksum,
			      &pac->data,
			      (char *)pac->data.data
			      + pac->server_checksum->offset + 4,
			      pac->server_checksum->buffersize - 4,
			      privsvr,
			      strict_cksumtype_match);
	if (ret)
	    return ret;

	if (pac->ticket_sign_data.length != 0) {
	    if (pac->ticket_checksum == NULL) {
		krb5_set_error_message(context, EINVAL,
				       "PAC missing ticket checksum");
		return EINVAL;
	    }

	    ret = verify_checksum(context, pac->ticket_checksum, &pac->data,
				 pac->ticket_sign_data.data,
				 pac->ticket_sign_data.length, privsvr,
				 strict_cksumtype_match);
	    if (ret)
		return ret;
	}
    }

    if (pac->upn_dns_info &&
	pac->upn_princ == NULL && pac->canon_princ == NULL && pac->sid.data == NULL) {
	ret = parse_upn_dns_info(context, pac->upn_dns_info, &pac->data,
				 &pac->upn_princ, &pac->upn_flags,
				 &pac->canon_princ, &pac->sid);
	if (ret)
	    return ret;
    }

    if (pac->attributes_info) {
	ret = parse_attributes_info(context, pac->attributes_info, &pac->data,
				    &pac->pac_attributes);
	if (ret)
	    return ret;
    }

    return 0;
}

/*
 *
 */

static krb5_error_code
fill_zeros(krb5_context context, krb5_storage *sp, size_t len)
{
    ssize_t sret;
    size_t l;

    while (len) {
	l = len;
	if (l > sizeof(zeros))
	    l = sizeof(zeros);
	sret = krb5_storage_write(sp, zeros, l);
	if (sret != l)
	    return krb5_enomem(context);

	len -= sret;
    }
    return 0;
}

static krb5_error_code
pac_checksum(krb5_context context,
	     const krb5_keyblock *key,
	     uint32_t *cksumtype,
	     size_t *cksumsize)
{
    krb5_cksumtype cktype;
    krb5_error_code ret;
    krb5_crypto crypto = NULL;

    ret = krb5_crypto_init(context, key, 0, &crypto);
    if (ret)
	return ret;

    ret = krb5_crypto_get_checksum_type(context, crypto, &cktype);
    krb5_crypto_destroy(context, crypto);
    if (ret)
	return ret;

    if (krb5_checksum_is_keyed(context, cktype) == FALSE) {
	*cksumtype = CKSUMTYPE_HMAC_MD5;
	*cksumsize = 16;
    }

    ret = krb5_checksumsize(context, cktype, cksumsize);
    if (ret)
	return ret;

    *cksumtype = (uint32_t)cktype;

    return 0;
}

KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
_krb5_pac_sign(krb5_context context,
	       krb5_pac p,
	       time_t authtime,
	       krb5_const_principal principal,
	       const krb5_keyblock *server_key,
	       const krb5_keyblock *priv_key,
	       uint16_t rodc_id,
	       krb5_const_principal upn_princ,
	       krb5_const_principal canon_princ,
	       krb5_boolean add_full_sig,
	       uint64_t *pac_attributes, /* optional */
	       krb5_data *data)
{
    krb5_error_code ret;
    krb5_storage *sp = NULL, *spdata = NULL;
    uint32_t end;
    size_t server_size, priv_size;
    uint32_t server_offset = 0, priv_offset = 0, ticket_offset = 0, full_offset = 0;
    uint32_t server_cksumtype = 0, priv_cksumtype = 0;
    uint32_t num = 0;
    uint32_t i, sz;
    krb5_data logon, d;

    krb5_data_zero(&d);
    krb5_data_zero(&logon);

    /*
     * Set convenience buffer pointers.
     *
     * This could really stand to be moved to krb5_pac_add_buffer() and/or
     * utility function, so that when this function gets called they must
     * already have been set.
     */
    for (i = 0; i < p->pac->numbuffers; i++) {
	if (p->pac->buffers[i].type == PAC_SERVER_CHECKSUM) {
	    if (p->server_checksum == NULL) {
		p->server_checksum = &p->pac->buffers[i];
	    }
	    if (p->server_checksum != &p->pac->buffers[i]) {
		ret = KRB5KDC_ERR_BADOPTION;
		krb5_set_error_message(context, ret,
				       N_("PAC has multiple server checksums", ""));
		goto out;
	    }
	} else if (p->pac->buffers[i].type == PAC_PRIVSVR_CHECKSUM) {
	    if (p->privsvr_checksum == NULL) {
		p->privsvr_checksum = &p->pac->buffers[i];
	    }
	    if (p->privsvr_checksum != &p->pac->buffers[i]) {
		ret = KRB5KDC_ERR_BADOPTION;
		krb5_set_error_message(context, ret,
				       N_("PAC has multiple KDC checksums", ""));
		goto out;
	    }
	} else if (p->pac->buffers[i].type == PAC_LOGON_NAME) {
	    if (p->logon_name == NULL) {
		p->logon_name = &p->pac->buffers[i];
	    }
	    if (p->logon_name != &p->pac->buffers[i]) {
		ret = KRB5KDC_ERR_BADOPTION;
		krb5_set_error_message(context, ret,
				       N_("PAC has multiple logon names", ""));
		goto out;
	    }
	} else if (p->pac->buffers[i].type == PAC_UPN_DNS_INFO) {
	    if (p->upn_dns_info == NULL) {
		p->upn_dns_info = &p->pac->buffers[i];
	    }
	    if (p->upn_dns_info != &p->pac->buffers[i]) {
		ret = KRB5KDC_ERR_BADOPTION;
		krb5_set_error_message(context, ret,
				       N_("PAC has multiple UPN DNS info buffers", ""));
		goto out;
	    }
	} else if (p->pac->buffers[i].type == PAC_TICKET_CHECKSUM) {
	    if (p->ticket_checksum == NULL) {
		p->ticket_checksum = &p->pac->buffers[i];
	    }
	    if (p->ticket_checksum != &p->pac->buffers[i]) {
		ret = KRB5KDC_ERR_BADOPTION;
		krb5_set_error_message(context, ret,
				       N_("PAC has multiple ticket checksums", ""));
		goto out;
	    }
	} else if (p->pac->buffers[i].type == PAC_ATTRIBUTES_INFO) {
	    if (p->attributes_info == NULL) {
		p->attributes_info = &p->pac->buffers[i];
	    }
	    if (p->attributes_info != &p->pac->buffers[i]) {
		ret = KRB5KDC_ERR_BADOPTION;
		krb5_set_error_message(context, ret,
				       N_("PAC has multiple attributes info buffers", ""));
		goto out;
	    }
	} else if (p->pac->buffers[i].type == PAC_FULL_CHECKSUM) {
	    if (p->full_checksum == NULL) {
		p->full_checksum = &p->pac->buffers[i];
	    }
	    if (p->full_checksum != &p->pac->buffers[i]) {
		ret = KRB5KDC_ERR_BADOPTION;
		krb5_set_error_message(context, ret,
				       N_("PAC has multiple full checksums", ""));
		goto out;
	    }
	}
    }

    /* Count missing-but-necessary buffers */
    if (p->logon_name == NULL)
	num++;
    if (p->server_checksum == NULL)
	num++;
    if (p->privsvr_checksum == NULL)
	num++;
    if (p->ticket_sign_data.length != 0 && p->ticket_checksum == NULL)
	num++;
    if (add_full_sig && p->full_checksum == NULL)
	num++;

    /* Allocate any missing-but-necessary buffers */
    if (num) {
	void *ptr;
	uint32_t old_len, len;

	if (p->pac->numbuffers > UINT32_MAX - num) {
	    ret = EINVAL;
	    krb5_set_error_message(context, ret, "integer overrun");
	    goto out;
	}
	ret = pac_header_size(context, p->pac->numbuffers, &old_len);
        if (ret == 0)
            ret = pac_header_size(context, p->pac->numbuffers + num, &len);
	if (ret)
	    goto out;

	ptr = realloc(p->pac, len);
	if (ptr == NULL) {
	    ret = krb5_enomem(context);
            goto out;
        }
        memset((char *)ptr + old_len, 0, len - old_len);
	p->pac = ptr;


	if (p->logon_name == NULL) {
	    p->logon_name = &p->pac->buffers[p->pac->numbuffers++];
	    p->logon_name->type = PAC_LOGON_NAME;
	}
	if (p->server_checksum == NULL) {
	    p->server_checksum = &p->pac->buffers[p->pac->numbuffers++];
	    p->server_checksum->type = PAC_SERVER_CHECKSUM;
	}
	if (p->privsvr_checksum == NULL) {
	    p->privsvr_checksum = &p->pac->buffers[p->pac->numbuffers++];
	    p->privsvr_checksum->type = PAC_PRIVSVR_CHECKSUM;
	}
	if (p->ticket_sign_data.length != 0 && p->ticket_checksum == NULL) {
	    p->ticket_checksum = &p->pac->buffers[p->pac->numbuffers++];
	    p->ticket_checksum->type = PAC_TICKET_CHECKSUM;
	}
	if (add_full_sig && p->full_checksum == NULL) {
	    p->full_checksum = &p->pac->buffers[p->pac->numbuffers++];
	    memset(p->full_checksum, 0, sizeof(*p->full_checksum));
	    p->full_checksum->type = PAC_FULL_CHECKSUM;
	}
    }

    /* Calculate LOGON NAME */
    ret = build_logon_name(context, authtime, principal, &logon);

    /* Set lengths for checksum */
    if (ret == 0)
        ret = pac_checksum(context, server_key, &server_cksumtype, &server_size);

    if (ret == 0)
        ret = pac_checksum(context, priv_key, &priv_cksumtype, &priv_size);

    /* Encode PAC */
    if (ret == 0) {
        sp = krb5_storage_emem();
        if (sp == NULL)
            ret = krb5_enomem(context);
    }

    if (ret == 0) {
        krb5_storage_set_flags(sp, KRB5_STORAGE_BYTEORDER_LE);
        spdata = krb5_storage_emem();
        if (spdata == NULL)
            ret = krb5_enomem(context);
    }

    if (ret)
        goto out;

    krb5_storage_set_flags(spdata, KRB5_STORAGE_BYTEORDER_LE);

    /* `sp' has the header, `spdata' has the buffers */
    CHECK(ret, krb5_store_uint32(sp, p->pac->numbuffers), out);
    CHECK(ret, krb5_store_uint32(sp, p->pac->version), out);

    ret = pac_header_size(context, p->pac->numbuffers, &end);
    if (ret)
        goto out;

    /*
     * For each buffer we write its contents to `spdata' and then append the
     * PAC_INFO_BUFFER for that buffer into the header in `sp'.  The logical
     * end of the whole thing is kept in `end', which functions as the offset
     * to write in the buffer's PAC_INFO_BUFFER, then we update it at the
     * bottom so that the next buffer can be written there.
     *
     * TODO?  Maybe rewrite all of this so that:
     *
     *  - we use krb5_pac_add_buffer() to add the buffers we produce
     *  - we use the krb5_data of the concatenated buffers that's maintained by
     *    krb5_pac_add_buffer() so we don't need `spdata' here
     *
     * We do way too much here, and that makes this code hard to read.  Plus we
     * throw away all the work done in krb5_pac_add_buffer().  On the other
     * hand, krb5_pac_add_buffer() has to loop over all the buffers, so if we
     * call krb5_pac_add_buffer() here in a loop, we'll be accidentally
     * quadratic, but we only need to loop over adding the buffers we add,
     * which is very few, so not quite quadratic.  We should also cap the
     * number of buffers we're willing to accept in a PAC we parse to something
     * reasonable, like a few tens.
     */
    for (i = 0; i < p->pac->numbuffers; i++) {
	uint32_t len;
	size_t sret;
	void *ptr = NULL;

	/* store data */

	if (p->pac->buffers[i].type == PAC_SERVER_CHECKSUM) {
	    if (server_size > UINT32_MAX - 4) {
		ret = EINVAL;
		krb5_set_error_message(context, ret, "integer overrun");
		goto out;
	    }
	    len = server_size + 4;
	    if (end > UINT32_MAX - 4) {
		ret = EINVAL;
		krb5_set_error_message(context, ret, "integer overrun");
		goto out;
	    }
	    server_offset = end + 4;
	    CHECK(ret, krb5_store_uint32(spdata, server_cksumtype), out);
	    CHECK(ret, fill_zeros(context, spdata, server_size), out);
	} else if (p->pac->buffers[i].type == PAC_PRIVSVR_CHECKSUM) {
	    if (priv_size > UINT32_MAX - 4) {
		ret = EINVAL;
		krb5_set_error_message(context, ret, "integer overrun");
		goto out;
	    }
	    len = priv_size + 4;
	    if (end > UINT32_MAX - 4) {
		ret = EINVAL;
		krb5_set_error_message(context, ret, "integer overrun");
		goto out;
	    }
	    priv_offset = end + 4;
	    CHECK(ret, krb5_store_uint32(spdata, priv_cksumtype), out);
	    CHECK(ret, fill_zeros(context, spdata, priv_size), out);
	    if (rodc_id != 0) {
		if (len > UINT32_MAX - sizeof(rodc_id)) {
		    ret = EINVAL;
		    krb5_set_error_message(context, ret, "integer overrun");
		    goto out;
		}
		len += sizeof(rodc_id);
		CHECK(ret, fill_zeros(context, spdata, sizeof(rodc_id)), out);
	    }
	} else if (p->ticket_sign_data.length != 0 &&
		   p->pac->buffers[i].type == PAC_TICKET_CHECKSUM) {
	    if (priv_size > UINT32_MAX - 4) {
		ret = EINVAL;
		krb5_set_error_message(context, ret, "integer overrun");
		goto out;
	    }
	    len = priv_size + 4;
	    if (end > UINT32_MAX - 4) {
		ret = EINVAL;
		krb5_set_error_message(context, ret, "integer overrun");
		goto out;
	    }
	    ticket_offset = end + 4;
	    CHECK(ret, krb5_store_uint32(spdata, priv_cksumtype), out);
	    CHECK(ret, fill_zeros(context, spdata, priv_size), out);
	    if (rodc_id != 0) {
		if (len > UINT32_MAX - sizeof(rodc_id)) {
		    ret = EINVAL;
		    krb5_set_error_message(context, ret, "integer overrun");
		    goto out;
		}
		len += sizeof(rodc_id);
		CHECK(ret, krb5_store_uint16(spdata, rodc_id), out);
	    }
	} else if (add_full_sig &&
		   p->pac->buffers[i].type == PAC_FULL_CHECKSUM) {
	    if (priv_size > UINT32_MAX - 4) {
		ret = EINVAL;
		krb5_set_error_message(context, ret, "integer overrun");
		goto out;
	    }
	    len = priv_size + 4;
	    if (end > UINT32_MAX - 4) {
		ret = EINVAL;
		krb5_set_error_message(context, ret, "integer overrun");
		goto out;
	    }
	    full_offset = end + 4;
	    CHECK(ret, krb5_store_uint32(spdata, priv_cksumtype), out);
	    CHECK(ret, fill_zeros(context, spdata, priv_size), out);
	    if (rodc_id != 0) {
		if (len > UINT32_MAX - sizeof(rodc_id)) {
		    ret = EINVAL;
		    krb5_set_error_message(context, ret, "integer overrun");
		    goto out;
		}
		len += sizeof(rodc_id);
		CHECK(ret, fill_zeros(context, spdata, sizeof(rodc_id)), out);
	    }
	} else if (p->pac->buffers[i].type == PAC_LOGON_NAME) {
	    len = krb5_storage_write(spdata, logon.data, logon.length);
	    if (logon.length != len) {
		ret = KRB5KDC_ERR_BADOPTION;
		goto out;
	    }
	} else {
	    len = p->pac->buffers[i].buffersize;
	    ptr = (char *)p->data.data + p->pac->buffers[i].offset;

	    sret = krb5_storage_write(spdata, ptr, len);
	    if (sret != len) {
		ret = krb5_enomem(context);
		goto out;
	    }
	    /* XXX if not aligned, fill_zeros */
	}

	/* write header */
	CHECK(ret, krb5_store_uint32(sp, p->pac->buffers[i].type), out);
	CHECK(ret, krb5_store_uint32(sp, len), out);
	CHECK(ret, krb5_store_uint64(sp, end), out); /* offset */

	/* advance data endpointer and align */
	{
	    uint32_t e;

	    ret = pac_aligned_size(context, end, len, &e);
            if (ret == 0 && end + len != e)
                ret = fill_zeros(context, spdata, e - (end + len));
	    if (ret)
		goto out;
	    end = e;
	}

    }

    /* assert (server_offset != 0 && priv_offset != 0); */

    /* export PAC */
    if (ret == 0)
        ret = krb5_storage_to_data(spdata, &d);
    if (ret == 0) {
        sz = krb5_storage_write(sp, d.data, d.length);
        if (sz != d.length) {
            krb5_data_free(&d);
            ret = krb5_enomem(context);
            goto out;
        }
    }
    krb5_data_free(&d);

    if (ret == 0)
        ret = krb5_storage_to_data(sp, &d);

    /* sign */
    if (ret == 0 && p->ticket_sign_data.length)
	ret = create_checksum(context, priv_key, priv_cksumtype,
			      p->ticket_sign_data.data,
			      p->ticket_sign_data.length,
			      (char *)d.data + ticket_offset, priv_size);
    if (ret == 0 && add_full_sig)
        ret = create_checksum(context, priv_key, priv_cksumtype,
                              d.data, d.length,
                              (char *)d.data + full_offset, priv_size);
    if (ret == 0 && add_full_sig && rodc_id != 0) {
	void *buf = (char *)d.data + full_offset + priv_size;
	krb5_storage *rs = krb5_storage_from_mem(buf, sizeof(rodc_id));
	if (rs == NULL)
	    ret = krb5_enomem(context);
        else
            krb5_storage_set_flags(rs, KRB5_STORAGE_BYTEORDER_LE);
        if (ret == 0)
            ret = krb5_store_uint16(rs, rodc_id);
	krb5_storage_free(rs);
    }
    if (ret == 0)
        ret = create_checksum(context, server_key, server_cksumtype,
                              d.data, d.length,
                              (char *)d.data + server_offset, server_size);
    if (ret == 0)
        ret = create_checksum(context, priv_key, priv_cksumtype,
                              (char *)d.data + server_offset, server_size,
                              (char *)d.data + priv_offset, priv_size);
    if (ret == 0 && rodc_id != 0) {
	void *buf = (char *)d.data + priv_offset + priv_size;
	krb5_storage *rs = krb5_storage_from_mem(buf, sizeof(rodc_id));
	if (rs == NULL)
	    ret = krb5_enomem(context);
        else
            krb5_storage_set_flags(rs, KRB5_STORAGE_BYTEORDER_LE);
        if (ret == 0)
            ret = krb5_store_uint16(rs, rodc_id);
	krb5_storage_free(rs);
    }

    if (ret)
        goto out;

    /* done */
    *data = d;

    krb5_data_free(&logon);
    krb5_storage_free(sp);
    krb5_storage_free(spdata);

    return 0;
out:
    krb5_data_free(&d);
    krb5_data_free(&logon);
    if (sp)
	krb5_storage_free(sp);
    if (spdata)
	krb5_storage_free(spdata);
    return ret;
}

KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_pac_get_kdc_checksum_info(krb5_context context,
			       krb5_const_pac pac,
			       krb5_cksumtype *cstype,
			       uint16_t *rodc_id)
{
    krb5_error_code ret;
    krb5_storage *sp = NULL;
    const struct PAC_INFO_BUFFER *sig;
    size_t cksumsize, prefix;
    uint32_t type = 0;

    *cstype = 0;
    *rodc_id = 0;

    sig = pac->privsvr_checksum;
    if (sig == NULL) {
	krb5_set_error_message(context, KRB5KDC_ERR_BADOPTION,
			       "PAC missing kdc checksum");
	return KRB5KDC_ERR_BADOPTION;
    }

    sp = krb5_storage_from_mem((char *)pac->data.data + sig->offset,
			       sig->buffersize);
    if (sp == NULL)
	return krb5_enomem(context);

    krb5_storage_set_flags(sp, KRB5_STORAGE_BYTEORDER_LE);

    ret = krb5_ret_uint32(sp, &type);
    if (ret)
	goto out;

    ret = krb5_checksumsize(context, type, &cksumsize);
    if (ret)
	goto out;

    prefix = krb5_storage_seek(sp, 0, SEEK_CUR);

    if ((sig->buffersize - prefix) >= cksumsize + 2) {
	krb5_storage_seek(sp, cksumsize, SEEK_CUR);
	ret = krb5_ret_uint16(sp, rodc_id);
	if (ret)
	    goto out;
    }

    *cstype = type;

out:
    krb5_storage_free(sp);

    return ret;
}


KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
_krb5_pac_get_canon_principal(krb5_context context,
			      krb5_const_pac pac,
			      krb5_principal *canon_princ)
{
    *canon_princ = NULL;

    if (pac->canon_princ == NULL) {
	krb5_set_error_message(context, ENOENT,
			       "PAC missing UPN DNS info buffer");
	return ENOENT;
    }

    return krb5_copy_principal(context, pac->canon_princ, canon_princ);
}

KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
_krb5_pac_get_attributes_info(krb5_context context,
			      krb5_const_pac pac,
			      uint64_t *pac_attributes)
{
    *pac_attributes = 0;

    if (pac->attributes_info == NULL) {
	krb5_set_error_message(context, ENOENT,
			       "PAC missing attributes info buffer");
	return ENOENT;
    }

    *pac_attributes = pac->pac_attributes;

    return 0;
}

static unsigned char single_zero = '\0';
static krb5_data single_zero_pac = { 1, &single_zero };

KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
_krb5_kdc_pac_ticket_parse(krb5_context context,
			   EncTicketPart *tkt,
			   krb5_boolean *signedticket,
			   krb5_pac *ppac)
{
    AuthorizationData *ad = tkt->authorization_data;
    krb5_pac pac = NULL;
    unsigned i, j;
    size_t len = 0;
    krb5_error_code ret = 0;

    *signedticket = FALSE;
    *ppac = NULL;

    if (ad == NULL || ad->len == 0)
	return 0;

    for (i = 0; i < ad->len; i++) {
	AuthorizationData child;

	if (ad->val[i].ad_type == KRB5_AUTHDATA_WIN2K_PAC) {
	    ret = KRB5KDC_ERR_BADOPTION;
	    goto out;
	}

	if (ad->val[i].ad_type != KRB5_AUTHDATA_IF_RELEVANT)
	    continue;

	ret = decode_AuthorizationData(ad->val[i].ad_data.data,
				       ad->val[i].ad_data.length,
				       &child,
				       NULL);
	if (ret) {
	    krb5_set_error_message(context, ret, "Failed to decode "
				   "AD-IF-RELEVANT with %d", ret);
	    goto out;
	}

	for (j = 0; j < child.len; j++) {
	    krb5_data adifr_data = ad->val[i].ad_data;
	    krb5_data pac_data = child.val[j].ad_data;
	    krb5_data recoded_adifr;

	    if (child.val[j].ad_type != KRB5_AUTHDATA_WIN2K_PAC)
		continue;

	    if (pac != NULL) {
		free_AuthorizationData(&child);
		ret = KRB5KDC_ERR_BADOPTION;
		goto out;
	    }

	    ret = krb5_pac_parse(context,
				 pac_data.data,
				 pac_data.length,
				 &pac);
	    if (ret) {
		free_AuthorizationData(&child);
		goto out;
	    }

	    if (pac->ticket_checksum == NULL)
		continue;

	    /*
	     * Encode the ticket with the PAC replaced with a single zero
	     * byte, to be used as input data to the ticket signature.
	     */

	    child.val[j].ad_data = single_zero_pac;

	    ASN1_MALLOC_ENCODE(AuthorizationData, recoded_adifr.data,
			       recoded_adifr.length, &child, &len, ret);
	    if (recoded_adifr.length != len)
		krb5_abortx(context, "Internal error in ASN.1 encoder");

	    child.val[j].ad_data = pac_data;

	    if (ret) {
		free_AuthorizationData(&child);
		goto out;
	    }

	    ad->val[i].ad_data = recoded_adifr;

	    ASN1_MALLOC_ENCODE(EncTicketPart,
			       pac->ticket_sign_data.data,
			       pac->ticket_sign_data.length, tkt, &len,
			       ret);
	    if (pac->ticket_sign_data.length != len)
		krb5_abortx(context, "Internal error in ASN.1 encoder");

	    ad->val[i].ad_data = adifr_data;
	    krb5_data_free(&recoded_adifr);

	    if (ret) {
		free_AuthorizationData(&child);
		goto out;
	    }

	    *signedticket = TRUE;
	}
	free_AuthorizationData(&child);
    }

out:
    if (ret) {
	krb5_pac_free(context, pac);
	return ret;
    }

    *ppac = pac;

    return 0;
}

KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
_krb5_kdc_pac_sign_ticket(krb5_context context,
			  const krb5_pac pac,
			  krb5_const_principal client,
			  const krb5_keyblock *server_key,
			  const krb5_keyblock *kdc_key,
			  uint16_t rodc_id,
			  krb5_const_principal upn,
			  krb5_const_principal canon_name,
			  krb5_boolean add_ticket_sig,
			  krb5_boolean add_full_sig,
			  EncTicketPart *tkt,
			  uint64_t *pac_attributes) /* optional */
{
    krb5_error_code ret;
    krb5_data tkt_data;
    krb5_data rspac;

    krb5_data_zero(&rspac);
    krb5_data_zero(&tkt_data);

    krb5_data_free(&pac->ticket_sign_data);

    if (add_ticket_sig) {
	size_t len = 0;

	ret = _kdc_tkt_insert_pac(context, tkt, &single_zero_pac);
	if (ret)
	    return ret;

	ASN1_MALLOC_ENCODE(EncTicketPart, tkt_data.data, tkt_data.length,
			   tkt, &len, ret);
	if(tkt_data.length != len)
	    krb5_abortx(context, "Internal error in ASN.1 encoder");
	if (ret)
	    return ret;

	ret = remove_AuthorizationData(tkt->authorization_data, 0);
	if (ret) {
	    krb5_data_free(&tkt_data);
	    return ret;
	}

	pac->ticket_sign_data = tkt_data;
    }

    ret = _krb5_pac_sign(context, pac, tkt->authtime, client, server_key,
			 kdc_key, rodc_id, upn, canon_name,
			 add_full_sig,
			 pac_attributes, &rspac);
    if (ret == 0)
        ret = _kdc_tkt_insert_pac(context, tkt, &rspac);
    krb5_data_free(&rspac);
    return ret;
}