crypto/heimdal/lib/krb5/mk_req_ext.c

   1 /*
   2  * Copyright (c) 1997 - 2002 Kungliga Tekniska Högskolan
   3  * (Royal Institute of Technology, Stockholm, Sweden).
   4  * All rights reserved.
   5  *
   6  * Redistribution and use in source and binary forms, with or without
   7  * modification, are permitted provided that the following conditions
   8  * are met:
   9  *
  10  * 1. Redistributions of source code must retain the above copyright
  11  *    notice, this list of conditions and the following disclaimer.
  12  *
  13  * 2. Redistributions in binary form must reproduce the above copyright
  14  *    notice, this list of conditions and the following disclaimer in the
  15  *    documentation and/or other materials provided with the distribution.
  16  *
  17  * 3. Neither the name of the Institute nor the names of its contributors
  18  *    may be used to endorse or promote products derived from this software
  19  *    without specific prior written permission.
  20  *
  21  * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
  22  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  23  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
  24  * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
  25  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
  26  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
  27  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  28  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
  29  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
  30  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  31  * SUCH DAMAGE.
  32  */
  33
  34 #include <krb5_locl.h>
  35
  36 RCSID("$Id: mk_req_ext.c 19511 2006-12-27 12:07:22Z lha $");
  37
  38 krb5_error_code
  39 _krb5_mk_req_internal(krb5_context context,
  40                       krb5_auth_context *auth_context,
  41                       const krb5_flags ap_req_options,
  42                       krb5_data *in_data,
  43                       krb5_creds *in_creds,
  44                       krb5_data *outbuf,
  45                       krb5_key_usage checksum_usage,
  46                       krb5_key_usage encrypt_usage)
  47 {
  48     krb5_error_code ret;
  49     krb5_data authenticator;
  50     Checksum c;
  51     Checksum *c_opt;
  52     krb5_auth_context ac;
  53
  54     if(auth_context) {
  55         if(*auth_context == NULL)
  56             ret = krb5_auth_con_init(context, auth_context);
  57         else
  58             ret = 0;
  59         ac = *auth_context;
  60     } else
  61         ret = krb5_auth_con_init(context, &ac);
  62     if(ret)
  63         return ret;
  64
  65     if(ac->local_subkey == NULL && (ap_req_options & AP_OPTS_USE_SUBKEY)) {
  66         ret = krb5_auth_con_generatelocalsubkey(context,
  67                                                 ac,
  68                                                 &in_creds->session);
  69         if(ret)
  70             goto out;
  71     }
  72
  73     krb5_free_keyblock(context, ac->keyblock);
  74     ret = krb5_copy_keyblock(context, &in_creds->session, &ac->keyblock);
  75     if (ret)
  76         goto out;
  77
  78     /* it's unclear what type of checksum we can use.  try the best one, except:
  79      * a) if it's configured differently for the current realm, or
  80      * b) if the session key is des-cbc-crc
  81      */
  82
  83     if (in_data) {
  84         if(ac->keyblock->keytype == ETYPE_DES_CBC_CRC) {
  85             /* this is to make DCE secd (and older MIT kdcs?) happy */
  86             ret = krb5_create_checksum(context,
  87                                        NULL,
  88                                        0,
  89                                        CKSUMTYPE_RSA_MD4,
  90                                        in_data->data,
  91                                        in_data->length,
  92                                        &c);
  93         } else if(ac->keyblock->keytype == ETYPE_ARCFOUR_HMAC_MD5 ||
  94                   ac->keyblock->keytype == ETYPE_ARCFOUR_HMAC_MD5_56 ||
  95                   ac->keyblock->keytype == ETYPE_DES_CBC_MD4 ||
  96                   ac->keyblock->keytype == ETYPE_DES_CBC_MD5) {
  97             /* this is to make MS kdc happy */
  98             ret = krb5_create_checksum(context,
  99                                        NULL,
 100                                        0,
 101                                        CKSUMTYPE_RSA_MD5,
 102                                        in_data->data,
 103                                        in_data->length,
 104                                        &c);
 105         } else {
 106             krb5_crypto crypto;
 107
 108             ret = krb5_crypto_init(context, ac->keyblock, 0, &crypto);
 109             if (ret)
 110                 goto out;
 111             ret = krb5_create_checksum(context,
 112                                        crypto,
 113                                        checksum_usage,
 114                                        0,
 115                                        in_data->data,
 116                                        in_data->length,
 117                                        &c);
 118             krb5_crypto_destroy(context, crypto);
 119         }
 120         c_opt = &c;
 121     } else {
 122         c_opt = NULL;
 123     }
 124
 125     if (ret)
 126         goto out;
 127
 128     ret = krb5_build_authenticator (context,
 129                                     ac,
 130                                     ac->keyblock->keytype,
 131                                     in_creds,
 132                                     c_opt,
 133                                     NULL,
 134                                     &authenticator,
 135                                     encrypt_usage);
 136     if (c_opt)
 137         free_Checksum (c_opt);
 138     if (ret)
 139         goto out;
 140
 141     ret = krb5_build_ap_req (context, ac->keyblock->keytype,
 142                              in_creds, ap_req_options, authenticator, outbuf);
 143 out:
 144     if(auth_context == NULL)
 145         krb5_auth_con_free(context, ac);
 146     return ret;
 147 }
 148
 149 krb5_error_code KRB5_LIB_FUNCTION
 150 krb5_mk_req_extended(krb5_context context,
 151                      krb5_auth_context *auth_context,
 152                      const krb5_flags ap_req_options,
 153                      krb5_data *in_data,
 154                      krb5_creds *in_creds,
 155                      krb5_data *outbuf)
 156 {
 157     return _krb5_mk_req_internal (context,
 158                                  auth_context,
 159                                  ap_req_options,
 160                                  in_data,
 161                                  in_creds,
 162                                  outbuf,
 163                                  KRB5_KU_AP_REQ_AUTH_CKSUM,
 164                                  KRB5_KU_AP_REQ_AUTH);
 165 }