2 * Copyright (c) 1997 - 2002 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
17 * 3. Neither the name of the Institute nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
21 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
34 #include <krb5_locl.h>
39 krb5_mk_req_internal(krb5_context context
,
40 krb5_auth_context
*auth_context
,
41 const krb5_flags ap_req_options
,
45 krb5_key_usage checksum_usage
,
46 krb5_key_usage encrypt_usage
)
49 krb5_data authenticator
;
55 if(*auth_context
== NULL
)
56 ret
= krb5_auth_con_init(context
, auth_context
);
61 ret
= krb5_auth_con_init(context
, &ac
);
65 if(ac
->local_subkey
== NULL
&& (ap_req_options
& AP_OPTS_USE_SUBKEY
)) {
66 ret
= krb5_auth_con_generatelocalsubkey(context
, ac
, &in_creds
->session
);
73 /* This is somewhat bogus since we're possibly overwriting a
74 value specified by the user, but it's the easiest way to make
75 the code use a compatible enctype */
77 krb5_keytype ticket_keytype
;
79 ret
= decode_Ticket(in_creds
->ticket
.data
,
80 in_creds
->ticket
.length
,
83 krb5_enctype_to_keytype (context
,
84 ticket
.enc_part
.etype
,
87 if (ticket_keytype
== in_creds
->session
.keytype
)
88 krb5_auth_setenctype(context
,
90 ticket
.enc_part
.etype
);
95 krb5_free_keyblock(context
, ac
->keyblock
);
96 krb5_copy_keyblock(context
, &in_creds
->session
, &ac
->keyblock
);
98 /* it's unclear what type of checksum we can use. try the best one, except:
99 * a) if it's configured differently for the current realm, or
100 * b) if the session key is des-cbc-crc
104 if(ac
->keyblock
->keytype
== ETYPE_DES_CBC_CRC
) {
105 /* this is to make DCE secd (and older MIT kdcs?) happy */
106 ret
= krb5_create_checksum(context
,
113 } else if(ac
->keyblock
->keytype
== ETYPE_ARCFOUR_HMAC_MD5
) {
114 /* this is to make MS kdc happy */
115 ret
= krb5_create_checksum(context
,
125 ret
= krb5_crypto_init(context
, ac
->keyblock
, 0, &crypto
);
128 ret
= krb5_create_checksum(context
,
136 krb5_crypto_destroy(context
, crypto
);
143 ret
= krb5_build_authenticator (context
,
145 ac
->keyblock
->keytype
,
152 free_Checksum (c_opt
);
156 ret
= krb5_build_ap_req (context
, ac
->keyblock
->keytype
,
157 in_creds
, ap_req_options
, authenticator
, outbuf
);
158 if(auth_context
== NULL
)
159 krb5_auth_con_free(context
, ac
);
164 krb5_mk_req_extended(krb5_context context
,
165 krb5_auth_context
*auth_context
,
166 const krb5_flags ap_req_options
,
168 krb5_creds
*in_creds
,
171 return krb5_mk_req_internal (context
,
177 KRB5_KU_AP_REQ_AUTH_CKSUM
,
178 KRB5_KU_AP_REQ_AUTH
);