kdc/fast.c

   1 /*
   2  * Copyright (c) 1997-2007 Kungliga Tekniska Högskolan
   3  * (Royal Institute of Technology, Stockholm, Sweden).
   4  * All rights reserved.
   5  *
   6  * Portions Copyright (c) 2010 Apple Inc. All rights reserved.
   7  *
   8  * Redistribution and use in source and binary forms, with or without
   9  * modification, are permitted provided that the following conditions
  10  * are met:
  11  *
  12  * 1. Redistributions of source code must retain the above copyright
  13  *    notice, this list of conditions and the following disclaimer.
  14  *
  15  * 2. Redistributions in binary form must reproduce the above copyright
  16  *    notice, this list of conditions and the following disclaimer in the
  17  *    documentation and/or other materials provided with the distribution.
  18  *
  19  * 3. Neither the name of the Institute nor the names of its contributors
  20  *    may be used to endorse or promote products derived from this software
  21  *    without specific prior written permission.
  22  *
  23  * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
  24  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  25  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
  26  * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
  27  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
  28  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
  29  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  30  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
  31  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
  32  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  33  * SUCH DAMAGE.
  34  */
  35
  36 #include "kdc_locl.h"
  37
  38 krb5_error_code
  39 _kdc_fast_mk_response(krb5_context context,
  40                       krb5_crypto armor_crypto,
  41                       METHOD_DATA *pa_data,
  42                       krb5_keyblock *strengthen_key,
  43                       KrbFastFinished *finished,
  44                       krb5uint32 nonce,
  45                       krb5_data *data)
  46 {
  47     PA_FX_FAST_REPLY fxfastrep;
  48     KrbFastResponse fastrep;
  49     krb5_error_code ret;
  50     krb5_data buf;
  51     size_t size;
  52
  53     memset(&fxfastrep, 0, sizeof(fxfastrep));
  54     memset(&fastrep, 0, sizeof(fastrep));
  55     krb5_data_zero(data);
  56
  57     if (pa_data) {
  58         fastrep.padata.val = pa_data->val;
  59         fastrep.padata.len = pa_data->len;
  60     }
  61     fastrep.strengthen_key = strengthen_key;
  62     fastrep.finished = finished;
  63     fastrep.nonce = nonce;
  64
  65     ASN1_MALLOC_ENCODE(KrbFastResponse, buf.data, buf.length,
  66                        &fastrep, &size, ret);
  67     if (ret)
  68         return ret;
  69     if (buf.length != size)
  70         krb5_abortx(context, "internal asn.1 error");
  71
  72     fxfastrep.element = choice_PA_FX_FAST_REPLY_armored_data;
  73
  74     ret = krb5_encrypt_EncryptedData(context,
  75                                      armor_crypto,
  76                                      KRB5_KU_FAST_REP,
  77                                      buf.data,
  78                                      buf.length,
  79                                      0,
  80                                      &fxfastrep.u.armored_data.enc_fast_rep);
  81     krb5_data_free(&buf);
  82     if (ret)
  83         return ret;
  84
  85     ASN1_MALLOC_ENCODE(PA_FX_FAST_REPLY, data->data, data->length,
  86                        &fxfastrep, &size, ret);
  87     free_PA_FX_FAST_REPLY(&fxfastrep);
  88     if (ret)
  89         return ret;
  90     if (data->length != size)
  91         krb5_abortx(context, "internal asn.1 error");
  92
  93     return 0;
  94 }
  95
  96
  97 krb5_error_code
  98 _kdc_fast_mk_error(krb5_context context,
  99                    METHOD_DATA *error_method,
 100                    krb5_crypto armor_crypto,
 101                    const KDC_REQ_BODY *req_body,
 102                    krb5_error_code outer_error,
 103                    const char *e_text,
 104                    krb5_principal error_client,
 105                    krb5_principal error_server,
 106                    time_t *csec, int *cusec,
 107                    krb5_data *error_msg)
 108 {
 109     krb5_error_code ret;
 110     krb5_data e_data;
 111     size_t size;
 112
 113     krb5_data_zero(&e_data);
 114
 115     if (armor_crypto) {
 116         PA_FX_FAST_REPLY fxfastrep;
 117         KrbFastResponse fastrep;
 118
 119         memset(&fxfastrep, 0, sizeof(fxfastrep));
 120         memset(&fastrep, 0, sizeof(fastrep));
 121
 122         /* first add the KRB-ERROR to the fast errors */
 123
 124         ret = krb5_mk_error(context,
 125                             outer_error,
 126                             e_text,
 127                             NULL,
 128                             error_client,
 129                             error_server,
 130                             NULL,
 131                             NULL,
 132                             &e_data);
 133         if (ret)
 134             return ret;
 135
 136         ret = krb5_padata_add(context, error_method,
 137                               KRB5_PADATA_FX_ERROR,
 138                               e_data.data, e_data.length);
 139         if (ret) {
 140             krb5_data_free(&e_data);
 141             return ret;
 142         }
 143
 144         if (/* hide_principal */ 0) {
 145             error_client = NULL;
 146             error_server = NULL;
 147             e_text = NULL;
 148         }
 149
 150         ret = krb5_padata_add(context, error_method,
 151                               KRB5_PADATA_FX_COOKIE,
 152                               NULL, 0);
 153         if (ret)
 154             return ret;
 155
 156         ret = _kdc_fast_mk_response(context, armor_crypto,
 157                                     error_method, NULL, NULL,
 158                                     req_body->nonce, &e_data);
 159         free_METHOD_DATA(error_method);
 160         if (ret)
 161             return ret;
 162
 163         ret = krb5_padata_add(context, error_method,
 164                               KRB5_PADATA_FX_FAST,
 165                               e_data.data, e_data.length);
 166         if (ret)
 167             return ret;
 168
 169         if (ret)
 170             return ret;
 171     }
 172
 173     if (error_method && error_method->len) {
 174         ASN1_MALLOC_ENCODE(METHOD_DATA, e_data.data, e_data.length,
 175                            error_method, &size, ret);
 176         if (ret)
 177             return ret;
 178         if (e_data.length != size)
 179             krb5_abortx(context, "internal asn.1 error");
 180     }
 181
 182     ret = krb5_mk_error(context,
 183                         outer_error,
 184                         e_text,
 185                         (e_data.length ? &e_data : NULL),
 186                         error_client,
 187                         error_server,
 188                         csec,
 189                         cusec,
 190                         error_msg);
 191     krb5_data_free(&e_data);
 192
 193     return ret;
 194 }