2 * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
17 * 3. Neither the name of the Institute nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
21 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
34 #include "krb5_locl.h"
36 static krb5_error_code
37 add_auth_data(krb5_context context
,
38 AuthorizationData
*src
,
39 AuthorizationData
**dst
)
41 krb5_error_code ret
= 0;
45 (*dst
= calloc(1, sizeof(**dst
))) == NULL
)
46 return krb5_enomem(context
);
47 for (i
= 0; ret
== 0 && i
< src
->len
; i
++)
48 ret
= add_AuthorizationData(*dst
, &src
->val
[i
]);
52 static krb5_error_code
53 add_etypelist(krb5_context context
,
54 krb5_authdata
*auth_data
)
56 AuthorizationDataElement ade
;
62 ret
= _krb5_init_etype(context
, KRB5_PDU_NONE
,
63 &etypes
.len
, &etypes
.val
,
68 ASN1_MALLOC_ENCODE(EtypeList
, e
.data
, e
.length
, &etypes
, &len
, ret
);
70 free_EtypeList(&etypes
);
74 krb5_abortx(context
, "internal error in ASN.1 encoder");
75 free_EtypeList(&etypes
);
77 ade
.ad_type
= KRB5_AUTHDATA_GSS_API_ETYPE_NEGOTIATION
;
80 ret
= add_AuthorizationData(auth_data
, &ade
);
87 static krb5_error_code
88 add_ap_options(krb5_context context
,
89 krb5_boolean channel_bound
,
90 krb5_authdata
*auth_data
)
93 AuthorizationDataElement ade
;
94 krb5_boolean require_cb
;
95 uint8_t ap_options
[4];
97 require_cb
= krb5_config_get_bool_default(context
, NULL
, FALSE
,
99 "client_aware_channel_bindings",
108 ap_options
[0] = (KERB_AP_OPTIONS_CBT
>> 0 ) & 0xFF;
109 ap_options
[1] = (KERB_AP_OPTIONS_CBT
>> 8 ) & 0xFF;
110 ap_options
[2] = (KERB_AP_OPTIONS_CBT
>> 16) & 0xFF;
111 ap_options
[3] = (KERB_AP_OPTIONS_CBT
>> 24) & 0xFF;
113 ade
.ad_type
= KRB5_AUTHDATA_AP_OPTIONS
;
114 ade
.ad_data
.length
= sizeof(ap_options
);
115 ade
.ad_data
.data
= ap_options
;
117 ret
= add_AuthorizationData(auth_data
, &ade
);
122 static krb5_error_code
123 make_ap_authdata(krb5_context context
,
124 krb5_boolean channel_bound
,
125 krb5_authdata
**auth_data
)
128 AuthorizationData ad
;
135 ret
= add_etypelist(context
, &ad
);
140 * Windows has a bug and only looks for first occurrence of AD-IF-RELEVANT
141 * in the AP authenticator when looking for AD-AP-OPTIONS. Make sure to
142 * bundle it together with etypes.
144 ret
= add_ap_options(context
, channel_bound
, &ad
);
146 free_AuthorizationData(&ad
);
150 ASN1_MALLOC_ENCODE(AuthorizationData
, ir
.data
, ir
.length
, &ad
, &len
, ret
);
152 free_AuthorizationData(&ad
);
156 krb5_abortx(context
, "internal error in ASN.1 encoder");
158 ret
= _krb5_add_1auth_data(context
, KRB5_AUTHDATA_IF_RELEVANT
, &ir
, 1,
161 free_AuthorizationData(&ad
);
167 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
168 _krb5_build_authenticator (krb5_context context
,
169 krb5_auth_context auth_context
,
170 krb5_enctype enctype
,
173 krb5_boolean channel_bound
,
175 krb5_key_usage usage
)
184 memset(&auth
, 0, sizeof(auth
));
186 auth
.authenticator_vno
= 5;
187 ret
= copy_Realm(&cred
->client
->realm
, &auth
.crealm
);
190 ret
= copy_PrincipalName(&cred
->client
->name
, &auth
.cname
);
194 krb5_us_timeofday (context
, &auth
.ctime
, &auth
.cusec
);
196 ret
= krb5_auth_con_getlocalsubkey(context
, auth_context
, &auth
.subkey
);
200 if (auth_context
->flags
& KRB5_AUTH_CONTEXT_DO_SEQUENCE
) {
201 if(auth_context
->local_seqnumber
== 0)
202 krb5_generate_seq_number (context
,
204 &auth_context
->local_seqnumber
);
205 ALLOC(auth
.seq_number
, 1);
206 if(auth
.seq_number
== NULL
) {
207 ret
= krb5_enomem(context
);
210 *auth
.seq_number
= auth_context
->local_seqnumber
;
212 auth
.seq_number
= NULL
;
213 auth
.authorization_data
= NULL
;
216 ALLOC(auth
.cksum
, 1);
217 if (auth
.cksum
== NULL
) {
218 ret
= krb5_enomem(context
);
221 ret
= copy_Checksum(cksum
, auth
.cksum
);
225 if (auth
.cksum
->cksumtype
== CKSUMTYPE_GSSAPI
) {
227 * This is not GSS-API specific, we only enable it for
230 ret
= make_ap_authdata(context
,
232 &auth
.authorization_data
);
238 /* Copy other authz data from auth_context */
239 if (auth_context
->auth_data
) {
240 ret
= add_auth_data(context
, auth_context
->auth_data
, &auth
.authorization_data
);
245 /* XXX - Copy more to auth_context? */
247 auth_context
->authenticator
->ctime
= auth
.ctime
;
248 auth_context
->authenticator
->cusec
= auth
.cusec
;
250 ASN1_MALLOC_ENCODE(Authenticator
, buf
, buf_size
, &auth
, &len
, ret
);
254 krb5_abortx(context
, "internal error in ASN.1 encoder");
256 ret
= krb5_crypto_init(context
, &cred
->session
, enctype
, &crypto
);
259 ret
= krb5_encrypt (context
,
261 usage
/* KRB5_KU_AP_REQ_AUTH */,
265 krb5_crypto_destroy(context
, crypto
);
271 free_Authenticator (&auth
);