lib/krb5/mk_req_ext.c

   1 /*
   2  * Copyright (c) 1997 - 2002 Kungliga Tekniska Högskolan
   3  * (Royal Institute of Technology, Stockholm, Sweden).
   4  * All rights reserved.
   5  *
   6  * Redistribution and use in source and binary forms, with or without
   7  * modification, are permitted provided that the following conditions
   8  * are met:
   9  *
  10  * 1. Redistributions of source code must retain the above copyright
  11  *    notice, this list of conditions and the following disclaimer.
  12  *
  13  * 2. Redistributions in binary form must reproduce the above copyright
  14  *    notice, this list of conditions and the following disclaimer in the
  15  *    documentation and/or other materials provided with the distribution.
  16  *
  17  * 3. Neither the name of the Institute nor the names of its contributors
  18  *    may be used to endorse or promote products derived from this software
  19  *    without specific prior written permission.
  20  *
  21  * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
  22  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  23  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
  24  * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
  25  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
  26  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
  27  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  28  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
  29  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
  30  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  31  * SUCH DAMAGE.
  32  */
  33
  34 #include "krb5_locl.h"
  35
  36 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
  37 _krb5_mk_req_internal(krb5_context context,
  38                       krb5_auth_context *auth_context,
  39                       const krb5_flags ap_req_options,
  40                       krb5_data *in_data,
  41                       krb5_creds *in_creds,
  42                       krb5_data *outbuf,
  43                       krb5_key_usage checksum_usage,
  44                       krb5_key_usage encrypt_usage)
  45 {
  46     krb5_error_code ret;
  47     krb5_data authenticator;
  48     Checksum c;
  49     Checksum *c_opt;
  50     krb5_auth_context ac;
  51
  52     if(auth_context) {
  53         if(*auth_context == NULL)
  54             ret = krb5_auth_con_init(context, auth_context);
  55         else
  56             ret = 0;
  57         ac = *auth_context;
  58     } else
  59         ret = krb5_auth_con_init(context, &ac);
  60     if(ret)
  61         return ret;
  62
  63     if(ac->local_subkey == NULL && (ap_req_options & AP_OPTS_USE_SUBKEY)) {
  64         ret = krb5_auth_con_generatelocalsubkey(context,
  65                                                 ac,
  66                                                 &in_creds->session);
  67         if(ret)
  68             goto out;
  69     }
  70
  71     krb5_free_keyblock(context, ac->keyblock);
  72     ret = krb5_copy_keyblock(context, &in_creds->session, &ac->keyblock);
  73     if (ret)
  74         goto out;
  75
  76     /* it's unclear what type of checksum we can use.  try the best one, except:
  77      * a) if it's configured differently for the current realm, or
  78      * b) if the session key is des-cbc-crc
  79      */
  80
  81     if (in_data) {
  82         if(ac->keyblock->keytype == ETYPE_DES_CBC_CRC) {
  83             /* this is to make DCE secd (and older MIT kdcs?) happy */
  84             ret = krb5_create_checksum(context,
  85                                        NULL,
  86                                        0,
  87                                        CKSUMTYPE_RSA_MD4,
  88                                        in_data->data,
  89                                        in_data->length,
  90                                        &c);
  91         } else if(ac->keyblock->keytype == ETYPE_ARCFOUR_HMAC_MD5 ||
  92                   ac->keyblock->keytype == ETYPE_ARCFOUR_HMAC_MD5_56 ||
  93                   ac->keyblock->keytype == ETYPE_DES_CBC_MD4 ||
  94                   ac->keyblock->keytype == ETYPE_DES_CBC_MD5) {
  95             /* this is to make MS kdc happy */
  96             ret = krb5_create_checksum(context,
  97                                        NULL,
  98                                        0,
  99                                        CKSUMTYPE_RSA_MD5,
 100                                        in_data->data,
 101                                        in_data->length,
 102                                        &c);
 103         } else {
 104             krb5_crypto crypto;
 105
 106             ret = krb5_crypto_init(context, ac->keyblock, 0, &crypto);
 107             if (ret)
 108                 goto out;
 109             ret = krb5_create_checksum(context,
 110                                        crypto,
 111                                        checksum_usage,
 112                                        0,
 113                                        in_data->data,
 114                                        in_data->length,
 115                                        &c);
 116             krb5_crypto_destroy(context, crypto);
 117         }
 118         c_opt = &c;
 119     } else {
 120         c_opt = NULL;
 121     }
 122
 123     if (ret)
 124         goto out;
 125
 126     ret = _krb5_build_authenticator(context,
 127                                     ac,
 128                                     ac->keyblock->keytype,
 129                                     in_creds,
 130                                     c_opt,
 131                                     &authenticator,
 132                                     encrypt_usage);
 133     if (c_opt)
 134         free_Checksum (c_opt);
 135     if (ret)
 136         goto out;
 137
 138     ret = krb5_build_ap_req (context, ac->keyblock->keytype,
 139                              in_creds, ap_req_options, authenticator, outbuf);
 140 out:
 141     if(auth_context == NULL)
 142         krb5_auth_con_free(context, ac);
 143     return ret;
 144 }
 145
 146 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 147 krb5_mk_req_extended(krb5_context context,
 148                      krb5_auth_context *auth_context,
 149                      const krb5_flags ap_req_options,
 150                      krb5_data *in_data,
 151                      krb5_creds *in_creds,
 152                      krb5_data *outbuf)
 153 {
 154     return _krb5_mk_req_internal (context,
 155                                  auth_context,
 156                                  ap_req_options,
 157                                  in_data,
 158                                  in_creds,
 159                                  outbuf,
 160                                  KRB5_KU_AP_REQ_AUTH_CKSUM,
 161                                  KRB5_KU_AP_REQ_AUTH);
 162 }