mk_req_ext.c revision 103423
155682Smarkm/* 2103423Snectar * Copyright (c) 1997 - 2002 Kungliga Tekniska H�gskolan 355682Smarkm * (Royal Institute of Technology, Stockholm, Sweden). 455682Smarkm * All rights reserved. 555682Smarkm * 655682Smarkm * Redistribution and use in source and binary forms, with or without 755682Smarkm * modification, are permitted provided that the following conditions 855682Smarkm * are met: 955682Smarkm * 1055682Smarkm * 1. Redistributions of source code must retain the above copyright 1155682Smarkm * notice, this list of conditions and the following disclaimer. 1255682Smarkm * 1355682Smarkm * 2. Redistributions in binary form must reproduce the above copyright 1455682Smarkm * notice, this list of conditions and the following disclaimer in the 1555682Smarkm * documentation and/or other materials provided with the distribution. 1655682Smarkm * 1755682Smarkm * 3. Neither the name of the Institute nor the names of its contributors 1855682Smarkm * may be used to endorse or promote products derived from this software 1955682Smarkm * without specific prior written permission. 2055682Smarkm * 2155682Smarkm * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 2255682Smarkm * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 2355682Smarkm * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 2455682Smarkm * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 2555682Smarkm * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 2655682Smarkm * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 2755682Smarkm * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 2855682Smarkm * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 2955682Smarkm * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 3055682Smarkm * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 3155682Smarkm * SUCH DAMAGE. 3255682Smarkm */ 3355682Smarkm 3455682Smarkm#include <krb5_locl.h> 3555682Smarkm 36103423SnectarRCSID("$Id: mk_req_ext.c,v 1.26 2002/09/02 17:13:52 joda Exp $"); 3755682Smarkm 3855682Smarkmkrb5_error_code 3955682Smarkmkrb5_mk_req_internal(krb5_context context, 4055682Smarkm krb5_auth_context *auth_context, 4155682Smarkm const krb5_flags ap_req_options, 4255682Smarkm krb5_data *in_data, 4355682Smarkm krb5_creds *in_creds, 4455682Smarkm krb5_data *outbuf, 4572445Sassar krb5_key_usage checksum_usage, 4672445Sassar krb5_key_usage encrypt_usage) 4755682Smarkm{ 4855682Smarkm krb5_error_code ret; 4955682Smarkm krb5_data authenticator; 5055682Smarkm Checksum c; 5155682Smarkm Checksum *c_opt; 5255682Smarkm krb5_auth_context ac; 5355682Smarkm 5455682Smarkm if(auth_context) { 5555682Smarkm if(*auth_context == NULL) 5655682Smarkm ret = krb5_auth_con_init(context, auth_context); 5755682Smarkm else 5855682Smarkm ret = 0; 5955682Smarkm ac = *auth_context; 6055682Smarkm } else 6155682Smarkm ret = krb5_auth_con_init(context, &ac); 6255682Smarkm if(ret) 6355682Smarkm return ret; 6455682Smarkm 65103423Snectar if(ac->local_subkey == NULL && (ap_req_options & AP_OPTS_USE_SUBKEY)) { 66103423Snectar ret = krb5_auth_con_generatelocalsubkey(context, ac, &in_creds->session); 67103423Snectar if(ret) 68103423Snectar return ret; 69103423Snectar } 70103423Snectar 7155682Smarkm#if 0 7255682Smarkm { 7355682Smarkm /* This is somewhat bogus since we're possibly overwriting a 7455682Smarkm value specified by the user, but it's the easiest way to make 7555682Smarkm the code use a compatible enctype */ 7655682Smarkm Ticket ticket; 7755682Smarkm krb5_keytype ticket_keytype; 7855682Smarkm 7955682Smarkm ret = decode_Ticket(in_creds->ticket.data, 8055682Smarkm in_creds->ticket.length, 8155682Smarkm &ticket, 8255682Smarkm NULL); 8355682Smarkm krb5_enctype_to_keytype (context, 8455682Smarkm ticket.enc_part.etype, 8555682Smarkm &ticket_keytype); 8655682Smarkm 8755682Smarkm if (ticket_keytype == in_creds->session.keytype) 8855682Smarkm krb5_auth_setenctype(context, 8955682Smarkm ac, 9055682Smarkm ticket.enc_part.etype); 9155682Smarkm free_Ticket(&ticket); 9255682Smarkm } 9355682Smarkm#endif 9455682Smarkm 9555682Smarkm krb5_free_keyblock(context, ac->keyblock); 9655682Smarkm krb5_copy_keyblock(context, &in_creds->session, &ac->keyblock); 9755682Smarkm 9872445Sassar /* it's unclear what type of checksum we can use. try the best one, except: 9972445Sassar * a) if it's configured differently for the current realm, or 10072445Sassar * b) if the session key is des-cbc-crc 10172445Sassar */ 10272445Sassar 10355682Smarkm if (in_data) { 10455682Smarkm if(ac->keyblock->keytype == ETYPE_DES_CBC_CRC) { 10555682Smarkm /* this is to make DCE secd (and older MIT kdcs?) happy */ 10655682Smarkm ret = krb5_create_checksum(context, 10755682Smarkm NULL, 10878527Sassar 0, 10955682Smarkm CKSUMTYPE_RSA_MD4, 11055682Smarkm in_data->data, 11155682Smarkm in_data->length, 11255682Smarkm &c); 11355682Smarkm } else { 11455682Smarkm krb5_crypto crypto; 11572445Sassar 11672445Sassar ret = krb5_crypto_init(context, ac->keyblock, 0, &crypto); 11772445Sassar if (ret) 11872445Sassar return ret; 11955682Smarkm ret = krb5_create_checksum(context, 12055682Smarkm crypto, 12172445Sassar checksum_usage, 12278527Sassar 0, 12355682Smarkm in_data->data, 12455682Smarkm in_data->length, 12555682Smarkm &c); 12655682Smarkm 12755682Smarkm krb5_crypto_destroy(context, crypto); 12855682Smarkm } 12955682Smarkm c_opt = &c; 13055682Smarkm } else { 13155682Smarkm c_opt = NULL; 13255682Smarkm } 13355682Smarkm 13455682Smarkm ret = krb5_build_authenticator (context, 13555682Smarkm ac, 13655682Smarkm ac->keyblock->keytype, 13755682Smarkm in_creds, 13855682Smarkm c_opt, 13955682Smarkm NULL, 14072445Sassar &authenticator, 14172445Sassar encrypt_usage); 14255682Smarkm if (c_opt) 14355682Smarkm free_Checksum (c_opt); 14455682Smarkm if (ret) 14555682Smarkm return ret; 14655682Smarkm 14755682Smarkm ret = krb5_build_ap_req (context, ac->keyblock->keytype, 14855682Smarkm in_creds, ap_req_options, authenticator, outbuf); 14955682Smarkm if(auth_context == NULL) 15055682Smarkm krb5_auth_con_free(context, ac); 15155682Smarkm return ret; 15255682Smarkm} 15355682Smarkm 15455682Smarkmkrb5_error_code 15555682Smarkmkrb5_mk_req_extended(krb5_context context, 15655682Smarkm krb5_auth_context *auth_context, 15755682Smarkm const krb5_flags ap_req_options, 15855682Smarkm krb5_data *in_data, 15955682Smarkm krb5_creds *in_creds, 16055682Smarkm krb5_data *outbuf) 16155682Smarkm{ 16255682Smarkm return krb5_mk_req_internal (context, 16355682Smarkm auth_context, 16455682Smarkm ap_req_options, 16555682Smarkm in_data, 16655682Smarkm in_creds, 16755682Smarkm outbuf, 16872445Sassar KRB5_KU_AP_REQ_AUTH_CKSUM, 16972445Sassar KRB5_KU_AP_REQ_AUTH); 17055682Smarkm} 171