mk_req_ext.c revision 103423
155682Smarkm/*
2103423Snectar * Copyright (c) 1997 - 2002 Kungliga Tekniska Högskolan
355682Smarkm * (Royal Institute of Technology, Stockholm, Sweden).
455682Smarkm * All rights reserved.
555682Smarkm *
655682Smarkm * Redistribution and use in source and binary forms, with or without
755682Smarkm * modification, are permitted provided that the following conditions
855682Smarkm * are met:
955682Smarkm *
1055682Smarkm * 1. Redistributions of source code must retain the above copyright
1155682Smarkm *    notice, this list of conditions and the following disclaimer.
1255682Smarkm *
1355682Smarkm * 2. Redistributions in binary form must reproduce the above copyright
1455682Smarkm *    notice, this list of conditions and the following disclaimer in the
1555682Smarkm *    documentation and/or other materials provided with the distribution.
1655682Smarkm *
1755682Smarkm * 3. Neither the name of the Institute nor the names of its contributors
1855682Smarkm *    may be used to endorse or promote products derived from this software
1955682Smarkm *    without specific prior written permission.
2055682Smarkm *
2155682Smarkm * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
2255682Smarkm * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
2355682Smarkm * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
2455682Smarkm * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
2555682Smarkm * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
2655682Smarkm * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
2755682Smarkm * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
2855682Smarkm * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
2955682Smarkm * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
3055682Smarkm * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
3155682Smarkm * SUCH DAMAGE.
3255682Smarkm */
3355682Smarkm
3455682Smarkm#include <krb5_locl.h>
3555682Smarkm
36103423SnectarRCSID("$Id: mk_req_ext.c,v 1.26 2002/09/02 17:13:52 joda Exp $");
3755682Smarkm
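/*
 * Build an AP-REQ for the ticket held in `in_creds' and store the result
 * in `outbuf'.
 *
 * context          library context handed to every krb5 call made here
 * auth_context     optional in/out auth context.  If the pointer is NULL a
 *                  temporary context is created and freed before returning.
 *                  If it is non-NULL but *auth_context is NULL, a new
 *                  context is created and left in *auth_context.
 * ap_req_options   AP options; AP_OPTS_USE_SUBKEY requests a local subkey
 *                  when the auth context does not already have one
 * in_data          optional application data; when non-NULL a checksum over
 *                  it is placed in the authenticator
 * in_creds         credentials supplying the ticket and session key
 * outbuf           receives the output of krb5_build_ap_req
 * checksum_usage   key usage for the keyed checksum over in_data
 * encrypt_usage    key usage passed to krb5_build_authenticator
 *
 * Returns 0 on success, otherwise the error code of the first failing call.
 * Every failure after the auth context has been set up leaves through
 * `out', so a temporary auth context is released on error paths as well.
 */
krb5_error_code
krb5_mk_req_internal(krb5_context context,
                     krb5_auth_context *auth_context,
                     const krb5_flags ap_req_options,
                     krb5_data *in_data,
                     krb5_creds *in_creds,
                     krb5_data *outbuf,
                     krb5_key_usage checksum_usage,
                     krb5_key_usage encrypt_usage)
{
    krb5_error_code ret;
    krb5_data authenticator;
    Checksum c;
    Checksum *c_opt = NULL;
    krb5_auth_context ac;

    if (auth_context) {
        if (*auth_context == NULL)
            ret = krb5_auth_con_init(context, auth_context);
        else
            ret = 0;
        ac = *auth_context;
    } else
        ret = krb5_auth_con_init(context, &ac);
    if (ret)
        return ret;     /* nothing of ours to release yet */

    if (ac->local_subkey == NULL && (ap_req_options & AP_OPTS_USE_SUBKEY)) {
        ret = krb5_auth_con_generatelocalsubkey(context, ac,
                                                &in_creds->session);
        if (ret)
            goto out;
    }

#if 0
    {
        /* This is somewhat bogus since we're possibly overwriting a
           value specified by the user, but it's the easiest way to make
           the code use a compatible enctype */
        /* NOTE(review): disabled code; the result of decode_Ticket is not
           checked before `ticket' is used, so fix that before re-enabling. */
        Ticket ticket;
        krb5_keytype ticket_keytype;

        ret = decode_Ticket(in_creds->ticket.data,
                            in_creds->ticket.length,
                            &ticket,
                            NULL);
        krb5_enctype_to_keytype (context,
                                 ticket.enc_part.etype,
                                 &ticket_keytype);

        if (ticket_keytype == in_creds->session.keytype)
            krb5_auth_setenctype(context,
                                 ac,
                                 ticket.enc_part.etype);
        free_Ticket(&ticket);
    }
#endif

    /*
     * Replace the auth context's key with a copy of the session key.  The
     * old pointer is cleared before the copy so that a failed copy cannot
     * leave a freed keyblock in the context, which may be caller-owned and
     * is dereferenced further down.
     */
    krb5_free_keyblock(context, ac->keyblock);
    ac->keyblock = NULL;
    ret = krb5_copy_keyblock(context, &in_creds->session, &ac->keyblock);
    if (ret)
        goto out;

    /* it's unclear what type of checksum we can use.  try the best one, except:
     * a) if it's configured differently for the current realm, or
     * b) if the session key is des-cbc-crc
     */

    if (in_data) {
        if (ac->keyblock->keytype == ETYPE_DES_CBC_CRC) {
            /* this is to make DCE secd (and older MIT kdcs?) happy */
            /* NOTE(review): no crypto handle and usage 0, so this RSA-MD4
               checksum is computed without a key.  MD4 and single DES are
               both obsolete; this branch exists only for interoperability. */
            ret = krb5_create_checksum(context,
                                       NULL,
                                       0,
                                       CKSUMTYPE_RSA_MD4,
                                       in_data->data,
                                       in_data->length,
                                       &c);
        } else {
            krb5_crypto crypto;

            ret = krb5_crypto_init(context, ac->keyblock, 0, &crypto);
            if (ret)
                goto out;
            /* checksum type 0: the type is not fixed here */
            ret = krb5_create_checksum(context,
                                       crypto,
                                       checksum_usage,
                                       0,
                                       in_data->data,
                                       in_data->length,
                                       &c);

            krb5_crypto_destroy(context, crypto);
        }
        /*
         * Stop here if the checksum could not be produced: `c' may be
         * uninitialised, so it must be neither embedded in the
         * authenticator nor passed to free_Checksum.
         */
        if (ret)
            goto out;
        c_opt = &c;
    }

    ret = krb5_build_authenticator (context,
                                    ac,
                                    ac->keyblock->keytype,
                                    in_creds,
                                    c_opt,
                                    NULL,
                                    &authenticator,
                                    encrypt_usage);
    if (c_opt)
        free_Checksum (c_opt);
    if (ret)
        goto out;

    /* `authenticator' is handed over by value and not released here;
       presumably krb5_build_ap_req takes ownership of it (TODO confirm). */
    ret = krb5_build_ap_req (context, ac->keyblock->keytype,
                             in_creds, ap_req_options, authenticator, outbuf);

out:
    /* Only a context created for this call is ours to free. */
    if (auth_context == NULL)
        krb5_auth_con_free(context, ac);
    return ret;
}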
15355682Smarkm
/*
 * Build an AP-REQ from `in_creds' into `outbuf'.
 *
 * Forwards all arguments unchanged to krb5_mk_req_internal, fixing the key
 * usages to KRB5_KU_AP_REQ_AUTH_CKSUM for the checksum and
 * KRB5_KU_AP_REQ_AUTH for the authenticator.  Returns whatever
 * krb5_mk_req_internal returns.
 */
krb5_error_code
krb5_mk_req_extended(krb5_context context,
                     krb5_auth_context *auth_context,
                     const krb5_flags ap_req_options,
                     krb5_data *in_data,
                     krb5_creds *in_creds,
                     krb5_data *outbuf)
{
    krb5_error_code status;

    status = krb5_mk_req_internal(context, auth_context, ap_req_options,
                                  in_data, in_creds, outbuf,
                                  KRB5_KU_AP_REQ_AUTH_CKSUM,
                                  KRB5_KU_AP_REQ_AUTH);
    return status;
}