mk_req_ext.c revision 72445
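/*
 * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
 * (Royal Institute of Technology, Stockholm, Sweden).
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 *
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 *
 * 3. Neither the name of the Institute nor the names of its contributors
 *    may be used to endorse or promote products derived from this software
 *    without specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 */

#include <krb5_locl.h>

RCSID("$Id: mk_req_ext.c,v 1.24 2000/11/15 07:01:26 assar Exp $");

/*
 * Build an AP-REQ from the credentials in `in_creds' and hand the result
 * to the caller through `outbuf' (filled in by krb5_build_ap_req).
 *
 * `auth_context' may be NULL, in which case a private auth context is
 * created and released before returning.  If it is non-NULL but points
 * to NULL, a new context is created and left in `*auth_context' for the
 * caller.  In every case the context's keyblock is replaced by a copy of
 * the session key from `in_creds'.
 *
 * When `in_data' is non-NULL a checksum over it is placed in the
 * authenticator, computed with key usage `checksum_usage'; the
 * authenticator itself is built with key usage `encrypt_usage'.
 *
 * Returns 0 on success or the error code of the first step that failed.
 * A private auth context is released on every exit path, so the copied
 * session key does not outlive a failed call.
 */
krb5_error_code
krb5_mk_req_internal(krb5_context context,
                     krb5_auth_context *auth_context,
                     const krb5_flags ap_req_options,
                     krb5_data *in_data,
                     krb5_creds *in_creds,
                     krb5_data *outbuf,
                     krb5_key_usage checksum_usage,
                     krb5_key_usage encrypt_usage)
{
    krb5_error_code ret;
    krb5_data authenticator;
    Checksum c;
    Checksum *c_opt = NULL;
    krb5_auth_context ac;

    if(auth_context) {
        if(*auth_context == NULL)
            ret = krb5_auth_con_init(context, auth_context);
        else
            ret = 0;
        ac = *auth_context;
    } else
        ret = krb5_auth_con_init(context, &ac);
    if(ret)
        return ret;    /* no usable context exists yet, nothing to release */

#if 0
    {
        /* This is somewhat bogus since we're possibly overwriting a
           value specified by the user, but it's the easiest way to make
           the code use a compatible enctype */
        Ticket ticket;
        krb5_keytype ticket_keytype;

        ret = decode_Ticket(in_creds->ticket.data,
                            in_creds->ticket.length,
                            &ticket,
                            NULL);
        krb5_enctype_to_keytype (context,
                                 ticket.enc_part.etype,
                                 &ticket_keytype);

        if (ticket_keytype == in_creds->session.keytype)
            krb5_auth_setenctype(context,
                                 ac,
                                 ticket.enc_part.etype);
        free_Ticket(&ticket);
    }
#endif

    /*
     * Replace the context's key with the session key.  The pointer is
     * cleared between the free and the copy so that a failed copy cannot
     * leave a dangling keyblock behind in a context the caller keeps
     * (or that is released at `out').
     */
    krb5_free_keyblock(context, ac->keyblock);
    ac->keyblock = NULL;
    ret = krb5_copy_keyblock(context, &in_creds->session, &ac->keyblock);
    if (ret)
        goto out;

    /* it's unclear what type of checksum we can use.  try the best one, except:
     * a) if it's configured differently for the current realm, or
     * b) if the session key is des-cbc-crc
     */

    if (in_data) {
        if(ac->keyblock->keytype == ETYPE_DES_CBC_CRC) {
            /* this is to make DCE secd (and older MIT kdcs?) happy.
             *
             * NOTE(review): no krb5_crypto (and hence no key) is passed
             * here, so this is a plain RSA-MD4 digest of in_data.  MD4 is
             * not collision resistant; treat this branch as legacy
             * interoperability only and prefer disabling single-DES
             * session keys where the deployment allows it. */
            ret = krb5_create_checksum(context,
                                       NULL,
                                       CKSUMTYPE_RSA_MD4,
                                       in_data->data,
                                       in_data->length,
                                       &c);
        } else {
            krb5_crypto crypto;

            ret = krb5_crypto_init(context, ac->keyblock, 0, &crypto);
            if (ret)
                goto out;
            ret = krb5_create_checksum(context,
                                       crypto,
                                       checksum_usage,
                                       in_data->data,
                                       in_data->length,
                                       &c);

            krb5_crypto_destroy(context, crypto);
        }
        /* `c' must not be used or freed if it was never filled in */
        if (ret)
            goto out;
        c_opt = &c;
    }

    ret = krb5_build_authenticator (context,
                                    ac,
                                    ac->keyblock->keytype,
                                    in_creds,
                                    c_opt,
                                    NULL,
                                    &authenticator,
                                    encrypt_usage);
    if (c_opt)
        free_Checksum (c_opt);
    if (ret)
        goto out;

    /* NOTE(review): `authenticator' is passed by value and not released
     * here; presumably krb5_build_ap_req takes care of its storage on
     * both success and failure -- confirm against that function. */
    ret = krb5_build_ap_req (context, ac->keyblock->keytype,
                             in_creds, ap_req_options, authenticator, outbuf);
out:
    /* only a context created privately for this call is ours to free */
    if(auth_context == NULL)
        krb5_auth_con_free(context, ac);
    return ret;
}

/*
 * Public entry point: same as krb5_mk_req_internal, with the checksum
 * and authenticator key usages fixed to KRB5_KU_AP_REQ_AUTH_CKSUM and
 * KRB5_KU_AP_REQ_AUTH.  Returns whatever krb5_mk_req_internal returns.
 */
krb5_error_code
krb5_mk_req_extended(krb5_context context,
                     krb5_auth_context *auth_context,
                     const krb5_flags ap_req_options,
                     krb5_data *in_data,
                     krb5_creds *in_creds,
                     krb5_data *outbuf)
{
    return krb5_mk_req_internal (context,
                                 auth_context,
                                 ap_req_options,
                                 in_data,
                                 in_creds,
                                 outbuf,
                                 KRB5_KU_AP_REQ_AUTH_CKSUM,
                                 KRB5_KU_AP_REQ_AUTH);
}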