crypto/external/bsd/heimdal/dist/lib/krb5/mk_req_ext.c

   1 /*      $NetBSD: mk_req_ext.c,v 1.1.1.1 2011/04/13 18:15:36 elric Exp $ */
   2
   3 /*
   4  * Copyright (c) 1997 - 2002 Kungliga Tekniska Högskolan
   5  * (Royal Institute of Technology, Stockholm, Sweden).
   6  * All rights reserved.
   7  *
   8  * Redistribution and use in source and binary forms, with or without
   9  * modification, are permitted provided that the following conditions
  10  * are met:
  11  *
  12  * 1. Redistributions of source code must retain the above copyright
  13  *    notice, this list of conditions and the following disclaimer.
  14  *
  15  * 2. Redistributions in binary form must reproduce the above copyright
  16  *    notice, this list of conditions and the following disclaimer in the
  17  *    documentation and/or other materials provided with the distribution.
  18  *
  19  * 3. Neither the name of the Institute nor the names of its contributors
  20  *    may be used to endorse or promote products derived from this software
  21  *    without specific prior written permission.
  22  *
  23  * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
  24  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  25  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
  26  * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
  27  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
  28  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
  29  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  30  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
  31  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
  32  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  33  * SUCH DAMAGE.
  34  */
  35
  36 #include "krb5_locl.h"
  37
  38 krb5_error_code
  39 _krb5_mk_req_internal(krb5_context context,
  40                       krb5_auth_context *auth_context,
  41                       const krb5_flags ap_req_options,
  42                       krb5_data *in_data,
  43                       krb5_creds *in_creds,
  44                       krb5_data *outbuf,
  45                       krb5_key_usage checksum_usage,
  46                       krb5_key_usage encrypt_usage)
  47 {
  48     krb5_error_code ret;
  49     krb5_data authenticator;
  50     Checksum c;
  51     Checksum *c_opt;
  52     krb5_auth_context ac;
  53
  54     if(auth_context) {
  55         if(*auth_context == NULL)
  56             ret = krb5_auth_con_init(context, auth_context);
  57         else
  58             ret = 0;
  59         ac = *auth_context;
  60     } else
  61         ret = krb5_auth_con_init(context, &ac);
  62     if(ret)
  63         return ret;
  64
  65     if(ac->local_subkey == NULL && (ap_req_options & AP_OPTS_USE_SUBKEY)) {
  66         ret = krb5_auth_con_generatelocalsubkey(context,
  67                                                 ac,
  68                                                 &in_creds->session);
  69         if(ret)
  70             goto out;
  71     }
  72
  73     krb5_free_keyblock(context, ac->keyblock);
  74     ret = krb5_copy_keyblock(context, &in_creds->session, &ac->keyblock);
  75     if (ret)
  76         goto out;
  77
  78     /* it's unclear what type of checksum we can use.  try the best one, except:
  79      * a) if it's configured differently for the current realm, or
  80      * b) if the session key is des-cbc-crc
  81      */
  82
  83     if (in_data) {
  84         if(ac->keyblock->keytype == ETYPE_DES_CBC_CRC) {
  85             /* this is to make DCE secd (and older MIT kdcs?) happy */
  86             ret = krb5_create_checksum(context,
  87                                        NULL,
  88                                        0,
  89                                        CKSUMTYPE_RSA_MD4,
  90                                        in_data->data,
  91                                        in_data->length,
  92                                        &c);
  93         } else if(ac->keyblock->keytype == ETYPE_ARCFOUR_HMAC_MD5 ||
  94                   ac->keyblock->keytype == ETYPE_ARCFOUR_HMAC_MD5_56 ||
  95                   ac->keyblock->keytype == ETYPE_DES_CBC_MD4 ||
  96                   ac->keyblock->keytype == ETYPE_DES_CBC_MD5) {
  97             /* this is to make MS kdc happy */
  98             ret = krb5_create_checksum(context,
  99                                        NULL,
 100                                        0,
 101                                        CKSUMTYPE_RSA_MD5,
 102                                        in_data->data,
 103                                        in_data->length,
 104                                        &c);
 105         } else {
 106             krb5_crypto crypto;
 107
 108             ret = krb5_crypto_init(context, ac->keyblock, 0, &crypto);
 109             if (ret)
 110                 goto out;
 111             ret = krb5_create_checksum(context,
 112                                        crypto,
 113                                        checksum_usage,
 114                                        0,
 115                                        in_data->data,
 116                                        in_data->length,
 117                                        &c);
 118             krb5_crypto_destroy(context, crypto);
 119         }
 120         c_opt = &c;
 121     } else {
 122         c_opt = NULL;
 123     }
 124
 125     if (ret)
 126         goto out;
 127
 128     ret = _krb5_build_authenticator(context,
 129                                     ac,
 130                                     ac->keyblock->keytype,
 131                                     in_creds,
 132                                     c_opt,
 133                                     &authenticator,
 134                                     encrypt_usage);
 135     if (c_opt)
 136         free_Checksum (c_opt);
 137     if (ret)
 138         goto out;
 139
 140     ret = krb5_build_ap_req (context, ac->keyblock->keytype,
 141                              in_creds, ap_req_options, authenticator, outbuf);
 142 out:
 143     if(auth_context == NULL)
 144         krb5_auth_con_free(context, ac);
 145     return ret;
 146 }
 147
 148 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 149 krb5_mk_req_extended(krb5_context context,
 150                      krb5_auth_context *auth_context,
 151                      const krb5_flags ap_req_options,
 152                      krb5_data *in_data,
 153                      krb5_creds *in_creds,
 154                      krb5_data *outbuf)
 155 {
 156     return _krb5_mk_req_internal (context,
 157                                  auth_context,
 158                                  ap_req_options,
 159                                  in_data,
 160                                  in_creds,
 161                                  outbuf,
 162                                  KRB5_KU_AP_REQ_AUTH_CKSUM,
 163                                  KRB5_KU_AP_REQ_AUTH);
 164 }