1 /*
2 * lib/krb5/krb/encode_kdc.c
3 *
4 * Copyright 1990 by the Massachusetts Institute of Technology.
5 * All Rights Reserved.
6 *
7 * Export of this software from the United States of America may
8 * require a specific license from the United States Government.
9 * It is the responsibility of any person or organization contemplating
10 * export to obtain such a license before exporting.
11 *
12 * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
13 * distribute this software and its documentation for any purpose and
14 * without fee is hereby granted, provided that the above copyright
15 * notice appear in all copies and that both that copyright notice and
16 * this permission notice appear in supporting documentation, and that
17 * the name of M.I.T. not be used in advertising or publicity pertaining
18 * to distribution of the software without specific, written prior
19 * permission. Furthermore if you modify this software you must label
20 * your software as modified software and not distribute it in such a
21 * fashion that it might be confused with the original M.I.T. software.
22 * M.I.T. makes no representations about the suitability of
23 * this software for any purpose. It is provided "as is" without express
24 * or implied warranty.
25 *
26 *
27 * krb5_encode_kdc_rep() function.
28 */
29
30 #include "k5-int.h"
31
32 /*
33 Takes KDC rep parts in *rep and *encpart, and formats it into *enc_rep,
34 using message type type and encryption key client_key and encryption type
35 etype.
36
37 The string *enc_rep will be allocated before formatting; the caller should
38 free when finished.
39
40 returns system errors
41
42 dec_rep->enc_part.ciphertext is allocated and filled in.
43 */
44 /* due to argument promotion rules, we need to use the DECLARG/OLDDECLARG
45 stuff... */
46 krb5_error_code
krb5_encode_kdc_rep(krb5_context context,krb5_msgtype type,const krb5_enc_kdc_rep_part * encpart,int using_subkey,const krb5_keyblock * client_key,krb5_kdc_rep * dec_rep,krb5_data ** enc_rep)47 krb5_encode_kdc_rep(krb5_context context, krb5_msgtype type,
48 const krb5_enc_kdc_rep_part *encpart,
49 int using_subkey, const krb5_keyblock *client_key,
50 krb5_kdc_rep *dec_rep, krb5_data **enc_rep)
51 {
52 krb5_data *scratch;
53 krb5_error_code retval;
54 krb5_enc_kdc_rep_part tmp_encpart;
55 krb5_keyusage usage;
56
57 if (!krb5_c_valid_enctype(dec_rep->enc_part.enctype))
58 return KRB5_PROG_ETYPE_NOSUPP;
59
60 switch (type) {
61 case KRB5_AS_REP:
62 usage = KRB5_KEYUSAGE_AS_REP_ENCPART;
63 break;
64 case KRB5_TGS_REP:
65 if (using_subkey)
66 usage = KRB5_KEYUSAGE_TGS_REP_ENCPART_SUBKEY;
67 else
68 usage = KRB5_KEYUSAGE_TGS_REP_ENCPART_SESSKEY;
69 break;
70 default:
71 return KRB5_BADMSGTYPE;
72 }
73
74 /*
75 * We don't want to modify encpart, but we need to be able to pass
76 * in the message type to the encoder, so it can set the ASN.1
77 * type correct.
78 *
79 * Although note that it may be doing nothing with the message
80 * type, to be compatible with old versions of Kerberos that always
81 * encode this as a TGS_REP regardly of what it really should be;
82 * also note that the reason why we are passing it in a structure
83 * instead of as an argument to encode_krb5_enc_kdc_rep_part (the
84 * way we should) is for compatibility with the ISODE version of
85 * this fuction. Ah, compatibility....
86 */
87 tmp_encpart = *encpart;
88 tmp_encpart.msg_type = type;
89 retval = encode_krb5_enc_kdc_rep_part(&tmp_encpart, &scratch);
90 if (retval) {
91 return retval;
92 }
93 memset(&tmp_encpart, 0, sizeof(tmp_encpart));
94
95 #define cleanup_scratch() { (void) memset(scratch->data, 0, scratch->length); \
96 krb5_free_data(context, scratch); }
97
98 retval = krb5_encrypt_helper(context, client_key, usage, scratch,
99 &dec_rep->enc_part);
100
101 #define cleanup_encpart() { \
102 (void) memset(dec_rep->enc_part.ciphertext.data, 0, \
103 dec_rep->enc_part.ciphertext.length); \
104 free(dec_rep->enc_part.ciphertext.data); \
105 dec_rep->enc_part.ciphertext.length = 0; \
106 dec_rep->enc_part.ciphertext.data = 0;}
107
108 cleanup_scratch();
109
110 if (retval)
111 return(retval);
112
113 /* now it's ready to be encoded for the wire! */
114
115 switch (type) {
116 case KRB5_AS_REP:
117 retval = encode_krb5_as_rep(dec_rep, enc_rep);
118 break;
119 case KRB5_TGS_REP:
120 retval = encode_krb5_tgs_rep(dec_rep, enc_rep);
121 break;
122 }
123
124 if (retval)
125 cleanup_encpart();
126
127 return retval;
128 }
129