1 /* 2 * Copyright (c) 1997 - 2003 Kungliga Tekniska H�gskolan 3 * (Royal Institute of Technology, Stockholm, Sweden). 4 * All rights reserved. 5 * 6 * Redistribution and use in source and binary forms, with or without 7 * modification, are permitted provided that the following conditions 8 * are met: 9 * 10 * 1. Redistributions of source code must retain the above copyright 11 * notice, this list of conditions and the following disclaimer. 12 * 13 * 2. Redistributions in binary form must reproduce the above copyright 14 * notice, this list of conditions and the following disclaimer in the 15 * documentation and/or other materials provided with the distribution. 16 * 17 * 3. Neither the name of the Institute nor the names of its contributors 18 * may be used to endorse or promote products derived from this software 19 * without specific prior written permission. 20 * 21 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 24 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 31 * SUCH DAMAGE. 32 */ 33 34 #include <krb5_locl.h> 35 36 RCSID("$Id: build_auth.c 17033 2006-04-10 08:53:21Z lha $"); 37 38 static krb5_error_code 39 make_etypelist(krb5_context context, 40 krb5_authdata **auth_data) 41 { 42 EtypeList etypes; 43 krb5_error_code ret; 44 krb5_authdata ad; 45 u_char *buf; 46 size_t len; 47 size_t buf_size; 48 49 ret = krb5_init_etype(context, &etypes.len, &etypes.val, NULL); 50 if (ret) 51 return ret; 52 53 ASN1_MALLOC_ENCODE(EtypeList, buf, buf_size, &etypes, &len, ret); 54 if (ret) { 55 free_EtypeList(&etypes); 56 return ret; 57 } 58 if(buf_size != len) 59 krb5_abortx(context, "internal error in ASN.1 encoder"); 60 free_EtypeList(&etypes); 61 62 ALLOC_SEQ(&ad, 1); 63 if (ad.val == NULL) { 64 free(buf); 65 krb5_set_error_string(context, "malloc: out of memory"); 66 return ENOMEM; 67 } 68 69 ad.val[0].ad_type = KRB5_AUTHDATA_GSS_API_ETYPE_NEGOTIATION; 70 ad.val[0].ad_data.length = len; 71 ad.val[0].ad_data.data = buf; 72 73 ASN1_MALLOC_ENCODE(AD_IF_RELEVANT, buf, buf_size, &ad, &len, ret); 74 if (ret) { 75 free_AuthorizationData(&ad); 76 return ret; 77 } 78 if(buf_size != len) 79 krb5_abortx(context, "internal error in ASN.1 encoder"); 80 free_AuthorizationData(&ad); 81 82 ALLOC(*auth_data, 1); 83 if (*auth_data == NULL) { 84 krb5_set_error_string(context, "malloc: out of memory"); 85 return ENOMEM; 86 } 87 88 ALLOC_SEQ(*auth_data, 1); 89 if ((*auth_data)->val == NULL) { 90 free(buf); 91 krb5_set_error_string(context, "malloc: out of memory"); 92 return ENOMEM; 93 } 94 95 (*auth_data)->val[0].ad_type = KRB5_AUTHDATA_IF_RELEVANT; 96 (*auth_data)->val[0].ad_data.length = len; 97 (*auth_data)->val[0].ad_data.data = buf; 98 99 return 0; 100 } 101 102 krb5_error_code KRB5_LIB_FUNCTION 103 krb5_build_authenticator (krb5_context context, 104 krb5_auth_context auth_context, 105 krb5_enctype enctype, 106 krb5_creds *cred, 107 Checksum *cksum, 108 Authenticator **auth_result, 109 krb5_data *result, 110 krb5_key_usage usage) 111 { 112 Authenticator *auth; 113 u_char *buf = NULL; 114 size_t buf_size; 115 size_t len; 116 krb5_error_code ret; 117 krb5_crypto crypto; 118 119 auth = calloc(1, sizeof(*auth)); 120 if (auth == NULL) { 121 krb5_set_error_string(context, "malloc: out of memory"); 122 return ENOMEM; 123 } 124 125 auth->authenticator_vno = 5; 126 copy_Realm(&cred->client->realm, &auth->crealm); 127 copy_PrincipalName(&cred->client->name, &auth->cname); 128 129 krb5_us_timeofday (context, &auth->ctime, &auth->cusec); 130 131 ret = krb5_auth_con_getlocalsubkey(context, auth_context, &auth->subkey); 132 if(ret) 133 goto fail; 134 135 if (auth_context->flags & KRB5_AUTH_CONTEXT_DO_SEQUENCE) { 136 if(auth_context->local_seqnumber == 0) 137 krb5_generate_seq_number (context, 138 &cred->session, 139 &auth_context->local_seqnumber); 140 ALLOC(auth->seq_number, 1); 141 if(auth->seq_number == NULL) { 142 ret = ENOMEM; 143 goto fail; 144 } 145 *auth->seq_number = auth_context->local_seqnumber; 146 } else 147 auth->seq_number = NULL; 148 auth->authorization_data = NULL; 149 auth->cksum = cksum; 150 151 if (cksum != NULL && cksum->cksumtype == CKSUMTYPE_GSSAPI) { 152 /* 153 * This is not GSS-API specific, we only enable it for 154 * GSS for now 155 */ 156 ret = make_etypelist(context, &auth->authorization_data); 157 if (ret) 158 goto fail; 159 } 160 161 /* XXX - Copy more to auth_context? */ 162 163 auth_context->authenticator->ctime = auth->ctime; 164 auth_context->authenticator->cusec = auth->cusec; 165 166 ASN1_MALLOC_ENCODE(Authenticator, buf, buf_size, auth, &len, ret); 167 if (ret) 168 goto fail; 169 if(buf_size != len) 170 krb5_abortx(context, "internal error in ASN.1 encoder"); 171 172 ret = krb5_crypto_init(context, &cred->session, enctype, &crypto); 173 if (ret) 174 goto fail; 175 ret = krb5_encrypt (context, 176 crypto, 177 usage /* KRB5_KU_AP_REQ_AUTH */, 178 buf + buf_size - len, 179 len, 180 result); 181 krb5_crypto_destroy(context, crypto); 182 183 if (ret) 184 goto fail; 185 186 free (buf); 187 188 if (auth_result) 189 *auth_result = auth; 190 else { 191 /* Don't free the `cksum', it's allocated by the caller */ 192 auth->cksum = NULL; 193 free_Authenticator (auth); 194 free (auth); 195 } 196 return ret; 197 fail: 198 free_Authenticator (auth); 199 free (auth); 200 free (buf); 201 return ret; 202 } 203