1b528cefcSMark Murray /*
2*ae771770SStanislav Sedov * Copyright (c) 1997 - 2002 Kungliga Tekniska Högskolan
3b528cefcSMark Murray * (Royal Institute of Technology, Stockholm, Sweden).
4b528cefcSMark Murray * All rights reserved.
5b528cefcSMark Murray *
6b528cefcSMark Murray * Redistribution and use in source and binary forms, with or without
7b528cefcSMark Murray * modification, are permitted provided that the following conditions
8b528cefcSMark Murray * are met:
9b528cefcSMark Murray *
10b528cefcSMark Murray * 1. Redistributions of source code must retain the above copyright
11b528cefcSMark Murray * notice, this list of conditions and the following disclaimer.
12b528cefcSMark Murray *
13b528cefcSMark Murray * 2. Redistributions in binary form must reproduce the above copyright
14b528cefcSMark Murray * notice, this list of conditions and the following disclaimer in the
15b528cefcSMark Murray * documentation and/or other materials provided with the distribution.
16b528cefcSMark Murray *
17b528cefcSMark Murray * 3. Neither the name of the Institute nor the names of its contributors
18b528cefcSMark Murray * may be used to endorse or promote products derived from this software
19b528cefcSMark Murray * without specific prior written permission.
20b528cefcSMark Murray *
21b528cefcSMark Murray * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
22b528cefcSMark Murray * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23b528cefcSMark Murray * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24b528cefcSMark Murray * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
25b528cefcSMark Murray * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26b528cefcSMark Murray * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27b528cefcSMark Murray * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28b528cefcSMark Murray * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29b528cefcSMark Murray * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30b528cefcSMark Murray * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31b528cefcSMark Murray * SUCH DAMAGE.
32b528cefcSMark Murray */
33b528cefcSMark Murray
34*ae771770SStanislav Sedov #include "krb5_locl.h"
35b528cefcSMark Murray
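/*
 * Build an AP-REQ for the credentials in `in_creds' and return the
 * encoded message in `outbuf'.
 *
 * auth_context:
 *   - NULL: a temporary auth context is created and freed before return.
 *   - non-NULL with *auth_context == NULL: a new context is initialised
 *     and left in *auth_context for the caller.
 *   - non-NULL with an existing context: that context is used as is.
 *   In every case the context's keyblock is replaced by a copy of
 *   in_creds->session.
 *
 * ap_req_options: if AP_OPTS_USE_SUBKEY is set and the context has no
 *   local subkey, one is generated from the session key.
 *
 * in_data: optional application data. When non-NULL a checksum over it
 *   is passed to the authenticator; when NULL no checksum is included.
 *
 * checksum_usage / encrypt_usage: key usage for the keyed checksum and
 *   for the authenticator, respectively.
 *
 * Returns 0 on success, otherwise the error code of the step that failed.
 *
 * Security notes:
 *   - For the DES and RC4 session key types below, the checksum is
 *     created with a NULL crypto handle and key usage 0, so no key is
 *     passed to krb5_create_checksum (RSA-MD4 / RSA-MD5). These branches
 *     exist for interoperability with legacy KDCs; the checksum's
 *     protection then presumably rests on the encrypted authenticator --
 *     confirm before relying on it. Deployments that can do so should
 *     use session keys that reach the keyed-checksum branch.
 *   - NOTE(review): `authenticator' is not released in this function;
 *     presumably krb5_build_ap_req takes ownership of it -- confirm.
 */
krb5_error_code
_krb5_mk_req_internal(krb5_context context,
                      krb5_auth_context *auth_context,
                      const krb5_flags ap_req_options,
                      krb5_data *in_data,
                      krb5_creds *in_creds,
                      krb5_data *outbuf,
                      krb5_key_usage checksum_usage,
                      krb5_key_usage encrypt_usage)
{
    krb5_error_code ret;
    krb5_data authenticator;
    Checksum c;
    Checksum *c_opt = NULL;
    krb5_auth_context ac;

    if(auth_context) {
        if(*auth_context == NULL)
            ret = krb5_auth_con_init(context, auth_context);
        else
            ret = 0;
        ac = *auth_context;
    } else
        ret = krb5_auth_con_init(context, &ac);
    if(ret)
        return ret;

    if(ac->local_subkey == NULL && (ap_req_options & AP_OPTS_USE_SUBKEY)) {
        ret = krb5_auth_con_generatelocalsubkey(context,
                                                ac,
                                                &in_creds->session);
        if(ret)
            goto out;
    }

    /*
     * Drop the old key and clear the pointer before copying. What
     * krb5_copy_keyblock leaves in its output argument on failure is not
     * visible here, and a stale pointer kept in the auth context could be
     * used or freed again later.
     */
    krb5_free_keyblock(context, ac->keyblock);
    ac->keyblock = NULL;
    ret = krb5_copy_keyblock(context, &in_creds->session, &ac->keyblock);
    if (ret)
        goto out;

    /* it's unclear what type of checksum we can use.  try the best one, except:
     * a) if it's configured differently for the current realm, or
     * b) if the session key is des-cbc-crc
     */

    if (in_data) {
        if(ac->keyblock->keytype == ETYPE_DES_CBC_CRC) {
            /* this is to make DCE secd (and older MIT kdcs?) happy */
            ret = krb5_create_checksum(context,
                                       NULL,
                                       0,
                                       CKSUMTYPE_RSA_MD4,
                                       in_data->data,
                                       in_data->length,
                                       &c);
        } else if(ac->keyblock->keytype == ETYPE_ARCFOUR_HMAC_MD5 ||
                  ac->keyblock->keytype == ETYPE_ARCFOUR_HMAC_MD5_56 ||
                  ac->keyblock->keytype == ETYPE_DES_CBC_MD4 ||
                  ac->keyblock->keytype == ETYPE_DES_CBC_MD5) {
            /* this is to make MS kdc happy */
            ret = krb5_create_checksum(context,
                                       NULL,
                                       0,
                                       CKSUMTYPE_RSA_MD5,
                                       in_data->data,
                                       in_data->length,
                                       &c);
        } else {
            krb5_crypto crypto;

            /* keyed checksum: type 0 lets the crypto handle pick it */
            ret = krb5_crypto_init(context, ac->keyblock, 0, &crypto);
            if (ret)
                goto out;
            ret = krb5_create_checksum(context,
                                       crypto,
                                       checksum_usage,
                                       0,
                                       in_data->data,
                                       in_data->length,
                                       &c);
            krb5_crypto_destroy(context, crypto);
        }
        c_opt = &c;
    }

    /* with in_data == NULL, ret is still 0 from krb5_copy_keyblock */
    if (ret)
        goto out;

    ret = _krb5_build_authenticator(context,
                                    ac,
                                    ac->keyblock->keytype,
                                    in_creds,
                                    c_opt,
                                    &authenticator,
                                    encrypt_usage);
    /* the checksum is released whether or not the authenticator was built */
    if (c_opt)
        free_Checksum (c_opt);
    if (ret)
        goto out;

    ret = krb5_build_ap_req (context, ac->keyblock->keytype,
                             in_creds, ap_req_options, authenticator, outbuf);
out:
    /* only a context created locally is freed; the caller keeps its own */
    if(auth_context == NULL)
        krb5_auth_con_free(context, ac);
    return ret;
}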
145b528cefcSMark Murray
/*
 * Build an AP-REQ for `in_creds' and store the encoded message in
 * `outbuf'.
 *
 * Forwards all arguments unchanged to _krb5_mk_req_internal, fixing the
 * key usages to KRB5_KU_AP_REQ_AUTH_CKSUM for the checksum over `in_data'
 * and KRB5_KU_AP_REQ_AUTH for the authenticator.
 *
 * Returns whatever _krb5_mk_req_internal returns.
 */
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_mk_req_extended(krb5_context context,
                     krb5_auth_context *auth_context,
                     const krb5_flags ap_req_options,
                     krb5_data *in_data,
                     krb5_creds *in_creds,
                     krb5_data *outbuf)
{
    krb5_error_code ret;

    ret = _krb5_mk_req_internal(context, auth_context, ap_req_options,
                                in_data, in_creds, outbuf,
                                KRB5_KU_AP_REQ_AUTH_CKSUM,
                                KRB5_KU_AP_REQ_AUTH);
    return ret;
}