xref: /freebsd/crypto/heimdal/lib/krb5/mk_req_ext.c (revision 39beb93c3f8bdbf72a61fda42300b5ebed7390c8) 
1 /*
2  * Copyright (c) 1997 - 2002 Kungliga Tekniska H�gskolan
3  * (Royal Institute of Technology, Stockholm, Sweden).
4  * All rights reserved.
5  *
6  * Redistribution and use in source and binary forms, with or without
7  * modification, are permitted provided that the following conditions
8  * are met:
9  *
10  * 1. Redistributions of source code must retain the above copyright
11  *    notice, this list of conditions and the following disclaimer.
12  *
13  * 2. Redistributions in binary form must reproduce the above copyright
14  *    notice, this list of conditions and the following disclaimer in the
15  *    documentation and/or other materials provided with the distribution.
16  *
17  * 3. Neither the name of the Institute nor the names of its contributors
18  *    may be used to endorse or promote products derived from this software
19  *    without specific prior written permission.
20  *
21  * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
22  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24  * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
25  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31  * SUCH DAMAGE.
32  */
33 
34 #include <krb5_locl.h>
35 
36 RCSID("$Id: mk_req_ext.c 19511 2006-12-27 12:07:22Z lha $");
37 
38 krb5_error_code
39 _krb5_mk_req_internal(krb5_context context,
40 		      krb5_auth_context *auth_context,
41 		      const krb5_flags ap_req_options,
42 		      krb5_data *in_data,
43 		      krb5_creds *in_creds,
44 		      krb5_data *outbuf,
45 		      krb5_key_usage checksum_usage,
46 		      krb5_key_usage encrypt_usage)
47 {
48     krb5_error_code ret;
49     krb5_data authenticator;
50     Checksum c;
51     Checksum *c_opt;
52     krb5_auth_context ac;
53 
54     if(auth_context) {
55 	if(*auth_context == NULL)
56 	    ret = krb5_auth_con_init(context, auth_context);
57 	else
58 	    ret = 0;
59 	ac = *auth_context;
60     } else
61 	ret = krb5_auth_con_init(context, &ac);
62     if(ret)
63 	return ret;
64 
65     if(ac->local_subkey == NULL && (ap_req_options & AP_OPTS_USE_SUBKEY)) {
66 	ret = krb5_auth_con_generatelocalsubkey(context,
67 						ac,
68 						&in_creds->session);
69 	if(ret)
70 	    goto out;
71     }
72 
73     krb5_free_keyblock(context, ac->keyblock);
74     ret = krb5_copy_keyblock(context, &in_creds->session, &ac->keyblock);
75     if (ret)
76 	goto out;
77 
78     /* it's unclear what type of checksum we can use.  try the best one, except:
79      * a) if it's configured differently for the current realm, or
80      * b) if the session key is des-cbc-crc
81      */
82 
83     if (in_data) {
84 	if(ac->keyblock->keytype == ETYPE_DES_CBC_CRC) {
85 	    /* this is to make DCE secd (and older MIT kdcs?) happy */
86 	    ret = krb5_create_checksum(context,
87 				       NULL,
88 				       0,
89 				       CKSUMTYPE_RSA_MD4,
90 				       in_data->data,
91 				       in_data->length,
92 				       &c);
93 	} else if(ac->keyblock->keytype == ETYPE_ARCFOUR_HMAC_MD5 ||
94 		  ac->keyblock->keytype == ETYPE_ARCFOUR_HMAC_MD5_56 ||
95 		  ac->keyblock->keytype == ETYPE_DES_CBC_MD4 ||
96 		  ac->keyblock->keytype == ETYPE_DES_CBC_MD5) {
97 	    /* this is to make MS kdc happy */
98 	    ret = krb5_create_checksum(context,
99 				       NULL,
100 				       0,
101 				       CKSUMTYPE_RSA_MD5,
102 				       in_data->data,
103 				       in_data->length,
104 				       &c);
105 	} else {
106 	    krb5_crypto crypto;
107 
108 	    ret = krb5_crypto_init(context, ac->keyblock, 0, &crypto);
109 	    if (ret)
110 		goto out;
111 	    ret = krb5_create_checksum(context,
112 				       crypto,
113 				       checksum_usage,
114 				       0,
115 				       in_data->data,
116 				       in_data->length,
117 				       &c);
118 	    krb5_crypto_destroy(context, crypto);
119 	}
120 	c_opt = &c;
121     } else {
122 	c_opt = NULL;
123     }
124 
125     if (ret)
126 	goto out;
127 
128     ret = krb5_build_authenticator (context,
129 				    ac,
130 				    ac->keyblock->keytype,
131 				    in_creds,
132 				    c_opt,
133 				    NULL,
134 				    &authenticator,
135 				    encrypt_usage);
136     if (c_opt)
137 	free_Checksum (c_opt);
138     if (ret)
139 	goto out;
140 
141     ret = krb5_build_ap_req (context, ac->keyblock->keytype,
142 			     in_creds, ap_req_options, authenticator, outbuf);
143 out:
144     if(auth_context == NULL)
145 	krb5_auth_con_free(context, ac);
146     return ret;
147 }
148 
149 krb5_error_code KRB5_LIB_FUNCTION
150 krb5_mk_req_extended(krb5_context context,
151 		     krb5_auth_context *auth_context,
152 		     const krb5_flags ap_req_options,
153 		     krb5_data *in_data,
154 		     krb5_creds *in_creds,
155 		     krb5_data *outbuf)
156 {
157     return _krb5_mk_req_internal (context,
158 				 auth_context,
159 				 ap_req_options,
160 				 in_data,
161 				 in_creds,
162 				 outbuf,
163 				 KRB5_KU_AP_REQ_AUTH_CKSUM,
164 				 KRB5_KU_AP_REQ_AUTH);
165 }
166