xref: /freebsd/crypto/heimdal/lib/krb5/mk_req_ext.c (revision 9336e0699bda8a301cd2bfa37106b6ec5e32012e) 
1 /*
2  * Copyright (c) 1997 - 2002 Kungliga Tekniska H�gskolan
3  * (Royal Institute of Technology, Stockholm, Sweden).
4  * All rights reserved.
5  *
6  * Redistribution and use in source and binary forms, with or without
7  * modification, are permitted provided that the following conditions
8  * are met:
9  *
10  * 1. Redistributions of source code must retain the above copyright
11  *    notice, this list of conditions and the following disclaimer.
12  *
13  * 2. Redistributions in binary form must reproduce the above copyright
14  *    notice, this list of conditions and the following disclaimer in the
15  *    documentation and/or other materials provided with the distribution.
16  *
17  * 3. Neither the name of the Institute nor the names of its contributors
18  *    may be used to endorse or promote products derived from this software
19  *    without specific prior written permission.
20  *
21  * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
22  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24  * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
25  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31  * SUCH DAMAGE.
32  */
33 
34 #include <krb5_locl.h>
35 
36 RCSID("$Id: mk_req_ext.c,v 1.26.4.1 2003/09/18 20:34:30 lha Exp $");
37 
38 krb5_error_code
39 krb5_mk_req_internal(krb5_context context,
40 		     krb5_auth_context *auth_context,
41 		     const krb5_flags ap_req_options,
42 		     krb5_data *in_data,
43 		     krb5_creds *in_creds,
44 		     krb5_data *outbuf,
45 		     krb5_key_usage checksum_usage,
46 		     krb5_key_usage encrypt_usage)
47 {
48   krb5_error_code ret;
49   krb5_data authenticator;
50   Checksum c;
51   Checksum *c_opt;
52   krb5_auth_context ac;
53 
54   if(auth_context) {
55       if(*auth_context == NULL)
56 	  ret = krb5_auth_con_init(context, auth_context);
57       else
58 	  ret = 0;
59       ac = *auth_context;
60   } else
61       ret = krb5_auth_con_init(context, &ac);
62   if(ret)
63       return ret;
64 
65   if(ac->local_subkey == NULL && (ap_req_options & AP_OPTS_USE_SUBKEY)) {
66       ret = krb5_auth_con_generatelocalsubkey(context, ac, &in_creds->session);
67       if(ret)
68 	  return ret;
69   }
70 
71 #if 0
72   {
73       /* This is somewhat bogus since we're possibly overwriting a
74          value specified by the user, but it's the easiest way to make
75          the code use a compatible enctype */
76       Ticket ticket;
77       krb5_keytype ticket_keytype;
78 
79       ret = decode_Ticket(in_creds->ticket.data,
80 			  in_creds->ticket.length,
81 			  &ticket,
82 			  NULL);
83       krb5_enctype_to_keytype (context,
84 			       ticket.enc_part.etype,
85 			       &ticket_keytype);
86 
87       if (ticket_keytype == in_creds->session.keytype)
88 	  krb5_auth_setenctype(context,
89 			       ac,
90 			       ticket.enc_part.etype);
91       free_Ticket(&ticket);
92   }
93 #endif
94 
95   krb5_free_keyblock(context, ac->keyblock);
96   krb5_copy_keyblock(context, &in_creds->session, &ac->keyblock);
97 
98   /* it's unclear what type of checksum we can use.  try the best one, except:
99    * a) if it's configured differently for the current realm, or
100    * b) if the session key is des-cbc-crc
101    */
102 
103   if (in_data) {
104       if(ac->keyblock->keytype == ETYPE_DES_CBC_CRC) {
105 	  /* this is to make DCE secd (and older MIT kdcs?) happy */
106 	  ret = krb5_create_checksum(context,
107 				     NULL,
108 				     0,
109 				     CKSUMTYPE_RSA_MD4,
110 				     in_data->data,
111 				     in_data->length,
112 				     &c);
113       } else if(ac->keyblock->keytype == ETYPE_ARCFOUR_HMAC_MD5) {
114 	  /* this is to make MS kdc happy */
115 	  ret = krb5_create_checksum(context,
116 				     NULL,
117 				     0,
118 				     CKSUMTYPE_RSA_MD5,
119 				     in_data->data,
120 				     in_data->length,
121 				     &c);
122       } else {
123 	  krb5_crypto crypto;
124 
125 	  ret = krb5_crypto_init(context, ac->keyblock, 0, &crypto);
126 	  if (ret)
127 	      return ret;
128 	  ret = krb5_create_checksum(context,
129 				     crypto,
130 				     checksum_usage,
131 				     0,
132 				     in_data->data,
133 				     in_data->length,
134 				     &c);
135 
136 	  krb5_crypto_destroy(context, crypto);
137       }
138       c_opt = &c;
139   } else {
140       c_opt = NULL;
141   }
142 
143   ret = krb5_build_authenticator (context,
144 				  ac,
145 				  ac->keyblock->keytype,
146 				  in_creds,
147 				  c_opt,
148 				  NULL,
149 				  &authenticator,
150 				  encrypt_usage);
151   if (c_opt)
152       free_Checksum (c_opt);
153   if (ret)
154     return ret;
155 
156   ret = krb5_build_ap_req (context, ac->keyblock->keytype,
157 			   in_creds, ap_req_options, authenticator, outbuf);
158   if(auth_context == NULL)
159       krb5_auth_con_free(context, ac);
160   return ret;
161 }
162 
163 krb5_error_code
164 krb5_mk_req_extended(krb5_context context,
165 		     krb5_auth_context *auth_context,
166 		     const krb5_flags ap_req_options,
167 		     krb5_data *in_data,
168 		     krb5_creds *in_creds,
169 		     krb5_data *outbuf)
170 {
171     return krb5_mk_req_internal (context,
172 				 auth_context,
173 				 ap_req_options,
174 				 in_data,
175 				 in_creds,
176 				 outbuf,
177 				 KRB5_KU_AP_REQ_AUTH_CKSUM,
178 				 KRB5_KU_AP_REQ_AUTH);
179 }
180