1*d3273b5bSchristos /* $NetBSD: mk_req_ext.c,v 1.2 2017/01/28 21:31:49 christos Exp $ */
2ca1c9b0cSelric
3ca1c9b0cSelric /*
4ca1c9b0cSelric * Copyright (c) 1997 - 2002 Kungliga Tekniska Högskolan
5ca1c9b0cSelric * (Royal Institute of Technology, Stockholm, Sweden).
6ca1c9b0cSelric * All rights reserved.
7ca1c9b0cSelric *
8ca1c9b0cSelric * Redistribution and use in source and binary forms, with or without
9ca1c9b0cSelric * modification, are permitted provided that the following conditions
10ca1c9b0cSelric * are met:
11ca1c9b0cSelric *
12ca1c9b0cSelric * 1. Redistributions of source code must retain the above copyright
13ca1c9b0cSelric * notice, this list of conditions and the following disclaimer.
14ca1c9b0cSelric *
15ca1c9b0cSelric * 2. Redistributions in binary form must reproduce the above copyright
16ca1c9b0cSelric * notice, this list of conditions and the following disclaimer in the
17ca1c9b0cSelric * documentation and/or other materials provided with the distribution.
18ca1c9b0cSelric *
19ca1c9b0cSelric * 3. Neither the name of the Institute nor the names of its contributors
20ca1c9b0cSelric * may be used to endorse or promote products derived from this software
21ca1c9b0cSelric * without specific prior written permission.
22ca1c9b0cSelric *
23ca1c9b0cSelric * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
24ca1c9b0cSelric * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
25ca1c9b0cSelric * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
26ca1c9b0cSelric * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
27ca1c9b0cSelric * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
28ca1c9b0cSelric * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
29ca1c9b0cSelric * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
30ca1c9b0cSelric * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
31ca1c9b0cSelric * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
32ca1c9b0cSelric * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
33ca1c9b0cSelric * SUCH DAMAGE.
34ca1c9b0cSelric */
35ca1c9b0cSelric
36ca1c9b0cSelric #include "krb5_locl.h"
37ca1c9b0cSelric
38b9d004c6Schristos KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
_krb5_mk_req_internal(krb5_context context,krb5_auth_context * auth_context,const krb5_flags ap_req_options,krb5_data * in_data,krb5_creds * in_creds,krb5_data * outbuf,krb5_key_usage checksum_usage,krb5_key_usage encrypt_usage)39ca1c9b0cSelric _krb5_mk_req_internal(krb5_context context,
40ca1c9b0cSelric krb5_auth_context *auth_context,
41ca1c9b0cSelric const krb5_flags ap_req_options,
42ca1c9b0cSelric krb5_data *in_data,
43ca1c9b0cSelric krb5_creds *in_creds,
44ca1c9b0cSelric krb5_data *outbuf,
45ca1c9b0cSelric krb5_key_usage checksum_usage,
46ca1c9b0cSelric krb5_key_usage encrypt_usage)
47ca1c9b0cSelric {
48ca1c9b0cSelric krb5_error_code ret;
49ca1c9b0cSelric krb5_data authenticator;
50ca1c9b0cSelric Checksum c;
51ca1c9b0cSelric Checksum *c_opt;
52ca1c9b0cSelric krb5_auth_context ac;
53ca1c9b0cSelric
54ca1c9b0cSelric if(auth_context) {
55ca1c9b0cSelric if(*auth_context == NULL)
56ca1c9b0cSelric ret = krb5_auth_con_init(context, auth_context);
57ca1c9b0cSelric else
58ca1c9b0cSelric ret = 0;
59ca1c9b0cSelric ac = *auth_context;
60ca1c9b0cSelric } else
61ca1c9b0cSelric ret = krb5_auth_con_init(context, &ac);
62ca1c9b0cSelric if(ret)
63ca1c9b0cSelric return ret;
64ca1c9b0cSelric
65ca1c9b0cSelric if(ac->local_subkey == NULL && (ap_req_options & AP_OPTS_USE_SUBKEY)) {
66ca1c9b0cSelric ret = krb5_auth_con_generatelocalsubkey(context,
67ca1c9b0cSelric ac,
68ca1c9b0cSelric &in_creds->session);
69ca1c9b0cSelric if(ret)
70ca1c9b0cSelric goto out;
71ca1c9b0cSelric }
72ca1c9b0cSelric
73ca1c9b0cSelric krb5_free_keyblock(context, ac->keyblock);
74ca1c9b0cSelric ret = krb5_copy_keyblock(context, &in_creds->session, &ac->keyblock);
75ca1c9b0cSelric if (ret)
76ca1c9b0cSelric goto out;
77ca1c9b0cSelric
78ca1c9b0cSelric /* it's unclear what type of checksum we can use. try the best one, except:
79ca1c9b0cSelric * a) if it's configured differently for the current realm, or
80ca1c9b0cSelric * b) if the session key is des-cbc-crc
81ca1c9b0cSelric */
82ca1c9b0cSelric
83ca1c9b0cSelric if (in_data) {
84ca1c9b0cSelric if(ac->keyblock->keytype == ETYPE_DES_CBC_CRC) {
85ca1c9b0cSelric /* this is to make DCE secd (and older MIT kdcs?) happy */
86ca1c9b0cSelric ret = krb5_create_checksum(context,
87ca1c9b0cSelric NULL,
88ca1c9b0cSelric 0,
89ca1c9b0cSelric CKSUMTYPE_RSA_MD4,
90ca1c9b0cSelric in_data->data,
91ca1c9b0cSelric in_data->length,
92ca1c9b0cSelric &c);
93ca1c9b0cSelric } else if(ac->keyblock->keytype == ETYPE_ARCFOUR_HMAC_MD5 ||
94ca1c9b0cSelric ac->keyblock->keytype == ETYPE_ARCFOUR_HMAC_MD5_56 ||
95ca1c9b0cSelric ac->keyblock->keytype == ETYPE_DES_CBC_MD4 ||
96ca1c9b0cSelric ac->keyblock->keytype == ETYPE_DES_CBC_MD5) {
97ca1c9b0cSelric /* this is to make MS kdc happy */
98ca1c9b0cSelric ret = krb5_create_checksum(context,
99ca1c9b0cSelric NULL,
100ca1c9b0cSelric 0,
101ca1c9b0cSelric CKSUMTYPE_RSA_MD5,
102ca1c9b0cSelric in_data->data,
103ca1c9b0cSelric in_data->length,
104ca1c9b0cSelric &c);
105ca1c9b0cSelric } else {
106ca1c9b0cSelric krb5_crypto crypto;
107ca1c9b0cSelric
108ca1c9b0cSelric ret = krb5_crypto_init(context, ac->keyblock, 0, &crypto);
109ca1c9b0cSelric if (ret)
110ca1c9b0cSelric goto out;
111ca1c9b0cSelric ret = krb5_create_checksum(context,
112ca1c9b0cSelric crypto,
113ca1c9b0cSelric checksum_usage,
114ca1c9b0cSelric 0,
115ca1c9b0cSelric in_data->data,
116ca1c9b0cSelric in_data->length,
117ca1c9b0cSelric &c);
118ca1c9b0cSelric krb5_crypto_destroy(context, crypto);
119ca1c9b0cSelric }
120ca1c9b0cSelric c_opt = &c;
121ca1c9b0cSelric } else {
122ca1c9b0cSelric c_opt = NULL;
123ca1c9b0cSelric }
124ca1c9b0cSelric
125ca1c9b0cSelric if (ret)
126ca1c9b0cSelric goto out;
127ca1c9b0cSelric
128ca1c9b0cSelric ret = _krb5_build_authenticator(context,
129ca1c9b0cSelric ac,
130ca1c9b0cSelric ac->keyblock->keytype,
131ca1c9b0cSelric in_creds,
132ca1c9b0cSelric c_opt,
133ca1c9b0cSelric &authenticator,
134ca1c9b0cSelric encrypt_usage);
135ca1c9b0cSelric if (c_opt)
136ca1c9b0cSelric free_Checksum (c_opt);
137ca1c9b0cSelric if (ret)
138ca1c9b0cSelric goto out;
139ca1c9b0cSelric
140ca1c9b0cSelric ret = krb5_build_ap_req (context, ac->keyblock->keytype,
141ca1c9b0cSelric in_creds, ap_req_options, authenticator, outbuf);
142ca1c9b0cSelric out:
143ca1c9b0cSelric if(auth_context == NULL)
144ca1c9b0cSelric krb5_auth_con_free(context, ac);
145ca1c9b0cSelric return ret;
146ca1c9b0cSelric }
147ca1c9b0cSelric
148ca1c9b0cSelric KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_mk_req_extended(krb5_context context,krb5_auth_context * auth_context,const krb5_flags ap_req_options,krb5_data * in_data,krb5_creds * in_creds,krb5_data * outbuf)149ca1c9b0cSelric krb5_mk_req_extended(krb5_context context,
150ca1c9b0cSelric krb5_auth_context *auth_context,
151ca1c9b0cSelric const krb5_flags ap_req_options,
152ca1c9b0cSelric krb5_data *in_data,
153ca1c9b0cSelric krb5_creds *in_creds,
154ca1c9b0cSelric krb5_data *outbuf)
155ca1c9b0cSelric {
156ca1c9b0cSelric return _krb5_mk_req_internal (context,
157ca1c9b0cSelric auth_context,
158ca1c9b0cSelric ap_req_options,
159ca1c9b0cSelric in_data,
160ca1c9b0cSelric in_creds,
161ca1c9b0cSelric outbuf,
162ca1c9b0cSelric KRB5_KU_AP_REQ_AUTH_CKSUM,
163ca1c9b0cSelric KRB5_KU_AP_REQ_AUTH);
164ca1c9b0cSelric }
165