Diffstat (limited to 'source4/heimdal/lib/krb5/mk_req_ext.c')
-rw-r--r--source4/heimdal/lib/krb5/mk_req_ext.c195
1 files changed, 89 insertions, 106 deletions
diff --git a/source4/heimdal/lib/krb5/mk_req_ext.c b/source4/heimdal/lib/krb5/mk_req_ext.c
index ab83d912ea..18b0e3552f 100644
--- a/source4/heimdal/lib/krb5/mk_req_ext.c
+++ b/source4/heimdal/lib/krb5/mk_req_ext.c
@@ -33,7 +33,7 @@
#include <krb5_locl.h>
-RCSID("$Id: mk_req_ext.c,v 1.30 2005/01/05 06:31:01 lukeh Exp $");
+RCSID("$Id: mk_req_ext.c,v 1.32 2006/03/19 20:33:13 lha Exp $");
krb5_error_code
_krb5_mk_req_internal(krb5_context context,
@@ -45,120 +45,103 @@ _krb5_mk_req_internal(krb5_context context,
krb5_key_usage checksum_usage,
krb5_key_usage encrypt_usage)
{
- krb5_error_code ret;
- krb5_data authenticator;
- Checksum c;
- Checksum *c_opt;
- krb5_auth_context ac;
+ krb5_error_code ret;
+ krb5_data authenticator;
+ Checksum c;
+ Checksum *c_opt;
+ krb5_auth_context ac;
- if(auth_context) {
- if(*auth_context == NULL)
- ret = krb5_auth_con_init(context, auth_context);
- else
- ret = 0;
- ac = *auth_context;
- } else
- ret = krb5_auth_con_init(context, &ac);
- if(ret)
- return ret;
+ if(auth_context) {
+ if(*auth_context == NULL)
+ ret = krb5_auth_con_init(context, auth_context);
+ else
+ ret = 0;
+ ac = *auth_context;
+ } else
+ ret = krb5_auth_con_init(context, &ac);
+ if(ret)
+ return ret;
- if(ac->local_subkey == NULL && (ap_req_options & AP_OPTS_USE_SUBKEY)) {
- ret = krb5_auth_con_generatelocalsubkey(context, ac, &in_creds->session);
- if(ret)
- return ret;
- }
+ if(ac->local_subkey == NULL && (ap_req_options & AP_OPTS_USE_SUBKEY)) {
+ ret = krb5_auth_con_generatelocalsubkey(context,
+ ac,
+ &in_creds->session);
+ if(ret)
+ goto out;
+ }
-#if 0
- {
- /* This is somewhat bogus since we're possibly overwriting a
- value specified by the user, but it's the easiest way to make
- the code use a compatible enctype */
- Ticket ticket;
- krb5_keytype ticket_keytype;
+ krb5_free_keyblock(context, ac->keyblock);
+ ret = krb5_copy_keyblock(context, &in_creds->session, &ac->keyblock);
+ if (ret)
+ goto out;
+
+ /* it's unclear what type of checksum we can use. try the best one, except:
+ * a) if it's configured differently for the current realm, or
+ * b) if the session key is des-cbc-crc
+ */
- ret = decode_Ticket(in_creds->ticket.data,
- in_creds->ticket.length,
- &ticket,
- NULL);
- krb5_enctype_to_keytype (context,
- ticket.enc_part.etype,
- &ticket_keytype);
+ if (in_data) {
+ if(ac->keyblock->keytype == ETYPE_DES_CBC_CRC) {
+ /* this is to make DCE secd (and older MIT kdcs?) happy */
+ ret = krb5_create_checksum(context,
+ NULL,
+ 0,
+ CKSUMTYPE_RSA_MD4,
+ in_data->data,
+ in_data->length,
+ &c);
+ } else if(ac->keyblock->keytype == ETYPE_ARCFOUR_HMAC_MD5 ||
+ ac->keyblock->keytype == ETYPE_ARCFOUR_HMAC_MD5_56) {
+ /* this is to make MS kdc happy */
+ ret = krb5_create_checksum(context,
+ NULL,
+ 0,
+ CKSUMTYPE_RSA_MD5,
+ in_data->data,
+ in_data->length,
+ &c);
+ } else {
+ krb5_crypto crypto;
- if (ticket_keytype == in_creds->session.keytype)
- krb5_auth_setenctype(context,
- ac,
- ticket.enc_part.etype);
- free_Ticket(&ticket);
- }
-#endif
+ ret = krb5_crypto_init(context, ac->keyblock, 0, &crypto);
+ if (ret)
+ goto out;
+ ret = krb5_create_checksum(context,
+ crypto,
+ checksum_usage,
+ 0,
+ in_data->data,
+ in_data->length,
+ &c);
+ krb5_crypto_destroy(context, crypto);
+ }
+ c_opt = &c;
+ } else {
+ c_opt = NULL;
+ }
- krb5_free_keyblock(context, ac->keyblock);
- krb5_copy_keyblock(context, &in_creds->session, &ac->keyblock);
+ if (ret)
+ goto out;
- /* it's unclear what type of checksum we can use. try the best one, except:
- * a) if it's configured differently for the current realm, or
- * b) if the session key is des-cbc-crc
- */
-
- if (in_data) {
- if(ac->keyblock->keytype == ETYPE_DES_CBC_CRC) {
- /* this is to make DCE secd (and older MIT kdcs?) happy */
- ret = krb5_create_checksum(context,
- NULL,
- 0,
- CKSUMTYPE_RSA_MD4,
- in_data->data,
- in_data->length,
- &c);
- } else if(ac->keyblock->keytype == ETYPE_ARCFOUR_HMAC_MD5 ||
- ac->keyblock->keytype == ETYPE_ARCFOUR_HMAC_MD5_56) {
- /* this is to make MS kdc happy */
- ret = krb5_create_checksum(context,
- NULL,
- 0,
- CKSUMTYPE_RSA_MD5,
- in_data->data,
- in_data->length,
- &c);
- } else {
- krb5_crypto crypto;
+ ret = krb5_build_authenticator (context,
+ ac,
+ ac->keyblock->keytype,
+ in_creds,
+ c_opt,
+ NULL,
+ &authenticator,
+ encrypt_usage);
+ if (c_opt)
+ free_Checksum (c_opt);
+ if (ret)
+ goto out;
- ret = krb5_crypto_init(context, ac->keyblock, 0, &crypto);
- if (ret)
- return ret;
- ret = krb5_create_checksum(context,
- crypto,
- checksum_usage,
- 0,
- in_data->data,
- in_data->length,
- &c);
-
- krb5_crypto_destroy(context, crypto);
- }
- c_opt = &c;
- } else {
- c_opt = NULL;
- }
-
- ret = krb5_build_authenticator (context,
- ac,
- ac->keyblock->keytype,
- in_creds,
- c_opt,
- NULL,
- &authenticator,
- encrypt_usage);
- if (c_opt)
- free_Checksum (c_opt);
- if (ret)
+ ret = krb5_build_ap_req (context, ac->keyblock->keytype,
+ in_creds, ap_req_options, authenticator, outbuf);
+out:
+ if(auth_context == NULL)
+ krb5_auth_con_free(context, ac);
return ret;
-
- ret = krb5_build_ap_req (context, ac->keyblock->keytype,
- in_creds, ap_req_options, authenticator, outbuf);
- if(auth_context == NULL)
- krb5_auth_con_free(context, ac);
- return ret;
}
krb5_error_code KRB5_LIB_FUNCTION
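Review bot: The new `goto out` taken when `krb5_copy_keyblock` fails can leave `ac->keyblock` pointing at the keyblock that `krb5_free_keyblock` released on the line before, unless `krb5_copy_keyblock` itself resets its output on failure, which this hunk does not show. When the caller supplied `auth_context`, the `out:` path deliberately does not free `ac`, so the caller keeps an auth context holding a stale pointer, and a later `krb5_auth_con_free` or reuse of that context could free or read the memory again. Adding `ac->keyblock = NULL;` between the free and the copy closes that window regardless of how the copy routine behaves. The parameter list of `_krb5_mk_req_internal` begins above the hunk, so ownership of `*auth_context` should be confirmed against the full signature and its callers.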