OM_uint32 _gsskrb5_unwrap
(OM_uint32 * minor_status,
const gss_ctx_id_t context_handle,
const gss_buffer_t input_message_buffer,
gss_buffer_t output_message_buffer,
int * conf_state,
gss_qop_t * qop_state
)
{
krb5_keyblock *key;
krb5_context context;
OM_uint32 ret;
krb5_keytype keytype;
gsskrb5_ctx ctx = (gsskrb5_ctx) context_handle;
output_message_buffer->value = NULL;
output_message_buffer->length = 0;
GSSAPI_KRB5_INIT (&context);
if (qop_state != NULL)
*qop_state = GSS_C_QOP_DEFAULT;
HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex);
ret = _gsskrb5i_get_token_key(ctx, context, &key);
HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
if (ret) {
*minor_status = ret;
return GSS_S_FAILURE;
}
krb5_enctype_to_keytype (context, key->keytype, &keytype);
*minor_status = 0;
switch (keytype) {
case KEYTYPE_DES :
ret = unwrap_des (minor_status, ctx,
input_message_buffer, output_message_buffer,
conf_state, qop_state, key);
break;
case KEYTYPE_DES3 :
ret = unwrap_des3 (minor_status, ctx, context,
input_message_buffer, output_message_buffer,
conf_state, qop_state, key);
break;
case KEYTYPE_ARCFOUR:
case KEYTYPE_ARCFOUR_56:
ret = _gssapi_unwrap_arcfour (minor_status, ctx, context,
input_message_buffer, output_message_buffer,
conf_state, qop_state, key);
break;
default :
ret = _gssapi_unwrap_cfx (minor_status, ctx, context,
input_message_buffer, output_message_buffer,
conf_state, qop_state, key);
break;
}
krb5_free_keyblock (context, key);
return ret;
}
OM_uint32
_gsskrb5_verify_mic_internal
(OM_uint32 * minor_status,
const gsskrb5_ctx ctx,
krb5_context context,
const gss_buffer_t message_buffer,
const gss_buffer_t token_buffer,
gss_qop_t * qop_state,
char * type
)
{
krb5_keyblock *key;
OM_uint32 ret;
krb5_keytype keytype;
if (ctx->more_flags & IS_CFX)
return _gssapi_verify_mic_cfx (minor_status, ctx,
context, message_buffer, token_buffer,
qop_state);
HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex);
ret = _gsskrb5i_get_token_key(ctx, context, &key);
HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
if (ret) {
*minor_status = ret;
return GSS_S_FAILURE;
}
*minor_status = 0;
krb5_enctype_to_keytype (context, key->keytype, &keytype);
switch (keytype) {
case KEYTYPE_DES :
#ifdef HEIM_WEAK_CRYPTO
ret = verify_mic_des (minor_status, ctx, context,
message_buffer, token_buffer, qop_state, key,
type);
#else
ret = GSS_S_FAILURE;
#endif
break;
case KEYTYPE_DES3 :
ret = verify_mic_des3 (minor_status, ctx, context,
message_buffer, token_buffer, qop_state, key,
type);
break;
case KEYTYPE_ARCFOUR :
case KEYTYPE_ARCFOUR_56 :
ret = _gssapi_verify_mic_arcfour (minor_status, ctx,
context,
message_buffer, token_buffer,
qop_state, key, type);
break;
default :
abort();
}
krb5_free_keyblock (context, key);
return ret;
}
OM_uint32 GSSAPI_CALLCONV
_gk_wrap_iov(OM_uint32 * minor_status,
gss_ctx_id_t context_handle,
int conf_req_flag,
gss_qop_t qop_req,
int * conf_state,
gss_iov_buffer_desc *iov,
int iov_count)
{
const gsskrb5_ctx ctx = (const gsskrb5_ctx) context_handle;
krb5_context context;
OM_uint32 ret;
krb5_keyblock *key;
krb5_keytype keytype;
GSSAPI_KRB5_INIT (&context);
if (ctx->more_flags & IS_CFX)
return _gssapi_wrap_cfx_iov(minor_status, ctx, context,
conf_req_flag, conf_state,
iov, iov_count);
HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex);
ret = _gsskrb5i_get_token_key(ctx, context, &key);
HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
if (ret) {
*minor_status = ret;
return GSS_S_FAILURE;
}
krb5_enctype_to_keytype(context, key->keytype, &keytype);
switch (keytype) {
case KEYTYPE_ARCFOUR:
case KEYTYPE_ARCFOUR_56:
ret = _gssapi_wrap_iov_arcfour(minor_status, ctx, context,
conf_req_flag, conf_state,
iov, iov_count, key);
break;
default:
ret = GSS_S_FAILURE;
break;
}
krb5_free_keyblock(context, key);
return ret;
}
krb5_error_code
_krb5_mk_req_internal(krb5_context context,
krb5_auth_context *auth_context,
const krb5_flags ap_req_options,
krb5_data *in_data,
krb5_creds *in_creds,
krb5_data *outbuf,
krb5_key_usage checksum_usage,
krb5_key_usage encrypt_usage)
{
krb5_error_code ret;
krb5_data authenticator;
Checksum c;
Checksum *c_opt;
krb5_auth_context ac;
if(auth_context) {
if(*auth_context == NULL)
ret = krb5_auth_con_init(context, auth_context);
else
ret = 0;
ac = *auth_context;
} else
ret = krb5_auth_con_init(context, &ac);
if(ret)
return ret;
if(ac->local_subkey == NULL && (ap_req_options & AP_OPTS_USE_SUBKEY)) {
ret = krb5_auth_con_generatelocalsubkey(context, ac, &in_creds->session);
if(ret)
goto out;
}
#if 0
{
/* This is somewhat bogus since we're possibly overwriting a
value specified by the user, but it's the easiest way to make
the code use a compatible enctype */
Ticket ticket;
krb5_keytype ticket_keytype;
ret = decode_Ticket(in_creds->ticket.data,
in_creds->ticket.length,
&ticket,
NULL);
krb5_enctype_to_keytype (context,
ticket.enc_part.etype,
&ticket_keytype);
if (ticket_keytype == in_creds->session.keytype)
krb5_auth_setenctype(context,
ac,
ticket.enc_part.etype);
free_Ticket(&ticket);
}
#endif
krb5_free_keyblock(context, ac->keyblock);
ret = krb5_copy_keyblock(context, &in_creds->session, &ac->keyblock);
if (ret)
goto out;
/* it's unclear what type of checksum we can use. try the best one, except:
* a) if it's configured differently for the current realm, or
* b) if the session key is des-cbc-crc
*/
if (in_data) {
if(ac->keyblock->keytype == ETYPE_DES_CBC_CRC) {
/* this is to make DCE secd (and older MIT kdcs?) happy */
ret = krb5_create_checksum(context,
NULL,
0,
CKSUMTYPE_RSA_MD4,
in_data->data,
in_data->length,
&c);
} else if(ac->keyblock->keytype == ETYPE_ARCFOUR_HMAC_MD5 ||
ac->keyblock->keytype == ETYPE_ARCFOUR_HMAC_MD5_56) {
/* this is to make MS kdc happy */
ret = krb5_create_checksum(context,
NULL,
0,
CKSUMTYPE_RSA_MD5,
in_data->data,
in_data->length,
&c);
} else {
krb5_crypto crypto;
ret = krb5_crypto_init(context, ac->keyblock, 0, &crypto);
if (ret)
goto out;
ret = krb5_create_checksum(context,
crypto,
checksum_usage,
0,
in_data->data,
in_data->length,
&c);
krb5_crypto_destroy(context, crypto);
}
c_opt = &c;
} else {
c_opt = NULL;
}
if (ret)
goto out;
ret = krb5_build_authenticator (context,
ac,
ac->keyblock->keytype,
in_creds,
c_opt,
NULL,
&authenticator,
encrypt_usage);
if (c_opt)
free_Checksum (c_opt);
if (ret)
goto out;
ret = krb5_build_ap_req (context, ac->keyblock->keytype,
in_creds, ap_req_options, authenticator, outbuf);
out:
if(auth_context == NULL)
krb5_auth_con_free(context, ac);
return ret;
}
