/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
*
* Copyright (C) 2009 by the Massachusetts Institute of Technology.
* All rights reserved.
*
* Export of this software from the United States of America may
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
*
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
* notice appear in all copies and that both that copyright notice and
* this permission notice appear in supporting documentation, and that
* the name of M.I.T. not be used in advertising or publicity pertaining
* to distribution of the software without specific, written prior
* permission. Furthermore if you modify this software you must label
* your software as modified software and not distribute it in such a
* fashion that it might be confused with the original M.I.T. software.
* M.I.T. makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
*
*
* Implement Encrypted Challenge fast factor from
* draft-ietf-krb-wg-preauth-framework
*/
#include <k5-int.h>
#include "../fast_factor.h"
/* Solaris Kerberos */
#include <preauth_plugin.h>
/* Solaris Kerberos */
#include <libintl.h>
static int
{
return PA_REAL;
}
static krb5_error_code
{
return 0;
return 0;
if (retval == 0) {
}
if (retval == 0)
if (retval == 0)
if (retval == 0) {
}
if (retval == 0)
/*
* Per draft 11 of the preauth framework, the client MAY but is not
* required to actually check the timestamp from the KDC other than to
* confirm it decrypts. This code does not perform that check.
*/
if (retval == 0)
if (enc)
} else { /*No padata; we send*/
if (retval == 0)
if (retval == 0)
if (retval == 0)
armor_key, "clientchallengearmor",
as_key, "challengelongterm",
if (retval == 0)
encoded_ts, &enc);
if (encoded_ts)
encoded_ts = NULL;
if (retval == 0) {
}
if (retval == 0) {
}
if (retval == 0) {
}
if (retval == 0) {
encoded_ts = NULL;
*out_padata = pa_array;
}
if (pa)
if (encoded_ts)
if (pa_array)
}
if (challenge_key)
if (armor_key)
if (etype_data != NULL)
&etype_data);
return retval;
}
static krb5_error_code
struct _krb5_db_entry_new *client,
struct _krb5_db_entry_new *server,
{
if (retval)
return retval;
if (armor_key == 0)
return ENOENT;
return 0;
}
static krb5_error_code
void *pa_module_context, void **pa_request_context,
{
int i = 0;
return 0;
/* Solaris Kerberos */
krb5_set_error_message(context, ENOENT, gettext("Encrypted Challenge used outside of FAST tunnel"));
}
if (retval == 0)
if (retval == 0) {
}
if (retval == 0)
if (retval == 0) {
armor_key, "clientchallengearmor",
&client_keys[i], "challengelongterm",
if (retval == 0)
if (challenge_key)
if (retval == 0)
break;
/*We failed to decrypt. Try next key*/
retval = 0;
}
if (client_keys[i].enctype == 0) {
/* Solaris Kerberos */
} else { /*not run out of keys*/
int j;
}
}
if (retval == 0)
if (retval == 0)
if (retval == 0) {
/*
* If this fails, we won't generate a reply to the client. That
* may cause the client to fail, but at this point the KDC has
* considered this a success, so the return value is ignored.
*/
&client_keys[i], "challengelongterm",
(krb5_keyblock **) pa_request_context);
} else { /*skew*/
}
}
if (client_keys) {
if (client_keys[i].enctype)
}
if (armor_key)
if (enc)
if (ts)
return retval;
}
static krb5_error_code
struct _krb5_key_data *client_keys,
void *pa_module_context, void **pa_request_context)
{
return 0;
if (challenge_key == NULL)
return 0;
* challenge key*/
if (retval == 0)
if (retval == 0)
if (retval == 0)
if (retval == 0) {
}
if (retval == 0) {
}
if (challenge_key)
if (encoded)
if (plain)
return retval;
}
static int
{
return 0;
}
"Encrypted challenge",
&supported_pa_types[0],
NULL,
NULL,
};
"Encrypted Challenge", /* name */
&supported_pa_types[0], /* pa_type_list */
NULL, /* enctype_list */
NULL, /* plugin init function */
NULL, /* plugin fini function */
preauth_flags, /* get flags function */
NULL, /* request init function */
NULL, /* request fini function */
process_preauth, /* process function */
NULL, /* try_again function */
NULL /* get init creds opt function */
};