Diffstat (limited to 'src/lib/krb5/krb/mk_req_ext.c')
-rw-r--r-- | src/lib/krb5/krb/mk_req_ext.c | 58 |
1 files changed, 39 insertions, 19 deletions
diff --git a/src/lib/krb5/krb/mk_req_ext.c b/src/lib/krb5/krb/mk_req_ext.c
index 1ed14a9..cdb8f69 100644
--- a/src/lib/krb5/krb/mk_req_ext.c
+++ b/src/lib/krb5/krb/mk_req_ext.c
@@ -68,7 +68,39 @@ static krb5_error_code krb5_generate_authenticator (krb5_context, krb5_authenticator *, krb5_principal, krb5_checksum *, krb5_keyblock *,
- krb5_int32, krb5_authdata ** );
+ krb5_ui_4, krb5_authdata ** );
+
+krb5_error_code
+krb5int_generate_and_save_subkey (krb5_context context,
+ krb5_auth_context auth_context,
+ krb5_keyblock *keyblock)
+{
+ /* Provide some more fodder for random number code.
+ This isn't strong cryptographically; the point here is not
+ to guarantee randomness, but to make it less likely that multiple
+ sessions could pick the same subkey. */
+ struct {
+ krb5_int32 sec, usec;
+ } rnd_data;
+ krb5_data d;
+ krb5_error_code retval;
+
+ krb5_crypto_us_timeofday (&rnd_data.sec, &rnd_data.usec);
+ d.length = sizeof (rnd_data);
+ d.data = (char *) &rnd_data;
+ (void) krb5_c_random_add_entropy (context, KRB5_C_RANDSOURCE_TIMING, &d);
+
+ if ((retval = krb5_generate_subkey(context, keyblock, &auth_context->send_subkey)))
+ return retval;
+ retval = krb5_copy_keyblock(context, auth_context->send_subkey,
+ &auth_context->recv_subkey);
+ if (retval) {
+ krb5_free_keyblock(context, auth_context->send_subkey);
+ auth_context->send_subkey = NULL;
+ return retval;
+ }
+ return 0;
+}
 krb5_error_code KRB5_CALLCONV krb5_mk_req_extended(krb5_context context, krb5_auth_context *auth_context,
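Review bot: `krb5int_generate_and_save_subkey` writes the copied key into `auth_context->recv_subkey` without checking what that field already holds, and the only guard, at the call site in the `@@ -130,22 +162,10 @@` hunk, tests `send_subkey` alone. If an auth context can reach this point with `recv_subkey` already set (not visible in this diff), the old keyblock pointer is overwritten without being freed, which leaves key material stranded on the heap. The helper has external linkage, so other callers may not honour the precondition that `krb5_mk_req_extended` happens to check. I would either record it in a header comment, e.g. `/* Expects auth_context->send_subkey and ->recv_subkey to be NULL on entry; existing keys are overwritten, not freed. */`, or release the old key ahead of the copy with `if (auth_context->recv_subkey != NULL) krb5_free_keyblock(context, auth_context->recv_subkey);`.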
@@ -130,22 +162,10 @@ krb5_mk_req_extended(krb5_context context, krb5_auth_context *auth_context, goto cleanup; }
- if ((ap_req_options & AP_OPTS_USE_SUBKEY)&&(!(*auth_context)->local_subkey)) {
- /* Provide some more fodder for random number code.
- This isn't strong cryptographically; the point here is not
- to guarantee randomness, but to make it less likely that multiple
- sessions could pick the same subkey. */
- struct {
- krb5_int32 sec, usec;
- } rnd_data;
- krb5_data d;
- krb5_crypto_us_timeofday (&rnd_data.sec, &rnd_data.usec);
- d.length = sizeof (rnd_data);
- d.data = (char *) &rnd_data;
- (void) krb5_c_random_add_entropy (context, KRB5_C_RANDSOURCE_TIMING, &d);
-
- if ((retval = krb5_generate_subkey(context, &(in_creds)->keyblock,
- &(*auth_context)->local_subkey)))
+ if ((ap_req_options & AP_OPTS_USE_SUBKEY)&&(!(*auth_context)->send_subkey)) {
+ retval = krb5int_generate_and_save_subkey (context, *auth_context,
+ &in_creds->keyblock);
+ if (retval)
 goto cleanup; }
@@ -178,7 +198,7 @@ krb5_mk_req_extended(krb5_context context, krb5_auth_context *auth_context, if ((retval = krb5_generate_authenticator(context, (*auth_context)->authentp, (in_creds)->client, checksump,
- (*auth_context)->local_subkey,
+ (*auth_context)->send_subkey,
 (*auth_context)->local_seq_number, (in_creds)->authdata))) goto cleanup_cksum;
@@ -232,7 +252,7 @@ cleanup: } static krb5_error_code
-krb5_generate_authenticator(krb5_context context, krb5_authenticator *authent, krb5_principal client, krb5_checksum *cksum, krb5_keyblock *key, krb5_int32 seq_number, krb5_authdata **authorization)
+krb5_generate_authenticator(krb5_context context, krb5_authenticator *authent, krb5_principal client, krb5_checksum *cksum, krb5_keyblock *key, krb5_ui_4 seq_number, krb5_authdata **authorization)
 { krb5_error_code retval; |
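Review bot: The `seq_number` parameter becomes `krb5_ui_4` in this definition and in the prototype in the first hunk, but the value passed at the call site is `(*auth_context)->local_seq_number`, whose declaration lies outside this file-limited diff. If that field, or any field the body stores the value in (not visible here), is still `krb5_int32`, the number is converted implicitly at each boundary and values above 2^31-1 change sign along the way. It is worth confirming that both were switched in the same commit. A short comment above the definition, e.g. `/* seq_number is carried as an unsigned 32-bit value end to end. */`, would record the intent. The body of `krb5_generate_authenticator` continues past the end of this hunk.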