krb5/krb/preauth.c

159d09a2SMark Phalan/*
159d09a2SMark Phalan * Copyright 1995 by the Massachusetts Institute of Technology.  All
159d09a2SMark Phalan * Rights Reserved.
159d09a2SMark Phalan *
159d09a2SMark Phalan * Export of this software from the United States of America may
159d09a2SMark Phalan *   require a specific license from the United States Government.
159d09a2SMark Phalan *   It is the responsibility of any person or organization contemplating
159d09a2SMark Phalan *   export to obtain such a license before exporting.
159d09a2SMark Phalan *
159d09a2SMark Phalan * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
159d09a2SMark Phalan * distribute this software and its documentation for any purpose and
159d09a2SMark Phalan * without fee is hereby granted, provided that the above copyright
159d09a2SMark Phalan * notice appear in all copies and that both that copyright notice and
159d09a2SMark Phalan * this permission notice appear in supporting documentation, and that
159d09a2SMark Phalan * the name of M.I.T. not be used in advertising or publicity pertaining
159d09a2SMark Phalan * to distribution of the software without specific, written prior
159d09a2SMark Phalan * permission.  Furthermore if you modify this software you must label
159d09a2SMark Phalan * your software as modified software and not distribute it in such a
159d09a2SMark Phalan * fashion that it might be confused with the original M.I.T. software.
159d09a2SMark Phalan * M.I.T. makes no representations about the suitability of
159d09a2SMark Phalan * this software for any purpose.  It is provided "as is" without express
159d09a2SMark Phalan * or implied warranty.
159d09a2SMark Phalan *
159d09a2SMark Phalan */
159d09a2SMark Phalan
159d09a2SMark Phalan/*
159d09a2SMark Phalan * This file contains routines for establishing, verifying, and any other
*55fea89dSDan Cross * necessary functions, for utilizing the pre-authentication field of the
159d09a2SMark Phalan * kerberos kdc request, with various hardware/software verification devices.
159d09a2SMark Phalan */
159d09a2SMark Phalan
159d09a2SMark Phalan#include "k5-int.h"
159d09a2SMark Phalan#include <stdio.h>
159d09a2SMark Phalan#include <time.h>
159d09a2SMark Phalan
159d09a2SMark Phalanstatic krb5_error_code obtain_enc_ts_padata
159d09a2SMark Phalan	(krb5_context,
159d09a2SMark Phalan	 krb5_pa_data *,
159d09a2SMark Phalan	 krb5_etype_info,
159d09a2SMark Phalan	 krb5_keyblock *,
159d09a2SMark Phalan	 krb5_error_code ( * )(krb5_context,
159d09a2SMark Phalan			       const krb5_enctype,
159d09a2SMark Phalan			       krb5_data *,
159d09a2SMark Phalan			       krb5_const_pointer,
159d09a2SMark Phalan			       krb5_keyblock **),
159d09a2SMark Phalan	 krb5_const_pointer,
159d09a2SMark Phalan	 krb5_creds *,
159d09a2SMark Phalan	 krb5_kdc_req *,
159d09a2SMark Phalan	 krb5_pa_data **);
159d09a2SMark Phalan
159d09a2SMark Phalanstatic krb5_error_code process_pw_salt
159d09a2SMark Phalan	(krb5_context,
159d09a2SMark Phalan	 krb5_pa_data *,
159d09a2SMark Phalan	 krb5_kdc_req *,
159d09a2SMark Phalan	 krb5_kdc_rep *,
159d09a2SMark Phalan	 krb5_error_code ( * )(krb5_context,
159d09a2SMark Phalan			       const krb5_enctype,
159d09a2SMark Phalan			       krb5_data *,
159d09a2SMark Phalan			       krb5_const_pointer,
159d09a2SMark Phalan			       krb5_keyblock **),
159d09a2SMark Phalan	 krb5_const_pointer,
159d09a2SMark Phalan	 krb5_error_code ( * )(krb5_context,
159d09a2SMark Phalan			       const krb5_keyblock *,
159d09a2SMark Phalan			       krb5_const_pointer,
159d09a2SMark Phalan			       krb5_kdc_rep * ),
159d09a2SMark Phalan	 krb5_keyblock **,
159d09a2SMark Phalan	 krb5_creds *,
159d09a2SMark Phalan	 krb5_int32 *,
159d09a2SMark Phalan	 krb5_int32 *);
159d09a2SMark Phalan
159d09a2SMark Phalanstatic krb5_error_code obtain_sam_padata
159d09a2SMark Phalan	(krb5_context,
159d09a2SMark Phalan	 krb5_pa_data *,
159d09a2SMark Phalan	 krb5_etype_info,
*55fea89dSDan Cross	 krb5_keyblock *,
159d09a2SMark Phalan	 krb5_error_code ( * )(krb5_context,
159d09a2SMark Phalan			       const krb5_enctype,
159d09a2SMark Phalan			       krb5_data *,
159d09a2SMark Phalan			       krb5_const_pointer,
159d09a2SMark Phalan			       krb5_keyblock **),
159d09a2SMark Phalan	 krb5_const_pointer,
159d09a2SMark Phalan	 krb5_creds *,
159d09a2SMark Phalan	 krb5_kdc_req *,
159d09a2SMark Phalan	 krb5_pa_data **);
159d09a2SMark Phalan
159d09a2SMark Phalanstatic const krb5_preauth_ops preauth_systems[] = {
159d09a2SMark Phalan    {
159d09a2SMark Phalan	KV5M_PREAUTH_OPS,
159d09a2SMark Phalan	KRB5_PADATA_ENC_TIMESTAMP,
159d09a2SMark Phalan        0,
159d09a2SMark Phalan        obtain_enc_ts_padata,
159d09a2SMark Phalan        0,
159d09a2SMark Phalan    },
159d09a2SMark Phalan    {
159d09a2SMark Phalan	KV5M_PREAUTH_OPS,
159d09a2SMark Phalan	KRB5_PADATA_PW_SALT,
159d09a2SMark Phalan        0,
159d09a2SMark Phalan        0,
159d09a2SMark Phalan        process_pw_salt,
159d09a2SMark Phalan    },
159d09a2SMark Phalan    {
159d09a2SMark Phalan	KV5M_PREAUTH_OPS,
159d09a2SMark Phalan	KRB5_PADATA_AFS3_SALT,
159d09a2SMark Phalan        0,
159d09a2SMark Phalan        0,
159d09a2SMark Phalan        process_pw_salt,
159d09a2SMark Phalan    },
159d09a2SMark Phalan    {
159d09a2SMark Phalan	KV5M_PREAUTH_OPS,
159d09a2SMark Phalan	KRB5_PADATA_SAM_CHALLENGE,
159d09a2SMark Phalan        0,
159d09a2SMark Phalan        obtain_sam_padata,
159d09a2SMark Phalan        0,
159d09a2SMark Phalan    },
159d09a2SMark Phalan    { KV5M_PREAUTH_OPS, -1 }
159d09a2SMark Phalan};
159d09a2SMark Phalan
159d09a2SMark Phalanstatic krb5_error_code find_pa_system
159d09a2SMark Phalan    (krb5_preauthtype type, const krb5_preauth_ops **Preauth_proc);
159d09a2SMark Phalan
159d09a2SMark Phalan/* some typedef's for the function args to make things look a bit cleaner */
159d09a2SMark Phalan
159d09a2SMark Phalantypedef krb5_error_code (*git_key_proc) (krb5_context,
159d09a2SMark Phalan					 const krb5_enctype,
159d09a2SMark Phalan					 krb5_data *,
159d09a2SMark Phalan					 krb5_const_pointer,
159d09a2SMark Phalan					 krb5_keyblock **);
159d09a2SMark Phalan
159d09a2SMark Phalantypedef krb5_error_code (*git_decrypt_proc) (krb5_context,
159d09a2SMark Phalan					     const krb5_keyblock *,
159d09a2SMark Phalan					     krb5_const_pointer,
159d09a2SMark Phalan					     krb5_kdc_rep *);
159d09a2SMark Phalan
159d09a2SMark Phalankrb5_error_code krb5_obtain_padata(krb5_context context, krb5_pa_data **preauth_to_use, git_key_proc key_proc, krb5_const_pointer key_seed, krb5_creds *creds, krb5_kdc_req *request)
159d09a2SMark Phalan{
159d09a2SMark Phalan    krb5_error_code		retval;
159d09a2SMark Phalan    krb5_etype_info	    	etype_info = 0;
159d09a2SMark Phalan    krb5_pa_data **		pa;
159d09a2SMark Phalan    krb5_pa_data **		send_pa_list;
159d09a2SMark Phalan    krb5_pa_data **		send_pa;
159d09a2SMark Phalan    const krb5_preauth_ops	*ops;
159d09a2SMark Phalan    krb5_keyblock *		def_enc_key = 0;
159d09a2SMark Phalan    krb5_enctype 		enctype;
159d09a2SMark Phalan    krb5_data 			salt;
159d09a2SMark Phalan    krb5_data			scratch;
159d09a2SMark Phalan    int				size;
159d09a2SMark Phalan    int				f_salt = 0;
159d09a2SMark Phalan
159d09a2SMark Phalan    if (preauth_to_use == NULL)
159d09a2SMark Phalan	return 0;
159d09a2SMark Phalan
159d09a2SMark Phalan    for (pa = preauth_to_use, size=0; *pa; pa++, size++) {
159d09a2SMark Phalan	if ((*pa)->pa_type == KRB5_PADATA_ETYPE_INFO) {
159d09a2SMark Phalan	    /* XXX use the first one.  Is there another way to disambiguate? */
159d09a2SMark Phalan	    if (etype_info)
159d09a2SMark Phalan		continue;
159d09a2SMark Phalan
159d09a2SMark Phalan	    scratch.length = (*pa)->length;
159d09a2SMark Phalan	    scratch.data = (char *) (*pa)->contents;
159d09a2SMark Phalan	    retval = decode_krb5_etype_info(&scratch, &etype_info);
159d09a2SMark Phalan	    if (retval)
159d09a2SMark Phalan		return retval;
159d09a2SMark Phalan	    if (etype_info[0] == NULL) {
159d09a2SMark Phalan		krb5_free_etype_info(context, etype_info);
159d09a2SMark Phalan		etype_info = NULL;
159d09a2SMark Phalan	    }
159d09a2SMark Phalan	}
159d09a2SMark Phalan    }
159d09a2SMark Phalan
159d09a2SMark Phalan    if ((send_pa_list = malloc((size+1) * sizeof(krb5_pa_data *))) == NULL)
159d09a2SMark Phalan	return ENOMEM;
159d09a2SMark Phalan
159d09a2SMark Phalan    send_pa = send_pa_list;
159d09a2SMark Phalan    *send_pa = 0;
159d09a2SMark Phalan
159d09a2SMark Phalan    enctype = request->ktype[0];
159d09a2SMark Phalan    salt.data = 0;
159d09a2SMark Phalan    salt.length = SALT_TYPE_NO_LENGTH;
159d09a2SMark Phalan    if (etype_info) {
159d09a2SMark Phalan	enctype = etype_info[0]->etype;
159d09a2SMark Phalan	salt.data = (char *) etype_info[0]->salt;
*55fea89dSDan Cross	if(etype_info[0]->length == KRB5_ETYPE_NO_SALT)
159d09a2SMark Phalan	  salt.length = SALT_TYPE_NO_LENGTH; /* XXX */
*55fea89dSDan Cross	else
159d09a2SMark Phalan	  salt.length = etype_info[0]->length;
159d09a2SMark Phalan    }
159d09a2SMark Phalan    if (salt.length == SALT_TYPE_NO_LENGTH) {
159d09a2SMark Phalan        /*
*55fea89dSDan Cross	 * This will set the salt length
159d09a2SMark Phalan	 */
159d09a2SMark Phalan	if ((retval = krb5_principal2salt(context, request->client, &salt)))
159d09a2SMark Phalan	    return(retval);
159d09a2SMark Phalan	f_salt = 1;
159d09a2SMark Phalan    }
*55fea89dSDan Cross
159d09a2SMark Phalan    if ((retval = (*key_proc)(context, enctype, &salt, key_seed,
159d09a2SMark Phalan			      &def_enc_key)))
159d09a2SMark Phalan	goto cleanup;
*55fea89dSDan Cross
159d09a2SMark Phalan
159d09a2SMark Phalan    for (pa = preauth_to_use; *pa; pa++) {
159d09a2SMark Phalan	if (find_pa_system((*pa)->pa_type, &ops))
159d09a2SMark Phalan	    continue;
159d09a2SMark Phalan
159d09a2SMark Phalan	if (ops->obtain == 0)
159d09a2SMark Phalan	    continue;
*55fea89dSDan Cross
159d09a2SMark Phalan	retval = ((ops)->obtain)(context, *pa, etype_info, def_enc_key,
159d09a2SMark Phalan				 key_proc, key_seed, creds,
159d09a2SMark Phalan				 request, send_pa);
159d09a2SMark Phalan	if (retval)
159d09a2SMark Phalan	    goto cleanup;
159d09a2SMark Phalan
159d09a2SMark Phalan	if (*send_pa)
159d09a2SMark Phalan	    send_pa++;
159d09a2SMark Phalan	*send_pa = 0;
159d09a2SMark Phalan    }
159d09a2SMark Phalan
159d09a2SMark Phalan    retval = 0;
159d09a2SMark Phalan
159d09a2SMark Phalan    if (send_pa_list[0]) {
159d09a2SMark Phalan	request->padata = send_pa_list;
159d09a2SMark Phalan	send_pa_list = 0;
159d09a2SMark Phalan    }
159d09a2SMark Phalan
159d09a2SMark Phalancleanup:
159d09a2SMark Phalan    if (etype_info)
159d09a2SMark Phalan	krb5_free_etype_info(context, etype_info);
159d09a2SMark Phalan    if (f_salt)
159d09a2SMark Phalan	krb5_xfree(salt.data);
159d09a2SMark Phalan    if (send_pa_list)
159d09a2SMark Phalan	krb5_free_pa_data(context, send_pa_list);
159d09a2SMark Phalan    if (def_enc_key)
159d09a2SMark Phalan	krb5_free_keyblock(context, def_enc_key);
159d09a2SMark Phalan    return retval;
*55fea89dSDan Cross
159d09a2SMark Phalan}
159d09a2SMark Phalan
159d09a2SMark Phalankrb5_error_code
159d09a2SMark Phalankrb5_process_padata(krb5_context context, krb5_kdc_req *request, krb5_kdc_rep *as_reply, git_key_proc key_proc, krb5_const_pointer keyseed, git_decrypt_proc decrypt_proc, krb5_keyblock **decrypt_key, krb5_creds *creds, krb5_int32 *do_more)
159d09a2SMark Phalan{
159d09a2SMark Phalan    krb5_error_code		retval = 0;
159d09a2SMark Phalan    const krb5_preauth_ops * 	ops;
159d09a2SMark Phalan    krb5_pa_data **		pa;
159d09a2SMark Phalan    krb5_int32			done = 0;
*55fea89dSDan Cross
159d09a2SMark Phalan    *do_more = 0;		/* By default, we don't need to repeat... */
159d09a2SMark Phalan    if (as_reply->padata == 0)
159d09a2SMark Phalan	return 0;
159d09a2SMark Phalan
159d09a2SMark Phalan    for (pa = as_reply->padata; *pa; pa++) {
159d09a2SMark Phalan	if (find_pa_system((*pa)->pa_type, &ops))
159d09a2SMark Phalan	    continue;
159d09a2SMark Phalan
159d09a2SMark Phalan	if (ops->process == 0)
159d09a2SMark Phalan	    continue;
*55fea89dSDan Cross
159d09a2SMark Phalan	retval = ((ops)->process)(context, *pa, request, as_reply,
159d09a2SMark Phalan				  key_proc, keyseed, decrypt_proc,
159d09a2SMark Phalan				  decrypt_key, creds, do_more, &done);
159d09a2SMark Phalan	if (retval)
159d09a2SMark Phalan	    goto cleanup;
159d09a2SMark Phalan	if (done)
159d09a2SMark Phalan	    break;
159d09a2SMark Phalan    }
159d09a2SMark Phalan
159d09a2SMark Phalancleanup:
159d09a2SMark Phalan    return retval;
159d09a2SMark Phalan}
159d09a2SMark Phalan
159d09a2SMark Phalan/*
159d09a2SMark Phalan * This routine is the "obtain" function for the ENC_TIMESTAMP
159d09a2SMark Phalan * preauthentication type.  It take the current time and encrypts it
159d09a2SMark Phalan * in the user's key.
159d09a2SMark Phalan */
159d09a2SMark Phalanstatic krb5_error_code
159d09a2SMark Phalanobtain_enc_ts_padata(krb5_context context, krb5_pa_data *in_padata, krb5_etype_info etype_info, krb5_keyblock *def_enc_key, git_key_proc key_proc, krb5_const_pointer key_seed, krb5_creds *creds, krb5_kdc_req *request, krb5_pa_data **out_padata)
159d09a2SMark Phalan{
159d09a2SMark Phalan    krb5_pa_enc_ts		pa_enc;
159d09a2SMark Phalan    krb5_error_code		retval;
159d09a2SMark Phalan    krb5_data *			scratch;
159d09a2SMark Phalan    krb5_enc_data 		enc_data;
159d09a2SMark Phalan    krb5_pa_data *		pa;
159d09a2SMark Phalan
159d09a2SMark Phalan    retval = krb5_us_timeofday(context, &pa_enc.patimestamp, &pa_enc.pausec);
159d09a2SMark Phalan    if (retval)
159d09a2SMark Phalan	return retval;
159d09a2SMark Phalan
159d09a2SMark Phalan    if ((retval = encode_krb5_pa_enc_ts(&pa_enc, &scratch)) != 0)
159d09a2SMark Phalan	return retval;
159d09a2SMark Phalan
159d09a2SMark Phalan    enc_data.ciphertext.data = 0;
159d09a2SMark Phalan
159d09a2SMark Phalan    if ((retval = krb5_encrypt_helper(context, def_enc_key,
159d09a2SMark Phalan				      KRB5_KEYUSAGE_AS_REQ_PA_ENC_TS,
159d09a2SMark Phalan				      scratch, &enc_data)))
159d09a2SMark Phalan	goto cleanup;
159d09a2SMark Phalan
159d09a2SMark Phalan    krb5_free_data(context, scratch);
159d09a2SMark Phalan    scratch = 0;
*55fea89dSDan Cross
159d09a2SMark Phalan    if ((retval = encode_krb5_enc_data(&enc_data, &scratch)) != 0)
159d09a2SMark Phalan	goto cleanup;
159d09a2SMark Phalan
159d09a2SMark Phalan    if ((pa = malloc(sizeof(krb5_pa_data))) == NULL) {
159d09a2SMark Phalan	retval = ENOMEM;
159d09a2SMark Phalan	goto cleanup;
159d09a2SMark Phalan    }
159d09a2SMark Phalan
159d09a2SMark Phalan    pa->magic = KV5M_PA_DATA;
159d09a2SMark Phalan    pa->pa_type = KRB5_PADATA_ENC_TIMESTAMP;
159d09a2SMark Phalan    pa->length = scratch->length;
159d09a2SMark Phalan    pa->contents = (krb5_octet *) scratch->data;
159d09a2SMark Phalan
159d09a2SMark Phalan    *out_padata = pa;
159d09a2SMark Phalan
159d09a2SMark Phalan    krb5_xfree(scratch);
159d09a2SMark Phalan    scratch = 0;
159d09a2SMark Phalan
159d09a2SMark Phalan    retval = 0;
*55fea89dSDan Cross
159d09a2SMark Phalancleanup:
159d09a2SMark Phalan    if (scratch)
159d09a2SMark Phalan	krb5_free_data(context, scratch);
159d09a2SMark Phalan    if (enc_data.ciphertext.data)
159d09a2SMark Phalan	krb5_xfree(enc_data.ciphertext.data);
159d09a2SMark Phalan    return retval;
159d09a2SMark Phalan}
159d09a2SMark Phalan
159d09a2SMark Phalanstatic krb5_error_code
159d09a2SMark Phalanprocess_pw_salt(krb5_context context, krb5_pa_data *padata, krb5_kdc_req *request, krb5_kdc_rep *as_reply, git_key_proc key_proc, krb5_const_pointer keyseed, git_decrypt_proc decrypt_proc, krb5_keyblock **decrypt_key, krb5_creds *creds, krb5_int32 *do_more, krb5_int32 *done)
159d09a2SMark Phalan{
159d09a2SMark Phalan    krb5_error_code	retval;
159d09a2SMark Phalan    krb5_data		salt;
*55fea89dSDan Cross
159d09a2SMark Phalan    if (*decrypt_key != 0)
159d09a2SMark Phalan	return 0;
159d09a2SMark Phalan
159d09a2SMark Phalan    salt.data = (char *) padata->contents;
*55fea89dSDan Cross    salt.length =
159d09a2SMark Phalan      (padata->pa_type == KRB5_PADATA_AFS3_SALT)?(SALT_TYPE_AFS_LENGTH):(padata->length);
*55fea89dSDan Cross
159d09a2SMark Phalan    if ((retval = (*key_proc)(context, as_reply->enc_part.enctype,
159d09a2SMark Phalan			      &salt, keyseed, decrypt_key))) {
159d09a2SMark Phalan	*decrypt_key = 0;
159d09a2SMark Phalan	return retval;
159d09a2SMark Phalan    }
159d09a2SMark Phalan
159d09a2SMark Phalan    return 0;
159d09a2SMark Phalan}
*55fea89dSDan Cross
159d09a2SMark Phalanstatic krb5_error_code
159d09a2SMark Phalanfind_pa_system(krb5_preauthtype type, const krb5_preauth_ops **preauth)
159d09a2SMark Phalan{
159d09a2SMark Phalan    const krb5_preauth_ops *ap = preauth_systems;
*55fea89dSDan Cross
159d09a2SMark Phalan    while ((ap->type != -1) && (ap->type != type))
159d09a2SMark Phalan	ap++;
159d09a2SMark Phalan    if (ap->type == -1)
159d09a2SMark Phalan	return(KRB5_PREAUTH_BAD_TYPE);
159d09a2SMark Phalan    *preauth = ap;
159d09a2SMark Phalan    return 0;
*55fea89dSDan Cross}
159d09a2SMark Phalan
159d09a2SMark Phalan
159d09a2SMark Phalanextern const char *krb5_default_pwd_prompt1;
159d09a2SMark Phalan
159d09a2SMark Phalanstatic krb5_error_code
159d09a2SMark Phalansam_get_pass_from_user(krb5_context context, krb5_etype_info etype_info, git_key_proc key_proc, krb5_const_pointer key_seed, krb5_kdc_req *request, krb5_keyblock **new_enc_key, const char *prompt)
159d09a2SMark Phalan{
159d09a2SMark Phalan    krb5_enctype 		enctype;
159d09a2SMark Phalan    krb5_error_code		retval;
159d09a2SMark Phalan    const char *oldprompt;
159d09a2SMark Phalan
159d09a2SMark Phalan    /* enctype = request->ktype[0]; */
159d09a2SMark Phalan    enctype = ENCTYPE_DES_CBC_MD5;
159d09a2SMark Phalan/* hack with this first! */
159d09a2SMark Phalan    oldprompt = krb5_default_pwd_prompt1;
159d09a2SMark Phalan    krb5_default_pwd_prompt1 = prompt;
159d09a2SMark Phalan    {
159d09a2SMark Phalan      krb5_data newpw;
159d09a2SMark Phalan      newpw.data = 0; newpw.length = 0;
159d09a2SMark Phalan      /* we don't keep the new password, just the key... */
*55fea89dSDan Cross      retval = (*key_proc)(context, enctype, 0,
159d09a2SMark Phalan			   (krb5_const_pointer)&newpw, new_enc_key);
159d09a2SMark Phalan      krb5_xfree(newpw.data);
159d09a2SMark Phalan    }
159d09a2SMark Phalan    krb5_default_pwd_prompt1 = oldprompt;
159d09a2SMark Phalan    return retval;
159d09a2SMark Phalan}
*55fea89dSDan Crossstatic
159d09a2SMark Phalanchar *handle_sam_labels(krb5_sam_challenge *sc)
159d09a2SMark Phalan{
159d09a2SMark Phalan    char *label = sc->sam_challenge_label.data;
159d09a2SMark Phalan    unsigned int label_len = sc->sam_challenge_label.length;
159d09a2SMark Phalan    char *prompt = sc->sam_response_prompt.data;
159d09a2SMark Phalan    unsigned int prompt_len = sc->sam_response_prompt.length;
159d09a2SMark Phalan    char *challenge = sc->sam_challenge.data;
159d09a2SMark Phalan    unsigned int challenge_len = sc->sam_challenge.length;
159d09a2SMark Phalan    char *prompt1, *p;
159d09a2SMark Phalan    char *sep1 = ": [";
159d09a2SMark Phalan    char *sep2 = "]\n";
159d09a2SMark Phalan    char *sep3 = ": ";
159d09a2SMark Phalan
159d09a2SMark Phalan    if (sc->sam_cksum.length == 0) {
159d09a2SMark Phalan      /* or invalid -- but lets just handle presence now XXX */
159d09a2SMark Phalan      switch (sc->sam_type) {
159d09a2SMark Phalan      case PA_SAM_TYPE_ENIGMA:	/* Enigma Logic */
159d09a2SMark Phalan	label = "Challenge for Enigma Logic mechanism";
159d09a2SMark Phalan	break;
159d09a2SMark Phalan      case PA_SAM_TYPE_DIGI_PATH: /*  Digital Pathways */
159d09a2SMark Phalan      case PA_SAM_TYPE_DIGI_PATH_HEX: /*  Digital Pathways */
159d09a2SMark Phalan	label = "Challenge for Digital Pathways mechanism";
159d09a2SMark Phalan	break;
159d09a2SMark Phalan      case PA_SAM_TYPE_ACTIVCARD_DEC: /*  Digital Pathways */
159d09a2SMark Phalan      case PA_SAM_TYPE_ACTIVCARD_HEX: /*  Digital Pathways */
159d09a2SMark Phalan	label = "Challenge for Activcard mechanism";
159d09a2SMark Phalan	break;
159d09a2SMark Phalan      case PA_SAM_TYPE_SKEY_K0:	/*  S/key where  KDC has key 0 */
159d09a2SMark Phalan	label = "Challenge for Enhanced S/Key mechanism";
159d09a2SMark Phalan	break;
159d09a2SMark Phalan      case PA_SAM_TYPE_SKEY:	/*  Traditional S/Key */
159d09a2SMark Phalan	label = "Challenge for Traditional S/Key mechanism";
159d09a2SMark Phalan	break;
159d09a2SMark Phalan      case PA_SAM_TYPE_SECURID:	/*  Security Dynamics */
159d09a2SMark Phalan	label = "Challenge for Security Dynamics mechanism";
159d09a2SMark Phalan	break;
159d09a2SMark Phalan      case PA_SAM_TYPE_SECURID_PREDICT:	/* predictive Security Dynamics */
159d09a2SMark Phalan	label = "Challenge for Security Dynamics mechanism";
159d09a2SMark Phalan	break;
159d09a2SMark Phalan      }
159d09a2SMark Phalan      prompt = "Passcode";
159d09a2SMark Phalan      label_len = strlen(label);
159d09a2SMark Phalan      prompt_len = strlen(prompt);
159d09a2SMark Phalan    }
159d09a2SMark Phalan
159d09a2SMark Phalan    /* example:
159d09a2SMark Phalan       Challenge for Digital Pathways mechanism: [134591]
*55fea89dSDan Cross       Passcode:
159d09a2SMark Phalan     */
159d09a2SMark Phalan    p = prompt1 = malloc(label_len + strlen(sep1) +
159d09a2SMark Phalan			 challenge_len + strlen(sep2) +
159d09a2SMark Phalan			 prompt_len+ strlen(sep3) + 1);
159d09a2SMark Phalan    if (p == NULL)
159d09a2SMark Phalan	return NULL;
159d09a2SMark Phalan    if (challenge_len) {
159d09a2SMark Phalan	strncpy(p, label, label_len); p += label_len;
159d09a2SMark Phalan	strcpy(p, sep1); p += strlen(sep1);
159d09a2SMark Phalan	strncpy(p, challenge, challenge_len); p += challenge_len;
159d09a2SMark Phalan	strcpy(p, sep2); p += strlen(sep2);
159d09a2SMark Phalan    }
159d09a2SMark Phalan    strncpy(p, prompt, prompt_len); p += prompt_len;
159d09a2SMark Phalan    strcpy(p, sep3); /* p += strlen(sep3); */
159d09a2SMark Phalan    return prompt1;
159d09a2SMark Phalan}
159d09a2SMark Phalan
159d09a2SMark Phalan/*
159d09a2SMark Phalan * This routine is the "obtain" function for the SAM_CHALLENGE
159d09a2SMark Phalan * preauthentication type.  It presents the challenge...
159d09a2SMark Phalan */
159d09a2SMark Phalanstatic krb5_error_code
159d09a2SMark Phalanobtain_sam_padata(krb5_context context, krb5_pa_data *in_padata, krb5_etype_info etype_info, krb5_keyblock *def_enc_key, git_key_proc key_proc, krb5_const_pointer key_seed, krb5_creds *creds, krb5_kdc_req *request, krb5_pa_data **out_padata)
159d09a2SMark Phalan{
159d09a2SMark Phalan    krb5_error_code		retval;
159d09a2SMark Phalan    krb5_data *			scratch;
159d09a2SMark Phalan    krb5_data			tmpsam;
159d09a2SMark Phalan    krb5_pa_data *		pa;
159d09a2SMark Phalan    krb5_sam_challenge		*sam_challenge = 0;
159d09a2SMark Phalan    krb5_sam_response		sam_response;
159d09a2SMark Phalan    /* these two get encrypted and stuffed in to sam_response */
159d09a2SMark Phalan    krb5_enc_sam_response_enc	enc_sam_response_enc;
159d09a2SMark Phalan    krb5_keyblock *		sam_use_key = 0;
159d09a2SMark Phalan    char * prompt;
159d09a2SMark Phalan
159d09a2SMark Phalan    tmpsam.length = in_padata->length;
159d09a2SMark Phalan    tmpsam.data = (char *) in_padata->contents;
159d09a2SMark Phalan    retval = decode_krb5_sam_challenge(&tmpsam, &sam_challenge);
159d09a2SMark Phalan    if (retval)
159d09a2SMark Phalan      return retval;
159d09a2SMark Phalan
159d09a2SMark Phalan    if (sam_challenge->sam_flags & KRB5_SAM_MUST_PK_ENCRYPT_SAD) {
159d09a2SMark Phalan      return KRB5_SAM_UNSUPPORTED;
159d09a2SMark Phalan    }
159d09a2SMark Phalan
159d09a2SMark Phalan    enc_sam_response_enc.sam_nonce = sam_challenge->sam_nonce;
159d09a2SMark Phalan    if (!sam_challenge->sam_nonce) {
159d09a2SMark Phalan      retval = krb5_us_timeofday(context,
159d09a2SMark Phalan                                 &enc_sam_response_enc.sam_timestamp,
159d09a2SMark Phalan                                 &enc_sam_response_enc.sam_usec);
159d09a2SMark Phalan      sam_response.sam_patimestamp = enc_sam_response_enc.sam_timestamp;
159d09a2SMark Phalan    }
159d09a2SMark Phalan    if (retval)
159d09a2SMark Phalan      return retval;
159d09a2SMark Phalan    if (sam_challenge->sam_flags & KRB5_SAM_SEND_ENCRYPTED_SAD) {
159d09a2SMark Phalan      /* encrypt passcode in key by stuffing it here */
159d09a2SMark Phalan      unsigned int pcsize = 256;
159d09a2SMark Phalan      char *passcode = malloc(pcsize+1);
159d09a2SMark Phalan      if (passcode == NULL)
159d09a2SMark Phalan	return ENOMEM;
159d09a2SMark Phalan      prompt = handle_sam_labels(sam_challenge);
159d09a2SMark Phalan      if (prompt == NULL) {
159d09a2SMark Phalan	free(passcode);
159d09a2SMark Phalan	return ENOMEM;
159d09a2SMark Phalan      }
159d09a2SMark Phalan      retval = krb5_read_password(context, prompt, 0, passcode, &pcsize);
159d09a2SMark Phalan      free(prompt);
159d09a2SMark Phalan
159d09a2SMark Phalan      if (retval) {
159d09a2SMark Phalan	free(passcode);
159d09a2SMark Phalan	return retval;
159d09a2SMark Phalan      }
159d09a2SMark Phalan      enc_sam_response_enc.sam_sad.data = passcode;
159d09a2SMark Phalan      enc_sam_response_enc.sam_sad.length = pcsize;
159d09a2SMark Phalan    } else if (sam_challenge->sam_flags & KRB5_SAM_USE_SAD_AS_KEY) {
159d09a2SMark Phalan      prompt = handle_sam_labels(sam_challenge);
159d09a2SMark Phalan      if (prompt == NULL)
159d09a2SMark Phalan	return ENOMEM;
*55fea89dSDan Cross      retval = sam_get_pass_from_user(context, etype_info, key_proc,
159d09a2SMark Phalan				      key_seed, request, &sam_use_key,
159d09a2SMark Phalan				      prompt);
159d09a2SMark Phalan      free(prompt);
159d09a2SMark Phalan      if (retval)
*55fea89dSDan Cross	return retval;
159d09a2SMark Phalan      enc_sam_response_enc.sam_sad.length = 0;
159d09a2SMark Phalan    } else {
159d09a2SMark Phalan      /* what *was* it? */
159d09a2SMark Phalan      return KRB5_SAM_UNSUPPORTED;
159d09a2SMark Phalan    }
159d09a2SMark Phalan
159d09a2SMark Phalan    /* so at this point, either sam_use_key is generated from the passcode
*55fea89dSDan Cross     * or enc_sam_response_enc.sam_sad is set to it, and we use
159d09a2SMark Phalan     * def_enc_key instead. */
159d09a2SMark Phalan    /* encode the encoded part of the response */
159d09a2SMark Phalan    if ((retval = encode_krb5_enc_sam_response_enc(&enc_sam_response_enc,
159d09a2SMark Phalan						   &scratch)) != 0)
159d09a2SMark Phalan      return retval;
159d09a2SMark Phalan
*55fea89dSDan Cross    if ((retval = krb5_encrypt_data(context,
*55fea89dSDan Cross				    sam_use_key?sam_use_key:def_enc_key,
159d09a2SMark Phalan				    0, scratch,
159d09a2SMark Phalan				    &sam_response.sam_enc_nonce_or_ts)))
159d09a2SMark Phalan      goto cleanup;
159d09a2SMark Phalan
159d09a2SMark Phalan    krb5_free_data(context, scratch);
159d09a2SMark Phalan    scratch = 0;
159d09a2SMark Phalan
159d09a2SMark Phalan    /* sam_enc_key is reserved for future use */
159d09a2SMark Phalan    sam_response.sam_enc_key.ciphertext.length = 0;
159d09a2SMark Phalan
159d09a2SMark Phalan    /* copy things from the challenge */
159d09a2SMark Phalan    sam_response.sam_nonce = sam_challenge->sam_nonce;
159d09a2SMark Phalan    sam_response.sam_flags = sam_challenge->sam_flags;
159d09a2SMark Phalan    sam_response.sam_track_id = sam_challenge->sam_track_id;
159d09a2SMark Phalan    sam_response.sam_type = sam_challenge->sam_type;
159d09a2SMark Phalan    sam_response.magic = KV5M_SAM_RESPONSE;
159d09a2SMark Phalan
159d09a2SMark Phalan    if ((retval = encode_krb5_sam_response(&sam_response, &scratch)) != 0)
159d09a2SMark Phalan	return retval;
*55fea89dSDan Cross
159d09a2SMark Phalan    if ((pa = malloc(sizeof(krb5_pa_data))) == NULL) {
159d09a2SMark Phalan	retval = ENOMEM;
159d09a2SMark Phalan	goto cleanup;
159d09a2SMark Phalan    }
159d09a2SMark Phalan
159d09a2SMark Phalan    pa->magic = KV5M_PA_DATA;
159d09a2SMark Phalan    pa->pa_type = KRB5_PADATA_SAM_RESPONSE;
159d09a2SMark Phalan    pa->length = scratch->length;
159d09a2SMark Phalan    pa->contents = (krb5_octet *) scratch->data;
159d09a2SMark Phalan    scratch = 0;		/* so we don't free it! */
159d09a2SMark Phalan
159d09a2SMark Phalan    *out_padata = pa;
159d09a2SMark Phalan
159d09a2SMark Phalan    retval = 0;
*55fea89dSDan Cross
159d09a2SMark Phalancleanup:
159d09a2SMark Phalan    if (scratch)
159d09a2SMark Phalan	krb5_free_data(context, scratch);
159d09a2SMark Phalan    if (sam_challenge)
159d09a2SMark Phalan        krb5_xfree(sam_challenge);
159d09a2SMark Phalan    return retval;
159d09a2SMark Phalan}