/**
* shishi_encapreppart_time_copy:
* @handle: shishi handle as allocated by shishi_init().
* @encapreppart: EncAPRepPart as allocated by shishi_encapreppart().
* @authenticator: Authenticator to copy time fields from.
*
* Copy time fields from Authenticator into EncAPRepPart.
*
* Return value: Returns SHISHI_OK iff successful.
**/
int
shishi_encapreppart_time_copy (Shishi * handle,
Shishi_asn1 encapreppart,
Shishi_asn1 authenticator)
{
char *buf;
size_t buflen;
int res;
res = shishi_asn1_read (handle, authenticator, "cusec", &buf, &buflen);
if (res != SHISHI_OK)
return res;
res = shishi_asn1_write (handle, encapreppart, "cusec", buf, buflen);
free (buf);
if (res != SHISHI_OK)
return res;
res = shishi_asn1_read (handle, authenticator, "ctime", &buf, &buflen);
if (res != SHISHI_OK)
return res;
res = shishi_asn1_write (handle, encapreppart, "ctime", buf, buflen);
free (buf);
if (res != SHISHI_OK)
return res;
return SHISHI_OK;
}
/**
* shishi_apreq_set_authenticator:
* @handle: shishi handle as allocated by shishi_init().
* @apreq: AP-REQ to add authenticator field to.
* @etype: encryption type used to encrypt authenticator.
* @kvno: version of the key used to encrypt authenticator.
* @buf: input array with encrypted authenticator.
* @buflen: size of input array with encrypted authenticator.
*
* Set the encrypted authenticator field in the AP-REP. The encrypted
* data is usually created by calling shishi_encrypt() on the DER
* encoded authenticator. To save time, you may want to use
* shishi_apreq_add_authenticator() instead, which calculates the
* encrypted data and calls this function in one step.
*
* Return value: Returns SHISHI_OK on success.
**/
int
shishi_apreq_set_authenticator (Shishi * handle,
Shishi_asn1 apreq,
int32_t etype, uint32_t kvno,
const char *buf, size_t buflen)
{
int res;
res = shishi_asn1_write (handle, apreq, "authenticator.cipher",
buf, buflen);
if (res != SHISHI_OK)
return res;
if (kvno == UINT32_MAX)
res = shishi_asn1_write (handle, apreq, "authenticator.kvno", NULL, 0);
else
res = shishi_asn1_write_int32 (handle, apreq, "authenticator.kvno", kvno);
if (res != SHISHI_OK)
return res;
res = shishi_asn1_write_int32 (handle, apreq, "authenticator.etype", etype);
if (res != SHISHI_OK)
return res;
return SHISHI_OK;
}
/**
* shishi_kdcreq_add_padata:
* @handle: shishi handle as allocated by shishi_init().
* @kdcreq: KDC-REQ to add PA-DATA to.
* @padatatype: type of PA-DATA, see Shishi_padata_type.
* @data: input array with PA-DATA value.
* @datalen: size of input array with PA-DATA value.
*
* Add new pre authentication data (PA-DATA) to KDC-REQ. This is used
* to pass various information to KDC, such as in case of a
* SHISHI_PA_TGS_REQ padatatype the AP-REQ that authenticates the user
* to get the ticket. (But also see shishi_kdcreq_add_padata_tgs()
* which takes an AP-REQ directly.)
*
* Return value: Returns SHISHI_OK iff successful.
**/
int
shishi_kdcreq_add_padata (Shishi * handle,
Shishi_asn1 kdcreq,
int padatatype, const char *data, size_t datalen)
{
char *format;
int res;
size_t i;
res = shishi_asn1_write (handle, kdcreq, "padata", "NEW", 1);
if (res != SHISHI_OK)
return res;
res = shishi_asn1_number_of_elements (handle, kdcreq, "padata", &i);
if (res != SHISHI_OK)
return res;
asprintf (&format, "padata.?%zu.padata-value", i);
res = shishi_asn1_write (handle, kdcreq, format, data, datalen);
free (format);
if (res != SHISHI_OK)
return res;
asprintf (&format, "padata.?%zu.padata-type", i);
res = shishi_asn1_write_uint32 (handle, kdcreq, format, padatatype);
free (format);
if (res != SHISHI_OK)
return res;
return SHISHI_OK;
}
/**
* shishi_encapreppart:
* @handle: shishi handle as allocated by shishi_init().
*
* This function creates a new EncAPRepPart, populated with some
* default values. It uses the current time as returned by the system
* for the ctime and cusec fields.
*
* Return value: Returns the encapreppart or NULL on failure.
**/
Shishi_asn1
shishi_encapreppart (Shishi * handle)
{
int res;
Shishi_asn1 node = NULL;
struct timeval tv;
uint32_t seqnr;
res = gettimeofday (&tv, NULL);
if (res)
return NULL;
node = shishi_asn1_encapreppart (handle);
if (!node)
return NULL;
res = shishi_asn1_write (handle, node, "ctime",
shishi_generalize_time (handle, time (NULL)), 0);
if (res != SHISHI_OK)
goto error;
res = shishi_encapreppart_cusec_set (handle, node, tv.tv_usec % 1000000);
if (res != SHISHI_OK)
goto error;
res = shishi_asn1_write (handle, node, "subkey", NULL, 0);
if (res != SHISHI_OK)
goto error;
/*
* For sequence numbers to adequately support the detection of
* replays they SHOULD be non-repeating, even across connection
* boundaries. The initial sequence number SHOULD be random and
* uniformly distributed across the full space of possible sequence
* numbers, so that it cannot be guessed by an attacker and so that
* it and the successive sequence numbers do not repeat other
* sequences.
*/
shishi_randomize (handle, 0, &seqnr, sizeof (seqnr));
/*
* Implementation note: as noted before, some implementations omit
* the optional sequence number when its value would be zero.
* Implementations MAY accept an omitted sequence number when
* expecting a value of zero, and SHOULD NOT transmit an
* Authenticator with a initial sequence number of zero.
*/
if (seqnr == 0)
seqnr++;
res = shishi_encapreppart_seqnumber_set (handle, node, seqnr);
if (res != SHISHI_OK)
goto error;
return node;
error:
shishi_asn1_done (handle, node);
return NULL;
}
/**
* shishi_kdcreq_set_etype:
* @handle: shishi handle as allocated by shishi_init().
* @kdcreq: KDC-REQ variable to set etype field in.
* @etype: input array with encryption types.
* @netype: number of elements in input array with encryption types.
*
* Set the list of supported or wanted encryption types in the
* request. The list should be sorted in priority order.
*
* Return value: Returns SHISHI_OK iff successful.
**/
int
shishi_kdcreq_set_etype (Shishi * handle,
Shishi_asn1 kdcreq, int32_t * etype, int netype)
{
int res;
char *buf;
int i;
res = shishi_asn1_write (handle, kdcreq, "req-body.etype", NULL, 0);
if (res != SHISHI_OK)
return res;
for (i = 1; i <= netype; i++)
{
res = shishi_asn1_write (handle, kdcreq, "req-body.etype", "NEW", 1);
if (res != SHISHI_OK)
return res;
asprintf (&buf, "req-body.etype.?%d", i);
res = shishi_asn1_write_int32 (handle, kdcreq, buf, etype[i - 1]);
free (buf);
if (res != SHISHI_OK)
return res;
}
return SHISHI_OK;
}
int
shishi_kdcreq_build (Shishi * handle, Shishi_asn1 kdcreq)
{
int res;
size_t n;
int msgtype;
shishi_verbose (handle, "Building KDC-REQ...");
if (shishi_asn1_empty_p (handle, kdcreq, "req-body.rtime"))
{
res = shishi_asn1_write (handle, kdcreq, "req-body.rtime", NULL, 0);
if (res != SHISHI_OK)
{
shishi_error_printf (handle, "Could not write rtime\n");
return res;
}
}
if (shishi_asn1_empty_p (handle, kdcreq, "req-body.from"))
{
res = shishi_asn1_write (handle, kdcreq, "req-body.from", NULL, 0);
if (res != SHISHI_OK)
{
shishi_error_printf (handle, "Could not write from\n");
return res;
}
}
res = shishi_asn1_read_integer (handle, kdcreq, "msg-type", &msgtype);
if (res != SHISHI_OK)
return res;
if (msgtype == SHISHI_MSGTYPE_AS_REQ)
{
res = shishi_asn1_number_of_elements (handle, kdcreq, "padata", &n);
if (res == SHISHI_OK && n == 0)
{
res = shishi_kdcreq_clear_padata (handle, kdcreq);
if (res != SHISHI_OK)
{
shishi_error_printf (handle, "Could not write padata\n");
return res;
}
}
}
return SHISHI_OK;
}
Shishi_asn1
shishi_encticketpart (Shishi * handle)
{
Shishi_asn1 node;
int res;
node = shishi_asn1_encticketpart (handle);
res = shishi_asn1_write (handle, node, "starttime", NULL, 0);
if (res != SHISHI_OK)
{
shishi_asn1_done (handle, node);
return NULL;
}
res = shishi_asn1_write (handle, node, "renew-till", NULL, 0);
if (res != SHISHI_OK)
{
shishi_asn1_done (handle, node);
return NULL;
}
res = shishi_asn1_write (handle, node, "caddr", NULL, 0);
if (res != SHISHI_OK)
{
shishi_asn1_done (handle, node);
return NULL;
}
res = shishi_asn1_write (handle, node, "authorization-data", NULL, 0);
if (res != SHISHI_OK)
{
shishi_asn1_done (handle, node);
return NULL;
}
res = shishi_encticketpart_flags_set (handle, node, 0);
if (res != SHISHI_OK)
{
shishi_asn1_done (handle, node);
return NULL;
}
return node;
}
/**
* shishi_kdcreq_clear_padata:
* @handle: shishi handle as allocated by shishi_init().
* @kdcreq: KDC-REQ to remove PA-DATA from.
*
* Remove the padata field from KDC-REQ.
*
* Return value: Returns SHISHI_OK iff successful.
**/
int
shishi_kdcreq_clear_padata (Shishi * handle, Shishi_asn1 kdcreq)
{
int res;
res = shishi_asn1_write (handle, kdcreq, "padata", NULL, 0);
if (res != SHISHI_OK)
return res;
return SHISHI_OK;
}
/**
* shishi_authenticator_remove_subkey:
* @handle: shishi handle as allocated by shishi_init().
* @authenticator: authenticator as allocated by shishi_authenticator().
*
* Remove subkey from the authenticator.
*
* Return value: Returns SHISHI_OK iff successful.
**/
int
shishi_authenticator_remove_subkey (Shishi * handle,
Shishi_asn1 authenticator)
{
int res;
res = shishi_asn1_write (handle, authenticator, "subkey", NULL, 0);
if (res != SHISHI_OK)
return res;
return SHISHI_OK;
}
/**
* shishi_encticketpart_crealm_set:
* @handle: shishi handle as allocated by shishi_init().
* @encticketpart: input EncTicketPart variable.
* @realm: input array with name of realm.
*
* Set the realm field in the KDC-REQ.
*
* Return value: Returns SHISHI_OK iff successful.
**/
int
shishi_encticketpart_crealm_set (Shishi * handle,
Shishi_asn1 encticketpart, const char *realm)
{
int res;
res = shishi_asn1_write (handle, encticketpart, "crealm", realm, 0);
if (res != SHISHI_OK)
return res;
return SHISHI_OK;
}
/**
* shishi_authenticator_seqnumber_remove:
* @handle: shishi handle as allocated by shishi_init().
* @authenticator: authenticator as allocated by shishi_authenticator().
*
* Remove sequence number field in Authenticator.
*
* Return value: Returns %SHISHI_OK iff successful.
**/
int
shishi_authenticator_seqnumber_remove (Shishi * handle,
Shishi_asn1 authenticator)
{
int res;
res = shishi_asn1_write (handle, authenticator, "seq-number", NULL, 0);
if (res != SHISHI_OK)
return res;
return SHISHI_OK;
}
/**
* shishi_kdcreq_set_realm:
* @handle: shishi handle as allocated by shishi_init().
* @kdcreq: KDC-REQ variable to set realm field in.
* @realm: input array with name of realm.
*
* Set the realm field in the KDC-REQ.
*
* Return value: Returns SHISHI_OK iff successful.
**/
int
shishi_kdcreq_set_realm (Shishi * handle, Shishi_asn1 kdcreq,
const char *realm)
{
int res;
res = shishi_asn1_write (handle, kdcreq, "req-body.realm", realm, 0);
if (res != SHISHI_OK)
return res;
return SHISHI_OK;
}
/**
* shishi_encapreppart_seqnumber_remove:
* @handle: shishi handle as allocated by shishi_init().
* @encapreppart: encapreppart as allocated by shishi_encapreppart().
*
* Remove sequence number field in EncAPRepPart.
*
* Return value: Returns %SHISHI_OK iff successful.
**/
int
shishi_encapreppart_seqnumber_remove (Shishi * handle,
Shishi_asn1 encapreppart)
{
int res;
res = shishi_asn1_write (handle, encapreppart, "seq-number", NULL, 0);
if (res != SHISHI_OK)
return res;
return SHISHI_OK;
}
int
shishi_authenticator_remove_cksum (Shishi * handle, Shishi_asn1 authenticator)
{
int res;
/* XXX remove this function */
res = shishi_asn1_write (handle, authenticator, "cksum", NULL, 0);
if (res != SHISHI_OK)
return res;
return SHISHI_OK;
}
/**
* shishi_authenticator_clear_authorizationdata:
* @handle: shishi handle as allocated by shishi_init().
* @authenticator: Authenticator as allocated by shishi_authenticator().
*
* Remove the authorization-data field from Authenticator.
*
* Return value: Returns SHISHI_OK iff successful.
**/
int
shishi_authenticator_clear_authorizationdata (Shishi * handle,
Shishi_asn1 authenticator)
{
int res;
res = shishi_asn1_write (handle, authenticator,
"authorization-data", NULL, 0);
if (res != SHISHI_OK)
return SHISHI_ASN1_ERROR;
return SHISHI_OK;
}
/**
* shishi_encapreppart_ctime_set:
* @handle: shishi handle as allocated by shishi_init().
* @encapreppart: EncAPRepPart as allocated by shishi_encapreppart().
* @t: string with generalized time value to store in EncAPRepPart.
*
* Store client time in EncAPRepPart.
*
* Return value: Returns SHISHI_OK iff successful.
**/
int
shishi_encapreppart_ctime_set (Shishi * handle,
Shishi_asn1 encapreppart, const char *t)
{
int res;
res = shishi_asn1_write (handle, encapreppart, "ctime",
t, SHISHI_GENERALIZEDTIME_LENGTH);
if (res != SHISHI_OK)
return res;
return SHISHI_OK;
}
/**
* shishi_authenticator_set_crealm:
* @handle: shishi handle as allocated by shishi_init().
* @authenticator: authenticator as allocated by shishi_authenticator().
* @crealm: input array with realm.
*
* Set realm field in authenticator to specified value.
*
* Return value: Returns SHISHI_OK iff successful.
**/
int
shishi_authenticator_set_crealm (Shishi * handle,
Shishi_asn1 authenticator,
const char *crealm)
{
int res;
res = shishi_asn1_write (handle, authenticator, "crealm", crealm, 0);
if (res != SHISHI_OK)
return res;
return SHISHI_OK;
}
/**
* shishi_authenticator_ctime_set:
* @handle: shishi handle as allocated by shishi_init().
* @authenticator: Authenticator as allocated by shishi_authenticator().
* @t: string with generalized time value to store in Authenticator.
*
* Store client time in Authenticator.
*
* Return value: Returns SHISHI_OK iff successful.
**/
int
shishi_authenticator_ctime_set (Shishi * handle,
Shishi_asn1 authenticator, const char *t)
{
int res;
res = shishi_asn1_write (handle, authenticator, "ctime",
t, SHISHI_GENERALIZEDTIME_LENGTH);
if (res != SHISHI_OK)
return res;
return SHISHI_OK;
}
/**
* shishi_encticketpart_endtime_set:
* @handle: shishi handle as allocated by shishi_init().
* @encticketpart: input EncTicketPart variable.
* @endtime: character buffer containing a generalized time string.
*
* Set the EncTicketPart.endtime to supplied value.
*
* Return value: Returns %SHISHI_OK iff successful.
**/
int
shishi_encticketpart_endtime_set (Shishi * handle,
Shishi_asn1 encticketpart,
const char *endtime)
{
int res;
res = shishi_asn1_write (handle, encticketpart, "endtime",
endtime, SHISHI_GENERALIZEDTIME_LENGTH);
if (res != SHISHI_OK)
return res;
return SHISHI_OK;
}
/**
* shishi_encticketpart_authtime_set:
* @handle: shishi handle as allocated by shishi_init().
* @encticketpart: input EncTicketPart variable.
* @authtime: character buffer containing a generalized time string.
*
* Set the EncTicketPart.authtime to supplied value.
*
* Return value: Returns %SHISHI_OK iff successful.
**/
int
shishi_encticketpart_authtime_set (Shishi * handle,
Shishi_asn1 encticketpart,
const char *authtime)
{
int res;
res = shishi_asn1_write (handle, encticketpart, "authtime",
authtime, SHISHI_GENERALIZEDTIME_LENGTH);
if (res != SHISHI_OK)
return SHISHI_ASN1_ERROR;
return SHISHI_OK;
}
/**
* shishi_authenticator_add_authorizationdata:
* @handle: shishi handle as allocated by shishi_init().
* @authenticator: authenticator as allocated by shishi_authenticator().
* @adtype: input authorization data type to add.
* @addata: input authorization data to add.
* @addatalen: size of input authorization data to add.
*
* Add authorization data to authenticator.
*
* Return value: Returns SHISHI_OK iff successful.
**/
int
shishi_authenticator_add_authorizationdata (Shishi * handle,
Shishi_asn1 authenticator,
int32_t adtype,
const char *addata,
size_t addatalen)
{
char *format;
int res;
size_t i;
res = shishi_asn1_write (handle, authenticator,
"authorization-data", "NEW", 1);
if (res != SHISHI_OK)
return res;
res = shishi_asn1_number_of_elements (handle, authenticator,
"authorization-data", &i);
if (res != SHISHI_OK)
return res;
asprintf (&format, "authorization-data.?%zu.ad-type", i);
res = shishi_asn1_write_integer (handle, authenticator, format, adtype);
if (res != SHISHI_OK)
{
free (format);
return res;
}
sprintf (format, "authorization-data.?%zu.ad-data", i);
res = shishi_asn1_write (handle, authenticator, format, addata, addatalen);
free (format);
if (res != SHISHI_OK)
return res;
return SHISHI_OK;
}
/**
* shishi_encticketpart_key_set:
* @handle: shishi handle as allocated by shishi_init().
* @encticketpart: input EncTicketPart variable.
* @key: key handle with information to store in encticketpart.
*
* Set the EncTicketPart.key field to key type and value of supplied
* key.
*
* Return value: Returns %SHISHI_OK iff successful.
**/
int
shishi_encticketpart_key_set (Shishi * handle,
Shishi_asn1 encticketpart, Shishi_key * key)
{
int res;
int keytype;
keytype = shishi_key_type (key);
res = shishi_asn1_write_uint32 (handle, encticketpart,
"key.keytype", keytype);
if (res != SHISHI_OK)
return res;
res = shishi_asn1_write (handle, encticketpart, "key.keyvalue",
shishi_key_value (key), shishi_key_length (key));
if (res != SHISHI_OK)
return res;
return SHISHI_OK;
}
/**
* shishi_authenticator_set_subkey:
* @handle: shishi handle as allocated by shishi_init().
* @authenticator: authenticator as allocated by shishi_authenticator().
* @subkeytype: input subkey type to store in authenticator.
* @subkey: input subkey data to store in authenticator.
* @subkeylen: size of input subkey data to store in authenticator.
*
* Store subkey value in authenticator. A subkey is usually created
* by calling shishi_key_random() using the default encryption type of
* the key from the ticket that is being used. To save time, you may
* want to use shishi_authenticator_add_subkey() instead, which calculates
* the subkey and calls this function in one step.
*
* Return value: Returns SHISHI_OK iff successful.
**/
int
shishi_authenticator_set_subkey (Shishi * handle,
Shishi_asn1 authenticator,
int32_t subkeytype,
const char *subkey, size_t subkeylen)
{
int res;
res = shishi_asn1_write_int32 (handle, authenticator,
"subkey.keytype", subkeytype);
if (res != SHISHI_OK)
return res;
res = shishi_asn1_write (handle, authenticator, "subkey.keyvalue",
subkey, subkeylen);
if (res != SHISHI_OK)
return res;
return SHISHI_OK;
}
/**
* shishi_encticketpart_transited_set:
* @handle: shishi handle as allocated by shishi_init().
* @encticketpart: input EncTicketPart variable.
* @trtype: transitedencoding type, e.g. SHISHI_TR_DOMAIN_X500_COMPRESS.
* @trdata: actual transited realm data.
* @trdatalen: length of actual transited realm data.
*
* Set the EncTicketPart.transited field to supplied value.
*
* Return value: Returns %SHISHI_OK iff successful.
**/
int
shishi_encticketpart_transited_set (Shishi * handle,
Shishi_asn1 encticketpart,
int32_t trtype,
const char *trdata, size_t trdatalen)
{
int res;
res = shishi_asn1_write_int32 (handle, encticketpart,
"transited.tr-type", trtype);
if (res != SHISHI_OK)
return res;
res = shishi_asn1_write (handle, encticketpart,
"transited.contents", trdata, trdatalen);
if (res != SHISHI_OK)
return res;
return SHISHI_OK;
}
/**
* shishi_authenticator_set_cksum:
* @handle: shishi handle as allocated by shishi_init().
* @authenticator: authenticator as allocated by shishi_authenticator().
* @cksumtype: input checksum type to store in authenticator.
* @cksum: input checksum data to store in authenticator.
* @cksumlen: size of input checksum data to store in authenticator.
*
* Store checksum value in authenticator. A checksum is usually created
* by calling shishi_checksum() on some application specific data using
* the key from the ticket that is being used. To save time, you may
* want to use shishi_authenticator_add_cksum() instead, which calculates
* the checksum and calls this function in one step.
*
* Return value: Returns SHISHI_OK iff successful.
**/
int
shishi_authenticator_set_cksum (Shishi * handle,
Shishi_asn1 authenticator,
int32_t cksumtype,
char *cksum, size_t cksumlen)
{
int res;
res = shishi_asn1_write_int32 (handle, authenticator,
"cksum.cksumtype", cksumtype);
if (res != SHISHI_OK)
return res;
res = shishi_asn1_write (handle, authenticator, "cksum.checksum",
cksum, cksumlen);
if (res != SHISHI_OK)
return res;
return SHISHI_OK;
}
/**
* shishi_apreq:
* @handle: shishi handle as allocated by shishi_init().
*
* This function creates a new AP-REQ, populated with some default
* values.
*
* Return value: Returns the AP-REQ or NULL on failure.
**/
Shishi_asn1
shishi_apreq (Shishi * handle)
{
Shishi_asn1 node;
int res;
node = shishi_asn1_apreq (handle);
if (!node)
goto error;
res = shishi_asn1_write (handle, node, "pvno",
SHISHI_APREQ_DEFAULT_PVNO,
SHISHI_APREQ_DEFAULT_PVNO_LEN);
if (res != SHISHI_OK)
goto error;
res = shishi_asn1_write (handle, node, "msg-type",
SHISHI_APREQ_DEFAULT_MSG_TYPE,
SHISHI_APREQ_DEFAULT_MSG_TYPE_LEN);
if (res != SHISHI_OK)
goto error;
res = shishi_asn1_write (handle, node, "ap-options",
SHISHI_APREQ_DEFAULT_AP_OPTIONS,
SHISHI_APREQ_DEFAULT_AP_OPTIONS_LEN);
if (res != SHISHI_OK)
goto error;
res = shishi_asn1_write (handle, node, "ticket.tkt-vno",
SHISHI_APREQ_DEFAULT_TICKET_TKT_VNO,
SHISHI_APREQ_DEFAULT_TICKET_TKT_VNO_LEN);
if (res != SHISHI_OK)
goto error;
res = shishi_asn1_write (handle, node, "ticket.realm",
SHISHI_APREQ_DEFAULT_TICKET_REALM,
SHISHI_APREQ_DEFAULT_TICKET_REALM_LEN);
if (res != SHISHI_OK)
goto error;
res = shishi_asn1_write (handle, node, "ticket.realm",
SHISHI_APREQ_DEFAULT_TICKET_REALM,
SHISHI_APREQ_DEFAULT_TICKET_REALM_LEN);
if (res != SHISHI_OK)
goto error;
res = shishi_asn1_write (handle, node, "ticket.sname.name-type",
SHISHI_APREQ_DEFAULT_TICKET_SNAME_NAME_TYPE,
SHISHI_APREQ_DEFAULT_TICKET_SNAME_NAME_TYPE_LEN);
if (res != SHISHI_OK)
goto error;
res = shishi_asn1_write (handle, node, "ticket.enc-part.etype",
SHISHI_APREQ_DEFAULT_TICKET_ENC_PART_ETYPE,
SHISHI_APREQ_DEFAULT_TICKET_ENC_PART_ETYPE_LEN);
if (res != SHISHI_OK)
goto error;
res = shishi_asn1_write (handle, node, "ticket.enc-part.kvno",
SHISHI_APREQ_DEFAULT_TICKET_ENC_PART_KVNO,
SHISHI_APREQ_DEFAULT_TICKET_ENC_PART_KVNO_LEN);
if (res != SHISHI_OK)
goto error;
res = shishi_asn1_write (handle, node, "ticket.enc-part.cipher",
SHISHI_APREQ_DEFAULT_TICKET_ENC_PART_CIPHER,
SHISHI_APREQ_DEFAULT_TICKET_ENC_PART_CIPHER_LEN);
if (res != SHISHI_OK)
goto error;
res = shishi_asn1_write (handle, node, "authenticator.etype",
SHISHI_APREQ_DEFAULT_AUTHENTICATOR_ETYPE,
SHISHI_APREQ_DEFAULT_AUTHENTICATOR_ETYPE_LEN);
if (res != SHISHI_OK)
goto error;
res = shishi_asn1_write (handle, node, "authenticator.kvno",
SHISHI_APREQ_DEFAULT_AUTHENTICATOR_KVNO,
SHISHI_APREQ_DEFAULT_AUTHENTICATOR_KVNO_LEN);
if (res != SHISHI_OK)
goto error;
res = shishi_asn1_write (handle, node, "authenticator.cipher",
SHISHI_APREQ_DEFAULT_AUTHENTICATOR_CIPHER,
SHISHI_APREQ_DEFAULT_AUTHENTICATOR_CIPHER_LEN);
if (res != SHISHI_OK)
goto error;
return node;
error:
if (node)
shishi_asn1_done (handle, node);
return NULL;
}
/**
* shishi_kdcreq_add_padata_preauth:
* @handle: shishi handle as allocated by shishi_init().
* @kdcreq: KDC-REQ to add pre-authentication data to.
* @key: Key used to encrypt pre-auth data.
*
* Add pre-authentication data to KDC-REQ.
*
* Return value: Returns SHISHI_OK iff successful.
**/
int
shishi_kdcreq_add_padata_preauth (Shishi * handle,
Shishi_asn1 kdcreq, Shishi_key * key)
{
char *der, *data;
size_t derlen, datalen;
Shishi_asn1 pa;
struct timeval tv;
int rc;
Shishi_asn1 ed;
pa = shishi_asn1_pa_enc_ts_enc (handle);
if (!pa)
return SHISHI_ASN1_ERROR;
rc = gettimeofday (&tv, NULL);
if (rc != 0)
return SHISHI_GETTIMEOFDAY_ERROR;
rc = shishi_asn1_write (handle, pa, "patimestamp",
shishi_generalize_time (handle, tv.tv_sec),
SHISHI_GENERALIZEDTIME_LENGTH);
if (rc != SHISHI_OK)
return rc;
rc = shishi_asn1_write_integer (handle, pa, "pausec", tv.tv_usec);
if (rc != SHISHI_OK)
return rc;
rc = shishi_asn1_to_der (handle, pa, &der, &derlen);
if (rc != SHISHI_OK)
return rc;
rc = shishi_encrypt (handle, key, SHISHI_KEYUSAGE_ASREQ_PA_ENC_TIMESTAMP,
der, derlen, &data, &datalen);
free (der);
if (rc != SHISHI_OK)
return rc;
ed = shishi_asn1_encrypteddata (handle);
if (!ed)
return SHISHI_ASN1_ERROR;
rc = shishi_asn1_write_integer (handle, ed, "etype", shishi_key_type (key));
if (rc != SHISHI_OK)
return rc;
rc = shishi_asn1_write (handle, ed, "cipher", data, datalen);
if (rc != SHISHI_OK)
return rc;
rc = shishi_asn1_write (handle, ed, "kvno", NULL, 0);
if (rc != SHISHI_OK)
return rc;
rc = shishi_asn1_to_der (handle, ed, &der, &derlen);
free (data);
if (rc != SHISHI_OK)
return rc;
rc = shishi_kdcreq_add_padata (handle, kdcreq, SHISHI_PA_ENC_TIMESTAMP,
der, derlen);
free (der);
if (rc != SHISHI_OK)
return rc;
return rc;
}
static Shishi_asn1
_shishi_kdcreq (Shishi * handle, int as)
{
int res;
Shishi_asn1 node;
const char *servicebuf[3];
uint32_t nonce;
if (as)
node = shishi_asn1_asreq (handle);
else
node = shishi_asn1_tgsreq (handle);
if (!node)
return NULL;
res = shishi_asn1_write (handle, node, "pvno",
SHISHI_KDCREQ_DEFAULT_PVNO,
SHISHI_KDCREQ_DEFAULT_PVNO_LEN);
if (res != SHISHI_OK)
goto error;
if (as)
res = shishi_asn1_write (handle, node, "msg-type",
SHISHI_AS_REQ_DEFAULT_MSG_TYPE,
SHISHI_AS_REQ_DEFAULT_MSG_TYPE_LEN);
else
res = shishi_asn1_write (handle, node, "msg-type",
SHISHI_TGS_REQ_DEFAULT_MSG_TYPE,
SHISHI_TGS_REQ_DEFAULT_MSG_TYPE_LEN);
if (res != SHISHI_OK)
goto error;
res = shishi_asn1_write (handle, node, "req-body.kdc-options",
SHISHI_KDCREQ_DEFAULT_REQ_BODY_KDC_OPTIONS,
SHISHI_KDCREQ_DEFAULT_REQ_BODY_KDC_OPTIONS_LEN);
if (res != SHISHI_OK)
goto error;
if (as)
res = shishi_kdcreq_set_cname (handle, node, SHISHI_NT_PRINCIPAL,
shishi_principal_default (handle));
else
res = shishi_asn1_write (handle, node, "req-body.cname", NULL, 0);
if (res != SHISHI_OK)
goto error;
res = shishi_kdcreq_set_realm (handle, node, shishi_realm_default (handle));
if (res != SHISHI_OK)
goto error;
servicebuf[0] = "krbtgt";
servicebuf[1] = shishi_realm_default (handle);
servicebuf[2] = NULL;
res = shishi_kdcreq_set_sname (handle, node,
SHISHI_NT_PRINCIPAL, servicebuf);
if (res != SHISHI_OK)
goto error;
res = shishi_asn1_write (handle, node, "req-body.sname.name-type",
SHISHI_KDCREQ_DEFAULT_REQ_BODY_SNAME_NAME_TYPE,
SHISHI_KDCREQ_DEFAULT_REQ_BODY_SNAME_NAME_TYPE_LEN);
if (res != SHISHI_OK)
goto error;
res = shishi_asn1_write (handle, node, "req-body.till",
shishi_generalize_time (handle,
time (NULL) +
handle->ticketlife), 0);
if (res != SHISHI_OK)
goto error;
shishi_randomize (handle, 0, &nonce, sizeof (nonce));
nonce &= 0x7FFFFFFF; /* XXX fix _libtasn1_convert_integer. */
res = shishi_kdcreq_nonce_set (handle, node, nonce);
if (res != SHISHI_OK)
goto error;
res = shishi_kdcreq_set_etype (handle, node, handle->clientkdcetypes,
handle->nclientkdcetypes);
if (res != SHISHI_OK)
goto error;
res = shishi_asn1_write (handle, node, "req-body.addresses", NULL, 0);
if (res != SHISHI_OK)
goto error;
res = shishi_asn1_write (handle, node,
"req-body.enc-authorization-data", NULL, 0);
if (res != SHISHI_OK)
goto error;
res =
shishi_asn1_write (handle, node, "req-body.additional-tickets", NULL, 0);
if (res != SHISHI_OK)
goto error;
return node;
error:
shishi_asn1_done (handle, node);
return NULL;
}
/**
* shishi_apreq_set_ticket:
* @handle: shishi handle as allocated by shishi_init().
* @apreq: AP-REQ to add ticket field to.
* @ticket: input ticket to copy into AP-REQ ticket field.
*
* Copy ticket into AP-REQ.
*
* Return value: Returns SHISHI_OK iff successful.
**/
int
shishi_apreq_set_ticket (Shishi * handle, Shishi_asn1 apreq,
Shishi_asn1 ticket)
{
int res;
char *format;
char *buf;
size_t buflen, i, n;
res = shishi_asn1_read (handle, ticket, "tkt-vno", &buf, &buflen);
if (res != SHISHI_OK)
return res;
res = shishi_asn1_write (handle, apreq, "ticket.tkt-vno", buf, buflen);
free (buf);
if (res != SHISHI_OK)
return res;
res = shishi_asn1_read (handle, ticket, "realm", &buf, &buflen);
if (res != SHISHI_OK)
return res;
res = shishi_asn1_write (handle, apreq, "ticket.realm", buf, buflen);
free (buf);
if (res != SHISHI_OK)
return res;
res = shishi_asn1_read (handle, ticket, "sname.name-type", &buf, &buflen);
if (res != SHISHI_OK)
return res;
res = shishi_asn1_write (handle, apreq, "ticket.sname.name-type",
buf, buflen);
free (buf);
if (res != SHISHI_OK)
return res;
res = shishi_asn1_number_of_elements (handle, ticket,
"sname.name-string", &n);
if (res != SHISHI_OK)
return res;
for (i = 1; i <= n; i++)
{
res = shishi_asn1_write (handle, apreq,
"ticket.sname.name-string", "NEW", 1);
if (res != SHISHI_OK)
return res;
asprintf (&format, "sname.name-string.?%d", i);
res = shishi_asn1_read (handle, ticket, format, &buf, &buflen);
free (format);
if (res != SHISHI_OK)
return res;
asprintf (&format, "ticket.sname.name-string.?%d", i);
res = shishi_asn1_write (handle, apreq, format, buf, buflen);
free (format);
free (buf);
if (res != SHISHI_OK)
return res;
}
res = shishi_asn1_read (handle, ticket, "enc-part.etype", &buf, &buflen);
if (res != SHISHI_OK)
return res;
res = shishi_asn1_write (handle, apreq, "ticket.enc-part.etype",
buf, buflen);
free (buf);
if (res != SHISHI_OK)
return res;
res = shishi_asn1_read (handle, ticket, "enc-part.kvno", &buf, &buflen);
if (res != SHISHI_OK && res != SHISHI_ASN1_NO_ELEMENT)
return res;
if (res == SHISHI_ASN1_NO_ELEMENT)
res = shishi_asn1_write (handle, apreq, "ticket.enc-part.kvno", NULL, 0);
else
{
res = shishi_asn1_write (handle, apreq, "ticket.enc-part.kvno",
buf, buflen);
free (buf);
}
if (res != SHISHI_OK)
return res;
res = shishi_asn1_read (handle, ticket, "enc-part.cipher", &buf, &buflen);
if (res != SHISHI_OK)
return res;
res = shishi_asn1_write (handle, apreq, "ticket.enc-part.cipher",
buf, buflen);
free (buf);
if (res != SHISHI_OK)
return res;
return SHISHI_OK;
}
/**
* shishi_apreq_get_ticket:
* @handle: shishi handle as allocated by shishi_init().
* @apreq: AP-REQ variable to get ticket from.
* @ticket: output variable to hold extracted ticket.
*
* Extract ticket from AP-REQ.
*
* Return value: Returns SHISHI_OK iff successful.
**/
int
shishi_apreq_get_ticket (Shishi * handle,
Shishi_asn1 apreq, Shishi_asn1 * ticket)
{
char *buf;
char *format;
size_t buflen, i, n;
int res;
/* there's GOT to be an easier way to do this */
*ticket = shishi_ticket (handle);
if (!*ticket)
return SHISHI_ASN1_ERROR;
res = shishi_asn1_read (handle, apreq, "ticket.tkt-vno", &buf, &buflen);
if (res != SHISHI_OK)
goto error;
res = shishi_asn1_write (handle, *ticket, "tkt-vno", buf, buflen);
free (buf);
if (res != SHISHI_OK)
goto error;
res = shishi_asn1_read (handle, apreq, "ticket.realm", &buf, &buflen);
if (res != SHISHI_OK)
goto error;
res = shishi_asn1_write (handle, *ticket, "realm", buf, buflen);
free (buf);
if (res != SHISHI_OK)
goto error;
res = shishi_asn1_read (handle, apreq, "ticket.sname.name-type",
&buf, &buflen);
if (res != SHISHI_OK)
goto error;
res = shishi_asn1_write (handle, *ticket, "sname.name-type", buf, buflen);
free (buf);
if (res != SHISHI_OK)
goto error;
res = shishi_asn1_number_of_elements (handle, apreq,
"ticket.sname.name-string", &n);
if (res != SHISHI_OK)
goto error;
for (i = 1; i <= n; i++)
{
res = shishi_asn1_write (handle, *ticket, "sname.name-string",
"NEW", 1);
if (res != SHISHI_OK)
goto error;
asprintf (&format, "ticket.sname.name-string.?%d", i);
res = shishi_asn1_read (handle, apreq, format, &buf, &buflen);
free (format);
if (res != SHISHI_OK)
goto error;
asprintf (&format, "sname.name-string.?%d", i);
res = shishi_asn1_write (handle, *ticket, format, buf, buflen);
free (format);
free (buf);
if (res != SHISHI_OK)
goto error;
}
res = shishi_asn1_read (handle, apreq, "ticket.enc-part.etype",
&buf, &buflen);
if (res != SHISHI_OK)
goto error;
res = shishi_asn1_write (handle, *ticket, "enc-part.etype", buf, buflen);
free (buf);
if (res != SHISHI_OK)
goto error;
res = shishi_asn1_read (handle, apreq, "ticket.enc-part.kvno",
&buf, &buflen);
if (res != SHISHI_OK && res != SHISHI_ASN1_NO_ELEMENT)
goto error;
if (res == SHISHI_ASN1_NO_ELEMENT)
res = shishi_asn1_write (handle, *ticket, "enc-part.kvno", NULL, 0);
else
{
res = shishi_asn1_write (handle, *ticket, "enc-part.kvno", buf, buflen);
free (buf);
}
if (res != SHISHI_OK)
goto error;
res = shishi_asn1_read (handle, apreq, "ticket.enc-part.cipher",
&buf, &buflen);
if (res != SHISHI_OK)
goto error;
res = shishi_asn1_write (handle, *ticket, "enc-part.cipher", buf, buflen);
free (buf);
if (res != SHISHI_OK)
goto error;
return SHISHI_OK;
error:
shishi_asn1_done (handle, *ticket);
return res;
}
