static int doit (Shishi * h, Shishi_ap * ap, int verbose) { Shishi_asn1 asn1safe; Shishi_safe *safe; char *userdata; size_t userdatalen; int res; printf ("Application exchange start. Press ^D to finish.\n"); while ((res = shishi_safe_parse (h, stdin, &asn1safe)) == SHISHI_OK) { if (res != SHISHI_OK) { fprintf (stderr, "Could not read SAFE:\n%s\n%s\n", shishi_strerror (res), shishi_error (h)); return 1; } res = shishi_safe (h, &safe); if (res != SHISHI_OK) { fprintf (stderr, "Could not create SAFE:\n%s\n%s\n", shishi_strerror (res), shishi_error (h)); return 1; } shishi_safe_safe_set (safe, asn1safe); res = shishi_safe_verify (safe, shishi_ap_key (ap)); if (res != SHISHI_OK) { fprintf (stderr, "Could not verify SAFE:\n%s\n%s\n", shishi_strerror (res), shishi_error (h)); return 1; } printf ("Verified SAFE successfully...\n"); res = shishi_safe_user_data (h, asn1safe, &userdata, &userdatalen); if (res != SHISHI_OK) { fprintf (stderr, "Could not extract user data:\n%s\n%s\n", shishi_strerror (res), shishi_error (h)); return 1; } userdata[userdatalen] = '\0'; printf ("user data: `%s'\n", userdata); } if (ferror (stdin)) { printf ("error reading stdin\n"); return 1; } return 0; }
static int doit (Shishi * handle, Shishi_ap * ap, int verbose) { char line[BUFSIZ]; int res; printf ("Application exchange start. Press ^D to finish.\n"); while (fgets (line, sizeof (line), stdin)) { Shishi_safe *safe; line[strlen(line)-1] = '\0'; printf ("read: %s\n", line); res = shishi_safe (handle, &safe); if (res != SHISHI_OK) { printf ("Could not build SAFE: %s\n", shishi_strerror (res)); return res; } res = shishi_safe_set_user_data (handle, shishi_safe_safe (safe), line, strlen (line)); if (res != SHISHI_OK) { printf ("Could not set application data in SAFE: %s\n", shishi_strerror (res)); return res; } res = shishi_safe_build (safe, shishi_ap_key (ap)); if (res != SHISHI_OK) { printf ("Could not build SAFE: %s\n", shishi_strerror (res)); return res; } res = shishi_safe_print (handle, stdout, shishi_safe_safe (safe)); if (res != SHISHI_OK) { printf ("Could not print SAFE: %s\n", shishi_strerror (res)); return res; } } if (ferror (stdin)) { printf ("error reading stdin\n"); return 1; } return 0; }
/** * shishi_tgs_req_build: * @tgs: structure that holds information about TGS exchange * * Checksum data in authenticator and add ticket and authenticator to * TGS-REQ. * * Return value: Returns SHISHI_OK iff successful. **/ int shishi_tgs_req_build (Shishi_tgs * tgs) { uint32_t apoptions; int res; if (VERBOSE (tgs->handle)) printf ("Building TGS-REQ...\n"); res = shishi_kdcreq_build (tgs->handle, tgs->tgsreq); if (res != SHISHI_OK) return res; res = shishi_apreq_options (tgs->handle, shishi_ap_req (tgs->ap), &apoptions); if (res != SHISHI_OK) { shishi_error_printf (tgs->handle, "Could not get AP-REQ AP-Options: %s\n", shishi_strerror (res)); return res; } res = shishi_ap_set_tktoptionsasn1usage (tgs->ap, tgs->tgtkt, apoptions, tgs->tgsreq, "req-body", SHISHI_KEYUSAGE_TGSREQ_APREQ_AUTHENTICATOR_CKSUM, SHISHI_KEYUSAGE_TGSREQ_APREQ_AUTHENTICATOR); if (res == SHISHI_OK) res = shishi_ap_req_build (tgs->ap); if (res != SHISHI_OK) { shishi_error_printf (tgs->handle, "Could not make AP-REQ: %s\n", shishi_strerror (res)); return res; } if (VERBOSE (tgs->handle)) printf ("Got AP-REQ...\n"); if (VERBOSEASN1 (tgs->handle)) shishi_apreq_print (tgs->handle, stdout, shishi_ap_req (tgs->ap)); res = shishi_kdcreq_add_padata_tgs (tgs->handle, tgs->tgsreq, shishi_ap_req (tgs->ap)); if (res != SHISHI_OK) { shishi_error_printf (tgs->handle, "Could not add AP-REQ to TGS: %s\n", shishi_strerror (res)); return res; } return SHISHI_OK; }
/** * shishi_tgs_rep_process: * @tgs: structure that holds information about TGS exchange * * Process new TGS-REP and set ticket. The key to decrypt the TGS-REP * is taken from the EncKDCRepPart of the TGS tgticket. * * Return value: Returns SHISHI_OK iff successful. **/ int shishi_tgs_rep_process (Shishi_tgs * tgs) { Shishi_asn1 kdcreppart, ticket; int res; if (VERBOSE (tgs->handle)) printf ("Processing TGS-REQ and TGS-REP...\n"); res = shishi_tgs_process (tgs->handle, tgs->tgsreq, tgs->tgsrep, shishi_ap_authenticator (tgs->ap), shishi_tkt_enckdcreppart (tgs->tgtkt), &kdcreppart); if (res != SHISHI_OK) { shishi_error_printf (tgs->handle, "Could not process TGS: %s", shishi_strerror (res)); return res; } if (VERBOSE (tgs->handle)) printf ("Got EncKDCRepPart...\n"); if (VERBOSEASN1 (tgs->handle)) shishi_enckdcreppart_print (tgs->handle, stdout, kdcreppart); res = shishi_kdcrep_get_ticket (tgs->handle, tgs->tgsrep, &ticket); if (res != SHISHI_OK) { shishi_error_printf (tgs->handle, "Could not extract ticket from TGS-REP: %s", shishi_strerror (res)); return res; } if (VERBOSE (tgs->handle)) printf ("Got Ticket...\n"); if (VERBOSEASN1 (tgs->handle)) shishi_ticket_print (tgs->handle, stdout, ticket); /* XXX */ tgs->tkt = shishi_tkt2 (tgs->handle, ticket, kdcreppart, tgs->tgsrep); return SHISHI_OK; }
/** * shishi_tgs_set_realm: * @tgs: structure that holds information about TGS exchange * @realm: indicates the realm to acquire ticket for. * * Set the server in the TGS-REQ. * * Return value: Returns SHISHI_OK iff successful. **/ int shishi_tgs_set_realm (Shishi_tgs * tgs, const char *realm) { int res; res = shishi_kdcreq_set_realm (tgs->handle, tgs->tgsreq, realm); if (res != SHISHI_OK) { shishi_error_printf (tgs->handle, "Could not set realm in KDC-REQ: %s\n", shishi_strerror (res)); return res; } return SHISHI_OK; }
int krcmd_mutual (Shishi ** h, char **ahost, unsigned short rport, char **remuser, char *cmd, int *fd2p, const char *realm, Shishi_key ** key, int af) { int sock = -1, err = 0; struct sockaddr_storage laddr, faddr; long authopts = SHISHI_APOPTIONS_MUTUAL_REQUIRED; # ifdef HAVE_GETPWUID_R if (!pwbuf) { pwbuflen = sysconf (_SC_GETPW_R_SIZE_MAX); if (pwbuflen <= 0) pwbuflen = 1024; /* Guessing only. */ pwbuf = malloc (pwbuflen); } if (pwbuf) (void) getpwuid_r (getuid (), &pwstor, pwbuf, pwbuflen, &pwd); # endif /* HAVE_GETPWUID_R */ err = kcmd (h, &sock, ahost, rport, # ifdef HAVE_GETPWUID_R pwd ? pwd->pw_name : *remuser, /* locuser */ # else /* !HAVE_GETPWUID_R */ NULL, /* locuser not used */ # endif remuser, cmd, fd2p, SERVICE_NAME, realm, key, /* filled in */ &laddr, /* filled in */ &faddr, /* filled in */ authopts, af); if (err > SHISHI_OK) { fprintf (stderr, "krcmd_mutual: error %d, %s\n", err, shishi_strerror (err)); return (-1); } if (err < 0) return (-1); return (sock); }
int krcmd (Shishi ** h, char **ahost, unsigned short rport, char **remuser, char *cmd, int *fd2p, const char *realm, int af) { int sock = -1, err = 0; long authopts = 0L; # ifdef HAVE_GETPWUID_R if (!pwbuf) { pwbuflen = sysconf (_SC_GETPW_R_SIZE_MAX); if (pwbuflen <= 0) pwbuflen = 1024; /* Guessing only. */ pwbuf = malloc (pwbuflen); } if (pwbuf) (void) getpwuid_r (getuid (), &pwstor, pwbuf, pwbuflen, &pwd); # endif /* HAVE_GETPWUID_R */ err = kcmd (h, &sock, ahost, rport, # ifdef HAVE_GETPWUID_R pwd ? pwd->pw_name : *remuser, /* locuser */ # else /* !HAVE_GETPWUID_R */ NULL, /* locuser not used */ # endif remuser, cmd, fd2p, SERVICE_NAME, realm, NULL, /* key schedule not used */ NULL, /* local addr not used */ NULL, /* foreign addr not used */ authopts, af); if (err > SHISHI_OK) { fprintf (stderr, "krcmd: error %d, %s\n", err, shishi_strerror (err)); return (-1); } if (err < 0) return (-1); return (sock); }
int main (int argc, char *argv[]) { Shishi *h; Shishi_ap *ap; char *sname; int rc; printf ("sample-client (shishi " SHISHI_VERSION ")\n"); if (!shishi_check_version (SHISHI_VERSION)) { printf ("shishi_check_version() failed:\n" "Header file incompatible with shared library.\n"); return 1; } rc = shishi_init (&h); if (rc != SHISHI_OK) { printf ("error initializing shishi: %s\n", shishi_strerror (rc)); return 1; } if (argc > 1) sname = argv[1]; else sname = shishi_server_for_local_service (h, SERVICE); ap = auth (h, 1, shishi_principal_default (h), sname); if (ap) rc = doit (h, ap, 1); else rc = 1; shishi_done (h); return rc; }
/** * shishi_kdcreq_add_padata_tgs: * @handle: shishi handle as allocated by shishi_init(). * @kdcreq: KDC-REQ to add PA-DATA to. * @apreq: AP-REQ to add as PA-DATA. * * Add TGS pre-authentication data to KDC-REQ. The data is an AP-REQ * that authenticates the request. This functions simply DER encodes * the AP-REQ and calls shishi_kdcreq_add_padata() with a * SHISHI_PA_TGS_REQ padatatype. * * Return value: Returns SHISHI_OK iff successful. **/ int shishi_kdcreq_add_padata_tgs (Shishi * handle, Shishi_asn1 kdcreq, Shishi_asn1 apreq) { int res; char *data; size_t datalen; res = shishi_asn1_to_der (handle, apreq, &data, &datalen); if (res != SHISHI_OK) { shishi_error_printf (handle, "Could not DER encode AP-REQ: %s\n", shishi_strerror (res)); return res; } res = shishi_kdcreq_add_padata (handle, kdcreq, SHISHI_PA_TGS_REQ, data, datalen); free (data); if (res != SHISHI_OK) return res; return res; }
/** * shishi_apreq_add_authenticator: * @handle: shishi handle as allocated by shishi_init(). * @apreq: AP-REQ to add authenticator field to. * @key: key to to use for encryption. * @keyusage: cryptographic key usage value to use in encryption. * @authenticator: authenticator as allocated by shishi_authenticator(). * * Encrypts DER encoded authenticator using key and store it in the * AP-REQ. * * Return value: Returns SHISHI_OK iff successful. **/ int shishi_apreq_add_authenticator (Shishi * handle, Shishi_asn1 apreq, Shishi_key * key, int keyusage, Shishi_asn1 authenticator) { int res; char *buf; size_t buflen; char *der; size_t derlen; res = shishi_asn1_to_der (handle, authenticator, &der, &derlen); if (res != SHISHI_OK) { shishi_error_printf (handle, "Could not DER encode authenticator: %s\n", shishi_strerror (res)); return res; } res = shishi_encrypt (handle, key, keyusage, der, derlen, &buf, &buflen); free (der); if (res != SHISHI_OK) { shishi_error_printf (handle, "Cannot encrypt authenticator.\n"); return res; } res = shishi_apreq_set_authenticator (handle, apreq, shishi_key_type (key), shishi_key_version (key), buf, buflen); return res; }
int main (int argc, char **argv) { char *user = NULL; char *luser = NULL; char *host = NULL; char *port = "shell"; char *p; char lport[5]; struct passwd *pw; int af = AF_UNSPEC; struct addrinfo hint, *ai, *aip, *lai; struct sockaddr raddr; int raddrlen; int err, sock = -1, lsock = -1, esock = -1, i; int opt; bool verbose = false; char hostaddr[NI_MAXHOST]; char portnr[NI_MAXSERV]; char buf[3][BUFLEN], *bufp[3]; int len[3], wlen; fd_set infd, outfd, infdset, outfdset, errfd; int maxfd; int flags; #ifdef SHISHI Shishi *h; Shishi_key *enckey = NULL, *deckey = NULL; int rc; char *sname = NULL; int shishi = 0; int encryption = 0; int auth2 = 0; char *cmd, *tcmd; int hostlen, cmdlen; struct hostent *hostdata; char *iv = NULL; char *iv2 = NULL; char *iv3 = NULL; int ivlen; int ivlen2; int ivlen3; #endif argv0 = argv[0]; /* Lookup local username */ if (!(pw = getpwuid (getuid ()))) { fprintf (stderr, "%s: Could not lookup username: %s\n", argv0, strerror (errno)); return 1; } /* Process options */ #ifdef SHISHI while ((opt = getopt (argc, argv, "+l:p:46vsx")) != -1) #else while ((opt = getopt (argc, argv, "+l:p:46v")) != -1) #endif { switch (opt) { case 'l': user = optarg; break; case 'p': port = optarg; break; case '4': af = AF_INET; break; case '6': af = AF_INET6; break; case 'v': verbose = true; break; #ifdef SHISHI case 's': shishi = 1; port = "544"; break; case 'x': shishi = 1; encryption = 1; port = "544"; break; #endif default: fprintf (stderr, "%s: Unknown option!\n", argv0); usage (); return 1; } } if (optind == argc) { fprintf (stderr, "%s: No host specified!\n", argv0); usage (); return 1; } #ifdef SHISHI if (!shishi) { luser = pw->pw_name; if (!user) user = luser; } #endif host = argv[optind++]; if ((p = strchr (host, '@'))) { user = host; *p = '\0'; host = p + 1; } /* Resolve hostname and try to make a connection */ memset (&hint, '\0', sizeof (hint)); hint.ai_family = af; hint.ai_socktype = SOCK_STREAM; err = getaddrinfo (host, port, &hint, &ai); if (err) { fprintf (stderr, "%s: Error looking up host: %s\n", argv0, gai_strerror (err)); return 1; } hint.ai_flags = AI_PASSIVE; for (aip = ai; aip; aip = aip->ai_next) { if (getnameinfo (aip->ai_addr, aip->ai_addrlen, hostaddr, sizeof (hostaddr), portnr, sizeof (portnr), NI_NUMERICHOST | NI_NUMERICSERV)) { fprintf (stderr, "%s: Error resolving address: %s\n", argv0, strerror (errno)); return 1; } if (verbose) fprintf (stderr, "Trying %s port %s...", hostaddr, portnr); if ((sock = socket (aip->ai_family, aip->ai_socktype, aip->ai_protocol)) == -1) { if (verbose) fprintf (stderr, " Could not open socket: %s\n", strerror (errno)); continue; } hint.ai_family = aip->ai_family; /* Bind to a privileged port */ for (i = 1023; i >= 512; i--) { snprintf (lport, sizeof (lport), "%d", i); err = getaddrinfo (NULL, lport, &hint, &lai); if (err) { fprintf (stderr, " Error looking up localhost: %s\n", gai_strerror (err)); return 1; } err = bind (sock, lai->ai_addr, lai->ai_addrlen); freeaddrinfo (lai); if (err) continue; else break; } if (err) { if (verbose) fprintf (stderr, " Could not bind to privileged port: %s\n", strerror (errno)); continue; } if (connect (sock, aip->ai_addr, aip->ai_addrlen) == -1) { if (verbose) fprintf (stderr, " Connection failed: %s\n", strerror (errno)); continue; } if (verbose) fprintf (stderr, " Connected.\n"); break; } if (!aip) { fprintf (stderr, "%s: Could not make a connection.\n", argv0); return 1; } /* Create a socket for the incoming connection for stderr output */ if ((lsock = socket (aip->ai_family, aip->ai_socktype, aip->ai_protocol)) == -1) { fprintf (stderr, "%s: Could not open socket: %s\n", argv0, strerror (errno)); return 1; } hint.ai_family = aip->ai_family; freeaddrinfo (ai); for (i--; i >= 512; i--) { snprintf (lport, sizeof (lport), "%d", i); err = getaddrinfo (NULL, lport, &hint, &lai); if (err) { fprintf (stderr, "%s: Error looking up localhost: %s\n", argv0, gai_strerror (err)); return 1; } err = bind (lsock, lai->ai_addr, lai->ai_addrlen); freeaddrinfo (lai); if (err) continue; else break; } if (err) { fprintf (stderr, "%s: Could not bind to privileged port: %s\n", argv0, strerror (errno)); return 1; } if (listen (lsock, 1)) { fprintf (stderr, "%s: Could not listen: %s\n", argv0, strerror (errno)); return 1; } /* Drop privileges */ if (setuid (getuid ())) { fprintf (stderr, "%s: Unable to drop privileges: %s\n", argv0, strerror (errno)); return 1; } /* Send required information to the server */ bufp[0] = buf[0]; len[0] = sizeof (buf[0]); #ifdef SHISHI if (shishi) { if (!shishi_check_version (SHISHI_VERSION)) { printf ("shishi_check_version() failed:\n" "Header file incompatible with shared library.\n"); return 1; } rc = shishi_init (&h); if (rc != SHISHI_OK) { printf ("error initializing shishi: %s\n", shishi_strerror (rc)); return 1; } hostdata = gethostbyname (host); hostlen = strlen (hostdata->h_name) + strlen (SERVICE) + 2; sname = malloc (hostlen); snprintf (sname, hostlen, "%s/%s", SERVICE, hostdata->h_name); rc = optind; cmdlen = BUFLEN; cmd = malloc (cmdlen); tcmd = cmd; if (encryption) safecpy (&tcmd, &cmdlen, "-x ", 0); for (; optind < argc; optind++) { safecpy (&tcmd, &cmdlen, argv[optind], 0); if (optind < argc - 1) safecpy (&tcmd, &cmdlen, " ", 0); } safecpy (&tcmd, &cmdlen, "", 1); optind = rc; if (!user) user = (char *) shishi_principal_default (h); safewrite (sock, lport, strlen (lport) + 1); /* Wait for incoming connection from server */ if ((esock = accept (lsock, &raddr, &raddrlen)) == -1) { fprintf (stderr, "%s: Could not accept stderr connection: %s\n", argv0, strerror (errno)); return 1; } close (lsock); if (auth (h, 0, user, sname, sock, cmd, port, &enckey, deckey) != AUTH_OK) return 1; free (cmd); } else { safecpy (&bufp[0], &len[0], lport, 1); safecpy (&bufp[0], &len[0], luser, 1); } #else safecpy (&bufp[0], &len[0], lport, 1); safecpy (&bufp[0], &len[0], luser, 1); #endif safecpy (&bufp[0], &len[0], user, 1); #ifdef SHISHI if (encryption) safecpy (&bufp[0], &len[0], "-x ", 0); #endif for (; optind < argc; optind++) { safecpy (&bufp[0], &len[0], argv[optind], 0); if (optind < argc - 1) safecpy (&bufp[0], &len[0], " ", 0); } #ifdef SHISHI if (shishi) { safecpy (&bufp[0], &len[0], "", 1); safecpy (&bufp[0], &len[0], user, 1); } else #endif safecpy (&bufp[0], &len[0], "", 1); if (!len[0]) { fprintf (stderr, "%s: Arguments too long!\n", argv0); return 1; } if (safewrite (sock, buf[0], bufp[0] - buf[0]) == -1) { fprintf (stderr, "%s: Unable to send required information: %s\n", argv0, strerror (errno)); return 1; } #ifdef SHISHI if (shishi) { safewrite (sock, &auth2, sizeof (int)); } #endif /* Wait for acknowledgement from server */ errno = 0; if (read (sock, buf[0], 1) != 1 || *buf[0]) { fprintf (stderr, "%s: Didn't receive NULL byte from server: %s\n", argv0, strerror (errno)); return 1; } #ifdef SHISHI if (encryption) { ivlen = ivlen2 = ivlen3 = shishi_key_length (enckey); iv = malloc (ivlen); memset (iv, 1, ivlen); iv2 = malloc (ivlen2); memset (iv2, 3, ivlen2); iv3 = malloc (ivlen3); memset (iv3, 0, ivlen3); } if (!shishi) { /* Wait for incoming connection from server */ if ((esock = accept (lsock, &raddr, &raddrlen)) == -1) { fprintf (stderr, "%s: Could not accept stderr connection: %s\n", argv0, strerror (errno)); return 1; } close (lsock); } #else /* Wait for incoming connection from server */ if ((esock = accept (lsock, &raddr, &raddrlen)) == -1) { fprintf (stderr, "%s: Could not accept stderr connection: %s\n", argv0, strerror (errno)); return 1; } close (lsock); #endif /* Process input/output */ flags = fcntl (sock, F_GETFL); fcntl (sock, F_SETFL, flags | O_NONBLOCK); flags = fcntl (esock, F_GETFL); fcntl (esock, F_SETFL, flags | O_NONBLOCK); bufp[0] = buf[0]; bufp[1] = buf[1]; bufp[2] = buf[2]; FD_ZERO (&infdset); FD_ZERO (&outfdset); FD_SET (0, &infdset); FD_SET (sock, &infdset); FD_SET (esock, &infdset); maxfd = (sock > esock ? sock : esock) + 1; for (;;) { errno = 0; infd = infdset; outfd = outfdset; errfd = infdset; if (select (maxfd, &infd, &outfd, &errfd, NULL) <= 0) { if (errno == EINTR) continue; else break; } if (FD_ISSET (esock, &infd)) { #ifdef SHISHI if (encryption) { rc = readenc (h, esock, buf[2], &len[2], iv2, &ivlen2, enckey); if (rc != SHISHI_OK) break; } else #endif len[2] = read (esock, buf[2], BUFLEN); if (len[2] <= 0) { if (errno != EINTR) { if (FD_ISSET (sock, &infdset) || FD_ISSET (1, &outfdset)) FD_CLR (esock, &infdset); else break; } } else { FD_SET (2, &outfdset); FD_CLR (esock, &infdset); } } if (FD_ISSET (2, &outfd)) { wlen = write (2, bufp[2], len[2]); if (wlen <= 0) { if (errno != EINTR) { if (FD_ISSET (sock, &infdset) || FD_ISSET (1, &outfdset)) FD_CLR (esock, &infdset); else break; } } else { len[2] -= wlen; bufp[2] += wlen; if (!len[2]) { FD_CLR (2, &outfdset); FD_SET (esock, &infdset); bufp[2] = buf[2]; } } } if (FD_ISSET (sock, &infd)) { #ifdef SHISHI if (encryption) { rc = readenc (h, sock, buf[1], &len[1], iv, &ivlen, enckey); if (rc != SHISHI_OK) break; } else #endif len[1] = read (sock, buf[1], BUFLEN); if (len[1] <= 0) { if (errno != EINTR) { if (FD_ISSET (esock, &infdset) || FD_ISSET (2, &outfdset)) FD_CLR (sock, &infdset); else break; } } else { FD_SET (1, &outfdset); FD_CLR (sock, &infdset); } } if (FD_ISSET (1, &outfd)) { wlen = write (1, bufp[1], len[1]); if (wlen <= 0) { if (errno != EINTR) { if (FD_ISSET (esock, &infdset) || FD_ISSET (2, &outfdset)) FD_CLR (sock, &infdset); else break; } } else { len[1] -= wlen; bufp[1] += wlen; if (!len[1]) { FD_CLR (1, &outfdset); FD_SET (sock, &infdset); bufp[1] = buf[1]; } } } if (FD_ISSET (0, &infd)) { len[0] = read (0, buf[0], BUFLEN); if (len[0] <= 0) { if (errno != EINTR) { FD_CLR (0, &infdset); shutdown (sock, SHUT_WR); } } else { FD_SET (sock, &outfdset); FD_CLR (0, &infdset); } } if (FD_ISSET (sock, &outfd)) { #ifdef SHISHI if (encryption) { rc = writeenc (h, sock, bufp[0], len[0], &wlen, iv3, &ivlen3, enckey); if (rc != SHISHI_OK) break; } else #endif wlen = write (sock, bufp[0], len[0]); if (wlen <= 0) { if (errno != EINTR) break; } else { len[0] -= wlen; bufp[0] += wlen; if (!len[0]) { FD_CLR (sock, &outfdset); FD_SET (0, &infdset); bufp[0] = buf[0]; } } } } if (errno) { fprintf (stderr, "%s: %s\n", argv0, strerror (errno)); return 1; } close (sock); close (esock); #ifdef SHISHI if (shishi) { shishi_done (h); if (encryption) { free (iv); free (iv2); free (iv3); } } #endif return 0; }
/* shishi authentication */ int auth (Shishi * h, int verbose, const char *cname, const char *sname, int sock, char *cmd, char *port, Shishi_key ** enckey, Shishi_key * deckey) { Shishi_ap *ap; Shishi_tkt *tkt; Shishi_tkts_hint hint; int rc; char *out; int outlen; int krb5len, msglen; char auth; /* KERBEROS 5 SENDAUTH MESSAGE */ char krb5sendauth[] = "KRB5_SENDAUTH_V1.0"; /* PROTOCOL VERSION */ char krb5sendclient[] = "KCMDV0.2"; /* to store error msg sent by server */ char errormsg[101]; char cksumdata[101]; /* size of KRB5 auth message */ krb5len = strlen (krb5sendauth) + 1; msglen = htonl (krb5len); safewrite (sock, &msglen, sizeof (int)); /* KRB5 authentication message */ safewrite (sock, krb5sendauth, krb5len); /* size of client message */ krb5len = strlen (krb5sendclient) + 1; msglen = htonl (krb5len); safewrite (sock, &msglen, sizeof (int)); /* KRB5 client message */ safewrite (sock, krb5sendclient, krb5len); /* get answer from server 0 = ok, 1 = error with message */ read (sock, &auth, 1); if (auth) { read (sock, errormsg, 100); errormsg[100] = '\0'; printf ("Error during server authentication : %s\n", errormsg); return 1; } if (verbose) { printf ("Client: %s\n", cname); printf ("Server: %s\n", sname); } /* Get a ticket for the server. */ memset (&hint, 0, sizeof (hint)); hint.client = (char *) cname; hint.server = (char *) sname; tkt = shishi_tkts_get (shishi_tkts_default (h), &hint); if (!tkt) { printf ("cannot find ticket for \"%s\"\n", sname); return 1; } if (verbose) shishi_tkt_pretty_print (tkt, stderr); /* Create Authentication context */ rc = shishi_ap_tktoptions (h, &ap, tkt, SHISHI_APOPTIONS_MUTUAL_REQUIRED); if (rc != SHISHI_OK) { printf ("cannot create authentication context\n"); return 1; } /* checksum = port: terminal name */ snprintf (cksumdata, 100, "%s:%s%s", port, cmd, cname); /* add checksum to authenticator */ shishi_ap_authenticator_cksumdata_set (ap, cksumdata, strlen (cksumdata)); /* To be compatible with MIT rlogind */ shishi_ap_authenticator_cksumtype_set (ap, SHISHI_RSA_MD5); /* create der encoded AP-REQ */ rc = shishi_ap_req_der (ap, &out, &outlen); if (rc != SHISHI_OK) { printf ("cannot build authentication request: %s\n", shishi_strerror (rc)); return 1; } if (verbose) shishi_authenticator_print (h, stderr, shishi_ap_authenticator (ap)); /* extract subkey if present from ap exchange for secure connection */ shishi_authenticator_get_subkey (h, shishi_ap_authenticator (ap), enckey); /* send size of AP-REQ to the server */ msglen = htonl (outlen); safewrite (sock, (char *) &msglen, sizeof (int)); /* send AP-REQ to the server */ safewrite (sock, out, outlen); /* read a respond from server - what ? */ read (sock, &auth, sizeof (int)); /* For mutual authentication, wait for server reply. */ if (shishi_apreq_mutual_required_p (h, shishi_ap_req (ap))) { if (verbose) printf ("Waiting for server to authenticate itself...\n"); /* read size of the AP-REP */ read (sock, (char *) &outlen, sizeof (int)); /* read AP-REP */ outlen = ntohl (outlen); outlen = read (sock, out, outlen); rc = shishi_ap_rep_verify_der (ap, out, outlen); if (rc == SHISHI_OK) { if (verbose) printf ("AP-REP verification OK...\n"); } else { if (rc == SHISHI_APREP_VERIFY_FAILED) printf ("AP-REP verification failed...\n"); else printf ("AP-REP verification error: %s\n", shishi_strerror (rc)); return 1; } /* The server is authenticated. */ if (verbose) printf ("Server authenticated.\n"); } /* We are now authenticated. */ if (verbose) printf ("User authenticated.\n"); return AUTH_OK; }
static Shishi_ap * auth (Shishi * h, int verbose, const char *cname, const char *sname) { Shishi_ap *ap; Shishi_tkt *tkt; Shishi_tkts_hint hint; int rc; printf ("Client: %s\n", cname); printf ("Server: %s\n", sname); /* Get a ticket for the server. */ memset (&hint, 0, sizeof (hint)); hint.client = (char *) cname; hint.server = (char *) sname; tkt = shishi_tkts_get (shishi_tkts_default (h), &hint); if (!tkt) { printf ("cannot find ticket for \"%s\"\n", sname); return NULL; } if (verbose) shishi_tkt_pretty_print (tkt, stderr); /* Create Authentication context */ rc = shishi_ap_tktoptions (h, &ap, tkt, SHISHI_APOPTIONS_MUTUAL_REQUIRED); if (rc != SHISHI_OK) { printf ("cannot create authentication context\n"); return NULL; } /* Build Authentication request */ rc = shishi_ap_req_build (ap); if (rc != SHISHI_OK) { printf ("cannot build authentication request: %s\n", shishi_strerror (rc)); return NULL; } if (verbose) shishi_authenticator_print (h, stderr, shishi_ap_authenticator (ap)); /* Authentication ourself to server */ shishi_apreq_print (h, stdout, shishi_ap_req (ap)); /* Note: to get the binary blob to send, use: * * char *out; int outlen; * ... * rc = shishi_ap_req_der (ap, &out, &outlen); * ... * write(fd, out, outlen); */ /* For mutual authentication, wait for server reply. */ if (shishi_apreq_mutual_required_p (h, shishi_ap_req (ap))) { Shishi_asn1 aprep; printf ("Waiting for server to authenticate itself...\n"); rc = shishi_aprep_parse (h, stdin, &aprep); if (rc != SHISHI_OK) { printf ("Cannot parse AP-REP from server: %s\n", shishi_strerror (rc)); return NULL; } rc = shishi_ap_rep_verify_asn1 (ap, aprep); if (rc == SHISHI_OK) printf ("AP-REP verification OK...\n"); else { if (rc == SHISHI_APREP_VERIFY_FAILED) printf ("AP-REP verification failed...\n"); else printf ("AP-REP verification error: %s\n", shishi_strerror (rc)); return NULL; } /* The server is authenticated. */ printf ("Server authenticated.\n"); } /* We are now authenticated. */ printf ("User authenticated.\n"); return ap; }
static Shishi * init_handle (int outputtype) { Shishi *handle; int rc; handle = xcalloc (1, sizeof (*handle)); shishi_error_set_outputtype (handle, outputtype); if (!shishi_check_version (SHISHI_VERSION)) { shishi_warn (handle, "Library and header version missmatch (%s vs %s).", shishi_check_version (NULL), SHISHI_VERSION); free (handle); return NULL; } rc = gl_sockets_startup (SOCKETS_2_1); if (rc) { shishi_warn (handle, "Failed to initialized Windows sockets (%d)", rc); free (handle); return NULL; } rc = _shishi_crypto_init (handle); if (rc != SHISHI_OK) { shishi_warn (handle, "Cannot initialize crypto library"); free (handle); return NULL; } #ifdef USE_STARTTLS rc = _shishi_tls_init (handle); if (rc != SHISHI_OK) { shishi_warn (handle, "Cannot initialize TLS library"); free (handle); return NULL; } #endif rc = _shishi_asn1_init (handle); if (rc != SHISHI_OK) { shishi_warn (handle, "%s", shishi_strerror (SHISHI_ASN1_ERROR)); free (handle); return NULL; } bindtextdomain (PACKAGE, LOCALEDIR); textdomain (PACKAGE); handle->kdctimeout = 5; handle->kdcretries = 3; handle->ticketlife = TICKETLIFE; handle->renewlife = RENEWLIFE; handle->nclientkdcetypes = 1; handle->clientkdcetypes = xmalloc (sizeof (*handle->clientkdcetypes) * handle->nclientkdcetypes); handle->clientkdcetypes[0] = SHISHI_AES256_CTS_HMAC_SHA1_96; handle->nauthorizationtypes = 1; handle->authorizationtypes = xmalloc (sizeof (*handle->authorizationtypes) * handle->nauthorizationtypes); handle->authorizationtypes[0] = SHISHI_AUTHORIZATION_BASIC; return handle; }
int main (int argc, char *argv[]) { struct gengetopt_args_info args; time_t starttime, endtime, renew_till; Shishi *sh; int rc; setlocale (LC_ALL, ""); bindtextdomain (PACKAGE, LOCALEDIR); textdomain (PACKAGE); set_program_name (argv[0]); if (cmdline_parser (argc, argv, &args) != 0) usage (EXIT_FAILURE); if (args.version_given) { version_etc (stdout, "shishi", PACKAGE_NAME, VERSION, "Simon Josefsson", (char *) NULL); return EXIT_SUCCESS; } if (args.inputs_num > 2 || args.destroy_given + args.list_given + args.renew_given > 1) { error (0, 0, _("too many arguments")); usage (EXIT_FAILURE); } if (args.help_given) usage (EXIT_SUCCESS); rc = shishi_init_with_paths (&sh, args.ticket_file_arg, args.system_configuration_file_arg, args.configuration_file_arg); if (rc == SHISHI_HANDLE_ERROR) error (EXIT_FAILURE, 0, _("Could not initialize libshishi.")); rc = shishi_cfg_clientkdcetype_set (sh, args.encryption_type_arg); if (rc != SHISHI_OK) error (EXIT_FAILURE, 0, _("Could not set encryption types: %s"), shishi_strerror (rc)); if (args.inputs_num > 0) { rc = shishi_parse_name (sh, args.inputs[0], (args.client_name_arg ? NULL : &args.client_name_arg), (args.realm_arg ? NULL : &args.realm_arg)); if (rc != SHISHI_OK) error (EXIT_FAILURE, 0, _("Could not parse client principal \"%s\": %s"), args.inputs[0], shishi_strerror (rc)); } if (args.inputs_num > 1) { rc = shishi_parse_name (sh, args.inputs[1], (args.server_name_arg ? NULL : &args.server_name_arg), (args.realm_arg ? NULL : &args.realm_arg)); if (rc != SHISHI_OK) error (EXIT_FAILURE, 0, _("Could not parse server principal \"%s\": %s"), args.inputs[1], shishi_strerror (rc)); } rc = shishi_cfg (sh, args.library_options_arg); if (rc != SHISHI_OK) error (EXIT_FAILURE, 0, _("Could not read library options: %s"), shishi_strerror (rc)); if (args.verbose_given > 0) shishi_cfg (sh, "verbose"); if (args.verbose_given > 1) shishi_cfg (sh, "verbose-noise"); if (args.verbose_given > 2) shishi_cfg (sh, "verbose-asn1"); if (args.verbose_given > 3) shishi_cfg (sh, "verbose-crypto"); if (args.verbose_given > 4) shishi_cfg (sh, "verbose-crypto-noise"); if (args.starttime_arg) { starttime = shishi_get_date (args.starttime_arg, NULL); if (starttime == -1) error (EXIT_FAILURE, 0, _("Invalid --starttime date `%s'"), args.starttime_arg); } else starttime = time (NULL); if (args.endtime_arg) { endtime = shishi_get_date (args.endtime_arg, &starttime); if (endtime == -1) error (EXIT_FAILURE, 0, _("Invalid --endtime date `%s'"), args.starttime_arg); } else endtime = 0; if (args.renew_till_arg) { renew_till = shishi_get_date (args.renew_till_arg, &starttime); if (renew_till == -1) error (EXIT_FAILURE, 0, _("Invalid --renew-till date `%s'"), args.renew_till_arg); } else renew_till = 0; if (args.client_name_arg) shishi_principal_default_set (sh, args.client_name_arg); if (args.realm_arg) shishi_realm_default_set (sh, args.realm_arg); if (!args.ticket_granter_arg) asprintf (&args.ticket_granter_arg, "krbtgt/%s", shishi_realm_default (sh)); if (args.list_flag) { if (!args.quiet_flag) printf (_("Tickets in `%s':\n"), shishi_tkts_default_file (sh)); rc = shishi_tkts_print_for_service (shishi_tkts_default (sh), stdout, args.server_name_arg); if (rc != SHISHI_OK) error (EXIT_FAILURE, 0, _("Could not list tickets: %s"), shishi_strerror (rc)); } else if (args.destroy_flag) { int i, removed = 0; for (i = 0; i < shishi_tkts_size (shishi_tkts_default (sh)); i++) { if (args.server_name_arg && !shishi_tkt_server_p (shishi_tkts_nth (shishi_tkts_default (sh), i), args.server_name_arg)) continue; if (args.verbose_given) { printf (_("Removing ticket:\n")); shishi_tkt_pretty_print (shishi_tkts_nth (shishi_tkts_default (sh), i), stdout); } rc = shishi_tkts_remove (shishi_tkts_default (sh), i); if (rc != SHISHI_OK) error (EXIT_FAILURE, 0, _("Could not destroy ticket %d:\n%s"), i, shishi_strerror (rc)); i--; removed++; } if (!args.quiet_flag) { if (removed == 0) printf (_("No tickets removed.\n")); else printf (ngettext ("%d ticket removed.\n", "%d tickets removed.\n", removed), removed); } } else if (args.renew_given) { error (EXIT_FAILURE, 0, "Command --renew not implemented."); } else { Shishi_tkt *tkt; Shishi_tkts_hint hint; memset (&hint, 0, sizeof (hint)); hint.client = args.client_name_arg; hint.server = args.server_name_arg ? args.server_name_arg : args.ticket_granter_arg; hint.starttime = starttime; hint.endtime = endtime; hint.renew_till = renew_till; if (args.renewable_flag) hint.tktflags |= SHISHI_TICKETFLAGS_RENEWABLE; if (args.proxiable_flag) hint.tktflags |= SHISHI_TICKETFLAGS_PROXIABLE; if (args.proxy_flag) hint.tktflags |= SHISHI_TICKETFLAGS_PROXY; if (args.forwardable_flag) hint.tktflags |= SHISHI_TICKETFLAGS_FORWARDABLE; if (args.forwarded_flag) hint.tktflags |= SHISHI_TICKETFLAGS_FORWARDED; tkt = shishi_tkts_get (shishi_tkts_default (sh), &hint); if (!tkt) error (EXIT_FAILURE, 0, _("Could not get ticket as `%s' for `%s'."), hint.client ? hint.client : shishi_principal_default (sh), hint.server); shishi_tkt_pretty_print (tkt, stdout); } shishi_tkts_expire (shishi_tkts_default (sh)); if (args.ticket_write_file_arg) shishi_tkts_default_file_set (sh, args.ticket_write_file_arg); shishi_done (sh); return EXIT_SUCCESS; }
static Shishi_ap * auth (Shishi * h, int verbose, const char *cname, const char *sname) { Shishi_key *key; Shishi_ap *ap; Shishi_asn1 apreq; char *buf; size_t buflen; int rc; printf ("Client: %s\n", cname); printf ("Server: %s\n", sname); /* Get key for the server. */ key = shishi_hostkeys_for_server (h, sname); if (!key) { printf ("could not find key: %s\n", shishi_error (h)); return NULL; } if (verbose) shishi_key_print (h, stderr, key); /* Read Authentication request from client */ printf ("Waiting for client to authenticate itself...\n"); rc = shishi_apreq_parse (h, stdin, &apreq); if (rc != SHISHI_OK) { printf ("could not read AP-REQ: %s\n", shishi_strerror (rc)); return NULL; } /* Create Authentication context */ rc = shishi_ap (h, &ap); if (rc != SHISHI_OK) { printf ("Could not create AP: %s\n", shishi_strerror (rc)); return NULL; } /* Store request in context */ shishi_ap_req_set (ap, apreq); /* Process authentication request */ rc = shishi_ap_req_process (ap, key); if (rc != SHISHI_OK) { printf ("Could not process AP-REQ: %s\n", shishi_strerror (rc)); return NULL; } if (verbose) shishi_authenticator_print (h, stderr, shishi_ap_authenticator (ap)); rc = shishi_authenticator_client (h, shishi_ap_authenticator (ap), &buf, &buflen); printf ("Client name (from authenticator): %.*s\n", (int) buflen, buf); free (buf); rc = shishi_encticketpart_clientrealm (h, shishi_tkt_encticketpart (shishi_ap_tkt (ap)), &buf, &buflen); printf ("Client name (from encticketpart): %.*s\n", (int) buflen, buf); free (buf); rc = shishi_ticket_server (h, shishi_tkt_ticket (shishi_ap_tkt (ap)), &buf, &buflen); printf ("Server name (from ticket): %.*s\n", (int) buflen, buf); free (buf); /* User is authenticated. */ printf ("User authenticated.\n"); /* Authenticate ourself to client, if request */ if (shishi_apreq_mutual_required_p (h, apreq)) { Shishi_asn1 aprep; printf ("Mutual authentication required.\n"); rc = shishi_ap_rep_asn1 (ap, &aprep); if (rc != SHISHI_OK) { printf ("Error creating AP-REP: %s\n", shishi_strerror (rc)); return NULL; } if (verbose) shishi_encapreppart_print (h, stderr, shishi_ap_encapreppart (ap)); shishi_aprep_print (h, stdout, aprep); /* We are authenticated to client */ } return ap; }
/* authentication, server side */ int get_auth (int infd, krb5_context *ctx, krb5_auth_context *actx, krb5_keyblock **key, const char **err_msg, int *protoversion, int *cksumtype, char **cksum, size_t *cksumlen, char *srvname) { char *out; size_t outlen; char *buf; int buflen; int len; int rc; int error; /* KERBEROS 5 SENDAUTH MESSAGE */ char krb5sendauth[] = "KRB5_SENDAUTH_V1.0"; /* PROTOCOL VERSION */ char krb5kcmd1[] = "KCMDV0.1"; char krb5kcmd2[] = "KCMDV0.2"; char *servername, *server = NULL, *realm = NULL; *err_msg = NULL; /* Get key for the server. */ # if 0 /* * XXX: Taken straight from the version for libshishi. * XXX: No adaptions yet. */ rc = shishi_init_server (handle); if (rc != SHISHI_OK) return rc; if (srvname && *srvname) { rc = shishi_parse_name (*handle, srvname, &server, &realm); if (rc != SHISHI_OK) { *err_msg = shishi_strerror (rc); return rc; } } if (server && *server) { char *p; servername = malloc (sizeof (SERVICE) + strlen (server) + 2); if (!servername) { *err_msg = "Not enough memory"; return SHISHI_TOO_SMALL_BUFFER; } p = strchr (server, '/'); if (p && (p != server)) sprintf (servername, "%s", server); /* Non-empty prefix. */ else sprintf (servername, "%s/%s", SERVICE, server + (p ? 1 : 0)); /* Remove initial slash. */ } else servername = shishi_server_for_local_service (*handle, SERVICE); if (realm && *realm) shishi_realm_default_set (*handle, realm); free (server); free (realm); /* Enable use of `~/.k5login'. */ if (shishi_check_version ("1.0.2")) /* Faulty in version 1.0.1. */ { rc = shishi_cfg_authorizationtype_set (*handle, "k5login basic"); if (rc != SHISHI_OK) { *err_msg = shishi_error (*handle); return rc; } } key = shishi_hostkeys_for_serverrealm (*handle, servername, shishi_realm_default (*handle)); free (servername); if (!key) { *err_msg = shishi_error (*handle); return SHISHI_INVALID_KEY; } /* Read Kerberos 5 sendauth message */ rc = read (infd, &len, sizeof (int)); if (rc != sizeof (int)) { *err_msg = "Error reading message size"; return SHISHI_IO_ERROR; } buflen = ntohl (len); buf = malloc (buflen); if (!buf) { *err_msg = "Not enough memory"; return SHISHI_TOO_SMALL_BUFFER; } rc = read (infd, buf, buflen); if (rc != buflen) { *err_msg = "Error reading authentication message"; return SHISHI_IO_ERROR; } len = strlen (krb5sendauth); rc = strncmp (buf, krb5sendauth, buflen >= len ? len : buflen); if (rc) { *err_msg = "Invalid authentication type"; /* Authentication type is wrong. */ write (infd, "\001", 1); return SHISHI_VERIFY_FAILED; } free (buf); /* Read protocol version */ rc = read (infd, &len, sizeof (int)); if (rc != sizeof (int)) { *err_msg = "Error reading protocol message size"; return SHISHI_IO_ERROR; } buflen = ntohl (len); buf = malloc (buflen); if (!buf) { *err_msg = "Not enough memory"; return SHISHI_TOO_SMALL_BUFFER; } rc = read (infd, buf, buflen); if (rc != buflen) { *err_msg = "Error reading protocol message"; return SHISHI_IO_ERROR; } len = strlen (krb5kcmd1); rc = strncmp (buf, krb5kcmd1, buflen >= len ? len : buflen); if (rc) { len = strlen (krb5kcmd2); rc = strncmp (buf, krb5kcmd2, buflen >= len ? len : buflen); if (rc) { *err_msg = "Protocol version not supported"; /* Protocol version is wrong. */ write (infd, "\002", 1); return SHISHI_VERIFY_FAILED; } *protoversion = 2; } else *protoversion = 1; free (buf); /* Authentication type is ok */ write (infd, "\0", 1); /* Read Authentication request from client */ rc = read (infd, &len, sizeof (int)); if (rc != sizeof (int)) { *err_msg = "Error reading authentication request size"; return SHISHI_IO_ERROR; } buflen = ntohl (len); buf = malloc (buflen); if (!buf) { *err_msg = "Not enough memory"; return SHISHI_TOO_SMALL_BUFFER; } rc = read (infd, buf, buflen); if (rc != buflen) { *err_msg = "Error reading authentication request"; return SHISHI_IO_ERROR; } /* Create Authentication context */ rc = shishi_ap_nosubkey (*handle, ap); if (rc != SHISHI_OK) return rc; /* Store request in context */ rc = shishi_ap_req_der_set (*ap, buf, buflen); if (rc != SHISHI_OK) return rc; free (buf); /* Process authentication request */ rc = shishi_ap_req_process (*ap, key); if (rc != SHISHI_OK) return rc; # ifdef ENCRYPTION /* extract subkey if present from ap exchange for secure connection */ if (*protoversion == 2) { *enckey = NULL; shishi_authenticator_get_subkey (*handle, shishi_ap_authenticator (*ap), enckey); } # endif /* Get authenticator checksum */ rc = shishi_authenticator_cksum (*handle, shishi_ap_authenticator (*ap), cksumtype, cksum, cksumlen); if (rc != SHISHI_OK) return rc; /* User is authenticated. */ error = 0; write (infd, &error, sizeof (int)); /* Authenticate ourself to client, if requested. */ if (shishi_apreq_mutual_required_p (*handle, shishi_ap_req (*ap))) { int len; rc = shishi_ap_rep_der (*ap, &out, &outlen); if (rc != SHISHI_OK) return rc; len = outlen; len = htonl (len); rc = write (infd, &len, sizeof (len)); if (rc != sizeof (int)) { *err_msg = "Error sending AP-REP"; free (out); return SHISHI_IO_ERROR; } rc = write (infd, out, ntohl (len)); if (rc != (int) ntohl (len)) { *err_msg = "Error sending AP-REP"; free (out); return SHISHI_IO_ERROR; } free (out); /* We are authenticated to client */ } # ifdef ENCRYPTION if (*protoversion == 1) { Shishi_tkt *tkt; tkt = shishi_ap_tkt (*ap); if (tkt == NULL) { *err_msg = "Could not get tkt from AP-REQ"; return SHISHI_INVALID_TICKET; } rc = shishi_encticketpart_get_key (*handle, shishi_tkt_encticketpart (tkt), enckey); if (rc != SHISHI_OK) return rc; } # endif /* ENCRYPTION */ return 0; # else return -1; # endif }
/* Allows a remotely initiated security context between the application and a remote peer to be established, using krb5. Assumes context_handle is valid. */ OM_uint32 gss_krb5_accept_sec_context (OM_uint32 * minor_status, gss_ctx_id_t * context_handle, const gss_cred_id_t acceptor_cred_handle, const gss_buffer_t input_token_buffer, const gss_channel_bindings_t input_chan_bindings, gss_name_t * src_name, gss_OID * mech_type, gss_buffer_t output_token, OM_uint32 * ret_flags, OM_uint32 * time_rec, gss_cred_id_t * delegated_cred_handle) { gss_buffer_desc data; char *in; size_t inlen; gss_ctx_id_t cx; _gss_krb5_ctx_t cxk5; _gss_krb5_cred_t crk5; int rc; if (minor_status) *minor_status = 0; if (ret_flags) *ret_flags = 0; if (!acceptor_cred_handle) /* XXX support GSS_C_NO_CREDENTIAL: acquire_cred() default server */ return GSS_S_NO_CRED; if (*context_handle) return GSS_S_FAILURE; crk5 = acceptor_cred_handle->krb5; cx = calloc (sizeof (*cx), 1); if (!cx) { if (minor_status) *minor_status = ENOMEM; return GSS_S_FAILURE; } cxk5 = calloc (sizeof (*cxk5), 1); if (!cxk5) { free (cx); if (minor_status) *minor_status = ENOMEM; return GSS_S_FAILURE; } cx->mech = GSS_KRB5; cx->krb5 = cxk5; /* XXX cx->peer?? */ *context_handle = cx; cxk5->sh = crk5->sh; cxk5->key = crk5->key; cxk5->acceptor = 1; rc = shishi_ap (cxk5->sh, &cxk5->ap); if (rc != SHISHI_OK) return GSS_S_FAILURE; rc = gss_decapsulate_token (input_token_buffer, GSS_KRB5, &in, &inlen); if (!rc) return GSS_S_BAD_MIC; if (inlen < TOK_LEN) return GSS_S_BAD_MIC; if (memcmp (in, TOK_AP_REQ, TOK_LEN) != 0) return GSS_S_BAD_MIC; rc = shishi_ap_req_der_set (cxk5->ap, in + TOK_LEN, inlen - TOK_LEN); if (rc != SHISHI_OK) return GSS_S_FAILURE; rc = shishi_ap_req_process (cxk5->ap, crk5->key); if (rc != SHISHI_OK) { if (minor_status) *minor_status = GSS_KRB5_S_G_VALIDATE_FAILED; return GSS_S_FAILURE; } rc = shishi_authenticator_seqnumber_get (cxk5->sh, shishi_ap_authenticator (cxk5->ap), &cxk5->initseqnr); if (rc != SHISHI_OK) return GSS_S_FAILURE; rc = _gss_krb5_checksum_parse (minor_status, context_handle, input_chan_bindings); if (rc != GSS_S_COMPLETE) return GSS_S_FAILURE; cxk5->tkt = shishi_ap_tkt (cxk5->ap); cxk5->key = shishi_ap_key (cxk5->ap); if (shishi_apreq_mutual_required_p (crk5->sh, shishi_ap_req (cxk5->ap))) { Shishi_asn1 aprep; rc = shishi_ap_rep_asn1 (cxk5->ap, &aprep); if (rc != SHISHI_OK) { printf ("Error creating AP-REP: %s\n", shishi_strerror (rc)); return GSS_S_FAILURE; } rc = shishi_encapreppart_seqnumber_get (cxk5->sh, shishi_ap_encapreppart (cxk5-> ap), &cxk5->acceptseqnr); if (rc != SHISHI_OK) { /* A strict 1964 implementation would return GSS_S_DEFECTIVE_TOKEN here. gssapi-cfx permit absent sequence number, though. */ cxk5->acceptseqnr = 0; } { char *der; size_t len; rc = shishi_asn1_to_der (crk5->sh, aprep, &der, &len); if (rc != SHISHI_OK) { printf ("Error der encoding aprep: %s\n", shishi_strerror (rc)); return GSS_S_FAILURE; } data.value = der; data.length = len; } rc = gss_encapsulate_token_prefix (&data, TOK_AP_REP, TOK_LEN, GSS_KRB5, output_token); if (!rc) return GSS_S_FAILURE; if (ret_flags) *ret_flags = GSS_C_MUTUAL_FLAG; } else { output_token->value = NULL; output_token->length = 0; } if (src_name) { gss_name_t p; p = malloc (sizeof (*p)); if (!p) { if (minor_status) *minor_status = ENOMEM; return GSS_S_FAILURE; } rc = shishi_encticketpart_client (cxk5->sh, shishi_tkt_encticketpart (cxk5->tkt), &p->value, &p->length); if (rc != SHISHI_OK) return GSS_S_FAILURE; p->type = GSS_KRB5_NT_PRINCIPAL_NAME; *src_name = p; } /* PROT_READY is not mentioned in 1964/gssapi-cfx but we support it anyway. */ if (ret_flags) *ret_flags |= GSS_C_PROT_READY_FLAG; if (minor_status) *minor_status = 0; return GSS_S_COMPLETE; }