static Shishi_ap *
auth (Shishi * h, int verbose, const char *cname, const char *sname)
{
Shishi_key *key;
Shishi_ap *ap;
Shishi_asn1 apreq;
char *buf;
size_t buflen;
int rc;
printf ("Client: %s\n", cname);
printf ("Server: %s\n", sname);
/* Get key for the server. */
key = shishi_hostkeys_for_server (h, sname);
if (!key)
{
printf ("could not find key: %s\n", shishi_error (h));
return NULL;
}
if (verbose)
shishi_key_print (h, stderr, key);
/* Read Authentication request from client */
printf ("Waiting for client to authenticate itself...\n");
rc = shishi_apreq_parse (h, stdin, &apreq);
if (rc != SHISHI_OK)
{
printf ("could not read AP-REQ: %s\n", shishi_strerror (rc));
return NULL;
}
/* Create Authentication context */
rc = shishi_ap (h, &ap);
if (rc != SHISHI_OK)
{
printf ("Could not create AP: %s\n", shishi_strerror (rc));
return NULL;
}
/* Store request in context */
shishi_ap_req_set (ap, apreq);
/* Process authentication request */
rc = shishi_ap_req_process (ap, key);
if (rc != SHISHI_OK)
{
printf ("Could not process AP-REQ: %s\n", shishi_strerror (rc));
return NULL;
}
if (verbose)
shishi_authenticator_print (h, stderr, shishi_ap_authenticator (ap));
rc = shishi_authenticator_client (h, shishi_ap_authenticator (ap),
&buf, &buflen);
printf ("Client name (from authenticator): %.*s\n", (int) buflen, buf);
free (buf);
rc = shishi_encticketpart_clientrealm
(h, shishi_tkt_encticketpart (shishi_ap_tkt (ap)), &buf, &buflen);
printf ("Client name (from encticketpart): %.*s\n", (int) buflen, buf);
free (buf);
rc = shishi_ticket_server (h, shishi_tkt_ticket (shishi_ap_tkt (ap)),
&buf, &buflen);
printf ("Server name (from ticket): %.*s\n", (int) buflen, buf);
free (buf);
/* User is authenticated. */
printf ("User authenticated.\n");
/* Authenticate ourself to client, if request */
if (shishi_apreq_mutual_required_p (h, apreq))
{
Shishi_asn1 aprep;
printf ("Mutual authentication required.\n");
rc = shishi_ap_rep_asn1 (ap, &aprep);
if (rc != SHISHI_OK)
{
printf ("Error creating AP-REP: %s\n", shishi_strerror (rc));
return NULL;
}
if (verbose)
shishi_encapreppart_print (h, stderr, shishi_ap_encapreppart (ap));
shishi_aprep_print (h, stdout, aprep);
/* We are authenticated to client */
}
return ap;
}
int
get_auth (int infd, Shishi ** handle, Shishi_ap ** ap,
Shishi_key ** enckey, const char **err_msg, int *protoversion,
int *cksumtype, char **cksum, int *cksumlen)
{
Shishi_key *key;
char *out;
int outlen;
char *buf;
int buflen;
int len;
int rc;
int i;
int error;
/* KERBEROS 5 SENDAUTH MESSAGE */
char krb5sendauth[] = "KRB5_SENDAUTH_V1.0";
/* PROTOCOL VERSION */
char krb5kcmd1[] = "KCMDV0.1";
char krb5kcmd2[] = "KCMDV0.2";
int auth_correct = 0;
char *servername;
*err_msg = NULL;
/* Get key for the server. */
if (!shishi_check_version (SHISHI_VERSION))
{
*err_msg =
"shishi_check_version() failed: header file incompatible with shared library.";
return 1;
}
rc = shishi_init_server (handle);
if (rc != SHISHI_OK)
return rc;
servername = shishi_server_for_local_service (*handle, SERVICE);
key = shishi_hostkeys_for_server (*handle, servername);
if (!key)
{
*err_msg = shishi_error (*handle);
return 1;
}
/* Read Kerberos 5 sendauth message */
rc = read (infd, &len, sizeof (int));
if (rc != sizeof (int))
{
*err_msg = "Error reading message size";
return 1;
}
buflen = ntohl (len);
buf = malloc (buflen);
if (!buf)
{
*err_msg = "Not enough memory";
return 1;
}
rc = read (infd, buf, buflen);
if (rc != buflen)
{
*err_msg = "Error reading authentication message";
return 1;
}
len = strlen (krb5sendauth);
rc = strncmp (buf, krb5sendauth, buflen >= len ? len : buflen);
if (rc)
{
*err_msg = "Invalid authentication type";
return 1;
}
free (buf);
/* Read protocol version */
rc = read (infd, &len, sizeof (int));
if (rc != sizeof (int))
{
*err_msg = "Error reading protocol message size";
return 1;
}
buflen = ntohl (len);
buf = malloc (buflen);
if (!buf)
{
*err_msg = "Not enough memory";
return 1;
}
rc = read (infd, buf, buflen);
if (rc != buflen)
{
*err_msg = "Error reading protocol message";
return 1;
}
len = strlen (krb5kcmd1);
rc = strncmp (buf, krb5kcmd1, buflen >= len ? len : buflen);
if (rc)
{
len = strlen (krb5kcmd2);
rc = strncmp (buf, krb5kcmd2, buflen >= len ? len : buflen);
if (rc)
{
*err_msg = "Protocol version not supported";
return 1;
}
*protoversion = 2;
}
else
*protoversion = 1;
free (buf);
/* Authentication type is ok */
write (infd, "\0", 1);
/* Read Authentication request from client */
rc = read (infd, &len, sizeof (int));
if (rc != sizeof (int))
{
*err_msg = "Error reading authentication request size";
return 1;
}
buflen = ntohl (len);
buf = malloc (buflen);
if (!buf)
{
*err_msg = "Not enough memory";
return 1;
}
rc = read (infd, buf, buflen);
if (rc != buflen)
{
*err_msg = "Error reading authentication request";
return 1;
}
/* Create Authentication context */
rc = shishi_ap_nosubkey (*handle, ap);
if (rc != SHISHI_OK)
return rc;
/* Store request in context */
shishi_ap_req_der_set (*ap, buf, buflen);
if (rc != SHISHI_OK)
return rc;
free (buf);
/* Process authentication request */
rc = shishi_ap_req_process (*ap, key);
if (rc != SHISHI_OK)
return rc;
# ifdef ENCRYPTION
/* extract subkey if present from ap exchange for secure connection */
if (*protoversion == 2)
{
*enckey = NULL;
shishi_authenticator_get_subkey (*handle,
shishi_ap_authenticator (*ap), enckey);
}
# endif
/* Get authenticator checksum */
rc = shishi_authenticator_cksum (*handle,
shishi_ap_authenticator (*ap),
cksumtype, cksum, cksumlen);
if (rc != SHISHI_OK)
return rc;
/* User is authenticated. */
error = 0;
write (infd, &error, sizeof (int));
/* Authenticate ourself to client, if request */
if (shishi_apreq_mutual_required_p (*handle, shishi_ap_req (*ap)))
{
rc = shishi_ap_rep_der (*ap, &out, &outlen);
if (rc != SHISHI_OK)
return rc;
outlen = htonl (outlen);
rc = write (infd, &outlen, sizeof (int));
if (rc != sizeof (int))
{
*err_msg = "Error sending AP-REP";
free (out);
return 1;
}
rc = write (infd, out, ntohl (outlen));
if (rc != ntohl (outlen))
{
*err_msg = "Error sending AP-REP";
free (out);
return 1;
}
free (out);
/* We are authenticated to client */
}
# ifdef ENCRYPTION
if (*protoversion == 1)
{
Shishi_tkt *tkt;
tkt = shishi_ap_tkt (*ap);
if (tkt == NULL)
{
*err_msg = "Could not get tkt from AP-REQ";
return 1;
}
rc = shishi_encticketpart_get_key (*handle,
shishi_tkt_encticketpart (tkt),
enckey);
if (rc != SHISHI_OK)
return rc;
}
# endif
return SHISHI_OK;
}