/**
* shishi_tgs_req_build:
* @tgs: structure that holds information about TGS exchange
*
* Checksum data in authenticator and add ticket and authenticator to
* TGS-REQ.
*
* Return value: Returns SHISHI_OK iff successful.
**/
int
shishi_tgs_req_build (Shishi_tgs * tgs)
{
uint32_t apoptions;
int res;
if (VERBOSE (tgs->handle))
printf ("Building TGS-REQ...\n");
res = shishi_kdcreq_build (tgs->handle, tgs->tgsreq);
if (res != SHISHI_OK)
return res;
res = shishi_apreq_options (tgs->handle, shishi_ap_req (tgs->ap),
&apoptions);
if (res != SHISHI_OK)
{
shishi_error_printf (tgs->handle,
"Could not get AP-REQ AP-Options: %s\n",
shishi_strerror (res));
return res;
}
res = shishi_ap_set_tktoptionsasn1usage
(tgs->ap, tgs->tgtkt, apoptions, tgs->tgsreq, "req-body",
SHISHI_KEYUSAGE_TGSREQ_APREQ_AUTHENTICATOR_CKSUM,
SHISHI_KEYUSAGE_TGSREQ_APREQ_AUTHENTICATOR);
if (res == SHISHI_OK)
res = shishi_ap_req_build (tgs->ap);
if (res != SHISHI_OK)
{
shishi_error_printf (tgs->handle, "Could not make AP-REQ: %s\n",
shishi_strerror (res));
return res;
}
if (VERBOSE (tgs->handle))
printf ("Got AP-REQ...\n");
if (VERBOSEASN1 (tgs->handle))
shishi_apreq_print (tgs->handle, stdout, shishi_ap_req (tgs->ap));
res = shishi_kdcreq_add_padata_tgs (tgs->handle, tgs->tgsreq,
shishi_ap_req (tgs->ap));
if (res != SHISHI_OK)
{
shishi_error_printf (tgs->handle, "Could not add AP-REQ to TGS: %s\n",
shishi_strerror (res));
return res;
}
return SHISHI_OK;
}
static Shishi_ap *
auth (Shishi * h, int verbose, const char *cname, const char *sname)
{
Shishi_ap *ap;
Shishi_tkt *tkt;
Shishi_tkts_hint hint;
int rc;
printf ("Client: %s\n", cname);
printf ("Server: %s\n", sname);
/* Get a ticket for the server. */
memset (&hint, 0, sizeof (hint));
hint.client = (char *) cname;
hint.server = (char *) sname;
tkt = shishi_tkts_get (shishi_tkts_default (h), &hint);
if (!tkt)
{
printf ("cannot find ticket for \"%s\"\n", sname);
return NULL;
}
if (verbose)
shishi_tkt_pretty_print (tkt, stderr);
/* Create Authentication context */
rc = shishi_ap_tktoptions (h, &ap, tkt, SHISHI_APOPTIONS_MUTUAL_REQUIRED);
if (rc != SHISHI_OK)
{
printf ("cannot create authentication context\n");
return NULL;
}
/* Build Authentication request */
rc = shishi_ap_req_build (ap);
if (rc != SHISHI_OK)
{
printf ("cannot build authentication request: %s\n",
shishi_strerror (rc));
return NULL;
}
if (verbose)
shishi_authenticator_print (h, stderr, shishi_ap_authenticator (ap));
/* Authentication ourself to server */
shishi_apreq_print (h, stdout, shishi_ap_req (ap));
/* Note: to get the binary blob to send, use:
*
* char *out; int outlen;
* ...
* rc = shishi_ap_req_der (ap, &out, &outlen);
* ...
* write(fd, out, outlen);
*/
/* For mutual authentication, wait for server reply. */
if (shishi_apreq_mutual_required_p (h, shishi_ap_req (ap)))
{
Shishi_asn1 aprep;
printf ("Waiting for server to authenticate itself...\n");
rc = shishi_aprep_parse (h, stdin, &aprep);
if (rc != SHISHI_OK)
{
printf ("Cannot parse AP-REP from server: %s\n",
shishi_strerror (rc));
return NULL;
}
rc = shishi_ap_rep_verify_asn1 (ap, aprep);
if (rc == SHISHI_OK)
printf ("AP-REP verification OK...\n");
else
{
if (rc == SHISHI_APREP_VERIFY_FAILED)
printf ("AP-REP verification failed...\n");
else
printf ("AP-REP verification error: %s\n", shishi_strerror (rc));
return NULL;
}
/* The server is authenticated. */
printf ("Server authenticated.\n");
}
/* We are now authenticated. */
printf ("User authenticated.\n");
return ap;
}
