static int
doit (Shishi * h, Shishi_ap * ap, int verbose)
{
Shishi_asn1 asn1safe;
Shishi_safe *safe;
char *userdata;
size_t userdatalen;
int res;
printf ("Application exchange start. Press ^D to finish.\n");
while ((res = shishi_safe_parse (h, stdin, &asn1safe)) == SHISHI_OK)
{
if (res != SHISHI_OK)
{
fprintf (stderr, "Could not read SAFE:\n%s\n%s\n",
shishi_strerror (res), shishi_error (h));
return 1;
}
res = shishi_safe (h, &safe);
if (res != SHISHI_OK)
{
fprintf (stderr, "Could not create SAFE:\n%s\n%s\n",
shishi_strerror (res), shishi_error (h));
return 1;
}
shishi_safe_safe_set (safe, asn1safe);
res = shishi_safe_verify (safe, shishi_ap_key (ap));
if (res != SHISHI_OK)
{
fprintf (stderr, "Could not verify SAFE:\n%s\n%s\n",
shishi_strerror (res), shishi_error (h));
return 1;
}
printf ("Verified SAFE successfully...\n");
res = shishi_safe_user_data (h, asn1safe, &userdata, &userdatalen);
if (res != SHISHI_OK)
{
fprintf (stderr, "Could not extract user data:\n%s\n%s\n",
shishi_strerror (res), shishi_error (h));
return 1;
}
userdata[userdatalen] = '\0';
printf ("user data: `%s'\n", userdata);
}
if (ferror (stdin))
{
printf ("error reading stdin\n");
return 1;
}
return 0;
}
/**
* shishi_tgs:
* @handle: shishi handle as allocated by shishi_init().
* @tgs: holds pointer to newly allocate Shishi_tgs structure.
*
* Allocate a new TGS exchange variable.
*
* Return value: Returns SHISHI_OK iff successful.
**/
int
shishi_tgs (Shishi * handle, Shishi_tgs ** tgs)
{
Shishi_tgs *ltgs;
int res;
*tgs = xcalloc (1, sizeof (**tgs));
ltgs = *tgs;
ltgs->handle = handle;
ltgs->tgsreq = shishi_tgsreq (handle);
if (ltgs->tgsreq == NULL)
{
shishi_error_printf (handle, "Could not create TGS-REQ: %s\n",
shishi_error (handle));
return SHISHI_ASN1_ERROR;
}
ltgs->tgsrep = shishi_tgsrep (handle);
if (ltgs->tgsreq == NULL)
{
shishi_error_printf (handle, "Could not create TGS-REP: %s\n",
shishi_error (handle));
return SHISHI_ASN1_ERROR;
}
ltgs->krberror = shishi_krberror (handle);
if (ltgs->krberror == NULL)
{
shishi_error_printf (handle, "Could not create KRB-ERROR: %s\n",
shishi_error (handle));
return SHISHI_ASN1_ERROR;
}
res = shishi_ap_nosubkey (handle, <gs->ap);
if (res != SHISHI_OK)
return res;
res = shishi_authenticator_remove_subkey
(handle, shishi_ap_authenticator (ltgs->ap));
if (res != SHISHI_OK)
return res;
res = shishi_tkt (handle, <gs->tkt);
if (res != SHISHI_OK)
return res;
return SHISHI_OK;
}
int
do_shishi_login (int infd, struct auth_data *ad, const char **err_msg)
{
int rc;
int error = 0;
int keylen, keytype;
struct passwd *pwd = NULL;
int cksumtype, cksumlen = 30;
char *cksum;
char *compcksum;
size_t compcksumlen;
char cksumdata[100];
struct sockaddr_in sock;
size_t socklen = sizeof (struct sockaddr_in);
# ifdef ENCRYPTION
rc = get_auth (infd, &ad->h, &ad->ap, &ad->enckey, err_msg, &ad->protocol,
&cksumtype, &cksum, &cksumlen);
# else
rc = get_auth (infd, &ad->h, &ad->ap, NULL, err_msg, &ad->protocol,
&cksumtype, &cksum, &cksumlen);
# endif
if (rc != SHISHI_OK)
return rc;
# ifdef ENCRYPTION
/* init IV */
if (encrypt_io)
{
int i;
char *iv;
ad->ivtab[0] = &ad->iv1;
ad->ivtab[1] = &ad->iv2;
keytype = shishi_key_type (ad->enckey);
keylen = shishi_cipher_blocksize (keytype);
for (i = 0; i < 2; i++)
{
ad->ivtab[i]->ivlen = keylen;
switch (keytype)
{
case SHISHI_DES_CBC_CRC:
case SHISHI_DES_CBC_MD4:
case SHISHI_DES_CBC_MD5:
case SHISHI_DES_CBC_NONE:
case SHISHI_DES3_CBC_HMAC_SHA1_KD:
ad->ivtab[i]->keyusage = SHISHI_KEYUSAGE_KCMD_DES;
ad->ivtab[i]->iv = malloc (ad->ivtab[i]->ivlen);
memset (ad->ivtab[i]->iv, i, ad->ivtab[i]->ivlen);
ad->ivtab[i]->ctx =
shishi_crypto (ad->h, ad->enckey, ad->ivtab[i]->keyusage,
shishi_key_type (ad->enckey), ad->ivtab[i]->iv,
ad->ivtab[i]->ivlen);
break;
case SHISHI_ARCFOUR_HMAC:
case SHISHI_ARCFOUR_HMAC_EXP:
ad->ivtab[i]->keyusage = SHISHI_KEYUSAGE_KCMD_DES + 6 - 4 * i;
ad->ivtab[i]->ctx =
shishi_crypto (ad->h, ad->enckey, ad->ivtab[i]->keyusage,
shishi_key_type (ad->enckey), NULL, 0);
break;
default:
ad->ivtab[i]->keyusage = SHISHI_KEYUSAGE_KCMD_DES + 6 - 4 * i;
ad->ivtab[i]->iv = malloc (ad->ivtab[i]->ivlen);
memset (ad->ivtab[i]->iv, 0, ad->ivtab[i]->ivlen);
if (ad->protocol == 2)
ad->ivtab[i]->ctx =
shishi_crypto (ad->h, ad->enckey, ad->ivtab[i]->keyusage,
shishi_key_type (ad->enckey),
ad->ivtab[i]->iv, ad->ivtab[i]->ivlen);
}
}
}
# endif
getstr (infd, &ad->lusername, NULL);
getstr (infd, &ad->term, "TERM=");
getstr (infd, &ad->rusername, NULL);
rc = read (infd, &error, sizeof (int));
if ((rc != sizeof (int)) && rc)
{
free (pwd);
free (cksum);
return 1;
}
/*
getpwnam crash !!!!
pwd = getpwnam (ad->lusername);
if (pwd == NULL)
{
*err_msg = "getpwnam failed";
syslog (LOG_ERR, "getpwnam failed: %m");
return 1;
}
syslog (LOG_INFO | LOG_AUTH,
"%sKerberos V login from %s on %s\n",
(pwd->pw_uid == 0) ? "ROOT " : "",
ad->lusername, ad->hostname);
*/
free (pwd);
syslog (LOG_INFO | LOG_AUTH,
"Kerberos V login from %s on %s\n", ad->lusername, ad->hostname);
/* verify checksum */
if (getsockname (infd, (struct sockaddr *) &sock, &socklen) < 0)
{
syslog (LOG_ERR, "Can't get sock name");
fatal (infd, "Can't get sockname", 1);
}
snprintf (cksumdata, 100, "%u:%s%s", ntohs (sock.sin_port), ad->term + 5,
ad->lusername);
rc = shishi_checksum (ad->h, ad->enckey, 0, cksumtype, cksumdata,
strlen (cksumdata), &compcksum, &compcksumlen);
free (cksum);
if (rc != SHISHI_OK
|| compcksumlen != cksumlen || memcmp (compcksum, cksum, cksumlen) != 0)
{
/* err_msg crash ? */
/* *err_msg = "checksum verify failed"; */
syslog (LOG_ERR, "checksum verify failed: %s", shishi_error (ad->h));
free (compcksum);
return 1;
}
free (compcksum);
rc = shishi_authorized_p (ad->h, shishi_ap_tkt (ad->ap), ad->lusername);
if (!rc)
{
syslog (LOG_ERR, "User is not authorized to log in as: %s",
ad->lusername);
shishi_ap_done (ad->ap);
return 1;
}
shishi_ap_done (ad->ap);
return SHISHI_OK;
}
void
test (Shishi * handle)
{
Shishi_key *key, *key2;
char out[BUFSIZ];
size_t i;
int res;
if (debug)
shishi_cfg (handle, strdup ("verbose-crypto,verbose-crypto-noise"));
for (i = 0; i < sizeof (drdk) / sizeof (drdk[0]); i++)
{
if (debug)
printf ("DR entry %d\n", i);
res = shishi_key_from_value (handle, drdk[i].type, drdk[i].key, &key);
if (res == SHISHI_OK)
res = shishi_dr (handle, key, drdk[i].usage, drdk[i].nusage,
out, strlen (drdk[i].dr));
shishi_key_done (key);
if (res != SHISHI_OK)
{
fail ("shishi_dr() entry %d failed (%s)\n",
i, shishi_error (handle));
continue;
}
if (debug)
{
printf ("DR(%s, key, usage)\n", shishi_cipher_name (drdk[i].type));
printf ("key:\n");
escapeprint (drdk[i].key, strlen (drdk[i].key));
hexprint (drdk[i].key, strlen (drdk[i].key));
puts ("");
binprint (drdk[i].key, strlen (drdk[i].key));
puts ("");
printf ("usage:\n");
escapeprint (drdk[i].usage, drdk[i].nusage);
hexprint (drdk[i].usage, drdk[i].nusage);
puts ("");
binprint (drdk[i].usage, drdk[i].nusage);
puts ("");
printf ("computed DR:\n");
escapeprint (out, strlen (drdk[i].dr));
hexprint (out, strlen (drdk[i].dr));
puts ("");
binprint (out, strlen (drdk[i].dr));
puts ("");
printf ("expected DR:\n");
escapeprint (drdk[i].dr, strlen (drdk[i].dr));
hexprint (drdk[i].dr, strlen (drdk[i].dr));
puts ("");
binprint (drdk[i].dr, strlen (drdk[i].dr));
puts ("");
}
if (memcmp (drdk[i].dr, out, strlen (drdk[i].dr)) != 0)
{
fail ("shishi_dr() entry %d failed\n", i);
if (debug)
printf ("ERROR\n");
}
else if (debug)
success ("OK\n");
res = shishi_key_from_value (handle, drdk[i].type, drdk[i].key, &key);
if (res == SHISHI_OK)
res = shishi_key_from_value (handle, drdk[i].type, NULL, &key2);
if (res == SHISHI_OK)
res = shishi_dk (handle, key, drdk[i].usage, drdk[i].nusage, key2);
shishi_key_done (key);
if (res != SHISHI_OK)
{
fail ("shishi_dk() entry %d failed (%s)\n",
i, shishi_error (handle));
continue;
}
if (debug)
{
printf ("DK(%s, key, usage)\n", shishi_cipher_name (drdk[i].type));
printf ("key:\n");
escapeprint (drdk[i].key, strlen (drdk[i].key));
hexprint (drdk[i].key, strlen (drdk[i].key));
puts ("");
binprint (drdk[i].key, strlen (drdk[i].key));
puts ("");
printf ("usage:\n");
escapeprint (drdk[i].usage, drdk[i].nusage);
hexprint (drdk[i].usage, drdk[i].nusage);
puts ("");
binprint (drdk[i].usage, drdk[i].nusage);
puts ("");
printf ("computed DK:\n");
escapeprint (shishi_key_value (key2), shishi_key_length (key2));
hexprint (shishi_key_value (key2), shishi_key_length (key2));
puts ("");
binprint (shishi_key_value (key2), shishi_key_length (key2));
puts ("");
printf ("expected DK:\n");
escapeprint (drdk[i].dk, strlen (drdk[i].dk));
hexprint (drdk[i].dk, strlen (drdk[i].dk));
puts ("");
binprint (drdk[i].dk, strlen (drdk[i].dk));
puts ("");
}
if (!(shishi_key_length (key2) == strlen (drdk[i].dk) &&
memcmp (drdk[i].dk, shishi_key_value (key2),
strlen (drdk[i].dk)) == 0))
{
fail ("shishi_dk() entry %d failed\n", i);
if (debug)
printf ("ERROR\n");
}
else if (debug)
success ("OK\n");
shishi_key_done (key2);
}
for (i = 0; i < sizeof (nfold) / sizeof (nfold[0]); i++)
{
if (debug)
printf ("N-FOLD entry %d\n", i);
res = shishi_n_fold (handle,
nfold[i].in, strlen (nfold[i].in),
out, nfold[i].n / 8);
if (res != SHISHI_OK)
{
fail ("shishi_n_fold() entry %d failed (%s)\n",
i, shishi_error (handle));
continue;
}
if (debug)
{
printf ("in:\n");
escapeprint (nfold[i].in, strlen (nfold[i].in));
hexprint (nfold[i].in, strlen (nfold[i].in));
puts ("");
binprint (nfold[i].in, strlen (nfold[i].in));
puts ("");
printf ("out:\n");
escapeprint (out, nfold[i].n / 8);
hexprint (out, nfold[i].n / 8);
puts ("");
binprint (out, nfold[i].n / 8);
puts ("");
printf ("expected out:\n");
escapeprint (nfold[i].out, nfold[i].n / 8);
hexprint (nfold[i].out, nfold[i].n / 8);
puts ("");
binprint (nfold[i].out, nfold[i].n / 8);
puts ("");
}
if (memcmp (nfold[i].out, out, nfold[i].n / 8) != 0)
{
fail ("shishi_n_fold() entry %d failed\n", i);
if (debug)
printf ("ERROR\n");
}
else if (debug)
success ("OK\n");
}
for (i = 0; i < sizeof (str2key) / sizeof (str2key[0]); i++)
{
int n_password = strlen (str2key[i].password);
int saltlen = strlen (str2key[i].salt);
int keylen = sizeof (key);
const char *name = shishi_cipher_name (str2key[i].etype);
if (debug)
printf ("STRING-TO-KEY entry %d (key type %s)\n", i,
name ? name : "NO NAME");
res = shishi_key_from_string (handle, str2key[i].etype,
str2key[i].password, n_password,
str2key[i].salt, saltlen,
str2key[i].parameters, &key);
if (res != SHISHI_OK)
{
fail ("shishi_string_to_key() entry %d failed (%s)\n",
i, shishi_error (handle));
continue;
}
if (debug)
{
printf ("password:\n");
escapeprint (str2key[i].password, n_password);
hexprint (str2key[i].password, n_password);
puts ("");
binprint (str2key[i].password, n_password);
puts ("");
printf ("salt:\n");
escapeprint (str2key[i].salt, saltlen);
hexprint (str2key[i].salt, saltlen);
puts ("");
binprint (str2key[i].salt, saltlen);
puts ("");
printf ("computed key:\n");
escapeprint (shishi_key_value (key), shishi_key_length (key));
hexprint (shishi_key_value (key), shishi_key_length (key));
puts ("");
binprint (shishi_key_value (key), shishi_key_length (key));
puts ("");
printf ("expected key:\n");
escapeprint (str2key[i].key, strlen (str2key[i].key));
hexprint (str2key[i].key, strlen (str2key[i].key));
puts ("");
binprint (str2key[i].key, strlen (str2key[i].key));
puts ("");
}
if (memcmp (str2key[i].key, shishi_key_value (key), keylen) != 0)
{
fail ("shishi_string_to_key() entry %d failed\n", i);
if (debug)
printf ("ERROR\n");
}
else if (debug)
success ("OK\n");
shishi_key_done (key);
}
for (i = 0; i < sizeof (pkcs5) / sizeof (pkcs5[0]); i++)
{
if (debug)
printf ("PKCS5 entry %d\n", i);
res = shishi_pbkdf2_sha1 (handle,
pkcs5[i].password, strlen (pkcs5[i].password),
pkcs5[i].salt, strlen (pkcs5[i].salt),
pkcs5[i].iterations, pkcs5[i].dklen, out);
if (res != SHISHI_OK)
{
fail ("PKCS5 entry %d failed fatally: %d\n", i, res);
continue;
}
if (debug)
{
printf ("password:\n");
escapeprint (pkcs5[i].password, strlen (pkcs5[i].password));
hexprint (pkcs5[i].password, strlen (pkcs5[i].password));
puts ("");
binprint (pkcs5[i].password, strlen (pkcs5[i].password));
puts ("");
printf ("salt:\n");
escapeprint (pkcs5[i].salt, strlen (pkcs5[i].salt));
hexprint (pkcs5[i].salt, strlen (pkcs5[i].salt));
puts ("");
binprint (pkcs5[i].salt, strlen (pkcs5[i].salt));
puts ("");
printf ("computed key:\n");
escapeprint (out, pkcs5[i].dklen);
hexprint (out, pkcs5[i].dklen);
puts ("");
binprint (out, pkcs5[i].dklen);
puts ("");
printf ("expected key:\n");
escapeprint (pkcs5[i].expected, pkcs5[i].dklen);
hexprint (pkcs5[i].expected, pkcs5[i].dklen);
puts ("");
binprint (pkcs5[i].expected, pkcs5[i].dklen);
puts ("");
}
if (memcmp (pkcs5[i].expected, out, pkcs5[i].dklen) != 0)
{
fail ("PKCS5 entry %d failed\n", i);
if (debug)
printf ("ERROR\n");
}
else if (debug)
success ("OK\n");
}
}
/* authentication, server side */
int
get_auth (int infd, krb5_context *ctx, krb5_auth_context *actx,
krb5_keyblock **key, const char **err_msg,
int *protoversion, int *cksumtype,
char **cksum, size_t *cksumlen, char *srvname)
{
char *out;
size_t outlen;
char *buf;
int buflen;
int len;
int rc;
int error;
/* KERBEROS 5 SENDAUTH MESSAGE */
char krb5sendauth[] = "KRB5_SENDAUTH_V1.0";
/* PROTOCOL VERSION */
char krb5kcmd1[] = "KCMDV0.1";
char krb5kcmd2[] = "KCMDV0.2";
char *servername, *server = NULL, *realm = NULL;
*err_msg = NULL;
/* Get key for the server. */
# if 0
/*
* XXX: Taken straight from the version for libshishi.
* XXX: No adaptions yet.
*/
rc = shishi_init_server (handle);
if (rc != SHISHI_OK)
return rc;
if (srvname && *srvname)
{
rc = shishi_parse_name (*handle, srvname, &server, &realm);
if (rc != SHISHI_OK)
{
*err_msg = shishi_strerror (rc);
return rc;
}
}
if (server && *server)
{
char *p;
servername = malloc (sizeof (SERVICE) + strlen (server) + 2);
if (!servername)
{
*err_msg = "Not enough memory";
return SHISHI_TOO_SMALL_BUFFER;
}
p = strchr (server, '/');
if (p && (p != server))
sprintf (servername, "%s", server); /* Non-empty prefix. */
else
sprintf (servername, "%s/%s", SERVICE,
server + (p ? 1 : 0)); /* Remove initial slash. */
}
else
servername = shishi_server_for_local_service (*handle, SERVICE);
if (realm && *realm)
shishi_realm_default_set (*handle, realm);
free (server);
free (realm);
/* Enable use of `~/.k5login'. */
if (shishi_check_version ("1.0.2")) /* Faulty in version 1.0.1. */
{
rc = shishi_cfg_authorizationtype_set (*handle, "k5login basic");
if (rc != SHISHI_OK)
{
*err_msg = shishi_error (*handle);
return rc;
}
}
key = shishi_hostkeys_for_serverrealm (*handle, servername,
shishi_realm_default (*handle));
free (servername);
if (!key)
{
*err_msg = shishi_error (*handle);
return SHISHI_INVALID_KEY;
}
/* Read Kerberos 5 sendauth message */
rc = read (infd, &len, sizeof (int));
if (rc != sizeof (int))
{
*err_msg = "Error reading message size";
return SHISHI_IO_ERROR;
}
buflen = ntohl (len);
buf = malloc (buflen);
if (!buf)
{
*err_msg = "Not enough memory";
return SHISHI_TOO_SMALL_BUFFER;
}
rc = read (infd, buf, buflen);
if (rc != buflen)
{
*err_msg = "Error reading authentication message";
return SHISHI_IO_ERROR;
}
len = strlen (krb5sendauth);
rc = strncmp (buf, krb5sendauth, buflen >= len ? len : buflen);
if (rc)
{
*err_msg = "Invalid authentication type";
/* Authentication type is wrong. */
write (infd, "\001", 1);
return SHISHI_VERIFY_FAILED;
}
free (buf);
/* Read protocol version */
rc = read (infd, &len, sizeof (int));
if (rc != sizeof (int))
{
*err_msg = "Error reading protocol message size";
return SHISHI_IO_ERROR;
}
buflen = ntohl (len);
buf = malloc (buflen);
if (!buf)
{
*err_msg = "Not enough memory";
return SHISHI_TOO_SMALL_BUFFER;
}
rc = read (infd, buf, buflen);
if (rc != buflen)
{
*err_msg = "Error reading protocol message";
return SHISHI_IO_ERROR;
}
len = strlen (krb5kcmd1);
rc = strncmp (buf, krb5kcmd1, buflen >= len ? len : buflen);
if (rc)
{
len = strlen (krb5kcmd2);
rc = strncmp (buf, krb5kcmd2, buflen >= len ? len : buflen);
if (rc)
{
*err_msg = "Protocol version not supported";
/* Protocol version is wrong. */
write (infd, "\002", 1);
return SHISHI_VERIFY_FAILED;
}
*protoversion = 2;
}
else
*protoversion = 1;
free (buf);
/* Authentication type is ok */
write (infd, "\0", 1);
/* Read Authentication request from client */
rc = read (infd, &len, sizeof (int));
if (rc != sizeof (int))
{
*err_msg = "Error reading authentication request size";
return SHISHI_IO_ERROR;
}
buflen = ntohl (len);
buf = malloc (buflen);
if (!buf)
{
*err_msg = "Not enough memory";
return SHISHI_TOO_SMALL_BUFFER;
}
rc = read (infd, buf, buflen);
if (rc != buflen)
{
*err_msg = "Error reading authentication request";
return SHISHI_IO_ERROR;
}
/* Create Authentication context */
rc = shishi_ap_nosubkey (*handle, ap);
if (rc != SHISHI_OK)
return rc;
/* Store request in context */
rc = shishi_ap_req_der_set (*ap, buf, buflen);
if (rc != SHISHI_OK)
return rc;
free (buf);
/* Process authentication request */
rc = shishi_ap_req_process (*ap, key);
if (rc != SHISHI_OK)
return rc;
# ifdef ENCRYPTION
/* extract subkey if present from ap exchange for secure connection */
if (*protoversion == 2)
{
*enckey = NULL;
shishi_authenticator_get_subkey (*handle,
shishi_ap_authenticator (*ap), enckey);
}
# endif
/* Get authenticator checksum */
rc = shishi_authenticator_cksum (*handle,
shishi_ap_authenticator (*ap),
cksumtype, cksum, cksumlen);
if (rc != SHISHI_OK)
return rc;
/* User is authenticated. */
error = 0;
write (infd, &error, sizeof (int));
/* Authenticate ourself to client, if requested. */
if (shishi_apreq_mutual_required_p (*handle, shishi_ap_req (*ap)))
{
int len;
rc = shishi_ap_rep_der (*ap, &out, &outlen);
if (rc != SHISHI_OK)
return rc;
len = outlen;
len = htonl (len);
rc = write (infd, &len, sizeof (len));
if (rc != sizeof (int))
{
*err_msg = "Error sending AP-REP";
free (out);
return SHISHI_IO_ERROR;
}
rc = write (infd, out, ntohl (len));
if (rc != (int) ntohl (len))
{
*err_msg = "Error sending AP-REP";
free (out);
return SHISHI_IO_ERROR;
}
free (out);
/* We are authenticated to client */
}
# ifdef ENCRYPTION
if (*protoversion == 1)
{
Shishi_tkt *tkt;
tkt = shishi_ap_tkt (*ap);
if (tkt == NULL)
{
*err_msg = "Could not get tkt from AP-REQ";
return SHISHI_INVALID_TICKET;
}
rc = shishi_encticketpart_get_key (*handle,
shishi_tkt_encticketpart (tkt),
enckey);
if (rc != SHISHI_OK)
return rc;
}
# endif /* ENCRYPTION */
return 0;
# else
return -1;
# endif
}
static Shishi_ap *
auth (Shishi * h, int verbose, const char *cname, const char *sname)
{
Shishi_key *key;
Shishi_ap *ap;
Shishi_asn1 apreq;
char *buf;
size_t buflen;
int rc;
printf ("Client: %s\n", cname);
printf ("Server: %s\n", sname);
/* Get key for the server. */
key = shishi_hostkeys_for_server (h, sname);
if (!key)
{
printf ("could not find key: %s\n", shishi_error (h));
return NULL;
}
if (verbose)
shishi_key_print (h, stderr, key);
/* Read Authentication request from client */
printf ("Waiting for client to authenticate itself...\n");
rc = shishi_apreq_parse (h, stdin, &apreq);
if (rc != SHISHI_OK)
{
printf ("could not read AP-REQ: %s\n", shishi_strerror (rc));
return NULL;
}
/* Create Authentication context */
rc = shishi_ap (h, &ap);
if (rc != SHISHI_OK)
{
printf ("Could not create AP: %s\n", shishi_strerror (rc));
return NULL;
}
/* Store request in context */
shishi_ap_req_set (ap, apreq);
/* Process authentication request */
rc = shishi_ap_req_process (ap, key);
if (rc != SHISHI_OK)
{
printf ("Could not process AP-REQ: %s\n", shishi_strerror (rc));
return NULL;
}
if (verbose)
shishi_authenticator_print (h, stderr, shishi_ap_authenticator (ap));
rc = shishi_authenticator_client (h, shishi_ap_authenticator (ap),
&buf, &buflen);
printf ("Client name (from authenticator): %.*s\n", (int) buflen, buf);
free (buf);
rc = shishi_encticketpart_clientrealm
(h, shishi_tkt_encticketpart (shishi_ap_tkt (ap)), &buf, &buflen);
printf ("Client name (from encticketpart): %.*s\n", (int) buflen, buf);
free (buf);
rc = shishi_ticket_server (h, shishi_tkt_ticket (shishi_ap_tkt (ap)),
&buf, &buflen);
printf ("Server name (from ticket): %.*s\n", (int) buflen, buf);
free (buf);
/* User is authenticated. */
printf ("User authenticated.\n");
/* Authenticate ourself to client, if request */
if (shishi_apreq_mutual_required_p (h, apreq))
{
Shishi_asn1 aprep;
printf ("Mutual authentication required.\n");
rc = shishi_ap_rep_asn1 (ap, &aprep);
if (rc != SHISHI_OK)
{
printf ("Error creating AP-REP: %s\n", shishi_strerror (rc));
return NULL;
}
if (verbose)
shishi_encapreppart_print (h, stderr, shishi_ap_encapreppart (ap));
shishi_aprep_print (h, stdout, aprep);
/* We are authenticated to client */
}
return ap;
}
int
get_auth (int infd, Shishi ** handle, Shishi_ap ** ap,
Shishi_key ** enckey, const char **err_msg, int *protoversion,
int *cksumtype, char **cksum, int *cksumlen)
{
Shishi_key *key;
char *out;
int outlen;
char *buf;
int buflen;
int len;
int rc;
int i;
int error;
/* KERBEROS 5 SENDAUTH MESSAGE */
char krb5sendauth[] = "KRB5_SENDAUTH_V1.0";
/* PROTOCOL VERSION */
char krb5kcmd1[] = "KCMDV0.1";
char krb5kcmd2[] = "KCMDV0.2";
int auth_correct = 0;
char *servername;
*err_msg = NULL;
/* Get key for the server. */
if (!shishi_check_version (SHISHI_VERSION))
{
*err_msg =
"shishi_check_version() failed: header file incompatible with shared library.";
return 1;
}
rc = shishi_init_server (handle);
if (rc != SHISHI_OK)
return rc;
servername = shishi_server_for_local_service (*handle, SERVICE);
key = shishi_hostkeys_for_server (*handle, servername);
if (!key)
{
*err_msg = shishi_error (*handle);
return 1;
}
/* Read Kerberos 5 sendauth message */
rc = read (infd, &len, sizeof (int));
if (rc != sizeof (int))
{
*err_msg = "Error reading message size";
return 1;
}
buflen = ntohl (len);
buf = malloc (buflen);
if (!buf)
{
*err_msg = "Not enough memory";
return 1;
}
rc = read (infd, buf, buflen);
if (rc != buflen)
{
*err_msg = "Error reading authentication message";
return 1;
}
len = strlen (krb5sendauth);
rc = strncmp (buf, krb5sendauth, buflen >= len ? len : buflen);
if (rc)
{
*err_msg = "Invalid authentication type";
return 1;
}
free (buf);
/* Read protocol version */
rc = read (infd, &len, sizeof (int));
if (rc != sizeof (int))
{
*err_msg = "Error reading protocol message size";
return 1;
}
buflen = ntohl (len);
buf = malloc (buflen);
if (!buf)
{
*err_msg = "Not enough memory";
return 1;
}
rc = read (infd, buf, buflen);
if (rc != buflen)
{
*err_msg = "Error reading protocol message";
return 1;
}
len = strlen (krb5kcmd1);
rc = strncmp (buf, krb5kcmd1, buflen >= len ? len : buflen);
if (rc)
{
len = strlen (krb5kcmd2);
rc = strncmp (buf, krb5kcmd2, buflen >= len ? len : buflen);
if (rc)
{
*err_msg = "Protocol version not supported";
return 1;
}
*protoversion = 2;
}
else
*protoversion = 1;
free (buf);
/* Authentication type is ok */
write (infd, "\0", 1);
/* Read Authentication request from client */
rc = read (infd, &len, sizeof (int));
if (rc != sizeof (int))
{
*err_msg = "Error reading authentication request size";
return 1;
}
buflen = ntohl (len);
buf = malloc (buflen);
if (!buf)
{
*err_msg = "Not enough memory";
return 1;
}
rc = read (infd, buf, buflen);
if (rc != buflen)
{
*err_msg = "Error reading authentication request";
return 1;
}
/* Create Authentication context */
rc = shishi_ap_nosubkey (*handle, ap);
if (rc != SHISHI_OK)
return rc;
/* Store request in context */
shishi_ap_req_der_set (*ap, buf, buflen);
if (rc != SHISHI_OK)
return rc;
free (buf);
/* Process authentication request */
rc = shishi_ap_req_process (*ap, key);
if (rc != SHISHI_OK)
return rc;
# ifdef ENCRYPTION
/* extract subkey if present from ap exchange for secure connection */
if (*protoversion == 2)
{
*enckey = NULL;
shishi_authenticator_get_subkey (*handle,
shishi_ap_authenticator (*ap), enckey);
}
# endif
/* Get authenticator checksum */
rc = shishi_authenticator_cksum (*handle,
shishi_ap_authenticator (*ap),
cksumtype, cksum, cksumlen);
if (rc != SHISHI_OK)
return rc;
/* User is authenticated. */
error = 0;
write (infd, &error, sizeof (int));
/* Authenticate ourself to client, if request */
if (shishi_apreq_mutual_required_p (*handle, shishi_ap_req (*ap)))
{
rc = shishi_ap_rep_der (*ap, &out, &outlen);
if (rc != SHISHI_OK)
return rc;
outlen = htonl (outlen);
rc = write (infd, &outlen, sizeof (int));
if (rc != sizeof (int))
{
*err_msg = "Error sending AP-REP";
free (out);
return 1;
}
rc = write (infd, out, ntohl (outlen));
if (rc != ntohl (outlen))
{
*err_msg = "Error sending AP-REP";
free (out);
return 1;
}
free (out);
/* We are authenticated to client */
}
# ifdef ENCRYPTION
if (*protoversion == 1)
{
Shishi_tkt *tkt;
tkt = shishi_ap_tkt (*ap);
if (tkt == NULL)
{
*err_msg = "Could not get tkt from AP-REQ";
return 1;
}
rc = shishi_encticketpart_get_key (*handle,
shishi_tkt_encticketpart (tkt),
enckey);
if (rc != SHISHI_OK)
return rc;
}
# endif
return SHISHI_OK;
}
