Use GPL instead of LGPL.

[shishi.git] / lib / ticket.c

/* ticket.c     ticket handling
 * Copyright (C) 2002  Simon Josefsson
 *
 * This file is part of Shishi.
 *
 * Shishi is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation; either version 2 of the License, or
 * (at your option) any later version.
 *
 * Shishi is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with Shishi; if not, write to the Free Software
 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
 *
 */

#include "internal.h"

struct Shishi_ticket
{
  Shishi *handle;
  char *principal;
  ASN1_TYPE ticket;
  ASN1_TYPE enckdcreppart;
  Shishi_key *key;
};

int
shishi_ticket_realm_get (Shishi * handle,
                         ASN1_TYPE ticket, char *realm, int *realmlen)
{
  return _shishi_asn1_field (handle, ticket, realm, realmlen, "Ticket.realm");
}

int
shishi_ticket_sname_get (Shishi * handle,
                         ASN1_TYPE ticket, char *server, int *serverlen)
{
  return shishi_principal_name_get (handle, ticket, "Ticket.sname",
                                    server, serverlen);
}

int
shishi_ticket_snamerealm_get (Shishi * handle,
                              ASN1_TYPE ticket,
                              char *serverrealm, int *serverrealmlen)
{
  return shishi_principal_name_realm_get (handle, ticket, "Ticket.sname",
                                          ticket, "Ticket.realm",
                                          serverrealm, serverrealmlen);
}

/**
 * shishi_asn1ticket_get_enc_part_etype:
 * @handle: shishi handle as allocated by shishi_init().
 * @kdcrep: Ticket variable to get value from.
 * @etype: output variable that holds the value.
 *
 * Extract Ticket.enc-part.etype.
 *
 * Return value: Returns SHISHI_OK iff successful.
 **/
int
shishi_asn1ticket_get_enc_part_etype (Shishi * handle,
                                      ASN1_TYPE ticket, int *etype)
{
  int buflen;
  int res;

  *etype = 0;
  buflen = sizeof (*etype);
  res = _shishi_asn1_field (handle, ticket,
                            (char *) etype, &buflen, "Ticket.enc-part.etype");

  return res;
}

/**
 * shishi_ticket_principal:
 * @handle: shishi handle as allocated by shishi_init().
 * @ticket: input variable with ticket info.
 *
 * Return value: Returns client principal of ticket.
 **/
char *
shishi_ticket_principal (Shishi_ticket * ticket)
{
  return ticket->principal ? ticket->principal : "<none>";
}

/**
 * shishi_ticket_ticket:
 * @handle: shishi handle as allocated by shishi_init().
 * @ticket: input variable with ticket info.
 *
 * Return value: Returns actual ticket.
 **/
ASN1_TYPE
shishi_ticket_ticket (Shishi_ticket * ticket)
{
  return ticket->ticket;
}

/**
 * shishi_ticket_enckdcreppart:
 * @handle: shishi handle as allocated by shishi_init().
 * @ticket: input variable with ticket info.
 *
 * Return value: Returns auxilliary ticket information.
 **/
ASN1_TYPE
shishi_ticket_enckdcreppart (Shishi_ticket * ticket)
{
  return ticket->enckdcreppart;
}

/**
 * shishi_ticket_key:
 * @ticket: input variable with ticket info.
 *
 * Return value: Returns key extracted from enckdcreppart.
 **/
Shishi_key *
shishi_ticket_key (Shishi_ticket * ticket)
{
  if (!ticket->key)
    {
      int res;

      res = shishi_enckdcreppart_get_key (ticket->handle,
                                          shishi_ticket_enckdcreppart (ticket),
                                          &ticket->key);
      if (res != SHISHI_OK)
        return NULL;
    }

  return ticket->key;
}

/**
 * shishi_ticket:
 * @handle: shishi handle as allocated by shishi_init().
 * @principal: input variable with client principal of ticket.
 * @ticket: input variable with ticket.
 * @enckdcreppart: input variable with auxilliary ticket information.
 *
 * Create a new ticket handle.
 *
 * Return value: Returns new ticket handle, or %NULL on error.
 **/
Shishi_ticket *
shishi_ticket (Shishi * handle, char *principal,
               ASN1_TYPE ticket, ASN1_TYPE enckdcreppart)
{
  Shishi_ticket *tkt;

  tkt = malloc (sizeof (*tkt));
  if (tkt == NULL)
    return NULL;

  memset(tkt, 0, sizeof(*tkt));

  tkt->handle = handle;
  tkt->principal = principal;
  tkt->ticket = ticket;
  tkt->enckdcreppart = enckdcreppart;

  return tkt;
}

int
shishi_ticket_flags (Shishi_ticket * ticket, int *flags)
{
  int len = sizeof (*flags);
  int res;
  *flags = 0;
  res = _shishi_asn1_field (ticket->handle, ticket->enckdcreppart,
                            (char *) flags, &len, "EncKDCRepPart.flags");
  return res;
}

int
shishi_ticket_forwardable_p (Shishi_ticket * ticket)
{
  int flags = 0;

  shishi_ticket_flags (ticket, &flags);

  return flags & SHISHI_TICKETFLAGS_FORWARDABLE;
}

int
shishi_ticket_forwarded_p (Shishi_ticket * ticket)
{
  int flags = 0;

  shishi_ticket_flags (ticket, &flags);

  return flags & SHISHI_TICKETFLAGS_FORWARDED;
}

int
shishi_ticket_proxiable_p (Shishi_ticket * ticket)
{
  int flags = 0;

  shishi_ticket_flags (ticket, &flags);

  return flags & SHISHI_TICKETFLAGS_PROXIABLE;
}

int
shishi_ticket_proxy_p (Shishi_ticket * ticket)
{
  int flags = 0;

  shishi_ticket_flags (ticket, &flags);

  return flags & SHISHI_TICKETFLAGS_PROXY;
}

int
shishi_ticket_may_postdate_p (Shishi_ticket * ticket)
{
  int flags = 0;

  shishi_ticket_flags (ticket, &flags);

  return flags & SHISHI_TICKETFLAGS_MAY_POSTDATE;
}

int
shishi_ticket_postdated_p (Shishi_ticket * ticket)
{
  int flags = 0;

  shishi_ticket_flags (ticket, &flags);

  return flags & SHISHI_TICKETFLAGS_POSTDATED;
}

int
shishi_ticket_invalid_p (Shishi_ticket * ticket)
{
  int flags = 0;

  shishi_ticket_flags (ticket, &flags);

  return flags & SHISHI_TICKETFLAGS_INVALID;
}

int
shishi_ticket_renewable_p (Shishi_ticket * ticket)
{
  int flags = 0;

  shishi_ticket_flags (ticket, &flags);

  return flags & SHISHI_TICKETFLAGS_RENEWABLE;
}

int
shishi_ticket_initial_p (Shishi_ticket * ticket)
{
  int flags = 0;

  shishi_ticket_flags (ticket, &flags);

  return flags & SHISHI_TICKETFLAGS_INITIAL;
}

int
shishi_ticket_pre_authent_p (Shishi_ticket * ticket)
{
  int flags = 0;

  shishi_ticket_flags (ticket, &flags);

  return flags & SHISHI_TICKETFLAGS_PRE_AUTHENT;
}

int
shishi_ticket_hw_authent_p (Shishi_ticket * ticket)
{
  int flags = 0;

  shishi_ticket_flags (ticket, &flags);

  return flags & SHISHI_TICKETFLAGS_HW_AUTHENT;
}

int
shishi_ticket_transited_policy_checked_p (Shishi_ticket * ticket)
{
  int flags = 0;

  shishi_ticket_flags (ticket, &flags);

  return flags & SHISHI_TICKETFLAGS_TRANSITED_POLICY_CHECKED;
}

int
shishi_ticket_ok_as_delegate_p (Shishi_ticket * ticket)
{
  int flags = 0;

  shishi_ticket_flags (ticket, &flags);

  return flags & SHISHI_TICKETFLAGS_OK_AS_DELEGATE;
}

int
shishi_ticket_realm (Shishi_ticket * ticket, const char *realm, int *realmlen)
{
  return shishi_ticket_realm_get (ticket->handle, ticket->ticket,
                                  realm, realmlen);
}

int
shishi_ticket_server (Shishi_ticket * ticket,
                      const char *service, int *servicelen)
{
  return shishi_ticket_sname_get (ticket->handle, ticket->ticket,
                                  service, servicelen);
}

int
shishi_ticket_server_p (Shishi_ticket * ticket, const char *service)
{
  char *buf;
  int buflen;
  int res;

  buflen = strlen (service) + 1;
  buf = malloc (buflen);
  if (buf == NULL)
    return 0;

  res = shishi_ticket_server (ticket, buf, &buflen);
  if (res != SHISHI_OK)
    {
      free (buf);
      return 0;
    }
  buf[buflen] = '\0';

  if (strcmp (service, buf) != 0)
    {
      free (buf);
      return 0;
    }

  free (buf);

  return 1;
}

int
shishi_ticket_server_realm (Shishi_ticket * ticket,
                            char *servicerealm, int *servicerealmlen)
{
  return shishi_ticket_snamerealm_get (ticket->handle, ticket->ticket,
                                       servicerealm, servicerealmlen);
}

int
shishi_ticket_keytype (Shishi_ticket * ticket, int *etype)
{
  return _shishi_asn1_integer_field (ticket->handle,
                                     ticket->enckdcreppart, etype,
                                     "EncKDCRepPart.key.keytype");
}

int
shishi_ticket_authtime (Shishi_ticket * ticket,
                        char *authtime, int *authtimelen)
{
  return _shishi_asn1_field (ticket->handle, ticket->enckdcreppart,
                             authtime, authtimelen, "EncKDCRepPart.authtime");
}

time_t
shishi_ticket_authctime (Shishi_ticket * ticket)
{
  char authtime[GENERALIZEDTIME_TIME_LEN + 1];
  int authtimelen;
  time_t t;
  int res;

  authtimelen = sizeof (authtime);
  res = shishi_ticket_authtime (ticket, authtime, &authtimelen);
  if (res != SHISHI_OK)
    return (time_t) - 1;

  authtime[GENERALIZEDTIME_TIME_LEN] = '\0';

  t = shishi_generalize_ctime (ticket->handle, authtime);

  return t;
}

int
shishi_ticket_starttime (Shishi_ticket * ticket,
                         char *starttime, int *starttimelen)
{
  return _shishi_asn1_optional_field (ticket->handle, ticket->enckdcreppart,
                                      starttime, starttimelen,
                                      "EncKDCRepPart.starttime");
}

time_t
shishi_ticket_startctime (Shishi_ticket * ticket)
{
  char starttime[GENERALIZEDTIME_TIME_LEN + 1];
  int starttimelen;
  time_t t;
  int res;

  starttimelen = sizeof (starttime);
  res = shishi_ticket_starttime (ticket, starttime, &starttimelen);
  if (res != SHISHI_OK || starttimelen == 0)
    return (time_t) - 1;

  starttime[GENERALIZEDTIME_TIME_LEN] = '\0';

  t = shishi_generalize_ctime (ticket->handle, starttime);

  return t;
}

int
shishi_ticket_endtime (Shishi_ticket * ticket, char *endtime, int *endtimelen)
{
  return _shishi_asn1_field (ticket->handle, ticket->enckdcreppart,
                             endtime, endtimelen, "EncKDCRepPart.endtime");
}

time_t
shishi_ticket_endctime (Shishi_ticket * ticket)
{
  char endtime[GENERALIZEDTIME_TIME_LEN + 1];
  int endtimelen;
  time_t t;
  int res;

  endtimelen = sizeof (endtime);
  res = shishi_ticket_endtime (ticket, endtime, &endtimelen);
  if (res != SHISHI_OK)
    return (time_t) - 1;

  endtime[GENERALIZEDTIME_TIME_LEN] = '\0';

  t = shishi_generalize_ctime (ticket->handle, endtime);

  return t;
}

int
shishi_ticket_renew_till (Shishi_ticket * ticket,
                          char *renewtill, int *renewtilllen)
{
  return _shishi_asn1_optional_field (ticket->handle, ticket->enckdcreppart,
                                      renewtill, renewtilllen,
                                      "EncKDCRepPart.renew-till");
}

time_t
shishi_ticket_renew_tillc (Shishi_ticket * ticket)
{
  char renewtill[GENERALIZEDTIME_TIME_LEN + 1];
  int renewtilllen;
  time_t t;
  int res;

  renewtilllen = sizeof (renewtill);
  res = shishi_ticket_renew_till (ticket, renewtill, &renewtilllen);
  if (res != SHISHI_OK || renewtilllen == 0)
    return (time_t) - 1;

  renewtill[GENERALIZEDTIME_TIME_LEN] = '\0';

  t = shishi_generalize_ctime (ticket->handle, renewtill);

  return t;
}

int
shishi_ticket_valid_at_time_p (Shishi_ticket * ticket, time_t now)
{
  time_t starttime, endtime;

  starttime = shishi_ticket_startctime (ticket);
  if (starttime == (time_t) - 1)
    starttime = shishi_ticket_authctime (ticket);
  endtime = shishi_ticket_endctime (ticket);

  return starttime <= now && now <= endtime;
}

int
shishi_ticket_valid_now_p (Shishi_ticket * ticket)
{
  return shishi_ticket_valid_at_time_p (ticket, time (NULL));
}

int
shishi_ticket_print (Shishi_ticket * ticket, FILE * fh)
{
  char buf[BUFSIZ];
  char *p;
  int buflen;
  int etype, flags;
  int res;
  time_t t;

  printf ("%s:\n", shishi_ticket_principal (ticket));

  t = shishi_ticket_authctime (ticket);
  printf (_("Authtime:\t%s"), ctime (&t));

  t = shishi_ticket_startctime (ticket);
  if (t != (time_t) - 1)
    printf (_("Starttime:\t%s"), ctime (&t));

  t = shishi_ticket_endctime (ticket);
  p = ctime (&t);
  p[strlen (p) - 1] = '\0';
  printf (_("Endtime:\t%s\t%s\n"), p,
          shishi_ticket_valid_now_p (ticket) ? "valid" : "EXPIRED");

  t = shishi_ticket_renew_tillc (ticket);
  if (t != (time_t) - 1)
    printf (_("Renewable until:\t%s"), ctime (&t));

  buflen = sizeof (buf);
  buf[0] = '\0';
  res = shishi_ticket_server (ticket, buf, &buflen);
  if (res != SHISHI_OK)
    return res;
  buf[buflen] = '\0';
  printf (_("Service:\t%s\n"), buf);

  res = shishi_ticket_keytype (ticket, &etype);
  if (res != SHISHI_OK)
    return res;
  printf (_("Key type:\t%s (%d)\n"), shishi_cipher_name (etype), etype);

  res = shishi_ticket_flags (ticket, &flags);
  if (res != SHISHI_OK)
    return res;
  printf (_
          ("Flags:\t%d\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\n"),
          flags, shishi_ticket_forwardable_p (ticket) ? "FORWARDABLE" :
          "", shishi_ticket_forwarded_p (ticket) ? "FORWARDED" : "",
          shishi_ticket_proxiable_p (ticket) ? "PROXIABLE" : "",
          shishi_ticket_proxy_p (ticket) ? "PROXY" : "",
          shishi_ticket_may_postdate_p (ticket) ? "MAYPOSTDATE" : "",
          shishi_ticket_postdated_p (ticket) ? "POSTDATED" : "",
          shishi_ticket_invalid_p (ticket) ? "INVALID" : "",
          shishi_ticket_renewable_p (ticket) ? "RENEWABLE" : "",
          shishi_ticket_initial_p (ticket) ? "INITIAL" : "",
          shishi_ticket_pre_authent_p (ticket) ? "PREAUTHENT" : "",
          shishi_ticket_hw_authent_p (ticket) ? "HWAUTHENT" : "",
          shishi_ticket_transited_policy_checked_p (ticket) ?
          "TRANSITEDPOLICYCHECKED" : "",
          shishi_ticket_ok_as_delegate_p (ticket) ? "OKASDELEGATE" : "");



  return SHISHI_OK;
}

int
shishi_ticket_decrypt (Shishi * handle,
                       ASN1_TYPE ticket,
                       Shishi_key *key,
                       ASN1_TYPE * encticketpart)
{
  int res;
  int i, len;
  int buflen = BUFSIZ;
  unsigned char buf[BUFSIZ];
  unsigned char cipher[BUFSIZ];
  int realmlen = BUFSIZ;
  int cipherlen;
  int etype;

  res = shishi_asn1ticket_get_enc_part_etype (handle, ticket, &etype);
  if (res != SHISHI_OK)
    return res;

  if (etype != shishi_key_type(key))
    return SHISHI_KDCREP_BAD_KEYTYPE;

  cipherlen = BUFSIZ;
  res = _shishi_asn1_field (handle, ticket, cipher, &cipherlen,
                            "Ticket.enc-part.cipher");
  if (res != SHISHI_OK)
    return res;

  res = shishi_decrypt (handle, key, SHISHI_KEYUSAGE_KDCREP_TICKET,
                        cipher, cipherlen, buf, &buflen);

  if (res != SHISHI_OK)
    {
      if (VERBOSE (handle))
        printf ("des_decrypt failed: %s\n", shishi_strerror_details (handle));
      shishi_error_printf (handle,
                           "des_decrypt fail, most likely wrong password\n");
      return res;
    }

  /* The crypto is so 1980; no length indicator. Trim off pad bytes
     until we can parse it. */
  for (i = 0; i < 8; i++)
    {
      if (VERBOSEASN1 (handle))
        printf ("Trying with %d pad in enckdcrep...\n", i);

      *encticketpart = shishi_d2a_encticketpart (handle, &buf[0], buflen - i);
      if (*encticketpart != ASN1_TYPE_EMPTY)
        break;
    }

  if (*encticketpart == ASN1_TYPE_EMPTY)
    {
      shishi_error_printf (handle, "Could not DER decode EncTicketPart. "
                           "Password probably correct (decrypt ok) though\n");
      return SHISHI_ASN1_ERROR;
    }

  return SHISHI_OK;
}