search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Fix.
[shishi.git] / lib / ap.c
blob29432888068e2ee9807cac55c0fbd58a68a5654b
1 /* ap.c AP functions
2 * Copyright (C) 2002, 2003 Simon Josefsson
3 *
4 * This file is part of Shishi.
5 *
6 * Shishi is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 2 of the License, or
9 * (at your option) any later version.
10 *
11 * Shishi is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
15 *
16 * You should have received a copy of the GNU General Public License
17 * along with Shishi; if not, write to the Free Software
18 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
19 *
20 */
21
22 #include "internal.h"
23
24 struct Shishi_ap
25 {
26 Shishi *handle;
27 Shishi_tkt *tkt;
28 Shishi_key *key;
29 Shishi_asn1 authenticator;
30 Shishi_asn1 apreq;
31 Shishi_asn1 aprep;
32 Shishi_asn1 encapreppart;
33 int authenticatorcksumkeyusage;
34 int authenticatorkeyusage;
35 int authenticatorcksumtype;
36 char *authenticatorcksumdata;
37 size_t authenticatorcksumdatalen;
38 };
39
40 /**
41 * shishi_ap:
42 * @handle: shishi handle as allocated by shishi_init().
43 * @ap: pointer to new structure that holds information about AP exchange
44 *
45 * Create a new AP exchange.
46 *
47 * Return value: Returns SHISHI_OK iff successful.
48 **/
49 int
50 shishi_ap (Shishi * handle, Shishi_ap ** ap)
51 {
52 int res;
53
54 res = shishi_ap_nosubkey (handle, ap);
55 if (res != SHISHI_OK)
56 {
57 shishi_error_printf (handle, "Could not create Authenticator: %s\n",
58 shishi_error (handle));
59 return res;
60 }
61
62 res = shishi_authenticator_add_random_subkey (handle, (*ap)->authenticator);
63 if (res != SHISHI_OK)
64 {
65 shishi_error_printf (handle, "Could not add random subkey in AP: %s\n",
66 shishi_strerror (res));
67 return res;
68 }
69
70 return SHISHI_OK;
71 }
72
73 /**
74 * shishi_ap_nosubkey:
75 * @handle: shishi handle as allocated by shishi_init().
76 * @ap: pointer to new structure that holds information about AP exchange
77 *
78 * Create a new AP exchange without subkey in authenticator.
79 *
80 * Return value: Returns SHISHI_OK iff successful.
81 **/
82 int
83 shishi_ap_nosubkey (Shishi * handle, Shishi_ap ** ap)
84 {
85 Shishi_ap *lap;
86
87 *ap = xcalloc (1, sizeof (**ap));
88 lap = *ap;
89
90 lap->handle = handle;
91 lap->authenticatorcksumtype = SHISHI_NO_CKSUMTYPE;
92 lap->authenticatorcksumkeyusage = SHISHI_KEYUSAGE_APREQ_AUTHENTICATOR_CKSUM;
93 lap->authenticatorkeyusage = SHISHI_KEYUSAGE_APREQ_AUTHENTICATOR;
94
95 lap->authenticator = shishi_authenticator (handle);
96 if (lap->authenticator == NULL)
97 {
98 shishi_error_printf (handle, "Could not create Authenticator: %s\n",
99 shishi_error (handle));
100 return SHISHI_ASN1_ERROR;
101 }
102
103 lap->apreq = shishi_apreq (handle);
104 if (lap->apreq == NULL)
105 {
106 shishi_error_printf (handle, "Could not create AP-REQ: %s\n",
107 shishi_error (handle));
108 return SHISHI_ASN1_ERROR;
109 }
110
111 lap->aprep = shishi_aprep (handle);
112 if (lap->aprep == NULL)
113 {
114 shishi_error_printf (handle, "Could not create AP-REP: %s\n",
115 shishi_error (handle));
116 return SHISHI_ASN1_ERROR;
117 }
118
119 lap->encapreppart = shishi_encapreppart (handle);
120 if (lap->encapreppart == NULL)
121 {
122 shishi_error_printf (handle, "Could not create EncAPRepPart: %s\n",
123 shishi_error (handle));
124 return SHISHI_ASN1_ERROR;
125 }
126
127 return SHISHI_OK;
128 }
129
130 /**
131 * shishi_ap_done:
132 * @ap: structure that holds information about AP exchange
133 *
134 * Deallocate resources associated with AP exchange. This should be
135 * called by the application when it no longer need to utilize the AP
136 * exchange handle.
137 **/
138 void
139 shishi_ap_done (Shishi_ap * ap)
140 {
141 shishi_asn1_done (ap->handle, ap->authenticator);
142 shishi_asn1_done (ap->handle, ap->apreq);
143 shishi_asn1_done (ap->handle, ap->aprep);
144 shishi_asn1_done (ap->handle, ap->encapreppart);
145 free (ap);
146 }
147
148 /**
149 * shishi_ap_set_tktoptions:
150 * @ap: structure that holds information about AP exchange
151 * @tkt: ticket to set in AP.
152 * @options: AP-REQ options to set in AP.
153 *
154 * Set the ticket (see shishi_ap_tkt_set()) and set the AP-REQ
155 * apoptions (see shishi_apreq_options_set()).
156 *
157 * Return value: Returns SHISHI_OK iff successful.
158 **/
159 int
160 shishi_ap_set_tktoptions (Shishi_ap * ap, Shishi_tkt * tkt, int options)
161 {
162 int rc;
163
164 shishi_ap_tkt_set (ap, tkt);
165
166 rc = shishi_apreq_options_set (ap->handle, shishi_ap_req (ap), options);
167 if (rc != SHISHI_OK)
168 {
169 printf ("Could not set AP-Options: %s", shishi_strerror (rc));
170 return rc;
171 }
172
173 return SHISHI_OK;
174 }
175
176 /**
177 * shishi_ap_set_tktoptionsdata:
178 * @ap: structure that holds information about AP exchange
179 * @tkt: ticket to set in AP.
180 * @options: AP-REQ options to set in AP.
181 * @data: input array with data to checksum in Authenticator.
182 * @len: length of input array with data to checksum in Authenticator.
183 *
184 * Set the ticket (see shishi_ap_tkt_set()) and set the AP-REQ
185 * apoptions (see shishi_apreq_options_set()) and set the
186 * Authenticator checksum data.
187 *
188 * Return value: Returns SHISHI_OK iff successful.
189 **/
190 int
191 shishi_ap_set_tktoptionsdata (Shishi_ap * ap,
192 Shishi_tkt * tkt,
193 int options, const char *data, size_t len)
194 {
195 int rc;
196
197 shishi_ap_tkt_set (ap, tkt);
198
199 rc = shishi_apreq_options_set (ap->handle, shishi_ap_req (ap), options);
200 if (rc != SHISHI_OK)
201 {
202 printf ("Could not set AP-Options: %s", shishi_strerror (rc));
203 return rc;
204 }
205
206 shishi_ap_authenticator_cksumdata_set (ap, data, len);
207
208 return SHISHI_OK;
209 }
210
211 /**
212 * shishi_ap_set_tktoptionsasn1usage:
213 * @ap: structure that holds information about AP exchange
214 * @tkt: ticket to set in AP.
215 * @options: AP-REQ options to set in AP.
216 * @node: input ASN.1 structure to store as authenticator checksum data.
217 * @field: field in ASN.1 structure to use.
218 * @authenticatorcksumkeyusage: key usage for checksum in authenticator.
219 * @authenticatorkeyusage: key usage for authenticator.
220 *
221 * Set ticket, options and authenticator checksum data using
222 * shishi_ap_set_tktoptionsdata(). The authenticator checksum data is
223 * the DER encoding of the ASN.1 field provided.
224 *
225 * Return value: Returns SHISHI_OK iff successful.
226 **/
227 int
228 shishi_ap_set_tktoptionsasn1usage (Shishi_ap * ap,
229 Shishi_tkt * tkt,
230 int options,
231 Shishi_asn1 node,
232 char *field,
233 int authenticatorcksumkeyusage,
234 int authenticatorkeyusage)
235 {
236 char *buf;
237 int buflen;
238 int res;
239
240 res = shishi_a2d_new_field (ap->handle, node, field, &buf, &buflen);
241 if (res != SHISHI_OK)
242 return res;
243
244 /* XXX what is this? */
245 memmove (buf, buf + 2, buflen - 2);
246 buflen -= 2;
247
248 res = shishi_ap_set_tktoptionsdata (ap, tkt, options, buf, buflen);
249 if (res != SHISHI_OK)
250 return res;
251
252 ap->authenticatorcksumkeyusage = authenticatorcksumkeyusage;
253 ap->authenticatorkeyusage = authenticatorkeyusage;
254
255 return SHISHI_OK;
256 }
257
258 /**
259 * shishi_ap_tktoptions:
260 * @handle: shishi handle as allocated by shishi_init().
261 * @ap: pointer to new structure that holds information about AP exchange
262 * @tkt: ticket to set in newly created AP.
263 * @options: AP-REQ options to set in newly created AP.
264 *
265 * Create a new AP exchange using shishi_ap(), and set the ticket and
266 * AP-REQ apoptions using shishi_ap_set_tktoption().
267 *
268 * Return value: Returns SHISHI_OK iff successful.
269 **/
270 int
271 shishi_ap_tktoptions (Shishi * handle,
272 Shishi_ap ** ap, Shishi_tkt * tkt, int options)
273 {
274 int rc;
275
276 rc = shishi_ap (handle, ap);
277 if (rc != SHISHI_OK)
278 return rc;
279
280 rc = shishi_ap_set_tktoptions (*ap, tkt, options);
281 if (rc != SHISHI_OK)
282 return rc;
283
284 return SHISHI_OK;
285 }
286
287 /**
288 * shishi_ap_tktoptionsdata:
289 * @handle: shishi handle as allocated by shishi_init().
290 * @ap: pointer to new structure that holds information about AP exchange
291 * @tkt: ticket to set in newly created AP.
292 * @options: AP-REQ options to set in newly created AP.
293 * @data: input array with data to checksum in Authenticator.
294 * @len: length of input array with data to checksum in Authenticator.
295 *
296 * Create a new AP exchange using shishi_ap(), and set the ticket,
297 * AP-REQ apoptions and the Authenticator checksum data using
298 * shishi_ap_set_tktoptionsdata().
299 *
300 * Return value: Returns SHISHI_OK iff successful.
301 **/
302 int
303 shishi_ap_tktoptionsdata (Shishi * handle,
304 Shishi_ap ** ap,
305 Shishi_tkt * tkt, int options,
306 const char *data, size_t len)
307 {
308 int rc;
309
310 rc = shishi_ap (handle, ap);
311 if (rc != SHISHI_OK)
312 return rc;
313
314 rc = shishi_ap_set_tktoptionsdata (*ap, tkt, options, data, len);
315 if (rc != SHISHI_OK)
316 return rc;
317
318 return SHISHI_OK;
319 }
320
321 /**
322 * shishi_ap_tktoptionsasn1usage:
323 * @handle: shishi handle as allocated by shishi_init().
324 * @ap: pointer to new structure that holds information about AP exchange
325 * @tkt: ticket to set in newly created AP.
326 * @options: AP-REQ options to set in newly created AP.
327 * @node: input ASN.1 structure to store as authenticator checksum data.
328 * @field: field in ASN.1 structure to use.
329 * @authenticatorcksumkeyusage: key usage for checksum in authenticator.
330 * @authenticatorkeyusage: key usage for authenticator.
331 *
332 * Create a new AP exchange using shishi_ap(), and set ticket, options
333 * and authenticator checksum data from the DER encoding of the ASN.1
334 * field using shishi_ap_set_tktoptionsasn1usage().
335 *
336 * Return value: Returns SHISHI_OK iff successful.
337 **/
338 int
339 shishi_ap_tktoptionsasn1usage (Shishi * handle,
340 Shishi_ap ** ap,
341 Shishi_tkt * tkt,
342 int options,
343 Shishi_asn1 node,
344 char *field,
345 int authenticatorcksumkeyusage,
346 int authenticatorkeyusage)
347 {
348 int rc;
349
350 rc = shishi_ap (handle, ap);
351 if (rc != SHISHI_OK)
352 return rc;
353
354 rc = shishi_ap_set_tktoptionsasn1usage (*ap, tkt, options,
355 node, field,
356 authenticatorcksumkeyusage,
357 authenticatorkeyusage);
358 if (rc != SHISHI_OK)
359 return rc;
360
361 return SHISHI_OK;
362 }
363
364 /**
365 * shishi_ap_tkt:
366 * @ap: structure that holds information about AP exchange
367 *
368 * Return value: Returns the ticket from the AP exchange, or NULL if
369 * not yet set or an error occured.
370 **/
371 Shishi_tkt *
372 shishi_ap_tkt (Shishi_ap * ap)
373 {
374 return ap->tkt;
375 }
376
377 /**
378 * shishi_ap_tkt_set:
379 * @ap: structure that holds information about AP exchange
380 * @tkt: ticket to store in AP.
381 *
382 * Set the Ticket in the AP exchange.
383 **/
384 void
385 shishi_ap_tkt_set (Shishi_ap * ap, Shishi_tkt * tkt)
386 {
387 ap->tkt = tkt;
388 }
389
390 /**
391 * shishi_ap_authenticatorcksumdata:
392 * @ap: structure that holds information about AP exchange
393 * @out: output array that holds authenticator checksum data.
394 * @len: on input, maximum length of output array that holds
395 * authenticator checksum data, on output actual length of
396 * output array that holds authenticator checksum data.
397 *
398 * Return value: Returns SHISHI_OK if successful, or
399 * SHISHI_TOO_SMALL_BUFFER if buffer provided was too small.
400 **/
401 int
402 shishi_ap_authenticator_cksumdata (Shishi_ap * ap, char *out, size_t * len)
403 {
404 if (*len < ap->authenticatorcksumdatalen)
405 return SHISHI_TOO_SMALL_BUFFER;
406 if (ap->authenticatorcksumdata)
407 memcpy (out, ap->authenticatorcksumdata, ap->authenticatorcksumdatalen);
408 *len = ap->authenticatorcksumdatalen;
409 return SHISHI_OK;
410 }
411
412 /**
413 * shishi_ap_authenticator_cksumdata_set:
414 * @ap: structure that holds information about AP exchange
415 * @authenticatorcksumdata: input array with authenticator checksum
416 * data to use in AP.
417 * @authenticatorcksumdatalen: length of input array with authenticator
418 * checksum data to use in AP.
419 *
420 * Set the Authenticator Checksum Data in the AP exchange.
421 **/
422 void
423 shishi_ap_authenticator_cksumdata_set (Shishi_ap * ap,
424 const char *authenticatorcksumdata,
425 size_t authenticatorcksumdatalen)
426 {
427 ap->authenticatorcksumdata = authenticatorcksumdata;
428 ap->authenticatorcksumdatalen = authenticatorcksumdatalen;
429 }
430
431 /**
432 * shishi_ap_authenticatorcksumtype:
433 * @ap: structure that holds information about AP exchange
434 *
435 * Get the Authenticator Checksum Type in the AP exchange.
436 *
437 * Return value: Return the authenticator checksum type.
438 **/
439 int
440 shishi_ap_authenticator_cksumtype (Shishi_ap * ap)
441 {
442 return ap->authenticatorcksumtype;
443 }
444
445 /**
446 * shishi_ap_authenticator_cksumtype_set:
447 * @ap: structure that holds information about AP exchange
448 * @cksumtype: authenticator checksum type to set in AP.
449 *
450 * Set the Authenticator Checksum Type in the AP exchange.
451 **/
452 void
453 shishi_ap_authenticator_cksumtype_set (Shishi_ap * ap, int cksumtype)
454 {
455 ap->authenticatorcksumtype = cksumtype;
456 }
457
458 /**
459 * shishi_ap_authenticator:
460 * @ap: structure that holds information about AP exchange
461 *
462 * Return value: Returns the Authenticator from the AP exchange, or
463 * NULL if not yet set or an error occured.
464 **/
465
466 Shishi_asn1
467 shishi_ap_authenticator (Shishi_ap * ap)
468 {
469 return ap->authenticator;
470 }
471
472 /**
473 * shishi_ap_authenticator_set:
474 * @ap: structure that holds information about AP exchange
475 * @authenticator: authenticator to store in AP.
476 *
477 * Set the Authenticator in the AP exchange.
478 **/
479 void
480 shishi_ap_authenticator_set (Shishi_ap * ap, Shishi_asn1 authenticator)
481 {
482 if (ap->authenticator)
483 shishi_asn1_done (ap->handle, ap->authenticator);
484 ap->authenticator = authenticator;
485 }
486
487 /**
488 * shishi_ap_req:
489 * @ap: structure that holds information about AP exchange
490 *
491 * Return value: Returns the AP-REQ from the AP exchange, or NULL if
492 * not yet set or an error occured.
493 **/
494 Shishi_asn1
495 shishi_ap_req (Shishi_ap * ap)
496 {
497 return ap->apreq;
498 }
499
500
501 /**
502 * shishi_ap_req_set:
503 * @ap: structure that holds information about AP exchange
504 * @apreq: apreq to store in AP.
505 *
506 * Set the AP-REQ in the AP exchange.
507 **/
508 void
509 shishi_ap_req_set (Shishi_ap * ap, Shishi_asn1 apreq)
510 {
511 if (ap->apreq)
512 shishi_asn1_done (ap->handle, ap->apreq);
513 ap->apreq = apreq;
514 }
515
516 /**
517 * shishi_ap_req_der:
518 * @ap: structure that holds information about AP exchange
519 * @out: pointer to output array with der encoding of AP-REQ.
520 * @outlen: pointer to length of output array with der encoding of AP-REQ.
521 *
522 * Build AP-REQ using shishi_ap_req_build() and DER encode it. @out
523 * is allocated by this function, and it is the responsibility of
524 * caller to deallocate it.
525 *
526 * Return value: Returns SHISHI_OK iff successful.
527 **/
528 int
529 shishi_ap_req_der (Shishi_ap * ap, char **out, size_t * outlen)
530 {
531 int rc;
532
533 rc = shishi_ap_req_build (ap);
534 if (rc != SHISHI_OK)
535 return rc;
536
537 rc = shishi_new_a2d (ap->handle, ap->apreq, out, outlen);
538 if (rc != SHISHI_OK)
539 return rc;
540
541 return SHISHI_OK;
542 }
543
544 /**
545 * shishi_ap_req_der_set:
546 * @ap: structure that holds information about AP exchange
547 * @der: input array with DER encoded AP-REQ.
548 * @derlen: length of input array with DER encoded AP-REQ.
549 *
550 * DER decode AP-REQ and set it AP exchange. If decoding fails, the
551 * AP-REQ in the AP exchange is lost.
552 *
553 * Return value: Returns SHISHI_OK.
554 **/
555 int
556 shishi_ap_req_der_set (Shishi_ap * ap, char *der, size_t derlen)
557 {
558 ap->apreq = shishi_der2asn1_apreq (ap->handle, der, derlen);
559
560 if (ap->apreq)
561 return SHISHI_OK;
562 else
563 return SHISHI_ASN1_ERROR;
564 }
565
566 /**
567 * shishi_ap_req_build:
568 * @ap: structure that holds information about AP exchange
569 *
570 * Checksum data in authenticator and add ticket and authenticator to
571 * AP-REQ.
572 *
573 * Return value: Returns SHISHI_OK iff successful.
574 **/
575 int
576 shishi_ap_req_build (Shishi_ap * ap)
577 {
578 int res;
579 int cksumtype;
580
581 if (VERBOSE (ap->handle))
582 printf ("Building AP-REQ...\n");
583
584 res = shishi_apreq_set_ticket (ap->handle, ap->apreq,
585 shishi_tkt_ticket (ap->tkt));
586 if (res != SHISHI_OK)
587 {
588 shishi_error_printf (ap->handle, "Could not set ticket in AP-REQ: %s\n",
589 shishi_error (ap->handle));
590 return res;
591 }
592
593 cksumtype = shishi_ap_authenticator_cksumtype (ap);
594 if (cksumtype == SHISHI_NO_CKSUMTYPE)
595 res = shishi_authenticator_add_cksum (ap->handle, ap->authenticator,
596 shishi_tkt_key (ap->tkt),
597 ap->authenticatorcksumkeyusage,
598 ap->authenticatorcksumdata,
599 ap->authenticatorcksumdatalen);
600 else
601 res = shishi_authenticator_add_cksum_type (ap->handle, ap->authenticator,
602 shishi_tkt_key (ap->tkt),
603 ap->authenticatorcksumkeyusage,
604 cksumtype,
605 ap->authenticatorcksumdata,
606 ap->authenticatorcksumdatalen);
607 if (res != SHISHI_OK)
608 {
609 shishi_error_printf (ap->handle,
610 "Could not add checksum to authenticator: %s\n",
611 shishi_error (ap->handle));
612 return res;
613 }
614
615 if (VERBOSE (ap->handle))
616 printf ("Got Authenticator...\n");
617
618 if (VERBOSEASN1 (ap->handle))
619 shishi_authenticator_print (ap->handle, stdout, ap->authenticator);
620
621 res = shishi_apreq_add_authenticator (ap->handle, ap->apreq,
622 shishi_tkt_key (ap->tkt),
623 ap->authenticatorkeyusage,
624 ap->authenticator);
625 if (res != SHISHI_OK)
626 {
627 shishi_error_printf (ap->handle, "Could not set authenticator: %s\n",
628 shishi_error (ap->handle));
629 return res;
630 }
631
632 if (VERBOSEASN1 (ap->handle))
633 shishi_apreq_print (ap->handle, stdout, ap->apreq);
634
635 return SHISHI_OK;
636 }
637
638 /**
639 * shishi_ap_req_process_keyusage:
640 * @ap: structure that holds information about AP exchange
641 * @key: cryptographic key used to decrypt ticket in AP-REQ.
642 * @keyusage: key usage to use during decryption, for normal
643 * AP-REQ's this is normally SHISHI_KEYUSAGE_APREQ_AUTHENTICATOR,
644 * for AP-REQ's part of TGS-REQ's, this is normally
645 * SHISHI_KEYUSAGE_TGSREQ_APREQ_AUTHENTICATOR.
646 *
647 * Decrypt ticket in AP-REQ using supplied key and decrypt
648 * Authenticator in AP-REQ using key in decrypted ticket, and on
649 * success set the Ticket and Authenticator fields in the AP exchange.
650 *
651 * Return value: Returns SHISHI_OK iff successful.
652 **/
653 int
654 shishi_ap_req_process_keyusage (Shishi_ap * ap,
655 Shishi_key * key, int32_t keyusage)
656 {
657 Shishi_asn1 ticket, authenticator;
658 Shishi_tkt *tkt;
659 Shishi_key *tktkey;
660 int rc;
661
662 if (VERBOSEASN1 (ap->handle))
663 shishi_apreq_print (ap->handle, stdout, ap->apreq);
664
665 rc = shishi_apreq_get_ticket (ap->handle, ap->apreq, &ticket);
666 if (rc != SHISHI_OK)
667 {
668 shishi_error_printf (ap->handle,
669 "Could not extract ticket from AP-REQ: %s\n",
670 shishi_strerror (rc));
671 return rc;
672 }
673
674 if (VERBOSEASN1 (ap->handle))
675 shishi_ticket_print (ap->handle, stdout, ticket);
676
677 tkt = shishi_tkt2 (ap->handle, ticket, NULL, NULL);
678
679 rc = shishi_tkt_decrypt (tkt, key);
680 if (rc != SHISHI_OK)
681 {
682 shishi_error_printf (ap->handle, "Error decrypting ticket: %s\n",
683 shishi_strerror (rc));
684 return rc;
685 }
686
687 rc = shishi_encticketpart_get_key (ap->handle,
688 shishi_tkt_encticketpart (tkt), &tktkey);
689 if (rc != SHISHI_OK)
690 {
691 shishi_error_printf (ap->handle, "Could not get key from ticket: %s\n",
692 shishi_strerror (rc));
693 return rc;
694 }
695
696 if (VERBOSEASN1 (ap->handle))
697 shishi_encticketpart_print (ap->handle, stdout,
698 shishi_tkt_encticketpart (tkt));
699
700 rc = shishi_apreq_decrypt (ap->handle, ap->apreq, tktkey,
701 keyusage, &authenticator);
702 if (rc != SHISHI_OK)
703 {
704 shishi_error_printf (ap->handle, "Error decrypting apreq: %s\n",
705 shishi_strerror (rc));
706 return rc;
707 }
708
709 /* XXX? verify checksum in authenticator. */
710
711 if (VERBOSEASN1 (ap->handle))
712 shishi_authenticator_print (ap->handle, stdout, authenticator);
713
714 ap->tkt = tkt;
715 ap->authenticator = authenticator;
716
717 return SHISHI_OK;
718 }
719
720 /**
721 * shishi_ap_req_process:
722 * @ap: structure that holds information about AP exchange
723 * @key: cryptographic key used to decrypt ticket in AP-REQ.
724 *
725 * Decrypt ticket in AP-REQ using supplied key and decrypt
726 * Authenticator in AP-REQ using key in decrypted ticket, and on
727 * success set the Ticket and Authenticator fields in the AP exchange.
728 *
729 * Return value: Returns SHISHI_OK iff successful.
730 **/
731 int
732 shishi_ap_req_process (Shishi_ap * ap, Shishi_key * key)
733 {
734 return shishi_ap_req_process_keyusage (ap, key,
735 SHISHI_KEYUSAGE_APREQ_AUTHENTICATOR);
736 }
737
738 /**
739 * shishi_ap_req_asn1:
740 * @ap: structure that holds information about AP exchange
741 * @apreq: output AP-REQ variable.
742 *
743 * Build AP-REQ using shishi_ap_req_build() and return it.
744 *
745 * Return value: Returns SHISHI_OK iff successful.
746 **/
747 int
748 shishi_ap_req_asn1 (Shishi_ap * ap, Shishi_asn1 * apreq)
749 {
750 int rc;
751
752 rc = shishi_ap_req_build (ap);
753 if (rc != SHISHI_OK)
754 return rc;
755
756 *apreq = ap->apreq;
757
758 return SHISHI_OK;
759 }
760
761 /**
762 * shishi_ap_key:
763 * @ap: structure that holds information about AP exchange
764 *
765 * Extract the application key from AP. If subkeys are used, it is
766 * taken from the Authenticator, otherwise the session key is used.
767 *
768 * Return value: Return application key from AP.
769 **/
770 Shishi_key *
771 shishi_ap_key (Shishi_ap * ap)
772 {
773 int rc;
774
775 /* XXX do real check if subkey is present, don't just assume error
776 means no subkey */
777
778 rc = shishi_authenticator_get_subkey (ap->handle, ap->authenticator,
779 &ap->key);
780 if (rc != SHISHI_OK)
781 ap->key = shishi_tkt_key (ap->tkt);
782
783 return ap->key;
784 }
785
786 /**
787 * shishi_ap_rep:
788 * @ap: structure that holds information about AP exchange
789 *
790 * Return value: Returns the AP-REP from the AP exchange, or NULL if
791 * not yet set or an error occured.
792 **/
793 Shishi_asn1
794 shishi_ap_rep (Shishi_ap * ap)
795 {
796 return ap->aprep;
797 }
798
799 /**
800 * shishi_ap_rep_set:
801 * @ap: structure that holds information about AP exchange
802 * @aprep: aprep to store in AP.
803 *
804 * Set the AP-REP in the AP exchange.
805 **/
806 void
807 shishi_ap_rep_set (Shishi_ap * ap, Shishi_asn1 aprep)
808 {
809 if (ap->aprep)
810 shishi_asn1_done (ap->handle, ap->aprep);
811 ap->aprep = aprep;
812 }
813
814 /**
815 * shishi_ap_rep_der:
816 * @ap: structure that holds information about AP exchange
817 * @out: output array with newly allocated DER encoding of AP-REP.
818 * @outlen: length of output array with DER encoding of AP-REP.
819 *
820 * Build AP-REP using shishi_ap_rep_build() and DER encode it. @out
821 * is allocated by this function, and it is the responsibility of
822 * caller to deallocate it.
823 *
824 * Return value: Returns SHISHI_OK iff successful.
825 **/
826 int
827 shishi_ap_rep_der (Shishi_ap * ap, char **out, size_t * outlen)
828 {
829 int rc;
830
831 rc = shishi_ap_rep_build (ap);
832 if (rc != SHISHI_OK)
833 return rc;
834
835 rc = shishi_new_a2d (ap->handle, ap->aprep, out, outlen);
836 if (rc != SHISHI_OK)
837 return rc;
838
839 return SHISHI_OK;
840 }
841
842 /**
843 * shishi_ap_rep_der_set:
844 * @ap: structure that holds information about AP exchange
845 * @der: input array with DER encoded AP-REP.
846 * @derlen: length of input array with DER encoded AP-REP.
847 *
848 * DER decode AP-REP and set it AP exchange. If decoding fails, the
849 * AP-REP in the AP exchange remains.
850 *
851 * Return value: Returns SHISHI_OK.
852 **/
853 int
854 shishi_ap_rep_der_set (Shishi_ap * ap, char *der, size_t derlen)
855 {
856 Shishi_asn1 aprep;
857
858 aprep = shishi_der2asn1_aprep (ap->handle, der, derlen);
859
860 if (!aprep)
861 return SHISHI_ASN1_ERROR;
862
863 ap->aprep = aprep;
864
865 return SHISHI_OK;
866 }
867
868 /**
869 * shishi_ap_rep_build:
870 * @ap: structure that holds information about AP exchange
871 *
872 * Checksum data in authenticator and add ticket and authenticator to
873 * AP-REP.
874 *
875 * Return value: Returns SHISHI_OK iff successful.
876 **/
877 int
878 shishi_ap_rep_build (Shishi_ap * ap)
879 {
880 Shishi_asn1 aprep;
881 int rc;
882
883 if (VERBOSE (ap->handle))
884 printf ("Building AP-REP...\n");
885
886 aprep = shishi_aprep (ap->handle);
887 rc = shishi_aprep_enc_part_make (ap->handle, aprep, ap->authenticator,
888 shishi_tkt_encticketpart (ap->tkt));
889 if (rc != SHISHI_OK)
890 {
891 shishi_error_printf (ap->handle, "Error creating AP-REP: %s\n",
892 shishi_strerror (rc));
893 return rc;
894 }
895
896 if (VERBOSEASN1 (ap->handle))
897 shishi_aprep_print (ap->handle, stdout, aprep);
898
899 shishi_ap_rep_set (ap, aprep);
900
901 return SHISHI_OK;
902 }
903
904 /**
905 * shishi_ap_rep_asn1:
906 * @ap: structure that holds information about AP exchange
907 * @aprep: output AP-REP variable.
908 *
909 * Build AP-REP using shishi_ap_rep_build() and return it.
910 *
911 * Return value: Returns SHISHI_OK iff successful.
912 **/
913 int
914 shishi_ap_rep_asn1 (Shishi_ap * ap, Shishi_asn1 * aprep)
915 {
916 int rc;
917
918 rc = shishi_ap_rep_build (ap);
919 if (rc != SHISHI_OK)
920 return rc;
921
922 *aprep = ap->aprep;
923
924 return SHISHI_OK;
925 }
926
927 /**
928 * shishi_ap_rep_verify:
929 * @ap: structure that holds information about AP exchange
930 *
931 * Verify AP-REP compared to Authenticator.
932 *
933 * Return value: Returns SHISHI_OK, SHISHI_APREP_VERIFY_FAILED or an
934 * error.
935 **/
936 int
937 shishi_ap_rep_verify (Shishi_ap * ap)
938 {
939 int res;
940
941 if (VERBOSE (ap->handle))
942 printf ("Decrypting AP-REP...\n");
943
944 if (VERBOSEASN1 (ap->handle))
945 shishi_aprep_print (ap->handle, stdout, ap->aprep);
946
947 res = shishi_aprep_decrypt (ap->handle, ap->aprep,
948 shishi_tkt_key (ap->tkt),
949 SHISHI_KEYUSAGE_ENCAPREPPART,
950 &ap->encapreppart);
951 if (res != SHISHI_OK)
952 return res;
953
954 if (VERBOSEASN1 (ap->handle))
955 shishi_encapreppart_print (ap->handle, stdout, ap->encapreppart);
956
957 res = shishi_aprep_verify (ap->handle, ap->authenticator, ap->encapreppart);
958 if (res != SHISHI_OK)
959 return res;
960
961 if (VERBOSE (ap->handle))
962 printf ("Verified AP-REP successfully...\n");
963
964 return SHISHI_OK;
965 }
966
967 /**
968 * shishi_ap_rep_verify_der:
969 * @ap: structure that holds information about AP exchange
970 * @der: input array with DER encoded AP-REP.
971 * @derlen: length of input array with DER encoded AP-REP.
972 *
973 * DER decode AP-REP and set it in AP exchange using
974 * shishi_ap_rep_der_set() and verify it using shishi_ap_rep_verify().
975 *
976 * Return value: Returns SHISHI_OK, SHISHI_APREP_VERIFY_FAILED or an
977 * error.
978 **/
979 int
980 shishi_ap_rep_verify_der (Shishi_ap * ap, char *der, size_t derlen)
981 {
982 int res;
983
984 res = shishi_ap_rep_der_set (ap, der, derlen);
985 if (res != SHISHI_OK)
986 return res;
987
988 res = shishi_ap_rep_verify (ap);
989 if (res != SHISHI_OK)
990 return res;
991
992 return SHISHI_OK;
993 }
994
995 /**
996 * shishi_ap_rep_verify_asn1:
997 * @ap: structure that holds information about AP exchange
998 * @aprep: input AP-REP.
999 *
1000 * Set the AP-REP in the AP exchange using shishi_ap_rep_set() and
1001 * verify it using shishi_ap_rep_verify().
1002 *
1003 * Return value: Returns SHISHI_OK, SHISHI_APREP_VERIFY_FAILED or an
1004 * error.
1005 **/
1006 int
1007 shishi_ap_rep_verify_asn1 (Shishi_ap * ap, Shishi_asn1 aprep)
1008 {
1009 int res;
1010
1011 shishi_ap_rep_set (ap, aprep);
1012
1013 res = shishi_ap_rep_verify (ap);
1014 if (res != SHISHI_OK)
1015 return res;
1016
1017 return SHISHI_OK;
1018 }
1019
1020 /**
1021 * shishi_ap_rep:
1022 * @ap: structure that holds information about AP exchange
1023 *
1024 * Return value: Returns the EncAPREPPart from the AP exchange, or
1025 * NULL if not yet set or an error occured.
1026 **/
1027 Shishi_asn1
1028 shishi_ap_encapreppart (Shishi_ap * ap)
1029 {
1030 return ap->encapreppart;
1031 }
1032
1033 /**
1034 * shishi_ap_encapreppart_set:
1035 * @ap: structure that holds information about AP exchange
1036 * @encapreppart: EncAPRepPart to store in AP.
1037 *
1038 * Set the EncAPRepPart in the AP exchange.
1039 **/
1040 void
1041 shishi_ap_encapreppart_set (Shishi_ap * ap, Shishi_asn1 encapreppart)
1042 {
1043 if (ap->encapreppart)
1044 shishi_asn1_done (ap->handle, ap->encapreppart);
1045 ap->encapreppart = encapreppart;
1046 }
1047
1048 #define APOPTION_RESERVED "reserved"
1049 #define APOPTION_USE_SESSION_KEY "use-session-key"
1050 #define APOPTION_MUTUAL_REQUIRED "mutual-required"
1051 #define APOPTION_UNKNOWN "unknown"
1052
1053 /**
1054 * shishi_ap_option2string:
1055 * @option: enumerated AP-Option type, see Shishi_apoptions.
1056 *
1057 * Convert AP-Option type to AP-Option name string. Note that @option
1058 * must be just one of the AP-Option types, it cannot be an binary
1059 * ORed indicating several AP-Options.
1060 *
1061 * Return value: Returns static string with name of AP-Option that
1062 * must not be deallocated, or "unknown" if AP-Option was not understood.
1063 **/
1064 const char *
1065 shishi_ap_option2string (Shishi_apoptions option)
1066 {
1067 char *str;
1068
1069 switch (option)
1070 {
1071 case SHISHI_APOPTIONS_RESERVED:
1072 str = APOPTION_RESERVED;
1073 break;
1074
1075 case SHISHI_APOPTIONS_USE_SESSION_KEY:
1076 str = APOPTION_USE_SESSION_KEY;
1077 break;
1078
1079 case SHISHI_APOPTIONS_MUTUAL_REQUIRED:
1080 str = APOPTION_MUTUAL_REQUIRED;
1081 break;
1082
1083 default:
1084 str = APOPTION_UNKNOWN;
1085 break;
1086 }
1087
1088 return str;
1089 }
1090
1091 /**
1092 * shishi_ap_string2option:
1093 * @str: zero terminated character array with name of AP-Option,
1094 * e.g. "use-session-key".
1095 *
1096 * Convert AP-Option name to AP-Option type.
1097 *
1098 * Return value: Returns enumerated type member corresponding to AP-Option,
1099 * or 0 if string was not understood.
1100 **/
1101 Shishi_apoptions
1102 shishi_ap_string2option (const char *str)
1103 {
1104 int option;
1105
1106 if (strcasecmp (str, APOPTION_RESERVED) == 0)
1107 option = SHISHI_APOPTIONS_RESERVED;
1108 else if (strcasecmp (str, APOPTION_USE_SESSION_KEY) == 0)
1109 option = SHISHI_APOPTIONS_USE_SESSION_KEY;
1110 else if (strcasecmp (str, APOPTION_MUTUAL_REQUIRED) == 0)
1111 option = SHISHI_APOPTIONS_MUTUAL_REQUIRED;
1112 else
1113 option = strtol (str, (char **) NULL, 0);
1114
1115 return option;
1116 }
Free Kerberos V5 implementation