search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Fix API.
[shishi.git] / lib / ap.c
blob91a9e72592554271ee79e1f3f296a8d7dbd9f9b4
1 /* ap.c AP functions
2 * Copyright (C) 2002, 2003 Simon Josefsson
3 *
4 * This file is part of Shishi.
5 *
6 * Shishi is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 2 of the License, or
9 * (at your option) any later version.
10 *
11 * Shishi is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
15 *
16 * You should have received a copy of the GNU General Public License
17 * along with Shishi; if not, write to the Free Software
18 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
19 *
20 */
21
22 #include "internal.h"
23
24 struct Shishi_ap
25 {
26 Shishi *handle;
27 Shishi_tkt *tkt;
28 Shishi_key *key;
29 Shishi_asn1 authenticator;
30 Shishi_asn1 apreq;
31 Shishi_asn1 aprep;
32 Shishi_asn1 encapreppart;
33 int authenticatorcksumkeyusage;
34 int authenticatorkeyusage;
35 int authenticatorcksumtype;
36 char *authenticatorcksumdata;
37 int authenticatorcksumdatalen;
38 };
39
40 /**
41 * shishi_ap:
42 * @handle: shishi handle as allocated by shishi_init().
43 * @ap: pointer to new structure that holds information about AP exchange
44 *
45 * Create a new AP exchange.
46 *
47 * Return value: Returns SHISHI_OK iff successful.
48 **/
49 int
50 shishi_ap (Shishi * handle, Shishi_ap ** ap)
51 {
52 int res;
53
54 res = shishi_ap_nosubkey (handle, ap);
55 if (res != SHISHI_OK)
56 {
57 shishi_error_printf (handle, "Could not create Authenticator: %s\n",
58 shishi_error (handle));
59 return res;
60 }
61
62 res = shishi_authenticator_add_random_subkey (handle, (*ap)->authenticator);
63 if (res != SHISHI_OK)
64 {
65 shishi_error_printf (handle, "Could not add random subkey in AP: %s\n",
66 shishi_strerror (res));
67 return res;
68 }
69
70 return SHISHI_OK;
71 }
72
73 /**
74 * shishi_ap_nosubkey:
75 * @handle: shishi handle as allocated by shishi_init().
76 * @ap: pointer to new structure that holds information about AP exchange
77 *
78 * Create a new AP exchange without subkey in authenticator.
79 *
80 * Return value: Returns SHISHI_OK iff successful.
81 **/
82 int
83 shishi_ap_nosubkey (Shishi * handle, Shishi_ap ** ap)
84 {
85 Shishi_ap *lap;
86
87 *ap = xcalloc (1, sizeof (**ap));
88 lap = *ap;
89
90 lap->handle = handle;
91 lap->authenticatorcksumtype = SHISHI_NO_CKSUMTYPE;
92 lap->authenticatorcksumkeyusage = SHISHI_KEYUSAGE_APREQ_AUTHENTICATOR_CKSUM;
93 lap->authenticatorkeyusage = SHISHI_KEYUSAGE_APREQ_AUTHENTICATOR;
94
95 lap->authenticator = shishi_authenticator (handle);
96 if (lap->authenticator == NULL)
97 {
98 shishi_error_printf (handle, "Could not create Authenticator: %s\n",
99 shishi_error (handle));
100 return SHISHI_ASN1_ERROR;
101 }
102
103 lap->apreq = shishi_apreq (handle);
104 if (lap->apreq == NULL)
105 {
106 shishi_error_printf (handle, "Could not create AP-REQ: %s\n",
107 shishi_error (handle));
108 return SHISHI_ASN1_ERROR;
109 }
110
111 lap->aprep = shishi_aprep (handle);
112 if (lap->aprep == NULL)
113 {
114 shishi_error_printf (handle, "Could not create AP-REP: %s\n",
115 shishi_error (handle));
116 return SHISHI_ASN1_ERROR;
117 }
118
119 lap->encapreppart = shishi_encapreppart (handle);
120 if (lap->encapreppart == NULL)
121 {
122 shishi_error_printf (handle, "Could not create EncAPRepPart: %s\n",
123 shishi_error (handle));
124 return SHISHI_ASN1_ERROR;
125 }
126
127 return SHISHI_OK;
128 }
129
130 /**
131 * shishi_ap_done:
132 * @ap: structure that holds information about AP exchange
133 *
134 * Deallocate resources associated with AP exchange. This should be
135 * called by the application when it no longer need to utilize the AP
136 * exchange handle.
137 **/
138 void
139 shishi_ap_done (Shishi_ap * ap)
140 {
141 shishi_asn1_done (ap->handle, ap->authenticator);
142 shishi_asn1_done (ap->handle, ap->apreq);
143 shishi_asn1_done (ap->handle, ap->aprep);
144 shishi_asn1_done (ap->handle, ap->encapreppart);
145 free (ap);
146 }
147
148 /**
149 * shishi_ap_set_tktoptions:
150 * @ap: structure that holds information about AP exchange
151 * @tkt: ticket to set in AP.
152 * @options: AP-REQ options to set in AP.
153 *
154 * Set the ticket (see shishi_ap_tkt_set()) and set the AP-REQ
155 * apoptions (see shishi_apreq_options_set()).
156 *
157 * Return value: Returns SHISHI_OK iff successful.
158 **/
159 int
160 shishi_ap_set_tktoptions (Shishi_ap * ap, Shishi_tkt * tkt, int options)
161 {
162 int rc;
163
164 shishi_ap_tkt_set (ap, tkt);
165
166 rc = shishi_apreq_options_set (ap->handle, shishi_ap_req (ap), options);
167 if (rc != SHISHI_OK)
168 {
169 printf ("Could not set AP-Options: %s", shishi_strerror (rc));
170 return rc;
171 }
172
173 return SHISHI_OK;
174 }
175
176 /**
177 * shishi_ap_set_tktoptionsdata:
178 * @ap: structure that holds information about AP exchange
179 * @tkt: ticket to set in AP.
180 * @options: AP-REQ options to set in AP.
181 * @data: input array with data to checksum in Authenticator.
182 * @len: length of input array with data to checksum in Authenticator.
183 *
184 * Set the ticket (see shishi_ap_tkt_set()) and set the AP-REQ
185 * apoptions (see shishi_apreq_options_set()) and set the
186 * Authenticator checksum data.
187 *
188 * Return value: Returns SHISHI_OK iff successful.
189 **/
190 int
191 shishi_ap_set_tktoptionsdata (Shishi_ap * ap,
192 Shishi_tkt * tkt,
193 int options, char *data, int len)
194 {
195 int rc;
196
197 shishi_ap_tkt_set (ap, tkt);
198
199 rc = shishi_apreq_options_set (ap->handle, shishi_ap_req (ap), options);
200 if (rc != SHISHI_OK)
201 {
202 printf ("Could not set AP-Options: %s", shishi_strerror (rc));
203 return rc;
204 }
205
206 shishi_ap_authenticator_cksumdata_set (ap, data, len);
207
208 return SHISHI_OK;
209 }
210
211 /**
212 * shishi_ap_set_tktoptionsasn1usage:
213 * @ap: structure that holds information about AP exchange
214 * @tkt: ticket to set in AP.
215 * @options: AP-REQ options to set in AP.
216 * @node: input ASN.1 structure to store as authenticator checksum data.
217 * @field: field in ASN.1 structure to use.
218 * @authenticatorcksumkeyusage: key usage for checksum in authenticator.
219 * @authenticatorkeyusage: key usage for authenticator.
220 *
221 * Set ticket, options and authenticator checksum data using
222 * shishi_ap_set_tktoptionsdata(). The authenticator checksum data is
223 * the DER encoding of the ASN.1 field provided.
224 *
225 * Return value: Returns SHISHI_OK iff successful.
226 **/
227 int
228 shishi_ap_set_tktoptionsasn1usage (Shishi_ap * ap,
229 Shishi_tkt * tkt,
230 int options,
231 Shishi_asn1 node,
232 char *field,
233 int authenticatorcksumkeyusage,
234 int authenticatorkeyusage)
235 {
236 char *buf;
237 int buflen;
238 int res;
239
240 res = shishi_a2d_new_field (ap->handle, node, field, &buf, &buflen);
241 if (res != SHISHI_OK)
242 return res;
243
244 /* XXX what is this? */
245 memmove (buf, buf + 2, buflen - 2);
246 buflen -= 2;
247
248 res = shishi_ap_set_tktoptionsdata (ap, tkt, options, buf, buflen);
249 if (res != SHISHI_OK)
250 return res;
251
252 ap->authenticatorcksumkeyusage = authenticatorcksumkeyusage;
253 ap->authenticatorkeyusage = authenticatorkeyusage;
254
255 return SHISHI_OK;
256 }
257
258 /**
259 * shishi_ap_tktoptions:
260 * @handle: shishi handle as allocated by shishi_init().
261 * @ap: pointer to new structure that holds information about AP exchange
262 * @tkt: ticket to set in newly created AP.
263 * @options: AP-REQ options to set in newly created AP.
264 *
265 * Create a new AP exchange using shishi_ap(), and set the ticket and
266 * AP-REQ apoptions using shishi_ap_set_tktoption().
267 *
268 * Return value: Returns SHISHI_OK iff successful.
269 **/
270 int
271 shishi_ap_tktoptions (Shishi * handle,
272 Shishi_ap ** ap, Shishi_tkt * tkt, int options)
273 {
274 int rc;
275
276 rc = shishi_ap (handle, ap);
277 if (rc != SHISHI_OK)
278 return rc;
279
280 rc = shishi_ap_set_tktoptions (*ap, tkt, options);
281 if (rc != SHISHI_OK)
282 return rc;
283
284 return SHISHI_OK;
285 }
286
287 /**
288 * shishi_ap_tktoptionsdata:
289 * @handle: shishi handle as allocated by shishi_init().
290 * @ap: pointer to new structure that holds information about AP exchange
291 * @tkt: ticket to set in newly created AP.
292 * @options: AP-REQ options to set in newly created AP.
293 * @data: input array with data to checksum in Authenticator.
294 * @len: length of input array with data to checksum in Authenticator.
295 *
296 * Create a new AP exchange using shishi_ap(), and set the ticket,
297 * AP-REQ apoptions and the Authenticator checksum data using
298 * shishi_ap_set_tktoptionsdata().
299 *
300 * Return value: Returns SHISHI_OK iff successful.
301 **/
302 int
303 shishi_ap_tktoptionsdata (Shishi * handle,
304 Shishi_ap ** ap,
305 Shishi_tkt * tkt, int options, char *data, int len)
306 {
307 int rc;
308
309 rc = shishi_ap (handle, ap);
310 if (rc != SHISHI_OK)
311 return rc;
312
313 rc = shishi_ap_set_tktoptionsdata (*ap, tkt, options, data, len);
314 if (rc != SHISHI_OK)
315 return rc;
316
317 return SHISHI_OK;
318 }
319
320 /**
321 * shishi_ap_tktoptionsasn1usage:
322 * @handle: shishi handle as allocated by shishi_init().
323 * @ap: pointer to new structure that holds information about AP exchange
324 * @tkt: ticket to set in newly created AP.
325 * @options: AP-REQ options to set in newly created AP.
326 * @node: input ASN.1 structure to store as authenticator checksum data.
327 * @field: field in ASN.1 structure to use.
328 * @authenticatorcksumkeyusage: key usage for checksum in authenticator.
329 * @authenticatorkeyusage: key usage for authenticator.
330 *
331 * Create a new AP exchange using shishi_ap(), and set ticket, options
332 * and authenticator checksum data from the DER encoding of the ASN.1
333 * field using shishi_ap_set_tktoptionsasn1usage().
334 *
335 * Return value: Returns SHISHI_OK iff successful.
336 **/
337 int
338 shishi_ap_tktoptionsasn1usage (Shishi * handle,
339 Shishi_ap ** ap,
340 Shishi_tkt * tkt,
341 int options,
342 Shishi_asn1 node,
343 char *field,
344 int authenticatorcksumkeyusage,
345 int authenticatorkeyusage)
346 {
347 int rc;
348
349 rc = shishi_ap (handle, ap);
350 if (rc != SHISHI_OK)
351 return rc;
352
353 rc = shishi_ap_set_tktoptionsasn1usage (*ap, tkt, options,
354 node, field,
355 authenticatorcksumkeyusage,
356 authenticatorkeyusage);
357 if (rc != SHISHI_OK)
358 return rc;
359
360 return SHISHI_OK;
361 }
362
363 /**
364 * shishi_ap_tkt:
365 * @ap: structure that holds information about AP exchange
366 *
367 * Return value: Returns the ticket from the AP exchange, or NULL if
368 * not yet set or an error occured.
369 **/
370 Shishi_tkt *
371 shishi_ap_tkt (Shishi_ap * ap)
372 {
373 return ap->tkt;
374 }
375
376 /**
377 * shishi_ap_tkt_set:
378 * @ap: structure that holds information about AP exchange
379 * @tkt: ticket to store in AP.
380 *
381 * Set the Ticket in the AP exchange.
382 **/
383 void
384 shishi_ap_tkt_set (Shishi_ap * ap, Shishi_tkt * tkt)
385 {
386 ap->tkt = tkt;
387 }
388
389 /**
390 * shishi_ap_authenticatorcksumdata:
391 * @ap: structure that holds information about AP exchange
392 * @out: output array that holds authenticator checksum data.
393 * @len: on input, maximum length of output array that holds
394 * authenticator checksum data, on output actual length of
395 * output array that holds authenticator checksum data.
396 *
397 * Return value: Returns SHISHI_OK if successful, or
398 * SHISHI_TOO_SMALL_BUFFER if buffer provided was too small.
399 **/
400 int
401 shishi_ap_authenticator_cksumdata (Shishi_ap * ap, char *out, int *len)
402 {
403 if (*len < ap->authenticatorcksumdatalen)
404 return SHISHI_TOO_SMALL_BUFFER;
405 if (ap->authenticatorcksumdata)
406 memcpy (out, ap->authenticatorcksumdata, ap->authenticatorcksumdatalen);
407 *len = ap->authenticatorcksumdatalen;
408 return SHISHI_OK;
409 }
410
411 /**
412 * shishi_ap_authenticator_cksumdata_set:
413 * @ap: structure that holds information about AP exchange
414 * @authenticatorcksumdata: input array with authenticator checksum
415 * data to use in AP.
416 * @authenticatorcksumdatalen: length of input array with authenticator
417 * checksum data to use in AP.
418 *
419 * Set the Authenticator Checksum Data in the AP exchange.
420 **/
421 void
422 shishi_ap_authenticator_cksumdata_set (Shishi_ap * ap,
423 char *authenticatorcksumdata,
424 int authenticatorcksumdatalen)
425 {
426 ap->authenticatorcksumdata = authenticatorcksumdata;
427 ap->authenticatorcksumdatalen = authenticatorcksumdatalen;
428 }
429
430 /**
431 * shishi_ap_authenticatorcksumtype:
432 * @ap: structure that holds information about AP exchange
433 *
434 * Get the Authenticator Checksum Type in the AP exchange.
435 *
436 * Return value: Return the authenticator checksum type.
437 **/
438 int
439 shishi_ap_authenticator_cksumtype (Shishi_ap * ap)
440 {
441 return ap->authenticatorcksumtype;
442 }
443
444 /**
445 * shishi_ap_authenticator_cksumtype_set:
446 * @ap: structure that holds information about AP exchange
447 * @cksumtype: authenticator checksum type to set in AP.
448 *
449 * Set the Authenticator Checksum Type in the AP exchange.
450 **/
451 void
452 shishi_ap_authenticator_cksumtype_set (Shishi_ap * ap,
453 int cksumtype)
454 {
455 ap->authenticatorcksumtype = cksumtype;
456 }
457
458 /**
459 * shishi_ap_authenticator:
460 * @ap: structure that holds information about AP exchange
461 *
462 * Return value: Returns the Authenticator from the AP exchange, or
463 * NULL if not yet set or an error occured.
464 **/
465
466 Shishi_asn1
467 shishi_ap_authenticator (Shishi_ap * ap)
468 {
469 return ap->authenticator;
470 }
471
472 /**
473 * shishi_ap_authenticator_set:
474 * @ap: structure that holds information about AP exchange
475 * @authenticator: authenticator to store in AP.
476 *
477 * Set the Authenticator in the AP exchange.
478 **/
479 void
480 shishi_ap_authenticator_set (Shishi_ap * ap, Shishi_asn1 authenticator)
481 {
482 if (ap->authenticator)
483 shishi_asn1_done (ap->handle, ap->authenticator);
484 ap->authenticator = authenticator;
485 }
486
487 /**
488 * shishi_ap_req:
489 * @ap: structure that holds information about AP exchange
490 *
491 * Return value: Returns the AP-REQ from the AP exchange, or NULL if
492 * not yet set or an error occured.
493 **/
494 Shishi_asn1
495 shishi_ap_req (Shishi_ap * ap)
496 {
497 return ap->apreq;
498 }
499
500
501 /**
502 * shishi_ap_req_set:
503 * @ap: structure that holds information about AP exchange
504 * @apreq: apreq to store in AP.
505 *
506 * Set the AP-REQ in the AP exchange.
507 **/
508 void
509 shishi_ap_req_set (Shishi_ap * ap, Shishi_asn1 apreq)
510 {
511 if (ap->apreq)
512 shishi_asn1_done (ap->handle, ap->apreq);
513 ap->apreq = apreq;
514 }
515
516 /**
517 * shishi_ap_req_der:
518 * @ap: structure that holds information about AP exchange
519 * @out: pointer to output array with der encoding of AP-REQ.
520 * @outlen: pointer to length of output array with der encoding of AP-REQ.
521 *
522 * Build AP-REQ using shishi_ap_req_build() and DER encode it. @out
523 * is allocated by this function, and it is the responsibility of
524 * caller to deallocate it.
525 *
526 * Return value: Returns SHISHI_OK iff successful.
527 **/
528 int
529 shishi_ap_req_der (Shishi_ap * ap, char **out, size_t *outlen)
530 {
531 int rc;
532
533 rc = shishi_ap_req_build (ap);
534 if (rc != SHISHI_OK)
535 return rc;
536
537 rc = shishi_new_a2d (ap->handle, ap->apreq, out, outlen);
538 if (rc != SHISHI_OK)
539 return rc;
540
541 return SHISHI_OK;
542 }
543
544 /**
545 * shishi_ap_req_der_set:
546 * @ap: structure that holds information about AP exchange
547 * @der: input array with DER encoded AP-REQ.
548 * @derlen: length of input array with DER encoded AP-REQ.
549 *
550 * DER decode AP-REQ and set it AP exchange. If decoding fails, the
551 * AP-REQ in the AP exchange is lost.
552 *
553 * Return value: Returns SHISHI_OK.
554 **/
555 int
556 shishi_ap_req_der_set (Shishi_ap * ap, char *der, size_t derlen)
557 {
558 ap->apreq = shishi_der2asn1_apreq (ap->handle, der, derlen);
559
560 if (ap->apreq)
561 return SHISHI_OK;
562 else
563 return SHISHI_ASN1_ERROR;
564 }
565
566 /**
567 * shishi_ap_req_build:
568 * @ap: structure that holds information about AP exchange
569 *
570 * Checksum data in authenticator and add ticket and authenticator to
571 * AP-REQ.
572 *
573 * Return value: Returns SHISHI_OK iff successful.
574 **/
575 int
576 shishi_ap_req_build (Shishi_ap * ap)
577 {
578 int res;
579 int cksumtype;
580
581 if (VERBOSE (ap->handle))
582 printf ("Building AP-REQ...\n");
583
584 res = shishi_apreq_set_ticket (ap->handle, ap->apreq,
585 shishi_tkt_ticket (ap->tkt));
586 if (res != SHISHI_OK)
587 {
588 shishi_error_printf (ap->handle, "Could not set ticket in AP-REQ: %s\n",
589 shishi_error (ap->handle));
590 return res;
591 }
592
593 cksumtype = shishi_ap_authenticator_cksumtype (ap);
594 if (cksumtype == SHISHI_NO_CKSUMTYPE)
595 res = shishi_authenticator_add_cksum (ap->handle, ap->authenticator,
596 shishi_tkt_key (ap->tkt),
597 ap->authenticatorcksumkeyusage,
598 ap->authenticatorcksumdata,
599 ap->authenticatorcksumdatalen);
600 else
601 res = shishi_authenticator_add_cksum_type (ap->handle, ap->authenticator,
602 shishi_tkt_key (ap->tkt),
603 ap->authenticatorcksumkeyusage,
604 cksumtype,
605 ap->authenticatorcksumdata,
606 ap->authenticatorcksumdatalen);
607 if (res != SHISHI_OK)
608 {
609 shishi_error_printf (ap->handle,
610 "Could not add checksum to authenticator: %s\n",
611 shishi_error (ap->handle));
612 return res;
613 }
614
615 if (VERBOSE (ap->handle))
616 printf ("Got Authenticator...\n");
617
618 if (VERBOSEASN1 (ap->handle))
619 shishi_authenticator_print (ap->handle, stdout, ap->authenticator);
620
621 res = shishi_apreq_add_authenticator (ap->handle, ap->apreq,
622 shishi_tkt_key (ap->tkt),
623 ap->authenticatorkeyusage,
624 ap->authenticator);
625 if (res != SHISHI_OK)
626 {
627 shishi_error_printf (ap->handle, "Could not set authenticator: %s\n",
628 shishi_error (ap->handle));
629 return res;
630 }
631
632 if (VERBOSEASN1 (ap->handle))
633 shishi_apreq_print (ap->handle, stdout, ap->apreq);
634
635 return SHISHI_OK;
636 }
637
638 /**
639 * shishi_ap_req_process_keyusage:
640 * @ap: structure that holds information about AP exchange
641 * @key: cryptographic key used to decrypt ticket in AP-REQ.
642 * @keyusage: key usage to use during decryption, for normal
643 * AP-REQ's this is normally SHISHI_KEYUSAGE_APREQ_AUTHENTICATOR,
644 * for AP-REQ's part of TGS-REQ's, this is normally
645 * SHISHI_KEYUSAGE_TGSREQ_APREQ_AUTHENTICATOR.
646 *
647 * Decrypt ticket in AP-REQ using supplied key and decrypt
648 * Authenticator in AP-REQ using key in decrypted ticket, and on
649 * success set the Ticket and Authenticator fields in the AP exchange.
650 *
651 * Return value: Returns SHISHI_OK iff successful.
652 **/
653 int
654 shishi_ap_req_process_keyusage (Shishi_ap * ap,
655 Shishi_key * key,
656 int32_t keyusage)
657 {
658 Shishi_asn1 ticket, authenticator;
659 Shishi_tkt *tkt;
660 Shishi_key *tktkey;
661 int rc;
662
663 if (VERBOSEASN1 (ap->handle))
664 shishi_apreq_print (ap->handle, stdout, ap->apreq);
665
666 rc = shishi_apreq_get_ticket (ap->handle, ap->apreq, &ticket);
667 if (rc != SHISHI_OK)
668 {
669 shishi_error_printf (ap->handle,
670 "Could not extract ticket from AP-REQ: %s\n",
671 shishi_strerror (rc));
672 return rc;
673 }
674
675 if (VERBOSEASN1 (ap->handle))
676 shishi_ticket_print (ap->handle, stdout, ticket);
677
678 tkt = shishi_tkt2 (ap->handle, ticket, NULL, NULL);
679
680 rc = shishi_tkt_decrypt (tkt, key);
681 if (rc != SHISHI_OK)
682 {
683 shishi_error_printf (ap->handle, "Error decrypting ticket: %s\n",
684 shishi_strerror (rc));
685 return rc;
686 }
687
688 rc = shishi_encticketpart_get_key (ap->handle,
689 shishi_tkt_encticketpart (tkt), &tktkey);
690 if (rc != SHISHI_OK)
691 {
692 shishi_error_printf (ap->handle, "Could not get key from ticket: %s\n",
693 shishi_strerror (rc));
694 return rc;
695 }
696
697 if (VERBOSEASN1 (ap->handle))
698 shishi_encticketpart_print (ap->handle, stdout,
699 shishi_tkt_encticketpart (tkt));
700
701 rc = shishi_apreq_decrypt (ap->handle, ap->apreq, tktkey,
702 keyusage, &authenticator);
703 if (rc != SHISHI_OK)
704 {
705 shishi_error_printf (ap->handle, "Error decrypting apreq: %s\n",
706 shishi_strerror (rc));
707 return rc;
708 }
709
710 /* XXX? verify checksum in authenticator. */
711
712 if (VERBOSEASN1 (ap->handle))
713 shishi_authenticator_print (ap->handle, stdout, authenticator);
714
715 ap->tkt = tkt;
716 ap->authenticator = authenticator;
717
718 return SHISHI_OK;
719 }
720
721 /**
722 * shishi_ap_req_process:
723 * @ap: structure that holds information about AP exchange
724 * @key: cryptographic key used to decrypt ticket in AP-REQ.
725 *
726 * Decrypt ticket in AP-REQ using supplied key and decrypt
727 * Authenticator in AP-REQ using key in decrypted ticket, and on
728 * success set the Ticket and Authenticator fields in the AP exchange.
729 *
730 * Return value: Returns SHISHI_OK iff successful.
731 **/
732 int
733 shishi_ap_req_process (Shishi_ap * ap, Shishi_key * key)
734 {
735 return shishi_ap_req_process_keyusage (ap, key,
736 SHISHI_KEYUSAGE_APREQ_AUTHENTICATOR);
737 }
738
739 /**
740 * shishi_ap_req_asn1:
741 * @ap: structure that holds information about AP exchange
742 * @apreq: output AP-REQ variable.
743 *
744 * Build AP-REQ using shishi_ap_req_build() and return it.
745 *
746 * Return value: Returns SHISHI_OK iff successful.
747 **/
748 int
749 shishi_ap_req_asn1 (Shishi_ap * ap, Shishi_asn1 * apreq)
750 {
751 int rc;
752
753 rc = shishi_ap_req_build (ap);
754 if (rc != SHISHI_OK)
755 return rc;
756
757 *apreq = ap->apreq;
758
759 return SHISHI_OK;
760 }
761
762 /**
763 * shishi_ap_key:
764 * @ap: structure that holds information about AP exchange
765 *
766 * Extract the application key from AP. If subkeys are used, it is
767 * taken from the Authenticator, otherwise the session key is used.
768 *
769 * Return value: Return application key from AP.
770 **/
771 Shishi_key *
772 shishi_ap_key (Shishi_ap * ap)
773 {
774 int rc;
775
776 /* XXX do real check if subkey is present, don't just assume error
777 means no subkey */
778
779 rc = shishi_authenticator_get_subkey (ap->handle, ap->authenticator,
780 &ap->key);
781 if (rc != SHISHI_OK)
782 ap->key = shishi_tkt_key (ap->tkt);
783
784 return ap->key;
785 }
786
787 /**
788 * shishi_ap_rep:
789 * @ap: structure that holds information about AP exchange
790 *
791 * Return value: Returns the AP-REP from the AP exchange, or NULL if
792 * not yet set or an error occured.
793 **/
794 Shishi_asn1
795 shishi_ap_rep (Shishi_ap * ap)
796 {
797 return ap->aprep;
798 }
799
800 /**
801 * shishi_ap_rep_set:
802 * @ap: structure that holds information about AP exchange
803 * @aprep: aprep to store in AP.
804 *
805 * Set the AP-REP in the AP exchange.
806 **/
807 void
808 shishi_ap_rep_set (Shishi_ap * ap, Shishi_asn1 aprep)
809 {
810 if (ap->aprep)
811 shishi_asn1_done (ap->handle, ap->aprep);
812 ap->aprep = aprep;
813 }
814
815 /**
816 * shishi_ap_rep_der:
817 * @ap: structure that holds information about AP exchange
818 * @out: output array with newly allocated DER encoding of AP-REP.
819 * @outlen: length of output array with DER encoding of AP-REP.
820 *
821 * Build AP-REP using shishi_ap_rep_build() and DER encode it. @out
822 * is allocated by this function, and it is the responsibility of
823 * caller to deallocate it.
824 *
825 * Return value: Returns SHISHI_OK iff successful.
826 **/
827 int
828 shishi_ap_rep_der (Shishi_ap * ap, char **out, size_t * outlen)
829 {
830 int rc;
831
832 rc = shishi_ap_rep_build (ap);
833 if (rc != SHISHI_OK)
834 return rc;
835
836 rc = shishi_new_a2d (ap->handle, ap->aprep, out, outlen);
837 if (rc != SHISHI_OK)
838 return rc;
839
840 return SHISHI_OK;
841 }
842
843 /**
844 * shishi_ap_rep_der_set:
845 * @ap: structure that holds information about AP exchange
846 * @der: input array with DER encoded AP-REP.
847 * @derlen: length of input array with DER encoded AP-REP.
848 *
849 * DER decode AP-REP and set it AP exchange. If decoding fails, the
850 * AP-REP in the AP exchange remains.
851 *
852 * Return value: Returns SHISHI_OK.
853 **/
854 int
855 shishi_ap_rep_der_set (Shishi_ap * ap, char *der, size_t derlen)
856 {
857 Shishi_asn1 aprep;
858
859 aprep = shishi_der2asn1_aprep (ap->handle, der, derlen);
860
861 if (!aprep)
862 return SHISHI_ASN1_ERROR;
863
864 ap->aprep = aprep;
865
866 return SHISHI_OK;
867 }
868
869 /**
870 * shishi_ap_rep_build:
871 * @ap: structure that holds information about AP exchange
872 *
873 * Checksum data in authenticator and add ticket and authenticator to
874 * AP-REP.
875 *
876 * Return value: Returns SHISHI_OK iff successful.
877 **/
878 int
879 shishi_ap_rep_build (Shishi_ap * ap)
880 {
881 Shishi_asn1 aprep;
882 int rc;
883
884 if (VERBOSE (ap->handle))
885 printf ("Building AP-REP...\n");
886
887 aprep = shishi_aprep (ap->handle);
888 rc = shishi_aprep_enc_part_make (ap->handle, aprep, ap->authenticator,
889 shishi_tkt_encticketpart (ap->tkt));
890 if (rc != SHISHI_OK)
891 {
892 shishi_error_printf (ap->handle, "Error creating AP-REP: %s\n",
893 shishi_strerror (rc));
894 return rc;
895 }
896
897 if (VERBOSEASN1 (ap->handle))
898 shishi_aprep_print (ap->handle, stdout, aprep);
899
900 shishi_ap_rep_set (ap, aprep);
901
902 return SHISHI_OK;
903 }
904
905 /**
906 * shishi_ap_rep_asn1:
907 * @ap: structure that holds information about AP exchange
908 * @aprep: output AP-REP variable.
909 *
910 * Build AP-REP using shishi_ap_rep_build() and return it.
911 *
912 * Return value: Returns SHISHI_OK iff successful.
913 **/
914 int
915 shishi_ap_rep_asn1 (Shishi_ap * ap, Shishi_asn1 * aprep)
916 {
917 int rc;
918
919 rc = shishi_ap_rep_build (ap);
920 if (rc != SHISHI_OK)
921 return rc;
922
923 *aprep = ap->aprep;
924
925 return SHISHI_OK;
926 }
927
928 /**
929 * shishi_ap_rep_verify:
930 * @ap: structure that holds information about AP exchange
931 *
932 * Verify AP-REP compared to Authenticator.
933 *
934 * Return value: Returns SHISHI_OK, SHISHI_APREP_VERIFY_FAILED or an
935 * error.
936 **/
937 int
938 shishi_ap_rep_verify (Shishi_ap * ap)
939 {
940 int res;
941
942 if (VERBOSE (ap->handle))
943 printf ("Decrypting AP-REP...\n");
944
945 if (VERBOSEASN1 (ap->handle))
946 shishi_aprep_print (ap->handle, stdout, ap->aprep);
947
948 res = shishi_aprep_decrypt (ap->handle, ap->aprep,
949 shishi_tkt_key (ap->tkt),
950 SHISHI_KEYUSAGE_ENCAPREPPART,
951 &ap->encapreppart);
952 if (res != SHISHI_OK)
953 return res;
954
955 if (VERBOSEASN1 (ap->handle))
956 shishi_encapreppart_print (ap->handle, stdout, ap->encapreppart);
957
958 res = shishi_aprep_verify (ap->handle, ap->authenticator, ap->encapreppart);
959 if (res != SHISHI_OK)
960 return res;
961
962 if (VERBOSE (ap->handle))
963 printf ("Verified AP-REP successfully...\n");
964
965 return SHISHI_OK;
966 }
967
968 /**
969 * shishi_ap_rep_verify_der:
970 * @ap: structure that holds information about AP exchange
971 * @der: input array with DER encoded AP-REP.
972 * @derlen: length of input array with DER encoded AP-REP.
973 *
974 * DER decode AP-REP and set it in AP exchange using
975 * shishi_ap_rep_der_set() and verify it using shishi_ap_rep_verify().
976 *
977 * Return value: Returns SHISHI_OK, SHISHI_APREP_VERIFY_FAILED or an
978 * error.
979 **/
980 int
981 shishi_ap_rep_verify_der (Shishi_ap * ap, char *der, size_t derlen)
982 {
983 int res;
984
985 res = shishi_ap_rep_der_set (ap, der, derlen);
986 if (res != SHISHI_OK)
987 return res;
988
989 res = shishi_ap_rep_verify (ap);
990 if (res != SHISHI_OK)
991 return res;
992
993 return SHISHI_OK;
994 }
995
996 /**
997 * shishi_ap_rep_verify_asn1:
998 * @ap: structure that holds information about AP exchange
999 * @aprep: input AP-REP.
1000 *
1001 * Set the AP-REP in the AP exchange using shishi_ap_rep_set() and
1002 * verify it using shishi_ap_rep_verify().
1003 *
1004 * Return value: Returns SHISHI_OK, SHISHI_APREP_VERIFY_FAILED or an
1005 * error.
1006 **/
1007 int
1008 shishi_ap_rep_verify_asn1 (Shishi_ap * ap, Shishi_asn1 aprep)
1009 {
1010 int res;
1011
1012 shishi_ap_rep_set (ap, aprep);
1013
1014 res = shishi_ap_rep_verify (ap);
1015 if (res != SHISHI_OK)
1016 return res;
1017
1018 return SHISHI_OK;
1019 }
1020
1021 /**
1022 * shishi_ap_rep:
1023 * @ap: structure that holds information about AP exchange
1024 *
1025 * Return value: Returns the EncAPREPPart from the AP exchange, or
1026 * NULL if not yet set or an error occured.
1027 **/
1028 Shishi_asn1
1029 shishi_ap_encapreppart (Shishi_ap * ap)
1030 {
1031 return ap->encapreppart;
1032 }
1033
1034 /**
1035 * shishi_ap_encapreppart_set:
1036 * @ap: structure that holds information about AP exchange
1037 * @encapreppart: EncAPRepPart to store in AP.
1038 *
1039 * Set the EncAPRepPart in the AP exchange.
1040 **/
1041 void
1042 shishi_ap_encapreppart_set (Shishi_ap * ap, Shishi_asn1 encapreppart)
1043 {
1044 if (ap->encapreppart)
1045 shishi_asn1_done (ap->handle, ap->encapreppart);
1046 ap->encapreppart = encapreppart;
1047 }
1048
1049 #define APOPTION_RESERVED "reserved"
1050 #define APOPTION_USE_SESSION_KEY "use-session-key"
1051 #define APOPTION_MUTUAL_REQUIRED "mutual-required"
1052 #define APOPTION_UNKNOWN "unknown"
1053
1054 /**
1055 * shishi_ap_option2string:
1056 * @option: enumerated AP-Option type, see Shishi_apoptions.
1057 *
1058 * Convert AP-Option type to AP-Option name string. Note that @option
1059 * must be just one of the AP-Option types, it cannot be an binary
1060 * ORed indicating several AP-Options.
1061 *
1062 * Return value: Returns static string with name of AP-Option that
1063 * must not be deallocated, or "unknown" if AP-Option was not understood.
1064 **/
1065 const char *
1066 shishi_ap_option2string (Shishi_apoptions option)
1067 {
1068 char *str;
1069
1070 switch (option)
1071 {
1072 case SHISHI_APOPTIONS_RESERVED:
1073 str = APOPTION_RESERVED;
1074 break;
1075
1076 case SHISHI_APOPTIONS_USE_SESSION_KEY:
1077 str = APOPTION_USE_SESSION_KEY;
1078 break;
1079
1080 case SHISHI_APOPTIONS_MUTUAL_REQUIRED:
1081 str = APOPTION_MUTUAL_REQUIRED;
1082 break;
1083
1084 default:
1085 str = APOPTION_UNKNOWN;
1086 break;
1087 }
1088
1089 return str;
1090 }
1091
1092 /**
1093 * shishi_ap_string2option:
1094 * @str: zero terminated character array with name of AP-Option,
1095 * e.g. "use-session-key".
1096 *
1097 * Convert AP-Option name to AP-Option type.
1098 *
1099 * Return value: Returns enumerated type member corresponding to AP-Option,
1100 * or 0 if string was not understood.
1101 **/
1102 Shishi_apoptions
1103 shishi_ap_string2option (const char *str)
1104 {
1105 int option;
1106
1107 if (strcasecmp (str, APOPTION_RESERVED) == 0)
1108 option = SHISHI_APOPTIONS_RESERVED;
1109 else if (strcasecmp (str, APOPTION_USE_SESSION_KEY) == 0)
1110 option = SHISHI_APOPTIONS_USE_SESSION_KEY;
1111 else if (strcasecmp (str, APOPTION_MUTUAL_REQUIRED) == 0)
1112 option = SHISHI_APOPTIONS_MUTUAL_REQUIRED;
1113 else
1114 option = strtol (str, (char **) NULL, 0);
1115
1116 return option;
1117 }
Free Kerberos V5 implementation