|
| From: | shishi-commit |
| Subject: | TGS-REQ works via Shisa (well). |
| Date: | Thu, 11 Dec 2003 04:43:43 +0100 |
| Commit from jas | 2003-12-11 04:43 CET |
TGS-REQ works via Shisa (well).
| Module | File name | Revision | |||
|---|---|---|---|---|---|
| shishi | src/shishid.c | 1.62 | >>> | 1.63 | |
| shishi/src/shishid.c 1.62 >>> 1.63 |
|---|
| Line 352 |
|
{ int rc; Shishi_tkt *tkt; |
|
- Shishi_key *sessionkey, *sessiontktkey, *serverkey, *subkey, *keytouse; |
|
+ Shishi_key *newsessionkey, *oldsessionkey, *serverkey, *subkey, *keytouse, *tgkey; |
|
char buf[BUFSIZ]; int buflen; int err; |
|
- char *username, *servername, *realm; - int32_t etype, keyusage; |
|
+ char *username, *servername, *tgname, *tgrealm, *client, *clientrealm, *serverrealm; + size_t usernamelen, tgnamelen, tgrealmlen, clientlen, clientrealmlen; + int32_t keyusage; + Shisa_principal krbtgt; + Shisa_principal user; + Shishi_asn1 reqapticket; |
|
int i; |
|
+ Shisa_key **tgkeys; + size_t ntgkeys; + Shisa_key **serverkeys; + size_t nserverkeys; |
|
|
|
- buflen = sizeof (buf) - 1; - err = shishi_encticketpart_cname_get - (handle, shishi_tkt_encticketpart (shishi_ap_tkt (shishi_tgs_ap (tgs))), - buf, &buflen); |
|
+ /* Extract pa-data and populate tgs->ap. */ + rc = shishi_tgs_req_process (tgs); + if (rc != SHISHI_OK) + return rc; + + /* Get ticket used to authenticate request. */ + rc = shishi_apreq_get_ticket (handle, shishi_ap_req (shishi_tgs_ap (tgs)), + &reqapticket); + if (rc != SHISHI_OK) + return rc; + + /* Find name of ticket granter, e.g., krbtgt/address@hidden */ + + err = shishi_ticket_realm_get (handle, reqapticket, &tgrealm, NULL); + if (err != SHISHI_OK) + return err; + printf ("tg realm %s\n", tgrealm); + + rc = shishi_ticket_server (handle, reqapticket, &tgname, &tgnamelen); + if (rc != SHISHI_OK) + return rc; + printf ("Found ticket granter name address@hidden", tgname, tgrealm); + + /* We need to decrypt the ticket granting ticket, get key. */ + + rc = shisa_enumerate_keys (dbh, tgrealm, tgname, &tgkeys, &ntgkeys); + if (err != SHISA_OK) + { + printf ("Error getting keys for address@hidden", tgname, tgrealm); + return SHISHI_INVALID_PRINCIPAL_NAME; + } + printf ("Found keys for ticket granter address@hidden", tgname, tgrealm); + + /* XXX use etype/kvno to select key. */ + + err = shishi_key_from_value (handle, tgkeys[0]->etype, + tgkeys[0]->key, &tgkey); |
|
if (err != SHISHI_OK) return err; |
|
- buf[buflen] = '\0'; - username = strdup (buf); - printf ("username %s\n", username); |
|
|
|
- buflen = sizeof (buf) - 1; - err = shishi_kdcreq_sname_get (handle, shishi_tgs_req (tgs), buf, &buflen); |
|
+ shishi_key_print (handle, stdout, tgkey); + + /* Find the server, e.g., host/address@hidden */ + + err = shishi_kdcreq_realm (handle, shishi_tgs_req (tgs), &serverrealm, NULL); |
|
if (err != SHISHI_OK) return err; |
|
- buf[buflen] = '\0'; - servername = strdup (buf); - printf ("servername %s\n", servername); |
|
+ printf ("server realm %s\n", serverrealm); |
|
|
|
- buflen = sizeof (buf) - 1; - err = shishi_kdcreq_realm_get (handle, shishi_tgs_req (tgs), buf, &buflen); |
|
+ err = shishi_kdcreq_server (handle, shishi_tgs_req (tgs), &servername, NULL); |
|
if (err != SHISHI_OK) return err; |
|
- buf[buflen] = '\0'; - realm = strdup (buf); - printf ("server realm %s\n", realm); |
|
+ printf ("servername %s\n", servername); |
|
|
|
- tkt = shishi_tgs_tkt (tgs); - if (!tkt) - return SHISHI_MALLOC_ERROR; |
|
+ err = shisa_principal_find (dbh, serverrealm, servername, &krbtgt); + if (err != SHISA_OK) + { + printf ("server address@hidden not found\n", servername, serverrealm); + return SHISHI_INVALID_PRINCIPAL_NAME; + } + printf ("Found server address@hidden", servername, serverrealm); + + /* Get key for server, used to encrypt new ticket. */ |
|
|
|
- i = 1; - do |
|
+ rc = shisa_enumerate_keys (dbh, serverrealm, servername, + &serverkeys, &nserverkeys); + if (err != SHISA_OK) |
|
{ |
|
- err = shishi_kdcreq_etype (handle, shishi_tgs_req (tgs), &etype, i); - if (err == SHISHI_OK && shishi_cipher_supported_p (etype)) - break; |
|
+ printf ("Error getting keys for address@hidden", servername, serverrealm); + return SHISHI_INVALID_PRINCIPAL_NAME; |
|
} |
|
- while (err == SHISHI_OK); |
|
+ printf ("Found keys for server address@hidden", servername, serverrealm); + + /* XXX select "best" available key (highest kvno, best algorithm?) here. */ + + err = shishi_key_from_value (handle, serverkeys[0]->etype, + serverkeys[0]->key, &serverkey); |
|
if (err != SHISHI_OK) return err; |
|
- /* XXX use a "preferred server kdc etype" from shishi instead? */ |
|
+ shishi_key_print (handle, stdout, serverkey); + + /* Decrypt incoming ticket with our key, and decrypt authenticator + using key stored in ticket. */ + rc = shishi_ap_req_process_keyusage + (shishi_tgs_ap (tgs), tgkey, SHISHI_KEYUSAGE_TGSREQ_APREQ_AUTHENTICATOR); + if (rc != SHISHI_OK) + return rc; + + /* XXX check that checksum in authenticator match tgsreq.req-body */ |
|
|
|
- err = shishi_key_random (handle, etype, &sessionkey); |
|
+ tkt = shishi_tgs_tkt (tgs); + + /* Generate session key for the newly generated ticket, of same key + type as the selected long-term server key. */ + + err = shishi_key_random (handle, shishi_key_type (serverkey), + &newsessionkey); |
|
if (err) return err; |
|
- err = shishi_tkt_key_set (tkt, sessionkey); |
|
+ err = shishi_tkt_key_set (tkt, newsessionkey); |
|
if (err) return err; |
|
- /* extract pa-data and populate tgs->ap */ - rc = shishi_tgs_req_process (tgs); - if (rc != SHISHI_OK) - return rc; - - /* XXX check if ticket is for our tgt key */ |
|
+ /* In the new ticket, store identity of the client, taken from the + decrypted incoming ticket. */ |
|
|
|
- #if 0 - /* decrypt ticket with our key, and decrypt authenticator using key in tkt */ - rc = shishi_ap_req_process_keyusage - (shishi_tgs_ap (tgs), arg.tgskey, - SHISHI_KEYUSAGE_TGSREQ_APREQ_AUTHENTICATOR); - if (rc != SHISHI_OK) - return rc; - #endif |
|
+ err = shishi_encticketpart_crealm + (handle, shishi_tkt_encticketpart (shishi_ap_tkt (shishi_tgs_ap (tgs))), + &clientrealm, &clientrealmlen); + if (err != SHISHI_OK) + return err; + printf ("userrealm %s\n", clientrealm); |
|
|
|
- /* XXX check that checksum in authenticator match tgsreq.req-body */ |
|
+ err = shishi_encticketpart_client + (handle, shishi_tkt_encticketpart (shishi_ap_tkt (shishi_tgs_ap (tgs))), + &client, &clientlen); + if (err != SHISHI_OK) + return err; + printf ("username %s\n", client); |
|
|
|
- err = shishi_tkt_clientrealm_set (tkt, realm, username); |
|
+ err = shishi_tkt_clientrealm_set (tkt, clientrealm, client); |
|
if (err) return err; |
|
- err = shishi_tkt_serverrealm_set (tkt, realm, servername); |
|
+ err = shishi_tkt_serverrealm_set (tkt, serverrealm, servername); |
|
if (err) return err; |
|
- #if 0 - serverkey = shishi_keys_for_serverrealm_in_file (handle, - arg.keyfile, - servername, realm); - if (!serverkey) - return !SHISHI_OK; - #endif |
|
+ + /* Build new key, using the server's key. */ + |
|
err = shishi_tkt_build (tkt, serverkey); if (err) return err; |
|
+ /* The TGS-REP need to be encrypted, decide which key to use. + Either it is the session key in the incoming ticket, or it is the + sub-key in the authenticator. */ + |
|
err = shishi_encticketpart_get_key (handle, shishi_tkt_encticketpart (shishi_ap_tkt (shishi_tgs_ap (tgs))), |
|
- &sessiontktkey); |
|
+ &oldsessionkey); |
|
err = shishi_authenticator_get_subkey (handle, shishi_ap_authenticator (shishi_tgs_ap (tgs)), &subkey); |
| Line 465 |
|
else { keyusage = SHISHI_KEYUSAGE_ENCTGSREPPART_SESSION_KEY; |
|
- keytouse = sessiontktkey; |
|
+ keytouse = oldsessionkey; |
|
} |
|
+ /* Build TGS-REP. */ + |
|
err = shishi_tgs_rep_build (tgs, keyusage, keytouse); if (err) return err; |
| [Prev in Thread] | Current Thread | [Next in Thread] |