|
From: | shishi-commit |
Subject: | TGS-REQ works via Shisa (well). |
Date: | Thu, 11 Dec 2003 04:43:43 +0100 |
Commit from jas | 2003-12-11 04:43 CET |
TGS-REQ works via Shisa (well).
Module | File name | Revision | |||
---|---|---|---|---|---|
shishi | src/shishid.c | 1.62 | >>> | 1.63 |
shishi/src/shishid.c 1.62 >>> 1.63 |
---|
Line 352 |
{ int rc; Shishi_tkt *tkt; |
- Shishi_key *sessionkey, *sessiontktkey, *serverkey, *subkey, *keytouse; |
+ Shishi_key *newsessionkey, *oldsessionkey, *serverkey, *subkey, *keytouse, *tgkey; |
char buf[BUFSIZ]; int buflen; int err; |
- char *username, *servername, *realm; - int32_t etype, keyusage; |
+ char *username, *servername, *tgname, *tgrealm, *client, *clientrealm, *serverrealm; + size_t usernamelen, tgnamelen, tgrealmlen, clientlen, clientrealmlen; + int32_t keyusage; + Shisa_principal krbtgt; + Shisa_principal user; + Shishi_asn1 reqapticket; |
int i; |
+ Shisa_key **tgkeys; + size_t ntgkeys; + Shisa_key **serverkeys; + size_t nserverkeys; |
|
- buflen = sizeof (buf) - 1; - err = shishi_encticketpart_cname_get - (handle, shishi_tkt_encticketpart (shishi_ap_tkt (shishi_tgs_ap (tgs))), - buf, &buflen); |
+ /* Extract pa-data and populate tgs->ap. */ + rc = shishi_tgs_req_process (tgs); + if (rc != SHISHI_OK) + return rc; + + /* Get ticket used to authenticate request. */ + rc = shishi_apreq_get_ticket (handle, shishi_ap_req (shishi_tgs_ap (tgs)), + &reqapticket); + if (rc != SHISHI_OK) + return rc; + + /* Find name of ticket granter, e.g., krbtgt/address@hidden */ + + err = shishi_ticket_realm_get (handle, reqapticket, &tgrealm, NULL); + if (err != SHISHI_OK) + return err; + printf ("tg realm %s\n", tgrealm); + + rc = shishi_ticket_server (handle, reqapticket, &tgname, &tgnamelen); + if (rc != SHISHI_OK) + return rc; + printf ("Found ticket granter name address@hidden", tgname, tgrealm); + + /* We need to decrypt the ticket granting ticket, get key. */ + + rc = shisa_enumerate_keys (dbh, tgrealm, tgname, &tgkeys, &ntgkeys); + if (err != SHISA_OK) + { + printf ("Error getting keys for address@hidden", tgname, tgrealm); + return SHISHI_INVALID_PRINCIPAL_NAME; + } + printf ("Found keys for ticket granter address@hidden", tgname, tgrealm); + + /* XXX use etype/kvno to select key. */ + + err = shishi_key_from_value (handle, tgkeys[0]->etype, + tgkeys[0]->key, &tgkey); |
if (err != SHISHI_OK) return err; |
- buf[buflen] = '\0'; - username = strdup (buf); - printf ("username %s\n", username); |
|
- buflen = sizeof (buf) - 1; - err = shishi_kdcreq_sname_get (handle, shishi_tgs_req (tgs), buf, &buflen); |
+ shishi_key_print (handle, stdout, tgkey); + + /* Find the server, e.g., host/address@hidden */ + + err = shishi_kdcreq_realm (handle, shishi_tgs_req (tgs), &serverrealm, NULL); |
if (err != SHISHI_OK) return err; |
- buf[buflen] = '\0'; - servername = strdup (buf); - printf ("servername %s\n", servername); |
+ printf ("server realm %s\n", serverrealm); |
|
- buflen = sizeof (buf) - 1; - err = shishi_kdcreq_realm_get (handle, shishi_tgs_req (tgs), buf, &buflen); |
+ err = shishi_kdcreq_server (handle, shishi_tgs_req (tgs), &servername, NULL); |
if (err != SHISHI_OK) return err; |
- buf[buflen] = '\0'; - realm = strdup (buf); - printf ("server realm %s\n", realm); |
+ printf ("servername %s\n", servername); |
|
- tkt = shishi_tgs_tkt (tgs); - if (!tkt) - return SHISHI_MALLOC_ERROR; |
+ err = shisa_principal_find (dbh, serverrealm, servername, &krbtgt); + if (err != SHISA_OK) + { + printf ("server address@hidden not found\n", servername, serverrealm); + return SHISHI_INVALID_PRINCIPAL_NAME; + } + printf ("Found server address@hidden", servername, serverrealm); + + /* Get key for server, used to encrypt new ticket. */ |
|
- i = 1; - do |
+ rc = shisa_enumerate_keys (dbh, serverrealm, servername, + &serverkeys, &nserverkeys); + if (err != SHISA_OK) |
{ |
- err = shishi_kdcreq_etype (handle, shishi_tgs_req (tgs), &etype, i); - if (err == SHISHI_OK && shishi_cipher_supported_p (etype)) - break; |
+ printf ("Error getting keys for address@hidden", servername, serverrealm); + return SHISHI_INVALID_PRINCIPAL_NAME; |
} |
- while (err == SHISHI_OK); |
+ printf ("Found keys for server address@hidden", servername, serverrealm); + + /* XXX select "best" available key (highest kvno, best algorithm?) here. */ + + err = shishi_key_from_value (handle, serverkeys[0]->etype, + serverkeys[0]->key, &serverkey); |
if (err != SHISHI_OK) return err; |
- /* XXX use a "preferred server kdc etype" from shishi instead? */ |
+ shishi_key_print (handle, stdout, serverkey); + + /* Decrypt incoming ticket with our key, and decrypt authenticator + using key stored in ticket. */ + rc = shishi_ap_req_process_keyusage + (shishi_tgs_ap (tgs), tgkey, SHISHI_KEYUSAGE_TGSREQ_APREQ_AUTHENTICATOR); + if (rc != SHISHI_OK) + return rc; + + /* XXX check that checksum in authenticator match tgsreq.req-body */ |
|
- err = shishi_key_random (handle, etype, &sessionkey); |
+ tkt = shishi_tgs_tkt (tgs); + + /* Generate session key for the newly generated ticket, of same key + type as the selected long-term server key. */ + + err = shishi_key_random (handle, shishi_key_type (serverkey), + &newsessionkey); |
if (err) return err; |
- err = shishi_tkt_key_set (tkt, sessionkey); |
+ err = shishi_tkt_key_set (tkt, newsessionkey); |
if (err) return err; |
- /* extract pa-data and populate tgs->ap */ - rc = shishi_tgs_req_process (tgs); - if (rc != SHISHI_OK) - return rc; - - /* XXX check if ticket is for our tgt key */ |
+ /* In the new ticket, store identity of the client, taken from the + decrypted incoming ticket. */ |
|
- #if 0 - /* decrypt ticket with our key, and decrypt authenticator using key in tkt */ - rc = shishi_ap_req_process_keyusage - (shishi_tgs_ap (tgs), arg.tgskey, - SHISHI_KEYUSAGE_TGSREQ_APREQ_AUTHENTICATOR); - if (rc != SHISHI_OK) - return rc; - #endif |
+ err = shishi_encticketpart_crealm + (handle, shishi_tkt_encticketpart (shishi_ap_tkt (shishi_tgs_ap (tgs))), + &clientrealm, &clientrealmlen); + if (err != SHISHI_OK) + return err; + printf ("userrealm %s\n", clientrealm); |
|
- /* XXX check that checksum in authenticator match tgsreq.req-body */ |
+ err = shishi_encticketpart_client + (handle, shishi_tkt_encticketpart (shishi_ap_tkt (shishi_tgs_ap (tgs))), + &client, &clientlen); + if (err != SHISHI_OK) + return err; + printf ("username %s\n", client); |
|
- err = shishi_tkt_clientrealm_set (tkt, realm, username); |
+ err = shishi_tkt_clientrealm_set (tkt, clientrealm, client); |
if (err) return err; |
- err = shishi_tkt_serverrealm_set (tkt, realm, servername); |
+ err = shishi_tkt_serverrealm_set (tkt, serverrealm, servername); |
if (err) return err; |
- #if 0 - serverkey = shishi_keys_for_serverrealm_in_file (handle, - arg.keyfile, - servername, realm); - if (!serverkey) - return !SHISHI_OK; - #endif |
+ + /* Build new key, using the server's key. */ + |
err = shishi_tkt_build (tkt, serverkey); if (err) return err; |
+ /* The TGS-REP need to be encrypted, decide which key to use. + Either it is the session key in the incoming ticket, or it is the + sub-key in the authenticator. */ + |
err = shishi_encticketpart_get_key (handle, shishi_tkt_encticketpart (shishi_ap_tkt (shishi_tgs_ap (tgs))), |
- &sessiontktkey); |
+ &oldsessionkey); |
err = shishi_authenticator_get_subkey (handle, shishi_ap_authenticator (shishi_tgs_ap (tgs)), &subkey); |
Line 465 |
else { keyusage = SHISHI_KEYUSAGE_ENCTGSREPPART_SESSION_KEY; |
- keytouse = sessiontktkey; |
+ keytouse = oldsessionkey; |
} |
+ /* Build TGS-REP. */ + |
err = shishi_tgs_rep_build (tgs, keyusage, keytouse); if (err) return err; |
[Prev in Thread] | Current Thread | [Next in Thread] |