Branch data Line data Source code
1 : : /* tkt.c --- Ticket handling.
2 : : * Copyright (C) 2002, 2003, 2004, 2006, 2007, 2010 Simon Josefsson
3 : : *
4 : : * This file is part of Shishi.
5 : : *
6 : : * Shishi is free software; you can redistribute it and/or modify it
7 : : * under the terms of the GNU General Public License as published by
8 : : * the Free Software Foundation; either version 3 of the License, or
9 : : * (at your option) any later version.
10 : : *
11 : : * Shishi is distributed in the hope that it will be useful, but
12 : : * WITHOUT ANY WARRANTY; without even the implied warranty of
13 : : * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 : : * GNU General Public License for more details.
15 : : *
16 : : * You should have received a copy of the GNU General Public License
17 : : * along with Shishi; if not, see http://www.gnu.org/licenses or write
18 : : * to the Free Software Foundation, Inc., 51 Franklin Street, Fifth
19 : : * Floor, Boston, MA 02110-1301, USA
20 : : *
21 : : */
22 : :
23 : : #include "internal.h"
24 : :
25 : : struct Shishi_tkt
26 : : {
27 : : Shishi *handle;
28 : : Shishi_asn1 ticket;
29 : : Shishi_asn1 kdcrep;
30 : : Shishi_asn1 enckdcreppart;
31 : : Shishi_asn1 encticketpart;
32 : : Shishi_key *key;
33 : : };
34 : :
35 : : /**
36 : : * shishi_tkt:
37 : : * @handle: shishi handle as allocated by shishi_init().
38 : : * @tkt: output variable with newly allocated ticket.
39 : : *
40 : : * Create a new ticket handle.
41 : : *
42 : : * Return value: Returns SHISHI_OK iff successful.
43 : : **/
44 : : int
45 : 2 : shishi_tkt (Shishi * handle, Shishi_tkt ** tkt)
46 : : {
47 : : Shishi_tkt *t;
48 : : int res;
49 : :
50 : 2 : t = xcalloc (1, sizeof (*t));
51 : :
52 : 2 : t->handle = handle;
53 : :
54 : 2 : t->ticket = shishi_ticket (handle);
55 [ - + ]: 2 : if (t->ticket == NULL)
56 : : {
57 : 0 : shishi_error_printf (handle, "Could not create Ticket: %s\n",
58 : : shishi_error (handle));
59 : 0 : return SHISHI_ASN1_ERROR;
60 : : }
61 : :
62 : : /* XXX what about tgs's? */
63 : 2 : t->enckdcreppart = shishi_encasreppart (handle);
64 [ - + ]: 2 : if (t->enckdcreppart == NULL)
65 : : {
66 : 0 : shishi_error_printf (handle, "Could not create EncKDCRepPart: %s\n",
67 : : shishi_error (handle));
68 : 0 : return SHISHI_ASN1_ERROR;
69 : : }
70 : :
71 : 2 : t->encticketpart = shishi_encticketpart (handle);
72 [ - + ]: 2 : if (t->encticketpart == NULL)
73 : : {
74 : 0 : shishi_error_printf (handle, "Could not create EncTicketPart: %s\n",
75 : : shishi_error (handle));
76 : 0 : return SHISHI_ASN1_ERROR;
77 : : }
78 : :
79 : 2 : res = shishi_encticketpart_transited_set (handle,
80 : : t->encticketpart,
81 : : SHISHI_TR_DOMAIN_X500_COMPRESS,
82 : : "", 0);
83 [ - + ]: 2 : if (res != SHISHI_OK)
84 : 0 : return res;
85 : :
86 : 2 : res = shishi_encticketpart_authtime_set
87 : : (handle, t->encticketpart, shishi_generalize_time (handle, time (NULL)));
88 [ - + ]: 2 : if (res != SHISHI_OK)
89 : 0 : return res;
90 : :
91 : 2 : res = shishi_encticketpart_endtime_set
92 : : (handle, t->encticketpart,
93 : : shishi_generalize_time (handle, time (NULL) + 1000));
94 [ - + ]: 2 : if (res != SHISHI_OK)
95 : 0 : return res;
96 : :
97 : 2 : t->kdcrep = shishi_asrep (handle);
98 [ - + ]: 2 : if (t->kdcrep == NULL)
99 : : {
100 : 0 : shishi_error_printf (handle, "Could not create AS-REP: %s\n",
101 : : shishi_error (handle));
102 : 0 : return SHISHI_ASN1_ERROR;
103 : : }
104 : :
105 : : /* XXX We don't allocate t->key here, because shishi_tkt_key()
106 : : relies on it being NULL. Possibly, we should allocate it here
107 : : instead, and simplify shishi_tkt_key(). */
108 : :
109 : 2 : *tkt = t;
110 : :
111 : 2 : return SHISHI_OK;
112 : : }
113 : :
114 : : /**
115 : : * shishi_tkt2:
116 : : * @handle: shishi handle as allocated by shishi_init().
117 : : * @ticket: input variable with ticket.
118 : : * @enckdcreppart: input variable with auxiliary ticket information.
119 : : * @kdcrep: input variable with KDC-REP ticket information.
120 : : *
121 : : * Create a new ticket handle.
122 : : *
123 : : * Return value: Returns new ticket handle, or %NULL on error.
124 : : **/
125 : : Shishi_tkt *
126 : 4 : shishi_tkt2 (Shishi * handle,
127 : : Shishi_asn1 ticket, Shishi_asn1 enckdcreppart,
128 : : Shishi_asn1 kdcrep)
129 : : {
130 : : Shishi_tkt *tkt;
131 : :
132 : 4 : tkt = xcalloc (1, sizeof (*tkt));
133 : :
134 : 4 : tkt->handle = handle;
135 : 4 : tkt->ticket = ticket;
136 : 4 : tkt->enckdcreppart = enckdcreppart;
137 : 4 : tkt->kdcrep = kdcrep;
138 : :
139 : 4 : return tkt;
140 : : }
141 : :
142 : : /**
143 : : * shishi_tkt_done:
144 : : * @tkt: input variable with ticket info.
145 : : *
146 : : * Deallocate resources associated with ticket. The ticket must not
147 : : * be used again after this call.
148 : : **/
149 : : void
150 : 4 : shishi_tkt_done (Shishi_tkt * tkt)
151 : : {
152 [ - + ]: 4 : if (tkt->key)
153 : 0 : shishi_key_done (tkt->key);
154 : 4 : free (tkt);
155 : 4 : }
156 : :
157 : :
158 : : int
159 : 0 : shishi_tkt_build (Shishi_tkt * tkt, Shishi_key * key)
160 : : {
161 : : int res;
162 : :
163 : 0 : res = shishi_ticket_add_enc_part (tkt->handle, tkt->ticket,
164 : : key, tkt->encticketpart);
165 [ # # ]: 0 : if (res != SHISHI_OK)
166 : 0 : return res;
167 : :
168 : 0 : return SHISHI_OK;
169 : : }
170 : :
171 : : /**
172 : : * shishi_tkt_ticket:
173 : : * @tkt: input variable with ticket info.
174 : : *
175 : : * Get ASN.1 Ticket structure from ticket.
176 : : *
177 : : * Return value: Returns actual ticket.
178 : : **/
179 : : Shishi_asn1
180 : 8 : shishi_tkt_ticket (Shishi_tkt * tkt)
181 : : {
182 : 8 : return tkt->ticket;
183 : : }
184 : :
185 : : /**
186 : : * shishi_tkt_ticket_set:
187 : : * @tkt: input variable with ticket info.
188 : : * @ticket: ASN.1 Ticket to store in ticket.
189 : : *
190 : : * Set the ASN.1 Ticket in the Ticket.
191 : : **/
192 : : void
193 : 2 : shishi_tkt_ticket_set (Shishi_tkt * tkt, Shishi_asn1 ticket)
194 : : {
195 [ + - ]: 2 : if (tkt->ticket)
196 : 2 : shishi_asn1_done (tkt->handle, tkt->ticket);
197 : 2 : tkt->ticket = ticket;
198 : 2 : }
199 : :
200 : : /**
201 : : * shishi_tkt_enckdcreppart:
202 : : * @tkt: input variable with ticket info.
203 : : *
204 : : * Get ASN.1 EncKDCRepPart structure from ticket.
205 : : *
206 : : * Return value: Returns auxiliary ticket information.
207 : : **/
208 : : Shishi_asn1
209 : 20 : shishi_tkt_enckdcreppart (Shishi_tkt * tkt)
210 : : {
211 : 20 : return tkt->enckdcreppart;
212 : : }
213 : :
214 : : /**
215 : : * shishi_tkt_enckdcreppart_set:
216 : : * @tkt: structure that holds information about Ticket exchange
217 : : * @enckdcreppart: EncKDCRepPart to store in Ticket.
218 : : *
219 : : * Set the EncKDCRepPart in the Ticket.
220 : : **/
221 : : void
222 : 0 : shishi_tkt_enckdcreppart_set (Shishi_tkt * tkt, Shishi_asn1 enckdcreppart)
223 : : {
224 [ # # ]: 0 : if (tkt->enckdcreppart)
225 : 0 : shishi_asn1_done (tkt->handle, tkt->enckdcreppart);
226 : 0 : tkt->enckdcreppart = enckdcreppart;
227 : 0 : }
228 : :
229 : : /**
230 : : * shishi_tkt_kdcrep:
231 : : * @tkt: input variable with ticket info.
232 : : *
233 : : * Get ASN.1 KDCRep structure from ticket.
234 : : *
235 : : * Return value: Returns KDC-REP information.
236 : : **/
237 : : Shishi_asn1
238 : 14 : shishi_tkt_kdcrep (Shishi_tkt * tkt)
239 : : {
240 : 14 : return tkt->kdcrep;
241 : : }
242 : :
243 : : /**
244 : : * shishi_tkt_encticketpart:
245 : : * @tkt: input variable with ticket info.
246 : : *
247 : : * Get ASN.1 EncTicketPart structure from ticket.
248 : : *
249 : : * Return value: Returns EncTicketPart information.
250 : : **/
251 : : Shishi_asn1
252 : 0 : shishi_tkt_encticketpart (Shishi_tkt * tkt)
253 : : {
254 : 0 : return tkt->encticketpart;
255 : : }
256 : :
257 : : /**
258 : : * shishi_tkt_encticketpart_set:
259 : : * @tkt: input variable with ticket info.
260 : : * @encticketpart: encticketpart to store in ticket.
261 : : *
262 : : * Set the EncTicketPart in the Ticket.
263 : : **/
264 : : void
265 : 0 : shishi_tkt_encticketpart_set (Shishi_tkt * tkt, Shishi_asn1 encticketpart)
266 : : {
267 [ # # ]: 0 : if (tkt->encticketpart)
268 : 0 : shishi_asn1_done (tkt->handle, tkt->encticketpart);
269 : 0 : tkt->encticketpart = encticketpart;
270 : 0 : }
271 : :
272 : : /**
273 : : * shishi_tkt_key:
274 : : * @tkt: input variable with ticket info.
275 : : *
276 : : * Get key used in ticket, by looking first in EncKDCRepPart and then
277 : : * in EncTicketPart. If key is already populated, it is not extracted
278 : : * again.
279 : : *
280 : : * Return value: Returns key extracted from EncKDCRepPart or
281 : : * EncTicketPart.
282 : : **/
283 : : Shishi_key *
284 : 0 : shishi_tkt_key (Shishi_tkt * tkt)
285 : : {
286 : : int rc;
287 : :
288 : : /* XXX We probably shouldn't extract the keys here. Where is this
289 : : extraction actually needed? */
290 [ # # ][ # # ]: 0 : if (!tkt->key && tkt->enckdcreppart)
291 : : {
292 : 0 : rc = shishi_enckdcreppart_get_key (tkt->handle,
293 : : tkt->enckdcreppart, &tkt->key);
294 [ # # ]: 0 : if (rc != SHISHI_OK)
295 : 0 : return NULL;
296 : : }
297 [ # # ][ # # ]: 0 : else if (!tkt->key && tkt->encticketpart)
298 : : {
299 : 0 : rc = shishi_encticketpart_get_key (tkt->handle,
300 : : tkt->encticketpart, &tkt->key);
301 [ # # ]: 0 : if (rc != SHISHI_OK)
302 : 0 : return NULL;
303 : : }
304 : :
305 : 0 : return tkt->key;
306 : : }
307 : :
308 : : /**
309 : : * shishi_tkt_key_set:
310 : : * @tkt: input variable with ticket info.
311 : : * @key: key to store in ticket.
312 : : *
313 : : * Set the key in the EncTicketPart.
314 : : *
315 : : * Return value: Returns SHISHI_OK iff successful.
316 : : **/
317 : : int
318 : 2 : shishi_tkt_key_set (Shishi_tkt * tkt, Shishi_key * key)
319 : : {
320 : : int res;
321 : :
322 : 2 : res = shishi_encticketpart_key_set (tkt->handle, tkt->encticketpart, key);
323 [ - + ]: 2 : if (res != SHISHI_OK)
324 : 0 : return res;
325 : :
326 : 2 : res = shishi_enckdcreppart_key_set (tkt->handle, tkt->enckdcreppart, key);
327 [ - + ]: 2 : if (res != SHISHI_OK)
328 : 0 : return res;
329 : :
330 [ + - ]: 2 : if (!tkt->key)
331 : : {
332 : 2 : res = shishi_key (tkt->handle, &tkt->key);
333 [ - + ]: 2 : if (res != SHISHI_OK)
334 : 0 : return res;
335 : : }
336 : :
337 : 2 : shishi_key_copy (tkt->key, key);
338 : :
339 : 2 : return SHISHI_OK;
340 : : }
341 : :
342 : : int
343 : 0 : shishi_tkt_clientrealm_set (Shishi_tkt * tkt,
344 : : const char *realm, const char *client)
345 : : {
346 : : int res;
347 : :
348 : 0 : res = shishi_encticketpart_crealm_set (tkt->handle,
349 : : tkt->encticketpart, realm);
350 [ # # ]: 0 : if (res != SHISHI_OK)
351 : 0 : return res;
352 : :
353 : 0 : res = shishi_encticketpart_cname_set (tkt->handle,
354 : : tkt->encticketpart,
355 : : SHISHI_NT_UNKNOWN, client);
356 [ # # ]: 0 : if (res != SHISHI_OK)
357 : 0 : return res;
358 : :
359 : 0 : return SHISHI_OK;
360 : : }
361 : :
362 : : int
363 : 0 : shishi_tkt_serverrealm_set (Shishi_tkt * tkt,
364 : : const char *realm, const char *server)
365 : : {
366 : : int res;
367 : :
368 : 0 : res = shishi_ticket_srealmserver_set (tkt->handle, tkt->ticket,
369 : : realm, server);
370 [ # # ]: 0 : if (res != SHISHI_OK)
371 : 0 : return res;
372 : :
373 : 0 : res = shishi_enckdcreppart_srealmserver_set
374 : : (tkt->handle, tkt->enckdcreppart, realm, server);
375 [ # # ]: 0 : if (res != SHISHI_OK)
376 : 0 : return res;
377 : :
378 : 0 : return SHISHI_OK;
379 : : }
380 : :
381 : : /**
382 : : * shishi_tkt_client:
383 : : * @tkt: input variable with ticket info.
384 : : * @client: pointer to newly allocated zero terminated string containing
385 : : * principal name. May be %NULL (to only populate @clientlen).
386 : : * @clientlen: pointer to length of @client on output, excluding terminating
387 : : * zero. May be %NULL (to only populate @client).
388 : : *
389 : : * Represent client principal name in Ticket KDC-REP as
390 : : * zero-terminated string. The string is allocate by this function,
391 : : * and it is the responsibility of the caller to deallocate it. Note
392 : : * that the output length @clientlen does not include the terminating
393 : : * zero.
394 : : *
395 : : * Return value: Returns SHISHI_OK iff successful.
396 : : **/
397 : : int
398 : 3 : shishi_tkt_client (Shishi_tkt * tkt, char **client, size_t * clientlen)
399 : : {
400 : 3 : return shishi_principal_name (tkt->handle, tkt->kdcrep,
401 : : "cname", client, clientlen);
402 : : }
403 : :
404 : : /**
405 : : * shishi_tkt_client_p:
406 : : * @tkt: input variable with ticket info.
407 : : * @client: client name of ticket.
408 : : *
409 : : * Determine if ticket is for specified client.
410 : : *
411 : : * Return value: Returns non-0 iff ticket is for specified client.
412 : : **/
413 : : int
414 : 3 : shishi_tkt_client_p (Shishi_tkt * tkt, const char *client)
415 : : {
416 : : char *buf;
417 : : size_t buflen;
418 : : int res;
419 : :
420 : 3 : res = shishi_tkt_client (tkt, &buf, &buflen);
421 [ - + ]: 3 : if (res != SHISHI_OK)
422 : 0 : return 0;
423 : :
424 : 3 : res = strcmp (client, buf) == 0;
425 : :
426 : 3 : free (buf);
427 : :
428 : 3 : return res;
429 : : }
430 : :
431 : : /**
432 : : * shishi_tkt_clientrealm:
433 : : * @tkt: input variable with ticket info.
434 : : * @client: pointer to newly allocated zero terminated string containing
435 : : * principal name and realm. May be %NULL (to only populate @clientlen).
436 : : * @clientlen: pointer to length of @client on output, excluding terminating
437 : : * zero. May be %NULL (to only populate @client).
438 : : *
439 : : * Convert cname and realm fields from AS-REQ to printable principal
440 : : * name format. The string is allocate by this function, and it is
441 : : * the responsibility of the caller to deallocate it. Note that the
442 : : * output length @clientlen does not include the terminating zero.
443 : : *
444 : : * Return value: Returns SHISHI_OK iff successful.
445 : : **/
446 : : int
447 : 2 : shishi_tkt_clientrealm (Shishi_tkt * tkt, char **client, size_t * clientlen)
448 : : {
449 : 2 : return shishi_principal_name_realm (tkt->handle,
450 : : tkt->kdcrep, "cname",
451 : : tkt->kdcrep, "crealm",
452 : : client, clientlen);
453 : : }
454 : :
455 : : /**
456 : : * shishi_tkt_clientrealm_p:
457 : : * @tkt: input variable with ticket info.
458 : : * @client: principal name (client name and realm) of ticket.
459 : : *
460 : : * Determine if ticket is for specified client principal.
461 : : *
462 : : * Return value: Returns non-0 iff ticket is for specified client principal.
463 : : **/
464 : : int
465 : 0 : shishi_tkt_clientrealm_p (Shishi_tkt * tkt, const char *client)
466 : : {
467 : : char *buf;
468 : : size_t buflen;
469 : : int res;
470 : :
471 : 0 : res = shishi_tkt_clientrealm (tkt, &buf, &buflen);
472 [ # # ]: 0 : if (res != SHISHI_OK)
473 : 0 : return 0;
474 : :
475 : 0 : res = strcmp (client, buf) == 0;
476 : :
477 : 0 : free (buf);
478 : :
479 : 0 : return res;
480 : : }
481 : :
482 : : /**
483 : : * shishi_tkt_realm:
484 : : * @tkt: input variable with ticket info.
485 : : * @realm: pointer to newly allocated character array with realm name.
486 : : * @realmlen: length of newly allocated character array with realm name.
487 : : *
488 : : * Extract realm of server in ticket.
489 : : *
490 : : * Return value: Returns SHISHI_OK iff successful.
491 : : **/
492 : : int
493 : 0 : shishi_tkt_realm (Shishi_tkt * tkt, char **realm, size_t * realmlen)
494 : : {
495 : 0 : return shishi_ticket_realm_get (tkt->handle, tkt->ticket, realm, realmlen);
496 : : }
497 : :
498 : : /**
499 : : * shishi_tkt_server:
500 : : * @tkt: input variable with ticket info.
501 : : * @server: pointer to newly allocated zero terminated string containing
502 : : * principal name. May be %NULL (to only populate @serverlen).
503 : : * @serverlen: pointer to length of @server on output, excluding terminating
504 : : * zero. May be %NULL (to only populate @server).
505 : : *
506 : : * Represent server principal name in Ticket as zero-terminated
507 : : * string. The string is allocate by this function, and it is the
508 : : * responsibility of the caller to deallocate it. Note that the
509 : : * output length @serverlen does not include the terminating zero.
510 : : *
511 : : * Return value: Returns SHISHI_OK iff successful.
512 : : **/
513 : : int
514 : 8 : shishi_tkt_server (Shishi_tkt * tkt, char **server, size_t * serverlen)
515 : : {
516 : 8 : return shishi_ticket_server (tkt->handle, tkt->ticket, server, serverlen);
517 : : }
518 : :
519 : : /**
520 : : * shishi_tkt_server_p:
521 : : * @tkt: input variable with ticket info.
522 : : * @server: server name of ticket.
523 : : *
524 : : * Determine if ticket is for specified server.
525 : : *
526 : : * Return value: Returns non-0 iff ticket is for specified server.
527 : : **/
528 : : int
529 : 6 : shishi_tkt_server_p (Shishi_tkt * tkt, const char *server)
530 : : {
531 : : char *buf;
532 : : int res;
533 : :
534 : 6 : res = shishi_tkt_server (tkt, &buf, NULL);
535 [ - + ]: 6 : if (res != SHISHI_OK)
536 : 0 : return 0;
537 : :
538 : 6 : res = strcmp (server, buf) == 0;
539 : :
540 : 6 : free (buf);
541 : :
542 : 6 : return res;
543 : : }
544 : :
545 : : /**
546 : : * shishi_tkt_flags:
547 : : * @tkt: input variable with ticket info.
548 : : * @flags: pointer to output integer with flags.
549 : : *
550 : : * Extract flags in ticket (i.e., EncKDCRepPart).
551 : : *
552 : : * Return value: Returns SHISHI_OK iff successful.
553 : : **/
554 : : int
555 : 28 : shishi_tkt_flags (Shishi_tkt * tkt, uint32_t * flags)
556 : : {
557 : 28 : return shishi_asn1_read_bitstring (tkt->handle, tkt->enckdcreppart,
558 : : "flags", flags);
559 : : }
560 : :
561 : : /**
562 : : * shishi_tkt_flags_set:
563 : : * @tkt: input variable with ticket info.
564 : : * @flags: integer with flags to store in ticket.
565 : : *
566 : : * Set flags in ticket, i.e., both EncTicketPart and EncKDCRepPart.
567 : : * Note that this reset any already existing flags.
568 : : *
569 : : * Return value: Returns SHISHI_OK iff successful.
570 : : **/
571 : : int
572 : 2 : shishi_tkt_flags_set (Shishi_tkt * tkt, uint32_t flags)
573 : : {
574 : : int res;
575 : :
576 : 2 : res = shishi_encticketpart_flags_set (tkt->handle, tkt->encticketpart,
577 : : flags);
578 [ - + ]: 2 : if (res != SHISHI_OK)
579 : 0 : return res;
580 : :
581 : 2 : res = shishi_enckdcreppart_flags_set (tkt->handle, tkt->enckdcreppart,
582 : : flags);
583 [ - + ]: 2 : if (res != SHISHI_OK)
584 : 0 : return res;
585 : :
586 : 2 : return SHISHI_OK;
587 : : }
588 : :
589 : : /**
590 : : * shishi_tkt_flags_add:
591 : : * @tkt: input variable with ticket info.
592 : : * @flag: integer with flags to store in ticket.
593 : : *
594 : : * Add ticket flags to Ticket and EncKDCRepPart. This preserves all
595 : : * existing options.
596 : : *
597 : : * Return value: Returns SHISHI_OK iff successful.
598 : : **/
599 : : int
600 : 0 : shishi_tkt_flags_add (Shishi_tkt * tkt, uint32_t flag)
601 : : {
602 : : uint32_t flags;
603 : : int res;
604 : :
605 : 0 : res = shishi_tkt_flags (tkt, &flags);
606 [ # # ]: 0 : if (res != SHISHI_OK)
607 : 0 : return res;
608 : :
609 : 0 : flags |= flag;
610 : :
611 : 0 : res = shishi_tkt_flags_set (tkt, flags);
612 [ # # ]: 0 : if (res != SHISHI_OK)
613 : 0 : return res;
614 : :
615 : 0 : return SHISHI_OK;
616 : : }
617 : :
618 : : /**
619 : : * shishi_tkt_forwardable_p:
620 : : * @tkt: input variable with ticket info.
621 : : *
622 : : * Determine if ticket is forwardable.
623 : : *
624 : : * The FORWARDABLE flag in a ticket is normally only interpreted by
625 : : * the ticket-granting service. It can be ignored by application
626 : : * servers. The FORWARDABLE flag has an interpretation similar to
627 : : * that of the PROXIABLE flag, except ticket-granting tickets may also
628 : : * be issued with different network addresses. This flag is reset by
629 : : * default, but users MAY request that it be set by setting the
630 : : * FORWARDABLE option in the AS request when they request their
631 : : * initial ticket-granting ticket.
632 : : *
633 : : * Return value: Returns non-0 iff forwardable flag is set in ticket.
634 : : **/
635 : : int
636 : 2 : shishi_tkt_forwardable_p (Shishi_tkt * tkt)
637 : : {
638 : 2 : uint32_t flags = 0;
639 : :
640 : 2 : shishi_tkt_flags (tkt, &flags);
641 : :
642 : 2 : return flags & SHISHI_TICKETFLAGS_FORWARDABLE;
643 : : }
644 : :
645 : : /**
646 : : * shishi_tkt_forwarded_p:
647 : : * @tkt: input variable with ticket info.
648 : : *
649 : : * Determine if ticket is forwarded.
650 : : *
651 : : * The FORWARDED flag is set by the TGS when a client presents a
652 : : * ticket with the FORWARDABLE flag set and requests a forwarded
653 : : * ticket by specifying the FORWARDED KDC option and supplying a set
654 : : * of addresses for the new ticket. It is also set in all tickets
655 : : * issued based on tickets with the FORWARDED flag set. Application
656 : : * servers may choose to process FORWARDED tickets differently than
657 : : * non-FORWARDED tickets.
658 : : *
659 : : * Return value: Returns non-0 iff forwarded flag is set in ticket.
660 : : **/
661 : : int
662 : 2 : shishi_tkt_forwarded_p (Shishi_tkt * tkt)
663 : : {
664 : 2 : uint32_t flags = 0;
665 : :
666 : 2 : shishi_tkt_flags (tkt, &flags);
667 : :
668 : 2 : return flags & SHISHI_TICKETFLAGS_FORWARDED;
669 : : }
670 : :
671 : : /**
672 : : * shishi_tkt_proxiable_p:
673 : : * @tkt: input variable with ticket info.
674 : : *
675 : : * Determine if ticket is proxiable.
676 : : *
677 : : * The PROXIABLE flag in a ticket is normally only interpreted by the
678 : : * ticket-granting service. It can be ignored by application servers.
679 : : * When set, this flag tells the ticket-granting server that it is OK
680 : : * to issue a new ticket (but not a ticket-granting ticket) with a
681 : : * different network address based on this ticket. This flag is set if
682 : : * requested by the client on initial authentication. By default, the
683 : : * client will request that it be set when requesting a
684 : : * ticket-granting ticket, and reset when requesting any other ticket.
685 : : *
686 : : * Return value: Returns non-0 iff proxiable flag is set in ticket.
687 : : **/
688 : : int
689 : 2 : shishi_tkt_proxiable_p (Shishi_tkt * tkt)
690 : : {
691 : 2 : uint32_t flags = 0;
692 : :
693 : 2 : shishi_tkt_flags (tkt, &flags);
694 : :
695 : 2 : return flags & SHISHI_TICKETFLAGS_PROXIABLE;
696 : : }
697 : :
698 : : /**
699 : : * shishi_tkt_proxy_p:
700 : : * @tkt: input variable with ticket info.
701 : : *
702 : : * Determine if ticket is proxy ticket.
703 : : *
704 : : * The PROXY flag is set in a ticket by the TGS when it issues a proxy
705 : : * ticket. Application servers MAY check this flag and at their
706 : : * option they MAY require additional authentication from the agent
707 : : * presenting the proxy in order to provide an audit trail.
708 : : *
709 : : * Return value: Returns non-0 iff proxy flag is set in ticket.
710 : : **/
711 : : int
712 : 2 : shishi_tkt_proxy_p (Shishi_tkt * tkt)
713 : : {
714 : 2 : uint32_t flags = 0;
715 : :
716 : 2 : shishi_tkt_flags (tkt, &flags);
717 : :
718 : 2 : return flags & SHISHI_TICKETFLAGS_PROXY;
719 : : }
720 : :
721 : : /**
722 : : * shishi_tkt_may_postdate_p:
723 : : * @tkt: input variable with ticket info.
724 : : *
725 : : * Determine if ticket may be used to grant postdated tickets.
726 : : *
727 : : * The MAY-POSTDATE flag in a ticket is normally only interpreted by
728 : : * the ticket-granting service. It can be ignored by application
729 : : * servers. This flag MUST be set in a ticket-granting ticket in
730 : : * order to issue a postdated ticket based on the presented ticket. It
731 : : * is reset by default; it MAY be requested by a client by setting the
732 : : * ALLOW- POSTDATE option in the KRB_AS_REQ message. This flag does
733 : : * not allow a client to obtain a postdated ticket-granting ticket;
734 : : * postdated ticket-granting tickets can only by obtained by
735 : : * requesting the postdating in the KRB_AS_REQ message. The life
736 : : * (endtime-starttime) of a postdated ticket will be the remaining
737 : : * life of the ticket-granting ticket at the time of the request,
738 : : * unless the RENEWABLE option is also set, in which case it can be
739 : : * the full life (endtime-starttime) of the ticket-granting
740 : : * ticket. The KDC MAY limit how far in the future a ticket may be
741 : : * postdated.
742 : : *
743 : : * Return value: Returns non-0 iff may-postdate flag is set in ticket.
744 : : **/
745 : : int
746 : 2 : shishi_tkt_may_postdate_p (Shishi_tkt * tkt)
747 : : {
748 : 2 : uint32_t flags = 0;
749 : :
750 : 2 : shishi_tkt_flags (tkt, &flags);
751 : :
752 : 2 : return flags & SHISHI_TICKETFLAGS_MAY_POSTDATE;
753 : : }
754 : :
755 : : /**
756 : : * shishi_tkt_postdated_p:
757 : : * @tkt: input variable with ticket info.
758 : : *
759 : : * Determine if ticket is postdated.
760 : : *
761 : : * The POSTDATED flag indicates that a ticket has been postdated. The
762 : : * application server can check the authtime field in the ticket to
763 : : * see when the original authentication occurred. Some services MAY
764 : : * choose to reject postdated tickets, or they may only accept them
765 : : * within a certain period after the original authentication. When the
766 : : * KDC issues a POSTDATED ticket, it will also be marked as INVALID,
767 : : * so that the application client MUST present the ticket to the KDC
768 : : * to be validated before use.
769 : : *
770 : : * Return value: Returns non-0 iff postdated flag is set in ticket.
771 : : **/
772 : : int
773 : 2 : shishi_tkt_postdated_p (Shishi_tkt * tkt)
774 : : {
775 : 2 : uint32_t flags = 0;
776 : :
777 : 2 : shishi_tkt_flags (tkt, &flags);
778 : :
779 : 2 : return flags & SHISHI_TICKETFLAGS_POSTDATED;
780 : : }
781 : :
782 : : /**
783 : : * shishi_tkt_invalid_p:
784 : : * @tkt: input variable with ticket info.
785 : : *
786 : : * Determine if ticket is invalid.
787 : : *
788 : : * The INVALID flag indicates that a ticket is invalid. Application
789 : : * servers MUST reject tickets which have this flag set. A postdated
790 : : * ticket will be issued in this form. Invalid tickets MUST be
791 : : * validated by the KDC before use, by presenting them to the KDC in a
792 : : * TGS request with the VALIDATE option specified. The KDC will only
793 : : * validate tickets after their starttime has passed. The validation
794 : : * is required so that postdated tickets which have been stolen before
795 : : * their starttime can be rendered permanently invalid (through a
796 : : * hot-list mechanism).
797 : : *
798 : : * Return value: Returns non-0 iff invalid flag is set in ticket.
799 : : **/
800 : : int
801 : 2 : shishi_tkt_invalid_p (Shishi_tkt * tkt)
802 : : {
803 : 2 : uint32_t flags = 0;
804 : :
805 : 2 : shishi_tkt_flags (tkt, &flags);
806 : :
807 : 2 : return flags & SHISHI_TICKETFLAGS_INVALID;
808 : : }
809 : :
810 : : /**
811 : : * shishi_tkt_renewable_p:
812 : : * @tkt: input variable with ticket info.
813 : : *
814 : : * Determine if ticket is renewable.
815 : : *
816 : : * The RENEWABLE flag in a ticket is normally only interpreted by the
817 : : * ticket-granting service (discussed below in section 3.3). It can
818 : : * usually be ignored by application servers. However, some
819 : : * particularly careful application servers MAY disallow renewable
820 : : * tickets.
821 : : *
822 : : * Return value: Returns non-0 iff renewable flag is set in ticket.
823 : : **/
824 : : int
825 : 2 : shishi_tkt_renewable_p (Shishi_tkt * tkt)
826 : : {
827 : 2 : uint32_t flags = 0;
828 : :
829 : 2 : shishi_tkt_flags (tkt, &flags);
830 : :
831 : 2 : return flags & SHISHI_TICKETFLAGS_RENEWABLE;
832 : : }
833 : :
834 : : /**
835 : : * shishi_tkt_initial_p:
836 : : * @tkt: input variable with ticket info.
837 : : *
838 : : * Determine if ticket was issued using AS exchange.
839 : : *
840 : : * The INITIAL flag indicates that a ticket was issued using the AS
841 : : * protocol, rather than issued based on a ticket-granting ticket.
842 : : * Application servers that want to require the demonstrated knowledge
843 : : * of a client's secret key (e.g. a password-changing program) can
844 : : * insist that this flag be set in any tickets they accept, and thus
845 : : * be assured that the client's key was recently presented to the
846 : : * application client.
847 : : *
848 : : * Return value: Returns non-0 iff initial flag is set in ticket.
849 : : **/
850 : : int
851 : 2 : shishi_tkt_initial_p (Shishi_tkt * tkt)
852 : : {
853 : 2 : uint32_t flags = 0;
854 : :
855 : 2 : shishi_tkt_flags (tkt, &flags);
856 : :
857 : 2 : return flags & SHISHI_TICKETFLAGS_INITIAL;
858 : : }
859 : :
860 : : /**
861 : : * shishi_tkt_pre_authent_p:
862 : : * @tkt: input variable with ticket info.
863 : : *
864 : : * Determine if ticket was pre-authenticated.
865 : : *
866 : : * The PRE-AUTHENT and HW-AUTHENT flags provide additional information
867 : : * about the initial authentication, regardless of whether the current
868 : : * ticket was issued directly (in which case INITIAL will also be set)
869 : : * or issued on the basis of a ticket-granting ticket (in which case
870 : : * the INITIAL flag is clear, but the PRE-AUTHENT and HW-AUTHENT flags
871 : : * are carried forward from the ticket-granting ticket).
872 : : *
873 : : * Return value: Returns non-0 iff pre-authent flag is set in ticket.
874 : : **/
875 : : int
876 : 2 : shishi_tkt_pre_authent_p (Shishi_tkt * tkt)
877 : : {
878 : 2 : uint32_t flags = 0;
879 : :
880 : 2 : shishi_tkt_flags (tkt, &flags);
881 : :
882 : 2 : return flags & SHISHI_TICKETFLAGS_PRE_AUTHENT;
883 : : }
884 : :
885 : : /**
886 : : * shishi_tkt_hw_authent_p:
887 : : * @tkt: input variable with ticket info.
888 : : *
889 : : * Determine if ticket is authenticated using a hardware token.
890 : : *
891 : : * The PRE-AUTHENT and HW-AUTHENT flags provide additional information
892 : : * about the initial authentication, regardless of whether the current
893 : : * ticket was issued directly (in which case INITIAL will also be set)
894 : : * or issued on the basis of a ticket-granting ticket (in which case
895 : : * the INITIAL flag is clear, but the PRE-AUTHENT and HW-AUTHENT flags
896 : : * are carried forward from the ticket-granting ticket).
897 : : *
898 : : * Return value: Returns non-0 iff hw-authent flag is set in ticket.
899 : : **/
900 : : int
901 : 2 : shishi_tkt_hw_authent_p (Shishi_tkt * tkt)
902 : : {
903 : 2 : uint32_t flags = 0;
904 : :
905 : 2 : shishi_tkt_flags (tkt, &flags);
906 : :
907 : 2 : return flags & SHISHI_TICKETFLAGS_HW_AUTHENT;
908 : : }
909 : :
910 : : /**
911 : : * shishi_tkt_transited_policy_checked_p:
912 : : * @tkt: input variable with ticket info.
913 : : *
914 : : * Determine if ticket has been policy checked for transit.
915 : : *
916 : : * The application server is ultimately responsible for accepting or
917 : : * rejecting authentication and SHOULD check that only suitably
918 : : * trusted KDCs are relied upon to authenticate a principal. The
919 : : * transited field in the ticket identifies which realms (and thus
920 : : * which KDCs) were involved in the authentication process and an
921 : : * application server would normally check this field. If any of these
922 : : * are untrusted to authenticate the indicated client principal
923 : : * (probably determined by a realm-based policy), the authentication
924 : : * attempt MUST be rejected. The presence of trusted KDCs in this list
925 : : * does not provide any guarantee; an untrusted KDC may have
926 : : * fabricated the list.
927 : : *
928 : : * While the end server ultimately decides whether authentication is
929 : : * valid, the KDC for the end server's realm MAY apply a realm
930 : : * specific policy for validating the transited field and accepting
931 : : * credentials for cross-realm authentication. When the KDC applies
932 : : * such checks and accepts such cross-realm authentication it will set
933 : : * the TRANSITED-POLICY-CHECKED flag in the service tickets it issues
934 : : * based on the cross-realm TGT. A client MAY request that the KDCs
935 : : * not check the transited field by setting the
936 : : * DISABLE-TRANSITED-CHECK flag. KDCs are encouraged but not required
937 : : * to honor this flag.
938 : : *
939 : : * Application servers MUST either do the transited-realm checks
940 : : * themselves, or reject cross-realm tickets without TRANSITED-POLICY-
941 : : * CHECKED set.
942 : : *
943 : : * Return value: Returns non-0 iff transited-policy-checked flag is
944 : : * set in ticket.
945 : : **/
946 : : int
947 : 2 : shishi_tkt_transited_policy_checked_p (Shishi_tkt * tkt)
948 : : {
949 : 2 : uint32_t flags = 0;
950 : :
951 : 2 : shishi_tkt_flags (tkt, &flags);
952 : :
953 : 2 : return flags & SHISHI_TICKETFLAGS_TRANSITED_POLICY_CHECKED;
954 : : }
955 : :
956 : : /**
957 : : * shishi_tkt_ok_as_delegate_p:
958 : : * @tkt: input variable with ticket info.
959 : : *
960 : : * Determine if ticket is ok as delegated ticket.
961 : : *
962 : : * The copy of the ticket flags in the encrypted part of the KDC reply
963 : : * may have the OK-AS-DELEGATE flag set to indicates to the client
964 : : * that the server specified in the ticket has been determined by
965 : : * policy of the realm to be a suitable recipient of delegation. A
966 : : * client can use the presence of this flag to help it make a decision
967 : : * whether to delegate credentials (either grant a proxy or a
968 : : * forwarded ticket- granting ticket) to this server. It is
969 : : * acceptable to ignore the value of this flag. When setting this
970 : : * flag, an administrator should consider the security and placement
971 : : * of the server on which the service will run, as well as whether the
972 : : * service requires the use of delegated credentials.
973 : : *
974 : : * Return value: Returns non-0 iff ok-as-delegate flag is set in ticket.
975 : : **/
976 : : int
977 : 2 : shishi_tkt_ok_as_delegate_p (Shishi_tkt * tkt)
978 : : {
979 : 2 : uint32_t flags = 0;
980 : :
981 : 2 : shishi_tkt_flags (tkt, &flags);
982 : :
983 : 2 : return flags & SHISHI_TICKETFLAGS_OK_AS_DELEGATE;
984 : : }
985 : :
986 : : /**
987 : : * shishi_tkt_keytype:
988 : : * @tkt: input variable with ticket info.
989 : : * @etype: pointer to encryption type that is set, see Shishi_etype.
990 : : *
991 : : * Extract encryption type of key in ticket (really EncKDCRepPart).
992 : : *
993 : : * Return value: Returns SHISHI_OK iff successful.
994 : : **/
995 : : int
996 : 2 : shishi_tkt_keytype (Shishi_tkt * tkt, int32_t * etype)
997 : : {
998 : 2 : return shishi_asn1_read_int32 (tkt->handle, tkt->enckdcreppart,
999 : : "key.keytype", etype);
1000 : : }
1001 : :
1002 : : /**
1003 : : * shishi_tkt_keytype_fast:
1004 : : * @tkt: input variable with ticket info.
1005 : : *
1006 : : * Extract encryption type of key in ticket (really EncKDCRepPart).
1007 : : *
1008 : : * Return value: Returns encryption type of session key in ticket
1009 : : * (really EncKDCRepPart), or -1 on error.
1010 : : **/
1011 : : int32_t
1012 : 0 : shishi_tkt_keytype_fast (Shishi_tkt * tkt)
1013 : : {
1014 : 0 : int32_t etype = -1;
1015 : : int res;
1016 : :
1017 : 0 : res = shishi_asn1_read_int32 (tkt->handle, tkt->enckdcreppart,
1018 : : "key.keytype", &etype);
1019 [ # # ]: 0 : if (res != SHISHI_OK)
1020 : 0 : return -1;
1021 : :
1022 : 0 : return etype;
1023 : : }
1024 : :
1025 : : /**
1026 : : * shishi_tkt_keytype_p:
1027 : : * @tkt: input variable with ticket info.
1028 : : * @etype: encryption type, see Shishi_etype.
1029 : : *
1030 : : * Determine if key in ticket (really EncKDCRepPart) is of specified
1031 : : * key type (really encryption type).
1032 : : *
1033 : : * Return value: Returns non-0 iff key in ticket is of specified
1034 : : * encryption type.
1035 : : **/
1036 : : int
1037 : 0 : shishi_tkt_keytype_p (Shishi_tkt * tkt, int32_t etype)
1038 : : {
1039 : : int32_t tktetype;
1040 : : int rc;
1041 : :
1042 : 0 : rc = shishi_asn1_read_int32 (tkt->handle, tkt->enckdcreppart,
1043 : : "key.keytype", &tktetype);
1044 [ # # ]: 0 : if (rc != SHISHI_OK)
1045 : 0 : return 0;
1046 : :
1047 : 0 : return etype == tktetype;
1048 : : }
1049 : :
1050 : : int
1051 : 0 : shishi_tkt_lastreq (Shishi_tkt * tkt,
1052 : : char **lrtime, size_t * lrtimelen, int32_t lrtype)
1053 : : {
1054 : : char *format;
1055 : : int32_t tmplrtype;
1056 : : size_t i, n;
1057 : : int res;
1058 : :
1059 : 0 : res = shishi_asn1_number_of_elements (tkt->handle, tkt->enckdcreppart,
1060 : : "last-req", &n);
1061 [ # # ]: 0 : if (res != SHISHI_OK)
1062 : 0 : return res;
1063 : :
1064 [ # # ]: 0 : for (i = 1; i <= n; i++)
1065 : : {
1066 : 0 : asprintf (&format, "last-req.?%d.lr-type", i);
1067 : 0 : res = shishi_asn1_read_int32 (tkt->handle, tkt->enckdcreppart,
1068 : : format, &tmplrtype);
1069 : 0 : free (format);
1070 [ # # ]: 0 : if (res != SHISHI_OK)
1071 : 0 : return res;
1072 : :
1073 [ # # ]: 0 : if (lrtype == tmplrtype)
1074 : : {
1075 : 0 : asprintf (&format, "last-req.?%d.lr-value", i);
1076 : 0 : res = shishi_asn1_read (tkt->handle, tkt->enckdcreppart,
1077 : : format, lrtime, lrtimelen);
1078 : 0 : free (format);
1079 [ # # ]: 0 : if (res != SHISHI_OK)
1080 : 0 : return res;
1081 : :
1082 : 0 : return SHISHI_OK;
1083 : : }
1084 : : }
1085 : :
1086 : 0 : return !SHISHI_OK;
1087 : : }
1088 : :
1089 : : /**
1090 : : * shishi_tkt_lastreqc:
1091 : : * @tkt: input variable with ticket info.
1092 : : * @lrtype: lastreq type to extract, see Shishi_lrtype. E.g.,
1093 : : * SHISHI_LRTYPE_LAST_REQUEST.
1094 : : *
1095 : : * Extract C time corresponding to given lastreq type field in the
1096 : : * ticket.
1097 : : *
1098 : : * Return value: Returns C time interpretation of the specified
1099 : : * lastreq field, or (time_t) -1.
1100 : : **/
1101 : : time_t
1102 : 0 : shishi_tkt_lastreqc (Shishi_tkt * tkt, Shishi_lrtype lrtype)
1103 : : {
1104 : : char *lrtime;
1105 : : size_t lrtimelen;
1106 : 0 : time_t t = (time_t) - 1;
1107 : : int res;
1108 : :
1109 : 0 : res = shishi_tkt_lastreq (tkt, &lrtime, &lrtimelen, lrtype);
1110 [ # # ]: 0 : if (res != SHISHI_OK)
1111 : 0 : return t;
1112 : :
1113 [ # # ]: 0 : if (lrtimelen == SHISHI_GENERALIZEDTIME_LENGTH)
1114 : 0 : t = shishi_generalize_ctime (tkt->handle, lrtime);
1115 : :
1116 : 0 : free (lrtime);
1117 : :
1118 : 0 : return t;
1119 : : }
1120 : :
1121 : : int
1122 : 3 : shishi_tkt_authtime (Shishi_tkt * tkt, char **authtime, size_t * authtimelen)
1123 : : {
1124 : 3 : return shishi_asn1_read (tkt->handle, tkt->enckdcreppart, "authtime",
1125 : : authtime, authtimelen);
1126 : : }
1127 : :
1128 : : /**
1129 : : * shishi_tkt_authctime:
1130 : : * @tkt: input variable with ticket info.
1131 : : *
1132 : : * Extract C time corresponding to the authtime field. The field
1133 : : * holds the time when the original authentication took place that
1134 : : * later resulted in this ticket.
1135 : : *
1136 : : * Return value: Returns C time interpretation of the endtime in ticket.
1137 : : **/
1138 : : time_t
1139 : 3 : shishi_tkt_authctime (Shishi_tkt * tkt)
1140 : : {
1141 : : char *authtime;
1142 : : size_t authtimelen;
1143 : 3 : time_t t = (time_t) - 1;
1144 : : int res;
1145 : :
1146 : 3 : res = shishi_tkt_authtime (tkt, &authtime, &authtimelen);
1147 [ - + ]: 3 : if (res != SHISHI_OK)
1148 : 0 : return t;
1149 : :
1150 [ + - ]: 3 : if (authtimelen == SHISHI_GENERALIZEDTIME_LENGTH + 1) /* XXX why +1 ? */
1151 : 3 : t = shishi_generalize_ctime (tkt->handle, authtime);
1152 : :
1153 : 3 : free (authtime);
1154 : :
1155 : 3 : return t;
1156 : : }
1157 : :
1158 : : int
1159 : 4 : shishi_tkt_starttime (Shishi_tkt * tkt,
1160 : : char **starttime, size_t * starttimelen)
1161 : : {
1162 : 4 : return shishi_asn1_read_optional (tkt->handle, tkt->enckdcreppart,
1163 : : "starttime", starttime, starttimelen);
1164 : : }
1165 : :
1166 : : /**
1167 : : * shishi_tkt_startctime:
1168 : : * @tkt: input variable with ticket info.
1169 : : *
1170 : : * Extract C time corresponding to the starttime field. The field
1171 : : * holds the time where the ticket start to be valid (typically in the
1172 : : * past).
1173 : : *
1174 : : * Return value: Returns C time interpretation of the endtime in ticket.
1175 : : **/
1176 : : time_t
1177 : 4 : shishi_tkt_startctime (Shishi_tkt * tkt)
1178 : : {
1179 : : char *starttime;
1180 : : size_t starttimelen;
1181 : 4 : time_t t = (time_t) - 1;
1182 : : int res;
1183 : :
1184 : 4 : res = shishi_tkt_starttime (tkt, &starttime, &starttimelen);
1185 [ + - + + ]: 4 : if (res != SHISHI_OK || starttimelen == 0)
1186 : 1 : return t;
1187 : :
1188 [ + - ]: 3 : if (starttimelen == SHISHI_GENERALIZEDTIME_LENGTH + 1) /* XXX why +1 ? */
1189 : 3 : t = shishi_generalize_ctime (tkt->handle, starttime);
1190 : :
1191 : 3 : free (starttime);
1192 : :
1193 : 4 : return t;
1194 : : }
1195 : :
1196 : : int
1197 : 4 : shishi_tkt_endtime (Shishi_tkt * tkt, char **endtime, size_t * endtimelen)
1198 : : {
1199 : 4 : return shishi_asn1_read (tkt->handle, tkt->enckdcreppart, "endtime",
1200 : : endtime, endtimelen);
1201 : : }
1202 : :
1203 : : /**
1204 : : * shishi_tkt_endctime:
1205 : : * @tkt: input variable with ticket info.
1206 : : *
1207 : : * Extract C time corresponding to the endtime field. The field holds
1208 : : * the time where the ticket stop being valid.
1209 : : *
1210 : : * Return value: Returns C time interpretation of the endtime in ticket.
1211 : : **/
1212 : : time_t
1213 : 4 : shishi_tkt_endctime (Shishi_tkt * tkt)
1214 : : {
1215 : : char *endtime;
1216 : : size_t endtimelen;
1217 : 4 : time_t t = (time_t) - 1;
1218 : : int res;
1219 : :
1220 : 4 : res = shishi_tkt_endtime (tkt, &endtime, &endtimelen);
1221 [ - + ]: 4 : if (res != SHISHI_OK)
1222 : 0 : return t;
1223 : :
1224 [ + - ]: 4 : if (endtimelen == SHISHI_GENERALIZEDTIME_LENGTH + 1) /* XXX why +1 ? */
1225 : 4 : t = shishi_generalize_ctime (tkt->handle, endtime);
1226 : :
1227 : 4 : free (endtime);
1228 : :
1229 : 4 : return t;
1230 : : }
1231 : :
1232 : : int
1233 : 2 : shishi_tkt_renew_till (Shishi_tkt * tkt,
1234 : : char **renewtill, size_t * renewtilllen)
1235 : : {
1236 : 2 : return shishi_asn1_read_optional (tkt->handle, tkt->enckdcreppart,
1237 : : "renew-till", renewtill, renewtilllen);
1238 : : }
1239 : :
1240 : : /**
1241 : : * shishi_tkt_renew_tillc:
1242 : : * @tkt: input variable with ticket info.
1243 : : *
1244 : : * Extract C time corresponding to the renew-till field. The field
1245 : : * holds the time where the ticket stop being valid for renewal.
1246 : : *
1247 : : * Return value: Returns C time interpretation of the renew-till in ticket.
1248 : : **/
1249 : : time_t
1250 : 2 : shishi_tkt_renew_tillc (Shishi_tkt * tkt)
1251 : : {
1252 : : char *renewtill;
1253 : : size_t renewtilllen;
1254 : 2 : time_t t = (time_t) - 1;
1255 : : int res;
1256 : :
1257 : 2 : res = shishi_tkt_renew_till (tkt, &renewtill, &renewtilllen);
1258 [ + - + - ]: 2 : if (res != SHISHI_OK || renewtilllen == 0)
1259 : 2 : return t;
1260 : :
1261 [ # # ]: 0 : if (renewtilllen == SHISHI_GENERALIZEDTIME_LENGTH + 1) /* XXX why +1 ? */
1262 : 0 : t = shishi_generalize_ctime (tkt->handle, renewtill);
1263 : :
1264 : 0 : free (renewtill);
1265 : :
1266 : 2 : return t;
1267 : : }
1268 : :
1269 : : /**
1270 : : * shishi_tkt_valid_at_time_p:
1271 : : * @tkt: input variable with ticket info.
1272 : : * @now: time to check for.
1273 : : *
1274 : : * Determine if ticket is valid at a specific point in time.
1275 : : *
1276 : : * Return value: Returns non-0 iff ticket is valid (not expired and
1277 : : * after starttime) at specified time.
1278 : : **/
1279 : : int
1280 : 2 : shishi_tkt_valid_at_time_p (Shishi_tkt * tkt, time_t now)
1281 : : {
1282 : : time_t starttime, endtime;
1283 : :
1284 : 2 : starttime = shishi_tkt_startctime (tkt);
1285 [ + + ]: 2 : if (starttime == (time_t) - 1)
1286 : 1 : starttime = shishi_tkt_authctime (tkt);
1287 : 2 : endtime = shishi_tkt_endctime (tkt);
1288 : :
1289 [ + - - + ]: 2 : return starttime <= now && now <= endtime;
1290 : : }
1291 : :
1292 : : /**
1293 : : * shishi_tkt_valid_now_p:
1294 : : * @tkt: input variable with ticket info.
1295 : : *
1296 : : * Determine if ticket is valid now.
1297 : : *
1298 : : * Return value: Returns 0 iff ticket is invalid (expired or not yet
1299 : : * valid).
1300 : : **/
1301 : : int
1302 : 2 : shishi_tkt_valid_now_p (Shishi_tkt * tkt)
1303 : : {
1304 : 2 : return shishi_tkt_valid_at_time_p (tkt, time (NULL));
1305 : : }
1306 : :
1307 : : /**
1308 : : * shishi_tkt_expired_p:
1309 : : * @tkt: input variable with ticket info.
1310 : : *
1311 : : * Determine if ticket has expired (i.e., endtime is in the past).
1312 : : *
1313 : : * Return value: Returns 0 iff ticket has expired.
1314 : : **/
1315 : : int
1316 : 0 : shishi_tkt_expired_p (Shishi_tkt * tkt)
1317 : : {
1318 : 0 : time_t endtime = shishi_tkt_endctime (tkt);
1319 : 0 : time_t now = time (NULL);
1320 : :
1321 : 0 : return endtime < now;
1322 : : }
1323 : :
1324 : : /**
1325 : : * shishi_tkt_lastreq_pretty_print:
1326 : : * @tkt: input variable with ticket info.
1327 : : * @fh: file handle open for writing.
1328 : : *
1329 : : * Print a human readable representation of the various lastreq fields
1330 : : * in the ticket (really EncKDCRepPart).
1331 : : **/
1332 : : void
1333 : 0 : shishi_tkt_lastreq_pretty_print (Shishi_tkt * tkt, FILE * fh)
1334 : : {
1335 : : time_t t;
1336 : :
1337 : 0 : t = shishi_tkt_lastreqc (tkt, SHISHI_LRTYPE_LAST_INITIAL_TGT_REQUEST);
1338 [ # # ]: 0 : if (t != (time_t) - 1)
1339 : 0 : fprintf (fh, _("Time of last initial request for a TGT:\t%s"),
1340 : : ctime (&t));
1341 : :
1342 : 0 : t = shishi_tkt_lastreqc (tkt, SHISHI_LRTYPE_LAST_INITIAL_REQUEST);
1343 [ # # ]: 0 : if (t != (time_t) - 1)
1344 : 0 : fprintf (fh, "Time of last initial request:\t%s", ctime (&t));
1345 : :
1346 : 0 : t = shishi_tkt_lastreqc (tkt, SHISHI_LRTYPE_NEWEST_TGT_ISSUE);
1347 [ # # ]: 0 : if (t != (time_t) - 1)
1348 : 0 : fprintf (fh,
1349 : : "Time of issue for the newest ticket-granting ticket used:\t%s",
1350 : : ctime (&t));
1351 : :
1352 : 0 : t = shishi_tkt_lastreqc (tkt, SHISHI_LRTYPE_LAST_RENEWAL);
1353 [ # # ]: 0 : if (t != (time_t) - 1)
1354 : 0 : fprintf (fh, "Time of the last renewal:\t%s", ctime (&t));
1355 : :
1356 : 0 : t = shishi_tkt_lastreqc (tkt, SHISHI_LRTYPE_LAST_REQUEST);
1357 [ # # ]: 0 : if (t != (time_t) - 1)
1358 : 0 : fprintf (fh, "Time of last request:\t%s", ctime (&t));
1359 : 0 : }
1360 : :
1361 : : /**
1362 : : * shishi_tkt_pretty_print:
1363 : : * @tkt: input variable with ticket info.
1364 : : * @fh: file handle open for writing.
1365 : : *
1366 : : * Print a human readable representation of a ticket to file handle.
1367 : : **/
1368 : : void
1369 : 2 : shishi_tkt_pretty_print (Shishi_tkt * tkt, FILE * fh)
1370 : : {
1371 : : char *buf;
1372 : : char *p;
1373 : : size_t buflen;
1374 : : int keytype, etype;
1375 : : uint32_t flags;
1376 : : int res;
1377 : : time_t t;
1378 : 2 : time_t now = time (NULL);
1379 : :
1380 : 2 : res = shishi_tkt_clientrealm (tkt, &buf, &buflen);
1381 [ + - ]: 2 : if (res == SHISHI_OK)
1382 : : {
1383 : 2 : fprintf (fh, "%s:\n", buf);
1384 : 2 : free (buf);
1385 : : }
1386 : : else
1387 : 0 : fprintf (fh, "<unknown>:\n");
1388 : :
1389 : 2 : t = shishi_tkt_authctime (tkt);
1390 : 2 : fprintf (fh, _("Authtime:\t%s"), ctime (&t));
1391 : :
1392 : 2 : t = shishi_tkt_startctime (tkt);
1393 [ + - ]: 2 : if (t != (time_t) - 1)
1394 : : {
1395 : 2 : p = ctime (&t);
1396 : 2 : p[strlen (p) - 1] = '\0';
1397 : 2 : fprintf (fh, _("Starttime:\t%s"), p);
1398 [ - + ]: 2 : if (t > now)
1399 : 0 : fprintf (fh, " NOT YET VALID");
1400 : 2 : fprintf (fh, "\n");
1401 : : }
1402 : :
1403 : 2 : t = shishi_tkt_endctime (tkt);
1404 [ + - ]: 2 : if (t != (time_t) - 1)
1405 : : {
1406 : 2 : p = ctime (&t);
1407 : 2 : p[strlen (p) - 1] = '\0';
1408 : 2 : fprintf (fh, _("Endtime:\t%s"), p);
1409 [ + - ]: 2 : if (t < now)
1410 : 2 : fprintf (fh, " EXPIRED");
1411 : 2 : fprintf (fh, "\n");
1412 : : }
1413 : :
1414 : 2 : t = shishi_tkt_renew_tillc (tkt);
1415 [ - + ]: 2 : if (t != (time_t) - 1)
1416 : 0 : fprintf (fh, _("Renewable till:\t%s"), ctime (&t));
1417 : :
1418 : 2 : res = shishi_tkt_server (tkt, &buf, NULL);
1419 [ + - ]: 2 : if (res == SHISHI_OK)
1420 : : {
1421 : 2 : res = shishi_ticket_get_enc_part_etype (tkt->handle, tkt->ticket,
1422 : : &keytype);
1423 [ + - ]: 2 : if (res == SHISHI_OK)
1424 : 2 : fprintf (fh, _("Server:\t\t%s key %s (%d)\n"), buf,
1425 : : shishi_cipher_name (keytype), keytype);
1426 : 2 : free (buf);
1427 : : }
1428 : :
1429 : 2 : res = shishi_tkt_keytype (tkt, &keytype);
1430 [ + - ]: 2 : if (res == SHISHI_OK)
1431 : 2 : res = shishi_kdcrep_get_enc_part_etype (tkt->handle, tkt->kdcrep, &etype);
1432 [ + - ]: 2 : if (res == SHISHI_OK)
1433 : 2 : fprintf (fh, _("Ticket key:\t%s (%d) protected by %s (%d)\n"),
1434 : : shishi_cipher_name (keytype), keytype,
1435 : : shishi_cipher_name (etype), etype);
1436 : :
1437 : 2 : res = shishi_tkt_flags (tkt, &flags);
1438 [ + - + - ]: 2 : if (res == SHISHI_OK && flags)
1439 : : {
1440 : 2 : fprintf (fh, _("Ticket flags:\t"));
1441 [ - + ]: 2 : if (shishi_tkt_forwardable_p (tkt))
1442 : 0 : fprintf (fh, "FORWARDABLE ");
1443 [ - + ]: 2 : if (shishi_tkt_forwarded_p (tkt))
1444 : 0 : fprintf (fh, "FORWARDED ");
1445 [ - + ]: 2 : if (shishi_tkt_proxiable_p (tkt))
1446 : 0 : fprintf (fh, "PROXIABLE ");
1447 [ + - ]: 2 : if (shishi_tkt_proxy_p (tkt))
1448 : 2 : fprintf (fh, "PROXY ");
1449 [ - + ]: 2 : if (shishi_tkt_may_postdate_p (tkt))
1450 : 0 : fprintf (fh, "MAYPOSTDATE ");
1451 [ + - ]: 2 : if (shishi_tkt_postdated_p (tkt))
1452 : 2 : fprintf (fh, "POSTDATED ");
1453 [ - + ]: 2 : if (shishi_tkt_invalid_p (tkt))
1454 : 0 : fprintf (fh, "INVALID ");
1455 [ - + ]: 2 : if (shishi_tkt_renewable_p (tkt))
1456 : 0 : fprintf (fh, "RENEWABLE ");
1457 [ - + ]: 2 : if (shishi_tkt_initial_p (tkt))
1458 : 0 : fprintf (fh, "INITIAL ");
1459 [ - + ]: 2 : if (shishi_tkt_pre_authent_p (tkt))
1460 : 0 : fprintf (fh, "PREAUTHENT ");
1461 [ + + ]: 2 : if (shishi_tkt_hw_authent_p (tkt))
1462 : 1 : fprintf (fh, "HWAUTHENT ");
1463 [ - + ]: 2 : if (shishi_tkt_transited_policy_checked_p (tkt))
1464 : 0 : fprintf (fh, "TRANSITEDPOLICYCHECKED ");
1465 [ + - ]: 2 : if (shishi_tkt_ok_as_delegate_p (tkt))
1466 : 2 : fprintf (fh, "OKASDELEGATE ");
1467 : 2 : fprintf (fh, "(%d)\n", flags);
1468 : : }
1469 : 2 : }
1470 : :
1471 : : int
1472 : 0 : shishi_tkt_decrypt (Shishi_tkt * tkt, Shishi_key * key)
1473 : : {
1474 : : int rc;
1475 : : Shishi_asn1 encticketpart;
1476 : :
1477 : 0 : rc = shishi_ticket_decrypt (tkt->handle, tkt->ticket, key, &encticketpart);
1478 [ # # ]: 0 : if (rc != SHISHI_OK)
1479 : 0 : return rc;
1480 : :
1481 : 0 : tkt->encticketpart = encticketpart;
1482 : :
1483 : 0 : return SHISHI_OK;
1484 : : }
|
