Top |
enum | Shishi_rc |
enum | Shishi_name_type |
enum | Shishi_padata_type |
enum | Shishi_tr_type |
enum | Shishi_apoptions |
enum | Shishi_ticketflags |
enum | Shishi_KDCOptions |
enum | Shishi_msgtype |
enum | Shishi_lrtype |
enum | Shishi_etype |
enum | Shishi_cksumtype |
enum | Shishi_filetype |
enum | Shishi_outputtype |
enum | Shishi_authorization |
enum | Shishi_keyusage |
enum | Shishi_krb_error |
enum | Shishi_tkts_hintflags |
struct | Shishi_tkts_hint |
struct | Shishi_dns_st |
struct | Shishi_dns_srv_st |
#define | SHISHI_DNS_IN |
#define | SHISHI_DNS_TXT |
#define | SHISHI_DNS_SRV |
typedef | Shishi_dns |
typedef | Shishi_dns_srv |
typedef | Shishi |
typedef | Shishi_tkt |
typedef | Shishi_tkts |
typedef | Shishi_as |
typedef | Shishi_tgs |
typedef | Shishi_ap |
typedef | Shishi_key |
typedef | Shishi_keys |
typedef | Shishi_safe |
typedef | Shishi_priv |
typedef | Shishi_asn1 |
typedef | Shishi_crypto |
#define | SHISHI_GENERALIZEDTIME_LENGTH |
#define | SHISHI_GENERALIZEDTIMEZ_LENGTH |
Shishi *
shishi (void
);
Initializes the Shishi library, and primes logging so that future
warnings and informational messages are printed on stderr
.
If this function fails, it may send its own diagnostic errors
to stderr
.
Shishi *
shishi_server (void
);
Initializes the Shishi library, and primes logging so that future warnings and informational messages are sent to the syslog system. If this function fails, it may print diagnostic errors in the syslog.
void
shishi_done (Shishi *handle
);
Deallocates the Shishi library handle. The handle must not be used
in any call to a shishi function after an execution of shishi_done()
.
If there is a default tkts, it is written to the default tkts file.
If you do not wish to write the default tkts file, close the
default file before calling this function. It is closed with a
simple shishi_tkts_done(handle
, NULL
). For related information,
see shishi_tkts_default_file_set()
.
int
shishi_init (Shishi **handle
);
Creates a Shishi library handle, using shishi()
, and reads the system
configuration file, user configuration file and user tickets from
their default locations. The paths to the system configuration
file is decided at compile time, and is $sysconfdir/shishi.conf.
The user configuration file is $HOME/.shishi/config, and the user
ticket file is $HOME/.shishi/ticket.
The handle is allocated regardless of return value. The single
exception being SHISHI_HANDLE_ERROR
, which indicates a problem
in allocating the handle. Other error conditions could arise
while reading files.
int shishi_init_with_paths (Shishi **handle
,const char *tktsfile
,const char *systemcfgfile
,const char *usercfgfile
);
Creates a Shishi library handle, using shishi()
, and reads the system
configuration file, user configuration file, and user tickets at
the specified locations. If any of usercfgfile
or systemcfgfile
is NULL
, the file is read from its default location, which for
the system configuration is decided at compile time, and is
$sysconfdir/shishi.conf, and for the user configuration it is
$HOME/.shishi/config. If the ticket file name is NULL
, a ticket
file is not read at all.
The handle is allocated regardless of return value. The single
exception being SHISHI_HANDLE_ERROR
, which indicates a problem
in allocating the handle. Other error conditions could arise
while reading files.
int
shishi_init_server (Shishi **handle
);
Creates a Shishi library handle, using shishi_server()
, and reads
the system configuration file. The path to the system configuration
file is decided at compile time, and is $sysconfdir/shishi.conf.
The handle is allocated regardless of return value. The single
exception being SHISHI_HANDLE_ERROR
, which indicates a problem
in allocating the handle. Other error conditions could arise
while reading the file.
int shishi_init_server_with_paths (Shishi **handle
,const char *systemcfgfile
);
Creates a Shishi library handle, using shishi_server()
, and reads
the system configuration file from the specified location. The path
to the system configuration file is decided at compile time, and is
$sysconfdir/shishi.conf.
The handle is allocated regardless of return value. The single
exception being SHISHI_HANDLE_ERROR
, which indicates a problem
in allocating the handle. Other error conditions could arise
while reading the file.
int shishi_cfg (Shishi *handle
,const char *option
);
Configures the shishi library according to the options
given in option
.
handle |
Shishi library handle created by |
|
option |
String containing shishi library options. |
int shishi_cfg_from_file (Shishi *handle
,const char *cfg
);
Configures the shishi library using a configuration file
located at cfg
.
int shishi_cfg_print (Shishi *handle
,FILE *fh
);
Prints library configuration status to fh
. This function is
mostly intended for debugging purposes.
handle |
Shishi library handle created by |
|
fh |
File stream handle opened for writing. |
const char *
shishi_cfg_default_systemfile (Shishi *handle
);
The system configuration file name is decided at compile time, but is replaced by assigning another file name to the environment variable $SHISHI_CONFIG. This call offers a single interface for determining the file name, to which the library turns for its settings.
const char *
shishi_cfg_default_userdirectory (Shishi *handle
);
The default user directory, referred to for Shishi ticket cache and other purposes, is normally computed by appending the fixed string "/.shishi" to the content of the environment variable $HOME.
This hard coded directory, i.e., "$HOME/.shishi/", can be replaced by whatever complete path is stored in the environment variable $SHISHI_HOME.
const char *
shishi_cfg_default_userfile (Shishi *handle
);
Reports the absolute filename of the default user configuration file. This is typically "$HOME/.shishi/shishi.conf".
The value of $SHISHI_HOME will change the directory part,
as stated regarding shishi_cfg_default_userdirectory()
.
char * shishi_cfg_userdirectory_file (Shishi *handle
,const char *file
);
Reports the full path to the file where the Shishi library
expects to find the user's library configuration, given that
the file itself is named by the parameter file
.
The answer is composed from the value of file
and the directory
returned by shishi_cfg_default_userdirectory()
. Typically, the
returned string would be expanded from "$HOME/.shishi/file
".
handle |
Shishi library handle created by |
|
file |
Basename of file to use for the user's configuration settings of the library. |
int shishi_cfg_clientkdcetype (Shishi *handle
,int32_t **etypes
);
Sets the variable etypes
to a static array of preferred encryption
types applicable to clients.
handle |
Shishi library handle created by |
|
etypes |
Pointer to an array of encryption types. |
int32_t
shishi_cfg_clientkdcetype_fast (Shishi *handle
);
Extracts the default encryption type from the list of preferred encryption types acceptable to the client.
When the preferred list is empty, SHISHI_AES256_CTS_HMAC_SHA1_96
is returned as a sensible default type.
int shishi_cfg_clientkdcetype_set (Shishi *handle
,char *value
);
Sets the configuration option "client-kdc-etypes" from value
.
The string contains encryption types, integers or names,
separated by comma or by whitespace. An example naming three
encryption types could be:
aes256-cts-hmac-sha1-96 des3-cbc-sha1-kd des-cbc-md5
handle |
Shishi library handle created by |
|
value |
String naming acceptable encryption types. |
int shishi_cfg_authorizationtype_set (Shishi *handle
,char *value
);
Sets the configuration option "authorization-types" from value
.
The string contains authorization types, integers or names,
separated by comma or whitespace.
As an example, "k5login basic" would first check Kerberos5 authentication based on preset principals, and then fall back to the basic test of identical principal names.
handle |
Shishi library handle created by |
|
value |
String listing acceptable authorization types. |
const char *
shishi_strerror (int err
);
Converts the return code in err
to a human readable string.
const char *
shishi_error (Shishi *handle
);
Extracts detailed information on the most recently occurred error condition. Note that memory is managed by the Shishi library, so the returned string must not be deallocated.
void
shishi_error_clear (Shishi *handle
);
Clears the internal error description. See shishi_error()
on how to access the error string, and shishi_error_set()
as well
as shishi_error_printf()
on how to set the error string.
This function is mostly for Shishi's internal use, but if you develop an extension of Shishi, it may be useful to support the same error handling infrastructure.
void shishi_error_set (Shishi *handle
,const char *errstr
);
Sets the error description to the content of errstr
. The
string is copied into the Shishi internal structure, so you can
deallocate any string passed to this function.
This function is mostly for Shishi's internal use, but if you develop an extension of Shishi, it may be useful to support the same error handling infrastructure.
handle |
shishi handle as allocated by |
|
errstr |
A null-terminated character string holding a description,
or |
void shishi_error_printf (Shishi *handle
,const char *format
,...
);
Sets the internal error description to a printf(3) formatted string. This function is mostly for Shishi's internal use, but if you develop an extension of Shishi, it may be useful to support the same infrastructure for error handling.
handle |
shishi handle as allocated by |
|
format |
printf style format string. |
|
... |
printf style arguments. |
int
shishi_error_outputtype (Shishi *handle
);
Reports the current output type used in message logging.
Returns the output type. SHISHI_OUTPUTTYPE_NULL
means no output. SHISHI_OUTPUTTYPE_STDERR
and
SHISHI_OUTPUTTYPE_SYSLOG
direct text to the console, or to the
syslog system.
void shishi_error_set_outputtype (Shishi *handle
,int type
);
Sets the output type (NULL
, stderr
or syslog
) used for information
and warning messages. Intended values are SHISHI_OUTPUTTYPE_NULL
,
for no output at all, SHISHI_OUTPUTTYPE_STDERR
for output to the
console, and SHISHI_OUTPUTTYPE_SYSLOG
for syslog messaging.
The first value covers everything different from the latter two values.
handle |
shishi handle as allocated by |
|
type |
output type, of enum type Shishi_outputtype. |
void shishi_info (Shishi *handle
,const char *format
,...
);
Prints an informational message, composed from the arguments,
to the output stream set in handle
.
handle |
shishi handle as allocated by |
|
format |
printf style format string. |
|
... |
printf style arguments. |
void shishi_warn (Shishi *handle
,const char *format
,...
);
Prints a warning, composed from the arguments, to the output
stream set in handle
.
handle |
shishi handle as allocated by |
|
format |
printf style format string. |
|
... |
printf style arguments. |
void shishi_verbose (Shishi *handle
,const char *format
,...
);
Prints a diagnostic message, composed from the arguments,
to the output stream set in handle
. The current verbosity
setting determines whether the message is actually printed,
or is suppressed due to low significance.
handle |
shishi handle as allocated by |
|
format |
printf style format string. |
|
... |
printf style arguments. |
char *
shishi_realm_default_guess (void
);
Guesses a realm based on getdomainname()
, which really responds
with a NIS/YP domain, but if set properly, it might be a good
first guess. If this NIS query fails, call gethostname()
,
and on its failure, fall back to returning the artificial
string "could-not-guess-default-realm".
Note that the hostname is not trimmed off of the string returned
by gethostname()
, thus pretending the local host name is a valid
realm name. The resulting corner case could merit a check that
the suggested realm is distinct from the fully qualifies host,
and if not, simply strip the host name from the returned string
before it is used in an application. One reason for sticking
with the present behaviour, is that some systems respond with
a non-qualified host name as reply from gethostname()
.
const char *
shishi_realm_default (Shishi *handle
);
Determines name of default realm, i.e., the name of whatever realm the library will use whenever an explicit realm is not stated during a library call.
void shishi_realm_default_set (Shishi *handle
,const char *realm
);
Sets the default realm used by the library; or, with realm
set to NULL
, resets the library realm setting to that name
selected by configuration for default value.
The string is copied into the library, so you can dispose of
the content in realm
immediately after calling this function.
handle |
Shishi library handle created by |
|
realm |
String stating a new default realm name, or |
char * shishi_realm_for_server_file (Shishi *handle
,char *server
);
Finds the realm applicable to a host server
, using the
standard configuration file.
handle |
Shishi library handle created by |
|
server |
Hostname to determine realm for. |
char * shishi_realm_for_server_dns (Shishi *handle
,char *server
);
Finds the realm for a host server
using DNS lookup, as is
prescribed in "draft-ietf-krb-wg-krb-dns-locate-03.txt".
Since DNS lookup can be spoofed, relying on the realm information may result in a redirection attack. In a single-realm scenario, this only achieves a denial of service, but with trust across multiple realms the attack may redirect you to a compromised realm. For this reason, Shishi prints a warning, suggesting that the user should instead add a proper 'server-realm' configuration token.
To illustrate the DNS information used, here is an extract from a zone file for the domain ASDF.COM:
_kerberos.asdf.com. IN TXT "ASDF.COM" _kerberos.mrkserver.asdf.com. IN TXT "MARKETING.ASDF.COM" _kerberos.salesserver.asdf.com. IN TXT "SALES.ASDF.COM"
Let us suppose that in this case, a client wishes to use a service on the host "foo.asdf.com". It would first query for
_kerberos.foo.asdf.com. IN TXT
Finding no match, it would then query for
_kerberos.asdf.com. IN TXT
With the resource records stated above, the latter query returns a positive answer.
handle |
Shishi library handle created by |
|
server |
Hostname to find realm for. |
char * shishi_realm_for_server (Shishi *handle
,char *server
);
Finds a realm for the host server
, using various methods.
Currently this includes static configuration files, using
the library call shishi_realm_for_server_file()
, and DNS
lookup using shishi_realm_for_server_dns()
. They are
attempted in the stated order. See the documentation of
either function for more information.
handle |
Shishi library handle created by |
|
server |
Hostname to find realm for. |
char *
shishi_principal_default_guess (void
);
Guesses the principal name for the user, looking at environment variables SHISHI_USER, USER and LOGNAME, or if that fails, returns the string "user".
const char *
shishi_principal_default (Shishi *handle
);
The default principal name is the name in the environment variable USER, or LOGNAME for some systems, but it can be overridden by specifying the environment variable SHISHI_USER.
void shishi_principal_default_set (Shishi *handle
,const char *principal
);
Set the default principal used by the library. The string is copied into the library, so you can dispose of the variable immediately after calling this function.
handle |
Shishi library handle created by |
|
principal |
string with new default principal name, or NULL to reset to default. |
int shishi_principal_name (Shishi *handle
,Shishi_asn1 namenode
,const char *namefield
,char **out
,size_t *outlen
);
Represent principal name in ASN.1 structure as null-terminated
string. The string is allocated by this function, and it is the
responsibility of the caller to deallocate it. Note that the
output length outlen
does not include the terminating null.
handle |
Shishi library handle created by |
|
namenode |
ASN.1 structure with principal in |
|
namefield |
name of field in |
|
out |
pointer to newly allocated, null terminated, string containing
principal name. May be |
|
outlen |
pointer to length of |
int shishi_principal_name_realm (Shishi *handle
,Shishi_asn1 namenode
,const char *namefield
,Shishi_asn1 realmnode
,const char *realmfield
,char **out
,size_t *outlen
);
Represent principal name and realm in ASN.1 structure as
null-terminated string. The string is allocated by this function.
It is the responsibility of the caller to deallocate it. Note
that the output length outlen
does not include the terminating
null character.
handle |
Shishi library handle created by |
|
namenode |
ASN.1 structure with principal name in |
|
namefield |
name of field in |
|
realmnode |
ASN.1 structure with principal realm in |
|
realmfield |
name of field in |
|
out |
pointer to newly allocated null terminated string containing
principal name. May be |
|
outlen |
pointer to length of |
int shishi_principal_name_set (Shishi *handle
,Shishi_asn1 namenode
,const char *namefield
,Shishi_name_type name_type
,const char *name[]
);
Set the given principal name field to the given name.
handle |
shishi handle as allocated by |
|
namenode |
ASN.1 structure with principal in |
|
namefield |
name of field in |
|
name_type |
type of principal, see Shishi_name_type, usually SHISHI_NT_UNKNOWN. |
|
name |
null-terminated input array with principal name. |
int shishi_principal_set (Shishi *handle
,Shishi_asn1 namenode
,const char *namefield
,const char *name
);
Set principal name field in an ASN.1 structure to the given name.
handle |
shishi handle as allocated by |
|
namenode |
ASN.1 structure with principal in |
|
namefield |
name of field in |
|
name |
null-terminated string with principal name in RFC 1964 form. |
int shishi_parse_name (Shishi *handle
,const char *name
,char **principal
,char **realm
);
Split principal name (e.g., "simon@JOSEFSSON.ORG") into two
newly allocated strings, the principal
("simon"), and the realm
("JOSEFSSON.ORG"). If there is no realm part in name
, realm
is set
to NULL.
handle |
Shishi library handle created by |
|
name |
input principal name string, e.g. imap/mail.gnu.org@GNU.ORG. |
|
principal |
newly allocated output string with principal name. |
|
realm |
newly allocated output string with realm name. |
int shishi_derive_default_salt (Shishi *handle
,const char *name
,char **salt
);
Derive the default salt from a principal. The default salt is the concatenation of the decoded realm and the principal.
handle |
shishi handle as allocated by |
|
name |
principal name of user. |
|
salt |
output variable with newly allocated salt string. |
char * shishi_server_for_local_service (Shishi *handle
,const char *service
);
Construct a service principal (e.g., "imap/yxa.extuno.com") based
on supplied service name (i.e., "imap") and the system's hostname as
returned by hostname()
(i.e., "yxa.extundo.com"). The string must
be deallocated by the caller.
handle |
shishi handle as allocated by |
|
service |
null terminated string with name of service, e.g., "host". |
Shishi_asn1
shishi_ticket (Shishi *handle
);
This function creates a new ASN.1 Ticket, populated with some default values.
int shishi_ticket_server (Shishi *handle
,Shishi_asn1 ticket
,char **server
,size_t *serverlen
);
Represent server principal name in Ticket as zero-terminated
string. The string is allocate by this function, and it is the
responsibility of the caller to deallocate it. Note that the
output length serverlen
does not include the terminating zero.
handle |
Shishi library handle create by |
|
ticket |
ASN.1 Ticket variable to get server name from. |
|
server |
pointer to newly allocated zero terminated string containing
principal name. May be |
|
serverlen |
pointer to length of |
int shishi_ticket_sname_set (Shishi *handle
,Shishi_asn1 ticket
,Shishi_name_type name_type
,char *sname[]
);
Set the server name field in the Ticket.
handle |
shishi handle as allocated by |
|
ticket |
Ticket variable to set server name field in. |
|
name_type |
type of principial, see Shishi_name_type, usually SHISHI_NT_UNKNOWN. |
|
sname |
input array with principal name. |
int shishi_ticket_srealmserver_set (Shishi *handle
,Shishi_asn1 ticket
,const char *realm
,const char *server
);
int shishi_ticket_set_server (Shishi *handle
,Shishi_asn1 ticket
,const char *server
);
int shishi_ticket_realm_get (Shishi *handle
,Shishi_asn1 ticket
,char **realm
,size_t *realmlen
);
Extract realm from ticket.
handle |
shishi handle as allocated by |
|
ticket |
input variable with ticket info. |
|
realm |
output array with newly allocated name of realm in ticket. |
|
realmlen |
size of output array. |
int shishi_ticket_realm_set (Shishi *handle
,Shishi_asn1 ticket
,const char *realm
);
Set the realm field in the Ticket.
handle |
shishi handle as allocated by |
|
ticket |
input variable with ticket info. |
|
realm |
input array with name of realm. |
int shishi_ticket_get_enc_part_etype (Shishi *handle
,Shishi_asn1 ticket
,int32_t *etype
);
Extract Ticket.enc-part.etype.
handle |
shishi handle as allocated by |
|
ticket |
Ticket variable to get value from. |
|
etype |
output variable that holds the value. |
int shishi_ticket_set_enc_part (Shishi *handle
,Shishi_asn1 ticket
,int32_t etype
,uint32_t kvno
,const char *buf
,size_t buflen
);
Set the encrypted enc-part field in the Ticket. The encrypted data
is usually created by calling shishi_encrypt()
on the DER encoded
enc-part. To save time, you may want to use
shishi_ticket_add_enc_part()
instead, which calculates the
encrypted data and calls this function in one step.
handle |
shishi handle as allocated by |
|
ticket |
Ticket to add enc-part field to. |
|
etype |
encryption type used to encrypt enc-part. |
|
kvno |
key version number. |
|
buf |
input array with encrypted enc-part. |
|
buflen |
size of input array with encrypted enc-part. |
int shishi_ticket_add_enc_part (Shishi *handle
,Shishi_asn1 ticket
,Shishi_key *key
,Shishi_asn1 encticketpart
);
Encrypts DER encoded EncTicketPart using key and stores it in the Ticket.
handle |
shishi handle as allocated by |
|
ticket |
Ticket to add enc-part field to. |
|
key |
key used to encrypt enc-part. |
|
encticketpart |
EncTicketPart to add. |
int shishi_ticket_decrypt (Shishi *handle
,Shishi_asn1 ticket
,Shishi_key *key
,Shishi_asn1 *encticketpart
);
Shishi_asn1
shishi_tkt_ticket (Shishi_tkt *tkt
);
Get ASN.1 Ticket structure from ticket.
void shishi_tkt_ticket_set (Shishi_tkt *tkt
,Shishi_asn1 ticket
);
Set the ASN.1 Ticket in the Ticket.
Shishi_asn1
shishi_tkt_kdcrep (Shishi_tkt *tkt
);
Get ASN.1 KDCRep structure from ticket.
Shishi_asn1
shishi_tkt_enckdcreppart (Shishi_tkt *tkt
);
Get ASN.1 EncKDCRepPart structure from ticket.
void shishi_tkt_enckdcreppart_set (Shishi_tkt *tkt
,Shishi_asn1 enckdcreppart
);
Set the EncKDCRepPart in the Ticket.
Shishi_asn1
shishi_tkt_encticketpart (Shishi_tkt *tkt
);
Get ASN.1 EncTicketPart structure from ticket.
void shishi_tkt_encticketpart_set (Shishi_tkt *tkt
,Shishi_asn1 encticketpart
);
Set the EncTicketPart in the Ticket.
Shishi_key *
shishi_tkt_key (Shishi_tkt *tkt
);
Get key used in ticket, by looking first in EncKDCRepPart and then in EncTicketPart. If key is already populated, it is not extracted again.
int shishi_tkt_key_set (Shishi_tkt *tkt
,Shishi_key *key
);
Set the key in the EncTicketPart.
int shishi_tkt (Shishi *handle
,Shishi_tkt **tkt
);
Create a new ticket handle.
handle |
shishi handle as allocated by |
|
tkt |
output variable with newly allocated ticket. |
Shishi_tkt * shishi_tkt2 (Shishi *handle
,Shishi_asn1 ticket
,Shishi_asn1 enckdcreppart
,Shishi_asn1 kdcrep
);
Create a new ticket handle.
handle |
shishi handle as allocated by |
|
ticket |
input variable with ticket. |
|
enckdcreppart |
input variable with auxiliary ticket information. |
|
kdcrep |
input variable with KDC-REP ticket information. |
void shishi_tkt_pretty_print (Shishi_tkt *tkt
,FILE *fh
);
Print a human readable representation of a ticket to file handle.
int shishi_tkt_realm (Shishi_tkt *tkt
,char **realm
,size_t *realmlen
);
Extract realm of server in ticket.
int shishi_tkt_client (Shishi_tkt *tkt
,char **client
,size_t *clientlen
);
Represent client principal name in Ticket KDC-REP as
zero-terminated string. The string is allocate by this function,
and it is the responsibility of the caller to deallocate it. Note
that the output length clientlen
does not include the terminating
zero.
int shishi_tkt_client_p (Shishi_tkt *tkt
,const char *client
);
Determine if ticket is for specified client.
int shishi_tkt_clientrealm (Shishi_tkt *tkt
,char **client
,size_t *clientlen
);
Convert cname and realm fields from AS-REQ to printable principal
name format. The string is allocate by this function, and it is
the responsibility of the caller to deallocate it. Note that the
output length clientlen
does not include the terminating zero.
tkt |
input variable with ticket info. |
|
client |
pointer to newly allocated zero terminated string containing
principal name and realm. May be |
|
clientlen |
pointer to length of |
int shishi_tkt_clientrealm_p (Shishi_tkt *tkt
,const char *client
);
Determine if ticket is for specified client principal.
int shishi_tkt_clientrealm_set (Shishi_tkt *tkt
,const char *realm
,const char *client
);
int shishi_tkt_serverrealm_set (Shishi_tkt *tkt
,const char *realm
,const char *server
);
int shishi_tkt_lastreq (Shishi_tkt *tkt
,char **lrtime
,size_t *lrtimelen
,int32_t lrtype
);
time_t shishi_tkt_lastreqc (Shishi_tkt *tkt
,Shishi_lrtype lrtype
);
Extract C time corresponding to given lastreq type field in the ticket.
void shishi_tkt_lastreq_pretty_print (Shishi_tkt *tkt
,FILE *fh
);
Print a human readable representation of the various lastreq fields in the ticket (really EncKDCRepPart).
int shishi_tkt_authtime (Shishi_tkt *tkt
,char **authtime
,size_t *authtimelen
);
time_t
shishi_tkt_authctime (Shishi_tkt *tkt
);
Extract C time corresponding to the authtime field. The field holds the time when the original authentication took place that later resulted in this ticket.
int shishi_tkt_starttime (Shishi_tkt *tkt
,char **starttime
,size_t *starttimelen
);
time_t
shishi_tkt_startctime (Shishi_tkt *tkt
);
Extract C time corresponding to the starttime field. The field holds the time where the ticket start to be valid (typically in the past).
time_t
shishi_tkt_endctime (Shishi_tkt *tkt
);
Extract C time corresponding to the endtime field. The field holds the time where the ticket stop being valid.
int shishi_tkt_renew_till (Shishi_tkt *tkt
,char **renewtilltime
,size_t *renewtilllen
);
time_t
shishi_tkt_renew_tillc (Shishi_tkt *tkt
);
Extract C time corresponding to the renew-till field. The field holds the time where the ticket stop being valid for renewal.
int shishi_tkt_keytype (Shishi_tkt *tkt
,int32_t *etype
);
Extract encryption type of key in ticket (really EncKDCRepPart).
int32_t
shishi_tkt_keytype_fast (Shishi_tkt *tkt
);
Extract encryption type of key in ticket (really EncKDCRepPart).
int shishi_tkt_keytype_p (Shishi_tkt *tkt
,int32_t etype
);
Determine if key in ticket (really EncKDCRepPart) is of specified key type (really encryption type).
int shishi_tkt_server (Shishi_tkt *tkt
,char **server
,size_t *serverlen
);
Represent server principal name in Ticket as zero-terminated
string. The string is allocate by this function, and it is the
responsibility of the caller to deallocate it. Note that the
output length serverlen
does not include the terminating zero.
int shishi_tkt_server_p (Shishi_tkt *tkt
,const char *server
);
Determine if ticket is for specified server.
int shishi_tkt_valid_at_time_p (Shishi_tkt *tkt
,time_t now
);
Determine if ticket is valid at a specific point in time.
int
shishi_tkt_valid_now_p (Shishi_tkt *tkt
);
Determine if ticket is valid now.
int
shishi_tkt_expired_p (Shishi_tkt *tkt
);
Determine if ticket has expired (i.e., endtime is in the past).
void
shishi_tkt_done (Shishi_tkt *tkt
);
Deallocate resources associated with ticket. The ticket must not be used again after this call.
int shishi_tkt_flags (Shishi_tkt *tkt
,uint32_t *flags
);
Extract flags in ticket (i.e., EncKDCRepPart).
int shishi_tkt_flags_set (Shishi_tkt *tkt
,uint32_t flags
);
Set flags in ticket, i.e., both EncTicketPart and EncKDCRepPart. Note that this reset any already existing flags.
int shishi_tkt_flags_add (Shishi_tkt *tkt
,uint32_t flag
);
Add ticket flags to Ticket and EncKDCRepPart. This preserves all existing options.
int
shishi_tkt_forwardable_p (Shishi_tkt *tkt
);
Determine if ticket is forwardable.
The FORWARDABLE flag in a ticket is normally only interpreted by the ticket-granting service. It can be ignored by application servers. The FORWARDABLE flag has an interpretation similar to that of the PROXIABLE flag, except ticket-granting tickets may also be issued with different network addresses. This flag is reset by default, but users MAY request that it be set by setting the FORWARDABLE option in the AS request when they request their initial ticket-granting ticket.
int
shishi_tkt_forwarded_p (Shishi_tkt *tkt
);
Determine if ticket is forwarded.
The FORWARDED flag is set by the TGS when a client presents a ticket with the FORWARDABLE flag set and requests a forwarded ticket by specifying the FORWARDED KDC option and supplying a set of addresses for the new ticket. It is also set in all tickets issued based on tickets with the FORWARDED flag set. Application servers may choose to process FORWARDED tickets differently than non-FORWARDED tickets.
int
shishi_tkt_proxiable_p (Shishi_tkt *tkt
);
Determine if ticket is proxiable.
The PROXIABLE flag in a ticket is normally only interpreted by the ticket-granting service. It can be ignored by application servers. When set, this flag tells the ticket-granting server that it is OK to issue a new ticket (but not a ticket-granting ticket) with a different network address based on this ticket. This flag is set if requested by the client on initial authentication. By default, the client will request that it be set when requesting a ticket-granting ticket, and reset when requesting any other ticket.
int
shishi_tkt_proxy_p (Shishi_tkt *tkt
);
Determine if ticket is proxy ticket.
The PROXY flag is set in a ticket by the TGS when it issues a proxy ticket. Application servers MAY check this flag and at their option they MAY require additional authentication from the agent presenting the proxy in order to provide an audit trail.
int
shishi_tkt_may_postdate_p (Shishi_tkt *tkt
);
Determine if ticket may be used to grant postdated tickets.
The MAY-POSTDATE flag in a ticket is normally only interpreted by the ticket-granting service. It can be ignored by application servers. This flag MUST be set in a ticket-granting ticket in order to issue a postdated ticket based on the presented ticket. It is reset by default; it MAY be requested by a client by setting the ALLOW- POSTDATE option in the KRB_AS_REQ message. This flag does not allow a client to obtain a postdated ticket-granting ticket; postdated ticket-granting tickets can only by obtained by requesting the postdating in the KRB_AS_REQ message. The life (endtime-starttime) of a postdated ticket will be the remaining life of the ticket-granting ticket at the time of the request, unless the RENEWABLE option is also set, in which case it can be the full life (endtime-starttime) of the ticket-granting ticket. The KDC MAY limit how far in the future a ticket may be postdated.
int
shishi_tkt_postdated_p (Shishi_tkt *tkt
);
Determine if ticket is postdated.
The POSTDATED flag indicates that a ticket has been postdated. The application server can check the authtime field in the ticket to see when the original authentication occurred. Some services MAY choose to reject postdated tickets, or they may only accept them within a certain period after the original authentication. When the KDC issues a POSTDATED ticket, it will also be marked as INVALID, so that the application client MUST present the ticket to the KDC to be validated before use.
int
shishi_tkt_invalid_p (Shishi_tkt *tkt
);
Determine if ticket is invalid.
The INVALID flag indicates that a ticket is invalid. Application servers MUST reject tickets which have this flag set. A postdated ticket will be issued in this form. Invalid tickets MUST be validated by the KDC before use, by presenting them to the KDC in a TGS request with the VALIDATE option specified. The KDC will only validate tickets after their starttime has passed. The validation is required so that postdated tickets which have been stolen before their starttime can be rendered permanently invalid (through a hot-list mechanism).
int
shishi_tkt_renewable_p (Shishi_tkt *tkt
);
Determine if ticket is renewable.
The RENEWABLE flag in a ticket is normally only interpreted by the ticket-granting service (discussed below in section 3.3). It can usually be ignored by application servers. However, some particularly careful application servers MAY disallow renewable tickets.
int
shishi_tkt_initial_p (Shishi_tkt *tkt
);
Determine if ticket was issued using AS exchange.
The INITIAL flag indicates that a ticket was issued using the AS protocol, rather than issued based on a ticket-granting ticket. Application servers that want to require the demonstrated knowledge of a client's secret key (e.g. a password-changing program) can insist that this flag be set in any tickets they accept, and thus be assured that the client's key was recently presented to the application client.
int
shishi_tkt_pre_authent_p (Shishi_tkt *tkt
);
Determine if ticket was pre-authenticated.
The PRE-AUTHENT and HW-AUTHENT flags provide additional information about the initial authentication, regardless of whether the current ticket was issued directly (in which case INITIAL will also be set) or issued on the basis of a ticket-granting ticket (in which case the INITIAL flag is clear, but the PRE-AUTHENT and HW-AUTHENT flags are carried forward from the ticket-granting ticket).
int
shishi_tkt_hw_authent_p (Shishi_tkt *tkt
);
Determine if ticket is authenticated using a hardware token.
The PRE-AUTHENT and HW-AUTHENT flags provide additional information about the initial authentication, regardless of whether the current ticket was issued directly (in which case INITIAL will also be set) or issued on the basis of a ticket-granting ticket (in which case the INITIAL flag is clear, but the PRE-AUTHENT and HW-AUTHENT flags are carried forward from the ticket-granting ticket).
int
shishi_tkt_transited_policy_checked_p (Shishi_tkt *tkt
);
Determine if ticket has been policy checked for transit.
The application server is ultimately responsible for accepting or rejecting authentication and SHOULD check that only suitably trusted KDCs are relied upon to authenticate a principal. The transited field in the ticket identifies which realms (and thus which KDCs) were involved in the authentication process and an application server would normally check this field. If any of these are untrusted to authenticate the indicated client principal (probably determined by a realm-based policy), the authentication attempt MUST be rejected. The presence of trusted KDCs in this list does not provide any guarantee; an untrusted KDC may have fabricated the list.
While the end server ultimately decides whether authentication is valid, the KDC for the end server's realm MAY apply a realm specific policy for validating the transited field and accepting credentials for cross-realm authentication. When the KDC applies such checks and accepts such cross-realm authentication it will set the TRANSITED-POLICY-CHECKED flag in the service tickets it issues based on the cross-realm TGT. A client MAY request that the KDCs not check the transited field by setting the DISABLE-TRANSITED-CHECK flag. KDCs are encouraged but not required to honor this flag.
Application servers MUST either do the transited-realm checks themselves, or reject cross-realm tickets without TRANSITED-POLICY- CHECKED set.
int
shishi_tkt_ok_as_delegate_p (Shishi_tkt *tkt
);
Determine if ticket is ok as delegated ticket.
The copy of the ticket flags in the encrypted part of the KDC reply may have the OK-AS-DELEGATE flag set to indicates to the client that the server specified in the ticket has been determined by policy of the realm to be a suitable recipient of delegation. A client can use the presence of this flag to help it make a decision whether to delegate credentials (either grant a proxy or a forwarded ticket- granting ticket) to this server. It is acceptable to ignore the value of this flag. When setting this flag, an administrator should consider the security and placement of the server on which the service will run, as well as whether the service requires the use of delegated credentials.
char *
shishi_tkts_default_file_guess (Shishi *handle
);
Guesses the default ticket filename; it is $SHISHI_TICKETS, $SHISHI_HOME/tickets, or $HOME/.shishi/tickets.
const char *
shishi_tkts_default_file (Shishi *handle
);
Get filename of default ticket set.
void shishi_tkts_default_file_set (Shishi *handle
,const char *tktsfile
);
Set the default ticket set filename used in the library. The string is copied into the library, so you can dispose of the variable immediately after calling this function.
handle |
Shishi library handle create by |
|
tktsfile |
string with new default tkts file name, or NULL to reset to default. |
Shishi_tkts *
shishi_tkts_default (Shishi *handle
);
Get the default ticket set for library handle.
int shishi_tkts (Shishi *handle
,Shishi_tkts **tkts
);
Get a new ticket set handle.
handle |
shishi handle as allocated by |
|
tkts |
output pointer to newly allocated tkts handle. |
Shishi_tkt * shishi_tkts_nth (Shishi_tkts *tkts
,int ticketno
);
Get the n:th ticket in ticket set.
tkts |
ticket set handle as allocated by |
|
ticketno |
integer indicating requested ticket in ticket set. |
int shishi_tkts_add (Shishi_tkts *tkts
,Shishi_tkt *tkt
);
Add a ticket to the ticket set. Only the pointer is stored, so if
you modify tkt
, the ticket in the ticket set will also be
modified.
tkts |
ticket set handle as allocated by |
|
tkt |
ticket to be added to ticket set. |
int shishi_tkts_new (Shishi_tkts *tkts
,Shishi_asn1 ticket
,Shishi_asn1 enckdcreppart
,Shishi_asn1 kdcrep
);
Allocate a new ticket and add it to the ticket set.
Note that ticket
, enckdcreppart
and kdcrep
are stored by
reference, so you must not de-allocate them before the ticket is
removed from the ticket set and de-allocated.
tkts |
ticket set handle as allocated by |
|
ticket |
input ticket variable. |
|
enckdcreppart |
input ticket detail variable. |
|
kdcrep |
input KDC-REP variable. |
int shishi_tkts_remove (Shishi_tkts *tkts
,int ticketno
);
Remove a ticket, indexed by ticketno
, in ticket set.
tkts |
ticket set handle as allocated by |
|
ticketno |
ticket number of ticket in the set to remove. The first ticket is ticket number 0. |
int
shishi_tkts_expire (Shishi_tkts *tkts
);
Remove expired tickets from ticket set.
int shishi_tkts_print_for_service (Shishi_tkts *tkts
,FILE *fh
,const char *service
);
Print description of tickets for specified service to file descriptor. If service is NULL, all tickets are printed.
tkts |
ticket set handle as allocated by |
|
fh |
file descriptor to print to. |
|
service |
service to limit tickets printed to, or NULL. |
int shishi_tkts_print (Shishi_tkts *tkts
,FILE *fh
);
Print description of all tickets to file descriptor.
int shishi_tkts_write (Shishi_tkts *tkts
,FILE *fh
);
Write tickets in set to file descriptor.
tkts |
ticket set handle as allocated by |
|
fh |
file descriptor to write tickets to. |
int shishi_tkts_to_file (Shishi_tkts *tkts
,const char *filename
);
Write tickets in set to file.
tkts |
ticket set handle as allocated by |
|
filename |
filename to write tickets to. |
int shishi_tkts_read (Shishi_tkts *tkts
,FILE *fh
);
Read tickets from file descriptor and add them to the ticket set.
int shishi_tkts_from_file (Shishi_tkts *tkts
,const char *filename
);
Read tickets from file and add them to the ticket set.
tkts |
ticket set handle as allocated by |
|
filename |
filename to read tickets from. |
void
shishi_tkts_done (Shishi_tkts **tkts
);
Deallocates all resources associated with ticket set. The ticket set handle must not be used in calls to other shishi_tkts_*() functions after this.
int shishi_tkt_match_p (Shishi_tkt *tkt
,Shishi_tkts_hint *hint
);
Test if a ticket matches specified hints.
Shishi_tkt * shishi_tkts_find (Shishi_tkts *tkts
,Shishi_tkts_hint *hint
);
Search the ticketset sequentially (from ticket number 0 through all tickets in the set) for a ticket that fits the given characteristics. If a ticket is found, the hint->startpos field is updated to point to the next ticket in the set, so this function can be called repeatedly with the same hint argument in order to find all tickets matching a certain criterium. Note that if tickets are added to, or removed from, the ticketset during a query with the same hint argument, the hint->startpos field must be updated appropriately.
Here is how you would typically use this function:
Shishi_tkts_hint hint;
Shishi_tkt tkt;
memset(&hint, 0, sizeof(hint));
hint.server = "imap/mail.example.org";
tkt = shishi_tkts_find (shishi_tkts_default(handle), &hint);
if (!tkt)
printf("No ticket found...\n");
else
do_something_with_ticket (tkt);
tkts |
ticket set handle as allocated by |
|
hint |
structure with characteristics of ticket to be found. |
Shishi_tkt * shishi_tkts_find_for_clientserver (Shishi_tkts *tkts
,const char *client
,const char *server
);
Short-hand function for searching the ticket set for a ticket for
the given client and server. See shishi_tkts_find()
.
tkts |
ticket set handle as allocated by |
|
client |
client name to find ticket for. |
|
server |
server name to find ticket for. |
Shishi_tkt * shishi_tkts_find_for_server (Shishi_tkts *tkts
,const char *server
);
Short-hand function for searching the ticket set for a ticket for
the given server using the default client principal. See
shishi_tkts_find_for_clientserver()
and shishi_tkts_find()
.
tkts |
ticket set handle as allocated by |
|
server |
server name to find ticket for. |
Shishi_tkt * shishi_tkts_get (Shishi_tkts *tkts
,Shishi_tkts_hint *hint
);
Get a ticket matching given characteristics. This function first
looks in the ticket set for a ticket, then tries to find a
suitable TGT, possibly via an AS exchange, using
shishi_tkts_get_tgt()
, and then uses that TGT in a TGS exchange to
get the ticket.
Currently this function does not implement cross realm logic.
tkts |
ticket set handle as allocated by |
|
hint |
structure with characteristics of ticket to be found. |
Shishi_tkt * shishi_tkts_get_tgt (Shishi_tkts *tkts
,Shishi_tkts_hint *hint
);
Get a ticket granting ticket (TGT) suitable for acquiring ticket matching the hint. I.e., get a TGT for the server realm in the hint structure (hint->serverrealm), or the default realm if the serverrealm field is NULL. Can result in AS exchange.
Currently this function do not implement cross realm logic.
This function is used by shishi_tkts_get()
, which is probably what
you really want to use unless you have special needs.
tkts |
ticket set handle as allocated by |
|
hint |
structure with characteristics of ticket to begot. |
Shishi_tkt * shishi_tkts_get_tgs (Shishi_tkts *tkts
,Shishi_tkts_hint *hint
,Shishi_tkt *tgt
);
Get a ticket via TGS exchange using specified ticket granting ticket.
This function is used by shishi_tkts_get()
, which is probably what
you really want to use unless you have special needs.
tkts |
ticket set handle as allocated by |
|
hint |
structure with characteristics of ticket to begot. |
|
tgt |
ticket granting ticket to use. |
Shishi_tkt * shishi_tkts_get_for_clientserver (Shishi_tkts *tkts
,const char *client
,const char *server
);
Short-hand function for getting a ticket for the given client and
server. See shishi_tkts_get()
.
tkts |
ticket set handle as allocated by |
|
client |
client name to get ticket for. |
|
server |
server name to get ticket for. |
Shishi_tkt * shishi_tkts_get_for_server (Shishi_tkts *tkts
,const char *server
);
Short-hand function for getting a ticket to the given server and
for the default principal client. See shishi_tkts_get()
.
tkts |
ticket set handle as allocated by |
|
server |
server name to get ticket for. |
Shishi_tkt * shishi_tkts_get_for_localservicepasswd (Shishi_tkts *tkts
,const char *service
,const char *passwd
);
Short-hand function for getting a ticket to the given
local service, and for the default principal client.
The latter's password is given as argument.
See shishi_tkts_get()
.
tkts |
ticket set handle as allocated by |
|
service |
service name to get ticket for. |
|
passwd |
password for the default client principal. |
char *
shishi_tkts_default_ccache_guess (Shishi *handle
);
Guesses the default ccache ticket filename; it is the contents of
the environment variable KRB5CCNAME or /tmp/krb5cc_UID where UID is
the user's identity in decimal, as returned by getuid()
.
const char *
shishi_tkts_default_ccache (Shishi *handle
);
Get filename of default ccache filename.
void shishi_tkts_default_ccache_set (Shishi *handle
,const char *ccache
);
Set the default ccache filename used in the library. The string is copied into the library, so you can dispose of the variable immediately after calling this function.
handle |
Shishi library handle create by |
|
ccache |
string with new default ccache filename, or NULL to reset to default. |
int shishi_tkts_add_ccache_mem (Shishi *handle
,const char *data
,size_t len
,Shishi_tkts *tkts
);
Read tickets from a ccache data structure, and add them to the ticket set.
The ccache format is proprietary, and this function support (at least) the 0x0504 format. See the section The Credential Cache Binary File Format in the Shishi manual for a description of the file format.
handle |
shishi handle as allocated by |
|
data |
constant memory buffer with ccache of |
|
len |
size of memory buffer with ccache data. |
|
tkts |
allocated key set to store tickets in. |
Returns SHISHI_CCACHE_ERROR
if the data does not
represent a valid ccache structure, and SHISHI_OK
on success.
int shishi_tkts_add_ccache_file (Shishi *handle
,const char *filename
,Shishi_tkts *tkts
);
Read tickets from a ccache data structure, and add them to the ticket set.
The ccache format is proprietary, and this function support (at least) the 0x0504 format. See the section The Credential Cache Binary File Format in the Shishi manual for a description of the file format.
handle |
shishi handle as allocated by |
|
filename |
name of file to read. |
|
tkts |
allocated ticket set to store tickets in. |
Returns SHISHI_IO_ERROR
if the file cannot be read,
SHISHI_CCACHE_ERROR
if the data cannot be parsed as a valid ccache
structure, and SHISHI_OK
on success.
int shishi_tkts_from_ccache_mem (Shishi *handle
,const char *data
,size_t len
,Shishi_tkts **outtkts
);
Read tickets from a ccache data structure, and add them to the ticket set.
The ccache format is proprietary, and this function support (at least) the 0x0504 format. See the section The Credential Cache Binary File Format in the Shishi manual for a description of the file format.
handle |
shishi handle as allocated by |
|
data |
constant memory buffer with ccache of |
|
len |
size of memory buffer with ccache data. |
|
outtkts |
pointer to ticket set that will be allocated and populated, must be deallocated by caller on succes. |
Returns SHISHI_CCACHE_ERROR
if the data does not
represent a valid ccache structure, and SHISHI_OK
on success.
int shishi_tkts_from_ccache_file (Shishi *handle
,const char *filename
,Shishi_tkts **outtkts
);
Read tickets from a ccache data structure, and add them to the ticket set.
The ccache format is proprietary, and this function support (at least) the 0x0504 format. See the section The Credential Cache Binary File Format in the Shishi manual for a description of the file format.
handle |
shishi handle as allocated by |
|
filename |
name of file to read. |
|
outtkts |
pointer to ticket set that will be allocated and populated, must be deallocated by caller on succes. |
Returns SHISHI_IO_ERROR
if the file cannot be read,
SHISHI_CCACHE_ERROR
if the data cannot be parsed as a valid ccache
structure, and SHISHI_OK
on success.
int shishi_enckdcreppart_print (Shishi *handle
,FILE *fh
,Shishi_asn1 enckdcreppart
);
int shishi_enckdcreppart_save (Shishi *handle
,FILE *fh
,Shishi_asn1 enckdcreppart
);
int shishi_enckdcreppart_parse (Shishi *handle
,FILE *fh
,Shishi_asn1 *enckdcreppart
);
int shishi_enckdcreppart_read (Shishi *handle
,FILE *fh
,Shishi_asn1 *enckdcreppart
);
int shishi_kdc_print (Shishi *handle
,FILE *fh
,Shishi_asn1 asreq
,Shishi_asn1 asrep
,Shishi_asn1 encasreppart
);
int shishi_etype_info_print (Shishi *handle
,FILE *fh
,Shishi_asn1 etypeinfo
);
int shishi_etype_info2_print (Shishi *handle
,FILE *fh
,Shishi_asn1 etypeinfo2
);
int shishi_methoddata_print (Shishi *handle
,FILE *fh
,Shishi_asn1 methoddata
);
Shishi_asn1
shishi_authenticator (Shishi *handle
);
This function creates a new Authenticator, populated with some default values. It uses the current time as returned by the system for the ctime and cusec fields.
int shishi_authenticator_set_crealm (Shishi *handle
,Shishi_asn1 authenticator
,const char *crealm
);
Set realm field in authenticator to specified value.
handle |
shishi handle as allocated by |
|
authenticator |
authenticator as allocated by |
|
crealm |
input array with realm. |
int shishi_authenticator_set_cname (Shishi *handle
,Shishi_asn1 authenticator
,Shishi_name_type name_type
,const char *cname[]
);
Set principal field in authenticator to specified value.
handle |
shishi handle as allocated by |
|
authenticator |
authenticator as allocated by |
|
name_type |
type of principial, see Shishi_name_type, usually SHISHI_NT_UNKNOWN. |
|
cname |
input array with principal name. |
int shishi_authenticator_client_set (Shishi *handle
,Shishi_asn1 authenticator
,const char *client
);
Set the client name field in the Authenticator.
handle |
shishi handle as allocated by |
|
authenticator |
Authenticator to set client name field in. |
|
client |
zero-terminated string with principal name on RFC 1964 form. |
int shishi_authenticator_ctime (Shishi *handle
,Shishi_asn1 authenticator
,char **t
);
Extract client time from Authenticator.
handle |
shishi handle as allocated by |
|
authenticator |
Authenticator as allocated by |
|
t |
newly allocated zero-terminated character array with client time. |
int shishi_authenticator_ctime_set (Shishi *handle
,Shishi_asn1 authenticator
,const char *t
);
Store client time in Authenticator.
handle |
shishi handle as allocated by |
|
authenticator |
Authenticator as allocated by |
|
t |
string with generalized time value to store in Authenticator. |
int shishi_authenticator_cusec_get (Shishi *handle
,Shishi_asn1 authenticator
,uint32_t *cusec
);
Extract client microseconds field from Authenticator.
handle |
shishi handle as allocated by |
|
authenticator |
Authenticator as allocated by |
|
cusec |
output integer with client microseconds field. |
int shishi_authenticator_cusec_set (Shishi *handle
,Shishi_asn1 authenticator
,uint32_t cusec
);
Set the cusec field in the Authenticator.
handle |
shishi handle as allocated by |
|
authenticator |
authenticator as allocated by |
|
cusec |
client microseconds to set in authenticator, 0-999999. |
int shishi_authenticator_seqnumber_get (Shishi *handle
,Shishi_asn1 authenticator
,uint32_t *seqnumber
);
Extract sequence number field from Authenticator.
handle |
shishi handle as allocated by |
|
authenticator |
authenticator as allocated by |
|
seqnumber |
output integer with sequence number field. |
int shishi_authenticator_seqnumber_remove (Shishi *handle
,Shishi_asn1 authenticator
);
Remove sequence number field in Authenticator.
handle |
shishi handle as allocated by |
|
authenticator |
authenticator as allocated by |
int shishi_authenticator_seqnumber_set (Shishi *handle
,Shishi_asn1 authenticator
,uint32_t seqnumber
);
Store sequence number field in Authenticator.
handle |
shishi handle as allocated by |
|
authenticator |
authenticator as allocated by |
|
seqnumber |
integer with sequence number field to store in Authenticator. |
int shishi_authenticator_client (Shishi *handle
,Shishi_asn1 authenticator
,char **client
,size_t *clientlen
);
Represent client principal name in Authenticator as zero-terminated
string. The string is allocate by this function, and it is the
responsibility of the caller to deallocate it. Note that the
output length clientlen
does not include the terminating zero.
handle |
Shishi library handle create by |
|
authenticator |
Authenticator variable to get client name from. |
|
client |
pointer to newly allocated zero terminated string containing
principal name. May be |
|
clientlen |
pointer to length of |
int shishi_authenticator_clientrealm (Shishi *handle
,Shishi_asn1 authenticator
,char **client
,size_t *clientlen
);
Convert cname and realm fields from Authenticator to printable
principal name format. The string is allocate by this function,
and it is the responsibility of the caller to deallocate it. Note
that the output length clientlen
does not include the terminating
zero.
handle |
Shishi library handle create by |
|
authenticator |
Authenticator variable to get client name and realm from. |
|
client |
pointer to newly allocated zero terminated string containing
principal name and realm. May be |
|
clientlen |
pointer to length of |
int shishi_authenticator_remove_cksum (Shishi *handle
,Shishi_asn1 authenticator
);
int shishi_authenticator_cksum (Shishi *handle
,Shishi_asn1 authenticator
,int32_t *cksumtype
,char **cksum
,size_t *cksumlen
);
Read checksum value from authenticator. cksum
is allocated by
this function, and it is the responsibility of caller to deallocate
it.
handle |
shishi handle as allocated by |
|
authenticator |
authenticator as allocated by |
|
cksumtype |
output checksum type. |
|
cksum |
newly allocated output checksum data from authenticator. |
|
cksumlen |
on output, actual size of allocated output checksum data buffer. |
int shishi_authenticator_set_cksum (Shishi *handle
,Shishi_asn1 authenticator
,int cksumtype
,char *cksum
,size_t cksumlen
);
Store checksum value in authenticator. A checksum is usually created
by calling shishi_checksum()
on some application specific data using
the key from the ticket that is being used. To save time, you may
want to use shishi_authenticator_add_cksum()
instead, which calculates
the checksum and calls this function in one step.
handle |
shishi handle as allocated by |
|
authenticator |
authenticator as allocated by |
|
cksumtype |
input checksum type to store in authenticator. |
|
cksum |
input checksum data to store in authenticator. |
|
cksumlen |
size of input checksum data to store in authenticator. |
int shishi_authenticator_add_cksum (Shishi *handle
,Shishi_asn1 authenticator
,Shishi_key *key
,int keyusage
,char *data
,size_t datalen
);
Calculate checksum for data and store it in the authenticator.
handle |
shishi handle as allocated by |
|
authenticator |
authenticator as allocated by |
|
key |
key to to use for encryption. |
|
keyusage |
cryptographic key usage value to use in encryption. |
|
data |
input array with data to calculate checksum on. |
|
datalen |
size of input array with data to calculate checksum on. |
int shishi_authenticator_add_cksum_type (Shishi *handle
,Shishi_asn1 authenticator
,Shishi_key *key
,int keyusage
,int cksumtype
,char *data
,size_t datalen
);
Calculate checksum for data and store it in the authenticator.
handle |
shishi handle as allocated by |
|
authenticator |
authenticator as allocated by |
|
key |
key to to use for encryption. |
|
keyusage |
cryptographic key usage value to use in encryption. |
|
cksumtype |
checksum to type to calculate checksum. |
|
data |
input array with data to calculate checksum on. |
|
datalen |
size of input array with data to calculate checksum on. |
int shishi_authenticator_remove_subkey (Shishi *handle
,Shishi_asn1 authenticator
);
Remove subkey from the authenticator.
handle |
shishi handle as allocated by |
|
authenticator |
authenticator as allocated by |
Shishi_asn1
shishi_authenticator_subkey (Shishi *handle
);
This function creates a new Authenticator, populated with some default values. It uses the current time as returned by the system for the ctime and cusec fields. It adds a random subkey.
int shishi_authenticator_get_subkey (Shishi *handle
,Shishi_asn1 authenticator
,Shishi_key **subkey
);
Read subkey value from authenticator.
handle |
shishi handle as allocated by |
|
authenticator |
authenticator as allocated by |
|
subkey |
output newly allocated subkey from authenticator. |
int shishi_authenticator_set_subkey (Shishi *handle
,Shishi_asn1 authenticator
,int32_t subkeytype
,const char *subkey
,size_t subkeylen
);
Store subkey value in authenticator. A subkey is usually created
by calling shishi_key_random()
using the default encryption type of
the key from the ticket that is being used. To save time, you may
want to use shishi_authenticator_add_subkey()
instead, which calculates
the subkey and calls this function in one step.
handle |
shishi handle as allocated by |
|
authenticator |
authenticator as allocated by |
|
subkeytype |
input subkey type to store in authenticator. |
|
subkey |
input subkey data to store in authenticator. |
|
subkeylen |
size of input subkey data to store in authenticator. |
int shishi_authenticator_add_random_subkey (Shishi *handle
,Shishi_asn1 authenticator
);
Generate random subkey, of the default encryption type from configuration, and store it in the authenticator.
handle |
shishi handle as allocated by |
|
authenticator |
authenticator as allocated by |
int shishi_authenticator_add_random_subkey_etype (Shishi *handle
,Shishi_asn1 authenticator
,int etype
);
Generate random subkey of indicated encryption type, and store it in the authenticator.
handle |
shishi handle as allocated by |
|
authenticator |
authenticator as allocated by |
|
etype |
encryption type of random key to generate. |
int shishi_authenticator_add_subkey (Shishi *handle
,Shishi_asn1 authenticator
,Shishi_key *subkey
);
Store subkey in the authenticator.
handle |
shishi handle as allocated by |
|
authenticator |
authenticator as allocated by |
|
subkey |
subkey to add to authenticator. |
int shishi_authenticator_clear_authorizationdata (Shishi *handle
,Shishi_asn1 authenticator
);
Remove the authorization-data field from Authenticator.
handle |
shishi handle as allocated by |
|
authenticator |
Authenticator as allocated by |
int shishi_authenticator_add_authorizationdata (Shishi *handle
,Shishi_asn1 authenticator
,int32_t adtype
,const char *addata
,size_t addatalen
);
Add authorization data to authenticator.
handle |
shishi handle as allocated by |
|
authenticator |
authenticator as allocated by |
|
adtype |
input authorization data type to add. |
|
addata |
input authorization data to add. |
|
addatalen |
size of input authorization data to add. |
int shishi_authenticator_authorizationdata (Shishi *handle
,Shishi_asn1 authenticator
,int32_t *adtype
,char **addata
,size_t *addatalen
,size_t nth
);
Extract n:th authorization data from authenticator. The first field is 1.
handle |
shishi handle as allocated by |
|
authenticator |
authenticator as allocated by |
|
adtype |
output authorization data type. |
|
addata |
newly allocated output authorization data. |
|
addatalen |
on output, actual size of newly allocated authorization data. |
|
nth |
element number of authorization-data to extract. |
int shishi_authenticator_read (Shishi *handle
,FILE *fh
,Shishi_asn1 *authenticator
);
Read DER encoded authenticator from file and populate given authenticator variable.
handle |
shishi handle as allocated by |
|
fh |
file handle open for reading. |
|
authenticator |
output variable with newly allocated authenticator. |
int shishi_authenticator_parse (Shishi *handle
,FILE *fh
,Shishi_asn1 *authenticator
);
Read ASCII armored DER encoded authenticator from file and populate given authenticator variable.
handle |
shishi handle as allocated by |
|
fh |
file handle open for reading. |
|
authenticator |
output variable with newly allocated authenticator. |
int shishi_authenticator_from_file (Shishi *handle
,Shishi_asn1 *authenticator
,int filetype
,const char *filename
);
Read Authenticator from file in specified TYPE.
handle |
shishi handle as allocated by |
|
authenticator |
output variable with newly allocated Authenticator. |
|
filetype |
input variable specifying type of file to be read, see Shishi_filetype. |
|
filename |
input variable with filename to read from. |
int shishi_authenticator_print (Shishi *handle
,FILE *fh
,Shishi_asn1 authenticator
);
Print ASCII armored DER encoding of authenticator to file.
handle |
shishi handle as allocated by |
|
fh |
file handle open for writing. |
|
authenticator |
authenticator as allocated by |
int shishi_authenticator_to_file (Shishi *handle
,Shishi_asn1 authenticator
,int filetype
,const char *filename
);
Write Authenticator to file in specified TYPE. The file will be truncated if it exists.
handle |
shishi handle as allocated by |
|
authenticator |
Authenticator to save. |
|
filetype |
input variable specifying type of file to be written, see Shishi_filetype. |
|
filename |
input variable with filename to write to. |
int shishi_authenticator_save (Shishi *handle
,FILE *fh
,Shishi_asn1 authenticator
);
Save DER encoding of authenticator to file.
handle |
shishi handle as allocated by |
|
fh |
file handle open for writing. |
|
authenticator |
authenticator as allocated by |
int shishi_as (Shishi *handle
,Shishi_as **as
);
Allocate a new AS exchange variable.
handle |
shishi handle as allocated by |
|
as |
holds pointer to newly allocate Shishi_as structure. |
void
shishi_as_done (Shishi_as *as
);
Deallocate resources associated with AS exchange. This should be called by the application when it no longer need to utilize the AS exchange handle.
Shishi_asn1
shishi_as_req (Shishi_as *as
);
Get ASN.1 AS-REQ structure from AS exchange.
int
shishi_as_req_build (Shishi_as *as
);
Possibly remove unset fields (e.g., rtime).
void shishi_as_req_set (Shishi_as *as
,Shishi_asn1 asreq
);
Set the AS-REQ in the AS exchange.
int shishi_as_req_der (Shishi_as *as
,char **out
,size_t *outlen
);
DER encode AS-REQ. out
is allocated by this function, and it is
the responsibility of caller to deallocate it.
int shishi_as_req_der_set (Shishi_as *as
,char *der
,size_t derlen
);
DER decode AS-REQ and set it AS exchange. If decoding fails, the AS-REQ in the AS exchange remains.
Shishi_asn1
shishi_as_rep (Shishi_as *as
);
Get ASN.1 AS-REP structure from AS exchange.
void shishi_as_rep_set (Shishi_as *as
,Shishi_asn1 asrep
);
Set the AS-REP in the AS exchange.
int shishi_as_rep_build (Shishi_as *as
,Shishi_key *key
);
Build AS-REP.
int shishi_as_rep_der (Shishi_as *as
,char **out
,size_t *outlen
);
DER encode AS-REP. out
is allocated by this function, and it is
the responsibility of caller to deallocate it.
int shishi_as_rep_der_set (Shishi_as *as
,char *der
,size_t derlen
);
DER decode AS-REP and set it AS exchange. If decoding fails, the AS-REP in the AS exchange remains.
Shishi_asn1
shishi_as_krberror (Shishi_as *as
);
Get ASN.1 KRB-ERROR structure from AS exchange.
int shishi_as_krberror_der (Shishi_as *as
,char **out
,size_t *outlen
);
DER encode KRB-ERROR. out
is allocated by this function, and it is
the responsibility of caller to deallocate it.
void shishi_as_krberror_set (Shishi_as *as
,Shishi_asn1 krberror
);
Set the KRB-ERROR in the AS exchange.
void shishi_as_tkt_set (Shishi_as *as
,Shishi_tkt *tkt
);
Set the Tkt in the AS exchange.
int
shishi_as_sendrecv (Shishi_as *as
);
Send AS-REQ and receive AS-REP or KRB-ERROR. This is the initial authentication, usually used to acquire a Ticket Granting Ticket.
int shishi_as_sendrecv_hint (Shishi_as *as
,Shishi_tkts_hint *hint
);
Send AS-REQ and receive AS-REP or KRB-ERROR. This is the initial
authentication, usually used to acquire a Ticket Granting Ticket.
The hint
structure can be used to set, e.g., parameters for TLS
authentication.
int shishi_as_rep_process (Shishi_as *as
,Shishi_key *key
,const char *password
);
Process new AS-REP and set ticket. The key is used to decrypt the AP-REP. If both key and password is NULL, the user is queried for it.
int shishi_tgs (Shishi *handle
,Shishi_tgs **tgs
);
Allocate a new TGS exchange variable.
handle |
shishi handle as allocated by |
|
tgs |
holds pointer to newly allocate Shishi_tgs structure. |
void
shishi_tgs_done (Shishi_tgs *tgs
);
Deallocate resources associated with TGS exchange. This should be called by the application when it no longer need to utilize the TGS exchange handle.
Shishi_tkt *
shishi_tgs_tgtkt (Shishi_tgs *tgs
);
Get Ticket-granting-ticket from TGS exchange.
void shishi_tgs_tgtkt_set (Shishi_tgs *tgs
,Shishi_tkt *tgtkt
);
Set the Ticket in the TGS exchange.
int shishi_tgs_req_der (Shishi_tgs *tgs
,char **out
,size_t *outlen
);
DER encode TGS-REQ. out
is allocated by this function, and it is
the responsibility of caller to deallocate it.
int shishi_tgs_req_der_set (Shishi_tgs *tgs
,char *der
,size_t derlen
);
DER decode TGS-REQ and set it TGS exchange. If decoding fails, the TGS-REQ in the TGS exchange remains.
void shishi_tgs_req_set (Shishi_tgs *tgs
,Shishi_asn1 tgsreq
);
Set the TGS-REQ in the TGS exchange.
int
shishi_tgs_req_build (Shishi_tgs *tgs
);
Checksum data in authenticator and add ticket and authenticator to TGS-REQ.
int
shishi_tgs_req_process (Shishi_tgs *tgs
);
Process new TGS-REQ and set ticket. The key to decrypt the TGS-REQ is taken from the EncKDCReqPart of the TGS tgticket.
int shishi_tgs_rep_der (Shishi_tgs *tgs
,char **out
,size_t *outlen
);
DER encode TGS-REP. out
is allocated by this function, and it is
the responsibility of caller to deallocate it.
int shishi_tgs_rep_build (Shishi_tgs *tgs
,int keyusage
,Shishi_key *key
);
Build TGS-REP.
int
shishi_tgs_rep_process (Shishi_tgs *tgs
);
Process new TGS-REP and set ticket. The key to decrypt the TGS-REP is taken from the EncKDCRepPart of the TGS tgticket.
Shishi_asn1
shishi_tgs_krberror (Shishi_tgs *tgs
);
Get KRB-ERROR from TGS exchange.
int shishi_tgs_krberror_der (Shishi_tgs *tgs
,char **out
,size_t *outlen
);
DER encode KRB-ERROR. out
is allocated by this function, and it is
the responsibility of caller to deallocate it.
void shishi_tgs_krberror_set (Shishi_tgs *tgs
,Shishi_asn1 krberror
);
Set the KRB-ERROR in the TGS exchange.
void shishi_tgs_tkt_set (Shishi_tgs *tgs
,Shishi_tkt *tkt
);
Set the Ticket in the TGS exchange.
int
shishi_tgs_sendrecv (Shishi_tgs *tgs
);
Send TGS-REQ and receive TGS-REP or KRB-ERROR. This is the subsequent authentication, usually used to acquire server tickets.
int shishi_tgs_sendrecv_hint (Shishi_tgs *tgs
,Shishi_tkts_hint *hint
);
Send TGS-REQ and receive TGS-REP or KRB-ERROR. This is the
subsequent authentication, usually used to acquire server tickets.
The hint
structure can be used to set, e.g., parameters for TLS
authentication.
int shishi_tgs_set_server (Shishi_tgs *tgs
,const char *server
);
Set the server in the TGS-REQ.
int shishi_tgs_set_realm (Shishi_tgs *tgs
,const char *realm
);
Set the server in the TGS-REQ.
int shishi_tgs_set_realmserver (Shishi_tgs *tgs
,const char *realm
,const char *server
);
Set the realm and server in the TGS-REQ.
Shishi_asn1
shishi_asreq (Shishi *handle
);
This function creates a new AS-REQ, populated with some default values.
Shishi_asn1 shishi_asreq_rsc (Shishi *handle
,char *realm
,char *server
,char *client
);
Shishi_asn1
shishi_tgsreq (Shishi *handle
);
This function creates a new TGS-REQ, populated with some default values.
Shishi_asn1 shishi_tgsreq_rst (Shishi *handle
,char *realm
,char *server
,Shishi_tkt *tkt
);
int shishi_kdcreq_save (Shishi *handle
,FILE *fh
,Shishi_asn1 kdcreq
);
Print DER encoding of KDC-REQ to file.
handle |
shishi handle as allocated by |
|
fh |
file handle open for writing. |
|
kdcreq |
KDC-REQ to save. |
int shishi_kdcreq_print (Shishi *handle
,FILE *fh
,Shishi_asn1 kdcreq
);
Print ASCII armored DER encoding of KDC-REQ to file.
handle |
shishi handle as allocated by |
|
fh |
file handle open for writing. |
|
kdcreq |
KDC-REQ to print. |
int shishi_kdcreq_to_file (Shishi *handle
,Shishi_asn1 kdcreq
,int filetype
,const char *filename
);
Write KDC-REQ to file in specified TYPE. The file will be truncated if it exists.
handle |
shishi handle as allocated by |
|
kdcreq |
KDC-REQ to save. |
|
filetype |
input variable specifying type of file to be written, see Shishi_filetype. |
|
filename |
input variable with filename to write to. |
int shishi_kdcreq_parse (Shishi *handle
,FILE *fh
,Shishi_asn1 *kdcreq
);
Read ASCII armored DER encoded KDC-REQ from file and populate given variable.
handle |
shishi handle as allocated by |
|
fh |
file handle open for reading. |
|
kdcreq |
output variable with newly allocated KDC-REQ. |
int shishi_kdcreq_read (Shishi *handle
,FILE *fh
,Shishi_asn1 *kdcreq
);
Read DER encoded KDC-REQ from file and populate given variable.
handle |
shishi handle as allocated by |
|
fh |
file handle open for reading. |
|
kdcreq |
output variable with newly allocated KDC-REQ. |
int shishi_kdcreq_from_file (Shishi *handle
,Shishi_asn1 *kdcreq
,int filetype
,const char *filename
);
Read KDC-REQ from file in specified TYPE.
handle |
shishi handle as allocated by |
|
kdcreq |
output variable with newly allocated KDC-REQ. |
|
filetype |
input variable specifying type of file to be read, see Shishi_filetype. |
|
filename |
input variable with filename to read from. |
int shishi_asreq_clientrealm (Shishi *handle
,Shishi_asn1 asreq
,char **client
,size_t *clientlen
);
Convert cname and realm fields from AS-REQ to printable principal
name format. The string is allocate by this function, and it is
the responsibility of the caller to deallocate it. Note that the
output length clientlen
does not include the terminating zero.
handle |
Shishi library handle create by |
|
asreq |
AS-REQ variable to get client name and realm from. |
|
client |
pointer to newly allocated zero terminated string containing
principal name and realm. May be |
|
clientlen |
pointer to length of |
int shishi_kdcreq_nonce (Shishi *handle
,Shishi_asn1 kdcreq
,uint32_t *nonce
);
int shishi_kdcreq_nonce_set (Shishi *handle
,Shishi_asn1 kdcreq
,uint32_t nonce
);
Store nonce number field in KDC-REQ.
handle |
shishi handle as allocated by |
|
kdcreq |
KDC-REQ variable to set client name field in. |
|
nonce |
integer nonce to store in KDC-REQ. |
int shishi_kdcreq_client (Shishi *handle
,Shishi_asn1 kdcreq
,char **client
,size_t *clientlen
);
Represent client principal name in KDC-REQ as zero-terminated
string. The string is allocate by this function, and it is the
responsibility of the caller to deallocate it. Note that the
output length clientlen
does not include the terminating zero.
handle |
Shishi library handle create by |
|
kdcreq |
KDC-REQ variable to get client name from. |
|
client |
pointer to newly allocated zero terminated string containing
principal name. May be |
|
clientlen |
pointer to length of |
int shishi_kdcreq_set_cname (Shishi *handle
,Shishi_asn1 kdcreq
,Shishi_name_type name_type
,const char *principal
);
Set the client name field in the KDC-REQ.
handle |
shishi handle as allocated by |
|
kdcreq |
KDC-REQ variable to set client name field in. |
|
name_type |
type of principial, see Shishi_name_type, usually SHISHI_NT_UNKNOWN. |
|
principal |
input array with principal name. |
int shishi_kdcreq_server (Shishi *handle
,Shishi_asn1 kdcreq
,char **server
,size_t *serverlen
);
Represent server principal name in KDC-REQ as zero-terminated
string. The string is allocate by this function, and it is the
responsibility of the caller to deallocate it. Note that the
output length serverlen
does not include the terminating zero.
handle |
Shishi library handle create by |
|
kdcreq |
KDC-REQ variable to get server name from. |
|
server |
pointer to newly allocated zero terminated string containing
principal name. May be |
|
serverlen |
pointer to length of |
int shishi_kdcreq_set_sname (Shishi *handle
,Shishi_asn1 kdcreq
,Shishi_name_type name_type
,const char *sname[]
);
Set the server name field in the KDC-REQ.
handle |
shishi handle as allocated by |
|
kdcreq |
KDC-REQ variable to set server name field in. |
|
name_type |
type of principial, see Shishi_name_type, usually SHISHI_NT_UNKNOWN. |
|
sname |
input array with principal name. |
int shishi_kdcreq_realm (Shishi *handle
,Shishi_asn1 kdcreq
,char **realm
,size_t *realmlen
);
Get realm field in KDC-REQ as zero-terminated string. The string
is allocate by this function, and it is the responsibility of the
caller to deallocate it. Note that the output length realmlen
does not include the terminating zero.
handle |
Shishi library handle create by |
|
kdcreq |
KDC-REQ variable to get client name from. |
|
realm |
pointer to newly allocated zero terminated string containing
realm. May be |
|
realmlen |
pointer to length of |
int shishi_kdcreq_realm_get (Shishi *handle
,Shishi_asn1 kdcreq
,char **realm
,size_t *realmlen
);
int shishi_kdcreq_set_realm (Shishi *handle
,Shishi_asn1 kdcreq
,const char *realm
);
Set the realm field in the KDC-REQ.
handle |
shishi handle as allocated by |
|
kdcreq |
KDC-REQ variable to set realm field in. |
|
realm |
input array with name of realm. |
int shishi_kdcreq_set_server (Shishi *handle
,Shishi_asn1 req
,const char *service
);
int shishi_kdcreq_set_realmserver (Shishi *handle
,Shishi_asn1 req
,char *realm
,char *service
);
int shishi_kdcreq_till (Shishi *handle
,Shishi_asn1 kdcreq
,char **till
,size_t *tilllen
);
Get "till" field, i.e., "endtime", in KDC-REQ as a null-terminated
string. The string is typically 15 characters long and is
allocated by this function. It is the responsibility of the
caller to deallocate it. Note that the output length tilllen
does not include the terminating zero.
handle |
Shishi library handle created by |
|
kdcreq |
KDC-REQ variable to get endtime from. |
|
till |
pointer to newly allocated null terminated string containing
"till" field with generalized time. May be passed as |
|
tilllen |
pointer to length of |
time_t shishi_kdcreq_tillc (Shishi *handle
,Shishi_asn1 kdcreq
);
Extract C time corresponding to the "till" field.
handle |
Shishi library handle created by |
|
kdcreq |
KDC-REQ variable to get "till" field from. |
int shishi_kdcreq_etype (Shishi *handle
,Shishi_asn1 kdcreq
,int32_t *etype
,int netype
);
Return the netype:th encryption type from KDC-REQ. The first etype is number 1.
handle |
shishi handle as allocated by |
|
kdcreq |
KDC-REQ variable to get etype field from. |
|
etype |
output encryption type. |
|
netype |
element number to return. |
int shishi_kdcreq_set_etype (Shishi *handle
,Shishi_asn1 kdcreq
,int32_t *etype
,int netype
);
Set the list of supported or wanted encryption types in the request. The list should be sorted in priority order.
handle |
shishi handle as allocated by |
|
kdcreq |
KDC-REQ variable to set etype field in. |
|
etype |
input array with encryption types. |
|
netype |
number of elements in input array with encryption types. |
int shishi_kdcreq_options (Shishi *handle
,Shishi_asn1 kdcreq
,uint32_t *flags
);
Extract KDC-Options from KDC-REQ.
handle |
shishi handle as allocated by |
|
kdcreq |
KDC-REQ variable to get kdc-options field from. |
|
flags |
pointer to output integer with flags. |
int shishi_kdcreq_forwardable_p (Shishi *handle
,Shishi_asn1 kdcreq
);
Determine if KDC-Option forwardable flag is set.
The FORWARDABLE option indicates that the ticket to be issued is to have its forwardable flag set. It may only be set on the initial request, or in a subsequent request if the ticket-granting ticket on which it is based is also forwardable.
handle |
shishi handle as allocated by |
|
kdcreq |
KDC-REQ variable to get kdc-options field from. |
int shishi_kdcreq_forwarded_p (Shishi *handle
,Shishi_asn1 kdcreq
);
Determine if KDC-Option forwarded flag is set.
The FORWARDED option is only specified in a request to the ticket-granting server and will only be honored if the ticket-granting ticket in the request has its FORWARDABLE bit set. This option indicates that this is a request for forwarding. The address(es) of the host from which the resulting ticket is to be valid are included in the addresses field of the request.
handle |
shishi handle as allocated by |
|
kdcreq |
KDC-REQ variable to get kdc-options field from. |
int shishi_kdcreq_proxiable_p (Shishi *handle
,Shishi_asn1 kdcreq
);
Determine if KDC-Option proxiable flag is set.
The PROXIABLE option indicates that the ticket to be issued is to have its proxiable flag set. It may only be set on the initial request, or in a subsequent request if the ticket-granting ticket on which it is based is also proxiable.
handle |
shishi handle as allocated by |
|
kdcreq |
KDC-REQ variable to get kdc-options field from. |
int shishi_kdcreq_proxy_p (Shishi *handle
,Shishi_asn1 kdcreq
);
Determine if KDC-Option proxy flag is set.
The PROXY option indicates that this is a request for a proxy. This option will only be honored if the ticket-granting ticket in the request has its PROXIABLE bit set. The address(es) of the host from which the resulting ticket is to be valid are included in the addresses field of the request.
handle |
shishi handle as allocated by |
|
kdcreq |
KDC-REQ variable to get kdc-options field from. |
int shishi_kdcreq_allow_postdate_p (Shishi *handle
,Shishi_asn1 kdcreq
);
Determine if KDC-Option allow-postdate flag is set.
The ALLOW-POSTDATE option indicates that the ticket to be issued is to have its MAY-POSTDATE flag set. It may only be set on the initial request, or in a subsequent request if the ticket-granting ticket on which it is based also has its MAY-POSTDATE flag set.
handle |
shishi handle as allocated by |
|
kdcreq |
KDC-REQ variable to get kdc-options field from. |
int shishi_kdcreq_postdated_p (Shishi *handle
,Shishi_asn1 kdcreq
);
Determine if KDC-Option postdated flag is set.
The POSTDATED option indicates that this is a request for a postdated ticket. This option will only be honored if the ticket-granting ticket on which it is based has its MAY-POSTDATE flag set. The resulting ticket will also have its INVALID flag set, and that flag may be reset by a subsequent request to the KDC after the starttime in the ticket has been reached.
handle |
shishi handle as allocated by |
|
kdcreq |
KDC-REQ variable to get kdc-options field from. |
int shishi_kdcreq_renewable_p (Shishi *handle
,Shishi_asn1 kdcreq
);
Determine if KDC-Option renewable flag is set.
The RENEWABLE option indicates that the ticket to be issued is to have its RENEWABLE flag set. It may only be set on the initial request, or when the ticket-granting ticket on which the request is based is also renewable. If this option is requested, then the rtime field in the request contains the desired absolute expiration time for the ticket.
handle |
shishi handle as allocated by |
|
kdcreq |
KDC-REQ variable to get kdc-options field from. |
int shishi_kdcreq_disable_transited_check_p (Shishi *handle
,Shishi_asn1 kdcreq
);
Determine if KDC-Option disable-transited-check flag is set.
By default the KDC will check the transited field of a ticket-granting-ticket against the policy of the local realm before it will issue derivative tickets based on the ticket-granting ticket. If this flag is set in the request, checking of the transited field is disabled. Tickets issued without the performance of this check will be noted by the reset (0) value of the TRANSITED-POLICY-CHECKED flag, indicating to the application server that the tranisted field must be checked locally. KDCs are encouraged but not required to honor the DISABLE-TRANSITED-CHECK option.
This flag is new since RFC 1510
handle |
shishi handle as allocated by |
|
kdcreq |
KDC-REQ variable to get kdc-options field from. |
int shishi_kdcreq_renewable_ok_p (Shishi *handle
,Shishi_asn1 kdcreq
);
Determine if KDC-Option renewable-ok flag is set.
The RENEWABLE-OK option indicates that a renewable ticket will be acceptable if a ticket with the requested life cannot otherwise be provided. If a ticket with the requested life cannot be provided, then a renewable ticket may be issued with a renew-till equal to the requested endtime. The value of the renew-till field may still be limited by local limits, or limits selected by the individual principal or server.
handle |
shishi handle as allocated by |
|
kdcreq |
KDC-REQ variable to get kdc-options field from. |
int shishi_kdcreq_enc_tkt_in_skey_p (Shishi *handle
,Shishi_asn1 kdcreq
);
Determine if KDC-Option enc-tkt-in-skey flag is set.
This option is used only by the ticket-granting service. The ENC-TKT-IN-SKEY option indicates that the ticket for the end server is to be encrypted in the session key from the additional ticket-granting ticket provided.
handle |
shishi handle as allocated by |
|
kdcreq |
KDC-REQ variable to get kdc-options field from. |
int shishi_kdcreq_renew_p (Shishi *handle
,Shishi_asn1 kdcreq
);
Determine if KDC-Option renew flag is set.
This option is used only by the ticket-granting service. The RENEW option indicates that the present request is for a renewal. The ticket provided is encrypted in the secret key for the server on which it is valid. This option will only be honored if the ticket to be renewed has its RENEWABLE flag set and if the time in its renew-till field has not passed. The ticket to be renewed is passed in the padata field as part of the authentication header.
handle |
shishi handle as allocated by |
|
kdcreq |
KDC-REQ variable to get kdc-options field from. |
int shishi_kdcreq_validate_p (Shishi *handle
,Shishi_asn1 kdcreq
);
Determine if KDC-Option validate flag is set.
This option is used only by the ticket-granting service. The VALIDATE option indicates that the request is to validate a postdated ticket. It will only be honored if the ticket presented is postdated, presently has its INVALID flag set, and would be otherwise usable at this time. A ticket cannot be validated before its starttime. The ticket presented for validation is encrypted in the key of the server for which it is valid and is passed in the padata field as part of the authentication header.
handle |
shishi handle as allocated by |
|
kdcreq |
KDC-REQ variable to get kdc-options field from. |
int shishi_kdcreq_options_set (Shishi *handle
,Shishi_asn1 kdcreq
,uint32_t options
);
Set options in KDC-REQ. Note that this reset any already existing flags.
handle |
shishi handle as allocated by |
|
kdcreq |
KDC-REQ variable to set etype field in. |
|
options |
integer with flags to store in KDC-REQ. |
int shishi_kdcreq_options_add (Shishi *handle
,Shishi_asn1 kdcreq
,uint32_t option
);
Add KDC-Option to KDC-REQ. This preserves all existing options.
handle |
shishi handle as allocated by |
|
kdcreq |
KDC-REQ variable to set etype field in. |
|
option |
integer with options to add in KDC-REQ. |
int shishi_kdcreq_clear_padata (Shishi *handle
,Shishi_asn1 kdcreq
);
Remove the padata field from KDC-REQ.
handle |
shishi handle as allocated by |
|
kdcreq |
KDC-REQ to remove PA-DATA from. |
int shishi_kdcreq_get_padata (Shishi *handle
,Shishi_asn1 kdcreq
,Shishi_padata_type padatatype
,char **out
,size_t *outlen
);
Get pre authentication data (PA-DATA) from KDC-REQ. Pre authentication data is used to pass various information to KDC, such as in case of a SHISHI_PA_TGS_REQ padatatype the AP-REQ that authenticates the user to get the ticket.
handle |
shishi handle as allocated by |
|
kdcreq |
KDC-REQ to get PA-DATA from. |
|
padatatype |
type of PA-DATA, see Shishi_padata_type. |
|
out |
output array with newly allocated PA-DATA value. |
|
outlen |
size of output array with PA-DATA value. |
int shishi_kdcreq_get_padata_tgs (Shishi *handle
,Shishi_asn1 kdcreq
,Shishi_asn1 *apreq
);
Extract TGS pre-authentication data from KDC-REQ. The data is an
AP-REQ that authenticates the request. This function call
shishi_kdcreq_get_padata()
with a SHISHI_PA_TGS_REQ padatatype and
DER decode the result (if any).
handle |
shishi handle as allocated by |
|
kdcreq |
KDC-REQ to get PA-TGS-REQ from. |
|
apreq |
Output variable with newly allocated AP-REQ. |
int shishi_kdcreq_add_padata (Shishi *handle
,Shishi_asn1 kdcreq
,int padatatype
,const char *data
,size_t datalen
);
Add new pre authentication data (PA-DATA) to KDC-REQ. This is used
to pass various information to KDC, such as in case of a
SHISHI_PA_TGS_REQ padatatype the AP-REQ that authenticates the user
to get the ticket. (But also see shishi_kdcreq_add_padata_tgs()
which takes an AP-REQ directly.)
handle |
shishi handle as allocated by |
|
kdcreq |
KDC-REQ to add PA-DATA to. |
|
padatatype |
type of PA-DATA, see Shishi_padata_type. |
|
data |
input array with PA-DATA value. |
|
datalen |
size of input array with PA-DATA value. |
int shishi_kdcreq_add_padata_tgs (Shishi *handle
,Shishi_asn1 kdcreq
,Shishi_asn1 apreq
);
Add TGS pre-authentication data to KDC-REQ. The data is an AP-REQ
that authenticates the request. This functions simply DER encodes
the AP-REQ and calls shishi_kdcreq_add_padata()
with a
SHISHI_PA_TGS_REQ padatatype.
handle |
shishi handle as allocated by |
|
kdcreq |
KDC-REQ to add PA-DATA to. |
|
apreq |
AP-REQ to add as PA-DATA. |
int shishi_kdcreq_add_padata_preauth (Shishi *handle
,Shishi_asn1 kdcreq
,Shishi_key *key
);
Add pre-authentication data to KDC-REQ.
handle |
shishi handle as allocated by |
|
kdcreq |
KDC-REQ to add pre-authentication data to. |
|
key |
Key used to encrypt pre-auth data. |
int shishi_as_derive_salt (Shishi *handle
,Shishi_asn1 asreq
,Shishi_asn1 asrep
,char **salt
,size_t *saltlen
);
Computes the salt that should be used when deriving a key via
shishi_string_to_key()
for an AS exchange. Currently this
searches for PA-DATA of type SHISHI_PA_PW_SALT
in the AS-REP
provided by asrep
, and if present returns it. Otherwise the
salt is composed from the client name and the realm, both are
extracted from the request asreq
.
handle |
Shishi handle as allocated by |
|
asreq |
Input AS-REQ variable. |
|
asrep |
Input AS-REP variable. |
|
salt |
Returned pointer to newly allocated output array. |
|
saltlen |
Pointer to integer, returning size of output array. |
int shishi_tgs_process (Shishi *handle
,Shishi_asn1 tgsreq
,Shishi_asn1 tgsrep
,Shishi_asn1 authenticator
,Shishi_asn1 oldenckdcreppart
,Shishi_asn1 *enckdcreppart
);
Processes a TGS client exchange and outputs the decrypted
EncKDCRepPart, holding details about the received ticket.
This function simply derives the encryption key from the
ticket used to construct the original TGS request, and then
calls shishi_kdc_process()
.
handle |
Shishi handle as allocated by |
|
tgsreq |
Input variable holding the transmitted KDC-REQ. |
|
tgsrep |
Input variable holding the received KDC-REP. |
|
authenticator |
Input variable with an authenticator extracted
from the AP-REQ part of |
|
oldenckdcreppart |
Input variable with EncKDCRepPart used in the request. |
|
enckdcreppart |
Output variable holding the new EncKDCRepPart. |
Returns SHISHI_OK
if the TGS client exchange
was successful. Failures include ASN.1 and TGS conditions.
int shishi_as_process (Shishi *handle
,Shishi_asn1 asreq
,Shishi_asn1 asrep
,const char *string
,Shishi_asn1 *enckdcreppart
);
Processes an AS client exchange and returns the decrypted
EncKDCRepPart, holding details about the received ticket.
This function simply derives the encryption key from the
password, and then calls shishi_kdc_process()
.
handle |
Shishi handle as allocated by |
|
asreq |
Input variable holding the transmitted KDC-REQ. |
|
asrep |
Input variable holding the received KDC-REP. |
|
string |
Input variable with a null terminated password. |
|
enckdcreppart |
Output variable returning a new EncKDCRepPart. |
Returns SHISHI_OK
if the AS client exchange was
successful. Multiple failure conditions are possible.
int shishi_kdc_process (Shishi *handle
,Shishi_asn1 kdcreq
,Shishi_asn1 kdcrep
,Shishi_key *key
,int keyusage
,Shishi_asn1 *enckdcreppart
);
Processes a KDC client exchange and extracts a decrypted
EncKDCRepPart, holding details about the received ticket.
Use shishi_kdcrep_get_ticket()
to extract the ticket itself.
This function verifies the various conditions that must hold
if the response is to be considered valid. In particular,
it compares nonces (using shishi_kdc_check_nonce()
), and if
the exchange was an AS exchange, it also checks cname and
crealm (using shishi_as_check_cname()
, shishi_as_check_crealm()
).
Usually shishi_as_process()
and shishi_tgs_process()
should be
used instead of this call, since they simplify computation of
the decryption key.
handle |
Shishi handle as allocated by |
|
kdcreq |
Input variable holding the transmitted KDC-REQ. |
|
kdcrep |
Input variable holding the received KDC-REP. |
|
key |
Input pointet to key for decrypting parts of |
|
keyusage |
Kerberos key usage code. |
|
enckdcreppart |
Output pointer for the extracted EncKDCRepPart. |
Returns SHISHI_OK
if the KDC client exchange was
successful. Multiple failure conditions are possible.
int shishi_kdcreq_sendrecv (Shishi *handle
,Shishi_asn1 kdcreq
,Shishi_asn1 *kdcrep
);
Sends a request to KDC, and receives the response.
The provided AS-REQ, in kdcreq
, sets all data for the
request. On reception the reply is decoded as AS-REP
into kdcrep
.
handle |
Shishi library handle created by |
|
kdcreq |
Input variable with a prepared AS-REQ. |
|
kdcrep |
Output pointer variable returning received AS-REP. |
Return code is SHISHI_OK
on success,
SHISHI_KDC_TIMEOUT
on timeouts, SHISHI_ASN1_ERROR
on
translation errors, and SHISHI_GOT_KRBERROR
for other
corruptions.
int shishi_kdcreq_sendrecv_hint (Shishi *handle
,Shishi_asn1 kdcreq
,Shishi_asn1 *kdcrep
,Shishi_tkts_hint *hint
);
Sends a request to KDC, and receives the response.
The provided request kdcreq
and the hints structure hint
,
together determine transmitted data. On reception the reply
is decoded as AS-REP into kdcrep
.
handle |
Shishi library handle created by |
|
kdcreq |
Input variable with a prepared AS-REQ. |
|
kdcrep |
Output pointer variable for decoded AS-REP. |
|
hint |
Input Shishi_tkts_hint structure with flags. |
Return code is SHISHI_OK
on success,
SHISHI_KDC_TIMEOUT
on timeouts, SHISHI_ASN1_ERROR
on
translation errors, and SHISHI_GOT_KRBERROR
for other
corruptions.
int shishi_kdc_copy_crealm (Shishi *handle
,Shishi_asn1 kdcrep
,Shishi_asn1 encticketpart
);
Reads the field "crealm" from the ticket encticketpart
and copies the value into the reply kdcrep
.
handle |
Shishi handle as allocated by |
|
kdcrep |
KDC-REP where the field "crealm" is updated. |
|
encticketpart |
EncTicketPart providing "crealm" field. |
int shishi_as_check_crealm (Shishi *handle
,Shishi_asn1 asreq
,Shishi_asn1 asrep
);
Verifies that the fields asreq.req
-body.realm and asrep.crealm
contain identical realm names. This is one of the steps that
has to be performed when processing an exchange of AS-REQ and
AS-REP; see shishi_kdc_process()
for more details.
handle |
Shishi handle as allocated by |
|
asreq |
Request of type AS-REQ. |
|
asrep |
Reply structure of type AS-REP. |
Returns SHISHI_OK
if successful,
SHISHI_REALM_MISMATCH
whenever the realm names differ,
and an error code otherwise.
int shishi_kdc_copy_cname (Shishi *handle
,Shishi_asn1 kdcrep
,Shishi_asn1 encticketpart
);
Reads the field "cname" from the ticket encticketpart
and copies the value into the reply kdcrep
.
handle |
Shishi handle as allocated by |
|
kdcrep |
KDC-REP where the field "cname" is updated. |
|
encticketpart |
EncTicketPart providing "cname" field. |
int shishi_as_check_cname (Shishi *handle
,Shishi_asn1 asreq
,Shishi_asn1 asrep
);
Verifies that the fields asreq.req
-body.cname and asrep.cname
contain identical names. This is one of the steps that has to
be performed when processing an exchange of AS-REQ and AS-REP;
see shishi_kdc_process()
for more details.
handle |
Shishi handle as allocated by |
|
asreq |
Request of type AS-REQ. |
|
asrep |
Reply structure of type AS-REP. |
Returns SHISHI_OK
if successful,
SHISHI_CNAME_MISMATCH
if the names differ,
and an error code otherwise.
int shishi_kdc_copy_nonce (Shishi *handle
,Shishi_asn1 kdcreq
,Shishi_asn1 enckdcreppart
);
Sets the field "nonce" in enckdcreppart
to a value retreived
from the corresponding field in kdcreq
.
handle |
Shishi handle as allocated by |
|
kdcreq |
KDC-REQ providing "nonce" field. |
|
enckdcreppart |
EncKDCRepPart where "nonce" field is updated. |
int shishi_kdc_check_nonce (Shishi *handle
,Shishi_asn1 kdcreq
,Shishi_asn1 enckdcreppart
);
Verifies that kdcreq.req
-body.nonce and enckdcreppart.nonce
contain matching values. This is one of the steps that has to
be performed when processing an exchange of KDC-REQ and KDC-REP.
handle |
Shishi handle as allocated by |
|
kdcreq |
Request of type KDC-REQ. |
|
enckdcreppart |
Encrypted KDC-REP part. |
Returns SHISHI_OK
if successful,
SHISHI_NONCE_MISMATCH
whenever the nonces are of
differing lengths (usually a sign that a buggy server
truncates the nonce to 4 bytes) and the same code if the
nonce values differ, or an error code otherwise.
Shishi_asn1
shishi_asrep (Shishi *handle
);
This function creates a new AS-REP, populated with some default values.
Shishi_asn1
shishi_tgsrep (Shishi *handle
);
This function creates a new TGS-REP, populated with some default values.
int shishi_kdcrep_save (Shishi *handle
,FILE *fh
,Shishi_asn1 kdcrep
);
Print DER encoding of KDC-REP to file.
handle |
shishi handle as allocated by |
|
fh |
file handle open for writing. |
|
kdcrep |
KDC-REP to save. |
int shishi_kdcrep_print (Shishi *handle
,FILE *fh
,Shishi_asn1 kdcrep
);
Print ASCII armored DER encoding of KDC-REP to file.
handle |
shishi handle as allocated by |
|
fh |
file handle open for writing. |
|
kdcrep |
KDC-REP to print. |
int shishi_kdcrep_to_file (Shishi *handle
,Shishi_asn1 kdcrep
,int filetype
,const char *filename
);
Write KDC-REP to file in specified TYPE. The file will be truncated if it exists.
handle |
shishi handle as allocated by |
|
kdcrep |
KDC-REP to save. |
|
filetype |
input variable specifying type of file to be written, see Shishi_filetype. |
|
filename |
input variable with filename to write to. |
int shishi_kdcrep_parse (Shishi *handle
,FILE *fh
,Shishi_asn1 *kdcrep
);
Read ASCII armored DER encoded KDC-REP from file and populate given variable.
handle |
shishi handle as allocated by |
|
fh |
file handle open for reading. |
|
kdcrep |
output variable with newly allocated KDC-REP. |
int shishi_kdcrep_read (Shishi *handle
,FILE *fh
,Shishi_asn1 *kdcrep
);
Read DER encoded KDC-REP from file and populate given variable.
handle |
shishi handle as allocated by |
|
fh |
file handle open for reading. |
|
kdcrep |
output variable with newly allocated KDC-REP. |
int shishi_kdcrep_from_file (Shishi *handle
,Shishi_asn1 *kdcrep
,int filetype
,const char *filename
);
Read KDC-REP from file in specified TYPE.
handle |
shishi handle as allocated by |
|
kdcrep |
output variable with newly allocated KDC-REP. |
|
filetype |
input variable specifying type of file to be read, see Shishi_filetype. |
|
filename |
input variable with filename to read from. |
int shishi_kdcrep_clear_padata (Shishi *handle
,Shishi_asn1 kdcrep
);
Remove the padata field from KDC-REP.
handle |
shishi handle as allocated by |
|
kdcrep |
KDC-REP to remove PA-DATA from. |
int shishi_kdcrep_get_enc_part_etype (Shishi *handle
,Shishi_asn1 kdcrep
,int32_t *etype
);
Extract KDC-REP.enc-part.etype.
handle |
shishi handle as allocated by |
|
kdcrep |
KDC-REP variable to get value from. |
|
etype |
output variable that holds the value. |
int shishi_kdcrep_add_enc_part (Shishi *handle
,Shishi_asn1 kdcrep
,Shishi_key *key
,int keyusage
,Shishi_asn1 enckdcreppart
);
Encrypts DER encoded EncKDCRepPart using key and stores it in the KDC-REP.
handle |
shishi handle as allocated by |
|
kdcrep |
KDC-REP to add enc-part field to. |
|
key |
key used to encrypt enc-part. |
|
keyusage |
key usage to use, normally SHISHI_KEYUSAGE_ENCASREPPART, SHISHI_KEYUSAGE_ENCTGSREPPART_SESSION_KEY or SHISHI_KEYUSAGE_ENCTGSREPPART_AUTHENTICATOR_KEY. |
|
enckdcreppart |
EncKDCRepPart to add. |
int shishi_kdcrep_get_ticket (Shishi *handle
,Shishi_asn1 kdcrep
,Shishi_asn1 *ticket
);
Extract ticket from KDC-REP.
handle |
shishi handle as allocated by |
|
kdcrep |
KDC-REP variable to get ticket from. |
|
ticket |
output variable to hold extracted ticket. |
int shishi_kdcrep_set_ticket (Shishi *handle
,Shishi_asn1 kdcrep
,Shishi_asn1 ticket
);
Copy ticket into KDC-REP.
handle |
shishi handle as allocated by |
|
kdcrep |
KDC-REP to add ticket field to. |
|
ticket |
input ticket to copy into KDC-REP ticket field. |
int shishi_kdcrep_crealm_set (Shishi *handle
,Shishi_asn1 kdcrep
,const char *crealm
);
Set the client realm field in the KDC-REP.
handle |
shishi handle as allocated by |
|
kdcrep |
Kdcrep variable to set realm field in. |
|
crealm |
input array with name of realm. |
int shishi_kdcrep_cname_set (Shishi *handle
,Shishi_asn1 kdcrep
,Shishi_name_type name_type
,const char *cname[]
);
Set the client name field in the KDC-REP.
handle |
shishi handle as allocated by |
|
kdcrep |
Kdcrep variable to set server name field in. |
|
name_type |
type of principial, see Shishi_name_type, usually SHISHI_NT_UNKNOWN. |
|
cname |
input array with principal name. |
int shishi_kdcrep_client_set (Shishi *handle
,Shishi_asn1 kdcrep
,const char *client
);
Set the client name field in the KDC-REP.
handle |
shishi handle as allocated by |
|
kdcrep |
Kdcrep variable to set server name field in. |
|
client |
zero-terminated string with principal name on RFC 1964 form. |
int shishi_kdcrep_crealmserver_set (Shishi *handle
,Shishi_asn1 kdcrep
,const char *crealm
,const char *client
);
int shishi_kdcrep_set_enc_part (Shishi *handle
,Shishi_asn1 kdcrep
,int32_t etype
,uint32_t kvno
,const char *buf
,size_t buflen
);
Set the encrypted enc-part field in the KDC-REP. The encrypted
data is usually created by calling shishi_encrypt()
on the DER
encoded enc-part. To save time, you may want to use
shishi_kdcrep_add_enc_part()
instead, which calculates the
encrypted data and calls this function in one step.
handle |
shishi handle as allocated by |
|
kdcrep |
KDC-REP to add enc-part field to. |
|
etype |
encryption type used to encrypt enc-part. |
|
kvno |
key version number. |
|
buf |
input array with encrypted enc-part. |
|
buflen |
size of input array with encrypted enc-part. |
int shishi_kdcrep_decrypt (Shishi *handle
,Shishi_asn1 kdcrep
,Shishi_key *key
,int keyusage
,Shishi_asn1 *enckdcreppart
);
int shishi_enckdcreppart_get_key (Shishi *handle
,Shishi_asn1 enckdcreppart
,Shishi_key **key
);
Extract the key to use with the ticket sent in the KDC-REP associated with the EncKDCRepPart input variable.
handle |
shishi handle as allocated by |
|
enckdcreppart |
input EncKDCRepPart variable. |
|
key |
newly allocated encryption key handle. |
int shishi_enckdcreppart_key_set (Shishi *handle
,Shishi_asn1 enckdcreppart
,Shishi_key *key
);
Set the EncKDCRepPart.key field to key type and value of supplied key.
handle |
shishi handle as allocated by |
|
enckdcreppart |
input EncKDCRepPart variable. |
|
key |
key handle with information to store in enckdcreppart. |
int shishi_enckdcreppart_nonce_set (Shishi *handle
,Shishi_asn1 enckdcreppart
,uint32_t nonce
);
Set the EncKDCRepPart.nonce field.
handle |
shishi handle as allocated by |
|
enckdcreppart |
input EncKDCRepPart variable. |
|
nonce |
nonce to set in EncKDCRepPart. |
int shishi_enckdcreppart_flags_set (Shishi *handle
,Shishi_asn1 enckdcreppart
,int flags
);
Set the EncKDCRepPart.flags field.
handle |
shishi handle as allocated by |
|
enckdcreppart |
input EncKDCRepPart variable. |
|
flags |
flags to set in EncKDCRepPart. |
int shishi_enckdcreppart_authtime_set (Shishi *handle
,Shishi_asn1 enckdcreppart
,const char *authtime
);
Set the EncTicketPart.authtime to supplied value.
handle |
shishi handle as allocated by |
|
enckdcreppart |
input EncKDCRepPart variable. |
|
authtime |
character buffer containing a generalized time string. |
int shishi_enckdcreppart_starttime_set (Shishi *handle
,Shishi_asn1 enckdcreppart
,const char *starttime
);
Set the EncTicketPart.starttime to supplied value. Use a NULL
value for starttime
to remove the field.
handle |
shishi handle as allocated by |
|
enckdcreppart |
input EncKDCRepPart variable. |
|
starttime |
character buffer containing a generalized time string. |
int shishi_enckdcreppart_endtime_set (Shishi *handle
,Shishi_asn1 enckdcreppart
,const char *endtime
);
Set the EncTicketPart.endtime to supplied value.
handle |
shishi handle as allocated by |
|
enckdcreppart |
input EncKDCRepPart variable. |
|
endtime |
character buffer containing a generalized time string. |
int shishi_enckdcreppart_renew_till_set (Shishi *handle
,Shishi_asn1 enckdcreppart
,const char *renew_till
);
Set the EncTicketPart.renew-till to supplied value. Use a NULL
value for renew_till
to remove the field.
handle |
shishi handle as allocated by |
|
enckdcreppart |
input EncKDCRepPart variable. |
|
renew_till |
character buffer containing a generalized time string. |
int shishi_enckdcreppart_srealm_set (Shishi *handle
,Shishi_asn1 enckdcreppart
,const char *srealm
);
Set the server realm field in the EncKDCRepPart.
handle |
shishi handle as allocated by |
|
enckdcreppart |
EncKDCRepPart variable to set realm field in. |
|
srealm |
input array with name of realm. |
int shishi_enckdcreppart_sname_set (Shishi *handle
,Shishi_asn1 enckdcreppart
,Shishi_name_type name_type
,char *sname[]
);
Set the server name field in the EncKDCRepPart.
handle |
shishi handle as allocated by |
|
enckdcreppart |
EncKDCRepPart variable to set server name field in. |
|
name_type |
type of principial, see Shishi_name_type, usually SHISHI_NT_UNKNOWN. |
|
sname |
input array with principal name. |
int shishi_enckdcreppart_server_set (Shishi *handle
,Shishi_asn1 enckdcreppart
,const char *server
);
int shishi_enckdcreppart_srealmserver_set (Shishi *handle
,Shishi_asn1 enckdcreppart
,const char *srealm
,const char *server
);
int shishi_enckdcreppart_populate_encticketpart (Shishi *handle
,Shishi_asn1 enckdcreppart
,Shishi_asn1 encticketpart
);
Set the flags, authtime, starttime, endtime, renew-till and caddr fields of the EncKDCRepPart to the corresponding values in the EncTicketPart.
handle |
shishi handle as allocated by |
|
enckdcreppart |
input EncKDCRepPart variable. |
|
encticketpart |
input EncTicketPart variable. |
Shishi_asn1
shishi_krberror (Shishi *handle
);
This function creates a new KRB-ERROR, populated with some default values.
int shishi_krberror_print (Shishi *handle
,FILE *fh
,Shishi_asn1 krberror
);
Print ASCII armored DER encoding of KRB-ERROR to file.
handle |
shishi handle as allocated by |
|
fh |
file handle open for writing. |
|
krberror |
KRB-ERROR to print. |
int shishi_krberror_save (Shishi *handle
,FILE *fh
,Shishi_asn1 krberror
);
Save DER encoding of KRB-ERROR to file.
handle |
shishi handle as allocated by |
|
fh |
file handle open for writing. |
|
krberror |
KRB-ERROR to save. |
int shishi_krberror_to_file (Shishi *handle
,Shishi_asn1 krberror
,int filetype
,const char *filename
);
Write KRB-ERROR to file in specified TYPE. The file will be truncated if it exists.
handle |
shishi handle as allocated by |
|
krberror |
KRB-ERROR to save. |
|
filetype |
input variable specifying type of file to be written, see Shishi_filetype. |
|
filename |
input variable with filename to write to. |
int shishi_krberror_parse (Shishi *handle
,FILE *fh
,Shishi_asn1 *krberror
);
Read ASCII armored DER encoded KRB-ERROR from file and populate given variable.
handle |
shishi handle as allocated by |
|
fh |
file handle open for reading. |
|
krberror |
output variable with newly allocated KRB-ERROR. |
int shishi_krberror_read (Shishi *handle
,FILE *fh
,Shishi_asn1 *krberror
);
Read DER encoded KRB-ERROR from file and populate given variable.
handle |
shishi handle as allocated by |
|
fh |
file handle open for reading. |
|
krberror |
output variable with newly allocated KRB-ERROR. |
int shishi_krberror_from_file (Shishi *handle
,Shishi_asn1 *krberror
,int filetype
,const char *filename
);
Read KRB-ERROR from file in specified TYPE.
handle |
shishi handle as allocated by |
|
krberror |
output variable with newly allocated KRB-ERROR. |
|
filetype |
input variable specifying type of file to be read, see Shishi_filetype. |
|
filename |
input variable with filename to read from. |
int shishi_krberror_build (Shishi *handle
,Shishi_asn1 krberror
);
Finish KRB-ERROR, called before e.g. shishi_krberror_der. This function removes empty but OPTIONAL fields (such as cname), and
handle |
shishi handle as allocated by |
|
krberror |
krberror as allocated by |
int shishi_krberror_der (Shishi *handle
,Shishi_asn1 krberror
,char **out
,size_t *outlen
);
DER encode KRB-ERROR. The caller must deallocate the OUT buffer.
handle |
shishi handle as allocated by |
|
krberror |
krberror as allocated by |
|
out |
output array with newly allocated DER encoding of KRB-ERROR. |
|
outlen |
length of output array with DER encoding of KRB-ERROR. |
int shishi_krberror_crealm (Shishi *handle
,Shishi_asn1 krberror
,char **realm
,size_t *realmlen
);
Extract client realm from KRB-ERROR.
handle |
shishi handle as allocated by |
|
krberror |
krberror as allocated by |
|
realm |
output array with newly allocated name of realm in KRB-ERROR. |
|
realmlen |
size of output array. |
int shishi_krberror_remove_crealm (Shishi *handle
,Shishi_asn1 krberror
);
Remove client realm field in KRB-ERROR.
handle |
shishi handle as allocated by |
|
krberror |
krberror as allocated by |
int shishi_krberror_set_crealm (Shishi *handle
,Shishi_asn1 krberror
,const char *crealm
);
Set realm field in krberror to specified value.
handle |
shishi handle as allocated by |
|
krberror |
krberror as allocated by |
|
crealm |
input array with realm. |
int shishi_krberror_client (Shishi *handle
,Shishi_asn1 krberror
,char **client
,size_t *clientlen
);
Return client principal name in KRB-ERROR.
handle |
shishi handle as allocated by |
|
krberror |
krberror as allocated by |
|
client |
pointer to newly allocated zero terminated string containing
principal name. May be |
|
clientlen |
pointer to length of |
int shishi_krberror_set_cname (Shishi *handle
,Shishi_asn1 krberror
,Shishi_name_type name_type
,const char *cname[]
);
Set principal field in krberror to specified value.
handle |
shishi handle as allocated by |
|
krberror |
krberror as allocated by |
|
name_type |
type of principial, see Shishi_name_type, usually SHISHI_NT_UNKNOWN. |
|
cname |
input array with principal name. |
int shishi_krberror_remove_cname (Shishi *handle
,Shishi_asn1 krberror
);
Remove client realm field in KRB-ERROR.
handle |
shishi handle as allocated by |
|
krberror |
krberror as allocated by |
int shishi_krberror_client_set (Shishi *handle
,Shishi_asn1 krberror
,const char *client
);
Set the client name field in the Krberror.
handle |
shishi handle as allocated by |
|
krberror |
Krberror to set client name field in. |
|
client |
zero-terminated string with principal name on RFC 1964 form. |
int shishi_krberror_realm (Shishi *handle
,Shishi_asn1 krberror
,char **realm
,size_t *realmlen
);
Extract (server) realm from KRB-ERROR.
handle |
shishi handle as allocated by |
|
krberror |
krberror as allocated by |
|
realm |
output array with newly allocated name of realm in KRB-ERROR. |
|
realmlen |
size of output array. |
int shishi_krberror_set_realm (Shishi *handle
,Shishi_asn1 krberror
,const char *realm
);
Set (server) realm field in krberror to specified value.
handle |
shishi handle as allocated by |
|
krberror |
krberror as allocated by |
|
realm |
input array with (server) realm. |
int shishi_krberror_server (Shishi *handle
,Shishi_asn1 krberror
,char **server
,size_t *serverlen
);
Return server principal name in KRB-ERROR.
handle |
shishi handle as allocated by |
|
krberror |
krberror as allocated by |
|
server |
pointer to newly allocated zero terminated string containing
server name. May be |
|
serverlen |
pointer to length of |
int shishi_krberror_remove_sname (Shishi *handle
,Shishi_asn1 krberror
);
Remove server name field in KRB-ERROR. (Since it is not marked OPTIONAL in the ASN.1 profile, what is done is to set the name-type to UNKNOWN and make sure the name-string sequence is empty.)
handle |
shishi handle as allocated by |
|
krberror |
Krberror to set server name field in. |
int shishi_krberror_set_sname (Shishi *handle
,Shishi_asn1 krberror
,Shishi_name_type name_type
,const char *sname[]
);
Set principal field in krberror to specified value.
handle |
shishi handle as allocated by |
|
krberror |
krberror as allocated by |
|
name_type |
type of principial, see Shishi_name_type, usually SHISHI_NT_UNKNOWN. |
|
sname |
input array with principal name. |
int shishi_krberror_server_set (Shishi *handle
,Shishi_asn1 krberror
,const char *server
);
Set the server name field in the Krberror.
handle |
shishi handle as allocated by |
|
krberror |
Krberror to set server name field in. |
|
server |
zero-terminated string with principal name on RFC 1964 form. |
int shishi_krberror_ctime (Shishi *handle
,Shishi_asn1 krberror
,char **t
);
Extract client time from KRB-ERROR.
handle |
shishi handle as allocated by |
|
krberror |
Krberror to set client name field in. |
|
t |
newly allocated zero-terminated output array with client time. |
int shishi_krberror_ctime_set (Shishi *handle
,Shishi_asn1 krberror
,const char *t
);
Store client time in Krberror.
handle |
shishi handle as allocated by |
|
krberror |
Krberror as allocated by |
|
t |
string with generalized time value to store in Krberror. |
int shishi_krberror_remove_ctime (Shishi *handle
,Shishi_asn1 krberror
);
Remove client time field in Krberror.
handle |
shishi handle as allocated by |
|
krberror |
Krberror as allocated by |
int shishi_krberror_cusec (Shishi *handle
,Shishi_asn1 krberror
,uint32_t *cusec
);
Extract client microseconds field from Krberror.
handle |
shishi handle as allocated by |
|
krberror |
Krberror as allocated by |
|
cusec |
output integer with client microseconds field. |
int shishi_krberror_cusec_set (Shishi *handle
,Shishi_asn1 krberror
,uint32_t cusec
);
Set the cusec field in the Krberror.
handle |
shishi handle as allocated by |
|
krberror |
krberror as allocated by |
|
cusec |
client microseconds to set in krberror, 0-999999. |
int shishi_krberror_remove_cusec (Shishi *handle
,Shishi_asn1 krberror
);
Remove client usec field in Krberror.
handle |
shishi handle as allocated by |
|
krberror |
Krberror as allocated by |
int shishi_krberror_stime (Shishi *handle
,Shishi_asn1 krberror
,char **t
);
Extract server time from KRB-ERROR.
handle |
shishi handle as allocated by |
|
krberror |
Krberror to set client name field in. |
|
t |
newly allocated zero-terminated output array with server time. |
int shishi_krberror_stime_set (Shishi *handle
,Shishi_asn1 krberror
,const char *t
);
Store server time in Krberror.
handle |
shishi handle as allocated by |
|
krberror |
Krberror as allocated by |
|
t |
string with generalized time value to store in Krberror. |
int shishi_krberror_susec (Shishi *handle
,Shishi_asn1 krberror
,uint32_t *susec
);
Extract server microseconds field from Krberror.
handle |
shishi handle as allocated by |
|
krberror |
Krberror as allocated by |
|
susec |
output integer with server microseconds field. |
int shishi_krberror_susec_set (Shishi *handle
,Shishi_asn1 krberror
,uint32_t susec
);
Set the susec field in the Krberror.
handle |
shishi handle as allocated by |
|
krberror |
krberror as allocated by |
|
susec |
server microseconds to set in krberror, 0-999999. |
int shishi_krberror_errorcode_set (Shishi *handle
,Shishi_asn1 krberror
,int errorcode
);
Set the error-code field to a new error code.
handle |
shishi handle as allocated by |
|
krberror |
KRB-ERROR structure with error code to set. |
|
errorcode |
new error code to set in krberror. |
int shishi_krberror_etext (Shishi *handle
,Shishi_asn1 krberror
,char **etext
,size_t *etextlen
);
Extract additional error text from server (possibly empty).
handle |
shishi handle as allocated by |
|
krberror |
KRB-ERROR structure with error code. |
|
etext |
output array with newly allocated error text. |
|
etextlen |
output length of error text. |
int shishi_krberror_set_etext (Shishi *handle
,Shishi_asn1 krberror
,const char *etext
);
Set error text (e-text) field in KRB-ERROR to specified value.
handle |
shishi handle as allocated by |
|
krberror |
krberror as allocated by |
|
etext |
input array with error text to set. |
int shishi_krberror_remove_etext (Shishi *handle
,Shishi_asn1 krberror
);
Remove error text (e-text) field in KRB-ERROR.
handle |
shishi handle as allocated by |
|
krberror |
krberror as allocated by |
int shishi_krberror_edata (Shishi *handle
,Shishi_asn1 krberror
,char **edata
,size_t *edatalen
);
Extract additional error data from server (possibly empty).
handle |
shishi handle as allocated by |
|
krberror |
KRB-ERROR structure with error code. |
|
edata |
output array with newly allocated error data. |
|
edatalen |
output length of error data. |
int shishi_krberror_set_edata (Shishi *handle
,Shishi_asn1 krberror
,const char *edata
);
Set error text (e-data) field in KRB-ERROR to specified value.
handle |
shishi handle as allocated by |
|
krberror |
krberror as allocated by |
|
edata |
input array with error text to set. |
int shishi_krberror_remove_edata (Shishi *handle
,Shishi_asn1 krberror
);
Remove error text (e-data) field in KRB-ERROR.
handle |
shishi handle as allocated by |
|
krberror |
krberror as allocated by |
int shishi_krberror_errorcode (Shishi *handle
,Shishi_asn1 krberror
,int *errorcode
);
Extract error code from KRB-ERROR.
handle |
shishi handle as allocated by |
|
krberror |
KRB-ERROR structure with error code. |
|
errorcode |
output integer KRB-ERROR error code. |
int shishi_krberror_errorcode_fast (Shishi *handle
,Shishi_asn1 krberror
);
Get error code from KRB-ERROR, without error checking.
handle |
shishi handle as allocated by |
|
krberror |
KRB-ERROR structure with error code. |
int shishi_krberror_pretty_print (Shishi *handle
,FILE *fh
,Shishi_asn1 krberror
);
Print KRB-ERROR error condition and some explanatory text to file descriptor.
handle |
shishi handle as allocated by |
|
fh |
file handle opened for writing. |
|
krberror |
KRB-ERROR structure with error code. |
const char * shishi_krberror_errorcode_message (Shishi *handle
,int errorcode
);
Get human readable string describing KRB-ERROR code.
handle |
shishi handle as allocated by |
|
errorcode |
integer KRB-ERROR error code. |
const char * shishi_krberror_message (Shishi *handle
,Shishi_asn1 krberror
);
Extract error code (see shishi_krberror_errorcode_fast()
) and
return error message (see shishi_krberror_errorcode_message()
).
handle |
shishi handle as allocated by |
|
krberror |
KRB-ERROR structure with error code. |
int shishi_krberror_methoddata (Shishi *handle
,Shishi_asn1 krberror
,Shishi_asn1 *methoddata
);
Extract METHOD-DATA ASN.1 object from the e-data field. The e-data
field will only contain a METHOD-DATA if the krberror error code is
SHISHI_KDC_ERR_PREAUTH_REQUIRED
.
handle |
shishi handle as allocated by |
|
krberror |
KRB-ERROR structure with error code. |
|
methoddata |
output ASN.1 METHOD-DATA. |
const char * shishi_generalize_time (Shishi *handle
,time_t t
);
Converts C time t
to a KerberosTime string representation.
The returned string must not be deallocated by the caller.
const char *
shishi_generalize_now (Shishi *handle
);
Converts the current time to a KerberosTime string. The returned string must not be deallocated by the caller.
time_t shishi_generalize_ctime (Shishi *handle
,const char *t
);
Converts a KerberosTime formatted string in t
to
integral C time representation.
int shishi_time (Shishi *handle
,Shishi_asn1 node
,const char *field
,char **t
);
Extracts time information from an ASN.1 structure,
and to be precise, does so from the named field field
within the structure node
.
handle |
Shishi handle as allocated by |
|
node |
ASN.1 structure to get time from. |
|
field |
Name of the field in the ASN.1 node carrying time. |
|
t |
Returned pointer to an allocated char array containing a null-terminated time string. |
int shishi_ctime (Shishi *handle
,Shishi_asn1 node
,const char *field
,time_t *t
);
Extracts time information from an ASN.1 structure node
,
and from an arbitrary element field
of that structure.
handle |
Shishi handle as allocated by |
|
node |
ASN.1 structure to read field from. |
|
field |
Name of field in |
|
t |
Pointer to a C-time valued integer, being updated with the time value to be extracted. |
Returns SHISHI_OK
if successful,
SHISHI_ASN1_NO_ELEMENT
if the element does not exist,
SHISHI_ASN1_NO_VALUE
if the field has no value.
In all other cases, SHISHI_ASN1_ERROR
is returned.
int shishi_randomize (Shishi *handle
,int strong
,void *data
,size_t datalen
);
Store cryptographically random data of given size in the provided buffer.
handle |
shishi handle as allocated by |
|
strong |
0 iff operation should not block, non-0 for very strong randomness. |
|
data |
output array to be filled with random data. |
|
datalen |
size of output array. |
int shishi_crc (Shishi *handle
,const char *in
,size_t inlen
,char *out[4]
);
Compute checksum of data using CRC32 modified according to RFC
The out
buffer must be deallocated by the caller.
The modifications compared to standard CRC32 is that no initial and final XOR is performed, and that the output is returned in LSB-first order.
handle |
shishi handle as allocated by |
|
in |
input character array of data to checksum. |
|
inlen |
length of input character array of data to checksum. |
|
out |
newly allocated character array with checksum of data. |
int shishi_md4 (Shishi *handle
,const char *in
,size_t inlen
,char *out[16]
);
Compute hash of data using MD4. The out
buffer must be
deallocated by the caller.
handle |
shishi handle as allocated by |
|
in |
input character array of data to hash. |
|
inlen |
length of input character array of data to hash. |
|
out |
newly allocated character array with hash of data. |
int shishi_md5 (Shishi *handle
,const char *in
,size_t inlen
,char *out[16]
);
Compute hash of data using MD5. The out
buffer must be
deallocated by the caller.
handle |
shishi handle as allocated by |
|
in |
input character array of data to hash. |
|
inlen |
length of input character array of data to hash. |
|
out |
newly allocated character array with hash of data. |
int shishi_hmac_md5 (Shishi *handle
,const char *key
,size_t keylen
,const char *in
,size_t inlen
,char *outhash[16]
);
Compute keyed checksum of data using HMAC-MD5. The outhash
buffer
must be deallocated by the caller.
handle |
shishi handle as allocated by |
|
key |
input character array with key to use. |
|
keylen |
length of input character array with key to use. |
|
in |
input character array of data to hash. |
|
inlen |
length of input character array of data to hash. |
|
outhash |
newly allocated character array with keyed hash of data. |
int shishi_hmac_sha1 (Shishi *handle
,const char *key
,size_t keylen
,const char *in
,size_t inlen
,char *outhash[20]
);
Compute keyed checksum of data using HMAC-SHA1. The outhash
buffer must be deallocated by the caller.
handle |
shishi handle as allocated by |
|
key |
input character array with key to use. |
|
keylen |
length of input character array with key to use. |
|
in |
input character array of data to hash. |
|
inlen |
length of input character array of data to hash. |
|
outhash |
newly allocated character array with keyed hash of data. |
int shishi_des_cbc_mac (Shishi *handle
,const char key[8]
,const char iv[8]
,const char *in
,size_t inlen
,char *out[8]
);
Computed keyed checksum of data using DES-CBC-MAC. The out
buffer
must be deallocated by the caller.
handle |
shishi handle as allocated by |
|
key |
input character array with key to use. |
|
iv |
input character array with initialization vector to use, can be NULL. |
|
in |
input character array of data to hash. |
|
inlen |
length of input character array of data to hash. |
|
out |
newly allocated character array with keyed hash of data. |
int shishi_arcfour (Shishi *handle
,int decryptp
,const char *key
,size_t keylen
,const char iv[258]
,char *ivout[258]
,const char *in
,size_t inlen
,char **out
);
Encrypt or decrypt data (depending on decryptp
) using ARCFOUR.
The out
buffer must be deallocated by the caller.
The "initialization vector" used here is the concatenation of the sbox and i and j, and is thus always of size 256 + 1 + 1. This is a slight abuse of terminology, and assumes you know what you are doing. Don't use it if you can avoid to.
handle |
shishi handle as allocated by |
|
decryptp |
0 to indicate encryption, non-0 to indicate decryption. |
|
key |
input character array with key to use. |
|
keylen |
length of input key array. |
|
iv |
input character array with initialization vector to use, or NULL. |
|
ivout |
output character array with updated initialization vector, or NULL. |
|
in |
input character array of data to encrypt/decrypt. |
|
inlen |
length of input character array of data to encrypt/decrypt. |
|
out |
newly allocated character array with encrypted/decrypted data. |
int shishi_des (Shishi *handle
,int decryptp
,const char key[8]
,const char iv[8]
,char *ivout[8]
,const char *in
,size_t inlen
,char **out
);
Encrypt or decrypt data (depending on decryptp
) using DES in CBC
mode. The out
buffer must be deallocated by the caller.
handle |
shishi handle as allocated by |
|
decryptp |
0 to indicate encryption, non-0 to indicate decryption. |
|
key |
input character array with key to use. |
|
iv |
input character array with initialization vector to use, or NULL. |
|
ivout |
output character array with updated initialization vector, or NULL. |
|
in |
input character array of data to encrypt/decrypt. |
|
inlen |
length of input character array of data to encrypt/decrypt. |
|
out |
newly allocated character array with encrypted/decrypted data. |
int shishi_3des (Shishi *handle
,int decryptp
,const char key[24]
,const char iv[8]
,char *ivout[8]
,const char *in
,size_t inlen
,char **out
);
Encrypt or decrypt data (depending on decryptp
) using 3DES in CBC
mode. The out
buffer must be deallocated by the caller.
handle |
shishi handle as allocated by |
|
decryptp |
0 to indicate encryption, non-0 to indicate decryption. |
|
key |
input character array with key to use. |
|
iv |
input character array with initialization vector to use, or NULL. |
|
ivout |
output character array with updated initialization vector, or NULL. |
|
in |
input character array of data to encrypt/decrypt. |
|
inlen |
length of input character array of data to encrypt/decrypt. |
|
out |
newly allocated character array with encrypted/decrypted data. |
int shishi_aes_cts (Shishi *handle
,int decryptp
,const char *key
,size_t keylen
,const char iv[16]
,char *ivout[16]
,const char *in
,size_t inlen
,char **out
);
Encrypt or decrypt data (depending on decryptp
) using AES in
CBC-CTS mode. The length of the key, keylen
, decide if AES 128 or
AES 256 should be used. The out
buffer must be deallocated by the
caller.
handle |
shishi handle as allocated by |
|
decryptp |
0 to indicate encryption, non-0 to indicate decryption. |
|
key |
input character array with key to use. |
|
keylen |
length of input character array with key to use. |
|
iv |
input character array with initialization vector to use, or NULL. |
|
ivout |
output character array with updated initialization vector, or NULL. |
|
in |
input character array of data to encrypt/decrypt. |
|
inlen |
length of input character array of data to encrypt/decrypt. |
|
out |
newly allocated character array with encrypted/decrypted data. |
int
shishi_cipher_supported_p (int type
);
Find out if cipher is supported.
const char *
shishi_cipher_name (int type
);
Read humanly readable string for cipher.
int
shishi_cipher_confoundersize (int type
);
Get length of confounder for cipher.
size_t
shishi_cipher_randomlen (int type
);
Get length of random data for cipher.
int
shishi_cipher_defaultcksumtype (int32_t type
);
Get the default checksum associated with cipher.
int
shishi_cipher_parse (const char *cipher
);
Get cipher number by parsing string.
int
shishi_checksum_supported_p (int32_t type
);
Find out whether checksum is supported.
size_t
shishi_checksum_cksumlen (int32_t type
);
Get length of checksum output.
int
shishi_checksum_parse (const char *checksum
);
Get checksum number by parsing a string.
int shishi_string_to_key (Shishi *handle
,int32_t keytype
,const char *password
,size_t passwordlen
,const char *salt
,size_t saltlen
,const char *parameter
,Shishi_key *outkey
);
Derive key from a string (password) and salt (commonly concatenation of realm and principal) for specified key type, and set the type and value in the given key to the computed values. The parameter value is specific for each keytype, and can be set if the parameter information is not available.
handle |
shishi handle as allocated by |
|
keytype |
cryptographic encryption type, see Shishi_etype. |
|
password |
input array with password. |
|
passwordlen |
length of input array with password. |
|
salt |
input array with salt. |
|
saltlen |
length of input array with salt. |
|
parameter |
input array with opaque encryption type specific information. |
|
outkey |
allocated key handle that will contain new key. |
int shishi_random_to_key (Shishi *handle
,int32_t keytype
,const char *rnd
,size_t rndlen
,Shishi_key *outkey
);
Derive key from random data for specified key type, and set the type and value in the given key to the computed values.
handle |
shishi handle as allocated by |
|
keytype |
cryptographic encryption type, see Shishi_etype. |
|
rnd |
input array with random data. |
|
rndlen |
length of input array with random data. |
|
outkey |
allocated key handle that will contain new key. |
int shishi_encrypt_ivupdate_etype (Shishi *handle
,Shishi_key *key
,int keyusage
,int32_t etype
,const char *iv
,size_t ivlen
,char **ivout
,size_t *ivoutlen
,const char *in
,size_t inlen
,char **out
,size_t *outlen
);
Encrypts data as per encryption method using specified initialization vector and key. The key actually used is derived using the key usage. If key usage is 0, no key derivation is used. The OUT buffer must be deallocated by the caller. If IVOUT or IVOUTLEN is NULL, the updated IV is not saved anywhere.
Note that DECRYPT(ENCRYPT(data)) does not necessarily yield data exactly. Some encryption types add pad to make the data fit into the block size of the encryption algorithm. Furthermore, the pad is not guaranteed to look in any special way, although existing implementations often pad with the zero byte. This means that you may have to "frame" data, so it is possible to infer the original length after decryption. Compare ASN.1 DER which contains such information.
handle |
shishi handle as allocated by |
|
key |
key to encrypt with. |
|
keyusage |
integer specifying what this key is encrypting. |
|
etype |
integer specifying what cipher to use. |
|
iv |
input array with initialization vector |
|
ivlen |
size of input array with initialization vector. |
|
ivout |
output array with newly allocated updated initialization vector. |
|
ivoutlen |
size of output array with updated initialization vector. |
|
in |
input array with data to encrypt. |
|
inlen |
size of input array with data to encrypt. |
|
out |
output array with newly allocated encrypted data. |
|
outlen |
output variable with size of newly allocated output array. |
int shishi_encrypt_iv_etype (Shishi *handle
,Shishi_key *key
,int keyusage
,int32_t etype
,const char *iv
,size_t ivlen
,const char *in
,size_t inlen
,char **out
,size_t *outlen
);
Encrypts data as per encryption method using specified initialization vector and key. The key actually used is derived using the key usage. If key usage is 0, no key derivation is used. The OUT buffer must be deallocated by the caller. The next IV is lost, see shishi_encrypt_ivupdate_etype if you need it.
Note that DECRYPT(ENCRYPT(data)) does not necessarily yield data exactly. Some encryption types add pad to make the data fit into the block size of the encryption algorithm. Furthermore, the pad is not guaranteed to look in any special way, although existing implementations often pad with the zero byte. This means that you may have to "frame" data, so it is possible to infer the original length after decryption. Compare ASN.1 DER which contains such information.
handle |
shishi handle as allocated by |
|
key |
key to encrypt with. |
|
keyusage |
integer specifying what this key is encrypting. |
|
etype |
integer specifying what cipher to use. |
|
iv |
input array with initialization vector |
|
ivlen |
size of input array with initialization vector. |
|
in |
input array with data to encrypt. |
|
inlen |
size of input array with data to encrypt. |
|
out |
output array with newly allocated encrypted data. |
|
outlen |
output variable with size of newly allocated output array. |
int shishi_encrypt_etype (Shishi *handle
,Shishi_key *key
,int keyusage
,int32_t etype
,const char *in
,size_t inlen
,char **out
,size_t *outlen
);
Encrypts data as per encryption method using specified initialization vector and key. The key actually used is derived using the key usage. If key usage is 0, no key derivation is used. The OUT buffer must be deallocated by the caller. The default IV is used, see shishi_encrypt_iv_etype if you need to alter it. The next IV is lost, see shishi_encrypt_ivupdate_etype if you need it.
Note that DECRYPT(ENCRYPT(data)) does not necessarily yield data exactly. Some encryption types add pad to make the data fit into the block size of the encryption algorithm. Furthermore, the pad is not guaranteed to look in any special way, although existing implementations often pad with the zero byte. This means that you may have to "frame" data, so it is possible to infer the original length after decryption. Compare ASN.1 DER which contains such information.
handle |
shishi handle as allocated by |
|
key |
key to encrypt with. |
|
keyusage |
integer specifying what this key is encrypting. |
|
etype |
integer specifying what cipher to use. |
|
in |
input array with data to encrypt. |
|
inlen |
size of input array with data to encrypt. |
|
out |
output array with newly allocated encrypted data. |
|
outlen |
output variable with size of newly allocated output array. |
int shishi_encrypt_ivupdate (Shishi *handle
,Shishi_key *key
,int keyusage
,const char *iv
,size_t ivlen
,char **ivout
,size_t *ivoutlen
,const char *in
,size_t inlen
,char **out
,size_t *outlen
);
Encrypts data using specified initialization vector and key. The key actually used is derived using the key usage. If key usage is 0, no key derivation is used. The OUT buffer must be deallocated by the caller. If IVOUT or IVOUTLEN is NULL, the updated IV is not saved anywhere.
Note that DECRYPT(ENCRYPT(data)) does not necessarily yield data exactly. Some encryption types add pad to make the data fit into the block size of the encryption algorithm. Furthermore, the pad is not guaranteed to look in any special way, although existing implementations often pad with the zero byte. This means that you may have to "frame" data, so it is possible to infer the original length after decryption. Compare ASN.1 DER which contains such information.
handle |
shishi handle as allocated by |
|
key |
key to encrypt with. |
|
keyusage |
integer specifying what this key is encrypting. |
|
iv |
input array with initialization vector |
|
ivlen |
size of input array with initialization vector. |
|
ivout |
output array with newly allocated updated initialization vector. |
|
ivoutlen |
size of output array with updated initialization vector. |
|
in |
input array with data to encrypt. |
|
inlen |
size of input array with data to encrypt. |
|
out |
output array with newly allocated encrypted data. |
|
outlen |
output variable with size of newly allocated output array. |
int shishi_encrypt_iv (Shishi *handle
,Shishi_key *key
,int keyusage
,const char *iv
,size_t ivlen
,const char *in
,size_t inlen
,char **out
,size_t *outlen
);
Encrypts data using specified initialization vector and key. The key actually used is derived using the key usage. If key usage is 0, no key derivation is used. The OUT buffer must be deallocated by the caller. The next IV is lost, see shishi_encrypt_ivupdate if you need it.
Note that DECRYPT(ENCRYPT(data)) does not necessarily yield data exactly. Some encryption types add pad to make the data fit into the block size of the encryption algorithm. Furthermore, the pad is not guaranteed to look in any special way, although existing implementations often pad with the zero byte. This means that you may have to "frame" data, so it is possible to infer the original length after decryption. Compare ASN.1 DER which contains such information.
handle |
shishi handle as allocated by |
|
key |
key to encrypt with. |
|
keyusage |
integer specifying what this key is encrypting. |
|
iv |
input array with initialization vector |
|
ivlen |
size of input array with initialization vector. |
|
in |
input array with data to encrypt. |
|
inlen |
size of input array with data to encrypt. |
|
out |
output array with newly allocated encrypted data. |
|
outlen |
output variable with size of newly allocated output array. |
int shishi_encrypt (Shishi *handle
,Shishi_key *key
,int keyusage
,char *in
,size_t inlen
,char **out
,size_t *outlen
);
Encrypts data using specified key. The key actually used is derived using the key usage. If key usage is 0, no key derivation is used. The OUT buffer must be deallocated by the caller. The default IV is used, see shishi_encrypt_iv if you need to alter it. The next IV is lost, see shishi_encrypt_ivupdate if you need it.
Note that DECRYPT(ENCRYPT(data)) does not necessarily yield data exactly. Some encryption types add pad to make the data fit into the block size of the encryption algorithm. Furthermore, the pad is not guaranteed to look in any special way, although existing implementations often pad with the zero byte. This means that you may have to "frame" data, so it is possible to infer the original length after decryption. Compare ASN.1 DER which contains such information.
handle |
shishi handle as allocated by |
|
key |
key to encrypt with. |
|
keyusage |
integer specifying what this key is encrypting. |
|
in |
input array with data to encrypt. |
|
inlen |
size of input array with data to encrypt. |
|
out |
output array with newly allocated encrypted data. |
|
outlen |
output variable with size of newly allocated output array. |
int shishi_decrypt_ivupdate_etype (Shishi *handle
,Shishi_key *key
,int keyusage
,int32_t etype
,const char *iv
,size_t ivlen
,char **ivout
,size_t *ivoutlen
,const char *in
,size_t inlen
,char **out
,size_t *outlen
);
Decrypts data as per encryption method using specified initialization vector and key. The key actually used is derived using the key usage. If key usage is 0, no key derivation is used. The OUT buffer must be deallocated by the caller. If IVOUT or IVOUTLEN is NULL, the updated IV is not saved anywhere.
Note that DECRYPT(ENCRYPT(data)) does not necessarily yield data exactly. Some encryption types add pad to make the data fit into the block size of the encryption algorithm. Furthermore, the pad is not guaranteed to look in any special way, although existing implementations often pad with the zero byte. This means that you may have to "frame" data, so it is possible to infer the original length after decryption. Compare ASN.1 DER which contains such information.
handle |
shishi handle as allocated by |
|
key |
key to decrypt with. |
|
keyusage |
integer specifying what this key is decrypting. |
|
etype |
integer specifying what cipher to use. |
|
iv |
input array with initialization vector |
|
ivlen |
size of input array with initialization vector. |
|
ivout |
output array with newly allocated updated initialization vector. |
|
ivoutlen |
size of output array with updated initialization vector. |
|
in |
input array with data to decrypt. |
|
inlen |
size of input array with data to decrypt. |
|
out |
output array with newly allocated decrypted data. |
|
outlen |
output variable with size of newly allocated output array. |
int shishi_decrypt_iv_etype (Shishi *handle
,Shishi_key *key
,int keyusage
,int32_t etype
,const char *iv
,size_t ivlen
,const char *in
,size_t inlen
,char **out
,size_t *outlen
);
Decrypts data as per encryption method using specified initialization vector and key. The key actually used is derived using the key usage. If key usage is 0, no key derivation is used. The OUT buffer must be deallocated by the caller. The next IV is lost, see shishi_decrypt_ivupdate_etype if you need it.
Note that DECRYPT(ENCRYPT(data)) does not necessarily yield data exactly. Some encryption types add pad to make the data fit into the block size of the encryption algorithm. Furthermore, the pad is not guaranteed to look in any special way, although existing implementations often pad with the zero byte. This means that you may have to "frame" data, so it is possible to infer the original length after decryption. Compare ASN.1 DER which contains such information.
handle |
shishi handle as allocated by |
|
key |
key to decrypt with. |
|
keyusage |
integer specifying what this key is decrypting. |
|
etype |
integer specifying what cipher to use. |
|
iv |
input array with initialization vector |
|
ivlen |
size of input array with initialization vector. |
|
in |
input array with data to decrypt. |
|
inlen |
size of input array with data to decrypt. |
|
out |
output array with newly allocated decrypted data. |
|
outlen |
output variable with size of newly allocated output array. |
int shishi_decrypt_etype (Shishi *handle
,Shishi_key *key
,int keyusage
,int32_t etype
,const char *in
,size_t inlen
,char **out
,size_t *outlen
);
Decrypts data as per encryption method using specified key. The key actually used is derived using the key usage. If key usage is 0, no key derivation is used. The OUT buffer must be deallocated by the caller. The default IV is used, see shishi_decrypt_iv_etype if you need to alter it. The next IV is lost, see shishi_decrypt_ivupdate_etype if you need it.
Note that DECRYPT(ENCRYPT(data)) does not necessarily yield data exactly. Some encryption types add pad to make the data fit into the block size of the encryption algorithm. Furthermore, the pad is not guaranteed to look in any special way, although existing implementations often pad with the zero byte. This means that you may have to "frame" data, so it is possible to infer the original length after decryption. Compare ASN.1 DER which contains such information.
handle |
shishi handle as allocated by |
|
key |
key to decrypt with. |
|
keyusage |
integer specifying what this key is decrypting. |
|
etype |
integer specifying what cipher to use. |
|
in |
input array with data to decrypt. |
|
inlen |
size of input array with data to decrypt. |
|
out |
output array with newly allocated decrypted data. |
|
outlen |
output variable with size of newly allocated output array. |
int shishi_decrypt_ivupdate (Shishi *handle
,Shishi_key *key
,int keyusage
,const char *iv
,size_t ivlen
,char **ivout
,size_t *ivoutlen
,const char *in
,size_t inlen
,char **out
,size_t *outlen
);
Decrypts data using specified initialization vector and key. The key actually used is derived using the key usage. If key usage is 0, no key derivation is used. The OUT buffer must be deallocated by the caller. If IVOUT or IVOUTLEN is NULL, the updated IV is not saved anywhere.
Note that DECRYPT(ENCRYPT(data)) does not necessarily yield data exactly. Some encryption types add pad to make the data fit into the block size of the encryption algorithm. Furthermore, the pad is not guaranteed to look in any special way, although existing implementations often pad with the zero byte. This means that you may have to "frame" data, so it is possible to infer the original length after decryption. Compare ASN.1 DER which contains such information.
handle |
shishi handle as allocated by |
|
key |
key to decrypt with. |
|
keyusage |
integer specifying what this key is decrypting. |
|
iv |
input array with initialization vector |
|
ivlen |
size of input array with initialization vector. |
|
ivout |
output array with newly allocated updated initialization vector. |
|
ivoutlen |
size of output array with updated initialization vector. |
|
in |
input array with data to decrypt. |
|
inlen |
size of input array with data to decrypt. |
|
out |
output array with newly allocated decrypted data. |
|
outlen |
output variable with size of newly allocated output array. |
int shishi_decrypt_iv (Shishi *handle
,Shishi_key *key
,int keyusage
,const char *iv
,size_t ivlen
,const char *in
,size_t inlen
,char **out
,size_t *outlen
);
Decrypts data using specified initialization vector and key. The key actually used is derived using the key usage. If key usage is 0, no key derivation is used. The OUT buffer must be deallocated by the caller. The next IV is lost, see shishi_decrypt_ivupdate_etype if you need it.
Note that DECRYPT(ENCRYPT(data)) does not necessarily yield data exactly. Some encryption types add pad to make the data fit into the block size of the encryption algorithm. Furthermore, the pad is not guaranteed to look in any special way, although existing implementations often pad with the zero byte. This means that you may have to "frame" data, so it is possible to infer the original length after decryption. Compare ASN.1 DER which contains such information.
handle |
shishi handle as allocated by |
|
key |
key to decrypt with. |
|
keyusage |
integer specifying what this key is decrypting. |
|
iv |
input array with initialization vector |
|
ivlen |
size of input array with initialization vector. |
|
in |
input array with data to decrypt. |
|
inlen |
size of input array with data to decrypt. |
|
out |
output array with newly allocated decrypted data. |
|
outlen |
output variable with size of newly allocated output array. |
int shishi_decrypt (Shishi *handle
,Shishi_key *key
,int keyusage
,const char *in
,size_t inlen
,char **out
,size_t *outlen
);
Decrypts data specified key. The key actually used is derived using the key usage. If key usage is 0, no key derivation is used. The OUT buffer must be deallocated by the caller. The default IV is used, see shishi_decrypt_iv if you need to alter it. The next IV is lost, see shishi_decrypt_ivupdate if you need it.
Note that DECRYPT(ENCRYPT(data)) does not necessarily yield data exactly. Some encryption types add pad to make the data fit into the block size of the encryption algorithm. Furthermore, the pad is not guaranteed to look in any special way, although existing implementations often pad with the zero byte. This means that you may have to "frame" data, so it is possible to infer the original length after decryption. Compare ASN.1 DER which contains such information.
handle |
shishi handle as allocated by |
|
key |
key to decrypt with. |
|
keyusage |
integer specifying what this key is decrypting. |
|
in |
input array with data to decrypt. |
|
inlen |
size of input array with data to decrypt. |
|
out |
output array with newly allocated decrypted data. |
|
outlen |
output variable with size of newly allocated output array. |
int shishi_checksum (Shishi *handle
,Shishi_key *key
,int keyusage
,int32_t cksumtype
,const char *in
,size_t inlen
,char **out
,size_t *outlen
);
Integrity protect data using key, possibly altered by supplied key usage. If key usage is 0, no key derivation is used. The OUT buffer must be deallocated by the caller.
handle |
shishi handle as allocated by |
|
key |
key to compute checksum with. |
|
keyusage |
integer specifying what this key is used for. |
|
cksumtype |
the checksum algorithm to use. |
|
in |
input array with data to integrity protect. |
|
inlen |
size of input array with data to integrity protect. |
|
out |
output array with newly allocated integrity protected data. |
|
outlen |
output variable with length of output array with checksum. |
int shishi_verify (Shishi *handle
,Shishi_key *key
,int keyusage
,int cksumtype
,const char *in
,size_t inlen
,const char *cksum
,size_t cksumlen
);
Verify checksum of data using key, possibly altered by supplied key usage. If key usage is 0, no key derivation is used.
handle |
shishi handle as allocated by |
|
key |
key to verify checksum with. |
|
keyusage |
integer specifying what this key is used for. |
|
cksumtype |
the checksum algorithm to use. |
|
in |
input array with data that was integrity protected. |
|
inlen |
size of input array with data that was integrity protected. |
|
cksum |
input array with alleged checksum of data. |
|
cksumlen |
size of input array with alleged checksum of data. |
int shishi_dk (Shishi *handle
,Shishi_key *key
,const char *prfconstant
,size_t prfconstantlen
,Shishi_key *derivedkey
);
Derive a key from a key and a constant thusly: DK(KEY, PRFCONSTANT) = SHISHI_RANDOM-TO-KEY(SHISHI_DR(KEY, PRFCONSTANT)).
handle |
shishi handle as allocated by |
|
key |
input cryptographic key to use. |
|
prfconstant |
input array with the constant string. |
|
prfconstantlen |
size of input array with the constant string. |
|
derivedkey |
pointer to derived key (allocated by caller). |
int shishi_dr (Shishi *handle
,Shishi_key *key
,const char *prfconstant
,size_t prfconstantlen
,char *derivedrandom
,size_t derivedrandomlen
);
Derive "random" data from a key and a constant thusly: DR(KEY, PRFCONSTANT) = TRUNCATE(DERIVEDRANDOMLEN, SHISHI_ENCRYPT(KEY, PRFCONSTANT)).
handle |
shishi handle as allocated by |
|
key |
input array with cryptographic key to use. |
|
prfconstant |
input array with the constant string. |
|
prfconstantlen |
size of input array with the constant string. |
|
derivedrandom |
output array with derived random data. |
|
derivedrandomlen |
size of output array with derived random data. |
int shishi_n_fold (Shishi *handle
,const char *in
,size_t inlen
,char *out
,size_t outlen
);
Fold data into a fixed length output array, with the intent to give each input bit approximately equal weight in determining the value of each output bit.
The algorithm is from "A Better Key Schedule For DES-like Ciphers" by Uri Blumenthal and Steven M. Bellovin, http://www.research.att.com/~smb/papers/ides.pdf, although the sample vectors provided by the paper are incorrect.
handle |
shishi handle as allocated by |
|
in |
input array with data to decrypt. |
|
inlen |
size of input array with data to decrypt ("M"). |
|
out |
output array with decrypted data. |
|
outlen |
size of output array ("N"). |
int shishi_pbkdf2_sha1 (Shishi *handle
,const char *P
,size_t Plen
,const char *S
,size_t Slen
,unsigned int c
,unsigned int dkLen
,char *DK
);
Derive key using the PBKDF2 defined in PKCS5. PBKDF2 applies a pseudorandom function to derive keys. The length of the derived key is essentially unbounded. (However, the maximum effective search space for the derived key may be limited by the structure of the underlying pseudorandom function, which is this function is always SHA1.)
handle |
shishi handle as allocated by |
|
P |
input password, an octet string |
|
Plen |
length of password, an octet string |
|
S |
input salt, an octet string |
|
Slen |
length of salt, an octet string |
|
c |
iteration count, a positive integer |
|
dkLen |
intended length in octets of the derived key, a positive integer, at most (2^32 - 1) * hLen. The DK array must have room for this many characters. |
|
DK |
output derived key, a dkLen-octet string |
Shishi_crypto * shishi_crypto (Shishi *handle
,Shishi_key *key
,int keyusage
,int32_t etype
,const char *iv
,size_t ivlen
);
Initialize a crypto context. This store a key, keyusage,
encryption type and initialization vector in a "context", and the
caller can then use this context to perform encryption via
shishi_crypto_encrypt()
and decryption via shishi_crypto_encrypt()
without supplying all those details again. The functions also
takes care of propagating the IV between calls.
When the application no longer need to use the context, it should
deallocate resources associated with it by calling
shishi_crypto_close()
.
handle |
shishi handle as allocated by |
|
key |
key to encrypt with. |
|
keyusage |
integer specifying what this key will encrypt/decrypt. |
|
etype |
integer specifying what cipher to use. |
|
iv |
input array with initialization vector |
|
ivlen |
size of input array with initialization vector. |
void
shishi_crypto_close (Shishi_crypto *ctx
);
Deallocate resources associated with the crypto context.
int shishi_crypto_encrypt (Shishi_crypto *ctx
,const char *in
,size_t inlen
,char **out
,size_t *outlen
);
Encrypt data, using information (e.g., key and initialization vector) from context. The IV is updated inside the context after this call.
When the application no longer need to use the context, it should
deallocate resources associated with it by calling
shishi_crypto_close()
.
ctx |
crypto context as returned by |
|
in |
input array with data to encrypt. |
|
inlen |
size of input array with data to encrypt. |
|
out |
output array with newly allocated encrypted data. |
|
outlen |
output variable with size of newly allocated output array. |
int shishi_crypto_decrypt (Shishi_crypto *ctx
,const char *in
,size_t inlen
,char **out
,size_t *outlen
);
Decrypt data, using information (e.g., key and initialization vector) from context. The IV is updated inside the context after this call.
When the application no longer need to use the context, it should
deallocate resources associated with it by calling
shishi_crypto_close()
.
ctx |
crypto context as returned by |
|
in |
input array with data to decrypt. |
|
inlen |
size of input array with data to decrypt. |
|
out |
output array with newly allocated decrypted data. |
|
outlen |
output variable with size of newly allocated output array. |
const char *
shishi_check_version (const char *req_version
);
Checks that the installed library version is at least
as recent as the one provided in req_version
.
The version string is formatted like "1.0.2".
Whenever NULL
is passed to this function, the check is
suppressed, but the library version is still returned.
int (*shishi_prompt_password_func) (Shishi *handle
,char **s
,const char *format
,va_list ap
);
void shishi_prompt_password_callback_set (Shishi *handle
,shishi_prompt_password_func cb
);
Set a callback function that will be used by
shishi_prompt_password()
to query the user for a password. The
function pointer can be retrieved using
shishi_prompt_password_callback_get()
.