The Shishi Manual

Shishi

Copyright © 2002 Simon Josefsson.

Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.1 or any later version published by the Free Software Foundation; with no Invariant Sections, with the Front-Cover texts being "A GNU Manual," and with the Back-Cover Texts as in (a) below. A copy of the license is included in the section entitled "GNU Free Documentation License."

(a) The FSF's Back-Cover Text is: "You have freedom to copy and modify this GNU Manual, like GNU software. Copies published by the Free Software Foundation raise funds for GNU development."

• Introduction: How to use this manual.
• User Manual: Using Shishi as end-user.
• Administration Manual: Administrating server aspects of Shishi.
• Programming Manual: Calling Shishi from a programming language.
• Acknowledgements: Whom to blame.

  Appendices

• Copying This Manual: How you can copy and share this manual.
• Copying: How you can copy and share the source.

  Indices

• Concept Index: Index of concepts and programs.
• Function and Data Index: Index of functions, variables and data types.

1 Introduction

Shishi implements the RFC 1510 network security system, also known as Kerberos 5.

• Getting Started:
• Features and Status:
• Overview:
• Cryptographic Overview:
• Supported Platforms:
• Bug Reports:

1.1 Getting Started

This manual documents the Shishi application and library programming interface. All commands, functions and data types provided by Shishi are explained.

The reader is assumed to possess basic familiarity with network security and the RFC 1510 security system.

This manual can be used in several ways. If read from the beginning to the end, it gives a good introduction into the library and how it can be used in an application. Forward references are included where necessary. Later on, the manual can be used as a reference manual to get just the information needed about any particular interface of the library. Experienced programmers might want to start looking at the examples at the end of the manual, and then only read up those parts of the interface which are unclear.

1.2 Features and Status

Shishi might have a couple of advantages over other packages doing a similar job.

It's Free Software

Anybody can use, modify, and redistribute it under the terms of the GNU General Public License (see Copying).

It's thread-safe

The library uses no global variables.

It's internationalized

It handles non-ASCII username and passwords and user visible strings used in the library (error messages) can be translated into the users' language.

It's portable

It should work on all Unix like operating systems, including Windows.

Shishi is far from feature complete, it is not even a full RFC 1510 implementation yet. However, some basic functionality is implemented. A few implemented feature are mentioned below.

• Initial authentication (AS) from raw key or password. This step is typically used to acquire a ticket granting ticket and, less commonly, a server ticket.
• Subsequent authentication (TGS). This step is typically used to acquire a server ticket, by authenticating yourself using the ticket granting ticket.
• Client-Server authentication (AP). This step is used by clients and servers to prove to each other who they are, using negotiated tickets.
• Integrity protected communication (SAFE). This step is used by clients and servers to exchange integrity protected data with each other. The key is typically agreed on using the Client-Server authentication step.
• Ticket cache, supporting multiple principals and realms. As tickets have a life time of typically several hours, they are managed in disk files. There can be multiple ticket caches, and each ticket cache can store tickets for multiple clients (users), servers, encryption types, etc. Functionality is provided for locating the proper ticket for every use.
• Most standard cryptographic primitives. The believed most secure algorithms are supported (see Cryptographic Overview).
• Telnet client and server. This is used to remotely login to other machines, after authenticating yourself with a ticket.
• PAM module. This is used to login locally on a machine.
• KDC addresses located using DNS SRV RRs.

The following table summarize what the current objectives are (i.e., the todo list) and an estimate on how long it will take to implement the feature. If you like to start working on anything, please let me know so work duplication can be avoided.

• Cross-realm support (week).
• Session keys in AP (week).
• PKINIT (use libksba, weeks)
• Finish GSSAPI support via GPL GSS (weeks) Shishi will not support GSS, but a separate project "GPL GSS" is under way to produce a generic GSS implementation, and it will use Shishi to implement the Kerberos 5 mechanism.
• Port to cyclone (cyclone need to mature first)
• Modularize ASN.1 library so it can be replaced (days)
• Modularize Crypto library so it can be replaced (days)
• KDC (initiated, weeks)
• PAM module (week) Finished.
• Set/Change password protocol (weeks?)
• Port applications to use Shishi (indefinite)
• Improve documentation
• Improve internationalization
• Fix fixed size buffers.

1.3 Overview

This section describes RFC 1510 from a protocol point of view¹.

Kerberos provides a means of verifying the identities of principals, (e.g., a workstation user or a network server) on an open (unprotected) network. This is accomplished without relying on authentication by the host operating system, without basing trust on host addresses, without requiring physical security of all the hosts on the network, and under the assumption that packets traveling along the network can be read, modified, and inserted at will. (Note, however, that many applications use Kerberos' functions only upon the initiation of a stream-based network connection, and assume the absence of any "hijackers" who might subvert such a connection. Such use implicitly trusts the host addresses involved.) Kerberos performs authentication under these conditions as a trusted third- party authentication service by using conventional cryptography, i.e., shared secret key. (shared secret key - Secret and private are often used interchangeably in the literature. In our usage, it takes two (or more) to share a secret, thus a shared DES key is a secret key. Something is only private when no one but its owner knows it. Thus, in public key cryptosystems, one has a public and a private key.)

The authentication process proceeds as follows: A client sends a request to the authentication server (AS) requesting "credentials" for a given server. The AS responds with these credentials, encrypted in the client's key. The credentials consist of 1) a "ticket" for the server and 2) a temporary encryption key (often called a "session key"). The client transmits the ticket (which contains the client's identity and a copy of the session key, all encrypted in the server's key) to the server. The session key (now shared by the client and server) is used to authenticate the client, and may optionally be used to authenticate the server. It may also be used to encrypt further communication between the two parties or to exchange a separate sub-session key to be used to encrypt further communication.

The implementation consists of one or more authentication servers running on physically secure hosts. The authentication servers maintain a database of principals (i.e., users and servers) and their secret keys. Code libraries provide encryption and implement the Kerberos protocol. In order to add authentication to its transactions, a typical network application adds one or two calls to the Kerberos library, which results in the transmission of the necessary messages to achieve authentication.

The Kerberos protocol consists of several sub-protocols (or exchanges). There are two methods by which a client can ask a Kerberos server for credentials. In the first approach, the client sends a cleartext request for a ticket for the desired server to the AS. The reply is sent encrypted in the client's secret key. Usually this request is for a ticket-granting ticket (TGT) which can later be used with the ticket-granting server (TGS). In the second method, the client sends a request to the TGS. The client sends the TGT to the TGS in the same manner as if it were contacting any other application server which requires Kerberos credentials. The reply is encrypted in the session key from the TGT.

Once obtained, credentials may be used to verify the identity of the principals in a transaction, to ensure the integrity of messages exchanged between them, or to preserve privacy of the messages. The application is free to choose whatever protection may be necessary.

To verify the identities of the principals in a transaction, the client transmits the ticket to the server. Since the ticket is sent "in the clear" (parts of it are encrypted, but this encryption doesn't thwart replay) and might be intercepted and reused by an attacker, additional information is sent to prove that the message was originated by the principal to whom the ticket was issued. This information (called the authenticator) is encrypted in the session key, and includes a timestamp. The timestamp proves that the message was recently generated and is not a replay. Encrypting the authenticator in the session key proves that it was generated by a party possessing the session key. Since no one except the requesting principal and the server know the session key (it is never sent over the network in the clear) this guarantees the identity of the client.

The integrity of the messages exchanged between principals can also be guaranteed using the session key (passed in the ticket and contained in the credentials). This approach provides detection of both replay attacks and message stream modification attacks. It is accomplished by generating and transmitting a collision-proof checksum (elsewhere called a hash or digest function) of the client's message, keyed with the session key. Privacy and integrity of the messages exchanged between principals can be secured by encrypting the data to be passed using the session key passed in the ticket, and contained in the credentials.

1.4 Cryptographic Overview

Shishi implements several of the standard cryptographic primitives. Here are the names of the supported encryption suites, with some notes on their status and there associated checksum suite. They are ordered by increased security as perceived by the author.

NULL

NULL is a dummy encryption suite for debugging. Encryption and decryption are identity functions. No integrity protection. It is weak. It is associated with the NULL checksum.

des-cbc-crc

des-cbc-crc is DES encryption and decryption with 56 bit keys and 8 byte blocks in CBC mode. The keys can be derived from passwords by an obscure application specific algorithm. Data is integrity protected with an unkeyed but encrypted CRC32-like checksum. It is weak. It is associated with the rsa-md5-des checksum.

des-cbc-md4

des-cbc-md4 is DES encryption and decryption with 56 bit keys and 8 byte blocks in CBC mode. The keys can be derived from passwords by an obscure application specific algorithm. Data is integrity protected with an unkeyed but encrypted MD4 hash. It is weak. It is associated with the rsa-md4-des checksum.

des-cbc-md5

des-cbc-md5 is DES encryption and decryption with 56 bit keys and 8 byte blocks in CBC mode. The keys can be derived from passwords by an obscure application specific algorithm. Data is integrity protected with an unkeyed but encrypted MD5 hash. It is weak. It is associated with the rsa-md5-des checksum. This is the strongest RFC 1510 interoperable mechanism.

des3-cbc-sha1-kd

des3-cbc-sha1-kd is DES encryption and decryption with three 56 bit keys (effective key size 112 bits) and 8 byte blocks in CBC mode. The keys can be derived from passwords by a algorithm based on the paper "A Better Key Schedule For DES-like Ciphers" ² by Uri Blumenthal and Steven M. Bellovin (it is not clear if the algorithm, and the way it is used, is used by any other protocols, although it seems unlikely). Data is integrity protected with a keyed (HMAC) SHA1 hash. It has no security proof, but is assumed to provide adequate security in the sense that knowledge on how to crack it is not known to the public. It is associated with the hmac-sha1-des3-kd checksum.

aes128-cts-hmac-sha1-96

aes256-cts-hmac-sha1-96.

aes128-cts-hmac-sha1-96 and aes256-cts-hmac-sha1-96 is AES encryption and decryption with 128 bit and 256 bit key, respectively, and 16 byte blocks in CBC mode with Cipher Text Stealing. Cipher Text Stealing means data length of encrypted data is preserved (pure CBC add up to 7 pad characters). The keys can be derived from passwords with RSA Laboratories PKCS#5 Password Based Key Derivation Function 2³, which is allegedly provably secure in a random oracle model. Data is integrity protected with a keyed (HMAC) SHA1 hash truncated to 96 bits. There is no security proof, but the schemes are assumed to provide good security, but has, as AES itself, yet to receive the test of time. It is associated with the hmac-sha1-96-aes128 and hmac-sha1-96-aes256 checksums, respectively.

The protocol do not include any way to negotiate which checksum mechanisms to use, so in most cases the associated checksum will be used. However, checksum mechanisms can be used with other encryption mechanisms, as long as they are compatible in terms of key format etc. Here are the names of the supported checksum mechanisms, with some notes on their status and the compatible encryption mechanisms. They are ordered by increased security as perceived by the author.

NULL

NULL is a dummy checksum suite for debugging. It provides no integrity. It is weak. It is compatible with the NULL encryption mechanism.

rsa-md4-des

rsa-md4-des is a DES CBC encryption of one block of random data and a unkeyed MD4 hash computed over the random data and the message to integrity protect. The key used is derived from the base protocol key by XOR with a constant. It is weak. It is compatible with the des-cbc-crc, des-cbc-md4, des-cbc-md5 encryption mechanisms.

rsa-md5-des

rsa-md5-des is a DES CBC encryption of one block of random data and a unkeyed MD5 hash computed over the random data and the message to integrity protect. The key used is derived from the base protocol key by XOR with a constant. It is weak. It is compatible with the des-cbc-crc, des-cbc-md4, des-cbc-md5 encryption mechanisms.

hmac-sha1-des3-kd

hmac-sha1-des3-kd is a keyed (HMAC) SHA1 hash computed over the message. The key is derived from the base protocol by the simplified key derivation function (similar to the password key derivation functions of des3-cbc-sha1-kd). It has no security proof, but is assumed to provide good security. It is compatible with the des3-cbc-sha1-kd encryption mechanism.

hmac-sha1-96-aes128

hmac-sha1-96-aes256

hmac-sha1-96-aes* are keyed (HMAC) SHA1 hashes computed over the message and then truncated to 96 bits. The key is derived from the base protocol by the simplified key derivation function (similar to the password key derivation functions of des3-cbc-sha1-kd). It has no security proof, but is assumed to provide good security. It is compatible with the des3-cbc-sha1-kd encryption mechanism.

1.5 Supported Platforms

Shishi has at some point in time been tested on the following platforms.

1. Debian GNU/Linux 3.0r0 (Woody)

   GCC 2.95.4 and GNU Make. alphaev67-unknown-linux-gnu, alphaev6-unknown-linux-gnu, hppa64-unknown-linux-gnu, i686-pc-linux-gnu, ia64-unknown-linux-gnu.

2. Tru64 UNIX

   Tru64 UNIX C compiler and Tru64 Make. alphaev68-dec-osf5.1.

3. SuSE Linux 7.1

   GCC 2.96 and GNU Make. alphaev67-unknown-linux-gnu.

4. SuSE Linux 7.2a

   GCC 3.0 and GNU Make. ia64-unknown-linux-gnu.

5. RedHat Linux 7.2

   GCC 2.96 and GNU Make. i686-pc-linux-gnu.

6. RedHat Linux 8.0

   GCC 3.2 and GNU Make. i686-pc-linux-gnu.

7. SUN Solaris 2.8

   Sun WorkShop Compiler C 6.0 and SUN Make. sparc-sun-solaris2.8.

8. NetBSD 1.6

   GCC 2.95.3 and GNU Make. alpha-unknown-netbsd1.6, i386-unknown-netbsdelf1.6.

9. OpenBSD 3.1

   GCC 2.95.3 and GNU Make. i386-unknown-openbsd3.1.

10. FreeBSD 4.7

    GCC 2.95.4 and GNU Make. alpha-unknown-freebsd4.7, i386-unknown-freebsd4.7.

If you use Shishi on, or port Shishi to, a new platform please report it to the author (see Bug Reports).

1.6 Bug Reports

If you think you have found a bug in Shishi, please investigate it and report it.

• Please make sure that the bug is really in Shishi, and preferably also check that it hasn't already been fixed in the latest version.
• You have to send us a test case that makes it possible for us to reproduce the bug.
• You also have to explain what is wrong; if you get a crash, or if the results printed are not good and in that case, in what way. Make sure that the bug report includes all information you would need to fix this kind of bug for someone else.

Please make an effort to produce a self-contained report, with something definite that can be tested or debugged. Vague queries or piecemeal messages are difficult to act on and don't help the development effort.

If your bug report is good, we will do our best to help you to get a corrected version of the software; if the bug report is poor, we won't do anything about it (apart from asking you to send better bug reports).

If you think something in this manual is unclear, or downright incorrect, or if the language needs to be improved, please also send a note.

Send your bug report to:

2 User Manual

Usually Shishi interacts with you to get some initial authentication information like a password, and then contacts a server to receive a so called ticket granting ticket. From now on, you rarely interacts with Shishi directly. Applications that needs security services instruct the Shishi library to use the ticket granting ticket to get new tickets for various servers. An example could be if you log on to a host remotely; the host usually requires authentication before permitting you in. The telnet application uses the ticket granting ticket to get a ticket for the server, and then use this ticket to authenticate you to the server (and usually also authenticating the server to you, so you know who you are talking with the right host). You perform the initial authentication by typing shishi as at the prompt. The as command is the default command for Shishi, so you can type only shishi if you want to save a few key strokes. Sometimes it is necessary to supply options telling Shishi what your principal (username) or realm is. See as, for the details. In the example, I need to specify my name and realm.

     

     jas@latte:~/src/shishi$ shishi as --client-name \
     	simon --realm JOSEFSSON.ORG
     Unknown option `read-krb5conf=/etc/krb5.conf'
     Unknown option `server-realm=lab.josefsson.org'
     Unknown option `.josefsson.org'
     Sending to latte.josefsson.org (217.208.172.73)...
     Enter password for `simon@JOSEFSSON.ORG':
     Warning: using insecure memory!
     simon@JOSEFSSON.ORG:
     Authtime:       Fri Nov 22 23:44:02 2002
     Endtime:        Sat Nov 23 00:00:42 2002        valid
     Service:        krbtgt/JOSEFSSON.ORG
     Key type:       des3-cbc-sha1-kd (16)
     Flags:  16384
     jas@latte:~/src/shishi$
     
     

As you can see, Shishi also prints a short description of the ticket received.

A logical next step is to display all tickets you have received (by the way, the tickets are usually stored as text in ~/.shishi/tickets). This is achieved by typing shishi list.

     

     jas@latte:~/src/shishi$ shishi list
     Unknown option `read-krb5conf=/etc/krb5.conf'
     Unknown option `server-realm=lab.josefsson.org'
     Unknown option `.josefsson.org'
     Tickets in `/home/jas/.shishi/tickets':
     
     jas@JOSEFSSON.ORG:
     Authtime:       Fri Nov 22 23:46:18 2002
     Endtime:        Sat Nov 23 00:02:58 2002        valid
     Service:        krbtgt/JOSEFSSON.ORG
     Key type:       des3-cbc-sha1-kd (16)
     Flags:  16384
     
     jas@JOSEFSSON.ORG:
     Authtime:       Fri Nov 22 23:46:18 2002
     Endtime:        Sat Nov 23 00:02:58 2002        valid
     Service:        host/h73n1c1o299.bredband.skanova.com
     Key type:       des3-cbc-sha1-kd (16)
     Flags:  0
     
     2 tickets found.
     jas@latte:~/src/shishi$
     
     

As you can see, I had a ticket for the server host/h73n1c1o299.bredband.skanova.com which was generated by telnet:ing to that host. The observant reader might notice that it now says the tickets are owned by jas@JOSEFSSON.ORG instead of simon@JOSEFSSON.ORG. This is because the identity of the ticket owner is not stored in the ticket file, but must be set every time with --client-name parameter. Since the parameter was not given, Shishi defaults to using the username on the system. Perhaps this has been fixed in your version of Shishi, if not you are very welcome to fix the problem.

If, for some weird reason, you want to manually get a ticket for a specific server, you can use the shishi tgs command (see tgs). Normally, however, the application that uses Shishi will take care of getting a ticket for the appropriate server, so you don't need this command. But maybe you just want to tinker with things. Or maybe you are bored. What do I know. (If you read this far you really must be bored though.) Anyway.

     

     jas@latte:~/src/shishi$ src/shishi tgs \
     	--server-name user/billg  --client-name simon \
     	-e des-cbc-md5
     Unknown option `read-krb5conf=/etc/krb5.conf'
     Unknown option `server-realm=lab.josefsson.org'
     Unknown option `.josefsson.org'
     Searching tickets for client `simon' and server `krbtgt/JOSEFSSON.ORG'
     Warning: using insecure memory!
     Sending to latte.josefsson.org (217.208.172.73)...
     jas@JOSEFSSON.ORG:
     Authtime:       Fri Nov 22 23:46:18 2002
     Endtime:        Sat Nov 23 00:02:58 2002        valid
     Service:        user/billg
     Key type:       des-cbc-md5 (3)
     Flags:  0
     jas@latte:~/src/shishi$
     
     

As you can see, I received a ticket for user/billg with a des-cbc-md5 (see Cryptographic Overview) encryption key specified with the -e parameter.

The rest of the commands are rather esoteric, so I think it is better if you read the following reference sections instead of trying to understand any weird examples I may come up with. If you can think of something neat that the other commands can be used for, feel free to suggest a paragraph or two here.

• as: Initial Authentication.
• list: Listing tickets in cache.
• tgs: Getting subsequent tickets manually.
• client: Simple Client.
• server: Simple Server.
• ap: Low-level client-server authentication.
• crypto: Low-level cryptographic functions.
• kdc: Low-level AS/TGS exchange.
• miscellaneous: Various options.

2.1 as

       as                         Acquire ticket granting ticket using password and
                                  the Authentication Service (AS) exchange.
     
      Options for Authentication Service (AS-OPTIONS):
           --client-name=NAME     Client name. Default is login username.
       -e, --encryption-type=ETYPE,[ETYPE...]
                                  Encryption types to use.  ETYPE is either
                                  registered name or integer.
       -r, --realm=REALM          Realm of client and server. Default is DNS domain
                                  of local host.
           --string-to-key=PASSWORD   Password to decrypt response (discouraged).
                                  Default is to prompt user.
     

2.2 list

       list                       List tickets.
     
      Options for the List command (LIST-OPTIONS):
           --server-name=NAME     Restrict list to tickets for specified server.
     

2.3 tgs

       tgs                        Acquire ticket using the ticket granting ticket
                                  and the Ticket-Granting Service (TGS) exchange.
     
      Options for Ticket Granting Service (TGS-OPTIONS):
           --client-name=NAME     Client name. Default is login username. Used to
                                  locate ticket granting ticket.
           --encryption-type=ETYPE,[ETYPE...]
                                  Encryption types to use.  ETYPE is either
                                  registered name or integer.
           --realm=REALM          Realm of server. Default is DNS domain of local
                                  host.
           --server-name=NAME     Name of server.
           --ticket-granter=NAME  Name of server field in the ticket to use as the
                                  ticket granter. Defaults to "krbtgt/REALM@REALM"
                                  where REALM is server realm (see --realm).
     

2.4 client

       client                     Kerberos client.
     
      Options for Network Client (CLIENT-OPTIONS):
           --options=OPTION[,OPTION...]
                                  Indicate AP-OPTIONS separated by comma (,) or
                                  whitespace. Options are integers (ORed together)
                                  or the pre-defined strings "use-session-key"
                                  indicating that the ticket is encrypted in the
                                  server's TGT key rather than its own key (not
                                  implemented) or "mutual-required" indicating that
                                  mutual authentication is required.
           --realm=REALM          Realm of server. Defaults to DNS domain of local
                                  host.
           --server-name=NAME     Name of server. Defaults to "sample/REALM" where
                                  REALM is realm of server (see --realm).
     

2.5 server

       server                     Kerberos server.
     
      Options for Network Server (SERVER-OPTIONS):
           --client-name=NAME     Client name. Default is login username.
           --key-value=KEY        Cipher key of server.
           --realm=REALM          Realm of server. Defaults to DNS domain of local
                                  host.
           --server-name=NAME     Name of server. Defaults to "sample/REALM" where
                                  REALM is realm of server (see --realm).
           --string-to-key=PASSWORD   Password to decrypt response (discouraged).
     

2.6 ap

       ap                         Kerberos Client/Server Authentication (AP-REQ and
                                  AP-REP).
     
      Options for low-level Client/Server Authentication (AP-OPTIONS):
           --data=B64STRING       Base64 encoded data to checksum in generated
                                  authenticator. By default checksum is omitted
                                  (indicating no application payload).
           --read-ap-request-file=[TYPE,]FILE
                                  Read AP-REQ from FILE in format TYPE; TEXT
                                  (default) or DER. Default is to generate it.
           --read-data-file=[TYPE,]FILE
                                  Read data to checksum in generated authenticator
                                  from FILE in format TYPE, BASE64, HEX or BINARY
                                  (default). By default checksum is omitted
                                  (indicating no application payload).
           --realm=REALM          Realm of server. Defaults to DNS domain of local
                                  host. Used for locating the ticket to use.
           --server-name=NAME     Name of server. Defaults to "krbtgt.DEFAULTREALM"
                                  where DEFAULTREALM is realm of server. Used for
                                  locating the ticket to use.
           --write-ap-request-file=[TYPE,]FILE
                                  Write AP-REQ to FILE in format TYPE; TEXT
                                  (default) or DER.  Default is stdout.
           --write-authenticator-file=[TYPE,]FILE
                                  Write authenticator to FILE in format TYPE; TEXT
                                  (default) or DER. Not written by default.
     

2.7 crypto

       crypto                     Cryptographic functions.
     
      Options for low-level cryptography (CRYPTO-OPTIONS):
           --algorithm=ALGORITHM  Use ciphering algorithm, expressed either as the
                                  etype integer or the registered name.
           --client-name=NAME     Client name. Default is login username. Used for
                                  generating cipher key.
           --decrypt              Decrypt data
           --encrypt              Encrypt data
           --input-file=[TYPE,]FILE   Read data from FILE in TYPE, BASE64, HEX or
                                  BINARY (default).
           --key-file=[TYPE,]FILE Read/write cipher key from/to FILE in TYPE
           --key-value=KEY        Specify cipher key directly (discouraged)
           --output-file=[TYPE,]FILE   Write data to FILE in TYPE, BASE64, HEX or
                                  BINARY (default).
           --realm=REALM          Realm of principal. Defaults to DNS domain of
                                  local host. Used for generating cipher key.
           --string-to-key=PASSWORD   Convert password to key.  Client-name and
                                  realm also modify the key.
     

2.8 kdc

       kdc                        Key Distribution Center Services; Authentication
                                  Service (AS) and Ticket-Granting Service (TGS).
     
      Options for low-level Key Distribution Services (KDC-OPTIONS):
           --client-name=NAME     Client name. Default is login username. Only for
                                  AS.
           --encryption-type=ETYPE,[ETYPE...]
                                  Encryption types to use.  ETYPE is either
                                  registered name or integer.
           --force-as             Force AS mode. Default is to use TGS iff a TGT is
                                  found.
           --force-tgs            Force TGS mode. Default is to use TGS iff a TGT is
                                  found.
           --key-value=KEY        Cipher key to decrypt response (discouraged).
           --read-kdc-request-file=[TYPE,]FILE
                                  Read KDC-REQ from FILE in format TYPE; TEXT
                                  (default) or DER. Default is to generate it.
           --read-kdc-response-file=[TYPE,]FILE
                                  Read KDC-REP from FILE in format TYPE; TEXT
                                  (default) or DER. Default is to receive it from
                                  server.
           --realm=REALM          Realm of server. Default is DNS domain of local
                                  host. For AS, this also indicates realm of
                                  client.
           --request              Only generate the request.
           --response             Only parse request and response and output ticket.
     
           --sendrecv             Only send request and receive response.
           --server=HOST          Send request to HOST. Default uses address from
                                  configuration file.
           --server-name=NAME     Server name. Default is "krbtgt/REALM" where REALM
                                  is server realm (see --realm).
           --short-nonce          Use a 4 byte nonce. Required by some buggy
                                  servers.
           --string-to-key=PASSWORD   Password to decrypt response (discouraged).
                                  Only for AS.
           --ticket-granter=NAME  Service name in ticket to use for authenticating
                                  request. Only for TGS. Defaults to
                                  "krbtgt/REALM@REALM" where REALM is server realm
                                  (see --realm).
           --write-ap-request-file=[TYPE,]FILE
                                  Write AP-REQ to FILE in TYPE, either TEXT
                                  (default) or DER. Only for TGS. Not written by
                                  default.
           --write-authenticator-file=[TYPE,]FILE
                                  Write Authenticator to FILE in TYPE, either TEXT
                                  (default) or DER. Only for TGS. Not written by
                                  default.
           --write-kdc-request-file=[TYPE,]FILE
                                  Write KDC-REQ to FILE in format TYPE; TEXT
                                  (default) or DER. Not written by default.
           --write-kdc-response-file=[TYPE,]FILE
                                  Write KDC-REP to FILE in format TYPE; TEXT
                                  (default) or DER. Not written by default.
     

2.9 miscellaneous

These parameters are applicable to all commands.

           --configuration-file=FILE   Read user configuration from file.  Default
                                  is ~/.shishi/config.
       -o, --library-options=STRING   Parse STRING as a configuration file
                                  statement.
       -q, --quiet, --silent      Don't produce any output.
       -s, --system-configuration-file=FILE
                                  Read system wide configuration from file.  Default
                                  is /usr/local/etc/shishi.conf.
       -t, --ticket-file=FILE     Read tickets from FILE. Default is
                                  $HOME/.shishi/tickets.
       -v, --verbose              Produce verbose output.
       -w, --ticket-write-file=FILE   Write tickets to FILE.  Default is to write
                                  them back to ticket file.
       -?, --help                 Give this help list
           --usage                Give a short usage message
       -V, --version              Print program version
     

3 Administration Manual

TBW.

4 Programming Manual

This chapter describes all the publicly available functions in the library.

• Preparation: What you should do before using the library.
• Initialization Functions: Creating library handle, configuration file.
• Ticket Set Functions: High-level ticket management functions.
• AP-REQ and AP-REP Functions: Client/Server authentication functions.
• SAFE and PRIV Functions: Client/Server session data functions.
• Ticket Functions: Medium-level ticket manipulation functions.
• AS Functions: Medium-level initial authentication functions.
• TGS Functions: Medium-level authentication functions.
• Ticket (ASN.1) Functions: Low-level Ticket functions.
• AS/TGS Functions: Low-level KDC functions; AS and TGS.
• Authenticator Functions: Low-level authenticator functions.
• Cryptographic Functions: Low-level cryptographic functions.
• Utility Functions: Utilities for use in the global context.
• Error Handling: Error codes and such.
• Examples: Example code.
• Generic Security Service: If you want to use the GSS API instead.

4.1 Preparation

To use `Libshishi', you have to perform some changes to your sources and the build system. The necessary changes are small and explained in the following sections. At the end of this chapter, it is described how the library is initialized, and how the requirements of the library are verified.

A faster way to find out how to adapt your application for use with `Libshishi' may be to look at the examples at the end of this manual (see Examples).

• Header:
• Initialization:
• Version Check:
• Building the source:

4.1.1 Header

All interfaces (data types and functions) of the library are defined in the header file `shishi.h'. You must include this in all programs using the library, either directly or through some other header file, like this:

     #include <shishi.h>
     

The name space of `Libshishi' is shishi_* for function names, Shishi* for data types and SHISHI_* for other symbols. In addition the same name prefixes with one prepended underscore are reserved for internal use and should never be used by an application.

4.1.2 Initialization

`Libshishi' must be initialized before it can be used. The library is initialized by calling shishi_init() (see Initialization Functions). The resources allocated by the initialization process can be released if the application no longer has a need to call `Libshishi' functions, this is done by calling shishi_done().

In order to take advantage of the internationalisation features in `Libshishi', such as translated error messages, the application must set the current locale using setlocale() before initializing `Libshishi'.

4.1.3 Version Check

It is often desirable to check that the version of `Libshishi' used is indeed one which fits all requirements. Even with binary compatibility new features may have been introduced but due to problem with the dynamic linker an old version is actually used. So you may want to check that the version is okay right after program startup.

const char * shishi_check_version (const char * req_version)

Function

req_version: version string to compare with, or NULL Check that the the version of the library is at minimum the one given as a string in req_version and return the actual version string of the library; return NULL if the condition is not met. If NULL is passed to this function no check is done and only the version string is returned. It is a pretty good idea to run this function as soon as possible, because it may also intializes some subsystems. In a multithreaded environment if should be called before any more threads are created.

The normal way to use the function is to put something similar to the following early in your main():

       if (!shishi_check_version (SHISHI_VERSION))
         {
           printf ("shishi_check_version() failed:\n"
                   "Header file incompatible with shared library.\n");
           exit(1);
         }
     

4.1.4 Building the source

If you want to compile a source file including the `shishi.h' header file, you must make sure that the compiler can find it in the directory hierarchy. This is accomplished by adding the path to the directory in which the header file is located to the compilers include file search path (via the -I option).

However, the path to the include file is determined at the time the source is configured. To solve this problem, `Libshishi' uses the external package pkg-config that knows the path to the include file and other configuration options. The options that need to be added to the compiler invocation at compile time are output by the --cflags option to pkg-config shishi. The following example shows how it can be used at the command line:

     gcc -c foo.c `pkg-config shishi --cflags`
     

Adding the output of pkg-config shishi --cflags to the compilers command line will ensure that the compiler can find the `Libshishi' header file.

A similar problem occurs when linking the program with the library. Again, the compiler has to find the library files. For this to work, the path to the library files has to be added to the library search path (via the -L option). For this, the option --libs to pkg-config shishi can be used. For convenience, this option also outputs all other options that are required to link the program with the `Libshishi' libararies (in particular, the -lshishi option). The example shows how to link foo.o with the `Libshishi' library to a program foo.

     gcc -o foo foo.o `pkg-config shishi --libs`
     

Of course you can also combine both examples to a single command by specifying both options to pkg-config:

     gcc -o foo foo.c `pkg-config shishi --cflags --libs`
     

4.2 Initialization Functions

Shishi * shishi ( void)

Function

Initializes the Shishi library. If this function fails, it may print diagnostic errors to stderr. Returns Shishi library handle, or NULL on error.

int shishi_init (Shishi ** handle)

Function

handle: pointer to handle to be created. Create a Shishi library handle and read the system configuration file, user configuration file and user tickets from the default paths. The paths to the system configuration file is decided at compile time, and is $sysconfdir/shishi.conf. The user configuration file is $HOME/.shishi/config, and the user ticket file is $HOME/.shishi/ticket. The handle is allocated regardless of return values, except for SHISHI_HANDLE_ERROR which indicates a problem allocating the handle. (The other error conditions comes from reading the files.) Returns SHISHI_OK iff successful.

int shishi_init_with_paths (Shishi ** handle, const char * tktsfile, const char * systemcfgfile, const char * usercfgfile)

Function

handle: pointer to handle to be created. tktsfile: Filename of ticket file, or NULL. systemcfgfile: Filename of system configuration, or NULL. usercfgfile: Filename of user configuration, or NULL. Like shishi_init() but use explicit paths. Like shishi_init(), the handle is allocated regardless of return values, except for SHISHI_HANDLE_ERROR which indicates a problem allocating the handle. (The other error conditions comes from reading the files.) Returns SHISHI_OK iff successful.

int shishi_init_server (Shishi ** handle)

Function

handle: pointer to handle to be created. Like shishi_init() but only read the system configuration file. Like shishi_init(), the handle is allocated regardless of return values, except for SHISHI_HANDLE_ERROR which indicates a problem allocating the handle. (The other error conditions comes from reading the configuration file.) Returns SHISHI_OK iff successful.

int shishi_init_server_with_paths (Shishi ** handle, const char * systemcfgfile)

Function

handle: pointer to handle to be created. systemcfgfile: Filename of system configuration, or NULL. Like shishi_init() but only read the system configuration file from specified location. Like shishi_init(), the handle is allocated regardless of return values, except for SHISHI_HANDLE_ERROR which indicates a problem allocating the handle. (The other error conditions comes from reading the configuration file.) Returns SHISHI_OK iff successful.

void shishi_done (Shishi * handle)

Function

handle: shishi handle as allocated by shishi_init(). Deallocates the shishi library handle. The handle must not be used in any calls to shishi functions after this. If there is a default tkts, it is written to the default tkts file (call shishi_tkts_default_file_set() to change the default tkts file). If you do not wish to write the default tkts file, close the default tkts with shishi_tkts_done(handle, NULL) before calling this function.

int shishi_cfg (Shishi * handle, char * option)

Function

option: string with shishi library option. Configure shishi library with given option. Returns SHISHI_OK if option was valid.

int shishi_cfg_from_file (Shishi * handle, const char * cfg)

Function

cfg: filename to read configuration from. Configure shishi library using configuration file. Returns SHISHI_OK iff succesful.

int shishi_cfg_print (Shishi * handle, FILE * fh)

Function

handle: Shishi library handle create by shishi_init(). fh: file descriptor opened for writing. Print library configuration status, mostly for debugging purposes. Returns SHISHI_OK.

const char * shishi_cfg_default_systemfile (Shishi * handle)

Function

handle: Shishi library handle create by shishi_init(). Return system configuration filename.

const char * shishi_cfg_default_userdirectory (Shishi * handle)

Function

handle: Shishi library handle create by shishi_init(). Return directory with configuration files etc.

const char * shishi_cfg_default_userfile (Shishi * handle)

Function

handle: Shishi library handle create by shishi_init(). Return user configuration filename.

int shishi_cfg_clientkdcetype (Shishi * handle, int32_t ** etypes)

Function

handle: Shishi library handle create by shishi_init(). etypes: output array with encryption types. Set the etypes variable to the array of preferred client etypes. Return the number of encryption types in the array, 0 means none.

int shishi_cfg_clientkdcetype_set (Shishi * handle, char * value)

Function

handle: Shishi library handle create by shishi_init(). value: string with encryption types. Set the "client-kdc-etypes" configuration option from given string. The string contains encryption types (integer or names) separated by comma or whitespace, e.g. "aes256-cts-hmac-sha1-96 des3-cbc-sha1-kd des-cbc-md5". Return SHISHI_OK iff successful.

4.3 Ticket Set Functions

A "ticket set" is, as the name implies, a collection of tickets. Functions are provided to read tickets from file into a ticket set, to query number of tickets in the set, to extract a given ticket from the set, to search the ticket set for tickets matching certain criterium, to write the ticket set to a file, etc. High level functions for performing a initial authentication (see AS Functions) or subsequent authentication (see TGS Functions) and storing the new ticket in the ticket set are also provided.

To manipulate each individual ticket, See Ticket Functions. For low-level ASN.1 manipulation see See Ticket (ASN.1) Functions.

char * shishi_tkts_default_file_guess ( void)

Function

Guesses the default ticket filename; it is $HOME/.shishi/tickets. Returns default tkts filename as a string that has to be deallocated with free() by the caller.

const char * shishi_tkts_default_file (Shishi * handle)

Function

handle: Shishi library handle create by shishi_init(). Returns the default ticket set filename used in the library. (Not a copy of it, so don't modify or deallocate it.)

void shishi_tkts_default_file_set (Shishi * handle, const char * tktsfile)

Function

handle: Shishi library handle create by shishi_init(). tktsfile: string with new default tkts file name, or NULL to reset to default. Set the default ticket set filename used in the library. The string is copied into the library, so you can dispose of the variable immediately after calling this function.

Shishi_tkts * shishi_tkts_default (Shishi * handle)

Function

handle: Shishi library handle create by shishi_init(). Return the handle global ticket set.

int shishi_tkts (Shishi * handle, Shishi_tkts ** tkts)

Function

handle: shishi handle as allocated by shishi_init(). tkts: output pointer to newly allocated tkts handle. Returns SHISHI_OK iff successful.

void shishi_tkts_done (Shishi_tkts ** tkts)

Function

tkts: ticket set handle as allocated by shishi_tkts(). Deallocates all resources associated with ticket set. The ticket set handle must not be used in calls to other shishi_tkts_*() functions after this.

int shishi_tkts_size (Shishi_tkts * tkts)

Function

tkts: ticket set handle as allocated by shishi_tkts(). Returns number of tickets stored in ticket set.

Shishi_tkt * shishi_tkts_nth (Shishi_tkts * tkts, int ticketno)

Function

tkts: ticket set handle as allocated by shishi_tkts(). ticketno: integer indicating requested ticket in ticket set. Returns a ticket handle to the ticketno:th ticket in the ticket set, or NULL if ticket set is invalid or ticketno is out of bounds. The first ticket is ticketno 0, the second ticketno 1, and so on.

int shishi_tkts_remove (Shishi_tkts * tkts, int ticketno)

Function

tkts: ticket set handle as allocated by shishi_tkts(). Returns SHISHI_OK if succesful or if ticketno larger than size of ticket set.

int shishi_tkts_add (Shishi_tkts * tkts, Shishi_tkt * tkt)

Function

tkts: ticket set handle as allocated by shishi_tkts(). Returns SHISHI_OK iff succesful.

int shishi_tkts_new (Shishi_tkts * tkts, Shishi_asn1 ticket, Shishi_asn1 enckdcreppart, Shishi_asn1 kdcrep)

Function

tkts: ticket set handle as allocated by shishi_tkts(). ticket: input ticket variable. enckdcreppart: input ticket detail variable. kdcrep: input KDC-REP variable. Allocate a new ticket and add it to the ticket set. Returns SHISHI_OK iff succesful.

int shishi_tkts_read (Shishi_tkts * tkts, FILE * fh)

Function

tkts: ticket set handle as allocated by shishi_tkts(). fh: file descriptor to read from. Read tickets from file descriptor and add them to the ticket set. Returns SHISHI_OK iff succesful.

int shishi_tkts_from_file (Shishi_tkts * tkts, const char * filename)

Function

tkts: ticket set handle as allocated by shishi_tkts(). filename: filename to read tickets from. Read tickets from file and add them to the ticket set. Returns SHISHI_OK iff succesful.

int shishi_tkts_write (Shishi_tkts * tkts, FILE * fh)

Function

tkts: ticket set handle as allocated by shishi_tkts(). Write tickets in set to file descriptor. Returns SHISHI_OK iff succesful.

int shishi_tkts_expire (Shishi_tkts * tkts)

Function

tkts: ticket set handle as allocated by shishi_tkts(). Remove expired tickets from ticket set. Returns SHISHI_OK iff succesful.

int shishi_tkts_to_file (Shishi_tkts * tkts, const char * filename)

Function

tkts: ticket set handle as allocated by shishi_tkts(). filename: filename to write tickets to. Write tickets in set to file. Returns SHISHI_OK iff succesful.

int shishi_tkts_print_for_service (Shishi_tkts * tkts, FILE * fh, const char * service)

Function

tkts: ticket set handle as allocated by shishi_tkts(). fh: file descriptor to print to. service: service to limit tickets printed to, or NULL. Print description of tickets for specified service to file descriptor. If service is NULL, all tickets are printed. Returns SHISHI_OK iff succesful.

int shishi_tkts_print (Shishi_tkts * tkts, FILE * fh)

Function

tkts: ticket set handle as allocated by shishi_tkts(). fh: file descriptor to print to. Print description of all tickets to file descriptor. Returns SHISHI_OK iff succesful.

int shishi_tkt_match_p (Shishi_tkt * tkt, Shishi_tkts_hint * hint)

Function

tkt: ticket to test hints on. hint: structure with characteristics of ticket to be found. Returns 0 iff ticket fails to match given criteria.

Shishi_tkt * shishi_tkts_find (Shishi_tkts * tkts, Shishi_tkts_hint * hint)

Function

tkts: ticket set handle as allocated by shishi_tkts(). hint: structure with characteristics of ticket to be found. Search the ticketset sequentially (from ticket number 0 through all tickets in the set) for a ticket that fits the given characteristics. If a ticket is found, the hint->startpos field is updated to point to the next ticket in the set, so this function can be called repeatedly with the same hint argument in order to find all tickets matching a certain criterium. Note that if tickets are added to, or removed from, the ticketset during a query with the same hint argument, the hint->startpos field must be updated appropriately. Shishi_tkts_hint hint; Shishi_tkt tkt; ... memset(hint, 0, sizeof(hint)); hint.server = "imap/mail.example.org"; tkt = shishi_tkts_find (shishi_tkts_default(handle), hint); if (!tkt) printf("No ticket found...\n"); else ...do something with ticket Returns a ticket if found, or NULL if no further matching tickets could be found.

Shishi_tkt * shishi_tkts_find_for_clientserver (Shishi_tkts * tkts, const char * client, const char * server)

Function

tkts: ticket set handle as allocated by shishi_tkts(). client: client name to find ticket for. server: server name to find ticket for. Short-hand function for searching the ticket set for a ticket for the given client and server. See shishi_tkts_find(). Returns a ticket if found, or NULL.

Shishi_tkt * shishi_tkts_find_for_server (Shishi_tkts * tkts, const char * server)

Function

tkts: ticket set handle as allocated by shishi_tkts(). server: server name to find ticket for. Short-hand function for searching the ticket set for a ticket for the given server using the default client principal. See shishi_tkts_find_for_clientserver() and shishi_tkts_find(). Returns a ticket if found, or NULL.

Shishi_tkt * shishi_tkts_get (Shishi_tkts * tkts, Shishi_tkts_hint * hint)

Function

tkts: ticket set handle as allocated by shishi_tkts(). hint: structure with characteristics of ticket to begot. Get a ticket matching given characteristics. This function first looks in the ticket set for the ticket, then tries to find a TGT for the realm (possibly by using an AS exchange) and then use the TGT in a TGS exchange to get the ticket. Currently this function do not implement cross realm logic. Returns a ticket if found, or NULL if this function is unable to get the ticket.

Shishi_tkt * shishi_tkts_get_for_clientserver (Shishi_tkts * tkts, const char * client, const char * server)

Function

tkts: ticket set handle as allocated by shishi_tkts(). client: client name to get ticket for. server: server name to get ticket for. Short-hand function for getting a ticket for the given client and server. See shishi_tkts_get(). Returns a ticket if found, or NULL.

Shishi_tkt * shishi_tkts_get_for_server (Shishi_tkts * tkts, const char * server)

Function

tkts: ticket set handle as allocated by shishi_tkts(). server: server name to get ticket for. Short-hand function for getting a ticket for the given server and the default principal client. See shishi_tkts_get(). Returns a ticket if found, or NULL.

4.4 AP-REQ and AP-REP Functions

The "AP-REQ" and "AP-REP" are ASN.1 structures used by application client and servers to prove to each other who they are. The structures contain auxilliary information, together with an authenticator (see Authenticator Functions) which is the real cryptographic proof. The following illustrates the AP-REQ and AP-REP ASN.1 structures.

AP-REQ		::= [APPLICATION 14] SEQUENCE {
	pvno		[0] INTEGER (5),
	msg-type	[1] INTEGER (14),
	ap-options	[2] APOptions,
	ticket		[3] Ticket,
	authenticator	[4] EncryptedData {Authenticator,
				{ keyuse-pa-TGSReq-authenticator
				  | keyuse-APReq-authenticator }}
}

AP-REP		::= [APPLICATION 15] SEQUENCE {
	pvno		[0] INTEGER (5),
	msg-type	[1] INTEGER (15),
	enc-part	[2] EncryptedData {EncAPRepPart,
				{ keyuse-EncAPRepPart }}
}

EncAPRepPart	::= [APPLICATION 27] SEQUENCE {
	ctime		[0] KerberosTime,
	cusec		[1] Microseconds,
	subkey		[2] EncryptionKey OPTIONAL,
	seq-number	[3] UInt32 OPTIONAL
}

int shishi_ap (Shishi * handle, Shishi_ap ** ap)

Function

handle: shishi handle as allocated by shishi_init(). ap: pointer to new structure that holds information about AP exchange Create a new AP exchange. Returns SHISHI_OK iff successful.

int shishi_ap_set_tktoptions (Shishi_ap * ap, Shishi_tkt * tkt, int options)

Function

ap: structure that holds information about AP exchange tkt: ticket to set in AP. options: AP-REQ options to set in AP. Set the ticket (see shishi_ap_tkt_set()) and set the AP-REQ apoptions (see shishi_apreq_options_set()). Returns SHISHI_OK iff successful.

int shishi_ap_set_tktoptionsdata (Shishi_ap * ap, Shishi_tkt * tkt, int options, char * data, int len)

Function

ap: structure that holds information about AP exchange tkt: ticket to set in AP. options: AP-REQ options to set in AP. data: input array with data to checksum in Authenticator. len: length of input array with data to checksum in Authenticator. Set the ticket (see shishi_ap_tkt_set()) and set the AP-REQ apoptions (see shishi_apreq_options_set()) and set the Authenticator checksum data. Returns SHISHI_OK iff successful.

int shishi_ap_set_tktoptionsasn1usage (Shishi_ap * ap, Shishi_tkt * tkt, int options, Shishi_asn1 node, char * field, int authenticatorcksumkeyusage, int authenticatorkeyusage)

Function

ap: structure that holds information about AP exchange tkt: ticket to set in AP. options: AP-REQ options to set in AP. node: input ASN.1 structure to store as authenticator checksum data. Set ticket, options and authenticator checksum data using shishi_ap_set_tktoptionsdata(). The authenticator checksum data is the DER encoding of the ASN.1 structure provided. Returns SHISHI_OK iff successful.

int shishi_ap_tktoptions (Shishi * handle, Shishi_ap ** ap, Shishi_tkt * tkt, int options)

Function

handle: shishi handle as allocated by shishi_init(). ap: pointer to new structure that holds information about AP exchange tkt: ticket to set in newly created AP. options: AP-REQ options to set in newly created AP. Create a new AP exchange using shishi_ap(), and set the ticket and AP-REQ apoptions using shishi_ap_set_tktoption(). Returns SHISHI_OK iff successful.

int shishi_ap_tktoptionsdata (Shishi * handle, Shishi_ap ** ap, Shishi_tkt * tkt, int options, char * data, int len)

Function

handle: shishi handle as allocated by shishi_init(). ap: pointer to new structure that holds information about AP exchange tkt: ticket to set in newly created AP. options: AP-REQ options to set in newly created AP. data: input array with data to checksum in Authenticator. len: length of input array with data to checksum in Authenticator. Create a new AP exchange using shishi_ap(), and set the ticket, AP-REQ apoptions and the Authenticator checksum data using shishi_ap_set_tktoptionsdata(). Returns SHISHI_OK iff successful.

int shishi_ap_tktoptionsasn1usage (Shishi * handle, Shishi_ap ** ap, Shishi_tkt * tkt, int options, Shishi_asn1 node, char * field, int authenticatorcksumkeyusage, int authenticatorkeyusage)

Function

handle: shishi handle as allocated by shishi_init(). ap: pointer to new structure that holds information about AP exchange tkt: ticket to set in newly created AP. options: AP-REQ options to set in newly created AP. node: input ASN.1 structure to store as authenticator checksum data. Create a new AP exchange using shishi_ap(), and set ticket, options and authenticator checksum data from the DER encoding of the ASN.1 field using shishi_ap_set_tktoptionsasn1usage(). Returns SHISHI_OK iff successful.

Shishi_tkt * shishi_ap_tkt (Shishi_ap * ap)

Function

ap: structure that holds information about AP exchange Returns the ticket from the AP exchange, or NULL if not yet set or an error occured.

void shishi_ap_tkt_set (Shishi_ap * ap, Shishi_tkt * tkt)

Function

ap: structure that holds information about AP exchange tkt: ticket to store in AP. Set the Ticket in the AP exchange.

int shishi_ap_authenticator_cksumdata (Shishi_ap * ap, char * out, int * len)

Function

ap: structure that holds information about AP exchange out: output array that holds authenticator checksum data. len: on input, maximum length of output array that holds authenticator checksum data, on output actual length of output array that holds authenticator checksum data. Returns SHISHI_OK if successful, or SHISHI_TOO_SMALL_BUFFER if buffer provided was too small.

void shishi_ap_authenticator_cksumdata_set (Shishi_ap * ap, char * authenticatorcksumdata, int authenticatorcksumdatalen)

Function

ap: structure that holds information about AP exchange authenticatorcksumdata: length of input array with authenticator checksum data to use in AP. Set the Authenticator Checksum Data in the AP exchange.

Shishi_asn1 shishi_ap_authenticator (Shishi_ap * ap)

Function

ap: structure that holds information about AP exchange Returns the Authenticator from the AP exchange, or NULL if not yet set or an error occured.

void shishi_ap_authenticator_set (Shishi_ap * ap, Shishi_asn1 authenticator)

Function

ap: structure that holds information about AP exchange authenticator: authenticator to store in AP. Set the Authenticator in the AP exchange.

Shishi_asn1 shishi_ap_req (Shishi_ap * ap)

Function

ap: structure that holds information about AP exchange Returns the AP-REQ from the AP exchange, or NULL if not yet set or an error occured.

void shishi_ap_req_set (Shishi_ap * ap, Shishi_asn1 apreq)

Function

ap: structure that holds information about AP exchange apreq: apreq to store in AP. Set the AP-REQ in the AP exchange.

int shishi_ap_req_der (Shishi_ap * ap, char * out, int * outlen)

Function

ap: structure that holds information about AP exchange out: output array with der encoding of AP-REQ. outlen: length of output array with der encoding of AP-REQ. Build AP-REQ using shishi_ap_req_build() and DER encode it. Returns SHISHI_OK iff successful.

int shishi_ap_req_der_new (Shishi_ap * ap, char ** out, int * outlen)

Function

ap: structure that holds information about AP exchange out: pointer to output array with der encoding of AP-REQ. outlen: pointer to length of output array with der encoding of AP-REQ. Build AP-REQ using shishi_ap_req_build() and DER encode it. out is allocated by this function, and it is the responsibility of caller to deallocate it. Returns SHISHI_OK iff successful.

int shishi_ap_req_der_set (Shishi_ap * ap, char * der, size_t derlen)

Function

ap: structure that holds information about AP exchange der: input array with DER encoded AP-REQ. derlen: length of input array with DER encoded AP-REQ. DER decode AP-REQ and set it AP exchange. If decoding fails, the AP-REQ in the AP exchange is lost. Returns SHISHI_OK.

int shishi_ap_req_build (Shishi_ap * ap)

Function

ap: structure that holds information about AP exchange Checksum data in authenticator and add ticket and authenticator to AP-REQ. Returns SHISHI_OK iff successful.

int shishi_ap_req_process (Shishi_ap * ap, Shishi_key * key)

Function

ap: structure that holds information about AP exchange Decrypt ticket in AP-REQ using supplied key and decrypt Authenticator in AP-REQ using key in decrypted ticket, and on success set the Ticket and Authenticator fields in the AP exchange. Returns SHISHI_OK iff successful.

int shishi_ap_req_asn1 (Shishi_ap * ap, Shishi_asn1 * apreq)

Function

ap: structure that holds information about AP exchange apreq: output AP-REQ variable. Build AP-REQ using shishi_ap_req_build() and return it. Returns SHISHI_OK iff successful.

Shishi_asn1 shishi_ap_rep (Shishi_ap * ap)

Function

ap: structure that holds information about AP exchange Returns the AP-REP from the AP exchange, or NULL if not yet set or an error occured.

void shishi_ap_rep_set (Shishi_ap * ap, Shishi_asn1 aprep)

Function

ap: structure that holds information about AP exchange aprep: aprep to store in AP. Set the AP-REP in the AP exchange.

int shishi_ap_rep_der (Shishi_ap * ap, char * out, size_t * outlen)

Function

ap: structure that holds information about AP exchange out: output array with der encoding of AP-REP. outlen: length of output array with der encoding of AP-REP. Build AP-REP using shishi_ap_rep_build() and DER encode it. Returns SHISHI_OK iff successful.

int shishi_ap_rep_der_set (Shishi_ap * ap, char * der, size_t derlen)

Function

ap: structure that holds information about AP exchange der: input array with DER encoded AP-REP. derlen: length of input array with DER encoded AP-REP. DER decode AP-REP and set it AP exchange. If decoding fails, the AP-REP in the AP exchange remains. Returns SHISHI_OK.

int shishi_ap_rep_build (Shishi_ap * ap)

Function

ap: structure that holds information about AP exchange Checksum data in authenticator and add ticket and authenticator to AP-REQ. Returns SHISHI_OK iff successful.

int shishi_ap_rep_asn1 (Shishi_ap * ap, Shishi_asn1 * aprep)

Function

ap: structure that holds information about AP exchange Build AP-REP using shishi_ap_rep_build() and return it. Returns SHISHI_OK iff successful.

int shishi_ap_rep_verify (Shishi_ap * ap)

Function

ap: structure that holds information about AP exchange Verify AP-REP compared to Authenticator. Returns SHISHI_OK, SHISHI_APREP_VERIFY_FAILED or an error.

int shishi_ap_rep_verify_der (Shishi_ap * ap, char * der, size_t derlen)

Function

ap: structure that holds information about AP exchange der: input array with DER encoded AP-REP. derlen: length of input array with DER encoded AP-REP. DER decode AP-REP and set it in AP exchange using shishi_ap_rep_der_set() and verify it using shishi_ap_rep_verify(). Returns SHISHI_OK, SHISHI_APREP_VERIFY_FAILED or an error.

int shishi_ap_rep_verify_asn1 (Shishi_ap * ap, Shishi_asn1 aprep)

Function

ap: structure that holds information about AP exchange aprep: input AP-REP. Set the AP-REP in the AP exchange using shishi_ap_rep_set() and verify it using shishi_ap_rep_verify(). Returns SHISHI_OK, SHISHI_APREP_VERIFY_FAILED or an error.

Shishi_asn1 shishi_ap_encapreppart (Shishi_ap * ap)

Function

ap: structure that holds information about AP exchange Returns the EncAPREPPart from the AP exchange, or NULL if not yet set or an error occured.

void shishi_ap_encapreppart_set (Shishi_ap * ap, Shishi_asn1 encapreppart)

Function

ap: structure that holds information about AP exchange encapreppart: EncAPRepPart to store in AP. Set the EncAPRepPart in the AP exchange.

Shishi_asn1 shishi_apreq (Shishi * handle)

Function

handle: shishi handle as allocated by shishi_init(). This function creates a new AP-REQ, populated with some default values. Returns the AP-REQ or NULL on failure.

int shishi_apreq_print (Shishi * handle, FILE * fh, Shishi_asn1 apreq)

Function

handle: shishi handle as allocated by shishi_init(). fh: file handle open for writing. apreq: AP-REQ to print. Print ASCII armored DER encoding of AP-REQ to file. Returns SHISHI_OK iff successful.

int shishi_apreq_save (Shishi * handle, FILE * fh, Shishi_asn1 apreq)

Function

handle: shishi handle as allocated by shishi_init(). fh: file handle open for writing. apreq: AP-REQ to save. Save DER encoding of AP-REQ to file. Returns SHISHI_OK iff successful.

int shishi_apreq_to_file (Shishi * handle, Shishi_asn1 apreq, int filetype, char * filename)

Function

handle: shishi handle as allocated by shishi_init(). apreq: AP-REQ to save. filetype: input variable specifying type of file to be written, see Shishi_filetype. filename: input variable with filename to write to. Write AP-REQ to file in specified TYPE. The file will be truncated if it exists. Returns SHISHI_OK iff successful.

int shishi_apreq_parse (Shishi * handle, FILE * fh, Shishi_asn1 * apreq)

Function

handle: shishi handle as allocated by shishi_init(). fh: file handle open for reading. apreq: output variable with newly allocated AP-REQ. Read ASCII armored DER encoded AP-REQ from file and populate given variable. Returns SHISHI_OK iff successful.

int shishi_apreq_read (Shishi * handle, FILE * fh, Shishi_asn1 * apreq)

Function

handle: shishi handle as allocated by shishi_init(). fh: file handle open for reading. apreq: output variable with newly allocated AP-REQ. Read DER encoded AP-REQ from file and populate given variable. Returns SHISHI_OK iff successful.

int shishi_apreq_from_file (Shishi * handle, Shishi_asn1 * apreq, int filetype, char * filename)

Function

handle: shishi handle as allocated by shishi_init(). apreq: output variable with newly allocated AP-REQ. filetype: input variable specifying type of file to be read, see Shishi_filetype. filename: input variable with filename to read from. Read AP-REQ from file in specified TYPE. Returns SHISHI_OK iff successful.

int shishi_apreq_set_authenticator (Shishi * handle, Shishi_asn1 apreq, int32_t etype, char * buf, int buflen)

Function

handle: shishi handle as allocated by shishi_init(). apreq: AP-REQ to add authenticator field to. etype: encryption type used to encrypt authenticator. buf: input array with encrypted authenticator. buflen: size of input array with encrypted authenticator. Set the encrypted authenticator field in the AP-REP. The encrypted data is usually created by calling shishi_encrypt() on the DER encoded authenticator. To save time, you may want to use shishi_apreq_add_authenticator() instead, which calculates the encrypted data and calls this function in one step.

int shishi_apreq_add_authenticator (Shishi * handle, Shishi_asn1 apreq, Shishi_key * key, int keyusage, Shishi_asn1 authenticator)

Function

handle: shishi handle as allocated by shishi_init(). apreq: AP-REQ to add authenticator field to. authenticator: authenticator as allocated by shishi_authenticator(). Encrypts DER encoded authenticator using key from ticket and store it in the AP-REQ. Returns SHISHI_OK iff successful.

int shishi_apreq_set_ticket (Shishi * handle, Shishi_asn1 apreq, Shishi_asn1 ticket)

Function

handle: shishi handle as allocated by shishi_init(). apreq: AP-REQ to add ticket field to. ticket: input ticket to copy into AP-REQ ticket field. Copy ticket into AP-REQ. Returns SHISHI_OK iff successful.

int shishi_apreq_get_authenticator_etype (Shishi * handle, Shishi_asn1 apreq, int32_t * etype)

Function

handle: shishi handle as allocated by shishi_init(). etype: output variable that holds the value. Extract KDC-REP.enc-part.etype. Returns SHISHI_OK iff successful.

int shishi_apreq_get_ticket (Shishi * handle, Shishi_asn1 apreq, Shishi_asn1 * ticket)

Function

handle: shishi handle as allocated by shishi_init(). ticket: output variable to hold extracted ticket. Extract ticket from AP-REQ. Returns SHISHI_OK iff successful.

Shishi_asn1 shishi_aprep (Shishi * handle)

Function

handle: shishi handle as allocated by shishi_init(). This function creates a new AP-REP, populated with some default values. Returns the authenticator or NULL on failure.

int shishi_aprep_print (Shishi * handle, FILE * fh, Shishi_asn1 aprep)

Function

handle: shishi handle as allocated by shishi_init(). fh: file handle open for writing. aprep: AP-REP to print. Print ASCII armored DER encoding of AP-REP to file. Returns SHISHI_OK iff successful.

int shishi_aprep_save (Shishi * handle, FILE * fh, Shishi_asn1 aprep)

Function

handle: shishi handle as allocated by shishi_init(). fh: file handle open for writing. aprep: AP-REP to save. Save DER encoding of AP-REP to file. Returns SHISHI_OK iff successful.

int shishi_aprep_to_file (Shishi * handle, Shishi_asn1 aprep, int filetype, char * filename)

Function

handle: shishi handle as allocated by shishi_init(). aprep: AP-REP to save. filetype: input variable specifying type of file to be written, see Shishi_filetype. filename: input variable with filename to write to. Write AP-REP to file in specified TYPE. The file will be truncated if it exists. Returns SHISHI_OK iff successful.

int shishi_aprep_parse (Shishi * handle, FILE * fh, Shishi_asn1 * aprep)

Function

handle: shishi handle as allocated by shishi_init(). fh: file handle open for reading. aprep: output variable with newly allocated AP-REP. Read ASCII armored DER encoded AP-REP from file and populate given variable. Returns SHISHI_OK iff successful.

int shishi_aprep_read (Shishi * handle, FILE * fh, Shishi_asn1 * aprep)

Function

handle: shishi handle as allocated by shishi_init(). fh: file handle open for reading. aprep: output variable with newly allocated AP-REP. Read DER encoded AP-REP from file and populate given variable. Returns SHISHI_OK iff successful.

int shishi_aprep_from_file (Shishi * handle, Shishi_asn1 * aprep, int filetype, char * filename)

Function

handle: shishi handle as allocated by shishi_init(). aprep: output variable with newly allocated AP-REP. filetype: input variable specifying type of file to be read, see Shishi_filetype. filename: input variable with filename to read from. Read AP-REP from file in specified TYPE. Returns SHISHI_OK iff successful.

int shishi_aprep_get_enc_part_etype (Shishi * handle, Shishi_asn1 aprep, int32_t * etype)

Function

handle: shishi handle as allocated by shishi_init(). aprep: AP-REP variable to get value from. etype: output variable that holds the value. Extract AP-REP.enc-part.etype. Returns SHISHI_OK iff successful.

int shishi_encapreppart_print (Shishi * handle, FILE * fh, Shishi_asn1 encapreppart)

Function

handle: shishi handle as allocated by shishi_init(). fh: file handle open for writing. encapreppart: EncAPRepPart to print. Print ASCII armored DER encoding of EncAPRepPart to file. Returns SHISHI_OK iff successful.

int shishi_encapreppart_save (Shishi * handle, FILE * fh, Shishi_asn1 encapreppart)

Function

handle: shishi handle as allocated by shishi_init(). fh: file handle open for writing. encapreppart: EncAPRepPart to save. Save DER encoding of EncAPRepPart to file. Returns SHISHI_OK iff successful.

int shishi_encapreppart_to_file (Shishi * handle, Shishi_asn1 encapreppart, int filetype, char * filename)

Function

handle: shishi handle as allocated by shishi_init(). encapreppart: EncAPRepPart to save. filetype: input variable specifying type of file to be written, see Shishi_filetype. filename: input variable with filename to write to. Write EncAPRepPart to file in specified TYPE. The file will be truncated if it exists. Returns SHISHI_OK iff successful.

int shishi_encapreppart_parse (Shishi * handle, FILE * fh, Shishi_asn1 * encapreppart)

Function

handle: shishi handle as allocated by shishi_init(). fh: file handle open for reading. encapreppart: output variable with newly allocated EncAPRepPart. Read ASCII armored DER encoded EncAPRepPart from file and populate given variable. Returns SHISHI_OK iff successful.

int shishi_encapreppart_read (Shishi * handle, FILE * fh, Shishi_asn1 * encapreppart)

Function

handle: shishi handle as allocated by shishi_init(). fh: file handle open for reading. encapreppart: output variable with newly allocated EncAPRepPart. Read DER encoded EncAPRepPart from file and populate given variable. Returns SHISHI_OK iff successful.

int shishi_encapreppart_from_file (Shishi * handle, Shishi_asn1 * encapreppart, int filetype, char * filename)

Function

handle: shishi handle as allocated by shishi_init(). encapreppart: output variable with newly allocated EncAPRepPart. filetype: input variable specifying type of file to be read, see Shishi_filetype. filename: input variable with filename to read from. Read EncAPRepPart from file in specified TYPE. Returns SHISHI_OK iff successful.

int shishi_encapreppart_get_key (Shishi * handle, Shishi_asn1 encapreppart, int32_t * keytype, char * keyvalue, size_t * keyvalue_len)

Function

handle: shishi handle as allocated by shishi_init(). encapreppart: input EncAPRepPart variable. keytype: output variable that holds key type. keyvalue: output array with key. keyvalue_len: on input, maximum size of output array with key, on output, holds the actual size of output array with key. Extract the subkey from the encrypted AP-REP part. Returns SHISHI_OK iff succesful.

int shishi_encapreppart_ctime_set (Shishi * handle, Shishi_asn1 encapreppart, char * ctime)

Function

handle: shishi handle as allocated by shishi_init(). encapreppart: EncAPRepPart as allocated by shishi_encapreppart(). ctime: string with generalized time value to store in EncAPRepPart. Store client time in EncAPRepPart. Returns SHISHI_OK iff successful.

int shishi_encapreppart_cusec_get (Shishi * handle, Shishi_asn1 encapreppart, int * cusec)

Function

handle: shishi handle as allocated by shishi_init(). encapreppart: EncAPRepPart as allocated by shishi_encapreppart(). cusec: output integer with client microseconds field. Extract client microseconds field from EncAPRepPart. Returns SHISHI_OK iff successful.

int shishi_encapreppart_cusec_set (Shishi * handle, Shishi_asn1 encapreppart, int cusec)

Function

handle: shishi handle as allocated by shishi_init(). encapreppart: EncAPRepPart as allocated by shishi_encapreppart(). cusec: client microseconds to set in authenticator, 0-999999. Set the cusec field in the Authenticator. Returns SHISHI_OK iff successful.

int shishi_encapreppart_seqnumber_get (Shishi * handle, Shishi_asn1 encapreppart, uint32_t * seqnumber)

Function

handle: shishi handle as allocated by shishi_init(). encapreppart: EncAPRepPart as allocated by shishi_encapreppart(). seqnumber: output integer with sequence number field. Extract sequence number field from EncAPRepPart. Returns SHISHI_OK iff successful.

4.5 SAFE and PRIV Functions

The "KRB-SAFE" is an ASN.1 structure used by application client and servers to exchange integrity protected data. The integrity protection is keyed, usually with a key agreed on via the AP exchange (see AP-REQ and AP-REP Functions). The following illustrates the KRB-SAFE ASN.1 structure.

   KRB-SAFE        ::= [APPLICATION 20] SEQUENCE {
           pvno            [0] INTEGER (5),
           msg-type        [1] INTEGER (20),
           safe-body       [2] KRB-SAFE-BODY,
           cksum           [3] Checksum
   }

   KRB-SAFE-BODY   ::= SEQUENCE {
           user-data       [0] OCTET STRING,
           timestamp       [1] KerberosTime OPTIONAL,
           usec            [2] Microseconds OPTIONAL,
           seq-number      [3] UInt32 OPTIONAL,
           s-address       [4] HostAddress,
           r-address       [5] HostAddress OPTIONAL
   }

int shishi_safe (Shishi * handle, Shishi_safe ** safe)

Function

handle: shishi handle as allocated by shishi_init(). safe: pointer to new structure that holds information about SAFE exchange Create a new SAFE exchange. Returns SHISHI_OK iff successful.

Shishi_key * shishi_safe_key (Shishi_safe * safe)

Function

Returns the key used in the SAFE exchange, or NULL if not yet set or an error occured.

void shishi_safe_key_set (Shishi_safe * safe, Shishi_key * key)

Function

safe: structure that holds information about SAFE exchange key: key to store in SAFE. Set the Key in the SAFE exchange.

Shishi_asn1 shishi_safe_safe (Shishi_safe * safe)

Function

Returns the ASN.1 safe in the SAFE exchange, or NULL if not yet set or an error occured.

void shishi_safe_safe_set (Shishi_safe * safe, Shishi_asn1 asn1safe)

Function

safe: KRB-SAFE to store in SAFE exchange. Set the KRB-SAFE in the SAFE exchange.

int shishi_safe_safe_der (Shishi_safe * safe, char * out, int * outlen)

Function

safe: safe as allocated by shishi_safe(). out: output array with der encoding of SAFE. outlen: length of output array with der encoding of SAFE. DER encode SAFE structure. Typically shishi_safe_build() is used instead to build the SAFE structure first. Returns SHISHI_OK iff successful.

int shishi_safe_safe_der_set (Shishi_safe * safe, char * der, size_t derlen)

Function

safe: safe as allocated by shishi_safe(). der: input array with DER encoded KRB-SAFE. derlen: length of input array with DER encoded KRB-SAFE. DER decode KRB-SAFE and set it SAFE exchange. If decoding fails, the KRB-SAFE in the SAFE exchange remains. Returns SHISHI_OK.

int shishi_safe_print (Shishi * handle, FILE * fh, Shishi_asn1 safe)

Function

handle: shishi handle as allocated by shishi_init(). fh: file handle open for writing. safe: SAFE to print. Print ASCII armored DER encoding of SAFE to file. Returns SHISHI_OK iff successful.

int shishi_safe_save (Shishi * handle, FILE * fh, Shishi_asn1 safe)

Function

handle: shishi handle as allocated by shishi_init(). fh: file handle open for writing. safe: SAFE to save. Save DER encoding of SAFE to file. Returns SHISHI_OK iff successful.

int shishi_safe_to_file (Shishi * handle, Shishi_asn1 safe, int filetype, char * filename)

Function

handle: shishi handle as allocated by shishi_init(). safe: SAFE to save. filetype: input variable specifying type of file to be written, see Shishi_filetype. filename: input variable with filename to write to. Write SAFE to file in specified TYPE. The file will be truncated if it exists. Returns SHISHI_OK iff successful.

int shishi_safe_parse (Shishi * handle, FILE * fh, Shishi_asn1 * safe)

Function

handle: shishi handle as allocated by shishi_init(). fh: file handle open for reading. safe: output variable with newly allocated SAFE. Read ASCII armored DER encoded SAFE from file and populate given variable. Returns SHISHI_OK iff successful.

int shishi_safe_read (Shishi * handle, FILE * fh, Shishi_asn1 * safe)

Function

handle: shishi handle as allocated by shishi_init(). fh: file handle open for reading. safe: output variable with newly allocated SAFE. Read DER encoded SAFE from file and populate given variable. Returns SHISHI_OK iff successful.

int shishi_safe_from_file (Shishi * handle, Shishi_asn1 * safe, int filetype, char * filename)

Function

handle: shishi handle as allocated by shishi_init(). safe: output variable with newly allocated SAFE. filetype: input variable specifying type of file to be read, see Shishi_filetype. filename: input variable with filename to read from. Read SAFE from file in specified TYPE. Returns SHISHI_OK iff successful.

int shishi_safe_cksum (Shishi * handle, Shishi_asn1 safe, int32_t * cksumtype, char * cksum, size_t * cksumlen)

Function

handle: shishi handle as allocated by shishi_init(). safe: safe as allocated by shishi_safe(). cksumtype: output checksum type. cksum: output checksum data from SAFE. cksumlen: on input, maximum size of output checksum data buffer, on output, actual size of output checksum data buffer. Read checksum value from KRB-SAFE. Returns SHISHI_OK iff successful.

int shishi_safe_set_cksum (Shishi * handle, Shishi_asn1 safe, int32_t cksumtype, char * cksum, size_t cksumlen)

Function

handle: shishi handle as allocated by shishi_init(). safe: safe as allocated by shishi_safe(). cksumtype: input checksum type to store in SAFE. cksum: input checksum data to store in SAFE. cksumlen: size of input checksum data to store in SAFE. Store checksum value in SAFE. A checksum is usually created by calling shishi_checksum() on some application specific data using the key from the ticket that is being used. To save time, you may want to use shishi_safe_build() instead, which calculates the checksum and calls this function in one step. Returns SHISHI_OK iff successful.

int shishi_safe_user_data (Shishi * handle, Shishi_asn1 safe, char * userdata, size_t * userdatalen)

Function

handle: shishi handle as allocated by shishi_init(). safe: safe as allocated by shishi_safe(). userdata: output user data from KRB-SAFE. userdatalen: on input, maximum size of output user data buffer, on output, actual size of output user data buffer. Read user data value from KRB-SAFE. Returns SHISHI_OK iff successful.

int shishi_safe_set_user_data (Shishi * handle, Shishi_asn1 safe, char * userdata, size_t userdatalen)

Function

handle: shishi handle as allocated by shishi_init(). safe: safe as allocated by shishi_safe(). userdata: input user application to store in SAFE. userdatalen: size of input user application to store in SAFE. Set the application data in SAFE. Returns SHISHI_OK iff successful.

int shishi_safe_build (Shishi_safe * safe, Shishi_key * key)

Function

safe: safe as allocated by shishi_safe(). key: key for session, used to compute checksum. Build checksum and set it in KRB-SAFE. Note that this follows RFC 1510bis and is incompatible with RFC 1510, although presumably few implementations use the RFC1510 algorithm. Returns SHISHI_OK iff successful.

int shishi_safe_verify (Shishi_safe * safe, Shishi_key * key)

Function

safe: safe as allocated by shishi_safe(). key: key for session, used to verify checksum. Verify checksum in KRB-SAFE. Note that this follows RFC 1510bis and is incompatible with RFC 1510, although presumably few implementations use the RFC1510 algorithm. Returns SHISHI_OK iff successful, SHISHI_SAFE_BAD_KEYTYPE if an incompatible key type is used, or SHISHI_SAFE_VERIFY_FAILED if the actual verification failed.

The "KRB-PRIV" is an ASN.1 structure used by application client and servers to exchange confidential data. The confidentiality is keyed, usually with a key agreed on via the AP exchange (see AP-REQ and AP-REP Functions). The following illustrates the KRB-PRIV ASN.1 structure.

   KRB-PRIV        ::= [APPLICATION 21] SEQUENCE {
           pvno            [0] INTEGER (5),
           msg-type        [1] INTEGER (21),
                           -- NOTE: there is no [2] tag
           enc-part        [3] EncryptedData -- EncKrbPrivPart
   }

   EncKrbPrivPart  ::= [APPLICATION 28] SEQUENCE {
           user-data       [0] OCTET STRING,
           timestamp       [1] KerberosTime OPTIONAL,
           usec            [2] Microseconds OPTIONAL,
           seq-number      [3] UInt32 OPTIONAL,
           s-address       [4] HostAddress -- sender's addr --,
           r-address       [5] HostAddress OPTIONAL -- recip's addr
   }

4.6 Ticket Functions

int shishi_tkt_client (Shishi_tkt * tkt, char * client, int * clientlen)

Function

client: output buffer that holds client name of ticket. clientlen: on input, maximum size of output buffer, on output, actual size of output buffer. Returns client principal of ticket.

Shishi_asn1 shishi_tkt_ticket (Shishi_tkt * tkt)

Function

tkt: input variable with ticket info. Returns actual ticket.

Shishi_asn1 shishi_tkt_enckdcreppart (Shishi_tkt * tkt)

Function

tkt: input variable with ticket info. Returns auxilliary ticket information.

void shishi_tkt_enckdcreppart_set (Shishi_tkt * tkt, Shishi_asn1 enckdcreppart)

Function

enckdcreppart: EncKDCRepPart to store in Ticket. Set the EncKDCRepPart in the Ticket.

Shishi_asn1 shishi_tkt_kdcrep (Shishi_tkt * tkt)

Function

tkt: input variable with ticket info. Returns KDC-REP information.

Shishi_asn1 shishi_tkt_encticketpart (Shishi_tkt * tkt)

Function

tkt: input variable with ticket info. Returns EncTicketPart information.

void shishi_tkt_encticketpart_set (Shishi_tkt * tkt, Shishi_asn1 encticketpart)

Function

tkt: input variable with ticket info. encticketpart: encticketpart to store in ticket. Set the EncTicketPart in the Ticket.

Shishi_key * shishi_tkt_key (Shishi_tkt * tkt)

Function

tkt: input variable with ticket info. Returns key extracted from enckdcreppart.

int shishi_tkt_key_set (Shishi_tkt * tkt, Shishi_key * key)

Function

tkt: input variable with ticket info. key: key to store in ticket. Set the key in the EncTicketPart. Returns SHISHI_OK iff successful.

Shishi_tkt * shishi_tkt2 (Shishi * handle, Shishi_asn1 ticket, Shishi_asn1 enckdcreppart, Shishi_asn1 kdcrep)

Function

handle: shishi handle as allocated by shishi_init(). ticket: input variable with ticket. enckdcreppart: input variable with auxilliary ticket information. kdcrep: input variable with KDC-REP ticket information. Create a new ticket handle. Returns new ticket handle, or NULL on error.

int shishi_tkt (Shishi * handle, Shishi_tkt ** tkt)

Function

handle: shishi handle as allocated by shishi_init(). tkt: output variable with newly allocated ticket. Create a new ticket handle. Returns SHISHI_OK iff successful.

4.7 AS Functions

The Authentication Service (AS) is used to get an initial ticket using e.g. your password. The following illustrates the AS-REQ and AS-REP ASN.1 structures.

-- Request --

AS-REQ		::= KDC-REQ {10}

KDC-REQ {INTEGER:tagnum}	::= [APPLICATION tagnum] SEQUENCE {
	pvno		[1] INTEGER (5) -- first tag is [1], not [0] --,
	msg-type	[2] INTEGER (tagnum),
	padata		[3] SEQUENCE OF PA-DATA OPTIONAL,
	req-body	[4] KDC-REQ-BODY
}

KDC-REQ-BODY	::= SEQUENCE {
	kdc-options		[0] KDCOptions,
	cname			[1] PrincipalName OPTIONAL
				    -- Used only in AS-REQ --,
	realm			[2] Realm
				    -- Server's realm
				    -- Also client's in AS-REQ --,
	sname			[3] PrincipalName OPTIONAL,
	from			[4] KerberosTime OPTIONAL,
	till			[5] KerberosTime,
	rtime			[6] KerberosTime OPTIONAL,
	nonce			[7] UInt32,
	etype			[8] SEQUENCE OF Int32 -- EncryptionType
				    -- in preference order --,
	addresses		[9] HostAddresses OPTIONAL,
	enc-authorization-data	[10] EncryptedData {
					AuthorizationData,
					{ keyuse-TGSReqAuthData-sesskey
					  | keyuse-TGSReqAuthData-subkey }
				     } OPTIONAL,
	additional-tickets	[11] SEQUENCE OF Ticket OPTIONAL
}

-- Reply --

AS-REP		::= KDC-REP {11, EncASRepPart, {keyuse-EncASRepPart}}

KDC-REP {INTEGER:tagnum,
	 TypeToEncrypt,
	 UInt32:KeyUsages}	::= [APPLICATION tagnum] SEQUENCE {
	pvno		[0] INTEGER (5),
	msg-type	[1] INTEGER (tagnum),
	padata		[2] SEQUENCE OF PA-DATA OPTIONAL,
	crealm		[3] Realm,
	cname		[4] PrincipalName,
	ticket		[5] Ticket,
	enc-part	[6] EncryptedData {TypeToEncrypt, KeyUsages}
}

EncASRepPart	::= [APPLICATION 25] EncKDCRepPart

EncKDCRepPart	::= SEQUENCE {
	key		[0] EncryptionKey,
	last-req	[1] LastReq,
	nonce		[2] UInt32,
	key-expiration	[3] KerberosTime OPTIONAL,
	flags		[4] TicketFlags,
	authtime	[5] KerberosTime,
	starttime	[6] KerberosTime OPTIONAL,
	endtime		[7] KerberosTime,
	renew-till	[8] KerberosTime OPTIONAL,
	srealm		[9] Realm,
	sname		[10] PrincipalName,
	caddr		[11] HostAddresses OPTIONAL
}

int shishi_as (Shishi * handle, Shishi_as ** as)

Function

handle: shishi handle as allocated by shishi_init(). as: holds pointer to newly allocate Shishi_as structure. Allocate a new AS exchange variable. Returns SHISHI_OK iff successful.

Shishi_asn1 shishi_as_req (Shishi_as * as)

Function

as: structure that holds information about AS exchange Returns the generated AS-REQ packet from the AS exchange, or NULL if not yet set or an error occured.

void shishi_as_req_set (Shishi_as * as, Shishi_asn1 asreq)

Function

as: structure that holds information about AS exchange asreq: asreq to store in AS. Set the AS-REQ in the AP exchange.

int shishi_as_req_der (Shishi_as * as, char * out, int * outlen)

Function

as: structure that holds information about AS exchange out: output array with der encoding of AS-REQ. outlen: length of output array with der encoding of AS-REQ. DER encode AS-REQ. Returns SHISHI_OK iff successful.

int shishi_as_req_der_set (Shishi_as * as, char * der, size_t derlen)

Function

as: structure that holds information about AS exchange der: input array with DER encoded AP-REQ. derlen: length of input array with DER encoded AP-REQ. DER decode AS-REQ and set it AS exchange. If decoding fails, the AS-REQ in the AS exchange remains. Returns SHISHI_OK.

Shishi_asn1 shishi_as_rep (Shishi_as * as)

Function

as: structure that holds information about AS exchange Returns the received AS-REP packet from the AS exchange, or NULL if not yet set or an error occured.

int shishi_as_rep_process (Shishi_as * as, Shishi_key * key, const char * password)

Function

as: structure that holds information about AS exchange Process new AS-REP and set ticket. The key is used to decrypt the AP-REP. Returns SHISHI_OK iff successful.

int shishi_as_rep_build (Shishi_as * as, Shishi_key * key)

Function

as: structure that holds information about AS exchange key: user's key, used to encrypt the encrypted part of the AS-REP. Build AS-REP. Returns SHISHI_OK iff successful.

int shishi_as_rep_der (Shishi_as * as, char * out, int * outlen)

Function

as: structure that holds information about AS exchange out: output array with der encoding of AS-REP. outlen: length of output array with der encoding of AS-REP. DER encode AS-REP. Returns SHISHI_OK iff successful.

void shishi_as_rep_set (Shishi_as * as, Shishi_asn1 asrep)

Function

as: structure that holds information about AS exchange asrep: asrep to store in AS. Set the AS-REP in the AP exchange.

int shishi_as_rep_der_set (Shishi_as * as, char * der, size_t derlen)

Function

as: structure that holds information about AS exchange der: input array with DER encoded AP-REP. derlen: length of input array with DER encoded AP-REP. DER decode AS-REP and set it AS exchange. If decoding fails, the AS-REP in the AS exchange remains. Returns SHISHI_OK.

Shishi_asn1 shishi_as_krberror (Shishi_as * as)

Function

as: structure that holds information about AS exchange Returns the received KRB-ERROR packet from the AS exchange, or NULL if not yet set or an error occured.

int shishi_as_krberror_der (Shishi_as * as, char * out, int * outlen)

Function

as: structure that holds information about AS exchange out: output array with der encoding of KRB-ERROR. outlen: length of output array with der encoding of KRB-ERROR. DER encode KRB-ERROR. Returns SHISHI_OK iff successful.

void shishi_as_krberror_set (Shishi_as * as, Shishi_asn1 krberror)

Function

as: structure that holds information about AS exchange krberror: krberror to store in AS. Set the KRB-ERROR in the AP exchange.

Shishi_tkt * shishi_as_tkt (Shishi_as * as)

Function

as: structure that holds information about AS exchange Returns the newly aquired tkt from the AS exchange, or NULL if not yet set or an error occured.

void shishi_as_tkt_set (Shishi_as * as, Shishi_tkt * tkt)

Function

as: structure that holds information about AS exchange tkt: tkt to store in AS. Set the Tkt in the AP exchange.

int shishi_as_sendrecv (Shishi_as * as)

Function

as: structure that holds information about AS exchange Send AS-REQ and receive AS-REP or KRB-ERROR. This is the initial authentication, usually used to acquire a Ticket Granting Ticket. Returns SHISHI_OK iff successful.

4.8 TGS Functions

The Ticket Granting Service (TGS) is used to get subsequent tickets, authenticated by other tickets (so called ticket granting tickets). The following illustrates the TGS-REQ and TGS-REP ASN.1 structures.

-- Request --

TGS-REQ		::= KDC-REQ {12}

KDC-REQ {INTEGER:tagnum}	::= [APPLICATION tagnum] SEQUENCE {
	pvno		[1] INTEGER (5) -- first tag is [1], not [0] --,
	msg-type	[2] INTEGER (tagnum),
	padata		[3] SEQUENCE OF PA-DATA OPTIONAL,
	req-body	[4] KDC-REQ-BODY
}

KDC-REQ-BODY	::= SEQUENCE {
	kdc-options		[0] KDCOptions,
	cname			[1] PrincipalName OPTIONAL
				    -- Used only in AS-REQ --,
	realm			[2] Realm
				    -- Server's realm
				    -- Also client's in AS-REQ --,
	sname			[3] PrincipalName OPTIONAL,
	from			[4] KerberosTime OPTIONAL,
	till			[5] KerberosTime,
	rtime			[6] KerberosTime OPTIONAL,
	nonce			[7] UInt32,
	etype			[8] SEQUENCE OF Int32 -- EncryptionType
				    -- in preference order --,
	addresses		[9] HostAddresses OPTIONAL,
	enc-authorization-data	[10] EncryptedData {
					AuthorizationData,
					{ keyuse-TGSReqAuthData-sesskey
					  | keyuse-TGSReqAuthData-subkey }
				     } OPTIONAL,
	additional-tickets	[11] SEQUENCE OF Ticket OPTIONAL
}

-- Reply --

TGS-REP		::= KDC-REP {13, EncTGSRepPart,
			{ keyuse-EncTGSRepPart-sesskey
			  | keyuse-EncTGSRepPart-subkey }}

KDC-REP {INTEGER:tagnum,
	 TypeToEncrypt,
	 UInt32:KeyUsages}	::= [APPLICATION tagnum] SEQUENCE {
	pvno		[0] INTEGER (5),
	msg-type	[1] INTEGER (tagnum),
	padata		[2] SEQUENCE OF PA-DATA OPTIONAL,
	crealm		[3] Realm,
	cname		[4] PrincipalName,
	ticket		[5] Ticket,
	enc-part	[6] EncryptedData {TypeToEncrypt, KeyUsages}
}

EncTGSRepPart	::= [APPLICATION 26] EncKDCRepPart

EncKDCRepPart	::= SEQUENCE {
	key		[0] EncryptionKey,
	last-req	[1] LastReq,
	nonce		[2] UInt32,
	key-expiration	[3] KerberosTime OPTIONAL,
	flags		[4] TicketFlags,
	authtime	[5] KerberosTime,
	starttime	[6] KerberosTime OPTIONAL,
	endtime		[7] KerberosTime,
	renew-till	[8] KerberosTime OPTIONAL,
	srealm		[9] Realm,
	sname		[10] PrincipalName,
	caddr		[11] HostAddresses OPTIONAL
}

int shishi_tgs (Shishi * handle, Shishi_tgs ** tgs)

Function

handle: shishi handle as allocated by shishi_init(). tgs: holds pointer to newly allocate Shishi_tgs structure. Allocate a new TGS exchange variable. Returns SHISHI_OK iff successful.

Shishi_tkt * shishi_tgs_tgtkt (Shishi_tgs * tgs)

Function

tgs: structure that holds information about TGS exchange Returns the ticket-granting-ticket used in the TGS exchange, or NULL if not yet set or an error occured.

void shishi_tgs_tgtkt_set (Shishi_tgs * tgs, Shishi_tkt * tgtkt)

Function

tgs: structure that holds information about TGS exchange tgtkt: ticket granting ticket to store in TGS. Set the Ticket in the AP exchange.

Shishi_ap * shishi_tgs_ap (Shishi_tgs * tgs)

Function

tgs: structure that holds information about TGS exchange Returns the AP exchange (part of TGS-REQ) from the TGS exchange, or NULL if not yet set or an error occured.

Shishi_asn1 shishi_tgs_req (Shishi_tgs * tgs)

Function

tgs: structure that holds information about TGS exchange Returns the generated TGS-REQ from the TGS exchange, or NULL if not yet set or an error occured.

int shishi_tgs_req_build (Shishi_tgs * tgs)

Function

tgs: structure that holds information about TGS exchange Checksum data in authenticator and add ticket and authenticator to TGS-REQ. Returns SHISHI_OK iff successful.

Shishi_asn1 shishi_tgs_rep (Shishi_tgs * tgs)

Function

tgs: structure that holds information about TGS exchange Returns the received TGS-REP from the TGS exchange, or NULL if not yet set or an error occured.

int shishi_tgs_rep_process (Shishi_tgs * tgs)

Function

tgs: structure that holds information about TGS exchange Process new TGS-REP and set ticket. The key to decrypt the TGS-REP is taken from the EncKDCRepPart of the TGS tgticket. Returns SHISHI_OK iff successful.

Shishi_asn1 shishi_tgs_krberror (Shishi_tgs * tgs)

Function

tgs: structure that holds information about TGS exchange Returns the received TGS-REP from the TGS exchange, or NULL if not yet set or an error occured.

Shishi_tkt * shishi_tgs_tkt (Shishi_tgs * tgs)

Function

tgs: structure that holds information about TGS exchange Returns the newly aquired ticket from the TGS exchange, or NULL if not yet set or an error occured.

void shishi_tgs_tkt_set (Shishi_tgs * tgs, Shishi_tkt * tkt)

Function

tgs: structure that holds information about TGS exchange tkt: ticket to store in TGS. Set the Ticket in the AP exchange.

int shishi_tgs_sendrecv (Shishi_tgs * tgs)

Function

tgs: structure that holds information about TGS exchange Send TGS-REQ and receive TGS-REP or KRB-ERROR. This is the subsequent authentication, usually used to acquire server tickets. Returns SHISHI_OK iff successful.

int shishi_tgs_set_server (Shishi_tgs * tgs, const char * server)

Function

tgs: structure that holds information about TGS exchange server: indicates the server to acquire ticket for. Set the server in the TGS-REQ. Returns SHISHI_OK iff successful.

int shishi_tgs_set_realm (Shishi_tgs * tgs, const char * realm)

Function

tgs: structure that holds information about TGS exchange realm: indicates the realm to acquire ticket for. Set the server in the TGS-REQ. Returns SHISHI_OK iff successful.

int shishi_tgs_set_realmserver (Shishi_tgs * tgs, const char * realm, const char * server)

Function

tgs: structure that holds information about TGS exchange realm: indicates the realm to acquire ticket for. server: indicates the server to acquire ticket for. Set the realm and server in the TGS-REQ. Returns SHISHI_OK iff successful.

4.9 Ticket (ASN.1) Functions

int shishi_ticket_realm_set (Shishi * handle, Shishi_asn1 ticket, const char * realm)

Function

handle: shishi handle as allocated by shishi_init(). ticket: input variable with ticket info. realm: input array with name of realm. Set the realm field in the Ticket. Returns SHISHI_OK iff successful.

int shishi_ticket_sname_set (Shishi * handle, Shishi_asn1 ticket, Shishi_name_type name_type, char * sname[])

Function

handle: shishi handle as allocated by shishi_init(). ticket: Ticket variable to set server name field in. name_type: type of principial, see Shishi_name_type, usually SHISHI_NT_UNKNOWN. Set the server name field in the Ticket. Returns SHISHI_OK iff successful.

int shishi_ticket_get_enc_part_etype (Shishi * handle, Shishi_asn1 ticket, int32_t * etype)

Function

handle: shishi handle as allocated by shishi_init(). etype: output variable that holds the value. Extract Ticket.enc-part.etype. Returns SHISHI_OK iff successful.

int shishi_ticket_set_enc_part (Shishi * handle, Shishi_asn1 ticket, int etype, int kvno, char * buf, size_t buflen)

Function

handle: shishi handle as allocated by shishi_init(). ticket: Ticket to add enc-part field to. etype: encryption type used to encrypt enc-part. kvno: key version number. buf: input array with encrypted enc-part. buflen: size of input array with encrypted enc-part. Set the encrypted enc-part field in the Ticket. The encrypted data is usually created by calling shishi_encrypt() on the DER encoded enc-part. To save time, you may want to use shishi_ticket_add_enc_part() instead, which calculates the encrypted data and calls this function in one step. Returns SHISHI_OK iff successful.

int shishi_ticket_add_enc_part (Shishi * handle, Shishi_asn1 ticket, Shishi_key * key, Shishi_asn1 encticketpart)

Function

handle: shishi handle as allocated by shishi_init(). ticket: Ticket to add enc-part field to. key: key used to encrypt enc-part. encticketpart: EncTicketPart to add. Encrypts DER encoded EncTicketPart using key and stores it in the Ticket. Returns SHISHI_OK iff successful.

4.10 AS/TGS Functions

The Authentication Service (AS) is used to get an initial ticket using e.g. your password. The Ticket Granting Service (TGS) is used to get subsequent tickets using other tickets. Protocol wise the procedures are very similar, which is the reason they are described together. The following illustrates the AS-REQ, TGS-REQ and AS-REP, TGS-REP ASN.1 structures. Most of the functions use the mnemonic "KDC" instead of either AS or TGS, which means the function operates on both AS and TGS types. Only where the distinction between AS and TGS is important are the AS and TGS names used. Remember, these are low-level functions, and normal applications will likely be satisfied with the AS (see AS Functions) and TGS (see TGS Functions) interfaces, or the even more high-level Ticket Set (see Ticket Set Functions) interface.

-- Request --

AS-REQ		::= KDC-REQ {10}
TGS-REQ		::= KDC-REQ {12}

KDC-REQ {INTEGER:tagnum}	::= [APPLICATION tagnum] SEQUENCE {
	pvno		[1] INTEGER (5) -- first tag is [1], not [0] --,
	msg-type	[2] INTEGER (tagnum),
	padata		[3] SEQUENCE OF PA-DATA OPTIONAL,
	req-body	[4] KDC-REQ-BODY
}

KDC-REQ-BODY	::= SEQUENCE {
	kdc-options		[0] KDCOptions,
	cname			[1] PrincipalName OPTIONAL
				    -- Used only in AS-REQ --,
	realm			[2] Realm
				    -- Server's realm
				    -- Also client's in AS-REQ --,
	sname			[3] PrincipalName OPTIONAL,
	from			[4] KerberosTime OPTIONAL,
	till			[5] KerberosTime,
	rtime			[6] KerberosTime OPTIONAL,
	nonce			[7] UInt32,
	etype			[8] SEQUENCE OF Int32 -- EncryptionType
				    -- in preference order --,
	addresses		[9] HostAddresses OPTIONAL,
	enc-authorization-data	[10] EncryptedData {
					AuthorizationData,
					{ keyuse-TGSReqAuthData-sesskey
					  | keyuse-TGSReqAuthData-subkey }
				     } OPTIONAL,
	additional-tickets	[11] SEQUENCE OF Ticket OPTIONAL
}

-- Reply --

AS-REP		::= KDC-REP {11, EncASRepPart, {keyuse-EncASRepPart}}
TGS-REP		::= KDC-REP {13, EncTGSRepPart,
			{ keyuse-EncTGSRepPart-sesskey
			  | keyuse-EncTGSRepPart-subkey }}

KDC-REP {INTEGER:tagnum,
	 TypeToEncrypt,
	 UInt32:KeyUsages}	::= [APPLICATION tagnum] SEQUENCE {
	pvno		[0] INTEGER (5),
	msg-type	[1] INTEGER (tagnum),
	padata		[2] SEQUENCE OF PA-DATA OPTIONAL,
	crealm		[3] Realm,
	cname		[4] PrincipalName,
	ticket		[5] Ticket,
	enc-part	[6] EncryptedData {TypeToEncrypt, KeyUsages}
}

EncASRepPart	::= [APPLICATION 25] EncKDCRepPart
EncTGSRepPart	::= [APPLICATION 26] EncKDCRepPart

EncKDCRepPart	::= SEQUENCE {
	key		[0] EncryptionKey,
	last-req	[1] LastReq,
	nonce		[2] UInt32,
	key-expiration	[3] KerberosTime OPTIONAL,
	flags		[4] TicketFlags,
	authtime	[5] KerberosTime,
	starttime	[6] KerberosTime OPTIONAL,
	endtime		[7] KerberosTime,
	renew-till	[8] KerberosTime OPTIONAL,
	srealm		[9] Realm,
	sname		[10] PrincipalName,
	caddr		[11] HostAddresses OPTIONAL
}

int shishi_as_derive_salt (Shishi * handle, Shishi_asn1 asreq, Shishi_asn1 asrep, char * salt, size_t * saltlen)

Function

handle: shishi handle as allocated by shishi_init(). asrep: input AS-REP variable. salt: output array with salt. saltlen: on input, maximum size of output array with salt, on output, holds actual size of output array with salt. Derive the salt that should be used when deriving a key via shishi_string_to_key() for an AS exchange. Currently this searches for PA-DATA of type SHISHI_PA_PW_SALT in the AS-REP and returns it if found, otherwise the salt is derived from the client name and realm in AS-REQ. Returns SHISHI_OK iff successful.

int shishi_kdc_copy_crealm (Shishi * handle, Shishi_asn1 kdcrep, Shishi_asn1 encticketpart)

Function

handle: shishi handle as allocated by shishi_init(). encticketpart: EncTicketPart to set crealm in. Set crealm in KDC-REP to value in EncTicketPart. Returns SHISHI_OK if successful.

int shishi_as_check_crealm (Shishi * handle, Shishi_asn1 asreq, Shishi_asn1 asrep)

Function

handle: shishi handle as allocated by shishi_init(). Verify that AS-REQ.req-body.realm and AS-REP.crealm fields matches. This is one of the steps that has to be performed when processing a AS-REQ and AS-REP exchange, see shishi_kdc_process(). Returns SHISHI_OK if successful, SHISHI_REALM_MISMATCH if the values differ, or an error code.

int shishi_kdc_copy_cname (Shishi * handle, Shishi_asn1 kdcrep, Shishi_asn1 encticketpart)

Function

handle: shishi handle as allocated by shishi_init(). encticketpart: EncTicketPart to set cname in. Set cname in KDC-REP to value in EncTicketPart. Returns SHISHI_OK if successful.

int shishi_as_check_cname (Shishi * handle, Shishi_asn1 asreq, Shishi_asn1 asrep)

Function

handle: shishi handle as allocated by shishi_init(). Verify that AS-REQ.req-body.realm and AS-REP.crealm fields matches. This is one of the steps that has to be performed when processing a AS-REQ and AS-REP exchange, see shishi_kdc_process(). Returns SHISHI_OK if successful, SHISHI_CNAME_MISMATCH if the values differ, or an error code.

int shishi_kdc_copy_nonce (Shishi * handle, Shishi_asn1 kdcreq, Shishi_asn1 enckdcreppart)

Function

handle: shishi handle as allocated by shishi_init(). kdcreq: KDC-REQ to read nonce from. enckdcreppart: EncKDCRepPart to set nonce in. Set nonce in EncKDCRepPart to value in KDC-REQ. Returns SHISHI_OK if successful.

int shishi_kdc_check_nonce (Shishi * handle, Shishi_asn1 kdcreq, Shishi_asn1 enckdcreppart)

Function

handle: shishi handle as allocated by shishi_init(). kdcreq: KDC-REQ to compare nonce field in. enckdcreppart: Encrypted KDC-REP part to compare nonce field in. Verify that KDC-REQ.req-body.nonce and EncKDCRepPart.nonce fields matches. This is one of the steps that has to be performed when processing a KDC-REQ and KDC-REP exchange. Returns SHISHI_OK if successful, SHISHI_NONCE_LENGTH_MISMATCH if the nonces have different lengths (usually indicates that buggy server truncated nonce to 4 bytes), SHISHI_NONCE_MISMATCH if the values differ, or an error code.

int shishi_tgs_process (Shishi * handle, Shishi_asn1 tgsreq, Shishi_asn1 tgsrep, Shishi_asn1 oldenckdcreppart, Shishi_asn1 * enckdcreppart)

Function

handle: shishi handle as allocated by shishi_init(). oldenckdcreppart: input variable with EncKDCRepPart used in request. enckdcreppart: output variable that holds new EncKDCRepPart. Process a TGS client exchange and output decrypted EncKDCRepPart which holds details for the new ticket received. This function simply derives the encryption key from the ticket used to construct the TGS request and calls shishi_kdc_process(), which see. Returns SHISHI_OK iff the TGS client exchange was successful.

int shishi_as_process (Shishi * handle, Shishi_asn1 asreq, Shishi_asn1 asrep, const char * string, Shishi_asn1 * enckdcreppart)

Function

handle: shishi handle as allocated by shishi_init(). string: input variable with zero terminated password. enckdcreppart: output variable that holds new EncKDCRepPart. Process an AS client exchange and output decrypted EncKDCRepPart which holds details for the new ticket received. This function simply derives the encryption key from the password and calls shishi_kdc_process(), which see. Returns SHISHI_OK iff the AS client exchange was successful.

int shishi_kdc_process (Shishi * handle, Shishi_asn1 kdcreq, Shishi_asn1 kdcrep, Shishi_key * key, int keyusage, Shishi_asn1 * enckdcreppart)

Function

handle: shishi handle as allocated by shishi_init(). kdcreq: input variable that holds the sent KDC-REQ. kdcrep: input variable that holds the received KDC-REP. key: input array with key to decrypt encrypted part of KDC-REP with. enckdcreppart: output variable that holds new EncKDCRepPart. Process a KDC client exchange and output decrypted EncKDCRepPart which holds details for the new ticket received. Use shishi_kdcrep_get_ticket() to extract the ticket. This function verifies the various conditions that must hold if the response is to be considered valid, specifically it compares nonces (shishi_check_nonces()) and if the exchange was a AS exchange, it also compares cname and crealm (shishi_check_cname() and shishi_check_crealm()). Usually the shishi_as_process() and shishi_tgs_process() functions should be used instead, since they simplify the decryption key computation. Returns SHISHI_OK iff the KDC client exchange was successful.

Shishi_asn1 shishi_asreq (Shishi * handle)

Function

handle: shishi handle as allocated by shishi_init(). This function creates a new AS-REQ, populated with some default values. Returns the AS-REQ or NULL on failure.

Shishi_asn1 shishi_tgsreq (Shishi * handle)

Function

handle: shishi handle as allocated by shishi_init(). This function creates a new TGS-REQ, populated with some default values. Returns the TGS-REQ or NULL on failure.

int shishi_kdcreq_print (Shishi * handle, FILE * fh, Shishi_asn1 kdcreq)

Function

handle: shishi handle as allocated by shishi_init(). fh: file handle open for writing. kdcreq: KDC-REQ to print. Print ASCII armored DER encoding of KDC-REQ to file. Returns SHISHI_OK iff successful.

int shishi_kdcreq_save (Shishi * handle, FILE * fh, Shishi_asn1 kdcreq)

Function

handle: shishi handle as allocated by shishi_init(). fh: file handle open for writing. kdcreq: KDC-REQ to save. Print DER encoding of KDC-REQ to file. Returns SHISHI_OK iff successful.

int shishi_kdcreq_to_file (Shishi * handle, Shishi_asn1 kdcreq, int filetype, char * filename)

Function

handle: shishi handle as allocated by shishi_init(). kdcreq: KDC-REQ to save. filetype: input variable specifying type of file to be written, see Shishi_filetype. filename: input variable with filename to write to. Write KDC-REQ to file in specified TYPE. The file will be truncated if it exists. Returns SHISHI_OK iff successful.

int shishi_kdcreq_parse (Shishi * handle, FILE * fh, Shishi_asn1 * kdcreq)

Function

handle: shishi handle as allocated by shishi_init(). fh: file handle open for reading. kdcreq: output variable with newly allocated KDC-REQ. Read ASCII armored DER encoded KDC-REQ from file and populate given variable. Returns SHISHI_OK iff successful.

int shishi_kdcreq_read (Shishi * handle, FILE * fh, Shishi_asn1 * kdcreq)

Function

handle: shishi handle as allocated by shishi_init(). fh: file handle open for reading. kdcreq: output variable with newly allocated KDC-REQ. Read DER encoded KDC-REQ from file and populate given variable. Returns SHISHI_OK iff successful.

int shishi_kdcreq_from_file (Shishi * handle, Shishi_asn1 * kdcreq, int filetype, char * filename)

Function

handle: shishi handle as allocated by shishi_init(). kdcreq: output variable with newly allocated KDC-REQ. filetype: input variable specifying type of file to be read, see Shishi_filetype. filename: input variable with filename to read from. Read KDC-REQ from file in specified TYPE. Returns SHISHI_OK iff successful.

int shishi_kdcreq_set_cname (Shishi * handle, Shishi_asn1 kdcreq, Shishi_name_type name_type, const char * principal)

Function

handle: shishi handle as allocated by shishi_init(). kdcreq: KDC-REQ variable to set client name field in. name_type: type of principial, see Shishi_name_type, usually SHISHI_NT_UNKNOWN. principal: input array with principal name. Set the client name field in the KDC-REQ. Returns SHISHI_OK iff successful.

int shishi_kdcreq_set_realm (Shishi * handle, Shishi_asn1 kdcreq, const char * realm)

Function

handle: shishi handle as allocated by shishi_init(). kdcreq: KDC-REQ variable to set realm field in. realm: input array with name of realm. Set the realm field in the KDC-REQ. Returns SHISHI_OK iff successful.

int shishi_kdcreq_set_sname (Shishi * handle, Shishi_asn1 kdcreq, Shishi_name_type name_type, const char * sname[])

Function

handle: shishi handle as allocated by shishi_init(). kdcreq: KDC-REQ variable to set server name field in. name_type: type of principial, see Shishi_name_type, usually SHISHI_NT_UNKNOWN. Set the server name field in the KDC-REQ. Returns SHISHI_OK iff successful.

int shishi_kdcreq_etype (Shishi * handle, Shishi_asn1 kdcreq, int32_t * etype, int netype)

Function

handle: shishi handle as allocated by shishi_init(). kdcreq: KDC-REQ variable to get etype field from. etype: output encryption type. netype: element number to return. th encryption type from KDC-REQ. The first etype is number 1. Returns SHISHI_OK iff etype successful set.

int shishi_kdcreq_set_etype (Shishi * handle, Shishi_asn1 kdcreq, int32_t * etype, int netype)

Function

handle: shishi handle as allocated by shishi_init(). kdcreq: KDC-REQ variable to set etype field in. etype: input array with encryption types. netype: number of elements in input array with encryption types. Set the list of supported or wanted encryption types in the request. The list should be sorted in priority order. Returns SHISHI_OK iff successful.

int shishi_kdcreq_clear_padata (Shishi * handle, Shishi_asn1 kdcreq)

Function

handle: shishi handle as allocated by shishi_init(). kdcreq: KDC-REQ to remove PA-DATA from. Remove the padata field from KDC-REQ. Returns SHISHI_OK iff successful.

int shishi_kdcreq_add_padata (Shishi * handle, Shishi_asn1 kdcreq, int padatatype, char * data, int datalen)

Function

handle: shishi handle as allocated by shishi_init(). kdcreq: KDC-REQ to add PA-DATA to. padatatype: type of PA-DATA, see Shishi_padata_type. data: input array with PA-DATA value. datalen: size of input array with PA-DATA value. Add new pre authentication data (PA-DATA) to KDC-REQ. This is used to pass various information to KDC, such as in case of a SHISHI_PA_TGS_REQ padatatype the AP-REQ that authenticates the user to get the ticket. (But also see shishi_kdcreq_add_padata_tgs() which takes an AP-REQ directly.) Returns SHISHI_OK iff successful.

int shishi_kdcreq_add_padata_tgs (Shishi * handle, Shishi_asn1 kdcreq, Shishi_asn1 apreq)

Function

handle: shishi handle as allocated by shishi_init(). kdcreq: KDC-REQ to add PA-DATA to. apreq: AP-REQ to add as PA-DATA. Add TGS pre-authentication data to KDC-REQ. The data is an AP-REQ that authenticates the request. This functions simply DER encodes the AP-REQ and calls shishi_kdcreq_add_padata() with a SHISHI_PA_TGS_REQ padatatype. Returns SHISHI_OK iff successful.

Shishi_asn1 shishi_asrep (Shishi * handle)

Function

handle: shishi handle as allocated by shishi_init(). This function creates a new AS-REP, populated with some default values. Returns the AS-REP or NULL on failure.

Shishi_asn1 shishi_tgsrep (Shishi * handle)

Function

handle: shishi handle as allocated by shishi_init(). This function creates a new TGS-REP, populated with some default values. Returns the TGS-REP or NULL on failure.

int shishi_kdcrep_print (Shishi * handle, FILE * fh, Shishi_asn1 kdcrep)

Function

handle: shishi handle as allocated by shishi_init(). fh: file handle open for writing. kdcrep: KDC-REP to print. Print ASCII armored DER encoding of KDC-REP to file. Returns SHISHI_OK iff successful.

int shishi_kdcrep_save (Shishi * handle, FILE * fh, Shishi_asn1 kdcrep)

Function

handle: shishi handle as allocated by shishi_init(). fh: file handle open for writing. kdcrep: KDC-REP to save. Print DER encoding of KDC-REP to file. Returns SHISHI_OK iff successful.

int shishi_kdcrep_to_file (Shishi * handle, Shishi_asn1 kdcrep, int filetype, char * filename)

Function

handle: shishi handle as allocated by shishi_init(). kdcrep: KDC-REP to save. filetype: input variable specifying type of file to be written, see Shishi_filetype. filename: input variable with filename to write to. Write KDC-REP to file in specified TYPE. The file will be truncated if it exists. Returns SHISHI_OK iff successful.

int shishi_kdcrep_parse (Shishi * handle, FILE * fh, Shishi_asn1 * kdcrep)

Function

handle: shishi handle as allocated by shishi_init(). fh: file handle open for reading. kdcrep: output variable with newly allocated KDC-REP. Read ASCII armored DER encoded KDC-REP from file and populate given variable. Returns SHISHI_OK iff successful.

int shishi_kdcrep_read (Shishi * handle, FILE * fh, Shishi_asn1 * kdcrep)

Function

handle: shishi handle as allocated by shishi_init(). fh: file handle open for reading. kdcrep: output variable with newly allocated KDC-REP. Read DER encoded KDC-REP from file and populate given variable. Returns SHISHI_OK iff successful.

int shishi_kdcrep_from_file (Shishi * handle, Shishi_asn1 * kdcrep, int filetype, char * filename)

Function

handle: shishi handle as allocated by shishi_init(). kdcrep: output variable with newly allocated KDC-REP. filetype: input variable specifying type of file to be read, see Shishi_filetype. filename: input variable with filename to read from. Read KDC-REP from file in specified TYPE. Returns SHISHI_OK iff successful.

int shishi_kdcrep_crealm_set (Shishi * handle, Shishi_asn1 kdcrep, const char * crealm)

Function

handle: shishi handle as allocated by shishi_init(). kdcrep: Kdcrep variable to set realm field in. crealm: input array with name of realm. Set the client realm field in the KDC-REP. Returns SHISHI_OK iff successful.

int shishi_kdcrep_cname_set (Shishi * handle, Shishi_asn1 kdcrep, Shishi_name_type name_type, const char * cname[])

Function

handle: shishi handle as allocated by shishi_init(). kdcrep: Kdcrep variable to set server name field in. name_type: type of principial, see Shishi_name_type, usually SHISHI_NT_UNKNOWN. Set the server name field in the KDC-REP. Returns SHISHI_OK iff successful.

int shishi_kdcrep_client_set (Shishi * handle, Shishi_asn1 kdcrep, const char * client)

Function

handle: shishi handle as allocated by shishi_init(). kdcrep: Kdcrep variable to set server name field in. Set the client name field in the KDC-REP. Returns SHISHI_OK iff successful.

int shishi_kdcrep_get_enc_part_etype (Shishi * handle, Shishi_asn1 kdcrep, int32_t * etype)

Function

handle: shishi handle as allocated by shishi_init(). kdcrep: KDC-REP variable to get value from. etype: output variable that holds the value. Extract KDC-REP.enc-part.etype. Returns SHISHI_OK iff successful.

int shishi_kdcrep_get_ticket (Shishi * handle, Shishi_asn1 kdcrep, Shishi_asn1 * ticket)

Function

handle: shishi handle as allocated by shishi_init(). kdcrep: KDC-REP variable to get ticket from. ticket: output variable to hold extracted ticket. Extract ticket from KDC-REP. Returns SHISHI_OK iff successful.

int shishi_kdcrep_set_ticket (Shishi * handle, Shishi_asn1 kdcrep, Shishi_asn1 ticket)

Function

handle: shishi handle as allocated by shishi_init(). kdcrep: KDC-REP to add ticket field to. ticket: input ticket to copy into KDC-REP ticket field. Copy ticket into KDC-REP. Returns SHISHI_OK iff successful.

int shishi_kdcrep_set_enc_part (Shishi * handle, Shishi_asn1 kdcrep, int etype, int kvno, char * buf, int buflen)

Function

handle: shishi handle as allocated by shishi_init(). kdcrep: KDC-REP to add enc-part field to. etype: encryption type used to encrypt enc-part. kvno: key version number. buf: input array with encrypted enc-part. buflen: size of input array with encrypted enc-part. Set the encrypted enc-part field in the KDC-REP. The encrypted data is usually created by calling shishi_encrypt() on the DER encoded enc-part. To save time, you may want to use shishi_kdcrep_add_enc_part() instead, which calculates the encrypted data and calls this function in one step. Returns SHISHI_OK iff successful.

int shishi_kdcrep_add_enc_part (Shishi * handle, Shishi_asn1 kdcrep, Shishi_key * key, int keyusage, Shishi_asn1 enckdcreppart)

Function

handle: shishi handle as allocated by shishi_init(). kdcrep: KDC-REP to add enc-part field to. key: key used to encrypt enc-part. keyusage: key usage to use, normally SHISHI_KEYUSAGE_ENCASREPPART, SHISHI_KEYUSAGE_ENCTGSREPPART_SESSION_KEY or SHISHI_KEYUSAGE_ENCTGSREPPART_AUTHENTICATOR_KEY. enckdcreppart: EncKDCRepPart to add. Encrypts DER encoded EncKDCRepPart using key and stores it in the KDC-REP. Returns SHISHI_OK iff successful.

int shishi_kdcrep_clear_padata (Shishi * handle, Shishi_asn1 kdcrep)

Function

handle: shishi handle as allocated by shishi_init(). kdcrep: KDC-REP to remove PA-DATA from. Remove the padata field from KDC-REP. Returns SHISHI_OK iff successful.

int shishi_enckdcreppart_get_key (Shishi * handle, Shishi_asn1 enckdcreppart, Shishi_key ** key)

Function

handle: shishi handle as allocated by shishi_init(). enckdcreppart: input EncKDCRepPart variable. Extract the key to use with the ticket sent in the KDC-REP associated with the EndKDCRepPart input variable. Returns SHISHI_OK iff succesful.

int shishi_enckdcreppart_key_set (Shishi * handle, Shishi_asn1 enckdcreppart, Shishi_key * key)

Function

handle: shishi handle as allocated by shishi_init(). enckdcreppart: input EncKDCRepPart variable. key: key handle with information to store in enckdcreppart. Set the EncKDCRepPart.key field to key type and value of supplied key. Returns SHISHI_OK iff succesful.

int shishi_enckdcreppart_nonce_set (Shishi * handle, Shishi_asn1 enckdcreppart, uint32_t nonce)

Function

handle: shishi handle as allocated by shishi_init(). enckdcreppart: input EncKDCRepPart variable. nonce: nonce to set in EncKDCRepPart. Set the EncKDCRepPart.nonce field. Returns SHISHI_OK iff succesful.

int shishi_enckdcreppart_flags_set (Shishi * handle, Shishi_asn1 enckdcreppart, int flags)

Function

handle: shishi handle as allocated by shishi_init(). enckdcreppart: input EncKDCRepPart variable. flags: flags to set in EncKDCRepPart. Set the EncKDCRepPart.flags field. Returns SHISHI_OK iff succesful.

int shishi_enckdcreppart_populate_encticketpart (Shishi * handle, Shishi_asn1 enckdcreppart, Shishi_asn1 encticketpart)

Function

handle: shishi handle as allocated by shishi_init(). enckdcreppart: input EncKDCRepPart variable. encticketpart: input EncTicketPart variable. Set the flags, authtime, starttime, endtime, renew-till and caddr fields of the EncKDCRepPart to the corresponding values in the EncTicketPart. Returns SHISHI_OK iff succesful.

int shishi_enckdcreppart_srealm_set (Shishi * handle, Shishi_asn1 enckdcreppart, const char * srealm)

Function

handle: shishi handle as allocated by shishi_init(). enckdcreppart: EncKDCRepPart variable to set realm field in. srealm: input array with name of realm. Set the server realm field in the EncKDCRepPart. Returns SHISHI_OK iff successful.

int shishi_enckdcreppart_sname_set (Shishi * handle, Shishi_asn1 enckdcreppart, Shishi_name_type name_type, char * sname[])

Function

handle: shishi handle as allocated by shishi_init(). enckdcreppart: EncKDCRepPart variable to set server name field in. name_type: type of principial, see Shishi_name_type, usually SHISHI_NT_UNKNOWN. Set the server name field in the EncKDCRepPart. Returns SHISHI_OK iff successful.

4.11 Authenticator Functions

An "Authenticator" is a ASN.1 structure that work as a proof that an entity owns a ticket. It is usually embedded in the AP-REQ structure (see AP-REQ and AP-REP Functions), and you most likely want to use an AP-REQ instead of a Authenticator in normal applications. The following illustrates the Authenticator ASN.1 structure.

Authenticator	::= [APPLICATION 2] SEQUENCE  {
	authenticator-vno	[0] INTEGER (5),
	crealm			[1] Realm,
	cname			[2] PrincipalName,
	cksum			[3] Checksum OPTIONAL,
	cusec			[4] Microseconds,
	ctime			[5] KerberosTime,
	subkey			[6] EncryptionKey OPTIONAL,
	seq-number		[7] UInt32 OPTIONAL,
	authorization-data	[8] AuthorizationData OPTIONAL
}

Shishi_asn1 shishi_authenticator (Shishi * handle)

Function

handle: shishi handle as allocated by shishi_init(). This function creates a new Authenticator, populated with some default values. It uses the current time as returned by the system for the ctime and cusec fields. Returns the authenticator or NULL on failure.

int shishi_authenticator_print (Shishi * handle, FILE * fh, Shishi_asn1 authenticator)

Function

handle: shishi handle as allocated by shishi_init(). fh: file handle open for writing. authenticator: authenticator as allocated by shishi_authenticator(). Print ASCII armored DER encoding of authenticator to file. Returns SHISHI_OK iff successful.

int shishi_authenticator_save (Shishi * handle, FILE * fh, Shishi_asn1 authenticator)

Function

handle: shishi handle as allocated by shishi_init(). fh: file handle open for writing. authenticator: authenticator as allocated by shishi_authenticator(). Save DER encoding of authenticator to file. Returns SHISHI_OK iff successful.

int shishi_authenticator_to_file (Shishi * handle, Shishi_asn1 authenticator, int filetype, char * filename)

Function

handle: shishi handle as allocated by shishi_init(). authenticator: Authenticator to save. filetype: input variable specifying type of file to be written, see Shishi_filetype. filename: input variable with filename to write to. Write Authenticator to file in specified TYPE. The file will be truncated if it exists. Returns SHISHI_OK iff successful.

int shishi_authenticator_parse (Shishi * handle, FILE * fh, Shishi_asn1 * authenticator)

Function

handle: shishi handle as allocated by shishi_init(). fh: file handle open for reading. authenticator: output variable with newly allocated authenticator. Read ASCII armored DER encoded authenticator from file and populate given authenticator variable. Returns SHISHI_OK iff successful.

int shishi_authenticator_read (Shishi * handle, FILE * fh, Shishi_asn1 * authenticator)

Function

handle: shishi handle as allocated by shishi_init(). fh: file handle open for reading. authenticator: output variable with newly allocated authenticator. Read DER encoded authenticator from file and populate given authenticator variable. Returns SHISHI_OK iff successful.

int shishi_authenticator_from_file (Shishi * handle, Shishi_asn1 * authenticator, int filetype, char * filename)

Function

handle: shishi handle as allocated by shishi_init(). authenticator: output variable with newly allocated Authenticator. filetype: input variable specifying type of file to be read, see Shishi_filetype. filename: input variable with filename to read from. Read Authenticator from file in specified TYPE. Returns SHISHI_OK iff successful.

int shishi_authenticator_set_crealm (Shishi * handle, Shishi_asn1 authenticator, const char * crealm)

Function

handle: shishi handle as allocated by shishi_init(). authenticator: authenticator as allocated by shishi_authenticator(). crealm: input array with realm. Set realm field in authenticator to specified value. Returns SHISHI_OK iff successful.

int shishi_authenticator_set_cname (Shishi * handle, Shishi_asn1 authenticator, Shishi_name_type name_type, const char * cname[])

Function

handle: shishi handle as allocated by shishi_init(). authenticator: authenticator as allocated by shishi_authenticator(). name_type: type of principial, see Shishi_name_type, usually SHISHI_NT_UNKNOWN. Set principal field in authenticator to specified value. Returns SHISHI_OK iff successful.

int shishi_authenticator_client_set (Shishi * handle, Shishi_asn1 authenticator, const char * client)

Function

handle: shishi handle as allocated by shishi_init(). Set the client name field in the Authenticator. Returns SHISHI_OK iff successful.

int shishi_authenticator_ctime_set (Shishi * handle, Shishi_asn1 authenticator, char * ctime)

Function

handle: shishi handle as allocated by shishi_init(). authenticator: Authenticator as allocated by shishi_authenticator(). ctime: string with generalized time value to store in Authenticator. Store client time in Authenticator. Returns SHISHI_OK iff successful.

int shishi_authenticator_cusec_get (Shishi * handle, Shishi_asn1 authenticator, int * cusec)

Function

handle: shishi handle as allocated by shishi_init(). authenticator: Authenticator as allocated by shishi_authenticator(). cusec: output integer with client microseconds field. Extract client microseconds field from Authenticator. Returns SHISHI_OK iff successful.

int shishi_authenticator_cusec_set (Shishi * handle, Shishi_asn1 authenticator, int cusec)

Function

handle: shishi handle as allocated by shishi_init(). authenticator: authenticator as allocated by shishi_authenticator(). cusec: client microseconds to set in authenticator, 0-999999. Set the cusec field in the Authenticator. Returns SHISHI_OK iff successful.

int shishi_authenticator_cksum (Shishi * handle, Shishi_asn1 authenticator, int32_t * cksumtype, char * cksum, size_t * cksumlen)

Function

handle: shishi handle as allocated by shishi_init(). authenticator: authenticator as allocated by shishi_authenticator(). cksumtype: output checksum type. cksum: output checksum data from authenticator. cksumlen: on input, maximum size of output checksum data buffer, on output, actual size of output checksum data buffer. Read checksum value from authenticator. Returns SHISHI_OK iff successful.

int shishi_authenticator_set_cksum (Shishi * handle, Shishi_asn1 authenticator, int32_t cksumtype, char * cksum, size_t cksumlen)

Function

handle: shishi handle as allocated by shishi_init(). authenticator: authenticator as allocated by shishi_authenticator(). cksumtype: input checksum type to store in authenticator. cksum: input checksum data to store in authenticator. cksumlen: size of input checksum data to store in authenticator. Store checksum value in authenticator. A checksum is usually created by calling shishi_checksum() on some application specific data using the key from the ticket that is being used. To save time, you may want to use shishi_authenticator_add_cksum() instead, which calculates the checksum and calls this function in one step. Returns SHISHI_OK iff successful.

int shishi_authenticator_add_cksum (Shishi * handle, Shishi_asn1 authenticator, Shishi_key * key, int keyusage, char * data, int datalen)

Function

handle: shishi handle as allocated by shishi_init(). authenticator: authenticator as allocated by shishi_authenticator(). data: input array with data to calculate checksum on. datalen: size of input array with data to calculate checksum on. Calculate checksum for data and store it in the authenticator. Returns SHISHI_OK iff successful.

int shishi_authenticator_clear_authorizationdata (Shishi * handle, Shishi_asn1 authenticator)

Function

handle: shishi handle as allocated by shishi_init(). authenticator: Authenticator as allocated by shishi_authenticator(). Remove the authorization-data field from Authenticator. Returns SHISHI_OK iff successful.

int shishi_authenticator_add_authorizationdata (Shishi * handle, Shishi_asn1 authenticator, int adtype, char * addata, int addatalen)

Function

handle: shishi handle as allocated by shishi_init(). authenticator: authenticator as allocated by shishi_authenticator(). adtype: input authorization data type to add. addata: input authorization data to add. addatalen: size of input authorization data to add. Add authorization data to authenticator. Returns SHISHI_OK iff successful.

int shishi_authenticator_authorizationdata (Shishi * handle, Shishi_asn1 authenticator, int * adtype, char * addata, int * addatalen, int nth)

Function

handle: shishi handle as allocated by shishi_init(). authenticator: authenticator as allocated by shishi_authenticator(). adtype: output authorization data type. addata: output authorization data. addatalen: on input, maximum size of output authorization data, nth: element number of authorization-data to extract. th authorization data from authenticator. The first field is 1. Returns SHISHI_OK iff successful.

4.12 Cryptographic Functions

Underneath the high-level functions described earlier, cryptographic operations are happening. If you need to access these cryptographic primitives directly, this section describes the functions available.

Most cryptographic operations need keying material, and cryptographic keys have been isolated into it's own data structure Shishi_key. The following illustrates it's contents, but note that you cannot access it's elements directly but must use the accessor functions described below.

struct Shishi_key
{
  int type;    /* RFC 1510 encryption integer type */
  char *value; /* Cryptographic key data */
  int version; /* RFC 1510 ``kvno'' */
};

All functions that operate on this data structure are described now.

const char * shishi_key_principal (Shishi_key * key)

Function

key: structure that holds key information Returns the principal owning the key. (Not a copy of it, so don't modify or deallocate it.)

void shishi_key_principal_set (Shishi_key * key, const char * principal)

Function

key: structure that holds key information principal: string with new principal name. Set the principal owning the key. The string is copied into the key, so you can dispose of the variable immediately after calling this function.

const char * shishi_key_realm (Shishi_key * key)

Function

key: structure that holds key information Returns the realm for the principal owning the key. (Not a copy of it, so don't modify or deallocate it.)

void shishi_key_realm_set (Shishi_key * key, const char * realm)

Function

key: structure that holds key information realm: string with new realm name. Set the realm for the principal owning the key. The string is copied into the key, so you can dispose of the variable immediately after calling this function.

int shishi_key_type (Shishi_key * key)

Function

key: structure that holds key information Returns the type of key as an integer as described in the standard.

void shishi_key_type_set (Shishi_key * key, int32_t type)

Function

key: structure that holds key information Set the type of key in key structure.

char * shishi_key_value (Shishi_key * key)

Function

key: structure that holds key information Returns the key value as a pointer which is valid throughout the lifetime of the key structure.

void shishi_key_value_set (Shishi_key * key, const char * value)

Function

key: structure that holds key information value: input array with key data. Set the key value and length in key structure.

int shishi_key_version (Shishi_key * key)

Function

key: structure that holds key information Returns the version of key ("kvno").

void shishi_key_version_set (Shishi_key * key, int version)

Function

key: structure that holds key information version: new version integer. Set the version of key ("kvno") in key structure.

const char * shishi_key_name (Shishi_key * key)

Function

key: structure that holds key information Calls shishi_cipher_name for key type. Return name of key.

size_t shishi_key_length (Shishi_key * key)

Function

key: structure that holds key information Calls shishi_cipher_keylen for key type. Returns the length of the key value.

int shishi_key (Shishi * handle, Shishi_key ** key)

Function

handle: Shishi library handle create by shishi_init(). key: pointer to structure that will hold newly created key information Create a new Key information structure. Returns SHISHI_MALLOC_ERROR on memory allocation errors, and SHISHI_OK on success.

void shishi_key_done (Shishi_key ** key)

Function

key: pointer to structure that holds key information. Deallocates key information structure and set key handle to NULL.

void shishi_key_copy (Shishi_key * dstkey, Shishi_key * srckey)

Function

dstkey: structure that holds destination key information srckey: structure that holds source key information Copies source key into existing allocated destination key.

int shishi_key_from_value (Shishi * handle, int32_t type, char * value, Shishi_key ** key)

Function

handle: Shishi library handle create by shishi_init(). type: type of key. value: input array with key value, or NULL. key: pointer to structure that will hold newly created key information Create a new Key information structure, and set the key type and key value. KEY contains a newly allocated structure only if this function is successful. Returns SHISHI_MALLOC_ERROR on memory allocation errors, and SHISHI_OK on success.

int shishi_key_from_base64 (Shishi * handle, int32_t type, char * value, Shishi_key ** key)

Function

handle: Shishi library handle create by shishi_init(). type: type of key. value: input string with base64 encoded key value, or NULL. key: pointer to structure that will hold newly created key information Create a new Key information structure, and set the key type and key value. KEY contains a newly allocated structure only if this function is successful. Returns SHISHI_MALLOC_ERROR on memory allocation errors, SHISHI_INVALID_KEY if the base64 encoded key length doesn't match the key type, and SHISHI_OK on success.

int shishi_key_random (Shishi * handle, int32_t type, Shishi_key ** key)

Function

handle: Shishi library handle create by shishi_init(). type: type of key. Create a new Key information structure for the key type and some random data. KEY contains a newly allocated structure only if this function is successful. Returns SHISHI_OK iff successful.

int shishi_key_from_random (Shishi * handle, int32_t type, char * random, size_t randomlen, Shishi_key ** key)

Function

handle: Shishi library handle create by shishi_init(). type: type of key. random: random data. randomlen: length of random data. Create a new Key information structure, and set the key type and key value using shishi_random_to_key(). KEY contains a newly allocated structure only if this function is successful. Returns SHISHI_MALLOC_ERROR on memory allocation errors, and SHISHI_OK on success.

int shishi_key_from_string (Shishi * handle, int32_t type, const char * password, size_t passwordlen, const char * salt, size_t saltlen, const char * parameter, Shishi_key ** key)

Function

handle: Shishi library handle create by shishi_init(). type: type of key. password: input array containing password. passwordlen: length of input array containing password. salt: input array containing salt. saltlen: length of input array containing salt. parameter: input array with opaque encryption type specific information. Create a new Key information structure, and set the key type and key value using shishi_string_to_key(). KEY contains a newly allocated structure only if this function is successful. Returns SHISHI_MALLOC_ERROR on memory allocation errors, and SHISHI_OK on success.

Many servers run uninteractively but still need keying material, and when they do they are normally read from a file stored on the local host. The file should be protected from unauthorized access. The file is in ASCII format and contains keys as outputed by shishi_key_print(). All functions that handle these hostkeys file are described now.

const char * shishi_hostkeys_default_file (Shishi * handle)

Function

handle: Shishi library handle create by shishi_init(). Returns the default host key filename used in the library. (Not a copy of it, so don't modify or deallocate it.)

void shishi_hostkeys_default_file_set (Shishi * handle, const char * hostkeysfile)

Function

handle: Shishi library handle create by shishi_init(). hostkeysfile: string with new default hostkeys file name, or NULL to reset to default. Set the default host key filename used in the library. The string is copied into the library, so you can dispose of the variable immediately after calling this function.

Shishi_key * shishi_hostkeys_for_serverrealm_in_file (Shishi * handle, const char * filename, const char * server, const char * realm)

Function

handle: Shishi library handle create by shishi_init(). filename: file to read keys from. server: server name to get key for. realm: realm of server to get key for. Returns the key for specific server and realm, read from the indicated file, or NULL if no key could be found or an error encountered.

Shishi_key * shishi_hostkeys_for_server_in_file (Shishi * handle, const char * filename, const char * server)

Function

handle: Shishi library handle create by shishi_init(). filename: file to read keys from. server: server name to get key for. Returns the key for specific server, read from the indicated file, or NULL if no key could be found or an error encountered.

Shishi_key * shishi_hostkeys_for_server (Shishi * handle, const char * server)

Function

handle: Shishi library handle create by shishi_init(). server: server name to get key for Returns the key for specific server, read from the default host keys file (see shishi_hostkeys_default_file()), or NULL if no key could be found or an error encountered.

Shishi_key * shishi_hostkeys_for_serverrealm (Shishi * handle, const char * server, const char * realm)

Function

handle: Shishi library handle create by shishi_init(). server: server name to get key for realm: realm of server to get key for. Returns the key for specific server and realm, read from the default host keys file (see shishi_hostkeys_default_file()), or NULL if no key could be found or an error encountered.

Shishi_key * shishi_hostkeys_for_localservicerealm (Shishi * handle, const char * service, const char * realm)

Function

handle: Shishi library handle create by shishi_init(). service: service to get key for. realm: realm of server to get key for. Returns the key for the server "SERVICE/HOSTNAMEREALM" (where HOSTNAME is the current system's hostname), read from the default host keys file (see shishi_hostkeys_default_file()), or NULL if no key could be found or an error encountered.