lib/krb5/sendauth.c

   1 /*
   2  * Copyright (c) 1997 - 2006 Kungliga Tekniska Högskolan
   3  * (Royal Institute of Technology, Stockholm, Sweden).
   4  * All rights reserved.
   5  *
   6  * Redistribution and use in source and binary forms, with or without
   7  * modification, are permitted provided that the following conditions
   8  * are met:
   9  *
  10  * 1. Redistributions of source code must retain the above copyright
  11  *    notice, this list of conditions and the following disclaimer.
  12  *
  13  * 2. Redistributions in binary form must reproduce the above copyright
  14  *    notice, this list of conditions and the following disclaimer in the
  15  *    documentation and/or other materials provided with the distribution.
  16  *
  17  * 3. Neither the name of the Institute nor the names of its contributors
  18  *    may be used to endorse or promote products derived from this software
  19  *    without specific prior written permission.
  20  *
  21  * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
  22  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  23  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
  24  * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
  25  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
  26  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
  27  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  28  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
  29  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
  30  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  31  * SUCH DAMAGE.
  32  */
  33
  34 #include "krb5_locl.h"
  35
  36 RCSID("$Id$");
  37
  38 /*
  39  * The format seems to be:
  40  * client -> server
  41  *
  42  * 4 bytes - length
  43  * KRB5_SENDAUTH_V1.0 (including zero)
  44  * 4 bytes - length
  45  * protocol string (with terminating zero)
  46  *
  47  * server -> client
  48  * 1 byte - (0 = OK, else some kind of error)
  49  *
  50  * client -> server
  51  * 4 bytes - length
  52  * AP-REQ
  53  *
  54  * server -> client
  55  * 4 bytes - length (0 = OK, else length of error)
  56  * (error)
  57  *
  58  * if(mutual) {
  59  * server -> client
  60  * 4 bytes - length
  61  * AP-REP
  62  * }
  63  */
  64
  65 krb5_error_code KRB5_LIB_FUNCTION
  66 krb5_sendauth(krb5_context context,
  67               krb5_auth_context *auth_context,
  68               krb5_pointer p_fd,
  69               const char *appl_version,
  70               krb5_principal client,
  71               krb5_principal server,
  72               krb5_flags ap_req_options,
  73               krb5_data *in_data,
  74               krb5_creds *in_creds,
  75               krb5_ccache ccache,
  76               krb5_error **ret_error,
  77               krb5_ap_rep_enc_part **rep_result,
  78               krb5_creds **out_creds)
  79 {
  80     krb5_error_code ret;
  81     uint32_t len, net_len;
  82     const char *version = KRB5_SENDAUTH_VERSION;
  83     u_char repl;
  84     krb5_data ap_req, error_data;
  85     krb5_creds this_cred;
  86     krb5_principal this_client = NULL;
  87     krb5_creds *creds;
  88     ssize_t sret;
  89     krb5_boolean my_ccache = FALSE;
  90
  91     len = strlen(version) + 1;
  92     net_len = htonl(len);
  93     if (krb5_net_write (context, p_fd, &net_len, 4) != 4
  94         || krb5_net_write (context, p_fd, version, len) != len) {
  95         ret = errno;
  96         krb5_set_error_string (context, "write: %s", strerror(ret));
  97         return ret;
  98     }
  99
 100     len = strlen(appl_version) + 1;
 101     net_len = htonl(len);
 102     if (krb5_net_write (context, p_fd, &net_len, 4) != 4
 103         || krb5_net_write (context, p_fd, appl_version, len) != len) {
 104         ret = errno;
 105         krb5_set_error_string (context, "write: %s", strerror(ret));
 106         return ret;
 107     }
 108
 109     sret = krb5_net_read (context, p_fd, &repl, sizeof(repl));
 110     if (sret < 0) {
 111         ret = errno;
 112         krb5_set_error_string (context, "read: %s", strerror(ret));
 113         return ret;
 114     } else if (sret != sizeof(repl)) {
 115         krb5_clear_error_string (context);
 116         return KRB5_SENDAUTH_BADRESPONSE;
 117     }
 118
 119     if (repl != 0) {
 120         krb5_clear_error_string (context);
 121         return KRB5_SENDAUTH_REJECTED;
 122     }
 123
 124     if (in_creds == NULL) {
 125         if (ccache == NULL) {
 126             ret = krb5_cc_default (context, &ccache);
 127             if (ret)
 128                 return ret;
 129             my_ccache = TRUE;
 130         }
 131
 132         if (client == NULL) {
 133             ret = krb5_cc_get_principal (context, ccache, &this_client);
 134             if (ret) {
 135                 if(my_ccache)
 136                     krb5_cc_close(context, ccache);
 137                 return ret;
 138             }
 139             client = this_client;
 140         }
 141         memset(&this_cred, 0, sizeof(this_cred));
 142         this_cred.client = client;
 143         this_cred.server = server;
 144         this_cred.times.endtime = 0;
 145         this_cred.ticket.length = 0;
 146         in_creds = &this_cred;
 147     }
 148     if (in_creds->ticket.length == 0) {
 149         ret = krb5_get_credentials (context, 0, ccache, in_creds, &creds);
 150         if (ret) {
 151             if(my_ccache)
 152                 krb5_cc_close(context, ccache);
 153             return ret;
 154         }
 155     } else {
 156         creds = in_creds;
 157     }
 158     if(my_ccache)
 159         krb5_cc_close(context, ccache);
 160     ret = krb5_mk_req_extended (context,
 161                                 auth_context,
 162                                 ap_req_options,
 163                                 in_data,
 164                                 creds,
 165                                 &ap_req);
 166
 167     if (out_creds)
 168         *out_creds = creds;
 169     else
 170         krb5_free_creds(context, creds);
 171     if(this_client)
 172         krb5_free_principal(context, this_client);
 173
 174     if (ret)
 175         return ret;
 176
 177     ret = krb5_write_message (context,
 178                               p_fd,
 179                               &ap_req);
 180     if (ret)
 181         return ret;
 182
 183     krb5_data_free (&ap_req);
 184
 185     ret = krb5_read_message (context, p_fd, &error_data);
 186     if (ret)
 187         return ret;
 188
 189     if (error_data.length != 0) {
 190         KRB_ERROR error;
 191
 192         ret = krb5_rd_error (context, &error_data, &error);
 193         krb5_data_free (&error_data);
 194         if (ret == 0) {
 195             ret = krb5_error_from_rd_error(context, &error, NULL);
 196             if (ret_error != NULL) {
 197                 *ret_error = malloc (sizeof(krb5_error));
 198                 if (*ret_error == NULL) {
 199                     krb5_free_error_contents (context, &error);
 200                 } else {
 201                     **ret_error = error;
 202                 }
 203             } else {
 204                 krb5_free_error_contents (context, &error);
 205             }
 206             return ret;
 207         } else {
 208             krb5_clear_error_string(context);
 209             return ret;
 210         }
 211     }
 212
 213     if (ap_req_options & AP_OPTS_MUTUAL_REQUIRED) {
 214         krb5_data ap_rep;
 215         krb5_ap_rep_enc_part *ignore;
 216
 217         krb5_data_zero (&ap_rep);
 218         ret = krb5_read_message (context,
 219                                  p_fd,
 220                                  &ap_rep);
 221         if (ret)
 222             return ret;
 223
 224         ret = krb5_rd_rep (context, *auth_context, &ap_rep,
 225                            rep_result ? rep_result : &ignore);
 226         krb5_data_free (&ap_rep);
 227         if (ret)
 228             return ret;
 229         if (rep_result == NULL)
 230             krb5_free_ap_rep_enc_part (context, ignore);
 231     }
 232     return 0;
 233 }