search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Use anon realm for anonymous PKINIT
[heimdal.git] / lib / krb5 / recvauth.c
blob3af283d7c3256a1f337c37706084cef072910816
1 /*
2 * Copyright (c) 1997-2007 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
4 * All rights reserved.
5 *
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
8 * are met:
9 *
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
12 *
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
16 *
17 * 3. Neither the name of the Institute nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
20 *
21 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31 * SUCH DAMAGE.
32 */
33
34 #include "krb5_locl.h"
35
36 /*
37 * See `sendauth.c' for the format.
38 */
39
40 static krb5_boolean
41 match_exact(const void *data, const char *appl_version)
42 {
43 return strcmp(data, appl_version) == 0;
44 }
45
46 /**
47 * Perform the server side of the sendauth protocol.
48 *
49 * @param context Kerberos 5 context.
50 * @param auth_context authentication context of the peer.
51 * @param p_fd socket associated to the connection.
52 * @param appl_version server-specific string.
53 * @param server server principal.
54 * @param flags if KRB5_RECVAUTH_IGNORE_VERSION is set, skip the sendauth version
55 * part of the protocol.
56 * @param keytab server keytab.
57 * @param ticket on success, set to the authenticated client credentials.
58 * Must be deallocated with krb5_free_ticket(). If not
59 * interested, pass a NULL value.
60 *
61 * @return 0 to indicate success. Otherwise a Kerberos error code is
62 * returned, see krb5_get_error_message().
63 */
64 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
65 krb5_recvauth(krb5_context context,
66 krb5_auth_context *auth_context,
67 krb5_pointer p_fd,
68 const char *appl_version,
69 krb5_principal server,
70 int32_t flags,
71 krb5_keytab keytab,
72 krb5_ticket **ticket)
73 {
74 return krb5_recvauth_match_version(context, auth_context, p_fd,
75 match_exact, appl_version,
76 server, flags,
77 keytab, ticket);
78 }
79
80 /**
81 * Perform the server side of the sendauth protocol like krb5_recvauth(), but support
82 * a user-specified callback, \a match_appl_version, to perform the match of the application
83 * version \a match_data.
84 */
85 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
86 krb5_recvauth_match_version(krb5_context context,
87 krb5_auth_context *auth_context,
88 krb5_pointer p_fd,
89 krb5_boolean (*match_appl_version)(const void *,
90 const char*),
91 const void *match_data,
92 krb5_principal server,
93 int32_t flags,
94 krb5_keytab keytab,
95 krb5_ticket **ticket)
96 {
97 krb5_error_code ret;
98 const char *version = KRB5_SENDAUTH_VERSION;
99 char her_version[sizeof(KRB5_SENDAUTH_VERSION)];
100 char *her_appl_version;
101 uint32_t len;
102 u_char repl;
103 krb5_data data;
104 krb5_flags ap_options;
105 ssize_t n;
106
107 /*
108 * If there are no addresses in auth_context, get them from `fd'.
109 */
110
111 if (*auth_context == NULL) {
112 ret = krb5_auth_con_init (context, auth_context);
113 if (ret)
114 return ret;
115 }
116
117 ret = krb5_auth_con_setaddrs_from_fd (context,
118 *auth_context,
119 p_fd);
120 if (ret)
121 return ret;
122
123 /*
124 * Expect SENDAUTH protocol version.
125 */
126 if(!(flags & KRB5_RECVAUTH_IGNORE_VERSION)) {
127 n = krb5_net_read (context, p_fd, &len, 4);
128 if (n < 0) {
129 ret = errno;
130 krb5_set_error_message(context, ret, "read: %s", strerror(ret));
131 return ret;
132 }
133 if (n == 0) {
134 krb5_set_error_message(context, KRB5_SENDAUTH_BADAUTHVERS,
135 N_("Failed to receive sendauth data", ""));
136 return KRB5_SENDAUTH_BADAUTHVERS;
137 }
138 len = ntohl(len);
139 if (len != sizeof(her_version)
140 || krb5_net_read (context, p_fd, her_version, len) != len
141 || strncmp (version, her_version, len)) {
142 repl = 1;
143 krb5_net_write (context, p_fd, &repl, 1);
144 krb5_clear_error_message (context);
145 return KRB5_SENDAUTH_BADAUTHVERS;
146 }
147 }
148
149 /*
150 * Expect application protocol version.
151 */
152 n = krb5_net_read (context, p_fd, &len, 4);
153 if (n < 0) {
154 ret = errno;
155 krb5_set_error_message(context, ret, "read: %s", strerror(ret));
156 return ret;
157 }
158 if (n == 0) {
159 krb5_clear_error_message (context);
160 return KRB5_SENDAUTH_BADAPPLVERS;
161 }
162 len = ntohl(len);
163 her_appl_version = malloc (len);
164 if (her_appl_version == NULL) {
165 repl = 2;
166 krb5_net_write (context, p_fd, &repl, 1);
167 return krb5_enomem(context);
168 }
169 if (krb5_net_read (context, p_fd, her_appl_version, len) != len
170 || !(*match_appl_version)(match_data, her_appl_version)) {
171 repl = 2;
172 krb5_net_write (context, p_fd, &repl, 1);
173 krb5_set_error_message(context, KRB5_SENDAUTH_BADAPPLVERS,
174 N_("wrong sendauth application version (%s)", ""),
175 her_appl_version);
176 free (her_appl_version);
177 return KRB5_SENDAUTH_BADAPPLVERS;
178 }
179 free (her_appl_version);
180
181 /*
182 * Send OK.
183 */
184 repl = 0;
185 if (krb5_net_write (context, p_fd, &repl, 1) != 1) {
186 ret = errno;
187 krb5_set_error_message(context, ret, "write: %s", strerror(ret));
188 return ret;
189 }
190
191 /*
192 * Until here, the fields in the message were in cleartext and unauthenticated.
193 * From now on, Kerberos kicks in.
194 */
195
196 /*
197 * Expect AP_REQ.
198 */
199 krb5_data_zero (&data);
200 ret = krb5_read_message (context, p_fd, &data);
201 if (ret)
202 return ret;
203
204 ret = krb5_rd_req (context,
205 auth_context,
206 &data,
207 server,
208 keytab,
209 &ap_options,
210 ticket);
211 krb5_data_free (&data);
212 if (ret) {
213 krb5_data error_data;
214 krb5_error_code ret2;
215
216 ret2 = krb5_mk_error (context,
217 ret,
218 NULL,
219 NULL,
220 NULL,
221 server,
222 NULL,
223 NULL,
224 &error_data);
225 if (ret2 == 0) {
226 krb5_write_message (context, p_fd, &error_data);
227 krb5_data_free (&error_data);
228 }
229 return ret;
230 }
231
232 /*
233 * Send OK.
234 */
235 len = 0;
236 if (krb5_net_write (context, p_fd, &len, 4) != 4) {
237 ret = errno;
238 krb5_set_error_message(context, ret, "write: %s", strerror(ret));
239 krb5_free_ticket(context, *ticket);
240 *ticket = NULL;
241 return ret;
242 }
243
244 /*
245 * If client requires mutual authentication, send AP_REP.
246 */
247 if (ap_options & AP_OPTS_MUTUAL_REQUIRED) {
248 ret = krb5_mk_rep (context, *auth_context, &data);
249 if (ret) {
250 krb5_free_ticket(context, *ticket);
251 *ticket = NULL;
252 return ret;
253 }
254
255 ret = krb5_write_message (context, p_fd, &data);
256 if (ret) {
257 krb5_free_ticket(context, *ticket);
258 *ticket = NULL;
259 return ret;
260 }
261 krb5_data_free (&data);
262 }
263 return 0;
264 }
Heimdal