1 /* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
2 /* lib/krb5/krb/recvauth.c */
3 /*
4 * Copyright 1991 by the Massachusetts Institute of Technology.
5 * All Rights Reserved.
6 *
7 * Export of this software from the United States of America may
8 * require a specific license from the United States Government.
9 * It is the responsibility of any person or organization contemplating
10 * export to obtain such a license before exporting.
11 *
12 * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
13 * distribute this software and its documentation for any purpose and
14 * without fee is hereby granted, provided that the above copyright
15 * notice appear in all copies and that both that copyright notice and
16 * this permission notice appear in supporting documentation, and that
17 * the name of M.I.T. not be used in advertising or publicity pertaining
18 * to distribution of the software without specific, written prior
19 * permission. Furthermore if you modify this software you must label
20 * your software as modified software and not distribute it in such a
21 * fashion that it might be confused with the original M.I.T. software.
22 * M.I.T. makes no representations about the suitability of
23 * this software for any purpose. It is provided "as is" without express
24 * or implied warranty.
25 */
26
27 /*
28 *
29 * convenience sendauth/recvauth functions
30 */
31
32 #include "k5-int.h"
33 #include "auth_con.h"
34 #include "com_err.h"
35 #include <errno.h>
36 #include <stdio.h>
37 #include <string.h>
38
39 static const char sendauth_version[] = "KRB5_SENDAUTH_V1.0";
40
41 static krb5_error_code
recvauth_common(krb5_context context,krb5_auth_context * auth_context,krb5_pointer fd,char * appl_version,krb5_principal server,krb5_int32 flags,krb5_keytab keytab,krb5_ticket ** ticket,krb5_data * version)42 recvauth_common(krb5_context context,
43 krb5_auth_context * auth_context,
44 /* IN */
45 krb5_pointer fd,
46 char *appl_version,
47 krb5_principal server,
48 krb5_int32 flags,
49 krb5_keytab keytab,
50 /* OUT */
51 krb5_ticket ** ticket,
52 krb5_data *version)
53 {
54 krb5_auth_context new_auth_context;
55 krb5_flags ap_option = 0;
56 krb5_error_code retval, problem;
57 krb5_data inbuf;
58 krb5_data outbuf;
59 krb5_rcache rcache = 0;
60 krb5_octet response;
61 krb5_data d;
62 int need_error_free = 0;
63 int local_rcache = 0, local_authcon = 0;
64
65 /*
66 * Zero out problem variable. If problem is set at the end of
67 * the initial version negotiation section, it means that we
68 * need to send an error code back to the client application
69 * and exit.
70 */
71 problem = 0;
72 response = 0;
73
74 if (!(flags & KRB5_RECVAUTH_SKIP_VERSION)) {
75 /*
76 * First read the sendauth version string and check it.
77 */
78 if ((retval = krb5_read_message(context, fd, &inbuf)))
79 return(retval);
80 d = make_data((char *)sendauth_version, strlen(sendauth_version) + 1);
81 if (!data_eq(inbuf, d)) {
82 problem = KRB5_SENDAUTH_BADAUTHVERS;
83 response = 1;
84 }
85 free(inbuf.data);
86 }
87 if (flags & KRB5_RECVAUTH_BADAUTHVERS) {
88 problem = KRB5_SENDAUTH_BADAUTHVERS;
89 response = 1;
90 }
91
92 /*
93 * Do the same thing for the application version string.
94 */
95 if ((retval = krb5_read_message(context, fd, &inbuf)))
96 return(retval);
97 if (appl_version != NULL && !problem) {
98 d = make_data(appl_version, strlen(appl_version) + 1);
99 if (!data_eq(inbuf, d)) {
100 problem = KRB5_SENDAUTH_BADAPPLVERS;
101 response = 2;
102 }
103 }
104 if (version && !problem)
105 *version = inbuf;
106 else
107 free(inbuf.data);
108
109 /*
110 * Now we actually write the response. If the response is non-zero,
111 * exit with a return value of problem
112 */
113 if ((krb5_net_write(context, *((int *)fd), (char *)&response, 1)) < 0) {
114 return(problem); /* We'll return the top-level problem */
115 }
116 if (problem)
117 return(problem);
118
119 /* We are clear of errors here */
120
121 /*
122 * Now, let's read the AP_REQ message and decode it
123 */
124 if ((retval = krb5_read_message(context, fd, &inbuf)))
125 return retval;
126
127 if (*auth_context == NULL) {
128 problem = krb5_auth_con_init(context, &new_auth_context);
129 *auth_context = new_auth_context;
130 local_authcon = 1;
131 }
132 krb5_auth_con_getrcache(context, *auth_context, &rcache);
133 if ((!problem) && rcache == NULL) {
134 problem = k5_rc_default(context, &rcache);
135 if (!problem)
136 problem = krb5_auth_con_setrcache(context, *auth_context, rcache);
137 local_rcache = 1;
138 }
139 if (!problem) {
140 problem = krb5_rd_req(context, auth_context, &inbuf, server,
141 keytab, &ap_option, ticket);
142 free(inbuf.data);
143 }
144
145 /*
146 * If there was a problem, send back a krb5_error message,
147 * preceded by the length of the krb5_error message. If
148 * everything's ok, send back 0 for the length.
149 */
150 if (problem) {
151 krb5_error error;
152 const char *message;
153
154 memset(&error, 0, sizeof(error));
155 krb5_us_timeofday(context, &error.stime, &error.susec);
156 if(server)
157 error.server = server;
158 else {
159 /* If this fails - ie. ENOMEM we are hosed
160 we cannot even send the error if we wanted to... */
161 (void) krb5_parse_name(context, "????", &error.server);
162 need_error_free = 1;
163 }
164
165 error.error = problem - ERROR_TABLE_BASE_krb5;
166 if (error.error > 127)
167 error.error = KRB_ERR_GENERIC;
168 message = error_message(problem);
169 error.text.length = strlen(message) + 1;
170 error.text.data = strdup(message);
171 if (!error.text.data) {
172 retval = ENOMEM;
173 goto cleanup;
174 }
175 if ((retval = krb5_mk_error(context, &error, &outbuf))) {
176 free(error.text.data);
177 goto cleanup;
178 }
179 free(error.text.data);
180 if(need_error_free)
181 krb5_free_principal(context, error.server);
182
183 } else {
184 outbuf.length = 0;
185 outbuf.data = 0;
186 }
187
188 retval = krb5_write_message(context, fd, &outbuf);
189 if (outbuf.data) {
190 free(outbuf.data);
191 /* We sent back an error, we need cleanup then return */
192 retval = problem;
193 goto cleanup;
194 }
195 if (retval)
196 goto cleanup;
197
198 /* Here lies the mutual authentication stuff... */
199 if ((ap_option & AP_OPTS_MUTUAL_REQUIRED)) {
200 if ((retval = krb5_mk_rep(context, *auth_context, &outbuf))) {
201 return(retval);
202 }
203 retval = krb5_write_message(context, fd, &outbuf);
204 free(outbuf.data);
205 }
206
207 cleanup:;
208 if (retval) {
209 if (local_authcon) {
210 krb5_auth_con_free(context, *auth_context);
211 } else if (local_rcache && rcache != NULL) {
212 k5_rc_close(context, rcache);
213 krb5_auth_con_setrcache(context, *auth_context, NULL);
214 }
215 }
216 return retval;
217 }
218
219 krb5_error_code KRB5_CALLCONV
krb5_recvauth(krb5_context context,krb5_auth_context * auth_context,krb5_pointer fd,char * appl_version,krb5_principal server,krb5_int32 flags,krb5_keytab keytab,krb5_ticket ** ticket)220 krb5_recvauth(krb5_context context, krb5_auth_context *auth_context, krb5_pointer fd, char *appl_version, krb5_principal server, krb5_int32 flags, krb5_keytab keytab, krb5_ticket **ticket)
221 {
222 return recvauth_common (context, auth_context, fd, appl_version,
223 server, flags, keytab, ticket, 0);
224 }
225
226 krb5_error_code KRB5_CALLCONV
krb5_recvauth_version(krb5_context context,krb5_auth_context * auth_context,krb5_pointer fd,krb5_principal server,krb5_int32 flags,krb5_keytab keytab,krb5_ticket ** ticket,krb5_data * version)227 krb5_recvauth_version(krb5_context context,
228 krb5_auth_context *auth_context,
229 /* IN */
230 krb5_pointer fd,
231 krb5_principal server,
232 krb5_int32 flags,
233 krb5_keytab keytab,
234 /* OUT */
235 krb5_ticket **ticket,
236 krb5_data *version)
237 {
238 return recvauth_common (context, auth_context, fd, 0,
239 server, flags, keytab, ticket, version);
240 }
241