1 /* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
2 /* lib/krb5/krb/sendauth.c */
3 /*
4 * Copyright 1991, 2009 by the Massachusetts Institute of Technology.
5 * All Rights Reserved.
6 *
7 * Export of this software from the United States of America may
8 * require a specific license from the United States Government.
9 * It is the responsibility of any person or organization contemplating
10 * export to obtain such a license before exporting.
11 *
12 * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
13 * distribute this software and its documentation for any purpose and
14 * without fee is hereby granted, provided that the above copyright
15 * notice appear in all copies and that both that copyright notice and
16 * this permission notice appear in supporting documentation, and that
17 * the name of M.I.T. not be used in advertising or publicity pertaining
18 * to distribution of the software without specific, written prior
19 * permission. Furthermore if you modify this software you must label
20 * your software as modified software and not distribute it in such a
21 * fashion that it might be confused with the original M.I.T. software.
22 * M.I.T. makes no representations about the suitability of
23 * this software for any purpose. It is provided "as is" without express
24 * or implied warranty.
25 */
26
27 #include "k5-int.h"
28 #include "os-proto.h"
29 #include "com_err.h"
30 #include "auth_con.h"
31 #include <errno.h>
32 #include <stdio.h>
33 #include <string.h>
34
35 static const char sendauth_version[] = "KRB5_SENDAUTH_V1.0";
36
37 krb5_error_code KRB5_CALLCONV
krb5_sendauth(krb5_context context,krb5_auth_context * auth_context,krb5_pointer fd,char * appl_version,krb5_principal client,krb5_principal server,krb5_flags ap_req_options,krb5_data * in_data,krb5_creds * in_creds,krb5_ccache ccache,krb5_error ** error,krb5_ap_rep_enc_part ** rep_result,krb5_creds ** out_creds)38 krb5_sendauth(krb5_context context, krb5_auth_context *auth_context,
39 krb5_pointer fd, char *appl_version, krb5_principal client,
40 krb5_principal server, krb5_flags ap_req_options,
41 krb5_data *in_data, krb5_creds *in_creds, krb5_ccache ccache,
42 krb5_error **error, krb5_ap_rep_enc_part **rep_result,
43 krb5_creds **out_creds)
44 {
45 krb5_octet result;
46 krb5_creds creds;
47 krb5_creds * credsp = NULL;
48 krb5_creds * credspout = NULL;
49 krb5_error_code retval = 0;
50 krb5_data inbuf, outbuf[2];
51 int len;
52 krb5_ccache use_ccache = 0;
53
54 if (error)
55 *error = 0;
56
57 /*
58 * First, send over the length of the sendauth version string;
59 * then, we send over the sendauth version. Next, we send
60 * over the length of the application version strings followed
61 * by the string itself.
62 */
63 outbuf[0].length = strlen(sendauth_version) + 1;
64 outbuf[0].data = (char *) sendauth_version;
65 outbuf[1].length = strlen(appl_version) + 1;
66 outbuf[1].data = appl_version;
67 if ((retval = k5_write_messages(context, fd, outbuf, 2)))
68 return(retval);
69 /*
70 * Now, read back a byte: 0 means no error, 1 means bad sendauth
71 * version, 2 means bad application version
72 */
73 if ((len = krb5_net_read(context, *((int *) fd), (char *)&result, 1)) != 1)
74 return((len < 0) ? errno : ECONNABORTED);
75 if (result == 1)
76 return(KRB5_SENDAUTH_BADAUTHVERS);
77 else if (result == 2)
78 return(KRB5_SENDAUTH_BADAPPLVERS);
79 else if (result != 0)
80 return(KRB5_SENDAUTH_BADRESPONSE);
81 /*
82 * We're finished with the initial negotiations; let's get and
83 * send over the authentication header. (The AP_REQ message)
84 */
85
86 /*
87 * If no credentials were provided, try getting it from the
88 * credentials cache.
89 */
90 memset(&creds, 0, sizeof(creds));
91
92 /*
93 * See if we need to access the credentials cache
94 */
95 if (!in_creds || !in_creds->ticket.length) {
96 if (ccache)
97 use_ccache = ccache;
98 else if ((retval = krb5int_cc_default(context, &use_ccache)))
99 goto error_return;
100 }
101 if (!in_creds) {
102 if ((retval = krb5_copy_principal(context, server,
103 &creds.server)))
104 goto error_return;
105 if (client)
106 retval = krb5_copy_principal(context, client,
107 &creds.client);
108 else
109 retval = krb5_cc_get_principal(context, use_ccache,
110 &creds.client);
111 if (retval)
112 goto error_return;
113 /* creds.times.endtime = 0; -- memset 0 takes care of this
114 zero means "as long as possible" */
115 /* creds.keyblock.enctype = 0; -- as well as this.
116 zero means no session enctype
117 preference */
118 in_creds = &creds;
119 }
120 if (!in_creds->ticket.length) {
121 if ((retval = krb5_get_credentials(context, 0,
122 use_ccache, in_creds, &credsp)))
123 goto error_return;
124 credspout = credsp;
125 } else {
126 credsp = in_creds;
127 }
128
129 outbuf[0].data = NULL; /* Coverity is confused otherwise */
130 if ((retval = krb5_mk_req_extended(context, auth_context,
131 ap_req_options, in_data, credsp,
132 &outbuf[0])))
133 goto error_return;
134
135 /*
136 * First write the length of the AP_REQ message, then write
137 * the message itself.
138 */
139 retval = krb5_write_message(context, fd, &outbuf[0]);
140 free(outbuf[0].data);
141 if (retval)
142 goto error_return;
143
144 /*
145 * Now, read back a message. If it was a null message (the
146 * length was zero) then there was no error. If not, we the
147 * authentication was rejected, and we need to return the
148 * error structure.
149 */
150 if ((retval = krb5_read_message(context, fd, &inbuf)))
151 goto error_return;
152
153 if (inbuf.length) {
154 if (error) {
155 if ((retval = krb5_rd_error(context, &inbuf, error))) {
156 free(inbuf.data);
157 goto error_return;
158 }
159 }
160 retval = KRB5_SENDAUTH_REJECTED;
161 free(inbuf.data);
162 goto error_return;
163 }
164
165 /*
166 * If we asked for mutual authentication, we should now get a
167 * length field, followed by a AP_REP message
168 */
169 if ((ap_req_options & AP_OPTS_MUTUAL_REQUIRED)) {
170 krb5_ap_rep_enc_part *repl = 0;
171
172 if ((retval = krb5_read_message(context, fd, &inbuf)))
173 goto error_return;
174
175 if ((retval = krb5_rd_rep(context, *auth_context, &inbuf,
176 &repl))) {
177 if (repl)
178 krb5_free_ap_rep_enc_part(context, repl);
179 free(inbuf.data);
180 goto error_return;
181 }
182
183 free(inbuf.data);
184 /*
185 * If the user wants to look at the AP_REP message,
186 * copy it for him
187 */
188 if (rep_result)
189 *rep_result = repl;
190 else
191 krb5_free_ap_rep_enc_part(context, repl);
192 }
193 retval = 0; /* Normal return */
194 if (out_creds) {
195 *out_creds = credsp;
196 credspout = NULL;
197 }
198
199 error_return:
200 krb5_free_cred_contents(context, &creds);
201 if (credspout != NULL)
202 krb5_free_creds(context, credspout);
203 if (!ccache && use_ccache)
204 krb5_cc_close(context, use_ccache);
205 return(retval);
206 }
207