xref: /freebsd/crypto/heimdal/lib/krb5/recvauth.c (revision 1e413cf93298b5b97441a21d9a50fdcd0ee9945e)
1 /*
2  * Copyright (c) 1997-2002 Kungliga Tekniska H�gskolan
3  * (Royal Institute of Technology, Stockholm, Sweden).
4  * All rights reserved.
5  *
6  * Redistribution and use in source and binary forms, with or without
7  * modification, are permitted provided that the following conditions
8  * are met:
9  *
10  * 1. Redistributions of source code must retain the above copyright
11  *    notice, this list of conditions and the following disclaimer.
12  *
13  * 2. Redistributions in binary form must reproduce the above copyright
14  *    notice, this list of conditions and the following disclaimer in the
15  *    documentation and/or other materials provided with the distribution.
16  *
17  * 3. Neither the name of the Institute nor the names of its contributors
18  *    may be used to endorse or promote products derived from this software
19  *    without specific prior written permission.
20  *
21  * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
22  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24  * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
25  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31  * SUCH DAMAGE.
32  */
33 
34 #include "krb5_locl.h"
35 
36 RCSID("$Id: recvauth.c,v 1.16 2002/04/18 09:41:33 joda Exp $");
37 
38 /*
39  * See `sendauth.c' for the format.
40  */
41 
42 static krb5_boolean
43 match_exact(const void *data, const char *appl_version)
44 {
45     return strcmp(data, appl_version) == 0;
46 }
47 
48 krb5_error_code
49 krb5_recvauth(krb5_context context,
50 	      krb5_auth_context *auth_context,
51 	      krb5_pointer p_fd,
52 	      const char *appl_version,
53 	      krb5_principal server,
54 	      int32_t flags,
55 	      krb5_keytab keytab,
56 	      krb5_ticket **ticket)
57 {
58     return krb5_recvauth_match_version(context, auth_context, p_fd,
59 				       match_exact, appl_version,
60 				       server, flags,
61 				       keytab, ticket);
62 }
63 
64 krb5_error_code
65 krb5_recvauth_match_version(krb5_context context,
66 			    krb5_auth_context *auth_context,
67 			    krb5_pointer p_fd,
68 			    krb5_boolean (*match_appl_version)(const void *,
69 							       const char*),
70 			    const void *match_data,
71 			    krb5_principal server,
72 			    int32_t flags,
73 			    krb5_keytab keytab,
74 			    krb5_ticket **ticket)
75 {
76   krb5_error_code ret;
77   const char *version = KRB5_SENDAUTH_VERSION;
78   char her_version[sizeof(KRB5_SENDAUTH_VERSION)];
79   char *her_appl_version;
80   u_int32_t len;
81   u_char repl;
82   krb5_data data;
83   krb5_flags ap_options;
84   ssize_t n;
85 
86   /*
87    * If there are no addresses in auth_context, get them from `fd'.
88    */
89 
90   if (*auth_context == NULL) {
91       ret = krb5_auth_con_init (context, auth_context);
92       if (ret)
93 	  return ret;
94   }
95 
96   ret = krb5_auth_con_setaddrs_from_fd (context,
97 					*auth_context,
98 					p_fd);
99   if (ret)
100       return ret;
101 
102   if(!(flags & KRB5_RECVAUTH_IGNORE_VERSION)) {
103     n = krb5_net_read (context, p_fd, &len, 4);
104     if (n < 0) {
105 	ret = errno;
106 	krb5_set_error_string (context, "read: %s", strerror(errno));
107 	return ret;
108     }
109     if (n == 0) {
110 	krb5_clear_error_string (context);
111 	return KRB5_SENDAUTH_BADAUTHVERS;
112     }
113     len = ntohl(len);
114     if (len != sizeof(her_version)
115 	|| krb5_net_read (context, p_fd, her_version, len) != len
116 	|| strncmp (version, her_version, len)) {
117       repl = 1;
118       krb5_net_write (context, p_fd, &repl, 1);
119 	krb5_clear_error_string (context);
120       return KRB5_SENDAUTH_BADAUTHVERS;
121     }
122   }
123 
124   n = krb5_net_read (context, p_fd, &len, 4);
125   if (n < 0) {
126       ret = errno;
127       krb5_set_error_string (context, "read: %s", strerror(errno));
128       return ret;
129   }
130   if (n == 0) {
131       krb5_clear_error_string (context);
132       return KRB5_SENDAUTH_BADAPPLVERS;
133   }
134   len = ntohl(len);
135   her_appl_version = malloc (len);
136   if (her_appl_version == NULL) {
137       repl = 2;
138       krb5_net_write (context, p_fd, &repl, 1);
139       krb5_set_error_string (context, "malloc: out of memory");
140       return ENOMEM;
141   }
142   if (krb5_net_read (context, p_fd, her_appl_version, len) != len
143       || !(*match_appl_version)(match_data, her_appl_version)) {
144     repl = 2;
145     krb5_net_write (context, p_fd, &repl, 1);
146     krb5_set_error_string (context, "wrong sendauth version (%s)",
147 			   her_appl_version);
148     free (her_appl_version);
149     return KRB5_SENDAUTH_BADAPPLVERS;
150   }
151   free (her_appl_version);
152 
153   repl = 0;
154   if (krb5_net_write (context, p_fd, &repl, 1) != 1) {
155     ret = errno;
156     krb5_set_error_string (context, "write: %s", strerror(errno));
157     return ret;
158   }
159 
160   krb5_data_zero (&data);
161   ret = krb5_read_message (context, p_fd, &data);
162   if (ret)
163       return ret;
164 
165   ret = krb5_rd_req (context,
166 		     auth_context,
167 		     &data,
168 		     server,
169 		     keytab,
170 		     &ap_options,
171 		     ticket);
172   krb5_data_free (&data);
173   if (ret) {
174       krb5_data error_data;
175       krb5_error_code ret2;
176 
177       ret2 = krb5_mk_error (context,
178 			    ret,
179 			    NULL,
180 			    NULL,
181 			    NULL,
182 			    server,
183 			    NULL,
184 			    NULL,
185 			    &error_data);
186       if (ret2 == 0) {
187 	  krb5_write_message (context, p_fd, &error_data);
188 	  krb5_data_free (&error_data);
189       }
190       return ret;
191   }
192 
193   len = 0;
194   if (krb5_net_write (context, p_fd, &len, 4) != 4) {
195       ret = errno;
196       krb5_set_error_string (context, "write: %s", strerror(errno));
197       return ret;
198   }
199 
200   if (ap_options & AP_OPTS_MUTUAL_REQUIRED) {
201     ret = krb5_mk_rep (context, *auth_context, &data);
202     if (ret)
203       return ret;
204 
205     ret = krb5_write_message (context, p_fd, &data);
206     if (ret)
207 	return ret;
208     krb5_data_free (&data);
209   }
210   return 0;
211 }
212