xref: /freebsd/crypto/heimdal/lib/krb5/sendauth.c (revision 7aa383846770374466b1dcb2cefd71bde9acf463)
1 /*
2  * Copyright (c) 1997 - 2006 Kungliga Tekniska H�gskolan
3  * (Royal Institute of Technology, Stockholm, Sweden).
4  * All rights reserved.
5  *
6  * Redistribution and use in source and binary forms, with or without
7  * modification, are permitted provided that the following conditions
8  * are met:
9  *
10  * 1. Redistributions of source code must retain the above copyright
11  *    notice, this list of conditions and the following disclaimer.
12  *
13  * 2. Redistributions in binary form must reproduce the above copyright
14  *    notice, this list of conditions and the following disclaimer in the
15  *    documentation and/or other materials provided with the distribution.
16  *
17  * 3. Neither the name of the Institute nor the names of its contributors
18  *    may be used to endorse or promote products derived from this software
19  *    without specific prior written permission.
20  *
21  * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
22  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24  * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
25  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31  * SUCH DAMAGE.
32  */
33 
34 #include "krb5_locl.h"
35 
36 RCSID("$Id: sendauth.c 17442 2006-05-05 09:31:15Z lha $");
37 
38 /*
39  * The format seems to be:
40  * client -> server
41  *
42  * 4 bytes - length
43  * KRB5_SENDAUTH_V1.0 (including zero)
44  * 4 bytes - length
45  * protocol string (with terminating zero)
46  *
47  * server -> client
48  * 1 byte - (0 = OK, else some kind of error)
49  *
50  * client -> server
51  * 4 bytes - length
52  * AP-REQ
53  *
54  * server -> client
55  * 4 bytes - length (0 = OK, else length of error)
56  * (error)
57  *
58  * if(mutual) {
59  * server -> client
60  * 4 bytes - length
61  * AP-REP
62  * }
63  */
64 
65 krb5_error_code KRB5_LIB_FUNCTION
66 krb5_sendauth(krb5_context context,
67 	      krb5_auth_context *auth_context,
68 	      krb5_pointer p_fd,
69 	      const char *appl_version,
70 	      krb5_principal client,
71 	      krb5_principal server,
72 	      krb5_flags ap_req_options,
73 	      krb5_data *in_data,
74 	      krb5_creds *in_creds,
75 	      krb5_ccache ccache,
76 	      krb5_error **ret_error,
77 	      krb5_ap_rep_enc_part **rep_result,
78 	      krb5_creds **out_creds)
79 {
80     krb5_error_code ret;
81     uint32_t len, net_len;
82     const char *version = KRB5_SENDAUTH_VERSION;
83     u_char repl;
84     krb5_data ap_req, error_data;
85     krb5_creds this_cred;
86     krb5_principal this_client = NULL;
87     krb5_creds *creds;
88     ssize_t sret;
89     krb5_boolean my_ccache = FALSE;
90 
91     len = strlen(version) + 1;
92     net_len = htonl(len);
93     if (krb5_net_write (context, p_fd, &net_len, 4) != 4
94 	|| krb5_net_write (context, p_fd, version, len) != len) {
95 	ret = errno;
96 	krb5_set_error_string (context, "write: %s", strerror(ret));
97 	return ret;
98     }
99 
100     len = strlen(appl_version) + 1;
101     net_len = htonl(len);
102     if (krb5_net_write (context, p_fd, &net_len, 4) != 4
103 	|| krb5_net_write (context, p_fd, appl_version, len) != len) {
104 	ret = errno;
105 	krb5_set_error_string (context, "write: %s", strerror(ret));
106 	return ret;
107     }
108 
109     sret = krb5_net_read (context, p_fd, &repl, sizeof(repl));
110     if (sret < 0) {
111 	ret = errno;
112 	krb5_set_error_string (context, "read: %s", strerror(ret));
113 	return ret;
114     } else if (sret != sizeof(repl)) {
115 	krb5_clear_error_string (context);
116 	return KRB5_SENDAUTH_BADRESPONSE;
117     }
118 
119     if (repl != 0) {
120 	krb5_clear_error_string (context);
121 	return KRB5_SENDAUTH_REJECTED;
122     }
123 
124     if (in_creds == NULL) {
125 	if (ccache == NULL) {
126 	    ret = krb5_cc_default (context, &ccache);
127 	    if (ret)
128 		return ret;
129 	    my_ccache = TRUE;
130 	}
131 
132 	if (client == NULL) {
133 	    ret = krb5_cc_get_principal (context, ccache, &this_client);
134 	    if (ret) {
135 		if(my_ccache)
136 		    krb5_cc_close(context, ccache);
137 		return ret;
138 	    }
139 	    client = this_client;
140 	}
141 	memset(&this_cred, 0, sizeof(this_cred));
142 	this_cred.client = client;
143 	this_cred.server = server;
144 	this_cred.times.endtime = 0;
145 	this_cred.ticket.length = 0;
146 	in_creds = &this_cred;
147     }
148     if (in_creds->ticket.length == 0) {
149 	ret = krb5_get_credentials (context, 0, ccache, in_creds, &creds);
150 	if (ret) {
151 	    if(my_ccache)
152 		krb5_cc_close(context, ccache);
153 	    return ret;
154 	}
155     } else {
156 	creds = in_creds;
157     }
158     if(my_ccache)
159 	krb5_cc_close(context, ccache);
160     ret = krb5_mk_req_extended (context,
161 				auth_context,
162 				ap_req_options,
163 				in_data,
164 				creds,
165 				&ap_req);
166 
167     if (out_creds)
168 	*out_creds = creds;
169     else
170 	krb5_free_creds(context, creds);
171     if(this_client)
172 	krb5_free_principal(context, this_client);
173 
174     if (ret)
175 	return ret;
176 
177     ret = krb5_write_message (context,
178 			      p_fd,
179 			      &ap_req);
180     if (ret)
181 	return ret;
182 
183     krb5_data_free (&ap_req);
184 
185     ret = krb5_read_message (context, p_fd, &error_data);
186     if (ret)
187 	return ret;
188 
189     if (error_data.length != 0) {
190 	KRB_ERROR error;
191 
192 	ret = krb5_rd_error (context, &error_data, &error);
193 	krb5_data_free (&error_data);
194 	if (ret == 0) {
195 	    ret = krb5_error_from_rd_error(context, &error, NULL);
196 	    if (ret_error != NULL) {
197 		*ret_error = malloc (sizeof(krb5_error));
198 		if (*ret_error == NULL) {
199 		    krb5_free_error_contents (context, &error);
200 		} else {
201 		    **ret_error = error;
202 		}
203 	    } else {
204 		krb5_free_error_contents (context, &error);
205 	    }
206 	    return ret;
207 	} else {
208 	    krb5_clear_error_string(context);
209 	    return ret;
210 	}
211     }
212 
213     if (ap_req_options & AP_OPTS_MUTUAL_REQUIRED) {
214 	krb5_data ap_rep;
215 	krb5_ap_rep_enc_part *ignore;
216 
217 	krb5_data_zero (&ap_rep);
218 	ret = krb5_read_message (context,
219 				 p_fd,
220 				 &ap_rep);
221 	if (ret)
222 	    return ret;
223 
224 	ret = krb5_rd_rep (context, *auth_context, &ap_rep,
225 			   rep_result ? rep_result : &ignore);
226 	krb5_data_free (&ap_rep);
227 	if (ret)
228 	    return ret;
229 	if (rep_result == NULL)
230 	    krb5_free_ap_rep_enc_part (context, ignore);
231     }
232     return 0;
233 }
234