xref: /freebsd/crypto/heimdal/lib/krb5/sendauth.c (revision 8ddb146abcdf061be9f2c0db7e391697dafad85c)
1 /*
2  * Copyright (c) 1997 - 2006 Kungliga Tekniska Högskolan
3  * (Royal Institute of Technology, Stockholm, Sweden).
4  * All rights reserved.
5  *
6  * Redistribution and use in source and binary forms, with or without
7  * modification, are permitted provided that the following conditions
8  * are met:
9  *
10  * 1. Redistributions of source code must retain the above copyright
11  *    notice, this list of conditions and the following disclaimer.
12  *
13  * 2. Redistributions in binary form must reproduce the above copyright
14  *    notice, this list of conditions and the following disclaimer in the
15  *    documentation and/or other materials provided with the distribution.
16  *
17  * 3. Neither the name of the Institute nor the names of its contributors
18  *    may be used to endorse or promote products derived from this software
19  *    without specific prior written permission.
20  *
21  * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
22  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24  * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
25  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31  * SUCH DAMAGE.
32  */
33 
34 #include "krb5_locl.h"
35 
36 /*
37  * The format seems to be:
38  * client -> server
39  *
40  * 4 bytes - length
41  * KRB5_SENDAUTH_V1.0 (including zero)
42  * 4 bytes - length
43  * protocol string (with terminating zero)
44  *
45  * server -> client
46  * 1 byte - (0 = OK, else some kind of error)
47  *
48  * client -> server
49  * 4 bytes - length
50  * AP-REQ
51  *
52  * server -> client
53  * 4 bytes - length (0 = OK, else length of error)
54  * (error)
55  *
56  * if(mutual) {
57  * server -> client
58  * 4 bytes - length
59  * AP-REP
60  * }
61  */
62 
63 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
64 krb5_sendauth(krb5_context context,
65 	      krb5_auth_context *auth_context,
66 	      krb5_pointer p_fd,
67 	      const char *appl_version,
68 	      krb5_principal client,
69 	      krb5_principal server,
70 	      krb5_flags ap_req_options,
71 	      krb5_data *in_data,
72 	      krb5_creds *in_creds,
73 	      krb5_ccache ccache,
74 	      krb5_error **ret_error,
75 	      krb5_ap_rep_enc_part **rep_result,
76 	      krb5_creds **out_creds)
77 {
78     krb5_error_code ret;
79     uint32_t len, net_len;
80     const char *version = KRB5_SENDAUTH_VERSION;
81     u_char repl;
82     krb5_data ap_req, error_data;
83     krb5_creds this_cred;
84     krb5_principal this_client = NULL;
85     krb5_creds *creds;
86     ssize_t sret;
87     krb5_boolean my_ccache = FALSE;
88 
89     len = strlen(version) + 1;
90     net_len = htonl(len);
91     if (krb5_net_write (context, p_fd, &net_len, 4) != 4
92 	|| krb5_net_write (context, p_fd, version, len) != len) {
93 	ret = errno;
94 	krb5_set_error_message (context, ret, "write: %s", strerror(ret));
95 	return ret;
96     }
97 
98     len = strlen(appl_version) + 1;
99     net_len = htonl(len);
100     if (krb5_net_write (context, p_fd, &net_len, 4) != 4
101 	|| krb5_net_write (context, p_fd, appl_version, len) != len) {
102 	ret = errno;
103 	krb5_set_error_message (context, ret, "write: %s", strerror(ret));
104 	return ret;
105     }
106 
107     sret = krb5_net_read (context, p_fd, &repl, sizeof(repl));
108     if (sret < 0) {
109 	ret = errno;
110 	krb5_set_error_message (context, ret, "read: %s", strerror(ret));
111 	return ret;
112     } else if (sret != sizeof(repl)) {
113 	krb5_clear_error_message (context);
114 	return KRB5_SENDAUTH_BADRESPONSE;
115     }
116 
117     if (repl != 0) {
118 	krb5_clear_error_message (context);
119 	return KRB5_SENDAUTH_REJECTED;
120     }
121 
122     if (in_creds == NULL) {
123 	if (ccache == NULL) {
124 	    ret = krb5_cc_default (context, &ccache);
125 	    if (ret)
126 		return ret;
127 	    my_ccache = TRUE;
128 	}
129 
130 	if (client == NULL) {
131 	    ret = krb5_cc_get_principal (context, ccache, &this_client);
132 	    if (ret) {
133 		if(my_ccache)
134 		    krb5_cc_close(context, ccache);
135 		return ret;
136 	    }
137 	    client = this_client;
138 	}
139 	memset(&this_cred, 0, sizeof(this_cred));
140 	this_cred.client = client;
141 	this_cred.server = server;
142 	this_cred.times.endtime = 0;
143 	this_cred.ticket.length = 0;
144 	in_creds = &this_cred;
145     }
146     if (in_creds->ticket.length == 0) {
147 	ret = krb5_get_credentials (context, 0, ccache, in_creds, &creds);
148 	if (ret) {
149 	    if(my_ccache)
150 		krb5_cc_close(context, ccache);
151 	    return ret;
152 	}
153     } else {
154 	creds = in_creds;
155     }
156     if(my_ccache)
157 	krb5_cc_close(context, ccache);
158     ret = krb5_mk_req_extended (context,
159 				auth_context,
160 				ap_req_options,
161 				in_data,
162 				creds,
163 				&ap_req);
164 
165     if (out_creds)
166 	*out_creds = creds;
167     else
168 	krb5_free_creds(context, creds);
169     if(this_client)
170 	krb5_free_principal(context, this_client);
171 
172     if (ret)
173 	return ret;
174 
175     ret = krb5_write_message (context,
176 			      p_fd,
177 			      &ap_req);
178     if (ret)
179 	return ret;
180 
181     krb5_data_free (&ap_req);
182 
183     ret = krb5_read_message (context, p_fd, &error_data);
184     if (ret)
185 	return ret;
186 
187     if (error_data.length != 0) {
188 	KRB_ERROR error;
189 
190 	ret = krb5_rd_error (context, &error_data, &error);
191 	krb5_data_free (&error_data);
192 	if (ret == 0) {
193 	    ret = krb5_error_from_rd_error(context, &error, NULL);
194 	    if (ret_error != NULL) {
195 		*ret_error = malloc (sizeof(krb5_error));
196 		if (*ret_error == NULL) {
197 		    krb5_free_error_contents (context, &error);
198 		} else {
199 		    **ret_error = error;
200 		}
201 	    } else {
202 		krb5_free_error_contents (context, &error);
203 	    }
204 	    return ret;
205 	} else {
206 	    krb5_clear_error_message(context);
207 	    return ret;
208 	}
209     } else
210 	krb5_data_free (&error_data);
211 
212     if (ap_req_options & AP_OPTS_MUTUAL_REQUIRED) {
213 	krb5_data ap_rep;
214 	krb5_ap_rep_enc_part *ignore = NULL;
215 
216 	krb5_data_zero (&ap_rep);
217 	ret = krb5_read_message (context,
218 				 p_fd,
219 				 &ap_rep);
220 	if (ret)
221 	    return ret;
222 
223 	ret = krb5_rd_rep (context, *auth_context, &ap_rep,
224 			   rep_result ? rep_result : &ignore);
225 	krb5_data_free (&ap_rep);
226 	if (ret)
227 	    return ret;
228 	if (rep_result == NULL)
229 	    krb5_free_ap_rep_enc_part (context, ignore);
230     }
231     return 0;
232 }
233