krb5/krb/sendauth.c

2N/A/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
2N/A/*
2N/A * lib/krb5/krb/sendauth.c
2N/A *
2N/A * Copyright 1991, 2009 by the Massachusetts Institute of Technology.
2N/A * All Rights Reserved.
2N/A *
2N/A * Export of this software from the United States of America may
2N/A *   require a specific license from the United States Government.
2N/A *   It is the responsibility of any person or organization contemplating
2N/A *   export to obtain such a license before exporting.
2N/A *
2N/A * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
2N/A * distribute this software and its documentation for any purpose and
2N/A * without fee is hereby granted, provided that the above copyright
2N/A * notice appear in all copies and that both that copyright notice and
2N/A * this permission notice appear in supporting documentation, and that
2N/A * the name of M.I.T. not be used in advertising or publicity pertaining
2N/A * to distribution of the software without specific, written prior
2N/A * permission.  Furthermore if you modify this software you must label
2N/A * your software as modified software and not distribute it in such a
2N/A * fashion that it might be confused with the original M.I.T. software.
2N/A * M.I.T. makes no representations about the suitability of
2N/A * this software for any purpose.  It is provided "as is" without express
2N/A * or implied warranty.
2N/A */
2N/A/*
2N/A * Copyright (c) 2002, 2011, Oracle and/or its affiliates. All rights reserved.
2N/A */
2N/A/*
2N/A * convenience sendauth/recvauth functions
2N/A */
2N/A
2N/A
2N/A#include "k5-int.h"
2N/A#include "com_err.h"
2N/A#include "auth_con.h"
2N/A#include <errno.h>
2N/A#include <stdio.h>
2N/A#include <string.h>
2N/A
2N/A/* Solaris Kerberos */
2N/A#include "kerberos_dtrace.h"
2N/A
2N/Astatic const char sendauth_version[] = "KRB5_SENDAUTH_V1.0";
2N/A
2N/Akrb5_error_code KRB5_CALLCONV
2N/Akrb5_sendauth(krb5_context context, krb5_auth_context *auth_context,
2N/A              krb5_pointer fd, char *appl_version, krb5_principal client,
2N/A              krb5_principal server, krb5_flags ap_req_options,
2N/A              krb5_data *in_data, krb5_creds *in_creds, krb5_ccache ccache,
2N/A              krb5_error **error, krb5_ap_rep_enc_part **rep_result,
2N/A              krb5_creds **out_creds)
2N/A{
2N/A    krb5_octet          result;
2N/A    krb5_creds          creds;
2N/A    krb5_creds           * credsp = NULL;
2N/A    krb5_creds           * credspout = NULL;
2N/A    krb5_error_code     retval = 0;
2N/A    krb5_data           inbuf, outbuf[2];
2N/A    int                 len;
2N/A    krb5_ccache         use_ccache = 0;
2N/A
2N/A    if (error)
2N/A        *error = 0;
2N/A
2N/A    /*
2N/A     * First, send over the length of the sendauth version string;
2N/A     * then, we send over the sendauth version.  Next, we send
2N/A     * over the length of the application version strings followed
2N/A     * by the string itself.
2N/A     */
2N/A    outbuf[0].length = strlen(sendauth_version) + 1;
2N/A    outbuf[0].data = (char *) sendauth_version;
2N/A    outbuf[1].length = strlen(appl_version) + 1;
2N/A    outbuf[1].data = appl_version;
2N/A    if ((retval = krb5int_write_messages(context, fd, outbuf, 2)))
2N/A        return(retval);
2N/A    /*
2N/A     * Now, read back a byte: 0 means no error, 1 means bad sendauth
2N/A     * version, 2 means bad application version
2N/A     */
2N/A    if ((len = krb5_net_read(context, *((int *) fd), (char *)&result, 1)) != 1)
2N/A        return((len < 0) ? errno : ECONNABORTED);
2N/A    if (result == 1)
2N/A        return(KRB5_SENDAUTH_BADAUTHVERS);
2N/A    else if (result == 2)
2N/A        return(KRB5_SENDAUTH_BADAPPLVERS);
2N/A    else if (result != 0)
2N/A        return(KRB5_SENDAUTH_BADRESPONSE);
2N/A    /*
2N/A     * We're finished with the initial negotiations; let's get and
2N/A     * send over the authentication header.  (The AP_REQ message)
2N/A     */
2N/A
2N/A    /*
2N/A     * If no credentials were provided, try getting it from the
2N/A     * credentials cache.
2N/A     */
2N/A    memset(&creds, 0, sizeof(creds));
2N/A
2N/A    /*
2N/A     * See if we need to access the credentials cache
2N/A     */
2N/A    if (!in_creds || !in_creds->ticket.length) {
2N/A        if (ccache)
2N/A            use_ccache = ccache;
2N/A        else if ((retval = krb5int_cc_default(context, &use_ccache)))
2N/A            goto error_return;
2N/A    }
2N/A    if (!in_creds) {
2N/A        if ((retval = krb5_copy_principal(context, server,
2N/A                                          &creds.server)))
2N/A            goto error_return;
2N/A        if (client)
2N/A            retval = krb5_copy_principal(context, client,
2N/A                                         &creds.client);
2N/A        else
2N/A            retval = krb5_cc_get_principal(context, use_ccache,
2N/A                                           &creds.client);
2N/A        if (retval) {
2N/A            krb5_free_principal(context, creds.server);
2N/A            goto error_return;
2N/A        }
2N/A        /* creds.times.endtime = 0; -- memset 0 takes care of this
2N/A           zero means "as long as possible" */
2N/A        /* creds.keyblock.enctype = 0; -- as well as this.
2N/A           zero means no session enctype
2N/A           preference */
2N/A        in_creds = &creds;
2N/A    }
2N/A    if (!in_creds->ticket.length) {
2N/A        if ((retval = krb5_get_credentials(context, 0,
2N/A                                           use_ccache, in_creds, &credsp)))
2N/A            goto error_return;
2N/A        credspout = credsp;
2N/A    } else {
2N/A        credsp = in_creds;
2N/A    }
2N/A
2N/A    if (ap_req_options & AP_OPTS_USE_SUBKEY) {
2N/A        /* Provide some more fodder for random number code.
2N/A           This isn't strong cryptographically; the point here is
2N/A           not to guarantee randomness, but to make it less likely
2N/A           that multiple sessions could pick the same subkey.  */
2N/A        char rnd_data[1024];
2N/A        GETPEERNAME_ARG3_TYPE len2;
2N/A        krb5_data d;
2N/A        d.length = sizeof (rnd_data);
2N/A        d.data = rnd_data;
2N/A        len2 = sizeof (rnd_data);
2N/A        if (getpeername (*(int*)fd, (GETPEERNAME_ARG2_TYPE *) rnd_data,
2N/A                         &len2) == 0) {
2N/A            d.length = len2;
2N/A            /* Solaris Kerberos: don't need to add entropy  */
2N/A            (void) krb5_c_random_seed (context, &d);
2N/A        }
2N/A        len2 = sizeof (rnd_data);
2N/A        if (getsockname (*(int*)fd, (GETSOCKNAME_ARG2_TYPE *) rnd_data,
2N/A                         &len2) == 0) {
2N/A            d.length = len2;
2N/A            /* Solaris Kerberos: don't need to add entropy  */
2N/A            (void) krb5_c_random_seed (context, &d);
2N/A        }
2N/A    }
2N/A
2N/A    outbuf[0].data = NULL;      /* Coverity is confused otherwise */
2N/A    if ((retval = krb5_mk_req_extended(context, auth_context,
2N/A                                       ap_req_options, in_data, credsp,
2N/A                                       &outbuf[0])))
2N/A        goto error_return;
2N/A
2N/A    /*
2N/A     * First write the length of the AP_REQ message, then write
2N/A     * the message itself.
2N/A     */
2N/A    retval = krb5_write_message(context, fd, &outbuf[0]);
2N/A    /* Solaris Kerberos dtrace support */
2N/A    if (retval == 0)
2N/A        k5_trace_message_send(*((int *)fd), outbuf[0].data, outbuf[0].length);
2N/A    free(outbuf[0].data);
2N/A    if (retval)
2N/A        goto error_return;
2N/A
2N/A    /*
2N/A     * Now, read back a message.  If it was a null message (the
2N/A     * length was zero) then there was no error.  If not, we the
2N/A     * authentication was rejected, and we need to return the
2N/A     * error structure.
2N/A     */
2N/A    if ((retval = krb5_read_message(context, fd, &inbuf)))
2N/A        goto error_return;
2N/A
2N/A    if (inbuf.length) {
2N/A        /* Solaris Kerberos */
2N/A        k5_trace_message_recv(*((int *)fd), inbuf.data, inbuf.length);
2N/A        if (error) {
2N/A            if ((retval = krb5_rd_error(context, &inbuf, error))) {
2N/A                free(inbuf.data);
2N/A                goto error_return;
2N/A            }
2N/A        }
2N/A        retval = KRB5_SENDAUTH_REJECTED;
2N/A        free(inbuf.data);
2N/A        goto error_return;
2N/A    }
2N/A
2N/A    /*
2N/A     * If we asked for mutual authentication, we should now get a
2N/A     * length field, followed by a AP_REP message
2N/A     */
2N/A    if ((ap_req_options & AP_OPTS_MUTUAL_REQUIRED)) {
2N/A        krb5_ap_rep_enc_part    *repl = 0;
2N/A
2N/A        if ((retval = krb5_read_message(context, fd, &inbuf)))
2N/A            goto error_return;
2N/A
2N/A        /* Solaris Kerberos */
2N/A        k5_trace_message_recv(*((int *)fd), inbuf.data, inbuf.length);
2N/A
2N/A        if ((retval = krb5_rd_rep(context, *auth_context, &inbuf,
2N/A                                  &repl))) {
2N/A            if (repl)
2N/A                krb5_free_ap_rep_enc_part(context, repl);
2N/A            free(inbuf.data);
2N/A            goto error_return;
2N/A        }
2N/A
2N/A        free(inbuf.data);
2N/A        /*
2N/A         * If the user wants to look at the AP_REP message,
2N/A         * copy it for him
2N/A         */
2N/A        if (rep_result)
2N/A            *rep_result = repl;
2N/A        else
2N/A            krb5_free_ap_rep_enc_part(context, repl);
2N/A    }
2N/A    retval = 0;         /* Normal return */
2N/A    if (out_creds) {
2N/A        *out_creds = credsp;
2N/A        credspout = NULL;
2N/A    }
2N/A
2N/Aerror_return:
2N/A    krb5_free_cred_contents(context, &creds);
2N/A    if (credspout != NULL)
2N/A        krb5_free_creds(context, credspout);
2N/A    if (!ccache && use_ccache)
2N/A        krb5_cc_close(context, use_ccache);
2N/A    return(retval);
2N/A}