1/*
2 * Copyright (c) 1997 - 2006 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
4 * All rights reserved.
5 *
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
8 * are met:
9 *
10 * 1. Redistributions of source code must retain the above copyright
11 *    notice, this list of conditions and the following disclaimer.
12 *
13 * 2. Redistributions in binary form must reproduce the above copyright
14 *    notice, this list of conditions and the following disclaimer in the
15 *    documentation and/or other materials provided with the distribution.
16 *
17 * 3. Neither the name of the Institute nor the names of its contributors
18 *    may be used to endorse or promote products derived from this software
19 *    without specific prior written permission.
20 *
21 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31 * SUCH DAMAGE.
32 */
33
34#include "krb5_locl.h"
35
36/*
37 * The format seems to be:
38 * client -> server
39 *
40 * 4 bytes - length
41 * KRB5_SENDAUTH_V1.0 (including zero)
42 * 4 bytes - length
43 * protocol string (with terminating zero)
44 *
45 * server -> client
46 * 1 byte - (0 = OK, else some kind of error)
47 *
48 * client -> server
49 * 4 bytes - length
50 * AP-REQ
51 *
52 * server -> client
53 * 4 bytes - length (0 = OK, else length of error)
54 * (error)
55 *
56 * if(mutual) {
57 * server -> client
58 * 4 bytes - length
59 * AP-REP
60 * }
61 */
62
63KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
64krb5_sendauth(krb5_context context,
65	      krb5_auth_context *auth_context,
66	      krb5_pointer p_fd,
67	      const char *appl_version,
68	      krb5_principal client,
69	      krb5_principal server,
70	      krb5_flags ap_req_options,
71	      krb5_data *in_data,
72	      krb5_creds *in_creds,
73	      krb5_ccache ccache,
74	      krb5_error **ret_error,
75	      krb5_ap_rep_enc_part **rep_result,
76	      krb5_creds **out_creds)
77{
78    krb5_error_code ret;
79    uint32_t net_len;
80    ssize_t len;
81    const char *version = KRB5_SENDAUTH_VERSION;
82    u_char repl;
83    krb5_data ap_req, error_data;
84    krb5_creds this_cred;
85    krb5_principal this_client = NULL;
86    krb5_creds *creds;
87    ssize_t sret;
88    krb5_boolean my_ccache = FALSE;
89
90    len = strlen(version) + 1;
91    net_len = htonl(len);
92    if (krb5_net_write (context, p_fd, &net_len, 4) != 4
93	|| krb5_net_write (context, p_fd, version, len) != len) {
94	ret = errno;
95	krb5_set_error_message (context, ret, "write: %s", strerror(ret));
96	return ret;
97    }
98
99    len = strlen(appl_version) + 1;
100    net_len = htonl(len);
101    if (krb5_net_write (context, p_fd, &net_len, 4) != 4
102	|| krb5_net_write (context, p_fd, appl_version, len) != len) {
103	ret = errno;
104	krb5_set_error_message (context, ret, "write: %s", strerror(ret));
105	return ret;
106    }
107
108    sret = krb5_net_read (context, p_fd, &repl, sizeof(repl));
109    if (sret < 0) {
110	ret = errno;
111	krb5_set_error_message (context, ret, "read: %s", strerror(ret));
112	return ret;
113    } else if (sret != sizeof(repl)) {
114	krb5_clear_error_message (context);
115	return KRB5_SENDAUTH_BADRESPONSE;
116    }
117
118    if (repl != 0) {
119	krb5_clear_error_message (context);
120	return KRB5_SENDAUTH_REJECTED;
121    }
122
123    if (in_creds == NULL) {
124	if (ccache == NULL) {
125	    ret = krb5_cc_default (context, &ccache);
126	    if (ret)
127		return ret;
128	    my_ccache = TRUE;
129	}
130
131	if (client == NULL) {
132	    ret = krb5_cc_get_principal (context, ccache, &this_client);
133	    if (ret) {
134		if(my_ccache)
135		    krb5_cc_close(context, ccache);
136		return ret;
137	    }
138	    client = this_client;
139	}
140	memset(&this_cred, 0, sizeof(this_cred));
141	this_cred.client = client;
142	this_cred.server = server;
143	this_cred.times.endtime = 0;
144	this_cred.ticket.length = 0;
145	in_creds = &this_cred;
146    }
147    if (in_creds->ticket.length == 0) {
148	ret = krb5_get_credentials (context, 0, ccache, in_creds, &creds);
149	if (ret) {
150	    if(my_ccache)
151		krb5_cc_close(context, ccache);
152	    return ret;
153	}
154    } else {
155	creds = in_creds;
156    }
157    if(my_ccache)
158	krb5_cc_close(context, ccache);
159    ret = krb5_mk_req_extended (context,
160				auth_context,
161				ap_req_options,
162				in_data,
163				creds,
164				&ap_req);
165
166    if (out_creds)
167	*out_creds = creds;
168    else
169	krb5_free_creds(context, creds);
170    if(this_client)
171	krb5_free_principal(context, this_client);
172
173    if (ret)
174	return ret;
175
176    ret = krb5_write_message (context,
177			      p_fd,
178			      &ap_req);
179    if (ret) {
180	krb5_set_error_message(context, ret, "krb5_sendauth: server closed connection");
181	return ret;
182    }
183
184    krb5_data_free (&ap_req);
185
186    ret = krb5_read_message (context, p_fd, &error_data);
187    if (ret) {
188	krb5_set_error_message(context, ret, "krb5_sendauth: server closed connection");
189	return ret;
190    }
191
192    if (error_data.length != 0) {
193	KRB_ERROR error;
194
195	ret = krb5_rd_error (context, &error_data, &error);
196	krb5_data_free (&error_data);
197	if (ret == 0) {
198	    ret = krb5_error_from_rd_error(context, &error, NULL);
199	    if (ret_error != NULL) {
200		*ret_error = malloc (sizeof(krb5_error));
201		if (*ret_error == NULL) {
202		    krb5_free_error_contents (context, &error);
203		} else {
204		    **ret_error = error;
205		}
206	    } else {
207		krb5_free_error_contents (context, &error);
208	    }
209	    return ret;
210	} else {
211	    krb5_clear_error_message(context);
212	    return ret;
213	}
214    } else
215	krb5_data_free (&error_data);
216
217    if (ap_req_options & AP_OPTS_MUTUAL_REQUIRED) {
218	krb5_data ap_rep;
219	krb5_ap_rep_enc_part *ignore = NULL;
220
221	krb5_data_zero (&ap_rep);
222	ret = krb5_read_message (context,
223				 p_fd,
224				 &ap_rep);
225	if (ret) {
226	    krb5_set_error_message(context, ret, "krb5_sendauth: server closed connection");
227	    return ret;
228	}
229
230	ret = krb5_rd_rep (context, *auth_context, &ap_rep,
231			   rep_result ? rep_result : &ignore);
232	krb5_data_free (&ap_rep);
233	if (ret)
234	    return ret;
235	if (rep_result == NULL)
236	    krb5_free_ap_rep_enc_part (context, ignore);
237    }
238    return 0;
239}
240