sendauth.c revision 781:57319a72b15f 
1/*
2 * Copyright 2005 Sun Microsystems, Inc.  All rights reserved.
3 * Use is subject to license terms.
4 */
5
6#pragma ident	"%Z%%M%	%I%	%E% SMI"
7
8/*
9 * lib/krb5/krb/sendauth.c
10 *
11 * Copyright 1991 by the Massachusetts Institute of Technology.
12 * All Rights Reserved.
13 *
14 * Export of this software from the United States of America may
15 *   require a specific license from the United States Government.
16 *   It is the responsibility of any person or organization contemplating
17 *   export to obtain such a license before exporting.
18 *
19 * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
20 * distribute this software and its documentation for any purpose and
21 * without fee is hereby granted, provided that the above copyright
22 * notice appear in all copies and that both that copyright notice and
23 * this permission notice appear in supporting documentation, and that
24 * the name of M.I.T. not be used in advertising or publicity pertaining
25 * to distribution of the software without specific, written prior
26 * permission.  Furthermore if you modify this software you must label
27 * your software as modified software and not distribute it in such a
28 * fashion that it might be confused with the original M.I.T. software.
29 * M.I.T. makes no representations about the suitability of
30 * this software for any purpose.  It is provided "as is" without express
31 * or implied warranty.
32 *
33 *
34 * convenience sendauth/recvauth functions
35 */
36
37#define NEED_SOCKETS
38
39#include <k5-int.h>
40#include <com_err.h>
41#include <auth_con.h>
42#include <errno.h>
43#include <stdio.h>
44#include <string.h>
45
46static const char sendauth_version[] = "KRB5_SENDAUTH_V1.0";
47
48krb5_error_code KRB5_CALLCONV
49krb5_sendauth(krb5_context context, krb5_auth_context *auth_context, krb5_pointer fd, char *appl_version, krb5_principal client, krb5_principal server, krb5_flags ap_req_options, krb5_data *in_data, krb5_creds *in_creds, krb5_ccache ccache, krb5_error **error, krb5_ap_rep_enc_part **rep_result, krb5_creds **out_creds)
50{
51	krb5_octet		result;
52	krb5_creds 		creds;
53	krb5_creds		* credsp = NULL;
54	krb5_creds		* credspout = NULL;
55	krb5_error_code		retval = 0;
56	krb5_data		inbuf, outbuf;
57	int			len;
58	krb5_ccache		use_ccache = 0;
59
60	if (error)
61	    *error = 0;
62
63	/*
64	 * First, send over the length of the sendauth version string;
65	 * then, we send over the sendauth version.  Next, we send
66	 * over the length of the application version strings followed
67	 * by the string itself.
68	 */
69	outbuf.length = strlen(sendauth_version) + 1;
70	outbuf.data = (char *) sendauth_version;
71	if ((retval = krb5_write_message(context, fd, &outbuf)))
72		return(retval);
73	outbuf.length = strlen(appl_version) + 1;
74	outbuf.data = appl_version;
75	if ((retval = krb5_write_message(context, fd, &outbuf)))
76		return(retval);
77	/*
78	 * Now, read back a byte: 0 means no error, 1 means bad sendauth
79	 * version, 2 means bad application version
80	 */
81    if ((len = krb5_net_read(context, *((int *) fd), (char *)&result, 1)) != 1)
82	return((len < 0) ? errno : ECONNABORTED);
83    if (result == 1)
84	return(KRB5_SENDAUTH_BADAUTHVERS);
85    else if (result == 2)
86	return(KRB5_SENDAUTH_BADAPPLVERS);
87    else if (result != 0)
88	return(KRB5_SENDAUTH_BADRESPONSE);
89	/*
90	 * We're finished with the initial negotiations; let's get and
91	 * send over the authentication header.  (The AP_REQ message)
92	 */
93
94	/*
95	 * If no credentials were provided, try getting it from the
96	 * credentials cache.
97	 */
98	memset((char *)&creds, 0, sizeof(creds));
99
100	/*
101	 * See if we need to access the credentials cache
102	 */
103	if (!in_creds || !in_creds->ticket.length) {
104		if (ccache)
105			use_ccache = ccache;
106		else if ((retval = krb5int_cc_default(context, &use_ccache)) != 0)
107			goto error_return;
108	}
109	if (!in_creds) {
110		if ((retval = krb5_copy_principal(context, server,
111						  &creds.server)))
112			goto error_return;
113		if (client)
114			retval = krb5_copy_principal(context, client,
115						     &creds.client);
116		else
117			retval = krb5_cc_get_principal(context, use_ccache,
118						       &creds.client);
119		if (retval) {
120			krb5_free_principal(context, creds.server);
121			goto error_return;
122		}
123		/* creds.times.endtime = 0; -- memset 0 takes care of this
124					zero means "as long as possible" */
125		/* creds.keyblock.enctype = 0; -- as well as this.
126					zero means no session enctype
127					preference */
128		in_creds = &creds;
129	}
130	if (!in_creds->ticket.length) {
131	    if ((retval = krb5_get_credentials(context, 0,
132					       use_ccache, in_creds, &credsp)) != 0)
133		    goto error_return;
134	    credspout = credsp;
135	} else {
136	    credsp = in_creds;
137	}
138
139	if (ap_req_options & AP_OPTS_USE_SUBKEY) {
140	    /* Provide some more fodder for random number code.
141	       This isn't strong cryptographically; the point here is
142	       not to guarantee randomness, but to make it less likely
143	       that multiple sessions could pick the same subkey.  */
144	    char rnd_data[1024];
145	    size_t len;
146	    krb5_data d;
147	    d.length = sizeof (rnd_data);
148	    d.data = rnd_data;
149	    len = sizeof (rnd_data);
150	    if (getpeername (*(int*)fd, (struct sockaddr *) rnd_data, &len) == 0) {
151		d.length = len;
152		(void) krb5_c_random_seed (context, &d);
153	    }
154	    len = sizeof (rnd_data);
155	    if (getsockname (*(int*)fd, (struct sockaddr *) rnd_data, &len) == 0) {
156		d.length = len;
157		(void) krb5_c_random_seed (context, &d);
158	    }
159	}
160
161	if ((retval = krb5_mk_req_extended(context, auth_context,
162					   ap_req_options, in_data, credsp,
163					   &outbuf)) != 0)
164	    goto error_return;
165
166	/*
167	 * First write the length of the AP_REQ message, then write
168	 * the message itself.
169	 */
170	retval = krb5_write_message(context, fd, &outbuf);
171	free(outbuf.data);
172	if (retval)
173	    goto error_return;
174
175	/*
176	 * Now, read back a message.  If it was a null message (the
177	 * length was zero) then there was no error.  If not, we the
178	 * authentication was rejected, and we need to return the
179	 * error structure.
180	 */
181	if ((retval = krb5_read_message(context, fd, &inbuf)) != 0)
182	    goto error_return;
183
184	if (inbuf.length) {
185		if (error) {
186		    if ((retval = krb5_rd_error(context, &inbuf, error)) != 0) {
187			krb5_xfree(inbuf.data);
188			goto error_return;
189		    }
190		}
191		retval = KRB5_SENDAUTH_REJECTED;
192		krb5_xfree(inbuf.data);
193		goto error_return;
194	}
195
196	/*
197	 * If we asked for mutual authentication, we should now get a
198	 * length field, followed by a AP_REP message
199	 */
200	if ((ap_req_options & AP_OPTS_MUTUAL_REQUIRED)) {
201	    krb5_ap_rep_enc_part	*repl = 0;
202
203	    if ((retval = krb5_read_message(context, fd, &inbuf)) != 0)
204		goto error_return;
205
206	    if ((retval = krb5_rd_rep(context, *auth_context, &inbuf,
207				      &repl)) != 0) {
208		if (repl)
209		    krb5_free_ap_rep_enc_part(context, repl);
210	        krb5_xfree(inbuf.data);
211		goto error_return;
212	    }
213
214	    krb5_xfree(inbuf.data);
215	    /*
216	     * If the user wants to look at the AP_REP message,
217	     * copy it for him
218	     */
219	    if (rep_result)
220		*rep_result = repl;
221	    else
222		krb5_free_ap_rep_enc_part(context, repl);
223	}
224	retval = 0;		/* Normal return */
225	if (out_creds) {
226	    *out_creds = credsp;
227	    credspout = NULL;
228	}
229
230error_return:
231    krb5_free_cred_contents(context, &creds);
232    if (credspout != NULL)
233	krb5_free_creds(context, credspout);
234    if (!ccache && use_ccache)
235	(void) krb5_cc_close(context, use_ccache);
236    return(retval);
237}
238