xref: /netbsd-src/crypto/external/bsd/heimdal/dist/lib/krb5/recvauth.c (revision d3273b5b76f5afaafe308cead5511dbb8df8c5e9) 
1 /*	$NetBSD: recvauth.c,v 1.2 2017/01/28 21:31:49 christos Exp $	*/
2 
3 /*
4  * Copyright (c) 1997-2007 Kungliga Tekniska Högskolan
5  * (Royal Institute of Technology, Stockholm, Sweden).
6  * All rights reserved.
7  *
8  * Redistribution and use in source and binary forms, with or without
9  * modification, are permitted provided that the following conditions
10  * are met:
11  *
12  * 1. Redistributions of source code must retain the above copyright
13  *    notice, this list of conditions and the following disclaimer.
14  *
15  * 2. Redistributions in binary form must reproduce the above copyright
16  *    notice, this list of conditions and the following disclaimer in the
17  *    documentation and/or other materials provided with the distribution.
18  *
19  * 3. Neither the name of the Institute nor the names of its contributors
20  *    may be used to endorse or promote products derived from this software
21  *    without specific prior written permission.
22  *
23  * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
24  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
25  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
26  * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
27  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
28  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
29  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
30  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
31  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
32  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
33  * SUCH DAMAGE.
34  */
35 
36 #include "krb5_locl.h"
37 
38 /*
39  * See `sendauth.c' for the format.
40  */
41 
42 static krb5_boolean
match_exact(const void * data,const char * appl_version)43 match_exact(const void *data, const char *appl_version)
44 {
45     return strcmp(data, appl_version) == 0;
46 }
47 
48 /**
49  * Perform the server side of the sendauth protocol.
50  *
51  * @param context       Kerberos 5 context.
52  * @param auth_context  authentication context of the peer.
53  * @param p_fd          socket associated to the connection.
54  * @param appl_version  server-specific string.
55  * @param server        server principal.
56  * @param flags         if KRB5_RECVAUTH_IGNORE_VERSION is set, skip the sendauth version
57  *                      part of the protocol.
58  * @param keytab        server keytab.
59  * @param ticket        on success, set to the authenticated client credentials.
60  *                      Must be deallocated with krb5_free_ticket(). If not
61  *                      interested, pass a NULL value.
62  *
63  * @return 0 to indicate success. Otherwise a Kerberos error code is
64  *         returned, see krb5_get_error_message().
65  */
66 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_recvauth(krb5_context context,krb5_auth_context * auth_context,krb5_pointer p_fd,const char * appl_version,krb5_principal server,int32_t flags,krb5_keytab keytab,krb5_ticket ** ticket)67 krb5_recvauth(krb5_context context,
68 	      krb5_auth_context *auth_context,
69 	      krb5_pointer p_fd,
70 	      const char *appl_version,
71 	      krb5_principal server,
72 	      int32_t flags,
73 	      krb5_keytab keytab,
74 	      krb5_ticket **ticket)
75 {
76     return krb5_recvauth_match_version(context, auth_context, p_fd,
77 				       match_exact, appl_version,
78 				       server, flags,
79 				       keytab, ticket);
80 }
81 
82 /**
83  * Perform the server side of the sendauth protocol like krb5_recvauth(), but support
84  * a user-specified callback, \a match_appl_version, to perform the match of the application
85  * version \a match_data.
86  */
87 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_recvauth_match_version(krb5_context context,krb5_auth_context * auth_context,krb5_pointer p_fd,krb5_boolean (* match_appl_version)(const void *,const char *),const void * match_data,krb5_principal server,int32_t flags,krb5_keytab keytab,krb5_ticket ** ticket)88 krb5_recvauth_match_version(krb5_context context,
89 			    krb5_auth_context *auth_context,
90 			    krb5_pointer p_fd,
91 			    krb5_boolean (*match_appl_version)(const void *,
92 							       const char*),
93 			    const void *match_data,
94 			    krb5_principal server,
95 			    int32_t flags,
96 			    krb5_keytab keytab,
97 			    krb5_ticket **ticket)
98 {
99     krb5_error_code ret;
100     const char *version = KRB5_SENDAUTH_VERSION;
101     char her_version[sizeof(KRB5_SENDAUTH_VERSION)];
102     char *her_appl_version;
103     uint32_t len;
104     u_char repl;
105     krb5_data data;
106     krb5_flags ap_options;
107     ssize_t n;
108 
109     /*
110      * If there are no addresses in auth_context, get them from `fd'.
111      */
112 
113     if (*auth_context == NULL) {
114 	ret = krb5_auth_con_init (context, auth_context);
115 	if (ret)
116 	    return ret;
117     }
118 
119     ret = krb5_auth_con_setaddrs_from_fd (context,
120 					  *auth_context,
121 					  p_fd);
122     if (ret)
123 	return ret;
124 
125     /*
126      * Expect SENDAUTH protocol version.
127      */
128     if(!(flags & KRB5_RECVAUTH_IGNORE_VERSION)) {
129 	n = krb5_net_read (context, p_fd, &len, 4);
130 	if (n < 0) {
131 	    ret = errno ? errno : EINVAL;
132 	    krb5_set_error_message(context, ret, "read: %s", strerror(ret));
133 	    return ret;
134 	}
135 	if (n == 0) {
136 	    krb5_set_error_message(context, KRB5_SENDAUTH_BADAUTHVERS,
137 				   N_("Failed to receive sendauth data", ""));
138 	    return KRB5_SENDAUTH_BADAUTHVERS;
139 	}
140 	len = ntohl(len);
141 	if (len != sizeof(her_version)
142 	    || krb5_net_read (context, p_fd, her_version, len) != len
143 	    || strncmp (version, her_version, len)) {
144 	    repl = 1;
145 	    krb5_net_write (context, p_fd, &repl, 1);
146 	    krb5_clear_error_message (context);
147 	    return KRB5_SENDAUTH_BADAUTHVERS;
148 	}
149     }
150 
151     /*
152      * Expect application protocol version.
153      */
154     n = krb5_net_read (context, p_fd, &len, 4);
155     if (n < 0) {
156 	ret = errno ? errno : EINVAL;
157 	krb5_set_error_message(context, ret, "read: %s", strerror(ret));
158 	return ret;
159     }
160     if (n == 0) {
161 	krb5_clear_error_message (context);
162 	return KRB5_SENDAUTH_BADAPPLVERS;
163     }
164     len = ntohl(len);
165     her_appl_version = malloc (len);
166     if (her_appl_version == NULL) {
167 	repl = 2;
168 	krb5_net_write (context, p_fd, &repl, 1);
169 	return krb5_enomem(context);
170     }
171     if (krb5_net_read (context, p_fd, her_appl_version, len) != len
172 	|| !(*match_appl_version)(match_data, her_appl_version)) {
173 	repl = 2;
174 	krb5_net_write (context, p_fd, &repl, 1);
175 	krb5_set_error_message(context, KRB5_SENDAUTH_BADAPPLVERS,
176 			       N_("wrong sendauth application version (%s)", ""),
177 			       her_appl_version);
178 	free (her_appl_version);
179 	return KRB5_SENDAUTH_BADAPPLVERS;
180     }
181     free (her_appl_version);
182 
183     /*
184      * Send OK.
185      */
186     repl = 0;
187     if (krb5_net_write (context, p_fd, &repl, 1) != 1) {
188 	ret = errno ? errno : EINVAL;
189 	krb5_set_error_message(context, ret, "write: %s", strerror(ret));
190 	return ret;
191     }
192 
193     /*
194      * Until here, the fields in the message were in cleartext and unauthenticated.
195      * From now on, Kerberos kicks in.
196      */
197 
198     /*
199      * Expect AP_REQ.
200      */
201     krb5_data_zero (&data);
202     ret = krb5_read_message (context, p_fd, &data);
203     if (ret)
204 	return ret;
205 
206     ret = krb5_rd_req (context,
207 		       auth_context,
208 		       &data,
209 		       server,
210 		       keytab,
211 		       &ap_options,
212 		       ticket);
213     krb5_data_free (&data);
214     if (ret) {
215 	krb5_data error_data;
216 	krb5_error_code ret2;
217 
218 	ret2 = krb5_mk_error (context,
219 			      ret,
220 			      NULL,
221 			      NULL,
222 			      NULL,
223 			      server,
224 			      NULL,
225 			      NULL,
226 			      &error_data);
227 	if (ret2 == 0) {
228 	    krb5_write_message (context, p_fd, &error_data);
229 	    krb5_data_free (&error_data);
230 	}
231 	return ret;
232     }
233 
234     /*
235      * Send OK.
236      */
237     len = 0;
238     if (krb5_net_write (context, p_fd, &len, 4) != 4) {
239 	ret = errno ? errno : EINVAL;
240 	krb5_set_error_message(context, ret, "write: %s", strerror(ret));
241 	krb5_free_ticket(context, *ticket);
242 	*ticket = NULL;
243 	return ret;
244     }
245 
246     /*
247      * If client requires mutual authentication, send AP_REP.
248      */
249     if (ap_options & AP_OPTS_MUTUAL_REQUIRED) {
250 	ret = krb5_mk_rep (context, *auth_context, &data);
251 	if (ret) {
252 	    krb5_free_ticket(context, *ticket);
253 	    *ticket = NULL;
254 	    return ret;
255 	}
256 
257 	ret = krb5_write_message (context, p_fd, &data);
258 	if (ret) {
259 	    krb5_free_ticket(context, *ticket);
260 	    *ticket = NULL;
261 	    return ret;
262 	}
263 	krb5_data_free (&data);
264     }
265     return 0;
266 }
267