10Sstevel@tonic-gate /*
2*8711SMark.Phalan@Sun.COM * Copyright 2009 Sun Microsystems, Inc. All rights reserved.
30Sstevel@tonic-gate * Use is subject to license terms.
40Sstevel@tonic-gate */
50Sstevel@tonic-gate
60Sstevel@tonic-gate
70Sstevel@tonic-gate /*
80Sstevel@tonic-gate * lib/krb5/krb/recvauth.c
90Sstevel@tonic-gate *
100Sstevel@tonic-gate * Copyright 1991 by the Massachusetts Institute of Technology.
110Sstevel@tonic-gate * All Rights Reserved.
120Sstevel@tonic-gate *
130Sstevel@tonic-gate * Export of this software from the United States of America may
140Sstevel@tonic-gate * require a specific license from the United States Government.
150Sstevel@tonic-gate * It is the responsibility of any person or organization contemplating
160Sstevel@tonic-gate * export to obtain such a license before exporting.
177934SMark.Phalan@Sun.COM *
180Sstevel@tonic-gate * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
190Sstevel@tonic-gate * distribute this software and its documentation for any purpose and
200Sstevel@tonic-gate * without fee is hereby granted, provided that the above copyright
210Sstevel@tonic-gate * notice appear in all copies and that both that copyright notice and
220Sstevel@tonic-gate * this permission notice appear in supporting documentation, and that
230Sstevel@tonic-gate * the name of M.I.T. not be used in advertising or publicity pertaining
240Sstevel@tonic-gate * to distribution of the software without specific, written prior
250Sstevel@tonic-gate * permission. Furthermore if you modify this software you must label
260Sstevel@tonic-gate * your software as modified software and not distribute it in such a
270Sstevel@tonic-gate * fashion that it might be confused with the original M.I.T. software.
280Sstevel@tonic-gate * M.I.T. makes no representations about the suitability of
290Sstevel@tonic-gate * this software for any purpose. It is provided "as is" without express
300Sstevel@tonic-gate * or implied warranty.
317934SMark.Phalan@Sun.COM *
320Sstevel@tonic-gate *
330Sstevel@tonic-gate * convenience sendauth/recvauth functions
340Sstevel@tonic-gate */
350Sstevel@tonic-gate
367934SMark.Phalan@Sun.COM #include "k5-int.h"
377934SMark.Phalan@Sun.COM #include "auth_con.h"
387934SMark.Phalan@Sun.COM #include "com_err.h"
390Sstevel@tonic-gate #include <errno.h>
400Sstevel@tonic-gate #include <stdio.h>
410Sstevel@tonic-gate #include <string.h>
420Sstevel@tonic-gate
43781Sgtb static const char sendauth_version[] = "KRB5_SENDAUTH_V1.0";
440Sstevel@tonic-gate
45781Sgtb static krb5_error_code
recvauth_common(krb5_context context,krb5_auth_context * auth_context,krb5_pointer fd,char * appl_version,krb5_principal server,krb5_int32 flags,krb5_keytab keytab,krb5_ticket ** ticket,krb5_data * version)460Sstevel@tonic-gate recvauth_common(krb5_context context,
47781Sgtb krb5_auth_context * auth_context,
480Sstevel@tonic-gate /* IN */
490Sstevel@tonic-gate krb5_pointer fd,
50781Sgtb char *appl_version,
510Sstevel@tonic-gate krb5_principal server,
520Sstevel@tonic-gate krb5_int32 flags,
530Sstevel@tonic-gate krb5_keytab keytab,
540Sstevel@tonic-gate /* OUT */
55781Sgtb krb5_ticket ** ticket,
56781Sgtb krb5_data *version)
570Sstevel@tonic-gate {
580Sstevel@tonic-gate krb5_auth_context new_auth_context;
590Sstevel@tonic-gate krb5_flags ap_option;
600Sstevel@tonic-gate krb5_error_code retval, problem;
610Sstevel@tonic-gate krb5_data inbuf;
620Sstevel@tonic-gate krb5_data outbuf;
630Sstevel@tonic-gate krb5_rcache rcache = 0;
640Sstevel@tonic-gate krb5_octet response;
650Sstevel@tonic-gate krb5_data null_server;
660Sstevel@tonic-gate int need_error_free = 0;
670Sstevel@tonic-gate int local_rcache = 0, local_authcon = 0;
680Sstevel@tonic-gate
690Sstevel@tonic-gate /*
700Sstevel@tonic-gate * Zero out problem variable. If problem is set at the end of
710Sstevel@tonic-gate * the intial version negotiation section, it means that we
720Sstevel@tonic-gate * need to send an error code back to the client application
730Sstevel@tonic-gate * and exit.
740Sstevel@tonic-gate */
750Sstevel@tonic-gate problem = 0;
760Sstevel@tonic-gate
770Sstevel@tonic-gate if (!(flags & KRB5_RECVAUTH_SKIP_VERSION)) {
780Sstevel@tonic-gate /*
790Sstevel@tonic-gate * First read the sendauth version string and check it.
800Sstevel@tonic-gate */
810Sstevel@tonic-gate if ((retval = krb5_read_message(context, fd, &inbuf)))
820Sstevel@tonic-gate return(retval);
830Sstevel@tonic-gate if (strcmp(inbuf.data, sendauth_version)) {
840Sstevel@tonic-gate problem = KRB5_SENDAUTH_BADAUTHVERS;
850Sstevel@tonic-gate }
860Sstevel@tonic-gate krb5_xfree(inbuf.data);
870Sstevel@tonic-gate }
880Sstevel@tonic-gate if (flags & KRB5_RECVAUTH_BADAUTHVERS)
890Sstevel@tonic-gate problem = KRB5_SENDAUTH_BADAUTHVERS;
900Sstevel@tonic-gate
910Sstevel@tonic-gate /*
920Sstevel@tonic-gate * Do the same thing for the application version string.
930Sstevel@tonic-gate */
940Sstevel@tonic-gate if ((retval = krb5_read_message(context, fd, &inbuf)))
950Sstevel@tonic-gate return(retval);
960Sstevel@tonic-gate if (appl_version && strcmp(inbuf.data, appl_version)) {
970Sstevel@tonic-gate if (!problem)
980Sstevel@tonic-gate problem = KRB5_SENDAUTH_BADAPPLVERS;
990Sstevel@tonic-gate }
1000Sstevel@tonic-gate if (version && !problem)
1010Sstevel@tonic-gate *version = inbuf;
1020Sstevel@tonic-gate else
1030Sstevel@tonic-gate krb5_xfree(inbuf.data);
1040Sstevel@tonic-gate /*
1050Sstevel@tonic-gate * OK, now check the problem variable. If it's zero, we're
1060Sstevel@tonic-gate * fine and we can continue. Otherwise, we have to signal an
1070Sstevel@tonic-gate * error to the client side and bail out.
1080Sstevel@tonic-gate */
1090Sstevel@tonic-gate switch (problem) {
1100Sstevel@tonic-gate case 0:
1110Sstevel@tonic-gate response = 0;
1120Sstevel@tonic-gate break;
1130Sstevel@tonic-gate case KRB5_SENDAUTH_BADAUTHVERS:
1140Sstevel@tonic-gate response = 1;
1150Sstevel@tonic-gate break;
1160Sstevel@tonic-gate case KRB5_SENDAUTH_BADAPPLVERS:
1170Sstevel@tonic-gate response = 2;
1180Sstevel@tonic-gate break;
1190Sstevel@tonic-gate default:
1200Sstevel@tonic-gate /*
1210Sstevel@tonic-gate * Should never happen!
1220Sstevel@tonic-gate */
1230Sstevel@tonic-gate response = 255;
1240Sstevel@tonic-gate #ifdef SENDAUTH_DEBUG
1250Sstevel@tonic-gate fprintf(stderr, "Programming botch in recvauth! problem = %d",
1260Sstevel@tonic-gate problem);
1270Sstevel@tonic-gate abort();
1280Sstevel@tonic-gate #endif
1290Sstevel@tonic-gate break;
1300Sstevel@tonic-gate }
1310Sstevel@tonic-gate /*
1320Sstevel@tonic-gate * Now we actually write the response. If the response is non-zero,
1330Sstevel@tonic-gate * exit with a return value of problem
1340Sstevel@tonic-gate */
1350Sstevel@tonic-gate if ((krb5_net_write(context, *((int *)fd), (char *)&response, 1)) < 0) {
1360Sstevel@tonic-gate return(problem); /* We'll return the top-level problem */
1370Sstevel@tonic-gate }
1380Sstevel@tonic-gate if (problem)
1390Sstevel@tonic-gate return(problem);
1400Sstevel@tonic-gate
1410Sstevel@tonic-gate /* We are clear of errors here */
1420Sstevel@tonic-gate
1430Sstevel@tonic-gate /*
1440Sstevel@tonic-gate * Now, let's read the AP_REQ message and decode it
1450Sstevel@tonic-gate */
1460Sstevel@tonic-gate if ((retval = krb5_read_message(context, fd, &inbuf)))
1470Sstevel@tonic-gate return retval;
1480Sstevel@tonic-gate
1490Sstevel@tonic-gate if (*auth_context == NULL) {
1500Sstevel@tonic-gate problem = krb5_auth_con_init(context, &new_auth_context);
1510Sstevel@tonic-gate *auth_context = new_auth_context;
1520Sstevel@tonic-gate local_authcon = 1;
1530Sstevel@tonic-gate }
1540Sstevel@tonic-gate krb5_auth_con_getrcache(context, *auth_context, &rcache);
1550Sstevel@tonic-gate if ((!problem) && rcache == NULL) {
1560Sstevel@tonic-gate /*
1570Sstevel@tonic-gate * Setup the replay cache.
1580Sstevel@tonic-gate */
1590Sstevel@tonic-gate if (server) {
1607934SMark.Phalan@Sun.COM problem = krb5_get_server_rcache(context,
1610Sstevel@tonic-gate krb5_princ_component(context, server, 0), &rcache);
1620Sstevel@tonic-gate } else {
1630Sstevel@tonic-gate null_server.length = 7;
1640Sstevel@tonic-gate null_server.data = "default";
1650Sstevel@tonic-gate problem = krb5_get_server_rcache(context, &null_server, &rcache);
1660Sstevel@tonic-gate }
1677934SMark.Phalan@Sun.COM if (!problem)
1680Sstevel@tonic-gate problem = krb5_auth_con_setrcache(context, *auth_context, rcache);
1690Sstevel@tonic-gate local_rcache = 1;
1700Sstevel@tonic-gate }
1710Sstevel@tonic-gate if (!problem) {
1720Sstevel@tonic-gate problem = krb5_rd_req(context, auth_context, &inbuf, server,
1730Sstevel@tonic-gate keytab, &ap_option, ticket);
1740Sstevel@tonic-gate krb5_xfree(inbuf.data);
1750Sstevel@tonic-gate }
1760Sstevel@tonic-gate
1770Sstevel@tonic-gate /*
1780Sstevel@tonic-gate * If there was a problem, send back a krb5_error message,
1790Sstevel@tonic-gate * preceeded by the length of the krb5_error message. If
1800Sstevel@tonic-gate * everything's ok, send back 0 for the length.
1810Sstevel@tonic-gate */
1820Sstevel@tonic-gate if (problem) {
1830Sstevel@tonic-gate krb5_error error;
1840Sstevel@tonic-gate const char *message;
1850Sstevel@tonic-gate
1860Sstevel@tonic-gate memset((char *)&error, 0, sizeof(error));
1870Sstevel@tonic-gate krb5_us_timeofday(context, &error.stime, &error.susec);
1887934SMark.Phalan@Sun.COM if(server)
1890Sstevel@tonic-gate error.server = server;
1900Sstevel@tonic-gate else {
1910Sstevel@tonic-gate /* If this fails - ie. ENOMEM we are hosed
1920Sstevel@tonic-gate we cannot even send the error if we wanted to... */
1930Sstevel@tonic-gate (void) krb5_parse_name(context, "????", &error.server);
1940Sstevel@tonic-gate need_error_free = 1;
1950Sstevel@tonic-gate }
1960Sstevel@tonic-gate
1970Sstevel@tonic-gate error.error = problem - ERROR_TABLE_BASE_krb5;
1980Sstevel@tonic-gate if (error.error > 127)
1990Sstevel@tonic-gate error.error = KRB_ERR_GENERIC;
2000Sstevel@tonic-gate message = error_message(problem);
2010Sstevel@tonic-gate error.text.length = strlen(message) + 1;
2020Sstevel@tonic-gate if (!(error.text.data = malloc(error.text.length))) {
2030Sstevel@tonic-gate retval = ENOMEM;
2040Sstevel@tonic-gate goto cleanup;
2050Sstevel@tonic-gate }
2060Sstevel@tonic-gate strcpy(error.text.data, message);
2077934SMark.Phalan@Sun.COM /* Solaris Kerberos */
2080Sstevel@tonic-gate if ((retval = krb5_mk_error(context, &error, &outbuf)) != 0) {
2090Sstevel@tonic-gate free(error.text.data);
2100Sstevel@tonic-gate goto cleanup;
2110Sstevel@tonic-gate }
2120Sstevel@tonic-gate free(error.text.data);
2137934SMark.Phalan@Sun.COM if(need_error_free)
2140Sstevel@tonic-gate krb5_free_principal(context, error.server);
2150Sstevel@tonic-gate
2160Sstevel@tonic-gate } else {
2170Sstevel@tonic-gate outbuf.length = 0;
2180Sstevel@tonic-gate outbuf.data = 0;
2190Sstevel@tonic-gate }
2200Sstevel@tonic-gate
2210Sstevel@tonic-gate retval = krb5_write_message(context, fd, &outbuf);
2220Sstevel@tonic-gate if (outbuf.data) {
2230Sstevel@tonic-gate krb5_xfree(outbuf.data);
2240Sstevel@tonic-gate /* We sent back an error, we need cleanup then return */
2250Sstevel@tonic-gate retval = problem;
2260Sstevel@tonic-gate goto cleanup;
2270Sstevel@tonic-gate }
2280Sstevel@tonic-gate if (retval)
2290Sstevel@tonic-gate goto cleanup;
2300Sstevel@tonic-gate
2310Sstevel@tonic-gate /* Here lies the mutual authentication stuff... */
2320Sstevel@tonic-gate if ((ap_option & AP_OPTS_MUTUAL_REQUIRED)) {
2330Sstevel@tonic-gate if ((retval = krb5_mk_rep(context, *auth_context, &outbuf))) {
2340Sstevel@tonic-gate return(retval);
2350Sstevel@tonic-gate }
2360Sstevel@tonic-gate retval = krb5_write_message(context, fd, &outbuf);
2370Sstevel@tonic-gate krb5_xfree(outbuf.data);
2380Sstevel@tonic-gate }
2390Sstevel@tonic-gate
2400Sstevel@tonic-gate cleanup:;
2410Sstevel@tonic-gate if (retval) {
2420Sstevel@tonic-gate if (local_authcon) {
2430Sstevel@tonic-gate krb5_auth_con_free(context, *auth_context);
244*8711SMark.Phalan@Sun.COM /* Solaris Kerberos */
245*8711SMark.Phalan@Sun.COM *auth_context = NULL;
2460Sstevel@tonic-gate } else if (local_rcache && rcache != NULL) {
2477934SMark.Phalan@Sun.COM /* Solaris Kerberos */
2480Sstevel@tonic-gate (void) krb5_rc_close(context, rcache);
2490Sstevel@tonic-gate krb5_auth_con_setrcache(context, *auth_context, NULL);
2500Sstevel@tonic-gate }
2510Sstevel@tonic-gate }
2520Sstevel@tonic-gate return retval;
2530Sstevel@tonic-gate }
2540Sstevel@tonic-gate
255781Sgtb krb5_error_code KRB5_CALLCONV
krb5_recvauth(krb5_context context,krb5_auth_context * auth_context,krb5_pointer fd,char * appl_version,krb5_principal server,krb5_int32 flags,krb5_keytab keytab,krb5_ticket ** ticket)256781Sgtb krb5_recvauth(krb5_context context, krb5_auth_context *auth_context, krb5_pointer fd, char *appl_version, krb5_principal server, krb5_int32 flags, krb5_keytab keytab, krb5_ticket **ticket)
2570Sstevel@tonic-gate {
2587934SMark.Phalan@Sun.COM return recvauth_common (context, auth_context, fd, appl_version,
2590Sstevel@tonic-gate server, flags, keytab, ticket, 0);
2600Sstevel@tonic-gate }
2610Sstevel@tonic-gate
262781Sgtb krb5_error_code KRB5_CALLCONV
krb5_recvauth_version(krb5_context context,krb5_auth_context * auth_context,krb5_pointer fd,krb5_principal server,krb5_int32 flags,krb5_keytab keytab,krb5_ticket ** ticket,krb5_data * version)2630Sstevel@tonic-gate krb5_recvauth_version(krb5_context context,
264781Sgtb krb5_auth_context *auth_context,
2650Sstevel@tonic-gate /* IN */
2660Sstevel@tonic-gate krb5_pointer fd,
2670Sstevel@tonic-gate krb5_principal server,
2680Sstevel@tonic-gate krb5_int32 flags,
2690Sstevel@tonic-gate krb5_keytab keytab,
2700Sstevel@tonic-gate /* OUT */
271781Sgtb krb5_ticket **ticket,
272781Sgtb krb5_data *version)
2730Sstevel@tonic-gate {
2740Sstevel@tonic-gate return recvauth_common (context, auth_context, fd, 0,
2750Sstevel@tonic-gate server, flags, keytab, ticket, version);
2760Sstevel@tonic-gate }
277