2 * lib/krb5/krb/sendauth.c
4 * Copyright 1991 by the Massachusetts Institute of Technology.
7 * Export of this software from the United States of America may
8 * require a specific license from the United States Government.
9 * It is the responsibility of any person or organization contemplating
10 * export to obtain such a license before exporting.
12 * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
13 * distribute this software and its documentation for any purpose and
14 * without fee is hereby granted, provided that the above copyright
15 * notice appear in all copies and that both that copyright notice and
16 * this permission notice appear in supporting documentation, and that
17 * the name of M.I.T. not be used in advertising or publicity pertaining
18 * to distribution of the software without specific, written prior
19 * permission. M.I.T. makes no representations about the suitability of
20 * this software for any purpose. It is provided "as is" without express
21 * or implied warranty.
24 * convenience sendauth/recvauth functions
36 static char *sendauth_version = "KRB5_SENDAUTH_V1.0";
38 KRB5_DLLIMP krb5_error_code KRB5_CALLCONV
39 krb5_sendauth(context, auth_context,
41 fd, appl_version, client, server, ap_req_options, in_data,
46 error, rep_result, out_creds)
48 krb5_auth_context FAR * auth_context;
50 char FAR * appl_version;
51 krb5_principal client;
52 krb5_principal server;
53 krb5_flags ap_req_options;
54 krb5_data FAR * in_data;
55 krb5_creds FAR * in_creds;
57 krb5_error FAR * FAR * error;
58 krb5_ap_rep_enc_part FAR * FAR * rep_result;
59 krb5_creds FAR * FAR * out_creds;
63 krb5_creds FAR * credsp = NULL;
64 krb5_creds FAR * credspout = NULL;
65 krb5_error_code retval = 0;
66 krb5_data inbuf, outbuf;
68 krb5_ccache use_ccache = 0;
74 * First, send over the length of the sendauth version string;
75 * then, we send over the sendauth version. Next, we send
76 * over the length of the application version strings followed
77 * by the string itself.
79 outbuf.length = strlen(sendauth_version) + 1;
80 outbuf.data = sendauth_version;
81 if ((retval = krb5_write_message(context, fd, &outbuf)))
83 outbuf.length = strlen(appl_version) + 1;
84 outbuf.data = appl_version;
85 if ((retval = krb5_write_message(context, fd, &outbuf)))
88 * Now, read back a byte: 0 means no error, 1 means bad sendauth
89 * version, 2 means bad application version
92 #define ECONNABORTED WSAECONNABORTED
94 if ((len = krb5_net_read(context, *((int *) fd), (char *)&result, 1)) != 1)
95 return((len < 0) ? errno : ECONNABORTED);
97 return(KRB5_SENDAUTH_BADAUTHVERS);
99 return(KRB5_SENDAUTH_BADAPPLVERS);
100 else if (result != 0)
101 return(KRB5_SENDAUTH_BADRESPONSE);
103 * We're finished with the initial negotiations; let's get and
104 * send over the authentication header. (The AP_REQ message)
108 * If no credentials were provided, try getting it from the
111 memset((char *)&creds, 0, sizeof(creds));
114 * See if we need to access the credentials cache
116 if (!in_creds || !in_creds->ticket.length) {
119 else if ((retval = krb5_cc_default(context, &use_ccache)))
123 if ((retval = krb5_copy_principal(context, server,
127 retval = krb5_copy_principal(context, client,
130 retval = krb5_cc_get_principal(context, use_ccache,
133 krb5_free_principal(context, creds.server);
136 /* creds.times.endtime = 0; -- memset 0 takes care of this
137 zero means "as long as possible" */
138 /* creds.keyblock.enctype = 0; -- as well as this.
139 zero means no session enctype
143 if (!in_creds->ticket.length) {
144 if ((retval = krb5_get_credentials(context, 0,
145 use_ccache, in_creds, &credsp)))
152 if ((retval = krb5_mk_req_extended(context, auth_context, ap_req_options,
153 in_data, credsp, &outbuf)))
157 * First write the length of the AP_REQ message, then write
158 * the message itself.
160 retval = krb5_write_message(context, fd, &outbuf);
166 * Now, read back a message. If it was a null message (the
167 * length was zero) then there was no error. If not, we the
168 * authentication was rejected, and we need to return the
171 if ((retval = krb5_read_message(context, fd, &inbuf)))
176 if ((retval = krb5_rd_error(context, &inbuf, error))) {
177 krb5_xfree(inbuf.data);
181 retval = KRB5_SENDAUTH_REJECTED;
182 krb5_xfree(inbuf.data);
187 * If we asked for mutual authentication, we should now get a
188 * length field, followed by a AP_REP message
190 if ((ap_req_options & AP_OPTS_MUTUAL_REQUIRED)) {
191 krb5_ap_rep_enc_part *repl = 0;
193 if ((retval = krb5_read_message(context, fd, &inbuf)))
196 if ((retval = krb5_rd_rep(context, *auth_context, &inbuf,
199 krb5_free_ap_rep_enc_part(context, repl);
200 krb5_xfree(inbuf.data);
204 krb5_xfree(inbuf.data);
206 * If the user wants to look at the AP_REP message,
212 krb5_free_ap_rep_enc_part(context, repl);
214 retval = 0; /* Normal return */
220 krb5_free_cred_contents(context, &creds);
221 if (!out_creds && credspout)
222 krb5_free_creds(context, credspout);
223 if (!ccache && use_ccache)
224 krb5_cc_close(context, use_ccache);