Holger Hildebrandt | fa07499 | 2020-03-27 15:42:06 +0000 | [diff] [blame] | 1 | package client |
| 2 | |
| 3 | import ( |
| 4 | "bytes" |
| 5 | "encoding/binary" |
| 6 | "errors" |
| 7 | "fmt" |
| 8 | "io" |
| 9 | "net" |
| 10 | "time" |
| 11 | |
| 12 | "gopkg.in/jcmturner/gokrb5.v7/iana/errorcode" |
| 13 | "gopkg.in/jcmturner/gokrb5.v7/messages" |
| 14 | ) |
| 15 | |
| 16 | // SendToKDC performs network actions to send data to the KDC. |
| 17 | func (cl *Client) sendToKDC(b []byte, realm string) ([]byte, error) { |
| 18 | var rb []byte |
| 19 | if cl.Config.LibDefaults.UDPPreferenceLimit == 1 { |
| 20 | //1 means we should always use TCP |
| 21 | rb, errtcp := cl.sendKDCTCP(realm, b) |
| 22 | if errtcp != nil { |
| 23 | if e, ok := errtcp.(messages.KRBError); ok { |
| 24 | return rb, e |
| 25 | } |
| 26 | return rb, fmt.Errorf("communication error with KDC via TCP: %v", errtcp) |
| 27 | } |
| 28 | return rb, nil |
| 29 | } |
| 30 | if len(b) <= cl.Config.LibDefaults.UDPPreferenceLimit { |
| 31 | //Try UDP first, TCP second |
| 32 | rb, errudp := cl.sendKDCUDP(realm, b) |
| 33 | if errudp != nil { |
| 34 | if e, ok := errudp.(messages.KRBError); ok && e.ErrorCode != errorcode.KRB_ERR_RESPONSE_TOO_BIG { |
| 35 | // Got a KRBError from KDC |
| 36 | // If this is not a KRB_ERR_RESPONSE_TOO_BIG we will return immediately otherwise will try TCP. |
| 37 | return rb, e |
| 38 | } |
| 39 | // Try TCP |
| 40 | r, errtcp := cl.sendKDCTCP(realm, b) |
| 41 | if errtcp != nil { |
| 42 | if e, ok := errtcp.(messages.KRBError); ok { |
| 43 | // Got a KRBError |
| 44 | return r, e |
| 45 | } |
| 46 | return r, fmt.Errorf("failed to communicate with KDC. Attempts made with UDP (%v) and then TCP (%v)", errudp, errtcp) |
| 47 | } |
| 48 | rb = r |
| 49 | } |
| 50 | return rb, nil |
| 51 | } |
| 52 | //Try TCP first, UDP second |
| 53 | rb, errtcp := cl.sendKDCTCP(realm, b) |
| 54 | if errtcp != nil { |
| 55 | if e, ok := errtcp.(messages.KRBError); ok { |
| 56 | // Got a KRBError from KDC so returning and not trying UDP. |
| 57 | return rb, e |
| 58 | } |
| 59 | rb, errudp := cl.sendKDCUDP(realm, b) |
| 60 | if errudp != nil { |
| 61 | if e, ok := errudp.(messages.KRBError); ok { |
| 62 | // Got a KRBError |
| 63 | return rb, e |
| 64 | } |
| 65 | return rb, fmt.Errorf("failed to communicate with KDC. Attempts made with TCP (%v) and then UDP (%v)", errtcp, errudp) |
| 66 | } |
| 67 | } |
| 68 | return rb, nil |
| 69 | } |
| 70 | |
| 71 | // dialKDCTCP establishes a UDP connection to a KDC. |
| 72 | func dialKDCUDP(count int, kdcs map[int]string) (*net.UDPConn, error) { |
| 73 | i := 1 |
| 74 | for i <= count { |
| 75 | udpAddr, err := net.ResolveUDPAddr("udp", kdcs[i]) |
| 76 | if err != nil { |
| 77 | return nil, fmt.Errorf("error resolving KDC address: %v", err) |
| 78 | } |
| 79 | |
| 80 | conn, err := net.DialTimeout("udp", udpAddr.String(), 5*time.Second) |
| 81 | if err == nil { |
| 82 | if err := conn.SetDeadline(time.Now().Add(5 * time.Second)); err != nil { |
| 83 | return nil, err |
| 84 | } |
| 85 | // conn is guaranteed to be a UDPConn |
| 86 | return conn.(*net.UDPConn), nil |
| 87 | } |
| 88 | i++ |
| 89 | } |
| 90 | return nil, errors.New("error in getting a UDP connection to any of the KDCs") |
| 91 | } |
| 92 | |
| 93 | // dialKDCTCP establishes a TCP connection to a KDC. |
| 94 | func dialKDCTCP(count int, kdcs map[int]string) (*net.TCPConn, error) { |
| 95 | i := 1 |
| 96 | for i <= count { |
| 97 | tcpAddr, err := net.ResolveTCPAddr("tcp", kdcs[i]) |
| 98 | if err != nil { |
| 99 | return nil, fmt.Errorf("error resolving KDC address: %v", err) |
| 100 | } |
| 101 | |
| 102 | conn, err := net.DialTimeout("tcp", tcpAddr.String(), 5*time.Second) |
| 103 | if err == nil { |
| 104 | if err := conn.SetDeadline(time.Now().Add(5 * time.Second)); err != nil { |
| 105 | return nil, err |
| 106 | } |
| 107 | // conn is guaranteed to be a TCPConn |
| 108 | return conn.(*net.TCPConn), nil |
| 109 | } |
| 110 | i++ |
| 111 | } |
| 112 | return nil, errors.New("error in getting a TCP connection to any of the KDCs") |
| 113 | } |
| 114 | |
| 115 | // sendKDCUDP sends bytes to the KDC via UDP. |
| 116 | func (cl *Client) sendKDCUDP(realm string, b []byte) ([]byte, error) { |
| 117 | var r []byte |
| 118 | count, kdcs, err := cl.Config.GetKDCs(realm, false) |
| 119 | if err != nil { |
| 120 | return r, err |
| 121 | } |
| 122 | conn, err := dialKDCUDP(count, kdcs) |
| 123 | if err != nil { |
| 124 | return r, err |
| 125 | } |
| 126 | r, err = cl.sendUDP(conn, b) |
| 127 | if err != nil { |
| 128 | return r, err |
| 129 | } |
| 130 | return checkForKRBError(r) |
| 131 | } |
| 132 | |
| 133 | // sendKDCTCP sends bytes to the KDC via TCP. |
| 134 | func (cl *Client) sendKDCTCP(realm string, b []byte) ([]byte, error) { |
| 135 | var r []byte |
| 136 | count, kdcs, err := cl.Config.GetKDCs(realm, true) |
| 137 | if err != nil { |
| 138 | return r, err |
| 139 | } |
| 140 | conn, err := dialKDCTCP(count, kdcs) |
| 141 | if err != nil { |
| 142 | return r, err |
| 143 | } |
| 144 | rb, err := cl.sendTCP(conn, b) |
| 145 | if err != nil { |
| 146 | return r, err |
| 147 | } |
| 148 | return checkForKRBError(rb) |
| 149 | } |
| 150 | |
| 151 | // sendUDP sends bytes to connection over UDP. |
| 152 | func (cl *Client) sendUDP(conn *net.UDPConn, b []byte) ([]byte, error) { |
| 153 | var r []byte |
| 154 | defer conn.Close() |
| 155 | _, err := conn.Write(b) |
| 156 | if err != nil { |
| 157 | return r, fmt.Errorf("error sending to (%s): %v", conn.RemoteAddr().String(), err) |
| 158 | } |
| 159 | udpbuf := make([]byte, 4096) |
| 160 | n, _, err := conn.ReadFrom(udpbuf) |
| 161 | r = udpbuf[:n] |
| 162 | if err != nil { |
| 163 | return r, fmt.Errorf("sending over UDP failed to %s: %v", conn.RemoteAddr().String(), err) |
| 164 | } |
| 165 | if len(r) < 1 { |
| 166 | return r, fmt.Errorf("no response data from %s", conn.RemoteAddr().String()) |
| 167 | } |
| 168 | return r, nil |
| 169 | } |
| 170 | |
| 171 | // sendTCP sends bytes to connection over TCP. |
| 172 | func (cl *Client) sendTCP(conn *net.TCPConn, b []byte) ([]byte, error) { |
| 173 | defer conn.Close() |
| 174 | var r []byte |
| 175 | /* |
| 176 | RFC https://tools.ietf.org/html/rfc4120#section-7.2.2 |
| 177 | Each request (KRB_KDC_REQ) and response (KRB_KDC_REP or KRB_ERROR) |
| 178 | sent over the TCP stream is preceded by the length of the request as |
| 179 | 4 octets in network byte order. The high bit of the length is |
| 180 | reserved for future expansion and MUST currently be set to zero. If |
| 181 | a KDC that does not understand how to interpret a set high bit of the |
| 182 | length encoding receives a request with the high order bit of the |
| 183 | length set, it MUST return a KRB-ERROR message with the error |
| 184 | KRB_ERR_FIELD_TOOLONG and MUST close the TCP stream. |
| 185 | NB: network byte order == big endian |
| 186 | */ |
| 187 | var buf bytes.Buffer |
| 188 | err := binary.Write(&buf, binary.BigEndian, uint32(len(b))) |
| 189 | if err != nil { |
| 190 | return r, err |
| 191 | } |
| 192 | b = append(buf.Bytes(), b...) |
| 193 | |
| 194 | _, err = conn.Write(b) |
| 195 | if err != nil { |
| 196 | return r, fmt.Errorf("error sending to KDC (%s): %v", conn.RemoteAddr().String(), err) |
| 197 | } |
| 198 | |
| 199 | sh := make([]byte, 4, 4) |
| 200 | _, err = conn.Read(sh) |
| 201 | if err != nil { |
| 202 | return r, fmt.Errorf("error reading response size header: %v", err) |
| 203 | } |
| 204 | s := binary.BigEndian.Uint32(sh) |
| 205 | |
| 206 | rb := make([]byte, s, s) |
| 207 | _, err = io.ReadFull(conn, rb) |
| 208 | if err != nil { |
| 209 | return r, fmt.Errorf("error reading response: %v", err) |
| 210 | } |
| 211 | if len(rb) < 1 { |
| 212 | return r, fmt.Errorf("no response data from KDC %s", conn.RemoteAddr().String()) |
| 213 | } |
| 214 | return rb, nil |
| 215 | } |
| 216 | |
| 217 | // checkForKRBError checks if the response bytes from the KDC are a KRBError. |
| 218 | func checkForKRBError(b []byte) ([]byte, error) { |
| 219 | var KRBErr messages.KRBError |
| 220 | if err := KRBErr.Unmarshal(b); err == nil { |
| 221 | return b, KRBErr |
| 222 | } |
| 223 | return b, nil |
| 224 | } |