blob: 493fb2f3dbd8851d00cbbc0d0565439087deef16 [file] [log] [blame]
Holger Hildebrandtfa074992020-03-27 15:42:06 +00001package client
2
3import (
4 "bytes"
5 "encoding/binary"
6 "errors"
7 "fmt"
8 "io"
9 "net"
10 "time"
11
12 "gopkg.in/jcmturner/gokrb5.v7/iana/errorcode"
13 "gopkg.in/jcmturner/gokrb5.v7/messages"
14)
15
16// SendToKDC performs network actions to send data to the KDC.
17func (cl *Client) sendToKDC(b []byte, realm string) ([]byte, error) {
18 var rb []byte
19 if cl.Config.LibDefaults.UDPPreferenceLimit == 1 {
20 //1 means we should always use TCP
21 rb, errtcp := cl.sendKDCTCP(realm, b)
22 if errtcp != nil {
23 if e, ok := errtcp.(messages.KRBError); ok {
24 return rb, e
25 }
26 return rb, fmt.Errorf("communication error with KDC via TCP: %v", errtcp)
27 }
28 return rb, nil
29 }
30 if len(b) <= cl.Config.LibDefaults.UDPPreferenceLimit {
31 //Try UDP first, TCP second
32 rb, errudp := cl.sendKDCUDP(realm, b)
33 if errudp != nil {
34 if e, ok := errudp.(messages.KRBError); ok && e.ErrorCode != errorcode.KRB_ERR_RESPONSE_TOO_BIG {
35 // Got a KRBError from KDC
36 // If this is not a KRB_ERR_RESPONSE_TOO_BIG we will return immediately otherwise will try TCP.
37 return rb, e
38 }
39 // Try TCP
40 r, errtcp := cl.sendKDCTCP(realm, b)
41 if errtcp != nil {
42 if e, ok := errtcp.(messages.KRBError); ok {
43 // Got a KRBError
44 return r, e
45 }
46 return r, fmt.Errorf("failed to communicate with KDC. Attempts made with UDP (%v) and then TCP (%v)", errudp, errtcp)
47 }
48 rb = r
49 }
50 return rb, nil
51 }
52 //Try TCP first, UDP second
53 rb, errtcp := cl.sendKDCTCP(realm, b)
54 if errtcp != nil {
55 if e, ok := errtcp.(messages.KRBError); ok {
56 // Got a KRBError from KDC so returning and not trying UDP.
57 return rb, e
58 }
59 rb, errudp := cl.sendKDCUDP(realm, b)
60 if errudp != nil {
61 if e, ok := errudp.(messages.KRBError); ok {
62 // Got a KRBError
63 return rb, e
64 }
65 return rb, fmt.Errorf("failed to communicate with KDC. Attempts made with TCP (%v) and then UDP (%v)", errtcp, errudp)
66 }
67 }
68 return rb, nil
69}
70
71// dialKDCTCP establishes a UDP connection to a KDC.
72func dialKDCUDP(count int, kdcs map[int]string) (*net.UDPConn, error) {
73 i := 1
74 for i <= count {
75 udpAddr, err := net.ResolveUDPAddr("udp", kdcs[i])
76 if err != nil {
77 return nil, fmt.Errorf("error resolving KDC address: %v", err)
78 }
79
80 conn, err := net.DialTimeout("udp", udpAddr.String(), 5*time.Second)
81 if err == nil {
82 if err := conn.SetDeadline(time.Now().Add(5 * time.Second)); err != nil {
83 return nil, err
84 }
85 // conn is guaranteed to be a UDPConn
86 return conn.(*net.UDPConn), nil
87 }
88 i++
89 }
90 return nil, errors.New("error in getting a UDP connection to any of the KDCs")
91}
92
93// dialKDCTCP establishes a TCP connection to a KDC.
94func dialKDCTCP(count int, kdcs map[int]string) (*net.TCPConn, error) {
95 i := 1
96 for i <= count {
97 tcpAddr, err := net.ResolveTCPAddr("tcp", kdcs[i])
98 if err != nil {
99 return nil, fmt.Errorf("error resolving KDC address: %v", err)
100 }
101
102 conn, err := net.DialTimeout("tcp", tcpAddr.String(), 5*time.Second)
103 if err == nil {
104 if err := conn.SetDeadline(time.Now().Add(5 * time.Second)); err != nil {
105 return nil, err
106 }
107 // conn is guaranteed to be a TCPConn
108 return conn.(*net.TCPConn), nil
109 }
110 i++
111 }
112 return nil, errors.New("error in getting a TCP connection to any of the KDCs")
113}
114
115// sendKDCUDP sends bytes to the KDC via UDP.
116func (cl *Client) sendKDCUDP(realm string, b []byte) ([]byte, error) {
117 var r []byte
118 count, kdcs, err := cl.Config.GetKDCs(realm, false)
119 if err != nil {
120 return r, err
121 }
122 conn, err := dialKDCUDP(count, kdcs)
123 if err != nil {
124 return r, err
125 }
126 r, err = cl.sendUDP(conn, b)
127 if err != nil {
128 return r, err
129 }
130 return checkForKRBError(r)
131}
132
133// sendKDCTCP sends bytes to the KDC via TCP.
134func (cl *Client) sendKDCTCP(realm string, b []byte) ([]byte, error) {
135 var r []byte
136 count, kdcs, err := cl.Config.GetKDCs(realm, true)
137 if err != nil {
138 return r, err
139 }
140 conn, err := dialKDCTCP(count, kdcs)
141 if err != nil {
142 return r, err
143 }
144 rb, err := cl.sendTCP(conn, b)
145 if err != nil {
146 return r, err
147 }
148 return checkForKRBError(rb)
149}
150
151// sendUDP sends bytes to connection over UDP.
152func (cl *Client) sendUDP(conn *net.UDPConn, b []byte) ([]byte, error) {
153 var r []byte
154 defer conn.Close()
155 _, err := conn.Write(b)
156 if err != nil {
157 return r, fmt.Errorf("error sending to (%s): %v", conn.RemoteAddr().String(), err)
158 }
159 udpbuf := make([]byte, 4096)
160 n, _, err := conn.ReadFrom(udpbuf)
161 r = udpbuf[:n]
162 if err != nil {
163 return r, fmt.Errorf("sending over UDP failed to %s: %v", conn.RemoteAddr().String(), err)
164 }
165 if len(r) < 1 {
166 return r, fmt.Errorf("no response data from %s", conn.RemoteAddr().String())
167 }
168 return r, nil
169}
170
171// sendTCP sends bytes to connection over TCP.
172func (cl *Client) sendTCP(conn *net.TCPConn, b []byte) ([]byte, error) {
173 defer conn.Close()
174 var r []byte
175 /*
176 RFC https://tools.ietf.org/html/rfc4120#section-7.2.2
177 Each request (KRB_KDC_REQ) and response (KRB_KDC_REP or KRB_ERROR)
178 sent over the TCP stream is preceded by the length of the request as
179 4 octets in network byte order. The high bit of the length is
180 reserved for future expansion and MUST currently be set to zero. If
181 a KDC that does not understand how to interpret a set high bit of the
182 length encoding receives a request with the high order bit of the
183 length set, it MUST return a KRB-ERROR message with the error
184 KRB_ERR_FIELD_TOOLONG and MUST close the TCP stream.
185 NB: network byte order == big endian
186 */
187 var buf bytes.Buffer
188 err := binary.Write(&buf, binary.BigEndian, uint32(len(b)))
189 if err != nil {
190 return r, err
191 }
192 b = append(buf.Bytes(), b...)
193
194 _, err = conn.Write(b)
195 if err != nil {
196 return r, fmt.Errorf("error sending to KDC (%s): %v", conn.RemoteAddr().String(), err)
197 }
198
199 sh := make([]byte, 4, 4)
200 _, err = conn.Read(sh)
201 if err != nil {
202 return r, fmt.Errorf("error reading response size header: %v", err)
203 }
204 s := binary.BigEndian.Uint32(sh)
205
206 rb := make([]byte, s, s)
207 _, err = io.ReadFull(conn, rb)
208 if err != nil {
209 return r, fmt.Errorf("error reading response: %v", err)
210 }
211 if len(rb) < 1 {
212 return r, fmt.Errorf("no response data from KDC %s", conn.RemoteAddr().String())
213 }
214 return rb, nil
215}
216
217// checkForKRBError checks if the response bytes from the KDC are a KRBError.
218func checkForKRBError(b []byte) ([]byte, error) {
219 var KRBErr messages.KRBError
220 if err := KRBErr.Unmarshal(b); err == nil {
221 return b, KRBErr
222 }
223 return b, nil
224}