From 2b29b7186459d945ec448694164bfe4239b30d72 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Mon, 27 Oct 2008 11:35:07 +0100 Subject: s4: import lorikeet-heimdal-200810271034 metze --- source4/heimdal/kdc/digest.c | 220 +++++++++++++++++++++---------------------- 1 file changed, 110 insertions(+), 110 deletions(-) (limited to 'source4/heimdal/kdc/digest.c') diff --git a/source4/heimdal/kdc/digest.c b/source4/heimdal/kdc/digest.c index 401ca1db11..96986c1a87 100644 --- a/source4/heimdal/kdc/digest.c +++ b/source4/heimdal/kdc/digest.c @@ -1,34 +1,34 @@ /* - * Copyright (c) 2006 - 2007 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. + * Copyright (c) 2006 - 2007 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. + * 3. Neither the name of the Institute nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. + * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. */ #include "kdc_locl.h" @@ -63,7 +63,7 @@ get_digest_key(krb5_context context, krb5_error_code ret; krb5_enctype enctype; Key *key; - + ret = _kdc_get_preferred_key(context, config, server, @@ -115,8 +115,8 @@ fill_targetinfo(krb5_context context, ti.domainname = targetname; p = client->entry.principal; str = krb5_principal_get_comp_string(context, p, 0); - if (str != NULL && - (strcmp("host", str) == 0 || + if (str != NULL && + (strcmp("host", str) == 0 || strcmp("ftp", str) == 0 || strcmp("imap", str) == 0 || strcmp("pop", str) == 0 || @@ -125,7 +125,7 @@ fill_targetinfo(krb5_context context, str = krb5_principal_get_comp_string(context, p, 1); ti.dnsservername = rk_UNCONST(str); } - + ret = heim_ntlm_encode_targetinfo(&ti, 1, &d); if (ret) return ret; @@ -199,7 +199,7 @@ get_password_entry(krb5_context context, */ krb5_error_code -_kdc_do_digest(krb5_context context, +_kdc_do_digest(krb5_context context, krb5_kdc_configuration *config, const DigestREQ *req, krb5_data *reply, const char *from, struct sockaddr *addr) @@ -223,7 +223,7 @@ _kdc_do_digest(krb5_context context, krb5_data serverNonce; if(!config->enable_digest) { - kdc_log(context, config, 0, + kdc_log(context, config, 0, "Rejected digest request (disabled) from %s", from); return KRB5KDC_ERR_POLICY; } @@ -243,7 +243,7 @@ _kdc_do_digest(krb5_context context, goto out; } - ret = krb5_rd_req(context, + ret = krb5_rd_req(context, &ac, &req->apReq, NULL, @@ -288,7 +288,7 @@ _kdc_do_digest(krb5_context context, krb5_free_principal(context, principal); goto out; } - krb5_clear_error_string(context); + krb5_clear_error_message(context); ret = _kdc_db_fetch(context, config, principal, HDB_F_GET_SERVER, NULL, &server); @@ -319,9 +319,9 @@ _kdc_do_digest(krb5_context context, goto out; if (client->entry.flags.allow_digest == 0) { - kdc_log(context, config, 0, + kdc_log(context, config, 0, "Client %s tried to use digest " - "but is not allowed to", + "but is not allowed to", client_name); ret = KRB5KDC_ERR_POLICY; krb5_set_error_message(context, ret, @@ -355,7 +355,7 @@ _kdc_do_digest(krb5_context context, crypto = NULL; if (ret) goto out; - + ret = decode_DigestReqInner(buf.data, buf.length, &ireq, NULL); krb5_data_free(&buf); if (ret) { @@ -363,7 +363,7 @@ _kdc_do_digest(krb5_context context, goto out; } - kdc_log(context, config, 0, "Valid digest request from %s (%s)", + kdc_log(context, config, 0, "Valid digest request from %s (%s)", client_name, from); /* @@ -399,7 +399,7 @@ _kdc_do_digest(krb5_context context, } ret = krb5_store_stringz(sp, ireq.u.init.type); if (ret) { - krb5_clear_error_string(context); + krb5_clear_error_message(context); goto out; } @@ -421,12 +421,12 @@ _kdc_do_digest(krb5_context context, ret = krb5_store_stringz(sp, r.u.initReply.nonce); if (ret) { - krb5_clear_error_string(context); + krb5_clear_error_message(context); goto out; } if (strcasecmp(ireq.u.init.type, "CHAP") == 0) { - r.u.initReply.identifier = + r.u.initReply.identifier = malloc(sizeof(*r.u.initReply.identifier)); if (r.u.initReply.identifier == NULL) { ret = ENOMEM; @@ -447,14 +447,14 @@ _kdc_do_digest(krb5_context context, if (ireq.u.init.hostname) { ret = krb5_store_stringz(sp, *ireq.u.init.hostname); if (ret) { - krb5_clear_error_string(context); + krb5_clear_error_message(context); goto out; } } ret = krb5_storage_to_data(sp, &buf); if (ret) { - krb5_clear_error_string(context); + krb5_clear_error_message(context); goto out; } @@ -488,7 +488,7 @@ _kdc_do_digest(krb5_context context, hex_encode(buf.data, buf.length, &r.u.initReply.opaque); free(buf.data); if (r.u.initReply.opaque == NULL) { - krb5_clear_error_string(context); + krb5_clear_error_message(context); ret = ENOMEM; goto out; } @@ -507,7 +507,7 @@ _kdc_do_digest(krb5_context context, } ret = krb5_store_stringz(sp, ireq.u.digestRequest.type); if (ret) { - krb5_clear_error_string(context); + krb5_clear_error_message(context); goto out; } @@ -516,7 +516,7 @@ _kdc_do_digest(krb5_context context, if (ireq.u.digestRequest.hostname) { ret = krb5_store_stringz(sp, *ireq.u.digestRequest.hostname); if (ret) { - krb5_clear_error_string(context); + krb5_clear_error_message(context); goto out; } } @@ -546,7 +546,7 @@ _kdc_do_digest(krb5_context context, ret = krb5_storage_to_data(sp, &buf); if (ret) { - krb5_clear_error_string(context); + krb5_clear_error_message(context); goto out; } @@ -557,15 +557,15 @@ _kdc_do_digest(krb5_context context, krb5_set_error_message(context, ret, "malloc: out of memory"); goto out; } - + /* * CHAP does the checksum of the raw nonce, but do it for all * types, since we need to check the timestamp. */ { ssize_t ssize; - - ssize = hex_decode(ireq.u.digestRequest.serverNonce, + + ssize = hex_decode(ireq.u.digestRequest.serverNonce, serverNonce.data, serverNonce.length); if (ssize <= 0) { ret = ENOMEM; @@ -579,7 +579,7 @@ _kdc_do_digest(krb5_context context, if (ret) goto out; - ret = krb5_verify_checksum(context, crypto, + ret = krb5_verify_checksum(context, crypto, KRB5_KU_DIGEST_OPAQUE, buf.data, buf.length, &res); krb5_crypto_destroy(context, crypto); @@ -591,7 +591,7 @@ _kdc_do_digest(krb5_context context, { unsigned char *p = serverNonce.data; uint32_t t; - + if (serverNonce.length < 4) { ret = EINVAL; krb5_set_error_message(context, ret, "server nonce too short"); @@ -623,14 +623,14 @@ _kdc_do_digest(krb5_context context, "from CHAP request"); goto out; } - + if (hex_decode(*ireq.u.digestRequest.identifier, &id, 1) != 1) { ret = EINVAL; krb5_set_error_message(context, ret, "failed to decode identifier"); goto out; } - - ret = get_password_entry(context, config, + + ret = get_password_entry(context, config, ireq.u.digestRequest.username, &password); if (ret) @@ -644,7 +644,7 @@ _kdc_do_digest(krb5_context context, hex_encode(md, sizeof(md), &mdx); if (mdx == NULL) { - krb5_clear_error_string(context); + krb5_clear_error_message(context); ret = ENOMEM; goto out; } @@ -656,7 +656,7 @@ _kdc_do_digest(krb5_context context, if (ret == 0) { r.u.response.success = TRUE; } else { - kdc_log(context, config, 0, + kdc_log(context, config, 0, "CHAP reply mismatch for %s", ireq.u.digestRequest.username); r.u.response.success = FALSE; @@ -673,16 +673,16 @@ _kdc_do_digest(krb5_context context, goto out; } - if (ireq.u.digestRequest.nonceCount == NULL) + if (ireq.u.digestRequest.nonceCount == NULL) goto out; - if (ireq.u.digestRequest.clientNonce == NULL) + if (ireq.u.digestRequest.clientNonce == NULL) goto out; - if (ireq.u.digestRequest.qop == NULL) + if (ireq.u.digestRequest.qop == NULL) goto out; - if (ireq.u.digestRequest.realm == NULL) + if (ireq.u.digestRequest.realm == NULL) goto out; - - ret = get_password_entry(context, config, + + ret = get_password_entry(context, config, ireq.u.digestRequest.username, &password); if (ret) @@ -697,7 +697,7 @@ _kdc_do_digest(krb5_context context, MD5_Update(&ctx, ":", 1); MD5_Update(&ctx, password, strlen(password)); MD5_Final(md, &ctx); - + MD5_Init(&ctx); MD5_Update(&ctx, md, sizeof(md)); MD5_Update(&ctx, ":", 1); @@ -718,7 +718,7 @@ _kdc_do_digest(krb5_context context, krb5_set_error_message(context, ret, "malloc: out of memory"); goto failed; } - + MD5_Init(&ctx); MD5_Update(&ctx, "AUTHENTICATE:", sizeof("AUTHENTICATE:") - 1); MD5_Update(&ctx, *ireq.u.digestRequest.uri, @@ -729,7 +729,7 @@ _kdc_do_digest(krb5_context context, static char conf_zeros[] = ":00000000000000000000000000000000"; MD5_Update(&ctx, conf_zeros, sizeof(conf_zeros) - 1); } - + MD5_Final(md, &ctx); hex_encode(md, sizeof(md), &A2); if (A2 == NULL) { @@ -763,7 +763,7 @@ _kdc_do_digest(krb5_context context, hex_encode(md, sizeof(md), &mdx); if (mdx == NULL) { - krb5_clear_error_string(context); + krb5_clear_error_message(context); ret = ENOMEM; goto out; } @@ -774,7 +774,7 @@ _kdc_do_digest(krb5_context context, if (ret == 0) { r.u.response.success = TRUE; } else { - kdc_log(context, config, 0, + kdc_log(context, config, 0, "DIGEST-MD5 reply mismatch for %s", ireq.u.digestRequest.username); r.u.response.success = FALSE; @@ -796,13 +796,13 @@ _kdc_do_digest(krb5_context context, if (ireq.u.digestRequest.clientNonce == NULL) { ret = EINVAL; - krb5_set_error_message(context, ret, + krb5_set_error_message(context, ret, "MS-CHAP-V2 clientNonce missing"); goto failed; - } + } if (serverNonce.length != 16) { ret = EINVAL; - krb5_set_error_message(context, ret, + krb5_set_error_message(context, ret, "MS-CHAP-V2 serverNonce wrong length"); goto failed; } @@ -828,11 +828,11 @@ _kdc_do_digest(krb5_context context, goto out; } - ssize = hex_decode(*ireq.u.digestRequest.clientNonce, + ssize = hex_decode(*ireq.u.digestRequest.clientNonce, clientNonce.data, clientNonce.length); if (ssize != 16) { ret = ENOMEM; - krb5_set_error_message(context, ret, + krb5_set_error_message(context, ret, "Failed to decode clientNonce"); goto out; } @@ -847,21 +847,21 @@ _kdc_do_digest(krb5_context context, ret = krb5_parse_name(context, username, &clientprincipal); if (ret) goto failed; - + ret = _kdc_db_fetch(context, config, clientprincipal, HDB_F_GET_CLIENT, NULL, &user); krb5_free_principal(context, clientprincipal); if (ret) { - krb5_set_error_message(context, ret, + krb5_set_error_message(context, ret, "MS-CHAP-V2 user %s not in database", username); goto failed; } - ret = hdb_enctype2key(context, &user->entry, + ret = hdb_enctype2key(context, &user->entry, ETYPE_ARCFOUR_HMAC_MD5, &key); if (ret) { - krb5_set_error_message(context, ret, + krb5_set_error_message(context, ret, "MS-CHAP-V2 missing arcfour key %s", username); goto failed; @@ -875,11 +875,11 @@ _kdc_do_digest(krb5_context context, krb5_set_error_message(context, ret, "NTLM missing arcfour key"); goto failed; } - + hex_encode(answer.data, answer.length, &mdx); if (mdx == NULL) { free(answer.data); - krb5_clear_error_string(context); + krb5_clear_error_message(context); ret = ENOMEM; goto out; } @@ -889,7 +889,7 @@ _kdc_do_digest(krb5_context context, if (ret == 0) { r.u.response.success = TRUE; } else { - kdc_log(context, config, 0, + kdc_log(context, config, 0, "MS-CHAP-V2 hash mismatch for %s", ireq.u.digestRequest.username); r.u.response.success = FALSE; @@ -904,7 +904,7 @@ _kdc_do_digest(krb5_context context, MD4_CTX hctx; MD4_Init(&hctx); - MD4_Update(&hctx, key->key.keyvalue.data, + MD4_Update(&hctx, key->key.keyvalue.data, key->key.keyvalue.length); MD4_Final(hashhash, &hctx); } @@ -925,7 +925,7 @@ _kdc_do_digest(krb5_context context, r.u.response.rsp = calloc(1, sizeof(*r.u.response.rsp)); if (r.u.response.rsp == NULL) { free(answer.data); - krb5_clear_error_string(context); + krb5_clear_error_message(context); ret = ENOMEM; goto out; } @@ -933,7 +933,7 @@ _kdc_do_digest(krb5_context context, hex_encode(md, sizeof(md), r.u.response.rsp); if (r.u.response.rsp == NULL) { free(answer.data); - krb5_clear_error_string(context); + krb5_clear_error_message(context); ret = ENOMEM; goto out; } @@ -947,24 +947,24 @@ _kdc_do_digest(krb5_context context, free(answer.data); - r.u.response.session_key = + r.u.response.session_key = calloc(1, sizeof(*r.u.response.session_key)); if (r.u.response.session_key == NULL) { - krb5_clear_error_string(context); + krb5_clear_error_message(context); ret = ENOMEM; goto out; } ret = krb5_data_copy(r.u.response.session_key, md, 16); if (ret) { - krb5_clear_error_string(context); + krb5_clear_error_message(context); goto out; } } } else { r.element = choice_DigestRepInner_error; - asprintf(&r.u.error.reason, "Unsupported digest type %s", + asprintf(&r.u.error.reason, "Unsupported digest type %s", ireq.u.digestRequest.type); if (r.u.error.reason == NULL) { ret = ENOMEM; @@ -1002,7 +1002,7 @@ _kdc_do_digest(krb5_context context, goto failed; } - r.u.ntlmInitReply.flags |= + r.u.ntlmInitReply.flags |= NTLM_NEG_TARGET | NTLM_TARGET_DOMAIN | NTLM_ENC_128; @@ -1018,7 +1018,7 @@ _kdc_do_digest(krb5_context context, #undef ALL - r.u.ntlmInitReply.targetname = + r.u.ntlmInitReply.targetname = get_ntlm_targetname(context, client); if (r.u.ntlmInitReply.targetname == NULL) { ret = ENOMEM; @@ -1033,7 +1033,7 @@ _kdc_do_digest(krb5_context context, } r.u.ntlmInitReply.challange.length = 8; if (RAND_bytes(r.u.ntlmInitReply.challange.data, - r.u.ntlmInitReply.challange.length) != 1) + r.u.ntlmInitReply.challange.length) != 1) { ret = ENOMEM; krb5_set_error_message(context, ret, "out of random error"); @@ -1057,7 +1057,7 @@ _kdc_do_digest(krb5_context context, goto out; } - /* + /* * Save data encryted in opaque for the second part of the * ntlm authentication */ @@ -1076,13 +1076,13 @@ _kdc_do_digest(krb5_context context, } ret = krb5_store_uint32(sp, r.u.ntlmInitReply.flags); if (ret) { - krb5_clear_error_string(context); + krb5_clear_error_message(context); goto out; } ret = krb5_storage_to_data(sp, &buf); if (ret) { - krb5_clear_error_string(context); + krb5_clear_error_message(context); goto out; } @@ -1109,7 +1109,7 @@ _kdc_do_digest(krb5_context context, uint32_t flags; Key *key = NULL; int version; - + r.element = choice_DigestRepInner_ntlmResponse; r.u.ntlmResponse.success = 0; r.u.ntlmResponse.flags = 0; @@ -1142,7 +1142,7 @@ _kdc_do_digest(krb5_context context, krb5_crypto_destroy(context, crypto); crypto = NULL; if (ret) { - kdc_log(context, config, 0, + kdc_log(context, config, 0, "Failed to decrypt nonce from %s", from); goto failed; } @@ -1173,7 +1173,7 @@ _kdc_do_digest(krb5_context context, goto out; } - ret = hdb_enctype2key(context, &user->entry, + ret = hdb_enctype2key(context, &user->entry, ETYPE_ARCFOUR_HMAC_MD5, &key); if (ret) { krb5_set_error_message(context, ret, "NTLM missing arcfour key"); @@ -1255,7 +1255,7 @@ _kdc_do_digest(krb5_context context, goto failed; } } - + ret = heim_ntlm_calculate_ntlm1(key->key.keyvalue.data, key->key.keyvalue.length, challange, &answer); @@ -1263,7 +1263,7 @@ _kdc_do_digest(krb5_context context, krb5_set_error_message(context, ret, "NTLM missing arcfour key"); goto failed; } - + if (ireq.u.ntlmRequest.ntlm.length != answer.length || memcmp(ireq.u.ntlmRequest.ntlm.data, answer.data, answer.length) != 0) { @@ -1278,7 +1278,7 @@ _kdc_do_digest(krb5_context context, MD4_CTX ctx; MD4_Init(&ctx); - MD4_Update(&ctx, + MD4_Update(&ctx, key->key.keyvalue.data, key->key.keyvalue.length); MD4_Final(sessionkey, &ctx); } @@ -1288,7 +1288,7 @@ _kdc_do_digest(krb5_context context, unsigned char masterkey[MD4_DIGEST_LENGTH]; RC4_KEY rc4; size_t len; - + if ((flags & NTLM_NEG_KEYEX) == 0) { ret = EINVAL; krb5_set_error_message(context, ret, @@ -1296,7 +1296,7 @@ _kdc_do_digest(krb5_context context, "exchange but still sent key"); goto failed; } - + len = ireq.u.ntlmRequest.sessionkey->length; if (len != sizeof(masterkey)){ ret = EINVAL; @@ -1305,22 +1305,22 @@ _kdc_do_digest(krb5_context context, (unsigned long)len); goto failed; } - + RC4_set_key(&rc4, sizeof(sessionkey), sessionkey); - + RC4(&rc4, sizeof(masterkey), - ireq.u.ntlmRequest.sessionkey->data, + ireq.u.ntlmRequest.sessionkey->data, masterkey); memset(&rc4, 0, sizeof(rc4)); - - r.u.ntlmResponse.sessionkey = + + r.u.ntlmResponse.sessionkey = malloc(sizeof(*r.u.ntlmResponse.sessionkey)); if (r.u.ntlmResponse.sessionkey == NULL) { ret = EINVAL; krb5_set_error_message(context, ret, "malloc: out of memory"); goto out; } - + ret = krb5_data_copy(r.u.ntlmResponse.sessionkey, masterkey, sizeof(masterkey)); if (ret) { @@ -1364,7 +1364,7 @@ _kdc_do_digest(krb5_context context, s = krb5_get_error_message(context, ret); if (s == NULL) { - krb5_clear_error_string(context); + krb5_clear_error_message(context); goto out; } @@ -1410,10 +1410,10 @@ _kdc_do_digest(krb5_context context, goto out; } - ret = krb5_encrypt_EncryptedData(context, crypto, KRB5_KU_DIGEST_ENCRYPT, + ret = krb5_encrypt_EncryptedData(context, crypto, KRB5_KU_DIGEST_ENCRYPT, buf.data, buf.length, 0, &rep.innerRep); - + ASN1_MALLOC_ENCODE(DigestREP, reply->data, reply->length, &rep, &size, ret); if (ret) { krb5_set_error_message(context, ret, "Failed to encode digest reply"); @@ -1422,7 +1422,7 @@ _kdc_do_digest(krb5_context context, if (size != reply->length) krb5_abortx(context, "ASN1 internal error"); - + out: if (ac) krb5_auth_con_free(context, ac); -- cgit