search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Catch memory allocation failures [CID-61]
[heimdal.git] / kuser / kdigest.c
blob162e40adfa635ef4a3449666c8b47c40d79f11e4
1 /*
2 * Copyright (c) 2006 - 2007 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
4 * All rights reserved.
5 *
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
8 * are met:
9 *
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
12 *
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
16 *
17 * 3. Neither the name of the Institute nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
20 *
21 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31 * SUCH DAMAGE.
32 */
33
34 #include "kuser_locl.h"
35 RCSID("$Id$");
36 #include <kdigest-commands.h>
37 #include <hex.h>
38 #include <base64.h>
39 #include <heimntlm.h>
40 #include "crypto-headers.h"
41
42 static int version_flag = 0;
43 static int help_flag = 0;
44 static char *ccache_string;
45 static krb5_ccache id;
46
47 static struct getargs args[] = {
48 {"ccache", 0, arg_string, &ccache_string, "credential cache", NULL },
49 {"version", 0, arg_flag, &version_flag, "print version", NULL },
50 {"help", 0, arg_flag, &help_flag, NULL, NULL }
51 };
52
53 static void
54 usage (int ret)
55 {
56 arg_printusage (args, sizeof(args)/sizeof(*args),
57 NULL, "");
58 exit (ret);
59 }
60
61 static krb5_context context;
62
63 int
64 digest_probe(struct digest_probe_options *opt,
65 int argc, char ** argv)
66 {
67 krb5_error_code ret;
68 krb5_realm realm;
69 unsigned flags;
70
71 realm = opt->realm_string;
72
73 if (realm == NULL)
74 errx(1, "realm missing");
75
76 ret = krb5_digest_probe(context, realm, id, &flags);
77 if (ret)
78 krb5_err(context, 1, ret, "digest_probe");
79
80 printf("flags: %u\n", flags);
81
82 return 0;
83 }
84
85 int
86 digest_server_init(struct digest_server_init_options *opt,
87 int argc, char ** argv)
88 {
89 krb5_error_code ret;
90 krb5_digest digest;
91
92 ret = krb5_digest_alloc(context, &digest);
93 if (ret)
94 krb5_err(context, 1, ret, "digest_alloc");
95
96 ret = krb5_digest_set_type(context, digest, opt->type_string);
97 if (ret)
98 krb5_err(context, 1, ret, "krb5_digest_set_type");
99
100 if (opt->cb_type_string && opt->cb_value_string) {
101 ret = krb5_digest_set_server_cb(context, digest,
102 opt->cb_type_string,
103 opt->cb_value_string);
104 if (ret)
105 krb5_err(context, 1, ret, "krb5_digest_set_server_cb");
106 }
107 ret = krb5_digest_init_request(context,
108 digest,
109 opt->kerberos_realm_string,
110 id);
111 if (ret)
112 krb5_err(context, 1, ret, "krb5_digest_init_request");
113
114 printf("type=%s\n", opt->type_string);
115 printf("server-nonce=%s\n",
116 krb5_digest_get_server_nonce(context, digest));
117 {
118 const char *s = krb5_digest_get_identifier(context, digest);
119 if (s)
120 printf("identifier=%s\n", s);
121 }
122 printf("opaque=%s\n", krb5_digest_get_opaque(context, digest));
123
124 krb5_digest_free(digest);
125
126 return 0;
127 }
128
129 int
130 digest_server_request(struct digest_server_request_options *opt,
131 int argc, char **argv)
132 {
133 krb5_error_code ret;
134 krb5_digest digest;
135 const char *status, *rsp;
136 krb5_data session_key;
137
138 if (opt->server_nonce_string == NULL)
139 errx(1, "server nonce missing");
140 if (opt->type_string == NULL)
141 errx(1, "type missing");
142 if (opt->opaque_string == NULL)
143 errx(1, "opaque missing");
144 if (opt->client_response_string == NULL)
145 errx(1, "client response missing");
146
147 ret = krb5_digest_alloc(context, &digest);
148 if (ret)
149 krb5_err(context, 1, ret, "digest_alloc");
150
151 if (strcasecmp(opt->type_string, "CHAP") == 0) {
152 if (opt->server_identifier_string == NULL)
153 errx(1, "server identifier missing");
154
155 ret = krb5_digest_set_identifier(context, digest,
156 opt->server_identifier_string);
157 if (ret)
158 krb5_err(context, 1, ret, "krb5_digest_set_type");
159 }
160
161 ret = krb5_digest_set_type(context, digest, opt->type_string);
162 if (ret)
163 krb5_err(context, 1, ret, "krb5_digest_set_type");
164
165 ret = krb5_digest_set_username(context, digest, opt->username_string);
166 if (ret)
167 krb5_err(context, 1, ret, "krb5_digest_set_username");
168
169 ret = krb5_digest_set_server_nonce(context, digest,
170 opt->server_nonce_string);
171 if (ret)
172 krb5_err(context, 1, ret, "krb5_digest_set_server_nonce");
173
174 if(opt->client_nonce_string) {
175 ret = krb5_digest_set_client_nonce(context, digest,
176 opt->client_nonce_string);
177 if (ret)
178 krb5_err(context, 1, ret, "krb5_digest_set_client_nonce");
179 }
180
181
182 ret = krb5_digest_set_opaque(context, digest, opt->opaque_string);
183 if (ret)
184 krb5_err(context, 1, ret, "krb5_digest_set_opaque");
185
186 ret = krb5_digest_set_responseData(context, digest,
187 opt->client_response_string);
188 if (ret)
189 krb5_err(context, 1, ret, "krb5_digest_set_responseData");
190
191 ret = krb5_digest_request(context, digest,
192 opt->kerberos_realm_string, id);
193 if (ret)
194 krb5_err(context, 1, ret, "krb5_digest_request");
195
196 status = krb5_digest_rep_get_status(context, digest) ? "ok" : "failed";
197 rsp = krb5_digest_get_rsp(context, digest);
198
199 printf("status=%s\n", status);
200 if (rsp)
201 printf("rsp=%s\n", rsp);
202 printf("tickets=no\n");
203
204 ret = krb5_digest_get_session_key(context, digest, &session_key);
205 if (ret)
206 krb5_err(context, 1, ret, "krb5_digest_get_session_key");
207
208 if (session_key.length) {
209 char *key;
210 hex_encode(session_key.data, session_key.length, &key);
211 if (key == NULL)
212 krb5_errx(context, 1, "hex_encode");
213 krb5_data_free(&session_key);
214 printf("session-key=%s\n", key);
215 free(key);
216 }
217
218 krb5_digest_free(digest);
219
220 return 0;
221 }
222
223 static void
224 client_chap(const void *server_nonce, size_t snoncelen,
225 unsigned char server_identifier,
226 const char *password)
227 {
228 MD5_CTX ctx;
229 unsigned char md[MD5_DIGEST_LENGTH];
230 char *h;
231
232 MD5_Init(&ctx);
233 MD5_Update(&ctx, &server_identifier, 1);
234 MD5_Update(&ctx, password, strlen(password));
235 MD5_Update(&ctx, server_nonce, snoncelen);
236 MD5_Final(md, &ctx);
237
238 hex_encode(md, 16, &h);
239
240 printf("responseData=%s\n", h);
241 free(h);
242 }
243
244 static const unsigned char ms_chap_v2_magic1[39] = {
245 0x4D, 0x61, 0x67, 0x69, 0x63, 0x20, 0x73, 0x65, 0x72, 0x76,
246 0x65, 0x72, 0x20, 0x74, 0x6F, 0x20, 0x63, 0x6C, 0x69, 0x65,
247 0x6E, 0x74, 0x20, 0x73, 0x69, 0x67, 0x6E, 0x69, 0x6E, 0x67,
248 0x20, 0x63, 0x6F, 0x6E, 0x73, 0x74, 0x61, 0x6E, 0x74
249 };
250 static const unsigned char ms_chap_v2_magic2[41] = {
251 0x50, 0x61, 0x64, 0x20, 0x74, 0x6F, 0x20, 0x6D, 0x61, 0x6B,
252 0x65, 0x20, 0x69, 0x74, 0x20, 0x64, 0x6F, 0x20, 0x6D, 0x6F,
253 0x72, 0x65, 0x20, 0x74, 0x68, 0x61, 0x6E, 0x20, 0x6F, 0x6E,
254 0x65, 0x20, 0x69, 0x74, 0x65, 0x72, 0x61, 0x74, 0x69, 0x6F,
255 0x6E
256 };
257 static const unsigned char ms_rfc3079_magic1[27] = {
258 0x54, 0x68, 0x69, 0x73, 0x20, 0x69, 0x73, 0x20, 0x74,
259 0x68, 0x65, 0x20, 0x4d, 0x50, 0x50, 0x45, 0x20, 0x4d,
260 0x61, 0x73, 0x74, 0x65, 0x72, 0x20, 0x4b, 0x65, 0x79
261 };
262
263 static void
264 client_mschapv2(const void *server_nonce, size_t snoncelen,
265 const void *client_nonce, size_t cnoncelen,
266 const char *username,
267 const char *password)
268 {
269 SHA_CTX ctx;
270 MD4_CTX hctx;
271 unsigned char md[SHA_DIGEST_LENGTH], challange[SHA_DIGEST_LENGTH];
272 unsigned char hmd[MD4_DIGEST_LENGTH];
273 struct ntlm_buf answer;
274 int i, len, ret;
275 char *h;
276
277 SHA1_Init(&ctx);
278 SHA1_Update(&ctx, client_nonce, cnoncelen);
279 SHA1_Update(&ctx, server_nonce, snoncelen);
280 SHA1_Update(&ctx, username, strlen(username));
281 SHA1_Final(md, &ctx);
282
283 MD4_Init(&hctx);
284 len = strlen(password);
285 for (i = 0; i < len; i++) {
286 MD4_Update(&hctx, &password[i], 1);
287 MD4_Update(&hctx, &password[len], 1);
288 }
289 MD4_Final(hmd, &hctx);
290
291 /* ChallengeResponse */
292 ret = heim_ntlm_calculate_ntlm1(hmd, sizeof(hmd), md, &answer);
293 if (ret)
294 errx(1, "heim_ntlm_calculate_ntlm1");
295
296 hex_encode(answer.data, answer.length, &h);
297 printf("responseData=%s\n", h);
298 free(h);
299
300 /* PasswordHash */
301 MD4_Init(&hctx);
302 MD4_Update(&hctx, hmd, sizeof(hmd));
303 MD4_Final(hmd, &hctx);
304
305 /* GenerateAuthenticatorResponse */
306 SHA1_Init(&ctx);
307 SHA1_Update(&ctx, hmd, sizeof(hmd));
308 SHA1_Update(&ctx, answer.data, answer.length);
309 SHA1_Update(&ctx, ms_chap_v2_magic1, sizeof(ms_chap_v2_magic1));
310 SHA1_Final(md, &ctx);
311
312 /* ChallengeHash */
313 SHA1_Init(&ctx);
314 SHA1_Update(&ctx, client_nonce, cnoncelen);
315 SHA1_Update(&ctx, server_nonce, snoncelen);
316 SHA1_Update(&ctx, username, strlen(username));
317 SHA1_Final(challange, &ctx);
318
319 SHA1_Init(&ctx);
320 SHA1_Update(&ctx, md, sizeof(md));
321 SHA1_Update(&ctx, challange, 8);
322 SHA1_Update(&ctx, ms_chap_v2_magic2, sizeof(ms_chap_v2_magic2));
323 SHA1_Final(md, &ctx);
324
325 hex_encode(md, sizeof(md), &h);
326 printf("AuthenticatorResponse=%s\n", h);
327 free(h);
328
329 /* get_master, rfc 3079 3.4 */
330 SHA1_Init(&ctx);
331 SHA1_Update(&ctx, hmd, sizeof(hmd));
332 SHA1_Update(&ctx, answer.data, answer.length);
333 SHA1_Update(&ctx, ms_rfc3079_magic1, sizeof(ms_rfc3079_magic1));
334 SHA1_Final(md, &ctx);
335
336 free(answer.data);
337
338 hex_encode(md, 16, &h);
339 printf("session-key=%s\n", h);
340 free(h);
341 }
342
343
344 int
345 digest_client_request(struct digest_client_request_options *opt,
346 int argc, char **argv)
347 {
348 char *server_nonce, *client_nonce = NULL, server_identifier;
349 ssize_t snoncelen, cnoncelen = 0;
350
351 if (opt->server_nonce_string == NULL)
352 errx(1, "server nonce missing");
353 if (opt->password_string == NULL)
354 errx(1, "password missing");
355
356 if (opt->opaque_string == NULL)
357 errx(1, "opaque missing");
358
359 snoncelen = strlen(opt->server_nonce_string);
360 server_nonce = malloc(snoncelen);
361 if (server_nonce == NULL)
362 errx(1, "server_nonce");
363
364 snoncelen = hex_decode(opt->server_nonce_string, server_nonce, snoncelen);
365 if (snoncelen <= 0)
366 errx(1, "server nonce wrong");
367
368 if (opt->client_nonce_string) {
369 cnoncelen = strlen(opt->client_nonce_string);
370 client_nonce = malloc(cnoncelen);
371 if (client_nonce == NULL)
372 errx(1, "client_nonce");
373
374 cnoncelen = hex_decode(opt->client_nonce_string,
375 client_nonce, cnoncelen);
376 if (cnoncelen <= 0)
377 errx(1, "client nonce wrong");
378 }
379
380 if (opt->server_identifier_string) {
381 int ret;
382
383 ret = hex_decode(opt->server_identifier_string, &server_identifier, 1);
384 if (ret != 1)
385 errx(1, "server identifier wrong length");
386 }
387
388 if (strcasecmp(opt->type_string, "CHAP") == 0) {
389 if (opt->server_identifier_string == NULL)
390 errx(1, "server identifier missing");
391
392 client_chap(server_nonce, snoncelen, server_identifier,
393 opt->password_string);
394
395 } else if (strcasecmp(opt->type_string, "MS-CHAP-V2") == 0) {
396 if (opt->client_nonce_string == NULL)
397 errx(1, "client nonce missing");
398 if (opt->username_string == NULL)
399 errx(1, "client nonce missing");
400
401 client_mschapv2(server_nonce, snoncelen,
402 client_nonce, cnoncelen,
403 opt->username_string,
404 opt->password_string);
405 }
406 if (client_nonce)
407 free(client_nonce);
408 free(server_nonce);
409
410 return 0;
411 }
412
413 #include <heimntlm.h>
414
415 int
416 ntlm_server_init(struct ntlm_server_init_options *opt,
417 int argc, char ** argv)
418 {
419 krb5_error_code ret;
420 krb5_ntlm ntlm;
421 struct ntlm_type2 type2;
422 krb5_data challange, opaque;
423 struct ntlm_buf data;
424 char *s;
425
426 memset(&type2, 0, sizeof(type2));
427
428 ret = krb5_ntlm_alloc(context, &ntlm);
429 if (ret)
430 krb5_err(context, 1, ret, "krb5_ntlm_alloc");
431
432 ret = krb5_ntlm_init_request(context,
433 ntlm,
434 opt->kerberos_realm_string,
435 id,
436 NTLM_NEG_UNICODE|NTLM_NEG_NTLM,
437 "NUTCRACKER",
438 "L");
439 if (ret)
440 krb5_err(context, 1, ret, "krb5_ntlm_init_request");
441
442 /*
443 *
444 */
445
446 ret = krb5_ntlm_init_get_challange(context, ntlm, &challange);
447 if (ret)
448 krb5_err(context, 1, ret, "krb5_ntlm_init_get_challange");
449
450 if (challange.length != sizeof(type2.challange))
451 krb5_errx(context, 1, "ntlm challange have wrong length");
452 memcpy(type2.challange, challange.data, sizeof(type2.challange));
453 krb5_data_free(&challange);
454
455 ret = krb5_ntlm_init_get_flags(context, ntlm, &type2.flags);
456 if (ret)
457 krb5_err(context, 1, ret, "krb5_ntlm_init_get_flags");
458
459 krb5_ntlm_init_get_targetname(context, ntlm, &type2.targetname);
460 type2.targetinfo.data = "\x00\x00";
461 type2.targetinfo.length = 2;
462
463 ret = heim_ntlm_encode_type2(&type2, &data);
464 if (ret)
465 krb5_errx(context, 1, "heim_ntlm_encode_type2");
466
467 free(type2.targetname);
468
469 /*
470 *
471 */
472
473 base64_encode(data.data, data.length, &s);
474 free(data.data);
475 printf("type2=%s\n", s);
476 free(s);
477
478 /*
479 *
480 */
481
482 ret = krb5_ntlm_init_get_opaque(context, ntlm, &opaque);
483 if (ret)
484 krb5_err(context, 1, ret, "krb5_ntlm_init_get_opaque");
485
486 base64_encode(opaque.data, opaque.length, &s);
487 krb5_data_free(&opaque);
488 printf("opaque=%s\n", s);
489 free(s);
490
491 /*
492 *
493 */
494
495 krb5_ntlm_free(context, ntlm);
496
497 return 0;
498 }
499
500
501 /*
502 *
503 */
504
505 int
506 help(void *opt, int argc, char **argv)
507 {
508 sl_slc_help(commands, argc, argv);
509 return 0;
510 }
511
512 int
513 main(int argc, char **argv)
514 {
515 krb5_error_code ret;
516 int optidx = 0;
517
518 setprogname(argv[0]);
519
520 ret = krb5_init_context (&context);
521 if (ret == KRB5_CONFIG_BADFORMAT)
522 errx (1, "krb5_init_context failed to parse configuration file");
523 else if (ret)
524 errx(1, "krb5_init_context failed: %d", ret);
525
526 if(getarg(args, sizeof(args) / sizeof(args[0]), argc, argv, &optidx))
527 usage(1);
528
529 if (help_flag)
530 usage (0);
531
532 if(version_flag){
533 print_version(NULL);
534 exit(0);
535 }
536
537 argc -= optidx;
538 argv += optidx;
539
540 if (argc == 0) {
541 help(NULL, argc, argv);
542 return 1;
543 }
544
545 if (ccache_string) {
546 ret = krb5_cc_resolve(context, ccache_string, &id);
547 if (ret)
548 krb5_err(context, 1, ret, "krb5_cc_resolve");
549 }
550
551 ret = sl_command (commands, argc, argv);
552 if (ret == -1) {
553 help(NULL, argc, argv);
554 return 1;
555 }
556 return ret;
557 }
Heimdal