xref: /freebsd/crypto/heimdal/kdc/digest.c (revision 031beb4e239bfce798af17f5fe8dba8bcaf13d99)
1 /*
2  * Copyright (c) 2006 - 2007 Kungliga Tekniska Högskolan
3  * (Royal Institute of Technology, Stockholm, Sweden).
4  * All rights reserved.
5  *
6  * Redistribution and use in source and binary forms, with or without
7  * modification, are permitted provided that the following conditions
8  * are met:
9  *
10  * 1. Redistributions of source code must retain the above copyright
11  *    notice, this list of conditions and the following disclaimer.
12  *
13  * 2. Redistributions in binary form must reproduce the above copyright
14  *    notice, this list of conditions and the following disclaimer in the
15  *    documentation and/or other materials provided with the distribution.
16  *
17  * 3. Neither the name of the Institute nor the names of its contributors
18  *    may be used to endorse or promote products derived from this software
19  *    without specific prior written permission.
20  *
21  * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
22  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24  * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
25  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31  * SUCH DAMAGE.
32  */
33 
34 #include "kdc_locl.h"
35 #include <hex.h>
36 
37 #ifdef DIGEST
38 
39 #define MS_CHAP_V2	0x20
40 #define CHAP_MD5	0x10
41 #define DIGEST_MD5	0x08
42 #define NTLM_V2		0x04
43 #define NTLM_V1_SESSION	0x02
44 #define NTLM_V1		0x01
45 
46 const struct units _kdc_digestunits[] = {
47     {"ms-chap-v2",		1U << 5},
48     {"chap-md5",		1U << 4},
49     {"digest-md5",		1U << 3},
50     {"ntlm-v2",		1U << 2},
51     {"ntlm-v1-session",	1U << 1},
52     {"ntlm-v1",		1U << 0},
53     {NULL,	0}
54 };
55 
56 
57 static krb5_error_code
58 get_digest_key(krb5_context context,
59 	       krb5_kdc_configuration *config,
60 	       hdb_entry_ex *server,
61 	       krb5_crypto *crypto)
62 {
63     krb5_error_code ret;
64     krb5_enctype enctype;
65     Key *key;
66 
67     ret = _kdc_get_preferred_key(context,
68 				 config,
69 				 server,
70 				 "digest-service",
71 				 &enctype,
72 				 &key);
73     if (ret)
74 	return ret;
75     return krb5_crypto_init(context, &key->key, 0, crypto);
76 }
77 
78 /*
79  *
80  */
81 
82 static char *
83 get_ntlm_targetname(krb5_context context,
84 		    hdb_entry_ex *client)
85 {
86     char *targetname, *p;
87 
88     targetname = strdup(krb5_principal_get_realm(context,
89 						 client->entry.principal));
90     if (targetname == NULL)
91 	return NULL;
92 
93     p = strchr(targetname, '.');
94     if (p)
95 	*p = '\0';
96 
97     strupr(targetname);
98     return targetname;
99 }
100 
101 static krb5_error_code
102 fill_targetinfo(krb5_context context,
103 		char *targetname,
104 		hdb_entry_ex *client,
105 		krb5_data *data)
106 {
107     struct ntlm_targetinfo ti;
108     krb5_error_code ret;
109     struct ntlm_buf d;
110     krb5_principal p;
111     const char *str;
112 
113     memset(&ti, 0, sizeof(ti));
114 
115     ti.domainname = targetname;
116     p = client->entry.principal;
117     str = krb5_principal_get_comp_string(context, p, 0);
118     if (str != NULL &&
119 	(strcmp("host", str) == 0 ||
120 	 strcmp("ftp", str) == 0 ||
121 	 strcmp("imap", str) == 0 ||
122 	 strcmp("pop", str) == 0 ||
123 	 strcmp("smtp", str)))
124 	{
125 	    str = krb5_principal_get_comp_string(context, p, 1);
126 	    ti.dnsservername = rk_UNCONST(str);
127 	}
128 
129     ret = heim_ntlm_encode_targetinfo(&ti, 1, &d);
130     if (ret)
131 	return ret;
132 
133     data->data = d.data;
134     data->length = d.length;
135 
136     return 0;
137 }
138 
139 
140 static const unsigned char ms_chap_v2_magic1[39] = {
141     0x4D, 0x61, 0x67, 0x69, 0x63, 0x20, 0x73, 0x65, 0x72, 0x76,
142     0x65, 0x72, 0x20, 0x74, 0x6F, 0x20, 0x63, 0x6C, 0x69, 0x65,
143     0x6E, 0x74, 0x20, 0x73, 0x69, 0x67, 0x6E, 0x69, 0x6E, 0x67,
144     0x20, 0x63, 0x6F, 0x6E, 0x73, 0x74, 0x61, 0x6E, 0x74
145 };
146 static const unsigned char ms_chap_v2_magic2[41] = {
147     0x50, 0x61, 0x64, 0x20, 0x74, 0x6F, 0x20, 0x6D, 0x61, 0x6B,
148     0x65, 0x20, 0x69, 0x74, 0x20, 0x64, 0x6F, 0x20, 0x6D, 0x6F,
149     0x72, 0x65, 0x20, 0x74, 0x68, 0x61, 0x6E, 0x20, 0x6F, 0x6E,
150     0x65, 0x20, 0x69, 0x74, 0x65, 0x72, 0x61, 0x74, 0x69, 0x6F,
151     0x6E
152 };
153 static const unsigned char ms_rfc3079_magic1[27] = {
154     0x54, 0x68, 0x69, 0x73, 0x20, 0x69, 0x73, 0x20, 0x74,
155     0x68, 0x65, 0x20, 0x4d, 0x50, 0x50, 0x45, 0x20, 0x4d,
156     0x61, 0x73, 0x74, 0x65, 0x72, 0x20, 0x4b, 0x65, 0x79
157 };
158 
159 /*
160  *
161  */
162 
163 static krb5_error_code
164 get_password_entry(krb5_context context,
165 		   krb5_kdc_configuration *config,
166 		   const char *username,
167 		   char **password)
168 {
169     krb5_principal clientprincipal;
170     krb5_error_code ret;
171     hdb_entry_ex *user;
172     HDB *db;
173 
174     /* get username */
175     ret = krb5_parse_name(context, username, &clientprincipal);
176     if (ret)
177 	return ret;
178 
179     ret = _kdc_db_fetch(context, config, clientprincipal,
180 			HDB_F_GET_CLIENT, NULL, &db, &user);
181     krb5_free_principal(context, clientprincipal);
182     if (ret)
183 	return ret;
184 
185     ret = hdb_entry_get_password(context, db, &user->entry, password);
186     if (ret || password == NULL) {
187 	if (ret == 0) {
188 	    ret = EINVAL;
189 	    krb5_set_error_message(context, ret, "password missing");
190 	}
191 	memset(user, 0, sizeof(*user));
192     }
193     _kdc_free_ent (context, user);
194     return ret;
195 }
196 
197 /*
198  *
199  */
200 
201 krb5_error_code
202 _kdc_do_digest(krb5_context context,
203 	       krb5_kdc_configuration *config,
204 	       const struct DigestREQ *req, krb5_data *reply,
205 	       const char *from, struct sockaddr *addr)
206 {
207     krb5_error_code ret = 0;
208     krb5_ticket *ticket = NULL;
209     krb5_auth_context ac = NULL;
210     krb5_keytab id = NULL;
211     krb5_crypto crypto = NULL;
212     DigestReqInner ireq;
213     DigestRepInner r;
214     DigestREP rep;
215     krb5_flags ap_req_options;
216     krb5_data buf;
217     size_t size;
218     krb5_storage *sp = NULL;
219     Checksum res;
220     hdb_entry_ex *server = NULL, *user = NULL;
221     hdb_entry_ex *client = NULL;
222     char *client_name = NULL, *password = NULL;
223     krb5_data serverNonce;
224 
225     if(!config->enable_digest) {
226 	kdc_log(context, config, 0,
227 		"Rejected digest request (disabled) from %s", from);
228 	return KRB5KDC_ERR_POLICY;
229     }
230 
231     krb5_data_zero(&buf);
232     krb5_data_zero(reply);
233     krb5_data_zero(&serverNonce);
234     memset(&ireq, 0, sizeof(ireq));
235     memset(&r, 0, sizeof(r));
236     memset(&rep, 0, sizeof(rep));
237     memset(&res, 0, sizeof(res));
238 
239     kdc_log(context, config, 0, "Digest request from %s", from);
240 
241     ret = krb5_kt_resolve(context, "HDB:", &id);
242     if (ret) {
243 	kdc_log(context, config, 0, "Can't open database for digest");
244 	goto out;
245     }
246 
247     ret = krb5_rd_req(context,
248 		      &ac,
249 		      &req->apReq,
250 		      NULL,
251 		      id,
252 		      &ap_req_options,
253 		      &ticket);
254     if (ret)
255 	goto out;
256 
257     /* check the server principal in the ticket matches digest/R@R */
258     {
259 	krb5_principal principal = NULL;
260 	const char *p, *rr;
261 
262 	ret = krb5_ticket_get_server(context, ticket, &principal);
263 	if (ret)
264 	    goto out;
265 
266 	ret = EINVAL;
267 	krb5_set_error_message(context, ret, "Wrong digest server principal used");
268 	p = krb5_principal_get_comp_string(context, principal, 0);
269 	if (p == NULL) {
270 	    krb5_free_principal(context, principal);
271 	    goto out;
272 	}
273 	if (strcmp(p, KRB5_DIGEST_NAME) != 0) {
274 	    krb5_free_principal(context, principal);
275 	    goto out;
276 	}
277 
278 	p = krb5_principal_get_comp_string(context, principal, 1);
279 	if (p == NULL) {
280 	    krb5_free_principal(context, principal);
281 	    goto out;
282 	}
283 	rr = krb5_principal_get_realm(context, principal);
284 	if (rr == NULL) {
285 	    krb5_free_principal(context, principal);
286 	    goto out;
287 	}
288 	if (strcmp(p, rr) != 0) {
289 	    krb5_free_principal(context, principal);
290 	    goto out;
291 	}
292 	krb5_clear_error_message(context);
293 
294 	ret = _kdc_db_fetch(context, config, principal,
295 			    HDB_F_GET_SERVER, NULL, NULL, &server);
296 	if (ret)
297 	    goto out;
298 
299 	krb5_free_principal(context, principal);
300     }
301 
302     /* check the client is allowed to do digest auth */
303     {
304 	krb5_principal principal = NULL;
305 
306 	ret = krb5_ticket_get_client(context, ticket, &principal);
307 	if (ret)
308 	    goto out;
309 
310 	ret = krb5_unparse_name(context, principal, &client_name);
311 	if (ret) {
312 	    krb5_free_principal(context, principal);
313 	    goto out;
314 	}
315 
316 	ret = _kdc_db_fetch(context, config, principal,
317 			    HDB_F_GET_CLIENT, NULL, NULL, &client);
318 	krb5_free_principal(context, principal);
319 	if (ret)
320 	    goto out;
321 
322 	if (client->entry.flags.allow_digest == 0) {
323 	    kdc_log(context, config, 0,
324 		    "Client %s tried to use digest "
325 		    "but is not allowed to",
326 		    client_name);
327 	    ret = KRB5KDC_ERR_POLICY;
328 	    krb5_set_error_message(context, ret,
329 				   "Client is not permitted to use digest");
330 	    goto out;
331 	}
332     }
333 
334     /* unpack request */
335     {
336 	krb5_keyblock *key;
337 
338 	ret = krb5_auth_con_getremotesubkey(context, ac, &key);
339 	if (ret)
340 	    goto out;
341 	if (key == NULL) {
342 	    ret = EINVAL;
343 	    krb5_set_error_message(context, ret, "digest: remote subkey not found");
344 	    goto out;
345 	}
346 
347 	ret = krb5_crypto_init(context, key, 0, &crypto);
348 	krb5_free_keyblock (context, key);
349 	if (ret)
350 	    goto out;
351     }
352 
353     ret = krb5_decrypt_EncryptedData(context, crypto, KRB5_KU_DIGEST_ENCRYPT,
354 				     &req->innerReq, &buf);
355     krb5_crypto_destroy(context, crypto);
356     crypto = NULL;
357     if (ret)
358 	goto out;
359 
360     ret = decode_DigestReqInner(buf.data, buf.length, &ireq, NULL);
361     krb5_data_free(&buf);
362     if (ret) {
363 	krb5_set_error_message(context, ret, "Failed to decode digest inner request");
364 	goto out;
365     }
366 
367     kdc_log(context, config, 0, "Valid digest request from %s (%s)",
368 	    client_name, from);
369 
370     /*
371      * Process the inner request
372      */
373 
374     switch (ireq.element) {
375     case choice_DigestReqInner_init: {
376 	unsigned char server_nonce[16], identifier;
377 
378 	RAND_bytes(&identifier, sizeof(identifier));
379 	RAND_bytes(server_nonce, sizeof(server_nonce));
380 
381 	server_nonce[0] = kdc_time & 0xff;
382 	server_nonce[1] = (kdc_time >> 8) & 0xff;
383 	server_nonce[2] = (kdc_time >> 16) & 0xff;
384 	server_nonce[3] = (kdc_time >> 24) & 0xff;
385 
386 	r.element = choice_DigestRepInner_initReply;
387 
388 	hex_encode(server_nonce, sizeof(server_nonce), &r.u.initReply.nonce);
389 	if (r.u.initReply.nonce == NULL) {
390 	    ret = ENOMEM;
391 	    krb5_set_error_message(context, ret, "Failed to decode server nonce");
392 	    goto out;
393 	}
394 
395 	sp = krb5_storage_emem();
396 	if (sp == NULL) {
397 	    ret = ENOMEM;
398 	    krb5_set_error_message(context, ret, "malloc: out of memory");
399 	    goto out;
400 	}
401 	ret = krb5_store_stringz(sp, ireq.u.init.type);
402 	if (ret) {
403 	    krb5_clear_error_message(context);
404 	    goto out;
405 	}
406 
407 	if (ireq.u.init.channel) {
408 	    char *s;
409 
410 	    asprintf(&s, "%s-%s:%s", r.u.initReply.nonce,
411 		     ireq.u.init.channel->cb_type,
412 		     ireq.u.init.channel->cb_binding);
413 	    if (s == NULL) {
414 		ret = ENOMEM;
415 		krb5_set_error_message(context, ret,
416 				       "Failed to allocate channel binding");
417 		goto out;
418 	    }
419 	    free(r.u.initReply.nonce);
420 	    r.u.initReply.nonce = s;
421 	}
422 
423 	ret = krb5_store_stringz(sp, r.u.initReply.nonce);
424 	if (ret) {
425 	    krb5_clear_error_message(context);
426 	    goto out;
427 	}
428 
429 	if (strcasecmp(ireq.u.init.type, "CHAP") == 0) {
430 	    r.u.initReply.identifier =
431 		malloc(sizeof(*r.u.initReply.identifier));
432 	    if (r.u.initReply.identifier == NULL) {
433 		ret = ENOMEM;
434 		krb5_set_error_message(context, ret, "malloc: out of memory");
435 		goto out;
436 	    }
437 
438 	    asprintf(r.u.initReply.identifier, "%02X", identifier & 0xff);
439 	    if (*r.u.initReply.identifier == NULL) {
440 		ret = ENOMEM;
441 		krb5_set_error_message(context, ret, "malloc: out of memory");
442 		goto out;
443 	    }
444 
445 	} else
446 	    r.u.initReply.identifier = NULL;
447 
448 	if (ireq.u.init.hostname) {
449 	    ret = krb5_store_stringz(sp, *ireq.u.init.hostname);
450 	    if (ret) {
451 		krb5_clear_error_message(context);
452 		goto out;
453 	    }
454 	}
455 
456 	ret = krb5_storage_to_data(sp, &buf);
457 	if (ret) {
458 	    krb5_clear_error_message(context);
459 	    goto out;
460 	}
461 
462 	ret = get_digest_key(context, config, server, &crypto);
463 	if (ret)
464 	    goto out;
465 
466 	ret = krb5_create_checksum(context,
467 				   crypto,
468 				   KRB5_KU_DIGEST_OPAQUE,
469 				   0,
470 				   buf.data,
471 				   buf.length,
472 				   &res);
473 	krb5_crypto_destroy(context, crypto);
474 	crypto = NULL;
475 	krb5_data_free(&buf);
476 	if (ret)
477 	    goto out;
478 
479 	ASN1_MALLOC_ENCODE(Checksum, buf.data, buf.length, &res, &size, ret);
480 	free_Checksum(&res);
481 	if (ret) {
482 	    krb5_set_error_message(context, ret, "Failed to encode "
483 				   "checksum in digest request");
484 	    goto out;
485 	}
486 	if (size != buf.length)
487 	    krb5_abortx(context, "ASN1 internal error");
488 
489 	hex_encode(buf.data, buf.length, &r.u.initReply.opaque);
490 	free(buf.data);
491 	krb5_data_zero(&buf);
492 	if (r.u.initReply.opaque == NULL) {
493 	    krb5_clear_error_message(context);
494 	    ret = ENOMEM;
495 	    goto out;
496 	}
497 
498 	kdc_log(context, config, 0, "Digest %s init request successful from %s",
499 		ireq.u.init.type, from);
500 
501 	break;
502     }
503     case choice_DigestReqInner_digestRequest: {
504 	sp = krb5_storage_emem();
505 	if (sp == NULL) {
506 	    ret = ENOMEM;
507 	    krb5_set_error_message(context, ret, "malloc: out of memory");
508 	    goto out;
509 	}
510 	ret = krb5_store_stringz(sp, ireq.u.digestRequest.type);
511 	if (ret) {
512 	    krb5_clear_error_message(context);
513 	    goto out;
514 	}
515 
516 	krb5_store_stringz(sp, ireq.u.digestRequest.serverNonce);
517 
518 	if (ireq.u.digestRequest.hostname) {
519 	    ret = krb5_store_stringz(sp, *ireq.u.digestRequest.hostname);
520 	    if (ret) {
521 		krb5_clear_error_message(context);
522 		goto out;
523 	    }
524 	}
525 
526 	buf.length = strlen(ireq.u.digestRequest.opaque);
527 	buf.data = malloc(buf.length);
528 	if (buf.data == NULL) {
529 	    ret = ENOMEM;
530 	    krb5_set_error_message(context, ret, "malloc: out of memory");
531 	    goto out;
532 	}
533 
534 	ret = hex_decode(ireq.u.digestRequest.opaque, buf.data, buf.length);
535 	if (ret <= 0) {
536 	    ret = ENOMEM;
537 	    krb5_set_error_message(context, ret, "Failed to decode opaque");
538 	    goto out;
539 	}
540 	buf.length = ret;
541 
542 	ret = decode_Checksum(buf.data, buf.length, &res, NULL);
543 	free(buf.data);
544 	krb5_data_zero(&buf);
545 	if (ret) {
546 	    krb5_set_error_message(context, ret,
547 				   "Failed to decode digest Checksum");
548 	    goto out;
549 	}
550 
551 	ret = krb5_storage_to_data(sp, &buf);
552 	if (ret) {
553 	    krb5_clear_error_message(context);
554 	    goto out;
555 	}
556 
557 	serverNonce.length = strlen(ireq.u.digestRequest.serverNonce);
558 	serverNonce.data = malloc(serverNonce.length);
559 	if (serverNonce.data == NULL) {
560 	    ret = ENOMEM;
561 	    krb5_set_error_message(context, ret, "malloc: out of memory");
562 	    goto out;
563 	}
564 
565 	/*
566 	 * CHAP does the checksum of the raw nonce, but do it for all
567 	 * types, since we need to check the timestamp.
568 	 */
569 	{
570 	    ssize_t ssize;
571 
572 	    ssize = hex_decode(ireq.u.digestRequest.serverNonce,
573 			       serverNonce.data, serverNonce.length);
574 	    if (ssize <= 0) {
575 		ret = ENOMEM;
576 		krb5_set_error_message(context, ret, "Failed to decode serverNonce");
577 		goto out;
578 	    }
579 	    serverNonce.length = ssize;
580 	}
581 
582 	ret = get_digest_key(context, config, server, &crypto);
583 	if (ret)
584 	    goto out;
585 
586 	ret = krb5_verify_checksum(context, crypto,
587 				   KRB5_KU_DIGEST_OPAQUE,
588 				   buf.data, buf.length, &res);
589 	free_Checksum(&res);
590 	krb5_data_free(&buf);
591 	krb5_crypto_destroy(context, crypto);
592 	crypto = NULL;
593 	if (ret)
594 	    goto out;
595 
596 	/* verify time */
597 	{
598 	    unsigned char *p = serverNonce.data;
599 	    uint32_t t;
600 
601 	    if (serverNonce.length < 4) {
602 		ret = EINVAL;
603 		krb5_set_error_message(context, ret, "server nonce too short");
604 		goto out;
605 	    }
606 	    t = p[0] | (p[1] << 8) | (p[2] << 16) | (p[3] << 24);
607 
608 	    if (abs((kdc_time & 0xffffffff) - t) > context->max_skew) {
609 		ret = EINVAL;
610 		krb5_set_error_message(context, ret, "time screw in server nonce ");
611 		goto out;
612 	    }
613 	}
614 
615 	if (strcasecmp(ireq.u.digestRequest.type, "CHAP") == 0) {
616 	    EVP_MD_CTX *ctx;
617 	    unsigned char md[MD5_DIGEST_LENGTH];
618 	    char *mdx;
619 	    char idx;
620 
621 	    if ((config->digests_allowed & CHAP_MD5) == 0) {
622 		kdc_log(context, config, 0, "Digest CHAP MD5 not allowed");
623 		goto out;
624 	    }
625 
626 	    if (ireq.u.digestRequest.identifier == NULL) {
627 		ret = EINVAL;
628 		krb5_set_error_message(context, ret, "Identifier missing "
629 				       "from CHAP request");
630 		goto out;
631 	    }
632 
633 	    if (hex_decode(*ireq.u.digestRequest.identifier, &idx, 1) != 1) {
634 		ret = EINVAL;
635 		krb5_set_error_message(context, ret, "failed to decode identifier");
636 		goto out;
637 	    }
638 
639 	    ret = get_password_entry(context, config,
640 				     ireq.u.digestRequest.username,
641 				     &password);
642 	    if (ret)
643 		goto out;
644 
645 	    ctx = EVP_MD_CTX_create();
646 
647 	    EVP_DigestInit_ex(ctx, EVP_md5(), NULL);
648 	    EVP_DigestUpdate(ctx, &idx, 1);
649 	    EVP_DigestUpdate(ctx, password, strlen(password));
650 	    EVP_DigestUpdate(ctx, serverNonce.data, serverNonce.length);
651 	    EVP_DigestFinal_ex(ctx, md, NULL);
652 
653 	    EVP_MD_CTX_destroy(ctx);
654 
655 	    hex_encode(md, sizeof(md), &mdx);
656 	    if (mdx == NULL) {
657 		krb5_clear_error_message(context);
658 		ret = ENOMEM;
659 		goto out;
660 	    }
661 
662 	    r.element = choice_DigestRepInner_response;
663 
664 	    ret = strcasecmp(mdx, ireq.u.digestRequest.responseData);
665 	    free(mdx);
666 	    if (ret == 0) {
667 		r.u.response.success = TRUE;
668 	    } else {
669 		kdc_log(context, config, 0,
670 			"CHAP reply mismatch for %s",
671 			ireq.u.digestRequest.username);
672 		r.u.response.success = FALSE;
673 	    }
674 
675 	} else if (strcasecmp(ireq.u.digestRequest.type, "SASL-DIGEST-MD5") == 0) {
676 	    EVP_MD_CTX *ctx;
677 	    unsigned char md[MD5_DIGEST_LENGTH];
678 	    char *mdx;
679 	    char *A1, *A2;
680 
681 	    if ((config->digests_allowed & DIGEST_MD5) == 0) {
682 		kdc_log(context, config, 0, "Digest SASL MD5 not allowed");
683 		goto out;
684 	    }
685 
686 	    if (ireq.u.digestRequest.nonceCount == NULL)
687 		goto out;
688 	    if (ireq.u.digestRequest.clientNonce == NULL)
689 		goto out;
690 	    if (ireq.u.digestRequest.qop == NULL)
691 		goto out;
692 	    if (ireq.u.digestRequest.realm == NULL)
693 		goto out;
694 
695 	    ret = get_password_entry(context, config,
696 				     ireq.u.digestRequest.username,
697 				     &password);
698 	    if (ret)
699 		goto failed;
700 
701 	    ctx = EVP_MD_CTX_create();
702 
703 	    EVP_DigestInit_ex(ctx, EVP_md5(), NULL);
704 	    EVP_DigestUpdate(ctx, ireq.u.digestRequest.username,
705 		       strlen(ireq.u.digestRequest.username));
706 	    EVP_DigestUpdate(ctx, ":", 1);
707 	    EVP_DigestUpdate(ctx, *ireq.u.digestRequest.realm,
708 		       strlen(*ireq.u.digestRequest.realm));
709 	    EVP_DigestUpdate(ctx, ":", 1);
710 	    EVP_DigestUpdate(ctx, password, strlen(password));
711 	    EVP_DigestFinal_ex(ctx, md, NULL);
712 
713 	    EVP_DigestInit_ex(ctx, EVP_md5(), NULL);
714 	    EVP_DigestUpdate(ctx, md, sizeof(md));
715 	    EVP_DigestUpdate(ctx, ":", 1);
716 	    EVP_DigestUpdate(ctx, ireq.u.digestRequest.serverNonce,
717 		       strlen(ireq.u.digestRequest.serverNonce));
718 	    EVP_DigestUpdate(ctx, ":", 1);
719 	    EVP_DigestUpdate(ctx, *ireq.u.digestRequest.nonceCount,
720 		       strlen(*ireq.u.digestRequest.nonceCount));
721 	    if (ireq.u.digestRequest.authid) {
722 		EVP_DigestUpdate(ctx, ":", 1);
723 		EVP_DigestUpdate(ctx, *ireq.u.digestRequest.authid,
724 			   strlen(*ireq.u.digestRequest.authid));
725 	    }
726 	    EVP_DigestFinal_ex(ctx, md, NULL);
727 	    hex_encode(md, sizeof(md), &A1);
728 	    if (A1 == NULL) {
729 		ret = ENOMEM;
730 		krb5_set_error_message(context, ret, "malloc: out of memory");
731 		EVP_MD_CTX_destroy(ctx);
732 		goto failed;
733 	    }
734 
735 	    EVP_DigestInit_ex(ctx, EVP_md5(), NULL);
736 	    EVP_DigestUpdate(ctx,
737 			     "AUTHENTICATE:", sizeof("AUTHENTICATE:") - 1);
738 	    EVP_DigestUpdate(ctx, *ireq.u.digestRequest.uri,
739 		       strlen(*ireq.u.digestRequest.uri));
740 
741 	    /* conf|int */
742 	    if (strcmp(ireq.u.digestRequest.digest, "clear") != 0) {
743 		static char conf_zeros[] = ":00000000000000000000000000000000";
744 		EVP_DigestUpdate(ctx, conf_zeros, sizeof(conf_zeros) - 1);
745 	    }
746 
747 	    EVP_DigestFinal_ex(ctx, md, NULL);
748 
749 	    hex_encode(md, sizeof(md), &A2);
750 	    if (A2 == NULL) {
751 		ret = ENOMEM;
752 		krb5_set_error_message(context, ret, "malloc: out of memory");
753 		free(A1);
754 		goto failed;
755 	    }
756 
757 	    EVP_DigestInit_ex(ctx, EVP_md5(), NULL);
758 	    EVP_DigestUpdate(ctx, A1, strlen(A2));
759 	    EVP_DigestUpdate(ctx, ":", 1);
760 	    EVP_DigestUpdate(ctx, ireq.u.digestRequest.serverNonce,
761 		       strlen(ireq.u.digestRequest.serverNonce));
762 	    EVP_DigestUpdate(ctx, ":", 1);
763 	    EVP_DigestUpdate(ctx, *ireq.u.digestRequest.nonceCount,
764 		       strlen(*ireq.u.digestRequest.nonceCount));
765 	    EVP_DigestUpdate(ctx, ":", 1);
766 	    EVP_DigestUpdate(ctx, *ireq.u.digestRequest.clientNonce,
767 		       strlen(*ireq.u.digestRequest.clientNonce));
768 	    EVP_DigestUpdate(ctx, ":", 1);
769 	    EVP_DigestUpdate(ctx, *ireq.u.digestRequest.qop,
770 		       strlen(*ireq.u.digestRequest.qop));
771 	    EVP_DigestUpdate(ctx, ":", 1);
772 	    EVP_DigestUpdate(ctx, A2, strlen(A2));
773 
774 	    EVP_DigestFinal_ex(ctx, md, NULL);
775 
776 	    EVP_MD_CTX_destroy(ctx);
777 
778 	    free(A1);
779 	    free(A2);
780 
781 	    hex_encode(md, sizeof(md), &mdx);
782 	    if (mdx == NULL) {
783 		krb5_clear_error_message(context);
784 		ret = ENOMEM;
785 		goto out;
786 	    }
787 
788 	    r.element = choice_DigestRepInner_response;
789 	    ret = strcasecmp(mdx, ireq.u.digestRequest.responseData);
790 	    free(mdx);
791 	    if (ret == 0) {
792 		r.u.response.success = TRUE;
793 	    } else {
794 		kdc_log(context, config, 0,
795 			"DIGEST-MD5 reply mismatch for %s",
796 			ireq.u.digestRequest.username);
797 		r.u.response.success = FALSE;
798 	    }
799 
800 	} else if (strcasecmp(ireq.u.digestRequest.type, "MS-CHAP-V2") == 0) {
801 	    unsigned char md[SHA_DIGEST_LENGTH], challange[SHA_DIGEST_LENGTH];
802 	    krb5_principal clientprincipal = NULL;
803 	    char *mdx;
804 	    const char *username;
805 	    struct ntlm_buf answer;
806 	    Key *key = NULL;
807 	    EVP_MD_CTX *ctp;
808 
809 	    if ((config->digests_allowed & MS_CHAP_V2) == 0) {
810 		kdc_log(context, config, 0, "MS-CHAP-V2 not allowed");
811 		goto failed;
812 	    }
813 
814 	    if (ireq.u.digestRequest.clientNonce == NULL)  {
815 		ret = EINVAL;
816 		krb5_set_error_message(context, ret,
817 				       "MS-CHAP-V2 clientNonce missing");
818 		goto failed;
819 	    }
820 	    if (serverNonce.length != 16) {
821 		ret = EINVAL;
822 		krb5_set_error_message(context, ret,
823 				       "MS-CHAP-V2 serverNonce wrong length");
824 		goto failed;
825 	    }
826 
827 	    /* strip of the domain component */
828 	    username = strchr(ireq.u.digestRequest.username, '\\');
829 	    if (username == NULL)
830 		username = ireq.u.digestRequest.username;
831 	    else
832 		username++;
833 
834 	    ctp = EVP_MD_CTX_create();
835 
836 	    /* ChallangeHash */
837 	    EVP_DigestInit_ex(ctp, EVP_sha1(), NULL);
838 	    {
839 		ssize_t ssize;
840 		krb5_data clientNonce;
841 
842 		clientNonce.length = strlen(*ireq.u.digestRequest.clientNonce);
843 		clientNonce.data = malloc(clientNonce.length);
844 		if (clientNonce.data == NULL) {
845 		    ret = ENOMEM;
846 		    krb5_set_error_message(context, ret,
847 					   "malloc: out of memory");
848 		    EVP_MD_CTX_destroy(ctp);
849 		    goto out;
850 		}
851 
852 		ssize = hex_decode(*ireq.u.digestRequest.clientNonce,
853 				   clientNonce.data, clientNonce.length);
854 		if (ssize != 16) {
855 		    ret = ENOMEM;
856 		    krb5_set_error_message(context, ret,
857 					   "Failed to decode clientNonce");
858 		    EVP_MD_CTX_destroy(ctp);
859 		    goto out;
860 		}
861 		EVP_DigestUpdate(ctp, clientNonce.data, ssize);
862 		free(clientNonce.data);
863 	    }
864 	    EVP_DigestUpdate(ctp, serverNonce.data, serverNonce.length);
865 	    EVP_DigestUpdate(ctp, username, strlen(username));
866 
867 	    EVP_DigestFinal_ex(ctp, challange, NULL);
868 
869 	    EVP_MD_CTX_destroy(ctp);
870 
871 	    /* NtPasswordHash */
872 	    ret = krb5_parse_name(context, username, &clientprincipal);
873 	    if (ret)
874 		goto failed;
875 
876 	    ret = _kdc_db_fetch(context, config, clientprincipal,
877 				HDB_F_GET_CLIENT, NULL, NULL, &user);
878 	    krb5_free_principal(context, clientprincipal);
879 	    if (ret) {
880 		krb5_set_error_message(context, ret,
881 				       "MS-CHAP-V2 user %s not in database",
882 				       username);
883 		goto failed;
884 	    }
885 
886 	    ret = hdb_enctype2key(context, &user->entry,
887 				  ETYPE_ARCFOUR_HMAC_MD5, &key);
888 	    if (ret) {
889 		krb5_set_error_message(context, ret,
890 				       "MS-CHAP-V2 missing arcfour key %s",
891 				       username);
892 		goto failed;
893 	    }
894 
895 	    /* ChallengeResponse */
896 	    ret = heim_ntlm_calculate_ntlm1(key->key.keyvalue.data,
897 					    key->key.keyvalue.length,
898 					    challange, &answer);
899 	    if (ret) {
900 		krb5_set_error_message(context, ret, "NTLM missing arcfour key");
901 		goto failed;
902 	    }
903 
904 	    hex_encode(answer.data, answer.length, &mdx);
905 	    if (mdx == NULL) {
906 		free(answer.data);
907 		krb5_clear_error_message(context);
908 		ret = ENOMEM;
909 		goto out;
910 	    }
911 
912 	    r.element = choice_DigestRepInner_response;
913 	    ret = strcasecmp(mdx, ireq.u.digestRequest.responseData);
914 	    if (ret == 0) {
915 		r.u.response.success = TRUE;
916 	    } else {
917 		kdc_log(context, config, 0,
918 			"MS-CHAP-V2 hash mismatch for %s",
919 			ireq.u.digestRequest.username);
920 		r.u.response.success = FALSE;
921 	    }
922 	    free(mdx);
923 
924 	    if (r.u.response.success) {
925 		unsigned char hashhash[MD4_DIGEST_LENGTH];
926 		EVP_MD_CTX *ctxp;
927 
928 		ctxp = EVP_MD_CTX_create();
929 
930 		/* hashhash */
931 		{
932 		    EVP_DigestInit_ex(ctxp, EVP_md4(), NULL);
933 		    EVP_DigestUpdate(ctxp,
934 				     key->key.keyvalue.data,
935 				     key->key.keyvalue.length);
936 		    EVP_DigestFinal_ex(ctxp, hashhash, NULL);
937 		}
938 
939 		/* GenerateAuthenticatorResponse */
940 		EVP_DigestInit_ex(ctxp, EVP_sha1(), NULL);
941 		EVP_DigestUpdate(ctxp, hashhash, sizeof(hashhash));
942 		EVP_DigestUpdate(ctxp, answer.data, answer.length);
943 		EVP_DigestUpdate(ctxp, ms_chap_v2_magic1,
944 				 sizeof(ms_chap_v2_magic1));
945 		EVP_DigestFinal_ex(ctxp, md, NULL);
946 
947 		EVP_DigestInit_ex(ctxp, EVP_sha1(), NULL);
948 		EVP_DigestUpdate(ctxp, md, sizeof(md));
949 		EVP_DigestUpdate(ctxp, challange, 8);
950 		EVP_DigestUpdate(ctxp, ms_chap_v2_magic2,
951 				 sizeof(ms_chap_v2_magic2));
952 		EVP_DigestFinal_ex(ctxp, md, NULL);
953 
954 		r.u.response.rsp = calloc(1, sizeof(*r.u.response.rsp));
955 		if (r.u.response.rsp == NULL) {
956 		    free(answer.data);
957 		    krb5_clear_error_message(context);
958 		    EVP_MD_CTX_destroy(ctxp);
959 		    ret = ENOMEM;
960 		    goto out;
961 		}
962 
963 		hex_encode(md, sizeof(md), r.u.response.rsp);
964 		if (r.u.response.rsp == NULL) {
965 		    free(answer.data);
966 		    krb5_clear_error_message(context);
967 		    EVP_MD_CTX_destroy(ctxp);
968 		    ret = ENOMEM;
969 		    goto out;
970 		}
971 
972 		/* get_master, rfc 3079 3.4 */
973 		EVP_DigestInit_ex(ctxp, EVP_sha1(), NULL);
974 		EVP_DigestUpdate(ctxp, hashhash, 16);
975 		EVP_DigestUpdate(ctxp, answer.data, answer.length);
976 		EVP_DigestUpdate(ctxp, ms_rfc3079_magic1,
977 				 sizeof(ms_rfc3079_magic1));
978 		EVP_DigestFinal_ex(ctxp, md, NULL);
979 
980 		free(answer.data);
981 
982 		EVP_MD_CTX_destroy(ctxp);
983 
984 		r.u.response.session_key =
985 		    calloc(1, sizeof(*r.u.response.session_key));
986 		if (r.u.response.session_key == NULL) {
987 		    krb5_clear_error_message(context);
988 		    ret = ENOMEM;
989 		    goto out;
990 		}
991 
992 		ret = krb5_data_copy(r.u.response.session_key, md, 16);
993 		if (ret) {
994 		    krb5_clear_error_message(context);
995 		    goto out;
996 		}
997 	    }
998 
999 	} else {
1000 	    r.element = choice_DigestRepInner_error;
1001 	    asprintf(&r.u.error.reason, "Unsupported digest type %s",
1002 		     ireq.u.digestRequest.type);
1003 	    if (r.u.error.reason == NULL) {
1004 		ret = ENOMEM;
1005 		krb5_set_error_message(context, ret, "malloc: out of memory");
1006 		goto out;
1007 	    }
1008 	    r.u.error.code = EINVAL;
1009 	}
1010 
1011 	kdc_log(context, config, 0, "Digest %s request successful %s",
1012 		ireq.u.digestRequest.type, ireq.u.digestRequest.username);
1013 
1014 	break;
1015     }
1016     case choice_DigestReqInner_ntlmInit:
1017 
1018 	if ((config->digests_allowed & (NTLM_V1|NTLM_V1_SESSION|NTLM_V2)) == 0) {
1019 	    kdc_log(context, config, 0, "NTLM not allowed");
1020 	    goto failed;
1021 	}
1022 
1023 	r.element = choice_DigestRepInner_ntlmInitReply;
1024 
1025 	r.u.ntlmInitReply.flags = NTLM_NEG_UNICODE;
1026 
1027 	if ((ireq.u.ntlmInit.flags & NTLM_NEG_UNICODE) == 0) {
1028 	    kdc_log(context, config, 0, "NTLM client have no unicode");
1029 	    goto failed;
1030 	}
1031 
1032 	if (ireq.u.ntlmInit.flags & NTLM_NEG_NTLM)
1033 	    r.u.ntlmInitReply.flags |= NTLM_NEG_NTLM;
1034 	else {
1035 	    kdc_log(context, config, 0, "NTLM client doesn't support NTLM");
1036 	    goto failed;
1037 	}
1038 
1039 	r.u.ntlmInitReply.flags |=
1040 	    NTLM_NEG_TARGET |
1041 	    NTLM_TARGET_DOMAIN |
1042 	    NTLM_ENC_128;
1043 
1044 #define ALL					\
1045 	NTLM_NEG_SIGN|				\
1046 	    NTLM_NEG_SEAL|			\
1047 	    NTLM_NEG_ALWAYS_SIGN|		\
1048 	    NTLM_NEG_NTLM2_SESSION|		\
1049 	    NTLM_NEG_KEYEX
1050 
1051 	r.u.ntlmInitReply.flags |= (ireq.u.ntlmInit.flags & (ALL));
1052 
1053 #undef ALL
1054 
1055 	r.u.ntlmInitReply.targetname =
1056 	    get_ntlm_targetname(context, client);
1057 	if (r.u.ntlmInitReply.targetname == NULL) {
1058 	    ret = ENOMEM;
1059 	    krb5_set_error_message(context, ret, "malloc: out of memory");
1060 	    goto out;
1061 	}
1062 	r.u.ntlmInitReply.challange.data = malloc(8);
1063 	if (r.u.ntlmInitReply.challange.data == NULL) {
1064 	    ret = ENOMEM;
1065 	    krb5_set_error_message(context, ret, "malloc: out of memory");
1066 	    goto out;
1067 	}
1068 	r.u.ntlmInitReply.challange.length = 8;
1069 	if (RAND_bytes(r.u.ntlmInitReply.challange.data,
1070 		       r.u.ntlmInitReply.challange.length) != 1)
1071 	    {
1072 		ret = ENOMEM;
1073 		krb5_set_error_message(context, ret, "out of random error");
1074 		goto out;
1075 	    }
1076 	/* XXX fix targetinfo */
1077 	ALLOC(r.u.ntlmInitReply.targetinfo);
1078 	if (r.u.ntlmInitReply.targetinfo == NULL) {
1079 	    ret = ENOMEM;
1080 	    krb5_set_error_message(context, ret, "malloc: out of memory");
1081 	    goto out;
1082 	}
1083 
1084 	ret = fill_targetinfo(context,
1085 			      r.u.ntlmInitReply.targetname,
1086 			      client,
1087 			      r.u.ntlmInitReply.targetinfo);
1088 	if (ret) {
1089 	    ret = ENOMEM;
1090 	    krb5_set_error_message(context, ret, "malloc: out of memory");
1091 	    goto out;
1092 	}
1093 
1094 	/*
1095 	 * Save data encryted in opaque for the second part of the
1096 	 * ntlm authentication
1097 	 */
1098 	sp = krb5_storage_emem();
1099 	if (sp == NULL) {
1100 	    ret = ENOMEM;
1101 	    krb5_set_error_message(context, ret, "malloc: out of memory");
1102 	    goto out;
1103 	}
1104 
1105 	ret = krb5_storage_write(sp, r.u.ntlmInitReply.challange.data, 8);
1106 	if (ret != 8) {
1107 	    ret = ENOMEM;
1108 	    krb5_set_error_message(context, ret, "storage write challange");
1109 	    goto out;
1110 	}
1111 	ret = krb5_store_uint32(sp, r.u.ntlmInitReply.flags);
1112 	if (ret) {
1113 	    krb5_clear_error_message(context);
1114 	    goto out;
1115 	}
1116 
1117 	ret = krb5_storage_to_data(sp, &buf);
1118 	if (ret) {
1119 	    krb5_clear_error_message(context);
1120 	    goto out;
1121 	}
1122 
1123 	ret = get_digest_key(context, config, server, &crypto);
1124 	if (ret)
1125 	    goto out;
1126 
1127 	ret = krb5_encrypt(context, crypto, KRB5_KU_DIGEST_OPAQUE,
1128 			   buf.data, buf.length, &r.u.ntlmInitReply.opaque);
1129 	krb5_data_free(&buf);
1130 	krb5_crypto_destroy(context, crypto);
1131 	crypto = NULL;
1132 	if (ret)
1133 	    goto out;
1134 
1135 	kdc_log(context, config, 0, "NTLM init from %s", from);
1136 
1137 	break;
1138 
1139     case choice_DigestReqInner_ntlmRequest: {
1140 	krb5_principal clientprincipal;
1141 	unsigned char sessionkey[16];
1142 	unsigned char challange[8];
1143 	uint32_t flags;
1144 	Key *key = NULL;
1145 	int version;
1146 
1147 	r.element = choice_DigestRepInner_ntlmResponse;
1148 	r.u.ntlmResponse.success = 0;
1149 	r.u.ntlmResponse.flags = 0;
1150 	r.u.ntlmResponse.sessionkey = NULL;
1151 	r.u.ntlmResponse.tickets = NULL;
1152 
1153 	/* get username */
1154 	ret = krb5_parse_name(context,
1155 			      ireq.u.ntlmRequest.username,
1156 			      &clientprincipal);
1157 	if (ret)
1158 	    goto failed;
1159 
1160 	ret = _kdc_db_fetch(context, config, clientprincipal,
1161 			    HDB_F_GET_CLIENT, NULL, NULL, &user);
1162 	krb5_free_principal(context, clientprincipal);
1163 	if (ret) {
1164 	    krb5_set_error_message(context, ret, "NTLM user %s not in database",
1165 				   ireq.u.ntlmRequest.username);
1166 	    goto failed;
1167 	}
1168 
1169 	ret = get_digest_key(context, config, server, &crypto);
1170 	if (ret)
1171 	    goto failed;
1172 
1173 	ret = krb5_decrypt(context, crypto, KRB5_KU_DIGEST_OPAQUE,
1174 			   ireq.u.ntlmRequest.opaque.data,
1175 			   ireq.u.ntlmRequest.opaque.length, &buf);
1176 	krb5_crypto_destroy(context, crypto);
1177 	crypto = NULL;
1178 	if (ret) {
1179 	    kdc_log(context, config, 0,
1180 		    "Failed to decrypt nonce from %s", from);
1181 	    goto failed;
1182 	}
1183 
1184 	sp = krb5_storage_from_data(&buf);
1185 	if (sp == NULL) {
1186 	    ret = ENOMEM;
1187 	    krb5_set_error_message(context, ret, "malloc: out of memory");
1188 	    goto out;
1189 	}
1190 
1191 	ret = krb5_storage_read(sp, challange, sizeof(challange));
1192 	if (ret != sizeof(challange)) {
1193 	    ret = ENOMEM;
1194 	    krb5_set_error_message(context, ret, "NTLM storage read challange");
1195 	    goto out;
1196 	}
1197 	ret = krb5_ret_uint32(sp, &flags);
1198 	if (ret) {
1199 	    krb5_set_error_message(context, ret, "NTLM storage read flags");
1200 	    goto out;
1201 	}
1202 	krb5_storage_free(sp);
1203 	sp = NULL;
1204 	krb5_data_free(&buf);
1205 
1206 	if ((flags & NTLM_NEG_NTLM) == 0) {
1207 	    ret = EINVAL;
1208 	    krb5_set_error_message(context, ret, "NTLM not negotiated");
1209 	    goto out;
1210 	}
1211 
1212 	ret = hdb_enctype2key(context, &user->entry,
1213 			      ETYPE_ARCFOUR_HMAC_MD5, &key);
1214 	if (ret) {
1215 	    krb5_set_error_message(context, ret, "NTLM missing arcfour key");
1216 	    goto out;
1217 	}
1218 
1219 	/* check if this is NTLMv2 */
1220 	if (ireq.u.ntlmRequest.ntlm.length != 24) {
1221 	    struct ntlm_buf infotarget, answer;
1222 	    char *targetname;
1223 
1224 	    if ((config->digests_allowed & NTLM_V2) == 0) {
1225 		kdc_log(context, config, 0, "NTLM v2 not allowed");
1226 		goto out;
1227 	    }
1228 
1229 	    version = 2;
1230 
1231 	    targetname = get_ntlm_targetname(context, client);
1232 	    if (targetname == NULL) {
1233 		ret = ENOMEM;
1234 		krb5_set_error_message(context, ret, "malloc: out of memory");
1235 		goto out;
1236 	    }
1237 
1238 	    answer.length = ireq.u.ntlmRequest.ntlm.length;
1239 	    answer.data = ireq.u.ntlmRequest.ntlm.data;
1240 
1241 	    ret = heim_ntlm_verify_ntlm2(key->key.keyvalue.data,
1242 					 key->key.keyvalue.length,
1243 					 ireq.u.ntlmRequest.username,
1244 					 targetname,
1245 					 0,
1246 					 challange,
1247 					 &answer,
1248 					 &infotarget,
1249 					 sessionkey);
1250 	    free(targetname);
1251 	    if (ret) {
1252 		krb5_set_error_message(context, ret, "NTLM v2 verify failed");
1253 		goto failed;
1254 	    }
1255 
1256 	    /* XXX verify infotarget matches client (checksum ?) */
1257 
1258 	    free(infotarget.data);
1259 	    /* */
1260 
1261 	} else {
1262 	    struct ntlm_buf answer;
1263 
1264 	    version = 1;
1265 
1266 	    if (flags & NTLM_NEG_NTLM2_SESSION) {
1267 		unsigned char sessionhash[MD5_DIGEST_LENGTH];
1268 		EVP_MD_CTX *ctx;
1269 
1270 		if ((config->digests_allowed & NTLM_V1_SESSION) == 0) {
1271 		    kdc_log(context, config, 0, "NTLM v1-session not allowed");
1272 		    ret = EINVAL;
1273 		    goto failed;
1274 		}
1275 
1276 		if (ireq.u.ntlmRequest.lm.length != 24) {
1277 		    ret = EINVAL;
1278 		    krb5_set_error_message(context, ret, "LM hash have wrong length "
1279 					   "for NTLM session key");
1280 		    goto failed;
1281 		}
1282 
1283 		ctx = EVP_MD_CTX_create();
1284 
1285 		EVP_DigestInit_ex(ctx, EVP_md5(), NULL);
1286 
1287 		EVP_DigestUpdate(ctx, challange, sizeof(challange));
1288 		EVP_DigestUpdate(ctx, ireq.u.ntlmRequest.lm.data, 8);
1289 		EVP_DigestFinal_ex(ctx, sessionhash, NULL);
1290 		memcpy(challange, sessionhash, sizeof(challange));
1291 
1292 		EVP_MD_CTX_destroy(ctx);
1293 
1294 	    } else {
1295 		if ((config->digests_allowed & NTLM_V1) == 0) {
1296 		    kdc_log(context, config, 0, "NTLM v1 not allowed");
1297 		    goto failed;
1298 		}
1299 	    }
1300 
1301 	    ret = heim_ntlm_calculate_ntlm1(key->key.keyvalue.data,
1302 					    key->key.keyvalue.length,
1303 					    challange, &answer);
1304 	    if (ret) {
1305 		krb5_set_error_message(context, ret, "NTLM missing arcfour key");
1306 		goto failed;
1307 	    }
1308 
1309 	    if (ireq.u.ntlmRequest.ntlm.length != answer.length ||
1310 		memcmp(ireq.u.ntlmRequest.ntlm.data, answer.data, answer.length) != 0)
1311 		{
1312 		    free(answer.data);
1313 		    ret = EINVAL;
1314 		    krb5_set_error_message(context, ret, "NTLM hash mismatch");
1315 		    goto failed;
1316 		}
1317 	    free(answer.data);
1318 
1319 	    {
1320 		EVP_MD_CTX *ctx;
1321 
1322 		ctx = EVP_MD_CTX_create();
1323 
1324 		EVP_DigestInit_ex(ctx, EVP_md4(), NULL);
1325 		EVP_DigestUpdate(ctx,
1326 				 key->key.keyvalue.data,
1327 				 key->key.keyvalue.length);
1328 		EVP_DigestFinal_ex(ctx, sessionkey, NULL);
1329 
1330 		EVP_MD_CTX_destroy(ctx);
1331 	    }
1332 	}
1333 
1334 	if (ireq.u.ntlmRequest.sessionkey) {
1335 	    unsigned char masterkey[MD4_DIGEST_LENGTH];
1336 	    EVP_CIPHER_CTX *rc4;
1337 	    size_t len;
1338 
1339 	    if ((flags & NTLM_NEG_KEYEX) == 0) {
1340 		ret = EINVAL;
1341 		krb5_set_error_message(context, ret,
1342 				       "NTLM client failed to neg key "
1343 				       "exchange but still sent key");
1344 		goto failed;
1345 	    }
1346 
1347 	    len = ireq.u.ntlmRequest.sessionkey->length;
1348 	    if (len != sizeof(masterkey)){
1349 		ret = EINVAL;
1350 		krb5_set_error_message(context, ret,
1351 				       "NTLM master key wrong length: %lu",
1352 				       (unsigned long)len);
1353 		goto failed;
1354 	    }
1355 
1356 
1357 	    rc4 = EVP_CIPHER_CTX_new();
1358 	    if (rc4 == NULL) {
1359 		ret = ENOMEM;
1360 		krb5_set_error_message(context, ret,
1361 				       "NTLM failed to malloc cipher context");
1362 		goto failed;
1363 	    }
1364 	    EVP_CipherInit_ex(rc4, EVP_rc4(), NULL, sessionkey, NULL, 1);
1365 	    EVP_Cipher(rc4,
1366 		       masterkey, ireq.u.ntlmRequest.sessionkey->data,
1367 		       sizeof(masterkey));
1368 	    EVP_CIPHER_CTX_free(rc4);
1369 
1370 	    r.u.ntlmResponse.sessionkey =
1371 		malloc(sizeof(*r.u.ntlmResponse.sessionkey));
1372 	    if (r.u.ntlmResponse.sessionkey == NULL) {
1373 		ret = EINVAL;
1374 		krb5_set_error_message(context, ret, "malloc: out of memory");
1375 		goto out;
1376 	    }
1377 
1378 	    ret = krb5_data_copy(r.u.ntlmResponse.sessionkey,
1379 				 masterkey, sizeof(masterkey));
1380 	    if (ret) {
1381 		krb5_set_error_message(context, ret, "malloc: out of memory");
1382 		goto out;
1383 	    }
1384 	}
1385 
1386 	r.u.ntlmResponse.success = 1;
1387 	kdc_log(context, config, 0, "NTLM version %d successful for %s",
1388 		version, ireq.u.ntlmRequest.username);
1389 	break;
1390     }
1391     case choice_DigestReqInner_supportedMechs:
1392 
1393 	kdc_log(context, config, 0, "digest supportedMechs from %s", from);
1394 
1395 	r.element = choice_DigestRepInner_supportedMechs;
1396 	memset(&r.u.supportedMechs, 0, sizeof(r.u.supportedMechs));
1397 
1398 	if (config->digests_allowed & NTLM_V1)
1399 	    r.u.supportedMechs.ntlm_v1 = 1;
1400 	if (config->digests_allowed & NTLM_V1_SESSION)
1401 	    r.u.supportedMechs.ntlm_v1_session = 1;
1402 	if (config->digests_allowed & NTLM_V2)
1403 	    r.u.supportedMechs.ntlm_v2 = 1;
1404 	if (config->digests_allowed & DIGEST_MD5)
1405 	    r.u.supportedMechs.digest_md5 = 1;
1406 	if (config->digests_allowed & CHAP_MD5)
1407 	    r.u.supportedMechs.chap_md5 = 1;
1408 	if (config->digests_allowed & MS_CHAP_V2)
1409 	    r.u.supportedMechs.ms_chap_v2 = 1;
1410 	break;
1411 
1412     default: {
1413 	const char *s;
1414 	ret = EINVAL;
1415 	krb5_set_error_message(context, ret, "unknown operation to digest");
1416 
1417 	failed:
1418 
1419 	s = krb5_get_error_message(context, ret);
1420 	if (s == NULL) {
1421 	    krb5_clear_error_message(context);
1422 	    goto out;
1423 	}
1424 
1425 	kdc_log(context, config, 0, "Digest failed with: %s", s);
1426 
1427 	r.element = choice_DigestRepInner_error;
1428 	r.u.error.reason = strdup("unknown error");
1429 	krb5_free_error_message(context, s);
1430 	if (r.u.error.reason == NULL) {
1431 	    ret = ENOMEM;
1432 	    krb5_set_error_message(context, ret, "malloc: out of memory");
1433 	    goto out;
1434 	}
1435 	r.u.error.code = EINVAL;
1436 	break;
1437     }
1438     }
1439 
1440     ASN1_MALLOC_ENCODE(DigestRepInner, buf.data, buf.length, &r, &size, ret);
1441     if (ret) {
1442 	krb5_set_error_message(context, ret, "Failed to encode inner digest reply");
1443 	goto out;
1444     }
1445     if (size != buf.length)
1446 	krb5_abortx(context, "ASN1 internal error");
1447 
1448     krb5_auth_con_addflags(context, ac, KRB5_AUTH_CONTEXT_USE_SUBKEY, NULL);
1449 
1450     ret = krb5_mk_rep (context, ac, &rep.apRep);
1451     if (ret)
1452 	goto out;
1453 
1454     {
1455 	krb5_keyblock *key;
1456 
1457 	ret = krb5_auth_con_getlocalsubkey(context, ac, &key);
1458 	if (ret)
1459 	    goto out;
1460 
1461 	ret = krb5_crypto_init(context, key, 0, &crypto);
1462 	krb5_free_keyblock (context, key);
1463 	if (ret)
1464 	    goto out;
1465     }
1466 
1467     ret = krb5_encrypt_EncryptedData(context, crypto, KRB5_KU_DIGEST_ENCRYPT,
1468 				     buf.data, buf.length, 0,
1469 				     &rep.innerRep);
1470     if (ret) {
1471         krb5_prepend_error_message(context, ret, "Failed to encrypt digest: ");
1472         goto out;
1473     }
1474 
1475     ASN1_MALLOC_ENCODE(DigestREP, reply->data, reply->length, &rep, &size, ret);
1476     if (ret) {
1477 	krb5_set_error_message(context, ret, "Failed to encode digest reply");
1478 	goto out;
1479     }
1480     if (size != reply->length)
1481 	krb5_abortx(context, "ASN1 internal error");
1482 
1483 
1484  out:
1485     if (ac)
1486 	krb5_auth_con_free(context, ac);
1487     if (ret)
1488 	krb5_warn(context, ret, "Digest request from %s failed", from);
1489     if (ticket)
1490 	krb5_free_ticket(context, ticket);
1491     if (id)
1492 	krb5_kt_close(context, id);
1493     if (crypto)
1494 	krb5_crypto_destroy(context, crypto);
1495     if (sp)
1496 	krb5_storage_free(sp);
1497     if (user)
1498 	_kdc_free_ent (context, user);
1499     if (server)
1500 	_kdc_free_ent (context, server);
1501     if (client)
1502 	_kdc_free_ent (context, client);
1503     if (password) {
1504 	memset(password, 0, strlen(password));
1505 	free (password);
1506     }
1507     if (client_name)
1508 	free (client_name);
1509     krb5_data_free(&buf);
1510     krb5_data_free(&serverNonce);
1511     free_Checksum(&res);
1512     free_DigestREP(&rep);
1513     free_DigestRepInner(&r);
1514     free_DigestReqInner(&ireq);
1515 
1516     return ret;
1517 }
1518 
1519 #endif /* DIGEST */
1520