ref: 4f3f1ca14db8dbae93eda1a9ae3dbdeef8c44776
dir: /sys/src/cmd/auth/factotum/chap.c/
/*
 * CHAP, MSCHAP
 * 
 * The client does not authenticate the server
 *
 * Client protocol:
 *	write Chapchal 
 *	read response Chapreply or MSchaprely structure
 *
 * Server protocol:
 *	read challenge: 8 bytes binary (or 16 bytes for mschapv2)
 *	write user: utf8
 *	write dom: utf8 (ntlm)
 *	write response: Chapreply or MSchapreply structure
 *	... retry another user
 */
#include <ctype.h>
#include "dat.h"
enum {
	ChapChallen = 8,
	ChapResplen = 16,
	/* Microsoft auth constants */
	MShashlen = 16,
	MSchallen = 8,
	MSresplen = 24,
	MSchallenv2 = 16,
	Chapreplylen = MD5LEN+1,
	MSchapreplylen = 24+24,
};
static int dochal(State *s);
static int doreply(State *s, uchar *reply, int nreply);
static int dochap(char *passwd, int id, char chal[ChapChallen], uchar *resp, int resplen);
static int domschap(char *passwd, uchar chal[MSchallen], uchar *resp, int resplen);
static int dontlmv2(char *passwd, char *user, char *dom, uchar chal[MSchallen], uchar *resp, int resplen);
static void nthash(uchar hash[MShashlen], char *passwd);
struct State
{
	int astype;
	int asfd;
	Key *key;
	Authkey k;
	Ticket t;
	Ticketreq tr;
	int nchal;
	char chal[16];
	int nresp;
	uchar resp[4096];
	char err[ERRMAX];
	char user[64];
	char dom[DOMLEN];
	uchar secret[16+20];	/* for mschap: MPPE Master secret + authenticator (v2) */
	int nsecret;
};
enum
{
	CNeedChal,
	CHaveResp,
	SHaveChal,
	SNeedUser,
	SNeedDom,
	SNeedResp,
	Maxphase
};
static char *phasenames[Maxphase] =
{
[CNeedChal]	"CNeedChal",
[CHaveResp]	"CHaveResp",
[SHaveChal]	"SHaveChal",
[SNeedUser]	"SNeedUser",
[SNeedDom]	"SNeedDom",
[SNeedResp]	"SNeedResp",
};
static int
chapinit(Proto *p, Fsstate *fss)
{
	int iscli, ret;
	State *s;
	if((iscli = isclient(_strfindattr(fss->attr, "role"))) < 0)
		return failure(fss, nil);
	s = emalloc(sizeof *s);
	s->nresp = 0;
	s->nsecret = 0;
	strcpy(s->user, "none");
	fss->phasename = phasenames;
	fss->maxphase = Maxphase;
	s->asfd = -1;
	if(p == &mschapv2) {
		s->nchal = MSchallenv2;
		s->astype = AuthMSchapv2;
	} else if(p == &mschap){
		s->nchal = MSchallen;
		s->astype = AuthMSchap;
	} else if(p == &ntlm || p == &ntlmv2){
		s->nchal = MSchallen;
		s->astype = AuthNTLM;
	} else {
		s->nchal = ChapChallen;
		s->astype = AuthChap;
	}
	if(iscli)
		fss->phase = CNeedChal;
	else{
		if((ret = findp9authkey(&s->key, fss)) != RpcOk){
			free(s);
			return ret;
		}
		if(dochal(s) < 0){
			free(s);
			return failure(fss, nil);
		}
		fss->phase = SHaveChal;
	}
	fss->ps = s;
	return RpcOk;
}
static void
chapclose(Fsstate *fss)
{
	State *s;
	s = fss->ps;
	if(s->asfd >= 0){
		close(s->asfd);
		s->asfd = -1;
	}
	free(s);
}
static int
chapwrite(Fsstate *fss, void *va, uint n)
{
	int ret, nreply;
	char *a, *pass;
	Key *k;
	Keyinfo ki;
	State *s;
	Chapreply *cr;
	MSchapreply *mcr;
	OChapreply *ocr;
	OMSchapreply *omcr;
	NTLMreply *ntcr;
	uchar pchal[MSchallenv2];
	uchar digest[SHA1dlen];
	uchar reply[4096];
	char *user, *dom;
	DigestState *ds;
	s = fss->ps;
	a = va;
	switch(fss->phase){
	default:
		return phaseerror(fss, "write");
	case CNeedChal:
		ret = findkey(&k, mkkeyinfo(&ki, fss, nil), "%s", fss->proto->keyprompt);
		if(ret != RpcOk)
			return ret;
		user = nil;
		pass = _strfindattr(k->privattr, "!password");
		if(pass == nil){
			closekey(k);
			return failure(fss, "key has no password");
		}
		s->nsecret = 0;
		s->nresp = 0;
		memset(s->resp, 0, sizeof(s->resp));
		setattrs(fss->attr, k->attr);
		switch(s->astype){
		case AuthNTLM:
			if(n < MSchallen)
				break;
			if(fss->proto == &ntlmv2){
				user = _strfindattr(fss->attr, "user");
				if(user == nil)
					break;
				dom = _strfindattr(fss->attr, "windom");
				if(dom == nil)
					dom = "";
				s->nresp = dontlmv2(pass, user, dom, (uchar*)a, s->resp, sizeof(s->resp));
			} else {
				s->nresp = domschap(pass, (uchar*)a, s->resp, sizeof(s->resp));
			}
			break;
		case AuthMSchap:
			if(n < MSchallen)
				break;
			s->nresp = domschap(pass, (uchar*)a, s->resp, sizeof(s->resp));
			nthash(digest, pass);
			md4(digest, 16, digest, nil);
			ds = sha1(digest, 16, nil, nil);
			sha1(digest, 16, nil, ds);
			sha1((uchar*)a, 8, s->secret, ds);
			s->nsecret = 16;
			break;
		case AuthMSchapv2:
			if(n < MSchallenv2)
				break;
			user = _strfindattr(fss->attr, "user");
			if(user == nil)
				break;
			genrandom((uchar*)pchal, MSchallenv2);
			/* ChallengeHash() */
			ds = sha1(pchal, MSchallenv2, nil, nil);
			ds = sha1((uchar*)a, MSchallenv2, nil, ds);
			sha1((uchar*)user, strlen(user), reply, ds);
			s->nresp = domschap(pass, reply, s->resp, sizeof(s->resp));
			if(s->nresp <= 0)
				break;
			mcr = (MSchapreply*)s->resp;
			memset(mcr->LMresp, 0, sizeof(mcr->LMresp));
			memmove(mcr->LMresp, pchal, MSchallenv2);
			nthash(digest, pass);
			md4(digest, 16, digest, nil);
			ds = sha1(digest, 16, nil, nil);
			sha1((uchar*)mcr->NTresp, MSresplen, nil, ds);
			sha1((uchar*)"This is the MPPE Master Key", 27, s->secret, ds);
			ds = sha1(digest, 16, nil, nil);
			sha1((uchar*)mcr->NTresp, MSresplen, nil, ds);
			sha1((uchar*)"Magic server to client signing constant", 39, digest, ds);
			ds = sha1(digest, 20, nil, nil);
			sha1(reply, 8, nil, ds);	/* ChallngeHash */
			sha1((uchar*)"Pad to make it do more than one iteration", 41, s->secret+16, ds);
			s->nsecret = 16+20;
			break;
		case AuthChap:
			if(n < ChapChallen+1)
				break;
			s->nresp = dochap(pass, *a, a+1, s->resp, sizeof(s->resp));
			break;
		}
		closekey(k);
		if(s->nresp <= 0)
			return failure(fss, "chap botch");
		if(user != nil)
			safecpy(s->user, user, sizeof s->user);
		fss->phase = CHaveResp;
		return RpcOk;
	case SNeedUser:
		if(n >= sizeof s->user)
			return failure(fss, "user name too long");
		memmove(s->user, va, n);
		s->user[n] = '\0';
		fss->phase = (s->astype == AuthNTLM)? SNeedDom: SNeedResp;
		return RpcOk;
	case SNeedDom:
		if(n >= sizeof s->dom)
			return failure(fss, "domain name too long");
		memmove(s->dom, va, n);
		s->dom[n] = '\0';
		fss->phase = SNeedResp;
		return RpcOk;
	case SNeedResp:
		switch(s->astype){
		default:
			return failure(fss, "chap internal botch");
		case AuthChap:
			if(n < Chapreplylen)
				return failure(fss, "did not get Chapreply");
			cr = (Chapreply*)va;
			nreply = OCHAPREPLYLEN;
			memset(reply, 0, nreply);
			ocr = (OChapreply*)reply;
			strecpy(ocr->uid, ocr->uid+sizeof(ocr->uid), s->user);
			ocr->id = cr->id;
			memmove(ocr->resp, cr->resp, sizeof(ocr->resp));
			break;
		case AuthMSchap:
		case AuthMSchapv2:
			if(n < MSchapreplylen)
				return failure(fss, "did not get MSchapreply");
			mcr = (MSchapreply*)va;
			nreply = OMSCHAPREPLYLEN;
			memset(reply, 0, nreply);
			omcr = (OMSchapreply*)reply;
			strecpy(omcr->uid, omcr->uid+sizeof(omcr->uid), s->user);
			memmove(omcr->LMresp, mcr->LMresp, sizeof(omcr->LMresp));
			memmove(omcr->NTresp, mcr->NTresp, sizeof(mcr->NTresp));
			break;
		case AuthNTLM:
			if(n < MSchapreplylen)
				return failure(fss, "did not get MSchapreply");
			if(n > sizeof(reply)+MSchapreplylen-NTLMREPLYLEN)
				return failure(fss, "MSchapreply too long");
			mcr = (MSchapreply*)va;
			nreply = n+NTLMREPLYLEN-MSchapreplylen;
			memset(reply, 0, nreply);
			ntcr = (NTLMreply*)reply;
			ntcr->len[0] = nreply;
			ntcr->len[1] = nreply>>8;
			strecpy(ntcr->uid, ntcr->uid+sizeof(ntcr->uid), s->user);
			strecpy(ntcr->dom, ntcr->dom+sizeof(ntcr->dom), s->dom);
			memmove(ntcr->LMresp, mcr->LMresp, sizeof(ntcr->LMresp));
			memmove(ntcr->NTresp, mcr->NTresp, n+sizeof(mcr->NTresp)-MSchapreplylen);
			break;
		}
		if(doreply(s, reply, nreply) < 0){
			fss->phase = SNeedUser;
			return failure(fss, nil);
		}
		fss->phase = Established;
		fss->ai.cuid = s->t.cuid;
		fss->ai.suid = s->t.suid;
		fss->ai.secret = s->secret;
		fss->ai.nsecret = s->nsecret;
		fss->haveai = 1;
		return RpcOk;
	}
}
static int
chapread(Fsstate *fss, void *va, uint *n)
{
	State *s;
	s = fss->ps;
	switch(fss->phase){
	default:
		return phaseerror(fss, "read");
	case CHaveResp:
		if(*n > s->nresp)
			*n = s->nresp;
		memmove(va, s->resp, *n);
		fss->phase = Established;
		if(s->nsecret == 0){
			fss->haveai = 0;
			return RpcOk;
		}
		fss->ai.cuid = s->user;
		fss->ai.suid = "none";	/* server not authenticated */
		fss->ai.secret = s->secret;
		fss->ai.nsecret = s->nsecret;
		fss->haveai = 1;
		return RpcOk;
	case SHaveChal:
		if(*n > s->nchal)
			*n = s->nchal;
		memmove(va, s->chal, *n);
		fss->phase = SNeedUser;
		return RpcOk;
	}
}
static int
dochal(State *s)
{
	char *dom, *user;
	int n;
	s->asfd = -1;
	/* send request to authentication server and get challenge */
	if((dom = _strfindattr(s->key->attr, "dom")) == nil
	|| (user = _strfindattr(s->key->attr, "user")) == nil){
		werrstr("chap/dochal cannot happen");
		goto err;
	}
	memmove(&s->k, s->key->priv, sizeof(Authkey));
	memset(&s->tr, 0, sizeof(s->tr));
	safecpy(s->tr.authdom, dom, sizeof(s->tr.authdom));
	safecpy(s->tr.hostid, user, sizeof(s->tr.hostid));
	s->tr.type = s->astype;
	s->asfd = _authreq(&s->tr, &s->k);
	if(s->asfd < 0)
		goto err;
	
	alarm(30*1000);
	n = readn(s->asfd, s->chal, s->nchal);
	alarm(0);
	if(n != s->nchal)
		goto err;
	return 0;
err:
	if(s->asfd >= 0)
		close(s->asfd);
	s->asfd = -1;
	return -1;
}
static int
doreply(State *s, uchar *reply, int nreply)
{
	int n;
	Authenticator a;
	alarm(30*1000);
	if(write(s->asfd, reply, nreply) != nreply){
		alarm(0);
		goto err;
	}
	n = _asgetresp(s->asfd, &s->t, &a, &s->k);
	alarm(0);
	if(n < 0){
		/* leave connection open so we can try again */
		return -1;
	}
	close(s->asfd);
	s->asfd = -1;
	if(s->t.num != AuthTs
	|| tsmemcmp(s->t.chal, s->tr.chal, sizeof(s->t.chal)) != 0){
		if(s->key->successes == 0)
			disablekey(s->key);
		werrstr(Easproto);
		return -1;
	}
	if(a.num != AuthAc
	|| tsmemcmp(a.chal, s->tr.chal, sizeof(a.chal)) != 0){
		werrstr(Easproto);
		return -1;
	}
	s->key->successes++;
	s->nsecret = 0;
	if(s->t.form != 0){
		if(s->astype == AuthMSchap || s->astype == AuthMSchapv2){
			memmove(s->secret, s->t.key, 16);
			if(s->astype == AuthMSchapv2){
				memmove(s->secret+16, a.rand, 20);
				s->nsecret = 16+20;
			} else
				s->nsecret = 16;
		}
	}
	return 0;
err:
	if(s->asfd >= 0)
		close(s->asfd);
	s->asfd = -1;
	return -1;
}
Proto chap = {
.name=	"chap",
.init=	chapinit,
.write=	chapwrite,
.read=	chapread,
.close=	chapclose,
.addkey= replacekey,
.keyprompt= "!password?"
};
Proto mschap = {
.name=	"mschap",
.init=	chapinit,
.write=	chapwrite,
.read=	chapread,
.close=	chapclose,
.addkey= replacekey,
.keyprompt= "!password?"
};
Proto mschapv2 = {
.name=	"mschapv2",
.init=	chapinit,
.write=	chapwrite,
.read=	chapread,
.close=	chapclose,
.addkey= replacekey,
.keyprompt= "user? !password?"
};
Proto ntlm = {
.name=	"ntlm",
.init=	chapinit,
.write=	chapwrite,
.read=	chapread,
.close=	chapclose,
.addkey= replacekey,
.keyprompt= "user? !password?"
};
Proto ntlmv2 = {
.name=	"ntlmv2",
.init=	chapinit,
.write=	chapwrite,
.read=	chapread,
.close=	chapclose,
.addkey= replacekey,
.keyprompt= "user? windom? !password?"
};
static void
nthash(uchar hash[MShashlen], char *passwd)
{
	DigestState *ds;
	uchar b[2];
	Rune r;
	ds = md4(nil, 0, nil, nil);
	while(*passwd){
		passwd += chartorune(&r, passwd);
		b[0] = r & 0xff;
		b[1] = r >> 8;
		md4(b, 2, nil, ds);
	}
	md4(nil, 0, hash, ds);
}
static void
ntv2hash(uchar hash[MShashlen], char *passwd, char *user, char *dom)
{
	uchar v1hash[MShashlen];
	DigestState *ds;
	uchar b[2];
	Rune r;
	nthash(v1hash, passwd);
	/*
	 * Some documentation insists that the username must be forced to
	 * uppercase, but the domain name should not be. Other shows both
	 * being forced to uppercase. I am pretty sure this is irrevevant as the
	 * domain name passed from the remote server always seems to be in
	 * uppercase already.
	 */
        ds = hmac_md5(nil, 0, v1hash, sizeof(v1hash), nil, nil);
	while(*user){
		user += chartorune(&r, user);
		r = toupperrune(r);
		b[0] = r & 0xff;
		b[1] = r >> 8;
        	hmac_md5(b, 2, v1hash, sizeof(v1hash), nil, ds);
	}
	while(*dom){
		dom += chartorune(&r, dom);
		b[0] = r & 0xff;
		b[1] = r >> 8;
        	hmac_md5(b, 2, v1hash, sizeof(v1hash), nil, ds);
	}
        hmac_md5(nil, 0, v1hash, sizeof(v1hash), hash, ds);
}
static void
desencrypt(uchar data[8], uchar key[7])
{
	ulong ekey[32];
	key_setup(key, ekey);
	block_cipher(ekey, data, 0);
}
static void
lmhash(uchar hash[MShashlen], char *passwd)
{
	uchar buf[14];
	char *stdtext = "KGS!@#$%";
	int i;
	memset(buf, 0, sizeof(buf));
	strncpy((char*)buf, passwd, sizeof(buf));
	for(i=0; i<sizeof(buf); i++)
		if(buf[i] >= 'a' && buf[i] <= 'z')
			buf[i] += 'A' - 'a';
	memcpy(hash, stdtext, 8);
	memcpy(hash+8, stdtext, 8);
	desencrypt(hash, buf);
	desencrypt(hash+8, buf+7);
}
static void
mschalresp(uchar resp[MSresplen], uchar hash[MShashlen], uchar chal[MSchallen])
{
	int i;
	uchar buf[21];
	memset(buf, 0, sizeof(buf));
	memcpy(buf, hash, MShashlen);
	for(i=0; i<3; i++) {
		memmove(resp+i*MSchallen, chal, MSchallen);
		desencrypt(resp+i*MSchallen, buf+i*7);
	}
}
static int
domschap(char *passwd, uchar chal[MSchallen], uchar *resp, int resplen)
{
	uchar hash[MShashlen];
	MSchapreply *r;
	r = (MSchapreply*)resp;
	if(resplen < MSchapreplylen)
		return 0;
	lmhash(hash, passwd);
	mschalresp((uchar*)r->LMresp, hash, chal);
	nthash(hash, passwd);
	mschalresp((uchar*)r->NTresp, hash, chal);
	return MSchapreplylen;
}
static int
dontlmv2(char *passwd, char *user, char *dom, uchar chal[MSchallen], uchar *resp, int resplen)
{
	uchar hash[MShashlen], *p, *e;
	MSchapreply *r;
	DigestState *s;
	uvlong t;
	Rune rr;
	int nb;
	ntv2hash(hash, passwd, user, dom);
	r = (MSchapreply*)resp;
	p = (uchar*)r->NTresp+16;
	e = resp + resplen;
	if(p+2+2+4+8+8+4+4+4+4 > e)
		return 0;	
	*p++ = 1;		/* 8bit: response type */
	*p++ = 1;		/* 8bit: max response type understood by client */
	*p++ = 0;		/* 16bit: reserved */
	*p++ = 0;
	*p++ = 0;		/* 32bit: unknown */
	*p++ = 0;
	*p++ = 0;
	*p++ = 0;
	t = time(nil);
	t += 11644473600LL;
	t *= 10000000LL;
	*p++ = t;		/* 64bit: time in NT format */
	*p++ = t >> 8;
	*p++ = t >> 16;
	*p++ = t >> 24;
	*p++ = t >> 32;
	*p++ = t >> 40;
	*p++ = t >> 48;
	*p++ = t >> 56;
	genrandom(p, 8);
	p += 8;			/* 64bit: client nonce */
	*p++ = 0;		/* 32bit: unknown data */
	*p++ = 0;
	*p++ = 0;
	*p++ = 0;
	*p++ = 2;		/* AvPair Domain */
	*p++ = 0;
	*p++ = 0;		/* length */
	*p++ = 0;
	nb = 0;
	while(*dom){
		dom += chartorune(&rr, dom);
		if(p+2+4+4 > e)
			return 0;
		*p++ = rr & 0xFF;
		*p++ = rr >> 8;
		nb += 2;
	}
	p[-nb - 2] = nb & 0xFF;
	p[-nb - 1] = nb >> 8;
	*p++ = 0;		/* AvPair EOF */
	*p++ = 0;
	*p++ = 0;
	*p++ = 0;
	
	*p++ = 0;		/* 32bit: unknown data */
	*p++ = 0;
	*p++ = 0;
	*p++ = 0;
	/*
	 * LmResponse = Cat(HMAC_MD5(LmHash, Cat(SC, CC)), CC)
	 */
	s = hmac_md5(chal, 8, hash, MShashlen, nil, nil);
	genrandom((uchar*)r->LMresp+16, 8);
	hmac_md5((uchar*)r->LMresp+16, 8, hash, MShashlen, (uchar*)r->LMresp, s);
	/*
	 * NtResponse = Cat(HMAC_MD5(NtHash, Cat(SC, NtBlob)), NtBlob)
	 */
	s = hmac_md5(chal, 8, hash, MShashlen, nil, nil);
	hmac_md5((uchar*)r->NTresp+16, p - ((uchar*)r->NTresp+16), hash, MShashlen, (uchar*)r->NTresp, s);
	return p - resp;
}
static int
dochap(char *passwd, int id, char chal[ChapChallen], uchar *resp, int resplen)
{
	char buf[1+ChapChallen+MAXNAMELEN+1];
	int n;
	if(resplen < ChapResplen)
		return 0;
	memset(buf, 0, sizeof buf);
	*buf = id;
	n = strlen(passwd);
	if(n > MAXNAMELEN)
		n = MAXNAMELEN-1;
	strncpy(buf+1, passwd, n);
	memmove(buf+1+n, chal, ChapChallen);
	md5((uchar*)buf, 1+n+ChapChallen, resp, nil);
	return ChapResplen;
}