Fix out-of-bounds accesses to ZPasswordHash arrays (#395)

[ppp.git] / pppd / chap_ms.c

diff --git a/pppd/chap_ms.c b/pppd/chap_ms.c
index 71942fed0833d88868c157976cce4f4405ef3641..d1e0cf80212c265cdfeae2c4c6659d15c8422108 100644 (file)
--- a/pppd/chap_ms.c
+++ b/pppd/chap_ms.c
@@ -93,12 +93,14 @@
 #include <linux/ppp-comp.h>
 #endif
 
-#include "pppd.h"
-#include "chap-new.h"
+#include "pppd-private.h"
+#include "options.h"
+#include "chap.h"
 #include "chap_ms.h"
 #include "magic.h"
 #include "mppe.h"
-#include "ppp-crypto.h"
+#include "crypto.h"
+#include "crypto_ms.h"
 
 #ifdef UNIT_TEST
 #undef PPP_WITH_MPPE
@@ -138,7 +140,7 @@ static char *mschap2_peer_challenge = NULL;
 /*
  * Command-line options.
  */
-static option_t chapms_option_list[] = {
+static struct option chapms_option_list[] = {
 #ifdef PPP_WITH_MSLANMAN
        { "ms-lanman", o_bool, &ms_lanman,
          "Use LanMan passwd when using MS-CHAP", 1 },
@@ -507,11 +509,8 @@ ChallengeResponse(u_char *challenge,
                  u_char *PasswordHash,
                  u_char *response)
 {
-    u_char ZPasswordHash[21];
+    u_char ZPasswordHash[24];
     PPP_CIPHER_CTX *ctx;
-    int outlen = 0;
-    int offset = 0;
-    int retval = 0;
 
     BZERO(ZPasswordHash, sizeof(ZPasswordHash));
     BCOPY(PasswordHash, ZPasswordHash, MD4_DIGEST_LENGTH);
@@ -521,38 +520,15 @@ ChallengeResponse(u_char *challenge,
           sizeof(ZPasswordHash), ZPasswordHash);
 #endif
 
-    ctx = PPP_CIPHER_CTX_new();
-    if (ctx != NULL) {
-
-        if (PPP_CipherInit(ctx, PPP_des_ecb(), ZPasswordHash + 0, NULL, 1)) {
-
-            if (PPP_CipherUpdate(ctx, response + offset, &outlen, challenge, 8)) {
-                offset += outlen;
-
-                PPP_CIPHER_CTX_set_cipher_data(ctx, ZPasswordHash + 7);
-                if (PPP_CipherUpdate(ctx, response + offset, &outlen, challenge, 8)) {
-                    offset += outlen;
-
-                    PPP_CIPHER_CTX_set_cipher_data(ctx, ZPasswordHash + 14);
-                    if (PPP_CipherUpdate(ctx, response + offset, &outlen, challenge, 8)) {
-                        offset += outlen;
-
-                        if (PPP_CipherFinal(ctx, response + offset, &outlen)) {
-
-                            retval = 1;
-                        }
-                    }
-                }
-            }
-        }
-
-        PPP_CIPHER_CTX_free(ctx);
-    }
+    if (DesEncrypt(challenge, ZPasswordHash + 0,  response + 0) &&
+        DesEncrypt(challenge, ZPasswordHash + 7,  response + 8) &&
+        DesEncrypt(challenge, ZPasswordHash + 14, response + 16))
+        return 1;
 
 #if 0
     dbglog("ChallengeResponse - response %.24B", response);
 #endif
-    return retval;
+    return 0;
 }
 
 void
@@ -563,7 +539,7 @@ ChallengeHash(u_char PeerChallenge[16], u_char *rchallenge,
     PPP_MD_CTX* ctx;
     u_char     hash[SHA_DIGEST_LENGTH];
     int     hash_len;
-    char       *user;
+    const char *user;
 
     /* remove domain from "domain\username" */
     if ((user = strrchr(username, '\\')) != NULL)
@@ -860,7 +836,7 @@ ChapMS(u_char *rchallenge, char *secret, int secret_len,
  * Authenticator Response.
  */
 void
-ChapMS2(u_char *rchallenge, u_char *PeerChallenge,
+ChapMS2(unsigned char *rchallenge, unsigned char *PeerChallenge,
        char *user, char *secret, int secret_len, unsigned char *response,
        u_char authResponse[], int authenticator)
 {
@@ -919,7 +895,7 @@ chapms_init(void)
 {
        chap_register_digest(&chapms_digest);
        chap_register_digest(&chapms2_digest);
-       add_options(chapms_option_list);
+       ppp_add_options(chapms_option_list);
 }
 #else