*
*/
-#define RCSID "$Id: chap_ms.c,v 1.30 2003/07/10 17:59:33 fcusack Exp $"
+#define RCSID "$Id: chap_ms.c,v 1.33 2004/11/12 09:57:43 paulus Exp $"
#ifdef CHAPMS
static const char rcsid[] = RCSID;
-static void ChallengeHash __P((u_char[16], u_char *, char *, u_char[8]));
static void ascii2unicode __P((char[], int, u_char[]));
static void NTPasswordHash __P((char *, int, u_char[MD4_SIGNATURE_SIZE]));
static void ChallengeResponse __P((u_char *, u_char *, u_char[24]));
static void ChapMS_NT __P((u_char *, char *, int, u_char[24]));
static void ChapMS2_NT __P((char *, u_char[16], char *, char *, int,
u_char[24]));
-static void GenerateAuthenticatorResponse __P((char*, int, u_char[24],
- u_char[16], u_char *,
- char *, u_char[41]));
+static void GenerateAuthenticatorResponsePlain
+ __P((char*, int, u_char[24], u_char[16], u_char *,
+ char *, u_char[41]));
#ifdef MSLANMAN
static void ChapMS_LANMan __P((u_char *, char *, int, MS_ChapResponse *));
#endif
u_char mppe_recv_key[MPPE_MAX_KEY_LEN];
int mppe_keys_set = 0; /* Have the MPPE keys been set? */
+#ifdef DEBUGMPPEKEY
/* For MPPE debug */
/* Use "[]|}{?/><,`!2&&(" (sans quotes) for RFC 3079 MS-CHAPv2 test value */
static char *mschap_challenge = NULL;
/* Use "!@\#$%^&*()_+:3|~" (sans quotes, backslash is to escape #) for ... */
static char *mschap2_peer_challenge = NULL;
+#endif
#include "fsm.h" /* Need to poke MPPE options */
#include "ccp.h"
chapms_generate_challenge(unsigned char *challenge)
{
*challenge++ = 8;
+#ifdef DEBUGMPPEKEY
if (mschap_challenge && strlen(mschap_challenge) == 8)
memcpy(challenge, mschap_challenge, 8);
else
+#endif
random_bytes(challenge, 8);
}
chapms2_generate_challenge(unsigned char *challenge)
{
*challenge++ = 16;
+#ifdef DEBUGMPPEKEY
if (mschap_challenge && strlen(mschap_challenge) == 16)
memcpy(challenge, mschap_challenge, 16);
else
+#endif
random_bytes(challenge, 16);
}
#endif
/* Generate the expected response. */
- ChapMS(challenge, secret, secret_len, &md);
+ ChapMS(challenge, (char *)secret, secret_len, &md);
#ifdef MSLANMAN
/* Determine which part of response to verify against */
/* Generate the expected response and our mutual auth. */
ChapMS2(challenge, rmd->PeerChallenge, name,
- secret, secret_len, &md,
- saresponse, MS_CHAP2_AUTHENTICATOR);
+ (char *)secret, secret_len, &md,
+ (unsigned char *)saresponse, MS_CHAP2_AUTHENTICATOR);
/* compare MDs and send the appropriate status */
/*
{
challenge++; /* skip length, should be 16 */
*response++ = MS_CHAP2_RESPONSE_LEN;
- ChapMS2(challenge, mschap2_peer_challenge, our_name,
- secret, secret_len,
+ ChapMS2(challenge,
+#ifdef DEBUGMPPEKEY
+ mschap2_peer_challenge,
+#else
+ NULL,
+#endif
+ our_name, secret, secret_len,
(MS_Chap2Response *) response, private,
MS_CHAP2_AUTHENTICATEE);
}
static int
chapms2_check_success(unsigned char *msg, int len, unsigned char *private)
{
- if ((len < MS_AUTH_RESPONSE_LENGTH + 2) || strncmp(msg, "S=", 2)) {
+ if ((len < MS_AUTH_RESPONSE_LENGTH + 2) ||
+ strncmp((char *)msg, "S=", 2) != 0) {
/* Packet does not start with "S=" */
error("MS-CHAPv2 Success packet is badly formed.");
return 0;
/* Authenticator Response matches. */
msg += MS_AUTH_RESPONSE_LENGTH; /* Eat it */
len -= MS_AUTH_RESPONSE_LENGTH;
- if ((len >= 3) && !strncmp(msg, " M=", 3)) {
+ if ((len >= 3) && !strncmp((char *)msg, " M=", 3)) {
msg += 3; /* Eat the delimiter */
} else if (len) {
/* Packet has extra text which does not begin " M=" */
#endif
}
-static void
+void
ChallengeHash(u_char PeerChallenge[16], u_char *rchallenge,
char *username, u_char Challenge[8])
SHA1_Init(&sha1Context);
SHA1_Update(&sha1Context, PeerChallenge, 16);
SHA1_Update(&sha1Context, rchallenge, 16);
- SHA1_Update(&sha1Context, user, strlen(user));
+ SHA1_Update(&sha1Context, (unsigned char *)user, strlen(user));
SHA1_Final(sha1Hash, &sha1Context);
BCOPY(sha1Hash, Challenge, 8);
MD4_CTX md4Context;
MD4Init(&md4Context);
- MD4Update(&md4Context, secret, mdlen);
+ MD4Update(&md4Context, (unsigned char *)secret, mdlen);
MD4Final(hash, &md4Context);
}
/* Hash the Unicode version of the secret (== password). */
ascii2unicode(secret, secret_len, unicodePassword);
- NTPasswordHash(unicodePassword, secret_len * 2, PasswordHash);
+ NTPasswordHash((char *)unicodePassword, secret_len * 2, PasswordHash);
ChallengeResponse(rchallenge, PasswordHash, NTResponse);
}
u_char PasswordHash[MD4_SIGNATURE_SIZE];
u_char Challenge[8];
- ChallengeHash(PeerChallenge, rchallenge, username, Challenge);
+ ChallengeHash(PeerChallenge, (unsigned char *)rchallenge, username,
+ Challenge);
/* Hash the Unicode version of the secret (== password). */
ascii2unicode(secret, secret_len, unicodePassword);
- NTPasswordHash(unicodePassword, secret_len * 2, PasswordHash);
+ NTPasswordHash((char *)unicodePassword, secret_len * 2, PasswordHash);
ChallengeResponse(Challenge, PasswordHash, NTResponse);
}
#endif
-static void
-GenerateAuthenticatorResponse(char *secret, int secret_len,
+void
+GenerateAuthenticatorResponse(u_char PasswordHashHash[MD4_SIGNATURE_SIZE],
u_char NTResponse[24], u_char PeerChallenge[16],
u_char *rchallenge, char *username,
u_char authResponse[MS_AUTH_RESPONSE_LENGTH+1])
int i;
SHA1_CTX sha1Context;
- u_char unicodePassword[MAX_NT_PASSWORD * 2];
- u_char PasswordHash[MD4_SIGNATURE_SIZE];
- u_char PasswordHashHash[MD4_SIGNATURE_SIZE];
u_char Digest[SHA1_SIGNATURE_SIZE];
u_char Challenge[8];
- /* Hash (x2) the Unicode version of the secret (== password). */
- ascii2unicode(secret, secret_len, unicodePassword);
- NTPasswordHash(unicodePassword, secret_len * 2, PasswordHash);
- NTPasswordHash(PasswordHash, sizeof(PasswordHash), PasswordHashHash);
-
SHA1_Init(&sha1Context);
- SHA1_Update(&sha1Context, PasswordHashHash, sizeof(PasswordHashHash));
+ SHA1_Update(&sha1Context, PasswordHashHash, MD4_SIGNATURE_SIZE);
SHA1_Update(&sha1Context, NTResponse, 24);
SHA1_Update(&sha1Context, Magic1, sizeof(Magic1));
SHA1_Final(Digest, &sha1Context);
/* Convert to ASCII hex string. */
for (i = 0; i < MAX((MS_AUTH_RESPONSE_LENGTH / 2), sizeof(Digest)); i++)
- sprintf(&authResponse[i * 2], "%02X", Digest[i]);
+ sprintf((char *)&authResponse[i * 2], "%02X", Digest[i]);
+}
+
+
+static void
+GenerateAuthenticatorResponsePlain
+ (char *secret, int secret_len,
+ u_char NTResponse[24], u_char PeerChallenge[16],
+ u_char *rchallenge, char *username,
+ u_char authResponse[MS_AUTH_RESPONSE_LENGTH+1])
+{
+ u_char unicodePassword[MAX_NT_PASSWORD * 2];
+ u_char PasswordHash[MD4_SIGNATURE_SIZE];
+ u_char PasswordHashHash[MD4_SIGNATURE_SIZE];
+
+ /* Hash (x2) the Unicode version of the secret (== password). */
+ ascii2unicode(secret, secret_len, unicodePassword);
+ NTPasswordHash((char *)unicodePassword, secret_len * 2, PasswordHash);
+ NTPasswordHash((char *)PasswordHash, sizeof(PasswordHash),
+ PasswordHashHash);
+
+ GenerateAuthenticatorResponse(PasswordHashHash, NTResponse, PeerChallenge,
+ rchallenge, username, authResponse);
}
/* Same key in both directions. */
BCOPY(Digest, mppe_send_key, sizeof(mppe_send_key));
BCOPY(Digest, mppe_recv_key, sizeof(mppe_recv_key));
+
+ mppe_keys_set = 1;
}
/*
/*
* Set mppe_xxxx_key from MS-CHAPv2 credentials. (see RFC 3079)
+ *
+ * This helper function used in the Winbind module, which gets the
+ * NTHashHash from the server.
*/
-static void
-SetMasterKeys(char *secret, int secret_len, u_char NTResponse[24], int IsServer)
+void
+mppe_set_keys2(u_char PasswordHashHash[MD4_SIGNATURE_SIZE],
+ u_char NTResponse[24], int IsServer)
{
SHA1_CTX sha1Context;
- u_char unicodePassword[MAX_NT_PASSWORD * 2];
- u_char PasswordHash[MD4_SIGNATURE_SIZE];
- u_char PasswordHashHash[MD4_SIGNATURE_SIZE];
u_char MasterKey[SHA1_SIGNATURE_SIZE]; /* >= MPPE_MAX_KEY_LEN */
u_char Digest[SHA1_SIGNATURE_SIZE]; /* >= MPPE_MAX_KEY_LEN */
0x6b, 0x65, 0x79, 0x2e };
u_char *s;
- /* Hash (x2) the Unicode version of the secret (== password). */
- ascii2unicode(secret, secret_len, unicodePassword);
- NTPasswordHash(unicodePassword, secret_len * 2, PasswordHash);
- NTPasswordHash(PasswordHash, sizeof(PasswordHash), PasswordHashHash);
-
SHA1_Init(&sha1Context);
- SHA1_Update(&sha1Context, PasswordHashHash, sizeof(PasswordHashHash));
+ SHA1_Update(&sha1Context, PasswordHashHash, MD4_SIGNATURE_SIZE);
SHA1_Update(&sha1Context, NTResponse, 24);
SHA1_Update(&sha1Context, Magic1, sizeof(Magic1));
SHA1_Final(MasterKey, &sha1Context);
SHA1_Final(Digest, &sha1Context);
BCOPY(Digest, mppe_recv_key, sizeof(mppe_recv_key));
+
+ mppe_keys_set = 1;
+}
+
+/*
+ * Set mppe_xxxx_key from MS-CHAPv2 credentials. (see RFC 3079)
+ */
+static void
+SetMasterKeys(char *secret, int secret_len, u_char NTResponse[24], int IsServer)
+{
+ u_char unicodePassword[MAX_NT_PASSWORD * 2];
+ u_char PasswordHash[MD4_SIGNATURE_SIZE];
+ u_char PasswordHashHash[MD4_SIGNATURE_SIZE];
+ /* Hash (x2) the Unicode version of the secret (== password). */
+ ascii2unicode(secret, secret_len, unicodePassword);
+ NTPasswordHash(unicodePassword, secret_len * 2, PasswordHash);
+ NTPasswordHash(PasswordHash, sizeof(PasswordHash), PasswordHashHash);
+ mppe_set_keys2(PasswordHashHash, NTResponse, IsServer);
}
#endif /* MPPE */
ChapMS(u_char *rchallenge, char *secret, int secret_len,
MS_ChapResponse *response)
{
-#if 0
- CHAPDEBUG((LOG_INFO, "ChapMS: secret is '%.*s'", secret_len, secret));
-#endif
BZERO(response, sizeof(*response));
ChapMS_NT(rchallenge, secret, secret_len, response->NTResp);
#ifdef MPPE
Set_Start_Key(rchallenge, secret, secret_len);
- mppe_keys_set = 1;
#endif
}
sizeof(response->PeerChallenge));
/* Generate the NT-Response */
- ChapMS2_NT(rchallenge, response->PeerChallenge, user,
+ ChapMS2_NT((char *)rchallenge, response->PeerChallenge, user,
secret, secret_len, response->NTResp);
/* Generate the Authenticator Response. */
- GenerateAuthenticatorResponse(secret, secret_len, response->NTResp,
- response->PeerChallenge, rchallenge,
- user, authResponse);
+ GenerateAuthenticatorResponsePlain(secret, secret_len, response->NTResp,
+ response->PeerChallenge, rchallenge,
+ user, authResponse);
#ifdef MPPE
SetMasterKeys(secret, secret_len, response->NTResp, authenticator);
- mppe_keys_set = 1;
#endif
}
projects / ppp.git / blobdiff