X-Git-Url: http://git.ozlabs.org/?p=ppp.git;a=blobdiff_plain;f=pppd%2Fchap_ms.c;h=4e50d5bd24018d39ee5de7cc4f0bfe9663ce2d85;hp=d10b99a4f1980c6ac2f99fccd51d3bd2c202c9e2;hb=19872c62b8c5c5f77a4db07e52852f6bd22d4f75;hpb=bcfa20820fc9ff3b25bcf62308e3e737c1897dc6

diff --git a/pppd/chap_ms.c b/pppd/chap_ms.c
index d10b99a..4e50d5b 100644
--- a/pppd/chap_ms.c
+++ b/pppd/chap_ms.c
@@ -34,11 +34,13 @@
 /*
  * Modifications by Frank Cusack, frank@google.com, March 2002.
  *
- *   Implemented MS-CHAPv2 functionality.  Heavily based on
- *   sample implementation in RFC 2759.
+ *   Implemented MS-CHAPv2 functionality, heavily based on sample
+ *   implementation in RFC 2759.  Implemented MPPE functionality,
+ *   heavily based on sample implementation in RFC 3079.
+ *   Copyright (c) 2002 Google, Inc.
  */
 
-#define RCSID	"$Id: chap_ms.c,v 1.18 2002/03/05 15:14:04 dfs Exp $"
+#define RCSID	"$Id: chap_ms.c,v 1.22 2002/09/06 22:11:12 kad Exp $"
 
 #ifdef CHAPMS
 
@@ -88,6 +90,11 @@ static void	Expand __P((u_char *, u_char *));
 static void	Collapse __P((u_char *, u_char *));
 #endif
 
+#ifdef MPPE
+static void	Set_Start_Key __P((u_char *, char *, int));
+static void	SetMasterKeys __P((char *, int, u_char[24], int));
+#endif
+
 extern double drand48 __P((void));
 
 #ifdef MSLANMAN
@@ -95,6 +102,11 @@ bool	ms_lanman = 0;    	/* Use LanMan password instead of NT */
 			  	/* Has meaning only with MS-CHAP challenges */
 #endif
 
+#ifdef MPPE
+u_char mppe_send_key[MPPE_MAX_KEY_LEN];
+u_char mppe_recv_key[MPPE_MAX_KEY_LEN];
+#endif
+
 static void
 ChallengeResponse(u_char *challenge,
 		  u_char PasswordHash[MD4_SIGNATURE_SIZE],
@@ -249,11 +261,18 @@ ChallengeHash(u_char PeerChallenge[16], u_char *rchallenge,
 {
     SHA1_CTX	sha1Context;
     u_char	sha1Hash[SHA1_SIGNATURE_SIZE];
+    char	*user;
+
+    /* remove domain from "domain\username" */
+    if ((user = strrchr(username, '\\')) != NULL)
+	++user;
+    else
+	user = username;
 
     SHA1_Init(&sha1Context);
     SHA1_Update(&sha1Context, PeerChallenge, 16);
     SHA1_Update(&sha1Context, rchallenge, 16);
-    SHA1_Update(&sha1Context, username, strlen(username));
+    SHA1_Update(&sha1Context, user, strlen(user));
     SHA1_Final(sha1Hash, &sha1Context);
 
     BCOPY(sha1Hash, Challenge, 8);
@@ -356,16 +375,16 @@ GenerateAuthenticatorResponse(char *secret, int secret_len,
      * "Magic" constants used in response generation, from RFC 2759.
      */
     u_char Magic1[39] = /* "Magic server to client signing constant" */
-	{0x4D, 0x61, 0x67, 0x69, 0x63, 0x20, 0x73, 0x65, 0x72, 0x76,
-	 0x65, 0x72, 0x20, 0x74, 0x6F, 0x20, 0x63, 0x6C, 0x69, 0x65,
-	 0x6E, 0x74, 0x20, 0x73, 0x69, 0x67, 0x6E, 0x69, 0x6E, 0x67,
-	 0x20, 0x63, 0x6F, 0x6E, 0x73, 0x74, 0x61, 0x6E, 0x74};
+	{ 0x4D, 0x61, 0x67, 0x69, 0x63, 0x20, 0x73, 0x65, 0x72, 0x76,
+	  0x65, 0x72, 0x20, 0x74, 0x6F, 0x20, 0x63, 0x6C, 0x69, 0x65,
+	  0x6E, 0x74, 0x20, 0x73, 0x69, 0x67, 0x6E, 0x69, 0x6E, 0x67,
+	  0x20, 0x63, 0x6F, 0x6E, 0x73, 0x74, 0x61, 0x6E, 0x74 };
     u_char Magic2[41] = /* "Pad to make it do more than one iteration" */
-	{0x50, 0x61, 0x64, 0x20, 0x74, 0x6F, 0x20, 0x6D, 0x61, 0x6B,
-	 0x65, 0x20, 0x69, 0x74, 0x20, 0x64, 0x6F, 0x20, 0x6D, 0x6F,
-	 0x72, 0x65, 0x20, 0x74, 0x68, 0x61, 0x6E, 0x20, 0x6F, 0x6E,
-	 0x65, 0x20, 0x69, 0x74, 0x65, 0x72, 0x61, 0x74, 0x69, 0x6F,
-	 0x6E};
+	{ 0x50, 0x61, 0x64, 0x20, 0x74, 0x6F, 0x20, 0x6D, 0x61, 0x6B,
+	  0x65, 0x20, 0x69, 0x74, 0x20, 0x64, 0x6F, 0x20, 0x6D, 0x6F,
+	  0x72, 0x65, 0x20, 0x74, 0x68, 0x61, 0x6E, 0x20, 0x6F, 0x6E,
+	  0x65, 0x20, 0x69, 0x74, 0x65, 0x72, 0x61, 0x74, 0x69, 0x6F,
+	  0x6E };
 
     int		i;
     SHA1_CTX	sha1Context;
@@ -400,6 +419,148 @@ GenerateAuthenticatorResponse(char *secret, int secret_len,
 }
 
 
+#ifdef MPPE
+/*
+ * Set mppe_xxxx_key from the NTPasswordHashHash.
+ * RFC 2548 (RADIUS support) requires us to export this function (ugh).
+ */
+void
+mppe_set_keys(u_char *rchallenge, u_char PasswordHashHash[MD4_SIGNATURE_SIZE])
+{
+    SHA1_CTX	sha1Context;
+    u_char	Digest[SHA1_SIGNATURE_SIZE];	/* >= MPPE_MAX_KEY_LEN */
+
+    SHA1_Init(&sha1Context);
+    SHA1_Update(&sha1Context, PasswordHashHash, MD4_SIGNATURE_SIZE);
+    SHA1_Update(&sha1Context, PasswordHashHash, MD4_SIGNATURE_SIZE);
+    SHA1_Update(&sha1Context, rchallenge, 8);
+    SHA1_Final(Digest, &sha1Context);
+
+    /* Same key in both directions. */
+    BCOPY(Digest, mppe_send_key, sizeof(mppe_send_key));
+    BCOPY(Digest, mppe_recv_key, sizeof(mppe_recv_key));
+}
+
+/*
+ * Set mppe_xxxx_key from MS-CHAP credentials. (see RFC 3079)
+ */
+static void
+Set_Start_Key(u_char *rchallenge, char *secret, int secret_len)
+{
+    u_char	unicodePassword[MAX_NT_PASSWORD * 2];
+    u_char	PasswordHash[MD4_SIGNATURE_SIZE];
+    u_char	PasswordHashHash[MD4_SIGNATURE_SIZE];
+
+    /* Hash (x2) the Unicode version of the secret (== password). */
+    ascii2unicode(secret, secret_len, unicodePassword);
+    NTPasswordHash(unicodePassword, secret_len * 2, PasswordHash);
+    NTPasswordHash(PasswordHash, sizeof(PasswordHash), PasswordHashHash);
+
+    mppe_set_keys(rchallenge, PasswordHashHash);
+}
+
+/*
+ * Set mppe_xxxx_key from MS-CHAPv2 credentials. (see RFC 3079)
+ */
+static void
+SetMasterKeys(char *secret, int secret_len, u_char NTResponse[24], int IsServer)
+{
+    SHA1_CTX	sha1Context;
+    u_char	unicodePassword[MAX_NT_PASSWORD * 2];
+    u_char	PasswordHash[MD4_SIGNATURE_SIZE];
+    u_char	PasswordHashHash[MD4_SIGNATURE_SIZE];
+    u_char	MasterKey[SHA1_SIGNATURE_SIZE];	/* >= MPPE_MAX_KEY_LEN */
+    u_char	Digest[SHA1_SIGNATURE_SIZE];	/* >= MPPE_MAX_KEY_LEN */
+
+    u_char SHApad1[40] =
+	{ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+	  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+	  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+	  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
+    u_char SHApad2[40] =
+	{ 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2,
+	  0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2,
+	  0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2,
+	  0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2 };
+
+    /* "This is the MPPE Master Key" */
+    u_char Magic1[27] =
+	{ 0x54, 0x68, 0x69, 0x73, 0x20, 0x69, 0x73, 0x20, 0x74,
+	  0x68, 0x65, 0x20, 0x4d, 0x50, 0x50, 0x45, 0x20, 0x4d,
+	  0x61, 0x73, 0x74, 0x65, 0x72, 0x20, 0x4b, 0x65, 0x79 };
+    /* "On the client side, this is the send key; "
+       "on the server side, it is the receive key." */
+    u_char Magic2[84] =
+	{ 0x4f, 0x6e, 0x20, 0x74, 0x68, 0x65, 0x20, 0x63, 0x6c, 0x69,
+	  0x65, 0x6e, 0x74, 0x20, 0x73, 0x69, 0x64, 0x65, 0x2c, 0x20,
+	  0x74, 0x68, 0x69, 0x73, 0x20, 0x69, 0x73, 0x20, 0x74, 0x68,
+	  0x65, 0x20, 0x73, 0x65, 0x6e, 0x64, 0x20, 0x6b, 0x65, 0x79,
+	  0x3b, 0x20, 0x6f, 0x6e, 0x20, 0x74, 0x68, 0x65, 0x20, 0x73,
+	  0x65, 0x72, 0x76, 0x65, 0x72, 0x20, 0x73, 0x69, 0x64, 0x65,
+	  0x2c, 0x20, 0x69, 0x74, 0x20, 0x69, 0x73, 0x20, 0x74, 0x68,
+	  0x65, 0x20, 0x72, 0x65, 0x63, 0x65, 0x69, 0x76, 0x65, 0x20,
+	  0x6b, 0x65, 0x79, 0x2e };
+    /* "On the client side, this is the receive key; "
+       "on the server side, it is the send key." */
+    u_char Magic3[84] =
+	{ 0x4f, 0x6e, 0x20, 0x74, 0x68, 0x65, 0x20, 0x63, 0x6c, 0x69,
+	  0x65, 0x6e, 0x74, 0x20, 0x73, 0x69, 0x64, 0x65, 0x2c, 0x20,
+	  0x74, 0x68, 0x69, 0x73, 0x20, 0x69, 0x73, 0x20, 0x74, 0x68,
+	  0x65, 0x20, 0x72, 0x65, 0x63, 0x65, 0x69, 0x76, 0x65, 0x20,
+	  0x6b, 0x65, 0x79, 0x3b, 0x20, 0x6f, 0x6e, 0x20, 0x74, 0x68,
+	  0x65, 0x20, 0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0x20, 0x73,
+	  0x69, 0x64, 0x65, 0x2c, 0x20, 0x69, 0x74, 0x20, 0x69, 0x73,
+	  0x20, 0x74, 0x68, 0x65, 0x20, 0x73, 0x65, 0x6e, 0x64, 0x20,
+	  0x6b, 0x65, 0x79, 0x2e };
+    u_char *s;
+
+    /* Hash (x2) the Unicode version of the secret (== password). */
+    ascii2unicode(secret, secret_len, unicodePassword);
+    NTPasswordHash(unicodePassword, secret_len * 2, PasswordHash);
+    NTPasswordHash(PasswordHash, sizeof(PasswordHash), PasswordHashHash);
+
+    SHA1_Init(&sha1Context);
+    SHA1_Update(&sha1Context, PasswordHashHash, sizeof(PasswordHashHash));
+    SHA1_Update(&sha1Context, NTResponse, 24);
+    SHA1_Update(&sha1Context, Magic1, sizeof(Magic1));
+    SHA1_Final(MasterKey, &sha1Context);
+
+    /*
+     * generate send key
+     */
+    if (IsServer)
+	s = Magic3;
+    else
+	s = Magic2;
+    SHA1_Init(&sha1Context);
+    SHA1_Update(&sha1Context, MasterKey, 16);
+    SHA1_Update(&sha1Context, SHApad1, sizeof(SHApad1));
+    SHA1_Update(&sha1Context, s, 84);
+    SHA1_Update(&sha1Context, SHApad2, sizeof(SHApad2));
+    SHA1_Final(Digest, &sha1Context);
+
+    BCOPY(Digest, mppe_send_key, sizeof(mppe_send_key));
+
+    /*
+     * generate recv key
+     */
+    if (IsServer)
+	s = Magic2;
+    else
+	s = Magic3;
+    SHA1_Init(&sha1Context);
+    SHA1_Update(&sha1Context, MasterKey, 16);
+    SHA1_Update(&sha1Context, SHApad1, sizeof(SHApad1));
+    SHA1_Update(&sha1Context, s, 84);
+    SHA1_Update(&sha1Context, SHApad2, sizeof(SHApad2));
+    SHA1_Final(Digest, &sha1Context);
+
+    BCOPY(Digest, mppe_recv_key, sizeof(mppe_recv_key));
+}
+
+#endif /* MPPE */
+
+
 void
 ChapMS(chap_state *cstate, u_char *rchallenge, char *secret, int secret_len,
        MS_ChapResponse *response)
@@ -407,20 +568,24 @@ ChapMS(chap_state *cstate, u_char *rchallenge, char *secret, int secret_len,
 #if 0
     CHAPDEBUG((LOG_INFO, "ChapMS: secret is '%.*s'", secret_len, secret));
 #endif
-    BZERO(response, sizeof(response));
+    BZERO(response, sizeof(*response));
 
-    /* Calculate both always */
     ChapMS_NT(rchallenge, secret, secret_len, response->NTResp);
 
 #ifdef MSLANMAN
     ChapMS_LANMan(rchallenge, secret, secret_len, response);
 
-    /* prefered method is set by option  */
+    /* preferred method is set by option  */
     response->UseNT[0] = !ms_lanman;
 #else
     response->UseNT[0] = 1;
 #endif
 
+    cstate->resp_length = MS_CHAP_RESPONSE_LEN;
+
+#ifdef MPPE
+    Set_Start_Key(rchallenge, secret, secret_len);
+#endif
 }
 
 
@@ -428,7 +593,8 @@ ChapMS(chap_state *cstate, u_char *rchallenge, char *secret, int secret_len,
  * If PeerChallenge is NULL, one is generated and response->PeerChallenge
  * is filled in.  Call this way when generating a response.
  * If PeerChallenge is supplied, it is copied into response->PeerChallenge.
- * Call this way when verifying a response.
+ * Call this way when verifying a response (or debugging).
+ * Do not call with PeerChallenge = response->PeerChallenge.
  *
  * response->PeerChallenge is then used for calculation of the
  * Authenticator Response.
@@ -436,12 +602,13 @@ ChapMS(chap_state *cstate, u_char *rchallenge, char *secret, int secret_len,
 void
 ChapMS2(chap_state *cstate, u_char *rchallenge, u_char *PeerChallenge,
 	char *user, char *secret, int secret_len, MS_Chap2Response *response,
-	u_char authResponse[MS_AUTH_RESPONSE_LENGTH+1])
+	u_char authResponse[MS_AUTH_RESPONSE_LENGTH+1], int authenticator)
 {
+    /* ARGSUSED */
     u_char *p = response->PeerChallenge;
     int i;
 
-    BZERO(response, sizeof(response));
+    BZERO(response, sizeof(*response));
 
     /* Generate the Peer-Challenge if requested, or copy it if supplied. */
     if (!PeerChallenge)
@@ -459,6 +626,12 @@ ChapMS2(chap_state *cstate, u_char *rchallenge, u_char *PeerChallenge,
     GenerateAuthenticatorResponse(secret, secret_len, response->NTResp,
 				  response->PeerChallenge, rchallenge,
 				  user, authResponse);
+
+    cstate->resp_length = MS_CHAP2_RESPONSE_LEN;
+
+#ifdef MPPE
+    SetMasterKeys(secret, secret_len, response->NTResp, authenticator);
+#endif
 }