From 4cb90c1fb141ae3cca08c2ac9c663c14a4d2473e Mon Sep 17 00:00:00 2001 From: =?utf8?q?Eivind=20N=C3=A6ss?= Date: Mon, 8 Aug 2022 08:51:54 -0700 Subject: [PATCH] Reduce the clutter by defining the MD4/MD5/SHA digest lengths in one place. Avoid using these variables in function descriptors. MIME-Version: 1.0 Content-Type: text/plain; charset=utf8 Content-Transfer-Encoding: 8bit Signed-off-by: Eivind Næss --- pppd/chap-md5.c | 79 ++++++------ pppd/chap_ms.c | 53 ++++---- pppd/chap_ms.h | 17 ++- pppd/mppe.c | 30 ++--- pppd/mppe.h | 6 +- pppd/plugins/radius/Makefile.am | 15 +-- pppd/plugins/radius/md5.c | 29 ++++- pppd/plugins/radius/radius.c | 198 +++++++++++++++++++++-------- pppd/plugins/radius/radiusclient.h | 2 +- pppd/plugins/winbind.c | 5 +- pppd/ppp-crypto.c | 2 - pppd/ppp-crypto.h | 14 +- pppd/ppp-des.c | 7 +- 13 files changed, 279 insertions(+), 178 deletions(-) diff --git a/pppd/chap-md5.c b/pppd/chap-md5.c index 750a8d7..8bcbbba 100644 --- a/pppd/chap-md5.c +++ b/pppd/chap-md5.c @@ -42,7 +42,6 @@ #include "magic.h" #include "ppp-crypto.h" -#define MD5_HASH_SIZE 16 #define MD5_MIN_CHALLENGE 16 #define MD5_MAX_CHALLENGE 24 
@@ -64,42 +63,42 @@ chap_md5_verify_response(int id, char *name, char *message, int message_space) { unsigned char idbyte = id; - unsigned char hash[MD5_HASH_SIZE]; - unsigned int hash_len = MD5_HASH_SIZE; + unsigned char hash[MD5_DIGEST_LENGTH]; + unsigned int hash_len = MD5_DIGEST_LENGTH; int challenge_len, response_len; - bool success = 0; + bool success = 0; challenge_len = *challenge++; response_len = *response++; - if (response_len == MD5_HASH_SIZE) { + if (response_len == MD5_DIGEST_LENGTH) { /* Generate hash of ID, secret, challenge */ - PPP_MD_CTX* ctx = PPP_MD_CTX_new(); - if (ctx) { + PPP_MD_CTX* ctx = PPP_MD_CTX_new(); + if (ctx) { - if (PPP_DigestInit(ctx, PPP_md5())) { + if (PPP_DigestInit(ctx, PPP_md5())) { - if (PPP_DigestUpdate(ctx, &idbyte, 1)) { + if (PPP_DigestUpdate(ctx, &idbyte, 1)) { - if (PPP_DigestUpdate(ctx, secret, secret_len)) { + if (PPP_DigestUpdate(ctx, secret, secret_len)) { - if (PPP_DigestUpdate(ctx, challenge, challenge_len)) { + if (PPP_DigestUpdate(ctx, challenge, challenge_len)) { - if (PPP_DigestFinal(ctx, hash, &hash_len)) { + if (PPP_DigestFinal(ctx, hash, &hash_len)) { - success = 1; - } - } - } - } - } - PPP_MD_CTX_free(ctx); - } + success = 1; + } + } + } + } + } + PPP_MD_CTX_free(ctx); + } + } + if (success && memcmp(hash, response, hash_len) == 0) { + slprintf(message, message_space, "Access granted"); + return 1; } - if (success && memcmp(hash, response, hash_len) == 0) { - slprintf(message, message_space, "Access granted"); - return 1; - } slprintf(message, message_space, "Access denied"); return 0; } 
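Review bot: `hash_len` is declared `unsigned int` here and handed to PPP_DigestFinal as `&hash_len`, while chap_md5_make_response in the next hunk, ChallengeHash and NTPasswordHash in chap_ms.c, rc_md5_calc in md5.c and mppe_set_chapv1/mppe_set_chapv2 in mppe.c all pass an `int` for the same parameter, and radius.c passes `unsigned int` again. Whichever signedness the PPP_DigestFinal prototype declares (it is not in this diff), the other call sites pass a pointer of the wrong signedness and would draw -Wpointer-sign; since this commit already rewrites every one of those declarations, it is the moment to settle on one type, e.g. `unsigned int hash_len = MD5_DIGEST_LENGTH;` in chap_md5_make_response. The re-indentation also turns most of this hunk into whitespace-only pairs such as `- bool success = 0;` / `+ bool success = 0;`, which would be easier to review as a separate whitespace commit.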
@@ -111,29 +110,29 @@ chap_md5_make_response(unsigned char *response, int id, char *our_name, { unsigned char idbyte = id; int challenge_len = *challenge++; - int hash_len = MD5_HASH_SIZE; + int hash_len = MD5_DIGEST_LENGTH; - PPP_MD_CTX* ctx = PPP_MD_CTX_new(); - if (ctx) { + PPP_MD_CTX* ctx = PPP_MD_CTX_new(); + if (ctx) { - if (PPP_DigestInit(ctx, PPP_md5())) { + if (PPP_DigestInit(ctx, PPP_md5())) { - if (PPP_DigestUpdate(ctx, &idbyte, 1)) { + if (PPP_DigestUpdate(ctx, &idbyte, 1)) { - if (PPP_DigestUpdate(ctx, secret, secret_len)) { + if (PPP_DigestUpdate(ctx, secret, secret_len)) { - if (PPP_DigestUpdate(ctx, challenge, challenge_len)) { + if (PPP_DigestUpdate(ctx, challenge, challenge_len)) { - if (PPP_DigestFinal(ctx, &response[1], &hash_len)) { + if (PPP_DigestFinal(ctx, &response[1], &hash_len)) { - response[0] = hash_len; - } - } - } - } - } - PPP_MD_CTX_free(ctx); - } + response[0] = hash_len; + } + } + } + } + } + PPP_MD_CTX_free(ctx); + } } static struct chap_digest_type md5_digest = { diff --git a/pppd/chap_ms.c b/pppd/chap_ms.c index 45a10f3..71942fe 100644 --- a/pppd/chap_ms.c +++ b/pppd/chap_ms.c @@ -105,8 +105,8 @@ #endif static void ascii2unicode (char[], int, u_char[]); -static void NTPasswordHash (u_char *, int, u_char[MD4_SIGNATURE_SIZE]); -static int ChallengeResponse (u_char *, u_char *, u_char[24]); +static void NTPasswordHash (u_char *, int, unsigned char *); +static int ChallengeResponse (u_char *, u_char *, u_char*); static void ChapMS_NT (u_char *, char *, int, u_char[24]); static void ChapMS2_NT (u_char *, u_char[16], char *, char *, int, u_char[24]); 
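Review bot: the new prototype `static void NTPasswordHash (u_char *, int, unsigned char *);` mixes `unsigned char *` with the file's `u_char` in a single declaration, and `static int ChallengeResponse (u_char *, u_char *, u_char*);` drops the space the file otherwise puts before `*`; the same `unsigned char*` spelling recurs in the NTPasswordHash and GenerateAuthenticatorResponse definitions later in chap_ms.c. Suggest `static void NTPasswordHash (u_char *, int, u_char *);` and `static int ChallengeResponse (u_char *, u_char *, u_char *);`. Dropping the array dimensions also removes the only in-code statement of how large `response` must be, so a short comment on the prototype, `/* response must hold 24 bytes */`, keeps that information where a caller will see it.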
@@ -502,22 +502,19 @@ print_msg: free(msg); } -// TODO: Move this definition somewhere -#define NT_RESPONSE_LEN 24 - static int ChallengeResponse(u_char *challenge, - u_char PasswordHash[MD4_SIGNATURE_SIZE], - u_char response[NT_RESPONSE_LEN]) + u_char *PasswordHash, + u_char *response) { u_char ZPasswordHash[21]; PPP_CIPHER_CTX *ctx; - int outlen = NT_RESPONSE_LEN; + int outlen = 0; int offset = 0; int retval = 0; BZERO(ZPasswordHash, sizeof(ZPasswordHash)); - BCOPY(PasswordHash, ZPasswordHash, MD4_SIGNATURE_SIZE); + BCOPY(PasswordHash, ZPasswordHash, MD4_DIGEST_LENGTH); #if 0 dbglog("ChallengeResponse - ZPasswordHash %.*B", @@ -564,7 +561,7 @@ ChallengeHash(u_char PeerChallenge[16], u_char *rchallenge, { PPP_MD_CTX* ctx; - u_char hash[SHA1_SIGNATURE_SIZE]; + u_char hash[SHA_DIGEST_LENGTH]; int hash_len; char *user; @@ -585,7 +582,7 @@ ChallengeHash(u_char PeerChallenge[16], u_char *rchallenge, if (PPP_DigestUpdate(ctx, user, strlen(user))) { - hash_len = SHA1_SIGNATURE_SIZE; + hash_len = SHA_DIGEST_LENGTH; if (PPP_DigestFinal(ctx, hash, &hash_len)) { BCOPY(hash, Challenge, 8); @@ -617,7 +614,7 @@ ascii2unicode(char ascii[], int ascii_len, u_char unicode[]) } static void -NTPasswordHash(u_char *secret, int secret_len, u_char hash[MD4_SIGNATURE_SIZE]) +NTPasswordHash(u_char *secret, int secret_len, unsigned char* hash) { PPP_MD_CTX* ctx = PPP_MD_CTX_new(); if (ctx != NULL) { @@ -626,7 +623,7 @@ NTPasswordHash(u_char *secret, int secret_len, u_char hash[MD4_SIGNATURE_SIZE]) if (PPP_DigestUpdate(ctx, secret, secret_len)) { - int hash_len = MD4_SIGNATURE_SIZE; + int hash_len = MD4_DIGEST_LENGTH; PPP_DigestFinal(ctx, hash, &hash_len); } } 
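Review bot: `int outlen = 0;` replaces `int outlen = NT_RESPONSE_LEN;` (24) in ChallengeResponse, which is a behaviour change rather than a rename and is not mentioned in the commit message. How `outlen` is consumed lies past the end of this hunk; if the cipher calls only write it, the new initialiser is harmless and deserves a comment such as `int outlen = 0;  /* written by the cipher update calls */`, but if it is read as the remaining capacity of `response`, zero makes the first block fail or write nothing. The rest of ChallengeResponse continues outside the hunk, so this needs checking against the cipher call sites.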
@@ -640,7 +637,7 @@ ChapMS_NT(u_char *rchallenge, char *secret, int secret_len, u_char NTResponse[24]) { u_char unicodePassword[MAX_NT_PASSWORD * 2]; - u_char PasswordHash[MD4_SIGNATURE_SIZE]; + u_char PasswordHash[MD4_DIGEST_LENGTH]; /* Hash the Unicode version of the secret (== password). */ ascii2unicode(secret, secret_len, unicodePassword); @@ -654,7 +651,7 @@ ChapMS2_NT(u_char *rchallenge, u_char PeerChallenge[16], char *username, char *secret, int secret_len, u_char NTResponse[24]) { u_char unicodePassword[MAX_NT_PASSWORD * 2]; - u_char PasswordHash[MD4_SIGNATURE_SIZE]; + u_char PasswordHash[MD4_DIGEST_LENGTH]; u_char Challenge[8]; ChallengeHash(PeerChallenge, rchallenge, username, Challenge); @@ -675,7 +672,7 @@ ChapMS_LANMan(u_char *rchallenge, char *secret, int secret_len, { int i; u_char UcasePassword[MAX_NT_PASSWORD]; /* max is actually 14 */ - u_char PasswordHash[MD4_SIGNATURE_SIZE]; + u_char PasswordHash[MD4_DIGEST_LENGTH]; /* LANMan password is case insensitive */ BZERO(UcasePassword, sizeof(UcasePassword)); @@ -691,10 +688,10 @@ ChapMS_LANMan(u_char *rchallenge, char *secret, int secret_len, void -GenerateAuthenticatorResponse(u_char PasswordHashHash[MD4_SIGNATURE_SIZE], - u_char NTResponse[24], u_char PeerChallenge[16], - u_char *rchallenge, char *username, - u_char authResponse[MS_AUTH_RESPONSE_LENGTH+1]) +GenerateAuthenticatorResponse(unsigned char* PasswordHashHash, + unsigned char *NTResponse, unsigned char *PeerChallenge, + unsigned char *rchallenge, char *username, + unsigned char *authResponse) { /* * "Magic" constants used in response generation, from RFC 2759. @@ -713,7 +710,7 @@ GenerateAuthenticatorResponse(u_char PasswordHashHash[MD4_SIGNATURE_SIZE], int i; PPP_MD_CTX *ctx; - u_char Digest[SHA1_SIGNATURE_SIZE]; + u_char Digest[SHA_DIGEST_LENGTH]; int hash_len; u_char Challenge[8]; 
@@ -722,7 +719,7 @@ GenerateAuthenticatorResponse(u_char PasswordHashHash[MD4_SIGNATURE_SIZE], if (PPP_DigestInit(ctx, PPP_sha1())) { - if (PPP_DigestUpdate(ctx, PasswordHashHash, MD4_SIGNATURE_SIZE)) { + if (PPP_DigestUpdate(ctx, PasswordHashHash, MD4_DIGEST_LENGTH)) { if (PPP_DigestUpdate(ctx, NTResponse, 24)) { @@ -775,8 +772,8 @@ GenerateAuthenticatorResponsePlain u_char authResponse[MS_AUTH_RESPONSE_LENGTH+1]) { u_char unicodePassword[MAX_NT_PASSWORD * 2]; - u_char PasswordHash[MD4_SIGNATURE_SIZE]; - u_char PasswordHashHash[MD4_SIGNATURE_SIZE]; + u_char PasswordHash[MD4_DIGEST_LENGTH]; + u_char PasswordHashHash[MD4_DIGEST_LENGTH]; /* Hash (x2) the Unicode version of the secret (== password). */ ascii2unicode(secret, secret_len, unicodePassword); @@ -798,8 +795,8 @@ static void Set_Start_Key(u_char *rchallenge, char *secret, int secret_len) { u_char unicodePassword[MAX_NT_PASSWORD * 2]; - u_char PasswordHash[MD4_SIGNATURE_SIZE]; - u_char PasswordHashHash[MD4_SIGNATURE_SIZE]; + u_char PasswordHash[MD4_DIGEST_LENGTH]; + u_char PasswordHashHash[MD4_DIGEST_LENGTH]; /* Hash (x2) the Unicode version of the secret (== password). */ ascii2unicode(secret, secret_len, unicodePassword); @@ -816,8 +813,8 @@ static void SetMasterKeys(char *secret, int secret_len, u_char NTResponse[24], int IsServer) { u_char unicodePassword[MAX_NT_PASSWORD * 2]; - u_char PasswordHash[MD4_SIGNATURE_SIZE]; - u_char PasswordHashHash[MD4_SIGNATURE_SIZE]; + u_char PasswordHash[MD4_DIGEST_LENGTH]; + u_char PasswordHashHash[MD4_DIGEST_LENGTH]; /* Hash (x2) the Unicode version of the secret (== password). */ ascii2unicode(secret, secret_len, unicodePassword); NTPasswordHash(unicodePassword, secret_len * 2, PasswordHash); diff --git a/pppd/chap_ms.h b/pppd/chap_ms.h index 7b08cff..5397a22 100644 --- a/pppd/chap_ms.h +++ b/pppd/chap_ms.h 
@@ -35,7 +35,6 @@ #include "pppdconf.h" -#define MD4_SIGNATURE_SIZE 16 /* 16 bytes in a MD4 message digest */ #define MAX_NT_PASSWORD 256 /* Max (Unicode) chars in an NT pass */ #define MS_CHAP_RESPONSE_LEN 49 /* Response length for MS-CHAP */ @@ -81,10 +80,18 @@ void ChapMS2 (u_char *, u_char *, char *, char *, int, void ChallengeHash (u_char[16], u_char *, char *, u_char[8]); -void GenerateAuthenticatorResponse(u_char PasswordHashHash[MD4_SIGNATURE_SIZE], - u_char NTResponse[24], u_char PeerChallenge[16], - u_char *rchallenge, char *username, - u_char authResponse[MS_AUTH_RESPONSE_LENGTH+1]); + +/** + * PasswordHashHash - 16 bytes representing the NT Password Hash Hash + * NTResponse - 24 bytes represending the NTResponse parameter + * PeerChallenge - 16 bytes challange for peer + * rchallenge - 16 bytes challenge provided by peer + * authResponse - 24 + 1 byte to store the authenticator response + */ +void GenerateAuthenticatorResponse(unsigned char *PasswordHashHash, + unsigned char *NTResponse, unsigned char *PeerChallenge, + unsigned char *rchallenge, char *username, + unsigned char *authResponse); void chapms_init(void); diff --git a/pppd/mppe.c b/pppd/mppe.c index d3019b6..c1bc4d3 100644 --- a/pppd/mppe.c +++ b/pppd/mppe.c @@ -109,10 +109,10 @@ mppe_clear_keys(void) * RFC 2548 (RADIUS support) requires us to export this function (ugh). */ void -mppe_set_chapv1(u_char *rchallenge, u_char PasswordHashHash[MD4_SIGNATURE_SIZE]) +mppe_set_chapv1(unsigned char *rchallenge, unsigned char *PasswordHashHash) { PPP_MD_CTX *ctx; - u_char Digest[SHA1_SIGNATURE_SIZE]; + u_char Digest[SHA_DIGEST_LENGTH]; int DigestLen; ctx = PPP_MD_CTX_new(); 
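Review bot: the new comment on GenerateAuthenticatorResponse in chap_ms.h has typos (`represending`, `challange`), documents every parameter except `username`, and says `authResponse - 24 + 1 byte` although the declaration it replaces sized that buffer `MS_AUTH_RESPONSE_LENGTH+1`; unless that macro happens to be 24, the comment understates the buffer, and RFC 2759 (which chap_ms.c cites for its magic constants) defines the authenticator response as `S=` followed by 40 hex digits. A caller allocating 25 bytes on the strength of this comment would overflow, so suggest `authResponse - MS_AUTH_RESPONSE_LENGTH + 1 bytes to store the authenticator response` and `username - NUL-terminated user name`. Now that the array dimensions are gone, this comment is the only statement of the sizes, so it is worth getting exactly right.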
@@ -120,13 +120,13 @@ mppe_set_chapv1(u_char *rchallenge, u_char PasswordHashHash[MD4_SIGNATURE_SIZE]) if (PPP_DigestInit(ctx, PPP_sha1())) { - if (PPP_DigestUpdate(ctx, PasswordHashHash, MD4_SIGNATURE_SIZE)) { + if (PPP_DigestUpdate(ctx, PasswordHashHash, MD4_DIGEST_LENGTH)) { - if (PPP_DigestUpdate(ctx, PasswordHashHash, MD4_SIGNATURE_SIZE)) { + if (PPP_DigestUpdate(ctx, PasswordHashHash, MD4_DIGEST_LENGTH)) { if (PPP_DigestUpdate(ctx, rchallenge, 8)) { - DigestLen = SHA1_SIGNATURE_SIZE; + DigestLen = SHA_DIGEST_LENGTH; PPP_DigestFinal(ctx, Digest, &DigestLen); } } @@ -148,14 +148,14 @@ mppe_set_chapv1(u_char *rchallenge, u_char PasswordHashHash[MD4_SIGNATURE_SIZE]) * NTHashHash from the server. */ void -mppe_set_chapv2(u_char PasswordHashHash[MD4_SIGNATURE_SIZE], - u_char NTResponse[MS_AUTH_NTRESP_LEN], int IsServer) +mppe_set_chapv2(unsigned char *PasswordHashHash, unsigned char *NTResponse, + int IsServer) { PPP_MD_CTX *ctx; - u_char MasterKey[SHA1_SIGNATURE_SIZE]; - u_char SendKey[SHA1_SIGNATURE_SIZE]; - u_char RecvKey[SHA1_SIGNATURE_SIZE]; + u_char MasterKey[SHA_DIGEST_LENGTH]; + u_char SendKey[SHA_DIGEST_LENGTH]; + u_char RecvKey[SHA_DIGEST_LENGTH]; int KeyLen; u_char SHApad1[40] = @@ -205,13 +205,13 @@ mppe_set_chapv2(u_char PasswordHashHash[MD4_SIGNATURE_SIZE], if (PPP_DigestInit(ctx, PPP_sha1())) { - if (PPP_DigestUpdate(ctx, PasswordHashHash, MD4_SIGNATURE_SIZE)) { + if (PPP_DigestUpdate(ctx, PasswordHashHash, MD4_DIGEST_LENGTH)) { if (PPP_DigestUpdate(ctx, NTResponse, 24)) { if (PPP_DigestUpdate(ctx, Magic1, sizeof(Magic1))) { - KeyLen = SHA1_SIGNATURE_SIZE; + KeyLen = SHA_DIGEST_LENGTH; PPP_DigestFinal(ctx, MasterKey, &KeyLen); } } @@ -242,7 +242,7 @@ mppe_set_chapv2(u_char PasswordHashHash[MD4_SIGNATURE_SIZE], if (PPP_DigestUpdate(ctx, SHApad2, sizeof(SHApad2))) { - KeyLen = SHA1_SIGNATURE_SIZE; + KeyLen = SHA_DIGEST_LENGTH; PPP_DigestFinal(ctx, SendKey, &KeyLen); } } 
@@ -275,7 +275,7 @@ mppe_set_chapv2(u_char PasswordHashHash[MD4_SIGNATURE_SIZE], if (PPP_DigestUpdate(ctx, SHApad2, sizeof(SHApad2))) { - KeyLen = SHA1_SIGNATURE_SIZE; + KeyLen = SHA_DIGEST_LENGTH; PPP_DigestFinal(ctx, RecvKey, &KeyLen); } } @@ -286,7 +286,7 @@ mppe_set_chapv2(u_char PasswordHashHash[MD4_SIGNATURE_SIZE], PPP_MD_CTX_free(ctx); } - mppe_set_keys(SendKey, RecvKey, SHA1_SIGNATURE_SIZE); + mppe_set_keys(SendKey, RecvKey, SHA_DIGEST_LENGTH); } #ifndef UNIT_TEST diff --git a/pppd/mppe.h b/pppd/mppe.h index ade208f..f1c53c3 100644 --- a/pppd/mppe.h +++ b/pppd/mppe.h @@ -179,13 +179,13 @@ bool mppe_keys_isset(void); /* * Set mppe_xxxx_key from NT Password Hash Hash (MSCHAPv1), see RFC3079 */ -void mppe_set_chapv1(u_char *rchallenge, u_char PasswordHashHash[MD4_SIGNATURE_SIZE]); +void mppe_set_chapv1(unsigned char *rchallenge, unsigned char *PasswordHashHash); /* * Set the mppe_xxxx_key from MS-CHAP-v2 credentials, see RFC3079 */ -void mppe_set_chapv2(u_char PasswordHashHash[MD4_SIGNATURE_SIZE], - u_char NTResponse[MS_AUTH_NTRESP_LEN], int IsServer); +void mppe_set_chapv2(unsigned char *PasswordHashHash, + unsigned char *NTResponse, int IsServer); #endif // #ifdef PPP_WITH_MPPE #endif // #ifdef PPP_MPPE_H diff --git a/pppd/plugins/radius/Makefile.am b/pppd/plugins/radius/Makefile.am index 40f4d16..3897e98 100644 --- a/pppd/plugins/radius/Makefile.am +++ b/pppd/plugins/radius/Makefile.am @@ -32,9 +32,6 @@ radius_la_CPPFLAGS = $(RADIUS_CPPFLAGS) radius_la_LDFLAGS = $(RADIUS_LDFLAGS) radius_la_SOURCES = radius.c radius_la_LIBADD = libradiusclient.la -if WITH_OPENSSL -radius_la_LIBADD += $(OPENSSL_LIBS) -endif radattr_la_CPPFLAGS = $(RADIUS_CPPFLAGS) radattr_la_LDFLAGS = $(RADIUS_LDFLAGS) 
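Review bot: mppe.h now declares mppe_set_chapv1 and mppe_set_chapv2 with bare `unsigned char *` parameters, so the header no longer says how many bytes each pointer must cover, and the two comments above them were not extended to say so; the mppe.c bodies in this diff read MD4_DIGEST_LENGTH bytes of PasswordHashHash, 8 bytes of rchallenge in the v1 path and 24 bytes of NTResponse in the v2 path. Suggest adding to each comment, e.g. `PasswordHashHash: MD4_DIGEST_LENGTH bytes; rchallenge: at least 8 bytes are read` and `PasswordHashHash: MD4_DIGEST_LENGTH bytes; NTResponse: 24 bytes`, since the radius plugin outside this file now relies on the comment alone for those sizes.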
@@ -46,19 +43,9 @@ radrealms_la_SOURCES = radrealms.c libradiusclient_la_SOURCES = \ avpair.c buildreq.c config.c dict.c ip_util.c \ - clientid.c sendserver.c lock.c util.c + clientid.c sendserver.c lock.c util.c md5.c libradiusclient_la_CPPFLAGS = $(RADIUS_CPPFLAGS) -DSYSCONFDIR=\"${sysconfdir}\" -if !WITH_OPENSSL -libradiusclient_la_SOURCES += md5.c -else -if OPENSSL_HAVE_MD5 -libradiusclient_la_SOURCES += md5.c -else -libradiusclient_la_CPPFLAGS += $(OPENSSL_INCLUDES) -endif -endif - EXTRA_DIST = \ $(EXTRA_FILES) \ $(EXTRA_ETC) diff --git a/pppd/plugins/radius/md5.c b/pppd/plugins/radius/md5.c index 8acfb38..5a3903d 100644 --- a/pppd/plugins/radius/md5.c +++ b/pppd/plugins/radius/md5.c @@ -1,13 +1,30 @@ /* * $Id: md5.c,v 1.1 2004/11/14 07:26:26 paulus Exp $ */ -#include +#include -void rc_md5_calc (unsigned char *output, unsigned char *input, unsigned int inlen) +#include + +int rc_md5_calc(unsigned char *out, const unsigned char *in, unsigned int inl) { - MD5_CTX context; + int retval = 0; + int outl = MD5_DIGEST_LENGTH; + + PPP_MD_CTX *ctx = PPP_MD_CTX_new(); + if (ctx) { + + if (PPP_DigestInit(ctx, PPP_md5())) { + + if (PPP_DigestUpdate(ctx, in, inl)) { + + if (PPP_DigestFinal(ctx, out, &outl)) { + + retval = 1; + } + } + } - MD5_Init (&context); - MD5_Update (&context, input, inlen); - MD5_Final (output, &context); + PPP_MD_CTX_free(ctx); + } + return retval; } diff --git a/pppd/plugins/radius/radius.c b/pppd/plugins/radius/radius.c index 02875b4..999a306 100644 --- a/pppd/plugins/radius/radius.c +++ b/pppd/plugins/radius/radius.c @@ -40,7 +40,7 @@ static char const RCSID[] = #include #ifdef PPP_WITH_MPPE #include -#include +#include #endif #endif #include @@ -50,8 +50,6 @@ static char const RCSID[] = #define BUF_LEN 1024 -#define MD5_HASH_SIZE 16 - #define MSDNS 1 static char *config_file = NULL; 
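Review bot: rc_md5_calc now returns 0 when PPP_MD_CTX_new or any digest step fails and leaves `out` untouched, but no caller is changed in this diff; the radius client code that calls it was written against the old `void` prototype and, unless updated in another commit, still ignores the result, so on failure an uninitialised buffer would be used wherever the digest feeds a RADIUS authenticator. Either make the callers check the result or preserve the old contract by zero-filling `out` before returning 0, e.g. `if (!retval) memset(out, 0, MD5_DIGEST_LENGTH);`. `int outl = MD5_DIGEST_LENGTH;` is also passed to PPP_DigestFinal as `int *` while radius.c passes `unsigned int *` for the same parameter; see the chap-md5.c note on settling that type.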
@@ -400,15 +398,15 @@ radius_chap_verify(char *user, char *ourname, int id, switch (digest->code) { case CHAP_MD5: /* CHAP-Challenge and CHAP-Password */ - if (response_len != MD5_HASH_SIZE) + if (response_len != MD5_DIGEST_LENGTH) return 0; cpassword[0] = id; - memcpy(&cpassword[1], response, MD5_HASH_SIZE); + memcpy(&cpassword[1], response, MD5_DIGEST_LENGTH); rc_avpair_add(&send, PW_CHAP_CHALLENGE, challenge, challenge_len, VENDOR_NONE); rc_avpair_add(&send, PW_CHAP_PASSWORD, - cpassword, MD5_HASH_SIZE + 1, VENDOR_NONE); + cpassword, MD5_DIGEST_LENGTH + 1, VENDOR_NONE); break; #ifdef PPP_WITH_CHAPMS @@ -772,9 +770,12 @@ radius_setmppekeys(VALUE_PAIR *vp, REQUEST_INFO *req_info, unsigned char *challenge) { int i; - MD5_CTX Context; - u_char plain[32]; - u_char buf[16]; + int status = 0; + PPP_MD_CTX *ctx; + unsigned char plain[32]; + unsigned char buf[MD5_DIGEST_LENGTH]; + unsigned int buflen; + if (vp->lvalue != 32) { error("RADIUS: Incorrect attribute length (%d) for MS-CHAP-MPPE-Keys", 
@@ -784,30 +785,70 @@ radius_setmppekeys(VALUE_PAIR *vp, REQUEST_INFO *req_info, memcpy(plain, vp->strvalue, sizeof(plain)); - MD5_Init(&Context); - MD5_Update(&Context, req_info->secret, strlen(req_info->secret)); - MD5_Update(&Context, req_info->request_vector, AUTH_VECTOR_LEN); - MD5_Final(buf, &Context); + ctx = PPP_MD_CTX_new(); + if (ctx) { - for (i = 0; i < 16; i++) - plain[i] ^= buf[i]; + if (PPP_DigestInit(ctx, PPP_md5())) { - MD5_Init(&Context); - MD5_Update(&Context, req_info->secret, strlen(req_info->secret)); - MD5_Update(&Context, vp->strvalue, 16); - MD5_Final(buf, &Context); + if (PPP_DigestUpdate(ctx, req_info->secret, strlen(req_info->secret))) { - for(i = 0; i < 16; i++) - plain[i + 16] ^= buf[i]; + if (PPP_DigestUpdate(ctx, req_info->request_vector, AUTH_VECTOR_LEN)) { - /* - * Annoying. The "key" returned is just the NTPasswordHashHash, which - * the NAS (us) doesn't need; we only need the start key. So we have - * to generate the start key, sigh. NB: We do not support the LM-Key. - */ - mppe_set_chapv1(challenge, &plain[8]); + buflen = sizeof(buf); + if (PPP_DigestFinal(ctx, buf, &buflen)) { + + status = 1; + } + } + } + } + PPP_MD_CTX_free(ctx); + } + + if (status) { + + for (i = 0; i < MD5_DIGEST_LENGTH; i++) { + plain[i] ^= buf[i]; + } + + status = 0; + ctx = PPP_MD_CTX_new(); + if (ctx) { + + if (PPP_DigestInit(ctx, PPP_md5())) { - return 0; + if (PPP_DigestUpdate(ctx, req_info->secret, strlen(req_info->secret))) { + + if (PPP_DigestUpdate(ctx, vp->strvalue, 16)) { + + buflen = MD5_DIGEST_LENGTH; + if (PPP_DigestFinal(ctx, buf, &buflen)) { + + status = 1; + } + } + } + } + PPP_MD_CTX_free(ctx); + } + + if (status) { + + for(i = 0; i < MD5_DIGEST_LENGTH; i++) { + plain[i + 16] ^= buf[i]; + } + + /* + * Annoying. The "key" returned is just the NTPasswordHashHash, which + * the NAS (us) doesn't need; we only need the start key. So we have + * to generate the start key, sigh. NB: We do not support the LM-Key. 
+ */ + mppe_set_chapv1(challenge, &plain[8]); + return 0; + } + } + + return -1; } /********************************************************************** @@ -825,11 +866,13 @@ static int radius_setmppekeys2(VALUE_PAIR *vp, REQUEST_INFO *req_info) { int i; - MD5_CTX Context; - u_char *salt = vp->strvalue; - u_char *crypt = vp->strvalue + 2; - u_char plain[32]; - u_char buf[MD5_HASH_SIZE]; + int status = 0; + PPP_MD_CTX *ctx; + unsigned char *salt = vp->strvalue; + unsigned char *crypt = vp->strvalue + 2; + unsigned char plain[32]; + unsigned char buf[MD5_DIGEST_LENGTH]; + unsigned int buflen; char *type = "Send"; if (vp->attribute == PW_MS_MPPE_RECV_KEY) 
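Review bot: the new body of radius_setmppekeys nests eight `if` levels deep to express two MD5 computations, and the same pyramid is repeated twice more in radius_setmppekeys2 in the next hunk; the two rounds here also initialise the length differently (`buflen = sizeof(buf);` then `buflen = MD5_DIGEST_LENGTH;`) for no visible reason. A small static helper that hashes the shared secret followed by one or two more parts flattens all four sites to a call plus an XOR loop and keeps the early `return -1` paths visible; the sketch below shows the helper and this function's two rounds, with the first round's second part left NULL and radius_setmppekeys2 passing `salt, 2` there. The declarations and the `vp->lvalue != 32` check of radius_setmppekeys are in the previous hunk.
```c
/* MD5 over req_info->secret, then p1 and (if non-NULL) p2; 1 on success, 0 on failure. */
static int
radius_md5_secret(REQUEST_INFO *req_info,
                  const void *p1, size_t l1,
                  const void *p2, size_t l2,
                  unsigned char out[MD5_DIGEST_LENGTH])
{
    unsigned int outlen = MD5_DIGEST_LENGTH;
    int ok = 0;
    PPP_MD_CTX *ctx = PPP_MD_CTX_new();

    if (ctx) {
        ok = PPP_DigestInit(ctx, PPP_md5())
          && PPP_DigestUpdate(ctx, req_info->secret, strlen(req_info->secret))
          && PPP_DigestUpdate(ctx, p1, l1)
          && (p2 == NULL || PPP_DigestUpdate(ctx, p2, l2))
          && PPP_DigestFinal(ctx, out, &outlen);
        PPP_MD_CTX_free(ctx);
    }
    return ok;
}

    /* … in radius_setmppekeys, replacing the two nested digest blocks … */
    if (!radius_md5_secret(req_info, req_info->request_vector, AUTH_VECTOR_LEN,
                           NULL, 0, buf))
        return -1;
    for (i = 0; i < MD5_DIGEST_LENGTH; i++)
        plain[i] ^= buf[i];

    if (!radius_md5_secret(req_info, vp->strvalue, 16, NULL, 0, buf))
        return -1;
    for (i = 0; i < MD5_DIGEST_LENGTH; i++)
        plain[i + 16] ^= buf[i];

    /* … unchanged: NTPasswordHashHash comment, mppe_set_chapv1(challenge, &plain[8]); return 0; … */
```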
@@ -848,34 +891,81 @@ radius_setmppekeys2(VALUE_PAIR *vp, REQUEST_INFO *req_info) memcpy(plain, crypt, 32); - MD5_Init(&Context); - MD5_Update(&Context, req_info->secret, strlen(req_info->secret)); - MD5_Update(&Context, req_info->request_vector, AUTH_VECTOR_LEN); - MD5_Update(&Context, salt, 2); - MD5_Final(buf, &Context); + ctx = PPP_MD_CTX_new(); + if (ctx) { - for (i = 0; i < 16; i++) - plain[i] ^= buf[i]; + if (PPP_DigestInit(ctx, PPP_md5())) { - if (plain[0] != 16) { - error("RADIUS: Incorrect key length (%d) for MS-MPPE-%s-Key attribute", - (int) plain[0], type); - return -1; + if (PPP_DigestUpdate(ctx, req_info->secret, strlen(req_info->secret))) { + + if (PPP_DigestUpdate(ctx, req_info->request_vector, AUTH_VECTOR_LEN)) { + + if (PPP_DigestUpdate(ctx, salt, 2)) { + + buflen = sizeof(buf); + if (PPP_DigestFinal(ctx, buf, &buflen)) { + + status = 1; + } + } + } + } + } + + PPP_MD_CTX_free(ctx); } - MD5_Init(&Context); - MD5_Update(&Context, req_info->secret, strlen(req_info->secret)); - MD5_Update(&Context, crypt, 16); - MD5_Final(buf, &Context); + if (status) { - plain[16] ^= buf[0]; /* only need the first byte */ + for (i = 0; i < 16; i++) { + plain[i] ^= buf[i]; + } - if (vp->attribute == PW_MS_MPPE_SEND_KEY) - mppe_set_keys(plain + 1, NULL, 16); - else - mppe_set_keys(NULL, plain + 1, 16); + if (plain[0] != 16) { + error("RADIUS: Incorrect key length (%d) for MS-MPPE-%s-Key attribute", + (int) plain[0], type); + return -1; + } - return 0; + status = 0; + ctx = PPP_MD_CTX_new(); + if (ctx) { + + if (PPP_DigestInit(ctx, PPP_md5())) { + + if (PPP_DigestUpdate(ctx, req_info->secret, strlen(req_info->secret))) { + + if (PPP_DigestUpdate(ctx, crypt, 16)) { + + if (PPP_DigestUpdate(ctx, salt, 2)) { + + buflen = sizeof(buf); + if (PPP_DigestFinal(ctx, buf, &buflen)) { + + status = 1; + } + } + } + } + } + + PPP_MD_CTX_free(ctx); + } + + if (status) { + + plain[16] ^= buf[0]; /* only need the first byte */ + + if (vp->attribute == PW_MS_MPPE_SEND_KEY) { + 
mppe_set_keys(plain + 1, NULL, 16); + } else { + mppe_set_keys(NULL, plain + 1, 16); + } + return 0; + } + } + + return -1; } #endif /* PPP_WITH_MPPE */ diff --git a/pppd/plugins/radius/radiusclient.h b/pppd/plugins/radius/radiusclient.h index 96449be..777e120 100644 --- a/pppd/plugins/radius/radiusclient.h +++ b/pppd/plugins/radius/radiusclient.h @@ -468,6 +468,6 @@ void rc_mdelay(int); /* md5.c */ -void rc_md5_calc(unsigned char *, unsigned char *, unsigned int); +int rc_md5_calc(unsigned char *out, const unsigned char *in, unsigned int inl); #endif /* RADIUSCLIENT_H */ diff --git a/pppd/plugins/winbind.c b/pppd/plugins/winbind.c index 71c0d03..1843d6c 100644 --- a/pppd/plugins/winbind.c +++ b/pppd/plugins/winbind.c @@ -52,6 +52,7 @@ #include #include #include +#include #define BUF_LEN 1024 @@ -556,7 +557,7 @@ winbind_chap_verify(char *user, char *ourname, int id, u_char *lm_response = NULL; int nt_response_size = 0; int lm_response_size = 0; - u_char session_key[16]; + u_char session_key[MD4_DIGEST_LENGTH]; if (response_len != MS_CHAP_RESPONSE_LEN) break; /* not even the right length */ @@ -608,7 +609,7 @@ winbind_chap_verify(char *user, char *ourname, int id, case CHAP_MICROSOFT_V2: { u_char Challenge[8]; - u_char session_key[MD4_SIGNATURE_SIZE]; + u_char session_key[MD4_DIGEST_LENGTH]; char *error_string = NULL; if (response_len != MS_CHAP2_RESPONSE_LEN) diff --git a/pppd/ppp-crypto.c b/pppd/ppp-crypto.c index bf78b65..6dfe962 100644 --- a/pppd/ppp-crypto.c +++ b/pppd/ppp-crypto.c @@ -490,12 +490,10 @@ int main(int argc, char *argv[]) { failure++; } - /* Bug in DES EVP decryption, TODO: file an issue if (!test_des_decrypt()) { printf("DES decryption test failed\n"); failure++; } - */ if (!PPP_crypto_deinit()) { printf("Couldn't deinitialize crypto test\n"); diff --git a/pppd/ppp-crypto.h b/pppd/ppp-crypto.h index b1688b8..b5313cb 100644 --- a/pppd/ppp-crypto.h +++ b/pppd/ppp-crypto.h 
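Review bot: the second MD5 round of radius_setmppekeys2 now absorbs the salt (`if (PPP_DigestUpdate(ctx, salt, 2)) {` after the `crypt, 16` update), but the code it replaces hashed only the secret and the first 16 ciphertext bytes, and that is what RFC 2548 §2.4.2/2.4.3 specify: b(1) = MD5(S + R + A), b(2) = MD5(S + c(1)), with the salt only in the first round. With the extra update `buf[0]` is wrong, so `plain[16]`, the last byte of the 16-byte MPPE send/receive key, is corrupted and the keys passed to mppe_set_keys silently disagree with the peer's. Remove the `if (PPP_DigestUpdate(ctx, salt, 2)) {` line and its matching closing `}` so the second round is again secret followed by `crypt[0..16]`. The first round's `salt, 2` update is correct and should stay.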
@@ -30,15 +30,17 @@
 #ifndef PPP_CRYPTO_H
 #define PPP_CRYPTO_H
-
-#ifndef SHA1_SIGNATURE_SIZE
-#ifdef SHA_DIGESTSIZE
-#define SHA1_SIGNATURE_SIZE SHA_DIGESTSIZE
-#else
-#define SHA1_SIGNATURE_SIZE 20
+#ifndef MD5_DIGEST_LENGTH
+#define MD5_DIGEST_LENGTH 16
 #endif
+
+#ifndef MD4_DIGEST_LENGTH
+#define MD4_DIGEST_LENGTH 16
 #endif
+#ifndef SHA_DIGEST_LENGTH
+#define SHA_DIGEST_LENGTH 20
+#endif
 struct _PPP_MD_CTX;
 struct _PPP_MD;
diff --git a/pppd/ppp-des.c b/pppd/ppp-des.c
index 9c93e9c..94045ec 100644
--- a/pppd/ppp-des.c
+++ b/pppd/ppp-des.c
@@ -142,8 +142,11 @@ static int des_init(PPP_CIPHER_CTX *ctx, const unsigned char *key, const unsigne
         MakeKey(key, ctx->key);
     }
     if (EVP_CipherInit(cc, EVP_des_ecb(), ctx->key, ctx->iv, ctx->is_encr)) {
-        ctx->priv = cc;
-        return 1;
+
+        if (EVP_CIPHER_CTX_set_padding(cc, 0)) {
+            ctx->priv = cc;
+            return 1;
+        }
     }
     EVP_CIPHER_CTX_free(cc);
 }
-- 
2.39.2
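Review bot: the three fallback macros in ppp-crypto.h appear to be named `MD5_DIGEST_LENGTH`, `MD4_DIGEST_LENGTH` and `SHA_DIGEST_LENGTH` on purpose, matching OpenSSL's md5.h, md4.h and sha.h so that whichever header is seen first wins without a redefinition error, but nothing in the hunk says so and a later reader may "fix" the guards or rename them. Suggest a comment above the block: `/* Same names and values as OpenSSL's MD4/MD5/SHA headers, so either may define them first. */`. Note that a duplicate definition is only benign while the values stay identical; if some other included header ever defines one of these names differently, the `#ifndef` silently adopts that value for every buffer sized by it.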
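Review bot: `EVP_CIPHER_CTX_set_padding(cc, 0)` in des_init is what makes the previously commented-out test_des_decrypt pass (the ppp-crypto.c hunk re-enables it), because with PKCS padding enabled EVP_DecryptUpdate withholds the final block until EVP_DecryptFinal, so a single 8-byte MS-CHAP DES-ECB block never came out of the update call; neither the code nor the commit message records this. Suggest a comment above the call: `/* MS-CHAP uses lone 8-byte DES-ECB blocks; with padding on, EVP_DecryptUpdate holds the block back until Final */`. The rest of des_init, including the allocation of `cc` and the failure return, lies outside the hunk.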