search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
hack(6): Separate hostprog.
[dragonfly.git] / usr.sbin / ppp / chap_ms.c
blob33729d2226acd23f28c6e920baa196c6282a81fb
1 /*-
2 * Copyright (c) 1997 Gabor Kincses <gabor@acm.org>
3 * 1997 - 2001 Brian Somers <brian@Awfulhak.org>
4 * based on work by Eric Rosenquist
5 * Strata Software Limited.
6 * All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 * 1. Redistributions of source code must retain the above copyright
12 * notice, this list of conditions and the following disclaimer.
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
16 *
17 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
18 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
19 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
20 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
21 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
22 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
23 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
24 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
25 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
26 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
27 * SUCH DAMAGE.
28 *
29 * $FreeBSD: src/usr.sbin/ppp/chap_ms.c,v 1.9.2.6 2002/09/01 02:12:23 brian Exp $
30 */
31
32 #include <ctype.h>
33 #include <sys/types.h>
34 #include <stdlib.h>
35 #ifdef __DragonFly__
36 #include <openssl/des.h>
37 #include <sha.h>
38 #else
39 #ifdef __NetBSD__
40 #include <openssl/des.h>
41 #else
42 #include <des.h>
43 #endif
44 #include <openssl/sha.h>
45 #endif
46 #include <md4.h>
47 #include <string.h>
48
49 #include "chap_ms.h"
50
51 /*
52 * Documentation & specifications:
53 *
54 * MS-CHAP (CHAP80) rfc2433
55 * MS-CHAP-V2 (CHAP81) rfc2759
56 * MPPE key management draft-ietf-pppext-mppe-keys-02.txt
57 */
58
59 static char SHA1_Pad1[40] =
60 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
61 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
62 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
63 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00};
64
65 static char SHA1_Pad2[40] =
66 {0xF2, 0xF2, 0xF2, 0xF2, 0xF2, 0xF2, 0xF2, 0xF2, 0xF2, 0xF2,
67 0xF2, 0xF2, 0xF2, 0xF2, 0xF2, 0xF2, 0xF2, 0xF2, 0xF2, 0xF2,
68 0xF2, 0xF2, 0xF2, 0xF2, 0xF2, 0xF2, 0xF2, 0xF2, 0xF2, 0xF2,
69 0xF2, 0xF2, 0xF2, 0xF2, 0xF2, 0xF2, 0xF2, 0xF2, 0xF2, 0xF2};
70
71 /* unused, for documentation only */
72 /* only NTResp is filled in for FreeBSD */
73 struct MS_ChapResponse {
74 u_char LANManResp[24];
75 u_char NTResp[24];
76 u_char UseNT; /* If 1, ignore the LANMan response field */
77 };
78
79 static u_char
80 Get7Bits(u_char *input, int startBit)
81 {
82 unsigned int word;
83
84 word = (unsigned)input[startBit / 8] << 8;
85 word |= (unsigned)input[startBit / 8 + 1];
86
87 word >>= 15 - (startBit % 8 + 7);
88
89 return word & 0xFE;
90 }
91
92 /* IN 56 bit DES key missing parity bits
93 OUT 64 bit DES key with parity bits added */
94 static void
95 MakeKey(u_char *key, u_char *des_key)
96 {
97 des_key[0] = Get7Bits(key, 0);
98 des_key[1] = Get7Bits(key, 7);
99 des_key[2] = Get7Bits(key, 14);
100 des_key[3] = Get7Bits(key, 21);
101 des_key[4] = Get7Bits(key, 28);
102 des_key[5] = Get7Bits(key, 35);
103 des_key[6] = Get7Bits(key, 42);
104 des_key[7] = Get7Bits(key, 49);
105
106 DES_set_odd_parity((DES_cblock *)des_key);
107 }
108
109 static void /* IN 8 octets IN 7 octest OUT 8 octets */
110 DesEncrypt(u_char *clear, u_char *key, u_char *cipher)
111 {
112 DES_cblock des_key;
113 DES_key_schedule key_schedule;
114
115 MakeKey(key, des_key);
116 DES_set_key(&des_key, &key_schedule);
117 DES_ecb_encrypt((DES_cblock *)clear, (DES_cblock *)cipher, &key_schedule, 1);
118 }
119
120 static void /* IN 8 octets IN 16 octets OUT 24 octets */
121 ChallengeResponse(u_char *challenge, u_char *pwHash, u_char *response)
122 {
123 char ZPasswordHash[21];
124
125 memset(ZPasswordHash, '\0', sizeof ZPasswordHash);
126 memcpy(ZPasswordHash, pwHash, 16);
127
128 DesEncrypt(challenge, ZPasswordHash + 0, response + 0);
129 DesEncrypt(challenge, ZPasswordHash + 7, response + 8);
130 DesEncrypt(challenge, ZPasswordHash + 14, response + 16);
131 }
132
133 void
134 NtPasswordHash(char *key, int keylen, char *hash)
135 {
136 MD4_CTX MD4context;
137
138 MD4Init(&MD4context);
139 MD4Update(&MD4context, key, keylen);
140 MD4Final(hash, &MD4context);
141 }
142
143 void
144 HashNtPasswordHash(char *hash, char *hashhash)
145 {
146 MD4_CTX MD4context;
147
148 MD4Init(&MD4context);
149 MD4Update(&MD4context, hash, 16);
150 MD4Final(hashhash, &MD4context);
151 }
152
153 static void
154 ChallengeHash(char *PeerChallenge, char *AuthenticatorChallenge,
155 char *UserName, char *Challenge)
156 {
157 SHA_CTX Context;
158 char Digest[SHA_DIGEST_LENGTH];
159 char *Name;
160
161 Name = strrchr(UserName, '\\');
162 if(NULL == Name)
163 Name = UserName;
164 else
165 Name++;
166
167 SHA1_Init(&Context);
168
169 SHA1_Update(&Context, PeerChallenge, 16);
170 SHA1_Update(&Context, AuthenticatorChallenge, 16);
171 SHA1_Update(&Context, Name, strlen(Name));
172
173 SHA1_Final(Digest, &Context);
174 memcpy(Challenge, Digest, 8);
175 }
176
177 void
178 GenerateNTResponse(char *AuthenticatorChallenge, char *PeerChallenge,
179 char *UserName, char *Password,
180 int PasswordLen, char *Response)
181 {
182 char Challenge[8];
183 char PasswordHash[16];
184
185 ChallengeHash(PeerChallenge, AuthenticatorChallenge, UserName, Challenge);
186 NtPasswordHash(Password, PasswordLen, PasswordHash);
187 ChallengeResponse(Challenge, PasswordHash, Response);
188 }
189
190 #define LENGTH 20
191 static char *
192 SHA1_End(SHA_CTX *ctx, char *buf)
193 {
194 int i;
195 unsigned char digest[LENGTH];
196 static const char hex[]="0123456789abcdef";
197
198 if (!buf)
199 buf = malloc(2*LENGTH + 1);
200 if (!buf)
201 return 0;
202 SHA1_Final(digest, ctx);
203 for (i = 0; i < LENGTH; i++) {
204 buf[i+i] = hex[digest[i] >> 4];
205 buf[i+i+1] = hex[digest[i] & 0x0f];
206 }
207 buf[i+i] = '\0';
208 return buf;
209 }
210
211 void
212 GenerateAuthenticatorResponse(char *Password, int PasswordLen,
213 char *NTResponse, char *PeerChallenge,
214 char *AuthenticatorChallenge, char *UserName,
215 char *AuthenticatorResponse)
216 {
217 SHA_CTX Context;
218 char PasswordHash[16];
219 char PasswordHashHash[16];
220 char Challenge[8];
221 u_char Digest[SHA_DIGEST_LENGTH];
222 int i;
223
224 /*
225 * "Magic" constants used in response generation
226 */
227 char Magic1[39] =
228 {0x4D, 0x61, 0x67, 0x69, 0x63, 0x20, 0x73, 0x65, 0x72, 0x76,
229 0x65, 0x72, 0x20, 0x74, 0x6F, 0x20, 0x63, 0x6C, 0x69, 0x65,
230 0x6E, 0x74, 0x20, 0x73, 0x69, 0x67, 0x6E, 0x69, 0x6E, 0x67,
231 0x20, 0x63, 0x6F, 0x6E, 0x73, 0x74, 0x61, 0x6E, 0x74};
232
233
234 char Magic2[41] =
235 {0x50, 0x61, 0x64, 0x20, 0x74, 0x6F, 0x20, 0x6D, 0x61, 0x6B,
236 0x65, 0x20, 0x69, 0x74, 0x20, 0x64, 0x6F, 0x20, 0x6D, 0x6F,
237 0x72, 0x65, 0x20, 0x74, 0x68, 0x61, 0x6E, 0x20, 0x6F, 0x6E,
238 0x65, 0x20, 0x69, 0x74, 0x65, 0x72, 0x61, 0x74, 0x69, 0x6F,
239 0x6E};
240 /*
241 * Hash the password with MD4
242 */
243 NtPasswordHash(Password, PasswordLen, PasswordHash);
244 /*
245 * Now hash the hash
246 */
247 HashNtPasswordHash(PasswordHash, PasswordHashHash);
248
249 SHA1_Init(&Context);
250 SHA1_Update(&Context, PasswordHashHash, 16);
251 SHA1_Update(&Context, NTResponse, 24);
252 SHA1_Update(&Context, Magic1, 39);
253 SHA1_Final(Digest, &Context);
254 ChallengeHash(PeerChallenge, AuthenticatorChallenge, UserName, Challenge);
255 SHA1_Init(&Context);
256 SHA1_Update(&Context, Digest, 20);
257 SHA1_Update(&Context, Challenge, 8);
258 SHA1_Update(&Context, Magic2, 41);
259
260 /*
261 * Encode the value of 'Digest' as "S=" followed by
262 * 40 ASCII hexadecimal digits and return it in
263 * AuthenticatorResponse.
264 * For example,
265 * "S=0123456789ABCDEF0123456789ABCDEF01234567"
266 */
267 AuthenticatorResponse[0] = 'S';
268 AuthenticatorResponse[1] = '=';
269 SHA1_End(&Context, AuthenticatorResponse + 2);
270 for (i=2; i<42; i++)
271 AuthenticatorResponse[i] = toupper(AuthenticatorResponse[i]);
272
273 }
274
275 void
276 GetMasterKey(char *PasswordHashHash, char *NTResponse, char *MasterKey)
277 {
278 char Digest[SHA_DIGEST_LENGTH];
279 SHA_CTX Context;
280 static char Magic1[27] =
281 {0x54, 0x68, 0x69, 0x73, 0x20, 0x69, 0x73, 0x20, 0x74,
282 0x68, 0x65, 0x20, 0x4d, 0x50, 0x50, 0x45, 0x20, 0x4d,
283 0x61, 0x73, 0x74, 0x65, 0x72, 0x20, 0x4b, 0x65, 0x79};
284
285 SHA1_Init(&Context);
286 SHA1_Update(&Context, PasswordHashHash, 16);
287 SHA1_Update(&Context, NTResponse, 24);
288 SHA1_Update(&Context, Magic1, 27);
289 SHA1_Final(Digest, &Context);
290 memcpy(MasterKey, Digest, 16);
291 }
292
293 void
294 GetAsymetricStartKey(char *MasterKey, char *SessionKey, int SessionKeyLength,
295 int IsSend, int IsServer)
296 {
297 char Digest[SHA_DIGEST_LENGTH];
298 SHA_CTX Context;
299 char *s;
300
301 static char Magic2[84] =
302 {0x4f, 0x6e, 0x20, 0x74, 0x68, 0x65, 0x20, 0x63, 0x6c, 0x69,
303 0x65, 0x6e, 0x74, 0x20, 0x73, 0x69, 0x64, 0x65, 0x2c, 0x20,
304 0x74, 0x68, 0x69, 0x73, 0x20, 0x69, 0x73, 0x20, 0x74, 0x68,
305 0x65, 0x20, 0x73, 0x65, 0x6e, 0x64, 0x20, 0x6b, 0x65, 0x79,
306 0x3b, 0x20, 0x6f, 0x6e, 0x20, 0x74, 0x68, 0x65, 0x20, 0x73,
307 0x65, 0x72, 0x76, 0x65, 0x72, 0x20, 0x73, 0x69, 0x64, 0x65,
308 0x2c, 0x20, 0x69, 0x74, 0x20, 0x69, 0x73, 0x20, 0x74, 0x68,
309 0x65, 0x20, 0x72, 0x65, 0x63, 0x65, 0x69, 0x76, 0x65, 0x20,
310 0x6b, 0x65, 0x79, 0x2e};
311
312 static char Magic3[84] =
313 {0x4f, 0x6e, 0x20, 0x74, 0x68, 0x65, 0x20, 0x63, 0x6c, 0x69,
314 0x65, 0x6e, 0x74, 0x20, 0x73, 0x69, 0x64, 0x65, 0x2c, 0x20,
315 0x74, 0x68, 0x69, 0x73, 0x20, 0x69, 0x73, 0x20, 0x74, 0x68,
316 0x65, 0x20, 0x72, 0x65, 0x63, 0x65, 0x69, 0x76, 0x65, 0x20,
317 0x6b, 0x65, 0x79, 0x3b, 0x20, 0x6f, 0x6e, 0x20, 0x74, 0x68,
318 0x65, 0x20, 0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0x20, 0x73,
319 0x69, 0x64, 0x65, 0x2c, 0x20, 0x69, 0x74, 0x20, 0x69, 0x73,
320 0x20, 0x74, 0x68, 0x65, 0x20, 0x73, 0x65, 0x6e, 0x64, 0x20,
321 0x6b, 0x65, 0x79, 0x2e};
322
323 if (IsSend) {
324 if (IsServer) {
325 s = Magic3;
326 } else {
327 s = Magic2;
328 }
329 } else {
330 if (IsServer) {
331 s = Magic2;
332 } else {
333 s = Magic3;
334 }
335 }
336
337 SHA1_Init(&Context);
338 SHA1_Update(&Context, MasterKey, 16);
339 SHA1_Update(&Context, SHA1_Pad1, 40);
340 SHA1_Update(&Context, s, 84);
341 SHA1_Update(&Context, SHA1_Pad2, 40);
342 SHA1_Final(Digest, &Context);
343
344 memcpy(SessionKey, Digest, SessionKeyLength);
345 }
346
347 void
348 GetNewKeyFromSHA(char *StartKey, char *SessionKey, long SessionKeyLength,
349 char *InterimKey)
350 {
351 SHA_CTX Context;
352 char Digest[SHA_DIGEST_LENGTH];
353
354 SHA1_Init(&Context);
355 SHA1_Update(&Context, StartKey, SessionKeyLength);
356 SHA1_Update(&Context, SHA1_Pad1, 40);
357 SHA1_Update(&Context, SessionKey, SessionKeyLength);
358 SHA1_Update(&Context, SHA1_Pad2, 40);
359 SHA1_Final(Digest, &Context);
360
361 memcpy(InterimKey, Digest, SessionKeyLength);
362 }
363
364 #if 0
365 static void
366 Get_Key(char *InitialSessionKey, char *CurrentSessionKey,
367 int LengthOfDesiredKey)
368 {
369 SHA_CTX Context;
370 char Digest[SHA_DIGEST_LENGTH];
371
372 SHA1_Init(&Context);
373 SHA1_Update(&Context, InitialSessionKey, LengthOfDesiredKey);
374 SHA1_Update(&Context, SHA1_Pad1, 40);
375 SHA1_Update(&Context, CurrentSessionKey, LengthOfDesiredKey);
376 SHA1_Update(&Context, SHA1_Pad2, 40);
377 SHA1_Final(Digest, &Context);
378
379 memcpy(CurrentSessionKey, Digest, LengthOfDesiredKey);
380 }
381 #endif
382
383 /* passwordHash 16-bytes MD4 hashed password
384 challenge 8-bytes peer CHAP challenge
385 since passwordHash is in a 24-byte buffer, response is written in there */
386 void
387 mschap_NT(char *passwordHash, char *challenge)
388 {
389 u_char response[24];
390
391 ChallengeResponse(challenge, passwordHash, response);
392 memcpy(passwordHash, response, 24);
393 passwordHash[24] = 1; /* NT-style response */
394 }
395
396 void
397 mschap_LANMan(char *digest, char *challenge, char *secret)
398 {
399 static u_char salt[] = "KGS!@#$%"; /* RASAPI32.dll */
400 char SECRET[14], *ptr, *end;
401 u_char hash[16];
402
403 end = SECRET + sizeof SECRET;
404 for (ptr = SECRET; *secret && ptr < end; ptr++, secret++)
405 *ptr = toupper(*secret);
406 if (ptr < end)
407 memset(ptr, '\0', end - ptr);
408
409 DesEncrypt(salt, SECRET, hash);
410 DesEncrypt(salt, SECRET + 7, hash + 8);
411
412 ChallengeResponse(challenge, hash, digest);
413 }
DragonFly BSD