mschaputil: Move mschapv2 funcs into common util

2025-05-07 10:27:26 +02:00 · 2019-01-10 14:34:17 -08:00 · 2019-01-10 14:34:17 -08:00 · 6ffa1cf58a
commit 6ffa1cf58a
parent 9b722197ba
4 changed files with 178 additions and 203 deletions
--- a/src/eap-mschapv2.c
+++ b/src/eap-mschapv2.c
@ -25,9 +25,10 @@
 #include <errno.h>
 #include <ell/ell.h>
-#include "eap.h"
+#include "src/eap.h"
-#include "eap-private.h"
+#include "src/eap-private.h"
-#include "eap-mschapv2.h"
+#include "src/eap-mschapv2.h"
 #include "src/mschaputil.h"
 #define MSCHAPV2_CHAL_LEN 16
 #define MSCHAPV2_NT_RESPONSE_LEN 24
@ -181,37 +182,6 @@ bool mschapv2_get_master_key(const uint8_t pw_hash_hash[static 16],
 	return true;
 }
 /**
 * Internal function to generate the challenge used in nt_response
 * https://tools.ietf.org/html/rfc2759
 *
 * @peer_challenge: The challenge generated by the peer (us)
 * @server_challenge: The challenge generated by the authenticator
 * @user: The username utf8 encoded
 * @challenge: The destination
 *
 * Returns: true on success, false if hash/encrypt couldn't be done
 **/
 static bool mschapv2_challenge_hash(const uint8_t *peer_challenge,
 				const uint8_t *server_challenge,
 				const char *user, uint8_t challenge[static 8])
 {
 	struct l_checksum *check;
 	check = l_checksum_new(L_CHECKSUM_SHA1);
 	if (!check)
 		return false;
 	l_checksum_update(check, peer_challenge, 16);
 	l_checksum_update(check, server_challenge, 16);
 	l_checksum_update(check, user, strlen(user));
 	l_checksum_get_digest(check, challenge, 8);
 	l_checksum_free(check);
 	return true;
 }
 /**
 * Hash the utf8 encoded nt password.
 * It is asumed, that the password is valid utf8!
@ -251,160 +221,6 @@ bool mschapv2_nt_password_hash(const char *password, uint8_t hash[static 16])
 	return true;
 }
 /**
 * Internal function for generate_nt_response.
 * The DES keys specified for generate_nt_response are 56bit, while the api we
 * use takes 64bit keys, so we have to generate the parity bits.
 **/
 static bool mschapv2_des_encrypt(const uint8_t challenge[static 8],
 						const uint8_t key[static 7],
 						uint8_t cipher_text[static 8])
 {
 	uint8_t pkey[8], tmp;
 	int i;
 	struct l_cipher *cipher;
 	uint8_t next;
 	for (i = 0, next = 0; i < 7; ++i) {
 		tmp = key[i];
 		pkey[i] = (tmp >> i) | next | 1;
 		next = tmp << (7 - i);
 	}
 	pkey[i] = next | 1;
 	cipher = l_cipher_new(L_CIPHER_DES, pkey, 8);
 	if (!cipher)
 		return false;
 	l_cipher_encrypt(cipher, challenge, cipher_text, 8);
 	l_cipher_free(cipher);
 	return true;
 }
 /**
 * Generate the nt_response for mschapv2.
 * This function is specified in:
 * https://tools.ietf.org/html/rfc2759
 *
 * @password_hash: The MD4 hash of the ucs2 encoded user password
 * @peer_challenge: the challenge generated by the peer (us)
 * @server_challenge: the challenge generated by the authenticator
 * @user: The username, utf8 encoded
 * @nt_response: The destination
 *
 * Returns: true on success, false if hash/encrypt couldn't be done
 **/
 bool mschapv2_generate_nt_response(const uint8_t password_hash[static 16],
 				const uint8_t peer_challenge[static 16],
 				const uint8_t server_challenge[static 16],
 				const char *user, uint8_t response[static 24])
 {
 	uint8_t challenge[8];
 	uint8_t buffer[21];
 	memset(buffer, 0, sizeof(buffer));
 	memcpy(buffer, password_hash, 16);
 	if (!mschapv2_challenge_hash(peer_challenge, server_challenge, user,
 								challenge))
 		return false;
 	if (!mschapv2_des_encrypt(challenge, buffer + 0, response + 0))
 		return false;
 	if (!mschapv2_des_encrypt(challenge, buffer + 7, response + 8))
 		return false;
 	if (!mschapv2_des_encrypt(challenge, buffer + 14, response + 16))
 		return false;
 	return true;
 }
 /**
 * Generate the mschapv2 authenticator response for verifying authenticator
 * This function is specified in:
 * https://tools.ietf.org/html/rfc2759
 *
 * @password_hash_hash: The MD4 hash of the password hash
 * @nt_response: The nt_response generated for this exchange
 * @peer_challenge: The challenge generated by the peer (us)
 * @server_challenge: The challenge generated by the authenticator
 * @user: The username utf8 encoded
 * @response: The destination
 *
 * Returns: true on success, false if hash/encrypt couldn't be done
 **/
 bool mschapv2_generate_authenticator_response(
 				const uint8_t pw_hash_hash[static 16],
 				const uint8_t nt_response[static 24],
 				const uint8_t peer_challenge[static 16],
 				const uint8_t server_challenge[static 16],
 				const char *user, char response[static 42])
 {
 	static const uint8_t magic1[] = {
 		0x4D, 0x61, 0x67, 0x69, 0x63, 0x20, 0x73, 0x65, 0x72, 0x76,
 		0x65, 0x72, 0x20, 0x74, 0x6F, 0x20, 0x63, 0x6C, 0x69, 0x65,
 		0x6E, 0x74, 0x20, 0x73, 0x69, 0x67, 0x6E, 0x69, 0x6E, 0x67,
 		0x20, 0x63, 0x6F, 0x6E, 0x73, 0x74, 0x61, 0x6E, 0x74
 	};
 	static const uint8_t magic2[] = {
 		0x50, 0x61, 0x64, 0x20, 0x74, 0x6F, 0x20, 0x6D, 0x61, 0x6B,
 		0x65, 0x20, 0x69, 0x74, 0x20, 0x64, 0x6F, 0x20, 0x6D, 0x6F,
 		0x72, 0x65, 0x20, 0x74, 0x68, 0x61, 0x6E, 0x20, 0x6F, 0x6E,
 		0x65, 0x20, 0x69, 0x74, 0x65, 0x72, 0x61, 0x74, 0x69, 0x6F,
 		0x6E
 	};
 	uint8_t digest[20];
 	uint8_t challenge[8];
 	char *ascii;
 	int i;
 	struct l_checksum *check;
 	check = l_checksum_new(L_CHECKSUM_SHA1);
 	if (!check)
 		return false;
 	l_checksum_update(check, pw_hash_hash, 16);
 	l_checksum_update(check, nt_response, 24);
 	l_checksum_update(check, magic1, sizeof(magic1));
 	l_checksum_get_digest(check, digest, sizeof(digest));
 	l_checksum_free(check);
 	if (!mschapv2_challenge_hash(peer_challenge, server_challenge, user,
 								challenge))
 		return false;
 	check = l_checksum_new(L_CHECKSUM_SHA1);
 	if (!check)
 		return false;
 	l_checksum_update(check, digest, sizeof(digest));
 	l_checksum_update(check, challenge, sizeof(challenge));
 	l_checksum_update(check, magic2, sizeof(magic2));
 	l_checksum_get_digest(check, digest, sizeof(digest));
 	l_checksum_free(check);
 	response[0] = 'S';
 	response[1] = '=';
 	ascii = l_util_hexstring(digest, sizeof(digest));
 	if (!ascii)
 		return false;
 	for (i = 0; i < 40; ++i) {
 		response[i + 2] = toupper(ascii[i]);
 	}
 	l_free(ascii);
 	return true;
 }
 static bool eap_mschapv2_reset_state(struct eap_state *eap)
 {
 	struct eap_mschapv2_state *state = eap_get_data(eap);
--- a/src/eap-mschapv2.h
+++ b/src/eap-mschapv2.h
@ -38,16 +38,3 @@ bool mschapv2_get_master_key(const uint8_t pw_hash_hash[static 16],
 					uint8_t master_key[static 16]);
 bool mschapv2_nt_password_hash(const char *password, uint8_t hash[16]);
 bool mschapv2_generate_nt_response(const uint8_t password_hash[static 16],
 				const uint8_t peer_challenge[static 16],
 				const uint8_t server_challenge[static 16],
 				const char *user,
 				uint8_t response[static 24]);
 bool mschapv2_generate_authenticator_response(
 				const uint8_t pw_hash_hash[static 16],
 				const uint8_t nt_response[static 24],
 				const uint8_t peer_challenge[static 16],
 				const uint8_t server_challenge[static 16],
 				const char *user, char response[static 42]);
--- a/src/mschaputil.c
+++ b/src/mschaputil.c
@ -28,8 +28,14 @@
 #include "src/mschaputil.h"
-static bool mschap_des_encrypt(const uint8_t *challenge, const uint8_t *key,
+/**
-							uint8_t *cipher_text)
+ * Internal function for generate_nt_response.
 * The DES keys specified for generate_nt_response are 56bit, while the api we
 * use takes 64bit keys, so we have to generate the parity bits.
 **/
 static bool mschap_des_encrypt(const uint8_t challenge[static 8],
 						const uint8_t key[static 7],
 						uint8_t cipher_text[static 8])
 {
 	uint8_t pkey[8], tmp;
 	int i;
@ -106,3 +112,156 @@ bool mschap_nt_password_hash(const char *password, uint8_t *password_hash)
 	return true;
 }
 /**
 * Internal function to generate the challenge used in nt_response
 * https://tools.ietf.org/html/rfc2759
 *
 * @peer_challenge: The challenge generated by the peer (us)
 * @server_challenge: The challenge generated by the authenticator
 * @user: The username utf8 encoded
 * @challenge: The destination
 *
 * Returns: true on success, false if hash/encrypt couldn't be done
 **/
 static bool mschapv2_challenge_hash(const uint8_t *peer_challenge,
 				const uint8_t *server_challenge,
 				const char *user, uint8_t challenge[static 8])
 {
 	struct l_checksum *check;
 	check = l_checksum_new(L_CHECKSUM_SHA1);
 	if (!check)
 		return false;
 	l_checksum_update(check, peer_challenge, 16);
 	l_checksum_update(check, server_challenge, 16);
 	l_checksum_update(check, user, strlen(user));
 	l_checksum_get_digest(check, challenge, 8);
 	l_checksum_free(check);
 	return true;
 }
 /**
 * Generate the nt_response for mschapv2.
 * This function is specified in:
 * https://tools.ietf.org/html/rfc2759
 *
 * @password_hash: The MD4 hash of the ucs2 encoded user password
 * @peer_challenge: the challenge generated by the peer (us)
 * @server_challenge: the challenge generated by the authenticator
 * @user: The username, utf8 encoded
 * @nt_response: The destination
 *
 * Returns: true on success, false if hash/encrypt couldn't be done
 **/
 bool mschapv2_generate_nt_response(const uint8_t password_hash[static 16],
 				const uint8_t peer_challenge[static 16],
 				const uint8_t server_challenge[static 16],
 				const char *user, uint8_t response[static 24])
 {
 	uint8_t challenge[8];
 	uint8_t buffer[21];
 	memset(buffer, 0, sizeof(buffer));
 	memcpy(buffer, password_hash, 16);
 	if (!mschapv2_challenge_hash(peer_challenge, server_challenge, user,
 								challenge))
 		return false;
 	if (!mschapv2_des_encrypt(challenge, buffer + 0, response + 0))
 		return false;
 	if (!mschapv2_des_encrypt(challenge, buffer + 7, response + 8))
 		return false;
 	if (!mschapv2_des_encrypt(challenge, buffer + 14, response + 16))
 		return false;
 	return true;
 }
 /**
 * Generate the mschapv2 authenticator response for verifying authenticator
 * This function is specified in:
 * https://tools.ietf.org/html/rfc2759
 *
 * @password_hash_hash: The MD4 hash of the password hash
 * @nt_response: The nt_response generated for this exchange
 * @peer_challenge: The challenge generated by the peer (us)
 * @server_challenge: The challenge generated by the authenticator
 * @user: The username utf8 encoded
 * @response: The destination
 *
 * Returns: true on success, false if hash/encrypt couldn't be done
 **/
 bool mschapv2_generate_authenticator_response(
 				const uint8_t pw_hash_hash[static 16],
 				const uint8_t nt_response[static 24],
 				const uint8_t peer_challenge[static 16],
 				const uint8_t server_challenge[static 16],
 				const char *user, char response[static 42])
 {
 	static const uint8_t magic1[] = {
 		0x4D, 0x61, 0x67, 0x69, 0x63, 0x20, 0x73, 0x65, 0x72, 0x76,
 		0x65, 0x72, 0x20, 0x74, 0x6F, 0x20, 0x63, 0x6C, 0x69, 0x65,
 		0x6E, 0x74, 0x20, 0x73, 0x69, 0x67, 0x6E, 0x69, 0x6E, 0x67,
 		0x20, 0x63, 0x6F, 0x6E, 0x73, 0x74, 0x61, 0x6E, 0x74
 	};
 	static const uint8_t magic2[] = {
 		0x50, 0x61, 0x64, 0x20, 0x74, 0x6F, 0x20, 0x6D, 0x61, 0x6B,
 		0x65, 0x20, 0x69, 0x74, 0x20, 0x64, 0x6F, 0x20, 0x6D, 0x6F,
 		0x72, 0x65, 0x20, 0x74, 0x68, 0x61, 0x6E, 0x20, 0x6F, 0x6E,
 		0x65, 0x20, 0x69, 0x74, 0x65, 0x72, 0x61, 0x74, 0x69, 0x6F,
 		0x6E
 	};
 	uint8_t digest[20];
 	uint8_t challenge[8];
 	char *ascii;
 	int i;
 	struct l_checksum *check;
 	check = l_checksum_new(L_CHECKSUM_SHA1);
 	if (!check)
 		return false;
 	l_checksum_update(check, pw_hash_hash, 16);
 	l_checksum_update(check, nt_response, 24);
 	l_checksum_update(check, magic1, sizeof(magic1));
 	l_checksum_get_digest(check, digest, sizeof(digest));
 	l_checksum_free(check);
 	if (!mschapv2_challenge_hash(peer_challenge, server_challenge, user,
 								challenge))
 		return false;
 	check = l_checksum_new(L_CHECKSUM_SHA1);
 	if (!check)
 		return false;
 	l_checksum_update(check, digest, sizeof(digest));
 	l_checksum_update(check, challenge, sizeof(challenge));
 	l_checksum_update(check, magic2, sizeof(magic2));
 	l_checksum_get_digest(check, digest, sizeof(digest));
 	l_checksum_free(check);
 	response[0] = 'S';
 	response[1] = '=';
 	ascii = l_util_hexstring(digest, sizeof(digest));
 	if (!ascii)
 		return false;
 	for (i = 0; i < 40; ++i) {
 		response[i + 2] = toupper(ascii[i]);
 	}
 	l_free(ascii);
 	return true;
 }
--- a/src/mschaputil.h
+++ b/src/mschaputil.h
@ -26,3 +26,16 @@ bool mschap_challenge_response(const uint8_t *challenge,
 						const uint8_t *password_hash,
 						uint8_t *response);
 bool mschap_nt_password_hash(const char *password, uint8_t *password_hash);
 bool mschapv2_generate_nt_response(const uint8_t password_hash[static 16],
 				const uint8_t peer_challenge[static 16],
 				const uint8_t server_challenge[static 16],
 				const char *user,
 				uint8_t response[static 24]);
 bool mschapv2_generate_authenticator_response(
 				const uint8_t pw_hash_hash[static 16],
 				const uint8_t nt_response[static 24],
 				const uint8_t peer_challenge[static 16],
 				const uint8_t server_challenge[static 16],
 				const char *user, char response[static 42]);