[thirdparty/hostap.git] / src / crypto / ms_funcs.c

/*
 * WPA Supplicant / shared MSCHAPV2 helper functions / RFC 2433 / RFC 2759
 * Copyright (c) 2004-2009, Jouni Malinen <j@w1.fi>
 *
 * This software may be distributed under the terms of the BSD license.
 * See README for more details.
 */

#include "includes.h"

#include "common.h"
#include "sha1.h"
#include "ms_funcs.h"
#include "crypto.h"

/**
 * utf8_to_ucs2 - Convert UTF-8 string to UCS-2 encoding
 * @utf8_string: UTF-8 string (IN)
 * @utf8_string_len: Length of utf8_string (IN)
 * @ucs2_buffer: UCS-2 buffer (OUT)
 * @ucs2_buffer_size: Length of UCS-2 buffer (IN)
 * @ucs2_string_size: Number of 2-byte words in the resulting UCS-2 string
 * Returns: 0 on success, -1 on failure
 */
static int utf8_to_ucs2(const u8 *utf8_string, size_t utf8_string_len,
                        u8 *ucs2_buffer, size_t ucs2_buffer_size,
                        size_t *ucs2_string_size)
{
	size_t i, j;

	for (i = 0, j = 0; i < utf8_string_len; i++) {
		u8 c = utf8_string[i];
		if (j >= ucs2_buffer_size) {
			/* input too long */
			return -1;
		}
		if (c <= 0x7F) {
			WPA_PUT_LE16(ucs2_buffer + j, c);
			j += 2;
		} else if (i == utf8_string_len - 1 ||
			   j >= ucs2_buffer_size - 1) {
			/* incomplete surrogate */
			return -1;
		} else {
			u8 c2 = utf8_string[++i];
			if ((c & 0xE0) == 0xC0) {
				/* two-byte encoding */
				WPA_PUT_LE16(ucs2_buffer + j,
					     ((c & 0x1F) << 6) | (c2 & 0x3F));
				j += 2;
			} else if (i == utf8_string_len ||
				   j >= ucs2_buffer_size - 1) {
				/* incomplete surrogate */
				return -1;
			} else {
				/* three-byte encoding */
				u8 c3 = utf8_string[++i];
				WPA_PUT_LE16(ucs2_buffer + j,
					     ((c & 0xF) << 12) |
					     ((c2 & 0x3F) << 6) | (c3 & 0x3F));
			}
		}
	}

	if (ucs2_string_size)
		*ucs2_string_size = j / 2;
	return 0;
}


/**
 * challenge_hash - ChallengeHash() - RFC 2759, Sect. 8.2
 * @peer_challenge: 16-octet PeerChallenge (IN)
 * @auth_challenge: 16-octet AuthenticatorChallenge (IN)
 * @username: 0-to-256-char UserName (IN)
 * @username_len: Length of username
 * @challenge: 8-octet Challenge (OUT)
 * Returns: 0 on success, -1 on failure
 */
static int challenge_hash(const u8 *peer_challenge, const u8 *auth_challenge,
			  const u8 *username, size_t username_len,
			  u8 *challenge)
{
	u8 hash[SHA1_MAC_LEN];
	const unsigned char *addr[3];
	size_t len[3];

	addr[0] = peer_challenge;
	len[0] = 16;
	addr[1] = auth_challenge;
	len[1] = 16;
	addr[2] = username;
	len[2] = username_len;

	if (sha1_vector(3, addr, len, hash))
		return -1;
	os_memcpy(challenge, hash, 8);
	return 0;
}


/**
 * nt_password_hash - NtPasswordHash() - RFC 2759, Sect. 8.3
 * @password: 0-to-256-unicode-char Password (IN; UTF-8)
 * @password_len: Length of password
 * @password_hash: 16-octet PasswordHash (OUT)
 * Returns: 0 on success, -1 on failure
 */
int nt_password_hash(const u8 *password, size_t password_len,
		      u8 *password_hash)
{
	u8 buf[512], *pos;
	size_t len, max_len;

	max_len = sizeof(buf);
	if (utf8_to_ucs2(password, password_len, buf, max_len, &len) < 0)
		return -1;

	len *= 2;
	pos = buf;
	return md4_vector(1, (const u8 **) &pos, &len, password_hash);
}


/**
 * hash_nt_password_hash - HashNtPasswordHash() - RFC 2759, Sect. 8.4
 * @password_hash: 16-octet PasswordHash (IN)
 * @password_hash_hash: 16-octet PasswordHashHash (OUT)
 * Returns: 0 on success, -1 on failure
 */
int hash_nt_password_hash(const u8 *password_hash, u8 *password_hash_hash)
{
	size_t len = 16;
	return md4_vector(1, &password_hash, &len, password_hash_hash);
}


/**
 * challenge_response - ChallengeResponse() - RFC 2759, Sect. 8.5
 * @challenge: 8-octet Challenge (IN)
 * @password_hash: 16-octet PasswordHash (IN)
 * @response: 24-octet Response (OUT)
 */
void challenge_response(const u8 *challenge, const u8 *password_hash,
			u8 *response)
{
	u8 zpwd[7];
	des_encrypt(challenge, password_hash, response);
	des_encrypt(challenge, password_hash + 7, response + 8);
	zpwd[0] = password_hash[14];
	zpwd[1] = password_hash[15];
	os_memset(zpwd + 2, 0, 5);
	des_encrypt(challenge, zpwd, response + 16);
}


/**
 * generate_nt_response - GenerateNTResponse() - RFC 2759, Sect. 8.1
 * @auth_challenge: 16-octet AuthenticatorChallenge (IN)
 * @peer_challenge: 16-octet PeerChallenge (IN)
 * @username: 0-to-256-char UserName (IN)
 * @username_len: Length of username
 * @password: 0-to-256-unicode-char Password (IN; UTF-8)
 * @password_len: Length of password
 * @response: 24-octet Response (OUT)
 * Returns: 0 on success, -1 on failure
 */
int generate_nt_response(const u8 *auth_challenge, const u8 *peer_challenge,
			 const u8 *username, size_t username_len,
			 const u8 *password, size_t password_len,
			 u8 *response)
{
	u8 challenge[8];
	u8 password_hash[16];

	challenge_hash(peer_challenge, auth_challenge, username, username_len,
		       challenge);
	if (nt_password_hash(password, password_len, password_hash))
		return -1;
	challenge_response(challenge, password_hash, response);
	return 0;
}


/**
 * generate_nt_response_pwhash - GenerateNTResponse() - RFC 2759, Sect. 8.1
 * @auth_challenge: 16-octet AuthenticatorChallenge (IN)
 * @peer_challenge: 16-octet PeerChallenge (IN)
 * @username: 0-to-256-char UserName (IN)
 * @username_len: Length of username
 * @password_hash: 16-octet PasswordHash (IN)
 * @response: 24-octet Response (OUT)
 * Returns: 0 on success, -1 on failure
 */
int generate_nt_response_pwhash(const u8 *auth_challenge,
				const u8 *peer_challenge,
				const u8 *username, size_t username_len,
				const u8 *password_hash,
				u8 *response)
{
	u8 challenge[8];

	if (challenge_hash(peer_challenge, auth_challenge,
			   username, username_len,
			   challenge))
		return -1;
	challenge_response(challenge, password_hash, response);
	return 0;
}


/**
 * generate_authenticator_response_pwhash - GenerateAuthenticatorResponse() - RFC 2759, Sect. 8.7
 * @password_hash: 16-octet PasswordHash (IN)
 * @nt_response: 24-octet NT-Response (IN)
 * @peer_challenge: 16-octet PeerChallenge (IN)
 * @auth_challenge: 16-octet AuthenticatorChallenge (IN)
 * @username: 0-to-256-char UserName (IN)
 * @username_len: Length of username
 * @response: 20-octet AuthenticatorResponse (OUT) (note: this value is usually
 * encoded as a 42-octet ASCII string (S=hexdump_of_response)
 * Returns: 0 on success, -1 on failure
 */
int generate_authenticator_response_pwhash(
	const u8 *password_hash,
	const u8 *peer_challenge, const u8 *auth_challenge,
	const u8 *username, size_t username_len,
	const u8 *nt_response, u8 *response)
{
	static const u8 magic1[39] = {
		0x4D, 0x61, 0x67, 0x69, 0x63, 0x20, 0x73, 0x65, 0x72, 0x76,
		0x65, 0x72, 0x20, 0x74, 0x6F, 0x20, 0x63, 0x6C, 0x69, 0x65,
		0x6E, 0x74, 0x20, 0x73, 0x69, 0x67, 0x6E, 0x69, 0x6E, 0x67,
		0x20, 0x63, 0x6F, 0x6E, 0x73, 0x74, 0x61, 0x6E, 0x74
	};
	static const u8 magic2[41] = {
		0x50, 0x61, 0x64, 0x20, 0x74, 0x6F, 0x20, 0x6D, 0x61, 0x6B,
		0x65, 0x20, 0x69, 0x74, 0x20, 0x64, 0x6F, 0x20, 0x6D, 0x6F,
		0x72, 0x65, 0x20, 0x74, 0x68, 0x61, 0x6E, 0x20, 0x6F, 0x6E,
		0x65, 0x20, 0x69, 0x74, 0x65, 0x72, 0x61, 0x74, 0x69, 0x6F,
		0x6E
	};

	u8 password_hash_hash[16], challenge[8];
	const unsigned char *addr1[3];
	const size_t len1[3] = { 16, 24, sizeof(magic1) };
	const unsigned char *addr2[3];
	const size_t len2[3] = { SHA1_MAC_LEN, 8, sizeof(magic2) };

	addr1[0] = password_hash_hash;
	addr1[1] = nt_response;
	addr1[2] = magic1;

	addr2[0] = response;
	addr2[1] = challenge;
	addr2[2] = magic2;

	if (hash_nt_password_hash(password_hash, password_hash_hash))
		return -1;
	if (sha1_vector(3, addr1, len1, response))
		return -1;

	challenge_hash(peer_challenge, auth_challenge, username, username_len,
		       challenge);
	return sha1_vector(3, addr2, len2, response);
}


/**
 * generate_authenticator_response - GenerateAuthenticatorResponse() - RFC 2759, Sect. 8.7
 * @password: 0-to-256-unicode-char Password (IN; UTF-8)
 * @password_len: Length of password
 * @nt_response: 24-octet NT-Response (IN)
 * @peer_challenge: 16-octet PeerChallenge (IN)
 * @auth_challenge: 16-octet AuthenticatorChallenge (IN)
 * @username: 0-to-256-char UserName (IN)
 * @username_len: Length of username
 * @response: 20-octet AuthenticatorResponse (OUT) (note: this value is usually
 * encoded as a 42-octet ASCII string (S=hexdump_of_response)
 * Returns: 0 on success, -1 on failure
 */
int generate_authenticator_response(const u8 *password, size_t password_len,
				    const u8 *peer_challenge,
				    const u8 *auth_challenge,
				    const u8 *username, size_t username_len,
				    const u8 *nt_response, u8 *response)
{
	u8 password_hash[16];
	if (nt_password_hash(password, password_len, password_hash))
		return -1;
	return generate_authenticator_response_pwhash(
		password_hash, peer_challenge, auth_challenge,
		username, username_len, nt_response, response);
}


/**
 * nt_challenge_response - NtChallengeResponse() - RFC 2433, Sect. A.5
 * @challenge: 8-octet Challenge (IN)
 * @password: 0-to-256-unicode-char Password (IN; UTF-8)
 * @password_len: Length of password
 * @response: 24-octet Response (OUT)
 * Returns: 0 on success, -1 on failure
 */
int nt_challenge_response(const u8 *challenge, const u8 *password,
			  size_t password_len, u8 *response)
{
	u8 password_hash[16];
	if (nt_password_hash(password, password_len, password_hash))
		return -1;
	challenge_response(challenge, password_hash, response);
	return 0;
}


/**
 * get_master_key - GetMasterKey() - RFC 3079, Sect. 3.4
 * @password_hash_hash: 16-octet PasswordHashHash (IN)
 * @nt_response: 24-octet NTResponse (IN)
 * @master_key: 16-octet MasterKey (OUT)
 * Returns: 0 on success, -1 on failure
 */
int get_master_key(const u8 *password_hash_hash, const u8 *nt_response,
		   u8 *master_key)
{
	static const u8 magic1[27] = {
		0x54, 0x68, 0x69, 0x73, 0x20, 0x69, 0x73, 0x20, 0x74,
		0x68, 0x65, 0x20, 0x4d, 0x50, 0x50, 0x45, 0x20, 0x4d,
		0x61, 0x73, 0x74, 0x65, 0x72, 0x20, 0x4b, 0x65, 0x79
	};
	const unsigned char *addr[3];
	const size_t len[3] = { 16, 24, sizeof(magic1) };
	u8 hash[SHA1_MAC_LEN];

	addr[0] = password_hash_hash;
	addr[1] = nt_response;
	addr[2] = magic1;

	if (sha1_vector(3, addr, len, hash))
		return -1;
	os_memcpy(master_key, hash, 16);
	return 0;
}


/**
 * get_asymetric_start_key - GetAsymetricStartKey() - RFC 3079, Sect. 3.4
 * @master_key: 16-octet MasterKey (IN)
 * @session_key: 8-to-16 octet SessionKey (OUT)
 * @session_key_len: SessionKeyLength (Length of session_key) (IN)
 * @is_send: IsSend (IN, BOOLEAN)
 * @is_server: IsServer (IN, BOOLEAN)
 * Returns: 0 on success, -1 on failure
 */
int get_asymetric_start_key(const u8 *master_key, u8 *session_key,
			    size_t session_key_len, int is_send,
			    int is_server)
{
	static const u8 magic2[84] = {
		0x4f, 0x6e, 0x20, 0x74, 0x68, 0x65, 0x20, 0x63, 0x6c, 0x69,
		0x65, 0x6e, 0x74, 0x20, 0x73, 0x69, 0x64, 0x65, 0x2c, 0x20,
		0x74, 0x68, 0x69, 0x73, 0x20, 0x69, 0x73, 0x20, 0x74, 0x68,
		0x65, 0x20, 0x73, 0x65, 0x6e, 0x64, 0x20, 0x6b, 0x65, 0x79,
		0x3b, 0x20, 0x6f, 0x6e, 0x20, 0x74, 0x68, 0x65, 0x20, 0x73,
		0x65, 0x72, 0x76, 0x65, 0x72, 0x20, 0x73, 0x69, 0x64, 0x65,
		0x2c, 0x20, 0x69, 0x74, 0x20, 0x69, 0x73, 0x20, 0x74, 0x68,
		0x65, 0x20, 0x72, 0x65, 0x63, 0x65, 0x69, 0x76, 0x65, 0x20,
		0x6b, 0x65, 0x79, 0x2e
	};
	static const u8 magic3[84] = {
		0x4f, 0x6e, 0x20, 0x74, 0x68, 0x65, 0x20, 0x63, 0x6c, 0x69,
		0x65, 0x6e, 0x74, 0x20, 0x73, 0x69, 0x64, 0x65, 0x2c, 0x20,
		0x74, 0x68, 0x69, 0x73, 0x20, 0x69, 0x73, 0x20, 0x74, 0x68,
		0x65, 0x20, 0x72, 0x65, 0x63, 0x65, 0x69, 0x76, 0x65, 0x20,
		0x6b, 0x65, 0x79, 0x3b, 0x20, 0x6f, 0x6e, 0x20, 0x74, 0x68,
		0x65, 0x20, 0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0x20, 0x73,
		0x69, 0x64, 0x65, 0x2c, 0x20, 0x69, 0x74, 0x20, 0x69, 0x73,
		0x20, 0x74, 0x68, 0x65, 0x20, 0x73, 0x65, 0x6e, 0x64, 0x20,
		0x6b, 0x65, 0x79, 0x2e
	};
	static const u8 shs_pad1[40] = {
		0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
		0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
		0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
		0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
	};

	static const u8 shs_pad2[40] = {
		0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2,
		0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2,
		0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2,
		0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2
	};
	u8 digest[SHA1_MAC_LEN];
	const unsigned char *addr[4];
	const size_t len[4] = { 16, 40, 84, 40 };

	addr[0] = master_key;
	addr[1] = shs_pad1;
	if (is_send) {
		addr[2] = is_server ? magic3 : magic2;
	} else {
		addr[2] = is_server ? magic2 : magic3;
	}
	addr[3] = shs_pad2;

	if (sha1_vector(4, addr, len, digest))
		return -1;

	if (session_key_len > SHA1_MAC_LEN)
		session_key_len = SHA1_MAC_LEN;
	os_memcpy(session_key, digest, session_key_len);
	return 0;
}


#define PWBLOCK_LEN 516

/**
 * encrypt_pw_block_with_password_hash - EncryptPwBlockWithPasswordHash() - RFC 2759, Sect. 8.10
 * @password: 0-to-256-unicode-char Password (IN; UTF-8)
 * @password_len: Length of password
 * @password_hash: 16-octet PasswordHash (IN)
 * @pw_block: 516-byte PwBlock (OUT)
 * Returns: 0 on success, -1 on failure
 */
int encrypt_pw_block_with_password_hash(
	const u8 *password, size_t password_len,
	const u8 *password_hash, u8 *pw_block)
{
	size_t ucs2_len, offset;
	u8 *pos;

	os_memset(pw_block, 0, PWBLOCK_LEN);

	if (utf8_to_ucs2(password, password_len, pw_block, 512, &ucs2_len) < 0)
		return -1;

	if (ucs2_len > 256)
		return -1;

	offset = (256 - ucs2_len) * 2;
	if (offset != 0) {
		os_memmove(pw_block + offset, pw_block, ucs2_len * 2);
		if (os_get_random(pw_block, offset) < 0)
			return -1;
	}
	/*
	 * PasswordLength is 4 octets, but since the maximum password length is
	 * 256, only first two (in little endian byte order) can be non-zero.
	 */
	pos = &pw_block[2 * 256];
	WPA_PUT_LE16(pos, password_len * 2);
	rc4_skip(password_hash, 16, 0, pw_block, PWBLOCK_LEN);
	return 0;
}


/**
 * new_password_encrypted_with_old_nt_password_hash - NewPasswordEncryptedWithOldNtPasswordHash() - RFC 2759, Sect. 8.9
 * @new_password: 0-to-256-unicode-char NewPassword (IN; UTF-8)
 * @new_password_len: Length of new_password
 * @old_password: 0-to-256-unicode-char OldPassword (IN; UTF-8)
 * @old_password_len: Length of old_password
 * @encrypted_pw_block: 516-octet EncryptedPwBlock (OUT)
 * Returns: 0 on success, -1 on failure
 */
int new_password_encrypted_with_old_nt_password_hash(
	const u8 *new_password, size_t new_password_len,
	const u8 *old_password, size_t old_password_len,
	u8 *encrypted_pw_block)
{
	u8 password_hash[16];

	if (nt_password_hash(old_password, old_password_len, password_hash))
		return -1;
	if (encrypt_pw_block_with_password_hash(new_password, new_password_len,
						password_hash,
						encrypted_pw_block))
		return -1;
	return 0;
}


/**
 * nt_password_hash_encrypted_with_block - NtPasswordHashEncryptedWithBlock() - RFC 2759, Sect 8.13
 * @password_hash: 16-octer PasswordHash (IN)
 * @block: 16-octet Block (IN)
 * @cypher: 16-octer Cypher (OUT)
 */
void nt_password_hash_encrypted_with_block(const u8 *password_hash,
					   const u8 *block, u8 *cypher)
{
	des_encrypt(password_hash, block, cypher);
	des_encrypt(password_hash + 8, block + 7, cypher + 8);
}


/**
 * old_nt_password_hash_encrypted_with_new_nt_password_hash - OldNtPasswordHashEncryptedWithNewNtPasswordHash() - RFC 2759, Sect. 8.12
 * @new_password: 0-to-256-unicode-char NewPassword (IN; UTF-8)
 * @new_password_len: Length of new_password
 * @old_password: 0-to-256-unicode-char OldPassword (IN; UTF-8)
 * @old_password_len: Length of old_password
 * @encrypted_password_hash: 16-octet EncryptedPasswordHash (OUT)
 * Returns: 0 on success, -1 on failure
 */
int old_nt_password_hash_encrypted_with_new_nt_password_hash(
	const u8 *new_password, size_t new_password_len,
	const u8 *old_password, size_t old_password_len,
	u8 *encrypted_password_hash)
{
	u8 old_password_hash[16], new_password_hash[16];

	if (nt_password_hash(old_password, old_password_len,
			     old_password_hash) ||
	    nt_password_hash(new_password, new_password_len,
			     new_password_hash))
		return -1;
	nt_password_hash_encrypted_with_block(old_password_hash,
					      new_password_hash,
					      encrypted_password_hash);
	return 0;
}
Commit	Line	Data
6fc6879b JM	1	/*
6fc6879b JM	2	* WPA Supplicant / shared MSCHAPV2 helper functions / RFC 2433 / RFC 2759
6d503f67	3	* Copyright (c) 2004-2009, Jouni Malinen <j@w1.fi>
6fc6879b	4	*
0f3d578e JM	5	* This software may be distributed under the terms of the BSD license.
0f3d578e JM	6	* See README for more details.
6fc6879b JM	7	*/
	8
	9	#include "includes.h"
	10
	11	#include "common.h"
	12	#include "sha1.h"
	13	#include "ms_funcs.h"
	14	#include "crypto.h"
6fc6879b	15
c48183fc EB	16	/**
	17	* utf8_to_ucs2 - Convert UTF-8 string to UCS-2 encoding
	18	* @utf8_string: UTF-8 string (IN)
	19	* @utf8_string_len: Length of utf8_string (IN)
	20	* @ucs2_buffer: UCS-2 buffer (OUT)
	21	* @ucs2_buffer_size: Length of UCS-2 buffer (IN)
	22	* @ucs2_string_size: Number of 2-byte words in the resulting UCS-2 string
	23	* Returns: 0 on success, -1 on failure
	24	*/
	25	static int utf8_to_ucs2(const u8 *utf8_string, size_t utf8_string_len,
	26	u8 *ucs2_buffer, size_t ucs2_buffer_size,
	27	size_t *ucs2_string_size)
	28	{
	29	size_t i, j;
	30
	31	for (i = 0, j = 0; i < utf8_string_len; i++) {
	32	u8 c = utf8_string[i];
	33	if (j >= ucs2_buffer_size) {
	34	/* input too long */
	35	return -1;
	36	}
	37	if (c <= 0x7F) {
	38	WPA_PUT_LE16(ucs2_buffer + j, c);
	39	j += 2;
	40	} else if (i == utf8_string_len - 1 \|\|
	41	j >= ucs2_buffer_size - 1) {
	42	/* incomplete surrogate */
	43	return -1;
	44	} else {
	45	u8 c2 = utf8_string[++i];
	46	if ((c & 0xE0) == 0xC0) {
	47	/* two-byte encoding */
	48	WPA_PUT_LE16(ucs2_buffer + j,
	49	((c & 0x1F) << 6) \| (c2 & 0x3F));
	50	j += 2;
	51	} else if (i == utf8_string_len \|\|
	52	j >= ucs2_buffer_size - 1) {
	53	/* incomplete surrogate */
	54	return -1;
	55	} else {
	56	/* three-byte encoding */
	57	u8 c3 = utf8_string[++i];
	58	WPA_PUT_LE16(ucs2_buffer + j,
	59	((c & 0xF) << 12) \|
	60	((c2 & 0x3F) << 6) \| (c3 & 0x3F));
	61	}
	62	}
	63	}
	64
	65	if (ucs2_string_size)
	66	*ucs2_string_size = j / 2;
	67	return 0;
	68	}
	69
6fc6879b JM	70
	71	/**
	72	* challenge_hash - ChallengeHash() - RFC 2759, Sect. 8.2
	73	* @peer_challenge: 16-octet PeerChallenge (IN)
	74	* @auth_challenge: 16-octet AuthenticatorChallenge (IN)
	75	* @username: 0-to-256-char UserName (IN)
	76	* @username_len: Length of username
	77	* @challenge: 8-octet Challenge (OUT)
6d503f67	78	* Returns: 0 on success, -1 on failure
6fc6879b	79	*/
6d503f67 JM	80	static int challenge_hash(const u8 peer_challenge, const u8 auth_challenge,
	81	const u8 *username, size_t username_len,
	82	u8 *challenge)
6fc6879b JM	83	{
	84	u8 hash[SHA1_MAC_LEN];
	85	const unsigned char *addr[3];
	86	size_t len[3];
	87
	88	addr[0] = peer_challenge;
	89	len[0] = 16;
	90	addr[1] = auth_challenge;
	91	len[1] = 16;
	92	addr[2] = username;
	93	len[2] = username_len;
	94
6d503f67 JM	95	if (sha1_vector(3, addr, len, hash))
6d503f67 JM	96	return -1;
6fc6879b	97	os_memcpy(challenge, hash, 8);
6d503f67	98	return 0;
6fc6879b JM	99	}
	100
	101
	102	/**
	103	* nt_password_hash - NtPasswordHash() - RFC 2759, Sect. 8.3
c48183fc	104	* @password: 0-to-256-unicode-char Password (IN; UTF-8)
6fc6879b JM	105	* @password_len: Length of password
6fc6879b JM	106	* @password_hash: 16-octet PasswordHash (OUT)
6d503f67	107	* Returns: 0 on success, -1 on failure
6fc6879b	108	*/
6d503f67	109	int nt_password_hash(const u8 *password, size_t password_len,
6fc6879b JM	110	u8 *password_hash)
	111	{
	112	u8 buf[512], *pos;
c48183fc	113	size_t len, max_len;
6fc6879b	114
c48183fc EB	115	max_len = sizeof(buf);
	116	if (utf8_to_ucs2(password, password_len, buf, max_len, &len) < 0)
	117	return -1;
6fc6879b	118
c48183fc	119	len *= 2;
6fc6879b	120	pos = buf;
6d503f67	121	return md4_vector(1, (const u8 **) &pos, &len, password_hash);
6fc6879b JM	122	}
	123
	124
	125	/**
	126	* hash_nt_password_hash - HashNtPasswordHash() - RFC 2759, Sect. 8.4
	127	* @password_hash: 16-octet PasswordHash (IN)
	128	* @password_hash_hash: 16-octet PasswordHashHash (OUT)
6d503f67	129	* Returns: 0 on success, -1 on failure
6fc6879b	130	*/
6d503f67	131	int hash_nt_password_hash(const u8 password_hash, u8 password_hash_hash)
6fc6879b JM	132	{
6fc6879b JM	133	size_t len = 16;
6d503f67	134	return md4_vector(1, &password_hash, &len, password_hash_hash);
6fc6879b JM	135	}
	136
	137
	138	/**
	139	* challenge_response - ChallengeResponse() - RFC 2759, Sect. 8.5
	140	* @challenge: 8-octet Challenge (IN)
	141	* @password_hash: 16-octet PasswordHash (IN)
	142	* @response: 24-octet Response (OUT)
	143	*/
	144	void challenge_response(const u8 challenge, const u8 password_hash,
	145	u8 *response)
	146	{
	147	u8 zpwd[7];
	148	des_encrypt(challenge, password_hash, response);
	149	des_encrypt(challenge, password_hash + 7, response + 8);
	150	zpwd[0] = password_hash[14];
	151	zpwd[1] = password_hash[15];
	152	os_memset(zpwd + 2, 0, 5);
	153	des_encrypt(challenge, zpwd, response + 16);
	154	}
	155
	156
	157	/**
	158	* generate_nt_response - GenerateNTResponse() - RFC 2759, Sect. 8.1
	159	* @auth_challenge: 16-octet AuthenticatorChallenge (IN)
a17df5fb	160	* @peer_challenge: 16-octet PeerChallenge (IN)
6fc6879b JM	161	* @username: 0-to-256-char UserName (IN)
6fc6879b JM	162	* @username_len: Length of username
c48183fc	163	* @password: 0-to-256-unicode-char Password (IN; UTF-8)
6fc6879b JM	164	* @password_len: Length of password
6fc6879b JM	165	* @response: 24-octet Response (OUT)
6d503f67	166	* Returns: 0 on success, -1 on failure
6fc6879b	167	*/
6d503f67 JM	168	int generate_nt_response(const u8 auth_challenge, const u8 peer_challenge,
	169	const u8 *username, size_t username_len,
	170	const u8 *password, size_t password_len,
	171	u8 *response)
6fc6879b JM	172	{
	173	u8 challenge[8];
	174	u8 password_hash[16];
	175
	176	challenge_hash(peer_challenge, auth_challenge, username, username_len,
	177	challenge);
6d503f67 JM	178	if (nt_password_hash(password, password_len, password_hash))
6d503f67 JM	179	return -1;
6fc6879b	180	challenge_response(challenge, password_hash, response);
6d503f67	181	return 0;
6fc6879b JM	182	}
	183
	184
	185	/**
	186	* generate_nt_response_pwhash - GenerateNTResponse() - RFC 2759, Sect. 8.1
	187	* @auth_challenge: 16-octet AuthenticatorChallenge (IN)
a17df5fb	188	* @peer_challenge: 16-octet PeerChallenge (IN)
6fc6879b JM	189	* @username: 0-to-256-char UserName (IN)
	190	* @username_len: Length of username
	191	* @password_hash: 16-octet PasswordHash (IN)
	192	* @response: 24-octet Response (OUT)
6d503f67	193	* Returns: 0 on success, -1 on failure
6fc6879b	194	*/
6d503f67 JM	195	int generate_nt_response_pwhash(const u8 *auth_challenge,
	196	const u8 *peer_challenge,
	197	const u8 *username, size_t username_len,
	198	const u8 *password_hash,
	199	u8 *response)
6fc6879b JM	200	{
	201	u8 challenge[8];
	202
6d503f67 JM	203	if (challenge_hash(peer_challenge, auth_challenge,
	204	username, username_len,
	205	challenge))
	206	return -1;
6fc6879b	207	challenge_response(challenge, password_hash, response);
6d503f67	208	return 0;
6fc6879b JM	209	}
	210
	211
	212	/**
	213	* generate_authenticator_response_pwhash - GenerateAuthenticatorResponse() - RFC 2759, Sect. 8.7
	214	* @password_hash: 16-octet PasswordHash (IN)
	215	* @nt_response: 24-octet NT-Response (IN)
	216	* @peer_challenge: 16-octet PeerChallenge (IN)
	217	* @auth_challenge: 16-octet AuthenticatorChallenge (IN)
	218	* @username: 0-to-256-char UserName (IN)
	219	* @username_len: Length of username
	220	* @response: 20-octet AuthenticatorResponse (OUT) (note: this value is usually
b39d1280	221	* encoded as a 42-octet ASCII string (S=hexdump_of_response)
6d503f67	222	* Returns: 0 on success, -1 on failure
6fc6879b	223	*/
6d503f67	224	int generate_authenticator_response_pwhash(
6fc6879b JM	225	const u8 *password_hash,
	226	const u8 peer_challenge, const u8 auth_challenge,
	227	const u8 *username, size_t username_len,
	228	const u8 nt_response, u8 response)
	229	{
	230	static const u8 magic1[39] = {
	231	0x4D, 0x61, 0x67, 0x69, 0x63, 0x20, 0x73, 0x65, 0x72, 0x76,
	232	0x65, 0x72, 0x20, 0x74, 0x6F, 0x20, 0x63, 0x6C, 0x69, 0x65,
	233	0x6E, 0x74, 0x20, 0x73, 0x69, 0x67, 0x6E, 0x69, 0x6E, 0x67,
	234	0x20, 0x63, 0x6F, 0x6E, 0x73, 0x74, 0x61, 0x6E, 0x74
	235	};
	236	static const u8 magic2[41] = {
	237	0x50, 0x61, 0x64, 0x20, 0x74, 0x6F, 0x20, 0x6D, 0x61, 0x6B,
	238	0x65, 0x20, 0x69, 0x74, 0x20, 0x64, 0x6F, 0x20, 0x6D, 0x6F,
	239	0x72, 0x65, 0x20, 0x74, 0x68, 0x61, 0x6E, 0x20, 0x6F, 0x6E,
	240	0x65, 0x20, 0x69, 0x74, 0x65, 0x72, 0x61, 0x74, 0x69, 0x6F,
	241	0x6E
	242	};
	243
	244	u8 password_hash_hash[16], challenge[8];
	245	const unsigned char *addr1[3];
	246	const size_t len1[3] = { 16, 24, sizeof(magic1) };
	247	const unsigned char *addr2[3];
	248	const size_t len2[3] = { SHA1_MAC_LEN, 8, sizeof(magic2) };
	249
	250	addr1[0] = password_hash_hash;
	251	addr1[1] = nt_response;
	252	addr1[2] = magic1;
	253
	254	addr2[0] = response;
	255	addr2[1] = challenge;
	256	addr2[2] = magic2;
	257
6d503f67 JM	258	if (hash_nt_password_hash(password_hash, password_hash_hash))
	259	return -1;
	260	if (sha1_vector(3, addr1, len1, response))
	261	return -1;
6fc6879b JM	262
	263	challenge_hash(peer_challenge, auth_challenge, username, username_len,
	264	challenge);
6d503f67	265	return sha1_vector(3, addr2, len2, response);
6fc6879b JM	266	}
	267
	268
	269	/**
	270	* generate_authenticator_response - GenerateAuthenticatorResponse() - RFC 2759, Sect. 8.7
c48183fc	271	* @password: 0-to-256-unicode-char Password (IN; UTF-8)
6fc6879b JM	272	* @password_len: Length of password
	273	* @nt_response: 24-octet NT-Response (IN)
	274	* @peer_challenge: 16-octet PeerChallenge (IN)
	275	* @auth_challenge: 16-octet AuthenticatorChallenge (IN)
	276	* @username: 0-to-256-char UserName (IN)
	277	* @username_len: Length of username
	278	* @response: 20-octet AuthenticatorResponse (OUT) (note: this value is usually
b39d1280	279	* encoded as a 42-octet ASCII string (S=hexdump_of_response)
6d503f67	280	* Returns: 0 on success, -1 on failure
6fc6879b	281	*/
6d503f67 JM	282	int generate_authenticator_response(const u8 *password, size_t password_len,
	283	const u8 *peer_challenge,
	284	const u8 *auth_challenge,
	285	const u8 *username, size_t username_len,
	286	const u8 nt_response, u8 response)
6fc6879b JM	287	{
6fc6879b JM	288	u8 password_hash[16];
6d503f67 JM	289	if (nt_password_hash(password, password_len, password_hash))
	290	return -1;
	291	return generate_authenticator_response_pwhash(
	292	password_hash, peer_challenge, auth_challenge,
	293	username, username_len, nt_response, response);
6fc6879b JM	294	}
	295
	296
	297	/**
	298	* nt_challenge_response - NtChallengeResponse() - RFC 2433, Sect. A.5
	299	* @challenge: 8-octet Challenge (IN)
c48183fc	300	* @password: 0-to-256-unicode-char Password (IN; UTF-8)
6fc6879b JM	301	* @password_len: Length of password
6fc6879b JM	302	* @response: 24-octet Response (OUT)
6d503f67	303	* Returns: 0 on success, -1 on failure
6fc6879b	304	*/
6d503f67 JM	305	int nt_challenge_response(const u8 challenge, const u8 password,
6d503f67 JM	306	size_t password_len, u8 *response)
6fc6879b JM	307	{
6fc6879b JM	308	u8 password_hash[16];
6d503f67 JM	309	if (nt_password_hash(password, password_len, password_hash))
6d503f67 JM	310	return -1;
6fc6879b	311	challenge_response(challenge, password_hash, response);
6d503f67	312	return 0;
6fc6879b JM	313	}
	314
	315
	316	/**
	317	* get_master_key - GetMasterKey() - RFC 3079, Sect. 3.4
	318	* @password_hash_hash: 16-octet PasswordHashHash (IN)
	319	* @nt_response: 24-octet NTResponse (IN)
	320	* @master_key: 16-octet MasterKey (OUT)
6d503f67	321	* Returns: 0 on success, -1 on failure
6fc6879b	322	*/
6d503f67 JM	323	int get_master_key(const u8 password_hash_hash, const u8 nt_response,
6d503f67 JM	324	u8 *master_key)
6fc6879b JM	325	{
	326	static const u8 magic1[27] = {
	327	0x54, 0x68, 0x69, 0x73, 0x20, 0x69, 0x73, 0x20, 0x74,
	328	0x68, 0x65, 0x20, 0x4d, 0x50, 0x50, 0x45, 0x20, 0x4d,
	329	0x61, 0x73, 0x74, 0x65, 0x72, 0x20, 0x4b, 0x65, 0x79
	330	};
	331	const unsigned char *addr[3];
	332	const size_t len[3] = { 16, 24, sizeof(magic1) };
	333	u8 hash[SHA1_MAC_LEN];
	334
	335	addr[0] = password_hash_hash;
	336	addr[1] = nt_response;
	337	addr[2] = magic1;
	338
6d503f67 JM	339	if (sha1_vector(3, addr, len, hash))
6d503f67 JM	340	return -1;
6fc6879b	341	os_memcpy(master_key, hash, 16);
6d503f67	342	return 0;
6fc6879b JM	343	}
	344
	345
	346	/**
	347	* get_asymetric_start_key - GetAsymetricStartKey() - RFC 3079, Sect. 3.4
	348	* @master_key: 16-octet MasterKey (IN)
	349	* @session_key: 8-to-16 octet SessionKey (OUT)
	350	* @session_key_len: SessionKeyLength (Length of session_key) (IN)
	351	* @is_send: IsSend (IN, BOOLEAN)
	352	* @is_server: IsServer (IN, BOOLEAN)
6d503f67	353	* Returns: 0 on success, -1 on failure
6fc6879b	354	*/
6d503f67 JM	355	int get_asymetric_start_key(const u8 master_key, u8 session_key,
	356	size_t session_key_len, int is_send,
	357	int is_server)
6fc6879b JM	358	{
	359	static const u8 magic2[84] = {
	360	0x4f, 0x6e, 0x20, 0x74, 0x68, 0x65, 0x20, 0x63, 0x6c, 0x69,
	361	0x65, 0x6e, 0x74, 0x20, 0x73, 0x69, 0x64, 0x65, 0x2c, 0x20,
	362	0x74, 0x68, 0x69, 0x73, 0x20, 0x69, 0x73, 0x20, 0x74, 0x68,
	363	0x65, 0x20, 0x73, 0x65, 0x6e, 0x64, 0x20, 0x6b, 0x65, 0x79,
	364	0x3b, 0x20, 0x6f, 0x6e, 0x20, 0x74, 0x68, 0x65, 0x20, 0x73,
	365	0x65, 0x72, 0x76, 0x65, 0x72, 0x20, 0x73, 0x69, 0x64, 0x65,
	366	0x2c, 0x20, 0x69, 0x74, 0x20, 0x69, 0x73, 0x20, 0x74, 0x68,
	367	0x65, 0x20, 0x72, 0x65, 0x63, 0x65, 0x69, 0x76, 0x65, 0x20,
	368	0x6b, 0x65, 0x79, 0x2e
	369	};
	370	static const u8 magic3[84] = {
	371	0x4f, 0x6e, 0x20, 0x74, 0x68, 0x65, 0x20, 0x63, 0x6c, 0x69,
	372	0x65, 0x6e, 0x74, 0x20, 0x73, 0x69, 0x64, 0x65, 0x2c, 0x20,
	373	0x74, 0x68, 0x69, 0x73, 0x20, 0x69, 0x73, 0x20, 0x74, 0x68,
	374	0x65, 0x20, 0x72, 0x65, 0x63, 0x65, 0x69, 0x76, 0x65, 0x20,
	375	0x6b, 0x65, 0x79, 0x3b, 0x20, 0x6f, 0x6e, 0x20, 0x74, 0x68,
	376	0x65, 0x20, 0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0x20, 0x73,
	377	0x69, 0x64, 0x65, 0x2c, 0x20, 0x69, 0x74, 0x20, 0x69, 0x73,
	378	0x20, 0x74, 0x68, 0x65, 0x20, 0x73, 0x65, 0x6e, 0x64, 0x20,
	379	0x6b, 0x65, 0x79, 0x2e
	380	};
	381	static const u8 shs_pad1[40] = {
	382	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
	383	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
	384	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
	385	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
	386	};
	387
	388	static const u8 shs_pad2[40] = {
	389	0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2,
	390	0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2,
	391	0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2,
	392	0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2
	393	};
	394	u8 digest[SHA1_MAC_LEN];
	395	const unsigned char *addr[4];
	396	const size_t len[4] = { 16, 40, 84, 40 };
	397
	398	addr[0] = master_key;
	399	addr[1] = shs_pad1;
	400	if (is_send) {
	401	addr[2] = is_server ? magic3 : magic2;
	402	} else {
	403	addr[2] = is_server ? magic2 : magic3;
	404	}
	405	addr[3] = shs_pad2;
	406
6d503f67 JM	407	if (sha1_vector(4, addr, len, digest))
6d503f67 JM	408	return -1;
6fc6879b JM	409
	410	if (session_key_len > SHA1_MAC_LEN)
	411	session_key_len = SHA1_MAC_LEN;
	412	os_memcpy(session_key, digest, session_key_len);
6d503f67	413	return 0;
6fc6879b JM	414	}
	415
	416
	417	#define PWBLOCK_LEN 516
	418
	419	/**
	420	* encrypt_pw_block_with_password_hash - EncryptPwBlockWithPasswordHash() - RFC 2759, Sect. 8.10
c48183fc	421	* @password: 0-to-256-unicode-char Password (IN; UTF-8)
6fc6879b JM	422	* @password_len: Length of password
	423	* @password_hash: 16-octet PasswordHash (IN)
	424	* @pw_block: 516-byte PwBlock (OUT)
	425	* Returns: 0 on success, -1 on failure
	426	*/
	427	int encrypt_pw_block_with_password_hash(
	428	const u8 *password, size_t password_len,
	429	const u8 password_hash, u8 pw_block)
	430	{
c48183fc	431	size_t ucs2_len, offset;
6fc6879b JM	432	u8 *pos;
6fc6879b JM	433
c48183fc EB	434	os_memset(pw_block, 0, PWBLOCK_LEN);
	435
	436	if (utf8_to_ucs2(password, password_len, pw_block, 512, &ucs2_len) < 0)
6fc6879b JM	437	return -1;
6fc6879b JM	438
c48183fc	439	if (ucs2_len > 256)
6fc6879b	440	return -1;
c48183fc EB	441
	442	offset = (256 - ucs2_len) * 2;
	443	if (offset != 0) {
	444	os_memmove(pw_block + offset, pw_block, ucs2_len * 2);
	445	if (os_get_random(pw_block, offset) < 0)
	446	return -1;
	447	}
6fc6879b JM	448	/*
	449	* PasswordLength is 4 octets, but since the maximum password length is
	450	* 256, only first two (in little endian byte order) can be non-zero.
	451	*/
	452	pos = &pw_block[2 * 256];
	453	WPA_PUT_LE16(pos, password_len * 2);
8ef16831	454	rc4_skip(password_hash, 16, 0, pw_block, PWBLOCK_LEN);
6fc6879b JM	455	return 0;
	456	}
	457
	458
	459	/**
	460	* new_password_encrypted_with_old_nt_password_hash - NewPasswordEncryptedWithOldNtPasswordHash() - RFC 2759, Sect. 8.9
c48183fc	461	* @new_password: 0-to-256-unicode-char NewPassword (IN; UTF-8)
6fc6879b	462	* @new_password_len: Length of new_password
c48183fc	463	* @old_password: 0-to-256-unicode-char OldPassword (IN; UTF-8)
6fc6879b JM	464	* @old_password_len: Length of old_password
	465	* @encrypted_pw_block: 516-octet EncryptedPwBlock (OUT)
	466	* Returns: 0 on success, -1 on failure
	467	*/
	468	int new_password_encrypted_with_old_nt_password_hash(
	469	const u8 *new_password, size_t new_password_len,
	470	const u8 *old_password, size_t old_password_len,
	471	u8 *encrypted_pw_block)
	472	{
	473	u8 password_hash[16];
	474
6d503f67 JM	475	if (nt_password_hash(old_password, old_password_len, password_hash))
6d503f67 JM	476	return -1;
6fc6879b JM	477	if (encrypt_pw_block_with_password_hash(new_password, new_password_len,
	478	password_hash,
	479	encrypted_pw_block))
	480	return -1;
	481	return 0;
	482	}
	483
	484
	485	/**
	486	* nt_password_hash_encrypted_with_block - NtPasswordHashEncryptedWithBlock() - RFC 2759, Sect 8.13
	487	* @password_hash: 16-octer PasswordHash (IN)
	488	* @block: 16-octet Block (IN)
	489	* @cypher: 16-octer Cypher (OUT)
	490	*/
	491	void nt_password_hash_encrypted_with_block(const u8 *password_hash,
	492	const u8 block, u8 cypher)
	493	{
	494	des_encrypt(password_hash, block, cypher);
	495	des_encrypt(password_hash + 8, block + 7, cypher + 8);
	496	}
	497
	498
	499	/**
	500	* old_nt_password_hash_encrypted_with_new_nt_password_hash - OldNtPasswordHashEncryptedWithNewNtPasswordHash() - RFC 2759, Sect. 8.12
c48183fc	501	* @new_password: 0-to-256-unicode-char NewPassword (IN; UTF-8)
6fc6879b	502	* @new_password_len: Length of new_password
c48183fc	503	* @old_password: 0-to-256-unicode-char OldPassword (IN; UTF-8)
6fc6879b	504	* @old_password_len: Length of old_password
a17df5fb	505	* @encrypted_password_hash: 16-octet EncryptedPasswordHash (OUT)
6d503f67	506	* Returns: 0 on success, -1 on failure
6fc6879b	507	*/
6d503f67	508	int old_nt_password_hash_encrypted_with_new_nt_password_hash(
6fc6879b JM	509	const u8 *new_password, size_t new_password_len,
	510	const u8 *old_password, size_t old_password_len,
	511	u8 *encrypted_password_hash)
	512	{
	513	u8 old_password_hash[16], new_password_hash[16];
	514
6d503f67 JM	515	if (nt_password_hash(old_password, old_password_len,
	516	old_password_hash) \|\|
	517	nt_password_hash(new_password, new_password_len,
	518	new_password_hash))
	519	return -1;
6fc6879b JM	520	nt_password_hash_encrypted_with_block(old_password_hash,
	521	new_password_hash,
	522	encrypted_password_hash);
6d503f67	523	return 0;
6fc6879b	524	}