]> git.ipfire.org Git - thirdparty/hostap.git/blob - src/crypto/ms_funcs.c
projects / thirdparty / hostap.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Return success/failure result from tls_prf_sha256()
[thirdparty/hostap.git] / src / crypto / ms_funcs.c
1 /*
2 * WPA Supplicant / shared MSCHAPV2 helper functions / RFC 2433 / RFC 2759
3 * Copyright (c) 2004-2012, Jouni Malinen <j@w1.fi>
4 *
5 * This software may be distributed under the terms of the BSD license.
6 * See README for more details.
7 */
8
9 #include "includes.h"
10
11 #include "common.h"
12 #include "sha1.h"
13 #include "ms_funcs.h"
14 #include "crypto.h"
15
16 /**
17 * utf8_to_ucs2 - Convert UTF-8 string to UCS-2 encoding
18 * @utf8_string: UTF-8 string (IN)
19 * @utf8_string_len: Length of utf8_string (IN)
20 * @ucs2_buffer: UCS-2 buffer (OUT)
21 * @ucs2_buffer_size: Length of UCS-2 buffer (IN)
22 * @ucs2_string_size: Number of 2-byte words in the resulting UCS-2 string
23 * Returns: 0 on success, -1 on failure
24 */
25 static int utf8_to_ucs2(const u8 *utf8_string, size_t utf8_string_len,
26 u8 *ucs2_buffer, size_t ucs2_buffer_size,
27 size_t *ucs2_string_size)
28 {
29 size_t i, j;
30
31 for (i = 0, j = 0; i < utf8_string_len; i++) {
32 u8 c = utf8_string[i];
33 if (j >= ucs2_buffer_size) {
34 /* input too long */
35 return -1;
36 }
37 if (c <= 0x7F) {
38 WPA_PUT_LE16(ucs2_buffer + j, c);
39 j += 2;
40 } else if (i == utf8_string_len - 1 ||
41 j >= ucs2_buffer_size - 1) {
42 /* incomplete surrogate */
43 return -1;
44 } else {
45 u8 c2 = utf8_string[++i];
46 if ((c & 0xE0) == 0xC0) {
47 /* two-byte encoding */
48 WPA_PUT_LE16(ucs2_buffer + j,
49 ((c & 0x1F) << 6) | (c2 & 0x3F));
50 j += 2;
51 } else if (i == utf8_string_len - 1 ||
52 j >= ucs2_buffer_size - 1) {
53 /* incomplete surrogate */
54 return -1;
55 } else {
56 /* three-byte encoding */
57 u8 c3 = utf8_string[++i];
58 WPA_PUT_LE16(ucs2_buffer + j,
59 ((c & 0xF) << 12) |
60 ((c2 & 0x3F) << 6) | (c3 & 0x3F));
61 j += 2;
62 }
63 }
64 }
65
66 if (ucs2_string_size)
67 *ucs2_string_size = j / 2;
68 return 0;
69 }
70
71
72 /**
73 * challenge_hash - ChallengeHash() - RFC 2759, Sect. 8.2
74 * @peer_challenge: 16-octet PeerChallenge (IN)
75 * @auth_challenge: 16-octet AuthenticatorChallenge (IN)
76 * @username: 0-to-256-char UserName (IN)
77 * @username_len: Length of username
78 * @challenge: 8-octet Challenge (OUT)
79 * Returns: 0 on success, -1 on failure
80 */
81 int challenge_hash(const u8 *peer_challenge, const u8 *auth_challenge,
82 const u8 *username, size_t username_len, u8 *challenge)
83 {
84 u8 hash[SHA1_MAC_LEN];
85 const unsigned char *addr[3];
86 size_t len[3];
87
88 addr[0] = peer_challenge;
89 len[0] = 16;
90 addr[1] = auth_challenge;
91 len[1] = 16;
92 addr[2] = username;
93 len[2] = username_len;
94
95 if (sha1_vector(3, addr, len, hash))
96 return -1;
97 os_memcpy(challenge, hash, 8);
98 return 0;
99 }
100
101
102 /**
103 * nt_password_hash - NtPasswordHash() - RFC 2759, Sect. 8.3
104 * @password: 0-to-256-unicode-char Password (IN; UTF-8)
105 * @password_len: Length of password
106 * @password_hash: 16-octet PasswordHash (OUT)
107 * Returns: 0 on success, -1 on failure
108 */
109 int nt_password_hash(const u8 *password, size_t password_len,
110 u8 *password_hash)
111 {
112 u8 buf[512], *pos;
113 size_t len, max_len;
114
115 max_len = sizeof(buf);
116 if (utf8_to_ucs2(password, password_len, buf, max_len, &len) < 0)
117 return -1;
118
119 len *= 2;
120 pos = buf;
121 return md4_vector(1, (const u8 **) &pos, &len, password_hash);
122 }
123
124
125 /**
126 * hash_nt_password_hash - HashNtPasswordHash() - RFC 2759, Sect. 8.4
127 * @password_hash: 16-octet PasswordHash (IN)
128 * @password_hash_hash: 16-octet PasswordHashHash (OUT)
129 * Returns: 0 on success, -1 on failure
130 */
131 int hash_nt_password_hash(const u8 *password_hash, u8 *password_hash_hash)
132 {
133 size_t len = 16;
134 return md4_vector(1, &password_hash, &len, password_hash_hash);
135 }
136
137
138 /**
139 * challenge_response - ChallengeResponse() - RFC 2759, Sect. 8.5
140 * @challenge: 8-octet Challenge (IN)
141 * @password_hash: 16-octet PasswordHash (IN)
142 * @response: 24-octet Response (OUT)
143 * Returns: 0 on success, -1 on failure
144 */
145 int challenge_response(const u8 *challenge, const u8 *password_hash,
146 u8 *response)
147 {
148 u8 zpwd[7];
149
150 if (des_encrypt(challenge, password_hash, response) < 0 ||
151 des_encrypt(challenge, password_hash + 7, response + 8) < 0)
152 return -1;
153 zpwd[0] = password_hash[14];
154 zpwd[1] = password_hash[15];
155 os_memset(zpwd + 2, 0, 5);
156 return des_encrypt(challenge, zpwd, response + 16);
157 }
158
159
160 /**
161 * generate_nt_response - GenerateNTResponse() - RFC 2759, Sect. 8.1
162 * @auth_challenge: 16-octet AuthenticatorChallenge (IN)
163 * @peer_challenge: 16-octet PeerChallenge (IN)
164 * @username: 0-to-256-char UserName (IN)
165 * @username_len: Length of username
166 * @password: 0-to-256-unicode-char Password (IN; UTF-8)
167 * @password_len: Length of password
168 * @response: 24-octet Response (OUT)
169 * Returns: 0 on success, -1 on failure
170 */
171 int generate_nt_response(const u8 *auth_challenge, const u8 *peer_challenge,
172 const u8 *username, size_t username_len,
173 const u8 *password, size_t password_len,
174 u8 *response)
175 {
176 u8 challenge[8];
177 u8 password_hash[16];
178
179 if (challenge_hash(peer_challenge, auth_challenge, username,
180 username_len, challenge) ||
181 nt_password_hash(password, password_len, password_hash) ||
182 challenge_response(challenge, password_hash, response))
183 return -1;
184 return 0;
185 }
186
187
188 /**
189 * generate_nt_response_pwhash - GenerateNTResponse() - RFC 2759, Sect. 8.1
190 * @auth_challenge: 16-octet AuthenticatorChallenge (IN)
191 * @peer_challenge: 16-octet PeerChallenge (IN)
192 * @username: 0-to-256-char UserName (IN)
193 * @username_len: Length of username
194 * @password_hash: 16-octet PasswordHash (IN)
195 * @response: 24-octet Response (OUT)
196 * Returns: 0 on success, -1 on failure
197 */
198 int generate_nt_response_pwhash(const u8 *auth_challenge,
199 const u8 *peer_challenge,
200 const u8 *username, size_t username_len,
201 const u8 *password_hash,
202 u8 *response)
203 {
204 u8 challenge[8];
205
206 if (challenge_hash(peer_challenge, auth_challenge,
207 username, username_len,
208 challenge) ||
209 challenge_response(challenge, password_hash, response))
210 return -1;
211 return 0;
212 }
213
214
215 /**
216 * generate_authenticator_response_pwhash - GenerateAuthenticatorResponse() - RFC 2759, Sect. 8.7
217 * @password_hash: 16-octet PasswordHash (IN)
218 * @nt_response: 24-octet NT-Response (IN)
219 * @peer_challenge: 16-octet PeerChallenge (IN)
220 * @auth_challenge: 16-octet AuthenticatorChallenge (IN)
221 * @username: 0-to-256-char UserName (IN)
222 * @username_len: Length of username
223 * @response: 20-octet AuthenticatorResponse (OUT) (note: this value is usually
224 * encoded as a 42-octet ASCII string (S=hexdump_of_response)
225 * Returns: 0 on success, -1 on failure
226 */
227 int generate_authenticator_response_pwhash(
228 const u8 *password_hash,
229 const u8 *peer_challenge, const u8 *auth_challenge,
230 const u8 *username, size_t username_len,
231 const u8 *nt_response, u8 *response)
232 {
233 static const u8 magic1[39] = {
234 0x4D, 0x61, 0x67, 0x69, 0x63, 0x20, 0x73, 0x65, 0x72, 0x76,
235 0x65, 0x72, 0x20, 0x74, 0x6F, 0x20, 0x63, 0x6C, 0x69, 0x65,
236 0x6E, 0x74, 0x20, 0x73, 0x69, 0x67, 0x6E, 0x69, 0x6E, 0x67,
237 0x20, 0x63, 0x6F, 0x6E, 0x73, 0x74, 0x61, 0x6E, 0x74
238 };
239 static const u8 magic2[41] = {
240 0x50, 0x61, 0x64, 0x20, 0x74, 0x6F, 0x20, 0x6D, 0x61, 0x6B,
241 0x65, 0x20, 0x69, 0x74, 0x20, 0x64, 0x6F, 0x20, 0x6D, 0x6F,
242 0x72, 0x65, 0x20, 0x74, 0x68, 0x61, 0x6E, 0x20, 0x6F, 0x6E,
243 0x65, 0x20, 0x69, 0x74, 0x65, 0x72, 0x61, 0x74, 0x69, 0x6F,
244 0x6E
245 };
246
247 u8 password_hash_hash[16], challenge[8];
248 const unsigned char *addr1[3];
249 const size_t len1[3] = { 16, 24, sizeof(magic1) };
250 const unsigned char *addr2[3];
251 const size_t len2[3] = { SHA1_MAC_LEN, 8, sizeof(magic2) };
252
253 addr1[0] = password_hash_hash;
254 addr1[1] = nt_response;
255 addr1[2] = magic1;
256
257 addr2[0] = response;
258 addr2[1] = challenge;
259 addr2[2] = magic2;
260
261 if (hash_nt_password_hash(password_hash, password_hash_hash) ||
262 sha1_vector(3, addr1, len1, response) ||
263 challenge_hash(peer_challenge, auth_challenge, username,
264 username_len, challenge))
265 return -1;
266 return sha1_vector(3, addr2, len2, response);
267 }
268
269
270 /**
271 * generate_authenticator_response - GenerateAuthenticatorResponse() - RFC 2759, Sect. 8.7
272 * @password: 0-to-256-unicode-char Password (IN; UTF-8)
273 * @password_len: Length of password
274 * @nt_response: 24-octet NT-Response (IN)
275 * @peer_challenge: 16-octet PeerChallenge (IN)
276 * @auth_challenge: 16-octet AuthenticatorChallenge (IN)
277 * @username: 0-to-256-char UserName (IN)
278 * @username_len: Length of username
279 * @response: 20-octet AuthenticatorResponse (OUT) (note: this value is usually
280 * encoded as a 42-octet ASCII string (S=hexdump_of_response)
281 * Returns: 0 on success, -1 on failure
282 */
283 int generate_authenticator_response(const u8 *password, size_t password_len,
284 const u8 *peer_challenge,
285 const u8 *auth_challenge,
286 const u8 *username, size_t username_len,
287 const u8 *nt_response, u8 *response)
288 {
289 u8 password_hash[16];
290 if (nt_password_hash(password, password_len, password_hash))
291 return -1;
292 return generate_authenticator_response_pwhash(
293 password_hash, peer_challenge, auth_challenge,
294 username, username_len, nt_response, response);
295 }
296
297
298 /**
299 * nt_challenge_response - NtChallengeResponse() - RFC 2433, Sect. A.5
300 * @challenge: 8-octet Challenge (IN)
301 * @password: 0-to-256-unicode-char Password (IN; UTF-8)
302 * @password_len: Length of password
303 * @response: 24-octet Response (OUT)
304 * Returns: 0 on success, -1 on failure
305 */
306 int nt_challenge_response(const u8 *challenge, const u8 *password,
307 size_t password_len, u8 *response)
308 {
309 u8 password_hash[16];
310
311 if (nt_password_hash(password, password_len, password_hash) ||
312 challenge_response(challenge, password_hash, response))
313 return -1;
314 return 0;
315 }
316
317
318 /**
319 * get_master_key - GetMasterKey() - RFC 3079, Sect. 3.4
320 * @password_hash_hash: 16-octet PasswordHashHash (IN)
321 * @nt_response: 24-octet NTResponse (IN)
322 * @master_key: 16-octet MasterKey (OUT)
323 * Returns: 0 on success, -1 on failure
324 */
325 int get_master_key(const u8 *password_hash_hash, const u8 *nt_response,
326 u8 *master_key)
327 {
328 static const u8 magic1[27] = {
329 0x54, 0x68, 0x69, 0x73, 0x20, 0x69, 0x73, 0x20, 0x74,
330 0x68, 0x65, 0x20, 0x4d, 0x50, 0x50, 0x45, 0x20, 0x4d,
331 0x61, 0x73, 0x74, 0x65, 0x72, 0x20, 0x4b, 0x65, 0x79
332 };
333 const unsigned char *addr[3];
334 const size_t len[3] = { 16, 24, sizeof(magic1) };
335 u8 hash[SHA1_MAC_LEN];
336
337 addr[0] = password_hash_hash;
338 addr[1] = nt_response;
339 addr[2] = magic1;
340
341 if (sha1_vector(3, addr, len, hash))
342 return -1;
343 os_memcpy(master_key, hash, 16);
344 return 0;
345 }
346
347
348 /**
349 * get_asymetric_start_key - GetAsymetricStartKey() - RFC 3079, Sect. 3.4
350 * @master_key: 16-octet MasterKey (IN)
351 * @session_key: 8-to-16 octet SessionKey (OUT)
352 * @session_key_len: SessionKeyLength (Length of session_key) (IN)
353 * @is_send: IsSend (IN, BOOLEAN)
354 * @is_server: IsServer (IN, BOOLEAN)
355 * Returns: 0 on success, -1 on failure
356 */
357 int get_asymetric_start_key(const u8 *master_key, u8 *session_key,
358 size_t session_key_len, int is_send,
359 int is_server)
360 {
361 static const u8 magic2[84] = {
362 0x4f, 0x6e, 0x20, 0x74, 0x68, 0x65, 0x20, 0x63, 0x6c, 0x69,
363 0x65, 0x6e, 0x74, 0x20, 0x73, 0x69, 0x64, 0x65, 0x2c, 0x20,
364 0x74, 0x68, 0x69, 0x73, 0x20, 0x69, 0x73, 0x20, 0x74, 0x68,
365 0x65, 0x20, 0x73, 0x65, 0x6e, 0x64, 0x20, 0x6b, 0x65, 0x79,
366 0x3b, 0x20, 0x6f, 0x6e, 0x20, 0x74, 0x68, 0x65, 0x20, 0x73,
367 0x65, 0x72, 0x76, 0x65, 0x72, 0x20, 0x73, 0x69, 0x64, 0x65,
368 0x2c, 0x20, 0x69, 0x74, 0x20, 0x69, 0x73, 0x20, 0x74, 0x68,
369 0x65, 0x20, 0x72, 0x65, 0x63, 0x65, 0x69, 0x76, 0x65, 0x20,
370 0x6b, 0x65, 0x79, 0x2e
371 };
372 static const u8 magic3[84] = {
373 0x4f, 0x6e, 0x20, 0x74, 0x68, 0x65, 0x20, 0x63, 0x6c, 0x69,
374 0x65, 0x6e, 0x74, 0x20, 0x73, 0x69, 0x64, 0x65, 0x2c, 0x20,
375 0x74, 0x68, 0x69, 0x73, 0x20, 0x69, 0x73, 0x20, 0x74, 0x68,
376 0x65, 0x20, 0x72, 0x65, 0x63, 0x65, 0x69, 0x76, 0x65, 0x20,
377 0x6b, 0x65, 0x79, 0x3b, 0x20, 0x6f, 0x6e, 0x20, 0x74, 0x68,
378 0x65, 0x20, 0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0x20, 0x73,
379 0x69, 0x64, 0x65, 0x2c, 0x20, 0x69, 0x74, 0x20, 0x69, 0x73,
380 0x20, 0x74, 0x68, 0x65, 0x20, 0x73, 0x65, 0x6e, 0x64, 0x20,
381 0x6b, 0x65, 0x79, 0x2e
382 };
383 static const u8 shs_pad1[40] = {
384 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
385 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
386 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
387 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
388 };
389
390 static const u8 shs_pad2[40] = {
391 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2,
392 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2,
393 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2,
394 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2
395 };
396 u8 digest[SHA1_MAC_LEN];
397 const unsigned char *addr[4];
398 const size_t len[4] = { 16, 40, 84, 40 };
399
400 addr[0] = master_key;
401 addr[1] = shs_pad1;
402 if (is_send) {
403 addr[2] = is_server ? magic3 : magic2;
404 } else {
405 addr[2] = is_server ? magic2 : magic3;
406 }
407 addr[3] = shs_pad2;
408
409 if (sha1_vector(4, addr, len, digest))
410 return -1;
411
412 if (session_key_len > SHA1_MAC_LEN)
413 session_key_len = SHA1_MAC_LEN;
414 os_memcpy(session_key, digest, session_key_len);
415 return 0;
416 }
417
418
419 #ifndef CONFIG_NO_RC4
420
421 #define PWBLOCK_LEN 516
422
423 /**
424 * encrypt_pw_block_with_password_hash - EncryptPwBlockWithPasswordHash() - RFC 2759, Sect. 8.10
425 * @password: 0-to-256-unicode-char Password (IN; UTF-8)
426 * @password_len: Length of password
427 * @password_hash: 16-octet PasswordHash (IN)
428 * @pw_block: 516-byte PwBlock (OUT)
429 * Returns: 0 on success, -1 on failure
430 */
431 int encrypt_pw_block_with_password_hash(
432 const u8 *password, size_t password_len,
433 const u8 *password_hash, u8 *pw_block)
434 {
435 size_t ucs2_len, offset;
436 u8 *pos;
437
438 os_memset(pw_block, 0, PWBLOCK_LEN);
439
440 if (utf8_to_ucs2(password, password_len, pw_block, 512, &ucs2_len) < 0
441 || ucs2_len > 256)
442 return -1;
443
444 offset = (256 - ucs2_len) * 2;
445 if (offset != 0) {
446 os_memmove(pw_block + offset, pw_block, ucs2_len * 2);
447 if (os_get_random(pw_block, offset) < 0)
448 return -1;
449 }
450 /*
451 * PasswordLength is 4 octets, but since the maximum password length is
452 * 256, only first two (in little endian byte order) can be non-zero.
453 */
454 pos = &pw_block[2 * 256];
455 WPA_PUT_LE16(pos, password_len * 2);
456 rc4_skip(password_hash, 16, 0, pw_block, PWBLOCK_LEN);
457 return 0;
458 }
459
460
461 /**
462 * new_password_encrypted_with_old_nt_password_hash - NewPasswordEncryptedWithOldNtPasswordHash() - RFC 2759, Sect. 8.9
463 * @new_password: 0-to-256-unicode-char NewPassword (IN; UTF-8)
464 * @new_password_len: Length of new_password
465 * @old_password: 0-to-256-unicode-char OldPassword (IN; UTF-8)
466 * @old_password_len: Length of old_password
467 * @encrypted_pw_block: 516-octet EncryptedPwBlock (OUT)
468 * Returns: 0 on success, -1 on failure
469 */
470 int new_password_encrypted_with_old_nt_password_hash(
471 const u8 *new_password, size_t new_password_len,
472 const u8 *old_password, size_t old_password_len,
473 u8 *encrypted_pw_block)
474 {
475 u8 password_hash[16];
476
477 if (nt_password_hash(old_password, old_password_len, password_hash))
478 return -1;
479 if (encrypt_pw_block_with_password_hash(new_password, new_password_len,
480 password_hash,
481 encrypted_pw_block))
482 return -1;
483 return 0;
484 }
485
486 #endif /* CONFIG_NO_RC4 */
487
488
489 /**
490 * nt_password_hash_encrypted_with_block - NtPasswordHashEncryptedWithBlock() - RFC 2759, Sect 8.13
491 * @password_hash: 16-octer PasswordHash (IN)
492 * @block: 16-octet Block (IN)
493 * @cypher: 16-octer Cypher (OUT)
494 * Returns: 0 on success, -1 on failure
495 */
496 int nt_password_hash_encrypted_with_block(const u8 *password_hash,
497 const u8 *block, u8 *cypher)
498 {
499 if (des_encrypt(password_hash, block, cypher) < 0 ||
500 des_encrypt(password_hash + 8, block + 7, cypher + 8) < 0)
501 return -1;
502 return 0;
503 }
504
505
506 /**
507 * old_nt_password_hash_encrypted_with_new_nt_password_hash - OldNtPasswordHashEncryptedWithNewNtPasswordHash() - RFC 2759, Sect. 8.12
508 * @new_password: 0-to-256-unicode-char NewPassword (IN; UTF-8)
509 * @new_password_len: Length of new_password
510 * @old_password: 0-to-256-unicode-char OldPassword (IN; UTF-8)
511 * @old_password_len: Length of old_password
512 * @encrypted_password_hash: 16-octet EncryptedPasswordHash (OUT)
513 * Returns: 0 on success, -1 on failure
514 */
515 int old_nt_password_hash_encrypted_with_new_nt_password_hash(
516 const u8 *new_password, size_t new_password_len,
517 const u8 *old_password, size_t old_password_len,
518 u8 *encrypted_password_hash)
519 {
520 u8 old_password_hash[16], new_password_hash[16];
521
522 if (nt_password_hash(old_password, old_password_len,
523 old_password_hash) ||
524 nt_password_hash(new_password, new_password_len,
525 new_password_hash) ||
526 nt_password_hash_encrypted_with_block(old_password_hash,
527 new_password_hash,
528 encrypted_password_hash))
529 return -1;
530 return 0;
531 }
Unnamed repository; edit this file 'description' to name the repository.