From: Tobias Brunner
Date: Wed, 16 Nov 2016 16:12:33 +0000 (+0100)
Subject: vici: Add support for NT Hash secrets
X-Git-Tag: 5.5.2dr5~9^2~20
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=ed105f45afca41b4e445c18f24f219352a4c6ef0;p=thirdparty%2Fstrongswan.git

vici: Add support for NT Hash secrets

Fixes #1002.
---
diff --git a/src/libcharon/plugins/vici/vici_cred.c b/src/libcharon/plugins/vici/vici_cred.c
index 04a13b4fa4..c8d71138c2 100644
--- a/src/libcharon/plugins/vici/vici_cred.c
+++ b/src/libcharon/plugins/vici/vici_cred.c
@@ -339,6 +339,10 @@ CALLBACK(load_shared, vici_message_t*,
 	{
 		type = SHARED_EAP;
 	}
+	else if (strcaseeq(str, "ntlm"))
+	{
+		type = SHARED_NT_HASH;
+	}
 	else
 	{
 		return create_reply("invalid shared key type: %s", str);
diff --git a/src/swanctl/commands/load_creds.c b/src/swanctl/commands/load_creds.c
index 126b61e649..8360178936 100644
--- a/src/swanctl/commands/load_creds.c
+++ b/src/swanctl/commands/load_creds.c
@@ -583,6 +583,7 @@ static bool load_secret(load_ctx_t *ctx, char *section)
 	char *types[] = {
 		"eap",
 		"xauth",
+		"ntlm",
 		"ike",
 		"private",
 		"rsa",
@@ -605,7 +606,8 @@ static bool load_secret(load_ctx_t *ctx, char *section)
 		fprintf(stderr, "ignoring unsupported secret '%s'\n", section);
 		return FALSE;
 	}
-	if (!streq(type, "eap") && !streq(type, "xauth") && !streq(type, "ike"))
+	if (!streq(type, "eap") && !streq(type, "xauth") && !streq(type, "ntlm") &&
+		!streq(type, "ike"))
 	{	/* skip non-shared secrets */
 		return TRUE;
 	}
diff --git a/src/swanctl/swanctl.opt b/src/swanctl/swanctl.opt
index 327b8971db..8ddc9f750b 100644
--- a/src/swanctl/swanctl.opt
+++ b/src/swanctl/swanctl.opt
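Review bot: The new `SHARED_NT_HASH` branch only maps the type string; nothing in this hunk constrains the key data to the 16-byte MD4 digest that an NT hash is, so if load_shared does not check the length where it reads the data (the function starts before and continues after this hunk, so I cannot see that), a plaintext password or a truncated hex value submitted with type `ntlm` is stored as-is and only fails, opaquely, during EAP-MSCHAPv2. I would reject it at load time next to the existing empty-data check, e.g. `if (type == SHARED_NT_HASH && data.len != HASH_SIZE_MD4) { return create_reply("invalid NT hash length: %zu", data.len); }`, assuming `data` is the chunk the callback fetches. A comment on the branch would also help, since the wire name and the enum differ: `/* "ntlm" carries the NT hash itself (MD4 over the UTF-16LE password), not a plaintext password */`.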
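Review bot: The set of shared-secret type names inside load_secret is now maintained by hand in two places, the `types[]` table in the @@ -583,6 hunk and the `streq` chain in the @@ -605,7 hunk, and a third copy lives in vici_cred.c's load_shared; the `ntlm` addition had to touch all three, and the next type that misses one of them is either skipped silently by the `return TRUE` branch or rejected by vici with "invalid shared key type". I would keep the shared types in one table and derive the skip test from it, as sketched below, or at minimum annotate the table: `/* the first four entries are shared secrets; keep in sync with the streq() check below and with load_shared() in vici_cred.c */`. Separately, the swanctl.opt text in this commit says an `ntlm` value is a 16-byte hash given with a `0x` or `0s` prefix, but neither hunk validates that; whether the rest of load_secret (outside both hunks) does, I cannot tell.
```c
/* shared-secret types forwarded to vici's load_shared; keep in sync with
 * vici_cred.c */
static const char *shared_types[] = { "eap", "xauth", "ntlm", "ike" };

static bool is_shared_type(const char *type)
{
	for (size_t i = 0; i < countof(shared_types); i++)
	{
		if (streq(type, shared_types[i]))
		{
			return TRUE;
		}
	}
	return FALSE;
}

/* … unchanged: load_secret() through the unsupported-type check … */
	if (!is_shared_type(type))
	{	/* skip non-shared secrets */
		return TRUE;
	}
```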
@@ -831,6 +831,28 @@ secrets.eap.id =
 	be specified, each having an _id_ prefix, if a secret is shared between
 	multiple users.
 
+secrets.ntlm { # }
+	NTLM secret section for a specific secret.
+
+	NTLM secret section for a specific secret. Each NTLM secret is defined in
+	a unique section having the _ntlm_ prefix. NTLM secrets may only be used for
+	EAP-MSCHAPv2 authentication.
+
+secrets.ntlm.secret =
+	Value of the NTLM secret.
+
+	Value of the NTLM secret, which is the NT Hash of the actual secret, that
+	is, MD4(UTF-16LE(secret)). The resulting 16-byte value may either be given
+	as a hex encoded string with a _0x_ prefix or as a Base64 encoded string
+	with a _0s_ prefix.
+
+secrets.ntlm.id =
+	Identity the NTLM secret belongs to.
+
+	Identity the NTLM secret belongs to. Multiple unique identities may
+	be specified, each having an _id_ prefix, if a secret is shared between
+	multiple users.
+
 secrets.ike { # }
 	IKE preshared secret section for a specific secret.
 