2 * WPA Supplicant / shared MSCHAPV2 helper functions / RFC 2433 / RFC 2759
3 * Copyright (c) 2004-2012, Jouni Malinen <j@w1.fi>
5 * This software may be distributed under the terms of the BSD license.
6 * See README for more details.
17 * utf8_to_ucs2 - Convert UTF-8 string to UCS-2 encoding
18 * @utf8_string: UTF-8 string (IN)
19 * @utf8_string_len: Length of utf8_string (IN)
20 * @ucs2_buffer: UCS-2 buffer (OUT)
21 * @ucs2_buffer_size: Length of UCS-2 buffer (IN)
22 * @ucs2_string_size: Number of 2-byte words in the resulting UCS-2 string
23 * Returns: 0 on success, -1 on failure
25 static int utf8_to_ucs2(const u8 *utf8_string, size_t utf8_string_len,
26 u8 *ucs2_buffer, size_t ucs2_buffer_size,
27 size_t *ucs2_string_size)
31 for (i = 0, j = 0; i < utf8_string_len; i++) {
32 u8 c = utf8_string[i];
33 if (j >= ucs2_buffer_size) {
38 WPA_PUT_LE16(ucs2_buffer + j, c);
40 } else if (i == utf8_string_len - 1 ||
41 j >= ucs2_buffer_size - 1) {
42 /* incomplete surrogate */
45 u8 c2 = utf8_string[++i];
46 if ((c & 0xE0) == 0xC0) {
47 /* two-byte encoding */
48 WPA_PUT_LE16(ucs2_buffer + j,
49 ((c & 0x1F) << 6) | (c2 & 0x3F));
51 } else if (i == utf8_string_len ||
52 j >= ucs2_buffer_size - 1) {
53 /* incomplete surrogate */
56 /* three-byte encoding */
57 u8 c3 = utf8_string[++i];
58 WPA_PUT_LE16(ucs2_buffer + j,
60 ((c2 & 0x3F) << 6) | (c3 & 0x3F));
67 *ucs2_string_size = j / 2;
73 * challenge_hash - ChallengeHash() - RFC 2759, Sect. 8.2
74 * @peer_challenge: 16-octet PeerChallenge (IN)
75 * @auth_challenge: 16-octet AuthenticatorChallenge (IN)
76 * @username: 0-to-256-char UserName (IN)
77 * @username_len: Length of username
78 * @challenge: 8-octet Challenge (OUT)
79 * Returns: 0 on success, -1 on failure
81 int challenge_hash(const u8 *peer_challenge, const u8 *auth_challenge,
82 const u8 *username, size_t username_len, u8 *challenge)
84 u8 hash[SHA1_MAC_LEN];
85 const unsigned char *addr[3];
88 addr[0] = peer_challenge;
90 addr[1] = auth_challenge;
93 len[2] = username_len;
95 if (sha1_vector(3, addr, len, hash))
97 os_memcpy(challenge, hash, 8);
103 * nt_password_hash - NtPasswordHash() - RFC 2759, Sect. 8.3
104 * @password: 0-to-256-unicode-char Password (IN; UTF-8)
105 * @password_len: Length of password
106 * @password_hash: 16-octet PasswordHash (OUT)
107 * Returns: 0 on success, -1 on failure
109 int nt_password_hash(const u8 *password, size_t password_len,
115 max_len = sizeof(buf);
116 if (utf8_to_ucs2(password, password_len, buf, max_len, &len) < 0)
121 return md4_vector(1, (const u8 **) &pos, &len, password_hash);
126 * hash_nt_password_hash - HashNtPasswordHash() - RFC 2759, Sect. 8.4
127 * @password_hash: 16-octet PasswordHash (IN)
128 * @password_hash_hash: 16-octet PasswordHashHash (OUT)
129 * Returns: 0 on success, -1 on failure
131 int hash_nt_password_hash(const u8 *password_hash, u8 *password_hash_hash)
134 return md4_vector(1, &password_hash, &len, password_hash_hash);
139 * challenge_response - ChallengeResponse() - RFC 2759, Sect. 8.5
140 * @challenge: 8-octet Challenge (IN)
141 * @password_hash: 16-octet PasswordHash (IN)
142 * @response: 24-octet Response (OUT)
144 void challenge_response(const u8 *challenge, const u8 *password_hash,
148 des_encrypt(challenge, password_hash, response);
149 des_encrypt(challenge, password_hash + 7, response + 8);
150 zpwd[0] = password_hash[14];
151 zpwd[1] = password_hash[15];
152 os_memset(zpwd + 2, 0, 5);
153 des_encrypt(challenge, zpwd, response + 16);
158 * generate_nt_response - GenerateNTResponse() - RFC 2759, Sect. 8.1
159 * @auth_challenge: 16-octet AuthenticatorChallenge (IN)
160 * @peer_challenge: 16-octet PeerChallenge (IN)
161 * @username: 0-to-256-char UserName (IN)
162 * @username_len: Length of username
163 * @password: 0-to-256-unicode-char Password (IN; UTF-8)
164 * @password_len: Length of password
165 * @response: 24-octet Response (OUT)
166 * Returns: 0 on success, -1 on failure
168 int generate_nt_response(const u8 *auth_challenge, const u8 *peer_challenge,
169 const u8 *username, size_t username_len,
170 const u8 *password, size_t password_len,
174 u8 password_hash[16];
176 if (challenge_hash(peer_challenge, auth_challenge, username,
177 username_len, challenge) ||
178 nt_password_hash(password, password_len, password_hash))
180 challenge_response(challenge, password_hash, response);
186 * generate_nt_response_pwhash - GenerateNTResponse() - RFC 2759, Sect. 8.1
187 * @auth_challenge: 16-octet AuthenticatorChallenge (IN)
188 * @peer_challenge: 16-octet PeerChallenge (IN)
189 * @username: 0-to-256-char UserName (IN)
190 * @username_len: Length of username
191 * @password_hash: 16-octet PasswordHash (IN)
192 * @response: 24-octet Response (OUT)
193 * Returns: 0 on success, -1 on failure
195 int generate_nt_response_pwhash(const u8 *auth_challenge,
196 const u8 *peer_challenge,
197 const u8 *username, size_t username_len,
198 const u8 *password_hash,
203 if (challenge_hash(peer_challenge, auth_challenge,
204 username, username_len,
207 challenge_response(challenge, password_hash, response);
213 * generate_authenticator_response_pwhash - GenerateAuthenticatorResponse() - RFC 2759, Sect. 8.7
214 * @password_hash: 16-octet PasswordHash (IN)
215 * @nt_response: 24-octet NT-Response (IN)
216 * @peer_challenge: 16-octet PeerChallenge (IN)
217 * @auth_challenge: 16-octet AuthenticatorChallenge (IN)
218 * @username: 0-to-256-char UserName (IN)
219 * @username_len: Length of username
220 * @response: 20-octet AuthenticatorResponse (OUT) (note: this value is usually
221 * encoded as a 42-octet ASCII string (S=hexdump_of_response)
222 * Returns: 0 on success, -1 on failure
224 int generate_authenticator_response_pwhash(
225 const u8 *password_hash,
226 const u8 *peer_challenge, const u8 *auth_challenge,
227 const u8 *username, size_t username_len,
228 const u8 *nt_response, u8 *response)
230 static const u8 magic1[39] = {
231 0x4D, 0x61, 0x67, 0x69, 0x63, 0x20, 0x73, 0x65, 0x72, 0x76,
232 0x65, 0x72, 0x20, 0x74, 0x6F, 0x20, 0x63, 0x6C, 0x69, 0x65,
233 0x6E, 0x74, 0x20, 0x73, 0x69, 0x67, 0x6E, 0x69, 0x6E, 0x67,
234 0x20, 0x63, 0x6F, 0x6E, 0x73, 0x74, 0x61, 0x6E, 0x74
236 static const u8 magic2[41] = {
237 0x50, 0x61, 0x64, 0x20, 0x74, 0x6F, 0x20, 0x6D, 0x61, 0x6B,
238 0x65, 0x20, 0x69, 0x74, 0x20, 0x64, 0x6F, 0x20, 0x6D, 0x6F,
239 0x72, 0x65, 0x20, 0x74, 0x68, 0x61, 0x6E, 0x20, 0x6F, 0x6E,
240 0x65, 0x20, 0x69, 0x74, 0x65, 0x72, 0x61, 0x74, 0x69, 0x6F,
244 u8 password_hash_hash[16], challenge[8];
245 const unsigned char *addr1[3];
246 const size_t len1[3] = { 16, 24, sizeof(magic1) };
247 const unsigned char *addr2[3];
248 const size_t len2[3] = { SHA1_MAC_LEN, 8, sizeof(magic2) };
250 addr1[0] = password_hash_hash;
251 addr1[1] = nt_response;
255 addr2[1] = challenge;
258 if (hash_nt_password_hash(password_hash, password_hash_hash) ||
259 sha1_vector(3, addr1, len1, response) ||
260 challenge_hash(peer_challenge, auth_challenge, username,
261 username_len, challenge))
263 return sha1_vector(3, addr2, len2, response);
268 * generate_authenticator_response - GenerateAuthenticatorResponse() - RFC 2759, Sect. 8.7
269 * @password: 0-to-256-unicode-char Password (IN; UTF-8)
270 * @password_len: Length of password
271 * @nt_response: 24-octet NT-Response (IN)
272 * @peer_challenge: 16-octet PeerChallenge (IN)
273 * @auth_challenge: 16-octet AuthenticatorChallenge (IN)
274 * @username: 0-to-256-char UserName (IN)
275 * @username_len: Length of username
276 * @response: 20-octet AuthenticatorResponse (OUT) (note: this value is usually
277 * encoded as a 42-octet ASCII string (S=hexdump_of_response)
278 * Returns: 0 on success, -1 on failure
280 int generate_authenticator_response(const u8 *password, size_t password_len,
281 const u8 *peer_challenge,
282 const u8 *auth_challenge,
283 const u8 *username, size_t username_len,
284 const u8 *nt_response, u8 *response)
286 u8 password_hash[16];
287 if (nt_password_hash(password, password_len, password_hash))
289 return generate_authenticator_response_pwhash(
290 password_hash, peer_challenge, auth_challenge,
291 username, username_len, nt_response, response);
296 * nt_challenge_response - NtChallengeResponse() - RFC 2433, Sect. A.5
297 * @challenge: 8-octet Challenge (IN)
298 * @password: 0-to-256-unicode-char Password (IN; UTF-8)
299 * @password_len: Length of password
300 * @response: 24-octet Response (OUT)
301 * Returns: 0 on success, -1 on failure
303 int nt_challenge_response(const u8 *challenge, const u8 *password,
304 size_t password_len, u8 *response)
306 u8 password_hash[16];
307 if (nt_password_hash(password, password_len, password_hash))
309 challenge_response(challenge, password_hash, response);
315 * get_master_key - GetMasterKey() - RFC 3079, Sect. 3.4
316 * @password_hash_hash: 16-octet PasswordHashHash (IN)
317 * @nt_response: 24-octet NTResponse (IN)
318 * @master_key: 16-octet MasterKey (OUT)
319 * Returns: 0 on success, -1 on failure
321 int get_master_key(const u8 *password_hash_hash, const u8 *nt_response,
324 static const u8 magic1[27] = {
325 0x54, 0x68, 0x69, 0x73, 0x20, 0x69, 0x73, 0x20, 0x74,
326 0x68, 0x65, 0x20, 0x4d, 0x50, 0x50, 0x45, 0x20, 0x4d,
327 0x61, 0x73, 0x74, 0x65, 0x72, 0x20, 0x4b, 0x65, 0x79
329 const unsigned char *addr[3];
330 const size_t len[3] = { 16, 24, sizeof(magic1) };
331 u8 hash[SHA1_MAC_LEN];
333 addr[0] = password_hash_hash;
334 addr[1] = nt_response;
337 if (sha1_vector(3, addr, len, hash))
339 os_memcpy(master_key, hash, 16);
345 * get_asymetric_start_key - GetAsymetricStartKey() - RFC 3079, Sect. 3.4
346 * @master_key: 16-octet MasterKey (IN)
347 * @session_key: 8-to-16 octet SessionKey (OUT)
348 * @session_key_len: SessionKeyLength (Length of session_key) (IN)
349 * @is_send: IsSend (IN, BOOLEAN)
350 * @is_server: IsServer (IN, BOOLEAN)
351 * Returns: 0 on success, -1 on failure
353 int get_asymetric_start_key(const u8 *master_key, u8 *session_key,
354 size_t session_key_len, int is_send,
357 static const u8 magic2[84] = {
358 0x4f, 0x6e, 0x20, 0x74, 0x68, 0x65, 0x20, 0x63, 0x6c, 0x69,
359 0x65, 0x6e, 0x74, 0x20, 0x73, 0x69, 0x64, 0x65, 0x2c, 0x20,
360 0x74, 0x68, 0x69, 0x73, 0x20, 0x69, 0x73, 0x20, 0x74, 0x68,
361 0x65, 0x20, 0x73, 0x65, 0x6e, 0x64, 0x20, 0x6b, 0x65, 0x79,
362 0x3b, 0x20, 0x6f, 0x6e, 0x20, 0x74, 0x68, 0x65, 0x20, 0x73,
363 0x65, 0x72, 0x76, 0x65, 0x72, 0x20, 0x73, 0x69, 0x64, 0x65,
364 0x2c, 0x20, 0x69, 0x74, 0x20, 0x69, 0x73, 0x20, 0x74, 0x68,
365 0x65, 0x20, 0x72, 0x65, 0x63, 0x65, 0x69, 0x76, 0x65, 0x20,
366 0x6b, 0x65, 0x79, 0x2e
368 static const u8 magic3[84] = {
369 0x4f, 0x6e, 0x20, 0x74, 0x68, 0x65, 0x20, 0x63, 0x6c, 0x69,
370 0x65, 0x6e, 0x74, 0x20, 0x73, 0x69, 0x64, 0x65, 0x2c, 0x20,
371 0x74, 0x68, 0x69, 0x73, 0x20, 0x69, 0x73, 0x20, 0x74, 0x68,
372 0x65, 0x20, 0x72, 0x65, 0x63, 0x65, 0x69, 0x76, 0x65, 0x20,
373 0x6b, 0x65, 0x79, 0x3b, 0x20, 0x6f, 0x6e, 0x20, 0x74, 0x68,
374 0x65, 0x20, 0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0x20, 0x73,
375 0x69, 0x64, 0x65, 0x2c, 0x20, 0x69, 0x74, 0x20, 0x69, 0x73,
376 0x20, 0x74, 0x68, 0x65, 0x20, 0x73, 0x65, 0x6e, 0x64, 0x20,
377 0x6b, 0x65, 0x79, 0x2e
379 static const u8 shs_pad1[40] = {
380 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
381 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
382 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
383 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
386 static const u8 shs_pad2[40] = {
387 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2,
388 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2,
389 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2,
390 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2
392 u8 digest[SHA1_MAC_LEN];
393 const unsigned char *addr[4];
394 const size_t len[4] = { 16, 40, 84, 40 };
396 addr[0] = master_key;
399 addr[2] = is_server ? magic3 : magic2;
401 addr[2] = is_server ? magic2 : magic3;
405 if (sha1_vector(4, addr, len, digest))
408 if (session_key_len > SHA1_MAC_LEN)
409 session_key_len = SHA1_MAC_LEN;
410 os_memcpy(session_key, digest, session_key_len);
415 #ifndef CONFIG_NO_RC4
417 #define PWBLOCK_LEN 516
420 * encrypt_pw_block_with_password_hash - EncryptPwBlockWithPasswordHash() - RFC 2759, Sect. 8.10
421 * @password: 0-to-256-unicode-char Password (IN; UTF-8)
422 * @password_len: Length of password
423 * @password_hash: 16-octet PasswordHash (IN)
424 * @pw_block: 516-byte PwBlock (OUT)
425 * Returns: 0 on success, -1 on failure
427 int encrypt_pw_block_with_password_hash(
428 const u8 *password, size_t password_len,
429 const u8 *password_hash, u8 *pw_block)
431 size_t ucs2_len, offset;
434 os_memset(pw_block, 0, PWBLOCK_LEN);
436 if (utf8_to_ucs2(password, password_len, pw_block, 512, &ucs2_len) < 0
440 offset = (256 - ucs2_len) * 2;
442 os_memmove(pw_block + offset, pw_block, ucs2_len * 2);
443 if (os_get_random(pw_block, offset) < 0)
447 * PasswordLength is 4 octets, but since the maximum password length is
448 * 256, only first two (in little endian byte order) can be non-zero.
450 pos = &pw_block[2 * 256];
451 WPA_PUT_LE16(pos, password_len * 2);
452 rc4_skip(password_hash, 16, 0, pw_block, PWBLOCK_LEN);
458 * new_password_encrypted_with_old_nt_password_hash - NewPasswordEncryptedWithOldNtPasswordHash() - RFC 2759, Sect. 8.9
459 * @new_password: 0-to-256-unicode-char NewPassword (IN; UTF-8)
460 * @new_password_len: Length of new_password
461 * @old_password: 0-to-256-unicode-char OldPassword (IN; UTF-8)
462 * @old_password_len: Length of old_password
463 * @encrypted_pw_block: 516-octet EncryptedPwBlock (OUT)
464 * Returns: 0 on success, -1 on failure
466 int new_password_encrypted_with_old_nt_password_hash(
467 const u8 *new_password, size_t new_password_len,
468 const u8 *old_password, size_t old_password_len,
469 u8 *encrypted_pw_block)
471 u8 password_hash[16];
473 if (nt_password_hash(old_password, old_password_len, password_hash))
475 if (encrypt_pw_block_with_password_hash(new_password, new_password_len,
482 #endif /* CONFIG_NO_RC4 */
486 * nt_password_hash_encrypted_with_block - NtPasswordHashEncryptedWithBlock() - RFC 2759, Sect 8.13
487 * @password_hash: 16-octer PasswordHash (IN)
488 * @block: 16-octet Block (IN)
489 * @cypher: 16-octer Cypher (OUT)
491 void nt_password_hash_encrypted_with_block(const u8 *password_hash,
492 const u8 *block, u8 *cypher)
494 des_encrypt(password_hash, block, cypher);
495 des_encrypt(password_hash + 8, block + 7, cypher + 8);
500 * old_nt_password_hash_encrypted_with_new_nt_password_hash - OldNtPasswordHashEncryptedWithNewNtPasswordHash() - RFC 2759, Sect. 8.12
501 * @new_password: 0-to-256-unicode-char NewPassword (IN; UTF-8)
502 * @new_password_len: Length of new_password
503 * @old_password: 0-to-256-unicode-char OldPassword (IN; UTF-8)
504 * @old_password_len: Length of old_password
505 * @encrypted_password_hash: 16-octet EncryptedPasswordHash (OUT)
506 * Returns: 0 on success, -1 on failure
508 int old_nt_password_hash_encrypted_with_new_nt_password_hash(
509 const u8 *new_password, size_t new_password_len,
510 const u8 *old_password, size_t old_password_len,
511 u8 *encrypted_password_hash)
513 u8 old_password_hash[16], new_password_hash[16];
515 if (nt_password_hash(old_password, old_password_len,
516 old_password_hash) ||
517 nt_password_hash(new_password, new_password_len,
520 nt_password_hash_encrypted_with_block(old_password_hash,
522 encrypted_password_hash);