2 * Copyright (c) 1997 Gabor Kincses <gabor@acm.org>
3 * 1997 - 2001 Brian Somers <brian@Awfulhak.org>
4 * based on work by Eric Rosenquist
5 * Strata Software Limited.
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
11 * 1. Redistributions of source code must retain the above copyright
12 * notice, this list of conditions and the following disclaimer.
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
17 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
18 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
19 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
20 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
21 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
22 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
23 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
24 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
25 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
26 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
34 #include <openssl/des.h>
37 #include <sys/types.h>
40 #include <openssl/des.h>
44 #include <openssl/sha.h>
52 * Documentation & specifications:
54 * MS-CHAP (CHAP80) rfc2433
55 * MS-CHAP-V2 (CHAP81) rfc2759
56 * MPPE key management draft-ietf-pppext-mppe-keys-02.txt
59 static char SHA1_Pad1[40] =
60 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
61 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
62 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
63 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00};
65 static char SHA1_Pad2[40] =
66 {0xF2, 0xF2, 0xF2, 0xF2, 0xF2, 0xF2, 0xF2, 0xF2, 0xF2, 0xF2,
67 0xF2, 0xF2, 0xF2, 0xF2, 0xF2, 0xF2, 0xF2, 0xF2, 0xF2, 0xF2,
68 0xF2, 0xF2, 0xF2, 0xF2, 0xF2, 0xF2, 0xF2, 0xF2, 0xF2, 0xF2,
69 0xF2, 0xF2, 0xF2, 0xF2, 0xF2, 0xF2, 0xF2, 0xF2, 0xF2, 0xF2};
71 /* unused, for documentation only */
72 /* only NTResp is filled in for FreeBSD */
73 struct MS_ChapResponse {
74 u_char LANManResp[24];
76 u_char UseNT; /* If 1, ignore the LANMan response field */
80 Get7Bits(u_char *input, int startBit)
82 register unsigned int word;
84 word = (unsigned)input[startBit / 8] << 8;
85 word |= (unsigned)input[startBit / 8 + 1];
87 word >>= 15 - (startBit % 8 + 7);
92 /* IN 56 bit DES key missing parity bits
93 OUT 64 bit DES key with parity bits added */
95 MakeKey(u_char *key, u_char *des_key)
97 des_key[0] = Get7Bits(key, 0);
98 des_key[1] = Get7Bits(key, 7);
99 des_key[2] = Get7Bits(key, 14);
100 des_key[3] = Get7Bits(key, 21);
101 des_key[4] = Get7Bits(key, 28);
102 des_key[5] = Get7Bits(key, 35);
103 des_key[6] = Get7Bits(key, 42);
104 des_key[7] = Get7Bits(key, 49);
106 des_set_odd_parity((des_cblock *)des_key);
109 static void /* IN 8 octets IN 7 octest OUT 8 octets */
110 DesEncrypt(u_char *clear, u_char *key, u_char *cipher)
113 des_key_schedule key_schedule;
115 MakeKey(key, des_key);
116 des_set_key(&des_key, key_schedule);
117 des_ecb_encrypt((des_cblock *)clear, (des_cblock *)cipher, key_schedule, 1);
120 static void /* IN 8 octets IN 16 octets OUT 24 octets */
121 ChallengeResponse(u_char *challenge, u_char *pwHash, u_char *response)
123 char ZPasswordHash[21];
125 memset(ZPasswordHash, '\0', sizeof ZPasswordHash);
126 memcpy(ZPasswordHash, pwHash, 16);
128 DesEncrypt(challenge, ZPasswordHash + 0, response + 0);
129 DesEncrypt(challenge, ZPasswordHash + 7, response + 8);
130 DesEncrypt(challenge, ZPasswordHash + 14, response + 16);
134 NtPasswordHash(char *key, int keylen, char *hash)
138 MD4Init(&MD4context);
139 MD4Update(&MD4context, key, keylen);
140 MD4Final(hash, &MD4context);
144 HashNtPasswordHash(char *hash, char *hashhash)
148 MD4Init(&MD4context);
149 MD4Update(&MD4context, hash, 16);
150 MD4Final(hashhash, &MD4context);
154 ChallengeHash(char *PeerChallenge, char *AuthenticatorChallenge,
155 char *UserName, int UserNameLen, char *Challenge)
158 char Digest[SHA_DIGEST_LENGTH];
161 Name = strrchr(UserName, '\\');
169 SHA1_Update(&Context, PeerChallenge, 16);
170 SHA1_Update(&Context, AuthenticatorChallenge, 16);
171 SHA1_Update(&Context, Name, strlen(Name));
173 SHA1_Final(Digest, &Context);
174 memcpy(Challenge, Digest, 8);
178 GenerateNTResponse(char *AuthenticatorChallenge, char *PeerChallenge,
179 char *UserName, int UserNameLen, char *Password,
180 int PasswordLen, char *Response)
183 char PasswordHash[16];
185 ChallengeHash(PeerChallenge, AuthenticatorChallenge, UserName, UserNameLen,
187 NtPasswordHash(Password, PasswordLen, PasswordHash);
188 ChallengeResponse(Challenge, PasswordHash, Response);
194 SHA1_End(SHA_CTX *ctx, char *buf)
197 unsigned char digest[LENGTH];
198 static const char hex[]="0123456789abcdef";
201 buf = malloc(2*LENGTH + 1);
204 SHA1_Final(digest, ctx);
205 for (i = 0; i < LENGTH; i++) {
206 buf[i+i] = hex[digest[i] >> 4];
207 buf[i+i+1] = hex[digest[i] & 0x0f];
215 GenerateAuthenticatorResponse(char *Password, int PasswordLen,
216 char *NTResponse, char *PeerChallenge,
217 char *AuthenticatorChallenge, char *UserName,
218 int UserNameLen, char *AuthenticatorResponse)
221 char PasswordHash[16];
222 char PasswordHashHash[16];
224 u_char Digest[SHA_DIGEST_LENGTH];
228 * "Magic" constants used in response generation
231 {0x4D, 0x61, 0x67, 0x69, 0x63, 0x20, 0x73, 0x65, 0x72, 0x76,
232 0x65, 0x72, 0x20, 0x74, 0x6F, 0x20, 0x63, 0x6C, 0x69, 0x65,
233 0x6E, 0x74, 0x20, 0x73, 0x69, 0x67, 0x6E, 0x69, 0x6E, 0x67,
234 0x20, 0x63, 0x6F, 0x6E, 0x73, 0x74, 0x61, 0x6E, 0x74};
238 {0x50, 0x61, 0x64, 0x20, 0x74, 0x6F, 0x20, 0x6D, 0x61, 0x6B,
239 0x65, 0x20, 0x69, 0x74, 0x20, 0x64, 0x6F, 0x20, 0x6D, 0x6F,
240 0x72, 0x65, 0x20, 0x74, 0x68, 0x61, 0x6E, 0x20, 0x6F, 0x6E,
241 0x65, 0x20, 0x69, 0x74, 0x65, 0x72, 0x61, 0x74, 0x69, 0x6F,
244 * Hash the password with MD4
246 NtPasswordHash(Password, PasswordLen, PasswordHash);
250 HashNtPasswordHash(PasswordHash, PasswordHashHash);
253 SHA1_Update(&Context, PasswordHashHash, 16);
254 SHA1_Update(&Context, NTResponse, 24);
255 SHA1_Update(&Context, Magic1, 39);
256 SHA1_Final(Digest, &Context);
257 ChallengeHash(PeerChallenge, AuthenticatorChallenge, UserName, UserNameLen,
260 SHA1_Update(&Context, Digest, 20);
261 SHA1_Update(&Context, Challenge, 8);
262 SHA1_Update(&Context, Magic2, 41);
265 * Encode the value of 'Digest' as "S=" followed by
266 * 40 ASCII hexadecimal digits and return it in
267 * AuthenticatorResponse.
269 * "S=0123456789ABCDEF0123456789ABCDEF01234567"
271 AuthenticatorResponse[0] = 'S';
272 AuthenticatorResponse[1] = '=';
273 SHA1_End(&Context, AuthenticatorResponse + 2);
275 AuthenticatorResponse[i] = toupper(AuthenticatorResponse[i]);
280 GetMasterKey(char *PasswordHashHash, char *NTResponse, char *MasterKey)
282 char Digest[SHA_DIGEST_LENGTH];
284 static char Magic1[27] =
285 {0x54, 0x68, 0x69, 0x73, 0x20, 0x69, 0x73, 0x20, 0x74,
286 0x68, 0x65, 0x20, 0x4d, 0x50, 0x50, 0x45, 0x20, 0x4d,
287 0x61, 0x73, 0x74, 0x65, 0x72, 0x20, 0x4b, 0x65, 0x79};
290 SHA1_Update(&Context, PasswordHashHash, 16);
291 SHA1_Update(&Context, NTResponse, 24);
292 SHA1_Update(&Context, Magic1, 27);
293 SHA1_Final(Digest, &Context);
294 memcpy(MasterKey, Digest, 16);
298 GetAsymetricStartKey(char *MasterKey, char *SessionKey, int SessionKeyLength,
299 int IsSend, int IsServer)
301 char Digest[SHA_DIGEST_LENGTH];
305 static char Magic2[84] =
306 {0x4f, 0x6e, 0x20, 0x74, 0x68, 0x65, 0x20, 0x63, 0x6c, 0x69,
307 0x65, 0x6e, 0x74, 0x20, 0x73, 0x69, 0x64, 0x65, 0x2c, 0x20,
308 0x74, 0x68, 0x69, 0x73, 0x20, 0x69, 0x73, 0x20, 0x74, 0x68,
309 0x65, 0x20, 0x73, 0x65, 0x6e, 0x64, 0x20, 0x6b, 0x65, 0x79,
310 0x3b, 0x20, 0x6f, 0x6e, 0x20, 0x74, 0x68, 0x65, 0x20, 0x73,
311 0x65, 0x72, 0x76, 0x65, 0x72, 0x20, 0x73, 0x69, 0x64, 0x65,
312 0x2c, 0x20, 0x69, 0x74, 0x20, 0x69, 0x73, 0x20, 0x74, 0x68,
313 0x65, 0x20, 0x72, 0x65, 0x63, 0x65, 0x69, 0x76, 0x65, 0x20,
314 0x6b, 0x65, 0x79, 0x2e};
316 static char Magic3[84] =
317 {0x4f, 0x6e, 0x20, 0x74, 0x68, 0x65, 0x20, 0x63, 0x6c, 0x69,
318 0x65, 0x6e, 0x74, 0x20, 0x73, 0x69, 0x64, 0x65, 0x2c, 0x20,
319 0x74, 0x68, 0x69, 0x73, 0x20, 0x69, 0x73, 0x20, 0x74, 0x68,
320 0x65, 0x20, 0x72, 0x65, 0x63, 0x65, 0x69, 0x76, 0x65, 0x20,
321 0x6b, 0x65, 0x79, 0x3b, 0x20, 0x6f, 0x6e, 0x20, 0x74, 0x68,
322 0x65, 0x20, 0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0x20, 0x73,
323 0x69, 0x64, 0x65, 0x2c, 0x20, 0x69, 0x74, 0x20, 0x69, 0x73,
324 0x20, 0x74, 0x68, 0x65, 0x20, 0x73, 0x65, 0x6e, 0x64, 0x20,
325 0x6b, 0x65, 0x79, 0x2e};
342 SHA1_Update(&Context, MasterKey, 16);
343 SHA1_Update(&Context, SHA1_Pad1, 40);
344 SHA1_Update(&Context, s, 84);
345 SHA1_Update(&Context, SHA1_Pad2, 40);
346 SHA1_Final(Digest, &Context);
348 memcpy(SessionKey, Digest, SessionKeyLength);
352 GetNewKeyFromSHA(char *StartKey, char *SessionKey, long SessionKeyLength,
356 char Digest[SHA_DIGEST_LENGTH];
359 SHA1_Update(&Context, StartKey, SessionKeyLength);
360 SHA1_Update(&Context, SHA1_Pad1, 40);
361 SHA1_Update(&Context, SessionKey, SessionKeyLength);
362 SHA1_Update(&Context, SHA1_Pad2, 40);
363 SHA1_Final(Digest, &Context);
365 memcpy(InterimKey, Digest, SessionKeyLength);
370 Get_Key(char *InitialSessionKey, char *CurrentSessionKey,
371 int LengthOfDesiredKey)
374 char Digest[SHA_DIGEST_LENGTH];
377 SHA1_Update(&Context, InitialSessionKey, LengthOfDesiredKey);
378 SHA1_Update(&Context, SHA1_Pad1, 40);
379 SHA1_Update(&Context, CurrentSessionKey, LengthOfDesiredKey);
380 SHA1_Update(&Context, SHA1_Pad2, 40);
381 SHA1_Final(Digest, &Context);
383 memcpy(CurrentSessionKey, Digest, LengthOfDesiredKey);
387 /* passwordHash 16-bytes MD4 hashed password
388 challenge 8-bytes peer CHAP challenge
389 since passwordHash is in a 24-byte buffer, response is written in there */
391 mschap_NT(char *passwordHash, char *challenge)
395 ChallengeResponse(challenge, passwordHash, response);
396 memcpy(passwordHash, response, 24);
397 passwordHash[24] = 1; /* NT-style response */
401 mschap_LANMan(char *digest, char *challenge, char *secret)
403 static u_char salt[] = "KGS!@#$%"; /* RASAPI32.dll */
404 char SECRET[14], *ptr, *end;
407 end = SECRET + sizeof SECRET;
408 for (ptr = SECRET; *secret && ptr < end; ptr++, secret++)
409 *ptr = toupper(*secret);
411 memset(ptr, '\0', end - ptr);
413 DesEncrypt(salt, SECRET, hash);
414 DesEncrypt(salt, SECRET + 7, hash + 8);
416 ChallengeResponse(challenge, hash, digest);