xref: /freebsd/contrib/wpa/src/crypto/ms_funcs.c (revision 5ca8e32633c4ffbbcd6762e5888b6a4ba0708c6c)
1 /*
2  * WPA Supplicant / shared MSCHAPV2 helper functions / RFC 2433 / RFC 2759
3  * Copyright (c) 2004-2012, Jouni Malinen <j@w1.fi>
4  *
5  * This software may be distributed under the terms of the BSD license.
6  * See README for more details.
7  */
8 
9 #include "includes.h"
10 
11 #include "common.h"
12 #include "sha1.h"
13 #include "ms_funcs.h"
14 #include "crypto.h"
15 
16 /**
17  * utf8_to_ucs2 - Convert UTF-8 string to UCS-2 encoding
18  * @utf8_string: UTF-8 string (IN)
19  * @utf8_string_len: Length of utf8_string (IN)
20  * @ucs2_buffer: UCS-2 buffer (OUT)
21  * @ucs2_buffer_size: Length of UCS-2 buffer (IN)
22  * @ucs2_string_size: Number of 2-byte words in the resulting UCS-2 string
23  * Returns: 0 on success, -1 on failure
24  */
25 static int utf8_to_ucs2(const u8 *utf8_string, size_t utf8_string_len,
26                         u8 *ucs2_buffer, size_t ucs2_buffer_size,
27                         size_t *ucs2_string_size)
28 {
29 	size_t i, j;
30 
31 	for (i = 0, j = 0; i < utf8_string_len; i++) {
32 		u8 c = utf8_string[i];
33 		if (j >= ucs2_buffer_size) {
34 			/* input too long */
35 			return -1;
36 		}
37 		if (c <= 0x7F) {
38 			WPA_PUT_LE16(ucs2_buffer + j, c);
39 			j += 2;
40 		} else if (i == utf8_string_len - 1 ||
41 			   j >= ucs2_buffer_size - 1) {
42 			/* incomplete surrogate */
43 			return -1;
44 		} else {
45 			u8 c2 = utf8_string[++i];
46 			if ((c & 0xE0) == 0xC0) {
47 				/* two-byte encoding */
48 				WPA_PUT_LE16(ucs2_buffer + j,
49 					     ((c & 0x1F) << 6) | (c2 & 0x3F));
50 				j += 2;
51 			} else if (i == utf8_string_len - 1 ||
52 				   j >= ucs2_buffer_size - 1) {
53 				/* incomplete surrogate */
54 				return -1;
55 			} else {
56 				/* three-byte encoding */
57 				u8 c3 = utf8_string[++i];
58 				WPA_PUT_LE16(ucs2_buffer + j,
59 					     ((c & 0xF) << 12) |
60 					     ((c2 & 0x3F) << 6) | (c3 & 0x3F));
61 				j += 2;
62 			}
63 		}
64 	}
65 
66 	if (ucs2_string_size)
67 		*ucs2_string_size = j / 2;
68 	return 0;
69 }
70 
71 
72 /**
73  * challenge_hash - ChallengeHash() - RFC 2759, Sect. 8.2
74  * @peer_challenge: 16-octet PeerChallenge (IN)
75  * @auth_challenge: 16-octet AuthenticatorChallenge (IN)
76  * @username: 0-to-256-char UserName (IN)
77  * @username_len: Length of username
78  * @challenge: 8-octet Challenge (OUT)
79  * Returns: 0 on success, -1 on failure
80  */
81 int challenge_hash(const u8 *peer_challenge, const u8 *auth_challenge,
82 		   const u8 *username, size_t username_len, u8 *challenge)
83 {
84 	u8 hash[SHA1_MAC_LEN];
85 	const unsigned char *addr[3];
86 	size_t len[3];
87 
88 	addr[0] = peer_challenge;
89 	len[0] = 16;
90 	addr[1] = auth_challenge;
91 	len[1] = 16;
92 	addr[2] = username;
93 	len[2] = username_len;
94 
95 	if (sha1_vector(3, addr, len, hash))
96 		return -1;
97 	os_memcpy(challenge, hash, 8);
98 	return 0;
99 }
100 
101 
102 /**
103  * nt_password_hash - NtPasswordHash() - RFC 2759, Sect. 8.3
104  * @password: 0-to-256-unicode-char Password (IN; UTF-8)
105  * @password_len: Length of password
106  * @password_hash: 16-octet PasswordHash (OUT)
107  * Returns: 0 on success, -1 on failure
108  */
109 int nt_password_hash(const u8 *password, size_t password_len,
110 		      u8 *password_hash)
111 {
112 	u8 buf[512], *pos;
113 	size_t len, max_len;
114 
115 	max_len = sizeof(buf);
116 	if (utf8_to_ucs2(password, password_len, buf, max_len, &len) < 0)
117 		return -1;
118 
119 	len *= 2;
120 	pos = buf;
121 	return md4_vector(1, (const u8 **) &pos, &len, password_hash);
122 }
123 
124 
125 /**
126  * hash_nt_password_hash - HashNtPasswordHash() - RFC 2759, Sect. 8.4
127  * @password_hash: 16-octet PasswordHash (IN)
128  * @password_hash_hash: 16-octet PasswordHashHash (OUT)
129  * Returns: 0 on success, -1 on failure
130  */
131 int hash_nt_password_hash(const u8 *password_hash, u8 *password_hash_hash)
132 {
133 	size_t len = 16;
134 	return md4_vector(1, &password_hash, &len, password_hash_hash);
135 }
136 
137 
138 /**
139  * challenge_response - ChallengeResponse() - RFC 2759, Sect. 8.5
140  * @challenge: 8-octet Challenge (IN)
141  * @password_hash: 16-octet PasswordHash (IN)
142  * @response: 24-octet Response (OUT)
143  * Returns: 0 on success, -1 on failure
144  */
145 int challenge_response(const u8 *challenge, const u8 *password_hash,
146 		       u8 *response)
147 {
148 	u8 zpwd[7];
149 
150 	if (des_encrypt(challenge, password_hash, response) < 0 ||
151 	    des_encrypt(challenge, password_hash + 7, response + 8) < 0)
152 		return -1;
153 	zpwd[0] = password_hash[14];
154 	zpwd[1] = password_hash[15];
155 	os_memset(zpwd + 2, 0, 5);
156 	return des_encrypt(challenge, zpwd, response + 16);
157 }
158 
159 
160 /**
161  * generate_nt_response - GenerateNTResponse() - RFC 2759, Sect. 8.1
162  * @auth_challenge: 16-octet AuthenticatorChallenge (IN)
163  * @peer_challenge: 16-octet PeerChallenge (IN)
164  * @username: 0-to-256-char UserName (IN)
165  * @username_len: Length of username
166  * @password: 0-to-256-unicode-char Password (IN; UTF-8)
167  * @password_len: Length of password
168  * @response: 24-octet Response (OUT)
169  * Returns: 0 on success, -1 on failure
170  */
171 int generate_nt_response(const u8 *auth_challenge, const u8 *peer_challenge,
172 			 const u8 *username, size_t username_len,
173 			 const u8 *password, size_t password_len,
174 			 u8 *response)
175 {
176 	u8 challenge[8];
177 	u8 password_hash[16];
178 
179 	if (challenge_hash(peer_challenge, auth_challenge, username,
180 			   username_len, challenge) ||
181 	    nt_password_hash(password, password_len, password_hash) ||
182 	    challenge_response(challenge, password_hash, response))
183 		return -1;
184 	return 0;
185 }
186 
187 
188 /**
189  * generate_nt_response_pwhash - GenerateNTResponse() - RFC 2759, Sect. 8.1
190  * @auth_challenge: 16-octet AuthenticatorChallenge (IN)
191  * @peer_challenge: 16-octet PeerChallenge (IN)
192  * @username: 0-to-256-char UserName (IN)
193  * @username_len: Length of username
194  * @password_hash: 16-octet PasswordHash (IN)
195  * @response: 24-octet Response (OUT)
196  * Returns: 0 on success, -1 on failure
197  */
198 int generate_nt_response_pwhash(const u8 *auth_challenge,
199 				const u8 *peer_challenge,
200 				const u8 *username, size_t username_len,
201 				const u8 *password_hash,
202 				u8 *response)
203 {
204 	u8 challenge[8];
205 
206 	if (challenge_hash(peer_challenge, auth_challenge,
207 			   username, username_len,
208 			   challenge) ||
209 	    challenge_response(challenge, password_hash, response))
210 		return -1;
211 	return 0;
212 }
213 
214 
215 /**
216  * generate_authenticator_response_pwhash - GenerateAuthenticatorResponse() - RFC 2759, Sect. 8.7
217  * @password_hash: 16-octet PasswordHash (IN)
218  * @nt_response: 24-octet NT-Response (IN)
219  * @peer_challenge: 16-octet PeerChallenge (IN)
220  * @auth_challenge: 16-octet AuthenticatorChallenge (IN)
221  * @username: 0-to-256-char UserName (IN)
222  * @username_len: Length of username
223  * @response: 20-octet AuthenticatorResponse (OUT) (note: this value is usually
224  * encoded as a 42-octet ASCII string (S=hexdump_of_response)
225  * Returns: 0 on success, -1 on failure
226  */
227 int generate_authenticator_response_pwhash(
228 	const u8 *password_hash,
229 	const u8 *peer_challenge, const u8 *auth_challenge,
230 	const u8 *username, size_t username_len,
231 	const u8 *nt_response, u8 *response)
232 {
233 	static const u8 magic1[39] = {
234 		0x4D, 0x61, 0x67, 0x69, 0x63, 0x20, 0x73, 0x65, 0x72, 0x76,
235 		0x65, 0x72, 0x20, 0x74, 0x6F, 0x20, 0x63, 0x6C, 0x69, 0x65,
236 		0x6E, 0x74, 0x20, 0x73, 0x69, 0x67, 0x6E, 0x69, 0x6E, 0x67,
237 		0x20, 0x63, 0x6F, 0x6E, 0x73, 0x74, 0x61, 0x6E, 0x74
238 	};
239 	static const u8 magic2[41] = {
240 		0x50, 0x61, 0x64, 0x20, 0x74, 0x6F, 0x20, 0x6D, 0x61, 0x6B,
241 		0x65, 0x20, 0x69, 0x74, 0x20, 0x64, 0x6F, 0x20, 0x6D, 0x6F,
242 		0x72, 0x65, 0x20, 0x74, 0x68, 0x61, 0x6E, 0x20, 0x6F, 0x6E,
243 		0x65, 0x20, 0x69, 0x74, 0x65, 0x72, 0x61, 0x74, 0x69, 0x6F,
244 		0x6E
245 	};
246 
247 	u8 password_hash_hash[16], challenge[8];
248 	const unsigned char *addr1[3];
249 	const size_t len1[3] = { 16, 24, sizeof(magic1) };
250 	const unsigned char *addr2[3];
251 	const size_t len2[3] = { SHA1_MAC_LEN, 8, sizeof(magic2) };
252 
253 	addr1[0] = password_hash_hash;
254 	addr1[1] = nt_response;
255 	addr1[2] = magic1;
256 
257 	addr2[0] = response;
258 	addr2[1] = challenge;
259 	addr2[2] = magic2;
260 
261 	if (hash_nt_password_hash(password_hash, password_hash_hash) ||
262 	    sha1_vector(3, addr1, len1, response) ||
263 	    challenge_hash(peer_challenge, auth_challenge, username,
264 			   username_len, challenge))
265 		return -1;
266 	return sha1_vector(3, addr2, len2, response);
267 }
268 
269 
270 /**
271  * generate_authenticator_response - GenerateAuthenticatorResponse() - RFC 2759, Sect. 8.7
272  * @password: 0-to-256-unicode-char Password (IN; UTF-8)
273  * @password_len: Length of password
274  * @nt_response: 24-octet NT-Response (IN)
275  * @peer_challenge: 16-octet PeerChallenge (IN)
276  * @auth_challenge: 16-octet AuthenticatorChallenge (IN)
277  * @username: 0-to-256-char UserName (IN)
278  * @username_len: Length of username
279  * @response: 20-octet AuthenticatorResponse (OUT) (note: this value is usually
280  * encoded as a 42-octet ASCII string (S=hexdump_of_response)
281  * Returns: 0 on success, -1 on failure
282  */
283 int generate_authenticator_response(const u8 *password, size_t password_len,
284 				    const u8 *peer_challenge,
285 				    const u8 *auth_challenge,
286 				    const u8 *username, size_t username_len,
287 				    const u8 *nt_response, u8 *response)
288 {
289 	u8 password_hash[16];
290 	if (nt_password_hash(password, password_len, password_hash))
291 		return -1;
292 	return generate_authenticator_response_pwhash(
293 		password_hash, peer_challenge, auth_challenge,
294 		username, username_len, nt_response, response);
295 }
296 
297 
298 /**
299  * nt_challenge_response - NtChallengeResponse() - RFC 2433, Sect. A.5
300  * @challenge: 8-octet Challenge (IN)
301  * @password: 0-to-256-unicode-char Password (IN; UTF-8)
302  * @password_len: Length of password
303  * @response: 24-octet Response (OUT)
304  * Returns: 0 on success, -1 on failure
305  */
306 int nt_challenge_response(const u8 *challenge, const u8 *password,
307 			  size_t password_len, u8 *response)
308 {
309 	u8 password_hash[16];
310 
311 	if (nt_password_hash(password, password_len, password_hash) ||
312 	    challenge_response(challenge, password_hash, response))
313 		return -1;
314 	return 0;
315 }
316 
317 
318 /**
319  * get_master_key - GetMasterKey() - RFC 3079, Sect. 3.4
320  * @password_hash_hash: 16-octet PasswordHashHash (IN)
321  * @nt_response: 24-octet NTResponse (IN)
322  * @master_key: 16-octet MasterKey (OUT)
323  * Returns: 0 on success, -1 on failure
324  */
325 int get_master_key(const u8 *password_hash_hash, const u8 *nt_response,
326 		   u8 *master_key)
327 {
328 	static const u8 magic1[27] = {
329 		0x54, 0x68, 0x69, 0x73, 0x20, 0x69, 0x73, 0x20, 0x74,
330 		0x68, 0x65, 0x20, 0x4d, 0x50, 0x50, 0x45, 0x20, 0x4d,
331 		0x61, 0x73, 0x74, 0x65, 0x72, 0x20, 0x4b, 0x65, 0x79
332 	};
333 	const unsigned char *addr[3];
334 	const size_t len[3] = { 16, 24, sizeof(magic1) };
335 	u8 hash[SHA1_MAC_LEN];
336 
337 	addr[0] = password_hash_hash;
338 	addr[1] = nt_response;
339 	addr[2] = magic1;
340 
341 	if (sha1_vector(3, addr, len, hash))
342 		return -1;
343 	os_memcpy(master_key, hash, 16);
344 	return 0;
345 }
346 
347 
348 /**
349  * get_asymetric_start_key - GetAsymetricStartKey() - RFC 3079, Sect. 3.4
350  * @master_key: 16-octet MasterKey (IN)
351  * @session_key: 8-to-16 octet SessionKey (OUT)
352  * @session_key_len: SessionKeyLength (Length of session_key) (IN)
353  * @is_send: IsSend (IN, BOOLEAN)
354  * @is_server: IsServer (IN, BOOLEAN)
355  * Returns: 0 on success, -1 on failure
356  */
357 int get_asymetric_start_key(const u8 *master_key, u8 *session_key,
358 			    size_t session_key_len, int is_send,
359 			    int is_server)
360 {
361 	static const u8 magic2[84] = {
362 		0x4f, 0x6e, 0x20, 0x74, 0x68, 0x65, 0x20, 0x63, 0x6c, 0x69,
363 		0x65, 0x6e, 0x74, 0x20, 0x73, 0x69, 0x64, 0x65, 0x2c, 0x20,
364 		0x74, 0x68, 0x69, 0x73, 0x20, 0x69, 0x73, 0x20, 0x74, 0x68,
365 		0x65, 0x20, 0x73, 0x65, 0x6e, 0x64, 0x20, 0x6b, 0x65, 0x79,
366 		0x3b, 0x20, 0x6f, 0x6e, 0x20, 0x74, 0x68, 0x65, 0x20, 0x73,
367 		0x65, 0x72, 0x76, 0x65, 0x72, 0x20, 0x73, 0x69, 0x64, 0x65,
368 		0x2c, 0x20, 0x69, 0x74, 0x20, 0x69, 0x73, 0x20, 0x74, 0x68,
369 		0x65, 0x20, 0x72, 0x65, 0x63, 0x65, 0x69, 0x76, 0x65, 0x20,
370 		0x6b, 0x65, 0x79, 0x2e
371 	};
372 	static const u8 magic3[84] = {
373 		0x4f, 0x6e, 0x20, 0x74, 0x68, 0x65, 0x20, 0x63, 0x6c, 0x69,
374 		0x65, 0x6e, 0x74, 0x20, 0x73, 0x69, 0x64, 0x65, 0x2c, 0x20,
375 		0x74, 0x68, 0x69, 0x73, 0x20, 0x69, 0x73, 0x20, 0x74, 0x68,
376 		0x65, 0x20, 0x72, 0x65, 0x63, 0x65, 0x69, 0x76, 0x65, 0x20,
377 		0x6b, 0x65, 0x79, 0x3b, 0x20, 0x6f, 0x6e, 0x20, 0x74, 0x68,
378 		0x65, 0x20, 0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0x20, 0x73,
379 		0x69, 0x64, 0x65, 0x2c, 0x20, 0x69, 0x74, 0x20, 0x69, 0x73,
380 		0x20, 0x74, 0x68, 0x65, 0x20, 0x73, 0x65, 0x6e, 0x64, 0x20,
381 		0x6b, 0x65, 0x79, 0x2e
382 	};
383 	static const u8 shs_pad1[40] = {
384 		0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
385 		0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
386 		0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
387 		0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
388 	};
389 
390 	static const u8 shs_pad2[40] = {
391 		0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2,
392 		0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2,
393 		0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2,
394 		0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2
395 	};
396 	u8 digest[SHA1_MAC_LEN];
397 	const unsigned char *addr[4];
398 	const size_t len[4] = { 16, 40, 84, 40 };
399 
400 	addr[0] = master_key;
401 	addr[1] = shs_pad1;
402 	if (is_send) {
403 		addr[2] = is_server ? magic3 : magic2;
404 	} else {
405 		addr[2] = is_server ? magic2 : magic3;
406 	}
407 	addr[3] = shs_pad2;
408 
409 	if (sha1_vector(4, addr, len, digest))
410 		return -1;
411 
412 	if (session_key_len > SHA1_MAC_LEN)
413 		session_key_len = SHA1_MAC_LEN;
414 	os_memcpy(session_key, digest, session_key_len);
415 	return 0;
416 }
417 
418 
419 #ifndef CONFIG_NO_RC4
420 
421 #define PWBLOCK_LEN 516
422 
423 /**
424  * encrypt_pw_block_with_password_hash - EncryptPwBlockWithPasswordHash() - RFC 2759, Sect. 8.10
425  * @password: 0-to-256-unicode-char Password (IN; UTF-8)
426  * @password_len: Length of password
427  * @password_hash: 16-octet PasswordHash (IN)
428  * @pw_block: 516-byte PwBlock (OUT)
429  * Returns: 0 on success, -1 on failure
430  */
431 int encrypt_pw_block_with_password_hash(
432 	const u8 *password, size_t password_len,
433 	const u8 *password_hash, u8 *pw_block)
434 {
435 	size_t ucs2_len, offset;
436 	u8 *pos;
437 
438 	os_memset(pw_block, 0, PWBLOCK_LEN);
439 
440 	if (utf8_to_ucs2(password, password_len, pw_block, 512, &ucs2_len) < 0
441 	    || ucs2_len > 256)
442 		return -1;
443 
444 	offset = (256 - ucs2_len) * 2;
445 	if (offset != 0) {
446 		os_memmove(pw_block + offset, pw_block, ucs2_len * 2);
447 		if (os_get_random(pw_block, offset) < 0)
448 			return -1;
449 	}
450 	/*
451 	 * PasswordLength is 4 octets, but since the maximum password length is
452 	 * 256, only first two (in little endian byte order) can be non-zero.
453 	 */
454 	pos = &pw_block[2 * 256];
455 	WPA_PUT_LE16(pos, password_len * 2);
456 	rc4_skip(password_hash, 16, 0, pw_block, PWBLOCK_LEN);
457 	return 0;
458 }
459 
460 
461 /**
462  * new_password_encrypted_with_old_nt_password_hash - NewPasswordEncryptedWithOldNtPasswordHash() - RFC 2759, Sect. 8.9
463  * @new_password: 0-to-256-unicode-char NewPassword (IN; UTF-8)
464  * @new_password_len: Length of new_password
465  * @old_password: 0-to-256-unicode-char OldPassword (IN; UTF-8)
466  * @old_password_len: Length of old_password
467  * @encrypted_pw_block: 516-octet EncryptedPwBlock (OUT)
468  * Returns: 0 on success, -1 on failure
469  */
470 int new_password_encrypted_with_old_nt_password_hash(
471 	const u8 *new_password, size_t new_password_len,
472 	const u8 *old_password, size_t old_password_len,
473 	u8 *encrypted_pw_block)
474 {
475 	u8 password_hash[16];
476 
477 	if (nt_password_hash(old_password, old_password_len, password_hash))
478 		return -1;
479 	if (encrypt_pw_block_with_password_hash(new_password, new_password_len,
480 						password_hash,
481 						encrypted_pw_block))
482 		return -1;
483 	return 0;
484 }
485 
486 #endif /* CONFIG_NO_RC4 */
487 
488 
489 /**
490  * nt_password_hash_encrypted_with_block - NtPasswordHashEncryptedWithBlock() - RFC 2759, Sect 8.13
491  * @password_hash: 16-octer PasswordHash (IN)
492  * @block: 16-octet Block (IN)
493  * @cypher: 16-octer Cypher (OUT)
494  * Returns: 0 on success, -1 on failure
495  */
496 int nt_password_hash_encrypted_with_block(const u8 *password_hash,
497 					  const u8 *block, u8 *cypher)
498 {
499 	if (des_encrypt(password_hash, block, cypher) < 0 ||
500 	    des_encrypt(password_hash + 8, block + 7, cypher + 8) < 0)
501 		return -1;
502 	return 0;
503 }
504 
505 
506 /**
507  * old_nt_password_hash_encrypted_with_new_nt_password_hash - OldNtPasswordHashEncryptedWithNewNtPasswordHash() - RFC 2759, Sect. 8.12
508  * @new_password: 0-to-256-unicode-char NewPassword (IN; UTF-8)
509  * @new_password_len: Length of new_password
510  * @old_password: 0-to-256-unicode-char OldPassword (IN; UTF-8)
511  * @old_password_len: Length of old_password
512  * @encrypted_password_hash: 16-octet EncryptedPasswordHash (OUT)
513  * Returns: 0 on success, -1 on failure
514  */
515 int old_nt_password_hash_encrypted_with_new_nt_password_hash(
516 	const u8 *new_password, size_t new_password_len,
517 	const u8 *old_password, size_t old_password_len,
518 	u8 *encrypted_password_hash)
519 {
520 	u8 old_password_hash[16], new_password_hash[16];
521 
522 	if (nt_password_hash(old_password, old_password_len,
523 			     old_password_hash) ||
524 	    nt_password_hash(new_password, new_password_len,
525 			     new_password_hash) ||
526 	    nt_password_hash_encrypted_with_block(old_password_hash,
527 						  new_password_hash,
528 						  encrypted_password_hash))
529 		return -1;
530 	return 0;
531 }
532