xref: /illumos-gate/usr/src/cmd/cmd-inet/usr.bin/pppd/chap_ms.c (revision da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0)
1 /*
2  * chap_ms.c - Microsoft MS-CHAP compatible implementation.
3  *
4  * Copyright (c) 2000 by Sun Microsystems, Inc.
5  * All rights reserved.
6  *
7  * Copyright (c) 1995 Eric Rosenquist, Strata Software Limited.
8  * http://www.strataware.com/
9  *
10  * All rights reserved.
11  *
12  * Redistribution and use in source and binary forms are permitted
13  * provided that the above copyright notice and this paragraph are
14  * duplicated in all such forms and that any documentation,
15  * advertising materials, and other materials related to such
16  * distribution and use acknowledge that the software was developed
17  * by Eric Rosenquist.  The name of the author may not be used to
18  * endorse or promote products derived from this software without
19  * specific prior written permission.
20  *
21  * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
22  * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
23  * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
24  */
25 
26 /*
27  * This module implements MS-CHAPv1 (RFC 2433) and MS-CHAPv2 (RFC 2759).
28  *
29  * Modifications by Lauri Pesonen / lpesonen@clinet.fi, april 1997
30  *
31  *   Implemented LANManager type password response to MS-CHAP challenges.
32  *   Now pppd provides both NT style and LANMan style blocks, and the
33  *   prefered is set by option "ms-lanman". Default is to use NT.
34  *   The hash text (StdText) was taken from Win95 RASAPI32.DLL.
35  *
36  *   You should also use DOMAIN\\USERNAME as described in README.MSCHAP80
37  *
38  * Modifications by James Carlson / james.d.carlson@sun.com, June 1st, 2000.
39  *
40  *	Added MS-CHAPv2 support.
41  */
42 
43 #pragma ident	"%Z%%M%	%I%	%E% SMI"
44 #define RCSID	"$Id: chap_ms.c,v 1.15 1999/08/13 06:46:12 paulus Exp $"
45 
46 #if defined(CHAPMS) || defined(CHAPMSV2)
47 
48 #include <stdio.h>
49 #include <stdlib.h>
50 #include <string.h>
51 #include <ctype.h>
52 #include <sys/types.h>
53 #include <sys/time.h>
54 #include <unistd.h>
55 #ifdef HAVE_CRYPT_H
56 #include <crypt.h>
57 #endif
58 
59 #ifdef CHAPMSV2
60 #include "sha1.h"
61 #endif
62 
63 #ifndef USE_CRYPT
64 #include <des.h>
65 #endif
66 
67 #include "pppd.h"
68 #include "chap.h"
69 #include "chap_ms.h"
70 #include "md4.h"
71 
72 #if !defined(lint) && !defined(_lint)
73 static const char rcsid[] = RCSID;
74 #endif
75 
76 typedef struct {
77     u_char LANManResp[24];
78     u_char NTResp[24];
79     u_char UseNT;		/* If 1, ignore the LANMan response field */
80 } MS_ChapResponse;
81 /* We use MS_CHAP_RESPONSE_LEN, rather than sizeof(MS_ChapResponse),
82    in case this struct gets padded. */
83 
84 typedef struct {
85 	u_char PeerChallenge[16];
86 	u_char MustBeZero[8];
87 	u_char NTResp[24];
88 	u_char Flags;		/* Should be zero (Win98 sends 04) */
89 } MS_Chapv2Response;
90 /* We use MS_CHAPV2_RESPONSE_LEN, rather than sizeof(MS_Chapv2Response),
91    in case this struct gets padded. */
92 
93 static void	ChallengeResponse __P((u_char *, u_char *, u_char *));
94 static void	DesEncrypt __P((u_char *, u_char *, u_char *));
95 static void	MakeKey __P((u_char *, u_char *));
96 static u_char	Get7Bits __P((u_char *, int));
97 #ifdef CHAPMS
98 static void	ChapMS_NT __P((u_char *, char *, int, MS_ChapResponse *));
99 #ifdef MSLANMAN
100 static void	ChapMS_LANMan __P((u_char *, char *, int, MS_ChapResponse *));
101 #endif
102 #endif
103 #ifdef CHAPMSV2
104 static void	ChapMSv2_NT __P((char *, u_char *, char *, int,
105     MS_Chapv2Response *));
106 #endif
107 
108 #ifdef USE_CRYPT
109 static void	Expand __P((u_char *, char *));
110 static void	Collapse __P((char *, u_char *));
111 #endif
112 
113 #if defined(MSLANMAN) && defined(CHAPMS)
114 bool	ms_lanman = 0;    	/* Use LanMan password instead of NT */
115 			  	/* Has meaning only with MS-CHAP challenges */
116 #endif
117 
118 #ifdef CHAPMSV2
119 /* Specially-formatted Microsoft CHAP response message. */
120 static char status_message[256];
121 #endif
122 
123 static void
124 ChallengeResponse(challenge, pwHash, response)
125     u_char *challenge;	/* IN   8 octets */
126     u_char *pwHash;	/* IN  16 octets */
127     u_char *response;	/* OUT 24 octets */
128 {
129     u_char    ZPasswordHash[21];
130 
131     BZERO(ZPasswordHash, sizeof(ZPasswordHash));
132     BCOPY(pwHash, ZPasswordHash, MD4_SIGNATURE_SIZE);
133 
134 #if 0
135     dbglog("ChallengeResponse - ZPasswordHash %.*B",
136 	   sizeof(ZPasswordHash), ZPasswordHash);
137 #endif
138 
139     DesEncrypt(challenge, ZPasswordHash +  0, response + 0);
140     DesEncrypt(challenge, ZPasswordHash +  7, response + 8);
141     DesEncrypt(challenge, ZPasswordHash + 14, response + 16);
142 
143 #if 0
144     dbglog("ChallengeResponse - response %.24B", response);
145 #endif
146 }
147 
148 
149 #ifdef USE_CRYPT
150 static void
151 DesEncrypt(clear, key, cipher)
152     u_char *clear;	/* IN  8 octets */
153     u_char *key;	/* IN  7 octets */
154     u_char *cipher;	/* OUT 8 octets */
155 {
156     u_char des_key[8];
157     char crypt_key[66];
158     char des_input[66];
159 
160     MakeKey(key, des_key);
161 
162     Expand(des_key, crypt_key);
163     setkey(crypt_key);
164 
165 #if 0
166     CHAPDEBUG((LOG_INFO, "DesEncrypt: 8 octet input : %.8B", clear));
167 #endif
168 
169     Expand(clear, des_input);
170     encrypt(des_input, 0);
171     Collapse(des_input, cipher);
172 
173 #if 0
174     CHAPDEBUG((LOG_INFO, "DesEncrypt: 8 octet output: %.8B", cipher));
175 #endif
176 }
177 
178 #else /* USE_CRYPT */
179 
180 static void
181 DesEncrypt(clear, key, cipher)
182     u_char *clear;	/* IN  8 octets */
183     u_char *key;	/* IN  7 octets */
184     u_char *cipher;	/* OUT 8 octets */
185 {
186     des_cblock		des_key;
187     des_key_schedule	key_schedule;
188 
189     MakeKey(key, des_key);
190 
191     des_set_key(&des_key, key_schedule);
192 
193 #if 0
194     CHAPDEBUG((LOG_INFO, "DesEncrypt: 8 octet input : %.8B", clear));
195 #endif
196 
197     des_ecb_encrypt((des_cblock *)clear, (des_cblock *)cipher, key_schedule, 1);
198 
199 #if 0
200     CHAPDEBUG((LOG_INFO, "DesEncrypt: 8 octet output: %.8B", cipher));
201 #endif
202 }
203 
204 #endif /* USE_CRYPT */
205 
206 
207 static u_char Get7Bits(input, startBit)
208     u_char *input;
209     int startBit;
210 {
211     register unsigned int	word;
212 
213     word  = (unsigned)input[startBit / 8] << 8;
214     word |= (unsigned)input[startBit / 8 + 1];
215 
216     word >>= 15 - (startBit % 8 + 7);
217 
218     return word & 0xFE;
219 }
220 
221 #ifdef USE_CRYPT
222 
223 /* in == 8-byte string (expanded version of the 56-bit key)
224  * out == 64-byte string where each byte is either 1 or 0
225  * Note that the low-order "bit" is always ignored by by setkey()
226  */
227 static void Expand(in, out)
228     u_char *in;
229     char *out;
230 {
231         int j, c;
232         int i;
233 
234         for(i = 0; i < 64; in++){
235 		c = *in;
236                 for(j = 7; j >= 0; j--)
237                         *out++ = (c >> j) & 01;
238                 i += 8;
239         }
240 }
241 
242 /* The inverse of Expand
243  */
244 static void Collapse(in, out)
245     char *in;
246     u_char *out;
247 {
248         int j;
249         int i;
250 	unsigned int c;
251 
252 	for (i = 0; i < 64; i += 8, out++) {
253 	    c = 0;
254 	    for (j = 7; j >= 0; j--, in++)
255 		c |= *(u_char *)in << j;
256 	    *out = c & 0xff;
257 	}
258 }
259 #endif
260 
261 static void MakeKey(key, des_key)
262     u_char *key;	/* IN  56 bit DES key missing parity bits */
263     u_char *des_key;	/* OUT 64 bit DES key with parity bits added */
264 {
265     des_key[0] = Get7Bits(key,  0);
266     des_key[1] = Get7Bits(key,  7);
267     des_key[2] = Get7Bits(key, 14);
268     des_key[3] = Get7Bits(key, 21);
269     des_key[4] = Get7Bits(key, 28);
270     des_key[5] = Get7Bits(key, 35);
271     des_key[6] = Get7Bits(key, 42);
272     des_key[7] = Get7Bits(key, 49);
273 
274 #ifndef USE_CRYPT
275     des_set_odd_parity((des_cblock *)des_key);
276 #endif
277 
278 #if 0
279     CHAPDEBUG((LOG_INFO, "MakeKey: 56-bit input : %.7B", key));
280     CHAPDEBUG((LOG_INFO, "MakeKey: 64-bit output: %.8B", des_key));
281 #endif
282 }
283 
284 #ifdef CHAPMS
285 static void
286 ChapMS_NT(rchallenge, secret, secret_len, response)
287     u_char *rchallenge;
288     char *secret;
289     int secret_len;
290     MS_ChapResponse    *response;
291 {
292     int			i;
293 #ifdef __NetBSD__
294     /* NetBSD uses the libc md4 routines which take bytes instead of bits */
295     int			mdlen = secret_len * 2;
296 #else
297     int			mdlen = secret_len * 2 * 8;
298 #endif
299     MD4_CTX		md4Context;
300     u_char		hash[MD4_SIGNATURE_SIZE];
301     u_char		unicodePassword[MAX_NT_PASSWORD * 2];
302 
303     /* Initialize the Unicode version of the secret (== password). */
304     /* This implicitly supports 8-bit ISO8859/1 characters. */
305     BZERO(unicodePassword, sizeof(unicodePassword));
306     for (i = 0; i < secret_len; i++)
307 	unicodePassword[i * 2] = (u_char)secret[i];
308 
309     MD4Init(&md4Context);
310     MD4Update(&md4Context, unicodePassword, mdlen);
311 
312     MD4Final(hash, &md4Context); 	/* Tell MD4 we're done */
313 
314     ChallengeResponse(rchallenge, hash, response->NTResp);
315 }
316 
317 #ifdef MSLANMAN
318 static u_char *StdText = (u_char *)"KGS!@#$%"; /* key from rasapi32.dll */
319 
320 static void
321 ChapMS_LANMan(rchallenge, secret, secret_len, response)
322     u_char *rchallenge;
323     char *secret;
324     int secret_len;
325     MS_ChapResponse	*response;
326 {
327     int			i;
328     u_char		UcasePassword[MAX_NT_PASSWORD]; /* max is actually 14 */
329     u_char		PasswordHash[MD4_SIGNATURE_SIZE];
330 
331     /* LANMan password is case insensitive */
332     BZERO(UcasePassword, sizeof(UcasePassword));
333     for (i = 0; i < secret_len; i++)
334 	UcasePassword[i] = (u_char)(
335 	    islower(secret[i]) ? toupper(secret[i]) : secret[i]);
336     DesEncrypt( StdText, UcasePassword + 0, PasswordHash + 0 );
337     DesEncrypt( StdText, UcasePassword + 7, PasswordHash + 8 );
338     ChallengeResponse(rchallenge, PasswordHash, response->LANManResp);
339 }
340 #endif
341 
342 void
343 ChapMS(cstate, rchallenge, rchallenge_len, secret, secret_len)
344     chap_state *cstate;
345     u_char *rchallenge;
346     int rchallenge_len;
347     char *secret;
348     int secret_len;
349 {
350     MS_ChapResponse	response;
351 
352     if (rchallenge_len < 8) {
353 	    cstate->resp_length = 0;
354 	    return;
355     }
356 
357 #if 0
358     CHAPDEBUG((LOG_INFO, "ChapMS: secret is '%.*s'", secret_len, secret));
359 #endif
360     BZERO(&response, sizeof(response));
361 
362     /* Calculate both always */
363     ChapMS_NT(rchallenge, secret, secret_len, &response);
364 
365 #ifdef MSLANMAN
366     ChapMS_LANMan(rchallenge, secret, secret_len, &response);
367 
368     /* prefered method is set by option  */
369     response.UseNT = !ms_lanman;
370 #else
371     response.UseNT = 1;
372 #endif
373 
374     BCOPY(&response, cstate->response, MS_CHAP_RESPONSE_LEN);
375     cstate->resp_length = MS_CHAP_RESPONSE_LEN;
376 }
377 
378 static int
379 ChapMSStatus(cstate, flag)
380     chap_state *cstate;
381     int flag;
382 {
383     if (flag != 0) {
384 	cstate->stat_message = NULL;
385 	cstate->stat_length = 0;
386     } else {
387 	cstate->stat_message = "E=691 R=0 M=\"Authentication failed\"";
388 	cstate->stat_length = strlen(cstate->stat_message);
389     }
390     return (flag);
391 }
392 
393 int
394 ChapMSValidate(cstate, response, response_len, secret, secret_len)
395     chap_state *cstate;
396     u_char *response;
397     int response_len;
398     char *secret;
399     int secret_len;
400 {
401     MS_ChapResponse ckresp;
402 
403     if (response_len < MS_CHAP_RESPONSE_LEN || cstate->chal_len < 8)
404 	return (0);
405 
406     BZERO(&ckresp, sizeof(ckresp));
407 
408     if (response[MS_CHAP_RESPONSE_LEN-1]) {
409 	ChapMS_NT(cstate->challenge, secret, secret_len, &ckresp);
410 	return (ChapMSStatus(cstate, memcmp(ckresp.NTResp, response+24,
411 	    24) == 0));
412     }
413 
414 #ifdef MSLANMAN
415     ChapMS_LANMan(cstate->challenge, secret, secret_len, &ckresp);
416     return (ChapMSStatus(cstate,
417 	memcmp(ckresp.LANManResp, response, 24) == 0));
418 #else
419     return (ChapMSStatus(cstate, 0));
420 #endif
421 }
422 #endif /* CHAPMS */
423 
424 #ifdef CHAPMSV2
425 static void
426 ChallengeHash(peerchallenge, authenticatorchallenge, username, challenge)
427 u_char *peerchallenge, *authenticatorchallenge, *challenge;
428 char *username;
429 {
430     uint8_t digest[20];
431     SHA1_CTX sha1Context;
432     char *cp;
433 
434     SHA1Init(&sha1Context);
435     SHA1Update(&sha1Context, peerchallenge, 16);
436     SHA1Update(&sha1Context, authenticatorchallenge, 16);
437 
438     /*
439      * Only the user name (as presented by the peer and
440      * excluding any prepended domain name)
441      * is used as input to SHAUpdate().
442      */
443     if ((cp = strchr(username,'\\')) != NULL)
444 	username = cp;
445 
446     SHA1Update(&sha1Context, (uint8_t *)username, strlen(username));
447     SHA1Final(digest, &sha1Context);
448     BCOPY(digest, challenge, 8);
449 }
450 
451 static void
452 ChapMSv2_NT(username, rchallenge, secret, secret_len, response)
453     char *username;
454     u_char *rchallenge;
455     char *secret;
456     int secret_len;
457     MS_Chapv2Response    *response;
458 {
459     int			i;
460 #ifdef __NetBSD__
461     /* NetBSD uses the libc md4 routines that take bytes instead of bits */
462     int			mdlen = secret_len * 2;
463 #else
464     int			mdlen = secret_len * 2 * 8;
465 #endif
466     MD4_CTX		md4Context;
467     u_char		hash[MD4_SIGNATURE_SIZE];
468     u_char		challenge[8];
469     u_char		unicodePassword[MAX_NT_PASSWORD * 2];
470 
471     /* Initialize the Unicode version of the secret (== password). */
472     /* This implicitly supports 8-bit ISO8859/1 characters. */
473     BZERO(unicodePassword, sizeof(unicodePassword));
474     for (i = 0; i < secret_len && i < MAX_NT_PASSWORD; i++)
475 	if ((unicodePassword[i * 2] = (u_char)secret[i]) == '\0')
476 	    break;
477 
478     ChallengeHash(response->PeerChallenge, rchallenge, username, challenge);
479 
480     MD4Init(&md4Context);
481     MD4Update(&md4Context, unicodePassword, mdlen);
482 
483     MD4Final(hash, &md4Context); 	/* Tell MD4 we're done */
484 
485     ChallengeResponse(challenge, hash, response->NTResp);
486 }
487 
488 void
489 ChapMSv2(cstate, rchallenge, rchallenge_len, secret, secret_len)
490     chap_state *cstate;
491     u_char *rchallenge;
492     int rchallenge_len;
493     char *secret;
494     int secret_len;
495 {
496     MS_Chapv2Response	response;
497     u_char *ptr;
498     int i;
499 
500     if (rchallenge_len < 8) {
501 	cstate->resp_length = 0;
502 	return;
503     }
504 
505     BZERO(&response, sizeof(response));
506 
507     ptr = response.PeerChallenge;
508     for (i = 0; i < 16; i++)
509 	*ptr++ = (u_char) (drand48() * 0xff);
510 
511     ChapMSv2_NT(cstate->resp_name, rchallenge, secret, secret_len, &response);
512 
513     BCOPY(&response, cstate->response, MS_CHAPV2_RESPONSE_LEN);
514     cstate->resp_length = MS_CHAPV2_RESPONSE_LEN;
515 }
516 
517 static void
518 ChapMSv2Success(cstate, msresp, authchall, rhostname, secret, secret_len)
519     chap_state *cstate;
520     MS_Chapv2Response *msresp;
521     u_char *authchall;
522     char *rhostname, *secret;
523     int secret_len;
524 {
525     static const u_char Magic1[39] = "Magic server to client signing constant";
526     static const u_char Magic2[41] =
527 	"Pad to make it do more than one iteration";
528 #ifdef __NetBSD__
529     /* NetBSD uses the libc md4 routines that take bytes instead of bits */
530     int mdlen = 1;
531 #else
532     int mdlen = 8;
533 #endif
534     u_char unicodePassword[MAX_NT_PASSWORD * 2];
535     MD4_CTX md4Context;
536     u_char hash[MD4_SIGNATURE_SIZE];
537     u_char hashhash[MD4_SIGNATURE_SIZE];
538     SHA1_CTX sha1Context;
539     uint8_t digest[20];
540     u_char challenge[8];
541     char *cp;
542     static const char hexdig[] = "0123456789ABCDEF";
543     int i;
544 
545     /* Initialize the Unicode version of the secret (== password). */
546     /* This implicitly supports 8-bit ISO8859/1 characters. */
547     BZERO(unicodePassword, sizeof(unicodePassword));
548     for (i = 0; i < secret_len && i < MAX_NT_PASSWORD; i++)
549 	if ((unicodePassword[i * 2] = (u_char)secret[i]) == '\0')
550 	    break;
551 
552     /* Hash the password with MD4 */
553     MD4Init(&md4Context);
554     MD4Update(&md4Context, unicodePassword, secret_len * 2 * mdlen);
555     MD4Final(hash, &md4Context);
556 
557     /* Now hash the hash */
558     MD4Init(&md4Context);
559     MD4Update(&md4Context, hash, MD4_SIGNATURE_SIZE * mdlen);
560     MD4Final(hashhash, &md4Context);
561 
562     SHA1Init(&sha1Context);
563     SHA1Update(&sha1Context, hashhash, MD4_SIGNATURE_SIZE);
564     SHA1Update(&sha1Context, msresp->NTResp, sizeof (msresp->NTResp));
565     SHA1Update(&sha1Context, Magic1, 39);
566     SHA1Final(digest, &sha1Context);
567 
568     ChallengeHash(msresp->PeerChallenge, authchall, rhostname, challenge);
569 
570     SHA1Init(&sha1Context);
571     SHA1Update(&sha1Context, digest, 20);
572     SHA1Update(&sha1Context, challenge, 8);
573     SHA1Update(&sha1Context, Magic2, 41);
574     SHA1Final(digest, &sha1Context);
575 
576     cp = status_message;
577     *cp++ = 'S';
578     *cp++ = '=';
579     for (i = 0; i < 20; i++) {
580 	*cp++ = hexdig[digest[i]>>4];
581 	*cp++ = hexdig[digest[i]&15];
582     }
583     /*
584      * RFC 2759 says that a M=<string> greeting message is possible
585      * here.  It lies.  Any such greeting causes Windoze-98 to give
586      * error number 742, "Dial-Up Networking was unable to complete
587      * the connection.  The computer you're dialing in to does not
588      * support the data encryption requirements specified.  Please
589      * check your encryption settings in the properties of the
590      * connection.  If this problem persists, contact your network
591      * administrator."
592      */
593     *cp = '\0';
594 #if 0
595     slprintf(cp, sizeof (status_message) - (cp-status_message),
596 	"M=\"Welcome to %s.\"", hostname);
597 #endif
598     cstate->stat_message = status_message;
599     cstate->stat_length = strlen(status_message);
600 }
601 
602 int
603 ChapMSv2Validate(cstate, rhostname, response, response_len, secret, secret_len)
604     chap_state *cstate;
605     char *rhostname;
606     u_char *response;
607     int response_len;
608     char *secret;
609     int secret_len;
610 {
611     MS_Chapv2Response ckresp;
612 
613     if (response_len < MS_CHAPV2_RESPONSE_LEN ||
614 	/* response[MS_CHAPV2_RESPONSE_LEN-1] != 0 || */cstate->chal_len < 8) {
615 	cstate->stat_message = NULL;
616 	cstate->stat_length = 0;
617 	return 0;
618     }
619 
620     BZERO(&ckresp, sizeof(ckresp));
621 
622     BCOPY(response, ckresp.PeerChallenge, 16);
623 
624     ChapMSv2_NT(rhostname, cstate->challenge, secret, secret_len, &ckresp);
625     if (memcmp(ckresp.NTResp, response+24, 24) != 0) {
626 	cstate->stat_message = "E=691 R=0 C=11111111111111111111111111111111 V=3 M=\"Authentication failed\"";
627 	cstate->stat_length = strlen(cstate->stat_message);
628 	return (0);
629     }
630     ChapMSv2Success(cstate, (MS_Chapv2Response *)response, cstate->challenge,
631 	rhostname, secret, secret_len);
632     return (1);
633 }
634 #endif /* CHAPMSV2 */
635 
636 #endif /* CHAPMS or CHAPMSV2 */
637