EAP-pwd server: Add support for hashed password

This extends EAP-pwd server support to allow the NtHash version of the
password to be stored in addition to the full plaintext password.

Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen 2015-03-28 09:42:31 +02:00
parent 2bd2ed2006
commit e4840b381c


@ -10,6 +10,7 @@
#include "common.h" #include "common.h"
#include "crypto/sha256.h" #include "crypto/sha256.h"
#include "crypto/ms_funcs.h"
#include "eap_server/eap_i.h" #include "eap_server/eap_i.h"
#include "eap_common/eap_pwd_common.h" #include "eap_common/eap_pwd_common.h"
@ -24,6 +25,7 @@ struct eap_pwd_data {
size_t id_server_len; size_t id_server_len;
u8 *password; u8 *password;
size_t password_len; size_t password_len;
int password_hash;
u32 token; u32 token;
u16 group_num; u16 group_num;
EAP_PWD_group *grp; EAP_PWD_group *grp;
@ -112,6 +114,7 @@ static void * eap_pwd_init(struct eap_sm *sm)
} }
data->password_len = sm->user->password_len; data->password_len = sm->user->password_len;
os_memcpy(data->password, sm->user->password, data->password_len); os_memcpy(data->password, sm->user->password, data->password_len);
data->password_hash = sm->user->password_hash;
data->bnctx = BN_CTX_new(); data->bnctx = BN_CTX_new();
if (data->bnctx == NULL) { if (data->bnctx == NULL) {
@ -181,7 +184,8 @@ static void eap_pwd_build_id_req(struct eap_sm *sm, struct eap_pwd_data *data,
wpabuf_put_u8(data->outbuf, EAP_PWD_DEFAULT_RAND_FUNC); wpabuf_put_u8(data->outbuf, EAP_PWD_DEFAULT_RAND_FUNC);
wpabuf_put_u8(data->outbuf, EAP_PWD_DEFAULT_PRF); wpabuf_put_u8(data->outbuf, EAP_PWD_DEFAULT_PRF);
wpabuf_put_data(data->outbuf, &data->token, sizeof(data->token)); wpabuf_put_data(data->outbuf, &data->token, sizeof(data->token));
wpabuf_put_u8(data->outbuf, EAP_PWD_PREP_NONE); wpabuf_put_u8(data->outbuf, data->password_hash ? EAP_PWD_PREP_MS :
EAP_PWD_PREP_NONE);
wpabuf_put_data(data->outbuf, data->id_server, data->id_server_len); wpabuf_put_data(data->outbuf, data->id_server, data->id_server_len);
} }
@ -579,6 +583,10 @@ static void eap_pwd_process_id_resp(struct eap_sm *sm,
const u8 *payload, size_t payload_len) const u8 *payload, size_t payload_len)
{ {
struct eap_pwd_id *id; struct eap_pwd_id *id;
const u8 *password;
size_t password_len;
u8 pwhashhash[16];
int res;
if (payload_len < sizeof(struct eap_pwd_id)) { if (payload_len < sizeof(struct eap_pwd_id)) {
wpa_printf(MSG_INFO, "EAP-pwd: Invalid ID response"); wpa_printf(MSG_INFO, "EAP-pwd: Invalid ID response");
@ -610,11 +618,25 @@ static void eap_pwd_process_id_resp(struct eap_sm *sm,
"group"); "group");
return; return;
} }
if (compute_password_element(data->grp, data->group_num,
data->password, data->password_len, if (data->password_hash) {
data->id_server, data->id_server_len, res = hash_nt_password_hash(data->password, pwhashhash);
data->id_peer, data->id_peer_len, if (res)
(u8 *) &data->token)) { return;
password = pwhashhash;
password_len = sizeof(pwhashhash);
} else {
password = data->password;
password_len = data->password_len;
}
res = compute_password_element(data->grp, data->group_num,
password, password_len,
data->id_server, data->id_server_len,
data->id_peer, data->id_peer_len,
(u8 *) &data->token);
os_memset(pwhashhash, 0, sizeof(pwhashhash));
if (res) {
wpa_printf(MSG_INFO, "EAP-PWD (server): unable to compute " wpa_printf(MSG_INFO, "EAP-PWD (server): unable to compute "
"PWE"); "PWE");
return; return;