EAP-pwd server: Add support for hashed password

This extends EAP-pwd server support to allow NtHash version of password
storage in addition to full plaintext password.

Signed-off-by: Jouni Malinen <j@w1.fi>
This commit is contained in:
Jouni Malinen 2015-03-28 09:42:31 +02:00
parent 2bd2ed2006
commit e4840b381c

View file

@ -10,6 +10,7 @@
#include "common.h"
#include "crypto/sha256.h"
#include "crypto/ms_funcs.h"
#include "eap_server/eap_i.h"
#include "eap_common/eap_pwd_common.h"
@ -24,6 +25,7 @@ struct eap_pwd_data {
size_t id_server_len;
u8 *password;
size_t password_len;
int password_hash;
u32 token;
u16 group_num;
EAP_PWD_group *grp;
@ -112,6 +114,7 @@ static void * eap_pwd_init(struct eap_sm *sm)
}
data->password_len = sm->user->password_len;
os_memcpy(data->password, sm->user->password, data->password_len);
data->password_hash = sm->user->password_hash;
data->bnctx = BN_CTX_new();
if (data->bnctx == NULL) {
@ -181,7 +184,8 @@ static void eap_pwd_build_id_req(struct eap_sm *sm, struct eap_pwd_data *data,
wpabuf_put_u8(data->outbuf, EAP_PWD_DEFAULT_RAND_FUNC);
wpabuf_put_u8(data->outbuf, EAP_PWD_DEFAULT_PRF);
wpabuf_put_data(data->outbuf, &data->token, sizeof(data->token));
wpabuf_put_u8(data->outbuf, EAP_PWD_PREP_NONE);
wpabuf_put_u8(data->outbuf, data->password_hash ? EAP_PWD_PREP_MS :
EAP_PWD_PREP_NONE);
wpabuf_put_data(data->outbuf, data->id_server, data->id_server_len);
}
@ -579,6 +583,10 @@ static void eap_pwd_process_id_resp(struct eap_sm *sm,
const u8 *payload, size_t payload_len)
{
struct eap_pwd_id *id;
const u8 *password;
size_t password_len;
u8 pwhashhash[16];
int res;
if (payload_len < sizeof(struct eap_pwd_id)) {
wpa_printf(MSG_INFO, "EAP-pwd: Invalid ID response");
@ -610,11 +618,25 @@ static void eap_pwd_process_id_resp(struct eap_sm *sm,
"group");
return;
}
if (compute_password_element(data->grp, data->group_num,
data->password, data->password_len,
if (data->password_hash) {
res = hash_nt_password_hash(data->password, pwhashhash);
if (res)
return;
password = pwhashhash;
password_len = sizeof(pwhashhash);
} else {
password = data->password;
password_len = data->password_len;
}
res = compute_password_element(data->grp, data->group_num,
password, password_len,
data->id_server, data->id_server_len,
data->id_peer, data->id_peer_len,
(u8 *) &data->token)) {
(u8 *) &data->token);
os_memset(pwhashhash, 0, sizeof(pwhashhash));
if (res) {
wpa_printf(MSG_INFO, "EAP-PWD (server): unable to compute "
"PWE");
return;