EAP-pwd server: Add support for hashed password
This extends the EAP-pwd server to accept an NtHash version of the stored password in addition to the full plaintext password. Signed-off-by: Jouni Malinen <j@w1.fi>
This commit is contained in:
parent
2bd2ed2006
commit
e4840b381c
1 changed files with 28 additions and 6 deletions
|
@ -10,6 +10,7 @@
|
|||
|
||||
#include "common.h"
|
||||
#include "crypto/sha256.h"
|
||||
#include "crypto/ms_funcs.h"
|
||||
#include "eap_server/eap_i.h"
|
||||
#include "eap_common/eap_pwd_common.h"
|
||||
|
||||
|
@ -24,6 +25,7 @@ struct eap_pwd_data {
|
|||
size_t id_server_len;
|
||||
u8 *password;
|
||||
size_t password_len;
|
||||
int password_hash;
|
||||
u32 token;
|
||||
u16 group_num;
|
||||
EAP_PWD_group *grp;
|
||||
|
@ -112,6 +114,7 @@ static void * eap_pwd_init(struct eap_sm *sm)
|
|||
}
|
||||
data->password_len = sm->user->password_len;
|
||||
os_memcpy(data->password, sm->user->password, data->password_len);
|
||||
data->password_hash = sm->user->password_hash;
|
||||
|
||||
data->bnctx = BN_CTX_new();
|
||||
if (data->bnctx == NULL) {
|
||||
|
@ -181,7 +184,8 @@ static void eap_pwd_build_id_req(struct eap_sm *sm, struct eap_pwd_data *data,
|
|||
wpabuf_put_u8(data->outbuf, EAP_PWD_DEFAULT_RAND_FUNC);
|
||||
wpabuf_put_u8(data->outbuf, EAP_PWD_DEFAULT_PRF);
|
||||
wpabuf_put_data(data->outbuf, &data->token, sizeof(data->token));
|
||||
wpabuf_put_u8(data->outbuf, EAP_PWD_PREP_NONE);
|
||||
wpabuf_put_u8(data->outbuf, data->password_hash ? EAP_PWD_PREP_MS :
|
||||
EAP_PWD_PREP_NONE);
|
||||
wpabuf_put_data(data->outbuf, data->id_server, data->id_server_len);
|
||||
}
|
||||
|
||||
|
@ -579,6 +583,10 @@ static void eap_pwd_process_id_resp(struct eap_sm *sm,
|
|||
const u8 *payload, size_t payload_len)
|
||||
{
|
||||
struct eap_pwd_id *id;
|
||||
const u8 *password;
|
||||
size_t password_len;
|
||||
u8 pwhashhash[16];
|
||||
int res;
|
||||
|
||||
if (payload_len < sizeof(struct eap_pwd_id)) {
|
||||
wpa_printf(MSG_INFO, "EAP-pwd: Invalid ID response");
|
||||
|
@ -610,11 +618,25 @@ static void eap_pwd_process_id_resp(struct eap_sm *sm,
|
|||
"group");
|
||||
return;
|
||||
}
|
||||
if (compute_password_element(data->grp, data->group_num,
|
||||
data->password, data->password_len,
|
||||
|
||||
if (data->password_hash) {
|
||||
res = hash_nt_password_hash(data->password, pwhashhash);
|
||||
if (res)
|
||||
return;
|
||||
password = pwhashhash;
|
||||
password_len = sizeof(pwhashhash);
|
||||
} else {
|
||||
password = data->password;
|
||||
password_len = data->password_len;
|
||||
}
|
||||
|
||||
res = compute_password_element(data->grp, data->group_num,
|
||||
password, password_len,
|
||||
data->id_server, data->id_server_len,
|
||||
data->id_peer, data->id_peer_len,
|
||||
(u8 *) &data->token)) {
|
||||
(u8 *) &data->token);
|
||||
os_memset(pwhashhash, 0, sizeof(pwhashhash));
|
||||
if (res) {
|
||||
wpa_printf(MSG_INFO, "EAP-PWD (server): unable to compute "
|
||||
"PWE");
|
||||
return;
|
||||
|
|
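Review bot: In the last hunk of eap_pwd_process_id_resp, the hashed branch calls `hash_nt_password_hash(data->password, pwhashhash)` without checking that `data->password_len` is 16, so a user entry flagged with password_hash but carrying a shorter stored value would be read past its end; add `if (data->password_len != 16) { wpa_printf(MSG_INFO, "EAP-pwd: Invalid NtHash length"); return; }` ahead of the call (or reject such entries in eap_pwd_init, where password_hash is copied from sm->user). The bare `return;` when hash_nt_password_hash fails is also silent, unlike the other error paths in this function, which log through wpa_printf before returning. The new struct field in the second hunk would benefit from a comment such as `/* password holds a 16-octet NtHash instead of the plaintext; it is presumably still a password-equivalent secret for EAP-pwd and must be protected like one */`, since nothing else documents what the flag implies about the contents of password. The enclosing function eap_pwd_process_id_resp continues outside the hunk.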