1
0
mirror of https://github.com/SoftEtherVPN/SoftEtherVPN.git synced 2024-11-07 18:20:41 +03:00
SoftEtherVPN/src/Cedar/Sam.c

416 lines
9.9 KiB
C
Raw Normal View History

2014-01-04 17:00:08 +04:00
// SoftEther VPN Source Code
// Cedar Communication Module
//
// SoftEther VPN Server, Client and Bridge are free software under GPLv2.
//
// Copyright (c) 2012-2014 Daiyuu Nobori.
// Copyright (c) 2012-2014 SoftEther VPN Project, University of Tsukuba, Japan.
// Copyright (c) 2012-2014 SoftEther Corporation.
//
// All Rights Reserved.
//
// http://www.softether.org/
//
// Author: Daiyuu Nobori
// Comments: Tetsuo Sugiyama, Ph.D.
//
//
// This program is free software; you can redistribute it and/or
// modify it under the terms of the GNU General Public License
// version 2 as published by the Free Software Foundation.
//
// This program is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU General Public License for more details.
//
// You should have received a copy of the GNU General Public License version 2
// along with this program; if not, write to the Free Software
// Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
//
// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
// EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
// MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
// IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY
// CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT,
// TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
// SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
//
// THE LICENSE AGREEMENT IS ATTACHED ON THE SOURCE-CODE PACKAGE
// AS "LICENSE.TXT" FILE. READ THE TEXT FILE IN ADVANCE TO USE THE SOFTWARE.
//
//
// THIS SOFTWARE IS DEVELOPED IN JAPAN, AND DISTRIBUTED FROM JAPAN,
// UNDER JAPANESE LAWS. YOU MUST AGREE IN ADVANCE TO USE, COPY, MODIFY,
// MERGE, PUBLISH, DISTRIBUTE, SUBLICENSE, AND/OR SELL COPIES OF THIS
// SOFTWARE, THAT ANY JURIDICAL DISPUTES WHICH ARE CONCERNED TO THIS
// SOFTWARE OR ITS CONTENTS, AGAINST US (SOFTETHER PROJECT, SOFTETHER
// CORPORATION, DAIYUU NOBORI OR OTHER SUPPLIERS), OR ANY JURIDICAL
// DISPUTES AGAINST US WHICH ARE CAUSED BY ANY KIND OF USING, COPYING,
// MODIFYING, MERGING, PUBLISHING, DISTRIBUTING, SUBLICENSING, AND/OR
// SELLING COPIES OF THIS SOFTWARE SHALL BE REGARDED AS BE CONSTRUED AND
// CONTROLLED BY JAPANESE LAWS, AND YOU MUST FURTHER CONSENT TO
// EXCLUSIVE JURISDICTION AND VENUE IN THE COURTS SITTING IN TOKYO,
// JAPAN. YOU MUST WAIVE ALL DEFENSES OF LACK OF PERSONAL JURISDICTION
// AND FORUM NON CONVENIENS. PROCESS MAY BE SERVED ON EITHER PARTY IN
// THE MANNER AUTHORIZED BY APPLICABLE LAW OR COURT RULE.
//
// USE ONLY IN JAPAN. DO NOT USE IT IN OTHER COUNTRIES. IMPORTING THIS
// SOFTWARE INTO OTHER COUNTRIES IS AT YOUR OWN RISK. SOME COUNTRIES
// PROHIBIT ENCRYPTED COMMUNICATIONS. USING THIS SOFTWARE IN OTHER
// COUNTRIES MIGHT BE RESTRICTED.
//
//
// DEAR SECURITY EXPERTS
// ---------------------
//
// If you find a bug or a security vulnerability please kindly inform us
// about the problem immediately so that we can fix the security problem
// to protect a lot of users around the world as soon as possible.
//
// Our e-mail address for security reports is:
// softether-vpn-security [at] softether.org
//
// Please note that the above e-mail address is not a technical support
// inquiry address. If you need technical assistance, please visit
// http://www.softether.org/ and ask your question on the users forum.
//
// Thank you for your cooperation.
// Sam.c
// Security Accounts Manager
#include "CedarPch.h"
// Password encryption
void SecurePassword(void *secure_password, void *password, void *random)
{
BUF *b;
// Validate arguments
if (secure_password == NULL || password == NULL || random == NULL)
{
return;
}
b = NewBuf();
WriteBuf(b, password, SHA1_SIZE);
WriteBuf(b, random, SHA1_SIZE);
Hash(secure_password, b->Buf, b->Size, true);
FreeBuf(b);
}
// Generate 160bit random number
void GenRamdom(void *random)
{
// Validate arguments
if (random == NULL)
{
return;
}
Rand(random, SHA1_SIZE);
}
// Anonymous authentication of user
bool SamAuthUserByAnonymous(HUB *h, char *username)
{
bool b = false;
// Validate arguments
if (h == NULL || username == NULL)
{
return false;
}
AcLock(h);
{
USER *u = AcGetUser(h, username);
if (u)
{
Lock(u->lock);
{
if (u->AuthType == AUTHTYPE_ANONYMOUS)
{
b = true;
}
}
Unlock(u->lock);
}
ReleaseUser(u);
}
AcUnlock(h);
return b;
}
// Plaintext password authentication of user
bool SamAuthUserByPlainPassword(CONNECTION *c, HUB *hub, char *username, char *password, bool ast, UCHAR *mschap_v2_server_response_20)
{
return false;
}
// Certificate authentication of user
bool SamAuthUserByCert(HUB *h, char *username, X *x)
{
return false;
}
// Get the root certificate that signed the specified certificate from the list
X *GetIssuerFromList(LIST *cert_list, X *cert)
{
UINT i;
X *ret = NULL;
// Validate arguments
if (cert_list == NULL || cert == NULL)
{
return NULL;
}
for (i = 0;i < LIST_NUM(cert_list);i++)
{
X *x = LIST_DATA(cert_list, i);
// Name comparison
if (CheckXDateNow(x))
{
if (CompareName(x->subject_name, cert->issuer_name))
{
// Get the public key of the root certificate
K *k = GetKFromX(x);
if (k != NULL)
{
// Check the signature
if (CheckSignature(cert, k))
{
ret = x;
}
FreeK(k);
}
}
}
if (CompareX(x, cert))
{
// Complete identical
ret = x;
}
}
return ret;
}
// Get the policy to be applied for the user
POLICY *SamGetUserPolicy(HUB *h, char *username)
{
POLICY *ret = NULL;
// Validate arguments
if (h == NULL || username == NULL)
{
return NULL;
}
AcLock(h);
{
USER *u;
u = AcGetUser(h, username);
if (u)
{
USERGROUP *g = NULL;
Lock(u->lock);
{
if (u->Policy != NULL)
{
ret = ClonePolicy(u->Policy);
}
g = u->Group;
if (g != NULL)
{
AddRef(g->ref);
}
}
Unlock(u->lock);
ReleaseUser(u);
u = NULL;
if (ret == NULL)
{
if (g != NULL)
{
Lock(g->lock);
{
ret = ClonePolicy(g->Policy);
}
Unlock(g->lock);
}
}
if (g != NULL)
{
ReleaseGroup(g);
}
}
}
AcUnlock(h);
return ret;
}
// Password authentication of user
bool SamAuthUserByPassword(HUB *h, char *username, void *random, void *secure_password, char *mschap_v2_password, UCHAR *mschap_v2_server_response_20, UINT *err)
{
bool b = false;
UCHAR secure_password_check[SHA1_SIZE];
bool is_mschap = false;
IPC_MSCHAP_V2_AUTHINFO mschap;
UINT dummy = 0;
// Validate arguments
if (h == NULL || username == NULL || secure_password == NULL)
{
return false;
}
if (err == NULL)
{
err = &dummy;
}
*err = 0;
Zero(&mschap, sizeof(mschap));
is_mschap = ParseAndExtractMsChapV2InfoFromPassword(&mschap, mschap_v2_password);
if (StrCmpi(username, ADMINISTRATOR_USERNAME) == 0)
{
// Administrator mode
SecurePassword(secure_password_check, h->SecurePassword, random);
if (Cmp(secure_password_check, secure_password, SHA1_SIZE) == 0)
{
return true;
}
else
{
return false;
}
}
AcLock(h);
{
USER *u;
u = AcGetUser(h, username);
if (u)
{
Lock(u->lock);
{
if (u->AuthType == AUTHTYPE_PASSWORD)
{
AUTHPASSWORD *auth = (AUTHPASSWORD *)u->AuthData;
if (is_mschap == false)
{
// Normal password authentication
SecurePassword(secure_password_check, auth->HashedKey, random);
if (Cmp(secure_password_check, secure_password, SHA1_SIZE) == 0)
{
b = true;
}
}
else
{
// MS-CHAP v2 authentication via PPP
UCHAR challenge8[8];
UCHAR client_response[24];
if (IsZero(auth->NtLmSecureHash, MD5_SIZE))
{
// NTLM hash is not registered in the user account
*err = ERR_MSCHAP2_PASSWORD_NEED_RESET;
}
else
{
UCHAR nt_pw_hash_hash[16];
Zero(challenge8, sizeof(challenge8));
Zero(client_response, sizeof(client_response));
MsChapV2_GenerateChallenge8(challenge8, mschap.MsChapV2_ClientChallenge, mschap.MsChapV2_ServerChallenge,
mschap.MsChapV2_PPPUsername);
MsChapV2Client_GenerateResponse(client_response, challenge8, auth->NtLmSecureHash);
if (Cmp(client_response, mschap.MsChapV2_ClientResponse, 24) == 0)
{
// Hash matched
b = true;
// Calculate the response
GenerateNtPasswordHashHash(nt_pw_hash_hash, auth->NtLmSecureHash);
MsChapV2Server_GenerateResponse(mschap_v2_server_response_20, nt_pw_hash_hash,
client_response, challenge8);
}
}
}
}
}
Unlock(u->lock);
ReleaseUser(u);
}
}
AcUnlock(h);
return b;
}
// Make sure that the user exists
bool SamIsUser(HUB *h, char *username)
{
bool b;
// Validate arguments
if (h == NULL || username == NULL)
{
return false;
}
AcLock(h);
{
b = AcIsUser(h, username);
}
AcUnlock(h);
return b;
}
// Get the type of authentication used by the user
UINT SamGetUserAuthType(HUB *h, char *username)
{
UINT authtype;
// Validate arguments
if (h == NULL || username == NULL)
{
return INFINITE;
}
AcLock(h);
{
USER *u = AcGetUser(h, username);
if (u == NULL)
{
authtype = INFINITE;
}
else
{
authtype = u->AuthType;
ReleaseUser(u);
}
}
AcUnlock(h);
return authtype;
}
// Developed by SoftEther VPN Project at University of Tsukuba in Japan.
// Department of Computer Science has dozens of overly-enthusiastic geeks.
// Join us: http://www.tsukuba.ac.jp/english/admission/