this is in preparation for replacing DES ticket encryption with
something better. but first need to make the code stop making
assumptions.
the wire encoding of the Ticket might be variable length
with TICKETLEN just giving an upper bound. the details will be
handled by libauthsrv _asgetticket() and _asgetresp() functions.
the Authenticator and Passwordreq structures are encrypted
with the random ticket key. The encryption scheme will depend
on the Ticket format used, so we pass the Ticket* structure
instead of the DES key.
introduce Authkey structure that will hold all the required
cryptographic keys instead of passing DES key.
this is used for wpa2 enterprise peap/mschapv2. server role
is not implemented as that would require changing the
wire format on the auth server.
the naming is unfortunate as we already have proto=mschap2 which
really refers to ntlmv2.
werrstr() takes a format string as its first argument.
a common error is to pass user controlled string buffers
into werrstr() that might contain format string escapes
causing werrstr() to take bogus arguments from the stack
and crash.
so instead of doing:
werrstr(buf);
we want to do:
werrstr("%s", buf);
or if we have a local ERRMAX sized buffer that we can override:
errstr(buf, sizeof buf);
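as an added illustration of the three calls above (this is not 9front's libc; werrstr/errstr/rerrstr here are a local stand-in over a static buffer with vsnprintf, so the interface can be exercised in plain C), the hardened "%s" pattern, the errstr() exchange, and a small helper that flags a buffer containing a directive a format function would act on:

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Local stand-in for Plan 9's per-process error string (assumption: the
 * real werrstr/errstr/rerrstr live in libc and talk to the kernel; this
 * version keeps the string in a static buffer and formats with vsnprintf). */
#define ERRMAX 128
static char errbuf[ERRMAX];

/* werrstr(fmt, ...): format into the error string. fmt must be a literal;
 * if untrusted text is passed as fmt, any '%' directive in it consumes
 * arguments that were never supplied. */
static void werrstr(const char *fmt, ...)
{
	va_list ap;
	va_start(ap, fmt);
	vsnprintf(errbuf, sizeof errbuf, fmt, ap);
	va_end(ap);
}

/* rerrstr(buf, n): copy the current error string into buf. */
static void rerrstr(char *buf, size_t n)
{
	snprintf(buf, n, "%s", errbuf);
}

/* errstr(buf, n): exchange buf with the error string with no formatting
 * at all, so a '%' in buf is stored literally. buf is ERRMAX sized. */
static void errstr(char *buf, size_t n)
{
	char tmp[ERRMAX];
	snprintf(tmp, sizeof tmp, "%s", errbuf);
	snprintf(errbuf, sizeof errbuf, "%s", buf);
	snprintf(buf, n, "%s", tmp);
}

/* The hardened pattern from the commit: untrusted text is an argument to
 * a fixed "%s" format, never the format itself. */
static void report_untrusted(const char *user)
{
	werrstr("%s", user);
}

/* Returns 1 if the stored error string is byte-for-byte the untrusted
 * input, i.e. no directive in it was interpreted. */
static int stored_verbatim(const char *user)
{
	char got[ERRMAX];
	report_untrusted(user);
	rerrstr(got, sizeof got);
	return strcmp(got, user) == 0;
}

/* Returns 1 when errstr() exchanged the two strings as expected. */
static int exchange_ok(void)
{
	char buf[ERRMAX];
	werrstr("%s", "old");
	snprintf(buf, sizeof buf, "%s", "new %d");
	errstr(buf, sizeof buf);
	return strcmp(buf, "old") == 0 && strcmp(errbuf, "new %d") == 0;
}

/* Review aid: does s contain a conversion directive that a format
 * function would act on? "%%" is an escaped percent and is skipped. */
static int has_format_directive(const char *s)
{
	for (; *s; s++) {
		if (*s != '%')
			continue;
		if (s[1] == '%') {
			s++;
			continue;
		}
		return 1;
	}
	return 0;
}
```

the unsafe werrstr(buf) form is deliberately never called here; with a "%s%n" in buf it would read and write through stack garbage. compiling with -Wformat-security catches the direct call sites, but not a buffer that reaches werrstr() through a char* parameter, which is what has_format_directive() is for when reviewing inputs.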
to run aux/wpa at boot, we need factotum to be running. though
factotum was started only after the network was configured.
what we do now is start factotum early, not fetching keys
from secstore. once network is available and the auth server
is known, we fetch keys from secstore using auth/secstore in
bootrc.
to pass the authserver for p9 authentication to factotum, we
write it in /net/ndb and the special _authdial() in factotum
will pick it up.
as we are using auth/secstore binary in any case, we remove
the duplicated secstore code from factotum and make it just
exec auth/secstore to fetch the keys on startup (unless -n
or -S is specified).
the nt blob ends with 4 zero bytes; this is not the same as
the EOL av-pair terminator!
this makes ntlmv2 work with windows xp with LmCompatibilityLevel = 3
extending factotum's and the auth server's mschap implementation
to handle variable length NT response for NTLMv2.
fix some minor bugs.
only tested with cifs so far.
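as an added example (not the factotum or authsrv code), a walker for the variable-length NTLMv2 blob that keeps the two terminators apart: the av-pair list ends with the MsvAvEOL pair (AvId 0, AvLen 0), and only after that come the 4 trailing zero bytes the commit mentions. the fixed 28-byte header layout follows MS-NLMP's NTLMv2_CLIENT_CHALLENGE; the sample blob is constructed, not a capture:

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* AvId values from MS-NLMP (only the ones used here). */
enum {
	MsvAvEOL = 0,
	MsvAvNbComputerName = 1,
	MsvAvNbDomainName = 2
};

/* NTLMv2_CLIENT_CHALLENGE fixed header: RespType(1) HiRespType(1)
 * Reserved1(2) Reserved2(4) TimeStamp(8) ChallengeFromClient(8)
 * Reserved3(4), followed by the av-pairs. */
enum { BlobHdrLen = 28 };

static uint16_t get16le(const uint8_t *p)
{
	return (uint16_t)(p[0] | (p[1] << 8));
}

static void put16le(uint8_t *p, uint16_t v)
{
	p[0] = v & 0xff;
	p[1] = v >> 8;
}

/* Walk av-pairs (AvId LE16, AvLen LE16, value). Returns the offset just
 * past the EOL pair and stores the number of non-EOL pairs in *npairs,
 * or -1 if a pair is truncated or no EOL is found. */
static int walk_avpairs(const uint8_t *b, size_t n, int *npairs)
{
	size_t off = 0;

	*npairs = 0;
	while (off + 4 <= n) {
		uint16_t id = get16le(b + off);
		uint16_t len = get16le(b + off + 2);
		off += 4;
		if (id == MsvAvEOL)
			return len == 0 ? (int)off : -1;
		if (len > n - off)
			return -1;
		(*npairs)++;
		off += len;
	}
	return -1;
}

/* Validate a variable-length blob: header, av-pairs ending in EOL, and
 * the 4 trailing zero bytes that are separate from the EOL pair.
 * Returns the total blob length or -1. */
static int check_ntlmv2_blob(const uint8_t *blob, size_t n)
{
	static const uint8_t zero4[4];
	int np, end;
	size_t off;

	if (n < BlobHdrLen || blob[0] != 1 || blob[1] != 1)
		return -1;
	end = walk_avpairs(blob + BlobHdrLen, n - BlobHdrLen, &np);
	if (end < 0)
		return -1;
	off = BlobHdrLen + (size_t)end;
	if (n - off < 4 || memcmp(blob + off, zero4, 4) != 0)
		return -1;
	return (int)(off + 4);
}

static size_t put_avpair(uint8_t *p, uint16_t id, const uint8_t *v, size_t len)
{
	put16le(p, id);
	put16le(p + 2, (uint16_t)len);
	if (len)
		memcpy(p + 4, v, len);
	return 4 + len;
}

/* Constructed sample (not a capture): filler timestamp and challenge,
 * two av-pairs, EOL, then the 4 trailing zero bytes. out needs 64 bytes. */
static size_t build_sample_blob(uint8_t *out)
{
	static const uint8_t domain[] = { 'D', 0 };		/* "D" in UTF-16LE */
	static const uint8_t host[] = { 'P', 0, 'C', 0 };	/* "PC" in UTF-16LE */
	size_t off = 0;

	memset(out, 0, 64);
	out[off++] = 1;			/* RespType */
	out[off++] = 1;			/* HiRespType */
	off += 2 + 4;			/* Reserved1, Reserved2 */
	memset(out + off, 0x11, 8);	/* TimeStamp (filler) */
	off += 8;
	memset(out + off, 0x22, 8);	/* ChallengeFromClient (filler) */
	off += 8;
	off += 4;			/* Reserved3 */
	off += put_avpair(out + off, MsvAvNbDomainName, domain, sizeof domain);
	off += put_avpair(out + off, MsvAvNbComputerName, host, sizeof host);
	off += put_avpair(out + off, MsvAvEOL, NULL, 0);
	off += 4;			/* trailing zero bytes, distinct from EOL */
	return off;
}

/* Build the sample, drop `drop` bytes from its end, and validate it. */
static int sample_check(size_t drop)
{
	uint8_t blob[64];
	size_t n = build_sample_blob(blob);
	return check_ntlmv2_blob(blob, n - drop);
}
```

dropping the last 4 bytes leaves a blob that still ends in a valid EOL pair but fails the check, which is exactly the case a parser treating EOL as the end of the blob gets wrong; a server that hashes over a mis-sized blob then rejects valid responses.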
using strlen() gives the number of bytes in the utf-8 string.
could use utflen() instead, but decided to just go in a loop
and get rid of the counters altogether.
UTF-16 surrogates are not handled.
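as an added example (standard C, not the factotum code), a UTF-8 to UTF-16LE conversion that walks the string with a decoder instead of strlen()/utflen() counters. it goes beyond the commit in two places: malformed, overlong and surrogate-range input is rejected rather than passed through, and code points above the BMP are emitted as surrogate pairs, which the commit says its own loop does not do:

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Decode one UTF-8 sequence at s into *cp. Returns the bytes consumed,
 * or 0 for a malformed, overlong, surrogate or out-of-range sequence.
 * A NUL inside a sequence fails the continuation check, so the decoder
 * never reads past the terminator. */
static size_t utf8_decode(const unsigned char *s, uint32_t *cp)
{
	static const uint32_t minval[] = { 0, 0, 0x80, 0x800, 0x10000 };
	unsigned char c = s[0];
	uint32_t v;
	size_t n, i;

	if (c < 0x80) {
		*cp = c;
		return 1;
	} else if ((c & 0xE0) == 0xC0) {
		v = c & 0x1F; n = 2;
	} else if ((c & 0xF0) == 0xE0) {
		v = c & 0x0F; n = 3;
	} else if ((c & 0xF8) == 0xF0) {
		v = c & 0x07; n = 4;
	} else
		return 0;
	for (i = 1; i < n; i++) {
		if ((s[i] & 0xC0) != 0x80)
			return 0;
		v = (v << 6) | (s[i] & 0x3F);
	}
	if (v < minval[n] || v > 0x10FFFF || (v >= 0xD800 && v <= 0xDFFF))
		return 0;
	*cp = v;
	return n;
}

/* Append one little-endian 16-bit unit; returns 0 on overflow. */
static int put16(unsigned char *out, size_t cap, size_t *o, uint32_t u)
{
	if (cap - *o < 2)
		return 0;
	out[(*o)++] = u & 0xff;
	out[(*o)++] = (u >> 8) & 0xff;
	return 1;
}

/* Convert NUL-terminated UTF-8 to UTF-16LE (no terminator), walking the
 * input with the decoder so no byte or rune counters are needed. Code
 * points above the BMP become surrogate pairs. Returns the bytes
 * written, or -1 on malformed input or overflow. */
static int utf8_to_utf16le(const char *s, unsigned char *out, size_t cap)
{
	const unsigned char *p = (const unsigned char *)s;
	size_t o = 0;

	while (*p) {
		uint32_t cp;
		size_t n = utf8_decode(p, &cp);
		if (n == 0)
			return -1;
		p += n;
		if (cp >= 0x10000) {
			cp -= 0x10000;
			if (!put16(out, cap, &o, 0xD800 | (cp >> 10)))
				return -1;
			cp = 0xDC00 | (cp & 0x3FF);
		}
		if (!put16(out, cap, &o, cp))
			return -1;
	}
	return (int)o;
}

/* Length in bytes of the UTF-16LE form of s, or -1 if s is malformed. */
static int utf16_len(const char *s)
{
	unsigned char buf[256];
	return utf8_to_utf16le(s, buf, sizeof buf);
}

/* Returns 1 if s converts to exactly the wantlen bytes in want. */
static int utf16_matches(const char *s, const unsigned char *want, int wantlen)
{
	unsigned char buf[256];
	int n = utf8_to_utf16le(s, buf, sizeof buf);
	return n == wantlen && memcmp(buf, want, (size_t)n) == 0;
}
```

the rejection cases matter for a password to NT hash conversion: an overlong or half-finished sequence silently mapped to some code unit would let two different byte strings hash to the same value, so failing the conversion is the safer choice.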