1 /*- 2 * Copyright (c) 1996 - 2001 Brian Somers <brian@Awfulhak.org> 3 * based on work by Toshiharu OHNO <tony-o@iij.ad.jp> 4 * Internet Initiative Japan, Inc (IIJ) 5 * All rights reserved. 6 * 7 * Redistribution and use in source and binary forms, with or without 8 * modification, are permitted provided that the following conditions 9 * are met: 10 * 1. Redistributions of source code must retain the above copyright 11 * notice, this list of conditions and the following disclaimer. 12 * 2. Redistributions in binary form must reproduce the above copyright 13 * notice, this list of conditions and the following disclaimer in the 14 * documentation and/or other materials provided with the distribution. 15 * 16 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 17 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 18 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 19 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 20 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 21 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 22 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 23 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 24 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 25 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 26 * SUCH DAMAGE. 27 * 28 * $FreeBSD: src/usr.sbin/ppp/chap.c,v 1.61.2.7 2002/09/01 02:12:23 brian Exp $ 29 * $DragonFly: src/usr.sbin/ppp/chap.c,v 1.2 2003/06/17 04:30:00 dillon Exp $ 30 */ 31 32 #include <sys/param.h> 33 #include <netinet/in.h> 34 #include <netinet/in_systm.h> 35 #include <netinet/ip.h> 36 #include <sys/socket.h> 37 #include <sys/un.h> 38 39 #include <errno.h> 40 #include <fcntl.h> 41 #ifndef NODES 42 #include <md4.h> 43 #endif 44 #include <md5.h> 45 #include <paths.h> 46 #include <signal.h> 47 #include <stdio.h> 48 #include <stdlib.h> 49 #include <string.h> 50 #include <sys/wait.h> 51 #include <termios.h> 52 #include <unistd.h> 53 54 #include "layer.h" 55 #include "mbuf.h" 56 #include "log.h" 57 #include "defs.h" 58 #include "timer.h" 59 #include "fsm.h" 60 #include "proto.h" 61 #include "lqr.h" 62 #include "hdlc.h" 63 #include "lcp.h" 64 #include "auth.h" 65 #include "async.h" 66 #include "throughput.h" 67 #include "descriptor.h" 68 #include "chap.h" 69 #include "iplist.h" 70 #include "slcompress.h" 71 #include "ncpaddr.h" 72 #include "ipcp.h" 73 #include "filter.h" 74 #include "ccp.h" 75 #include "link.h" 76 #include "physical.h" 77 #include "mp.h" 78 #ifndef NORADIUS 79 #include "radius.h" 80 #endif 81 #include "ipv6cp.h" 82 #include "ncp.h" 83 #include "bundle.h" 84 #include "chat.h" 85 #include "cbcp.h" 86 #include "command.h" 87 #include "datalink.h" 88 #ifndef NODES 89 #include "chap_ms.h" 90 #include "mppe.h" 91 #endif 92 #include "id.h" 93 94 static const char * const chapcodes[] = { 95 "???", "CHALLENGE", "RESPONSE", "SUCCESS", "FAILURE" 96 }; 97 #define MAXCHAPCODE (sizeof chapcodes / sizeof chapcodes[0] - 1) 98 99 static void 100 ChapOutput(struct physical *physical, u_int code, u_int id, 101 const u_char *ptr, int count, const char *text) 102 { 103 int plen; 104 struct fsmheader lh; 105 struct mbuf *bp; 106 107 plen = sizeof(struct fsmheader) + count; 108 lh.code = code; 109 lh.id = id; 110 lh.length = htons(plen); 111 bp = m_get(plen, MB_CHAPOUT); 112 memcpy(MBUF_CTOP(bp), &lh, sizeof(struct fsmheader)); 113 if (count) 114 memcpy(MBUF_CTOP(bp) + sizeof(struct fsmheader), ptr, count); 115 log_DumpBp(LogDEBUG, "ChapOutput", bp); 116 if (text == NULL) 117 log_Printf(LogPHASE, "Chap Output: %s\n", chapcodes[code]); 118 else 119 log_Printf(LogPHASE, "Chap Output: %s (%s)\n", chapcodes[code], text); 120 link_PushPacket(&physical->link, bp, physical->dl->bundle, 121 LINK_QUEUES(&physical->link) - 1, PROTO_CHAP); 122 } 123 124 static char * 125 chap_BuildAnswer(char *name, char *key, u_char id, char *challenge, u_char type 126 #ifndef NODES 127 , char *peerchallenge, char *authresponse, int lanman 128 #endif 129 ) 130 { 131 char *result, *digest; 132 size_t nlen, klen; 133 134 nlen = strlen(name); 135 klen = strlen(key); 136 137 #ifndef NODES 138 if (type == 0x80) { 139 char expkey[AUTHLEN << 2]; 140 MD4_CTX MD4context; 141 int f; 142 143 if ((result = malloc(1 + nlen + MS_CHAP_RESPONSE_LEN)) == NULL) 144 return result; 145 146 digest = result; /* the response */ 147 *digest++ = MS_CHAP_RESPONSE_LEN; /* 49 */ 148 memcpy(digest + MS_CHAP_RESPONSE_LEN, name, nlen); 149 if (lanman) { 150 memset(digest + 24, '\0', 25); 151 mschap_LANMan(digest, challenge + 1, key); /* LANMan response */ 152 } else { 153 memset(digest, '\0', 25); 154 digest += 24; 155 156 for (f = 0; f < klen; f++) { 157 expkey[2*f] = key[f]; 158 expkey[2*f+1] = '\0'; 159 } 160 /* 161 * ----------- 162 * expkey = | k\0e\0y\0 | 163 * ----------- 164 */ 165 MD4Init(&MD4context); 166 MD4Update(&MD4context, expkey, klen << 1); 167 MD4Final(digest, &MD4context); 168 169 /* 170 * ---- -------- ---------------- ------- ------ 171 * result = | 49 | LANMan | 16 byte digest | 9 * ? | name | 172 * ---- -------- ---------------- ------- ------ 173 */ 174 mschap_NT(digest, challenge + 1); 175 } 176 /* 177 * ---- -------- ------------- ----- ------ 178 * | | struct MS_ChapResponse24 | | 179 * result = | 49 | LANMan | NT digest | 0/1 | name | 180 * ---- -------- ------------- ----- ------ 181 * where only one of LANMan & NT digest are set. 182 */ 183 } else if (type == 0x81) { 184 char expkey[AUTHLEN << 2]; 185 char pwdhash[CHAP81_HASH_LEN]; 186 char pwdhashhash[CHAP81_HASH_LEN]; 187 char *ntresponse; 188 int f; 189 190 if ((result = malloc(1 + nlen + CHAP81_RESPONSE_LEN)) == NULL) 191 return result; 192 193 memset(result, 0, 1 + nlen + CHAP81_RESPONSE_LEN); 194 195 digest = result; 196 *digest++ = CHAP81_RESPONSE_LEN; /* value size */ 197 198 /* Copy our challenge */ 199 memcpy(digest, peerchallenge + 1, CHAP81_CHALLENGE_LEN); 200 201 /* Expand password to Unicode XXX */ 202 for (f = 0; f < klen; f++) { 203 expkey[2*f] = key[f]; 204 expkey[2*f+1] = '\0'; 205 } 206 207 ntresponse = digest + CHAP81_NTRESPONSE_OFF; 208 209 /* Get some needed hashes */ 210 NtPasswordHash(expkey, klen * 2, pwdhash); 211 HashNtPasswordHash(pwdhash, pwdhashhash); 212 213 /* Generate NTRESPONSE to respond on challenge call */ 214 GenerateNTResponse(challenge + 1, peerchallenge + 1, name, nlen, 215 expkey, klen * 2, ntresponse); 216 217 /* Generate MPPE MASTERKEY */ 218 GetMasterKey(pwdhashhash, ntresponse, MPPE_MasterKey); /* XXX Global ! */ 219 220 /* Generate AUTHRESPONSE to verify on auth success */ 221 GenerateAuthenticatorResponse(expkey, klen * 2, ntresponse, 222 peerchallenge + 1, challenge + 1, name, nlen, 223 authresponse); 224 225 authresponse[CHAP81_AUTHRESPONSE_LEN] = 0; 226 227 memcpy(digest + CHAP81_RESPONSE_LEN, name, nlen); 228 } else 229 #endif 230 if ((result = malloc(nlen + 17)) != NULL) { 231 /* Normal MD5 stuff */ 232 MD5_CTX MD5context; 233 234 digest = result; 235 *digest++ = 16; /* value size */ 236 237 MD5Init(&MD5context); 238 MD5Update(&MD5context, &id, 1); 239 MD5Update(&MD5context, key, klen); 240 MD5Update(&MD5context, challenge + 1, *challenge); 241 MD5Final(digest, &MD5context); 242 243 memcpy(digest + 16, name, nlen); 244 /* 245 * ---- -------- ------ 246 * result = | 16 | digest | name | 247 * ---- -------- ------ 248 */ 249 } 250 251 return result; 252 } 253 254 static void 255 chap_StartChild(struct chap *chap, char *prog, const char *name) 256 { 257 char *argv[MAXARGS], *nargv[MAXARGS]; 258 int argc, fd; 259 int in[2], out[2]; 260 pid_t pid; 261 262 if (chap->child.fd != -1) { 263 log_Printf(LogWARN, "Chap: %s: Program already running\n", prog); 264 return; 265 } 266 267 if (pipe(in) == -1) { 268 log_Printf(LogERROR, "Chap: pipe: %s\n", strerror(errno)); 269 return; 270 } 271 272 if (pipe(out) == -1) { 273 log_Printf(LogERROR, "Chap: pipe: %s\n", strerror(errno)); 274 close(in[0]); 275 close(in[1]); 276 return; 277 } 278 279 pid = getpid(); 280 switch ((chap->child.pid = fork())) { 281 case -1: 282 log_Printf(LogERROR, "Chap: fork: %s\n", strerror(errno)); 283 close(in[0]); 284 close(in[1]); 285 close(out[0]); 286 close(out[1]); 287 chap->child.pid = 0; 288 return; 289 290 case 0: 291 timer_TermService(); 292 293 if ((argc = command_Interpret(prog, strlen(prog), argv)) <= 0) { 294 if (argc < 0) { 295 log_Printf(LogWARN, "CHAP: Invalid command syntax\n"); 296 _exit(255); 297 } 298 _exit(0); 299 } 300 301 close(in[1]); 302 close(out[0]); 303 if (out[1] == STDIN_FILENO) 304 out[1] = dup(out[1]); 305 dup2(in[0], STDIN_FILENO); 306 dup2(out[1], STDOUT_FILENO); 307 close(STDERR_FILENO); 308 if (open(_PATH_DEVNULL, O_RDWR) != STDERR_FILENO) { 309 log_Printf(LogALERT, "Chap: Failed to open %s: %s\n", 310 _PATH_DEVNULL, strerror(errno)); 311 exit(1); 312 } 313 for (fd = getdtablesize(); fd > STDERR_FILENO; fd--) 314 fcntl(fd, F_SETFD, 1); 315 #ifndef NOSUID 316 setuid(ID0realuid()); 317 #endif 318 command_Expand(nargv, argc, (char const *const *)argv, 319 chap->auth.physical->dl->bundle, 0, pid); 320 execvp(nargv[0], nargv); 321 printf("exec() of %s failed: %s\n", nargv[0], strerror(errno)); 322 _exit(255); 323 324 default: 325 close(in[0]); 326 close(out[1]); 327 chap->child.fd = out[0]; 328 chap->child.buf.len = 0; 329 write(in[1], chap->auth.in.name, strlen(chap->auth.in.name)); 330 write(in[1], "\n", 1); 331 write(in[1], chap->challenge.peer + 1, *chap->challenge.peer); 332 write(in[1], "\n", 1); 333 write(in[1], name, strlen(name)); 334 write(in[1], "\n", 1); 335 close(in[1]); 336 break; 337 } 338 } 339 340 static void 341 chap_Cleanup(struct chap *chap, int sig) 342 { 343 if (chap->child.pid) { 344 int status; 345 346 close(chap->child.fd); 347 chap->child.fd = -1; 348 if (sig) 349 kill(chap->child.pid, SIGTERM); 350 chap->child.pid = 0; 351 chap->child.buf.len = 0; 352 353 if (wait(&status) == -1) 354 log_Printf(LogERROR, "Chap: wait: %s\n", strerror(errno)); 355 else if (WIFSIGNALED(status)) 356 log_Printf(LogWARN, "Chap: Child received signal %d\n", WTERMSIG(status)); 357 else if (WIFEXITED(status) && WEXITSTATUS(status)) 358 log_Printf(LogERROR, "Chap: Child exited %d\n", WEXITSTATUS(status)); 359 } 360 *chap->challenge.local = *chap->challenge.peer = '\0'; 361 #ifndef NODES 362 chap->peertries = 0; 363 #endif 364 } 365 366 static void 367 chap_Respond(struct chap *chap, char *name, char *key, u_char type 368 #ifndef NODES 369 , int lm 370 #endif 371 ) 372 { 373 u_char *ans; 374 375 ans = chap_BuildAnswer(name, key, chap->auth.id, chap->challenge.peer, type 376 #ifndef NODES 377 , chap->challenge.local, chap->authresponse, lm 378 #endif 379 ); 380 381 if (ans) { 382 ChapOutput(chap->auth.physical, CHAP_RESPONSE, chap->auth.id, 383 ans, *ans + 1 + strlen(name), name); 384 #ifndef NODES 385 chap->NTRespSent = !lm; 386 MPPE_IsServer = 0; /* XXX Global ! */ 387 #endif 388 free(ans); 389 } else 390 ChapOutput(chap->auth.physical, CHAP_FAILURE, chap->auth.id, 391 "Out of memory!", 14, NULL); 392 } 393 394 static int 395 chap_UpdateSet(struct fdescriptor *d, fd_set *r, fd_set *w, fd_set *e, int *n) 396 { 397 struct chap *chap = descriptor2chap(d); 398 399 if (r && chap && chap->child.fd != -1) { 400 FD_SET(chap->child.fd, r); 401 if (*n < chap->child.fd + 1) 402 *n = chap->child.fd + 1; 403 log_Printf(LogTIMER, "Chap: fdset(r) %d\n", chap->child.fd); 404 return 1; 405 } 406 407 return 0; 408 } 409 410 static int 411 chap_IsSet(struct fdescriptor *d, const fd_set *fdset) 412 { 413 struct chap *chap = descriptor2chap(d); 414 415 return chap && chap->child.fd != -1 && FD_ISSET(chap->child.fd, fdset); 416 } 417 418 static void 419 chap_Read(struct fdescriptor *d, struct bundle *bundle, const fd_set *fdset) 420 { 421 struct chap *chap = descriptor2chap(d); 422 int got; 423 424 got = read(chap->child.fd, chap->child.buf.ptr + chap->child.buf.len, 425 sizeof chap->child.buf.ptr - chap->child.buf.len - 1); 426 if (got == -1) { 427 log_Printf(LogERROR, "Chap: Read: %s\n", strerror(errno)); 428 chap_Cleanup(chap, SIGTERM); 429 } else if (got == 0) { 430 log_Printf(LogWARN, "Chap: Read: Child terminated connection\n"); 431 chap_Cleanup(chap, SIGTERM); 432 } else { 433 char *name, *key, *end; 434 435 chap->child.buf.len += got; 436 chap->child.buf.ptr[chap->child.buf.len] = '\0'; 437 name = chap->child.buf.ptr; 438 name += strspn(name, " \t"); 439 if ((key = strchr(name, '\n')) == NULL) 440 end = NULL; 441 else 442 end = strchr(++key, '\n'); 443 444 if (end == NULL) { 445 if (chap->child.buf.len == sizeof chap->child.buf.ptr - 1) { 446 log_Printf(LogWARN, "Chap: Read: Input buffer overflow\n"); 447 chap_Cleanup(chap, SIGTERM); 448 } 449 } else { 450 #ifndef NODES 451 int lanman = chap->auth.physical->link.lcp.his_authtype == 0x80 && 452 ((chap->NTRespSent && 453 IsAccepted(chap->auth.physical->link.lcp.cfg.chap80lm)) || 454 !IsAccepted(chap->auth.physical->link.lcp.cfg.chap80nt)); 455 #endif 456 457 while (end >= name && strchr(" \t\r\n", *end)) 458 *end-- = '\0'; 459 end = key - 1; 460 while (end >= name && strchr(" \t\r\n", *end)) 461 *end-- = '\0'; 462 key += strspn(key, " \t"); 463 464 chap_Respond(chap, name, key, chap->auth.physical->link.lcp.his_authtype 465 #ifndef NODES 466 , lanman 467 #endif 468 ); 469 chap_Cleanup(chap, 0); 470 } 471 } 472 } 473 474 static int 475 chap_Write(struct fdescriptor *d, struct bundle *bundle, const fd_set *fdset) 476 { 477 /* We never want to write here ! */ 478 log_Printf(LogALERT, "chap_Write: Internal error: Bad call !\n"); 479 return 0; 480 } 481 482 static void 483 chap_ChallengeInit(struct authinfo *authp) 484 { 485 struct chap *chap = auth2chap(authp); 486 int len, i; 487 char *cp; 488 489 len = strlen(authp->physical->dl->bundle->cfg.auth.name); 490 491 if (!*chap->challenge.local) { 492 randinit(); 493 cp = chap->challenge.local; 494 495 #ifndef NORADIUS 496 if (*authp->physical->dl->bundle->radius.cfg.file) { 497 /* For radius, our challenge is 16 readable NUL terminated bytes :*/ 498 *cp++ = 16; 499 for (i = 0; i < 16; i++) 500 *cp++ = (random() % 10) + '0'; 501 } else 502 #endif 503 { 504 #ifndef NODES 505 if (authp->physical->link.lcp.want_authtype == 0x80) 506 *cp++ = 8; /* MS does 8 byte callenges :-/ */ 507 else if (authp->physical->link.lcp.want_authtype == 0x81) 508 *cp++ = 16; /* MS-CHAP-V2 does 16 bytes challenges */ 509 else 510 #endif 511 *cp++ = random() % (CHAPCHALLENGELEN-16) + 16; 512 for (i = 0; i < *chap->challenge.local; i++) 513 *cp++ = random() & 0xff; 514 } 515 memcpy(cp, authp->physical->dl->bundle->cfg.auth.name, len); 516 } 517 } 518 519 static void 520 chap_Challenge(struct authinfo *authp) 521 { 522 struct chap *chap = auth2chap(authp); 523 int len; 524 525 log_Printf(LogDEBUG, "CHAP%02X: Challenge\n", 526 authp->physical->link.lcp.want_authtype); 527 528 len = strlen(authp->physical->dl->bundle->cfg.auth.name); 529 530 /* Generate new local challenge value */ 531 if (!*chap->challenge.local) 532 chap_ChallengeInit(authp); 533 534 #ifndef NODES 535 if (authp->physical->link.lcp.want_authtype == 0x81) 536 ChapOutput(authp->physical, CHAP_CHALLENGE, authp->id, 537 chap->challenge.local, 1 + *chap->challenge.local, NULL); 538 else 539 #endif 540 ChapOutput(authp->physical, CHAP_CHALLENGE, authp->id, 541 chap->challenge.local, 1 + *chap->challenge.local + len, NULL); 542 } 543 544 static void 545 chap_Success(struct authinfo *authp) 546 { 547 struct bundle *bundle = authp->physical->dl->bundle; 548 const char *msg; 549 550 datalink_GotAuthname(authp->physical->dl, authp->in.name); 551 #ifndef NODES 552 if (authp->physical->link.lcp.want_authtype == 0x81) { 553 #ifndef NORADIUS 554 if (*bundle->radius.cfg.file && bundle->radius.msrepstr) 555 msg = bundle->radius.msrepstr; 556 else 557 #endif 558 msg = auth2chap(authp)->authresponse; 559 MPPE_MasterKeyValid = 1; /* XXX Global ! */ 560 } else 561 #endif 562 #ifndef NORADIUS 563 if (*bundle->radius.cfg.file && bundle->radius.repstr) 564 msg = bundle->radius.repstr; 565 else 566 #endif 567 msg = "Welcome!!"; 568 569 ChapOutput(authp->physical, CHAP_SUCCESS, authp->id, msg, strlen(msg), 570 NULL); 571 572 authp->physical->link.lcp.auth_ineed = 0; 573 if (Enabled(bundle, OPT_UTMP)) 574 physical_Login(authp->physical, authp->in.name); 575 576 if (authp->physical->link.lcp.auth_iwait == 0) 577 /* 578 * Either I didn't need to authenticate, or I've already been 579 * told that I got the answer right. 580 */ 581 datalink_AuthOk(authp->physical->dl); 582 } 583 584 static void 585 chap_Failure(struct authinfo *authp) 586 { 587 #ifndef NODES 588 char buf[1024], *ptr; 589 #endif 590 const char *msg; 591 592 #ifndef NORADIUS 593 struct bundle *bundle = authp->physical->link.lcp.fsm.bundle; 594 if (*bundle->radius.cfg.file && bundle->radius.errstr) 595 msg = bundle->radius.errstr; 596 else 597 #endif 598 #ifndef NODES 599 if (authp->physical->link.lcp.want_authtype == 0x80) { 600 sprintf(buf, "E=691 R=1 M=Invalid!"); 601 msg = buf; 602 } else if (authp->physical->link.lcp.want_authtype == 0x81) { 603 int i; 604 605 ptr = buf; 606 ptr += sprintf(buf, "E=691 R=0 C="); 607 for (i=0; i<16; i++) 608 ptr += sprintf(ptr, "%02X", *(auth2chap(authp)->challenge.local+1+i)); 609 610 sprintf(ptr, " V=3 M=Invalid!"); 611 msg = buf; 612 } else 613 #endif 614 msg = "Invalid!!"; 615 616 ChapOutput(authp->physical, CHAP_FAILURE, authp->id, msg, strlen(msg) + 1, 617 NULL); 618 datalink_AuthNotOk(authp->physical->dl); 619 } 620 621 static int 622 chap_Cmp(u_char type, char *myans, int mylen, char *hisans, int hislen 623 #ifndef NODES 624 , int lm 625 #endif 626 ) 627 { 628 if (mylen != hislen) 629 return 0; 630 #ifndef NODES 631 else if (type == 0x80) { 632 int off = lm ? 0 : 24; 633 634 if (memcmp(myans + off, hisans + off, 24)) 635 return 0; 636 } 637 #endif 638 else if (memcmp(myans, hisans, mylen)) 639 return 0; 640 641 return 1; 642 } 643 644 #ifndef NODES 645 static int 646 chap_HaveAnotherGo(struct chap *chap) 647 { 648 if (++chap->peertries < 3) { 649 /* Give the peer another shot */ 650 *chap->challenge.local = '\0'; 651 chap_Challenge(&chap->auth); 652 return 1; 653 } 654 655 return 0; 656 } 657 #endif 658 659 void 660 chap_Init(struct chap *chap, struct physical *p) 661 { 662 chap->desc.type = CHAP_DESCRIPTOR; 663 chap->desc.UpdateSet = chap_UpdateSet; 664 chap->desc.IsSet = chap_IsSet; 665 chap->desc.Read = chap_Read; 666 chap->desc.Write = chap_Write; 667 chap->child.pid = 0; 668 chap->child.fd = -1; 669 auth_Init(&chap->auth, p, chap_Challenge, chap_Success, chap_Failure); 670 *chap->challenge.local = *chap->challenge.peer = '\0'; 671 #ifndef NODES 672 chap->NTRespSent = 0; 673 chap->peertries = 0; 674 #endif 675 } 676 677 void 678 chap_ReInit(struct chap *chap) 679 { 680 chap_Cleanup(chap, SIGTERM); 681 } 682 683 struct mbuf * 684 chap_Input(struct bundle *bundle, struct link *l, struct mbuf *bp) 685 { 686 struct physical *p = link2physical(l); 687 struct chap *chap = &p->dl->chap; 688 char *name, *key, *ans; 689 int len, nlen; 690 u_char alen; 691 #ifndef NODES 692 int lanman; 693 #endif 694 695 if (p == NULL) { 696 log_Printf(LogERROR, "chap_Input: Not a physical link - dropped\n"); 697 m_freem(bp); 698 return NULL; 699 } 700 701 if (bundle_Phase(bundle) != PHASE_NETWORK && 702 bundle_Phase(bundle) != PHASE_AUTHENTICATE) { 703 log_Printf(LogPHASE, "Unexpected chap input - dropped !\n"); 704 m_freem(bp); 705 return NULL; 706 } 707 708 m_settype(bp, MB_CHAPIN); 709 if ((bp = auth_ReadHeader(&chap->auth, bp)) == NULL && 710 ntohs(chap->auth.in.hdr.length) == 0) 711 log_Printf(LogWARN, "Chap Input: Truncated header !\n"); 712 else if (chap->auth.in.hdr.code == 0 || chap->auth.in.hdr.code > MAXCHAPCODE) 713 log_Printf(LogPHASE, "Chap Input: %d: Bad CHAP code !\n", 714 chap->auth.in.hdr.code); 715 else { 716 len = m_length(bp); 717 ans = NULL; 718 719 if (chap->auth.in.hdr.code != CHAP_CHALLENGE && 720 chap->auth.id != chap->auth.in.hdr.id && 721 Enabled(bundle, OPT_IDCHECK)) { 722 /* Wrong conversation dude ! */ 723 log_Printf(LogPHASE, "Chap Input: %s dropped (got id %d, not %d)\n", 724 chapcodes[chap->auth.in.hdr.code], chap->auth.in.hdr.id, 725 chap->auth.id); 726 m_freem(bp); 727 return NULL; 728 } 729 chap->auth.id = chap->auth.in.hdr.id; /* We respond with this id */ 730 731 #ifndef NODES 732 lanman = 0; 733 #endif 734 switch (chap->auth.in.hdr.code) { 735 case CHAP_CHALLENGE: 736 bp = mbuf_Read(bp, &alen, 1); 737 len -= alen + 1; 738 if (len < 0) { 739 log_Printf(LogERROR, "Chap Input: Truncated challenge !\n"); 740 m_freem(bp); 741 return NULL; 742 } 743 *chap->challenge.peer = alen; 744 bp = mbuf_Read(bp, chap->challenge.peer + 1, alen); 745 bp = auth_ReadName(&chap->auth, bp, len); 746 #ifndef NODES 747 lanman = p->link.lcp.his_authtype == 0x80 && 748 ((chap->NTRespSent && IsAccepted(p->link.lcp.cfg.chap80lm)) || 749 !IsAccepted(p->link.lcp.cfg.chap80nt)); 750 751 /* Generate local challenge value */ 752 chap_ChallengeInit(&chap->auth); 753 #endif 754 break; 755 756 case CHAP_RESPONSE: 757 auth_StopTimer(&chap->auth); 758 bp = mbuf_Read(bp, &alen, 1); 759 len -= alen + 1; 760 if (len < 0) { 761 log_Printf(LogERROR, "Chap Input: Truncated response !\n"); 762 m_freem(bp); 763 return NULL; 764 } 765 if ((ans = malloc(alen + 1)) == NULL) { 766 log_Printf(LogERROR, "Chap Input: Out of memory !\n"); 767 m_freem(bp); 768 return NULL; 769 } 770 *ans = chap->auth.id; 771 bp = mbuf_Read(bp, ans + 1, alen); 772 bp = auth_ReadName(&chap->auth, bp, len); 773 #ifndef NODES 774 lanman = p->link.lcp.want_authtype == 0x80 && 775 alen == 49 && ans[alen] == 0; 776 #endif 777 break; 778 779 case CHAP_SUCCESS: 780 case CHAP_FAILURE: 781 /* chap->auth.in.name is already set up at CHALLENGE time */ 782 if ((ans = malloc(len + 1)) == NULL) { 783 log_Printf(LogERROR, "Chap Input: Out of memory !\n"); 784 m_freem(bp); 785 return NULL; 786 } 787 bp = mbuf_Read(bp, ans, len); 788 ans[len] = '\0'; 789 break; 790 } 791 792 switch (chap->auth.in.hdr.code) { 793 case CHAP_CHALLENGE: 794 case CHAP_RESPONSE: 795 if (*chap->auth.in.name) 796 log_Printf(LogPHASE, "Chap Input: %s (%d bytes from %s%s)\n", 797 chapcodes[chap->auth.in.hdr.code], alen, 798 chap->auth.in.name, 799 #ifndef NODES 800 lanman && chap->auth.in.hdr.code == CHAP_RESPONSE ? 801 " - lanman" : 802 #endif 803 ""); 804 else 805 log_Printf(LogPHASE, "Chap Input: %s (%d bytes%s)\n", 806 chapcodes[chap->auth.in.hdr.code], alen, 807 #ifndef NODES 808 lanman && chap->auth.in.hdr.code == CHAP_RESPONSE ? 809 " - lanman" : 810 #endif 811 ""); 812 break; 813 814 case CHAP_SUCCESS: 815 case CHAP_FAILURE: 816 if (*ans) 817 log_Printf(LogPHASE, "Chap Input: %s (%s)\n", 818 chapcodes[chap->auth.in.hdr.code], ans); 819 else 820 log_Printf(LogPHASE, "Chap Input: %s\n", 821 chapcodes[chap->auth.in.hdr.code]); 822 break; 823 } 824 825 switch (chap->auth.in.hdr.code) { 826 case CHAP_CHALLENGE: 827 if (*bundle->cfg.auth.key == '!' && bundle->cfg.auth.key[1] != '!') 828 chap_StartChild(chap, bundle->cfg.auth.key + 1, 829 bundle->cfg.auth.name); 830 else 831 chap_Respond(chap, bundle->cfg.auth.name, bundle->cfg.auth.key + 832 (*bundle->cfg.auth.key == '!' ? 1 : 0), 833 p->link.lcp.his_authtype 834 #ifndef NODES 835 , lanman 836 #endif 837 ); 838 break; 839 840 case CHAP_RESPONSE: 841 name = chap->auth.in.name; 842 nlen = strlen(name); 843 #ifndef NODES 844 if (p->link.lcp.want_authtype == 0x81) { 845 struct MSCHAPv2_resp *resp = (struct MSCHAPv2_resp *)(ans + 1); 846 847 chap->challenge.peer[0] = sizeof resp->PeerChallenge; 848 memcpy(chap->challenge.peer + 1, resp->PeerChallenge, 849 sizeof resp->PeerChallenge); 850 } 851 #endif 852 853 #ifndef NORADIUS 854 if (*bundle->radius.cfg.file) { 855 if (!radius_Authenticate(&bundle->radius, &chap->auth, 856 chap->auth.in.name, ans, alen + 1, 857 chap->challenge.local + 1, 858 *chap->challenge.local)) 859 chap_Failure(&chap->auth); 860 } else 861 #endif 862 { 863 if (p->link.lcp.want_authtype == 0x81 && ans[alen] != '\0' && 864 alen == sizeof(struct MSCHAPv2_resp)) { 865 struct MSCHAPv2_resp *resp = (struct MSCHAPv2_resp *)(ans + 1); 866 867 log_Printf(LogWARN, "%s: Compensating for corrupt (Win98/WinME?) " 868 "CHAP81 RESPONSE\n", l->name); 869 resp->Flags = '\0'; /* rfc2759 says it *MUST* be zero */ 870 } 871 key = auth_GetSecret(bundle, name, nlen, p); 872 if (key) { 873 #ifndef NODES 874 if (p->link.lcp.want_authtype == 0x80 && 875 lanman && !IsEnabled(p->link.lcp.cfg.chap80lm)) { 876 log_Printf(LogPHASE, "Auth failure: LANMan not enabled\n"); 877 if (chap_HaveAnotherGo(chap)) 878 break; 879 key = NULL; 880 } else if (p->link.lcp.want_authtype == 0x80 && 881 !lanman && !IsEnabled(p->link.lcp.cfg.chap80nt)) { 882 log_Printf(LogPHASE, "Auth failure: mschap not enabled\n"); 883 if (chap_HaveAnotherGo(chap)) 884 break; 885 key = NULL; 886 } else if (p->link.lcp.want_authtype == 0x81 && 887 !IsEnabled(p->link.lcp.cfg.chap81)) { 888 log_Printf(LogPHASE, "Auth failure: CHAP81 not enabled\n"); 889 key = NULL; 890 } else 891 #endif 892 { 893 char *myans = chap_BuildAnswer(name, key, chap->auth.id, 894 chap->challenge.local, 895 p->link.lcp.want_authtype 896 #ifndef NODES 897 , chap->challenge.peer, 898 chap->authresponse, lanman); 899 MPPE_IsServer = 1; /* XXX Global ! */ 900 #else 901 ); 902 #endif 903 if (myans == NULL) 904 key = NULL; 905 else { 906 if (!chap_Cmp(p->link.lcp.want_authtype, myans + 1, *myans, 907 ans + 1, alen 908 #ifndef NODES 909 , lanman 910 #endif 911 )) 912 key = NULL; 913 free(myans); 914 } 915 } 916 } 917 918 if (key) 919 chap_Success(&chap->auth); 920 else 921 chap_Failure(&chap->auth); 922 } 923 924 break; 925 926 case CHAP_SUCCESS: 927 if (p->link.lcp.auth_iwait == PROTO_CHAP) { 928 p->link.lcp.auth_iwait = 0; 929 if (p->link.lcp.auth_ineed == 0) { 930 #ifndef NODES 931 if (p->link.lcp.his_authtype == 0x81) { 932 if (strncasecmp(ans, chap->authresponse, 42)) { 933 datalink_AuthNotOk(p->dl); 934 log_Printf(LogWARN, "CHAP81: AuthenticatorResponse: (%.42s)" 935 " != ans: (%.42s)\n", chap->authresponse, ans); 936 937 } else { 938 /* Successful login */ 939 MPPE_MasterKeyValid = 1; /* XXX Global ! */ 940 datalink_AuthOk(p->dl); 941 } 942 } else 943 #endif 944 /* 945 * We've succeeded in our ``login'' 946 * If we're not expecting the peer to authenticate (or he already 947 * has), proceed to network phase. 948 */ 949 datalink_AuthOk(p->dl); 950 } 951 } 952 break; 953 954 case CHAP_FAILURE: 955 datalink_AuthNotOk(p->dl); 956 break; 957 } 958 free(ans); 959 } 960 961 m_freem(bp); 962 return NULL; 963 } 964