1 /*- 2 * Copyright (c) 1996 - 2001 Brian Somers <brian@Awfulhak.org> 3 * based on work by Toshiharu OHNO <tony-o@iij.ad.jp> 4 * Internet Initiative Japan, Inc (IIJ) 5 * All rights reserved. 6 * 7 * Redistribution and use in source and binary forms, with or without 8 * modification, are permitted provided that the following conditions 9 * are met: 10 * 1. Redistributions of source code must retain the above copyright 11 * notice, this list of conditions and the following disclaimer. 12 * 2. Redistributions in binary form must reproduce the above copyright 13 * notice, this list of conditions and the following disclaimer in the 14 * documentation and/or other materials provided with the distribution. 15 * 16 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 17 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 18 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 19 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 20 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 21 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 22 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 23 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 24 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 25 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 26 * SUCH DAMAGE. 27 * 28 * $FreeBSD: src/usr.sbin/ppp/chap.c,v 1.61.2.7 2002/09/01 02:12:23 brian Exp $ 29 * $DragonFly: src/usr.sbin/ppp/chap.c,v 1.2 2003/06/17 04:30:00 dillon Exp $ 30 */ 31 32 #include <sys/param.h> 33 #include <netinet/in.h> 34 #include <netinet/in_systm.h> 35 #include <netinet/ip.h> 36 #include <sys/socket.h> 37 #include <sys/un.h> 38 39 #include <ctype.h> 40 #include <errno.h> 41 #include <fcntl.h> 42 #ifndef NODES 43 #include <md4.h> 44 #endif 45 #include <md5.h> 46 #include <paths.h> 47 #include <signal.h> 48 #include <stdio.h> 49 #include <stdlib.h> 50 #include <string.h> 51 #include <sys/wait.h> 52 #include <termios.h> 53 #include <unistd.h> 54 55 #include "layer.h" 56 #include "mbuf.h" 57 #include "log.h" 58 #include "defs.h" 59 #include "timer.h" 60 #include "fsm.h" 61 #include "proto.h" 62 #include "lqr.h" 63 #include "hdlc.h" 64 #include "lcp.h" 65 #include "auth.h" 66 #include "async.h" 67 #include "throughput.h" 68 #include "descriptor.h" 69 #include "chap.h" 70 #include "iplist.h" 71 #include "slcompress.h" 72 #include "ncpaddr.h" 73 #include "ipcp.h" 74 #include "filter.h" 75 #include "ccp.h" 76 #include "link.h" 77 #include "physical.h" 78 #include "mp.h" 79 #ifndef NORADIUS 80 #include "radius.h" 81 #endif 82 #include "ipv6cp.h" 83 #include "ncp.h" 84 #include "bundle.h" 85 #include "chat.h" 86 #include "cbcp.h" 87 #include "command.h" 88 #include "datalink.h" 89 #ifndef NODES 90 #include "chap_ms.h" 91 #include "mppe.h" 92 #endif 93 #include "id.h" 94 95 static const char * const chapcodes[] = { 96 "???", "CHALLENGE", "RESPONSE", "SUCCESS", "FAILURE" 97 }; 98 #define MAXCHAPCODE (sizeof chapcodes / sizeof chapcodes[0] - 1) 99 100 static void 101 ChapOutput(struct physical *physical, u_int code, u_int id, 102 const u_char *ptr, int count, const char *text) 103 { 104 int plen; 105 struct fsmheader lh; 106 struct mbuf *bp; 107 108 plen = sizeof(struct fsmheader) + count; 109 lh.code = code; 110 lh.id = id; 111 lh.length = htons(plen); 112 bp = m_get(plen, MB_CHAPOUT); 113 memcpy(MBUF_CTOP(bp), &lh, sizeof(struct fsmheader)); 114 if (count) 115 memcpy(MBUF_CTOP(bp) + sizeof(struct fsmheader), ptr, count); 116 log_DumpBp(LogDEBUG, "ChapOutput", bp); 117 if (text == NULL) 118 log_Printf(LogPHASE, "Chap Output: %s\n", chapcodes[code]); 119 else 120 log_Printf(LogPHASE, "Chap Output: %s (%s)\n", chapcodes[code], text); 121 link_PushPacket(&physical->link, bp, physical->dl->bundle, 122 LINK_QUEUES(&physical->link) - 1, PROTO_CHAP); 123 } 124 125 static char * 126 chap_BuildAnswer(char *name, char *key, u_char id, char *challenge 127 #ifndef NODES 128 , u_char type, char *peerchallenge, char *authresponse, 129 int lanman 130 #endif 131 ) 132 { 133 char *result, *digest; 134 size_t nlen, klen; 135 136 nlen = strlen(name); 137 klen = strlen(key); 138 139 #ifndef NODES 140 if (type == 0x80) { 141 char expkey[AUTHLEN << 2]; 142 MD4_CTX MD4context; 143 size_t f; 144 145 if ((result = malloc(1 + nlen + MS_CHAP_RESPONSE_LEN)) == NULL) 146 return result; 147 148 digest = result; /* the response */ 149 *digest++ = MS_CHAP_RESPONSE_LEN; /* 49 */ 150 memcpy(digest + MS_CHAP_RESPONSE_LEN, name, nlen); 151 if (lanman) { 152 memset(digest + 24, '\0', 25); 153 mschap_LANMan(digest, challenge + 1, key); /* LANMan response */ 154 } else { 155 memset(digest, '\0', 25); 156 digest += 24; 157 158 for (f = 0; f < klen; f++) { 159 expkey[2*f] = key[f]; 160 expkey[2*f+1] = '\0'; 161 } 162 /* 163 * ----------- 164 * expkey = | k\0e\0y\0 | 165 * ----------- 166 */ 167 MD4Init(&MD4context); 168 MD4Update(&MD4context, expkey, klen << 1); 169 MD4Final(digest, &MD4context); 170 171 /* 172 * ---- -------- ---------------- ------- ------ 173 * result = | 49 | LANMan | 16 byte digest | 9 * ? | name | 174 * ---- -------- ---------------- ------- ------ 175 */ 176 mschap_NT(digest, challenge + 1); 177 } 178 /* 179 * ---- -------- ------------- ----- ------ 180 * | | struct MS_ChapResponse24 | | 181 * result = | 49 | LANMan | NT digest | 0/1 | name | 182 * ---- -------- ------------- ----- ------ 183 * where only one of LANMan & NT digest are set. 184 */ 185 } else if (type == 0x81) { 186 char expkey[AUTHLEN << 2]; 187 char pwdhash[CHAP81_HASH_LEN]; 188 char pwdhashhash[CHAP81_HASH_LEN]; 189 char *ntresponse; 190 size_t f; 191 192 if ((result = malloc(1 + nlen + CHAP81_RESPONSE_LEN)) == NULL) 193 return result; 194 195 memset(result, 0, 1 + nlen + CHAP81_RESPONSE_LEN); 196 197 digest = result; 198 *digest++ = CHAP81_RESPONSE_LEN; /* value size */ 199 200 /* Copy our challenge */ 201 memcpy(digest, peerchallenge + 1, CHAP81_CHALLENGE_LEN); 202 203 /* Expand password to Unicode XXX */ 204 for (f = 0; f < klen; f++) { 205 expkey[2*f] = key[f]; 206 expkey[2*f+1] = '\0'; 207 } 208 209 ntresponse = digest + CHAP81_NTRESPONSE_OFF; 210 211 /* Get some needed hashes */ 212 NtPasswordHash(expkey, klen * 2, pwdhash); 213 HashNtPasswordHash(pwdhash, pwdhashhash); 214 215 /* Generate NTRESPONSE to respond on challenge call */ 216 GenerateNTResponse(challenge + 1, peerchallenge + 1, name, 217 expkey, klen * 2, ntresponse); 218 219 /* Generate MPPE MASTERKEY */ 220 GetMasterKey(pwdhashhash, ntresponse, MPPE_MasterKey); /* XXX Global ! */ 221 222 /* Generate AUTHRESPONSE to verify on auth success */ 223 GenerateAuthenticatorResponse(expkey, klen * 2, ntresponse, 224 peerchallenge + 1, challenge + 1, name, 225 authresponse); 226 227 authresponse[CHAP81_AUTHRESPONSE_LEN] = 0; 228 229 memcpy(digest + CHAP81_RESPONSE_LEN, name, nlen); 230 } else 231 #endif 232 if ((result = malloc(nlen + 17)) != NULL) { 233 /* Normal MD5 stuff */ 234 MD5_CTX MD5context; 235 236 digest = result; 237 *digest++ = 16; /* value size */ 238 239 MD5Init(&MD5context); 240 MD5Update(&MD5context, &id, 1); 241 MD5Update(&MD5context, key, klen); 242 MD5Update(&MD5context, challenge + 1, *challenge); 243 MD5Final(digest, &MD5context); 244 245 memcpy(digest + 16, name, nlen); 246 /* 247 * ---- -------- ------ 248 * result = | 16 | digest | name | 249 * ---- -------- ------ 250 */ 251 } 252 253 return result; 254 } 255 256 static void 257 chap_StartChild(struct chap *chap, char *prog, const char *name) 258 { 259 char *argv[MAXARGS], *nargv[MAXARGS]; 260 int argc, fd; 261 int in[2], out[2]; 262 pid_t pid; 263 264 if (chap->child.fd != -1) { 265 log_Printf(LogWARN, "Chap: %s: Program already running\n", prog); 266 return; 267 } 268 269 if (pipe(in) == -1) { 270 log_Printf(LogERROR, "Chap: pipe: %s\n", strerror(errno)); 271 return; 272 } 273 274 if (pipe(out) == -1) { 275 log_Printf(LogERROR, "Chap: pipe: %s\n", strerror(errno)); 276 close(in[0]); 277 close(in[1]); 278 return; 279 } 280 281 pid = getpid(); 282 switch ((chap->child.pid = fork())) { 283 case -1: 284 log_Printf(LogERROR, "Chap: fork: %s\n", strerror(errno)); 285 close(in[0]); 286 close(in[1]); 287 close(out[0]); 288 close(out[1]); 289 chap->child.pid = 0; 290 return; 291 292 case 0: 293 timer_TermService(); 294 295 if ((argc = command_Interpret(prog, strlen(prog), argv)) <= 0) { 296 if (argc < 0) { 297 log_Printf(LogWARN, "CHAP: Invalid command syntax\n"); 298 _exit(255); 299 } 300 _exit(0); 301 } 302 303 close(in[1]); 304 close(out[0]); 305 if (out[1] == STDIN_FILENO) 306 out[1] = dup(out[1]); 307 dup2(in[0], STDIN_FILENO); 308 dup2(out[1], STDOUT_FILENO); 309 close(STDERR_FILENO); 310 if (open(_PATH_DEVNULL, O_RDWR) != STDERR_FILENO) { 311 log_Printf(LogALERT, "Chap: Failed to open %s: %s\n", 312 _PATH_DEVNULL, strerror(errno)); 313 exit(1); 314 } 315 for (fd = getdtablesize(); fd > STDERR_FILENO; fd--) 316 fcntl(fd, F_SETFD, 1); 317 #ifndef NOSUID 318 setuid(ID0realuid()); 319 #endif 320 command_Expand(nargv, argc, (char const *const *)argv, 321 chap->auth.physical->dl->bundle, 0, pid); 322 execvp(nargv[0], nargv); 323 printf("exec() of %s failed: %s\n", nargv[0], strerror(errno)); 324 _exit(255); 325 326 default: 327 close(in[0]); 328 close(out[1]); 329 chap->child.fd = out[0]; 330 chap->child.buf.len = 0; 331 write(in[1], chap->auth.in.name, strlen(chap->auth.in.name)); 332 write(in[1], "\n", 1); 333 write(in[1], chap->challenge.peer + 1, *chap->challenge.peer); 334 write(in[1], "\n", 1); 335 write(in[1], name, strlen(name)); 336 write(in[1], "\n", 1); 337 close(in[1]); 338 break; 339 } 340 } 341 342 static void 343 chap_Cleanup(struct chap *chap, int sig) 344 { 345 if (chap->child.pid) { 346 int status; 347 348 close(chap->child.fd); 349 chap->child.fd = -1; 350 if (sig) 351 kill(chap->child.pid, SIGTERM); 352 chap->child.pid = 0; 353 chap->child.buf.len = 0; 354 355 if (wait(&status) == -1) 356 log_Printf(LogERROR, "Chap: wait: %s\n", strerror(errno)); 357 else if (WIFSIGNALED(status)) 358 log_Printf(LogWARN, "Chap: Child received signal %d\n", WTERMSIG(status)); 359 else if (WIFEXITED(status) && WEXITSTATUS(status)) 360 log_Printf(LogERROR, "Chap: Child exited %d\n", WEXITSTATUS(status)); 361 } 362 *chap->challenge.local = *chap->challenge.peer = '\0'; 363 #ifndef NODES 364 chap->peertries = 0; 365 #endif 366 } 367 368 static void 369 chap_Respond(struct chap *chap, char *name, char *key 370 #ifndef NODES 371 , u_char type, int lm 372 #endif 373 ) 374 { 375 u_char *ans; 376 377 ans = chap_BuildAnswer(name, key, chap->auth.id, chap->challenge.peer 378 #ifndef NODES 379 , type, chap->challenge.local, chap->authresponse, lm 380 #endif 381 ); 382 383 if (ans) { 384 ChapOutput(chap->auth.physical, CHAP_RESPONSE, chap->auth.id, 385 ans, *ans + 1 + strlen(name), name); 386 #ifndef NODES 387 chap->NTRespSent = !lm; 388 MPPE_IsServer = 0; /* XXX Global ! */ 389 #endif 390 free(ans); 391 } else 392 ChapOutput(chap->auth.physical, CHAP_FAILURE, chap->auth.id, 393 "Out of memory!", 14, NULL); 394 } 395 396 static int 397 chap_UpdateSet(struct fdescriptor *d, fd_set *r, fd_set *w __unused, 398 fd_set *e __unused, int *n) 399 { 400 struct chap *chap = descriptor2chap(d); 401 402 if (r && chap && chap->child.fd != -1) { 403 FD_SET(chap->child.fd, r); 404 if (*n < chap->child.fd + 1) 405 *n = chap->child.fd + 1; 406 log_Printf(LogTIMER, "Chap: fdset(r) %d\n", chap->child.fd); 407 return 1; 408 } 409 410 return 0; 411 } 412 413 static int 414 chap_IsSet(struct fdescriptor *d, const fd_set *fdset) 415 { 416 struct chap *chap = descriptor2chap(d); 417 418 return chap && chap->child.fd != -1 && FD_ISSET(chap->child.fd, fdset); 419 } 420 421 static void 422 chap_Read(struct fdescriptor *d, struct bundle *bundle __unused, 423 const fd_set *fdset __unused) 424 { 425 struct chap *chap = descriptor2chap(d); 426 int got; 427 428 got = read(chap->child.fd, chap->child.buf.ptr + chap->child.buf.len, 429 sizeof chap->child.buf.ptr - chap->child.buf.len - 1); 430 if (got == -1) { 431 log_Printf(LogERROR, "Chap: Read: %s\n", strerror(errno)); 432 chap_Cleanup(chap, SIGTERM); 433 } else if (got == 0) { 434 log_Printf(LogWARN, "Chap: Read: Child terminated connection\n"); 435 chap_Cleanup(chap, SIGTERM); 436 } else { 437 char *name, *key, *end; 438 439 chap->child.buf.len += got; 440 chap->child.buf.ptr[chap->child.buf.len] = '\0'; 441 name = chap->child.buf.ptr; 442 name += strspn(name, " \t"); 443 if ((key = strchr(name, '\n')) == NULL) 444 end = NULL; 445 else 446 end = strchr(++key, '\n'); 447 448 if (end == NULL) { 449 if (chap->child.buf.len == sizeof chap->child.buf.ptr - 1) { 450 log_Printf(LogWARN, "Chap: Read: Input buffer overflow\n"); 451 chap_Cleanup(chap, SIGTERM); 452 } 453 } else { 454 #ifndef NODES 455 int lanman = chap->auth.physical->link.lcp.his_authtype == 0x80 && 456 ((chap->NTRespSent && 457 IsAccepted(chap->auth.physical->link.lcp.cfg.chap80lm)) || 458 !IsAccepted(chap->auth.physical->link.lcp.cfg.chap80nt)); 459 #endif 460 461 while (end >= name && strchr(" \t\r\n", *end)) 462 *end-- = '\0'; 463 end = key - 1; 464 while (end >= name && strchr(" \t\r\n", *end)) 465 *end-- = '\0'; 466 key += strspn(key, " \t"); 467 468 chap_Respond(chap, name, key 469 #ifndef NODES 470 , chap->auth.physical->link.lcp.his_authtype, lanman 471 #endif 472 ); 473 chap_Cleanup(chap, 0); 474 } 475 } 476 } 477 478 static int 479 chap_Write(struct fdescriptor *d __unused, struct bundle *bundle __unused, 480 const fd_set *fdset __unused) 481 { 482 /* We never want to write here ! */ 483 log_Printf(LogALERT, "chap_Write: Internal error: Bad call !\n"); 484 return 0; 485 } 486 487 static void 488 chap_ChallengeInit(struct authinfo *authp) 489 { 490 struct chap *chap = auth2chap(authp); 491 int len, i; 492 char *cp; 493 494 len = strlen(authp->physical->dl->bundle->cfg.auth.name); 495 496 if (!*chap->challenge.local) { 497 randinit(); 498 cp = chap->challenge.local; 499 500 #ifndef NORADIUS 501 if (*authp->physical->dl->bundle->radius.cfg.file) { 502 /* For radius, our challenge is 16 readable NUL terminated bytes :*/ 503 *cp++ = 16; 504 for (i = 0; i < 16; i++) 505 *cp++ = (random() % 10) + '0'; 506 } else 507 #endif 508 { 509 #ifndef NODES 510 if (authp->physical->link.lcp.want_authtype == 0x80) 511 *cp++ = 8; /* MS does 8 byte callenges :-/ */ 512 else if (authp->physical->link.lcp.want_authtype == 0x81) 513 *cp++ = 16; /* MS-CHAP-V2 does 16 bytes challenges */ 514 else 515 #endif 516 *cp++ = random() % (CHAPCHALLENGELEN-16) + 16; 517 for (i = 0; i < *chap->challenge.local; i++) 518 *cp++ = random() & 0xff; 519 } 520 memcpy(cp, authp->physical->dl->bundle->cfg.auth.name, len); 521 } 522 } 523 524 static void 525 chap_Challenge(struct authinfo *authp) 526 { 527 struct chap *chap = auth2chap(authp); 528 int len; 529 530 log_Printf(LogDEBUG, "CHAP%02X: Challenge\n", 531 authp->physical->link.lcp.want_authtype); 532 533 len = strlen(authp->physical->dl->bundle->cfg.auth.name); 534 535 /* Generate new local challenge value */ 536 if (!*chap->challenge.local) 537 chap_ChallengeInit(authp); 538 539 #ifndef NODES 540 if (authp->physical->link.lcp.want_authtype == 0x81) 541 ChapOutput(authp->physical, CHAP_CHALLENGE, authp->id, 542 chap->challenge.local, 1 + *chap->challenge.local, NULL); 543 else 544 #endif 545 ChapOutput(authp->physical, CHAP_CHALLENGE, authp->id, 546 chap->challenge.local, 1 + *chap->challenge.local + len, NULL); 547 } 548 549 static void 550 chap_Success(struct authinfo *authp) 551 { 552 struct bundle *bundle = authp->physical->dl->bundle; 553 const char *msg; 554 555 datalink_GotAuthname(authp->physical->dl, authp->in.name); 556 #ifndef NODES 557 if (authp->physical->link.lcp.want_authtype == 0x81) { 558 #ifndef NORADIUS 559 if (*bundle->radius.cfg.file && bundle->radius.msrepstr) 560 msg = bundle->radius.msrepstr; 561 else 562 #endif 563 msg = auth2chap(authp)->authresponse; 564 MPPE_MasterKeyValid = 1; /* XXX Global ! */ 565 } else 566 #endif 567 #ifndef NORADIUS 568 if (*bundle->radius.cfg.file && bundle->radius.repstr) 569 msg = bundle->radius.repstr; 570 else 571 #endif 572 msg = "Welcome!!"; 573 574 ChapOutput(authp->physical, CHAP_SUCCESS, authp->id, msg, strlen(msg), 575 NULL); 576 577 authp->physical->link.lcp.auth_ineed = 0; 578 if (Enabled(bundle, OPT_UTMP)) 579 physical_Login(authp->physical, authp->in.name); 580 581 if (authp->physical->link.lcp.auth_iwait == 0) 582 /* 583 * Either I didn't need to authenticate, or I've already been 584 * told that I got the answer right. 585 */ 586 datalink_AuthOk(authp->physical->dl); 587 } 588 589 static void 590 chap_Failure(struct authinfo *authp) 591 { 592 #ifndef NODES 593 char buf[1024], *ptr; 594 #endif 595 const char *msg; 596 597 #ifndef NORADIUS 598 struct bundle *bundle = authp->physical->link.lcp.fsm.bundle; 599 if (*bundle->radius.cfg.file && bundle->radius.errstr) 600 msg = bundle->radius.errstr; 601 else 602 #endif 603 #ifndef NODES 604 if (authp->physical->link.lcp.want_authtype == 0x80) { 605 sprintf(buf, "E=691 R=1 M=Invalid!"); 606 msg = buf; 607 } else if (authp->physical->link.lcp.want_authtype == 0x81) { 608 int i; 609 610 ptr = buf; 611 ptr += sprintf(buf, "E=691 R=0 C="); 612 for (i=0; i<16; i++) 613 ptr += sprintf(ptr, "%02X", *(auth2chap(authp)->challenge.local+1+i)); 614 615 sprintf(ptr, " V=3 M=Invalid!"); 616 msg = buf; 617 } else 618 #endif 619 msg = "Invalid!!"; 620 621 ChapOutput(authp->physical, CHAP_FAILURE, authp->id, msg, strlen(msg) + 1, 622 NULL); 623 datalink_AuthNotOk(authp->physical->dl); 624 } 625 626 static int 627 chap_Cmp(char *myans, int mylen, char *hisans, int hislen 628 #ifndef NODES 629 , u_char type, int lm 630 #endif 631 ) 632 { 633 if (mylen != hislen) 634 return 0; 635 #ifndef NODES 636 else if (type == 0x80) { 637 int off = lm ? 0 : 24; 638 639 if (memcmp(myans + off, hisans + off, 24)) 640 return 0; 641 } 642 #endif 643 else if (memcmp(myans, hisans, mylen)) 644 return 0; 645 646 return 1; 647 } 648 649 #ifndef NODES 650 static int 651 chap_HaveAnotherGo(struct chap *chap) 652 { 653 if (++chap->peertries < 3) { 654 /* Give the peer another shot */ 655 *chap->challenge.local = '\0'; 656 chap_Challenge(&chap->auth); 657 return 1; 658 } 659 660 return 0; 661 } 662 #endif 663 664 void 665 chap_Init(struct chap *chap, struct physical *p) 666 { 667 chap->desc.type = CHAP_DESCRIPTOR; 668 chap->desc.UpdateSet = chap_UpdateSet; 669 chap->desc.IsSet = chap_IsSet; 670 chap->desc.Read = chap_Read; 671 chap->desc.Write = chap_Write; 672 chap->child.pid = 0; 673 chap->child.fd = -1; 674 auth_Init(&chap->auth, p, chap_Challenge, chap_Success, chap_Failure); 675 *chap->challenge.local = *chap->challenge.peer = '\0'; 676 #ifndef NODES 677 chap->NTRespSent = 0; 678 chap->peertries = 0; 679 #endif 680 } 681 682 void 683 chap_ReInit(struct chap *chap) 684 { 685 chap_Cleanup(chap, SIGTERM); 686 } 687 688 struct mbuf * 689 chap_Input(struct bundle *bundle, struct link *l, struct mbuf *bp) 690 { 691 struct physical *p = link2physical(l); 692 struct chap *chap = &p->dl->chap; 693 char *name, *key, *ans; 694 int len; 695 size_t nlen; 696 u_char alen; 697 #ifndef NODES 698 int lanman; 699 #endif 700 701 if (p == NULL) { 702 log_Printf(LogERROR, "chap_Input: Not a physical link - dropped\n"); 703 m_freem(bp); 704 return NULL; 705 } 706 707 if (bundle_Phase(bundle) != PHASE_NETWORK && 708 bundle_Phase(bundle) != PHASE_AUTHENTICATE) { 709 log_Printf(LogPHASE, "Unexpected chap input - dropped !\n"); 710 m_freem(bp); 711 return NULL; 712 } 713 714 m_settype(bp, MB_CHAPIN); 715 if ((bp = auth_ReadHeader(&chap->auth, bp)) == NULL && 716 ntohs(chap->auth.in.hdr.length) == 0) 717 log_Printf(LogWARN, "Chap Input: Truncated header !\n"); 718 else if (chap->auth.in.hdr.code == 0 || chap->auth.in.hdr.code > MAXCHAPCODE) 719 log_Printf(LogPHASE, "Chap Input: %d: Bad CHAP code !\n", 720 chap->auth.in.hdr.code); 721 else { 722 len = m_length(bp); 723 ans = NULL; 724 725 if (chap->auth.in.hdr.code != CHAP_CHALLENGE && 726 chap->auth.id != chap->auth.in.hdr.id && 727 Enabled(bundle, OPT_IDCHECK)) { 728 /* Wrong conversation dude ! */ 729 log_Printf(LogPHASE, "Chap Input: %s dropped (got id %d, not %d)\n", 730 chapcodes[chap->auth.in.hdr.code], chap->auth.in.hdr.id, 731 chap->auth.id); 732 m_freem(bp); 733 return NULL; 734 } 735 chap->auth.id = chap->auth.in.hdr.id; /* We respond with this id */ 736 737 #ifndef NODES 738 lanman = 0; 739 #endif 740 switch (chap->auth.in.hdr.code) { 741 case CHAP_CHALLENGE: 742 bp = mbuf_Read(bp, &alen, 1); 743 len -= alen + 1; 744 if (len < 0) { 745 log_Printf(LogERROR, "Chap Input: Truncated challenge !\n"); 746 m_freem(bp); 747 return NULL; 748 } 749 *chap->challenge.peer = alen; 750 bp = mbuf_Read(bp, chap->challenge.peer + 1, alen); 751 bp = auth_ReadName(&chap->auth, bp, len); 752 #ifndef NODES 753 lanman = p->link.lcp.his_authtype == 0x80 && 754 ((chap->NTRespSent && IsAccepted(p->link.lcp.cfg.chap80lm)) || 755 !IsAccepted(p->link.lcp.cfg.chap80nt)); 756 757 /* Generate local challenge value */ 758 chap_ChallengeInit(&chap->auth); 759 #endif 760 break; 761 762 case CHAP_RESPONSE: 763 auth_StopTimer(&chap->auth); 764 bp = mbuf_Read(bp, &alen, 1); 765 len -= alen + 1; 766 if (len < 0) { 767 log_Printf(LogERROR, "Chap Input: Truncated response !\n"); 768 m_freem(bp); 769 return NULL; 770 } 771 if ((ans = malloc(alen + 1)) == NULL) { 772 log_Printf(LogERROR, "Chap Input: Out of memory !\n"); 773 m_freem(bp); 774 return NULL; 775 } 776 *ans = chap->auth.id; 777 bp = mbuf_Read(bp, ans + 1, alen); 778 bp = auth_ReadName(&chap->auth, bp, len); 779 #ifndef NODES 780 lanman = p->link.lcp.want_authtype == 0x80 && 781 alen == 49 && ans[alen] == 0; 782 #endif 783 break; 784 785 case CHAP_SUCCESS: 786 case CHAP_FAILURE: 787 /* chap->auth.in.name is already set up at CHALLENGE time */ 788 if ((ans = malloc(len + 1)) == NULL) { 789 log_Printf(LogERROR, "Chap Input: Out of memory !\n"); 790 m_freem(bp); 791 return NULL; 792 } 793 bp = mbuf_Read(bp, ans, len); 794 ans[len] = '\0'; 795 break; 796 } 797 798 switch (chap->auth.in.hdr.code) { 799 case CHAP_CHALLENGE: 800 case CHAP_RESPONSE: 801 if (*chap->auth.in.name) 802 log_Printf(LogPHASE, "Chap Input: %s (%d bytes from %s%s)\n", 803 chapcodes[chap->auth.in.hdr.code], alen, 804 chap->auth.in.name, 805 #ifndef NODES 806 lanman && chap->auth.in.hdr.code == CHAP_RESPONSE ? 807 " - lanman" : 808 #endif 809 ""); 810 else 811 log_Printf(LogPHASE, "Chap Input: %s (%d bytes%s)\n", 812 chapcodes[chap->auth.in.hdr.code], alen, 813 #ifndef NODES 814 lanman && chap->auth.in.hdr.code == CHAP_RESPONSE ? 815 " - lanman" : 816 #endif 817 ""); 818 break; 819 820 case CHAP_SUCCESS: 821 case CHAP_FAILURE: 822 if (*ans) 823 log_Printf(LogPHASE, "Chap Input: %s (%s)\n", 824 chapcodes[chap->auth.in.hdr.code], ans); 825 else 826 log_Printf(LogPHASE, "Chap Input: %s\n", 827 chapcodes[chap->auth.in.hdr.code]); 828 break; 829 } 830 831 switch (chap->auth.in.hdr.code) { 832 case CHAP_CHALLENGE: 833 if (*bundle->cfg.auth.key == '!' && bundle->cfg.auth.key[1] != '!') 834 chap_StartChild(chap, bundle->cfg.auth.key + 1, 835 bundle->cfg.auth.name); 836 else 837 chap_Respond(chap, bundle->cfg.auth.name, bundle->cfg.auth.key + 838 (*bundle->cfg.auth.key == '!' ? 1 : 0) 839 840 #ifndef NODES 841 , p->link.lcp.his_authtype, lanman 842 #endif 843 ); 844 break; 845 846 case CHAP_RESPONSE: 847 name = chap->auth.in.name; 848 nlen = strlen(name); 849 #ifndef NODES 850 if (p->link.lcp.want_authtype == 0x81) { 851 struct MSCHAPv2_resp *resp = (struct MSCHAPv2_resp *)(ans + 1); 852 853 chap->challenge.peer[0] = sizeof resp->PeerChallenge; 854 memcpy(chap->challenge.peer + 1, resp->PeerChallenge, 855 sizeof resp->PeerChallenge); 856 } 857 #endif 858 859 #ifndef NORADIUS 860 if (*bundle->radius.cfg.file) { 861 if (!radius_Authenticate(&bundle->radius, &chap->auth, 862 chap->auth.in.name, ans, alen + 1, 863 chap->challenge.local + 1, 864 *chap->challenge.local)) 865 chap_Failure(&chap->auth); 866 } else 867 #endif 868 { 869 if (p->link.lcp.want_authtype == 0x81 && ans[alen] != '\0' && 870 alen == sizeof(struct MSCHAPv2_resp)) { 871 struct MSCHAPv2_resp *resp = (struct MSCHAPv2_resp *)(ans + 1); 872 873 log_Printf(LogWARN, "%s: Compensating for corrupt (Win98/WinME?) " 874 "CHAP81 RESPONSE\n", l->name); 875 resp->Flags = '\0'; /* rfc2759 says it *MUST* be zero */ 876 } 877 key = auth_GetSecret(name, nlen); 878 if (key) { 879 #ifndef NODES 880 if (p->link.lcp.want_authtype == 0x80 && 881 lanman && !IsEnabled(p->link.lcp.cfg.chap80lm)) { 882 log_Printf(LogPHASE, "Auth failure: LANMan not enabled\n"); 883 if (chap_HaveAnotherGo(chap)) 884 break; 885 key = NULL; 886 } else if (p->link.lcp.want_authtype == 0x80 && 887 !lanman && !IsEnabled(p->link.lcp.cfg.chap80nt)) { 888 log_Printf(LogPHASE, "Auth failure: mschap not enabled\n"); 889 if (chap_HaveAnotherGo(chap)) 890 break; 891 key = NULL; 892 } else if (p->link.lcp.want_authtype == 0x81 && 893 !IsEnabled(p->link.lcp.cfg.chap81)) { 894 log_Printf(LogPHASE, "Auth failure: CHAP81 not enabled\n"); 895 key = NULL; 896 } else 897 #endif 898 { 899 char *myans = chap_BuildAnswer(name, key, chap->auth.id, 900 chap->challenge.local 901 #ifndef NODES 902 , p->link.lcp.want_authtype, 903 chap->challenge.peer, 904 chap->authresponse, lanman); 905 MPPE_IsServer = 1; /* XXX Global ! */ 906 #else 907 ); 908 #endif 909 if (myans == NULL) 910 key = NULL; 911 else { 912 if (!chap_Cmp(myans + 1, *myans, ans + 1, alen 913 #ifndef NODES 914 , p->link.lcp.want_authtype, lanman 915 #endif 916 )) 917 key = NULL; 918 free(myans); 919 } 920 } 921 } 922 923 if (key) 924 chap_Success(&chap->auth); 925 else 926 chap_Failure(&chap->auth); 927 } 928 929 break; 930 931 case CHAP_SUCCESS: 932 if (p->link.lcp.auth_iwait == PROTO_CHAP) { 933 p->link.lcp.auth_iwait = 0; 934 if (p->link.lcp.auth_ineed == 0) { 935 #ifndef NODES 936 if (p->link.lcp.his_authtype == 0x81) { 937 if (strncasecmp(ans, chap->authresponse, 42)) { 938 datalink_AuthNotOk(p->dl); 939 log_Printf(LogWARN, "CHAP81: AuthenticatorResponse: (%.42s)" 940 " != ans: (%.42s)\n", chap->authresponse, ans); 941 942 } else { 943 /* Successful login */ 944 MPPE_MasterKeyValid = 1; /* XXX Global ! */ 945 datalink_AuthOk(p->dl); 946 } 947 } else 948 #endif 949 /* 950 * We've succeeded in our ``login'' 951 * If we're not expecting the peer to authenticate (or he already 952 * has), proceed to network phase. 953 */ 954 datalink_AuthOk(p->dl); 955 } 956 } 957 break; 958 959 case CHAP_FAILURE: 960 datalink_AuthNotOk(p->dl); 961 break; 962 } 963 free(ans); 964 } 965 966 m_freem(bp); 967 return NULL; 968 } 969