search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
dnscrypto-proxy: Support files updated.
[tomato.git] / release / src / router / pppd / pppd / chap-new.c
blob7edf77e2fe3ea66de1ecf29ec057f2dfcd0d07ca
1 /*
2 * chap-new.c - New CHAP implementation.
3 *
4 * Copyright (c) 2003 Paul Mackerras. All rights reserved.
5 *
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
8 * are met:
9 *
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
12 *
13 * 2. The name(s) of the authors of this software must not be used to
14 * endorse or promote products derived from this software without
15 * prior written permission.
16 *
17 * 3. Redistributions of any form whatsoever must retain the following
18 * acknowledgment:
19 * "This product includes software developed by Paul Mackerras
20 * <paulus@samba.org>".
21 *
22 * THE AUTHORS OF THIS SOFTWARE DISCLAIM ALL WARRANTIES WITH REGARD TO
23 * THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
24 * AND FITNESS, IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY
25 * SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
26 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN
27 * AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING
28 * OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
29 */
30
31 #define RCSID "$Id: chap-new.c,v 1.9 2007/06/19 02:08:35 carlsonj Exp $"
32
33 #include <stdlib.h>
34 #include <string.h>
35 #include "pppd.h"
36 #include "session.h"
37 #include "chap-new.h"
38 #include "chap-md5.h"
39
40 #ifdef CHAPMS
41 #include "chap_ms.h"
42 #define MDTYPE_ALL (MDTYPE_MICROSOFT_V2 | MDTYPE_MICROSOFT | MDTYPE_MD5)
43 #else
44 #define MDTYPE_ALL (MDTYPE_MD5)
45 #endif
46
47 int chap_mdtype_all = MDTYPE_ALL;
48
49 /* Hook for a plugin to validate CHAP challenge */
50 int (*chap_verify_hook)(char *name, char *ourname, int id,
51 struct chap_digest_type *digest,
52 unsigned char *challenge, unsigned char *response,
53 char *message, int message_space) = NULL;
54
55 /*
56 * Option variables.
57 */
58 int chap_timeout_time = 3;
59 int chap_max_transmits = 10;
60 int chap_rechallenge_time = 0;
61
62 /*
63 * Command-line options.
64 */
65 static option_t chap_option_list[] = {
66 { "chap-restart", o_int, &chap_timeout_time,
67 "Set timeout for CHAP", OPT_PRIO },
68 { "chap-max-challenge", o_int, &chap_max_transmits,
69 "Set max #xmits for challenge", OPT_PRIO },
70 { "chap-interval", o_int, &chap_rechallenge_time,
71 "Set interval for rechallenge", OPT_PRIO },
72 { NULL }
73 };
74
75 /*
76 * Internal state.
77 */
78 static struct chap_client_state {
79 int flags;
80 char *name;
81 struct chap_digest_type *digest;
82 unsigned char priv[64]; /* private area for digest's use */
83 } client;
84
85 /*
86 * These limits apply to challenge and response packets we send.
87 * The +4 is the +1 that we actually need rounded up.
88 */
89 #define CHAL_MAX_PKTLEN (PPP_HDRLEN + CHAP_HDRLEN + 4 + MAX_CHALLENGE_LEN + MAXNAMELEN)
90 #define RESP_MAX_PKTLEN (PPP_HDRLEN + CHAP_HDRLEN + 4 + MAX_RESPONSE_LEN + MAXNAMELEN)
91
92 static struct chap_server_state {
93 int flags;
94 int id;
95 char *name;
96 struct chap_digest_type *digest;
97 int challenge_xmits;
98 int challenge_pktlen;
99 unsigned char challenge[CHAL_MAX_PKTLEN];
100 char message[256];
101 } server;
102
103 /* Values for flags in chap_client_state and chap_server_state */
104 #define LOWERUP 1
105 #define AUTH_STARTED 2
106 #define AUTH_DONE 4
107 #define AUTH_FAILED 8
108 #define TIMEOUT_PENDING 0x10
109 #define CHALLENGE_VALID 0x20
110
111 /*
112 * Prototypes.
113 */
114 static void chap_init(int unit);
115 static void chap_lowerup(int unit);
116 static void chap_lowerdown(int unit);
117 static void chap_timeout(void *arg);
118 static void chap_generate_challenge(struct chap_server_state *ss);
119 static void chap_handle_response(struct chap_server_state *ss, int code,
120 unsigned char *pkt, int len);
121 static int chap_verify_response(char *name, char *ourname, int id,
122 struct chap_digest_type *digest,
123 unsigned char *challenge, unsigned char *response,
124 char *message, int message_space);
125 static void chap_respond(struct chap_client_state *cs, int id,
126 unsigned char *pkt, int len);
127 static void chap_handle_status(struct chap_client_state *cs, int code, int id,
128 unsigned char *pkt, int len);
129 static void chap_protrej(int unit);
130 static void chap_input(int unit, unsigned char *pkt, int pktlen);
131 static int chap_print_pkt(unsigned char *p, int plen,
132 void (*printer) __P((void *, char *, ...)), void *arg);
133
134 /* List of digest types that we know about */
135 static struct chap_digest_type *chap_digests;
136
137 /*
138 * chap_init - reset to initial state.
139 */
140 static void
141 chap_init(int unit)
142 {
143 memset(&client, 0, sizeof(client));
144 memset(&server, 0, sizeof(server));
145
146 chap_md5_init();
147 #ifdef CHAPMS
148 chapms_init();
149 #endif
150 }
151
152 /*
153 * Add a new digest type to the list.
154 */
155 void
156 chap_register_digest(struct chap_digest_type *dp)
157 {
158 dp->next = chap_digests;
159 chap_digests = dp;
160 }
161
162 /*
163 * chap_lowerup - we can start doing stuff now.
164 */
165 static void
166 chap_lowerup(int unit)
167 {
168 struct chap_client_state *cs = &client;
169 struct chap_server_state *ss = &server;
170
171 cs->flags |= LOWERUP;
172 ss->flags |= LOWERUP;
173 if (ss->flags & AUTH_STARTED)
174 chap_timeout(ss);
175 }
176
177 static void
178 chap_lowerdown(int unit)
179 {
180 struct chap_client_state *cs = &client;
181 struct chap_server_state *ss = &server;
182
183 cs->flags = 0;
184 if (ss->flags & TIMEOUT_PENDING)
185 UNTIMEOUT(chap_timeout, ss);
186 ss->flags = 0;
187 }
188
189 /*
190 * chap_auth_peer - Start authenticating the peer.
191 * If the lower layer is already up, we start sending challenges,
192 * otherwise we wait for the lower layer to come up.
193 */
194 void
195 chap_auth_peer(int unit, char *our_name, int digest_code)
196 {
197 struct chap_server_state *ss = &server;
198 struct chap_digest_type *dp;
199
200 if (ss->flags & AUTH_STARTED) {
201 error("CHAP: peer authentication already started!");
202 return;
203 }
204 for (dp = chap_digests; dp != NULL; dp = dp->next)
205 if (dp->code == digest_code)
206 break;
207 if (dp == NULL)
208 fatal("CHAP digest 0x%x requested but not available",
209 digest_code);
210
211 ss->digest = dp;
212 ss->name = our_name;
213 /* Start with a random ID value */
214 ss->id = (unsigned char)(drand48() * 256);
215 ss->flags |= AUTH_STARTED;
216 if (ss->flags & LOWERUP)
217 chap_timeout(ss);
218 }
219
220 /*
221 * chap_auth_with_peer - Prepare to authenticate ourselves to the peer.
222 * There isn't much to do until we receive a challenge.
223 */
224 void
225 chap_auth_with_peer(int unit, char *our_name, int digest_code)
226 {
227 struct chap_client_state *cs = &client;
228 struct chap_digest_type *dp;
229
230 if (cs->flags & AUTH_STARTED) {
231 error("CHAP: authentication with peer already started!");
232 return;
233 }
234 for (dp = chap_digests; dp != NULL; dp = dp->next)
235 if (dp->code == digest_code)
236 break;
237 if (dp == NULL)
238 fatal("CHAP digest 0x%x requested but not available",
239 digest_code);
240
241 cs->digest = dp;
242 cs->name = our_name;
243 cs->flags |= AUTH_STARTED;
244 }
245
246 /*
247 * chap_timeout - It's time to send another challenge to the peer.
248 * This could be either a retransmission of a previous challenge,
249 * or a new challenge to start re-authentication.
250 */
251 static void
252 chap_timeout(void *arg)
253 {
254 struct chap_server_state *ss = arg;
255
256 ss->flags &= ~TIMEOUT_PENDING;
257 if ((ss->flags & CHALLENGE_VALID) == 0) {
258 ss->challenge_xmits = 0;
259 chap_generate_challenge(ss);
260 ss->flags |= CHALLENGE_VALID;
261 } else if (ss->challenge_xmits >= chap_max_transmits) {
262 ss->flags &= ~CHALLENGE_VALID;
263 ss->flags |= AUTH_DONE | AUTH_FAILED;
264 auth_peer_fail(0, PPP_CHAP);
265 return;
266 }
267
268 output(0, ss->challenge, ss->challenge_pktlen);
269 ++ss->challenge_xmits;
270 ss->flags |= TIMEOUT_PENDING;
271 TIMEOUT(chap_timeout, arg, chap_timeout_time);
272 }
273
274 /*
275 * chap_generate_challenge - generate a challenge string and format
276 * the challenge packet in ss->challenge_pkt.
277 */
278 static void
279 chap_generate_challenge(struct chap_server_state *ss)
280 {
281 int clen = 1, nlen, len;
282 unsigned char *p;
283
284 p = ss->challenge;
285 MAKEHEADER(p, PPP_CHAP);
286 p += CHAP_HDRLEN;
287 ss->digest->generate_challenge(p);
288 clen = *p;
289 nlen = strlen(ss->name);
290 memcpy(p + 1 + clen, ss->name, nlen);
291
292 len = CHAP_HDRLEN + 1 + clen + nlen;
293 ss->challenge_pktlen = PPP_HDRLEN + len;
294
295 p = ss->challenge + PPP_HDRLEN;
296 p[0] = CHAP_CHALLENGE;
297 p[1] = ++ss->id;
298 p[2] = len >> 8;
299 p[3] = len;
300 }
301
302 /*
303 * chap_handle_response - check the response to our challenge.
304 */
305 static void
306 chap_handle_response(struct chap_server_state *ss, int id,
307 unsigned char *pkt, int len)
308 {
309 int response_len, ok, mlen;
310 unsigned char *response, *p;
311 char *name = NULL; /* initialized to shut gcc up */
312 int (*verifier)(char *, char *, int, struct chap_digest_type *,
313 unsigned char *, unsigned char *, char *, int);
314 char rname[MAXNAMELEN+1];
315
316 if ((ss->flags & LOWERUP) == 0)
317 return;
318 if (id != ss->challenge[PPP_HDRLEN+1] || len < 2)
319 return;
320 if (ss->flags & CHALLENGE_VALID) {
321 response = pkt;
322 GETCHAR(response_len, pkt);
323 len -= response_len + 1; /* length of name */
324 name = (char *)pkt + response_len;
325 if (len < 0)
326 return;
327
328 if (ss->flags & TIMEOUT_PENDING) {
329 ss->flags &= ~TIMEOUT_PENDING;
330 UNTIMEOUT(chap_timeout, ss);
331 }
332
333 if (explicit_remote) {
334 name = remote_name;
335 } else {
336 /* Null terminate and clean remote name. */
337 slprintf(rname, sizeof(rname), "%.*v", len, name);
338 name = rname;
339 }
340
341 if (chap_verify_hook)
342 verifier = chap_verify_hook;
343 else
344 verifier = chap_verify_response;
345 ok = (*verifier)(name, ss->name, id, ss->digest,
346 ss->challenge + PPP_HDRLEN + CHAP_HDRLEN,
347 response, ss->message, sizeof(ss->message));
348 if (!ok || !auth_number()) {
349 ss->flags |= AUTH_FAILED;
350 warn("Peer %q failed CHAP authentication", name);
351 }
352 } else if ((ss->flags & AUTH_DONE) == 0)
353 return;
354
355 /* send the response */
356 p = outpacket_buf;
357 MAKEHEADER(p, PPP_CHAP);
358 mlen = strlen(ss->message);
359 len = CHAP_HDRLEN + mlen;
360 p[0] = (ss->flags & AUTH_FAILED)? CHAP_FAILURE: CHAP_SUCCESS;
361 p[1] = id;
362 p[2] = len >> 8;
363 p[3] = len;
364 if (mlen > 0)
365 memcpy(p + CHAP_HDRLEN, ss->message, mlen);
366 output(0, outpacket_buf, PPP_HDRLEN + len);
367
368 if (ss->flags & CHALLENGE_VALID) {
369 ss->flags &= ~CHALLENGE_VALID;
370 if (!(ss->flags & AUTH_DONE) && !(ss->flags & AUTH_FAILED)) {
371 /*
372 * Auth is OK, so now we need to check session restrictions
373 * to ensure everything is OK, but only if we used a
374 * plugin, and only if we're configured to check. This
375 * allows us to do PAM checks on PPP servers that
376 * authenticate against ActiveDirectory, and use AD for
377 * account info (like when using Winbind integrated with
378 * PAM).
379 */
380 if (session_mgmt &&
381 session_check(name, NULL, devnam, NULL) == 0) {
382 ss->flags |= AUTH_FAILED;
383 warn("Peer %q failed CHAP Session verification", name);
384 }
385 }
386 if (ss->flags & AUTH_FAILED) {
387 auth_peer_fail(0, PPP_CHAP);
388 } else {
389 if ((ss->flags & AUTH_DONE) == 0)
390 auth_peer_success(0, PPP_CHAP,
391 ss->digest->code,
392 name, strlen(name));
393 if (chap_rechallenge_time) {
394 ss->flags |= TIMEOUT_PENDING;
395 TIMEOUT(chap_timeout, ss,
396 chap_rechallenge_time);
397 }
398 }
399 ss->flags |= AUTH_DONE;
400 }
401 }
402
403 /*
404 * chap_verify_response - check whether the peer's response matches
405 * what we think it should be. Returns 1 if it does (authentication
406 * succeeded), or 0 if it doesn't.
407 */
408 static int
409 chap_verify_response(char *name, char *ourname, int id,
410 struct chap_digest_type *digest,
411 unsigned char *challenge, unsigned char *response,
412 char *message, int message_space)
413 {
414 int ok;
415 unsigned char secret[MAXSECRETLEN];
416 int secret_len;
417 #ifdef CHAPMS
418 char nametmp[MAXNAMELEN];
419 if (ms_ignore_domain && strrchr(name, '\\')) {
420 strcpy(nametmp, strrchr(name, '\\') + 1);
421 strcpy(name, nametmp);
422 }
423 #endif
424 /* Get the secret that the peer is supposed to know */
425 if (!get_secret(0, name, ourname, (char *)secret, &secret_len, 1)) {
426 error("No CHAP secret found for authenticating %q", name);
427 return 0;
428 }
429
430 ok = digest->verify_response(id, name, secret, secret_len, challenge,
431 response, message, message_space);
432 memset(secret, 0, sizeof(secret));
433
434 return ok;
435 }
436
437 /*
438 * chap_respond - Generate and send a response to a challenge.
439 */
440 static void
441 chap_respond(struct chap_client_state *cs, int id,
442 unsigned char *pkt, int len)
443 {
444 int clen, nlen;
445 int secret_len;
446 unsigned char *p;
447 unsigned char response[RESP_MAX_PKTLEN];
448 char rname[MAXNAMELEN+1];
449 char secret[MAXSECRETLEN+1];
450
451 if ((cs->flags & (LOWERUP | AUTH_STARTED)) != (LOWERUP | AUTH_STARTED))
452 return; /* not ready */
453 if (len < 2 || len < pkt[0] + 1)
454 return; /* too short */
455 clen = pkt[0];
456 nlen = len - (clen + 1);
457
458 /* Null terminate and clean remote name. */
459 slprintf(rname, sizeof(rname), "%.*v", nlen, pkt + clen + 1);
460
461 /* Microsoft doesn't send their name back in the PPP packet */
462 if (explicit_remote || (remote_name[0] != 0 && rname[0] == 0))
463 strlcpy(rname, remote_name, sizeof(rname));
464
465 /* get secret for authenticating ourselves with the specified host */
466 if (!get_secret(0, cs->name, rname, secret, &secret_len, 0)) {
467 secret_len = 0; /* assume null secret if can't find one */
468 warn("No CHAP secret found for authenticating us to %q", rname);
469 }
470
471 p = response;
472 MAKEHEADER(p, PPP_CHAP);
473 p += CHAP_HDRLEN;
474
475 cs->digest->make_response(p, id, cs->name, pkt,
476 secret, secret_len, cs->priv);
477 memset(secret, 0, secret_len);
478
479 clen = *p;
480 nlen = strlen(cs->name);
481 memcpy(p + clen + 1, cs->name, nlen);
482
483 p = response + PPP_HDRLEN;
484 len = CHAP_HDRLEN + clen + 1 + nlen;
485 p[0] = CHAP_RESPONSE;
486 p[1] = id;
487 p[2] = len >> 8;
488 p[3] = len;
489
490 output(0, response, PPP_HDRLEN + len);
491 }
492
493 static void
494 chap_handle_status(struct chap_client_state *cs, int code, int id,
495 unsigned char *pkt, int len)
496 {
497 const char *msg = NULL;
498
499 if ((cs->flags & (AUTH_DONE|AUTH_STARTED|LOWERUP))
500 != (AUTH_STARTED|LOWERUP))
501 return;
502 cs->flags |= AUTH_DONE;
503
504 if (code == CHAP_SUCCESS) {
505 /* used for MS-CHAP v2 mutual auth, yuck */
506 if (cs->digest->check_success != NULL) {
507 if (!(*cs->digest->check_success)(pkt, len, cs->priv))
508 code = CHAP_FAILURE;
509 } else
510 msg = "CHAP authentication succeeded";
511 } else {
512 if (cs->digest->handle_failure != NULL)
513 (*cs->digest->handle_failure)(pkt, len);
514 else
515 msg = "CHAP authentication failed";
516 }
517 if (msg) {
518 if (len > 0)
519 info("%s: %.*v", msg, len, pkt);
520 else
521 info("%s", msg);
522 }
523 if (code == CHAP_SUCCESS)
524 auth_withpeer_success(0, PPP_CHAP, cs->digest->code);
525 else {
526 cs->flags |= AUTH_FAILED;
527 error("CHAP authentication failed");
528 system("ppp_event -t CHAP_AUTH_FAIL &");
529 auth_withpeer_fail(0, PPP_CHAP);
530 }
531 }
532
533 static void
534 chap_input(int unit, unsigned char *pkt, int pktlen)
535 {
536 struct chap_client_state *cs = &client;
537 struct chap_server_state *ss = &server;
538 unsigned char code, id;
539 int len;
540
541 if (pktlen < CHAP_HDRLEN)
542 return;
543 GETCHAR(code, pkt);
544 GETCHAR(id, pkt);
545 GETSHORT(len, pkt);
546 if (len < CHAP_HDRLEN || len > pktlen)
547 return;
548 len -= CHAP_HDRLEN;
549
550 switch (code) {
551 case CHAP_CHALLENGE:
552 chap_respond(cs, id, pkt, len);
553 break;
554 case CHAP_RESPONSE:
555 chap_handle_response(ss, id, pkt, len);
556 break;
557 case CHAP_FAILURE:
558 case CHAP_SUCCESS:
559 chap_handle_status(cs, code, id, pkt, len);
560 break;
561 }
562 }
563
564 static void
565 chap_protrej(int unit)
566 {
567 struct chap_client_state *cs = &client;
568 struct chap_server_state *ss = &server;
569
570 if (ss->flags & TIMEOUT_PENDING) {
571 ss->flags &= ~TIMEOUT_PENDING;
572 UNTIMEOUT(chap_timeout, ss);
573 }
574 if (ss->flags & AUTH_STARTED) {
575 ss->flags = 0;
576 auth_peer_fail(0, PPP_CHAP);
577 }
578 if ((cs->flags & (AUTH_STARTED|AUTH_DONE)) == AUTH_STARTED) {
579 cs->flags &= ~AUTH_STARTED;
580 error("CHAP authentication failed due to protocol-reject");
581 auth_withpeer_fail(0, PPP_CHAP);
582 }
583 }
584
585 /*
586 * chap_print_pkt - print the contents of a CHAP packet.
587 */
588 static char *chap_code_names[] = {
589 "Challenge", "Response", "Success", "Failure"
590 };
591
592 static int
593 chap_print_pkt(unsigned char *p, int plen,
594 void (*printer) __P((void *, char *, ...)), void *arg)
595 {
596 int code, id, len;
597 int clen, nlen;
598 unsigned char x;
599
600 if (plen < CHAP_HDRLEN)
601 return 0;
602 GETCHAR(code, p);
603 GETCHAR(id, p);
604 GETSHORT(len, p);
605 if (len < CHAP_HDRLEN || len > plen)
606 return 0;
607
608 if (code >= 1 && code <= sizeof(chap_code_names) / sizeof(char *))
609 printer(arg, " %s", chap_code_names[code-1]);
610 else
611 printer(arg, " code=0x%x", code);
612 printer(arg, " id=0x%x", id);
613 len -= CHAP_HDRLEN;
614 switch (code) {
615 case CHAP_CHALLENGE:
616 case CHAP_RESPONSE:
617 if (len < 1)
618 break;
619 clen = p[0];
620 if (len < clen + 1)
621 break;
622 ++p;
623 nlen = len - clen - 1;
624 printer(arg, " <");
625 for (; clen > 0; --clen) {
626 GETCHAR(x, p);
627 printer(arg, "%.2x", x);
628 }
629 printer(arg, ">, name = ");
630 print_string((char *)p, nlen, printer, arg);
631 break;
632 case CHAP_FAILURE:
633 case CHAP_SUCCESS:
634 printer(arg, " ");
635 print_string((char *)p, len, printer, arg);
636 break;
637 default:
638 for (clen = len; clen > 0; --clen) {
639 GETCHAR(x, p);
640 printer(arg, " %.2x", x);
641 }
642 }
643
644 return len + CHAP_HDRLEN;
645 }
646
647 struct protent chap_protent = {
648 PPP_CHAP,
649 chap_init,
650 chap_input,
651 chap_protrej,
652 chap_lowerup,
653 chap_lowerdown,
654 NULL, /* open */
655 NULL, /* close */
656 chap_print_pkt,
657 NULL, /* datainput */
658 1, /* enabled_flag */
659 "CHAP", /* name */
660 NULL, /* data_name */
661 chap_option_list,
662 NULL, /* check_options */
663 };
Tomato firmware and modifications.