1 /* 2 * chap-new.c - New CHAP implementation. 3 * 4 * Copyright (c) 2003 Paul Mackerras. All rights reserved. 5 * 6 * Redistribution and use in source and binary forms, with or without 7 * modification, are permitted provided that the following conditions 8 * are met: 9 * 10 * 1. Redistributions of source code must retain the above copyright 11 * notice, this list of conditions and the following disclaimer. 12 * 13 * 2. The name(s) of the authors of this software must not be used to 14 * endorse or promote products derived from this software without 15 * prior written permission. 16 * 17 * 3. Redistributions of any form whatsoever must retain the following 18 * acknowledgment: 19 * "This product includes software developed by Paul Mackerras 20 * <paulus (at) samba.org>". 21 * 22 * THE AUTHORS OF THIS SOFTWARE DISCLAIM ALL WARRANTIES WITH REGARD TO 23 * THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY 24 * AND FITNESS, IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY 25 * SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 26 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN 27 * AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING 28 * OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 29 */ 30 31 #define RCSID "$Id: chap-new.c,v 1.6 2004/11/04 10:02:26 paulus Exp $" 32 33 #include <stdlib.h> 34 #include <string.h> 35 #include "pppd.h" 36 #include "chap-new.h" 37 #include "chap-md5.h" 38 #ifdef ANDROID_CHANGES 39 #include "openssl-hash.h" 40 #endif 41 42 #ifdef CHAPMS 43 #include "chap_ms.h" 44 #define MDTYPE_ALL (MDTYPE_MICROSOFT_V2 | MDTYPE_MICROSOFT | MDTYPE_MD5) 45 #else 46 #define MDTYPE_ALL (MDTYPE_MD5) 47 #endif 48 49 int chap_mdtype_all = MDTYPE_ALL; 50 51 /* Hook for a plugin to validate CHAP challenge */ 52 int (*chap_verify_hook)(char *name, char *ourname, int id, 53 struct chap_digest_type *digest, 54 unsigned char *challenge, unsigned char *response, 55 char *message, int message_space) = NULL; 56 57 /* 58 * Option variables. 59 */ 60 int chap_timeout_time = 3; 61 int chap_max_transmits = 10; 62 int chap_rechallenge_time = 0; 63 64 /* 65 * Command-line options. 66 */ 67 static option_t chap_option_list[] = { 68 { "chap-restart", o_int, &chap_timeout_time, 69 "Set timeout for CHAP", OPT_PRIO }, 70 { "chap-max-challenge", o_int, &chap_max_transmits, 71 "Set max #xmits for challenge", OPT_PRIO }, 72 { "chap-interval", o_int, &chap_rechallenge_time, 73 "Set interval for rechallenge", OPT_PRIO }, 74 { NULL } 75 }; 76 77 /* 78 * Internal state. 79 */ 80 static struct chap_client_state { 81 int flags; 82 char *name; 83 struct chap_digest_type *digest; 84 unsigned char priv[64]; /* private area for digest's use */ 85 } client; 86 87 /* 88 * These limits apply to challenge and response packets we send. 89 * The +4 is the +1 that we actually need rounded up. 90 */ 91 #define CHAL_MAX_PKTLEN (PPP_HDRLEN + CHAP_HDRLEN + 4 + MAX_CHALLENGE_LEN + MAXNAMELEN) 92 #define RESP_MAX_PKTLEN (PPP_HDRLEN + CHAP_HDRLEN + 4 + MAX_RESPONSE_LEN + MAXNAMELEN) 93 94 static struct chap_server_state { 95 int flags; 96 int id; 97 char *name; 98 struct chap_digest_type *digest; 99 int challenge_xmits; 100 int challenge_pktlen; 101 unsigned char challenge[CHAL_MAX_PKTLEN]; 102 } server; 103 104 /* Values for flags in chap_client_state and chap_server_state */ 105 #define LOWERUP 1 106 #define AUTH_STARTED 2 107 #define AUTH_DONE 4 108 #define AUTH_FAILED 8 109 #define TIMEOUT_PENDING 0x10 110 #define CHALLENGE_VALID 0x20 111 112 /* 113 * Prototypes. 114 */ 115 static void chap_init(int unit); 116 static void chap_lowerup(int unit); 117 static void chap_lowerdown(int unit); 118 static void chap_timeout(void *arg); 119 static void chap_generate_challenge(struct chap_server_state *ss); 120 static void chap_handle_response(struct chap_server_state *ss, int code, 121 unsigned char *pkt, int len); 122 static int chap_verify_response(char *name, char *ourname, int id, 123 struct chap_digest_type *digest, 124 unsigned char *challenge, unsigned char *response, 125 char *message, int message_space); 126 static void chap_respond(struct chap_client_state *cs, int id, 127 unsigned char *pkt, int len); 128 static void chap_handle_status(struct chap_client_state *cs, int code, int id, 129 unsigned char *pkt, int len); 130 static void chap_protrej(int unit); 131 static void chap_input(int unit, unsigned char *pkt, int pktlen); 132 static int chap_print_pkt(unsigned char *p, int plen, 133 void (*printer) __P((void *, char *, ...)), void *arg); 134 135 /* List of digest types that we know about */ 136 static struct chap_digest_type *chap_digests; 137 138 /* 139 * chap_init - reset to initial state. 140 */ 141 static void 142 chap_init(int unit) 143 { 144 memset(&client, 0, sizeof(client)); 145 memset(&server, 0, sizeof(server)); 146 147 #ifdef ANDROID_CHANGES 148 openssl_hash_init(); 149 #endif 150 chap_md5_init(); 151 #ifdef CHAPMS 152 chapms_init(); 153 #endif 154 } 155 156 /* 157 * Add a new digest type to the list. 158 */ 159 void 160 chap_register_digest(struct chap_digest_type *dp) 161 { 162 dp->next = chap_digests; 163 chap_digests = dp; 164 } 165 166 /* 167 * chap_lowerup - we can start doing stuff now. 168 */ 169 static void 170 chap_lowerup(int unit) 171 { 172 struct chap_client_state *cs = &client; 173 struct chap_server_state *ss = &server; 174 175 cs->flags |= LOWERUP; 176 ss->flags |= LOWERUP; 177 if (ss->flags & AUTH_STARTED) 178 chap_timeout(ss); 179 } 180 181 static void 182 chap_lowerdown(int unit) 183 { 184 struct chap_client_state *cs = &client; 185 struct chap_server_state *ss = &server; 186 187 cs->flags = 0; 188 if (ss->flags & TIMEOUT_PENDING) 189 UNTIMEOUT(chap_timeout, ss); 190 ss->flags = 0; 191 } 192 193 /* 194 * chap_auth_peer - Start authenticating the peer. 195 * If the lower layer is already up, we start sending challenges, 196 * otherwise we wait for the lower layer to come up. 197 */ 198 void 199 chap_auth_peer(int unit, char *our_name, int digest_code) 200 { 201 struct chap_server_state *ss = &server; 202 struct chap_digest_type *dp; 203 204 if (ss->flags & AUTH_STARTED) { 205 error("CHAP: peer authentication already started!"); 206 return; 207 } 208 for (dp = chap_digests; dp != NULL; dp = dp->next) 209 if (dp->code == digest_code) 210 break; 211 if (dp == NULL) 212 fatal("CHAP digest 0x%x requested but not available", 213 digest_code); 214 215 ss->digest = dp; 216 ss->name = our_name; 217 /* Start with a random ID value */ 218 ss->id = (unsigned char)(drand48() * 256); 219 ss->flags |= AUTH_STARTED; 220 if (ss->flags & LOWERUP) 221 chap_timeout(ss); 222 } 223 224 /* 225 * chap_auth_with_peer - Prepare to authenticate ourselves to the peer. 226 * There isn't much to do until we receive a challenge. 227 */ 228 void 229 chap_auth_with_peer(int unit, char *our_name, int digest_code) 230 { 231 struct chap_client_state *cs = &client; 232 struct chap_digest_type *dp; 233 234 if (cs->flags & AUTH_STARTED) { 235 error("CHAP: authentication with peer already started!"); 236 return; 237 } 238 for (dp = chap_digests; dp != NULL; dp = dp->next) 239 if (dp->code == digest_code) 240 break; 241 if (dp == NULL) 242 fatal("CHAP digest 0x%x requested but not available", 243 digest_code); 244 245 cs->digest = dp; 246 cs->name = our_name; 247 cs->flags |= AUTH_STARTED; 248 } 249 250 /* 251 * chap_timeout - It's time to send another challenge to the peer. 252 * This could be either a retransmission of a previous challenge, 253 * or a new challenge to start re-authentication. 254 */ 255 static void 256 chap_timeout(void *arg) 257 { 258 struct chap_server_state *ss = arg; 259 260 ss->flags &= ~TIMEOUT_PENDING; 261 if ((ss->flags & CHALLENGE_VALID) == 0) { 262 ss->challenge_xmits = 0; 263 chap_generate_challenge(ss); 264 ss->flags |= CHALLENGE_VALID; 265 } else if (ss->challenge_xmits >= chap_max_transmits) { 266 ss->flags &= ~CHALLENGE_VALID; 267 ss->flags |= AUTH_DONE | AUTH_FAILED; 268 auth_peer_fail(0, PPP_CHAP); 269 return; 270 } 271 272 output(0, ss->challenge, ss->challenge_pktlen); 273 ++ss->challenge_xmits; 274 ss->flags |= TIMEOUT_PENDING; 275 TIMEOUT(chap_timeout, arg, chap_timeout_time); 276 } 277 278 /* 279 * chap_generate_challenge - generate a challenge string and format 280 * the challenge packet in ss->challenge_pkt. 281 */ 282 static void 283 chap_generate_challenge(struct chap_server_state *ss) 284 { 285 int clen = 1, nlen, len; 286 unsigned char *p; 287 288 p = ss->challenge; 289 MAKEHEADER(p, PPP_CHAP); 290 p += CHAP_HDRLEN; 291 ss->digest->generate_challenge(p); 292 clen = *p; 293 nlen = strlen(ss->name); 294 memcpy(p + 1 + clen, ss->name, nlen); 295 296 len = CHAP_HDRLEN + 1 + clen + nlen; 297 ss->challenge_pktlen = PPP_HDRLEN + len; 298 299 p = ss->challenge + PPP_HDRLEN; 300 p[0] = CHAP_CHALLENGE; 301 p[1] = ++ss->id; 302 p[2] = len >> 8; 303 p[3] = len; 304 } 305 306 /* 307 * chap_handle_response - check the response to our challenge. 308 */ 309 static void 310 chap_handle_response(struct chap_server_state *ss, int id, 311 unsigned char *pkt, int len) 312 { 313 int response_len, ok, mlen; 314 unsigned char *response, *p; 315 char *name = NULL; /* initialized to shut gcc up */ 316 int (*verifier)(char *, char *, int, struct chap_digest_type *, 317 unsigned char *, unsigned char *, char *, int); 318 char rname[MAXNAMELEN+1]; 319 char message[256]; 320 321 if ((ss->flags & LOWERUP) == 0) 322 return; 323 if (id != ss->challenge[PPP_HDRLEN+1] || len < 2) 324 return; 325 if ((ss->flags & AUTH_DONE) == 0) { 326 if ((ss->flags & CHALLENGE_VALID) == 0) 327 return; 328 response = pkt; 329 GETCHAR(response_len, pkt); 330 len -= response_len + 1; /* length of name */ 331 name = (char *)pkt + response_len; 332 if (len < 0) 333 return; 334 335 ss->flags &= ~CHALLENGE_VALID; 336 if (ss->flags & TIMEOUT_PENDING) { 337 ss->flags &= ~TIMEOUT_PENDING; 338 UNTIMEOUT(chap_timeout, ss); 339 } 340 341 if (explicit_remote) { 342 name = remote_name; 343 } else { 344 /* Null terminate and clean remote name. */ 345 slprintf(rname, sizeof(rname), "%.*v", len, name); 346 name = rname; 347 } 348 349 if (chap_verify_hook) 350 verifier = chap_verify_hook; 351 else 352 verifier = chap_verify_response; 353 ok = (*verifier)(name, ss->name, id, ss->digest, 354 ss->challenge + PPP_HDRLEN + CHAP_HDRLEN, 355 response, message, sizeof(message)); 356 if (!ok || !auth_number()) { 357 ss->flags |= AUTH_FAILED; 358 warn("Peer %q failed CHAP authentication", name); 359 } 360 } 361 362 /* send the response */ 363 p = outpacket_buf; 364 MAKEHEADER(p, PPP_CHAP); 365 mlen = strlen(message); 366 len = CHAP_HDRLEN + mlen; 367 p[0] = (ss->flags & AUTH_FAILED)? CHAP_FAILURE: CHAP_SUCCESS; 368 p[1] = id; 369 p[2] = len >> 8; 370 p[3] = len; 371 if (mlen > 0) 372 memcpy(p + CHAP_HDRLEN, message, mlen); 373 output(0, outpacket_buf, PPP_HDRLEN + len); 374 375 if ((ss->flags & AUTH_DONE) == 0) { 376 ss->flags |= AUTH_DONE; 377 if (ss->flags & AUTH_FAILED) { 378 auth_peer_fail(0, PPP_CHAP); 379 } else { 380 auth_peer_success(0, PPP_CHAP, ss->digest->code, 381 name, strlen(name)); 382 if (chap_rechallenge_time) { 383 ss->flags |= TIMEOUT_PENDING; 384 TIMEOUT(chap_timeout, ss, 385 chap_rechallenge_time); 386 } 387 } 388 } 389 } 390 391 /* 392 * chap_verify_response - check whether the peer's response matches 393 * what we think it should be. Returns 1 if it does (authentication 394 * succeeded), or 0 if it doesn't. 395 */ 396 static int 397 chap_verify_response(char *name, char *ourname, int id, 398 struct chap_digest_type *digest, 399 unsigned char *challenge, unsigned char *response, 400 char *message, int message_space) 401 { 402 int ok; 403 unsigned char secret[MAXSECRETLEN]; 404 int secret_len; 405 406 /* Get the secret that the peer is supposed to know */ 407 if (!get_secret(0, name, ourname, (char *)secret, &secret_len, 1)) { 408 error("No CHAP secret found for authenticating %q", name); 409 return 0; 410 } 411 412 ok = digest->verify_response(id, name, secret, secret_len, challenge, 413 response, message, message_space); 414 memset(secret, 0, sizeof(secret)); 415 416 return ok; 417 } 418 419 /* 420 * chap_respond - Generate and send a response to a challenge. 421 */ 422 static void 423 chap_respond(struct chap_client_state *cs, int id, 424 unsigned char *pkt, int len) 425 { 426 int clen, nlen; 427 int secret_len; 428 unsigned char *p; 429 unsigned char response[RESP_MAX_PKTLEN]; 430 char rname[MAXNAMELEN+1]; 431 char secret[MAXSECRETLEN+1]; 432 433 if ((cs->flags & (LOWERUP | AUTH_STARTED)) != (LOWERUP | AUTH_STARTED)) 434 return; /* not ready */ 435 if (len < 2 || len < pkt[0] + 1) 436 return; /* too short */ 437 clen = pkt[0]; 438 nlen = len - (clen + 1); 439 440 /* Null terminate and clean remote name. */ 441 slprintf(rname, sizeof(rname), "%.*v", nlen, pkt + clen + 1); 442 443 /* Microsoft doesn't send their name back in the PPP packet */ 444 if (explicit_remote || (remote_name[0] != 0 && rname[0] == 0)) 445 strlcpy(rname, remote_name, sizeof(rname)); 446 447 /* get secret for authenticating ourselves with the specified host */ 448 if (!get_secret(0, cs->name, rname, secret, &secret_len, 0)) { 449 secret_len = 0; /* assume null secret if can't find one */ 450 warn("No CHAP secret found for authenticating us to %q", rname); 451 } 452 453 p = response; 454 MAKEHEADER(p, PPP_CHAP); 455 p += CHAP_HDRLEN; 456 457 cs->digest->make_response(p, id, cs->name, pkt, 458 secret, secret_len, cs->priv); 459 memset(secret, 0, secret_len); 460 461 clen = *p; 462 nlen = strlen(cs->name); 463 memcpy(p + clen + 1, cs->name, nlen); 464 465 p = response + PPP_HDRLEN; 466 len = CHAP_HDRLEN + clen + 1 + nlen; 467 p[0] = CHAP_RESPONSE; 468 p[1] = id; 469 p[2] = len >> 8; 470 p[3] = len; 471 472 output(0, response, PPP_HDRLEN + len); 473 } 474 475 static void 476 chap_handle_status(struct chap_client_state *cs, int code, int id, 477 unsigned char *pkt, int len) 478 { 479 const char *msg = NULL; 480 481 if ((cs->flags & (AUTH_DONE|AUTH_STARTED|LOWERUP)) 482 != (AUTH_STARTED|LOWERUP)) 483 return; 484 cs->flags |= AUTH_DONE; 485 486 if (code == CHAP_SUCCESS) { 487 /* used for MS-CHAP v2 mutual auth, yuck */ 488 if (cs->digest->check_success != NULL) { 489 if (!(*cs->digest->check_success)(pkt, len, cs->priv)) 490 code = CHAP_FAILURE; 491 } else 492 msg = "CHAP authentication succeeded"; 493 } else { 494 if (cs->digest->handle_failure != NULL) 495 (*cs->digest->handle_failure)(pkt, len); 496 else 497 msg = "CHAP authentication failed"; 498 } 499 if (msg) { 500 if (len > 0) 501 info("%s: %.*v", msg, len, pkt); 502 else 503 info("%s", msg); 504 } 505 if (code == CHAP_SUCCESS) 506 auth_withpeer_success(0, PPP_CHAP, cs->digest->code); 507 else { 508 cs->flags |= AUTH_FAILED; 509 auth_withpeer_fail(0, PPP_CHAP); 510 } 511 } 512 513 static void 514 chap_input(int unit, unsigned char *pkt, int pktlen) 515 { 516 struct chap_client_state *cs = &client; 517 struct chap_server_state *ss = &server; 518 unsigned char code, id; 519 int len; 520 521 if (pktlen < CHAP_HDRLEN) 522 return; 523 GETCHAR(code, pkt); 524 GETCHAR(id, pkt); 525 GETSHORT(len, pkt); 526 if (len < CHAP_HDRLEN || len > pktlen) 527 return; 528 len -= CHAP_HDRLEN; 529 530 switch (code) { 531 case CHAP_CHALLENGE: 532 chap_respond(cs, id, pkt, len); 533 break; 534 case CHAP_RESPONSE: 535 chap_handle_response(ss, id, pkt, len); 536 break; 537 case CHAP_FAILURE: 538 case CHAP_SUCCESS: 539 chap_handle_status(cs, code, id, pkt, len); 540 break; 541 } 542 } 543 544 static void 545 chap_protrej(int unit) 546 { 547 struct chap_client_state *cs = &client; 548 struct chap_server_state *ss = &server; 549 550 if (ss->flags & TIMEOUT_PENDING) { 551 ss->flags &= ~TIMEOUT_PENDING; 552 UNTIMEOUT(chap_timeout, ss); 553 } 554 if (ss->flags & AUTH_STARTED) { 555 ss->flags = 0; 556 auth_peer_fail(0, PPP_CHAP); 557 } 558 if ((cs->flags & (AUTH_STARTED|AUTH_DONE)) == AUTH_STARTED) { 559 cs->flags &= ~AUTH_STARTED; 560 auth_withpeer_fail(0, PPP_CHAP); 561 } 562 } 563 564 /* 565 * chap_print_pkt - print the contents of a CHAP packet. 566 */ 567 static char *chap_code_names[] = { 568 "Challenge", "Response", "Success", "Failure" 569 }; 570 571 static int 572 chap_print_pkt(unsigned char *p, int plen, 573 void (*printer) __P((void *, char *, ...)), void *arg) 574 { 575 int code, id, len; 576 int clen, nlen; 577 unsigned char x; 578 579 if (plen < CHAP_HDRLEN) 580 return 0; 581 GETCHAR(code, p); 582 GETCHAR(id, p); 583 GETSHORT(len, p); 584 if (len < CHAP_HDRLEN || len > plen) 585 return 0; 586 587 if (code >= 1 && code <= sizeof(chap_code_names) / sizeof(char *)) 588 printer(arg, " %s", chap_code_names[code-1]); 589 else 590 printer(arg, " code=0x%x", code); 591 printer(arg, " id=0x%x", id); 592 len -= CHAP_HDRLEN; 593 switch (code) { 594 case CHAP_CHALLENGE: 595 case CHAP_RESPONSE: 596 if (len < 1) 597 break; 598 clen = p[0]; 599 if (len < clen + 1) 600 break; 601 ++p; 602 nlen = len - clen - 1; 603 printer(arg, " <"); 604 for (; clen > 0; --clen) { 605 GETCHAR(x, p); 606 printer(arg, "%.2x", x); 607 } 608 printer(arg, ">, name = "); 609 print_string((char *)p, nlen, printer, arg); 610 break; 611 case CHAP_FAILURE: 612 case CHAP_SUCCESS: 613 printer(arg, " "); 614 print_string((char *)p, len, printer, arg); 615 break; 616 default: 617 for (clen = len; clen > 0; --clen) { 618 GETCHAR(x, p); 619 printer(arg, " %.2x", x); 620 } 621 } 622 623 return len + CHAP_HDRLEN; 624 } 625 626 struct protent chap_protent = { 627 PPP_CHAP, 628 chap_init, 629 chap_input, 630 chap_protrej, 631 chap_lowerup, 632 chap_lowerdown, 633 NULL, /* open */ 634 NULL, /* close */ 635 chap_print_pkt, 636 NULL, /* datainput */ 637 1, /* enabled_flag */ 638 "CHAP", /* name */ 639 NULL, /* data_name */ 640 chap_option_list, 641 NULL, /* check_options */ 642 }; 643
