Home | History | Annotate | Download | only in src
      1 /*-
      2  * Copyright (c) 1996 - 2001 Brian Somers <brian (at) Awfulhak.org>
      3  *          based on work by Toshiharu OHNO <tony-o (at) iij.ad.jp>
      4  *                           Internet Initiative Japan, Inc (IIJ)
      5  * All rights reserved.
      6  *
      7  * Redistribution and use in source and binary forms, with or without
      8  * modification, are permitted provided that the following conditions
      9  * are met:
     10  * 1. Redistributions of source code must retain the above copyright
     11  *    notice, this list of conditions and the following disclaimer.
     12  * 2. Redistributions in binary form must reproduce the above copyright
     13  *    notice, this list of conditions and the following disclaimer in the
     14  *    documentation and/or other materials provided with the distribution.
     15  *
     16  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
     17  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
     18  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
     19  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
     20  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
     21  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
     22  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
     23  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
     24  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
     25  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
     26  * SUCH DAMAGE.
     27  *
     28  * $FreeBSD: src/usr.sbin/ppp/chap.c,v 1.86.26.1 2010/12/21 17:10:29 kensmith Exp $
     29  */
     30 
     31 #include <sys/param.h>
     32 #include <netinet/in.h>
     33 #include <netinet/in_systm.h>
     34 #include <netinet/ip.h>
     35 #include <sys/socket.h>
     36 #include <sys/un.h>
     37 
     38 #include <ctype.h>
     39 #include <errno.h>
     40 #include <fcntl.h>
     41 #ifndef NODES
     42 #include <md4.h>
     43 #endif
     44 #include <md5.h>
     45 #include <paths.h>
     46 #include <signal.h>
     47 #include <stdio.h>
     48 #include <stdlib.h>
     49 #include <string.h>
     50 #include <sys/wait.h>
     51 #include <termios.h>
     52 #include <unistd.h>
     53 
     54 #include "layer.h"
     55 #include "mbuf.h"
     56 #include "log.h"
     57 #include "defs.h"
     58 #include "timer.h"
     59 #include "fsm.h"
     60 #include "proto.h"
     61 #include "lqr.h"
     62 #include "hdlc.h"
     63 #include "lcp.h"
     64 #include "auth.h"
     65 #include "async.h"
     66 #include "throughput.h"
     67 #include "descriptor.h"
     68 #include "chap.h"
     69 #include "iplist.h"
     70 #include "slcompress.h"
     71 #include "ncpaddr.h"
     72 #include "ipcp.h"
     73 #include "filter.h"
     74 #include "ccp.h"
     75 #include "link.h"
     76 #include "physical.h"
     77 #include "mp.h"
     78 #ifndef NORADIUS
     79 #include "radius.h"
     80 #endif
     81 #include "ipv6cp.h"
     82 #include "ncp.h"
     83 #include "bundle.h"
     84 #include "chat.h"
     85 #include "cbcp.h"
     86 #include "command.h"
     87 #include "datalink.h"
     88 #ifndef NODES
     89 #include "chap_ms.h"
     90 #include "mppe.h"
     91 #endif
     92 #include "id.h"
     93 
     94 static const char * const chapcodes[] = {
     95   "???", "CHALLENGE", "RESPONSE", "SUCCESS", "FAILURE"
     96 };
     97 #define MAXCHAPCODE (sizeof chapcodes / sizeof chapcodes[0] - 1)
     98 
     99 static void
    100 ChapOutput(struct physical *physical, u_int code, u_int id,
    101 	   const u_char *ptr, int count, const char *text)
    102 {
    103   int plen;
    104   struct fsmheader lh;
    105   struct mbuf *bp;
    106 
    107   plen = sizeof(struct fsmheader) + count;
    108   lh.code = code;
    109   lh.id = id;
    110   lh.length = htons(plen);
    111   bp = m_get(plen, MB_CHAPOUT);
    112   memcpy(MBUF_CTOP(bp), &lh, sizeof(struct fsmheader));
    113   if (count)
    114     memcpy(MBUF_CTOP(bp) + sizeof(struct fsmheader), ptr, count);
    115   log_DumpBp(LogDEBUG, "ChapOutput", bp);
    116   if (text == NULL)
    117     log_Printf(LogPHASE, "Chap Output: %s\n", chapcodes[code]);
    118   else
    119     log_Printf(LogPHASE, "Chap Output: %s (%s)\n", chapcodes[code], text);
    120   link_PushPacket(&physical->link, bp, physical->dl->bundle,
    121                   LINK_QUEUES(&physical->link) - 1, PROTO_CHAP);
    122 }
    123 
    124 static char *
    125 chap_BuildAnswer(char *name, char *key, u_char id, char *challenge
    126 #ifndef NODES
    127 		 , u_char type, char *peerchallenge, char *authresponse,
    128 		 int lanman
    129 #endif
    130                 )
    131 {
    132   char *result, *digest;
    133   size_t nlen, klen;
    134 
    135   nlen = strlen(name);
    136   klen = strlen(key);
    137 
    138 #ifndef NODES
    139   if (type == 0x80) {
    140     char expkey[AUTHLEN << 2];
    141     MD4_CTX MD4context;
    142     size_t f;
    143 
    144     if ((result = malloc(1 + nlen + MS_CHAP_RESPONSE_LEN)) == NULL)
    145       return result;
    146 
    147     digest = result;					/* the response */
    148     *digest++ = MS_CHAP_RESPONSE_LEN;			/* 49 */
    149     memcpy(digest + MS_CHAP_RESPONSE_LEN, name, nlen);
    150     if (lanman) {
    151       memset(digest + 24, '\0', 25);
    152       mschap_LANMan(digest, challenge + 1, key);	/* LANMan response */
    153     } else {
    154       memset(digest, '\0', 25);
    155       digest += 24;
    156 
    157       for (f = 0; f < klen; f++) {
    158         expkey[2*f] = key[f];
    159         expkey[2*f+1] = '\0';
    160       }
    161       /*
    162        *           -----------
    163        * expkey = | k\0e\0y\0 |
    164        *           -----------
    165        */
    166       MD4Init(&MD4context);
    167       MD4Update(&MD4context, expkey, klen << 1);
    168       MD4Final(digest, &MD4context);
    169 
    170       /*
    171        *           ---- -------- ---------------- ------- ------
    172        * result = | 49 | LANMan | 16 byte digest | 9 * ? | name |
    173        *           ---- -------- ---------------- ------- ------
    174        */
    175       mschap_NT(digest, challenge + 1);
    176     }
    177     /*
    178      *           ---- -------- ------------- ----- ------
    179      *          |    |  struct MS_ChapResponse24  |      |
    180      * result = | 49 | LANMan  |  NT digest | 0/1 | name |
    181      *           ---- -------- ------------- ----- ------
    182      * where only one of LANMan & NT digest are set.
    183      */
    184   } else if (type == 0x81) {
    185     char expkey[AUTHLEN << 2];
    186     char pwdhash[CHAP81_HASH_LEN];
    187     char pwdhashhash[CHAP81_HASH_LEN];
    188     char *ntresponse;
    189     size_t f;
    190 
    191     if ((result = malloc(1 + nlen + CHAP81_RESPONSE_LEN)) == NULL)
    192       return result;
    193 
    194     memset(result, 0, 1 + nlen + CHAP81_RESPONSE_LEN);
    195 
    196     digest = result;
    197     *digest++ = CHAP81_RESPONSE_LEN;		/* value size */
    198 
    199     /* Copy our challenge */
    200     memcpy(digest, peerchallenge + 1, CHAP81_CHALLENGE_LEN);
    201 
    202     /* Expand password to Unicode XXX */
    203     for (f = 0; f < klen; f++) {
    204       expkey[2*f] = key[f];
    205       expkey[2*f+1] = '\0';
    206     }
    207 
    208     ntresponse = digest + CHAP81_NTRESPONSE_OFF;
    209 
    210     /* Get some needed hashes */
    211     NtPasswordHash(expkey, klen * 2, pwdhash);
    212     HashNtPasswordHash(pwdhash, pwdhashhash);
    213 
    214     /* Generate NTRESPONSE to respond on challenge call */
    215     GenerateNTResponse(challenge + 1, peerchallenge + 1, name,
    216                        expkey, klen * 2, ntresponse);
    217 
    218     /* Generate MPPE MASTERKEY */
    219     GetMasterKey(pwdhashhash, ntresponse, MPPE_MasterKey);    /* XXX Global ! */
    220 
    221     /* Generate AUTHRESPONSE to verify on auth success */
    222     GenerateAuthenticatorResponse(expkey, klen * 2, ntresponse,
    223                                   peerchallenge + 1, challenge + 1, name,
    224                                   authresponse);
    225 
    226     authresponse[CHAP81_AUTHRESPONSE_LEN] = 0;
    227 
    228     memcpy(digest + CHAP81_RESPONSE_LEN, name, nlen);
    229   } else
    230 #endif
    231   if ((result = malloc(nlen + 17)) != NULL) {
    232     /* Normal MD5 stuff */
    233     MD5_CTX MD5context;
    234 
    235     digest = result;
    236     *digest++ = 16;				/* value size */
    237 
    238     MD5Init(&MD5context);
    239     MD5Update(&MD5context, &id, 1);
    240     MD5Update(&MD5context, key, klen);
    241     MD5Update(&MD5context, challenge + 1, *challenge);
    242     MD5Final(digest, &MD5context);
    243 
    244     memcpy(digest + 16, name, nlen);
    245     /*
    246      *           ---- -------- ------
    247      * result = | 16 | digest | name |
    248      *           ---- -------- ------
    249      */
    250   }
    251 
    252   return result;
    253 }
    254 
    255 static void
    256 chap_StartChild(struct chap *chap, char *prog, const char *name)
    257 {
    258   char *argv[MAXARGS], *nargv[MAXARGS];
    259   int argc, fd;
    260   int in[2], out[2];
    261   pid_t pid;
    262 
    263   if (chap->child.fd != -1) {
    264     log_Printf(LogWARN, "Chap: %s: Program already running\n", prog);
    265     return;
    266   }
    267 
    268   if (pipe(in) == -1) {
    269     log_Printf(LogERROR, "Chap: pipe: %s\n", strerror(errno));
    270     return;
    271   }
    272 
    273   if (pipe(out) == -1) {
    274     log_Printf(LogERROR, "Chap: pipe: %s\n", strerror(errno));
    275     close(in[0]);
    276     close(in[1]);
    277     return;
    278   }
    279 
    280   pid = getpid();
    281   switch ((chap->child.pid = fork())) {
    282     case -1:
    283       log_Printf(LogERROR, "Chap: fork: %s\n", strerror(errno));
    284       close(in[0]);
    285       close(in[1]);
    286       close(out[0]);
    287       close(out[1]);
    288       chap->child.pid = 0;
    289       return;
    290 
    291     case 0:
    292       timer_TermService();
    293 
    294       if ((argc = command_Interpret(prog, strlen(prog), argv)) <= 0) {
    295         if (argc < 0) {
    296           log_Printf(LogWARN, "CHAP: Invalid command syntax\n");
    297           _exit(255);
    298         }
    299         _exit(0);
    300       }
    301 
    302       close(in[1]);
    303       close(out[0]);
    304       if (out[1] == STDIN_FILENO)
    305         out[1] = dup(out[1]);
    306       dup2(in[0], STDIN_FILENO);
    307       dup2(out[1], STDOUT_FILENO);
    308       close(STDERR_FILENO);
    309       if (open(_PATH_DEVNULL, O_RDWR) != STDERR_FILENO) {
    310         log_Printf(LogALERT, "Chap: Failed to open %s: %s\n",
    311                   _PATH_DEVNULL, strerror(errno));
    312         exit(1);
    313       }
    314       for (fd = getdtablesize(); fd > STDERR_FILENO; fd--)
    315         fcntl(fd, F_SETFD, 1);
    316 #ifndef NOSUID
    317       setuid(ID0realuid());
    318 #endif
    319       command_Expand(nargv, argc, (char const *const *)argv,
    320                      chap->auth.physical->dl->bundle, 0, pid);
    321       execvp(nargv[0], nargv);
    322       printf("exec() of %s failed: %s\n", nargv[0], strerror(errno));
    323       _exit(255);
    324 
    325     default:
    326       close(in[0]);
    327       close(out[1]);
    328       chap->child.fd = out[0];
    329       chap->child.buf.len = 0;
    330       write(in[1], chap->auth.in.name, strlen(chap->auth.in.name));
    331       write(in[1], "\n", 1);
    332       write(in[1], chap->challenge.peer + 1, *chap->challenge.peer);
    333       write(in[1], "\n", 1);
    334       write(in[1], name, strlen(name));
    335       write(in[1], "\n", 1);
    336       close(in[1]);
    337       break;
    338   }
    339 }
    340 
    341 static void
    342 chap_Cleanup(struct chap *chap, int sig)
    343 {
    344   if (chap->child.pid) {
    345     int status;
    346 
    347     close(chap->child.fd);
    348     chap->child.fd = -1;
    349     if (sig)
    350       kill(chap->child.pid, SIGTERM);
    351     chap->child.pid = 0;
    352     chap->child.buf.len = 0;
    353 
    354     if (wait(&status) == -1)
    355       log_Printf(LogERROR, "Chap: wait: %s\n", strerror(errno));
    356     else if (WIFSIGNALED(status))
    357       log_Printf(LogWARN, "Chap: Child received signal %d\n", WTERMSIG(status));
    358     else if (WIFEXITED(status) && WEXITSTATUS(status))
    359       log_Printf(LogERROR, "Chap: Child exited %d\n", WEXITSTATUS(status));
    360   }
    361   *chap->challenge.local = *chap->challenge.peer = '\0';
    362 #ifndef NODES
    363   chap->peertries = 0;
    364 #endif
    365 }
    366 
    367 static void
    368 chap_Respond(struct chap *chap, char *name, char *key
    369 #ifndef NODES
    370              , u_char type, int lm
    371 #endif
    372             )
    373 {
    374   u_char *ans;
    375 
    376   ans = chap_BuildAnswer(name, key, chap->auth.id, chap->challenge.peer
    377 #ifndef NODES
    378                          , type, chap->challenge.local, chap->authresponse, lm
    379 #endif
    380                         );
    381 
    382   if (ans) {
    383     ChapOutput(chap->auth.physical, CHAP_RESPONSE, chap->auth.id,
    384                ans, *ans + 1 + strlen(name), name);
    385 #ifndef NODES
    386     chap->NTRespSent = !lm;
    387     MPPE_IsServer = 0;		/* XXX Global ! */
    388 #endif
    389     free(ans);
    390   } else
    391     ChapOutput(chap->auth.physical, CHAP_FAILURE, chap->auth.id,
    392                "Out of memory!", 14, NULL);
    393 }
    394 
    395 static int
    396 chap_UpdateSet(struct fdescriptor *d, fd_set *r, fd_set *w __unused,
    397 	       fd_set *e __unused, int *n)
    398 {
    399   struct chap *chap = descriptor2chap(d);
    400 
    401   if (r && chap && chap->child.fd != -1) {
    402     FD_SET(chap->child.fd, r);
    403     if (*n < chap->child.fd + 1)
    404       *n = chap->child.fd + 1;
    405     log_Printf(LogTIMER, "Chap: fdset(r) %d\n", chap->child.fd);
    406     return 1;
    407   }
    408 
    409   return 0;
    410 }
    411 
    412 static int
    413 chap_IsSet(struct fdescriptor *d, const fd_set *fdset)
    414 {
    415   struct chap *chap = descriptor2chap(d);
    416 
    417   return chap && chap->child.fd != -1 && FD_ISSET(chap->child.fd, fdset);
    418 }
    419 
    420 static void
    421 chap_Read(struct fdescriptor *d, struct bundle *bundle __unused,
    422 	  const fd_set *fdset __unused)
    423 {
    424   struct chap *chap = descriptor2chap(d);
    425   int got;
    426 
    427   got = read(chap->child.fd, chap->child.buf.ptr + chap->child.buf.len,
    428              sizeof chap->child.buf.ptr - chap->child.buf.len - 1);
    429   if (got == -1) {
    430     log_Printf(LogERROR, "Chap: Read: %s\n", strerror(errno));
    431     chap_Cleanup(chap, SIGTERM);
    432   } else if (got == 0) {
    433     log_Printf(LogWARN, "Chap: Read: Child terminated connection\n");
    434     chap_Cleanup(chap, SIGTERM);
    435   } else {
    436     char *name, *key, *end;
    437 
    438     chap->child.buf.len += got;
    439     chap->child.buf.ptr[chap->child.buf.len] = '\0';
    440     name = chap->child.buf.ptr;
    441     name += strspn(name, " \t");
    442     if ((key = strchr(name, '\n')) == NULL)
    443       end = NULL;
    444     else
    445       end = strchr(++key, '\n');
    446 
    447     if (end == NULL) {
    448       if (chap->child.buf.len == sizeof chap->child.buf.ptr - 1) {
    449         log_Printf(LogWARN, "Chap: Read: Input buffer overflow\n");
    450         chap_Cleanup(chap, SIGTERM);
    451       }
    452     } else {
    453 #ifndef NODES
    454       int lanman = chap->auth.physical->link.lcp.his_authtype == 0x80 &&
    455                    ((chap->NTRespSent &&
    456                      IsAccepted(chap->auth.physical->link.lcp.cfg.chap80lm)) ||
    457                     !IsAccepted(chap->auth.physical->link.lcp.cfg.chap80nt));
    458 #endif
    459 
    460       while (end >= name && strchr(" \t\r\n", *end))
    461         *end-- = '\0';
    462       end = key - 1;
    463       while (end >= name && strchr(" \t\r\n", *end))
    464         *end-- = '\0';
    465       key += strspn(key, " \t");
    466 
    467       chap_Respond(chap, name, key
    468 #ifndef NODES
    469                    , chap->auth.physical->link.lcp.his_authtype, lanman
    470 #endif
    471                   );
    472       chap_Cleanup(chap, 0);
    473     }
    474   }
    475 }
    476 
    477 static int
    478 chap_Write(struct fdescriptor *d __unused, struct bundle *bundle __unused,
    479 	   const fd_set *fdset __unused)
    480 {
    481   /* We never want to write here ! */
    482   log_Printf(LogALERT, "chap_Write: Internal error: Bad call !\n");
    483   return 0;
    484 }
    485 
    486 static void
    487 chap_ChallengeInit(struct authinfo *authp)
    488 {
    489   struct chap *chap = auth2chap(authp);
    490   int len, i;
    491   char *cp;
    492 
    493   len = strlen(authp->physical->dl->bundle->cfg.auth.name);
    494 
    495   if (!*chap->challenge.local) {
    496     randinit();
    497     cp = chap->challenge.local;
    498 
    499 #ifndef NORADIUS
    500     if (*authp->physical->dl->bundle->radius.cfg.file) {
    501       /* For radius, our challenge is 16 readable NUL terminated bytes :*/
    502       *cp++ = 16;
    503       for (i = 0; i < 16; i++)
    504         *cp++ = (random() % 10) + '0';
    505     } else
    506 #endif
    507     {
    508 #ifndef NODES
    509       if (authp->physical->link.lcp.want_authtype == 0x80)
    510         *cp++ = 8;	/* MS does 8 byte callenges :-/ */
    511       else if (authp->physical->link.lcp.want_authtype == 0x81)
    512         *cp++ = 16;	/* MS-CHAP-V2 does 16 bytes challenges */
    513       else
    514 #endif
    515         *cp++ = random() % (CHAPCHALLENGELEN-16) + 16;
    516       for (i = 0; i < *chap->challenge.local; i++)
    517         *cp++ = random() & 0xff;
    518     }
    519     memcpy(cp, authp->physical->dl->bundle->cfg.auth.name, len);
    520   }
    521 }
    522 
    523 static void
    524 chap_Challenge(struct authinfo *authp)
    525 {
    526   struct chap *chap = auth2chap(authp);
    527   int len;
    528 
    529   log_Printf(LogDEBUG, "CHAP%02X: Challenge\n",
    530              authp->physical->link.lcp.want_authtype);
    531 
    532   len = strlen(authp->physical->dl->bundle->cfg.auth.name);
    533 
    534   /* Generate new local challenge value */
    535   if (!*chap->challenge.local)
    536     chap_ChallengeInit(authp);
    537 
    538 #ifndef NODES
    539   if (authp->physical->link.lcp.want_authtype == 0x81)
    540     ChapOutput(authp->physical, CHAP_CHALLENGE, authp->id,
    541              chap->challenge.local, 1 + *chap->challenge.local, NULL);
    542   else
    543 #endif
    544     ChapOutput(authp->physical, CHAP_CHALLENGE, authp->id,
    545              chap->challenge.local, 1 + *chap->challenge.local + len, NULL);
    546 }
    547 
    548 static void
    549 chap_Success(struct authinfo *authp)
    550 {
    551   struct bundle *bundle = authp->physical->dl->bundle;
    552   const char *msg;
    553 
    554   datalink_GotAuthname(authp->physical->dl, authp->in.name);
    555 #ifndef NODES
    556   if (authp->physical->link.lcp.want_authtype == 0x81) {
    557 #ifndef NORADIUS
    558     if (*bundle->radius.cfg.file && bundle->radius.msrepstr)
    559       msg = bundle->radius.msrepstr;
    560     else
    561 #endif
    562       msg = auth2chap(authp)->authresponse;
    563     MPPE_MasterKeyValid = 1;		/* XXX Global ! */
    564   } else
    565 #endif
    566 #ifndef NORADIUS
    567   if (*bundle->radius.cfg.file && bundle->radius.repstr)
    568     msg = bundle->radius.repstr;
    569   else
    570 #endif
    571     msg = "Welcome!!";
    572 
    573   ChapOutput(authp->physical, CHAP_SUCCESS, authp->id, msg, strlen(msg),
    574              NULL);
    575 
    576   authp->physical->link.lcp.auth_ineed = 0;
    577   if (Enabled(bundle, OPT_UTMP))
    578     physical_Login(authp->physical, authp->in.name);
    579 
    580   if (authp->physical->link.lcp.auth_iwait == 0)
    581     /*
    582      * Either I didn't need to authenticate, or I've already been
    583      * told that I got the answer right.
    584      */
    585     datalink_AuthOk(authp->physical->dl);
    586 }
    587 
    588 static void
    589 chap_Failure(struct authinfo *authp)
    590 {
    591 #ifndef NODES
    592   char buf[1024], *ptr;
    593 #endif
    594   const char *msg;
    595 
    596 #ifndef NORADIUS
    597   struct bundle *bundle = authp->physical->link.lcp.fsm.bundle;
    598   if (*bundle->radius.cfg.file && bundle->radius.errstr)
    599     msg = bundle->radius.errstr;
    600   else
    601 #endif
    602 #ifndef NODES
    603   if (authp->physical->link.lcp.want_authtype == 0x80) {
    604     sprintf(buf, "E=691 R=1 M=Invalid!");
    605     msg = buf;
    606   } else if (authp->physical->link.lcp.want_authtype == 0x81) {
    607     int i;
    608 
    609     ptr = buf;
    610     ptr += sprintf(buf, "E=691 R=0 C=");
    611     for (i=0; i<16; i++)
    612       ptr += sprintf(ptr, "%02X", *(auth2chap(authp)->challenge.local+1+i));
    613 
    614     sprintf(ptr, " V=3 M=Invalid!");
    615     msg = buf;
    616   } else
    617 #endif
    618     msg = "Invalid!!";
    619 
    620   ChapOutput(authp->physical, CHAP_FAILURE, authp->id, msg, strlen(msg) + 1,
    621              NULL);
    622   datalink_AuthNotOk(authp->physical->dl);
    623 }
    624 
    625 static int
    626 chap_Cmp(char *myans, int mylen, char *hisans, int hislen
    627 #ifndef NODES
    628          , u_char type, int lm
    629 #endif
    630         )
    631 {
    632   int off;
    633 
    634   if (mylen != hislen)
    635     return 0;
    636 
    637   off = 0;
    638 
    639 #ifndef NODES
    640   if (type == 0x80) {
    641     off = lm ? 0 : 24;
    642     mylen = 24;
    643   }
    644 #endif
    645 
    646   for (; mylen; off++, mylen--)
    647     if (toupper(myans[off]) != toupper(hisans[off]))
    648       return 0;
    649 
    650   return 1;
    651 }
    652 
    653 #ifndef NODES
    654 static int
    655 chap_HaveAnotherGo(struct chap *chap)
    656 {
    657   if (++chap->peertries < 3) {
    658     /* Give the peer another shot */
    659     *chap->challenge.local = '\0';
    660     chap_Challenge(&chap->auth);
    661     return 1;
    662   }
    663 
    664   return 0;
    665 }
    666 #endif
    667 
    668 void
    669 chap_Init(struct chap *chap, struct physical *p)
    670 {
    671   chap->desc.type = CHAP_DESCRIPTOR;
    672   chap->desc.UpdateSet = chap_UpdateSet;
    673   chap->desc.IsSet = chap_IsSet;
    674   chap->desc.Read = chap_Read;
    675   chap->desc.Write = chap_Write;
    676   chap->child.pid = 0;
    677   chap->child.fd = -1;
    678   auth_Init(&chap->auth, p, chap_Challenge, chap_Success, chap_Failure);
    679   *chap->challenge.local = *chap->challenge.peer = '\0';
    680 #ifndef NODES
    681   chap->NTRespSent = 0;
    682   chap->peertries = 0;
    683 #endif
    684 }
    685 
    686 void
    687 chap_ReInit(struct chap *chap)
    688 {
    689   chap_Cleanup(chap, SIGTERM);
    690 }
    691 
    692 struct mbuf *
    693 chap_Input(struct bundle *bundle, struct link *l, struct mbuf *bp)
    694 {
    695   struct physical *p = link2physical(l);
    696   struct chap *chap = &p->dl->chap;
    697   char *name, *key, *ans;
    698   int len;
    699   size_t nlen;
    700   u_char alen;
    701 #ifndef NODES
    702   int lanman;
    703 #endif
    704 
    705   if (p == NULL) {
    706     log_Printf(LogERROR, "chap_Input: Not a physical link - dropped\n");
    707     m_freem(bp);
    708     return NULL;
    709   }
    710 
    711   if (bundle_Phase(bundle) != PHASE_NETWORK &&
    712       bundle_Phase(bundle) != PHASE_AUTHENTICATE) {
    713     log_Printf(LogPHASE, "Unexpected chap input - dropped !\n");
    714     m_freem(bp);
    715     return NULL;
    716   }
    717 
    718   m_settype(bp, MB_CHAPIN);
    719   if ((bp = auth_ReadHeader(&chap->auth, bp)) == NULL &&
    720       ntohs(chap->auth.in.hdr.length) == 0)
    721     log_Printf(LogWARN, "Chap Input: Truncated header !\n");
    722   else if (chap->auth.in.hdr.code == 0 || chap->auth.in.hdr.code > MAXCHAPCODE)
    723     log_Printf(LogPHASE, "Chap Input: %d: Bad CHAP code !\n",
    724                chap->auth.in.hdr.code);
    725   else {
    726     len = m_length(bp);
    727     ans = NULL;
    728 
    729     if (chap->auth.in.hdr.code != CHAP_CHALLENGE &&
    730         chap->auth.id != chap->auth.in.hdr.id &&
    731         Enabled(bundle, OPT_IDCHECK)) {
    732       /* Wrong conversation dude ! */
    733       log_Printf(LogPHASE, "Chap Input: %s dropped (got id %d, not %d)\n",
    734                  chapcodes[chap->auth.in.hdr.code], chap->auth.in.hdr.id,
    735                  chap->auth.id);
    736       m_freem(bp);
    737       return NULL;
    738     }
    739     chap->auth.id = chap->auth.in.hdr.id;	/* We respond with this id */
    740 
    741 #ifndef NODES
    742     lanman = 0;
    743 #endif
    744     switch (chap->auth.in.hdr.code) {
    745       case CHAP_CHALLENGE:
    746         bp = mbuf_Read(bp, &alen, 1);
    747         len -= alen + 1;
    748         if (len < 0) {
    749           log_Printf(LogERROR, "Chap Input: Truncated challenge !\n");
    750           m_freem(bp);
    751           return NULL;
    752         }
    753         *chap->challenge.peer = alen;
    754         bp = mbuf_Read(bp, chap->challenge.peer + 1, alen);
    755         bp = auth_ReadName(&chap->auth, bp, len);
    756 #ifndef NODES
    757         lanman = p->link.lcp.his_authtype == 0x80 &&
    758                  ((chap->NTRespSent && IsAccepted(p->link.lcp.cfg.chap80lm)) ||
    759                   !IsAccepted(p->link.lcp.cfg.chap80nt));
    760 
    761         /* Generate local challenge value */
    762         chap_ChallengeInit(&chap->auth);
    763 #endif
    764         break;
    765 
    766       case CHAP_RESPONSE:
    767         auth_StopTimer(&chap->auth);
    768         bp = mbuf_Read(bp, &alen, 1);
    769         len -= alen + 1;
    770         if (len < 0) {
    771           log_Printf(LogERROR, "Chap Input: Truncated response !\n");
    772           m_freem(bp);
    773           return NULL;
    774         }
    775         if ((ans = malloc(alen + 1)) == NULL) {
    776           log_Printf(LogERROR, "Chap Input: Out of memory !\n");
    777           m_freem(bp);
    778           return NULL;
    779         }
    780         *ans = chap->auth.id;
    781         bp = mbuf_Read(bp, ans + 1, alen);
    782         bp = auth_ReadName(&chap->auth, bp, len);
    783 #ifndef NODES
    784         lanman = p->link.lcp.want_authtype == 0x80 &&
    785                  alen == 49 && ans[alen] == 0;
    786 #endif
    787         break;
    788 
    789       case CHAP_SUCCESS:
    790       case CHAP_FAILURE:
    791         /* chap->auth.in.name is already set up at CHALLENGE time */
    792         if ((ans = malloc(len + 1)) == NULL) {
    793           log_Printf(LogERROR, "Chap Input: Out of memory !\n");
    794           m_freem(bp);
    795           return NULL;
    796         }
    797         bp = mbuf_Read(bp, ans, len);
    798         ans[len] = '\0';
    799         break;
    800     }
    801 
    802     switch (chap->auth.in.hdr.code) {
    803       case CHAP_CHALLENGE:
    804       case CHAP_RESPONSE:
    805         if (*chap->auth.in.name)
    806           log_Printf(LogPHASE, "Chap Input: %s (%d bytes from %s%s)\n",
    807                      chapcodes[chap->auth.in.hdr.code], alen,
    808                      chap->auth.in.name,
    809 #ifndef NODES
    810                      lanman && chap->auth.in.hdr.code == CHAP_RESPONSE ?
    811                      " - lanman" :
    812 #endif
    813                      "");
    814         else
    815           log_Printf(LogPHASE, "Chap Input: %s (%d bytes%s)\n",
    816                      chapcodes[chap->auth.in.hdr.code], alen,
    817 #ifndef NODES
    818                      lanman && chap->auth.in.hdr.code == CHAP_RESPONSE ?
    819                      " - lanman" :
    820 #endif
    821                      "");
    822         break;
    823 
    824       case CHAP_SUCCESS:
    825       case CHAP_FAILURE:
    826         if (*ans)
    827           log_Printf(LogPHASE, "Chap Input: %s (%s)\n",
    828                      chapcodes[chap->auth.in.hdr.code], ans);
    829         else
    830           log_Printf(LogPHASE, "Chap Input: %s\n",
    831                      chapcodes[chap->auth.in.hdr.code]);
    832         break;
    833     }
    834 
    835     switch (chap->auth.in.hdr.code) {
    836       case CHAP_CHALLENGE:
    837         if (*bundle->cfg.auth.key == '!' && bundle->cfg.auth.key[1] != '!')
    838           chap_StartChild(chap, bundle->cfg.auth.key + 1,
    839                           bundle->cfg.auth.name);
    840         else
    841           chap_Respond(chap, bundle->cfg.auth.name, bundle->cfg.auth.key +
    842                        (*bundle->cfg.auth.key == '!' ? 1 : 0)
    843 
    844 #ifndef NODES
    845                        , p->link.lcp.his_authtype, lanman
    846 #endif
    847                       );
    848         break;
    849 
    850       case CHAP_RESPONSE:
    851         name = chap->auth.in.name;
    852         nlen = strlen(name);
    853 #ifndef NODES
    854         if (p->link.lcp.want_authtype == 0x81) {
    855           struct MSCHAPv2_resp *resp = (struct MSCHAPv2_resp *)(ans + 1);
    856 
    857           chap->challenge.peer[0] = sizeof resp->PeerChallenge;
    858           memcpy(chap->challenge.peer + 1, resp->PeerChallenge,
    859                  sizeof resp->PeerChallenge);
    860         }
    861 #endif
    862 
    863 #ifndef NORADIUS
    864         if (*bundle->radius.cfg.file) {
    865           if (!radius_Authenticate(&bundle->radius, &chap->auth,
    866                                    chap->auth.in.name, ans, alen + 1,
    867                                    chap->challenge.local + 1,
    868                                    *chap->challenge.local))
    869             chap_Failure(&chap->auth);
    870         } else
    871 #endif
    872         {
    873           if (p->link.lcp.want_authtype == 0x81 && ans[alen] != '\0' &&
    874               alen == sizeof(struct MSCHAPv2_resp)) {
    875             struct MSCHAPv2_resp *resp = (struct MSCHAPv2_resp *)(ans + 1);
    876 
    877             log_Printf(LogWARN, "%s: Compensating for corrupt (Win98/WinME?) "
    878                        "CHAP81 RESPONSE\n", l->name);
    879             resp->Flags = '\0';	/* rfc2759 says it *MUST* be zero */
    880           }
    881           key = auth_GetSecret(name, nlen);
    882           if (key) {
    883 #ifndef NODES
    884             if (p->link.lcp.want_authtype == 0x80 &&
    885                 lanman && !IsEnabled(p->link.lcp.cfg.chap80lm)) {
    886               log_Printf(LogPHASE, "Auth failure: LANMan not enabled\n");
    887               if (chap_HaveAnotherGo(chap))
    888                 break;
    889               key = NULL;
    890             } else if (p->link.lcp.want_authtype == 0x80 &&
    891                 !lanman && !IsEnabled(p->link.lcp.cfg.chap80nt)) {
    892               log_Printf(LogPHASE, "Auth failure: mschap not enabled\n");
    893               if (chap_HaveAnotherGo(chap))
    894                 break;
    895               key = NULL;
    896             } else if (p->link.lcp.want_authtype == 0x81 &&
    897                 !IsEnabled(p->link.lcp.cfg.chap81)) {
    898               log_Printf(LogPHASE, "Auth failure: CHAP81 not enabled\n");
    899               key = NULL;
    900             } else
    901 #endif
    902             {
    903               char *myans = chap_BuildAnswer(name, key, chap->auth.id,
    904                                              chap->challenge.local
    905 #ifndef NODES
    906 					     , p->link.lcp.want_authtype,
    907 					     chap->challenge.peer,
    908 					     chap->authresponse, lanman);
    909               MPPE_IsServer = 1;		/* XXX Global ! */
    910 #else
    911                                       );
    912 #endif
    913               if (myans == NULL)
    914                 key = NULL;
    915               else {
    916                 if (!chap_Cmp(myans + 1, *myans, ans + 1, alen
    917 #ifndef NODES
    918                               , p->link.lcp.want_authtype, lanman
    919 #endif
    920                              ))
    921                   key = NULL;
    922                 free(myans);
    923               }
    924             }
    925           }
    926 
    927           if (key)
    928             chap_Success(&chap->auth);
    929           else
    930             chap_Failure(&chap->auth);
    931         }
    932 
    933         break;
    934 
    935       case CHAP_SUCCESS:
    936         if (p->link.lcp.auth_iwait == PROTO_CHAP) {
    937           p->link.lcp.auth_iwait = 0;
    938           if (p->link.lcp.auth_ineed == 0) {
    939 #ifndef NODES
    940             if (p->link.lcp.his_authtype == 0x81) {
    941               if (strncasecmp(ans, chap->authresponse, 42)) {
    942                 datalink_AuthNotOk(p->dl);
    943 	        log_Printf(LogWARN, "CHAP81: AuthenticatorResponse: (%.42s)"
    944                            " != ans: (%.42s)\n", chap->authresponse, ans);
    945 
    946               } else {
    947                 /* Successful login */
    948                 MPPE_MasterKeyValid = 1;		/* XXX Global ! */
    949                 datalink_AuthOk(p->dl);
    950               }
    951             } else
    952 #endif
    953             /*
    954              * We've succeeded in our ``login''
    955              * If we're not expecting  the peer to authenticate (or he already
    956              * has), proceed to network phase.
    957              */
    958             datalink_AuthOk(p->dl);
    959           }
    960         }
    961         break;
    962 
    963       case CHAP_FAILURE:
    964         datalink_AuthNotOk(p->dl);
    965         break;
    966     }
    967     free(ans);
    968   }
    969 
    970   m_freem(bp);
    971   return NULL;
    972 }
    973