1 /*- 2 * Copyright (c) 1996 - 2001 Brian Somers <brian (at) Awfulhak.org> 3 * based on work by Toshiharu OHNO <tony-o (at) iij.ad.jp> 4 * Internet Initiative Japan, Inc (IIJ) 5 * All rights reserved. 6 * 7 * Redistribution and use in source and binary forms, with or without 8 * modification, are permitted provided that the following conditions 9 * are met: 10 * 1. Redistributions of source code must retain the above copyright 11 * notice, this list of conditions and the following disclaimer. 12 * 2. Redistributions in binary form must reproduce the above copyright 13 * notice, this list of conditions and the following disclaimer in the 14 * documentation and/or other materials provided with the distribution. 15 * 16 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 17 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 18 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 19 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 20 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 21 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 22 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 23 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 24 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 25 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 26 * SUCH DAMAGE. 27 * 28 * $FreeBSD: src/usr.sbin/ppp/chap.c,v 1.86.26.1 2010/12/21 17:10:29 kensmith Exp $ 29 */ 30 31 #include <sys/param.h> 32 #include <netinet/in.h> 33 #include <netinet/in_systm.h> 34 #include <netinet/ip.h> 35 #include <sys/socket.h> 36 #include <sys/un.h> 37 38 #include <ctype.h> 39 #include <errno.h> 40 #include <fcntl.h> 41 #ifndef NODES 42 #include <md4.h> 43 #endif 44 #include <md5.h> 45 #include <paths.h> 46 #include <signal.h> 47 #include <stdio.h> 48 #include <stdlib.h> 49 #include <string.h> 50 #include <sys/wait.h> 51 #include <termios.h> 52 #include <unistd.h> 53 54 #include "layer.h" 55 #include "mbuf.h" 56 #include "log.h" 57 #include "defs.h" 58 #include "timer.h" 59 #include "fsm.h" 60 #include "proto.h" 61 #include "lqr.h" 62 #include "hdlc.h" 63 #include "lcp.h" 64 #include "auth.h" 65 #include "async.h" 66 #include "throughput.h" 67 #include "descriptor.h" 68 #include "chap.h" 69 #include "iplist.h" 70 #include "slcompress.h" 71 #include "ncpaddr.h" 72 #include "ipcp.h" 73 #include "filter.h" 74 #include "ccp.h" 75 #include "link.h" 76 #include "physical.h" 77 #include "mp.h" 78 #ifndef NORADIUS 79 #include "radius.h" 80 #endif 81 #include "ipv6cp.h" 82 #include "ncp.h" 83 #include "bundle.h" 84 #include "chat.h" 85 #include "cbcp.h" 86 #include "command.h" 87 #include "datalink.h" 88 #ifndef NODES 89 #include "chap_ms.h" 90 #include "mppe.h" 91 #endif 92 #include "id.h" 93 94 static const char * const chapcodes[] = { 95 "???", "CHALLENGE", "RESPONSE", "SUCCESS", "FAILURE" 96 }; 97 #define MAXCHAPCODE (sizeof chapcodes / sizeof chapcodes[0] - 1) 98 99 static void 100 ChapOutput(struct physical *physical, u_int code, u_int id, 101 const u_char *ptr, int count, const char *text) 102 { 103 int plen; 104 struct fsmheader lh; 105 struct mbuf *bp; 106 107 plen = sizeof(struct fsmheader) + count; 108 lh.code = code; 109 lh.id = id; 110 lh.length = htons(plen); 111 bp = m_get(plen, MB_CHAPOUT); 112 memcpy(MBUF_CTOP(bp), &lh, sizeof(struct fsmheader)); 113 if (count) 114 memcpy(MBUF_CTOP(bp) + sizeof(struct fsmheader), ptr, count); 115 log_DumpBp(LogDEBUG, "ChapOutput", bp); 116 if (text == NULL) 117 log_Printf(LogPHASE, "Chap Output: %s\n", chapcodes[code]); 118 else 119 log_Printf(LogPHASE, "Chap Output: %s (%s)\n", chapcodes[code], text); 120 link_PushPacket(&physical->link, bp, physical->dl->bundle, 121 LINK_QUEUES(&physical->link) - 1, PROTO_CHAP); 122 } 123 124 static char * 125 chap_BuildAnswer(char *name, char *key, u_char id, char *challenge 126 #ifndef NODES 127 , u_char type, char *peerchallenge, char *authresponse, 128 int lanman 129 #endif 130 ) 131 { 132 char *result, *digest; 133 size_t nlen, klen; 134 135 nlen = strlen(name); 136 klen = strlen(key); 137 138 #ifndef NODES 139 if (type == 0x80) { 140 char expkey[AUTHLEN << 2]; 141 MD4_CTX MD4context; 142 size_t f; 143 144 if ((result = malloc(1 + nlen + MS_CHAP_RESPONSE_LEN)) == NULL) 145 return result; 146 147 digest = result; /* the response */ 148 *digest++ = MS_CHAP_RESPONSE_LEN; /* 49 */ 149 memcpy(digest + MS_CHAP_RESPONSE_LEN, name, nlen); 150 if (lanman) { 151 memset(digest + 24, '\0', 25); 152 mschap_LANMan(digest, challenge + 1, key); /* LANMan response */ 153 } else { 154 memset(digest, '\0', 25); 155 digest += 24; 156 157 for (f = 0; f < klen; f++) { 158 expkey[2*f] = key[f]; 159 expkey[2*f+1] = '\0'; 160 } 161 /* 162 * ----------- 163 * expkey = | k\0e\0y\0 | 164 * ----------- 165 */ 166 MD4Init(&MD4context); 167 MD4Update(&MD4context, expkey, klen << 1); 168 MD4Final(digest, &MD4context); 169 170 /* 171 * ---- -------- ---------------- ------- ------ 172 * result = | 49 | LANMan | 16 byte digest | 9 * ? | name | 173 * ---- -------- ---------------- ------- ------ 174 */ 175 mschap_NT(digest, challenge + 1); 176 } 177 /* 178 * ---- -------- ------------- ----- ------ 179 * | | struct MS_ChapResponse24 | | 180 * result = | 49 | LANMan | NT digest | 0/1 | name | 181 * ---- -------- ------------- ----- ------ 182 * where only one of LANMan & NT digest are set. 183 */ 184 } else if (type == 0x81) { 185 char expkey[AUTHLEN << 2]; 186 char pwdhash[CHAP81_HASH_LEN]; 187 char pwdhashhash[CHAP81_HASH_LEN]; 188 char *ntresponse; 189 size_t f; 190 191 if ((result = malloc(1 + nlen + CHAP81_RESPONSE_LEN)) == NULL) 192 return result; 193 194 memset(result, 0, 1 + nlen + CHAP81_RESPONSE_LEN); 195 196 digest = result; 197 *digest++ = CHAP81_RESPONSE_LEN; /* value size */ 198 199 /* Copy our challenge */ 200 memcpy(digest, peerchallenge + 1, CHAP81_CHALLENGE_LEN); 201 202 /* Expand password to Unicode XXX */ 203 for (f = 0; f < klen; f++) { 204 expkey[2*f] = key[f]; 205 expkey[2*f+1] = '\0'; 206 } 207 208 ntresponse = digest + CHAP81_NTRESPONSE_OFF; 209 210 /* Get some needed hashes */ 211 NtPasswordHash(expkey, klen * 2, pwdhash); 212 HashNtPasswordHash(pwdhash, pwdhashhash); 213 214 /* Generate NTRESPONSE to respond on challenge call */ 215 GenerateNTResponse(challenge + 1, peerchallenge + 1, name, 216 expkey, klen * 2, ntresponse); 217 218 /* Generate MPPE MASTERKEY */ 219 GetMasterKey(pwdhashhash, ntresponse, MPPE_MasterKey); /* XXX Global ! */ 220 221 /* Generate AUTHRESPONSE to verify on auth success */ 222 GenerateAuthenticatorResponse(expkey, klen * 2, ntresponse, 223 peerchallenge + 1, challenge + 1, name, 224 authresponse); 225 226 authresponse[CHAP81_AUTHRESPONSE_LEN] = 0; 227 228 memcpy(digest + CHAP81_RESPONSE_LEN, name, nlen); 229 } else 230 #endif 231 if ((result = malloc(nlen + 17)) != NULL) { 232 /* Normal MD5 stuff */ 233 MD5_CTX MD5context; 234 235 digest = result; 236 *digest++ = 16; /* value size */ 237 238 MD5Init(&MD5context); 239 MD5Update(&MD5context, &id, 1); 240 MD5Update(&MD5context, key, klen); 241 MD5Update(&MD5context, challenge + 1, *challenge); 242 MD5Final(digest, &MD5context); 243 244 memcpy(digest + 16, name, nlen); 245 /* 246 * ---- -------- ------ 247 * result = | 16 | digest | name | 248 * ---- -------- ------ 249 */ 250 } 251 252 return result; 253 } 254 255 static void 256 chap_StartChild(struct chap *chap, char *prog, const char *name) 257 { 258 char *argv[MAXARGS], *nargv[MAXARGS]; 259 int argc, fd; 260 int in[2], out[2]; 261 pid_t pid; 262 263 if (chap->child.fd != -1) { 264 log_Printf(LogWARN, "Chap: %s: Program already running\n", prog); 265 return; 266 } 267 268 if (pipe(in) == -1) { 269 log_Printf(LogERROR, "Chap: pipe: %s\n", strerror(errno)); 270 return; 271 } 272 273 if (pipe(out) == -1) { 274 log_Printf(LogERROR, "Chap: pipe: %s\n", strerror(errno)); 275 close(in[0]); 276 close(in[1]); 277 return; 278 } 279 280 pid = getpid(); 281 switch ((chap->child.pid = fork())) { 282 case -1: 283 log_Printf(LogERROR, "Chap: fork: %s\n", strerror(errno)); 284 close(in[0]); 285 close(in[1]); 286 close(out[0]); 287 close(out[1]); 288 chap->child.pid = 0; 289 return; 290 291 case 0: 292 timer_TermService(); 293 294 if ((argc = command_Interpret(prog, strlen(prog), argv)) <= 0) { 295 if (argc < 0) { 296 log_Printf(LogWARN, "CHAP: Invalid command syntax\n"); 297 _exit(255); 298 } 299 _exit(0); 300 } 301 302 close(in[1]); 303 close(out[0]); 304 if (out[1] == STDIN_FILENO) 305 out[1] = dup(out[1]); 306 dup2(in[0], STDIN_FILENO); 307 dup2(out[1], STDOUT_FILENO); 308 close(STDERR_FILENO); 309 if (open(_PATH_DEVNULL, O_RDWR) != STDERR_FILENO) { 310 log_Printf(LogALERT, "Chap: Failed to open %s: %s\n", 311 _PATH_DEVNULL, strerror(errno)); 312 exit(1); 313 } 314 for (fd = getdtablesize(); fd > STDERR_FILENO; fd--) 315 fcntl(fd, F_SETFD, 1); 316 #ifndef NOSUID 317 setuid(ID0realuid()); 318 #endif 319 command_Expand(nargv, argc, (char const *const *)argv, 320 chap->auth.physical->dl->bundle, 0, pid); 321 execvp(nargv[0], nargv); 322 printf("exec() of %s failed: %s\n", nargv[0], strerror(errno)); 323 _exit(255); 324 325 default: 326 close(in[0]); 327 close(out[1]); 328 chap->child.fd = out[0]; 329 chap->child.buf.len = 0; 330 write(in[1], chap->auth.in.name, strlen(chap->auth.in.name)); 331 write(in[1], "\n", 1); 332 write(in[1], chap->challenge.peer + 1, *chap->challenge.peer); 333 write(in[1], "\n", 1); 334 write(in[1], name, strlen(name)); 335 write(in[1], "\n", 1); 336 close(in[1]); 337 break; 338 } 339 } 340 341 static void 342 chap_Cleanup(struct chap *chap, int sig) 343 { 344 if (chap->child.pid) { 345 int status; 346 347 close(chap->child.fd); 348 chap->child.fd = -1; 349 if (sig) 350 kill(chap->child.pid, SIGTERM); 351 chap->child.pid = 0; 352 chap->child.buf.len = 0; 353 354 if (wait(&status) == -1) 355 log_Printf(LogERROR, "Chap: wait: %s\n", strerror(errno)); 356 else if (WIFSIGNALED(status)) 357 log_Printf(LogWARN, "Chap: Child received signal %d\n", WTERMSIG(status)); 358 else if (WIFEXITED(status) && WEXITSTATUS(status)) 359 log_Printf(LogERROR, "Chap: Child exited %d\n", WEXITSTATUS(status)); 360 } 361 *chap->challenge.local = *chap->challenge.peer = '\0'; 362 #ifndef NODES 363 chap->peertries = 0; 364 #endif 365 } 366 367 static void 368 chap_Respond(struct chap *chap, char *name, char *key 369 #ifndef NODES 370 , u_char type, int lm 371 #endif 372 ) 373 { 374 u_char *ans; 375 376 ans = chap_BuildAnswer(name, key, chap->auth.id, chap->challenge.peer 377 #ifndef NODES 378 , type, chap->challenge.local, chap->authresponse, lm 379 #endif 380 ); 381 382 if (ans) { 383 ChapOutput(chap->auth.physical, CHAP_RESPONSE, chap->auth.id, 384 ans, *ans + 1 + strlen(name), name); 385 #ifndef NODES 386 chap->NTRespSent = !lm; 387 MPPE_IsServer = 0; /* XXX Global ! */ 388 #endif 389 free(ans); 390 } else 391 ChapOutput(chap->auth.physical, CHAP_FAILURE, chap->auth.id, 392 "Out of memory!", 14, NULL); 393 } 394 395 static int 396 chap_UpdateSet(struct fdescriptor *d, fd_set *r, fd_set *w __unused, 397 fd_set *e __unused, int *n) 398 { 399 struct chap *chap = descriptor2chap(d); 400 401 if (r && chap && chap->child.fd != -1) { 402 FD_SET(chap->child.fd, r); 403 if (*n < chap->child.fd + 1) 404 *n = chap->child.fd + 1; 405 log_Printf(LogTIMER, "Chap: fdset(r) %d\n", chap->child.fd); 406 return 1; 407 } 408 409 return 0; 410 } 411 412 static int 413 chap_IsSet(struct fdescriptor *d, const fd_set *fdset) 414 { 415 struct chap *chap = descriptor2chap(d); 416 417 return chap && chap->child.fd != -1 && FD_ISSET(chap->child.fd, fdset); 418 } 419 420 static void 421 chap_Read(struct fdescriptor *d, struct bundle *bundle __unused, 422 const fd_set *fdset __unused) 423 { 424 struct chap *chap = descriptor2chap(d); 425 int got; 426 427 got = read(chap->child.fd, chap->child.buf.ptr + chap->child.buf.len, 428 sizeof chap->child.buf.ptr - chap->child.buf.len - 1); 429 if (got == -1) { 430 log_Printf(LogERROR, "Chap: Read: %s\n", strerror(errno)); 431 chap_Cleanup(chap, SIGTERM); 432 } else if (got == 0) { 433 log_Printf(LogWARN, "Chap: Read: Child terminated connection\n"); 434 chap_Cleanup(chap, SIGTERM); 435 } else { 436 char *name, *key, *end; 437 438 chap->child.buf.len += got; 439 chap->child.buf.ptr[chap->child.buf.len] = '\0'; 440 name = chap->child.buf.ptr; 441 name += strspn(name, " \t"); 442 if ((key = strchr(name, '\n')) == NULL) 443 end = NULL; 444 else 445 end = strchr(++key, '\n'); 446 447 if (end == NULL) { 448 if (chap->child.buf.len == sizeof chap->child.buf.ptr - 1) { 449 log_Printf(LogWARN, "Chap: Read: Input buffer overflow\n"); 450 chap_Cleanup(chap, SIGTERM); 451 } 452 } else { 453 #ifndef NODES 454 int lanman = chap->auth.physical->link.lcp.his_authtype == 0x80 && 455 ((chap->NTRespSent && 456 IsAccepted(chap->auth.physical->link.lcp.cfg.chap80lm)) || 457 !IsAccepted(chap->auth.physical->link.lcp.cfg.chap80nt)); 458 #endif 459 460 while (end >= name && strchr(" \t\r\n", *end)) 461 *end-- = '\0'; 462 end = key - 1; 463 while (end >= name && strchr(" \t\r\n", *end)) 464 *end-- = '\0'; 465 key += strspn(key, " \t"); 466 467 chap_Respond(chap, name, key 468 #ifndef NODES 469 , chap->auth.physical->link.lcp.his_authtype, lanman 470 #endif 471 ); 472 chap_Cleanup(chap, 0); 473 } 474 } 475 } 476 477 static int 478 chap_Write(struct fdescriptor *d __unused, struct bundle *bundle __unused, 479 const fd_set *fdset __unused) 480 { 481 /* We never want to write here ! */ 482 log_Printf(LogALERT, "chap_Write: Internal error: Bad call !\n"); 483 return 0; 484 } 485 486 static void 487 chap_ChallengeInit(struct authinfo *authp) 488 { 489 struct chap *chap = auth2chap(authp); 490 int len, i; 491 char *cp; 492 493 len = strlen(authp->physical->dl->bundle->cfg.auth.name); 494 495 if (!*chap->challenge.local) { 496 randinit(); 497 cp = chap->challenge.local; 498 499 #ifndef NORADIUS 500 if (*authp->physical->dl->bundle->radius.cfg.file) { 501 /* For radius, our challenge is 16 readable NUL terminated bytes :*/ 502 *cp++ = 16; 503 for (i = 0; i < 16; i++) 504 *cp++ = (random() % 10) + '0'; 505 } else 506 #endif 507 { 508 #ifndef NODES 509 if (authp->physical->link.lcp.want_authtype == 0x80) 510 *cp++ = 8; /* MS does 8 byte callenges :-/ */ 511 else if (authp->physical->link.lcp.want_authtype == 0x81) 512 *cp++ = 16; /* MS-CHAP-V2 does 16 bytes challenges */ 513 else 514 #endif 515 *cp++ = random() % (CHAPCHALLENGELEN-16) + 16; 516 for (i = 0; i < *chap->challenge.local; i++) 517 *cp++ = random() & 0xff; 518 } 519 memcpy(cp, authp->physical->dl->bundle->cfg.auth.name, len); 520 } 521 } 522 523 static void 524 chap_Challenge(struct authinfo *authp) 525 { 526 struct chap *chap = auth2chap(authp); 527 int len; 528 529 log_Printf(LogDEBUG, "CHAP%02X: Challenge\n", 530 authp->physical->link.lcp.want_authtype); 531 532 len = strlen(authp->physical->dl->bundle->cfg.auth.name); 533 534 /* Generate new local challenge value */ 535 if (!*chap->challenge.local) 536 chap_ChallengeInit(authp); 537 538 #ifndef NODES 539 if (authp->physical->link.lcp.want_authtype == 0x81) 540 ChapOutput(authp->physical, CHAP_CHALLENGE, authp->id, 541 chap->challenge.local, 1 + *chap->challenge.local, NULL); 542 else 543 #endif 544 ChapOutput(authp->physical, CHAP_CHALLENGE, authp->id, 545 chap->challenge.local, 1 + *chap->challenge.local + len, NULL); 546 } 547 548 static void 549 chap_Success(struct authinfo *authp) 550 { 551 struct bundle *bundle = authp->physical->dl->bundle; 552 const char *msg; 553 554 datalink_GotAuthname(authp->physical->dl, authp->in.name); 555 #ifndef NODES 556 if (authp->physical->link.lcp.want_authtype == 0x81) { 557 #ifndef NORADIUS 558 if (*bundle->radius.cfg.file && bundle->radius.msrepstr) 559 msg = bundle->radius.msrepstr; 560 else 561 #endif 562 msg = auth2chap(authp)->authresponse; 563 MPPE_MasterKeyValid = 1; /* XXX Global ! */ 564 } else 565 #endif 566 #ifndef NORADIUS 567 if (*bundle->radius.cfg.file && bundle->radius.repstr) 568 msg = bundle->radius.repstr; 569 else 570 #endif 571 msg = "Welcome!!"; 572 573 ChapOutput(authp->physical, CHAP_SUCCESS, authp->id, msg, strlen(msg), 574 NULL); 575 576 authp->physical->link.lcp.auth_ineed = 0; 577 if (Enabled(bundle, OPT_UTMP)) 578 physical_Login(authp->physical, authp->in.name); 579 580 if (authp->physical->link.lcp.auth_iwait == 0) 581 /* 582 * Either I didn't need to authenticate, or I've already been 583 * told that I got the answer right. 584 */ 585 datalink_AuthOk(authp->physical->dl); 586 } 587 588 static void 589 chap_Failure(struct authinfo *authp) 590 { 591 #ifndef NODES 592 char buf[1024], *ptr; 593 #endif 594 const char *msg; 595 596 #ifndef NORADIUS 597 struct bundle *bundle = authp->physical->link.lcp.fsm.bundle; 598 if (*bundle->radius.cfg.file && bundle->radius.errstr) 599 msg = bundle->radius.errstr; 600 else 601 #endif 602 #ifndef NODES 603 if (authp->physical->link.lcp.want_authtype == 0x80) { 604 sprintf(buf, "E=691 R=1 M=Invalid!"); 605 msg = buf; 606 } else if (authp->physical->link.lcp.want_authtype == 0x81) { 607 int i; 608 609 ptr = buf; 610 ptr += sprintf(buf, "E=691 R=0 C="); 611 for (i=0; i<16; i++) 612 ptr += sprintf(ptr, "%02X", *(auth2chap(authp)->challenge.local+1+i)); 613 614 sprintf(ptr, " V=3 M=Invalid!"); 615 msg = buf; 616 } else 617 #endif 618 msg = "Invalid!!"; 619 620 ChapOutput(authp->physical, CHAP_FAILURE, authp->id, msg, strlen(msg) + 1, 621 NULL); 622 datalink_AuthNotOk(authp->physical->dl); 623 } 624 625 static int 626 chap_Cmp(char *myans, int mylen, char *hisans, int hislen 627 #ifndef NODES 628 , u_char type, int lm 629 #endif 630 ) 631 { 632 int off; 633 634 if (mylen != hislen) 635 return 0; 636 637 off = 0; 638 639 #ifndef NODES 640 if (type == 0x80) { 641 off = lm ? 0 : 24; 642 mylen = 24; 643 } 644 #endif 645 646 for (; mylen; off++, mylen--) 647 if (toupper(myans[off]) != toupper(hisans[off])) 648 return 0; 649 650 return 1; 651 } 652 653 #ifndef NODES 654 static int 655 chap_HaveAnotherGo(struct chap *chap) 656 { 657 if (++chap->peertries < 3) { 658 /* Give the peer another shot */ 659 *chap->challenge.local = '\0'; 660 chap_Challenge(&chap->auth); 661 return 1; 662 } 663 664 return 0; 665 } 666 #endif 667 668 void 669 chap_Init(struct chap *chap, struct physical *p) 670 { 671 chap->desc.type = CHAP_DESCRIPTOR; 672 chap->desc.UpdateSet = chap_UpdateSet; 673 chap->desc.IsSet = chap_IsSet; 674 chap->desc.Read = chap_Read; 675 chap->desc.Write = chap_Write; 676 chap->child.pid = 0; 677 chap->child.fd = -1; 678 auth_Init(&chap->auth, p, chap_Challenge, chap_Success, chap_Failure); 679 *chap->challenge.local = *chap->challenge.peer = '\0'; 680 #ifndef NODES 681 chap->NTRespSent = 0; 682 chap->peertries = 0; 683 #endif 684 } 685 686 void 687 chap_ReInit(struct chap *chap) 688 { 689 chap_Cleanup(chap, SIGTERM); 690 } 691 692 struct mbuf * 693 chap_Input(struct bundle *bundle, struct link *l, struct mbuf *bp) 694 { 695 struct physical *p = link2physical(l); 696 struct chap *chap = &p->dl->chap; 697 char *name, *key, *ans; 698 int len; 699 size_t nlen; 700 u_char alen; 701 #ifndef NODES 702 int lanman; 703 #endif 704 705 if (p == NULL) { 706 log_Printf(LogERROR, "chap_Input: Not a physical link - dropped\n"); 707 m_freem(bp); 708 return NULL; 709 } 710 711 if (bundle_Phase(bundle) != PHASE_NETWORK && 712 bundle_Phase(bundle) != PHASE_AUTHENTICATE) { 713 log_Printf(LogPHASE, "Unexpected chap input - dropped !\n"); 714 m_freem(bp); 715 return NULL; 716 } 717 718 m_settype(bp, MB_CHAPIN); 719 if ((bp = auth_ReadHeader(&chap->auth, bp)) == NULL && 720 ntohs(chap->auth.in.hdr.length) == 0) 721 log_Printf(LogWARN, "Chap Input: Truncated header !\n"); 722 else if (chap->auth.in.hdr.code == 0 || chap->auth.in.hdr.code > MAXCHAPCODE) 723 log_Printf(LogPHASE, "Chap Input: %d: Bad CHAP code !\n", 724 chap->auth.in.hdr.code); 725 else { 726 len = m_length(bp); 727 ans = NULL; 728 729 if (chap->auth.in.hdr.code != CHAP_CHALLENGE && 730 chap->auth.id != chap->auth.in.hdr.id && 731 Enabled(bundle, OPT_IDCHECK)) { 732 /* Wrong conversation dude ! */ 733 log_Printf(LogPHASE, "Chap Input: %s dropped (got id %d, not %d)\n", 734 chapcodes[chap->auth.in.hdr.code], chap->auth.in.hdr.id, 735 chap->auth.id); 736 m_freem(bp); 737 return NULL; 738 } 739 chap->auth.id = chap->auth.in.hdr.id; /* We respond with this id */ 740 741 #ifndef NODES 742 lanman = 0; 743 #endif 744 switch (chap->auth.in.hdr.code) { 745 case CHAP_CHALLENGE: 746 bp = mbuf_Read(bp, &alen, 1); 747 len -= alen + 1; 748 if (len < 0) { 749 log_Printf(LogERROR, "Chap Input: Truncated challenge !\n"); 750 m_freem(bp); 751 return NULL; 752 } 753 *chap->challenge.peer = alen; 754 bp = mbuf_Read(bp, chap->challenge.peer + 1, alen); 755 bp = auth_ReadName(&chap->auth, bp, len); 756 #ifndef NODES 757 lanman = p->link.lcp.his_authtype == 0x80 && 758 ((chap->NTRespSent && IsAccepted(p->link.lcp.cfg.chap80lm)) || 759 !IsAccepted(p->link.lcp.cfg.chap80nt)); 760 761 /* Generate local challenge value */ 762 chap_ChallengeInit(&chap->auth); 763 #endif 764 break; 765 766 case CHAP_RESPONSE: 767 auth_StopTimer(&chap->auth); 768 bp = mbuf_Read(bp, &alen, 1); 769 len -= alen + 1; 770 if (len < 0) { 771 log_Printf(LogERROR, "Chap Input: Truncated response !\n"); 772 m_freem(bp); 773 return NULL; 774 } 775 if ((ans = malloc(alen + 1)) == NULL) { 776 log_Printf(LogERROR, "Chap Input: Out of memory !\n"); 777 m_freem(bp); 778 return NULL; 779 } 780 *ans = chap->auth.id; 781 bp = mbuf_Read(bp, ans + 1, alen); 782 bp = auth_ReadName(&chap->auth, bp, len); 783 #ifndef NODES 784 lanman = p->link.lcp.want_authtype == 0x80 && 785 alen == 49 && ans[alen] == 0; 786 #endif 787 break; 788 789 case CHAP_SUCCESS: 790 case CHAP_FAILURE: 791 /* chap->auth.in.name is already set up at CHALLENGE time */ 792 if ((ans = malloc(len + 1)) == NULL) { 793 log_Printf(LogERROR, "Chap Input: Out of memory !\n"); 794 m_freem(bp); 795 return NULL; 796 } 797 bp = mbuf_Read(bp, ans, len); 798 ans[len] = '\0'; 799 break; 800 } 801 802 switch (chap->auth.in.hdr.code) { 803 case CHAP_CHALLENGE: 804 case CHAP_RESPONSE: 805 if (*chap->auth.in.name) 806 log_Printf(LogPHASE, "Chap Input: %s (%d bytes from %s%s)\n", 807 chapcodes[chap->auth.in.hdr.code], alen, 808 chap->auth.in.name, 809 #ifndef NODES 810 lanman && chap->auth.in.hdr.code == CHAP_RESPONSE ? 811 " - lanman" : 812 #endif 813 ""); 814 else 815 log_Printf(LogPHASE, "Chap Input: %s (%d bytes%s)\n", 816 chapcodes[chap->auth.in.hdr.code], alen, 817 #ifndef NODES 818 lanman && chap->auth.in.hdr.code == CHAP_RESPONSE ? 819 " - lanman" : 820 #endif 821 ""); 822 break; 823 824 case CHAP_SUCCESS: 825 case CHAP_FAILURE: 826 if (*ans) 827 log_Printf(LogPHASE, "Chap Input: %s (%s)\n", 828 chapcodes[chap->auth.in.hdr.code], ans); 829 else 830 log_Printf(LogPHASE, "Chap Input: %s\n", 831 chapcodes[chap->auth.in.hdr.code]); 832 break; 833 } 834 835 switch (chap->auth.in.hdr.code) { 836 case CHAP_CHALLENGE: 837 if (*bundle->cfg.auth.key == '!' && bundle->cfg.auth.key[1] != '!') 838 chap_StartChild(chap, bundle->cfg.auth.key + 1, 839 bundle->cfg.auth.name); 840 else 841 chap_Respond(chap, bundle->cfg.auth.name, bundle->cfg.auth.key + 842 (*bundle->cfg.auth.key == '!' ? 1 : 0) 843 844 #ifndef NODES 845 , p->link.lcp.his_authtype, lanman 846 #endif 847 ); 848 break; 849 850 case CHAP_RESPONSE: 851 name = chap->auth.in.name; 852 nlen = strlen(name); 853 #ifndef NODES 854 if (p->link.lcp.want_authtype == 0x81) { 855 struct MSCHAPv2_resp *resp = (struct MSCHAPv2_resp *)(ans + 1); 856 857 chap->challenge.peer[0] = sizeof resp->PeerChallenge; 858 memcpy(chap->challenge.peer + 1, resp->PeerChallenge, 859 sizeof resp->PeerChallenge); 860 } 861 #endif 862 863 #ifndef NORADIUS 864 if (*bundle->radius.cfg.file) { 865 if (!radius_Authenticate(&bundle->radius, &chap->auth, 866 chap->auth.in.name, ans, alen + 1, 867 chap->challenge.local + 1, 868 *chap->challenge.local)) 869 chap_Failure(&chap->auth); 870 } else 871 #endif 872 { 873 if (p->link.lcp.want_authtype == 0x81 && ans[alen] != '\0' && 874 alen == sizeof(struct MSCHAPv2_resp)) { 875 struct MSCHAPv2_resp *resp = (struct MSCHAPv2_resp *)(ans + 1); 876 877 log_Printf(LogWARN, "%s: Compensating for corrupt (Win98/WinME?) " 878 "CHAP81 RESPONSE\n", l->name); 879 resp->Flags = '\0'; /* rfc2759 says it *MUST* be zero */ 880 } 881 key = auth_GetSecret(name, nlen); 882 if (key) { 883 #ifndef NODES 884 if (p->link.lcp.want_authtype == 0x80 && 885 lanman && !IsEnabled(p->link.lcp.cfg.chap80lm)) { 886 log_Printf(LogPHASE, "Auth failure: LANMan not enabled\n"); 887 if (chap_HaveAnotherGo(chap)) 888 break; 889 key = NULL; 890 } else if (p->link.lcp.want_authtype == 0x80 && 891 !lanman && !IsEnabled(p->link.lcp.cfg.chap80nt)) { 892 log_Printf(LogPHASE, "Auth failure: mschap not enabled\n"); 893 if (chap_HaveAnotherGo(chap)) 894 break; 895 key = NULL; 896 } else if (p->link.lcp.want_authtype == 0x81 && 897 !IsEnabled(p->link.lcp.cfg.chap81)) { 898 log_Printf(LogPHASE, "Auth failure: CHAP81 not enabled\n"); 899 key = NULL; 900 } else 901 #endif 902 { 903 char *myans = chap_BuildAnswer(name, key, chap->auth.id, 904 chap->challenge.local 905 #ifndef NODES 906 , p->link.lcp.want_authtype, 907 chap->challenge.peer, 908 chap->authresponse, lanman); 909 MPPE_IsServer = 1; /* XXX Global ! */ 910 #else 911 ); 912 #endif 913 if (myans == NULL) 914 key = NULL; 915 else { 916 if (!chap_Cmp(myans + 1, *myans, ans + 1, alen 917 #ifndef NODES 918 , p->link.lcp.want_authtype, lanman 919 #endif 920 )) 921 key = NULL; 922 free(myans); 923 } 924 } 925 } 926 927 if (key) 928 chap_Success(&chap->auth); 929 else 930 chap_Failure(&chap->auth); 931 } 932 933 break; 934 935 case CHAP_SUCCESS: 936 if (p->link.lcp.auth_iwait == PROTO_CHAP) { 937 p->link.lcp.auth_iwait = 0; 938 if (p->link.lcp.auth_ineed == 0) { 939 #ifndef NODES 940 if (p->link.lcp.his_authtype == 0x81) { 941 if (strncasecmp(ans, chap->authresponse, 42)) { 942 datalink_AuthNotOk(p->dl); 943 log_Printf(LogWARN, "CHAP81: AuthenticatorResponse: (%.42s)" 944 " != ans: (%.42s)\n", chap->authresponse, ans); 945 946 } else { 947 /* Successful login */ 948 MPPE_MasterKeyValid = 1; /* XXX Global ! */ 949 datalink_AuthOk(p->dl); 950 } 951 } else 952 #endif 953 /* 954 * We've succeeded in our ``login'' 955 * If we're not expecting the peer to authenticate (or he already 956 * has), proceed to network phase. 957 */ 958 datalink_AuthOk(p->dl); 959 } 960 } 961 break; 962 963 case CHAP_FAILURE: 964 datalink_AuthNotOk(p->dl); 965 break; 966 } 967 free(ans); 968 } 969 970 m_freem(bp); 971 return NULL; 972 } 973
