2 * chap-new.c - New CHAP implementation.
4 * Copyright (c) 2003 Paul Mackerras. All rights reserved.
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in
15 * the documentation and/or other materials provided with the
18 * 3. The name(s) of the authors of this software must not be used to
19 * endorse or promote products derived from this software without
20 * prior written permission.
22 * 4. Redistributions of any form whatsoever must retain the following
24 * "This product includes software developed by Paul Mackerras
25 * <paulus@samba.org>".
27 * THE AUTHORS OF THIS SOFTWARE DISCLAIM ALL WARRANTIES WITH REGARD TO
28 * THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
29 * AND FITNESS, IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY
30 * SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
31 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN
32 * AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING
33 * OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
36 #define RCSID "$Id: chap-new.c,v 1.4 2004/01/17 05:47:55 carlsonj Exp $"
48 /* Hook for a plugin to validate CHAP challenge */
49 int (*chap_verify_hook)(char *name, char *ourname, int id,
50 struct chap_digest_type *digest,
51 unsigned char *challenge, unsigned char *response,
52 char *message, int message_space) = NULL;
57 int chap_timeout_time = 3;
58 int chap_max_transmits = 10;
59 int chap_rechallenge_time = 0;
62 * Command-line options.
64 static option_t chap_option_list[] = {
65 { "chap-restart", o_int, &chap_timeout_time,
66 "Set timeout for CHAP", OPT_PRIO },
67 { "chap-max-challenge", o_int, &chap_max_transmits,
68 "Set max #xmits for challenge", OPT_PRIO },
69 { "chap-interval", o_int, &chap_rechallenge_time,
70 "Set interval for rechallenge", OPT_PRIO },
77 static struct chap_client_state {
80 struct chap_digest_type *digest;
81 unsigned char priv[64]; /* private area for digest's use */
85 * These limits apply to challenge and response packets we send.
86 * The +4 is the +1 that we actually need rounded up.
88 #define CHAL_MAX_PKTLEN (PPP_HDRLEN + CHAP_HDRLEN + 4 + MAX_CHALLENGE_LEN + MAXNAMELEN)
89 #define RESP_MAX_PKTLEN (PPP_HDRLEN + CHAP_HDRLEN + 4 + MAX_RESPONSE_LEN + MAXNAMELEN)
91 static struct chap_server_state {
95 struct chap_digest_type *digest;
98 unsigned char challenge[CHAL_MAX_PKTLEN];
101 /* Values for flags in chap_client_state and chap_server_state */
103 #define AUTH_STARTED 2
105 #define AUTH_FAILED 8
106 #define TIMEOUT_PENDING 0x10
107 #define CHALLENGE_VALID 0x20
112 static void chap_init(int unit);
113 static void chap_lowerup(int unit);
114 static void chap_lowerdown(int unit);
115 static void chap_timeout(void *arg);
116 static void chap_generate_challenge(struct chap_server_state *ss);
117 static void chap_handle_response(struct chap_server_state *ss, int code,
118 unsigned char *pkt, int len);
119 static int chap_verify_response(char *name, char *ourname, int id,
120 struct chap_digest_type *digest,
121 unsigned char *challenge, unsigned char *response,
122 char *message, int message_space);
123 static void chap_respond(struct chap_client_state *cs, int id,
124 unsigned char *pkt, int len);
125 static void chap_handle_status(struct chap_client_state *cs, int code, int id,
126 unsigned char *pkt, int len);
127 static void chap_protrej(int unit);
128 static void chap_input(int unit, unsigned char *pkt, int pktlen);
129 static int chap_print_pkt(unsigned char *p, int plen,
130 void (*printer) __P((void *, char *, ...)), void *arg);
132 /* List of digest types that we know about */
133 static struct chap_digest_type *chap_digests;
136 * chap_init - reset to initial state.
141 memset(&client, 0, sizeof(client));
142 memset(&server, 0, sizeof(server));
151 * Add a new digest type to the list.
154 chap_register_digest(struct chap_digest_type *dp)
156 dp->next = chap_digests;
161 * chap_lowerup - we can start doing stuff now.
164 chap_lowerup(int unit)
166 struct chap_client_state *cs = &client;
167 struct chap_server_state *ss = &server;
169 cs->flags |= LOWERUP;
170 ss->flags |= LOWERUP;
171 if (ss->flags & AUTH_STARTED)
176 chap_lowerdown(int unit)
178 struct chap_client_state *cs = &client;
179 struct chap_server_state *ss = &server;
182 if (ss->flags & TIMEOUT_PENDING)
183 UNTIMEOUT(chap_timeout, ss);
188 * chap_auth_peer - Start authenticating the peer.
189 * If the lower layer is already up, we start sending challenges,
190 * otherwise we wait for the lower layer to come up.
193 chap_auth_peer(int unit, char *our_name, int digest_code)
195 struct chap_server_state *ss = &server;
196 struct chap_digest_type *dp;
198 if (ss->flags & AUTH_STARTED) {
199 error("CHAP: peer authentication already started!");
202 for (dp = chap_digests; dp != NULL; dp = dp->next)
203 if (dp->code == digest_code)
206 fatal("CHAP digest 0x%x requested but not available",
211 /* Start with a random ID value */
212 ss->id = (unsigned char)(drand48() * 256);
213 ss->flags |= AUTH_STARTED;
214 if (ss->flags & LOWERUP)
219 * chap_auth_with_peer - Prepare to authenticate ourselves to the peer.
220 * There isn't much to do until we receive a challenge.
223 chap_auth_with_peer(int unit, char *our_name, int digest_code)
225 struct chap_client_state *cs = &client;
226 struct chap_digest_type *dp;
228 if (cs->flags & AUTH_STARTED) {
229 error("CHAP: authentication with peer already started!");
232 for (dp = chap_digests; dp != NULL; dp = dp->next)
233 if (dp->code == digest_code)
236 fatal("CHAP digest 0x%x requested but not available",
241 cs->flags |= AUTH_STARTED;
245 * chap_timeout - It's time to send another challenge to the peer.
246 * This could be either a retransmission of a previous challenge,
247 * or a new challenge to start re-authentication.
250 chap_timeout(void *arg)
252 struct chap_server_state *ss = arg;
254 ss->flags &= ~TIMEOUT_PENDING;
255 if ((ss->flags & CHALLENGE_VALID) == 0) {
256 ss->challenge_xmits = 0;
257 chap_generate_challenge(ss);
258 ss->flags |= CHALLENGE_VALID;
259 } else if (ss->challenge_xmits >= chap_max_transmits) {
260 ss->flags &= ~CHALLENGE_VALID;
261 ss->flags |= AUTH_DONE | AUTH_FAILED;
262 auth_peer_fail(0, PPP_CHAP);
266 output(0, ss->challenge, ss->challenge_pktlen);
267 ++ss->challenge_xmits;
268 ss->flags |= TIMEOUT_PENDING;
269 TIMEOUT(chap_timeout, arg, chap_timeout_time);
273 * chap_generate_challenge - generate a challenge string and format
274 * the challenge packet in ss->challenge_pkt.
277 chap_generate_challenge(struct chap_server_state *ss)
279 int clen = 1, nlen, len;
283 MAKEHEADER(p, PPP_CHAP);
285 ss->digest->generate_challenge(p);
287 nlen = strlen(ss->name);
288 memcpy(p + 1 + clen, ss->name, nlen);
290 len = CHAP_HDRLEN + 1 + clen + nlen;
291 ss->challenge_pktlen = PPP_HDRLEN + len;
293 p = ss->challenge + PPP_HDRLEN;
294 p[0] = CHAP_CHALLENGE;
301 * chap_handle_response - check the response to our challenge.
304 chap_handle_response(struct chap_server_state *ss, int id,
305 unsigned char *pkt, int len)
307 int response_len, ok, mlen;
308 unsigned char *response, *p;
309 char *name = NULL; /* initialized to shut gcc up */
310 int (*verifier)(char *, char *, int, struct chap_digest_type *,
311 unsigned char *, unsigned char *, char *, int);
312 char rname[MAXNAMELEN+1];
315 if ((ss->flags & LOWERUP) == 0)
317 if (id != ss->challenge[PPP_HDRLEN+1] || len < 2)
319 if ((ss->flags & AUTH_DONE) == 0) {
320 if ((ss->flags & CHALLENGE_VALID) == 0)
323 GETCHAR(response_len, pkt);
324 len -= response_len + 1; /* length of name */
325 name = (char *)pkt + response_len;
329 ss->flags &= ~CHALLENGE_VALID;
330 if (ss->flags & TIMEOUT_PENDING) {
331 ss->flags &= ~TIMEOUT_PENDING;
332 UNTIMEOUT(chap_timeout, ss);
335 if (explicit_remote) {
338 /* Null terminate and clean remote name. */
339 slprintf(rname, sizeof(rname), "%.*v", len, name);
343 if (chap_verify_hook)
344 verifier = chap_verify_hook;
346 verifier = chap_verify_response;
347 ok = (*verifier)(name, ss->name, id, ss->digest,
348 ss->challenge + PPP_HDRLEN + CHAP_HDRLEN,
349 response, message, sizeof(message));
350 if (!ok || !auth_number()) {
351 ss->flags |= AUTH_FAILED;
352 warn("Peer %q failed CHAP authentication", name);
356 /* send the response */
358 MAKEHEADER(p, PPP_CHAP);
359 mlen = strlen(message);
360 len = CHAP_HDRLEN + mlen;
361 p[0] = (ss->flags & AUTH_FAILED)? CHAP_FAILURE: CHAP_SUCCESS;
366 memcpy(p + CHAP_HDRLEN, message, mlen);
367 output(0, outpacket_buf, PPP_HDRLEN + len);
369 if ((ss->flags & AUTH_DONE) == 0) {
370 ss->flags |= AUTH_DONE;
371 if (ss->flags & AUTH_FAILED) {
372 auth_peer_fail(0, PPP_CHAP);
374 auth_peer_success(0, PPP_CHAP, ss->digest->code,
376 if (chap_rechallenge_time) {
377 ss->flags |= TIMEOUT_PENDING;
378 TIMEOUT(chap_timeout, ss,
379 chap_rechallenge_time);
386 * chap_verify_response - check whether the peer's response matches
387 * what we think it should be. Returns 1 if it does (authentication
388 * succeeded), or 0 if it doesn't.
391 chap_verify_response(char *name, char *ourname, int id,
392 struct chap_digest_type *digest,
393 unsigned char *challenge, unsigned char *response,
394 char *message, int message_space)
397 unsigned char secret[MAXSECRETLEN];
400 /* Get the secret that the peer is supposed to know */
401 if (!get_secret(0, name, ourname, (char *)secret, &secret_len, 1)) {
402 error("No CHAP secret found for authenticating %q", name);
406 ok = digest->verify_response(id, name, secret, secret_len, challenge,
407 response, message, message_space);
408 memset(secret, 0, sizeof(secret));
414 * chap_respond - Generate and send a response to a challenge.
417 chap_respond(struct chap_client_state *cs, int id,
418 unsigned char *pkt, int len)
423 unsigned char response[RESP_MAX_PKTLEN];
424 char rname[MAXNAMELEN+1];
425 char secret[MAXSECRETLEN+1];
427 if ((cs->flags & (LOWERUP | AUTH_STARTED)) != (LOWERUP | AUTH_STARTED))
428 return; /* not ready */
429 if (len < 2 || len < pkt[0] + 1)
430 return; /* too short */
432 nlen = len - (clen + 1);
434 /* Null terminate and clean remote name. */
435 slprintf(rname, sizeof(rname), "%.*v", nlen, pkt + clen + 1);
437 /* Microsoft doesn't send their name back in the PPP packet */
438 if (explicit_remote || (remote_name[0] != 0 && rname[0] == 0))
439 strlcpy(rname, remote_name, sizeof(rname));
441 /* get secret for authenticating ourselves with the specified host */
442 if (!get_secret(0, cs->name, rname, secret, &secret_len, 0)) {
443 secret_len = 0; /* assume null secret if can't find one */
444 warn("No CHAP secret found for authenticating us to %q", rname);
448 MAKEHEADER(p, PPP_CHAP);
451 cs->digest->make_response(p, id, cs->name, pkt,
452 secret, secret_len, cs->priv);
453 memset(secret, 0, secret_len);
456 nlen = strlen(cs->name);
457 memcpy(p + clen + 1, cs->name, nlen);
459 p = response + PPP_HDRLEN;
460 len = CHAP_HDRLEN + clen + 1 + nlen;
461 p[0] = CHAP_RESPONSE;
466 output(0, response, PPP_HDRLEN + len);
470 chap_handle_status(struct chap_client_state *cs, int code, int id,
471 unsigned char *pkt, int len)
473 const char *msg = NULL;
475 if ((cs->flags & (AUTH_DONE|AUTH_STARTED|LOWERUP))
476 != (AUTH_STARTED|LOWERUP))
478 cs->flags |= AUTH_DONE;
480 if (code == CHAP_SUCCESS) {
481 /* used for MS-CHAP v2 mutual auth, yuck */
482 if (cs->digest->check_success != NULL) {
483 if (!(*cs->digest->check_success)(pkt, len, cs->priv))
486 msg = "CHAP authentication succeeded";
488 if (cs->digest->handle_failure != NULL)
489 (*cs->digest->handle_failure)(pkt, len);
491 msg = "CHAP authentication failed";
495 info("%s: %.*v", msg, len, pkt);
499 if (code == CHAP_SUCCESS)
500 auth_withpeer_success(0, PPP_CHAP, cs->digest->code);
502 cs->flags |= AUTH_FAILED;
503 auth_withpeer_fail(0, PPP_CHAP);
508 chap_input(int unit, unsigned char *pkt, int pktlen)
510 struct chap_client_state *cs = &client;
511 struct chap_server_state *ss = &server;
512 unsigned char code, id;
515 if (pktlen < CHAP_HDRLEN)
520 if (len < CHAP_HDRLEN || len > pktlen)
526 chap_respond(cs, id, pkt, len);
529 chap_handle_response(ss, id, pkt, len);
533 chap_handle_status(cs, code, id, pkt, len);
539 chap_protrej(int unit)
541 struct chap_client_state *cs = &client;
542 struct chap_server_state *ss = &server;
544 if (ss->flags & TIMEOUT_PENDING) {
545 ss->flags &= ~TIMEOUT_PENDING;
546 UNTIMEOUT(chap_timeout, ss);
548 if (ss->flags & AUTH_STARTED) {
550 auth_peer_fail(0, PPP_CHAP);
552 if ((cs->flags & (AUTH_STARTED|AUTH_DONE)) == AUTH_STARTED) {
553 cs->flags &= ~AUTH_STARTED;
554 auth_withpeer_fail(0, PPP_CHAP);
559 * chap_print_pkt - print the contents of a CHAP packet.
561 static char *chap_code_names[] = {
562 "Challenge", "Response", "Success", "Failure"
566 chap_print_pkt(unsigned char *p, int plen,
567 void (*printer) __P((void *, char *, ...)), void *arg)
573 if (plen < CHAP_HDRLEN)
578 if (len < CHAP_HDRLEN || len > plen)
581 if (code >= 1 && code <= sizeof(chap_code_names) / sizeof(char *))
582 printer(arg, " %s", chap_code_names[code-1]);
584 printer(arg, " code=0x%x", code);
585 printer(arg, " id=0x%x", id);
596 nlen = len - clen - 1;
598 for (; clen > 0; --clen) {
600 printer(arg, "%.2x", x);
602 printer(arg, ">, name = ");
603 print_string((char *)p, nlen, printer, arg);
608 print_string((char *)p, len, printer, arg);
611 for (clen = len; clen > 0; --clen) {
613 printer(arg, " %.2x", x);
617 return len + CHAP_HDRLEN;
620 struct protent chap_protent = {
630 NULL, /* datainput */
631 1, /* enabled_flag */
633 NULL, /* data_name */
635 NULL, /* check_options */