/*
- * chap.h - Challenge Handshake Authentication Protocol definitions.
+ * chap-new.c - New CHAP implementation.
*
- * Copyright (c) 1993-2002 Paul Mackerras. All rights reserved.
+ * Copyright (c) 2003 Paul Mackerras. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in
- * the documentation and/or other materials provided with the
- * distribution.
- *
- * 3. The name(s) of the authors of this software must not be used to
+ * 2. The name(s) of the authors of this software must not be used to
* endorse or promote products derived from this software without
* prior written permission.
*
- * 4. Redistributions of any form whatsoever must retain the following
+ * 3. Redistributions of any form whatsoever must retain the following
* acknowledgment:
* "This product includes software developed by Paul Mackerras
* <paulus@samba.org>".
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN
* AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING
* OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- *
- * Copyright (c) 1991 Gregory M. Christy
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms are permitted
- * provided that the above copyright notice and this paragraph are
- * duplicated in all such forms and that any documentation,
- * advertising materials, and other materials related to such
- * distribution and use acknowledge that the software was developed
- * by the author.
- *
- * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
- * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
- *
- * $Id: chap.h,v 1.15 2002/12/04 23:03:32 paulus Exp $
*/
-#ifndef __CHAP_INCLUDE__
+#ifndef PPP_CHAP_NEW_H
+#define PPP_CHAP_NEW_H
-/* Code + ID + length */
-#define CHAP_HEADERLEN 4
+#include "pppdconf.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
/*
- * CHAP codes.
+ * CHAP packets begin with a standard header with code, id, len (2 bytes).
*/
+#define CHAP_HDRLEN 4
-#define CHAP_DIGEST_MD5 5 /* use MD5 algorithm */
-#define MD5_SIGNATURE_SIZE 16 /* 16 bytes in a MD5 message digest */
-#define CHAP_MICROSOFT 0x80 /* use Microsoft-compatible alg. */
-#define CHAP_MICROSOFT_V2 0x81 /* use Microsoft-compatible alg. */
+/*
+ * Values for the code field.
+ */
+#define CHAP_CHALLENGE 1
+#define CHAP_RESPONSE 2
+#define CHAP_SUCCESS 3
+#define CHAP_FAILURE 4
+
+/*
+ * CHAP digest codes.
+ */
+#define CHAP_MD5 5
+#define CHAP_MICROSOFT 0x80
+#define CHAP_MICROSOFT_V2 0x81
/*
- * Digest type and selection.
+ * Semi-arbitrary limits on challenge and response fields.
*/
+#define MAX_CHALLENGE_LEN 64
+#define MAX_RESPONSE_LEN 64
/* bitmask of supported algorithms */
#define MDTYPE_MICROSOFT_V2 0x1
#define MDTYPE_MICROSOFT 0x2
#define MDTYPE_MD5 0x4
+#define MDTYPE_NONE 0
-#ifdef CHAPMS
-#define MDTYPE_ALL (MDTYPE_MICROSOFT_V2 | MDTYPE_MICROSOFT | MDTYPE_MD5)
-#else
-#define MDTYPE_ALL (MDTYPE_MD5)
-#endif
-#define MDTYPE_NONE 0
+/* hashes supported by this instance of pppd */
+extern int chap_mdtype_all;
/* Return the digest alg. ID for the most preferred digest type. */
#define CHAP_DIGEST(mdtype) \
+ ((mdtype) & MDTYPE_MD5)? CHAP_MD5: \
((mdtype) & MDTYPE_MICROSOFT_V2)? CHAP_MICROSOFT_V2: \
((mdtype) & MDTYPE_MICROSOFT)? CHAP_MICROSOFT: \
- ((mdtype) & MDTYPE_MD5)? CHAP_DIGEST_MD5: \
0
/* Return the bit flag (lsb set) for our most preferred digest type. */
#define CHAP_MDTYPE_D(digest) \
((digest) == CHAP_MICROSOFT_V2)? MDTYPE_MICROSOFT_V2: \
((digest) == CHAP_MICROSOFT)? MDTYPE_MICROSOFT: \
- ((digest) == CHAP_DIGEST_MD5)? MDTYPE_MD5: \
+ ((digest) == CHAP_MD5)? MDTYPE_MD5: \
0
/* Can we do the requested digest? */
#define CHAP_CANDIGEST(mdtype, digest) \
((digest) == CHAP_MICROSOFT_V2)? (mdtype) & MDTYPE_MICROSOFT_V2: \
((digest) == CHAP_MICROSOFT)? (mdtype) & MDTYPE_MICROSOFT: \
- ((digest) == CHAP_DIGEST_MD5)? (mdtype) & MDTYPE_MD5: \
+ ((digest) == CHAP_MD5)? (mdtype) & MDTYPE_MD5: \
0
-#define CHAP_CHALLENGE 1
-#define CHAP_RESPONSE 2
-#define CHAP_SUCCESS 3
-#define CHAP_FAILURE 4
/*
- * Challenge lengths (for challenges we send) and other limits.
+ * The code for each digest type has to supply one of these.
*/
-#define MIN_CHALLENGE_LENGTH 16
-#define MAX_CHALLENGE_LENGTH 24 /* sufficient for MS-CHAP Peer Chal. */
-#define MAX_RESPONSE_LENGTH 64 /* sufficient for MD5 or MS-CHAP */
-#define MS_AUTH_RESPONSE_LENGTH 40 /* MS-CHAPv2 authenticator response, */
- /* as ASCII */
+struct chap_digest_type {
+ int code;
+
+ /*
+ * Note: challenge and response arguments below are formatted as
+ * a length byte followed by the actual challenge/response data.
+ */
+ void (*generate_challenge)(unsigned char *challenge);
+ int (*verify_response)(int id, char *name,
+ unsigned char *secret, int secret_len,
+ unsigned char *challenge, unsigned char *response,
+ char *message, int message_space);
+ void (*make_response)(unsigned char *response, int id, char *our_name,
+ unsigned char *challenge, char *secret, int secret_len,
+ unsigned char *priv);
+ int (*check_success)(int id, unsigned char *pkt, int len);
+ void (*handle_failure)(unsigned char *pkt, int len);
+
+ struct chap_digest_type *next;
+};
/*
- * Each interface is described by a chap structure.
+ * This function will return a value of 1 to indicate that a plugin intend to supply
+ * a username or a password to pppd through the chap_passwd_hook callback.
+ *
+ * Return a value > 0 to avoid parsing the chap-secrets file.
*/
-
-typedef struct chap_state {
- int unit; /* Interface unit number */
- int clientstate; /* Client state */
- int serverstate; /* Server state */
- u_char challenge[MAX_CHALLENGE_LENGTH]; /* last challenge string sent */
- u_char chal_len; /* challenge length */
- u_char chal_id; /* ID of last challenge */
- u_char chal_type; /* hash algorithm for challenges */
- u_char id; /* Current id */
- char *chal_name; /* Our name to use with challenge */
- int chal_interval; /* Time until we challenge peer again */
- int timeouttime; /* Timeout time in seconds */
- int max_transmits; /* Maximum # of challenge transmissions */
- int chal_transmits; /* Number of transmissions of challenge */
- int resp_transmits; /* Number of transmissions of response */
- u_char response[MAX_RESPONSE_LENGTH]; /* Response to send */
- char saresponse[MS_AUTH_RESPONSE_LENGTH+1]; /* Auth response to send */
- char earesponse[MS_AUTH_RESPONSE_LENGTH+1]; /* Auth response expected */
- /* +1 for null terminator */
- u_char resp_flags; /* flags from MS-CHAPv2 auth response */
- u_char resp_length; /* length of response */
- u_char resp_id; /* ID for response messages */
- u_char resp_type; /* hash algorithm for responses */
- char *resp_name; /* Our name to send with response */
-} chap_state;
-
-/* We need the declaration of chap_state to use this prototype */
-extern int (*chap_auth_hook) __P((char *user, u_char *remmd,
- int remmd_len, chap_state *cstate));
+typedef int (chap_check_hook_fn)(void);
+extern chap_check_hook_fn *chap_check_hook;
/*
- * Client (peer) states.
+ * A plugin can chose to supply its own user and password overriding whatever
+ * has been provided by the configuration. Hook is only valid when pppd is
+ * acting as a client.
+ *
+ * The maximum size of the user argument is always MAXNAMELEN
+ * The length of the password is always MAXWORDLEN, however; secrets can't be
+ * longer than MAXSECRETLEN
+ *
+ * Return a value < 0 to fail the connection.
*/
-#define CHAPCS_INITIAL 0 /* Lower layer down, not opened */
-#define CHAPCS_CLOSED 1 /* Lower layer up, not opened */
-#define CHAPCS_PENDING 2 /* Auth us to peer when lower up */
-#define CHAPCS_LISTEN 3 /* Listening for a challenge */
-#define CHAPCS_RESPONSE 4 /* Sent response, waiting for status */
-#define CHAPCS_OPEN 5 /* We've received Success */
+typedef int (chap_passwd_hook_fn)(char *user, char *password);
+extern chap_passwd_hook_fn *chap_passwd_hook;
/*
- * Server (authenticator) states.
+ * A plugin can chose to replace the default chap_verify_response function with
+ * one of their own.
*/
-#define CHAPSS_INITIAL 0 /* Lower layer down, not opened */
-#define CHAPSS_CLOSED 1 /* Lower layer up, not opened */
-#define CHAPSS_PENDING 2 /* Auth peer when lower up */
-#define CHAPSS_INITIAL_CHAL 3 /* We've sent the first challenge */
-#define CHAPSS_OPEN 4 /* We've sent a Success msg */
-#define CHAPSS_RECHALLENGE 5 /* We've sent another challenge */
-#define CHAPSS_BADAUTH 6 /* We've sent a Failure msg */
+typedef int (chap_verify_hook_fn)(char *name, char *ourname, int id,
+ struct chap_digest_type *digest,
+ unsigned char *challenge, unsigned char *response,
+ char *message, int message_space);
+extern chap_verify_hook_fn *chap_verify_hook;
-/*
- * Timeouts.
- */
-#define CHAP_DEFTIMEOUT 3 /* Timeout time in seconds */
-#define CHAP_DEFTRANSMITS 10 /* max # times to send challenge */
+/* Called by digest code to register a digest type */
+extern void chap_register_digest(struct chap_digest_type *);
+
+/* Lookup a digest handler by type */
+extern struct chap_digest_type *chap_find_digest(int digest_code);
-extern chap_state chap[];
+/* Called by authentication code to start authenticating the peer. */
+extern void chap_auth_peer(int unit, char *our_name, int digest_code);
-void ChapAuthWithPeer __P((int, char *, int));
-void ChapAuthPeer __P((int, char *, int));
+/* Called by auth. code to start authenticating us to the peer. */
+extern void chap_auth_with_peer(int unit, char *our_name, int digest_code);
+/* Represents the CHAP protocol to the main pppd code */
extern struct protent chap_protent;
-#define __CHAP_INCLUDE__
-#endif /* __CHAP_INCLUDE__ */
+#ifdef __cplusplus
+}
+#endif
+
+#endif // PPP_CHAP_NEW_H