To avoid bleeding over to third party projects. They are all
defined and exported by pppdconf.h either way. These projects
will still have a consistent view of how pppd was compiled.
Signed-off-by: Eivind Næss <eivnaes@yahoo.com>
15 files changed:
AC_ARG_ENABLE([microsoft-extensions],
AS_HELP_STRING([--disable-microsoft-extensions], [Disable Microsoft CHAP / MPPE extensions]))
AC_ARG_ENABLE([microsoft-extensions],
AS_HELP_STRING([--disable-microsoft-extensions], [Disable Microsoft CHAP / MPPE extensions]))
-AM_CONDITIONAL(WITH_CHAPMS, test "x${enable_microsoft_extensions}" != "xno")
-AM_COND_IF([WITH_CHAPMS],
- AC_DEFINE([CHAPMS], 1, ["Have Microsoft CHAP support"]))
+AM_CONDITIONAL(PPP_WITH_CHAPMS, test "x${enable_microsoft_extensions}" != "xno")
+AM_COND_IF([PPP_WITH_CHAPMS],
+ AC_DEFINE([PPP_WITH_CHAPMS], 1, ["Have Microsoft CHAP support"]))
-AM_CONDITIONAL(WITH_MPPE, test "x${enable_microsoft_extensions}" != "xno")
-AM_COND_IF([WITH_MPPE],
- AC_DEFINE([MPPE], 1, ["Have Microsoft MPPE support"]))
+AM_CONDITIONAL(PPP_WITH_MPPE, test "x${enable_microsoft_extensions}" != "xno")
+AM_COND_IF([PPP_WITH_MPPE],
+ AC_DEFINE([PPP_WITH_MPPE], 1, ["Have Microsoft MPPE support"]))
#
# Enable Microsoft LAN Manager support, depends on Microsoft Extensions
AC_ARG_ENABLE([mslanman],
AS_HELP_STRING([--enable-mslanman], [Enable Microsoft LAN Manager support]))
AS_IF([test "x${enable_mslanman}" = "xyes" && test "x${enable_microsoft_extensions}" != "xno"],
#
# Enable Microsoft LAN Manager support, depends on Microsoft Extensions
AC_ARG_ENABLE([mslanman],
AS_HELP_STRING([--enable-mslanman], [Enable Microsoft LAN Manager support]))
AS_IF([test "x${enable_mslanman}" = "xyes" && test "x${enable_microsoft_extensions}" != "xno"],
- AC_DEFINE([MSLANMAN], 1, ["Have Microsoft LAN Manager support"]))
+ AC_DEFINE([PPP_WITH_MSLANMAN], 1, ["Have Microsoft LAN Manager support"]))
pppd_LIBS += -lsocket -lnsl
endif
pppd_LIBS += -lsocket -lnsl
endif
pppd_SOURCES += chap_ms.c
pppd_SOURCES += pppcrypt.c
check_PROGRAMS += utest_chap
pppd_SOURCES += chap_ms.c
pppd_SOURCES += pppcrypt.c
check_PROGRAMS += utest_chap
pppd_SOURCES += cbcp.c
endif
pppd_SOURCES += cbcp.c
endif
pppd_SOURCES += mppe.c
endif
pppd_SOURCES += mppe.c
endif
bool refuse_pap = 0; /* Don't wanna auth. ourselves with PAP */
bool refuse_chap = 0; /* Don't wanna auth. ourselves with CHAP */
bool refuse_eap = 0; /* Don't wanna auth. ourselves with EAP */
bool refuse_pap = 0; /* Don't wanna auth. ourselves with PAP */
bool refuse_chap = 0; /* Don't wanna auth. ourselves with CHAP */
bool refuse_eap = 0; /* Don't wanna auth. ourselves with EAP */
bool refuse_mschap = 0; /* Don't wanna auth. ourselves with MS-CHAP */
bool refuse_mschap_v2 = 0; /* Don't wanna auth. ourselves with MS-CHAPv2 */
#else
bool refuse_mschap = 0; /* Don't wanna auth. ourselves with MS-CHAP */
bool refuse_mschap_v2 = 0; /* Don't wanna auth. ourselves with MS-CHAPv2 */
#else
"Require CHAP authentication from peer",
OPT_ALIAS | OPT_PRIOSUB | OPT_A2OR | MDTYPE_MD5,
&lcp_wantoptions[0].chap_mdtype },
"Require CHAP authentication from peer",
OPT_ALIAS | OPT_PRIOSUB | OPT_A2OR | MDTYPE_MD5,
&lcp_wantoptions[0].chap_mdtype },
{ "require-mschap", o_bool, &auth_required,
"Require MS-CHAP authentication from peer",
OPT_PRIOSUB | OPT_A2OR | MDTYPE_MICROSOFT,
{ "require-mschap", o_bool, &auth_required,
"Require MS-CHAP authentication from peer",
OPT_PRIOSUB | OPT_A2OR | MDTYPE_MICROSOFT,
"Don't allow CHAP authentication with peer",
OPT_ALIAS | OPT_A2CLRB | MDTYPE_MD5,
&lcp_allowoptions[0].chap_mdtype },
"Don't allow CHAP authentication with peer",
OPT_ALIAS | OPT_A2CLRB | MDTYPE_MD5,
&lcp_allowoptions[0].chap_mdtype },
{ "refuse-mschap", o_bool, &refuse_mschap,
"Don't agree to auth to peer with MS-CHAP",
OPT_A2CLRB | MDTYPE_MICROSOFT,
{ "refuse-mschap", o_bool, &refuse_mschap,
"Don't agree to auth to peer with MS-CHAP",
OPT_A2CLRB | MDTYPE_MICROSOFT,
case CHAP_MD5:
bit |= CHAP_MD5_PEER;
break;
case CHAP_MD5:
bit |= CHAP_MD5_PEER;
break;
case CHAP_MICROSOFT:
bit |= CHAP_MS_PEER;
break;
case CHAP_MICROSOFT:
bit |= CHAP_MS_PEER;
break;
case CHAP_MD5:
bit |= CHAP_MD5_WITHPEER;
break;
case CHAP_MD5:
bit |= CHAP_MD5_WITHPEER;
break;
case CHAP_MICROSOFT:
bit |= CHAP_MS_WITHPEER;
break;
case CHAP_MICROSOFT:
bit |= CHAP_MS_WITHPEER;
break;
/*
* Option variables.
*/
/*
* Option variables.
*/
bool refuse_mppe_stateful = 1; /* Allow stateful mode? */
#endif
bool refuse_mppe_stateful = 1; /* Allow stateful mode? */
#endif
"don't allow Predictor-1", OPT_ALIAS | OPT_PRIOSUB | OPT_A2CLR,
&ccp_allowoptions[0].predictor_1 },
"don't allow Predictor-1", OPT_ALIAS | OPT_PRIOSUB | OPT_A2CLR,
&ccp_allowoptions[0].predictor_1 },
/* MPPE options are symmetrical ... we only set wantoptions here */
{ "require-mppe", o_bool, &ccp_wantoptions[0].mppe,
"require MPPE encryption",
/* MPPE options are symmetrical ... we only set wantoptions here */
{ "require-mppe", o_bool, &ccp_wantoptions[0].mppe,
"require MPPE encryption",
fsm_input(f, p, len);
if (oldstate == OPENED && p[0] == TERMREQ && f->state != OPENED) {
notice("Compression disabled by peer.");
fsm_input(f, p, len);
if (oldstate == OPENED && p[0] == TERMREQ && f->state != OPENED) {
notice("Compression disabled by peer.");
if (ccp_gotoptions[unit].mppe) {
error("MPPE disabled, closing LCP");
lcp_close(unit, "MPPE disabled by peer");
if (ccp_gotoptions[unit].mppe) {
error("MPPE disabled, closing LCP");
lcp_close(unit, "MPPE disabled by peer");
ccp_flags_set(unit, 0, 0);
fsm_lowerdown(&ccp_fsm[unit]);
ccp_flags_set(unit, 0, 0);
fsm_lowerdown(&ccp_fsm[unit]);
if (ccp_gotoptions[unit].mppe) {
error("MPPE required but peer negotiation failed");
lcp_close(unit, "MPPE required but peer negotiation failed");
if (ccp_gotoptions[unit].mppe) {
error("MPPE required but peer negotiation failed");
lcp_close(unit, "MPPE required but peer negotiation failed");
*go = ccp_wantoptions[f->unit];
all_rejected[f->unit] = 0;
*go = ccp_wantoptions[f->unit];
all_rejected[f->unit] = 0;
if (go->mppe) {
ccp_options *ao = &ccp_allowoptions[f->unit];
int auth_mschap_bits = auth_done[f->unit];
if (go->mppe) {
ccp_options *ao = &ccp_allowoptions[f->unit];
int auth_mschap_bits = auth_done[f->unit];
ao->predictor_2 = go->predictor_2 = 0;
ao->deflate = go->deflate = 0;
}
ao->predictor_2 = go->predictor_2 = 0;
ao->deflate = go->deflate = 0;
}
/*
* Check whether the kernel knows about the various
* compression methods we might request.
*/
/*
* Check whether the kernel knows about the various
* compression methods we might request.
*/
if (go->mppe) {
opt_buf[0] = CI_MPPE;
opt_buf[1] = CILEN_MPPE;
if (go->mppe) {
opt_buf[0] = CI_MPPE;
opt_buf[1] = CILEN_MPPE;
lcp_close(f->unit, "MPPE required but not available");
}
}
lcp_close(f->unit, "MPPE required but not available");
}
}
+#endif /* PPP_WITH_MPPE */
if (go->bsd_compress) {
opt_buf[0] = CI_BSD_COMPRESS;
opt_buf[1] = CILEN_BSD_COMPRESS;
if (go->bsd_compress) {
opt_buf[0] = CI_BSD_COMPRESS;
opt_buf[1] = CILEN_BSD_COMPRESS;
* preference order. Get the kernel to allocate the first one
* in case it gets Acked.
*/
* preference order. Get the kernel to allocate the first one
* in case it gets Acked.
*/
if (go->mppe) {
u_char opt_buf[CILEN_MPPE + MPPE_MAX_KEY_LEN];
if (go->mppe) {
u_char opt_buf[CILEN_MPPE + MPPE_MAX_KEY_LEN];
ccp_options *go = &ccp_gotoptions[f->unit];
u_char *p0 = p;
ccp_options *go = &ccp_gotoptions[f->unit];
u_char *p0 = p;
if (go->mppe) {
u_char opt_buf[CILEN_MPPE];
if (go->mppe) {
u_char opt_buf[CILEN_MPPE];
memset(&no, 0, sizeof(no));
try = *go;
memset(&no, 0, sizeof(no));
try = *go;
if (go->mppe && len >= CILEN_MPPE
&& p[0] == CI_MPPE && p[1] == CILEN_MPPE) {
no.mppe = 1;
if (go->mppe && len >= CILEN_MPPE
&& p[0] == CI_MPPE && p[1] == CILEN_MPPE) {
no.mppe = 1;
lcp_close(f->unit, "MPPE required but peer negotiation failed");
}
}
lcp_close(f->unit, "MPPE required but peer negotiation failed");
}
}
+#endif /* PPP_WITH_MPPE */
if (go->deflate && len >= CILEN_DEFLATE
&& p[0] == (go->deflate_correct? CI_DEFLATE: CI_DEFLATE_DRAFT)
&& p[1] == CILEN_DEFLATE) {
if (go->deflate && len >= CILEN_DEFLATE
&& p[0] == (go->deflate_correct? CI_DEFLATE: CI_DEFLATE_DRAFT)
&& p[1] == CILEN_DEFLATE) {
if (len == 0 && all_rejected[f->unit])
return -1;
if (len == 0 && all_rejected[f->unit])
return -1;
if (go->mppe && len >= CILEN_MPPE
&& p[0] == CI_MPPE && p[1] == CILEN_MPPE) {
error("MPPE required but peer refused");
if (go->mppe && len >= CILEN_MPPE
&& p[0] == CI_MPPE && p[1] == CILEN_MPPE) {
error("MPPE required but peer refused");
int len, clen, type, nb;
ccp_options *ho = &ccp_hisoptions[f->unit];
ccp_options *ao = &ccp_allowoptions[f->unit];
int len, clen, type, nb;
ccp_options *ho = &ccp_hisoptions[f->unit];
ccp_options *ao = &ccp_allowoptions[f->unit];
bool rej_for_ci_mppe = 1; /* Are we rejecting based on a bad/missing */
/* CI_MPPE, or due to other options? */
#endif
bool rej_for_ci_mppe = 1; /* Are we rejecting based on a bad/missing */
/* CI_MPPE, or due to other options? */
#endif
clen = p[1];
switch (type) {
clen = p[1];
switch (type) {
case CI_MPPE:
if (!ao->mppe || clen != CILEN_MPPE) {
newret = CONFREJ;
case CI_MPPE:
if (!ao->mppe || clen != CILEN_MPPE) {
newret = CONFREJ;
*/
rej_for_ci_mppe = 0;
break;
*/
rej_for_ci_mppe = 0;
break;
+#endif /* PPP_WITH_MPPE */
case CI_DEFLATE:
case CI_DEFLATE_DRAFT:
if (!ao->deflate || clen != CILEN_DEFLATE
case CI_DEFLATE:
case CI_DEFLATE_DRAFT:
if (!ao->deflate || clen != CILEN_DEFLATE
else
*lenp = retp - p0;
}
else
*lenp = retp - p0;
}
if (ret == CONFREJ && ao->mppe && rej_for_ci_mppe) {
error("MPPE required but peer negotiation failed");
lcp_close(f->unit, "MPPE required but peer negotiation failed");
if (ret == CONFREJ && ao->mppe && rej_for_ci_mppe) {
error("MPPE required but peer negotiation failed");
lcp_close(f->unit, "MPPE required but peer negotiation failed");
if (!ANY_COMPRESS(*opt))
return "(none)";
switch (opt->method) {
if (!ANY_COMPRESS(*opt))
return "(none)";
switch (opt->method) {
case CI_MPPE:
{
char *p = result;
case CI_MPPE:
{
char *p = result;
notice("%s receive compression enabled", method_name(go, NULL));
} else if (ANY_COMPRESS(*ho))
notice("%s transmit compression enabled", method_name(ho, NULL));
notice("%s receive compression enabled", method_name(go, NULL));
} else if (ANY_COMPRESS(*ho))
notice("%s transmit compression enabled", method_name(ho, NULL));
if (go->mppe) {
mppe_clear_keys();
continue_networks(f->unit); /* Bring up IP et al */
if (go->mppe) {
mppe_clear_keys();
continue_networks(f->unit); /* Bring up IP et al */
UNTIMEOUT(ccp_rack_timeout, f);
ccp_localstate[f->unit] = 0;
ccp_flags_set(f->unit, 1, 0);
UNTIMEOUT(ccp_rack_timeout, f);
ccp_localstate[f->unit] = 0;
ccp_flags_set(f->unit, 1, 0);
if (ccp_gotoptions[f->unit].mppe) {
ccp_gotoptions[f->unit].mppe = 0;
if (lcp_fsm[f->unit].state == OPENED) {
if (ccp_gotoptions[f->unit].mppe) {
ccp_gotoptions[f->unit].mppe = 0;
if (lcp_fsm[f->unit].state == OPENED) {
len -= optlen;
optend = p + optlen;
switch (code) {
len -= optlen;
optend = p + optlen;
switch (code) {
case CI_MPPE:
if (optlen >= CILEN_MPPE) {
u_char mppe_opts;
case CI_MPPE:
if (optlen >= CILEN_MPPE) {
u_char mppe_opts;
*/
error("Lost compression sync: disabling compression");
ccp_close(unit, "Lost compression sync");
*/
error("Lost compression sync: disabling compression");
ccp_close(unit, "Lost compression sync");
/*
* If we were doing MPPE, we must also take the link down.
*/
/*
* If we were doing MPPE, we must also take the link down.
*/
#include "chap-new.h"
#include "chap-md5.h"
#include "chap-new.h"
#include "chap-md5.h"
#include "chap_ms.h"
#define MDTYPE_ALL (MDTYPE_MICROSOFT_V2 | MDTYPE_MICROSOFT | MDTYPE_MD5)
#else
#include "chap_ms.h"
#define MDTYPE_ALL (MDTYPE_MICROSOFT_V2 | MDTYPE_MICROSOFT | MDTYPE_MD5)
#else
memset(&server, 0, sizeof(server));
chap_md5_init();
memset(&server, 0, sizeof(server));
chap_md5_init();
#include "config.h"
#endif
#include "config.h"
#endif
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include "mppe.h"
#ifdef UNIT_TEST
#include "mppe.h"
#ifdef UNIT_TEST
#endif
static void ascii2unicode (char[], int, u_char[]);
#endif
static void ascii2unicode (char[], int, u_char[]);
static void GenerateAuthenticatorResponsePlain
(char*, int, u_char[24], u_char[16], u_char *,
char *, u_char[41]);
static void GenerateAuthenticatorResponsePlain
(char*, int, u_char[24], u_char[16], u_char *,
char *, u_char[41]);
+#ifdef PPP_WITH_MSLANMAN
static void ChapMS_LANMan (u_char *, char *, int, u_char *);
#endif
static void ChapMS_LANMan (u_char *, char *, int, u_char *);
#endif
+#ifdef PPP_WITH_MSLANMAN
bool ms_lanman = 0; /* Use LanMan password instead of NT */
/* Has meaning only with MS-CHAP challenges */
#endif
bool ms_lanman = 0; /* Use LanMan password instead of NT */
/* Has meaning only with MS-CHAP challenges */
#endif
#ifdef DEBUGMPPEKEY
/* For MPPE debug */
/* Use "[]|}{?/><,`!2&&(" (sans quotes) for RFC 3079 MS-CHAPv2 test value */
#ifdef DEBUGMPPEKEY
/* For MPPE debug */
/* Use "[]|}{?/><,`!2&&(" (sans quotes) for RFC 3079 MS-CHAPv2 test value */
* Command-line options.
*/
static option_t chapms_option_list[] = {
* Command-line options.
*/
static option_t chapms_option_list[] = {
+#ifdef PPP_WITH_MSLANMAN
{ "ms-lanman", o_bool, &ms_lanman,
"Use LanMan passwd when using MS-CHAP", 1 },
#endif
{ "ms-lanman", o_bool, &ms_lanman,
"Use LanMan passwd when using MS-CHAP", 1 },
#endif
if (response_len != MS_CHAP_RESPONSE_LEN)
goto bad;
if (response_len != MS_CHAP_RESPONSE_LEN)
goto bad;
+#ifndef PPP_WITH_MSLANMAN
if (!response[MS_CHAP_USENT]) {
/* Should really propagate this into the error packet. */
notice("Peer request for LANMAN auth not supported");
if (!response[MS_CHAP_USENT]) {
/* Should really propagate this into the error packet. */
notice("Peer request for LANMAN auth not supported");
/* Generate the expected response. */
ChapMS(challenge, (char *)secret, secret_len, md);
/* Generate the expected response. */
ChapMS(challenge, (char *)secret, secret_len, md);
+#ifdef PPP_WITH_MSLANMAN
/* Determine which part of response to verify against */
if (!response[MS_CHAP_USENT])
diff = memcmp(&response[MS_CHAP_LANMANRESP],
/* Determine which part of response to verify against */
if (!response[MS_CHAP_USENT])
diff = memcmp(&response[MS_CHAP_LANMANRESP],
ChallengeResponse(Challenge, PasswordHash, NTResponse);
}
ChallengeResponse(Challenge, PasswordHash, NTResponse);
}
+#ifdef PPP_WITH_MSLANMAN
static u_char *StdText = (u_char *)"KGS!@#$%"; /* key from rasapi32.dll */
static void
static u_char *StdText = (u_char *)"KGS!@#$%"; /* key from rasapi32.dll */
static void
/*
* Set mppe_xxxx_key from MS-CHAP credentials. (see RFC 3079)
/*
* Set mppe_xxxx_key from MS-CHAP credentials. (see RFC 3079)
mppe_set_chapv2(PasswordHashHash, NTResponse, IsServer);
}
mppe_set_chapv2(PasswordHashHash, NTResponse, IsServer);
}
+#endif /* PPP_WITH_MPPE */
ChapMS_NT(rchallenge, secret, secret_len, &response[MS_CHAP_NTRESP]);
ChapMS_NT(rchallenge, secret, secret_len, &response[MS_CHAP_NTRESP]);
+#ifdef PPP_WITH_MSLANMAN
ChapMS_LANMan(rchallenge, secret, secret_len,
&response[MS_CHAP_LANMANRESP]);
ChapMS_LANMan(rchallenge, secret, secret_len,
&response[MS_CHAP_LANMANRESP]);
response[MS_CHAP_USENT] = 1;
#endif
response[MS_CHAP_USENT] = 1;
#endif
Set_Start_Key(rchallenge, secret, secret_len);
#endif
}
Set_Start_Key(rchallenge, secret, secret_len);
#endif
}
&response[MS_CHAP2_PEER_CHALLENGE],
rchallenge, user, authResponse);
&response[MS_CHAP2_PEER_CHALLENGE],
rchallenge, user, authResponse);
SetMasterKeys(secret, secret_len,
&response[MS_CHAP2_NTRESP], authenticator);
#endif
SetMasterKeys(secret, secret_len,
&response[MS_CHAP2_NTRESP], authenticator);
#endif
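Review bot: In the `#ifdef PPP_WITH_MSLANMAN` branch of the verify path (the `if (!response[MS_CHAP_USENT])` line followed by `diff = memcmp(&response[MS_CHAP_LANMANRESP], ...`), which half of the response is verified is selected by the `MS_CHAP_USENT` byte of the peer's own response, so a build with PPP_WITH_MSLANMAN verifies against the LANMAN response whenever the peer clears that byte, independently of the local `ms-lanman` option, whose help text ("Use LanMan passwd when using MS-CHAP") and the `response[MS_CHAP_USENT] = 1` assignment in the response generator suggest it only governs what this side sends. The rename carries that pre-existing behavior over unchanged, but nothing at the option, the build flag or the branch says that the flag also widens what the authenticator accepts. I would add above the branch `/* NOTE: the peer selects LANMAN vs NT via MS_CHAP_USENT; ms_lanman only affects the responses we generate, so PPP_WITH_MSLANMAN also widens what we accept as an authenticator. */`. The enclosing verify function starts and ends outside the hunk.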
size_t len, SSL * ssl, void *arg);
int ssl_new_session_cb(SSL *s, SSL_SESSION *sess);
size_t len, SSL * ssl, void *arg);
int ssl_new_session_cb(SSL *s, SSL_SESSION *sess);
#define EAPTLS_MPPE_KEY_LEN 32
/*
#define EAPTLS_MPPE_KEY_LEN 32
/*
+#endif /* PPP_WITH_MPPE */
int password_callback (char *buf, int size, int rwflag, void *u)
{
int password_callback (char *buf, int size, int rwflag, void *u)
{
char *clicertfile, char *servcertfile, char *cacertfile,
char *capath, char *pkfile, char *pkcs12, int am_server);
char *clicertfile, char *servcertfile, char *cacertfile,
char *capath, char *pkfile, char *pkcs12, int am_server);
void eaptls_gen_mppe_keys(struct eaptls_session *ets, int client);
#endif
void eaptls_gen_mppe_keys(struct eaptls_session *ets, int client);
#endif
#include "eap-tls.h"
#endif /* USE_EAPTLS */
#include "eap-tls.h"
#endif /* USE_EAPTLS */
#include "chap_ms.h"
#include "chap-new.h"
extern int chapms_strip_domain;
#include "chap_ms.h"
#include "chap-new.h"
extern int chapms_strip_domain;
+#endif /* PPP_WITH_CHAPMS */
eap_state eap_states[NUM_PPP]; /* EAP state; one for each unit */
#ifdef USE_SRP
eap_state eap_states[NUM_PPP]; /* EAP state; one for each unit */
#ifdef USE_SRP
#ifdef USE_EAPTLS
esp->es_client.ea_using_eaptls = 0;
#endif /* USE_EAPTLS */
#ifdef USE_EAPTLS
esp->es_client.ea_using_eaptls = 0;
#endif /* USE_EAPTLS */
esp->es_client.digest = chap_find_digest(CHAP_MICROSOFT_V2);
esp->es_server.digest = chap_find_digest(CHAP_MICROSOFT_V2);
#endif
esp->es_client.digest = chap_find_digest(CHAP_MICROSOFT_V2);
esp->es_server.digest = chap_find_digest(CHAP_MICROSOFT_V2);
#endif
case eapMSCHAPv2Chall:
#endif
case eapMD5Chall:
case eapMSCHAPv2Chall:
#endif
case eapMD5Chall:
#endif /* USE_EAPTLS */
}
#endif /* USE_EAPTLS */
}
/*
* eap_chap_verify_response - check whether the peer's response matches
* what we think it should be. Returns 1 if it does (authentication
/*
* eap_chap_verify_response - check whether the peer's response matches
* what we think it should be. Returns 1 if it does (authentication
auth_peer_fail(esp->es_unit, PPP_EAP);
}
}
auth_peer_fail(esp->es_unit, PPP_EAP);
}
}
+#endif /* PPP_WITH_CHAPMS */
/*
* Format an EAP Request message and send it to the peer. Message
/*
* Format an EAP Request message and send it to the peer. Message
INCPTR(esp->es_server.ea_namelen, outp);
break;
INCPTR(esp->es_server.ea_namelen, outp);
break;
case eapMSCHAPv2Chall:
esp->es_server.digest->generate_challenge(esp->es_challenge);
challen = esp->es_challenge[0];
case eapMSCHAPv2Chall:
esp->es_server.digest->generate_challenge(esp->es_challenge);
challen = esp->es_challenge[0];
esp->es_server.ea_namelen);
INCPTR(esp->es_server.ea_namelen, outp);
break;
esp->es_server.ea_namelen);
INCPTR(esp->es_server.ea_namelen, outp);
break;
+#endif /* PPP_WITH_CHAPMS */
#ifdef USE_EAPTLS
case eapTlsStart:
#ifdef USE_EAPTLS
case eapTlsStart:
/*
* Format and send an CHAPV2-Challenge EAP Response message.
*/
/*
* Format and send an CHAPV2-Challenge EAP Response message.
*/
/* Check if TLS handshake is finished */
if(eaptls_is_init_finished(ets)) {
/* Check if TLS handshake is finished */
if(eaptls_is_init_finished(ets)) {
eaptls_gen_mppe_keys(ets, 1);
#endif
eaptls_free_session(ets);
eaptls_gen_mppe_keys(ets, 1);
#endif
eaptls_free_session(ets);
break;
#endif /* USE_SRP */
break;
#endif /* USE_SRP */
case EAPT_MSCHAPV2:
if (len < 4) {
error("EAP: received invalid MSCHAPv2 packet, too short");
case EAPT_MSCHAPV2:
if (len < 4) {
error("EAP: received invalid MSCHAPv2 packet, too short");
+#endif /* PPP_WITH_CHAPMS */
#ifdef USE_PEAP
case EAPT_PEAP:
#ifdef USE_PEAP
case EAPT_PEAP:
default:
info("EAP: unknown authentication type %d; Naking", typenum);
default:
info("EAP: unknown authentication type %d; Naking", typenum);
struct eaptls_session *ets;
u_char flags;
#endif /* USE_EAPTLS */
struct eaptls_session *ets;
u_char flags;
#endif /* USE_EAPTLS */
u_char opcode;
int (*chap_verifier)(char *, char *, int, struct chap_digest_type *,
unsigned char *, unsigned char *, char *, int);
char response_message[256];
u_char opcode;
int (*chap_verifier)(char *, char *, int, struct chap_digest_type *,
unsigned char *, unsigned char *, char *, int);
char response_message[256];
+#endif /* PPP_WITH_CHAPMS */
/*
* Ignore responses if we're not open
/*
* Ignore responses if we're not open
GETCHAR(flags, inp);
if(len == 1 && !flags) { /* Ack = ok */
GETCHAR(flags, inp);
if(len == 1 && !flags) { /* Ack = ok */
eaptls_gen_mppe_keys( esp->es_server.ea_session, 0 );
#endif
eap_send_success(esp);
eaptls_gen_mppe_keys( esp->es_server.ea_session, 0 );
#endif
eap_send_success(esp);
break;
#endif /* USE_EAPTLS */
break;
#endif /* USE_EAPTLS */
case EAPT_MSCHAPV2:
info("EAP: peer proposes MSCHAPv2");
/* If MSCHAPv2 digest was not found, NAK the packet */
case EAPT_MSCHAPV2:
info("EAP: peer proposes MSCHAPv2");
/* If MSCHAPv2 digest was not found, NAK the packet */
}
esp->es_server.ea_state = eapMSCHAPv2Chall;
break;
}
esp->es_server.ea_state = eapMSCHAPv2Chall;
break;
+#endif /* PPP_WITH_CHAPMS */
default:
dbglog("EAP: peer requesting unknown Type %d", vallen);
default:
dbglog("EAP: peer requesting unknown Type %d", vallen);
TIMEOUT(eap_rechallenge, esp, esp->es_rechallenge);
break;
TIMEOUT(eap_rechallenge, esp, esp->es_rechallenge);
break;
case EAPT_MSCHAPV2:
if (len < 1) {
error("EAP: received MSCHAPv2 with no data");
case EAPT_MSCHAPV2:
if (len < 1) {
error("EAP: received MSCHAPv2 with no data");
+#endif /* PPP_WITH_CHAPMS */
#ifdef USE_SRP
case EAPT_SRP:
#ifdef USE_SRP
case EAPT_SRP:
#ifdef USE_EAPTLS
u_char flags;
#endif /* USE_EAPTLS */
#ifdef USE_EAPTLS
u_char flags;
#endif /* USE_EAPTLS */
+#endif /* PPP_WITH_CHAPMS */
if (inlen < EAP_HEADERLEN)
return (0);
if (inlen < EAP_HEADERLEN)
return (0);
case EAPT_MSCHAPV2:
if (len <= 0)
break;
case EAPT_MSCHAPV2:
if (len <= 0)
break;
+#endif /* PPP_WITH_CHAPMS */
#ifdef USE_EAPTLS
case EAPT_TLS:
#ifdef USE_EAPTLS
case EAPT_TLS:
case EAPT_MSCHAPV2:
if (len <= 0)
break;
case EAPT_MSCHAPV2:
if (len <= 0)
break;
+#endif /* PPP_WITH_CHAPMS */
#ifdef USE_SRP
case EAPT_SRP:
#ifdef USE_SRP
case EAPT_SRP:
#ifdef USE_EAPTLS
enum eap_state_code ea_prev_state;
#endif
#ifdef USE_EAPTLS
enum eap_state_code ea_prev_state;
#endif
struct chap_digest_type *digest;
#endif
u_char ea_id; /* Current id */
struct chap_digest_type *digest;
#endif
u_char ea_id; /* Current id */
} while (/* CONSTCOND */ 0)
} while (/* CONSTCOND */ 0)
void mppe_set_chapv2(u_char PasswordHashHash[MD4_SIGNATURE_SIZE],
u_char NTResponse[MS_AUTH_NTRESP_LEN], int IsServer);
void mppe_set_chapv2(u_char PasswordHashHash[MD4_SIGNATURE_SIZE],
u_char NTResponse[MS_AUTH_NTRESP_LEN], int IsServer);
+#endif // #ifdef PPP_WITH_MPPE
#endif // #ifdef __MPPE_H__
#endif // #ifdef __MPPE_H__
#include "pppd.h"
#include "chap-new.h"
#include "pppd.h"
#include "chap-new.h"
#include "mppe.h"
#include "md5.h"
#endif
#include "mppe.h"
#include "md5.h"
#endif
static int get_client_port(char *ifname);
static int radius_allowed_address(u_int32_t addr);
static void radius_acct_interim(void *);
static int get_client_port(char *ifname);
static int radius_allowed_address(u_int32_t addr);
static void radius_acct_interim(void *);
static int radius_setmppekeys(VALUE_PAIR *vp, REQUEST_INFO *req_info,
unsigned char *);
static int radius_setmppekeys2(VALUE_PAIR *vp, REQUEST_INFO *req_info);
static int radius_setmppekeys(VALUE_PAIR *vp, REQUEST_INFO *req_info,
unsigned char *);
static int radius_setmppekeys2(VALUE_PAIR *vp, REQUEST_INFO *req_info);
int result;
int challenge_len, response_len;
u_char cpassword[MAX_RESPONSE_LEN + 1];
int result;
int challenge_len, response_len;
u_char cpassword[MAX_RESPONSE_LEN + 1];
/* Need the RADIUS secret and Request Authenticator to decode MPPE */
REQUEST_INFO request_info, *req_info = &request_info;
#else
/* Need the RADIUS secret and Request Authenticator to decode MPPE */
REQUEST_INFO request_info, *req_info = &request_info;
#else
/* return error for types we can't handle */
if ((digest->code != CHAP_MD5)
/* return error for types we can't handle */
if ((digest->code != CHAP_MD5)
&& (digest->code != CHAP_MICROSOFT)
&& (digest->code != CHAP_MICROSOFT_V2)
#endif
&& (digest->code != CHAP_MICROSOFT)
&& (digest->code != CHAP_MICROSOFT_V2)
#endif
cpassword, MD5_HASH_SIZE + 1, VENDOR_NONE);
break;
cpassword, MD5_HASH_SIZE + 1, VENDOR_NONE);
break;
case CHAP_MICROSOFT:
{
/* MS-CHAP-Challenge and MS-CHAP-Response */
case CHAP_MICROSOFT:
{
/* MS-CHAP-Challenge and MS-CHAP-Response */
{
u_int32_t remote;
int ms_chap2_success = 0;
{
u_int32_t remote;
int ms_chap2_success = 0;
int mppe_enc_keys = 0; /* whether or not these were received */
int mppe_enc_policy = 0;
int mppe_enc_types = 0;
int mppe_enc_keys = 0; /* whether or not these were received */
int mppe_enc_policy = 0;
int mppe_enc_types = 0;
} else if (vp->vendorcode == VENDOR_MICROSOFT) {
} else if (vp->vendorcode == VENDOR_MICROSOFT) {
switch (vp->attribute) {
case PW_MS_CHAP2_SUCCESS:
if ((vp->lvalue != 43) || strncmp((char*) vp->strvalue + 1, "S=", 2)) {
switch (vp->attribute) {
case PW_MS_CHAP2_SUCCESS:
if ((vp->lvalue != 43) || strncmp((char*) vp->strvalue + 1, "S=", 2)) {
ms_chap2_success = 1;
break;
ms_chap2_success = 1;
break;
case PW_MS_CHAP_MPPE_KEYS:
if (radius_setmppekeys(vp, req_info, challenge) < 0) {
slprintf(msg, BUF_LEN,
case PW_MS_CHAP_MPPE_KEYS:
if (radius_setmppekeys(vp, req_info, challenge) < 0) {
slprintf(msg, BUF_LEN,
mppe_enc_types = vp->lvalue; /* save for later */
break;
mppe_enc_types = vp->lvalue; /* save for later */
break;
+#endif /* PPP_WITH_MPPE */
#ifdef MSDNS
case PW_MS_PRIMARY_DNS_SERVER:
ao->dnsaddr[0] = htonl(vp->lvalue);
#ifdef MSDNS
case PW_MS_PRIMARY_DNS_SERVER:
ao->dnsaddr[0] = htonl(vp->lvalue);
break;
#endif /* MSDNS */
}
break;
#endif /* MSDNS */
}
+#endif /* PPP_WITH_CHAPMS */
if (digest && (digest->code == CHAP_MICROSOFT_V2) && !ms_chap2_success)
return -1;
if (digest && (digest->code == CHAP_MICROSOFT_V2) && !ms_chap2_success)
return -1;
/*
* Require both policy and key attributes to indicate a valid key.
* Note that if the policy value was '0' we don't set the key!
/*
* Require both policy and key attributes to indicate a valid key.
* Note that if the policy value was '0' we don't set the key!
/**********************************************************************
* %FUNCTION: radius_setmppekeys
* %ARGUMENTS:
/**********************************************************************
* %FUNCTION: radius_setmppekeys
* %ARGUMENTS:
+#endif /* PPP_WITH_MPPE */
/**********************************************************************
* %FUNCTION: radius_acct_start
/**********************************************************************
* %FUNCTION: radius_acct_start
nt_response = &response[MS_CHAP_NTRESP];
nt_response_size = MS_CHAP_NTRESP_LEN;
} else {
nt_response = &response[MS_CHAP_NTRESP];
nt_response_size = MS_CHAP_NTRESP_LEN;
} else {
+#ifdef PPP_WITH_MSLANMAN
lm_response = &response[MS_CHAP_LANMANRESP];
lm_response_size = MS_CHAP_LANMANRESP_LEN;
#else
/* Should really propagate this into the error packet. */
notice("Peer request for LANMAN auth not supported");
return NOT_AUTHENTICATED;
lm_response = &response[MS_CHAP_LANMANRESP];
lm_response_size = MS_CHAP_LANMANRESP_LEN;
#else
/* Should really propagate this into the error packet. */
notice("Peer request for LANMAN auth not supported");
return NOT_AUTHENTICATED;
+#endif /* PPP_WITH_MSLANMAN */
}
/* ship off to winbind, and check */
}
/* ship off to winbind, and check */
nt_response, nt_response_size,
session_key,
&error_string) == AUTHENTICATED) {
nt_response, nt_response_size,
session_key,
&error_string) == AUTHENTICATED) {
mppe_set_chapv1(challenge, session_key);
#endif
slprintf(message, message_space, "Access granted");
mppe_set_chapv1(challenge, session_key);
#endif
slprintf(message, message_space, "Access granted");
&response[MS_CHAP2_NTRESP],
&response[MS_CHAP2_PEER_CHALLENGE],
challenge, user, saresponse);
&response[MS_CHAP2_NTRESP],
&response[MS_CHAP2_PEER_CHALLENGE],
challenge, user, saresponse);
mppe_set_chapv2(session_key, &response[MS_CHAP2_NTRESP],
MS_CHAP2_AUTHENTICATOR);
#endif
mppe_set_chapv2(session_key, &response[MS_CHAP2_NTRESP],
MS_CHAP2_AUTHENTICATOR);
#endif
extern struct bpf_program active_filter; /* Filter for link-active pkts */
#endif
extern struct bpf_program active_filter; /* Filter for link-active pkts */
#endif
+#ifdef PPP_WITH_MSLANMAN
extern bool ms_lanman; /* Use LanMan password instead of NT */
/* Has meaning only with MS-CHAP challenges */
#endif
extern bool ms_lanman; /* Use LanMan password instead of NT */
/* Has meaning only with MS-CHAP challenges */
#endif
*/
/* "Have Microsoft CHAP support" */
*/
/* "Have Microsoft CHAP support" */
+#undef PPP_WITH_CHAPMS
+
+/* "Have Microsoft LAN Manager support" */
+#undef PPP_WITH_MSLANMAN
/* "Have Microsoft MPPE support" */
/* "Have Microsoft MPPE support" */
/* "Have multilink support" */
#undef HAVE_MULTILINK
/* "Have multilink support" */
#undef HAVE_MULTILINK