X-Git-Url: http://git.ozlabs.org/?p=ppp.git;a=blobdiff_plain;f=pppd%2Fchap.c;h=9bd85b5df40476a67707f51fef3af8f01384f8e4;hp=96348e1c1eb4967a2483db40701862192206d6c5;hb=734747f7ef4d64cc7f92ea953c4ab57581c01f8f;hpb=61ebd9732d40eade1a74d55302bdb02c2865cb6c diff --git a/pppd/chap.c b/pppd/chap.c index 96348e1..9bd85b5 100644 --- a/pppd/chap.c +++ b/pppd/chap.c @@ -33,9 +33,7 @@ * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. */ -#ifndef lint -static char rcsid[] = "$Id: chap.c,v 1.17 1999/02/26 10:38:51 paulus Exp $"; -#endif +#define RCSID "$Id: chap.c,v 1.26 2002/01/22 16:02:58 dfs Exp $" /* * TODO: @@ -45,7 +43,6 @@ static char rcsid[] = "$Id: chap.c,v 1.17 1999/02/26 10:38:51 paulus Exp $"; #include #include #include -#include #include "pppd.h" #include "chap.h" @@ -54,16 +51,30 @@ static char rcsid[] = "$Id: chap.c,v 1.17 1999/02/26 10:38:51 paulus Exp $"; #include "chap_ms.h" #endif +/* Hook for a plugin to say if we can possibly authenticate a peer using CHAP */ +int (*chap_check_hook) __P((void)) = NULL; + +/* Hook for a plugin to get the CHAP password for authenticating us */ +int (*chap_passwd_hook) __P((char *user, char *passwd)) = NULL; + +/* Hook for a plugin to validate CHAP challenge */ +int (*chap_auth_hook) __P((char *user, + u_char *remmd, + int remmd_len, + chap_state *cstate)) = NULL; + +static const char rcsid[] = RCSID; + /* * Command-line options. */ static option_t chap_option_list[] = { { "chap-restart", o_int, &chap[0].timeouttime, - "Set timeout for CHAP" }, + "Set timeout for CHAP", OPT_PRIO }, { "chap-max-challenge", o_int, &chap[0].max_transmits, - "Set max #xmits for challenge" }, + "Set max #xmits for challenge", OPT_PRIO }, { "chap-interval", o_int, &chap[0].chal_interval, - "Set interval for rechallenge" }, + "Set interval for rechallenge", OPT_PRIO }, #ifdef MSLANMAN { "ms-lanman", o_bool, &ms_lanman, "Use LanMan passwd when using MS-CHAP", 1 }, 
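Review bot: The three plugin hooks are declared without any statement of their contract, and `chap_passwd_hook` in particular takes a bare `char *passwd` with no capacity argument, so a plugin cannot know how much it may write; add a comment above it such as `/* passwd points to a MAXSECRETLEN-byte buffer; plugin must NUL-terminate and stay within it */` (confirm the size the caller actually passes, since that call site is not in this diff). `chap_auth_hook` should likewise document that `user` is the peer-supplied name unless `remotename` was given, that `remmd` is `remmd_len` bytes and is not guaranteed to be MD5-sized, and that the return value is used directly as the CHAP status code, so only `CHAP_SUCCESS` or `CHAP_FAILURE` are valid. The `static const char rcsid[]` is no longer referenced by anything; on compilers that warn about unused statics the old `#ifndef lint` guard served that purpose.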
@@ -95,6 +106,7 @@ struct protent chap_protent = { NULL, 1, "CHAP", + NULL, chap_option_list, NULL, NULL, @@ -161,7 +173,7 @@ ChapAuthWithPeer(unit, our_name, digest) /* * We get here as a result of LCP coming up. - * So even if CHAP was open before, we will + * So even if CHAP was open before, we will * have to re-authenticate ourselves. */ cstate->clientstate = CHAPCS_LISTEN; @@ -178,7 +190,7 @@ ChapAuthPeer(unit, our_name, digest) int digest; { chap_state *cstate = &chap[unit]; - + cstate->chal_name = our_name; cstate->chal_type = digest; @@ -203,7 +215,7 @@ ChapChallengeTimeout(arg) void *arg; { chap_state *cstate = (chap_state *) arg; - + /* if we aren't sending challenges, don't worry. then again we */ /* probably shouldn't be here either */ if (cstate->serverstate != CHAPSS_INITIAL_CHAL && @@ -212,7 +224,7 @@ ChapChallengeTimeout(arg) if (cstate->chal_transmits >= cstate->max_transmits) { /* give up on peer */ - syslog(LOG_ERR, "Peer failed to respond to CHAP challenge"); + error("Peer failed to respond to CHAP challenge"); cstate->serverstate = CHAPSS_BADAUTH; auth_peer_fail(cstate->unit, PPP_CHAP); return; @@ -268,7 +280,7 @@ ChapLowerUp(unit) int unit; { chap_state *cstate = &chap[unit]; - + if (cstate->clientstate == CHAPCS_INITIAL) cstate->clientstate = CHAPCS_CLOSED; else if (cstate->clientstate == CHAPCS_PENDING) @@ -294,7 +306,7 @@ ChapLowerDown(unit) int unit; { chap_state *cstate = &chap[unit]; - + /* Timeout(s) pending? Cancel if so. */ if (cstate->serverstate == CHAPSS_INITIAL_CHAL || cstate->serverstate == CHAPSS_RECHALLENGE) 
@@ -342,29 +354,29 @@ ChapInput(unit, inpacket, packet_len) u_char *inp; u_char code, id; int len; - + /* * Parse header (code, id and length). * If packet too short, drop it. */ inp = inpacket; if (packet_len < CHAP_HEADERLEN) { - CHAPDEBUG((LOG_INFO, "ChapInput: rcvd short header.")); + CHAPDEBUG(("ChapInput: rcvd short header.")); return; } GETCHAR(code, inp); GETCHAR(id, inp); GETSHORT(len, inp); if (len < CHAP_HEADERLEN) { - CHAPDEBUG((LOG_INFO, "ChapInput: rcvd illegal length.")); + CHAPDEBUG(("ChapInput: rcvd illegal length.")); return; } if (len > packet_len) { - CHAPDEBUG((LOG_INFO, "ChapInput: rcvd short packet.")); + CHAPDEBUG(("ChapInput: rcvd short packet.")); return; } len -= CHAP_HEADERLEN; - + /* * Action depends on code (as in fact it usually does :-). */ @@ -372,11 +384,11 @@ ChapInput(unit, inpacket, packet_len) case CHAP_CHALLENGE: ChapReceiveChallenge(cstate, inp, id, len); break; - + case CHAP_RESPONSE: ChapReceiveResponse(cstate, inp, id, len); break; - + case CHAP_FAILURE: ChapReceiveFailure(cstate, inp, id, len); break; @@ -386,7 +398,7 @@ ChapInput(unit, inpacket, packet_len) break; default: /* Need code reject? */ - syslog(LOG_WARNING, "Unknown CHAP code (%d) received.", code); + warn("Unknown CHAP code (%d) received.", code); break; } } 
@@ -409,24 +421,22 @@ ChapReceiveChallenge(cstate, inp, id, len) char rhostname[256]; MD5_CTX mdContext; u_char hash[MD5_SIGNATURE_SIZE]; - - CHAPDEBUG((LOG_INFO, "ChapReceiveChallenge: Rcvd id %d.", id)); + if (cstate->clientstate == CHAPCS_CLOSED || cstate->clientstate == CHAPCS_PENDING) { - CHAPDEBUG((LOG_INFO, "ChapReceiveChallenge: in state %d", - cstate->clientstate)); + CHAPDEBUG(("ChapReceiveChallenge: in state %d", cstate->clientstate)); return; } if (len < 2) { - CHAPDEBUG((LOG_INFO, "ChapReceiveChallenge: rcvd short packet.")); + CHAPDEBUG(("ChapReceiveChallenge: rcvd short packet.")); return; } GETCHAR(rchallenge_len, inp); len -= sizeof (u_char) + rchallenge_len; /* now name field length */ if (len < 0) { - CHAPDEBUG((LOG_INFO, "ChapReceiveChallenge: rcvd short packet.")); + CHAPDEBUG(("ChapReceiveChallenge: rcvd short packet.")); return; } rchallenge = inp; @@ -437,14 +447,10 @@ ChapReceiveChallenge(cstate, inp, id, len) BCOPY(inp, rhostname, len); rhostname[len] = '\000'; - CHAPDEBUG((LOG_INFO, "ChapReceiveChallenge: received name field '%s'", - rhostname)); - /* Microsoft doesn't send their name back in the PPP packet */ - if (remote_name[0] != 0 && (explicit_remote || rhostname[0] == 0)) { - strncpy(rhostname, remote_name, sizeof(rhostname)); - rhostname[sizeof(rhostname) - 1] = 0; - CHAPDEBUG((LOG_INFO, "ChapReceiveChallenge: using '%s' as remote name", + if (explicit_remote || (remote_name[0] != 0 && rhostname[0] == 0)) { + strlcpy(rhostname, remote_name, sizeof(rhostname)); + CHAPDEBUG(("ChapReceiveChallenge: using '%q' as remote name", rhostname)); } 
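Review bot: The new condition `if (explicit_remote || (remote_name[0] != 0 && rhostname[0] == 0))` discards the name the peer placed in the challenge whenever `remotename` was configured, and the comment that explained the empty-name case was removed with it; keep a one-line comment such as `/* an explicit remotename overrides the peer's name; some peers (Windows) send an empty name field */`. The peer-supplied name is untrusted input that is later used as the key for `get_secret` and echoed in logs, so the `%q` conversion here is the right choice. The clamp of `len` to `sizeof(rhostname)` before `BCOPY(inp, rhostname, len)` lies between these two hunks and is not visible here; since `len` derives from the 16-bit packet length it should be confirmed present. ChapReceiveChallenge begins before the first hunk and continues past the last.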
@@ -452,8 +458,7 @@ ChapReceiveChallenge(cstate, inp, id, len) if (!get_secret(cstate->unit, cstate->resp_name, rhostname, secret, &secret_len, 0)) { secret_len = 0; /* assume null secret if can't find one */ - syslog(LOG_WARNING, "No CHAP secret found for authenticating us to %s", - rhostname); + warn("No CHAP secret found for authenticating us to %q", rhostname); } /* cancel response send timeout if necessary */ @@ -464,7 +469,7 @@ ChapReceiveChallenge(cstate, inp, id, len) cstate->resp_transmits = 0; /* generate MD based on negotiated type */ - switch (cstate->resp_type) { + switch (cstate->resp_type) { case CHAP_DIGEST_MD5: MD5Init(&mdContext); @@ -483,7 +488,7 @@ ChapReceiveChallenge(cstate, inp, id, len) #endif default: - CHAPDEBUG((LOG_INFO, "unknown digest type %d", cstate->resp_type)); + CHAPDEBUG(("unknown digest type %d", cstate->resp_type)); return; } @@ -510,12 +515,9 @@ ChapReceiveResponse(cstate, inp, id, len) char secret[MAXSECRETLEN]; u_char hash[MD5_SIGNATURE_SIZE]; - CHAPDEBUG((LOG_INFO, "ChapReceiveResponse: Rcvd id %d.", id)); - if (cstate->serverstate == CHAPSS_CLOSED || cstate->serverstate == CHAPSS_PENDING) { - CHAPDEBUG((LOG_INFO, "ChapReceiveResponse: in state %d", - cstate->serverstate)); + CHAPDEBUG(("ChapReceiveResponse: in state %d", cstate->serverstate)); return; } @@ -537,7 +539,7 @@ ChapReceiveResponse(cstate, inp, id, len) } if (len < 2) { - CHAPDEBUG((LOG_INFO, "ChapReceiveResponse: rcvd short packet.")); + CHAPDEBUG(("ChapReceiveResponse: rcvd short packet.")); return; } GETCHAR(remmd_len, inp); /* get length of MD */ @@ -546,7 +548,7 @@ ChapReceiveResponse(cstate, inp, id, len) len -= sizeof (u_char) + remmd_len; if (len < 0) { - CHAPDEBUG((LOG_INFO, "ChapReceiveResponse: rcvd short packet.")); + CHAPDEBUG(("ChapReceiveResponse: rcvd short packet.")); return; } 
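Review bot: After the `warn("No CHAP secret found for authenticating us to %q", rhostname)` the client still falls through with `secret_len = 0` and answers the challenge with a digest computed over an empty secret; that is pre-existing behaviour, but now that plugins can supply passwords via `chap_passwd_hook` it deserves a comment stating that the null-secret fallback is deliberate (presumably so the peer rejects us with a clean CHAP failure rather than a timeout), or an explicit failure if it was never intended, e.g. `/* deliberate: answer with an empty secret so the peer returns a definite failure */`. `%q` is the correct conversion for `rhostname` since it came from the peer. ChapReceiveChallenge starts before this hunk.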
@@ -557,43 +559,47 @@ ChapReceiveResponse(cstate, inp, id, len) BCOPY(inp, rhostname, len); rhostname[len] = '\000'; - CHAPDEBUG((LOG_INFO, "ChapReceiveResponse: received name field: %s", - rhostname)); - /* * Get secret for authenticating them with us, * do the hash ourselves, and compare the result. */ code = CHAP_FAILURE; - if (!get_secret(cstate->unit, rhostname, cstate->chal_name, - secret, &secret_len, 1)) { - syslog(LOG_WARNING, "No CHAP secret found for authenticating %s", - rhostname); - } else { - - /* generate MD based on negotiated type */ - switch (cstate->chal_type) { - - case CHAP_DIGEST_MD5: /* only MD5 is defined for now */ - if (remmd_len != MD5_SIGNATURE_SIZE) - break; /* it's not even the right length */ - MD5Init(&mdContext); - MD5Update(&mdContext, &cstate->chal_id, 1); - MD5Update(&mdContext, secret, secret_len); - MD5Update(&mdContext, cstate->challenge, cstate->chal_len); - MD5Final(hash, &mdContext); - - /* compare local and remote MDs and send the appropriate status */ - if (memcmp (hash, remmd, MD5_SIGNATURE_SIZE) == 0) - code = CHAP_SUCCESS; /* they are the same! */ - break; - default: - CHAPDEBUG((LOG_INFO, "unknown digest type %d", cstate->chal_type)); + /* If a plugin will verify the response, let the plugin do it. */ + if (chap_auth_hook) { + code = (*chap_auth_hook) ( (explicit_remote ? remote_name : rhostname), + remmd, (int) remmd_len, + cstate ); + } else { + if (!get_secret(cstate->unit, (explicit_remote? 
remote_name: rhostname), + cstate->chal_name, secret, &secret_len, 1)) { + warn("No CHAP secret found for authenticating %q", rhostname); + } else { + + /* generate MD based on negotiated type */ + switch (cstate->chal_type) { + + case CHAP_DIGEST_MD5: /* only MD5 is defined for now */ + if (remmd_len != MD5_SIGNATURE_SIZE) + break; /* it's not even the right length */ + MD5Init(&mdContext); + MD5Update(&mdContext, &cstate->chal_id, 1); + MD5Update(&mdContext, secret, secret_len); + MD5Update(&mdContext, cstate->challenge, cstate->chal_len); + MD5Final(hash, &mdContext); + + /* compare local and remote MDs and send the appropriate status */ + if (memcmp (hash, remmd, MD5_SIGNATURE_SIZE) == 0) + code = CHAP_SUCCESS; /* they are the same! */ + break; + + default: + CHAPDEBUG(("unknown digest type %d", cstate->chal_type)); + } } - } - BZERO(secret, sizeof(secret)); + BZERO(secret, sizeof(secret)); + } ChapSendStatus(cstate, code); if (code == CHAP_SUCCESS) { @@ -604,12 +610,10 @@ ChapReceiveResponse(cstate, inp, id, len) } if (cstate->chal_interval != 0) TIMEOUT(ChapRechallenge, cstate, cstate->chal_interval); - syslog(LOG_NOTICE, "CHAP peer authentication succeeded for %s", - rhostname); + notice("CHAP peer authentication succeeded for %q", rhostname); } else { - syslog(LOG_ERR, "CHAP peer authentication failed for remote host %s", - rhostname); + error("CHAP peer authentication failed for remote host %q", rhostname); cstate->serverstate = CHAPSS_BADAUTH; auth_peer_fail(cstate->unit, PPP_CHAP); } 
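Review bot: The new plugin path passes `explicit_remote ? remote_name : rhostname` straight to `chap_auth_hook` and uses whatever integer it returns as `code`, but nothing here states that contract; any value other than `CHAP_SUCCESS` is treated as a failure by the later `if (code == CHAP_SUCCESS)` test and is also transmitted to the peer by `ChapSendStatus`, so add a comment such as `/* hook must return CHAP_SUCCESS or CHAP_FAILURE; user is untrusted peer input */`. Two smaller points on the retained MD5 path: `memcmp` on the digest is not constant-time (not practical to exploit here, since a mismatch tears the link down via `auth_peer_fail`, but worth a comment), and `BZERO(secret, sizeof(secret))` is a plain clear that an optimizer may drop, so an explicit-clear helper belongs here if pppd has one. The bounds handling of `len` before `BCOPY(inp, rhostname, len)` precedes this hunk and should be checked separately; the enclosing function starts before the hunk.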
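Review bot: The success and failure messages still log `rhostname`, the name the peer claimed, while the secret lookup a few lines up used `explicit_remote ? remote_name : rhostname`, so with `remotename` configured the audit log names an identity that was never actually authenticated. Log the name that was used, e.g. `notice("CHAP peer authentication succeeded for %q", explicit_remote ? remote_name : rhostname);` and the same in the `error()` call; keeping the peer's claimed name as a second `%q` argument is useful for forensics. `%q` is the right conversion for peer-controlled text in either case.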
@@ -626,16 +630,13 @@ ChapReceiveSuccess(cstate, inp, id, len) int len; { - CHAPDEBUG((LOG_INFO, "ChapReceiveSuccess: Rcvd id %d.", id)); - if (cstate->clientstate == CHAPCS_OPEN) /* presumably an answer to a duplicate response */ return; if (cstate->clientstate != CHAPCS_RESPONSE) { /* don't know what this is */ - CHAPDEBUG((LOG_INFO, "ChapReceiveSuccess: in state %d\n", - cstate->clientstate)); + CHAPDEBUG(("ChapReceiveSuccess: in state %d\n", cstate->clientstate)); return; } @@ -663,12 +664,9 @@ ChapReceiveFailure(cstate, inp, id, len) u_char id; int len; { - CHAPDEBUG((LOG_INFO, "ChapReceiveFailure: Rcvd id %d.", id)); - if (cstate->clientstate != CHAPCS_RESPONSE) { /* don't know what this is */ - CHAPDEBUG((LOG_INFO, "ChapReceiveFailure: in state %d\n", - cstate->clientstate)); + CHAPDEBUG(("ChapReceiveFailure: in state %d\n", cstate->clientstate)); return; } @@ -680,7 +678,7 @@ ChapReceiveFailure(cstate, inp, id, len) if (len > 0) PRINTMSG(inp, len); - syslog(LOG_ERR, "CHAP authentication failed"); + error("CHAP authentication failed"); auth_withpeer_fail(cstate->unit, PPP_CHAP); } @@ -714,8 +712,6 @@ ChapSendChallenge(cstate) BCOPY(cstate->chal_name, outp, name_len); /* append hostname */ output(cstate->unit, outpacket_buf, outlen + PPP_HDRLEN); - - CHAPDEBUG((LOG_INFO, "ChapSendChallenge: Sent id %d.", cstate->chal_id)); TIMEOUT(ChapChallengeTimeout, cstate, cstate->timeouttime); ++cstate->chal_transmits; 
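Review bot: In the ChapReceiveFailure hunk, `PRINTMSG(inp, len)` writes the peer's failure text to the log just before the new `error("CHAP authentication failed")`, and unlike the name fields elsewhere in this commit it is not visibly routed through a quoting conversion such as `%q`; confirm that the `PRINTMSG` macro escapes control characters and bounds output to `len`, since this is attacker-controlled text headed for syslog. Including the unit in the message, e.g. `error("CHAP authentication failed on unit %d", cstate->unit);`, would make the line attributable when several links are up. ChapReceiveFailure starts before this hunk.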
@@ -735,24 +731,21 @@ ChapSendStatus(cstate, code) char msg[256]; if (code == CHAP_SUCCESS) - sprintf(msg, "Welcome to %s.", hostname); + slprintf(msg, sizeof(msg), "Welcome to %s.", hostname); else - sprintf(msg, "I don't like you. Go 'way."); + slprintf(msg, sizeof(msg), "I don't like you. Go 'way."); msglen = strlen(msg); outlen = CHAP_HEADERLEN + msglen; outp = outpacket_buf; MAKEHEADER(outp, PPP_CHAP); /* paste in a header */ - + PUTCHAR(code, outp); PUTCHAR(cstate->chal_id, outp); PUTSHORT(outlen, outp); BCOPY(msg, outp, msglen); output(cstate->unit, outpacket_buf, outlen + PPP_HDRLEN); - - CHAPDEBUG((LOG_INFO, "ChapSendStatus: Sent code %d, id %d.", code, - cstate->chal_id)); } /* @@ -768,10 +761,10 @@ ChapGenChallenge(cstate) { int chal_len; u_char *ptr = cstate->challenge; - unsigned int i; + int i; - /* pick a random challenge length between MIN_CHALLENGE_LENGTH and - MAX_CHALLENGE_LENGTH */ + /* pick a random challenge length between MIN_CHALLENGE_LENGTH and + MAX_CHALLENGE_LENGTH */ chal_len = (unsigned) ((drand48() * (MAX_CHALLENGE_LENGTH - MIN_CHALLENGE_LENGTH)) + MIN_CHALLENGE_LENGTH); @@ -780,7 +773,7 @@ ChapGenChallenge(cstate) cstate->chal_transmits = 0; /* generate a random string */ - for (i = 0; i < chal_len; i++ ) + for (i = 0; i < chal_len; i++) *ptr++ = (char) (drand48() * 0xff); }
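Review bot: The challenge bytes produced by the loop at the end of `ChapGenChallenge` come from `drand48()`, a seedable 48-bit linear congruential generator, so they are predictable to anyone who observes a few challenges or guesses the seed; CHAP's resistance to replay of a captured response rests on the challenge being unpredictable, so this loop should draw from a cryptographically strong source (`/dev/urandom` or whatever secure random helper pppd provides) rather than only changing the loop index type as this hunk does. A secondary point: `(char) (drand48() * 0xff)` yields 0..254 only, so 0xff never appears and each byte loses a fraction of a bit of entropy; `(u_char) (drand48() * 0x100)` fixes that if drand48 remains as a fallback. `chal_len` itself only needs to lie within `MIN_CHALLENGE_LENGTH`..`MAX_CHALLENGE_LENGTH` and does not need to be unpredictable. The function begins before this hunk.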