pppd: Make MSCHAP-v2 cope better with packet loss
This implements response caching for MSCHAP-v2. It caches our
responses and the responses we expect from the peer. MSCHAP-v2 is
unusual in that the authenticatee's CHAP-Response contains what is
effectively a challenge to the authenticator, and the authenticator's
CHAP-Success packet contains a response to that challenge. Having
the response cache lets us (a) answer challenges consistently and
(b) cope with a CHAP-Success packet that corresponds to one of our
CHAP-Responses that wasn't the last one we sent.
This solves a problem where MSCHAP-v2 does not handle replay/retry
properly. Here's what a typical normal session looks like:
Mar 31 02:47:40 nbm pppd[12895]: rcvd [CHAP Challenge id=0x37 <
7ac9de47e66fc440e4b142e28c1a2064>, name = "jeeves"]
Mar 31 02:47:40 nbm pppd[12895]: sent [CHAP Response id=0x37 <12986c68266e0d60e7e0de9c8326073200000000000000005da37272ed71b6743f65bc00f7ae2ca148db9210627b646500>, name = "murka"]
Mar 31 02:47:40 nbm pppd[12895]: rcvd [CHAP Success id=0x37 "S=
ED8FB5829C8049C331AAE0C570F63F8B558DEA2C M=Access granted"]
Mar 31 02:47:40 nbm pppd[12895]: CHAP authentication succeeded
however, this breaks down if, for whatever reason - packet loss,
reordering or whatnot - server sends a second challenge that arrives
before the response - it changes client's expectation and the
authentication fails. Here's how it looks in the logs:
Mar 31 02:47:47 nbm pppd[13014]: rcvd [CHAP Challenge id=0x8a <
5070251e94455e2155d2cf4d698d23c9>, name = "jeeves"]
Mar 31 02:47:47 nbm pppd[13014]: sent [CHAP Response id=0x8a <14d788f835add58b60d2aff362c183160000000000000000d780f3849076e9e013272f67bcb8c8cfa0e9b51c0fe3ee2100>, name = "murka"]
Mar 31 02:47:48 nbm pppd[13014]: rcvd [CHAP Challenge id=0x8a <
5070251e94455e2155d2cf4d698d23c9>, name = "jeeves"]
Mar 31 02:47:48 nbm pppd[13014]: sent [CHAP Response id=0x8a <df950da43b90e235048810469d3283dd0000000000000000ace042b145f5eb9f118349b5672d4829eb5038192050a90b00>, name = "murka"]
Mar 31 02:47:48 nbm pppd[13014]: rcvd [CHAP Success id=0x8a "S=
ABAEA4DF5601FADF25F8729455D39BF6D971D501 M=Access granted"]
Mar 31 02:47:48 nbm pppd[13014]: MS-CHAPv2 mutual authentication failed.
Signed-off-by: Paul Mackerras <paulus@samba.org>