]> git.ozlabs.org Git - ppp.git/commit
projects / ppp.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: c41092d) | patch
pppd: Make MSCHAP-v2 cope better with packet loss
authorDeomid Ryabkov <myself@rojer.pp.ru>
Sat, 31 Mar 2012 04:14:23 +0000 (05:14 +0100)
committerPaul Mackerras <paulus@samba.org>
Sun, 20 May 2012 06:48:27 +0000 (16:48 +1000)
commit08ef47ca532294eb428238c831616748940e24a2
tree8adea0c24d0a187539f82c2128de023d2684ddc1tree | snapshot (tar.gz zip)
parentc41092dd4c49267f232f6cba3d31c6c68bfdf68dcommit | diff
pppd: Make MSCHAP-v2 cope better with packet loss

This implements response caching for MSCHAP-v2.  It caches our
responses and the responses we expect from the peer.  MSCHAP-v2 is
unusual in that the authenticatee's CHAP-Response contains what is
effectively a challenge to the authenticator, and the authenticator's
CHAP-Success packet contains a response to that challenge.  Having
the response cache lets us (a) answer challenges consistently and
(b) cope with a CHAP-Success packet that corresponds to one of our
CHAP-Responses that wasn't the last one we sent.

This solves a problem where MSCHAP-v2 does not handle replay/retry
properly.  Here's what a typical normal session looks like:

Mar 31 02:47:40 nbm pppd[12895]: rcvd [CHAP Challenge id=0x37 <7ac9de47e66fc440e4b142e28c1a2064>, name = "jeeves"]
Mar 31 02:47:40 nbm pppd[12895]: sent [CHAP Response id=0x37 <12986c68266e0d60e7e0de9c8326073200000000000000005da37272ed71b6743f65bc00f7ae2ca148db9210627b646500>, name = "murka"]
Mar 31 02:47:40 nbm pppd[12895]: rcvd [CHAP Success id=0x37 "S=ED8FB5829C8049C331AAE0C570F63F8B558DEA2C M=Access granted"]
Mar 31 02:47:40 nbm pppd[12895]: CHAP authentication succeeded

however, this breaks down if, for whatever reason - packet loss,
reordering or whatnot - server sends a second challenge that arrives
before the response - it changes client's expectation and the
authentication fails.  Here's how it looks in the logs:

Mar 31 02:47:47 nbm pppd[13014]: rcvd [CHAP Challenge id=0x8a <5070251e94455e2155d2cf4d698d23c9>, name = "jeeves"]
Mar 31 02:47:47 nbm pppd[13014]: sent [CHAP Response id=0x8a <14d788f835add58b60d2aff362c183160000000000000000d780f3849076e9e013272f67bcb8c8cfa0e9b51c0fe3ee2100>, name = "murka"]
Mar 31 02:47:48 nbm pppd[13014]: rcvd [CHAP Challenge id=0x8a <5070251e94455e2155d2cf4d698d23c9>, name = "jeeves"]
Mar 31 02:47:48 nbm pppd[13014]: sent [CHAP Response id=0x8a <df950da43b90e235048810469d3283dd0000000000000000ace042b145f5eb9f118349b5672d4829eb5038192050a90b00>, name = "murka"]
Mar 31 02:47:48 nbm pppd[13014]: rcvd [CHAP Success id=0x8a "S=ABAEA4DF5601FADF25F8729455D39BF6D971D501 M=Access granted"]
Mar 31 02:47:48 nbm pppd[13014]: MS-CHAPv2 mutual authentication failed.

Signed-off-by: Paul Mackerras <paulus@samba.org>
pppd/chap-new.c diff | blob | history
pppd/chap-new.h diff | blob | history
pppd/chap_ms.c diff | blob | history
PPP (Point-to-Point Protocol) implementation for Linux and Solaris