2 * chap-new.c - New CHAP implementation.
4 * Copyright (c) 2003 Paul Mackerras. All rights reserved.
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
13 * 2. The name(s) of the authors of this software must not be used to
14 * endorse or promote products derived from this software without
15 * prior written permission.
17 * 3. Redistributions of any form whatsoever must retain the following
19 * "This product includes software developed by Paul Mackerras
20 * <paulus@samba.org>".
22 * THE AUTHORS OF THIS SOFTWARE DISCLAIM ALL WARRANTIES WITH REGARD TO
23 * THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
24 * AND FITNESS, IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY
25 * SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
26 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN
27 * AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING
28 * OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
31 #define RCSID "$Id: chap-new.c,v 1.9 2007/06/19 02:08:35 carlsonj Exp $"
44 #ifdef PPP_WITH_CHAPMS
46 #define MDTYPE_ALL (MDTYPE_MICROSOFT_V2 | MDTYPE_MICROSOFT | MDTYPE_MD5)
48 #define MDTYPE_ALL (MDTYPE_MD5)
51 int chap_mdtype_all = MDTYPE_ALL;
53 /* Hook for a plugin to validate CHAP challenge */
54 int (*chap_verify_hook)(char *name, char *ourname, int id,
55 struct chap_digest_type *digest,
56 unsigned char *challenge, unsigned char *response,
57 char *message, int message_space) = NULL;
62 int chap_server_timeout_time = 3;
63 int chap_max_transmits = 10;
64 int chap_rechallenge_time = 0;
65 int chap_client_timeout_time = 60;
66 int chapms_strip_domain = 0;
69 * Command-line options.
71 static option_t chap_option_list[] = {
72 { "chap-restart", o_int, &chap_server_timeout_time,
73 "Set timeout for CHAP (as server)", OPT_PRIO },
74 { "chap-max-challenge", o_int, &chap_max_transmits,
75 "Set max #xmits for challenge", OPT_PRIO },
76 { "chap-interval", o_int, &chap_rechallenge_time,
77 "Set interval for rechallenge", OPT_PRIO },
78 { "chap-timeout", o_int, &chap_client_timeout_time,
79 "Set timeout for CHAP (as client)", OPT_PRIO },
80 { "chapms-strip-domain", o_bool, &chapms_strip_domain,
81 "Strip the domain prefix before the Username", 1 },
88 static struct chap_client_state {
91 struct chap_digest_type *digest;
92 unsigned char priv[64]; /* private area for digest's use */
96 * These limits apply to challenge and response packets we send.
97 * The +4 is the +1 that we actually need rounded up.
99 #define CHAL_MAX_PKTLEN (PPP_HDRLEN + CHAP_HDRLEN + 4 + MAX_CHALLENGE_LEN + MAXNAMELEN)
100 #define RESP_MAX_PKTLEN (PPP_HDRLEN + CHAP_HDRLEN + 4 + MAX_RESPONSE_LEN + MAXNAMELEN)
102 static struct chap_server_state {
106 struct chap_digest_type *digest;
108 int challenge_pktlen;
109 unsigned char challenge[CHAL_MAX_PKTLEN];
113 /* Values for flags in chap_client_state and chap_server_state */
115 #define AUTH_STARTED 2
117 #define AUTH_FAILED 8
118 #define TIMEOUT_PENDING 0x10
119 #define CHALLENGE_VALID 0x20
124 static void chap_init(int unit);
125 static void chap_lowerup(int unit);
126 static void chap_lowerdown(int unit);
127 static void chap_server_timeout(void *arg);
128 static void chap_client_timeout(void *arg);
129 static void chap_generate_challenge(struct chap_server_state *ss);
130 static void chap_handle_response(struct chap_server_state *ss, int code,
131 unsigned char *pkt, int len);
132 static int chap_verify_response(char *name, char *ourname, int id,
133 struct chap_digest_type *digest,
134 unsigned char *challenge, unsigned char *response,
135 char *message, int message_space);
136 static void chap_respond(struct chap_client_state *cs, int id,
137 unsigned char *pkt, int len);
138 static void chap_handle_status(struct chap_client_state *cs, int code, int id,
139 unsigned char *pkt, int len);
140 static void chap_protrej(int unit);
141 static void chap_input(int unit, unsigned char *pkt, int pktlen);
142 static int chap_print_pkt(unsigned char *p, int plen,
143 void (*printer)(void *, char *, ...), void *arg);
145 /* List of digest types that we know about */
146 static struct chap_digest_type *chap_digests;
149 * chap_init - reset to initial state.
154 memset(&client, 0, sizeof(client));
155 memset(&server, 0, sizeof(server));
158 #ifdef PPP_WITH_CHAPMS
164 * Add a new digest type to the list.
167 chap_register_digest(struct chap_digest_type *dp)
169 dp->next = chap_digests;
174 * Lookup a digest type by code
176 struct chap_digest_type *
177 chap_find_digest(int digest_code) {
178 struct chap_digest_type *dp = NULL;
179 for (dp = chap_digests; dp != NULL; dp = dp->next)
180 if (dp->code == digest_code)
186 * chap_lowerup - we can start doing stuff now.
189 chap_lowerup(int unit)
191 struct chap_client_state *cs = &client;
192 struct chap_server_state *ss = &server;
194 cs->flags |= LOWERUP;
195 ss->flags |= LOWERUP;
196 if (ss->flags & AUTH_STARTED)
197 chap_server_timeout(ss);
201 chap_lowerdown(int unit)
203 struct chap_client_state *cs = &client;
204 struct chap_server_state *ss = &server;
206 if (cs->flags & TIMEOUT_PENDING)
207 UNTIMEOUT(chap_client_timeout, cs);
209 if (ss->flags & TIMEOUT_PENDING)
210 UNTIMEOUT(chap_server_timeout, ss);
215 * chap_auth_peer - Start authenticating the peer.
216 * If the lower layer is already up, we start sending challenges,
217 * otherwise we wait for the lower layer to come up.
220 chap_auth_peer(int unit, char *our_name, int digest_code)
222 struct chap_server_state *ss = &server;
223 struct chap_digest_type *dp;
225 if (ss->flags & AUTH_STARTED) {
226 error("CHAP: peer authentication already started!");
230 dp = chap_find_digest(digest_code);
232 fatal("CHAP digest 0x%x requested but not available",
237 /* Start with a random ID value */
238 ss->id = (unsigned char)(drand48() * 256);
239 ss->flags |= AUTH_STARTED;
240 if (ss->flags & LOWERUP)
241 chap_server_timeout(ss);
245 * chap_auth_with_peer - Prepare to authenticate ourselves to the peer.
246 * There isn't much to do until we receive a challenge.
249 chap_auth_with_peer(int unit, char *our_name, int digest_code)
251 struct chap_client_state *cs = &client;
252 struct chap_digest_type *dp;
254 if (cs->flags & AUTH_STARTED) {
255 error("CHAP: authentication with peer already started!");
258 for (dp = chap_digests; dp != NULL; dp = dp->next)
259 if (dp->code == digest_code)
262 fatal("CHAP digest 0x%x requested but not available",
267 cs->flags |= AUTH_STARTED | TIMEOUT_PENDING;
268 TIMEOUT(chap_client_timeout, cs, chap_client_timeout_time);
272 * chap_server_timeout - It's time to send another challenge to the peer.
273 * This could be either a retransmission of a previous challenge,
274 * or a new challenge to start re-authentication.
277 chap_server_timeout(void *arg)
279 struct chap_server_state *ss = arg;
281 ss->flags &= ~TIMEOUT_PENDING;
282 if ((ss->flags & CHALLENGE_VALID) == 0) {
283 ss->challenge_xmits = 0;
284 chap_generate_challenge(ss);
285 ss->flags |= CHALLENGE_VALID;
286 } else if (ss->challenge_xmits >= chap_max_transmits) {
287 ss->flags &= ~CHALLENGE_VALID;
288 ss->flags |= AUTH_DONE | AUTH_FAILED;
289 auth_peer_fail(0, PPP_CHAP);
293 output(0, ss->challenge, ss->challenge_pktlen);
294 ++ss->challenge_xmits;
295 ss->flags |= TIMEOUT_PENDING;
296 TIMEOUT(chap_server_timeout, arg, chap_server_timeout_time);
299 /* chap_client_timeout - Authentication with peer timed out. */
301 chap_client_timeout(void *arg)
303 struct chap_client_state *cs = arg;
305 cs->flags &= ~TIMEOUT_PENDING;
306 cs->flags |= AUTH_DONE | AUTH_FAILED;
307 error("CHAP authentication timed out");
308 auth_withpeer_fail(0, PPP_CHAP);
312 * chap_generate_challenge - generate a challenge string and format
313 * the challenge packet in ss->challenge_pkt.
316 chap_generate_challenge(struct chap_server_state *ss)
318 int clen = 1, nlen, len;
322 MAKEHEADER(p, PPP_CHAP);
324 ss->digest->generate_challenge(p);
326 nlen = strlen(ss->name);
327 memcpy(p + 1 + clen, ss->name, nlen);
329 len = CHAP_HDRLEN + 1 + clen + nlen;
330 ss->challenge_pktlen = PPP_HDRLEN + len;
332 p = ss->challenge + PPP_HDRLEN;
333 p[0] = CHAP_CHALLENGE;
340 * chap_handle_response - check the response to our challenge.
343 chap_handle_response(struct chap_server_state *ss, int id,
344 unsigned char *pkt, int len)
346 int response_len, ok, mlen;
347 unsigned char *response, *p;
348 char *name = NULL; /* initialized to shut gcc up */
349 int (*verifier)(char *, char *, int, struct chap_digest_type *,
350 unsigned char *, unsigned char *, char *, int);
351 char rname[MAXNAMELEN+1];
353 if ((ss->flags & LOWERUP) == 0)
355 if (id != ss->challenge[PPP_HDRLEN+1] || len < 2)
357 if (ss->flags & CHALLENGE_VALID) {
359 GETCHAR(response_len, pkt);
360 len -= response_len + 1; /* length of name */
361 name = (char *)pkt + response_len;
365 if (ss->flags & TIMEOUT_PENDING) {
366 ss->flags &= ~TIMEOUT_PENDING;
367 UNTIMEOUT(chap_server_timeout, ss);
370 if (explicit_remote) {
373 /* Null terminate and clean remote name. */
374 slprintf(rname, sizeof(rname), "%.*v", len, name);
377 /* strip the MS domain name */
378 if (chapms_strip_domain && strrchr(rname, '\\')) {
379 char tmp[MAXNAMELEN+1];
381 strcpy(tmp, strrchr(rname, '\\') + 1);
386 if (chap_verify_hook)
387 verifier = chap_verify_hook;
389 verifier = chap_verify_response;
390 ok = (*verifier)(name, ss->name, id, ss->digest,
391 ss->challenge + PPP_HDRLEN + CHAP_HDRLEN,
392 response, ss->message, sizeof(ss->message));
393 if (!ok || !auth_number()) {
394 ss->flags |= AUTH_FAILED;
395 warn("Peer %q failed CHAP authentication", name);
397 } else if ((ss->flags & AUTH_DONE) == 0)
400 /* send the response */
402 MAKEHEADER(p, PPP_CHAP);
403 mlen = strlen(ss->message);
404 len = CHAP_HDRLEN + mlen;
405 p[0] = (ss->flags & AUTH_FAILED)? CHAP_FAILURE: CHAP_SUCCESS;
410 memcpy(p + CHAP_HDRLEN, ss->message, mlen);
411 output(0, outpacket_buf, PPP_HDRLEN + len);
413 if (ss->flags & CHALLENGE_VALID) {
414 ss->flags &= ~CHALLENGE_VALID;
415 if (!(ss->flags & AUTH_DONE) && !(ss->flags & AUTH_FAILED)) {
417 * Auth is OK, so now we need to check session restrictions
418 * to ensure everything is OK, but only if we used a
419 * plugin, and only if we're configured to check. This
420 * allows us to do PAM checks on PPP servers that
421 * authenticate against ActiveDirectory, and use AD for
422 * account info (like when using Winbind integrated with
426 session_check(name, NULL, devnam, NULL) == 0) {
427 ss->flags |= AUTH_FAILED;
428 warn("Peer %q failed CHAP Session verification", name);
431 if (ss->flags & AUTH_FAILED) {
432 auth_peer_fail(0, PPP_CHAP);
434 if ((ss->flags & AUTH_DONE) == 0)
435 auth_peer_success(0, PPP_CHAP,
438 if (chap_rechallenge_time) {
439 ss->flags |= TIMEOUT_PENDING;
440 TIMEOUT(chap_server_timeout, ss,
441 chap_rechallenge_time);
444 ss->flags |= AUTH_DONE;
449 * chap_verify_response - check whether the peer's response matches
450 * what we think it should be. Returns 1 if it does (authentication
451 * succeeded), or 0 if it doesn't.
454 chap_verify_response(char *name, char *ourname, int id,
455 struct chap_digest_type *digest,
456 unsigned char *challenge, unsigned char *response,
457 char *message, int message_space)
460 unsigned char secret[MAXSECRETLEN];
463 /* Get the secret that the peer is supposed to know */
464 if (!get_secret(0, name, ourname, (char *)secret, &secret_len, 1)) {
465 error("No CHAP secret found for authenticating %q", name);
469 ok = digest->verify_response(id, name, secret, secret_len, challenge,
470 response, message, message_space);
471 memset(secret, 0, sizeof(secret));
477 * chap_respond - Generate and send a response to a challenge.
480 chap_respond(struct chap_client_state *cs, int id,
481 unsigned char *pkt, int len)
486 unsigned char response[RESP_MAX_PKTLEN];
487 char rname[MAXNAMELEN+1];
488 char secret[MAXSECRETLEN+1];
490 if ((cs->flags & (LOWERUP | AUTH_STARTED)) != (LOWERUP | AUTH_STARTED))
491 return; /* not ready */
492 if (len < 2 || len < pkt[0] + 1)
493 return; /* too short */
495 nlen = len - (clen + 1);
497 /* Null terminate and clean remote name. */
498 slprintf(rname, sizeof(rname), "%.*v", nlen, pkt + clen + 1);
500 /* Microsoft doesn't send their name back in the PPP packet */
501 if (explicit_remote || (remote_name[0] != 0 && rname[0] == 0))
502 strlcpy(rname, remote_name, sizeof(rname));
504 /* get secret for authenticating ourselves with the specified host */
505 if (!get_secret(0, cs->name, rname, secret, &secret_len, 0)) {
506 secret_len = 0; /* assume null secret if can't find one */
507 warn("No CHAP secret found for authenticating us to %q", rname);
511 MAKEHEADER(p, PPP_CHAP);
514 cs->digest->make_response(p, id, cs->name, pkt,
515 secret, secret_len, cs->priv);
516 memset(secret, 0, secret_len);
519 nlen = strlen(cs->name);
520 memcpy(p + clen + 1, cs->name, nlen);
522 p = response + PPP_HDRLEN;
523 len = CHAP_HDRLEN + clen + 1 + nlen;
524 p[0] = CHAP_RESPONSE;
529 output(0, response, PPP_HDRLEN + len);
533 chap_handle_status(struct chap_client_state *cs, int code, int id,
534 unsigned char *pkt, int len)
536 const char *msg = NULL;
538 if ((cs->flags & (AUTH_DONE|AUTH_STARTED|LOWERUP))
539 != (AUTH_STARTED|LOWERUP))
541 cs->flags |= AUTH_DONE;
543 UNTIMEOUT(chap_client_timeout, cs);
544 cs->flags &= ~TIMEOUT_PENDING;
546 if (code == CHAP_SUCCESS) {
547 /* used for MS-CHAP v2 mutual auth, yuck */
548 if (cs->digest->check_success != NULL) {
549 if (!(*cs->digest->check_success)(id, pkt, len))
552 msg = "CHAP authentication succeeded";
554 if (cs->digest->handle_failure != NULL)
555 (*cs->digest->handle_failure)(pkt, len);
557 msg = "CHAP authentication failed";
561 info("%s: %.*v", msg, len, pkt);
565 if (code == CHAP_SUCCESS)
566 auth_withpeer_success(0, PPP_CHAP, cs->digest->code);
568 cs->flags |= AUTH_FAILED;
569 error("CHAP authentication failed");
570 auth_withpeer_fail(0, PPP_CHAP);
575 chap_input(int unit, unsigned char *pkt, int pktlen)
577 struct chap_client_state *cs = &client;
578 struct chap_server_state *ss = &server;
579 unsigned char code, id;
582 if (pktlen < CHAP_HDRLEN)
587 if (len < CHAP_HDRLEN || len > pktlen)
593 chap_respond(cs, id, pkt, len);
596 chap_handle_response(ss, id, pkt, len);
600 chap_handle_status(cs, code, id, pkt, len);
606 chap_protrej(int unit)
608 struct chap_client_state *cs = &client;
609 struct chap_server_state *ss = &server;
611 if (ss->flags & TIMEOUT_PENDING) {
612 ss->flags &= ~TIMEOUT_PENDING;
613 UNTIMEOUT(chap_server_timeout, ss);
615 if (ss->flags & AUTH_STARTED) {
617 auth_peer_fail(0, PPP_CHAP);
619 if ((cs->flags & (AUTH_STARTED|AUTH_DONE)) == AUTH_STARTED) {
620 cs->flags &= ~AUTH_STARTED;
621 error("CHAP authentication failed due to protocol-reject");
622 auth_withpeer_fail(0, PPP_CHAP);
627 * chap_print_pkt - print the contents of a CHAP packet.
629 static char *chap_code_names[] = {
630 "Challenge", "Response", "Success", "Failure"
634 chap_print_pkt(unsigned char *p, int plen,
635 void (*printer)(void *, char *, ...), void *arg)
641 if (plen < CHAP_HDRLEN)
646 if (len < CHAP_HDRLEN || len > plen)
649 if (code >= 1 && code <= sizeof(chap_code_names) / sizeof(char *))
650 printer(arg, " %s", chap_code_names[code-1]);
652 printer(arg, " code=0x%x", code);
653 printer(arg, " id=0x%x", id);
664 nlen = len - clen - 1;
666 for (; clen > 0; --clen) {
668 printer(arg, "%.2x", x);
670 printer(arg, ">, name = ");
671 print_string((char *)p, nlen, printer, arg);
676 print_string((char *)p, len, printer, arg);
679 for (clen = len; clen > 0; --clen) {
681 printer(arg, " %.2x", x);
685 return len + CHAP_HDRLEN;
688 struct protent chap_protent = {
698 NULL, /* datainput */
699 1, /* enabled_flag */
701 NULL, /* data_name */
703 NULL, /* check_options */