2 * chap-new.c - New CHAP implementation.
4 * Copyright (c) 2003 Paul Mackerras. All rights reserved.
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
13 * 2. The name(s) of the authors of this software must not be used to
14 * endorse or promote products derived from this software without
15 * prior written permission.
17 * 3. Redistributions of any form whatsoever must retain the following
19 * "This product includes software developed by Paul Mackerras
20 * <paulus@samba.org>".
22 * THE AUTHORS OF THIS SOFTWARE DISCLAIM ALL WARRANTIES WITH REGARD TO
23 * THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
24 * AND FITNESS, IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY
25 * SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
26 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN
27 * AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING
28 * OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
31 #define RCSID "$Id: chap-new.c,v 1.7 2005/07/10 07:31:26 paulus Exp $"
41 #define MDTYPE_ALL (MDTYPE_MICROSOFT_V2 | MDTYPE_MICROSOFT | MDTYPE_MD5)
43 #define MDTYPE_ALL (MDTYPE_MD5)
46 int chap_mdtype_all = MDTYPE_ALL;
48 /* Hook for a plugin to validate CHAP challenge */
49 int (*chap_verify_hook)(char *name, char *ourname, int id,
50 struct chap_digest_type *digest,
51 unsigned char *challenge, unsigned char *response,
52 char *message, int message_space) = NULL;
57 int chap_timeout_time = 3;
58 int chap_max_transmits = 10;
59 int chap_rechallenge_time = 0;
62 * Command-line options.
64 static option_t chap_option_list[] = {
65 { "chap-restart", o_int, &chap_timeout_time,
66 "Set timeout for CHAP", OPT_PRIO },
67 { "chap-max-challenge", o_int, &chap_max_transmits,
68 "Set max #xmits for challenge", OPT_PRIO },
69 { "chap-interval", o_int, &chap_rechallenge_time,
70 "Set interval for rechallenge", OPT_PRIO },
77 static struct chap_client_state {
80 struct chap_digest_type *digest;
81 unsigned char priv[64]; /* private area for digest's use */
85 * These limits apply to challenge and response packets we send.
86 * The +4 is the +1 that we actually need rounded up.
88 #define CHAL_MAX_PKTLEN (PPP_HDRLEN + CHAP_HDRLEN + 4 + MAX_CHALLENGE_LEN + MAXNAMELEN)
89 #define RESP_MAX_PKTLEN (PPP_HDRLEN + CHAP_HDRLEN + 4 + MAX_RESPONSE_LEN + MAXNAMELEN)
91 static struct chap_server_state {
95 struct chap_digest_type *digest;
98 unsigned char challenge[CHAL_MAX_PKTLEN];
102 /* Values for flags in chap_client_state and chap_server_state */
104 #define AUTH_STARTED 2
106 #define AUTH_FAILED 8
107 #define TIMEOUT_PENDING 0x10
108 #define CHALLENGE_VALID 0x20
113 static void chap_init(int unit);
114 static void chap_lowerup(int unit);
115 static void chap_lowerdown(int unit);
116 static void chap_timeout(void *arg);
117 static void chap_generate_challenge(struct chap_server_state *ss);
118 static void chap_handle_response(struct chap_server_state *ss, int code,
119 unsigned char *pkt, int len);
120 static int chap_verify_response(char *name, char *ourname, int id,
121 struct chap_digest_type *digest,
122 unsigned char *challenge, unsigned char *response,
123 char *message, int message_space);
124 static void chap_respond(struct chap_client_state *cs, int id,
125 unsigned char *pkt, int len);
126 static void chap_handle_status(struct chap_client_state *cs, int code, int id,
127 unsigned char *pkt, int len);
128 static void chap_protrej(int unit);
129 static void chap_input(int unit, unsigned char *pkt, int pktlen);
130 static int chap_print_pkt(unsigned char *p, int plen,
131 void (*printer) __P((void *, char *, ...)), void *arg);
133 /* List of digest types that we know about */
134 static struct chap_digest_type *chap_digests;
137 * chap_init - reset to initial state.
142 memset(&client, 0, sizeof(client));
143 memset(&server, 0, sizeof(server));
152 * Add a new digest type to the list.
155 chap_register_digest(struct chap_digest_type *dp)
157 dp->next = chap_digests;
162 * chap_lowerup - we can start doing stuff now.
165 chap_lowerup(int unit)
167 struct chap_client_state *cs = &client;
168 struct chap_server_state *ss = &server;
170 cs->flags |= LOWERUP;
171 ss->flags |= LOWERUP;
172 if (ss->flags & AUTH_STARTED)
177 chap_lowerdown(int unit)
179 struct chap_client_state *cs = &client;
180 struct chap_server_state *ss = &server;
183 if (ss->flags & TIMEOUT_PENDING)
184 UNTIMEOUT(chap_timeout, ss);
189 * chap_auth_peer - Start authenticating the peer.
190 * If the lower layer is already up, we start sending challenges,
191 * otherwise we wait for the lower layer to come up.
194 chap_auth_peer(int unit, char *our_name, int digest_code)
196 struct chap_server_state *ss = &server;
197 struct chap_digest_type *dp;
199 if (ss->flags & AUTH_STARTED) {
200 error("CHAP: peer authentication already started!");
203 for (dp = chap_digests; dp != NULL; dp = dp->next)
204 if (dp->code == digest_code)
207 fatal("CHAP digest 0x%x requested but not available",
212 /* Start with a random ID value */
213 ss->id = (unsigned char)(drand48() * 256);
214 ss->flags |= AUTH_STARTED;
215 if (ss->flags & LOWERUP)
220 * chap_auth_with_peer - Prepare to authenticate ourselves to the peer.
221 * There isn't much to do until we receive a challenge.
224 chap_auth_with_peer(int unit, char *our_name, int digest_code)
226 struct chap_client_state *cs = &client;
227 struct chap_digest_type *dp;
229 if (cs->flags & AUTH_STARTED) {
230 error("CHAP: authentication with peer already started!");
233 for (dp = chap_digests; dp != NULL; dp = dp->next)
234 if (dp->code == digest_code)
237 fatal("CHAP digest 0x%x requested but not available",
242 cs->flags |= AUTH_STARTED;
246 * chap_timeout - It's time to send another challenge to the peer.
247 * This could be either a retransmission of a previous challenge,
248 * or a new challenge to start re-authentication.
251 chap_timeout(void *arg)
253 struct chap_server_state *ss = arg;
255 ss->flags &= ~TIMEOUT_PENDING;
256 if ((ss->flags & CHALLENGE_VALID) == 0) {
257 ss->challenge_xmits = 0;
258 chap_generate_challenge(ss);
259 ss->flags |= CHALLENGE_VALID;
260 } else if (ss->challenge_xmits >= chap_max_transmits) {
261 ss->flags &= ~CHALLENGE_VALID;
262 ss->flags |= AUTH_DONE | AUTH_FAILED;
263 auth_peer_fail(0, PPP_CHAP);
267 output(0, ss->challenge, ss->challenge_pktlen);
268 ++ss->challenge_xmits;
269 ss->flags |= TIMEOUT_PENDING;
270 TIMEOUT(chap_timeout, arg, chap_timeout_time);
274 * chap_generate_challenge - generate a challenge string and format
275 * the challenge packet in ss->challenge_pkt.
278 chap_generate_challenge(struct chap_server_state *ss)
280 int clen = 1, nlen, len;
284 MAKEHEADER(p, PPP_CHAP);
286 ss->digest->generate_challenge(p);
288 nlen = strlen(ss->name);
289 memcpy(p + 1 + clen, ss->name, nlen);
291 len = CHAP_HDRLEN + 1 + clen + nlen;
292 ss->challenge_pktlen = PPP_HDRLEN + len;
294 p = ss->challenge + PPP_HDRLEN;
295 p[0] = CHAP_CHALLENGE;
302 * chap_handle_response - check the response to our challenge.
305 chap_handle_response(struct chap_server_state *ss, int id,
306 unsigned char *pkt, int len)
308 int response_len, ok, mlen;
309 unsigned char *response, *p;
310 char *name = NULL; /* initialized to shut gcc up */
311 int (*verifier)(char *, char *, int, struct chap_digest_type *,
312 unsigned char *, unsigned char *, char *, int);
313 char rname[MAXNAMELEN+1];
315 if ((ss->flags & LOWERUP) == 0)
317 if (id != ss->challenge[PPP_HDRLEN+1] || len < 2)
319 if (ss->flags & CHALLENGE_VALID) {
321 GETCHAR(response_len, pkt);
322 len -= response_len + 1; /* length of name */
323 name = (char *)pkt + response_len;
327 if (ss->flags & TIMEOUT_PENDING) {
328 ss->flags &= ~TIMEOUT_PENDING;
329 UNTIMEOUT(chap_timeout, ss);
332 if (explicit_remote) {
335 /* Null terminate and clean remote name. */
336 slprintf(rname, sizeof(rname), "%.*v", len, name);
340 if (chap_verify_hook)
341 verifier = chap_verify_hook;
343 verifier = chap_verify_response;
344 ok = (*verifier)(name, ss->name, id, ss->digest,
345 ss->challenge + PPP_HDRLEN + CHAP_HDRLEN,
346 response, ss->message, sizeof(ss->message));
347 if (!ok || !auth_number()) {
348 ss->flags |= AUTH_FAILED;
349 warn("Peer %q failed CHAP authentication", name);
351 } else if ((ss->flags & AUTH_DONE) == 0)
354 /* send the response */
356 MAKEHEADER(p, PPP_CHAP);
357 mlen = strlen(ss->message);
358 len = CHAP_HDRLEN + mlen;
359 p[0] = (ss->flags & AUTH_FAILED)? CHAP_FAILURE: CHAP_SUCCESS;
364 memcpy(p + CHAP_HDRLEN, ss->message, mlen);
365 output(0, outpacket_buf, PPP_HDRLEN + len);
367 if (ss->flags & CHALLENGE_VALID) {
368 ss->flags &= ~CHALLENGE_VALID;
369 if (ss->flags & AUTH_FAILED) {
370 auth_peer_fail(0, PPP_CHAP);
372 if ((ss->flags & AUTH_DONE) == 0)
373 auth_peer_success(0, PPP_CHAP,
376 if (chap_rechallenge_time) {
377 ss->flags |= TIMEOUT_PENDING;
378 TIMEOUT(chap_timeout, ss,
379 chap_rechallenge_time);
382 ss->flags |= AUTH_DONE;
387 * chap_verify_response - check whether the peer's response matches
388 * what we think it should be. Returns 1 if it does (authentication
389 * succeeded), or 0 if it doesn't.
392 chap_verify_response(char *name, char *ourname, int id,
393 struct chap_digest_type *digest,
394 unsigned char *challenge, unsigned char *response,
395 char *message, int message_space)
398 unsigned char secret[MAXSECRETLEN];
401 /* Get the secret that the peer is supposed to know */
402 if (!get_secret(0, name, ourname, (char *)secret, &secret_len, 1)) {
403 error("No CHAP secret found for authenticating %q", name);
407 ok = digest->verify_response(id, name, secret, secret_len, challenge,
408 response, message, message_space);
409 memset(secret, 0, sizeof(secret));
415 * chap_respond - Generate and send a response to a challenge.
418 chap_respond(struct chap_client_state *cs, int id,
419 unsigned char *pkt, int len)
424 unsigned char response[RESP_MAX_PKTLEN];
425 char rname[MAXNAMELEN+1];
426 char secret[MAXSECRETLEN+1];
428 if ((cs->flags & (LOWERUP | AUTH_STARTED)) != (LOWERUP | AUTH_STARTED))
429 return; /* not ready */
430 if (len < 2 || len < pkt[0] + 1)
431 return; /* too short */
433 nlen = len - (clen + 1);
435 /* Null terminate and clean remote name. */
436 slprintf(rname, sizeof(rname), "%.*v", nlen, pkt + clen + 1);
438 /* Microsoft doesn't send their name back in the PPP packet */
439 if (explicit_remote || (remote_name[0] != 0 && rname[0] == 0))
440 strlcpy(rname, remote_name, sizeof(rname));
442 /* get secret for authenticating ourselves with the specified host */
443 if (!get_secret(0, cs->name, rname, secret, &secret_len, 0)) {
444 secret_len = 0; /* assume null secret if can't find one */
445 warn("No CHAP secret found for authenticating us to %q", rname);
449 MAKEHEADER(p, PPP_CHAP);
452 cs->digest->make_response(p, id, cs->name, pkt,
453 secret, secret_len, cs->priv);
454 memset(secret, 0, secret_len);
457 nlen = strlen(cs->name);
458 memcpy(p + clen + 1, cs->name, nlen);
460 p = response + PPP_HDRLEN;
461 len = CHAP_HDRLEN + clen + 1 + nlen;
462 p[0] = CHAP_RESPONSE;
467 output(0, response, PPP_HDRLEN + len);
471 chap_handle_status(struct chap_client_state *cs, int code, int id,
472 unsigned char *pkt, int len)
474 const char *msg = NULL;
476 if ((cs->flags & (AUTH_DONE|AUTH_STARTED|LOWERUP))
477 != (AUTH_STARTED|LOWERUP))
479 cs->flags |= AUTH_DONE;
481 if (code == CHAP_SUCCESS) {
482 /* used for MS-CHAP v2 mutual auth, yuck */
483 if (cs->digest->check_success != NULL) {
484 if (!(*cs->digest->check_success)(pkt, len, cs->priv))
487 msg = "CHAP authentication succeeded";
489 if (cs->digest->handle_failure != NULL)
490 (*cs->digest->handle_failure)(pkt, len);
492 msg = "CHAP authentication failed";
496 info("%s: %.*v", msg, len, pkt);
500 if (code == CHAP_SUCCESS)
501 auth_withpeer_success(0, PPP_CHAP, cs->digest->code);
503 cs->flags |= AUTH_FAILED;
504 auth_withpeer_fail(0, PPP_CHAP);
509 chap_input(int unit, unsigned char *pkt, int pktlen)
511 struct chap_client_state *cs = &client;
512 struct chap_server_state *ss = &server;
513 unsigned char code, id;
516 if (pktlen < CHAP_HDRLEN)
521 if (len < CHAP_HDRLEN || len > pktlen)
527 chap_respond(cs, id, pkt, len);
530 chap_handle_response(ss, id, pkt, len);
534 chap_handle_status(cs, code, id, pkt, len);
540 chap_protrej(int unit)
542 struct chap_client_state *cs = &client;
543 struct chap_server_state *ss = &server;
545 if (ss->flags & TIMEOUT_PENDING) {
546 ss->flags &= ~TIMEOUT_PENDING;
547 UNTIMEOUT(chap_timeout, ss);
549 if (ss->flags & AUTH_STARTED) {
551 auth_peer_fail(0, PPP_CHAP);
553 if ((cs->flags & (AUTH_STARTED|AUTH_DONE)) == AUTH_STARTED) {
554 cs->flags &= ~AUTH_STARTED;
555 auth_withpeer_fail(0, PPP_CHAP);
560 * chap_print_pkt - print the contents of a CHAP packet.
562 static char *chap_code_names[] = {
563 "Challenge", "Response", "Success", "Failure"
567 chap_print_pkt(unsigned char *p, int plen,
568 void (*printer) __P((void *, char *, ...)), void *arg)
574 if (plen < CHAP_HDRLEN)
579 if (len < CHAP_HDRLEN || len > plen)
582 if (code >= 1 && code <= sizeof(chap_code_names) / sizeof(char *))
583 printer(arg, " %s", chap_code_names[code-1]);
585 printer(arg, " code=0x%x", code);
586 printer(arg, " id=0x%x", id);
597 nlen = len - clen - 1;
599 for (; clen > 0; --clen) {
601 printer(arg, "%.2x", x);
603 printer(arg, ">, name = ");
604 print_string((char *)p, nlen, printer, arg);
609 print_string((char *)p, len, printer, arg);
612 for (clen = len; clen > 0; --clen) {
614 printer(arg, " %.2x", x);
618 return len + CHAP_HDRLEN;
621 struct protent chap_protent = {
631 NULL, /* datainput */
632 1, /* enabled_flag */
634 NULL, /* data_name */
636 NULL, /* check_options */