git.ozlabs.org Git - ppp.git/commit

author	Tijs Van Buggenhout <tvbuggen@gmail.com>
	Tue, 24 Nov 2020 15:17:45 +0000 (16:17 +0100)
committer	Tijs Van Buggenhout <tvbuggen@gmail.com>
	Wed, 30 Dec 2020 23:17:46 +0000 (00:17 +0100)
commit	3a7593be1582b204214f1ff9bbce849e22a81876
tree	76a70735103bbf5f6197b5aaa3df16cad021dd57	tree \| snapshot (tar.gz zip)
parent	049d5b842deae68a0e59d5def2c19940c0042084	commit \| diff

pppd: Add support for EAP-MSCHAPv2 in server mode

This implements EAP-MSCHAPv2 as specified by
draft-kamath-pppext-eap-mschapv2-02 [1] in server mode (as the client
mode is already proposed by Thomas [2]).

The flow is camparable to MD5-Challenge, with some additional steps for
confirmation:

* Client sends an EAP request
* Server answers with MD5-Challenge
* Client Naks and requests MSCHAPv2
* Server answers with MSCHAPv2-Challenge
* Client answers with MSCHAPv2-Response
* Server answers with MSCHAPv2-{Success/Failure}
* Client possibly confirms MSCHAPv2-{Success/Failure}

I reused as much as possible from pppd/chap-new.c and pppd/chap_ms.c,
but most of the implementation is protected by static functions.

Therefore eap_chapms2_verify_response is an exact copy of
chapms2_verify_response, likewise for eap_chap_verify which is an exact
copy of chap_verify_response. This is not optimal and subject for
improvement.

By using a chap_digest_type struct/object with validator
(verify_response), validation is compatible with other (external)
plugins that have a specific CHAP implementation exposed in the
chap_verify_hook (like radius, windbind, ...).

Changes in eap.h are identical to [2], except for the additional
eapMSCHAPv2Chall server state.

[1] https://tools.ietf.org/html/draft-kamath-pppext-eap-mschapv2-02
[2] https://github.com/enaess/ppp-mschap-v2.git

Signed-off-by: Tijs Van Buggenhout <tvbuggen@gmail.com>

pppd/eap.c		diff \| blob \| history
pppd/eap.h		diff \| blob \| history