1 /*- 2 * Copyright (c) 1996 - 2001 Brian Somers <brian@Awfulhak.org> 3 * based on work by Toshiharu OHNO <tony-o@iij.ad.jp> 4 * Internet Initiative Japan, Inc (IIJ) 5 * All rights reserved. 6 * 7 * Redistribution and use in source and binary forms, with or without 8 * modification, are permitted provided that the following conditions 9 * are met: 10 * 1. Redistributions of source code must retain the above copyright 11 * notice, this list of conditions and the following disclaimer. 12 * 2. Redistributions in binary form must reproduce the above copyright 13 * notice, this list of conditions and the following disclaimer in the 14 * documentation and/or other materials provided with the distribution. 15 * 16 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 17 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 18 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 19 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 20 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 21 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 22 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 23 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 24 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 25 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 26 * SUCH DAMAGE. 27 * 28 * $FreeBSD$ 29 */ 30 31 #include <sys/param.h> 32 #include <netinet/in.h> 33 #include <netinet/in_systm.h> 34 #include <netinet/ip.h> 35 #include <sys/socket.h> 36 #include <sys/un.h> 37 38 #include <errno.h> 39 #include <fcntl.h> 40 #ifndef NODES 41 #include <md4.h> 42 #endif 43 #include <md5.h> 44 #include <paths.h> 45 #include <signal.h> 46 #include <stdio.h> 47 #include <stdlib.h> 48 #include <string.h> 49 #include <sys/wait.h> 50 #include <termios.h> 51 #include <unistd.h> 52 53 #include "layer.h" 54 #include "mbuf.h" 55 #include "log.h" 56 #include "defs.h" 57 #include "timer.h" 58 #include "fsm.h" 59 #include "proto.h" 60 #include "lqr.h" 61 #include "hdlc.h" 62 #include "lcp.h" 63 #include "auth.h" 64 #include "async.h" 65 #include "throughput.h" 66 #include "descriptor.h" 67 #include "chap.h" 68 #include "iplist.h" 69 #include "slcompress.h" 70 #include "ncpaddr.h" 71 #include "ipcp.h" 72 #include "filter.h" 73 #include "ccp.h" 74 #include "link.h" 75 #include "physical.h" 76 #include "mp.h" 77 #ifndef NORADIUS 78 #include "radius.h" 79 #endif 80 #include "ipv6cp.h" 81 #include "ncp.h" 82 #include "bundle.h" 83 #include "chat.h" 84 #include "cbcp.h" 85 #include "command.h" 86 #include "datalink.h" 87 #ifndef NODES 88 #include "chap_ms.h" 89 #include "mppe.h" 90 #endif 91 #include "id.h" 92 93 static const char * const chapcodes[] = { 94 "???", "CHALLENGE", "RESPONSE", "SUCCESS", "FAILURE" 95 }; 96 #define MAXCHAPCODE (sizeof chapcodes / sizeof chapcodes[0] - 1) 97 98 static void 99 ChapOutput(struct physical *physical, u_int code, u_int id, 100 const u_char *ptr, int count, const char *text) 101 { 102 int plen; 103 struct fsmheader lh; 104 struct mbuf *bp; 105 106 plen = sizeof(struct fsmheader) + count; 107 lh.code = code; 108 lh.id = id; 109 lh.length = htons(plen); 110 bp = m_get(plen, MB_CHAPOUT); 111 memcpy(MBUF_CTOP(bp), &lh, sizeof(struct fsmheader)); 112 if (count) 113 memcpy(MBUF_CTOP(bp) + sizeof(struct fsmheader), ptr, count); 114 log_DumpBp(LogDEBUG, "ChapOutput", bp); 115 if (text == NULL) 116 log_Printf(LogPHASE, "Chap Output: %s\n", chapcodes[code]); 117 else 118 log_Printf(LogPHASE, "Chap Output: %s (%s)\n", chapcodes[code], text); 119 link_PushPacket(&physical->link, bp, physical->dl->bundle, 120 LINK_QUEUES(&physical->link) - 1, PROTO_CHAP); 121 } 122 123 static char * 124 chap_BuildAnswer(char *name, char *key, u_char id, char *challenge, u_char type 125 #ifndef NODES 126 , char *peerchallenge, char *authresponse, int lanman 127 #endif 128 ) 129 { 130 char *result, *digest; 131 size_t nlen, klen; 132 133 nlen = strlen(name); 134 klen = strlen(key); 135 136 #ifndef NODES 137 if (type == 0x80) { 138 char expkey[AUTHLEN << 2]; 139 MD4_CTX MD4context; 140 int f; 141 142 if ((result = malloc(1 + nlen + MS_CHAP_RESPONSE_LEN)) == NULL) 143 return result; 144 145 digest = result; /* the response */ 146 *digest++ = MS_CHAP_RESPONSE_LEN; /* 49 */ 147 memcpy(digest + MS_CHAP_RESPONSE_LEN, name, nlen); 148 if (lanman) { 149 memset(digest + 24, '\0', 25); 150 mschap_LANMan(digest, challenge + 1, key); /* LANMan response */ 151 } else { 152 memset(digest, '\0', 25); 153 digest += 24; 154 155 for (f = 0; f < klen; f++) { 156 expkey[2*f] = key[f]; 157 expkey[2*f+1] = '\0'; 158 } 159 /* 160 * ----------- 161 * expkey = | k\0e\0y\0 | 162 * ----------- 163 */ 164 MD4Init(&MD4context); 165 MD4Update(&MD4context, expkey, klen << 1); 166 MD4Final(digest, &MD4context); 167 168 /* 169 * ---- -------- ---------------- ------- ------ 170 * result = | 49 | LANMan | 16 byte digest | 9 * ? | name | 171 * ---- -------- ---------------- ------- ------ 172 */ 173 mschap_NT(digest, challenge + 1); 174 } 175 /* 176 * ---- -------- ------------- ----- ------ 177 * | | struct MS_ChapResponse24 | | 178 * result = | 49 | LANMan | NT digest | 0/1 | name | 179 * ---- -------- ------------- ----- ------ 180 * where only one of LANMan & NT digest are set. 181 */ 182 } else if (type == 0x81) { 183 char expkey[AUTHLEN << 2]; 184 char pwdhash[CHAP81_HASH_LEN]; 185 char pwdhashhash[CHAP81_HASH_LEN]; 186 char *ntresponse; 187 int f; 188 189 if ((result = malloc(1 + nlen + CHAP81_RESPONSE_LEN)) == NULL) 190 return result; 191 192 memset(result, 0, 1 + nlen + CHAP81_RESPONSE_LEN); 193 194 digest = result; 195 *digest++ = CHAP81_RESPONSE_LEN; /* value size */ 196 197 /* Copy our challenge */ 198 memcpy(digest, peerchallenge + 1, CHAP81_CHALLENGE_LEN); 199 200 /* Expand password to Unicode XXX */ 201 for (f = 0; f < klen; f++) { 202 expkey[2*f] = key[f]; 203 expkey[2*f+1] = '\0'; 204 } 205 206 ntresponse = digest + CHAP81_NTRESPONSE_OFF; 207 208 /* Get some needed hashes */ 209 NtPasswordHash(expkey, klen * 2, pwdhash); 210 HashNtPasswordHash(pwdhash, pwdhashhash); 211 212 /* Generate NTRESPONSE to respond on challenge call */ 213 GenerateNTResponse(challenge + 1, peerchallenge + 1, name, nlen, 214 expkey, klen * 2, ntresponse); 215 216 /* Generate MPPE MASTERKEY */ 217 GetMasterKey(pwdhashhash, ntresponse, MPPE_MasterKey); /* XXX Global ! */ 218 219 /* Generate AUTHRESPONSE to verify on auth success */ 220 GenerateAuthenticatorResponse(expkey, klen * 2, ntresponse, 221 peerchallenge + 1, challenge + 1, name, nlen, 222 authresponse); 223 224 authresponse[CHAP81_AUTHRESPONSE_LEN] = 0; 225 226 memcpy(digest + CHAP81_RESPONSE_LEN, name, nlen); 227 } else 228 #endif 229 if ((result = malloc(nlen + 17)) != NULL) { 230 /* Normal MD5 stuff */ 231 MD5_CTX MD5context; 232 233 digest = result; 234 *digest++ = 16; /* value size */ 235 236 MD5Init(&MD5context); 237 MD5Update(&MD5context, &id, 1); 238 MD5Update(&MD5context, key, klen); 239 MD5Update(&MD5context, challenge + 1, *challenge); 240 MD5Final(digest, &MD5context); 241 242 memcpy(digest + 16, name, nlen); 243 /* 244 * ---- -------- ------ 245 * result = | 16 | digest | name | 246 * ---- -------- ------ 247 */ 248 } 249 250 return result; 251 } 252 253 static void 254 chap_StartChild(struct chap *chap, char *prog, const char *name) 255 { 256 char *argv[MAXARGS], *nargv[MAXARGS]; 257 int argc, fd; 258 int in[2], out[2]; 259 pid_t pid; 260 261 if (chap->child.fd != -1) { 262 log_Printf(LogWARN, "Chap: %s: Program already running\n", prog); 263 return; 264 } 265 266 if (pipe(in) == -1) { 267 log_Printf(LogERROR, "Chap: pipe: %s\n", strerror(errno)); 268 return; 269 } 270 271 if (pipe(out) == -1) { 272 log_Printf(LogERROR, "Chap: pipe: %s\n", strerror(errno)); 273 close(in[0]); 274 close(in[1]); 275 return; 276 } 277 278 pid = getpid(); 279 switch ((chap->child.pid = fork())) { 280 case -1: 281 log_Printf(LogERROR, "Chap: fork: %s\n", strerror(errno)); 282 close(in[0]); 283 close(in[1]); 284 close(out[0]); 285 close(out[1]); 286 chap->child.pid = 0; 287 return; 288 289 case 0: 290 timer_TermService(); 291 292 if ((argc = command_Interpret(prog, strlen(prog), argv)) <= 0) { 293 if (argc < 0) { 294 log_Printf(LogWARN, "CHAP: Invalid command syntax\n"); 295 _exit(255); 296 } 297 _exit(0); 298 } 299 300 close(in[1]); 301 close(out[0]); 302 if (out[1] == STDIN_FILENO) 303 out[1] = dup(out[1]); 304 dup2(in[0], STDIN_FILENO); 305 dup2(out[1], STDOUT_FILENO); 306 close(STDERR_FILENO); 307 if (open(_PATH_DEVNULL, O_RDWR) != STDERR_FILENO) { 308 log_Printf(LogALERT, "Chap: Failed to open %s: %s\n", 309 _PATH_DEVNULL, strerror(errno)); 310 exit(1); 311 } 312 for (fd = getdtablesize(); fd > STDERR_FILENO; fd--) 313 fcntl(fd, F_SETFD, 1); 314 #ifndef NOSUID 315 setuid(ID0realuid()); 316 #endif 317 command_Expand(nargv, argc, (char const *const *)argv, 318 chap->auth.physical->dl->bundle, 0, pid); 319 execvp(nargv[0], nargv); 320 printf("exec() of %s failed: %s\n", nargv[0], strerror(errno)); 321 _exit(255); 322 323 default: 324 close(in[0]); 325 close(out[1]); 326 chap->child.fd = out[0]; 327 chap->child.buf.len = 0; 328 write(in[1], chap->auth.in.name, strlen(chap->auth.in.name)); 329 write(in[1], "\n", 1); 330 write(in[1], chap->challenge.peer + 1, *chap->challenge.peer); 331 write(in[1], "\n", 1); 332 write(in[1], name, strlen(name)); 333 write(in[1], "\n", 1); 334 close(in[1]); 335 break; 336 } 337 } 338 339 static void 340 chap_Cleanup(struct chap *chap, int sig) 341 { 342 if (chap->child.pid) { 343 int status; 344 345 close(chap->child.fd); 346 chap->child.fd = -1; 347 if (sig) 348 kill(chap->child.pid, SIGTERM); 349 chap->child.pid = 0; 350 chap->child.buf.len = 0; 351 352 if (wait(&status) == -1) 353 log_Printf(LogERROR, "Chap: wait: %s\n", strerror(errno)); 354 else if (WIFSIGNALED(status)) 355 log_Printf(LogWARN, "Chap: Child received signal %d\n", WTERMSIG(status)); 356 else if (WIFEXITED(status) && WEXITSTATUS(status)) 357 log_Printf(LogERROR, "Chap: Child exited %d\n", WEXITSTATUS(status)); 358 } 359 *chap->challenge.local = *chap->challenge.peer = '\0'; 360 #ifndef NODES 361 chap->peertries = 0; 362 #endif 363 } 364 365 static void 366 chap_Respond(struct chap *chap, char *name, char *key, u_char type 367 #ifndef NODES 368 , int lm 369 #endif 370 ) 371 { 372 u_char *ans; 373 374 ans = chap_BuildAnswer(name, key, chap->auth.id, chap->challenge.peer, type 375 #ifndef NODES 376 , chap->challenge.local, chap->authresponse, lm 377 #endif 378 ); 379 380 if (ans) { 381 ChapOutput(chap->auth.physical, CHAP_RESPONSE, chap->auth.id, 382 ans, *ans + 1 + strlen(name), name); 383 #ifndef NODES 384 chap->NTRespSent = !lm; 385 MPPE_IsServer = 0; /* XXX Global ! */ 386 #endif 387 free(ans); 388 } else 389 ChapOutput(chap->auth.physical, CHAP_FAILURE, chap->auth.id, 390 "Out of memory!", 14, NULL); 391 } 392 393 static int 394 chap_UpdateSet(struct fdescriptor *d, fd_set *r, fd_set *w, fd_set *e, int *n) 395 { 396 struct chap *chap = descriptor2chap(d); 397 398 if (r && chap && chap->child.fd != -1) { 399 FD_SET(chap->child.fd, r); 400 if (*n < chap->child.fd + 1) 401 *n = chap->child.fd + 1; 402 log_Printf(LogTIMER, "Chap: fdset(r) %d\n", chap->child.fd); 403 return 1; 404 } 405 406 return 0; 407 } 408 409 static int 410 chap_IsSet(struct fdescriptor *d, const fd_set *fdset) 411 { 412 struct chap *chap = descriptor2chap(d); 413 414 return chap && chap->child.fd != -1 && FD_ISSET(chap->child.fd, fdset); 415 } 416 417 static void 418 chap_Read(struct fdescriptor *d, struct bundle *bundle, const fd_set *fdset) 419 { 420 struct chap *chap = descriptor2chap(d); 421 int got; 422 423 got = read(chap->child.fd, chap->child.buf.ptr + chap->child.buf.len, 424 sizeof chap->child.buf.ptr - chap->child.buf.len - 1); 425 if (got == -1) { 426 log_Printf(LogERROR, "Chap: Read: %s\n", strerror(errno)); 427 chap_Cleanup(chap, SIGTERM); 428 } else if (got == 0) { 429 log_Printf(LogWARN, "Chap: Read: Child terminated connection\n"); 430 chap_Cleanup(chap, SIGTERM); 431 } else { 432 char *name, *key, *end; 433 434 chap->child.buf.len += got; 435 chap->child.buf.ptr[chap->child.buf.len] = '\0'; 436 name = chap->child.buf.ptr; 437 name += strspn(name, " \t"); 438 if ((key = strchr(name, '\n')) == NULL) 439 end = NULL; 440 else 441 end = strchr(++key, '\n'); 442 443 if (end == NULL) { 444 if (chap->child.buf.len == sizeof chap->child.buf.ptr - 1) { 445 log_Printf(LogWARN, "Chap: Read: Input buffer overflow\n"); 446 chap_Cleanup(chap, SIGTERM); 447 } 448 } else { 449 #ifndef NODES 450 int lanman = chap->auth.physical->link.lcp.his_authtype == 0x80 && 451 ((chap->NTRespSent && 452 IsAccepted(chap->auth.physical->link.lcp.cfg.chap80lm)) || 453 !IsAccepted(chap->auth.physical->link.lcp.cfg.chap80nt)); 454 #endif 455 456 while (end >= name && strchr(" \t\r\n", *end)) 457 *end-- = '\0'; 458 end = key - 1; 459 while (end >= name && strchr(" \t\r\n", *end)) 460 *end-- = '\0'; 461 key += strspn(key, " \t"); 462 463 chap_Respond(chap, name, key, chap->auth.physical->link.lcp.his_authtype 464 #ifndef NODES 465 , lanman 466 #endif 467 ); 468 chap_Cleanup(chap, 0); 469 } 470 } 471 } 472 473 static int 474 chap_Write(struct fdescriptor *d, struct bundle *bundle, const fd_set *fdset) 475 { 476 /* We never want to write here ! */ 477 log_Printf(LogALERT, "chap_Write: Internal error: Bad call !\n"); 478 return 0; 479 } 480 481 static void 482 chap_ChallengeInit(struct authinfo *authp) 483 { 484 struct chap *chap = auth2chap(authp); 485 int len, i; 486 char *cp; 487 488 len = strlen(authp->physical->dl->bundle->cfg.auth.name); 489 490 if (!*chap->challenge.local) { 491 randinit(); 492 cp = chap->challenge.local; 493 494 #ifndef NORADIUS 495 if (*authp->physical->dl->bundle->radius.cfg.file) { 496 /* For radius, our challenge is 16 readable NUL terminated bytes :*/ 497 *cp++ = 16; 498 for (i = 0; i < 16; i++) 499 *cp++ = (random() % 10) + '0'; 500 } else 501 #endif 502 { 503 #ifndef NODES 504 if (authp->physical->link.lcp.want_authtype == 0x80) 505 *cp++ = 8; /* MS does 8 byte callenges :-/ */ 506 else if (authp->physical->link.lcp.want_authtype == 0x81) 507 *cp++ = 16; /* MS-CHAP-V2 does 16 bytes challenges */ 508 else 509 #endif 510 *cp++ = random() % (CHAPCHALLENGELEN-16) + 16; 511 for (i = 0; i < *chap->challenge.local; i++) 512 *cp++ = random() & 0xff; 513 } 514 memcpy(cp, authp->physical->dl->bundle->cfg.auth.name, len); 515 } 516 } 517 518 static void 519 chap_Challenge(struct authinfo *authp) 520 { 521 struct chap *chap = auth2chap(authp); 522 int len; 523 524 log_Printf(LogDEBUG, "CHAP%02X: Challenge\n", 525 authp->physical->link.lcp.want_authtype); 526 527 len = strlen(authp->physical->dl->bundle->cfg.auth.name); 528 529 /* Generate new local challenge value */ 530 if (!*chap->challenge.local) 531 chap_ChallengeInit(authp); 532 533 #ifndef NODES 534 if (authp->physical->link.lcp.want_authtype == 0x81) 535 ChapOutput(authp->physical, CHAP_CHALLENGE, authp->id, 536 chap->challenge.local, 1 + *chap->challenge.local, NULL); 537 else 538 #endif 539 ChapOutput(authp->physical, CHAP_CHALLENGE, authp->id, 540 chap->challenge.local, 1 + *chap->challenge.local + len, NULL); 541 } 542 543 static void 544 chap_Success(struct authinfo *authp) 545 { 546 struct bundle *bundle = authp->physical->dl->bundle; 547 const char *msg; 548 549 datalink_GotAuthname(authp->physical->dl, authp->in.name); 550 #ifndef NODES 551 if (authp->physical->link.lcp.want_authtype == 0x81) { 552 #ifndef NORADIUS 553 if (*bundle->radius.cfg.file && bundle->radius.msrepstr) 554 msg = bundle->radius.msrepstr; 555 else 556 #endif 557 msg = auth2chap(authp)->authresponse; 558 MPPE_MasterKeyValid = 1; /* XXX Global ! */ 559 } else 560 #endif 561 #ifndef NORADIUS 562 if (*bundle->radius.cfg.file && bundle->radius.repstr) 563 msg = bundle->radius.repstr; 564 else 565 #endif 566 msg = "Welcome!!"; 567 568 ChapOutput(authp->physical, CHAP_SUCCESS, authp->id, msg, strlen(msg), 569 NULL); 570 571 authp->physical->link.lcp.auth_ineed = 0; 572 if (Enabled(bundle, OPT_UTMP)) 573 physical_Login(authp->physical, authp->in.name); 574 575 if (authp->physical->link.lcp.auth_iwait == 0) 576 /* 577 * Either I didn't need to authenticate, or I've already been 578 * told that I got the answer right. 579 */ 580 datalink_AuthOk(authp->physical->dl); 581 } 582 583 static void 584 chap_Failure(struct authinfo *authp) 585 { 586 #ifndef NODES 587 char buf[1024], *ptr; 588 #endif 589 const char *msg; 590 591 #ifndef NORADIUS 592 struct bundle *bundle = authp->physical->link.lcp.fsm.bundle; 593 if (*bundle->radius.cfg.file && bundle->radius.errstr) 594 msg = bundle->radius.errstr; 595 else 596 #endif 597 #ifndef NODES 598 if (authp->physical->link.lcp.want_authtype == 0x80) { 599 sprintf(buf, "E=691 R=1 M=Invalid!"); 600 msg = buf; 601 } else if (authp->physical->link.lcp.want_authtype == 0x81) { 602 int i; 603 604 ptr = buf; 605 ptr += sprintf(buf, "E=691 R=0 C="); 606 for (i=0; i<16; i++) 607 ptr += sprintf(ptr, "%02X", *(auth2chap(authp)->challenge.local+1+i)); 608 609 sprintf(ptr, " V=3 M=Invalid!"); 610 msg = buf; 611 } else 612 #endif 613 msg = "Invalid!!"; 614 615 ChapOutput(authp->physical, CHAP_FAILURE, authp->id, msg, strlen(msg) + 1, 616 NULL); 617 datalink_AuthNotOk(authp->physical->dl); 618 } 619 620 static int 621 chap_Cmp(u_char type, char *myans, int mylen, char *hisans, int hislen 622 #ifndef NODES 623 , int lm 624 #endif 625 ) 626 { 627 int off; 628 629 if (mylen != hislen) 630 return 0; 631 632 off = 0; 633 634 #ifndef NODES 635 if (type == 0x80) { 636 off = lm ? 0 : 24; 637 mylen = 24; 638 } 639 #endif 640 641 for (; mylen; off++, mylen--) 642 if (toupper(myans[off]) != toupper(hisans[off])) 643 return 0; 644 645 return 1; 646 } 647 648 #ifndef NODES 649 static int 650 chap_HaveAnotherGo(struct chap *chap) 651 { 652 if (++chap->peertries < 3) { 653 /* Give the peer another shot */ 654 *chap->challenge.local = '\0'; 655 chap_Challenge(&chap->auth); 656 return 1; 657 } 658 659 return 0; 660 } 661 #endif 662 663 void 664 chap_Init(struct chap *chap, struct physical *p) 665 { 666 chap->desc.type = CHAP_DESCRIPTOR; 667 chap->desc.UpdateSet = chap_UpdateSet; 668 chap->desc.IsSet = chap_IsSet; 669 chap->desc.Read = chap_Read; 670 chap->desc.Write = chap_Write; 671 chap->child.pid = 0; 672 chap->child.fd = -1; 673 auth_Init(&chap->auth, p, chap_Challenge, chap_Success, chap_Failure); 674 *chap->challenge.local = *chap->challenge.peer = '\0'; 675 #ifndef NODES 676 chap->NTRespSent = 0; 677 chap->peertries = 0; 678 #endif 679 } 680 681 void 682 chap_ReInit(struct chap *chap) 683 { 684 chap_Cleanup(chap, SIGTERM); 685 } 686 687 struct mbuf * 688 chap_Input(struct bundle *bundle, struct link *l, struct mbuf *bp) 689 { 690 struct physical *p = link2physical(l); 691 struct chap *chap = &p->dl->chap; 692 char *name, *key, *ans; 693 int len, nlen; 694 u_char alen; 695 #ifndef NODES 696 int lanman; 697 #endif 698 699 if (p == NULL) { 700 log_Printf(LogERROR, "chap_Input: Not a physical link - dropped\n"); 701 m_freem(bp); 702 return NULL; 703 } 704 705 if (bundle_Phase(bundle) != PHASE_NETWORK && 706 bundle_Phase(bundle) != PHASE_AUTHENTICATE) { 707 log_Printf(LogPHASE, "Unexpected chap input - dropped !\n"); 708 m_freem(bp); 709 return NULL; 710 } 711 712 m_settype(bp, MB_CHAPIN); 713 if ((bp = auth_ReadHeader(&chap->auth, bp)) == NULL && 714 ntohs(chap->auth.in.hdr.length) == 0) 715 log_Printf(LogWARN, "Chap Input: Truncated header !\n"); 716 else if (chap->auth.in.hdr.code == 0 || chap->auth.in.hdr.code > MAXCHAPCODE) 717 log_Printf(LogPHASE, "Chap Input: %d: Bad CHAP code !\n", 718 chap->auth.in.hdr.code); 719 else { 720 len = m_length(bp); 721 ans = NULL; 722 723 if (chap->auth.in.hdr.code != CHAP_CHALLENGE && 724 chap->auth.id != chap->auth.in.hdr.id && 725 Enabled(bundle, OPT_IDCHECK)) { 726 /* Wrong conversation dude ! */ 727 log_Printf(LogPHASE, "Chap Input: %s dropped (got id %d, not %d)\n", 728 chapcodes[chap->auth.in.hdr.code], chap->auth.in.hdr.id, 729 chap->auth.id); 730 m_freem(bp); 731 return NULL; 732 } 733 chap->auth.id = chap->auth.in.hdr.id; /* We respond with this id */ 734 735 #ifndef NODES 736 lanman = 0; 737 #endif 738 switch (chap->auth.in.hdr.code) { 739 case CHAP_CHALLENGE: 740 bp = mbuf_Read(bp, &alen, 1); 741 len -= alen + 1; 742 if (len < 0) { 743 log_Printf(LogERROR, "Chap Input: Truncated challenge !\n"); 744 m_freem(bp); 745 return NULL; 746 } 747 *chap->challenge.peer = alen; 748 bp = mbuf_Read(bp, chap->challenge.peer + 1, alen); 749 bp = auth_ReadName(&chap->auth, bp, len); 750 #ifndef NODES 751 lanman = p->link.lcp.his_authtype == 0x80 && 752 ((chap->NTRespSent && IsAccepted(p->link.lcp.cfg.chap80lm)) || 753 !IsAccepted(p->link.lcp.cfg.chap80nt)); 754 755 /* Generate local challenge value */ 756 chap_ChallengeInit(&chap->auth); 757 #endif 758 break; 759 760 case CHAP_RESPONSE: 761 auth_StopTimer(&chap->auth); 762 bp = mbuf_Read(bp, &alen, 1); 763 len -= alen + 1; 764 if (len < 0) { 765 log_Printf(LogERROR, "Chap Input: Truncated response !\n"); 766 m_freem(bp); 767 return NULL; 768 } 769 if ((ans = malloc(alen + 1)) == NULL) { 770 log_Printf(LogERROR, "Chap Input: Out of memory !\n"); 771 m_freem(bp); 772 return NULL; 773 } 774 *ans = chap->auth.id; 775 bp = mbuf_Read(bp, ans + 1, alen); 776 bp = auth_ReadName(&chap->auth, bp, len); 777 #ifndef NODES 778 lanman = p->link.lcp.want_authtype == 0x80 && 779 alen == 49 && ans[alen] == 0; 780 #endif 781 break; 782 783 case CHAP_SUCCESS: 784 case CHAP_FAILURE: 785 /* chap->auth.in.name is already set up at CHALLENGE time */ 786 if ((ans = malloc(len + 1)) == NULL) { 787 log_Printf(LogERROR, "Chap Input: Out of memory !\n"); 788 m_freem(bp); 789 return NULL; 790 } 791 bp = mbuf_Read(bp, ans, len); 792 ans[len] = '\0'; 793 break; 794 } 795 796 switch (chap->auth.in.hdr.code) { 797 case CHAP_CHALLENGE: 798 case CHAP_RESPONSE: 799 if (*chap->auth.in.name) 800 log_Printf(LogPHASE, "Chap Input: %s (%d bytes from %s%s)\n", 801 chapcodes[chap->auth.in.hdr.code], alen, 802 chap->auth.in.name, 803 #ifndef NODES 804 lanman && chap->auth.in.hdr.code == CHAP_RESPONSE ? 805 " - lanman" : 806 #endif 807 ""); 808 else 809 log_Printf(LogPHASE, "Chap Input: %s (%d bytes%s)\n", 810 chapcodes[chap->auth.in.hdr.code], alen, 811 #ifndef NODES 812 lanman && chap->auth.in.hdr.code == CHAP_RESPONSE ? 813 " - lanman" : 814 #endif 815 ""); 816 break; 817 818 case CHAP_SUCCESS: 819 case CHAP_FAILURE: 820 if (*ans) 821 log_Printf(LogPHASE, "Chap Input: %s (%s)\n", 822 chapcodes[chap->auth.in.hdr.code], ans); 823 else 824 log_Printf(LogPHASE, "Chap Input: %s\n", 825 chapcodes[chap->auth.in.hdr.code]); 826 break; 827 } 828 829 switch (chap->auth.in.hdr.code) { 830 case CHAP_CHALLENGE: 831 if (*bundle->cfg.auth.key == '!' && bundle->cfg.auth.key[1] != '!') 832 chap_StartChild(chap, bundle->cfg.auth.key + 1, 833 bundle->cfg.auth.name); 834 else 835 chap_Respond(chap, bundle->cfg.auth.name, bundle->cfg.auth.key + 836 (*bundle->cfg.auth.key == '!' ? 1 : 0), 837 p->link.lcp.his_authtype 838 #ifndef NODES 839 , lanman 840 #endif 841 ); 842 break; 843 844 case CHAP_RESPONSE: 845 name = chap->auth.in.name; 846 nlen = strlen(name); 847 #ifndef NODES 848 if (p->link.lcp.want_authtype == 0x81) { 849 struct MSCHAPv2_resp *resp = (struct MSCHAPv2_resp *)(ans + 1); 850 851 chap->challenge.peer[0] = sizeof resp->PeerChallenge; 852 memcpy(chap->challenge.peer + 1, resp->PeerChallenge, 853 sizeof resp->PeerChallenge); 854 } 855 #endif 856 857 #ifndef NORADIUS 858 if (*bundle->radius.cfg.file) { 859 if (!radius_Authenticate(&bundle->radius, &chap->auth, 860 chap->auth.in.name, ans, alen + 1, 861 chap->challenge.local + 1, 862 *chap->challenge.local)) 863 chap_Failure(&chap->auth); 864 } else 865 #endif 866 { 867 if (p->link.lcp.want_authtype == 0x81 && ans[alen] != '\0' && 868 alen == sizeof(struct MSCHAPv2_resp)) { 869 struct MSCHAPv2_resp *resp = (struct MSCHAPv2_resp *)(ans + 1); 870 871 log_Printf(LogWARN, "%s: Compensating for corrupt (Win98/WinME?) " 872 "CHAP81 RESPONSE\n", l->name); 873 resp->Flags = '\0'; /* rfc2759 says it *MUST* be zero */ 874 } 875 key = auth_GetSecret(bundle, name, nlen, p); 876 if (key) { 877 #ifndef NODES 878 if (p->link.lcp.want_authtype == 0x80 && 879 lanman && !IsEnabled(p->link.lcp.cfg.chap80lm)) { 880 log_Printf(LogPHASE, "Auth failure: LANMan not enabled\n"); 881 if (chap_HaveAnotherGo(chap)) 882 break; 883 key = NULL; 884 } else if (p->link.lcp.want_authtype == 0x80 && 885 !lanman && !IsEnabled(p->link.lcp.cfg.chap80nt)) { 886 log_Printf(LogPHASE, "Auth failure: mschap not enabled\n"); 887 if (chap_HaveAnotherGo(chap)) 888 break; 889 key = NULL; 890 } else if (p->link.lcp.want_authtype == 0x81 && 891 !IsEnabled(p->link.lcp.cfg.chap81)) { 892 log_Printf(LogPHASE, "Auth failure: CHAP81 not enabled\n"); 893 key = NULL; 894 } else 895 #endif 896 { 897 char *myans = chap_BuildAnswer(name, key, chap->auth.id, 898 chap->challenge.local, 899 p->link.lcp.want_authtype 900 #ifndef NODES 901 , chap->challenge.peer, 902 chap->authresponse, lanman); 903 MPPE_IsServer = 1; /* XXX Global ! */ 904 #else 905 ); 906 #endif 907 if (myans == NULL) 908 key = NULL; 909 else { 910 if (!chap_Cmp(p->link.lcp.want_authtype, myans + 1, *myans, 911 ans + 1, alen 912 #ifndef NODES 913 , lanman 914 #endif 915 )) 916 key = NULL; 917 free(myans); 918 } 919 } 920 } 921 922 if (key) 923 chap_Success(&chap->auth); 924 else 925 chap_Failure(&chap->auth); 926 } 927 928 break; 929 930 case CHAP_SUCCESS: 931 if (p->link.lcp.auth_iwait == PROTO_CHAP) { 932 p->link.lcp.auth_iwait = 0; 933 if (p->link.lcp.auth_ineed == 0) { 934 #ifndef NODES 935 if (p->link.lcp.his_authtype == 0x81) { 936 if (strncasecmp(ans, chap->authresponse, 42)) { 937 datalink_AuthNotOk(p->dl); 938 log_Printf(LogWARN, "CHAP81: AuthenticatorResponse: (%.42s)" 939 " != ans: (%.42s)\n", chap->authresponse, ans); 940 941 } else { 942 /* Successful login */ 943 MPPE_MasterKeyValid = 1; /* XXX Global ! */ 944 datalink_AuthOk(p->dl); 945 } 946 } else 947 #endif 948 /* 949 * We've succeeded in our ``login'' 950 * If we're not expecting the peer to authenticate (or he already 951 * has), proceed to network phase. 952 */ 953 datalink_AuthOk(p->dl); 954 } 955 } 956 break; 957 958 case CHAP_FAILURE: 959 datalink_AuthNotOk(p->dl); 960 break; 961 } 962 free(ans); 963 } 964 965 m_freem(bp); 966 return NULL; 967 } 968