search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Remove dependencies on CHAPMS definition in header files.
[mpls-ppp.git] / pppd / chap-new.c
blob367f95702a61bd2f07fd7cae59d54fd004061cb6
1 /*
2 * chap-new.c - New CHAP implementation.
3 *
4 * Copyright (c) 2003 Paul Mackerras. All rights reserved.
5 *
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
8 * are met:
9 *
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
12 *
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in
15 * the documentation and/or other materials provided with the
16 * distribution.
17 *
18 * 3. The name(s) of the authors of this software must not be used to
19 * endorse or promote products derived from this software without
20 * prior written permission.
21 *
22 * 4. Redistributions of any form whatsoever must retain the following
23 * acknowledgment:
24 * "This product includes software developed by Paul Mackerras
25 * <paulus@samba.org>".
26 *
27 * THE AUTHORS OF THIS SOFTWARE DISCLAIM ALL WARRANTIES WITH REGARD TO
28 * THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
29 * AND FITNESS, IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY
30 * SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
31 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN
32 * AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING
33 * OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
34 */
35
36 #define RCSID "$Id: chap-new.c,v 1.5 2004/10/31 22:23:18 paulus Exp $"
37
38 #include <stdlib.h>
39 #include <string.h>
40 #include "pppd.h"
41 #include "chap-new.h"
42 #include "chap-md5.h"
43
44 #ifdef CHAPMS
45 #include "chap_ms.h"
46 #define MDTYPE_ALL (MDTYPE_MICROSOFT_V2 | MDTYPE_MICROSOFT | MDTYPE_MD5)
47 #else
48 #define MDTYPE_ALL (MDTYPE_MD5)
49 #endif
50
51 int chap_mdtype_all = MDTYPE_ALL;
52
53 /* Hook for a plugin to validate CHAP challenge */
54 int (*chap_verify_hook)(char *name, char *ourname, int id,
55 struct chap_digest_type *digest,
56 unsigned char *challenge, unsigned char *response,
57 char *message, int message_space) = NULL;
58
59 /*
60 * Option variables.
61 */
62 int chap_timeout_time = 3;
63 int chap_max_transmits = 10;
64 int chap_rechallenge_time = 0;
65
66 /*
67 * Command-line options.
68 */
69 static option_t chap_option_list[] = {
70 { "chap-restart", o_int, &chap_timeout_time,
71 "Set timeout for CHAP", OPT_PRIO },
72 { "chap-max-challenge", o_int, &chap_max_transmits,
73 "Set max #xmits for challenge", OPT_PRIO },
74 { "chap-interval", o_int, &chap_rechallenge_time,
75 "Set interval for rechallenge", OPT_PRIO },
76 { NULL }
77 };
78
79 /*
80 * Internal state.
81 */
82 static struct chap_client_state {
83 int flags;
84 char *name;
85 struct chap_digest_type *digest;
86 unsigned char priv[64]; /* private area for digest's use */
87 } client;
88
89 /*
90 * These limits apply to challenge and response packets we send.
91 * The +4 is the +1 that we actually need rounded up.
92 */
93 #define CHAL_MAX_PKTLEN (PPP_HDRLEN + CHAP_HDRLEN + 4 + MAX_CHALLENGE_LEN + MAXNAMELEN)
94 #define RESP_MAX_PKTLEN (PPP_HDRLEN + CHAP_HDRLEN + 4 + MAX_RESPONSE_LEN + MAXNAMELEN)
95
96 static struct chap_server_state {
97 int flags;
98 int id;
99 char *name;
100 struct chap_digest_type *digest;
101 int challenge_xmits;
102 int challenge_pktlen;
103 unsigned char challenge[CHAL_MAX_PKTLEN];
104 } server;
105
106 /* Values for flags in chap_client_state and chap_server_state */
107 #define LOWERUP 1
108 #define AUTH_STARTED 2
109 #define AUTH_DONE 4
110 #define AUTH_FAILED 8
111 #define TIMEOUT_PENDING 0x10
112 #define CHALLENGE_VALID 0x20
113
114 /*
115 * Prototypes.
116 */
117 static void chap_init(int unit);
118 static void chap_lowerup(int unit);
119 static void chap_lowerdown(int unit);
120 static void chap_timeout(void *arg);
121 static void chap_generate_challenge(struct chap_server_state *ss);
122 static void chap_handle_response(struct chap_server_state *ss, int code,
123 unsigned char *pkt, int len);
124 static int chap_verify_response(char *name, char *ourname, int id,
125 struct chap_digest_type *digest,
126 unsigned char *challenge, unsigned char *response,
127 char *message, int message_space);
128 static void chap_respond(struct chap_client_state *cs, int id,
129 unsigned char *pkt, int len);
130 static void chap_handle_status(struct chap_client_state *cs, int code, int id,
131 unsigned char *pkt, int len);
132 static void chap_protrej(int unit);
133 static void chap_input(int unit, unsigned char *pkt, int pktlen);
134 static int chap_print_pkt(unsigned char *p, int plen,
135 void (*printer) __P((void *, char *, ...)), void *arg);
136
137 /* List of digest types that we know about */
138 static struct chap_digest_type *chap_digests;
139
140 /*
141 * chap_init - reset to initial state.
142 */
143 static void
144 chap_init(int unit)
145 {
146 memset(&client, 0, sizeof(client));
147 memset(&server, 0, sizeof(server));
148
149 chap_md5_init();
150 #ifdef CHAPMS
151 chapms_init();
152 #endif
153 }
154
155 /*
156 * Add a new digest type to the list.
157 */
158 void
159 chap_register_digest(struct chap_digest_type *dp)
160 {
161 dp->next = chap_digests;
162 chap_digests = dp;
163 }
164
165 /*
166 * chap_lowerup - we can start doing stuff now.
167 */
168 static void
169 chap_lowerup(int unit)
170 {
171 struct chap_client_state *cs = &client;
172 struct chap_server_state *ss = &server;
173
174 cs->flags |= LOWERUP;
175 ss->flags |= LOWERUP;
176 if (ss->flags & AUTH_STARTED)
177 chap_timeout(ss);
178 }
179
180 static void
181 chap_lowerdown(int unit)
182 {
183 struct chap_client_state *cs = &client;
184 struct chap_server_state *ss = &server;
185
186 cs->flags = 0;
187 if (ss->flags & TIMEOUT_PENDING)
188 UNTIMEOUT(chap_timeout, ss);
189 ss->flags = 0;
190 }
191
192 /*
193 * chap_auth_peer - Start authenticating the peer.
194 * If the lower layer is already up, we start sending challenges,
195 * otherwise we wait for the lower layer to come up.
196 */
197 void
198 chap_auth_peer(int unit, char *our_name, int digest_code)
199 {
200 struct chap_server_state *ss = &server;
201 struct chap_digest_type *dp;
202
203 if (ss->flags & AUTH_STARTED) {
204 error("CHAP: peer authentication already started!");
205 return;
206 }
207 for (dp = chap_digests; dp != NULL; dp = dp->next)
208 if (dp->code == digest_code)
209 break;
210 if (dp == NULL)
211 fatal("CHAP digest 0x%x requested but not available",
212 digest_code);
213
214 ss->digest = dp;
215 ss->name = our_name;
216 /* Start with a random ID value */
217 ss->id = (unsigned char)(drand48() * 256);
218 ss->flags |= AUTH_STARTED;
219 if (ss->flags & LOWERUP)
220 chap_timeout(ss);
221 }
222
223 /*
224 * chap_auth_with_peer - Prepare to authenticate ourselves to the peer.
225 * There isn't much to do until we receive a challenge.
226 */
227 void
228 chap_auth_with_peer(int unit, char *our_name, int digest_code)
229 {
230 struct chap_client_state *cs = &client;
231 struct chap_digest_type *dp;
232
233 if (cs->flags & AUTH_STARTED) {
234 error("CHAP: authentication with peer already started!");
235 return;
236 }
237 for (dp = chap_digests; dp != NULL; dp = dp->next)
238 if (dp->code == digest_code)
239 break;
240 if (dp == NULL)
241 fatal("CHAP digest 0x%x requested but not available",
242 digest_code);
243
244 cs->digest = dp;
245 cs->name = our_name;
246 cs->flags |= AUTH_STARTED;
247 }
248
249 /*
250 * chap_timeout - It's time to send another challenge to the peer.
251 * This could be either a retransmission of a previous challenge,
252 * or a new challenge to start re-authentication.
253 */
254 static void
255 chap_timeout(void *arg)
256 {
257 struct chap_server_state *ss = arg;
258
259 ss->flags &= ~TIMEOUT_PENDING;
260 if ((ss->flags & CHALLENGE_VALID) == 0) {
261 ss->challenge_xmits = 0;
262 chap_generate_challenge(ss);
263 ss->flags |= CHALLENGE_VALID;
264 } else if (ss->challenge_xmits >= chap_max_transmits) {
265 ss->flags &= ~CHALLENGE_VALID;
266 ss->flags |= AUTH_DONE | AUTH_FAILED;
267 auth_peer_fail(0, PPP_CHAP);
268 return;
269 }
270
271 output(0, ss->challenge, ss->challenge_pktlen);
272 ++ss->challenge_xmits;
273 ss->flags |= TIMEOUT_PENDING;
274 TIMEOUT(chap_timeout, arg, chap_timeout_time);
275 }
276
277 /*
278 * chap_generate_challenge - generate a challenge string and format
279 * the challenge packet in ss->challenge_pkt.
280 */
281 static void
282 chap_generate_challenge(struct chap_server_state *ss)
283 {
284 int clen = 1, nlen, len;
285 unsigned char *p;
286
287 p = ss->challenge;
288 MAKEHEADER(p, PPP_CHAP);
289 p += CHAP_HDRLEN;
290 ss->digest->generate_challenge(p);
291 clen = *p;
292 nlen = strlen(ss->name);
293 memcpy(p + 1 + clen, ss->name, nlen);
294
295 len = CHAP_HDRLEN + 1 + clen + nlen;
296 ss->challenge_pktlen = PPP_HDRLEN + len;
297
298 p = ss->challenge + PPP_HDRLEN;
299 p[0] = CHAP_CHALLENGE;
300 p[1] = ++ss->id;
301 p[2] = len >> 8;
302 p[3] = len;
303 }
304
305 /*
306 * chap_handle_response - check the response to our challenge.
307 */
308 static void
309 chap_handle_response(struct chap_server_state *ss, int id,
310 unsigned char *pkt, int len)
311 {
312 int response_len, ok, mlen;
313 unsigned char *response, *p;
314 char *name = NULL; /* initialized to shut gcc up */
315 int (*verifier)(char *, char *, int, struct chap_digest_type *,
316 unsigned char *, unsigned char *, char *, int);
317 char rname[MAXNAMELEN+1];
318 char message[256];
319
320 if ((ss->flags & LOWERUP) == 0)
321 return;
322 if (id != ss->challenge[PPP_HDRLEN+1] || len < 2)
323 return;
324 if ((ss->flags & AUTH_DONE) == 0) {
325 if ((ss->flags & CHALLENGE_VALID) == 0)
326 return;
327 response = pkt;
328 GETCHAR(response_len, pkt);
329 len -= response_len + 1; /* length of name */
330 name = (char *)pkt + response_len;
331 if (len < 0)
332 return;
333
334 ss->flags &= ~CHALLENGE_VALID;
335 if (ss->flags & TIMEOUT_PENDING) {
336 ss->flags &= ~TIMEOUT_PENDING;
337 UNTIMEOUT(chap_timeout, ss);
338 }
339
340 if (explicit_remote) {
341 name = remote_name;
342 } else {
343 /* Null terminate and clean remote name. */
344 slprintf(rname, sizeof(rname), "%.*v", len, name);
345 name = rname;
346 }
347
348 if (chap_verify_hook)
349 verifier = chap_verify_hook;
350 else
351 verifier = chap_verify_response;
352 ok = (*verifier)(name, ss->name, id, ss->digest,
353 ss->challenge + PPP_HDRLEN + CHAP_HDRLEN,
354 response, message, sizeof(message));
355 if (!ok || !auth_number()) {
356 ss->flags |= AUTH_FAILED;
357 warn("Peer %q failed CHAP authentication", name);
358 }
359 }
360
361 /* send the response */
362 p = outpacket_buf;
363 MAKEHEADER(p, PPP_CHAP);
364 mlen = strlen(message);
365 len = CHAP_HDRLEN + mlen;
366 p[0] = (ss->flags & AUTH_FAILED)? CHAP_FAILURE: CHAP_SUCCESS;
367 p[1] = id;
368 p[2] = len >> 8;
369 p[3] = len;
370 if (mlen > 0)
371 memcpy(p + CHAP_HDRLEN, message, mlen);
372 output(0, outpacket_buf, PPP_HDRLEN + len);
373
374 if ((ss->flags & AUTH_DONE) == 0) {
375 ss->flags |= AUTH_DONE;
376 if (ss->flags & AUTH_FAILED) {
377 auth_peer_fail(0, PPP_CHAP);
378 } else {
379 auth_peer_success(0, PPP_CHAP, ss->digest->code,
380 name, strlen(name));
381 if (chap_rechallenge_time) {
382 ss->flags |= TIMEOUT_PENDING;
383 TIMEOUT(chap_timeout, ss,
384 chap_rechallenge_time);
385 }
386 }
387 }
388 }
389
390 /*
391 * chap_verify_response - check whether the peer's response matches
392 * what we think it should be. Returns 1 if it does (authentication
393 * succeeded), or 0 if it doesn't.
394 */
395 static int
396 chap_verify_response(char *name, char *ourname, int id,
397 struct chap_digest_type *digest,
398 unsigned char *challenge, unsigned char *response,
399 char *message, int message_space)
400 {
401 int ok;
402 unsigned char secret[MAXSECRETLEN];
403 int secret_len;
404
405 /* Get the secret that the peer is supposed to know */
406 if (!get_secret(0, name, ourname, (char *)secret, &secret_len, 1)) {
407 error("No CHAP secret found for authenticating %q", name);
408 return 0;
409 }
410
411 ok = digest->verify_response(id, name, secret, secret_len, challenge,
412 response, message, message_space);
413 memset(secret, 0, sizeof(secret));
414
415 return ok;
416 }
417
418 /*
419 * chap_respond - Generate and send a response to a challenge.
420 */
421 static void
422 chap_respond(struct chap_client_state *cs, int id,
423 unsigned char *pkt, int len)
424 {
425 int clen, nlen;
426 int secret_len;
427 unsigned char *p;
428 unsigned char response[RESP_MAX_PKTLEN];
429 char rname[MAXNAMELEN+1];
430 char secret[MAXSECRETLEN+1];
431
432 if ((cs->flags & (LOWERUP | AUTH_STARTED)) != (LOWERUP | AUTH_STARTED))
433 return; /* not ready */
434 if (len < 2 || len < pkt[0] + 1)
435 return; /* too short */
436 clen = pkt[0];
437 nlen = len - (clen + 1);
438
439 /* Null terminate and clean remote name. */
440 slprintf(rname, sizeof(rname), "%.*v", nlen, pkt + clen + 1);
441
442 /* Microsoft doesn't send their name back in the PPP packet */
443 if (explicit_remote || (remote_name[0] != 0 && rname[0] == 0))
444 strlcpy(rname, remote_name, sizeof(rname));
445
446 /* get secret for authenticating ourselves with the specified host */
447 if (!get_secret(0, cs->name, rname, secret, &secret_len, 0)) {
448 secret_len = 0; /* assume null secret if can't find one */
449 warn("No CHAP secret found for authenticating us to %q", rname);
450 }
451
452 p = response;
453 MAKEHEADER(p, PPP_CHAP);
454 p += CHAP_HDRLEN;
455
456 cs->digest->make_response(p, id, cs->name, pkt,
457 secret, secret_len, cs->priv);
458 memset(secret, 0, secret_len);
459
460 clen = *p;
461 nlen = strlen(cs->name);
462 memcpy(p + clen + 1, cs->name, nlen);
463
464 p = response + PPP_HDRLEN;
465 len = CHAP_HDRLEN + clen + 1 + nlen;
466 p[0] = CHAP_RESPONSE;
467 p[1] = id;
468 p[2] = len >> 8;
469 p[3] = len;
470
471 output(0, response, PPP_HDRLEN + len);
472 }
473
474 static void
475 chap_handle_status(struct chap_client_state *cs, int code, int id,
476 unsigned char *pkt, int len)
477 {
478 const char *msg = NULL;
479
480 if ((cs->flags & (AUTH_DONE|AUTH_STARTED|LOWERUP))
481 != (AUTH_STARTED|LOWERUP))
482 return;
483 cs->flags |= AUTH_DONE;
484
485 if (code == CHAP_SUCCESS) {
486 /* used for MS-CHAP v2 mutual auth, yuck */
487 if (cs->digest->check_success != NULL) {
488 if (!(*cs->digest->check_success)(pkt, len, cs->priv))
489 code = CHAP_FAILURE;
490 } else
491 msg = "CHAP authentication succeeded";
492 } else {
493 if (cs->digest->handle_failure != NULL)
494 (*cs->digest->handle_failure)(pkt, len);
495 else
496 msg = "CHAP authentication failed";
497 }
498 if (msg) {
499 if (len > 0)
500 info("%s: %.*v", msg, len, pkt);
501 else
502 info("%s", msg);
503 }
504 if (code == CHAP_SUCCESS)
505 auth_withpeer_success(0, PPP_CHAP, cs->digest->code);
506 else {
507 cs->flags |= AUTH_FAILED;
508 auth_withpeer_fail(0, PPP_CHAP);
509 }
510 }
511
512 static void
513 chap_input(int unit, unsigned char *pkt, int pktlen)
514 {
515 struct chap_client_state *cs = &client;
516 struct chap_server_state *ss = &server;
517 unsigned char code, id;
518 int len;
519
520 if (pktlen < CHAP_HDRLEN)
521 return;
522 GETCHAR(code, pkt);
523 GETCHAR(id, pkt);
524 GETSHORT(len, pkt);
525 if (len < CHAP_HDRLEN || len > pktlen)
526 return;
527 len -= CHAP_HDRLEN;
528
529 switch (code) {
530 case CHAP_CHALLENGE:
531 chap_respond(cs, id, pkt, len);
532 break;
533 case CHAP_RESPONSE:
534 chap_handle_response(ss, id, pkt, len);
535 break;
536 case CHAP_FAILURE:
537 case CHAP_SUCCESS:
538 chap_handle_status(cs, code, id, pkt, len);
539 break;
540 }
541 }
542
543 static void
544 chap_protrej(int unit)
545 {
546 struct chap_client_state *cs = &client;
547 struct chap_server_state *ss = &server;
548
549 if (ss->flags & TIMEOUT_PENDING) {
550 ss->flags &= ~TIMEOUT_PENDING;
551 UNTIMEOUT(chap_timeout, ss);
552 }
553 if (ss->flags & AUTH_STARTED) {
554 ss->flags = 0;
555 auth_peer_fail(0, PPP_CHAP);
556 }
557 if ((cs->flags & (AUTH_STARTED|AUTH_DONE)) == AUTH_STARTED) {
558 cs->flags &= ~AUTH_STARTED;
559 auth_withpeer_fail(0, PPP_CHAP);
560 }
561 }
562
563 /*
564 * chap_print_pkt - print the contents of a CHAP packet.
565 */
566 static char *chap_code_names[] = {
567 "Challenge", "Response", "Success", "Failure"
568 };
569
570 static int
571 chap_print_pkt(unsigned char *p, int plen,
572 void (*printer) __P((void *, char *, ...)), void *arg)
573 {
574 int code, id, len;
575 int clen, nlen;
576 unsigned char x;
577
578 if (plen < CHAP_HDRLEN)
579 return 0;
580 GETCHAR(code, p);
581 GETCHAR(id, p);
582 GETSHORT(len, p);
583 if (len < CHAP_HDRLEN || len > plen)
584 return 0;
585
586 if (code >= 1 && code <= sizeof(chap_code_names) / sizeof(char *))
587 printer(arg, " %s", chap_code_names[code-1]);
588 else
589 printer(arg, " code=0x%x", code);
590 printer(arg, " id=0x%x", id);
591 len -= CHAP_HDRLEN;
592 switch (code) {
593 case CHAP_CHALLENGE:
594 case CHAP_RESPONSE:
595 if (len < 1)
596 break;
597 clen = p[0];
598 if (len < clen + 1)
599 break;
600 ++p;
601 nlen = len - clen - 1;
602 printer(arg, " <");
603 for (; clen > 0; --clen) {
604 GETCHAR(x, p);
605 printer(arg, "%.2x", x);
606 }
607 printer(arg, ">, name = ");
608 print_string((char *)p, nlen, printer, arg);
609 break;
610 case CHAP_FAILURE:
611 case CHAP_SUCCESS:
612 printer(arg, " ");
613 print_string((char *)p, len, printer, arg);
614 break;
615 default:
616 for (clen = len; clen > 0; --clen) {
617 GETCHAR(x, p);
618 printer(arg, " %.2x", x);
619 }
620 }
621
622 return len + CHAP_HDRLEN;
623 }
624
625 struct protent chap_protent = {
626 PPP_CHAP,
627 chap_init,
628 chap_input,
629 chap_protrej,
630 chap_lowerup,
631 chap_lowerdown,
632 NULL, /* open */
633 NULL, /* close */
634 chap_print_pkt,
635 NULL, /* datainput */
636 1, /* enabled_flag */
637 "CHAP", /* name */
638 NULL, /* data_name */
639 chap_option_list,
640 NULL, /* check_options */
641 };
MPLSCP for PPP