2 * chap-new.c - New CHAP implementation.
4 * Copyright (c) 2003 Paul Mackerras. All rights reserved.
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
13 * 2. The name(s) of the authors of this software must not be used to
14 * endorse or promote products derived from this software without
15 * prior written permission.
17 * 3. Redistributions of any form whatsoever must retain the following
19 * "This product includes software developed by Paul Mackerras
20 * <paulus@samba.org>".
22 * THE AUTHORS OF THIS SOFTWARE DISCLAIM ALL WARRANTIES WITH REGARD TO
23 * THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
24 * AND FITNESS, IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY
25 * SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
26 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN
27 * AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING
28 * OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
32 #if PPP_SUPPORT && CHAP_SUPPORT /* don't build if not configured for use in lwipopts.h */
39 #include "netif/ppp/ppp_impl.h"
45 #include "netif/ppp/chap-new.h"
46 #include "netif/ppp/chap-md5.h"
48 #include "netif/ppp/chap_ms.h"
50 #include "netif/ppp/magic.h"
53 /* Hook for a plugin to validate CHAP challenge */
54 int (*chap_verify_hook)(const char *name, const char *ourname, int id,
55 const struct chap_digest_type *digest,
56 const unsigned char *challenge, const unsigned char *response,
57 char *message, int message_space) = NULL;
62 * Command-line options.
64 static option_t chap_option_list[] = {
65 { "chap-restart", o_int, &chap_timeout_time,
66 "Set timeout for CHAP", OPT_PRIO },
67 { "chap-max-challenge", o_int, &pcb->settings.chap_max_transmits,
68 "Set max #xmits for challenge", OPT_PRIO },
69 { "chap-interval", o_int, &pcb->settings.chap_rechallenge_time,
70 "Set interval for rechallenge", OPT_PRIO },
73 #endif /* PPP_OPTIONS */
76 /* Values for flags in chap_client_state and chap_server_state */
78 #define AUTH_STARTED 2
81 #define TIMEOUT_PENDING 0x10
82 #define CHALLENGE_VALID 0x20
87 static void chap_init(ppp_pcb *pcb);
88 static void chap_lowerup(ppp_pcb *pcb);
89 static void chap_lowerdown(ppp_pcb *pcb);
91 static void chap_timeout(void *arg);
92 static void chap_generate_challenge(ppp_pcb *pcb);
93 static void chap_handle_response(ppp_pcb *pcb, int code,
94 unsigned char *pkt, int len);
95 static int chap_verify_response(ppp_pcb *pcb, const char *name, const char *ourname, int id,
96 const struct chap_digest_type *digest,
97 const unsigned char *challenge, const unsigned char *response,
98 char *message, int message_space);
99 #endif /* PPP_SERVER */
100 static void chap_respond(ppp_pcb *pcb, int id,
101 unsigned char *pkt, int len);
102 static void chap_handle_status(ppp_pcb *pcb, int code, int id,
103 unsigned char *pkt, int len);
104 static void chap_protrej(ppp_pcb *pcb);
105 static void chap_input(ppp_pcb *pcb, unsigned char *pkt, int pktlen);
107 static int chap_print_pkt(const unsigned char *p, int plen,
108 void (*printer) (void *, const char *, ...), void *arg);
109 #endif /* PRINTPKT_SUPPORT */
111 /* List of digest types that we know about */
112 static const struct chap_digest_type* const chap_digests[] = {
117 #endif /* MSCHAP_SUPPORT */
122 * chap_init - reset to initial state.
124 static void chap_init(ppp_pcb *pcb) {
125 LWIP_UNUSED_ARG(pcb);
127 #if 0 /* Not necessary, everything is cleared in ppp_clear() */
128 memset(&pcb->chap_client, 0, sizeof(chap_client_state));
130 memset(&pcb->chap_server, 0, sizeof(chap_server_state));
131 #endif /* PPP_SERVER */
136 * chap_lowerup - we can start doing stuff now.
138 static void chap_lowerup(ppp_pcb *pcb) {
140 pcb->chap_client.flags |= LOWERUP;
142 pcb->chap_server.flags |= LOWERUP;
143 if (pcb->chap_server.flags & AUTH_STARTED)
145 #endif /* PPP_SERVER */
148 static void chap_lowerdown(ppp_pcb *pcb) {
150 pcb->chap_client.flags = 0;
152 if (pcb->chap_server.flags & TIMEOUT_PENDING)
153 UNTIMEOUT(chap_timeout, pcb);
154 pcb->chap_server.flags = 0;
155 #endif /* PPP_SERVER */
160 * chap_auth_peer - Start authenticating the peer.
161 * If the lower layer is already up, we start sending challenges,
162 * otherwise we wait for the lower layer to come up.
164 void chap_auth_peer(ppp_pcb *pcb, const char *our_name, int digest_code) {
165 const struct chap_digest_type *dp;
168 if (pcb->chap_server.flags & AUTH_STARTED) {
169 ppp_error("CHAP: peer authentication already started!");
172 for (i = 0; (dp = chap_digests[i]) != NULL; ++i)
173 if (dp->code == digest_code)
176 ppp_fatal("CHAP digest 0x%x requested but not available",
179 pcb->chap_server.digest = dp;
180 pcb->chap_server.name = our_name;
181 /* Start with a random ID value */
182 pcb->chap_server.id = magic();
183 pcb->chap_server.flags |= AUTH_STARTED;
184 if (pcb->chap_server.flags & LOWERUP)
187 #endif /* PPP_SERVER */
190 * chap_auth_with_peer - Prepare to authenticate ourselves to the peer.
191 * There isn't much to do until we receive a challenge.
193 void chap_auth_with_peer(ppp_pcb *pcb, const char *our_name, int digest_code) {
194 const struct chap_digest_type *dp;
200 if (pcb->chap_client.flags & AUTH_STARTED) {
201 ppp_error("CHAP: authentication with peer already started!");
204 for (i = 0; (dp = chap_digests[i]) != NULL; ++i)
205 if (dp->code == digest_code)
209 ppp_fatal("CHAP digest 0x%x requested but not available",
212 pcb->chap_client.digest = dp;
213 pcb->chap_client.name = our_name;
214 pcb->chap_client.flags |= AUTH_STARTED;
219 * chap_timeout - It's time to send another challenge to the peer.
220 * This could be either a retransmission of a previous challenge,
221 * or a new challenge to start re-authentication.
223 static void chap_timeout(void *arg) {
224 ppp_pcb *pcb = (ppp_pcb*)arg;
227 pcb->chap_server.flags &= ~TIMEOUT_PENDING;
228 if ((pcb->chap_server.flags & CHALLENGE_VALID) == 0) {
229 pcb->chap_server.challenge_xmits = 0;
230 chap_generate_challenge(pcb);
231 pcb->chap_server.flags |= CHALLENGE_VALID;
232 } else if (pcb->chap_server.challenge_xmits >= pcb->settings.chap_max_transmits) {
233 pcb->chap_server.flags &= ~CHALLENGE_VALID;
234 pcb->chap_server.flags |= AUTH_DONE | AUTH_FAILED;
235 auth_peer_fail(pcb, PPP_CHAP);
239 p = pbuf_alloc(PBUF_RAW, (u16_t)(pcb->chap_server.challenge_pktlen), PPP_CTRL_PBUF_TYPE);
242 if(p->tot_len != p->len) {
246 MEMCPY(p->payload, pcb->chap_server.challenge, pcb->chap_server.challenge_pktlen);
248 ++pcb->chap_server.challenge_xmits;
249 pcb->chap_server.flags |= TIMEOUT_PENDING;
250 TIMEOUT(chap_timeout, arg, pcb->settings.chap_timeout_time);
254 * chap_generate_challenge - generate a challenge string and format
255 * the challenge packet in pcb->chap_server.challenge_pkt.
257 static void chap_generate_challenge(ppp_pcb *pcb) {
258 int clen = 1, nlen, len;
261 p = pcb->chap_server.challenge;
262 MAKEHEADER(p, PPP_CHAP);
264 pcb->chap_server.digest->generate_challenge(pcb, p);
266 nlen = strlen(pcb->chap_server.name);
267 memcpy(p + 1 + clen, pcb->chap_server.name, nlen);
269 len = CHAP_HDRLEN + 1 + clen + nlen;
270 pcb->chap_server.challenge_pktlen = PPP_HDRLEN + len;
272 p = pcb->chap_server.challenge + PPP_HDRLEN;
273 p[0] = CHAP_CHALLENGE;
274 p[1] = ++pcb->chap_server.id;
280 * chap_handle_response - check the response to our challenge.
282 static void chap_handle_response(ppp_pcb *pcb, int id,
283 unsigned char *pkt, int len) {
284 int response_len, ok, mlen;
285 const unsigned char *response;
288 const char *name = NULL; /* initialized to shut gcc up */
290 int (*verifier)(const char *, const char *, int, const struct chap_digest_type *,
291 const unsigned char *, const unsigned char *, char *, int);
293 char rname[MAXNAMELEN+1];
296 if ((pcb->chap_server.flags & LOWERUP) == 0)
298 if (id != pcb->chap_server.challenge[PPP_HDRLEN+1] || len < 2)
300 if (pcb->chap_server.flags & CHALLENGE_VALID) {
302 GETCHAR(response_len, pkt);
303 len -= response_len + 1; /* length of name */
304 name = (char *)pkt + response_len;
308 if (pcb->chap_server.flags & TIMEOUT_PENDING) {
309 pcb->chap_server.flags &= ~TIMEOUT_PENDING;
310 UNTIMEOUT(chap_timeout, pcb);
313 if (pcb->settings.explicit_remote) {
314 name = pcb->remote_name;
316 #endif /* PPP_REMOTENAME */
318 /* Null terminate and clean remote name. */
319 ppp_slprintf(rname, sizeof(rname), "%.*v", len, name);
324 if (chap_verify_hook)
325 verifier = chap_verify_hook;
327 verifier = chap_verify_response;
328 ok = (*verifier)(name, pcb->chap_server.name, id, pcb->chap_server.digest,
329 pcb->chap_server.challenge + PPP_HDRLEN + CHAP_HDRLEN,
330 response, pcb->chap_server.message, sizeof(pcb->chap_server.message));
332 ok = chap_verify_response(pcb, name, pcb->chap_server.name, id, pcb->chap_server.digest,
333 pcb->chap_server.challenge + PPP_HDRLEN + CHAP_HDRLEN,
334 response, message, sizeof(message));
336 if (!ok || !auth_number()) {
339 pcb->chap_server.flags |= AUTH_FAILED;
340 ppp_warn("Peer %q failed CHAP authentication", name);
342 } else if ((pcb->chap_server.flags & AUTH_DONE) == 0)
345 /* send the response */
346 mlen = strlen(message);
347 len = CHAP_HDRLEN + mlen;
348 p = pbuf_alloc(PBUF_RAW, (u16_t)(PPP_HDRLEN +len), PPP_CTRL_PBUF_TYPE);
351 if(p->tot_len != p->len) {
356 outp = (unsigned char *)p->payload;
357 MAKEHEADER(outp, PPP_CHAP);
359 outp[0] = (pcb->chap_server.flags & AUTH_FAILED)? CHAP_FAILURE: CHAP_SUCCESS;
364 memcpy(outp + CHAP_HDRLEN, message, mlen);
367 if (pcb->chap_server.flags & CHALLENGE_VALID) {
368 pcb->chap_server.flags &= ~CHALLENGE_VALID;
369 if (!(pcb->chap_server.flags & AUTH_DONE) && !(pcb->chap_server.flags & AUTH_FAILED)) {
373 * Auth is OK, so now we need to check session restrictions
374 * to ensure everything is OK, but only if we used a
375 * plugin, and only if we're configured to check. This
376 * allows us to do PAM checks on PPP servers that
377 * authenticate against ActiveDirectory, and use AD for
378 * account info (like when using Winbind integrated with
382 session_check(name, NULL, devnam, NULL) == 0) {
383 pcb->chap_server.flags |= AUTH_FAILED;
384 ppp_warn("Peer %q failed CHAP Session verification", name);
389 if (pcb->chap_server.flags & AUTH_FAILED) {
390 auth_peer_fail(pcb, PPP_CHAP);
392 if ((pcb->chap_server.flags & AUTH_DONE) == 0)
393 auth_peer_success(pcb, PPP_CHAP,
394 pcb->chap_server.digest->code,
396 if (pcb->settings.chap_rechallenge_time) {
397 pcb->chap_server.flags |= TIMEOUT_PENDING;
398 TIMEOUT(chap_timeout, pcb,
399 pcb->settings.chap_rechallenge_time);
402 pcb->chap_server.flags |= AUTH_DONE;
407 * chap_verify_response - check whether the peer's response matches
408 * what we think it should be. Returns 1 if it does (authentication
409 * succeeded), or 0 if it doesn't.
411 static int chap_verify_response(ppp_pcb *pcb, const char *name, const char *ourname, int id,
412 const struct chap_digest_type *digest,
413 const unsigned char *challenge, const unsigned char *response,
414 char *message, int message_space) {
416 unsigned char secret[MAXSECRETLEN];
419 /* Get the secret that the peer is supposed to know */
420 if (!get_secret(pcb, name, ourname, (char *)secret, &secret_len, 1)) {
421 ppp_error("No CHAP secret found for authenticating %q", name);
424 ok = digest->verify_response(pcb, id, name, secret, secret_len, challenge,
425 response, message, message_space);
426 memset(secret, 0, sizeof(secret));
430 #endif /* PPP_SERVER */
433 * chap_respond - Generate and send a response to a challenge.
435 static void chap_respond(ppp_pcb *pcb, int id,
436 unsigned char *pkt, int len) {
441 char rname[MAXNAMELEN+1];
442 char secret[MAXSECRETLEN+1];
444 p = pbuf_alloc(PBUF_RAW, (u16_t)(RESP_MAX_PKTLEN), PPP_CTRL_PBUF_TYPE);
447 if(p->tot_len != p->len) {
452 if ((pcb->chap_client.flags & (LOWERUP | AUTH_STARTED)) != (LOWERUP | AUTH_STARTED))
453 return; /* not ready */
454 if (len < 2 || len < pkt[0] + 1)
455 return; /* too short */
457 nlen = len - (clen + 1);
459 /* Null terminate and clean remote name. */
460 ppp_slprintf(rname, sizeof(rname), "%.*v", nlen, pkt + clen + 1);
463 /* Microsoft doesn't send their name back in the PPP packet */
464 if (pcb->settings.explicit_remote || (pcb->settings.remote_name[0] != 0 && rname[0] == 0))
465 strlcpy(rname, pcb->settings.remote_name, sizeof(rname));
466 #endif /* PPP_REMOTENAME */
468 /* get secret for authenticating ourselves with the specified host */
469 if (!get_secret(pcb, pcb->chap_client.name, rname, secret, &secret_len, 0)) {
470 secret_len = 0; /* assume null secret if can't find one */
471 ppp_warn("No CHAP secret found for authenticating us to %q", rname);
474 outp = (u_char*)p->payload;
475 MAKEHEADER(outp, PPP_CHAP);
478 pcb->chap_client.digest->make_response(pcb, outp, id, pcb->chap_client.name, pkt,
479 secret, secret_len, pcb->chap_client.priv);
480 memset(secret, 0, secret_len);
483 nlen = strlen(pcb->chap_client.name);
484 memcpy(outp + clen + 1, pcb->chap_client.name, nlen);
486 outp = (u_char*)p->payload + PPP_HDRLEN;
487 len = CHAP_HDRLEN + clen + 1 + nlen;
488 outp[0] = CHAP_RESPONSE;
493 pbuf_realloc(p, PPP_HDRLEN + len);
497 static void chap_handle_status(ppp_pcb *pcb, int code, int id,
498 unsigned char *pkt, int len) {
499 const char *msg = NULL;
502 if ((pcb->chap_client.flags & (AUTH_DONE|AUTH_STARTED|LOWERUP))
503 != (AUTH_STARTED|LOWERUP))
505 pcb->chap_client.flags |= AUTH_DONE;
507 if (code == CHAP_SUCCESS) {
508 /* used for MS-CHAP v2 mutual auth, yuck */
509 if (pcb->chap_client.digest->check_success != NULL) {
510 if (!(*pcb->chap_client.digest->check_success)(pcb, pkt, len, pcb->chap_client.priv))
513 msg = "CHAP authentication succeeded";
515 if (pcb->chap_client.digest->handle_failure != NULL)
516 (*pcb->chap_client.digest->handle_failure)(pcb, pkt, len);
518 msg = "CHAP authentication failed";
522 ppp_info("%s: %.*v", msg, len, pkt);
526 if (code == CHAP_SUCCESS)
527 auth_withpeer_success(pcb, PPP_CHAP, pcb->chap_client.digest->code);
529 pcb->chap_client.flags |= AUTH_FAILED;
530 ppp_error("CHAP authentication failed");
531 auth_withpeer_fail(pcb, PPP_CHAP);
535 static void chap_input(ppp_pcb *pcb, unsigned char *pkt, int pktlen) {
536 unsigned char code, id;
539 if (pktlen < CHAP_HDRLEN)
544 if (len < CHAP_HDRLEN || len > pktlen)
550 chap_respond(pcb, id, pkt, len);
554 chap_handle_response(pcb, id, pkt, len);
556 #endif /* PPP_SERVER */
559 chap_handle_status(pcb, code, id, pkt, len);
566 static void chap_protrej(ppp_pcb *pcb) {
569 if (pcb->chap_server.flags & TIMEOUT_PENDING) {
570 pcb->chap_server.flags &= ~TIMEOUT_PENDING;
571 UNTIMEOUT(chap_timeout, pcb);
573 if (pcb->chap_server.flags & AUTH_STARTED) {
574 pcb->chap_server.flags = 0;
575 auth_peer_fail(pcb, PPP_CHAP);
577 #endif /* PPP_SERVER */
578 if ((pcb->chap_client.flags & (AUTH_STARTED|AUTH_DONE)) == AUTH_STARTED) {
579 pcb->chap_client.flags &= ~AUTH_STARTED;
580 ppp_error("CHAP authentication failed due to protocol-reject");
581 auth_withpeer_fail(pcb, PPP_CHAP);
587 * chap_print_pkt - print the contents of a CHAP packet.
589 static const char* const chap_code_names[] = {
590 "Challenge", "Response", "Success", "Failure"
593 static int chap_print_pkt(const unsigned char *p, int plen,
594 void (*printer) (void *, const char *, ...), void *arg) {
599 if (plen < CHAP_HDRLEN)
604 if (len < CHAP_HDRLEN || len > plen)
607 if (code >= 1 && code <= (int)sizeof(chap_code_names) / (int)sizeof(char *))
608 printer(arg, " %s", chap_code_names[code-1]);
610 printer(arg, " code=0x%x", code);
611 printer(arg, " id=0x%x", id);
622 nlen = len - clen - 1;
624 for (; clen > 0; --clen) {
626 printer(arg, "%.2x", x);
628 printer(arg, ">, name = ");
629 ppp_print_string(p, nlen, printer, arg);
634 ppp_print_string(p, len, printer, arg);
637 for (clen = len; clen > 0; --clen) {
639 printer(arg, " %.2x", x);
644 return len + CHAP_HDRLEN;
646 #endif /* PRINTPKT_SUPPORT */
648 const struct protent chap_protent = {
659 #endif /* PRINTPKT_SUPPORT */
661 NULL, /* datainput */
662 #endif /* PPP_DATAINPUT */
665 NULL, /* data_name */
666 #endif /* PRINTPKT_SUPPORT */
669 NULL, /* check_options */
670 #endif /* PPP_OPTIONS */
674 #endif /* DEMAND_SUPPORT */
677 #endif /* PPP_SUPPORT && CHAP_SUPPORT */