GopherProxy

/*
* chap.c - New CHAP implementation.
*
* Copyright (c) 2003-2024 Paul Mackerras. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in
* the documentation and/or other materials provided with the
* distribution.
*
* THE AUTHORS OF THIS SOFTWARE DISCLAIM ALL WARRANTIES WITH REGARD TO
* THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
* AND FITNESS, IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY
* SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN
* AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING
* OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/

#ifdef HAVE_CONFIG_H
#include "config.h"
#endif

#include <stdlib.h>
#include <string.h>
#include "pppd-private.h"
#include "options.h"
#include "session.h"
#include "chap.h"
#include "chap-md5.h"

#ifdef PPP_WITH_CHAPMS
#include "chap_ms.h"
#define MDTYPE_ALL (MDTYPE_MICROSOFT_V2 | MDTYPE_MICROSOFT | MDTYPE_MD5)
#else
#define MDTYPE_ALL (MDTYPE_MD5)
#endif

int chap_mdtype_all = MDTYPE_ALL;

/* Hook for a plugin to validate CHAP challenge */
chap_verify_hook_fn *chap_verify_hook = NULL;

/*
* Option variables.
*/
int chap_server_timeout_time = 3;
int chap_max_transmits = 10;
int chap_rechallenge_time = 0;
int chap_client_timeout_time = 60;
int chapms_strip_domain = 0;

/*
* Command-line options.
*/
static struct option chap_option_list[] = {
{ "chap-restart", o_int, &chap_server_timeout_time,
"Set timeout for CHAP (as server)", OPT_PRIO },
{ "chap-max-challenge", o_int, &chap_max_transmits,
"Set max #xmits for challenge", OPT_PRIO },
{ "chap-interval", o_int, &chap_rechallenge_time,
"Set interval for rechallenge", OPT_PRIO },
{ "chap-timeout", o_int, &chap_client_timeout_time,
"Set timeout for CHAP (as client)", OPT_PRIO },
{ "chapms-strip-domain", o_bool, &chapms_strip_domain,
"Strip the domain prefix before the Username", 1 },
{ NULL }
};

/*
* Internal state.
*/
static struct chap_client_state {
int flags;
char *name;
struct chap_digest_type *digest;
unsigned char priv[64]; /* private area for digest's use */
} client;

/*
* These limits apply to challenge and response packets we send.
* The +4 is the +1 that we actually need rounded up.
*/
#define CHAL_MAX_PKTLEN (PPP_HDRLEN + CHAP_HDRLEN + 4 + MAX_CHALLENGE_LEN + MAXNAMELEN)
#define RESP_MAX_PKTLEN (PPP_HDRLEN + CHAP_HDRLEN + 4 + MAX_RESPONSE_LEN + MAXNAMELEN)

static struct chap_server_state {
int flags;
int id;
char *name;
struct chap_digest_type *digest;
int challenge_xmits;
int challenge_pktlen;
unsigned char challenge[CHAL_MAX_PKTLEN];
char message[256];
} server;

/* Values for flags in chap_client_state and chap_server_state */
#define LOWERUP 1
#define AUTH_STARTED 2
#define AUTH_DONE 4
#define AUTH_FAILED 8
#define TIMEOUT_PENDING 0x10
#define CHALLENGE_VALID 0x20

/*
* Prototypes.
*/
static void chap_init(int unit);
static void chap_lowerup(int unit);
static void chap_lowerdown(int unit);
static void chap_server_timeout(void *arg);
static void chap_client_timeout(void *arg);
static void chap_generate_challenge(struct chap_server_state *ss);
static void chap_handle_response(struct chap_server_state *ss, int code,
unsigned char *pkt, int len);
static chap_verify_hook_fn chap_verify_response;
static void chap_respond(struct chap_client_state *cs, int id,
unsigned char *pkt, int len);
static void chap_handle_status(struct chap_client_state *cs, int code, int id,
unsigned char *pkt, int len);
static void chap_protrej(int unit);
static void chap_input(int unit, unsigned char *pkt, int pktlen);
static int chap_print_pkt(unsigned char *p, int plen,
void (*printer)(void *, char *, ...), void *arg);

/* List of digest types that we know about */
static struct chap_digest_type *chap_digests;

/*
* chap_init - reset to initial state.
*/
static void
chap_init(int unit)
{
memset(&client, 0, sizeof(client));
memset(&server, 0, sizeof(server));

chap_md5_init();
#ifdef PPP_WITH_CHAPMS
chapms_init();
#endif
}

/*
* Add a new digest type to the list.
*/
void
chap_register_digest(struct chap_digest_type *dp)
{
dp->next = chap_digests;
chap_digests = dp;
}

/*
* Lookup a digest type by code
*/
struct chap_digest_type *
chap_find_digest(int digest_code) {
struct chap_digest_type *dp = NULL;
for (dp = chap_digests; dp != NULL; dp = dp->next)
if (dp->code == digest_code)
break;
return dp;
}

/*
* chap_lowerup - we can start doing stuff now.
*/
static void
chap_lowerup(int unit)
{
struct chap_client_state *cs = &client;
struct chap_server_state *ss = &server;

cs->flags |= LOWERUP;
ss->flags |= LOWERUP;
if (ss->flags & AUTH_STARTED)
chap_server_timeout(ss);
}

static void
chap_lowerdown(int unit)
{
struct chap_client_state *cs = &client;
struct chap_server_state *ss = &server;

if (cs->flags & TIMEOUT_PENDING)
UNTIMEOUT(chap_client_timeout, cs);
cs->flags = 0;
if (ss->flags & TIMEOUT_PENDING)
UNTIMEOUT(chap_server_timeout, ss);
ss->flags = 0;
}

/*
* chap_auth_peer - Start authenticating the peer.
* If the lower layer is already up, we start sending challenges,
* otherwise we wait for the lower layer to come up.
*/
void
chap_auth_peer(int unit, char *our_name, int digest_code)
{
struct chap_server_state *ss = &server;
struct chap_digest_type *dp;

if (ss->flags & AUTH_STARTED) {
error("CHAP: peer authentication already started!");
return;
}

dp = chap_find_digest(digest_code);
if (dp == NULL)
fatal("CHAP digest 0x%x requested but not available",
digest_code);

ss->digest = dp;
ss->name = our_name;
/* Start with a random ID value */
ss->id = (unsigned char)(drand48() * 256);
ss->flags |= AUTH_STARTED;
if (ss->flags & LOWERUP)
chap_server_timeout(ss);
}

/*
* chap_auth_with_peer - Prepare to authenticate ourselves to the peer.
* There isn't much to do until we receive a challenge.
*/
void
chap_auth_with_peer(int unit, char *our_name, int digest_code)
{
struct chap_client_state *cs = &client;
struct chap_digest_type *dp;

if (cs->flags & AUTH_STARTED) {
error("CHAP: authentication with peer already started!");
return;
}
for (dp = chap_digests; dp != NULL; dp = dp->next)
if (dp->code == digest_code)
break;
if (dp == NULL)
fatal("CHAP digest 0x%x requested but not available",
digest_code);

cs->digest = dp;
cs->name = our_name;
cs->flags |= AUTH_STARTED | TIMEOUT_PENDING;
TIMEOUT(chap_client_timeout, cs, chap_client_timeout_time);
}

/*
* chap_server_timeout - It's time to send another challenge to the peer.
* This could be either a retransmission of a previous challenge,
* or a new challenge to start re-authentication.
*/
static void
chap_server_timeout(void *arg)
{
struct chap_server_state *ss = arg;

ss->flags &= ~TIMEOUT_PENDING;
if ((ss->flags & CHALLENGE_VALID) == 0) {
ss->challenge_xmits = 0;
chap_generate_challenge(ss);
ss->flags |= CHALLENGE_VALID;
} else if (ss->challenge_xmits >= chap_max_transmits) {
ss->flags &= ~CHALLENGE_VALID;
ss->flags |= AUTH_DONE | AUTH_FAILED;
auth_peer_fail(0, PPP_CHAP);
return;
}

output(0, ss->challenge, ss->challenge_pktlen);
++ss->challenge_xmits;
ss->flags |= TIMEOUT_PENDING;
TIMEOUT(chap_server_timeout, arg, chap_server_timeout_time);
}

/* chap_client_timeout - Authentication with peer timed out. */
static void
chap_client_timeout(void *arg)
{
struct chap_client_state *cs = arg;

cs->flags &= ~TIMEOUT_PENDING;
cs->flags |= AUTH_DONE | AUTH_FAILED;
error("CHAP authentication timed out");
auth_withpeer_fail(0, PPP_CHAP);
}

/*
* chap_generate_challenge - generate a challenge string and format
* the challenge packet in ss->challenge_pkt.
*/
static void
chap_generate_challenge(struct chap_server_state *ss)
{
int clen = 1, nlen, len;
unsigned char *p;

p = ss->challenge;
MAKEHEADER(p, PPP_CHAP);
p += CHAP_HDRLEN;
ss->digest->generate_challenge(p);
clen = *p;
nlen = strlen(ss->name);
memcpy(p + 1 + clen, ss->name, nlen);

len = CHAP_HDRLEN + 1 + clen + nlen;
ss->challenge_pktlen = PPP_HDRLEN + len;

p = ss->challenge + PPP_HDRLEN;
p[0] = CHAP_CHALLENGE;
p[1] = ++ss->id;
p[2] = len >> 8;
p[3] = len;
}

/*
* chap_handle_response - check the response to our challenge.
*/
static void
chap_handle_response(struct chap_server_state *ss, int id,
unsigned char *pkt, int len)
{
int response_len, ok, mlen;
unsigned char *response, *p;
char *name = NULL;
chap_verify_hook_fn *verifier;
char rname[MAXNAMELEN+1];

if ((ss->flags & LOWERUP) == 0)
return;
if (id != ss->challenge[PPP_HDRLEN+1] || len < 2)
return;
if (ss->flags & CHALLENGE_VALID) {
response = pkt;
GETCHAR(response_len, pkt);
len -= response_len + 1; /* length of name */
name = (char *)pkt + response_len;
if (len < 0)
return;

if (ss->flags & TIMEOUT_PENDING) {
ss->flags &= ~TIMEOUT_PENDING;
UNTIMEOUT(chap_server_timeout, ss);
}

if (explicit_remote) {
name = remote_name;
} else {
/* Null terminate and clean remote name. */
slprintf(rname, sizeof(rname), "%.*v", len, name);
name = rname;

/* strip the MS domain name */
if (chapms_strip_domain && strrchr(rname, '\\')) {
char tmp[MAXNAMELEN+1];

strcpy(tmp, strrchr(rname, '\\') + 1);
strcpy(rname, tmp);
}
}

if (chap_verify_hook)
verifier = chap_verify_hook;
else
verifier = chap_verify_response;
ok = (*verifier)(name, ss->name, id, ss->digest,
ss->challenge + PPP_HDRLEN + CHAP_HDRLEN,
response, ss->message, sizeof(ss->message));
if (!ok || !auth_number()) {
ss->flags |= AUTH_FAILED;
warn("Peer %q failed CHAP authentication", name);
}
} else if ((ss->flags & AUTH_DONE) == 0)
return;

/* send the response */
p = outpacket_buf;
MAKEHEADER(p, PPP_CHAP);
mlen = strlen(ss->message);
len = CHAP_HDRLEN + mlen;
p[0] = (ss->flags & AUTH_FAILED)? CHAP_FAILURE: CHAP_SUCCESS;
p[1] = id;
p[2] = len >> 8;
p[3] = len;
if (mlen > 0)
memcpy(p + CHAP_HDRLEN, ss->message, mlen);
output(0, outpacket_buf, PPP_HDRLEN + len);

if (ss->flags & CHALLENGE_VALID) {
ss->flags &= ~CHALLENGE_VALID;
if (!(ss->flags & AUTH_DONE) && !(ss->flags & AUTH_FAILED)) {
/*
* Auth is OK, so now we need to check session restrictions
* to ensure everything is OK, but only if we used a
* plugin, and only if we're configured to check. This
* allows us to do PAM checks on PPP servers that
* authenticate against ActiveDirectory, and use AD for
* account info (like when using Winbind integrated with
* PAM).
*/
if (session_mgmt &&
session_check(name, NULL, devnam, NULL) == 0) {
ss->flags |= AUTH_FAILED;
warn("Peer %q failed CHAP Session verification", name);
}
}
if (ss->flags & AUTH_FAILED) {
auth_peer_fail(0, PPP_CHAP);
} else {
if ((ss->flags & AUTH_DONE) == 0)
auth_peer_success(0, PPP_CHAP,
ss->digest->code,
name, strlen(name));
if (chap_rechallenge_time) {
ss->flags |= TIMEOUT_PENDING;
TIMEOUT(chap_server_timeout, ss,
chap_rechallenge_time);
}
}
ss->flags |= AUTH_DONE;
}
}

/*
* chap_verify_response - check whether the peer's response matches
* what we think it should be. Returns 1 if it does (authentication
* succeeded), or 0 if it doesn't.
*/
static int
chap_verify_response(char *name, char *ourname, int id,
struct chap_digest_type *digest,
unsigned char *challenge, unsigned char *response,
char *message, int message_space)
{
int ok;
unsigned char secret[MAXSECRETLEN];
int secret_len;

/* Get the secret that the peer is supposed to know */
if (!get_secret(0, name, ourname, (char *)secret, &secret_len, 1)) {
error("No CHAP secret found for authenticating %q", name);
return 0;
}

ok = digest->verify_response(id, name, secret, secret_len, challenge,
response, message, message_space);
memset(secret, 0, sizeof(secret));

return ok;
}

/*
* chap_respond - Generate and send a response to a challenge.
*/
static void
chap_respond(struct chap_client_state *cs, int id,
unsigned char *pkt, int len)
{
int clen, nlen;
int secret_len;
unsigned char *p;
unsigned char response[RESP_MAX_PKTLEN];
char rname[MAXNAMELEN+1];
char secret[MAXSECRETLEN+1];

if ((cs->flags & (LOWERUP | AUTH_STARTED)) != (LOWERUP | AUTH_STARTED))
return; /* not ready */
if (len < 2 || len < pkt[0] + 1)
return; /* too short */
clen = pkt[0];
nlen = len - (clen + 1);

/* Null terminate and clean remote name. */
slprintf(rname, sizeof(rname), "%.*v", nlen, pkt + clen + 1);

/* Microsoft doesn't send their name back in the PPP packet */
if (explicit_remote || (remote_name[0] != 0 && rname[0] == 0))
strlcpy(rname, remote_name, sizeof(rname));

/* get secret for authenticating ourselves with the specified host */
if (!get_secret(0, cs->name, rname, secret, &secret_len, 0)) {
secret_len = 0; /* assume null secret if can't find one */
warn("No CHAP secret found for authenticating us to %q", rname);
}

p = response;
MAKEHEADER(p, PPP_CHAP);
p += CHAP_HDRLEN;

cs->digest->make_response(p, id, cs->name, pkt,
secret, secret_len, cs->priv);
memset(secret, 0, secret_len);

clen = *p;
nlen = strlen(cs->name);
memcpy(p + clen + 1, cs->name, nlen);

p = response + PPP_HDRLEN;
len = CHAP_HDRLEN + clen + 1 + nlen;
p[0] = CHAP_RESPONSE;
p[1] = id;
p[2] = len >> 8;
p[3] = len;

output(0, response, PPP_HDRLEN + len);
}

static void
chap_handle_status(struct chap_client_state *cs, int code, int id,
unsigned char *pkt, int len)
{
const char *msg = NULL;

if ((cs->flags & (AUTH_DONE|AUTH_STARTED|LOWERUP))
!= (AUTH_STARTED|LOWERUP))
return;
cs->flags |= AUTH_DONE;

UNTIMEOUT(chap_client_timeout, cs);
cs->flags &= ~TIMEOUT_PENDING;

if (code == CHAP_SUCCESS) {
/* used for MS-CHAP v2 mutual auth, yuck */
if (cs->digest->check_success != NULL) {
if (!(*cs->digest->check_success)(id, pkt, len))
code = CHAP_FAILURE;
} else
msg = "CHAP authentication succeeded";
} else {
if (cs->digest->handle_failure != NULL)
(*cs->digest->handle_failure)(pkt, len);
else
msg = "CHAP authentication failed";
}
if (msg) {
if (len > 0)
info("%s: %.*v", msg, len, pkt);
else
info("%s", msg);
}
if (code == CHAP_SUCCESS)
auth_withpeer_success(0, PPP_CHAP, cs->digest->code);
else {
cs->flags |= AUTH_FAILED;
error("CHAP authentication failed");
auth_withpeer_fail(0, PPP_CHAP);
}
}

static void
chap_input(int unit, unsigned char *pkt, int pktlen)
{
struct chap_client_state *cs = &client;
struct chap_server_state *ss = &server;
unsigned char code, id;
int len;

if (pktlen < CHAP_HDRLEN)
return;
GETCHAR(code, pkt);
GETCHAR(id, pkt);
GETSHORT(len, pkt);
if (len < CHAP_HDRLEN || len > pktlen)
return;
len -= CHAP_HDRLEN;

switch (code) {
case CHAP_CHALLENGE:
chap_respond(cs, id, pkt, len);
break;
case CHAP_RESPONSE:
chap_handle_response(ss, id, pkt, len);
break;
case CHAP_FAILURE:
case CHAP_SUCCESS:
chap_handle_status(cs, code, id, pkt, len);
break;
}
}

static void
chap_protrej(int unit)
{
struct chap_client_state *cs = &client;
struct chap_server_state *ss = &server;

if (ss->flags & TIMEOUT_PENDING) {
ss->flags &= ~TIMEOUT_PENDING;
UNTIMEOUT(chap_server_timeout, ss);
}
if (ss->flags & AUTH_STARTED) {
ss->flags = 0;
auth_peer_fail(0, PPP_CHAP);
}
if ((cs->flags & (AUTH_STARTED|AUTH_DONE)) == AUTH_STARTED) {
cs->flags &= ~AUTH_STARTED;
error("CHAP authentication failed due to protocol-reject");
auth_withpeer_fail(0, PPP_CHAP);
}
}

/*
* chap_print_pkt - print the contents of a CHAP packet.
*/
static char *chap_code_names[] = {
"Challenge", "Response", "Success", "Failure"
};

static int
chap_print_pkt(unsigned char *p, int plen,
void (*printer)(void *, char *, ...), void *arg)
{
int code, id, len;
int clen, nlen;
unsigned char x;

if (plen < CHAP_HDRLEN)
return 0;
GETCHAR(code, p);
GETCHAR(id, p);
GETSHORT(len, p);
if (len < CHAP_HDRLEN || len > plen)
return 0;

if (code >= 1 && code <= sizeof(chap_code_names) / sizeof(char *))
printer(arg, " %s", chap_code_names[code-1]);
else
printer(arg, " code=0x%x", code);
printer(arg, " id=0x%x", id);
len -= CHAP_HDRLEN;
switch (code) {
case CHAP_CHALLENGE:
case CHAP_RESPONSE:
if (len < 1)
break;
clen = p[0];
if (len < clen + 1)
break;
++p;
nlen = len - clen - 1;
printer(arg, " <");
for (; clen > 0; --clen) {
GETCHAR(x, p);
printer(arg, "%.2x", x);
}
printer(arg, ">, name = ");
print_string((char *)p, nlen, printer, arg);
break;
case CHAP_FAILURE:
case CHAP_SUCCESS:
printer(arg, " ");
print_string((char *)p, len, printer, arg);
break;
default:
for (clen = len; clen > 0; --clen) {
GETCHAR(x, p);
printer(arg, " %.2x", x);
}
}

return len + CHAP_HDRLEN;
}

struct protent chap_protent = {
PPP_CHAP,
chap_init,
chap_input,
chap_protrej,
chap_lowerup,
chap_lowerdown,
NULL, /* open */
NULL, /* close */
chap_print_pkt,
NULL, /* datainput */
1, /* enabled_flag */
"CHAP", /* name */
NULL, /* data_name */
chap_option_list,
NULL, /* check_options */
};