/* * Copyright (c) 2003 Apple Computer, Inc. All rights reserved. * * @APPLE_LICENSE_HEADER_START@ * * This file contains Original Code and/or Modifications of Original Code * as defined in and that are subject to the Apple Public Source License * Version 2.0 (the 'License'). You may not use this file except in * compliance with the License. Please obtain a copy of the License at * http://www.opensource.apple.com/apsl/ and read it before using this * file. * * The Original Code and all software distributed under the License are * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. * Please see the License for the specific language governing rights and * limitations under the License. * * @APPLE_LICENSE_HEADER_END@ */ /* * chap-new.c - New CHAP implementation. * * Copyright (c) 2003 Paul Mackerras. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in * the documentation and/or other materials provided with the * distribution. * * 3. The name(s) of the authors of this software must not be used to * endorse or promote products derived from this software without * prior written permission. * * 4. Redistributions of any form whatsoever must retain the following * acknowledgment: * "This product includes software developed by Paul Mackerras * ". * * THE AUTHORS OF THIS SOFTWARE DISCLAIM ALL WARRANTIES WITH REGARD TO * THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY * AND FITNESS, IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY * SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN * AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING * OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ #include #include #include #include #include "pppd.h" #include "chap-new.h" #include "chap-md5.h" #ifdef CHAPMS #include "chap_ms.h" #endif /* Hook for a plugin to validate CHAP challenge */ int (*chap_verify_hook)(char *name, char *ourname, int id, struct chap_digest_type *digest, unsigned char *challenge, unsigned char *response, unsigned char *message, int message_space) = NULL; /* * Option variables. */ int chap_timeout_time = 3; int chap_max_transmits = 10; int chap_rechallenge_time = 0; /* * Command-line options. */ static option_t chap_option_list[] = { { "chap-restart", o_int, &chap_timeout_time, "Set timeout for CHAP", OPT_PRIO }, { "chap-max-challenge", o_int, &chap_max_transmits, "Set max #xmits for challenge", OPT_PRIO }, { "chap-interval", o_int, &chap_rechallenge_time, "Set interval for rechallenge", OPT_PRIO }, { NULL } }; /* * Internal state. */ static struct chap_client_state { int flags; char *name; struct chap_digest_type *digest; unsigned char priv[64]; /* private area for digest's use */ } client; /* * These limits apply to challenge and response packets we send. * The +4 is the +1 that we actually need rounded up. */ #define CHAL_MAX_PKTLEN (PPP_HDRLEN + CHAP_HDRLEN + 4 + MAX_CHALLENGE_LEN + MAXNAMELEN) #define RESP_MAX_PKTLEN (PPP_HDRLEN + CHAP_HDRLEN + 4 + MAX_RESPONSE_LEN + MAXNAMELEN) #define CHGPWD_MAX_PKTLEN (PPP_MRU) static struct chap_server_state { int flags; int id; char *name; struct chap_digest_type *digest; int challenge_xmits; int challenge_pktlen; unsigned char challenge[CHAL_MAX_PKTLEN]; } server; /* Values for flags in chap_client_state and chap_server_state */ #define LOWERUP 1 #define AUTH_STARTED 2 #define AUTH_DONE 4 #define AUTH_FAILED 8 #define TIMEOUT_PENDING 0x10 #define CHALLENGE_VALID 0x20 /* * Prototypes. */ static void chap_init(int unit); static void chap_lowerup(int unit); static void chap_lowerdown(int unit); static void chap_timeout(void *arg); static void chap_generate_challenge(struct chap_server_state *ss); static void chap_handle_response(struct chap_server_state *ss, int code, unsigned char *pkt, int len); static int chap_verify_response(char *name, char *ourname, int id, struct chap_digest_type *digest, unsigned char *challenge, unsigned char *response, unsigned char *message, int message_space); static void chap_respond(struct chap_client_state *cs, int id, unsigned char *pkt, int len); static void chap_handle_status(struct chap_client_state *cs, int code, int id, unsigned char *pkt, int len); static void chap_protrej(int unit); static void chap_input(int unit, unsigned char *pkt, int pktlen); static int chap_print_pkt(unsigned char *p, int plen, void (*printer) __P((void *, char *, ...)), void *arg); /* List of digest types that we know about */ static struct chap_digest_type *chap_digests; #ifdef __APPLE__ static int inside_UI = 0; static int chap_ui_fds[2]; /* files descriptors for UI thread */ static pthread_t chap_ui_thread; /* UI thread */ static unsigned char *chap_saved_packet = 0; static unsigned char chap_last_message[MAXNAMELEN]; static int ask_password_mode = 0; /* 0 for retry, 1 for change */ #endif /* * chap_init - reset to initial state. */ static void chap_init(int unit) { memset(&client, 0, sizeof(client)); memset(&server, 0, sizeof(server)); chap_md5_init(); #ifdef CHAPMS chapms_init(); #endif } /* * Add a new digest type to the list. */ void chap_register_digest(struct chap_digest_type *dp) { dp->next = chap_digests; chap_digests = dp; } /* * chap_lowerup - we can start doing stuff now. */ static void chap_lowerup(int unit) { struct chap_client_state *cs = &client; struct chap_server_state *ss = &server; #ifdef __APPLE__ chapms_reinit(); #endif cs->flags |= LOWERUP; ss->flags |= LOWERUP; if (ss->flags & AUTH_STARTED) chap_timeout(ss); } static void chap_lowerdown(int unit) { struct chap_client_state *cs = &client; struct chap_server_state *ss = &server; cs->flags = 0; if (ss->flags & TIMEOUT_PENDING) UNTIMEOUT(chap_timeout, ss); ss->flags = 0; if (inside_UI) { pthread_cancel(chap_ui_thread); inside_UI = 0; } } /* * chap_auth_peer - Start authenticating the peer. * If the lower layer is already up, we start sending challenges, * otherwise we wait for the lower layer to come up. */ void chap_auth_peer(int unit, char *our_name, int digest_code) { struct chap_server_state *ss = &server; struct chap_digest_type *dp; if (ss->flags & AUTH_STARTED) { error("CHAP: peer authentication already started!"); return; } for (dp = chap_digests; dp != NULL; dp = dp->next) if (dp->code == digest_code) break; if (dp == NULL) fatal("CHAP digest 0x%x requested but not available", digest_code); ss->digest = dp; ss->name = our_name; /* Start with a random ID value */ ss->id = (unsigned char)(drand48() * 256); ss->flags |= AUTH_STARTED; if (ss->flags & LOWERUP) chap_timeout(ss); } /* * chap_auth_with_peer - Prepare to authenticate ourselves to the peer. * There isn't much to do until we receive a challenge. */ void chap_auth_with_peer(int unit, char *our_name, int digest_code) { struct chap_client_state *cs = &client; struct chap_digest_type *dp; if (cs->flags & AUTH_STARTED) { error("CHAP: authentication with peer already started!"); return; } for (dp = chap_digests; dp != NULL; dp = dp->next) if (dp->code == digest_code) break; if (dp == NULL) fatal("CHAP digest 0x%x requested but not available", digest_code); cs->digest = dp; cs->name = our_name; cs->flags |= AUTH_STARTED; } /* * chap_timeout - It's time to send another challenge to the peer. * This could be either a retransmission of a previous challenge, * or a new challenge to start re-authentication. */ static void chap_timeout(void *arg) { struct chap_server_state *ss = arg; ss->flags &= ~TIMEOUT_PENDING; if ((ss->flags & CHALLENGE_VALID) == 0) { ss->challenge_xmits = 0; chap_generate_challenge(ss); ss->flags |= CHALLENGE_VALID; } else if (ss->challenge_xmits >= chap_max_transmits) { ss->flags &= ~CHALLENGE_VALID; ss->flags |= AUTH_DONE | AUTH_FAILED; auth_peer_fail(0, PPP_CHAP); return; } output(0, ss->challenge, ss->challenge_pktlen); ++ss->challenge_xmits; ss->flags |= TIMEOUT_PENDING; TIMEOUT(chap_timeout, arg, chap_timeout_time); } /* * chap_generate_challenge - generate a challenge string and format * the challenge packet in ss->challenge_pkt. */ static void chap_generate_challenge(struct chap_server_state *ss) { int clen = 1, nlen, len; unsigned char *p; p = ss->challenge; MAKEHEADER(p, PPP_CHAP); p += CHAP_HDRLEN; ss->digest->generate_challenge(p); clen = *p; nlen = strlen(ss->name); memcpy(p + 1 + clen, ss->name, nlen); len = CHAP_HDRLEN + 1 + clen + nlen; ss->challenge_pktlen = PPP_HDRLEN + len; p = ss->challenge + PPP_HDRLEN; p[0] = CHAP_CHALLENGE; p[1] = ++ss->id; p[2] = len >> 8; p[3] = len; } /* * chap_handle_response - check the response to our challenge. */ static void chap_handle_response(struct chap_server_state *ss, int id, unsigned char *pkt, int len) { int response_len, ok, mlen; unsigned char *response, *p; unsigned char *name = NULL; /* initialized to shut gcc up */ int (*verifier)(char *, char *, int, struct chap_digest_type *, unsigned char *, unsigned char *, unsigned char *, int); char rname[MAXNAMELEN+1]; unsigned char message[256]; if ((ss->flags & LOWERUP) == 0) return; if (id != ss->challenge[PPP_HDRLEN+1] || len < 2) return; if ((ss->flags & AUTH_DONE) == 0) { if ((ss->flags & CHALLENGE_VALID) == 0) return; response = pkt; GETCHAR(response_len, pkt); len -= response_len + 1; /* length of name */ name = pkt + response_len; if (len < 0) return; ss->flags &= ~CHALLENGE_VALID; if (ss->flags & TIMEOUT_PENDING) { ss->flags &= ~TIMEOUT_PENDING; UNTIMEOUT(chap_timeout, ss); } if (explicit_remote) { name = remote_name; } else { /* Null terminate and clean remote name. */ slprintf(rname, sizeof(rname), "%.*v", len, name); name = rname; } if (chap_verify_hook) verifier = chap_verify_hook; else verifier = chap_verify_response; ok = (*verifier)(name, ss->name, id, ss->digest, ss->challenge + PPP_HDRLEN + CHAP_HDRLEN, response, message, sizeof(message)); if (!ok || !auth_number()) { ss->flags |= AUTH_FAILED; warning("Peer %q failed CHAP authentication", name); } } /* send the response */ p = outpacket_buf; MAKEHEADER(p, PPP_CHAP); mlen = strlen(message); len = CHAP_HDRLEN + mlen; p[0] = (ss->flags & AUTH_FAILED)? CHAP_FAILURE: CHAP_SUCCESS; p[1] = id; p[2] = len >> 8; p[3] = len; if (mlen > 0) memcpy(p + CHAP_HDRLEN, message, mlen); output(0, outpacket_buf, PPP_HDRLEN + len); if ((ss->flags & AUTH_DONE) == 0) { ss->flags |= AUTH_DONE; if (ss->flags & AUTH_FAILED) { auth_peer_fail(0, PPP_CHAP); } else { auth_peer_success(0, PPP_CHAP, ss->digest->code, name, strlen(name)); if (chap_rechallenge_time) { ss->flags |= TIMEOUT_PENDING; TIMEOUT(chap_timeout, ss, chap_rechallenge_time); } } } } /* * chap_verify_response - check whether the peer's response matches * what we think it should be. Returns 1 if it does (authentication * succeeded), or 0 if it doesn't. */ static int chap_verify_response(char *name, char *ourname, int id, struct chap_digest_type *digest, unsigned char *challenge, unsigned char *response, unsigned char *message, int message_space) { int ok; char secret[MAXSECRETLEN]; int secret_len; /* Get the secret that the peer is supposed to know */ if (!get_secret(0, name, ourname, secret, &secret_len, 1)) { error("No CHAP secret found for authenticating %q", name); return 0; } ok = digest->verify_response(id, name, secret, secret_len, challenge, response, message, message_space); memset(secret, 0, sizeof(secret)); return ok; } /* * chap_respond - Generate and send a response to a challenge. */ static void chap_respond(struct chap_client_state *cs, int id, unsigned char *pkt, int len) { int clen, nlen; int secret_len; unsigned char *p; unsigned char response[RESP_MAX_PKTLEN]; char rname[MAXNAMELEN+1]; char secret[MAXSECRETLEN+1]; if ((cs->flags & (LOWERUP | AUTH_STARTED)) != (LOWERUP | AUTH_STARTED)) return; /* not ready */ if (len < 2 || len < pkt[0] + 1) return; /* too short */ clen = pkt[0]; nlen = len - (clen + 1); /* Null terminate and clean remote name. */ slprintf(rname, sizeof(rname), "%.*v", nlen, pkt + clen + 1); /* Microsoft doesn't send their name back in the PPP packet */ if (explicit_remote || (remote_name[0] != 0 && rname[0] == 0)) strlcpy(rname, remote_name, sizeof(rname)); /* get secret for authenticating ourselves with the specified host */ if (!get_secret(0, cs->name, rname, secret, &secret_len, 0)) { secret_len = 0; /* assume null secret if can't find one */ warning("No CHAP secret found for authenticating us to %q", rname); } p = response; MAKEHEADER(p, PPP_CHAP); p += CHAP_HDRLEN; cs->digest->make_response(p, id, cs->name, pkt, secret, secret_len, cs->priv); memset(secret, 0, secret_len); clen = *p; nlen = strlen(cs->name); memcpy(p + clen + 1, cs->name, nlen); p = response + PPP_HDRLEN; len = CHAP_HDRLEN + clen + 1 + nlen; p[0] = CHAP_RESPONSE; p[1] = id; p[2] = len >> 8; p[3] = len; output(0, response, PPP_HDRLEN + len); } static void chap_wait_input_fd(void) { char result; int nlen, err; int secret_len; unsigned char *p; unsigned char response[CHGPWD_MAX_PKTLEN]; char rname[MAXNAMELEN+1]; char secret[MAXSECRETLEN+1]; struct chap_client_state *cs = &client; if (chap_ui_fds[0] != -1 && is_ready_fd(chap_ui_fds[0])) { inside_UI = 0; result = 0; read(chap_ui_fds[0], &result, 1); wait_input_hook = 0; remove_fd(chap_ui_fds[0]); close(chap_ui_fds[0]); close(chap_ui_fds[1]); chap_ui_fds[0] = -1; chap_ui_fds[1] = -1; if (result == 0) { /* user cancellation */ free(chap_saved_packet); chap_saved_packet = 0; cs->flags |= AUTH_DONE; auth_withpeer_cancelled(0, PPP_CHAP); return; } /* XXX should memorize name from previous challenge */ rname[0] = 0; /* Microsoft doesn't send their name back in the PPP packet */ if (explicit_remote || (remote_name[0] != 0 && rname[0] == 0)) strlcpy(rname, remote_name, sizeof(rname)); /* get secret for authenticating ourselves with the specified host */ if (!get_secret(0, cs->name, rname, secret, &secret_len, 0)) { secret_len = 0; /* assume null secret if can't find one */ warning("No CHAP secret found for authenticating us to %q", rname); } p = response; MAKEHEADER(p, PPP_CHAP); if (ask_password_mode == 1) err = cs->digest->make_change_password(p, cs->name, chap_saved_packet, secret, secret_len, new_passwd, strlen(new_passwd), cs->priv); else err = cs->digest->make_retry_password(p, cs->name, chap_saved_packet, secret, secret_len, cs->priv); memset(secret, 0, secret_len); free(chap_saved_packet); chap_saved_packet = 0; if (err) { /* error occured, fail authentication */ return; } nlen = p[2]; nlen <<= 8; nlen += p[3]; output(0, response, PPP_HDRLEN + nlen); } } static void *chap_UIThread(void *arg) { /* int unit = (int)arg; */ char result = -1; int err; if (pthread_detach(pthread_self()) == 0) { if (ask_password_mode == 1) err = (*change_password_hook)(chap_last_message[0] ? chap_last_message : 0); else err = (*retry_password_hook)(chap_last_message[0] ? chap_last_message : 0); if (err == 0) result = 0; } write(chap_ui_fds[1], &result, 1); return 0; } static int chap_invoke_ui() { if (pipe(chap_ui_fds) < 0) { error("chap failed to create pipe for User Interface...\n"); return -1; } if (pthread_create(&chap_ui_thread, NULL, chap_UIThread, 0 /* unit number */)) { error("chap failed to create thread for client User Interface...\n"); close(chap_ui_fds[0]); close(chap_ui_fds[1]); return -1; } wait_input_hook = chap_wait_input_fd; add_fd(chap_ui_fds[0]); return 0; } /* * chap_ask_password - Generate and send a change password packet. * change is 0 for retry password mode, 1 for change password mode */ static int chap_ask_password(struct chap_client_state *cs, int id, unsigned char *pkt, int len, int change) { int err; /* check if already processing request */ if (inside_UI) return 0; /* UI is started, save packet */ if (chap_saved_packet) free(chap_saved_packet); pkt -= CHAP_HDRLEN; chap_saved_packet = malloc(len + CHAP_HDRLEN); if (!chap_saved_packet) { error("CHAP: cannot allocate memory to save packet"); return -1; } memcpy(chap_saved_packet, pkt, len + CHAP_HDRLEN); ask_password_mode = change; err = chap_invoke_ui(change); if (err != 0) { free(chap_saved_packet); chap_saved_packet = 0; return -1; } inside_UI = 1; return 0; } static void chap_handle_status(struct chap_client_state *cs, int code, int id, unsigned char *pkt, int len) { const char *msg = NULL; int oldflags = cs->flags; if ((cs->flags & (AUTH_DONE|AUTH_STARTED|LOWERUP)) != (AUTH_STARTED|LOWERUP)) return; cs->flags |= AUTH_DONE; if (code == CHAP_SUCCESS) { /* used for MS-CHAP v2 mutual auth, yuck */ if (cs->digest->check_success != NULL) { if (!(*cs->digest->check_success)(pkt, len, cs->priv)) code = CHAP_FAILURE; } else msg = "CHAP authentication succeeded"; } else { if (cs->digest->handle_failure != NULL) { int ret; chap_last_message[0] = 0; ret = (*cs->digest->handle_failure)(pkt, len, chap_last_message, sizeof(chap_last_message)); if (ret == 1) { /* change password */ cs->flags = oldflags; if (chap_ask_password(cs, id, pkt, len, 1) == 0) return; else cs->flags |= AUTH_DONE; } else if (ret == 2) { /* incorrect password, retry allowed */ cs->flags = oldflags; if (chap_ask_password(cs, id, pkt, len, 0) == 0) return; else cs->flags |= AUTH_DONE; } } else msg = "CHAP authentication failed"; } if (msg) { if (len > 0) info("%s: %.*v", msg, len, pkt); else info("%s", msg); } if (code == CHAP_SUCCESS) auth_withpeer_success(0, PPP_CHAP, cs->digest->code); else { cs->flags |= AUTH_FAILED; auth_withpeer_fail(0, PPP_CHAP); } } static void chap_input(int unit, unsigned char *pkt, int pktlen) { struct chap_client_state *cs = &client; struct chap_server_state *ss = &server; unsigned char code, id; int len; if (pktlen < CHAP_HDRLEN) return; GETCHAR(code, pkt); GETCHAR(id, pkt); GETSHORT(len, pkt); if (len < CHAP_HDRLEN || len > pktlen) return; len -= CHAP_HDRLEN; switch (code) { case CHAP_CHALLENGE: chap_respond(cs, id, pkt, len); break; case CHAP_RESPONSE: chap_handle_response(ss, id, pkt, len); break; case CHAP_FAILURE: case CHAP_SUCCESS: chap_handle_status(cs, code, id, pkt, len); break; } } static void chap_protrej(int unit) { struct chap_client_state *cs = &client; struct chap_server_state *ss = &server; if (ss->flags & TIMEOUT_PENDING) { ss->flags &= ~TIMEOUT_PENDING; UNTIMEOUT(chap_timeout, ss); } if (ss->flags & AUTH_STARTED) { ss->flags = 0; auth_peer_fail(0, PPP_CHAP); } if ((cs->flags & (AUTH_STARTED|AUTH_DONE)) == AUTH_STARTED) { cs->flags &= ~AUTH_STARTED; auth_withpeer_fail(0, PPP_CHAP); } } /* * chap_print_pkt - print the contents of a CHAP packet. */ static char *chap_code_names[] = { "Challenge", "Response", "Success", "Failure" }; static int chap_print_pkt(unsigned char *p, int plen, void (*printer) __P((void *, char *, ...)), void *arg) { int code, id, len; int clen, nlen; unsigned char x; if (plen < CHAP_HDRLEN) return 0; GETCHAR(code, p); GETCHAR(id, p); GETSHORT(len, p); if (len < CHAP_HDRLEN || len > plen) return 0; if (code >= 1 && code <= sizeof(chap_code_names) / sizeof(char *)) printer(arg, " %s", chap_code_names[code-1]); else printer(arg, " code=0x%x", code); printer(arg, " id=0x%x", id); len -= CHAP_HDRLEN; switch (code) { case CHAP_CHALLENGE: case CHAP_RESPONSE: if (len < 1) break; clen = p[0]; if (len < clen + 1) break; ++p; nlen = len - clen - 1; printer(arg, " <"); for (; clen > 0; --clen) { GETCHAR(x, p); printer(arg, "%.2x", x); } printer(arg, ">, name = "); print_string((char *)p, nlen, printer, arg); break; case CHAP_FAILURE: case CHAP_SUCCESS: printer(arg, " "); print_string((char *)p, len, printer, arg); break; default: for (clen = len; clen > 0; --clen) { GETCHAR(x, p); printer(arg, " %.2x", x); } } return len + CHAP_HDRLEN; } struct protent chap_protent = { PPP_CHAP, chap_init, chap_input, chap_protrej, chap_lowerup, chap_lowerdown, NULL, /* open */ NULL, /* close */ chap_print_pkt, NULL, /* datainput */ 1, /* enabled_flag */ "CHAP", /* name */ NULL, /* data_name */ chap_option_list, NULL, /* check_options */ NULL, NULL, #ifdef __APPLE__ NULL, NULL, NULL #endif };