diff options
author | Kozlov Dmitry <dima@server> | 2011-07-22 11:57:35 +0400 |
---|---|---|
committer | Kozlov Dmitry <dima@server> | 2011-07-22 11:57:35 +0400 |
commit | 5242b174bfd396ea87a91e4bdd6470e98264e006 (patch) | |
tree | 2c7a9dfdd520d5b234561f9cd834d69ed9ecca53 | |
parent | 08c719bf957e65033691f6497e6aeddc4ec3eb95 (diff) | |
download | accel-ppp-5242b174bfd396ea87a91e4bdd6470e98264e006.tar.gz accel-ppp-5242b174bfd396ea87a91e4bdd6470e98264e006.zip |
auth_mschap, radius: if radius replies with MS-CHAP-Error attribute send this value in mschap failure message
-rw-r--r-- | accel-pppd/auth/auth_mschap_v1.c | 72 | ||||
-rw-r--r-- | accel-pppd/auth/auth_mschap_v2.c | 120 | ||||
-rw-r--r-- | accel-pppd/radius/auth.c | 18 |
3 files changed, 105 insertions, 105 deletions
diff --git a/accel-pppd/auth/auth_mschap_v1.c b/accel-pppd/auth/auth_mschap_v1.c index 8764dfdd..65e7b3d9 100644 --- a/accel-pppd/auth/auth_mschap_v1.c +++ b/accel-pppd/auth/auth_mschap_v1.c @@ -31,15 +31,15 @@ #define VALUE_SIZE 8 #define RESPONSE_VALUE_SIZE (24+24+1) -#define MSG_FAILURE "E=691 R=0" -#define MSG_SUCCESS "Authentication successed" - #define HDR_LEN (sizeof(struct chap_hdr_t)-2) static int conf_timeout = 5; static int conf_interval = 0; static int conf_max_failure = 3; static int conf_any_login = 0; +static char *conf_msg_failure = "E=691 R=0"; +static char *conf_msg_success = "Authentication successed"; +; static int urandom_fd; @@ -69,19 +69,6 @@ struct chap_response_t char name[0]; } __attribute__((packed)); -struct chap_failure_t -{ - struct chap_hdr_t hdr; - char message[sizeof(MSG_FAILURE)]; -} __attribute__((packed)); - -struct chap_success_t -{ - struct chap_hdr_t hdr; - char message[sizeof(MSG_SUCCESS)]; -} __attribute__((packed)); - - struct chap_auth_data_t { struct auth_data_t auth; @@ -210,36 +197,38 @@ static int lcp_recv_conf_req(struct ppp_t *ppp, struct auth_data_t *d, uint8_t * return LCP_OPT_NAK; } -static void chap_send_failure(struct chap_auth_data_t *ad) +static void chap_send_failure(struct chap_auth_data_t *ad, char *mschap_error) { - struct chap_failure_t msg = { - .hdr.proto = htons(PPP_CHAP), - .hdr.code = CHAP_FAILURE, - .hdr.id = ad->id, - .hdr.len = htons(sizeof(msg)-1-2), - .message = MSG_FAILURE, - }; - + struct chap_hdr_t *hdr = _malloc(sizeof(*hdr) + strlen(mschap_error) + 1); + hdr->proto = htons(PPP_CHAP); + hdr->code = CHAP_FAILURE; + hdr->id = ad->id; + hdr->len = htons(HDR_LEN + strlen(mschap_error)); + strcpy((char *)(hdr + 1), mschap_error); + if (conf_ppp_verbose) - log_ppp_info2("send [MSCHAP-v1 Failure id=%x \"%s\"]\n", msg.hdr.id, MSG_FAILURE); + log_ppp_info2("send [MSCHAP-v1 Failure id=%x \"%s\"]\n", hdr->id, mschap_error); + + ppp_chan_send(ad->ppp, hdr, ntohs(hdr->len) + 2); - ppp_chan_send(ad->ppp,&msg,ntohs(msg.hdr.len)+2); + _free(hdr); } static void chap_send_success(struct chap_auth_data_t *ad) { - struct chap_success_t msg = { - .hdr.proto = htons(PPP_CHAP), - .hdr.code = CHAP_SUCCESS, - .hdr.id = ad->id, - .hdr.len = htons(sizeof(msg)-1-2), - .message = MSG_SUCCESS, - }; + struct chap_hdr_t *hdr = _malloc(sizeof(*hdr) + strlen(conf_msg_success) + 1); + hdr->proto = htons(PPP_CHAP); + hdr->code = CHAP_SUCCESS; + hdr->id = ad->id; + hdr->len = htons(HDR_LEN + strlen(conf_msg_success)); + strcpy((char *)(hdr + 1), conf_msg_success); if (conf_ppp_verbose) - log_ppp_info2("send [MSCHAP-v1 Success id=%x \"%s\"]\n", msg.hdr.id, MSG_SUCCESS); + log_ppp_info2("send [MSCHAP-v1 Success id=%x \"%s\"]\n", hdr->id, conf_msg_success); - ppp_chan_send(ad->ppp, &msg, ntohs(msg.hdr.len) + 2); + ppp_chan_send(ad->ppp, hdr, ntohs(hdr->len) + 2); + + _free(hdr); } static void chap_send_challenge(struct chap_auth_data_t *ad) @@ -271,6 +260,7 @@ static void chap_recv_response(struct chap_auth_data_t *ad, struct chap_hdr_t *h { struct chap_response_t *msg = (struct chap_response_t*)hdr; char *name; + char *mschap_error = conf_msg_failure; int r; if (ad->timeout.tpd) @@ -313,7 +303,7 @@ static void chap_recv_response(struct chap_auth_data_t *ad, struct chap_hdr_t *h if (conf_any_login) { if (ppp_auth_successed(ad->ppp, name)) { - chap_send_failure(ad); + chap_send_failure(ad, mschap_error); ppp_terminate(ad->ppp, TERM_AUTH_ERROR, 0); _free(name); return; @@ -323,13 +313,13 @@ static void chap_recv_response(struct chap_auth_data_t *ad, struct chap_hdr_t *h return; } - r = pwdb_check(ad->ppp, name, PPP_CHAP, MSCHAP_V1, ad->id, ad->val, VALUE_SIZE, msg->lm_hash, msg->nt_hash, msg->flags); + r = pwdb_check(ad->ppp, name, PPP_CHAP, MSCHAP_V1, ad->id, ad->val, VALUE_SIZE, msg->lm_hash, msg->nt_hash, msg->flags, &mschap_error); if (r == PWDB_NO_IMPL) if (chap_check_response(ad, msg, name)) r = PWDB_DENIED; if (r == PWDB_DENIED) { - chap_send_failure(ad); + chap_send_failure(ad, mschap_error); if (ad->started) ppp_terminate(ad->ppp, TERM_AUTH_ERROR, 0); else @@ -338,7 +328,7 @@ static void chap_recv_response(struct chap_auth_data_t *ad, struct chap_hdr_t *h } else { if (!ad->started) { if (ppp_auth_successed(ad->ppp, name)) { - chap_send_failure(ad); + chap_send_failure(ad, mschap_error); ppp_terminate(ad->ppp, TERM_AUTH_ERROR, 0); _free(name); } else { @@ -396,7 +386,7 @@ static int chap_check_response(struct chap_auth_data_t *ad, struct chap_response if (!passwd) { if (conf_ppp_verbose) log_ppp_warn("mschap-v1: user not found\n"); - chap_send_failure(ad); + chap_send_failure(ad, conf_msg_failure); return PWDB_DENIED; } diff --git a/accel-pppd/auth/auth_mschap_v2.c b/accel-pppd/auth/auth_mschap_v2.c index f7407e80..07489513 100644 --- a/accel-pppd/auth/auth_mschap_v2.c +++ b/accel-pppd/auth/auth_mschap_v2.c @@ -31,14 +31,14 @@ #define VALUE_SIZE 16 #define RESPONSE_VALUE_SIZE (16+8+24+1) -#define MSG_FAILURE "E=691 R=0 C=cccccccccccccccccccccccccccccccc V=3 M=Authentication failure" -#define MSG_SUCCESS "S=cccccccccccccccccccccccccccccccccccccccc M=Authentication successed" - #define HDR_LEN (sizeof(struct chap_hdr_t)-2) static int conf_timeout = 5; static int conf_interval = 0; static int conf_max_failure = 3; +static char *conf_msg_failure = "E=691 R=0 V=3"; +static char *conf_msg_failure2 = "Authentication failure"; +static char *conf_msg_success = "Authentication successed"; static int urandom_fd; @@ -69,19 +69,6 @@ struct chap_response_t char name[0]; } __attribute__((packed)); -struct chap_failure_t -{ - struct chap_hdr_t hdr; - char message[sizeof(MSG_FAILURE)]; -} __attribute__((packed)); - -struct chap_success_t -{ - struct chap_hdr_t hdr; - char message[sizeof(MSG_SUCCESS)]; -} __attribute__((packed)); - - struct chap_auth_data_t { struct auth_data_t auth; @@ -211,20 +198,40 @@ static int lcp_recv_conf_req(struct ppp_t *ppp, struct auth_data_t *d, uint8_t * return LCP_OPT_NAK; } -static void chap_send_failure(struct chap_auth_data_t *ad) +static void chap_send_failure(struct chap_auth_data_t *ad, char *mschap_error, char *reply_msg) { - struct chap_failure_t msg = { - .hdr.proto = htons(PPP_CHAP), - .hdr.code = CHAP_FAILURE, - .hdr.id = ad->id, - .hdr.len = htons(sizeof(msg) - 1 - 2), - .message = MSG_FAILURE, - }; + struct chap_hdr_t *hdr = _malloc(sizeof(*hdr) + strlen(mschap_error) + strlen(reply_msg) + 4); + hdr->proto = htons(PPP_CHAP); + hdr->code = CHAP_FAILURE; + hdr->id = ad->id; + hdr->len = htons(HDR_LEN + strlen(mschap_error) + strlen(reply_msg) + 3); + + sprintf((char *)(hdr + 1), "%s M=%s", mschap_error, reply_msg); if (conf_ppp_verbose) - log_ppp_info2("send [MSCHAP-v2 Failure id=%x \"%s\"]\n", msg.hdr.id, MSG_FAILURE); + log_ppp_info2("send [MSCHAP-v2 Failure id=%x \"%s\"]\n", hdr->id, hdr + 1); - ppp_chan_send(ad->ppp, &msg, ntohs(msg.hdr.len) + 2); + ppp_chan_send(ad->ppp, hdr, ntohs(hdr->len) + 2); + + _free(hdr); +} + +static void chap_send_success(struct chap_auth_data_t *ad, struct chap_response_t *res_msg, const char *authenticator) +{ + struct chap_hdr_t *hdr = _malloc(sizeof(*hdr) + strlen(conf_msg_success) + 1 + 45); + hdr->proto = htons(PPP_CHAP), + hdr->code = CHAP_SUCCESS, + hdr->id = ad->id, + hdr->len = htons(HDR_LEN + strlen(conf_msg_success) + 45), + + sprintf((char *)(hdr + 1), "S=%s M=%s", authenticator, conf_msg_success); + + if (conf_ppp_verbose) + log_ppp_info2("send [MSCHAP-v2 Success id=%x \"%s\"]\n", hdr->id, hdr + 1); + + ppp_chan_send(ad->ppp, hdr, ntohs(hdr->len) + 2); + + _free(hdr); } static int generate_response(struct chap_auth_data_t *ad, struct chap_response_t *msg, const char *name, char *authenticator) @@ -297,24 +304,6 @@ static int generate_response(struct chap_auth_data_t *ad, struct chap_response_t return 0; } -static void chap_send_success(struct chap_auth_data_t *ad, struct chap_response_t *res_msg, const char *authenticator) -{ - struct chap_success_t msg = { - .hdr.proto = htons(PPP_CHAP), - .hdr.code = CHAP_SUCCESS, - .hdr.id = ad->id, - .hdr.len = htons(sizeof(msg) - 1 - 2), - .message = MSG_SUCCESS, - }; - - memcpy(msg.message + 2, authenticator, 40); - - if (conf_ppp_verbose) - log_ppp_info2("send [MSCHAP-v2 Success id=%x \"%s\"]\n", msg.hdr.id, msg.message); - - ppp_chan_send(ad->ppp, &msg, ntohs(msg.hdr.len) + 2); -} - static void chap_send_challenge(struct chap_auth_data_t *ad) { struct chap_challenge_t msg = { @@ -346,6 +335,10 @@ static void chap_recv_response(struct chap_auth_data_t *ad, struct chap_hdr_t *h char *name; char authenticator[41]; int r; + char *mschap_error = conf_msg_failure; + char *reply_msg = conf_msg_failure2; + + authenticator[40] = 0; if (ad->timeout.tpd) triton_timer_del(&ad->timeout); @@ -368,7 +361,7 @@ static void chap_recv_response(struct chap_auth_data_t *ad, struct chap_hdr_t *h if (msg->val_size != RESPONSE_VALUE_SIZE) { log_ppp_error("mschap-v2: incorrect value-size (%i)\n", msg->val_size); - chap_send_failure(ad); + chap_send_failure(ad, mschap_error, reply_msg); if (ad->started) ppp_terminate(ad->ppp, TERM_USER_ERROR, 0); else @@ -386,9 +379,9 @@ static void chap_recv_response(struct chap_auth_data_t *ad, struct chap_hdr_t *h return; } - r = pwdb_check(ad->ppp, name, PPP_CHAP, MSCHAP_V2, ad->id, ad->val, msg->peer_challenge, msg->reserved, msg->nt_hash, msg->flags, authenticator); + r = pwdb_check(ad->ppp, name, PPP_CHAP, MSCHAP_V2, ad->id, ad->val, msg->peer_challenge, msg->reserved, msg->nt_hash, msg->flags, authenticator, &mschap_error, &reply_msg); - if (r == PWDB_NO_IMPL) { + if (r == PWDB_NO_IMPL) { r = chap_check_response(ad, msg, name); if (r) r = PWDB_DENIED; @@ -397,7 +390,7 @@ static void chap_recv_response(struct chap_auth_data_t *ad, struct chap_hdr_t *h } if (r == PWDB_DENIED) { - chap_send_failure(ad); + chap_send_failure(ad, mschap_error, reply_msg); if (ad->started) ppp_terminate(ad->ppp, TERM_AUTH_ERROR, 0); else @@ -406,7 +399,7 @@ static void chap_recv_response(struct chap_auth_data_t *ad, struct chap_hdr_t *h } else { if (!ad->started) { if (ppp_auth_successed(ad->ppp, name)) { - chap_send_failure(ad); + chap_send_failure(ad, mschap_error, reply_msg); ppp_terminate(ad->ppp, TERM_AUTH_ERROR, 0); _free(name); } else { @@ -466,38 +459,37 @@ static int chap_check_response(struct chap_auth_data_t *ad, struct chap_response if (!passwd) { if (conf_ppp_verbose) log_ppp_warn("mschap-v2: user not found\n"); - chap_send_failure(ad); + chap_send_failure(ad, conf_msg_failure, conf_msg_failure2); return -1; } - u_passwd=_malloc(strlen(passwd)*2); - for(i=0; i<strlen(passwd); i++) - { + u_passwd = _malloc(strlen(passwd) * 2); + for (i = 0; i < strlen(passwd); i++) { u_passwd[i*2]=passwd[i]; u_passwd[i*2+1]=0; } SHA1_Init(&sha_ctx); - SHA1_Update(&sha_ctx,msg->peer_challenge,16); - SHA1_Update(&sha_ctx,ad->val,16); - SHA1_Update(&sha_ctx,name,strlen(name)); - SHA1_Final(c_hash,&sha_ctx); + SHA1_Update(&sha_ctx, msg->peer_challenge, 16); + SHA1_Update(&sha_ctx, ad->val, 16); + SHA1_Update(&sha_ctx, name, strlen(name)); + SHA1_Final(c_hash, &sha_ctx); - memset(z_hash,0,sizeof(z_hash)); + memset(z_hash, 0, sizeof(z_hash)); MD4_Init(&md4_ctx); - MD4_Update(&md4_ctx,u_passwd,strlen(passwd)*2); - MD4_Final(z_hash,&md4_ctx); + MD4_Update(&md4_ctx, u_passwd, strlen(passwd) * 2); + MD4_Final(z_hash, &md4_ctx); - des_encrypt(c_hash,z_hash,nt_hash); - des_encrypt(c_hash,z_hash+7,nt_hash+8); - des_encrypt(c_hash,z_hash+14,nt_hash+16); + des_encrypt(c_hash, z_hash, nt_hash); + des_encrypt(c_hash, z_hash + 7, nt_hash + 8); + des_encrypt(c_hash, z_hash + 14, nt_hash + 16); set_mppe_keys(ad, z_hash, msg->nt_hash); _free(passwd); _free(u_passwd); - return memcmp(nt_hash,msg->nt_hash,24); + return memcmp(nt_hash, msg->nt_hash, 24); } static void set_mppe_keys(struct chap_auth_data_t *ad, uint8_t *z_hash, uint8_t *nt_hash) diff --git a/accel-pppd/radius/auth.c b/accel-pppd/radius/auth.c index 99e6e16d..a37da0b6 100644 --- a/accel-pppd/radius/auth.c +++ b/accel-pppd/radius/auth.c @@ -350,6 +350,7 @@ int rad_auth_mschap_v1(struct radius_pd_t *rpd, const char *username, va_list ar { int r = PWDB_DENIED; uint8_t response[50]; + struct rad_attr_t *ra; int id = va_arg(args, int); const uint8_t *challenge = va_arg(args, const uint8_t *); @@ -357,6 +358,7 @@ int rad_auth_mschap_v1(struct radius_pd_t *rpd, const char *username, va_list ar const uint8_t *lm_response = va_arg(args, const uint8_t *); const uint8_t *nt_response = va_arg(args, const uint8_t *); int flags = va_arg(args, int); + char **mschap_error = va_arg(args, char **); response[0] = id; response[1] = flags; @@ -398,6 +400,7 @@ int rad_auth_mschap_v1(struct radius_pd_t *rpd, const char *username, va_list ar if (rad_packet_add_str(rpd->auth_req->pack, NULL, "Acct-Session-Id", rpd->ppp->sessionid)) goto out; + r = rad_auth_send(rpd->auth_req); if (r == PWDB_SUCCESS) { struct ev_radius_t ev = { @@ -408,6 +411,10 @@ int rad_auth_mschap_v1(struct radius_pd_t *rpd, const char *username, va_list ar triton_event_fire(EV_RADIUS_ACCESS_ACCEPT, &ev); setup_mppe(rpd->auth_req, challenge); rpd->auth_req->pack->id++; + } else if (rpd->auth_req->reply) { + ra = rad_packet_find_attr(rpd->auth_req->reply, "Microsoft", "MS-CHAP-Error"); + if (ra) + *mschap_error = ra->val.string; } return r; @@ -431,6 +438,8 @@ int rad_auth_mschap_v2(struct radius_pd_t *rpd, const char *username, va_list ar const uint8_t *response = va_arg(args, const uint8_t *); int flags = va_arg(args, int); uint8_t *authenticator = va_arg(args, uint8_t *); + char **mschap_error = va_arg(args, char **); + char **reply_msg = va_arg(args, char **); mschap_response[0] = id; mschap_response[1] = flags; @@ -491,8 +500,17 @@ int rad_auth_mschap_v2(struct radius_pd_t *rpd, const char *username, va_list ar triton_event_fire(EV_RADIUS_ACCESS_ACCEPT, &ev); setup_mppe(rpd->auth_req, NULL); rpd->auth_req->pack->id++; + } else if (rpd->auth_req->reply) { + ra = rad_packet_find_attr(rpd->auth_req->reply, "Microsoft", "MS-CHAP-Error"); + if (ra) + *mschap_error = ra->val.string; + ra = rad_packet_find_attr(rpd->auth_req->reply, NULL, "Reply-Message"); + if (ra) + *reply_msg = ra->val.string; } + + return r; out: rad_req_free(rpd->auth_req); |