summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorKozlov Dmitry <dima@server>2011-07-22 11:57:35 +0400
committerKozlov Dmitry <dima@server>2011-07-22 11:57:35 +0400
commit5242b174bfd396ea87a91e4bdd6470e98264e006 (patch)
tree2c7a9dfdd520d5b234561f9cd834d69ed9ecca53
parent08c719bf957e65033691f6497e6aeddc4ec3eb95 (diff)
downloadaccel-ppp-5242b174bfd396ea87a91e4bdd6470e98264e006.tar.gz
accel-ppp-5242b174bfd396ea87a91e4bdd6470e98264e006.zip
auth_mschap, radius: if radius replies with MS-CHAP-Error attribute send this value in mschap failure message
-rw-r--r--accel-pppd/auth/auth_mschap_v1.c72
-rw-r--r--accel-pppd/auth/auth_mschap_v2.c120
-rw-r--r--accel-pppd/radius/auth.c18
3 files changed, 105 insertions, 105 deletions
diff --git a/accel-pppd/auth/auth_mschap_v1.c b/accel-pppd/auth/auth_mschap_v1.c
index 8764dfdd..65e7b3d9 100644
--- a/accel-pppd/auth/auth_mschap_v1.c
+++ b/accel-pppd/auth/auth_mschap_v1.c
@@ -31,15 +31,15 @@
#define VALUE_SIZE 8
#define RESPONSE_VALUE_SIZE (24+24+1)
-#define MSG_FAILURE "E=691 R=0"
-#define MSG_SUCCESS "Authentication successed"
-
#define HDR_LEN (sizeof(struct chap_hdr_t)-2)
static int conf_timeout = 5;
static int conf_interval = 0;
static int conf_max_failure = 3;
static int conf_any_login = 0;
+static char *conf_msg_failure = "E=691 R=0";
+static char *conf_msg_success = "Authentication successed";
+;
static int urandom_fd;
@@ -69,19 +69,6 @@ struct chap_response_t
char name[0];
} __attribute__((packed));
-struct chap_failure_t
-{
- struct chap_hdr_t hdr;
- char message[sizeof(MSG_FAILURE)];
-} __attribute__((packed));
-
-struct chap_success_t
-{
- struct chap_hdr_t hdr;
- char message[sizeof(MSG_SUCCESS)];
-} __attribute__((packed));
-
-
struct chap_auth_data_t
{
struct auth_data_t auth;
@@ -210,36 +197,38 @@ static int lcp_recv_conf_req(struct ppp_t *ppp, struct auth_data_t *d, uint8_t *
return LCP_OPT_NAK;
}
-static void chap_send_failure(struct chap_auth_data_t *ad)
+static void chap_send_failure(struct chap_auth_data_t *ad, char *mschap_error)
{
- struct chap_failure_t msg = {
- .hdr.proto = htons(PPP_CHAP),
- .hdr.code = CHAP_FAILURE,
- .hdr.id = ad->id,
- .hdr.len = htons(sizeof(msg)-1-2),
- .message = MSG_FAILURE,
- };
-
+ struct chap_hdr_t *hdr = _malloc(sizeof(*hdr) + strlen(mschap_error) + 1);
+ hdr->proto = htons(PPP_CHAP);
+ hdr->code = CHAP_FAILURE;
+ hdr->id = ad->id;
+ hdr->len = htons(HDR_LEN + strlen(mschap_error));
+ strcpy((char *)(hdr + 1), mschap_error);
+
if (conf_ppp_verbose)
- log_ppp_info2("send [MSCHAP-v1 Failure id=%x \"%s\"]\n", msg.hdr.id, MSG_FAILURE);
+ log_ppp_info2("send [MSCHAP-v1 Failure id=%x \"%s\"]\n", hdr->id, mschap_error);
+
+ ppp_chan_send(ad->ppp, hdr, ntohs(hdr->len) + 2);
- ppp_chan_send(ad->ppp,&msg,ntohs(msg.hdr.len)+2);
+ _free(hdr);
}
static void chap_send_success(struct chap_auth_data_t *ad)
{
- struct chap_success_t msg = {
- .hdr.proto = htons(PPP_CHAP),
- .hdr.code = CHAP_SUCCESS,
- .hdr.id = ad->id,
- .hdr.len = htons(sizeof(msg)-1-2),
- .message = MSG_SUCCESS,
- };
+ struct chap_hdr_t *hdr = _malloc(sizeof(*hdr) + strlen(conf_msg_success) + 1);
+ hdr->proto = htons(PPP_CHAP);
+ hdr->code = CHAP_SUCCESS;
+ hdr->id = ad->id;
+ hdr->len = htons(HDR_LEN + strlen(conf_msg_success));
+ strcpy((char *)(hdr + 1), conf_msg_success);
if (conf_ppp_verbose)
- log_ppp_info2("send [MSCHAP-v1 Success id=%x \"%s\"]\n", msg.hdr.id, MSG_SUCCESS);
+ log_ppp_info2("send [MSCHAP-v1 Success id=%x \"%s\"]\n", hdr->id, conf_msg_success);
- ppp_chan_send(ad->ppp, &msg, ntohs(msg.hdr.len) + 2);
+ ppp_chan_send(ad->ppp, hdr, ntohs(hdr->len) + 2);
+
+ _free(hdr);
}
static void chap_send_challenge(struct chap_auth_data_t *ad)
@@ -271,6 +260,7 @@ static void chap_recv_response(struct chap_auth_data_t *ad, struct chap_hdr_t *h
{
struct chap_response_t *msg = (struct chap_response_t*)hdr;
char *name;
+ char *mschap_error = conf_msg_failure;
int r;
if (ad->timeout.tpd)
@@ -313,7 +303,7 @@ static void chap_recv_response(struct chap_auth_data_t *ad, struct chap_hdr_t *h
if (conf_any_login) {
if (ppp_auth_successed(ad->ppp, name)) {
- chap_send_failure(ad);
+ chap_send_failure(ad, mschap_error);
ppp_terminate(ad->ppp, TERM_AUTH_ERROR, 0);
_free(name);
return;
@@ -323,13 +313,13 @@ static void chap_recv_response(struct chap_auth_data_t *ad, struct chap_hdr_t *h
return;
}
- r = pwdb_check(ad->ppp, name, PPP_CHAP, MSCHAP_V1, ad->id, ad->val, VALUE_SIZE, msg->lm_hash, msg->nt_hash, msg->flags);
+ r = pwdb_check(ad->ppp, name, PPP_CHAP, MSCHAP_V1, ad->id, ad->val, VALUE_SIZE, msg->lm_hash, msg->nt_hash, msg->flags, &mschap_error);
if (r == PWDB_NO_IMPL)
if (chap_check_response(ad, msg, name))
r = PWDB_DENIED;
if (r == PWDB_DENIED) {
- chap_send_failure(ad);
+ chap_send_failure(ad, mschap_error);
if (ad->started)
ppp_terminate(ad->ppp, TERM_AUTH_ERROR, 0);
else
@@ -338,7 +328,7 @@ static void chap_recv_response(struct chap_auth_data_t *ad, struct chap_hdr_t *h
} else {
if (!ad->started) {
if (ppp_auth_successed(ad->ppp, name)) {
- chap_send_failure(ad);
+ chap_send_failure(ad, mschap_error);
ppp_terminate(ad->ppp, TERM_AUTH_ERROR, 0);
_free(name);
} else {
@@ -396,7 +386,7 @@ static int chap_check_response(struct chap_auth_data_t *ad, struct chap_response
if (!passwd) {
if (conf_ppp_verbose)
log_ppp_warn("mschap-v1: user not found\n");
- chap_send_failure(ad);
+ chap_send_failure(ad, conf_msg_failure);
return PWDB_DENIED;
}
diff --git a/accel-pppd/auth/auth_mschap_v2.c b/accel-pppd/auth/auth_mschap_v2.c
index f7407e80..07489513 100644
--- a/accel-pppd/auth/auth_mschap_v2.c
+++ b/accel-pppd/auth/auth_mschap_v2.c
@@ -31,14 +31,14 @@
#define VALUE_SIZE 16
#define RESPONSE_VALUE_SIZE (16+8+24+1)
-#define MSG_FAILURE "E=691 R=0 C=cccccccccccccccccccccccccccccccc V=3 M=Authentication failure"
-#define MSG_SUCCESS "S=cccccccccccccccccccccccccccccccccccccccc M=Authentication successed"
-
#define HDR_LEN (sizeof(struct chap_hdr_t)-2)
static int conf_timeout = 5;
static int conf_interval = 0;
static int conf_max_failure = 3;
+static char *conf_msg_failure = "E=691 R=0 V=3";
+static char *conf_msg_failure2 = "Authentication failure";
+static char *conf_msg_success = "Authentication successed";
static int urandom_fd;
@@ -69,19 +69,6 @@ struct chap_response_t
char name[0];
} __attribute__((packed));
-struct chap_failure_t
-{
- struct chap_hdr_t hdr;
- char message[sizeof(MSG_FAILURE)];
-} __attribute__((packed));
-
-struct chap_success_t
-{
- struct chap_hdr_t hdr;
- char message[sizeof(MSG_SUCCESS)];
-} __attribute__((packed));
-
-
struct chap_auth_data_t
{
struct auth_data_t auth;
@@ -211,20 +198,40 @@ static int lcp_recv_conf_req(struct ppp_t *ppp, struct auth_data_t *d, uint8_t *
return LCP_OPT_NAK;
}
-static void chap_send_failure(struct chap_auth_data_t *ad)
+static void chap_send_failure(struct chap_auth_data_t *ad, char *mschap_error, char *reply_msg)
{
- struct chap_failure_t msg = {
- .hdr.proto = htons(PPP_CHAP),
- .hdr.code = CHAP_FAILURE,
- .hdr.id = ad->id,
- .hdr.len = htons(sizeof(msg) - 1 - 2),
- .message = MSG_FAILURE,
- };
+ struct chap_hdr_t *hdr = _malloc(sizeof(*hdr) + strlen(mschap_error) + strlen(reply_msg) + 4);
+ hdr->proto = htons(PPP_CHAP);
+ hdr->code = CHAP_FAILURE;
+ hdr->id = ad->id;
+ hdr->len = htons(HDR_LEN + strlen(mschap_error) + strlen(reply_msg) + 3);
+
+ sprintf((char *)(hdr + 1), "%s M=%s", mschap_error, reply_msg);
if (conf_ppp_verbose)
- log_ppp_info2("send [MSCHAP-v2 Failure id=%x \"%s\"]\n", msg.hdr.id, MSG_FAILURE);
+ log_ppp_info2("send [MSCHAP-v2 Failure id=%x \"%s\"]\n", hdr->id, hdr + 1);
- ppp_chan_send(ad->ppp, &msg, ntohs(msg.hdr.len) + 2);
+ ppp_chan_send(ad->ppp, hdr, ntohs(hdr->len) + 2);
+
+ _free(hdr);
+}
+
+static void chap_send_success(struct chap_auth_data_t *ad, struct chap_response_t *res_msg, const char *authenticator)
+{
+ struct chap_hdr_t *hdr = _malloc(sizeof(*hdr) + strlen(conf_msg_success) + 1 + 45);
+ hdr->proto = htons(PPP_CHAP),
+ hdr->code = CHAP_SUCCESS,
+ hdr->id = ad->id,
+ hdr->len = htons(HDR_LEN + strlen(conf_msg_success) + 45),
+
+ sprintf((char *)(hdr + 1), "S=%s M=%s", authenticator, conf_msg_success);
+
+ if (conf_ppp_verbose)
+ log_ppp_info2("send [MSCHAP-v2 Success id=%x \"%s\"]\n", hdr->id, hdr + 1);
+
+ ppp_chan_send(ad->ppp, hdr, ntohs(hdr->len) + 2);
+
+ _free(hdr);
}
static int generate_response(struct chap_auth_data_t *ad, struct chap_response_t *msg, const char *name, char *authenticator)
@@ -297,24 +304,6 @@ static int generate_response(struct chap_auth_data_t *ad, struct chap_response_t
return 0;
}
-static void chap_send_success(struct chap_auth_data_t *ad, struct chap_response_t *res_msg, const char *authenticator)
-{
- struct chap_success_t msg = {
- .hdr.proto = htons(PPP_CHAP),
- .hdr.code = CHAP_SUCCESS,
- .hdr.id = ad->id,
- .hdr.len = htons(sizeof(msg) - 1 - 2),
- .message = MSG_SUCCESS,
- };
-
- memcpy(msg.message + 2, authenticator, 40);
-
- if (conf_ppp_verbose)
- log_ppp_info2("send [MSCHAP-v2 Success id=%x \"%s\"]\n", msg.hdr.id, msg.message);
-
- ppp_chan_send(ad->ppp, &msg, ntohs(msg.hdr.len) + 2);
-}
-
static void chap_send_challenge(struct chap_auth_data_t *ad)
{
struct chap_challenge_t msg = {
@@ -346,6 +335,10 @@ static void chap_recv_response(struct chap_auth_data_t *ad, struct chap_hdr_t *h
char *name;
char authenticator[41];
int r;
+ char *mschap_error = conf_msg_failure;
+ char *reply_msg = conf_msg_failure2;
+
+ authenticator[40] = 0;
if (ad->timeout.tpd)
triton_timer_del(&ad->timeout);
@@ -368,7 +361,7 @@ static void chap_recv_response(struct chap_auth_data_t *ad, struct chap_hdr_t *h
if (msg->val_size != RESPONSE_VALUE_SIZE) {
log_ppp_error("mschap-v2: incorrect value-size (%i)\n", msg->val_size);
- chap_send_failure(ad);
+ chap_send_failure(ad, mschap_error, reply_msg);
if (ad->started)
ppp_terminate(ad->ppp, TERM_USER_ERROR, 0);
else
@@ -386,9 +379,9 @@ static void chap_recv_response(struct chap_auth_data_t *ad, struct chap_hdr_t *h
return;
}
- r = pwdb_check(ad->ppp, name, PPP_CHAP, MSCHAP_V2, ad->id, ad->val, msg->peer_challenge, msg->reserved, msg->nt_hash, msg->flags, authenticator);
+ r = pwdb_check(ad->ppp, name, PPP_CHAP, MSCHAP_V2, ad->id, ad->val, msg->peer_challenge, msg->reserved, msg->nt_hash, msg->flags, authenticator, &mschap_error, &reply_msg);
- if (r == PWDB_NO_IMPL) {
+ if (r == PWDB_NO_IMPL) {
r = chap_check_response(ad, msg, name);
if (r)
r = PWDB_DENIED;
@@ -397,7 +390,7 @@ static void chap_recv_response(struct chap_auth_data_t *ad, struct chap_hdr_t *h
}
if (r == PWDB_DENIED) {
- chap_send_failure(ad);
+ chap_send_failure(ad, mschap_error, reply_msg);
if (ad->started)
ppp_terminate(ad->ppp, TERM_AUTH_ERROR, 0);
else
@@ -406,7 +399,7 @@ static void chap_recv_response(struct chap_auth_data_t *ad, struct chap_hdr_t *h
} else {
if (!ad->started) {
if (ppp_auth_successed(ad->ppp, name)) {
- chap_send_failure(ad);
+ chap_send_failure(ad, mschap_error, reply_msg);
ppp_terminate(ad->ppp, TERM_AUTH_ERROR, 0);
_free(name);
} else {
@@ -466,38 +459,37 @@ static int chap_check_response(struct chap_auth_data_t *ad, struct chap_response
if (!passwd) {
if (conf_ppp_verbose)
log_ppp_warn("mschap-v2: user not found\n");
- chap_send_failure(ad);
+ chap_send_failure(ad, conf_msg_failure, conf_msg_failure2);
return -1;
}
- u_passwd=_malloc(strlen(passwd)*2);
- for(i=0; i<strlen(passwd); i++)
- {
+ u_passwd = _malloc(strlen(passwd) * 2);
+ for (i = 0; i < strlen(passwd); i++) {
u_passwd[i*2]=passwd[i];
u_passwd[i*2+1]=0;
}
SHA1_Init(&sha_ctx);
- SHA1_Update(&sha_ctx,msg->peer_challenge,16);
- SHA1_Update(&sha_ctx,ad->val,16);
- SHA1_Update(&sha_ctx,name,strlen(name));
- SHA1_Final(c_hash,&sha_ctx);
+ SHA1_Update(&sha_ctx, msg->peer_challenge, 16);
+ SHA1_Update(&sha_ctx, ad->val, 16);
+ SHA1_Update(&sha_ctx, name, strlen(name));
+ SHA1_Final(c_hash, &sha_ctx);
- memset(z_hash,0,sizeof(z_hash));
+ memset(z_hash, 0, sizeof(z_hash));
MD4_Init(&md4_ctx);
- MD4_Update(&md4_ctx,u_passwd,strlen(passwd)*2);
- MD4_Final(z_hash,&md4_ctx);
+ MD4_Update(&md4_ctx, u_passwd, strlen(passwd) * 2);
+ MD4_Final(z_hash, &md4_ctx);
- des_encrypt(c_hash,z_hash,nt_hash);
- des_encrypt(c_hash,z_hash+7,nt_hash+8);
- des_encrypt(c_hash,z_hash+14,nt_hash+16);
+ des_encrypt(c_hash, z_hash, nt_hash);
+ des_encrypt(c_hash, z_hash + 7, nt_hash + 8);
+ des_encrypt(c_hash, z_hash + 14, nt_hash + 16);
set_mppe_keys(ad, z_hash, msg->nt_hash);
_free(passwd);
_free(u_passwd);
- return memcmp(nt_hash,msg->nt_hash,24);
+ return memcmp(nt_hash, msg->nt_hash, 24);
}
static void set_mppe_keys(struct chap_auth_data_t *ad, uint8_t *z_hash, uint8_t *nt_hash)
diff --git a/accel-pppd/radius/auth.c b/accel-pppd/radius/auth.c
index 99e6e16d..a37da0b6 100644
--- a/accel-pppd/radius/auth.c
+++ b/accel-pppd/radius/auth.c
@@ -350,6 +350,7 @@ int rad_auth_mschap_v1(struct radius_pd_t *rpd, const char *username, va_list ar
{
int r = PWDB_DENIED;
uint8_t response[50];
+ struct rad_attr_t *ra;
int id = va_arg(args, int);
const uint8_t *challenge = va_arg(args, const uint8_t *);
@@ -357,6 +358,7 @@ int rad_auth_mschap_v1(struct radius_pd_t *rpd, const char *username, va_list ar
const uint8_t *lm_response = va_arg(args, const uint8_t *);
const uint8_t *nt_response = va_arg(args, const uint8_t *);
int flags = va_arg(args, int);
+ char **mschap_error = va_arg(args, char **);
response[0] = id;
response[1] = flags;
@@ -398,6 +400,7 @@ int rad_auth_mschap_v1(struct radius_pd_t *rpd, const char *username, va_list ar
if (rad_packet_add_str(rpd->auth_req->pack, NULL, "Acct-Session-Id", rpd->ppp->sessionid))
goto out;
+
r = rad_auth_send(rpd->auth_req);
if (r == PWDB_SUCCESS) {
struct ev_radius_t ev = {
@@ -408,6 +411,10 @@ int rad_auth_mschap_v1(struct radius_pd_t *rpd, const char *username, va_list ar
triton_event_fire(EV_RADIUS_ACCESS_ACCEPT, &ev);
setup_mppe(rpd->auth_req, challenge);
rpd->auth_req->pack->id++;
+ } else if (rpd->auth_req->reply) {
+ ra = rad_packet_find_attr(rpd->auth_req->reply, "Microsoft", "MS-CHAP-Error");
+ if (ra)
+ *mschap_error = ra->val.string;
}
return r;
@@ -431,6 +438,8 @@ int rad_auth_mschap_v2(struct radius_pd_t *rpd, const char *username, va_list ar
const uint8_t *response = va_arg(args, const uint8_t *);
int flags = va_arg(args, int);
uint8_t *authenticator = va_arg(args, uint8_t *);
+ char **mschap_error = va_arg(args, char **);
+ char **reply_msg = va_arg(args, char **);
mschap_response[0] = id;
mschap_response[1] = flags;
@@ -491,8 +500,17 @@ int rad_auth_mschap_v2(struct radius_pd_t *rpd, const char *username, va_list ar
triton_event_fire(EV_RADIUS_ACCESS_ACCEPT, &ev);
setup_mppe(rpd->auth_req, NULL);
rpd->auth_req->pack->id++;
+ } else if (rpd->auth_req->reply) {
+ ra = rad_packet_find_attr(rpd->auth_req->reply, "Microsoft", "MS-CHAP-Error");
+ if (ra)
+ *mschap_error = ra->val.string;
+ ra = rad_packet_find_attr(rpd->auth_req->reply, NULL, "Reply-Message");
+ if (ra)
+ *reply_msg = ra->val.string;
}
+
+
return r;
out:
rad_req_free(rpd->auth_req);