diff options
author | Kozlov Dmitry <dima@server> | 2010-09-13 11:59:21 +0400 |
---|---|---|
committer | Kozlov Dmitry <dima@server> | 2010-09-13 11:59:21 +0400 |
commit | a670641cc3c420bfd9026d3711501663aef88287 (patch) | |
tree | b2754ce3e83978759dd6ccfc7fbc1d0d0e1d96b7 /accel-pptpd/auth | |
parent | 5ef0b9025a019aeb8502cd687d17a1e0b7aa0ca4 (diff) | |
download | accel-ppp-a670641cc3c420bfd9026d3711501663aef88287.tar.gz accel-ppp-a670641cc3c420bfd9026d3711501663aef88287.zip |
radius: implemnted mschap-v2 authorization
Diffstat (limited to 'accel-pptpd/auth')
-rw-r--r-- | accel-pptpd/auth/auth_mschap_v1.c | 6 | ||||
-rw-r--r-- | accel-pptpd/auth/auth_mschap_v2.c | 54 |
2 files changed, 33 insertions, 27 deletions
diff --git a/accel-pptpd/auth/auth_mschap_v1.c b/accel-pptpd/auth/auth_mschap_v1.c index bf7c2120..bc54ed46 100644 --- a/accel-pptpd/auth/auth_mschap_v1.c +++ b/accel-pptpd/auth/auth_mschap_v1.c @@ -235,6 +235,12 @@ static void chap_recv_response(struct chap_auth_data_t *ad, struct chap_hdr_t *h } name = strndup(msg->name,ntohs(msg->hdr.len)-sizeof(*msg)+2); + if (!name) { + log_emerg("mschap-v2: out of memory\n"); + auth_failed(ad->ppp); + return; + } + r = pwdb_check(ad->ppp, name, PPP_CHAP, MSCHAP_V1, ad->id, ad->val, VALUE_SIZE, msg->lm_hash, msg->nt_hash, msg->flags); if (r == PWDB_NO_IMPL) r = chap_check_response(ad, msg, name); diff --git a/accel-pptpd/auth/auth_mschap_v2.c b/accel-pptpd/auth/auth_mschap_v2.c index 6bd2c658..798f6eed 100644 --- a/accel-pptpd/auth/auth_mschap_v2.c +++ b/accel-pptpd/auth/auth_mschap_v2.c @@ -18,6 +18,8 @@ #include "ppp_lcp.h" #include "pwdb.h" +#define MSCHAP_V2 0x81 + #define CHAP_CHALLENGE 1 #define CHAP_RESPONSE 2 #define CHAP_SUCCESS 3 @@ -95,7 +97,7 @@ struct chap_auth_data_t static void chap_send_challenge(struct chap_auth_data_t *ad); static void chap_recv(struct ppp_handler_t *h); -static int chap_check_response(struct chap_auth_data_t *ad, struct chap_response_t *res, char *name); +static int chap_check_response(struct chap_auth_data_t *ad, struct chap_response_t *msg, const char *name); static void print_buf(const uint8_t *buf,int size) { @@ -155,13 +157,13 @@ static int chap_finish(struct ppp_t *ppp, struct auth_data_t *auth) static int lcp_send_conf_req(struct ppp_t *ppp, struct auth_data_t *d, uint8_t *ptr) { - *ptr=0x81; + *ptr = MSCHAP_V2; return 1; } static int lcp_recv_conf_req(struct ppp_t *ppp, struct auth_data_t *d, uint8_t *ptr) { - if (*ptr==0x81) + if (*ptr == MSCHAP_V2) return LCP_OPT_ACK; return LCP_OPT_NAK; } @@ -182,24 +184,20 @@ static void chap_send_failure(struct chap_auth_data_t *ad) ppp_chan_send(ad->ppp,&msg,ntohs(msg.hdr.len)+2); } -static int generate_response(struct chap_auth_data_t *ad, struct chap_response_t *msg, uint8_t *response) +static int generate_response(struct chap_auth_data_t *ad, struct chap_response_t *msg, const char *name, char *authenticator) { MD4_CTX md4_ctx; SHA_CTX sha_ctx; char *passwd; char *u_passwd; - char *name; uint8_t pw_hash[MD4_DIGEST_LENGTH]; uint8_t c_hash[SHA_DIGEST_LENGTH]; + uint8_t response[SHA_DIGEST_LENGTH]; int i; - name = strndup(msg->name,ntohs(msg->hdr.len)-sizeof(*msg)+2); passwd = pwdb_get_passwd(ad->ppp,name); if (!passwd) - { - free(name); return -1; - } u_passwd=malloc(strlen(passwd)*2); for(i=0; i<strlen(passwd); i++) @@ -234,14 +232,16 @@ static int generate_response(struct chap_auth_data_t *ad, struct chap_response_t SHA1_Update(&sha_ctx,magic2,41); SHA1_Final(response,&sha_ctx); - free(name); + for(i=0; i<20; i++) + sprintf(authenticator+i*2,"%02X",response[i]); + free(passwd); free(u_passwd); return 0; } -static void chap_send_success(struct chap_auth_data_t *ad, struct chap_response_t *res_msg) +static void chap_send_success(struct chap_auth_data_t *ad, struct chap_response_t *res_msg, const char *authenticator) { struct chap_success_t msg= { @@ -251,15 +251,9 @@ static void chap_send_success(struct chap_auth_data_t *ad, struct chap_response_ .hdr.len=htons(sizeof(msg)-1-2), .message=MSG_SUCCESS, }; - uint8_t response[20]; - int i; - if (generate_response(ad,res_msg,response)) - return; - for(i=0; i<20; i++) - sprintf(msg.message+2+i*2,"%02X",response[i]); - msg.message[2+i*2]=' '; - + memcpy(msg.message + 2, authenticator, 40); + log_ppp_debug("send [MSCHAP-v2 Success id=%x \"%s\"]\n",msg.hdr.id,msg.message); ppp_chan_send(ad->ppp,&msg,ntohs(msg.hdr.len)+2); @@ -290,6 +284,8 @@ static void chap_recv_response(struct chap_auth_data_t *ad, struct chap_hdr_t *h { struct chap_response_t *msg=(struct chap_response_t*)hdr; char *name; + char authenticator[40]; + int r; log_ppp_debug("recv [MSCHAP-v2 Response id=%x <", msg->hdr.id); print_buf(msg->peer_challenge,16); @@ -319,15 +315,21 @@ static void chap_recv_response(struct chap_auth_data_t *ad, struct chap_hdr_t *h auth_failed(ad->ppp); return; } + + r = pwdb_check(ad->ppp, name, PPP_CHAP, MSCHAP_V2, ad->id, ad->val, msg->peer_challenge, msg->reserved, msg->nt_hash, msg->flags, authenticator); - if (chap_check_response(ad, msg, name)) - { + if (r == PWDB_NO_IMPL) { + r = chap_check_response(ad, msg, name); + if (generate_response(ad, msg, name, authenticator)) + r = PWDB_DENIED; + } + + if (r == PWDB_DENIED) { chap_send_failure(ad); auth_failed(ad->ppp); free(name); - }else - { - chap_send_success(ad,msg); + } else { + chap_send_success(ad, msg, authenticator); auth_successed(ad->ppp, name); } } @@ -361,7 +363,7 @@ static void des_encrypt(const uint8_t *input, const uint8_t *key, uint8_t *outpu memcpy(output,res,8); } -static int chap_check_response(struct chap_auth_data_t *ad, struct chap_response_t *msg, char *name) +static int chap_check_response(struct chap_auth_data_t *ad, struct chap_response_t *msg, const char *name) { MD4_CTX md4_ctx; SHA_CTX sha_ctx; @@ -375,7 +377,6 @@ static int chap_check_response(struct chap_auth_data_t *ad, struct chap_response passwd=pwdb_get_passwd(ad->ppp,name); if (!passwd) { - free(name); log_ppp_debug("mschap-v2: user not found\n"); chap_send_failure(ad); return -1; @@ -403,7 +404,6 @@ static int chap_check_response(struct chap_auth_data_t *ad, struct chap_response des_encrypt(c_hash,z_hash+7,nt_hash+8); des_encrypt(c_hash,z_hash+14,nt_hash+16); - free(name); free(passwd); free(u_passwd); |