diff options
| author | Rene Mayrhofer <rene@mayrhofer.eu.org> | 2010-05-25 19:01:36 +0000 |
|---|---|---|
| committer | Rene Mayrhofer <rene@mayrhofer.eu.org> | 2010-05-25 19:01:36 +0000 |
| commit | 1ac70afcc1f7d6d2738a34308810719b0976d29f (patch) | |
| tree | 805f6ce2a15d1a717781d7cbceac8408a74b6b0c /src/libcharon/plugins/eap_mschapv2 | |
| parent | ed7d79f96177044949744da10f4431c1d6242241 (diff) | |
| download | vyos-strongswan-1ac70afcc1f7d6d2738a34308810719b0976d29f.tar.gz vyos-strongswan-1ac70afcc1f7d6d2738a34308810719b0976d29f.zip | |
[svn-upgrade] Integrating new upstream version, strongswan (4.4.0)
Diffstat (limited to 'src/libcharon/plugins/eap_mschapv2')
| -rw-r--r-- | src/libcharon/plugins/eap_mschapv2/Makefile.am | 17 | ||||
| -rw-r--r-- | src/libcharon/plugins/eap_mschapv2/Makefile.in | 590 | ||||
| -rw-r--r-- | src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c | 1250 | ||||
| -rw-r--r-- | src/libcharon/plugins/eap_mschapv2/eap_mschapv2.h | 57 | ||||
| -rw-r--r-- | src/libcharon/plugins/eap_mschapv2/eap_mschapv2_plugin.c | 50 | ||||
| -rw-r--r-- | src/libcharon/plugins/eap_mschapv2/eap_mschapv2_plugin.h | 42 |
6 files changed, 2006 insertions, 0 deletions
diff --git a/src/libcharon/plugins/eap_mschapv2/Makefile.am b/src/libcharon/plugins/eap_mschapv2/Makefile.am new file mode 100644 index 000000000..b9555b3c1 --- /dev/null +++ b/src/libcharon/plugins/eap_mschapv2/Makefile.am @@ -0,0 +1,17 @@ + +INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \ + -I$(top_srcdir)/src/libcharon + +AM_CFLAGS = -rdynamic + +if MONOLITHIC +noinst_LTLIBRARIES = libstrongswan-eap-mschapv2.la +else +plugin_LTLIBRARIES = libstrongswan-eap-mschapv2.la +endif + +libstrongswan_eap_mschapv2_la_SOURCES = \ + eap_mschapv2_plugin.h eap_mschapv2_plugin.c \ + eap_mschapv2.h eap_mschapv2.c + +libstrongswan_eap_mschapv2_la_LDFLAGS = -module -avoid-version diff --git a/src/libcharon/plugins/eap_mschapv2/Makefile.in b/src/libcharon/plugins/eap_mschapv2/Makefile.in new file mode 100644 index 000000000..2f6c65df4 --- /dev/null +++ b/src/libcharon/plugins/eap_mschapv2/Makefile.in @@ -0,0 +1,590 @@ +# Makefile.in generated by automake 1.11 from Makefile.am. +# @configure_input@ + +# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, +# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation, +# Inc. +# This Makefile.in is free software; the Free Software Foundation +# gives unlimited permission to copy and/or distribute it, +# with or without modifications, as long as this notice is preserved. + +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY, to the extent permitted by law; without +# even the implied warranty of MERCHANTABILITY or FITNESS FOR A +# PARTICULAR PURPOSE. + +@SET_MAKE@ + +VPATH = @srcdir@ +pkgdatadir = $(datadir)/@PACKAGE@ +pkgincludedir = $(includedir)/@PACKAGE@ +pkglibdir = $(libdir)/@PACKAGE@ +pkglibexecdir = $(libexecdir)/@PACKAGE@ +am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd +install_sh_DATA = $(install_sh) -c -m 644 +install_sh_PROGRAM = $(install_sh) -c +install_sh_SCRIPT = $(install_sh) -c +INSTALL_HEADER = $(INSTALL_DATA) +transform = $(program_transform_name) +NORMAL_INSTALL = : +PRE_INSTALL = : +POST_INSTALL = : +NORMAL_UNINSTALL = : +PRE_UNINSTALL = : +POST_UNINSTALL = : +build_triplet = @build@ +host_triplet = @host@ +subdir = src/libcharon/plugins/eap_mschapv2 +DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in +ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 +am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ + $(top_srcdir)/m4/config/ltoptions.m4 \ + $(top_srcdir)/m4/config/ltsugar.m4 \ + $(top_srcdir)/m4/config/ltversion.m4 \ + $(top_srcdir)/m4/config/lt~obsolete.m4 \ + $(top_srcdir)/m4/macros/with.m4 \ + $(top_srcdir)/m4/macros/enable-disable.m4 \ + $(top_srcdir)/configure.in +am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ + $(ACLOCAL_M4) +mkinstalldirs = $(install_sh) -d +CONFIG_CLEAN_FILES = +CONFIG_CLEAN_VPATH_FILES = +am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; +am__vpath_adj = case $$p in \ + $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \ + *) f=$$p;; \ + esac; +am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`; +am__install_max = 40 +am__nobase_strip_setup = \ + srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'` +am__nobase_strip = \ + for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||" +am__nobase_list = $(am__nobase_strip_setup); \ + for p in $$list; do echo "$$p $$p"; done | \ + sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \ + $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \ + if (++n[$$2] == $(am__install_max)) \ + { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \ + END { for (dir in files) print dir, files[dir] }' +am__base_list = \ + sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \ + sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g' +am__installdirs = "$(DESTDIR)$(plugindir)" +LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES) +libstrongswan_eap_mschapv2_la_LIBADD = +am_libstrongswan_eap_mschapv2_la_OBJECTS = eap_mschapv2_plugin.lo \ + eap_mschapv2.lo +libstrongswan_eap_mschapv2_la_OBJECTS = \ + $(am_libstrongswan_eap_mschapv2_la_OBJECTS) +libstrongswan_eap_mschapv2_la_LINK = $(LIBTOOL) --tag=CC \ + $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \ + $(AM_CFLAGS) $(CFLAGS) \ + $(libstrongswan_eap_mschapv2_la_LDFLAGS) $(LDFLAGS) -o $@ +@MONOLITHIC_FALSE@am_libstrongswan_eap_mschapv2_la_rpath = -rpath \ +@MONOLITHIC_FALSE@ $(plugindir) +@MONOLITHIC_TRUE@am_libstrongswan_eap_mschapv2_la_rpath = +DEFAULT_INCLUDES = -I.@am__isrc@ +depcomp = $(SHELL) $(top_srcdir)/depcomp +am__depfiles_maybe = depfiles +am__mv = mv -f +COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ + $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ + --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \ + $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +CCLD = $(CC) +LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ + --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \ + $(LDFLAGS) -o $@ +SOURCES = $(libstrongswan_eap_mschapv2_la_SOURCES) +DIST_SOURCES = $(libstrongswan_eap_mschapv2_la_SOURCES) +ETAGS = etags +CTAGS = ctags +DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) +ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ +AMTAR = @AMTAR@ +AR = @AR@ +AUTOCONF = @AUTOCONF@ +AUTOHEADER = @AUTOHEADER@ +AUTOMAKE = @AUTOMAKE@ +AWK = @AWK@ +BTLIB = @BTLIB@ +CC = @CC@ +CCDEPMODE = @CCDEPMODE@ +CFLAGS = @CFLAGS@ +CPP = @CPP@ +CPPFLAGS = @CPPFLAGS@ +CYGPATH_W = @CYGPATH_W@ +DEFS = @DEFS@ +DEPDIR = @DEPDIR@ +DLLIB = @DLLIB@ +DSYMUTIL = @DSYMUTIL@ +DUMPBIN = @DUMPBIN@ +ECHO_C = @ECHO_C@ +ECHO_N = @ECHO_N@ +ECHO_T = @ECHO_T@ +EGREP = @EGREP@ +EXEEXT = @EXEEXT@ +FGREP = @FGREP@ +GPERF = @GPERF@ +GREP = @GREP@ +INSTALL = @INSTALL@ +INSTALL_DATA = @INSTALL_DATA@ +INSTALL_PROGRAM = @INSTALL_PROGRAM@ +INSTALL_SCRIPT = @INSTALL_SCRIPT@ +INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ +LD = @LD@ +LDFLAGS = @LDFLAGS@ +LEX = @LEX@ +LEXLIB = @LEXLIB@ +LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ +LIBOBJS = @LIBOBJS@ +LIBS = @LIBS@ +LIBTOOL = @LIBTOOL@ +LIPO = @LIPO@ +LN_S = @LN_S@ +LTLIBOBJS = @LTLIBOBJS@ +MAKEINFO = @MAKEINFO@ +MKDIR_P = @MKDIR_P@ +MYSQLCFLAG = @MYSQLCFLAG@ +MYSQLCONFIG = @MYSQLCONFIG@ +MYSQLLIB = @MYSQLLIB@ +NM = @NM@ +NMEDIT = @NMEDIT@ +OBJDUMP = @OBJDUMP@ +OBJEXT = @OBJEXT@ +OTOOL = @OTOOL@ +OTOOL64 = @OTOOL64@ +PACKAGE = @PACKAGE@ +PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ +PACKAGE_NAME = @PACKAGE_NAME@ +PACKAGE_STRING = @PACKAGE_STRING@ +PACKAGE_TARNAME = @PACKAGE_TARNAME@ +PACKAGE_URL = @PACKAGE_URL@ +PACKAGE_VERSION = @PACKAGE_VERSION@ +PATH_SEPARATOR = @PATH_SEPARATOR@ +PERL = @PERL@ +PKG_CONFIG = @PKG_CONFIG@ +PTHREADLIB = @PTHREADLIB@ +RANLIB = @RANLIB@ +RTLIB = @RTLIB@ +RUBY = @RUBY@ +RUBYINCLUDE = @RUBYINCLUDE@ +SED = @SED@ +SET_MAKE = @SET_MAKE@ +SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ +STRIP = @STRIP@ +VERSION = @VERSION@ +YACC = @YACC@ +YFLAGS = @YFLAGS@ +abs_builddir = @abs_builddir@ +abs_srcdir = @abs_srcdir@ +abs_top_builddir = @abs_top_builddir@ +abs_top_srcdir = @abs_top_srcdir@ +ac_ct_CC = @ac_ct_CC@ +ac_ct_DUMPBIN = @ac_ct_DUMPBIN@ +am__include = @am__include@ +am__leading_dot = @am__leading_dot@ +am__quote = @am__quote@ +am__tar = @am__tar@ +am__untar = @am__untar@ +bindir = @bindir@ +build = @build@ +build_alias = @build_alias@ +build_cpu = @build_cpu@ +build_os = @build_os@ +build_vendor = @build_vendor@ +builddir = @builddir@ +datadir = @datadir@ +datarootdir = @datarootdir@ +default_pkcs11 = @default_pkcs11@ +docdir = @docdir@ +dvidir = @dvidir@ +exec_prefix = @exec_prefix@ +gtk_CFLAGS = @gtk_CFLAGS@ +gtk_LIBS = @gtk_LIBS@ +host = @host@ +host_alias = @host_alias@ +host_cpu = @host_cpu@ +host_os = @host_os@ +host_vendor = @host_vendor@ +htmldir = @htmldir@ +includedir = @includedir@ +infodir = @infodir@ +install_sh = @install_sh@ +ipsecdir = @ipsecdir@ +ipsecgid = @ipsecgid@ +ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ +ipsecuser = @ipsecuser@ +libdir = @libdir@ +libexecdir = @libexecdir@ +libhydra_plugins = @libhydra_plugins@ +libstrongswan_plugins = @libstrongswan_plugins@ +linux_headers = @linux_headers@ +localedir = @localedir@ +localstatedir = @localstatedir@ +lt_ECHO = @lt_ECHO@ +mandir = @mandir@ +mkdir_p = @mkdir_p@ +nm_CFLAGS = @nm_CFLAGS@ +nm_LIBS = @nm_LIBS@ +nm_ca_dir = @nm_ca_dir@ +oldincludedir = @oldincludedir@ +pdfdir = @pdfdir@ +piddir = @piddir@ +plugindir = @plugindir@ +pluto_plugins = @pluto_plugins@ +prefix = @prefix@ +program_transform_name = @program_transform_name@ +psdir = @psdir@ +random_device = @random_device@ +resolv_conf = @resolv_conf@ +routing_table = @routing_table@ +routing_table_prio = @routing_table_prio@ +sbindir = @sbindir@ +sharedstatedir = @sharedstatedir@ +srcdir = @srcdir@ +strongswan_conf = @strongswan_conf@ +sysconfdir = @sysconfdir@ +target_alias = @target_alias@ +top_build_prefix = @top_build_prefix@ +top_builddir = @top_builddir@ +top_srcdir = @top_srcdir@ +urandom_device = @urandom_device@ +xml_CFLAGS = @xml_CFLAGS@ +xml_LIBS = @xml_LIBS@ +INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \ + -I$(top_srcdir)/src/libcharon + +AM_CFLAGS = -rdynamic +@MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-eap-mschapv2.la +@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-eap-mschapv2.la +libstrongswan_eap_mschapv2_la_SOURCES = \ + eap_mschapv2_plugin.h eap_mschapv2_plugin.c \ + eap_mschapv2.h eap_mschapv2.c + +libstrongswan_eap_mschapv2_la_LDFLAGS = -module -avoid-version +all: all-am + +.SUFFIXES: +.SUFFIXES: .c .lo .o .obj +$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) + @for dep in $?; do \ + case '$(am__configure_deps)' in \ + *$$dep*) \ + ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \ + && { if test -f $@; then exit 0; else break; fi; }; \ + exit 1;; \ + esac; \ + done; \ + echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/plugins/eap_mschapv2/Makefile'; \ + $(am__cd) $(top_srcdir) && \ + $(AUTOMAKE) --gnu src/libcharon/plugins/eap_mschapv2/Makefile +.PRECIOUS: Makefile +Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status + @case '$?' in \ + *config.status*) \ + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ + *) \ + echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ + cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ + esac; + +$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh + +$(top_srcdir)/configure: $(am__configure_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(ACLOCAL_M4): $(am__aclocal_m4_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(am__aclocal_m4_deps): + +clean-noinstLTLIBRARIES: + -test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES) + @list='$(noinst_LTLIBRARIES)'; for p in $$list; do \ + dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \ + test "$$dir" != "$$p" || dir=.; \ + echo "rm -f \"$${dir}/so_locations\""; \ + rm -f "$${dir}/so_locations"; \ + done +install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES) + @$(NORMAL_INSTALL) + test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)" + @list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \ + list2=; for p in $$list; do \ + if test -f $$p; then \ + list2="$$list2 $$p"; \ + else :; fi; \ + done; \ + test -z "$$list2" || { \ + echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \ + $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \ + } + +uninstall-pluginLTLIBRARIES: + @$(NORMAL_UNINSTALL) + @list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \ + for p in $$list; do \ + $(am__strip_dir) \ + echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \ + $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \ + done + +clean-pluginLTLIBRARIES: + -test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES) + @list='$(plugin_LTLIBRARIES)'; for p in $$list; do \ + dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \ + test "$$dir" != "$$p" || dir=.; \ + echo "rm -f \"$${dir}/so_locations\""; \ + rm -f "$${dir}/so_locations"; \ + done +libstrongswan-eap-mschapv2.la: $(libstrongswan_eap_mschapv2_la_OBJECTS) $(libstrongswan_eap_mschapv2_la_DEPENDENCIES) + $(libstrongswan_eap_mschapv2_la_LINK) $(am_libstrongswan_eap_mschapv2_la_rpath) $(libstrongswan_eap_mschapv2_la_OBJECTS) $(libstrongswan_eap_mschapv2_la_LIBADD) $(LIBS) + +mostlyclean-compile: + -rm -f *.$(OBJEXT) + +distclean-compile: + -rm -f *.tab.c + +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/eap_mschapv2.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/eap_mschapv2_plugin.Plo@am__quote@ + +.c.o: +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(COMPILE) -c $< + +.c.obj: +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'` +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(COMPILE) -c `$(CYGPATH_W) '$<'` + +.c.lo: +@am__fastdepCC_TRUE@ $(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(LTCOMPILE) -c -o $@ $< + +mostlyclean-libtool: + -rm -f *.lo + +clean-libtool: + -rm -rf .libs _libs + +ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ + mkid -fID $$unique +tags: TAGS + +TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ + $(TAGS_FILES) $(LISP) + set x; \ + here=`pwd`; \ + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ + shift; \ + if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \ + test -n "$$unique" || unique=$$empty_fix; \ + if test $$# -gt 0; then \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + "$$@" $$unique; \ + else \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + $$unique; \ + fi; \ + fi +ctags: CTAGS +CTAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ + $(TAGS_FILES) $(LISP) + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ + test -z "$(CTAGS_ARGS)$$unique" \ + || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ + $$unique + +GTAGS: + here=`$(am__cd) $(top_builddir) && pwd` \ + && $(am__cd) $(top_srcdir) \ + && gtags -i $(GTAGS_ARGS) "$$here" + +distclean-tags: + -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags + +distdir: $(DISTFILES) + @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + list='$(DISTFILES)'; \ + dist_files=`for file in $$list; do echo $$file; done | \ + sed -e "s|^$$srcdirstrip/||;t" \ + -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \ + case $$dist_files in \ + */*) $(MKDIR_P) `echo "$$dist_files" | \ + sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \ + sort -u` ;; \ + esac; \ + for file in $$dist_files; do \ + if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ + if test -d $$d/$$file; then \ + dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ + if test -d "$(distdir)/$$file"; then \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ + fi; \ + if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ + cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ + fi; \ + cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \ + else \ + test -f "$(distdir)/$$file" \ + || cp -p $$d/$$file "$(distdir)/$$file" \ + || exit 1; \ + fi; \ + done +check-am: all-am +check: check-am +all-am: Makefile $(LTLIBRARIES) +installdirs: + for dir in "$(DESTDIR)$(plugindir)"; do \ + test -z "$$dir" || $(MKDIR_P) "$$dir"; \ + done +install: install-am +install-exec: install-exec-am +install-data: install-data-am +uninstall: uninstall-am + +install-am: all-am + @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am + +installcheck: installcheck-am +install-strip: + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + `test -z '$(STRIP)' || \ + echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install +mostlyclean-generic: + +clean-generic: + +distclean-generic: + -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) + -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES) + +maintainer-clean-generic: + @echo "This command is intended for maintainers to use" + @echo "it deletes files that may require special tools to rebuild." +clean: clean-am + +clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \ + clean-pluginLTLIBRARIES mostlyclean-am + +distclean: distclean-am + -rm -rf ./$(DEPDIR) + -rm -f Makefile +distclean-am: clean-am distclean-compile distclean-generic \ + distclean-tags + +dvi: dvi-am + +dvi-am: + +html: html-am + +html-am: + +info: info-am + +info-am: + +install-data-am: install-pluginLTLIBRARIES + +install-dvi: install-dvi-am + +install-dvi-am: + +install-exec-am: + +install-html: install-html-am + +install-html-am: + +install-info: install-info-am + +install-info-am: + +install-man: + +install-pdf: install-pdf-am + +install-pdf-am: + +install-ps: install-ps-am + +install-ps-am: + +installcheck-am: + +maintainer-clean: maintainer-clean-am + -rm -rf ./$(DEPDIR) + -rm -f Makefile +maintainer-clean-am: distclean-am maintainer-clean-generic + +mostlyclean: mostlyclean-am + +mostlyclean-am: mostlyclean-compile mostlyclean-generic \ + mostlyclean-libtool + +pdf: pdf-am + +pdf-am: + +ps: ps-am + +ps-am: + +uninstall-am: uninstall-pluginLTLIBRARIES + +.MAKE: install-am install-strip + +.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \ + clean-libtool clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES \ + ctags distclean distclean-compile distclean-generic \ + distclean-libtool distclean-tags distdir dvi dvi-am html \ + html-am info info-am install install-am install-data \ + install-data-am install-dvi install-dvi-am install-exec \ + install-exec-am install-html install-html-am install-info \ + install-info-am install-man install-pdf install-pdf-am \ + install-pluginLTLIBRARIES install-ps install-ps-am \ + install-strip installcheck installcheck-am installdirs \ + maintainer-clean maintainer-clean-generic mostlyclean \ + mostlyclean-compile mostlyclean-generic mostlyclean-libtool \ + pdf pdf-am ps ps-am tags uninstall uninstall-am \ + uninstall-pluginLTLIBRARIES + + +# Tell versions [3.59,3.63) of GNU make to not export all variables. +# Otherwise a system limit (for SysV at least) may be exceeded. +.NOEXPORT: diff --git a/src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c b/src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c new file mode 100644 index 000000000..c1ccf72eb --- /dev/null +++ b/src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c @@ -0,0 +1,1250 @@ +/* + * Copyright (C) 2009 Tobias Brunner + * Copyright (C) 2010 Martin Willi + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "eap_mschapv2.h" + +#include <ctype.h> +#include <unistd.h> + +#include <daemon.h> +#include <library.h> +#include <utils/enumerator.h> +#include <crypto/crypters/crypter.h> +#include <crypto/hashers/hasher.h> + +typedef struct private_eap_mschapv2_t private_eap_mschapv2_t; + +/** + * Private data of an eap_mschapv2_t object. + */ +struct private_eap_mschapv2_t +{ + /** + * Public authenticator_t interface. + */ + eap_mschapv2_t public; + + /** + * ID of the server + */ + identification_t *server; + + /** + * ID of the peer + */ + identification_t *peer; + + /** + * challenge sent by the server + */ + chunk_t challenge; + + /** + * generated NT-Response + */ + chunk_t nt_response; + + /** + * generated Authenticator Response + */ + chunk_t auth_response; + + /** + * generated MSK + */ + chunk_t msk; + + /** + * EAP message identifier + */ + u_int8_t identifier; + + /** + * MS-CHAPv2-ID (session ID, increases with each retry) + */ + u_int8_t mschapv2id; + + /** + * Number of retries + */ + int retries; +}; + +/** + * OpCodes + */ +enum mschapv2_opcode_t +{ + MSCHAPV2_CHALLENGE = 1, + MSCHAPV2_RESPONSE = 2, + MSCHAPV2_SUCCESS = 3, + MSCHAPV2_FAILURE = 4, + MSCHAPV2_CHANGE_PASSWORD = 7, +}; + +/** + * Names for OpCodes + */ +ENUM_BEGIN(mschapv2_opcode_names, MSCHAPV2_CHALLENGE, MSCHAPV2_FAILURE, + "CHALLENGE", + "RESPONSE", + "SUCCESS", + "FAILURE"); +ENUM_NEXT(mschapv2_opcode_names, MSCHAPV2_CHANGE_PASSWORD, MSCHAPV2_CHANGE_PASSWORD, MSCHAPV2_FAILURE, + "CHANGE_PASSWORD"); +ENUM_END(mschapv2_opcode_names, MSCHAPV2_CHANGE_PASSWORD); + +/** + * Error codes + */ +enum mschapv2_error_t +{ + ERROR_RESTRICTED_LOGON_HOURS = 646, + ERROR_ACCT_DISABLED = 647, + ERROR_PASSWD_EXPIRED = 648, + ERROR_NO_DIALIN_PERMISSION = 649, + ERROR_AUTHENTICATION_FAILURE = 691, + ERROR_CHANGING_PASSWORD = 709, +}; + +/** + * Names for error codes + */ +ENUM_BEGIN(mschapv2_error_names, ERROR_RESTRICTED_LOGON_HOURS, ERROR_NO_DIALIN_PERMISSION, + "ERROR_RESTRICTED_LOGON_HOURS", + "ERROR_ACCT_DISABLED", + "ERROR_PASSWD_EXPIRED", + "ERROR_NO_DIALIN_PERMISSION"); +ENUM_NEXT(mschapv2_error_names, ERROR_AUTHENTICATION_FAILURE, ERROR_AUTHENTICATION_FAILURE, ERROR_NO_DIALIN_PERMISSION, + "ERROR_AUTHENTICATION_FAILURE"); +ENUM_NEXT(mschapv2_error_names, ERROR_CHANGING_PASSWORD, ERROR_CHANGING_PASSWORD, ERROR_AUTHENTICATION_FAILURE, + "ERROR_CHANGING_PASSWORD"); +ENUM_END(mschapv2_error_names, ERROR_CHANGING_PASSWORD); + +/* Length of the challenge */ +#define CHALLENGE_LEN 16 +/* Length of the response (see eap_mschapv2_response_t) */ +#define RESPONSE_LEN 49 +/* Length of the authenticator response string ("S=<...>") */ +#define AUTH_RESPONSE_LEN 42 +/* Name we send as authenticator */ +#define MSCHAPV2_HOST_NAME "strongSwan" +/* Message sent on success */ +#define SUCCESS_MESSAGE " M=Welcome2strongSwan" +/* Message sent on failure */ +#define FAILURE_MESSAGE "E=691 R=1 C=" +/* Length of the complete failure message */ +#define FAILURE_MESSAGE_LEN (sizeof(FAILURE_MESSAGE) + CHALLENGE_LEN * 2) + +/* Number of seconds to delay retries */ +#define RETRY_DELAY 2 +/* Maximum number of retries */ +#define MAX_RETRIES 2 + +typedef struct eap_mschapv2_header_t eap_mschapv2_header_t; +typedef struct eap_mschapv2_challenge_t eap_mschapv2_challenge_t; +typedef struct eap_mschapv2_response_t eap_mschapv2_response_t; + +/** + * packed EAP-MS-CHAPv2 header struct + */ +struct eap_mschapv2_header_t +{ + /** EAP code (REQUEST/RESPONSE) */ + u_int8_t code; + /** unique message identifier */ + u_int8_t identifier; + /** length of whole message */ + u_int16_t length; + /** EAP type */ + u_int8_t type; + /** MS-CHAPv2 OpCode */ + u_int8_t opcode; + /** MS-CHAPv2-ID (equals identifier) */ + u_int8_t ms_chapv2_id; + /** MS-Length (defined as length - 5) */ + u_int16_t ms_length; + /** packet data (determined by OpCode) */ + u_int8_t data[]; +}__attribute__((__packed__)); + +/** + * packed data for a MS-CHAPv2 Challenge packet + */ +struct eap_mschapv2_challenge_t +{ + /** Value-Size */ + u_int8_t value_size; + /** Challenge */ + u_int8_t challenge[CHALLENGE_LEN]; + /** Name */ + u_int8_t name[]; +}__attribute__((__packed__)); + +/** + * packed data for a MS-CHAPv2 Response packet + */ +struct eap_mschapv2_response_t +{ + /** Value-Size */ + u_int8_t value_size; + /** Response */ + struct + { + /* Peer-Challenge*/ + u_int8_t peer_challenge[CHALLENGE_LEN]; + /* Reserved (=zero) */ + u_int8_t peer_reserved[8]; + /* NT-Response */ + u_int8_t nt_response[24]; + /* Flags (=zero) */ + u_int8_t flags; + } response; + /** Name */ + u_int8_t name[]; +}__attribute__((__packed__)); + +/** + * Length of the MS-CHAPv2 header + */ +#define HEADER_LEN (sizeof(eap_mschapv2_header_t)) + +/** + * Length of the header for MS-CHAPv2 success/failure packets (does not include + * MS-CHAPv2-ID and MS-Length, i.e. 3 octets) + */ +#define SHORT_HEADER_LEN (HEADER_LEN - 3) + +/** + * The minimum length of an MS-CHAPv2 Challenge packet (the name MUST be + * at least one octet) + */ +#define CHALLENGE_PAYLOAD_LEN (HEADER_LEN + sizeof(eap_mschapv2_challenge_t)) + +/** + * The minimum length of an MS-CHAPv2 Response packet + */ +#define RESPONSE_PAYLOAD_LEN (HEADER_LEN + sizeof(eap_mschapv2_response_t)) + + +/** + * Expand a 56-bit key to a 64-bit DES key by adding parity bits (odd parity) + */ +static chunk_t ExpandDESKey(chunk_t key) +{ + static const u_char bitmask[] = { 0xfe, 0xfc, 0xf8, 0xf0, 0xe0, 0xc0, 0x80 }; + int i; + u_char carry = 0; + chunk_t expanded; + + /* expand the 7 octets to 8 octets */ + expanded = chunk_alloc(8); + for (i = 0; i < 7; i++) + { + expanded.ptr[i] = ((key.ptr[i] & bitmask[i]) >> i) | (carry << (8 - i)); + carry = key.ptr[i] & ~bitmask[i]; + } + expanded.ptr[7] = carry << 1; + + /* add parity bits to each octet */ + for (i = 0; i < 8; i++) + { + u_char val = expanded.ptr[i]; + val = (val ^ (val >> 4)) & 0x0f; + expanded.ptr[i] |= (0x9669 >> val) & 1; + } + return expanded; +} + +/** + * Calculate the NT password hash (i.e. hash the (unicode) password with MD4) + */ +static status_t NtPasswordHash(chunk_t password, chunk_t *password_hash) +{ + hasher_t *hasher; + hasher = lib->crypto->create_hasher(lib->crypto, HASH_MD4); + if (hasher == NULL) + { + DBG1(DBG_IKE, "EAP-MS-CHAPv2 failed, no MD4 hasher available"); + return FAILED; + } + hasher->allocate_hash(hasher, password, password_hash); + hasher->destroy(hasher); + return SUCCESS; +} + +/** + * Calculate the challenge hash (i.e. hash [peer_challenge | server_challenge | + * username (without domain part)] with SHA1) + */ +static status_t ChallengeHash(chunk_t peer_challenge, chunk_t server_challenge, + chunk_t username, chunk_t *challenge_hash) +{ + chunk_t concat; + hasher_t *hasher; + hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1); + if (hasher == NULL) + { + DBG1(DBG_IKE, "EAP-MS-CHAPv2 failed, SHA1 not supported"); + return FAILED; + } + concat = chunk_cata("ccc", peer_challenge, server_challenge, username); + hasher->allocate_hash(hasher, concat, challenge_hash); + hasher->destroy(hasher); + /* we need only the first 8 octets */ + challenge_hash->len = 8; + return SUCCESS; +} + +/** + * Calculate the challenge response (i.e. expand password_hash to three DES keys + * and then encrypt the 8-octet challenge_hash with these keys and concatenate + * the results). + */ +static status_t ChallengeResponse(chunk_t challenge_hash, chunk_t password_hash, + chunk_t *response) +{ + int i; + crypter_t *crypter; + chunk_t keys[3], z_password_hash; + crypter = lib->crypto->create_crypter(lib->crypto, ENCR_DES_ECB, 8); + if (crypter == NULL) + { + DBG1(DBG_IKE, "EAP-MS-CHAPv2 failed, DES-ECB not supported"); + return FAILED; + } + /* prepare keys: first pad password_hash to 21 octets, these get then split + * into 7-octet chunks, which then get expanded into 8-octet DES keys */ + z_password_hash = chunk_alloca(21); + memset(z_password_hash.ptr, 0, z_password_hash.len); + memcpy(z_password_hash.ptr, password_hash.ptr, password_hash.len); + chunk_split(z_password_hash, "mmm", 7, &keys[0], 7, &keys[1], 7, &keys[2]); + + *response = chunk_alloc(24); + for (i = 0; i < 3; i++) + { + chunk_t expanded, encrypted; + expanded = ExpandDESKey(keys[i]); + crypter->set_key(crypter, expanded); + crypter->encrypt(crypter, challenge_hash, chunk_empty, &encrypted); + memcpy(&response->ptr[i * 8], encrypted.ptr, encrypted.len); + chunk_clear(&encrypted); + chunk_clear(&expanded); + } + crypter->destroy(crypter); + return SUCCESS; +} + +/** + * Computes the authenticator response + */ +static status_t AuthenticatorResponse(chunk_t password_hash_hash, + chunk_t challenge_hash, chunk_t nt_response, chunk_t *response) +{ + chunk_t magic1 = chunk_from_chars( + 0x4D, 0x61, 0x67, 0x69, 0x63, 0x20, 0x73, 0x65, 0x72, 0x76, + 0x65, 0x72, 0x20, 0x74, 0x6F, 0x20, 0x63, 0x6C, 0x69, 0x65, + 0x6E, 0x74, 0x20, 0x73, 0x69, 0x67, 0x6E, 0x69, 0x6E, 0x67, + 0x20, 0x63, 0x6F, 0x6E, 0x73, 0x74, 0x61, 0x6E, 0x74); + chunk_t magic2 = chunk_from_chars( + 0x50, 0x61, 0x64, 0x20, 0x74, 0x6F, 0x20, 0x6D, 0x61, 0x6B, + 0x65, 0x20, 0x69, 0x74, 0x20, 0x64, 0x6F, 0x20, 0x6D, 0x6F, + 0x72, 0x65, 0x20, 0x74, 0x68, 0x61, 0x6E, 0x20, 0x6F, 0x6E, + 0x65, 0x20, 0x69, 0x74, 0x65, 0x72, 0x61, 0x74, 0x69, 0x6F, + 0x6E); + chunk_t digest = chunk_empty, concat; + hasher_t *hasher; + + hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1); + if (hasher == NULL) + { + DBG1(DBG_IKE, "EAP-MS-CHAPv2 failed, SHA1 not supported"); + return FAILED; + } + + concat = chunk_cata("ccc", password_hash_hash, nt_response, magic1); + hasher->allocate_hash(hasher, concat, &digest); + concat = chunk_cata("ccc", digest, challenge_hash, magic2); + hasher->allocate_hash(hasher, concat, response); + + hasher->destroy(hasher); + chunk_free(&digest); + return SUCCESS; +} + +/** + * Generate the master session key according to RFC3079 + */ +static status_t GenerateMSK(chunk_t password_hash_hash, + chunk_t nt_response, chunk_t *msk) +{ + chunk_t magic1 = chunk_from_chars( + 0x54, 0x68, 0x69, 0x73, 0x20, 0x69, 0x73, 0x20, 0x74, + 0x68, 0x65, 0x20, 0x4d, 0x50, 0x50, 0x45, 0x20, 0x4d, + 0x61, 0x73, 0x74, 0x65, 0x72, 0x20, 0x4b, 0x65, 0x79); + chunk_t magic2 = chunk_from_chars( + 0x4f, 0x6e, 0x20, 0x74, 0x68, 0x65, 0x20, 0x63, 0x6c, 0x69, + 0x65, 0x6e, 0x74, 0x20, 0x73, 0x69, 0x64, 0x65, 0x2c, 0x20, + 0x74, 0x68, 0x69, 0x73, 0x20, 0x69, 0x73, 0x20, 0x74, 0x68, + 0x65, 0x20, 0x73, 0x65, 0x6e, 0x64, 0x20, 0x6b, 0x65, 0x79, + 0x3b, 0x20, 0x6f, 0x6e, 0x20, 0x74, 0x68, 0x65, 0x20, 0x73, + 0x65, 0x72, 0x76, 0x65, 0x72, 0x20, 0x73, 0x69, 0x64, 0x65, + 0x2c, 0x20, 0x69, 0x74, 0x20, 0x69, 0x73, 0x20, 0x74, 0x68, + 0x65, 0x20, 0x72, 0x65, 0x63, 0x65, 0x69, 0x76, 0x65, 0x20, + 0x6b, 0x65, 0x79, 0x2e); + chunk_t magic3 = chunk_from_chars( + 0x4f, 0x6e, 0x20, 0x74, 0x68, 0x65, 0x20, 0x63, 0x6c, 0x69, + 0x65, 0x6e, 0x74, 0x20, 0x73, 0x69, 0x64, 0x65, 0x2c, 0x20, + 0x74, 0x68, 0x69, 0x73, 0x20, 0x69, 0x73, 0x20, 0x74, 0x68, + 0x65, 0x20, 0x72, 0x65, 0x63, 0x65, 0x69, 0x76, 0x65, 0x20, + 0x6b, 0x65, 0x79, 0x3b, 0x20, 0x6f, 0x6e, 0x20, 0x74, 0x68, + 0x65, 0x20, 0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0x20, 0x73, + 0x69, 0x64, 0x65, 0x2c, 0x20, 0x69, 0x74, 0x20, 0x69, 0x73, + 0x20, 0x74, 0x68, 0x65, 0x20, 0x73, 0x65, 0x6e, 0x64, 0x20, + 0x6b, 0x65, 0x79, 0x2e); + chunk_t shapad1 = chunk_from_chars( + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00); + chunk_t shapad2 = chunk_from_chars( + 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, + 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, + 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, + 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2); + chunk_t keypad = chunk_from_chars( + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00); + chunk_t concat, master_key, master_receive_key, master_send_key; + hasher_t *hasher; + + hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1); + if (hasher == NULL) + { + DBG1(DBG_IKE, "EAP-MS-CHAPv2 failed, SHA1 not supported"); + return FAILED; + } + + concat = chunk_cata("ccc", password_hash_hash, nt_response, magic1); + hasher->allocate_hash(hasher, concat, &master_key); + master_key.len = 16; + + concat = chunk_cata("cccc", master_key, shapad1, magic2, shapad2); + hasher->allocate_hash(hasher, concat, &master_receive_key); + master_receive_key.len = 16; + + concat = chunk_cata("cccc", master_key, shapad1, magic3, shapad2); + hasher->allocate_hash(hasher, concat, &master_send_key); + master_send_key.len = 16; + + *msk = chunk_cat("cccc", master_receive_key, master_send_key, keypad, keypad); + + hasher->destroy(hasher); + chunk_free(&master_key); + chunk_free(&master_receive_key); + chunk_free(&master_send_key); + return SUCCESS; +} + +static status_t GenerateStuff(private_eap_mschapv2_t *this, + chunk_t server_challenge, chunk_t peer_challenge, + chunk_t username, chunk_t nt_hash) +{ + status_t status = FAILED; + chunk_t nt_hash_hash = chunk_empty, challenge_hash = chunk_empty; + + if (NtPasswordHash(nt_hash, &nt_hash_hash) != SUCCESS) + { + goto error; + } + if (ChallengeHash(peer_challenge, server_challenge, username, + &challenge_hash) != SUCCESS) + { + goto error; + } + if (ChallengeResponse(challenge_hash, nt_hash, + &this->nt_response) != SUCCESS) + { + goto error; + } + if (AuthenticatorResponse(nt_hash_hash, challenge_hash, + this->nt_response, &this->auth_response) != SUCCESS) + { + goto error; + } + if (GenerateMSK(nt_hash_hash, this->nt_response, &this->msk) != SUCCESS) + { + goto error; + } + + status = SUCCESS; + +error: + chunk_free(&nt_hash_hash); + chunk_free(&challenge_hash); + return status; +} + +/** + * Converts an ASCII string into a UTF-16 (little-endian) string + */ +static chunk_t ascii_to_unicode(chunk_t ascii) +{ + int i; + chunk_t unicode = chunk_alloc(ascii.len * 2); + for (i = 0; i < ascii.len; i++) + { + unicode.ptr[i * 2] = ascii.ptr[i]; + unicode.ptr[i * 2 + 1] = 0; + } + return unicode; +} + +/** + * sanitize a string for printing + */ +static char* sanitize(char *str) +{ + char *pos = str; + + while (pos && *pos) + { + if (!isprint(*pos)) + { + *pos = '?'; + } + pos++; + } + return str; +} + +/** + * Returns a chunk of just the username part of the given user identity. + * Note: the chunk points to internal data of the identification. + */ +static chunk_t extract_username(identification_t* identification) +{ + char *has_domain; + chunk_t id; + id = identification->get_encoding(identification); + has_domain = (char*)memchr(id.ptr, '\\', id.len); + if (has_domain) + { + int len; + has_domain++; /* skip the backslash */ + len = id.len - ((u_char*)has_domain - id.ptr); + return len > 0 ? chunk_create(has_domain, len) : chunk_empty; + } + return id; +} + +/** + * Set the ms_length field using aligned write + */ +static void set_ms_length(eap_mschapv2_header_t *eap, u_int16_t len) +{ + len = htons(len - 5); + memcpy(&eap->ms_length, &len, sizeof(u_int16_t)); +} + +/** + * Implementation of eap_method_t.initiate for the peer + */ +static status_t initiate_peer(private_eap_mschapv2_t *this, eap_payload_t **out) +{ + /* peer never initiates */ + return FAILED; +} + +/** + * Implementation of eap_method_t.initiate for the server + */ +static status_t initiate_server(private_eap_mschapv2_t *this, eap_payload_t **out) +{ + rng_t *rng; + eap_mschapv2_header_t *eap; + eap_mschapv2_challenge_t *cha; + const char *name = MSCHAPV2_HOST_NAME; + u_int16_t len = CHALLENGE_PAYLOAD_LEN + sizeof(MSCHAPV2_HOST_NAME) - 1; + + rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK); + if (!rng) + { + DBG1(DBG_IKE, "EAP-MS-CHAPv2 failed, no RNG"); + return FAILED; + } + rng->allocate_bytes(rng, CHALLENGE_LEN, &this->challenge); + rng->destroy(rng); + + eap = alloca(len); + eap->code = EAP_REQUEST; + eap->identifier = this->identifier; + eap->length = htons(len); + eap->type = EAP_MSCHAPV2; + eap->opcode = MSCHAPV2_CHALLENGE; + eap->ms_chapv2_id = this->mschapv2id; + set_ms_length(eap, len); + + cha = (eap_mschapv2_challenge_t*)eap->data; + cha->value_size = CHALLENGE_LEN; + memcpy(cha->challenge, this->challenge.ptr, this->challenge.len); + memcpy(cha->name, name, sizeof(MSCHAPV2_HOST_NAME) - 1); + + *out = eap_payload_create_data(chunk_create((void*) eap, len)); + return NEED_MORE; +} + +static bool get_nt_hash(private_eap_mschapv2_t *this, identification_t *me, + identification_t *other, chunk_t *nt_hash) +{ + shared_key_t *shared; + chunk_t password; + + /* try to find a stored NT_HASH first */ + shared = charon->credentials->get_shared(charon->credentials, + SHARED_NT_HASH, me, other); + if (shared ) + { + *nt_hash = chunk_clone(shared->get_key(shared)); + shared->destroy(shared); + return TRUE; + } + + /* fallback to plaintext password */ + shared = charon->credentials->get_shared(charon->credentials, + SHARED_EAP, me, other); + if (shared) + { + password = ascii_to_unicode(shared->get_key(shared)); + shared->destroy(shared); + + if (NtPasswordHash(password, nt_hash) == SUCCESS) + { + chunk_clear(&password); + return TRUE; + } + chunk_clear(&password); + } + return FALSE; +} + +/** + * Process MS-CHAPv2 Challenge Requests + */ +static status_t process_peer_challenge(private_eap_mschapv2_t *this, + eap_payload_t *in, eap_payload_t **out) +{ + rng_t *rng; + eap_mschapv2_header_t *eap; + eap_mschapv2_challenge_t *cha; + eap_mschapv2_response_t *res; + chunk_t data, peer_challenge, username, nt_hash; + u_int16_t len = RESPONSE_PAYLOAD_LEN; + + data = in->get_data(in); + eap = (eap_mschapv2_header_t*)data.ptr; + + /* the name MUST be at least one octet long */ + if (data.len < CHALLENGE_PAYLOAD_LEN + 1) + { + DBG1(DBG_IKE, "received invalid EAP-MS-CHAPv2 message: too short"); + return FAILED; + } + + cha = (eap_mschapv2_challenge_t*)eap->data; + + if (cha->value_size != CHALLENGE_LEN) + { + DBG1(DBG_IKE, "received invalid EAP-MS-CHAPv2 message: " + "invalid challenge size"); + return FAILED; + } + + this->mschapv2id = eap->ms_chapv2_id; + this->challenge = chunk_clone(chunk_create(cha->challenge, CHALLENGE_LEN)); + + rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK); + if (!rng) + { + DBG1(DBG_IKE, "EAP-MS-CHAPv2 failed, no RNG"); + return FAILED; + } + peer_challenge = chunk_alloca(CHALLENGE_LEN); + rng->get_bytes(rng, CHALLENGE_LEN, peer_challenge.ptr); + rng->destroy(rng); + + if (!get_nt_hash(this, this->peer, this->server, &nt_hash)) + { + DBG1(DBG_IKE, "no EAP key found for hosts '%Y' - '%Y'", + this->server, this->peer); + return NOT_FOUND; + } + + username = extract_username(this->peer); + len += username.len; + + if (GenerateStuff(this, this->challenge, peer_challenge, + username, nt_hash) != SUCCESS) + { + DBG1(DBG_IKE, "EAP-MS-CHAPv2 generating NT-Response failed"); + chunk_clear(&nt_hash); + return FAILED; + } + chunk_clear(&nt_hash); + + eap = alloca(len); + eap->code = EAP_RESPONSE; + eap->identifier = this->identifier; + eap->length = htons(len); + eap->type = EAP_MSCHAPV2; + eap->opcode = MSCHAPV2_RESPONSE; + eap->ms_chapv2_id = this->mschapv2id; + set_ms_length(eap, len); + + res = (eap_mschapv2_response_t*)eap->data; + res->value_size = RESPONSE_LEN; + memset(&res->response, 0, RESPONSE_LEN); + memcpy(res->response.peer_challenge, peer_challenge.ptr, peer_challenge.len); + memcpy(res->response.nt_response, this->nt_response.ptr, this->nt_response.len); + + username = this->peer->get_encoding(this->peer); + memcpy(res->name, username.ptr, username.len); + + *out = eap_payload_create_data(chunk_create((void*) eap, len)); + return NEED_MORE; +} + +/** + * Process MS-CHAPv2 Success Requests + */ +static status_t process_peer_success(private_eap_mschapv2_t *this, + eap_payload_t *in, eap_payload_t **out) +{ + status_t status = FAILED; + enumerator_t *enumerator; + eap_mschapv2_header_t *eap; + chunk_t data, auth_string = chunk_empty; + char *message, *token, *msg = NULL; + int message_len; + u_int16_t len = SHORT_HEADER_LEN; + + data = in->get_data(in); + eap = (eap_mschapv2_header_t*)data.ptr; + + if (data.len < AUTH_RESPONSE_LEN) + { + DBG1(DBG_IKE, "received invalid EAP-MS-CHAPv2 message: too short"); + return FAILED; + } + + message_len = data.len - HEADER_LEN; + message = malloc(message_len + 1); + memcpy(message, eap->data, message_len); + message[message_len] = '\0'; + + /* S=<auth_string> M=<msg> */ + enumerator = enumerator_create_token(message, " ", " "); + while (enumerator->enumerate(enumerator, &token)) + { + if (strneq(token, "S=", 2)) + { + chunk_t hex; + token += 2; + if (strlen(token) != AUTH_RESPONSE_LEN - 2) + { + DBG1(DBG_IKE, "received invalid EAP-MS-CHAPv2 message: " + "invalid auth string"); + goto error; + } + hex = chunk_create(token, AUTH_RESPONSE_LEN - 2); + auth_string = chunk_from_hex(hex, NULL); + } + else if (strneq(token, "M=", 2)) + { + token += 2; + msg = strdup(token); + } + } + enumerator->destroy(enumerator); + + if (auth_string.ptr == NULL) + { + DBG1(DBG_IKE, "received invalid EAP-MS-CHAPv2 message: " + "auth string missing"); + goto error; + } + + if (!chunk_equals(this->auth_response, auth_string)) + { + DBG1(DBG_IKE, "EAP-MS-CHAPv2 verification failed"); + goto error; + } + + DBG1(DBG_IKE, "EAP-MS-CHAPv2 succeeded: '%s'", sanitize(msg)); + + eap = alloca(len); + eap->code = EAP_RESPONSE; + eap->identifier = this->identifier; + eap->length = htons(len); + eap->type = EAP_MSCHAPV2; + eap->opcode = MSCHAPV2_SUCCESS; + + *out = eap_payload_create_data(chunk_create((void*) eap, len)); + status = NEED_MORE; + +error: + chunk_free(&auth_string); + free(message); + free(msg); + return status; +} + +static status_t process_peer_failure(private_eap_mschapv2_t *this, + eap_payload_t *in, eap_payload_t **out) +{ + status_t status = FAILED; + enumerator_t *enumerator; + eap_mschapv2_header_t *eap; + chunk_t data; + char *message, *token, *msg = NULL; + int message_len, error, retryable; + chunk_t challenge = chunk_empty; + + data = in->get_data(in); + eap = (eap_mschapv2_header_t*)data.ptr; + + if (data.len < 3) /* we want at least an error code: E=e */ + { + DBG1(DBG_IKE, "received invalid EAP-MS-CHAPv2 message: too short"); + return FAILED; + } + + message_len = data.len - HEADER_LEN; + message = malloc(message_len + 1); + memcpy(message, eap->data, message_len); + message[message_len] = '\0'; + + /* E=eeeeeeeeee R=r C=cccccccccccccccccccccccccccccccc V=vvvvvvvvvv M=<msg> */ + enumerator = enumerator_create_token(message, " ", " "); + while (enumerator->enumerate(enumerator, &token)) + { + if (strneq(token, "E=", 2)) + { + token += 2; + error = atoi(token); + } + else if (strneq(token, "R=", 2)) + { + token += 2; + retryable = atoi(token); + } + else if (strneq(token, "C=", 2)) + { + chunk_t hex; + token += 2; + if (strlen(token) != 2 * CHALLENGE_LEN) + { + DBG1(DBG_IKE, "received invalid EAP-MS-CHAPv2 message:" + "invalid challenge"); + goto error; + } + hex = chunk_create(token, 2 * CHALLENGE_LEN); + challenge = chunk_from_hex(hex, NULL); + } + else if (strneq(token, "V=", 2)) + { + int version; + token += 2; + version = atoi(token); + } + else if (strneq(token, "M=", 2)) + { + token += 2; + msg = strdup(token); + } + } + enumerator->destroy(enumerator); + + DBG1(DBG_IKE, "EAP-MS-CHAPv2 failed with error %N: '%s'", + mschapv2_error_names, error, sanitize(msg)); + + /** + * at this point, if the error is retryable, we MAY retry the authentication + * or MAY send a Change Password packet. + * + * if the error is not retryable (or if we do neither of the above), we + * SHOULD send a Failure Response packet. + * windows clients don't do that, and since windows server 2008 r2 behaves + * pretty odd if we do send a Failure Response, we just don't send one + * either. windows 7 actually sends a delete notify (which, according to the + * logs, results in an error on windows server 2008 r2). + * + * btw, windows server 2008 r2 does not send non-retryable errors for e.g. + * a disabled account but returns the windows error code in a notify payload + * of type 12345. + */ + + status = FAILED; + +error: + chunk_free(&challenge); + free(message); + free(msg); + return status; +} + +/** + * Implementation of eap_method_t.process for the peer + */ +static status_t process_peer(private_eap_mschapv2_t *this, eap_payload_t *in, + eap_payload_t **out) +{ + chunk_t data; + eap_mschapv2_header_t *eap; + + this->identifier = in->get_identifier(in); + data = in->get_data(in); + if (data.len < SHORT_HEADER_LEN) + { + DBG1(DBG_IKE, "received invalid EAP-MS-CHAPv2 message"); + return FAILED; + } + + eap = (eap_mschapv2_header_t*)data.ptr; + + switch (eap->opcode) + { + case MSCHAPV2_CHALLENGE: + { + return process_peer_challenge(this, in, out); + } + case MSCHAPV2_SUCCESS: + { + return process_peer_success(this, in, out); + } + case MSCHAPV2_FAILURE: + { + return process_peer_failure(this, in, out); + } + default: + { + DBG1(DBG_IKE, "EAP-MS-CHAPv2 received packet with unsupported " + "OpCode (%N)!", mschapv2_opcode_names, eap->opcode); + break; + } + } + return FAILED; +} + +/** + * Handles retries on the server + */ +static status_t process_server_retry(private_eap_mschapv2_t *this, + eap_payload_t **out) +{ + eap_mschapv2_header_t *eap; + rng_t *rng; + chunk_t hex; + char msg[FAILURE_MESSAGE_LEN]; + u_int16_t len = HEADER_LEN + FAILURE_MESSAGE_LEN - 1; /* no null byte */ + + if (++this->retries > MAX_RETRIES) + { + /* we MAY send a Failure Request with R=0, but windows 7 does not + * really like that and does not respond with a Failure Response. + * so, to clean up our state we just fail with an EAP-Failure. + * this gives an unknown error on the windows side, but is also fine + * with the standard. */ + DBG1(DBG_IKE, "EAP-MS-CHAPv2 verification failed: " + "maximum number of retries reached"); + return FAILED; + } + + DBG1(DBG_IKE, "EAP-MS-CHAPv2 verification failed, retry (%d)", this->retries); + + rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK); + if (!rng) + { + DBG1(DBG_IKE, "EAP-MS-CHAPv2 failed, no RNG"); + return FAILED; + } + rng->get_bytes(rng, CHALLENGE_LEN, this->challenge.ptr); + rng->destroy(rng); + + chunk_free(&this->nt_response); + chunk_free(&this->auth_response); + chunk_free(&this->msk); + + eap = alloca(len); + eap->code = EAP_REQUEST; + eap->identifier = ++this->identifier; + eap->length = htons(len); + eap->type = EAP_MSCHAPV2; + eap->opcode = MSCHAPV2_FAILURE; + eap->ms_chapv2_id = this->mschapv2id++; /* increase for each retry */ + set_ms_length(eap, len); + + hex = chunk_to_hex(this->challenge, NULL, TRUE); + snprintf(msg, FAILURE_MESSAGE_LEN, "%s%s", FAILURE_MESSAGE, hex.ptr); + chunk_free(&hex); + memcpy(eap->data, msg, FAILURE_MESSAGE_LEN - 1); /* no null byte */ + *out = eap_payload_create_data(chunk_create((void*) eap, len)); + + /* delay the response for some time to make brute-force attacks harder */ + sleep(RETRY_DELAY); + + return NEED_MORE; +} + +/** + * Process MS-CHAPv2 Response response packets + */ +static status_t process_server_response(private_eap_mschapv2_t *this, + eap_payload_t *in, eap_payload_t **out) +{ + eap_mschapv2_header_t *eap; + eap_mschapv2_response_t *res; + chunk_t data, peer_challenge, username, nt_hash; + identification_t *userid; + int name_len; + char buf[256]; + + data = in->get_data(in); + eap = (eap_mschapv2_header_t*)data.ptr; + + if (data.len < RESPONSE_PAYLOAD_LEN) + { + DBG1(DBG_IKE, "received invalid EAP-MS-CHAPv2 message: too short"); + return FAILED; + } + + res = (eap_mschapv2_response_t*)eap->data; + peer_challenge = chunk_create(res->response.peer_challenge, CHALLENGE_LEN); + + name_len = min(data.len - RESPONSE_PAYLOAD_LEN, 255); + snprintf(buf, sizeof(buf), "%.*s", name_len, res->name); + userid = identification_create_from_string(buf); + DBG2(DBG_IKE, "EAP-MS-CHAPv2 username: '%Y'", userid); + username = extract_username(userid); + + if (!get_nt_hash(this, this->server, userid, &nt_hash)) + { + DBG1(DBG_IKE, "no EAP key found for hosts '%Y' - '%Y'", + this->server, userid); + /* FIXME: windows 7 always sends the username that is first entered in + * the username box, even, if the user changes it during retries (probably + * to keep consistent with the EAP-Identity). + * thus, we could actually fail here, because retries do not make much + * sense. on the other hand, an attacker could guess usernames, if the + * error messages were different. */ + userid->destroy(userid); + return process_server_retry(this, out); + } + + if (GenerateStuff(this, this->challenge, peer_challenge, + username, nt_hash) != SUCCESS) + { + DBG1(DBG_IKE, "EAP-MS-CHAPv2 verification failed"); + userid->destroy(userid); + chunk_clear(&nt_hash); + return FAILED; + } + userid->destroy(userid); + chunk_clear(&nt_hash); + + if (memeq(res->response.nt_response, this->nt_response.ptr, + this->nt_response.len)) + { + chunk_t hex; + char msg[AUTH_RESPONSE_LEN + sizeof(SUCCESS_MESSAGE)]; + u_int16_t len = HEADER_LEN + AUTH_RESPONSE_LEN + sizeof(SUCCESS_MESSAGE); + + eap = alloca(len); + eap->code = EAP_REQUEST; + eap->identifier = ++this->identifier; + eap->length = htons(len); + eap->type = EAP_MSCHAPV2; + eap->opcode = MSCHAPV2_SUCCESS; + eap->ms_chapv2_id = this->mschapv2id; + set_ms_length(eap, len); + + hex = chunk_to_hex(this->auth_response, NULL, TRUE); + snprintf(msg, AUTH_RESPONSE_LEN + sizeof(SUCCESS_MESSAGE), + "S=%s%s", hex.ptr, SUCCESS_MESSAGE); + chunk_free(&hex); + memcpy(eap->data, msg, AUTH_RESPONSE_LEN + sizeof(SUCCESS_MESSAGE)); + *out = eap_payload_create_data(chunk_create((void*) eap, len)); + return NEED_MORE; + } + + return process_server_retry(this, out); +} + +/** + * Implementation of eap_method_t.process for the server + */ +static status_t process_server(private_eap_mschapv2_t *this, eap_payload_t *in, + eap_payload_t **out) +{ + eap_mschapv2_header_t *eap; + chunk_t data; + + if (this->identifier != in->get_identifier(in)) + { + DBG1(DBG_IKE, "received invalid EAP-MS-CHAPv2 message: " + "unexpected identifier"); + return FAILED; + } + + data = in->get_data(in); + if (data.len < SHORT_HEADER_LEN) + { + DBG1(DBG_IKE, "received invalid EAP-MS-CHAPv2 message: too short"); + return FAILED; + } + + eap = (eap_mschapv2_header_t*)data.ptr; + + switch (eap->opcode) + { + case MSCHAPV2_RESPONSE: + { + return process_server_response(this, in, out); + } + case MSCHAPV2_SUCCESS: + { + return SUCCESS; + } + case MSCHAPV2_FAILURE: + { + return FAILED; + } + default: + { + DBG1(DBG_IKE, "EAP-MS-CHAPv2 received packet with unsupported " + "OpCode (%N)!", mschapv2_opcode_names, eap->opcode); + break; + } + } + return FAILED; +} + +/** + * Implementation of eap_method_t.get_type. + */ +static eap_type_t get_type(private_eap_mschapv2_t *this, u_int32_t *vendor) +{ + *vendor = 0; + return EAP_MSCHAPV2; +} + +/** + * Implementation of eap_method_t.get_msk. + */ +static status_t get_msk(private_eap_mschapv2_t *this, chunk_t *msk) +{ + if (this->msk.ptr) + { + *msk = this->msk; + return SUCCESS; + } + return FAILED; +} + +/** + * Implementation of eap_method_t.is_mutual. + */ +static bool is_mutual(private_eap_mschapv2_t *this) +{ + return FALSE; +} + +/** + * Implementation of eap_method_t.destroy. + */ +static void destroy(private_eap_mschapv2_t *this) +{ + this->peer->destroy(this->peer); + this->server->destroy(this->server); + chunk_free(&this->challenge); + chunk_free(&this->nt_response); + chunk_free(&this->auth_response); + chunk_free(&this->msk); + free(this); +} + +/** + * Generic constructor + */ +static private_eap_mschapv2_t *eap_mschapv2_create_generic(identification_t *server, identification_t *peer) +{ + private_eap_mschapv2_t *this = malloc_thing(private_eap_mschapv2_t); + + this->public.eap_method_interface.initiate = NULL; + this->public.eap_method_interface.process = NULL; + this->public.eap_method_interface.get_type = (eap_type_t(*)(eap_method_t*,u_int32_t*))get_type; + this->public.eap_method_interface.is_mutual = (bool(*)(eap_method_t*))is_mutual; + this->public.eap_method_interface.get_msk = (status_t(*)(eap_method_t*,chunk_t*))get_msk; + this->public.eap_method_interface.destroy = (void(*)(eap_method_t*))destroy; + + /* private data */ + this->peer = peer->clone(peer); + this->server = server->clone(server); + this->challenge = chunk_empty; + this->nt_response = chunk_empty; + this->auth_response = chunk_empty; + this->msk = chunk_empty; + this->identifier = 0; + this->mschapv2id = 0; + this->retries = 0; + + return this; +} + +/* + * see header + */ +eap_mschapv2_t *eap_mschapv2_create_server(identification_t *server, identification_t *peer) +{ + private_eap_mschapv2_t *this = eap_mschapv2_create_generic(server, peer); + + this->public.eap_method_interface.initiate = (status_t(*)(eap_method_t*,eap_payload_t**))initiate_server; + this->public.eap_method_interface.process = (status_t(*)(eap_method_t*,eap_payload_t*, eap_payload_t**))process_server; + + /* generate a non-zero identifier */ + do + { + this->identifier = random(); + } while (!this->identifier); + + this->mschapv2id = this->identifier; + + return &this->public; +} + +/* + * see header + */ +eap_mschapv2_t *eap_mschapv2_create_peer(identification_t *server, identification_t *peer) +{ + private_eap_mschapv2_t *this = eap_mschapv2_create_generic(server, peer); + + this->public.eap_method_interface.initiate = (status_t(*)(eap_method_t*,eap_payload_t**))initiate_peer; + this->public.eap_method_interface.process = (status_t(*)(eap_method_t*,eap_payload_t*, eap_payload_t**))process_peer; + + return &this->public; +} + diff --git a/src/libcharon/plugins/eap_mschapv2/eap_mschapv2.h b/src/libcharon/plugins/eap_mschapv2/eap_mschapv2.h new file mode 100644 index 000000000..34cc1141e --- /dev/null +++ b/src/libcharon/plugins/eap_mschapv2/eap_mschapv2.h @@ -0,0 +1,57 @@ +/* + * Copyright (C) 2009 Tobias Brunner + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup eap_mschapv2_i eap_mschapv2 + * @{ @ingroup eap_mschapv2 + */ + +#ifndef EAP_MSCHAPV2_H_ +#define EAP_MSCHAPV2_H_ + +typedef struct eap_mschapv2_t eap_mschapv2_t; + +#include <sa/authenticators/eap/eap_method.h> + +/** + * Implementation of the eap_method_t interface using EAP-MS-CHAPv2. + */ +struct eap_mschapv2_t { + + /** + * Implemented eap_method_t interface. + */ + eap_method_t eap_method_interface; +}; + +/** + * Creates the EAP method EAP-MS-CHAPv2 acting as server. + * + * @param server ID of the EAP server + * @param peer ID of the EAP client + * @return eap_mschapv2_t object + */ +eap_mschapv2_t *eap_mschapv2_create_server(identification_t *server, identification_t *peer); + +/** + * Creates the EAP method EAP-MS-CHAPv2 acting as peer. + * + * @param server ID of the EAP server + * @param peer ID of the EAP client + * @return eap_mschapv2_t object + */ +eap_mschapv2_t *eap_mschapv2_create_peer(identification_t *server, identification_t *peer); + +#endif /** EAP_MSCHAPV2_H_ @}*/ diff --git a/src/libcharon/plugins/eap_mschapv2/eap_mschapv2_plugin.c b/src/libcharon/plugins/eap_mschapv2/eap_mschapv2_plugin.c new file mode 100644 index 000000000..a7b41ddbf --- /dev/null +++ b/src/libcharon/plugins/eap_mschapv2/eap_mschapv2_plugin.c @@ -0,0 +1,50 @@ +/* + * Copyright (C) 2009 Tobias Brunner + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "eap_mschapv2_plugin.h" + +#include "eap_mschapv2.h" + +#include <daemon.h> + +/** + * Implementation of plugin_t.destroy + */ +static void destroy(eap_mschapv2_plugin_t *this) +{ + charon->eap->remove_method(charon->eap, + (eap_constructor_t)eap_mschapv2_create_server); + charon->eap->remove_method(charon->eap, + (eap_constructor_t)eap_mschapv2_create_peer); + free(this); +} + +/* + * see header file + */ +plugin_t *eap_mschapv2_plugin_create() +{ + eap_mschapv2_plugin_t *this = malloc_thing(eap_mschapv2_plugin_t); + + this->plugin.destroy = (void(*)(plugin_t*))destroy; + + charon->eap->add_method(charon->eap, EAP_MSCHAPV2, 0, EAP_SERVER, + (eap_constructor_t)eap_mschapv2_create_server); + charon->eap->add_method(charon->eap, EAP_MSCHAPV2, 0, EAP_PEER, + (eap_constructor_t)eap_mschapv2_create_peer); + + return &this->plugin; +} + diff --git a/src/libcharon/plugins/eap_mschapv2/eap_mschapv2_plugin.h b/src/libcharon/plugins/eap_mschapv2/eap_mschapv2_plugin.h new file mode 100644 index 000000000..f250a9d47 --- /dev/null +++ b/src/libcharon/plugins/eap_mschapv2/eap_mschapv2_plugin.h @@ -0,0 +1,42 @@ +/* + * Copyright (C) 2009 Tobias Brunner + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup eap_mschapv2 eap_mschapv2 + * @ingroup cplugins + * + * @defgroup eap_mschapv2_plugin eap_mschapv2_plugin + * @{ @ingroup eap_mschapv2 + */ + +#ifndef EAP_MSCHAPV2_PLUGIN_H_ +#define EAP_MSCHAPV2_PLUGIN_H_ + +#include <plugins/plugin.h> + +typedef struct eap_mschapv2_plugin_t eap_mschapv2_plugin_t; + +/** + * EAP-MS-CHAPv2 plugin + */ +struct eap_mschapv2_plugin_t { + + /** + * implements plugin interface + */ + plugin_t plugin; +}; + +#endif /** EAP_MSCHAPV2_PLUGIN_H_ @}*/ |