o Send a CHAP challenge of 16 random digits when RADIUS is

configured. This isn't strictly necessary according to the rfc, but it's suggested there.... o Don't forget to include our authname when sending a CHAP challenge when RADIUS is configured. o Don't supply the ``16'' representing the chap answer length to radius_Authenticate() - libradius does this for us. o When we successfully authenticate via radius_Authenticate(), continue with datalink_AuthOk() as expected. Sponsored by: Internet Business Solutions Ltd., Switzerland
1999-01-29 22:46:31 +00:00 · 1999-01-29 22:46:31 +00:00 · 18976a511d
commit 18976a511d
parent 27d8a9a30f
2 changed files with 45 additions and 41 deletions
--- a/usr.sbin/ppp/chap.c
+++ b/usr.sbin/ppp/chap.c
@ -17,7 +17,7 @@
 * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
 * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
 *
- * $Id: chap.c,v 1.37 1998/08/26 18:07:56 brian Exp $
+ * $Id: chap.c,v 1.38 1999/01/28 01:56:31 brian Exp $
 *
 *	TODO:
 */
@ -105,24 +105,24 @@ chap_SendChallenge(struct authinfo *auth, int chapid, struct physical *physical)
  randinit();
  cp = chap->challenge_data;
 #ifndef NORADIUS
  if (*physical->dl->bundle->radius.cfg.file) {
    /* For radius, our challenge is 16 readable NUL terminated bytes :*/
    *cp++ = chap->challenge_len = 16;
    for (i = 0; i < chap->challenge_len; i++)
-      *cp++ = (random() & (0x7f - 0x20)) + 0x20;
+      *cp++ = (random() % 10) + '0';
-    *cp = '\0';
+  } else
  } else {
 #endif
  {
    *cp++ = chap->challenge_len = random() % (CHAPCHALLENGELEN-16) + 16;
    for (i = 0; i < chap->challenge_len; i++)
      *cp++ = random() & 0xff;
    len = strlen(physical->dl->bundle->cfg.auth.name);
    memcpy(cp, physical->dl->bundle->cfg.auth.name, len);
    cp += len;
 #ifndef NORADIUS
  }
-#endif
+
  len = strlen(physical->dl->bundle->cfg.auth.name);
  memcpy(cp, physical->dl->bundle->cfg.auth.name, len);
  cp += len;
  ChapOutput(physical, CHAP_CHALLENGE, chapid, chap->challenge_data,
 	     cp - chap->challenge_data, NULL);
 }
@ -131,8 +131,7 @@ static void
 RecvChapTalk(struct bundle *bundle, struct fsmheader *chp, struct mbuf *bp,
             struct physical *physical)
 {
-  int valsize, len;
+  int valsize, len, arglen, keylen, namelen, success;
  int arglen, keylen, namelen;
  char *cp, *argp, *ap, *name, *digest;
  char *keyp;
  MD5_CTX MD5context;		/* context for MD5 */
@ -229,20 +228,23 @@ RecvChapTalk(struct bundle *bundle, struct fsmheader *chp, struct mbuf *bp,
    /*
     * Get a secret key corresponds to the peer
     */
    success = 0;
 #ifndef NORADIUS
    if (*bundle->radius.cfg.file) {
-      char chapname[AUTHLEN];
+      char chapname[AUTHLEN], chal[17];
      if (namelen > AUTHLEN - 1)
        namelen = AUTHLEN - 1;
      strncpy(chapname, name, namelen);
      chapname[namelen] = '\0';
-      strncpy(answer, cp-1, 17);
+      *answer = chp->id;
      strncpy(answer+1, cp, 16);
      answer[17] = '\0';
      strncpy(chal, physical->dl->chap.challenge_data + 1, 16);
      chal[16] = '\0';
-      if (radius_Authenticate(&bundle->radius, bundle, chapname, answer,
+      if (radius_Authenticate(&bundle->radius, bundle, chapname, answer, chal))
-                              physical->dl->chap.challenge_data + 1))
+        success = 1;		/* And there was much rejoicing ! */
        break;		/* And there was much rejoicing ! */
    } else
 #endif
@ -264,30 +266,31 @@ RecvChapTalk(struct bundle *bundle, struct fsmheader *chp, struct mbuf *bp,
      /*
       * Compare with the response
       */
-      if (memcmp(cp, cdigest, 16) == 0) {
+      if (memcmp(cp, cdigest, 16) == 0)
-        datalink_GotAuthname(physical->dl, name, namelen);
+        success = 1;
 	ChapOutput(physical, CHAP_SUCCESS, chp->id, "Welcome!!", 10, NULL);
 	physical->link.lcp.auth_ineed = 0;
        if (Enabled(bundle, OPT_UTMP))
          physical_Login(physical, name);
        if (physical->link.lcp.auth_iwait == 0)
          /*
           * Either I didn't need to authenticate, or I've already been
           * told that I got the answer right.
           */
          datalink_AuthOk(physical->dl);
 	break;
      }
    }
-    /*
+    if (success) {
-     * Peer is not registerd, or response digest is wrong.
+      datalink_GotAuthname(physical->dl, name, namelen);
-     */
+      ChapOutput(physical, CHAP_SUCCESS, chp->id, "Welcome!!", 10, NULL);
-    ChapOutput(physical, CHAP_FAILURE, chp->id, "Invalid!!", 9, NULL);
+      physical->link.lcp.auth_ineed = 0;
-    datalink_AuthNotOk(physical->dl);
+      if (Enabled(bundle, OPT_UTMP))
-    break;
+        physical_Login(physical, name);
      if (physical->link.lcp.auth_iwait == 0)
        /*
         * Either I didn't need to authenticate, or I've already been
         * told that I got the answer right.
         */
        datalink_AuthOk(physical->dl);
    } else {
      /*
       * Peer is not registerd, or response digest is wrong.
       */
      ChapOutput(physical, CHAP_FAILURE, chp->id, "Invalid!!", 9, NULL);
      datalink_AuthNotOk(physical->dl);
      break;
    }
  }
 }
--- a/usr.sbin/ppp/radius.c
+++ b/usr.sbin/ppp/radius.c
@ -23,7 +23,7 @@
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 *
- *	$Id:$
+ *	$Id: radius.c,v 1.1 1999/01/28 01:56:34 brian Exp $
 *
 */
@ -265,10 +265,11 @@ radius_Authenticate(struct radius *r, struct bundle *bundle, const char *name,
    return 0;
  }
  rad_close(h);
  r->valid = 1;
  log_Printf(LogPHASE, "radius: SUCCESS\n");
-  rad_close(h);
+  return 1;
  return r->valid = 1;
 }
 void