o Send a CHAP challenge of 16 random digits when RADIUS is

configured. This isn't strictly necessary according to the rfc, but it's suggested there.... o Don't forget to include our authname when sending a CHAP challenge when RADIUS is configured. o Don't supply the ``16'' representing the chap answer length to radius_Authenticate() - libradius does this for us. o When we successfully authenticate via radius_Authenticate(), continue with datalink_AuthOk() as expected. Sponsored by: Internet Business Solutions Ltd., Switzerland
svn path=/head/; revision=43401
1999-01-29 22:46:31 +00:00 · 1999-01-29 22:46:31 +00:00 · 82d6780c9e · 2020-12-20 02:59:44 +00:00
commit 82d6780c9e
parent d30ad2abf7
2 changed files with 45 additions and 41 deletions
--- a/usr.sbin/ppp/chap.c
+++ b/usr.sbin/ppp/chap.c
@ -17,7 +17,7 @@
 * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
 * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
 *
- * $Id: chap.c,v 1.37 1998/08/26 18:07:56 brian Exp $
+ * $Id: chap.c,v 1.38 1999/01/28 01:56:31 brian Exp $
 *
 *	TODO:
 */
@ -105,24 +105,24 @@ chap_SendChallenge(struct authinfo *auth, int chapid, struct physical *physical)

  randinit();
  cp = chap->challenge_data;
+
 #ifndef NORADIUS
  if (*physical->dl->bundle->radius.cfg.file) {
    /* For radius, our challenge is 16 readable NUL terminated bytes :*/
    *cp++ = chap->challenge_len = 16;
    for (i = 0; i < chap->challenge_len; i++)
-      *cp++ = (random() & (0x7f - 0x20)) + 0x20;
-    *cp = '\0';
-  } else {
+      *cp++ = (random() % 10) + '0';
+  } else
 #endif
+  {
    *cp++ = chap->challenge_len = random() % (CHAPCHALLENGELEN-16) + 16;
    for (i = 0; i < chap->challenge_len; i++)
      *cp++ = random() & 0xff;
-    len = strlen(physical->dl->bundle->cfg.auth.name);
-    memcpy(cp, physical->dl->bundle->cfg.auth.name, len);
-    cp += len;
-#ifndef NORADIUS
  }
-#endif
+
+  len = strlen(physical->dl->bundle->cfg.auth.name);
+  memcpy(cp, physical->dl->bundle->cfg.auth.name, len);
+  cp += len;
  ChapOutput(physical, CHAP_CHALLENGE, chapid, chap->challenge_data,
 	     cp - chap->challenge_data, NULL);
 }
@ -131,8 +131,7 @@ static void
 RecvChapTalk(struct bundle *bundle, struct fsmheader *chp, struct mbuf *bp,
             struct physical *physical)
 {
-  int valsize, len;
-  int arglen, keylen, namelen;
+  int valsize, len, arglen, keylen, namelen, success;
  char *cp, *argp, *ap, *name, *digest;
  char *keyp;
  MD5_CTX MD5context;		/* context for MD5 */
@ -229,20 +228,23 @@ RecvChapTalk(struct bundle *bundle, struct fsmheader *chp, struct mbuf *bp,
    /*
     * Get a secret key corresponds to the peer
     */
+    success = 0;
 #ifndef NORADIUS
    if (*bundle->radius.cfg.file) {
-      char chapname[AUTHLEN];
+      char chapname[AUTHLEN], chal[17];

      if (namelen > AUTHLEN - 1)
        namelen = AUTHLEN - 1;
      strncpy(chapname, name, namelen);
      chapname[namelen] = '\0';
-      strncpy(answer, cp-1, 17);
+      *answer = chp->id;
+      strncpy(answer+1, cp, 16);
      answer[17] = '\0';
+      strncpy(chal, physical->dl->chap.challenge_data + 1, 16);
+      chal[16] = '\0';

-      if (radius_Authenticate(&bundle->radius, bundle, chapname, answer,
-                              physical->dl->chap.challenge_data + 1))
-        break;		/* And there was much rejoicing ! */
+      if (radius_Authenticate(&bundle->radius, bundle, chapname, answer, chal))
+        success = 1;		/* And there was much rejoicing ! */

    } else
 #endif
@ -264,30 +266,31 @@ RecvChapTalk(struct bundle *bundle, struct fsmheader *chp, struct mbuf *bp,
      /*
       * Compare with the response
       */
-      if (memcmp(cp, cdigest, 16) == 0) {
-        datalink_GotAuthname(physical->dl, name, namelen);
-	ChapOutput(physical, CHAP_SUCCESS, chp->id, "Welcome!!", 10, NULL);
-	physical->link.lcp.auth_ineed = 0;
-        if (Enabled(bundle, OPT_UTMP))
-          physical_Login(physical, name);
-
-        if (physical->link.lcp.auth_iwait == 0)
-          /*
-           * Either I didn't need to authenticate, or I've already been
-           * told that I got the answer right.
-           */
-          datalink_AuthOk(physical->dl);
-
-	break;
-      }
+      if (memcmp(cp, cdigest, 16) == 0)
+        success = 1;
    }

-    /*
-     * Peer is not registerd, or response digest is wrong.
-     */
-    ChapOutput(physical, CHAP_FAILURE, chp->id, "Invalid!!", 9, NULL);
-    datalink_AuthNotOk(physical->dl);
-    break;
+    if (success) {
+      datalink_GotAuthname(physical->dl, name, namelen);
+      ChapOutput(physical, CHAP_SUCCESS, chp->id, "Welcome!!", 10, NULL);
+      physical->link.lcp.auth_ineed = 0;
+      if (Enabled(bundle, OPT_UTMP))
+        physical_Login(physical, name);
+
+      if (physical->link.lcp.auth_iwait == 0)
+        /*
+         * Either I didn't need to authenticate, or I've already been
+         * told that I got the answer right.
+         */
+        datalink_AuthOk(physical->dl);
+    } else {
+      /*
+       * Peer is not registerd, or response digest is wrong.
+       */
+      ChapOutput(physical, CHAP_FAILURE, chp->id, "Invalid!!", 9, NULL);
+      datalink_AuthNotOk(physical->dl);
+      break;
+    }
  }
 }

--- a/usr.sbin/ppp/radius.c
+++ b/usr.sbin/ppp/radius.c
@ -23,7 +23,7 @@
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 *
- *	$Id:$
+ *	$Id: radius.c,v 1.1 1999/01/28 01:56:34 brian Exp $
 *
 */

@ -265,10 +265,11 @@ radius_Authenticate(struct radius *r, struct bundle *bundle, const char *name,
    return 0;
  }

+  rad_close(h);
+  r->valid = 1;
  log_Printf(LogPHASE, "radius: SUCCESS\n");

-  rad_close(h);
-  return r->valid = 1;
+  return 1;
 }

 void