o Send a CHAP challenge of 16 random digits when RADIUS is
  configured.  This isn't strictly necessary according to the
  rfc, but it's suggested there....
o Don't forget to include our authname when sending a
  CHAP challenge when RADIUS is configured.
o Don't supply the ``16'' representing the chap answer
  length to radius_Authenticate() - libradius does this
  for us.
o When we successfully authenticate via radius_Authenticate(),
  continue with datalink_AuthOk() as expected.

Sponsored by: Internet Business Solutions Ltd., Switzerland
brian 1999-01-29 22:46:31 +00:00
parent fd44edb284
commit e71381fcd9
2 changed files with 45 additions and 41 deletions


@ -17,7 +17,7 @@
* IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
* WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
*
* $Id: chap.c,v 1.37 1998/08/26 18:07:56 brian Exp $
* $Id: chap.c,v 1.38 1999/01/28 01:56:31 brian Exp $
*
* TODO:
*/
@ -105,24 +105,24 @@ chap_SendChallenge(struct authinfo *auth, int chapid, struct physical *physical)
randinit();
cp = chap->challenge_data;
#ifndef NORADIUS
if (*physical->dl->bundle->radius.cfg.file) {
/* For radius, our challenge is 16 readable NUL terminated bytes :*/
*cp++ = chap->challenge_len = 16;
for (i = 0; i < chap->challenge_len; i++)
*cp++ = (random() & (0x7f - 0x20)) + 0x20;
*cp = '\0';
} else {
*cp++ = (random() % 10) + '0';
} else
#endif
{
*cp++ = chap->challenge_len = random() % (CHAPCHALLENGELEN-16) + 16;
for (i = 0; i < chap->challenge_len; i++)
*cp++ = random() & 0xff;
len = strlen(physical->dl->bundle->cfg.auth.name);
memcpy(cp, physical->dl->bundle->cfg.auth.name, len);
cp += len;
#ifndef NORADIUS
}
#endif
len = strlen(physical->dl->bundle->cfg.auth.name);
memcpy(cp, physical->dl->bundle->cfg.auth.name, len);
cp += len;
ChapOutput(physical, CHAP_CHALLENGE, chapid, chap->challenge_data,
cp - chap->challenge_data, NULL);
}
@ -131,8 +131,7 @@ static void
RecvChapTalk(struct bundle *bundle, struct fsmheader *chp, struct mbuf *bp,
struct physical *physical)
{
int valsize, len;
int arglen, keylen, namelen;
int valsize, len, arglen, keylen, namelen, success;
char *cp, *argp, *ap, *name, *digest;
char *keyp;
MD5_CTX MD5context; /* context for MD5 */
@ -229,20 +228,23 @@ RecvChapTalk(struct bundle *bundle, struct fsmheader *chp, struct mbuf *bp,
/*
* Get a secret key corresponds to the peer
*/
success = 0;
#ifndef NORADIUS
if (*bundle->radius.cfg.file) {
char chapname[AUTHLEN];
char chapname[AUTHLEN], chal[17];
if (namelen > AUTHLEN - 1)
namelen = AUTHLEN - 1;
strncpy(chapname, name, namelen);
chapname[namelen] = '\0';
strncpy(answer, cp-1, 17);
*answer = chp->id;
strncpy(answer+1, cp, 16);
answer[17] = '\0';
strncpy(chal, physical->dl->chap.challenge_data + 1, 16);
chal[16] = '\0';
if (radius_Authenticate(&bundle->radius, bundle, chapname, answer,
physical->dl->chap.challenge_data + 1))
break; /* And there was much rejoicing ! */
if (radius_Authenticate(&bundle->radius, bundle, chapname, answer, chal))
success = 1; /* And there was much rejoicing ! */
} else
#endif
@ -264,30 +266,31 @@ RecvChapTalk(struct bundle *bundle, struct fsmheader *chp, struct mbuf *bp,
/*
* Compare with the response
*/
if (memcmp(cp, cdigest, 16) == 0) {
datalink_GotAuthname(physical->dl, name, namelen);
ChapOutput(physical, CHAP_SUCCESS, chp->id, "Welcome!!", 10, NULL);
physical->link.lcp.auth_ineed = 0;
if (Enabled(bundle, OPT_UTMP))
physical_Login(physical, name);
if (physical->link.lcp.auth_iwait == 0)
/*
* Either I didn't need to authenticate, or I've already been
* told that I got the answer right.
*/
datalink_AuthOk(physical->dl);
break;
}
if (memcmp(cp, cdigest, 16) == 0)
success = 1;
}
/*
* Peer is not registerd, or response digest is wrong.
*/
ChapOutput(physical, CHAP_FAILURE, chp->id, "Invalid!!", 9, NULL);
datalink_AuthNotOk(physical->dl);
break;
if (success) {
datalink_GotAuthname(physical->dl, name, namelen);
ChapOutput(physical, CHAP_SUCCESS, chp->id, "Welcome!!", 10, NULL);
physical->link.lcp.auth_ineed = 0;
if (Enabled(bundle, OPT_UTMP))
physical_Login(physical, name);
if (physical->link.lcp.auth_iwait == 0)
/*
* Either I didn't need to authenticate, or I've already been
* told that I got the answer right.
*/
datalink_AuthOk(physical->dl);
} else {
/*
* Peer is not registerd, or response digest is wrong.
*/
ChapOutput(physical, CHAP_FAILURE, chp->id, "Invalid!!", 9, NULL);
datalink_AuthNotOk(physical->dl);
break;
}
}
}
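Review bot: In chap_SendChallenge the RADIUS-mode challenge is built from `random()`, a seeded non-cryptographic generator, so the 16 digits written by `*cp++ = (random() % 10) + '0';` are predictable to anyone who can recover or guess the state set up by `randinit()`, and a predictable or repeating challenge lets a previously observed CHAP response be replayed; the `*cp++ = random() & 0xff;` line in the non-RADIUS branch has the same property. The CHAP RFC (1994) asks that challenge values be unique and unpredictable, so the digits should come from a cryptographic source, e.g. `*cp++ = (arc4random() % 10) + '0';` where arc4random(3) is available, with the same substitution on the `& 0xff` line. Whether `randinit()` seeds from a strong source cannot be judged from here: chap_SendChallenge begins outside the hunk, and the hunk only shows the call.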


@ -23,7 +23,7 @@
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
* $Id:$
* $Id: radius.c,v 1.1 1999/01/28 01:56:34 brian Exp $
*
*/
@ -265,10 +265,11 @@ radius_Authenticate(struct radius *r, struct bundle *bundle, const char *name,
return 0;
}
rad_close(h);
r->valid = 1;
log_Printf(LogPHASE, "radius: SUCCESS\n");
rad_close(h);
return r->valid = 1;
return 1;
}
void