From e71381fcd931491f4ac05f2df28732f51b735745 Mon Sep 17 00:00:00 2001
From: brian
Date: Fri, 29 Jan 1999 22:46:31 +0000
Subject: [PATCH] o Send a CHAP challenge of 16 random digits when RADIUS is configured. This isn't strictly necessary according to the rfc, but it's suggested there....
o Don't forget to include our authname when sending a CHAP challenge when RADIUS is configured.
o Don't supply the ``16'' representing the chap answer length to radius_Authenticate() - libradius does this for us.
o When we successfully authenticate via radius_Authenticate(), continue with datalink_AuthOk() as expected.
Sponsored by: Internet Business Solutions Ltd., Switzerland
---
 usr.sbin/ppp/chap.c | 79 ++++++++++++++++++++++---------------------
 usr.sbin/ppp/radius.c | 7 ++--
 2 files changed, 45 insertions(+), 41 deletions(-)
diff --git a/usr.sbin/ppp/chap.c b/usr.sbin/ppp/chap.c
index 21d189887727..a53915567894 100644
--- a/usr.sbin/ppp/chap.c
+++ b/usr.sbin/ppp/chap.c
@@ -17,7 +17,7 @@
 * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
 * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
 *
- * $Id: chap.c,v 1.37 1998/08/26 18:07:56 brian Exp $
+ * $Id: chap.c,v 1.38 1999/01/28 01:56:31 brian Exp $
 *
 * TODO:
 */
@@ -105,24 +105,24 @@ chap_SendChallenge(struct authinfo *auth, int chapid, struct physical *physical)
 randinit();
 cp = chap->challenge_data;
+
 #ifndef NORADIUS
 if (*physical->dl->bundle->radius.cfg.file) {
 /* For radius, our challenge is 16 readable NUL terminated bytes :*/
 *cp++ = chap->challenge_len = 16;
 for (i = 0; i < chap->challenge_len; i++)
- *cp++ = (random() & (0x7f - 0x20)) + 0x20;
- *cp = '\0';
- } else {
+ *cp++ = (random() % 10) + '0';
+ } else
 #endif
+ {
 *cp++ = chap->challenge_len = random() % (CHAPCHALLENGELEN-16) + 16;
 for (i = 0; i < chap->challenge_len; i++)
 *cp++ = random() & 0xff;
- len = strlen(physical->dl->bundle->cfg.auth.name);
- memcpy(cp, physical->dl->bundle->cfg.auth.name, len);
- cp += len;
-#ifndef NORADIUS
 }
-#endif
+
+ len = strlen(physical->dl->bundle->cfg.auth.name);
+ memcpy(cp, physical->dl->bundle->cfg.auth.name, len);
+ cp += len;
 ChapOutput(physical, CHAP_CHALLENGE, chapid, chap->challenge_data,
 cp - chap->challenge_data, NULL);
 }
@@ -131,8 +131,7 @@ static void
 RecvChapTalk(struct bundle *bundle, struct fsmheader *chp, struct mbuf *bp,
 struct physical *physical)
 {
- int valsize, len;
- int arglen, keylen, namelen;
+ int valsize, len, arglen, keylen, namelen, success;
 char *cp, *argp, *ap, *name, *digest;
 char *keyp;
 MD5_CTX MD5context; /* context for MD5 */
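Review bot: The new `*cp++ = (random() % 10) + '0';` line builds the RADIUS challenge from `random()`, which is seeded by whatever `randinit()` does and is not a cryptographic generator, so the 16-digit challenge (and likewise the `random() & 0xff` bytes of the non-RADIUS branch) is considerably more predictable than the unique-and-unpredictable challenge RFC 1994 asks for; drawing the bytes from a CSPRNG such as arc4random(3) where available would close that gap, and even a well-generated 16-digit challenge carries only about 53 bits of entropy. The retained context comment `/* For radius, our challenge is 16 readable NUL terminated bytes :*/` is now stale, because the `*cp = '\0';` terminator was removed and the authname is appended directly after the digits; suggest `/* For radius, our challenge is 16 readable decimal digits (not NUL terminated) */`. The authname is now copied into `challenge_data` in both branches, and since the buffer is declared outside this hunk it is worth confirming it has room for CHAPCHALLENGELEN bytes plus the longest configured name.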
@@ -229,20 +228,23 @@ RecvChapTalk(struct bundle *bundle, struct fsmheader *chp, struct mbuf *bp,
 /*
 * Get a secret key corresponds to the peer
 */
+ success = 0;
 #ifndef NORADIUS
 if (*bundle->radius.cfg.file) {
- char chapname[AUTHLEN];
+ char chapname[AUTHLEN], chal[17];
 if (namelen > AUTHLEN - 1)
 namelen = AUTHLEN - 1;
 strncpy(chapname, name, namelen);
 chapname[namelen] = '\0';
- strncpy(answer, cp-1, 17);
+ *answer = chp->id;
+ strncpy(answer+1, cp, 16);
 answer[17] = '\0';
+ strncpy(chal, physical->dl->chap.challenge_data + 1, 16);
+ chal[16] = '\0';
- if (radius_Authenticate(&bundle->radius, bundle, chapname, answer,
- physical->dl->chap.challenge_data + 1))
- break; /* And there was much rejoicing ! */
+ if (radius_Authenticate(&bundle->radius, bundle, chapname, answer, chal))
+ success = 1; /* And there was much rejoicing ! */
 } else
 #endif
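Review bot: `strncpy(answer+1, cp, 16);` copies the peer's 16-byte CHAP response as if it were a C string: strncpy stops at the first NUL byte and zero-fills the remainder, but the response is a binary MD5 digest in which any byte may legitimately be 0x00, so roughly six percent of legitimate authentications would forward a corrupted digest to the RADIUS server and be rejected despite a correct secret. Use `memcpy(answer + 1, cp, 16);` here; the same applies to `strncpy(chal, physical->dl->chap.challenge_data + 1, 16);`, which happens to be safe only because this commit makes the challenge decimal digits, and a length-bounded `memcpy` documents that the data is binary. The check that the received value length (`valsize`) really is 16 before these copies lies outside the hunk, so it is worth confirming it exists before `cp` is trusted for 16 bytes.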
@@ -264,30 +266,31 @@ RecvChapTalk(struct bundle *bundle, struct fsmheader *chp, struct mbuf *bp,
 /*
 * Compare with the response
 */
- if (memcmp(cp, cdigest, 16) == 0) {
- datalink_GotAuthname(physical->dl, name, namelen);
- ChapOutput(physical, CHAP_SUCCESS, chp->id, "Welcome!!", 10, NULL);
- physical->link.lcp.auth_ineed = 0;
- if (Enabled(bundle, OPT_UTMP))
- physical_Login(physical, name);
-
- if (physical->link.lcp.auth_iwait == 0)
- /*
- * Either I didn't need to authenticate, or I've already been
- * told that I got the answer right.
- */
- datalink_AuthOk(physical->dl);
-
- break;
- }
+ if (memcmp(cp, cdigest, 16) == 0)
+ success = 1;
 }
- /*
- * Peer is not registerd, or response digest is wrong.
- */
- ChapOutput(physical, CHAP_FAILURE, chp->id, "Invalid!!", 9, NULL);
- datalink_AuthNotOk(physical->dl);
- break;
+ if (success) {
+ datalink_GotAuthname(physical->dl, name, namelen);
+ ChapOutput(physical, CHAP_SUCCESS, chp->id, "Welcome!!", 10, NULL);
+ physical->link.lcp.auth_ineed = 0;
+ if (Enabled(bundle, OPT_UTMP))
+ physical_Login(physical, name);
+
+ if (physical->link.lcp.auth_iwait == 0)
+ /*
+ * Either I didn't need to authenticate, or I've already been
+ * told that I got the answer right.
+ */
+ datalink_AuthOk(physical->dl);
+ } else {
+ /*
+ * Peer is not registerd, or response digest is wrong.
+ */
+ ChapOutput(physical, CHAP_FAILURE, chp->id, "Invalid!!", 9, NULL);
+ datalink_AuthNotOk(physical->dl);
+ break;
+ }
 }
 }
diff --git a/usr.sbin/ppp/radius.c b/usr.sbin/ppp/radius.c
index 70611e409e70..b60605aeb5cc 100644
--- a/usr.sbin/ppp/radius.c
+++ b/usr.sbin/ppp/radius.c
@@ -23,7 +23,7 @@
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 *
- * $Id:$
+ * $Id: radius.c,v 1.1 1999/01/28 01:56:34 brian Exp $
 *
 */
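Review bot: The rewritten `if (memcmp(cp, cdigest, 16) == 0)` still rejects a response at the first mismatching byte, so the time taken to answer depends on how many leading bytes of the peer's digest were correct; for an authentication decision a fixed-time comparison that inspects all 16 bytes and tests the accumulated difference once is the safer form, as sketched below. The `if (success) { … } else { … break; }` restructuring leaves the success path falling through to whatever follows the `else` block, which is outside the hunk, so the asymmetric `break` deserves a one-line comment if it is intentional. The `cdigest` declaration is also outside the hunk, which is why the helper takes `const void *`.
```c
/* Compare two 16-byte CHAP digests without stopping at the first
 * differing byte; returns non-zero when they are equal. */
static int
chap_DigestEqual(const void *a, const void *b)
{
  const unsigned char *x = a, *y = b;
  unsigned char diff = 0;
  int k;

  for (k = 0; k < 16; k++)
    diff |= x[k] ^ y[k];
  return diff == 0;
}

/* … unchanged: RecvChapTalk up to the digest comparison … */
    if (chap_DigestEqual(cp, cdigest))
      success = 1;
```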
@@ -265,10 +265,11 @@ radius_Authenticate(struct radius *r, struct bundle *bundle, const char *name,
 return 0;
 }
+ rad_close(h);
+ r->valid = 1;
 log_Printf(LogPHASE, "radius: SUCCESS\n");
- rad_close(h);
- return r->valid = 1;
+ return 1;
 }
 void
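Review bot: `log_Printf(LogPHASE, "radius: SUCCESS\n");` records an accepted RADIUS authentication without saying for whom; `name` is a parameter of radius_Authenticate (visible in the hunk header), so `log_Printf(LogPHASE, "radius: SUCCESS (%s)\n", name);` would give the log a usable audit record of which peer was admitted, in line with the CHAP_SUCCESS path in chap.c that already knows the name. Moving `rad_close(h);` ahead of the `r->valid = 1;` state update reads fine; whether the `return 0;` failure path just above also closes `h` is outside the hunk and worth a glance.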