Bug Summary

File:src/usr.sbin/npppd/npppd/chap.c
Warning:line 837, column 11
Although the value stored to 'respkt0' is used in the enclosing expression, the value is never actually read from 'respkt0'

Annotated Source Code

Press '?' to see keyboard shortcuts

clang -cc1 -cc1 -triple amd64-unknown-openbsd7.0 -analyze -disable-free -disable-llvm-verifier -discard-value-names -main-file-name chap.c -analyzer-store=region -analyzer-opt-analyze-nested-blocks -analyzer-checker=core -analyzer-checker=apiModeling -analyzer-checker=unix -analyzer-checker=deadcode -analyzer-checker=security.insecureAPI.UncheckedReturn -analyzer-checker=security.insecureAPI.getpw -analyzer-checker=security.insecureAPI.gets -analyzer-checker=security.insecureAPI.mktemp -analyzer-checker=security.insecureAPI.mkstemp -analyzer-checker=security.insecureAPI.vfork -analyzer-checker=nullability.NullPassedToNonnull -analyzer-checker=nullability.NullReturnedFromNonnull -analyzer-output plist -w -setup-static-analyzer -mrelocation-model pic -pic-level 1 -pic-is-pie -mframe-pointer=all -relaxed-aliasing -fno-rounding-math -mconstructor-aliases -munwind-tables -target-cpu x86-64 -target-feature +retpoline-indirect-calls -target-feature +retpoline-indirect-branches -tune-cpu generic -debugger-tuning=gdb -fcoverage-compilation-dir=/usr/src/usr.sbin/npppd/npppd/obj -resource-dir /usr/local/lib/clang/13.0.0 -I /usr/src/usr.sbin/npppd/npppd/../common -I /usr/src/usr.sbin/npppd/npppd -I /usr/src/usr.sbin/npppd/npppd/../pptp -I /usr/src/usr.sbin/npppd/npppd/../l2tp -I /usr/src/usr.sbin/npppd/npppd/../pppoe -D USE_NPPPD_PPTP -D USE_NPPPD_L2TP -D USE_NPPPD_PPPOE -D __COPYRIGHT(x)= -D __RCSID(x)= -D NPPPD_MAX_IFACE=8 -D NPPPD_MAX_POOL=8 -D USE_NPPPD_MPPE -D USE_NPPPD_PIPEX -D USE_NPPPD_RADIUS -D USE_SA_COOKIE -internal-isystem /usr/local/lib/clang/13.0.0/include -internal-externc-isystem /usr/include -O2 -fdebug-compilation-dir=/usr/src/usr.sbin/npppd/npppd/obj -ferror-limit 19 -fwrapv -D_RET_PROTECTOR -ret-protector -fgnuc-version=4.2.1 -vectorize-loops -vectorize-slp -fno-builtin-malloc -fno-builtin-calloc -fno-builtin-realloc -fno-builtin-valloc -fno-builtin-free -fno-builtin-strdup -fno-builtin-strndup -analyzer-output=html -faddrsig -D__GCC_HAVE_DWARF2_CFI_ASM=1 -o /home/ben/Projects/vmm/scan-build/2022-01-12-194120-40624-1 -x c /usr/src/usr.sbin/npppd/npppd/chap.c
1/* $OpenBSD: chap.c,v 1.17 2021/03/29 03:54:39 yasuoka Exp $ */
2
3/*-
4 * Copyright (c) 2009 Internet Initiative Japan Inc.
5 * All rights reserved.
6 *
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted provided that the following conditions
9 * are met:
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in the
14 * documentation and/or other materials provided with the distribution.
15 *
16 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
17 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
18 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
19 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
20 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
21 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
22 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
23 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
24 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
25 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
26 * SUCH DAMAGE.
27 */
28/**@file
29 * This file provides CHAP (PPP Challenge Handshake Authentication Protocol,
30 * RFC 1994) handlers. Currently this contains authenticator side
31 * implementation only.
32 *<p>
33 * Supported authentication types:
34 * <li>MD5-CHAP</li>
35 * <li>MS-CHAP Version 2 (RFC 2759)</li>
36 * </ul></p>
37 */
38/* RFC 1994, 2433 */
39/* $Id: chap.c,v 1.17 2021/03/29 03:54:39 yasuoka Exp $ */
40#include <sys/types.h>
41#include <sys/socket.h>
42#include <sys/time.h>
43#include <netinet/in.h>
44#include <net/if_dl.h>
45#include <stdlib.h>
46#include <stdio.h>
47#include <syslog.h>
48#include <string.h>
49#include <unistd.h>
50#include <stdarg.h>
51#include <errno(*__errno()).h>
52#include <time.h>
53#include <event.h>
54#include <md5.h>
55#include <vis.h>
56
57#include "npppd.h"
58#include "ppp.h"
59
60#ifdef USE_NPPPD_RADIUS1
61#include "radius_chap_const.h"
62#include "npppd_radius.h"
63#endif
64#include "npppd_defs.h"
65
66#include "debugutil.h"
67#include "chap_ms.h"
68
69#define HEADERLEN4 4
70
71#define CHAP_STATE_INITIAL1 1
72#define CHAP_STATE_SENT_CHALLENGE2 2
73#define CHAP_STATE_AUTHENTICATING3 3
74#define CHAP_STATE_SENT_RESPONSE4 4
75#define CHAP_STATE_STOPPED5 5
76#define CHAP_STATE_PROXY_AUTHENTICATION6 6
77
78/* retry intervals */
79#define CHAP_TIMEOUT3 3
80#define CHAP_RETRY10 10
81
82#define CHAP_CHALLENGE1 1
83#define CHAP_RESPONSE2 2
84#define CHAP_SUCCESS3 3
85#define CHAP_FAILURE4 4
86
87/* from RFC 2433 */
88#define ERROR_RESTRICTED_LOGIN_HOURS646 646
89#define ERROR_ACCT_DISABLED647 647
90#define ERROR_PASSWD_EXPIRED648 648
91#define ERROR_NO_DIALIN_PERMISSION649 649
92#define ERROR_AUTHENTICATION_FAILURE691 691
93#define ERROR_CHANGING_PASSWORD709 709
94
95/* MprError.h */
96#define ERROR_AUTH_SERVER_TIMEOUT930 930
97
98#ifdef CHAP_DEBUG
99#define CHAP_DBG(x) chap_log x
100#define CHAP_ASSERT(cond) \
101 if (!(cond)) { \
102 fprintf(stderr(&__sF[2]), \
103 "\nASSERT(" #cond ") failed on %s() at %s:%d.\n"\
104 , __func__, __FILE__"/usr/src/usr.sbin/npppd/npppd/chap.c", __LINE__104); \
105 abort(); \
106 }
107#else
108#define CHAP_ASSERT(cond)
109#define CHAP_DBG(x)
110#endif
111
112static void chap_authenticate(chap *_this, u_char *, int);
113static void chap_failure(chap *, const char *, int);
114static void chap_response (chap *, int, u_char *, int);
115static void chap_create_challenge (chap *);
116static void chap_send_error (chap *, const char *);
117static void md5chap_authenticate (chap *, int, char *, u_char *, int, u_char *);
118static void mschapv2_send_error (chap *, int, int);
119static void mschapv2_authenticate (chap *, int, char *, u_char *, int, u_char *);
120#ifdef USE_NPPPD_RADIUS1
121static void chap_radius_authenticate (chap *, int, char *, u_char *, int, u_char *);
122static void chap_radius_response (void *, RADIUS_PACKET *, int, RADIUS_REQUEST_CTX);
123#endif
124static char *strip_nt_domain (char *);
125static void chap_log (chap *, uint32_t, const char *, ...) __printflike(3,4)__attribute__((__format__ (__printf__, 3, 4)));
126
127/** Initialize the CHAP */
128void
129chap_init(chap *_this, npppd_ppp *ppp)
130{
131 struct tunnconf *conf;
132
133 CHAP_ASSERT(ppp != NULL);
134 CHAP_ASSERT(_this != NULL);
135
136 memset(_this, 0, sizeof(chap));
137 _this->ppp = ppp;
138
139 conf = ppp_get_tunnconf(ppp);
140
141 if (conf->chap_name == NULL((void *)0))
142 gethostname(_this->myname, sizeof(_this->myname));
143 else
144 strlcpy(_this->myname, conf->chap_name, sizeof(_this->myname));
145
146 _this->timerctx.ctx = _this;
147 _this->state = CHAP_STATE_INITIAL1;
148
149 _this->ntry = CHAP_RETRY10;
150}
151
152/** Start CHAP as a authenticator. Send a challenge */
153void
154chap_start(chap *_this)
155{
156 u_char *challp, *challp0;
157 int lmyname;
158
159 CHAP_ASSERT(_this != NULL);
160 CHAP_ASSERT(_this->ppp != NULL);
161
162 if (_this->state == CHAP_STATE_PROXY_AUTHENTICATION6) {
163 _this->type = PPP_AUTH_CHAP_MD50x05;
164 _this->state = CHAP_STATE_AUTHENTICATING3;
165 chap_authenticate(_this, _this->ppp->proxy_authen_resp,
166 _this->ppp->lproxy_authen_resp);
167 return;
168 }
169
170 if (_this->state == CHAP_STATE_INITIAL1 ||
171 _this->state == CHAP_STATE_SENT_CHALLENGE2) {
172 if (_this->ntry > 0) {
173 _this->ntry--;
174 _this->type = _this->ppp->peer_auth;
175
176 /* The type is supported? */
177 if (_this->type != PPP_AUTH_CHAP_MS_V20x81 &&
178 _this->type != PPP_AUTH_CHAP_MD50x05) {
179 chap_log(_this, LOG_ALERT1,
180 "Requested authentication type(0x%x) "
181 "is not supported.", _this->type);
182 ppp_set_disconnect_cause(_this->ppp,
183 PPP_DISCON_AUTH_PROTOCOL_UNACCEPTABLE,
184 PPP_PROTO_CHAP0xC223, 2 /* local */, NULL((void *)0));
185 ppp_stop(_this->ppp, "Authentication Required");
186 return;
187 }
188
189
190#ifdef USE_NPPPD_MPPE1
191 /* The peer must use MS-CHAP-V2 as the type */
192 if (MPPE_IS_REQUIRED(_this->ppp)(((_this->ppp)->mppe.enabled != 0) && ((_this->
ppp)->mppe.required != 0)) &&
193 _this->type != PPP_AUTH_CHAP_MS_V20x81) {
194 chap_log(_this, LOG_ALERT1,
195 "mppe is required but try to start chap "
196 "type=0x%02x", _this->type);
197 ppp_set_disconnect_cause(_this->ppp,
198 PPP_DISCON_AUTH_PROTOCOL_UNACCEPTABLE,
199 PPP_PROTO_CHAP0xC223, 2 /* local */, NULL((void *)0));
200 ppp_stop(_this->ppp, "Authentication Required");
201 return;
202 }
203#endif
204 /* Generate a challenge packet and send it */
205 challp = ppp_packetbuf(_this->ppp, PPP_AUTH_CHAP0xc223);
206 challp += HEADERLEN4;
207 challp0 = challp;
208
209 chap_create_challenge(_this);
210
211 PUTCHAR(_this->lchall, challp){ *(challp)++ = (u_char) (_this->lchall); };
212 memcpy(challp, &_this->chall, _this->lchall);
213 challp += _this->lchall;
214
215 lmyname = strlen(_this->myname);
216
217 memcpy(challp, _this->myname, lmyname);
218 challp += lmyname;
219
220 _this->challid = ++_this->pktid;
221
222 ppp_output(_this->ppp, PPP_PROTO_CHAP0xC223, CHAP_CHALLENGE1,
223 _this->challid, challp0, challp - challp0);
224
225 _this->state = CHAP_STATE_SENT_CHALLENGE2;
226
227 TIMEOUT((void (*)(void *))chap_start, _this,{ struct timeval tv0; tv0.tv_usec = 0; tv0.tv_sec = (3); if (
!((&(_this)->timerctx.ev)->ev_flags & 0x80)) event_set
(&(_this)->timerctx.ev, -1, 0, fsm_evtimer_timeout, &
(_this)->timerctx); (_this)->timerctx.func = (void (*)(
void *))chap_start; event_del(&(_this)->timerctx.ev); event_add
(&(_this)->timerctx.ev, &tv0); }
228 CHAP_TIMEOUT){ struct timeval tv0; tv0.tv_usec = 0; tv0.tv_sec = (3); if (
!((&(_this)->timerctx.ev)->ev_flags & 0x80)) event_set
(&(_this)->timerctx.ev, -1, 0, fsm_evtimer_timeout, &
(_this)->timerctx); (_this)->timerctx.func = (void (*)(
void *))chap_start; event_del(&(_this)->timerctx.ev); event_add
(&(_this)->timerctx.ev, &tv0); };
229 } else {
230 chap_log(_this, LOG_INFO6,
231 "Client did't respond our challenage.");
232 ppp_set_disconnect_cause(_this->ppp,
233 PPP_DISCON_AUTH_FSM_TIMEOUT,
234 PPP_PROTO_CHAP0xC223, 0, NULL((void *)0));
235 ppp_stop(_this->ppp, "Authentication Required");
236 }
237 }
238}
239
240/** Stop the CHAP */
241void
242chap_stop(chap *_this)
243{
244 _this->state = CHAP_STATE_STOPPED5;
245 UNTIMEOUT(chap_start, _this)event_del(&(_this)->timerctx.ev);
246#ifdef USE_NPPPD_RADIUS1
247 if (_this->radctx != NULL((void *)0)) {
248 radius_cancel_request(_this->radctx);
249 _this->radctx = NULL((void *)0);
250 }
251#endif
252}
253
254/** Called when a CHAP packet is received. */
255void
256chap_input(chap *_this, u_char *pktp, int len)
257{
258 int code, id, length, lval, lname, authok;
259 u_char *pktp1, *val, namebuf[MAX_USERNAME_LENGTH256];
260 char *name;
261
262 if (_this->state == CHAP_STATE_STOPPED5 ||
263 _this->state == CHAP_STATE_INITIAL1) {
264 chap_log(_this, LOG_INFO6, "Received chap packet. But chap is "
265 "not started");
266 return;
267 }
268
269 CHAP_ASSERT(_this != NULL);
270 if (len < 4) {
271 chap_log(_this, LOG_ERR3, "%s: Received broken packet.",
272 __func__);
273 return;
274 }
275
276 pktp1 = pktp;
277
278 GETCHAR(code, pktp1){ (code) = *(pktp1)++; };
279 GETCHAR(id, pktp1){ (id) = *(pktp1)++; };
280 GETSHORT(length, pktp1){ (length) = *(pktp1)++ << 8; (length) |= *(pktp1)++; };
281 if (len < length || len < 5) {
282 chap_log(_this, LOG_ERR3, "%s: Received broken packet.",
283 __func__);
284 return;
285 }
286
287 if (code != CHAP_RESPONSE2) {
288 chap_log(_this, LOG_ERR3, "Received unknown code=%d", code);
289 return;
290 }
291
292 /* Create a chap response */
293
294 if (id != _this->challid) {
295 chap_log(_this, LOG_ERR3,
296 "Received challenge response has unknown id.");
297 return;
298 }
299 if (_this->state == CHAP_STATE_AUTHENTICATING3)
300 return;
301
302 authok = 0;
303 UNTIMEOUT(chap_start, _this)event_del(&(_this)->timerctx.ev);
304
305 /* pick the username */
306 GETCHAR(lval, pktp1){ (lval) = *(pktp1)++; };
307 val = pktp1;
308 pktp1 += lval;
309
310 if (lval > length) {
311 chap_log(_this, LOG_ERR3,
312 "Received challenge response has invalid Value-Size "
313 "field. %d", lval);
314 return;
315 }
316 name = pktp1;
317 lname = len - (pktp1 - pktp);
318 if (lname <= 0 || sizeof(namebuf) <= lname + 1) {
319 chap_log(_this, LOG_ERR3,
320 "Received challenge response has invalid Name "
321 "field.");
322 return;
323 }
324 memcpy(namebuf, name, lname);
325 namebuf[lname] = '\0';
326 name = namebuf;
327 if (_this->state == CHAP_STATE_SENT_RESPONSE4) {
328 if (strcmp(_this->name, name) != 0) {
329 /*
330 * The peer requests us to resend, but the username
331 * has been changed.
332 */
333 chap_log(_this, LOG_ERR3,
334 "Received AuthReq is not same as before. "
335 "%s != %s", name, _this->name);
336 return;
337 }
338 } else if (_this->state != CHAP_STATE_SENT_CHALLENGE2) {
339 chap_log(_this, LOG_ERR3,
340 "Received AuthReq in illegal state. username=%s", name);
341 return;
342 }
343 _this->state = CHAP_STATE_AUTHENTICATING3;
344 strlcpy(_this->name, name, sizeof(_this->name));
345
346 chap_authenticate(_this, val, lval);
347}
348
349static void
350chap_failure(chap *_this, const char *msg, int mschapv2err)
351{
352
353 switch(_this->type) {
354 case PPP_AUTH_CHAP_MD50x05:
355 chap_send_error(_this, "FAILED");
356 break;
357 case PPP_AUTH_CHAP_MS_V20x81:
358 mschapv2_send_error(_this, mschapv2err, 0);
359 break;
360 }
361}
362
363static void
364chap_authenticate(chap *_this, u_char *response, int lresponse)
365{
366
367 switch(_this->type) {
368 case PPP_AUTH_CHAP_MD50x05:
369 /* check the length */
370 if (lresponse != 16) {
371 chap_log(_this, LOG_ERR3,
372 "Invalid response length %d != 16", lresponse);
373 chap_failure(_this, "FAILED",
374 ERROR_AUTHENTICATION_FAILURE691);
375 return;
376 }
377 break;
378 case PPP_AUTH_CHAP_MS_V20x81:
379 /* check the length */
380 if (lresponse < 49) {
381 chap_log(_this, LOG_ERR3, "Packet too short.");
382 chap_failure(_this, "FAILED",
383 ERROR_AUTHENTICATION_FAILURE691);
384 return;
385 }
386 break;
387 }
388 if (npppd_ppp_bind_realm(_this->ppp->pppd, _this->ppp, _this->name, 0)
389 == 0) {
390 if (!npppd_ppp_is_realm_ready(_this->ppp->pppd, _this->ppp)) {
391 chap_log(_this, LOG_INFO6,
392 "username=\"%s\" realm is not ready.", _this->name);
393 chap_failure(_this, "FAILED",
394 ERROR_AUTH_SERVER_TIMEOUT930);
395 return;
396 }
397#ifdef USE_NPPPD_RADIUS1
398 if (npppd_ppp_is_realm_radius(_this->ppp->pppd, _this->ppp)) {
399 chap_radius_authenticate(_this, _this->challid,
400 _this->name, _this->chall, _this->lchall, response);
401 return;
402 /* NOTREACHED */
403 } else
404#endif
405 if (npppd_ppp_is_realm_local(_this->ppp->pppd, _this->ppp)) {
406 switch(_this->type) {
407 case PPP_AUTH_CHAP_MD50x05:
408 md5chap_authenticate(_this, _this->challid,
409 _this->name, _this->chall, _this->lchall,
410 response);
411 return;
412 /* NOTREACHED */
413 case PPP_AUTH_CHAP_MS_V20x81:
414 mschapv2_authenticate(_this, _this->challid,
415 strip_nt_domain(_this->name),
416 _this->chall, _this->lchall, response);
417 return;
418 /* NOTREACHED */
419 }
420 }
421 }
422 chap_failure(_this, "FAILED", ERROR_AUTHENTICATION_FAILURE691);
423
424 return;
425}
426
427static void
428chap_response(chap *_this, int authok, u_char *pktp, int lpktp)
429{
430 const char *realm_name;
431
432 CHAP_ASSERT(_this != NULL);
433 CHAP_ASSERT(pktp != NULL);
434 CHAP_ASSERT(_this->type == PPP_AUTH_CHAP_MD5 ||
435 _this->type == PPP_AUTH_CHAP_MS_V2);
436
437 ppp_output(_this->ppp, PPP_PROTO_CHAP0xC223, (authok)? 3 : 4, _this->challid,
438 pktp, lpktp);
439
440 realm_name = npppd_ppp_get_realm_name(_this->ppp->pppd, _this->ppp);
441 if (!authok) {
442 chap_log(_this, LOG_ALERT1,
443 "logtype=Failure username=\"%s\" realm=%s", _this->name,
444 realm_name);
445 chap_stop(_this);
446 /* Stop the PPP if the authentication is failed. */
447 ppp_set_disconnect_cause(_this->ppp,
448 PPP_DISCON_AUTH_FAILED, PPP_PROTO_CHAP0xC223, 1 /* peer */, NULL((void *)0));
449 ppp_stop(_this->ppp, "Authentication Required");
450 } else {
451 strlcpy(_this->ppp->username, _this->name,
452 sizeof(_this->ppp->username));
453 chap_log(_this, LOG_INFO6,
454 "logtype=Success username=\"%s\" "
455 "realm=%s", _this->name, realm_name);
456 chap_stop(_this);
457 /* We change our state to prepare to resend requests. */
458 _this->state = CHAP_STATE_SENT_RESPONSE4;
459 ppp_auth_ok(_this->ppp);
460 }
461}
462
463/** Generate a challenge */
464static void
465chap_create_challenge(chap *_this)
466{
467 CHAP_ASSERT(_this->ppp->peer_auth == PPP_AUTH_CHAP_MS_V2 ||
468 _this->ppp->peer_auth == PPP_AUTH_CHAP_MD5);
469
470 _this->lchall = 16;
471 arc4random_buf(_this->chall, _this->lchall);
472}
473
474/***********************************************************************
475 * Proxy Authentication
476 ***********************************************************************/
477int
478chap_proxy_authen_prepare(chap *_this, dialin_proxy_info *dpi)
479{
480
481 CHAP_ASSERT(dpi->auth_type == PPP_AUTH_CHAP_MD5);
482 CHAP_ASSERT(_this->state == CHAP_STATE_INITIAL);
483
484 _this->pktid = dpi->auth_id;
485
486#ifdef USE_NPPPD_MPPE1
487 if (MPPE_IS_REQUIRED(_this->ppp)(((_this->ppp)->mppe.enabled != 0) && ((_this->
ppp)->mppe.required != 0)) &&
488 _this->type != PPP_AUTH_CHAP_MS_V20x81) {
489 chap_log(_this, LOG_ALERT1,
490 "mppe is required but try to start chap "
491 "type=0x%02x", dpi->auth_type);
492 return -1;
493 }
494#endif
495 /* authentication */
496 if (strlen(dpi->username) >= sizeof(_this->name)) {
497 chap_log(_this, LOG_NOTICE5,
498 "\"Proxy Authen Name\" is too long.");
499 return -1;
500 }
501 if (dpi->lauth_chall >= sizeof(_this->chall)) {
502 chap_log(_this, LOG_NOTICE5,
503 "\"Proxy Authen Challenge\" is too long.");
504 return -1;
505 }
506
507 /* copy the authentication properties */
508 CHAP_ASSERT(_this->ppp->proxy_authen_resp == NULL);
509 if ((_this->ppp->proxy_authen_resp = malloc(dpi->lauth_resp)) ==
510 NULL((void *)0)) {
511 chap_log(_this, LOG_ERR3, "malloc() failed in %s(): %m",
512 __func__);
513 return -1;
514 }
515 memcpy(_this->ppp->proxy_authen_resp, dpi->auth_resp,
516 dpi->lauth_resp);
517 _this->ppp->lproxy_authen_resp = dpi->lauth_resp;
518
519 _this->challid = dpi->auth_id;
520 strlcpy(_this->name, dpi->username, sizeof(_this->name));
521
522 memcpy(_this->chall, dpi->auth_chall, dpi->lauth_chall);
523 _this->lchall = dpi->lauth_chall;
524
525 _this->state = CHAP_STATE_PROXY_AUTHENTICATION6;
526
527 return 0;
528}
529
530/************************************************************************
531 * Functions for MD5-CHAP(RFC1994)
532 ************************************************************************/
533static void
534md5chap_authenticate(chap *_this, int id, char *username, u_char *challenge,
535 int lchallenge, u_char *response)
536{
537 MD5_CTX md5ctx;
538 int rval, passlen;
539 u_char digest[16];
540 char *password, buf[MAX_PASSWORD_LENGTH256 + 1];
541
542 buf[0] = id;
543 passlen = sizeof(buf) - 1;
544 password = &buf[1];
545
546 rval = npppd_get_user_password(_this->ppp->pppd, _this->ppp, username,
547 password, &passlen);
548
549 if (rval != 0) {
550 switch (rval) {
551 case 1:
552 chap_log(_this, LOG_INFO6,
553 "username=\"%s\" user unknown", username);
554 break;
555 default:
556 chap_log(_this, LOG_ERR3,
557 "username=\"%s\" generic error", username);
558 break;
559 }
560 goto auth_failed;
561 }
562 passlen = strlen(password);
563 MD5Init(&md5ctx);
564 MD5Update(&md5ctx, buf, passlen + 1);
565 MD5Update(&md5ctx, challenge, lchallenge);
566 MD5Final(digest, &md5ctx);
567
568 if (memcmp(response, digest, 16) == 0) {
569 chap_response(_this, 1, "OK", 2);
570 return;
571 }
572 /* FALLTHROUGH. The password are not matched */
573auth_failed:
574 /* No extra information, just "FAILED" */
575 chap_send_error(_this, "FAILED");
576
577 return;
578}
579
580static void
581chap_send_error(chap *_this, const char *msg)
582{
583 u_char *pkt, *challenge;
584 int lpkt;
585
586 challenge = _this->chall;
587
588 pkt = ppp_packetbuf(_this->ppp, PPP_PROTO_CHAP0xC223) + HEADERLEN4;
589 lpkt = _this->ppp->mru - HEADERLEN4;
590
591 strlcpy(pkt, msg, lpkt);
592 lpkt = strlen(msg);
593
594 chap_response(_this, 0, pkt, lpkt);
595}
596
597/************************************************************************
598 * Functions for MS-CHAP-V2(RFC 2759)
599 ************************************************************************/
600static void
601mschapv2_send_error(chap *_this, int error, int can_retry)
602{
603 u_char *pkt, *challenge;
604 int lpkt;
605
606 challenge = _this->chall;
607
608 pkt = ppp_packetbuf(_this->ppp, PPP_PROTO_CHAP0xC223) + HEADERLEN4;
609 lpkt = _this->ppp->mru - HEADERLEN4;
610
611 /*
612 * We don't use "M=<msg>"
613 * - pppd on Mac OS 10.4 hungs up if it received a failure packet
614 * with "M=<msg>".
615 * - RRAS on windows server 2003 never uses "M=".
616 */
617 snprintf(pkt, lpkt, "E=%d R=%d C=%02x%02x%02x%02x%02x%02x%02x%02x"
618 "%02x%02x%02x%02x%02x%02x%02x%02x V=3", error, can_retry,
619 challenge[0], challenge[1], challenge[2], challenge[3],
620 challenge[4], challenge[5], challenge[6], challenge[7],
621 challenge[8], challenge[9], challenge[10], challenge[11],
622 challenge[12], challenge[13], challenge[14], challenge[15]
623 );
624 lpkt = strlen(pkt);
625
626 chap_response(_this, 0, pkt, lpkt);
627}
628
629static void
630mschapv2_authenticate(chap *_this, int id, char *username, u_char *challenge,
631 int lchallenge, u_char *response)
632{
633 int i, rval, passlen, lpkt;
634 u_char *pkt;
635 char password[MAX_PASSWORD_LENGTH256 * 2], ntresponse[24];
636#ifdef USE_NPPPD_MPPE1
637 char pwdhash[16], pwdhashhash[16];
638#endif
639
640 CHAP_DBG((_this, LOG_DEBUG, "%s()", __func__));
641 pkt = ppp_packetbuf(_this->ppp, PPP_PROTO_CHAP0xC223) + HEADERLEN4;
642 lpkt = _this->ppp->mru - HEADERLEN4;
643
644 passlen = sizeof(password) / 2;
645 rval = npppd_get_user_password(_this->ppp->pppd, _this->ppp, username,
646 password, &passlen);
647
648 if (rval != 0) {
649 switch (rval) {
650 case 1:
651 chap_log(_this, LOG_INFO6,
652 "username=\"%s\" user unknown", username);
653 break;
654 default:
655 chap_log(_this, LOG_ERR3,
656 "username=\"%s\" generic error", username);
657 break;
658 }
659 goto auth_failed;
660 }
661
662 /* Convert the string charset from ASCII to UTF16-LE */
663 passlen = strlen(password);
664 for (i = passlen - 1; i >= 0; i--) {
665 password[i*2] = password[i];
666 password[i*2+1] = 0;
667 }
668
669 mschap_nt_response(challenge, response, username, strlen(username),
670 password, passlen * 2, ntresponse);
671
672 if (memcmp(ntresponse, response + 24, 24) != 0) {
673 chap_log(_this, LOG_INFO6,
674 "username=\"%s\" password mismatch.", username);
675 goto auth_failed;
676 }
677
678 /*
679 * Authentication succeed
680 */
681 CHAP_DBG((_this, LOG_DEBUG, "%s() OK", __func__));
682
683 mschap_auth_response(password, passlen * 2, ntresponse,
684 challenge, response, username, strlen(username), pkt);
685 lpkt = 42;
686#ifdef USE_NPPPD_MPPE1
687 if (_this->ppp->mppe.enabled != 0) {
688 mschap_ntpassword_hash(password, passlen * 2, pwdhash);
689 mschap_ntpassword_hash(pwdhash, sizeof(pwdhash), pwdhashhash);
690
691 mschap_masterkey(pwdhashhash, ntresponse,
692 _this->ppp->mppe.master_key);
693 mschap_asymetric_startkey(_this->ppp->mppe.master_key,
694 _this->ppp->mppe.recv.master_key, MPPE_KEYLEN16, 0, 1);
695 mschap_asymetric_startkey(_this->ppp->mppe.master_key,
696 _this->ppp->mppe.send.master_key, MPPE_KEYLEN16, 1, 1);
697 }
698#endif
699 chap_response(_this, 1, pkt, lpkt);
700
701 return;
702auth_failed:
703 /* No extra information */
704 mschapv2_send_error(_this, ERROR_AUTHENTICATION_FAILURE691, 0);
705
706 return;
707}
708
709#ifdef USE_NPPPD_RADIUS1
710/************************************************************************
711 * Functions for RADIUS
712 * RFC 2058: RADIUS
713 * RFC 2548: Microsoft Vendor-specific RADIUS Attributes
714 ************************************************************************/
715static void
716chap_radius_authenticate(chap *_this, int id, char *username,
717 u_char *challenge, int lchallenge, u_char *response)
718{
719 void *radctx;
720 RADIUS_PACKET *radpkt;
721 radius_req_setting *rad_setting;
722 int lpkt;
723 u_char *pkt;
724 char buf0[MAX_USERNAME_LENGTH256];
725
726 radpkt = NULL((void *)0);
727 radctx = NULL((void *)0);
728
729 if ((rad_setting = npppd_get_radius_auth_setting(_this->ppp->pppd,
730 _this->ppp)) == NULL((void *)0)) {
731 goto fail; /* no radius server */
732 }
733 pkt = ppp_packetbuf(_this->ppp, PPP_PROTO_CHAP0xC223) + HEADERLEN4;
734 lpkt = _this->ppp->mru - HEADERLEN4;
735
736 if ((radpkt = radius_new_request_packet(RADIUS_CODE_ACCESS_REQUEST1))
737 == NULL((void *)0))
738 goto fail;
739 if (radius_prepare(rad_setting, _this, &radctx, chap_radius_response)
740 != 0) {
741 radius_delete_packet(radpkt);
742 goto fail;
743 }
744
745 if (ppp_set_radius_attrs_for_authreq(_this->ppp, rad_setting, radpkt)
746 != 0)
747 goto fail;
748
749 if (radius_put_string_attr(radpkt, RADIUS_TYPE_USER_NAME1,
750 npppd_ppp_get_username_for_auth(_this->ppp->pppd, _this->ppp,
751 username, buf0)) != 0)
752 goto fail;
753
754 switch (_this->type) {
755 case PPP_AUTH_CHAP_MD50x05:
756 {
757 u_char md5response[17];
758
759 md5response[0] = _this->challid;
760 memcpy(&md5response[1], response, 16);
761 if (radius_put_raw_attr(radpkt,
762 RADIUS_TYPE_CHAP_PASSWORD3, md5response, 17) != 0)
763 goto fail;
764 if (radius_put_raw_attr(radpkt,
765 RADIUS_TYPE_CHAP_CHALLENGE60, challenge, lchallenge) != 0)
766 goto fail;
767 break;
768 }
769 case PPP_AUTH_CHAP_MS_V20x81:
770 {
771 struct RADIUS_MS_CHAP2_RESPONSE msresponse;
772
773 /* Preparing RADIUS_MS_CHAP2_RESPONSE */
774 memset(&msresponse, 0, sizeof(msresponse));
775 msresponse.ident = id;
776 msresponse.flags = response[48];
777 memcpy(&msresponse.peer_challenge, response, 16);
778 memcpy(&msresponse.response, response + 24, 24);
779
780 if (radius_put_vs_raw_attr(radpkt, RADIUS_VENDOR_MICROSOFT311,
781 RADIUS_VTYPE_MS_CHAP_CHALLENGE11, challenge, 16) != 0)
782 goto fail;
783 if (radius_put_vs_raw_attr(radpkt, RADIUS_VENDOR_MICROSOFT311,
784 RADIUS_VTYPE_MS_CHAP2_RESPONSE25, &msresponse,
785 sizeof(msresponse)) != 0)
786 goto fail;
787 break;
788 }
789
790 }
791 radius_get_authenticator(radpkt, _this->authenticator);
792
793 /* Cancel previous request */
794 if (_this->radctx != NULL((void *)0))
795 radius_cancel_request(_this->radctx);
796
797 /* Send a request */
798 _this->radctx = radctx;
799 radius_request(radctx, radpkt);
800
801 return;
802fail:
803 switch (_this->type) {
804 case PPP_AUTH_CHAP_MD50x05:
805 /* No extra information, just "FAILED" */
806 chap_send_error(_this, "FAILED");
807 break;
808 case PPP_AUTH_CHAP_MS_V20x81:
809 /* No extra information */
810 mschapv2_send_error(_this, ERROR_AUTHENTICATION_FAILURE691, 0);
811 break;
812 }
813 if (radctx != NULL((void *)0))
814 radius_cancel_request(radctx);
815}
816
817static void
818chap_radius_response(void *context, RADIUS_PACKET *pkt, int flags,
819 RADIUS_REQUEST_CTX reqctx)
820{
821 int code, lrespkt;
822 const char *secret, *reason = "";
823 chap *_this;
824 u_char *respkt, *respkt0;
825 int errorCode;
826 RADIUS_REQUEST_CTX radctx;
827
828 CHAP_ASSERT(context != NULL);
829
830 reason = "";
831 errorCode = ERROR_AUTH_SERVER_TIMEOUT930;
832 _this = context;
833 secret = radius_get_server_secret(_this->radctx);
834 radctx = _this->radctx;
835 _this->radctx = NULL((void *)0); /* IMPORTANT */
836
837 respkt = respkt0 = ppp_packetbuf(_this->ppp, PPP_PROTO_CHAP0xC223)
Although the value stored to 'respkt0' is used in the enclosing expression, the value is never actually read from 'respkt0'
838 + HEADERLEN4;
839 lrespkt = _this->ppp->mru - HEADERLEN4;
840 if (pkt == NULL((void *)0)) {
841 if (flags & RADIUS_REQUEST_TIMEOUT0x0002)
842 reason = "timeout";
843 else if (flags & RADIUS_REQUEST_ERROR0x0001)
844 reason = strerror(errno(*__errno()));
845 else
846 reason = "error";
847 goto auth_failed;
848 }
849
850 code = radius_get_code(pkt);
851 if (code == RADIUS_CODE_ACCESS_REJECT3) {
852 reason="reject";
853 errorCode = ERROR_AUTHENTICATION_FAILURE691;
854 /* Windows peer will reset the password by this error code */
855 goto auth_failed;
856 } else if (code != RADIUS_CODE_ACCESS_ACCEPT2) {
857 reason="error";
858 goto auth_failed;
859 }
860 if ((flags & RADIUS_REQUEST_CHECK_AUTHENTICATOR_OK0x0010) == 0 &&
861 (flags & RADIUS_REQUEST_CHECK_AUTHENTICATOR_NO_CHECK0x0020) == 0) {
862 reason="bad_authenticator";
863 goto auth_failed;
864 }
865 /*
866 * Authentication OK
867 */
868 switch (_this->type) {
869 case PPP_AUTH_CHAP_MD50x05:
870 chap_response(_this, 1, "OK", 2);
871 break;
872 case PPP_AUTH_CHAP_MS_V20x81:
873 {
874 struct RADIUS_MS_CHAP2_SUCCESS success;
875#ifdef USE_NPPPD_MPPE1
876 struct RADIUS_MPPE_KEY sendkey, recvkey;
877#endif
878 size_t len;
879
880 len = sizeof(success);
881 if (radius_get_vs_raw_attr(pkt, RADIUS_VENDOR_MICROSOFT311,
882 RADIUS_VTYPE_MS_CHAP2_SUCCESS26, &success, &len) != 0) {
883 chap_log(_this, LOG_ERR3, "no ms_chap2_success");
884 goto auth_failed;
885 }
886#ifdef USE_NPPPD_MPPE1
887 if (_this->ppp->mppe.enabled != 0) {
888 len = sizeof(sendkey);
889 if (radius_get_vs_raw_attr(pkt, RADIUS_VENDOR_MICROSOFT311,
890 RADIUS_VTYPE_MPPE_SEND_KEY16, &sendkey, &len) != 0) {
891 chap_log(_this, LOG_ERR3, "no mppe_send_key");
892 goto auth_failed;
893 }
894 len = sizeof(recvkey);
895 if (radius_get_vs_raw_attr(pkt, RADIUS_VENDOR_MICROSOFT311,
896 RADIUS_VTYPE_MPPE_RECV_KEY17, &recvkey, &len) != 0) {
897 chap_log(_this, LOG_ERR3, "no mppe_recv_key");
898 goto auth_failed;
899 }
900
901 mschap_radiuskey(_this->ppp->mppe.send.master_key,
902 sendkey.salt, _this->authenticator, secret);
903
904 mschap_radiuskey(_this->ppp->mppe.recv.master_key,
905 recvkey.salt, _this->authenticator, secret);
906 }
907#endif
908 chap_response(_this, 1, success.str, sizeof(success.str));
909 break;
910 }
911 }
912 ppp_process_radius_framed_ip(_this->ppp, pkt);
913
914 return;
915auth_failed:
916 chap_log(_this, LOG_WARNING4, "Radius authentication request failed: %s",
917 reason);
918 /* log reply messages from radius server */
919 if (pkt != NULL((void *)0)) {
920 char radmsg[255], vissed[1024];
921 size_t rmlen = 0;
922 if ((radius_get_raw_attr(pkt, RADIUS_TYPE_REPLY_MESSAGE18,
923 radmsg, &rmlen)) == 0) {
924 if (rmlen != 0) {
925 strvisx(vissed, radmsg, rmlen, VIS_WHITE(0x04 | 0x08 | 0x10));
926 chap_log(_this, LOG_WARNING4,
927 "Radius reply message: %s", vissed);
928 }
929 }
930 }
931
932 /* No extra information */
933 chap_failure(_this, "FAILED", errorCode);
934}
935
936#endif
937
938/************************************************************************
939 * Miscellaneous functions
940 ************************************************************************/
941static char *
942strip_nt_domain(char *username)
943{
944 char *lastbackslash;
945
946 if ((lastbackslash = strrchr(username, '\\')) != NULL((void *)0))
947 return lastbackslash + 1;
948
949 return username;
950}
951
952static void
953chap_log(chap *_this, uint32_t prio, const char *fmt, ...)
954{
955 const char *protostr;
956 char logbuf[BUFSIZ1024];
957 va_list ap;
958
959 CHAP_ASSERT(_this != NULL);
960 CHAP_ASSERT(_this->ppp != NULL);
961
962 switch (_this->type) {
963 case PPP_AUTH_CHAP_MD50x05:
964 protostr = "chap";
965 break;
966 case PPP_AUTH_CHAP_MS_V20x81:
967 protostr = "mschap_v2";
968 break;
969 default:
970 protostr = "unknown";
971 break;
972 }
973
974 va_start(ap, fmt)__builtin_va_start(ap, fmt);
975 snprintf(logbuf, sizeof(logbuf), "ppp id=%u layer=chap proto=%s %s",
976 _this->ppp->id, protostr, fmt);
977 vlog_printf(prio, logbuf, ap);
978 va_end(ap)__builtin_va_end(ap);
979}