The FreeRADIUS server $Id: 15bac2a4c627c01d1aa2047687b3418955ac7f00 $
Loading...
Searching...
No Matches
rlm_eap_mschapv2.c
Go to the documentation of this file.
1/*
2 * rlm_eap_mschapv2.c Handles that are called from eap
3 *
4 * Version: $Id: 0704a2db8c2fb8603ca45bd2bc2a05442c0b48c3 $
5 *
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 2 of the License, or
9 * (at your option) any later version.
10 *
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
15 *
16 * You should have received a copy of the GNU General Public License
17 * along with this program; if not, write to the Free Software
18 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
19 *
20 * @copyright 2003,2006 The FreeRADIUS server project
21 */
22
23RCSID("$Id: 0704a2db8c2fb8603ca45bd2bc2a05442c0b48c3 $")
24
25#include <freeradius-devel/server/dependency.h>
26#include <freeradius-devel/server/pair.h>
27#include <freeradius-devel/server/virtual_servers.h>
28#include <freeradius-devel/unlang/call.h>
29#include <freeradius-devel/unlang/interpret.h>
30#include <freeradius-devel/util/base16.h>
31#include <freeradius-devel/util/debug.h>
32#include <freeradius-devel/util/rand.h>
33
34#include "eap_mschapv2.h"
35
36static int auth_type_parse(TALLOC_CTX *ctx, void *out, UNUSED void *parent,
37 CONF_ITEM *ci, UNUSED conf_parser_t const *rule);
38
45
49
51 { FR_CONF_OFFSET("with_ntdomain_hack", rlm_eap_mschapv2_t, with_ntdomain_hack), .dflt = "no" },
52
53 { FR_CONF_OFFSET_TYPE_FLAGS("auth_type", FR_TYPE_VOID, 0, rlm_eap_mschapv2_t, auth_type), .func = auth_type_parse, .dflt = "mschap" },
54 { FR_CONF_OFFSET("send_error", rlm_eap_mschapv2_t, send_error), .dflt = "no" },
55 { FR_CONF_OFFSET("identity", rlm_eap_mschapv2_t, identity) },
57};
58
60static fr_dict_t const *dict_radius;
61
64 { .out = &dict_freeradius, .proto = "freeradius" },
65 { .out = &dict_radius, .proto = "radius" },
66 { NULL }
67};
68
72
74
87
90 { .out = &attr_auth_type, .name = "Auth-Type", .type = FR_TYPE_UINT32, .dict = &dict_freeradius },
91 { .out = &attr_ms_chap_peer_challenge, .name = "MS-CHAP-Peer-Challenge", .type = FR_TYPE_OCTETS, .dict = &dict_freeradius },
92 { .out = &attr_ms_chap_user_name, .name = "MS-CHAP-User-Name", .type = FR_TYPE_STRING, .dict = &dict_freeradius },
93
94 { .out = &attr_microsoft, .name = "Vendor-Specific.Microsoft", .type = FR_TYPE_VENDOR, .dict = &dict_radius },
95
96 { .out = &attr_ms_chap_challenge, .name = "Vendor-Specific.Microsoft.CHAP-Challenge", .type = FR_TYPE_OCTETS, .dict = &dict_radius },
97 { .out = &attr_ms_chap_error, .name = "Vendor-Specific.Microsoft.CHAP-Error", .type = FR_TYPE_STRING, .dict = &dict_radius },
98 { .out = &attr_ms_chap_nt_enc_pw, .name = "Vendor-Specific.Microsoft.CHAP-NT-Enc-PW", .type = FR_TYPE_OCTETS, .dict = &dict_radius },
99 { .out = &attr_ms_chap2_cpw, .name = "Vendor-Specific.Microsoft.CHAP2-CPW", .type = FR_TYPE_OCTETS, .dict = &dict_radius },
100 { .out = &attr_ms_chap2_response, .name = "Vendor-Specific.Microsoft.CHAP2-Response", .type = FR_TYPE_OCTETS, .dict = &dict_radius },
101 { .out = &attr_ms_chap2_success, .name = "Vendor-Specific.Microsoft.CHAP2-Success", .type = FR_TYPE_OCTETS, .dict = &dict_radius },
102 { .out = &attr_ms_mppe_encryption_policy, .name = "Vendor-Specific.Microsoft.MPPE-Encryption-Policy", .type = FR_TYPE_UINT32, .dict = &dict_radius },
103 { .out = &attr_ms_mppe_encryption_type, .name = "Vendor-Specific.Microsoft.MPPE-Encryption-Type", .type = FR_TYPE_UINT32, .dict = &dict_radius },
104 { .out = &attr_ms_mppe_send_key, .name = "Vendor-Specific.Microsoft.MPPE-Send-Key", .type = FR_TYPE_OCTETS, .dict = &dict_radius },
105 { .out = &attr_ms_mppe_recv_key, .name = "Vendor-Specific.Microsoft.MPPE-Recv-Key", .type = FR_TYPE_OCTETS, .dict = &dict_radius },
106 { .out = &attr_state, .name = "State", .type = FR_TYPE_OCTETS, .dict = &dict_radius },
107 { .out = &attr_user_name, .name = "User-Name", .type = FR_TYPE_STRING, .dict = &dict_radius },
108 { NULL }
109};
110
112{
114
115 RDEBUG2("Storing attributes for final response");
116
117 parent = fr_pair_find_by_da_nested(&request->reply_pairs, NULL, attr_microsoft);
118 if (!parent) parent = request->reply_ctx;
119
120 RINDENT();
121 if (fr_pair_list_copy_by_da(data, &data->mppe_keys, &parent->vp_group,
124 }
125 if (fr_pair_list_copy_by_da(data, &data->mppe_keys, &parent->vp_group,
128 }
129 if (fr_pair_list_copy_by_da(data, &data->mppe_keys, &parent->vp_group,
130 attr_ms_mppe_recv_key, 0) > 0) {
131 RDEBUG2("%s", attr_ms_mppe_recv_key->name);
132 }
133 if (fr_pair_list_copy_by_da(data, &data->mppe_keys, &parent->vp_group,
134 attr_ms_mppe_send_key, 0) > 0) {
135 RDEBUG2("%s", attr_ms_mppe_send_key->name);
136 }
137 REXDENT();
138}
139
140/** Translate a string auth_type into an enumeration value
141 *
142 * @param[in] ctx to allocate data.
143 * @param[out] out Where to write the auth_type we created or resolved.
144 * @param[in] parent Base structure address.
145 * @param[in] ci #CONF_PAIR specifying the name of the auth_type.
146 * @param[in] rule unused.
147 * @return
148 * - 0 on success.
149 * - -1 on failure.
150 */
151static int auth_type_parse(UNUSED TALLOC_CTX *ctx, void *out, UNUSED void *parent,
152 CONF_ITEM *ci, UNUSED conf_parser_t const *rule)
153{
154 char const *auth_type = cf_pair_value(cf_item_to_pair(ci));
155
157 cf_log_err(ci, "Failed adding %s alias", attr_auth_type->name);
158 return -1;
159 }
161
162 return 0;
163}
164
165/*
166 * Compose the response.
167 */
168static int eap_mschapv2_compose(rlm_eap_mschapv2_t const *inst, request_t *request, eap_session_t *eap_session,
169 fr_pair_t *reply) CC_HINT(nonnull);
170static int eap_mschapv2_compose(rlm_eap_mschapv2_t const *inst, request_t *request, eap_session_t *eap_session,
171 fr_pair_t *reply)
172{
173 uint8_t *ptr;
174 int16_t length;
176 eap_round_t *eap_round = eap_session->this_round;
177
178 eap_round->request->code = FR_EAP_CODE_REQUEST;
180
181 /*
182 * Always called with vendor Microsoft
183 */
184 if (reply->da == attr_ms_chap_challenge) {
185 /*
186 * 0 1 2 3
187 * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
188 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
189 * | Code | Identifier | Length |
190 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
191 * | Type | OpCode | MS-CHAPv2-ID | MS-Length...
192 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
193 * | MS-Length | Value-Size | Challenge...
194 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
195 * | Challenge...
196 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
197 * | Server Name...
198 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
199 */
200 length = MSCHAPV2_HEADER_LEN + MSCHAPV2_CHALLENGE_LEN + (talloc_array_length(inst->identity) - 1);
201 eap_round->request->type.data = talloc_array(eap_round->request, uint8_t, length);
202
203 /*
204 * Allocate room for the EAP-MS-CHAPv2 data.
205 */
206 if (!eap_round->request->type.data) return -1;
207 eap_round->request->type.length = length;
208
209 ptr = eap_round->request->type.data;
210 hdr = (mschapv2_header_t *) ptr;
211
213 hdr->mschapv2_id = eap_round->response->id + 1;
214 length = htons(length);
215 memcpy(hdr->ms_length, &length, sizeof(uint16_t));
217
218 ptr += MSCHAPV2_HEADER_LEN;
219
220 /*
221 * Copy the Challenge, success, or error over.
222 */
223 memcpy(ptr, reply->vp_octets, reply->vp_length);
224 memcpy((ptr + reply->vp_length), inst->identity, (talloc_array_length(inst->identity) - 1));
225 } else if (reply->da == attr_ms_chap2_success) {
226 /*
227 * 0 1 2 3
228 * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
229 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
230 * | Code | Identifier | Length |
231 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
232 * | Type | OpCode | MS-CHAPv2-ID | MS-Length...
233 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
234 * | MS-Length | Message...
235 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
236 */
237 RDEBUG2("MS-CHAPv2 Success");
238 length = 46;
239 eap_round->request->type.data = talloc_array(eap_round->request, uint8_t, length);
240 /*
241 * Allocate room for the EAP-MS-CHAPv2 data.
242 */
243 if (!eap_round->request->type.data) return -1;
244 memset(eap_round->request->type.data, 0, length);
245 eap_round->request->type.length = length;
246
247 eap_round->request->type.data[0] = FR_EAP_MSCHAPV2_SUCCESS;
248 eap_round->request->type.data[1] = eap_round->response->id;
249 length = htons(length);
250 memcpy((eap_round->request->type.data + 2), &length, sizeof(uint16_t));
251 memcpy((eap_round->request->type.data + 4), reply->vp_strvalue + 1, 42);
252 } else if (reply->da == attr_ms_chap_error) {
253 REDEBUG("MS-CHAPv2 Failure");
254 length = 4 + reply->vp_length - 1;
255 eap_round->request->type.data = talloc_array(eap_round->request, uint8_t, length);
256
257 /*
258 * Allocate room for the EAP-MS-CHAPv2 data.
259 */
260 if (!eap_round->request->type.data) return 0;
261 memset(eap_round->request->type.data, 0, length);
262 eap_round->request->type.length = length;
263
264 eap_round->request->type.data[0] = FR_EAP_MSCHAPV2_FAILURE;
265 eap_round->request->type.data[1] = eap_round->response->id;
266 length = htons(length);
267 memcpy((eap_round->request->type.data + 2), &length, sizeof(uint16_t));
268 /*
269 * Copy the entire failure message.
270 */
271 memcpy((eap_round->request->type.data + 4), reply->vp_strvalue + 1, reply->vp_length - 1);
272 } else {
273 RERROR("%s: Internal sanity check failed", __FUNCTION__);
274 return -1;
275 }
276
277 return 0;
278}
279
280
281static unlang_action_t CC_HINT(nonnull) mod_process(unlang_result_t *p_result, module_ctx_t const *mctx, request_t *request);
282
284{
285 rlm_eap_mschapv2_rctx_t *rctx = talloc_get_type_abort(mctx->rctx, rlm_eap_mschapv2_rctx_t);
286 eap_session_t *eap_session = eap_session_get(request->parent);
287 mschapv2_opaque_t *data = talloc_get_type_abort(eap_session->opaque, mschapv2_opaque_t);
288 eap_round_t *eap_round = eap_session->this_round;
289 fr_pair_list_t response;
290 rlm_eap_mschapv2_t const *inst = mctx->mi->data;
291 rlm_rcode_t rcode = rctx->section_result.rcode;
293
294 fr_pair_list_init(&response);
295
296 /*
297 * Delete MPPE keys & encryption policy. We don't
298 * want these here.
299 */
300 mppe_keys_store(request, data);
301
302 parent = fr_pair_find_by_da_nested(&request->reply_pairs, NULL, attr_microsoft);
303 if (!parent) parent = request->reply_ctx;
304
305 /*
306 * Take the response from the mschap module, and
307 * return success or failure, depending on the result.
308 */
309 if (rcode == RLM_MODULE_OK) {
310 if (fr_pair_list_copy_by_da(data, &response, &parent->vp_group, attr_ms_chap2_success, 0) < 0) {
311 RPERROR("Failed copying %s", attr_ms_chap2_success->name);
313 }
314
316 } else if (inst->send_error) {
317 if (fr_pair_list_copy_by_da(data, &response, &parent->vp_group, attr_ms_chap_error, 0) < 0) {
318 RPERROR("Failed copying %s", attr_ms_chap_error->name);
320 }
321 if (!fr_pair_list_empty(&response)) {
322 int n, err, retry;
323 char buf[34];
324 fr_pair_t *vp = fr_pair_list_head(&response);
325
327
328 RDEBUG2("MSCHAP-Error: %pV", &vp->data);
329
330 /*
331 * Parse the new challenge out of the
332 * MS-CHAP-Error, so that if the client
333 * issues a re-try, we will know which
334 * challenge value that they used.
335 */
336 n = sscanf(vp->vp_strvalue, "%*cE=%d R=%d C=%32s", &err, &retry, &buf[0]);
337 if (n == 3) {
338 RDEBUG2("Found new challenge from MS-CHAP-Error: err=%d retry=%d challenge=%s",
339 err, retry, buf);
340 fr_base16_decode(NULL, &FR_DBUFF_TMP(data->auth_challenge, 16),
341 &FR_SBUFF_IN(buf, strlen(buf)), false);
342 } else {
343 RDEBUG2("Could not parse new challenge from MS-CHAP-Error: %d", n);
344 }
345 }
347 } else {
348 eap_round->request->code = FR_EAP_CODE_FAILURE;
350 }
351
352 /*
353 * No response, die.
354 */
355 if (fr_pair_list_empty(&response)) {
356 REDEBUG("No %s or %s attributes were found", attr_ms_chap2_success->name, attr_ms_chap_error->name);
358 }
359
360 /*
361 * Compose the response (whatever it is),
362 * and return it to the over-lying EAP module.
363 */
364 eap_mschapv2_compose(eap_session->inst, request, eap_session, fr_pair_list_head(&response));
365 fr_pair_list_free(&response);
366
368}
369
370/*
371 * Authenticate a previously sent challenge.
372 */
373static unlang_action_t CC_HINT(nonnull) mod_process(unlang_result_t *p_result, module_ctx_t const *mctx, request_t *request)
374{
375 rlm_eap_mschapv2_t const *inst = talloc_get_type_abort(mctx->mi->data, rlm_eap_mschapv2_t);
376 rlm_eap_mschapv2_rctx_t *rctx = talloc_get_type_abort(mctx->rctx, rlm_eap_mschapv2_rctx_t);
377 request_t *parent = request->parent;
378 eap_session_t *eap_session = eap_session_get(parent);
379 mschapv2_opaque_t *data = talloc_get_type_abort(eap_session->opaque, mschapv2_opaque_t);
380 eap_round_t *eap_round = eap_session->this_round;
381 fr_pair_t *auth_challenge, *response, *name;
382
383 CONF_SECTION *unlang;
384 int ccode;
385 uint8_t *p;
386 size_t length;
387
388 if (!fr_cond_assert(eap_session->inst)) RETURN_UNLANG_FAIL;
389
390 /*
391 * Sanity check the response.
392 */
393 if (eap_round->response->length < 6) {
394 REDEBUG("Response too short, expected at least 6 bytes, got %zu bytes",
395 eap_round->response->length);
397 }
398
399 ccode = eap_round->response->type.data[0];
400
401 switch (data->code) {
403 if (ccode == FR_EAP_MSCHAPV2_RESPONSE) {
404 RDEBUG2("Authentication re-try from client after we sent a failure");
405 break;
406 }
407
408 /*
409 * if we sent error 648 (password expired) to the client
410 * we might get an MSCHAP-CPW packet here; turn it into a
411 * regular MS-CHAP2-CPW packet and pass it to rlm_mschap
412 * (or proxy it, I guess)
413 */
414 if (ccode == FR_EAP_MSCHAPV2_CHGPASSWD) {
415 fr_pair_t *cpw;
416 int mschap_id = eap_round->response->type.data[1];
417 int copied = 0;
418 int seq = 1;
419 fr_pair_t *ms;
420
421 RDEBUG2("Password change packet received");
422
423 MEM(pair_update_request(&auth_challenge, attr_ms_chap_challenge) >= 0);
424 fr_pair_value_memdup(auth_challenge, data->auth_challenge, MSCHAPV2_CHALLENGE_LEN, false);
425
427 MEM(fr_pair_value_mem_alloc(cpw, &p, 68, false) == 0);
428 p[0] = 7;
429 p[1] = mschap_id;
430 memcpy(p + 2, eap_round->response->type.data + 520, 66);
431
432 ms = fr_pair_find_by_da_nested(&request->request_pairs, NULL, attr_microsoft);
433 if (!ms) ms = request->request_ctx;
434
435 /*
436 * break the encoded password into VPs (3 of them)
437 */
438 while (copied < 516) {
439 fr_pair_t *nt_enc;
440
441 int to_copy = 516 - copied;
442 if (to_copy > 243) to_copy = 243;
443
445 MEM(fr_pair_value_mem_alloc(nt_enc, &p, 4 + to_copy, false) == 0);
446 MEM(fr_pair_append(&ms->vp_group, nt_enc) == 0);
447 p[0] = 6;
448 p[1] = mschap_id;
449 p[2] = 0;
450 p[3] = seq++;
451 memcpy(p + 4, eap_round->response->type.data + 4 + copied, to_copy);
452
453 copied += to_copy;
454 }
455
456 RDEBUG2("Built change password packet");
457 log_request_pair_list(L_DBG_LVL_2, request, NULL, &request->request_pairs, NULL);
458
459 /*
460 * jump to "authentication"
461 */
462 goto packet_ready;
463 }
464
465 /*
466 * we sent a failure and are expecting a failure back
467 */
468 if (ccode != FR_EAP_MSCHAPV2_FAILURE) {
469 REDEBUG("Sent FAILURE expecting FAILURE but got %d", ccode);
471 }
472
473failure:
474 eap_round->request->code = FR_EAP_CODE_FAILURE;
476
478 /*
479 * we sent a success to the client; some clients send a
480 * success back as-per the RFC, some send an ACK. Permit
481 * both, I guess...
482 */
483
484 switch (ccode) {
486 eap_round->request->code = FR_EAP_CODE_SUCCESS;
487
488 if (!fr_pair_list_empty(&data->mppe_keys)) {
489 fr_pair_t *ms;
490
491 ms = fr_pair_find_by_da_nested(&parent->reply_pairs, NULL, attr_microsoft);
492 if (!ms) {
493 MEM(ms = fr_pair_afrom_da_nested(parent->reply_ctx, &parent->reply_pairs, attr_microsoft));
494 }
495
496 RDEBUG2("Adding stored attributes to parent");
497 log_request_pair_list(L_DBG_LVL_2, request, NULL, &data->mppe_keys, "parent.reply.");
498 MEM(fr_pair_list_copy(ms, &ms->vp_group, &data->mppe_keys) >= 0);
499 } else {
500 RDEBUG2("No stored attributes to copy to parent");
501 }
502
504
506 MEM(fr_pair_list_copy(parent->reply_ctx, &parent->reply_pairs, &data->reply) >= 0);
508 }
509 REDEBUG("Sent SUCCESS expecting SUCCESS (or ACK) but got %d", ccode);
511
513 if (ccode == FR_EAP_MSCHAPV2_FAILURE) goto failure;
514
515 /*
516 * we sent a challenge, expecting a response
517 */
518 if (ccode != FR_EAP_MSCHAPV2_RESPONSE) {
519 REDEBUG("Sent CHALLENGE expecting RESPONSE but got %d", ccode);
521 }
522 /* authentication happens below */
523 break;
524
525 default:
526 /* should never happen */
527 REDEBUG("Unknown state %d", data->code);
529 }
530
531
532 /*
533 * Ensure that we have at least enough data
534 * to do the following checks.
535 *
536 * EAP header (4), EAP type, MS-CHAP opcode,
537 * MS-CHAP ident, MS-CHAP data length (2),
538 * MS-CHAP value length.
539 */
540 if (eap_round->response->length < (4 + 1 + 1 + 1 + 2 + 1)) {
541 REDEBUG("Response is too short");
543 }
544
545 /*
546 * The 'value_size' is the size of the response,
547 * which is supposed to be the response (48
548 * bytes) plus 1 byte of flags at the end.
549 *
550 * NOTE: When using Cisco NEAT with EAP-MSCHAPv2, the
551 * switch supplicant will send MSCHAPv2 data (EAP type = 26)
552 * but will always set a value_size of 16 and NULL out the
553 * peer challenge.
554 *
555 */
556 if ((eap_round->response->type.data[4] != 49) &&
557 (eap_round->response->type.data[4] != 16)) {
558 REDEBUG("Response is of incorrect length %d", eap_round->response->type.data[4]);
560 }
561
562 /*
563 * The MS-Length field is 5 + value_size + length
564 * of name, which is put after the response.
565 */
566 length = fr_nbo_to_uint16(eap_round->response->type.data + 2);
567 if ((length < (5 + 49)) || (length > (256 + 5 + 49))) {
568 REDEBUG("Response contains contradictory length %zu %d", length, 5 + 49);
570 }
571
572 /*
573 * We now know that the user has sent us a response
574 * to the challenge. Let's try to authenticate it.
575 *
576 * We do this by taking the challenge from 'data',
577 * the response from the EAP packet, and creating fr_pair_t's
578 * to pass to the 'mschap' module. This is a little wonky,
579 * but it works.
580 */
581 MEM(pair_update_request(&auth_challenge, attr_ms_chap_challenge) >= 0);
582 fr_pair_value_memdup(auth_challenge, data->auth_challenge, MSCHAPV2_CHALLENGE_LEN, false);
583
585 MEM(fr_pair_value_mem_alloc(response, &p, MSCHAPV2_RESPONSE_LEN, false) == 0);
586 p[0] = eap_round->response->type.data[1];
587 p[1] = eap_round->response->type.data[5 + MSCHAPV2_RESPONSE_LEN];
588 memcpy(p + 2, &eap_round->response->type.data[5], MSCHAPV2_RESPONSE_LEN - 2);
589
590 /*
591 * If we're forcing a peer challenge, use it instead of
592 * the challenge sent by the client.
593 */
594 if (data->has_peer_challenge) memcpy(p + 2, data->peer_challenge, MSCHAPV2_CHALLENGE_LEN);
595
596 /*
597 * MS-Length - MS-Value - 5.
598 */
600 MEM(fr_pair_value_bstrndup(name, (char const *)&eap_round->response->type.data[4 + MSCHAPV2_RESPONSE_LEN],
601 length - 49 - 5, true) == 0);
602packet_ready:
603
604 /*
605 * Look for "authenticate foo" in the current virtual
606 * server. If not there, then in the parent one.
607 */
608 RDEBUG("Looking for authenticate %s { ... }", inst->auth_type->name);
609 unlang = cf_section_find(unlang_call_current(parent), "authenticate", inst->auth_type->name);
610 if (!unlang) unlang = cf_section_find(unlang_call_current(request->parent), "authenticate", inst->auth_type->name);
611 if (!unlang) {
612 RDEBUG2("authenticate %s { ... } sub-section not found.",
613 inst->auth_type->name);
615 }
616
617 return unlang_module_yield_to_section(&rctx->section_result, request, unlang, RLM_MODULE_FAIL, mschap_resume, NULL, 0, rctx);
618}
619
620/*
621 * Initiate the EAP-MSCHAPV2 session by sending a challenge to the peer.
622 */
624{
625 request_t *parent = request->parent;
626 eap_session_t *eap_session = eap_session_get(parent);
627 fr_pair_t *auth_challenge;
628 fr_pair_t *peer_challenge;
630
631 uint8_t *p;
632 int i;
633 bool created_auth_challenge;
634
636
637 /*
638 * We're looking for attributes that should come
639 * from the EAP-TTLS submodule.
640 */
642
643 /*
644 * Keep track of the challenge and the state we are in.
645 */
646 MEM(data = talloc_zero(eap_session, mschapv2_opaque_t));
648 fr_pair_list_init(&data->mppe_keys);
649 fr_pair_list_init(&data->reply);
650
651 /*
652 * Allow the administrator to set the CHAP-Challenge and Peer-Challenge attributes.
653 */
654 auth_challenge = fr_pair_find_by_da_nested(&parent->control_pairs, NULL, attr_ms_chap_challenge);
655 if (auth_challenge && (auth_challenge->vp_length != MSCHAPV2_CHALLENGE_LEN)) {
656 RWDEBUG("parent.control.MS-CHAP-Challenge is incorrect length. Ignoring it");
657 auth_challenge = NULL;
658 }
659
660 peer_challenge = fr_pair_find_by_da_nested(&parent->control_pairs, NULL, attr_ms_chap_peer_challenge);
661 if (peer_challenge && (peer_challenge->vp_length != MSCHAPV2_CHALLENGE_LEN)) {
662 RWDEBUG("parent.control.MS-CHAP-Peer-Challenge is incorrect length. Ignoring it");
663 peer_challenge = NULL;
664 }
665
666 created_auth_challenge = (auth_challenge == NULL);
667
668 /*
669 * if the administrator didn't set a challenge, then create one ourselves.
670 */
671 if (!auth_challenge) {
672 MEM(auth_challenge = fr_pair_afrom_da(eap_session, attr_ms_chap_challenge));
673 MEM(fr_pair_value_mem_alloc(auth_challenge, &p, MSCHAPV2_CHALLENGE_LEN, false) == 0);
674 for (i = 0; i < MSCHAPV2_CHALLENGE_LEN; i++) p[i] = fr_rand();
675 }
676 RDEBUG2("Issuing Challenge");
677
678 /*
679 * We're at the stage where we're challenging the user.
680 */
681 memcpy(data->auth_challenge, auth_challenge->vp_octets, MSCHAPV2_CHALLENGE_LEN);
682
683 if (peer_challenge) {
684 data->has_peer_challenge = true;
685 memcpy(data->peer_challenge, peer_challenge->vp_octets, MSCHAPV2_CHALLENGE_LEN);
686 }
687
688 eap_session->opaque = data;
689
690 /*
691 * Compose the EAP-MSCHAPV2 packet out of the data structure,
692 * and free it.
693 */
694 eap_mschapv2_compose(mctx->mi->data, request, eap_session, auth_challenge);
695 if (created_auth_challenge) TALLOC_FREE(auth_challenge);
696
697 /*
698 * We don't need to authorize the user at this point.
699 *
700 * We also don't need to keep the challenge, as it's
701 * stored in 'eap_session->this_round', which will be given back
702 * to us...
703 */
704 eap_session->process = mod_process;
705
707}
708
709/*
710 * Attach the module.
711 */
712static int mod_instantiate(module_inst_ctx_t const *mctx)
713{
714 rlm_eap_mschapv2_t *inst = talloc_get_type_abort(mctx->mi->data, rlm_eap_mschapv2_t);
715
716 if (inst->identity && (strlen(inst->identity) > 255)) {
717 cf_log_err(mctx->mi->conf, "identity is too long");
718 return -1;
719 }
720
721 if (!inst->identity) inst->identity = talloc_typed_asprintf(inst, "freeradius-%s", RADIUSD_VERSION_STRING);
722
723 return 0;
724}
725
726/*
727 * The module name should be the only globally exported symbol.
728 * That is, everything else should be 'static'.
729 */
732 .common = {
733 .name = "eap_mschapv2",
734 .magic = MODULE_MAGIC_INIT,
738 .instantiate = mod_instantiate, /* Create new submodule instance */
739 },
740 .provides = { FR_EAP_METHOD_MSCHAPV2 },
741 .session_init = mod_session_init, /* Initialise a new EAP session */
742 .clone_parent_lists = false /* HACK */
743};
unlang_action_t
Returned by unlang_op_t calls, determine the next action of the interpreter.
Definition action.h:35
int n
Definition acutest.h:577
#define fr_base16_decode(_err, _out, _in, _no_trailing)
Definition base16.h:95
#define UNCONST(_type, _ptr)
Remove const qualification from a pointer.
Definition build.h:167
#define RCSID(id)
Definition build.h:485
#define FALL_THROUGH
clang 10 doesn't recognised the FALL-THROUGH comment anymore
Definition build.h:324
#define UNUSED
Definition build.h:317
CONF_SECTION * unlang_call_current(request_t *request)
Return the last virtual server that was called.
Definition call.c:225
#define CONF_PARSER_TERMINATOR
Definition cf_parse.h:658
cf_parse_t func
Override default parsing behaviour for the specified type with a custom parsing function.
Definition cf_parse.h:612
#define FR_CONF_OFFSET(_name, _struct, _field)
conf_parser_t which parses a single CONF_PAIR, writing the result to a field in a struct
Definition cf_parse.h:284
#define FR_CONF_OFFSET_TYPE_FLAGS(_name, _type, _flags, _struct, _field)
conf_parser_t which parses a single CONF_PAIR, writing the result to a field in a struct
Definition cf_parse.h:241
Defines a CONF_PAIR to C data type mapping.
Definition cf_parse.h:595
Common header for all CONF_* types.
Definition cf_priv.h:49
A section grouping multiple CONF_PAIR.
Definition cf_priv.h:101
CONF_SECTION * cf_section_find(CONF_SECTION const *cs, char const *name1, char const *name2)
Find a CONF_SECTION with name1 and optionally name2.
Definition cf_util.c:1027
CONF_PAIR * cf_item_to_pair(CONF_ITEM const *ci)
Cast a CONF_ITEM to a CONF_PAIR.
Definition cf_util.c:663
char const * cf_pair_value(CONF_PAIR const *pair)
Return the value of a CONF_PAIR.
Definition cf_util.c:1593
#define cf_log_err(_cf, _fmt,...)
Definition cf_util.h:289
eap_type_data_t type
Definition compose.h:39
size_t length
Definition compose.h:38
eap_packet_t * response
Packet we received from the peer.
Definition compose.h:49
eap_code_t code
Definition compose.h:36
uint8_t id
Definition compose.h:37
eap_packet_t * request
Packet we will send to the peer.
Definition compose.h:50
Contains a pair of request and response packets.
Definition compose.h:48
#define FR_DBUFF_TMP(_start, _len_or_end)
Creates a compound literal to pass into functions which accept a dbuff.
Definition dbuff.h:514
#define fr_cond_assert(_x)
Calls panic_action ifndef NDEBUG, else logs error and evaluates to value of _x.
Definition debug.h:139
#define MEM(x)
Definition debug.h:36
#define RADIUSD_VERSION_STRING
Definition dependency.h:39
static fr_slen_t err
Definition dict.h:841
fr_dict_attr_t * fr_dict_attr_unconst(fr_dict_attr_t const *da)
Coerce to non-const.
Definition dict_util.c:4641
fr_dict_attr_t const ** out
Where to write a pointer to the resolved fr_dict_attr_t.
Definition dict.h:274
fr_dict_t const ** out
Where to write a pointer to the loaded/resolved fr_dict_t.
Definition dict.h:287
int fr_dict_enum_add_name_next(fr_dict_attr_t *da, char const *name)
Add an name to an integer attribute hashing the name for the integer value.
Definition dict_util.c:1956
fr_dict_enum_value_t const * fr_dict_enum_by_name(fr_dict_attr_t const *da, char const *name, ssize_t len)
Definition dict_util.c:3439
Specifies an attribute which must be present for the module to function.
Definition dict.h:273
Specifies a dictionary which must be loaded/loadable for the module to function.
Definition dict.h:286
Value of an enumerated attribute.
Definition dict.h:233
#define MODULE_MAGIC_INIT
Stop people using different module/library/server versions together.
Definition dl_module.h:63
@ FR_EAP_CODE_FAILURE
Definition types.h:40
@ FR_EAP_CODE_REQUEST
Definition types.h:37
@ FR_EAP_CODE_SUCCESS
Definition types.h:39
eap_type_t num
Definition types.h:110
size_t length
Definition types.h:111
uint8_t * data
Definition types.h:112
@ FR_EAP_METHOD_MSCHAPV2
Definition types.h:71
#define MSCHAPV2_CHALLENGE_LEN
uint8_t ms_length[2]
#define MSCHAPV2_HEADER_LEN
#define MSCHAPV2_RESPONSE_LEN
#define FR_EAP_MSCHAPV2_FAILURE
#define FR_EAP_MSCHAPV2_CHALLENGE
#define FR_EAP_MSCHAPV2_SUCCESS
#define FR_EAP_MSCHAPV2_RESPONSE
#define FR_EAP_MSCHAPV2_ACK
#define FR_EAP_MSCHAPV2_CHGPASSWD
rlm_rcode_t rcode
The current rcode, from executing the instruction or merging the result from a frame.
Definition interpret.h:134
static eap_session_t * eap_session_get(request_t *request)
Definition session.h:83
void * opaque
Opaque data used by EAP methods.
Definition session.h:63
module_method_t process
Callback that should be used to process the next round.
Definition session.h:65
void const * inst
Instance of the eap module this session was created by.
Definition session.h:49
eap_round_t * this_round
The EAP response we're processing, and the EAP request we're building.
Definition session.h:60
Tracks the progress of a single session of any EAP method.
Definition session.h:41
void log_request_pair_list(fr_log_lvl_t lvl, request_t *request, fr_pair_t const *parent, fr_pair_list_t const *vps, char const *prefix)
Print a fr_pair_list_t.
Definition log.c:828
#define REXDENT()
Exdent (unindent) R* messages by one level.
Definition log.h:443
#define RWDEBUG(fmt,...)
Definition log.h:361
#define RERROR(fmt,...)
Definition log.h:298
#define RPERROR(fmt,...)
Definition log.h:302
#define RINDENT()
Indent R* messages by one level.
Definition log.h:430
@ L_DBG_LVL_2
2nd highest priority debug messages (-xx | -X).
Definition log.h:71
unsigned short uint16_t
@ FR_TYPE_STRING
String of printable characters.
@ FR_TYPE_UINT32
32 Bit unsigned integer.
@ FR_TYPE_VENDOR
Attribute that represents a vendor in the attribute tree.
@ FR_TYPE_VOID
User data.
@ FR_TYPE_OCTETS
Raw octets.
unsigned char uint8_t
module_instance_t const * mi
Instance of the module being instantiated.
Definition module_ctx.h:42
void * rctx
Resume ctx that a module previously set.
Definition module_ctx.h:45
module_instance_t * mi
Instance of the module being instantiated.
Definition module_ctx.h:51
Temporary structure to hold arguments for module calls.
Definition module_ctx.h:41
Temporary structure to hold arguments for instantiation calls.
Definition module_ctx.h:50
static uint16_t fr_nbo_to_uint16(uint8_t const data[static sizeof(uint16_t)])
Read an unsigned 16bit integer from wire format (big endian)
Definition nbo.h:146
int fr_pair_list_copy_by_da(TALLOC_CTX *ctx, fr_pair_list_t *to, fr_pair_list_t const *from, fr_dict_attr_t const *da, unsigned int count)
Duplicate pairs in a list matching the specified da.
Definition pair.c:2407
int fr_pair_list_copy(TALLOC_CTX *ctx, fr_pair_list_t *to, fr_pair_list_t const *from)
Duplicate a list of pairs.
Definition pair.c:2320
int fr_pair_value_memdup(fr_pair_t *vp, uint8_t const *src, size_t len, bool tainted)
Copy data into an "octets" data type.
Definition pair.c:2936
fr_pair_t * fr_pair_find_by_da_nested(fr_pair_list_t const *list, fr_pair_t const *prev, fr_dict_attr_t const *da)
Find a pair with a matching fr_dict_attr_t, by walking the nested fr_dict_attr_t tree.
Definition pair.c:774
int fr_pair_append(fr_pair_list_t *list, fr_pair_t *to_add)
Add a VP to the end of the list.
Definition pair.c:1342
fr_pair_t * fr_pair_afrom_da(TALLOC_CTX *ctx, fr_dict_attr_t const *da)
Dynamically allocate a new attribute and assign a fr_dict_attr_t.
Definition pair.c:287
void fr_pair_list_init(fr_pair_list_t *list)
Initialise a pair list header.
Definition pair.c:46
int fr_pair_value_bstrndup(fr_pair_t *vp, char const *src, size_t len, bool tainted)
Copy data into a "string" type value pair.
Definition pair.c:2786
int fr_pair_value_mem_alloc(fr_pair_t *vp, uint8_t **out, size_t size, bool tainted)
Pre-allocate a memory buffer for a "octets" type value pair.
Definition pair.c:2885
fr_pair_t * fr_pair_afrom_da_nested(TALLOC_CTX *ctx, fr_pair_list_t *list, fr_dict_attr_t const *da)
Create a pair (and all intermediate parents), and append it to the list.
Definition pair.c:471
#define pair_update_request(_attr, _da)
#define REDEBUG(fmt,...)
Definition radclient.h:52
#define RDEBUG2(fmt,...)
Definition radclient.h:54
#define RDEBUG(fmt,...)
Definition radclient.h:53
uint32_t fr_rand(void)
Return a 32-bit random number.
Definition rand.c:105
#define RETURN_UNLANG_HANDLED
Definition rcode.h:59
#define RETURN_UNLANG_INVALID
Definition rcode.h:60
#define RETURN_UNLANG_FAIL
Definition rcode.h:57
#define RETURN_UNLANG_REJECT
Definition rcode.h:56
#define RETURN_UNLANG_OK
Definition rcode.h:58
rlm_rcode_t
Return codes indicating the result of the module call.
Definition rcode.h:40
@ RLM_MODULE_OK
The module is OK, continue.
Definition rcode.h:43
@ RLM_MODULE_FAIL
Module failed, don't reply.
Definition rcode.h:42
static fr_dict_attr_t const * attr_microsoft
static unlang_action_t mschap_resume(unlang_result_t *p_result, module_ctx_t const *mctx, request_t *request)
static int eap_mschapv2_compose(rlm_eap_mschapv2_t const *inst, request_t *request, eap_session_t *eap_session, fr_pair_t *reply)
static fr_dict_attr_t const * attr_state
static void mppe_keys_store(request_t *request, mschapv2_opaque_t *data)
static fr_dict_attr_t const * attr_ms_mppe_encryption_type
static fr_dict_t const * dict_freeradius
static int auth_type_parse(TALLOC_CTX *ctx, void *out, UNUSED void *parent, CONF_ITEM *ci, UNUSED conf_parser_t const *rule)
fr_dict_enum_value_t * auth_type
static fr_dict_attr_t const * attr_ms_chap2_success
static unlang_action_t mod_process(unlang_result_t *p_result, module_ctx_t const *mctx, request_t *request)
static fr_dict_t const * dict_radius
static fr_dict_attr_t const * attr_ms_chap_challenge
static fr_dict_attr_t const * attr_auth_type
static fr_dict_attr_t const * attr_ms_chap_user_name
static fr_dict_attr_t const * attr_ms_chap_error
static fr_dict_attr_t const * attr_ms_mppe_send_key
unlang_result_t section_result
static fr_dict_attr_t const * attr_ms_chap2_response
fr_dict_autoload_t rlm_eap_mschapv2_dict[]
static fr_dict_attr_t const * attr_user_name
fr_dict_attr_autoload_t rlm_eap_mschapv2_dict_attr[]
static fr_dict_attr_t const * attr_ms_mppe_recv_key
static conf_parser_t submodule_config[]
static fr_dict_attr_t const * attr_ms_chap_nt_enc_pw
rlm_eap_submodule_t rlm_eap_mschapv2
static fr_dict_attr_t const * attr_ms_chap_peer_challenge
static unlang_action_t mod_session_init(unlang_result_t *p_result, module_ctx_t const *mctx, request_t *request)
static int mod_instantiate(module_inst_ctx_t const *mctx)
static fr_dict_attr_t const * attr_ms_chap2_cpw
static fr_dict_attr_t const * attr_ms_mppe_encryption_policy
static char const * name
#define FR_SBUFF_IN(_start, _len_or_end)
CONF_SECTION * conf
Module's instance configuration.
Definition module.h:349
void * data
Module's instance data.
Definition module.h:291
#define MODULE_RCTX(_ctype)
Definition module.h:257
#define MODULE_INST(_ctype)
Definition module.h:255
conf_parser_t const * config
How to convert a CONF_SECTION to a module instance.
Definition module.h:206
unlang_action_t unlang_module_yield_to_section(unlang_result_t *p_result, request_t *request, CONF_SECTION *subcs, rlm_rcode_t default_rcode, module_method_t resume, unlang_module_signal_t signal, fr_signal_t sigmask, void *rctx)
Definition module.c:249
eap_aka_sim_process_conf_t * inst
fr_pair_t * vp
Stores an attribute, a value and various bits of other data.
Definition pair.h:68
fr_dict_attr_t const *_CONST da
Dictionary attribute defines the attribute number, vendor and type of the pair.
Definition pair.h:69
module_t common
Common fields provided by all modules.
Definition submodule.h:50
Interface exported by EAP submodules.
Definition submodule.h:49
char * talloc_typed_asprintf(TALLOC_CTX *ctx, char const *fmt,...)
Call talloc vasprintf, setting the type on the new chunk correctly.
Definition talloc.c:514
bool fr_pair_list_empty(fr_pair_list_t const *list)
Is a valuepair list empty.
#define PAIR_VERIFY(_x)
Definition pair.h:191
void fr_pair_list_free(fr_pair_list_t *list)
Free memory used by a valuepair list.
fr_pair_t * fr_pair_list_head(fr_pair_list_t const *list)
Get the head of a valuepair list.
Definition pair_inline.c:42
static fr_slen_t parent
Definition pair.h:839
static fr_slen_t data
Definition value.h:1288
int nonnull(2, 5))
static size_t char ** out
Definition value.h:1020