2 * rlm_eap_mschapv2.c Handles that are called from eap
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 2 of the License, or
9 * (at your option) any later version.
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
16 * You should have received a copy of the GNU General Public License
17 * along with this program; if not, write to the Free Software
18 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
20 * Copyright 2003,2006 The FreeRADIUS server project
28 #include "eap_mschapv2.h"
30 #include <freeradius-devel/rad_assert.h>
32 typedef struct rlm_eap_mschapv2_t {
33 bool with_ntdomain_hack;
37 static CONF_PARSER module_config[] = {
38 { "with_ntdomain_hack", FR_CONF_OFFSET(PW_TYPE_BOOLEAN, rlm_eap_mschapv2_t, with_ntdomain_hack), "no" },
40 { "send_error", FR_CONF_OFFSET(PW_TYPE_BOOLEAN, rlm_eap_mschapv2_t, send_error), "no" },
42 { NULL, -1, 0, NULL, NULL } /* end the list */
46 static void fix_mppe_keys(eap_handler_t *handler, mschapv2_opaque_t *data)
48 pairfilter(data, &data->mppe_keys, &handler->request->reply->vps, 7, VENDORPEC_MICROSOFT, TAG_ANY);
49 pairfilter(data, &data->mppe_keys, &handler->request->reply->vps, 8, VENDORPEC_MICROSOFT, TAG_ANY);
50 pairfilter(data, &data->mppe_keys, &handler->request->reply->vps, 16, VENDORPEC_MICROSOFT, TAG_ANY);
51 pairfilter(data, &data->mppe_keys, &handler->request->reply->vps, 17, VENDORPEC_MICROSOFT, TAG_ANY);
57 static int mschapv2_attach(CONF_SECTION *cs, void **instance)
59 rlm_eap_mschapv2_t *inst;
61 *instance = inst = talloc_zero(cs, rlm_eap_mschapv2_t);
65 * Parse the configuration attributes.
67 if (cf_section_parse(cs, inst, module_config) < 0) {
76 * Compose the response.
78 static int eapmschapv2_compose(eap_handler_t *handler, VALUE_PAIR *reply)
82 mschapv2_header_t *hdr;
83 EAP_DS *eap_ds = handler->eap_ds;
84 REQUEST *request = handler->request;
86 eap_ds->request->code = PW_EAP_REQUEST;
87 eap_ds->request->type.num = PW_EAP_MSCHAPV2;
90 * Always called with vendor Microsoft
92 switch (reply->da->attr) {
93 case PW_MSCHAP_CHALLENGE:
96 * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
97 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
98 * | Code | Identifier | Length |
99 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
100 * | Type | OpCode | MS-CHAPv2-ID | MS-Length...
101 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
102 * | MS-Length | Value-Size | Challenge...
103 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
105 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
107 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
109 length = MSCHAPV2_HEADER_LEN + MSCHAPV2_CHALLENGE_LEN + strlen(handler->identity);
110 eap_ds->request->type.data = talloc_array(eap_ds->request, uint8_t, length);
112 * Allocate room for the EAP-MS-CHAPv2 data.
114 if (!eap_ds->request->type.data) {
117 eap_ds->request->type.length = length;
119 ptr = eap_ds->request->type.data;
120 hdr = (mschapv2_header_t *) ptr;
122 hdr->opcode = PW_EAP_MSCHAPV2_CHALLENGE;
123 hdr->mschapv2_id = eap_ds->response->id + 1;
124 length = htons(length);
125 memcpy(hdr->ms_length, &length, sizeof(uint16_t));
126 hdr->value_size = MSCHAPV2_CHALLENGE_LEN;
128 ptr += MSCHAPV2_HEADER_LEN;
131 * Copy the Challenge, success, or error over.
133 memcpy(ptr, reply->vp_octets, reply->vp_length);
134 memcpy((ptr + reply->vp_length), handler->identity, strlen(handler->identity));
137 case PW_MSCHAP2_SUCCESS:
140 * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
141 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
142 * | Code | Identifier | Length |
143 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
144 * | Type | OpCode | MS-CHAPv2-ID | MS-Length...
145 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
146 * | MS-Length | Message...
147 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
149 RDEBUG2("MSCHAP Success");
151 eap_ds->request->type.data = talloc_array(eap_ds->request, uint8_t, length);
153 * Allocate room for the EAP-MS-CHAPv2 data.
155 if (!eap_ds->request->type.data) {
158 memset(eap_ds->request->type.data, 0, length);
159 eap_ds->request->type.length = length;
161 eap_ds->request->type.data[0] = PW_EAP_MSCHAPV2_SUCCESS;
162 eap_ds->request->type.data[1] = eap_ds->response->id;
163 length = htons(length);
164 memcpy((eap_ds->request->type.data + 2), &length, sizeof(uint16_t));
165 memcpy((eap_ds->request->type.data + 4), reply->vp_strvalue + 1, 42);
168 case PW_MSCHAP_ERROR:
169 REDEBUG("MSCHAP Failure");
170 length = 4 + reply->vp_length - 1;
171 eap_ds->request->type.data = talloc_array(eap_ds->request, uint8_t, length);
174 * Allocate room for the EAP-MS-CHAPv2 data.
176 if (!eap_ds->request->type.data) return 0;
177 memset(eap_ds->request->type.data, 0, length);
178 eap_ds->request->type.length = length;
180 eap_ds->request->type.data[0] = PW_EAP_MSCHAPV2_FAILURE;
181 eap_ds->request->type.data[1] = eap_ds->response->id;
182 length = htons(length);
183 memcpy((eap_ds->request->type.data + 2), &length, sizeof(uint16_t));
185 * Copy the entire failure message.
187 memcpy((eap_ds->request->type.data + 4),
188 reply->vp_strvalue + 1, reply->vp_length - 1);
192 RERROR("Internal sanity check failed");
201 * Initiate the EAP-MSCHAPV2 session by sending a challenge to the peer.
203 static int mschapv2_initiate(UNUSED void *instance, eap_handler_t *handler)
206 VALUE_PAIR *challenge;
207 mschapv2_opaque_t *data;
208 REQUEST *request = handler->request;
211 challenge = pairmake(handler, NULL, "MS-CHAP-Challenge", NULL, T_OP_EQ);
214 * Get a random challenge.
216 challenge->vp_length = MSCHAPV2_CHALLENGE_LEN;
217 challenge->vp_octets = p = talloc_array(challenge, uint8_t, challenge->vp_length);
218 for (i = 0; i < MSCHAPV2_CHALLENGE_LEN; i++) {
221 RDEBUG2("Issuing Challenge");
224 * Keep track of the challenge.
226 data = talloc_zero(handler, mschapv2_opaque_t);
227 rad_assert(data != NULL);
230 * We're at the stage where we're challenging the user.
232 data->code = PW_EAP_MSCHAPV2_CHALLENGE;
233 memcpy(data->challenge, challenge->vp_octets, MSCHAPV2_CHALLENGE_LEN);
234 data->mppe_keys = NULL;
237 handler->opaque = data;
240 * Compose the EAP-MSCHAPV2 packet out of the data structure,
243 eapmschapv2_compose(handler, challenge);
244 pairfree(&challenge);
248 * The EAP session doesn't have enough information to
249 * proxy the "inside EAP" protocol. Disable EAP proxying.
251 handler->request->options &= ~RAD_REQUEST_OPTION_PROXY_EAP;
255 * We don't need to authorize the user at this point.
257 * We also don't need to keep the challenge, as it's
258 * stored in 'handler->eap_ds', which will be given back
261 handler->stage = AUTHENTICATE;
268 * Do post-proxy processing,
272 * Called from rlm_eap.c, eap_postproxy().
274 static int CC_HINT(nonnull) mschap_postproxy(eap_handler_t *handler, UNUSED void *tunnel_data)
276 VALUE_PAIR *response = NULL;
277 mschapv2_opaque_t *data;
278 REQUEST *request = handler->request;
280 data = (mschapv2_opaque_t *) handler->opaque;
281 rad_assert(request != NULL);
283 RDEBUG2("Passing reply from proxy back into the tunnel %d", request->reply->code);
286 * There is only a limited number of possibilities.
288 switch (request->reply->code) {
289 case PW_CODE_ACCESS_ACCEPT:
290 RDEBUG2("Proxied authentication succeeded");
293 * Move the attribute, so it doesn't go into
296 pairfilter(data, &response, &request->reply->vps, PW_MSCHAP2_SUCCESS, VENDORPEC_MICROSOFT, TAG_ANY);
300 case PW_CODE_ACCESS_REJECT:
301 REDEBUG("Proxied authentication was rejected");
309 REDEBUG("Proxied reply contained no MS-CHAP2-Success or MS-CHAP-Error");
314 * Done doing EAP proxy stuff.
316 request->options &= ~RAD_REQUEST_OPTION_PROXY_EAP;
317 eapmschapv2_compose(handler, response);
318 data->code = PW_EAP_MSCHAPV2_SUCCESS;
321 * Delete MPPE keys & encryption policy
323 * FIXME: Use intelligent names...
325 fix_mppe_keys(handler, data);
328 * Save any other attributes for re-use in the final
329 * access-accept e.g. vlan, etc. This lets the PEAP
330 * use_tunneled_reply code work
332 data->reply = paircopy(data, request->reply->vps);
335 * And we need to challenge the user, not ack/reject them,
336 * so we re-write the ACK to a challenge. Yuck.
338 request->reply->code = PW_CODE_ACCESS_CHALLENGE;
346 * Authenticate a previously sent challenge.
348 static int CC_HINT(nonnull) mschapv2_authenticate(void *arg, eap_handler_t *handler)
354 mschapv2_opaque_t *data;
355 EAP_DS *eap_ds = handler->eap_ds;
356 VALUE_PAIR *challenge, *response, *name;
357 rlm_eap_mschapv2_t *inst = (rlm_eap_mschapv2_t *) arg;
358 REQUEST *request = handler->request;
360 rad_assert(handler->stage == AUTHENTICATE);
362 data = (mschapv2_opaque_t *) handler->opaque;
365 * Sanity check the response.
367 if (eap_ds->response->length <= 5) {
368 REDEBUG("corrupted data");
372 ccode = eap_ds->response->type.data[0];
374 switch (data->code) {
375 case PW_EAP_MSCHAPV2_FAILURE:
376 if (ccode == PW_EAP_MSCHAPV2_RESPONSE) {
377 RDEBUG2("Authentication re-try from client after we sent a failure");
382 * if we sent error 648 (password expired) to the client
383 * we might get an MSCHAP-CPW packet here; turn it into a
384 * regular MS-CHAP2-CPW packet and pass it to rlm_mschap
385 * (or proxy it, I guess)
387 if (ccode == PW_EAP_MSCHAPV2_CHGPASSWD) {
389 int mschap_id = eap_ds->response->type.data[1];
390 int copied = 0 ,seq = 1;
392 RDEBUG2("Password change packet received");
394 challenge = pairmake_packet("MS-CHAP-Challenge", NULL, T_OP_EQ);
395 if (!challenge) return 0;
396 pairmemcpy(challenge, data->challenge, MSCHAPV2_CHALLENGE_LEN);
398 cpw = pairmake_packet("MS-CHAP2-CPW", NULL, T_OP_EQ);
401 cpw->vp_octets = p = talloc_array(cpw, uint8_t, cpw->vp_length);
404 memcpy(p + 2, eap_ds->response->type.data + 520, 66);
407 * break the encoded password into VPs (3 of them)
409 while (copied < 516) {
412 int to_copy = 516 - copied;
413 if (to_copy > 243) to_copy = 243;
415 nt_enc = pairmake_packet("MS-CHAP-NT-Enc-PW", NULL, T_OP_ADD);
416 nt_enc->vp_length = 4 + to_copy;
418 nt_enc->vp_octets = p = talloc_array(nt_enc, uint8_t, nt_enc->vp_length);
425 memcpy(p + 4, eap_ds->response->type.data + 4 + copied, to_copy);
429 RDEBUG2("Built change password packet");
430 rdebug_pair_list(L_DBG_LVL_2, request, request->packet->vps, NULL);
433 * jump to "authentication"
439 * we sent a failure and are expecting a failure back
441 if (ccode != PW_EAP_MSCHAPV2_FAILURE) {
442 REDEBUG("Sent FAILURE expecting FAILURE but got %d", ccode);
447 request->options &= ~RAD_REQUEST_OPTION_PROXY_EAP;
448 eap_ds->request->code = PW_EAP_FAILURE;
451 case PW_EAP_MSCHAPV2_SUCCESS:
453 * we sent a success to the client; some clients send a
454 * success back as-per the RFC, some send an ACK. Permit
459 case PW_EAP_MSCHAPV2_SUCCESS:
460 eap_ds->request->code = PW_EAP_SUCCESS;
462 pairfilter(request->reply, &request->reply->vps, &data->mppe_keys, 0, 0, TAG_ANY);
465 case PW_EAP_MSCHAPV2_ACK:
468 * It's a success. Don't proxy it.
470 request->options &= ~RAD_REQUEST_OPTION_PROXY_EAP;
472 pairfilter(request->reply, &request->reply->vps, &data->reply, 0, 0, TAG_ANY);
475 REDEBUG("Sent SUCCESS expecting SUCCESS (or ACK) but got %d", ccode);
478 case PW_EAP_MSCHAPV2_CHALLENGE:
479 if (ccode == PW_EAP_MSCHAPV2_FAILURE) goto failure;
482 * we sent a challenge, expecting a response
484 if (ccode != PW_EAP_MSCHAPV2_RESPONSE) {
485 REDEBUG("Sent CHALLENGE expecting RESPONSE but got %d", ccode);
488 /* authentication happens below */
492 /* should never happen */
493 REDEBUG("Unknown state %d", data->code);
499 * Ensure that we have at least enough data
500 * to do the following checks.
502 * EAP header (4), EAP type, MS-CHAP opcode,
503 * MS-CHAP ident, MS-CHAP data length (2),
504 * MS-CHAP value length.
506 if (eap_ds->response->length < (4 + 1 + 1 + 1 + 2 + 1)) {
507 REDEBUG("Response is too short");
512 * The 'value_size' is the size of the response,
513 * which is supposed to be the response (48
514 * bytes) plus 1 byte of flags at the end.
516 if (eap_ds->response->type.data[4] != 49) {
517 REDEBUG("Response is of incorrect length %d", eap_ds->response->type.data[4]);
522 * The MS-Length field is 5 + value_size + length
523 * of name, which is put after the response.
525 length = (eap_ds->response->type.data[2] << 8) | eap_ds->response->type.data[3];
526 if ((length < (5 + 49)) || (length > (256 + 5 + 49))) {
527 REDEBUG("Response contains contradictory length %zu %d", length, 5 + 49);
532 * We now know that the user has sent us a response
533 * to the challenge. Let's try to authenticate it.
535 * We do this by taking the challenge from 'data',
536 * the response from the EAP packet, and creating VALUE_PAIR's
537 * to pass to the 'mschap' module. This is a little wonky,
540 challenge = pairmake_packet("MS-CHAP-Challenge", NULL, T_OP_EQ);
541 if (!challenge) return 0;
542 pairmemcpy(challenge, data->challenge, MSCHAPV2_CHALLENGE_LEN);
544 response = pairmake_packet("MS-CHAP2-Response", NULL, T_OP_EQ);
545 if (!response) return 0;
546 response->vp_length = MSCHAPV2_RESPONSE_LEN;
547 response->vp_octets = p = talloc_array(response, uint8_t, response->vp_length);
549 p[0] = eap_ds->response->type.data[1];
550 p[1] = eap_ds->response->type.data[5 + MSCHAPV2_RESPONSE_LEN];
551 memcpy(p + 2, &eap_ds->response->type.data[5], MSCHAPV2_RESPONSE_LEN - 2);
553 name = pairmake_packet("MS-CHAP-User-Name", NULL, T_OP_EQ);
557 * MS-Length - MS-Value - 5.
559 name->vp_length = length - 49 - 5;
560 name->vp_strvalue = q = talloc_array(name, char, name->vp_length + 1);
561 memcpy(q, &eap_ds->response->type.data[4 + MSCHAPV2_RESPONSE_LEN], name->vp_length);
562 q[name->vp_length] = '\0';
568 * If this options is set, then we do NOT authenticate the
569 * user here. Instead, now that we've added the MS-CHAP
570 * attributes to the request, we STOP, and let the outer
571 * tunnel code handle it.
573 * This means that the outer tunnel code will DELETE the
574 * EAP attributes, and proxy the MS-CHAP attributes to a
577 if (request->options & RAD_REQUEST_OPTION_PROXY_EAP) {
578 char *username = NULL;
579 eap_tunnel_data_t *tunnel;
581 RDEBUG2("Cancelling authentication and letting it be proxied");
584 * Set up the callbacks for the tunnel
586 tunnel = talloc_zero(request, eap_tunnel_data_t);
588 tunnel->tls_session = arg;
589 tunnel->callback = mschap_postproxy;
592 * Associate the callback with the request.
594 rcode = request_data_add(request,
596 REQUEST_DATA_EAP_TUNNEL_CALLBACK,
598 rad_assert(rcode == 0);
601 * The State attribute is NOT supposed to
602 * go into the proxied packet, it will confuse
603 * other RADIUS servers, and they will discard
606 * The PEAP module will take care of adding
607 * the State attribute back, before passing
608 * the handler & request back into the tunnel.
610 pairdelete(&request->packet->vps, PW_STATE, 0, TAG_ANY);
613 * Fix the User-Name when proxying, to strip off
614 * the NT Domain, if we're told to, and a User-Name
615 * exists, and there's a \\, meaning an NT-Domain
616 * in the user name, THEN discard the user name.
618 if (inst->with_ntdomain_hack &&
619 ((challenge = pairfind(request->packet->vps, PW_USER_NAME, 0, TAG_ANY)) != NULL) &&
620 ((username = strchr(challenge->vp_strvalue, '\\')) != NULL)) {
622 * Wipe out the NT domain.
624 * FIXME: Put it into MS-CHAP-Domain?
626 username++; /* skip the \\ */
627 pairstrcpy(challenge, username);
631 * Remember that in the post-proxy stage, we've got
632 * to do the work below, AFTER the call to MS-CHAP
640 * This is a wild & crazy hack.
642 rcode = process_authenticate(PW_AUTHTYPE_MS_CHAP, request);
645 * Delete MPPE keys & encryption policy. We don't
648 fix_mppe_keys(handler, data);
651 * Take the response from the mschap module, and
652 * return success or failure, depending on the result.
655 if (rcode == RLM_MODULE_OK) {
656 pairfilter(data, &response, &request->reply->vps, PW_MSCHAP2_SUCCESS, VENDORPEC_MICROSOFT, TAG_ANY);
657 data->code = PW_EAP_MSCHAPV2_SUCCESS;
658 } else if (inst->send_error) {
659 pairfilter(data, &response, &request->reply->vps, PW_MSCHAP_ERROR, VENDORPEC_MICROSOFT, TAG_ANY);
666 RDEBUG2("MSCHAP-Error: %s", response->vp_strvalue);
669 * Pxarse the new challenge out of the
670 * MS-CHAP-Error, so that if the client
671 * issues a re-try, we will know which
672 * challenge value that they used.
674 n = sscanf(response->vp_strvalue, "%*cE=%d R=%d C=%32s", &err, &retry, &buf[0]);
676 RDEBUG2("Found new challenge from MS-CHAP-Error: err=%d retry=%d challenge=%s",
678 fr_hex2bin(data->challenge, 16, buf, strlen(buf));
680 RDEBUG2("Could not parse new challenge from MS-CHAP-Error: %d", n);
683 data->code = PW_EAP_MSCHAPV2_FAILURE;
685 eap_ds->request->code = PW_EAP_FAILURE;
693 REDEBUG("No MS-CHAP2-Success or MS-CHAP-Error was found");
698 * Compose the response (whatever it is),
699 * and return it to the over-lying EAP module.
701 eapmschapv2_compose(handler, response);
708 * The module name should be the only globally exported symbol.
709 * That is, everything else should be 'static'.
711 extern rlm_eap_module_t rlm_eap_mschapv2;
712 rlm_eap_module_t rlm_eap_mschapv2 = {
714 mschapv2_attach, /* attach */
715 mschapv2_initiate, /* Start the initial request */
716 NULL, /* authorization */
717 mschapv2_authenticate, /* authentication */