2 * rlm_eap_mschapv2.c Handles that are called from eap
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 2 of the License, or
9 * (at your option) any later version.
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
16 * You should have received a copy of the GNU General Public License
17 * along with this program; if not, write to the Free Software
18 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
20 * Copyright 2003,2006 The FreeRADIUS server project
28 #include "eap_mschapv2.h"
30 #include <freeradius-devel/rad_assert.h>
32 typedef struct rlm_eap_mschapv2_t {
33 bool with_ntdomain_hack;
38 static CONF_PARSER module_config[] = {
39 { "with_ntdomain_hack", FR_CONF_OFFSET(PW_TYPE_BOOLEAN, rlm_eap_mschapv2_t, with_ntdomain_hack), "no" },
41 { "send_error", FR_CONF_OFFSET(PW_TYPE_BOOLEAN, rlm_eap_mschapv2_t, send_error), "no" },
42 { "identity", FR_CONF_OFFSET(PW_TYPE_STRING, rlm_eap_mschapv2_t, identity), NULL },
44 { NULL, -1, 0, NULL, NULL } /* end the list */
48 static void fix_mppe_keys(eap_handler_t *handler, mschapv2_opaque_t *data)
50 fr_pair_list_move_by_num(data, &data->mppe_keys, &handler->request->reply->vps, 7, VENDORPEC_MICROSOFT, TAG_ANY);
51 fr_pair_list_move_by_num(data, &data->mppe_keys, &handler->request->reply->vps, 8, VENDORPEC_MICROSOFT, TAG_ANY);
52 fr_pair_list_move_by_num(data, &data->mppe_keys, &handler->request->reply->vps, 16, VENDORPEC_MICROSOFT, TAG_ANY);
53 fr_pair_list_move_by_num(data, &data->mppe_keys, &handler->request->reply->vps, 17, VENDORPEC_MICROSOFT, TAG_ANY);
59 static int mod_instantiate(CONF_SECTION *cs, void **instance)
61 rlm_eap_mschapv2_t *inst;
63 *instance = inst = talloc_zero(cs, rlm_eap_mschapv2_t);
67 * Parse the configuration attributes.
69 if (cf_section_parse(cs, inst, module_config) < 0) {
73 if (inst->identity && (strlen(inst->identity) > 255)) {
74 cf_log_err_cs(cs, "identity is too long");
78 if (!inst->identity) {
79 inst->identity = talloc_asprintf(inst, "freeradius-%s", RADIUSD_VERSION_STRING);
87 * Compose the response.
89 static int eapmschapv2_compose(rlm_eap_mschapv2_t *inst, eap_handler_t *handler, VALUE_PAIR *reply)
93 mschapv2_header_t *hdr;
94 EAP_DS *eap_ds = handler->eap_ds;
95 REQUEST *request = handler->request;
97 eap_ds->request->code = PW_EAP_REQUEST;
98 eap_ds->request->type.num = PW_EAP_MSCHAPV2;
101 * Always called with vendor Microsoft
103 switch (reply->da->attr) {
104 case PW_MSCHAP_CHALLENGE:
107 * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
108 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
109 * | Code | Identifier | Length |
110 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
111 * | Type | OpCode | MS-CHAPv2-ID | MS-Length...
112 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
113 * | MS-Length | Value-Size | Challenge...
114 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
116 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
118 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
120 length = MSCHAPV2_HEADER_LEN + MSCHAPV2_CHALLENGE_LEN + strlen(inst->identity);
121 eap_ds->request->type.data = talloc_array(eap_ds->request, uint8_t, length);
124 * Allocate room for the EAP-MS-CHAPv2 data.
126 if (!eap_ds->request->type.data) {
129 eap_ds->request->type.length = length;
131 ptr = eap_ds->request->type.data;
132 hdr = (mschapv2_header_t *) ptr;
134 hdr->opcode = PW_EAP_MSCHAPV2_CHALLENGE;
135 hdr->mschapv2_id = eap_ds->response->id + 1;
136 length = htons(length);
137 memcpy(hdr->ms_length, &length, sizeof(uint16_t));
138 hdr->value_size = MSCHAPV2_CHALLENGE_LEN;
140 ptr += MSCHAPV2_HEADER_LEN;
143 * Copy the Challenge, success, or error over.
145 memcpy(ptr, reply->vp_octets, reply->vp_length);
147 memcpy((ptr + reply->vp_length), inst->identity, strlen(inst->identity));
150 case PW_MSCHAP2_SUCCESS:
153 * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
154 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
155 * | Code | Identifier | Length |
156 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
157 * | Type | OpCode | MS-CHAPv2-ID | MS-Length...
158 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
159 * | MS-Length | Message...
160 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
162 RDEBUG2("MSCHAP Success");
164 eap_ds->request->type.data = talloc_array(eap_ds->request, uint8_t, length);
166 * Allocate room for the EAP-MS-CHAPv2 data.
168 if (!eap_ds->request->type.data) {
171 memset(eap_ds->request->type.data, 0, length);
172 eap_ds->request->type.length = length;
174 eap_ds->request->type.data[0] = PW_EAP_MSCHAPV2_SUCCESS;
175 eap_ds->request->type.data[1] = eap_ds->response->id;
176 length = htons(length);
177 memcpy((eap_ds->request->type.data + 2), &length, sizeof(uint16_t));
178 memcpy((eap_ds->request->type.data + 4), reply->vp_strvalue + 1, 42);
181 case PW_MSCHAP_ERROR:
182 REDEBUG("MSCHAP Failure");
183 length = 4 + reply->vp_length - 1;
184 eap_ds->request->type.data = talloc_array(eap_ds->request, uint8_t, length);
187 * Allocate room for the EAP-MS-CHAPv2 data.
189 if (!eap_ds->request->type.data) return 0;
190 memset(eap_ds->request->type.data, 0, length);
191 eap_ds->request->type.length = length;
193 eap_ds->request->type.data[0] = PW_EAP_MSCHAPV2_FAILURE;
194 eap_ds->request->type.data[1] = eap_ds->response->id;
195 length = htons(length);
196 memcpy((eap_ds->request->type.data + 2), &length, sizeof(uint16_t));
198 * Copy the entire failure message.
200 memcpy((eap_ds->request->type.data + 4),
201 reply->vp_strvalue + 1, reply->vp_length - 1);
205 RERROR("Internal sanity check failed");
214 * Initiate the EAP-MSCHAPV2 session by sending a challenge to the peer.
216 static int mod_session_init(void *instance, eap_handler_t *handler)
219 VALUE_PAIR *challenge;
220 mschapv2_opaque_t *data;
221 REQUEST *request = handler->request;
223 bool created_challenge = false;
224 rlm_eap_mschapv2_t *inst = instance;
226 challenge = fr_pair_find_by_num(request->config, PW_MSCHAP_CHALLENGE, VENDORPEC_MICROSOFT, TAG_ANY);
227 if (challenge && (challenge->vp_length != MSCHAPV2_CHALLENGE_LEN)) {
228 RWDEBUG("control:MS-CHAP-Challenge is incorrect length. Ignoring it.");
233 created_challenge = true;
234 challenge = fr_pair_make(handler, NULL, "MS-CHAP-Challenge", NULL, T_OP_EQ);
237 * Get a random challenge.
239 challenge->vp_length = MSCHAPV2_CHALLENGE_LEN;
240 challenge->vp_octets = p = talloc_array(challenge, uint8_t, challenge->vp_length);
241 for (i = 0; i < MSCHAPV2_CHALLENGE_LEN; i++) {
245 RDEBUG2("Issuing Challenge");
248 * Keep track of the challenge.
250 data = talloc_zero(handler, mschapv2_opaque_t);
251 rad_assert(data != NULL);
254 * We're at the stage where we're challenging the user.
256 data->code = PW_EAP_MSCHAPV2_CHALLENGE;
257 memcpy(data->challenge, challenge->vp_octets, MSCHAPV2_CHALLENGE_LEN);
258 data->mppe_keys = NULL;
261 handler->opaque = data;
264 * Compose the EAP-MSCHAPV2 packet out of the data structure,
267 eapmschapv2_compose(inst, handler, challenge);
268 if (created_challenge) fr_pair_list_free(&challenge);
272 * The EAP session doesn't have enough information to
273 * proxy the "inside EAP" protocol. Disable EAP proxying.
275 handler->request->options &= ~RAD_REQUEST_OPTION_PROXY_EAP;
279 * We don't need to authorize the user at this point.
281 * We also don't need to keep the challenge, as it's
282 * stored in 'handler->eap_ds', which will be given back
285 handler->stage = PROCESS;
292 * Do post-proxy processing,
296 * Called from rlm_eap.c, eap_postproxy().
298 static int CC_HINT(nonnull) mschap_postproxy(eap_handler_t *handler, UNUSED void *tunnel_data)
300 VALUE_PAIR *response = NULL;
301 mschapv2_opaque_t *data;
302 REQUEST *request = handler->request;
304 data = (mschapv2_opaque_t *) handler->opaque;
305 rad_assert(request != NULL);
307 RDEBUG2("Passing reply from proxy back into the tunnel %d", request->reply->code);
310 * There is only a limited number of possibilities.
312 switch (request->reply->code) {
313 case PW_CODE_ACCESS_ACCEPT:
314 RDEBUG2("Proxied authentication succeeded");
317 * Move the attribute, so it doesn't go into
320 fr_pair_list_move_by_num(data, &response, &request->reply->vps, PW_MSCHAP2_SUCCESS, VENDORPEC_MICROSOFT, TAG_ANY);
324 case PW_CODE_ACCESS_REJECT:
325 REDEBUG("Proxied authentication was rejected");
333 REDEBUG("Proxied reply contained no MS-CHAP2-Success or MS-CHAP-Error");
338 * Done doing EAP proxy stuff.
340 request->options &= ~RAD_REQUEST_OPTION_PROXY_EAP;
341 eapmschapv2_compose(NULL, handler, response);
342 data->code = PW_EAP_MSCHAPV2_SUCCESS;
345 * Delete MPPE keys & encryption policy
347 * FIXME: Use intelligent names...
349 fix_mppe_keys(handler, data);
352 * Save any other attributes for re-use in the final
353 * access-accept e.g. vlan, etc. This lets the PEAP
354 * use_tunneled_reply code work
356 data->reply = fr_pair_list_copy(data, request->reply->vps);
359 * And we need to challenge the user, not ack/reject them,
360 * so we re-write the ACK to a challenge. Yuck.
362 request->reply->code = PW_CODE_ACCESS_CHALLENGE;
363 fr_pair_list_free(&response);
370 * Authenticate a previously sent challenge.
372 static int CC_HINT(nonnull) mod_process(void *arg, eap_handler_t *handler)
378 mschapv2_opaque_t *data;
379 EAP_DS *eap_ds = handler->eap_ds;
380 VALUE_PAIR *challenge, *response, *name;
381 rlm_eap_mschapv2_t *inst = (rlm_eap_mschapv2_t *) arg;
382 REQUEST *request = handler->request;
384 rad_assert(handler->stage == PROCESS);
386 data = (mschapv2_opaque_t *) handler->opaque;
389 * Sanity check the response.
391 if (eap_ds->response->length <= 5) {
392 REDEBUG("corrupted data");
396 ccode = eap_ds->response->type.data[0];
398 switch (data->code) {
399 case PW_EAP_MSCHAPV2_FAILURE:
400 if (ccode == PW_EAP_MSCHAPV2_RESPONSE) {
401 RDEBUG2("Authentication re-try from client after we sent a failure");
406 * if we sent error 648 (password expired) to the client
407 * we might get an MSCHAP-CPW packet here; turn it into a
408 * regular MS-CHAP2-CPW packet and pass it to rlm_mschap
409 * (or proxy it, I guess)
411 if (ccode == PW_EAP_MSCHAPV2_CHGPASSWD) {
413 int mschap_id = eap_ds->response->type.data[1];
414 int copied = 0 ,seq = 1;
416 RDEBUG2("Password change packet received");
418 challenge = pair_make_request("MS-CHAP-Challenge", NULL, T_OP_EQ);
419 if (!challenge) return 0;
420 fr_pair_value_memcpy(challenge, data->challenge, MSCHAPV2_CHALLENGE_LEN);
422 cpw = pair_make_request("MS-CHAP2-CPW", NULL, T_OP_EQ);
425 cpw->vp_octets = p = talloc_array(cpw, uint8_t, cpw->vp_length);
428 memcpy(p + 2, eap_ds->response->type.data + 520, 66);
431 * break the encoded password into VPs (3 of them)
433 while (copied < 516) {
436 int to_copy = 516 - copied;
437 if (to_copy > 243) to_copy = 243;
439 nt_enc = pair_make_request("MS-CHAP-NT-Enc-PW", NULL, T_OP_ADD);
440 nt_enc->vp_length = 4 + to_copy;
442 nt_enc->vp_octets = p = talloc_array(nt_enc, uint8_t, nt_enc->vp_length);
449 memcpy(p + 4, eap_ds->response->type.data + 4 + copied, to_copy);
453 RDEBUG2("Built change password packet");
454 rdebug_pair_list(L_DBG_LVL_2, request, request->packet->vps, NULL);
457 * jump to "authentication"
463 * we sent a failure and are expecting a failure back
465 if (ccode != PW_EAP_MSCHAPV2_FAILURE) {
466 REDEBUG("Sent FAILURE expecting FAILURE but got %d", ccode);
471 request->options &= ~RAD_REQUEST_OPTION_PROXY_EAP;
472 eap_ds->request->code = PW_EAP_FAILURE;
475 case PW_EAP_MSCHAPV2_SUCCESS:
477 * we sent a success to the client; some clients send a
478 * success back as-per the RFC, some send an ACK. Permit
483 case PW_EAP_MSCHAPV2_SUCCESS:
484 eap_ds->request->code = PW_EAP_SUCCESS;
486 fr_pair_list_move_by_num(request->reply, &request->reply->vps, &data->mppe_keys, 0, 0, TAG_ANY);
489 case PW_EAP_MSCHAPV2_ACK:
492 * It's a success. Don't proxy it.
494 request->options &= ~RAD_REQUEST_OPTION_PROXY_EAP;
496 fr_pair_list_move_by_num(request->reply, &request->reply->vps, &data->reply, 0, 0, TAG_ANY);
499 REDEBUG("Sent SUCCESS expecting SUCCESS (or ACK) but got %d", ccode);
502 case PW_EAP_MSCHAPV2_CHALLENGE:
503 if (ccode == PW_EAP_MSCHAPV2_FAILURE) goto failure;
506 * we sent a challenge, expecting a response
508 if (ccode != PW_EAP_MSCHAPV2_RESPONSE) {
509 REDEBUG("Sent CHALLENGE expecting RESPONSE but got %d", ccode);
512 /* authentication happens below */
516 /* should never happen */
517 REDEBUG("Unknown state %d", data->code);
523 * Ensure that we have at least enough data
524 * to do the following checks.
526 * EAP header (4), EAP type, MS-CHAP opcode,
527 * MS-CHAP ident, MS-CHAP data length (2),
528 * MS-CHAP value length.
530 if (eap_ds->response->length < (4 + 1 + 1 + 1 + 2 + 1)) {
531 REDEBUG("Response is too short");
536 * The 'value_size' is the size of the response,
537 * which is supposed to be the response (48
538 * bytes) plus 1 byte of flags at the end.
540 if (eap_ds->response->type.data[4] != 49) {
541 REDEBUG("Response is of incorrect length %d", eap_ds->response->type.data[4]);
546 * The MS-Length field is 5 + value_size + length
547 * of name, which is put after the response.
549 length = (eap_ds->response->type.data[2] << 8) | eap_ds->response->type.data[3];
550 if ((length < (5 + 49)) || (length > (256 + 5 + 49))) {
551 REDEBUG("Response contains contradictory length %zu %d", length, 5 + 49);
556 * We now know that the user has sent us a response
557 * to the challenge. Let's try to authenticate it.
559 * We do this by taking the challenge from 'data',
560 * the response from the EAP packet, and creating VALUE_PAIR's
561 * to pass to the 'mschap' module. This is a little wonky,
564 challenge = pair_make_request("MS-CHAP-Challenge", NULL, T_OP_EQ);
565 if (!challenge) return 0;
566 fr_pair_value_memcpy(challenge, data->challenge, MSCHAPV2_CHALLENGE_LEN);
568 response = pair_make_request("MS-CHAP2-Response", NULL, T_OP_EQ);
569 if (!response) return 0;
570 response->vp_length = MSCHAPV2_RESPONSE_LEN;
571 response->vp_octets = p = talloc_array(response, uint8_t, response->vp_length);
573 p[0] = eap_ds->response->type.data[1];
574 p[1] = eap_ds->response->type.data[5 + MSCHAPV2_RESPONSE_LEN];
575 memcpy(p + 2, &eap_ds->response->type.data[5], MSCHAPV2_RESPONSE_LEN - 2);
577 name = pair_make_request("MS-CHAP-User-Name", NULL, T_OP_EQ);
581 * MS-Length - MS-Value - 5.
583 name->vp_length = length - 49 - 5;
584 name->vp_strvalue = q = talloc_array(name, char, name->vp_length + 1);
585 memcpy(q, &eap_ds->response->type.data[4 + MSCHAPV2_RESPONSE_LEN], name->vp_length);
586 q[name->vp_length] = '\0';
592 * If this options is set, then we do NOT authenticate the
593 * user here. Instead, now that we've added the MS-CHAP
594 * attributes to the request, we STOP, and let the outer
595 * tunnel code handle it.
597 * This means that the outer tunnel code will DELETE the
598 * EAP attributes, and proxy the MS-CHAP attributes to a
601 if (request->options & RAD_REQUEST_OPTION_PROXY_EAP) {
602 char *username = NULL;
603 eap_tunnel_data_t *tunnel;
605 RDEBUG2("Cancelling authentication and letting it be proxied");
608 * Set up the callbacks for the tunnel
610 tunnel = talloc_zero(request, eap_tunnel_data_t);
612 tunnel->tls_session = arg;
613 tunnel->callback = mschap_postproxy;
616 * Associate the callback with the request.
618 rcode = request_data_add(request,
620 REQUEST_DATA_EAP_TUNNEL_CALLBACK,
622 rad_assert(rcode == 0);
625 * The State attribute is NOT supposed to
626 * go into the proxied packet, it will confuse
627 * other RADIUS servers, and they will discard
630 * The PEAP module will take care of adding
631 * the State attribute back, before passing
632 * the handler & request back into the tunnel.
634 fr_pair_delete_by_num(&request->packet->vps, PW_STATE, 0, TAG_ANY);
637 * Fix the User-Name when proxying, to strip off
638 * the NT Domain, if we're told to, and a User-Name
639 * exists, and there's a \\, meaning an NT-Domain
640 * in the user name, THEN discard the user name.
642 if (inst->with_ntdomain_hack &&
643 ((challenge = fr_pair_find_by_num(request->packet->vps, PW_USER_NAME, 0, TAG_ANY)) != NULL) &&
644 ((username = strchr(challenge->vp_strvalue, '\\')) != NULL)) {
646 * Wipe out the NT domain.
648 * FIXME: Put it into MS-CHAP-Domain?
650 username++; /* skip the \\ */
651 fr_pair_value_strcpy(challenge, username);
655 * Remember that in the post-proxy stage, we've got
656 * to do the work below, AFTER the call to MS-CHAP
664 * This is a wild & crazy hack.
666 rcode = process_authenticate(PW_AUTH_TYPE_MS_CHAP, request);
669 * Delete MPPE keys & encryption policy. We don't
672 fix_mppe_keys(handler, data);
675 * Take the response from the mschap module, and
676 * return success or failure, depending on the result.
679 if (rcode == RLM_MODULE_OK) {
680 fr_pair_list_move_by_num(data, &response, &request->reply->vps, PW_MSCHAP2_SUCCESS, VENDORPEC_MICROSOFT, TAG_ANY);
681 data->code = PW_EAP_MSCHAPV2_SUCCESS;
682 } else if (inst->send_error) {
683 fr_pair_list_move_by_num(data, &response, &request->reply->vps, PW_MSCHAP_ERROR, VENDORPEC_MICROSOFT, TAG_ANY);
690 RDEBUG2("MSCHAP-Error: %s", response->vp_strvalue);
693 * Pxarse the new challenge out of the
694 * MS-CHAP-Error, so that if the client
695 * issues a re-try, we will know which
696 * challenge value that they used.
698 n = sscanf(response->vp_strvalue, "%*cE=%d R=%d C=%32s", &err, &retry, &buf[0]);
700 RDEBUG2("Found new challenge from MS-CHAP-Error: err=%d retry=%d challenge=%s",
702 fr_hex2bin(data->challenge, 16, buf, strlen(buf));
704 RDEBUG2("Could not parse new challenge from MS-CHAP-Error: %d", n);
707 data->code = PW_EAP_MSCHAPV2_FAILURE;
709 eap_ds->request->code = PW_EAP_FAILURE;
717 REDEBUG("No MS-CHAP2-Success or MS-CHAP-Error was found");
722 * Compose the response (whatever it is),
723 * and return it to the over-lying EAP module.
725 eapmschapv2_compose(inst, handler, response);
726 fr_pair_list_free(&response);
732 * The module name should be the only globally exported symbol.
733 * That is, everything else should be 'static'.
735 extern rlm_eap_module_t rlm_eap_mschapv2;
736 rlm_eap_module_t rlm_eap_mschapv2 = {
737 .name = "eap_mschapv2",
738 .instantiate = mod_instantiate, /* Create new submodule instance */
739 .session_init = mod_session_init, /* Initialise a new EAP session */
740 .process = mod_process /* Process next round of EAP method */