* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*
* Copyright 2001,2002 Google, Inc.
- * Copyright 2005 Frank Cusack
+ * Copyright 2005 TRI-D Systems, Inc.
*/
/*
#ifdef FREERADIUS
#define _LRAD_MD4_H
#define _LRAD_SHA1_H
-#include "rad_assert.h"
+#include <rad_assert.h>
#endif
#include "otp.h"
#include "otp_pwe.h"
* opaque value that must be used when calling otp_pwe_cmp().
*/
int
-otp_pwe_present(const REQUEST *request)
+otp_pwe_present(const REQUEST *request, const char *log_prefix)
{
unsigned i;
for (i = 0; i < sizeof(pwattr) && pwattr[i]; i += 2) {
if (pairfind(request->packet->vps, pwattr[i]) &&
pairfind(request->packet->vps, pwattr[i + 1])) {
- DEBUG("rlm_otp: pwe_present: password attributes %d, %d",
+ DEBUG("%s: %s: password attributes %d, %d", log_prefix, __func__,
pwattr[i], pwattr[i + 1]);
return i + 1; /* Can't return 0 (indicates failure) */
}
}
- DEBUG("rlm_otp: pwe_present: no password attributes present");
+ DEBUG("%s: %s: no password attributes present", log_prefix, __func__);
return 0;
}
* the caller is responsible for freeing any vps returned.
*/
int
-otp_pwe_cmp(struct otp_pwe_cmp_t *data, const char *password)
+otp_pwe_cmp(struct otp_pwe_cmp_t *data, const char *password,
+ const char *log_prefix)
{
const REQUEST *request = data->request;
const otp_option_t *inst = data->inst;
/* If modular, this would actually call the authentication function. */
switch(pwattr[attr]) {
case PW_PASSWORD:
- DEBUG("rlm_otp: pwe_cmp: handling PW_PASSWORD");
- nmatch = strcmp(password, resp_vp->vp_strvalue);
+ DEBUG("%s: %s: handling PW_PASSWORD", log_prefix, __func__);
+ nmatch = strcmp(password, resp_vp->strvalue);
break;
case PW_CHAP_PASSWORD:
unsigned char input[1 + MAX_STRING_LEN + 16];
unsigned char output[MD5_DIGEST_LENGTH];
- DEBUG("rlm_otp: pwe_cmp: handling PW_CHAP_PASSWORD");
+ DEBUG("%s: %s: handling PW_CHAP_PASSWORD", log_prefix, __func__);
if (1 + strlen(password) + chal_vp->length > sizeof(input)) {
- DEBUG("rlm_otp: pwe_cmp: CHAP-Challenge/password too long");
+ DEBUG("%s: %s: CHAP-Challenge/password too long", log_prefix, __func__);
nmatch = -1;
break;
}
if (resp_vp->length != 17) {
- otp_log(OTP_LOG_AUTH, "pwe_cmp: CHAP-Password wrong size");
+ otp_log(OTP_LOG_AUTH, "%s: %s: CHAP-Password wrong size",
+ log_prefix, __func__);
nmatch = -1;
break;
}
- input[0] = *(resp_vp->vp_strvalue);
+ input[0] = *(resp_vp->strvalue);
(void) memcpy(&input[1], password, strlen(password));
- (void) memcpy(&input[1+strlen(password)], chal_vp->vp_strvalue,
+ (void) memcpy(&input[1+strlen(password)], chal_vp->strvalue,
chal_vp->length);
(void) MD5(input, 1 + strlen(password) + chal_vp->length, output);
- nmatch = memcmp(output, &(resp_vp->vp_strvalue)[1], MD5_DIGEST_LENGTH);
+ nmatch = memcmp(output, &(resp_vp->strvalue)[1], MD5_DIGEST_LENGTH);
} /* case PW_CHAP_PASSWORD */
break;
int password_len, i;
VALUE_PAIR *vp;
- DEBUG("rlm_otp: pwe_cmp: handling PW_MS_CHAP_RESPONSE");
+ DEBUG("%s: %s: handling PW_MS_CHAP_RESPONSE", log_prefix, __func__);
if (chal_vp->length != 8) {
- otp_log(OTP_LOG_AUTH, "pwe_cmp: MS-CHAP-Challenge wrong size");
+ otp_log(OTP_LOG_AUTH, "%s: %s: MS-CHAP-Challenge wrong size",
+ log_prefix, __func__);
nmatch = -1;
break;
}
if (resp_vp->length != 50) {
- otp_log(OTP_LOG_AUTH, "pwe_cmp: MS-CHAP-Response wrong size");
+ otp_log(OTP_LOG_AUTH, "%s: %s: MS-CHAP-Response wrong size",
+ log_prefix, __func__);
nmatch = -1;
break;
}
- if ((resp_vp->vp_strvalue)[1] != 1) {
+ if ((resp_vp->strvalue)[1] != 1) {
otp_log(OTP_LOG_AUTH,
- "pwe_cmp: MS-CHAP-Response bad flags (LM not supported)");
+ "%s: %s: MS-CHAP-Response bad flags (LM not supported)",
+ log_prefix, __func__);
nmatch = -1;
break;
}
/* This is probably overkill. */
if (strlen(password) > MAX_STRING_LEN) {
- otp_log(OTP_LOG_AUTH, "pwe_cmp: MS-CHAP password too long");
+ otp_log(OTP_LOG_AUTH, "%s: %s: MS-CHAP password too long",
+ log_prefix, __func__);
nmatch = -1;
break;
}
(void) MD4(input, 2 * password_len, nt_keys);
/* The challenge gets encrypted. */
- (void) memcpy(input, chal_vp->vp_strvalue, 8);
+ (void) memcpy(input, chal_vp->strvalue, 8);
/* Convert the password hash to keys, and do the encryptions. */
for (i = 0; i < 3; ++i) {
ks, DES_ENCRYPT);
}
- nmatch = memcmp(output, resp_vp->vp_strvalue + 26, 24);
+ nmatch = memcmp(output, resp_vp->strvalue + 26, 24);
if (nmatch || !vps)
break;
unsigned password_len, i;
VALUE_PAIR *vp;
- DEBUG("rlm_otp: pwe_cmp: handling PW_MS_CHAP2_RESPONSE");
+ DEBUG("%s: %s: handling PW_MS_CHAP2_RESPONSE", log_prefix, __func__);
if (chal_vp->length != 16) {
- otp_log(OTP_LOG_AUTH,"pwe_cmp: MS-CHAP-Challenge (v2) wrong size");
+ otp_log(OTP_LOG_AUTH, "%s: %s: MS-CHAP-Challenge (v2) wrong size",
+ log_prefix, __func__);
nmatch = -1;
break;
}
if (resp_vp->length != 50) {
- otp_log(OTP_LOG_AUTH, "pwe_cmp: MS-CHAP2-Response wrong size");
+ otp_log(OTP_LOG_AUTH, "%s: %s: MS-CHAP2-Response wrong size",
+ log_prefix, __func__);
nmatch = -1;
break;
}
/* This is probably overkill. */
if (strlen(password) > MAX_STRING_LEN) {
- otp_log(OTP_LOG_AUTH, "pwe_cmp: MS-CHAPv2 password too long");
+ otp_log(OTP_LOG_AUTH, "%s: %s: MS-CHAPv2 password too long",
+ log_prefix, __func__);
nmatch = -1;
break;
}
{
SHA_CTX ctx;
unsigned char md[SHA_DIGEST_LENGTH];
- char *username = request->username->vp_strvalue;
+ char *username = request->username->strvalue;
int username_len = request->username->length;
SHA1_Init(&ctx);
- SHA1_Update(&ctx, resp_vp->vp_strvalue + 2, 16);
- SHA1_Update(&ctx, chal_vp->vp_strvalue, 16);
+ SHA1_Update(&ctx, resp_vp->strvalue + 2, 16);
+ SHA1_Update(&ctx, chal_vp->strvalue, 16);
SHA1_Update(&ctx, username, username_len);
SHA1_Final(md, &ctx);
ks, DES_ENCRYPT);
}
- nmatch = memcmp(output, resp_vp->vp_strvalue + 26, 24);
+ nmatch = memcmp(output, resp_vp->strvalue + 26, 24);
if (nmatch || !vps)
break;
/* 0x (ID) ( ASCII("S="ASCII(auth_md))) */
char auth_octet_string[2 + 2 + (2 * sizeof(auth_md_string))];
- char *username = request->username->vp_strvalue;
+ char *username = request->username->strvalue;
int username_len = request->username->length;
/* "Magic server to client signing constant" */
(void) MD4(nt_keys, MD4_DIGEST_LENGTH, password_md_md);
SHA1_Init(&ctx);
SHA1_Update(&ctx, password_md_md, MD4_DIGEST_LENGTH);
- SHA1_Update(&ctx, resp_vp->vp_strvalue + 26, 24);
+ SHA1_Update(&ctx, resp_vp->strvalue + 26, 24);
SHA1_Update(&ctx, magic1, sizeof(magic1));
SHA1_Final(md1, &ctx);
/* MD2 */
SHA1_Init(&ctx);
- SHA1_Update(&ctx, resp_vp->vp_strvalue + 2, 16);
- SHA1_Update(&ctx, chal_vp->vp_strvalue, 16);
+ SHA1_Update(&ctx, resp_vp->strvalue + 2, 16);
+ SHA1_Update(&ctx, chal_vp->strvalue, 16);
SHA1_Update(&ctx, username, username_len);
SHA1_Final(md2, &ctx);
/* And then octet conversion. Ugh! */
auth_octet_string[0] = '0';
auth_octet_string[1] = 'x';
- (void) sprintf(&auth_octet_string[2], "%02X", resp_vp->vp_strvalue[0]);
+ (void) sprintf(&auth_octet_string[2], "%02X", resp_vp->strvalue[0]);
for (i = 0; i < sizeof(auth_md_string) - 1; ++i)
(void) sprintf(&auth_octet_string[i * 2 +4], "%02X", auth_md_string[i]);
/* Generate the master session key. */
SHA1_Init(&ctx);
SHA1_Update(&ctx, password_md_md, MD4_DIGEST_LENGTH);
- SHA1_Update(&ctx, resp_vp->vp_strvalue + 26, 24);
+ SHA1_Update(&ctx, resp_vp->strvalue + 26, 24);
SHA1_Update(&ctx, Magic1, sizeof(Magic1));
SHA1_Final(sha_md, &ctx);
(void) memcpy(MasterKey, sha_md, 16);
break;
default:
- DEBUG("rlm_otp: pwe_cmp: unknown password type");
+ DEBUG("%s: %s: unknown password type", log_prefix, __func__);
nmatch = -1;
break;