2 * rlm_eap_mschapv2.c Handles that are called from eap
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 2 of the License, or
9 * (at your option) any later version.
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
16 * You should have received a copy of the GNU General Public License
17 * along with this program; if not, write to the Free Software
18 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
20 * Copyright 2003,2006 The FreeRADIUS server project
28 #include "eap_mschapv2.h"
30 #include <freeradius-devel/rad_assert.h>
32 typedef struct rlm_eap_mschapv2_t {
33 bool with_ntdomain_hack;
38 static CONF_PARSER module_config[] = {
39 { "with_ntdomain_hack", FR_CONF_OFFSET(PW_TYPE_BOOLEAN, rlm_eap_mschapv2_t, with_ntdomain_hack), "no" },
41 { "send_error", FR_CONF_OFFSET(PW_TYPE_BOOLEAN, rlm_eap_mschapv2_t, send_error), "no" },
42 { "identity", FR_CONF_OFFSET(PW_TYPE_STRING, rlm_eap_mschapv2_t, identity), NULL },
43 CONF_PARSER_TERMINATOR
47 static void fix_mppe_keys(eap_handler_t *handler, mschapv2_opaque_t *data)
49 fr_pair_list_mcopy_by_num(data, &data->mppe_keys, &handler->request->reply->vps, 7, VENDORPEC_MICROSOFT, TAG_ANY);
50 fr_pair_list_mcopy_by_num(data, &data->mppe_keys, &handler->request->reply->vps, 8, VENDORPEC_MICROSOFT, TAG_ANY);
51 fr_pair_list_mcopy_by_num(data, &data->mppe_keys, &handler->request->reply->vps, 16, VENDORPEC_MICROSOFT, TAG_ANY);
52 fr_pair_list_mcopy_by_num(data, &data->mppe_keys, &handler->request->reply->vps, 17, VENDORPEC_MICROSOFT, TAG_ANY);
58 static int mod_instantiate(CONF_SECTION *cs, void **instance)
60 rlm_eap_mschapv2_t *inst;
62 *instance = inst = talloc_zero(cs, rlm_eap_mschapv2_t);
66 * Parse the configuration attributes.
68 if (cf_section_parse(cs, inst, module_config) < 0) {
72 if (inst->identity && (strlen(inst->identity) > 255)) {
73 cf_log_err_cs(cs, "identity is too long");
77 if (!inst->identity) {
78 inst->identity = talloc_asprintf(inst, "freeradius-%s", RADIUSD_VERSION_STRING);
86 * Compose the response.
88 static int eapmschapv2_compose(rlm_eap_mschapv2_t *inst, eap_handler_t *handler, VALUE_PAIR *reply)
92 mschapv2_header_t *hdr;
93 EAP_DS *eap_ds = handler->eap_ds;
94 REQUEST *request = handler->request;
96 eap_ds->request->code = PW_EAP_REQUEST;
97 eap_ds->request->type.num = PW_EAP_MSCHAPV2;
100 * Always called with vendor Microsoft
102 switch (reply->da->attr) {
103 case PW_MSCHAP_CHALLENGE:
106 * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
107 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
108 * | Code | Identifier | Length |
109 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
110 * | Type | OpCode | MS-CHAPv2-ID | MS-Length...
111 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
112 * | MS-Length | Value-Size | Challenge...
113 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
115 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
117 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
119 length = MSCHAPV2_HEADER_LEN + MSCHAPV2_CHALLENGE_LEN + strlen(inst->identity);
120 eap_ds->request->type.data = talloc_array(eap_ds->request, uint8_t, length);
123 * Allocate room for the EAP-MS-CHAPv2 data.
125 if (!eap_ds->request->type.data) {
128 eap_ds->request->type.length = length;
130 ptr = eap_ds->request->type.data;
131 hdr = (mschapv2_header_t *) ptr;
133 hdr->opcode = PW_EAP_MSCHAPV2_CHALLENGE;
134 hdr->mschapv2_id = eap_ds->response->id + 1;
135 length = htons(length);
136 memcpy(hdr->ms_length, &length, sizeof(uint16_t));
137 hdr->value_size = MSCHAPV2_CHALLENGE_LEN;
139 ptr += MSCHAPV2_HEADER_LEN;
142 * Copy the Challenge, success, or error over.
144 memcpy(ptr, reply->vp_octets, reply->vp_length);
146 memcpy((ptr + reply->vp_length), inst->identity, strlen(inst->identity));
149 case PW_MSCHAP2_SUCCESS:
152 * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
153 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
154 * | Code | Identifier | Length |
155 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
156 * | Type | OpCode | MS-CHAPv2-ID | MS-Length...
157 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
158 * | MS-Length | Message...
159 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
161 RDEBUG2("MSCHAP Success");
163 eap_ds->request->type.data = talloc_array(eap_ds->request, uint8_t, length);
165 * Allocate room for the EAP-MS-CHAPv2 data.
167 if (!eap_ds->request->type.data) {
170 memset(eap_ds->request->type.data, 0, length);
171 eap_ds->request->type.length = length;
173 eap_ds->request->type.data[0] = PW_EAP_MSCHAPV2_SUCCESS;
174 eap_ds->request->type.data[1] = eap_ds->response->id;
175 length = htons(length);
176 memcpy((eap_ds->request->type.data + 2), &length, sizeof(uint16_t));
177 memcpy((eap_ds->request->type.data + 4), reply->vp_strvalue + 1, 42);
180 case PW_MSCHAP_ERROR:
181 REDEBUG("MSCHAP Failure");
182 length = 4 + reply->vp_length - 1;
183 eap_ds->request->type.data = talloc_array(eap_ds->request, uint8_t, length);
186 * Allocate room for the EAP-MS-CHAPv2 data.
188 if (!eap_ds->request->type.data) return 0;
189 memset(eap_ds->request->type.data, 0, length);
190 eap_ds->request->type.length = length;
192 eap_ds->request->type.data[0] = PW_EAP_MSCHAPV2_FAILURE;
193 eap_ds->request->type.data[1] = eap_ds->response->id;
194 length = htons(length);
195 memcpy((eap_ds->request->type.data + 2), &length, sizeof(uint16_t));
197 * Copy the entire failure message.
199 memcpy((eap_ds->request->type.data + 4),
200 reply->vp_strvalue + 1, reply->vp_length - 1);
204 RERROR("Internal sanity check failed");
213 * Initiate the EAP-MSCHAPV2 session by sending a challenge to the peer.
215 static int mod_session_init(void *instance, eap_handler_t *handler)
218 VALUE_PAIR *challenge;
219 mschapv2_opaque_t *data;
220 REQUEST *request = handler->request;
222 bool created_challenge = false;
223 rlm_eap_mschapv2_t *inst = instance;
225 challenge = fr_pair_find_by_num(request->config, PW_MSCHAP_CHALLENGE, VENDORPEC_MICROSOFT, TAG_ANY);
226 if (challenge && (challenge->vp_length != MSCHAPV2_CHALLENGE_LEN)) {
227 RWDEBUG("control:MS-CHAP-Challenge is incorrect length. Ignoring it.");
232 created_challenge = true;
233 challenge = fr_pair_make(handler, NULL, "MS-CHAP-Challenge", NULL, T_OP_EQ);
236 * Get a random challenge.
238 challenge->vp_length = MSCHAPV2_CHALLENGE_LEN;
239 challenge->vp_octets = p = talloc_array(challenge, uint8_t, challenge->vp_length);
240 for (i = 0; i < MSCHAPV2_CHALLENGE_LEN; i++) {
244 RDEBUG2("Issuing Challenge");
247 * Keep track of the challenge.
249 data = talloc_zero(handler, mschapv2_opaque_t);
250 rad_assert(data != NULL);
253 * We're at the stage where we're challenging the user.
255 data->code = PW_EAP_MSCHAPV2_CHALLENGE;
256 memcpy(data->challenge, challenge->vp_octets, MSCHAPV2_CHALLENGE_LEN);
257 data->mppe_keys = NULL;
260 handler->opaque = data;
263 * Compose the EAP-MSCHAPV2 packet out of the data structure,
266 eapmschapv2_compose(inst, handler, challenge);
267 if (created_challenge) fr_pair_list_free(&challenge);
271 * The EAP session doesn't have enough information to
272 * proxy the "inside EAP" protocol. Disable EAP proxying.
274 handler->request->options &= ~RAD_REQUEST_OPTION_PROXY_EAP;
278 * We don't need to authorize the user at this point.
280 * We also don't need to keep the challenge, as it's
281 * stored in 'handler->eap_ds', which will be given back
284 handler->stage = PROCESS;
291 * Do post-proxy processing,
295 * Called from rlm_eap.c, eap_postproxy().
297 static int CC_HINT(nonnull) mschap_postproxy(eap_handler_t *handler, UNUSED void *tunnel_data)
299 VALUE_PAIR *response = NULL;
300 mschapv2_opaque_t *data;
301 REQUEST *request = handler->request;
303 data = (mschapv2_opaque_t *) handler->opaque;
304 rad_assert(request != NULL);
306 RDEBUG2("Passing reply from proxy back into the tunnel %d", request->reply->code);
309 * There is only a limited number of possibilities.
311 switch (request->reply->code) {
312 case PW_CODE_ACCESS_ACCEPT:
313 RDEBUG2("Proxied authentication succeeded");
316 * Move the attribute, so it doesn't go into
319 fr_pair_list_mcopy_by_num(data, &response, &request->reply->vps, PW_MSCHAP2_SUCCESS, VENDORPEC_MICROSOFT, TAG_ANY);
323 case PW_CODE_ACCESS_REJECT:
324 REDEBUG("Proxied authentication was rejected");
332 REDEBUG("Proxied reply contained no MS-CHAP2-Success or MS-CHAP-Error");
337 * Done doing EAP proxy stuff.
339 request->options &= ~RAD_REQUEST_OPTION_PROXY_EAP;
340 eapmschapv2_compose(NULL, handler, response);
341 data->code = PW_EAP_MSCHAPV2_SUCCESS;
344 * Delete MPPE keys & encryption policy
346 * FIXME: Use intelligent names...
348 fix_mppe_keys(handler, data);
351 * Save any other attributes for re-use in the final
352 * access-accept e.g. vlan, etc. This lets the PEAP
353 * use_tunneled_reply code work
355 data->reply = fr_pair_list_copy(data, request->reply->vps);
358 * And we need to challenge the user, not ack/reject them,
359 * so we re-write the ACK to a challenge. Yuck.
361 request->reply->code = PW_CODE_ACCESS_CHALLENGE;
362 fr_pair_list_free(&response);
369 * Authenticate a previously sent challenge.
371 static int CC_HINT(nonnull) mod_process(void *arg, eap_handler_t *handler)
377 mschapv2_opaque_t *data;
378 EAP_DS *eap_ds = handler->eap_ds;
379 VALUE_PAIR *challenge, *response, *name;
380 rlm_eap_mschapv2_t *inst = (rlm_eap_mschapv2_t *) arg;
381 REQUEST *request = handler->request;
383 rad_assert(handler->stage == PROCESS);
385 data = (mschapv2_opaque_t *) handler->opaque;
388 * Sanity check the response.
390 if (eap_ds->response->length <= 5) {
391 REDEBUG("corrupted data");
395 ccode = eap_ds->response->type.data[0];
397 switch (data->code) {
398 case PW_EAP_MSCHAPV2_FAILURE:
399 if (ccode == PW_EAP_MSCHAPV2_RESPONSE) {
400 RDEBUG2("Authentication re-try from client after we sent a failure");
405 * if we sent error 648 (password expired) to the client
406 * we might get an MSCHAP-CPW packet here; turn it into a
407 * regular MS-CHAP2-CPW packet and pass it to rlm_mschap
408 * (or proxy it, I guess)
410 if (ccode == PW_EAP_MSCHAPV2_CHGPASSWD) {
412 int mschap_id = eap_ds->response->type.data[1];
413 int copied = 0 ,seq = 1;
415 RDEBUG2("Password change packet received");
417 challenge = pair_make_request("MS-CHAP-Challenge", NULL, T_OP_EQ);
418 if (!challenge) return 0;
419 fr_pair_value_memcpy(challenge, data->challenge, MSCHAPV2_CHALLENGE_LEN);
421 cpw = pair_make_request("MS-CHAP2-CPW", NULL, T_OP_EQ);
424 cpw->vp_octets = p = talloc_array(cpw, uint8_t, cpw->vp_length);
427 memcpy(p + 2, eap_ds->response->type.data + 520, 66);
430 * break the encoded password into VPs (3 of them)
432 while (copied < 516) {
435 int to_copy = 516 - copied;
436 if (to_copy > 243) to_copy = 243;
438 nt_enc = pair_make_request("MS-CHAP-NT-Enc-PW", NULL, T_OP_ADD);
439 nt_enc->vp_length = 4 + to_copy;
441 nt_enc->vp_octets = p = talloc_array(nt_enc, uint8_t, nt_enc->vp_length);
448 memcpy(p + 4, eap_ds->response->type.data + 4 + copied, to_copy);
452 RDEBUG2("Built change password packet");
453 rdebug_pair_list(L_DBG_LVL_2, request, request->packet->vps, NULL);
456 * jump to "authentication"
462 * we sent a failure and are expecting a failure back
464 if (ccode != PW_EAP_MSCHAPV2_FAILURE) {
465 REDEBUG("Sent FAILURE expecting FAILURE but got %d", ccode);
470 request->options &= ~RAD_REQUEST_OPTION_PROXY_EAP;
471 eap_ds->request->code = PW_EAP_FAILURE;
474 case PW_EAP_MSCHAPV2_SUCCESS:
476 * we sent a success to the client; some clients send a
477 * success back as-per the RFC, some send an ACK. Permit
482 case PW_EAP_MSCHAPV2_SUCCESS:
483 eap_ds->request->code = PW_EAP_SUCCESS;
485 fr_pair_list_mcopy_by_num(request->reply, &request->reply->vps, &data->mppe_keys, 0, 0, TAG_ANY);
488 case PW_EAP_MSCHAPV2_ACK:
491 * It's a success. Don't proxy it.
493 request->options &= ~RAD_REQUEST_OPTION_PROXY_EAP;
495 fr_pair_list_mcopy_by_num(request->reply, &request->reply->vps, &data->reply, 0, 0, TAG_ANY);
498 REDEBUG("Sent SUCCESS expecting SUCCESS (or ACK) but got %d", ccode);
501 case PW_EAP_MSCHAPV2_CHALLENGE:
502 if (ccode == PW_EAP_MSCHAPV2_FAILURE) goto failure;
505 * we sent a challenge, expecting a response
507 if (ccode != PW_EAP_MSCHAPV2_RESPONSE) {
508 REDEBUG("Sent CHALLENGE expecting RESPONSE but got %d", ccode);
511 /* authentication happens below */
515 /* should never happen */
516 REDEBUG("Unknown state %d", data->code);
522 * Ensure that we have at least enough data
523 * to do the following checks.
525 * EAP header (4), EAP type, MS-CHAP opcode,
526 * MS-CHAP ident, MS-CHAP data length (2),
527 * MS-CHAP value length.
529 if (eap_ds->response->length < (4 + 1 + 1 + 1 + 2 + 1)) {
530 REDEBUG("Response is too short");
535 * The 'value_size' is the size of the response,
536 * which is supposed to be the response (48
537 * bytes) plus 1 byte of flags at the end.
539 if (eap_ds->response->type.data[4] != 49) {
540 REDEBUG("Response is of incorrect length %d", eap_ds->response->type.data[4]);
545 * The MS-Length field is 5 + value_size + length
546 * of name, which is put after the response.
548 length = (eap_ds->response->type.data[2] << 8) | eap_ds->response->type.data[3];
549 if ((length < (5 + 49)) || (length > (256 + 5 + 49))) {
550 REDEBUG("Response contains contradictory length %zu %d", length, 5 + 49);
555 * We now know that the user has sent us a response
556 * to the challenge. Let's try to authenticate it.
558 * We do this by taking the challenge from 'data',
559 * the response from the EAP packet, and creating VALUE_PAIR's
560 * to pass to the 'mschap' module. This is a little wonky,
563 challenge = pair_make_request("MS-CHAP-Challenge", NULL, T_OP_EQ);
564 if (!challenge) return 0;
565 fr_pair_value_memcpy(challenge, data->challenge, MSCHAPV2_CHALLENGE_LEN);
567 response = pair_make_request("MS-CHAP2-Response", NULL, T_OP_EQ);
568 if (!response) return 0;
569 response->vp_length = MSCHAPV2_RESPONSE_LEN;
570 response->vp_octets = p = talloc_array(response, uint8_t, response->vp_length);
572 p[0] = eap_ds->response->type.data[1];
573 p[1] = eap_ds->response->type.data[5 + MSCHAPV2_RESPONSE_LEN];
574 memcpy(p + 2, &eap_ds->response->type.data[5], MSCHAPV2_RESPONSE_LEN - 2);
576 name = pair_make_request("MS-CHAP-User-Name", NULL, T_OP_EQ);
580 * MS-Length - MS-Value - 5.
582 name->vp_length = length - 49 - 5;
583 name->vp_strvalue = q = talloc_array(name, char, name->vp_length + 1);
584 memcpy(q, &eap_ds->response->type.data[4 + MSCHAPV2_RESPONSE_LEN], name->vp_length);
585 q[name->vp_length] = '\0';
591 * If this options is set, then we do NOT authenticate the
592 * user here. Instead, now that we've added the MS-CHAP
593 * attributes to the request, we STOP, and let the outer
594 * tunnel code handle it.
596 * This means that the outer tunnel code will DELETE the
597 * EAP attributes, and proxy the MS-CHAP attributes to a
600 if (request->options & RAD_REQUEST_OPTION_PROXY_EAP) {
601 char *username = NULL;
602 eap_tunnel_data_t *tunnel;
604 RDEBUG2("Cancelling authentication and letting it be proxied");
607 * Set up the callbacks for the tunnel
609 tunnel = talloc_zero(request, eap_tunnel_data_t);
611 tunnel->tls_session = arg;
612 tunnel->callback = mschap_postproxy;
615 * Associate the callback with the request.
617 rcode = request_data_add(request,
619 REQUEST_DATA_EAP_TUNNEL_CALLBACK,
621 rad_assert(rcode == 0);
624 * The State attribute is NOT supposed to
625 * go into the proxied packet, it will confuse
626 * other RADIUS servers, and they will discard
629 * The PEAP module will take care of adding
630 * the State attribute back, before passing
631 * the handler & request back into the tunnel.
633 fr_pair_delete_by_num(&request->packet->vps, PW_STATE, 0, TAG_ANY);
636 * Fix the User-Name when proxying, to strip off
637 * the NT Domain, if we're told to, and a User-Name
638 * exists, and there's a \\, meaning an NT-Domain
639 * in the user name, THEN discard the user name.
641 if (inst->with_ntdomain_hack &&
642 ((challenge = fr_pair_find_by_num(request->packet->vps, PW_USER_NAME, 0, TAG_ANY)) != NULL) &&
643 ((username = strchr(challenge->vp_strvalue, '\\')) != NULL)) {
645 * Wipe out the NT domain.
647 * FIXME: Put it into MS-CHAP-Domain?
649 username++; /* skip the \\ */
650 fr_pair_value_strcpy(challenge, username);
654 * Remember that in the post-proxy stage, we've got
655 * to do the work below, AFTER the call to MS-CHAP
663 * This is a wild & crazy hack.
665 rcode = process_authenticate(PW_AUTH_TYPE_MS_CHAP, request);
668 * Delete MPPE keys & encryption policy. We don't
671 fix_mppe_keys(handler, data);
674 * Take the response from the mschap module, and
675 * return success or failure, depending on the result.
678 if (rcode == RLM_MODULE_OK) {
679 fr_pair_list_mcopy_by_num(data, &response, &request->reply->vps, PW_MSCHAP2_SUCCESS, VENDORPEC_MICROSOFT, TAG_ANY);
680 data->code = PW_EAP_MSCHAPV2_SUCCESS;
681 } else if (inst->send_error) {
682 fr_pair_list_mcopy_by_num(data, &response, &request->reply->vps, PW_MSCHAP_ERROR, VENDORPEC_MICROSOFT, TAG_ANY);
689 RDEBUG2("MSCHAP-Error: %s", response->vp_strvalue);
692 * Parse the new challenge out of the
693 * MS-CHAP-Error, so that if the client
694 * issues a re-try, we will know which
695 * challenge value that they used.
697 n = sscanf(response->vp_strvalue, "%*cE=%d R=%d C=%32s", &err, &retry, &buf[0]);
699 RDEBUG2("Found new challenge from MS-CHAP-Error: err=%d retry=%d challenge=%s",
701 fr_hex2bin(data->challenge, 16, buf, strlen(buf));
703 RDEBUG2("Could not parse new challenge from MS-CHAP-Error: %d", n);
706 data->code = PW_EAP_MSCHAPV2_FAILURE;
708 eap_ds->request->code = PW_EAP_FAILURE;
716 REDEBUG("No MS-CHAP2-Success or MS-CHAP-Error was found");
721 * Compose the response (whatever it is),
722 * and return it to the over-lying EAP module.
724 eapmschapv2_compose(inst, handler, response);
725 fr_pair_list_free(&response);
731 * The module name should be the only globally exported symbol.
732 * That is, everything else should be 'static'.
734 extern rlm_eap_module_t rlm_eap_mschapv2;
735 rlm_eap_module_t rlm_eap_mschapv2 = {
736 .name = "eap_mschapv2",
737 .instantiate = mod_instantiate, /* Create new submodule instance */
738 .session_init = mod_session_init, /* Initialise a new EAP session */
739 .process = mod_process /* Process next round of EAP method */