4 * This program is free software; you can redistribute it and/or modify
5 * it under the terms of the GNU General Public License as published by
6 * the Free Software Foundation; either version 2 of the License, or
7 * (at your option) any later version.
9 * This program is distributed in the hope that it will be useful,
10 * but WITHOUT ANY WARRANTY; without even the implied warranty of
11 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 * GNU General Public License for more details.
14 * You should have received a copy of the GNU General Public License
15 * along with this program; if not, write to the Free Software
16 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
18 * Copyright 2001,2002 Google, Inc.
19 * Copyright 2005,2006 TRI-D Systems, Inc.
23 * This file implements passcode (password) checking functions for each
24 * supported encoding (PAP, CHAP, etc.). The current libradius interface
25 * is not sufficient for X9.9 use.
28 static const char rcsid[] = "$Id$";
30 /* avoid inclusion of these FR headers which conflict w/ OpenSSL */
33 #include <rad_assert.h>
39 #include <openssl/des.h>
40 #include <openssl/md4.h>
41 #include <openssl/md5.h>
42 #include <openssl/sha.h>
46 /* Attribute IDs for supported password encodings. */
50 /* Initialize the pwattr array for supported password encodings. */
57 * Set up the known password types. Each type is a pair of attribute IDs.
58 * NB: Increase pwattr array size when adding a type.
59 * It should be sized as (number of password types * 2)
60 * NB: Array indices must match otp_pwe_t! (see otp.h)
62 (void) memset(pwattr, 0, sizeof(pwattr));
65 if ((da = dict_attrbyname("User-Password")) != NULL) {
71 if ((da = dict_attrbyname("CHAP-Challenge")) != NULL) {
73 if ((da = dict_attrbyname("CHAP-Password")) != NULL)
80 /* MS-CHAP (use is not recommended: the protocol is cryptographically weak) */
81 if ((da = dict_attrbyname("MS-CHAP-Challenge")) != NULL) {
83 if ((da = dict_attrbyname("MS-CHAP-Response")) != NULL)
91 if ((da = dict_attrbyname("MS-CHAP-Challenge")) != NULL) {
93 if ((da = dict_attrbyname("MS-CHAP2-Response")) != NULL)
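102 * Test for password presence in an Access-Request packet.
103 * Returns 0 for "no supported password present", or the
104 * password encoding type (index of the matching pwattr pair, plus 1).
 * NOTE(review): the scan below is bounded by sizeof(pwattr), which is a size
 * in bytes. If pwattr's elements are wider than one byte, the loop indexes
 * past the end of the array; bound it by the element count instead,
 * sizeof(pwattr) / sizeof(pwattr[0]). The declaration of pwattr is not shown
 * in this listing, so confirm the element type.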
107 otp_pwe_present(const REQUEST *request)
111 for (i = 0; i < sizeof(pwattr); i += 2) {
112 if (pairfind(request->packet->vps, pwattr[i]) &&
113 pairfind(request->packet->vps, pwattr[i + 1])) {
114 DEBUG("rlm_otp: %s: password attributes %d, %d", __func__,
115 pwattr[i], pwattr[i + 1]);
116 return i + 1; /* Can't return 0 (indicates failure) */
120 DEBUG("rlm_otp: %s: no password attributes present", __func__);