* for MS-CHAPv2.
*/
} else if (chap_challenge->length == 16) {
+ VALUE_PAIR *name_attr, *response_name;
char *username_string;
RDEBUG2(" mschap2: %02x", chap_challenge->vp_octets[0]);
}
/*
+ * FIXME: Much of this is copied from
+ * below. We should put it into a
+ * separate function.
+ */
+
+ /*
* Responses are 50 octets.
*/
if (response->length < 50) {
user_name = pairfind(request->packet->vps,
PW_USER_NAME, 0);
if (!user_name) {
- RDEBUG2("User-Name is required to calculateMS-CHAPv1 Challenge.");
+ RDEBUG2("User-Name is required to calculate MS-CHAPv1 Challenge.");
return 0;
}
+ /*
+ * Check for MS-CHAP-User-Name and if found, use it
+ * to construct the MSCHAPv1 challenge. This is
+ * set by rlm_eap_mschap to the MS-CHAP Response
+ * packet Name field.
+ *
+ * We prefer this to the User-Name in the
+ * packet.
+ */
+ response_name = pairfind(request->packet->vps, PW_MS_CHAP_USER_NAME, 0);
+ if (response_name) {
+ name_attr = response_name;
+ } else {
+ name_attr = user_name;
+ }
+
/*
* with_ntdomain_hack moved here, too.
*/
- if ((username_string = strchr(user_name->vp_strvalue, '\\')) != NULL) {
+ if ((username_string = strchr(name_attr->vp_strvalue, '\\')) != NULL) {
if (inst->with_ntdomain_hack) {
username_string++;
} else {
RDEBUG2("NT Domain delimeter found, should we have enabled with_ntdomain_hack?");
- username_string = user_name->vp_strvalue;
+ username_string = name_attr->vp_strvalue;
}
} else {
- username_string = user_name->vp_strvalue;
+ username_string = name_attr->vp_strvalue;
+ }
+
+ if (response_name &&
+ ((user_name->length != response_name->length) ||
+ (strncasecmp(user_name->vp_strvalue, response_name->vp_strvalue, user_name->length) != 0))) {
+ RDEBUG("WARNING: User-Name (%s) is not the same as MS-CHAP Name (%s) from EAP-MSCHAPv2", user_name->vp_strvalue, response_name->vp_strvalue);
}
/*
* from the MS-CHAPv2 peer challenge,
* our challenge, and the user name.
*/
+ RDEBUG2("Creating challenge hash with username: %s",
+ username_string);
mschap_challenge_hash(response->vp_octets + 2,
chap_challenge->vp_octets,
username_string, buffer);
buffer, sizeof(buffer),
NULL, NULL, 1);
if (result != 0) {
+ char *p;
+ VALUE_PAIR *vp = NULL;
+
RDEBUG2("External script failed.");
+
+ vp = pairmake("Module-Failure-Message", "", T_OP_EQ);
+ if (!vp) {
+ radlog_request(L_ERR, 0, request, "No memory to allocate Module-Failure-Message");
+ return RLM_MODULE_FAIL;
+ }
+
+ p = strchr(buffer, '\n');
+ if (p) *p = '\0';
+ snprintf(vp->vp_strvalue, sizeof(vp->vp_strvalue),
+ "%s: External script says %s",
+ inst->xlat_name, buffer);
+ vp->length = strlen(vp->vp_strvalue);
+ pairadd(&request->request->vps, vp);
return -1;
}
}
if (pairfind(request->config_items, PW_AUTH_TYPE, 0)) {
- RDEBUG2("Found existing Auth-Type. Not changing it.");
+ RDEBUG2("WARNING: Auth-Type already set. Not setting to MS-CHAP");
return RLM_MODULE_NOOP;
}
PW_MSCHAP_CHALLENGE,
VENDORPEC_MICROSOFT);
if (!challenge) {
- RDEBUG2("No MS-CHAP-Challenge in the request");
+ RDEBUG("ERROR: You set 'Auth-Type = MS-CHAP' for a request that does not contain any MS-CHAP attributes!");
return RLM_MODULE_REJECT;
}
} else if ((response = pairfind(request->packet->vps, PW_MSCHAP2_RESPONSE, VENDORPEC_MICROSOFT)) != NULL) {
uint8_t mschapv1_challenge[16];
+ VALUE_PAIR *name_attr, *response_name;
/*
* MS-CHAPv2 challenges are 16 octets.
return RLM_MODULE_INVALID;
}
-
/*
- * with_ntdomain_hack moved here
+ * Check for MS-CHAP-User-Name and if found, use it
+ * to construct the MSCHAPv1 challenge. This is
+ * set by rlm_eap_mschap to the MS-CHAP Response
+ * packet Name field.
+ *
+ * We prefer this to the User-Name in the
+ * packet.
+ */
+ response_name = pairfind(request->packet->vps, PW_MS_CHAP_USER_NAME, 0);
+ if (response_name) {
+ name_attr = response_name;
+ } else {
+ name_attr = username;
+ }
+
+ /*
+ * with_ntdomain_hack moved here, too.
*/
- if ((username_string = strchr(username->vp_strvalue, '\\')) != NULL) {
- if (inst->with_ntdomain_hack) {
- username_string++;
+ if ((username_string = strchr(name_attr->vp_strvalue, '\\')) != NULL) {
+ if (inst->with_ntdomain_hack) {
+ username_string++;
} else {
- RDEBUG2(" NT Domain delimeter found, should we have enabled with_ntdomain_hack?");
- username_string = username->vp_strvalue;
+ RDEBUG2("NT Domain delimeter found, should we have enabled with_ntdomain_hack?");
+ username_string = name_attr->vp_strvalue;
}
} else {
- username_string = username->vp_strvalue;
+ username_string = name_attr->vp_strvalue;
+ }
+
+ if (response_name &&
+ ((username->length != response_name->length) ||
+ (strncasecmp(username->vp_strvalue, response_name->vp_strvalue, username->length) != 0))) {
+ RDEBUG("ERROR: User-Name (%s) is not the same as MS-CHAP Name (%s) from EAP-MSCHAPv2", username->vp_strvalue, response_name->vp_strvalue);
+ return RLM_MODULE_REJECT;
}
#ifdef __APPLE__
* MS-CHAPv2 takes some additional data to create an
* MS-CHAPv1 challenge, and then does MS-CHAPv1.
*/
+ RDEBUG2("Creating challenge hash with username: %s",
+ username_string);
mschap_challenge_hash(response->vp_octets + 2, /* peer challenge */
challenge->vp_octets, /* our challenge */
username_string, /* user name */
return RLM_MODULE_REJECT;
}
- /*
- * Get the NT-hash-hash, if necessary
- */
- if (nt_password) {
- }
-
mschap_auth_response(username_string, /* without the domain */
nthashhash, /* nt-hash-hash */
response->vp_octets + 26, /* peer response */
chap = 2;
} else { /* Neither CHAPv1 or CHAPv2 response: die */
- radlog_request(L_AUTH, 0, request, "No MS-CHAP response found");
+ RDEBUG("ERROR: You set 'Auth-Type = MS-CHAP' for a request that does not contain any MS-CHAP attributes!");
return RLM_MODULE_INVALID;
}
projects / freeradius.git / blobdiff