int main(int argc, char ** argv)
{
if (argc != 2)
goto failure;
int rc;
rc = compare1(argv[1]);
if (rc < 0)
goto failure;
printf("magic words: %s\n", get_secret());
return 0;
failure:
printf("sorry!\n");
return -1;
}
int handle_del(char *msg) {
int ret = 0;
unsigned char *user = (unsigned char*)calloc(1, sizeof(char) *
MAX_MSG_LENGTH);
if (!user)
goto no_mem_user;
struct anspass_packet *pkt = (struct anspass_packet*)calloc(1,
sizeof(struct anspass_packet));
if (!pkt)
goto no_pkt;
print_user_prompt(msg);
get_secret(user, MAX_MSG_LENGTH, 1);
printf("\n");
printf("Deleting %s:", msg);
pkt->socket = info.socket;
pkt->type = DEL;
memcpy(pkt->token, info.token, TOKEN_LEN);
memcpy(pkt->msg, msg, strlen(msg));
memcpy(pkt->user, user, strlen((char*)user));
ret = put_data(pkt);
if (ret < 0)
goto send_fail;
ret = wait_ack_reply();
if (ret) {
printf("Failed: %d\n", ret);
goto failed;
}
printf("Success\n");
failed:
/* Fall-through expected */
send_fail:
free(pkt);
no_pkt:
free(user);
no_mem_user:
return ret;
}
/*
* chap_verify_response - check whether the peer's response matches
* what we think it should be. Returns 1 if it does (authentication
* succeeded), or 0 if it doesn't.
*/
static int chap_verify_response(ppp_pcb *pcb, const char *name, const char *ourname, int id,
const struct chap_digest_type *digest,
const unsigned char *challenge, const unsigned char *response,
char *message, int message_space) {
int ok;
unsigned char secret[MAXSECRETLEN];
int secret_len;
/* Get the secret that the peer is supposed to know */
if (!get_secret(pcb, name, ourname, (char *)secret, &secret_len, 1)) {
ppp_error("No CHAP secret found for authenticating %q", name);
return 0;
}
ok = digest->verify_response(pcb, id, name, secret, secret_len, challenge,
response, message, message_space);
memset(secret, 0, sizeof(secret));
return ok;
}
void generateSeed()
{
auto private_key = fc::ecc::private_key::generate();
ui.brainkey->setText(std::string(private_key.get_secret()).c_str() );
completeChanged();
}
operator private_key_secret ()const { return get_secret(); }
/*
* chap_respond - Generate and send a response to a challenge.
*/
static void chap_respond(ppp_pcb *pcb, int id,
unsigned char *pkt, int len) {
int clen, nlen;
int secret_len;
struct pbuf *p;
u_char *outp;
char rname[MAXNAMELEN+1];
char secret[MAXSECRETLEN+1];
p = pbuf_alloc(PBUF_RAW, (u16_t)(RESP_MAX_PKTLEN), PPP_CTRL_PBUF_TYPE);
if(NULL == p)
return;
if(p->tot_len != p->len) {
pbuf_free(p);
return;
}
if ((pcb->chap_client.flags & (LOWERUP | AUTH_STARTED)) != (LOWERUP | AUTH_STARTED))
return; /* not ready */
if (len < 2 || len < pkt[0] + 1)
return; /* too short */
clen = pkt[0];
nlen = len - (clen + 1);
/* Null terminate and clean remote name. */
ppp_slprintf(rname, sizeof(rname), "%.*v", nlen, pkt + clen + 1);
#if PPP_REMOTENAME
/* Microsoft doesn't send their name back in the PPP packet */
if (pcb->settings.explicit_remote || (pcb->settings.remote_name[0] != 0 && rname[0] == 0))
strlcpy(rname, pcb->settings.remote_name, sizeof(rname));
#endif /* PPP_REMOTENAME */
/* get secret for authenticating ourselves with the specified host */
if (!get_secret(pcb, pcb->chap_client.name, rname, secret, &secret_len, 0)) {
secret_len = 0; /* assume null secret if can't find one */
ppp_warn("No CHAP secret found for authenticating us to %q", rname);
}
outp = (u_char*)p->payload;
MAKEHEADER(outp, PPP_CHAP);
outp += CHAP_HDRLEN;
pcb->chap_client.digest->make_response(pcb, outp, id, pcb->chap_client.name, pkt,
secret, secret_len, pcb->chap_client.priv);
memset(secret, 0, secret_len);
clen = *outp;
nlen = strlen(pcb->chap_client.name);
memcpy(outp + clen + 1, pcb->chap_client.name, nlen);
outp = (u_char*)p->payload + PPP_HDRLEN;
len = CHAP_HDRLEN + clen + 1 + nlen;
outp[0] = CHAP_RESPONSE;
outp[1] = id;
outp[2] = len >> 8;
outp[3] = len;
pbuf_realloc(p, PPP_HDRLEN + len);
ppp_write(pcb, p);
}
int handle_challenge (struct tunnel *t, struct challenge *chal)
{
char *us;
char *them;
if (!t->lns && !t->lac)
{
l2tp_log (LOG_DEBUG, "%s: No LNS or LAC to handle challenge!\n",
__FUNCTION__);
return -1;
}
#ifdef DEBUG_AUTH
l2tp_log (LOG_DEBUG, "%s: making response for tunnel: %d\n", __FUNCTION__,
t->ourtid);
#endif
if (t->lns)
{
if (t->lns->hostname[0])
us = t->lns->hostname;
else
us = hostname;
if (t->lns->peername[0])
them = t->lns->peername;
else
them = t->hostname;
}
else
{
if (t->lac->hostname[0])
us = t->lac->hostname;
else
us = hostname;
if (t->lac->peername[0])
them = t->lac->peername;
else
them = t->hostname;
}
if (!get_secret (us, them, chal->secret, sizeof (chal->secret)))
{
l2tp_log (LOG_DEBUG, "%s: no secret found for us='%s' and them='%s'\n",
__FUNCTION__, us, them);
return -1;
}
#if DEBUG_AUTH
l2tp_log (LOG_DEBUG, "*%s: Here comes the chal->ss:\n", __FUNCTION__);
bufferDump (&chal->ss, 1);
l2tp_log (LOG_DEBUG, "%s: Here comes the secret\n", __FUNCTION__);
bufferDump (chal->secret, strlen (chal->secret));
l2tp_log (LOG_DEBUG, "%s: Here comes the challenge\n", __FUNCTION__);
bufferDump (chal->challenge, chal->chal_len);
#endif
memset (chal->response, 0, MD_SIG_SIZE);
MD5Init (&chal->md5);
MD5Update (&chal->md5, &chal->ss, 1);
MD5Update (&chal->md5, chal->secret, strlen ((char *)chal->secret));
MD5Update (&chal->md5, chal->challenge, chal->chal_len);
MD5Final (chal->response, &chal->md5);
#ifdef DEBUG_AUTH
l2tp_log (LOG_DEBUG, "response is %X%X%X%X to '%s' and %X%X%X%X, %d\n",
*((int *) &chal->response[0]),
*((int *) &chal->response[4]),
*((int *) &chal->response[8]),
*((int *) &chal->response[12]),
chal->secret,
*((int *) &chal->challenge[0]),
*((int *) &chal->challenge[4]),
*((int *) &chal->challenge[8]),
*((int *) &chal->challenge[12]), chal->ss);
#endif
chal->state = STATE_CHALLENGED;
return 0;
}
int exec_menu(MENU menu)
{
int i=0, cidx=0, fine;
int off, ecnt=1;
char tmp[MAXLEN];
char output[MAXLEN];
MENU tmenu = menu;
int ret;
int cpid;
fine=1;
while(cidx < tmenu.ncmd && fine)
{
off=1;
switch(tmenu.cmd[cidx][0])
{
case '-':
if(*(tmenu.cmd[cidx] + off)=='!') off++;
parsecmd(tmenu.cmd[cidx] +off, tmp);
cpid = fork();
if(cpid)
{
waitpid(cpid,&ret,0);
if(ret!=-1 && WIFEXITED(ret))
ret = WEXITSTATUS(ret);
}
else
{
close(comport);
ret=system(tmp);
if(ret!=-1 && WIFEXITED(ret))
ret = WEXITSTATUS(ret);
exit(ret);
}
if(off==1) ret=1;
break;
case '+':
if(*(tmenu.cmd[cidx] + off)=='!') off++;
parsecmd(tmenu.cmd[cidx] +off, tmp);
ret=execute(tmp, output, MAXLEN);
sprintf(tmp, "$%d", ecnt++);
setvar(tmp, output);
if(off==1) ret=1;
break;
case '<':
argcnt = split(tmenu.cmd[cidx]+1, args[0], MAXARGS, MAXARGLEN);
substvar(args[0], MAXARGS, MAXARGLEN);
/*for(i=0; i<argcnt; i++)
printf("%d: --%s--\n",i,args[i]);*/
if(strcmp(args[0],"YesNo")==0 && argcnt==2)
{
ret=get_yesno(args[1]);
sprintf(output,"%d",ret-1);
setvar("$YesNo",output);
}
if(strcmp(args[0],"OnOff")==0 && argcnt==3)
{
ret=get_onoff(args[1], atoi(args[2]));
sprintf(output,"%d",ret-1);
setvar("$OnOff",output);
}
if(strcmp(args[0],"Percent")==0 && argcnt==4)
{
ret=get_percent(args[1], atoi(args[2]), atoi(args[3]));
sprintf(output,"%d",ret-1);
setvar("$Percent",output);
}
if(strcmp(args[0],"Choice")==0 && argcnt>=4)
{
init_choice();
for(i=3; i<argcnt; i++)
addchoice(args[i]);
ret=get_choice(args[1], atoi(args[2]));
sprintf(output,"%d",ret);
setvar("$Choice",output);
}
if(strcmp(args[0],"Real")==0 && (argcnt==4 || argcnt==5))
{
if(argcnt==4) strcpy(args[4],"");
ret=get_real(output, args[1], args[2], args[3], args[4]);
setvar("$Real",output);
}
if(strcmp(args[0],"Int")==0 && (argcnt==5 || argcnt==6))
{
if(argcnt==5) strcpy(args[5],"0");
ret=get_integer(output, args[1], args[2], atoi(args[3]), atoi(args[4]), atoi(args[5]));
setvar("$Int",output);
}
if(strcmp(args[0],"Phone")==0 && (argcnt==3 || argcnt==4))
{
if(argcnt==3) strcpy(args[3],"");
ret=get_phone(output, args[1], args[2], args[3]);
setvar("$Phone",output);
}
if(strcmp(args[0],"Date")==0 && argcnt==2)
{
ret=get_date(output, args[1]);
setvar("$Date",output);
}
if(strcmp(args[0],"Text")==0 && (argcnt==4 || argcnt==5))
{
if(argcnt==4) strcpy(args[4],"");
ret=get_text(output, args[1], args[2], atoi(args[3]), args[4]);
setvar("$Text",output);
}
if(strcmp(args[0],"Secret")==0 && argcnt==4)
{
ret=get_secret(output, args[1], args[2], atoi(args[3]));
setvar("$Secret",output);
}
break;
case '>':
argcnt = split(tmenu.cmd[cidx]+1, args[0], MAXARGS, MAXARGLEN);
substvar(args[0], MAXARGS, MAXARGLEN);
/*for(i=0; i<argcnt; i++)
printf("%d: --%s--\n",i,args[i]);*/
if(strcmp(args[0],"MsgBox")==0 && (argcnt==2 || argcnt==3))
{
if(argcnt==2) strcpy(args[2],"");
ret=msgbox(args[1], atoi(args[2]));
}
if(strcmp(args[0],"Info")==0 && argcnt>=3)
ret=info(args[1], args[2]);
if(strcmp(args[0],"Status")==0 && argcnt>=2)
ret=status(args[1]);
break;
case ':':
for(i=0; i<fncnt; i++)
if(strcmp(tmenu.cmd[cidx]+1,flist[i].name)==0)
ret = flist[i].fn();
break;
}
if(ret<=0) fine=0;
cidx++;
}
return 0;
}
/*
* register SAM/QFS on the host being called with CNS.
* The key value string must contain:
* sun_login
* sun_password (passed as arg cl_pwd)
* name
* email
* asset_prefix = "sam-qfs"
*
* The key value string may contain:
* prxy_enabled
* prxy_port
* prxy_host
* prxy_auth
* prxy_user
* prxy_passwd(passed as arg proxy_pwd)
*
* The cl_pwd byte array must contain the client password for
* the sun account encrypted with the public key returned from
* cns_get_public_key.
*
* If proxy_auth is set to true, the proxy_pwd must be
* the encrypted proxy password, using the same key as above.
*/
int
cns_register(
ctx_t *ctx, /* ARGSUSED */
char *kv_string,
crypt_str_t *cl_pwd,
crypt_str_t *proxy_pwd,
char *clnt_pub_key_hex) {
char *cl_clear = NULL;
unsigned char *secret = NULL;
int secret_len;
cl_reg_cfg_t cl;
sf_prod_info_t *sf;
char asset_dir[MAXPATHLEN];
int retval;
Trace(TR_MISC, "csn registration entry");
/* check the mandatory parameters */
if (ISNULL(kv_string, cl_pwd, clnt_pub_key_hex)) {
Trace(TR_ERR, "cns registration failed %d %s", samerrno,
samerrmsg);
return (-1);
}
memset(&cl, 0, sizeof (cl_reg_cfg_t));
if (cl_pwd->str == NULL) {
samerrno = SE_NULL_PARAMETER;
snprintf(samerrmsg, MAX_MSG_LEN, GetCustMsg(samerrno),
"password");
Trace(TR_ERR, "cns registration failed %d %s", samerrno,
samerrmsg);
goto err;
}
if (parse_kv(kv_string, cl_reg_cfg_tokens, &cl) != 0) {
Trace(TR_ERR, "cns registration failed %d %s", samerrno,
samerrmsg);
goto err;
}
/*
* If there was a client registration id free it. Or it will leak.
* Note that reregistration is allowed in order to change the keys
* that are used for signing the telemetry data.
*/
if (cl.reg_id) {
free(cl.reg_id);
cl.reg_id = NULL;
}
/* Complete the last phase of key agreement */
secret_len = get_secret(clnt_pub_key_hex, &secret);
if (secret_len <= 0) {
set_registration_error(-1);
Trace(TR_ERR, "cns registration failed:getsecret");
goto err;
}
/* get the password clear text */
if (decrypt_string(&cl_clear, secret, cl_pwd->str,
cl_pwd->str_len) != 0) {
set_registration_error(-1);
Trace(TR_ERR, "cns reg failed:bad clear cl pass");
goto err;
}
/* add the proxy password to the cl struct */
if (proxy_pwd != NULL) {
/*
* proxy password should be populated if it is
* present even if proxy authentication is not enabled.
* This behavior is really more forward looking for
* when telemetry is enabled.
*/
if (decrypt_string(&(cl.prxy.passwd), secret, proxy_pwd->str,
proxy_pwd->str_len) != 0) {
set_registration_error(-1);
Trace(TR_ERR, "cns reg failed:bad clear prxy pass");
goto err;
}
}
/* check the rest of the parameters */
if (check_cl_reg_cfg(&cl, B_TRUE) != 0) {
setsamerr(SE_INVALID_REG_PARAMS);
Trace(TR_ERR, "cns registration failed %d %s", samerrno,
samerrmsg);
goto err;
}
/* create the data directory for this asset */
if (cl.asset_prefix == NULL) {
set_registration_error(-1);
Trace(TR_ERR, "cns registration failed: %d %s",
samerrno, samerrmsg);
goto err;
}
snprintf(asset_dir, sizeof (upath_t), CNS_ASSETDIR_SPEC,
cl.asset_prefix);
if (create_dir(ctx, asset_dir) != 0) {
Trace(TR_ERR, "cns registration failed: %d %s",
samerrno, samerrmsg);
goto err;
}
/*
* generate the public and private keys for this client-asset pair
*/
if ((retval = regstr_generate_public_private_key(cl.asset_prefix))
!= 0) {
set_registration_error(retval);
Trace(TR_ERR, "cns registration failed: %d %s",
samerrno, samerrmsg);
goto err;
}
strlcat(asset_dir, CNS_CLIENT_CONF, sizeof (upath_t));
if (get_samfs_type(ctx) == SAMQFS) {
sf = &samqfs_swordfish_data;
} else {
sf = &qfs_swordfish_data;
}
/*
* This could save the client data now so that it can be
* fetched even if the registration fails. The user would still
* need to enter the appropriate passwords but nothing else would
* be required. The reason it is done later is that the reg_id needs
* to be saved and is not yet available.
*/
if ((retval = regstr_postclient_regis_data(&cl,
(char *)cl_clear)) != 0) {
set_registration_error(retval);
Trace(TR_ERR, "cns registration failed: %d %s",
samerrno, samerrmsg);
goto err;
}
/*
* Only post the product registration once. The reason to
* post the client registration more than once is that is how
* the key pair gets changed
*/
if (!is_registered(&cl)) {
char *addn_info;
/*
* If we can get additional version information about the
* packages include it but ignore errors.
*/
if (get_associated_package_info(&addn_info) == 0) {
sf->additional_info = addn_info;
}
if ((retval = regstr_postproduct_regis_data(sf, &cl)) != 0) {
set_registration_error(retval);
Trace(TR_ERR, "cns registration failed: %d %s",
samerrno, samerrmsg);
goto err;
}
cl.registered = B_TRUE;
if (sf->additional_info) {
free(sf->additional_info);
sf->additional_info = NULL;
}
}
if (save_client_conf(asset_dir, &cl) != 0) {
Trace(TR_ERR, "cns registration failed: %d %s",
samerrno, samerrmsg);
goto err;
}
free_sensitive_buf((char **)&secret, secret_len);
free_sensitive_buf(&(cl_clear), strlen(cl_clear));
if (cl.prxy.passwd) {
free_sensitive_buf(&(cl.prxy.passwd), strlen(cl.prxy.passwd));
}
free_cl_reg_cfg_fields(&cl);
Trace(TR_MISC, "cns registration succeeded");
return (0);
err:
if (sf->additional_info) {
free(sf->additional_info);
sf->additional_info = NULL;
}
free_sensitive_buf((char **)&secret, secret_len);
free_sensitive_buf(&(cl_clear), strlen(cl_clear));
if (cl.prxy.passwd) {
free_sensitive_buf(&(cl.prxy.passwd), strlen(cl.prxy.passwd));
}
free_cl_reg_cfg_fields(&cl);
return (-1);
}
int send_creds(int type, char *msg) {
int ret = -ENOMEM;
int match = 3;
unsigned char *user = (unsigned char*)calloc(1, sizeof(char) *
MAX_MSG_LENGTH);
if (!user)
goto no_mem_user;
unsigned char *passwd = (unsigned char*)calloc(1, sizeof(char) *
MAX_MSG_LENGTH);
if (!passwd)
goto no_mem_passwd;
unsigned char *v_passwd = (unsigned char*)calloc(1, sizeof(char) *
MAX_MSG_LENGTH);
if (!v_passwd)
goto no_mem_v_passwd;
struct anspass_packet *pkt = (struct anspass_packet*)calloc(1,
sizeof(struct anspass_packet));
if (!pkt)
goto no_pkt;
/* Get the username */
print_user_prompt(msg);
get_secret(user, MAX_MSG_LENGTH, 1);
printf("\n");
ret = -EINVAL;
do
{
if (match != MAX_PASSWD_ATTEMPT)
printf("Incorrect password. (%d more attempts)\n",
match);
/* Get the password */
printf("Please enter a password for %s\n", msg);
printf("(max of %d characters)\n", MAX_MSG_LENGTH-1);
printf("Password: "******"\n");
printf("\n");
printf("Please re-enter a password for %s\n", msg);
printf("Verify password:"******"\n");
match--;
} while(match && (ret = check_passwd(passwd, v_passwd)) );
if (ret != 0)
{
printf("Incorrect password. Maximum attempts reached\n");
goto passwd_fail;
}
pkt->socket = info.socket;
pkt->type = type;
memcpy(pkt->token, info.token, TOKEN_LEN);
memcpy(pkt->msg, msg, strlen(msg));
memcpy(pkt->user, user, strlen((char*)user));
memcpy(pkt->passwd, passwd, strlen((char*)passwd));
printf("Adding %s\n", msg);
ret = put_data(pkt);
if (ret < 0)
goto send_fail;
ret = wait_ack_reply();
if (ret) {
printf("Failed: %d\n", ret);
goto failed;
}
printf("Success\n");
ret = 0;
failed:
/* Fall-through expected */
send_fail:
/* Fall-through expected */
passwd_fail:
free(pkt);
no_pkt:
free(v_passwd);
no_mem_v_passwd:
free(passwd);
no_mem_passwd:
free(user);
no_mem_user:
return ret;
}
/*
* ChapReceiveResponse - Receive and process response.
*/
static void
ChapReceiveResponse(
chap_state *cstate,
u_char *inp,
int id,
int len)
{
u_char *remmd, remmd_len;
int secret_len, old_state;
int code;
char rhostname[256];
MD5_CTX mdContext;
unsigned char secret[MAXSECRETLEN];
u_char hash[MD5_SIGNATURE_SIZE];
if (cstate->serverstate == CHAPSS_CLOSED ||
cstate->serverstate == CHAPSS_PENDING) {
CHAPDEBUG(("ChapReceiveResponse: in state %d", cstate->serverstate));
return;
}
if (id != cstate->chal_id)
return; /* doesn't match ID of last challenge */
/*
* If we have received a duplicate or bogus Response,
* we have to send the same answer (Success/Failure)
* as we did for the first Response we saw.
*/
if (cstate->serverstate == CHAPSS_OPEN) {
ChapSendStatus(cstate, CHAP_SUCCESS);
return;
}
if (cstate->serverstate == CHAPSS_BADAUTH) {
ChapSendStatus(cstate, CHAP_FAILURE);
return;
}
if (len < 2) {
CHAPDEBUG(("ChapReceiveResponse: rcvd short packet."));
return;
}
GETCHAR(remmd_len, inp); /* get length of MD */
remmd = inp; /* get pointer to MD */
INCPTR(remmd_len, inp);
len -= sizeof (u_char) + remmd_len;
if (len < 0) {
CHAPDEBUG(("ChapReceiveResponse: rcvd short packet."));
return;
}
UNTIMEOUT(ChapChallengeTimeout, cstate);
if (len >= sizeof(rhostname))
len = sizeof(rhostname) - 1;
BCOPY(inp, rhostname, len);
rhostname[len] = '\000';
/*
* Get secret for authenticating them with us,
* do the hash ourselves, and compare the result.
*/
code = CHAP_FAILURE;
if (!get_secret(cstate->unit, (explicit_remote? remote_name: rhostname),
cstate->chal_name, secret, &secret_len, 1)) {
warn("No CHAP secret found for authenticating %q", rhostname);
} else {
/* generate MD based on negotiated type */
switch (cstate->chal_type) {
case CHAP_DIGEST_MD5: /* only MD5 is defined for now */
if (remmd_len != MD5_SIGNATURE_SIZE)
break; /* it's not even the right length */
MD5Init(&mdContext);
MD5Update(&mdContext, &cstate->chal_id, 1);
MD5Update(&mdContext, secret, secret_len);
MD5Update(&mdContext, cstate->challenge, cstate->chal_len);
MD5Final(hash, &mdContext);
/* compare local and remote MDs and send the appropriate status */
if (memcmp (hash, remmd, MD5_SIGNATURE_SIZE) == 0)
code = CHAP_SUCCESS; /* they are the same! */
break;
default:
CHAPDEBUG(("unknown digest type %d", cstate->chal_type));
}
}
BZERO(secret, sizeof(secret));
ChapSendStatus(cstate, code);
if (code == CHAP_SUCCESS) {
old_state = cstate->serverstate;
cstate->serverstate = CHAPSS_OPEN;
if (old_state == CHAPSS_INITIAL_CHAL) {
auth_peer_success(cstate->unit, PPP_CHAP, rhostname, len);
}
if (cstate->chal_interval != 0)
TIMEOUT(ChapRechallenge, cstate, cstate->chal_interval);
notice("CHAP peer authentication succeeded for %q", rhostname);
} else {
error("CHAP peer authentication failed for remote host %q", rhostname);
cstate->serverstate = CHAPSS_BADAUTH;
auth_peer_fail(cstate->unit, PPP_CHAP);
}
}
/*
* ChapReceiveChallenge - Receive Challenge and send Response.
*/
static void
ChapReceiveChallenge(
chap_state *cstate,
u_char *inp,
int id,
int len)
{
int rchallenge_len;
u_char *rchallenge;
int secret_len;
unsigned char secret[MAXSECRETLEN];
char rhostname[256];
MD5_CTX mdContext;
u_char hash[MD5_SIGNATURE_SIZE];
if (cstate->clientstate == CHAPCS_CLOSED ||
cstate->clientstate == CHAPCS_PENDING) {
CHAPDEBUG(("ChapReceiveChallenge: in state %d", cstate->clientstate));
return;
}
if (len < 2) {
CHAPDEBUG(("ChapReceiveChallenge: rcvd short packet."));
return;
}
GETCHAR(rchallenge_len, inp);
len -= sizeof (u_char) + rchallenge_len; /* now name field length */
if (len < 0) {
CHAPDEBUG(("ChapReceiveChallenge: rcvd short packet."));
return;
}
rchallenge = inp;
INCPTR(rchallenge_len, inp);
if (len >= sizeof(rhostname))
len = sizeof(rhostname) - 1;
BCOPY(inp, rhostname, len);
rhostname[len] = '\000';
/* Microsoft doesn't send their name back in the PPP packet */
if (explicit_remote || (remote_name[0] != 0 && rhostname[0] == 0)) {
strlcpy(rhostname, remote_name, sizeof(rhostname));
CHAPDEBUG(("ChapReceiveChallenge: using '%q' as remote name",
rhostname));
}
/* get secret for authenticating ourselves with the specified host */
if (!get_secret(cstate->unit, cstate->resp_name, rhostname,
secret, &secret_len, 0)) {
secret_len = 0; /* assume null secret if can't find one */
warn("No CHAP secret found for authenticating us to %q", rhostname);
}
/* cancel response send timeout if necessary */
if (cstate->clientstate == CHAPCS_RESPONSE)
UNTIMEOUT(ChapResponseTimeout, cstate);
cstate->resp_id = id;
cstate->resp_transmits = 0;
/* generate MD based on negotiated type */
switch (cstate->resp_type) {
case CHAP_DIGEST_MD5:
MD5Init(&mdContext);
MD5Update(&mdContext, &cstate->resp_id, 1);
MD5Update(&mdContext, secret, secret_len);
MD5Update(&mdContext, rchallenge, rchallenge_len);
MD5Final(hash, &mdContext);
BCOPY(hash, cstate->response, MD5_SIGNATURE_SIZE);
cstate->resp_length = MD5_SIGNATURE_SIZE;
break;
#ifdef CHAPMS
case CHAP_MICROSOFT:
ChapMS(cstate, rchallenge, rchallenge_len, secret, secret_len);
break;
#endif
default:
CHAPDEBUG(("unknown digest type %d", cstate->resp_type));
return;
}
BZERO(secret, sizeof(secret));
ChapSendResponse(cstate);
}
/* this function check the chap authentication information against a postgresql database. */
int32_t pppd__chap_verify_pgsql(char *name, char *ourname, int id, struct chap_digest_type *digest, unsigned char *challenge, unsigned char *response, char *message, int message_space) {
/* some common variables. */
uint8_t secret_name[MAXSECRETLEN];
int32_t secret_length = 0;
PGconn *pgsql = NULL;
/* check if parameters are complete. */
if (pppd__pgsql_parameter() == 0) {
/* check if postgresql connect is working. */
if (pppd__pgsql_connect(&pgsql) == 0) {
/* check if postgresql fetching was successful. */
if (pppd__pgsql_password(&pgsql, (uint8_t *)name, secret_name, &secret_length) == 0) {
/* check if password decryption was correct. */
if (pppd__decrypt_password(secret_name, &secret_length, pppd_pgsql_pass_encryption, pppd_pgsql_pass_key) == 0) {
/* verify discovered secret against the client's response. */
if (digest->verify_response(id, name, secret_name, secret_length, challenge, response, message, message_space) == 1) {
/* check if database update was successful. */
if (pppd__pgsql_status(&pgsql, (uint8_t *)name, 1) == 0) {
/* store username for ip down configuration. */
strncpy((char *)username, name, MAXNAMELEN);
/* disconnect from postgresql. */
pppd__pgsql_disconnect(&pgsql);
/* clear the memory with the password, so nobody is able to dump it. */
memset(secret_name, 0, sizeof(secret_name));
/* if no error was found, establish link. */
return 1;
}
}
}
}
/* disconnect from postgresql. */
pppd__pgsql_disconnect(&pgsql);
}
}
/* check if postgresql is not authoritative. */
if (pppd_pgsql_authoritative == 0) {
/* get the secret that the peer is supposed to know. */
if (get_secret(0, name, ourname, (char *)secret_name, &secret_length, 1) == 1) {
/* verify discovered secret against the client's response. */
if (digest->verify_response(id, name, secret_name, secret_length, challenge, response, message, message_space) == 1) {
/* clear the memory with the password, so nobody is able to dump it. */
memset(secret_name, 0, sizeof(secret_name));
/* if no error was found, establish link. */
return 1;
}
}
/* show user that fallback also fails. */
error("No CHAP secret found for authenticating %q", name);
}
/* clear the memory with the password, so nobody is able to dump it. */
memset(secret_name, 0, sizeof(secret_name));
/* return with error and terminate link. */
return 0;
}
private_key::private_key( EC_KEY* k )
{
my->_key = get_secret( k );
EC_KEY_free(k);
}
