/**
 * Called once the peer has authenticated successfully.
 *
 * Runs the remaining admission checks in order (interface binding,
 * calling number, per-user session limit, interface readiness).  The first
 * check that fails is logged and the session is ended with ppp_stop().
 * When every check passes, the stored proxy authentication response is
 * released and IPCP is started (plus CCP when MPPE must be negotiated).
 *
 * Note for reviewers: the calling-number check runs only when a realm is
 * set, and the session limit is enforced only when peer_auth is non-zero.
 */
void
ppp_auth_ok(npppd_ppp *_this)
{
	if (npppd_ppp_bind_iface(_this->pppd, _this) != 0) {
		ppp_log(_this, LOG_WARNING, "No interface binding.");
		goto stop;
	}

	if (_this->realm != NULL) {
		/* _this->username is passed for both of the last two arguments. */
		npppd_ppp_get_username_for_auth(_this->pppd, _this,
		    _this->username, _this->username);

		if (!npppd_check_calling_number(_this->pppd, _this)) {
			/*
			 * NOTE(review): the user name is written between
			 * quotes in a key=value record; confirm ppp_log()
			 * escapes quotes and control characters.
			 */
			ppp_log(_this, LOG_ALERT,
			    "logtype=TUNNELDENY user=\"%s\" "
			    "reason=\"Calling number check is failed\"",
			    _this->username);
			/* XXX */
			goto stop;
		}
	}

	if (_this->peer_auth != 0) {
		/* Enforce the per-user limit on concurrent sessions. */
		if (!npppd_check_user_max_session(_this->pppd, _this)) {
			ppp_log(_this, LOG_WARNING,
			    "user %s exceeds user-max-session limit",
			    _this->username);
			goto stop;
		}
		PPP_ASSERT(_this->realm != NULL);
	}

	if (!npppd_ppp_iface_is_ready(_this->pppd, _this)) {
		ppp_log(_this, LOG_WARNING,
		    "interface '%s' is not ready.",
		    npppd_ppp_get_iface_name(_this->pppd, _this));
		goto stop;
	}

	/* free(NULL) is a no-op, so no guard is needed. */
	free(_this->proxy_authen_resp);
	_this->proxy_authen_resp = NULL;

	fsm_lowerup(&_this->ipcp.fsm);
	fsm_open(&_this->ipcp.fsm);
#ifdef USE_NPPPD_MPPE
	if (MPPE_MUST_NEGO(_this)) {
		fsm_lowerup(&_this->ccp.fsm);
		fsm_open(&_this->ccp.fsm);
	}
#endif
	return;

stop:
	/* Every rejected check ends the session the same way. */
	ppp_stop(_this, NULL);
}
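/************************************************************************
 * Functions for RADIUS
 * RFC 2058: RADIUS
 * RFC 2548: Microsoft Vendor-specific RADIUS Attributes
 ************************************************************************/
/**
 * Build a RADIUS Access-Request carrying a CHAP response and send it.
 *
 * @param _this       CHAP instance.  On success the new request context
 *                    replaces _this->radctx; any previous one is cancelled.
 * @param id          Copied into the "ident" field of the MS-CHAP2-Response
 *                    attribute.  The CHAP-MD5 branch uses _this->challid
 *                    instead.
 * @param username    User name, mapped through
 *                    npppd_ppp_get_username_for_auth() before it is sent.
 * @param challenge   Challenge bytes.  CHAP-MD5 sends lchallenge bytes;
 *                    MS-CHAPv2 always sends exactly 16.
 * @param lchallenge  Length of challenge.  Only the CHAP-MD5 branch reads it.
 * @param response    Response value from the peer.  No length is passed in:
 *                    CHAP-MD5 reads 16 bytes, MS-CHAPv2 reads bytes 0..48.
 *                    The caller must have checked the response length
 *                    before calling.
 *
 * On any failure an authentication error is sent to the peer and everything
 * allocated here is released.
 */
static void
chap_radius_authenticate(chap *_this, int id, char *username,
    u_char *challenge, int lchallenge, u_char *response)
{
	void *radctx;
	RADIUS_PACKET *radpkt;
	radius_req_setting *rad_setting;
	int lpkt;
	u_char *pkt;
	char buf0[MAX_USERNAME_LENGTH];

	radpkt = NULL;
	radctx = NULL;

	if ((rad_setting = npppd_get_radius_auth_setting(_this->ppp->pppd,
	    _this->ppp)) == NULL) {
		goto fail;	/* no radius server */
	}

	/*
	 * NOTE(review): pkt and lpkt are assigned but never read in this
	 * function.  They are kept in case ppp_packetbuf() has side effects.
	 */
	pkt = ppp_packetbuf(_this->ppp, PPP_PROTO_CHAP) + HEADERLEN;
	lpkt = _this->ppp->mru - HEADERLEN;

	if ((radpkt = radius_new_request_packet(RADIUS_CODE_ACCESS_REQUEST))
	    == NULL)
		goto fail;
	/* The fail label releases radpkt, so no separate delete is needed. */
	if (radius_prepare(rad_setting, _this, &radctx, chap_radius_response)
	    != 0)
		goto fail;

	if (ppp_set_radius_attrs_for_authreq(_this->ppp, rad_setting, radpkt)
	    != 0)
		goto fail;

	if (radius_put_string_attr(radpkt, RADIUS_TYPE_USER_NAME,
	    npppd_ppp_get_username_for_auth(_this->ppp->pppd, _this->ppp,
	    username, buf0)) != 0)
		goto fail;

	switch (_this->type) {
	case PPP_AUTH_CHAP_MD5:
	    {
		/* CHAP-Password value: one identifier byte, then 16 response bytes. */
		u_char md5response[17];

		md5response[0] = _this->challid;
		memcpy(&md5response[1], response, 16);
		if (radius_put_raw_attr(radpkt, RADIUS_TYPE_CHAP_PASSWORD,
		    md5response, 17) != 0)
			goto fail;
		if (radius_put_raw_attr(radpkt, RADIUS_TYPE_CHAP_CHALLENGE,
		    challenge, lchallenge) != 0)
			goto fail;
		break;
	    }
	case PPP_AUTH_CHAP_MS_V2:
	    {
		struct RADIUS_MS_CHAP2_RESPONSE msresponse;

		/* Preparing RADIUS_MS_CHAP2_RESPONSE */
		memset(&msresponse, 0, sizeof(msresponse));
		msresponse.ident = id;
		msresponse.flags = response[48];

		memcpy(&msresponse.peer_challenge, response, 16);
		memcpy(&msresponse.response, response + 24, 24);

		/*
		 * NOTE(review): 16 bytes of challenge are sent whatever
		 * lchallenge is.  Confirm the caller always supplies at
		 * least 16 bytes on this path.
		 */
		if (radius_put_vs_raw_attr(radpkt, RADIUS_VENDOR_MICROSOFT,
		    RADIUS_VTYPE_MS_CHAP_CHALLENGE, challenge, 16) != 0)
			goto fail;
		if (radius_put_vs_raw_attr(radpkt, RADIUS_VENDOR_MICROSOFT,
		    RADIUS_VTYPE_MS_CHAP2_RESPONSE, &msresponse,
		    sizeof(msresponse)) != 0)
			goto fail;
		break;
	    }
	}
	radius_get_authenticator(radpkt, _this->authenticator);

	/* Cancel previous request */
	if (_this->radctx != NULL)
		radius_cancel_request(_this->radctx);

	/* Send a request */
	_this->radctx = radctx;
	radius_request(radctx, radpkt);

	return;
fail:
	switch (_this->type) {
	case PPP_AUTH_CHAP_MD5:
		/* No extra information, just "FAILED" */
		chap_send_error(_this, "FAILED");
		break;
	case PPP_AUTH_CHAP_MS_V2:
		/* No extra information */
		mschapv2_send_error(_this, ERROR_AUTHENTICATION_FAILURE, 0);
		break;
	}
	if (radctx != NULL)
		radius_cancel_request(radctx);
	/*
	 * radius_request() is the only call that is given both the context
	 * and the packet, and it is never reached on a failure path.  The
	 * packet is therefore still owned here and must be released, or
	 * every failed attempt leaks one packet.
	 */
	if (radpkt != NULL)
		radius_delete_packet(radpkt);
}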
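/**
 * Build a RADIUS Access-Request for a PAP login and send it.
 *
 * The cleartext password is hidden as a User-Password attribute
 * (RFC 2865, 5.2) with MD5 keyed by the shared server secret and the
 * request authenticator.
 *
 * @param _this     PAP instance.  On success the new request context
 *                  replaces _this->radctx; any previous one is cancelled.
 * @param username  User name, mapped through
 *                  npppd_ppp_get_username_for_auth() before it is sent.
 * @param password  NUL-terminated cleartext password.  At most sizeof(pass)
 *                  (128) bytes are used; a longer password is silently
 *                  truncated.
 *
 * On any failure the error is logged, a PAP failure is sent to the peer,
 * and everything allocated here, plus any pending request, is released.
 */
static void
pap_radius_authenticate(pap *_this, const char *username, const char *password)
{
	/* Both start as NULL so the fail label can tell what needs releasing. */
	void *radctx = NULL;
	RADIUS_PACKET *radpkt = NULL;
	MD5_CTX md5ctx;
	int i, j, s_len, passlen;
	u_char ra[16], digest[16], pass[128];
	const char *s;
	radius_req_setting *rad_setting = NULL;
	char buf0[MAX_USERNAME_LENGTH];

	if ((rad_setting = npppd_get_radius_auth_setting(_this->ppp->pppd,
	    _this->ppp)) == NULL)
		goto fail;

	if ((radpkt = radius_new_request_packet(RADIUS_CODE_ACCESS_REQUEST))
	    == NULL)
		goto fail;

	/* The fail label releases radpkt, so no separate delete is needed. */
	if (radius_prepare(rad_setting, _this, &radctx, pap_radius_response)
	    != 0)
		goto fail;

	if (ppp_set_radius_attrs_for_authreq(_this->ppp, rad_setting, radpkt)
	    != 0)
		goto fail;

	if (radius_put_string_attr(radpkt, RADIUS_TYPE_USER_NAME,
	    npppd_ppp_get_username_for_auth(_this->ppp->pppd, _this->ppp,
	    username, buf0)) != 0)
		goto fail;

	/* Replace any pending request with the new context. */
	if (_this->radctx != NULL)
		radius_cancel_request(_this->radctx);
	_this->radctx = radctx;
	radctx = NULL;		/* now owned through _this->radctx */

	/* Create RADIUS User-Password Attribute (RFC 2865, 5.2.) */
	s = radius_get_server_secret(_this->radctx);
	s_len = strlen(s);

	memset(pass, 0, sizeof(pass));			/* null padding */
	passlen = MINIMUM(strlen(password), sizeof(pass));
	memcpy(pass, password, passlen);
	/* Round up to a multiple of 16.  sizeof(pass) is one, so this stays in bounds. */
	if ((passlen % 16) != 0)
		passlen += 16 - (passlen % 16);
	/*
	 * NOTE(review): an empty password leaves passlen at 0, so a
	 * zero-length User-Password is sent.  RFC 2865 5.2 describes a
	 * 16..128 octet value; confirm the servers in use accept this.
	 */

	radius_get_authenticator(radpkt, ra);

	/* First block: XOR with MD5(secret + request authenticator). */
	MD5Init(&md5ctx);
	MD5Update(&md5ctx, s, s_len);
	MD5Update(&md5ctx, ra, 16);
	MD5Final(digest, &md5ctx);

	for (i = 0; i < 16; i++)
		pass[i] ^= digest[i];

	/* Later blocks: XOR with MD5(secret + previous ciphertext block). */
	while (i < passlen) {
		MD5Init(&md5ctx);
		MD5Update(&md5ctx, s, s_len);
		MD5Update(&md5ctx, &pass[i - 16], 16);
		MD5Final(digest, &md5ctx);

		for (j = 0; j < 16; j++, i++)
			pass[i] ^= digest[j];
	}
	/*
	 * NOTE(review): digest still holds the last keystream block when
	 * this function returns.  Consider clearing it with the platform's
	 * non-elidable zeroing routine.
	 */

	if (radius_put_raw_attr(radpkt, RADIUS_TYPE_USER_PASSWORD, pass,
	    passlen) != 0)
		goto fail;

	radius_request(_this->radctx, radpkt);

	return;
fail:
	/* Log first: %m reports errno, which the cleanup calls below may change. */
	pap_log(_this, LOG_ERR, "%s() failed: %m", __func__);

	/* A context that was prepared but never installed is released here. */
	if (radctx != NULL)
		radius_cancel_request(radctx);
	/* Clear the handle once cancelled so it cannot be cancelled twice. */
	if (_this->radctx != NULL) {
		radius_cancel_request(_this->radctx);
		_this->radctx = NULL;
	}
	/*
	 * radius_request() is never reached on a failure path, so the packet
	 * is still owned here and must be released.
	 */
	if (radpkt != NULL)
		radius_delete_packet(radpkt);

	pap_response(_this, 0, DEFAULT_ERROR_MESSAGE);

	return;
}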