4 * The client does not authenticate the server, hence no CAI
8 * S -> C: random 8-byte challenge
9 * C -> S: user in UTF-8
10 * C -> S: Chapreply or MSchapreply structure
11 * S -> C: ok or 'bad why'
13 * The chap protocol requires the client to give it id=%d, the id of
14 * the PPP message containing the challenge, which is used
15 * as part of the response. Because the client protocol is message-id
16 * specific, there is no point in looping to try multiple keys.
18 * The MS chap protocol actually uses two different hashes, an
19 * older insecure one called the LM (Lan Manager) hash, and a newer
20 * more secure one called the NT hash. By default we send back only
21 * the NT hash, because the LM hash can help an eavesdropper run
22 * a brute force attack. If the key has an lm attribute, then we send only the
40 if(!strfindattr(k->attr, "user") || !strfindattr(k->privattr, "!password")){
41 werrstr("need user and !password attributes");
48 nthash(uchar hash[MShashlen], char *passwd)
53 for(i=0; *passwd && i<sizeof(buf); passwd++) {
64 desencrypt(uchar data[8], uchar key[7])
69 block_cipher(ekey, data, 0);
73 lmhash(uchar hash[MShashlen], char *passwd)
76 char *stdtext = "KGS!@#$%";
79 strncpy((char*)buf, passwd, sizeof(buf));
80 for(i=0; i<sizeof(buf); i++)
81 if(buf[i] >= 'a' && buf[i] <= 'z')
85 memcpy(hash, stdtext, 8);
86 memcpy(hash+8, stdtext, 8);
88 desencrypt(hash, buf);
89 desencrypt(hash+8, buf+7);
93 mschalresp(uchar resp[MSresplen], uchar hash[MShashlen], uchar chal[MSchallen])
98 memset(buf, 0, sizeof(buf));
99 memcpy(buf, hash, MShashlen);
102 memmove(resp+i*MSchallen, chal, MSchallen);
103 desencrypt(resp+i*MSchallen, buf+i*7);
110 int id, astype, nchal, npw, ret;
112 char *s, *pw, *user, *res;
124 if(c->proto == &chap){
126 s = strfindattr(attr, "id");
127 if(s == nil || *s == 0){
128 werrstr("need id=n attr in start message");
131 id = strtol(s, &s, 10);
132 if(*s != 0 || id < 0 || id >= 256){
133 werrstr("bad id=n attr in start message");
137 }else if(c->proto == &mschap)
140 werrstr("bad proto");
144 c->state = "find key";
145 k = keyfetch(c, "%A %s", attr, c->proto->keyprompt);
149 c->attr = addattrs(copyattr(attr), k->attr);
151 c->state = "read challenge";
152 if((nchal = convreadm(c, (char**)&chal)) < 0)
154 if(astype == AuthMSchap && nchal != MSchallen)
155 c->state = "write user";
156 if((user = strfindattr(k->attr, "user")) == nil){
157 werrstr("key has no user (cannot happen?)");
160 if(convprint(c, "%s", user) < 0)
163 c->state = "write response";
164 if((pw = strfindattr(k->privattr, "!password")) == nil){
165 werrstr("key has no password (cannot happen?)");
170 if(astype == AuthChap){
171 ds = md5(&cr.id, 1, 0, 0);
172 md5((uchar*)pw, npw, 0, ds);
173 md5(chal, nchal, (uchar*)cr.resp, ds);
174 if(convwrite(c, &cr, sizeof cr) < 0)
177 uchar hash[MShashlen];
179 memset(&mscr, 0, sizeof mscr);
180 if(strfindattr(k->attr, "lm")){
182 mschalresp((uchar*)mscr.LMresp, hash, chal);
185 mschalresp((uchar*)mscr.NTresp, hash, chal);
187 if(convwrite(c, &mscr, sizeof mscr) < 0)
191 c->state = "read result";
192 if(convreadm(c, &res) < 0)
194 if(strcmp(res, "ok") == 0){
196 werrstr("succeeded");
199 if(strncmp(res, "bad ", 4) != 0){
200 werrstr("bad result: %s", res);
204 c->state = "replace key";
205 keyevict(c, k, "%s", res+4);
206 werrstr("%s", res+4);
217 /* shared with auth dialing routines */
218 typedef struct ServerState ServerState;
229 static int chapchal(ServerState*, int, char[ChapChallen]);
230 static int chapresp(ServerState*, char*, char*);
235 char chal[ChapChallen], *user, *resp;
243 memset(&s, 0, sizeof s);
246 if(c->proto == &chap)
248 else if(c->proto == &mschap)
251 werrstr("bad proto");
255 c->state = "find key";
256 if((s.k = plan9authkey(c->attr)) == nil)
259 a = copyattr(s.k->attr);
260 a = delattr(a, "proto");
261 c->attr = addattrs(c->attr, a);
264 c->state = "authdial";
265 s.hostid = strfindattr(s.k->attr, "user");
266 s.dom = strfindattr(s.k->attr, "dom");
267 if((s.asfd = xioauthdial(nil, s.dom)) < 0){
268 werrstr("authdial %s: %r", s.dom);
272 c->state = "authchal";
273 if(chapchal(&s, astype, chal) < 0)
276 c->state = "write challenge";
277 if(convprint(c, "%s", chal) < 0)
280 c->state = "read user";
281 if(convreadm(c, &user) < 0)
284 c->state = "read response";
285 if(convreadm(c, &resp) < 0)
288 c->state = "authwrite";
289 switch(chapresp(&s, user, resp)){
291 fprint(2, "factotum: bad result from chapresp\n");
296 c->state = "write status";
297 if(convprint(c, "bad authentication failed") < 0)
302 c->state = "write status";
303 if(convprint(c, "ok") < 0)
310 c->attr = addcap(c->attr, c->sysuser, &s.t);
321 chapchal(ServerState *s, int astype, char chal[ChapChallen])
323 char trbuf[TICKREQLEN];
326 memset(&tr, 0, sizeof tr);
330 if(strlen(s->hostid) >= sizeof tr.hostid){
331 werrstr("hostid too long");
334 strcpy(tr.hostid, s->hostid);
336 if(strlen(s->dom) >= sizeof tr.authdom){
337 werrstr("domain too long");
340 strcpy(tr.authdom, s->dom);
342 convTR2M(&tr, trbuf);
343 if(xiowrite(s->asfd, trbuf, TICKREQLEN) != TICKREQLEN)
346 if(xioasrdresp(s->asfd, chal, ChapChallen) <= 5)
354 chapresp(ServerState *s, char *user, char *resp)
356 char tabuf[TICKETLEN+AUTHENTLEN];
357 char trbuf[TICKREQLEN];
364 if(memrandom(tr.chal, CHALLEN) < 0)
367 if(strlen(user) >= sizeof tr.uid){
368 werrstr("uid too long");
371 strcpy(tr.uid, user);
373 convTR2M(&tr, trbuf);
374 if(xiowrite(s->asfd, trbuf, TICKREQLEN) != TICKREQLEN)
378 if(xiowrite(s->asfd, resp, len) != len)
381 if(xioasrdresp(s->asfd, tabuf, TICKETLEN+AUTHENTLEN) != TICKETLEN+AUTHENTLEN)
384 convM2T(tabuf, &t, s->k->priv);
386 || memcmp(t.chal, tr.chal, sizeof tr.chal) != 0){
387 werrstr("key mismatch with auth server");
391 convM2A(tabuf+TICKETLEN, &a, t.key);
393 || memcmp(a.chal, tr.chal, sizeof a.chal) != 0
395 werrstr("key2 mismatch with auth server");
406 "client", chapclient,
407 "server", chapserver,
414 .checkkey= chapcheck,
415 .keyprompt= "user? !password?",
421 .checkkey= chapcheck,
422 .keyprompt= "user? !password?",