1 /*
2  * CHAP, MSCHAP
3  * 
4  * The client does not authenticate the server, hence no CAI
5  *
6  * Protocol:
7  *
8  *	S -> C: random 8-byte challenge
9  *	C -> S: user in UTF-8
10  *	C -> S: Chapreply or MSchapreply structure
11  *	S -> C: ok or 'bad why'
12  *
13  * The chap protocol requires the client to give it id=%d, the id of
14  * the PPP message containing the challenge, which is used
15  * as part of the response.  Because the client protocol is message-id
16  * specific, there is no point in looping to try multiple keys.
17  *
18  * The MS chap protocol actually uses two different hashes, an
19  * older insecure one called the LM (Lan Manager) hash, and a newer
20  * more secure one called the NT hash.  By default we send back only
21  * the NT hash, because the LM hash can help an eavesdropper run
22  * a brute force attack.  If the key has an lm attribute, then we send only the
23  * LM hash.
24  */
25 
26 #include "std.h"
27 #include "dat.h"
28 
29 extern Proto chap, mschap;
30 
31 enum {
32 	ChapChallen = 8,
33 
34 	MShashlen = 16,
35 	MSchallen = 8,
36 	MSresplen = 24
37 };
38 
39 static int
40 chapcheck(Key *k)
41 {
42 	if(!strfindattr(k->attr, "user") || !strfindattr(k->privattr, "!password")){
43 		werrstr("need user and !password attributes");
44 		return -1;
45 	}
46 	return 0;
47 }
48 
49 static void
50 nthash(uchar hash[MShashlen], char *passwd)
51 {
52 	uchar buf[512];
53 	int i;
54 	
55 	for(i=0; *passwd && i<sizeof(buf); passwd++) {
56 		buf[i++] = *passwd;
57 		buf[i++] = 0;
58 	}
59 
60 	memset(hash, 0, 16);
61 
62 	md4(buf, i, hash, 0);
63 }
64 
65 static void
66 desencrypt(uchar data[8], uchar key[7])
67 {
68 	ulong ekey[32];
69 
70 	key_setup(key, ekey);
71 	block_cipher(ekey, data, 0);
72 }
73 
74 static void
75 lmhash(uchar hash[MShashlen], char *passwd)
76 {
77 	uchar buf[14];
78 	char *stdtext = "KGS!@#$%";
79 	int i;
80 
81 	strncpy((char*)buf, passwd, sizeof(buf));
82 	for(i=0; i<sizeof(buf); i++)
83 		if(buf[i] >= 'a' && buf[i] <= 'z')
84 			buf[i] += 'A' - 'a';
85 
86 	memset(hash, 0, 16);
87 	memcpy(hash, stdtext, 8);
88 	memcpy(hash+8, stdtext, 8);
89 
90 	desencrypt(hash, buf);
91 	desencrypt(hash+8, buf+7);
92 }
93 
94 static void
95 mschalresp(uchar resp[MSresplen], uchar hash[MShashlen], uchar chal[MSchallen])
96 {
97 	int i;
98 	uchar buf[21];
99 	
100 	memset(buf, 0, sizeof(buf));
101 	memcpy(buf, hash, MShashlen);
102 
103 	for(i=0; i<3; i++) {
104 		memmove(resp+i*MSchallen, chal, MSchallen);
105 		desencrypt(resp+i*MSchallen, buf+i*7);
106 	}
107 }
108 
109 static int
110 chapclient(Conv *c)
111 {
112 	int id, astype, nchal, npw, ret;
113 	uchar *chal;
114 	char *s, *pw, *user, *res;
115 	Attr *attr;
116 	Key *k;
117 	Chapreply cr;
118 	MSchapreply mscr;
119 	DigestState *ds;
120 
121 	ret = -1;
122 	chal = nil;
123 	k = nil;
124 	attr = c->attr;
125 
126 	if(c->proto == &chap){
127 		astype = AuthChap;
128 		s = strfindattr(attr, "id");
129 		if(s == nil || *s == 0){
130 			werrstr("need id=n attr in start message");
131 			goto out;
132 		}
133 		id = strtol(s, &s, 10);
134 		if(*s != 0 || id < 0 || id >= 256){
135 			werrstr("bad id=n attr in start message");
136 			goto out;
137 		}
138 		cr.id = id;
139 	}else if(c->proto == &mschap)
140 		astype = AuthMSchap;
141 	else{
142 		werrstr("bad proto");
143 		goto out;
144 	}
145 
146 	c->state = "find key";
147 	k = keyfetch(c, "%A %s", attr, c->proto->keyprompt);
148 	if(k == nil)
149 		goto out;
150 
151 	c->attr = addattrs(copyattr(attr), k->attr);
152 
153 	c->state = "read challenge";
154 	if((nchal = convreadm(c, (char**)(void*)&chal)) < 0)
155 		goto out;
156 	if(astype == AuthMSchap && nchal != MSchallen)
157 	c->state = "write user";
158 	if((user = strfindattr(k->attr, "user")) == nil){
159 		werrstr("key has no user (cannot happen?)");
160 		goto out;
161 	}
162 	if(convprint(c, "%s", user) < 0)
163 		goto out;
164 
165 	c->state = "write response";
166 	if((pw = strfindattr(k->privattr, "!password")) == nil){
167 		werrstr("key has no password (cannot happen?)");
168 		goto out;
169 	}
170 	npw = strlen(pw);
171 
172 	if(astype == AuthChap){
173 		ds = md5(&cr.id, 1, 0, 0);
174 		md5((uchar*)pw, npw, 0, ds);
175 		md5(chal, nchal, (uchar*)cr.resp, ds);
176 		if(convwrite(c, &cr, sizeof cr) < 0)
177 			goto out;
178 	}else{
179 		uchar hash[MShashlen];
180 
181 		memset(&mscr, 0, sizeof mscr);
182 		if(strfindattr(k->attr, "lm")){
183 			lmhash(hash, pw);
184 			mschalresp((uchar*)mscr.LMresp, hash, chal);
185 		}else{
186 			nthash(hash, pw);
187 			mschalresp((uchar*)mscr.NTresp, hash, chal);
188 		}
189 		if(convwrite(c, &mscr, sizeof mscr) < 0)
190 			goto out;
191 	}
192 
193 	c->state = "read result";
194 	if(convreadm(c, &res) < 0)
195 		goto out;
196 	if(strcmp(res, "ok") == 0){
197 		ret = 0;
198 		werrstr("succeeded");
199 		goto out;
200 	}
201 	if(strncmp(res, "bad ", 4) != 0){
202 		werrstr("bad result: %s", res);
203 		goto out;
204 	}
205 
206 	c->state = "replace key";
207 	keyevict(c, k, "%s", res+4);
208 	werrstr("%s", res+4);
209 
210 out:
211 	free(res);
212 	keyclose(k);
213 	free(chal);
214 	if(c->attr != attr)
215 		freeattr(attr);
216 	return ret;
217 }
218 
219 /* shared with auth dialing routines */
220 typedef struct ServerState ServerState;
221 struct ServerState
222 {
223 	int asfd;
224 	Key *k;
225 	Ticketreq tr;
226 	Ticket t;
227 	char *dom;
228 	char *hostid;
229 };
230 
231 static int chapchal(ServerState*, int, char[ChapChallen]);
232 static int chapresp(ServerState*, char*, char*);
233 
234 static int
235 chapserver(Conv *c)
236 {
237 	char chal[ChapChallen], *user, *resp;
238 	ServerState s;
239 	int astype, ret;
240 	Attr *a;
241 
242 	ret = -1;
243 	user = nil;
244 	resp = nil;
245 	memset(&s, 0, sizeof s);
246 	s.asfd = -1;
247 
248 	if(c->proto == &chap)
249 		astype = AuthChap;
250 	else if(c->proto == &mschap)
251 		astype = AuthMSchap;
252 	else{
253 		werrstr("bad proto");
254 		goto out;
255 	}
256 
257 	c->state = "find key";
258 	if((s.k = plan9authkey(c->attr)) == nil)
259 		goto out;
260 
261 	a = copyattr(s.k->attr);
262 	a = delattr(a, "proto");
263 	c->attr = addattrs(c->attr, a);
264 	freeattr(a);
265 
266 	c->state = "authdial";
267 	s.hostid = strfindattr(s.k->attr, "user");
268 	s.dom = strfindattr(s.k->attr, "dom");
269 	if((s.asfd = xioauthdial(nil, s.dom)) < 0){
270 		werrstr("authdial %s: %r", s.dom);
271 		goto out;
272 	}
273 
274 	c->state = "authchal";
275 	if(chapchal(&s, astype, chal) < 0)
276 		goto out;
277 
278 	c->state = "write challenge";
279 	if(convprint(c, "%s", chal) < 0)
280 		goto out;
281 
282 	c->state = "read user";
283 	if(convreadm(c, &user) < 0)
284 		goto out;
285 
286 	c->state = "read response";
287 	if(convreadm(c, &resp) < 0)
288 		goto out;
289 
290 	c->state = "authwrite";
291 	switch(chapresp(&s, user, resp)){
292 	default:
293 		fprint(2, "factotum: bad result from chapresp\n");
294 		goto out;
295 	case -1:
296 		goto out;
297 	case 0:
298 		c->state = "write status";
299 		if(convprint(c, "bad authentication failed") < 0)
300 			goto out;
301 		goto out;
302 
303 	case 1:
304 		c->state = "write status";
305 		if(convprint(c, "ok") < 0)
306 			goto out;
307 		goto ok;
308 	}
309 
310 ok:
311 	ret = 0;
312 	c->attr = addcap(c->attr, c->sysuser, &s.t);
313 
314 out:
315 	keyclose(s.k);
316 	free(user);
317 	free(resp);
318 /*	xioclose(s.asfd); */
319 	return ret;
320 }
321 
322 static int
323 chapchal(ServerState *s, int astype, char chal[ChapChallen])
324 {
325 	char trbuf[TICKREQLEN];
326 	Ticketreq tr;
327 
328 	memset(&tr, 0, sizeof tr);
329 
330 	tr.type = astype;
331 
332 	if(strlen(s->hostid) >= sizeof tr.hostid){
333 		werrstr("hostid too long");
334 		return -1;
335 	}
336 	strcpy(tr.hostid, s->hostid);
337 
338 	if(strlen(s->dom) >= sizeof tr.authdom){
339 		werrstr("domain too long");
340 		return -1;
341 	}
342 	strcpy(tr.authdom, s->dom);
343 
344 	convTR2M(&tr, trbuf);
345 	if(xiowrite(s->asfd, trbuf, TICKREQLEN) != TICKREQLEN)
346 		return -1;
347 
348 	if(xioasrdresp(s->asfd, chal, ChapChallen) <= 5)
349 		return -1;
350 
351 	s->tr = tr;
352 	return 0;
353 }
354 
355 static int
356 chapresp(ServerState *s, char *user, char *resp)
357 {
358 	char tabuf[TICKETLEN+AUTHENTLEN];
359 	char trbuf[TICKREQLEN];
360 	int len;
361 	Authenticator a;
362 	Ticket t;
363 	Ticketreq tr;
364 
365 	tr = s->tr;
366 	if(memrandom(tr.chal, CHALLEN) < 0)
367 		return -1;
368 
369 	if(strlen(user) >= sizeof tr.uid){
370 		werrstr("uid too long");
371 		return -1;
372 	}
373 	strcpy(tr.uid, user);
374 
375 	convTR2M(&tr, trbuf);
376 	if(xiowrite(s->asfd, trbuf, TICKREQLEN) != TICKREQLEN)
377 		return -1;
378 
379 	len = strlen(resp);
380 	if(xiowrite(s->asfd, resp, len) != len)
381 		return -1;
382 
383 	if(xioasrdresp(s->asfd, tabuf, TICKETLEN+AUTHENTLEN) != TICKETLEN+AUTHENTLEN)
384 		return 0;
385 
386 	convM2T(tabuf, &t, s->k->priv);
387 	if(t.num != AuthTs
388 	|| memcmp(t.chal, tr.chal, sizeof tr.chal) != 0){
389 		werrstr("key mismatch with auth server");
390 		return -1;
391 	}
392 
393 	convM2A(tabuf+TICKETLEN, &a, t.key);
394 	if(a.num != AuthAc
395 	|| memcmp(a.chal, tr.chal, sizeof a.chal) != 0
396 	|| a.id != 0){
397 		werrstr("key2 mismatch with auth server");
398 		return -1;
399 	}
400 
401 	s->t = t;
402 	return 1;
403 }
404 
405 static Role
406 chaproles[] = 
407 {
408 	"client",	chapclient,
409 	"server",	chapserver,
410 	0
411 };
412 
413 Proto chap = {
414 	"chap",
415 	chaproles,
416 	"user? !password?",
417 	chapcheck
418 };
419 
420 Proto mschap = {
421 	"mschap",
422 	chaproles,
423 	"user? !password?",
424 	chapcheck
425 };
426 
427