From ab46ac9bd8ff3a61a52a732d2208e496a7185942 Mon Sep 17 00:00:00 2001
From: Sylvain Rochet
Date: Sat, 18 Apr 2015 17:29:55 +0200
Subject: [PATCH] PPP, CHAP, reworked to pass ppp_pcb pointer to CHAP childs (MD5, MSCHAP, MSCHAPv2)
We are going to need ppp_pcb* in MSCHAP and MSCHAPv2 for MPPE for int mppe_keys_set, u_char mppe_send_key and u_char mppe_recv_key which are currently global variable which must be moved to ppp_pcb.
---
 src/include/netif/ppp/chap-new.h | 10 ++---
 src/include/netif/ppp/chap_ms.h | 9 -----
 src/netif/ppp/chap-md5.c | 9 +++--
 src/netif/ppp/chap-new.c | 10 ++---
 src/netif/ppp/chap_ms.c | 63 ++++++++++++++++++++------------
 5 files changed, 55 insertions(+), 46 deletions(-)
diff --git a/src/include/netif/ppp/chap-new.h b/src/include/netif/ppp/chap-new.h
index c0bf024e..9e4b864f 100644
--- a/src/include/netif/ppp/chap-new.h
+++ b/src/include/netif/ppp/chap-new.h
@@ -132,17 +132,17 @@ struct chap_digest_type {
 * Note: challenge and response arguments below are formatted as
 * a length byte followed by the actual challenge/response data.
 */
- void (*generate_challenge)(unsigned char *challenge);
- int (*verify_response)(int id, const char *name,
+ void (*generate_challenge)(ppp_pcb *pcb, unsigned char *challenge);
+ int (*verify_response)(ppp_pcb *pcb, int id, const char *name,
 const unsigned char *secret, int secret_len,
 const unsigned char *challenge, const unsigned char *response,
 char *message, int message_space);
 #endif /* PPP_SERVER */
- void (*make_response)(unsigned char *response, int id, const char *our_name,
+ void (*make_response)(ppp_pcb *pcb, unsigned char *response, int id, const char *our_name,
 const unsigned char *challenge, const char *secret, int secret_len,
 const unsigned char *priv);
- int (*check_success)(unsigned char *pkt, int len, unsigned char *priv);
- void (*handle_failure)(unsigned char *pkt, int len);
+ int (*check_success)(ppp_pcb *pcb, unsigned char *pkt, int len, unsigned char *priv);
+ void (*handle_failure)(ppp_pcb *pcb, unsigned char *pkt, int len);
 };
 /*
diff --git a/src/include/netif/ppp/chap_ms.h b/src/include/netif/ppp/chap_ms.h
index 31d69f7e..102f8396 100644
--- a/src/include/netif/ppp/chap_ms.h
+++ b/src/include/netif/ppp/chap_ms.h
@@ -92,15 +92,6 @@ extern void set_mppe_enc_types(int, int);
 #define MS_CHAP2_AUTHENTICATEE 0
 #define MS_CHAP2_AUTHENTICATOR 1
-void ChapMS (u_char *, char *, int, u_char *);
-void ChapMS2 (u_char *, u_char *, char *, char *, int,
- u_char *, u_char[MS_AUTH_RESPONSE_LENGTH+1], int);
-#if MPPE_SUPPORT
-void mppe_set_keys (u_char *, u_char[MD4_SIGNATURE_SIZE]);
-void mppe_set_keys2(u_char PasswordHashHash[MD4_SIGNATURE_SIZE],
- u_char NTResponse[24], int IsServer);
-#endif /* MPPE_SUPPORT */
-
 void ChallengeHash (u_char[16], u_char *, char *, u_char[8]);
 void GenerateAuthenticatorResponse(u_char PasswordHashHash[MD4_SIGNATURE_SIZE],
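Review bot: The comment block kept as context in this hunk (` * Note: challenge and response arguments below are formatted as …`) still describes only the challenge/response encoding, while every hook in chap_digest_type now takes a leading `ppp_pcb *pcb` that is documented nowhere. chap-new.c passes the pcb that owns the current CHAP exchange (see the `generate_challenge(pcb, p)` and `verify_response(pcb, …)` call sites in this commit), so a line such as ` * Every hook receives the ppp_pcb of the CHAP exchange as its first argument.` in that comment would tell digest implementers what they may rely on. The struct chap_digest_type definition starts before this hunk.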
diff --git a/src/netif/ppp/chap-md5.c b/src/netif/ppp/chap-md5.c
index 9a15621c..f1e8dc46 100644
--- a/src/netif/ppp/chap-md5.c
+++ b/src/netif/ppp/chap-md5.c
@@ -54,15 +54,16 @@
 #define MD5_MIN_MAX_POWER_OF_TWO_CHALLENGE 3 /* 2^3-1 = 7, 17+7 = 24 */
 #if PPP_SERVER
-static void chap_md5_generate_challenge(unsigned char *cp) {
+static void chap_md5_generate_challenge(ppp_pcb *pcb, unsigned char *cp) {
 int clen;
+ LWIP_UNUSED_ARG(pcb);
 clen = MD5_MIN_CHALLENGE + magic_pow(MD5_MIN_MAX_POWER_OF_TWO_CHALLENGE);
 *cp++ = clen;
 random_bytes(cp, clen);
 }
-static int chap_md5_verify_response(int id, const char *name,
+static int chap_md5_verify_response(ppp_pcb *pcb, int id, const char *name,
 const unsigned char *secret, int secret_len,
 const unsigned char *challenge, const unsigned char *response,
 char *message, int message_space) {
@@ -71,6 +72,7 @@ static int chap_md5_verify_response(int id, const char *name,
 unsigned char hash[MD5_HASH_SIZE];
 int challenge_len, response_len;
 LWIP_UNUSED_ARG(name);
+ LWIP_UNUSED_ARG(pcb);
 challenge_len = *challenge++;
 response_len = *response++;
@@ -93,7 +95,7 @@ static int chap_md5_verify_response(int id, const char *name,
 }
 #endif /* PPP_SERVER */
-static void chap_md5_make_response(unsigned char *response, int id, const char *our_name,
+static void chap_md5_make_response(ppp_pcb *pcb, unsigned char *response, int id, const char *our_name,
 const unsigned char *challenge, const char *secret, int secret_len,
 const unsigned char *private_) {
 md5_context ctx;
@@ -101,6 +103,7 @@ static void chap_md5_make_response(unsigned char *response, int id, const char *
 int challenge_len = *challenge++;
 LWIP_UNUSED_ARG(our_name);
 LWIP_UNUSED_ARG(private_);
+ LWIP_UNUSED_ARG(pcb);
 md5_starts(&ctx);
 md5_update(&ctx, &idbyte, 1);
diff --git a/src/netif/ppp/chap-new.c b/src/netif/ppp/chap-new.c
index 9c9a3e29..bb280404 100644
--- a/src/netif/ppp/chap-new.c
+++ b/src/netif/ppp/chap-new.c
@@ -258,7 +258,7 @@ static void chap_generate_challenge(ppp_pcb *pcb) {
 p = pcb->chap_server.challenge;
 MAKEHEADER(p, PPP_CHAP);
 p += CHAP_HDRLEN;
- pcb->chap_server.digest->generate_challenge(p);
+ pcb->chap_server.digest->generate_challenge(pcb, p);
 clen = *p;
 nlen = strlen(pcb->chap_server.name);
 memcpy(p + 1 + clen, pcb->chap_server.name, nlen);
@@ -418,7 +418,7 @@ static int chap_verify_response(ppp_pcb *pcb, const char *name, const char *ourn
 ppp_error("No CHAP secret found for authenticating %q", name);
 return 0;
 }
- ok = digest->verify_response(id, name, secret, secret_len, challenge,
+ ok = digest->verify_response(pcb, id, name, secret, secret_len, challenge,
 response, message, message_space);
 memset(secret, 0, sizeof(secret));
@@ -472,7 +472,7 @@ static void chap_respond(ppp_pcb *pcb, int id,
 MAKEHEADER(outp, PPP_CHAP);
 outp += CHAP_HDRLEN;
- pcb->chap_client.digest->make_response(outp, id, pcb->chap_client.name, pkt,
+ pcb->chap_client.digest->make_response(pcb, outp, id, pcb->chap_client.name, pkt,
 secret, secret_len, pcb->chap_client.priv);
 memset(secret, 0, secret_len);
@@ -504,13 +504,13 @@ static void chap_handle_status(ppp_pcb *pcb, int code, int id,
 if (code == CHAP_SUCCESS) {
 /* used for MS-CHAP v2 mutual auth, yuck */
 if (pcb->chap_client.digest->check_success != NULL) {
- if (!(*pcb->chap_client.digest->check_success)(pkt, len, pcb->chap_client.priv))
+ if (!(*pcb->chap_client.digest->check_success)(pcb, pkt, len, pcb->chap_client.priv))
 code = CHAP_FAILURE;
 } else
 msg = "CHAP authentication succeeded";
 } else {
 if (pcb->chap_client.digest->handle_failure != NULL)
- (*pcb->chap_client.digest->handle_failure)(pkt, len);
+ (*pcb->chap_client.digest->handle_failure)(pcb, pkt, len);
 else
 msg = "CHAP authentication failed";
 }
diff --git a/src/netif/ppp/chap_ms.c b/src/netif/ppp/chap_ms.c
index 95f1eae4..03d6e064 100644
--- a/src/netif/ppp/chap_ms.c
+++ b/src/netif/ppp/chap_ms.c
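Review bot: The rewritten calls in chap_handle_status keep the `(*pcb->chap_client.digest->check_success)(pcb, …)` spelling while the rewritten calls in chap_generate_challenge, chap_verify_response and chap_respond in the earlier hunks use the plain `digest->verify_response(pcb, …)` form; since all four lines are being edited anyway, this is the moment to settle on one style. The two lines would read `if (!pcb->chap_client.digest->check_success(pcb, pkt, len, pcb->chap_client.priv))` and `pcb->chap_client.digest->handle_failure(pcb, pkt, len);`. chap_handle_status continues outside the hunk.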
@@ -128,10 +128,18 @@ static void ChapMS_LANMan (u_char *, char *, int, u_char *);
 #endif
 #if MPPE_SUPPORT
-static void Set_Start_Key (u_char *, char *, int);
-static void SetMasterKeys (char *, int, u_char[24], int);
+static void mppe_set_keys(ppp_pcb *pcb, u_char *rchallenge,
+ u_char PasswordHashHash[MD4_SIGNATURE_SIZE]);
+static void Set_Start_Key (ppp_pcb *pcb, u_char *, char *, int);
+static void mppe_set_keys2(ppp_pcb *pcb, u_char PasswordHashHash[MD4_SIGNATURE_SIZE],
+ u_char NTResponse[24], int IsServer);
+static void SetMasterKeys (ppp_pcb *pcb, char *, int, u_char[24], int);
 #endif /* MPPE_SUPPORT */
+static void ChapMS (ppp_pcb *pcb, u_char *, char *, int, u_char *);
+static void ChapMS2 (ppp_pcb *pcb, u_char *, u_char *, char *, char *, int,
+ u_char *, u_char[MS_AUTH_RESPONSE_LENGTH+1], int);
+
 #ifdef MSLANMAN
 bool ms_lanman = 0; /* Use LanMan password instead of NT */
 /* Has meaning only with MS-CHAP challenges */
@@ -180,7 +188,9 @@ static option_t chapms_option_list[] = {
 * The length goes in challenge[0] and the actual challenge starts
 * at challenge[1].
 */
-static void chapms_generate_challenge(unsigned char *challenge) {
+static void chapms_generate_challenge(ppp_pcb *pcb, unsigned char *challenge) {
+ LWIP_UNUSED_ARG(pcb);
+
 *challenge++ = 8;
 #ifdef DEBUGMPPEKEY
 if (mschap_challenge && strlen(mschap_challenge) == 8)
@@ -190,7 +200,9 @@ static void chapms_generate_challenge(unsigned char *challenge) {
 random_bytes(challenge, 8);
 }
-static void chapms2_generate_challenge(unsigned char *challenge) {
+static void chapms2_generate_challenge(ppp_pcb *pcb, unsigned char *challenge) {
+ LWIP_UNUSED_ARG(pcb);
+
 *challenge++ = 16;
 #ifdef DEBUGMPPEKEY
 if (mschap_challenge && strlen(mschap_challenge) == 16)
@@ -200,7 +212,7 @@ static void chapms2_generate_challenge(unsigned char *challenge) {
 random_bytes(challenge, 16);
 }
-static int chapms_verify_response(int id, const char *name,
+static int chapms_verify_response(ppp_pcb *pcb, int id, const char *name,
 const unsigned char *secret, int secret_len,
 const unsigned char *challenge, const unsigned char *response,
 char *message, int message_space) {
@@ -224,7 +236,7 @@ static int chapms_verify_response(int id, const char *name,
 #endif
 /* Generate the expected response. */
- ChapMS((u_char *)challenge, (char *)secret, secret_len, md);
+ ChapMS(pcb, (u_char *)challenge, (char *)secret, secret_len, md);
 #ifdef MSLANMAN
 /* Determine which part of response to verify against */
@@ -248,7 +260,7 @@ static int chapms_verify_response(int id, const char *name,
 return 0;
 }
-static int chapms2_verify_response(int id, const char *name,
+static int chapms2_verify_response(ppp_pcb *pcb, int id, const char *name,
 const unsigned char *secret, int secret_len,
 const unsigned char *challenge, const unsigned char *response,
 char *message, int message_space) {
@@ -263,7 +275,7 @@ static int chapms2_verify_response(int id, const char *name,
 goto bad; /* not even the right length */
 /* Generate the expected response and our mutual auth. */
- ChapMS2((u_char*)challenge, (u_char*)&response[MS_CHAP2_PEER_CHALLENGE], (char*)name,
+ ChapMS2(pcb, (u_char*)challenge, (u_char*)&response[MS_CHAP2_PEER_CHALLENGE], (char*)name,
 (char *)secret, secret_len, md, (unsigned char *)saresponse,
 MS_CHAP2_AUTHENTICATOR);
@@ -325,7 +337,7 @@ static int chapms2_verify_response(int id, const char *name,
 }
 #endif /* PPP_SERVER */
-static void chapms_make_response(unsigned char *response, int id, const char *our_name,
+static void chapms_make_response(ppp_pcb *pcb, unsigned char *response, int id, const char *our_name,
 const unsigned char *challenge, const char *secret, int secret_len,
 const unsigned char *private_) {
 LWIP_UNUSED_ARG(id);
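Review bot: The rewritten `ChapMS(pcb, (u_char *)challenge, (char *)secret, secret_len, md);` in chapms_verify_response, and the ChapMS2 call in chapms2_verify_response, still cast away the `const` that the chap_digest_type interface gives `challenge`, `secret` and `name`, and the prototypes this commit adds in the first chap_ms.c hunk (`static void ChapMS (ppp_pcb *pcb, u_char *, char *, int, u_char *);`) keep those parameters non-const, so the compiler cannot check that the digest code treats the secret as read-only. With every signature in the chain already being rewritten here, const-qualifying the read-only inputs of ChapMS/ChapMS2 would let the casts go; how far that propagates through Set_Start_Key, ChallengeHash and the hash helpers is not visible in this diff. If the casts have to stay, a one-line note at the first call, `/* casts drop const only; ChapMS() is not expected to write through challenge/secret */`, records that they are deliberate. The same casts recur in chapms_make_response and chapms2_make_response in the next hunk.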
@@ -333,16 +345,16 @@ static void chapms_make_response(unsigned char *response, int id, const char *ou
 LWIP_UNUSED_ARG(private_);
 challenge++; /* skip length, should be 8 */
 *response++ = MS_CHAP_RESPONSE_LEN;
- ChapMS((u_char*)challenge, (char*)secret, secret_len, response);
+ ChapMS(pcb, (u_char*)challenge, (char*)secret, secret_len, response);
 }
-static void chapms2_make_response(unsigned char *response, int id, const char *our_name,
+static void chapms2_make_response(ppp_pcb *pcb, unsigned char *response, int id, const char *our_name,
 const unsigned char *challenge, const char *secret, int secret_len,
 const unsigned char *private_) {
 LWIP_UNUSED_ARG(id);
 challenge++; /* skip length, should be 16 */
 *response++ = MS_CHAP2_RESPONSE_LEN;
- ChapMS2((u_char*)challenge,
+ ChapMS2(pcb, (u_char*)challenge,
 #ifdef DEBUGMPPEKEY
 mschap2_peer_challenge,
 #else
@@ -352,7 +364,9 @@ static void chapms2_make_response(unsigned char *response, int id, const char *o
 MS_CHAP2_AUTHENTICATEE);
 }
-static int chapms2_check_success(unsigned char *msg, int len, unsigned char *private_) {
+static int chapms2_check_success(ppp_pcb *pcb, unsigned char *msg, int len, unsigned char *private_) {
+ LWIP_UNUSED_ARG(pcb);
+
 if ((len < MS_AUTH_RESPONSE_LENGTH + 2) ||
 strncmp((char *)msg, "S=", 2) != 0) {
 /* Packet does not start with "S=" */
@@ -380,10 +394,11 @@ static int chapms2_check_success(unsigned char *msg, int len, unsigned char *pri
 return 1;
 }
-static void chapms_handle_failure(unsigned char *inp, int len) {
+static void chapms_handle_failure(ppp_pcb *pcb, unsigned char *inp, int len) {
 int err;
 const char *p;
 char msg[64];
+ LWIP_UNUSED_ARG(pcb);
 /* We want a null-terminated string for strxxx(). */
 len = LWIP_MIN(len, 63);
@@ -645,7 +660,7 @@ static void GenerateAuthenticatorResponsePlain
 * Set mppe_xxxx_key from the NTPasswordHashHash.
 * RFC 2548 (RADIUS support) requires us to export this function (ugh).
 */
-void mppe_set_keys(u_char *rchallenge, u_char PasswordHashHash[MD4_SIGNATURE_SIZE]) {
+static void mppe_set_keys(ppp_pcb *pcb, u_char *rchallenge, u_char PasswordHashHash[MD4_SIGNATURE_SIZE]) {
 sha1_context sha1Context;
 u_char Digest[SHA1_SIGNATURE_SIZE]; /* >= MPPE_MAX_KEY_LEN */
@@ -665,7 +680,7 @@ void mppe_set_keys(u_char *rchallenge, u_char PasswordHashHash[MD4_SIGNATURE_SIZ
 /*
 * Set mppe_xxxx_key from MS-CHAP credentials. (see RFC 3079)
 */
-static void Set_Start_Key(u_char *rchallenge, char *secret, int secret_len) {
+static void Set_Start_Key(ppp_pcb *pcb, u_char *rchallenge, char *secret, int secret_len) {
 u_char unicodePassword[MAX_NT_PASSWORD * 2];
 u_char PasswordHash[MD4_SIGNATURE_SIZE];
 u_char PasswordHashHash[MD4_SIGNATURE_SIZE];
@@ -675,7 +690,7 @@ static void Set_Start_Key(u_char *rchallenge, char *secret, int secret_len) {
 NTPasswordHash(unicodePassword, secret_len * 2, PasswordHash);
 NTPasswordHash(PasswordHash, sizeof(PasswordHash), PasswordHashHash);
- mppe_set_keys(rchallenge, PasswordHashHash);
+ mppe_set_keys(pcb, rchallenge, PasswordHashHash);
 }
 /*
@@ -684,7 +699,7 @@ static void Set_Start_Key(u_char *rchallenge, char *secret, int secret_len) {
 * This helper function used in the Winbind module, which gets the
 * NTHashHash from the server.
 */
-void mppe_set_keys2(u_char PasswordHashHash[MD4_SIGNATURE_SIZE],
+static void mppe_set_keys2(ppp_pcb *pcb, u_char PasswordHashHash[MD4_SIGNATURE_SIZE],
 u_char NTResponse[24], int IsServer) {
 sha1_context sha1Context;
 u_char MasterKey[SHA1_SIGNATURE_SIZE]; /* >= MPPE_MAX_KEY_LEN */
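Review bot: The comment left above mppe_set_keys, ` * RFC 2548 (RADIUS support) requires us to export this function (ugh).`, now contradicts the `static` added on the next line, and the same holds for ` * This helper function used in the Winbind module, which gets the` above mppe_set_keys2 in the last hunk; both prototypes were dropped from chap_ms.h in this commit, so neither function is exported any more. Dropping the RFC 2548 sentence and the two Winbind lines keeps those comments truthful. Separately, the visible parts of mppe_set_keys and mppe_set_keys2 never reference `pcb` and, unlike chapms_generate_challenge and the other hooks in this commit, no `LWIP_UNUSED_ARG(pcb);` is added; if the remainder of their bodies, which lie outside the hunk, does not use it either, -Wunused-parameter builds will warn until the MPPE keys move into the pcb as the commit message plans.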
@@ -776,7 +791,7 @@ void mppe_set_keys2(u_char PasswordHashHash[MD4_SIGNATURE_SIZE],
 /*
 * Set mppe_xxxx_key from MS-CHAPv2 credentials. (see RFC 3079)
 */
-static void SetMasterKeys(char *secret, int secret_len, u_char NTResponse[24], int IsServer) {
+static void SetMasterKeys(ppp_pcb *pcb, char *secret, int secret_len, u_char NTResponse[24], int IsServer) {
 u_char unicodePassword[MAX_NT_PASSWORD * 2];
 u_char PasswordHash[MD4_SIGNATURE_SIZE];
 u_char PasswordHashHash[MD4_SIGNATURE_SIZE];
@@ -784,13 +799,13 @@ static void SetMasterKeys(char *secret, int secret_len, u_char NTResponse[24], i
 ascii2unicode(secret, secret_len, unicodePassword);
 NTPasswordHash(unicodePassword, secret_len * 2, PasswordHash);
 NTPasswordHash(PasswordHash, sizeof(PasswordHash), PasswordHashHash);
- mppe_set_keys2(PasswordHashHash, NTResponse, IsServer);
+ mppe_set_keys2(pcb, PasswordHashHash, NTResponse, IsServer);
 }
 #endif /* MPPE_SUPPORT */
-void ChapMS(u_char *rchallenge, char *secret, int secret_len,
+static void ChapMS(ppp_pcb *pcb, u_char *rchallenge, char *secret, int secret_len,
 unsigned char *response) {
 BZERO(response, MS_CHAP_RESPONSE_LEN);
@@ -807,7 +822,7 @@ void ChapMS(u_char *rchallenge, char *secret, int secret_len,
 #endif
 #if MPPE_SUPPORT
- Set_Start_Key(rchallenge, secret, secret_len);
+ Set_Start_Key(pcb, rchallenge, secret, secret_len);
 #endif /* MPPE_SUPPORT */
 }
@@ -822,7 +837,7 @@ void ChapMS(u_char *rchallenge, char *secret, int secret_len,
 * The PeerChallenge field of response is then used for calculation of the
 * Authenticator Response.
 */
-void ChapMS2(u_char *rchallenge, u_char *PeerChallenge,
+static void ChapMS2(ppp_pcb *pcb, u_char *rchallenge, u_char *PeerChallenge,
 char *user, char *secret, int secret_len, unsigned char *response,
 u_char authResponse[], int authenticator) {
 /* ARGSUSED */
@@ -851,7 +866,7 @@ void ChapMS2(u_char *rchallenge, u_char *PeerChallenge,
 rchallenge, user, authResponse);
 #if MPPE_SUPPORT
- SetMasterKeys(secret, secret_len,
+ SetMasterKeys(pcb, secret, secret_len,
 &response[MS_CHAP2_NTRESP], authenticator);
 #endif /* MPPE_SUPPORT */
 }