Commit 35a0ba5e authored by Robert Dubner's avatar Robert Dubner

Migrate some changes from the RadiusClient application

parent 370440a8
......@@ -21,7 +21,6 @@
*/
#include "radiusov.h"
#include "lber-int.h"
#include "md4.h"
#include "mschap.h"
#include "sha1.h"
......
......@@ -49,4 +49,52 @@ void GenerateAuthenticatorResponse( uint8_t const *unicode_password,
uint8_t *response,
STATE *state );
typedef struct _MSCHAP_CHALLENGE
{
// This is generated by the server and sent to the client in the encrypted
// portion of an EAP-Message.
// See https://datatracker.ietf.org/doc/html/draft-kamath-pppext-eap-mschapv2-02
// section 2.1 Our decrypted data starts at Type, which is the fourth byte
// of the challenge packet as documented. (The documentation didn't anticipate
// that the data would be encrypted and sent in EAP-Messages.)
uint8_t Type; // 26 for EAP MS-CHAP-V2
uint8_t OpCode; // 1 for challenge
uint8_t MS_Chap_ID; // Typically the same as the containing EAP-Message identifier
uint8_t MS_Length[2]; // Big-endian
uint8_t Value_Size; // This will/should be 0x10 (decimal 16)
uint8_t Challenge[16]; // Sixteen random bytes
uint8_t Name[1]; // Might not be there at all. Not NULL or CR/LF terminated.
// // The length is inferred: MS_Length - Value_Size - 6
} MSCHAP_CHALLENGE;
typedef struct _SUB_RESPONSE
{
// The length of this structure is 49 bytes
uint8_t Peer_Challenge[16]; // Sixteen random bytes
uint8_t Reserved[6]; // Must be zero
uint8_t NT_Response[24]; // See RFC2759, Section 8.1
uint8_t Flags; // Must be zero
} SUB_RESPONSE;
typedef struct _MSCHAP_RESPONSE
{
// See https://datatracker.ietf.org/doc/html/draft-kamath-pppext-eap-mschapv2-02
// section 2.1 Our data to be encrypted starts at Type, which is the fourth byte
// of the response packet as documented. (The documentation didn't anticipate
// that the data would be encrypted and sent in EAP-Messages.)
uint8_t Type; // 26 for EAP MS-CHAP-V2
uint8_t OpCode; // 2 for response
uint8_t MS_Chap_ID; // Typically the same as the containing EAP-Message identifier
uint8_t MS_Length[8]; // Big-endian
uint8_t Value_Size; // This will/should be 0x31 (decimal 49)
SUB_RESPONSE SubResponse; // See above
uint8_t Name[1]; // Might not be there at all. Not NULL or CR/LF terminated.
// // The length is inferred: MS_Length - Value_Size - 6
} MSCHAP_RESPONSE;
#endif
\ No newline at end of file
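Review bot: The field sizes in the new structs disagree with their own comments: `MSCHAP_RESPONSE` declares `uint8_t MS_Length[8];` while `MSCHAP_CHALLENGE` has `uint8_t MS_Length[2];` and both comments compute the name length as MS_Length - Value_Size - 6, and `SUB_RESPONSE` is commented as 49 bytes but 16 + 6 + 24 + 1 is 47 (RFC 2759 section 4, which the NT_Response comment cites, gives the Reserved field 8 octets). If MSCHAP_RESPONSE is overlaid on packet bytes, the oversized MS_Length shifts Value_Size, SubResponse and Name six bytes past their wire positions, so the peer and this code would disagree on every following field. I would change the two lines to `uint8_t MS_Length[2]; // Big-endian` and `uint8_t Reserved[8]; // Must be zero`. The inferred `Name` length also only holds once MS_Length has been checked against the number of bytes actually received, which is worth stating in the comment on that member.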
......@@ -117,8 +117,8 @@ server_postamble( RADIUS_PACKET *response,
PACKET_CODES code = get_code(response);
if( code != PC_Access_Request
&& code != PC_Access_Accept
&& code != PC_Access_Reject)
&& code != PC_Access_Accept
&& code != PC_Access_Reject)
{
get_or_create_state_string(state_string_, request);
state_string = state_string_;
......@@ -261,17 +261,20 @@ process_eap_message_identity( RADIUS_INFO *radius_info,
build_md5_challenge(&response, request, eap_message, shared_secret);
}
static int alternating = 0;
if(alternating)
{
build_peap_challenge(&response, request, eap_message, shared_secret);
}
if(!alternating)
else
{
build_ttls_challenge(&response, request, eap_message, shared_secret);
static int alternating = 0;
if(alternating)
{
build_peap_challenge(&response, request, eap_message, shared_secret);
}
if(!alternating)
{
build_ttls_challenge(&response, request, eap_message, shared_secret);
}
alternating ^= 1;
}
alternating ^= 1;
rc = SendThePacket(&response, radius_info->udp_socket, client_addr);
// A successful send will return NO_RESPONSE_NECESSARY, which we
// pass upstairs, letting them know they need not do anything.
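Review bot: The new `else` block keys the PEAP/TTLS choice on a function-static `alternating` flag, so which method a peer is offered depends on how many identity responses have arrived from anyone since startup rather than on anything about that peer, and the flag is not safe if this path can run concurrently. If this is scaffolding to exercise both code paths, a comment such as `// TEST ONLY: alternate PEAP and TTLS offers across identity responses` should say so where the static is declared. Within the block, the second test `if(!alternating)` can simply be `else`, since nothing modifies the flag between the two tests. process_eap_message_identity begins before this hunk.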
......@@ -2373,9 +2376,11 @@ process_eap_message_peap_or_ttls( RADIUS_INFO *radius_info,
if( state->tls_record_in_recvd_len > state->tls_record_in_total_len )
{
Debug( LDAP_DEBUG_ANY,
DPREFIX "%s() We received more bytes than we "
"were told we were going to receive\n",
__func__);
DPREFIX "%s() We received more bytes (%ld) than we "
"were told we were going to receive (%ld)\n",
__func__,
state->tls_record_in_recvd_len,
state->tls_record_in_total_len);
return FAIL_SILENTLY;
}
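Review bot: The two new `%ld` conversions assume `tls_record_in_recvd_len` and `tls_record_in_total_len` are `long`; their declarations are outside this hunk, and if they are `size_t`, `int` or a fixed-width type the mismatched specifier is undefined behavior and -Wformat will flag it. Either cast both arguments to `long` at the call or use `%zu` / the matching `<inttypes.h>` PRI macro for the declared type. process_eap_message_peap_or_ttls continues on both sides of the hunk.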
......
......@@ -610,6 +610,13 @@ radiusov_acceptconn(void *ctx, void *arg)
search_method = TEST_AND_DEVELOPMENT;
}
#if 0
ber_log_bprint( LDAP_DEBUG_ANY,
LDAP_DEBUG_ANY,
(const char *)incoming_request,
slen);
#endif
switch( search_method )
{
case TEST_AND_DEVELOPMENT:
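Review bot: The added `#if 0 ... #endif` around `ber_log_bprint` is dead code that the commit leaves in place; if the hex dump of `incoming_request` is wanted as a diagnostic, gate it on a debug-level check instead of `#if 0`, otherwise drop it. Since the dump is of the raw RADIUS request, which may carry authentication attributes, any kept version should be limited to a trace level that is not enabled in production. radiusov_acceptconn begins before this hunk.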
......
......@@ -303,9 +303,9 @@ void build_packet_preamble( RADIUS_PACKET *response,
PACKET_CODES packet_code,
uint8_t packet_idt);
void build_packet_postamble( RADIUS_PACKET *response,
RADIUS_PACKET *request,
const char *state_string,
const char *shared_secret);
RADIUS_PACKET *request,
const char *state_string,
const char *shared_secret);
int radiusov_get_packet_from_request( RADIUS_PACKET *radius_packet,
uint8_t *incoming_request,
ssize_t recv_len);
......