Migrate some changes from the RadiusClient application

35a0ba5e · Robert Dubner · 370440a8 · 35a0ba5e · 35a0ba5e · 35a0ba5e
Commit 35a0ba5e authored Oct 03, 2021 by Robert Dubner
--- a/contrib/slapd-modules/radiusov/mschap.c
+++ b/contrib/slapd-modules/radiusov/mschap.c
@@ -21,7 +21,6 @@
 */

 #include "radiusov.h"
-#include "lber-int.h"
 #include "md4.h"
 #include "mschap.h"
 #include "sha1.h"

--- a/contrib/slapd-modules/radiusov/mschap.h
+++ b/contrib/slapd-modules/radiusov/mschap.h
@@ -49,4 +49,52 @@ void GenerateAuthenticatorResponse( uint8_t const *unicode_password,
                                    uint8_t       *response,
                                    STATE         *state );

+typedef struct _MSCHAP_CHALLENGE
+    {
+    // This is generated by the server and sent to the client in the encrypted
+    // portion of an EAP-Message.
+    // See https://datatracker.ietf.org/doc/html/draft-kamath-pppext-eap-mschapv2-02
+    // section 2.1  Our decrypted data starts at Type, which is the fourth byte
+    // of the challenge packet as documented. (The documentation didn't anticipate
+    // that the data would be encrypted and sent in EAP-Messages.)
+    uint8_t  Type;          // 26 for EAP MS-CHAP-V2
+    uint8_t  OpCode;        //  1 for challenge
+    uint8_t  MS_Chap_ID;    // Typically the same as the containing EAP-Message identifier
+    uint8_t  MS_Length[2];  // Big-endian
+    uint8_t  Value_Size;    // This will/should be 0x10 (decimal 16)
+    uint8_t  Challenge[16]; // Sixteen random bytes
+    uint8_t  Name[1];       // Might not be there at all.  Not NULL or CR/LF terminated.
+    //                      // The length is inferred: MS_Length - Value_Size - 6
+    } MSCHAP_CHALLENGE;
+
+typedef struct _SUB_RESPONSE
+    {
+    // The length of this structure is 49 bytes
+    uint8_t Peer_Challenge[16]; // Sixteen random bytes
+    uint8_t Reserved[6];        // Must be zero
+    uint8_t NT_Response[24];    // See RFC2759, Section 8.1
+    uint8_t Flags;              // Must be zero
+    } SUB_RESPONSE;
+
+typedef struct _MSCHAP_RESPONSE
+    {
+    // See https://datatracker.ietf.org/doc/html/draft-kamath-pppext-eap-mschapv2-02
+    // section 2.1  Our data to be encrypted starts at Type, which is the fourth byte
+    // of the response packet as documented.  (The documentation didn't anticipate
+    // that the data would be encrypted and sent in EAP-Messages.)
+    uint8_t  Type;              // 26 for EAP MS-CHAP-V2
+    uint8_t  OpCode;            //  2 for response
+    uint8_t  MS_Chap_ID;        // Typically the same as the containing EAP-Message identifier
+    uint8_t  MS_Length[8];      // Big-endian
+    uint8_t  Value_Size;        // This will/should be 0x31 (decimal 49)
+    SUB_RESPONSE SubResponse;   // See above
+    uint8_t  Name[1];           // Might not be there at all.  Not NULL or CR/LF terminated.
+    //                          // The length is inferred: MS_Length - Value_Size - 6
+    } MSCHAP_RESPONSE;
+
+
+
+
+
+
 #endif
\ No newline at end of file
--- a/contrib/slapd-modules/radiusov/radius.c
+++ b/contrib/slapd-modules/radiusov/radius.c
@@ -117,8 +117,8 @@ server_postamble(   RADIUS_PACKET *response,
    PACKET_CODES code = get_code(response);

    if( code != PC_Access_Request
-        && code != PC_Access_Accept
-        && code != PC_Access_Reject)
+            && code != PC_Access_Accept
+            && code != PC_Access_Reject)
        {
        get_or_create_state_string(state_string_, request);
        state_string = state_string_;
@@ -261,17 +261,20 @@ process_eap_message_identity(   RADIUS_INFO *radius_info,
            build_md5_challenge(&response, request, eap_message, shared_secret);
            }

-        static int alternating = 0;
-
-        if(alternating)
-            {
-            build_peap_challenge(&response, request, eap_message, shared_secret);
-            }
-        if(!alternating)
+        else
            {
-            build_ttls_challenge(&response, request, eap_message, shared_secret);
+            static int alternating = 0;
+
+            if(alternating)
+                {
+                build_peap_challenge(&response, request, eap_message, shared_secret);
+                }
+            if(!alternating)
+                {
+                build_ttls_challenge(&response, request, eap_message, shared_secret);
+                }
+            alternating ^= 1;
            }
-        alternating ^= 1;
        rc = SendThePacket(&response, radius_info->udp_socket, client_addr);
        // A successful send will return NO_RESPONSE_NECESSARY, which we
        // pass upstairs, letting them know they need not do anything.
@@ -2373,9 +2376,11 @@ process_eap_message_peap_or_ttls(   RADIUS_INFO *radius_info,
                    if( state->tls_record_in_recvd_len > state->tls_record_in_total_len )
                        {
                        Debug(  LDAP_DEBUG_ANY,
-                                DPREFIX "%s() We received more bytes than we "
-                                "were told we were going to receive\n",
-                                __func__);
+                                DPREFIX "%s() We received more bytes (%ld) than we "
+                                "were told we were going to receive (%ld)\n",
+                                __func__,
+                                state->tls_record_in_recvd_len,
+                                state->tls_record_in_total_len);
                        return FAIL_SILENTLY;
                        }


--- a/contrib/slapd-modules/radiusov/radiusov.c
+++ b/contrib/slapd-modules/radiusov/radiusov.c
@@ -610,6 +610,13 @@ radiusov_acceptconn(void *ctx, void *arg)
        search_method = TEST_AND_DEVELOPMENT;
        }

+#if 0
+    ber_log_bprint( LDAP_DEBUG_ANY,
+                    LDAP_DEBUG_ANY,
+                    (const char *)incoming_request,
+                    slen);
+#endif
+
    switch( search_method )
        {
        case TEST_AND_DEVELOPMENT:

--- a/contrib/slapd-modules/radiusov/rpacket.h
+++ b/contrib/slapd-modules/radiusov/rpacket.h
@@ -303,9 +303,9 @@ void build_packet_preamble(     RADIUS_PACKET *response,
                                PACKET_CODES packet_code,
                                uint8_t packet_idt);
 void build_packet_postamble(  RADIUS_PACKET *response,
-                                RADIUS_PACKET *request,
-                                const char *state_string,
-                                const char *shared_secret);
+                              RADIUS_PACKET *request,
+                              const char *state_string,
+                              const char *shared_secret);
 int radiusov_get_packet_from_request(   RADIUS_PACKET *radius_packet,
                                        uint8_t *incoming_request,
                                        ssize_t recv_len);