move code to find NT-Password and LM-Password out of main auth func
mcnewton committed Mar 28, 2016
1 parent 5c6b610 commit dd9b928
Showing 1 changed file with 140 additions and 93 deletions.
233 changes: 140 additions & 93 deletions src/modules/rlm_mschap/rlm_mschap.c
Expand Up @@ -1478,90 +1478,20 @@ static rlm_rcode_t mschap_error(rlm_mschap_t *inst, REQUEST *request, unsigned c
return rcode;
}


/*
* mod_authenticate() - authenticate user based on given
* attributes and configuration.
* We will try to find out password in configuration
* or in configured passwd file.
* If one is found we will check paraneters given by NAS.
*
* If PW_SMB_ACCOUNT_CTRL is not set to ACB_PWNOTREQ we must have
* one of:
* PAP: PW_USER_PASSWORD or
* MS-CHAP: PW_MSCHAP_CHALLENGE and PW_MSCHAP_RESPONSE or
* MS-CHAP2: PW_MSCHAP_CHALLENGE and PW_MSCHAP2_RESPONSE
* In case of password mismatch or locked account we MAY return
* PW_MSCHAP_ERROR for MS-CHAP or MS-CHAP v2
* If MS-CHAP2 succeeds we MUST return
* PW_MSCHAP2_SUCCESS
* find_nt_password() - try and find a correct NT-Password
* attribute, or calculate one if possible.
*/
static rlm_rcode_t CC_HINT(nonnull) mod_authenticate(void *instance, REQUEST *request)
static bool CC_HINT(nonnull (1, 2, 4)) find_nt_password(rlm_mschap_t *inst,
REQUEST *request,
VALUE_PAIR *password,
VALUE_PAIR **ntpw)
{
rlm_mschap_t *inst = instance;
VALUE_PAIR *challenge = NULL;
VALUE_PAIR *response = NULL;
VALUE_PAIR *cpw = NULL;
VALUE_PAIR *password = NULL;
VALUE_PAIR *lm_password, *nt_password, *smb_ctrl;
VALUE_PAIR *username;
uint8_t nthashhash[NT_DIGEST_LENGTH];
char msch2resp[42];
char const *username_string;
int mschap_version = 0;
int mschap_result;
MSCHAP_AUTH_METHOD auth_method;

/*
* If we have ntlm_auth configured, use it unless told
* otherwise
*/
auth_method = inst->method;
VALUE_PAIR *nt_password;

/*
* If we have an ntlm_auth configuration, then we may
* want to suppress it.
*/
if (auth_method != AUTH_INTERNAL) {
VALUE_PAIR *vp = fr_pair_find_by_num(request->control, 0, PW_MS_CHAP_USE_NTLM_AUTH, TAG_ANY);
if (vp && vp->vp_integer == 0) auth_method = AUTH_INTERNAL;
}

/*
* Find the SMB-Account-Ctrl attribute, or the
* SMB-Account-Ctrl-Text attribute.
*/
smb_ctrl = fr_pair_find_by_num(request->control, 0, PW_SMB_ACCOUNT_CTRL, TAG_ANY);
if (!smb_ctrl) {
password = fr_pair_find_by_num(request->control, 0, PW_SMB_ACCOUNT_CTRL_TEXT, TAG_ANY);
if (password) {
smb_ctrl = pair_make_config("SMB-Account-CTRL", "0", T_OP_SET);
if (smb_ctrl) {
smb_ctrl->vp_integer = pdb_decode_acct_ctrl(password->vp_strvalue);
}
}
}

/*
* We're configured to do MS-CHAP authentication.
* and account control information exists. Enforce it.
*/
if (smb_ctrl) {
/*
* Password is not required.
*/
if ((smb_ctrl->vp_integer & ACB_PWNOTREQ) != 0) {
RDEBUG2("SMB-Account-Ctrl says no password is required");
return RLM_MODULE_OK;
}
}

/*
* Decide how to get the passwords.
*/
password = fr_pair_find_by_num(request->control, 0, PW_CLEARTEXT_PASSWORD, TAG_ANY);

/*
* We need an NT-Password.
* Look for NT-Password...
*/
nt_password = fr_pair_find_by_num(request->control, 0, PW_NT_PASSWORD, TAG_ANY);
if (nt_password) {
Expand Down Expand Up @@ -1599,23 +1529,37 @@ static rlm_rcode_t CC_HINT(nonnull) mod_authenticate(void *instance, REQUEST *re
nt_password = pair_make_config("NT-Password", NULL, T_OP_EQ);
if (!nt_password) {
RERROR("No memory");
return RLM_MODULE_FAIL;
return false;
}
p = talloc_array(nt_password, uint8_t, NT_DIGEST_LENGTH);
fr_pair_value_memsteal(nt_password, p);

if (mschap_ntpwdhash(p, password->vp_strvalue) < 0) {
RERROR("Failed generating NT-Password");
return RLM_MODULE_FAIL;
return false;
}
} else if (auth_method == AUTH_INTERNAL) {
} else if (inst->method == AUTH_INTERNAL) {
RWDEBUG2("No Cleartext-Password configured. Cannot create NT-Password");
}
}

/*
* Or an LM-Password.
*/
*ntpw = nt_password;
return true;
}


/*
* find_lm_password() - try and find a correct LM-Password
* attribute.
*/
static bool CC_HINT(nonnull (1, 2, 5)) find_lm_password(rlm_mschap_t *inst,
REQUEST *request,
VALUE_PAIR *password,
VALUE_PAIR *nt_password,
VALUE_PAIR **lmpw)
{
VALUE_PAIR *lm_password;

lm_password = fr_pair_find_by_num(request->control, 0, PW_LM_PASSWORD, TAG_ANY);
if (lm_password) {
VERIFY_VP(lm_password);
Expand All @@ -1641,29 +1585,132 @@ static rlm_rcode_t CC_HINT(nonnull) mod_authenticate(void *instance, REQUEST *re
}
}
/*
* ... or a Cleartext-Password, which we now transform into an LM-Password
* If we can't find an LM-Password, try and create one from password
*/
if (!lm_password) {
uint8_t *p;

if (password) {
RDEBUG2("Found Cleartext-Password, hashing to create LM-Password");
lm_password = pair_make_config("LM-Password", NULL, T_OP_EQ);
if (!lm_password) {
RERROR("No memory");
} else {
uint8_t *p;

p = talloc_array(lm_password, uint8_t, LM_DIGEST_LENGTH);
fr_pair_value_memsteal(lm_password, p);
smbdes_lmpwdhash(password->vp_strvalue, p);
return false;
}

p = talloc_array(lm_password, uint8_t, LM_DIGEST_LENGTH);
fr_pair_value_memsteal(lm_password, p);
smbdes_lmpwdhash(password->vp_strvalue, p);

/*
* Only complain if we don't have NT-Password
*/
} else if ((auth_method == AUTH_INTERNAL) && !nt_password) {
} else if (inst->method == AUTH_INTERNAL && !nt_password) {
RWDEBUG2("No Cleartext-Password configured. Cannot create LM-Password");
}
}

*lmpw = lm_password;
return true;
}


/*
* mod_authenticate() - authenticate user based on given
* attributes and configuration.
* We will try to find out password in configuration
* or in configured passwd file.
* If one is found we will check paraneters given by NAS.
*
* If PW_SMB_ACCOUNT_CTRL is not set to ACB_PWNOTREQ we must have
* one of:
* PAP: PW_USER_PASSWORD or
* MS-CHAP: PW_MSCHAP_CHALLENGE and PW_MSCHAP_RESPONSE or
* MS-CHAP2: PW_MSCHAP_CHALLENGE and PW_MSCHAP2_RESPONSE
* In case of password mismatch or locked account we MAY return
* PW_MSCHAP_ERROR for MS-CHAP or MS-CHAP v2
* If MS-CHAP2 succeeds we MUST return
* PW_MSCHAP2_SUCCESS
*/
static rlm_rcode_t CC_HINT(nonnull) mod_authenticate(void *instance, REQUEST *request)
{
rlm_mschap_t *inst = instance;
VALUE_PAIR *challenge = NULL;
VALUE_PAIR *response = NULL;
VALUE_PAIR *cpw = NULL;
VALUE_PAIR *password = NULL;
VALUE_PAIR *lm_password, *nt_password, *smb_ctrl;
VALUE_PAIR *username;
uint8_t nthashhash[NT_DIGEST_LENGTH];
char msch2resp[42];
char const *username_string;
int mschap_version = 0;
int mschap_result;
MSCHAP_AUTH_METHOD auth_method;

/*
* If we have ntlm_auth configured, use it unless told
* otherwise
*/
auth_method = inst->method;

/*
* If we have an ntlm_auth configuration, then we may
* want to suppress it.
*/
if (auth_method != AUTH_INTERNAL) {
VALUE_PAIR *vp = fr_pair_find_by_num(request->control, 0, PW_MS_CHAP_USE_NTLM_AUTH, TAG_ANY);
if (vp && vp->vp_integer == 0) auth_method = AUTH_INTERNAL;
}

/*
* Find the SMB-Account-Ctrl attribute, or the
* SMB-Account-Ctrl-Text attribute.
*/
smb_ctrl = fr_pair_find_by_num(request->control, 0, PW_SMB_ACCOUNT_CTRL, TAG_ANY);
if (!smb_ctrl) {
password = fr_pair_find_by_num(request->control, 0, PW_SMB_ACCOUNT_CTRL_TEXT, TAG_ANY);
if (password) {
smb_ctrl = pair_make_config("SMB-Account-CTRL", "0", T_OP_SET);
if (smb_ctrl) {
smb_ctrl->vp_integer = pdb_decode_acct_ctrl(password->vp_strvalue);
}
}
}

/*
* We're configured to do MS-CHAP authentication.
* and account control information exists. Enforce it.
*/
if (smb_ctrl) {
/*
* Password is not required.
*/
if ((smb_ctrl->vp_integer & ACB_PWNOTREQ) != 0) {
RDEBUG2("SMB-Account-Ctrl says no password is required");
return RLM_MODULE_OK;
}
}

/*
* Decide how to get the passwords.
*/
password = fr_pair_find_by_num(request->control, 0, PW_CLEARTEXT_PASSWORD, TAG_ANY);

/*
* Look for or create an NT-Password
*/
if (!find_nt_password(instance, request, password, &nt_password)) {
return RLM_MODULE_FAIL;
}

/*
* Look for or create an LM-Password
*/
if (!find_lm_password(instance, request, password, nt_password, &lm_password)) {
return RLM_MODULE_FAIL;
}

cpw = fr_pair_find_by_num(request->packet->vps, VENDORPEC_MICROSOFT, PW_MSCHAP2_CPW, TAG_ANY);
if (cpw) {
/*
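Review bot: The two new helpers test `inst->method == AUTH_INTERNAL` (the `} else if (inst->method == AUTH_INTERNAL) {` branches in find_nt_password and find_lm_password), whereas the code they replaced tested the local `auth_method`, which mod_authenticate still downgrades to AUTH_INTERNAL when the control list carries MS-CHAP-Use-NTLM-Auth = 0. With ntlm_auth configured but suppressed for a request, the "No Cleartext-Password configured. Cannot create NT-Password" / "Cannot create LM-Password" warnings therefore no longer fire, which is a behaviour change the commit message does not mention and which removes a useful diagnostic for exactly the case where the internal path must succeed. The simplest fix is to give both helpers a `MSCHAP_AUTH_METHOD auth_method` parameter, pass mod_authenticate's `auth_method` at the two call sites, and restore `} else if (auth_method == AUTH_INTERNAL) {` in each helper (if the parameter is appended after the existing ones, the `CC_HINT(nonnull (...))` index lists stay valid). As a point of style, the call sites pass the untyped `instance` where the typed `inst` is already in scope; `find_nt_password(inst, request, password, &nt_password)` would let the compiler check the argument. Note that find_nt_password's body and mod_authenticate's body both continue outside the visible hunks.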
