1
0
mirror of https://github.com/SoftEtherVPN/SoftEtherVPN.git synced 2024-11-22 09:29:52 +03:00

Radius: Make sure MS-CHAP response matches the original username

This commit is contained in:
Yihong Wu 2023-02-25 12:48:17 +00:00
parent 4ff9c6393a
commit cd2838795b
2 changed files with 14 additions and 13 deletions

View File

@ -20,7 +20,7 @@
#include "Mayaqua/Tick64.h"
// send PEAP-MSCHAPv2 auth client response
bool PeapClientSendMsChapv2AuthClientResponse(EAP_CLIENT *e, UCHAR *client_response, UCHAR *client_challenge)
bool PeapClientSendMsChapv2AuthClientResponse(EAP_CLIENT *e, UCHAR *client_response, UCHAR *client_challenge, char *username)
{
bool ret = false;
EAP_MSCHAPV2_RESPONSE msg1;
@ -38,13 +38,13 @@ bool PeapClientSendMsChapv2AuthClientResponse(EAP_CLIENT *e, UCHAR *client_respo
msg1.Type = EAP_TYPE_MS_AUTH;
msg1.Chap_Opcode = EAP_MSCHAPV2_OP_RESPONSE;
msg1.Chap_Id = e->MsChapV2Challenge.Chap_Id;
msg1.Chap_Len = Endian16(54 + StrLen(e->Username));
msg1.Chap_Len = Endian16(54 + StrLen(username));
msg1.Chap_ValueSize = 49;
Copy(msg1.Chap_PeerChallenge, client_challenge, 16);
Copy(msg1.Chap_NtResponse, client_response, 24);
Copy(msg1.Chap_Name, e->Username, MIN(StrLen(e->Username), 255));
Copy(msg1.Chap_Name, username, MIN(StrLen(username), 255));
if (SendPeapPacket(e, &msg1, 59 + StrLen(e->Username)) &&
if (SendPeapPacket(e, &msg1, 59 + StrLen(username)) &&
GetRecvPeapMessage(e, &msg2))
{
if (msg2.Type == EAP_TYPE_MS_AUTH &&
@ -633,7 +633,7 @@ void EapSetRadiusGeneralAttributes(RADIUS_PACKET *r, EAP_CLIENT *e)
}
// Send a MSCHAPv2 client auth response1
bool EapClientSendMsChapv2AuthClientResponse(EAP_CLIENT *e, UCHAR *client_response, UCHAR *client_challenge)
bool EapClientSendMsChapv2AuthClientResponse(EAP_CLIENT *e, UCHAR *client_response, UCHAR *client_challenge, char *username)
{
bool ret = false;
RADIUS_PACKET *request1 = NULL;
@ -659,17 +659,17 @@ bool EapClientSendMsChapv2AuthClientResponse(EAP_CLIENT *e, UCHAR *client_respon
eap1 = ZeroMalloc(sizeof(EAP_MSCHAPV2_RESPONSE));
eap1->Code = EAP_CODE_RESPONSE;
eap1->Id = e->LastRecvEapId;
eap1->Len = Endian16(59 + StrLen(e->Username));
eap1->Len = Endian16(59 + StrLen(username));
eap1->Type = EAP_TYPE_MS_AUTH;
eap1->Chap_Opcode = EAP_MSCHAPV2_OP_RESPONSE;
eap1->Chap_Id = e->MsChapV2Challenge.Chap_Id;
eap1->Chap_Len = Endian16(54 + StrLen(e->Username));
eap1->Chap_Len = Endian16(54 + StrLen(username));
eap1->Chap_ValueSize = 49;
Copy(eap1->Chap_PeerChallenge, client_challenge, 16);
Copy(eap1->Chap_NtResponse, client_response, 24);
Copy(eap1->Chap_Name, e->Username, MIN(StrLen(e->Username), 255));
Copy(eap1->Chap_Name, username, MIN(StrLen(username), 255));
Add(request1->AvpList, NewRadiusAvp(RADIUS_ATTRIBUTE_EAP_MESSAGE, 0, 0, eap1, StrLen(e->Username) + 59));
Add(request1->AvpList, NewRadiusAvp(RADIUS_ATTRIBUTE_EAP_MESSAGE, 0, 0, eap1, StrLen(username) + 59));
response1 = EapSendPacketAndRecvResponse(e, request1, false);
@ -1814,15 +1814,16 @@ bool RadiusLogin(CONNECTION *c, char *server, UINT port, UCHAR *secret, UINT sec
StrCpy(eap->In_VpnProtocolState, sizeof(eap->In_VpnProtocolState), opt->In_VpnProtocolState);
}
// Use the username known to the client instead of parsed by us, or response may be invalid
if (eap->PeapMode == false)
{
ret = EapClientSendMsChapv2AuthClientResponse(eap, mschap.MsChapV2_ClientResponse,
mschap.MsChapV2_ClientChallenge);
mschap.MsChapV2_ClientChallenge, mschap.MsChapV2_PPPUsername);
}
else
{
ret = PeapClientSendMsChapv2AuthClientResponse(eap, mschap.MsChapV2_ClientResponse,
mschap.MsChapV2_ClientChallenge);
mschap.MsChapV2_ClientChallenge, mschap.MsChapV2_PPPUsername);
}
if (ret)

View File

@ -253,7 +253,7 @@ EAP_CLIENT *NewEapClient(IP *server_ip, UINT server_port, char *shared_secret, U
void ReleaseEapClient(EAP_CLIENT *e);
void CleanupEapClient(EAP_CLIENT *e);
bool EapClientSendMsChapv2AuthRequest(EAP_CLIENT *e);
bool EapClientSendMsChapv2AuthClientResponse(EAP_CLIENT *e, UCHAR *client_response, UCHAR *client_challenge);
bool EapClientSendMsChapv2AuthClientResponse(EAP_CLIENT *e, UCHAR *client_response, UCHAR *client_challenge, char *username);
PPP_LCP *EapClientSendEapIdentity(EAP_CLIENT *e);
PPP_LCP *EapClientSendEapRequest(EAP_CLIENT *e, PPP_EAP *eap_request, UINT request_datasize);
void EapSetRadiusGeneralAttributes(RADIUS_PACKET *r, EAP_CLIENT *e);
@ -261,7 +261,7 @@ bool EapSendPacket(EAP_CLIENT *e, RADIUS_PACKET *r);
RADIUS_PACKET *EapSendPacketAndRecvResponse(EAP_CLIENT *e, RADIUS_PACKET *r, bool parse_inner);
bool PeapClientSendMsChapv2AuthRequest(EAP_CLIENT *eap);
bool PeapClientSendMsChapv2AuthClientResponse(EAP_CLIENT *e, UCHAR *client_response, UCHAR *client_challenge);
bool PeapClientSendMsChapv2AuthClientResponse(EAP_CLIENT *e, UCHAR *client_response, UCHAR *client_challenge, char *username);
bool StartPeapClient(EAP_CLIENT *e);
bool StartPeapSslClient(EAP_CLIENT *e);