From 7563ef02245a86f99a7903ab7fcf28045a047c79 Mon Sep 17 00:00:00 2001
From: Nigel Kukard <nkukard@lbsd.net>
Date: Mon, 27 Apr 2009 13:27:34 +0000
Subject: [PATCH] * Remove debugging info from authentication modules * Ensure
 that authentication modules use the attribute details, remove hardcoding

---
 .../modules/authentication/mod_auth_chap.pm   |  48 +++++---
 .../modules/authentication/mod_auth_mschap.pm | 103 ++++++++++++------
 2 files changed, 104 insertions(+), 47 deletions(-)

diff --git a/smradius/modules/authentication/mod_auth_chap.pm b/smradius/modules/authentication/mod_auth_chap.pm
index 89b51474..8f59b870 100644
--- a/smradius/modules/authentication/mod_auth_chap.pm
+++ b/smradius/modules/authentication/mod_auth_chap.pm
@@ -87,22 +87,44 @@ sub authenticate
 	# Check if this is a CHAP auth
 	return MOD_RES_SKIP if (!defined($challenge) || !defined($password));
 
-	$server->log(LOG_DEBUG,"This is a CHAP challenge....");
-
-
-	print(STDERR "RECEIVED\n");
-	print(STDERR "Challenge: len = ".length($challenge).", hex = ".unpack("H*",$challenge)."\n");
-	print(STDERR "Password : len = ".length($password).", hex = ".unpack("H*",$password)."\n");
-	print(STDERR "\n\n");
-
+	$server->log(LOG_DEBUG,"[MOD_AUTH_CHAP] This is a CHAP challenge");
+
+	# Grab our own version of the password
+	my $ourPassword;
+	if (defined($user->{'Attributes'}->{'User-Password'})) {
+		# Operator: ==
+		if (defined($user->{'Attributes'}->{'User-Password'}->{'=='})) {
+			# Set password
+			$ourPassword = $user->{'Attributes'}->{'User-Password'}->{'=='}->{'Value'};
+		} else {
+			$server->log(LOG_NOTICE,"[MOD_AUTH_CHAP] No valid operators for attribute 'User-Password', ".
+					"supported operators are: ==");
+		}
+	} else {
+		$server->log(LOG_NOTICE,"[MOD_AUTH_CHAP] No 'User-Password' attribute, cannot authenticate");
+		return MOD_RES_NACK;
+	}
+
+#	print(STDERR "RECEIVED\n");
+#	print(STDERR "Challenge: len = ".length($challenge).", hex = ".unpack("H*",$challenge)."\n");
+#	print(STDERR "Password : len = ".length($password).", hex = ".unpack("H*",$password)."\n");
+#	print(STDERR "\n\n");
+
+	# Pull off the ID
 	my $id = substr($password,0,1);
-	print(STDERR "ID: ".length($id).", hex = ".unpack("H*",$id)."\n");
+#	print(STDERR "ID: ".length($id).", hex = ".unpack("H*",$id)."\n");
 
-	my $result = encode_chap($id,$challenge,"mytest");
+	# Calculate the result
+	my $result = encode_chap($id,$challenge,$ourPassword);
 	
-	print(STDERR "CALC\n");
-	print(STDERR "Result   : len = ".length($result).", hex = ".unpack("H*",$result)."\n");
-	print(STDERR "\n\n");
+#	print(STDERR "CALC\n");
+#	print(STDERR "Result   : len = ".length($result).", hex = ".unpack("H*",$result)."\n");
+#	print(STDERR "\n\n");
+
+	# Check if the password and the result match
+	if ($password eq $result) {
+		return MOD_RES_ACK;
+	}
 	
 	return MOD_RES_NACK;
 }
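Review bot: In the `else` branch for a `User-Password` attribute that has no `==` operator, the code only logs and carries on, so `$ourPassword` is still undef when it reaches `encode_chap($id,$challenge,$ourPassword)`. How `encode_chap` treats an undefined secret is not visible here, but the comparison may then be made against a digest of an empty password; the branch should fail closed with `return MOD_RES_NACK;` after the log call, as the missing-attribute branch already does. The same gap is in the `authenticate` hunk of mod_auth_mschap.pm, where `$unicodePassword` stays undef. The debug prints are commented out rather than deleted; since they dump challenge and response material to STDERR, removing them would stop them being re-enabled by accident. The start of `authenticate` lies outside this hunk.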
diff --git a/smradius/modules/authentication/mod_auth_mschap.pm b/smradius/modules/authentication/mod_auth_mschap.pm
index 554f436a..177eef32 100644
--- a/smradius/modules/authentication/mod_auth_mschap.pm
+++ b/smradius/modules/authentication/mod_auth_mschap.pm
@@ -32,6 +32,7 @@ use warnings;
 
 # Modules we need
 use smradius::constants;
+use smradius::logging;
 use Crypt::DES;
 use Crypt::RC4;
 use Digest::SHA1;
@@ -109,64 +110,98 @@ sub authenticate
 	# Return if not recognized...
 	return MOD_RES_SKIP if (!defined($rawChallenge) || (!defined($rawResponse) && !defined($rawResponse2)));
 
-	print(STDERR "This is a MS-CHAP challenge....\n");
+	$server->log(LOG_DEBUG,"[MOD_AUTH_MSCHAP] This is a MSCHAP challenge");
+
+	# Grab our own version of the password
+	my $unicodePassword;
+	if (defined($user->{'Attributes'}->{'User-Password'})) {
+		# Operator: ==
+		if (defined($user->{'Attributes'}->{'User-Password'}->{'=='})) {
+			# Set password
+			$unicodePassword = $user->{'Attributes'}->{'User-Password'}->{'=='}->{'Value'};
+			$unicodePassword =~ s/(.)/$1\0/g; # convert ASCII to unicaode
+		} else {
+			$server->log(LOG_NOTICE,"[MOD_AUTH_CHAP] No valid operators for attribute 'User-Password', ".
+					"supported operators are: ==");
+		}
+	} else {
+		$server->log(LOG_NOTICE,"[MOD_AUTH_CHAP] No 'User-Password' attribute, cannot authenticate");
+		return MOD_RES_NACK;
+	}
 
+	# Grab usrename
+	my $username = $user->{'Username'};
+	if (!defined($username)) {
+		$server->log(LOG_NOTICE,"[MOD_AUTH_CHAP] No 'Username' attribute in packet, cannot authenticate");
+		return MOD_RES_NACK;
+	}
 
 	# MSCHAPv1
 	if ($rawResponse) {
+		$server->log(LOG_DEBUG,"[MOD_AUTH_MSCHAP] This is a MSCHAPv1 challenge");
+
+		# Pull off challenge & response
 		my $challenge = @{$rawChallenge}[0];
 		my $response = substr(@{$rawResponse}[0],2);
 
-		print(STDERR "RECEIVED\n");
-		print(STDERR "Challenge: len = ".length($challenge).", hex = ".unpack("H*",$challenge)."\n");
-		print(STDERR "Reponse  : len = ".length($response).", hex = ".unpack("H*",$response)."\n");
-		print(STDERR "\n\n");
-
-
+#		print(STDERR "RECEIVED\n");
+#		print(STDERR "Challenge: len = ".length($challenge).", hex = ".unpack("H*",$challenge)."\n");
+#		print(STDERR "Reponse  : len = ".length($response).", hex = ".unpack("H*",$response)."\n");
+#		print(STDERR "\n\n");
 
-		print(STDERR "CHOPPED OFFF!!\n");
+#		print(STDERR "CHOPPED OFFF!!\n");
+		# Chop off NtResponse
 		my $NtResponse = substr($response,24,24);
-		print(STDERR "NTRespons: len = ".length($NtResponse).", hex = ".unpack("H*",$NtResponse)."\n");
-		print(STDERR "\n\n");
+#		print(STDERR "NTRespons: len = ".length($NtResponse).", hex = ".unpack("H*",$NtResponse)."\n");
+#		print(STDERR "\n\n");
 
-		my $unipass = "mytest";
-		$unipass =~ s/(.)/$1\0/g; # convert ASCII to unicaode
-		my $username = "nigel";
+#		print(STDERR "TEST\n");
+		# Generate our response
+		my $ourResponse = NtChallengeResponse($challenge,$unicodePassword);
+#		print(STDERR "Calculate: len = ".length($ourResponse).", hex = ".unpack("H*",$ourResponse)."\n");
+#		print(STDERR "\n\n");
 
-		print(STDERR "TEST\n");
-		my $ourResponse = NtChallengeResponse($challenge,$unipass);
-		print(STDERR "Calculate: len = ".length($ourResponse).", hex = ".unpack("H*",$ourResponse)."\n");
-		print(STDERR "\n\n");
+		# Check responses match
+		if ($NtResponse eq $ourResponse) {
+			return MOD_RES_ACK;
+		}
 
 
 	# MSCHAPv2
 	} elsif ($rawResponse2) {
+		$server->log(LOG_DEBUG,"[MOD_AUTH_MSCHAP] This is a MSCHAPv2 challenge");
+
+		# Pull off challenge & response
 		my $challenge = @{$rawChallenge}[0];
 		my $response = substr(@{$rawResponse2}[0],2);
 
-		print(STDERR "RECEIVED\n");
-		print(STDERR "Challenge: len = ".length($challenge).", hex = ".unpack("H*",$challenge)."\n");
-		print(STDERR "Reponse  : len = ".length($response).", hex = ".unpack("H*",$response)."\n");
-		print(STDERR "\n\n");
+#		print(STDERR "RECEIVED\n");
+#		print(STDERR "Challenge: len = ".length($challenge).", hex = ".unpack("H*",$challenge)."\n");
+#		print(STDERR "Reponse  : len = ".length($response).", hex = ".unpack("H*",$response)."\n");
+#		print(STDERR "\n\n");
 
 
 
-		print(STDERR "CHOPPED OFFF!!\n");
+#		print(STDERR "CHOPPED OFFF!!\n");
+		# Grab peer challenge and response
 		my $peerChallenge = substr($response,0,16);
-		my $NtRespnse = substr($response,24,24);
-		print(STDERR "Challenge: len = ".length($peerChallenge).", hex = ".unpack("H*",$peerChallenge)."\n");
-		print(STDERR "NTRespons: len = ".length($NtRespnse).", hex = ".unpack("H*",$NtRespnse)."\n");
-		print(STDERR "\n\n");
-
-		my $unipass = "mytest";
-		$unipass =~ s/(.)/$1\0/g; # convert ASCII to unicaode
-		my $username = "nigel";
+		my $NtResponse = substr($response,24,24);
+#		print(STDERR "Challenge: len = ".length($peerChallenge).", hex = ".unpack("H*",$peerChallenge)."\n");
+#		print(STDERR "NTRespons: len = ".length($NtResponse).", hex = ".unpack("H*",$NtResponse)."\n");
+#		print(STDERR "\n\n");
 
-		print(STDERR "TEST\n");
+#		print(STDERR "TEST\n");
+		# Generate our challenge and our response
 		my $ourChallenge = ChallengeHash($peerChallenge,$challenge,$username);
-		my $ourResponse = NtChallengeResponse($ourChallenge,$unipass);
-		print(STDERR "Calculate: len = ".length($ourResponse).", hex = ".unpack("H*",$ourResponse)."\n");
-		print(STDERR "\n\n");
+		my $ourResponse = NtChallengeResponse($ourChallenge,$unicodePassword);
+#		print(STDERR "Calculate: len = ".length($ourResponse).", hex = ".unpack("H*",$ourResponse)."\n");
+#		print(STDERR "\n\n");
+
+		# Check response match
+		if ($NtResponse eq $ourResponse) {
+			return MOD_RES_ACK;
+		}
+
 	}
 
 	return MOD_RES_SKIP;
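Review bot: A response that does not match falls out of both the MSCHAPv1 and MSCHAPv2 branches to the unchanged `return MOD_RES_SKIP;`, whereas mod_auth_chap.pm returns `MOD_RES_NACK` on a mismatch. The caller's handling of SKIP is not visible here, but if it means "not handled by this module", a wrong MS-CHAP response is never recorded as a rejection; consider adding `return MOD_RES_NACK;` after each failed `$NtResponse eq $ourResponse` check. The three `LOG_NOTICE` messages added in this file are tagged `[MOD_AUTH_CHAP]` and should read `[MOD_AUTH_MSCHAP]` so a failure can be traced to the right module. The packet-supplied response is also sliced with `substr($response,24,24)` without a length check, so a short attribute produces an undef warning instead of a logged rejection. `authenticate` starts before this hunk and its closing brace is past the end of it.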
-- 
GitLab