git: 7e971892dfc5 - main - ppp: Permit CHAP challenges up to 255 bytes
Date: Wed, 10 Jun 2026 13:52:32 UTC
The branch main has been updated by jhb:
URL: https://cgit.FreeBSD.org/src/commit/?id=7e971892dfc5aac20bd62be7817941dbaed55f42
commit 7e971892dfc5aac20bd62be7817941dbaed55f42
Author: John Baldwin <jhb@FreeBSD.org>
AuthorDate: 2026-06-10 13:44:10 +0000
Commit: John Baldwin <jhb@FreeBSD.org>
CommitDate: 2026-06-10 13:44:10 +0000
ppp: Permit CHAP challenges up to 255 bytes
RFC 1994 does not place any limit on the length of the value field in
challenge messages except that the length is a single octet which
bounds the maximum length to 255.
NB: I'm not sure why the local[] and peer[] arrays contain room for an
authentication name (AUTHLEN) in addition to a challenge value/response,
but I've just left that in place.
PR: 271955
Reported by: Robert Morris <rtm@lcs.mit.edu>
Reviewed by: des
Differential Revision: https://reviews.freebsd.org/D57138
---
usr.sbin/ppp/chap.c | 4 ++--
usr.sbin/ppp/chap.h | 4 ++--
usr.sbin/ppp/defs.h | 2 +-
3 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/usr.sbin/ppp/chap.c b/usr.sbin/ppp/chap.c
index 9cefa6db71ce..1129aa7fb2a3 100644
--- a/usr.sbin/ppp/chap.c
+++ b/usr.sbin/ppp/chap.c
@@ -238,7 +238,7 @@ chap_BuildAnswer(char *name, char *key, u_char id, char *challenge
MD5Init(&MD5context);
MD5Update(&MD5context, &id, 1);
MD5Update(&MD5context, key, klen);
- MD5Update(&MD5context, challenge + 1, *challenge);
+ MD5Update(&MD5context, challenge + 1, (u_char)*challenge);
MD5Final(digest, &MD5context);
memcpy(digest + 16, name, nlen);
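Review bot: The length octet in chap_BuildAnswer is still read through a `char *`, so the `(u_char)` cast on the third MD5Update call is the only thing that keeps a challenge length of 128 or more from being sign-extended into a very large length where char is signed. The same holds for `(u_char)*myans` in the chap_Input hunk. Any other read of `*challenge` or `*myans` in chap.c would need the same cast; none is visible in these hunks, so that is worth checking in the full file. I would add a comment above the call, `/* challenge[0] is the value length; read it as unsigned (RFC 1994 allows up to 255) */`, or read the octet once into a `u_char` local. chap_BuildAnswer's body starts and ends outside the hunk.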
@@ -913,7 +913,7 @@ chap_Input(struct bundle *bundle, struct link *l, struct mbuf *bp)
if (myans == NULL)
key = NULL;
else {
- if (!chap_Cmp(myans + 1, *myans, ans + 1, alen
+ if (!chap_Cmp(myans + 1, (u_char)*myans, ans + 1, alen
#ifndef NODES
, p->link.lcp.want_authtype, lanman
#endif
diff --git a/usr.sbin/ppp/chap.h b/usr.sbin/ppp/chap.h
index f697167ab165..993ed3f060f7 100644
--- a/usr.sbin/ppp/chap.h
+++ b/usr.sbin/ppp/chap.h
@@ -48,8 +48,8 @@ struct chap {
} child;
struct authinfo auth;
struct {
- u_char local[CHAPCHALLENGELEN + AUTHLEN]; /* I invented this one */
- u_char peer[CHAPCHALLENGELEN + AUTHLEN]; /* Peer gave us this one */
+ u_char local[CHAPCHALLENGELEN + 1 + AUTHLEN]; /* I invented this one */
+ u_char peer[CHAPCHALLENGELEN + 1 + AUTHLEN]; /* Peer gave us this one */
} challenge;
#ifndef NODES
unsigned NTRespSent : 1; /* Our last response */
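Review bot: Nothing on `local[]` and `peer[]` says what the added `+ 1` is for; it appears to be the length octet stored in front of the value, going by the `challenge + 1, *challenge` reads in chap.c. A comment on the inner struct such as `/* [0] = value length, [1..] = value; the +1 is the length octet */` would document the layout. The code that copies a received challenge into `peer[]` is not in this diff, so it is worth confirming that it bounds the copy by the array's `sizeof` and not by a separately hard-coded size. struct chap starts and ends outside the hunk.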
diff --git a/usr.sbin/ppp/defs.h b/usr.sbin/ppp/defs.h
index c76cbd8ad9cb..31f2577a6c23 100644
--- a/usr.sbin/ppp/defs.h
+++ b/usr.sbin/ppp/defs.h
@@ -58,7 +58,7 @@
#define DEVICE_LEN SCRIPT_LEN /* Size of individual devices */
#define AUTHLEN 100 /* Size of authname/authkey */
#define CHAPDIGESTLEN 100 /* Maximum chap digest */
-#define CHAPCHALLENGELEN 48 /* Maximum chap challenge */
+#define CHAPCHALLENGELEN 255 /* Maximum chap challenge */
#define CHAPAUTHRESPONSELEN 48 /* Maximum chap authresponse (chap81) */
#define MAXARGS 40 /* How many args per config line */
#define NCP_IDLE_TIMEOUT 180 /* Drop all links */
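Review bot: `CHAPCHALLENGELEN` now sits at the ceiling of the one-octet length field, and nothing in defs.h stops a later edit from raising it past 255, where the stored length byte would truncate. A compile-time check next to the arrays that use it, `_Static_assert(CHAPCHALLENGELEN <= 255, "CHAP value length is one octet");`, would pin that. The comment could also name where the limit comes from: `/* Maximum chap challenge (RFC 1994 one-octet length) */`. Any other buffer sized by this macro grows from 48 to 255 bytes; those uses are outside this diff.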