/*

 * iSCSI Authorization Library

 *

 * maintained by open-iscsi@@googlegroups.com

 *

 * Originally based on:

 * Copyright (C) 2001 Cisco Systems, Inc.

 *

 * This program is free software; you can redistribute it and/or modify

 * it under the terms of the GNU General Public License as published

 * by the Free Software Foundation; either version 2 of the License, or

 * (at your option) any later version.

 *

 * This program is distributed in the hope that it will be useful, but

 * WITHOUT ANY WARRANTY; without even the implied warranty of

 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU

 * General Public License for more details.

 *

 * This file implements the iSCSI CHAP authentication method based on

 * RFC 3720.  The code in this file is meant to be common for both kernel and

 * user level and makes use of only limited  library  functions, presently only

 * string.h. Routines specific to kernel, user level are implemented in

 * separate files under the appropriate directories.

 * This code in this files assumes a single thread of execution

 * for each iscsi_acl structure, and does no locking.

 */

#include <stdio.h>

#include <stdlib.h>

#include <string.h>

#include <unistd.h>

#include <fcntl.h>

#include "sysdeps.h"

#include "auth.h"

#include "initiator.h"

#include "log.h"

static const char acl_hexstring[] = "0123456789abcdefABCDEF";

static const char acl_base64_string[] =

    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

static const char acl_authmethod_set_chap_alg_list[] = "CHAP";

static const char acl_reject_option_name[] = "Reject";

#include <openssl/evp.h>

#include <openssl/rand.h>

static int auth_hash_init(EVP_MD_CTX **context, int chap_alg);

static void auth_hash_update(EVP_MD_CTX *context, unsigned char *md, unsigned int);

static unsigned int auth_hash_final(unsigned char *, EVP_MD_CTX *context);

size_t strlcpy(char *, const char *, size_t);

size_t strlcat(char *, const char *, size_t);

enum auth_dbg_status

acl_chap_compute_rsp(struct iscsi_acl *client, int rmt_auth, unsigned int id,

		     unsigned char *challenge_data,

		     unsigned int challenge_length,

		     unsigned char *response_data)

{

	unsigned char id_data[1];

	EVP_MD_CTX *context = NULL;

	unsigned char out_data[AUTH_STR_MAX_LEN];

	unsigned int out_length = AUTH_STR_MAX_LEN;

	if (!client->passwd_present)

		return AUTH_DBG_STATUS_LOCAL_PASSWD_NOT_SET;

	if (auth_hash_init(&context, client->negotiated_chap_alg) != 0)

		return AUTH_DBG_STATUS_AUTH_FAIL;

	/* id byte */

	id_data[0] = id;

	auth_hash_update(context, id_data, 1);

	/* decrypt password */

	if (acl_data(out_data, &out_length, client->passwd_data,

		     client->passwd_length))

		return AUTH_DBG_STATUS_PASSWD_DECRYPT_FAILED;

	if (!rmt_auth && !client->ip_sec && out_length < 12)

		return AUTH_DBG_STATUS_PASSWD_TOO_SHORT_WITH_NO_IPSEC;

	/* shared secret */

	auth_hash_update(context, out_data, out_length);

	/* clear decrypted password */

	memset(out_data, 0, AUTH_STR_MAX_LEN);

	/* challenge value */

	auth_hash_update(context, challenge_data, challenge_length);

	auth_hash_final(response_data, context);

	return AUTH_DBG_STATUS_NOT_SET;	/* no error */

}

/*

 * Authenticate a target's CHAP response.

 */

int

acl_chap_auth_request(struct iscsi_acl *client, char *username, unsigned int id,

		      unsigned char *challenge_data,

		      unsigned int challenge_length,

		      unsigned char *response_data,

		      unsigned int rsp_length)

{

	iscsi_session_t *session = client->session_handle;

	EVP_MD_CTX *context = NULL;

	unsigned char verify_data[client->chap_challenge_len];

	/* the expected credentials are in the session */

	if (session->username_in == NULL) {

		log_error("failing authentication, no incoming username "

			  "configured to authenticate target %s",

			  session->target_name);

		return AUTH_STATUS_FAIL;

	}

	if (strcmp(username, session->username_in) != 0) {

		log_error("failing authentication, received incorrect "

			  "username from target %s", session->target_name);

		return AUTH_STATUS_FAIL;

	}

	if ((session->password_in_length < 1) ||

	    (session->password_in == NULL) ||

	    (session->password_in[0] == '\0')) {

		log_error("failing authentication, no incoming password "

		       "configured to authenticate target %s",

		       session->target_name);

		return AUTH_STATUS_FAIL;

	}

	/* challenge length is I->T, and shouldn't need to be checked */

	if (rsp_length != sizeof(verify_data)) {

		log_error("failing authentication, received incorrect "

			  "CHAP response length %u from target %s",

			  rsp_length, session->target_name);

		return AUTH_STATUS_FAIL;

	}

	if (auth_hash_init(&context, client->negotiated_chap_alg) != 0)

		return AUTH_STATUS_FAIL;

	/* id byte */

	verify_data[0] = id;

	auth_hash_update(context, verify_data, 1);

	/* shared secret */

	auth_hash_update(context, (unsigned char *)session->password_in,

			session->password_in_length);

	/* challenge value */

	auth_hash_update(context, (unsigned char *)challenge_data,

			challenge_length);

	auth_hash_final(verify_data, context);

	if (memcmp(response_data, verify_data, sizeof(verify_data)) == 0) {

		log_debug(1, "initiator authenticated target %s",

			  session->target_name);

		return AUTH_STATUS_PASS;

	}

	log_error("failing authentication, received incorrect CHAP "

		  "response from target %s", session->target_name);

	return AUTH_STATUS_FAIL;

}

static int auth_hash_init(EVP_MD_CTX **context, int chap_alg) {

	const EVP_MD *digest = NULL;

	*context = EVP_MD_CTX_new();

	int rc;

	switch (chap_alg) {

	case AUTH_CHAP_ALG_MD5:

		digest = EVP_md5();

		break;

	case AUTH_CHAP_ALG_SHA1:

		digest = EVP_sha1();

		break;

	case AUTH_CHAP_ALG_SHA256:

		digest = EVP_sha256();

		break;

	case AUTH_CHAP_ALG_SHA3_256:

		digest = EVP_sha3_256();

		break;

	}

	if (*context == NULL)

		goto fail_context;

	if (digest == NULL)

		goto fail_digest;

	rc = EVP_DigestInit_ex(*context, digest, NULL);

	if (!rc)

		goto fail_init;

	return 0;

fail_init:

fail_digest:

	EVP_MD_CTX_free(*context);

	*context = NULL;

fail_context:

	return -1;

}

static void auth_hash_update(EVP_MD_CTX *context, unsigned char *data, unsigned int length) {

	EVP_DigestUpdate(context, data, length);

}

static unsigned int auth_hash_final(unsigned char *hash, EVP_MD_CTX *context) {

	unsigned int md_len;

	EVP_DigestFinal_ex(context, hash, &md_len);

	EVP_MD_CTX_free(context);

	context = NULL;

	return md_len;

}

static const char acl_none_option_name[] = "None";

static int

acl_text_to_number(const char *text, unsigned long *num)

{

	char *end;

	unsigned long number;

	if (text[0] == '0' && (text[1] == 'x' || text[1] == 'X'))

		number = strtoul(text + 2, &end, 16);

	else

		number = strtoul(text, &end, 10);

	if (*text != '\0' && *end == '\0') {

		*num = number;

		return 0;	/* No error */

	} else

		return 1;	/* Error */

}

static int

acl_chk_string(const char *s, unsigned int max_len, unsigned int *out_len)

{

	unsigned int len;

	if (!s)

		return 1;

	for (len = 0; len < max_len; len++)

		if (*s++ == '\0') {

			if (out_len)

				*out_len = len;

			return 0;

		}

	return 1;

}

static int

acl_str_index(const char *s, int c)

{

	char *str = strchr(s, c);

	if (str)

		return (str - s);

	else

		return -1;

}

static int

acl_chk_auth_mthd_optn(int val)

{

	if (val == AUTH_OPTION_NONE || val == AUTH_METHOD_CHAP)

		return 0;

	return 1;

}

static const char *

acl_authmethod_optn_to_text(int value)

{

	const char *s;

	switch (value) {

	case AUTH_OPTION_REJECT:

		s = acl_reject_option_name;

		break;

	case AUTH_OPTION_NONE:

		s = acl_none_option_name;

		break;

	case AUTH_METHOD_CHAP:

		s = acl_authmethod_set_chap_alg_list;

		break;

	default:

		s = NULL;

	}

	return s;

}

static int

acl_chk_chap_alg_optn(int chap_algorithm)

{

	if (chap_algorithm == AUTH_OPTION_NONE ||

	    chap_algorithm == AUTH_CHAP_ALG_SHA3_256 ||

	    chap_algorithm == AUTH_CHAP_ALG_SHA256 ||

	    chap_algorithm == AUTH_CHAP_ALG_SHA1 ||

	    chap_algorithm == AUTH_CHAP_ALG_MD5)

		return 0;

	return 1;

}

static int

acl_data_to_text(unsigned char *data, unsigned int data_length, char *text,

		 unsigned int text_length)

{

	unsigned long n;

	if (!text || text_length == 0)

		return 1;

	if (!data || data_length == 0) {

		*text = '\0';

		return 1;

	}

	if (text_length < 3) {

		*text = '\0';

		return 1;

	}

	*text++ = '0';

	*text++ = 'x';

	text_length -= 2;

	while (data_length > 0) {

		if (text_length < 3) {

			*text = '\0';

			return 1;

		}

		n = *data++;

		data_length--;

		*text++ = acl_hexstring[(n >> 4) & 0xf];

		*text++ = acl_hexstring[n & 0xf];

		text_length -= 2;

	}

	*text = '\0';

	return 0;

}

static int

acl_hex_to_data(const char *text, unsigned int text_length, unsigned char *data,

		unsigned int *data_lenp)

{

	int i;

	unsigned int n1;

	unsigned int n2;

	unsigned int data_length = *data_lenp;

	if ((text_length % 2) == 1) {

		i = acl_str_index(acl_hexstring, *text++);

		if (i < 0)

			return 1;	/* error, bad character */

		if (i > 15)

			i -= 6;

		n2 = i;

		if (data_length < 1)

			return 1;	/* error, too much data */

		*data++ = n2;

		data_length--;

	}

	while (*text != '\0') {

		i = acl_str_index(acl_hexstring, *text++);

		if (i < 0)

			return 1;	/* error, bad character */

		if (i > 15)

			i -= 6;

		n1 = i;

		if (*text == '\0')

			return 1;	/* error, odd string length */

		i = acl_str_index(acl_hexstring, *text++);

		if (i < 0)

			return 1;	/* error, bad character */

		if (i > 15)

			i -= 6;

		n2 = i;

		if (data_length < 1)

			return 1;	/* error, too much data */

		*data++ = (n1 << 4) | n2;

		data_length--;

	}

	if (data_length >= *data_lenp)

		return 1;	/* error, no data */

	*data_lenp = *data_lenp - data_length;

	return 0;		/* no error */

}

static int

acl_base64_to_data(const char *text, unsigned char *data,

		   unsigned int *data_lenp)

{

	int i;

	unsigned int n;

	unsigned int count;

	unsigned int data_length = *data_lenp;

	n = 0;

	count = 0;

	while (*text != '\0' && *text != '=') {

		i = acl_str_index(acl_base64_string, *text++);

		if (i < 0)

			return 1;	/* error, bad character */

		n = (n << 6 | (unsigned int)i);

		count++;

		if (count >= 4) {

			if (data_length < 3)

				return 1;	/* error, too much data */

			*data++ = n >> 16;

			*data++ = n >> 8;

			*data++ = n;

			data_length -= 3;

			n = 0;

			count = 0;

		}

	}

	while (*text != '\0')

		if (*text++ != '=')

			return 1;	/* error, bad pad */

	if (count == 0) {

		/* do nothing */

	} else if (count == 2) {

		if (data_length < 1)

			return 1;	/* error, too much data */

		n = n >> 4;

		*data++ = n;

		data_length--;

	} else if (count == 3) {

		if (data_length < 2)

			return 1;	/* error, too much data */

		n = n >> 2;

		*data++ = n >> 8;

		*data++ = n;

		data_length -= 2;

	} else

		return 1;	/* bad encoding */

	if (data_length >= *data_lenp)

		return 1;	/* error, no data */

	*data_lenp = *data_lenp - data_length;

	return 0;		/* no error */

}

static int

acl_text_to_data(const char *text, unsigned char *data,

		 unsigned int *data_length)

{

	int status;

	unsigned int text_length;

	status = acl_chk_string(text, 2 + 2 * AUTH_LARGE_BINARY_MAX_LEN + 1,

				&text_length);

	if (status)

		return status;

	if (text[0] == '0' && (text[1] == 'x' || text[1] == 'X')) {

		/* skip prefix */

		text += 2;

		text_length -= 2;

		status = acl_hex_to_data(text, text_length, data, data_length);

	} else if (text[0] == '0' && (text[1] == 'b' || text[1] == 'B')) {

		/* skip prefix */

		text += 2;

		text_length -= 2;

		status = acl_base64_to_data(text, data, data_length);

	} else

		status = 1;	/* prefix not recognized. */

	return status;

}

static void

acl_init_key_blk(struct auth_key_block *key_blk)

{

	char *str_block = key_blk->str_block;

	memset(key_blk, 0, sizeof(*key_blk));

	key_blk->str_block = str_block;

}

static void

acl_set_key_value(struct auth_key_block *key_blk, int key_type,

		  const char *key_val)

{

	unsigned int length;

	char *string;

	if (key_blk->key[key_type].value_set) {

		key_blk->dup_set = 1;

		return;

	}

	key_blk->key[key_type].value_set = 1;

	if (!key_val)

		return;

	if (acl_chk_string(key_val, AUTH_STR_MAX_LEN, &length)) {

		key_blk->str_too_long = 1;

		return;

	}

	length += 1;

	if ((key_blk->blk_length + length) > AUTH_STR_BLOCK_MAX_LEN) {

		key_blk->too_much_data = 1;

		return;

	}

	string = &key_blk->str_block[key_blk->blk_length];

	if (strlcpy(string, key_val, length) >= length) {

		key_blk->too_much_data = 1;

		return;

	}

	key_blk->blk_length += length;

	key_blk->key[key_type].string = string;

	key_blk->key[key_type].present = 1;

}

static const char *

acl_get_key_val(struct auth_key_block *key_blk, int key_type)

{

	key_blk->key[key_type].processed = 1;

	if (!key_blk->key[key_type].present)

		return NULL;

	return key_blk->key[key_type].string;

}

static void

acl_chk_key(struct iscsi_acl *client, int key_type, int *negotiated_option,

	    unsigned int option_count, int *option_list,

	    const char *(*value_to_text) (int))

{

	const char *key_val;

	int length;

	unsigned int i;

	key_val = acl_get_key_val(&client->recv_key_block, key_type);

	if (!key_val) {

		*negotiated_option = AUTH_OPTION_NOT_PRESENT;

		return;

	}

	while (*key_val != '\0') {

		length = 0;

		while (*key_val != '\0' && *key_val != ',')

			client->scratch_key_value[length++] = *key_val++;

		if (*key_val == ',')

			key_val++;

		client->scratch_key_value[length++] = '\0';

		for (i = 0; i < option_count; i++) {

			const char *s = (*value_to_text)(option_list[i]);

			if (!s)

				continue;

			if (strcmp(client->scratch_key_value, s) == 0) {

				*negotiated_option = option_list[i];

				return;

			}

		}

	}

	*negotiated_option = AUTH_OPTION_REJECT;

}

static void

acl_set_key(struct iscsi_acl *client, int key_type, unsigned int option_count,

	    int *option_list, const char *(*value_to_text)(int))

{

	unsigned int i;

	if (option_count == 0) {

		/*

		 * No valid options to send, but we always want to

		 * send something.

		 */

		acl_set_key_value(&client->send_key_block, key_type,

				  acl_none_option_name);

		return;

	}

	if (option_count == 1 && option_list[0] == AUTH_OPTION_NOT_PRESENT) {

		acl_set_key_value(&client->send_key_block, key_type, NULL);

		return;

	}

	for (i = 0; i < option_count; i++) {

		const char *s = (*value_to_text)(option_list[i]);

		if (!s)

			continue;

		if (i == 0)

			strlcpy(client->scratch_key_value, s,

				   AUTH_STR_MAX_LEN);

		else {

			strlcat(client->scratch_key_value, ",",

				   AUTH_STR_MAX_LEN);

			strlcat(client->scratch_key_value, s,

				   AUTH_STR_MAX_LEN);

		}

	}

	acl_set_key_value(&client->send_key_block, key_type,

			  client->scratch_key_value);

}

static void

acl_chk_auth_method_key(struct iscsi_acl *client)

{

	acl_chk_key(client, AUTH_KEY_TYPE_AUTH_METHOD,

		    &client->negotiated_auth_method,

		    client->auth_method_valid_count,

		    client->auth_method_valid_list,

		    acl_authmethod_optn_to_text);

}

static void

acl_set_auth_method_key(struct iscsi_acl *client,

			unsigned int auth_method_count, int *auth_method_list)

{

	acl_set_key(client, AUTH_KEY_TYPE_AUTH_METHOD, auth_method_count,

		    auth_method_list, acl_authmethod_optn_to_text);

}

static void

acl_chk_chap_alg_key(struct iscsi_acl *client)

{

	const char *key_val;

	int length;

	unsigned long number;

	unsigned int i;

	key_val = acl_get_key_val(&client->recv_key_block,

				  AUTH_KEY_TYPE_CHAP_ALG);

	if (!key_val) {

		client->negotiated_chap_alg = AUTH_OPTION_NOT_PRESENT;

		return;

	}

	while (*key_val != '\0') {

		length = 0;

		while (*key_val != '\0' && *key_val != ',')

			client->scratch_key_value[length++] = *key_val++;

		if (*key_val == ',')

			key_val++;

		client->scratch_key_value[length++] = '\0';

		if (acl_text_to_number(client->scratch_key_value, &number))

			continue;

		for (i = 0; i < client->chap_alg_count; i++)

			if (number == (unsigned long)client->chap_alg_list[i])

			{

				client->negotiated_chap_alg = number;

				switch (number) {

				case AUTH_CHAP_ALG_MD5:

					client->chap_challenge_len = AUTH_CHAP_MD5_RSP_LEN;

					break;

				case AUTH_CHAP_ALG_SHA1:

					client->chap_challenge_len = AUTH_CHAP_SHA1_RSP_LEN;

					break;

				case AUTH_CHAP_ALG_SHA256:

					client->chap_challenge_len = AUTH_CHAP_SHA256_RSP_LEN;

					break;

				case AUTH_CHAP_ALG_SHA3_256:

					client->chap_challenge_len = AUTH_CHAP_SHA3_256_RSP_LEN;

					break;

				}

				return;

			}

	}

	client->negotiated_chap_alg = AUTH_OPTION_REJECT;

}

static void

acl_set_chap_alg_key(struct iscsi_acl *client, unsigned int chap_alg_count,

		     int *chap_alg_list)

{

	unsigned int i;

	if (chap_alg_count == 0) {

		acl_set_key_value(&client->send_key_block,

				  AUTH_KEY_TYPE_CHAP_ALG, NULL);

		return;

	}

	if (chap_alg_count == 1 &&

	    chap_alg_list[0] == AUTH_OPTION_NOT_PRESENT) {

		acl_set_key_value(&client->send_key_block,

				  AUTH_KEY_TYPE_CHAP_ALG, NULL);

		return;

	}

	if (chap_alg_count == 1 && chap_alg_list[0] == AUTH_OPTION_REJECT) {

		acl_set_key_value(&client->send_key_block,

				  AUTH_KEY_TYPE_CHAP_ALG,

				  acl_reject_option_name);

		return;

	}

	for (i = 0; i < chap_alg_count; i++) {

		char s[20];

		snprintf(s, sizeof(s), "%lu",(unsigned long)chap_alg_list[i]);

		if (i == 0)

			strlcpy(client->scratch_key_value, s,

				   AUTH_STR_MAX_LEN);

		 else {

			strlcat(client->scratch_key_value, ",",

				   AUTH_STR_MAX_LEN);

			strlcat(client->scratch_key_value, s,

				   AUTH_STR_MAX_LEN);

		}

	}

	acl_set_key_value(&client->send_key_block, AUTH_KEY_TYPE_CHAP_ALG,

			  client->scratch_key_value);

}

static void

acl_next_phase(struct iscsi_acl *client)

{

	switch (client->phase) {

	case AUTH_PHASE_CONFIGURE:

		client->phase = AUTH_PHASE_NEGOTIATE;

		break;

	case AUTH_PHASE_NEGOTIATE:

		client->phase = AUTH_PHASE_AUTHENTICATE;

		if (client->negotiated_auth_method == AUTH_OPTION_REJECT ||

		    client->negotiated_auth_method == AUTH_OPTION_NOT_PRESENT ||

		    client->negotiated_auth_method == AUTH_OPTION_NONE) {

			client->local_state = AUTH_LOCAL_STATE_DONE;

			client->rmt_state = AUTH_RMT_STATE_DONE;

			if (client->auth_rmt) {

				client->rmt_auth_status = AUTH_STATUS_FAIL;

				client->phase = AUTH_PHASE_DONE;

			} else

				client->rmt_auth_status = AUTH_STATUS_PASS;

			switch (client->negotiated_auth_method) {

			case AUTH_OPTION_REJECT:

				client->dbg_status =

				    AUTH_DBG_STATUS_AUTH_METHOD_REJECT;

				break;

			case AUTH_OPTION_NOT_PRESENT:

				client->dbg_status =

				    AUTH_DBG_STATUS_AUTH_METHOD_NOT_PRESENT;

				break;

			case AUTH_OPTION_NONE:

				client->dbg_status =

				    AUTH_DBG_STATUS_AUTH_METHOD_NONE;

			}

		} else if (client->negotiated_auth_method == AUTH_METHOD_CHAP) {

			client->local_state = AUTH_LOCAL_STATE_SEND_ALG;

			client->rmt_state = AUTH_RMT_STATE_SEND_ALG;

		} else {

			client->local_state = AUTH_LOCAL_STATE_DONE;

			client->rmt_state = AUTH_RMT_STATE_DONE;

			client->rmt_auth_status = AUTH_STATUS_FAIL;

			client->dbg_status = AUTH_DBG_STATUS_AUTH_METHOD_BAD;

		}

		break;

	case AUTH_PHASE_AUTHENTICATE:

		client->phase = AUTH_PHASE_DONE;

		break;

	case AUTH_PHASE_DONE:

	case AUTH_PHASE_ERROR:

	default:

		client->phase = AUTH_PHASE_ERROR;

	}

}

static void

acl_local_auth(struct iscsi_acl *client)

{

	unsigned int chap_identifier;

	unsigned char response_data[AUTH_CHAP_RSP_MAX];

	unsigned long number;

	int status;

	enum auth_dbg_status dbg_status;

	const char *chap_identifier_key_val;

	const char *chap_challenge_key_val;

	switch (client->local_state) {

	case AUTH_LOCAL_STATE_SEND_ALG:

		if (client->node_type == TYPE_INITIATOR) {

			acl_set_chap_alg_key(client, client->chap_alg_count,

					     client->chap_alg_list);

			client->local_state = AUTH_LOCAL_STATE_RECV_ALG;

			break;

		}

		/* Fall through */

	case AUTH_LOCAL_STATE_RECV_ALG:

		acl_chk_chap_alg_key(client);

		if (client->node_type == TYPE_TARGET)

			acl_set_chap_alg_key(client, 1,

					     &client->negotiated_chap_alg);

		/* Make sure only supported CHAP algorithm is used. */

		if (client->negotiated_chap_alg == AUTH_OPTION_NOT_PRESENT) {

			client->local_state = AUTH_LOCAL_STATE_ERROR;

			client->dbg_status = AUTH_DBG_STATUS_CHAP_ALG_EXPECTED;

			break;

		} else if (client->negotiated_chap_alg == AUTH_OPTION_REJECT) {

			client->local_state = AUTH_LOCAL_STATE_ERROR;

			client->dbg_status = AUTH_DBG_STATUS_CHAP_ALG_REJECT;

			break;

		} else if ((client->negotiated_chap_alg != AUTH_CHAP_ALG_SHA3_256) &&

			   (client->negotiated_chap_alg != AUTH_CHAP_ALG_SHA256) &&

			   (client->negotiated_chap_alg != AUTH_CHAP_ALG_SHA1) &&

			   (client->negotiated_chap_alg != AUTH_CHAP_ALG_MD5)) {

			client->local_state = AUTH_LOCAL_STATE_ERROR;

			client->dbg_status = AUTH_DBG_STATUS_CHAP_ALG_BAD;

			break;

		}

		if (client->node_type == TYPE_TARGET) {

			client->local_state = AUTH_LOCAL_STATE_RECV_CHALLENGE;

			break;

		}

		/* Fall through */

	case AUTH_LOCAL_STATE_RECV_CHALLENGE:

		chap_identifier_key_val = acl_get_key_val(&client->recv_key_block,