NetServices Stack source

Dependents:   HelloWorld ServoInterfaceBoardExample1 4180_Lab4

Committer:
donatien
Date:
Fri Jun 11 16:05:15 2010 +0000
Revision:
0:632c9925f013
Child:
4:fd826cad83c0

        

Who changed what in which revision?

UserRevisionLine numberNew contents of line
donatien 0:632c9925f013 1 /*****************************************************************************
donatien 0:632c9925f013 2 * auth.c - Network Authentication and Phase Control program file.
donatien 0:632c9925f013 3 *
donatien 0:632c9925f013 4 * Copyright (c) 2003 by Marc Boucher, Services Informatiques (MBSI) inc.
donatien 0:632c9925f013 5 * Copyright (c) 1997 by Global Election Systems Inc. All rights reserved.
donatien 0:632c9925f013 6 *
donatien 0:632c9925f013 7 * The authors hereby grant permission to use, copy, modify, distribute,
donatien 0:632c9925f013 8 * and license this software and its documentation for any purpose, provided
donatien 0:632c9925f013 9 * that existing copyright notices are retained in all copies and that this
donatien 0:632c9925f013 10 * notice and the following disclaimer are included verbatim in any
donatien 0:632c9925f013 11 * distributions. No written agreement, license, or royalty fee is required
donatien 0:632c9925f013 12 * for any of the authorized uses.
donatien 0:632c9925f013 13 *
donatien 0:632c9925f013 14 * THIS SOFTWARE IS PROVIDED BY THE CONTRIBUTORS *AS IS* AND ANY EXPRESS OR
donatien 0:632c9925f013 15 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
donatien 0:632c9925f013 16 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
donatien 0:632c9925f013 17 * IN NO EVENT SHALL THE CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
donatien 0:632c9925f013 18 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
donatien 0:632c9925f013 19 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
donatien 0:632c9925f013 20 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
donatien 0:632c9925f013 21 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
donatien 0:632c9925f013 22 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
donatien 0:632c9925f013 23 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
donatien 0:632c9925f013 24 *
donatien 0:632c9925f013 25 ******************************************************************************
donatien 0:632c9925f013 26 * REVISION HISTORY
donatien 0:632c9925f013 27 *
donatien 0:632c9925f013 28 * 03-01-01 Marc Boucher <marc@mbsi.ca>
donatien 0:632c9925f013 29 * Ported to lwIP.
donatien 0:632c9925f013 30 * 97-12-08 Guy Lancaster <lancasterg@acm.org>, Global Election Systems Inc.
donatien 0:632c9925f013 31 * Ported from public pppd code.
donatien 0:632c9925f013 32 *****************************************************************************/
donatien 0:632c9925f013 33 /*
donatien 0:632c9925f013 34 * auth.c - PPP authentication and phase control.
donatien 0:632c9925f013 35 *
donatien 0:632c9925f013 36 * Copyright (c) 1993 The Australian National University.
donatien 0:632c9925f013 37 * All rights reserved.
donatien 0:632c9925f013 38 *
donatien 0:632c9925f013 39 * Redistribution and use in source and binary forms are permitted
donatien 0:632c9925f013 40 * provided that the above copyright notice and this paragraph are
donatien 0:632c9925f013 41 * duplicated in all such forms and that any documentation,
donatien 0:632c9925f013 42 * advertising materials, and other materials related to such
donatien 0:632c9925f013 43 * distribution and use acknowledge that the software was developed
donatien 0:632c9925f013 44 * by the Australian National University. The name of the University
donatien 0:632c9925f013 45 * may not be used to endorse or promote products derived from this
donatien 0:632c9925f013 46 * software without specific prior written permission.
donatien 0:632c9925f013 47 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
donatien 0:632c9925f013 48 * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
donatien 0:632c9925f013 49 * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
donatien 0:632c9925f013 50 *
donatien 0:632c9925f013 51 * Copyright (c) 1989 Carnegie Mellon University.
donatien 0:632c9925f013 52 * All rights reserved.
donatien 0:632c9925f013 53 *
donatien 0:632c9925f013 54 * Redistribution and use in source and binary forms are permitted
donatien 0:632c9925f013 55 * provided that the above copyright notice and this paragraph are
donatien 0:632c9925f013 56 * duplicated in all such forms and that any documentation,
donatien 0:632c9925f013 57 * advertising materials, and other materials related to such
donatien 0:632c9925f013 58 * distribution and use acknowledge that the software was developed
donatien 0:632c9925f013 59 * by Carnegie Mellon University. The name of the
donatien 0:632c9925f013 60 * University may not be used to endorse or promote products derived
donatien 0:632c9925f013 61 * from this software without specific prior written permission.
donatien 0:632c9925f013 62 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
donatien 0:632c9925f013 63 * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
donatien 0:632c9925f013 64 * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
donatien 0:632c9925f013 65 */
donatien 0:632c9925f013 66
donatien 0:632c9925f013 67 #include "lwip/opt.h"
donatien 0:632c9925f013 68
donatien 0:632c9925f013 69 #if PPP_SUPPORT /* don't build if not configured for use in lwipopts.h */
donatien 0:632c9925f013 70
donatien 0:632c9925f013 71 #include "ppp.h"
donatien 0:632c9925f013 72 #include "pppdebug.h"
donatien 0:632c9925f013 73
donatien 0:632c9925f013 74 #include "fsm.h"
donatien 0:632c9925f013 75 #include "lcp.h"
donatien 0:632c9925f013 76 #include "pap.h"
donatien 0:632c9925f013 77 #include "chap.h"
donatien 0:632c9925f013 78 #include "auth.h"
donatien 0:632c9925f013 79 #include "ipcp.h"
donatien 0:632c9925f013 80
donatien 0:632c9925f013 81 #if CBCP_SUPPORT
donatien 0:632c9925f013 82 #include "cbcp.h"
donatien 0:632c9925f013 83 #endif /* CBCP_SUPPORT */
donatien 0:632c9925f013 84
donatien 0:632c9925f013 85 #include "lwip/inet.h"
donatien 0:632c9925f013 86
donatien 0:632c9925f013 87 #include <string.h>
donatien 0:632c9925f013 88
donatien 0:632c9925f013 89 #if 0 /* UNUSED */
donatien 0:632c9925f013 90 /* Bits in scan_authfile return value */
donatien 0:632c9925f013 91 #define NONWILD_SERVER 1
donatien 0:632c9925f013 92 #define NONWILD_CLIENT 2
donatien 0:632c9925f013 93
donatien 0:632c9925f013 94 #define ISWILD(word) (word[0] == '*' && word[1] == 0)
donatien 0:632c9925f013 95 #endif /* UNUSED */
donatien 0:632c9925f013 96
donatien 0:632c9925f013 97 #if PAP_SUPPORT || CHAP_SUPPORT
donatien 0:632c9925f013 98 /* The name by which the peer authenticated itself to us. */
donatien 0:632c9925f013 99 static char peer_authname[MAXNAMELEN];
donatien 0:632c9925f013 100 #endif /* PAP_SUPPORT || CHAP_SUPPORT */
donatien 0:632c9925f013 101
donatien 0:632c9925f013 102 /* Records which authentication operations haven't completed yet. */
donatien 0:632c9925f013 103 static int auth_pending[NUM_PPP];
donatien 0:632c9925f013 104
donatien 0:632c9925f013 105 /* Set if we have successfully called plogin() */
donatien 0:632c9925f013 106 static int logged_in;
donatien 0:632c9925f013 107
donatien 0:632c9925f013 108 /* Set if we have run the /etc/ppp/auth-up script. */
donatien 0:632c9925f013 109 static int did_authup; /* @todo, we don't need this in lwip*/
donatien 0:632c9925f013 110
donatien 0:632c9925f013 111 /* List of addresses which the peer may use. */
donatien 0:632c9925f013 112 static struct wordlist *addresses[NUM_PPP];
donatien 0:632c9925f013 113
donatien 0:632c9925f013 114 #if 0 /* UNUSED */
donatien 0:632c9925f013 115 /* Wordlist giving addresses which the peer may use
donatien 0:632c9925f013 116 without authenticating itself. */
donatien 0:632c9925f013 117 static struct wordlist *noauth_addrs;
donatien 0:632c9925f013 118
donatien 0:632c9925f013 119 /* Extra options to apply, from the secrets file entry for the peer. */
donatien 0:632c9925f013 120 static struct wordlist *extra_options;
donatien 0:632c9925f013 121 #endif /* UNUSED */
donatien 0:632c9925f013 122
donatien 0:632c9925f013 123 /* Number of network protocols which we have opened. */
donatien 0:632c9925f013 124 static int num_np_open;
donatien 0:632c9925f013 125
donatien 0:632c9925f013 126 /* Number of network protocols which have come up. */
donatien 0:632c9925f013 127 static int num_np_up;
donatien 0:632c9925f013 128
donatien 0:632c9925f013 129 #if PAP_SUPPORT || CHAP_SUPPORT
donatien 0:632c9925f013 130 /* Set if we got the contents of passwd[] from the pap-secrets file. */
donatien 0:632c9925f013 131 static int passwd_from_file;
donatien 0:632c9925f013 132 #endif /* PAP_SUPPORT || CHAP_SUPPORT */
donatien 0:632c9925f013 133
donatien 0:632c9925f013 134 #if 0 /* UNUSED */
donatien 0:632c9925f013 135 /* Set if we require authentication only because we have a default route. */
donatien 0:632c9925f013 136 static bool default_auth;
donatien 0:632c9925f013 137
donatien 0:632c9925f013 138 /* Hook to enable a plugin to control the idle time limit */
donatien 0:632c9925f013 139 int (*idle_time_hook) __P((struct ppp_idle *)) = NULL;
donatien 0:632c9925f013 140
donatien 0:632c9925f013 141 /* Hook for a plugin to say whether we can possibly authenticate any peer */
donatien 0:632c9925f013 142 int (*pap_check_hook) __P((void)) = NULL;
donatien 0:632c9925f013 143
donatien 0:632c9925f013 144 /* Hook for a plugin to check the PAP user and password */
donatien 0:632c9925f013 145 int (*pap_auth_hook) __P((char *user, char *passwd, char **msgp,
donatien 0:632c9925f013 146 struct wordlist **paddrs,
donatien 0:632c9925f013 147 struct wordlist **popts)) = NULL;
donatien 0:632c9925f013 148
donatien 0:632c9925f013 149 /* Hook for a plugin to know about the PAP user logout */
donatien 0:632c9925f013 150 void (*pap_logout_hook) __P((void)) = NULL;
donatien 0:632c9925f013 151
donatien 0:632c9925f013 152 /* Hook for a plugin to get the PAP password for authenticating us */
donatien 0:632c9925f013 153 int (*pap_passwd_hook) __P((char *user, char *passwd)) = NULL;
donatien 0:632c9925f013 154
donatien 0:632c9925f013 155 /*
donatien 0:632c9925f013 156 * This is used to ensure that we don't start an auth-up/down
donatien 0:632c9925f013 157 * script while one is already running.
donatien 0:632c9925f013 158 */
donatien 0:632c9925f013 159 enum script_state {
donatien 0:632c9925f013 160 s_down,
donatien 0:632c9925f013 161 s_up
donatien 0:632c9925f013 162 };
donatien 0:632c9925f013 163
donatien 0:632c9925f013 164 static enum script_state auth_state = s_down;
donatien 0:632c9925f013 165 static enum script_state auth_script_state = s_down;
donatien 0:632c9925f013 166 static pid_t auth_script_pid = 0;
donatien 0:632c9925f013 167
donatien 0:632c9925f013 168 /*
donatien 0:632c9925f013 169 * Option variables.
donatien 0:632c9925f013 170 * lwip: some of these are present in the ppp_settings structure
donatien 0:632c9925f013 171 */
donatien 0:632c9925f013 172 bool uselogin = 0; /* Use /etc/passwd for checking PAP */
donatien 0:632c9925f013 173 bool cryptpap = 0; /* Passwords in pap-secrets are encrypted */
donatien 0:632c9925f013 174 bool refuse_pap = 0; /* Don't wanna auth. ourselves with PAP */
donatien 0:632c9925f013 175 bool refuse_chap = 0; /* Don't wanna auth. ourselves with CHAP */
donatien 0:632c9925f013 176 bool usehostname = 0; /* Use hostname for our_name */
donatien 0:632c9925f013 177 bool auth_required = 0; /* Always require authentication from peer */
donatien 0:632c9925f013 178 bool allow_any_ip = 0; /* Allow peer to use any IP address */
donatien 0:632c9925f013 179 bool explicit_remote = 0; /* User specified explicit remote name */
donatien 0:632c9925f013 180 char remote_name[MAXNAMELEN]; /* Peer's name for authentication */
donatien 0:632c9925f013 181
donatien 0:632c9925f013 182 #endif /* UNUSED */
donatien 0:632c9925f013 183
donatien 0:632c9925f013 184 /* Bits in auth_pending[] */
donatien 0:632c9925f013 185 #define PAP_WITHPEER 1
donatien 0:632c9925f013 186 #define PAP_PEER 2
donatien 0:632c9925f013 187 #define CHAP_WITHPEER 4
donatien 0:632c9925f013 188 #define CHAP_PEER 8
donatien 0:632c9925f013 189
donatien 0:632c9925f013 190 /* @todo, move this somewhere */
donatien 0:632c9925f013 191 /* Used for storing a sequence of words. Usually malloced. */
donatien 0:632c9925f013 192 struct wordlist {
donatien 0:632c9925f013 193 struct wordlist *next;
donatien 0:632c9925f013 194 char word[1];
donatien 0:632c9925f013 195 };
donatien 0:632c9925f013 196
donatien 0:632c9925f013 197
donatien 0:632c9925f013 198 extern char *crypt (const char *, const char *);
donatien 0:632c9925f013 199
donatien 0:632c9925f013 200 /* Prototypes for procedures local to this file. */
donatien 0:632c9925f013 201
donatien 0:632c9925f013 202 static void network_phase (int);
donatien 0:632c9925f013 203 static void check_idle (void *);
donatien 0:632c9925f013 204 static void connect_time_expired (void *);
donatien 0:632c9925f013 205 #if 0
donatien 0:632c9925f013 206 static int plogin (char *, char *, char **, int *);
donatien 0:632c9925f013 207 #endif
donatien 0:632c9925f013 208 static void plogout (void);
donatien 0:632c9925f013 209 static int null_login (int);
donatien 0:632c9925f013 210 static int get_pap_passwd (int, char *, char *);
donatien 0:632c9925f013 211 static int have_pap_secret (void);
donatien 0:632c9925f013 212 static int have_chap_secret (char *, char *, u32_t);
donatien 0:632c9925f013 213 static int ip_addr_check (u32_t, struct wordlist *);
donatien 0:632c9925f013 214
donatien 0:632c9925f013 215 #if 0 /* PAP_SUPPORT || CHAP_SUPPORT */
donatien 0:632c9925f013 216 static int scan_authfile (FILE *, char *, char *, char *,
donatien 0:632c9925f013 217 struct wordlist **, struct wordlist **,
donatien 0:632c9925f013 218 char *);
donatien 0:632c9925f013 219 static void free_wordlist (struct wordlist *);
donatien 0:632c9925f013 220 static void auth_script (char *);
donatien 0:632c9925f013 221 static void auth_script_done (void *);
donatien 0:632c9925f013 222 static void set_allowed_addrs (int unit, struct wordlist *addrs);
donatien 0:632c9925f013 223 static int some_ip_ok (struct wordlist *);
donatien 0:632c9925f013 224 static int setupapfile (char **);
donatien 0:632c9925f013 225 static int privgroup (char **);
donatien 0:632c9925f013 226 static int set_noauth_addr (char **);
donatien 0:632c9925f013 227 static void check_access (FILE *, char *);
donatien 0:632c9925f013 228 #endif /* 0 */ /* PAP_SUPPORT || CHAP_SUPPORT */
donatien 0:632c9925f013 229
donatien 0:632c9925f013 230 #if 0 /* UNUSED */
donatien 0:632c9925f013 231 /*
donatien 0:632c9925f013 232 * Authentication-related options.
donatien 0:632c9925f013 233 */
donatien 0:632c9925f013 234 option_t auth_options[] = {
donatien 0:632c9925f013 235 { "require-pap", o_bool, &lcp_wantoptions[0].neg_upap,
donatien 0:632c9925f013 236 "Require PAP authentication from peer", 1, &auth_required },
donatien 0:632c9925f013 237 { "+pap", o_bool, &lcp_wantoptions[0].neg_upap,
donatien 0:632c9925f013 238 "Require PAP authentication from peer", 1, &auth_required },
donatien 0:632c9925f013 239 { "refuse-pap", o_bool, &refuse_pap,
donatien 0:632c9925f013 240 "Don't agree to auth to peer with PAP", 1 },
donatien 0:632c9925f013 241 { "-pap", o_bool, &refuse_pap,
donatien 0:632c9925f013 242 "Don't allow PAP authentication with peer", 1 },
donatien 0:632c9925f013 243 { "require-chap", o_bool, &lcp_wantoptions[0].neg_chap,
donatien 0:632c9925f013 244 "Require CHAP authentication from peer", 1, &auth_required },
donatien 0:632c9925f013 245 { "+chap", o_bool, &lcp_wantoptions[0].neg_chap,
donatien 0:632c9925f013 246 "Require CHAP authentication from peer", 1, &auth_required },
donatien 0:632c9925f013 247 { "refuse-chap", o_bool, &refuse_chap,
donatien 0:632c9925f013 248 "Don't agree to auth to peer with CHAP", 1 },
donatien 0:632c9925f013 249 { "-chap", o_bool, &refuse_chap,
donatien 0:632c9925f013 250 "Don't allow CHAP authentication with peer", 1 },
donatien 0:632c9925f013 251 { "name", o_string, our_name,
donatien 0:632c9925f013 252 "Set local name for authentication",
donatien 0:632c9925f013 253 OPT_PRIV|OPT_STATIC, NULL, MAXNAMELEN },
donatien 0:632c9925f013 254 { "user", o_string, user,
donatien 0:632c9925f013 255 "Set name for auth with peer", OPT_STATIC, NULL, MAXNAMELEN },
donatien 0:632c9925f013 256 { "usehostname", o_bool, &usehostname,
donatien 0:632c9925f013 257 "Must use hostname for authentication", 1 },
donatien 0:632c9925f013 258 { "remotename", o_string, remote_name,
donatien 0:632c9925f013 259 "Set remote name for authentication", OPT_STATIC,
donatien 0:632c9925f013 260 &explicit_remote, MAXNAMELEN },
donatien 0:632c9925f013 261 { "auth", o_bool, &auth_required,
donatien 0:632c9925f013 262 "Require authentication from peer", 1 },
donatien 0:632c9925f013 263 { "noauth", o_bool, &auth_required,
donatien 0:632c9925f013 264 "Don't require peer to authenticate", OPT_PRIV, &allow_any_ip },
donatien 0:632c9925f013 265 { "login", o_bool, &uselogin,
donatien 0:632c9925f013 266 "Use system password database for PAP", 1 },
donatien 0:632c9925f013 267 { "papcrypt", o_bool, &cryptpap,
donatien 0:632c9925f013 268 "PAP passwords are encrypted", 1 },
donatien 0:632c9925f013 269 { "+ua", o_special, (void *)setupapfile,
donatien 0:632c9925f013 270 "Get PAP user and password from file" },
donatien 0:632c9925f013 271 { "password", o_string, passwd,
donatien 0:632c9925f013 272 "Password for authenticating us to the peer", OPT_STATIC,
donatien 0:632c9925f013 273 NULL, MAXSECRETLEN },
donatien 0:632c9925f013 274 { "privgroup", o_special, (void *)privgroup,
donatien 0:632c9925f013 275 "Allow group members to use privileged options", OPT_PRIV },
donatien 0:632c9925f013 276 { "allow-ip", o_special, (void *)set_noauth_addr,
donatien 0:632c9925f013 277 "Set IP address(es) which can be used without authentication",
donatien 0:632c9925f013 278 OPT_PRIV },
donatien 0:632c9925f013 279 { NULL }
donatien 0:632c9925f013 280 };
donatien 0:632c9925f013 281 #endif /* UNUSED */
donatien 0:632c9925f013 282 #if 0 /* UNUSED */
donatien 0:632c9925f013 283 /*
donatien 0:632c9925f013 284 * setupapfile - specifies UPAP info for authenticating with peer.
donatien 0:632c9925f013 285 */
donatien 0:632c9925f013 286 static int
donatien 0:632c9925f013 287 setupapfile(char **argv)
donatien 0:632c9925f013 288 {
donatien 0:632c9925f013 289 FILE * ufile;
donatien 0:632c9925f013 290 int l;
donatien 0:632c9925f013 291
donatien 0:632c9925f013 292 lcp_allowoptions[0].neg_upap = 1;
donatien 0:632c9925f013 293
donatien 0:632c9925f013 294 /* open user info file */
donatien 0:632c9925f013 295 seteuid(getuid());
donatien 0:632c9925f013 296 ufile = fopen(*argv, "r");
donatien 0:632c9925f013 297 seteuid(0);
donatien 0:632c9925f013 298 if (ufile == NULL) {
donatien 0:632c9925f013 299 option_error("unable to open user login data file %s", *argv);
donatien 0:632c9925f013 300 return 0;
donatien 0:632c9925f013 301 }
donatien 0:632c9925f013 302 check_access(ufile, *argv);
donatien 0:632c9925f013 303
donatien 0:632c9925f013 304 /* get username */
donatien 0:632c9925f013 305 if (fgets(user, MAXNAMELEN - 1, ufile) == NULL
donatien 0:632c9925f013 306 || fgets(passwd, MAXSECRETLEN - 1, ufile) == NULL){
donatien 0:632c9925f013 307 option_error("unable to read user login data file %s", *argv);
donatien 0:632c9925f013 308 return 0;
donatien 0:632c9925f013 309 }
donatien 0:632c9925f013 310 fclose(ufile);
donatien 0:632c9925f013 311
donatien 0:632c9925f013 312 /* get rid of newlines */
donatien 0:632c9925f013 313 l = strlen(user);
donatien 0:632c9925f013 314 if (l > 0 && user[l-1] == '\n')
donatien 0:632c9925f013 315 user[l-1] = 0;
donatien 0:632c9925f013 316 l = strlen(passwd);
donatien 0:632c9925f013 317 if (l > 0 && passwd[l-1] == '\n')
donatien 0:632c9925f013 318 passwd[l-1] = 0;
donatien 0:632c9925f013 319
donatien 0:632c9925f013 320 return (1);
donatien 0:632c9925f013 321 }
donatien 0:632c9925f013 322 #endif /* UNUSED */
donatien 0:632c9925f013 323
donatien 0:632c9925f013 324 #if 0 /* UNUSED */
donatien 0:632c9925f013 325 /*
donatien 0:632c9925f013 326 * privgroup - allow members of the group to have privileged access.
donatien 0:632c9925f013 327 */
donatien 0:632c9925f013 328 static int
donatien 0:632c9925f013 329 privgroup(char **argv)
donatien 0:632c9925f013 330 {
donatien 0:632c9925f013 331 struct group *g;
donatien 0:632c9925f013 332 int i;
donatien 0:632c9925f013 333
donatien 0:632c9925f013 334 g = getgrnam(*argv);
donatien 0:632c9925f013 335 if (g == 0) {
donatien 0:632c9925f013 336 option_error("group %s is unknown", *argv);
donatien 0:632c9925f013 337 return 0;
donatien 0:632c9925f013 338 }
donatien 0:632c9925f013 339 for (i = 0; i < ngroups; ++i) {
donatien 0:632c9925f013 340 if (groups[i] == g->gr_gid) {
donatien 0:632c9925f013 341 privileged = 1;
donatien 0:632c9925f013 342 break;
donatien 0:632c9925f013 343 }
donatien 0:632c9925f013 344 }
donatien 0:632c9925f013 345 return 1;
donatien 0:632c9925f013 346 }
donatien 0:632c9925f013 347 #endif
donatien 0:632c9925f013 348
donatien 0:632c9925f013 349 #if 0 /* UNUSED */
donatien 0:632c9925f013 350 /*
donatien 0:632c9925f013 351 * set_noauth_addr - set address(es) that can be used without authentication.
donatien 0:632c9925f013 352 * Equivalent to specifying an entry like `"" * "" addr' in pap-secrets.
donatien 0:632c9925f013 353 */
donatien 0:632c9925f013 354 static int
donatien 0:632c9925f013 355 set_noauth_addr(char **argv)
donatien 0:632c9925f013 356 {
donatien 0:632c9925f013 357 char *addr = *argv;
donatien 0:632c9925f013 358 int l = strlen(addr);
donatien 0:632c9925f013 359 struct wordlist *wp;
donatien 0:632c9925f013 360
donatien 0:632c9925f013 361 wp = (struct wordlist *) malloc(sizeof(struct wordlist) + l + 1);
donatien 0:632c9925f013 362 if (wp == NULL)
donatien 0:632c9925f013 363 novm("allow-ip argument");
donatien 0:632c9925f013 364 wp->word = (char *) (wp + 1);
donatien 0:632c9925f013 365 wp->next = noauth_addrs;
donatien 0:632c9925f013 366 BCOPY(addr, wp->word, l);
donatien 0:632c9925f013 367 noauth_addrs = wp;
donatien 0:632c9925f013 368 return 1;
donatien 0:632c9925f013 369 }
donatien 0:632c9925f013 370 #endif /* UNUSED */
donatien 0:632c9925f013 371
donatien 0:632c9925f013 372 /*
donatien 0:632c9925f013 373 * An Open on LCP has requested a change from Dead to Establish phase.
donatien 0:632c9925f013 374 * Do what's necessary to bring the physical layer up.
donatien 0:632c9925f013 375 */
donatien 0:632c9925f013 376 void
donatien 0:632c9925f013 377 link_required(int unit)
donatien 0:632c9925f013 378 {
donatien 0:632c9925f013 379 LWIP_UNUSED_ARG(unit);
donatien 0:632c9925f013 380
donatien 0:632c9925f013 381 AUTHDEBUG(LOG_INFO, ("link_required: %d\n", unit));
donatien 0:632c9925f013 382 }
donatien 0:632c9925f013 383
donatien 0:632c9925f013 384 /*
donatien 0:632c9925f013 385 * LCP has terminated the link; go to the Dead phase and take the
donatien 0:632c9925f013 386 * physical layer down.
donatien 0:632c9925f013 387 */
donatien 0:632c9925f013 388 void
donatien 0:632c9925f013 389 link_terminated(int unit)
donatien 0:632c9925f013 390 {
donatien 0:632c9925f013 391 AUTHDEBUG(LOG_INFO, ("link_terminated: %d\n", unit));
donatien 0:632c9925f013 392 if (lcp_phase[unit] == PHASE_DEAD) {
donatien 0:632c9925f013 393 return;
donatien 0:632c9925f013 394 }
donatien 0:632c9925f013 395 if (logged_in) {
donatien 0:632c9925f013 396 plogout();
donatien 0:632c9925f013 397 }
donatien 0:632c9925f013 398 lcp_phase[unit] = PHASE_DEAD;
donatien 0:632c9925f013 399 AUTHDEBUG(LOG_NOTICE, ("Connection terminated.\n"));
donatien 0:632c9925f013 400 pppLinkTerminated(unit);
donatien 0:632c9925f013 401 }
donatien 0:632c9925f013 402
donatien 0:632c9925f013 403 /*
donatien 0:632c9925f013 404 * LCP has gone down; it will either die or try to re-establish.
donatien 0:632c9925f013 405 */
donatien 0:632c9925f013 406 void
donatien 0:632c9925f013 407 link_down(int unit)
donatien 0:632c9925f013 408 {
donatien 0:632c9925f013 409 int i;
donatien 0:632c9925f013 410 struct protent *protp;
donatien 0:632c9925f013 411
donatien 0:632c9925f013 412 AUTHDEBUG(LOG_INFO, ("link_down: %d\n", unit));
donatien 0:632c9925f013 413
donatien 0:632c9925f013 414 if (did_authup) {
donatien 0:632c9925f013 415 /* XXX Do link down processing. */
donatien 0:632c9925f013 416 did_authup = 0;
donatien 0:632c9925f013 417 }
donatien 0:632c9925f013 418 for (i = 0; (protp = ppp_protocols[i]) != NULL; ++i) {
donatien 0:632c9925f013 419 if (!protp->enabled_flag) {
donatien 0:632c9925f013 420 continue;
donatien 0:632c9925f013 421 }
donatien 0:632c9925f013 422 if (protp->protocol != PPP_LCP && protp->lowerdown != NULL) {
donatien 0:632c9925f013 423 (*protp->lowerdown)(unit);
donatien 0:632c9925f013 424 }
donatien 0:632c9925f013 425 if (protp->protocol < 0xC000 && protp->close != NULL) {
donatien 0:632c9925f013 426 (*protp->close)(unit, "LCP down");
donatien 0:632c9925f013 427 }
donatien 0:632c9925f013 428 }
donatien 0:632c9925f013 429 num_np_open = 0; /* number of network protocols we have opened */
donatien 0:632c9925f013 430 num_np_up = 0; /* Number of network protocols which have come up */
donatien 0:632c9925f013 431
donatien 0:632c9925f013 432 if (lcp_phase[unit] != PHASE_DEAD) {
donatien 0:632c9925f013 433 lcp_phase[unit] = PHASE_TERMINATE;
donatien 0:632c9925f013 434 }
donatien 0:632c9925f013 435 pppLinkDown(unit);
donatien 0:632c9925f013 436 }
donatien 0:632c9925f013 437
donatien 0:632c9925f013 438 /*
donatien 0:632c9925f013 439 * The link is established.
donatien 0:632c9925f013 440 * Proceed to the Dead, Authenticate or Network phase as appropriate.
donatien 0:632c9925f013 441 */
donatien 0:632c9925f013 442 void
donatien 0:632c9925f013 443 link_established(int unit)
donatien 0:632c9925f013 444 {
donatien 0:632c9925f013 445 int auth;
donatien 0:632c9925f013 446 int i;
donatien 0:632c9925f013 447 struct protent *protp;
donatien 0:632c9925f013 448 lcp_options *wo = &lcp_wantoptions[unit];
donatien 0:632c9925f013 449 lcp_options *go = &lcp_gotoptions[unit];
donatien 0:632c9925f013 450 #if PAP_SUPPORT || CHAP_SUPPORT
donatien 0:632c9925f013 451 lcp_options *ho = &lcp_hisoptions[unit];
donatien 0:632c9925f013 452 #endif /* PAP_SUPPORT || CHAP_SUPPORT */
donatien 0:632c9925f013 453
donatien 0:632c9925f013 454 AUTHDEBUG(LOG_INFO, ("link_established: unit %d; Lowering up all protocols...\n", unit));
donatien 0:632c9925f013 455 /*
donatien 0:632c9925f013 456 * Tell higher-level protocols that LCP is up.
donatien 0:632c9925f013 457 */
donatien 0:632c9925f013 458 for (i = 0; (protp = ppp_protocols[i]) != NULL; ++i) {
donatien 0:632c9925f013 459 if (protp->protocol != PPP_LCP && protp->enabled_flag && protp->lowerup != NULL) {
donatien 0:632c9925f013 460 (*protp->lowerup)(unit);
donatien 0:632c9925f013 461 }
donatien 0:632c9925f013 462 }
donatien 0:632c9925f013 463 if (ppp_settings.auth_required && !(go->neg_chap || go->neg_upap)) {
donatien 0:632c9925f013 464 /*
donatien 0:632c9925f013 465 * We wanted the peer to authenticate itself, and it refused:
donatien 0:632c9925f013 466 * treat it as though it authenticated with PAP using a username
donatien 0:632c9925f013 467 * of "" and a password of "". If that's not OK, boot it out.
donatien 0:632c9925f013 468 */
donatien 0:632c9925f013 469 if (!wo->neg_upap || !null_login(unit)) {
donatien 0:632c9925f013 470 AUTHDEBUG(LOG_WARNING, ("peer refused to authenticate\n"));
donatien 0:632c9925f013 471 lcp_close(unit, "peer refused to authenticate");
donatien 0:632c9925f013 472 return;
donatien 0:632c9925f013 473 }
donatien 0:632c9925f013 474 }
donatien 0:632c9925f013 475
donatien 0:632c9925f013 476 lcp_phase[unit] = PHASE_AUTHENTICATE;
donatien 0:632c9925f013 477 auth = 0;
donatien 0:632c9925f013 478 #if CHAP_SUPPORT
donatien 0:632c9925f013 479 if (go->neg_chap) {
donatien 0:632c9925f013 480 ChapAuthPeer(unit, ppp_settings.our_name, go->chap_mdtype);
donatien 0:632c9925f013 481 auth |= CHAP_PEER;
donatien 0:632c9925f013 482 }
donatien 0:632c9925f013 483 #endif /* CHAP_SUPPORT */
donatien 0:632c9925f013 484 #if PAP_SUPPORT && CHAP_SUPPORT
donatien 0:632c9925f013 485 else
donatien 0:632c9925f013 486 #endif /* PAP_SUPPORT && CHAP_SUPPORT */
donatien 0:632c9925f013 487 #if PAP_SUPPORT
donatien 0:632c9925f013 488 if (go->neg_upap) {
donatien 0:632c9925f013 489 upap_authpeer(unit);
donatien 0:632c9925f013 490 auth |= PAP_PEER;
donatien 0:632c9925f013 491 }
donatien 0:632c9925f013 492 #endif /* PAP_SUPPORT */
donatien 0:632c9925f013 493 #if CHAP_SUPPORT
donatien 0:632c9925f013 494 if (ho->neg_chap) {
donatien 0:632c9925f013 495 ChapAuthWithPeer(unit, ppp_settings.user, ho->chap_mdtype);
donatien 0:632c9925f013 496 auth |= CHAP_WITHPEER;
donatien 0:632c9925f013 497 }
donatien 0:632c9925f013 498 #endif /* CHAP_SUPPORT */
donatien 0:632c9925f013 499 #if PAP_SUPPORT && CHAP_SUPPORT
donatien 0:632c9925f013 500 else
donatien 0:632c9925f013 501 #endif /* PAP_SUPPORT && CHAP_SUPPORT */
donatien 0:632c9925f013 502 #if PAP_SUPPORT
donatien 0:632c9925f013 503 if (ho->neg_upap) {
donatien 0:632c9925f013 504 if (ppp_settings.passwd[0] == 0) {
donatien 0:632c9925f013 505 passwd_from_file = 1;
donatien 0:632c9925f013 506 if (!get_pap_passwd(unit, ppp_settings.user, ppp_settings.passwd)) {
donatien 0:632c9925f013 507 AUTHDEBUG(LOG_ERR, ("No secret found for PAP login\n"));
donatien 0:632c9925f013 508 }
donatien 0:632c9925f013 509 }
donatien 0:632c9925f013 510 upap_authwithpeer(unit, ppp_settings.user, ppp_settings.passwd);
donatien 0:632c9925f013 511 auth |= PAP_WITHPEER;
donatien 0:632c9925f013 512 }
donatien 0:632c9925f013 513 #endif /* PAP_SUPPORT */
donatien 0:632c9925f013 514 auth_pending[unit] = auth;
donatien 0:632c9925f013 515
donatien 0:632c9925f013 516 if (!auth) {
donatien 0:632c9925f013 517 network_phase(unit);
donatien 0:632c9925f013 518 }
donatien 0:632c9925f013 519 }
donatien 0:632c9925f013 520
donatien 0:632c9925f013 521 /*
donatien 0:632c9925f013 522 * Proceed to the network phase.
donatien 0:632c9925f013 523 */
donatien 0:632c9925f013 524 static void
donatien 0:632c9925f013 525 network_phase(int unit)
donatien 0:632c9925f013 526 {
donatien 0:632c9925f013 527 int i;
donatien 0:632c9925f013 528 struct protent *protp;
donatien 0:632c9925f013 529 lcp_options *go = &lcp_gotoptions[unit];
donatien 0:632c9925f013 530
donatien 0:632c9925f013 531 /*
donatien 0:632c9925f013 532 * If the peer had to authenticate, run the auth-up script now.
donatien 0:632c9925f013 533 */
donatien 0:632c9925f013 534 if ((go->neg_chap || go->neg_upap) && !did_authup) {
donatien 0:632c9925f013 535 /* XXX Do setup for peer authentication. */
donatien 0:632c9925f013 536 did_authup = 1;
donatien 0:632c9925f013 537 }
donatien 0:632c9925f013 538
donatien 0:632c9925f013 539 #if CBCP_SUPPORT
donatien 0:632c9925f013 540 /*
donatien 0:632c9925f013 541 * If we negotiated callback, do it now.
donatien 0:632c9925f013 542 */
donatien 0:632c9925f013 543 if (go->neg_cbcp) {
donatien 0:632c9925f013 544 lcp_phase[unit] = PHASE_CALLBACK;
donatien 0:632c9925f013 545 (*cbcp_protent.open)(unit);
donatien 0:632c9925f013 546 return;
donatien 0:632c9925f013 547 }
donatien 0:632c9925f013 548 #endif /* CBCP_SUPPORT */
donatien 0:632c9925f013 549
donatien 0:632c9925f013 550 lcp_phase[unit] = PHASE_NETWORK;
donatien 0:632c9925f013 551 for (i = 0; (protp = ppp_protocols[i]) != NULL; ++i) {
donatien 0:632c9925f013 552 if (protp->protocol < 0xC000 && protp->enabled_flag && protp->open != NULL) {
donatien 0:632c9925f013 553 (*protp->open)(unit);
donatien 0:632c9925f013 554 if (protp->protocol != PPP_CCP) {
donatien 0:632c9925f013 555 ++num_np_open;
donatien 0:632c9925f013 556 }
donatien 0:632c9925f013 557 }
donatien 0:632c9925f013 558 }
donatien 0:632c9925f013 559
donatien 0:632c9925f013 560 if (num_np_open == 0) {
donatien 0:632c9925f013 561 /* nothing to do */
donatien 0:632c9925f013 562 lcp_close(0, "No network protocols running");
donatien 0:632c9925f013 563 }
donatien 0:632c9925f013 564 }
donatien 0:632c9925f013 565 /* @todo: add void start_networks(void) here (pppd 2.3.11) */
donatien 0:632c9925f013 566
donatien 0:632c9925f013 567 /*
donatien 0:632c9925f013 568 * The peer has failed to authenticate himself using `protocol'.
donatien 0:632c9925f013 569 */
donatien 0:632c9925f013 570 void
donatien 0:632c9925f013 571 auth_peer_fail(int unit, u16_t protocol)
donatien 0:632c9925f013 572 {
donatien 0:632c9925f013 573 LWIP_UNUSED_ARG(protocol);
donatien 0:632c9925f013 574
donatien 0:632c9925f013 575 AUTHDEBUG(LOG_INFO, ("auth_peer_fail: %d proto=%X\n", unit, protocol));
donatien 0:632c9925f013 576 /*
donatien 0:632c9925f013 577 * Authentication failure: take the link down
donatien 0:632c9925f013 578 */
donatien 0:632c9925f013 579 lcp_close(unit, "Authentication failed");
donatien 0:632c9925f013 580 }
donatien 0:632c9925f013 581
donatien 0:632c9925f013 582
donatien 0:632c9925f013 583 #if PAP_SUPPORT || CHAP_SUPPORT
donatien 0:632c9925f013 584 /*
donatien 0:632c9925f013 585 * The peer has been successfully authenticated using `protocol'.
donatien 0:632c9925f013 586 */
donatien 0:632c9925f013 587 void
donatien 0:632c9925f013 588 auth_peer_success(int unit, u16_t protocol, char *name, int namelen)
donatien 0:632c9925f013 589 {
donatien 0:632c9925f013 590 int pbit;
donatien 0:632c9925f013 591
donatien 0:632c9925f013 592 AUTHDEBUG(LOG_INFO, ("auth_peer_success: %d proto=%X\n", unit, protocol));
donatien 0:632c9925f013 593 switch (protocol) {
donatien 0:632c9925f013 594 case PPP_CHAP:
donatien 0:632c9925f013 595 pbit = CHAP_PEER;
donatien 0:632c9925f013 596 break;
donatien 0:632c9925f013 597 case PPP_PAP:
donatien 0:632c9925f013 598 pbit = PAP_PEER;
donatien 0:632c9925f013 599 break;
donatien 0:632c9925f013 600 default:
donatien 0:632c9925f013 601 AUTHDEBUG(LOG_WARNING, ("auth_peer_success: unknown protocol %x\n", protocol));
donatien 0:632c9925f013 602 return;
donatien 0:632c9925f013 603 }
donatien 0:632c9925f013 604
donatien 0:632c9925f013 605 /*
donatien 0:632c9925f013 606 * Save the authenticated name of the peer for later.
donatien 0:632c9925f013 607 */
donatien 0:632c9925f013 608 if (namelen > (int)sizeof(peer_authname) - 1) {
donatien 0:632c9925f013 609 namelen = sizeof(peer_authname) - 1;
donatien 0:632c9925f013 610 }
donatien 0:632c9925f013 611 BCOPY(name, peer_authname, namelen);
donatien 0:632c9925f013 612 peer_authname[namelen] = 0;
donatien 0:632c9925f013 613
donatien 0:632c9925f013 614 /*
donatien 0:632c9925f013 615 * If there is no more authentication still to be done,
donatien 0:632c9925f013 616 * proceed to the network (or callback) phase.
donatien 0:632c9925f013 617 */
donatien 0:632c9925f013 618 if ((auth_pending[unit] &= ~pbit) == 0) {
donatien 0:632c9925f013 619 network_phase(unit);
donatien 0:632c9925f013 620 }
donatien 0:632c9925f013 621 }
donatien 0:632c9925f013 622
donatien 0:632c9925f013 623 /*
donatien 0:632c9925f013 624 * We have failed to authenticate ourselves to the peer using `protocol'.
donatien 0:632c9925f013 625 */
donatien 0:632c9925f013 626 void
donatien 0:632c9925f013 627 auth_withpeer_fail(int unit, u16_t protocol)
donatien 0:632c9925f013 628 {
donatien 0:632c9925f013 629 int errCode = PPPERR_AUTHFAIL;
donatien 0:632c9925f013 630
donatien 0:632c9925f013 631 LWIP_UNUSED_ARG(protocol);
donatien 0:632c9925f013 632
donatien 0:632c9925f013 633 AUTHDEBUG(LOG_INFO, ("auth_withpeer_fail: %d proto=%X\n", unit, protocol));
donatien 0:632c9925f013 634 if (passwd_from_file) {
donatien 0:632c9925f013 635 BZERO(ppp_settings.passwd, MAXSECRETLEN);
donatien 0:632c9925f013 636 }
donatien 0:632c9925f013 637 /*
donatien 0:632c9925f013 638 * XXX Warning: the unit number indicates the interface which is
donatien 0:632c9925f013 639 * not necessarily the PPP connection. It works here as long
donatien 0:632c9925f013 640 * as we are only supporting PPP interfaces.
donatien 0:632c9925f013 641 */
donatien 0:632c9925f013 642 /* @todo: Remove pppIOCtl, it is not used anywhere else.
donatien 0:632c9925f013 643 Instead, directly set errCode. */
donatien 0:632c9925f013 644 pppIOCtl(unit, PPPCTLS_ERRCODE, &errCode);
donatien 0:632c9925f013 645
donatien 0:632c9925f013 646 /*
donatien 0:632c9925f013 647 * We've failed to authenticate ourselves to our peer.
donatien 0:632c9925f013 648 * He'll probably take the link down, and there's not much
donatien 0:632c9925f013 649 * we can do except wait for that.
donatien 0:632c9925f013 650 */
donatien 0:632c9925f013 651 }
donatien 0:632c9925f013 652
donatien 0:632c9925f013 653 /*
donatien 0:632c9925f013 654 * We have successfully authenticated ourselves with the peer using `protocol'.
donatien 0:632c9925f013 655 */
donatien 0:632c9925f013 656 void
donatien 0:632c9925f013 657 auth_withpeer_success(int unit, u16_t protocol)
donatien 0:632c9925f013 658 {
donatien 0:632c9925f013 659 int pbit;
donatien 0:632c9925f013 660
donatien 0:632c9925f013 661 AUTHDEBUG(LOG_INFO, ("auth_withpeer_success: %d proto=%X\n", unit, protocol));
donatien 0:632c9925f013 662 switch (protocol) {
donatien 0:632c9925f013 663 case PPP_CHAP:
donatien 0:632c9925f013 664 pbit = CHAP_WITHPEER;
donatien 0:632c9925f013 665 break;
donatien 0:632c9925f013 666 case PPP_PAP:
donatien 0:632c9925f013 667 if (passwd_from_file) {
donatien 0:632c9925f013 668 BZERO(ppp_settings.passwd, MAXSECRETLEN);
donatien 0:632c9925f013 669 }
donatien 0:632c9925f013 670 pbit = PAP_WITHPEER;
donatien 0:632c9925f013 671 break;
donatien 0:632c9925f013 672 default:
donatien 0:632c9925f013 673 AUTHDEBUG(LOG_WARNING, ("auth_peer_success: unknown protocol %x\n", protocol));
donatien 0:632c9925f013 674 pbit = 0;
donatien 0:632c9925f013 675 }
donatien 0:632c9925f013 676
donatien 0:632c9925f013 677 /*
donatien 0:632c9925f013 678 * If there is no more authentication still being done,
donatien 0:632c9925f013 679 * proceed to the network (or callback) phase.
donatien 0:632c9925f013 680 */
donatien 0:632c9925f013 681 if ((auth_pending[unit] &= ~pbit) == 0) {
donatien 0:632c9925f013 682 network_phase(unit);
donatien 0:632c9925f013 683 }
donatien 0:632c9925f013 684 }
donatien 0:632c9925f013 685 #endif /* PAP_SUPPORT || CHAP_SUPPORT */
donatien 0:632c9925f013 686
donatien 0:632c9925f013 687
donatien 0:632c9925f013 688 /*
donatien 0:632c9925f013 689 * np_up - a network protocol has come up.
donatien 0:632c9925f013 690 */
donatien 0:632c9925f013 691 void
donatien 0:632c9925f013 692 np_up(int unit, u16_t proto)
donatien 0:632c9925f013 693 {
donatien 0:632c9925f013 694 LWIP_UNUSED_ARG(unit);
donatien 0:632c9925f013 695 LWIP_UNUSED_ARG(proto);
donatien 0:632c9925f013 696
donatien 0:632c9925f013 697 AUTHDEBUG(LOG_INFO, ("np_up: %d proto=%X\n", unit, proto));
donatien 0:632c9925f013 698 if (num_np_up == 0) {
donatien 0:632c9925f013 699 AUTHDEBUG(LOG_INFO, ("np_up: maxconnect=%d idle_time_limit=%d\n",ppp_settings.maxconnect,ppp_settings.idle_time_limit));
donatien 0:632c9925f013 700 /*
donatien 0:632c9925f013 701 * At this point we consider that the link has come up successfully.
donatien 0:632c9925f013 702 */
donatien 0:632c9925f013 703 if (ppp_settings.idle_time_limit > 0) {
donatien 0:632c9925f013 704 TIMEOUT(check_idle, NULL, ppp_settings.idle_time_limit);
donatien 0:632c9925f013 705 }
donatien 0:632c9925f013 706
donatien 0:632c9925f013 707 /*
donatien 0:632c9925f013 708 * Set a timeout to close the connection once the maximum
donatien 0:632c9925f013 709 * connect time has expired.
donatien 0:632c9925f013 710 */
donatien 0:632c9925f013 711 if (ppp_settings.maxconnect > 0) {
donatien 0:632c9925f013 712 TIMEOUT(connect_time_expired, 0, ppp_settings.maxconnect);
donatien 0:632c9925f013 713 }
donatien 0:632c9925f013 714 }
donatien 0:632c9925f013 715 ++num_np_up;
donatien 0:632c9925f013 716 }
donatien 0:632c9925f013 717
donatien 0:632c9925f013 718 /*
donatien 0:632c9925f013 719 * np_down - a network protocol has gone down.
donatien 0:632c9925f013 720 */
donatien 0:632c9925f013 721 void
donatien 0:632c9925f013 722 np_down(int unit, u16_t proto)
donatien 0:632c9925f013 723 {
donatien 0:632c9925f013 724 LWIP_UNUSED_ARG(unit);
donatien 0:632c9925f013 725 LWIP_UNUSED_ARG(proto);
donatien 0:632c9925f013 726
donatien 0:632c9925f013 727 AUTHDEBUG(LOG_INFO, ("np_down: %d proto=%X\n", unit, proto));
donatien 0:632c9925f013 728 if (--num_np_up == 0 && ppp_settings.idle_time_limit > 0) {
donatien 0:632c9925f013 729 UNTIMEOUT(check_idle, NULL);
donatien 0:632c9925f013 730 }
donatien 0:632c9925f013 731 }
donatien 0:632c9925f013 732
donatien 0:632c9925f013 733 /*
donatien 0:632c9925f013 734 * np_finished - a network protocol has finished using the link.
donatien 0:632c9925f013 735 */
donatien 0:632c9925f013 736 void
donatien 0:632c9925f013 737 np_finished(int unit, u16_t proto)
donatien 0:632c9925f013 738 {
donatien 0:632c9925f013 739 LWIP_UNUSED_ARG(unit);
donatien 0:632c9925f013 740 LWIP_UNUSED_ARG(proto);
donatien 0:632c9925f013 741
donatien 0:632c9925f013 742 AUTHDEBUG(LOG_INFO, ("np_finished: %d proto=%X\n", unit, proto));
donatien 0:632c9925f013 743 if (--num_np_open <= 0) {
donatien 0:632c9925f013 744 /* no further use for the link: shut up shop. */
donatien 0:632c9925f013 745 lcp_close(0, "No network protocols running");
donatien 0:632c9925f013 746 }
donatien 0:632c9925f013 747 }
donatien 0:632c9925f013 748
donatien 0:632c9925f013 749 /*
donatien 0:632c9925f013 750 * check_idle - check whether the link has been idle for long
donatien 0:632c9925f013 751 * enough that we can shut it down.
donatien 0:632c9925f013 752 */
donatien 0:632c9925f013 753 static void
donatien 0:632c9925f013 754 check_idle(void *arg)
donatien 0:632c9925f013 755 {
donatien 0:632c9925f013 756 struct ppp_idle idle;
donatien 0:632c9925f013 757 u_short itime;
donatien 0:632c9925f013 758
donatien 0:632c9925f013 759 LWIP_UNUSED_ARG(arg);
donatien 0:632c9925f013 760 if (!get_idle_time(0, &idle)) {
donatien 0:632c9925f013 761 return;
donatien 0:632c9925f013 762 }
donatien 0:632c9925f013 763 itime = LWIP_MIN(idle.xmit_idle, idle.recv_idle);
donatien 0:632c9925f013 764 if (itime >= ppp_settings.idle_time_limit) {
donatien 0:632c9925f013 765 /* link is idle: shut it down. */
donatien 0:632c9925f013 766 AUTHDEBUG(LOG_INFO, ("Terminating connection due to lack of activity.\n"));
donatien 0:632c9925f013 767 lcp_close(0, "Link inactive");
donatien 0:632c9925f013 768 } else {
donatien 0:632c9925f013 769 TIMEOUT(check_idle, NULL, ppp_settings.idle_time_limit - itime);
donatien 0:632c9925f013 770 }
donatien 0:632c9925f013 771 }
donatien 0:632c9925f013 772
donatien 0:632c9925f013 773 /*
donatien 0:632c9925f013 774 * connect_time_expired - log a message and close the connection.
donatien 0:632c9925f013 775 */
donatien 0:632c9925f013 776 static void
donatien 0:632c9925f013 777 connect_time_expired(void *arg)
donatien 0:632c9925f013 778 {
donatien 0:632c9925f013 779 LWIP_UNUSED_ARG(arg);
donatien 0:632c9925f013 780
donatien 0:632c9925f013 781 AUTHDEBUG(LOG_INFO, ("Connect time expired\n"));
donatien 0:632c9925f013 782 lcp_close(0, "Connect time expired"); /* Close connection */
donatien 0:632c9925f013 783 }
donatien 0:632c9925f013 784
donatien 0:632c9925f013 785 #if 0 /* UNUSED */
donatien 0:632c9925f013 786 /*
donatien 0:632c9925f013 787 * auth_check_options - called to check authentication options.
donatien 0:632c9925f013 788 */
donatien 0:632c9925f013 789 void
donatien 0:632c9925f013 790 auth_check_options(void)
donatien 0:632c9925f013 791 {
donatien 0:632c9925f013 792 lcp_options *wo = &lcp_wantoptions[0];
donatien 0:632c9925f013 793 int can_auth;
donatien 0:632c9925f013 794 ipcp_options *ipwo = &ipcp_wantoptions[0];
donatien 0:632c9925f013 795 u32_t remote;
donatien 0:632c9925f013 796
donatien 0:632c9925f013 797 /* Default our_name to hostname, and user to our_name */
donatien 0:632c9925f013 798 if (ppp_settings.our_name[0] == 0 || ppp_settings.usehostname) {
donatien 0:632c9925f013 799 strcpy(ppp_settings.our_name, ppp_settings.hostname);
donatien 0:632c9925f013 800 }
donatien 0:632c9925f013 801
donatien 0:632c9925f013 802 if (ppp_settings.user[0] == 0) {
donatien 0:632c9925f013 803 strcpy(ppp_settings.user, ppp_settings.our_name);
donatien 0:632c9925f013 804 }
donatien 0:632c9925f013 805
donatien 0:632c9925f013 806 /* If authentication is required, ask peer for CHAP or PAP. */
donatien 0:632c9925f013 807 if (ppp_settings.auth_required && !wo->neg_chap && !wo->neg_upap) {
donatien 0:632c9925f013 808 wo->neg_chap = 1;
donatien 0:632c9925f013 809 wo->neg_upap = 1;
donatien 0:632c9925f013 810 }
donatien 0:632c9925f013 811
donatien 0:632c9925f013 812 /*
donatien 0:632c9925f013 813 * Check whether we have appropriate secrets to use
donatien 0:632c9925f013 814 * to authenticate the peer.
donatien 0:632c9925f013 815 */
donatien 0:632c9925f013 816 can_auth = wo->neg_upap && have_pap_secret();
donatien 0:632c9925f013 817 if (!can_auth && wo->neg_chap) {
donatien 0:632c9925f013 818 remote = ipwo->accept_remote? 0: ipwo->hisaddr;
donatien 0:632c9925f013 819 can_auth = have_chap_secret(ppp_settings.remote_name, ppp_settings.our_name, remote);
donatien 0:632c9925f013 820 }
donatien 0:632c9925f013 821
donatien 0:632c9925f013 822 if (ppp_settings.auth_required && !can_auth) {
donatien 0:632c9925f013 823 ppp_panic("No auth secret");
donatien 0:632c9925f013 824 }
donatien 0:632c9925f013 825 }
donatien 0:632c9925f013 826 #endif /* UNUSED */
donatien 0:632c9925f013 827
donatien 0:632c9925f013 828 /*
donatien 0:632c9925f013 829 * auth_reset - called when LCP is starting negotiations to recheck
donatien 0:632c9925f013 830 * authentication options, i.e. whether we have appropriate secrets
donatien 0:632c9925f013 831 * to use for authenticating ourselves and/or the peer.
donatien 0:632c9925f013 832 */
donatien 0:632c9925f013 833 void
donatien 0:632c9925f013 834 auth_reset(int unit)
donatien 0:632c9925f013 835 {
donatien 0:632c9925f013 836 lcp_options *go = &lcp_gotoptions[unit];
donatien 0:632c9925f013 837 lcp_options *ao = &lcp_allowoptions[0];
donatien 0:632c9925f013 838 ipcp_options *ipwo = &ipcp_wantoptions[0];
donatien 0:632c9925f013 839 u32_t remote;
donatien 0:632c9925f013 840
donatien 0:632c9925f013 841 AUTHDEBUG(LOG_INFO, ("auth_reset: %d\n", unit));
donatien 0:632c9925f013 842 ao->neg_upap = !ppp_settings.refuse_pap && (ppp_settings.passwd[0] != 0 || get_pap_passwd(unit, NULL, NULL));
donatien 0:632c9925f013 843 ao->neg_chap = !ppp_settings.refuse_chap && ppp_settings.passwd[0] != 0 /*have_chap_secret(ppp_settings.user, ppp_settings.remote_name, (u32_t)0)*/;
donatien 0:632c9925f013 844
donatien 0:632c9925f013 845 if (go->neg_upap && !have_pap_secret()) {
donatien 0:632c9925f013 846 go->neg_upap = 0;
donatien 0:632c9925f013 847 }
donatien 0:632c9925f013 848 if (go->neg_chap) {
donatien 0:632c9925f013 849 remote = ipwo->accept_remote? 0: ipwo->hisaddr;
donatien 0:632c9925f013 850 if (!have_chap_secret(ppp_settings.remote_name, ppp_settings.our_name, remote)) {
donatien 0:632c9925f013 851 go->neg_chap = 0;
donatien 0:632c9925f013 852 }
donatien 0:632c9925f013 853 }
donatien 0:632c9925f013 854 }
donatien 0:632c9925f013 855
donatien 0:632c9925f013 856 #if PAP_SUPPORT
donatien 0:632c9925f013 857 /*
donatien 0:632c9925f013 858 * check_passwd - Check the user name and passwd against the PAP secrets
donatien 0:632c9925f013 859 * file. If requested, also check against the system password database,
donatien 0:632c9925f013 860 * and login the user if OK.
donatien 0:632c9925f013 861 *
donatien 0:632c9925f013 862 * returns:
donatien 0:632c9925f013 863 * UPAP_AUTHNAK: Authentication failed.
donatien 0:632c9925f013 864 * UPAP_AUTHACK: Authentication succeeded.
donatien 0:632c9925f013 865 * In either case, msg points to an appropriate message.
donatien 0:632c9925f013 866 */
donatien 0:632c9925f013 867 u_char
donatien 0:632c9925f013 868 check_passwd( int unit, char *auser, int userlen, char *apasswd, int passwdlen, char **msg, int *msglen)
donatien 0:632c9925f013 869 {
donatien 0:632c9925f013 870 #if 1 /* XXX Assume all entries OK. */
donatien 0:632c9925f013 871 LWIP_UNUSED_ARG(unit);
donatien 0:632c9925f013 872 LWIP_UNUSED_ARG(auser);
donatien 0:632c9925f013 873 LWIP_UNUSED_ARG(userlen);
donatien 0:632c9925f013 874 LWIP_UNUSED_ARG(apasswd);
donatien 0:632c9925f013 875 LWIP_UNUSED_ARG(passwdlen);
donatien 0:632c9925f013 876 LWIP_UNUSED_ARG(msglen);
donatien 0:632c9925f013 877 *msg = (char *) 0;
donatien 0:632c9925f013 878 return UPAP_AUTHACK; /* XXX Assume all entries OK. */
donatien 0:632c9925f013 879 #else
donatien 0:632c9925f013 880 u_char ret = 0;
donatien 0:632c9925f013 881 struct wordlist *addrs = NULL;
donatien 0:632c9925f013 882 char passwd[256], user[256];
donatien 0:632c9925f013 883 char secret[MAXWORDLEN];
donatien 0:632c9925f013 884 static u_short attempts = 0;
donatien 0:632c9925f013 885
donatien 0:632c9925f013 886 /*
donatien 0:632c9925f013 887 * Make copies of apasswd and auser, then null-terminate them.
donatien 0:632c9925f013 888 */
donatien 0:632c9925f013 889 BCOPY(apasswd, passwd, passwdlen);
donatien 0:632c9925f013 890 passwd[passwdlen] = '\0';
donatien 0:632c9925f013 891 BCOPY(auser, user, userlen);
donatien 0:632c9925f013 892 user[userlen] = '\0';
donatien 0:632c9925f013 893 *msg = (char *) 0;
donatien 0:632c9925f013 894
donatien 0:632c9925f013 895 /* XXX Validate user name and password. */
donatien 0:632c9925f013 896 ret = UPAP_AUTHACK; /* XXX Assume all entries OK. */
donatien 0:632c9925f013 897
donatien 0:632c9925f013 898 if (ret == UPAP_AUTHNAK) {
donatien 0:632c9925f013 899 if (*msg == (char *) 0) {
donatien 0:632c9925f013 900 *msg = "Login incorrect";
donatien 0:632c9925f013 901 }
donatien 0:632c9925f013 902 *msglen = strlen(*msg);
donatien 0:632c9925f013 903 /*
donatien 0:632c9925f013 904 * Frustrate passwd stealer programs.
donatien 0:632c9925f013 905 * Allow 10 tries, but start backing off after 3 (stolen from login).
donatien 0:632c9925f013 906 * On 10'th, drop the connection.
donatien 0:632c9925f013 907 */
donatien 0:632c9925f013 908 if (attempts++ >= 10) {
donatien 0:632c9925f013 909 AUTHDEBUG(LOG_WARNING, ("%d LOGIN FAILURES BY %s\n", attempts, user));
donatien 0:632c9925f013 910 /*ppp_panic("Excess Bad Logins");*/
donatien 0:632c9925f013 911 }
donatien 0:632c9925f013 912 if (attempts > 3) {
donatien 0:632c9925f013 913 /* @todo: this was sleep(), i.e. seconds, not milliseconds
donatien 0:632c9925f013 914 * I don't think we really need this in lwIP - we would block tcpip_thread!
donatien 0:632c9925f013 915 */
donatien 0:632c9925f013 916 /*sys_msleep((attempts - 3) * 5);*/
donatien 0:632c9925f013 917 }
donatien 0:632c9925f013 918 if (addrs != NULL) {
donatien 0:632c9925f013 919 free_wordlist(addrs);
donatien 0:632c9925f013 920 }
donatien 0:632c9925f013 921 } else {
donatien 0:632c9925f013 922 attempts = 0; /* Reset count */
donatien 0:632c9925f013 923 if (*msg == (char *) 0) {
donatien 0:632c9925f013 924 *msg = "Login ok";
donatien 0:632c9925f013 925 }
donatien 0:632c9925f013 926 *msglen = strlen(*msg);
donatien 0:632c9925f013 927 set_allowed_addrs(unit, addrs);
donatien 0:632c9925f013 928 }
donatien 0:632c9925f013 929
donatien 0:632c9925f013 930 BZERO(passwd, sizeof(passwd));
donatien 0:632c9925f013 931 BZERO(secret, sizeof(secret));
donatien 0:632c9925f013 932
donatien 0:632c9925f013 933 return ret;
donatien 0:632c9925f013 934 #endif
donatien 0:632c9925f013 935 }
donatien 0:632c9925f013 936 #endif /* PAP_SUPPORT */
donatien 0:632c9925f013 937
donatien 0:632c9925f013 938 #if 0 /* UNUSED */
donatien 0:632c9925f013 939 /*
donatien 0:632c9925f013 940 * This function is needed for PAM.
donatien 0:632c9925f013 941 */
donatien 0:632c9925f013 942
donatien 0:632c9925f013 943 #ifdef USE_PAM
donatien 0:632c9925f013 944
donatien 0:632c9925f013 945 /* lwip does not support PAM*/
donatien 0:632c9925f013 946
donatien 0:632c9925f013 947 #endif /* USE_PAM */
donatien 0:632c9925f013 948
donatien 0:632c9925f013 949 #endif /* UNUSED */
donatien 0:632c9925f013 950
donatien 0:632c9925f013 951
donatien 0:632c9925f013 952 #if 0 /* UNUSED */
donatien 0:632c9925f013 953 /*
donatien 0:632c9925f013 954 * plogin - Check the user name and password against the system
donatien 0:632c9925f013 955 * password database, and login the user if OK.
donatien 0:632c9925f013 956 *
donatien 0:632c9925f013 957 * returns:
donatien 0:632c9925f013 958 * UPAP_AUTHNAK: Login failed.
donatien 0:632c9925f013 959 * UPAP_AUTHACK: Login succeeded.
donatien 0:632c9925f013 960 * In either case, msg points to an appropriate message.
donatien 0:632c9925f013 961 */
donatien 0:632c9925f013 962 static int
donatien 0:632c9925f013 963 plogin(char *user, char *passwd, char **msg, int *msglen)
donatien 0:632c9925f013 964 {
donatien 0:632c9925f013 965
donatien 0:632c9925f013 966 LWIP_UNUSED_ARG(user);
donatien 0:632c9925f013 967 LWIP_UNUSED_ARG(passwd);
donatien 0:632c9925f013 968 LWIP_UNUSED_ARG(msg);
donatien 0:632c9925f013 969 LWIP_UNUSED_ARG(msglen);
donatien 0:632c9925f013 970
donatien 0:632c9925f013 971
donatien 0:632c9925f013 972 /* The new lines are here align the file when
donatien 0:632c9925f013 973 * compared against the pppd 2.3.11 code */
donatien 0:632c9925f013 974
donatien 0:632c9925f013 975
donatien 0:632c9925f013 976
donatien 0:632c9925f013 977
donatien 0:632c9925f013 978
donatien 0:632c9925f013 979
donatien 0:632c9925f013 980
donatien 0:632c9925f013 981
donatien 0:632c9925f013 982
donatien 0:632c9925f013 983
donatien 0:632c9925f013 984
donatien 0:632c9925f013 985
donatien 0:632c9925f013 986
donatien 0:632c9925f013 987
donatien 0:632c9925f013 988
donatien 0:632c9925f013 989
donatien 0:632c9925f013 990 /* XXX Fail until we decide that we want to support logins. */
donatien 0:632c9925f013 991 return (UPAP_AUTHNAK);
donatien 0:632c9925f013 992 }
donatien 0:632c9925f013 993 #endif
donatien 0:632c9925f013 994
donatien 0:632c9925f013 995
donatien 0:632c9925f013 996
donatien 0:632c9925f013 997 /*
donatien 0:632c9925f013 998 * plogout - Logout the user.
donatien 0:632c9925f013 999 */
donatien 0:632c9925f013 1000 static void
donatien 0:632c9925f013 1001 plogout(void)
donatien 0:632c9925f013 1002 {
donatien 0:632c9925f013 1003 logged_in = 0;
donatien 0:632c9925f013 1004 }
donatien 0:632c9925f013 1005
donatien 0:632c9925f013 1006 /*
donatien 0:632c9925f013 1007 * null_login - Check if a username of "" and a password of "" are
donatien 0:632c9925f013 1008 * acceptable, and iff so, set the list of acceptable IP addresses
donatien 0:632c9925f013 1009 * and return 1.
donatien 0:632c9925f013 1010 */
donatien 0:632c9925f013 1011 static int
donatien 0:632c9925f013 1012 null_login(int unit)
donatien 0:632c9925f013 1013 {
donatien 0:632c9925f013 1014 LWIP_UNUSED_ARG(unit);
donatien 0:632c9925f013 1015 /* XXX Fail until we decide that we want to support logins. */
donatien 0:632c9925f013 1016 return 0;
donatien 0:632c9925f013 1017 }
donatien 0:632c9925f013 1018
donatien 0:632c9925f013 1019
donatien 0:632c9925f013 1020 /*
donatien 0:632c9925f013 1021 * get_pap_passwd - get a password for authenticating ourselves with
donatien 0:632c9925f013 1022 * our peer using PAP. Returns 1 on success, 0 if no suitable password
donatien 0:632c9925f013 1023 * could be found.
donatien 0:632c9925f013 1024 */
donatien 0:632c9925f013 1025 static int
donatien 0:632c9925f013 1026 get_pap_passwd(int unit, char *user, char *passwd)
donatien 0:632c9925f013 1027 {
donatien 0:632c9925f013 1028 LWIP_UNUSED_ARG(unit);
donatien 0:632c9925f013 1029 /* normally we would reject PAP if no password is provided,
donatien 0:632c9925f013 1030 but this causes problems with some providers (like CHT in Taiwan)
donatien 0:632c9925f013 1031 who incorrectly request PAP and expect a bogus/empty password, so
donatien 0:632c9925f013 1032 always provide a default user/passwd of "none"/"none"
donatien 0:632c9925f013 1033
donatien 0:632c9925f013 1034 @todo: This should be configured by the user, instead of being hardcoded here!
donatien 0:632c9925f013 1035 */
donatien 0:632c9925f013 1036 if(user) {
donatien 0:632c9925f013 1037 strcpy(user, "none");
donatien 0:632c9925f013 1038 }
donatien 0:632c9925f013 1039 if(passwd) {
donatien 0:632c9925f013 1040 strcpy(passwd, "none");
donatien 0:632c9925f013 1041 }
donatien 0:632c9925f013 1042 return 1;
donatien 0:632c9925f013 1043 }
donatien 0:632c9925f013 1044
donatien 0:632c9925f013 1045 /*
donatien 0:632c9925f013 1046 * have_pap_secret - check whether we have a PAP file with any
donatien 0:632c9925f013 1047 * secrets that we could possibly use for authenticating the peer.
donatien 0:632c9925f013 1048 */
donatien 0:632c9925f013 1049 static int
donatien 0:632c9925f013 1050 have_pap_secret(void)
donatien 0:632c9925f013 1051 {
donatien 0:632c9925f013 1052 /* XXX Fail until we set up our passwords. */
donatien 0:632c9925f013 1053 return 0;
donatien 0:632c9925f013 1054 }
donatien 0:632c9925f013 1055
donatien 0:632c9925f013 1056 /*
donatien 0:632c9925f013 1057 * have_chap_secret - check whether we have a CHAP file with a
donatien 0:632c9925f013 1058 * secret that we could possibly use for authenticating `client'
donatien 0:632c9925f013 1059 * on `server'. Either can be the null string, meaning we don't
donatien 0:632c9925f013 1060 * know the identity yet.
donatien 0:632c9925f013 1061 */
donatien 0:632c9925f013 1062 static int
donatien 0:632c9925f013 1063 have_chap_secret(char *client, char *server, u32_t remote)
donatien 0:632c9925f013 1064 {
donatien 0:632c9925f013 1065 LWIP_UNUSED_ARG(client);
donatien 0:632c9925f013 1066 LWIP_UNUSED_ARG(server);
donatien 0:632c9925f013 1067 LWIP_UNUSED_ARG(remote);
donatien 0:632c9925f013 1068
donatien 0:632c9925f013 1069 /* XXX Fail until we set up our passwords. */
donatien 0:632c9925f013 1070 return 0;
donatien 0:632c9925f013 1071 }
donatien 0:632c9925f013 1072 #if CHAP_SUPPORT
donatien 0:632c9925f013 1073
donatien 0:632c9925f013 1074 /*
donatien 0:632c9925f013 1075 * get_secret - open the CHAP secret file and return the secret
donatien 0:632c9925f013 1076 * for authenticating the given client on the given server.
donatien 0:632c9925f013 1077 * (We could be either client or server).
donatien 0:632c9925f013 1078 */
donatien 0:632c9925f013 1079 int
donatien 0:632c9925f013 1080 get_secret(int unit, char *client, char *server, char *secret, int *secret_len, int save_addrs)
donatien 0:632c9925f013 1081 {
donatien 0:632c9925f013 1082 #if 1
donatien 0:632c9925f013 1083 int len;
donatien 0:632c9925f013 1084 struct wordlist *addrs;
donatien 0:632c9925f013 1085
donatien 0:632c9925f013 1086 LWIP_UNUSED_ARG(unit);
donatien 0:632c9925f013 1087 LWIP_UNUSED_ARG(server);
donatien 0:632c9925f013 1088 LWIP_UNUSED_ARG(save_addrs);
donatien 0:632c9925f013 1089
donatien 0:632c9925f013 1090 addrs = NULL;
donatien 0:632c9925f013 1091
donatien 0:632c9925f013 1092 if(!client || !client[0] || strcmp(client, ppp_settings.user)) {
donatien 0:632c9925f013 1093 return 0;
donatien 0:632c9925f013 1094 }
donatien 0:632c9925f013 1095
donatien 0:632c9925f013 1096 len = (int)strlen(ppp_settings.passwd);
donatien 0:632c9925f013 1097 if (len > MAXSECRETLEN) {
donatien 0:632c9925f013 1098 AUTHDEBUG(LOG_ERR, ("Secret for %s on %s is too long\n", client, server));
donatien 0:632c9925f013 1099 len = MAXSECRETLEN;
donatien 0:632c9925f013 1100 }
donatien 0:632c9925f013 1101
donatien 0:632c9925f013 1102 BCOPY(ppp_settings.passwd, secret, len);
donatien 0:632c9925f013 1103 *secret_len = len;
donatien 0:632c9925f013 1104
donatien 0:632c9925f013 1105 return 1;
donatien 0:632c9925f013 1106 #else
donatien 0:632c9925f013 1107 int ret = 0, len;
donatien 0:632c9925f013 1108 struct wordlist *addrs;
donatien 0:632c9925f013 1109 char secbuf[MAXWORDLEN];
donatien 0:632c9925f013 1110
donatien 0:632c9925f013 1111 addrs = NULL;
donatien 0:632c9925f013 1112 secbuf[0] = 0;
donatien 0:632c9925f013 1113
donatien 0:632c9925f013 1114 /* XXX Find secret. */
donatien 0:632c9925f013 1115 if (ret < 0) {
donatien 0:632c9925f013 1116 return 0;
donatien 0:632c9925f013 1117 }
donatien 0:632c9925f013 1118
donatien 0:632c9925f013 1119 if (save_addrs) {
donatien 0:632c9925f013 1120 set_allowed_addrs(unit, addrs);
donatien 0:632c9925f013 1121 }
donatien 0:632c9925f013 1122
donatien 0:632c9925f013 1123 len = strlen(secbuf);
donatien 0:632c9925f013 1124 if (len > MAXSECRETLEN) {
donatien 0:632c9925f013 1125 AUTHDEBUG(LOG_ERR, ("Secret for %s on %s is too long\n", client, server));
donatien 0:632c9925f013 1126 len = MAXSECRETLEN;
donatien 0:632c9925f013 1127 }
donatien 0:632c9925f013 1128
donatien 0:632c9925f013 1129 BCOPY(secbuf, secret, len);
donatien 0:632c9925f013 1130 BZERO(secbuf, sizeof(secbuf));
donatien 0:632c9925f013 1131 *secret_len = len;
donatien 0:632c9925f013 1132
donatien 0:632c9925f013 1133 return 1;
donatien 0:632c9925f013 1134 #endif
donatien 0:632c9925f013 1135 }
donatien 0:632c9925f013 1136 #endif /* CHAP_SUPPORT */
donatien 0:632c9925f013 1137
donatien 0:632c9925f013 1138
donatien 0:632c9925f013 1139 #if 0 /* PAP_SUPPORT || CHAP_SUPPORT */
donatien 0:632c9925f013 1140 /*
donatien 0:632c9925f013 1141 * set_allowed_addrs() - set the list of allowed addresses.
donatien 0:632c9925f013 1142 */
donatien 0:632c9925f013 1143 static void
donatien 0:632c9925f013 1144 set_allowed_addrs(int unit, struct wordlist *addrs)
donatien 0:632c9925f013 1145 {
donatien 0:632c9925f013 1146 if (addresses[unit] != NULL) {
donatien 0:632c9925f013 1147 free_wordlist(addresses[unit]);
donatien 0:632c9925f013 1148 }
donatien 0:632c9925f013 1149 addresses[unit] = addrs;
donatien 0:632c9925f013 1150
donatien 0:632c9925f013 1151 #if 0
donatien 0:632c9925f013 1152 /*
donatien 0:632c9925f013 1153 * If there's only one authorized address we might as well
donatien 0:632c9925f013 1154 * ask our peer for that one right away
donatien 0:632c9925f013 1155 */
donatien 0:632c9925f013 1156 if (addrs != NULL && addrs->next == NULL) {
donatien 0:632c9925f013 1157 char *p = addrs->word;
donatien 0:632c9925f013 1158 struct ipcp_options *wo = &ipcp_wantoptions[unit];
donatien 0:632c9925f013 1159 u32_t a;
donatien 0:632c9925f013 1160 struct hostent *hp;
donatien 0:632c9925f013 1161
donatien 0:632c9925f013 1162 if (wo->hisaddr == 0 && *p != '!' && *p != '-' && strchr(p, '/') == NULL) {
donatien 0:632c9925f013 1163 hp = gethostbyname(p);
donatien 0:632c9925f013 1164 if (hp != NULL && hp->h_addrtype == AF_INET) {
donatien 0:632c9925f013 1165 a = *(u32_t *)hp->h_addr;
donatien 0:632c9925f013 1166 } else {
donatien 0:632c9925f013 1167 a = inet_addr(p);
donatien 0:632c9925f013 1168 }
donatien 0:632c9925f013 1169 if (a != (u32_t) -1) {
donatien 0:632c9925f013 1170 wo->hisaddr = a;
donatien 0:632c9925f013 1171 }
donatien 0:632c9925f013 1172 }
donatien 0:632c9925f013 1173 }
donatien 0:632c9925f013 1174 #endif
donatien 0:632c9925f013 1175 }
donatien 0:632c9925f013 1176 #endif /* 0 */ /* PAP_SUPPORT || CHAP_SUPPORT */
donatien 0:632c9925f013 1177
donatien 0:632c9925f013 1178 /*
donatien 0:632c9925f013 1179 * auth_ip_addr - check whether the peer is authorized to use
donatien 0:632c9925f013 1180 * a given IP address. Returns 1 if authorized, 0 otherwise.
donatien 0:632c9925f013 1181 */
donatien 0:632c9925f013 1182 int
donatien 0:632c9925f013 1183 auth_ip_addr(int unit, u32_t addr)
donatien 0:632c9925f013 1184 {
donatien 0:632c9925f013 1185 return ip_addr_check(addr, addresses[unit]);
donatien 0:632c9925f013 1186 }
donatien 0:632c9925f013 1187
donatien 0:632c9925f013 1188 static int /* @todo: integrate this funtion into auth_ip_addr()*/
donatien 0:632c9925f013 1189 ip_addr_check(u32_t addr, struct wordlist *addrs)
donatien 0:632c9925f013 1190 {
donatien 0:632c9925f013 1191 /* don't allow loopback or multicast address */
donatien 0:632c9925f013 1192 if (bad_ip_adrs(addr)) {
donatien 0:632c9925f013 1193 return 0;
donatien 0:632c9925f013 1194 }
donatien 0:632c9925f013 1195
donatien 0:632c9925f013 1196 if (addrs == NULL) {
donatien 0:632c9925f013 1197 return !ppp_settings.auth_required; /* no addresses authorized */
donatien 0:632c9925f013 1198 }
donatien 0:632c9925f013 1199
donatien 0:632c9925f013 1200 /* XXX All other addresses allowed. */
donatien 0:632c9925f013 1201 return 1;
donatien 0:632c9925f013 1202 }
donatien 0:632c9925f013 1203
donatien 0:632c9925f013 1204 /*
donatien 0:632c9925f013 1205 * bad_ip_adrs - return 1 if the IP address is one we don't want
donatien 0:632c9925f013 1206 * to use, such as an address in the loopback net or a multicast address.
donatien 0:632c9925f013 1207 * addr is in network byte order.
donatien 0:632c9925f013 1208 */
donatien 0:632c9925f013 1209 int
donatien 0:632c9925f013 1210 bad_ip_adrs(u32_t addr)
donatien 0:632c9925f013 1211 {
donatien 0:632c9925f013 1212 addr = ntohl(addr);
donatien 0:632c9925f013 1213 return (addr >> IN_CLASSA_NSHIFT) == IN_LOOPBACKNET
donatien 0:632c9925f013 1214 || IN_MULTICAST(addr) || IN_BADCLASS(addr);
donatien 0:632c9925f013 1215 }
donatien 0:632c9925f013 1216
donatien 0:632c9925f013 1217 #if 0 /* UNUSED */ /* PAP_SUPPORT || CHAP_SUPPORT */
donatien 0:632c9925f013 1218 /*
donatien 0:632c9925f013 1219 * some_ip_ok - check a wordlist to see if it authorizes any
donatien 0:632c9925f013 1220 * IP address(es).
donatien 0:632c9925f013 1221 */
donatien 0:632c9925f013 1222 static int
donatien 0:632c9925f013 1223 some_ip_ok(struct wordlist *addrs)
donatien 0:632c9925f013 1224 {
donatien 0:632c9925f013 1225 for (; addrs != 0; addrs = addrs->next) {
donatien 0:632c9925f013 1226 if (addrs->word[0] == '-')
donatien 0:632c9925f013 1227 break;
donatien 0:632c9925f013 1228 if (addrs->word[0] != '!')
donatien 0:632c9925f013 1229 return 1; /* some IP address is allowed */
donatien 0:632c9925f013 1230 }
donatien 0:632c9925f013 1231 return 0;
donatien 0:632c9925f013 1232 }
donatien 0:632c9925f013 1233
donatien 0:632c9925f013 1234 /*
donatien 0:632c9925f013 1235 * check_access - complain if a secret file has too-liberal permissions.
donatien 0:632c9925f013 1236 */
donatien 0:632c9925f013 1237 static void
donatien 0:632c9925f013 1238 check_access(FILE *f, char *filename)
donatien 0:632c9925f013 1239 {
donatien 0:632c9925f013 1240 struct stat sbuf;
donatien 0:632c9925f013 1241
donatien 0:632c9925f013 1242 if (fstat(fileno(f), &sbuf) < 0) {
donatien 0:632c9925f013 1243 warn("cannot stat secret file %s: %m", filename);
donatien 0:632c9925f013 1244 } else if ((sbuf.st_mode & (S_IRWXG | S_IRWXO)) != 0) {
donatien 0:632c9925f013 1245 warn("Warning - secret file %s has world and/or group access",
donatien 0:632c9925f013 1246 filename);
donatien 0:632c9925f013 1247 }
donatien 0:632c9925f013 1248 }
donatien 0:632c9925f013 1249
donatien 0:632c9925f013 1250
donatien 0:632c9925f013 1251 /*
donatien 0:632c9925f013 1252 * scan_authfile - Scan an authorization file for a secret suitable
donatien 0:632c9925f013 1253 * for authenticating `client' on `server'. The return value is -1
donatien 0:632c9925f013 1254 * if no secret is found, otherwise >= 0. The return value has
donatien 0:632c9925f013 1255 * NONWILD_CLIENT set if the secret didn't have "*" for the client, and
donatien 0:632c9925f013 1256 * NONWILD_SERVER set if the secret didn't have "*" for the server.
donatien 0:632c9925f013 1257 * Any following words on the line up to a "--" (i.e. address authorization
donatien 0:632c9925f013 1258 * info) are placed in a wordlist and returned in *addrs. Any
donatien 0:632c9925f013 1259 * following words (extra options) are placed in a wordlist and
donatien 0:632c9925f013 1260 * returned in *opts.
donatien 0:632c9925f013 1261 * We assume secret is NULL or points to MAXWORDLEN bytes of space.
donatien 0:632c9925f013 1262 */
donatien 0:632c9925f013 1263 static int
donatien 0:632c9925f013 1264 scan_authfile(FILE *f, char *client, char *server, char *secret, struct wordlist **addrs, struct wordlist **opts, char *filename)
donatien 0:632c9925f013 1265 {
donatien 0:632c9925f013 1266 /* We do not (currently) need this in lwip */
donatien 0:632c9925f013 1267 return 0; /* dummy */
donatien 0:632c9925f013 1268 }
donatien 0:632c9925f013 1269 /*
donatien 0:632c9925f013 1270 * free_wordlist - release memory allocated for a wordlist.
donatien 0:632c9925f013 1271 */
donatien 0:632c9925f013 1272 static void
donatien 0:632c9925f013 1273 free_wordlist(struct wordlist *wp)
donatien 0:632c9925f013 1274 {
donatien 0:632c9925f013 1275 struct wordlist *next;
donatien 0:632c9925f013 1276
donatien 0:632c9925f013 1277 while (wp != NULL) {
donatien 0:632c9925f013 1278 next = wp->next;
donatien 0:632c9925f013 1279 free(wp);
donatien 0:632c9925f013 1280 wp = next;
donatien 0:632c9925f013 1281 }
donatien 0:632c9925f013 1282 }
donatien 0:632c9925f013 1283
donatien 0:632c9925f013 1284 /*
donatien 0:632c9925f013 1285 * auth_script_done - called when the auth-up or auth-down script
donatien 0:632c9925f013 1286 * has finished.
donatien 0:632c9925f013 1287 */
donatien 0:632c9925f013 1288 static void
donatien 0:632c9925f013 1289 auth_script_done(void *arg)
donatien 0:632c9925f013 1290 {
donatien 0:632c9925f013 1291 auth_script_pid = 0;
donatien 0:632c9925f013 1292 switch (auth_script_state) {
donatien 0:632c9925f013 1293 case s_up:
donatien 0:632c9925f013 1294 if (auth_state == s_down) {
donatien 0:632c9925f013 1295 auth_script_state = s_down;
donatien 0:632c9925f013 1296 auth_script(_PATH_AUTHDOWN);
donatien 0:632c9925f013 1297 }
donatien 0:632c9925f013 1298 break;
donatien 0:632c9925f013 1299 case s_down:
donatien 0:632c9925f013 1300 if (auth_state == s_up) {
donatien 0:632c9925f013 1301 auth_script_state = s_up;
donatien 0:632c9925f013 1302 auth_script(_PATH_AUTHUP);
donatien 0:632c9925f013 1303 }
donatien 0:632c9925f013 1304 break;
donatien 0:632c9925f013 1305 }
donatien 0:632c9925f013 1306 }
donatien 0:632c9925f013 1307
donatien 0:632c9925f013 1308 /*
donatien 0:632c9925f013 1309 * auth_script - execute a script with arguments
donatien 0:632c9925f013 1310 * interface-name peer-name real-user tty speed
donatien 0:632c9925f013 1311 */
donatien 0:632c9925f013 1312 static void
donatien 0:632c9925f013 1313 auth_script(char *script)
donatien 0:632c9925f013 1314 {
donatien 0:632c9925f013 1315 char strspeed[32];
donatien 0:632c9925f013 1316 struct passwd *pw;
donatien 0:632c9925f013 1317 char struid[32];
donatien 0:632c9925f013 1318 char *user_name;
donatien 0:632c9925f013 1319 char *argv[8];
donatien 0:632c9925f013 1320
donatien 0:632c9925f013 1321 if ((pw = getpwuid(getuid())) != NULL && pw->pw_name != NULL)
donatien 0:632c9925f013 1322 user_name = pw->pw_name;
donatien 0:632c9925f013 1323 else {
donatien 0:632c9925f013 1324 slprintf(struid, sizeof(struid), "%d", getuid());
donatien 0:632c9925f013 1325 user_name = struid;
donatien 0:632c9925f013 1326 }
donatien 0:632c9925f013 1327 slprintf(strspeed, sizeof(strspeed), "%d", baud_rate);
donatien 0:632c9925f013 1328
donatien 0:632c9925f013 1329 argv[0] = script;
donatien 0:632c9925f013 1330 argv[1] = ifname;
donatien 0:632c9925f013 1331 argv[2] = peer_authname;
donatien 0:632c9925f013 1332 argv[3] = user_name;
donatien 0:632c9925f013 1333 argv[4] = devnam;
donatien 0:632c9925f013 1334 argv[5] = strspeed;
donatien 0:632c9925f013 1335 argv[6] = NULL;
donatien 0:632c9925f013 1336
donatien 0:632c9925f013 1337 auth_script_pid = run_program(script, argv, 0, auth_script_done, NULL);
donatien 0:632c9925f013 1338 }
donatien 0:632c9925f013 1339 #endif /* 0 */ /* PAP_SUPPORT || CHAP_SUPPORT */
donatien 0:632c9925f013 1340 #endif /* PPP_SUPPORT */