Kenji Arai
/
mbed-os_TYBLE16
Important changes to repositories hosted on mbed.com
Mbed hosted mercurial repositories are deprecated and are due to be permanently deleted in July 2026.
To keep a copy of this software download the repository Zip archive or clone locally using Mercurial.
It is also possible to export all your personal repositories from the account settings page.
Dependents: TYBLE16_simple_data_logger TYBLE16_MP3_Air
Embed:
(wiki syntax)
Show/hide line numbers
auth.c
00001 /* 00002 * auth.c - PPP authentication and phase control. 00003 * 00004 * Copyright (c) 1993-2002 Paul Mackerras. All rights reserved. 00005 * 00006 * Redistribution and use in source and binary forms, with or without 00007 * modification, are permitted provided that the following conditions 00008 * are met: 00009 * 00010 * 1. Redistributions of source code must retain the above copyright 00011 * notice, this list of conditions and the following disclaimer. 00012 * 00013 * 2. The name(s) of the authors of this software must not be used to 00014 * endorse or promote products derived from this software without 00015 * prior written permission. 00016 * 00017 * 3. Redistributions of any form whatsoever must retain the following 00018 * acknowledgment: 00019 * "This product includes software developed by Paul Mackerras 00020 * <paulus@samba.org>". 00021 * 00022 * THE AUTHORS OF THIS SOFTWARE DISCLAIM ALL WARRANTIES WITH REGARD TO 00023 * THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY 00024 * AND FITNESS, IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY 00025 * SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 00026 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN 00027 * AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING 00028 * OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 00029 * 00030 * Derived from main.c, which is: 00031 * 00032 * Copyright (c) 1984-2000 Carnegie Mellon University. All rights reserved. 00033 * 00034 * Redistribution and use in source and binary forms, with or without 00035 * modification, are permitted provided that the following conditions 00036 * are met: 00037 * 00038 * 1. Redistributions of source code must retain the above copyright 00039 * notice, this list of conditions and the following disclaimer. 00040 * 00041 * 2. Redistributions in binary form must reproduce the above copyright 00042 * notice, this list of conditions and the following disclaimer in 00043 * the documentation and/or other materials provided with the 00044 * distribution. 00045 * 00046 * 3. The name "Carnegie Mellon University" must not be used to 00047 * endorse or promote products derived from this software without 00048 * prior written permission. For permission or any legal 00049 * details, please contact 00050 * Office of Technology Transfer 00051 * Carnegie Mellon University 00052 * 5000 Forbes Avenue 00053 * Pittsburgh, PA 15213-3890 00054 * (412) 268-4387, fax: (412) 268-7395 00055 * tech-transfer@andrew.cmu.edu 00056 * 00057 * 4. Redistributions of any form whatsoever must retain the following 00058 * acknowledgment: 00059 * "This product includes software developed by Computing Services 00060 * at Carnegie Mellon University (http://www.cmu.edu/computing/)." 00061 * 00062 * CARNEGIE MELLON UNIVERSITY DISCLAIMS ALL WARRANTIES WITH REGARD TO 00063 * THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY 00064 * AND FITNESS, IN NO EVENT SHALL CARNEGIE MELLON UNIVERSITY BE LIABLE 00065 * FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 00066 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN 00067 * AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING 00068 * OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 00069 */ 00070 00071 #include "ppp_opts.h" 00072 #if PPP_SUPPORT /* don't build if not configured for use in ppp_opts.h */ 00073 00074 #if 0 /* UNUSED */ 00075 #include <stdio.h> 00076 #include <stddef.h> 00077 #include <stdlib.h> 00078 #include <unistd.h> 00079 #include <errno.h> 00080 #include <pwd.h> 00081 #include <grp.h> 00082 #include <string.h> 00083 #include <sys/types.h> 00084 #include <sys/stat.h> 00085 #include <sys/socket.h> 00086 #include <utmp.h> 00087 #include <fcntl.h> 00088 #if defined(_PATH_LASTLOG) && defined(__linux__) 00089 #include <lastlog.h> 00090 #endif 00091 00092 #ifdef HAS_SHADOW 00093 #include <shadow.h> 00094 #ifndef PW_PPP 00095 #define PW_PPP PW_LOGIN 00096 #endif 00097 #endif 00098 00099 #include <time.h> 00100 #endif /* UNUSED */ 00101 00102 #include "ppp_impl.h" 00103 00104 #include "fsm.h" 00105 #include "lcp.h" 00106 #if CCP_SUPPORT 00107 #include "ccp.h" 00108 #endif /* CCP_SUPPORT */ 00109 #if ECP_SUPPORT 00110 #include "ecp.h" 00111 #endif /* ECP_SUPPORT */ 00112 #include "ipcp.h" 00113 #if PAP_SUPPORT 00114 #include "upap.h" 00115 #endif /* PAP_SUPPORT */ 00116 #if CHAP_SUPPORT 00117 #include "chap-new.h" 00118 #endif /* CHAP_SUPPORT */ 00119 #if EAP_SUPPORT 00120 #include "eap.h" 00121 #endif /* EAP_SUPPORT */ 00122 #if CBCP_SUPPORT 00123 #include "cbcp.h" 00124 #endif 00125 00126 #if 0 /* UNUSED */ 00127 #include "session.h" 00128 #endif /* UNUSED */ 00129 00130 #if 0 /* UNUSED */ 00131 /* Bits in scan_authfile return value */ 00132 #define NONWILD_SERVER 1 00133 #define NONWILD_CLIENT 2 00134 00135 #define ISWILD(word) (word[0] == '*' && word[1] == 0) 00136 #endif /* UNUSED */ 00137 00138 #if 0 /* UNUSED */ 00139 /* List of addresses which the peer may use. */ 00140 static struct permitted_ip *addresses[NUM_PPP]; 00141 00142 /* Wordlist giving addresses which the peer may use 00143 without authenticating itself. */ 00144 static struct wordlist *noauth_addrs; 00145 00146 /* Remote telephone number, if available */ 00147 char remote_number[MAXNAMELEN]; 00148 00149 /* Wordlist giving remote telephone numbers which may connect. */ 00150 static struct wordlist *permitted_numbers; 00151 00152 /* Extra options to apply, from the secrets file entry for the peer. */ 00153 static struct wordlist *extra_options; 00154 #endif /* UNUSED */ 00155 00156 #if 0 /* UNUSED */ 00157 /* Set if we require authentication only because we have a default route. */ 00158 static bool default_auth; 00159 00160 /* Hook to enable a plugin to control the idle time limit */ 00161 int (*idle_time_hook) (struct ppp_idle *) = NULL; 00162 00163 /* Hook for a plugin to say whether we can possibly authenticate any peer */ 00164 int (*pap_check_hook) (void) = NULL; 00165 00166 /* Hook for a plugin to check the PAP user and password */ 00167 int (*pap_auth_hook) (char *user, char *passwd, char **msgp, 00168 struct wordlist **paddrs, 00169 struct wordlist **popts) = NULL; 00170 00171 /* Hook for a plugin to know about the PAP user logout */ 00172 void (*pap_logout_hook) (void) = NULL; 00173 00174 /* Hook for a plugin to get the PAP password for authenticating us */ 00175 int (*pap_passwd_hook) (char *user, char *passwd) = NULL; 00176 00177 /* Hook for a plugin to say if we can possibly authenticate a peer using CHAP */ 00178 int (*chap_check_hook) (void) = NULL; 00179 00180 /* Hook for a plugin to get the CHAP password for authenticating us */ 00181 int (*chap_passwd_hook) (char *user, char *passwd) = NULL; 00182 00183 /* Hook for a plugin to say whether it is OK if the peer 00184 refuses to authenticate. */ 00185 int (*null_auth_hook) (struct wordlist **paddrs, 00186 struct wordlist **popts) = NULL; 00187 00188 int (*allowed_address_hook) (u32_t addr) = NULL; 00189 #endif /* UNUSED */ 00190 00191 #ifdef HAVE_MULTILINK 00192 /* Hook for plugin to hear when an interface joins a multilink bundle */ 00193 void (*multilink_join_hook) (void) = NULL; 00194 #endif 00195 00196 #if PPP_NOTIFY 00197 /* A notifier for when the peer has authenticated itself, 00198 and we are proceeding to the network phase. */ 00199 struct notifier *auth_up_notifier = NULL; 00200 00201 /* A notifier for when the link goes down. */ 00202 struct notifier *link_down_notifier = NULL; 00203 #endif /* PPP_NOTIFY */ 00204 00205 /* 00206 * Option variables. 00207 */ 00208 #if 0 /* MOVED TO ppp_settings */ 00209 bool uselogin = 0; /* Use /etc/passwd for checking PAP */ 00210 bool session_mgmt = 0; /* Do session management (login records) */ 00211 bool cryptpap = 0; /* Passwords in pap-secrets are encrypted */ 00212 bool refuse_pap = 0; /* Don't wanna auth. ourselves with PAP */ 00213 bool refuse_chap = 0; /* Don't wanna auth. ourselves with CHAP */ 00214 bool refuse_eap = 0; /* Don't wanna auth. ourselves with EAP */ 00215 #if MSCHAP_SUPPORT 00216 bool refuse_mschap = 0; /* Don't wanna auth. ourselves with MS-CHAP */ 00217 bool refuse_mschap_v2 = 0; /* Don't wanna auth. ourselves with MS-CHAPv2 */ 00218 #else /* MSCHAP_SUPPORT */ 00219 bool refuse_mschap = 1; /* Don't wanna auth. ourselves with MS-CHAP */ 00220 bool refuse_mschap_v2 = 1; /* Don't wanna auth. ourselves with MS-CHAPv2 */ 00221 #endif /* MSCHAP_SUPPORT */ 00222 bool usehostname = 0; /* Use hostname for our_name */ 00223 bool auth_required = 0; /* Always require authentication from peer */ 00224 bool allow_any_ip = 0; /* Allow peer to use any IP address */ 00225 bool explicit_remote = 0; /* User specified explicit remote name */ 00226 bool explicit_user = 0; /* Set if "user" option supplied */ 00227 bool explicit_passwd = 0; /* Set if "password" option supplied */ 00228 char remote_name[MAXNAMELEN]; /* Peer's name for authentication */ 00229 static char *uafname; /* name of most recent +ua file */ 00230 00231 extern char *crypt (const char *, const char *); 00232 #endif /* UNUSED */ 00233 /* Prototypes for procedures local to this file. */ 00234 00235 static void network_phase(ppp_pcb *pcb); 00236 #if PPP_IDLETIMELIMIT 00237 static void check_idle(void *arg); 00238 #endif /* PPP_IDLETIMELIMIT */ 00239 #if PPP_MAXCONNECT 00240 static void connect_time_expired(void *arg); 00241 #endif /* PPP_MAXCONNECT */ 00242 #if 0 /* UNUSED */ 00243 static int null_login (int); 00244 /* static int get_pap_passwd (char *); */ 00245 static int have_pap_secret (int *); 00246 static int have_chap_secret (char *, char *, int, int *); 00247 static int have_srp_secret (char *client, char *server, int need_ip, 00248 int *lacks_ipp); 00249 static int ip_addr_check (u32_t, struct permitted_ip *); 00250 static int scan_authfile (FILE *, char *, char *, char *, 00251 struct wordlist **, struct wordlist **, 00252 char *, int); 00253 static void free_wordlist (struct wordlist *); 00254 static void set_allowed_addrs (int, struct wordlist *, struct wordlist *); 00255 static int some_ip_ok (struct wordlist *); 00256 static int setupapfile (char **); 00257 static int privgroup (char **); 00258 static int set_noauth_addr (char **); 00259 static int set_permitted_number (char **); 00260 static void check_access (FILE *, char *); 00261 static int wordlist_count (struct wordlist *); 00262 #endif /* UNUSED */ 00263 00264 #ifdef MAXOCTETS 00265 static void check_maxoctets (void *); 00266 #endif 00267 00268 #if PPP_OPTIONS 00269 /* 00270 * Authentication-related options. 00271 */ 00272 option_t auth_options[] = { 00273 { "auth", o_bool, &auth_required, 00274 "Require authentication from peer", OPT_PRIO | 1 }, 00275 { "noauth", o_bool, &auth_required, 00276 "Don't require peer to authenticate", OPT_PRIOSUB | OPT_PRIV, 00277 &allow_any_ip }, 00278 { "require-pap", o_bool, &lcp_wantoptions[0].neg_upap, 00279 "Require PAP authentication from peer", 00280 OPT_PRIOSUB | 1, &auth_required }, 00281 { "+pap", o_bool, &lcp_wantoptions[0].neg_upap, 00282 "Require PAP authentication from peer", 00283 OPT_ALIAS | OPT_PRIOSUB | 1, &auth_required }, 00284 { "require-chap", o_bool, &auth_required, 00285 "Require CHAP authentication from peer", 00286 OPT_PRIOSUB | OPT_A2OR | MDTYPE_MD5, 00287 &lcp_wantoptions[0].chap_mdtype }, 00288 { "+chap", o_bool, &auth_required, 00289 "Require CHAP authentication from peer", 00290 OPT_ALIAS | OPT_PRIOSUB | OPT_A2OR | MDTYPE_MD5, 00291 &lcp_wantoptions[0].chap_mdtype }, 00292 #if MSCHAP_SUPPORT 00293 { "require-mschap", o_bool, &auth_required, 00294 "Require MS-CHAP authentication from peer", 00295 OPT_PRIOSUB | OPT_A2OR | MDTYPE_MICROSOFT, 00296 &lcp_wantoptions[0].chap_mdtype }, 00297 { "+mschap", o_bool, &auth_required, 00298 "Require MS-CHAP authentication from peer", 00299 OPT_ALIAS | OPT_PRIOSUB | OPT_A2OR | MDTYPE_MICROSOFT, 00300 &lcp_wantoptions[0].chap_mdtype }, 00301 { "require-mschap-v2", o_bool, &auth_required, 00302 "Require MS-CHAPv2 authentication from peer", 00303 OPT_PRIOSUB | OPT_A2OR | MDTYPE_MICROSOFT_V2, 00304 &lcp_wantoptions[0].chap_mdtype }, 00305 { "+mschap-v2", o_bool, &auth_required, 00306 "Require MS-CHAPv2 authentication from peer", 00307 OPT_ALIAS | OPT_PRIOSUB | OPT_A2OR | MDTYPE_MICROSOFT_V2, 00308 &lcp_wantoptions[0].chap_mdtype }, 00309 #endif /* MSCHAP_SUPPORT */ 00310 #if 0 00311 { "refuse-pap", o_bool, &refuse_pap, 00312 "Don't agree to auth to peer with PAP", 1 }, 00313 { "-pap", o_bool, &refuse_pap, 00314 "Don't allow PAP authentication with peer", OPT_ALIAS | 1 }, 00315 { "refuse-chap", o_bool, &refuse_chap, 00316 "Don't agree to auth to peer with CHAP", 00317 OPT_A2CLRB | MDTYPE_MD5, 00318 &lcp_allowoptions[0].chap_mdtype }, 00319 { "-chap", o_bool, &refuse_chap, 00320 "Don't allow CHAP authentication with peer", 00321 OPT_ALIAS | OPT_A2CLRB | MDTYPE_MD5, 00322 &lcp_allowoptions[0].chap_mdtype }, 00323 #endif 00324 #if MSCHAP_SUPPORT 00325 #if 0 00326 { "refuse-mschap", o_bool, &refuse_mschap, 00327 "Don't agree to auth to peer with MS-CHAP", 00328 OPT_A2CLRB | MDTYPE_MICROSOFT, 00329 &lcp_allowoptions[0].chap_mdtype }, 00330 { "-mschap", o_bool, &refuse_mschap, 00331 "Don't allow MS-CHAP authentication with peer", 00332 OPT_ALIAS | OPT_A2CLRB | MDTYPE_MICROSOFT, 00333 &lcp_allowoptions[0].chap_mdtype }, 00334 { "refuse-mschap-v2", o_bool, &refuse_mschap_v2, 00335 "Don't agree to auth to peer with MS-CHAPv2", 00336 OPT_A2CLRB | MDTYPE_MICROSOFT_V2, 00337 &lcp_allowoptions[0].chap_mdtype }, 00338 { "-mschap-v2", o_bool, &refuse_mschap_v2, 00339 "Don't allow MS-CHAPv2 authentication with peer", 00340 OPT_ALIAS | OPT_A2CLRB | MDTYPE_MICROSOFT_V2, 00341 &lcp_allowoptions[0].chap_mdtype }, 00342 #endif 00343 #endif /* MSCHAP_SUPPORT*/ 00344 #if EAP_SUPPORT 00345 { "require-eap", o_bool, &lcp_wantoptions[0].neg_eap, 00346 "Require EAP authentication from peer", OPT_PRIOSUB | 1, 00347 &auth_required }, 00348 #if 0 00349 { "refuse-eap", o_bool, &refuse_eap, 00350 "Don't agree to authenticate to peer with EAP", 1 }, 00351 #endif 00352 #endif /* EAP_SUPPORT */ 00353 { "name", o_string, our_name, 00354 "Set local name for authentication", 00355 OPT_PRIO | OPT_PRIV | OPT_STATIC, NULL, MAXNAMELEN }, 00356 00357 { "+ua", o_special, (void *)setupapfile, 00358 "Get PAP user and password from file", 00359 OPT_PRIO | OPT_A2STRVAL, &uafname }, 00360 00361 #if 0 00362 { "user", o_string, user, 00363 "Set name for auth with peer", OPT_PRIO | OPT_STATIC, 00364 &explicit_user, MAXNAMELEN }, 00365 00366 { "password", o_string, passwd, 00367 "Password for authenticating us to the peer", 00368 OPT_PRIO | OPT_STATIC | OPT_HIDE, 00369 &explicit_passwd, MAXSECRETLEN }, 00370 #endif 00371 00372 { "usehostname", o_bool, &usehostname, 00373 "Must use hostname for authentication", 1 }, 00374 00375 { "remotename", o_string, remote_name, 00376 "Set remote name for authentication", OPT_PRIO | OPT_STATIC, 00377 &explicit_remote, MAXNAMELEN }, 00378 00379 { "login", o_bool, &uselogin, 00380 "Use system password database for PAP", OPT_A2COPY | 1 , 00381 &session_mgmt }, 00382 { "enable-session", o_bool, &session_mgmt, 00383 "Enable session accounting for remote peers", OPT_PRIV | 1 }, 00384 00385 { "papcrypt", o_bool, &cryptpap, 00386 "PAP passwords are encrypted", 1 }, 00387 00388 { "privgroup", o_special, (void *)privgroup, 00389 "Allow group members to use privileged options", OPT_PRIV | OPT_A2LIST }, 00390 00391 { "allow-ip", o_special, (void *)set_noauth_addr, 00392 "Set IP address(es) which can be used without authentication", 00393 OPT_PRIV | OPT_A2LIST }, 00394 00395 { "remotenumber", o_string, remote_number, 00396 "Set remote telephone number for authentication", OPT_PRIO | OPT_STATIC, 00397 NULL, MAXNAMELEN }, 00398 00399 { "allow-number", o_special, (void *)set_permitted_number, 00400 "Set telephone number(s) which are allowed to connect", 00401 OPT_PRIV | OPT_A2LIST }, 00402 00403 { NULL } 00404 }; 00405 #endif /* PPP_OPTIONS */ 00406 00407 #if 0 /* UNUSED */ 00408 /* 00409 * setupapfile - specifies UPAP info for authenticating with peer. 00410 */ 00411 static int 00412 setupapfile(argv) 00413 char **argv; 00414 { 00415 FILE *ufile; 00416 int l; 00417 uid_t euid; 00418 char u[MAXNAMELEN], p[MAXSECRETLEN]; 00419 char *fname; 00420 00421 lcp_allowoptions[0].neg_upap = 1; 00422 00423 /* open user info file */ 00424 fname = strdup(*argv); 00425 if (fname == NULL) 00426 novm("+ua file name"); 00427 euid = geteuid(); 00428 if (seteuid(getuid()) == -1) { 00429 option_error("unable to reset uid before opening %s: %m", fname); 00430 return 0; 00431 } 00432 ufile = fopen(fname, "r"); 00433 if (seteuid(euid) == -1) 00434 fatal("unable to regain privileges: %m"); 00435 if (ufile == NULL) { 00436 option_error("unable to open user login data file %s", fname); 00437 return 0; 00438 } 00439 check_access(ufile, fname); 00440 uafname = fname; 00441 00442 /* get username */ 00443 if (fgets(u, MAXNAMELEN - 1, ufile) == NULL 00444 || fgets(p, MAXSECRETLEN - 1, ufile) == NULL) { 00445 fclose(ufile); 00446 option_error("unable to read user login data file %s", fname); 00447 return 0; 00448 } 00449 fclose(ufile); 00450 00451 /* get rid of newlines */ 00452 l = strlen(u); 00453 if (l > 0 && u[l-1] == '\n') 00454 u[l-1] = 0; 00455 l = strlen(p); 00456 if (l > 0 && p[l-1] == '\n') 00457 p[l-1] = 0; 00458 00459 if (override_value("user", option_priority, fname)) { 00460 strlcpy(ppp_settings.user, u, sizeof(ppp_settings.user)); 00461 explicit_user = 1; 00462 } 00463 if (override_value("passwd", option_priority, fname)) { 00464 strlcpy(ppp_settings.passwd, p, sizeof(ppp_settings.passwd)); 00465 explicit_passwd = 1; 00466 } 00467 00468 return (1); 00469 } 00470 00471 /* 00472 * privgroup - allow members of the group to have privileged access. 00473 */ 00474 static int 00475 privgroup(argv) 00476 char **argv; 00477 { 00478 struct group *g; 00479 int i; 00480 00481 g = getgrnam(*argv); 00482 if (g == 0) { 00483 option_error("group %s is unknown", *argv); 00484 return 0; 00485 } 00486 for (i = 0; i < ngroups; ++i) { 00487 if (groups[i] == g->gr_gid) { 00488 privileged = 1; 00489 break; 00490 } 00491 } 00492 return 1; 00493 } 00494 00495 00496 /* 00497 * set_noauth_addr - set address(es) that can be used without authentication. 00498 * Equivalent to specifying an entry like `"" * "" addr' in pap-secrets. 00499 */ 00500 static int 00501 set_noauth_addr(argv) 00502 char **argv; 00503 { 00504 char *addr = *argv; 00505 int l = strlen(addr) + 1; 00506 struct wordlist *wp; 00507 00508 wp = (struct wordlist *) malloc(sizeof(struct wordlist) + l); 00509 if (wp == NULL) 00510 novm("allow-ip argument"); 00511 wp->word = (char *) (wp + 1); 00512 wp->next = noauth_addrs; 00513 MEMCPY(wp->word, addr, l); 00514 noauth_addrs = wp; 00515 return 1; 00516 } 00517 00518 00519 /* 00520 * set_permitted_number - set remote telephone number(s) that may connect. 00521 */ 00522 static int 00523 set_permitted_number(argv) 00524 char **argv; 00525 { 00526 char *number = *argv; 00527 int l = strlen(number) + 1; 00528 struct wordlist *wp; 00529 00530 wp = (struct wordlist *) malloc(sizeof(struct wordlist) + l); 00531 if (wp == NULL) 00532 novm("allow-number argument"); 00533 wp->word = (char *) (wp + 1); 00534 wp->next = permitted_numbers; 00535 MEMCPY(wp->word, number, l); 00536 permitted_numbers = wp; 00537 return 1; 00538 } 00539 #endif 00540 00541 /* 00542 * An Open on LCP has requested a change from Dead to Establish phase. 00543 */ 00544 void link_required(ppp_pcb *pcb) { 00545 PPP_UNUSED_ARG(pcb); 00546 } 00547 00548 #if 0 00549 /* 00550 * Bring the link up to the point of being able to do ppp. 00551 */ 00552 void start_link(unit) 00553 int unit; 00554 { 00555 ppp_pcb *pcb = &ppp_pcb_list[unit]; 00556 char *msg; 00557 00558 status = EXIT_NEGOTIATION_FAILED; 00559 new_phase(pcb, PPP_PHASE_SERIALCONN); 00560 00561 hungup = 0; 00562 devfd = the_channel->connect(); 00563 msg = "Connect script failed"; 00564 if (devfd < 0) 00565 goto fail; 00566 00567 /* set up the serial device as a ppp interface */ 00568 /* 00569 * N.B. we used to do tdb_writelock/tdb_writeunlock around this 00570 * (from establish_ppp to set_ifunit). However, we won't be 00571 * doing the set_ifunit in multilink mode, which is the only time 00572 * we need the atomicity that the tdb_writelock/tdb_writeunlock 00573 * gives us. Thus we don't need the tdb_writelock/tdb_writeunlock. 00574 */ 00575 fd_ppp = the_channel->establish_ppp(devfd); 00576 msg = "ppp establishment failed"; 00577 if (fd_ppp < 0) { 00578 status = EXIT_FATAL_ERROR; 00579 goto disconnect; 00580 } 00581 00582 if (!demand && ifunit >= 0) 00583 set_ifunit(1); 00584 00585 /* 00586 * Start opening the connection and wait for 00587 * incoming events (reply, timeout, etc.). 00588 */ 00589 if (ifunit >= 0) 00590 ppp_notice("Connect: %s <--> %s", ifname, ppp_devnam); 00591 else 00592 ppp_notice("Starting negotiation on %s", ppp_devnam); 00593 add_fd(fd_ppp); 00594 00595 new_phase(pcb, PPP_PHASE_ESTABLISH); 00596 00597 lcp_lowerup(pcb); 00598 return; 00599 00600 disconnect: 00601 new_phase(pcb, PPP_PHASE_DISCONNECT); 00602 if (the_channel->disconnect) 00603 the_channel->disconnect(); 00604 00605 fail: 00606 new_phase(pcb, PPP_PHASE_DEAD); 00607 if (the_channel->cleanup) 00608 (*the_channel->cleanup)(); 00609 } 00610 #endif 00611 00612 /* 00613 * LCP has terminated the link; go to the Dead phase and take the 00614 * physical layer down. 00615 */ 00616 void link_terminated(ppp_pcb *pcb) { 00617 if (pcb->phase == PPP_PHASE_DEAD 00618 #ifdef HAVE_MULTILINK 00619 || pcb->phase == PPP_PHASE_MASTER 00620 #endif /* HAVE_MULTILINK */ 00621 ) 00622 return; 00623 new_phase(pcb, PPP_PHASE_DISCONNECT); 00624 00625 #if 0 /* UNUSED */ 00626 if (pap_logout_hook) { 00627 pap_logout_hook(); 00628 } 00629 session_end(devnam); 00630 #endif /* UNUSED */ 00631 00632 if (!doing_multilink) { 00633 ppp_notice("Connection terminated."); 00634 #if PPP_STATS_SUPPORT 00635 print_link_stats(); 00636 #endif /* PPP_STATS_SUPPORT */ 00637 } else 00638 ppp_notice("Link terminated."); 00639 00640 lcp_lowerdown(pcb); 00641 00642 ppp_link_terminated(pcb); 00643 #if 0 00644 /* 00645 * Delete pid files before disestablishing ppp. Otherwise it 00646 * can happen that another pppd gets the same unit and then 00647 * we delete its pid file. 00648 */ 00649 if (!doing_multilink && !demand) 00650 remove_pidfiles(); 00651 00652 /* 00653 * If we may want to bring the link up again, transfer 00654 * the ppp unit back to the loopback. Set the 00655 * real serial device back to its normal mode of operation. 00656 */ 00657 if (fd_ppp >= 0) { 00658 remove_fd(fd_ppp); 00659 clean_check(); 00660 the_channel->disestablish_ppp(devfd); 00661 if (doing_multilink) 00662 mp_exit_bundle(); 00663 fd_ppp = -1; 00664 } 00665 if (!hungup) 00666 lcp_lowerdown(pcb); 00667 if (!doing_multilink && !demand) 00668 script_unsetenv("IFNAME"); 00669 00670 /* 00671 * Run disconnector script, if requested. 00672 * XXX we may not be able to do this if the line has hung up! 00673 */ 00674 if (devfd >= 0 && the_channel->disconnect) { 00675 the_channel->disconnect(); 00676 devfd = -1; 00677 } 00678 if (the_channel->cleanup) 00679 (*the_channel->cleanup)(); 00680 00681 if (doing_multilink && multilink_master) { 00682 if (!bundle_terminating) 00683 new_phase(pcb, PPP_PHASE_MASTER); 00684 else 00685 mp_bundle_terminated(); 00686 } else 00687 new_phase(pcb, PPP_PHASE_DEAD); 00688 #endif 00689 } 00690 00691 /* 00692 * LCP has gone down; it will either die or try to re-establish. 00693 */ 00694 void link_down(ppp_pcb *pcb) { 00695 #if PPP_NOTIFY 00696 notify(link_down_notifier, 0); 00697 #endif /* PPP_NOTIFY */ 00698 00699 if (!doing_multilink) { 00700 upper_layers_down(pcb); 00701 if (pcb->phase != PPP_PHASE_DEAD 00702 #ifdef HAVE_MULTILINK 00703 && pcb->phase != PPP_PHASE_MASTER 00704 #endif /* HAVE_MULTILINK */ 00705 ) 00706 new_phase(pcb, PPP_PHASE_ESTABLISH); 00707 } 00708 /* XXX if doing_multilink, should do something to stop 00709 network-layer traffic on the link */ 00710 } 00711 00712 void upper_layers_down(ppp_pcb *pcb) { 00713 int i; 00714 const struct protent *protp; 00715 00716 for (i = 0; (protp = protocols[i]) != NULL; ++i) { 00717 if (protp->protocol != PPP_LCP && protp->lowerdown != NULL) 00718 (*protp->lowerdown)(pcb); 00719 if (protp->protocol < 0xC000 && protp->close != NULL) 00720 (*protp->close)(pcb, "LCP down"); 00721 } 00722 pcb->num_np_open = 0; 00723 pcb->num_np_up = 0; 00724 } 00725 00726 /* 00727 * The link is established. 00728 * Proceed to the Dead, Authenticate or Network phase as appropriate. 00729 */ 00730 void link_established(ppp_pcb *pcb) { 00731 #if PPP_AUTH_SUPPORT 00732 int auth; 00733 #if PPP_SERVER 00734 #if PAP_SUPPORT 00735 lcp_options *wo = &pcb->lcp_wantoptions; 00736 #endif /* PAP_SUPPORT */ 00737 lcp_options *go = &pcb->lcp_gotoptions; 00738 #endif /* PPP_SERVER */ 00739 lcp_options *ho = &pcb->lcp_hisoptions; 00740 #endif /* PPP_AUTH_SUPPORT */ 00741 int i; 00742 const struct protent *protp; 00743 00744 /* 00745 * Tell higher-level protocols that LCP is up. 00746 */ 00747 if (!doing_multilink) { 00748 for (i = 0; (protp = protocols[i]) != NULL; ++i) 00749 if (protp->protocol != PPP_LCP 00750 && protp->lowerup != NULL) 00751 (*protp->lowerup)(pcb); 00752 } 00753 00754 #if PPP_AUTH_SUPPORT 00755 #if PPP_SERVER 00756 #if PPP_ALLOWED_ADDRS 00757 if (!auth_required && noauth_addrs != NULL) 00758 set_allowed_addrs(unit, NULL, NULL); 00759 #endif /* PPP_ALLOWED_ADDRS */ 00760 00761 if (pcb->settings.auth_required && !(0 00762 #if PAP_SUPPORT 00763 || go->neg_upap 00764 #endif /* PAP_SUPPORT */ 00765 #if CHAP_SUPPORT 00766 || go->neg_chap 00767 #endif /* CHAP_SUPPORT */ 00768 #if EAP_SUPPORT 00769 || go->neg_eap 00770 #endif /* EAP_SUPPORT */ 00771 )) { 00772 00773 #if PPP_ALLOWED_ADDRS 00774 /* 00775 * We wanted the peer to authenticate itself, and it refused: 00776 * if we have some address(es) it can use without auth, fine, 00777 * otherwise treat it as though it authenticated with PAP using 00778 * a username of "" and a password of "". If that's not OK, 00779 * boot it out. 00780 */ 00781 if (noauth_addrs != NULL) { 00782 set_allowed_addrs(unit, NULL, NULL); 00783 } else 00784 #endif /* PPP_ALLOWED_ADDRS */ 00785 if (!pcb->settings.null_login 00786 #if PAP_SUPPORT 00787 || !wo->neg_upap 00788 #endif /* PAP_SUPPORT */ 00789 ) { 00790 ppp_warn("peer refused to authenticate: terminating link"); 00791 #if 0 /* UNUSED */ 00792 status = EXIT_PEER_AUTH_FAILED; 00793 #endif /* UNUSED */ 00794 pcb->err_code = PPPERR_AUTHFAIL; 00795 lcp_close(pcb, "peer refused to authenticate"); 00796 return; 00797 } 00798 } 00799 #endif /* PPP_SERVER */ 00800 00801 new_phase(pcb, PPP_PHASE_AUTHENTICATE); 00802 auth = 0; 00803 #if PPP_SERVER 00804 #if EAP_SUPPORT 00805 if (go->neg_eap) { 00806 eap_authpeer(pcb, PPP_OUR_NAME); 00807 auth |= EAP_PEER; 00808 } else 00809 #endif /* EAP_SUPPORT */ 00810 #if CHAP_SUPPORT 00811 if (go->neg_chap) { 00812 chap_auth_peer(pcb, PPP_OUR_NAME, CHAP_DIGEST(go->chap_mdtype)); 00813 auth |= CHAP_PEER; 00814 } else 00815 #endif /* CHAP_SUPPORT */ 00816 #if PAP_SUPPORT 00817 if (go->neg_upap) { 00818 upap_authpeer(pcb); 00819 auth |= PAP_PEER; 00820 } else 00821 #endif /* PAP_SUPPORT */ 00822 {} 00823 #endif /* PPP_SERVER */ 00824 00825 #if EAP_SUPPORT 00826 if (ho->neg_eap) { 00827 eap_authwithpeer(pcb, pcb->settings.user); 00828 auth |= EAP_WITHPEER; 00829 } else 00830 #endif /* EAP_SUPPORT */ 00831 #if CHAP_SUPPORT 00832 if (ho->neg_chap) { 00833 chap_auth_with_peer(pcb, pcb->settings.user, CHAP_DIGEST(ho->chap_mdtype)); 00834 auth |= CHAP_WITHPEER; 00835 } else 00836 #endif /* CHAP_SUPPORT */ 00837 #if PAP_SUPPORT 00838 if (ho->neg_upap) { 00839 upap_authwithpeer(pcb, pcb->settings.user, pcb->settings.passwd); 00840 auth |= PAP_WITHPEER; 00841 } else 00842 #endif /* PAP_SUPPORT */ 00843 {} 00844 00845 pcb->auth_pending = auth; 00846 pcb->auth_done = 0; 00847 00848 if (!auth) 00849 #endif /* PPP_AUTH_SUPPORT */ 00850 network_phase(pcb); 00851 } 00852 00853 /* 00854 * Proceed to the network phase. 00855 */ 00856 static void network_phase(ppp_pcb *pcb) { 00857 #if CBCP_SUPPORT 00858 ppp_pcb *pcb = &ppp_pcb_list[unit]; 00859 #endif 00860 #if 0 /* UNUSED */ 00861 lcp_options *go = &lcp_gotoptions[unit]; 00862 #endif /* UNUSED */ 00863 00864 #if 0 /* UNUSED */ 00865 /* Log calling number. */ 00866 if (*remote_number) 00867 ppp_notice("peer from calling number %q authorized", remote_number); 00868 #endif /* UNUSED */ 00869 00870 #if PPP_NOTIFY 00871 /* 00872 * If the peer had to authenticate, notify it now. 00873 */ 00874 if (0 00875 #if CHAP_SUPPORT 00876 || go->neg_chap 00877 #endif /* CHAP_SUPPORT */ 00878 #if PAP_SUPPORT 00879 || go->neg_upap 00880 #endif /* PAP_SUPPORT */ 00881 #if EAP_SUPPORT 00882 || go->neg_eap 00883 #endif /* EAP_SUPPORT */ 00884 ) { 00885 notify(auth_up_notifier, 0); 00886 } 00887 #endif /* PPP_NOTIFY */ 00888 00889 #if CBCP_SUPPORT 00890 /* 00891 * If we negotiated callback, do it now. 00892 */ 00893 if (go->neg_cbcp) { 00894 new_phase(pcb, PPP_PHASE_CALLBACK); 00895 (*cbcp_protent.open)(pcb); 00896 return; 00897 } 00898 #endif 00899 00900 #if PPP_OPTIONS 00901 /* 00902 * Process extra options from the secrets file 00903 */ 00904 if (extra_options) { 00905 options_from_list(extra_options, 1); 00906 free_wordlist(extra_options); 00907 extra_options = 0; 00908 } 00909 #endif /* PPP_OPTIONS */ 00910 start_networks(pcb); 00911 } 00912 00913 void start_networks(ppp_pcb *pcb) { 00914 #if CCP_SUPPORT || ECP_SUPPORT 00915 int i; 00916 const struct protent *protp; 00917 #endif /* CCP_SUPPORT || ECP_SUPPORT */ 00918 00919 new_phase(pcb, PPP_PHASE_NETWORK); 00920 00921 #ifdef HAVE_MULTILINK 00922 if (multilink) { 00923 if (mp_join_bundle()) { 00924 if (multilink_join_hook) 00925 (*multilink_join_hook)(); 00926 if (updetach && !nodetach) 00927 detach(); 00928 return; 00929 } 00930 } 00931 #endif /* HAVE_MULTILINK */ 00932 00933 #ifdef PPP_FILTER 00934 if (!demand) 00935 set_filters(&pass_filter, &active_filter); 00936 #endif 00937 #if CCP_SUPPORT || ECP_SUPPORT 00938 /* Start CCP and ECP */ 00939 for (i = 0; (protp = protocols[i]) != NULL; ++i) 00940 if ( 00941 (0 00942 #if ECP_SUPPORT 00943 || protp->protocol == PPP_ECP 00944 #endif /* ECP_SUPPORT */ 00945 #if CCP_SUPPORT 00946 || protp->protocol == PPP_CCP 00947 #endif /* CCP_SUPPORT */ 00948 ) 00949 && protp->open != NULL) 00950 (*protp->open)(pcb); 00951 #endif /* CCP_SUPPORT || ECP_SUPPORT */ 00952 00953 /* 00954 * Bring up other network protocols iff encryption is not required. 00955 */ 00956 if (1 00957 #if ECP_SUPPORT 00958 && !ecp_gotoptions[unit].required 00959 #endif /* ECP_SUPPORT */ 00960 #if MPPE_SUPPORT 00961 && !pcb->ccp_gotoptions.mppe 00962 #endif /* MPPE_SUPPORT */ 00963 ) 00964 continue_networks(pcb); 00965 } 00966 00967 void continue_networks(ppp_pcb *pcb) { 00968 int i; 00969 const struct protent *protp; 00970 00971 /* 00972 * Start the "real" network protocols. 00973 */ 00974 for (i = 0; (protp = protocols[i]) != NULL; ++i) 00975 if (protp->protocol < 0xC000 00976 #if CCP_SUPPORT 00977 && protp->protocol != PPP_CCP 00978 #endif /* CCP_SUPPORT */ 00979 #if ECP_SUPPORT 00980 && protp->protocol != PPP_ECP 00981 #endif /* ECP_SUPPORT */ 00982 && protp->open != NULL) { 00983 (*protp->open)(pcb); 00984 ++pcb->num_np_open; 00985 } 00986 00987 if (pcb->num_np_open == 0) 00988 /* nothing to do */ 00989 lcp_close(pcb, "No network protocols running"); 00990 } 00991 00992 #if PPP_AUTH_SUPPORT 00993 #if PPP_SERVER 00994 /* 00995 * auth_check_passwd - Check the user name and passwd against configuration. 00996 * 00997 * returns: 00998 * 0: Authentication failed. 00999 * 1: Authentication succeeded. 01000 * In either case, msg points to an appropriate message and msglen to the message len. 01001 */ 01002 int auth_check_passwd(ppp_pcb *pcb, char *auser, int userlen, char *apasswd, int passwdlen, const char **msg, int *msglen) { 01003 int secretuserlen; 01004 int secretpasswdlen; 01005 01006 if (pcb->settings.user && pcb->settings.passwd) { 01007 secretuserlen = (int)strlen(pcb->settings.user); 01008 secretpasswdlen = (int)strlen(pcb->settings.passwd); 01009 if (secretuserlen == userlen 01010 && secretpasswdlen == passwdlen 01011 && !memcmp(auser, pcb->settings.user, userlen) 01012 && !memcmp(apasswd, pcb->settings.passwd, passwdlen) ) { 01013 *msg = "Login ok"; 01014 *msglen = sizeof("Login ok")-1; 01015 return 1; 01016 } 01017 } 01018 01019 *msg = "Login incorrect"; 01020 *msglen = sizeof("Login incorrect")-1; 01021 return 0; 01022 } 01023 01024 /* 01025 * The peer has failed to authenticate himself using `protocol'. 01026 */ 01027 void auth_peer_fail(ppp_pcb *pcb, int protocol) { 01028 PPP_UNUSED_ARG(protocol); 01029 /* 01030 * Authentication failure: take the link down 01031 */ 01032 #if 0 /* UNUSED */ 01033 status = EXIT_PEER_AUTH_FAILED; 01034 #endif /* UNUSED */ 01035 pcb->err_code = PPPERR_AUTHFAIL; 01036 lcp_close(pcb, "Authentication failed"); 01037 } 01038 01039 /* 01040 * The peer has been successfully authenticated using `protocol'. 01041 */ 01042 void auth_peer_success(ppp_pcb *pcb, int protocol, int prot_flavor, const char *name, int namelen) { 01043 int bit; 01044 #ifndef HAVE_MULTILINK 01045 PPP_UNUSED_ARG(name); 01046 PPP_UNUSED_ARG(namelen); 01047 #endif /* HAVE_MULTILINK */ 01048 01049 switch (protocol) { 01050 #if CHAP_SUPPORT 01051 case PPP_CHAP: 01052 bit = CHAP_PEER; 01053 switch (prot_flavor) { 01054 case CHAP_MD5: 01055 bit |= CHAP_MD5_PEER; 01056 break; 01057 #if MSCHAP_SUPPORT 01058 case CHAP_MICROSOFT: 01059 bit |= CHAP_MS_PEER; 01060 break; 01061 case CHAP_MICROSOFT_V2: 01062 bit |= CHAP_MS2_PEER; 01063 break; 01064 #endif /* MSCHAP_SUPPORT */ 01065 default: 01066 break; 01067 } 01068 break; 01069 #endif /* CHAP_SUPPORT */ 01070 #if PAP_SUPPORT 01071 case PPP_PAP: 01072 bit = PAP_PEER; 01073 break; 01074 #endif /* PAP_SUPPORT */ 01075 #if EAP_SUPPORT 01076 case PPP_EAP: 01077 bit = EAP_PEER; 01078 break; 01079 #endif /* EAP_SUPPORT */ 01080 default: 01081 ppp_warn("auth_peer_success: unknown protocol %x", protocol); 01082 return; 01083 } 01084 01085 #ifdef HAVE_MULTILINK 01086 /* 01087 * Save the authenticated name of the peer for later. 01088 */ 01089 if (namelen > (int)sizeof(pcb->peer_authname) - 1) 01090 namelen = (int)sizeof(pcb->peer_authname) - 1; 01091 MEMCPY(pcb->peer_authname, name, namelen); 01092 pcb->peer_authname[namelen] = 0; 01093 #endif /* HAVE_MULTILINK */ 01094 #if 0 /* UNUSED */ 01095 script_setenv("PEERNAME", , 0); 01096 #endif /* UNUSED */ 01097 01098 /* Save the authentication method for later. */ 01099 pcb->auth_done |= bit; 01100 01101 /* 01102 * If there is no more authentication still to be done, 01103 * proceed to the network (or callback) phase. 01104 */ 01105 if ((pcb->auth_pending &= ~bit) == 0) 01106 network_phase(pcb); 01107 } 01108 #endif /* PPP_SERVER */ 01109 01110 /* 01111 * We have failed to authenticate ourselves to the peer using `protocol'. 01112 */ 01113 void auth_withpeer_fail(ppp_pcb *pcb, int protocol) { 01114 PPP_UNUSED_ARG(protocol); 01115 /* 01116 * We've failed to authenticate ourselves to our peer. 01117 * 01118 * Some servers keep sending CHAP challenges, but there 01119 * is no point in persisting without any way to get updated 01120 * authentication secrets. 01121 * 01122 * He'll probably take the link down, and there's not much 01123 * we can do except wait for that. 01124 */ 01125 pcb->err_code = PPPERR_AUTHFAIL; 01126 lcp_close(pcb, "Failed to authenticate ourselves to peer"); 01127 } 01128 01129 /* 01130 * We have successfully authenticated ourselves with the peer using `protocol'. 01131 */ 01132 void auth_withpeer_success(ppp_pcb *pcb, int protocol, int prot_flavor) { 01133 int bit; 01134 const char *prot = ""; 01135 01136 switch (protocol) { 01137 #if CHAP_SUPPORT 01138 case PPP_CHAP: 01139 bit = CHAP_WITHPEER; 01140 prot = "CHAP"; 01141 switch (prot_flavor) { 01142 case CHAP_MD5: 01143 bit |= CHAP_MD5_WITHPEER; 01144 break; 01145 #if MSCHAP_SUPPORT 01146 case CHAP_MICROSOFT: 01147 bit |= CHAP_MS_WITHPEER; 01148 break; 01149 case CHAP_MICROSOFT_V2: 01150 bit |= CHAP_MS2_WITHPEER; 01151 break; 01152 #endif /* MSCHAP_SUPPORT */ 01153 default: 01154 break; 01155 } 01156 break; 01157 #endif /* CHAP_SUPPORT */ 01158 #if PAP_SUPPORT 01159 case PPP_PAP: 01160 bit = PAP_WITHPEER; 01161 prot = "PAP"; 01162 break; 01163 #endif /* PAP_SUPPORT */ 01164 #if EAP_SUPPORT 01165 case PPP_EAP: 01166 bit = EAP_WITHPEER; 01167 prot = "EAP"; 01168 break; 01169 #endif /* EAP_SUPPORT */ 01170 default: 01171 ppp_warn("auth_withpeer_success: unknown protocol %x", protocol); 01172 bit = 0; 01173 /* no break */ 01174 } 01175 01176 ppp_notice("%s authentication succeeded", prot); 01177 01178 /* Save the authentication method for later. */ 01179 pcb->auth_done |= bit; 01180 01181 /* 01182 * If there is no more authentication still being done, 01183 * proceed to the network (or callback) phase. 01184 */ 01185 if ((pcb->auth_pending &= ~bit) == 0) 01186 network_phase(pcb); 01187 } 01188 #endif /* PPP_AUTH_SUPPORT */ 01189 01190 01191 /* 01192 * np_up - a network protocol has come up. 01193 */ 01194 void np_up(ppp_pcb *pcb, int proto) { 01195 #if PPP_IDLETIMELIMIT 01196 int tlim; 01197 #endif /* PPP_IDLETIMELIMIT */ 01198 PPP_UNUSED_ARG(proto); 01199 01200 if (pcb->num_np_up == 0) { 01201 /* 01202 * At this point we consider that the link has come up successfully. 01203 */ 01204 new_phase(pcb, PPP_PHASE_RUNNING); 01205 01206 #if PPP_IDLETIMELIMIT 01207 #if 0 /* UNUSED */ 01208 if (idle_time_hook != 0) 01209 tlim = (*idle_time_hook)(NULL); 01210 else 01211 #endif /* UNUSED */ 01212 tlim = pcb->settings.idle_time_limit; 01213 if (tlim > 0) 01214 TIMEOUT(check_idle, (void*)pcb, tlim); 01215 #endif /* PPP_IDLETIMELIMIT */ 01216 01217 #if PPP_MAXCONNECT 01218 /* 01219 * Set a timeout to close the connection once the maximum 01220 * connect time has expired. 01221 */ 01222 if (pcb->settings.maxconnect > 0) 01223 TIMEOUT(connect_time_expired, (void*)pcb, pcb->settings.maxconnect); 01224 #endif /* PPP_MAXCONNECT */ 01225 01226 #ifdef MAXOCTETS 01227 if (maxoctets > 0) 01228 TIMEOUT(check_maxoctets, NULL, maxoctets_timeout); 01229 #endif 01230 01231 #if 0 /* Unused */ 01232 /* 01233 * Detach now, if the updetach option was given. 01234 */ 01235 if (updetach && !nodetach) 01236 detach(); 01237 #endif /* Unused */ 01238 } 01239 ++pcb->num_np_up; 01240 } 01241 01242 /* 01243 * np_down - a network protocol has gone down. 01244 */ 01245 void np_down(ppp_pcb *pcb, int proto) { 01246 PPP_UNUSED_ARG(proto); 01247 if (--pcb->num_np_up == 0) { 01248 #if PPP_IDLETIMELIMIT 01249 UNTIMEOUT(check_idle, (void*)pcb); 01250 #endif /* PPP_IDLETIMELIMIT */ 01251 #if PPP_MAXCONNECT 01252 UNTIMEOUT(connect_time_expired, NULL); 01253 #endif /* PPP_MAXCONNECT */ 01254 #ifdef MAXOCTETS 01255 UNTIMEOUT(check_maxoctets, NULL); 01256 #endif 01257 new_phase(pcb, PPP_PHASE_NETWORK); 01258 } 01259 } 01260 01261 /* 01262 * np_finished - a network protocol has finished using the link. 01263 */ 01264 void np_finished(ppp_pcb *pcb, int proto) { 01265 PPP_UNUSED_ARG(proto); 01266 if (--pcb->num_np_open <= 0) { 01267 /* no further use for the link: shut up shop. */ 01268 lcp_close(pcb, "No network protocols running"); 01269 } 01270 } 01271 01272 #ifdef MAXOCTETS 01273 static void 01274 check_maxoctets(arg) 01275 void *arg; 01276 { 01277 #if PPP_STATS_SUPPORT 01278 unsigned int used; 01279 01280 update_link_stats(ifunit); 01281 link_stats_valid=0; 01282 01283 switch(maxoctets_dir) { 01284 case PPP_OCTETS_DIRECTION_IN: 01285 used = link_stats.bytes_in; 01286 break; 01287 case PPP_OCTETS_DIRECTION_OUT: 01288 used = link_stats.bytes_out; 01289 break; 01290 case PPP_OCTETS_DIRECTION_MAXOVERAL: 01291 case PPP_OCTETS_DIRECTION_MAXSESSION: 01292 used = (link_stats.bytes_in > link_stats.bytes_out) ? link_stats.bytes_in : link_stats.bytes_out; 01293 break; 01294 default: 01295 used = link_stats.bytes_in+link_stats.bytes_out; 01296 break; 01297 } 01298 if (used > maxoctets) { 01299 ppp_notice("Traffic limit reached. Limit: %u Used: %u", maxoctets, used); 01300 status = EXIT_TRAFFIC_LIMIT; 01301 lcp_close(pcb, "Traffic limit"); 01302 #if 0 /* UNUSED */ 01303 need_holdoff = 0; 01304 #endif /* UNUSED */ 01305 } else { 01306 TIMEOUT(check_maxoctets, NULL, maxoctets_timeout); 01307 } 01308 #endif /* PPP_STATS_SUPPORT */ 01309 } 01310 #endif /* MAXOCTETS */ 01311 01312 #if PPP_IDLETIMELIMIT 01313 /* 01314 * check_idle - check whether the link has been idle for long 01315 * enough that we can shut it down. 01316 */ 01317 static void check_idle(void *arg) { 01318 ppp_pcb *pcb = (ppp_pcb*)arg; 01319 struct ppp_idle idle; 01320 time_t itime; 01321 int tlim; 01322 01323 if (!get_idle_time(pcb, &idle)) 01324 return; 01325 #if 0 /* UNUSED */ 01326 if (idle_time_hook != 0) { 01327 tlim = idle_time_hook(&idle); 01328 } else { 01329 #endif /* UNUSED */ 01330 itime = PPP_MIN(idle.xmit_idle, idle.recv_idle); 01331 tlim = pcb->settings.idle_time_limit - itime; 01332 #if 0 /* UNUSED */ 01333 } 01334 #endif /* UNUSED */ 01335 if (tlim <= 0) { 01336 /* link is idle: shut it down. */ 01337 ppp_notice("Terminating connection due to lack of activity."); 01338 pcb->err_code = PPPERR_IDLETIMEOUT; 01339 lcp_close(pcb, "Link inactive"); 01340 #if 0 /* UNUSED */ 01341 need_holdoff = 0; 01342 #endif /* UNUSED */ 01343 } else { 01344 TIMEOUT(check_idle, (void*)pcb, tlim); 01345 } 01346 } 01347 #endif /* PPP_IDLETIMELIMIT */ 01348 01349 #if PPP_MAXCONNECT 01350 /* 01351 * connect_time_expired - log a message and close the connection. 01352 */ 01353 static void connect_time_expired(void *arg) { 01354 ppp_pcb *pcb = (ppp_pcb*)arg; 01355 ppp_info("Connect time expired"); 01356 pcb->err_code = PPPERR_CONNECTTIME; 01357 lcp_close(pcb, "Connect time expired"); /* Close connection */ 01358 } 01359 #endif /* PPP_MAXCONNECT */ 01360 01361 #if PPP_OPTIONS 01362 /* 01363 * auth_check_options - called to check authentication options. 01364 */ 01365 void 01366 auth_check_options() 01367 { 01368 lcp_options *wo = &lcp_wantoptions[0]; 01369 int can_auth; 01370 int lacks_ip; 01371 01372 /* Default our_name to hostname, and user to our_name */ 01373 if (our_name[0] == 0 || usehostname) 01374 strlcpy(our_name, hostname, sizeof(our_name)); 01375 /* If a blank username was explicitly given as an option, trust 01376 the user and don't use our_name */ 01377 if (ppp_settings.user[0] == 0 && !explicit_user) 01378 strlcpy(ppp_settings.user, our_name, sizeof(ppp_settings.user)); 01379 01380 /* 01381 * If we have a default route, require the peer to authenticate 01382 * unless the noauth option was given or the real user is root. 01383 */ 01384 if (!auth_required && !allow_any_ip && have_route_to(0) && !privileged) { 01385 auth_required = 1; 01386 default_auth = 1; 01387 } 01388 01389 #if CHAP_SUPPORT 01390 /* If we selected any CHAP flavors, we should probably negotiate it. :-) */ 01391 if (wo->chap_mdtype) 01392 wo->neg_chap = 1; 01393 #endif /* CHAP_SUPPORT */ 01394 01395 /* If authentication is required, ask peer for CHAP, PAP, or EAP. */ 01396 if (auth_required) { 01397 allow_any_ip = 0; 01398 if (1 01399 #if CHAP_SUPPORT 01400 && !wo->neg_chap 01401 #endif /* CHAP_SUPPORT */ 01402 #if PAP_SUPPORT 01403 && !wo->neg_upap 01404 #endif /* PAP_SUPPORT */ 01405 #if EAP_SUPPORT 01406 && !wo->neg_eap 01407 #endif /* EAP_SUPPORT */ 01408 ) { 01409 #if CHAP_SUPPORT 01410 wo->neg_chap = CHAP_MDTYPE_SUPPORTED != MDTYPE_NONE; 01411 wo->chap_mdtype = CHAP_MDTYPE_SUPPORTED; 01412 #endif /* CHAP_SUPPORT */ 01413 #if PAP_SUPPORT 01414 wo->neg_upap = 1; 01415 #endif /* PAP_SUPPORT */ 01416 #if EAP_SUPPORT 01417 wo->neg_eap = 1; 01418 #endif /* EAP_SUPPORT */ 01419 } 01420 } else { 01421 #if CHAP_SUPPORT 01422 wo->neg_chap = 0; 01423 wo->chap_mdtype = MDTYPE_NONE; 01424 #endif /* CHAP_SUPPORT */ 01425 #if PAP_SUPPORT 01426 wo->neg_upap = 0; 01427 #endif /* PAP_SUPPORT */ 01428 #if EAP_SUPPORT 01429 wo->neg_eap = 0; 01430 #endif /* EAP_SUPPORT */ 01431 } 01432 01433 /* 01434 * Check whether we have appropriate secrets to use 01435 * to authenticate the peer. Note that EAP can authenticate by way 01436 * of a CHAP-like exchanges as well as SRP. 01437 */ 01438 lacks_ip = 0; 01439 #if PAP_SUPPORT 01440 can_auth = wo->neg_upap && (uselogin || have_pap_secret(&lacks_ip)); 01441 #else 01442 can_auth = 0; 01443 #endif /* PAP_SUPPORT */ 01444 if (!can_auth && (0 01445 #if CHAP_SUPPORT 01446 || wo->neg_chap 01447 #endif /* CHAP_SUPPORT */ 01448 #if EAP_SUPPORT 01449 || wo->neg_eap 01450 #endif /* EAP_SUPPORT */ 01451 )) { 01452 #if CHAP_SUPPORT 01453 can_auth = have_chap_secret((explicit_remote? remote_name: NULL), 01454 our_name, 1, &lacks_ip); 01455 #else 01456 can_auth = 0; 01457 #endif 01458 } 01459 if (!can_auth 01460 #if EAP_SUPPORT 01461 && wo->neg_eap 01462 #endif /* EAP_SUPPORT */ 01463 ) { 01464 can_auth = have_srp_secret((explicit_remote? remote_name: NULL), 01465 our_name, 1, &lacks_ip); 01466 } 01467 01468 if (auth_required && !can_auth && noauth_addrs == NULL) { 01469 if (default_auth) { 01470 option_error( 01471 "By default the remote system is required to authenticate itself"); 01472 option_error( 01473 "(because this system has a default route to the internet)"); 01474 } else if (explicit_remote) 01475 option_error( 01476 "The remote system (%s) is required to authenticate itself", 01477 remote_name); 01478 else 01479 option_error( 01480 "The remote system is required to authenticate itself"); 01481 option_error( 01482 "but I couldn't find any suitable secret (password) for it to use to do so."); 01483 if (lacks_ip) 01484 option_error( 01485 "(None of the available passwords would let it use an IP address.)"); 01486 01487 exit(1); 01488 } 01489 01490 /* 01491 * Early check for remote number authorization. 01492 */ 01493 if (!auth_number()) { 01494 ppp_warn("calling number %q is not authorized", remote_number); 01495 exit(EXIT_CNID_AUTH_FAILED); 01496 } 01497 } 01498 #endif /* PPP_OPTIONS */ 01499 01500 #if 0 /* UNUSED */ 01501 /* 01502 * auth_reset - called when LCP is starting negotiations to recheck 01503 * authentication options, i.e. whether we have appropriate secrets 01504 * to use for authenticating ourselves and/or the peer. 01505 */ 01506 void 01507 auth_reset(unit) 01508 int unit; 01509 { 01510 lcp_options *go = &lcp_gotoptions[unit]; 01511 lcp_options *ao = &lcp_allowoptions[unit]; 01512 int hadchap; 01513 01514 hadchap = -1; 01515 ao->neg_upap = !refuse_pap && (passwd[0] != 0 || get_pap_passwd(NULL)); 01516 ao->neg_chap = (!refuse_chap || !refuse_mschap || !refuse_mschap_v2) 01517 && (passwd[0] != 0 || 01518 (hadchap = have_chap_secret(user, (explicit_remote? remote_name: 01519 NULL), 0, NULL))); 01520 ao->neg_eap = !refuse_eap && ( 01521 passwd[0] != 0 || 01522 (hadchap == 1 || (hadchap == -1 && have_chap_secret(user, 01523 (explicit_remote? remote_name: NULL), 0, NULL))) || 01524 have_srp_secret(user, (explicit_remote? remote_name: NULL), 0, NULL)); 01525 01526 hadchap = -1; 01527 if (go->neg_upap && !uselogin && !have_pap_secret(NULL)) 01528 go->neg_upap = 0; 01529 if (go->neg_chap) { 01530 if (!(hadchap = have_chap_secret((explicit_remote? remote_name: NULL), 01531 our_name, 1, NULL))) 01532 go->neg_chap = 0; 01533 } 01534 if (go->neg_eap && 01535 (hadchap == 0 || (hadchap == -1 && 01536 !have_chap_secret((explicit_remote? remote_name: NULL), our_name, 01537 1, NULL))) && 01538 !have_srp_secret((explicit_remote? remote_name: NULL), our_name, 1, 01539 NULL)) 01540 go->neg_eap = 0; 01541 } 01542 01543 /* 01544 * check_passwd - Check the user name and passwd against the PAP secrets 01545 * file. If requested, also check against the system password database, 01546 * and login the user if OK. 01547 * 01548 * returns: 01549 * UPAP_AUTHNAK: Authentication failed. 01550 * UPAP_AUTHACK: Authentication succeeded. 01551 * In either case, msg points to an appropriate message. 01552 */ 01553 int 01554 check_passwd(unit, auser, userlen, apasswd, passwdlen, msg) 01555 int unit; 01556 char *auser; 01557 int userlen; 01558 char *apasswd; 01559 int passwdlen; 01560 char **msg; 01561 { 01562 return UPAP_AUTHNAK; 01563 int ret; 01564 char *filename; 01565 FILE *f; 01566 struct wordlist *addrs = NULL, *opts = NULL; 01567 char passwd[256], user[256]; 01568 char secret[MAXWORDLEN]; 01569 static int attempts = 0; 01570 01571 /* 01572 * Make copies of apasswd and auser, then null-terminate them. 01573 * If there are unprintable characters in the password, make 01574 * them visible. 01575 */ 01576 slprintf(ppp_settings.passwd, sizeof(ppp_settings.passwd), "%.*v", passwdlen, apasswd); 01577 slprintf(ppp_settings.user, sizeof(ppp_settings.user), "%.*v", userlen, auser); 01578 *msg = ""; 01579 01580 /* 01581 * Check if a plugin wants to handle this. 01582 */ 01583 if (pap_auth_hook) { 01584 ret = (*pap_auth_hook)(ppp_settings.user, ppp_settings.passwd, msg, &addrs, &opts); 01585 if (ret >= 0) { 01586 /* note: set_allowed_addrs() saves opts (but not addrs): 01587 don't free it! */ 01588 if (ret) 01589 set_allowed_addrs(unit, addrs, opts); 01590 else if (opts != 0) 01591 free_wordlist(opts); 01592 if (addrs != 0) 01593 free_wordlist(addrs); 01594 BZERO(ppp_settings.passwd, sizeof(ppp_settings.passwd)); 01595 return ret? UPAP_AUTHACK: UPAP_AUTHNAK; 01596 } 01597 } 01598 01599 /* 01600 * Open the file of pap secrets and scan for a suitable secret 01601 * for authenticating this user. 01602 */ 01603 filename = _PATH_UPAPFILE; 01604 addrs = opts = NULL; 01605 ret = UPAP_AUTHNAK; 01606 f = fopen(filename, "r"); 01607 if (f == NULL) { 01608 ppp_error("Can't open PAP password file %s: %m", filename); 01609 01610 } else { 01611 check_access(f, filename); 01612 if (scan_authfile(f, ppp_settings.user, our_name, secret, &addrs, &opts, filename, 0) < 0) { 01613 ppp_warn("no PAP secret found for %s", user); 01614 } else { 01615 /* 01616 * If the secret is "@login", it means to check 01617 * the password against the login database. 01618 */ 01619 int login_secret = strcmp(secret, "@login") == 0; 01620 ret = UPAP_AUTHACK; 01621 if (uselogin || login_secret) { 01622 /* login option or secret is @login */ 01623 if (session_full(ppp_settings.user, ppp_settings.passwd, devnam, msg) == 0) { 01624 ret = UPAP_AUTHNAK; 01625 } 01626 } else if (session_mgmt) { 01627 if (session_check(ppp_settings.user, NULL, devnam, NULL) == 0) { 01628 ppp_warn("Peer %q failed PAP Session verification", user); 01629 ret = UPAP_AUTHNAK; 01630 } 01631 } 01632 if (secret[0] != 0 && !login_secret) { 01633 /* password given in pap-secrets - must match */ 01634 if ((cryptpap || strcmp(ppp_settings.passwd, secret) != 0) 01635 && strcmp(crypt(ppp_settings.passwd, secret), secret) != 0) 01636 ret = UPAP_AUTHNAK; 01637 } 01638 } 01639 fclose(f); 01640 } 01641 01642 if (ret == UPAP_AUTHNAK) { 01643 if (**msg == 0) 01644 *msg = "Login incorrect"; 01645 /* 01646 * XXX can we ever get here more than once?? 01647 * Frustrate passwd stealer programs. 01648 * Allow 10 tries, but start backing off after 3 (stolen from login). 01649 * On 10'th, drop the connection. 01650 */ 01651 if (attempts++ >= 10) { 01652 ppp_warn("%d LOGIN FAILURES ON %s, %s", attempts, devnam, user); 01653 lcp_close(pcb, "login failed"); 01654 } 01655 if (attempts > 3) 01656 sleep((u_int) (attempts - 3) * 5); 01657 if (opts != NULL) 01658 free_wordlist(opts); 01659 01660 } else { 01661 attempts = 0; /* Reset count */ 01662 if (**msg == 0) 01663 *msg = "Login ok"; 01664 set_allowed_addrs(unit, addrs, opts); 01665 } 01666 01667 if (addrs != NULL) 01668 free_wordlist(addrs); 01669 BZERO(ppp_settings.passwd, sizeof(ppp_settings.passwd)); 01670 BZERO(secret, sizeof(secret)); 01671 01672 return ret; 01673 } 01674 01675 /* 01676 * null_login - Check if a username of "" and a password of "" are 01677 * acceptable, and iff so, set the list of acceptable IP addresses 01678 * and return 1. 01679 */ 01680 static int 01681 null_login(unit) 01682 int unit; 01683 { 01684 char *filename; 01685 FILE *f; 01686 int i, ret; 01687 struct wordlist *addrs, *opts; 01688 char secret[MAXWORDLEN]; 01689 01690 /* 01691 * Check if a plugin wants to handle this. 01692 */ 01693 ret = -1; 01694 if (null_auth_hook) 01695 ret = (*null_auth_hook)(&addrs, &opts); 01696 01697 /* 01698 * Open the file of pap secrets and scan for a suitable secret. 01699 */ 01700 if (ret <= 0) { 01701 filename = _PATH_UPAPFILE; 01702 addrs = NULL; 01703 f = fopen(filename, "r"); 01704 if (f == NULL) 01705 return 0; 01706 check_access(f, filename); 01707 01708 i = scan_authfile(f, "", our_name, secret, &addrs, &opts, filename, 0); 01709 ret = i >= 0 && secret[0] == 0; 01710 BZERO(secret, sizeof(secret)); 01711 fclose(f); 01712 } 01713 01714 if (ret) 01715 set_allowed_addrs(unit, addrs, opts); 01716 else if (opts != 0) 01717 free_wordlist(opts); 01718 if (addrs != 0) 01719 free_wordlist(addrs); 01720 01721 return ret; 01722 } 01723 01724 /* 01725 * get_pap_passwd - get a password for authenticating ourselves with 01726 * our peer using PAP. Returns 1 on success, 0 if no suitable password 01727 * could be found. 01728 * Assumes passwd points to MAXSECRETLEN bytes of space (if non-null). 01729 */ 01730 static int 01731 get_pap_passwd(passwd) 01732 char *passwd; 01733 { 01734 char *filename; 01735 FILE *f; 01736 int ret; 01737 char secret[MAXWORDLEN]; 01738 01739 /* 01740 * Check whether a plugin wants to supply this. 01741 */ 01742 if (pap_passwd_hook) { 01743 ret = (*pap_passwd_hook)(ppp_settings,user, ppp_settings.passwd); 01744 if (ret >= 0) 01745 return ret; 01746 } 01747 01748 filename = _PATH_UPAPFILE; 01749 f = fopen(filename, "r"); 01750 if (f == NULL) 01751 return 0; 01752 check_access(f, filename); 01753 ret = scan_authfile(f, user, 01754 (remote_name[0]? remote_name: NULL), 01755 secret, NULL, NULL, filename, 0); 01756 fclose(f); 01757 if (ret < 0) 01758 return 0; 01759 if (passwd != NULL) 01760 strlcpy(passwd, secret, MAXSECRETLEN); 01761 BZERO(secret, sizeof(secret)); 01762 return 1; 01763 } 01764 01765 /* 01766 * have_pap_secret - check whether we have a PAP file with any 01767 * secrets that we could possibly use for authenticating the peer. 01768 */ 01769 static int 01770 have_pap_secret(lacks_ipp) 01771 int *lacks_ipp; 01772 { 01773 FILE *f; 01774 int ret; 01775 char *filename; 01776 struct wordlist *addrs; 01777 01778 /* let the plugin decide, if there is one */ 01779 if (pap_check_hook) { 01780 ret = (*pap_check_hook)(); 01781 if (ret >= 0) 01782 return ret; 01783 } 01784 01785 filename = _PATH_UPAPFILE; 01786 f = fopen(filename, "r"); 01787 if (f == NULL) 01788 return 0; 01789 01790 ret = scan_authfile(f, (explicit_remote? remote_name: NULL), our_name, 01791 NULL, &addrs, NULL, filename, 0); 01792 fclose(f); 01793 if (ret >= 0 && !some_ip_ok(addrs)) { 01794 if (lacks_ipp != 0) 01795 *lacks_ipp = 1; 01796 ret = -1; 01797 } 01798 if (addrs != 0) 01799 free_wordlist(addrs); 01800 01801 return ret >= 0; 01802 } 01803 01804 /* 01805 * have_chap_secret - check whether we have a CHAP file with a 01806 * secret that we could possibly use for authenticating `client' 01807 * on `server'. Either can be the null string, meaning we don't 01808 * know the identity yet. 01809 */ 01810 static int 01811 have_chap_secret(client, server, need_ip, lacks_ipp) 01812 char *client; 01813 char *server; 01814 int need_ip; 01815 int *lacks_ipp; 01816 { 01817 FILE *f; 01818 int ret; 01819 char *filename; 01820 struct wordlist *addrs; 01821 01822 if (chap_check_hook) { 01823 ret = (*chap_check_hook)(); 01824 if (ret >= 0) { 01825 return ret; 01826 } 01827 } 01828 01829 filename = _PATH_CHAPFILE; 01830 f = fopen(filename, "r"); 01831 if (f == NULL) 01832 return 0; 01833 01834 if (client != NULL && client[0] == 0) 01835 client = NULL; 01836 else if (server != NULL && server[0] == 0) 01837 server = NULL; 01838 01839 ret = scan_authfile(f, client, server, NULL, &addrs, NULL, filename, 0); 01840 fclose(f); 01841 if (ret >= 0 && need_ip && !some_ip_ok(addrs)) { 01842 if (lacks_ipp != 0) 01843 *lacks_ipp = 1; 01844 ret = -1; 01845 } 01846 if (addrs != 0) 01847 free_wordlist(addrs); 01848 01849 return ret >= 0; 01850 } 01851 01852 /* 01853 * have_srp_secret - check whether we have a SRP file with a 01854 * secret that we could possibly use for authenticating `client' 01855 * on `server'. Either can be the null string, meaning we don't 01856 * know the identity yet. 01857 */ 01858 static int 01859 have_srp_secret(client, server, need_ip, lacks_ipp) 01860 char *client; 01861 char *server; 01862 int need_ip; 01863 int *lacks_ipp; 01864 { 01865 FILE *f; 01866 int ret; 01867 char *filename; 01868 struct wordlist *addrs; 01869 01870 filename = _PATH_SRPFILE; 01871 f = fopen(filename, "r"); 01872 if (f == NULL) 01873 return 0; 01874 01875 if (client != NULL && client[0] == 0) 01876 client = NULL; 01877 else if (server != NULL && server[0] == 0) 01878 server = NULL; 01879 01880 ret = scan_authfile(f, client, server, NULL, &addrs, NULL, filename, 0); 01881 fclose(f); 01882 if (ret >= 0 && need_ip && !some_ip_ok(addrs)) { 01883 if (lacks_ipp != 0) 01884 *lacks_ipp = 1; 01885 ret = -1; 01886 } 01887 if (addrs != 0) 01888 free_wordlist(addrs); 01889 01890 return ret >= 0; 01891 } 01892 #endif /* UNUSED */ 01893 01894 #if PPP_AUTH_SUPPORT 01895 /* 01896 * get_secret - open the CHAP secret file and return the secret 01897 * for authenticating the given client on the given server. 01898 * (We could be either client or server). 01899 */ 01900 int get_secret(ppp_pcb *pcb, const char *client, const char *server, char *secret, int *secret_len, int am_server) { 01901 int len; 01902 PPP_UNUSED_ARG(server); 01903 PPP_UNUSED_ARG(am_server); 01904 01905 if (!client || !client[0] || !pcb->settings.user || !pcb->settings.passwd || strcmp(client, pcb->settings.user)) { 01906 return 0; 01907 } 01908 01909 len = (int)strlen(pcb->settings.passwd); 01910 if (len > MAXSECRETLEN) { 01911 ppp_error("Secret for %s on %s is too long", client, server); 01912 len = MAXSECRETLEN; 01913 } 01914 01915 MEMCPY(secret, pcb->settings.passwd, len); 01916 *secret_len = len; 01917 return 1; 01918 01919 #if 0 /* UNUSED */ 01920 FILE *f; 01921 int ret, len; 01922 char *filename; 01923 struct wordlist *addrs, *opts; 01924 char secbuf[MAXWORDLEN]; 01925 struct wordlist *addrs; 01926 addrs = NULL; 01927 01928 if (!am_server && ppp_settings.passwd[0] != 0) { 01929 strlcpy(secbuf, ppp_settings.passwd, sizeof(secbuf)); 01930 } else if (!am_server && chap_passwd_hook) { 01931 if ( (*chap_passwd_hook)(client, secbuf) < 0) { 01932 ppp_error("Unable to obtain CHAP password for %s on %s from plugin", 01933 client, server); 01934 return 0; 01935 } 01936 } else { 01937 filename = _PATH_CHAPFILE; 01938 addrs = NULL; 01939 secbuf[0] = 0; 01940 01941 f = fopen(filename, "r"); 01942 if (f == NULL) { 01943 ppp_error("Can't open chap secret file %s: %m", filename); 01944 return 0; 01945 } 01946 check_access(f, filename); 01947 01948 ret = scan_authfile(f, client, server, secbuf, &addrs, &opts, filename, 0); 01949 fclose(f); 01950 if (ret < 0) 01951 return 0; 01952 01953 if (am_server) 01954 set_allowed_addrs(unit, addrs, opts); 01955 else if (opts != 0) 01956 free_wordlist(opts); 01957 if (addrs != 0) 01958 free_wordlist(addrs); 01959 } 01960 01961 len = strlen(secbuf); 01962 if (len > MAXSECRETLEN) { 01963 ppp_error("Secret for %s on %s is too long", client, server); 01964 len = MAXSECRETLEN; 01965 } 01966 MEMCPY(secret, secbuf, len); 01967 BZERO(secbuf, sizeof(secbuf)); 01968 *secret_len = len; 01969 01970 return 1; 01971 #endif /* UNUSED */ 01972 } 01973 #endif /* PPP_AUTH_SUPPORT */ 01974 01975 01976 #if 0 /* UNUSED */ 01977 /* 01978 * get_srp_secret - open the SRP secret file and return the secret 01979 * for authenticating the given client on the given server. 01980 * (We could be either client or server). 01981 */ 01982 int 01983 get_srp_secret(unit, client, server, secret, am_server) 01984 int unit; 01985 char *client; 01986 char *server; 01987 char *secret; 01988 int am_server; 01989 { 01990 FILE *fp; 01991 int ret; 01992 char *filename; 01993 struct wordlist *addrs, *opts; 01994 01995 if (!am_server && ppp_settings.passwd[0] != '\0') { 01996 strlcpy(secret, ppp_settings.passwd, MAXWORDLEN); 01997 } else { 01998 filename = _PATH_SRPFILE; 01999 addrs = NULL; 02000 02001 fp = fopen(filename, "r"); 02002 if (fp == NULL) { 02003 ppp_error("Can't open srp secret file %s: %m", filename); 02004 return 0; 02005 } 02006 check_access(fp, filename); 02007 02008 secret[0] = '\0'; 02009 ret = scan_authfile(fp, client, server, secret, &addrs, &opts, 02010 filename, am_server); 02011 fclose(fp); 02012 if (ret < 0) 02013 return 0; 02014 02015 if (am_server) 02016 set_allowed_addrs(unit, addrs, opts); 02017 else if (opts != NULL) 02018 free_wordlist(opts); 02019 if (addrs != NULL) 02020 free_wordlist(addrs); 02021 } 02022 02023 return 1; 02024 } 02025 02026 /* 02027 * set_allowed_addrs() - set the list of allowed addresses. 02028 * Also looks for `--' indicating options to apply for this peer 02029 * and leaves the following words in extra_options. 02030 */ 02031 static void 02032 set_allowed_addrs(unit, addrs, opts) 02033 int unit; 02034 struct wordlist *addrs; 02035 struct wordlist *opts; 02036 { 02037 int n; 02038 struct wordlist *ap, **plink; 02039 struct permitted_ip *ip; 02040 char *ptr_word, *ptr_mask; 02041 struct hostent *hp; 02042 struct netent *np; 02043 u32_t a, mask, ah, offset; 02044 struct ipcp_options *wo = &ipcp_wantoptions[unit]; 02045 u32_t suggested_ip = 0; 02046 02047 if (addresses[unit] != NULL) 02048 free(addresses[unit]); 02049 addresses[unit] = NULL; 02050 if (extra_options != NULL) 02051 free_wordlist(extra_options); 02052 extra_options = opts; 02053 02054 /* 02055 * Count the number of IP addresses given. 02056 */ 02057 n = wordlist_count(addrs) + wordlist_count(noauth_addrs); 02058 if (n == 0) 02059 return; 02060 ip = (struct permitted_ip *) malloc((n + 1) * sizeof(struct permitted_ip)); 02061 if (ip == 0) 02062 return; 02063 02064 /* temporarily append the noauth_addrs list to addrs */ 02065 for (plink = &addrs; *plink != NULL; plink = &(*plink)->next) 02066 ; 02067 *plink = noauth_addrs; 02068 02069 n = 0; 02070 for (ap = addrs; ap != NULL; ap = ap->next) { 02071 /* "-" means no addresses authorized, "*" means any address allowed */ 02072 ptr_word = ap->word; 02073 if (strcmp(ptr_word, "-") == 0) 02074 break; 02075 if (strcmp(ptr_word, "*") == 0) { 02076 ip[n].permit = 1; 02077 ip[n].base = ip[n].mask = 0; 02078 ++n; 02079 break; 02080 } 02081 02082 ip[n].permit = 1; 02083 if (*ptr_word == '!') { 02084 ip[n].permit = 0; 02085 ++ptr_word; 02086 } 02087 02088 mask = ~ (u32_t) 0; 02089 offset = 0; 02090 ptr_mask = strchr (ptr_word, '/'); 02091 if (ptr_mask != NULL) { 02092 int bit_count; 02093 char *endp; 02094 02095 bit_count = (int) strtol (ptr_mask+1, &endp, 10); 02096 if (bit_count <= 0 || bit_count > 32) { 02097 ppp_warn("invalid address length %v in auth. address list", 02098 ptr_mask+1); 02099 continue; 02100 } 02101 bit_count = 32 - bit_count; /* # bits in host part */ 02102 if (*endp == '+') { 02103 offset = ifunit + 1; 02104 ++endp; 02105 } 02106 if (*endp != 0) { 02107 ppp_warn("invalid address length syntax: %v", ptr_mask+1); 02108 continue; 02109 } 02110 *ptr_mask = '\0'; 02111 mask <<= bit_count; 02112 } 02113 02114 hp = gethostbyname(ptr_word); 02115 if (hp != NULL && hp->h_addrtype == AF_INET) { 02116 a = *(u32_t *)hp->h_addr; 02117 } else { 02118 np = getnetbyname (ptr_word); 02119 if (np != NULL && np->n_addrtype == AF_INET) { 02120 a = ppp_htonl ((u32_t)np->n_net); 02121 if (ptr_mask == NULL) { 02122 /* calculate appropriate mask for net */ 02123 ah = ppp_ntohl(a); 02124 if (IN_CLASSA(ah)) 02125 mask = IN_CLASSA_NET; 02126 else if (IN_CLASSB(ah)) 02127 mask = IN_CLASSB_NET; 02128 else if (IN_CLASSC(ah)) 02129 mask = IN_CLASSC_NET; 02130 } 02131 } else { 02132 a = inet_addr (ptr_word); 02133 } 02134 } 02135 02136 if (ptr_mask != NULL) 02137 *ptr_mask = '/'; 02138 02139 if (a == (u32_t)-1L) { 02140 ppp_warn("unknown host %s in auth. address list", ap->word); 02141 continue; 02142 } 02143 if (offset != 0) { 02144 if (offset >= ~mask) { 02145 ppp_warn("interface unit %d too large for subnet %v", 02146 ifunit, ptr_word); 02147 continue; 02148 } 02149 a = ppp_htonl((ppp_ntohl(a) & mask) + offset); 02150 mask = ~(u32_t)0; 02151 } 02152 ip[n].mask = ppp_htonl(mask); 02153 ip[n].base = a & ip[n].mask; 02154 ++n; 02155 if (~mask == 0 && suggested_ip == 0) 02156 suggested_ip = a; 02157 } 02158 *plink = NULL; 02159 02160 ip[n].permit = 0; /* make the last entry forbid all addresses */ 02161 ip[n].base = 0; /* to terminate the list */ 02162 ip[n].mask = 0; 02163 02164 addresses[unit] = ip; 02165 02166 /* 02167 * If the address given for the peer isn't authorized, or if 02168 * the user hasn't given one, AND there is an authorized address 02169 * which is a single host, then use that if we find one. 02170 */ 02171 if (suggested_ip != 0 02172 && (wo->hisaddr == 0 || !auth_ip_addr(unit, wo->hisaddr))) { 02173 wo->hisaddr = suggested_ip; 02174 /* 02175 * Do we insist on this address? No, if there are other 02176 * addresses authorized than the suggested one. 02177 */ 02178 if (n > 1) 02179 wo->accept_remote = 1; 02180 } 02181 } 02182 02183 /* 02184 * auth_ip_addr - check whether the peer is authorized to use 02185 * a given IP address. Returns 1 if authorized, 0 otherwise. 02186 */ 02187 int 02188 auth_ip_addr(unit, addr) 02189 int unit; 02190 u32_t addr; 02191 { 02192 int ok; 02193 02194 /* don't allow loopback or multicast address */ 02195 if (bad_ip_adrs(addr)) 02196 return 0; 02197 02198 if (allowed_address_hook) { 02199 ok = allowed_address_hook(addr); 02200 if (ok >= 0) return ok; 02201 } 02202 02203 if (addresses[unit] != NULL) { 02204 ok = ip_addr_check(addr, addresses[unit]); 02205 if (ok >= 0) 02206 return ok; 02207 } 02208 02209 if (auth_required) 02210 return 0; /* no addresses authorized */ 02211 return allow_any_ip || privileged || !have_route_to(addr); 02212 } 02213 02214 static int 02215 ip_addr_check(addr, addrs) 02216 u32_t addr; 02217 struct permitted_ip *addrs; 02218 { 02219 for (; ; ++addrs) 02220 if ((addr & addrs->mask) == addrs->base) 02221 return addrs->permit; 02222 } 02223 02224 /* 02225 * bad_ip_adrs - return 1 if the IP address is one we don't want 02226 * to use, such as an address in the loopback net or a multicast address. 02227 * addr is in network byte order. 02228 */ 02229 int 02230 bad_ip_adrs(addr) 02231 u32_t addr; 02232 { 02233 addr = ppp_ntohl(addr); 02234 return (addr >> IN_CLASSA_NSHIFT) == IN_LOOPBACKNET 02235 || IN_MULTICAST(addr) || IN_BADCLASS(addr); 02236 } 02237 02238 /* 02239 * some_ip_ok - check a wordlist to see if it authorizes any 02240 * IP address(es). 02241 */ 02242 static int 02243 some_ip_ok(addrs) 02244 struct wordlist *addrs; 02245 { 02246 for (; addrs != 0; addrs = addrs->next) { 02247 if (addrs->word[0] == '-') 02248 break; 02249 if (addrs->word[0] != '!') 02250 return 1; /* some IP address is allowed */ 02251 } 02252 return 0; 02253 } 02254 02255 /* 02256 * auth_number - check whether the remote number is allowed to connect. 02257 * Returns 1 if authorized, 0 otherwise. 02258 */ 02259 int 02260 auth_number() 02261 { 02262 struct wordlist *wp = permitted_numbers; 02263 int l; 02264 02265 /* Allow all if no authorization list. */ 02266 if (!wp) 02267 return 1; 02268 02269 /* Allow if we have a match in the authorization list. */ 02270 while (wp) { 02271 /* trailing '*' wildcard */ 02272 l = strlen(wp->word); 02273 if ((wp->word)[l - 1] == '*') 02274 l--; 02275 if (!strncasecmp(wp->word, remote_number, l)) 02276 return 1; 02277 wp = wp->next; 02278 } 02279 02280 return 0; 02281 } 02282 02283 /* 02284 * check_access - complain if a secret file has too-liberal permissions. 02285 */ 02286 static void 02287 check_access(f, filename) 02288 FILE *f; 02289 char *filename; 02290 { 02291 struct stat sbuf; 02292 02293 if (fstat(fileno(f), &sbuf) < 0) { 02294 ppp_warn("cannot stat secret file %s: %m", filename); 02295 } else if ((sbuf.st_mode & (S_IRWXG | S_IRWXO)) != 0) { 02296 ppp_warn("Warning - secret file %s has world and/or group access", 02297 filename); 02298 } 02299 } 02300 02301 /* 02302 * scan_authfile - Scan an authorization file for a secret suitable 02303 * for authenticating `client' on `server'. The return value is -1 02304 * if no secret is found, otherwise >= 0. The return value has 02305 * NONWILD_CLIENT set if the secret didn't have "*" for the client, and 02306 * NONWILD_SERVER set if the secret didn't have "*" for the server. 02307 * Any following words on the line up to a "--" (i.e. address authorization 02308 * info) are placed in a wordlist and returned in *addrs. Any 02309 * following words (extra options) are placed in a wordlist and 02310 * returned in *opts. 02311 * We assume secret is NULL or points to MAXWORDLEN bytes of space. 02312 * Flags are non-zero if we need two colons in the secret in order to 02313 * match. 02314 */ 02315 static int 02316 scan_authfile(f, client, server, secret, addrs, opts, filename, flags) 02317 FILE *f; 02318 char *client; 02319 char *server; 02320 char *secret; 02321 struct wordlist **addrs; 02322 struct wordlist **opts; 02323 char *filename; 02324 int flags; 02325 { 02326 int newline, xxx; 02327 int got_flag, best_flag; 02328 FILE *sf; 02329 struct wordlist *ap, *addr_list, *alist, **app; 02330 char word[MAXWORDLEN]; 02331 char atfile[MAXWORDLEN]; 02332 char lsecret[MAXWORDLEN]; 02333 char *cp; 02334 02335 if (addrs != NULL) 02336 *addrs = NULL; 02337 if (opts != NULL) 02338 *opts = NULL; 02339 addr_list = NULL; 02340 if (!getword(f, word, &newline, filename)) 02341 return -1; /* file is empty??? */ 02342 newline = 1; 02343 best_flag = -1; 02344 for (;;) { 02345 /* 02346 * Skip until we find a word at the start of a line. 02347 */ 02348 while (!newline && getword(f, word, &newline, filename)) 02349 ; 02350 if (!newline) 02351 break; /* got to end of file */ 02352 02353 /* 02354 * Got a client - check if it's a match or a wildcard. 02355 */ 02356 got_flag = 0; 02357 if (client != NULL && strcmp(word, client) != 0 && !ISWILD(word)) { 02358 newline = 0; 02359 continue; 02360 } 02361 if (!ISWILD(word)) 02362 got_flag = NONWILD_CLIENT; 02363 02364 /* 02365 * Now get a server and check if it matches. 02366 */ 02367 if (!getword(f, word, &newline, filename)) 02368 break; 02369 if (newline) 02370 continue; 02371 if (!ISWILD(word)) { 02372 if (server != NULL && strcmp(word, server) != 0) 02373 continue; 02374 got_flag |= NONWILD_SERVER; 02375 } 02376 02377 /* 02378 * Got some sort of a match - see if it's better than what 02379 * we have already. 02380 */ 02381 if (got_flag <= best_flag) 02382 continue; 02383 02384 /* 02385 * Get the secret. 02386 */ 02387 if (!getword(f, word, &newline, filename)) 02388 break; 02389 if (newline) 02390 continue; 02391 02392 /* 02393 * SRP-SHA1 authenticator should never be reading secrets from 02394 * a file. (Authenticatee may, though.) 02395 */ 02396 if (flags && ((cp = strchr(word, ':')) == NULL || 02397 strchr(cp + 1, ':') == NULL)) 02398 continue; 02399 02400 if (secret != NULL) { 02401 /* 02402 * Special syntax: @/pathname means read secret from file. 02403 */ 02404 if (word[0] == '@' && word[1] == '/') { 02405 strlcpy(atfile, word+1, sizeof(atfile)); 02406 if ((sf = fopen(atfile, "r")) == NULL) { 02407 ppp_warn("can't open indirect secret file %s", atfile); 02408 continue; 02409 } 02410 check_access(sf, atfile); 02411 if (!getword(sf, word, &xxx, atfile)) { 02412 ppp_warn("no secret in indirect secret file %s", atfile); 02413 fclose(sf); 02414 continue; 02415 } 02416 fclose(sf); 02417 } 02418 strlcpy(lsecret, word, sizeof(lsecret)); 02419 } 02420 02421 /* 02422 * Now read address authorization info and make a wordlist. 02423 */ 02424 app = &alist; 02425 for (;;) { 02426 if (!getword(f, word, &newline, filename) || newline) 02427 break; 02428 ap = (struct wordlist *) 02429 malloc(sizeof(struct wordlist) + strlen(word) + 1); 02430 if (ap == NULL) 02431 novm("authorized addresses"); 02432 ap->word = (char *) (ap + 1); 02433 strcpy(ap->word, word); 02434 *app = ap; 02435 app = &ap->next; 02436 } 02437 *app = NULL; 02438 02439 /* 02440 * This is the best so far; remember it. 02441 */ 02442 best_flag = got_flag; 02443 if (addr_list) 02444 free_wordlist(addr_list); 02445 addr_list = alist; 02446 if (secret != NULL) 02447 strlcpy(secret, lsecret, MAXWORDLEN); 02448 02449 if (!newline) 02450 break; 02451 } 02452 02453 /* scan for a -- word indicating the start of options */ 02454 for (app = &addr_list; (ap = *app) != NULL; app = &ap->next) 02455 if (strcmp(ap->word, "--") == 0) 02456 break; 02457 /* ap = start of options */ 02458 if (ap != NULL) { 02459 ap = ap->next; /* first option */ 02460 free(*app); /* free the "--" word */ 02461 *app = NULL; /* terminate addr list */ 02462 } 02463 if (opts != NULL) 02464 *opts = ap; 02465 else if (ap != NULL) 02466 free_wordlist(ap); 02467 if (addrs != NULL) 02468 *addrs = addr_list; 02469 else if (addr_list != NULL) 02470 free_wordlist(addr_list); 02471 02472 return best_flag; 02473 } 02474 02475 /* 02476 * wordlist_count - return the number of items in a wordlist 02477 */ 02478 static int 02479 wordlist_count(wp) 02480 struct wordlist *wp; 02481 { 02482 int n; 02483 02484 for (n = 0; wp != NULL; wp = wp->next) 02485 ++n; 02486 return n; 02487 } 02488 02489 /* 02490 * free_wordlist - release memory allocated for a wordlist. 02491 */ 02492 static void 02493 free_wordlist(wp) 02494 struct wordlist *wp; 02495 { 02496 struct wordlist *next; 02497 02498 while (wp != NULL) { 02499 next = wp->next; 02500 free(wp); 02501 wp = next; 02502 } 02503 } 02504 #endif /* UNUSED */ 02505 02506 #endif /* PPP_SUPPORT */
Generated on Tue Jul 12 2022 13:54:02 by
1.7.2