2 * upap.c - User/Password Authentication Protocol.
4 * Copyright (c) 1989 Carnegie Mellon University.
7 * Redistribution and use in source and binary forms are permitted
8 * provided that the above copyright notice and this paragraph are
9 * duplicated in all such forms and that any documentation,
10 * advertising materials, and other materials related to such
11 * distribution and use acknowledge that the software was developed
12 * by Carnegie Mellon University. The name of the
13 * University may not be used to endorse or promote products derived
14 * from this software without specific prior written permission.
15 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
16 * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
17 * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
20 #define RCSID "$Id: upap.c,v 1.28 2002/10/12 02:30:21 fcusack Exp $"
32 static const char rcsid[] = RCSID;
34 static bool hide_password = 1;
37 * Command-line options.
39 static option_t pap_option_list[] = {
40 { "hide-password", o_bool, &hide_password,
41 "Don't output passwords to log", OPT_PRIO | 1 },
42 { "show-password", o_bool, &hide_password,
43 "Show password string in debug log messages", OPT_PRIOSUB | 0 },
45 { "pap-restart", o_int, &upap[0].us_timeouttime,
46 "Set retransmit timeout for PAP", OPT_PRIO },
47 { "pap-max-authreq", o_int, &upap[0].us_maxtransmits,
48 "Set max number of transmissions for auth-reqs", OPT_PRIO },
49 { "pap-timeout", o_int, &upap[0].us_reqtimeout,
50 "Set time limit for peer PAP authentication", OPT_PRIO },
56 * Protocol entry points.
58 static void upap_init __P((int));
59 static void upap_lowerup __P((int));
60 static void upap_lowerdown __P((int));
61 static void upap_input __P((int, u_char *, int));
62 static void upap_protrej __P((int));
63 static int upap_printpkt __P((u_char *, int,
64 void (*) __P((void *, char *, ...)), void *));
66 struct protent pap_protent = {
86 upap_state upap[NUM_PPP]; /* UPAP state; one for each unit */
88 static void upap_timeout __P((void *));
89 static void upap_reqtimeout __P((void *));
90 static void upap_rauthreq __P((upap_state *, u_char *, int, int));
91 static void upap_rauthack __P((upap_state *, u_char *, int, int));
92 static void upap_rauthnak __P((upap_state *, u_char *, int, int));
93 static void upap_sauthreq __P((upap_state *));
94 static void upap_sresp __P((upap_state *, int, int, char *, int));
98 * upap_init - Initialize a UPAP unit.
104 upap_state *u = &upap[unit];
111 u->us_clientstate = UPAPCS_INITIAL;
112 u->us_serverstate = UPAPSS_INITIAL;
114 u->us_timeouttime = UPAP_DEFTIMEOUT;
115 u->us_maxtransmits = 10;
116 u->us_reqtimeout = UPAP_DEFREQTIME;
121 * upap_authwithpeer - Authenticate us with our peer (start client).
123 * Set new state and send authenticate's.
126 upap_authwithpeer(unit, user, password)
128 char *user, *password;
130 upap_state *u = &upap[unit];
132 /* Save the username and password we're given */
134 u->us_userlen = strlen(user);
135 u->us_passwd = password;
136 u->us_passwdlen = strlen(password);
139 /* Lower layer up yet? */
140 if (u->us_clientstate == UPAPCS_INITIAL ||
141 u->us_clientstate == UPAPCS_PENDING) {
142 u->us_clientstate = UPAPCS_PENDING;
146 upap_sauthreq(u); /* Start protocol */
151 * upap_authpeer - Authenticate our peer (start server).
159 upap_state *u = &upap[unit];
161 /* Lower layer up yet? */
162 if (u->us_serverstate == UPAPSS_INITIAL ||
163 u->us_serverstate == UPAPSS_PENDING) {
164 u->us_serverstate = UPAPSS_PENDING;
168 u->us_serverstate = UPAPSS_LISTEN;
169 if (u->us_reqtimeout > 0)
170 TIMEOUT(upap_reqtimeout, u, u->us_reqtimeout);
175 * upap_timeout - Retransmission timer for sending auth-reqs expired.
181 upap_state *u = (upap_state *) arg;
183 if (u->us_clientstate != UPAPCS_AUTHREQ)
186 if (u->us_transmits >= u->us_maxtransmits) {
187 /* give up in disgust */
188 error("No response to PAP authenticate-requests");
189 u->us_clientstate = UPAPCS_BADAUTH;
190 auth_withpeer_fail(u->us_unit, PPP_PAP);
194 upap_sauthreq(u); /* Send Authenticate-Request */
199 * upap_reqtimeout - Give up waiting for the peer to send an auth-req.
205 upap_state *u = (upap_state *) arg;
207 if (u->us_serverstate != UPAPSS_LISTEN)
210 auth_peer_fail(u->us_unit, PPP_PAP);
211 u->us_serverstate = UPAPSS_BADAUTH;
216 * upap_lowerup - The lower layer is up.
218 * Start authenticating if pending.
224 upap_state *u = &upap[unit];
226 if (u->us_clientstate == UPAPCS_INITIAL)
227 u->us_clientstate = UPAPCS_CLOSED;
228 else if (u->us_clientstate == UPAPCS_PENDING) {
229 upap_sauthreq(u); /* send an auth-request */
232 if (u->us_serverstate == UPAPSS_INITIAL)
233 u->us_serverstate = UPAPSS_CLOSED;
234 else if (u->us_serverstate == UPAPSS_PENDING) {
235 u->us_serverstate = UPAPSS_LISTEN;
236 if (u->us_reqtimeout > 0)
237 TIMEOUT(upap_reqtimeout, u, u->us_reqtimeout);
243 * upap_lowerdown - The lower layer is down.
245 * Cancel all timeouts.
251 upap_state *u = &upap[unit];
253 if (u->us_clientstate == UPAPCS_AUTHREQ) /* Timeout pending? */
254 UNTIMEOUT(upap_timeout, u); /* Cancel timeout */
255 if (u->us_serverstate == UPAPSS_LISTEN && u->us_reqtimeout > 0)
256 UNTIMEOUT(upap_reqtimeout, u);
258 u->us_clientstate = UPAPCS_INITIAL;
259 u->us_serverstate = UPAPSS_INITIAL;
264 * upap_protrej - Peer doesn't speak this protocol.
266 * This shouldn't happen. In any case, pretend lower layer went down.
272 upap_state *u = &upap[unit];
274 if (u->us_clientstate == UPAPCS_AUTHREQ) {
275 error("PAP authentication failed due to protocol-reject");
276 auth_withpeer_fail(unit, PPP_PAP);
278 if (u->us_serverstate == UPAPSS_LISTEN) {
279 error("PAP authentication of peer failed (protocol-reject)");
280 auth_peer_fail(unit, PPP_PAP);
282 upap_lowerdown(unit);
287 * upap_input - Input UPAP packet.
290 upap_input(unit, inpacket, l)
295 upap_state *u = &upap[unit];
301 * Parse header (code, id and length).
302 * If packet too short, drop it.
305 if (l < UPAP_HEADERLEN) {
306 UPAPDEBUG(("pap_input: rcvd short header."));
312 if (len < UPAP_HEADERLEN) {
313 UPAPDEBUG(("pap_input: rcvd illegal length."));
317 UPAPDEBUG(("pap_input: rcvd short packet."));
320 len -= UPAP_HEADERLEN;
323 * Action depends on code.
327 upap_rauthreq(u, inp, id, len);
331 upap_rauthack(u, inp, id, len);
335 upap_rauthnak(u, inp, id, len);
338 default: /* XXX Need code reject */
345 * upap_rauth - Receive Authenticate.
348 upap_rauthreq(u, inp, id, len)
354 u_char ruserlen, rpasswdlen;
355 char *ruser, *rpasswd;
361 if (u->us_serverstate < UPAPSS_LISTEN)
365 * If we receive a duplicate authenticate-request, we are
366 * supposed to return the same status as for the first request.
368 if (u->us_serverstate == UPAPSS_OPEN) {
369 upap_sresp(u, UPAP_AUTHACK, id, "", 0); /* return auth-ack */
372 if (u->us_serverstate == UPAPSS_BADAUTH) {
373 upap_sresp(u, UPAP_AUTHNAK, id, "", 0); /* return auth-nak */
381 UPAPDEBUG(("pap_rauth: rcvd short packet."));
384 GETCHAR(ruserlen, inp);
385 len -= sizeof (u_char) + ruserlen + sizeof (u_char);
387 UPAPDEBUG(("pap_rauth: rcvd short packet."));
390 ruser = (char *) inp;
391 INCPTR(ruserlen, inp);
392 GETCHAR(rpasswdlen, inp);
393 if (len < rpasswdlen) {
394 UPAPDEBUG(("pap_rauth: rcvd short packet."));
397 rpasswd = (char *) inp;
400 * Check the username and password given.
402 retcode = check_passwd(u->us_unit, ruser, ruserlen, rpasswd,
404 BZERO(rpasswd, rpasswdlen);
407 * Check remote number authorization. A plugin may have filled in
408 * the remote number or added an allowed number, and rather than
409 * return an authenticate failure, is leaving it for us to verify.
411 if (retcode == UPAP_AUTHACK) {
412 if (!auth_number()) {
413 /* We do not want to leak info about the pap result. */
414 retcode = UPAP_AUTHNAK; /* XXX exit value will be "wrong" */
415 warn("calling number %q is not authorized", remote_number);
419 msglen = strlen(msg);
422 upap_sresp(u, retcode, id, msg, msglen);
424 /* Null terminate and clean remote name. */
425 slprintf(rhostname, sizeof(rhostname), "%.*v", ruserlen, ruser);
427 if (retcode == UPAP_AUTHACK) {
428 u->us_serverstate = UPAPSS_OPEN;
429 notice("PAP peer authentication succeeded for %q", rhostname);
430 auth_peer_success(u->us_unit, PPP_PAP, 0, ruser, ruserlen);
432 u->us_serverstate = UPAPSS_BADAUTH;
433 warn("PAP peer authentication failed for %q", rhostname);
434 auth_peer_fail(u->us_unit, PPP_PAP);
437 if (u->us_reqtimeout > 0)
438 UNTIMEOUT(upap_reqtimeout, u);
443 * upap_rauthack - Receive Authenticate-Ack.
446 upap_rauthack(u, inp, id, len)
455 if (u->us_clientstate != UPAPCS_AUTHREQ) /* XXX */
462 UPAPDEBUG(("pap_rauthack: ignoring missing msg-length."));
464 GETCHAR(msglen, inp);
466 len -= sizeof (u_char);
468 UPAPDEBUG(("pap_rauthack: rcvd short packet."));
472 PRINTMSG(msg, msglen);
476 u->us_clientstate = UPAPCS_OPEN;
478 notice("PAP authentication succeeded");
479 auth_withpeer_success(u->us_unit, PPP_PAP, 0);
484 * upap_rauthnak - Receive Authenticate-Nak.
487 upap_rauthnak(u, inp, id, len)
496 if (u->us_clientstate != UPAPCS_AUTHREQ) /* XXX */
503 UPAPDEBUG(("pap_rauthnak: ignoring missing msg-length."));
505 GETCHAR(msglen, inp);
507 len -= sizeof (u_char);
509 UPAPDEBUG(("pap_rauthnak: rcvd short packet."));
513 PRINTMSG(msg, msglen);
517 u->us_clientstate = UPAPCS_BADAUTH;
519 error("PAP authentication failed");
520 auth_withpeer_fail(u->us_unit, PPP_PAP);
525 * upap_sauthreq - Send an Authenticate-Request.
534 outlen = UPAP_HEADERLEN + 2 * sizeof (u_char) +
535 u->us_userlen + u->us_passwdlen;
536 outp = outpacket_buf;
538 MAKEHEADER(outp, PPP_PAP);
540 PUTCHAR(UPAP_AUTHREQ, outp);
541 PUTCHAR(++u->us_id, outp);
542 PUTSHORT(outlen, outp);
543 PUTCHAR(u->us_userlen, outp);
544 BCOPY(u->us_user, outp, u->us_userlen);
545 INCPTR(u->us_userlen, outp);
546 PUTCHAR(u->us_passwdlen, outp);
547 BCOPY(u->us_passwd, outp, u->us_passwdlen);
549 output(u->us_unit, outpacket_buf, outlen + PPP_HDRLEN);
551 TIMEOUT(upap_timeout, u, u->us_timeouttime);
553 u->us_clientstate = UPAPCS_AUTHREQ;
558 * upap_sresp - Send a response (ack or nak).
561 upap_sresp(u, code, id, msg, msglen)
570 outlen = UPAP_HEADERLEN + sizeof (u_char) + msglen;
571 outp = outpacket_buf;
572 MAKEHEADER(outp, PPP_PAP);
576 PUTSHORT(outlen, outp);
577 PUTCHAR(msglen, outp);
578 BCOPY(msg, outp, msglen);
579 output(u->us_unit, outpacket_buf, outlen + PPP_HDRLEN);
583 * upap_printpkt - print the contents of a PAP packet.
585 static char *upap_codenames[] = {
586 "AuthReq", "AuthAck", "AuthNak"
590 upap_printpkt(p, plen, printer, arg)
593 void (*printer) __P((void *, char *, ...));
597 int mlen, ulen, wlen;
598 char *user, *pwd, *msg;
601 if (plen < UPAP_HEADERLEN)
607 if (len < UPAP_HEADERLEN || len > plen)
610 if (code >= 1 && code <= sizeof(upap_codenames) / sizeof(char *))
611 printer(arg, " %s", upap_codenames[code-1]);
613 printer(arg, " code=0x%x", code);
614 printer(arg, " id=0x%x", id);
615 len -= UPAP_HEADERLEN;
624 if (len < ulen + wlen + 2)
626 user = (char *) (p + 1);
627 pwd = (char *) (p + ulen + 2);
628 p += ulen + wlen + 2;
629 len -= ulen + wlen + 2;
630 printer(arg, " user=");
631 print_string(user, ulen, printer, arg);
632 printer(arg, " password=");
634 print_string(pwd, wlen, printer, arg);
636 printer(arg, "<hidden>");
645 msg = (char *) (p + 1);
649 print_string(msg, mlen, printer, arg);
653 /* print the rest of the bytes in the packet */
654 for (; len > 0; --len) {
656 printer(arg, " %.2x", code);