2 * upap.c - User/Password Authentication Protocol.
4 * Copyright (c) 1989 Carnegie Mellon University.
7 * Redistribution and use in source and binary forms are permitted
8 * provided that the above copyright notice and this paragraph are
9 * duplicated in all such forms and that any documentation,
10 * advertising materials, and other materials related to such
11 * distribution and use acknowledge that the software was developed
12 * by Carnegie Mellon University. The name of the
13 * University may not be used to endorse or promote products derived
14 * from this software without specific prior written permission.
15 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
16 * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
17 * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
20 #define RCSID "$Id: upap.c,v 1.22 1999/11/15 01:51:53 paulus Exp $"
32 static const char rcsid[] = RCSID;
34 static bool hide_password;
37 * Command-line options.
39 static option_t pap_option_list[] = {
40 { "hide-password", o_bool, &hide_password,
41 "Don't output passwords to log", 1 },
42 { "pap-restart", o_int, &upap[0].us_timeouttime,
43 "Set retransmit timeout for PAP" },
44 { "pap-max-authreq", o_int, &upap[0].us_maxtransmits,
45 "Set max number of transmissions for auth-reqs" },
46 { "pap-timeout", o_int, &upap[0].us_reqtimeout,
47 "Set time limit for peer PAP authentication" },
52 * Protocol entry points.
54 static void upap_init __P((int));
55 static void upap_lowerup __P((int));
56 static void upap_lowerdown __P((int));
57 static void upap_input __P((int, u_char *, int));
58 static void upap_protrej __P((int));
59 static int upap_printpkt __P((u_char *, int,
60 void (*) __P((void *, char *, ...)), void *));
62 struct protent pap_protent = {
82 upap_state upap[NUM_PPP]; /* UPAP state; one for each unit */
84 static void upap_timeout __P((void *));
85 static void upap_reqtimeout __P((void *));
86 static void upap_rauthreq __P((upap_state *, u_char *, int, int));
87 static void upap_rauthack __P((upap_state *, u_char *, int, int));
88 static void upap_rauthnak __P((upap_state *, u_char *, int, int));
89 static void upap_sauthreq __P((upap_state *));
90 static void upap_sresp __P((upap_state *, int, int, char *, int));
94 * upap_init - Initialize a UPAP unit.
100 upap_state *u = &upap[unit];
107 u->us_clientstate = UPAPCS_INITIAL;
108 u->us_serverstate = UPAPSS_INITIAL;
110 u->us_timeouttime = UPAP_DEFTIMEOUT;
111 u->us_maxtransmits = 10;
112 u->us_reqtimeout = UPAP_DEFREQTIME;
117 * upap_authwithpeer - Authenticate us with our peer (start client).
119 * Set new state and send authenticate's.
122 upap_authwithpeer(unit, user, password)
124 char *user, *password;
126 upap_state *u = &upap[unit];
128 /* Save the username and password we're given */
130 u->us_userlen = strlen(user);
131 u->us_passwd = password;
132 u->us_passwdlen = strlen(password);
135 /* Lower layer up yet? */
136 if (u->us_clientstate == UPAPCS_INITIAL ||
137 u->us_clientstate == UPAPCS_PENDING) {
138 u->us_clientstate = UPAPCS_PENDING;
142 upap_sauthreq(u); /* Start protocol */
147 * upap_authpeer - Authenticate our peer (start server).
155 upap_state *u = &upap[unit];
157 /* Lower layer up yet? */
158 if (u->us_serverstate == UPAPSS_INITIAL ||
159 u->us_serverstate == UPAPSS_PENDING) {
160 u->us_serverstate = UPAPSS_PENDING;
164 u->us_serverstate = UPAPSS_LISTEN;
165 if (u->us_reqtimeout > 0)
166 TIMEOUT(upap_reqtimeout, u, u->us_reqtimeout);
171 * upap_timeout - Retransmission timer for sending auth-reqs expired.
177 upap_state *u = (upap_state *) arg;
179 if (u->us_clientstate != UPAPCS_AUTHREQ)
182 if (u->us_transmits >= u->us_maxtransmits) {
183 /* give up in disgust */
184 error("No response to PAP authenticate-requests");
185 u->us_clientstate = UPAPCS_BADAUTH;
186 auth_withpeer_fail(u->us_unit, PPP_PAP);
190 upap_sauthreq(u); /* Send Authenticate-Request */
195 * upap_reqtimeout - Give up waiting for the peer to send an auth-req.
201 upap_state *u = (upap_state *) arg;
203 if (u->us_serverstate != UPAPSS_LISTEN)
206 auth_peer_fail(u->us_unit, PPP_PAP);
207 u->us_serverstate = UPAPSS_BADAUTH;
212 * upap_lowerup - The lower layer is up.
214 * Start authenticating if pending.
220 upap_state *u = &upap[unit];
222 if (u->us_clientstate == UPAPCS_INITIAL)
223 u->us_clientstate = UPAPCS_CLOSED;
224 else if (u->us_clientstate == UPAPCS_PENDING) {
225 upap_sauthreq(u); /* send an auth-request */
228 if (u->us_serverstate == UPAPSS_INITIAL)
229 u->us_serverstate = UPAPSS_CLOSED;
230 else if (u->us_serverstate == UPAPSS_PENDING) {
231 u->us_serverstate = UPAPSS_LISTEN;
232 if (u->us_reqtimeout > 0)
233 TIMEOUT(upap_reqtimeout, u, u->us_reqtimeout);
239 * upap_lowerdown - The lower layer is down.
241 * Cancel all timeouts.
247 upap_state *u = &upap[unit];
249 if (u->us_clientstate == UPAPCS_AUTHREQ) /* Timeout pending? */
250 UNTIMEOUT(upap_timeout, u); /* Cancel timeout */
251 if (u->us_serverstate == UPAPSS_LISTEN && u->us_reqtimeout > 0)
252 UNTIMEOUT(upap_reqtimeout, u);
254 u->us_clientstate = UPAPCS_INITIAL;
255 u->us_serverstate = UPAPSS_INITIAL;
260 * upap_protrej - Peer doesn't speak this protocol.
262 * This shouldn't happen. In any case, pretend lower layer went down.
268 upap_state *u = &upap[unit];
270 if (u->us_clientstate == UPAPCS_AUTHREQ) {
271 error("PAP authentication failed due to protocol-reject");
272 auth_withpeer_fail(unit, PPP_PAP);
274 if (u->us_serverstate == UPAPSS_LISTEN) {
275 error("PAP authentication of peer failed (protocol-reject)");
276 auth_peer_fail(unit, PPP_PAP);
278 upap_lowerdown(unit);
283 * upap_input - Input UPAP packet.
286 upap_input(unit, inpacket, l)
291 upap_state *u = &upap[unit];
297 * Parse header (code, id and length).
298 * If packet too short, drop it.
301 if (l < UPAP_HEADERLEN) {
302 UPAPDEBUG(("pap_input: rcvd short header."));
308 if (len < UPAP_HEADERLEN) {
309 UPAPDEBUG(("pap_input: rcvd illegal length."));
313 UPAPDEBUG(("pap_input: rcvd short packet."));
316 len -= UPAP_HEADERLEN;
319 * Action depends on code.
323 upap_rauthreq(u, inp, id, len);
327 upap_rauthack(u, inp, id, len);
331 upap_rauthnak(u, inp, id, len);
334 default: /* XXX Need code reject */
341 * upap_rauth - Receive Authenticate.
344 upap_rauthreq(u, inp, id, len)
350 u_char ruserlen, rpasswdlen;
351 char *ruser, *rpasswd;
356 if (u->us_serverstate < UPAPSS_LISTEN)
360 * If we receive a duplicate authenticate-request, we are
361 * supposed to return the same status as for the first request.
363 if (u->us_serverstate == UPAPSS_OPEN) {
364 upap_sresp(u, UPAP_AUTHACK, id, "", 0); /* return auth-ack */
367 if (u->us_serverstate == UPAPSS_BADAUTH) {
368 upap_sresp(u, UPAP_AUTHNAK, id, "", 0); /* return auth-nak */
376 UPAPDEBUG(("pap_rauth: rcvd short packet."));
379 GETCHAR(ruserlen, inp);
380 len -= sizeof (u_char) + ruserlen + sizeof (u_char);
382 UPAPDEBUG(("pap_rauth: rcvd short packet."));
385 ruser = (char *) inp;
386 INCPTR(ruserlen, inp);
387 GETCHAR(rpasswdlen, inp);
388 if (len < rpasswdlen) {
389 UPAPDEBUG(("pap_rauth: rcvd short packet."));
392 rpasswd = (char *) inp;
395 * Check the username and password given.
397 retcode = check_passwd(u->us_unit, ruser, ruserlen, rpasswd,
399 BZERO(rpasswd, rpasswdlen);
400 msglen = strlen(msg);
404 upap_sresp(u, retcode, id, msg, msglen);
406 if (retcode == UPAP_AUTHACK) {
407 u->us_serverstate = UPAPSS_OPEN;
408 auth_peer_success(u->us_unit, PPP_PAP, ruser, ruserlen);
410 u->us_serverstate = UPAPSS_BADAUTH;
411 auth_peer_fail(u->us_unit, PPP_PAP);
414 if (u->us_reqtimeout > 0)
415 UNTIMEOUT(upap_reqtimeout, u);
420 * upap_rauthack - Receive Authenticate-Ack.
423 upap_rauthack(u, inp, id, len)
432 if (u->us_clientstate != UPAPCS_AUTHREQ) /* XXX */
439 UPAPDEBUG(("pap_rauthack: ignoring missing msg-length."));
441 GETCHAR(msglen, inp);
443 len -= sizeof (u_char);
445 UPAPDEBUG(("pap_rauthack: rcvd short packet."));
449 PRINTMSG(msg, msglen);
453 u->us_clientstate = UPAPCS_OPEN;
455 auth_withpeer_success(u->us_unit, PPP_PAP);
460 * upap_rauthnak - Receive Authenticate-Nakk.
463 upap_rauthnak(u, inp, id, len)
472 if (u->us_clientstate != UPAPCS_AUTHREQ) /* XXX */
479 UPAPDEBUG(("pap_rauthnak: ignoring missing msg-length."));
481 GETCHAR(msglen, inp);
483 len -= sizeof (u_char);
485 UPAPDEBUG(("pap_rauthnak: rcvd short packet."));
489 PRINTMSG(msg, msglen);
493 u->us_clientstate = UPAPCS_BADAUTH;
495 error("PAP authentication failed");
496 auth_withpeer_fail(u->us_unit, PPP_PAP);
501 * upap_sauthreq - Send an Authenticate-Request.
510 outlen = UPAP_HEADERLEN + 2 * sizeof (u_char) +
511 u->us_userlen + u->us_passwdlen;
512 outp = outpacket_buf;
514 MAKEHEADER(outp, PPP_PAP);
516 PUTCHAR(UPAP_AUTHREQ, outp);
517 PUTCHAR(++u->us_id, outp);
518 PUTSHORT(outlen, outp);
519 PUTCHAR(u->us_userlen, outp);
520 BCOPY(u->us_user, outp, u->us_userlen);
521 INCPTR(u->us_userlen, outp);
522 PUTCHAR(u->us_passwdlen, outp);
523 BCOPY(u->us_passwd, outp, u->us_passwdlen);
525 output(u->us_unit, outpacket_buf, outlen + PPP_HDRLEN);
527 TIMEOUT(upap_timeout, u, u->us_timeouttime);
529 u->us_clientstate = UPAPCS_AUTHREQ;
534 * upap_sresp - Send a response (ack or nak).
537 upap_sresp(u, code, id, msg, msglen)
546 outlen = UPAP_HEADERLEN + sizeof (u_char) + msglen;
547 outp = outpacket_buf;
548 MAKEHEADER(outp, PPP_PAP);
552 PUTSHORT(outlen, outp);
553 PUTCHAR(msglen, outp);
554 BCOPY(msg, outp, msglen);
555 output(u->us_unit, outpacket_buf, outlen + PPP_HDRLEN);
559 * upap_printpkt - print the contents of a PAP packet.
561 static char *upap_codenames[] = {
562 "AuthReq", "AuthAck", "AuthNak"
566 upap_printpkt(p, plen, printer, arg)
569 void (*printer) __P((void *, char *, ...));
573 int mlen, ulen, wlen;
574 char *user, *pwd, *msg;
577 if (plen < UPAP_HEADERLEN)
583 if (len < UPAP_HEADERLEN || len > plen)
586 if (code >= 1 && code <= sizeof(upap_codenames) / sizeof(char *))
587 printer(arg, " %s", upap_codenames[code-1]);
589 printer(arg, " code=0x%x", code);
590 printer(arg, " id=0x%x", id);
591 len -= UPAP_HEADERLEN;
600 if (len < ulen + wlen + 2)
602 user = (char *) (p + 1);
603 pwd = (char *) (p + ulen + 2);
604 p += ulen + wlen + 2;
605 len -= ulen + wlen + 2;
606 printer(arg, " user=");
607 print_string(user, ulen, printer, arg);
608 printer(arg, " password=");
610 print_string(pwd, wlen, printer, arg);
612 printer(arg, "<hidden>");
621 msg = (char *) (p + 1);
625 print_string(msg, mlen, printer, arg);
629 /* print the rest of the bytes in the packet */
630 for (; len > 0; --len) {
632 printer(arg, " %.2x", code);