2 * upap.c - User/Password Authentication Protocol.
4 * Copyright (c) 1989 Carnegie Mellon University.
7 * Redistribution and use in source and binary forms are permitted
8 * provided that the above copyright notice and this paragraph are
9 * duplicated in all such forms and that any documentation,
10 * advertising materials, and other materials related to such
11 * distribution and use acknowledge that the software was developed
12 * by Carnegie Mellon University. The name of the
13 * University may not be used to endorse or promote products derived
14 * from this software without specific prior written permission.
15 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
16 * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
17 * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
20 #define RCSID "$Id: upap.c,v 1.24 2001/03/08 05:11:16 paulus Exp $"
32 static const char rcsid[] = RCSID;
34 static bool hide_password = 1;
37 * Command-line options.
39 static option_t pap_option_list[] = {
40 { "hide-password", o_bool, &hide_password,
41 "Don't output passwords to log", OPT_PRIO | 1 },
42 { "show-password", o_bool, &hide_password,
43 "Show password string in debug log messages", OPT_PRIOSUB | 0 },
45 { "pap-restart", o_int, &upap[0].us_timeouttime,
46 "Set retransmit timeout for PAP", OPT_PRIO },
47 { "pap-max-authreq", o_int, &upap[0].us_maxtransmits,
48 "Set max number of transmissions for auth-reqs", OPT_PRIO },
49 { "pap-timeout", o_int, &upap[0].us_reqtimeout,
50 "Set time limit for peer PAP authentication", OPT_PRIO },
56 * Protocol entry points.
58 static void upap_init __P((int));
59 static void upap_lowerup __P((int));
60 static void upap_lowerdown __P((int));
61 static void upap_input __P((int, u_char *, int));
62 static void upap_protrej __P((int));
63 static int upap_printpkt __P((u_char *, int,
64 void (*) __P((void *, char *, ...)), void *));
66 struct protent pap_protent = {
86 upap_state upap[NUM_PPP]; /* UPAP state; one for each unit */
88 static void upap_timeout __P((void *));
89 static void upap_reqtimeout __P((void *));
90 static void upap_rauthreq __P((upap_state *, u_char *, int, int));
91 static void upap_rauthack __P((upap_state *, u_char *, int, int));
92 static void upap_rauthnak __P((upap_state *, u_char *, int, int));
93 static void upap_sauthreq __P((upap_state *));
94 static void upap_sresp __P((upap_state *, int, int, char *, int));
98 * upap_init - Initialize a UPAP unit.
104 upap_state *u = &upap[unit];
111 u->us_clientstate = UPAPCS_INITIAL;
112 u->us_serverstate = UPAPSS_INITIAL;
114 u->us_timeouttime = UPAP_DEFTIMEOUT;
115 u->us_maxtransmits = 10;
116 u->us_reqtimeout = UPAP_DEFREQTIME;
121 * upap_authwithpeer - Authenticate us with our peer (start client).
123 * Set new state and send authenticate's.
126 upap_authwithpeer(unit, user, password)
128 char *user, *password;
130 upap_state *u = &upap[unit];
132 /* Save the username and password we're given */
134 u->us_userlen = strlen(user);
135 u->us_passwd = password;
136 u->us_passwdlen = strlen(password);
139 /* Lower layer up yet? */
140 if (u->us_clientstate == UPAPCS_INITIAL ||
141 u->us_clientstate == UPAPCS_PENDING) {
142 u->us_clientstate = UPAPCS_PENDING;
146 upap_sauthreq(u); /* Start protocol */
151 * upap_authpeer - Authenticate our peer (start server).
159 upap_state *u = &upap[unit];
161 /* Lower layer up yet? */
162 if (u->us_serverstate == UPAPSS_INITIAL ||
163 u->us_serverstate == UPAPSS_PENDING) {
164 u->us_serverstate = UPAPSS_PENDING;
168 u->us_serverstate = UPAPSS_LISTEN;
169 if (u->us_reqtimeout > 0)
170 TIMEOUT(upap_reqtimeout, u, u->us_reqtimeout);
175 * upap_timeout - Retransmission timer for sending auth-reqs expired.
181 upap_state *u = (upap_state *) arg;
183 if (u->us_clientstate != UPAPCS_AUTHREQ)
186 if (u->us_transmits >= u->us_maxtransmits) {
187 /* give up in disgust */
188 error("No response to PAP authenticate-requests");
189 u->us_clientstate = UPAPCS_BADAUTH;
190 auth_withpeer_fail(u->us_unit, PPP_PAP);
194 upap_sauthreq(u); /* Send Authenticate-Request */
199 * upap_reqtimeout - Give up waiting for the peer to send an auth-req.
205 upap_state *u = (upap_state *) arg;
207 if (u->us_serverstate != UPAPSS_LISTEN)
210 auth_peer_fail(u->us_unit, PPP_PAP);
211 u->us_serverstate = UPAPSS_BADAUTH;
216 * upap_lowerup - The lower layer is up.
218 * Start authenticating if pending.
224 upap_state *u = &upap[unit];
226 if (u->us_clientstate == UPAPCS_INITIAL)
227 u->us_clientstate = UPAPCS_CLOSED;
228 else if (u->us_clientstate == UPAPCS_PENDING) {
229 upap_sauthreq(u); /* send an auth-request */
232 if (u->us_serverstate == UPAPSS_INITIAL)
233 u->us_serverstate = UPAPSS_CLOSED;
234 else if (u->us_serverstate == UPAPSS_PENDING) {
235 u->us_serverstate = UPAPSS_LISTEN;
236 if (u->us_reqtimeout > 0)
237 TIMEOUT(upap_reqtimeout, u, u->us_reqtimeout);
243 * upap_lowerdown - The lower layer is down.
245 * Cancel all timeouts.
251 upap_state *u = &upap[unit];
253 if (u->us_clientstate == UPAPCS_AUTHREQ) /* Timeout pending? */
254 UNTIMEOUT(upap_timeout, u); /* Cancel timeout */
255 if (u->us_serverstate == UPAPSS_LISTEN && u->us_reqtimeout > 0)
256 UNTIMEOUT(upap_reqtimeout, u);
258 u->us_clientstate = UPAPCS_INITIAL;
259 u->us_serverstate = UPAPSS_INITIAL;
264 * upap_protrej - Peer doesn't speak this protocol.
266 * This shouldn't happen. In any case, pretend lower layer went down.
272 upap_state *u = &upap[unit];
274 if (u->us_clientstate == UPAPCS_AUTHREQ) {
275 error("PAP authentication failed due to protocol-reject");
276 auth_withpeer_fail(unit, PPP_PAP);
278 if (u->us_serverstate == UPAPSS_LISTEN) {
279 error("PAP authentication of peer failed (protocol-reject)");
280 auth_peer_fail(unit, PPP_PAP);
282 upap_lowerdown(unit);
287 * upap_input - Input UPAP packet.
290 upap_input(unit, inpacket, l)
295 upap_state *u = &upap[unit];
301 * Parse header (code, id and length).
302 * If packet too short, drop it.
305 if (l < UPAP_HEADERLEN) {
306 UPAPDEBUG(("pap_input: rcvd short header."));
312 if (len < UPAP_HEADERLEN) {
313 UPAPDEBUG(("pap_input: rcvd illegal length."));
317 UPAPDEBUG(("pap_input: rcvd short packet."));
320 len -= UPAP_HEADERLEN;
323 * Action depends on code.
327 upap_rauthreq(u, inp, id, len);
331 upap_rauthack(u, inp, id, len);
335 upap_rauthnak(u, inp, id, len);
338 default: /* XXX Need code reject */
345 * upap_rauth - Receive Authenticate.
348 upap_rauthreq(u, inp, id, len)
354 u_char ruserlen, rpasswdlen;
355 char *ruser, *rpasswd;
360 if (u->us_serverstate < UPAPSS_LISTEN)
364 * If we receive a duplicate authenticate-request, we are
365 * supposed to return the same status as for the first request.
367 if (u->us_serverstate == UPAPSS_OPEN) {
368 upap_sresp(u, UPAP_AUTHACK, id, "", 0); /* return auth-ack */
371 if (u->us_serverstate == UPAPSS_BADAUTH) {
372 upap_sresp(u, UPAP_AUTHNAK, id, "", 0); /* return auth-nak */
380 UPAPDEBUG(("pap_rauth: rcvd short packet."));
383 GETCHAR(ruserlen, inp);
384 len -= sizeof (u_char) + ruserlen + sizeof (u_char);
386 UPAPDEBUG(("pap_rauth: rcvd short packet."));
389 ruser = (char *) inp;
390 INCPTR(ruserlen, inp);
391 GETCHAR(rpasswdlen, inp);
392 if (len < rpasswdlen) {
393 UPAPDEBUG(("pap_rauth: rcvd short packet."));
396 rpasswd = (char *) inp;
399 * Check the username and password given.
401 retcode = check_passwd(u->us_unit, ruser, ruserlen, rpasswd,
403 BZERO(rpasswd, rpasswdlen);
404 msglen = strlen(msg);
408 upap_sresp(u, retcode, id, msg, msglen);
410 if (retcode == UPAP_AUTHACK) {
411 u->us_serverstate = UPAPSS_OPEN;
412 auth_peer_success(u->us_unit, PPP_PAP, ruser, ruserlen);
414 u->us_serverstate = UPAPSS_BADAUTH;
415 auth_peer_fail(u->us_unit, PPP_PAP);
418 if (u->us_reqtimeout > 0)
419 UNTIMEOUT(upap_reqtimeout, u);
424 * upap_rauthack - Receive Authenticate-Ack.
427 upap_rauthack(u, inp, id, len)
436 if (u->us_clientstate != UPAPCS_AUTHREQ) /* XXX */
443 UPAPDEBUG(("pap_rauthack: ignoring missing msg-length."));
445 GETCHAR(msglen, inp);
447 len -= sizeof (u_char);
449 UPAPDEBUG(("pap_rauthack: rcvd short packet."));
453 PRINTMSG(msg, msglen);
457 u->us_clientstate = UPAPCS_OPEN;
459 auth_withpeer_success(u->us_unit, PPP_PAP);
464 * upap_rauthnak - Receive Authenticate-Nakk.
467 upap_rauthnak(u, inp, id, len)
476 if (u->us_clientstate != UPAPCS_AUTHREQ) /* XXX */
483 UPAPDEBUG(("pap_rauthnak: ignoring missing msg-length."));
485 GETCHAR(msglen, inp);
487 len -= sizeof (u_char);
489 UPAPDEBUG(("pap_rauthnak: rcvd short packet."));
493 PRINTMSG(msg, msglen);
497 u->us_clientstate = UPAPCS_BADAUTH;
499 error("PAP authentication failed");
500 auth_withpeer_fail(u->us_unit, PPP_PAP);
505 * upap_sauthreq - Send an Authenticate-Request.
514 outlen = UPAP_HEADERLEN + 2 * sizeof (u_char) +
515 u->us_userlen + u->us_passwdlen;
516 outp = outpacket_buf;
518 MAKEHEADER(outp, PPP_PAP);
520 PUTCHAR(UPAP_AUTHREQ, outp);
521 PUTCHAR(++u->us_id, outp);
522 PUTSHORT(outlen, outp);
523 PUTCHAR(u->us_userlen, outp);
524 BCOPY(u->us_user, outp, u->us_userlen);
525 INCPTR(u->us_userlen, outp);
526 PUTCHAR(u->us_passwdlen, outp);
527 BCOPY(u->us_passwd, outp, u->us_passwdlen);
529 output(u->us_unit, outpacket_buf, outlen + PPP_HDRLEN);
531 TIMEOUT(upap_timeout, u, u->us_timeouttime);
533 u->us_clientstate = UPAPCS_AUTHREQ;
538 * upap_sresp - Send a response (ack or nak).
541 upap_sresp(u, code, id, msg, msglen)
550 outlen = UPAP_HEADERLEN + sizeof (u_char) + msglen;
551 outp = outpacket_buf;
552 MAKEHEADER(outp, PPP_PAP);
556 PUTSHORT(outlen, outp);
557 PUTCHAR(msglen, outp);
558 BCOPY(msg, outp, msglen);
559 output(u->us_unit, outpacket_buf, outlen + PPP_HDRLEN);
563 * upap_printpkt - print the contents of a PAP packet.
565 static char *upap_codenames[] = {
566 "AuthReq", "AuthAck", "AuthNak"
570 upap_printpkt(p, plen, printer, arg)
573 void (*printer) __P((void *, char *, ...));
577 int mlen, ulen, wlen;
578 char *user, *pwd, *msg;
581 if (plen < UPAP_HEADERLEN)
587 if (len < UPAP_HEADERLEN || len > plen)
590 if (code >= 1 && code <= sizeof(upap_codenames) / sizeof(char *))
591 printer(arg, " %s", upap_codenames[code-1]);
593 printer(arg, " code=0x%x", code);
594 printer(arg, " id=0x%x", id);
595 len -= UPAP_HEADERLEN;
604 if (len < ulen + wlen + 2)
606 user = (char *) (p + 1);
607 pwd = (char *) (p + ulen + 2);
608 p += ulen + wlen + 2;
609 len -= ulen + wlen + 2;
610 printer(arg, " user=");
611 print_string(user, ulen, printer, arg);
612 printer(arg, " password=");
614 print_string(pwd, wlen, printer, arg);
616 printer(arg, "<hidden>");
625 msg = (char *) (p + 1);
629 print_string(msg, mlen, printer, arg);
633 /* print the rest of the bytes in the packet */
634 for (; len > 0; --len) {
636 printer(arg, " %.2x", code);