/*
* lcp.c - PPP Link Control Protocol.
*
- * Copyright (c) 1989 Carnegie Mellon University.
- * All rights reserved.
+ * Copyright (c) 1984-2000 Carnegie Mellon University. All rights reserved.
*
- * Redistribution and use in source and binary forms are permitted
- * provided that the above copyright notice and this paragraph are
- * duplicated in all such forms and that any documentation,
- * advertising materials, and other materials related to such
- * distribution and use acknowledge that the software was developed
- * by Carnegie Mellon University. The name of the
- * University may not be used to endorse or promote products derived
- * from this software without specific prior written permission.
- * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
- * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ *
+ * 3. The name "Carnegie Mellon University" must not be used to
+ * endorse or promote products derived from this software without
+ * prior written permission. For permission or any legal
+ * details, please contact
+ * Office of Technology Transfer
+ * Carnegie Mellon University
+ * 5000 Forbes Avenue
+ * Pittsburgh, PA 15213-3890
+ * (412) 268-4387, fax: (412) 268-7395
+ * tech-transfer@andrew.cmu.edu
+ *
+ * 4. Redistributions of any form whatsoever must retain the following
+ * acknowledgment:
+ * "This product includes software developed by Computing Services
+ * at Carnegie Mellon University (http://www.cmu.edu/computing/)."
+ *
+ * CARNEGIE MELLON UNIVERSITY DISCLAIMS ALL WARRANTIES WITH REGARD TO
+ * THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS, IN NO EVENT SHALL CARNEGIE MELLON UNIVERSITY BE LIABLE
+ * FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN
+ * AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING
+ * OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
-#define RCSID "$Id: lcp.c,v 1.61 2002/09/12 22:51:06 paulus Exp $"
+#define RCSID "$Id: lcp.c,v 1.70 2003/07/28 12:25:41 carlsonj Exp $"
/*
* TODO:
#include "pppd.h"
#include "fsm.h"
#include "lcp.h"
-#include "chap.h"
+#include "chap-new.h"
#include "magic.h"
static const char rcsid[] = RCSID;
ao->neg_chap = 1;
ao->chap_mdtype = MDTYPE_ALL;
ao->neg_upap = 1;
+ ao->neg_eap = 1;
ao->neg_magicnumber = 1;
ao->neg_pcompression = 1;
ao->neg_accompression = 1;
lcp_finished(f);
} else
- fsm_close(&lcp_fsm[unit], reason);
+ fsm_close(f, reason);
}
* but accept A/C and protocol compressed packets
* if we are going to ask for A/C and protocol compression.
*/
- ppp_send_config(unit, PPP_MRU, 0xffffffff, 0, 0);
- ppp_recv_config(unit, PPP_MRU, (lax_recv? 0: 0xffffffff),
- wo->neg_pcompression, wo->neg_accompression);
+ if (ppp_send_config(unit, PPP_MRU, 0xffffffff, 0, 0) < 0
+ || ppp_recv_config(unit, PPP_MRU, (lax_recv? 0: 0xffffffff),
+ wo->neg_pcompression, wo->neg_accompression) < 0)
+ return;
peer_mru[unit] = PPP_MRU;
if (listen_time != 0) {
#define LENCILQR(neg) ((neg) ? CILEN_LQR: 0)
#define LENCICBCP(neg) ((neg) ? CILEN_CBCP: 0)
/*
- * NB: we only ask for one of CHAP and UPAP, even if we will
- * accept either.
+ * NB: we only ask for one of CHAP, UPAP, or EAP, even if we will
+ * accept more than one. We prefer EAP first, then CHAP, then
+ * PAP.
*/
return (LENCISHORT(go->neg_mru && go->mru != DEFMRU) +
LENCILONG(go->neg_asyncmap && go->asyncmap != 0xFFFFFFFF) +
- LENCICHAP(go->neg_chap) +
- LENCISHORT(!go->neg_chap && go->neg_upap) +
+ LENCISHORT(go->neg_eap) +
+ LENCICHAP(!go->neg_eap && go->neg_chap) +
+ LENCISHORT(!go->neg_eap && !go->neg_chap && go->neg_upap) +
LENCILQR(go->neg_lqr) +
LENCICBCP(go->neg_cbcp) +
LENCILONG(go->neg_magicnumber) +
PUTCHAR(CILEN_SHORT, ucp); \
PUTSHORT(val, ucp); \
}
-#define ADDCICHAP(opt, neg, val, digest) \
+#define ADDCICHAP(opt, neg, val) \
if (neg) { \
PUTCHAR((opt), ucp); \
PUTCHAR(CILEN_CHAP, ucp); \
- PUTSHORT((val), ucp); \
- PUTCHAR((digest), ucp); \
+ PUTSHORT(PPP_CHAP, ucp); \
+ PUTCHAR((CHAP_DIGEST(val)), ucp); \
}
#define ADDCILONG(opt, neg, val) \
if (neg) { \
ADDCISHORT(CI_MRU, go->neg_mru && go->mru != DEFMRU, go->mru);
ADDCILONG(CI_ASYNCMAP, go->neg_asyncmap && go->asyncmap != 0xFFFFFFFF,
go->asyncmap);
- ADDCICHAP(CI_AUTHTYPE, go->neg_chap, PPP_CHAP,CHAP_DIGEST(go->chap_mdtype));
- ADDCISHORT(CI_AUTHTYPE, !go->neg_chap && go->neg_upap, PPP_PAP);
+ ADDCISHORT(CI_AUTHTYPE, go->neg_eap, PPP_EAP);
+ ADDCICHAP(CI_AUTHTYPE, !go->neg_eap && go->neg_chap, go->chap_mdtype);
+ ADDCISHORT(CI_AUTHTYPE, !go->neg_eap && !go->neg_chap && go->neg_upap,
+ PPP_PAP);
ADDCILQR(CI_QUALITY, go->neg_lqr, go->lqr_period);
ADDCICHAR(CI_CALLBACK, go->neg_cbcp, CBCP_OPT);
ADDCILONG(CI_MAGICNUMBER, go->neg_magicnumber, go->magicnumber);
if (cichar != val) \
goto bad; \
}
-#define ACKCICHAP(opt, neg, val, digest) \
+#define ACKCICHAP(opt, neg, val) \
if (neg) { \
if ((len -= CILEN_CHAP) < 0) \
goto bad; \
citype != (opt)) \
goto bad; \
GETSHORT(cishort, p); \
- if (cishort != (val)) \
+ if (cishort != PPP_CHAP) \
goto bad; \
GETCHAR(cichar, p); \
- if (cichar != (digest)) \
+ if (cichar != (CHAP_DIGEST(val))) \
goto bad; \
}
#define ACKCILONG(opt, neg, val) \
ACKCISHORT(CI_MRU, go->neg_mru && go->mru != DEFMRU, go->mru);
ACKCILONG(CI_ASYNCMAP, go->neg_asyncmap && go->asyncmap != 0xFFFFFFFF,
go->asyncmap);
- ACKCICHAP(CI_AUTHTYPE, go->neg_chap, PPP_CHAP,CHAP_DIGEST(go->chap_mdtype));
- ACKCISHORT(CI_AUTHTYPE, !go->neg_chap && go->neg_upap, PPP_PAP);
+ ACKCISHORT(CI_AUTHTYPE, go->neg_eap, PPP_EAP);
+ ACKCICHAP(CI_AUTHTYPE, !go->neg_eap && go->neg_chap, go->chap_mdtype);
+ ACKCISHORT(CI_AUTHTYPE, !go->neg_eap && !go->neg_chap && go->neg_upap,
+ PPP_PAP);
ACKCILQR(CI_QUALITY, go->neg_lqr, go->lqr_period);
ACKCICHAR(CI_CALLBACK, go->neg_cbcp, CBCP_OPT);
ACKCILONG(CI_MAGICNUMBER, go->neg_magicnumber, go->magicnumber);
try.neg = 0; \
}
+ /*
+ * NOTE! There must be no assignments to individual fields of *go in
+ * the code below. Any such assignment is a BUG!
+ */
/*
* We don't care if they want to send us smaller packets than
* we want. Therefore, accept any MRU less than what we asked for,
* they are proposing a different protocol, or a different
* hash algorithm for CHAP.
*/
- if ((go->neg_chap || go->neg_upap)
+ if ((go->neg_chap || go->neg_upap || go->neg_eap)
&& len >= CILEN_SHORT
&& p[0] == CI_AUTHTYPE && p[1] >= CILEN_SHORT && p[1] <= len) {
cilen = p[1];
len -= cilen;
no.neg_chap = go->neg_chap;
no.neg_upap = go->neg_upap;
+ no.neg_eap = go->neg_eap;
INCPTR(2, p);
GETSHORT(cishort, p);
if (cishort == PPP_PAP && cilen == CILEN_SHORT) {
+ /* If we were asking for EAP, then we need to stop that. */
+ if (go->neg_eap)
+ try.neg_eap = 0;
+
+ /* If we were asking for CHAP, then we need to stop that. */
+ else if (go->neg_chap)
+ try.neg_chap = 0;
/*
- * If we were asking for CHAP, they obviously don't want to do it.
- * If we weren't asking for CHAP, then we were asking for PAP,
- * in which case this Nak is bad.
+ * If we weren't asking for CHAP or EAP, then we were asking for
+ * PAP, in which case this Nak is bad.
*/
- if (!go->neg_chap)
+ else
goto bad;
- try.neg_chap = 0;
} else if (cishort == PPP_CHAP && cilen == CILEN_CHAP) {
GETCHAR(cichar, p);
- if (go->neg_chap) {
+ /* Stop asking for EAP, if we were. */
+ if (go->neg_eap) {
+ try.neg_eap = 0;
+ /* Try to set up to use their suggestion, if possible */
+ if (CHAP_CANDIGEST(go->chap_mdtype, cichar))
+ try.chap_mdtype = CHAP_MDTYPE_D(cichar);
+ } else if (go->neg_chap) {
/*
* We were asking for our preferred algorithm, they must
* want something different.
if (cichar != CHAP_DIGEST(go->chap_mdtype)) {
if (CHAP_CANDIGEST(go->chap_mdtype, cichar)) {
/* Use their suggestion if we support it ... */
- go->chap_mdtype = CHAP_MDTYPE_D(cichar);
+ try.chap_mdtype = CHAP_MDTYPE_D(cichar);
} else {
/* ... otherwise, try our next-preferred algorithm. */
- go->chap_mdtype &= ~(CHAP_MDTYPE(go->chap_mdtype));
- if (go->chap_mdtype == MDTYPE_NONE) /* out of algos */
+ try.chap_mdtype &= ~(CHAP_MDTYPE(try.chap_mdtype));
+ if (try.chap_mdtype == MDTYPE_NONE) /* out of algos */
try.neg_chap = 0;
}
} else {
}
} else {
+
+ /*
+ * If we were asking for EAP, and they're Conf-Naking EAP,
+ * well, that's just strange. Nobody should do that.
+ */
+ if (cishort == PPP_EAP && cilen == CILEN_SHORT && go->neg_eap)
+ dbglog("Unexpected Conf-Nak for EAP");
+
/*
* We don't recognize what they're suggesting.
* Stop asking for what we were asking for.
*/
- if (go->neg_chap)
+ if (go->neg_eap)
+ try.neg_eap = 0;
+ else if (go->neg_chap)
try.neg_chap = 0;
else
try.neg_upap = 0;
* An option we don't recognize represents the peer asking to
* negotiate some option we don't support, so ignore it.
*/
- while (len > CILEN_VOID) {
+ while (len >= CILEN_VOID) {
GETCHAR(citype, p);
GETCHAR(cilen, p);
if (cilen < CILEN_VOID || (len -= cilen) < 0)
goto bad;
break;
case CI_AUTHTYPE:
- if (go->neg_chap || no.neg_chap || go->neg_upap || no.neg_upap)
+ if (go->neg_chap || no.neg_chap || go->neg_upap || no.neg_upap ||
+ go->neg_eap || no.neg_eap)
goto bad;
break;
case CI_MAGICNUMBER:
goto bad; \
try.neg = 0; \
}
-#define REJCICHAP(opt, neg, val, digest) \
+#define REJCICHAP(opt, neg, val) \
if (go->neg && \
len >= CILEN_CHAP && \
p[1] == CILEN_CHAP && \
GETSHORT(cishort, p); \
GETCHAR(cichar, p); \
/* Check rejected value. */ \
- if ((cishort != (val)) || (cichar != (digest))) \
+ if ((cishort != PPP_CHAP) || (cichar != (CHAP_DIGEST(val)))) \
goto bad; \
try.neg = 0; \
- try.neg_upap = 0; \
+ try.neg_eap = try.neg_upap = 0; \
}
#define REJCILONG(opt, neg, val) \
if (go->neg && \
REJCISHORT(CI_MRU, neg_mru, go->mru);
REJCILONG(CI_ASYNCMAP, neg_asyncmap, go->asyncmap);
- REJCICHAP(CI_AUTHTYPE, neg_chap, PPP_CHAP, CHAP_DIGEST(go->chap_mdtype));
- if (!go->neg_chap) {
- REJCISHORT(CI_AUTHTYPE, neg_upap, PPP_PAP);
+ REJCISHORT(CI_AUTHTYPE, neg_eap, PPP_EAP);
+ if (!go->neg_eap) {
+ REJCICHAP(CI_AUTHTYPE, neg_chap, go->chap_mdtype);
+ if (!go->neg_chap) {
+ REJCISHORT(CI_AUTHTYPE, neg_upap, PPP_PAP);
+ }
}
REJCILQR(CI_QUALITY, neg_lqr, go->lqr_period);
REJCICBCP(CI_CALLBACK, neg_cbcp, CBCP_OPT);
case CI_AUTHTYPE:
if (cilen < CILEN_SHORT ||
- !(ao->neg_upap || ao->neg_chap)) {
+ !(ao->neg_upap || ao->neg_chap || ao->neg_eap)) {
/*
* Reject the option if we're not willing to authenticate.
*/
+ dbglog("No auth is possible");
orc = CONFREJ;
break;
}
GETSHORT(cishort, p);
/*
- * Authtype must be PAP or CHAP.
+ * Authtype must be PAP, CHAP, or EAP.
*
- * Note: if both ao->neg_upap and ao->neg_chap are set,
- * and the peer sends a Configure-Request with two
- * authenticate-protocol requests, one for CHAP and one
- * for UPAP, then we will reject the second request.
- * Whether we end up doing CHAP or UPAP depends then on
+ * Note: if more than one of ao->neg_upap, ao->neg_chap, and
+ * ao->neg_eap are set, and the peer sends a Configure-Request
+ * with two or more authenticate-protocol requests, then we will
+ * reject the second request.
+ * Whether we end up doing CHAP, UPAP, or EAP depends then on
* the ordering of the CIs in the peer's Configure-Request.
*/
if (cishort == PPP_PAP) {
- if (ho->neg_chap || /* we've already accepted CHAP */
+ /* we've already accepted CHAP or EAP */
+ if (ho->neg_chap || ho->neg_eap ||
cilen != CILEN_SHORT) {
LCPDEBUG(("lcp_reqci: rcvd AUTHTYPE PAP, rejecting..."));
orc = CONFREJ;
break;
}
if (!ao->neg_upap) { /* we don't want to do PAP */
- orc = CONFNAK; /* NAK it and suggest CHAP */
+ orc = CONFNAK; /* NAK it and suggest CHAP or EAP */
PUTCHAR(CI_AUTHTYPE, nakp);
- PUTCHAR(CILEN_CHAP, nakp);
- PUTSHORT(PPP_CHAP, nakp);
- PUTCHAR(CHAP_DIGEST(ao->chap_mdtype), nakp);
+ if (ao->neg_eap) {
+ PUTCHAR(CILEN_SHORT, nakp);
+ PUTSHORT(PPP_EAP, nakp);
+ } else {
+ PUTCHAR(CILEN_CHAP, nakp);
+ PUTSHORT(PPP_CHAP, nakp);
+ PUTCHAR(CHAP_DIGEST(ao->chap_mdtype), nakp);
+ }
break;
}
ho->neg_upap = 1;
break;
}
if (cishort == PPP_CHAP) {
- if (ho->neg_upap || /* we've already accepted PAP */
+ /* we've already accepted PAP or EAP */
+ if (ho->neg_upap || ho->neg_eap ||
cilen != CILEN_CHAP) {
LCPDEBUG(("lcp_reqci: rcvd AUTHTYPE CHAP, rejecting..."));
orc = CONFREJ;
break;
}
if (!ao->neg_chap) { /* we don't want to do CHAP */
- orc = CONFNAK; /* NAK it and suggest PAP */
+ orc = CONFNAK; /* NAK it and suggest EAP or PAP */
PUTCHAR(CI_AUTHTYPE, nakp);
PUTCHAR(CILEN_SHORT, nakp);
- PUTSHORT(PPP_PAP, nakp);
+ if (ao->neg_eap) {
+ PUTSHORT(PPP_EAP, nakp);
+ } else {
+ PUTSHORT(PPP_PAP, nakp);
+ }
break;
}
GETCHAR(cichar, p); /* get digest type */
ho->neg_chap = 1;
break;
}
+ if (cishort == PPP_EAP) {
+ /* we've already accepted CHAP or PAP */
+ if (ho->neg_chap || ho->neg_upap || cilen != CILEN_SHORT) {
+ LCPDEBUG(("lcp_reqci: rcvd AUTHTYPE EAP, rejecting..."));
+ orc = CONFREJ;
+ break;
+ }
+ if (!ao->neg_eap) { /* we don't want to do EAP */
+ orc = CONFNAK; /* NAK it and suggest CHAP or PAP */
+ PUTCHAR(CI_AUTHTYPE, nakp);
+ if (ao->neg_chap) {
+ PUTCHAR(CILEN_CHAP, nakp);
+ PUTSHORT(PPP_CHAP, nakp);
+ PUTCHAR(ao->chap_mdtype, nakp);
+ } else {
+ PUTCHAR(CILEN_SHORT, nakp);
+ PUTSHORT(PPP_PAP, nakp);
+ }
+ break;
+ }
+ ho->neg_eap = 1;
+ break;
+ }
/*
* We don't recognize the protocol they're asking for.
* Nak it with something we're willing to do.
- * (At this point we know ao->neg_upap || ao->neg_chap.)
+ * (At this point we know ao->neg_upap || ao->neg_chap ||
+ * ao->neg_eap.)
*/
orc = CONFNAK;
PUTCHAR(CI_AUTHTYPE, nakp);
- if (ao->neg_chap) {
+ if (ao->neg_eap) {
+ PUTCHAR(CILEN_SHORT, nakp);
+ PUTSHORT(PPP_EAP, nakp);
+ } else if (ao->neg_chap) {
PUTCHAR(CILEN_CHAP, nakp);
PUTSHORT(PPP_CHAP, nakp);
PUTCHAR(CHAP_DIGEST(ao->chap_mdtype), nakp);
printer(arg, "chap");
if (p < optend) {
switch (*p) {
- case CHAP_DIGEST_MD5:
+ case CHAP_MD5:
printer(arg, " MD5");
++p;
break;
}
}
break;
+ case PPP_EAP:
+ printer(arg, "eap");
+ break;
default:
printer(arg, "0x%x", cishort);
}