X-Git-Url: http://git.ozlabs.org/?a=blobdiff_plain;f=pppd%2Fupap.c;h=135db0a22310145d2600ddd98e9aac6c897065f0;hb=aefcf5ac90dee434d605167b6a719c58c0ffcf03;hp=7e5f0d56ecc37193c4efe3c3ed53c99aeeba55d3;hpb=206bb51cbc46d49f82fdc9dbbb5823e674c7ad07;p=ppp.git diff --git a/pppd/upap.c b/pppd/upap.c index 7e5f0d5..135db0a 100644 --- a/pppd/upap.c +++ b/pppd/upap.c @@ -17,7 +17,7 @@ * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. */ -#define RCSID "$Id: upap.c,v 1.23 1999/11/20 05:11:47 paulus Exp $" +#define RCSID "$Id: upap.c,v 1.28 2002/10/12 02:30:21 fcusack Exp $" /* * TODO: @@ -38,15 +38,17 @@ static bool hide_password = 1; */ static option_t pap_option_list[] = { { "hide-password", o_bool, &hide_password, - "Don't output passwords to log", 1 }, + "Don't output passwords to log", OPT_PRIO | 1 }, { "show-password", o_bool, &hide_password, - "Show password string in debug log messages", 0 }, + "Show password string in debug log messages", OPT_PRIOSUB | 0 }, + { "pap-restart", o_int, &upap[0].us_timeouttime, - "Set retransmit timeout for PAP" }, + "Set retransmit timeout for PAP", OPT_PRIO }, { "pap-max-authreq", o_int, &upap[0].us_maxtransmits, - "Set max number of transmissions for auth-reqs" }, + "Set max number of transmissions for auth-reqs", OPT_PRIO }, { "pap-timeout", o_int, &upap[0].us_reqtimeout, - "Set time limit for peer PAP authentication" }, + "Set time limit for peer PAP authentication", OPT_PRIO }, + { NULL } }; @@ -351,6 +353,7 @@ upap_rauthreq(u, inp, id, len) { u_char ruserlen, rpasswdlen; char *ruser, *rpasswd; + char rhostname[256]; int retcode; char *msg; int msglen; @@ -399,17 +402,35 @@ upap_rauthreq(u, inp, id, len) retcode = check_passwd(u->us_unit, ruser, ruserlen, rpasswd, rpasswdlen, &msg); BZERO(rpasswd, rpasswdlen); + + /* + * Check remote number authorization. A plugin may have filled in + * the remote number or added an allowed number, and rather than + * return an authenticate failure, is leaving it for us to verify. + */ + if (retcode == UPAP_AUTHACK) { + if (!auth_number()) { + /* We do not want to leak info about the pap result. */ + retcode = UPAP_AUTHNAK; /* XXX exit value will be "wrong" */ + warn("calling number %q is not authorized", remote_number); + } + } + msglen = strlen(msg); if (msglen > 255) msglen = 255; - upap_sresp(u, retcode, id, msg, msglen); + /* Null terminate and clean remote name. */ + slprintf(rhostname, sizeof(rhostname), "%.*v", ruserlen, ruser); + if (retcode == UPAP_AUTHACK) { u->us_serverstate = UPAPSS_OPEN; - auth_peer_success(u->us_unit, PPP_PAP, ruser, ruserlen); + notice("PAP peer authentication succeeded for %q", rhostname); + auth_peer_success(u->us_unit, PPP_PAP, 0, ruser, ruserlen); } else { u->us_serverstate = UPAPSS_BADAUTH; + warn("PAP peer authentication failed for %q", rhostname); auth_peer_fail(u->us_unit, PPP_PAP); } @@ -454,12 +475,13 @@ upap_rauthack(u, inp, id, len) u->us_clientstate = UPAPCS_OPEN; - auth_withpeer_success(u->us_unit, PPP_PAP); + notice("PAP authentication succeeded"); + auth_withpeer_success(u->us_unit, PPP_PAP, 0); } /* - * upap_rauthnak - Receive Authenticate-Nakk. + * upap_rauthnak - Receive Authenticate-Nak. */ static void upap_rauthnak(u, inp, id, len)