X-Git-Url: http://git.ozlabs.org/?p=ppp.git;a=blobdiff_plain;f=pppd%2Fauth.c;h=61b50e5b95d68e9bf249f683ab2b9c6faf504e0a;hp=ac2eee93a654066c15a2c3553d102081fc79b426;hb=d0f67b16e65edb6281d409af01de4597cc045ee6;hpb=07de73a331240b97d915c1851431a743449dd0f4 diff --git a/pppd/auth.c b/pppd/auth.c index ac2eee9..61b50e5 100644 --- a/pppd/auth.c +++ b/pppd/auth.c @@ -32,7 +32,7 @@ * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. */ -#define RCSID "$Id: auth.c,v 1.58 1999/09/11 12:08:56 paulus Exp $" +#define RCSID "$Id: auth.c,v 1.75 2002/03/05 15:14:04 dfs Exp $" #include #include @@ -64,6 +64,7 @@ #define PW_PPP PW_LOGIN #endif #endif +#include #include "pppd.h" #include "fsm.h" @@ -112,6 +113,9 @@ static int num_np_up; /* Set if we got the contents of passwd[] from the pap-secrets file. */ static int passwd_from_file; +/* Set if we require authentication only because we have a default route. */ +static bool default_auth; + /* Hook to enable a plugin to control the idle time limit */ int (*idle_time_hook) __P((struct ppp_idle *)) = NULL; @@ -123,9 +127,26 @@ int (*pap_auth_hook) __P((char *user, char *passwd, char **msgp, struct wordlist **paddrs, struct wordlist **popts)) = NULL; +/* Hook for a plugin to know about the PAP user logout */ +void (*pap_logout_hook) __P((void)) = NULL; + /* Hook for a plugin to get the PAP password for authenticating us */ int (*pap_passwd_hook) __P((char *user, char *passwd)) = NULL; +/* Hook for a plugin to say whether it is OK if the peer + refuses to authenticate. */ +int (*null_auth_hook) __P((struct wordlist **paddrs, + struct wordlist **popts)) = NULL; + +int (*allowed_address_hook) __P((u_int32_t addr)) = NULL; + +/* A notifier for when the peer has authenticated itself, + and we are proceeding to the network phase. */ +struct notifier *auth_up_notifier = NULL; + +/* A notifier for when the link goes down. */ +struct notifier *link_down_notifier = NULL; + /* * This is used to ensure that we don't start an auth-up/down * script while one is already running. @@ -139,6 +160,8 @@ static enum script_state auth_state = s_down; static enum script_state auth_script_state = s_down; static pid_t auth_script_pid = 0; +static int used_login; /* peer authenticated against login database */ + /* * Option variables. */ @@ -146,12 +169,21 @@ bool uselogin = 0; /* Use /etc/passwd for checking PAP */ bool cryptpap = 0; /* Passwords in pap-secrets are encrypted */ bool refuse_pap = 0; /* Don't wanna auth. ourselves with PAP */ bool refuse_chap = 0; /* Don't wanna auth. ourselves with CHAP */ +#ifdef CHAPMS +bool refuse_mschap = 0; /* Don't wanna auth. ourselves with MS-CHAP */ +bool refuse_mschap_v2 = 0; /* Don't wanna auth. ourselves with MS-CHAPv2 */ +#else +bool refuse_mschap = 1; /* Don't wanna auth. ourselves with MS-CHAP */ +bool refuse_mschap_v2 = 1; /* Don't wanna auth. ourselves with MS-CHAPv2 */ +#endif bool usehostname = 0; /* Use hostname for our_name */ bool auth_required = 0; /* Always require authentication from peer */ bool allow_any_ip = 0; /* Allow peer to use any IP address */ bool explicit_remote = 0; /* User specified explicit remote name */ char remote_name[MAXNAMELEN]; /* Peer's name for authentication */ +static char *uafname; /* name of most recent +ua file */ + /* Bits in auth_pending[] */ #define PAP_WITHPEER 1 #define PAP_PEER 2 @@ -184,55 +216,113 @@ static int setupapfile __P((char **)); static int privgroup __P((char **)); static int set_noauth_addr __P((char **)); static void check_access __P((FILE *, char *)); +static int wordlist_count __P((struct wordlist *)); /* * Authentication-related options. */ option_t auth_options[] = { + { "auth", o_bool, &auth_required, + "Require authentication from peer", OPT_PRIO | 1 }, + { "noauth", o_bool, &auth_required, + "Don't require peer to authenticate", OPT_PRIOSUB | OPT_PRIV | OPT_A2COPY, + &allow_any_ip }, { "require-pap", o_bool, &lcp_wantoptions[0].neg_upap, - "Require PAP authentication from peer", 1, &auth_required }, + "Require PAP authentication from peer", + OPT_PRIOSUB | OPT_A2COPY | 1, &auth_required }, { "+pap", o_bool, &lcp_wantoptions[0].neg_upap, - "Require PAP authentication from peer", 1, &auth_required }, + "Require PAP authentication from peer", + OPT_ALIAS | OPT_PRIOSUB | OPT_A2COPY | 1, &auth_required }, + { "require-chap", o_bool, &lcp_wantoptions[0].neg_chap, + "Require CHAP authentication from peer", + OPT_PRIOSUB | OPT_A2COPY | OPT_A3OR | MDTYPE_MD5, + &auth_required, 0, 0, NULL, 0, 0, &lcp_wantoptions[0].chap_mdtype }, + { "+chap", o_bool, &lcp_wantoptions[0].neg_chap, + "Require CHAP authentication from peer", + OPT_ALIAS | OPT_PRIOSUB | OPT_A2COPY | OPT_A3OR | MDTYPE_MD5, + &auth_required, 0, 0, NULL, 0, 0, &lcp_wantoptions[0].chap_mdtype }, +#ifdef CHAPMS + { "require-mschap", o_bool, &lcp_wantoptions[0].neg_chap, + "Require MS-CHAP authentication from peer", + OPT_PRIOSUB | OPT_A2COPY | OPT_A3OR | MDTYPE_MICROSOFT, + &auth_required, 0, 0, NULL, 0, 0, &lcp_wantoptions[0].chap_mdtype }, + { "+mschap", o_bool, &lcp_wantoptions[0].neg_chap, + "Require MS-CHAP authentication from peer", + OPT_ALIAS | OPT_PRIOSUB | OPT_A2COPY | OPT_A3OR | MDTYPE_MICROSOFT, + &auth_required, 0, 0, NULL, 0, 0, &lcp_wantoptions[0].chap_mdtype }, + { "require-mschap-v2", o_bool, &lcp_wantoptions[0].neg_chap, + "Require MS-CHAPv2 authentication from peer", + OPT_PRIOSUB | OPT_A2COPY | OPT_A3OR | MDTYPE_MICROSOFT_V2, + &auth_required, 0, 0, NULL, 0, 0, &lcp_wantoptions[0].chap_mdtype }, + { "+mschap-v2", o_bool, &lcp_wantoptions[0].neg_chap, + "Require MS-CHAPv2 authentication from peer", + OPT_ALIAS | OPT_PRIOSUB | OPT_A2COPY | OPT_A3OR | MDTYPE_MICROSOFT_V2, + &auth_required, 0, 0, NULL, 0, 0, &lcp_wantoptions[0].chap_mdtype }, +#endif + { "refuse-pap", o_bool, &refuse_pap, "Don't agree to auth to peer with PAP", 1 }, { "-pap", o_bool, &refuse_pap, - "Don't allow PAP authentication with peer", 1 }, - { "require-chap", o_bool, &lcp_wantoptions[0].neg_chap, - "Require CHAP authentication from peer", 1, &auth_required }, - { "+chap", o_bool, &lcp_wantoptions[0].neg_chap, - "Require CHAP authentication from peer", 1, &auth_required }, + "Don't allow PAP authentication with peer", OPT_ALIAS | 1 }, { "refuse-chap", o_bool, &refuse_chap, - "Don't agree to auth to peer with CHAP", 1 }, + "Don't agree to auth to peer with CHAP", OPT_A2CLRB | MDTYPE_MD5, + &lcp_allowoptions[0].chap_mdtype }, { "-chap", o_bool, &refuse_chap, - "Don't allow CHAP authentication with peer", 1 }, + "Don't allow CHAP authentication with peer", + OPT_ALIAS | OPT_A2CLRB | MDTYPE_MD5, + &lcp_allowoptions[0].chap_mdtype }, +#ifdef CHAPMS + { "refuse-mschap", o_bool, &refuse_mschap, + "Don't agree to auth to peer with MS-CHAP", + OPT_A2CLRB | MDTYPE_MICROSOFT, &lcp_allowoptions[0].chap_mdtype }, + { "-mschap", o_bool, &refuse_mschap, + "Don't allow MS-CHAP authentication with peer", + OPT_ALIAS | OPT_A2CLRB | MDTYPE_MICROSOFT, + &lcp_allowoptions[0].chap_mdtype }, + { "refuse-mschap-v2", o_bool, &refuse_mschap_v2, + "Don't agree to auth to peer with MS-CHAPv2", + OPT_A2CLRB | MDTYPE_MICROSOFT_V2, &lcp_allowoptions[0].chap_mdtype }, + { "-mschap-v2", o_bool, &refuse_mschap_v2, + "Don't allow MS-CHAPv2 authentication with peer", + OPT_ALIAS | OPT_A2CLRB | MDTYPE_MICROSOFT_V2, + &lcp_allowoptions[0].chap_mdtype }, +#endif + { "name", o_string, our_name, "Set local name for authentication", - OPT_PRIV|OPT_STATIC, NULL, MAXNAMELEN }, + OPT_PRIO | OPT_PRIV | OPT_STATIC, NULL, MAXNAMELEN }, + + { "+ua", o_special, (void *)setupapfile, + "Get PAP user and password from file", + OPT_PRIO | OPT_A2STRVAL, &uafname }, + { "user", o_string, user, - "Set name for auth with peer", OPT_STATIC, NULL, MAXNAMELEN }, + "Set name for auth with peer", OPT_PRIO | OPT_STATIC, NULL, MAXNAMELEN }, + + { "password", o_string, passwd, + "Password for authenticating us to the peer", + OPT_PRIO | OPT_STATIC | OPT_HIDE, NULL, MAXSECRETLEN }, + { "usehostname", o_bool, &usehostname, "Must use hostname for authentication", 1 }, + { "remotename", o_string, remote_name, - "Set remote name for authentication", OPT_STATIC, + "Set remote name for authentication", OPT_PRIO | OPT_STATIC, &explicit_remote, MAXNAMELEN }, - { "auth", o_bool, &auth_required, - "Require authentication from peer", 1 }, - { "noauth", o_bool, &auth_required, - "Don't require peer to authenticate", OPT_PRIV, &allow_any_ip }, - { "login", o_bool, &uselogin, + + { "login", o_bool, &uselogin, "Use system password database for PAP", 1 }, + { "papcrypt", o_bool, &cryptpap, "PAP passwords are encrypted", 1 }, - { "+ua", o_special, setupapfile, - "Get PAP user and password from file" }, - { "password", o_string, passwd, - "Password for authenticating us to the peer", OPT_STATIC, - NULL, MAXSECRETLEN }, - { "privgroup", o_special, privgroup, - "Allow group members to use privileged options", OPT_PRIV }, - { "allow-ip", o_special, set_noauth_addr, + + { "privgroup", o_special, (void *)privgroup, + "Allow group members to use privileged options", OPT_PRIV | OPT_A2LIST }, + + { "allow-ip", o_special, (void *)set_noauth_addr, "Set IP address(es) which can be used without authentication", - OPT_PRIV }, + OPT_PRIV | OPT_A2LIST }, + { NULL } }; @@ -243,36 +333,47 @@ static int setupapfile(argv) char **argv; { - FILE * ufile; + FILE *ufile; int l; + char u[MAXNAMELEN], p[MAXSECRETLEN]; + char *fname; lcp_allowoptions[0].neg_upap = 1; /* open user info file */ + fname = strdup(*argv); + if (fname == NULL) + novm("+ua file name"); seteuid(getuid()); - ufile = fopen(*argv, "r"); + ufile = fopen(fname, "r"); seteuid(0); if (ufile == NULL) { - option_error("unable to open user login data file %s", *argv); + option_error("unable to open user login data file %s", fname); return 0; } - check_access(ufile, *argv); + check_access(ufile, fname); + uafname = fname; /* get username */ - if (fgets(user, MAXNAMELEN - 1, ufile) == NULL - || fgets(passwd, MAXSECRETLEN - 1, ufile) == NULL){ - option_error("unable to read user login data file %s", *argv); + if (fgets(u, MAXNAMELEN - 1, ufile) == NULL + || fgets(p, MAXSECRETLEN - 1, ufile) == NULL){ + option_error("unable to read user login data file %s", fname); return 0; } fclose(ufile); /* get rid of newlines */ - l = strlen(user); - if (l > 0 && user[l-1] == '\n') - user[l-1] = 0; - l = strlen(passwd); - if (l > 0 && passwd[l-1] == '\n') - passwd[l-1] = 0; + l = strlen(u); + if (l > 0 && u[l-1] == '\n') + u[l-1] = 0; + l = strlen(p); + if (l > 0 && p[l-1] == '\n') + p[l-1] = 0; + + if (override_value("user", option_priority, fname)) + strlcpy(user, u, sizeof(user)); + if (override_value("passwd", option_priority, fname)) + strlcpy(passwd, p, sizeof(passwd)); return (1); } @@ -312,10 +413,10 @@ set_noauth_addr(argv) char **argv; { char *addr = *argv; - int l = strlen(addr); + int l = strlen(addr) + 1; struct wordlist *wp; - wp = (struct wordlist *) malloc(sizeof(struct wordlist) + l + 1); + wp = (struct wordlist *) malloc(sizeof(struct wordlist) + l); if (wp == NULL) novm("allow-ip argument"); wp->word = (char *) (wp + 1); @@ -346,8 +447,12 @@ link_terminated(unit) { if (phase == PHASE_DEAD) return; - if (logged_in) - plogout(); + if (pap_logout_hook) { + pap_logout_hook(); + } else { + if (logged_in) + plogout(); + } new_phase(PHASE_DEAD); notice("Connection terminated."); } @@ -362,6 +467,7 @@ link_down(unit) int i; struct protent *protp; + notify(link_down_notifier, 0); auth_state = s_down; if (auth_script_state == s_up && auth_script_pid == 0) { update_link_stats(unit); @@ -379,7 +485,7 @@ link_down(unit) num_np_open = 0; num_np_up = 0; if (phase != PHASE_DEAD) - new_phase(PHASE_TERMINATE); + new_phase(PHASE_ESTABLISH); } /* @@ -405,17 +511,17 @@ link_established(unit) && protp->lowerup != NULL) (*protp->lowerup)(unit); - if (auth_required && !(go->neg_chap || go->neg_upap)) { + if (auth_required && !(go->neg_upap || go->neg_chap)) { /* * We wanted the peer to authenticate itself, and it refused: * if we have some address(es) it can use without auth, fine, * otherwise treat it as though it authenticated with PAP using - * a username * of "" and a password of "". If that's not OK, + * a username of "" and a password of "". If that's not OK, * boot it out. */ if (noauth_addrs != NULL) { - set_allowed_addrs(unit, noauth_addrs, NULL); - } else if (!wo->neg_upap || !null_login(unit)) { + set_allowed_addrs(unit, NULL, NULL); + } else if (!wo->neg_upap || uselogin || !null_login(unit)) { warn("peer refused to authenticate: terminating link"); lcp_close(unit, "peer refused to authenticate"); status = EXIT_PEER_AUTH_FAILED; @@ -424,16 +530,17 @@ link_established(unit) } new_phase(PHASE_AUTHENTICATE); + used_login = 0; auth = 0; if (go->neg_chap) { - ChapAuthPeer(unit, our_name, go->chap_mdtype); + ChapAuthPeer(unit, our_name, CHAP_DIGEST(go->chap_mdtype)); auth |= CHAP_PEER; } else if (go->neg_upap) { upap_authpeer(unit); auth |= PAP_PEER; } if (ho->neg_chap) { - ChapAuthWithPeer(unit, user, ho->chap_mdtype); + ChapAuthWithPeer(unit, user, CHAP_DIGEST(ho->chap_mdtype)); auth |= CHAP_WITHPEER; } else if (ho->neg_upap) { if (passwd[0] == 0) { @@ -463,6 +570,7 @@ network_phase(unit) * If the peer had to authenticate, run the auth-up script now. */ if (go->neg_chap || go->neg_upap) { + notify(auth_up_notifier, 0); auth_state = s_up; if (auth_script_state == s_down && auth_script_pid == 0) { auth_script_state = s_up; @@ -499,7 +607,18 @@ start_networks() struct protent *protp; new_phase(PHASE_NETWORK); -#if 0 + +#ifdef HAVE_MULTILINK + if (multilink) { + if (mp_join_bundle()) { + if (updetach && !nodetach) + detach(); + return; + } + } +#endif /* HAVE_MULTILINK */ + +#ifdef PPP_FILTER if (!demand) set_filters(&pass_filter, &active_filter); #endif @@ -560,7 +679,7 @@ auth_peer_success(unit, protocol, name, namelen) namelen = sizeof(peer_authname) - 1; BCOPY(name, peer_authname, namelen); peer_authname[namelen] = 0; - script_setenv("PEERNAME", peer_authname); + script_setenv("PEERNAME", peer_authname, 0); /* * If there is no more authentication still to be done, @@ -670,6 +789,7 @@ np_down(unit, proto) { if (--num_np_up == 0) { UNTIMEOUT(check_idle, NULL); + UNTIMEOUT(connect_time_expired, NULL); new_phase(PHASE_NETWORK); } } @@ -748,19 +868,22 @@ auth_check_options() /* * If we have a default route, require the peer to authenticate - * unless the noauth option was given. + * unless the noauth option was given or the real user is root. */ - if (!auth_required && !allow_any_ip && have_route_to(0)) + if (!auth_required && !allow_any_ip && have_route_to(0) && !privileged) { auth_required = 1; + default_auth = 1; + } /* If authentication is required, ask peer for CHAP or PAP. */ if (auth_required) { + allow_any_ip = 0; if (!wo->neg_chap && !wo->neg_upap) { - wo->neg_chap = 1; + wo->neg_chap = 1; wo->chap_mdtype = MDTYPE_ALL; wo->neg_upap = 1; } } else { - wo->neg_chap = 0; + wo->neg_chap = 0; wo->chap_mdtype = MDTYPE_NONE; wo->neg_upap = 0; } @@ -770,26 +893,29 @@ auth_check_options() */ lacks_ip = 0; can_auth = wo->neg_upap && (uselogin || have_pap_secret(&lacks_ip)); - if (!can_auth && wo->neg_chap) { + if (!can_auth && (wo->neg_chap)) { can_auth = have_chap_secret((explicit_remote? remote_name: NULL), our_name, 1, &lacks_ip); } if (auth_required && !can_auth && noauth_addrs == NULL) { - if (explicit_remote) + if (default_auth) { option_error( -"The remote system (%s) is required to authenticate itself but I", - remote_name); - else +"By default the remote system is required to authenticate itself"); option_error( -"The remote system is required to authenticate itself but I"); - - if (!lacks_ip) +"(because this system has a default route to the internet)"); + } else if (explicit_remote) option_error( -"couldn't find any suitable secret (password) for it to use to do so."); +"The remote system (%s) is required to authenticate itself", + remote_name); else option_error( -"couldn't find any secret (password) which would let it use an IP address."); +"The remote system is required to authenticate itself"); + option_error( +"but I couldn't find any suitable secret (password) for it to use to do so."); + if (lacks_ip) + option_error( +"(None of the available passwords would let it use an IP address.)"); exit(1); } @@ -808,7 +934,7 @@ auth_reset(unit) lcp_options *ao = &lcp_allowoptions[0]; ao->neg_upap = !refuse_pap && (passwd[0] != 0 || get_pap_passwd(NULL)); - ao->neg_chap = !refuse_chap + ao->neg_chap = (!refuse_chap || !refuse_mschap || !refuse_mschap_v2) && (passwd[0] != 0 || have_chap_secret(user, (explicit_remote? remote_name: NULL), 0, NULL)); @@ -868,6 +994,11 @@ check_passwd(unit, auser, userlen, apasswd, passwdlen, msg) if (ret) set_allowed_addrs(unit, addrs, opts); BZERO(passwd, sizeof(passwd)); + if (addrs != 0) + free_wordlist(addrs); + if (opts != 0) { + free_wordlist(opts); + } return ret? UPAP_AUTHACK: UPAP_AUTHNAK; } } @@ -887,21 +1018,29 @@ check_passwd(unit, auser, userlen, apasswd, passwdlen, msg) check_access(f, filename); if (scan_authfile(f, user, our_name, secret, &addrs, &opts, filename) < 0) { warn("no PAP secret found for %s", user); - } else if (secret[0] != 0) { - /* password given in pap-secrets - must match */ - if ((!cryptpap && strcmp(passwd, secret) == 0) - || strcmp(crypt(passwd, secret), secret) == 0) - ret = UPAP_AUTHACK; - else - warn("PAP authentication failure for %s", user); - } else if (uselogin) { - /* empty password in pap-secrets and login option */ - ret = plogin(user, passwd, msg); - if (ret == UPAP_AUTHNAK) - warn("PAP login failure for %s", user); } else { - /* empty password in pap-secrets and login option not used */ + /* + * If the secret is "@login", it means to check + * the password against the login database. + */ + int login_secret = strcmp(secret, "@login") == 0; ret = UPAP_AUTHACK; + if (uselogin || login_secret) { + /* login option or secret is @login */ + ret = plogin(user, passwd, msg); + if (ret == UPAP_AUTHNAK) + warn("PAP login failure for %s", user); + else + used_login = 1; + } + if (secret[0] != 0 && !login_secret) { + /* password given in pap-secrets - must match */ + if ((cryptpap || strcmp(passwd, secret) != 0) + && strcmp(crypt(passwd, secret), secret) != 0) { + ret = UPAP_AUTHNAK; + warn("PAP authentication failure for %s", user); + } + } } fclose(f); } @@ -921,8 +1060,6 @@ check_passwd(unit, auser, userlen, apasswd, passwdlen, msg) } if (attempts > 3) sleep((u_int) (attempts - 3) * 5); - if (addrs != NULL) - free_wordlist(addrs); if (opts != NULL) free_wordlist(opts); @@ -933,6 +1070,8 @@ check_passwd(unit, auser, userlen, apasswd, passwdlen, msg) set_allowed_addrs(unit, addrs, opts); } + if (addrs != NULL) + free_wordlist(addrs); BZERO(passwd, sizeof(passwd)); BZERO(secret, sizeof(secret)); @@ -1047,7 +1186,7 @@ plogin(user, passwd, msg) if (pam_error == PAM_SUCCESS && !PAM_error) { pam_error = pam_acct_mgmt (pamh, PAM_SILENT); if (pam_error == PAM_SUCCESS) - pam_open_session (pamh, PAM_SILENT); + pam_error = pam_open_session (pamh, PAM_SILENT); } *msg = (char *) pam_strerror (pamh, pam_error); @@ -1177,28 +1316,37 @@ null_login(unit) struct wordlist *addrs, *opts; char secret[MAXWORDLEN]; + /* + * Check if a plugin wants to handle this. + */ + ret = -1; + if (null_auth_hook) + ret = (*null_auth_hook)(&addrs, &opts); + /* * Open the file of pap secrets and scan for a suitable secret. */ - filename = _PATH_UPAPFILE; - addrs = NULL; - f = fopen(filename, "r"); - if (f == NULL) - return 0; - check_access(f, filename); + if (ret <= 0) { + filename = _PATH_UPAPFILE; + addrs = NULL; + f = fopen(filename, "r"); + if (f == NULL) + return 0; + check_access(f, filename); - i = scan_authfile(f, "", our_name, secret, &addrs, &opts, filename); - ret = i >= 0 && secret[0] == 0; - BZERO(secret, sizeof(secret)); + i = scan_authfile(f, "", our_name, secret, &addrs, &opts, filename); + ret = i >= 0 && secret[0] == 0; + BZERO(secret, sizeof(secret)); + fclose(f); + } if (ret) set_allowed_addrs(unit, addrs, opts); - else { - free_wordlist(addrs); + else if (opts != 0) free_wordlist(opts); - } + if (addrs != 0) + free_wordlist(addrs); - fclose(f); return ret; } @@ -1216,7 +1364,6 @@ get_pap_passwd(passwd) char *filename; FILE *f; int ret; - struct wordlist *addrs; char secret[MAXWORDLEN]; /* @@ -1229,7 +1376,6 @@ get_pap_passwd(passwd) } filename = _PATH_UPAPFILE; - addrs = NULL; f = fopen(filename, "r"); if (f == NULL) return 0; @@ -1305,6 +1451,13 @@ have_chap_secret(client, server, need_ip, lacks_ipp) char *filename; struct wordlist *addrs; + if (chap_check_hook) { + ret = (*chap_check_hook)(); + if (ret >= 0) { + return ret; + } + } + filename = _PATH_CHAPFILE; f = fopen(filename, "r"); if (f == NULL) @@ -1351,6 +1504,12 @@ get_secret(unit, client, server, secret, secret_len, am_server) if (!am_server && passwd[0] != 0) { strlcpy(secbuf, passwd, sizeof(secbuf)); + } else if (!am_server && chap_passwd_hook) { + if ( (*chap_passwd_hook)(client, secbuf) < 0) { + error("Unable to obtain CHAP password for %s on %s from plugin", + client, server); + return 0; + } } else { filename = _PATH_CHAPFILE; addrs = NULL; @@ -1370,10 +1529,10 @@ get_secret(unit, client, server, secret, secret_len, am_server) if (am_server) set_allowed_addrs(unit, addrs, opts); - else { - free_wordlist(addrs); + else if (opts != 0) free_wordlist(opts); - } + if (addrs != 0) + free_wordlist(addrs); } len = strlen(secbuf); @@ -1400,7 +1559,7 @@ set_allowed_addrs(unit, addrs, opts) struct wordlist *opts; { int n; - struct wordlist *ap, **pap; + struct wordlist *ap, **plink; struct permitted_ip *ip; char *ptr_word, *ptr_mask; struct hostent *hp; @@ -1419,14 +1578,18 @@ set_allowed_addrs(unit, addrs, opts) /* * Count the number of IP addresses given. */ - for (n = 0, pap = &addrs; (ap = *pap) != NULL; pap = &ap->next) - ++n; + n = wordlist_count(addrs) + wordlist_count(noauth_addrs); if (n == 0) return; ip = (struct permitted_ip *) malloc((n + 1) * sizeof(struct permitted_ip)); if (ip == 0) return; + /* temporarily append the noauth_addrs list to addrs */ + for (plink = &addrs; *plink != NULL; plink = &(*plink)->next) + ; + *plink = noauth_addrs; + n = 0; for (ap = addrs; ap != NULL; ap = ap->next) { /* "-" means no addresses authorized, "*" means any address allowed */ @@ -1516,6 +1679,7 @@ set_allowed_addrs(unit, addrs, opts) if (~mask == 0 && suggested_ip == 0) suggested_ip = a; } + *plink = NULL; ip[n].permit = 0; /* make the last entry forbid all addresses */ ip[n].base = 0; /* to terminate the list */ @@ -1529,8 +1693,15 @@ set_allowed_addrs(unit, addrs, opts) * which is a single host, then use that if we find one. */ if (suggested_ip != 0 - && (wo->hisaddr == 0 || !auth_ip_addr(unit, wo->hisaddr))) + && (wo->hisaddr == 0 || !auth_ip_addr(unit, wo->hisaddr))) { wo->hisaddr = suggested_ip; + /* + * Do we insist on this address? No, if there are other + * addresses authorized than the suggested one. + */ + if (n > 1) + wo->accept_remote = 1; + } } /* @@ -1548,14 +1719,20 @@ auth_ip_addr(unit, addr) if (bad_ip_adrs(addr)) return 0; + if (allowed_address_hook) { + ok = allowed_address_hook(addr); + if (ok >= 0) return ok; + } + if (addresses[unit] != NULL) { ok = ip_addr_check(addr, addresses[unit]); if (ok >= 0) return ok; } + if (auth_required) return 0; /* no addresses authorized */ - return allow_any_ip || !have_route_to(addr); + return allow_any_ip || privileged || !have_route_to(addr); } static int @@ -1705,25 +1882,26 @@ scan_authfile(f, client, server, secret, addrs, opts, filename) if (newline) continue; - /* - * Special syntax: @filename means read secret from file. - */ - if (word[0] == '@') { - strlcpy(atfile, word+1, sizeof(atfile)); - if ((sf = fopen(atfile, "r")) == NULL) { - warn("can't open indirect secret file %s", atfile); - continue; - } - check_access(sf, atfile); - if (!getword(sf, word, &xxx, atfile)) { - warn("no secret in indirect secret file %s", atfile); + if (secret != NULL) { + /* + * Special syntax: @/pathname means read secret from file. + */ + if (word[0] == '@' && word[1] == '/') { + strlcpy(atfile, word+1, sizeof(atfile)); + if ((sf = fopen(atfile, "r")) == NULL) { + warn("can't open indirect secret file %s", atfile); + continue; + } + check_access(sf, atfile); + if (!getword(sf, word, &xxx, atfile)) { + warn("no secret in indirect secret file %s", atfile); + fclose(sf); + continue; + } fclose(sf); - continue; } - fclose(sf); - } - if (secret != NULL) strlcpy(lsecret, word, sizeof(lsecret)); + } /* * Now read address authorization info and make a wordlist. @@ -1732,12 +1910,12 @@ scan_authfile(f, client, server, secret, addrs, opts, filename) for (;;) { if (!getword(f, word, &newline, filename) || newline) break; - ap = (struct wordlist *) malloc(sizeof(struct wordlist)); + ap = (struct wordlist *) + malloc(sizeof(struct wordlist) + strlen(word) + 1); if (ap == NULL) novm("authorized addresses"); - ap->word = strdup(word); - if (ap->word == NULL) - novm("authorized addresses"); + ap->word = (char *) (ap + 1); + strcpy(ap->word, word); *app = ap; app = &ap->next; } @@ -1779,6 +1957,20 @@ scan_authfile(f, client, server, secret, addrs, opts, filename) return best_flag; } +/* + * wordlist_count - return the number of items in a wordlist + */ +static int +wordlist_count(wp) + struct wordlist *wp; +{ + int n; + + for (n = 0; wp != NULL; wp = wp->next) + ++n; + return n; +} + /* * free_wordlist - release memory allocated for a wordlist. */