X-Git-Url: http://git.ozlabs.org/?p=ppp.git;a=blobdiff_plain;f=pppd%2Fauth.c;h=7408229504fbfaefa6c6f26f04198f32b8134d91;hp=dd9735b89efdf4243b9e133e47517c8cb483de25;hb=faa01ae951ca6a5809283693548a6176fbde13a3;hpb=1a2b3953feacff276850e24e6ee793ccf9c357c1 diff --git a/pppd/auth.c b/pppd/auth.c index dd9735b..7408229 100644 --- a/pppd/auth.c +++ b/pppd/auth.c @@ -33,17 +33,19 @@ */ #ifndef lint -static char rcsid[] = "$Id: auth.c,v 1.17 1995/08/16 01:37:22 paulus Exp $"; +static char rcsid[] = "$Id: auth.c,v 1.22 1996/04/04 03:31:27 paulus Exp $"; #endif #include #include #include +#include #include #include #include #include #include +#include #include #include @@ -60,10 +62,9 @@ static char rcsid[] = "$Id: auth.c,v 1.17 1995/08/16 01:37:22 paulus Exp $"; #include "pppd.h" #include "fsm.h" #include "lcp.h" +#include "ipcp.h" #include "upap.h" #include "chap.h" -#include "ipcp.h" -#include "ccp.h" #include "pathnames.h" #if defined(sun) && defined(sparc) @@ -87,31 +88,40 @@ struct wordlist { /* Records which authentication operations haven't completed yet. */ static int auth_pending[NUM_PPP]; + +/* Set if we have successfully called login() */ static int logged_in; + +/* List of addresses which the peer may use. */ static struct wordlist *addresses[NUM_PPP]; +/* Number of network protocols which we have opened. */ +static int num_np_open; + +/* Number of network protocols which have come up. */ +static int num_np_up; + /* Bits in auth_pending[] */ #define UPAP_WITHPEER 1 #define UPAP_PEER 2 #define CHAP_WITHPEER 4 #define CHAP_PEER 8 -/* Prototypes */ -void check_access __P((FILE *, char *)); +/* Prototypes for procedures local to this file. */ static void network_phase __P((int)); +static void check_idle __P((caddr_t)); static int login __P((char *, char *, char **, int *)); static void logout __P((void)); static int null_login __P((int)); static int get_upap_passwd __P((void)); static int have_upap_secret __P((void)); -static int have_chap_secret __P((char *, char *)); -static int scan_authfile __P((FILE *, char *, char *, char *, - struct wordlist **, char *)); +static int have_chap_secret __P((char *, char *, u_int32_t)); +static int ip_addr_check __P((u_int32_t, struct wordlist *)); +static int scan_authfile __P((FILE *, char *, char *, u_int32_t, char *, + struct wordlist **, char *)); static void free_wordlist __P((struct wordlist *)); -extern char *crypt __P((char *, char *)); - /* * An Open on LCP has requested a change from Dead to Establish phase. * Do what's necessary to bring the physical layer up. @@ -145,8 +155,19 @@ void link_down(unit) int unit; { - ipcp_close(0); - ccp_close(0); + int i; + struct protent *protp; + + for (i = 0; (protp = protocols[i]) != NULL; ++i) { + if (!protp->enabled_flag) + continue; + if (protp->protocol != PPP_LCP && protp->lowerdown != NULL) + (*protp->lowerdown)(unit); + if (protp->protocol < 0xC000 && protp->close != NULL) + (*protp->close)(unit, "LCP down"); + } + num_np_open = 0; + num_np_up = 0; phase = PHASE_TERMINATE; } @@ -162,6 +183,16 @@ link_established(unit) lcp_options *wo = &lcp_wantoptions[unit]; lcp_options *go = &lcp_gotoptions[unit]; lcp_options *ho = &lcp_hisoptions[unit]; + int i; + struct protent *protp; + + /* + * Tell higher-level protocols that LCP is up. + */ + for (i = 0; (protp = protocols[i]) != NULL; ++i) + if (protp->protocol != PPP_LCP && protp->enabled_flag + && protp->lowerup != NULL) + (*protp->lowerup)(unit); if (auth_required && !(go->neg_chap || go->neg_upap)) { /* @@ -171,7 +202,7 @@ link_established(unit) */ if (!wo->neg_upap || !null_login(unit)) { syslog(LOG_WARNING, "peer refused to authenticate"); - lcp_close(unit); + lcp_close(unit, "peer refused to authenticate"); phase = PHASE_TERMINATE; return; } @@ -206,9 +237,19 @@ static void network_phase(unit) int unit; { + int i; + struct protent *protp; + phase = PHASE_NETWORK; - ipcp_open(unit); - ccp_open(unit); + if (!demand) + set_filters(&pass_filter, &active_filter); + for (i = 0; (protp = protocols[i]) != NULL; ++i) + if (protp->protocol < 0xC000 && protp->enabled_flag + && protp->open != NULL) { + (*protp->open)(unit); + if (protp->protocol != PPP_CCP) + ++num_np_open; + } } /* @@ -221,7 +262,7 @@ auth_peer_fail(unit, protocol) /* * Authentication failure: take the link down */ - lcp_close(unit); + lcp_close(unit, "Authentication failed"); phase = PHASE_TERMINATE; } @@ -251,11 +292,8 @@ auth_peer_success(unit, protocol) * If there is no more authentication still to be done, * proceed to the network phase. */ - if ((auth_pending[unit] &= ~bit) == 0) { - phase = PHASE_NETWORK; - ipcp_open(unit); - ccp_open(unit); - } + if ((auth_pending[unit] &= ~bit) == 0) + network_phase(unit); } /* @@ -304,13 +342,76 @@ auth_withpeer_success(unit, protocol) /* - * check_auth_options - called to check authentication options. + * np_up - a network protocol has come up. + */ +void +np_up(unit, proto) + int unit, proto; +{ + if (num_np_up == 0 && idle_time_limit > 0) { + TIMEOUT(check_idle, NULL, idle_time_limit); + } + ++num_np_up; +} + +/* + * np_down - a network protocol has gone down. + */ +void +np_down(unit, proto) + int unit, proto; +{ + if (--num_np_up == 0 && idle_time_limit > 0) { + UNTIMEOUT(check_idle, NULL); + } +} + +/* + * np_finished - a network protocol has finished using the link. */ void -check_auth_options() +np_finished(unit, proto) + int unit, proto; +{ + if (--num_np_open <= 0) { + /* no further use for the link: shut up shop. */ + lcp_close(0, "No network protocols running"); + } +} + +/* + * check_idle - check whether the link has been idle for long + * enough that we can shut it down. + */ +static void +check_idle(arg) + caddr_t arg; +{ + struct ppp_idle idle; + time_t itime; + + if (!get_idle_time(0, &idle)) + return; + itime = MIN(idle.xmit_idle, idle.recv_idle); + if (itime >= idle_time_limit) { + /* link is idle: shut it down. */ + syslog(LOG_INFO, "Terminating connection due to lack of activity."); + lcp_close(0, "Link inactive"); + } else { + TIMEOUT(check_idle, NULL, idle_time_limit - itime); + } +} + +/* + * auth_check_options - called to check authentication options. + */ +void +auth_check_options() { lcp_options *wo = &lcp_wantoptions[0]; lcp_options *ao = &lcp_allowoptions[0]; + ipcp_options *ipwo = &ipcp_wantoptions[0]; + u_int32_t remote; /* Default our_name to hostname, and user to our_name */ if (our_name[0] == 0 || usehostname) @@ -332,14 +433,17 @@ check_auth_options() ao->neg_upap = 0; if (wo->neg_upap && !uselogin && !have_upap_secret()) wo->neg_upap = 0; - if (ao->neg_chap && !have_chap_secret(our_name, remote_name)) + if (ao->neg_chap && !have_chap_secret(our_name, remote_name, (u_int32_t)0)) ao->neg_chap = 0; - if (wo->neg_chap && !have_chap_secret(remote_name, our_name)) - wo->neg_chap = 0; + if (wo->neg_chap) { + remote = ipwo->accept_remote? 0: ipwo->hisaddr; + if (!have_chap_secret(remote_name, our_name, remote)) + wo->neg_chap = 0; + } if (auth_required && !wo->neg_chap && !wo->neg_upap) { fprintf(stderr, "\ -pppd: peer authentication required but no authentication files accessible\n"); +pppd: peer authentication required but no suitable secret(s) found\n"); exit(1); } @@ -370,6 +474,8 @@ check_passwd(unit, auser, userlen, apasswd, passwdlen, msg, msglen) char *filename; FILE *f; struct wordlist *addrs; + u_int32_t remote; + ipcp_options *ipwo = &ipcp_wantoptions[unit]; char passwd[256], user[256]; char secret[MAXWORDLEN]; static int attempts = 0; @@ -392,16 +498,18 @@ check_passwd(unit, auser, userlen, apasswd, passwdlen, msg, msglen) f = fopen(filename, "r"); if (f == NULL) { if (!uselogin) { - syslog(LOG_ERR, "Can't open upap password file %s: %m", filename); + syslog(LOG_ERR, "Can't open PAP password file %s: %m", filename); ret = UPAP_AUTHNAK; } } else { check_access(f, filename); - if (scan_authfile(f, user, our_name, secret, &addrs, filename) < 0 + remote = ipwo->accept_remote? 0: ipwo->hisaddr; + if (scan_authfile(f, user, our_name, remote, + secret, &addrs, filename) < 0 || (secret[0] != 0 && (cryptpap || strcmp(passwd, secret) != 0) && strcmp(crypt(passwd, secret), secret) != 0)) { - syslog(LOG_WARNING, "upap authentication failure for %s", user); + syslog(LOG_WARNING, "PAP authentication failure for %s", user); ret = UPAP_AUTHNAK; } fclose(f); @@ -410,7 +518,7 @@ check_passwd(unit, auser, userlen, apasswd, passwdlen, msg, msglen) if (uselogin && ret == UPAP_AUTHACK) { ret = login(user, passwd, msg, msglen); if (ret == UPAP_AUTHNAK) { - syslog(LOG_WARNING, "upap login failure for %s", user); + syslog(LOG_WARNING, "PAP login failure for %s", user); } } @@ -510,7 +618,7 @@ login(user, passwd, msg, msglen) tty = devnam; if (strncmp(tty, "/dev/", 5) == 0) tty += 5; - logwtmp(tty, user, ""); /* Add wtmp login entry */ + logwtmp(tty, user, remote_name); /* Add wtmp login entry */ logged_in = TRUE; return (UPAP_AUTHACK); @@ -558,7 +666,7 @@ null_login(unit) return 0; check_access(f, filename); - i = scan_authfile(f, "", our_name, secret, &addrs, filename); + i = scan_authfile(f, "", our_name, (u_int32_t)0, secret, &addrs, filename); ret = i >= 0 && (i & NONWILD_CLIENT) != 0 && secret[0] == 0; if (ret) { @@ -591,7 +699,8 @@ get_upap_passwd() if (f == NULL) return 0; check_access(f, filename); - if (scan_authfile(f, user, remote_name, secret, NULL, filename) < 0) + if (scan_authfile(f, user, remote_name, (u_int32_t)0, + secret, NULL, filename) < 0) return 0; strncpy(passwd, secret, MAXSECRETLEN); passwd[MAXSECRETLEN-1] = 0; @@ -609,13 +718,16 @@ have_upap_secret() FILE *f; int ret; char *filename; + ipcp_options *ipwo = &ipcp_wantoptions[0]; + u_int32_t remote; filename = _PATH_UPAPFILE; f = fopen(filename, "r"); if (f == NULL) return 0; - ret = scan_authfile(f, NULL, our_name, NULL, NULL, filename); + remote = ipwo->accept_remote? 0: ipwo->hisaddr; + ret = scan_authfile(f, NULL, our_name, remote, NULL, NULL, filename); fclose(f); if (ret < 0) return 0; @@ -631,9 +743,10 @@ have_upap_secret() * know the identity yet. */ static int -have_chap_secret(client, server) +have_chap_secret(client, server, remote) char *client; char *server; + u_int32_t remote; { FILE *f; int ret; @@ -649,7 +762,7 @@ have_chap_secret(client, server) else if (server[0] == 0) server = NULL; - ret = scan_authfile(f, client, server, NULL, NULL, filename); + ret = scan_authfile(f, client, server, remote, NULL, NULL, filename); fclose(f); if (ret < 0) return 0; @@ -689,7 +802,8 @@ get_secret(unit, client, server, secret, secret_len, save_addrs) } check_access(f, filename); - ret = scan_authfile(f, client, server, secbuf, &addrs, filename); + ret = scan_authfile(f, client, server, (u_int32_t)0, + secbuf, &addrs, filename); fclose(f); if (ret < 0) return 0; @@ -720,31 +834,87 @@ auth_ip_addr(unit, addr) int unit; u_int32_t addr; { - u_int32_t a; - struct hostent *hp; + return ip_addr_check(addr, addresses[unit]); +} + +static int +ip_addr_check(addr, addrs) + u_int32_t addr; struct wordlist *addrs; +{ + u_int32_t a, mask, ah; + int accept; + char *ptr_word, *ptr_mask; + struct hostent *hp; + struct netent *np; /* don't allow loopback or multicast address */ if (bad_ip_adrs(addr)) return 0; - if ((addrs = addresses[unit]) == NULL) + if (addrs == NULL) return 1; /* no restriction */ for (; addrs != NULL; addrs = addrs->next) { /* "-" means no addresses authorized */ - if (strcmp(addrs->word, "-") == 0) + ptr_word = addrs->word; + if (strcmp(ptr_word, "-") == 0) break; - if ((a = inet_addr(addrs->word)) == -1) { - if ((hp = gethostbyname(addrs->word)) == NULL) { - syslog(LOG_WARNING, "unknown host %s in auth. address list", - addrs->word); + + accept = 1; + if (*ptr_word == '!') { + accept = 0; + ++ptr_word; + } + + mask = ~ (u_int32_t) 0; + ptr_mask = strchr (ptr_word, '/'); + if (ptr_mask != NULL) { + int bit_count; + + bit_count = (int) strtol (ptr_mask+1, (char **) 0, 10); + if (bit_count <= 0 || bit_count > 32) { + syslog (LOG_WARNING, + "invalid address length %s in auth. address list", + ptr_mask); continue; - } else - a = *(u_int32_t *)hp->h_addr; + } + *ptr_mask = '\0'; + mask <<= 32 - bit_count; } - if (addr == a) - return 1; + + hp = gethostbyname(ptr_word); + if (hp != NULL && hp->h_addrtype == AF_INET) { + a = *(u_int32_t *)hp->h_addr; + mask = ~ (u_int32_t) 0; /* are we sure we want this? */ + } else { + np = getnetbyname (ptr_word); + if (np != NULL && np->n_addrtype == AF_INET) + a = htonl (*(u_int32_t *)np->n_net); + else + a = inet_addr (ptr_word); + if (ptr_mask == NULL) { + /* calculate appropriate mask for net */ + ah = ntohl(a); + if (IN_CLASSA(ah)) + mask = IN_CLASSA_NET; + else if (IN_CLASSB(ah)) + mask = IN_CLASSB_NET; + else if (IN_CLASSC(ah)) + mask = IN_CLASSC_NET; + } + } + + if (ptr_mask != NULL) + *ptr_mask = '/'; + + if (a == -1L) + syslog (LOG_WARNING, + "unknown host %s in auth. address list", + addrs->word); + else + if (((addr ^ a) & htonl(mask)) == 0) + return accept; } return 0; /* not in list => can't have it */ } @@ -791,10 +961,11 @@ check_access(f, filename) * info) are placed in a wordlist and returned in *addrs. */ static int -scan_authfile(f, client, server, secret, addrs, filename) +scan_authfile(f, client, server, ipaddr, secret, addrs, filename) FILE *f; char *client; char *server; + u_int32_t ipaddr; char *secret; struct wordlist **addrs; char *filename; @@ -802,9 +973,10 @@ scan_authfile(f, client, server, secret, addrs, filename) int newline, xxx; int got_flag, best_flag; FILE *sf; - struct wordlist *ap, *addr_list, *addr_last; + struct wordlist *ap, *addr_list, *alist, *alast; char word[MAXWORDLEN]; char atfile[MAXWORDLEN]; + char lsecret[MAXWORDLEN]; if (addrs != NULL) *addrs = NULL; @@ -880,16 +1052,12 @@ scan_authfile(f, client, server, secret, addrs, filename) fclose(sf); } if (secret != NULL) - strcpy(secret, word); - - best_flag = got_flag; + strcpy(lsecret, word); /* * Now read address authorization info and make a wordlist. */ - if (addr_list) - free_wordlist(addr_list); - addr_list = addr_last = NULL; + alist = alast = NULL; for (;;) { if (!getword(f, word, &newline, filename) || newline) break; @@ -899,12 +1067,31 @@ scan_authfile(f, client, server, secret, addrs, filename) novm("authorized addresses"); ap->next = NULL; strcpy(ap->word, word); - if (addr_list == NULL) - addr_list = ap; + if (alist == NULL) + alist = ap; else - addr_last->next = ap; - addr_last = ap; + alast->next = ap; + alast = ap; + } + + /* + * Check if the given IP address is allowed by the wordlist. + */ + if (ipaddr != 0 && !ip_addr_check(ipaddr, alist)) { + free_wordlist(alist); + continue; } + + /* + * This is the best so far; remember it. + */ + best_flag = got_flag; + if (addr_list) + free_wordlist(addr_list); + addr_list = alist; + if (secret != NULL) + strcpy(secret, lsecret); + if (!newline) break; }