X-Git-Url: http://git.ozlabs.org/?p=ppp.git;a=blobdiff_plain;f=pppd%2Fauth.c;h=cf042686a33557e14fb1f81ce29b83c7a28c787b;hp=1a8cb34ed0c3b460babd9fd33041854cb90110e2;hb=fd25394d146bb83043189608d30dd0eeb983186d;hpb=aac99e2604e20409d9f0538ceb8590c2f75220a0 diff --git a/pppd/auth.c b/pppd/auth.c index 1a8cb34..cf04268 100644 --- a/pppd/auth.c +++ b/pppd/auth.c @@ -32,7 +32,7 @@ * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. */ -#define RCSID "$Id: auth.c,v 1.70 2001/04/27 23:13:06 paulus Exp $" +#define RCSID "$Id: auth.c,v 1.88 2002/10/27 12:56:26 fcusack Exp $" #include #include @@ -46,7 +46,7 @@ #include #include #include -#if defined(_PATH_LASTLOG) && defined(_linux_) +#if defined(_PATH_LASTLOG) && defined(__linux__) #include #endif @@ -64,10 +64,13 @@ #define PW_PPP PW_LOGIN #endif #endif +#include #include "pppd.h" #include "fsm.h" #include "lcp.h" +#include "ccp.h" +#include "ecp.h" #include "ipcp.h" #include "upap.h" #include "chap.h" @@ -90,6 +93,9 @@ char peer_authname[MAXNAMELEN]; /* Records which authentication operations haven't completed yet. */ static int auth_pending[NUM_PPP]; +/* Records which authentication operations have been completed. */ +int auth_done[NUM_PPP]; + /* Set if we have successfully called plogin() */ static int logged_in; @@ -100,6 +106,12 @@ static struct permitted_ip *addresses[NUM_PPP]; without authenticating itself. */ static struct wordlist *noauth_addrs; +/* Remote telephone number, if available */ +char remote_number[MAXNAMELEN]; + +/* Wordlist giving remote telephone numbers which may connect. */ +static struct wordlist *permitted_numbers; + /* Extra options to apply, from the secrets file entry for the peer. */ static struct wordlist *extra_options; @@ -137,6 +149,8 @@ int (*pap_passwd_hook) __P((char *user, char *passwd)) = NULL; int (*null_auth_hook) __P((struct wordlist **paddrs, struct wordlist **popts)) = NULL; +int (*allowed_address_hook) __P((u_int32_t addr)) = NULL; + /* A notifier for when the peer has authenticated itself, and we are proceeding to the network phase. */ struct notifier *auth_up_notifier = NULL; @@ -166,6 +180,13 @@ bool uselogin = 0; /* Use /etc/passwd for checking PAP */ bool cryptpap = 0; /* Passwords in pap-secrets are encrypted */ bool refuse_pap = 0; /* Don't wanna auth. ourselves with PAP */ bool refuse_chap = 0; /* Don't wanna auth. ourselves with CHAP */ +#ifdef CHAPMS +bool refuse_mschap = 0; /* Don't wanna auth. ourselves with MS-CHAP */ +bool refuse_mschap_v2 = 0; /* Don't wanna auth. ourselves with MS-CHAPv2 */ +#else +bool refuse_mschap = 1; /* Don't wanna auth. ourselves with MS-CHAP */ +bool refuse_mschap_v2 = 1; /* Don't wanna auth. ourselves with MS-CHAPv2 */ +#endif bool usehostname = 0; /* Use hostname for our_name */ bool auth_required = 0; /* Always require authentication from peer */ bool allow_any_ip = 0; /* Allow peer to use any IP address */ @@ -174,12 +195,6 @@ char remote_name[MAXNAMELEN]; /* Peer's name for authentication */ static char *uafname; /* name of most recent +ua file */ -/* Bits in auth_pending[] */ -#define PAP_WITHPEER 1 -#define PAP_PEER 2 -#define CHAP_WITHPEER 4 -#define CHAP_PEER 8 - extern char *crypt __P((const char *, const char *)); /* Prototypes for procedures local to this file. */ @@ -205,9 +220,14 @@ static int some_ip_ok __P((struct wordlist *)); static int setupapfile __P((char **)); static int privgroup __P((char **)); static int set_noauth_addr __P((char **)); +static int set_permitted_number __P((char **)); static void check_access __P((FILE *, char *)); static int wordlist_count __P((struct wordlist *)); +#ifdef MAXOCTETS +static void check_maxoctets __P((void *)); +#endif + /* * Authentication-related options. */ @@ -223,22 +243,63 @@ option_t auth_options[] = { { "+pap", o_bool, &lcp_wantoptions[0].neg_upap, "Require PAP authentication from peer", OPT_ALIAS | OPT_PRIOSUB | 1, &auth_required }, - { "require-chap", o_bool, &lcp_wantoptions[0].neg_chap, + { "require-chap", o_bool, &auth_required, "Require CHAP authentication from peer", - OPT_PRIOSUB | 1, &auth_required }, - { "+chap", o_bool, &lcp_wantoptions[0].neg_chap, + OPT_PRIOSUB | OPT_A2OR | MDTYPE_MD5, + &lcp_wantoptions[0].chap_mdtype }, + { "+chap", o_bool, &auth_required, "Require CHAP authentication from peer", - OPT_ALIAS | OPT_PRIOSUB | 1, &auth_required }, + OPT_ALIAS | OPT_PRIOSUB | OPT_A2OR | MDTYPE_MD5, + &lcp_wantoptions[0].chap_mdtype }, +#ifdef CHAPMS + { "require-mschap", o_bool, &auth_required, + "Require MS-CHAP authentication from peer", + OPT_PRIOSUB | OPT_A2OR | MDTYPE_MICROSOFT, + &lcp_wantoptions[0].chap_mdtype }, + { "+mschap", o_bool, &auth_required, + "Require MS-CHAP authentication from peer", + OPT_ALIAS | OPT_PRIOSUB | OPT_A2OR | MDTYPE_MICROSOFT, + &lcp_wantoptions[0].chap_mdtype }, + { "require-mschap-v2", o_bool, &auth_required, + "Require MS-CHAPv2 authentication from peer", + OPT_PRIOSUB | OPT_A2OR | MDTYPE_MICROSOFT_V2, + &lcp_wantoptions[0].chap_mdtype }, + { "+mschap-v2", o_bool, &auth_required, + "Require MS-CHAPv2 authentication from peer", + OPT_ALIAS | OPT_PRIOSUB | OPT_A2OR | MDTYPE_MICROSOFT_V2, + &lcp_wantoptions[0].chap_mdtype }, +#endif { "refuse-pap", o_bool, &refuse_pap, "Don't agree to auth to peer with PAP", 1 }, { "-pap", o_bool, &refuse_pap, "Don't allow PAP authentication with peer", OPT_ALIAS | 1 }, - { "refuse-chap", o_bool, &refuse_chap, - "Don't agree to auth to peer with CHAP", 1 }, + "Don't agree to auth to peer with CHAP", + OPT_A2CLRB | MDTYPE_MD5, + &lcp_allowoptions[0].chap_mdtype }, { "-chap", o_bool, &refuse_chap, - "Don't allow CHAP authentication with peer", OPT_ALIAS | 1 }, + "Don't allow CHAP authentication with peer", + OPT_ALIAS | OPT_A2CLRB | MDTYPE_MD5, + &lcp_allowoptions[0].chap_mdtype }, +#ifdef CHAPMS + { "refuse-mschap", o_bool, &refuse_mschap, + "Don't agree to auth to peer with MS-CHAP", + OPT_A2CLRB | MDTYPE_MICROSOFT, + &lcp_allowoptions[0].chap_mdtype }, + { "-mschap", o_bool, &refuse_mschap, + "Don't allow MS-CHAP authentication with peer", + OPT_ALIAS | OPT_A2CLRB | MDTYPE_MICROSOFT, + &lcp_allowoptions[0].chap_mdtype }, + { "refuse-mschap-v2", o_bool, &refuse_mschap_v2, + "Don't agree to auth to peer with MS-CHAPv2", + OPT_A2CLRB | MDTYPE_MICROSOFT_V2, + &lcp_allowoptions[0].chap_mdtype }, + { "-mschap-v2", o_bool, &refuse_mschap_v2, + "Don't allow MS-CHAPv2 authentication with peer", + OPT_ALIAS | OPT_A2CLRB | MDTYPE_MICROSOFT_V2, + &lcp_allowoptions[0].chap_mdtype }, +#endif { "name", o_string, our_name, "Set local name for authentication", @@ -275,6 +336,14 @@ option_t auth_options[] = { "Set IP address(es) which can be used without authentication", OPT_PRIV | OPT_A2LIST }, + { "remotenumber", o_string, remote_number, + "Set remote telephone number for authentication", OPT_PRIO | OPT_STATIC, + NULL, MAXNAMELEN }, + + { "allow-number", o_special, (void *)set_permitted_number, + "Set telephone number(s) which are allowed to connect", + OPT_PRIV | OPT_A2LIST }, + { NULL } }; @@ -379,6 +448,28 @@ set_noauth_addr(argv) } +/* + * set_permitted_number - set remote telephone number(s) that may connect. + */ +static int +set_permitted_number(argv) + char **argv; +{ + char *number = *argv; + int l = strlen(number) + 1; + struct wordlist *wp; + + wp = (struct wordlist *) malloc(sizeof(struct wordlist) + l); + if (wp == NULL) + novm("allow-number argument"); + wp->word = (char *) (wp + 1); + wp->next = permitted_numbers; + BCOPY(number, wp->word, l); + permitted_numbers = wp; + return 1; +} + + /* * An Open on LCP has requested a change from Dead to Establish phase. * Do what's necessary to bring the physical layer up. @@ -463,12 +554,12 @@ link_established(unit) && protp->lowerup != NULL) (*protp->lowerup)(unit); - if (auth_required && !(go->neg_chap || go->neg_upap)) { + if (auth_required && !(go->neg_upap || go->neg_chap)) { /* * We wanted the peer to authenticate itself, and it refused: * if we have some address(es) it can use without auth, fine, * otherwise treat it as though it authenticated with PAP using - * a username * of "" and a password of "". If that's not OK, + * a username of "" and a password of "". If that's not OK, * boot it out. */ if (noauth_addrs != NULL) { @@ -485,14 +576,14 @@ link_established(unit) used_login = 0; auth = 0; if (go->neg_chap) { - ChapAuthPeer(unit, our_name, go->chap_mdtype); + ChapAuthPeer(unit, our_name, CHAP_DIGEST(go->chap_mdtype)); auth |= CHAP_PEER; } else if (go->neg_upap) { upap_authpeer(unit); auth |= PAP_PEER; } if (ho->neg_chap) { - ChapAuthWithPeer(unit, user, ho->chap_mdtype); + ChapAuthWithPeer(unit, user, CHAP_DIGEST(ho->chap_mdtype)); auth |= CHAP_WITHPEER; } else if (ho->neg_upap) { if (passwd[0] == 0) { @@ -504,6 +595,7 @@ link_established(unit) auth |= PAP_WITHPEER; } auth_pending[unit] = auth; + auth_done[unit] = 0; if (!auth) network_phase(unit); @@ -518,6 +610,10 @@ network_phase(unit) { lcp_options *go = &lcp_gotoptions[unit]; + /* Log calling number. */ + if (*remote_number) + notice("peer from calling number %q authorized", remote_number); + /* * If the peer had to authenticate, run the auth-up script now. */ @@ -549,14 +645,16 @@ network_phase(unit) free_wordlist(extra_options); extra_options = 0; } - start_networks(); + start_networks(unit); } void -start_networks() +start_networks(unit) + int unit; { int i; struct protent *protp; + int ecp_required, mppe_required; new_phase(PHASE_NETWORK); @@ -574,12 +672,37 @@ start_networks() if (!demand) set_filters(&pass_filter, &active_filter); #endif + /* Start CCP and ECP */ for (i = 0; (protp = protocols[i]) != NULL; ++i) - if (protp->protocol < 0xC000 && protp->enabled_flag - && protp->open != NULL) { + if ((protp->protocol == PPP_ECP || protp->protocol == PPP_CCP) + && protp->enabled_flag && protp->open != NULL) (*protp->open)(0); - if (protp->protocol != PPP_CCP) - ++num_np_open; + + /* + * Bring up other network protocols iff encryption is not required. + */ + ecp_required = ecp_gotoptions[unit].required; + mppe_required = ccp_gotoptions[unit].mppe; + if (!ecp_required && !mppe_required) + continue_networks(unit); +} + +void +continue_networks(unit) + int unit; +{ + int i; + struct protent *protp; + + /* + * Start the "real" network protocols. + */ + for (i = 0; (protp = protocols[i]) != NULL; ++i) + if (protp->protocol < 0xC000 + && protp->protocol != PPP_CCP && protp->protocol != PPP_ECP + && protp->enabled_flag && protp->open != NULL) { + (*protp->open)(0); + ++num_np_open; } if (num_np_open == 0) @@ -605,8 +728,8 @@ auth_peer_fail(unit, protocol) * The peer has been successfully authenticated using `protocol'. */ void -auth_peer_success(unit, protocol, name, namelen) - int unit, protocol; +auth_peer_success(unit, protocol, prot_flavor, name, namelen) + int unit, protocol, prot_flavor; char *name; int namelen; { @@ -615,6 +738,19 @@ auth_peer_success(unit, protocol, name, namelen) switch (protocol) { case PPP_CHAP: bit = CHAP_PEER; + switch (prot_flavor) { + case CHAP_DIGEST_MD5: + bit |= CHAP_MD5_PEER; + break; +#ifdef CHAPMS + case CHAP_MICROSOFT: + bit |= CHAP_MS_PEER; + break; + case CHAP_MICROSOFT_V2: + bit |= CHAP_MS2_PEER; + break; +#endif + } break; case PPP_PAP: bit = PAP_PEER; @@ -633,6 +769,9 @@ auth_peer_success(unit, protocol, name, namelen) peer_authname[namelen] = 0; script_setenv("PEERNAME", peer_authname, 0); + /* Save the authentication method for later. */ + auth_done[unit] |= bit; + /* * If there is no more authentication still to be done, * proceed to the network (or callback) phase. @@ -664,14 +803,27 @@ auth_withpeer_fail(unit, protocol) * We have successfully authenticated ourselves with the peer using `protocol'. */ void -auth_withpeer_success(unit, protocol) - int unit, protocol; +auth_withpeer_success(unit, protocol, prot_flavor) + int unit, protocol, prot_flavor; { int bit; switch (protocol) { case PPP_CHAP: bit = CHAP_WITHPEER; + switch (prot_flavor) { + case CHAP_DIGEST_MD5: + bit |= CHAP_MD5_WITHPEER; + break; +#ifdef CHAPMS + case CHAP_MICROSOFT: + bit |= CHAP_MS_WITHPEER; + break; + case CHAP_MICROSOFT_V2: + bit |= CHAP_MS2_WITHPEER; + break; +#endif + } break; case PPP_PAP: if (passwd_from_file) @@ -683,6 +835,9 @@ auth_withpeer_success(unit, protocol) bit = 0; } + /* Save the authentication method for later. */ + auth_done[unit] |= bit; + /* * If there is no more authentication still being done, * proceed to the network (or callback) phase. @@ -723,6 +878,11 @@ np_up(unit, proto) if (maxconnect > 0) TIMEOUT(connect_time_expired, 0, maxconnect); +#ifdef MAXOCTETS + if (maxoctets > 0) + TIMEOUT(check_maxoctets, NULL, maxoctets_timeout); +#endif + /* * Detach now, if the updetach option was given. */ @@ -741,6 +901,10 @@ np_down(unit, proto) { if (--num_np_up == 0) { UNTIMEOUT(check_idle, NULL); + UNTIMEOUT(connect_time_expired, NULL); +#ifdef MAXOCTETS + UNTIMEOUT(check_maxoctets, NULL); +#endif new_phase(PHASE_NETWORK); } } @@ -758,6 +922,44 @@ np_finished(unit, proto) } } +#ifdef MAXOCTETS +static void +check_maxoctets(arg) + void *arg; +{ + int diff; + unsigned int used; + + update_link_stats(ifunit); + link_stats_valid=0; + + switch(maxoctets_dir) { + case PPP_OCTETS_DIRECTION_IN: + used = link_stats.bytes_in; + break; + case PPP_OCTETS_DIRECTION_OUT: + used = link_stats.bytes_out; + break; + case PPP_OCTETS_DIRECTION_MAXOVERAL: + case PPP_OCTETS_DIRECTION_MAXSESSION: + used = (link_stats.bytes_in > link_stats.bytes_out) ? link_stats.bytes_in : link_stats.bytes_out; + break; + default: + used = link_stats.bytes_in+link_stats.bytes_out; + break; + } + diff = maxoctets - used; + if(diff < 0) { + notice("Traffic limit reached. Limit: %u Used: %u", maxoctets, used); + lcp_close(0, "Traffic limit"); + need_holdoff = 0; + status = EXIT_TRAFFIC_LIMIT; + } else { + TIMEOUT(check_maxoctets, NULL, maxoctets_timeout); + } +} +#endif + /* * check_idle - check whether the link has been idle for long * enough that we can shut it down. @@ -826,15 +1028,19 @@ auth_check_options() default_auth = 1; } + /* If we selected any CHAP flavors, we should probably negotiate it. :-) */ + if (wo->chap_mdtype) + wo->neg_chap = 1; + /* If authentication is required, ask peer for CHAP or PAP. */ if (auth_required) { allow_any_ip = 0; if (!wo->neg_chap && !wo->neg_upap) { - wo->neg_chap = 1; + wo->neg_chap = 1; wo->chap_mdtype = MDTYPE_ALL; wo->neg_upap = 1; } } else { - wo->neg_chap = 0; + wo->neg_chap = 0; wo->chap_mdtype = MDTYPE_NONE; wo->neg_upap = 0; } @@ -844,7 +1050,7 @@ auth_check_options() */ lacks_ip = 0; can_auth = wo->neg_upap && (uselogin || have_pap_secret(&lacks_ip)); - if (!can_auth && wo->neg_chap) { + if (!can_auth && (wo->neg_chap)) { can_auth = have_chap_secret((explicit_remote? remote_name: NULL), our_name, 1, &lacks_ip); } @@ -885,7 +1091,7 @@ auth_reset(unit) lcp_options *ao = &lcp_allowoptions[0]; ao->neg_upap = !refuse_pap && (passwd[0] != 0 || get_pap_passwd(NULL)); - ao->neg_chap = !refuse_chap + ao->neg_chap = (!refuse_chap || !refuse_mschap || !refuse_mschap_v2) && (passwd[0] != 0 || have_chap_secret(user, (explicit_remote? remote_name: NULL), 0, NULL)); @@ -947,6 +1153,9 @@ check_passwd(unit, auser, userlen, apasswd, passwdlen, msg) BZERO(passwd, sizeof(passwd)); if (addrs != 0) free_wordlist(addrs); + if (opts != 0) { + free_wordlist(opts); + } return ret? UPAP_AUTHACK: UPAP_AUTHNAK; } } @@ -975,19 +1184,14 @@ check_passwd(unit, auser, userlen, apasswd, passwdlen, msg) ret = UPAP_AUTHACK; if (uselogin || login_secret) { /* login option or secret is @login */ - ret = plogin(user, passwd, msg); - if (ret == UPAP_AUTHNAK) - warn("PAP login failure for %s", user); - else + if ((ret = plogin(user, passwd, msg)) == UPAP_AUTHACK) used_login = 1; } if (secret[0] != 0 && !login_secret) { /* password given in pap-secrets - must match */ if ((cryptpap || strcmp(passwd, secret) != 0) - && strcmp(crypt(passwd, secret), secret) != 0) { + && strcmp(crypt(passwd, secret), secret) != 0) ret = UPAP_AUTHNAK; - warn("PAP authentication failure for %s", user); - } } } fclose(f); @@ -1134,7 +1338,7 @@ plogin(user, passwd, msg) if (pam_error == PAM_SUCCESS && !PAM_error) { pam_error = pam_acct_mgmt (pamh, PAM_SILENT); if (pam_error == PAM_SUCCESS) - pam_open_session (pamh, PAM_SILENT); + pam_error = pam_open_session (pamh, PAM_SILENT); } *msg = (char *) pam_strerror (pamh, pam_error); @@ -1197,7 +1401,7 @@ plogin(user, passwd, msg) tty = devnam; if (strncmp(tty, "/dev/", 5) == 0) tty += 5; - logwtmp(tty, user, remote_name); /* Add wtmp login entry */ + logwtmp(tty, user, ifname); /* Add wtmp login entry */ #if defined(_PATH_LASTLOG) && !defined(USE_PAM) if (pw != (struct passwd *)NULL) { @@ -1399,6 +1603,13 @@ have_chap_secret(client, server, need_ip, lacks_ipp) char *filename; struct wordlist *addrs; + if (chap_check_hook) { + ret = (*chap_check_hook)(); + if (ret >= 0) { + return ret; + } + } + filename = _PATH_CHAPFILE; f = fopen(filename, "r"); if (f == NULL) @@ -1445,6 +1656,12 @@ get_secret(unit, client, server, secret, secret_len, am_server) if (!am_server && passwd[0] != 0) { strlcpy(secbuf, passwd, sizeof(secbuf)); + } else if (!am_server && chap_passwd_hook) { + if ( (*chap_passwd_hook)(client, secbuf) < 0) { + error("Unable to obtain CHAP password for %s on %s from plugin", + client, server); + return 0; + } } else { filename = _PATH_CHAPFILE; addrs = NULL; @@ -1654,11 +1871,17 @@ auth_ip_addr(unit, addr) if (bad_ip_adrs(addr)) return 0; + if (allowed_address_hook) { + ok = allowed_address_hook(addr); + if (ok >= 0) return ok; + } + if (addresses[unit] != NULL) { ok = ip_addr_check(addr, addresses[unit]); if (ok >= 0) return ok; } + if (auth_required) return 0; /* no addresses authorized */ return allow_any_ip || privileged || !have_route_to(addr); @@ -1705,6 +1928,34 @@ some_ip_ok(addrs) return 0; } +/* + * auth_number - check whether the remote number is allowed to connect. + * Returns 1 if authorized, 0 otherwise. + */ +int +auth_number() +{ + struct wordlist *wp = permitted_numbers; + int l; + + /* Allow all if no authorization list. */ + if (!wp) + return 1; + + /* Allow if we have a match in the authorization list. */ + while (wp) { + /* trailing '*' wildcard */ + l = strlen(wp->word); + if ((wp->word)[l - 1] == '*') + l--; + if (!strncasecmp(wp->word, remote_number, l)) + return 1; + wp = wp->next; + } + + return 0; +} + /* * check_access - complain if a secret file has too-liberal permissions. */