X-Git-Url: http://git.ozlabs.org/?p=ppp.git;a=blobdiff_plain;f=pppd%2Fauth.c;h=ec137109141fa6428eed257862326aaf6048afff;hp=202d557a5a4b41539ee1065ad43fbacb1f3bc5bb;hb=HEAD;hpb=a20059a09c56555f6c2006a7193de4c1676b477a diff --git a/pppd/auth.c b/pppd/auth.c index 202d557..a78a697 100644 --- a/pppd/auth.c +++ b/pppd/auth.c @@ -1,7 +1,7 @@ /* * auth.c - PPP authentication and phase control. * - * Copyright (c) 1993-2002 Paul Mackerras. All rights reserved. + * Copyright (c) 1993-2024 Paul Mackerras. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -10,14 +10,10 @@ * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * - * 2. The name(s) of the authors of this software must not be used to - * endorse or promote products derived from this software without - * prior written permission. - * - * 3. Redistributions of any form whatsoever must retain the following - * acknowledgment: - * "This product includes software developed by Paul Mackerras - * ". + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. * * THE AUTHORS OF THIS SOFTWARE DISCLAIM ALL WARRANTIES WITH REGARD TO * THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY @@ -68,8 +64,6 @@ * OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ -#define RCSID "$Id: auth.c,v 1.117 2008/07/01 12:27:56 paulus Exp $" - #ifdef HAVE_CONFIG_H #include "config.h" #endif @@ -83,6 +77,7 @@ #include #include #include +#include #include #include #include 
@@ -253,6 +248,8 @@ bool explicit_remote = 0; /* User specified explicit remote name */ bool explicit_user = 0; /* Set if "user" option supplied */ bool explicit_passwd = 0; /* Set if "password" option supplied */ char remote_name[MAXNAMELEN]; /* Peer's name for authentication */ +char path_upapfile[MAXPATHLEN]; /* Pathname of pap-secrets file */ +char path_chapfile[MAXPATHLEN]; /* Pathname of chap-secrets file */ #if defined(PPP_WITH_EAPTLS) || defined(PPP_WITH_PEAP) char *cacert_file = NULL; /* CA certificate file (pem format) */ @@ -417,6 +414,14 @@ struct option auth_options[] = { "Set remote name for authentication", OPT_PRIO | OPT_STATIC, &explicit_remote, MAXNAMELEN }, + { "pap-secrets", o_string, path_upapfile, + "Set pathname of pap-secrets", OPT_PRIO | OPT_PRIV | OPT_STATIC, + NULL, MAXPATHLEN }, + + { "chap-secrets", o_string, path_chapfile, + "Set pathname of chap-secrets", OPT_PRIO | OPT_PRIV | OPT_STATIC, + NULL, MAXPATHLEN }, + { "login", o_bool, &uselogin, "Use system password database for PAP", OPT_A2COPY | 1 , &session_mgmt }, @@ -481,6 +486,7 @@ ppp_set_remote_number(const char *buf) { if (buf) { strlcpy(remote_number, buf, sizeof(remote_number)); + ppp_script_setenv("REMOTENUMBER", remote_number, 0); } } @@ -1031,10 +1037,12 @@ auth_peer_success(int unit, int protocol, int prot_flavor, char *name, int namelen) { int bit; + const char *prot; switch (protocol) { case PPP_CHAP: bit = CHAP_PEER; + prot = "CHAP"; switch (prot_flavor) { case CHAP_MD5: bit |= CHAP_MD5_PEER; @@ -1051,12 +1059,15 @@ auth_peer_success(int unit, int protocol, int prot_flavor, break; case PPP_PAP: bit = PAP_PEER; + prot = "PAP"; break; case PPP_EAP: bit = EAP_PEER; + prot = "EAP"; break; default: warn("auth_peer_success: unknown protocol %x", protocol); + prot = "unknown protocol"; return; } 
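Review bot: `path_upapfile` and `path_chapfile` are declared as plain zero-filled arrays at @@ -253, but nothing in this diff assigns them the former compiled-in defaults `PPP_PATH_UPAPFILE` / `PPP_PATH_CHAPFILE`, which the hunks at @@ -1525, @@ -1626, @@ -1673, @@ -1710, @@ -1752 and @@ -1838 now replace with the arrays; unless they are initialised somewhere outside this diff, a pppd started without the new `pap-secrets`/`chap-secrets` options calls `fopen("")` and every PAP/CHAP secrets lookup fails. If the defaults are string literals the simplest fix is at the declaration, `char path_upapfile[MAXPATHLEN] = PPP_PATH_UPAPFILE;` and `char path_chapfile[MAXPATHLEN] = PPP_PATH_CHAPFILE;`, otherwise a `strlcpy` into them in auth_check_options before the first use. The `OPT_PRIV` flag on both new options at @@ -417 is the right choice, since letting an unprivileged options source redirect the secrets file would let it pick which credentials the daemon trusts.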
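Review bot: In the `default:` arm at the end of the @@ -1051 hunk, `prot = "unknown protocol";` is written immediately before `return;` and is never read, so it is a dead store. Either drop that line, or initialise the variable where it is declared in the @@ -1031 hunk, `const char *prot = "unknown protocol";`, which also keeps the later `notice()` safe should another protocol case be added without setting `prot`. auth_peer_success continues outside both hunks.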
@@ -1068,6 +1079,7 @@ auth_peer_success(int unit, int protocol, int prot_flavor, BCOPY(name, peer_authname, namelen); peer_authname[namelen] = 0; ppp_script_setenv("PEERNAME", peer_authname, 0); + notice("Peer %q authenticated with %s", peer_authname, prot); /* Save the authentication method for later. */ auth_done[unit] |= bit; @@ -1313,6 +1325,7 @@ connect_time_expired(void *arg) info("Connect time expired"); ppp_set_status(EXIT_CONNECT_TIME); lcp_close(0, "Connect time expired"); /* Close connection */ + need_holdoff = 0; } /* @@ -1334,6 +1347,13 @@ auth_check_options(void) if (user[0] == 0 && !explicit_user) strlcpy(user, our_name, sizeof(user)); +#if defined(SYSTEM_CA_PATH) && (defined(PPP_WITH_EAPTLS) || defined(PPP_WITH_PEAP)) + /* Use system default for CA Path if not specified */ + if (!ca_path) { + ca_path = SYSTEM_CA_PATH; + } +#endif + /* * If we have a default route, require the peer to authenticate * unless the noauth option was given or the real user is root. @@ -1525,7 +1545,7 @@ check_passwd(int unit, * Open the file of pap secrets and scan for a suitable secret * for authenticating this user. */ - filename = PPP_PATH_UPAPFILE; + filename = path_upapfile; addrs = opts = NULL; ret = UPAP_AUTHNAK; f = fopen(filename, "r"); @@ -1626,7 +1646,7 @@ null_login(int unit) * Open the file of pap secrets and scan for a suitable secret. */ if (ret <= 0) { - filename = PPP_PATH_UPAPFILE; + filename = path_upapfile; addrs = NULL; f = fopen(filename, "r"); if (f == NULL) @@ -1673,7 +1693,7 @@ get_pap_passwd(char *passwd) return ret; } - filename = PPP_PATH_UPAPFILE; + filename = path_upapfile; f = fopen(filename, "r"); if (f == NULL) return 0; @@ -1710,7 +1730,7 @@ have_pap_secret(int *lacks_ipp) return ret; } - filename = PPP_PATH_UPAPFILE; + filename = path_upapfile; f = fopen(filename, "r"); if (f == NULL) return 0; 
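Review bot: The fallback in the `#if defined(SYSTEM_CA_PATH)` block of the @@ -1334 hunk silently changes which issuers can vouch for the peer's certificate in EAP-TLS/PEAP: when the operator configured no `ca_path`, the whole system CA directory becomes an acceptable trust set, which is wider than someone who only set `cacert_file` may expect. A comment and a log line would make that visible, e.g. `/* No ca_path configured: fall back to the system CA directory, so any CA installed there can validate the peer */` followed by `info("Using system CA path %s", ca_path);`. The line also stores a string literal in `ca_path`; if that variable is a non-const `char *` that the TLS code later frees or writes through (not visible here), that would be undefined behaviour, so it is worth confirming against its declaration. auth_check_options continues outside the hunk.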
@@ -1752,7 +1772,7 @@ have_chap_secret(char *client, char *server, } } - filename = PPP_PATH_CHAPFILE; + filename = path_chapfile; f = fopen(filename, "r"); if (f == NULL) return 0; @@ -1838,7 +1858,7 @@ get_secret(int unit, char *client, char *server, return 0; } } else { - filename = PPP_PATH_CHAPFILE; + filename = path_chapfile; addrs = NULL; secbuf[0] = 0; @@ -2147,7 +2167,7 @@ int auth_number(void) { struct wordlist *wp = permitted_numbers; - int l; + size_t l; /* Allow all if no authorization list. */ if (!wp) @@ -2157,9 +2177,10 @@ auth_number(void) while (wp) { /* trailing '*' wildcard */ l = strlen(wp->word); - if ((wp->word)[l - 1] == '*') - l--; - if (!strncasecmp(wp->word, remote_number, l)) + if (l > 0 && (wp->word)[l - 1] == '*') { + if (!strncasecmp(wp->word, remote_number, l - 1)) + return 1; + } else if (strcasecmp(wp->word, remote_number) == 0) return 1; wp = wp->next; }
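Review bot: The rewritten loop in the @@ -2157 hunk turns a non-wildcard entry from a prefix match (the old `strncasecmp` compared only the first `l` characters, so "555" accepted "5551234") into an exact `strcasecmp`, which is the safer reading of an authorization list, but the only comment left, `/* trailing '*' wildcard */`, no longer tells the reader that; add on the `else if` branch `/* no wildcard: the whole number must match */`. The new `l > 0` guard also removes the old `word[l - 1]` read for an empty word, which is worth a word in the commit message. auth_number's return after the loop is outside the hunk.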