X-Git-Url: http://git.ozlabs.org/?p=ppp.git;a=blobdiff_plain;f=pppd%2Fchap.c;h=10673f26648df469b44d00af3b5d64f1294b89fb;hp=a48f69f2158500a8d906d3c79a47e1b39453bde0;hb=c942484570a7644e4e833bfe60cb1c0fdc462ed6;hpb=1aa145faffde86065d6ae1af4041d185c7733342
diff --git a/pppd/chap.c b/pppd/chap.c
index a48f69f..10673f2 100644
--- a/pppd/chap.c
+++ b/pppd/chap.c
@@ -1,20 +1,36 @@ /* - * chap_ms.c - Challenge Handshake Authentication Protocol. + * chap.c - Challenge Handshake Authentication Protocol. * - * Copyright (c) 1993 The Australian National University. - * All rights reserved. + * Copyright (c) 1993-2002 Paul Mackerras. All rights reserved. * - * Redistribution and use in source and binary forms are permitted - * provided that the above copyright notice and this paragraph are - * duplicated in all such forms and that any documentation, - * advertising materials, and other materials related to such - * distribution and use acknowledge that the software was developed - * by the Australian National University. The name of the University - * may not be used to endorse or promote products derived from this - * software without specific prior written permission. - * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR - * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED - * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. The name(s) of the authors of this software must not be used to + * endorse or promote products derived from this software without + * prior written permission. + * + * 4. Redistributions of any form whatsoever must retain the following + * acknowledgment: + * "This product includes software developed by Paul Mackerras + * ". 
+ * + * THE AUTHORS OF THIS SOFTWARE DISCLAIM ALL WARRANTIES WITH REGARD TO + * THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY + * AND FITNESS, IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY + * SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN + * AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING + * OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. * * Copyright (c) 1991 Gregory M. Christy. * All rights reserved. @@ -33,7 +49,7 @@ * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. */ -#define RCSID "$Id: chap.c,v 1.33 2002/09/01 12:00:15 dfs Exp $" +#define RCSID "$Id: chap.c,v 1.39 2003/02/16 22:32:14 paulus Exp $" /* * TODO: @@ -84,6 +100,7 @@ static option_t chap_option_list[] = { "Set max #xmits for challenge", OPT_PRIO }, { "chap-interval", o_int, &chap[0].chal_interval, "Set interval for rechallenge", OPT_PRIO }, +#ifdef MSCHAP #ifdef MSLANMAN { "ms-lanman", o_bool, &ms_lanman, "Use LanMan passwd when using MS-CHAP", 1 }, @@ -93,6 +110,7 @@ static option_t chap_option_list[] = { "specify CHAP challenge" }, { "mschap2-peer-challenge", o_string, &mschap2_peer_challenge, "specify CHAP peer challenge" }, +#endif #endif { NULL } }; @@ -457,10 +475,8 @@ ChapReceiveChallenge(cstate, inp, id, len) rchallenge = inp; INCPTR(rchallenge_len, inp); - if (len >= sizeof(rhostname)) - len = sizeof(rhostname) - 1; - BCOPY(inp, rhostname, len); - rhostname[len] = '\000'; + /* Null terminate and clean remote name. */ + slprintf(rhostname, sizeof(rhostname), "%.*v", len, inp); /* Microsoft doesn't send their name back in the PPP packet */ if (explicit_remote || (remote_name[0] != 0 && rhostname[0] == 0)) { 
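Review bot: The new guard around the MS-CHAP entries in `chap_option_list` is spelled `#ifdef MSCHAP`, while the context of the ChapReceiveResponse hunk further down tests `#ifdef CHAPMS`. If the build defines only `CHAPMS` (the Makefile is not part of this diff), `ms-lanman`, `mschap2-peer-challenge` and the challenge option between them would silently drop out of the option table and be rejected as unknown options. Unless a separate `MSCHAP` macro is intended, the guard should read `#ifdef CHAPMS`. The `#endif` added in the following hunk (`@@ -93,6 +110,7 @@`) would also be easier to follow as `#endif /* CHAPMS */`.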
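Review bot: The `slprintf(rhostname, sizeof(rhostname), "%.*v", len, inp)` call in ChapReceiveChallenge now relies on `len` being a non-negative count of the bytes left in the packet, and on `%.*v` treating the precision as a hard limit on how far it reads `inp`, which is packet data with no terminating NUL. The removed clamp compared `len` with `sizeof(rhostname)` and so also caught a negative `len` through the unsigned comparison. The formatter is defined outside this diff, so its handling of a negative precision and of unterminated input should be confirmed, or the bound made explicit with `if (len < 0) len = 0;` before the call. Going by the added comment ("clean"), the stored name may no longer be byte-identical to what the peer sent, which deserves a comment because `rhostname` feeds the secret lookup. The same replacement is made in ChapReceiveResponse (`@@ -578,10 +594,8 @@`), and both function bodies extend beyond their hunks.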
@@ -578,10 +594,8 @@ ChapReceiveResponse(cstate, inp, id, len) UNTIMEOUT(ChapChallengeTimeout, cstate); - if (len >= sizeof(rhostname)) - len = sizeof(rhostname) - 1; - BCOPY(inp, rhostname, len); - rhostname[len] = '\000'; + /* Null terminate and clean remote name. */ + slprintf(rhostname, sizeof(rhostname), "%.*v", len, inp); #ifdef CHAPMS /* copy the flags into cstate for use elsewhere */ @@ -599,6 +613,19 @@ ChapReceiveResponse(cstate, inp, id, len) code = (*chap_auth_hook) ( (explicit_remote ? remote_name : rhostname), remmd, (int) remmd_len, cstate ); + /* + * Check remote number authorization. A plugin may have filled in + * the remote number or added an allowed number, and rather than + * return an authenticate failure, is leaving it for us to verify. + */ + if (code == CHAP_SUCCESS) { + if (!auth_number()) { + /* We do not want to leak info about the chap result. */ + code = CHAP_FAILURE; /* XXX exit value will be "wrong" */ + warn("calling number %q is not authorized", remote_number); + } + } + } else { if (!get_secret(cstate->unit, (explicit_remote? remote_name: rhostname), cstate->chal_name, secret, &secret_len, 1)) { @@ -700,7 +727,7 @@ ChapReceiveResponse(cstate, inp, id, len) notice("CHAP peer authentication succeeded for %q", rhostname); } else { - error("CHAP peer authentication failed for remote host %q", rhostname); + warn("CHAP peer authentication failed for %q", rhostname); cstate->serverstate = CHAPSS_BADAUTH; auth_peer_fail(cstate->unit, PPP_CHAP); } @@ -768,6 +795,7 @@ ChapReceiveSuccess(cstate, inp, id, len) cstate->clientstate = CHAPCS_OPEN; + notice("CHAP authentication succeeded"); auth_withpeer_success(cstate->unit, PPP_CHAP, cstate->resp_type); }
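Review bot: The `auth_number()` check is added only on the `chap_auth_hook` branch. The `else` branch that calls `get_secret()` is not shown receiving the same check, so confirm that the calling-number restriction is enforced elsewhere for the built-in secret path. The `XXX exit value will be "wrong"` marker should state which exit status is expected, since scripts and monitoring keyed on pppd's exit code will presumably see an ordinary authentication failure. For log correlation, consider naming the peer too: `warn("calling number %q is not authorized (peer %q)", remote_number, rhostname);`. ChapReceiveResponse continues outside the hunk.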
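Review bot: Failed peer authentication is now reported through `warn` instead of `error`, presumably at a lower syslog priority, and the message loses the words "remote host". Log filters or alert rules that select on priority or match the old string would stop seeing CHAP failures, which weakens detection of repeated password guessing on the link. If the downgrade is deliberate, say so in the commit message so monitoring rules can be updated. Otherwise keep the severity and change only the text: `error("CHAP peer authentication failed for %q", rhostname);`.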