X-Git-Url: http://git.ozlabs.org/?p=ppp.git;a=blobdiff_plain;f=pppd%2Fupap.c;h=02fd8f8d9831096a2fb1cca9760c2b4156f56b63;hp=47b3477dfbf06d7e983ccd54343a748ad13d4fb6;hb=6e6bb3246106e680463c106d1ee6b773fc4f9c5a;hpb=0b63a24d54ba4708c88e31bdd74b0145956c1478 diff --git a/pppd/upap.c b/pppd/upap.c index 47b3477..02fd8f8 100644 --- a/pppd/upap.c +++ b/pppd/upap.c @@ -1,55 +1,126 @@ /* * upap.c - User/Password Authentication Protocol. * - * Copyright (c) 1989 Carnegie Mellon University. - * All rights reserved. + * Copyright (c) 1984-2000 Carnegie Mellon University. All rights reserved. * - * Redistribution and use in source and binary forms are permitted - * provided that the above copyright notice and this paragraph are - * duplicated in all such forms and that any documentation, - * advertising materials, and other materials related to such - * distribution and use acknowledge that the software was developed - * by Carnegie Mellon University. The name of the - * University may not be used to endorse or promote products derived - * from this software without specific prior written permission. - * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR - * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED - * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. The name "Carnegie Mellon University" must not be used to + * endorse or promote products derived from this software without + * prior written permission. For permission or any legal + * details, please contact + * Office of Technology Transfer + * Carnegie Mellon University + * 5000 Forbes Avenue + * Pittsburgh, PA 15213-3890 + * (412) 268-4387, fax: (412) 268-7395 + * tech-transfer@andrew.cmu.edu + * + * 4. Redistributions of any form whatsoever must retain the following + * acknowledgment: + * "This product includes software developed by Computing Services + * at Carnegie Mellon University (http://www.cmu.edu/computing/)." + * + * CARNEGIE MELLON UNIVERSITY DISCLAIMS ALL WARRANTIES WITH REGARD TO + * THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY + * AND FITNESS, IN NO EVENT SHALL CARNEGIE MELLON UNIVERSITY BE LIABLE + * FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN + * AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING + * OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ -#ifndef lint -static char rcsid[] = "$Id: upap.c,v 1.1 1993/11/11 03:54:25 paulus Exp $"; -#endif +#define RCSID "$Id: upap.c,v 1.29 2002/12/04 23:03:33 paulus Exp $" /* * TODO: */ #include -#include -#include -#include +#include -#include "ppp.h" #include "pppd.h" #include "upap.h" +static const char rcsid[] = RCSID; -upap_state upap[NPPP]; /* UPAP state; one for each unit */ +static bool hide_password = 1; +/* + * Command-line options. + */ +static option_t pap_option_list[] = { + { "hide-password", o_bool, &hide_password, + "Don't output passwords to log", OPT_PRIO | 1 }, + { "show-password", o_bool, &hide_password, + "Show password string in debug log messages", OPT_PRIOSUB | 0 }, + + { "pap-restart", o_int, &upap[0].us_timeouttime, + "Set retransmit timeout for PAP", OPT_PRIO }, + { "pap-max-authreq", o_int, &upap[0].us_maxtransmits, + "Set max number of transmissions for auth-reqs", OPT_PRIO }, + { "pap-timeout", o_int, &upap[0].us_reqtimeout, + "Set time limit for peer PAP authentication", OPT_PRIO }, + + { NULL } +}; -static void upap_timeout __ARGS((caddr_t)); -static void upap_rauthreq __ARGS((upap_state *, u_char *, int, int)); -static void upap_rauthack __ARGS((upap_state *, u_char *, int, int)); -static void upap_rauthnak __ARGS((upap_state *, u_char *, int, int)); -static void upap_sauthreq __ARGS((upap_state *)); -static void upap_sresp __ARGS((upap_state *, int, int, char *, int)); +/* + * Protocol entry points. + */ +static void upap_init __P((int)); +static void upap_lowerup __P((int)); +static void upap_lowerdown __P((int)); +static void upap_input __P((int, u_char *, int)); +static void upap_protrej __P((int)); +static int upap_printpkt __P((u_char *, int, + void (*) __P((void *, char *, ...)), void *)); + +struct protent pap_protent = { + PPP_PAP, + upap_init, + upap_input, + upap_protrej, + upap_lowerup, + upap_lowerdown, + NULL, + NULL, + upap_printpkt, + NULL, + 1, + "PAP", + NULL, + pap_option_list, + NULL, + NULL, + NULL +}; + +upap_state upap[NUM_PPP]; /* UPAP state; one for each unit */ + +static void upap_timeout __P((void *)); +static void upap_reqtimeout __P((void *)); +static void upap_rauthreq __P((upap_state *, u_char *, int, int)); +static void upap_rauthack __P((upap_state *, u_char *, int, int)); +static void upap_rauthnak __P((upap_state *, u_char *, int, int)); +static void upap_sauthreq __P((upap_state *)); +static void upap_sresp __P((upap_state *, int, int, char *, int)); /* * upap_init - Initialize a UPAP unit. */ -void +static void upap_init(unit) int unit; { @@ -65,6 +136,7 @@ upap_init(unit) u->us_id = 0; u->us_timeouttime = UPAP_DEFTIMEOUT; u->us_maxtransmits = 10; + u->us_reqtimeout = UPAP_DEFREQTIME; } @@ -117,15 +189,17 @@ upap_authpeer(unit) } u->us_serverstate = UPAPSS_LISTEN; + if (u->us_reqtimeout > 0) + TIMEOUT(upap_reqtimeout, u, u->us_reqtimeout); } /* - * upap_timeout - Timeout expired. + * upap_timeout - Retransmission timer for sending auth-reqs expired. */ static void upap_timeout(arg) - caddr_t arg; + void *arg; { upap_state *u = (upap_state *) arg; @@ -134,9 +208,9 @@ upap_timeout(arg) if (u->us_transmits >= u->us_maxtransmits) { /* give up in disgust */ - syslog(LOG_ERR, "No response to PAP authenticate-requests"); + error("No response to PAP authenticate-requests"); u->us_clientstate = UPAPCS_BADAUTH; - auth_withpeer_fail(u->us_unit, UPAP); + auth_withpeer_fail(u->us_unit, PPP_PAP); return; } @@ -144,12 +218,29 @@ upap_timeout(arg) } +/* + * upap_reqtimeout - Give up waiting for the peer to send an auth-req. + */ +static void +upap_reqtimeout(arg) + void *arg; +{ + upap_state *u = (upap_state *) arg; + + if (u->us_serverstate != UPAPSS_LISTEN) + return; /* huh?? */ + + auth_peer_fail(u->us_unit, PPP_PAP); + u->us_serverstate = UPAPSS_BADAUTH; +} + + /* * upap_lowerup - The lower layer is up. * * Start authenticating if pending. */ -void +static void upap_lowerup(unit) int unit; { @@ -163,8 +254,11 @@ upap_lowerup(unit) if (u->us_serverstate == UPAPSS_INITIAL) u->us_serverstate = UPAPSS_CLOSED; - else if (u->us_serverstate == UPAPSS_PENDING) + else if (u->us_serverstate == UPAPSS_PENDING) { u->us_serverstate = UPAPSS_LISTEN; + if (u->us_reqtimeout > 0) + TIMEOUT(upap_reqtimeout, u, u->us_reqtimeout); + } } @@ -173,14 +267,16 @@ upap_lowerup(unit) * * Cancel all timeouts. */ -void +static void upap_lowerdown(unit) int unit; { upap_state *u = &upap[unit]; - if (u->us_clientstate == UPAPCS_AUTHREQ) /* Timeout pending? */ - UNTIMEOUT(upap_timeout, (caddr_t) u); /* Cancel timeout */ + if (u->us_clientstate == UPAPCS_AUTHREQ) /* Timeout pending? */ + UNTIMEOUT(upap_timeout, u); /* Cancel timeout */ + if (u->us_serverstate == UPAPSS_LISTEN && u->us_reqtimeout > 0) + UNTIMEOUT(upap_reqtimeout, u); u->us_clientstate = UPAPCS_INITIAL; u->us_serverstate = UPAPSS_INITIAL; @@ -192,19 +288,19 @@ upap_lowerdown(unit) * * This shouldn't happen. In any case, pretend lower layer went down. */ -void +static void upap_protrej(unit) int unit; { upap_state *u = &upap[unit]; if (u->us_clientstate == UPAPCS_AUTHREQ) { - syslog(LOG_ERR, "PAP authentication failed due to protocol-reject"); - auth_withpeer_fail(unit, UPAP); + error("PAP authentication failed due to protocol-reject"); + auth_withpeer_fail(unit, PPP_PAP); } if (u->us_serverstate == UPAPSS_LISTEN) { - syslog(LOG_ERR, "PAP authentication of peer failed (protocol-reject)"); - auth_peer_fail(unit, UPAP); + error("PAP authentication of peer failed (protocol-reject)"); + auth_peer_fail(unit, PPP_PAP); } upap_lowerdown(unit); } @@ -213,7 +309,7 @@ upap_protrej(unit) /* * upap_input - Input UPAP packet. */ -void +static void upap_input(unit, inpacket, l) int unit; u_char *inpacket; @@ -230,18 +326,18 @@ upap_input(unit, inpacket, l) */ inp = inpacket; if (l < UPAP_HEADERLEN) { - UPAPDEBUG((LOG_INFO, "upap_input: rcvd short header.")); + UPAPDEBUG(("pap_input: rcvd short header.")); return; } GETCHAR(code, inp); GETCHAR(id, inp); GETSHORT(len, inp); if (len < UPAP_HEADERLEN) { - UPAPDEBUG((LOG_INFO, "upap_input: rcvd illegal length.")); + UPAPDEBUG(("pap_input: rcvd illegal length.")); return; } if (len > l) { - UPAPDEBUG((LOG_INFO, "upap_input: rcvd short packet.")); + UPAPDEBUG(("pap_input: rcvd short packet.")); return; } len -= UPAP_HEADERLEN; @@ -280,12 +376,11 @@ upap_rauthreq(u, inp, id, len) { u_char ruserlen, rpasswdlen; char *ruser, *rpasswd; + char rhostname[256]; int retcode; char *msg; int msglen; - UPAPDEBUG((LOG_INFO, "upap_rauth: Rcvd id %d.", id)); - if (u->us_serverstate < UPAPSS_LISTEN) return; @@ -305,21 +400,21 @@ upap_rauthreq(u, inp, id, len) /* * Parse user/passwd. */ - if (len < sizeof (u_char)) { - UPAPDEBUG((LOG_INFO, "upap_rauth: rcvd short packet.")); + if (len < 1) { + UPAPDEBUG(("pap_rauth: rcvd short packet.")); return; } GETCHAR(ruserlen, inp); - len -= sizeof (u_char) + ruserlen + sizeof (u_char);; + len -= sizeof (u_char) + ruserlen + sizeof (u_char); if (len < 0) { - UPAPDEBUG((LOG_INFO, "upap_rauth: rcvd short packet.")); + UPAPDEBUG(("pap_rauth: rcvd short packet.")); return; } ruser = (char *) inp; INCPTR(ruserlen, inp); GETCHAR(rpasswdlen, inp); if (len < rpasswdlen) { - UPAPDEBUG((LOG_INFO, "upap_rauth: rcvd short packet.")); + UPAPDEBUG(("pap_rauth: rcvd short packet.")); return; } rpasswd = (char *) inp; @@ -328,17 +423,42 @@ upap_rauthreq(u, inp, id, len) * Check the username and password given. */ retcode = check_passwd(u->us_unit, ruser, ruserlen, rpasswd, - rpasswdlen, &msg, &msglen); + rpasswdlen, &msg); + BZERO(rpasswd, rpasswdlen); + /* + * Check remote number authorization. A plugin may have filled in + * the remote number or added an allowed number, and rather than + * return an authenticate failure, is leaving it for us to verify. + */ + if (retcode == UPAP_AUTHACK) { + if (!auth_number()) { + /* We do not want to leak info about the pap result. */ + retcode = UPAP_AUTHNAK; /* XXX exit value will be "wrong" */ + warn("calling number %q is not authorized", remote_number); + } + } + + msglen = strlen(msg); + if (msglen > 255) + msglen = 255; upap_sresp(u, retcode, id, msg, msglen); + /* Null terminate and clean remote name. */ + slprintf(rhostname, sizeof(rhostname), "%.*v", ruserlen, ruser); + if (retcode == UPAP_AUTHACK) { u->us_serverstate = UPAPSS_OPEN; - auth_peer_success(u->us_unit, UPAP); + notice("PAP peer authentication succeeded for %q", rhostname); + auth_peer_success(u->us_unit, PPP_PAP, 0, ruser, ruserlen); } else { u->us_serverstate = UPAPSS_BADAUTH; - auth_peer_fail(u->us_unit, UPAP); + warn("PAP peer authentication failed for %q", rhostname); + auth_peer_fail(u->us_unit, PPP_PAP); } + + if (u->us_reqtimeout > 0) + UNTIMEOUT(upap_reqtimeout, u); } @@ -355,34 +475,36 @@ upap_rauthack(u, inp, id, len) u_char msglen; char *msg; - UPAPDEBUG((LOG_INFO, "upap_rauthack: Rcvd id %d.", id)); if (u->us_clientstate != UPAPCS_AUTHREQ) /* XXX */ return; /* * Parse message. */ - if (len < sizeof (u_char)) { - UPAPDEBUG((LOG_INFO, "upap_rauthack: rcvd short packet.")); - return; - } - GETCHAR(msglen, inp); - len -= sizeof (u_char); - if (len < msglen) { - UPAPDEBUG((LOG_INFO, "upap_rauthack: rcvd short packet.")); - return; + if (len < 1) { + UPAPDEBUG(("pap_rauthack: ignoring missing msg-length.")); + } else { + GETCHAR(msglen, inp); + if (msglen > 0) { + len -= sizeof (u_char); + if (len < msglen) { + UPAPDEBUG(("pap_rauthack: rcvd short packet.")); + return; + } + msg = (char *) inp; + PRINTMSG(msg, msglen); + } } - msg = (char *) inp; - PRINTMSG(msg, msglen); u->us_clientstate = UPAPCS_OPEN; - auth_withpeer_success(u->us_unit, UPAP); + notice("PAP authentication succeeded"); + auth_withpeer_success(u->us_unit, PPP_PAP, 0); } /* - * upap_rauthnak - Receive Authenticate-Nakk. + * upap_rauthnak - Receive Authenticate-Nak. */ static void upap_rauthnak(u, inp, id, len) @@ -394,30 +516,31 @@ upap_rauthnak(u, inp, id, len) u_char msglen; char *msg; - UPAPDEBUG((LOG_INFO, "upap_rauthnak: Rcvd id %d.", id)); if (u->us_clientstate != UPAPCS_AUTHREQ) /* XXX */ return; /* * Parse message. */ - if (len < sizeof (u_char)) { - UPAPDEBUG((LOG_INFO, "upap_rauthnak: rcvd short packet.")); - return; - } - GETCHAR(msglen, inp); - len -= sizeof (u_char); - if (len < msglen) { - UPAPDEBUG((LOG_INFO, "upap_rauthnak: rcvd short packet.")); - return; + if (len < 1) { + UPAPDEBUG(("pap_rauthnak: ignoring missing msg-length.")); + } else { + GETCHAR(msglen, inp); + if (msglen > 0) { + len -= sizeof (u_char); + if (len < msglen) { + UPAPDEBUG(("pap_rauthnak: rcvd short packet.")); + return; + } + msg = (char *) inp; + PRINTMSG(msg, msglen); + } } - msg = (char *) inp; - PRINTMSG(msg, msglen); u->us_clientstate = UPAPCS_BADAUTH; - syslog(LOG_ERR, "PAP authentication failed"); - auth_withpeer_fail(u->us_unit, UPAP); + error("PAP authentication failed"); + auth_withpeer_fail(u->us_unit, PPP_PAP); } @@ -435,7 +558,7 @@ upap_sauthreq(u) u->us_userlen + u->us_passwdlen; outp = outpacket_buf; - MAKEHEADER(outp, UPAP); + MAKEHEADER(outp, PPP_PAP); PUTCHAR(UPAP_AUTHREQ, outp); PUTCHAR(++u->us_id, outp); @@ -446,11 +569,9 @@ upap_sauthreq(u) PUTCHAR(u->us_passwdlen, outp); BCOPY(u->us_passwd, outp, u->us_passwdlen); - output(u->us_unit, outpacket_buf, outlen + DLLHEADERLEN); - - UPAPDEBUG((LOG_INFO, "upap_sauth: Sent id %d.", u->us_id)); + output(u->us_unit, outpacket_buf, outlen + PPP_HDRLEN); - TIMEOUT(upap_timeout, (caddr_t) u, u->us_timeouttime); + TIMEOUT(upap_timeout, u, u->us_timeouttime); ++u->us_transmits; u->us_clientstate = UPAPCS_AUTHREQ; } @@ -471,14 +592,92 @@ upap_sresp(u, code, id, msg, msglen) outlen = UPAP_HEADERLEN + sizeof (u_char) + msglen; outp = outpacket_buf; - MAKEHEADER(outp, UPAP); + MAKEHEADER(outp, PPP_PAP); PUTCHAR(code, outp); PUTCHAR(id, outp); PUTSHORT(outlen, outp); PUTCHAR(msglen, outp); BCOPY(msg, outp, msglen); - output(u->us_unit, outpacket_buf, outlen + DLLHEADERLEN); + output(u->us_unit, outpacket_buf, outlen + PPP_HDRLEN); +} + +/* + * upap_printpkt - print the contents of a PAP packet. + */ +static char *upap_codenames[] = { + "AuthReq", "AuthAck", "AuthNak" +}; + +static int +upap_printpkt(p, plen, printer, arg) + u_char *p; + int plen; + void (*printer) __P((void *, char *, ...)); + void *arg; +{ + int code, id, len; + int mlen, ulen, wlen; + char *user, *pwd, *msg; + u_char *pstart; + + if (plen < UPAP_HEADERLEN) + return 0; + pstart = p; + GETCHAR(code, p); + GETCHAR(id, p); + GETSHORT(len, p); + if (len < UPAP_HEADERLEN || len > plen) + return 0; + + if (code >= 1 && code <= sizeof(upap_codenames) / sizeof(char *)) + printer(arg, " %s", upap_codenames[code-1]); + else + printer(arg, " code=0x%x", code); + printer(arg, " id=0x%x", id); + len -= UPAP_HEADERLEN; + switch (code) { + case UPAP_AUTHREQ: + if (len < 1) + break; + ulen = p[0]; + if (len < ulen + 2) + break; + wlen = p[ulen + 1]; + if (len < ulen + wlen + 2) + break; + user = (char *) (p + 1); + pwd = (char *) (p + ulen + 2); + p += ulen + wlen + 2; + len -= ulen + wlen + 2; + printer(arg, " user="); + print_string(user, ulen, printer, arg); + printer(arg, " password="); + if (!hide_password) + print_string(pwd, wlen, printer, arg); + else + printer(arg, ""); + break; + case UPAP_AUTHACK: + case UPAP_AUTHNAK: + if (len < 1) + break; + mlen = p[0]; + if (len < mlen + 1) + break; + msg = (char *) (p + 1); + p += mlen + 1; + len -= mlen + 1; + printer(arg, " "); + print_string(msg, mlen, printer, arg); + break; + } + + /* print the rest of the bytes in the packet */ + for (; len > 0; --len) { + GETCHAR(code, p); + printer(arg, " %.2x", code); + } - UPAPDEBUG((LOG_INFO, "upap_sresp: Sent code %d, id %d.", code, id)); + return p - pstart; }