X-Git-Url: http://git.ozlabs.org/?p=ppp.git;a=blobdiff_plain;f=pppd%2Fupap.c;h=135db0a22310145d2600ddd98e9aac6c897065f0;hp=e84cb93cb8af4397cc82668454ad1edf15aac7f7;hb=9b5e4bcdc6e25f18d20200af78df94d695e428ac;hpb=72d70cf7fd4a0623fb1fe527c87d4d373df594a9 diff --git a/pppd/upap.c b/pppd/upap.c index e84cb93..135db0a 100644 --- a/pppd/upap.c +++ b/pppd/upap.c @@ -17,9 +17,7 @@ * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. */ -#ifndef lint -static char rcsid[] = "$Id: upap.c,v 1.13 1999/03/02 05:29:39 paulus Exp $"; -#endif +#define RCSID "$Id: upap.c,v 1.28 2002/10/12 02:30:21 fcusack Exp $" /* * TODO: @@ -27,27 +25,30 @@ static char rcsid[] = "$Id: upap.c,v 1.13 1999/03/02 05:29:39 paulus Exp $"; #include #include -#include -#include -#include #include "pppd.h" #include "upap.h" -static bool hide_password; +static const char rcsid[] = RCSID; + +static bool hide_password = 1; /* * Command-line options. */ static option_t pap_option_list[] = { { "hide-password", o_bool, &hide_password, - "Don't output passwords to log" }, + "Don't output passwords to log", OPT_PRIO | 1 }, + { "show-password", o_bool, &hide_password, + "Show password string in debug log messages", OPT_PRIOSUB | 0 }, + { "pap-restart", o_int, &upap[0].us_timeouttime, - "Set retransmit timeout for PAP" }, + "Set retransmit timeout for PAP", OPT_PRIO }, { "pap-max-authreq", o_int, &upap[0].us_maxtransmits, - "Set max number of transmissions for auth-reqs" }, + "Set max number of transmissions for auth-reqs", OPT_PRIO }, { "pap-timeout", o_int, &upap[0].us_reqtimeout, - "Set time limit for peer PAP authentication" }, + "Set time limit for peer PAP authentication", OPT_PRIO }, + { NULL } }; @@ -75,6 +76,7 @@ struct protent pap_protent = { NULL, 1, "PAP", + NULL, pap_option_list, NULL, NULL, @@ -183,7 +185,7 @@ upap_timeout(arg) if (u->us_transmits >= u->us_maxtransmits) { /* give up in disgust */ - syslog(LOG_ERR, "No response to PAP authenticate-requests"); + error("No response to PAP authenticate-requests"); u->us_clientstate = UPAPCS_BADAUTH; auth_withpeer_fail(u->us_unit, PPP_PAP); return; @@ -270,11 +272,11 @@ upap_protrej(unit) upap_state *u = &upap[unit]; if (u->us_clientstate == UPAPCS_AUTHREQ) { - syslog(LOG_ERR, "PAP authentication failed due to protocol-reject"); + error("PAP authentication failed due to protocol-reject"); auth_withpeer_fail(unit, PPP_PAP); } if (u->us_serverstate == UPAPSS_LISTEN) { - syslog(LOG_ERR, "PAP authentication of peer failed (protocol-reject)"); + error("PAP authentication of peer failed (protocol-reject)"); auth_peer_fail(unit, PPP_PAP); } upap_lowerdown(unit); @@ -301,18 +303,18 @@ upap_input(unit, inpacket, l) */ inp = inpacket; if (l < UPAP_HEADERLEN) { - UPAPDEBUG((LOG_INFO, "pap_input: rcvd short header.")); + UPAPDEBUG(("pap_input: rcvd short header.")); return; } GETCHAR(code, inp); GETCHAR(id, inp); GETSHORT(len, inp); if (len < UPAP_HEADERLEN) { - UPAPDEBUG((LOG_INFO, "pap_input: rcvd illegal length.")); + UPAPDEBUG(("pap_input: rcvd illegal length.")); return; } if (len > l) { - UPAPDEBUG((LOG_INFO, "pap_input: rcvd short packet.")); + UPAPDEBUG(("pap_input: rcvd short packet.")); return; } len -= UPAP_HEADERLEN; @@ -351,12 +353,11 @@ upap_rauthreq(u, inp, id, len) { u_char ruserlen, rpasswdlen; char *ruser, *rpasswd; + char rhostname[256]; int retcode; char *msg; int msglen; - UPAPDEBUG((LOG_INFO, "pap_rauth: Rcvd id %d.", id)); - if (u->us_serverstate < UPAPSS_LISTEN) return; @@ -376,21 +377,21 @@ upap_rauthreq(u, inp, id, len) /* * Parse user/passwd. */ - if (len < sizeof (u_char)) { - UPAPDEBUG((LOG_INFO, "pap_rauth: rcvd short packet.")); + if (len < 1) { + UPAPDEBUG(("pap_rauth: rcvd short packet.")); return; } GETCHAR(ruserlen, inp); len -= sizeof (u_char) + ruserlen + sizeof (u_char); if (len < 0) { - UPAPDEBUG((LOG_INFO, "pap_rauth: rcvd short packet.")); + UPAPDEBUG(("pap_rauth: rcvd short packet.")); return; } ruser = (char *) inp; INCPTR(ruserlen, inp); GETCHAR(rpasswdlen, inp); if (len < rpasswdlen) { - UPAPDEBUG((LOG_INFO, "pap_rauth: rcvd short packet.")); + UPAPDEBUG(("pap_rauth: rcvd short packet.")); return; } rpasswd = (char *) inp; @@ -399,16 +400,37 @@ upap_rauthreq(u, inp, id, len) * Check the username and password given. */ retcode = check_passwd(u->us_unit, ruser, ruserlen, rpasswd, - rpasswdlen, &msg, &msglen); + rpasswdlen, &msg); BZERO(rpasswd, rpasswdlen); + /* + * Check remote number authorization. A plugin may have filled in + * the remote number or added an allowed number, and rather than + * return an authenticate failure, is leaving it for us to verify. + */ + if (retcode == UPAP_AUTHACK) { + if (!auth_number()) { + /* We do not want to leak info about the pap result. */ + retcode = UPAP_AUTHNAK; /* XXX exit value will be "wrong" */ + warn("calling number %q is not authorized", remote_number); + } + } + + msglen = strlen(msg); + if (msglen > 255) + msglen = 255; upap_sresp(u, retcode, id, msg, msglen); + /* Null terminate and clean remote name. */ + slprintf(rhostname, sizeof(rhostname), "%.*v", ruserlen, ruser); + if (retcode == UPAP_AUTHACK) { u->us_serverstate = UPAPSS_OPEN; - auth_peer_success(u->us_unit, PPP_PAP, ruser, ruserlen); + notice("PAP peer authentication succeeded for %q", rhostname); + auth_peer_success(u->us_unit, PPP_PAP, 0, ruser, ruserlen); } else { u->us_serverstate = UPAPSS_BADAUTH; + warn("PAP peer authentication failed for %q", rhostname); auth_peer_fail(u->us_unit, PPP_PAP); } @@ -430,34 +452,36 @@ upap_rauthack(u, inp, id, len) u_char msglen; char *msg; - UPAPDEBUG((LOG_INFO, "pap_rauthack: Rcvd id %d.", id)); if (u->us_clientstate != UPAPCS_AUTHREQ) /* XXX */ return; /* * Parse message. */ - if (len < sizeof (u_char)) { - UPAPDEBUG((LOG_INFO, "pap_rauthack: rcvd short packet.")); - return; - } - GETCHAR(msglen, inp); - len -= sizeof (u_char); - if (len < msglen) { - UPAPDEBUG((LOG_INFO, "pap_rauthack: rcvd short packet.")); - return; + if (len < 1) { + UPAPDEBUG(("pap_rauthack: ignoring missing msg-length.")); + } else { + GETCHAR(msglen, inp); + if (msglen > 0) { + len -= sizeof (u_char); + if (len < msglen) { + UPAPDEBUG(("pap_rauthack: rcvd short packet.")); + return; + } + msg = (char *) inp; + PRINTMSG(msg, msglen); + } } - msg = (char *) inp; - PRINTMSG(msg, msglen); u->us_clientstate = UPAPCS_OPEN; - auth_withpeer_success(u->us_unit, PPP_PAP); + notice("PAP authentication succeeded"); + auth_withpeer_success(u->us_unit, PPP_PAP, 0); } /* - * upap_rauthnak - Receive Authenticate-Nakk. + * upap_rauthnak - Receive Authenticate-Nak. */ static void upap_rauthnak(u, inp, id, len) @@ -469,29 +493,30 @@ upap_rauthnak(u, inp, id, len) u_char msglen; char *msg; - UPAPDEBUG((LOG_INFO, "pap_rauthnak: Rcvd id %d.", id)); if (u->us_clientstate != UPAPCS_AUTHREQ) /* XXX */ return; /* * Parse message. */ - if (len < sizeof (u_char)) { - UPAPDEBUG((LOG_INFO, "pap_rauthnak: rcvd short packet.")); - return; - } - GETCHAR(msglen, inp); - len -= sizeof (u_char); - if (len < msglen) { - UPAPDEBUG((LOG_INFO, "pap_rauthnak: rcvd short packet.")); - return; + if (len < 1) { + UPAPDEBUG(("pap_rauthnak: ignoring missing msg-length.")); + } else { + GETCHAR(msglen, inp); + if (msglen > 0) { + len -= sizeof (u_char); + if (len < msglen) { + UPAPDEBUG(("pap_rauthnak: rcvd short packet.")); + return; + } + msg = (char *) inp; + PRINTMSG(msg, msglen); + } } - msg = (char *) inp; - PRINTMSG(msg, msglen); u->us_clientstate = UPAPCS_BADAUTH; - syslog(LOG_ERR, "PAP authentication failed"); + error("PAP authentication failed"); auth_withpeer_fail(u->us_unit, PPP_PAP); } @@ -523,8 +548,6 @@ upap_sauthreq(u) output(u->us_unit, outpacket_buf, outlen + PPP_HDRLEN); - UPAPDEBUG((LOG_INFO, "pap_sauth: Sent id %d.", u->us_id)); - TIMEOUT(upap_timeout, u, u->us_timeouttime); ++u->us_transmits; u->us_clientstate = UPAPCS_AUTHREQ; @@ -554,8 +577,6 @@ upap_sresp(u, code, id, msg, msglen) PUTCHAR(msglen, outp); BCOPY(msg, outp, msglen); output(u->us_unit, outpacket_buf, outlen + PPP_HDRLEN); - - UPAPDEBUG((LOG_INFO, "pap_sresp: Sent code %d, id %d.", code, id)); } /*