* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in
- * the documentation and/or other materials provided with the
- * distribution.
- *
- * 3. The name(s) of the authors of this software must not be used to
+ * 2. The name(s) of the authors of this software must not be used to
* endorse or promote products derived from this software without
* prior written permission.
*
- * 4. Redistributions of any form whatsoever must retain the following
+ * 3. Redistributions of any form whatsoever must retain the following
* acknowledgment:
* "This product includes software developed by Paul Mackerras
* <paulus@samba.org>".
* OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
-#define RCSID "$Id: auth.c,v 1.90 2002/12/04 23:03:32 paulus Exp $"
+#define RCSID "$Id: auth.c,v 1.99 2004/11/04 10:02:26 paulus Exp $"
#include <stdio.h>
#include <stddef.h>
#include "ecp.h"
#include "ipcp.h"
#include "upap.h"
-#include "chap.h"
+#include "chap-new.h"
#include "eap.h"
#ifdef CBCP_SUPPORT
#include "cbcp.h"
/* Hook for a plugin to get the PAP password for authenticating us */
int (*pap_passwd_hook) __P((char *user, char *passwd)) = NULL;
+/* Hook for a plugin to say if we can possibly authenticate a peer using CHAP */
+int (*chap_check_hook) __P((void)) = NULL;
+
+/* Hook for a plugin to get the CHAP password for authenticating us */
+int (*chap_passwd_hook) __P((char *user, char *passwd)) = NULL;
+
/* Hook for a plugin to say whether it is OK if the peer
refuses to authenticate. */
int (*null_auth_hook) __P((struct wordlist **paddrs,
/* get username */
if (fgets(u, MAXNAMELEN - 1, ufile) == NULL
- || fgets(p, MAXSECRETLEN - 1, ufile) == NULL){
+ || fgets(p, MAXSECRETLEN - 1, ufile) == NULL) {
+ fclose(ufile);
option_error("unable to read user login data file %s", fname);
return 0;
}
&& protp->lowerup != NULL)
(*protp->lowerup)(unit);
+ if (!auth_required && noauth_addrs != NULL)
+ set_allowed_addrs(unit, NULL, NULL);
+
if (auth_required && !(go->neg_upap || go->neg_chap || go->neg_eap)) {
/*
* We wanted the peer to authenticate itself, and it refused:
eap_authpeer(unit, our_name);
auth |= EAP_PEER;
} else if (go->neg_chap) {
- ChapAuthPeer(unit, our_name, CHAP_DIGEST(go->chap_mdtype));
+ chap_auth_peer(unit, our_name, CHAP_DIGEST(go->chap_mdtype));
auth |= CHAP_PEER;
} else if (go->neg_upap) {
upap_authpeer(unit);
eap_authwithpeer(unit, user);
auth |= EAP_WITHPEER;
} else if (ho->neg_chap) {
- ChapAuthWithPeer(unit, user, CHAP_DIGEST(ho->chap_mdtype));
+ chap_auth_with_peer(unit, user, CHAP_DIGEST(ho->chap_mdtype));
auth |= CHAP_WITHPEER;
} else if (ho->neg_upap) {
if (passwd[0] == 0) {
case PPP_CHAP:
bit = CHAP_PEER;
switch (prot_flavor) {
- case CHAP_DIGEST_MD5:
+ case CHAP_MD5:
bit |= CHAP_MD5_PEER;
break;
#ifdef CHAPMS
case PPP_CHAP:
bit = CHAP_WITHPEER;
switch (prot_flavor) {
- case CHAP_DIGEST_MD5:
+ case CHAP_MD5:
bit |= CHAP_MD5_WITHPEER;
break;
#ifdef CHAPMS
void *arg;
{
info("Connect time expired");
- lcp_close(0, "Connect time expired"); /* Close connection */
status = EXIT_CONNECT_TIME;
+ lcp_close(0, "Connect time expired"); /* Close connection */
}
/*
if (auth_required) {
allow_any_ip = 0;
if (!wo->neg_chap && !wo->neg_upap && !wo->neg_eap) {
- wo->neg_chap = 1; wo->chap_mdtype = MDTYPE_ALL;
+ wo->neg_chap = 1;
+ wo->chap_mdtype = chap_mdtype_all;
wo->neg_upap = 1;
wo->neg_eap = 1;
}
} else {
- wo->neg_chap = 0; wo->chap_mdtype = MDTYPE_NONE;
+ wo->neg_chap = 0;
+ wo->chap_mdtype = MDTYPE_NONE;
wo->neg_upap = 0;
wo->neg_eap = 0;
}
exit(1);
}
+
+ /*
+ * Early check for remote number authorization.
+ */
+ if (!auth_number()) {
+ warn("calling number %q is not authorized", remote_number);
+ exit(EXIT_CNID_AUTH_FAILED);
+ }
}
/*
if (pap_auth_hook) {
ret = (*pap_auth_hook)(user, passwd, msg, &addrs, &opts);
if (ret >= 0) {
+ /* note: set_allowed_addrs() saves opts (but not addrs):
+ don't free it! */
if (ret)
set_allowed_addrs(unit, addrs, opts);
- BZERO(passwd, sizeof(passwd));
+ else if (opts != 0)
+ free_wordlist(opts);
if (addrs != 0)
free_wordlist(addrs);
- if (opts != 0) {
- free_wordlist(opts);
- }
+ BZERO(passwd, sizeof(passwd));
return ret? UPAP_AUTHACK: UPAP_AUTHNAK;
}
}
} else {
np = getnetbyname (ptr_word);
if (np != NULL && np->n_addrtype == AF_INET) {
- a = htonl (*(u_int32_t *)np->n_net);
+ a = htonl ((u_int32_t)np->n_net);
if (ptr_mask == NULL) {
/* calculate appropriate mask for net */
ah = ntohl(a);