X-Git-Url: https://git.ozlabs.org/?a=blobdiff_plain;ds=sidebyside;f=pppd%2Fupap.c;h=135db0a22310145d2600ddd98e9aac6c897065f0;hb=857e121025571b1c1173c2e70053bde804a46a0d;hp=5cf9c683098894f2acca9567472835bfa5986b83;hpb=07de73a331240b97d915c1851431a743449dd0f4;p=ppp.git diff --git a/pppd/upap.c b/pppd/upap.c index 5cf9c68..135db0a 100644 --- a/pppd/upap.c +++ b/pppd/upap.c @@ -17,7 +17,7 @@ * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. */ -#define RCSID "$Id: upap.c,v 1.21 1999/09/11 12:09:00 paulus Exp $" +#define RCSID "$Id: upap.c,v 1.28 2002/10/12 02:30:21 fcusack Exp $" /* * TODO: @@ -31,20 +31,24 @@ static const char rcsid[] = RCSID; -static bool hide_password; +static bool hide_password = 1; /* * Command-line options. */ static option_t pap_option_list[] = { { "hide-password", o_bool, &hide_password, - "Don't output passwords to log", 1 }, + "Don't output passwords to log", OPT_PRIO | 1 }, + { "show-password", o_bool, &hide_password, + "Show password string in debug log messages", OPT_PRIOSUB | 0 }, + { "pap-restart", o_int, &upap[0].us_timeouttime, - "Set retransmit timeout for PAP" }, + "Set retransmit timeout for PAP", OPT_PRIO }, { "pap-max-authreq", o_int, &upap[0].us_maxtransmits, - "Set max number of transmissions for auth-reqs" }, + "Set max number of transmissions for auth-reqs", OPT_PRIO }, { "pap-timeout", o_int, &upap[0].us_reqtimeout, - "Set time limit for peer PAP authentication" }, + "Set time limit for peer PAP authentication", OPT_PRIO }, + { NULL } }; @@ -349,6 +353,7 @@ upap_rauthreq(u, inp, id, len) { u_char ruserlen, rpasswdlen; char *ruser, *rpasswd; + char rhostname[256]; int retcode; char *msg; int msglen; @@ -372,7 +377,7 @@ upap_rauthreq(u, inp, id, len) /* * Parse user/passwd. */ - if (len < sizeof (u_char)) { + if (len < 1) { UPAPDEBUG(("pap_rauth: rcvd short packet.")); return; } @@ -397,17 +402,35 @@ upap_rauthreq(u, inp, id, len) retcode = check_passwd(u->us_unit, ruser, ruserlen, rpasswd, rpasswdlen, &msg); BZERO(rpasswd, rpasswdlen); + + /* + * Check remote number authorization. A plugin may have filled in + * the remote number or added an allowed number, and rather than + * return an authenticate failure, is leaving it for us to verify. + */ + if (retcode == UPAP_AUTHACK) { + if (!auth_number()) { + /* We do not want to leak info about the pap result. */ + retcode = UPAP_AUTHNAK; /* XXX exit value will be "wrong" */ + warn("calling number %q is not authorized", remote_number); + } + } + msglen = strlen(msg); if (msglen > 255) msglen = 255; - upap_sresp(u, retcode, id, msg, msglen); + /* Null terminate and clean remote name. */ + slprintf(rhostname, sizeof(rhostname), "%.*v", ruserlen, ruser); + if (retcode == UPAP_AUTHACK) { u->us_serverstate = UPAPSS_OPEN; - auth_peer_success(u->us_unit, PPP_PAP, ruser, ruserlen); + notice("PAP peer authentication succeeded for %q", rhostname); + auth_peer_success(u->us_unit, PPP_PAP, 0, ruser, ruserlen); } else { u->us_serverstate = UPAPSS_BADAUTH; + warn("PAP peer authentication failed for %q", rhostname); auth_peer_fail(u->us_unit, PPP_PAP); } @@ -435,7 +458,7 @@ upap_rauthack(u, inp, id, len) /* * Parse message. */ - if (len < sizeof (u_char)) { + if (len < 1) { UPAPDEBUG(("pap_rauthack: ignoring missing msg-length.")); } else { GETCHAR(msglen, inp); @@ -452,12 +475,13 @@ upap_rauthack(u, inp, id, len) u->us_clientstate = UPAPCS_OPEN; - auth_withpeer_success(u->us_unit, PPP_PAP); + notice("PAP authentication succeeded"); + auth_withpeer_success(u->us_unit, PPP_PAP, 0); } /* - * upap_rauthnak - Receive Authenticate-Nakk. + * upap_rauthnak - Receive Authenticate-Nak. */ static void upap_rauthnak(u, inp, id, len) @@ -475,7 +499,7 @@ upap_rauthnak(u, inp, id, len) /* * Parse message. */ - if (len < sizeof (u_char)) { + if (len < 1) { UPAPDEBUG(("pap_rauthnak: ignoring missing msg-length.")); } else { GETCHAR(msglen, inp);