X-Git-Url: https://git.ozlabs.org/?a=blobdiff_plain;f=pppd%2Fauth.c;h=75003523b1a7c47d887c414ec48200306f0f657f;hb=4e2c49755175d05f7f4a3c1c70a42d2eef9d7839;hp=ffa0e14afb097e775e18cc0257f0e56d7256d9a9;hpb=6531eb055818ea1b4df386b3e7132392771cd0e5;p=ppp.git

diff --git a/pppd/auth.c b/pppd/auth.c
index ffa0e14..7500352 100644
--- a/pppd/auth.c
+++ b/pppd/auth.c
@@ -70,6 +70,10 @@
 
 #define RCSID	"$Id: auth.c,v 1.117 2008/07/01 12:27:56 paulus Exp $"
 
+#ifdef HAVE_CONFIG_H
+#include "config.h"
+#endif
+
 #include <stdio.h>
 #include <stddef.h>
 #include <stdlib.h>
@@ -93,7 +97,7 @@
 #include <arpa/inet.h>
 
 
-#ifdef HAS_SHADOW
+#ifdef HAVE_SHADOW_H
 #include <shadow.h>
 #ifndef PW_PPP
 #define PW_PPP PW_LOGIN
@@ -101,6 +105,10 @@
 #endif
 #include <time.h>
 
+#ifdef HAVE_CRYPT_H
+#include <crypt.h>
+#endif
+
 #ifdef SYSTEMD
 #include <systemd/sd-daemon.h>
 #endif
@@ -255,16 +263,18 @@ char *cacert_file  = NULL;	/* CA certificate file (pem format) */
 char *ca_path      = NULL;	/* directory with CA certificates */
 char *cert_file    = NULL;	/* client certificate file (pem format) */
 char *privkey_file = NULL;	/* client private key file (pem format) */
+char *pkcs12_file  = NULL;	/* client private key envelope file (pkcs12 format) */
 char *crl_dir      = NULL;	/* directory containing CRL files */
 char *crl_file     = NULL;	/* Certificate Revocation List (CRL) file (pem format) */
 char *max_tls_version = NULL;	/* Maximum TLS protocol version (default=1.2) */
+char *tls_verify_method = NULL;
+bool tls_verify_key_usage = 0;
 bool need_peer_eap = 0;			/* Require peer to authenticate us */
 #endif
+bool tls_verify_cert = 0;	/* Do not verify server's SSL certificate */
 
 static char *uafname;		/* name of most recent +ua file */
 
-extern char *crypt (const char *, const char *);
-
 /* Prototypes for procedures local to this file. */
 
 static void network_phase (int);
@@ -436,6 +446,9 @@ option_t auth_options[] = {
       "Set telephone number(s) which are allowed to connect",
       OPT_PRIV | OPT_A2LIST },
 
+    { "tls-verify-certificate", o_bool, &tls_verify_cert,
+      "Enable server's SSL certificate validation", 1 },
+
 #ifdef USE_EAPTLS
     { "ca", o_string, &cacert_file,   "EAP-TLS CA certificate in PEM format" },
     { "capath", o_string, &ca_path,   "EAP-TLS CA certificate directory" },
@@ -443,8 +456,13 @@ option_t auth_options[] = {
     { "key", o_string, &privkey_file, "EAP-TLS client private key in PEM format" },
     { "crl-dir", o_string, &crl_dir,  "Use CRLs in directory" },
     { "crl", o_string, &crl_file,     "Use specific CRL file" },
+    { "pkcs12", o_string, &pkcs12_file, "EAP-TLS client credentials in PKCS12 format" },
     { "max-tls-version", o_string, &max_tls_version,
       "Maximum TLS version (1.0/1.1/1.2 (default)/1.3)" },
+    { "tls-verify-key-usage", o_bool, &tls_verify_key_usage,
+      "Verify certificate type and extended key usage" },
+    { "tls-verify-method", o_string, &tls_verify_method,
+      "Verify peer by method (none|subject|name|suffix)" },
     { "need-peer-eap", o_bool, &need_peer_eap,
       "Require the peer to authenticate us", 1 },
 #endif /* USE_EAPTLS */
@@ -876,8 +894,8 @@ network_phase(int unit)
     /*
      * If the peer had to authenticate, run the auth-up script now.
      */
+    notify(auth_up_notifier, 0);
     if (go->neg_chap || go->neg_upap || go->neg_eap) {
-	notify(auth_up_notifier, 0);
 	auth_state = s_up;
 	if (auth_script_state == s_down && auth_script_pid == 0) {
 	    auth_script_state = s_up;
@@ -1509,8 +1527,10 @@ check_passwd(int unit,
 	    if (secret[0] != 0 && !login_secret) {
 		/* password given in pap-secrets - must match */
 		if (cryptpap || strcmp(passwd, secret) != 0) {
+#ifdef HAVE_CRYPT_H
 		    char *cbuf = crypt(passwd, secret);
 		    if (!cbuf || strcmp(cbuf, secret) != 0)
+#endif
 			ret = UPAP_AUTHNAK;
 		}
 	    }
@@ -2458,6 +2478,8 @@ have_eaptls_secret_client(char *client, char *server)
 
 	if ((cacert_file || ca_path) && cert_file && privkey_file)
 		return 1;
+	if (pkcs12_file)
+		return 1;
 
     filename = _PATH_EAPTLSCLIFILE;
     f = fopen(filename, "r");
@@ -2641,7 +2663,7 @@ scan_authfile_eaptls(FILE *f, char *client, char *server,
 int
 get_eaptls_secret(int unit, char *client, char *server,
 		  char *clicertfile, char *servcertfile, char *cacertfile,
-		  char *capath, char *pkfile, int am_server)
+		  char *capath, char *pkfile, char *pkcs12, int am_server)
 {
     FILE *fp;
     int ret;
@@ -2655,6 +2677,7 @@ get_eaptls_secret(int unit, char *client, char *server,
 	bzero(cacertfile, MAXWORDLEN);
 	bzero(capath, MAXWORDLEN);
 	bzero(pkfile, MAXWORDLEN);
+	bzero(pkcs12, MAXWORDLEN);
 
 	/* the ca+cert+privkey can also be specified as options */
 	if (!am_server && (cacert_file || ca_path) && cert_file && privkey_file )
@@ -2666,6 +2689,14 @@ get_eaptls_secret(int unit, char *client, char *server,
 			strlcpy( capath, ca_path, MAXWORDLEN );
 		strlcpy( pkfile, privkey_file, MAXWORDLEN );
 	}
+    else if (!am_server && pkcs12_file)
+	{
+		strlcpy( pkcs12, pkcs12_file, MAXWORDLEN );
+		if (cacert_file)
+			strlcpy( cacertfile, cacert_file, MAXWORDLEN );
+		if (ca_path)
+			strlcpy( capath, ca_path, MAXWORDLEN );
+	}
 	else
 	{
 		filename = (am_server ? _PATH_EAPTLSSERVFILE : _PATH_EAPTLSCLIFILE);