2 * upap.c - User/Password Authentication Protocol.
4 * Copyright (c) 1989 Carnegie Mellon University.
7 * Redistribution and use in source and binary forms are permitted
8 * provided that the above copyright notice and this paragraph are
9 * duplicated in all such forms and that any documentation,
10 * advertising materials, and other materials related to such
11 * distribution and use acknowledge that the software was developed
12 * by Carnegie Mellon University. The name of the
13 * University may not be used to endorse or promote products derived
14 * from this software without specific prior written permission.
15 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
16 * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
17 * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
20 #define RCSID "$Id: upap.c,v 1.26 2002/10/11 22:11:13 fcusack Exp $"
32 static const char rcsid[] = RCSID;
34 static bool hide_password = 1;
37 * Command-line options.
39 static option_t pap_option_list[] = {
40 { "hide-password", o_bool, &hide_password,
41 "Don't output passwords to log", OPT_PRIO | 1 },
42 { "show-password", o_bool, &hide_password,
43 "Show password string in debug log messages", OPT_PRIOSUB | 0 },
45 { "pap-restart", o_int, &upap[0].us_timeouttime,
46 "Set retransmit timeout for PAP", OPT_PRIO },
47 { "pap-max-authreq", o_int, &upap[0].us_maxtransmits,
48 "Set max number of transmissions for auth-reqs", OPT_PRIO },
49 { "pap-timeout", o_int, &upap[0].us_reqtimeout,
50 "Set time limit for peer PAP authentication", OPT_PRIO },
56 * Protocol entry points.
58 static void upap_init __P((int));
59 static void upap_lowerup __P((int));
60 static void upap_lowerdown __P((int));
61 static void upap_input __P((int, u_char *, int));
62 static void upap_protrej __P((int));
63 static int upap_printpkt __P((u_char *, int,
64 void (*) __P((void *, char *, ...)), void *));
66 struct protent pap_protent = {
86 upap_state upap[NUM_PPP]; /* UPAP state; one for each unit */
88 static void upap_timeout __P((void *));
89 static void upap_reqtimeout __P((void *));
90 static void upap_rauthreq __P((upap_state *, u_char *, int, int));
91 static void upap_rauthack __P((upap_state *, u_char *, int, int));
92 static void upap_rauthnak __P((upap_state *, u_char *, int, int));
93 static void upap_sauthreq __P((upap_state *));
94 static void upap_sresp __P((upap_state *, int, int, char *, int));
98 * upap_init - Initialize a UPAP unit.
104 upap_state *u = &upap[unit];
111 u->us_clientstate = UPAPCS_INITIAL;
112 u->us_serverstate = UPAPSS_INITIAL;
114 u->us_timeouttime = UPAP_DEFTIMEOUT;
115 u->us_maxtransmits = 10;
116 u->us_reqtimeout = UPAP_DEFREQTIME;
121 * upap_authwithpeer - Authenticate us with our peer (start client).
123 * Set new state and send authenticate's.
126 upap_authwithpeer(unit, user, password)
128 char *user, *password;
130 upap_state *u = &upap[unit];
132 /* Save the username and password we're given */
134 u->us_userlen = strlen(user);
135 u->us_passwd = password;
136 u->us_passwdlen = strlen(password);
139 /* Lower layer up yet? */
140 if (u->us_clientstate == UPAPCS_INITIAL ||
141 u->us_clientstate == UPAPCS_PENDING) {
142 u->us_clientstate = UPAPCS_PENDING;
146 upap_sauthreq(u); /* Start protocol */
151 * upap_authpeer - Authenticate our peer (start server).
159 upap_state *u = &upap[unit];
161 /* Lower layer up yet? */
162 if (u->us_serverstate == UPAPSS_INITIAL ||
163 u->us_serverstate == UPAPSS_PENDING) {
164 u->us_serverstate = UPAPSS_PENDING;
168 u->us_serverstate = UPAPSS_LISTEN;
169 if (u->us_reqtimeout > 0)
170 TIMEOUT(upap_reqtimeout, u, u->us_reqtimeout);
175 * upap_timeout - Retransmission timer for sending auth-reqs expired.
181 upap_state *u = (upap_state *) arg;
183 if (u->us_clientstate != UPAPCS_AUTHREQ)
186 if (u->us_transmits >= u->us_maxtransmits) {
187 /* give up in disgust */
188 error("No response to PAP authenticate-requests");
189 u->us_clientstate = UPAPCS_BADAUTH;
190 auth_withpeer_fail(u->us_unit, PPP_PAP);
194 upap_sauthreq(u); /* Send Authenticate-Request */
199 * upap_reqtimeout - Give up waiting for the peer to send an auth-req.
205 upap_state *u = (upap_state *) arg;
207 if (u->us_serverstate != UPAPSS_LISTEN)
210 auth_peer_fail(u->us_unit, PPP_PAP);
211 u->us_serverstate = UPAPSS_BADAUTH;
216 * upap_lowerup - The lower layer is up.
218 * Start authenticating if pending.
224 upap_state *u = &upap[unit];
226 if (u->us_clientstate == UPAPCS_INITIAL)
227 u->us_clientstate = UPAPCS_CLOSED;
228 else if (u->us_clientstate == UPAPCS_PENDING) {
229 upap_sauthreq(u); /* send an auth-request */
232 if (u->us_serverstate == UPAPSS_INITIAL)
233 u->us_serverstate = UPAPSS_CLOSED;
234 else if (u->us_serverstate == UPAPSS_PENDING) {
235 u->us_serverstate = UPAPSS_LISTEN;
236 if (u->us_reqtimeout > 0)
237 TIMEOUT(upap_reqtimeout, u, u->us_reqtimeout);
243 * upap_lowerdown - The lower layer is down.
245 * Cancel all timeouts.
251 upap_state *u = &upap[unit];
253 if (u->us_clientstate == UPAPCS_AUTHREQ) /* Timeout pending? */
254 UNTIMEOUT(upap_timeout, u); /* Cancel timeout */
255 if (u->us_serverstate == UPAPSS_LISTEN && u->us_reqtimeout > 0)
256 UNTIMEOUT(upap_reqtimeout, u);
258 u->us_clientstate = UPAPCS_INITIAL;
259 u->us_serverstate = UPAPSS_INITIAL;
264 * upap_protrej - Peer doesn't speak this protocol.
266 * This shouldn't happen. In any case, pretend lower layer went down.
272 upap_state *u = &upap[unit];
274 if (u->us_clientstate == UPAPCS_AUTHREQ) {
275 error("PAP authentication failed due to protocol-reject");
276 auth_withpeer_fail(unit, PPP_PAP);
278 if (u->us_serverstate == UPAPSS_LISTEN) {
279 error("PAP authentication of peer failed (protocol-reject)");
280 auth_peer_fail(unit, PPP_PAP);
282 upap_lowerdown(unit);
287 * upap_input - Input UPAP packet.
290 upap_input(unit, inpacket, l)
295 upap_state *u = &upap[unit];
301 * Parse header (code, id and length).
302 * If packet too short, drop it.
305 if (l < UPAP_HEADERLEN) {
306 UPAPDEBUG(("pap_input: rcvd short header."));
312 if (len < UPAP_HEADERLEN) {
313 UPAPDEBUG(("pap_input: rcvd illegal length."));
317 UPAPDEBUG(("pap_input: rcvd short packet."));
320 len -= UPAP_HEADERLEN;
323 * Action depends on code.
327 upap_rauthreq(u, inp, id, len);
331 upap_rauthack(u, inp, id, len);
335 upap_rauthnak(u, inp, id, len);
338 default: /* XXX Need code reject */
345 * upap_rauth - Receive Authenticate.
348 upap_rauthreq(u, inp, id, len)
354 u_char ruserlen, rpasswdlen;
355 char *ruser, *rpasswd;
361 if (u->us_serverstate < UPAPSS_LISTEN)
365 * If we receive a duplicate authenticate-request, we are
366 * supposed to return the same status as for the first request.
368 if (u->us_serverstate == UPAPSS_OPEN) {
369 upap_sresp(u, UPAP_AUTHACK, id, "", 0); /* return auth-ack */
372 if (u->us_serverstate == UPAPSS_BADAUTH) {
373 upap_sresp(u, UPAP_AUTHNAK, id, "", 0); /* return auth-nak */
381 UPAPDEBUG(("pap_rauth: rcvd short packet."));
384 GETCHAR(ruserlen, inp);
385 len -= sizeof (u_char) + ruserlen + sizeof (u_char);
387 UPAPDEBUG(("pap_rauth: rcvd short packet."));
390 ruser = (char *) inp;
391 INCPTR(ruserlen, inp);
392 GETCHAR(rpasswdlen, inp);
393 if (len < rpasswdlen) {
394 UPAPDEBUG(("pap_rauth: rcvd short packet."));
397 rpasswd = (char *) inp;
400 * Check the username and password given.
402 retcode = check_passwd(u->us_unit, ruser, ruserlen, rpasswd,
404 BZERO(rpasswd, rpasswdlen);
405 msglen = strlen(msg);
409 upap_sresp(u, retcode, id, msg, msglen);
411 if (ruserlen >= sizeof(rhostname))
412 ruserlen = sizeof(rhostname) - 1;
413 BCOPY(ruser, rhostname, ruserlen);
414 rhostname[ruserlen] = '\000';
416 if (retcode == UPAP_AUTHACK) {
417 u->us_serverstate = UPAPSS_OPEN;
418 notice("PAP peer authentication succeeded for %q", rhostname);
419 auth_peer_success(u->us_unit, PPP_PAP, 0, ruser, ruserlen);
421 u->us_serverstate = UPAPSS_BADAUTH;
422 error("PAP peer authentication failed for %q", rhostname);
423 auth_peer_fail(u->us_unit, PPP_PAP);
426 if (u->us_reqtimeout > 0)
427 UNTIMEOUT(upap_reqtimeout, u);
432 * upap_rauthack - Receive Authenticate-Ack.
435 upap_rauthack(u, inp, id, len)
444 if (u->us_clientstate != UPAPCS_AUTHREQ) /* XXX */
451 UPAPDEBUG(("pap_rauthack: ignoring missing msg-length."));
453 GETCHAR(msglen, inp);
455 len -= sizeof (u_char);
457 UPAPDEBUG(("pap_rauthack: rcvd short packet."));
461 PRINTMSG(msg, msglen);
465 u->us_clientstate = UPAPCS_OPEN;
467 notice("PAP authentication succeeded");
468 auth_withpeer_success(u->us_unit, PPP_PAP, 0);
473 * upap_rauthnak - Receive Authenticate-Nak.
476 upap_rauthnak(u, inp, id, len)
485 if (u->us_clientstate != UPAPCS_AUTHREQ) /* XXX */
492 UPAPDEBUG(("pap_rauthnak: ignoring missing msg-length."));
494 GETCHAR(msglen, inp);
496 len -= sizeof (u_char);
498 UPAPDEBUG(("pap_rauthnak: rcvd short packet."));
502 PRINTMSG(msg, msglen);
506 u->us_clientstate = UPAPCS_BADAUTH;
508 error("PAP authentication failed");
509 auth_withpeer_fail(u->us_unit, PPP_PAP);
514 * upap_sauthreq - Send an Authenticate-Request.
523 outlen = UPAP_HEADERLEN + 2 * sizeof (u_char) +
524 u->us_userlen + u->us_passwdlen;
525 outp = outpacket_buf;
527 MAKEHEADER(outp, PPP_PAP);
529 PUTCHAR(UPAP_AUTHREQ, outp);
530 PUTCHAR(++u->us_id, outp);
531 PUTSHORT(outlen, outp);
532 PUTCHAR(u->us_userlen, outp);
533 BCOPY(u->us_user, outp, u->us_userlen);
534 INCPTR(u->us_userlen, outp);
535 PUTCHAR(u->us_passwdlen, outp);
536 BCOPY(u->us_passwd, outp, u->us_passwdlen);
538 output(u->us_unit, outpacket_buf, outlen + PPP_HDRLEN);
540 TIMEOUT(upap_timeout, u, u->us_timeouttime);
542 u->us_clientstate = UPAPCS_AUTHREQ;
547 * upap_sresp - Send a response (ack or nak).
550 upap_sresp(u, code, id, msg, msglen)
559 outlen = UPAP_HEADERLEN + sizeof (u_char) + msglen;
560 outp = outpacket_buf;
561 MAKEHEADER(outp, PPP_PAP);
565 PUTSHORT(outlen, outp);
566 PUTCHAR(msglen, outp);
567 BCOPY(msg, outp, msglen);
568 output(u->us_unit, outpacket_buf, outlen + PPP_HDRLEN);
572 * upap_printpkt - print the contents of a PAP packet.
574 static char *upap_codenames[] = {
575 "AuthReq", "AuthAck", "AuthNak"
579 upap_printpkt(p, plen, printer, arg)
582 void (*printer) __P((void *, char *, ...));
586 int mlen, ulen, wlen;
587 char *user, *pwd, *msg;
590 if (plen < UPAP_HEADERLEN)
596 if (len < UPAP_HEADERLEN || len > plen)
599 if (code >= 1 && code <= sizeof(upap_codenames) / sizeof(char *))
600 printer(arg, " %s", upap_codenames[code-1]);
602 printer(arg, " code=0x%x", code);
603 printer(arg, " id=0x%x", id);
604 len -= UPAP_HEADERLEN;
613 if (len < ulen + wlen + 2)
615 user = (char *) (p + 1);
616 pwd = (char *) (p + ulen + 2);
617 p += ulen + wlen + 2;
618 len -= ulen + wlen + 2;
619 printer(arg, " user=");
620 print_string(user, ulen, printer, arg);
621 printer(arg, " password=");
623 print_string(pwd, wlen, printer, arg);
625 printer(arg, "<hidden>");
634 msg = (char *) (p + 1);
638 print_string(msg, mlen, printer, arg);
642 /* print the rest of the bytes in the packet */
643 for (; len > 0; --len) {
645 printer(arg, " %.2x", code);