X-Git-Url: https://git.ozlabs.org/?p=ppp.git;a=blobdiff_plain;f=pppd%2Fupap.c;h=0ae02888281d9eb069763442a862def2025e6b93;hp=61d22acbf286372abc7ef0d5bd8fc4fe57a33f10;hb=f1a34da3b2f5336e4993a729e5ac2130d0e0595a;hpb=f1085e1db51d5fc24764f1e1a9f0101e86bf7ca0 diff --git a/pppd/upap.c b/pppd/upap.c index 61d22ac..0ae0288 100644 --- a/pppd/upap.c +++ b/pppd/upap.c @@ -1,57 +1,124 @@ /* * upap.c - User/Password Authentication Protocol. * - * Copyright (c) 1989 Carnegie Mellon University. - * All rights reserved. + * Copyright (c) 1984-2000 Carnegie Mellon University. All rights reserved. * - * Redistribution and use in source and binary forms are permitted - * provided that the above copyright notice and this paragraph are - * duplicated in all such forms and that any documentation, - * advertising materials, and other materials related to such - * distribution and use acknowledge that the software was developed - * by Carnegie Mellon University. The name of the - * University may not be used to endorse or promote products derived - * from this software without specific prior written permission. - * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR - * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED - * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. The name "Carnegie Mellon University" must not be used to + * endorse or promote products derived from this software without + * prior written permission. For permission or any legal + * details, please contact + * Office of Technology Transfer + * Carnegie Mellon University + * 5000 Forbes Avenue + * Pittsburgh, PA 15213-3890 + * (412) 268-4387, fax: (412) 268-7395 + * tech-transfer@andrew.cmu.edu + * + * 4. Redistributions of any form whatsoever must retain the following + * acknowledgment: + * "This product includes software developed by Computing Services + * at Carnegie Mellon University (http://www.cmu.edu/computing/)." + * + * CARNEGIE MELLON UNIVERSITY DISCLAIMS ALL WARRANTIES WITH REGARD TO + * THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY + * AND FITNESS, IN NO EVENT SHALL CARNEGIE MELLON UNIVERSITY BE LIABLE + * FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN + * AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING + * OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ -#ifndef lint -static char rcsid[] = "$Id: upap.c,v 1.2 1994/04/11 07:13:44 paulus Exp $"; -#endif - /* * TODO: */ #include -#include -#include -#include +#include -#include "ppp.h" #include "pppd.h" #include "upap.h" -upap_state upap[NPPP]; /* UPAP state; one for each unit */ +static bool hide_password = 1; + +/* + * Command-line options. + */ +static option_t pap_option_list[] = { + { "hide-password", o_bool, &hide_password, + "Don't output passwords to log", OPT_PRIO | 1 }, + { "show-password", o_bool, &hide_password, + "Show password string in debug log messages", OPT_PRIOSUB | 0 }, + + { "pap-restart", o_int, &upap[0].us_timeouttime, + "Set retransmit timeout for PAP", OPT_PRIO }, + { "pap-max-authreq", o_int, &upap[0].us_maxtransmits, + "Set max number of transmissions for auth-reqs", OPT_PRIO }, + { "pap-timeout", o_int, &upap[0].us_reqtimeout, + "Set time limit for peer PAP authentication", OPT_PRIO }, + + { NULL } +}; + +/* + * Protocol entry points. + */ +static void upap_init(int); +static void upap_lowerup(int); +static void upap_lowerdown(int); +static void upap_input(int, u_char *, int); +static void upap_protrej(int); +static int upap_printpkt(u_char *, int, + void (*)(void *, char *, ...), void *); + +struct protent pap_protent = { + PPP_PAP, + upap_init, + upap_input, + upap_protrej, + upap_lowerup, + upap_lowerdown, + NULL, + NULL, + upap_printpkt, + NULL, + 1, + "PAP", + NULL, + pap_option_list, + NULL, + NULL, + NULL +}; +upap_state upap[NUM_PPP]; /* UPAP state; one for each unit */ -static void upap_timeout __ARGS((caddr_t)); -static void upap_rauthreq __ARGS((upap_state *, u_char *, int, int)); -static void upap_rauthack __ARGS((upap_state *, u_char *, int, int)); -static void upap_rauthnak __ARGS((upap_state *, u_char *, int, int)); -static void upap_sauthreq __ARGS((upap_state *)); -static void upap_sresp __ARGS((upap_state *, int, int, char *, int)); +static void upap_timeout(void *); +static void upap_reqtimeout(void *); +static void upap_rauthreq(upap_state *, u_char *, int, int); +static void upap_rauthack(upap_state *, u_char *, int, int); +static void upap_rauthnak(upap_state *, u_char *, int, int); +static void upap_sauthreq(upap_state *); +static void upap_sresp(upap_state *, int, int, char *, int); /* * upap_init - Initialize a UPAP unit. */ -void -upap_init(unit) - int unit; +static void +upap_init(int unit) { upap_state *u = &upap[unit]; @@ -65,6 +132,7 @@ upap_init(unit) u->us_id = 0; u->us_timeouttime = UPAP_DEFTIMEOUT; u->us_maxtransmits = 10; + u->us_reqtimeout = UPAP_DEFREQTIME; } @@ -74,9 +142,7 @@ upap_init(unit) * Set new state and send authenticate's. */ void -upap_authwithpeer(unit, user, password) - int unit; - char *user, *password; +upap_authwithpeer(int unit, char *user, char *password) { upap_state *u = &upap[unit]; @@ -104,8 +170,7 @@ upap_authwithpeer(unit, user, password) * Set new state. */ void -upap_authpeer(unit) - int unit; +upap_authpeer(int unit) { upap_state *u = &upap[unit]; @@ -117,15 +182,16 @@ upap_authpeer(unit) } u->us_serverstate = UPAPSS_LISTEN; + if (u->us_reqtimeout > 0) + TIMEOUT(upap_reqtimeout, u, u->us_reqtimeout); } /* - * upap_timeout - Timeout expired. + * upap_timeout - Retransmission timer for sending auth-reqs expired. */ static void -upap_timeout(arg) - caddr_t arg; +upap_timeout(void *arg) { upap_state *u = (upap_state *) arg; @@ -134,9 +200,9 @@ upap_timeout(arg) if (u->us_transmits >= u->us_maxtransmits) { /* give up in disgust */ - syslog(LOG_ERR, "No response to PAP authenticate-requests"); + error("No response to PAP authenticate-requests"); u->us_clientstate = UPAPCS_BADAUTH; - auth_withpeer_fail(u->us_unit, UPAP); + auth_withpeer_fail(u->us_unit, PPP_PAP); return; } @@ -144,14 +210,29 @@ upap_timeout(arg) } +/* + * upap_reqtimeout - Give up waiting for the peer to send an auth-req. + */ +static void +upap_reqtimeout(void *arg) +{ + upap_state *u = (upap_state *) arg; + + if (u->us_serverstate != UPAPSS_LISTEN) + return; /* huh?? */ + + auth_peer_fail(u->us_unit, PPP_PAP); + u->us_serverstate = UPAPSS_BADAUTH; +} + + /* * upap_lowerup - The lower layer is up. * * Start authenticating if pending. */ -void -upap_lowerup(unit) - int unit; +static void +upap_lowerup(int unit) { upap_state *u = &upap[unit]; @@ -163,8 +244,11 @@ upap_lowerup(unit) if (u->us_serverstate == UPAPSS_INITIAL) u->us_serverstate = UPAPSS_CLOSED; - else if (u->us_serverstate == UPAPSS_PENDING) + else if (u->us_serverstate == UPAPSS_PENDING) { u->us_serverstate = UPAPSS_LISTEN; + if (u->us_reqtimeout > 0) + TIMEOUT(upap_reqtimeout, u, u->us_reqtimeout); + } } @@ -173,14 +257,15 @@ upap_lowerup(unit) * * Cancel all timeouts. */ -void -upap_lowerdown(unit) - int unit; +static void +upap_lowerdown(int unit) { upap_state *u = &upap[unit]; - if (u->us_clientstate == UPAPCS_AUTHREQ) /* Timeout pending? */ - UNTIMEOUT(upap_timeout, (caddr_t) u); /* Cancel timeout */ + if (u->us_clientstate == UPAPCS_AUTHREQ) /* Timeout pending? */ + UNTIMEOUT(upap_timeout, u); /* Cancel timeout */ + if (u->us_serverstate == UPAPSS_LISTEN && u->us_reqtimeout > 0) + UNTIMEOUT(upap_reqtimeout, u); u->us_clientstate = UPAPCS_INITIAL; u->us_serverstate = UPAPSS_INITIAL; @@ -192,19 +277,18 @@ upap_lowerdown(unit) * * This shouldn't happen. In any case, pretend lower layer went down. */ -void -upap_protrej(unit) - int unit; +static void +upap_protrej(int unit) { upap_state *u = &upap[unit]; if (u->us_clientstate == UPAPCS_AUTHREQ) { - syslog(LOG_ERR, "PAP authentication failed due to protocol-reject"); - auth_withpeer_fail(unit, UPAP); + error("PAP authentication failed due to protocol-reject"); + auth_withpeer_fail(unit, PPP_PAP); } if (u->us_serverstate == UPAPSS_LISTEN) { - syslog(LOG_ERR, "PAP authentication of peer failed (protocol-reject)"); - auth_peer_fail(unit, UPAP); + error("PAP authentication of peer failed (protocol-reject)"); + auth_peer_fail(unit, PPP_PAP); } upap_lowerdown(unit); } @@ -213,11 +297,8 @@ upap_protrej(unit) /* * upap_input - Input UPAP packet. */ -void -upap_input(unit, inpacket, l) - int unit; - u_char *inpacket; - int l; +static void +upap_input(int unit, u_char *inpacket, int l) { upap_state *u = &upap[unit]; u_char *inp; @@ -230,18 +311,18 @@ upap_input(unit, inpacket, l) */ inp = inpacket; if (l < UPAP_HEADERLEN) { - UPAPDEBUG((LOG_INFO, "upap_input: rcvd short header.")); + UPAPDEBUG(("pap_input: rcvd short header.")); return; } GETCHAR(code, inp); GETCHAR(id, inp); GETSHORT(len, inp); if (len < UPAP_HEADERLEN) { - UPAPDEBUG((LOG_INFO, "upap_input: rcvd illegal length.")); + UPAPDEBUG(("pap_input: rcvd illegal length.")); return; } if (len > l) { - UPAPDEBUG((LOG_INFO, "upap_input: rcvd short packet.")); + UPAPDEBUG(("pap_input: rcvd short packet.")); return; } len -= UPAP_HEADERLEN; @@ -272,20 +353,15 @@ upap_input(unit, inpacket, l) * upap_rauth - Receive Authenticate. */ static void -upap_rauthreq(u, inp, id, len) - upap_state *u; - u_char *inp; - int id; - int len; +upap_rauthreq(upap_state *u, u_char *inp, int id, int len) { u_char ruserlen, rpasswdlen; char *ruser, *rpasswd; + char rhostname[256]; int retcode; char *msg; int msglen; - UPAPDEBUG((LOG_INFO, "upap_rauth: Rcvd id %d.", id)); - if (u->us_serverstate < UPAPSS_LISTEN) return; @@ -305,21 +381,21 @@ upap_rauthreq(u, inp, id, len) /* * Parse user/passwd. */ - if (len < sizeof (u_char)) { - UPAPDEBUG((LOG_INFO, "upap_rauth: rcvd short packet.")); + if (len < 1) { + UPAPDEBUG(("pap_rauth: rcvd short packet.")); return; } GETCHAR(ruserlen, inp); len -= sizeof (u_char) + ruserlen + sizeof (u_char); if (len < 0) { - UPAPDEBUG((LOG_INFO, "upap_rauth: rcvd short packet.")); + UPAPDEBUG(("pap_rauth: rcvd short packet.")); return; } ruser = (char *) inp; INCPTR(ruserlen, inp); GETCHAR(rpasswdlen, inp); if (len < rpasswdlen) { - UPAPDEBUG((LOG_INFO, "upap_rauth: rcvd short packet.")); + UPAPDEBUG(("pap_rauth: rcvd short packet.")); return; } rpasswd = (char *) inp; @@ -328,17 +404,42 @@ upap_rauthreq(u, inp, id, len) * Check the username and password given. */ retcode = check_passwd(u->us_unit, ruser, ruserlen, rpasswd, - rpasswdlen, &msg, &msglen); + rpasswdlen, &msg); + BZERO(rpasswd, rpasswdlen); + + /* + * Check remote number authorization. A plugin may have filled in + * the remote number or added an allowed number, and rather than + * return an authenticate failure, is leaving it for us to verify. + */ + if (retcode == UPAP_AUTHACK) { + if (!auth_number()) { + /* We do not want to leak info about the pap result. */ + retcode = UPAP_AUTHNAK; /* XXX exit value will be "wrong" */ + warn("calling number %q is not authorized", remote_number); + } + } + msglen = strlen(msg); + if (msglen > 255) + msglen = 255; upap_sresp(u, retcode, id, msg, msglen); + /* Null terminate and clean remote name. */ + slprintf(rhostname, sizeof(rhostname), "%.*v", ruserlen, ruser); + if (retcode == UPAP_AUTHACK) { u->us_serverstate = UPAPSS_OPEN; - auth_peer_success(u->us_unit, UPAP); + notice("PAP peer authentication succeeded for %q", rhostname); + auth_peer_success(u->us_unit, PPP_PAP, 0, ruser, ruserlen); } else { u->us_serverstate = UPAPSS_BADAUTH; - auth_peer_fail(u->us_unit, UPAP); + warn("PAP peer authentication failed for %q", rhostname); + auth_peer_fail(u->us_unit, PPP_PAP); } + + if (u->us_reqtimeout > 0) + UNTIMEOUT(upap_reqtimeout, u); } @@ -346,78 +447,72 @@ upap_rauthreq(u, inp, id, len) * upap_rauthack - Receive Authenticate-Ack. */ static void -upap_rauthack(u, inp, id, len) - upap_state *u; - u_char *inp; - int id; - int len; +upap_rauthack(upap_state *u, u_char *inp, int id, int len) { u_char msglen; char *msg; - UPAPDEBUG((LOG_INFO, "upap_rauthack: Rcvd id %d.", id)); if (u->us_clientstate != UPAPCS_AUTHREQ) /* XXX */ return; /* * Parse message. */ - if (len < sizeof (u_char)) { - UPAPDEBUG((LOG_INFO, "upap_rauthack: rcvd short packet.")); - return; - } - GETCHAR(msglen, inp); - len -= sizeof (u_char); - if (len < msglen) { - UPAPDEBUG((LOG_INFO, "upap_rauthack: rcvd short packet.")); - return; + if (len < 1) { + UPAPDEBUG(("pap_rauthack: ignoring missing msg-length.")); + } else { + GETCHAR(msglen, inp); + if (msglen > 0) { + len -= sizeof (u_char); + if (len < msglen) { + UPAPDEBUG(("pap_rauthack: rcvd short packet.")); + return; + } + msg = (char *) inp; + PRINTMSG(msg, msglen); + } } - msg = (char *) inp; - PRINTMSG(msg, msglen); u->us_clientstate = UPAPCS_OPEN; - auth_withpeer_success(u->us_unit, UPAP); + auth_withpeer_success(u->us_unit, PPP_PAP, 0); } /* - * upap_rauthnak - Receive Authenticate-Nakk. + * upap_rauthnak - Receive Authenticate-Nak. */ static void -upap_rauthnak(u, inp, id, len) - upap_state *u; - u_char *inp; - int id; - int len; +upap_rauthnak(upap_state *u, u_char *inp, int id, int len) { u_char msglen; char *msg; - UPAPDEBUG((LOG_INFO, "upap_rauthnak: Rcvd id %d.", id)); if (u->us_clientstate != UPAPCS_AUTHREQ) /* XXX */ return; /* * Parse message. */ - if (len < sizeof (u_char)) { - UPAPDEBUG((LOG_INFO, "upap_rauthnak: rcvd short packet.")); - return; - } - GETCHAR(msglen, inp); - len -= sizeof (u_char); - if (len < msglen) { - UPAPDEBUG((LOG_INFO, "upap_rauthnak: rcvd short packet.")); - return; + if (len < 1) { + UPAPDEBUG(("pap_rauthnak: ignoring missing msg-length.")); + } else { + GETCHAR(msglen, inp); + if (msglen > 0) { + len -= sizeof (u_char); + if (len < msglen) { + UPAPDEBUG(("pap_rauthnak: rcvd short packet.")); + return; + } + msg = (char *) inp; + PRINTMSG(msg, msglen); + } } - msg = (char *) inp; - PRINTMSG(msg, msglen); u->us_clientstate = UPAPCS_BADAUTH; - syslog(LOG_ERR, "PAP authentication failed"); - auth_withpeer_fail(u->us_unit, UPAP); + error("PAP authentication failed"); + auth_withpeer_fail(u->us_unit, PPP_PAP); } @@ -425,8 +520,7 @@ upap_rauthnak(u, inp, id, len) * upap_sauthreq - Send an Authenticate-Request. */ static void -upap_sauthreq(u) - upap_state *u; +upap_sauthreq(upap_state *u) { u_char *outp; int outlen; @@ -435,7 +529,7 @@ upap_sauthreq(u) u->us_userlen + u->us_passwdlen; outp = outpacket_buf; - MAKEHEADER(outp, UPAP); + MAKEHEADER(outp, PPP_PAP); PUTCHAR(UPAP_AUTHREQ, outp); PUTCHAR(++u->us_id, outp); @@ -446,11 +540,9 @@ upap_sauthreq(u) PUTCHAR(u->us_passwdlen, outp); BCOPY(u->us_passwd, outp, u->us_passwdlen); - output(u->us_unit, outpacket_buf, outlen + DLLHEADERLEN); + output(u->us_unit, outpacket_buf, outlen + PPP_HDRLEN); - UPAPDEBUG((LOG_INFO, "upap_sauth: Sent id %d.", u->us_id)); - - TIMEOUT(upap_timeout, (caddr_t) u, u->us_timeouttime); + TIMEOUT(upap_timeout, u, u->us_timeouttime); ++u->us_transmits; u->us_clientstate = UPAPCS_AUTHREQ; } @@ -460,42 +552,32 @@ upap_sauthreq(u) * upap_sresp - Send a response (ack or nak). */ static void -upap_sresp(u, code, id, msg, msglen) - upap_state *u; - u_char code, id; - char *msg; - int msglen; +upap_sresp(upap_state *u, int code, int id, char *msg, int msglen) { u_char *outp; int outlen; outlen = UPAP_HEADERLEN + sizeof (u_char) + msglen; outp = outpacket_buf; - MAKEHEADER(outp, UPAP); + MAKEHEADER(outp, PPP_PAP); PUTCHAR(code, outp); PUTCHAR(id, outp); PUTSHORT(outlen, outp); PUTCHAR(msglen, outp); BCOPY(msg, outp, msglen); - output(u->us_unit, outpacket_buf, outlen + DLLHEADERLEN); - - UPAPDEBUG((LOG_INFO, "upap_sresp: Sent code %d, id %d.", code, id)); + output(u->us_unit, outpacket_buf, outlen + PPP_HDRLEN); } /* * upap_printpkt - print the contents of a PAP packet. */ -char *upap_codenames[] = { +static char *upap_codenames[] = { "AuthReq", "AuthAck", "AuthNak" }; -int -upap_printpkt(p, plen, printer, arg) - u_char *p; - int plen; - void (*printer) __ARGS((void *, char *, ...)); - void *arg; +static int +upap_printpkt(u_char *p, int plen, void (*printer)(void *, char *, ...), void *arg) { int code, id, len; int mlen, ulen, wlen; @@ -534,7 +616,10 @@ upap_printpkt(p, plen, printer, arg) printer(arg, " user="); print_string(user, ulen, printer, arg); printer(arg, " password="); - print_string(pwd, wlen, printer, arg); + if (!hide_password) + print_string(pwd, wlen, printer, arg); + else + printer(arg, ""); break; case UPAP_AUTHACK: case UPAP_AUTHNAK: @@ -546,7 +631,7 @@ upap_printpkt(p, plen, printer, arg) msg = (char *) (p + 1); p += mlen + 1; len -= mlen + 1; - printer(arg, "msg="); + printer(arg, " "); print_string(msg, mlen, printer, arg); break; }