X-Git-Url: https://git.ozlabs.org/?p=ppp.git;a=blobdiff_plain;f=pppd%2Fupap.c;h=0ae02888281d9eb069763442a862def2025e6b93;hp=693c684f084105ccfc764482129a05c00d188956;hb=f1a34da3b2f5336e4993a729e5ac2130d0e0595a;hpb=a3630de20e34796f434a728bfd9cf1a961380c82 diff --git a/pppd/upap.c b/pppd/upap.c index 693c684..0ae0288 100644 --- a/pppd/upap.c +++ b/pppd/upap.c @@ -1,24 +1,45 @@ /* * upap.c - User/Password Authentication Protocol. * - * Copyright (c) 1989 Carnegie Mellon University. - * All rights reserved. + * Copyright (c) 1984-2000 Carnegie Mellon University. All rights reserved. * - * Redistribution and use in source and binary forms are permitted - * provided that the above copyright notice and this paragraph are - * duplicated in all such forms and that any documentation, - * advertising materials, and other materials related to such - * distribution and use acknowledge that the software was developed - * by Carnegie Mellon University. The name of the - * University may not be used to endorse or promote products derived - * from this software without specific prior written permission. - * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR - * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED - * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. The name "Carnegie Mellon University" must not be used to + * endorse or promote products derived from this software without + * prior written permission. For permission or any legal + * details, please contact + * Office of Technology Transfer + * Carnegie Mellon University + * 5000 Forbes Avenue + * Pittsburgh, PA 15213-3890 + * (412) 268-4387, fax: (412) 268-7395 + * tech-transfer@andrew.cmu.edu + * + * 4. Redistributions of any form whatsoever must retain the following + * acknowledgment: + * "This product includes software developed by Computing Services + * at Carnegie Mellon University (http://www.cmu.edu/computing/)." + * + * CARNEGIE MELLON UNIVERSITY DISCLAIMS ALL WARRANTIES WITH REGARD TO + * THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY + * AND FITNESS, IN NO EVENT SHALL CARNEGIE MELLON UNIVERSITY BE LIABLE + * FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN + * AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING + * OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ -#define RCSID "$Id: upap.c,v 1.19 1999/08/13 06:46:21 paulus Exp $" - /* * TODO: */ @@ -29,35 +50,38 @@ #include "pppd.h" #include "upap.h" -static const char rcsid[] = RCSID; -static bool hide_password; +static bool hide_password = 1; /* * Command-line options. */ static option_t pap_option_list[] = { { "hide-password", o_bool, &hide_password, - "Don't output passwords to log", 1 }, + "Don't output passwords to log", OPT_PRIO | 1 }, + { "show-password", o_bool, &hide_password, + "Show password string in debug log messages", OPT_PRIOSUB | 0 }, + { "pap-restart", o_int, &upap[0].us_timeouttime, - "Set retransmit timeout for PAP" }, + "Set retransmit timeout for PAP", OPT_PRIO }, { "pap-max-authreq", o_int, &upap[0].us_maxtransmits, - "Set max number of transmissions for auth-reqs" }, + "Set max number of transmissions for auth-reqs", OPT_PRIO }, { "pap-timeout", o_int, &upap[0].us_reqtimeout, - "Set time limit for peer PAP authentication" }, + "Set time limit for peer PAP authentication", OPT_PRIO }, + { NULL } }; /* * Protocol entry points. */ -static void upap_init __P((int)); -static void upap_lowerup __P((int)); -static void upap_lowerdown __P((int)); -static void upap_input __P((int, u_char *, int)); -static void upap_protrej __P((int)); -static int upap_printpkt __P((u_char *, int, - void (*) __P((void *, char *, ...)), void *)); +static void upap_init(int); +static void upap_lowerup(int); +static void upap_lowerdown(int); +static void upap_input(int, u_char *, int); +static void upap_protrej(int); +static int upap_printpkt(u_char *, int, + void (*)(void *, char *, ...), void *); struct protent pap_protent = { PPP_PAP, @@ -81,21 +105,20 @@ struct protent pap_protent = { upap_state upap[NUM_PPP]; /* UPAP state; one for each unit */ -static void upap_timeout __P((void *)); -static void upap_reqtimeout __P((void *)); -static void upap_rauthreq __P((upap_state *, u_char *, int, int)); -static void upap_rauthack __P((upap_state *, u_char *, int, int)); -static void upap_rauthnak __P((upap_state *, u_char *, int, int)); -static void upap_sauthreq __P((upap_state *)); -static void upap_sresp __P((upap_state *, int, int, char *, int)); +static void upap_timeout(void *); +static void upap_reqtimeout(void *); +static void upap_rauthreq(upap_state *, u_char *, int, int); +static void upap_rauthack(upap_state *, u_char *, int, int); +static void upap_rauthnak(upap_state *, u_char *, int, int); +static void upap_sauthreq(upap_state *); +static void upap_sresp(upap_state *, int, int, char *, int); /* * upap_init - Initialize a UPAP unit. */ static void -upap_init(unit) - int unit; +upap_init(int unit) { upap_state *u = &upap[unit]; @@ -119,9 +142,7 @@ upap_init(unit) * Set new state and send authenticate's. */ void -upap_authwithpeer(unit, user, password) - int unit; - char *user, *password; +upap_authwithpeer(int unit, char *user, char *password) { upap_state *u = &upap[unit]; @@ -149,8 +170,7 @@ upap_authwithpeer(unit, user, password) * Set new state. */ void -upap_authpeer(unit) - int unit; +upap_authpeer(int unit) { upap_state *u = &upap[unit]; @@ -171,8 +191,7 @@ upap_authpeer(unit) * upap_timeout - Retransmission timer for sending auth-reqs expired. */ static void -upap_timeout(arg) - void *arg; +upap_timeout(void *arg) { upap_state *u = (upap_state *) arg; @@ -195,8 +214,7 @@ upap_timeout(arg) * upap_reqtimeout - Give up waiting for the peer to send an auth-req. */ static void -upap_reqtimeout(arg) - void *arg; +upap_reqtimeout(void *arg) { upap_state *u = (upap_state *) arg; @@ -214,8 +232,7 @@ upap_reqtimeout(arg) * Start authenticating if pending. */ static void -upap_lowerup(unit) - int unit; +upap_lowerup(int unit) { upap_state *u = &upap[unit]; @@ -241,8 +258,7 @@ upap_lowerup(unit) * Cancel all timeouts. */ static void -upap_lowerdown(unit) - int unit; +upap_lowerdown(int unit) { upap_state *u = &upap[unit]; @@ -262,8 +278,7 @@ upap_lowerdown(unit) * This shouldn't happen. In any case, pretend lower layer went down. */ static void -upap_protrej(unit) - int unit; +upap_protrej(int unit) { upap_state *u = &upap[unit]; @@ -283,10 +298,7 @@ upap_protrej(unit) * upap_input - Input UPAP packet. */ static void -upap_input(unit, inpacket, l) - int unit; - u_char *inpacket; - int l; +upap_input(int unit, u_char *inpacket, int l) { upap_state *u = &upap[unit]; u_char *inp; @@ -341,14 +353,11 @@ upap_input(unit, inpacket, l) * upap_rauth - Receive Authenticate. */ static void -upap_rauthreq(u, inp, id, len) - upap_state *u; - u_char *inp; - int id; - int len; +upap_rauthreq(upap_state *u, u_char *inp, int id, int len) { u_char ruserlen, rpasswdlen; char *ruser, *rpasswd; + char rhostname[256]; int retcode; char *msg; int msglen; @@ -372,7 +381,7 @@ upap_rauthreq(u, inp, id, len) /* * Parse user/passwd. */ - if (len < sizeof (u_char)) { + if (len < 1) { UPAPDEBUG(("pap_rauth: rcvd short packet.")); return; } @@ -395,16 +404,37 @@ upap_rauthreq(u, inp, id, len) * Check the username and password given. */ retcode = check_passwd(u->us_unit, ruser, ruserlen, rpasswd, - rpasswdlen, &msg, &msglen); + rpasswdlen, &msg); BZERO(rpasswd, rpasswdlen); + /* + * Check remote number authorization. A plugin may have filled in + * the remote number or added an allowed number, and rather than + * return an authenticate failure, is leaving it for us to verify. + */ + if (retcode == UPAP_AUTHACK) { + if (!auth_number()) { + /* We do not want to leak info about the pap result. */ + retcode = UPAP_AUTHNAK; /* XXX exit value will be "wrong" */ + warn("calling number %q is not authorized", remote_number); + } + } + + msglen = strlen(msg); + if (msglen > 255) + msglen = 255; upap_sresp(u, retcode, id, msg, msglen); + /* Null terminate and clean remote name. */ + slprintf(rhostname, sizeof(rhostname), "%.*v", ruserlen, ruser); + if (retcode == UPAP_AUTHACK) { u->us_serverstate = UPAPSS_OPEN; - auth_peer_success(u->us_unit, PPP_PAP, ruser, ruserlen); + notice("PAP peer authentication succeeded for %q", rhostname); + auth_peer_success(u->us_unit, PPP_PAP, 0, ruser, ruserlen); } else { u->us_serverstate = UPAPSS_BADAUTH; + warn("PAP peer authentication failed for %q", rhostname); auth_peer_fail(u->us_unit, PPP_PAP); } @@ -417,11 +447,7 @@ upap_rauthreq(u, inp, id, len) * upap_rauthack - Receive Authenticate-Ack. */ static void -upap_rauthack(u, inp, id, len) - upap_state *u; - u_char *inp; - int id; - int len; +upap_rauthack(upap_state *u, u_char *inp, int id, int len) { u_char msglen; char *msg; @@ -432,36 +458,32 @@ upap_rauthack(u, inp, id, len) /* * Parse message. */ - if (len < sizeof (u_char)) { - UPAPDEBUG(("pap_rauthack: rcvd short packet.")); - return; - } - GETCHAR(msglen, inp); - if (msglen > 0) { - len -= sizeof (u_char); - if (len < msglen) { - UPAPDEBUG(("pap_rauthack: rcvd short packet.")); - return; + if (len < 1) { + UPAPDEBUG(("pap_rauthack: ignoring missing msg-length.")); + } else { + GETCHAR(msglen, inp); + if (msglen > 0) { + len -= sizeof (u_char); + if (len < msglen) { + UPAPDEBUG(("pap_rauthack: rcvd short packet.")); + return; + } + msg = (char *) inp; + PRINTMSG(msg, msglen); } - msg = (char *) inp; - PRINTMSG(msg, msglen); } u->us_clientstate = UPAPCS_OPEN; - auth_withpeer_success(u->us_unit, PPP_PAP); + auth_withpeer_success(u->us_unit, PPP_PAP, 0); } /* - * upap_rauthnak - Receive Authenticate-Nakk. + * upap_rauthnak - Receive Authenticate-Nak. */ static void -upap_rauthnak(u, inp, id, len) - upap_state *u; - u_char *inp; - int id; - int len; +upap_rauthnak(upap_state *u, u_char *inp, int id, int len) { u_char msglen; char *msg; @@ -472,19 +494,19 @@ upap_rauthnak(u, inp, id, len) /* * Parse message. */ - if (len < sizeof (u_char)) { - UPAPDEBUG(("pap_rauthnak: rcvd short packet.")); - return; - } - GETCHAR(msglen, inp); - if (msglen > 0) { - len -= sizeof (u_char); - if (len < msglen) { - UPAPDEBUG(("pap_rauthnak: rcvd short packet.")); - return; + if (len < 1) { + UPAPDEBUG(("pap_rauthnak: ignoring missing msg-length.")); + } else { + GETCHAR(msglen, inp); + if (msglen > 0) { + len -= sizeof (u_char); + if (len < msglen) { + UPAPDEBUG(("pap_rauthnak: rcvd short packet.")); + return; + } + msg = (char *) inp; + PRINTMSG(msg, msglen); } - msg = (char *) inp; - PRINTMSG(msg, msglen); } u->us_clientstate = UPAPCS_BADAUTH; @@ -498,8 +520,7 @@ upap_rauthnak(u, inp, id, len) * upap_sauthreq - Send an Authenticate-Request. */ static void -upap_sauthreq(u) - upap_state *u; +upap_sauthreq(upap_state *u) { u_char *outp; int outlen; @@ -531,11 +552,7 @@ upap_sauthreq(u) * upap_sresp - Send a response (ack or nak). */ static void -upap_sresp(u, code, id, msg, msglen) - upap_state *u; - u_char code, id; - char *msg; - int msglen; +upap_sresp(upap_state *u, int code, int id, char *msg, int msglen) { u_char *outp; int outlen; @@ -560,11 +577,7 @@ static char *upap_codenames[] = { }; static int -upap_printpkt(p, plen, printer, arg) - u_char *p; - int plen; - void (*printer) __P((void *, char *, ...)); - void *arg; +upap_printpkt(u_char *p, int plen, void (*printer)(void *, char *, ...), void *arg) { int code, id, len; int mlen, ulen, wlen;