src - OpenBSD base system

diff options


context:
space:
mode:

author	Niklas Hallqvist <niklas@cvs.openbsd.org>	1996-03-25 15:56:24 +0000
committer	Niklas Hallqvist <niklas@cvs.openbsd.org>	1996-03-25 15:56:24 +0000
commit	6967ae698477e809eb79f71e8ee2b9db37c9183a (patch)
tree	1decc90a7a3407dfdf7cdc3ff4aa11c2aa9ef862 /usr.sbin/pppd/auth.c
parent	22a628436b9c63f1069f0a15af3684d68574d575 (diff)

From NetBSD: merge of 960317

Diffstat (limited to 'usr.sbin/pppd/auth.c')

-rw-r--r--

usr.sbin/pppd/auth.c

313

1 files changed, 251 insertions, 62 deletions

diff --git a/usr.sbin/pppd/auth.c b/usr.sbin/pppd/auth.c
index 2af78f6fc94..ca66c3cb161 100644
--- a/usr.sbin/pppd/auth.c
+++ b/usr.sbin/pppd/auth.c

@@ -1,3 +1,5 @@

+/* $OpenBSD: auth.c,v 1.2 1996/03/25 15:55:30 niklas Exp $ */

* auth.c - PPP authentication and phase control.

@@ -33,17 +35,19 @@

#ifndef lint

-static char rcsid[] = "$Id: auth.c,v 1.1 1995/10/18 08:47:58 deraadt Exp $";

+static char rcsid[] = "$OpenBSD: auth.c,v 1.2 1996/03/25 15:55:30 niklas Exp $";

#endif

#include <stdio.h>

#include <stddef.h>

#include <stdlib.h>

+#include <unistd.h>

#include <syslog.h>

#include <pwd.h>

#include <string.h>

#include <sys/types.h>

#include <sys/stat.h>

+#include <sys/socket.h>

#include <netdb.h>

#include <netinet/in.h>

@@ -60,10 +64,9 @@ static char rcsid[] = "$Id: auth.c,v 1.1 1995/10/18 08:47:58 deraadt Exp $";

#include "pppd.h"

#include "fsm.h"

#include "lcp.h"

+#include "ipcp.h"

#include "upap.h"

#include "chap.h"

-#include "ipcp.h"

-#include "ccp.h"

#include "pathnames.h"

#if defined(sun) && defined(sparc)

@@ -87,31 +90,40 @@ struct wordlist {

/* Records which authentication operations haven't completed yet. */

static int auth_pending[NUM_PPP];

+/* Set if we have successfully called login() */

static int logged_in;

+/* List of addresses which the peer may use. */

static struct wordlist *addresses[NUM_PPP];

+/* Number of network protocols which we have opened. */

+static int num_np_open;

+/* Number of network protocols which have come up. */

+static int num_np_up;

/* Bits in auth_pending[] */

#define UPAP_WITHPEER 1

#define UPAP_PEER 2

#define CHAP_WITHPEER 4

#define CHAP_PEER 8

-/* Prototypes */

-void check_access __P((FILE *, char *));

+/* Prototypes for procedures local to this file. */

static void network_phase __P((int));

+static void check_idle __P((caddr_t));

static int login __P((char *, char *, char **, int *));

static void logout __P((void));

static int null_login __P((int));

static int get_upap_passwd __P((void));

static int have_upap_secret __P((void));

-static int have_chap_secret __P((char *, char *));

-static int scan_authfile __P((FILE *, char *, char *, char *,

- struct wordlist **, char *));

+static int have_chap_secret __P((char *, char *, u_int32_t));

+static int ip_addr_check __P((u_int32_t, struct wordlist *));

+static int scan_authfile __P((FILE *, char *, char *, u_int32_t, char *,

+ struct wordlist **, char *));

static void free_wordlist __P((struct wordlist *));

-extern char *crypt __P((char *, char *));

* An Open on LCP has requested a change from Dead to Establish phase.

* Do what's necessary to bring the physical layer up.

@@ -145,8 +157,19 @@ void

link_down(unit)

int unit;

{

- ipcp_close(0);

- ccp_close(0);

+ int i;

+ struct protent *protp;

+ for (i = 0; (protp = protocols[i]) != NULL; ++i) {

+ if (!protp->enabled_flag)

+ continue;

+ if (protp->protocol != PPP_LCP && protp->lowerdown != NULL)

+ (*protp->lowerdown)(unit);

+ if (protp->protocol < 0xC000 && protp->close != NULL)

+ (*protp->close)(unit);

+ }

+ num_np_open = 0;

+ num_np_up = 0;

phase = PHASE_TERMINATE;

}

@@ -162,6 +185,16 @@ link_established(unit)

lcp_options *wo = &lcp_wantoptions[unit];

lcp_options *go = &lcp_gotoptions[unit];

lcp_options *ho = &lcp_hisoptions[unit];

+ int i;

+ struct protent *protp;

+ /*

+ * Tell higher-level protocols that LCP is up.

+ */

+ for (i = 0; (protp = protocols[i]) != NULL; ++i)

+ if (protp->protocol != PPP_LCP && protp->enabled_flag

+ && protp->lowerup != NULL)

+ (*protp->lowerup)(unit);

if (auth_required && !(go->neg_chap || go->neg_upap)) {

@@ -171,7 +204,7 @@ link_established(unit)

if (!wo->neg_upap || !null_login(unit)) {

syslog(LOG_WARNING, "peer refused to authenticate");

- lcp_close(unit);

+ lcp_close(unit, "peer refused to authenticate");

phase = PHASE_TERMINATE;

return;

}

@@ -206,9 +239,19 @@ static void

network_phase(unit)

int unit;

{

+ int i;

+ struct protent *protp;

phase = PHASE_NETWORK;

- ipcp_open(unit);

- ccp_open(unit);

+ if (!demand)

+ set_filters(&pass_filter, &active_filter);

+ for (i = 0; (protp = protocols[i]) != NULL; ++i)

+ if (protp->protocol < 0xC000 && protp->enabled_flag

+ && protp->open != NULL) {

+ (*protp->open)(unit);

+ if (protp->protocol != PPP_CCP)

+ ++num_np_open;

+ }

}

@@ -221,7 +264,7 @@ auth_peer_fail(unit, protocol)

* Authentication failure: take the link down

- lcp_close(unit);

+ lcp_close(unit, "Authentication failed");

phase = PHASE_TERMINATE;

}

@@ -251,11 +294,8 @@ auth_peer_success(unit, protocol)

* If there is no more authentication still to be done,

* proceed to the network phase.

- if ((auth_pending[unit] &= ~bit) == 0) {

- phase = PHASE_NETWORK;

- ipcp_open(unit);

- ccp_open(unit);

- }

+ if ((auth_pending[unit] &= ~bit) == 0)

+ network_phase(unit);

}

@@ -304,13 +344,76 @@ auth_withpeer_success(unit, protocol)

- * check_auth_options - called to check authentication options.

+ * np_up - a network protocol has come up.

+ */

+void

+np_up(unit, proto)

+ int unit, proto;

+ if (num_np_up == 0 && idle_time_limit > 0) {

+ TIMEOUT(check_idle, NULL, idle_time_limit);

+ }

+ ++num_np_up;

+/*

+ * np_down - a network protocol has gone down.

+ */

+void

+np_down(unit, proto)

+ int unit, proto;

+ if (--num_np_up == 0 && idle_time_limit > 0) {

+ UNTIMEOUT(check_idle, NULL);

+ }

+/*

+ * np_finished - a network protocol has finished using the link.

+ */

+void

+np_finished(unit, proto)

+ int unit, proto;

+ if (--num_np_open <= 0) {

+ /* no further use for the link: shut up shop. */

+ lcp_close(0, "No network protocols running");

+ }

+/*

+ * check_idle - check whether the link has been idle for long

+ * enough that we can shut it down.

+ */

+static void

+check_idle(arg)

+ caddr_t arg;

+ struct ppp_idle idle;

+ time_t itime;

+ if (!get_idle_time(0, &idle))

+ return;

+ itime = MIN(idle.xmit_idle, idle.recv_idle);

+ if (itime >= idle_time_limit) {

+ /* link is idle: shut it down. */

+ syslog(LOG_INFO, "Terminating connection due to lack of activity.");

+ lcp_close(0, "Link inactive");

+ } else {

+ TIMEOUT(check_idle, NULL, idle_time_limit - itime);

+ }

+/*

+ * auth_check_options - called to check authentication options.

void

-check_auth_options()

+auth_check_options()

{

lcp_options *wo = &lcp_wantoptions[0];

lcp_options *ao = &lcp_allowoptions[0];

+ ipcp_options *ipwo = &ipcp_wantoptions[0];

+ u_int32_t remote;

/* Default our_name to hostname, and user to our_name */

if (our_name[0] == 0 || usehostname)

@@ -332,14 +435,17 @@ check_auth_options()

ao->neg_upap = 0;

if (wo->neg_upap && !uselogin && !have_upap_secret())

wo->neg_upap = 0;

- if (ao->neg_chap && !have_chap_secret(our_name, remote_name))

+ if (ao->neg_chap && !have_chap_secret(our_name, remote_name, (u_int32_t)0))

ao->neg_chap = 0;

- if (wo->neg_chap && !have_chap_secret(remote_name, our_name))

- wo->neg_chap = 0;

+ if (wo->neg_chap) {

+ remote = ipwo->accept_remote? 0: ipwo->hisaddr;

+ if (!have_chap_secret(remote_name, our_name, remote))

+ wo->neg_chap = 0;

+ }

if (auth_required && !wo->neg_chap && !wo->neg_upap) {

fprintf(stderr, "\

-pppd: peer authentication required but no authentication files accessible\n");

+pppd: peer authentication required but no suitable secret(s) found\n");

exit(1);

}

@@ -370,6 +476,8 @@ check_passwd(unit, auser, userlen, apasswd, passwdlen, msg, msglen)

char *filename;

FILE *f;

struct wordlist *addrs;

+ u_int32_t remote;

+ ipcp_options *ipwo = &ipcp_wantoptions[unit];

char passwd[256], user[256];

char secret[MAXWORDLEN];

static int attempts = 0;

@@ -392,16 +500,18 @@ check_passwd(unit, auser, userlen, apasswd, passwdlen, msg, msglen)

f = fopen(filename, "r");

if (f == NULL) {

if (!uselogin) {

- syslog(LOG_ERR, "Can't open upap password file %s: %m", filename);

+ syslog(LOG_ERR, "Can't open PAP password file %s: %m", filename);

ret = UPAP_AUTHNAK;

}

} else {

check_access(f, filename);

- if (scan_authfile(f, user, our_name, secret, &addrs, filename) < 0

+ remote = ipwo->accept_remote? 0: ipwo->hisaddr;

+ if (scan_authfile(f, user, our_name, remote,

+ secret, &addrs, filename) < 0

|| (secret[0] != 0 && (cryptpap || strcmp(passwd, secret) != 0)

&& strcmp(crypt(passwd, secret), secret) != 0)) {

- syslog(LOG_WARNING, "upap authentication failure for %s", user);

+ syslog(LOG_WARNING, "PAP authentication failure for %s", user);

ret = UPAP_AUTHNAK;

}

fclose(f);

@@ -410,7 +520,7 @@ check_passwd(unit, auser, userlen, apasswd, passwdlen, msg, msglen)

if (uselogin && ret == UPAP_AUTHACK) {

ret = login(user, passwd, msg, msglen);

if (ret == UPAP_AUTHNAK) {

- syslog(LOG_WARNING, "upap login failure for %s", user);

+ syslog(LOG_WARNING, "PAP login failure for %s", user);

}

@@ -510,7 +620,7 @@ login(user, passwd, msg, msglen)

tty = devnam;

if (strncmp(tty, "/dev/", 5) == 0)

tty += 5;

- logwtmp(tty, user, ""); /* Add wtmp login entry */

+ logwtmp(tty, user, remote_name); /* Add wtmp login entry */

logged_in = TRUE;

return (UPAP_AUTHACK);

@@ -558,7 +668,7 @@ null_login(unit)

return 0;

check_access(f, filename);

- i = scan_authfile(f, "", our_name, secret, &addrs, filename);

+ i = scan_authfile(f, "", our_name, (u_int32_t)0, secret, &addrs, filename);

ret = i >= 0 && (i & NONWILD_CLIENT) != 0 && secret[0] == 0;

if (ret) {

@@ -591,7 +701,8 @@ get_upap_passwd()

if (f == NULL)

return 0;

check_access(f, filename);

- if (scan_authfile(f, user, remote_name, secret, NULL, filename) < 0)

+ if (scan_authfile(f, user, remote_name, (u_int32_t)0,

+ secret, NULL, filename) < 0)

return 0;

strncpy(passwd, secret, MAXSECRETLEN);

passwd[MAXSECRETLEN-1] = 0;

@@ -609,13 +720,16 @@ have_upap_secret()

FILE *f;

int ret;

char *filename;

+ ipcp_options *ipwo = &ipcp_wantoptions[0];

+ u_int32_t remote;

filename = _PATH_UPAPFILE;

f = fopen(filename, "r");

if (f == NULL)

return 0;

- ret = scan_authfile(f, NULL, our_name, NULL, NULL, filename);

+ remote = ipwo->accept_remote? 0: ipwo->hisaddr;

+ ret = scan_authfile(f, NULL, our_name, remote, NULL, NULL, filename);

fclose(f);

if (ret < 0)

return 0;

@@ -631,9 +745,10 @@ have_upap_secret()

* know the identity yet.

static int

-have_chap_secret(client, server)

+have_chap_secret(client, server, remote)

char *client;

char *server;

+ u_int32_t remote;

{

FILE *f;

int ret;

@@ -649,7 +764,7 @@ have_chap_secret(client, server)

else if (server[0] == 0)

server = NULL;

- ret = scan_authfile(f, client, server, NULL, NULL, filename);

+ ret = scan_authfile(f, client, server, remote, NULL, NULL, filename);

fclose(f);

if (ret < 0)

return 0;

@@ -689,7 +804,8 @@ get_secret(unit, client, server, secret, secret_len, save_addrs)

}

check_access(f, filename);

- ret = scan_authfile(f, client, server, secbuf, &addrs, filename);

+ ret = scan_authfile(f, client, server, (u_int32_t)0,

+ secbuf, &addrs, filename);

fclose(f);

if (ret < 0)

return 0;

@@ -720,31 +836,87 @@ auth_ip_addr(unit, addr)

int unit;

u_int32_t addr;

{

- u_int32_t a;

- struct hostent *hp;

+ return ip_addr_check(addr, addresses[unit]);

+static int

+ip_addr_check(addr, addrs)

+ u_int32_t addr;

struct wordlist *addrs;

+ u_int32_t a, mask, ah;

+ int accept;

+ char *ptr_word, *ptr_mask;

+ struct hostent *hp;

+ struct netent *np;

/* don't allow loopback or multicast address */

if (bad_ip_adrs(addr))

return 0;

- if ((addrs = addresses[unit]) == NULL)

+ if (addrs == NULL)

return 1; /* no restriction */

for (; addrs != NULL; addrs = addrs->next) {

/* "-" means no addresses authorized */

- if (strcmp(addrs->word, "-") == 0)

+ ptr_word = addrs->word;

+ if (strcmp(ptr_word, "-") == 0)

break;

- if ((a = inet_addr(addrs->word)) == -1) {

- if ((hp = gethostbyname(addrs->word)) == NULL) {

- syslog(LOG_WARNING, "unknown host %s in auth. address list",

- addrs->word);

+ accept = 1;

+ if (*ptr_word == '!') {

+ accept = 0;

+ ++ptr_word;

+ }

+ mask = ~ (u_int32_t) 0;

+ ptr_mask = strchr (ptr_word, '/');

+ if (ptr_mask != NULL) {

+ int bit_count;

+ bit_count = (int) strtol (ptr_mask+1, (char **) 0, 10);

+ if (bit_count <= 0 || bit_count > 32) {

+ syslog (LOG_WARNING,

+ "invalid address length %s in auth. address list",

+ ptr_mask);

continue;

- } else

- a = *(u_int32_t *)hp->h_addr;

+ }

+ *ptr_mask = '\0';

+ mask <<= 32 - bit_count;

+ }

+ hp = gethostbyname(ptr_word);

+ if (hp != NULL && hp->h_addrtype == AF_INET) {

+ a = *(u_int32_t *)hp->h_addr;

+ mask = ~ (u_int32_t) 0; /* are we sure we want this? */

+ } else {

+ np = getnetbyname (ptr_word);

+ if (np != NULL && np->n_addrtype == AF_INET)

+ a = htonl (*(u_int32_t *)np->n_net);

+ else

+ a = inet_addr (ptr_word);

+ if (ptr_mask == NULL) {

+ /* calculate appropriate mask for net */

+ ah = ntohl(a);

+ if (IN_CLASSA(ah))

+ mask = IN_CLASSA_NET;

+ else if (IN_CLASSB(ah))

+ mask = IN_CLASSB_NET;

+ else if (IN_CLASSC(ah))

+ mask = IN_CLASSC_NET;

+ }

}

- if (addr == a)

- return 1;

+ if (ptr_mask != NULL)

+ *ptr_mask = '/';

+ if (a == -1L)

+ syslog (LOG_WARNING,

+ "unknown host %s in auth. address list",

+ addrs->word);

+ else

+ if (((addr ^ a) & htonl(mask)) == 0)

+ return accept;

}

return 0; /* not in list => can't have it */

}

@@ -791,10 +963,11 @@ check_access(f, filename)

* info) are placed in a wordlist and returned in *addrs.

static int

-scan_authfile(f, client, server, secret, addrs, filename)

+scan_authfile(f, client, server, ipaddr, secret, addrs, filename)

FILE *f;

char *client;

char *server;

+ u_int32_t ipaddr;

char *secret;

struct wordlist **addrs;

char *filename;

@@ -802,9 +975,10 @@ scan_authfile(f, client, server, secret, addrs, filename)

int newline, xxx;

int got_flag, best_flag;

FILE *sf;

- struct wordlist *ap, *addr_list, *addr_last;

+ struct wordlist *ap, *addr_list, *alist, *alast;

char word[MAXWORDLEN];

char atfile[MAXWORDLEN];

+ char lsecret[MAXWORDLEN];

if (addrs != NULL)

*addrs = NULL;

@@ -880,16 +1054,12 @@ scan_authfile(f, client, server, secret, addrs, filename)

fclose(sf);

}

if (secret != NULL)

- strcpy(secret, word);

- best_flag = got_flag;

+ strcpy(lsecret, word);

* Now read address authorization info and make a wordlist.

- if (addr_list)

- free_wordlist(addr_list);

- addr_list = addr_last = NULL;

+ alist = alast = NULL;

for (;;) {

if (!getword(f, word, &newline, filename) || newline)

break;

@@ -899,12 +1069,31 @@ scan_authfile(f, client, server, secret, addrs, filename)

novm("authorized addresses");

ap->next = NULL;

strcpy(ap->word, word);

- if (addr_list == NULL)

- addr_list = ap;

+ if (alist == NULL)

+ alist = ap;

else

- addr_last->next = ap;

- addr_last = ap;

+ alast->next = ap;

+ alast = ap;

}

+ /*

+ * Check if the given IP address is allowed by the wordlist.

+ */

+ if (ipaddr != 0 && !ip_addr_check(ipaddr, alist)) {

+ free_wordlist(alist);

+ continue;

+ }

+ /*

+ * This is the best so far; remember it.

+ */

+ best_flag = got_flag;

+ if (addr_list)

+ free_wordlist(addr_list);

+ addr_list = alist;

+ if (secret != NULL)

+ strcpy(secret, lsecret);

if (!newline)

break;

}