| blob | c637c2d5f1f95aab81f3f949367be87245de9c6e |
1 /*****************************************************************************
2 * auth.c - Network Authentication and Phase Control program file.
3 *
4 * Copyright (c) 2003 by Marc Boucher, Services Informatiques (MBSI) inc.
5 * Copyright (c) 1997 by Global Election Systems Inc. All rights reserved.
6 *
7 * The authors hereby grant permission to use, copy, modify, distribute,
8 * and license this software and its documentation for any purpose, provided
9 * that existing copyright notices are retained in all copies and that this
10 * notice and the following disclaimer are included verbatim in any
11 * distributions. No written agreement, license, or royalty fee is required
12 * for any of the authorized uses.
13 *
14 * THIS SOFTWARE IS PROVIDED BY THE CONTRIBUTORS *AS IS* AND ANY EXPRESS OR
15 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
16 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
17 * IN NO EVENT SHALL THE CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
18 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
19 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
20 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
21 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
22 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
23 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
24 *
25 ******************************************************************************
26 * REVISION HISTORY
27 *
28 * 03-01-01 Marc Boucher <marc@mbsi.ca>
29 * Ported to lwIP.
30 * 97-12-08 Guy Lancaster <lancasterg@acm.org>, Global Election Systems Inc.
31 * Ported from public pppd code.
32 *****************************************************************************/
33 /*
34 * auth.c - PPP authentication and phase control.
35 *
36 * Copyright (c) 1993 The Australian National University.
37 * All rights reserved.
38 *
39 * Redistribution and use in source and binary forms are permitted
40 * provided that the above copyright notice and this paragraph are
41 * duplicated in all such forms and that any documentation,
42 * advertising materials, and other materials related to such
43 * distribution and use acknowledge that the software was developed
44 * by the Australian National University. The name of the University
45 * may not be used to endorse or promote products derived from this
46 * software without specific prior written permission.
47 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
48 * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
49 * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
50 *
51 * Copyright (c) 1989 Carnegie Mellon University.
52 * All rights reserved.
53 *
54 * Redistribution and use in source and binary forms are permitted
55 * provided that the above copyright notice and this paragraph are
56 * duplicated in all such forms and that any documentation,
57 * advertising materials, and other materials related to such
58 * distribution and use acknowledge that the software was developed
59 * by Carnegie Mellon University. The name of the
60 * University may not be used to endorse or promote products derived
61 * from this software without specific prior written permission.
62 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
63 * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
64 * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
65 */
81 #if CBCP_SUPPORT
85 /*************************/
86 /*** LOCAL DEFINITIONS ***/
87 /*************************/
89 /* Bits in auth_pending[] */
90 #define PAP_WITHPEER 1
91 #define PAP_PEER 2
92 #define CHAP_WITHPEER 4
93 #define CHAP_PEER 8
96 /************************/
97 /*** LOCAL DATA TYPES ***/
98 /************************/
99 /* Used for storing a sequence of words. Usually malloced. */
103 };
106 /***********************************/
107 /*** LOCAL FUNCTION DECLARATIONS ***/
108 /***********************************/
111 /* Prototypes for procedures local to this file. */
116 #if 0
118 #endif
129 #if CBCP_SUPPORT
134 /******************************/
135 /*** PUBLIC DATA STRUCTURES ***/
136 /******************************/
139 /*****************************/
140 /*** LOCAL DATA STRUCTURES ***/
141 /*****************************/
142 #if PAP_SUPPORT || CHAP_SUPPORT
143 /* The name by which the peer authenticated itself to us. */
147 /* Records which authentication operations haven't completed yet. */
150 /* Set if we have successfully called login() */
153 /* Set if we have run the /etc/ppp/auth-up script. */
156 /* List of addresses which the peer may use. */
159 /* Number of network protocols which we have opened. */
162 /* Number of network protocols which have come up. */
165 #if PAP_SUPPORT || CHAP_SUPPORT
166 /* Set if we got the contents of passwd[] from the pap-secrets file. */
171 /***********************************/
172 /*** PUBLIC FUNCTION DEFINITIONS ***/
173 /***********************************/
174 /*
175 * An Open on LCP has requested a change from Dead to Establish phase.
176 * Do what's necessary to bring the physical layer up.
177 */
178 void
180 {
184 }
186 /*
187 * LCP has terminated the link; go to the Dead phase and take the
188 * physical layer down.
189 */
190 void
192 {
196 }
199 }
203 }
205 /*
206 * LCP has gone down; it will either die or try to re-establish.
207 */
208 void
210 {
216 /* XXX Do link down processing. */
218 }
222 }
225 }
228 }
229 }
234 }
236 }
238 /*
239 * The link is established.
240 * Proceed to the Dead, Authenticate or Network phase as appropriate.
241 */
242 void
244 {
250 #if PAP_SUPPORT || CHAP_SUPPORT
255 /*
256 * Tell higher-level protocols that LCP is up.
257 */
261 }
262 }
264 /*
265 * We wanted the peer to authenticate itself, and it refused:
266 * treat it as though it authenticated with PAP using a username
267 * of "" and a password of "". If that's not OK, boot it out.
268 */
273 }
274 }
278 #if CHAP_SUPPORT
282 }
284 #if PAP_SUPPORT && CHAP_SUPPORT
285 else
287 #if PAP_SUPPORT
291 }
293 #if CHAP_SUPPORT
297 }
299 #if PAP_SUPPORT && CHAP_SUPPORT
300 else
302 #if PAP_SUPPORT
308 }
309 }
312 }
318 }
319 }
321 /*
322 * The peer has failed to authenticate himself using `protocol'.
323 */
324 void
326 {
330 /*
331 * Authentication failure: take the link down
332 */
334 }
337 #if PAP_SUPPORT || CHAP_SUPPORT
338 /*
339 * The peer has been successfully authenticated using `protocol'.
340 */
341 void
343 {
357 }
359 /*
360 * Save the authenticated name of the peer for later.
361 */
364 }
368 /*
369 * If there is no more authentication still to be done,
370 * proceed to the network (or callback) phase.
371 */
374 }
375 }
377 /*
378 * We have failed to authenticate ourselves to the peer using `protocol'.
379 */
380 void
382 {
390 }
391 /*
392 * XXX Warning: the unit number indicates the interface which is
393 * not necessarily the PPP connection. It works here as long
394 * as we are only supporting PPP interfaces.
395 */
398 /*
399 * We've failed to authenticate ourselves to our peer.
400 * He'll probably take the link down, and there's not much
401 * we can do except wait for that.
402 */
403 }
405 /*
406 * We have successfully authenticated ourselves with the peer using `protocol'.
407 */
408 void
410 {
421 }
427 }
429 /*
430 * If there is no more authentication still being done,
431 * proceed to the network (or callback) phase.
432 */
435 }
436 }
440 /*
441 * np_up - a network protocol has come up.
442 */
443 void
445 {
451 AUTHDEBUG((LOG_INFO, "np_up: maxconnect=%d idle_time_limit=%d\n",ppp_settings.maxconnect,ppp_settings.idle_time_limit));
452 /*
453 * At this point we consider that the link has come up successfully.
454 */
457 }
459 /*
460 * Set a timeout to close the connection once the maximum
461 * connect time has expired.
462 */
465 }
466 }
468 }
470 /*
471 * np_down - a network protocol has gone down.
472 */
473 void
475 {
482 }
483 }
485 /*
486 * np_finished - a network protocol has finished using the link.
487 */
488 void
490 {
496 /* no further use for the link: shut up shop. */
498 }
499 }
501 /*
502 * auth_reset - called when LCP is starting negotiations to recheck
503 * authentication options, i.e. whether we have appropriate secrets
504 * to use for authenticating ourselves and/or the peer.
505 */
506 void
508 {
512 u32_t remote;
515 ao->neg_upap = !ppp_settings.refuse_pap && (ppp_settings.passwd[0] != 0 || get_pap_passwd(unit, NULL, NULL));
516 ao->neg_chap = !ppp_settings.refuse_chap && ppp_settings.passwd[0] != 0 /*have_chap_secret(ppp_settings.user, ppp_settings.remote_name, (u32_t)0)*/;
520 }
525 }
526 }
527 }
529 #if PAP_SUPPORT
530 /*
531 * check_passwd - Check the user name and passwd against the PAP secrets
532 * file. If requested, also check against the system password database,
533 * and login the user if OK.
534 *
535 * returns:
536 * UPAP_AUTHNAK: Authentication failed.
537 * UPAP_AUTHACK: Authentication succeeded.
538 * In either case, msg points to an appropriate message.
539 */
540 int
541 check_passwd( int unit, char *auser, int userlen, char *apasswd, int passwdlen, char **msg, int *msglen)
542 {
543 #if 1
552 #else
559 /*
560 * Make copies of apasswd and auser, then null-terminate them.
561 */
568 /* XXX Validate user name and password. */
574 }
576 /*
577 * Frustrate passwd stealer programs.
578 * Allow 10 tries, but start backing off after 3 (stolen from login).
579 * On 10'th, drop the connection.
580 */
583 /*ppp_panic("Excess Bad Logins");*/
584 }
587 }
590 }
595 }
598 }
604 #endif
605 }
609 /*
610 * auth_ip_addr - check whether the peer is authorized to use
611 * a given IP address. Returns 1 if authorized, 0 otherwise.
612 */
613 int
615 {
617 }
619 /*
620 * bad_ip_adrs - return 1 if the IP address is one we don't want
621 * to use, such as an address in the loopback net or a multicast address.
622 * addr is in network byte order.
623 */
624 int
626 {
630 }
633 #if CHAP_SUPPORT
634 /*
635 * get_secret - open the CHAP secret file and return the secret
636 * for authenticating the given client on the given server.
637 * (We could be either client or server).
638 */
639 int get_secret( int unit, char *client, char *server, char *secret, int *secret_len, int save_addrs)
640 {
641 #if 1
653 }
659 }
665 #else
673 /* XXX Find secret. */
676 }
680 }
686 }
693 #endif
694 }
699 /*
700 * auth_check_options - called to check authentication options.
701 */
702 void
704 {
708 u32_t remote;
710 /* Default our_name to hostname, and user to our_name */
713 }
717 }
719 /* If authentication is required, ask peer for CHAP or PAP. */
723 }
725 /*
726 * Check whether we have appropriate secrets to use
727 * to authenticate the peer.
728 */
733 }
737 }
738 }
739 #endif
742 /**********************************/
743 /*** LOCAL FUNCTION DEFINITIONS ***/
744 /**********************************/
745 /*
746 * Proceed to the network phase.
747 */
748 static void
750 {
755 /*
756 * If the peer had to authenticate, run the auth-up script now.
757 */
759 /* XXX Do setup for peer authentication. */
761 }
763 #if CBCP_SUPPORT
764 /*
765 * If we negotiated callback, do it now.
766 */
771 }
780 }
781 }
782 }
785 /* nothing to do */
787 }
788 }
790 /*
791 * check_idle - check whether the link has been idle for long
792 * enough that we can shut it down.
793 */
794 static void
796 {
798 u_short itime;
803 }
806 /* link is idle: shut it down. */
811 }
812 }
814 /*
815 * connect_time_expired - log a message and close the connection.
816 */
817 static void
819 {
824 }
826 #if 0
827 /*
828 * login - Check the user name and password against the system
829 * password database, and login the user if OK.
830 *
831 * returns:
832 * UPAP_AUTHNAK: Login failed.
833 * UPAP_AUTHACK: Login succeeded.
834 * In either case, msg points to an appropriate message.
835 */
836 static int
838 {
839 /* XXX Fail until we decide that we want to support logins. */
841 }
842 #endif
844 /*
845 * logout - Logout the user.
846 */
847 static void
849 {
851 }
853 /*
854 * null_login - Check if a username of "" and a password of "" are
855 * acceptable, and iff so, set the list of acceptable IP addresses
856 * and return 1.
857 */
858 static int
860 {
862 /* XXX Fail until we decide that we want to support logins. */
864 }
866 /*
867 * get_pap_passwd - get a password for authenticating ourselves with
868 * our peer using PAP. Returns 1 on success, 0 if no suitable password
869 * could be found.
870 */
871 static int
873 {
875 /* normally we would reject PAP if no password is provided,
876 but this causes problems with some providers (like CHT in Taiwan)
877 who incorrectly request PAP and expect a bogus/empty password, so
878 always provide a default user/passwd of "none"/"none"
879 */
882 }
885 }
887 }
889 /*
890 * have_pap_secret - check whether we have a PAP file with any
891 * secrets that we could possibly use for authenticating the peer.
892 */
893 static int
895 {
896 /* XXX Fail until we set up our passwords. */
898 }
900 /*
901 * have_chap_secret - check whether we have a CHAP file with a
902 * secret that we could possibly use for authenticating `client'
903 * on `server'. Either can be the null string, meaning we don't
904 * know the identity yet.
905 */
906 static int
908 {
912 /* XXX Fail until we set up our passwords. */
914 }
917 /*
918 * set_allowed_addrs() - set the list of allowed addresses.
919 */
920 static void
922 {
925 }
928 #if 0
929 /*
930 * If there's only one authorized address we might as well
931 * ask our peer for that one right away
932 */
936 u32_t a;
945 }
948 }
949 }
950 }
951 #endif
952 }
955 static int
957 {
958 /* don't allow loopback or multicast address */
961 }
965 }
967 /* XXX All other addresses allowed. */
969 }
972 /*
973 * free_wordlist - release memory allocated for a wordlist.
974 */
975 static void
977 {
984 }
985 }