| blob | cbd3eb21b0b053c3eb6dc616f31fb6dd949d81c9 |
1 /*****************************************************************************
2 * auth.c - Network Authentication and Phase Control program file.
3 *
4 * Copyright (c) 2003 by Marc Boucher, Services Informatiques (MBSI) inc.
5 * Copyright (c) 1997 by Global Election Systems Inc. All rights reserved.
6 *
7 * The authors hereby grant permission to use, copy, modify, distribute,
8 * and license this software and its documentation for any purpose, provided
9 * that existing copyright notices are retained in all copies and that this
10 * notice and the following disclaimer are included verbatim in any
11 * distributions. No written agreement, license, or royalty fee is required
12 * for any of the authorized uses.
13 *
14 * THIS SOFTWARE IS PROVIDED BY THE CONTRIBUTORS *AS IS* AND ANY EXPRESS OR
15 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
16 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
17 * IN NO EVENT SHALL THE CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
18 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
19 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
20 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
21 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
22 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
23 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
24 *
25 ******************************************************************************
26 * REVISION HISTORY
27 *
28 * 03-01-01 Marc Boucher <marc@mbsi.ca>
29 * Ported to lwIP.
30 * 97-12-08 Guy Lancaster <lancasterg@acm.org>, Global Election Systems Inc.
31 * Ported from public pppd code.
32 *****************************************************************************/
33 /*
34 * auth.c - PPP authentication and phase control.
35 *
36 * Copyright (c) 1993 The Australian National University.
37 * All rights reserved.
38 *
39 * Redistribution and use in source and binary forms are permitted
40 * provided that the above copyright notice and this paragraph are
41 * duplicated in all such forms and that any documentation,
42 * advertising materials, and other materials related to such
43 * distribution and use acknowledge that the software was developed
44 * by the Australian National University. The name of the University
45 * may not be used to endorse or promote products derived from this
46 * software without specific prior written permission.
47 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
48 * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
49 * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
50 *
51 * Copyright (c) 1989 Carnegie Mellon University.
52 * All rights reserved.
53 *
54 * Redistribution and use in source and binary forms are permitted
55 * provided that the above copyright notice and this paragraph are
56 * duplicated in all such forms and that any documentation,
57 * advertising materials, and other materials related to such
58 * distribution and use acknowledge that the software was developed
59 * by Carnegie Mellon University. The name of the
60 * University may not be used to endorse or promote products derived
61 * from this software without specific prior written permission.
62 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
63 * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
64 * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
65 */
81 #if CBCP_SUPPORT
85 #include <string.h>
87 /*************************/
88 /*** LOCAL DEFINITIONS ***/
89 /*************************/
91 /* Bits in auth_pending[] */
92 #define PAP_WITHPEER 1
93 #define PAP_PEER 2
94 #define CHAP_WITHPEER 4
95 #define CHAP_PEER 8
98 /************************/
99 /*** LOCAL DATA TYPES ***/
100 /************************/
101 /* Used for storing a sequence of words. Usually malloced. */
105 };
108 /***********************************/
109 /*** LOCAL FUNCTION DECLARATIONS ***/
110 /***********************************/
113 /* Prototypes for procedures local to this file. */
118 #if 0
120 #endif
131 #if CBCP_SUPPORT
136 /******************************/
137 /*** PUBLIC DATA STRUCTURES ***/
138 /******************************/
141 /*****************************/
142 /*** LOCAL DATA STRUCTURES ***/
143 /*****************************/
144 #if PAP_SUPPORT || CHAP_SUPPORT
145 /* The name by which the peer authenticated itself to us. */
149 /* Records which authentication operations haven't completed yet. */
152 /* Set if we have successfully called login() */
155 /* Set if we have run the /etc/ppp/auth-up script. */
158 /* List of addresses which the peer may use. */
161 /* Number of network protocols which we have opened. */
164 /* Number of network protocols which have come up. */
167 #if PAP_SUPPORT || CHAP_SUPPORT
168 /* Set if we got the contents of passwd[] from the pap-secrets file. */
173 /***********************************/
174 /*** PUBLIC FUNCTION DEFINITIONS ***/
175 /***********************************/
176 /*
177 * An Open on LCP has requested a change from Dead to Establish phase.
178 * Do what's necessary to bring the physical layer up.
179 */
180 void
182 {
186 }
188 /*
189 * LCP has terminated the link; go to the Dead phase and take the
190 * physical layer down.
191 */
192 void
194 {
198 }
201 }
205 }
207 /*
208 * LCP has gone down; it will either die or try to re-establish.
209 */
210 void
212 {
218 /* XXX Do link down processing. */
220 }
224 }
227 }
230 }
231 }
236 }
238 }
240 /*
241 * The link is established.
242 * Proceed to the Dead, Authenticate or Network phase as appropriate.
243 */
244 void
246 {
252 #if PAP_SUPPORT || CHAP_SUPPORT
257 /*
258 * Tell higher-level protocols that LCP is up.
259 */
263 }
264 }
266 /*
267 * We wanted the peer to authenticate itself, and it refused:
268 * treat it as though it authenticated with PAP using a username
269 * of "" and a password of "". If that's not OK, boot it out.
270 */
275 }
276 }
280 #if CHAP_SUPPORT
284 }
286 #if PAP_SUPPORT && CHAP_SUPPORT
287 else
289 #if PAP_SUPPORT
293 }
295 #if CHAP_SUPPORT
299 }
301 #if PAP_SUPPORT && CHAP_SUPPORT
302 else
304 #if PAP_SUPPORT
310 }
311 }
314 }
320 }
321 }
323 /*
324 * The peer has failed to authenticate himself using `protocol'.
325 */
326 void
328 {
332 /*
333 * Authentication failure: take the link down
334 */
336 }
339 #if PAP_SUPPORT || CHAP_SUPPORT
340 /*
341 * The peer has been successfully authenticated using `protocol'.
342 */
343 void
345 {
359 }
361 /*
362 * Save the authenticated name of the peer for later.
363 */
366 }
370 /*
371 * If there is no more authentication still to be done,
372 * proceed to the network (or callback) phase.
373 */
376 }
377 }
379 /*
380 * We have failed to authenticate ourselves to the peer using `protocol'.
381 */
382 void
384 {
392 }
393 /*
394 * XXX Warning: the unit number indicates the interface which is
395 * not necessarily the PPP connection. It works here as long
396 * as we are only supporting PPP interfaces.
397 */
400 /*
401 * We've failed to authenticate ourselves to our peer.
402 * He'll probably take the link down, and there's not much
403 * we can do except wait for that.
404 */
405 }
407 /*
408 * We have successfully authenticated ourselves with the peer using `protocol'.
409 */
410 void
412 {
423 }
429 }
431 /*
432 * If there is no more authentication still being done,
433 * proceed to the network (or callback) phase.
434 */
437 }
438 }
442 /*
443 * np_up - a network protocol has come up.
444 */
445 void
447 {
453 AUTHDEBUG((LOG_INFO, "np_up: maxconnect=%d idle_time_limit=%d\n",ppp_settings.maxconnect,ppp_settings.idle_time_limit));
454 /*
455 * At this point we consider that the link has come up successfully.
456 */
459 }
461 /*
462 * Set a timeout to close the connection once the maximum
463 * connect time has expired.
464 */
467 }
468 }
470 }
472 /*
473 * np_down - a network protocol has gone down.
474 */
475 void
477 {
484 }
485 }
487 /*
488 * np_finished - a network protocol has finished using the link.
489 */
490 void
492 {
498 /* no further use for the link: shut up shop. */
500 }
501 }
503 /*
504 * auth_reset - called when LCP is starting negotiations to recheck
505 * authentication options, i.e. whether we have appropriate secrets
506 * to use for authenticating ourselves and/or the peer.
507 */
508 void
510 {
514 u32_t remote;
517 ao->neg_upap = !ppp_settings.refuse_pap && (ppp_settings.passwd[0] != 0 || get_pap_passwd(unit, NULL, NULL));
518 ao->neg_chap = !ppp_settings.refuse_chap && ppp_settings.passwd[0] != 0 /*have_chap_secret(ppp_settings.user, ppp_settings.remote_name, (u32_t)0)*/;
522 }
527 }
528 }
529 }
531 #if PAP_SUPPORT
532 /*
533 * check_passwd - Check the user name and passwd against the PAP secrets
534 * file. If requested, also check against the system password database,
535 * and login the user if OK.
536 *
537 * returns:
538 * UPAP_AUTHNAK: Authentication failed.
539 * UPAP_AUTHACK: Authentication succeeded.
540 * In either case, msg points to an appropriate message.
541 */
542 int
543 check_passwd( int unit, char *auser, int userlen, char *apasswd, int passwdlen, char **msg, int *msglen)
544 {
545 #if 1
554 #else
561 /*
562 * Make copies of apasswd and auser, then null-terminate them.
563 */
570 /* XXX Validate user name and password. */
576 }
578 /*
579 * Frustrate passwd stealer programs.
580 * Allow 10 tries, but start backing off after 3 (stolen from login).
581 * On 10'th, drop the connection.
582 */
585 /*ppp_panic("Excess Bad Logins");*/
586 }
589 }
592 }
597 }
600 }
606 #endif
607 }
611 /*
612 * auth_ip_addr - check whether the peer is authorized to use
613 * a given IP address. Returns 1 if authorized, 0 otherwise.
614 */
615 int
617 {
619 }
621 /*
622 * bad_ip_adrs - return 1 if the IP address is one we don't want
623 * to use, such as an address in the loopback net or a multicast address.
624 * addr is in network byte order.
625 */
626 int
628 {
632 }
635 #if CHAP_SUPPORT
636 /*
637 * get_secret - open the CHAP secret file and return the secret
638 * for authenticating the given client on the given server.
639 * (We could be either client or server).
640 */
641 int get_secret( int unit, char *client, char *server, char *secret, int *secret_len, int save_addrs)
642 {
643 #if 1
655 }
661 }
667 #else
675 /* XXX Find secret. */
678 }
682 }
688 }
695 #endif
696 }
701 /*
702 * auth_check_options - called to check authentication options.
703 */
704 void
706 {
710 u32_t remote;
712 /* Default our_name to hostname, and user to our_name */
715 }
719 }
721 /* If authentication is required, ask peer for CHAP or PAP. */
725 }
727 /*
728 * Check whether we have appropriate secrets to use
729 * to authenticate the peer.
730 */
735 }
739 }
740 }
741 #endif
744 /**********************************/
745 /*** LOCAL FUNCTION DEFINITIONS ***/
746 /**********************************/
747 /*
748 * Proceed to the network phase.
749 */
750 static void
752 {
757 /*
758 * If the peer had to authenticate, run the auth-up script now.
759 */
761 /* XXX Do setup for peer authentication. */
763 }
765 #if CBCP_SUPPORT
766 /*
767 * If we negotiated callback, do it now.
768 */
773 }
782 }
783 }
784 }
787 /* nothing to do */
789 }
790 }
792 /*
793 * check_idle - check whether the link has been idle for long
794 * enough that we can shut it down.
795 */
796 static void
798 {
800 u_short itime;
805 }
808 /* link is idle: shut it down. */
813 }
814 }
816 /*
817 * connect_time_expired - log a message and close the connection.
818 */
819 static void
821 {
826 }
828 #if 0
829 /*
830 * login - Check the user name and password against the system
831 * password database, and login the user if OK.
832 *
833 * returns:
834 * UPAP_AUTHNAK: Login failed.
835 * UPAP_AUTHACK: Login succeeded.
836 * In either case, msg points to an appropriate message.
837 */
838 static int
840 {
841 /* XXX Fail until we decide that we want to support logins. */
843 }
844 #endif
846 /*
847 * logout - Logout the user.
848 */
849 static void
851 {
853 }
855 /*
856 * null_login - Check if a username of "" and a password of "" are
857 * acceptable, and iff so, set the list of acceptable IP addresses
858 * and return 1.
859 */
860 static int
862 {
864 /* XXX Fail until we decide that we want to support logins. */
866 }
868 /*
869 * get_pap_passwd - get a password for authenticating ourselves with
870 * our peer using PAP. Returns 1 on success, 0 if no suitable password
871 * could be found.
872 */
873 static int
875 {
877 /* normally we would reject PAP if no password is provided,
878 but this causes problems with some providers (like CHT in Taiwan)
879 who incorrectly request PAP and expect a bogus/empty password, so
880 always provide a default user/passwd of "none"/"none"
881 */
884 }
887 }
889 }
891 /*
892 * have_pap_secret - check whether we have a PAP file with any
893 * secrets that we could possibly use for authenticating the peer.
894 */
895 static int
897 {
898 /* XXX Fail until we set up our passwords. */
900 }
902 /*
903 * have_chap_secret - check whether we have a CHAP file with a
904 * secret that we could possibly use for authenticating `client'
905 * on `server'. Either can be the null string, meaning we don't
906 * know the identity yet.
907 */
908 static int
910 {
914 /* XXX Fail until we set up our passwords. */
916 }
919 /*
920 * set_allowed_addrs() - set the list of allowed addresses.
921 */
922 static void
924 {
927 }
930 #if 0
931 /*
932 * If there's only one authorized address we might as well
933 * ask our peer for that one right away
934 */
938 u32_t a;
947 }
950 }
951 }
952 }
953 #endif
954 }
957 static int
959 {
960 /* don't allow loopback or multicast address */
963 }
967 }
969 /* XXX All other addresses allowed. */
971 }
974 /*
975 * free_wordlist - release memory allocated for a wordlist.
976 */
977 static void
979 {
986 }
987 }