search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Merge branch 'tomato-ND-USBmod' into tomato-RT
[tomato.git] / release / src / router / ppp / pppoecd / auth.c
blobe5ac9e8003fce99ba743e1b936b117527fea9b0e
1 /*
2 * auth.c - PPP authentication and phase control.
3 *
4 * Copyright (c) 1993 The Australian National University.
5 * All rights reserved.
6 *
7 * Redistribution and use in source and binary forms are permitted
8 * provided that the above copyright notice and this paragraph are
9 * duplicated in all such forms and that any documentation,
10 * advertising materials, and other materials related to such
11 * distribution and use acknowledge that the software was developed
12 * by the Australian National University. The name of the University
13 * may not be used to endorse or promote products derived from this
14 * software without specific prior written permission.
15 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
16 * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
17 * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
18 *
19 * Copyright (c) 1989 Carnegie Mellon University.
20 * All rights reserved.
21 *
22 * Redistribution and use in source and binary forms are permitted
23 * provided that the above copyright notice and this paragraph are
24 * duplicated in all such forms and that any documentation,
25 * advertising materials, and other materials related to such
26 * distribution and use acknowledge that the software was developed
27 * by Carnegie Mellon University. The name of the
28 * University may not be used to endorse or promote products derived
29 * from this software without specific prior written permission.
30 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
31 * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
32 * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
33 */
34
35 #define RCSID "$Id: auth.c,v 1.1.1.4 2003/10/14 08:09:54 sparq Exp $"
36
37 #include <string.h>
38 #include <netinet/in.h>
39
40 #include "pppd.h"
41 #include "fsm.h"
42 #include "lcp.h"
43 #include "ipcp.h"
44 #include "upap.h"
45 #include "chap.h"
46
47 /* The name by which the peer authenticated itself to us. */
48 char peer_authname[MAXNAMELEN];
49
50 /* Records which authentication operations haven't completed yet. */
51 static int auth_pending[NUM_PPP];
52
53 /* Number of network protocols which we have opened. */
54 static int num_np_open;
55
56 /* Number of network protocols which have come up. */
57 static int num_np_up;
58
59 /*
60 * Option variables.
61 */
62 bool uselogin = 0; /* Use /etc/passwd for checking PAP */
63 bool cryptpap = 0; /* Passwords in pap-secrets are encrypted */
64 bool refuse_pap = 0; /* Don't wanna auth. ourselves with PAP */
65 bool refuse_chap = 0; /* Don't wanna auth. ourselves with CHAP */
66 bool usehostname = 0; /* Use hostname for our_name */
67 bool auth_required = 0; /* Always require authentication from peer */
68 bool allow_any_ip = 0; /* Allow peer to use any IP address */
69 bool explicit_remote = 0; /* User specified explicit remote name */
70 char remote_name[MAXNAMELEN]; /* Peer's name for authentication */
71
72 /* Bits in auth_pending[] */
73 #define PAP_WITHPEER 1
74 #define PAP_PEER 2
75 #define CHAP_WITHPEER 4
76 #define CHAP_PEER 8
77
78 /* Prototypes for procedures local to this file. */
79
80 static void network_phase __P((int));
81 static void check_idle __P((void *));
82 static void connect_time_expired __P((void *));
83
84 /*
85 * LCP has terminated the link; go to the Dead phase and take the
86 * physical layer down.
87 */
88 void
89 link_terminated(unit)
90 int unit;
91 {
92 if (phase == PHASE_DEAD)
93 return;
94 new_phase(PHASE_DEAD);
95 LOGX_INFO("Connection terminated.");
96 notice("Connection terminated.");
97 }
98
99 /*
100 * LCP has gone down; it will either die or try to re-establish.
101 */
102 void
103 link_down(unit)
104 int unit;
105 {
106 int i;
107 struct protent *protp;
108
109 for (i = 0; (protp = protocols[i]) != NULL; ++i) {
110 if (!protp->enabled_flag)
111 continue;
112 if (protp->protocol != PPP_LCP && protp->lowerdown != NULL)
113 (*protp->lowerdown)(unit);
114 if (protp->protocol < 0xC000 && protp->close != NULL)
115 (*protp->close)(unit, "LCP down");
116 }
117 num_np_open = 0;
118 num_np_up = 0;
119 if (phase != PHASE_DEAD)
120 new_phase(PHASE_TERMINATE);
121 }
122
123 /*
124 * The link is established.
125 * Proceed to the Dead, Authenticate or Network phase as appropriate.
126 */
127 void
128 link_established(unit)
129 int unit;
130 {
131 int auth;
132 lcp_options *ho = &lcp_hisoptions[unit];
133 int i;
134 struct protent *protp;
135
136 /*
137 * Tell higher-level protocols that LCP is up.
138 */
139 for (i = 0; (protp = protocols[i]) != NULL; ++i)
140 if (protp->protocol != PPP_LCP && protp->enabled_flag
141 && protp->lowerup != NULL)
142 (*protp->lowerup)(unit);
143
144 new_phase(PHASE_AUTHENTICATE);
145 auth = 0;
146 if (ho->neg_chap) {
147 #ifdef CHAP_SUPPORT
148 ChapAuthWithPeer(unit, user, ho->chap_mdtype);
149 auth |= CHAP_WITHPEER;
150 #else
151 error("CHAP unsupported");
152 #endif
153 } else if (ho->neg_upap) {
154 if (passwd[0] == 0) {
155 error("No secret found for PAP login");
156 }
157 upap_authwithpeer(unit, user, passwd);
158 auth |= PAP_WITHPEER;
159 }
160 auth_pending[unit] = auth;
161
162 if (!auth)
163 network_phase(unit);
164 }
165
166 /*
167 * Proceed to the network phase.
168 */
169 static void
170 network_phase(unit)
171 int unit;
172 {
173 start_networks();
174 }
175
176 void
177 start_networks()
178 {
179 int i;
180 struct protent *protp;
181
182 new_phase(PHASE_NETWORK);
183
184 for (i = 0; (protp = protocols[i]) != NULL; ++i)
185 if (protp->protocol < 0xC000 && protp->enabled_flag
186 && protp->open != NULL) {
187 (*protp->open)(0);
188 if (protp->protocol != PPP_CCP)
189 ++num_np_open;
190 }
191
192 if (num_np_open == 0)
193 /* nothing to do */
194 lcp_close(0, "No network protocols running");
195 }
196
197 /*
198 * The peer has failed to authenticate himself using `protocol'.
199 */
200 void
201 auth_peer_fail(unit, protocol)
202 int unit, protocol;
203 {
204 /*
205 * Authentication failure: take the link down
206 */
207 lcp_close(unit, "Authentication failed");
208 status = EXIT_PEER_AUTH_FAILED;
209 }
210
211 /*
212 * The peer has been successfully authenticated using `protocol'.
213 */
214 void
215 auth_peer_success(unit, protocol, name, namelen)
216 int unit, protocol;
217 char *name;
218 int namelen;
219 {
220 int bit;
221
222 switch (protocol) {
223 case PPP_CHAP:
224 bit = CHAP_PEER;
225 break;
226 case PPP_PAP:
227 bit = PAP_PEER;
228 break;
229 default:
230 warn("auth_peer_success: unknown protocol %x", protocol);
231 return;
232 }
233
234 /*
235 * Save the authenticated name of the peer for later.
236 */
237 if (namelen > sizeof(peer_authname) - 1)
238 namelen = sizeof(peer_authname) - 1;
239 BCOPY(name, peer_authname, namelen);
240 peer_authname[namelen] = 0;
241 script_setenv("PEERNAME", peer_authname, 0);
242
243 /*
244 * If there is no more authentication still to be done,
245 * proceed to the network (or callback) phase.
246 */
247 if ((auth_pending[unit] &= ~bit) == 0)
248 network_phase(unit);
249 }
250
251 /*
252 * We have failed to authenticate ourselves to the peer using `protocol'.
253 */
254 void
255 auth_withpeer_fail(unit, protocol)
256 int unit, protocol;
257 {
258 /*
259 * We've failed to authenticate ourselves to our peer.
260 * Some servers keep sending CHAP challenges, but there
261 * is no point in persisting without any way to get updated
262 * authentication secrets.
263 */
264 lcp_close(unit, "Failed to authenticate ourselves to peer");
265 status = EXIT_AUTH_TOPEER_FAILED;
266 }
267
268 /*
269 * We have successfully authenticated ourselves with the peer using `protocol'.
270 */
271 void
272 auth_withpeer_success(unit, protocol)
273 int unit, protocol;
274 {
275 int bit;
276
277 switch (protocol) {
278 case PPP_CHAP:
279 bit = CHAP_WITHPEER;
280 break;
281 case PPP_PAP:
282 bit = PAP_WITHPEER;
283 break;
284 default:
285 warn("auth_withpeer_success: unknown protocol %x", protocol);
286 bit = 0;
287 }
288
289 /*
290 * If there is no more authentication still being done,
291 * proceed to the network (or callback) phase.
292 */
293 if ((auth_pending[unit] &= ~bit) == 0)
294 network_phase(unit);
295 }
296
297
298 /*
299 * np_up - a network protocol has come up.
300 */
301 void
302 np_up(unit, proto)
303 int unit, proto;
304 {
305 int tlim;
306
307 if (num_np_up == 0) {
308 /*
309 * At this point we consider that the link has come up successfully.
310 */
311 status = EXIT_OK;
312 unsuccess = 0;
313 new_phase(PHASE_RUNNING);
314
315 tlim = idle_time_limit;
316 if (tlim > 0)
317 TIMEOUT(check_idle, NULL, tlim);
318
319 /*
320 * Set a timeout to close the connection once the maximum
321 * connect time has expired.
322 */
323 if (maxconnect > 0)
324 TIMEOUT(connect_time_expired, 0, maxconnect);
325
326 /*
327 * Detach now, if the updetach option was given.
328 */
329 if (updetach && !nodetach)
330 detach();
331 }
332 ++num_np_up;
333 }
334
335 /*
336 * np_down - a network protocol has gone down.
337 */
338 void
339 np_down(unit, proto)
340 int unit, proto;
341 {
342 if (--num_np_up == 0) {
343 UNTIMEOUT(check_idle, NULL);
344 new_phase(PHASE_NETWORK);
345 }
346 }
347
348 /*
349 * np_finished - a network protocol has finished using the link.
350 */
351 void
352 np_finished(unit, proto)
353 int unit, proto;
354 {
355 if (--num_np_open <= 0) {
356 /* no further use for the link: shut up shop. */
357 lcp_close(0, "No network protocols running");
358 }
359 }
360
361 /*
362 * check_idle - check whether the link has been idle for long
363 * enough that we can shut it down.
364 */
365 static void
366 check_idle(arg)
367 void *arg;
368 {
369 struct ppp_idle idle;
370 time_t itime;
371 int tlim;
372
373 if (!get_idle_time(0, &idle))
374 return;
375 itime = MIN(idle.xmit_idle, idle.recv_idle);
376 tlim = idle_time_limit - itime;
377 if (tlim <= 0) {
378 /* link is idle: shut it down. */
379
380 LOGX_INFO("Terminating connection due to lack of activity.");
381 notice("Terminating connection due to lack of activity.");
382
383 lcp_close(0, "Link inactive");
384 need_holdoff = 0;
385 status = EXIT_IDLE_TIMEOUT;
386 } else {
387 TIMEOUT(check_idle, NULL, tlim);
388 }
389 }
390
391 /*
392 * connect_time_expired - log a message and close the connection.
393 */
394 static void
395 connect_time_expired(arg)
396 void *arg;
397 {
398 info("Connect time expired");
399 lcp_close(0, "Connect time expired"); /* Close connection */
400 status = EXIT_CONNECT_TIME;
401 }
402
403 /*
404 * auth_reset - called when LCP is starting negotiations to recheck
405 * authentication options, i.e. whether we have appropriate secrets
406 * to use for authenticating ourselves and/or the peer.
407 */
408 void
409 auth_reset(unit)
410 int unit;
411 {
412 lcp_options *ao = &lcp_allowoptions[0];
413
414 ao->neg_upap = !refuse_pap && (passwd[0] != 0);
415 ao->neg_chap = !refuse_chap && (passwd[0] != 0);
416 }
417
418 /*
419 * get_secret - open the CHAP secret file and return the secret
420 * for authenticating the given client on the given server.
421 * (We could be either client or server).
422 */
423 int
424 get_secret(unit, client, server, secret, secret_len, am_server)
425 int unit;
426 char *client;
427 char *server;
428 char *secret;
429 int *secret_len;
430 int am_server;
431 {
432 *secret_len = strlen(passwd);
433 BCOPY(passwd, secret, *secret_len);
434 return 1;
435 }
436
437 /*
438 * bad_ip_adrs - return 1 if the IP address is one we don't want
439 * to use, such as an address in the loopback net or a multicast address.
440 * addr is in network byte order.
441 */
442 int
443 bad_ip_adrs(addr)
444 u_int32_t addr;
445 {
446 addr = ntohl(addr);
447 return (addr >> IN_CLASSA_NSHIFT) == IN_LOOPBACKNET
448 || IN_MULTICAST(addr) || IN_BADCLASS(addr);
449 }
Tomato firmware and modifications.