2 * auth.c - PPP authentication and phase control.
4 * Copyright (c) 1993 The Australian National University.
7 * Redistribution and use in source and binary forms are permitted
8 * provided that the above copyright notice and this paragraph are
9 * duplicated in all such forms and that any documentation,
10 * advertising materials, and other materials related to such
11 * distribution and use acknowledge that the software was developed
12 * by the Australian National University. The name of the University
13 * may not be used to endorse or promote products derived from this
14 * software without specific prior written permission.
15 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
16 * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
17 * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
19 * Copyright (c) 1989 Carnegie Mellon University.
20 * All rights reserved.
22 * Redistribution and use in source and binary forms are permitted
23 * provided that the above copyright notice and this paragraph are
24 * duplicated in all such forms and that any documentation,
25 * advertising materials, and other materials related to such
26 * distribution and use acknowledge that the software was developed
27 * by Carnegie Mellon University. The name of the
28 * University may not be used to endorse or promote products derived
29 * from this software without specific prior written permission.
30 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
31 * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
32 * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
35 #define RCSID "$Id: auth.c,v 1.1.1.4 2003/10/14 08:09:54 sparq Exp $"
38 #include <netinet/in.h>
47 /* The name by which the peer authenticated itself to us. */
48 char peer_authname
[MAXNAMELEN
];
50 /* Records which authentication operations haven't completed yet. */
51 static int auth_pending
[NUM_PPP
];
53 /* Number of network protocols which we have opened. */
54 static int num_np_open
;
56 /* Number of network protocols which have come up. */
62 bool uselogin
= 0; /* Use /etc/passwd for checking PAP */
63 bool cryptpap
= 0; /* Passwords in pap-secrets are encrypted */
64 bool refuse_pap
= 0; /* Don't wanna auth. ourselves with PAP */
65 bool refuse_chap
= 0; /* Don't wanna auth. ourselves with CHAP */
66 bool usehostname
= 0; /* Use hostname for our_name */
67 bool auth_required
= 0; /* Always require authentication from peer */
68 bool allow_any_ip
= 0; /* Allow peer to use any IP address */
69 bool explicit_remote
= 0; /* User specified explicit remote name */
70 char remote_name
[MAXNAMELEN
]; /* Peer's name for authentication */
72 /* Bits in auth_pending[] */
73 #define PAP_WITHPEER 1
75 #define CHAP_WITHPEER 4
78 /* Prototypes for procedures local to this file. */
80 static void network_phase
__P((int));
81 static void check_idle
__P((void *));
82 static void connect_time_expired
__P((void *));
85 * LCP has terminated the link; go to the Dead phase and take the
86 * physical layer down.
92 if (phase
== PHASE_DEAD
)
94 new_phase(PHASE_DEAD
);
95 LOGX_INFO("Connection terminated.");
96 notice("Connection terminated.");
100 * LCP has gone down; it will either die or try to re-establish.
107 struct protent
*protp
;
109 for (i
= 0; (protp
= protocols
[i
]) != NULL
; ++i
) {
110 if (!protp
->enabled_flag
)
112 if (protp
->protocol
!= PPP_LCP
&& protp
->lowerdown
!= NULL
)
113 (*protp
->lowerdown
)(unit
);
114 if (protp
->protocol
< 0xC000 && protp
->close
!= NULL
)
115 (*protp
->close
)(unit
, "LCP down");
119 if (phase
!= PHASE_DEAD
)
120 new_phase(PHASE_TERMINATE
);
124 * The link is established.
125 * Proceed to the Dead, Authenticate or Network phase as appropriate.
128 link_established(unit
)
132 lcp_options
*ho
= &lcp_hisoptions
[unit
];
134 struct protent
*protp
;
137 * Tell higher-level protocols that LCP is up.
139 for (i
= 0; (protp
= protocols
[i
]) != NULL
; ++i
)
140 if (protp
->protocol
!= PPP_LCP
&& protp
->enabled_flag
141 && protp
->lowerup
!= NULL
)
142 (*protp
->lowerup
)(unit
);
144 new_phase(PHASE_AUTHENTICATE
);
148 ChapAuthWithPeer(unit
, user
, ho
->chap_mdtype
);
149 auth
|= CHAP_WITHPEER
;
151 error("CHAP unsupported");
153 } else if (ho
->neg_upap
) {
154 if (passwd
[0] == 0) {
155 error("No secret found for PAP login");
157 upap_authwithpeer(unit
, user
, passwd
);
158 auth
|= PAP_WITHPEER
;
160 auth_pending
[unit
] = auth
;
167 * Proceed to the network phase.
180 struct protent
*protp
;
182 new_phase(PHASE_NETWORK
);
184 for (i
= 0; (protp
= protocols
[i
]) != NULL
; ++i
)
185 if (protp
->protocol
< 0xC000 && protp
->enabled_flag
186 && protp
->open
!= NULL
) {
188 if (protp
->protocol
!= PPP_CCP
)
192 if (num_np_open
== 0)
194 lcp_close(0, "No network protocols running");
198 * The peer has failed to authenticate himself using `protocol'.
201 auth_peer_fail(unit
, protocol
)
205 * Authentication failure: take the link down
207 lcp_close(unit
, "Authentication failed");
208 status
= EXIT_PEER_AUTH_FAILED
;
212 * The peer has been successfully authenticated using `protocol'.
215 auth_peer_success(unit
, protocol
, name
, namelen
)
230 warn("auth_peer_success: unknown protocol %x", protocol
);
235 * Save the authenticated name of the peer for later.
237 if (namelen
> sizeof(peer_authname
) - 1)
238 namelen
= sizeof(peer_authname
) - 1;
239 BCOPY(name
, peer_authname
, namelen
);
240 peer_authname
[namelen
] = 0;
241 script_setenv("PEERNAME", peer_authname
, 0);
244 * If there is no more authentication still to be done,
245 * proceed to the network (or callback) phase.
247 if ((auth_pending
[unit
] &= ~bit
) == 0)
252 * We have failed to authenticate ourselves to the peer using `protocol'.
255 auth_withpeer_fail(unit
, protocol
)
259 * We've failed to authenticate ourselves to our peer.
260 * Some servers keep sending CHAP challenges, but there
261 * is no point in persisting without any way to get updated
262 * authentication secrets.
264 lcp_close(unit
, "Failed to authenticate ourselves to peer");
265 status
= EXIT_AUTH_TOPEER_FAILED
;
269 * We have successfully authenticated ourselves with the peer using `protocol'.
272 auth_withpeer_success(unit
, protocol
)
285 warn("auth_withpeer_success: unknown protocol %x", protocol
);
290 * If there is no more authentication still being done,
291 * proceed to the network (or callback) phase.
293 if ((auth_pending
[unit
] &= ~bit
) == 0)
299 * np_up - a network protocol has come up.
307 if (num_np_up
== 0) {
309 * At this point we consider that the link has come up successfully.
313 new_phase(PHASE_RUNNING
);
315 tlim
= idle_time_limit
;
317 TIMEOUT(check_idle
, NULL
, tlim
);
320 * Set a timeout to close the connection once the maximum
321 * connect time has expired.
324 TIMEOUT(connect_time_expired
, 0, maxconnect
);
327 * Detach now, if the updetach option was given.
329 if (updetach
&& !nodetach
)
336 * np_down - a network protocol has gone down.
342 if (--num_np_up
== 0) {
343 UNTIMEOUT(check_idle
, NULL
);
344 new_phase(PHASE_NETWORK
);
349 * np_finished - a network protocol has finished using the link.
352 np_finished(unit
, proto
)
355 if (--num_np_open
<= 0) {
356 /* no further use for the link: shut up shop. */
357 lcp_close(0, "No network protocols running");
362 * check_idle - check whether the link has been idle for long
363 * enough that we can shut it down.
369 struct ppp_idle idle
;
373 if (!get_idle_time(0, &idle
))
375 itime
= MIN(idle
.xmit_idle
, idle
.recv_idle
);
376 tlim
= idle_time_limit
- itime
;
378 /* link is idle: shut it down. */
380 LOGX_INFO("Terminating connection due to lack of activity.");
381 notice("Terminating connection due to lack of activity.");
383 lcp_close(0, "Link inactive");
385 status
= EXIT_IDLE_TIMEOUT
;
387 TIMEOUT(check_idle
, NULL
, tlim
);
392 * connect_time_expired - log a message and close the connection.
395 connect_time_expired(arg
)
398 info("Connect time expired");
399 lcp_close(0, "Connect time expired"); /* Close connection */
400 status
= EXIT_CONNECT_TIME
;
404 * auth_reset - called when LCP is starting negotiations to recheck
405 * authentication options, i.e. whether we have appropriate secrets
406 * to use for authenticating ourselves and/or the peer.
412 lcp_options
*ao
= &lcp_allowoptions
[0];
414 ao
->neg_upap
= !refuse_pap
&& (passwd
[0] != 0);
415 ao
->neg_chap
= !refuse_chap
&& (passwd
[0] != 0);
419 * get_secret - open the CHAP secret file and return the secret
420 * for authenticating the given client on the given server.
421 * (We could be either client or server).
424 get_secret(unit
, client
, server
, secret
, secret_len
, am_server
)
432 *secret_len
= strlen(passwd
);
433 BCOPY(passwd
, secret
, *secret_len
);
438 * bad_ip_adrs - return 1 if the IP address is one we don't want
439 * to use, such as an address in the loopback net or a multicast address.
440 * addr is in network byte order.
447 return (addr
>> IN_CLASSA_NSHIFT
) == IN_LOOPBACKNET
448 || IN_MULTICAST(addr
) || IN_BADCLASS(addr
);