1/*-
2 * Copyright (c) 1996 - 2001 Brian Somers <brian@Awfulhak.org>
3 * based on work by Toshiharu OHNO <tony-o@iij.ad.jp>
4 * Internet Initiative Japan, Inc (IIJ)
5 * All rights reserved.
6 *
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted provided that the following conditions
9 * are met:
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in the
14 * documentation and/or other materials provided with the distribution.
15 *
16 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
17 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
18 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
19 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
20 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
21 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
22 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
23 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
24 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
25 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
26 * SUCH DAMAGE.
27 *
28 * $FreeBSD: head/usr.sbin/ppp/auth.c 174870 2007-12-22 19:29:32Z des $
29 */
30
31#include <sys/param.h>
32#include <netinet/in.h>
33#include <netinet/in_systm.h>
34#include <netinet/ip.h>
35#include <sys/socket.h>
36#include <sys/un.h>
37
38#include <pwd.h>
39#include <stdio.h>
40#include <stdlib.h>
41#include <string.h>
42#include <termios.h>
43#include <unistd.h>
44
45#ifndef NOPAM
46#include <security/pam_appl.h>
47#ifdef OPENPAM
48#include <security/openpam.h>
49#endif
50#endif /* !NOPAM */
51
52#include "layer.h"
53#include "mbuf.h"
54#include "defs.h"
55#include "log.h"
56#include "timer.h"
57#include "fsm.h"
58#include "iplist.h"
59#include "throughput.h"
60#include "slcompress.h"
61#include "lqr.h"
62#include "hdlc.h"
63#include "ncpaddr.h"
64#include "ipcp.h"
65#include "auth.h"
66#include "systems.h"
67#include "lcp.h"
68#include "ccp.h"
69#include "link.h"
70#include "descriptor.h"
71#include "chat.h"
72#include "proto.h"
73#include "filter.h"
74#include "mp.h"
75#ifndef NORADIUS
76#include "radius.h"
77#endif
78#include "cbcp.h"
79#include "chap.h"
80#include "async.h"
81#include "physical.h"
82#include "datalink.h"
83#include "ipv6cp.h"
84#include "ncp.h"
85#include "bundle.h"
86
87const char *
88Auth2Nam(u_short auth, u_char type)
89{
90 static char chap[10];
91
92 switch (auth) {
93 case PROTO_PAP:
94 return "PAP";
95 case PROTO_CHAP:
96 snprintf(chap, sizeof chap, "CHAP 0x%02x", type);
97 return chap;
98 case 0:
99 return "none";
100 }
101 return "unknown";
102}
103
104#if !defined(NOPAM) && !defined(OPENPAM)
105static int
106pam_conv(int n, const struct pam_message **msg, struct pam_response **resp,
107 void *data)
108{
109
110 if (n != 1 || msg[0]->msg_style != PAM_PROMPT_ECHO_OFF)
111 return (PAM_CONV_ERR);
112 if ((*resp = malloc(sizeof(struct pam_response))) == NULL)
113 return (PAM_CONV_ERR);
114 (*resp)[0].resp = strdup((const char *)data);
115 (*resp)[0].resp_retcode = 0;
116
117 return ((*resp)[0].resp != NULL ? PAM_SUCCESS : PAM_CONV_ERR);
118}
119#endif /* !defined(NOPAM) && !defined(OPENPAM) */
120
121static int
122auth_CheckPasswd(const char *name, const char *data, const char *key)
123{
124 if (!strcmp(data, "*")) {
125#ifdef NOPAM
126 /* Then look up the real password database */
127 struct passwd *pw;
128 int result;
129
130 result = (pw = getpwnam(name)) &&
131 !strcmp(crypt(key, pw->pw_passwd), pw->pw_passwd);
132 endpwent();
133 return result;
134#else /* !NOPAM */
135 /* Then consult with PAM. */
136 pam_handle_t *pamh;
137 int status;
138
139 struct pam_conv pamc = {
140#ifdef OPENPAM
141 &openpam_nullconv, NULL
142#else
143 &pam_conv, key
144#endif
145 };
146
147 if (pam_start("ppp", name, &pamc, &pamh) != PAM_SUCCESS)
148 return (0);
149#ifdef OPENPAM
150 if ((status = pam_set_item(pamh, PAM_AUTHTOK, key)) == PAM_SUCCESS)
151#endif
152 status = pam_authenticate(pamh, 0);
153 pam_end(pamh, status);
154 return (status == PAM_SUCCESS);
155#endif /* !NOPAM */
156 }
157
158 return !strcmp(data, key);
159}
160
161int
162auth_SetPhoneList(const char *name, char *phone, int phonelen)
163{
164 FILE *fp;
165 int n, lineno;
166 char *vector[6], buff[LINE_LEN];
167 const char *slash;
168
169 fp = OpenSecret(SECRETFILE);
170 if (fp != NULL) {
171again:
172 lineno = 0;
173 while (fgets(buff, sizeof buff, fp)) {
174 lineno++;
175 if (buff[0] == '#')
176 continue;
177 buff[strlen(buff) - 1] = '\0';
178 memset(vector, '\0', sizeof vector);
179 if ((n = MakeArgs(buff, vector, VECSIZE(vector), PARSE_REDUCE)) < 0)
180 log_Printf(LogWARN, "%s: %d: Invalid line\n", SECRETFILE, lineno);
181 if (n < 5)
182 continue;
183 if (strcmp(vector[0], name) == 0) {
184 CloseSecret(fp);
185 if (*vector[4] == '\0')
186 return 0;
187 strncpy(phone, vector[4], phonelen - 1);
188 phone[phonelen - 1] = '\0';
189 return 1; /* Valid */
190 }
191 }
192
193 if ((slash = strrchr(name, '\\')) != NULL && slash[1]) {
194 /* Look for the name without the leading domain */
195 name = slash + 1;
196 rewind(fp);
197 goto again;
198 }
199
200 CloseSecret(fp);
201 }
202 *phone = '\0';
203 return 0;
204}
205
206int
207auth_Select(struct bundle *bundle, const char *name)
208{
209 FILE *fp;
210 int n, lineno;
211 char *vector[5], buff[LINE_LEN];
212 const char *slash;
213
214 if (*name == '\0') {
215 ipcp_Setup(&bundle->ncp.ipcp, INADDR_NONE);
216 return 1;
217 }
218
219#ifndef NORADIUS
220 if (bundle->radius.valid && bundle->radius.ip.s_addr != INADDR_NONE &&
221 bundle->radius.ip.s_addr != RADIUS_INADDR_POOL) {
222 /* We've got a radius IP - it overrides everything */
223 if (!ipcp_UseHisIPaddr(bundle, bundle->radius.ip))
224 return 0;
225 ipcp_Setup(&bundle->ncp.ipcp, bundle->radius.mask.s_addr);
226 /* Continue with ppp.secret in case we've got a new label */
227 }
228#endif
229
230 fp = OpenSecret(SECRETFILE);
231 if (fp != NULL) {
232again:
233 lineno = 0;
234 while (fgets(buff, sizeof buff, fp)) {
235 lineno++;
236 if (buff[0] == '#')
237 continue;
238 buff[strlen(buff) - 1] = '\0';
239 memset(vector, '\0', sizeof vector);
240 if ((n = MakeArgs(buff, vector, VECSIZE(vector), PARSE_REDUCE)) < 0)
241 log_Printf(LogWARN, "%s: %d: Invalid line\n", SECRETFILE, lineno);
242 if (n < 2)
243 continue;
244 if (strcmp(vector[0], name) == 0) {
245 CloseSecret(fp);
246#ifndef NORADIUS
247 if (!bundle->radius.valid || bundle->radius.ip.s_addr == INADDR_NONE) {
248#endif
249 if (n > 2 && *vector[2] && strcmp(vector[2], "*") &&
250 !ipcp_UseHisaddr(bundle, vector[2], 1))
251 return 0;
252 ipcp_Setup(&bundle->ncp.ipcp, INADDR_NONE);
253#ifndef NORADIUS
254 }
255#endif
256 if (n > 3 && *vector[3] && strcmp(vector[3], "*"))
257 bundle_SetLabel(bundle, vector[3]);
258 return 1; /* Valid */
259 }
260 }
261
262 if ((slash = strrchr(name, '\\')) != NULL && slash[1]) {
263 /* Look for the name without the leading domain */
264 name = slash + 1;
265 rewind(fp);
266 goto again;
267 }
268
269 CloseSecret(fp);
270 }
271
272#ifndef NOPASSWDAUTH
273 /* Let 'em in anyway - they must have been in the passwd file */
274 ipcp_Setup(&bundle->ncp.ipcp, INADDR_NONE);
275 return 1;
276#else
277#ifndef NORADIUS
278 if (bundle->radius.valid)
279 return 1;
280#endif
281
282 /* Disappeared from ppp.secret ??? */
283 return 0;
284#endif
285}
286
287int
288auth_Validate(struct bundle *bundle, const char *name, const char *key)
289{
290 /* Used by PAP routines */
291
292 FILE *fp;
293 int n, lineno;
294 char *vector[5], buff[LINE_LEN];
295 const char *slash;
296
297 fp = OpenSecret(SECRETFILE);
298again:
299 lineno = 0;
300 if (fp != NULL) {
301 while (fgets(buff, sizeof buff, fp)) {
302 lineno++;
303 if (buff[0] == '#')
304 continue;
305 buff[strlen(buff) - 1] = 0;
306 memset(vector, '\0', sizeof vector);
307 if ((n = MakeArgs(buff, vector, VECSIZE(vector), PARSE_REDUCE)) < 0)
308 log_Printf(LogWARN, "%s: %d: Invalid line\n", SECRETFILE, lineno);
309 if (n < 2)
310 continue;
311 if (strcmp(vector[0], name) == 0) {
312 CloseSecret(fp);
313 return auth_CheckPasswd(name, vector[1], key);
314 }
315 }
316 }
317
318 if ((slash = strrchr(name, '\\')) != NULL && slash[1]) {
319 /* Look for the name without the leading domain */
320 name = slash + 1;
321 if (fp != NULL) {
322 rewind(fp);
323 goto again;
324 }
325 }
326
327 if (fp != NULL)
328 CloseSecret(fp);
329
330#ifndef NOPASSWDAUTH
331 if (Enabled(bundle, OPT_PASSWDAUTH))
332 return auth_CheckPasswd(name, "*", key);
333#endif
334
335 return 0; /* Invalid */
336}
337
338char *
339auth_GetSecret(const char *name, size_t len)
340{
341 /* Used by CHAP routines */
342
343 FILE *fp;
344 int n, lineno;
345 char *vector[5];
346 const char *slash;
347 static char buff[LINE_LEN]; /* vector[] will point here when returned */
348
349 fp = OpenSecret(SECRETFILE);
350 if (fp == NULL)
351 return (NULL);
352
353again:
354 lineno = 0;
355 while (fgets(buff, sizeof buff, fp)) {
356 lineno++;
357 if (buff[0] == '#')
358 continue;
359 n = strlen(buff) - 1;
360 if (buff[n] == '\n')
361 buff[n] = '\0'; /* Trim the '\n' */
362 memset(vector, '\0', sizeof vector);
363 if ((n = MakeArgs(buff, vector, VECSIZE(vector), PARSE_REDUCE)) < 0)
364 log_Printf(LogWARN, "%s: %d: Invalid line\n", SECRETFILE, lineno);
365 if (n < 2)
366 continue;
367 if (strlen(vector[0]) == len && strncmp(vector[0], name, len) == 0) {
368 CloseSecret(fp);
369 return vector[1];
370 }
371 }
372
373 if ((slash = strrchr(name, '\\')) != NULL && slash[1]) {
374 /* Go back and look for the name without the leading domain */
375 len -= slash - name + 1;
376 name = slash + 1;
377 rewind(fp);
378 goto again;
379 }
380
381 CloseSecret(fp);
382 return (NULL); /* Invalid */
383}
384
385static void
386AuthTimeout(void *vauthp)
387{
388 struct authinfo *authp = (struct authinfo *)vauthp;
389
390 timer_Stop(&authp->authtimer);
391 if (--authp->retry > 0) {
392 authp->id++;
393 (*authp->fn.req)(authp);
394 timer_Start(&authp->authtimer);
395 } else {
396 log_Printf(LogPHASE, "Auth: No response from server\n");
397 datalink_AuthNotOk(authp->physical->dl);
398 }
399}
400
401void
402auth_Init(struct authinfo *authp, struct physical *p, auth_func req,
403 auth_func success, auth_func failure)
404{
405 memset(authp, '\0', sizeof(struct authinfo));
406 authp->cfg.fsm.timeout = DEF_FSMRETRY;
407 authp->cfg.fsm.maxreq = DEF_FSMAUTHTRIES;
408 authp->cfg.fsm.maxtrm = 0; /* not used */
409 authp->fn.req = req;
410 authp->fn.success = success;
411 authp->fn.failure = failure;
412 authp->physical = p;
413}
414
415void
416auth_StartReq(struct authinfo *authp)
417{
418 timer_Stop(&authp->authtimer);
419 authp->authtimer.func = AuthTimeout;
420 authp->authtimer.name = "auth";
421 authp->authtimer.load = authp->cfg.fsm.timeout * SECTICKS;
422 authp->authtimer.arg = (void *)authp;
423 authp->retry = authp->cfg.fsm.maxreq;
424 authp->id = 1;
425 (*authp->fn.req)(authp);
426 timer_Start(&authp->authtimer);
427}
428
429void
430auth_StopTimer(struct authinfo *authp)
431{
432 timer_Stop(&authp->authtimer);
433}
434
435struct mbuf *
436auth_ReadHeader(struct authinfo *authp, struct mbuf *bp)
437{
438 size_t len;
439
440 len = m_length(bp);
441 if (len >= sizeof authp->in.hdr) {
442 bp = mbuf_Read(bp, (u_char *)&authp->in.hdr, sizeof authp->in.hdr);
443 if (len >= ntohs(authp->in.hdr.length))
444 return bp;
445 authp->in.hdr.length = htons(0);
446 log_Printf(LogWARN, "auth_ReadHeader: Short packet (%u > %zu) !\n",
447 ntohs(authp->in.hdr.length), len);
448 } else {
449 authp->in.hdr.length = htons(0);
450 log_Printf(LogWARN, "auth_ReadHeader: Short packet header (%u > %zu) !\n",
451 (int)(sizeof authp->in.hdr), len);
452 }
453
454 m_freem(bp);
455 return NULL;
456}
457
458struct mbuf *
459auth_ReadName(struct authinfo *authp, struct mbuf *bp, size_t len)
460{
461 if (len > sizeof authp->in.name - 1)
462 log_Printf(LogWARN, "auth_ReadName: Name too long (%zu) !\n", len);
463 else {
464 size_t mlen = m_length(bp);
465
466 if (len > mlen)
467 log_Printf(LogWARN, "auth_ReadName: Short packet (%zu > %zu) !\n",
468 len, mlen);
469 else {
470 bp = mbuf_Read(bp, (u_char *)authp->in.name, len);
471 authp->in.name[len] = '\0';
472 return bp;
473 }
474 }
475
476 *authp->in.name = '\0';
477 m_freem(bp);
478 return NULL;
479}
2 * Copyright (c) 1996 - 2001 Brian Somers <brian@Awfulhak.org>
3 * based on work by Toshiharu OHNO <tony-o@iij.ad.jp>
4 * Internet Initiative Japan, Inc (IIJ)
5 * All rights reserved.
6 *
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted provided that the following conditions
9 * are met:
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in the
14 * documentation and/or other materials provided with the distribution.
15 *
16 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
17 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
18 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
19 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
20 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
21 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
22 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
23 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
24 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
25 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
26 * SUCH DAMAGE.
27 *
28 * $FreeBSD: head/usr.sbin/ppp/auth.c 174870 2007-12-22 19:29:32Z des $
29 */
30
31#include <sys/param.h>
32#include <netinet/in.h>
33#include <netinet/in_systm.h>
34#include <netinet/ip.h>
35#include <sys/socket.h>
36#include <sys/un.h>
37
38#include <pwd.h>
39#include <stdio.h>
40#include <stdlib.h>
41#include <string.h>
42#include <termios.h>
43#include <unistd.h>
44
45#ifndef NOPAM
46#include <security/pam_appl.h>
47#ifdef OPENPAM
48#include <security/openpam.h>
49#endif
50#endif /* !NOPAM */
51
52#include "layer.h"
53#include "mbuf.h"
54#include "defs.h"
55#include "log.h"
56#include "timer.h"
57#include "fsm.h"
58#include "iplist.h"
59#include "throughput.h"
60#include "slcompress.h"
61#include "lqr.h"
62#include "hdlc.h"
63#include "ncpaddr.h"
64#include "ipcp.h"
65#include "auth.h"
66#include "systems.h"
67#include "lcp.h"
68#include "ccp.h"
69#include "link.h"
70#include "descriptor.h"
71#include "chat.h"
72#include "proto.h"
73#include "filter.h"
74#include "mp.h"
75#ifndef NORADIUS
76#include "radius.h"
77#endif
78#include "cbcp.h"
79#include "chap.h"
80#include "async.h"
81#include "physical.h"
82#include "datalink.h"
83#include "ipv6cp.h"
84#include "ncp.h"
85#include "bundle.h"
86
87const char *
88Auth2Nam(u_short auth, u_char type)
89{
90 static char chap[10];
91
92 switch (auth) {
93 case PROTO_PAP:
94 return "PAP";
95 case PROTO_CHAP:
96 snprintf(chap, sizeof chap, "CHAP 0x%02x", type);
97 return chap;
98 case 0:
99 return "none";
100 }
101 return "unknown";
102}
103
104#if !defined(NOPAM) && !defined(OPENPAM)
105static int
106pam_conv(int n, const struct pam_message **msg, struct pam_response **resp,
107 void *data)
108{
109
110 if (n != 1 || msg[0]->msg_style != PAM_PROMPT_ECHO_OFF)
111 return (PAM_CONV_ERR);
112 if ((*resp = malloc(sizeof(struct pam_response))) == NULL)
113 return (PAM_CONV_ERR);
114 (*resp)[0].resp = strdup((const char *)data);
115 (*resp)[0].resp_retcode = 0;
116
117 return ((*resp)[0].resp != NULL ? PAM_SUCCESS : PAM_CONV_ERR);
118}
119#endif /* !defined(NOPAM) && !defined(OPENPAM) */
120
121static int
122auth_CheckPasswd(const char *name, const char *data, const char *key)
123{
124 if (!strcmp(data, "*")) {
125#ifdef NOPAM
126 /* Then look up the real password database */
127 struct passwd *pw;
128 int result;
129
130 result = (pw = getpwnam(name)) &&
131 !strcmp(crypt(key, pw->pw_passwd), pw->pw_passwd);
132 endpwent();
133 return result;
134#else /* !NOPAM */
135 /* Then consult with PAM. */
136 pam_handle_t *pamh;
137 int status;
138
139 struct pam_conv pamc = {
140#ifdef OPENPAM
141 &openpam_nullconv, NULL
142#else
143 &pam_conv, key
144#endif
145 };
146
147 if (pam_start("ppp", name, &pamc, &pamh) != PAM_SUCCESS)
148 return (0);
149#ifdef OPENPAM
150 if ((status = pam_set_item(pamh, PAM_AUTHTOK, key)) == PAM_SUCCESS)
151#endif
152 status = pam_authenticate(pamh, 0);
153 pam_end(pamh, status);
154 return (status == PAM_SUCCESS);
155#endif /* !NOPAM */
156 }
157
158 return !strcmp(data, key);
159}
160
161int
162auth_SetPhoneList(const char *name, char *phone, int phonelen)
163{
164 FILE *fp;
165 int n, lineno;
166 char *vector[6], buff[LINE_LEN];
167 const char *slash;
168
169 fp = OpenSecret(SECRETFILE);
170 if (fp != NULL) {
171again:
172 lineno = 0;
173 while (fgets(buff, sizeof buff, fp)) {
174 lineno++;
175 if (buff[0] == '#')
176 continue;
177 buff[strlen(buff) - 1] = '\0';
178 memset(vector, '\0', sizeof vector);
179 if ((n = MakeArgs(buff, vector, VECSIZE(vector), PARSE_REDUCE)) < 0)
180 log_Printf(LogWARN, "%s: %d: Invalid line\n", SECRETFILE, lineno);
181 if (n < 5)
182 continue;
183 if (strcmp(vector[0], name) == 0) {
184 CloseSecret(fp);
185 if (*vector[4] == '\0')
186 return 0;
187 strncpy(phone, vector[4], phonelen - 1);
188 phone[phonelen - 1] = '\0';
189 return 1; /* Valid */
190 }
191 }
192
193 if ((slash = strrchr(name, '\\')) != NULL && slash[1]) {
194 /* Look for the name without the leading domain */
195 name = slash + 1;
196 rewind(fp);
197 goto again;
198 }
199
200 CloseSecret(fp);
201 }
202 *phone = '\0';
203 return 0;
204}
205
206int
207auth_Select(struct bundle *bundle, const char *name)
208{
209 FILE *fp;
210 int n, lineno;
211 char *vector[5], buff[LINE_LEN];
212 const char *slash;
213
214 if (*name == '\0') {
215 ipcp_Setup(&bundle->ncp.ipcp, INADDR_NONE);
216 return 1;
217 }
218
219#ifndef NORADIUS
220 if (bundle->radius.valid && bundle->radius.ip.s_addr != INADDR_NONE &&
221 bundle->radius.ip.s_addr != RADIUS_INADDR_POOL) {
222 /* We've got a radius IP - it overrides everything */
223 if (!ipcp_UseHisIPaddr(bundle, bundle->radius.ip))
224 return 0;
225 ipcp_Setup(&bundle->ncp.ipcp, bundle->radius.mask.s_addr);
226 /* Continue with ppp.secret in case we've got a new label */
227 }
228#endif
229
230 fp = OpenSecret(SECRETFILE);
231 if (fp != NULL) {
232again:
233 lineno = 0;
234 while (fgets(buff, sizeof buff, fp)) {
235 lineno++;
236 if (buff[0] == '#')
237 continue;
238 buff[strlen(buff) - 1] = '\0';
239 memset(vector, '\0', sizeof vector);
240 if ((n = MakeArgs(buff, vector, VECSIZE(vector), PARSE_REDUCE)) < 0)
241 log_Printf(LogWARN, "%s: %d: Invalid line\n", SECRETFILE, lineno);
242 if (n < 2)
243 continue;
244 if (strcmp(vector[0], name) == 0) {
245 CloseSecret(fp);
246#ifndef NORADIUS
247 if (!bundle->radius.valid || bundle->radius.ip.s_addr == INADDR_NONE) {
248#endif
249 if (n > 2 && *vector[2] && strcmp(vector[2], "*") &&
250 !ipcp_UseHisaddr(bundle, vector[2], 1))
251 return 0;
252 ipcp_Setup(&bundle->ncp.ipcp, INADDR_NONE);
253#ifndef NORADIUS
254 }
255#endif
256 if (n > 3 && *vector[3] && strcmp(vector[3], "*"))
257 bundle_SetLabel(bundle, vector[3]);
258 return 1; /* Valid */
259 }
260 }
261
262 if ((slash = strrchr(name, '\\')) != NULL && slash[1]) {
263 /* Look for the name without the leading domain */
264 name = slash + 1;
265 rewind(fp);
266 goto again;
267 }
268
269 CloseSecret(fp);
270 }
271
272#ifndef NOPASSWDAUTH
273 /* Let 'em in anyway - they must have been in the passwd file */
274 ipcp_Setup(&bundle->ncp.ipcp, INADDR_NONE);
275 return 1;
276#else
277#ifndef NORADIUS
278 if (bundle->radius.valid)
279 return 1;
280#endif
281
282 /* Disappeared from ppp.secret ??? */
283 return 0;
284#endif
285}
286
287int
288auth_Validate(struct bundle *bundle, const char *name, const char *key)
289{
290 /* Used by PAP routines */
291
292 FILE *fp;
293 int n, lineno;
294 char *vector[5], buff[LINE_LEN];
295 const char *slash;
296
297 fp = OpenSecret(SECRETFILE);
298again:
299 lineno = 0;
300 if (fp != NULL) {
301 while (fgets(buff, sizeof buff, fp)) {
302 lineno++;
303 if (buff[0] == '#')
304 continue;
305 buff[strlen(buff) - 1] = 0;
306 memset(vector, '\0', sizeof vector);
307 if ((n = MakeArgs(buff, vector, VECSIZE(vector), PARSE_REDUCE)) < 0)
308 log_Printf(LogWARN, "%s: %d: Invalid line\n", SECRETFILE, lineno);
309 if (n < 2)
310 continue;
311 if (strcmp(vector[0], name) == 0) {
312 CloseSecret(fp);
313 return auth_CheckPasswd(name, vector[1], key);
314 }
315 }
316 }
317
318 if ((slash = strrchr(name, '\\')) != NULL && slash[1]) {
319 /* Look for the name without the leading domain */
320 name = slash + 1;
321 if (fp != NULL) {
322 rewind(fp);
323 goto again;
324 }
325 }
326
327 if (fp != NULL)
328 CloseSecret(fp);
329
330#ifndef NOPASSWDAUTH
331 if (Enabled(bundle, OPT_PASSWDAUTH))
332 return auth_CheckPasswd(name, "*", key);
333#endif
334
335 return 0; /* Invalid */
336}
337
338char *
339auth_GetSecret(const char *name, size_t len)
340{
341 /* Used by CHAP routines */
342
343 FILE *fp;
344 int n, lineno;
345 char *vector[5];
346 const char *slash;
347 static char buff[LINE_LEN]; /* vector[] will point here when returned */
348
349 fp = OpenSecret(SECRETFILE);
350 if (fp == NULL)
351 return (NULL);
352
353again:
354 lineno = 0;
355 while (fgets(buff, sizeof buff, fp)) {
356 lineno++;
357 if (buff[0] == '#')
358 continue;
359 n = strlen(buff) - 1;
360 if (buff[n] == '\n')
361 buff[n] = '\0'; /* Trim the '\n' */
362 memset(vector, '\0', sizeof vector);
363 if ((n = MakeArgs(buff, vector, VECSIZE(vector), PARSE_REDUCE)) < 0)
364 log_Printf(LogWARN, "%s: %d: Invalid line\n", SECRETFILE, lineno);
365 if (n < 2)
366 continue;
367 if (strlen(vector[0]) == len && strncmp(vector[0], name, len) == 0) {
368 CloseSecret(fp);
369 return vector[1];
370 }
371 }
372
373 if ((slash = strrchr(name, '\\')) != NULL && slash[1]) {
374 /* Go back and look for the name without the leading domain */
375 len -= slash - name + 1;
376 name = slash + 1;
377 rewind(fp);
378 goto again;
379 }
380
381 CloseSecret(fp);
382 return (NULL); /* Invalid */
383}
384
385static void
386AuthTimeout(void *vauthp)
387{
388 struct authinfo *authp = (struct authinfo *)vauthp;
389
390 timer_Stop(&authp->authtimer);
391 if (--authp->retry > 0) {
392 authp->id++;
393 (*authp->fn.req)(authp);
394 timer_Start(&authp->authtimer);
395 } else {
396 log_Printf(LogPHASE, "Auth: No response from server\n");
397 datalink_AuthNotOk(authp->physical->dl);
398 }
399}
400
401void
402auth_Init(struct authinfo *authp, struct physical *p, auth_func req,
403 auth_func success, auth_func failure)
404{
405 memset(authp, '\0', sizeof(struct authinfo));
406 authp->cfg.fsm.timeout = DEF_FSMRETRY;
407 authp->cfg.fsm.maxreq = DEF_FSMAUTHTRIES;
408 authp->cfg.fsm.maxtrm = 0; /* not used */
409 authp->fn.req = req;
410 authp->fn.success = success;
411 authp->fn.failure = failure;
412 authp->physical = p;
413}
414
415void
416auth_StartReq(struct authinfo *authp)
417{
418 timer_Stop(&authp->authtimer);
419 authp->authtimer.func = AuthTimeout;
420 authp->authtimer.name = "auth";
421 authp->authtimer.load = authp->cfg.fsm.timeout * SECTICKS;
422 authp->authtimer.arg = (void *)authp;
423 authp->retry = authp->cfg.fsm.maxreq;
424 authp->id = 1;
425 (*authp->fn.req)(authp);
426 timer_Start(&authp->authtimer);
427}
428
429void
430auth_StopTimer(struct authinfo *authp)
431{
432 timer_Stop(&authp->authtimer);
433}
434
435struct mbuf *
436auth_ReadHeader(struct authinfo *authp, struct mbuf *bp)
437{
438 size_t len;
439
440 len = m_length(bp);
441 if (len >= sizeof authp->in.hdr) {
442 bp = mbuf_Read(bp, (u_char *)&authp->in.hdr, sizeof authp->in.hdr);
443 if (len >= ntohs(authp->in.hdr.length))
444 return bp;
445 authp->in.hdr.length = htons(0);
446 log_Printf(LogWARN, "auth_ReadHeader: Short packet (%u > %zu) !\n",
447 ntohs(authp->in.hdr.length), len);
448 } else {
449 authp->in.hdr.length = htons(0);
450 log_Printf(LogWARN, "auth_ReadHeader: Short packet header (%u > %zu) !\n",
451 (int)(sizeof authp->in.hdr), len);
452 }
453
454 m_freem(bp);
455 return NULL;
456}
457
458struct mbuf *
459auth_ReadName(struct authinfo *authp, struct mbuf *bp, size_t len)
460{
461 if (len > sizeof authp->in.name - 1)
462 log_Printf(LogWARN, "auth_ReadName: Name too long (%zu) !\n", len);
463 else {
464 size_t mlen = m_length(bp);
465
466 if (len > mlen)
467 log_Printf(LogWARN, "auth_ReadName: Short packet (%zu > %zu) !\n",
468 len, mlen);
469 else {
470 bp = mbuf_Read(bp, (u_char *)authp->in.name, len);
471 authp->in.name[len] = '\0';
472 return bp;
473 }
474 }
475
476 *authp->in.name = '\0';
477 m_freem(bp);
478 return NULL;
479}