1/*
2 * auth.c - PPP authentication and phase control.
3 *
4 * Copyright (c) 1993 The Australian National University.
5 * All rights reserved.
6 *
7 * Redistribution and use in source and binary forms are permitted
8 * provided that the above copyright notice and this paragraph are
9 * duplicated in all such forms and that any documentation,
10 * advertising materials, and other materials related to such
11 * distribution and use acknowledge that the software was developed
12 * by the Australian National University.  The name of the University
13 * may not be used to endorse or promote products derived from this
14 * software without specific prior written permission.
15 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
16 * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
17 * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
18 *
19 * Copyright (c) 1989 Carnegie Mellon University.
20 * All rights reserved.
21 *
22 * Redistribution and use in source and binary forms are permitted
23 * provided that the above copyright notice and this paragraph are
24 * duplicated in all such forms and that any documentation,
25 * advertising materials, and other materials related to such
26 * distribution and use acknowledge that the software was developed
27 * by Carnegie Mellon University.  The name of the
28 * University may not be used to endorse or promote products derived
29 * from this software without specific prior written permission.
30 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
31 * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
32 * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
33 */
34
35#define RCSID	"$Id: auth.c,v 1.1.1.1 2008/10/15 03:30:13 james26_jang Exp $"
36
37#include <string.h>
38#include <netinet/in.h>
39
40#include "pppd.h"
41#include "fsm.h"
42#include "lcp.h"
43#include "ipcp.h"
44#include "upap.h"
45#include "chap.h"
46
47/* The name by which the peer authenticated itself to us. */
48char peer_authname[MAXNAMELEN];
49
50/* Records which authentication operations haven't completed yet. */
51static int auth_pending[NUM_PPP];
52
53/* Number of network protocols which we have opened. */
54static int num_np_open;
55
56/* Number of network protocols which have come up. */
57static int num_np_up;
58
59/*
60 * Option variables.
61 */
62bool uselogin = 0;		/* Use /etc/passwd for checking PAP */
63bool cryptpap = 0;		/* Passwords in pap-secrets are encrypted */
64bool refuse_pap = 0;		/* Don't wanna auth. ourselves with PAP */
65bool refuse_chap = 0;		/* Don't wanna auth. ourselves with CHAP */
66bool usehostname = 0;		/* Use hostname for our_name */
67bool auth_required = 0;		/* Always require authentication from peer */
68bool allow_any_ip = 0;		/* Allow peer to use any IP address */
69bool explicit_remote = 0;	/* User specified explicit remote name */
70char remote_name[MAXNAMELEN];	/* Peer's name for authentication */
71
72/* Bits in auth_pending[] */
73#define PAP_WITHPEER	1
74#define PAP_PEER	2
75#define CHAP_WITHPEER	4
76#define CHAP_PEER	8
77
78/* Prototypes for procedures local to this file. */
79
80static void network_phase __P((int));
81static void check_idle __P((void *));
82static void connect_time_expired __P((void *));
83
84/*
85 * LCP has terminated the link; go to the Dead phase and take the
86 * physical layer down.
87 */
88void
89link_terminated(unit)
90    int unit;
91{
92    if (phase == PHASE_DEAD)
93	return;
94    new_phase(PHASE_DEAD);
95    notice("Connection terminated.");
96}
97
98/*
99 * LCP has gone down; it will either die or try to re-establish.
100 */
101void
102link_down(unit)
103    int unit;
104{
105    int i;
106    struct protent *protp;
107
108    for (i = 0; (protp = protocols[i]) != NULL; ++i) {
109	if (!protp->enabled_flag)
110	    continue;
111        if (protp->protocol != PPP_LCP && protp->lowerdown != NULL)
112	    (*protp->lowerdown)(unit);
113        if (protp->protocol < 0xC000 && protp->close != NULL)
114	    (*protp->close)(unit, "LCP down");
115    }
116    num_np_open = 0;
117    num_np_up = 0;
118    if (phase != PHASE_DEAD)
119	new_phase(PHASE_TERMINATE);
120}
121
122/*
123 * The link is established.
124 * Proceed to the Dead, Authenticate or Network phase as appropriate.
125 */
126void
127link_established(unit)
128    int unit;
129{
130    int auth;
131    lcp_options *ho = &lcp_hisoptions[unit];
132    int i;
133    struct protent *protp;
134
135    /*
136     * Tell higher-level protocols that LCP is up.
137     */
138    for (i = 0; (protp = protocols[i]) != NULL; ++i)
139        if (protp->protocol != PPP_LCP && protp->enabled_flag
140	    && protp->lowerup != NULL)
141	    (*protp->lowerup)(unit);
142
143    new_phase(PHASE_AUTHENTICATE);
144    auth = 0;
145    if (ho->neg_chap) {
146#ifdef CHAP_SUPPORT
147	ChapAuthWithPeer(unit, user, ho->chap_mdtype);
148	auth |= CHAP_WITHPEER;
149#else
150	error("CHAP unsupported");
151#endif
152    } else if (ho->neg_upap) {
153	if (passwd[0] == 0) {
154	    error("No secret found for PAP login");
155	}
156	upap_authwithpeer(unit, user, passwd);
157	auth |= PAP_WITHPEER;
158    }
159    auth_pending[unit] = auth;
160
161    if (!auth)
162	network_phase(unit);
163}
164
165/*
166 * Proceed to the network phase.
167 */
168static void
169network_phase(unit)
170    int unit;
171{
172    start_networks();
173}
174
175void
176start_networks()
177{
178    int i;
179    struct protent *protp;
180
181    new_phase(PHASE_NETWORK);
182
183    for (i = 0; (protp = protocols[i]) != NULL; ++i)
184        if (protp->protocol < 0xC000 && protp->enabled_flag
185	    && protp->open != NULL) {
186	    (*protp->open)(0);
187	    if (protp->protocol != PPP_CCP)
188		++num_np_open;
189	}
190
191    if (num_np_open == 0)
192	/* nothing to do */
193	lcp_close(0, "No network protocols running");
194}
195
196/*
197 * The peer has failed to authenticate himself using `protocol'.
198 */
199void
200auth_peer_fail(unit, protocol)
201    int unit, protocol;
202{
203    /*
204     * Authentication failure: take the link down
205     */
206    lcp_close(unit, "Authentication failed");
207    status = EXIT_PEER_AUTH_FAILED;
208}
209
210/*
211 * The peer has been successfully authenticated using `protocol'.
212 */
213void
214auth_peer_success(unit, protocol, name, namelen)
215    int unit, protocol;
216    char *name;
217    int namelen;
218{
219    int bit;
220
221    switch (protocol) {
222    case PPP_CHAP:
223	bit = CHAP_PEER;
224	break;
225    case PPP_PAP:
226	bit = PAP_PEER;
227	break;
228    default:
229	warn("auth_peer_success: unknown protocol %x", protocol);
230	return;
231    }
232
233    /*
234     * Save the authenticated name of the peer for later.
235     */
236    if (namelen > sizeof(peer_authname) - 1)
237	namelen = sizeof(peer_authname) - 1;
238    BCOPY(name, peer_authname, namelen);
239    peer_authname[namelen] = 0;
240    script_setenv("PEERNAME", peer_authname, 0);
241
242    /*
243     * If there is no more authentication still to be done,
244     * proceed to the network (or callback) phase.
245     */
246    if ((auth_pending[unit] &= ~bit) == 0)
247        network_phase(unit);
248}
249
250/*
251 * We have failed to authenticate ourselves to the peer using `protocol'.
252 */
253void
254auth_withpeer_fail(unit, protocol)
255    int unit, protocol;
256{
257    /*
258     * We've failed to authenticate ourselves to our peer.
259     * Some servers keep sending CHAP challenges, but there
260     * is no point in persisting without any way to get updated
261     * authentication secrets.
262     */
263    lcp_close(unit, "Failed to authenticate ourselves to peer");
264    status = EXIT_AUTH_TOPEER_FAILED;
265}
266
267/*
268 * We have successfully authenticated ourselves with the peer using `protocol'.
269 */
270void
271auth_withpeer_success(unit, protocol)
272    int unit, protocol;
273{
274    int bit;
275
276    switch (protocol) {
277    case PPP_CHAP:
278	bit = CHAP_WITHPEER;
279	break;
280    case PPP_PAP:
281	bit = PAP_WITHPEER;
282	break;
283    default:
284	warn("auth_withpeer_success: unknown protocol %x", protocol);
285	bit = 0;
286    }
287
288    /*
289     * If there is no more authentication still being done,
290     * proceed to the network (or callback) phase.
291     */
292    if ((auth_pending[unit] &= ~bit) == 0)
293	network_phase(unit);
294}
295
296
297/*
298 * np_up - a network protocol has come up.
299 */
300void
301np_up(unit, proto)
302    int unit, proto;
303{
304    int tlim;
305
306    if (num_np_up == 0) {
307	/*
308	 * At this point we consider that the link has come up successfully.
309	 */
310	status = EXIT_OK;
311	unsuccess = 0;
312	new_phase(PHASE_RUNNING);
313
314	tlim = idle_time_limit;
315	if (tlim > 0)
316	    TIMEOUT(check_idle, NULL, tlim);
317
318	/*
319	 * Set a timeout to close the connection once the maximum
320	 * connect time has expired.
321	 */
322	if (maxconnect > 0)
323	    TIMEOUT(connect_time_expired, 0, maxconnect);
324
325	/*
326	 * Detach now, if the updetach option was given.
327	 */
328	if (updetach && !nodetach)
329	    detach();
330    }
331    ++num_np_up;
332}
333
334/*
335 * np_down - a network protocol has gone down.
336 */
337void
338np_down(unit, proto)
339    int unit, proto;
340{
341    if (--num_np_up == 0) {
342	UNTIMEOUT(check_idle, NULL);
343	new_phase(PHASE_NETWORK);
344    }
345}
346
347/*
348 * np_finished - a network protocol has finished using the link.
349 */
350void
351np_finished(unit, proto)
352    int unit, proto;
353{
354    if (--num_np_open <= 0) {
355	/* no further use for the link: shut up shop. */
356	lcp_close(0, "No network protocols running");
357    }
358}
359
360/*
361 * check_idle - check whether the link has been idle for long
362 * enough that we can shut it down.
363 */
364static void
365check_idle(arg)
366    void *arg;
367{
368    struct ppp_idle idle;
369    time_t itime;
370    int tlim;
371
372    if (!get_idle_time(0, &idle))
373	return;
374    itime = MIN(idle.xmit_idle, idle.recv_idle);
375    tlim = idle_time_limit - itime;
376    if (tlim <= 0) {
377	/* link is idle: shut it down. */
378	notice("Terminating connection due to lack of activity.");
379	lcp_close(0, "Link inactive");
380	need_holdoff = 0;
381	status = EXIT_IDLE_TIMEOUT;
382    } else {
383	TIMEOUT(check_idle, NULL, tlim);
384    }
385}
386
387/*
388 * connect_time_expired - log a message and close the connection.
389 */
390static void
391connect_time_expired(arg)
392    void *arg;
393{
394    info("Connect time expired");
395    lcp_close(0, "Connect time expired");	/* Close connection */
396    status = EXIT_CONNECT_TIME;
397}
398
399/*
400 * auth_reset - called when LCP is starting negotiations to recheck
401 * authentication options, i.e. whether we have appropriate secrets
402 * to use for authenticating ourselves and/or the peer.
403 */
404void
405auth_reset(unit)
406    int unit;
407{
408    lcp_options *ao = &lcp_allowoptions[0];
409
410    ao->neg_upap = !refuse_pap && (passwd[0] != 0);
411    ao->neg_chap = !refuse_chap	&& (passwd[0] != 0);
412}
413
414/*
415 * get_secret - open the CHAP secret file and return the secret
416 * for authenticating the given client on the given server.
417 * (We could be either client or server).
418 */
419int
420get_secret(unit, client, server, secret, secret_len, am_server)
421    int unit;
422    char *client;
423    char *server;
424    char *secret;
425    int *secret_len;
426    int am_server;
427{
428    *secret_len = strlen(passwd);
429    BCOPY(passwd, secret, *secret_len);
430    return 1;
431}
432
433/*
434 * bad_ip_adrs - return 1 if the IP address is one we don't want
435 * to use, such as an address in the loopback net or a multicast address.
436 * addr is in network byte order.
437 */
438int
439bad_ip_adrs(addr)
440    u_int32_t addr;
441{
442    addr = ntohl(addr);
443    return (addr >> IN_CLASSA_NSHIFT) == IN_LOOPBACKNET
444	|| IN_MULTICAST(addr) || IN_BADCLASS(addr);
445}
446