1/*-
2 * SPDX-License-Identifier: BSD-2-Clause-FreeBSD
3 *
4 * Copyright (c) 1996 - 2001 Brian Somers <brian@Awfulhak.org>
5 *          based on work by Toshiharu OHNO <tony-o@iij.ad.jp>
6 *                           Internet Initiative Japan, Inc (IIJ)
7 * All rights reserved.
8 *
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that the following conditions
11 * are met:
12 * 1. Redistributions of source code must retain the above copyright
13 *    notice, this list of conditions and the following disclaimer.
14 * 2. Redistributions in binary form must reproduce the above copyright
15 *    notice, this list of conditions and the following disclaimer in the
16 *    documentation and/or other materials provided with the distribution.
17 *
18 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
19 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
20 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
21 * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
22 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
23 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
24 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
25 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
26 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
27 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
28 * SUCH DAMAGE.
29 *
30 * $FreeBSD: stable/11/usr.sbin/ppp/pap.c 330449 2018-03-05 07:26:05Z eadler $
31 */
32
33#include <sys/param.h>
34#include <netinet/in.h>
35#include <netinet/in_systm.h>
36#include <netinet/ip.h>
37#include <sys/socket.h>
38#include <sys/un.h>
39
40#include <stdlib.h>
41#include <string.h>		/* strlen/memcpy */
42#include <termios.h>
43
44#include "layer.h"
45#include "mbuf.h"
46#include "log.h"
47#include "defs.h"
48#include "timer.h"
49#include "fsm.h"
50#include "auth.h"
51#include "pap.h"
52#include "lqr.h"
53#include "hdlc.h"
54#include "lcp.h"
55#include "proto.h"
56#include "async.h"
57#include "throughput.h"
58#include "ccp.h"
59#include "link.h"
60#include "descriptor.h"
61#include "physical.h"
62#include "iplist.h"
63#include "slcompress.h"
64#include "ncpaddr.h"
65#include "ipcp.h"
66#include "filter.h"
67#include "mp.h"
68#ifndef NORADIUS
69#include "radius.h"
70#endif
71#include "ipv6cp.h"
72#include "ncp.h"
73#include "bundle.h"
74#include "chat.h"
75#include "chap.h"
76#include "cbcp.h"
77#include "datalink.h"
78
79static const char * const papcodes[] = {
80  "???", "REQUEST", "SUCCESS", "FAILURE"
81};
82#define MAXPAPCODE (sizeof papcodes / sizeof papcodes[0] - 1)
83
84static void
85pap_Req(struct authinfo *authp)
86{
87  struct bundle *bundle = authp->physical->dl->bundle;
88  struct fsmheader lh;
89  struct mbuf *bp;
90  u_char *cp;
91  int namelen, keylen, plen;
92
93  namelen = strlen(bundle->cfg.auth.name);
94  keylen = strlen(bundle->cfg.auth.key);
95  plen = namelen + keylen + 2;
96  log_Printf(LogDEBUG, "pap_Req: namelen = %d, keylen = %d\n", namelen, keylen);
97  log_Printf(LogPHASE, "Pap Output: %s ********\n", bundle->cfg.auth.name);
98  if (*bundle->cfg.auth.name == '\0')
99    log_Printf(LogWARN, "Sending empty PAP authname!\n");
100  lh.code = PAP_REQUEST;
101  lh.id = authp->id;
102  lh.length = htons(plen + sizeof(struct fsmheader));
103  bp = m_get(plen + sizeof(struct fsmheader), MB_PAPOUT);
104  memcpy(MBUF_CTOP(bp), &lh, sizeof(struct fsmheader));
105  cp = MBUF_CTOP(bp) + sizeof(struct fsmheader);
106  *cp++ = namelen;
107  memcpy(cp, bundle->cfg.auth.name, namelen);
108  cp += namelen;
109  *cp++ = keylen;
110  memcpy(cp, bundle->cfg.auth.key, keylen);
111  link_PushPacket(&authp->physical->link, bp, bundle,
112                  LINK_QUEUES(&authp->physical->link) - 1, PROTO_PAP);
113}
114
115static void
116SendPapCode(struct authinfo *authp, int code, const char *message)
117{
118  struct fsmheader lh;
119  struct mbuf *bp;
120  u_char *cp;
121  int plen, mlen;
122
123  lh.code = code;
124  lh.id = authp->id;
125  mlen = strlen(message);
126  plen = mlen + 1;
127  lh.length = htons(plen + sizeof(struct fsmheader));
128  bp = m_get(plen + sizeof(struct fsmheader), MB_PAPOUT);
129  memcpy(MBUF_CTOP(bp), &lh, sizeof(struct fsmheader));
130  cp = MBUF_CTOP(bp) + sizeof(struct fsmheader);
131  /*
132   * If our message is longer than 255 bytes, truncate the length to
133   * 255 and send the entire message anyway.  Maybe the other end will
134   * display it... (see pap_Input() !)
135   */
136  *cp++ = mlen > 255 ? 255 : mlen;
137  memcpy(cp, message, mlen);
138  log_Printf(LogPHASE, "Pap Output: %s\n", papcodes[code]);
139
140  link_PushPacket(&authp->physical->link, bp, authp->physical->dl->bundle,
141                  LINK_QUEUES(&authp->physical->link) - 1, PROTO_PAP);
142}
143
144static void
145pap_Success(struct authinfo *authp)
146{
147  struct bundle *bundle = authp->physical->dl->bundle;
148
149  datalink_GotAuthname(authp->physical->dl, authp->in.name);
150#ifndef NORADIUS
151  if (*bundle->radius.cfg.file && bundle->radius.repstr)
152    SendPapCode(authp, PAP_ACK, bundle->radius.repstr);
153  else
154#endif
155    SendPapCode(authp, PAP_ACK, "Greetings!!");
156  authp->physical->link.lcp.auth_ineed = 0;
157  if (Enabled(bundle, OPT_UTMP))
158    physical_Login(authp->physical, authp->in.name);
159
160  if (authp->physical->link.lcp.auth_iwait == 0)
161    /*
162     * Either I didn't need to authenticate, or I've already been
163     * told that I got the answer right.
164     */
165    datalink_AuthOk(authp->physical->dl);
166}
167
168static void
169pap_Failure(struct authinfo *authp)
170{
171  SendPapCode(authp, PAP_NAK, "Login incorrect");
172  datalink_AuthNotOk(authp->physical->dl);
173}
174
175void
176pap_Init(struct authinfo *pap, struct physical *p)
177{
178  auth_Init(pap, p, pap_Req, pap_Success, pap_Failure);
179}
180
181struct mbuf *
182pap_Input(struct bundle *bundle, struct link *l, struct mbuf *bp)
183{
184  struct physical *p = link2physical(l);
185  struct authinfo *authp = &p->dl->pap;
186  u_char nlen, klen, *key;
187  const char *txt;
188  int txtlen;
189
190  if (p == NULL) {
191    log_Printf(LogERROR, "pap_Input: Not a physical link - dropped\n");
192    m_freem(bp);
193    return NULL;
194  }
195
196  if (bundle_Phase(bundle) != PHASE_NETWORK &&
197      bundle_Phase(bundle) != PHASE_AUTHENTICATE) {
198    log_Printf(LogPHASE, "Unexpected pap input - dropped !\n");
199    m_freem(bp);
200    return NULL;
201  }
202
203  if ((bp = auth_ReadHeader(authp, bp)) == NULL &&
204      ntohs(authp->in.hdr.length) == 0) {
205    log_Printf(LogWARN, "Pap Input: Truncated header !\n");
206    return NULL;
207  }
208
209  if (authp->in.hdr.code == 0 || authp->in.hdr.code > MAXPAPCODE) {
210    log_Printf(LogPHASE, "Pap Input: %d: Bad PAP code !\n", authp->in.hdr.code);
211    m_freem(bp);
212    return NULL;
213  }
214
215  if (authp->in.hdr.code != PAP_REQUEST && authp->id != authp->in.hdr.id &&
216      Enabled(bundle, OPT_IDCHECK)) {
217    /* Wrong conversation dude ! */
218    log_Printf(LogPHASE, "Pap Input: %s dropped (got id %d, not %d)\n",
219               papcodes[authp->in.hdr.code], authp->in.hdr.id, authp->id);
220    m_freem(bp);
221    return NULL;
222  }
223  m_settype(bp, MB_PAPIN);
224  authp->id = authp->in.hdr.id;		/* We respond with this id */
225
226  if (bp) {
227    bp = mbuf_Read(bp, &nlen, 1);
228    if (authp->in.hdr.code == PAP_ACK) {
229      /*
230       * Don't restrict the length of our acknowledgement freetext to
231       * nlen (a one-byte length).  Show the rest of the ack packet
232       * instead.  This isn't really part of the protocol.....
233       */
234      bp = m_pullup(bp);
235      txt = MBUF_CTOP(bp);
236      txtlen = m_length(bp);
237    } else {
238      bp = auth_ReadName(authp, bp, nlen);
239      txt = authp->in.name;
240      txtlen = strlen(authp->in.name);
241    }
242  } else {
243    txt = "";
244    txtlen = 0;
245  }
246
247  log_Printf(LogPHASE, "Pap Input: %s (%.*s)\n",
248             papcodes[authp->in.hdr.code], txtlen, txt);
249
250  switch (authp->in.hdr.code) {
251    case PAP_REQUEST:
252      if (bp == NULL) {
253        log_Printf(LogPHASE, "Pap Input: No key given !\n");
254        break;
255      }
256      bp = mbuf_Read(bp, &klen, 1);
257      if (m_length(bp) < klen) {
258        log_Printf(LogERROR, "Pap Input: Truncated key !\n");
259        break;
260      }
261      if ((key = malloc(klen+1)) == NULL) {
262        log_Printf(LogERROR, "Pap Input: Out of memory !\n");
263        break;
264      }
265      bp = mbuf_Read(bp, key, klen);
266      key[klen] = '\0';
267
268#ifndef NORADIUS
269      if (*bundle->radius.cfg.file) {
270        if (!radius_Authenticate(&bundle->radius, authp, authp->in.name,
271                                 key, strlen(key), NULL, 0))
272          pap_Failure(authp);
273      } else
274#endif
275      if (auth_Validate(bundle, authp->in.name, key))
276        pap_Success(authp);
277      else
278        pap_Failure(authp);
279
280      free(key);
281      break;
282
283    case PAP_ACK:
284      auth_StopTimer(authp);
285      if (p->link.lcp.auth_iwait == PROTO_PAP) {
286        p->link.lcp.auth_iwait = 0;
287        if (p->link.lcp.auth_ineed == 0)
288          /*
289           * We've succeeded in our ``login''
290           * If we're not expecting  the peer to authenticate (or he already
291           * has), proceed to network phase.
292           */
293          datalink_AuthOk(p->dl);
294      }
295      break;
296
297    case PAP_NAK:
298      auth_StopTimer(authp);
299      datalink_AuthNotOk(p->dl);
300      break;
301  }
302
303  m_freem(bp);
304  return NULL;
305}
306