root/webserver/example/freeRTOSexample/EnergyMeters/Common/ethernet/lwIP/netif/ppp/auth.c

Revision 14, 26.3 kB (checked in by phil, 15 years ago)

added unmodified FreeRTOS package V5.4.1 with only web srv demo source for LPC2368 for CrossWorks?

Line 
1 /*****************************************************************************
2 * auth.c - Network Authentication and Phase Control program file.
3 *
4 * Copyright (c) 2003 by Marc Boucher, Services Informatiques (MBSI) inc.
5 * Copyright (c) 1997 by Global Election Systems Inc.  All rights reserved.
6 *
7 * The authors hereby grant permission to use, copy, modify, distribute,
8 * and license this software and its documentation for any purpose, provided
9 * that existing copyright notices are retained in all copies and that this
10 * notice and the following disclaimer are included verbatim in any
11 * distributions. No written agreement, license, or royalty fee is required
12 * for any of the authorized uses.
13 *
14 * THIS SOFTWARE IS PROVIDED BY THE CONTRIBUTORS *AS IS* AND ANY EXPRESS OR
15 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
16 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
17 * IN NO EVENT SHALL THE CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
18 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
19 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
20 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
21 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
22 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
23 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
24 *
25 ******************************************************************************
26 * REVISION HISTORY
27 *
28 * 03-01-01 Marc Boucher <marc@mbsi.ca>
29 *   Ported to lwIP.
30 * 97-12-08 Guy Lancaster <lancasterg@acm.org>, Global Election Systems Inc.
31 *   Ported from public pppd code.
32 *****************************************************************************/
33 /*
34  * auth.c - PPP authentication and phase control.
35  *
36  * Copyright (c) 1993 The Australian National University.
37  * All rights reserved.
38  *
39  * Redistribution and use in source and binary forms are permitted
40  * provided that the above copyright notice and this paragraph are
41  * duplicated in all such forms and that any documentation,
42  * advertising materials, and other materials related to such
43  * distribution and use acknowledge that the software was developed
44  * by the Australian National University.  The name of the University
45  * may not be used to endorse or promote products derived from this
46  * software without specific prior written permission.
47  * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
48  * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
49  * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
50  *
51  * Copyright (c) 1989 Carnegie Mellon University.
52  * All rights reserved.
53  *
54  * Redistribution and use in source and binary forms are permitted
55  * provided that the above copyright notice and this paragraph are
56  * duplicated in all such forms and that any documentation,
57  * advertising materials, and other materials related to such
58  * distribution and use acknowledge that the software was developed
59  * by Carnegie Mellon University.  The name of the
60  * University may not be used to endorse or promote products derived
61  * from this software without specific prior written permission.
62  * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
63  * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
64  * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
65  */
66
67 #include "ppp.h"
68 #if PPP_SUPPORT > 0
69 #include "fsm.h"
70 #include "lcp.h"
71 #include "pap.h"
72 #include "chap.h"
73 #include "auth.h"
74 #include "ipcp.h"
75
76 #if CBCP_SUPPORT > 0
77 #include "cbcp.h"
78 #endif
79
80 #include "pppdebug.h"
81
82
83 /*************************/
84 /*** LOCAL DEFINITIONS ***/
85 /*************************/
86
87 /* Bits in auth_pending[] */
88 #define PAP_WITHPEER    1
89 #define PAP_PEER    2
90 #define CHAP_WITHPEER   4
91 #define CHAP_PEER   8
92
93
94                                                                    
95 /************************/
96 /*** LOCAL DATA TYPES ***/
97 /************************/
98 /* Used for storing a sequence of words.  Usually malloced. */
99 struct wordlist {
100     struct wordlist *next;
101     char        word[1];
102 };
103
104
105
106 /***********************************/
107 /*** LOCAL FUNCTION DECLARATIONS ***/
108 /***********************************/
109 extern char *crypt (const char *, const char *);
110
111 /* Prototypes for procedures local to this file. */
112
113 static void network_phase (int);
114 static void check_idle (void *);
115 static void connect_time_expired (void *);
116 #if 0
117 static int  login (char *, char *, char **, int *);
118 #endif
119 static void logout (void);
120 static int  null_login (int);
121 static int  get_pap_passwd (int, char *, char *);
122 static int  have_pap_secret (void);
123 static int  have_chap_secret (char *, char *, u32_t);
124 static int  ip_addr_check (u32_t, struct wordlist *);
125 #if 0 /* PAP_SUPPORT > 0 || CHAP_SUPPORT > 0 */
126 static void set_allowed_addrs(int unit, struct wordlist *addrs);
127 static void free_wordlist (struct wordlist *);
128 #endif
129 #if CBCP_SUPPORT > 0
130 static void callback_phase (int);
131 #endif
132
133
134 /******************************/
135 /*** PUBLIC DATA STRUCTURES ***/
136 /******************************/
137
138
139 /*****************************/
140 /*** LOCAL DATA STRUCTURES ***/
141 /*****************************/
142 #if PAP_SUPPORT > 0 || CHAP_SUPPORT > 0
143 /* The name by which the peer authenticated itself to us. */
144 static char peer_authname[MAXNAMELEN];
145 #endif
146
147 /* Records which authentication operations haven't completed yet. */
148 static int auth_pending[NUM_PPP];
149
150 /* Set if we have successfully called login() */
151 static int logged_in;
152
153 /* Set if we have run the /etc/ppp/auth-up script. */
154 static int did_authup;
155
156 /* List of addresses which the peer may use. */
157 static struct wordlist *addresses[NUM_PPP];
158
159 /* Number of network protocols which we have opened. */
160 static int num_np_open;
161
162 /* Number of network protocols which have come up. */
163 static int num_np_up;
164
165 #if PAP_SUPPORT > 0 || CHAP_SUPPORT > 0
166 /* Set if we got the contents of passwd[] from the pap-secrets file. */
167 static int passwd_from_file;
168 #endif
169
170
171
172 /***********************************/
173 /*** PUBLIC FUNCTION DEFINITIONS ***/
174 /***********************************/
175 /*
176  * An Open on LCP has requested a change from Dead to Establish phase.
177  * Do what's necessary to bring the physical layer up.
178  */
179 void link_required(int unit)
180 {
181     AUTHDEBUG((LOG_INFO, "link_required: %d\n", unit));
182 }
183
184 /*
185  * LCP has terminated the link; go to the Dead phase and take the
186  * physical layer down.
187  */
188 void link_terminated(int unit)
189 {
190     AUTHDEBUG((LOG_INFO, "link_terminated: %d\n", unit));
191    
192     if (lcp_phase[unit] == PHASE_DEAD)
193         return;
194     if (logged_in)
195         logout();
196     lcp_phase[unit] = PHASE_DEAD;
197     AUTHDEBUG((LOG_NOTICE, "Connection terminated.\n"));
198         pppMainWakeup(unit);
199 }
200
201 /*
202  * LCP has gone down; it will either die or try to re-establish.
203  */
204 void link_down(int unit)
205 {
206     int i;
207     struct protent *protp;
208    
209     AUTHDEBUG((LOG_INFO, "link_down: %d\n", unit));
210     if (did_authup) {
211         /* XXX Do link down processing. */
212         did_authup = 0;
213     }
214     for (i = 0; (protp = ppp_protocols[i]) != NULL; ++i) {
215         if (!protp->enabled_flag)
216             continue;
217         if (protp->protocol != PPP_LCP && protp->lowerdown != NULL)
218             (*protp->lowerdown)(unit);
219         if (protp->protocol < 0xC000 && protp->close != NULL)
220             (*protp->close)(unit, "LCP down");
221     }
222     num_np_open = 0;
223     num_np_up = 0;
224     if (lcp_phase[unit] != PHASE_DEAD)
225         lcp_phase[unit] = PHASE_TERMINATE;
226         pppMainWakeup(unit);
227 }
228
229 /*
230  * The link is established.
231  * Proceed to the Dead, Authenticate or Network phase as appropriate.
232  */
233 void link_established(int unit)
234 {
235     int auth;
236     int i;
237     struct protent *protp;
238     lcp_options *wo = &lcp_wantoptions[unit];
239     lcp_options *go = &lcp_gotoptions[unit];
240 #if PAP_SUPPORT > 0 || CHAP_SUPPORT > 0
241     lcp_options *ho = &lcp_hisoptions[unit];
242 #endif
243    
244     AUTHDEBUG((LOG_INFO, "link_established: %d\n", unit));
245     /*
246      * Tell higher-level protocols that LCP is up.
247      */
248     for (i = 0; (protp = ppp_protocols[i]) != NULL; ++i)
249         if (protp->protocol != PPP_LCP && protp->enabled_flag
250                 && protp->lowerup != NULL)
251             (*protp->lowerup)(unit);
252    
253     if (ppp_settings.auth_required && !(go->neg_chap || go->neg_upap)) {
254         /*
255          * We wanted the peer to authenticate itself, and it refused:
256          * treat it as though it authenticated with PAP using a username
257          * of "" and a password of "".  If that's not OK, boot it out.
258          */
259         if (!wo->neg_upap || !null_login(unit)) {
260             AUTHDEBUG((LOG_WARNING, "peer refused to authenticate\n"));
261             lcp_close(unit, "peer refused to authenticate");
262             return;
263         }
264     }
265    
266     lcp_phase[unit] = PHASE_AUTHENTICATE;
267     auth = 0;
268 #if CHAP_SUPPORT > 0
269     if (go->neg_chap) {
270         ChapAuthPeer(unit, ppp_settings.our_name, go->chap_mdtype);
271         auth |= CHAP_PEER;
272     }
273 #endif
274 #if PAP_SUPPORT > 0 && CHAP_SUPPORT > 0
275     else
276 #endif
277 #if PAP_SUPPORT > 0
278     if (go->neg_upap) {
279         upap_authpeer(unit);
280         auth |= PAP_PEER;
281     }
282 #endif
283 #if CHAP_SUPPORT > 0
284     if (ho->neg_chap) {
285         ChapAuthWithPeer(unit, ppp_settings.user, ho->chap_mdtype);
286         auth |= CHAP_WITHPEER;
287     }
288 #endif
289 #if PAP_SUPPORT > 0 && CHAP_SUPPORT > 0
290     else
291 #endif
292 #if PAP_SUPPORT > 0
293     if (ho->neg_upap) {
294         if (ppp_settings.passwd[0] == 0) {
295             passwd_from_file = 1;
296             if (!get_pap_passwd(unit, ppp_settings.user, ppp_settings.passwd))
297                 AUTHDEBUG((LOG_ERR, "No secret found for PAP login\n"));
298         }
299         upap_authwithpeer(unit, ppp_settings.user, ppp_settings.passwd);
300         auth |= PAP_WITHPEER;
301     }
302 #endif
303     auth_pending[unit] = auth;
304    
305     if (!auth)
306         network_phase(unit);
307 }
308
309
310 /*
311  * The peer has failed to authenticate himself using `protocol'.
312  */
313 void auth_peer_fail(int unit, u16_t protocol)
314 {
315     AUTHDEBUG((LOG_INFO, "auth_peer_fail: %d proto=%X\n", unit, protocol));
316     /*
317      * Authentication failure: take the link down
318      */
319     lcp_close(unit, "Authentication failed");
320 }
321
322
323 #if PAP_SUPPORT > 0 || CHAP_SUPPORT > 0
324 /*
325  * The peer has been successfully authenticated using `protocol'.
326  */
327 void auth_peer_success(int unit, u16_t protocol, char *name, int namelen)
328 {
329     int pbit;
330    
331     AUTHDEBUG((LOG_INFO, "auth_peer_success: %d proto=%X\n", unit, protocol));
332     switch (protocol) {
333     case PPP_CHAP:
334         pbit = CHAP_PEER;
335         break;
336     case PPP_PAP:
337         pbit = PAP_PEER;
338         break;
339     default:
340         AUTHDEBUG((LOG_WARNING, "auth_peer_success: unknown protocol %x\n",
341                protocol));
342         return;
343     }
344    
345     /*
346      * Save the authenticated name of the peer for later.
347      */
348     if (namelen > sizeof(peer_authname) - 1)
349         namelen = sizeof(peer_authname) - 1;
350     BCOPY(name, peer_authname, namelen);
351     peer_authname[namelen] = 0;
352    
353     /*
354      * If there is no more authentication still to be done,
355      * proceed to the network (or callback) phase.
356      */
357     if ((auth_pending[unit] &= ~pbit) == 0)
358         network_phase(unit);
359 }
360
361 /*
362  * We have failed to authenticate ourselves to the peer using `protocol'.
363  */
364 void auth_withpeer_fail(int unit, u16_t protocol)
365 {
366     int errCode = PPPERR_AUTHFAIL;
367    
368     AUTHDEBUG((LOG_INFO, "auth_withpeer_fail: %d proto=%X\n", unit, protocol));
369     if (passwd_from_file)
370         BZERO(ppp_settings.passwd, MAXSECRETLEN);
371     /*
372      * XXX Warning: the unit number indicates the interface which is
373      * not necessarily the PPP connection.  It works here as long
374      * as we are only supporting PPP interfaces.
375      */
376     pppIOCtl(unit, PPPCTLS_ERRCODE, &errCode);
377
378     /*
379      * We've failed to authenticate ourselves to our peer.
380      * He'll probably take the link down, and there's not much
381      * we can do except wait for that.
382      */
383 }
384
385 /*
386  * We have successfully authenticated ourselves with the peer using `protocol'.
387  */
388 void auth_withpeer_success(int unit, u16_t protocol)
389 {
390     int pbit;
391    
392     AUTHDEBUG((LOG_INFO, "auth_withpeer_success: %d proto=%X\n", unit, protocol));
393     switch (protocol) {
394     case PPP_CHAP:
395         pbit = CHAP_WITHPEER;
396         break;
397     case PPP_PAP:
398         if (passwd_from_file)
399             BZERO(ppp_settings.passwd, MAXSECRETLEN);
400         pbit = PAP_WITHPEER;
401         break;
402     default:
403         AUTHDEBUG((LOG_WARNING, "auth_peer_success: unknown protocol %x\n",
404                protocol));
405         pbit = 0;
406     }
407    
408     /*
409      * If there is no more authentication still being done,
410      * proceed to the network (or callback) phase.
411      */
412     if ((auth_pending[unit] &= ~pbit) == 0)
413         network_phase(unit);
414 }
415 #endif
416
417
418 /*
419  * np_up - a network protocol has come up.
420  */
421 void np_up(int unit, u16_t proto)
422 {
423     AUTHDEBUG((LOG_INFO, "np_up: %d proto=%X\n", unit, proto));
424     if (num_np_up == 0) {
425         AUTHDEBUG((LOG_INFO, "np_up: maxconnect=%d idle_time_limit=%d\n",ppp_settings.maxconnect,ppp_settings.idle_time_limit));
426         /*
427          * At this point we consider that the link has come up successfully.
428          */
429         if (ppp_settings.idle_time_limit > 0)
430             TIMEOUT(check_idle, NULL, ppp_settings.idle_time_limit);
431        
432         /*
433          * Set a timeout to close the connection once the maximum
434          * connect time has expired.
435          */
436         if (ppp_settings.maxconnect > 0)
437             TIMEOUT(connect_time_expired, 0, ppp_settings.maxconnect);
438     }
439     ++num_np_up;
440 }
441
442 /*
443  * np_down - a network protocol has gone down.
444  */
445 void np_down(int unit, u16_t proto)
446 {
447     AUTHDEBUG((LOG_INFO, "np_down: %d proto=%X\n", unit, proto));
448     if (--num_np_up == 0 && ppp_settings.idle_time_limit > 0) {
449         UNTIMEOUT(check_idle, NULL);
450     }
451 }
452
453 /*
454  * np_finished - a network protocol has finished using the link.
455  */
456 void np_finished(int unit, u16_t proto)
457 {
458     AUTHDEBUG((LOG_INFO, "np_finished: %d proto=%X\n", unit, proto));
459     if (--num_np_open <= 0) {
460         /* no further use for the link: shut up shop. */
461         lcp_close(0, "No network protocols running");
462     }
463 }
464
465 /*
466  * auth_reset - called when LCP is starting negotiations to recheck
467  * authentication options, i.e. whether we have appropriate secrets
468  * to use for authenticating ourselves and/or the peer.
469  */
470 void auth_reset(int unit)
471 {
472     lcp_options *go = &lcp_gotoptions[unit];
473     lcp_options *ao = &lcp_allowoptions[0];
474     ipcp_options *ipwo = &ipcp_wantoptions[0];
475     u32_t remote;
476    
477     AUTHDEBUG((LOG_INFO, "auth_reset: %d\n", unit));
478     ao->neg_upap = !ppp_settings.refuse_pap && (ppp_settings.passwd[0] != 0 || get_pap_passwd(unit, NULL, NULL));
479     ao->neg_chap = !ppp_settings.refuse_chap && ppp_settings.passwd[0] != 0 /*have_chap_secret(ppp_settings.user, ppp_settings.remote_name, (u32_t)0)*/;
480    
481     if (go->neg_upap && !have_pap_secret())
482         go->neg_upap = 0;
483     if (go->neg_chap) {
484         remote = ipwo->accept_remote? 0: ipwo->hisaddr;
485         if (!have_chap_secret(ppp_settings.remote_name, ppp_settings.our_name, remote))
486             go->neg_chap = 0;
487     }
488 }
489
490
491 #if PAP_SUPPORT > 0
492 /*
493  * check_passwd - Check the user name and passwd against the PAP secrets
494  * file.  If requested, also check against the system password database,
495  * and login the user if OK.
496  *
497  * returns:
498  *  UPAP_AUTHNAK: Authentication failed.
499  *  UPAP_AUTHACK: Authentication succeeded.
500  * In either case, msg points to an appropriate message.
501  */
502 int check_passwd(
503         int unit,
504         char *auser,
505         int userlen,
506         char *apasswd,
507         int passwdlen,
508         char **msg,
509         int *msglen
510 )
511 {
512 #if 1
513         *msg = (char *) 0;
514         return UPAP_AUTHACK;     /* XXX Assume all entries OK. */
515 #else
516     int ret = 0;
517     struct wordlist *addrs = NULL;
518     char passwd[256], user[256];
519     char secret[MAXWORDLEN];
520     static u_short attempts = 0;
521    
522     /*
523      * Make copies of apasswd and auser, then null-terminate them.
524      */
525     BCOPY(apasswd, passwd, passwdlen);
526     passwd[passwdlen] = '\0';
527     BCOPY(auser, user, userlen);
528     user[userlen] = '\0';
529     *msg = (char *) 0;
530
531     /* XXX Validate user name and password. */
532     ret = UPAP_AUTHACK;     /* XXX Assume all entries OK. */
533        
534     if (ret == UPAP_AUTHNAK) {
535         if (*msg == (char *) 0)
536             *msg = "Login incorrect";
537         *msglen = strlen(*msg);
538         /*
539          * Frustrate passwd stealer programs.
540          * Allow 10 tries, but start backing off after 3 (stolen from login).
541          * On 10'th, drop the connection.
542          */
543         if (attempts++ >= 10) {
544             AUTHDEBUG((LOG_WARNING, "%d LOGIN FAILURES BY %s\n", attempts, user));
545             /*ppp_panic("Excess Bad Logins");*/
546         }
547         if (attempts > 3) {
548             sys_msleep((attempts - 3) * 5);
549         }
550         if (addrs != NULL) {
551             free_wordlist(addrs);
552         }
553     } else {
554         attempts = 0;           /* Reset count */
555         if (*msg == (char *) 0)
556             *msg = "Login ok";
557         *msglen = strlen(*msg);
558         set_allowed_addrs(unit, addrs);
559     }
560    
561     BZERO(passwd, sizeof(passwd));
562     BZERO(secret, sizeof(secret));
563    
564     return ret;
565 #endif
566 }
567 #endif
568
569
570 /*
571  * auth_ip_addr - check whether the peer is authorized to use
572  * a given IP address.  Returns 1 if authorized, 0 otherwise.
573  */
574 int auth_ip_addr(int unit, u32_t addr)
575 {
576     return ip_addr_check(addr, addresses[unit]);
577 }
578
579 /*
580  * bad_ip_adrs - return 1 if the IP address is one we don't want
581  * to use, such as an address in the loopback net or a multicast address.
582  * addr is in network byte order.
583  */
584 int bad_ip_adrs(u32_t addr)
585 {
586     addr = ntohl(addr);
587     return (addr >> IN_CLASSA_NSHIFT) == IN_LOOPBACKNET
588         || IN_MULTICAST(addr) || IN_BADCLASS(addr);
589 }
590
591
592 #if CHAP_SUPPORT > 0
593 /*
594  * get_secret - open the CHAP secret file and return the secret
595  * for authenticating the given client on the given server.
596  * (We could be either client or server).
597  */
598 int get_secret(
599     int unit,
600     char *client,
601     char *server,
602     char *secret,
603     int *secret_len,
604     int save_addrs
605 )
606 {
607 #if 1
608     int len;
609     struct wordlist *addrs;
610    
611     addrs = NULL;
612
613     if(!client || !client[0] || strcmp(client, ppp_settings.user)) {
614         return 0;
615     }
616
617     len = strlen(ppp_settings.passwd);
618     if (len > MAXSECRETLEN) {
619         AUTHDEBUG((LOG_ERR, "Secret for %s on %s is too long\n", client, server));
620         len = MAXSECRETLEN;
621     }
622     BCOPY(ppp_settings.passwd, secret, len);
623     *secret_len = len;
624    
625     return 1;
626 #else
627     int ret = 0, len;
628     struct wordlist *addrs;
629     char secbuf[MAXWORDLEN];
630    
631     addrs = NULL;
632     secbuf[0] = 0;
633
634     /* XXX Find secret. */ 
635     if (ret < 0)
636         return 0;
637    
638     if (save_addrs)
639         set_allowed_addrs(unit, addrs);
640    
641     len = strlen(secbuf);
642     if (len > MAXSECRETLEN) {
643         AUTHDEBUG((LOG_ERR, "Secret for %s on %s is too long\n", client, server));
644         len = MAXSECRETLEN;
645     }
646     BCOPY(secbuf, secret, len);
647     BZERO(secbuf, sizeof(secbuf));
648     *secret_len = len;
649    
650     return 1;
651 #endif
652 }
653 #endif
654
655
656 #if 0 /* UNUSED */
657 /*
658  * auth_check_options - called to check authentication options.
659  */
660 void auth_check_options(void)
661 {
662     lcp_options *wo = &lcp_wantoptions[0];
663     int can_auth;
664     ipcp_options *ipwo = &ipcp_wantoptions[0];
665     u32_t remote;
666    
667     /* Default our_name to hostname, and user to our_name */
668     if (ppp_settings.our_name[0] == 0 || ppp_settings.usehostname)
669         strcpy(ppp_settings.our_name, ppp_settings.hostname);
670     if (ppp_settings.user[0] == 0)
671         strcpy(ppp_settings.user, ppp_settings.our_name);
672    
673     /* If authentication is required, ask peer for CHAP or PAP. */
674     if (ppp_settings.auth_required && !wo->neg_chap && !wo->neg_upap) {
675         wo->neg_chap = 1;
676         wo->neg_upap = 1;
677     }
678    
679     /*
680      * Check whether we have appropriate secrets to use
681      * to authenticate the peer.
682      */
683     can_auth = wo->neg_upap && have_pap_secret();
684     if (!can_auth && wo->neg_chap) {
685         remote = ipwo->accept_remote? 0: ipwo->hisaddr;
686         can_auth = have_chap_secret(ppp_settings.remote_name, ppp_settings.our_name, remote);
687     }
688    
689     if (ppp_settings.auth_required && !can_auth) {
690         ppp_panic("No auth secret");
691     }
692 }
693 #endif
694
695
696 /**********************************/
697 /*** LOCAL FUNCTION DEFINITIONS ***/
698 /**********************************/
699 /*
700  * Proceed to the network phase.
701  */
702 static void network_phase(int unit)
703 {
704     int i;
705     struct protent *protp;
706     lcp_options *go = &lcp_gotoptions[unit];
707    
708     /*
709      * If the peer had to authenticate, run the auth-up script now.
710      */
711     if ((go->neg_chap || go->neg_upap) && !did_authup) {
712         /* XXX Do setup for peer authentication. */
713         did_authup = 1;
714     }
715    
716 #if CBCP_SUPPORT > 0
717     /*
718      * If we negotiated callback, do it now.
719      */
720     if (go->neg_cbcp) {
721         lcp_phase[unit] = PHASE_CALLBACK;
722         (*cbcp_protent.open)(unit);
723         return;
724     }
725 #endif
726    
727     lcp_phase[unit] = PHASE_NETWORK;
728     for (i = 0; (protp = ppp_protocols[i]) != NULL; ++i)
729         if (protp->protocol < 0xC000 && protp->enabled_flag
730                 && protp->open != NULL) {
731             (*protp->open)(unit);
732             if (protp->protocol != PPP_CCP)
733                 ++num_np_open;
734         }
735    
736     if (num_np_open == 0)
737         /* nothing to do */
738         lcp_close(0, "No network protocols running");
739 }
740
741 /*
742  * check_idle - check whether the link has been idle for long
743  * enough that we can shut it down.
744  */
745 static void check_idle(void *arg)
746 {
747     struct ppp_idle idle;
748     u_short itime;
749    
750         (void)arg;
751     if (!get_idle_time(0, &idle))
752         return;
753     itime = LWIP_MIN(idle.xmit_idle, idle.recv_idle);
754     if (itime >= ppp_settings.idle_time_limit) {
755         /* link is idle: shut it down. */
756         AUTHDEBUG((LOG_INFO, "Terminating connection due to lack of activity.\n"));
757         lcp_close(0, "Link inactive");
758     } else {
759         TIMEOUT(check_idle, NULL, ppp_settings.idle_time_limit - itime);
760     }
761 }
762
763 /*
764  * connect_time_expired - log a message and close the connection.
765  */
766 static void connect_time_expired(void *arg)
767 {
768         (void)arg;
769
770     AUTHDEBUG((LOG_INFO, "Connect time expired\n"));
771     lcp_close(0, "Connect time expired");   /* Close connection */
772 }
773
774 #if 0
775 /*
776  * login - Check the user name and password against the system
777  * password database, and login the user if OK.
778  *
779  * returns:
780  *  UPAP_AUTHNAK: Login failed.
781  *  UPAP_AUTHACK: Login succeeded.
782  * In either case, msg points to an appropriate message.
783  */
784 static int login(char *user, char *passwd, char **msg, int *msglen)
785 {
786     /* XXX Fail until we decide that we want to support logins. */
787     return (UPAP_AUTHNAK);
788 }
789 #endif
790
791 /*
792  * logout - Logout the user.
793  */
794 static void logout(void)
795 {
796     logged_in = 0;
797 }
798
799
800 /*
801  * null_login - Check if a username of "" and a password of "" are
802  * acceptable, and iff so, set the list of acceptable IP addresses
803  * and return 1.
804  */
805 static int null_login(int unit)
806 {
807         (void)unit;
808     /* XXX Fail until we decide that we want to support logins. */
809     return 0;
810 }
811
812
813 /*
814  * get_pap_passwd - get a password for authenticating ourselves with
815  * our peer using PAP.  Returns 1 on success, 0 if no suitable password
816  * could be found.
817  */
818 static int get_pap_passwd(int unit, char *user, char *passwd)
819 {
820 /* normally we would reject PAP if no password is provided,
821    but this causes problems with some providers (like CHT in Taiwan)
822    who incorrectly request PAP and expect a bogus/empty password, so
823    always provide a default user/passwd of "none"/"none"
824 */
825     if(user)
826         strcpy(user,   "none");
827     if(passwd)
828         strcpy(passwd, "none");
829
830     return 1;
831 }
832
833
834 /*
835  * have_pap_secret - check whether we have a PAP file with any
836  * secrets that we could possibly use for authenticating the peer.
837  */
838 static int have_pap_secret(void)
839 {
840     /* XXX Fail until we set up our passwords. */
841     return 0;
842 }
843
844
845 /*
846  * have_chap_secret - check whether we have a CHAP file with a
847  * secret that we could possibly use for authenticating `client'
848  * on `server'.  Either can be the null string, meaning we don't
849  * know the identity yet.
850  */
851 static int have_chap_secret(char *client, char *server, u32_t remote)
852 {
853         (void)client;
854         (void)server;
855         (void)remote;
856     /* XXX Fail until we set up our passwords. */
857     return 0;
858 }
859
860
861 #if 0 /* PAP_SUPPORT > 0 || CHAP_SUPPORT > 0 */
862 /*
863  * set_allowed_addrs() - set the list of allowed addresses.
864  */
865 static void set_allowed_addrs(int unit, struct wordlist *addrs)
866 {
867     if (addresses[unit] != NULL)
868         free_wordlist(addresses[unit]);
869     addresses[unit] = addrs;
870
871 #if 0
872     /*
873      * If there's only one authorized address we might as well
874      * ask our peer for that one right away
875      */
876     if (addrs != NULL && addrs->next == NULL) {
877         char *p = addrs->word;
878         struct ipcp_options *wo = &ipcp_wantoptions[unit];
879         u32_t a;
880         struct hostent *hp;
881        
882         if (wo->hisaddr == 0 && *p != '!' && *p != '-'
883                 && strchr(p, '/') == NULL) {
884             hp = gethostbyname(p);
885             if (hp != NULL && hp->h_addrtype == AF_INET)
886                 a = *(u32_t *)hp->h_addr;
887             else
888                 a = inet_addr(p);
889             if (a != (u32_t) -1)
890                 wo->hisaddr = a;
891         }
892     }
893 #endif
894 }
895 #endif
896
897 static int ip_addr_check(u32_t addr, struct wordlist *addrs)
898 {
899    
900     /* don't allow loopback or multicast address */
901     if (bad_ip_adrs(addr))
902         return 0;
903    
904     if (addrs == NULL)
905         return !ppp_settings.auth_required;      /* no addresses authorized */
906    
907     /* XXX All other addresses allowed. */
908     return 1;
909 }
910
911 #if 0 /* PAP_SUPPORT > 0 || CHAP_SUPPORT */
912 /*
913  * free_wordlist - release memory allocated for a wordlist.
914  */
915 static void free_wordlist(struct wordlist *wp)
916 {
917     struct wordlist *next;
918    
919     while (wp != NULL) {
920         next = wp->next;
921         free(wp);
922         wp = next;
923     }
924 }
925 #endif
926
927 #endif /* PPP_SUPPORT */
Note: See TracBrowser for help on using the browser.