1 /* 2 * auth.c - PPP authentication and phase control. 3 * 4 * Copyright 2007 Sun Microsystems, Inc. All rights reserved. 5 * Use is subject to license terms. 6 * 7 * Copyright (c) 1993 The Australian National University. 8 * All rights reserved. 9 * 10 * Redistribution and use in source and binary forms are permitted 11 * provided that the above copyright notice and this paragraph are 12 * duplicated in all such forms and that any documentation, 13 * advertising materials, and other materials related to such 14 * distribution and use acknowledge that the software was developed 15 * by the Australian National University. The name of the University 16 * may not be used to endorse or promote products derived from this 17 * software without specific prior written permission. 18 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR 19 * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED 20 * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. 21 * 22 * Copyright (c) 1989 Carnegie Mellon University. 23 * All rights reserved. 24 * 25 * Redistribution and use in source and binary forms are permitted 26 * provided that the above copyright notice and this paragraph are 27 * duplicated in all such forms and that any documentation, 28 * advertising materials, and other materials related to such 29 * distribution and use acknowledge that the software was developed 30 * by Carnegie Mellon University. The name of the 31 * University may not be used to endorse or promote products derived 32 * from this software without specific prior written permission. 33 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR 34 * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED 35 * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. 36 */ 37 38 /* Pull in crypt() definition. */ 39 #define __EXTENSIONS__ 40 41 #include <stdio.h> 42 #include <stddef.h> 43 #include <stdlib.h> 44 #include <unistd.h> 45 #include <pwd.h> 46 #include <grp.h> 47 #include <string.h> 48 #include <sys/types.h> 49 #include <sys/stat.h> 50 #include <sys/socket.h> 51 #include <utmp.h> 52 #include <fcntl.h> 53 #if defined(_PATH_LASTLOG) && (defined(_linux_) || defined(__linux__)) 54 #include <lastlog.h> 55 #endif 56 57 #if defined(_linux_) || defined(__linux__) 58 #include <crypt.h> 59 #endif 60 61 #include <netdb.h> 62 #include <netinet/in.h> 63 #include <arpa/inet.h> 64 65 /* Backward compatibility with old Makefiles */ 66 #if defined(USE_PAM) && !defined(ALLOW_PAM) 67 #define ALLOW_PAM 68 #endif 69 70 #ifdef ALLOW_PAM 71 #include <security/pam_appl.h> 72 #endif 73 74 #ifdef HAS_SHADOW 75 #include <shadow.h> 76 #ifndef PW_PPP 77 #define PW_PPP PW_LOGIN 78 #endif 79 #endif 80 81 #include "pppd.h" 82 #include "fsm.h" 83 #include "lcp.h" 84 #include "ipcp.h" 85 #include "upap.h" 86 #include "chap.h" 87 #ifdef CBCP_SUPPORT 88 #include "cbcp.h" 89 #endif 90 #include "pathnames.h" 91 92 /* Bits in scan_authfile return value */ 93 #define NONWILD_SERVER 1 94 #define NONWILD_CLIENT 2 95 96 #define ISWILD(word) (word[0] == '*' && word[1] == '\0') 97 98 /* The name by which the peer authenticated itself to us. */ 99 char peer_authname[MAXNAMELEN]; 100 101 /* Records which authentication operations haven't completed yet. */ 102 static int auth_pending[NUM_PPP]; 103 104 /* Set if we have successfully called plogin() */ 105 static int logged_in; 106 107 /* List of addresses which the peer may use. */ 108 static struct permitted_ip *addresses[NUM_PPP]; 109 110 /* Wordlist giving addresses which the peer may use 111 without authenticating itself. */ 112 static struct wordlist *noauth_addrs; 113 114 /* Extra options to apply, from the secrets file entry for the peer. */ 115 static struct wordlist *extra_options; 116 117 /* Source of those extra options. */ 118 static const char *extra_opt_filename; 119 static int extra_opt_line; 120 121 /* Number of network protocols which we have opened. */ 122 static int num_np_open; 123 124 /* Number of network protocols which have come up. */ 125 static int num_np_up; 126 127 /* Set if we got the contents of passwd[] from the pap-secrets file. */ 128 static int passwd_from_file; 129 130 /* Set if we require authentication only because we have a default route. */ 131 static bool default_auth; 132 133 /* Hook to enable a plugin to control the idle time limit */ 134 int (*idle_time_hook) __P((struct ppp_idle *)) = NULL; 135 136 /* Hook for a plugin to say whether we can possibly authenticate any peer */ 137 int (*pap_check_hook) __P((void)) = NULL; 138 139 /* Hook for a plugin to check the PAP user and password */ 140 int (*pap_auth_hook) __P((char *user, char *passwd, char **msgp, 141 struct wordlist **paddrs, 142 struct wordlist **popts)) = NULL; 143 144 /* Hook for a plugin to know about the PAP user logout */ 145 void (*pap_logout_hook) __P((void)) = NULL; 146 147 /* Hook for a plugin to get the PAP password for authenticating us */ 148 int (*pap_passwd_hook) __P((char *user, char *passwd)) = NULL; 149 150 /* 151 * This is used to ensure that we don't start an auth-up/down 152 * script while one is already running. 153 */ 154 enum script_state { 155 s_down, 156 s_up 157 }; 158 159 static enum script_state auth_state = s_down; 160 static enum script_state auth_script_state = s_down; 161 static pid_t auth_script_pid = 0; 162 163 /* 164 * This is set by scan_authfile if a client matches, but server doesn't 165 * (possible configuration error). 166 */ 167 static char scan_server_match_failed[MAXWORDLEN]; 168 169 /* 170 * Option variables. 171 */ 172 bool uselogin = 0; /* Use /etc/passwd for checking PAP */ 173 bool cryptpap = 0; /* Passwords in pap-secrets are encrypted */ 174 bool refuse_pap = 0; /* Don't wanna auth. ourselves with PAP */ 175 bool refuse_chap = 0; /* Don't wanna auth. ourselves with CHAP */ 176 bool usehostname = 0; /* Use hostname for our_name */ 177 bool auth_required = 0; /* Always require authentication from peer */ 178 bool allow_any_ip = 0; /* Allow peer to use any IP address */ 179 bool explicit_remote = 0; /* User specified explicit remote name */ 180 char remote_name[MAXNAMELEN]; /* Peer's name for authentication */ 181 182 #ifdef CHAPMS 183 bool refuse_mschap = 0; /* Don't wanna auth. ourself with MS-CHAPv1 */ 184 #else 185 bool refuse_mschap = 1; /* Never auth. ourself with MS-CHAPv1 */ 186 #endif 187 #ifdef CHAPMSV2 188 bool refuse_mschapv2 = 0; /* Don't wanna auth. ourself with MS-CHAPv2 */ 189 #else 190 bool refuse_mschapv2 = 1; /* Never auth. ourself with MS-CHAPv2 */ 191 #endif 192 193 #ifdef USE_PAM 194 bool use_pam = 1; /* Enable use of PAM by default */ 195 #else 196 bool use_pam = 0; /* Disable use of PAM by default */ 197 #endif 198 199 /* Bits in auth_pending[] */ 200 #define PAP_WITHPEER 1 201 #define PAP_PEER 2 202 #define CHAP_WITHPEER 4 203 #define CHAP_PEER 8 204 205 /* Prototypes for procedures local to this file. */ 206 207 static void network_phase __P((int)); 208 static void check_idle __P((void *)); 209 static void connect_time_expired __P((void *)); 210 static int plogin __P((char *, char *, char **)); 211 static void plogout __P((void)); 212 static int null_login __P((int)); 213 static int get_pap_passwd __P((char *)); 214 static int have_pap_secret __P((int *)); 215 static int have_chap_secret __P((char *, char *, int, int *)); 216 static int ip_addr_check __P((u_int32_t, struct permitted_ip *)); 217 static int scan_authfile __P((FILE *, char *, char *, char *, 218 struct wordlist **, struct wordlist **, 219 char *)); 220 static void free_wordlist __P((struct wordlist *)); 221 static void auth_script __P((char *)); 222 static void auth_script_done __P((void *, int)); 223 static void set_allowed_addrs __P((int, struct wordlist *, struct wordlist *)); 224 static int some_ip_ok __P((struct wordlist *)); 225 static int setupapfile __P((char **, option_t *)); 226 static int privgroup __P((char **, option_t *)); 227 static int set_noauth_addr __P((char **, option_t *)); 228 static void check_access __P((FILE *, char *)); 229 230 /* 231 * Authentication-related options. 232 */ 233 option_t auth_options[] = { 234 { "require-pap", o_bool, &lcp_wantoptions[0].neg_upap, 235 "Require PAP authentication from peer", 1, &auth_required }, 236 { "+pap", o_bool, &lcp_wantoptions[0].neg_upap, 237 "Require PAP authentication from peer", 1, &auth_required }, 238 { "refuse-pap", o_bool, &refuse_pap, 239 "Don't agree to auth to peer with PAP", 1 }, 240 { "-pap", o_bool, &refuse_pap, 241 "Don't allow PAP authentication with peer", 1 }, 242 { "require-chap", o_bool, &lcp_wantoptions[0].neg_chap, 243 "Require CHAP authentication from peer", 1, &auth_required }, 244 { "+chap", o_bool, &lcp_wantoptions[0].neg_chap, 245 "Require CHAP authentication from peer", 1, &auth_required }, 246 { "refuse-chap", o_bool, &refuse_chap, 247 "Don't agree to auth to peer with CHAP", 1 }, 248 { "-chap", o_bool, &refuse_chap, 249 "Don't allow CHAP authentication with peer", 1 }, 250 { "name", o_string, our_name, 251 "Set local name for authentication", 252 OPT_PRIV|OPT_STATIC, NULL, MAXNAMELEN }, 253 { "user", o_string, user, 254 "Set name for auth with peer", OPT_STATIC, NULL, MAXNAMELEN }, 255 { "usehostname", o_bool, &usehostname, 256 "Must use hostname for authentication", 1 }, 257 { "remotename", o_string, remote_name, 258 "Set remote name for authentication", OPT_STATIC, 259 &explicit_remote, MAXNAMELEN }, 260 { "auth", o_bool, &auth_required, 261 "Require authentication from peer", 1 }, 262 { "noauth", o_bool, &auth_required, 263 "Don't require peer to authenticate", OPT_PRIV, &allow_any_ip }, 264 { "login", o_bool, &uselogin, 265 "Use system password database for PAP", 1 }, 266 { "papcrypt", o_bool, &cryptpap, 267 "PAP passwords are encrypted", 1 }, 268 { "+ua", o_special, (void *)setupapfile, 269 "Get PAP user and password from file" }, 270 { "password", o_string, passwd, 271 "Password for authenticating us to the peer", OPT_STATIC, 272 NULL, MAXSECRETLEN }, 273 { "privgroup", o_special, (void *)privgroup, 274 "Allow group members to use privileged options", OPT_PRIV }, 275 { "allow-ip", o_special, (void *)set_noauth_addr, 276 "Set peer IP address(es) usable without authentication", 277 OPT_PRIV }, 278 #ifdef CHAPMS 279 { "require-mschap", o_bool, &lcp_wantoptions[0].neg_mschap, 280 "Require MS-CHAPv1 authentication from peer", 1, &auth_required }, 281 { "refuse-mschap", o_bool, &refuse_mschap, 282 "Don't agree to authenticate to peer with MS-CHAPv1", 1 }, 283 #endif 284 #ifdef CHAPMSV2 285 { "require-mschapv2", o_bool, &lcp_wantoptions[0].neg_mschapv2, 286 "Require MS-CHAPv2 authentication from peer", 1, &auth_required }, 287 { "refuse-mschapv2", o_bool, &refuse_mschapv2, 288 "Don't agree to authenticate to peer with MS-CHAPv2", 1 }, 289 #endif 290 #ifdef ALLOW_PAM 291 { "pam", o_bool, &use_pam, 292 "Enable use of Pluggable Authentication Modules", OPT_PRIV|1 }, 293 { "nopam", o_bool, &use_pam, 294 "Disable use of Pluggable Authentication Modules", OPT_PRIV|0 }, 295 #endif 296 { NULL } 297 }; 298 299 /* 300 * setupapfile - specifies UPAP info for authenticating with peer. 301 */ 302 /*ARGSUSED*/ 303 static int 304 setupapfile(argv, opt) 305 char **argv; 306 option_t *opt; 307 { 308 FILE * ufile; 309 int l; 310 311 lcp_allowoptions[0].neg_upap = 1; 312 313 /* open user info file */ 314 (void) seteuid(getuid()); 315 ufile = fopen(*argv, "r"); 316 (void) seteuid(0); 317 if (ufile == NULL) { 318 option_error("unable to open user login data file %s", *argv); 319 return 0; 320 } 321 check_access(ufile, *argv); 322 323 /* get username */ 324 if (fgets(user, MAXNAMELEN - 1, ufile) == NULL 325 || fgets(passwd, MAXSECRETLEN - 1, ufile) == NULL){ 326 option_error("unable to read user login data file %s", *argv); 327 return 0; 328 } 329 (void) fclose(ufile); 330 331 /* get rid of newlines */ 332 l = strlen(user); 333 if (l > 0 && user[l-1] == '\n') 334 user[l-1] = '\0'; 335 l = strlen(passwd); 336 if (l > 0 && passwd[l-1] == '\n') 337 passwd[l-1] = '\0'; 338 339 return (1); 340 } 341 342 343 /* 344 * privgroup - allow members of the group to have privileged access. 345 */ 346 /*ARGSUSED*/ 347 static int 348 privgroup(argv, opt) 349 char **argv; 350 option_t *opt; 351 { 352 struct group *g; 353 int i; 354 355 g = getgrnam(*argv); 356 if (g == NULL) { 357 option_error("group %s is unknown", *argv); 358 return 0; 359 } 360 for (i = 0; i < ngroups; ++i) { 361 if (groups[i] == g->gr_gid) { 362 privileged = 1; 363 break; 364 } 365 } 366 return 1; 367 } 368 369 370 /* 371 * set_noauth_addr - set address(es) that can be used without authentication. 372 * Equivalent to specifying an entry like `"" * "" addr' in pap-secrets. 373 */ 374 /*ARGSUSED*/ 375 static int 376 set_noauth_addr(argv, opt) 377 char **argv; 378 option_t *opt; 379 { 380 char *addr = *argv; 381 int l = strlen(addr); 382 struct wordlist *wp; 383 384 wp = (struct wordlist *) malloc(sizeof(struct wordlist) + l + 1); 385 if (wp == NULL) 386 novm("allow-ip argument"); 387 wp->word = (char *) (wp + 1); 388 wp->next = noauth_addrs; 389 (void) strcpy(wp->word, addr); 390 noauth_addrs = wp; 391 return 1; 392 } 393 394 /* 395 * An Open on LCP has requested a change from Dead to Establish phase. 396 * Do what's necessary to bring the physical layer up. 397 */ 398 /*ARGSUSED*/ 399 void 400 link_required(unit) 401 int unit; 402 { 403 } 404 405 /* 406 * LCP has terminated the link; go to the Dead phase and take the 407 * physical layer down. 408 */ 409 /*ARGSUSED*/ 410 void 411 link_terminated(unit) 412 int unit; 413 { 414 const char *pn1, *pn2; 415 416 if (phase == PHASE_DEAD) 417 return; 418 if (pap_logout_hook != NULL) { 419 (*pap_logout_hook)(); 420 } else { 421 if (logged_in) 422 plogout(); 423 } 424 new_phase(PHASE_DEAD); 425 if (peer_nak_auth) { 426 if ((pn1 = protocol_name(nak_auth_orig)) == NULL) 427 pn1 = "?"; 428 if ((pn2 = protocol_name(nak_auth_proto)) == NULL) 429 pn2 = "?"; 430 warn("Peer sent Configure-Nak for 0x%x (%s) to suggest 0x%x (%s)", 431 nak_auth_orig, pn1, nak_auth_proto, pn2); 432 } 433 if (unsolicited_nak_auth) { 434 if ((pn1 = protocol_name(unsolicit_auth_proto)) == NULL) 435 pn1 = "?"; 436 warn("Peer unexpectedly asked us to authenticate with 0x%x (%s)", 437 unsolicit_auth_proto, pn1); 438 } 439 if (peer_reject_auth) { 440 if ((pn1 = protocol_name(reject_auth_proto)) == NULL) 441 pn1 = "?"; 442 warn("Peer rejected our demand for 0x%x (%s)", 443 reject_auth_proto, pn1); 444 } 445 if (naked_peers_auth) { 446 if ((pn1 = protocol_name(naked_auth_orig)) == NULL) 447 pn1 = "?"; 448 if ((pn2 = protocol_name(naked_auth_proto)) == NULL) 449 pn2 = "?"; 450 warn("We set Configure-Nak for 0x%x (%s) to suggest 0x%x (%s)", 451 naked_auth_orig, pn1, naked_auth_proto, pn2); 452 } 453 if (rejected_peers_auth) { 454 if ((pn1 = protocol_name(rejected_auth_proto)) == NULL) 455 pn1 = "?"; 456 warn("We rejected the peer's demand for 0x%x (%s)", 457 rejected_auth_proto, pn1); 458 } 459 460 peer_nak_auth = unsolicited_nak_auth = peer_reject_auth = 461 rejected_peers_auth = naked_peers_auth = 0; 462 nak_auth_proto = nak_auth_orig = unsolicit_auth_proto = reject_auth_proto = 463 rejected_auth_proto = naked_auth_orig = naked_auth_proto = 0; 464 notice("Connection terminated."); 465 } 466 467 /* 468 * LCP has gone down; it will either die or try to re-establish. 469 */ 470 void 471 link_down(unit) 472 int unit; 473 { 474 int i; 475 struct protent *protp; 476 477 auth_state = s_down; 478 if (auth_script_state == s_up && auth_script_pid == 0) { 479 update_link_stats(unit); 480 auth_script_state = s_down; 481 auth_script(_PATH_AUTHDOWN); 482 } 483 for (i = 0; (protp = protocols[i]) != NULL; ++i) { 484 if (!protp->enabled_flag) 485 continue; 486 if (protp->protocol != PPP_LCP && protp->lowerdown != NULL) 487 (*protp->lowerdown)(unit); 488 if (protp->protocol < 0xC000 && protp->close != NULL) 489 (*protp->close)(unit, "LCP down"); 490 } 491 num_np_open = 0; 492 num_np_up = 0; 493 if (phase != PHASE_DEAD) 494 new_phase(PHASE_TERMINATE); 495 } 496 497 /* 498 * The link is established. 499 * Proceed to the Dead, Authenticate or Network phase as appropriate. 500 */ 501 void 502 link_established(unit) 503 int unit; 504 { 505 int auth; 506 lcp_options *wo = &lcp_wantoptions[unit]; 507 lcp_options *go = &lcp_gotoptions[unit]; 508 lcp_options *ho = &lcp_hisoptions[unit]; 509 int i; 510 struct protent *protp; 511 512 /* 513 * Tell higher-level protocols that LCP is up. 514 */ 515 for (i = 0; (protp = protocols[i]) != NULL; ++i) 516 if (protp->protocol != PPP_LCP && protp->enabled_flag 517 && protp->lowerup != NULL) 518 (*protp->lowerup)(unit); 519 520 if (auth_required && !(go->neg_chap || go->neg_mschap || 521 go->neg_mschapv2 || go->neg_upap)) { 522 /* 523 * We wanted the peer to authenticate itself, and it refused: 524 * if we have some address(es) it can use without auth, fine, 525 * otherwise treat it as though it authenticated with PAP using 526 * a username * of "" and a password of "". If that's not OK, 527 * boot it out. 528 */ 529 if (noauth_addrs != NULL) { 530 set_allowed_addrs(unit, noauth_addrs, NULL); 531 } else if (!wo->neg_upap || !null_login(unit)) { 532 warn("peer refused to authenticate: terminating link"); 533 lcp_close(unit, "peer refused to authenticate"); 534 status = EXIT_PEER_AUTH_FAILED; 535 return; 536 } 537 } 538 539 new_phase(PHASE_AUTHENTICATE); 540 auth = 0; 541 if (go->neg_chap || go->neg_mschap || go->neg_mschapv2) { 542 if (go->neg_chap) { 543 if (debug) 544 dbglog("Authenticating peer with standard CHAP"); 545 go->chap_mdtype = CHAP_DIGEST_MD5; 546 } else if (go->neg_mschap) { 547 if (debug) 548 dbglog("Authenticating peer with MS-CHAPv1"); 549 go->chap_mdtype = CHAP_MICROSOFT; 550 } else { 551 if (debug) 552 dbglog("Authenticating peer with MS-CHAPv2"); 553 go->chap_mdtype = CHAP_MICROSOFT_V2; 554 } 555 ChapAuthPeer(unit, our_name, go->chap_mdtype); 556 auth |= CHAP_PEER; 557 } else if (go->neg_upap) { 558 if (debug) 559 dbglog("Authenticating peer with PAP"); 560 upap_authpeer(unit); 561 auth |= PAP_PEER; 562 } 563 if (ho->neg_chap || ho->neg_mschap || ho->neg_mschapv2) { 564 switch (ho->chap_mdtype) { 565 case CHAP_DIGEST_MD5: 566 if (debug) 567 dbglog("Authenticating to peer with standard CHAP"); 568 break; 569 case CHAP_MICROSOFT: 570 if (debug) 571 dbglog("Authenticating to peer with MS-CHAPv1"); 572 break; 573 case CHAP_MICROSOFT_V2: 574 if (debug) 575 dbglog("Authenticating to peer with MS-CHAPv2"); 576 break; 577 default: 578 if (debug) 579 dbglog("Authenticating to peer with CHAP 0x%x", ho->chap_mdtype); 580 break; 581 } 582 ChapAuthWithPeer(unit, user, ho->chap_mdtype); 583 auth |= CHAP_WITHPEER; 584 } else if (ho->neg_upap) { 585 if (passwd[0] == '\0') { 586 passwd_from_file = 1; 587 if (!get_pap_passwd(passwd)) 588 error("No secret found for PAP login"); 589 } 590 if (debug) 591 dbglog("Authenticating to peer with PAP"); 592 upap_authwithpeer(unit, user, passwd); 593 auth |= PAP_WITHPEER; 594 } 595 auth_pending[unit] = auth; 596 597 if (!auth) 598 network_phase(unit); 599 } 600 601 /* 602 * Proceed to the network phase. 603 */ 604 static void 605 network_phase(unit) 606 int unit; 607 { 608 lcp_options *go = &lcp_gotoptions[unit]; 609 610 /* 611 * If the peer had to authenticate, run the auth-up script now. 612 */ 613 if (go->neg_chap || go->neg_mschap || go->neg_mschapv2 || go->neg_upap) { 614 auth_state = s_up; 615 if (auth_script_state == s_down && auth_script_pid == 0) { 616 auth_script_state = s_up; 617 auth_script(_PATH_AUTHUP); 618 } 619 } 620 621 /* 622 * Process extra options from the secrets file 623 */ 624 if (extra_options != NULL) { 625 option_source = (char *)extra_opt_filename; 626 option_line = extra_opt_line; 627 (void) options_from_list(extra_options, 1); 628 free_wordlist(extra_options); 629 extra_options = NULL; 630 } 631 632 #ifdef CBCP_SUPPORT 633 /* 634 * If we negotiated callback, do it now. 635 */ 636 if (go->neg_cbcp) { 637 new_phase(PHASE_CALLBACK); 638 (*cbcp_protent.open)(unit); 639 return; 640 } 641 #endif 642 643 start_networks(); 644 } 645 646 void 647 start_networks() 648 { 649 int i; 650 struct protent *protp; 651 652 new_phase(PHASE_NETWORK); 653 654 #ifdef HAVE_MULTILINK 655 if (multilink) { 656 if (mp_join_bundle()) { 657 if (updetach && !nodetach) 658 detach(); 659 return; 660 } 661 } 662 #endif /* HAVE_MULTILINK */ 663 664 #if 0 665 if (!demand) 666 set_filters(&pass_filter, &active_filter); 667 #endif 668 for (i = 0; (protp = protocols[i]) != NULL; ++i) 669 if (protp->protocol < 0xC000 && protp->enabled_flag 670 && protp->open != NULL) { 671 (*protp->open)(0); 672 if (protp->protocol != PPP_CCP) 673 ++num_np_open; 674 } 675 676 if (num_np_open == 0) 677 /* nothing to do */ 678 lcp_close(0, "No network protocols running"); 679 } 680 681 /* 682 * The peer has failed to authenticate himself using `protocol'. 683 */ 684 /*ARGSUSED*/ 685 void 686 auth_peer_fail(unit, protocol) 687 int unit, protocol; 688 { 689 /* 690 * Authentication failure: take the link down 691 */ 692 lcp_close(unit, "Authentication failed"); 693 status = EXIT_PEER_AUTH_FAILED; 694 } 695 696 /* 697 * The peer has been successfully authenticated using `protocol'. 698 */ 699 void 700 auth_peer_success(unit, protocol, name, namelen) 701 int unit, protocol; 702 char *name; 703 int namelen; 704 { 705 int bit; 706 707 switch (protocol) { 708 case PPP_CHAP: 709 bit = CHAP_PEER; 710 break; 711 case PPP_PAP: 712 bit = PAP_PEER; 713 break; 714 default: 715 warn("auth_peer_success: unknown protocol %x", protocol); 716 return; 717 } 718 719 /* 720 * Save the authenticated name of the peer for later. 721 */ 722 if (namelen > sizeof(peer_authname) - 1) 723 namelen = sizeof(peer_authname) - 1; 724 BCOPY(name, peer_authname, namelen); 725 peer_authname[namelen] = '\0'; 726 script_setenv("PEERNAME", peer_authname, 0); 727 728 /* 729 * If there is no more authentication still to be done, 730 * proceed to the network (or callback) phase. 731 */ 732 if ((auth_pending[unit] &= ~bit) == 0) 733 network_phase(unit); 734 } 735 736 /* 737 * We have failed to authenticate ourselves to the peer using `protocol'. 738 */ 739 /*ARGSUSED*/ 740 void 741 auth_withpeer_fail(unit, protocol) 742 int unit, protocol; 743 { 744 if (passwd_from_file) 745 BZERO(passwd, MAXSECRETLEN); 746 /* 747 * We've failed to authenticate ourselves to our peer. 748 * Some servers keep sending CHAP challenges, but there 749 * is no point in persisting without any way to get updated 750 * authentication secrets. 751 */ 752 lcp_close(unit, "Failed to authenticate ourselves to peer"); 753 status = EXIT_AUTH_TOPEER_FAILED; 754 } 755 756 /* 757 * We have successfully authenticated ourselves with the peer using `protocol'. 758 */ 759 void 760 auth_withpeer_success(unit, protocol) 761 int unit, protocol; 762 { 763 int bit; 764 765 switch (protocol) { 766 case PPP_CHAP: 767 bit = CHAP_WITHPEER; 768 break; 769 case PPP_PAP: 770 if (passwd_from_file) 771 BZERO(passwd, MAXSECRETLEN); 772 bit = PAP_WITHPEER; 773 break; 774 default: 775 warn("auth_withpeer_success: unknown protocol %x", protocol); 776 bit = 0; 777 } 778 779 /* 780 * If there is no more authentication still being done, 781 * proceed to the network (or callback) phase. 782 */ 783 if ((auth_pending[unit] &= ~bit) == 0) 784 network_phase(unit); 785 } 786 787 788 /* 789 * np_up - a network protocol has come up. 790 */ 791 /*ARGSUSED*/ 792 void 793 np_up(unit, proto) 794 int unit, proto; 795 { 796 int tlim; 797 798 if (num_np_up == 0) { 799 /* 800 * At this point we consider that the link has come up successfully. 801 */ 802 status = EXIT_OK; 803 unsuccess = 0; 804 805 peer_nak_auth = unsolicited_nak_auth = peer_reject_auth = 806 rejected_peers_auth = naked_peers_auth = 0; 807 nak_auth_proto = nak_auth_orig = unsolicit_auth_proto = 808 reject_auth_proto = rejected_auth_proto = naked_auth_orig = 809 naked_auth_proto = 0; 810 811 new_phase(PHASE_RUNNING); 812 813 if (idle_time_hook != NULL) 814 tlim = (*idle_time_hook)(NULL); 815 else 816 tlim = idle_time_limit; 817 if (tlim > 0) 818 TIMEOUT(check_idle, NULL, tlim); 819 820 /* 821 * Set a timeout to close the connection once the maximum 822 * connect time has expired. 823 */ 824 if (maxconnect > 0) { 825 TIMEOUT(connect_time_expired, &lcp_fsm[unit], maxconnect); 826 827 /* 828 * Tell LCP to send Time-Remaining packets. One should be 829 * sent out now, at maxconnect-300, at maxconnect-120, and 830 * again at maxconnect-30. 831 */ 832 lcp_settimeremaining(unit, maxconnect, maxconnect); 833 if (maxconnect > 300) 834 lcp_settimeremaining(unit, maxconnect, 300); 835 if (maxconnect > 120) 836 lcp_settimeremaining(unit, maxconnect, 120); 837 if (maxconnect > 30) 838 lcp_settimeremaining(unit, maxconnect, 30); 839 } 840 841 /* 842 * Detach now, if the updetach option was given. 843 */ 844 if (updetach && !nodetach) 845 detach(); 846 } 847 ++num_np_up; 848 } 849 850 /* 851 * np_down - a network protocol has gone down. 852 */ 853 /*ARGSUSED*/ 854 void 855 np_down(unit, proto) 856 int unit, proto; 857 { 858 if (--num_np_up == 0) { 859 UNTIMEOUT(check_idle, NULL); 860 new_phase(PHASE_NETWORK); 861 } 862 } 863 864 /* 865 * np_finished - a network protocol has finished using the link. 866 */ 867 /*ARGSUSED*/ 868 void 869 np_finished(unit, proto) 870 int unit, proto; 871 { 872 if (--num_np_open <= 0) { 873 /* no further use for the link: shut up shop. */ 874 lcp_close(0, "No network protocols running"); 875 } 876 } 877 878 /* 879 * check_idle - check whether the link has been idle for long 880 * enough that we can shut it down. 881 */ 882 /*ARGSUSED*/ 883 static void 884 check_idle(arg) 885 void *arg; 886 { 887 struct ppp_idle idle; 888 time_t itime; 889 int tlim; 890 891 if (!get_idle_time(0, &idle)) 892 return; 893 if (idle_time_hook != NULL) { 894 tlim = (*idle_time_hook)(&idle); 895 } else { 896 itime = MIN(idle.xmit_idle, idle.recv_idle); 897 tlim = idle_time_limit - itime; 898 } 899 if (tlim <= 0) { 900 /* link is idle: shut it down. */ 901 notice("Terminating connection due to lack of activity."); 902 lcp_close(0, "Link inactive"); 903 need_holdoff = 0; 904 status = EXIT_IDLE_TIMEOUT; 905 } else { 906 TIMEOUT(check_idle, NULL, tlim); 907 } 908 } 909 910 /* 911 * connect_time_expired - log a message and close the connection. 912 */ 913 /*ARGSUSED*/ 914 static void 915 connect_time_expired(arg) 916 void *arg; 917 { 918 fsm *f = (fsm *)arg; 919 920 info("Connect time expired"); 921 lcp_close(f->unit, "Connect time expired"); /* Close connection */ 922 status = EXIT_CONNECT_TIME; 923 } 924 925 /* 926 * auth_check_options - called to check authentication options. 927 */ 928 void 929 auth_check_options() 930 { 931 lcp_options *wo = &lcp_wantoptions[0]; 932 int can_auth; 933 int lacks_ip; 934 935 /* Default our_name to hostname, and user to our_name */ 936 if (our_name[0] == '\0' || usehostname) 937 (void) strlcpy(our_name, hostname, sizeof(our_name)); 938 if (user[0] == '\0') 939 (void) strlcpy(user, our_name, sizeof(user)); 940 941 /* 942 * If we have a default route, require the peer to authenticate 943 * unless the noauth option was given or the real user is root. 944 */ 945 if (!auth_required && !allow_any_ip && have_route_to(0) && !privileged) { 946 auth_required = 1; 947 default_auth = 1; 948 } 949 950 /* If authentication is required, ask peer for CHAP or PAP. */ 951 if (auth_required) { 952 if (!wo->neg_chap && !wo->neg_mschap && !wo->neg_mschapv2 && 953 !wo->neg_upap) { 954 wo->neg_chap = 1; 955 #ifdef CHAPMS 956 wo->neg_mschap = 1; 957 #endif 958 #ifdef CHAPMSV2 959 wo->neg_mschapv2 = 1; 960 #endif 961 wo->chap_mdtype = CHAP_DIGEST_MD5; 962 wo->neg_upap = 1; 963 } 964 } else { 965 wo->neg_chap = 0; 966 wo->neg_mschap = 0; 967 wo->neg_mschapv2 = 0; 968 wo->neg_upap = 0; 969 } 970 971 /* 972 * Check whether we have appropriate secrets to use 973 * to authenticate the peer. 974 */ 975 lacks_ip = 0; 976 can_auth = wo->neg_upap && (uselogin || have_pap_secret(&lacks_ip)); 977 if (!can_auth && (wo->neg_chap || wo->neg_mschap || wo->neg_mschapv2)) { 978 can_auth = have_chap_secret((explicit_remote? remote_name: NULL), 979 our_name, 1, &lacks_ip); 980 } 981 982 if (auth_required && !can_auth && noauth_addrs == NULL) { 983 if (default_auth) { 984 option_error( 985 "By default the remote system is required to authenticate itself"); 986 option_error( 987 "(because this system has a default route to the Internet)"); 988 } else if (explicit_remote) 989 option_error( 990 "The remote system (%s) is required to authenticate itself", 991 remote_name); 992 else 993 option_error( 994 "The remote system is required to authenticate itself"); 995 option_error( 996 "but I couldn't find any suitable secret (password) for it to use to do so."); 997 if (lacks_ip) 998 option_error( 999 "(None of the available passwords would let it use an IP address.)"); 1000 1001 exit(1); 1002 } 1003 } 1004 1005 /* 1006 * auth_reset - called when LCP is starting negotiations to recheck 1007 * authentication options, i.e. whether we have appropriate secrets 1008 * to use for authenticating ourselves and/or the peer. 1009 */ 1010 void 1011 auth_reset(unit) 1012 int unit; 1013 { 1014 lcp_options *go = &lcp_gotoptions[unit]; 1015 lcp_options *ao = &lcp_allowoptions[unit]; 1016 int havesecret; 1017 1018 ao->neg_upap = !refuse_pap && (passwd[0] != '\0' || get_pap_passwd(NULL)); 1019 1020 havesecret = passwd[0] != '\0' || 1021 have_chap_secret(user, (explicit_remote? remote_name: NULL), 0, NULL); 1022 ao->neg_chap = !refuse_chap && havesecret; 1023 ao->neg_mschap = !refuse_mschap && havesecret; 1024 ao->neg_mschapv2 = !refuse_mschapv2 && havesecret; 1025 if (ao->neg_chap) 1026 ao->chap_mdtype = CHAP_DIGEST_MD5; 1027 else if (ao->neg_mschap) 1028 ao->chap_mdtype = CHAP_MICROSOFT; 1029 else 1030 ao->chap_mdtype = CHAP_MICROSOFT_V2; 1031 1032 if (go->neg_upap && !uselogin && !have_pap_secret(NULL)) 1033 go->neg_upap = 0; 1034 if (go->neg_chap || go->neg_mschap || go->neg_mschapv2) { 1035 havesecret = have_chap_secret((explicit_remote? remote_name: NULL), 1036 our_name, 1, NULL); 1037 if (!havesecret) 1038 go->neg_chap = go->neg_mschap = go->neg_mschapv2 = 0; 1039 else if (go->neg_chap) 1040 go->chap_mdtype = CHAP_DIGEST_MD5; 1041 else if (go->neg_mschap) 1042 go->chap_mdtype = CHAP_MICROSOFT; 1043 else 1044 go->chap_mdtype = CHAP_MICROSOFT_V2; 1045 } 1046 } 1047 1048 1049 /* 1050 * check_passwd - Check the user name and passwd against the PAP secrets 1051 * file. If requested, also check against the system password database, 1052 * and login the user if OK. 1053 * 1054 * returns: 1055 * UPAP_AUTHNAK: Authentication failed. 1056 * UPAP_AUTHACK: Authentication succeeded. 1057 * In either case, msg points to an appropriate message. 1058 */ 1059 int 1060 check_passwd(unit, auser, userlen, apasswd, passwdlen, msg) 1061 int unit; 1062 char *auser; 1063 int userlen; 1064 char *apasswd; 1065 int passwdlen; 1066 char **msg; 1067 { 1068 int ret; 1069 char *filename; 1070 FILE *f; 1071 struct wordlist *addrs = NULL, *opts = NULL; 1072 char passwd[256], user[256]; 1073 char secret[MAXWORDLEN]; 1074 static int attempts = 0; 1075 1076 /* 1077 * Make copies of apasswd and auser, then null-terminate them. 1078 * If there are unprintable characters in the password, make 1079 * them visible. 1080 */ 1081 (void) slprintf(passwd, sizeof(passwd), "%.*v", passwdlen, apasswd); 1082 (void) slprintf(user, sizeof(user), "%.*v", userlen, auser); 1083 *msg = ""; 1084 1085 /* 1086 * Check if a plugin wants to handle this. 1087 */ 1088 if (pap_auth_hook != NULL) { 1089 /* Set a default and allow the plug-in to change it. */ 1090 extra_opt_filename = "plugin"; 1091 extra_opt_line = 0; 1092 ret = (*pap_auth_hook)(user, passwd, msg, &addrs, &opts); 1093 if (ret >= 0) { 1094 if (ret > 0) 1095 set_allowed_addrs(unit, addrs, opts); 1096 BZERO(passwd, sizeof(passwd)); 1097 if (addrs != NULL) 1098 free_wordlist(addrs); 1099 return ret? UPAP_AUTHACK: UPAP_AUTHNAK; 1100 } 1101 } 1102 1103 /* 1104 * Open the file of pap secrets and scan for a suitable secret 1105 * for authenticating this user. 1106 */ 1107 filename = _PATH_UPAPFILE; 1108 addrs = opts = NULL; 1109 ret = UPAP_AUTHNAK; 1110 f = fopen(filename, "r"); 1111 if (f == NULL) { 1112 error("Can't open PAP password file %s: %m", filename); 1113 1114 } else { 1115 check_access(f, filename); 1116 if (scan_authfile(f, user, our_name, secret, &addrs, &opts, filename) < 0) { 1117 warn("no PAP secret found for %s", user); 1118 if (scan_server_match_failed[0] != '\0') 1119 warn("possible configuration error: local name is %q, but " 1120 "found %q instead", our_name, scan_server_match_failed); 1121 } else if (secret[0] != '\0') { 1122 /* password given in pap-secrets - must match */ 1123 if ((!cryptpap && strcmp(passwd, secret) == 0) 1124 || strcmp(crypt(passwd, secret), secret) == 0) 1125 ret = UPAP_AUTHACK; 1126 else 1127 warn("PAP authentication failure for %s", user); 1128 } else if (uselogin) { 1129 /* empty password in pap-secrets and login option */ 1130 ret = plogin(user, passwd, msg); 1131 if (ret == UPAP_AUTHNAK) 1132 warn("PAP login failure for %s", user); 1133 } else { 1134 /* empty password in pap-secrets and login option not used */ 1135 ret = UPAP_AUTHACK; 1136 } 1137 (void) fclose(f); 1138 } 1139 1140 if (ret == UPAP_AUTHNAK) { 1141 if (**msg == '\0') 1142 *msg = "Login incorrect"; 1143 /* 1144 * Frustrate passwd stealer programs. 1145 * Allow 10 tries, but start backing off after 3 (stolen from login). 1146 * On 10'th, drop the connection. 1147 */ 1148 if (attempts++ >= 10) { 1149 warn("%d LOGIN FAILURES ON %s, %s", attempts, devnam, user); 1150 lcp_close(unit, "login failed"); 1151 } 1152 if (attempts > 3) 1153 (void) sleep((u_int) (attempts - 3) * 5); 1154 if (opts != NULL) 1155 free_wordlist(opts); 1156 1157 } else { 1158 attempts = 0; /* Reset count */ 1159 if (**msg == '\0') 1160 *msg = "Login ok"; 1161 set_allowed_addrs(unit, addrs, opts); 1162 } 1163 1164 if (addrs != NULL) 1165 free_wordlist(addrs); 1166 BZERO(passwd, sizeof(passwd)); 1167 BZERO(secret, sizeof(secret)); 1168 1169 return ret; 1170 } 1171 1172 /* 1173 * This function is needed for PAM. 1174 */ 1175 1176 #ifdef ALLOW_PAM 1177 /* Static variables used to communicate between the conversation function 1178 * and the server_login function 1179 */ 1180 static char *PAM_username; 1181 static char *PAM_password; 1182 static int PAM_error = 0; 1183 static pam_handle_t *pamh = NULL; 1184 1185 /* PAM conversation function 1186 * Here we assume (for now, at least) that echo on means login name, and 1187 * echo off means password. 1188 */ 1189 1190 /*ARGSUSED*/ 1191 static int PAM_conv (int num_msg, 1192 #ifndef SOL2 1193 const 1194 #endif 1195 struct pam_message **msg, struct pam_response **resp, void *appdata_ptr) 1196 { 1197 int replies = 0; 1198 struct pam_response *reply = NULL; 1199 1200 #define COPY_STRING(s) (s) ? strdup(s) : NULL 1201 1202 reply = malloc(sizeof(struct pam_response) * num_msg); 1203 if (reply == NULL) 1204 return PAM_CONV_ERR; 1205 1206 for (replies = 0; replies < num_msg; replies++) { 1207 switch (msg[replies]->msg_style) { 1208 case PAM_PROMPT_ECHO_ON: 1209 reply[replies].resp_retcode = PAM_SUCCESS; 1210 reply[replies].resp = COPY_STRING(PAM_username); 1211 /* PAM frees resp */ 1212 break; 1213 case PAM_PROMPT_ECHO_OFF: 1214 reply[replies].resp_retcode = PAM_SUCCESS; 1215 reply[replies].resp = COPY_STRING(PAM_password); 1216 /* PAM frees resp */ 1217 break; 1218 case PAM_TEXT_INFO: 1219 /* fall through */ 1220 case PAM_ERROR_MSG: 1221 /* ignore it, but pam still wants a NULL response... */ 1222 reply[replies].resp_retcode = PAM_SUCCESS; 1223 reply[replies].resp = NULL; 1224 break; 1225 default: 1226 /* Must be an error of some sort... */ 1227 free (reply); 1228 PAM_error = 1; 1229 return PAM_CONV_ERR; 1230 } 1231 } 1232 *resp = reply; 1233 return PAM_SUCCESS; 1234 } 1235 1236 static struct pam_conv PAM_conversation = { 1237 PAM_conv, NULL 1238 }; 1239 #endif /* ALLOW_PAM */ 1240 1241 /* 1242 * plogin - Check the user name and password against the system 1243 * password database, and login the user if OK. 1244 * 1245 * returns: 1246 * UPAP_AUTHNAK: Login failed. 1247 * UPAP_AUTHACK: Login succeeded. 1248 * In either case, msg points to an appropriate message. 1249 */ 1250 1251 static int 1252 plogin(user, passwd, msg) 1253 char *user; 1254 char *passwd; 1255 char **msg; 1256 { 1257 char *tty; 1258 #ifdef HAS_SHADOW 1259 struct spwd *spwd; 1260 #endif 1261 struct passwd *pw = NULL; 1262 1263 #ifdef ALLOW_PAM 1264 int pam_error; 1265 1266 if (use_pam) { 1267 if (debug) 1268 dbglog("using PAM for user authentication"); 1269 pam_error = pam_start ("ppp", user, &PAM_conversation, &pamh); 1270 if (pam_error != PAM_SUCCESS) { 1271 *msg = (char *) pam_strerror (pamh, pam_error); 1272 reopen_log(); 1273 return UPAP_AUTHNAK; 1274 } 1275 /* 1276 * Define the fields for the credential validation 1277 */ 1278 1279 PAM_username = user; 1280 PAM_password = passwd; 1281 PAM_error = 0; 1282 /* this might be useful to some modules; required for Solaris */ 1283 tty = devnam; 1284 if (*tty == '\0') 1285 tty = ppp_devnam; 1286 (void) pam_set_item(pamh, PAM_TTY, tty); 1287 #ifdef PAM_RHOST 1288 (void) pam_set_item(pamh, PAM_RHOST, ""); 1289 #endif 1290 1291 /* 1292 * Validate the user 1293 */ 1294 pam_error = pam_authenticate (pamh, PAM_SILENT); 1295 if (pam_error == PAM_SUCCESS && !PAM_error) { 1296 pam_error = pam_acct_mgmt (pamh, PAM_SILENT); 1297 if (pam_error == PAM_SUCCESS) 1298 (void) pam_open_session (pamh, PAM_SILENT); 1299 } 1300 1301 *msg = (char *) pam_strerror (pamh, pam_error); 1302 1303 /* 1304 * Clean up the mess 1305 */ 1306 reopen_log(); /* apparently the PAM stuff does closelog() */ 1307 PAM_username = NULL; 1308 PAM_password = NULL; 1309 if (pam_error != PAM_SUCCESS) 1310 return UPAP_AUTHNAK; 1311 } else 1312 #endif /* ALLOW_PAM */ 1313 1314 { 1315 if (debug) { 1316 #ifdef HAS_SHADOW 1317 dbglog("using passwd/shadow for user authentication"); 1318 #else 1319 dbglog("using passwd for user authentication"); 1320 #endif 1321 } 1322 /* 1323 * Use the non-PAM methods directly 1324 */ 1325 1326 pw = getpwnam(user); 1327 1328 endpwent(); 1329 if (pw == NULL) 1330 return (UPAP_AUTHNAK); 1331 1332 #ifdef HAS_SHADOW 1333 spwd = getspnam(user); 1334 endspent(); 1335 if (spwd != NULL) { 1336 /* check the age of the password entry */ 1337 long now = time(NULL) / 86400L; 1338 1339 if ((spwd->sp_expire > 0 && now >= spwd->sp_expire) 1340 || ((spwd->sp_max >= 0 && spwd->sp_max < 10000) 1341 && spwd->sp_lstchg >= 0 1342 && now >= spwd->sp_lstchg + spwd->sp_max)) { 1343 warn("Password for %s has expired", user); 1344 return (UPAP_AUTHNAK); 1345 } 1346 pw->pw_passwd = spwd->sp_pwdp; 1347 } 1348 #endif 1349 1350 /* 1351 * If no passwd, don't let them login. 1352 */ 1353 if (pw->pw_passwd == NULL || strlen(pw->pw_passwd) < 2 || 1354 strcmp(crypt(passwd, pw->pw_passwd), pw->pw_passwd) != 0) 1355 return (UPAP_AUTHNAK); 1356 } 1357 1358 /* 1359 * Write a wtmp entry for this user. 1360 */ 1361 1362 tty = devnam; 1363 if (strncmp(tty, "/dev/", 5) == 0) 1364 tty += 5; 1365 logwtmp(tty, user, remote_name); /* Add wtmp login entry */ 1366 1367 #ifdef _PATH_LASTLOG 1368 if (!use_pam && pw != (struct passwd *)NULL) { 1369 struct lastlog ll; 1370 int fd; 1371 1372 if ((fd = open(_PATH_LASTLOG, O_RDWR, 0)) >= 0) { 1373 (void)lseek(fd, (off_t)(pw->pw_uid * sizeof(ll)), SEEK_SET); 1374 BZERO((void *)&ll, sizeof(ll)); 1375 (void)time(&ll.ll_time); 1376 (void)strncpy(ll.ll_line, tty, sizeof(ll.ll_line)); 1377 (void)write(fd, (char *)&ll, sizeof(ll)); 1378 (void)close(fd); 1379 } 1380 } 1381 #endif /* _PATH_LASTLOG */ 1382 1383 info("user %s logged in", user); 1384 logged_in = 1; 1385 1386 return (UPAP_AUTHACK); 1387 } 1388 1389 /* 1390 * plogout - Logout the user. 1391 */ 1392 static void 1393 plogout() 1394 { 1395 char *tty; 1396 1397 #ifdef ALLOW_PAM 1398 int pam_error; 1399 1400 if (use_pam) { 1401 if (pamh != NULL) { 1402 pam_error = pam_close_session (pamh, PAM_SILENT); 1403 (void) pam_end (pamh, pam_error); 1404 pamh = NULL; 1405 } 1406 /* Apparently the pam stuff does closelog(). */ 1407 reopen_log(); 1408 } else 1409 #endif /* ALLOW_PAM */ 1410 1411 { 1412 tty = devnam; 1413 if (strncmp(tty, "/dev/", 5) == 0) 1414 tty += 5; 1415 /* Wipe out utmp logout entry */ 1416 logwtmp(tty, "", ""); 1417 } 1418 logged_in = 0; 1419 } 1420 1421 1422 /* 1423 * null_login - Check if a username of "" and a password of "" are 1424 * acceptable, and iff so, set the list of acceptable IP addresses 1425 * and return 1. 1426 */ 1427 static int 1428 null_login(unit) 1429 int unit; 1430 { 1431 char *filename; 1432 FILE *f; 1433 int i, ret; 1434 struct wordlist *addrs, *opts; 1435 char secret[MAXWORDLEN]; 1436 1437 /* 1438 * Open the file of pap secrets and scan for a suitable secret. 1439 */ 1440 filename = _PATH_UPAPFILE; 1441 addrs = NULL; 1442 f = fopen(filename, "r"); 1443 if (f == NULL) 1444 return 0; 1445 check_access(f, filename); 1446 1447 i = scan_authfile(f, "", our_name, secret, &addrs, &opts, filename); 1448 ret = i >= 0 && secret[0] == '\0'; 1449 BZERO(secret, sizeof(secret)); 1450 1451 if (ret) 1452 set_allowed_addrs(unit, addrs, opts); 1453 else if (opts != NULL) 1454 free_wordlist(opts); 1455 if (addrs != NULL) 1456 free_wordlist(addrs); 1457 1458 (void) fclose(f); 1459 return ret; 1460 } 1461 1462 1463 /* 1464 * get_pap_passwd - get a password for authenticating ourselves with 1465 * our peer using PAP. Returns 1 on success, 0 if no suitable password 1466 * could be found. 1467 * Assumes passwd points to MAXSECRETLEN bytes of space (if non-null). 1468 */ 1469 static int 1470 get_pap_passwd(passwd) 1471 char *passwd; 1472 { 1473 char *filename; 1474 FILE *f; 1475 int ret; 1476 char secret[MAXWORDLEN]; 1477 1478 /* 1479 * Check whether a plugin wants to supply this. 1480 */ 1481 if (pap_passwd_hook != NULL) { 1482 ret = (*pap_passwd_hook)(user, passwd); 1483 if (ret >= 0) 1484 return ret; 1485 } 1486 1487 filename = _PATH_UPAPFILE; 1488 f = fopen(filename, "r"); 1489 if (f == NULL) 1490 return 0; 1491 check_access(f, filename); 1492 ret = scan_authfile(f, user, 1493 (remote_name[0] != '\0' ? remote_name: NULL), 1494 secret, NULL, NULL, filename); 1495 (void) fclose(f); 1496 if (ret < 0) 1497 return 0; 1498 if (passwd != NULL) 1499 (void) strlcpy(passwd, secret, MAXSECRETLEN); 1500 BZERO(secret, sizeof(secret)); 1501 return 1; 1502 } 1503 1504 1505 /* 1506 * have_pap_secret - check whether we have a PAP file with any 1507 * secrets that we could possibly use for authenticating the peer. 1508 */ 1509 static int 1510 have_pap_secret(lacks_ipp) 1511 int *lacks_ipp; 1512 { 1513 FILE *f; 1514 int ret; 1515 char *filename; 1516 struct wordlist *addrs; 1517 1518 /* let the plugin decide, if there is one */ 1519 if (pap_check_hook != NULL) { 1520 ret = (*pap_check_hook)(); 1521 if (ret >= 0) 1522 return ret; 1523 } 1524 1525 filename = _PATH_UPAPFILE; 1526 f = fopen(filename, "r"); 1527 if (f == NULL) 1528 return 0; 1529 1530 ret = scan_authfile(f, (explicit_remote? remote_name: NULL), our_name, 1531 NULL, &addrs, NULL, filename); 1532 (void) fclose(f); 1533 if (ret >= 0 && !some_ip_ok(addrs)) { 1534 if (lacks_ipp != NULL) 1535 *lacks_ipp = 1; 1536 ret = -1; 1537 } 1538 if (addrs != NULL) 1539 free_wordlist(addrs); 1540 1541 return ret >= 0; 1542 } 1543 1544 1545 /* 1546 * have_chap_secret - check whether we have a CHAP file with a secret 1547 * that we could possibly use for authenticating `client' on `server'. 1548 * Either or both can be the null string, meaning we don't know the 1549 * identity yet. 1550 */ 1551 static int 1552 have_chap_secret(client, server, need_ip, lacks_ipp) 1553 char *client; 1554 char *server; 1555 int need_ip; 1556 int *lacks_ipp; 1557 { 1558 FILE *f; 1559 int ret; 1560 char *filename; 1561 struct wordlist *addrs; 1562 1563 filename = _PATH_CHAPFILE; 1564 f = fopen(filename, "r"); 1565 if (f == NULL) 1566 return 0; 1567 1568 if (client != NULL && client[0] == '\0') 1569 client = NULL; 1570 if (server != NULL && server[0] == '\0') 1571 server = NULL; 1572 1573 ret = scan_authfile(f, client, server, NULL, &addrs, NULL, filename); 1574 (void) fclose(f); 1575 if (ret >= 0 && need_ip && !some_ip_ok(addrs)) { 1576 if (lacks_ipp != NULL) 1577 *lacks_ipp = 1; 1578 ret = -1; 1579 } 1580 if (addrs != NULL) 1581 free_wordlist(addrs); 1582 1583 return ret >= 0; 1584 } 1585 1586 1587 /* 1588 * get_secret - open the CHAP secret file and return the secret 1589 * for authenticating the given client on the given server. 1590 * 1591 * "am_server" means that we're the authenticator (demanding 1592 * identity from the peer). 1593 * 1594 * "!am_server" means that we're the authenticatee (supplying 1595 * identity to the peer). 1596 */ 1597 int 1598 get_secret(unit, client, server, secret, secret_len, am_server) 1599 int unit; 1600 char *client; 1601 char *server; 1602 char *secret; 1603 int *secret_len; 1604 int am_server; 1605 { 1606 FILE *f; 1607 int ret, len; 1608 char *filename; 1609 struct wordlist *addrs, *opts; 1610 char secbuf[MAXWORDLEN]; 1611 1612 /* 1613 * Support the 'password' option on authenticatee only in order to 1614 * avoid obvious security problem (authenticator and authenticatee 1615 * within a given implementation must never share secrets). 1616 */ 1617 if (!am_server && passwd[0] != '\0') { 1618 (void) strlcpy(secbuf, passwd, sizeof(secbuf)); 1619 } else { 1620 filename = _PATH_CHAPFILE; 1621 addrs = NULL; 1622 secbuf[0] = '\0'; 1623 1624 f = fopen(filename, "r"); 1625 if (f == NULL) { 1626 error("Can't open chap secret file %s: %m", filename); 1627 return 0; 1628 } 1629 check_access(f, filename); 1630 1631 ret = scan_authfile(f, client, server, secbuf, &addrs, &opts, 1632 filename); 1633 (void) fclose(f); 1634 if (ret < 0) { 1635 if (scan_server_match_failed[0] != '\0') 1636 warn("possible configuration error: local name is %q, but " 1637 "found %q instead", our_name, scan_server_match_failed); 1638 return 0; 1639 } 1640 1641 /* Only the authenticator cares about limiting peer addresses. */ 1642 if (am_server) 1643 set_allowed_addrs(unit, addrs, opts); 1644 else if (opts != NULL) 1645 free_wordlist(opts); 1646 if (addrs != NULL) 1647 free_wordlist(addrs); 1648 } 1649 1650 len = strlen(secbuf); 1651 if (len > MAXSECRETLEN) { 1652 error("Secret for %s on %s is too long", client, server); 1653 len = MAXSECRETLEN; 1654 } 1655 /* Do not leave a temporary copy of the secret on the stack. */ 1656 BCOPY(secbuf, secret, len); 1657 BZERO(secbuf, sizeof(secbuf)); 1658 *secret_len = len; 1659 1660 return 1; 1661 } 1662 1663 /* 1664 * set_allowed_addrs() - set the list of allowed addresses. 1665 * The caller must also look for `--' indicating options to apply for 1666 * this peer and leaves the following words in extra_options. 1667 */ 1668 static void 1669 set_allowed_addrs(unit, addrs, opts) 1670 int unit; 1671 struct wordlist *addrs; 1672 struct wordlist *opts; 1673 { 1674 int n; 1675 struct wordlist *ap, **pap; 1676 struct permitted_ip *ip; 1677 char *ptr_word, *ptr_mask; 1678 struct hostent *hp; 1679 struct netent *np; 1680 u_int32_t a, mask, newmask, ah, offset; 1681 struct ipcp_options *wo = &ipcp_wantoptions[unit]; 1682 u_int32_t suggested_ip = 0; 1683 int err_num; 1684 1685 if (addresses[unit] != NULL) 1686 free(addresses[unit]); 1687 addresses[unit] = NULL; 1688 if (extra_options != NULL) 1689 free_wordlist(extra_options); 1690 extra_options = opts; 1691 1692 /* 1693 * Count the number of IP addresses given. 1694 */ 1695 for (n = 0, pap = &addrs; (ap = *pap) != NULL; pap = &ap->next) 1696 ++n; 1697 if (n == 0) 1698 return; 1699 ip = (struct permitted_ip *) malloc((n + 1) * sizeof(struct permitted_ip)); 1700 if (ip == NULL) 1701 return; 1702 1703 n = 0; 1704 for (ap = addrs; ap != NULL; ap = ap->next) { 1705 /* "-" means no addresses authorized, "*" means any address allowed */ 1706 ptr_word = ap->word; 1707 if (strcmp(ptr_word, "-") == 0) 1708 break; 1709 if (strcmp(ptr_word, "*") == 0) { 1710 ip[n].permit = 1; 1711 ip[n].base = ip[n].mask = 0; 1712 ++n; 1713 break; 1714 } 1715 1716 ip[n].permit = 1; 1717 if (*ptr_word == '!') { 1718 ip[n].permit = 0; 1719 ++ptr_word; 1720 } 1721 1722 mask = ~ (u_int32_t) 0; 1723 offset = 0; 1724 ptr_mask = strchr (ptr_word, '/'); 1725 if (ptr_mask != NULL) { 1726 int bit_count; 1727 char *endp; 1728 1729 bit_count = (int) strtol (ptr_mask+1, &endp, 10); 1730 if (bit_count <= 0 || bit_count > 32) { 1731 warn("invalid address length %v in authorized address list", 1732 ptr_mask+1); 1733 continue; 1734 } 1735 bit_count = 32 - bit_count; /* # bits in host part */ 1736 if (*endp == '+') { 1737 offset = ifunit + 1; 1738 ++endp; 1739 } 1740 if (*endp != '\0') { 1741 warn("invalid address length syntax: %v", ptr_mask+1); 1742 continue; 1743 } 1744 *ptr_mask = '\0'; 1745 mask <<= bit_count; 1746 } 1747 1748 /* Try to interpret value as host name or numeric address first */ 1749 hp = getipnodebyname(ptr_word, AF_INET, 0, &err_num); 1750 if (hp != NULL) { 1751 (void) memcpy(&a, hp->h_addr, sizeof(a)); 1752 freehostent(hp); 1753 } else { 1754 char *cp = ptr_word + strlen(ptr_word); 1755 if (cp > ptr_word) 1756 cp--; 1757 if (*cp == '+') { 1758 offset = ifunit + 1; 1759 *cp = '\0'; 1760 } 1761 np = getnetbyname (ptr_word); 1762 if (np != NULL && np->n_addrtype == AF_INET) { 1763 ah = np->n_net; 1764 newmask = (u_int32_t)~0; 1765 if ((ah & 0xff000000ul) == 0) 1766 ah <<= 8, newmask <<= 8; 1767 if ((ah & 0xff000000ul) == 0) 1768 ah <<= 8, newmask <<= 8; 1769 if ((ah & 0xff000000ul) == 0) 1770 ah <<= 8, newmask <<= 8; 1771 if (ptr_mask == NULL) 1772 mask = newmask; 1773 a = htonl(ah); 1774 } 1775 } 1776 1777 if (ptr_mask != NULL) 1778 *ptr_mask = '/'; 1779 1780 if (a == (u_int32_t)-1L) { 1781 warn("unknown host %s in auth. address list", ap->word); 1782 continue; 1783 } 1784 if (offset != 0) { 1785 if (offset >= ~mask) { 1786 warn("interface unit %d too large for subnet %v", 1787 ifunit, ptr_word); 1788 continue; 1789 } 1790 a = htonl((ntohl(a) & mask) + offset); 1791 mask = ~(u_int32_t)0; 1792 } 1793 ip[n].mask = htonl(mask); 1794 ip[n].base = a & ip[n].mask; 1795 ++n; 1796 if (~mask == 0 && suggested_ip == 0) 1797 suggested_ip = a; 1798 } 1799 1800 /* Sentinel value at end of list */ 1801 ip[n].permit = 0; /* make the last entry forbid all addresses */ 1802 ip[n].base = 0; /* to terminate the list */ 1803 ip[n].mask = 0; 1804 1805 addresses[unit] = ip; 1806 1807 /* 1808 * If the address given for the peer isn't authorized, or if 1809 * the user hasn't given one, AND there is an authorized address 1810 * which is a single host, then use that if we find one. 1811 */ 1812 if (suggested_ip != 0 1813 && (wo->hisaddr == 0 || !auth_ip_addr(unit, wo->hisaddr))) 1814 wo->hisaddr = suggested_ip; 1815 } 1816 1817 /* 1818 * auth_ip_addr - check whether the peer is authorized to use 1819 * a given IP address. Returns 1 if authorized, 0 otherwise. 1820 */ 1821 int 1822 auth_ip_addr(unit, addr) 1823 int unit; 1824 u_int32_t addr; 1825 { 1826 int ok; 1827 1828 /* don't allow loopback or multicast address */ 1829 if (bad_ip_adrs(addr)) 1830 return 0; 1831 1832 if (addresses[unit] != NULL) { 1833 ok = ip_addr_check(addr, addresses[unit]); 1834 if (ok >= 0) 1835 return ok; 1836 } 1837 if (auth_required) 1838 return 0; /* no addresses authorized */ 1839 return allow_any_ip || privileged || !have_route_to(addr); 1840 } 1841 1842 static int 1843 ip_addr_check(addr, addrs) 1844 u_int32_t addr; 1845 struct permitted_ip *addrs; 1846 { 1847 /* This loop is safe because of the sentinel value in set_allowed_addrs */ 1848 for (; ; ++addrs) 1849 if ((addr & addrs->mask) == addrs->base) 1850 return addrs->permit; 1851 } 1852 1853 /* 1854 * bad_ip_adrs - return 1 if the IP address is one we don't want 1855 * to use, such as an address in the loopback net or a multicast address. 1856 * addr is in network byte order. 1857 */ 1858 int 1859 bad_ip_adrs(addr) 1860 u_int32_t addr; 1861 { 1862 addr = ntohl(addr); 1863 return 1864 #ifndef ALLOW_127_NET 1865 (addr >> IN_CLASSA_NSHIFT) == IN_LOOPBACKNET || 1866 #endif 1867 #ifndef ALLOW_0_NET 1868 ((addr >> IN_CLASSA_NSHIFT) == 0 && addr != 0) || 1869 #endif 1870 IN_MULTICAST(addr); 1871 } 1872 1873 /* 1874 * some_ip_ok - check a wordlist to see if it authorizes any 1875 * IP address(es). 1876 */ 1877 static int 1878 some_ip_ok(addrs) 1879 struct wordlist *addrs; 1880 { 1881 for (; addrs != NULL; addrs = addrs->next) { 1882 if (addrs->word[0] == '-') 1883 break; 1884 if (addrs->word[0] != '!') 1885 return 1; /* some IP address is allowed */ 1886 } 1887 return 0; 1888 } 1889 1890 /* 1891 * check_access - complain if a secret file has too-liberal permissions. 1892 */ 1893 static void 1894 check_access(f, filename) 1895 FILE *f; 1896 char *filename; 1897 { 1898 struct stat sbuf; 1899 1900 if (fstat(fileno(f), &sbuf) < 0) { 1901 warn("cannot stat secret file %s: %m", filename); 1902 } else if ((sbuf.st_mode & (S_IRWXG | S_IRWXO)) != 0) { 1903 warn("Warning - secret file %s has world and/or group access", 1904 filename); 1905 } 1906 } 1907 1908 1909 /* 1910 * scan_authfile - Scan an authorization file for a secret suitable 1911 * for authenticating `client' on `server'. The return value is -1 if 1912 * no secret is found, otherwise >= 0. The return value has 1913 * NONWILD_CLIENT set if the secret didn't have "*" for the client, 1914 * and NONWILD_SERVER set if the secret didn't have "*" for the 1915 * server. 1916 1917 * Any following words on the line up to a "--" (i.e. address 1918 * authorization info) are placed in a wordlist and returned in 1919 * *addrs. Any following words (extra options) are placed in a 1920 * wordlist and returned in *opts. If opts is NULL, these are just 1921 * discarded. Otherwise, the extra_opt_* variables are set to 1922 * indicate the source of the options. 1923 * 1924 * We assume secret is NULL or points to MAXWORDLEN bytes of space. 1925 */ 1926 static int 1927 scan_authfile(f, client, server, secret, addrs, opts, filename) 1928 FILE *f; 1929 char *client; 1930 char *server; 1931 char *secret; 1932 struct wordlist **addrs; 1933 struct wordlist **opts; 1934 char *filename; 1935 { 1936 int newline, xxx, sline; 1937 int got_flag, best_flag; 1938 FILE *sf; 1939 struct wordlist *ap, *addr_list, *alist, **app; 1940 char word[MAXWORDLEN]; 1941 char atfile[MAXWORDLEN]; 1942 char lsecret[MAXWORDLEN]; 1943 1944 scan_server_match_failed[0] = '\0'; 1945 1946 if (addrs != NULL) 1947 *addrs = NULL; 1948 if (opts != NULL) 1949 *opts = NULL; 1950 addr_list = NULL; 1951 option_line = 0; 1952 if (!getword(f, word, &newline, filename)) { 1953 if (debug) 1954 dbglog("%s is apparently empty", filename); 1955 return -1; /* file is empty??? */ 1956 } 1957 newline = 1; 1958 best_flag = -1; 1959 for (;;) { 1960 /* 1961 * Skip until we find a word at the start of a line. 1962 */ 1963 while (!newline && getword(f, word, &newline, filename)) 1964 ; 1965 if (!newline) 1966 break; /* got to end of file */ 1967 1968 sline = option_line; 1969 /* 1970 * Got a client - check if it's a match or a wildcard. 1971 */ 1972 got_flag = 0; 1973 if (client != NULL && strcmp(word, client) != 0 && !ISWILD(word)) { 1974 newline = 0; 1975 continue; 1976 } 1977 if (!ISWILD(word)) 1978 got_flag = NONWILD_CLIENT; 1979 1980 /* 1981 * Now get a server and check if it matches. 1982 */ 1983 if (!getword(f, word, &newline, filename)) 1984 break; 1985 if (newline) 1986 continue; 1987 if (!ISWILD(word)) { 1988 if (server != NULL && strcmp(word, server) != 0) { 1989 (void) strcpy(scan_server_match_failed, word); 1990 continue; 1991 } 1992 got_flag |= NONWILD_SERVER; 1993 } 1994 1995 /* 1996 * Got some sort of a match - see if it's better than what 1997 * we have already. 1998 */ 1999 if (got_flag <= best_flag) 2000 continue; 2001 2002 /* 2003 * Get the secret. 2004 */ 2005 if (!getword(f, word, &newline, filename)) 2006 break; 2007 if (newline) 2008 continue; 2009 2010 /* 2011 * Special syntax: @filename means read secret from file. 2012 * Because the secrets files are modifiable only by root, 2013 * it's safe to open this file as root. One small addition -- 2014 * if open fails, we try as the regular user; just in case 2015 * it's over NFS and not root-equivalent. 2016 */ 2017 if (word[0] == '@') { 2018 (void) strlcpy(atfile, word+1, sizeof(atfile)); 2019 if ((sf = fopen(atfile, "r")) == NULL) { 2020 (void) seteuid(getuid()); 2021 sf = fopen(atfile, "r"); 2022 (void) seteuid(0); 2023 } 2024 if (sf == NULL) { 2025 warn("can't open indirect secret file %s: %m", atfile); 2026 continue; 2027 } 2028 check_access(sf, atfile); 2029 if (!getword(sf, word, &xxx, atfile)) { 2030 warn("no secret in indirect secret file %s", atfile); 2031 (void) fclose(sf); 2032 continue; 2033 } 2034 (void) fclose(sf); 2035 } 2036 if (secret != NULL) 2037 (void) strlcpy(lsecret, word, sizeof(lsecret)); 2038 2039 /* 2040 * Now read address authorization info and make a wordlist. 2041 */ 2042 app = &alist; 2043 for (;;) { 2044 if (!getword(f, word, &newline, filename) || newline) 2045 break; 2046 ap = (struct wordlist *) malloc(sizeof(struct wordlist)); 2047 if (ap == NULL) 2048 novm("authorized addresses"); 2049 ap->word = strdup(word); 2050 if (ap->word == NULL) 2051 novm("authorized addresses"); 2052 *app = ap; 2053 app = &ap->next; 2054 } 2055 *app = NULL; 2056 2057 /* 2058 * This is the best so far; remember it. 2059 */ 2060 best_flag = got_flag; 2061 if (addr_list != NULL) 2062 free_wordlist(addr_list); 2063 addr_list = alist; 2064 if (secret != NULL) 2065 (void) strlcpy(secret, lsecret, MAXWORDLEN); 2066 2067 if (opts != NULL) { 2068 extra_opt_filename = filename; 2069 extra_opt_line = sline; 2070 } 2071 2072 if (!newline) 2073 break; 2074 } 2075 2076 /* scan for a -- word indicating the start of options */ 2077 for (app = &addr_list; (ap = *app) != NULL; app = &ap->next) 2078 if (strcmp(ap->word, "--") == 0) 2079 break; 2080 /* ap = start of options */ 2081 if (ap != NULL) { 2082 ap = ap->next; /* first option */ 2083 free(*app); /* free the "--" word */ 2084 *app = NULL; /* terminate addr list */ 2085 } 2086 if (opts != NULL) 2087 *opts = ap; 2088 else if (ap != NULL) 2089 free_wordlist(ap); 2090 if (addrs != NULL) 2091 *addrs = addr_list; 2092 else if (addr_list != NULL) 2093 free_wordlist(addr_list); 2094 2095 return best_flag; 2096 } 2097 2098 /* 2099 * free_wordlist - release memory allocated for a wordlist. 2100 */ 2101 static void 2102 free_wordlist(wp) 2103 struct wordlist *wp; 2104 { 2105 struct wordlist *next; 2106 2107 while (wp != NULL) { 2108 next = wp->next; 2109 free(wp); 2110 wp = next; 2111 } 2112 } 2113 2114 /* 2115 * auth_script_done - called when the auth-up or auth-down script 2116 * has finished. 2117 */ 2118 /*ARGSUSED*/ 2119 static void 2120 auth_script_done(arg, status) 2121 void *arg; 2122 int status; 2123 { 2124 auth_script_pid = 0; 2125 switch (auth_script_state) { 2126 case s_up: 2127 if (auth_state == s_down) { 2128 auth_script_state = s_down; 2129 auth_script(_PATH_AUTHDOWN); 2130 } 2131 break; 2132 case s_down: 2133 if (auth_state == s_up) { 2134 auth_script_state = s_up; 2135 auth_script(_PATH_AUTHUP); 2136 } 2137 break; 2138 } 2139 } 2140 2141 /* 2142 * auth_script - execute a script with arguments 2143 * interface-name peer-name real-user tty speed 2144 */ 2145 static void 2146 auth_script(script) 2147 char *script; 2148 { 2149 char strspeed[32]; 2150 struct passwd *pw; 2151 char struid[32]; 2152 char *user_name; 2153 char *argv[8]; 2154 2155 if ((pw = getpwuid(getuid())) != NULL && pw->pw_name != NULL) 2156 user_name = pw->pw_name; 2157 else { 2158 (void) slprintf(struid, sizeof(struid), "%d", getuid()); 2159 user_name = struid; 2160 } 2161 (void) slprintf(strspeed, sizeof(strspeed), "%d", baud_rate); 2162 2163 argv[0] = script; 2164 argv[1] = ifname; 2165 argv[2] = peer_authname; 2166 argv[3] = user_name; 2167 argv[4] = devnam; 2168 argv[5] = strspeed; 2169 argv[6] = NULL; 2170 2171 auth_script_pid = run_program(script, argv, 0, auth_script_done, NULL); 2172 } 2173