1 /* $OpenBSD: auth.c,v 1.43 2024/08/21 14:57:05 florian Exp $ */ 2 3 /* 4 * auth.c - PPP authentication and phase control. 5 * 6 * Copyright (c) 1989-2002 Paul Mackerras. All rights reserved. 7 * 8 * Redistribution and use in source and binary forms, with or without 9 * modification, are permitted provided that the following conditions 10 * are met: 11 * 12 * 1. Redistributions of source code must retain the above copyright 13 * notice, this list of conditions and the following disclaimer. 14 * 15 * 2. Redistributions in binary form must reproduce the above copyright 16 * notice, this list of conditions and the following disclaimer in 17 * the documentation and/or other materials provided with the 18 * distribution. 19 * 20 * 3. The name(s) of the authors of this software must not be used to 21 * endorse or promote products derived from this software without 22 * prior written permission. 23 * 24 * 4. Redistributions of any form whatsoever must retain the following 25 * acknowledgment: 26 * "This product includes software developed by Paul Mackerras 27 * <paulus@samba.org>". 28 * 29 * THE AUTHORS OF THIS SOFTWARE DISCLAIM ALL WARRANTIES WITH REGARD TO 30 * THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY 31 * AND FITNESS, IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY 32 * SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 33 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN 34 * AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING 35 * OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 36 * 37 * Copyright (c) 1984-2000 Carnegie Mellon University. All rights reserved. 38 * 39 * Redistribution and use in source and binary forms, with or without 40 * modification, are permitted provided that the following conditions 41 * are met: 42 * 43 * 1. Redistributions of source code must retain the above copyright 44 * notice, this list of conditions and the following disclaimer. 45 * 46 * 2. Redistributions in binary form must reproduce the above copyright 47 * notice, this list of conditions and the following disclaimer in 48 * the documentation and/or other materials provided with the 49 * distribution. 50 * 51 * 3. The name "Carnegie Mellon University" must not be used to 52 * endorse or promote products derived from this software without 53 * prior written permission. For permission or any legal 54 * details, please contact 55 * Office of Technology Transfer 56 * Carnegie Mellon University 57 * 5000 Forbes Avenue 58 * Pittsburgh, PA 15213-3890 59 * (412) 268-4387, fax: (412) 268-7395 60 * tech-transfer@andrew.cmu.edu 61 * 62 * 4. Redistributions of any form whatsoever must retain the following 63 * acknowledgment: 64 * "This product includes software developed by Computing Services 65 * at Carnegie Mellon University (http://www.cmu.edu/computing/)." 66 * 67 * CARNEGIE MELLON UNIVERSITY DISCLAIMS ALL WARRANTIES WITH REGARD TO 68 * THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY 69 * AND FITNESS, IN NO EVENT SHALL CARNEGIE MELLON UNIVERSITY BE LIABLE 70 * FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 71 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN 72 * AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING 73 * OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 74 */ 75 76 #include <stdio.h> 77 #include <stddef.h> 78 #include <stdlib.h> 79 #include <unistd.h> 80 #include <limits.h> 81 #include <syslog.h> 82 #include <pwd.h> 83 #include <string.h> 84 #include <sys/types.h> 85 #include <sys/stat.h> 86 #include <sys/socket.h> 87 #include <utmp.h> 88 #include <fcntl.h> 89 #if defined(_PATH_LASTLOG) && defined(_linux_) 90 #include <lastlog.h> 91 #endif 92 93 #include <netdb.h> 94 #include <netinet/in.h> 95 #include <arpa/inet.h> 96 97 98 99 #include "pppd.h" 100 #include "fsm.h" 101 #include "lcp.h" 102 #include "ipcp.h" 103 #include "upap.h" 104 #include "chap.h" 105 #ifdef CBCP_SUPPORT 106 #include "cbcp.h" 107 #endif 108 #include "pathnames.h" 109 110 /* Used for storing a sequence of words. Usually malloced. */ 111 struct wordlist { 112 struct wordlist *next; 113 char word[1]; 114 }; 115 116 /* Bits in scan_authfile return value */ 117 #define NONWILD_SERVER 1 118 #define NONWILD_CLIENT 2 119 120 #define ISWILD(word) (word[0] == '*' && word[1] == 0) 121 122 #define FALSE 0 123 #define TRUE 1 124 125 /* The name by which the peer authenticated itself to us. */ 126 char peer_authname[MAXNAMELEN]; 127 128 /* Records which authentication operations haven't completed yet. */ 129 static int auth_pending[NUM_PPP]; 130 131 /* Set if we have successfully called plogin() */ 132 static int logged_in; 133 134 /* Set if we have run the /etc/ppp/auth-up script. */ 135 static int did_authup; 136 137 /* List of addresses which the peer may use. */ 138 static struct wordlist *addresses[NUM_PPP]; 139 140 /* Number of network protocols which we have opened. */ 141 static int num_np_open; 142 143 /* Number of network protocols which have come up. */ 144 static int num_np_up; 145 146 /* Set if we got the contents of passwd[] from the pap-secrets file. */ 147 static int passwd_from_file; 148 149 /* Bits in auth_pending[] */ 150 #define PAP_WITHPEER 1 151 #define PAP_PEER 2 152 #define CHAP_WITHPEER 4 153 #define CHAP_PEER 8 154 155 extern char *crypt(const char *, const char *); 156 157 /* Prototypes for procedures local to this file. */ 158 159 static void network_phase(int); 160 static void check_idle(void *); 161 static void connect_time_expired(void *); 162 static int plogin(char *, char *, char **, int *); 163 static void plogout(void); 164 static int null_login(int); 165 static int get_pap_passwd(char *); 166 static int have_pap_secret(void); 167 static int have_chap_secret(char *, char *, u_int32_t); 168 static int ip_addr_check(u_int32_t, struct wordlist *); 169 static int scan_authfile(FILE *, char *, char *, u_int32_t, char *, 170 struct wordlist **, char *); 171 static void free_wordlist(struct wordlist *); 172 static void auth_script(char *); 173 static void set_allowed_addrs(int, struct wordlist *); 174 175 /* 176 * An Open on LCP has requested a change from Dead to Establish phase. 177 * Do what's necessary to bring the physical layer up. 178 */ 179 void 180 link_required(int unit) 181 { 182 } 183 184 /* 185 * LCP has terminated the link; go to the Dead phase and take the 186 * physical layer down. 187 */ 188 void 189 link_terminated(int unit) 190 { 191 if (phase == PHASE_DEAD) 192 return; 193 if (logged_in) 194 plogout(); 195 phase = PHASE_DEAD; 196 syslog(LOG_NOTICE, "Connection terminated."); 197 } 198 199 /* 200 * LCP has gone down; it will either die or try to re-establish. 201 */ 202 void 203 link_down(int unit) 204 { 205 int i; 206 struct protent *protp; 207 208 if (did_authup) { 209 auth_script(_PATH_AUTHDOWN); 210 did_authup = 0; 211 } 212 for (i = 0; (protp = protocols[i]) != NULL; ++i) { 213 if (!protp->enabled_flag) 214 continue; 215 if (protp->protocol != PPP_LCP && protp->lowerdown != NULL) 216 (*protp->lowerdown)(unit); 217 if (protp->protocol < 0xC000 && protp->close != NULL) 218 (*protp->close)(unit, "LCP down"); 219 } 220 num_np_open = 0; 221 num_np_up = 0; 222 if (phase != PHASE_DEAD) 223 phase = PHASE_TERMINATE; 224 } 225 226 /* 227 * The link is established. 228 * Proceed to the Dead, Authenticate or Network phase as appropriate. 229 */ 230 void 231 link_established(int unit) 232 { 233 int auth; 234 lcp_options *wo = &lcp_wantoptions[unit]; 235 lcp_options *go = &lcp_gotoptions[unit]; 236 lcp_options *ho = &lcp_hisoptions[unit]; 237 int i; 238 struct protent *protp; 239 240 /* 241 * Tell higher-level protocols that LCP is up. 242 */ 243 for (i = 0; (protp = protocols[i]) != NULL; ++i) 244 if (protp->protocol != PPP_LCP && protp->enabled_flag 245 && protp->lowerup != NULL) 246 (*protp->lowerup)(unit); 247 248 if (auth_required && !(go->neg_chap || go->neg_upap)) { 249 /* 250 * We wanted the peer to authenticate itself, and it refused: 251 * treat it as though it authenticated with PAP using a username 252 * of "" and a password of "". If that's not OK, boot it out. 253 */ 254 if (!wo->neg_upap || !null_login(unit)) { 255 syslog(LOG_WARNING, "peer refused to authenticate"); 256 lcp_close(unit, "peer refused to authenticate"); 257 return; 258 } 259 } 260 261 phase = PHASE_AUTHENTICATE; 262 auth = 0; 263 if (go->neg_chap) { 264 ChapAuthPeer(unit, our_name, go->chap_mdtype); 265 auth |= CHAP_PEER; 266 } else if (go->neg_upap) { 267 upap_authpeer(unit); 268 auth |= PAP_PEER; 269 } 270 if (ho->neg_chap) { 271 ChapAuthWithPeer(unit, user, ho->chap_mdtype); 272 auth |= CHAP_WITHPEER; 273 } else if (ho->neg_upap) { 274 if (passwd[0] == 0) { 275 passwd_from_file = 1; 276 if (!get_pap_passwd(passwd)) 277 syslog(LOG_ERR, "No secret found for PAP login"); 278 } 279 upap_authwithpeer(unit, user, passwd); 280 auth |= PAP_WITHPEER; 281 } 282 auth_pending[unit] = auth; 283 284 if (!auth) 285 network_phase(unit); 286 } 287 288 /* 289 * Proceed to the network phase. 290 */ 291 static void 292 network_phase(int unit) 293 { 294 int i; 295 struct protent *protp; 296 lcp_options *go = &lcp_gotoptions[unit]; 297 298 /* 299 * If the peer had to authenticate, run the auth-up script now. 300 */ 301 if ((go->neg_chap || go->neg_upap) && !did_authup) { 302 auth_script(_PATH_AUTHUP); 303 did_authup = 1; 304 } 305 306 #ifdef CBCP_SUPPORT 307 /* 308 * If we negotiated callback, do it now. 309 */ 310 if (go->neg_cbcp) { 311 phase = PHASE_CALLBACK; 312 (*cbcp_protent.open)(unit); 313 return; 314 } 315 #endif 316 317 phase = PHASE_NETWORK; 318 #if 0 319 if (!demand) 320 set_filters(&pass_filter, &active_filter); 321 #endif 322 for (i = 0; (protp = protocols[i]) != NULL; ++i) 323 if (protp->protocol < 0xC000 && protp->enabled_flag 324 && protp->open != NULL) { 325 (*protp->open)(unit); 326 if (protp->protocol != PPP_CCP) 327 ++num_np_open; 328 } 329 330 if (num_np_open == 0) 331 /* nothing to do */ 332 lcp_close(0, "No network protocols running"); 333 } 334 335 /* 336 * The peer has failed to authenticate himself using `protocol'. 337 */ 338 void 339 auth_peer_fail(int unit, int protocol) 340 { 341 /* 342 * Authentication failure: take the link down 343 */ 344 lcp_close(unit, "Authentication failed"); 345 } 346 347 /* 348 * The peer has been successfully authenticated using `protocol'. 349 */ 350 void 351 auth_peer_success(int unit, int protocol, char *name, int namelen) 352 { 353 int bit; 354 355 switch (protocol) { 356 case PPP_CHAP: 357 bit = CHAP_PEER; 358 break; 359 case PPP_PAP: 360 bit = PAP_PEER; 361 break; 362 default: 363 syslog(LOG_WARNING, "auth_peer_success: unknown protocol %x", 364 protocol); 365 return; 366 } 367 368 /* 369 * Save the authenticated name of the peer for later. 370 */ 371 if (namelen > sizeof(peer_authname) - 1) 372 namelen = sizeof(peer_authname) - 1; 373 BCOPY(name, peer_authname, namelen); 374 peer_authname[namelen] = 0; 375 script_setenv("PEERNAME", peer_authname); 376 377 /* 378 * If there is no more authentication still to be done, 379 * proceed to the network (or callback) phase. 380 */ 381 if ((auth_pending[unit] &= ~bit) == 0) 382 network_phase(unit); 383 } 384 385 /* 386 * We have failed to authenticate ourselves to the peer using `protocol'. 387 */ 388 void 389 auth_withpeer_fail(int unit, int protocol) 390 { 391 if (passwd_from_file) 392 EXPLICIT_BZERO(passwd, MAXSECRETLEN); 393 /* 394 * We've failed to authenticate ourselves to our peer. 395 * He'll probably take the link down, and there's not much 396 * we can do except wait for that. 397 */ 398 } 399 400 /* 401 * We have successfully authenticated ourselves with the peer using `protocol'. 402 */ 403 void 404 auth_withpeer_success(int unit, int protocol) 405 { 406 int bit; 407 408 switch (protocol) { 409 case PPP_CHAP: 410 bit = CHAP_WITHPEER; 411 break; 412 case PPP_PAP: 413 if (passwd_from_file) 414 EXPLICIT_BZERO(passwd, MAXSECRETLEN); 415 bit = PAP_WITHPEER; 416 break; 417 default: 418 syslog(LOG_WARNING, "auth_peer_success: unknown protocol %x", 419 protocol); 420 bit = 0; 421 } 422 423 /* 424 * If there is no more authentication still being done, 425 * proceed to the network (or callback) phase. 426 */ 427 if ((auth_pending[unit] &= ~bit) == 0) 428 network_phase(unit); 429 } 430 431 432 /* 433 * np_up - a network protocol has come up. 434 */ 435 void 436 np_up(int unit, int proto) 437 { 438 if (num_np_up == 0) { 439 /* 440 * At this point we consider that the link has come up successfully. 441 */ 442 need_holdoff = 0; 443 444 if (idle_time_limit > 0) 445 TIMEOUT(check_idle, NULL, idle_time_limit); 446 447 /* 448 * Set a timeout to close the connection once the maximum 449 * connect time has expired. 450 */ 451 if (maxconnect > 0) 452 TIMEOUT(connect_time_expired, 0, maxconnect); 453 454 /* 455 * Detach now, if the updetach option was given. 456 */ 457 if (nodetach == -1) 458 detach(); 459 } 460 ++num_np_up; 461 } 462 463 /* 464 * np_down - a network protocol has gone down. 465 */ 466 void 467 np_down(int unit, int proto) 468 { 469 if (--num_np_up == 0 && idle_time_limit > 0) { 470 UNTIMEOUT(check_idle, NULL); 471 } 472 } 473 474 /* 475 * np_finished - a network protocol has finished using the link. 476 */ 477 void 478 np_finished(int unit, int roto) 479 { 480 if (--num_np_open <= 0) { 481 /* no further use for the link: shut up shop. */ 482 lcp_close(0, "No network protocols running"); 483 } 484 } 485 486 /* 487 * check_idle - check whether the link has been idle for long 488 * enough that we can shut it down. 489 */ 490 static void 491 check_idle(void *arg) 492 { 493 struct ppp_idle idle; 494 time_t itime; 495 496 if (!get_idle_time(0, &idle)) 497 return; 498 itime = MIN(idle.xmit_idle, idle.recv_idle); 499 if (itime >= idle_time_limit) { 500 /* link is idle: shut it down. */ 501 syslog(LOG_INFO, "Terminating connection due to lack of activity."); 502 lcp_close(0, "Link inactive"); 503 } else { 504 TIMEOUT(check_idle, NULL, idle_time_limit - itime); 505 } 506 } 507 508 /* 509 * connect_time_expired - log a message and close the connection. 510 */ 511 static void 512 connect_time_expired(void *arg) 513 { 514 syslog(LOG_INFO, "Connect time expired"); 515 lcp_close(0, "Connect time expired"); /* Close connection */ 516 } 517 518 /* 519 * auth_check_options - called to check authentication options. 520 */ 521 void 522 auth_check_options(void) 523 { 524 lcp_options *wo = &lcp_wantoptions[0]; 525 int can_auth; 526 ipcp_options *ipwo = &ipcp_wantoptions[0]; 527 u_int32_t remote; 528 529 /* Default our_name to hostname, and user to our_name */ 530 if (our_name[0] == 0 || usehostname) 531 strlcpy(our_name, hostname, HOST_NAME_MAX+1); 532 if (user[0] == 0) 533 strlcpy(user, our_name, MAXNAMELEN); 534 535 /* If authentication is required, ask peer for CHAP or PAP. */ 536 if (auth_required && !wo->neg_chap && !wo->neg_upap) { 537 wo->neg_chap = 1; 538 wo->neg_upap = 1; 539 } 540 541 /* 542 * Check whether we have appropriate secrets to use 543 * to authenticate the peer. 544 */ 545 can_auth = wo->neg_upap && (uselogin || have_pap_secret()); 546 if (!can_auth && wo->neg_chap) { 547 remote = ipwo->accept_remote? 0: ipwo->hisaddr; 548 can_auth = have_chap_secret(remote_name, our_name, remote); 549 } 550 551 if (auth_required && !can_auth) { 552 option_error("peer authentication required but no suitable secret(s) found\n"); 553 if (remote_name[0] == 0) 554 option_error("for authenticating any peer to us (%s)\n", our_name); 555 else 556 option_error("for authenticating peer %s to us (%s)\n", 557 remote_name, our_name); 558 exit(1); 559 } 560 561 /* 562 * Check whether the user tried to override certain values 563 * set by root. 564 */ 565 if (!auth_required && auth_req_info.priv > 0) { 566 if (!default_device && devnam_info.priv == 0) { 567 option_error("can't override device name when noauth option used"); 568 exit(1); 569 } 570 if ((connector != NULL && connector_info.priv == 0) 571 || (disconnector != NULL && disconnector_info.priv == 0) 572 || (welcomer != NULL && welcomer_info.priv == 0)) { 573 option_error("can't override connect, disconnect or welcome"); 574 option_error("option values when noauth option used"); 575 exit(1); 576 } 577 } 578 } 579 580 /* 581 * auth_reset - called when LCP is starting negotiations to recheck 582 * authentication options, i.e. whether we have appropriate secrets 583 * to use for authenticating ourselves and/or the peer. 584 */ 585 void 586 auth_reset(int unit) 587 588 { 589 lcp_options *go = &lcp_gotoptions[unit]; 590 lcp_options *ao = &lcp_allowoptions[0]; 591 ipcp_options *ipwo = &ipcp_wantoptions[0]; 592 u_int32_t remote; 593 594 ao->neg_upap = !refuse_pap && (passwd[0] != 0 || get_pap_passwd(NULL)); 595 ao->neg_chap = !refuse_chap 596 && have_chap_secret(user, remote_name, (u_int32_t)0); 597 598 if (go->neg_upap && !uselogin && !have_pap_secret()) 599 go->neg_upap = 0; 600 if (go->neg_chap) { 601 remote = ipwo->accept_remote? 0: ipwo->hisaddr; 602 if (!have_chap_secret(remote_name, our_name, remote)) 603 go->neg_chap = 0; 604 } 605 } 606 607 608 /* 609 * check_passwd - Check the user name and passwd against the PAP secrets 610 * file. If requested, also check against the system password database, 611 * and login the user if OK. 612 * 613 * returns: 614 * UPAP_AUTHNAK: Authentication failed. 615 * UPAP_AUTHACK: Authentication succeeded. 616 * In either case, msg points to an appropriate message. 617 */ 618 int 619 check_passwd(int unit, char *auser, int userlen, 620 char *apasswd, int passwdlen, char **msg, int *msglen) 621 { 622 int ret; 623 char *filename; 624 FILE *f; 625 struct wordlist *addrs; 626 u_int32_t remote; 627 ipcp_options *ipwo = &ipcp_wantoptions[unit]; 628 char passwd[256], user[256]; 629 char secret[MAXWORDLEN]; 630 static int attempts = 0; 631 632 /* 633 * Make copies of apasswd and auser, then null-terminate them. 634 */ 635 BCOPY(apasswd, passwd, passwdlen); 636 passwd[passwdlen] = '\0'; 637 BCOPY(auser, user, userlen); 638 user[userlen] = '\0'; 639 *msg = (char *) 0; 640 641 /* 642 * Open the file of pap secrets and scan for a suitable secret 643 * for authenticating this user. 644 */ 645 filename = _PATH_UPAPFILE; 646 addrs = NULL; 647 ret = UPAP_AUTHACK; 648 f = fopen(filename, "r"); 649 if (f == NULL) { 650 syslog(LOG_ERR, "Can't open PAP password file %s: %m", filename); 651 ret = UPAP_AUTHNAK; 652 } else { 653 check_access(f, filename); 654 remote = ipwo->accept_remote? 0: ipwo->hisaddr; 655 if (scan_authfile(f, user, our_name, remote, 656 secret, &addrs, filename) < 0 657 || (secret[0] != 0 && (cryptpap || strcmp(passwd, secret) != 0) 658 && strcmp(crypt(passwd, secret), secret) != 0)) { 659 syslog(LOG_WARNING, "PAP authentication failure for %s", user); 660 ret = UPAP_AUTHNAK; 661 } 662 fclose(f); 663 } 664 665 if (uselogin && ret == UPAP_AUTHACK) { 666 ret = plogin(user, passwd, msg, msglen); 667 if (ret == UPAP_AUTHNAK) { 668 syslog(LOG_WARNING, "PAP login failure for %s", user); 669 } 670 } 671 672 if (ret == UPAP_AUTHNAK) { 673 if (*msg == (char *) 0) 674 *msg = "Login incorrect"; 675 *msglen = strlen(*msg); 676 /* 677 * Frustrate passwd stealer programs. 678 * Allow 10 tries, but start backing off after 3 (stolen from login). 679 * On 10'th, drop the connection. 680 */ 681 if (attempts++ >= 10) { 682 syslog(LOG_WARNING, "%d LOGIN FAILURES ON %s, %s", 683 attempts, devnam, user); 684 quit(); 685 } 686 if (attempts > 3) 687 sleep((u_int) (attempts - 3) * 5); 688 if (addrs != NULL) 689 free_wordlist(addrs); 690 691 } else { 692 attempts = 0; /* Reset count */ 693 if (*msg == (char *) 0) 694 *msg = "Login ok"; 695 *msglen = strlen(*msg); 696 set_allowed_addrs(unit, addrs); 697 } 698 699 EXPLICIT_BZERO(passwd, sizeof(passwd)); 700 EXPLICIT_BZERO(secret, sizeof(secret)); 701 702 return ret; 703 } 704 705 /* 706 * plogin - Check the user name and password against the system 707 * password database, and login the user if OK. 708 * 709 * returns: 710 * UPAP_AUTHNAK: Login failed. 711 * UPAP_AUTHACK: Login succeeded. 712 * In either case, msg points to an appropriate message. 713 */ 714 715 static int 716 plogin(char *user, char *passwd, char **msg, int *msglen) 717 { 718 struct passwd *pw; 719 char *tty; 720 721 pw = getpwnam_shadow(user); 722 if (crypt_checkpass(passwd, pw ? pw->pw_passwd : NULL)) 723 return UPAP_AUTHNAK; 724 725 /* 726 * Write a wtmp entry for this user. 727 */ 728 729 tty = devnam; 730 if (strncmp(tty, "/dev/", 5) == 0) 731 tty += 5; 732 logwtmp(tty, user, remote_name); /* Add wtmp login entry */ 733 734 #if defined(_PATH_LASTLOG) 735 { 736 struct lastlog ll; 737 int fd; 738 739 if ((fd = open(_PATH_LASTLOG, O_RDWR)) >= 0) { 740 memset(&ll, 0, sizeof(ll)); 741 (void)time(&ll.ll_time); 742 (void)strncpy(ll.ll_line, tty, sizeof(ll.ll_line)); 743 (void)pwrite(fd, &ll, sizeof(ll), (off_t)pw->pw_uid * 744 sizeof(ll)); 745 (void)close(fd); 746 } 747 } 748 #endif 749 750 751 syslog(LOG_INFO, "user %s logged in", user); 752 logged_in = TRUE; 753 754 return (UPAP_AUTHACK); 755 } 756 757 /* 758 * plogout - Logout the user. 759 */ 760 static void 761 plogout(void) 762 { 763 char *tty; 764 765 tty = devnam; 766 if (strncmp(tty, "/dev/", 5) == 0) 767 tty += 5; 768 logwtmp(tty, "", ""); /* Wipe out utmp logout entry */ 769 770 logged_in = FALSE; 771 } 772 773 774 /* 775 * null_login - Check if a username of "" and a password of "" are 776 * acceptable, and iff so, set the list of acceptable IP addresses 777 * and return 1. 778 */ 779 static int 780 null_login(int unit) 781 { 782 char *filename; 783 FILE *f; 784 int i, ret; 785 struct wordlist *addrs; 786 char secret[MAXWORDLEN]; 787 788 /* 789 * Open the file of pap secrets and scan for a suitable secret. 790 * We don't accept a wildcard client. 791 */ 792 filename = _PATH_UPAPFILE; 793 addrs = NULL; 794 f = fopen(filename, "r"); 795 if (f == NULL) 796 return 0; 797 check_access(f, filename); 798 799 i = scan_authfile(f, "", our_name, (u_int32_t)0, secret, &addrs, filename); 800 ret = i >= 0 && (i & NONWILD_CLIENT) != 0 && secret[0] == 0; 801 EXPLICIT_BZERO(secret, sizeof(secret)); 802 803 if (ret) 804 set_allowed_addrs(unit, addrs); 805 else 806 free_wordlist(addrs); 807 808 fclose(f); 809 return ret; 810 } 811 812 813 /* 814 * get_pap_passwd - get a password for authenticating ourselves with 815 * our peer using PAP. Returns 1 on success, 0 if no suitable password 816 * could be found. 817 */ 818 static int 819 get_pap_passwd(char *passwd) 820 { 821 char *filename; 822 FILE *f; 823 int ret; 824 char secret[MAXWORDLEN]; 825 826 filename = _PATH_UPAPFILE; 827 f = fopen(filename, "r"); 828 if (f == NULL) 829 return 0; 830 check_access(f, filename); 831 ret = scan_authfile(f, user, 832 remote_name[0]? remote_name: NULL, 833 (u_int32_t)0, secret, NULL, filename); 834 fclose(f); 835 if (ret < 0) 836 return 0; 837 if (passwd != NULL) 838 strlcpy(passwd, secret, MAXSECRETLEN); 839 EXPLICIT_BZERO(secret, sizeof(secret)); 840 return 1; 841 } 842 843 844 /* 845 * have_pap_secret - check whether we have a PAP file with any 846 * secrets that we could possibly use for authenticating the peer. 847 */ 848 static int 849 have_pap_secret(void) 850 { 851 FILE *f; 852 int ret; 853 char *filename; 854 ipcp_options *ipwo = &ipcp_wantoptions[0]; 855 u_int32_t remote; 856 857 filename = _PATH_UPAPFILE; 858 f = fopen(filename, "r"); 859 if (f == NULL) 860 return 0; 861 862 remote = ipwo->accept_remote? 0: ipwo->hisaddr; 863 ret = scan_authfile(f, NULL, our_name, remote, NULL, NULL, filename); 864 fclose(f); 865 if (ret < 0) 866 return 0; 867 868 return 1; 869 } 870 871 872 /* 873 * have_chap_secret - check whether we have a CHAP file with a 874 * secret that we could possibly use for authenticating `client' 875 * on `server'. Either can be the null string, meaning we don't 876 * know the identity yet. 877 */ 878 static int 879 have_chap_secret(char *client, char *server, u_int32_t remote) 880 { 881 FILE *f; 882 int ret; 883 char *filename; 884 885 filename = _PATH_CHAPFILE; 886 f = fopen(filename, "r"); 887 if (f == NULL) 888 return 0; 889 890 if (client[0] == 0) 891 client = NULL; 892 else if (server[0] == 0) 893 server = NULL; 894 895 ret = scan_authfile(f, client, server, remote, NULL, NULL, filename); 896 fclose(f); 897 if (ret < 0) 898 return 0; 899 900 return 1; 901 } 902 903 904 /* 905 * get_secret - open the CHAP secret file and return the secret 906 * for authenticating the given client on the given server. 907 * (We could be either client or server). 908 */ 909 int 910 get_secret(int unit, char *client, char *server, 911 char *secret, int *secret_len, int save_addrs) 912 { 913 FILE *f; 914 int ret, len; 915 char *filename; 916 struct wordlist *addrs; 917 char secbuf[MAXWORDLEN]; 918 919 filename = _PATH_CHAPFILE; 920 addrs = NULL; 921 secbuf[0] = 0; 922 923 f = fopen(filename, "r"); 924 if (f == NULL) { 925 syslog(LOG_ERR, "Can't open chap secret file %s: %m", filename); 926 return 0; 927 } 928 check_access(f, filename); 929 930 ret = scan_authfile(f, client, server, (u_int32_t)0, 931 secbuf, &addrs, filename); 932 fclose(f); 933 if (ret < 0) 934 return 0; 935 936 if (save_addrs) 937 set_allowed_addrs(unit, addrs); 938 939 len = strlen(secbuf); 940 if (len > MAXSECRETLEN) { 941 syslog(LOG_ERR, "Secret for %s on %s is too long", client, server); 942 len = MAXSECRETLEN; 943 } 944 BCOPY(secbuf, secret, len); 945 EXPLICIT_BZERO(secbuf, sizeof(secbuf)); 946 *secret_len = len; 947 948 return 1; 949 } 950 951 /* 952 * set_allowed_addrs() - set the list of allowed addresses. 953 */ 954 static void 955 set_allowed_addrs(int unit, struct wordlist *addrs) 956 { 957 if (addresses[unit] != NULL) 958 free_wordlist(addresses[unit]); 959 addresses[unit] = addrs; 960 961 /* 962 * If there's only one authorized address we might as well 963 * ask our peer for that one right away 964 */ 965 if (addrs != NULL && addrs->next == NULL) { 966 char *p = addrs->word; 967 struct ipcp_options *wo = &ipcp_wantoptions[unit]; 968 struct in_addr ina; 969 struct hostent *hp; 970 971 if (*p != '!' && *p != '-' && !ISWILD(p) && strchr(p, '/') == NULL) { 972 hp = gethostbyname(p); 973 if (hp != NULL && hp->h_addrtype == AF_INET) 974 wo->hisaddr = *(u_int32_t *)hp->h_addr; 975 else if (inet_pton(AF_INET, p, &ina) == 1) 976 wo->hisaddr = ina.s_addr; 977 } 978 } 979 } 980 981 /* 982 * auth_ip_addr - check whether the peer is authorized to use 983 * a given IP address. Returns 1 if authorized, 0 otherwise. 984 */ 985 int 986 auth_ip_addr(int unit, u_int32_t addr) 987 { 988 return ip_addr_check(addr, addresses[unit]); 989 } 990 991 static int 992 ip_addr_check(u_int32_t addr, struct wordlist *addrs) 993 { 994 u_int32_t mask, ah; 995 struct in_addr ina; 996 int accept, r = 1; 997 char *ptr_word, *ptr_mask; 998 struct hostent *hp; 999 1000 /* don't allow loopback or multicast address */ 1001 if (bad_ip_adrs(addr)) 1002 return 0; 1003 1004 if (addrs == NULL) 1005 return !auth_required; /* no addresses authorized */ 1006 1007 for (; addrs != NULL; addrs = addrs->next) { 1008 /* "-" means no addresses authorized, "*" means any address allowed */ 1009 ptr_word = addrs->word; 1010 if (strcmp(ptr_word, "-") == 0) 1011 break; 1012 if (strcmp(ptr_word, "*") == 0) 1013 return 1; 1014 1015 accept = 1; 1016 if (*ptr_word == '!') { 1017 accept = 0; 1018 ++ptr_word; 1019 } 1020 1021 mask = ~ (u_int32_t) 0; 1022 ptr_mask = strchr (ptr_word, '/'); 1023 if (ptr_mask != NULL) { 1024 int bit_count; 1025 1026 bit_count = (int) strtol (ptr_mask+1, (char **) 0, 10); 1027 if (bit_count <= 0 || bit_count > 32) { 1028 syslog (LOG_WARNING, 1029 "invalid address length %s in auth. address list", 1030 ptr_mask); 1031 continue; 1032 } 1033 *ptr_mask = '\0'; 1034 mask <<= 32 - bit_count; 1035 } 1036 1037 hp = gethostbyname(ptr_word); 1038 if (hp != NULL && hp->h_addrtype == AF_INET) { 1039 ina.s_addr = *(u_int32_t *)hp->h_addr; 1040 } else { 1041 r = inet_pton(AF_INET, ptr_word, &ina); 1042 if (ptr_mask == NULL) { 1043 /* calculate appropriate mask for net */ 1044 ah = ntohl(ina.s_addr); 1045 if (IN_CLASSA(ah)) 1046 mask = IN_CLASSA_NET; 1047 else if (IN_CLASSB(ah)) 1048 mask = IN_CLASSB_NET; 1049 else if (IN_CLASSC(ah)) 1050 mask = IN_CLASSC_NET; 1051 } 1052 } 1053 1054 if (ptr_mask != NULL) 1055 *ptr_mask = '/'; 1056 1057 if (r != 1) 1058 syslog (LOG_WARNING, 1059 "unknown host %s in auth. address list", 1060 addrs->word); 1061 else 1062 /* Here ina.s_addr and addr are in network byte order, 1063 and mask is in host order. */ 1064 if (((addr ^ ina.s_addr) & htonl(mask)) == 0) 1065 return accept; 1066 } 1067 return 0; /* not in list => can't have it */ 1068 } 1069 1070 /* 1071 * bad_ip_adrs - return 1 if the IP address is one we don't want 1072 * to use, such as an address in the loopback net or a multicast address. 1073 * addr is in network byte order. 1074 */ 1075 int 1076 bad_ip_adrs(u_int32_t addr) 1077 { 1078 addr = ntohl(addr); 1079 return (addr >> IN_CLASSA_NSHIFT) == IN_LOOPBACKNET 1080 || IN_MULTICAST(addr); 1081 } 1082 1083 /* 1084 * check_access - complain if a secret file has too-liberal permissions. 1085 */ 1086 void 1087 check_access(FILE *f, char *filename) 1088 { 1089 struct stat sbuf; 1090 1091 if (fstat(fileno(f), &sbuf) < 0) { 1092 syslog(LOG_WARNING, "cannot stat secret file %s: %m", filename); 1093 } else if ((sbuf.st_mode & (S_IRWXG | S_IRWXO)) != 0) { 1094 syslog(LOG_WARNING, "Warning - secret file %s has world and/or group access", filename); 1095 } 1096 } 1097 1098 1099 /* 1100 * scan_authfile - Scan an authorization file for a secret suitable 1101 * for authenticating `client' on `server'. The return value is -1 1102 * if no secret is found, otherwise >= 0. The return value has 1103 * NONWILD_CLIENT set if the secret didn't have "*" for the client, and 1104 * NONWILD_SERVER set if the secret didn't have "*" for the server. 1105 * Any following words on the line (i.e. address authorization 1106 * info) are placed in a wordlist and returned in *addrs. 1107 */ 1108 static int 1109 scan_authfile(FILE *f, char *client, char *server, u_int32_t ipaddr, 1110 char *secret, struct wordlist **addrs, char *filename) 1111 { 1112 int newline, xxx; 1113 int got_flag, best_flag; 1114 FILE *sf; 1115 struct wordlist *ap, *addr_list, *alist, *alast; 1116 char word[MAXWORDLEN]; 1117 char atfile[MAXWORDLEN]; 1118 char lsecret[MAXWORDLEN]; 1119 1120 if (addrs != NULL) 1121 *addrs = NULL; 1122 addr_list = NULL; 1123 if (!getword(f, word, &newline, filename)) 1124 return -1; /* file is empty??? */ 1125 newline = 1; 1126 best_flag = -1; 1127 for (;;) { 1128 /* 1129 * Skip until we find a word at the start of a line. 1130 */ 1131 while (!newline && getword(f, word, &newline, filename)) 1132 ; 1133 if (!newline) 1134 break; /* got to end of file */ 1135 1136 /* 1137 * Got a client - check if it's a match or a wildcard. 1138 */ 1139 got_flag = 0; 1140 if (client != NULL && strcmp(word, client) != 0 && !ISWILD(word)) { 1141 newline = 0; 1142 continue; 1143 } 1144 if (!ISWILD(word)) 1145 got_flag = NONWILD_CLIENT; 1146 1147 /* 1148 * Now get a server and check if it matches. 1149 */ 1150 if (!getword(f, word, &newline, filename)) 1151 break; 1152 if (newline) 1153 continue; 1154 if (server != NULL && strcmp(word, server) != 0 && !ISWILD(word)) 1155 continue; 1156 if (!ISWILD(word)) 1157 got_flag |= NONWILD_SERVER; 1158 1159 /* 1160 * Got some sort of a match - see if it's better than what 1161 * we have already. 1162 */ 1163 if (got_flag <= best_flag) 1164 continue; 1165 1166 /* 1167 * Get the secret. 1168 */ 1169 if (!getword(f, word, &newline, filename)) 1170 break; 1171 if (newline) 1172 continue; 1173 1174 /* 1175 * Special syntax: @filename means read secret from file. 1176 */ 1177 if (word[0] == '@') { 1178 strlcpy(atfile, word+1, sizeof atfile); 1179 if ((sf = fopen(atfile, "r")) == NULL) { 1180 syslog(LOG_WARNING, "can't open indirect secret file %s", 1181 atfile); 1182 continue; 1183 } 1184 check_access(sf, atfile); 1185 if (!getword(sf, word, &xxx, atfile)) { 1186 syslog(LOG_WARNING, "no secret in indirect secret file %s", 1187 atfile); 1188 fclose(sf); 1189 continue; 1190 } 1191 fclose(sf); 1192 } 1193 if (secret != NULL) 1194 strlcpy(lsecret, word, sizeof lsecret); 1195 1196 /* 1197 * Now read address authorization info and make a wordlist. 1198 */ 1199 alist = alast = NULL; 1200 for (;;) { 1201 size_t wordlen; 1202 1203 if (!getword(f, word, &newline, filename) || newline) 1204 break; 1205 wordlen = strlen(word); /* NUL in struct wordlist */ 1206 ap = (struct wordlist *) malloc(sizeof(struct wordlist) + 1207 wordlen); 1208 1209 if (ap == NULL) 1210 novm("authorized addresses"); 1211 ap->next = NULL; 1212 strlcpy(ap->word, word, wordlen + 1); 1213 if (alist == NULL) 1214 alist = ap; 1215 else 1216 alast->next = ap; 1217 alast = ap; 1218 } 1219 1220 /* 1221 * Check if the given IP address is allowed by the wordlist. 1222 */ 1223 if (ipaddr != 0 && !ip_addr_check(ipaddr, alist)) { 1224 free_wordlist(alist); 1225 continue; 1226 } 1227 1228 /* 1229 * This is the best so far; remember it. 1230 */ 1231 best_flag = got_flag; 1232 if (addr_list) 1233 free_wordlist(addr_list); 1234 addr_list = alist; 1235 if (secret != NULL) 1236 strlcpy(secret, lsecret, MAXWORDLEN); 1237 1238 if (!newline) 1239 break; 1240 } 1241 1242 if (addrs != NULL) 1243 *addrs = addr_list; 1244 else if (addr_list != NULL) 1245 free_wordlist(addr_list); 1246 1247 return best_flag; 1248 } 1249 1250 /* 1251 * free_wordlist - release memory allocated for a wordlist. 1252 */ 1253 static void 1254 free_wordlist(struct wordlist *wp) 1255 { 1256 struct wordlist *next; 1257 1258 while (wp != NULL) { 1259 next = wp->next; 1260 free(wp); 1261 wp = next; 1262 } 1263 } 1264 1265 /* 1266 * auth_script - execute a script with arguments 1267 * interface-name peer-name real-user tty speed 1268 */ 1269 static void 1270 auth_script(char *script) 1271 { 1272 char strspeed[32]; 1273 struct passwd *pw; 1274 char struid[32]; 1275 char *user_name; 1276 char *argv[8]; 1277 1278 if ((pw = getpwuid(getuid())) != NULL && pw->pw_name != NULL) 1279 user_name = pw->pw_name; 1280 else { 1281 snprintf(struid, sizeof struid, "%u", getuid()); 1282 user_name = struid; 1283 } 1284 snprintf(strspeed, sizeof strspeed, "%d", baud_rate); 1285 1286 argv[0] = script; 1287 argv[1] = ifname; 1288 argv[2] = peer_authname; 1289 argv[3] = user_name; 1290 argv[4] = devnam; 1291 argv[5] = strspeed; 1292 argv[6] = NULL; 1293 1294 run_program(script, argv, 0); 1295 } 1296