1 /* $NetBSD: auth.c,v 1.5 2021/01/09 16:39:28 christos Exp $ */ 2 3 /* 4 * auth.c - PPP authentication and phase control. 5 * 6 * Copyright (c) 1993-2002 Paul Mackerras. All rights reserved. 7 * 8 * Redistribution and use in source and binary forms, with or without 9 * modification, are permitted provided that the following conditions 10 * are met: 11 * 12 * 1. Redistributions of source code must retain the above copyright 13 * notice, this list of conditions and the following disclaimer. 14 * 15 * 2. The name(s) of the authors of this software must not be used to 16 * endorse or promote products derived from this software without 17 * prior written permission. 18 * 19 * 3. Redistributions of any form whatsoever must retain the following 20 * acknowledgment: 21 * "This product includes software developed by Paul Mackerras 22 * <paulus@samba.org>". 23 * 24 * THE AUTHORS OF THIS SOFTWARE DISCLAIM ALL WARRANTIES WITH REGARD TO 25 * THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY 26 * AND FITNESS, IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY 27 * SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 28 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN 29 * AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING 30 * OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 31 * 32 * Derived from main.c, which is: 33 * 34 * Copyright (c) 1984-2000 Carnegie Mellon University. All rights reserved. 35 * 36 * Redistribution and use in source and binary forms, with or without 37 * modification, are permitted provided that the following conditions 38 * are met: 39 * 40 * 1. Redistributions of source code must retain the above copyright 41 * notice, this list of conditions and the following disclaimer. 42 * 43 * 2. Redistributions in binary form must reproduce the above copyright 44 * notice, this list of conditions and the following disclaimer in 45 * the documentation and/or other materials provided with the 46 * distribution. 47 * 48 * 3. The name "Carnegie Mellon University" must not be used to 49 * endorse or promote products derived from this software without 50 * prior written permission. For permission or any legal 51 * details, please contact 52 * Office of Technology Transfer 53 * Carnegie Mellon University 54 * 5000 Forbes Avenue 55 * Pittsburgh, PA 15213-3890 56 * (412) 268-4387, fax: (412) 268-7395 57 * tech-transfer@andrew.cmu.edu 58 * 59 * 4. Redistributions of any form whatsoever must retain the following 60 * acknowledgment: 61 * "This product includes software developed by Computing Services 62 * at Carnegie Mellon University (http://www.cmu.edu/computing/)." 63 * 64 * CARNEGIE MELLON UNIVERSITY DISCLAIMS ALL WARRANTIES WITH REGARD TO 65 * THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY 66 * AND FITNESS, IN NO EVENT SHALL CARNEGIE MELLON UNIVERSITY BE LIABLE 67 * FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 68 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN 69 * AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING 70 * OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 71 */ 72 73 #include <sys/cdefs.h> 74 #if 0 75 #define RCSID "Id: auth.c,v 1.117 2008/07/01 12:27:56 paulus Exp " 76 static const char rcsid[] = RCSID; 77 #else 78 __RCSID("$NetBSD: auth.c,v 1.5 2021/01/09 16:39:28 christos Exp $"); 79 #endif 80 81 #include <stdio.h> 82 #include <stddef.h> 83 #include <stdlib.h> 84 #include <unistd.h> 85 #include <errno.h> 86 #include <pwd.h> 87 #include <grp.h> 88 #include <string.h> 89 #include <strings.h> 90 #include <sys/types.h> 91 #include <sys/stat.h> 92 #include <sys/socket.h> 93 #include <fcntl.h> 94 #if defined(_PATH_LASTLOG) && defined(__linux__) 95 #include <lastlog.h> 96 #endif 97 98 #include <netdb.h> 99 #include <netinet/in.h> 100 #include <arpa/inet.h> 101 102 103 #ifdef HAS_SHADOW 104 #include <shadow.h> 105 #ifndef PW_PPP 106 #define PW_PPP PW_LOGIN 107 #endif 108 #endif 109 #include <time.h> 110 111 #ifdef SYSTEMD 112 #include <systemd/sd-daemon.h> 113 #endif 114 115 #include "pppd.h" 116 #include "fsm.h" 117 #include "lcp.h" 118 #include "ccp.h" 119 #include "ecp.h" 120 #include "ipcp.h" 121 #include "upap.h" 122 #include "chap-new.h" 123 #include "eap.h" 124 #ifdef USE_EAPTLS 125 #include "eap-tls.h" 126 #endif 127 #ifdef CBCP_SUPPORT 128 #include "cbcp.h" 129 #endif 130 #include "pathnames.h" 131 #include "session.h" 132 133 134 /* Bits in scan_authfile return value */ 135 #define NONWILD_SERVER 1 136 #define NONWILD_CLIENT 2 137 138 #define ISWILD(word) (word[0] == '*' && word[1] == 0) 139 140 /* The name by which the peer authenticated itself to us. */ 141 char peer_authname[MAXNAMELEN]; 142 143 /* Records which authentication operations haven't completed yet. */ 144 static int auth_pending[NUM_PPP]; 145 146 /* Records which authentication operations have been completed. */ 147 int auth_done[NUM_PPP]; 148 149 /* List of addresses which the peer may use. */ 150 static struct permitted_ip *addresses[NUM_PPP]; 151 152 /* Wordlist giving addresses which the peer may use 153 without authenticating itself. */ 154 static struct wordlist *noauth_addrs; 155 156 /* Remote telephone number, if available */ 157 char remote_number[MAXNAMELEN]; 158 159 /* Wordlist giving remote telephone numbers which may connect. */ 160 static struct wordlist *permitted_numbers; 161 162 /* Extra options to apply, from the secrets file entry for the peer. */ 163 static struct wordlist *extra_options; 164 165 /* Number of network protocols which we have opened. */ 166 static int num_np_open; 167 168 /* Number of network protocols which have come up. */ 169 static int num_np_up; 170 171 /* Set if we got the contents of passwd[] from the pap-secrets file. */ 172 static int passwd_from_file; 173 174 /* Set if we require authentication only because we have a default route. */ 175 static bool default_auth; 176 177 /* Hook to enable a plugin to control the idle time limit */ 178 int (*idle_time_hook)(struct ppp_idle *) = NULL; 179 180 /* Hook for a plugin to say whether we can possibly authenticate any peer */ 181 int (*pap_check_hook)(void) = NULL; 182 183 /* Hook for a plugin to check the PAP user and password */ 184 int (*pap_auth_hook)(char *user, char *passwd, char **msgp, 185 struct wordlist **paddrs, 186 struct wordlist **popts) = NULL; 187 188 /* Hook for a plugin to know about the PAP user logout */ 189 void (*pap_logout_hook)(void) = NULL; 190 191 /* Hook for a plugin to get the PAP password for authenticating us */ 192 int (*pap_passwd_hook)(char *user, char *passwd) = NULL; 193 194 /* Hook for a plugin to say if we can possibly authenticate a peer using CHAP */ 195 int (*chap_check_hook)(void) = NULL; 196 197 /* Hook for a plugin to get the CHAP password for authenticating us */ 198 int (*chap_passwd_hook)(char *user, char *passwd) = NULL; 199 200 #ifdef USE_EAPTLS 201 /* Hook for a plugin to get the EAP-TLS password for authenticating us */ 202 int (*eaptls_passwd_hook)(char *user, char *passwd) = NULL; 203 #endif 204 205 /* Hook for a plugin to say whether it is OK if the peer 206 refuses to authenticate. */ 207 int (*null_auth_hook)(struct wordlist **paddrs, 208 struct wordlist **popts) = NULL; 209 210 int (*allowed_address_hook)(u_int32_t addr) = NULL; 211 212 #ifdef HAVE_MULTILINK 213 /* Hook for plugin to hear when an interface joins a multilink bundle */ 214 void (*multilink_join_hook)(void) = NULL; 215 #endif 216 217 /* A notifier for when the peer has authenticated itself, 218 and we are proceeding to the network phase. */ 219 struct notifier *auth_up_notifier = NULL; 220 221 /* A notifier for when the link goes down. */ 222 struct notifier *link_down_notifier = NULL; 223 224 /* 225 * This is used to ensure that we don't start an auth-up/down 226 * script while one is already running. 227 */ 228 enum script_state { 229 s_down, 230 s_up 231 }; 232 233 static enum script_state auth_state = s_down; 234 static enum script_state auth_script_state = s_down; 235 static pid_t auth_script_pid = 0; 236 237 /* 238 * Option variables. 239 */ 240 bool uselogin = 0; /* Use /etc/passwd for checking PAP */ 241 bool session_mgmt = 0; /* Do session management (login records) */ 242 bool cryptpap = 0; /* Passwords in pap-secrets are encrypted */ 243 bool refuse_pap = 0; /* Don't wanna auth. ourselves with PAP */ 244 bool refuse_chap = 0; /* Don't wanna auth. ourselves with CHAP */ 245 bool refuse_eap = 0; /* Don't wanna auth. ourselves with EAP */ 246 #ifdef CHAPMS 247 bool refuse_mschap = 0; /* Don't wanna auth. ourselves with MS-CHAP */ 248 bool refuse_mschap_v2 = 0; /* Don't wanna auth. ourselves with MS-CHAPv2 */ 249 #else 250 bool refuse_mschap = 1; /* Don't wanna auth. ourselves with MS-CHAP */ 251 bool refuse_mschap_v2 = 1; /* Don't wanna auth. ourselves with MS-CHAPv2 */ 252 #endif 253 bool usehostname = 0; /* Use hostname for our_name */ 254 bool auth_required = 0; /* Always require authentication from peer */ 255 bool allow_any_ip = 0; /* Allow peer to use any IP address */ 256 bool explicit_remote = 0; /* User specified explicit remote name */ 257 bool explicit_user = 0; /* Set if "user" option supplied */ 258 bool explicit_passwd = 0; /* Set if "password" option supplied */ 259 char remote_name[MAXNAMELEN]; /* Peer's name for authentication */ 260 #ifdef USE_EAPTLS 261 char *cacert_file = NULL; /* CA certificate file (pem format) */ 262 char *ca_path = NULL; /* directory with CA certificates */ 263 char *cert_file = NULL; /* client certificate file (pem format) */ 264 char *privkey_file = NULL; /* client private key file (pem format) */ 265 char *crl_dir = NULL; /* directory containing CRL files */ 266 char *crl_file = NULL; /* Certificate Revocation List (CRL) file (pem format) */ 267 char *max_tls_version = NULL; /* Maximum TLS protocol version (default=1.2) */ 268 bool need_peer_eap = 0; /* Require peer to authenticate us */ 269 #endif 270 271 static char *fname; /* name of most recent +ua file */ 272 273 extern char *crypt (const char *, const char *); 274 275 /* Prototypes for procedures local to this file. */ 276 277 static void network_phase (int); 278 static void check_idle (void *); 279 static void connect_time_expired (void *); 280 static int null_login (int); 281 static int get_pap_passwd (char *); 282 static int have_pap_secret (int *); 283 static int have_chap_secret (char *, char *, int, int *); 284 static int have_srp_secret(char *client, char *server, int need_ip, 285 int *lacks_ipp); 286 287 #ifdef USE_EAPTLS 288 static int have_eaptls_secret_server 289 (char *client, char *server, int need_ip, int *lacks_ipp); 290 static int have_eaptls_secret_client (char *client, char *server); 291 static int scan_authfile_eaptls(FILE * f, char *client, char *server, 292 char *cli_cert, char *serv_cert, 293 char *ca_cert, char *pk, 294 struct wordlist ** addrs, 295 struct wordlist ** opts, 296 char *filename, int flags); 297 #endif 298 299 static int ip_addr_check (u_int32_t, struct permitted_ip *); 300 static int scan_authfile(FILE *, char *, char *, char *, 301 struct wordlist **, struct wordlist **, 302 char *, int); 303 static void free_wordlist (struct wordlist *); 304 static void auth_script (char *); 305 static void auth_script_done (void *); 306 static void set_allowed_addrs (int, struct wordlist *, struct wordlist *); 307 static int some_ip_ok (struct wordlist *); 308 static int setupapfile (char **); 309 static int privgroup (char **); 310 static int set_noauth_addr (char **); 311 static int set_permitted_number (char **); 312 static void check_access (FILE *, char *); 313 static int wordlist_count (struct wordlist *); 314 315 #ifdef MAXOCTETS 316 static void check_maxoctets (void *); 317 #endif 318 319 /* 320 * Authentication-related options. 321 */ 322 option_t auth_options[] = { 323 { "auth", o_bool, &auth_required, 324 "Require authentication from peer", OPT_PRIO | 1 }, 325 { "noauth", o_bool, &auth_required, 326 "Don't require peer to authenticate", OPT_PRIOSUB | OPT_PRIV, 327 &allow_any_ip }, 328 { "require-pap", o_bool, &lcp_wantoptions[0].neg_upap, 329 "Require PAP authentication from peer", 330 OPT_PRIOSUB | 1, &auth_required }, 331 { "+pap", o_bool, &lcp_wantoptions[0].neg_upap, 332 "Require PAP authentication from peer", 333 OPT_ALIAS | OPT_PRIOSUB | 1, &auth_required }, 334 { "require-chap", o_bool, &auth_required, 335 "Require CHAP authentication from peer", 336 OPT_PRIOSUB | OPT_A2OR | MDTYPE_MD5, 337 &lcp_wantoptions[0].chap_mdtype }, 338 { "+chap", o_bool, &auth_required, 339 "Require CHAP authentication from peer", 340 OPT_ALIAS | OPT_PRIOSUB | OPT_A2OR | MDTYPE_MD5, 341 &lcp_wantoptions[0].chap_mdtype }, 342 #ifdef CHAPMS 343 { "require-mschap", o_bool, &auth_required, 344 "Require MS-CHAP authentication from peer", 345 OPT_PRIOSUB | OPT_A2OR | MDTYPE_MICROSOFT, 346 &lcp_wantoptions[0].chap_mdtype }, 347 { "+mschap", o_bool, &auth_required, 348 "Require MS-CHAP authentication from peer", 349 OPT_ALIAS | OPT_PRIOSUB | OPT_A2OR | MDTYPE_MICROSOFT, 350 &lcp_wantoptions[0].chap_mdtype }, 351 { "require-mschap-v2", o_bool, &auth_required, 352 "Require MS-CHAPv2 authentication from peer", 353 OPT_PRIOSUB | OPT_A2OR | MDTYPE_MICROSOFT_V2, 354 &lcp_wantoptions[0].chap_mdtype }, 355 { "+mschap-v2", o_bool, &auth_required, 356 "Require MS-CHAPv2 authentication from peer", 357 OPT_ALIAS | OPT_PRIOSUB | OPT_A2OR | MDTYPE_MICROSOFT_V2, 358 &lcp_wantoptions[0].chap_mdtype }, 359 #endif 360 361 { "refuse-pap", o_bool, &refuse_pap, 362 "Don't agree to auth to peer with PAP", 1 }, 363 { "-pap", o_bool, &refuse_pap, 364 "Don't allow PAP authentication with peer", OPT_ALIAS | 1 }, 365 { "refuse-chap", o_bool, &refuse_chap, 366 "Don't agree to auth to peer with CHAP", 367 OPT_A2CLRB | MDTYPE_MD5, 368 &lcp_allowoptions[0].chap_mdtype }, 369 { "-chap", o_bool, &refuse_chap, 370 "Don't allow CHAP authentication with peer", 371 OPT_ALIAS | OPT_A2CLRB | MDTYPE_MD5, 372 &lcp_allowoptions[0].chap_mdtype }, 373 #ifdef CHAPMS 374 { "refuse-mschap", o_bool, &refuse_mschap, 375 "Don't agree to auth to peer with MS-CHAP", 376 OPT_A2CLRB | MDTYPE_MICROSOFT, 377 &lcp_allowoptions[0].chap_mdtype }, 378 { "-mschap", o_bool, &refuse_mschap, 379 "Don't allow MS-CHAP authentication with peer", 380 OPT_ALIAS | OPT_A2CLRB | MDTYPE_MICROSOFT, 381 &lcp_allowoptions[0].chap_mdtype }, 382 { "refuse-mschap-v2", o_bool, &refuse_mschap_v2, 383 "Don't agree to auth to peer with MS-CHAPv2", 384 OPT_A2CLRB | MDTYPE_MICROSOFT_V2, 385 &lcp_allowoptions[0].chap_mdtype }, 386 { "-mschap-v2", o_bool, &refuse_mschap_v2, 387 "Don't allow MS-CHAPv2 authentication with peer", 388 OPT_ALIAS | OPT_A2CLRB | MDTYPE_MICROSOFT_V2, 389 &lcp_allowoptions[0].chap_mdtype }, 390 #endif 391 392 { "require-eap", o_bool, &lcp_wantoptions[0].neg_eap, 393 "Require EAP authentication from peer", OPT_PRIOSUB | 1, 394 &auth_required }, 395 { "refuse-eap", o_bool, &refuse_eap, 396 "Don't agree to authenticate to peer with EAP", 1 }, 397 398 { "name", o_string, our_name, 399 "Set local name for authentication", 400 OPT_PRIO | OPT_PRIV | OPT_STATIC, NULL, MAXNAMELEN }, 401 402 { "+ua", o_special, (void *)setupapfile, 403 "Get PAP user and password from file", 404 OPT_PRIO | OPT_A2STRVAL, &fname }, 405 406 { "user", o_string, user, 407 "Set name for auth with peer", OPT_PRIO | OPT_STATIC, 408 &explicit_user, MAXNAMELEN }, 409 410 { "password", o_string, passwd, 411 "Password for authenticating us to the peer", 412 OPT_PRIO | OPT_STATIC | OPT_HIDE, 413 &explicit_passwd, MAXSECRETLEN }, 414 415 { "usehostname", o_bool, &usehostname, 416 "Must use hostname for authentication", 1 }, 417 418 { "remotename", o_string, remote_name, 419 "Set remote name for authentication", OPT_PRIO | OPT_STATIC, 420 &explicit_remote, MAXNAMELEN }, 421 422 { "login", o_bool, &uselogin, 423 "Use system password database for PAP", OPT_A2COPY | 1 , 424 &session_mgmt }, 425 { "enable-session", o_bool, &session_mgmt, 426 "Enable session accounting for remote peers", OPT_PRIV | 1 }, 427 428 { "papcrypt", o_bool, &cryptpap, 429 "PAP passwords are encrypted", 1 }, 430 431 { "privgroup", o_special, (void *)privgroup, 432 "Allow group members to use privileged options", OPT_PRIV | OPT_A2LIST }, 433 434 { "allow-ip", o_special, (void *)set_noauth_addr, 435 "Set IP address(es) which can be used without authentication", 436 OPT_PRIV | OPT_A2LIST }, 437 438 { "remotenumber", o_string, remote_number, 439 "Set remote telephone number for authentication", OPT_PRIO | OPT_STATIC, 440 NULL, MAXNAMELEN }, 441 442 { "allow-number", o_special, (void *)set_permitted_number, 443 "Set telephone number(s) which are allowed to connect", 444 OPT_PRIV | OPT_A2LIST }, 445 446 #ifdef USE_EAPTLS 447 { "ca", o_string, &cacert_file, "EAP-TLS CA certificate in PEM format" }, 448 { "capath", o_string, &ca_path, "EAP-TLS CA certificate directory" }, 449 { "cert", o_string, &cert_file, "EAP-TLS client certificate in PEM format" }, 450 { "key", o_string, &privkey_file, "EAP-TLS client private key in PEM format" }, 451 { "crl-dir", o_string, &crl_dir, "Use CRLs in directory" }, 452 { "crl", o_string, &crl_file, "Use specific CRL file" }, 453 { "max-tls-version", o_string, &max_tls_version, 454 "Maximum TLS version (1.0/1.1/1.2 (default)/1.3)" }, 455 { "need-peer-eap", o_bool, &need_peer_eap, 456 "Require the peer to authenticate us", 1 }, 457 #endif /* USE_EAPTLS */ 458 { NULL } 459 }; 460 461 /* 462 * setupapfile - specifies UPAP info for authenticating with peer. 463 */ 464 static int 465 setupapfile(char **argv) 466 { 467 FILE *ufile; 468 int l; 469 uid_t euid; 470 char u[MAXNAMELEN], p[MAXSECRETLEN]; 471 472 lcp_allowoptions[0].neg_upap = 1; 473 474 if (*argv == NULL) 475 novm("+ua file name"); 476 477 if (fname != NULL) 478 free(fname); 479 /* open user info file */ 480 fname = strdup(*argv); 481 if (fname == NULL) 482 novm("+ua file name"); 483 euid = geteuid(); 484 if (seteuid(getuid()) == -1) { 485 option_error("unable to reset uid before opening %s: %m", fname); 486 free(fname); 487 return 0; 488 } 489 ufile = fopen(fname, "r"); 490 if (seteuid(euid) == -1) 491 fatal("unable to regain privileges: %m"); 492 if (ufile == NULL) { 493 option_error("unable to open user login data file %s", fname); 494 free(fname); 495 return 0; 496 } 497 check_access(ufile, fname); 498 499 /* get username */ 500 if (fgets(u, MAXNAMELEN - 1, ufile) == NULL 501 || fgets(p, MAXSECRETLEN - 1, ufile) == NULL) { 502 fclose(ufile); 503 option_error("unable to read user login data file %s", fname); 504 free(fname); 505 return 0; 506 } 507 fclose(ufile); 508 509 /* get rid of newlines */ 510 l = strlen(u); 511 if (l > 0 && u[l-1] == '\n') 512 u[l-1] = 0; 513 l = strlen(p); 514 if (l > 0 && p[l-1] == '\n') 515 p[l-1] = 0; 516 517 if (override_value("user", option_priority, fname)) { 518 strlcpy(user, u, sizeof(user)); 519 explicit_user = 1; 520 } 521 if (override_value("passwd", option_priority, fname)) { 522 strlcpy(passwd, p, sizeof(passwd)); 523 explicit_passwd = 1; 524 } 525 526 free(fname); 527 return (1); 528 } 529 530 531 /* 532 * privgroup - allow members of the group to have privileged access. 533 */ 534 static int 535 privgroup(char **argv) 536 { 537 struct group *g; 538 int i; 539 540 g = getgrnam(*argv); 541 if (g == 0) { 542 option_error("group %s is unknown", *argv); 543 return 0; 544 } 545 for (i = 0; i < ngroups; ++i) { 546 if (groups[i] == g->gr_gid) { 547 privileged = 1; 548 break; 549 } 550 } 551 return 1; 552 } 553 554 555 /* 556 * set_noauth_addr - set address(es) that can be used without authentication. 557 * Equivalent to specifying an entry like `"" * "" addr' in pap-secrets. 558 */ 559 static int 560 set_noauth_addr(char **argv) 561 { 562 char *addr = *argv; 563 int l = strlen(addr) + 1; 564 struct wordlist *wp; 565 566 wp = (struct wordlist *) malloc(sizeof(struct wordlist) + l); 567 if (wp == NULL) 568 novm("allow-ip argument"); 569 wp->word = (char *) (wp + 1); 570 wp->next = noauth_addrs; 571 BCOPY(addr, wp->word, l); 572 noauth_addrs = wp; 573 return 1; 574 } 575 576 577 /* 578 * set_permitted_number - set remote telephone number(s) that may connect. 579 */ 580 static int 581 set_permitted_number(char **argv) 582 { 583 char *number = *argv; 584 int l = strlen(number) + 1; 585 struct wordlist *wp; 586 587 wp = (struct wordlist *) malloc(sizeof(struct wordlist) + l); 588 if (wp == NULL) 589 novm("allow-number argument"); 590 wp->word = (char *) (wp + 1); 591 wp->next = permitted_numbers; 592 BCOPY(number, wp->word, l); 593 permitted_numbers = wp; 594 return 1; 595 } 596 597 598 /* 599 * An Open on LCP has requested a change from Dead to Establish phase. 600 */ 601 void 602 link_required(int unit) 603 { 604 } 605 606 /* 607 * Bring the link up to the point of being able to do ppp. 608 */ 609 void start_link(int unit) 610 { 611 status = EXIT_CONNECT_FAILED; 612 new_phase(PHASE_SERIALCONN); 613 614 hungup = 0; 615 devfd = the_channel->connect(); 616 if (devfd < 0) 617 goto fail; 618 619 /* set up the serial device as a ppp interface */ 620 /* 621 * N.B. we used to do tdb_writelock/tdb_writeunlock around this 622 * (from establish_ppp to set_ifunit). However, we won't be 623 * doing the set_ifunit in multilink mode, which is the only time 624 * we need the atomicity that the tdb_writelock/tdb_writeunlock 625 * gives us. Thus we don't need the tdb_writelock/tdb_writeunlock. 626 */ 627 fd_ppp = the_channel->establish_ppp(devfd); 628 if (fd_ppp < 0) { 629 status = EXIT_FATAL_ERROR; 630 goto disconnect; 631 } 632 633 if (!demand && ifunit >= 0) 634 set_ifunit(1); 635 636 /* 637 * Start opening the connection and wait for 638 * incoming events (reply, timeout, etc.). 639 */ 640 if (ifunit >= 0) 641 notice("Connect: %s <--> %s", ifname, ppp_devnam); 642 else 643 notice("Starting negotiation on %s", ppp_devnam); 644 add_fd(fd_ppp); 645 646 status = EXIT_NEGOTIATION_FAILED; 647 new_phase(PHASE_ESTABLISH); 648 649 lcp_lowerup(0); 650 return; 651 652 disconnect: 653 new_phase(PHASE_DISCONNECT); 654 if (the_channel->disconnect) 655 the_channel->disconnect(); 656 657 fail: 658 new_phase(PHASE_DEAD); 659 if (the_channel->cleanup) 660 (*the_channel->cleanup)(); 661 } 662 663 /* 664 * LCP has terminated the link; go to the Dead phase and take the 665 * physical layer down. 666 */ 667 void 668 link_terminated(int unit) 669 { 670 if (phase == PHASE_DEAD || phase == PHASE_MASTER) 671 return; 672 new_phase(PHASE_DISCONNECT); 673 674 if (pap_logout_hook) { 675 pap_logout_hook(); 676 } 677 session_end(devnam); 678 679 if (!doing_multilink) { 680 notice("Connection terminated."); 681 print_link_stats(); 682 } else 683 notice("Link terminated."); 684 685 /* 686 * Delete pid files before disestablishing ppp. Otherwise it 687 * can happen that another pppd gets the same unit and then 688 * we delete its pid file. 689 */ 690 if (!doing_multilink && !demand) 691 remove_pidfiles(); 692 693 /* 694 * If we may want to bring the link up again, transfer 695 * the ppp unit back to the loopback. Set the 696 * real serial device back to its normal mode of operation. 697 */ 698 if (fd_ppp >= 0) { 699 remove_fd(fd_ppp); 700 clean_check(); 701 the_channel->disestablish_ppp(devfd); 702 if (doing_multilink) 703 mp_exit_bundle(); 704 fd_ppp = -1; 705 } 706 if (!hungup) 707 lcp_lowerdown(0); 708 if (!doing_multilink && !demand) 709 script_unsetenv("IFNAME"); 710 711 /* 712 * Run disconnector script, if requested. 713 * XXX we may not be able to do this if the line has hung up! 714 */ 715 if (devfd >= 0 && the_channel->disconnect) { 716 the_channel->disconnect(); 717 devfd = -1; 718 } 719 if (the_channel->cleanup) 720 (*the_channel->cleanup)(); 721 722 if (doing_multilink && multilink_master) { 723 if (!bundle_terminating) { 724 new_phase(PHASE_MASTER); 725 if (master_detach && !detached) 726 detach(); 727 } else 728 mp_bundle_terminated(); 729 } else 730 new_phase(PHASE_DEAD); 731 } 732 733 /* 734 * LCP has gone down; it will either die or try to re-establish. 735 */ 736 void 737 link_down(int unit) 738 { 739 if (auth_state != s_down) { 740 notify(link_down_notifier, 0); 741 auth_state = s_down; 742 if (auth_script_state == s_up && auth_script_pid == 0) { 743 update_link_stats(unit); 744 auth_script_state = s_down; 745 auth_script(_PATH_AUTHDOWN); 746 } 747 } 748 if (!doing_multilink) { 749 upper_layers_down(unit); 750 if (phase != PHASE_DEAD && phase != PHASE_MASTER) 751 new_phase(PHASE_ESTABLISH); 752 } 753 /* XXX if doing_multilink, should do something to stop 754 network-layer traffic on the link */ 755 } 756 757 void upper_layers_down(int unit) 758 { 759 int i; 760 struct protent *protp; 761 762 for (i = 0; (protp = protocols[i]) != NULL; ++i) { 763 if (!protp->enabled_flag) 764 continue; 765 if (protp->protocol != PPP_LCP && protp->lowerdown != NULL) 766 (*protp->lowerdown)(unit); 767 if (protp->protocol < 0xC000 && protp->close != NULL) 768 (*protp->close)(unit, "LCP down"); 769 } 770 num_np_open = 0; 771 num_np_up = 0; 772 } 773 774 /* 775 * The link is established. 776 * Proceed to the Dead, Authenticate or Network phase as appropriate. 777 */ 778 void 779 link_established(int unit) 780 { 781 int auth; 782 lcp_options *wo = &lcp_wantoptions[unit]; 783 lcp_options *go = &lcp_gotoptions[unit]; 784 lcp_options *ho = &lcp_hisoptions[unit]; 785 #ifdef USE_EAPTLS 786 lcp_options *ao = &lcp_allowoptions[unit]; 787 #endif 788 int i; 789 struct protent *protp; 790 791 /* 792 * Tell higher-level protocols that LCP is up. 793 */ 794 if (!doing_multilink) { 795 for (i = 0; (protp = protocols[i]) != NULL; ++i) 796 if (protp->protocol != PPP_LCP && protp->enabled_flag 797 && protp->lowerup != NULL) 798 (*protp->lowerup)(unit); 799 } 800 801 if (!auth_required && noauth_addrs != NULL) 802 set_allowed_addrs(unit, NULL, NULL); 803 804 if (auth_required && !(go->neg_upap || go->neg_chap || go->neg_eap)) { 805 /* 806 * We wanted the peer to authenticate itself, and it refused: 807 * if we have some address(es) it can use without auth, fine, 808 * otherwise treat it as though it authenticated with PAP using 809 * a username of "" and a password of "". If that's not OK, 810 * boot it out. 811 */ 812 if (noauth_addrs != NULL) { 813 set_allowed_addrs(unit, NULL, NULL); 814 } else if (!wo->neg_upap || uselogin || !null_login(unit)) { 815 warn("peer refused to authenticate: terminating link"); 816 status = EXIT_PEER_AUTH_FAILED; 817 lcp_close(unit, "peer refused to authenticate"); 818 return; 819 } 820 } 821 822 #ifdef USE_EAPTLS 823 if (need_peer_eap && !ao->neg_eap) { 824 warn("eap required to authenticate us but no suitable secrets"); 825 lcp_close(unit, "couldn't negotiate eap"); 826 status = EXIT_AUTH_TOPEER_FAILED; 827 return; 828 } 829 830 if (need_peer_eap && !ho->neg_eap) { 831 warn("peer doesn't want to authenticate us with eap"); 832 lcp_close(unit, "couldn't negotiate eap"); 833 status = EXIT_PEER_AUTH_FAILED; 834 return; 835 } 836 #endif 837 838 new_phase(PHASE_AUTHENTICATE); 839 auth = 0; 840 if (go->neg_eap) { 841 eap_authpeer(unit, our_name); 842 auth |= EAP_PEER; 843 } else if (go->neg_chap) { 844 chap_auth_peer(unit, our_name, CHAP_DIGEST(go->chap_mdtype)); 845 auth |= CHAP_PEER; 846 } else if (go->neg_upap) { 847 upap_authpeer(unit); 848 auth |= PAP_PEER; 849 } 850 if (ho->neg_eap) { 851 eap_authwithpeer(unit, user); 852 auth |= EAP_WITHPEER; 853 } else if (ho->neg_chap) { 854 chap_auth_with_peer(unit, user, CHAP_DIGEST(ho->chap_mdtype)); 855 auth |= CHAP_WITHPEER; 856 } else if (ho->neg_upap) { 857 /* If a blank password was explicitly given as an option, trust 858 the user and don't try to look up one. */ 859 if (passwd[0] == 0 && !explicit_passwd) { 860 passwd_from_file = 1; 861 if (!get_pap_passwd(passwd)) 862 error("No secret found for PAP login"); 863 } 864 upap_authwithpeer(unit, user, passwd); 865 auth |= PAP_WITHPEER; 866 } 867 auth_pending[unit] = auth; 868 auth_done[unit] = 0; 869 870 if (!auth) 871 network_phase(unit); 872 } 873 874 /* 875 * Proceed to the network phase. 876 */ 877 static void 878 network_phase(int unit) 879 { 880 lcp_options *go = &lcp_gotoptions[unit]; 881 882 /* Log calling number. */ 883 if (*remote_number) 884 notice("peer from calling number %q authorized", remote_number); 885 886 /* 887 * If the peer had to authenticate, run the auth-up script now. 888 */ 889 notify(auth_up_notifier, 0); 890 if (go->neg_chap || go->neg_upap || go->neg_eap) { 891 auth_state = s_up; 892 if (auth_script_state == s_down && auth_script_pid == 0) { 893 auth_script_state = s_up; 894 auth_script(_PATH_AUTHUP); 895 } 896 } 897 898 #ifdef CBCP_SUPPORT 899 /* 900 * If we negotiated callback, do it now. 901 */ 902 if (go->neg_cbcp) { 903 new_phase(PHASE_CALLBACK); 904 (*cbcp_protent.open)(unit); 905 return; 906 } 907 #endif 908 909 /* 910 * Process extra options from the secrets file 911 */ 912 if (extra_options) { 913 options_from_list(extra_options, 1); 914 free_wordlist(extra_options); 915 extra_options = 0; 916 } 917 start_networks(unit); 918 } 919 920 void 921 start_networks(int unit) 922 { 923 int i; 924 struct protent *protp; 925 int ecp_required, mppe_required; 926 927 new_phase(PHASE_NETWORK); 928 929 #ifdef HAVE_MULTILINK 930 if (multilink) { 931 if (mp_join_bundle()) { 932 if (multilink_join_hook) 933 (*multilink_join_hook)(); 934 if (updetach && !nodetach) 935 detach(); 936 return; 937 } 938 } 939 #endif /* HAVE_MULTILINK */ 940 941 #ifdef PPP_FILTER 942 if (!demand) 943 set_filters(&pass_filter_in, &pass_filter_out, 944 &active_filter_in, &active_filter_out); 945 #endif 946 /* Start CCP and ECP */ 947 for (i = 0; (protp = protocols[i]) != NULL; ++i) 948 if ((protp->protocol == PPP_ECP || protp->protocol == PPP_CCP) 949 && protp->enabled_flag && protp->open != NULL) 950 (*protp->open)(0); 951 952 /* 953 * Bring up other network protocols iff encryption is not required. 954 */ 955 ecp_required = ecp_gotoptions[unit].required; 956 mppe_required = ccp_gotoptions[unit].mppe; 957 if (!ecp_required && !mppe_required) 958 continue_networks(unit); 959 } 960 961 void 962 continue_networks(int unit) 963 { 964 int i; 965 struct protent *protp; 966 967 /* 968 * Start the "real" network protocols. 969 */ 970 for (i = 0; (protp = protocols[i]) != NULL; ++i) 971 if (protp->protocol < 0xC000 972 && protp->protocol != PPP_CCP && protp->protocol != PPP_ECP 973 && protp->enabled_flag && protp->open != NULL) { 974 (*protp->open)(0); 975 ++num_np_open; 976 } 977 978 if (num_np_open == 0) 979 /* nothing to do */ 980 lcp_close(0, "No network protocols running"); 981 } 982 983 /* 984 * The peer has failed to authenticate himself using `protocol'. 985 */ 986 void 987 auth_peer_fail(int unit, int protocol) 988 { 989 /* 990 * Authentication failure: take the link down 991 */ 992 status = EXIT_PEER_AUTH_FAILED; 993 lcp_close(unit, "Authentication failed"); 994 } 995 996 /* 997 * The peer has been successfully authenticated using `protocol'. 998 */ 999 void 1000 auth_peer_success(int unit, int protocol, int prot_flavor, 1001 char *name, int namelen) 1002 { 1003 int bit; 1004 1005 switch (protocol) { 1006 case PPP_CHAP: 1007 bit = CHAP_PEER; 1008 switch (prot_flavor) { 1009 case CHAP_MD5: 1010 bit |= CHAP_MD5_PEER; 1011 break; 1012 #ifdef CHAPMS 1013 case CHAP_MICROSOFT: 1014 bit |= CHAP_MS_PEER; 1015 break; 1016 case CHAP_MICROSOFT_V2: 1017 bit |= CHAP_MS2_PEER; 1018 break; 1019 #endif 1020 } 1021 break; 1022 case PPP_PAP: 1023 bit = PAP_PEER; 1024 break; 1025 case PPP_EAP: 1026 bit = EAP_PEER; 1027 break; 1028 default: 1029 warn("auth_peer_success: unknown protocol %x", protocol); 1030 return; 1031 } 1032 1033 /* 1034 * Save the authenticated name of the peer for later. 1035 */ 1036 if (namelen > sizeof(peer_authname) - 1) 1037 namelen = sizeof(peer_authname) - 1; 1038 BCOPY(name, peer_authname, namelen); 1039 peer_authname[namelen] = 0; 1040 script_setenv("PEERNAME", peer_authname, 0); 1041 1042 /* Save the authentication method for later. */ 1043 auth_done[unit] |= bit; 1044 1045 /* 1046 * If there is no more authentication still to be done, 1047 * proceed to the network (or callback) phase. 1048 */ 1049 if ((auth_pending[unit] &= ~bit) == 0) 1050 network_phase(unit); 1051 } 1052 1053 /* 1054 * We have failed to authenticate ourselves to the peer using `protocol'. 1055 */ 1056 void 1057 auth_withpeer_fail(int unit, int protocol) 1058 { 1059 if (passwd_from_file) 1060 BZERO(passwd, MAXSECRETLEN); 1061 /* 1062 * We've failed to authenticate ourselves to our peer. 1063 * Some servers keep sending CHAP challenges, but there 1064 * is no point in persisting without any way to get updated 1065 * authentication secrets. 1066 */ 1067 status = EXIT_AUTH_TOPEER_FAILED; 1068 lcp_close(unit, "Failed to authenticate ourselves to peer"); 1069 } 1070 1071 /* 1072 * We have successfully authenticated ourselves with the peer using `protocol'. 1073 */ 1074 void 1075 auth_withpeer_success(int unit, int protocol, int prot_flavor) 1076 { 1077 int bit; 1078 const char *prot = ""; 1079 1080 switch (protocol) { 1081 case PPP_CHAP: 1082 bit = CHAP_WITHPEER; 1083 prot = "CHAP"; 1084 switch (prot_flavor) { 1085 case CHAP_MD5: 1086 bit |= CHAP_MD5_WITHPEER; 1087 break; 1088 #ifdef CHAPMS 1089 case CHAP_MICROSOFT: 1090 bit |= CHAP_MS_WITHPEER; 1091 break; 1092 case CHAP_MICROSOFT_V2: 1093 bit |= CHAP_MS2_WITHPEER; 1094 break; 1095 #endif 1096 } 1097 break; 1098 case PPP_PAP: 1099 if (passwd_from_file) 1100 BZERO(passwd, MAXSECRETLEN); 1101 bit = PAP_WITHPEER; 1102 prot = "PAP"; 1103 break; 1104 case PPP_EAP: 1105 bit = EAP_WITHPEER; 1106 prot = "EAP"; 1107 break; 1108 default: 1109 warn("auth_withpeer_success: unknown protocol %x", protocol); 1110 bit = 0; 1111 } 1112 1113 notice("%s authentication succeeded", prot); 1114 1115 /* Save the authentication method for later. */ 1116 auth_done[unit] |= bit; 1117 1118 /* 1119 * If there is no more authentication still being done, 1120 * proceed to the network (or callback) phase. 1121 */ 1122 if ((auth_pending[unit] &= ~bit) == 0) 1123 network_phase(unit); 1124 } 1125 1126 1127 /* 1128 * np_up - a network protocol has come up. 1129 */ 1130 void 1131 np_up(int unit, int proto) 1132 { 1133 int tlim; 1134 1135 if (num_np_up == 0) { 1136 /* 1137 * At this point we consider that the link has come up successfully. 1138 */ 1139 status = EXIT_OK; 1140 unsuccess = 0; 1141 new_phase(PHASE_RUNNING); 1142 1143 if (idle_time_hook != 0) 1144 tlim = (*idle_time_hook)(NULL); 1145 else 1146 tlim = idle_time_limit; 1147 if (tlim > 0) 1148 TIMEOUT(check_idle, NULL, tlim); 1149 1150 /* 1151 * Set a timeout to close the connection once the maximum 1152 * connect time has expired. 1153 */ 1154 if (maxconnect > 0) 1155 TIMEOUT(connect_time_expired, 0, maxconnect); 1156 1157 #ifdef MAXOCTETS 1158 if (maxoctets > 0) 1159 TIMEOUT(check_maxoctets, NULL, maxoctets_timeout); 1160 #endif 1161 1162 /* 1163 * Detach now, if the updetach option was given. 1164 */ 1165 if (updetach && !nodetach) { 1166 dbglog("updetach is set. Now detaching."); 1167 detach(); 1168 #ifdef SYSTEMD 1169 } else if (nodetach && up_sdnotify) { 1170 dbglog("up_sdnotify is set. Now notifying systemd: READY=1"); 1171 sd_notify(0, "READY=1"); 1172 #endif 1173 } 1174 } 1175 ++num_np_up; 1176 } 1177 1178 /* 1179 * np_down - a network protocol has gone down. 1180 */ 1181 void 1182 np_down(int unit, int proto) 1183 { 1184 if (--num_np_up == 0) { 1185 UNTIMEOUT(check_idle, NULL); 1186 UNTIMEOUT(connect_time_expired, NULL); 1187 #ifdef MAXOCTETS 1188 UNTIMEOUT(check_maxoctets, NULL); 1189 #endif 1190 new_phase(PHASE_NETWORK); 1191 } 1192 } 1193 1194 /* 1195 * np_finished - a network protocol has finished using the link. 1196 */ 1197 void 1198 np_finished(int unit, int proto) 1199 { 1200 if (--num_np_open <= 0) { 1201 /* no further use for the link: shut up shop. */ 1202 lcp_close(0, "No network protocols running"); 1203 } 1204 } 1205 1206 #ifdef MAXOCTETS 1207 static void 1208 check_maxoctets(void *arg) 1209 { 1210 unsigned int used; 1211 1212 update_link_stats(ifunit); 1213 link_stats_valid=0; 1214 1215 switch(maxoctets_dir) { 1216 case PPP_OCTETS_DIRECTION_IN: 1217 used = link_stats.bytes_in; 1218 break; 1219 case PPP_OCTETS_DIRECTION_OUT: 1220 used = link_stats.bytes_out; 1221 break; 1222 case PPP_OCTETS_DIRECTION_MAXOVERAL: 1223 case PPP_OCTETS_DIRECTION_MAXSESSION: 1224 used = (link_stats.bytes_in > link_stats.bytes_out) ? link_stats.bytes_in : link_stats.bytes_out; 1225 break; 1226 default: 1227 used = link_stats.bytes_in+link_stats.bytes_out; 1228 break; 1229 } 1230 if (used > maxoctets) { 1231 notice("Traffic limit reached. Limit: %u Used: %u", maxoctets, used); 1232 status = EXIT_TRAFFIC_LIMIT; 1233 lcp_close(0, "Traffic limit"); 1234 need_holdoff = 0; 1235 } else { 1236 TIMEOUT(check_maxoctets, NULL, maxoctets_timeout); 1237 } 1238 } 1239 #endif 1240 1241 /* 1242 * check_idle - check whether the link has been idle for long 1243 * enough that we can shut it down. 1244 */ 1245 static void 1246 check_idle(void *arg) 1247 { 1248 struct ppp_idle idle; 1249 time_t itime; 1250 int tlim; 1251 1252 if (!get_idle_time(0, &idle)) 1253 return; 1254 if (idle_time_hook != 0) { 1255 tlim = idle_time_hook(&idle); 1256 } else { 1257 itime = MIN(idle.xmit_idle, idle.recv_idle); 1258 tlim = idle_time_limit - itime; 1259 } 1260 if (tlim <= 0) { 1261 /* link is idle: shut it down. */ 1262 notice("Terminating connection due to lack of activity."); 1263 status = EXIT_IDLE_TIMEOUT; 1264 lcp_close(0, "Link inactive"); 1265 need_holdoff = 0; 1266 } else { 1267 TIMEOUT(check_idle, NULL, tlim); 1268 } 1269 } 1270 1271 /* 1272 * connect_time_expired - log a message and close the connection. 1273 */ 1274 static void 1275 connect_time_expired(void *arg) 1276 { 1277 info("Connect time expired"); 1278 status = EXIT_CONNECT_TIME; 1279 lcp_close(0, "Connect time expired"); /* Close connection */ 1280 } 1281 1282 /* 1283 * auth_check_options - called to check authentication options. 1284 */ 1285 void 1286 auth_check_options(void) 1287 { 1288 lcp_options *wo = &lcp_wantoptions[0]; 1289 int can_auth; 1290 int lacks_ip; 1291 1292 /* Default our_name to hostname, and user to our_name */ 1293 if (our_name[0] == 0 || usehostname) 1294 strlcpy(our_name, hostname, sizeof(our_name)); 1295 /* If a blank username was explicitly given as an option, trust 1296 the user and don't use our_name */ 1297 if (user[0] == 0 && !explicit_user) 1298 strlcpy(user, our_name, sizeof(user)); 1299 1300 /* 1301 * If we have a default route, require the peer to authenticate 1302 * unless the noauth option was given or the real user is root. 1303 */ 1304 if (!auth_required && !allow_any_ip && have_route_to(0) && !privileged) { 1305 auth_required = 1; 1306 default_auth = 1; 1307 } 1308 1309 /* If we selected any CHAP flavors, we should probably negotiate it. :-) */ 1310 if (wo->chap_mdtype) 1311 wo->neg_chap = 1; 1312 1313 /* If authentication is required, ask peer for CHAP, PAP, or EAP. */ 1314 if (auth_required) { 1315 allow_any_ip = 0; 1316 if (!wo->neg_chap && !wo->neg_upap && !wo->neg_eap) { 1317 wo->neg_chap = chap_mdtype_all != MDTYPE_NONE; 1318 wo->chap_mdtype = chap_mdtype_all; 1319 wo->neg_upap = 1; 1320 wo->neg_eap = 1; 1321 } 1322 } else { 1323 wo->neg_chap = 0; 1324 wo->chap_mdtype = MDTYPE_NONE; 1325 wo->neg_upap = 0; 1326 wo->neg_eap = 0; 1327 } 1328 1329 /* 1330 * Check whether we have appropriate secrets to use 1331 * to authenticate the peer. Note that EAP can authenticate by way 1332 * of a CHAP-like exchanges as well as SRP. 1333 */ 1334 lacks_ip = 0; 1335 can_auth = wo->neg_upap && (uselogin || have_pap_secret(&lacks_ip)); 1336 if (!can_auth && (wo->neg_chap || wo->neg_eap)) { 1337 can_auth = have_chap_secret((explicit_remote? remote_name: NULL), 1338 our_name, 1, &lacks_ip); 1339 } 1340 if (!can_auth && wo->neg_eap) { 1341 can_auth = have_srp_secret((explicit_remote? remote_name: NULL), 1342 our_name, 1, &lacks_ip); 1343 } 1344 1345 #ifdef USE_EAPTLS 1346 if (!can_auth && wo->neg_eap) { 1347 can_auth = 1348 have_eaptls_secret_server((explicit_remote ? remote_name : 1349 NULL), our_name, 1, &lacks_ip); 1350 1351 } 1352 #endif 1353 1354 if (auth_required && !can_auth && noauth_addrs == NULL) { 1355 if (default_auth) { 1356 option_error( 1357 "By default the remote system is required to authenticate itself"); 1358 option_error( 1359 "(because this system has a default route to the internet)"); 1360 } else if (explicit_remote) 1361 option_error( 1362 "The remote system (%s) is required to authenticate itself", 1363 remote_name); 1364 else 1365 option_error( 1366 "The remote system is required to authenticate itself"); 1367 option_error( 1368 "but I couldn't find any suitable secret (password) for it to use to do so."); 1369 if (lacks_ip) 1370 option_error( 1371 "(None of the available passwords would let it use an IP address.)"); 1372 1373 exit(1); 1374 } 1375 1376 /* 1377 * Early check for remote number authorization. 1378 */ 1379 if (!auth_number()) { 1380 warn("calling number %q is not authorized", remote_number); 1381 exit(EXIT_CNID_AUTH_FAILED); 1382 } 1383 } 1384 1385 /* 1386 * auth_reset - called when LCP is starting negotiations to recheck 1387 * authentication options, i.e. whether we have appropriate secrets 1388 * to use for authenticating ourselves and/or the peer. 1389 */ 1390 void 1391 auth_reset(int unit) 1392 { 1393 lcp_options *go = &lcp_gotoptions[unit]; 1394 lcp_options *ao = &lcp_allowoptions[unit]; 1395 int hadchap; 1396 1397 hadchap = -1; 1398 ao->neg_upap = !refuse_pap && (passwd[0] != 0 || get_pap_passwd(NULL)); 1399 ao->neg_chap = (!refuse_chap || !refuse_mschap || !refuse_mschap_v2) 1400 && ((passwd[0] != 0 || explicit_passwd) || 1401 (hadchap = have_chap_secret(user, (explicit_remote? remote_name: 1402 NULL), 0, NULL))); 1403 ao->neg_eap = !refuse_eap && ( 1404 passwd[0] != 0 || 1405 (hadchap == 1 || (hadchap == -1 && have_chap_secret(user, 1406 (explicit_remote? remote_name: NULL), 0, NULL))) || 1407 have_srp_secret(user, (explicit_remote? remote_name: NULL), 0, NULL) 1408 #ifdef USE_EAPTLS 1409 || have_eaptls_secret_client(user, (explicit_remote? remote_name: NULL)) 1410 #endif 1411 ); 1412 1413 hadchap = -1; 1414 if (go->neg_upap && !uselogin && !have_pap_secret(NULL)) 1415 go->neg_upap = 0; 1416 if (go->neg_chap) { 1417 if (!(hadchap = have_chap_secret((explicit_remote? remote_name: NULL), 1418 our_name, 1, NULL))) 1419 go->neg_chap = 0; 1420 } 1421 if (go->neg_eap && 1422 (hadchap == 0 || (hadchap == -1 && 1423 !have_chap_secret((explicit_remote? remote_name: NULL), our_name, 1424 1, NULL))) && 1425 !have_srp_secret((explicit_remote? remote_name: NULL), our_name, 1, 1426 NULL) 1427 #ifdef USE_EAPTLS 1428 && !have_eaptls_secret_server((explicit_remote? remote_name: NULL), 1429 our_name, 1, NULL) 1430 #endif 1431 ) 1432 go->neg_eap = 0; 1433 } 1434 1435 1436 /* 1437 * check_passwd - Check the user name and passwd against the PAP secrets 1438 * file. If requested, also check against the system password database, 1439 * and login the user if OK. 1440 * 1441 * returns: 1442 * UPAP_AUTHNAK: Authentication failed. 1443 * UPAP_AUTHACK: Authentication succeeded. 1444 * In either case, msg points to an appropriate message. 1445 */ 1446 int 1447 check_passwd(int unit, 1448 char *auser, int userlen, 1449 char *apasswd, int passwdlen, char **msg) 1450 { 1451 int ret; 1452 char *filename; 1453 FILE *f; 1454 struct wordlist *addrs = NULL, *opts = NULL; 1455 char passwd[256], user[256]; 1456 char secret[MAXWORDLEN]; 1457 static int attempts = 0; 1458 1459 /* 1460 * Make copies of apasswd and auser, then null-terminate them. 1461 * If there are unprintable characters in the password, make 1462 * them visible. 1463 */ 1464 slprintf(passwd, sizeof(passwd), "%.*v", passwdlen, apasswd); 1465 slprintf(user, sizeof(user), "%.*v", userlen, auser); 1466 *msg = ""; 1467 1468 /* 1469 * Check if a plugin wants to handle this. 1470 */ 1471 if (pap_auth_hook) { 1472 ret = (*pap_auth_hook)(user, passwd, msg, &addrs, &opts); 1473 if (ret >= 0) { 1474 /* note: set_allowed_addrs() saves opts (but not addrs): 1475 don't free it! */ 1476 if (ret) 1477 set_allowed_addrs(unit, addrs, opts); 1478 else if (opts != 0) 1479 free_wordlist(opts); 1480 if (addrs != 0) 1481 free_wordlist(addrs); 1482 BZERO(passwd, sizeof(passwd)); 1483 return ret? UPAP_AUTHACK: UPAP_AUTHNAK; 1484 } 1485 } 1486 1487 /* 1488 * Open the file of pap secrets and scan for a suitable secret 1489 * for authenticating this user. 1490 */ 1491 filename = _PATH_UPAPFILE; 1492 addrs = opts = NULL; 1493 ret = UPAP_AUTHNAK; 1494 f = fopen(filename, "r"); 1495 if (f == NULL) { 1496 error("Can't open PAP password file %s: %m", filename); 1497 1498 } else { 1499 check_access(f, filename); 1500 if (scan_authfile(f, user, our_name, secret, &addrs, &opts, filename, 0) < 0) { 1501 warn("no PAP secret found for %s", user); 1502 } else { 1503 /* 1504 * If the secret is "@login", it means to check 1505 * the password against the login database. 1506 */ 1507 int login_secret = strcmp(secret, "@login") == 0; 1508 ret = UPAP_AUTHACK; 1509 if (uselogin || login_secret) { 1510 /* login option or secret is @login */ 1511 if (session_full(user, passwd, devnam, msg) == 0) { 1512 ret = UPAP_AUTHNAK; 1513 } 1514 } else if (session_mgmt) { 1515 if (session_check(user, NULL, devnam, NULL) == 0) { 1516 warn("Peer %q failed PAP Session verification", user); 1517 ret = UPAP_AUTHNAK; 1518 } 1519 } 1520 if (secret[0] != 0 && !login_secret) { 1521 /* password given in pap-secrets - must match */ 1522 if (cryptpap || strcmp(passwd, secret) != 0) { 1523 char *cbuf = crypt(passwd, secret); 1524 if (!cbuf || strcmp(cbuf, secret) != 0) 1525 ret = UPAP_AUTHNAK; 1526 } 1527 } 1528 } 1529 fclose(f); 1530 } 1531 1532 if (ret == UPAP_AUTHNAK) { 1533 if (**msg == 0) 1534 *msg = "Login incorrect"; 1535 /* 1536 * XXX can we ever get here more than once?? 1537 * Frustrate passwd stealer programs. 1538 * Allow 10 tries, but start backing off after 3 (stolen from login). 1539 * On 10'th, drop the connection. 1540 */ 1541 if (attempts++ >= 10) { 1542 warn("%d LOGIN FAILURES ON %s, %s", attempts, devnam, user); 1543 lcp_close(unit, "login failed"); 1544 } 1545 if (attempts > 3) 1546 sleep((u_int) (attempts - 3) * 5); 1547 if (opts != NULL) 1548 free_wordlist(opts); 1549 1550 } else { 1551 attempts = 0; /* Reset count */ 1552 if (**msg == 0) 1553 *msg = "Login ok"; 1554 set_allowed_addrs(unit, addrs, opts); 1555 } 1556 1557 if (addrs != NULL) 1558 free_wordlist(addrs); 1559 BZERO(passwd, sizeof(passwd)); 1560 BZERO(secret, sizeof(secret)); 1561 1562 return ret; 1563 } 1564 1565 /* 1566 * null_login - Check if a username of "" and a password of "" are 1567 * acceptable, and iff so, set the list of acceptable IP addresses 1568 * and return 1. 1569 */ 1570 static int 1571 null_login(int unit) 1572 { 1573 char *filename; 1574 FILE *f; 1575 int i, ret; 1576 struct wordlist *addrs, *opts; 1577 char secret[MAXWORDLEN]; 1578 1579 /* 1580 * Check if a plugin wants to handle this. 1581 */ 1582 ret = -1; 1583 if (null_auth_hook) 1584 ret = (*null_auth_hook)(&addrs, &opts); 1585 1586 /* 1587 * Open the file of pap secrets and scan for a suitable secret. 1588 */ 1589 if (ret <= 0) { 1590 filename = _PATH_UPAPFILE; 1591 addrs = NULL; 1592 f = fopen(filename, "r"); 1593 if (f == NULL) 1594 return 0; 1595 check_access(f, filename); 1596 1597 i = scan_authfile(f, "", our_name, secret, &addrs, &opts, filename, 0); 1598 ret = i >= 0 && secret[0] == 0; 1599 BZERO(secret, sizeof(secret)); 1600 fclose(f); 1601 } 1602 1603 if (ret) 1604 set_allowed_addrs(unit, addrs, opts); 1605 else if (opts != 0) 1606 free_wordlist(opts); 1607 if (addrs != 0) 1608 free_wordlist(addrs); 1609 1610 return ret; 1611 } 1612 1613 1614 /* 1615 * get_pap_passwd - get a password for authenticating ourselves with 1616 * our peer using PAP. Returns 1 on success, 0 if no suitable password 1617 * could be found. 1618 * Assumes passwd points to MAXSECRETLEN bytes of space (if non-null). 1619 */ 1620 static int 1621 get_pap_passwd(char *passwd) 1622 { 1623 char *filename; 1624 FILE *f; 1625 int ret; 1626 char secret[MAXWORDLEN]; 1627 1628 /* 1629 * Check whether a plugin wants to supply this. 1630 */ 1631 if (pap_passwd_hook) { 1632 ret = (*pap_passwd_hook)(user, passwd); 1633 if (ret >= 0) 1634 return ret; 1635 } 1636 1637 filename = _PATH_UPAPFILE; 1638 f = fopen(filename, "r"); 1639 if (f == NULL) 1640 return 0; 1641 check_access(f, filename); 1642 ret = scan_authfile(f, user, 1643 (remote_name[0]? remote_name: NULL), 1644 secret, NULL, NULL, filename, 0); 1645 fclose(f); 1646 if (ret < 0) 1647 return 0; 1648 if (passwd != NULL) 1649 strlcpy(passwd, secret, MAXSECRETLEN); 1650 BZERO(secret, sizeof(secret)); 1651 return 1; 1652 } 1653 1654 1655 /* 1656 * have_pap_secret - check whether we have a PAP file with any 1657 * secrets that we could possibly use for authenticating the peer. 1658 */ 1659 static int 1660 have_pap_secret(int *lacks_ipp) 1661 { 1662 FILE *f; 1663 int ret; 1664 char *filename; 1665 struct wordlist *addrs; 1666 1667 /* let the plugin decide, if there is one */ 1668 if (pap_check_hook) { 1669 ret = (*pap_check_hook)(); 1670 if (ret >= 0) 1671 return ret; 1672 } 1673 1674 filename = _PATH_UPAPFILE; 1675 f = fopen(filename, "r"); 1676 if (f == NULL) 1677 return 0; 1678 1679 ret = scan_authfile(f, (explicit_remote? remote_name: NULL), our_name, 1680 NULL, &addrs, NULL, filename, 0); 1681 fclose(f); 1682 if (ret >= 0 && !some_ip_ok(addrs)) { 1683 if (lacks_ipp != 0) 1684 *lacks_ipp = 1; 1685 ret = -1; 1686 } 1687 if (addrs != 0) 1688 free_wordlist(addrs); 1689 1690 return ret >= 0; 1691 } 1692 1693 1694 /* 1695 * have_chap_secret - check whether we have a CHAP file with a 1696 * secret that we could possibly use for authenticating `client' 1697 * on `server'. Either can be the null string, meaning we don't 1698 * know the identity yet. 1699 */ 1700 static int 1701 have_chap_secret(char *client, char *server, 1702 int need_ip, int *lacks_ipp) 1703 { 1704 FILE *f; 1705 int ret; 1706 char *filename; 1707 struct wordlist *addrs; 1708 1709 if (chap_check_hook) { 1710 ret = (*chap_check_hook)(); 1711 if (ret >= 0) { 1712 return ret; 1713 } 1714 } 1715 1716 filename = _PATH_CHAPFILE; 1717 f = fopen(filename, "r"); 1718 if (f == NULL) 1719 return 0; 1720 1721 if (client != NULL && client[0] == 0) 1722 client = NULL; 1723 else if (server != NULL && server[0] == 0) 1724 server = NULL; 1725 1726 ret = scan_authfile(f, client, server, NULL, &addrs, NULL, filename, 0); 1727 fclose(f); 1728 if (ret >= 0 && need_ip && !some_ip_ok(addrs)) { 1729 if (lacks_ipp != 0) 1730 *lacks_ipp = 1; 1731 ret = -1; 1732 } 1733 if (addrs != 0) 1734 free_wordlist(addrs); 1735 1736 return ret >= 0; 1737 } 1738 1739 1740 /* 1741 * have_srp_secret - check whether we have a SRP file with a 1742 * secret that we could possibly use for authenticating `client' 1743 * on `server'. Either can be the null string, meaning we don't 1744 * know the identity yet. 1745 */ 1746 static int 1747 have_srp_secret(char *client, char *server, int need_ip, int *lacks_ipp) 1748 { 1749 FILE *f; 1750 int ret; 1751 char *filename; 1752 struct wordlist *addrs; 1753 1754 filename = _PATH_SRPFILE; 1755 f = fopen(filename, "r"); 1756 if (f == NULL) 1757 return 0; 1758 1759 if (client != NULL && client[0] == 0) 1760 client = NULL; 1761 else if (server != NULL && server[0] == 0) 1762 server = NULL; 1763 1764 ret = scan_authfile(f, client, server, NULL, &addrs, NULL, filename, 0); 1765 fclose(f); 1766 if (ret >= 0 && need_ip && !some_ip_ok(addrs)) { 1767 if (lacks_ipp != 0) 1768 *lacks_ipp = 1; 1769 ret = -1; 1770 } 1771 if (addrs != 0) 1772 free_wordlist(addrs); 1773 1774 return ret >= 0; 1775 } 1776 1777 1778 /* 1779 * get_secret - open the CHAP secret file and return the secret 1780 * for authenticating the given client on the given server. 1781 * (We could be either client or server). 1782 */ 1783 int 1784 get_secret(int unit, char *client, char *server, 1785 char *secret, int *secret_len, int am_server) 1786 { 1787 FILE *f; 1788 int ret, len; 1789 char *filename; 1790 struct wordlist *addrs, *opts; 1791 char secbuf[MAXWORDLEN]; 1792 1793 if (!am_server && passwd[0] != 0) { 1794 strlcpy(secbuf, passwd, sizeof(secbuf)); 1795 } else if (!am_server && chap_passwd_hook) { 1796 if ( (*chap_passwd_hook)(client, secbuf) < 0) { 1797 error("Unable to obtain CHAP password for %s on %s from plugin", 1798 client, server); 1799 return 0; 1800 } 1801 } else { 1802 filename = _PATH_CHAPFILE; 1803 addrs = NULL; 1804 secbuf[0] = 0; 1805 1806 f = fopen(filename, "r"); 1807 if (f == NULL) { 1808 error("Can't open chap secret file %s: %m", filename); 1809 return 0; 1810 } 1811 check_access(f, filename); 1812 1813 ret = scan_authfile(f, client, server, secbuf, &addrs, &opts, filename, 0); 1814 fclose(f); 1815 if (ret < 0) 1816 return 0; 1817 1818 if (am_server) 1819 set_allowed_addrs(unit, addrs, opts); 1820 else if (opts != 0) 1821 free_wordlist(opts); 1822 if (addrs != 0) 1823 free_wordlist(addrs); 1824 } 1825 1826 len = strlen(secbuf); 1827 if (len > MAXSECRETLEN) { 1828 error("Secret for %s on %s is too long", client, server); 1829 len = MAXSECRETLEN; 1830 } 1831 BCOPY(secbuf, secret, len); 1832 BZERO(secbuf, sizeof(secbuf)); 1833 *secret_len = len; 1834 1835 return 1; 1836 } 1837 1838 1839 /* 1840 * get_srp_secret - open the SRP secret file and return the secret 1841 * for authenticating the given client on the given server. 1842 * (We could be either client or server). 1843 */ 1844 int 1845 get_srp_secret(int unit, char *client, char *server, 1846 char *secret, int am_server) 1847 { 1848 FILE *fp; 1849 int ret; 1850 char *filename; 1851 struct wordlist *addrs, *opts; 1852 1853 if (!am_server && passwd[0] != '\0') { 1854 strlcpy(secret, passwd, MAXWORDLEN); 1855 } else { 1856 filename = _PATH_SRPFILE; 1857 addrs = NULL; 1858 1859 fp = fopen(filename, "r"); 1860 if (fp == NULL) { 1861 error("Can't open srp secret file %s: %m", filename); 1862 return 0; 1863 } 1864 check_access(fp, filename); 1865 1866 secret[0] = '\0'; 1867 ret = scan_authfile(fp, client, server, secret, &addrs, &opts, 1868 filename, am_server); 1869 fclose(fp); 1870 if (ret < 0) 1871 return 0; 1872 1873 if (am_server) 1874 set_allowed_addrs(unit, addrs, opts); 1875 else if (opts != NULL) 1876 free_wordlist(opts); 1877 if (addrs != NULL) 1878 free_wordlist(addrs); 1879 } 1880 1881 return 1; 1882 } 1883 1884 /* 1885 * set_allowed_addrs() - set the list of allowed addresses. 1886 * Also looks for `--' indicating options to apply for this peer 1887 * and leaves the following words in extra_options. 1888 */ 1889 static void 1890 set_allowed_addrs(int unit, struct wordlist *addrs, 1891 struct wordlist *opts) 1892 { 1893 int n; 1894 struct wordlist *ap, **plink; 1895 struct permitted_ip *ip; 1896 char *ptr_word, *ptr_mask; 1897 struct hostent *hp; 1898 struct netent *np; 1899 u_int32_t a, mask, ah, offset; 1900 struct ipcp_options *wo = &ipcp_wantoptions[unit]; 1901 u_int32_t suggested_ip = 0; 1902 1903 if (addresses[unit] != NULL) 1904 free(addresses[unit]); 1905 addresses[unit] = NULL; 1906 if (extra_options != NULL) 1907 free_wordlist(extra_options); 1908 extra_options = opts; 1909 1910 /* 1911 * Count the number of IP addresses given. 1912 */ 1913 n = wordlist_count(addrs) + wordlist_count(noauth_addrs); 1914 if (n == 0) 1915 return; 1916 ip = (struct permitted_ip *) malloc((n + 1) * sizeof(struct permitted_ip)); 1917 if (ip == 0) 1918 return; 1919 1920 /* temporarily append the noauth_addrs list to addrs */ 1921 for (plink = &addrs; *plink != NULL; plink = &(*plink)->next) 1922 ; 1923 *plink = noauth_addrs; 1924 1925 n = 0; 1926 for (ap = addrs; ap != NULL; ap = ap->next) { 1927 /* "-" means no addresses authorized, "*" means any address allowed */ 1928 ptr_word = ap->word; 1929 if (strcmp(ptr_word, "-") == 0) 1930 break; 1931 if (strcmp(ptr_word, "*") == 0) { 1932 ip[n].permit = 1; 1933 ip[n].base = ip[n].mask = 0; 1934 ++n; 1935 break; 1936 } 1937 1938 ip[n].permit = 1; 1939 if (*ptr_word == '!') { 1940 ip[n].permit = 0; 1941 ++ptr_word; 1942 } 1943 1944 mask = ~ (u_int32_t) 0; 1945 offset = 0; 1946 ptr_mask = strchr (ptr_word, '/'); 1947 if (ptr_mask != NULL) { 1948 int bit_count; 1949 char *endp; 1950 1951 bit_count = (int) strtol (ptr_mask+1, &endp, 10); 1952 if (bit_count <= 0 || bit_count > 32) { 1953 warn("invalid address length %v in auth. address list", 1954 ptr_mask+1); 1955 continue; 1956 } 1957 bit_count = 32 - bit_count; /* # bits in host part */ 1958 if (*endp == '+') { 1959 offset = ifunit + 1; 1960 ++endp; 1961 } 1962 if (*endp != 0) { 1963 warn("invalid address length syntax: %v", ptr_mask+1); 1964 continue; 1965 } 1966 *ptr_mask = '\0'; 1967 mask <<= bit_count; 1968 } 1969 1970 hp = gethostbyname(ptr_word); 1971 if (hp != NULL && hp->h_addrtype == AF_INET) { 1972 a = *(u_int32_t *)hp->h_addr; 1973 } else { 1974 np = getnetbyname (ptr_word); 1975 if (np != NULL && np->n_addrtype == AF_INET) { 1976 a = htonl ((u_int32_t)np->n_net); 1977 if (ptr_mask == NULL) { 1978 /* calculate appropriate mask for net */ 1979 ah = ntohl(a); 1980 if (IN_CLASSA(ah)) 1981 mask = IN_CLASSA_NET; 1982 else if (IN_CLASSB(ah)) 1983 mask = IN_CLASSB_NET; 1984 else if (IN_CLASSC(ah)) 1985 mask = IN_CLASSC_NET; 1986 } 1987 } else { 1988 a = inet_addr (ptr_word); 1989 } 1990 } 1991 1992 if (ptr_mask != NULL) 1993 *ptr_mask = '/'; 1994 1995 if (a == (u_int32_t)-1L) { 1996 warn("unknown host %s in auth. address list", ap->word); 1997 continue; 1998 } 1999 if (offset != 0) { 2000 if (offset >= ~mask) { 2001 warn("interface unit %d too large for subnet %v", 2002 ifunit, ptr_word); 2003 continue; 2004 } 2005 a = htonl((ntohl(a) & mask) + offset); 2006 mask = ~(u_int32_t)0; 2007 } 2008 ip[n].mask = htonl(mask); 2009 ip[n].base = a & ip[n].mask; 2010 ++n; 2011 if (~mask == 0 && suggested_ip == 0) 2012 suggested_ip = a; 2013 } 2014 *plink = NULL; 2015 2016 ip[n].permit = 0; /* make the last entry forbid all addresses */ 2017 ip[n].base = 0; /* to terminate the list */ 2018 ip[n].mask = 0; 2019 2020 addresses[unit] = ip; 2021 2022 /* 2023 * If the address given for the peer isn't authorized, or if 2024 * the user hasn't given one, AND there is an authorized address 2025 * which is a single host, then use that if we find one. 2026 */ 2027 if (suggested_ip != 0 2028 && (wo->hisaddr == 0 || !auth_ip_addr(unit, wo->hisaddr))) { 2029 wo->hisaddr = suggested_ip; 2030 /* 2031 * Do we insist on this address? No, if there are other 2032 * addresses authorized than the suggested one. 2033 */ 2034 if (n > 1) 2035 wo->accept_remote = 1; 2036 } 2037 } 2038 2039 /* 2040 * auth_ip_addr - check whether the peer is authorized to use 2041 * a given IP address. Returns 1 if authorized, 0 otherwise. 2042 */ 2043 int 2044 auth_ip_addr(int unit, u_int32_t addr) 2045 { 2046 int ok; 2047 2048 /* don't allow loopback or multicast address */ 2049 if (bad_ip_adrs(addr)) 2050 return 0; 2051 2052 if (allowed_address_hook) { 2053 ok = allowed_address_hook(addr); 2054 if (ok >= 0) return ok; 2055 } 2056 2057 if (addresses[unit] != NULL) { 2058 ok = ip_addr_check(addr, addresses[unit]); 2059 if (ok >= 0) 2060 return ok; 2061 } 2062 2063 if (auth_required) 2064 return 0; /* no addresses authorized */ 2065 return allow_any_ip || privileged || !have_route_to(addr); 2066 } 2067 2068 static int 2069 ip_addr_check(u_int32_t addr, struct permitted_ip *addrs) 2070 { 2071 for (; ; ++addrs) 2072 if ((addr & addrs->mask) == addrs->base) 2073 return addrs->permit; 2074 } 2075 2076 /* 2077 * bad_ip_adrs - return 1 if the IP address is one we don't want 2078 * to use, such as an address in the loopback net or a multicast address. 2079 * addr is in network byte order. 2080 */ 2081 int 2082 bad_ip_adrs(u_int32_t addr) 2083 { 2084 addr = ntohl(addr); 2085 return (addr >> IN_CLASSA_NSHIFT) == IN_LOOPBACKNET 2086 || IN_MULTICAST(addr) || IN_BADCLASS(addr); 2087 } 2088 2089 /* 2090 * some_ip_ok - check a wordlist to see if it authorizes any 2091 * IP address(es). 2092 */ 2093 static int 2094 some_ip_ok(struct wordlist *addrs) 2095 { 2096 for (; addrs != 0; addrs = addrs->next) { 2097 if (addrs->word[0] == '-') 2098 break; 2099 if (addrs->word[0] != '!') 2100 return 1; /* some IP address is allowed */ 2101 } 2102 return 0; 2103 } 2104 2105 /* 2106 * auth_number - check whether the remote number is allowed to connect. 2107 * Returns 1 if authorized, 0 otherwise. 2108 */ 2109 int 2110 auth_number(void) 2111 { 2112 struct wordlist *wp = permitted_numbers; 2113 int l; 2114 2115 /* Allow all if no authorization list. */ 2116 if (!wp) 2117 return 1; 2118 2119 /* Allow if we have a match in the authorization list. */ 2120 while (wp) { 2121 /* trailing '*' wildcard */ 2122 l = strlen(wp->word); 2123 if ((wp->word)[l - 1] == '*') 2124 l--; 2125 if (!strncasecmp(wp->word, remote_number, l)) 2126 return 1; 2127 wp = wp->next; 2128 } 2129 2130 return 0; 2131 } 2132 2133 /* 2134 * check_access - complain if a secret file has too-liberal permissions. 2135 */ 2136 static void 2137 check_access(FILE *f, char *filename) 2138 { 2139 struct stat sbuf; 2140 2141 if (fstat(fileno(f), &sbuf) < 0) { 2142 warn("cannot stat secret file %s: %m", filename); 2143 } else if ((sbuf.st_mode & (S_IRWXG | S_IRWXO)) != 0) { 2144 warn("Warning - secret file %s has world and/or group access", 2145 filename); 2146 } 2147 } 2148 2149 2150 /* 2151 * scan_authfile - Scan an authorization file for a secret suitable 2152 * for authenticating `client' on `server'. The return value is -1 2153 * if no secret is found, otherwise >= 0. The return value has 2154 * NONWILD_CLIENT set if the secret didn't have "*" for the client, and 2155 * NONWILD_SERVER set if the secret didn't have "*" for the server. 2156 * Any following words on the line up to a "--" (i.e. address authorization 2157 * info) are placed in a wordlist and returned in *addrs. Any 2158 * following words (extra options) are placed in a wordlist and 2159 * returned in *opts. 2160 * We assume secret is NULL or points to MAXWORDLEN bytes of space. 2161 * Flags are non-zero if we need two colons in the secret in order to 2162 * match. 2163 */ 2164 static int 2165 scan_authfile(FILE *f, char *client, char *server, 2166 char *secret, struct wordlist **addrs, 2167 struct wordlist **opts, char *filename, 2168 int flags) 2169 { 2170 int newline, xxx; 2171 int got_flag, best_flag; 2172 FILE *sf; 2173 struct wordlist *ap, *addr_list, *alist, **app; 2174 char word[MAXWORDLEN]; 2175 char atfile[MAXWORDLEN]; 2176 char lsecret[MAXWORDLEN]; 2177 char *cp; 2178 2179 if (addrs != NULL) 2180 *addrs = NULL; 2181 if (opts != NULL) 2182 *opts = NULL; 2183 addr_list = NULL; 2184 if (!getword(f, word, &newline, filename)) 2185 return -1; /* file is empty??? */ 2186 newline = 1; 2187 best_flag = -1; 2188 for (;;) { 2189 /* 2190 * Skip until we find a word at the start of a line. 2191 */ 2192 while (!newline && getword(f, word, &newline, filename)) 2193 ; 2194 if (!newline) 2195 break; /* got to end of file */ 2196 2197 /* 2198 * Got a client - check if it's a match or a wildcard. 2199 */ 2200 got_flag = 0; 2201 if (client != NULL && strcmp(word, client) != 0 && !ISWILD(word)) { 2202 newline = 0; 2203 continue; 2204 } 2205 if (!ISWILD(word)) 2206 got_flag = NONWILD_CLIENT; 2207 2208 /* 2209 * Now get a server and check if it matches. 2210 */ 2211 if (!getword(f, word, &newline, filename)) 2212 break; 2213 if (newline) 2214 continue; 2215 if (!ISWILD(word)) { 2216 if (server != NULL && strcmp(word, server) != 0) 2217 continue; 2218 got_flag |= NONWILD_SERVER; 2219 } 2220 2221 /* 2222 * Got some sort of a match - see if it's better than what 2223 * we have already. 2224 */ 2225 if (got_flag <= best_flag) 2226 continue; 2227 2228 /* 2229 * Get the secret. 2230 */ 2231 if (!getword(f, word, &newline, filename)) 2232 break; 2233 if (newline) 2234 continue; 2235 2236 /* 2237 * SRP-SHA1 authenticator should never be reading secrets from 2238 * a file. (Authenticatee may, though.) 2239 */ 2240 if (flags && ((cp = strchr(word, ':')) == NULL || 2241 strchr(cp + 1, ':') == NULL)) 2242 continue; 2243 2244 if (secret != NULL) { 2245 /* 2246 * Special syntax: @/pathname means read secret from file. 2247 */ 2248 if (word[0] == '@' && word[1] == '/') { 2249 strlcpy(atfile, word+1, sizeof(atfile)); 2250 if ((sf = fopen(atfile, "r")) == NULL) { 2251 warn("can't open indirect secret file %s", atfile); 2252 continue; 2253 } 2254 check_access(sf, atfile); 2255 if (!getword(sf, word, &xxx, atfile)) { 2256 warn("no secret in indirect secret file %s", atfile); 2257 fclose(sf); 2258 continue; 2259 } 2260 fclose(sf); 2261 } 2262 strlcpy(lsecret, word, sizeof(lsecret)); 2263 } 2264 2265 /* 2266 * Now read address authorization info and make a wordlist. 2267 */ 2268 app = &alist; 2269 for (;;) { 2270 size_t len; 2271 if (!getword(f, word, &newline, filename) || newline) 2272 break; 2273 len = strlen(word) + 1; 2274 ap = (struct wordlist *)malloc(sizeof(struct wordlist) + len); 2275 if (ap == NULL) 2276 novm("authorized addresses"); 2277 ap->word = (char *) (ap + 1); 2278 memcpy(ap->word, word, len); 2279 *app = ap; 2280 app = &ap->next; 2281 } 2282 *app = NULL; 2283 2284 /* 2285 * This is the best so far; remember it. 2286 */ 2287 best_flag = got_flag; 2288 if (addr_list) 2289 free_wordlist(addr_list); 2290 addr_list = alist; 2291 if (secret != NULL) 2292 strlcpy(secret, lsecret, MAXWORDLEN); 2293 2294 if (!newline) 2295 break; 2296 } 2297 2298 /* scan for a -- word indicating the start of options */ 2299 for (app = &addr_list; (ap = *app) != NULL; app = &ap->next) 2300 if (strcmp(ap->word, "--") == 0) 2301 break; 2302 /* ap = start of options */ 2303 if (ap != NULL) { 2304 ap = ap->next; /* first option */ 2305 free(*app); /* free the "--" word */ 2306 *app = NULL; /* terminate addr list */ 2307 } 2308 if (opts != NULL) 2309 *opts = ap; 2310 else if (ap != NULL) 2311 free_wordlist(ap); 2312 if (addrs != NULL) 2313 *addrs = addr_list; 2314 else if (addr_list != NULL) 2315 free_wordlist(addr_list); 2316 2317 return best_flag; 2318 } 2319 2320 /* 2321 * wordlist_count - return the number of items in a wordlist 2322 */ 2323 static int 2324 wordlist_count(struct wordlist *wp) 2325 { 2326 int n; 2327 2328 for (n = 0; wp != NULL; wp = wp->next) 2329 ++n; 2330 return n; 2331 } 2332 2333 /* 2334 * free_wordlist - release memory allocated for a wordlist. 2335 */ 2336 static void 2337 free_wordlist(struct wordlist *wp) 2338 { 2339 struct wordlist *next; 2340 2341 while (wp != NULL) { 2342 next = wp->next; 2343 free(wp); 2344 wp = next; 2345 } 2346 } 2347 2348 /* 2349 * auth_script_done - called when the auth-up or auth-down script 2350 * has finished. 2351 */ 2352 static void 2353 auth_script_done(void *arg) 2354 { 2355 auth_script_pid = 0; 2356 switch (auth_script_state) { 2357 case s_up: 2358 if (auth_state == s_down) { 2359 auth_script_state = s_down; 2360 auth_script(_PATH_AUTHDOWN); 2361 } 2362 break; 2363 case s_down: 2364 if (auth_state == s_up) { 2365 auth_script_state = s_up; 2366 auth_script(_PATH_AUTHUP); 2367 } 2368 break; 2369 } 2370 } 2371 2372 /* 2373 * auth_script - execute a script with arguments 2374 * interface-name peer-name real-user tty speed 2375 */ 2376 static void 2377 auth_script(char *script) 2378 { 2379 char strspeed[32]; 2380 struct passwd *pw; 2381 char struid[32]; 2382 char *user_name; 2383 char *argv[8]; 2384 2385 if ((pw = getpwuid(getuid())) != NULL && pw->pw_name != NULL) 2386 user_name = pw->pw_name; 2387 else { 2388 slprintf(struid, sizeof(struid), "%d", getuid()); 2389 user_name = struid; 2390 } 2391 slprintf(strspeed, sizeof(strspeed), "%d", baud_rate); 2392 2393 argv[0] = script; 2394 argv[1] = ifname; 2395 argv[2] = peer_authname; 2396 argv[3] = user_name; 2397 argv[4] = devnam; 2398 argv[5] = strspeed; 2399 argv[6] = NULL; 2400 2401 auth_script_pid = run_program(script, argv, 0, auth_script_done, NULL, 0); 2402 } 2403 2404 2405 #ifdef USE_EAPTLS 2406 static int 2407 have_eaptls_secret_server(char *client, char *server, 2408 int need_ip, int *lacks_ipp) 2409 { 2410 FILE *f; 2411 int ret; 2412 char *filename; 2413 struct wordlist *addrs; 2414 char servcertfile[MAXWORDLEN]; 2415 char clicertfile[MAXWORDLEN]; 2416 char cacertfile[MAXWORDLEN]; 2417 char pkfile[MAXWORDLEN]; 2418 2419 filename = _PATH_EAPTLSSERVFILE; 2420 f = fopen(filename, "r"); 2421 if (f == NULL) 2422 return 0; 2423 2424 if (client != NULL && client[0] == 0) 2425 client = NULL; 2426 else if (server != NULL && server[0] == 0) 2427 server = NULL; 2428 2429 ret = 2430 scan_authfile_eaptls(f, client, server, clicertfile, servcertfile, 2431 cacertfile, pkfile, &addrs, NULL, filename, 2432 0); 2433 2434 fclose(f); 2435 2436 /* 2437 if (ret >= 0 && !eaptls_init_ssl(1, cacertfile, servcertfile, 2438 clicertfile, pkfile)) 2439 ret = -1; 2440 */ 2441 2442 if (ret >= 0 && need_ip && !some_ip_ok(addrs)) { 2443 if (lacks_ipp != 0) 2444 *lacks_ipp = 1; 2445 ret = -1; 2446 } 2447 if (addrs != 0) 2448 free_wordlist(addrs); 2449 2450 return ret >= 0; 2451 } 2452 2453 2454 static int 2455 have_eaptls_secret_client(char *client, char *server) 2456 { 2457 FILE *f; 2458 int ret; 2459 char *filename; 2460 struct wordlist *addrs = NULL; 2461 char servcertfile[MAXWORDLEN]; 2462 char clicertfile[MAXWORDLEN]; 2463 char cacertfile[MAXWORDLEN]; 2464 char pkfile[MAXWORDLEN]; 2465 2466 if (client != NULL && client[0] == 0) 2467 client = NULL; 2468 else if (server != NULL && server[0] == 0) 2469 server = NULL; 2470 2471 if ((cacert_file || ca_path) && cert_file && privkey_file) 2472 return 1; 2473 2474 filename = _PATH_EAPTLSCLIFILE; 2475 f = fopen(filename, "r"); 2476 if (f == NULL) 2477 return 0; 2478 2479 ret = 2480 scan_authfile_eaptls(f, client, server, clicertfile, servcertfile, 2481 cacertfile, pkfile, &addrs, NULL, filename, 2482 0); 2483 fclose(f); 2484 2485 /* 2486 if (ret >= 0 && !eaptls_init_ssl(0, cacertfile, clicertfile, 2487 servcertfile, pkfile)) 2488 ret = -1; 2489 */ 2490 2491 if (addrs != 0) 2492 free_wordlist(addrs); 2493 2494 return ret >= 0; 2495 } 2496 2497 2498 static int 2499 scan_authfile_eaptls(FILE *f, char *client, char *server, 2500 char *cli_cert, char *serv_cert, char *ca_cert, 2501 char *pk, struct wordlist **addrs, 2502 struct wordlist **opts, 2503 char *filename, int flags) 2504 { 2505 int newline; 2506 int got_flag, best_flag; 2507 struct wordlist *ap, *addr_list, *alist, **app; 2508 char word[MAXWORDLEN]; 2509 2510 if (addrs != NULL) 2511 *addrs = NULL; 2512 if (opts != NULL) 2513 *opts = NULL; 2514 addr_list = NULL; 2515 if (!getword(f, word, &newline, filename)) 2516 return -1; /* file is empty??? */ 2517 newline = 1; 2518 best_flag = -1; 2519 for (;;) { 2520 /* 2521 * Skip until we find a word at the start of a line. 2522 */ 2523 while (!newline && getword(f, word, &newline, filename)); 2524 if (!newline) 2525 break; /* got to end of file */ 2526 2527 /* 2528 * Got a client - check if it's a match or a wildcard. 2529 */ 2530 got_flag = 0; 2531 if (client != NULL && strcmp(word, client) != 0 && !ISWILD(word)) { 2532 newline = 0; 2533 continue; 2534 } 2535 if (!ISWILD(word)) 2536 got_flag = NONWILD_CLIENT; 2537 2538 /* 2539 * Now get a server and check if it matches. 2540 */ 2541 if (!getword(f, word, &newline, filename)) 2542 break; 2543 if (newline) 2544 continue; 2545 if (!ISWILD(word)) { 2546 if (server != NULL && strcmp(word, server) != 0) 2547 continue; 2548 got_flag |= NONWILD_SERVER; 2549 } 2550 2551 /* 2552 * Got some sort of a match - see if it's better than what 2553 * we have already. 2554 */ 2555 if (got_flag <= best_flag) 2556 continue; 2557 2558 /* 2559 * Get the cli_cert 2560 */ 2561 if (!getword(f, word, &newline, filename)) 2562 break; 2563 if (newline) 2564 continue; 2565 if (strcmp(word, "-") != 0) { 2566 strlcpy(cli_cert, word, MAXWORDLEN); 2567 } else 2568 cli_cert[0] = 0; 2569 2570 /* 2571 * Get serv_cert 2572 */ 2573 if (!getword(f, word, &newline, filename)) 2574 break; 2575 if (newline) 2576 continue; 2577 if (strcmp(word, "-") != 0) { 2578 strlcpy(serv_cert, word, MAXWORDLEN); 2579 } else 2580 serv_cert[0] = 0; 2581 2582 /* 2583 * Get ca_cert 2584 */ 2585 if (!getword(f, word, &newline, filename)) 2586 break; 2587 if (newline) 2588 continue; 2589 strlcpy(ca_cert, word, MAXWORDLEN); 2590 2591 /* 2592 * Get pk 2593 */ 2594 if (!getword(f, word, &newline, filename)) 2595 break; 2596 if (newline) 2597 continue; 2598 strlcpy(pk, word, MAXWORDLEN); 2599 2600 2601 /* 2602 * Now read address authorization info and make a wordlist. 2603 */ 2604 app = &alist; 2605 for (;;) { 2606 if (!getword(f, word, &newline, filename) || newline) 2607 break; 2608 ap = (struct wordlist *) 2609 malloc(sizeof(struct wordlist) + strlen(word) + 1); 2610 if (ap == NULL) 2611 novm("authorized addresses"); 2612 ap->word = (char *) (ap + 1); 2613 strcpy(ap->word, word); 2614 *app = ap; 2615 app = &ap->next; 2616 } 2617 *app = NULL; 2618 /* 2619 * This is the best so far; remember it. 2620 */ 2621 best_flag = got_flag; 2622 if (addr_list) 2623 free_wordlist(addr_list); 2624 addr_list = alist; 2625 2626 if (!newline) 2627 break; 2628 } 2629 2630 /* scan for a -- word indicating the start of options */ 2631 for (app = &addr_list; (ap = *app) != NULL; app = &ap->next) 2632 if (strcmp(ap->word, "--") == 0) 2633 break; 2634 /* ap = start of options */ 2635 if (ap != NULL) { 2636 ap = ap->next; /* first option */ 2637 free(*app); /* free the "--" word */ 2638 *app = NULL; /* terminate addr list */ 2639 } 2640 if (opts != NULL) 2641 *opts = ap; 2642 else if (ap != NULL) 2643 free_wordlist(ap); 2644 if (addrs != NULL) 2645 *addrs = addr_list; 2646 else if (addr_list != NULL) 2647 free_wordlist(addr_list); 2648 2649 return best_flag; 2650 } 2651 2652 2653 int 2654 get_eaptls_secret(int unit, char *client, char *server, 2655 char *clicertfile, char *servcertfile, char *cacertfile, 2656 char *capath, char *pkfile, int am_server) 2657 { 2658 FILE *fp; 2659 int ret; 2660 char *filename = NULL; 2661 struct wordlist *addrs = NULL; 2662 struct wordlist *opts = NULL; 2663 2664 /* maybe overkill, but it eases debugging */ 2665 bzero(clicertfile, MAXWORDLEN); 2666 bzero(servcertfile, MAXWORDLEN); 2667 bzero(cacertfile, MAXWORDLEN); 2668 bzero(capath, MAXWORDLEN); 2669 bzero(pkfile, MAXWORDLEN); 2670 2671 /* the ca+cert+privkey can also be specified as options */ 2672 if (!am_server && (cacert_file || ca_path) && cert_file && privkey_file ) 2673 { 2674 strlcpy( clicertfile, cert_file, MAXWORDLEN ); 2675 if (cacert_file) 2676 strlcpy( cacertfile, cacert_file, MAXWORDLEN ); 2677 if (ca_path) 2678 strlcpy( capath, ca_path, MAXWORDLEN ); 2679 strlcpy( pkfile, privkey_file, MAXWORDLEN ); 2680 } 2681 else 2682 { 2683 filename = (am_server ? _PATH_EAPTLSSERVFILE : _PATH_EAPTLSCLIFILE); 2684 addrs = NULL; 2685 2686 fp = fopen(filename, "r"); 2687 if (fp == NULL) 2688 { 2689 error("Can't open eap-tls secret file %s: %m", filename); 2690 return 0; 2691 } 2692 2693 check_access(fp, filename); 2694 2695 ret = scan_authfile_eaptls(fp, client, server, clicertfile, servcertfile, 2696 cacertfile, pkfile, &addrs, &opts, filename, 0); 2697 2698 fclose(fp); 2699 2700 if (ret < 0) return 0; 2701 } 2702 2703 if (eaptls_passwd_hook) 2704 { 2705 dbglog( "Calling eaptls password hook" ); 2706 if ( (*eaptls_passwd_hook)(pkfile, passwd) < 0) 2707 { 2708 error("Unable to obtain EAP-TLS password for %s (%s) from plugin", 2709 client, pkfile); 2710 return 0; 2711 } 2712 } 2713 if (am_server) 2714 set_allowed_addrs(unit, addrs, opts); 2715 else if (opts != NULL) 2716 free_wordlist(opts); 2717 if (addrs != NULL) 2718 free_wordlist(addrs); 2719 2720 return 1; 2721 } 2722 #endif 2723