/****************************************************************************** auth.c - Network Authentication and Phase Control program file.** Copyright (c) 2003 by Marc Boucher, Services Informatiques (MBSI) inc.* Copyright (c) 1997 by Global Election Systems Inc.  All rights reserved.** The authors hereby grant permission to use, copy, modify, distribute,* and license this software and its documentation for any purpose, provided* that existing copyright notices are retained in all copies and that this* notice and the following disclaimer are included verbatim in any * distributions. No written agreement, license, or royalty fee is required* for any of the authorized uses.** THIS SOFTWARE IS PROVIDED BY THE CONTRIBUTORS *AS IS* AND ANY EXPRESS OR* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. * IN NO EVENT SHALL THE CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.******************************************************************************** REVISION HISTORY** 03-01-01 Marc Boucher <marc@mbsi.ca>*   Ported to lwIP.* 97-12-08 Guy Lancaster <lancasterg@acm.org>, Global Election Systems Inc.*   Ported from public pppd code.*****************************************************************************//* * auth.c - PPP authentication and phase control. * * Copyright (c) 1993 The Australian National University. * All rights reserved. * * Redistribution and use in source and binary forms are permitted * provided that the above copyright notice and this paragraph are * duplicated in all such forms and that any documentation, * advertising materials, and other materials related to such * distribution and use acknowledge that the software was developed * by the Australian National University.  The name of the University * may not be used to endorse or promote products derived from this * software without specific prior written permission. * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. * * Copyright (c) 1989 Carnegie Mellon University. * All rights reserved. * * Redistribution and use in source and binary forms are permitted * provided that the above copyright notice and this paragraph are * duplicated in all such forms and that any documentation, * advertising materials, and other materials related to such * distribution and use acknowledge that the software was developed * by Carnegie Mellon University.  The name of the * University may not be used to endorse or promote products derived * from this software without specific prior written permission. * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. */#include "ppp.h"#if PPP_SUPPORT > 0#include "fsm.h"#include "lcp.h"#include "pap.h"#include "chap.h"#include "auth.h"#include "ipcp.h"#if CBCP_SUPPORT > 0#include "cbcp.h"#endif#include "pppdebug.h"/*************************//*** LOCAL DEFINITIONS ***//*************************//* Bits in auth_pending[] */#define PAP_WITHPEER    1#define PAP_PEER    2#define CHAP_WITHPEER   4#define CHAP_PEER   8                                                                    /************************//*** LOCAL DATA TYPES ***//************************//* Used for storing a sequence of words.  Usually malloced. */struct wordlist {    struct wordlist *next;    char        word[1];};/***********************************//*** LOCAL FUNCTION DECLARATIONS ***//***********************************/extern char *crypt (const char *, const char *);/* Prototypes for procedures local to this file. */static void network_phase (int);static void check_idle (void *);static void connect_time_expired (void *);#if 0static int  login (char *, char *, char **, int *);#endifstatic void logout (void);static int  null_login (int);static int  get_pap_passwd (int, char *, char *);static int  have_pap_secret (void);static int  have_chap_secret (char *, char *, u32_t);static int  ip_addr_check (u32_t, struct wordlist *);#if 0 /* PAP_SUPPORT > 0 || CHAP_SUPPORT > 0 */static void set_allowed_addrs(int unit, struct wordlist *addrs);static void free_wordlist (struct wordlist *);#endif#if CBCP_SUPPORT > 0static void callback_phase (int);#endif/******************************//*** PUBLIC DATA STRUCTURES ***//******************************//*****************************//*** LOCAL DATA STRUCTURES ***//*****************************/#if PAP_SUPPORT > 0 || CHAP_SUPPORT > 0/* The name by which the peer authenticated itself to us. */static char peer_authname[MAXNAMELEN];#endif/* Records which authentication operations haven't completed yet. */static int auth_pending[NUM_PPP];/* Set if we have successfully called login() */static int logged_in;/* Set if we have run the /etc/ppp/auth-up script. */static int did_authup;/* List of addresses which the peer may use. */static struct wordlist *addresses[NUM_PPP];/* Number of network protocols which we have opened. */static int num_np_open;/* Number of network protocols which have come up. */static int num_np_up;#if PAP_SUPPORT > 0 || CHAP_SUPPORT > 0/* Set if we got the contents of passwd[] from the pap-secrets file. */static int passwd_from_file;#endif/***********************************//*** PUBLIC FUNCTION DEFINITIONS ***//***********************************//* * An Open on LCP has requested a change from Dead to Establish phase. * Do what's necessary to bring the physical layer up. */void link_required(int unit){    AUTHDEBUG((LOG_INFO, "link_required: %d\n", unit));}/* * LCP has terminated the link; go to the Dead phase and take the * physical layer down. */void link_terminated(int unit){    AUTHDEBUG((LOG_INFO, "link_terminated: %d\n", unit));        if (lcp_phase[unit] == PHASE_DEAD)        return;    if (logged_in)        logout();    lcp_phase[unit] = PHASE_DEAD;    AUTHDEBUG((LOG_NOTICE, "Connection terminated.\n"));	pppMainWakeup(unit);}/* * LCP has gone down; it will either die or try to re-establish. */void link_down(int unit){    int i;    struct protent *protp;        AUTHDEBUG((LOG_INFO, "link_down: %d\n", unit));    if (did_authup) {        /* XXX Do link down processing. */        did_authup = 0;    }    for (i = 0; (protp = ppp_protocols[i]) != NULL; ++i) {        if (!protp->enabled_flag)            continue;        if (protp->protocol != PPP_LCP && protp->lowerdown != NULL)            (*protp->lowerdown)(unit);        if (protp->protocol < 0xC000 && protp->close != NULL)            (*protp->close)(unit, "LCP down");    }    num_np_open = 0;    num_np_up = 0;    if (lcp_phase[unit] != PHASE_DEAD)        lcp_phase[unit] = PHASE_TERMINATE;	pppMainWakeup(unit);}/* * The link is established. * Proceed to the Dead, Authenticate or Network phase as appropriate. */void link_established(int unit){    int auth;    int i;    struct protent *protp;    lcp_options *wo = &lcp_wantoptions[unit];    lcp_options *go = &lcp_gotoptions[unit];#if PAP_SUPPORT > 0 || CHAP_SUPPORT > 0    lcp_options *ho = &lcp_hisoptions[unit];#endif        AUTHDEBUG((LOG_INFO, "link_established: %d\n", unit));    /*     * Tell higher-level protocols that LCP is up.     */    for (i = 0; (protp = ppp_protocols[i]) != NULL; ++i)        if (protp->protocol != PPP_LCP && protp->enabled_flag                && protp->lowerup != NULL)            (*protp->lowerup)(unit);        if (ppp_settings.auth_required && !(go->neg_chap || go->neg_upap)) {        /*         * We wanted the peer to authenticate itself, and it refused:         * treat it as though it authenticated with PAP using a username         * of "" and a password of "".  If that's not OK, boot it out.         */        if (!wo->neg_upap || !null_login(unit)) {            AUTHDEBUG((LOG_WARNING, "peer refused to authenticate\n"));            lcp_close(unit, "peer refused to authenticate");            return;        }    }        lcp_phase[unit] = PHASE_AUTHENTICATE;    auth = 0;#if CHAP_SUPPORT > 0    if (go->neg_chap) {        ChapAuthPeer(unit, ppp_settings.our_name, go->chap_mdtype);        auth |= CHAP_PEER;    } #endif#if PAP_SUPPORT > 0 && CHAP_SUPPORT > 0    else#endif#if PAP_SUPPORT > 0    if (go->neg_upap) {        upap_authpeer(unit);        auth |= PAP_PEER;    }#endif#if CHAP_SUPPORT > 0    if (ho->neg_chap) {        ChapAuthWithPeer(unit, ppp_settings.user, ho->chap_mdtype);        auth |= CHAP_WITHPEER;    }#endif#if PAP_SUPPORT > 0 && CHAP_SUPPORT > 0    else#endif#if PAP_SUPPORT > 0    if (ho->neg_upap) {        if (ppp_settings.passwd[0] == 0) {            passwd_from_file = 1;            if (!get_pap_passwd(unit, ppp_settings.user, ppp_settings.passwd))                AUTHDEBUG((LOG_ERR, "No secret found for PAP login\n"));        }        upap_authwithpeer(unit, ppp_settings.user, ppp_settings.passwd);        auth |= PAP_WITHPEER;    }#endif    auth_pending[unit] = auth;        if (!auth)        network_phase(unit);}/* * The peer has failed to authenticate himself using `protocol'. */void auth_peer_fail(int unit, u16_t protocol){    AUTHDEBUG((LOG_INFO, "auth_peer_fail: %d proto=%X\n", unit, protocol));    /*     * Authentication failure: take the link down     */    lcp_close(unit, "Authentication failed");}#if PAP_SUPPORT > 0 || CHAP_SUPPORT > 0/* * The peer has been successfully authenticated using `protocol'. */void auth_peer_success(int unit, u16_t protocol, char *name, int namelen){    int pbit;        AUTHDEBUG((LOG_INFO, "auth_peer_success: %d proto=%X\n", unit, protocol));    switch (protocol) {    case PPP_CHAP:        pbit = CHAP_PEER;        break;    case PPP_PAP:        pbit = PAP_PEER;        break;    default:        AUTHDEBUG((LOG_WARNING, "auth_peer_success: unknown protocol %x\n",               protocol));        return;    }        /*     * Save the authenticated name of the peer for later.     */    if (namelen > sizeof(peer_authname) - 1)        namelen = sizeof(peer_authname) - 1;    BCOPY(name, peer_authname, namelen);    peer_authname[namelen] = 0;        /*     * If there is no more authentication still to be done,     * proceed to the network (or callback) phase.     */    if ((auth_pending[unit] &= ~pbit) == 0)        network_phase(unit);}/* * We have failed to authenticate ourselves to the peer using `protocol'. */void auth_withpeer_fail(int unit, u16_t protocol){    int errCode = PPPERR_AUTHFAIL;        AUTHDEBUG((LOG_INFO, "auth_withpeer_fail: %d proto=%X\n", unit, protocol));    if (passwd_from_file)        BZERO(ppp_settings.passwd, MAXSECRETLEN);    /*      * XXX Warning: the unit number indicates the interface which is     * not necessarily the PPP connection.  It works here as long     * as we are only supporting PPP interfaces.     */    pppIOCtl(unit, PPPCTLS_ERRCODE, &errCode);    /*     * We've failed to authenticate ourselves to our peer.     * He'll probably take the link down, and there's not much     * we can do except wait for that.     */}/* * We have successfully authenticated ourselves with the peer using `protocol'. */void auth_withpeer_success(int unit, u16_t protocol){    int pbit;        AUTHDEBUG((LOG_INFO, "auth_withpeer_success: %d proto=%X\n", unit, protocol));    switch (protocol) {    case PPP_CHAP:        pbit = CHAP_WITHPEER;        break;    case PPP_PAP:        if (passwd_from_file)            BZERO(ppp_settings.passwd, MAXSECRETLEN);        pbit = PAP_WITHPEER;        break;    default:        AUTHDEBUG((LOG_WARNING, "auth_peer_success: unknown protocol %x\n",               protocol));        pbit = 0;    }        /*     * If there is no more authentication still being done,     * proceed to the network (or callback) phase.     */    if ((auth_pending[unit] &= ~pbit) == 0)        network_phase(unit);}#endif/* * np_up - a network protocol has come up. */void np_up(int unit, u16_t proto){    AUTHDEBUG((LOG_INFO, "np_up: %d proto=%X\n", unit, proto));    if (num_np_up == 0) {	AUTHDEBUG((LOG_INFO, "np_up: maxconnect=%d idle_time_limit=%d\n",ppp_settings.maxconnect,ppp_settings.idle_time_limit));        /*         * At this point we consider that the link has come up successfully.         */        if (ppp_settings.idle_time_limit > 0)            TIMEOUT(check_idle, NULL, ppp_settings.idle_time_limit);                /*         * Set a timeout to close the connection once the maximum         * connect time has expired.         */        if (ppp_settings.maxconnect > 0)            TIMEOUT(connect_time_expired, 0, ppp_settings.maxconnect);    }    ++num_np_up;}/* * np_down - a network protocol has gone down. */void np_down(int unit, u16_t proto){    AUTHDEBUG((LOG_INFO, "np_down: %d proto=%X\n", unit, proto));    if (--num_np_up == 0 && ppp_settings.idle_time_limit > 0) {        UNTIMEOUT(check_idle, NULL);    }}/* * np_finished - a network protocol has finished using the link. */void np_finished(int unit, u16_t proto){    AUTHDEBUG((LOG_INFO, "np_finished: %d proto=%X\n", unit, proto));    if (--num_np_open <= 0) {        /* no further use for the link: shut up shop. */        lcp_close(0, "No network protocols running");    }}