2 * upap.c - User/Password Authentication Protocol.
4 * Copyright (c) 1989 Carnegie Mellon University.
7 * Redistribution and use in source and binary forms are permitted
8 * provided that the above copyright notice and this paragraph are
9 * duplicated in all such forms and that any documentation,
10 * advertising materials, and other materials related to such
11 * distribution and use acknowledge that the software was developed
12 * by Carnegie Mellon University. The name of the
13 * University may not be used to endorse or promote products derived
14 * from this software without specific prior written permission.
15 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
16 * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
17 * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
20 #define RCSID "$Id: upap.c,v 1.2 2006/05/31 09:34:26 andylin Exp $"
33 extern char user_1n1[];
39 static const char rcsid[] = RCSID;
41 static bool hide_password = 1;
43 extern int authfailcount;
46 * Command-line options.
48 static option_t pap_option_list[] = {
49 { "hide-password", o_bool, &hide_password,
50 "Don't output passwords to log", OPT_PRIO | 1 },
51 { "show-password", o_bool, &hide_password,
52 "Show password string in debug log messages", OPT_PRIOSUB | 0 },
54 { "pap-restart", o_int, &upap[0].us_timeouttime,
55 "Set retransmit timeout for PAP", OPT_PRIO },
56 { "pap-max-authreq", o_int, &upap[0].us_maxtransmits,
57 "Set max number of transmissions for auth-reqs", OPT_PRIO },
58 { "pap-timeout", o_int, &upap[0].us_reqtimeout,
59 "Set time limit for peer PAP authentication", OPT_PRIO },
65 * Protocol entry points.
67 static void upap_init __P((int));
68 static void upap_lowerup __P((int));
69 static void upap_lowerdown __P((int));
70 static void upap_input __P((int, u_char *, int));
71 static void upap_protrej __P((int));
72 static int upap_printpkt __P((u_char *, int,
73 void (*) __P((void *, char *, ...)), void *));
75 struct protent pap_protent = {
95 upap_state upap[NUM_PPP]; /* UPAP state; one for each unit */
97 static void upap_timeout __P((void *));
98 static void upap_reqtimeout __P((void *));
99 static void upap_rauthreq __P((upap_state *, u_char *, int, int));
100 static void upap_rauthack __P((upap_state *, u_char *, int, int));
101 static void upap_rauthnak __P((upap_state *, u_char *, int, int));
102 static void upap_sauthreq __P((upap_state *));
103 static void upap_sresp __P((upap_state *, int, int, char *, int));
107 * upap_init - Initialize a UPAP unit.
113 upap_state *u = &upap[unit];
120 u->us_clientstate = UPAPCS_INITIAL;
121 u->us_serverstate = UPAPSS_INITIAL;
123 u->us_maxtransmits = 3;
124 u->us_timeouttime = UPAP_DEFTIMEOUT;
125 //u->us_maxtransmits = 10;
126 u->us_reqtimeout = UPAP_DEFREQTIME;
127 #if defined(ODM_LANG_LLL)
130 //u->us_retries = UAPA_AUTH_RETRIES;
139 * upap_authwithpeer - Authenticate us with our peer (start client).
141 * Set new state and send authenticate's.
143 void upap_authwithpeer(unit, user, password)
145 char *user, *password;
147 upap_state *u = &upap[unit];
149 /* Save the username and password we're given */
150 u->us_passwd = password;
151 u->us_passwdlen = strlen(password);
153 #if defined(ONE_AND_ONE)
154 if(isp_1n1 && is1n1) {
156 u->us_user = user_1n1;
157 u->us_userlen = strlen(user_1n1);
161 u->us_userlen = strlen(user);
166 u->us_userlen = strlen(user);
170 u->us_userlen = strlen(user);
173 /* Lower layer up yet? */
174 if (u->us_clientstate == UPAPCS_INITIAL || u->us_clientstate == UPAPCS_PENDING) {
175 u->us_clientstate = UPAPCS_PENDING;
179 upap_sauthreq(u); /* Start protocol */
184 * upap_authpeer - Authenticate our peer (start server).
192 upap_state *u = &upap[unit];
194 /* Lower layer up yet? */
195 if (u->us_serverstate == UPAPSS_INITIAL || u->us_serverstate == UPAPSS_PENDING) {
196 u->us_serverstate = UPAPSS_PENDING;
200 u->us_serverstate = UPAPSS_LISTEN;
201 if (u->us_reqtimeout > 0)
202 TIMEOUT(upap_reqtimeout, u, u->us_reqtimeout);
207 * upap_timeout - Retransmission timer for sending auth-reqs expired.
213 upap_state *u = (upap_state *) arg;
215 if (u->us_clientstate != UPAPCS_AUTHREQ)
218 if (u->us_transmits >= u->us_maxtransmits) {
219 /* give up in disgust */
220 error("No response to PAP authenticate-requests");
221 u->us_clientstate = UPAPCS_BADAUTH;
223 auth_withpeer_fail(u->us_unit, PPP_PAP);
226 upap_sauthreq(u); /* Send Authenticate-Request */
231 * upap_reqtimeout - Give up waiting for the peer to send an auth-req.
237 upap_state *u = (upap_state *) arg;
239 if (u->us_serverstate != UPAPSS_LISTEN)
242 auth_peer_fail(u->us_unit, PPP_PAP);
243 u->us_serverstate = UPAPSS_BADAUTH;
248 * upap_lowerup - The lower layer is up.
250 * Start authenticating if pending.
256 upap_state *u = &upap[unit];
258 if (u->us_clientstate == UPAPCS_INITIAL)
259 u->us_clientstate = UPAPCS_CLOSED;
260 else if (u->us_clientstate == UPAPCS_PENDING) {
261 upap_sauthreq(u); /* send an auth-request */
264 if (u->us_serverstate == UPAPSS_INITIAL) {
265 u->us_serverstate = UPAPSS_CLOSED;
266 } else if (u->us_serverstate == UPAPSS_PENDING) {
267 u->us_serverstate = UPAPSS_LISTEN;
268 if (u->us_reqtimeout > 0)
269 TIMEOUT(upap_reqtimeout, u, u->us_reqtimeout);
275 * upap_lowerdown - The lower layer is down.
277 * Cancel all timeouts.
283 upap_state *u = &upap[unit];
285 if (u->us_clientstate == UPAPCS_AUTHREQ) /* Timeout pending? */
286 UNTIMEOUT(upap_timeout, u); /* Cancel timeout */
287 if (u->us_serverstate == UPAPSS_LISTEN && u->us_reqtimeout > 0)
288 UNTIMEOUT(upap_reqtimeout, u);
290 u->us_clientstate = UPAPCS_INITIAL;
291 u->us_serverstate = UPAPSS_INITIAL;
296 * upap_protrej - Peer doesn't speak this protocol.
298 * This shouldn't happen. In any case, pretend lower layer went down.
304 upap_state *u = &upap[unit];
306 if (u->us_clientstate == UPAPCS_AUTHREQ) {
307 error("PAP authentication failed due to protocol-reject");
310 auth_withpeer_fail(unit, PPP_PAP);
312 if (u->us_serverstate == UPAPSS_LISTEN) {
313 error("PAP authentication of peer failed (protocol-reject)");
316 auth_peer_fail(unit, PPP_PAP);
318 upap_lowerdown(unit);
323 * upap_input - Input UPAP packet.
326 upap_input(unit, inpacket, l)
331 upap_state *u = &upap[unit];
337 * Parse header (code, id and length).
338 * If packet too short, drop it.
341 if (l < UPAP_HEADERLEN) {
342 UPAPDEBUG(("pap_input: rcvd short header."));
348 if (len < UPAP_HEADERLEN) {
349 UPAPDEBUG(("pap_input: rcvd illegal length."));
353 UPAPDEBUG(("pap_input: rcvd short packet."));
356 len -= UPAP_HEADERLEN;
359 * Action depends on code.
363 upap_rauthreq(u, inp, id, len);
367 upap_rauthack(u, inp, id, len);
371 upap_rauthnak(u, inp, id, len);
374 default: /* XXX Need code reject */
381 * upap_rauth - Receive Authenticate.
384 upap_rauthreq(u, inp, id, len)
390 u_char ruserlen, rpasswdlen;
391 char *ruser, *rpasswd;
396 if (u->us_serverstate < UPAPSS_LISTEN)
400 * If we receive a duplicate authenticate-request, we are
401 * supposed to return the same status as for the first request.
403 if (u->us_serverstate == UPAPSS_OPEN) {
404 upap_sresp(u, UPAP_AUTHACK, id, "", 0); /* return auth-ack */
407 if (u->us_serverstate == UPAPSS_BADAUTH) {
408 upap_sresp(u, UPAP_AUTHNAK, id, "", 0); /* return auth-nak */
416 UPAPDEBUG(("pap_rauth: rcvd short packet."));
419 GETCHAR(ruserlen, inp);
420 len -= sizeof (u_char) + ruserlen + sizeof (u_char);
422 UPAPDEBUG(("pap_rauth: rcvd short packet."));
425 ruser = (char *) inp;
426 INCPTR(ruserlen, inp);
427 GETCHAR(rpasswdlen, inp);
428 if (len < rpasswdlen) {
429 UPAPDEBUG(("pap_rauth: rcvd short packet."));
432 rpasswd = (char *) inp;
435 * Check the username and password given.
437 retcode = check_passwd(u->us_unit, ruser, ruserlen, rpasswd, rpasswdlen, &msg);
438 BZERO(rpasswd, rpasswdlen);
439 msglen = strlen(msg);
443 upap_sresp(u, retcode, id, msg, msglen);
445 if (retcode == UPAP_AUTHACK) {
446 u->us_serverstate = UPAPSS_OPEN;
447 auth_peer_success(u->us_unit, PPP_PAP, ruser, ruserlen);
449 u->us_serverstate = UPAPSS_BADAUTH;
450 auth_peer_fail(u->us_unit, PPP_PAP);
453 if (u->us_reqtimeout > 0)
454 UNTIMEOUT(upap_reqtimeout, u);
459 * upap_rauthack - Receive Authenticate-Ack.
462 upap_rauthack(u, inp, id, len)
471 if (u->us_clientstate != UPAPCS_AUTHREQ) /* XXX */
478 UPAPDEBUG(("pap_rauthack: ignoring missing msg-length."));
480 GETCHAR(msglen, inp);
482 len -= sizeof (u_char);
484 UPAPDEBUG(("pap_rauthack: rcvd short packet."));
488 PRINTMSG(msg, msglen);
492 u->us_clientstate = UPAPCS_OPEN;
493 #if defined(ODM_LANG_LLL)
497 //u->us_retries = UAPA_AUTH_RETRIES;
502 auth_withpeer_success(u->us_unit, PPP_PAP);
507 * upap_rauthnak - Receive Authenticate-Nakk.
510 upap_rauthnak(u, inp, id, len)
519 if (u->us_clientstate != UPAPCS_AUTHREQ) /* XXX */
526 UPAPDEBUG(("pap_rauthnak: ignoring missing msg-length."));
528 GETCHAR(msglen, inp);
530 len -= sizeof (u_char);
532 UPAPDEBUG(("pap_rauthnak: rcvd short packet."));
533 printf("pap_rauthnak: rcvd short packet.\n");
537 PRINTMSG(msg, msglen);
541 u->us_clientstate = UPAPCS_BADAUTH;
544 error("PAP authentication failed");
545 auth_withpeer_fail(u->us_unit, PPP_PAP);
549 * upap_sauthreq - Send an Authenticate-Request.
558 outlen = UPAP_HEADERLEN + 2 * sizeof (u_char) + u->us_userlen + u->us_passwdlen;
559 outp = outpacket_buf;
561 MAKEHEADER(outp, PPP_PAP);
563 PUTCHAR(UPAP_AUTHREQ, outp);
564 PUTCHAR(++u->us_id, outp);
565 PUTSHORT(outlen, outp);
566 PUTCHAR(u->us_userlen, outp);
567 BCOPY(u->us_user, outp, u->us_userlen);
568 INCPTR(u->us_userlen, outp);
569 PUTCHAR(u->us_passwdlen, outp);
570 BCOPY(u->us_passwd, outp, u->us_passwdlen);
572 output(u->us_unit, outpacket_buf, outlen + PPP_HDRLEN);
574 TIMEOUT(upap_timeout, u, u->us_timeouttime);
576 u->us_clientstate = UPAPCS_AUTHREQ;
581 * upap_sresp - Send a response (ack or nak).
584 upap_sresp(u, code, id, msg, msglen)
593 outlen = UPAP_HEADERLEN + sizeof (u_char) + msglen;
594 outp = outpacket_buf;
595 MAKEHEADER(outp, PPP_PAP);
599 PUTSHORT(outlen, outp);
600 PUTCHAR(msglen, outp);
601 BCOPY(msg, outp, msglen);
602 output(u->us_unit, outpacket_buf, outlen + PPP_HDRLEN);
606 * upap_printpkt - print the contents of a PAP packet.
608 static char *upap_codenames[] = {
609 "AuthReq", "AuthAck", "AuthNak"
613 upap_printpkt(p, plen, printer, arg)
616 void (*printer) __P((void *, char *, ...));
620 int mlen, ulen, wlen;
621 char *user, *pwd, *msg;
624 if (plen < UPAP_HEADERLEN)
630 if (len < UPAP_HEADERLEN || len > plen)
633 if (code >= 1 && code <= sizeof(upap_codenames) / sizeof(char *))
634 printer(arg, " %s", upap_codenames[code-1]);
636 printer(arg, " code=0x%x", code);
637 printer(arg, " id=0x%x", id);
638 len -= UPAP_HEADERLEN;
647 if (len < ulen + wlen + 2)
649 user = (char *) (p + 1);
650 pwd = (char *) (p + ulen + 2);
651 p += ulen + wlen + 2;
652 len -= ulen + wlen + 2;
653 printer(arg, " user=");
654 print_string(user, ulen, printer, arg);
655 printer(arg, " password=");
657 print_string(pwd, wlen, printer, arg);
659 printer(arg, "<hidden>");
668 msg = (char *) (p + 1);
672 print_string(msg, mlen, printer, arg);
676 /* print the rest of the bytes in the packet */
677 for (; len > 0; --len) {
679 printer(arg, " %.2x", code);