예제 #1
/*
 * null_login - Decide whether a peer that presents an empty username and
 * an empty password may be let in.
 *
 * The PAP secrets file (_PATH_UPAPFILE) is scanned for client "" on server
 * our_name.  The null login is accepted only when all of these hold:
 *   - scan_authfile() returns a non-negative value,
 *   - that value has NONWILD_CLIENT set (a wildcard client entry is
 *     deliberately not enough to enable unauthenticated access),
 *   - the secret returned for the entry is the empty string.
 * On acceptance the address list from the entry is handed to
 * set_allowed_addrs(); otherwise it is released with free_wordlist().
 *
 * Returns 1 if the null login is acceptable, 0 otherwise (including when
 * the secrets file cannot be opened).
 */
static int
null_login(int unit)
{
    char secret[MAXWORDLEN];
    struct wordlist *addrs = NULL;
    char *filename = _PATH_UPAPFILE;
    FILE *f;
    int match, accepted;

    f = fopen(filename, "r");
    if (f == NULL)
        return 0;

    /*
     * NOTE(review): check_access() is called without using a result; what it
     * does about a secrets file with loose permissions is not visible
     * here - confirm it at least logs the condition.
     */
    check_access(f, filename);

    match = scan_authfile(f, "", our_name, (u_int32_t)0, secret, &addrs, filename);

    accepted = 0;
    if (match >= 0 && (match & NONWILD_CLIENT) != 0 && secret[0] == 0)
        accepted = 1;

    /*
     * Do not leave the scanned secret on the stack.
     * NOTE(review): if BZERO expands to a plain memset/bzero, a compiler
     * may drop a wipe of a local that is never read again - confirm.
     */
    BZERO(secret, sizeof(secret));

    if (accepted)
        set_allowed_addrs(unit, addrs);
    else
        free_wordlist(addrs);

    fclose(f);
    return accepted;
}
예제 #2
파일: auth.c 프로젝트: 10code/lwip
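/*
 * get_secret - return the secret for authenticating the given client on
 * the given server.  (We could be either client or server.)
 *
 * In this build (#if 1) no secrets file is opened: the only identity known
 * is the one held in ppp_settings.  When client is non-empty and equal to
 * ppp_settings.user, ppp_settings.passwd is copied into secret and its
 * length is stored in *secret_len.  unit and save_addrs are ignored, and
 * server appears only in the diagnostic message.
 *
 * The copy is capped at MAXSECRETLEN bytes and is given exactly len bytes,
 * so no terminator is written (assuming BCOPY is a plain byte copy);
 * callers must rely on *secret_len.  The function takes no size for secret,
 * so the caller has to supply a buffer of at least MAXSECRETLEN bytes.
 *
 * Returns 1 when a secret was stored, 0 when client is NULL, empty, or
 * different from ppp_settings.user.
 *
 * The #else branch is the disabled skeleton of the file-based lookup and is
 * not compiled.
 */
int
get_secret(int unit, char *client, char *server, char *secret, int *secret_len, int save_addrs)
{
#if 1
  int len;

  LWIP_UNUSED_ARG(unit);
  /* server is referenced only by AUTHDEBUG below, which presumably can
   * compile to nothing, hence the explicit unused marker. */
  LWIP_UNUSED_ARG(server);
  LWIP_UNUSED_ARG(save_addrs);

  /* Only the configured user has a secret; anything else is "not found". */
  if(!client || !client[0] || strcmp(client, ppp_settings.user)) {
    return 0;
  }

  len = (int)strlen(ppp_settings.passwd);
  if (len > MAXSECRETLEN) {
    /* The secret is truncated, not rejected: the call still returns 1. */
    AUTHDEBUG(LOG_ERR, ("Secret for %s on %s is too long\n", client, server));
    len = MAXSECRETLEN;
  }

  BCOPY(ppp_settings.passwd, secret, len);
  *secret_len = len;

  return 1;
#else
  int ret = 0, len;
  struct wordlist *addrs;
  char secbuf[MAXWORDLEN];
  
  addrs = NULL;
  secbuf[0] = 0;

  /* XXX Find secret. */
  if (ret < 0) {
    return 0;
  }

  if (save_addrs) {
    set_allowed_addrs(unit, addrs);
  }

  len = strlen(secbuf);
  if (len > MAXSECRETLEN) {
    AUTHDEBUG(LOG_ERR, ("Secret for %s on %s is too long\n", client, server));
    len = MAXSECRETLEN;
  }

  BCOPY(secbuf, secret, len);
  BZERO(secbuf, sizeof(secbuf));
  *secret_len = len;

  return 1;
#endif
}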
예제 #3
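/*
 * get_secret - open the CHAP secret file and return the secret
 * for authenticating the given client on the given server.
 * (We could be either client or server).
 *
 * The secret found by scan_authfile() in _PATH_CHAPFILE is copied into
 * secret (at most MAXSECRETLEN bytes, without a terminator) and its length
 * stored in *secret_len.  No size is passed for secret, so the caller must
 * supply at least MAXSECRETLEN bytes.  When save_addrs is non-zero the
 * address list of the matching entry is passed to set_allowed_addrs().
 *
 * Returns 1 on success, 0 if the file cannot be opened or no entry matches.
 */
int
get_secret(int unit, char *client, char *server, char *secret, int *secret_len,
           int save_addrs)
{
    FILE *f;
    int ret, len;
    char *filename;
    struct wordlist *addrs;
    char secbuf[MAXWORDLEN];

    filename = _PATH_CHAPFILE;
    addrs = NULL;
    secbuf[0] = 0;

    f = fopen(filename, "r");
    if (f == NULL) {
        syslog(LOG_ERR, "Can't open chap secret file %s: %m", filename);
        return 0;
    }
    check_access(f, filename);

    ret = scan_authfile(f, client, server, (u_int32_t)0,
                        secbuf, &addrs, filename);
    fclose(f);
    if (ret < 0) {
        /*
         * Failure path: do not leave whatever the scan wrote in secbuf on
         * the stack, and release any list it may have handed back.
         */
        BZERO(secbuf, sizeof(secbuf));
        if (addrs != NULL)
            free_wordlist(addrs);
        return 0;
    }

    /*
     * The list is either passed on or released here; previously it was
     * dropped without being freed when save_addrs was zero.
     * NOTE(review): assumes set_allowed_addrs() takes ownership of the
     * list - confirm against its definition.
     */
    if (save_addrs)
        set_allowed_addrs(unit, addrs);
    else if (addrs != NULL)
        free_wordlist(addrs);

    len = strlen(secbuf);
    if (len > MAXSECRETLEN) {
        /* The secret is truncated, not rejected: the call still returns 1. */
        syslog(LOG_ERR, "Secret for %s on %s is too long", client, server);
        len = MAXSECRETLEN;
    }
    BCOPY(secbuf, secret, len);
    /* Wipe the local copy once the caller's buffer holds the secret. */
    BZERO(secbuf, sizeof(secbuf));
    *secret_len = len;

    return 1;
}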
예제 #4
/*
 * get_secret - look up the CHAP secret for authenticating the given
 * client on the given server.  (We could be either client or server.)
 *
 * In this port the lookup is compiled out: with "#if 1" in effect the
 * function ignores every argument, writes nothing to secret or
 * *secret_len, and returns 0, the value the disabled branch uses for
 * "no secret found".  No secret file is opened.
 *
 * The #else branch is the unfinished skeleton of the real lookup and is
 * not compiled.
 */
int get_secret(int unit, char *client, char *server, char *secret,
               int *secret_len, int save_addrs)
{
#if 1
    /* No secret store is wired in: always report that nothing was found. */
    return 0;
#else
    struct wordlist *addrs = NULL;
    char secbuf[MAXWORDLEN];
    int ret = 0;
    int len;

    secbuf[0] = 0;

    /* XXX Find secret. */
    if (ret < 0) {
        return 0;
    }

    if (save_addrs) {
        set_allowed_addrs(unit, addrs);
    }

    len = strlen(secbuf);
    if (len > MAXSECRETLEN) {
        ppp_trace(LOG_ERR, "Secret for %s on %s is too long\n", client, server);
        len = MAXSECRETLEN;
    }
    BCOPY(secbuf, secret, len);
    /* Wipe the local copy of the secret before returning. */
    BZERO(secbuf, sizeof(secbuf));
    *secret_len = len;

    return 1;
#endif
}
예제 #5
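/*
 * check_passwd - Check the user name and passwd presented in a PAP
 * request.
 *
 * returns:
 *  UPAP_AUTHNAK: Authentication failed.
 *  UPAP_AUTHACK: Authentication succeeded.
 *
 * In this build (#if 1) nothing is checked: auser and apasswd are never
 * read and the function returns UPAP_AUTHACK for every request.  Any peer
 * that reaches this function is therefore treated as authenticated;
 * credential validation has to be implemented here before this code is
 * used to authenticate peers.  *msg is set to a null pointer and *msglen
 * to 0, so no message accompanies the reply.
 *
 * The #else branch is the disabled skeleton of the real check and is not
 * compiled.
 */
int
check_passwd( int unit, char *auser, int userlen, char *apasswd, int passwdlen, char **msg, int *msglen)
{
#if 1
  LWIP_UNUSED_ARG(unit);
  LWIP_UNUSED_ARG(auser);
  LWIP_UNUSED_ARG(userlen);
  LWIP_UNUSED_ARG(apasswd);
  LWIP_UNUSED_ARG(passwdlen);
  *msg = (char *) 0;
  /* Give the caller a defined length to go with the null message instead
   * of leaving the out-parameter unwritten. */
  *msglen = 0;
  return UPAP_AUTHACK;     /* XXX Assume all entries OK. */
#else
  int ret = 0;
  struct wordlist *addrs = NULL;
  char passwd[256], user[256];
  char secret[MAXWORDLEN];
  static u_short attempts = 0;

  /*
   * Make copies of apasswd and auser, then null-terminate them.
   *
   * NOTE(review): passwdlen and userlen are used unchecked as copy lengths
   * and as indexes into 256-byte buffers; clamp them to sizeof - 1 before
   * this branch is ever enabled.
   */
  BCOPY(apasswd, passwd, passwdlen);
  passwd[passwdlen] = '\0';
  BCOPY(auser, user, userlen);
  user[userlen] = '\0';
  *msg = (char *) 0;

  /* XXX Validate user name and password. */
  ret = UPAP_AUTHACK;     /* XXX Assume all entries OK. */

  if (ret == UPAP_AUTHNAK) {
    if (*msg == (char *) 0) {
      *msg = "Login incorrect";
    }
    *msglen = strlen(*msg);
    /*
     * Frustrate passwd stealer programs.
     * Allow 10 tries, but start backing off after 3 (stolen from login).
     * On 10'th, drop the connection.
     */
    if (attempts++ >= 10) {
      AUTHDEBUG((LOG_WARNING, "%d LOGIN FAILURES BY %s\n", attempts, user));
      /*ppp_panic("Excess Bad Logins");*/
    }
    if (attempts > 3) {
      sys_msleep((attempts - 3) * 5);
    }
    if (addrs != NULL) {
      free_wordlist(addrs);
    }
  } else {
    attempts = 0; /* Reset count */
    if (*msg == (char *) 0) {
      *msg = "Login ok";
    }
    *msglen = strlen(*msg);
    set_allowed_addrs(unit, addrs);
  }

  BZERO(passwd, sizeof(passwd));
  BZERO(secret, sizeof(secret));

  return ret;
#endif
}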
예제 #6
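/*
 * check_passwd - Check the user name and passwd against the PAP secrets
 * file.  If requested, also check against the system password database,
 * and login the user if OK.
 *
 * auser/apasswd are length-counted, not terminated; at most 255 bytes of
 * each are copied into local buffers.  The secrets file (_PATH_UPAPFILE)
 * is scanned for the user on server our_name; a non-empty secret must
 * equal the password either literally (unless cryptpap is set) or after
 * crypt().  If uselogin is set and the result so far is an ACK, plogin()
 * has the final say.
 *
 * returns:
 *      UPAP_AUTHNAK: Authentication failed.
 *      UPAP_AUTHACK: Authentication succeeded.
 * In either case, msg points to an appropriate message and *msglen holds
 * its length.
 *
 * Side effects: on success the entry's address list is passed to
 * set_allowed_addrs().  On failure a process-wide failure counter is
 * incremented, the call may sleep to slow down guessing, and quit() is
 * called once the counter had already reached 10.
 */
int
check_passwd(int unit, char *auser, int userlen, char *apasswd, int passwdlen,
             char **msg, int *msglen)
{
    int ret;
    char *filename;
    FILE *f;
    struct wordlist *addrs;
    u_int32_t remote;
    ipcp_options *ipwo = &ipcp_wantoptions[unit];
    char passwd[256], user[256];
    char secret[MAXWORDLEN];
    static int attempts = 0;    /* shared by all units and users */
    int len;
    char *hashed;

    /*
     * Make copies of apasswd and auser, then null-terminate them.
     * The lengths are clamped so an oversized field cannot overrun the
     * local buffers.
     */
    len = MIN(passwdlen, sizeof(passwd) - 1);
    BCOPY(apasswd, passwd, len);
    passwd[len] = '\0';
    len = MIN(userlen, sizeof(user) - 1);
    BCOPY(auser, user, len);
    user[len] = '\0';
    *msg = NULL;

    /*
     * Open the file of pap secrets and scan for a suitable secret
     * for authenticating this user.
     */
    filename = _PATH_UPAPFILE;
    addrs = NULL;
    ret = UPAP_AUTHACK;
    f = fopen(filename, "r");
    if (f == NULL) {
        syslog(LOG_ERR, "Can't open PAP password file %s: %m", filename);
        ret = UPAP_AUTHNAK;

    } else {
        check_access(f, filename);
        /* Restrict the scan to the peer's address unless any is accepted. */
        remote = ipwo->accept_remote? 0: ipwo->hisaddr;
        if (scan_authfile(f, user, our_name, remote,
                          secret, &addrs, filename) < 0) {
            warn("no PAP secret found for %s", user);
            /*
             * Fail closed: with no entry and no system login check to
             * follow, leaving ret at UPAP_AUTHACK would accept a name
             * that was never checked against anything.
             * NOTE(review): with uselogin set the decision is still left
             * to plogin(), as before - confirm whether users without a
             * pap-secrets entry should be admitted at all.
             */
            if (!uselogin)
                ret = UPAP_AUTHNAK;
        } else if (secret[0] != 0) {
            /* password given in pap-secrets - must match */
            /* NOTE(review): strcmp() is not a constant-time comparison. */
            if (cryptpap || strcmp(passwd, secret) != 0) {
                /* crypt() can return NULL; treat that as a mismatch
                 * rather than passing it to strcmp(). */
                hashed = crypt(passwd, secret);
                if (hashed == NULL || strcmp(hashed, secret) != 0) {
                    ret = UPAP_AUTHNAK;
                    warn("PAP authentication failure for %s", user);
                }
            }
        }
        fclose(f);
    }

    if (uselogin && ret == UPAP_AUTHACK) {
        ret = plogin(user, passwd, msg, msglen);
        if (ret == UPAP_AUTHNAK) {
            syslog(LOG_WARNING, "PAP login failure for %s", user);
        }
    }

    if (ret == UPAP_AUTHNAK) {
        if (*msg == NULL)
            *msg = "Login incorrect";
        *msglen = strlen(*msg);
        /*
         * Frustrate passwd stealer programs.
         * Allow 10 tries, but start backing off after 3 (stolen from login).
         * On 10'th, drop the connection.
         */
        if (attempts++ >= 10) {
            syslog(LOG_WARNING, "%d LOGIN FAILURES ON %s, %s",
                   attempts, devnam, user);
            quit();
        }
        if (attempts > 3)
            sleep((u_int) (attempts - 3) * 5);
        /* The list is not handed on after a failure, so release it. */
        if (addrs != NULL)
            free_wordlist(addrs);

    } else {
        attempts = 0;                   /* Reset count */
        if (*msg == NULL)
            *msg = "Login ok";
        *msglen = strlen(*msg);
        set_allowed_addrs(unit, addrs);
    }

    /*
     * Wipe the cleartext password and the stored secret.
     * NOTE(review): if BZERO expands to a plain memset/bzero, a compiler
     * may drop a wipe of locals that are never read again - confirm.
     */
    BZERO(passwd, sizeof(passwd));
    BZERO(secret, sizeof(secret));

    return ret;
}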