/*
 * null_login - Decide whether a peer that presents an empty user name ("")
 * and an empty password may log in.
 *
 * The PAP secrets file must contain an entry that names the empty client
 * explicitly (a wildcard client entry is not accepted) and whose secret is
 * itself empty.  If the file cannot be opened the answer is "no".
 *
 * On acceptance the address list from the matching entry is handed to
 * set_allowed_addrs() for `unit` and 1 is returned; otherwise the list is
 * released and 0 is returned.
 */
static int
null_login(int unit)
{
    char secret[MAXWORDLEN];
    struct wordlist *addr_list = NULL;
    char *path = _PATH_UPAPFILE;
    FILE *fp;
    int flags;
    int accepted = 0;

    fp = fopen(path, "r");
    if (fp == NULL) {
        return 0;
    }
    check_access(fp, path);

    /* secret[] is only inspected when the scan reports a match (flags >= 0). */
    flags = scan_authfile(fp, "", our_name, (u_int32_t)0, secret, &addr_list, path);
    if (flags >= 0 && (flags & NONWILD_CLIENT) != 0 && secret[0] == 0) {
        accepted = 1;
    }

    /* The secret is not needed past this point; wipe the stack copy. */
    BZERO(secret, sizeof(secret));

    if (accepted) {
        set_allowed_addrs(unit, addr_list);
    } else {
        free_wordlist(addr_list);
    }

    fclose(fp);
    return accepted;
}
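/*
 * get_secret - return the CHAP secret for authenticating the given client
 * on the given server.  (We could be either client or server.)
 *
 * In the active (#if 1) build no secrets file is read: the only client
 * that is recognised is ppp_settings.user, and its secret is
 * ppp_settings.passwd.
 *
 *   unit, server, save_addrs  not used for the lookup in the active build
 *   client      peer name; NULL, "" or any name other than
 *               ppp_settings.user is rejected
 *   secret      output buffer; receives at most MAXSECRETLEN bytes and is
 *               NOT NUL-terminated by this function
 *   secret_len  receives the number of bytes stored in `secret`
 *
 * Returns 1 when a secret was stored, 0 when the client is not recognised.
 */
int
get_secret(int unit, char *client, char *server, char *secret, int *secret_len, int save_addrs)
{
#if 1
  int len;

  LWIP_UNUSED_ARG(unit);
  LWIP_UNUSED_ARG(server);
  LWIP_UNUSED_ARG(save_addrs);

  if (!client || !client[0] || strcmp(client, ppp_settings.user)) {
    return 0;
  }

  /* strlen() relies on ppp_settings.passwd being NUL-terminated. */
  len = (int)strlen(ppp_settings.passwd);
  if (len > MAXSECRETLEN) {
    /*
     * An over-long secret is truncated rather than rejected, so the call
     * still reports success with a shortened secret.
     */
    AUTHDEBUG(LOG_ERR, ("Secret for %s on %s is too long\n", client, server));
    len = MAXSECRETLEN;
  }

  /* NOTE(review): assumes the caller's buffer holds MAXSECRETLEN bytes - confirm. */
  BCOPY(ppp_settings.passwd, secret, len);
  *secret_len = len;

  return 1;
#else
  int ret = 0, len;
  struct wordlist *addrs;
  char secbuf[MAXWORDLEN];

  addrs = NULL;
  secbuf[0] = 0;

  /* XXX Find secret. */
  if (ret < 0) {
    return 0;
  }

  if (save_addrs) {
    set_allowed_addrs(unit, addrs);
  }

  len = strlen(secbuf);
  if (len > MAXSECRETLEN) {
    AUTHDEBUG(LOG_ERR, ("Secret for %s on %s is too long\n", client, server));
    len = MAXSECRETLEN;
  }

  BCOPY(secbuf, secret, len);
  /* Wipe the local copy of the secret before returning. */
  BZERO(secbuf, sizeof(secbuf));
  *secret_len = len;

  return 1;
#endif
}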
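/*
 * get_secret - open the CHAP secret file and return the secret
 * for authenticating the given client on the given server.
 * (We could be either client or server).
 *
 *   unit        interface unit whose allowed-address list is updated when
 *               save_addrs is non-zero
 *   client      client name to look up
 *   server      server name to look up
 *   secret      output buffer; receives at most MAXSECRETLEN bytes and is
 *               NOT NUL-terminated by this function
 *   secret_len  receives the number of bytes stored in `secret`
 *   save_addrs  non-zero: hand the entry's address list to
 *               set_allowed_addrs(); zero: release it
 *
 * Returns 1 when a secret was found and stored, 0 when the file could not
 * be opened or no entry matched.
 */
int
get_secret(int unit, char *client, char *server, char *secret, int *secret_len, int save_addrs)
{
    FILE *f;
    int ret, len;
    char *filename;
    struct wordlist *addrs;
    char secbuf[MAXWORDLEN];

    filename = _PATH_CHAPFILE;
    addrs = NULL;
    secbuf[0] = 0;

    f = fopen(filename, "r");
    if (f == NULL) {
        syslog(LOG_ERR, "Can't open chap secret file %s: %m", filename);
        return 0;
    }
    check_access(f, filename);

    ret = scan_authfile(f, client, server, (u_int32_t)0, secbuf, &addrs, filename);
    fclose(f);

    if (ret < 0) {
        /*
         * No usable entry.  Release whatever the scan may have left behind
         * and do not leave secret material on the stack.
         */
        if (addrs != NULL) {
            free_wordlist(addrs);
        }
        BZERO(secbuf, sizeof(secbuf));
        return 0;
    }

    if (save_addrs) {
        /* presumably set_allowed_addrs() takes ownership of the list - verify */
        set_allowed_addrs(unit, addrs);
    } else if (addrs != NULL) {
        /* The list is not being kept, so it must be freed here or it leaks. */
        free_wordlist(addrs);
    }

    len = (int)strlen(secbuf);
    if (len > MAXSECRETLEN) {
        /*
         * An over-long secret is truncated rather than rejected, so the
         * call still reports success with a shortened secret.
         */
        syslog(LOG_ERR, "Secret for %s on %s is too long", client, server);
        len = MAXSECRETLEN;
    }

    BCOPY(secbuf, secret, len);
    /* Wipe the local copy of the secret before returning. */
    BZERO(secbuf, sizeof(secbuf));
    *secret_len = len;

    return 1;
}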
/*
 * get_secret - look up the CHAP secret used to authenticate `client` on
 * `server` (this end may be playing either role).
 *
 * The lookup is compiled out in this build: the active (#if 1) branch
 * returns 0 ("no secret") for every request and writes nothing to
 * `secret` or `secret_len`.
 *
 * The disabled branch is the skeleton of a real lookup: it would copy at
 * most MAXSECRETLEN bytes into `secret`, store the count in `secret_len`,
 * optionally install the allowed-address list for `unit`, and return 1.
 */
int get_secret(
    int unit,
    char *client,
    char *server,
    char *secret,
    int *secret_len,
    int save_addrs
)
{
#if 1
    return 0;
#else
    char found[MAXWORDLEN];
    struct wordlist *addr_list = NULL;
    int status = 0;
    int nbytes;

    found[0] = 0;

    /* XXX Find secret. */
    if (status < 0) {
        return 0;
    }

    if (save_addrs) {
        set_allowed_addrs(unit, addr_list);
    }

    nbytes = strlen(found);
    if (nbytes > MAXSECRETLEN) {
        /* Over-long secrets are truncated, not rejected. */
        ppp_trace(LOG_ERR, "Secret for %s on %s is too long\n", client, server);
        nbytes = MAXSECRETLEN;
    }

    BCOPY(found, secret, nbytes);
    /* Wipe the local copy of the secret before returning. */
    BZERO(found, sizeof(found));
    *secret_len = nbytes;

    return 1;
#endif
}
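/*
 * check_passwd - Check the user name and passwd against the PAP secrets
 * file.  If requested, also check against the system password database,
 * and login the user if OK.
 *
 * returns:
 *  UPAP_AUTHNAK: Authentication failed.
 *  UPAP_AUTHACK: Authentication succeeded.
 *
 * NOTE(review): in the active (#if 1) build nothing is validated.  Every
 * user name / password pair is answered with UPAP_AUTHACK, *msg is set to
 * NULL and *msglen to 0.  A PAP server built this way authenticates any
 * peer; the validation marked XXX below has to be supplied before PAP can
 * be relied on for access control.
 *
 * The disabled (#else) branch is the skeleton of a real check.  auser and
 * apasswd are length-counted, not NUL-terminated, so it copies them into
 * local buffers first; those copies are bounded to the buffer size.
 */
int
check_passwd(int unit, char *auser, int userlen, char *apasswd, int passwdlen, char **msg, int *msglen)
{
#if 1
  LWIP_UNUSED_ARG(unit);
  LWIP_UNUSED_ARG(auser);
  LWIP_UNUSED_ARG(userlen);
  LWIP_UNUSED_ARG(apasswd);
  LWIP_UNUSED_ARG(passwdlen);

  /*
   * No message accompanies the reply.  Report its length as zero so a
   * caller that forwards msglen does not read an indeterminate value.
   */
  *msg = (char *) 0;
  *msglen = 0;
  return UPAP_AUTHACK;     /* XXX Assume all entries OK. */
#else
  int ret = 0;
  int len;
  struct wordlist *addrs = NULL;
  char passwd[256], user[256];
  char secret[MAXWORDLEN];
  static u_short attempts = 0;

  /*
   * Make copies of apasswd and auser, then null-terminate them.
   * The lengths come from the peer, so clamp them to the local buffers
   * (leaving room for the terminator) instead of trusting them.
   */
  len = passwdlen;
  if (len < 0) {
    len = 0;
  }
  if (len > (int)sizeof(passwd) - 1) {
    len = (int)sizeof(passwd) - 1;
  }
  BCOPY(apasswd, passwd, len);
  passwd[len] = '\0';

  len = userlen;
  if (len < 0) {
    len = 0;
  }
  if (len > (int)sizeof(user) - 1) {
    len = (int)sizeof(user) - 1;
  }
  BCOPY(auser, user, len);
  user[len] = '\0';

  *msg = (char *) 0;

  /* XXX Validate user name and password. */
  ret = UPAP_AUTHACK;     /* XXX Assume all entries OK. */

  if (ret == UPAP_AUTHNAK) {
    if (*msg == (char *) 0) {
      *msg = "Login incorrect";
    }
    *msglen = strlen(*msg);
    /*
     * Frustrate passwd stealer programs.
     * Allow 10 tries, but start backing off after 3 (stolen from login).
     * On 10'th, drop the connection.
     */
    if (attempts++ >= 10) {
      AUTHDEBUG((LOG_WARNING, "%d LOGIN FAILURES BY %s\n", attempts, user));
      /*ppp_panic("Excess Bad Logins");*/
    }
    if (attempts > 3) {
      sys_msleep((attempts - 3) * 5);
    }
    if (addrs != NULL) {
      free_wordlist(addrs);
    }
  } else {
    attempts = 0;     /* Reset count */
    if (*msg == (char *) 0) {
      *msg = "Login ok";
    }
    *msglen = strlen(*msg);
    set_allowed_addrs(unit, addrs);
  }

  /* Wipe the password copy and the secret buffer before returning. */
  BZERO(passwd, sizeof(passwd));
  BZERO(secret, sizeof(secret));

  return ret;
#endif
}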
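/*
 * check_passwd - Check the user name and passwd against the PAP secrets
 * file.  If requested, also check against the system password database,
 * and login the user if OK.
 *
 *   unit               interface unit the request arrived on
 *   auser, userlen     peer-supplied user name (length-counted)
 *   apasswd, passwdlen peer-supplied password (length-counted)
 *   msg, msglen        receive a message for the peer and its length
 *
 * returns:
 *  UPAP_AUTHNAK: Authentication failed.
 *  UPAP_AUTHACK: Authentication succeeded.
 * In either case, msg points to an appropriate message.
 */
int
check_passwd(int unit, char *auser, int userlen, char *apasswd, int passwdlen, char **msg, int *msglen)
{
    int ret;
    char *filename;
    FILE *f;
    struct wordlist *addrs;
    u_int32_t remote;
    ipcp_options *ipwo = &ipcp_wantoptions[unit];
    char passwd[256], user[256];
    char secret[MAXWORDLEN];
    char *hashed;
    static int attempts = 0;
    int len;

    /*
     * Make copies of apasswd and auser, then null-terminate them.
     * The lengths are clamped with signed comparisons: comparing an int
     * against a sizeof expression would turn a negative length into a
     * large unsigned value and copy a full buffer from the source.
     */
    len = passwdlen;
    if (len < 0) {
        len = 0;
    }
    if (len > (int)sizeof(passwd) - 1) {
        len = (int)sizeof(passwd) - 1;
    }
    BCOPY(apasswd, passwd, len);
    passwd[len] = '\0';

    len = userlen;
    if (len < 0) {
        len = 0;
    }
    if (len > (int)sizeof(user) - 1) {
        len = (int)sizeof(user) - 1;
    }
    BCOPY(auser, user, len);
    user[len] = '\0';

    *msg = NULL;

    /*
     * Open the file of pap secrets and scan for a suitable secret
     * for authenticating this user.
     */
    filename = _PATH_UPAPFILE;
    addrs = NULL;
    ret = UPAP_AUTHACK;
    f = fopen(filename, "r");
    if (f == NULL) {
        syslog(LOG_ERR, "Can't open PAP password file %s: %m", filename);
        ret = UPAP_AUTHNAK;
    } else {
        check_access(f, filename);
        remote = ipwo->accept_remote ? 0 : ipwo->hisaddr;
        if (scan_authfile(f, user, our_name, remote, secret, &addrs, filename) < 0) {
            warn("no PAP secret found for %s", user);
            /*
             * Without the login option nothing else would check this
             * user, so a missing entry has to be a failure rather than
             * falling through with ret still UPAP_AUTHACK.  With the
             * login option the decision is left to plogin() below.
             */
            if (!uselogin) {
                ret = UPAP_AUTHNAK;
            }
        } else if (secret[0] != 0) {
            /*
             * password given in pap-secrets - must match, either as
             * plain text (unless cryptpap) or through crypt().
             * NOTE(review): strcmp() is not a constant-time comparison.
             */
            if (cryptpap || strcmp(passwd, secret) != 0) {
                /* crypt() can return NULL; treat that as a mismatch. */
                hashed = crypt(passwd, secret);
                if (hashed == NULL || strcmp(hashed, secret) != 0) {
                    ret = UPAP_AUTHNAK;
                    warn("PAP authentication failure for %s", user);
                }
            }
        }
        fclose(f);
    }

    if (uselogin && ret == UPAP_AUTHACK) {
        ret = plogin(user, passwd, msg, msglen);
        if (ret == UPAP_AUTHNAK) {
            syslog(LOG_WARNING, "PAP login failure for %s", user);
        }
    }

    if (ret == UPAP_AUTHNAK) {
        if (*msg == NULL) {
            *msg = "Login incorrect";
        }
        *msglen = strlen(*msg);
        /*
         * Frustrate passwd stealer programs.
         * Allow 10 tries, but start backing off after 3 (stolen from login).
         * On 10'th, drop the connection.
         */
        if (attempts++ >= 10) {
            syslog(LOG_WARNING, "%d LOGIN FAILURES ON %s, %s", attempts, devnam, user);
            quit();
        }
        if (attempts > 3) {
            sleep((u_int) (attempts - 3) * 5);
        }
        if (addrs != NULL) {
            free_wordlist(addrs);
        }
    } else {
        attempts = 0;   /* Reset count */
        if (*msg == NULL) {
            *msg = "Login ok";
        }
        *msglen = strlen(*msg);
        set_allowed_addrs(unit, addrs);
    }

    /*
     * Wipe the password copy and the secret before returning.
     * NOTE(review): BZERO's definition is not visible here; if it expands
     * to a plain memset the compiler may drop these stores - verify.
     */
    BZERO(passwd, sizeof(passwd));
    BZERO(secret, sizeof(secret));

    return ret;
}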