mirror/lwip
1
0
Fork 0
mirror of https://github.com/lwip-tcpip/lwip.git synced 2024-10-05 22:29:49 +00:00
Code Issues Packages Projects Releases Wiki Activity

PPP, changed all the code enclosed between PPP_SERVER #if macro to our PPP PCB structure, making it easier to support PPP server in the future

Browse Source
This commit is contained in:
Sylvain Rochet 2012-09-27 23:53:20 +02:00
parent 7fb874ad28
commit e81f092520
9 changed files with 143 additions and 137 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
src/include/netif/ppp/chap-new.h
View File

@ -64,6 +64,13 @@
#define MAX_CHALLENGE_LEN 64
#define MAX_RESPONSE_LEN 64
/*
* These limits apply to challenge and response packets we send.
* The +4 is the +1 that we actually need rounded up.
*/
#define CHAL_MAX_PKTLEN (PPP_HDRLEN + CHAP_HDRLEN + 4 + MAX_CHALLENGE_LEN + MAXNAMELEN)
#define RESP_MAX_PKTLEN (PPP_HDRLEN + CHAP_HDRLEN + 4 + MAX_RESPONSE_LEN + MAXNAMELEN)
/* bitmask of supported algorithms */
#if MSCHAP_SUPPORT
#define MDTYPE_MICROSOFT_V2 0x1
@ -152,7 +159,7 @@ typedef struct chap_client_state {
} chap_client_state;
#if PPP_SERVER
static struct chap_server_state {
typedef struct chap_server_state {
u8_t flags;
int id;
char *name;

5
src/include/netif/ppp/ppp.h
View File

@ -158,8 +158,9 @@ typedef struct ppp_settings_s {
#if PPP_SERVER
unsigned int auth_required : 1; /* Peer is required to authenticate */
unsigned int null_login : 1; /* Username of "" and a password of "" are acceptable */
#else
unsigned int :1; /* 1 bit of padding */
unsigned int :2; /* 2 bits of padding */
#endif /* PPP_SERVER */
#if PPP_REMOTENAME
unsigned int explicit_remote : 1; /* remote_name specified with remotename opt */
@ -202,7 +203,7 @@ typedef struct ppp_settings_s {
#else
unsigned int :1; /* 1 bit of padding */
#endif
unsigned int :2; /* 2 bits of padding to round out to 16 bits */
unsigned int :1; /* 1 bit of padding to round out to 16 bits */
u16_t listen_time; /* time to listen first (ms), waiting for peer to send LCP packet */

2
src/include/netif/ppp/upap.h
View File

@ -104,7 +104,7 @@ typedef struct upap_state {
u8_t us_passwdlen; /* Password length */
u8_t us_clientstate; /* Client state */
#if PPP_SERVER
u8_t us_serverstate /* Server state */
u8_t us_serverstate; /* Server state */
#endif /* PPP_SERVER */
u8_t us_id; /* Current id */
u8_t us_timeouttime; /* Timeout (seconds) for auth-req retrans. */

29
src/netif/ppp/auth.c
View File

@ -729,15 +729,16 @@ void upper_layers_down(ppp_pcb *pcb) {
*/
void link_established(ppp_pcb *pcb) {
int auth;
#if 0 /* UNUSED */
lcp_options *wo = &lcp_wantoptions[pcb->unit];
#endif /* UNUSED */
#if PPP_SERVER
lcp_options *go = &lcp_gotoptions[pcb->unit];
#endif /* #if PPP_SERVER */
lcp_options *wo = &pcb->lcp_wantoptions;
lcp_options *go = &pcb->lcp_gotoptions;
#endif /* PPP_SERVER */
lcp_options *ho = &pcb->lcp_hisoptions;
int i;
struct protent *protp;
#if PPP_SERVER
int errcode;
#endif /* PPP_SERVER */
/*
* Tell higher-level protocols that LCP is up.
@ -749,13 +750,13 @@ void link_established(ppp_pcb *pcb) {
(*protp->lowerup)(pcb);
}
#if 0 /* UNUSED */
#if PPP_SERVER
#if PPP_ALLOWED_ADDRS
if (!auth_required && noauth_addrs != NULL)
set_allowed_addrs(unit, NULL, NULL);
#endif /* PPP_ALLOWED_ADDRS */
if (auth_required && !(0
if (pcb->settings.auth_required && !(0
#if PAP_SUPPORT
|| go->neg_upap
#endif /* PAP_SUPPORT */
@ -779,14 +780,18 @@ void link_established(ppp_pcb *pcb) {
set_allowed_addrs(unit, NULL, NULL);
} else
#endif /* PPP_ALLOWED_ADDRS */
if (!wo->neg_upap || uselogin || !null_login(unit)) {
if (!wo->neg_upap || !pcb->settings.null_login) {
ppp_warn("peer refused to authenticate: terminating link");
#if 0 /* UNUSED */
status = EXIT_PEER_AUTH_FAILED;
#endif /* UNUSED */
errcode = PPPERR_AUTHFAIL;
ppp_ioctl(pcb, PPPCTLS_ERRCODE, &errcode);
lcp_close(pcb, "peer refused to authenticate");
return;
}
}
#endif /* UNUSED */
#endif /* PPP_SERVER */
new_phase(pcb, PHASE_AUTHENTICATE);
auth = 0;
@ -997,10 +1002,14 @@ void continue_networks(ppp_pcb *pcb) {
* The peer has failed to authenticate himself using `protocol'.
*/
void auth_peer_fail(ppp_pcb *pcb, int protocol) {
int errcode = PPPERR_AUTHFAIL;
/*
* Authentication failure: take the link down
*/
#if 0 /* UNUSED */
status = EXIT_PEER_AUTH_FAILED;
#endif /* UNUSED */
ppp_ioctl(pcb, PPPCTLS_ERRCODE, &errcode);
lcp_close(pcb, "Authentication failed");
}
@ -1064,7 +1073,7 @@ void auth_peer_success(ppp_pcb *pcb, int protocol, int prot_flavor, char *name,
* proceed to the network (or callback) phase.
*/
if ((pcb->auth_pending &= ~bit) == 0)
network_phase(unit);
network_phase(pcb);
}
#endif /* PPP_SERVER */

4
src/netif/ppp/chap-md5.c
View File

@ -83,11 +83,11 @@ static int chap_md5_verify_response(int id, char *name,
/* Test if our hash matches the peer's response */
if (memcmp(hash, response, MD5_HASH_SIZE) == 0) {
slprintf(message, message_space, "Access granted");
ppp_slprintf(message, message_space, "Access granted");
return 1;
}
}
slprintf(message, message_space, "Access denied");
ppp_slprintf(message, message_space, "Access denied");
return 0;
}
#endif /* PPP_SERVER */

22
src/netif/ppp/chap-new.c
View File

@ -69,12 +69,6 @@ static option_t chap_option_list[] = {
};
#endif /* PPP_OPTIONS */
/*
* These limits apply to challenge and response packets we send.
* The +4 is the +1 that we actually need rounded up.
*/
#define CHAL_MAX_PKTLEN (PPP_HDRLEN + CHAP_HDRLEN + 4 + MAX_CHALLENGE_LEN + MAXNAMELEN)
#define RESP_MAX_PKTLEN (PPP_HDRLEN + CHAP_HDRLEN + 4 + MAX_RESPONSE_LEN + MAXNAMELEN)
/* Values for flags in chap_client_state and chap_server_state */
#define LOWERUP 1
@ -168,7 +162,7 @@ static void chap_lowerdown(ppp_pcb *pcb) {
* otherwise we wait for the lower layer to come up.
*/
void chap_auth_peer(ppp_pcb *pcb, char *our_name, int digest_code) {
struct chap_server_state *ss = &server;
struct chap_server_state *ss = &pcb->chap_server;
struct chap_digest_type *dp;
if (pcb->chap_server.flags & AUTH_STARTED) {
@ -309,10 +303,12 @@ static void chap_handle_response(ppp_pcb *pcb, int id,
pcb->chap_server.flags &= ~TIMEOUT_PENDING;
UNTIMEOUT(chap_timeout, pcb);
}
if (explicit_remote) {
name = remote_name;
} else {
#if PPP_REMOTENAME
if (pcb->settings.explicit_remote) {
name = pcb->remote_name;
} else
#endif /* PPP_REMOTENAME */
{
/* Null terminate and clean remote name. */
ppp_slprintf(rname, sizeof(rname), "%.*v", len, name);
name = rname;
@ -409,12 +405,14 @@ static int chap_verify_response(char *name, char *ourname, int id,
unsigned char secret[MAXSECRETLEN];
int secret_len;
/* FIXME: we need a way to check peer secret */
#if 0
/* Get the secret that the peer is supposed to know */
if (!get_secret(pcb, name, ourname, (char *)secret, &secret_len, 1)) {
ppp_error("No CHAP secret found for authenticating %q", name);
return 0;
}
#endif
ok = digest->verify_response(id, name, secret, secret_len, challenge,
response, message, message_space);
memset(secret, 0, sizeof(secret));

12
src/netif/ppp/chap_ms.c
View File

@ -217,7 +217,7 @@ static int chapms_verify_response(int id, char *name,
#ifndef MSLANMAN
if (!response[MS_CHAP_USENT]) {
/* Should really propagate this into the error packet. */
notice("Peer request for LANMAN auth not supported");
ppp_notice("Peer request for LANMAN auth not supported");
goto bad;
}
#endif
@ -236,13 +236,13 @@ static int chapms_verify_response(int id, char *name,
MS_CHAP_NTRESP_LEN);
if (diff == 0) {
slprintf(message, message_space, "Access granted");
ppp_slprintf(message, message_space, "Access granted");
return 1;
}
bad:
/* See comments below for MS-CHAP V2 */
slprintf(message, message_space, "E=691 R=1 C=%0.*B V=0",
ppp_slprintf(message, message_space, "E=691 R=1 C=%0.*B V=0",
challenge_len, challenge);
return 0;
}
@ -288,9 +288,9 @@ static int chapms2_verify_response(int id, char *name,
if (memcmp(&md[MS_CHAP2_NTRESP], &response[MS_CHAP2_NTRESP],
MS_CHAP2_NTRESP_LEN) == 0) {
if (response[MS_CHAP2_FLAGS])
slprintf(message, message_space, "S=%s", saresponse);
ppp_slprintf(message, message_space, "S=%s", saresponse);
else
slprintf(message, message_space, "S=%s M=%s",
ppp_slprintf(message, message_space, "S=%s M=%s",
saresponse, "Access granted");
return 1;
}
@ -317,7 +317,7 @@ static int chapms2_verify_response(int id, char *name,
* Basically, this whole bit is useless code, even the small
* implementation here is only because of overspecification.
*/
slprintf(message, message_space, "E=691 R=1 C=%0.*B V=0 M=%s",
ppp_slprintf(message, message_space, "E=691 R=1 C=%0.*B V=0 M=%s",
challenge_len, challenge, "Access denied");
return 0;
}

153
src/netif/ppp/eap.c
View File

@ -258,11 +258,7 @@ void eap_authwithpeer(ppp_pcb *pcb, char *localname) {
* Format a standard EAP Failure message and send it to the peer.
* (Server operation)
*/
static void
eap_send_failure(esp)
eap_state *esp;
{
ppp_pcb *pcb = &ppp_pcb_list[pcb->eap.es_unit];
static void eap_send_failure(ppp_pcb *pcb) {
struct pbuf *p;
u_char *outp;
@ -293,11 +289,7 @@ eap_state *esp;
* Format a standard EAP Success message and send it to the peer.
* (Server operation)
*/
static void
eap_send_success(esp)
eap_state *esp;
{
ppp_pcb *pcb = &ppp_pcb_list[pcb->eap.es_unit];
static void eap_send_success(ppp_pcb *pcb) {
struct pbuf *p;
u_char *outp;
@ -441,11 +433,7 @@ u_char *outp;
* indicates if there was an error in handling the last query. It is
* 0 for success and non-zero for failure.
*/
static void
eap_figure_next_state(esp, status)
eap_state *esp;
int status;
{
static void eap_figure_next_state(ppp_pcb *pcb, int status) {
#ifdef USE_SRP
unsigned char secbuf[MAXWORDLEN], clear[8], *sp, *dp;
struct t_pw tpw;
@ -651,18 +639,14 @@ int status;
break;
}
if (pcb->eap.es_server.ea_state == eapBadAuth)
eap_send_failure(esp);
eap_send_failure(pcb);
}
/*
* Format an EAP Request message and send it to the peer. Message
* type depends on current state. (Server operation)
*/
static void
eap_send_request(esp)
eap_state *esp;
{
ppp_pcb *pcb = &ppp_pcb_list[pcb->eap.es_unit];
static void eap_send_request(ppp_pcb *pcb) {
struct pbuf *p;
u_char *outp;
u_char *lenloc;
@ -682,16 +666,18 @@ eap_state *esp;
if (pcb->eap.es_server.ea_state < eapIdentify &&
pcb->eap.es_server.ea_state != eapInitial) {
pcb->eap.es_server.ea_state = eapIdentify;
if (explicit_remote) {
#if PPP_REMOTENAME
if (pcb->settings.explicit_remote) {
/*
* If we already know the peer's
* unauthenticated name, then there's no
* reason to ask. Go to next state instead.
*/
pcb->eap.es_server.ea_peer = remote_name;
pcb->eap.es_server.ea_peerlen = strlen(remote_name);
eap_figure_next_state(esp, 0);
pcb->eap.es_server.ea_peer = pcb->remote_name;
pcb->eap.es_server.ea_peerlen = strlen(pcb->remote_name);
eap_figure_next_state(pcb, 0);
}
#endif /* PPP_REMOTENAME */
}
if (pcb->eap.es_server.ea_maxrequests > 0 &&
@ -700,7 +686,7 @@ eap_state *esp;
ppp_error("EAP: too many Requests sent");
else
ppp_error("EAP: no response to Requests");
eap_send_failure(esp);
eap_send_failure(pcb);
return;
}
@ -888,7 +874,7 @@ eap_state *esp;
return;
}
outlen = (outp - p->payload) - PPP_HDRLEN;
outlen = (outp - (unsigned char*)p->payload) - PPP_HDRLEN;
PUTSHORT(outlen, lenloc);
pbuf_realloc(p, outlen + PPP_HDRLEN);
@ -907,7 +893,6 @@ eap_state *esp;
* after eap_lowerup.
*/
void eap_authpeer(ppp_pcb *pcb, char *localname) {
eap_state *esp = &eap_states[unit];
/* Save the name we're given. */
pcb->eap.es_server.ea_name = localname;
@ -925,7 +910,7 @@ void eap_authpeer(ppp_pcb *pcb, char *localname) {
pcb->eap.es_server.ea_state = eapPending;
/* ID number not updated here intentionally; hashed into M1 */
eap_send_request(esp);
eap_send_request(pcb);
}
/*
@ -935,11 +920,11 @@ void eap_authpeer(ppp_pcb *pcb, char *localname) {
static void eap_server_timeout(void *arg) {
ppp_pcb *pcb = (ppp_pcb*)arg;
if (!eap_server_active(esp))
if (!eap_server_active(pcb))
return;
/* EAP ID number must not change on timeout. */
eap_send_request(esp);
eap_send_request(pcb);
}
/*
@ -947,11 +932,8 @@ static void eap_server_timeout(void *arg) {
* called. Once the rechallenge is successful, the response handler
* will restart the timer. If it fails, then the link is dropped.
*/
static void
eap_rechallenge(arg)
void *arg;
{
eap_state *esp = (eap_state *)arg;
static void eap_rechallenge(void *arg) {
ppp_pcb *pcb = (ppp_pcb*)arg;
if (pcb->eap.es_server.ea_state != eapOpen &&
pcb->eap.es_server.ea_state != eapSRP4)
@ -959,16 +941,13 @@ void *arg;
pcb->eap.es_server.ea_requests = 0;
pcb->eap.es_server.ea_state = eapIdentify;
eap_figure_next_state(esp, 0);
eap_figure_next_state(pcb, 0);
pcb->eap.es_server.ea_id++;
eap_send_request(esp);
eap_send_request(pcb);
}
static void
srp_lwrechallenge(arg)
void *arg;
{
eap_state *esp = (eap_state *)arg;
static void srp_lwrechallenge(void *arg) {
ppp_pcb *pcb = (ppp_pcb*)arg;
if (pcb->eap.es_server.ea_state != eapOpen ||
pcb->eap.es_server.ea_type != EAPT_SRP)
@ -977,7 +956,7 @@ void *arg;
pcb->eap.es_server.ea_requests = 0;
pcb->eap.es_server.ea_state = eapSRP4;
pcb->eap.es_server.ea_id++;
eap_send_request(esp);
eap_send_request(pcb);
}
#endif /* PPP_SERVER */
@ -993,8 +972,11 @@ static void eap_lowerup(ppp_pcb *pcb) {
/* Discard any (possibly authenticated) peer name. */
#if PPP_SERVER
if (pcb->eap.es_server.ea_peer != NULL &&
pcb->eap.es_server.ea_peer != remote_name)
if (pcb->eap.es_server.ea_peer != NULL
#if PPP_REMOTENAME
&& pcb->eap.es_server.ea_peer != pcb->remote_name
#endif /* PPP_REMOTENAME */
)
free(pcb->eap.es_server.ea_peer);
pcb->eap.es_server.ea_peer = NULL;
#endif /* PPP_SERVER */
@ -1019,7 +1001,7 @@ static void eap_lowerdown(ppp_pcb *pcb) {
UNTIMEOUT(eap_client_timeout, pcb);
}
#if PPP_SERVER
if (eap_server_active(esp)) {
if (eap_server_active(pcb)) {
if (pcb->eap.es_server.ea_timeout > 0) {
UNTIMEOUT(eap_server_timeout, pcb);
}
@ -1027,11 +1009,11 @@ static void eap_lowerdown(ppp_pcb *pcb) {
if ((pcb->eap.es_server.ea_state == eapOpen ||
pcb->eap.es_server.ea_state == eapSRP4) &&
pcb->eap.es_rechallenge > 0) {
UNTIMEOUT(eap_rechallenge, (void *)esp);
UNTIMEOUT(eap_rechallenge, (void *)pcb);
}
if (pcb->eap.es_server.ea_state == eapOpen &&
pcb->eap.es_lwrechallenge > 0) {
UNTIMEOUT(srp_lwrechallenge, (void *)esp);
UNTIMEOUT(srp_lwrechallenge, (void *)pcb);
}
}
@ -1053,7 +1035,7 @@ static void eap_protrej(ppp_pcb *pcb) {
auth_withpeer_fail(pcb, PPP_EAP);
}
#if PPP_SERVER
if (eap_server_active(esp)) {
if (eap_server_active(pcb)) {
ppp_error("EAP authentication of peer failed on Protocol-Reject");
auth_peer_fail(pcb, PPP_EAP);
}
@ -1807,19 +1789,22 @@ static void eap_response(ppp_pcb *pcb, u_char *inp, int id, int len) {
break;
}
ppp_info("EAP: unauthenticated peer name \"%.*q\"", len, inp);
if (pcb->eap.es_server.ea_peer != NULL &&
pcb->eap.es_server.ea_peer != remote_name)
if (pcb->eap.es_server.ea_peer != NULL
#if PPP_REMOTENAME
&& pcb->eap.es_server.ea_peer != pcb->remote_name
#endif /* PPP_REMOTENAME */
)
free(pcb->eap.es_server.ea_peer);
pcb->eap.es_server.ea_peer = malloc(len + 1);
if (pcb->eap.es_server.ea_peer == NULL) {
pcb->eap.es_server.ea_peerlen = 0;
eap_figure_next_state(esp, 1);
eap_figure_next_state(pcb, 1);
break;
}
MEMCPY(pcb->eap.es_server.ea_peer, inp, len);
pcb->eap.es_server.ea_peer[len] = '\0';
pcb->eap.es_server.ea_peerlen = len;
eap_figure_next_state(esp, 0);
eap_figure_next_state(pcb, 0);
break;
case EAPT_NOTIFICATION:
@ -1829,16 +1814,20 @@ static void eap_response(ppp_pcb *pcb, u_char *inp, int id, int len) {
case EAPT_NAK:
if (len < 1) {
ppp_info("EAP: Nak Response with no suggested protocol");
eap_figure_next_state(esp, 1);
eap_figure_next_state(pcb, 1);
break;
}
GETCHAR(vallen, inp);
len--;
if (!explicit_remote && pcb->eap.es_server.ea_state == eapIdentify){
if (
#if PPP_REMOTENAME
!pcb->explicit_remote &&
#endif /* PPP_REMOTENAME */
pcb->eap.es_server.ea_state == eapIdentify){
/* Peer cannot Nak Identify Request */
eap_figure_next_state(esp, 1);
eap_figure_next_state(pcb, 1);
break;
}
@ -1846,7 +1835,7 @@ static void eap_response(ppp_pcb *pcb, u_char *inp, int id, int len) {
case EAPT_SRP:
/* Run through SRP validator selection again. */
pcb->eap.es_server.ea_state = eapIdentify;
eap_figure_next_state(esp, 0);
eap_figure_next_state(pcb, 0);
break;
case EAPT_MD5CHAP:
@ -1864,7 +1853,7 @@ static void eap_response(ppp_pcb *pcb, u_char *inp, int id, int len) {
case eapMD5Chall:
case eapSRP4:
pcb->eap.es_server.ea_state = eapIdentify;
eap_figure_next_state(esp, 0);
eap_figure_next_state(pcb, 0);
break;
default:
break;
@ -1876,19 +1865,19 @@ static void eap_response(ppp_pcb *pcb, u_char *inp, int id, int len) {
case EAPT_MD5CHAP:
if (pcb->eap.es_server.ea_state != eapMD5Chall) {
ppp_error("EAP: unexpected MD5-Response");
eap_figure_next_state(esp, 1);
eap_figure_next_state(pcb, 1);
break;
}
if (len < 1) {
ppp_error("EAP: received MD5-Response with no data");
eap_figure_next_state(esp, 1);
eap_figure_next_state(pcb, 1);
break;
}
GETCHAR(vallen, inp);
len--;
if (vallen != 16 || vallen > len) {
ppp_error("EAP: MD5-Response with bad length %d", vallen);
eap_figure_next_state(esp, 1);
eap_figure_next_state(pcb, 1);
break;
}
@ -1902,10 +1891,12 @@ static void eap_response(ppp_pcb *pcb, u_char *inp, int id, int len) {
rhostname[len - vallen] = '\0';
}
#if PPP_REMOTENAME
/* In case the remote doesn't give us his name. */
if (explicit_remote ||
(remote_name[0] != '\0' && vallen == len))
strlcpy(rhostname, remote_name, sizeof (rhostname));
#endif /* PPP_REMOTENAME */
/*
* Get the secret for authenticating the specified
@ -1914,7 +1905,7 @@ static void eap_response(ppp_pcb *pcb, u_char *inp, int id, int len) {
if (!get_secret(pcb, rhostname,
pcb->eap.es_server.ea_name, secret, &secret_len, 1)) {
ppp_dbglog("EAP: no MD5 secret for auth of %q", rhostname);
eap_send_failure(esp);
eap_send_failure(pcb);
break;
}
md5_starts(&mdContext);
@ -1924,21 +1915,21 @@ static void eap_response(ppp_pcb *pcb, u_char *inp, int id, int len) {
md5_update(&mdContext, pcb->eap.es_challenge, pcb->eap.es_challen);
md5_finish(&mdContext, hash);
if (BCMP(hash, inp, MD5_SIGNATURE_SIZE) != 0) {
eap_send_failure(esp);
eap_send_failure(pcb);
break;
}
pcb->eap.es_server.ea_type = EAPT_MD5CHAP;
eap_send_success(esp);
eap_figure_next_state(esp, 0);
eap_send_success(pcb);
eap_figure_next_state(pcb, 0);
if (pcb->eap.es_rechallenge != 0)
TIMEOUT(eap_rechallenge, esp, pcb->eap.es_rechallenge);
TIMEOUT(eap_rechallenge, pcb, pcb->eap.es_rechallenge);
break;
#ifdef USE_SRP
case EAPT_SRP:
if (len < 1) {
ppp_error("EAP: empty SRP Response");
eap_figure_next_state(esp, 1);
eap_figure_next_state(pcb, 1);
break;
}
GETCHAR(typenum, inp);
@ -1947,7 +1938,7 @@ static void eap_response(ppp_pcb *pcb, u_char *inp, int id, int len) {
case EAPSRP_CKEY:
if (pcb->eap.es_server.ea_state != eapSRP1) {
ppp_error("EAP: unexpected SRP Subtype 1 Response");
eap_figure_next_state(esp, 1);
eap_figure_next_state(pcb, 1);
break;
}
A.data = inp;
@ -1958,22 +1949,22 @@ static void eap_response(ppp_pcb *pcb, u_char *inp, int id, int len) {
if (pcb->eap.es_server.ea_skey == NULL) {
/* Client's A value is bogus; terminate now */
ppp_error("EAP: bogus A value from client");
eap_send_failure(esp);
eap_send_failure(pcb);
} else {
eap_figure_next_state(esp, 0);
eap_figure_next_state(pcb, 0);
}
break;
case EAPSRP_CVALIDATOR:
if (pcb->eap.es_server.ea_state != eapSRP2) {
ppp_error("EAP: unexpected SRP Subtype 2 Response");
eap_figure_next_state(esp, 1);
eap_figure_next_state(pcb, 1);
break;
}
if (len < sizeof (u32_t) + SHA_DIGESTSIZE) {
ppp_error("EAP: M1 length %d < %d", len,
sizeof (u32_t) + SHA_DIGESTSIZE);
eap_figure_next_state(esp, 1);
eap_figure_next_state(pcb, 1);
break;
}
GETLONG(pcb->eap.es_server.ea_keyflags, inp);
@ -1981,10 +1972,10 @@ static void eap_response(ppp_pcb *pcb, u_char *inp, int id, int len) {
assert(ts != NULL);
if (t_serververify(ts, inp)) {
ppp_info("EAP: unable to validate client identity");
eap_send_failure(esp);
eap_send_failure(pcb);
break;
}
eap_figure_next_state(esp, 0);
eap_figure_next_state(pcb, 0);
break;
case EAPSRP_ACK:
@ -1994,13 +1985,13 @@ static void eap_response(ppp_pcb *pcb, u_char *inp, int id, int len) {
break;
}
pcb->eap.es_server.ea_type = EAPT_SRP;
eap_send_success(esp);
eap_figure_next_state(esp, 0);
eap_send_success(pcb, esp);
eap_figure_next_state(pcb, 0);
if (pcb->eap.es_rechallenge != 0)
TIMEOUT(eap_rechallenge, esp,
TIMEOUT(eap_rechallenge, pcb,
pcb->eap.es_rechallenge);
if (pcb->eap.es_lwrechallenge != 0)
TIMEOUT(srp_lwrechallenge, esp,
TIMEOUT(srp_lwrechallenge, pcb,
pcb->eap.es_lwrechallenge);
break;
@ -2025,7 +2016,7 @@ static void eap_response(ppp_pcb *pcb, u_char *inp, int id, int len) {
SHA1Final(dig, &ctxt);
if (BCMP(dig, inp, SHA_DIGESTSIZE) != 0) {
ppp_error("EAP: failed Lightweight rechallenge");
eap_send_failure(esp);
eap_send_failure(pcb);
break;
}
pcb->eap.es_server.ea_state = eapOpen;
@ -2050,7 +2041,7 @@ static void eap_response(ppp_pcb *pcb, u_char *inp, int id, int len) {
if (pcb->eap.es_server.ea_state != eapBadAuth &&
pcb->eap.es_server.ea_state != eapOpen) {
pcb->eap.es_server.ea_id++;
eap_send_request(esp);
eap_send_request(pcb);
}
}
#endif /* PPP_SERVER */

44
src/netif/ppp/upap.c
View File

@ -120,16 +120,14 @@ struct protent pap_protent = {
static void upap_timeout(void *arg);
#if PPP_SERVER
static void upap_reqtimeout(void *arg);
#endif /* PPP_SERVER */
#if 0 /* UNUSED */
static void upap_rauthreq(ppp_pcb *pcb, u_char *inp, int id, int len);
#endif /* UNUSED */
#endif /* PPP_SERVER */
static void upap_rauthack(ppp_pcb *pcb, u_char *inp, int id, int len);
static void upap_rauthnak(ppp_pcb *pcb, u_char *inp, int id, int len);
static void upap_sauthreq(ppp_pcb *pcb);
#if 0 /* UNUSED */
#if PPP_SERVER
static void upap_sresp(ppp_pcb *pcb, u_char code, u_char id, char *msg, int msglen);
#endif /* UNUSED */
#endif /* PPP_SERVER */
/*
@ -255,7 +253,7 @@ static void upap_lowerup(ppp_pcb *pcb) {
else if (pcb->upap.us_serverstate == UPAPSS_PENDING) {
pcb->upap.us_serverstate = UPAPSS_LISTEN;
if (pcb->upap.us_reqtimeout > 0)
TIMEOUT(upap_reqtimeout, u, pcb->upap.us_reqtimeout);
TIMEOUT(upap_reqtimeout, pcb, pcb->upap.us_reqtimeout);
}
#endif /* PPP_SERVER */
}
@ -272,7 +270,7 @@ static void upap_lowerdown(ppp_pcb *pcb) {
UNTIMEOUT(upap_timeout, pcb); /* Cancel timeout */
#if PPP_SERVER
if (pcb->upap.us_serverstate == UPAPSS_LISTEN && pcb->upap.us_reqtimeout > 0)
UNTIMEOUT(upap_reqtimeout, u);
UNTIMEOUT(upap_reqtimeout, pcb);
#endif /* PPP_SERVER */
pcb->upap.us_clientstate = UPAPCS_INITIAL;
@ -338,9 +336,9 @@ static void upap_input(ppp_pcb *pcb, u_char *inpacket, int l) {
*/
switch (code) {
case UPAP_AUTHREQ:
#if 0 /* UNUSED */
#if PPP_SERVER
upap_rauthreq(pcb, inp, id, len);
#endif /* UNUSED */
#endif /* PPP_SERVER */
break;
case UPAP_AUTHACK:
@ -356,7 +354,7 @@ static void upap_input(ppp_pcb *pcb, u_char *inpacket, int l) {
}
}
#if 0 /* UNUSED */
#if PPP_SERVER
/*
* upap_rauth - Receive Authenticate.
*/
@ -376,11 +374,11 @@ static void upap_rauthreq(ppp_pcb *pcb, u_char *inp, int id, int len) {
* supposed to return the same status as for the first request.
*/
if (pcb->upap.us_serverstate == UPAPSS_OPEN) {
upap_sresp(u, UPAP_AUTHACK, id, "", 0); /* return auth-ack */
upap_sresp(pcb, UPAP_AUTHACK, id, "", 0); /* return auth-ack */
return;
}
if (pcb->upap.us_serverstate == UPAPSS_BADAUTH) {
upap_sresp(u, UPAP_AUTHNAK, id, "", 0); /* return auth-nak */
upap_sresp(pcb, UPAP_AUTHNAK, id, "", 0); /* return auth-nak */
return;
}
@ -404,16 +402,18 @@ static void upap_rauthreq(ppp_pcb *pcb, u_char *inp, int id, int len) {
UPAPDEBUG(("pap_rauth: rcvd short packet."));
return;
}
/* FIXME: we need a way to check peer secret */
rpasswd = (char *) inp;
/*
* Check the username and password given.
*/
#if 0
retcode = check_passwd(pcb->upap.us_unit, ruser, ruserlen, rpasswd,
rpasswdlen, &msg);
BZERO(rpasswd, rpasswdlen);
#if 0 /* UNUSED */
/*
* Check remote number authorization. A plugin may have filled in
* the remote number or added an allowed number, and rather than
@ -426,30 +426,30 @@ static void upap_rauthreq(ppp_pcb *pcb, u_char *inp, int id, int len) {
warn("calling number %q is not authorized", remote_number);
}
}
#endif /* UNUSED */
#endif
msglen = strlen(msg);
if (msglen > 255)
msglen = 255;
upap_sresp(u, retcode, id, msg, msglen);
upap_sresp(pcb, retcode, id, msg, msglen);
/* Null terminate and clean remote name. */
slprintf(rhostname, sizeof(rhostname), "%.*v", ruserlen, ruser);
ppp_slprintf(rhostname, sizeof(rhostname), "%.*v", ruserlen, ruser);
if (retcode == UPAP_AUTHACK) {
pcb->upap.us_serverstate = UPAPSS_OPEN;
notice("PAP peer authentication succeeded for %q", rhostname);
ppp_notice("PAP peer authentication succeeded for %q", rhostname);
auth_peer_success(pcb, PPP_PAP, 0, ruser, ruserlen);
} else {
pcb->upap.us_serverstate = UPAPSS_BADAUTH;
warn("PAP peer authentication failed for %q", rhostname);
ppp_warn("PAP peer authentication failed for %q", rhostname);
auth_peer_fail(pcb, PPP_PAP);
}
if (pcb->upap.us_reqtimeout > 0)
UNTIMEOUT(upap_reqtimeout, u);
UNTIMEOUT(upap_reqtimeout, pcb);
}
#endif /* UNUSED */
#endif /* PPP_SERVER */
/*
* upap_rauthack - Receive Authenticate-Ack.
@ -557,7 +557,7 @@ static void upap_sauthreq(ppp_pcb *pcb) {
pcb->upap.us_clientstate = UPAPCS_AUTHREQ;
}
#if 0 /* UNUSED */
#if PPP_SERVER
/*
* upap_sresp - Send a response (ack or nak).
*/
@ -586,7 +586,7 @@ static void upap_sresp(ppp_pcb *pcb, u_char code, u_char id, char *msg, int msgl
ppp_write(pcb, p);
}
#endif /* UNUSED */
#endif /* PPP_SERVER */
#if PRINTPKT_SUPPORT
/*