From e81f092520bcd567354f6f3209225aeaeca6907a Mon Sep 17 00:00:00 2001 From: Sylvain Rochet Date: Thu, 27 Sep 2012 23:53:20 +0200 Subject: [PATCH] PPP, changed all the code enclosed between PPP_SERVER #if macro to our PPP PCB structure, making it easier to support PPP server in the future --- src/include/netif/ppp/chap-new.h | 9 +- src/include/netif/ppp/ppp.h | 5 +- src/include/netif/ppp/upap.h | 2 +- src/netif/ppp/auth.c | 29 ++++-- src/netif/ppp/chap-md5.c | 4 +- src/netif/ppp/chap-new.c | 22 ++--- src/netif/ppp/chap_ms.c | 12 +-- src/netif/ppp/eap.c | 153 +++++++++++++++---------------- src/netif/ppp/upap.c | 44 ++++----- 9 files changed, 143 insertions(+), 137 deletions(-) diff --git a/src/include/netif/ppp/chap-new.h b/src/include/netif/ppp/chap-new.h index d7f42f13..2730a8cb 100644 --- a/src/include/netif/ppp/chap-new.h +++ b/src/include/netif/ppp/chap-new.h @@ -64,6 +64,13 @@ #define MAX_CHALLENGE_LEN 64 #define MAX_RESPONSE_LEN 64 +/* + * These limits apply to challenge and response packets we send. + * The +4 is the +1 that we actually need rounded up. + */ +#define CHAL_MAX_PKTLEN (PPP_HDRLEN + CHAP_HDRLEN + 4 + MAX_CHALLENGE_LEN + MAXNAMELEN) +#define RESP_MAX_PKTLEN (PPP_HDRLEN + CHAP_HDRLEN + 4 + MAX_RESPONSE_LEN + MAXNAMELEN) + /* bitmask of supported algorithms */ #if MSCHAP_SUPPORT #define MDTYPE_MICROSOFT_V2 0x1 @@ -152,7 +159,7 @@ typedef struct chap_client_state { } chap_client_state; #if PPP_SERVER -static struct chap_server_state { +typedef struct chap_server_state { u8_t flags; int id; char *name; diff --git a/src/include/netif/ppp/ppp.h b/src/include/netif/ppp/ppp.h index 66e711df..4676ae63 100644 --- a/src/include/netif/ppp/ppp.h +++ b/src/include/netif/ppp/ppp.h 
@@ -158,8 +158,9 @@ typedef struct ppp_settings_s { #if PPP_SERVER unsigned int auth_required : 1; /* Peer is required to authenticate */ + unsigned int null_login : 1; /* Username of "" and a password of "" are acceptable */ #else - unsigned int :1; /* 1 bit of padding */ + unsigned int :2; /* 2 bits of padding */ #endif /* PPP_SERVER */ #if PPP_REMOTENAME unsigned int explicit_remote : 1; /* remote_name specified with remotename opt */ @@ -202,7 +203,7 @@ typedef struct ppp_settings_s { #else unsigned int :1; /* 1 bit of padding */ #endif - unsigned int :2; /* 2 bits of padding to round out to 16 bits */ + unsigned int :1; /* 1 bit of padding to round out to 16 bits */ u16_t listen_time; /* time to listen first (ms), waiting for peer to send LCP packet */ diff --git a/src/include/netif/ppp/upap.h b/src/include/netif/ppp/upap.h index 2b58b750..ca051411 100644 --- a/src/include/netif/ppp/upap.h +++ b/src/include/netif/ppp/upap.h @@ -104,7 +104,7 @@ typedef struct upap_state { u8_t us_passwdlen; /* Password length */ u8_t us_clientstate; /* Client state */ #if PPP_SERVER - u8_t us_serverstate /* Server state */ + u8_t us_serverstate; /* Server state */ #endif /* PPP_SERVER */ u8_t us_id; /* Current id */ u8_t us_timeouttime; /* Timeout (seconds) for auth-req retrans. */ diff --git a/src/netif/ppp/auth.c b/src/netif/ppp/auth.c index ec41bd99..43f172c0 100644 --- a/src/netif/ppp/auth.c +++ b/src/netif/ppp/auth.c 
@@ -729,15 +729,16 @@ void upper_layers_down(ppp_pcb *pcb) { */ void link_established(ppp_pcb *pcb) { int auth; -#if 0 /* UNUSED */ - lcp_options *wo = &lcp_wantoptions[pcb->unit]; -#endif /* UNUSED */ #if PPP_SERVER - lcp_options *go = &lcp_gotoptions[pcb->unit]; -#endif /* #if PPP_SERVER */ + lcp_options *wo = &pcb->lcp_wantoptions; + lcp_options *go = &pcb->lcp_gotoptions; +#endif /* PPP_SERVER */ lcp_options *ho = &pcb->lcp_hisoptions; int i; struct protent *protp; +#if PPP_SERVER + int errcode; +#endif /* PPP_SERVER */ /* * Tell higher-level protocols that LCP is up. @@ -749,13 +750,13 @@ void link_established(ppp_pcb *pcb) { (*protp->lowerup)(pcb); } -#if 0 /* UNUSED */ +#if PPP_SERVER #if PPP_ALLOWED_ADDRS if (!auth_required && noauth_addrs != NULL) set_allowed_addrs(unit, NULL, NULL); #endif /* PPP_ALLOWED_ADDRS */ - if (auth_required && !(0 + if (pcb->settings.auth_required && !(0 #if PAP_SUPPORT || go->neg_upap #endif /* PAP_SUPPORT */ @@ -779,14 +780,18 @@ void link_established(ppp_pcb *pcb) { set_allowed_addrs(unit, NULL, NULL); } else #endif /* PPP_ALLOWED_ADDRS */ - if (!wo->neg_upap || uselogin || !null_login(unit)) { + if (!wo->neg_upap || !pcb->settings.null_login) { ppp_warn("peer refused to authenticate: terminating link"); +#if 0 /* UNUSED */ status = EXIT_PEER_AUTH_FAILED; +#endif /* UNUSED */ + errcode = PPPERR_AUTHFAIL; + ppp_ioctl(pcb, PPPCTLS_ERRCODE, &errcode); lcp_close(pcb, "peer refused to authenticate"); return; } } -#endif /* UNUSED */ +#endif /* PPP_SERVER */ new_phase(pcb, PHASE_AUTHENTICATE); auth = 0; @@ -997,10 +1002,14 @@ void continue_networks(ppp_pcb *pcb) { * The peer has failed to authenticate himself using `protocol'. */ void auth_peer_fail(ppp_pcb *pcb, int protocol) { + int errcode = PPPERR_AUTHFAIL; /* * Authentication failure: take the link down */ +#if 0 /* UNUSED */ status = EXIT_PEER_AUTH_FAILED; +#endif /* UNUSED */ + ppp_ioctl(pcb, PPPCTLS_ERRCODE, &errcode); lcp_close(pcb, "Authentication failed"); } 
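Review bot: The block re-enabled by switching `#if 0 /* UNUSED */` to `#if PPP_SERVER` still carries pre-PCB identifiers in its `PPP_ALLOWED_ADDRS` branch: `auth_required`, `noauth_addrs` and `set_allowed_addrs(unit, NULL, NULL)` are unchanged context lines, while the very next condition now reads `pcb->settings.auth_required`. If `PPP_ALLOWED_ADDRS` is ever enabled together with `PPP_SERVER`, this will presumably fail to build or bind to an unrelated global. Either convert the test to `if (!pcb->settings.auth_required && noauth_addrs != NULL)` and pass the PCB, or keep that inner branch under `#if 0` until allowed-address support is ported. link_established continues outside the hunk.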
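Review bot: Replacing `uselogin || !null_login(unit)` with the single bit `pcb->settings.null_login` makes this condition a fail-open switch. When `auth_required` is set, the peer agreed to none of the `go->neg_*` protocols and we asked for PAP (`wo->neg_upap`), a set `null_login` skips `lcp_close()` and execution falls through to `new_phase(pcb, PHASE_AUTHENTICATE)`. That is only visible by reading the condition, so I would add a comment above it, e.g. `/* null_login deliberately admits a peer that refused every auth protocol even though auth_required is set; leave it 0 unless anonymous peers are intended */`. It is also worth confirming that the settings struct is zero-initialised so the default is off; its initialisation is not part of this patch. The enclosing `if` starts in the previous hunk.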
@@ -1064,7 +1073,7 @@ void auth_peer_success(ppp_pcb *pcb, int protocol, int prot_flavor, char *name, * proceed to the network (or callback) phase. */ if ((pcb->auth_pending &= ~bit) == 0) - network_phase(unit); + network_phase(pcb); } #endif /* PPP_SERVER */ diff --git a/src/netif/ppp/chap-md5.c b/src/netif/ppp/chap-md5.c index 5e0fc714..624e690b 100644 --- a/src/netif/ppp/chap-md5.c +++ b/src/netif/ppp/chap-md5.c @@ -83,11 +83,11 @@ static int chap_md5_verify_response(int id, char *name, /* Test if our hash matches the peer's response */ if (memcmp(hash, response, MD5_HASH_SIZE) == 0) { - slprintf(message, message_space, "Access granted"); + ppp_slprintf(message, message_space, "Access granted"); return 1; } } - slprintf(message, message_space, "Access denied"); + ppp_slprintf(message, message_space, "Access denied"); return 0; } #endif /* PPP_SERVER */ diff --git a/src/netif/ppp/chap-new.c b/src/netif/ppp/chap-new.c index 5d71de0b..1adf5576 100644 --- a/src/netif/ppp/chap-new.c +++ b/src/netif/ppp/chap-new.c @@ -69,12 +69,6 @@ static option_t chap_option_list[] = { }; #endif /* PPP_OPTIONS */ -/* - * These limits apply to challenge and response packets we send. - * The +4 is the +1 that we actually need rounded up. - */ -#define CHAL_MAX_PKTLEN (PPP_HDRLEN + CHAP_HDRLEN + 4 + MAX_CHALLENGE_LEN + MAXNAMELEN) -#define RESP_MAX_PKTLEN (PPP_HDRLEN + CHAP_HDRLEN + 4 + MAX_RESPONSE_LEN + MAXNAMELEN) /* Values for flags in chap_client_state and chap_server_state */ #define LOWERUP 1 @@ -168,7 +162,7 @@ static void chap_lowerdown(ppp_pcb *pcb) { * otherwise we wait for the lower layer to come up. */ void chap_auth_peer(ppp_pcb *pcb, char *our_name, int digest_code) { - struct chap_server_state *ss = &server; + struct chap_server_state *ss = &pcb->chap_server; struct chap_digest_type *dp; if (pcb->chap_server.flags & AUTH_STARTED) { 
@@ -309,10 +303,12 @@ static void chap_handle_response(ppp_pcb *pcb, int id, pcb->chap_server.flags &= ~TIMEOUT_PENDING; UNTIMEOUT(chap_timeout, pcb); } - - if (explicit_remote) { - name = remote_name; - } else { +#if PPP_REMOTENAME + if (pcb->settings.explicit_remote) { + name = pcb->remote_name; + } else +#endif /* PPP_REMOTENAME */ + { /* Null terminate and clean remote name. */ ppp_slprintf(rname, sizeof(rname), "%.*v", len, name); name = rname; @@ -409,12 +405,14 @@ static int chap_verify_response(char *name, char *ourname, int id, unsigned char secret[MAXSECRETLEN]; int secret_len; +/* FIXME: we need a way to check peer secret */ +#if 0 /* Get the secret that the peer is supposed to know */ if (!get_secret(pcb, name, ourname, (char *)secret, &secret_len, 1)) { ppp_error("No CHAP secret found for authenticating %q", name); return 0; } - +#endif ok = digest->verify_response(id, name, secret, secret_len, challenge, response, message, message_space); memset(secret, 0, sizeof(secret)); diff --git a/src/netif/ppp/chap_ms.c b/src/netif/ppp/chap_ms.c index cbbcf53c..7c51614a 100644 --- a/src/netif/ppp/chap_ms.c +++ b/src/netif/ppp/chap_ms.c @@ -217,7 +217,7 @@ static int chapms_verify_response(int id, char *name, #ifndef MSLANMAN if (!response[MS_CHAP_USENT]) { /* Should really propagate this into the error packet. */ - notice("Peer request for LANMAN auth not supported"); + ppp_notice("Peer request for LANMAN auth not supported"); goto bad; } #endif @@ -236,13 +236,13 @@ static int chapms_verify_response(int id, char *name, MS_CHAP_NTRESP_LEN); if (diff == 0) { - slprintf(message, message_space, "Access granted"); + ppp_slprintf(message, message_space, "Access granted"); return 1; } bad: /* See comments below for MS-CHAP V2 */ - slprintf(message, message_space, "E=691 R=1 C=%0.*B V=0", + ppp_slprintf(message, message_space, "E=691 R=1 C=%0.*B V=0", challenge_len, challenge); return 0; } 
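Review bot: In the chap_verify_response hunk (`@@ -409,12 +405,14 @@`), wrapping the `get_secret()` call in `#if 0` means `secret` and `secret_len` are never written before `digest->verify_response(id, name, secret, secret_len, ...)` reads them. The server-side CHAP verdict is then computed over uninitialised stack bytes and an indeterminate length. Until a secret lookup exists, this path should fail closed instead of falling through: replace the disabled block with `ppp_error("CHAP: peer secret lookup not implemented"); return 0;`. The disabled call also passes `pcb`, which is not among the parameters on the visible signature line, so re-enabling it will presumably need the PCB threaded through. The function starts and ends outside the hunk.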
@@ -288,9 +288,9 @@ static int chapms2_verify_response(int id, char *name, if (memcmp(&md[MS_CHAP2_NTRESP], &response[MS_CHAP2_NTRESP], MS_CHAP2_NTRESP_LEN) == 0) { if (response[MS_CHAP2_FLAGS]) - slprintf(message, message_space, "S=%s", saresponse); + ppp_slprintf(message, message_space, "S=%s", saresponse); else - slprintf(message, message_space, "S=%s M=%s", + ppp_slprintf(message, message_space, "S=%s M=%s", saresponse, "Access granted"); return 1; } @@ -317,7 +317,7 @@ static int chapms2_verify_response(int id, char *name, * Basically, this whole bit is useless code, even the small * implementation here is only because of overspecification. */ - slprintf(message, message_space, "E=691 R=1 C=%0.*B V=0 M=%s", + ppp_slprintf(message, message_space, "E=691 R=1 C=%0.*B V=0 M=%s", challenge_len, challenge, "Access denied"); return 0; } diff --git a/src/netif/ppp/eap.c b/src/netif/ppp/eap.c index 235c0cd3..f0df3d08 100644 --- a/src/netif/ppp/eap.c +++ b/src/netif/ppp/eap.c @@ -258,11 +258,7 @@ void eap_authwithpeer(ppp_pcb *pcb, char *localname) { * Format a standard EAP Failure message and send it to the peer. * (Server operation) */ -static void -eap_send_failure(esp) -eap_state *esp; -{ - ppp_pcb *pcb = &ppp_pcb_list[pcb->eap.es_unit]; +static void eap_send_failure(ppp_pcb *pcb) { struct pbuf *p; u_char *outp; @@ -293,11 +289,7 @@ eap_state *esp; * Format a standard EAP Success message and send it to the peer. * (Server operation) */ -static void -eap_send_success(esp) -eap_state *esp; -{ - ppp_pcb *pcb = &ppp_pcb_list[pcb->eap.es_unit]; +static void eap_send_success(ppp_pcb *pcb) { struct pbuf *p; u_char *outp; 
@@ -441,11 +433,7 @@ u_char *outp; * indicates if there was an error in handling the last query. It is * 0 for success and non-zero for failure. */ -static void -eap_figure_next_state(esp, status) -eap_state *esp; -int status; -{ +static void eap_figure_next_state(ppp_pcb *pcb, int status) { #ifdef USE_SRP unsigned char secbuf[MAXWORDLEN], clear[8], *sp, *dp; struct t_pw tpw; @@ -651,18 +639,14 @@ int status; break; } if (pcb->eap.es_server.ea_state == eapBadAuth) - eap_send_failure(esp); + eap_send_failure(pcb); } /* * Format an EAP Request message and send it to the peer. Message * type depends on current state. (Server operation) */ -static void -eap_send_request(esp) -eap_state *esp; -{ - ppp_pcb *pcb = &ppp_pcb_list[pcb->eap.es_unit]; +static void eap_send_request(ppp_pcb *pcb) { struct pbuf *p; u_char *outp; u_char *lenloc; @@ -682,16 +666,18 @@ eap_state *esp; if (pcb->eap.es_server.ea_state < eapIdentify && pcb->eap.es_server.ea_state != eapInitial) { pcb->eap.es_server.ea_state = eapIdentify; - if (explicit_remote) { +#if PPP_REMOTENAME + if (pcb->settings.explicit_remote) { /* * If we already know the peer's * unauthenticated name, then there's no * reason to ask. Go to next state instead. */ - pcb->eap.es_server.ea_peer = remote_name; - pcb->eap.es_server.ea_peerlen = strlen(remote_name); - eap_figure_next_state(esp, 0); + pcb->eap.es_server.ea_peer = pcb->remote_name; + pcb->eap.es_server.ea_peerlen = strlen(pcb->remote_name); + eap_figure_next_state(pcb, 0); } +#endif /* PPP_REMOTENAME */ } if (pcb->eap.es_server.ea_maxrequests > 0 && @@ -700,7 +686,7 @@ eap_state *esp; ppp_error("EAP: too many Requests sent"); else ppp_error("EAP: no response to Requests"); - eap_send_failure(esp); + eap_send_failure(pcb); return; } @@ -888,7 +874,7 @@ eap_state *esp; return; } - outlen = (outp - p->payload) - PPP_HDRLEN; + outlen = (outp - (unsigned char*)p->payload) - PPP_HDRLEN; PUTSHORT(outlen, lenloc); pbuf_realloc(p, outlen + PPP_HDRLEN); 
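Review bot: In the eap_send_request hunk (`@@ -682,16 +666,18 @@`), `pcb->eap.es_server.ea_peer = pcb->remote_name;` makes `ea_peer` a borrowed pointer, while the Identity handler in eap_response stores a `malloc()`ed buffer in the same field. The only thing separating the two at `free()` time is the pointer comparison in eap_lowerup and eap_response. I would document that at the assignment with `/* ea_peer aliases pcb->remote_name here (not heap-owned); every free() of ea_peer must compare against pcb->remote_name first */`, so a later cleanup path does not free storage it does not own. eap_send_request starts and ends outside this hunk.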
@@ -907,7 +893,6 @@ eap_state *esp; * after eap_lowerup. */ void eap_authpeer(ppp_pcb *pcb, char *localname) { - eap_state *esp = &eap_states[unit]; /* Save the name we're given. */ pcb->eap.es_server.ea_name = localname; @@ -925,7 +910,7 @@ void eap_authpeer(ppp_pcb *pcb, char *localname) { pcb->eap.es_server.ea_state = eapPending; /* ID number not updated here intentionally; hashed into M1 */ - eap_send_request(esp); + eap_send_request(pcb); } /* @@ -935,11 +920,11 @@ void eap_authpeer(ppp_pcb *pcb, char *localname) { static void eap_server_timeout(void *arg) { ppp_pcb *pcb = (ppp_pcb*)arg; - if (!eap_server_active(esp)) + if (!eap_server_active(pcb)) return; /* EAP ID number must not change on timeout. */ - eap_send_request(esp); + eap_send_request(pcb); } /* @@ -947,11 +932,8 @@ static void eap_server_timeout(void *arg) { * called. Once the rechallenge is successful, the response handler * will restart the timer. If it fails, then the link is dropped. */ -static void -eap_rechallenge(arg) -void *arg; -{ - eap_state *esp = (eap_state *)arg; +static void eap_rechallenge(void *arg) { + ppp_pcb *pcb = (ppp_pcb*)arg; if (pcb->eap.es_server.ea_state != eapOpen && pcb->eap.es_server.ea_state != eapSRP4) @@ -959,16 +941,13 @@ void *arg; pcb->eap.es_server.ea_requests = 0; pcb->eap.es_server.ea_state = eapIdentify; - eap_figure_next_state(esp, 0); + eap_figure_next_state(pcb, 0); pcb->eap.es_server.ea_id++; - eap_send_request(esp); + eap_send_request(pcb); } -static void -srp_lwrechallenge(arg) -void *arg; -{ - eap_state *esp = (eap_state *)arg; +static void srp_lwrechallenge(void *arg) { + ppp_pcb *pcb = (ppp_pcb*)arg; if (pcb->eap.es_server.ea_state != eapOpen || pcb->eap.es_server.ea_type != EAPT_SRP) @@ -977,7 +956,7 @@ void *arg; pcb->eap.es_server.ea_requests = 0; pcb->eap.es_server.ea_state = eapSRP4; pcb->eap.es_server.ea_id++; - eap_send_request(esp); + eap_send_request(pcb); } #endif /* PPP_SERVER */ 
@@ -993,8 +972,11 @@ static void eap_lowerup(ppp_pcb *pcb) { /* Discard any (possibly authenticated) peer name. */ #if PPP_SERVER - if (pcb->eap.es_server.ea_peer != NULL && - pcb->eap.es_server.ea_peer != remote_name) + if (pcb->eap.es_server.ea_peer != NULL +#if PPP_REMOTENAME + && pcb->eap.es_server.ea_peer != pcb->remote_name +#endif /* PPP_REMOTENAME */ + ) free(pcb->eap.es_server.ea_peer); pcb->eap.es_server.ea_peer = NULL; #endif /* PPP_SERVER */ @@ -1019,7 +1001,7 @@ static void eap_lowerdown(ppp_pcb *pcb) { UNTIMEOUT(eap_client_timeout, pcb); } #if PPP_SERVER - if (eap_server_active(esp)) { + if (eap_server_active(pcb)) { if (pcb->eap.es_server.ea_timeout > 0) { UNTIMEOUT(eap_server_timeout, pcb); } @@ -1027,11 +1009,11 @@ static void eap_lowerdown(ppp_pcb *pcb) { if ((pcb->eap.es_server.ea_state == eapOpen || pcb->eap.es_server.ea_state == eapSRP4) && pcb->eap.es_rechallenge > 0) { - UNTIMEOUT(eap_rechallenge, (void *)esp); + UNTIMEOUT(eap_rechallenge, (void *)pcb); } if (pcb->eap.es_server.ea_state == eapOpen && pcb->eap.es_lwrechallenge > 0) { - UNTIMEOUT(srp_lwrechallenge, (void *)esp); + UNTIMEOUT(srp_lwrechallenge, (void *)pcb); } } @@ -1053,7 +1035,7 @@ static void eap_protrej(ppp_pcb *pcb) { auth_withpeer_fail(pcb, PPP_EAP); } #if PPP_SERVER - if (eap_server_active(esp)) { + if (eap_server_active(pcb)) { ppp_error("EAP authentication of peer failed on Protocol-Reject"); auth_peer_fail(pcb, PPP_EAP); } 
@@ -1807,19 +1789,22 @@ static void eap_response(ppp_pcb *pcb, u_char *inp, int id, int len) { break; } ppp_info("EAP: unauthenticated peer name \"%.*q\"", len, inp); - if (pcb->eap.es_server.ea_peer != NULL && - pcb->eap.es_server.ea_peer != remote_name) + if (pcb->eap.es_server.ea_peer != NULL +#if PPP_REMOTENAME + && pcb->eap.es_server.ea_peer != pcb->remote_name +#endif /* PPP_REMOTENAME */ + ) free(pcb->eap.es_server.ea_peer); pcb->eap.es_server.ea_peer = malloc(len + 1); if (pcb->eap.es_server.ea_peer == NULL) { pcb->eap.es_server.ea_peerlen = 0; - eap_figure_next_state(esp, 1); + eap_figure_next_state(pcb, 1); break; } MEMCPY(pcb->eap.es_server.ea_peer, inp, len); pcb->eap.es_server.ea_peer[len] = '\0'; pcb->eap.es_server.ea_peerlen = len; - eap_figure_next_state(esp, 0); + eap_figure_next_state(pcb, 0); break; case EAPT_NOTIFICATION: @@ -1829,16 +1814,20 @@ static void eap_response(ppp_pcb *pcb, u_char *inp, int id, int len) { case EAPT_NAK: if (len < 1) { ppp_info("EAP: Nak Response with no suggested protocol"); - eap_figure_next_state(esp, 1); + eap_figure_next_state(pcb, 1); break; } GETCHAR(vallen, inp); len--; - if (!explicit_remote && pcb->eap.es_server.ea_state == eapIdentify){ + if ( +#if PPP_REMOTENAME + !pcb->explicit_remote && +#endif /* PPP_REMOTENAME */ + pcb->eap.es_server.ea_state == eapIdentify){ /* Peer cannot Nak Identify Request */ - eap_figure_next_state(esp, 1); + eap_figure_next_state(pcb, 1); break; } @@ -1846,7 +1835,7 @@ static void eap_response(ppp_pcb *pcb, u_char *inp, int id, int len) { case EAPT_SRP: /* Run through SRP validator selection again. */ pcb->eap.es_server.ea_state = eapIdentify; - eap_figure_next_state(esp, 0); + eap_figure_next_state(pcb, 0); break; case EAPT_MD5CHAP: 
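Review bot: The Nak check in hunk `@@ -1829,16 +1814,20 @@` reads `!pcb->explicit_remote`, but ppp.h declares the flag inside `ppp_settings_s` and the rest of this patch uses `pcb->settings.explicit_remote` (chap_handle_response, eap_send_request); it should be `!pcb->settings.explicit_remote &&`. The same incomplete conversion is in the MD5-Response hunk at `@@ -1902,10 +1891,12 @@`, where the newly guarded lines still use the bare `explicit_remote` and `remote_name`; those should become `pcb->settings.explicit_remote` and `pcb->remote_name`. Both sit in the server-side handling of the peer's claimed identity, so they are worth fixing before `PPP_SERVER` is first built with `PPP_REMOTENAME`. eap_response continues outside these hunks.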
@@ -1864,7 +1853,7 @@ static void eap_response(ppp_pcb *pcb, u_char *inp, int id, int len) { case eapMD5Chall: case eapSRP4: pcb->eap.es_server.ea_state = eapIdentify; - eap_figure_next_state(esp, 0); + eap_figure_next_state(pcb, 0); break; default: break; @@ -1876,19 +1865,19 @@ static void eap_response(ppp_pcb *pcb, u_char *inp, int id, int len) { case EAPT_MD5CHAP: if (pcb->eap.es_server.ea_state != eapMD5Chall) { ppp_error("EAP: unexpected MD5-Response"); - eap_figure_next_state(esp, 1); + eap_figure_next_state(pcb, 1); break; } if (len < 1) { ppp_error("EAP: received MD5-Response with no data"); - eap_figure_next_state(esp, 1); + eap_figure_next_state(pcb, 1); break; } GETCHAR(vallen, inp); len--; if (vallen != 16 || vallen > len) { ppp_error("EAP: MD5-Response with bad length %d", vallen); - eap_figure_next_state(esp, 1); + eap_figure_next_state(pcb, 1); break; } @@ -1902,10 +1891,12 @@ static void eap_response(ppp_pcb *pcb, u_char *inp, int id, int len) { rhostname[len - vallen] = '\0'; } +#if PPP_REMOTENAME /* In case the remote doesn't give us his name. */ if (explicit_remote || (remote_name[0] != '\0' && vallen == len)) strlcpy(rhostname, remote_name, sizeof (rhostname)); +#endif /* PPP_REMOTENAME */ /* * Get the secret for authenticating the specified @@ -1914,7 +1905,7 @@ static void eap_response(ppp_pcb *pcb, u_char *inp, int id, int len) { if (!get_secret(pcb, rhostname, pcb->eap.es_server.ea_name, secret, &secret_len, 1)) { ppp_dbglog("EAP: no MD5 secret for auth of %q", rhostname); - eap_send_failure(esp); + eap_send_failure(pcb); break; } md5_starts(&mdContext); 
@@ -1924,21 +1915,21 @@ static void eap_response(ppp_pcb *pcb, u_char *inp, int id, int len) { md5_update(&mdContext, pcb->eap.es_challenge, pcb->eap.es_challen); md5_finish(&mdContext, hash); if (BCMP(hash, inp, MD5_SIGNATURE_SIZE) != 0) { - eap_send_failure(esp); + eap_send_failure(pcb); break; } pcb->eap.es_server.ea_type = EAPT_MD5CHAP; - eap_send_success(esp); - eap_figure_next_state(esp, 0); + eap_send_success(pcb); + eap_figure_next_state(pcb, 0); if (pcb->eap.es_rechallenge != 0) - TIMEOUT(eap_rechallenge, esp, pcb->eap.es_rechallenge); + TIMEOUT(eap_rechallenge, pcb, pcb->eap.es_rechallenge); break; #ifdef USE_SRP case EAPT_SRP: if (len < 1) { ppp_error("EAP: empty SRP Response"); - eap_figure_next_state(esp, 1); + eap_figure_next_state(pcb, 1); break; } GETCHAR(typenum, inp); @@ -1947,7 +1938,7 @@ static void eap_response(ppp_pcb *pcb, u_char *inp, int id, int len) { case EAPSRP_CKEY: if (pcb->eap.es_server.ea_state != eapSRP1) { ppp_error("EAP: unexpected SRP Subtype 1 Response"); - eap_figure_next_state(esp, 1); + eap_figure_next_state(pcb, 1); break; } A.data = inp; @@ -1958,22 +1949,22 @@ static void eap_response(ppp_pcb *pcb, u_char *inp, int id, int len) { if (pcb->eap.es_server.ea_skey == NULL) { /* Client's A value is bogus; terminate now */ ppp_error("EAP: bogus A value from client"); - eap_send_failure(esp); + eap_send_failure(pcb); } else { - eap_figure_next_state(esp, 0); + eap_figure_next_state(pcb, 0); } break; case EAPSRP_CVALIDATOR: if (pcb->eap.es_server.ea_state != eapSRP2) { ppp_error("EAP: unexpected SRP Subtype 2 Response"); - eap_figure_next_state(esp, 1); + eap_figure_next_state(pcb, 1); break; } if (len < sizeof (u32_t) + SHA_DIGESTSIZE) { ppp_error("EAP: M1 length %d < %d", len, sizeof (u32_t) + SHA_DIGESTSIZE); - eap_figure_next_state(esp, 1); + eap_figure_next_state(pcb, 1); break; } GETLONG(pcb->eap.es_server.ea_keyflags, inp); 
@@ -1981,10 +1972,10 @@ static void eap_response(ppp_pcb *pcb, u_char *inp, int id, int len) { assert(ts != NULL); if (t_serververify(ts, inp)) { ppp_info("EAP: unable to validate client identity"); - eap_send_failure(esp); + eap_send_failure(pcb); break; } - eap_figure_next_state(esp, 0); + eap_figure_next_state(pcb, 0); break; case EAPSRP_ACK: @@ -1994,13 +1985,13 @@ static void eap_response(ppp_pcb *pcb, u_char *inp, int id, int len) { break; } pcb->eap.es_server.ea_type = EAPT_SRP; - eap_send_success(esp); - eap_figure_next_state(esp, 0); + eap_send_success(pcb, esp); + eap_figure_next_state(pcb, 0); if (pcb->eap.es_rechallenge != 0) - TIMEOUT(eap_rechallenge, esp, + TIMEOUT(eap_rechallenge, pcb, pcb->eap.es_rechallenge); if (pcb->eap.es_lwrechallenge != 0) - TIMEOUT(srp_lwrechallenge, esp, + TIMEOUT(srp_lwrechallenge, pcb, pcb->eap.es_lwrechallenge); break; @@ -2025,7 +2016,7 @@ static void eap_response(ppp_pcb *pcb, u_char *inp, int id, int len) { SHA1Final(dig, &ctxt); if (BCMP(dig, inp, SHA_DIGESTSIZE) != 0) { ppp_error("EAP: failed Lightweight rechallenge"); - eap_send_failure(esp); + eap_send_failure(pcb); break; } pcb->eap.es_server.ea_state = eapOpen; @@ -2050,7 +2041,7 @@ static void eap_response(ppp_pcb *pcb, u_char *inp, int id, int len) { if (pcb->eap.es_server.ea_state != eapBadAuth && pcb->eap.es_server.ea_state != eapOpen) { pcb->eap.es_server.ea_id++; - eap_send_request(esp); + eap_send_request(pcb); } } #endif /* PPP_SERVER */ diff --git a/src/netif/ppp/upap.c b/src/netif/ppp/upap.c index fd470ac8..221b9c36 100644 --- a/src/netif/ppp/upap.c +++ b/src/netif/ppp/upap.c 
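Review bot: In the `EAPSRP_ACK` case (hunk `@@ -1994,13 +1985,13 @@`), `eap_send_success(pcb, esp);` passes two arguments to a function this patch redefines as `eap_send_success(ppp_pcb *pcb)`. `esp` is also not a parameter of eap_response, so the line should read `eap_send_success(pcb);`. It is under `USE_SRP`, so the error only surfaces when SRP is compiled in, which is presumably why it slipped through. eap_response starts and ends outside the hunk.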
@@ -120,16 +120,14 @@ struct protent pap_protent = { static void upap_timeout(void *arg); #if PPP_SERVER static void upap_reqtimeout(void *arg); -#endif /* PPP_SERVER */ -#if 0 /* UNUSED */ static void upap_rauthreq(ppp_pcb *pcb, u_char *inp, int id, int len); -#endif /* UNUSED */ +#endif /* PPP_SERVER */ static void upap_rauthack(ppp_pcb *pcb, u_char *inp, int id, int len); static void upap_rauthnak(ppp_pcb *pcb, u_char *inp, int id, int len); static void upap_sauthreq(ppp_pcb *pcb); -#if 0 /* UNUSED */ +#if PPP_SERVER static void upap_sresp(ppp_pcb *pcb, u_char code, u_char id, char *msg, int msglen); -#endif /* UNUSED */ +#endif /* PPP_SERVER */ /* @@ -255,7 +253,7 @@ static void upap_lowerup(ppp_pcb *pcb) { else if (pcb->upap.us_serverstate == UPAPSS_PENDING) { pcb->upap.us_serverstate = UPAPSS_LISTEN; if (pcb->upap.us_reqtimeout > 0) - TIMEOUT(upap_reqtimeout, u, pcb->upap.us_reqtimeout); + TIMEOUT(upap_reqtimeout, pcb, pcb->upap.us_reqtimeout); } #endif /* PPP_SERVER */ } @@ -272,7 +270,7 @@ static void upap_lowerdown(ppp_pcb *pcb) { UNTIMEOUT(upap_timeout, pcb); /* Cancel timeout */ #if PPP_SERVER if (pcb->upap.us_serverstate == UPAPSS_LISTEN && pcb->upap.us_reqtimeout > 0) - UNTIMEOUT(upap_reqtimeout, u); + UNTIMEOUT(upap_reqtimeout, pcb); #endif /* PPP_SERVER */ pcb->upap.us_clientstate = UPAPCS_INITIAL; @@ -338,9 +336,9 @@ static void upap_input(ppp_pcb *pcb, u_char *inpacket, int l) { */ switch (code) { case UPAP_AUTHREQ: -#if 0 /* UNUSED */ +#if PPP_SERVER upap_rauthreq(pcb, inp, id, len); -#endif /* UNUSED */ +#endif /* PPP_SERVER */ break; case UPAP_AUTHACK: @@ -356,7 +354,7 @@ static void upap_input(ppp_pcb *pcb, u_char *inpacket, int l) { } } -#if 0 /* UNUSED */ +#if PPP_SERVER /* * upap_rauth - Receive Authenticate. */ 
@@ -376,11 +374,11 @@ static void upap_rauthreq(ppp_pcb *pcb, u_char *inp, int id, int len) { * supposed to return the same status as for the first request. */ if (pcb->upap.us_serverstate == UPAPSS_OPEN) { - upap_sresp(u, UPAP_AUTHACK, id, "", 0); /* return auth-ack */ + upap_sresp(pcb, UPAP_AUTHACK, id, "", 0); /* return auth-ack */ return; } if (pcb->upap.us_serverstate == UPAPSS_BADAUTH) { - upap_sresp(u, UPAP_AUTHNAK, id, "", 0); /* return auth-nak */ + upap_sresp(pcb, UPAP_AUTHNAK, id, "", 0); /* return auth-nak */ return; } @@ -404,16 +402,18 @@ static void upap_rauthreq(ppp_pcb *pcb, u_char *inp, int id, int len) { UPAPDEBUG(("pap_rauth: rcvd short packet.")); return; } + + /* FIXME: we need a way to check peer secret */ rpasswd = (char *) inp; /* * Check the username and password given. */ +#if 0 retcode = check_passwd(pcb->upap.us_unit, ruser, ruserlen, rpasswd, rpasswdlen, &msg); BZERO(rpasswd, rpasswdlen); -#if 0 /* UNUSED */ /* * Check remote number authorization. A plugin may have filled in * the remote number or added an allowed number, and rather than 
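Review bot: In hunk `@@ -404,16 +402,18 @@`, moving `#if 0` above the `check_passwd()` call leaves `retcode` and `msg` unassigned, unless they are initialised at their declaration, which is outside the hunk. The code after the matching `#endif` (hunk `@@ -426,30 +426,30 @@`) still calls `strlen(msg)`, sends `retcode` to the peer and calls `auth_peer_success()` when `retcode == UPAP_AUTHACK`. Because `upap_rauthreq` is now compiled under `PPP_SERVER`, an indeterminate value decides the PAP verdict. `BZERO(rpasswd, rpasswdlen)` is also inside the disabled region, so the cleartext password is no longer wiped from the packet buffer. Until a credential check exists, fail closed and keep the wipe, e.g. `retcode = UPAP_AUTHNAK; msg = "";` before the `#if 0` and `BZERO(rpasswd, rpasswdlen);` after the `#endif`.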
@@ -426,30 +426,30 @@ static void upap_rauthreq(ppp_pcb *pcb, u_char *inp, int id, int len) { warn("calling number %q is not authorized", remote_number); } } -#endif /* UNUSED */ +#endif msglen = strlen(msg); if (msglen > 255) msglen = 255; - upap_sresp(u, retcode, id, msg, msglen); + upap_sresp(pcb, retcode, id, msg, msglen); /* Null terminate and clean remote name. */ - slprintf(rhostname, sizeof(rhostname), "%.*v", ruserlen, ruser); + ppp_slprintf(rhostname, sizeof(rhostname), "%.*v", ruserlen, ruser); if (retcode == UPAP_AUTHACK) { pcb->upap.us_serverstate = UPAPSS_OPEN; - notice("PAP peer authentication succeeded for %q", rhostname); + ppp_notice("PAP peer authentication succeeded for %q", rhostname); auth_peer_success(pcb, PPP_PAP, 0, ruser, ruserlen); } else { pcb->upap.us_serverstate = UPAPSS_BADAUTH; - warn("PAP peer authentication failed for %q", rhostname); + ppp_warn("PAP peer authentication failed for %q", rhostname); auth_peer_fail(pcb, PPP_PAP); } if (pcb->upap.us_reqtimeout > 0) - UNTIMEOUT(upap_reqtimeout, u); + UNTIMEOUT(upap_reqtimeout, pcb); } -#endif /* UNUSED */ +#endif /* PPP_SERVER */ /* * upap_rauthack - Receive Authenticate-Ack. @@ -557,7 +557,7 @@ static void upap_sauthreq(ppp_pcb *pcb) { pcb->upap.us_clientstate = UPAPCS_AUTHREQ; } -#if 0 /* UNUSED */ +#if PPP_SERVER /* * upap_sresp - Send a response (ack or nak). */ @@ -586,7 +586,7 @@ static void upap_sresp(ppp_pcb *pcb, u_char code, u_char id, char *msg, int msgl ppp_write(pcb, p); } -#endif /* UNUSED */ +#endif /* PPP_SERVER */ #if PRINTPKT_SUPPORT /*