Annotation of embedaddon/mpd/src/auth.c, revision 1.1.1.1
1.1 misho 1:
2: /*
3: * auth.c
4: *
5: * Written by Archie Cobbs <archie@freebsd.org>
6: * Copyright (c) 1995-1999 Whistle Communications, Inc. All rights reserved.
7: * See ``COPYRIGHT.whistle''
8: */
9:
10: #include "ppp.h"
11: #include "auth.h"
12: #include "pap.h"
13: #include "chap.h"
14: #include "lcp.h"
15: #include "log.h"
16: #include "ngfunc.h"
17: #include "msoft.h"
18: #include "util.h"
19:
20: #ifdef USE_PAM
21: #include <security/pam_appl.h>
22: #endif
23: #ifdef USE_SYSTEM
24: #if __FreeBSD_version >= 900007
25: #include <utmpx.h>
26: #else
27: #include <utmp.h>
28: #include <libutil.h>
29: #endif
30: #endif
31:
32: /*
33: * DEFINITIONS
34: */
35:
36: #ifdef USE_OPIE
37: #define OPIE_ALG_MD5 5
38: #endif
39:
40: /*
41: * INTERNAL FUNCTIONS
42: */
43:
44: static void AuthTimeout(void *arg);
45: static int AuthGetExternalPassword(char * extcmd, char *authname,
46: char *password, size_t passlen);
47: static void AuthAsync(void *arg);
48: static void AuthAsyncFinish(void *arg, int was_canceled);
49: static int AuthPreChecks(AuthData auth);
50: static void AuthAccount(void *arg);
51: static void AuthAccountFinish(void *arg, int was_canceled);
52: static void AuthInternal(AuthData auth);
53: static int AuthExternal(AuthData auth);
54: static int AuthExternalAcct(AuthData auth);
55: #ifdef USE_SYSTEM
56: static void AuthSystem(AuthData auth);
57: static int AuthSystemAcct(AuthData auth);
58: #endif
59: #ifdef USE_PAM
60: static void AuthPAM(AuthData auth);
61: static int AuthPAMAcct(AuthData auth);
62: static int pam_conv(int n, const struct pam_message **msg,
63: struct pam_response **resp, void *data);
64: #endif
65: #ifdef USE_OPIE
66: static void AuthOpie(AuthData auth);
67: #endif
68: static const char *AuthCode(int proto, u_char code, char *buf, size_t len);
69: static int AuthSetCommand(Context ctx, int ac, char *av[], void *arg);
70:
71: /* Set menu options */
72: enum {
73: SET_ACCEPT,
74: SET_DENY,
75: SET_ENABLE,
76: SET_DISABLE,
77: SET_YES,
78: SET_NO,
79: SET_AUTHNAME,
80: SET_PASSWORD,
81: SET_EXTAUTH_SCRIPT,
82: SET_EXTACCT_SCRIPT,
83: SET_MAX_LOGINS,
84: SET_ACCT_UPDATE,
85: SET_ACCT_UPDATE_LIMIT_IN,
86: SET_ACCT_UPDATE_LIMIT_OUT,
87: SET_TIMEOUT
88: };
89:
90: /*
91: * GLOBAL VARIABLES
92: */
93:
94: const struct cmdtab AuthSetCmds[] = {
95: { "max-logins {num}", "Max concurrent logins",
96: AuthSetCommand, NULL, 2, (void *) SET_MAX_LOGINS },
97: { "authname {name}", "Authentication name",
98: AuthSetCommand, NULL, 2, (void *) SET_AUTHNAME },
99: { "password {pass}", "Authentication password",
100: AuthSetCommand, NULL, 2, (void *) SET_PASSWORD },
101: { "extauth-script {script}", "Authentication script",
102: AuthSetCommand, NULL, 2, (void *) SET_EXTAUTH_SCRIPT },
103: { "extacct-script {script}", "Accounting script",
104: AuthSetCommand, NULL, 2, (void *) SET_EXTACCT_SCRIPT },
105: { "acct-update {seconds}", "set update interval",
106: AuthSetCommand, NULL, 2, (void *) SET_ACCT_UPDATE },
107: { "update-limit-in {bytes}", "set update suppresion limit",
108: AuthSetCommand, NULL, 2, (void *) SET_ACCT_UPDATE_LIMIT_IN },
109: { "update-limit-out {bytes}", "set update suppresion limit",
110: AuthSetCommand, NULL, 2, (void *) SET_ACCT_UPDATE_LIMIT_OUT },
111: { "timeout {seconds}", "set auth timeout",
112: AuthSetCommand, NULL, 2, (void *) SET_TIMEOUT },
113: { "accept [opt ...]", "Accept option",
114: AuthSetCommand, NULL, 2, (void *) SET_ACCEPT },
115: { "deny [opt ...]", "Deny option",
116: AuthSetCommand, NULL, 2, (void *) SET_DENY },
117: { "enable [opt ...]", "Enable option",
118: AuthSetCommand, NULL, 2, (void *) SET_ENABLE },
119: { "disable [opt ...]", "Disable option",
120: AuthSetCommand, NULL, 2, (void *) SET_DISABLE },
121: { "yes [opt ...]", "Enable and accept option",
122: AuthSetCommand, NULL, 2, (void *) SET_YES },
123: { "no [opt ...]", "Disable and deny option",
124: AuthSetCommand, NULL, 2, (void *) SET_NO },
125: { NULL },
126: };
127:
128: const u_char gMsoftZeros[32];
129: int gMaxLogins = 0; /* max number of concurrent logins per user */
130: int gMaxLoginsCI = 0;
131:
132: /*
133: * INTERNAL VARIABLES
134: */
135:
136: static struct confinfo gConfList[] = {
137: { 0, AUTH_CONF_RADIUS_AUTH, "radius-auth" },
138: { 0, AUTH_CONF_RADIUS_ACCT, "radius-acct" },
139: { 0, AUTH_CONF_INTERNAL, "internal" },
140: { 0, AUTH_CONF_EXT_AUTH, "ext-auth" },
141: { 0, AUTH_CONF_EXT_ACCT, "ext-acct" },
142: #ifdef USE_SYSTEM
143: { 0, AUTH_CONF_SYSTEM_AUTH, "system-auth" },
144: { 0, AUTH_CONF_SYSTEM_ACCT, "system-acct" },
145: #endif
146: #ifdef USE_PAM
147: { 0, AUTH_CONF_PAM_AUTH, "pam-auth" },
148: { 0, AUTH_CONF_PAM_ACCT, "pam-acct" },
149: #endif
150: #ifdef USE_OPIE
151: { 0, AUTH_CONF_OPIE, "opie" },
152: #endif
153: { 0, AUTH_CONF_ACCT_MANDATORY, "acct-mandatory" },
154: { 0, 0, NULL },
155: };
156:
157: void
158: ACLCopy(struct acl *src, struct acl **dst)
159: {
160: while (src != NULL) {
161: *dst = Mdup(MB_AUTH, src, sizeof(struct acl) + strlen(src->rule));
162: src = src->next;
163: dst = &((*dst)->next);
164: };
165: *dst = NULL;
166: }
167:
168: void
169: ACLDestroy(struct acl *acl)
170: {
171: struct acl *acl1;
172:
173: while (acl != NULL) {
174: acl1 = acl->next;
175: Freee(acl);
176: acl = acl1;
177: };
178: }
179:
180: void authparamsInit(struct authparams *ap) {
181: memset(ap,0,sizeof(struct authparams));
182: ap->msdomain = NULL;
183: #ifdef SIOCSIFDESCR
184: ap->ifdescr = NULL;
185: #endif
186: SLIST_INIT(&ap->routes);
187: }
188:
189: void authparamsDestroy(struct authparams *ap) {
190: IfaceRoute r;
191: #ifdef USE_NG_BPF
192: int i;
193: #endif
194:
195: Freee(ap->eapmsg);
196: Freee(ap->state);
197: Freee(ap->class);
198:
199: #ifdef USE_IPFW
200: ACLDestroy(ap->acl_rule);
201: ACLDestroy(ap->acl_pipe);
202: ACLDestroy(ap->acl_queue);
203: ACLDestroy(ap->acl_table);
204: #endif /* USE_IPFW */
205:
206: #ifdef USE_NG_BPF
207: for (i = 0; i < ACL_FILTERS; i++)
208: ACLDestroy(ap->acl_filters[i]);
209: for (i = 0; i < ACL_DIRS; i++)
210: ACLDestroy(ap->acl_limits[i]);
211: #endif /* USE_NG_BPF */
212:
213: while ((r = SLIST_FIRST(&ap->routes)) != NULL) {
214: SLIST_REMOVE_HEAD(&ap->routes, next);
215: Freee(r);
216: }
217:
218: Freee(ap->msdomain);
219: #ifdef SIOCSIFDESCR
220: Freee(ap->ifdescr);
221: #endif
222:
223: memset(ap,0,sizeof(struct authparams));
224: }
225:
226: void authparamsCopy(struct authparams *src, struct authparams *dst) {
227: IfaceRoute r, r1;
228: #ifdef USE_NG_BPF
229: int i;
230: #endif
231:
232: memcpy(dst,src,sizeof(struct authparams));
233:
234: if (src->eapmsg)
235: dst->eapmsg = Mdup(MB_AUTH, src->eapmsg, src->eapmsg_len);
236: if (src->state)
237: dst->state = Mdup(MB_AUTH, src->state, src->state_len);
238: if (src->class)
239: dst->class = Mdup(MB_AUTH, src->class, src->class_len);
240:
241: #ifdef USE_IPFW
242: ACLCopy(src->acl_rule, &dst->acl_rule);
243: ACLCopy(src->acl_pipe, &dst->acl_pipe);
244: ACLCopy(src->acl_queue, &dst->acl_queue);
245: ACLCopy(src->acl_table, &dst->acl_table);
246: #endif /* USE_IPFW */
247: #ifdef USE_NG_BPF
248: for (i = 0; i < ACL_FILTERS; i++)
249: ACLCopy(src->acl_filters[i], &dst->acl_filters[i]);
250: for (i = 0; i < ACL_DIRS; i++)
251: ACLCopy(src->acl_limits[i], &dst->acl_limits[i]);
252: #endif
253:
254: SLIST_INIT(&dst->routes);
255: SLIST_FOREACH(r, &src->routes, next) {
256: r1 = Mdup(MB_AUTH, r, sizeof(*r1));
257: SLIST_INSERT_HEAD(&dst->routes, r1, next);
258: }
259:
260: if (src->msdomain)
261: dst->msdomain = Mstrdup(MB_AUTH, src->msdomain);
262: #ifdef SIOCSIFDESCR
263: if (src->ifdescr)
264: dst->ifdescr = Mstrdup(MB_AUTH, src->ifdescr);
265: #endif
266: }
267:
268: void authparamsMove(struct authparams *src, struct authparams *dst)
269: {
270: memcpy(dst,src,sizeof(struct authparams));
271: memset(src,0,sizeof(struct authparams));
272: }
273:
274: /*
275: * AuthInit()
276: */
277:
278: void
279: AuthInit(Link l)
280: {
281: AuthConf const ac = &l->lcp.auth.conf;
282:
283: ac->timeout = 40;
284: Enable(&ac->options, AUTH_CONF_INTERNAL);
285: Enable(&ac->options, AUTH_CONF_ACCT_MANDATORY);
286:
287: EapInit(l);
288: RadiusInit(l);
289: }
290:
291: /*
292: * AuthInst()
293: *
294: * Instantiate auth structure from template
295: */
296:
297: void
298: AuthInst(Auth auth, Auth autht)
299: {
300: memcpy(auth, autht, sizeof(*auth));
301: if (auth->conf.extauth_script)
302: autht->conf.extauth_script = Mstrdup(MB_AUTH, auth->conf.extauth_script);
303: if (auth->conf.extacct_script)
304: autht->conf.extacct_script = Mstrdup(MB_AUTH, auth->conf.extacct_script);
305: }
306:
307: /*
308: * AuthShutdown()
309: */
310:
311: void
312: AuthShutdown(Link l)
313: {
314: Auth a = &l->lcp.auth;
315:
316: if (a->thread)
317: paction_cancel(&a->thread);
318: if (a->acct_thread)
319: paction_cancel(&a->acct_thread);
320: Freee(a->conf.extauth_script);
321: Freee(a->conf.extacct_script);
322: }
323:
324: /*
325: * AuthStart()
326: *
327: * Initialize authorization info for a link
328: */
329:
330: void
331: AuthStart(Link l)
332: {
333: Auth a = &l->lcp.auth;
334:
335: /* generate a uniq session id */
336: snprintf(l->session_id, AUTH_MAX_SESSIONID, "%d-%s",
337: (int)(time(NULL) % 10000000), l->name);
338:
339: authparamsInit(&a->params);
340:
341: /* What auth protocols were negotiated by LCP? */
342: a->self_to_peer = l->lcp.peer_auth;
343: a->peer_to_self = l->lcp.want_auth;
344: a->self_to_peer_alg = l->lcp.peer_alg;
345: a->peer_to_self_alg = l->lcp.want_alg;
346:
347: /* remember self's name */
348: PhysGetSelfName(l, a->params.selfname, sizeof(a->params.selfname));
349:
350: /* remember peer's name */
351: PhysGetPeerName(l, a->params.peername, sizeof(a->params.peername));
352:
353: /* remember self's IP address */
354: PhysGetSelfAddr(l, a->params.selfaddr, sizeof(a->params.selfaddr));
355:
356: /* remember peer's IP address */
357: PhysGetPeerAddr(l, a->params.peeraddr, sizeof(a->params.peeraddr));
358:
359: /* remember peer's TCP or UDP port */
360: PhysGetPeerPort(l, a->params.peerport, sizeof(a->params.peerport));
361:
362: /* remember peer's MAC address */
363: PhysGetPeerMacAddr(l, a->params.peermacaddr, sizeof(a->params.peermacaddr));
364:
365: /* remember peer's iface */
366: PhysGetPeerIface(l, a->params.peeriface, sizeof(a->params.peeriface));
367:
368: /* remember calling number */
369: PhysGetCallingNum(l, a->params.callingnum, sizeof(a->params.callingnum));
370:
371: /* remember called number */
372: PhysGetCalledNum(l, a->params.callednum, sizeof(a->params.callednum));
373:
374: Log(LG_AUTH, ("[%s] %s: auth: peer wants %s, I want %s",
375: Pref(&l->lcp.fsm), Fsm(&l->lcp.fsm),
376: a->self_to_peer ? ProtoName(a->self_to_peer) : "nothing",
377: a->peer_to_self ? ProtoName(a->peer_to_self) : "nothing"));
378:
379: /* Is there anything to do? */
380: if (!a->self_to_peer && !a->peer_to_self) {
381: LcpAuthResult(l, TRUE);
382: return;
383: }
384:
385: /* Start global auth timer */
386: TimerInit(&a->timer, "AuthTimer",
387: l->lcp.auth.conf.timeout * SECONDS, AuthTimeout, l);
388: TimerStart(&a->timer);
389:
390: /* Start my auth to him */
391: switch (a->self_to_peer) {
392: case 0:
393: break;
394: case PROTO_PAP:
395: PapStart(l, AUTH_SELF_TO_PEER);
396: break;
397: case PROTO_CHAP:
398: ChapStart(l, AUTH_SELF_TO_PEER);
399: break;
400: case PROTO_EAP:
401: EapStart(l, AUTH_SELF_TO_PEER);
402: break;
403: default:
404: assert(0);
405: }
406:
407: /* Start his auth to me */
408: switch (a->peer_to_self) {
409: case 0:
410: break;
411: case PROTO_PAP:
412: PapStart(l, AUTH_PEER_TO_SELF);
413: break;
414: case PROTO_CHAP:
415: ChapStart(l, AUTH_PEER_TO_SELF);
416: break;
417: case PROTO_EAP:
418: EapStart(l, AUTH_PEER_TO_SELF);
419: break;
420: default:
421: assert(0);
422: }
423: }
424:
425: /*
426: * AuthInput()
427: *
428: * Deal with PAP/CHAP/EAP packet
429: */
430:
431: void
432: AuthInput(Link l, int proto, Mbuf bp)
433: {
434: AuthData auth;
435: int len;
436: struct fsmheader fsmh;
437: u_char *pkt;
438: char buf[16];
439:
440: /* Sanity check */
441: if (l->lcp.phase != PHASE_AUTHENTICATE && l->lcp.phase != PHASE_NETWORK) {
442: Log(LG_AUTH, ("[%s] AUTH: rec'd stray packet", l->name));
443: mbfree(bp);
444: return;
445: }
446:
447: len = MBLEN(bp);
448:
449: /* Sanity check length */
450: if (len < sizeof(fsmh)) {
451: Log(LG_AUTH, ("[%s] AUTH: rec'd runt packet: %d bytes",
452: l->name, len));
453: mbfree(bp);
454: return;
455: }
456:
457: auth = AuthDataNew(l);
458: auth->proto = proto;
459:
460: bp = mbread(bp, &fsmh, sizeof(fsmh));
461: if (len > ntohs(fsmh.length))
462: len = ntohs(fsmh.length);
463: len -= sizeof(fsmh);
464:
465: pkt = MBDATA(bp);
466:
467: if (proto == PROTO_EAP && bp) {
468: Log(LG_AUTH, ("[%s] %s: rec'd %s #%d len: %d, type: %s", l->name,
469: ProtoName(proto), AuthCode(proto, fsmh.code, buf, sizeof(buf)), fsmh.id,
470: ntohs(fsmh.length), EapType(pkt[0])));
471: } else {
472: Log(LG_AUTH, ("[%s] %s: rec'd %s #%d len: %d", l->name,
473: ProtoName(proto), AuthCode(proto, fsmh.code, buf, sizeof(buf)), fsmh.id,
474: ntohs(fsmh.length)));
475: }
476:
477: auth->id = fsmh.id;
478: auth->code = fsmh.code;
479: /* Status defaults to undefined */
480: auth->status = AUTH_STATUS_UNDEF;
481:
482: switch (proto) {
483: case PROTO_PAP:
484: PapInput(l, auth, pkt, len);
485: break;
486: case PROTO_CHAP:
487: ChapInput(l, auth, pkt, len);
488: break;
489: case PROTO_EAP:
490: EapInput(l, auth, pkt, len);
491: break;
492: default:
493: assert(0);
494: }
495:
496: mbfree(bp);
497: }
498:
499: /*
500: * AuthOutput()
501: *
502: */
503:
504: void
505: AuthOutput(Link l, int proto, u_int code, u_int id, const u_char *ptr,
506: int len, int add_len, u_char eap_type)
507: {
508: struct fsmheader lh;
509: Mbuf bp;
510: int plen;
511: char buf[32];
512:
513: add_len = !!add_len;
514: /* Setup header */
515: if (proto == PROTO_EAP)
516: plen = sizeof(lh) + len + add_len + 1;
517: else
518: plen = sizeof(lh) + len + add_len;
519: lh.code = code;
520: lh.id = id;
521: lh.length = htons(plen);
522:
523: /* Build packet */
524: bp = mbcopyback(NULL, 0, &lh, sizeof(lh));
525: if (proto == PROTO_EAP)
526: bp = mbcopyback(bp, MBLEN(bp), &eap_type, 1);
527: if (add_len) {
528: u_char tl = len;
529: bp = mbcopyback(bp, MBLEN(bp), &tl, 1);
530: }
531: bp = mbcopyback(bp, MBLEN(bp), ptr, len);
532:
533: if (proto == PROTO_EAP) {
534: Log(LG_AUTH, ("[%s] %s: sending %s #%d len: %d, type: %s", l->name,
535: ProtoName(proto), AuthCode(proto, code, buf, sizeof(buf)), id, plen, EapType(eap_type)));
536: } else {
537: Log(LG_AUTH, ("[%s] %s: sending %s #%d len: %d", l->name,
538: ProtoName(proto), AuthCode(proto, code, buf, sizeof(buf)), id, plen));
539: }
540:
541: /* Send it out */
542: NgFuncWritePppFrameLink(l, proto, bp);
543: }
544:
545: /*
546: * AuthFinish()
547: *
548: * Authorization is finished, so continue one way or the other
549: */
550:
551: void
552: AuthFinish(Link l, int which, int ok)
553: {
554: Auth const a = &l->lcp.auth;
555:
556: if (which == AUTH_SELF_TO_PEER)
557: a->self_to_peer = 0;
558: else
559: a->peer_to_self = 0;
560: /* Did auth fail (in either direction)? */
561: if (!ok) {
562: AuthStop(l);
563: LcpAuthResult(l, FALSE);
564: return;
565: }
566: /* Did auth succeed (in both directions)? */
567: if (!a->peer_to_self && !a->self_to_peer) {
568: AuthStop(l);
569: LcpAuthResult(l, TRUE);
570: return;
571: }
572: }
573:
574: /*
575: * AuthCleanup()
576: *
577: * Cleanup auth structure, invoked on link-down
578: */
579:
580: void
581: AuthCleanup(Link l)
582: {
583: Auth a = &l->lcp.auth;
584:
585: Log(LG_AUTH2, ("[%s] AUTH: Cleanup", l->name));
586:
587: authparamsDestroy(&a->params);
588:
589: l->session_id[0] = 0;
590: }
591:
592: /*
593: * AuthDataNew()
594: *
595: * Create a new auth-data object
596: */
597:
598: AuthData
599: AuthDataNew(Link l)
600: {
601: AuthData auth;
602: Auth a = &l->lcp.auth;
603:
604: auth = Malloc(MB_AUTH, sizeof(*auth));
605: auth->conf = l->lcp.auth.conf;
606: if (l->lcp.auth.conf.extauth_script)
607: auth->conf.extauth_script = Mstrdup(MB_AUTH, l->lcp.auth.conf.extauth_script);
608: if (l->lcp.auth.conf.extacct_script)
609: auth->conf.extacct_script = Mstrdup(MB_AUTH, l->lcp.auth.conf.extacct_script);
610:
611: strlcpy(auth->info.lnkname, l->name, sizeof(auth->info.lnkname));
612: strlcpy(auth->info.msession_id, l->msession_id, sizeof(auth->info.msession_id));
613: strlcpy(auth->info.session_id, l->session_id, sizeof(auth->info.session_id));
614: strlcpy(auth->info.peer_ident, l->lcp.peer_ident, sizeof(l->lcp.peer_ident));
615: auth->info.originate = l->originate;
616:
617: if (l->bund) {
618: strlcpy(auth->info.ifname, l->bund->iface.ifname, sizeof(auth->info.ifname));
619: auth->info.ifindex = l->bund->iface.ifindex;
620: strlcpy(auth->info.bundname, l->bund->name, sizeof(auth->info.bundname));
621: auth->info.n_links = l->bund->n_links;
622: auth->info.peer_addr = l->bund->ipcp.peer_addr;
623: }
624:
625: /* Copy current link statistics */
626: memcpy(&auth->info.stats, &l->stats, sizeof(auth->info.stats));
627:
628: #ifdef USE_NG_BPF
629: /* If it is present copy services statistics */
630: if (l->bund) {
631: IfaceGetStats(l->bund, &auth->info.ss);
632: IfaceAddStats(&auth->info.ss, &l->bund->iface.prevstats);
633: }
634: #endif
635:
636: if (l->downReasonValid)
637: auth->info.downReason = Mstrdup(MB_AUTH, l->downReason);
638:
639: auth->info.last_up = l->last_up;
640: auth->info.phys_type = l->type;
641: auth->info.linkID = l->id;
642:
643: authparamsCopy(&a->params,&auth->params);
644:
645: return auth;
646: }
647:
648: /*
649: * AuthDataDestroy()
650: *
651: * Destroy authdata
652: */
653:
654: void
655: AuthDataDestroy(AuthData auth)
656: {
657: authparamsDestroy(&auth->params);
658: Freee(auth->info.downReason);
659: Freee(auth->reply_message);
660: Freee(auth->mschap_error);
661: Freee(auth->mschapv2resp);
662: #ifdef USE_NG_BPF
663: IfaceFreeStats(&auth->info.ss);
664: #endif
665: Freee(auth->conf.extauth_script);
666: Freee(auth->conf.extacct_script);
667: Freee(auth);
668: }
669:
670: /*
671: * AuthStop()
672: *
673: * Stop the authorization process
674: */
675:
676: void
677: AuthStop(Link l)
678: {
679: Auth a = &l->lcp.auth;
680:
681: TimerStop(&a->timer);
682: PapStop(&a->pap);
683: ChapStop(&a->chap);
684: EapStop(&a->eap);
685: paction_cancel(&a->thread);
686: }
687:
688: /*
689: * AuthStat()
690: *
691: * Show auth stats
692: */
693:
694: int
695: AuthStat(Context ctx, int ac, char *av[], void *arg)
696: {
697: Auth const au = &ctx->lnk->lcp.auth;
698: AuthConf const conf = &au->conf;
699: char buf[48], buf2[16];
700: #if defined(USE_IPFW) || defined(USE_NG_BPF)
701: struct acl *a;
702: #endif
703: IfaceRoute r;
704: #ifdef USE_NG_BPF
705: int k;
706: #endif
707:
708: Printf("Configuration:\r\n");
709: Printf("\tMy authname : %s\r\n", conf->authname);
710: Printf("\tMax-Logins : %d%s\r\n", gMaxLogins, (gMaxLoginsCI?" CI":""));
711: Printf("\tAcct Update : %d\r\n", conf->acct_update);
712: Printf("\t Limit In : %d\r\n", conf->acct_update_lim_recv);
713: Printf("\t Limit Out : %d\r\n", conf->acct_update_lim_xmit);
714: Printf("\tAuth timeout : %d\r\n", conf->timeout);
715: Printf("\tExtAuth script : %s\r\n", conf->extauth_script?conf->extauth_script:"");
716: Printf("\tExtAcct script : %s\r\n", conf->extacct_script?conf->extacct_script:"");
717:
718: Printf("Auth options\r\n");
719: OptStat(ctx, &conf->options, gConfList);
720:
721: Printf("Auth Data\r\n");
722: Printf("\tPeer authname : %s\r\n", au->params.authname);
723: Printf("\tInterface name : %s\r\n", au->params.ifname);
724: #ifdef SIOCSIFDESCR
725: Printf("\tInterface descr.: \"%s\"\r\n",
726: au->params.ifdescr != NULL ? au->params.ifdescr : "<none>");
727: #endif
728: Printf("\tInterface group : %s\r\n", au->params.ifgroup);
729: Printf("\tIP range : %s\r\n", (au->params.range_valid)?
730: u_rangetoa(&au->params.range,buf,sizeof(buf)):"");
731: Printf("\tIP pool : %s\r\n", au->params.ippool);
732: Printf("\tDNS : %s %s\r\n",
733: inet_ntop(AF_INET, &au->params.peer_dns[0], buf, sizeof(buf)),
734: inet_ntop(AF_INET, &au->params.peer_dns[1], buf2, sizeof(buf2)));
735: Printf("\tNBNS : %s %s\r\n",
736: inet_ntop(AF_INET, &au->params.peer_nbns[0], buf, sizeof(buf)),
737: inet_ntop(AF_INET, &au->params.peer_nbns[1], buf2, sizeof(buf2)));
738: Printf("\tMTU : %u\r\n", au->params.mtu);
739: Printf("\tSession-Timeout : %u\r\n", au->params.session_timeout);
740: Printf("\tIdle-Timeout : %u\r\n", au->params.idle_timeout);
741: Printf("\tAcct-Update : %u\r\n", au->params.acct_update);
742: Printf("\tRoutes :\r\n");
743: SLIST_FOREACH(r, &au->params.routes, next) {
744: Printf("\t\t%s\r\n", u_rangetoa(&r->dest,buf,sizeof(buf)));
745: }
746: #ifdef USE_IPFW
747: Printf("\tIPFW rules :\r\n");
748: a = au->params.acl_rule;
749: while (a) {
750: Printf("\t\t%d\t: '%s'\r\n", a->number, a->rule);
751: a = a->next;
752: }
753: Printf("\tIPFW pipes :\r\n");
754: a = au->params.acl_pipe;
755: while (a) {
756: Printf("\t\t%d\t: '%s'\r\n", a->number, a->rule);
757: a = a->next;
758: }
759: Printf("\tIPFW queues :\r\n");
760: a = au->params.acl_queue;
761: while (a) {
762: Printf("\t\t%d\t: '%s'\r\n", a->number, a->rule);
763: a = a->next;
764: }
765: Printf("\tIPFW tables :\r\n");
766: a = au->params.acl_table;
767: while (a) {
768: if (a->number != 0)
769: Printf("\t\t%d\t: '%s'\r\n", a->number, a->rule);
770: else
771: Printf("\t\t#%d\t: '%s'\r\n", a->real_number, a->rule);
772: a = a->next;
773: }
774: #endif /* USE_IPFW */
775: #ifdef USE_NG_BPF
776: Printf("\tTraffic filters :\r\n");
777: for (k = 0; k < ACL_FILTERS; k++) {
778: a = au->params.acl_filters[k];
779: while (a) {
780: Printf("\t%d#%d\t: '%s'\r\n", (k + 1), a->number, a->rule);
781: a = a->next;
782: }
783: }
784: Printf("\tTraffic limits :\r\n");
785: for (k = 0; k < 2; k++) {
786: a = au->params.acl_limits[k];
787: while (a) {
788: Printf("\t\t%s#%d%s%s\t: '%s'\r\n", (k?"out":"in"), a->number,
789: ((a->name[0])?"#":""), a->name, a->rule);
790: a = a->next;
791: }
792: }
793: #endif /* USE_NG_BPF */
794: Printf("\tMS-Domain : %s\r\n", au->params.msdomain);
795: Printf("\tMPPE Types : %s\r\n", AuthMPPEPolicyname(au->params.msoft.policy));
796: Printf("\tMPPE Policy : %s\r\n", AuthMPPETypesname(au->params.msoft.types, buf, sizeof(buf)));
797: Printf("\tMPPE Keys : %s\r\n", au->params.msoft.has_keys ? "yes" : "no");
798:
799: return (0);
800: }
801:
802:
803: /*
804: * AuthAccount()
805: *
806: * Accounting stuff,
807: */
808:
809: void
810: AuthAccountStart(Link l, int type)
811: {
812: Auth const a = &l->lcp.auth;
813: AuthData auth;
814:
815: /* maybe an outstanding thread is running */
816: if (a->acct_thread) {
817: if (type == AUTH_ACCT_START || type == AUTH_ACCT_STOP) {
818: paction_cancel(&a->acct_thread);
819: } else {
820: Log(LG_AUTH2, ("[%s] ACCT: Accounting thread is already running",
821: l->name));
822: return;
823: }
824: }
825:
826: LinkUpdateStats(l);
827: if (type == AUTH_ACCT_STOP) {
828: Log(LG_AUTH2, ("[%s] ACCT: Accounting data for user '%s': %lu seconds, %llu octets in, %llu octets out",
829: l->name, a->params.authname,
830: (unsigned long) (time(NULL) - l->last_up),
831: (unsigned long long)l->stats.recvOctets,
832: (unsigned long long)l->stats.xmitOctets));
833: }
834:
835: if (type == AUTH_ACCT_START) {
836: u_int updateInterval;
837:
838: if (a->params.acct_update > 0)
839: updateInterval = a->params.acct_update;
840: else
841: updateInterval = a->conf.acct_update;
842:
843: if (updateInterval > 0) {
844: /* Save initial statistics. */
845: memcpy(&a->prev_stats, &l->stats,
846: sizeof(a->prev_stats));
847:
848: /* Start accounting update timer. */
849: TimerInit(&a->acct_timer, "AuthAccountTimer",
850: updateInterval * SECONDS, AuthAccountTimeout, l);
851: TimerStartRecurring(&a->acct_timer);
852: }
853: }
854:
855: if (type == AUTH_ACCT_UPDATE) {
856: /*
857: * Suppress sending of accounting update, if byte threshold
858: * is configured, and delta since last update doesn't exceed it.
859: */
860: u_int lim_recv, lim_xmit;
861:
862: if (a->params.acct_update_lim_recv > 0)
863: lim_recv = a->params.acct_update_lim_recv;
864: else
865: lim_recv = a->conf.acct_update_lim_recv;
866: if (a->params.acct_update_lim_xmit > 0)
867: lim_xmit = a->params.acct_update_lim_xmit;
868: else
869: lim_xmit = a->conf.acct_update_lim_xmit;
870: if (lim_recv > 0 || lim_xmit > 0) {
871: if ((l->stats.recvOctets - a->prev_stats.recvOctets < lim_recv) &&
872: (l->stats.xmitOctets - a->prev_stats.xmitOctets < lim_xmit)) {
873: Log(LG_AUTH2, ("[%s] ACCT: Shouldn't send Interim-Update", l->name));
874: return;
875: } else {
876: /* Save current statistics. */
877: memcpy(&a->prev_stats, &l->stats, sizeof(a->prev_stats));
878: }
879: }
880: }
881:
882: if (type == AUTH_ACCT_STOP) {
883: /* Stop accounting update timer if running. */
884: TimerStop(&a->acct_timer);
885: }
886:
887: if (Enabled(&a->conf.options, AUTH_CONF_RADIUS_ACCT) ||
888: #ifdef USE_PAM
889: Enabled(&a->conf.options, AUTH_CONF_PAM_ACCT) ||
890: #endif
891: #ifdef USE_SYSTEM
892: Enabled(&a->conf.options, AUTH_CONF_SYSTEM_ACCT) ||
893: #endif
894: Enabled(&a->conf.options, AUTH_CONF_EXT_ACCT)) {
895:
896: auth = AuthDataNew(l);
897: auth->acct_type = type;
898:
899: if (paction_start(&a->acct_thread, &gGiantMutex, AuthAccount,
900: AuthAccountFinish, auth) == -1) {
901: Log(LG_ERR, ("[%s] ACCT: Couldn't start thread: %d",
902: l->name, errno));
903: AuthDataDestroy(auth);
904: }
905: }
906:
907: }
908:
909: /*
910: * AuthAccountTimeout()
911: *
912: * Timer function for accounting updates
913: */
914:
915: void
916: AuthAccountTimeout(void *arg)
917: {
918: Link l = (Link)arg;
919:
920: Log(LG_AUTH2, ("[%s] ACCT: Time for Accounting Update",
921: l->name));
922:
923: AuthAccountStart(l, AUTH_ACCT_UPDATE);
924: }
925:
926: /*
927: * AuthAccount()
928: *
929: * Asynchr. accounting handler, called from a paction.
930: * NOTE: Thread safety is needed here
931: */
932:
933: static void
934: AuthAccount(void *arg)
935: {
936: AuthData const auth = (AuthData)arg;
937: int err = 0;
938:
939: Log(LG_AUTH2, ("[%s] ACCT: Thread started", auth->info.lnkname));
940:
941: if (Enabled(&auth->conf.options, AUTH_CONF_RADIUS_ACCT))
942: err |= RadiusAccount(auth);
943: #ifdef USE_PAM
944: if (Enabled(&auth->conf.options, AUTH_CONF_PAM_ACCT))
945: err |= AuthPAMAcct(auth);
946: #endif
947: #ifdef USE_SYSTEM
948: if (Enabled(&auth->conf.options, AUTH_CONF_SYSTEM_ACCT))
949: err |= AuthSystemAcct(auth);
950: #endif
951: if (Enabled(&auth->conf.options, AUTH_CONF_EXT_ACCT))
952: err |= AuthExternalAcct(auth);
953:
954: if (err != 0 && auth->acct_type == AUTH_ACCT_START &&
955: Enabled(&auth->conf.options, AUTH_CONF_ACCT_MANDATORY)) {
956: Log(LG_AUTH, ("[%s] ACCT: Close link due to accounting start error",
957: auth->info.lnkname));
958: auth->drop_user = 1;
959: }
960: }
961:
962: /*
963: * AuthAccountFinish
964: *
965: * Return point for the accounting thread()
966: */
967:
968: static void
969: AuthAccountFinish(void *arg, int was_canceled)
970: {
971: AuthData auth = (AuthData)arg;
972: Link l;
973:
974: if (was_canceled) {
975: Log(LG_AUTH2, ("[%s] ACCT: Thread was canceled",
976: auth->info.lnkname));
977: } else {
978: Log(LG_AUTH2, ("[%s] ACCT: Thread finished normally",
979: auth->info.lnkname));
980: }
981:
982: /* Cleanup */
983: RadiusClose(auth);
984:
985: if (was_canceled) {
986: AuthDataDestroy(auth);
987: return;
988: }
989:
990: l = gLinks[auth->info.linkID];
991: if (l == NULL) {
992: AuthDataDestroy(auth);
993: return;
994: }
995:
996: if (auth->drop_user && auth->acct_type != AUTH_ACCT_STOP) {
997: Log(LG_AUTH, ("[%s] ACCT: Link close requested by the accounting",
998: l->name));
999: RecordLinkUpDownReason(NULL, l, 0, STR_MANUALLY, NULL);
1000: LinkClose(l);
1001: }
1002: AuthDataDestroy(auth);
1003: LinkShutdownCheck(l, l->lcp.fsm.state);
1004: }
1005:
1006: /*
1007: * AuthGetData()
1008: *
1009: * NOTE: Thread safety is needed here
1010: */
1011:
1012: int
1013: AuthGetData(char *authname, char *password, size_t passlen,
1014: struct u_range *range, u_char *range_valid)
1015: {
1016: FILE *fp;
1017: int ac;
1018: char *av[20];
1019: char *line;
1020:
1021: /* Check authname, must be non-empty */
1022: if (authname == NULL || authname[0] == 0) {
1023: return(-1);
1024: }
1025:
1026: /* Search secrets file */
1027: if ((fp = OpenConfFile(SECRET_FILE, NULL)) == NULL)
1028: return(-1);
1029: while ((line = ReadFullLine(fp, NULL, NULL, 0)) != NULL) {
1030: memset(av, 0, sizeof(av));
1031: ac = ParseLine(line, av, sizeof(av) / sizeof(*av), 1);
1032: Freee(line);
1033: if (ac >= 2
1034: && (strcmp(av[0], authname) == 0
1035: || (av[1][0] == '!' && strcmp(av[0], "*") == 0))) {
1036: if (av[1][0] == '!') { /* external auth program */
1037: if (AuthGetExternalPassword((av[1]+1),
1038: authname, password, passlen) == -1) {
1039: FreeArgs(ac, av);
1040: fclose(fp);
1041: return(-1);
1042: }
1043: } else {
1044: strlcpy(password, av[1], passlen);
1045: }
1046: if (range != NULL && range_valid != NULL) {
1047: u_rangeclear(range);
1048: if (ac >= 3)
1049: *range_valid = ParseRange(av[2], range, ALLOW_IPV4);
1050: else
1051: *range_valid = FALSE;
1052: }
1053: FreeArgs(ac, av);
1054: fclose(fp);
1055: return(0);
1056: }
1057: FreeArgs(ac, av);
1058: }
1059: fclose(fp);
1060:
1061: return(-1); /* Invalid */
1062: }
1063:
1064: /*
1065: * AuthAsyncStart()
1066: *
1067: * Starts the Auth-Thread
1068: */
1069:
1070: void
1071: AuthAsyncStart(Link l, AuthData auth)
1072: {
1073: Auth const a = &l->lcp.auth;
1074: const char *rept;
1075:
1076: /* Check link action */
1077: rept = LinkMatchAction(l, 2, auth->params.authname);
1078: if (rept) {
1079: if (strcmp(rept,"##DROP##") == 0) {
1080: /* Action told we must drop this connection */
1081: Log(LG_AUTH, ("[%s] Drop connection", l->name));
1082: PhysClose(l);
1083: AuthDataDestroy(auth);
1084: return;
1085: }
1086:
1087: /* Action told we must forward this connection */
1088: if (RepCreate(l, rept)) {
1089: Log(LG_ERR, ("[%s] Repeater to \"%s\" creation error", l->name, rept));
1090: PhysClose(l);
1091: AuthDataDestroy(auth);
1092: return;
1093: }
1094: /* Create repeater */
1095: RepIncoming(l);
1096: /* Reconnect link netgraph hook to repeater */
1097: LinkNgToRep(l);
1098: /* Kill the LCP */
1099: LcpDown(l);
1100: LcpClose(l);
1101: AuthDataDestroy(auth);
1102: return;
1103: }
1104:
1105: /* Check if we are ready to process request. */
1106: if (a->thread) {
1107: auth->status = AUTH_STATUS_BUSY;
1108: auth->finish(l, auth);
1109: return;
1110: }
1111:
1112: /* perform pre authentication checks (single-login, etc.) */
1113: if (AuthPreChecks(auth) < 0) {
1114: Log(LG_AUTH, ("[%s] AUTH: AuthPreCheck failed for \"%s\"",
1115: l->name, auth->params.authname));
1116: auth->finish(l, auth);
1117: return;
1118: }
1119:
1120: if (paction_start(&a->thread, &gGiantMutex, AuthAsync,
1121: AuthAsyncFinish, auth) == -1) {
1122: Log(LG_ERR, ("[%s] AUTH: Couldn't start thread: %d",
1123: l->name, errno));
1124: auth->status = AUTH_STATUS_FAIL;
1125: auth->why_fail = AUTH_FAIL_NOT_EXPECTED;
1126: auth->finish(l, auth);
1127: }
1128: }
1129:
1130: /*
1131: * AuthAsync()
1132: *
1133: * Asynchr. auth handler, called from a paction.
1134: * NOTE: Thread safety is needed here
1135: */
1136:
1137: static void
1138: AuthAsync(void *arg)
1139: {
1140: AuthData const auth = (AuthData)arg;
1141:
1142: Log(LG_AUTH2, ("[%s] AUTH: Thread started", auth->info.lnkname));
1143:
1144: if (Enabled(&auth->conf.options, AUTH_CONF_EXT_AUTH)) {
1145: auth->params.authentic = AUTH_CONF_EXT_AUTH;
1146: Log(LG_AUTH, ("[%s] AUTH: Trying EXTERNAL", auth->info.lnkname));
1147: if (AuthExternal(auth)) {
1148: Log(LG_AUTH, ("[%s] AUTH: EXTERNAL returned error",
1149: auth->info.lnkname));
1150: } else {
1151: Log(LG_AUTH, ("[%s] AUTH: EXTERNAL returned: %s",
1152: auth->info.lnkname, AuthStatusText(auth->status)));
1153: if (auth->status == AUTH_STATUS_SUCCESS
1154: || auth->status == AUTH_STATUS_UNDEF)
1155: return;
1156: }
1157: }
1158:
1159: if (auth->proto == PROTO_EAP && auth->eap_radius) {
1160: auth->params.authentic = AUTH_CONF_RADIUS_AUTH;
1161: RadiusEapProxy(auth);
1162: return;
1163: } else if (Enabled(&auth->conf.options, AUTH_CONF_RADIUS_AUTH)) {
1164: auth->params.authentic = AUTH_CONF_RADIUS_AUTH;
1165: Log(LG_AUTH, ("[%s] AUTH: Trying RADIUS", auth->info.lnkname));
1166: if (RadiusAuthenticate(auth)) {
1167: Log(LG_AUTH, ("[%s] AUTH: RADIUS returned error",
1168: auth->info.lnkname));
1169: } else {
1170: Log(LG_AUTH, ("[%s] AUTH: RADIUS returned: %s",
1171: auth->info.lnkname, AuthStatusText(auth->status)));
1172: if (auth->status == AUTH_STATUS_SUCCESS)
1173: return;
1174: }
1175: }
1176:
1177: #ifdef USE_PAM
1178: if (Enabled(&auth->conf.options, AUTH_CONF_PAM_AUTH)) {
1179: auth->params.authentic = AUTH_CONF_PAM_AUTH;
1180: Log(LG_AUTH, ("[%s] AUTH: Trying PAM", auth->info.lnkname));
1181: AuthPAM(auth);
1182: Log(LG_AUTH, ("[%s] AUTH: PAM returned: %s",
1183: auth->info.lnkname, AuthStatusText(auth->status)));
1184: if (auth->status == AUTH_STATUS_SUCCESS
1185: || auth->status == AUTH_STATUS_UNDEF)
1186: return;
1187: }
1188: #endif
1189:
1190: #ifdef USE_SYSTEM
1191: if (Enabled(&auth->conf.options, AUTH_CONF_SYSTEM_AUTH)) {
1192: auth->params.authentic = AUTH_CONF_SYSTEM_AUTH;
1193: Log(LG_AUTH, ("[%s] AUTH: Trying SYSTEM", auth->info.lnkname));
1194: AuthSystem(auth);
1195: Log(LG_AUTH, ("[%s] AUTH: SYSTEM returned: %s",
1196: auth->info.lnkname, AuthStatusText(auth->status)));
1197: if (auth->status == AUTH_STATUS_SUCCESS
1198: || auth->status == AUTH_STATUS_UNDEF)
1199: return;
1200: }
1201: #endif
1202:
1203: #ifdef USE_OPIE
1204: if (Enabled(&auth->conf.options, AUTH_CONF_OPIE)) {
1205: auth->params.authentic = AUTH_CONF_OPIE;
1206: Log(LG_AUTH, ("[%s] AUTH: Trying OPIE", auth->info.lnkname));
1207: AuthOpie(auth);
1208: Log(LG_AUTH, ("[%s] AUTH: OPIE returned: %s",
1209: auth->info.lnkname, AuthStatusText(auth->status)));
1210: if (auth->status == AUTH_STATUS_SUCCESS
1211: || auth->status == AUTH_STATUS_UNDEF)
1212: return;
1213: }
1214: #endif /* USE_OPIE */
1215:
1216: if (Enabled(&auth->conf.options, AUTH_CONF_INTERNAL)) {
1217: auth->params.authentic = AUTH_CONF_INTERNAL;
1218: Log(LG_AUTH, ("[%s] AUTH: Trying INTERNAL", auth->info.lnkname));
1219: AuthInternal(auth);
1220: Log(LG_AUTH, ("[%s] AUTH: INTERNAL returned: %s",
1221: auth->info.lnkname, AuthStatusText(auth->status)));
1222: if (auth->status == AUTH_STATUS_SUCCESS
1223: || auth->status == AUTH_STATUS_UNDEF)
1224: return;
1225: }
1226:
1227: Log(LG_AUTH, ("[%s] AUTH: ran out of backends", auth->info.lnkname));
1228: auth->status = AUTH_STATUS_FAIL;
1229: auth->why_fail = AUTH_FAIL_INVALID_LOGIN;
1230: }
1231:
1232: /*
1233: * AuthAsyncFinish()
1234: *
1235: * Return point for the auth thread
1236: */
1237:
1238: static void
1239: AuthAsyncFinish(void *arg, int was_canceled)
1240: {
1241: AuthData auth = (AuthData)arg;
1242: Link l;
1243:
1244: if (was_canceled)
1245: Log(LG_AUTH2, ("[%s] AUTH: Thread was canceled", auth->info.lnkname));
1246:
1247: /* cleanup */
1248: RadiusClose(auth);
1249:
1250: if (was_canceled) {
1251: AuthDataDestroy(auth);
1252: return;
1253: }
1254:
1255: l = gLinks[auth->info.linkID];
1256: if (l == NULL) {
1257: AuthDataDestroy(auth);
1258: return;
1259: }
1260:
1261: Log(LG_AUTH2, ("[%s] AUTH: Thread finished normally", l->name));
1262:
1263: /* Replace modified data */
1264: authparamsDestroy(&l->lcp.auth.params);
1265: authparamsMove(&auth->params,&l->lcp.auth.params);
1266:
1267: if (strcmp(l->lcp.auth.params.action, "drop") == 0) {
1268: auth->status = AUTH_STATUS_FAIL;
1269: auth->why_fail = AUTH_FAIL_INVALID_LOGIN;
1270: } else if (strncmp(l->lcp.auth.params.action, "forward ", 8) == 0) {
1271: const char *rept = l->lcp.auth.params.action + 8;
1272:
1273: /* Action told we must forward this connection */
1274: if (RepCreate(l, rept)) {
1275: Log(LG_ERR, ("[%s] Repeater to \"%s\" creation error", l->name, rept));
1276: PhysClose(l);
1277: AuthDataDestroy(auth);
1278: return;
1279: }
1280: /* Create repeater */
1281: RepIncoming(l);
1282: /* Reconnect link netgraph hook to repeater */
1283: LinkNgToRep(l);
1284: /* Kill the LCP */
1285: LcpDown(l);
1286: LcpClose(l);
1287: AuthDataDestroy(auth);
1288: return;
1289: }
1290:
1291: auth->finish(l, auth);
1292: }
1293:
1294: /*
1295: * AuthInternal()
1296: *
1297: * Authenticate against mpd.secret
1298: */
1299:
1300: static void
1301: AuthInternal(AuthData auth)
1302: {
1303: if (AuthGetData(auth->params.authname, auth->params.password,
1304: sizeof(auth->params.password), &auth->params.range,
1305: &auth->params.range_valid) < 0) {
1306: Log(LG_AUTH, ("[%s] AUTH: User \"%s\" not found in secret file",
1307: auth->info.lnkname, auth->params.authname));
1308: auth->status = AUTH_STATUS_FAIL;
1309: auth->why_fail = AUTH_FAIL_INVALID_LOGIN;
1310: return;
1311: }
1312: auth->status = AUTH_STATUS_UNDEF;
1313: }
1314:
1315: #ifdef USE_SYSTEM
1316: /*
1317: * AuthSystem()
1318: *
1319: * Authenticate against Systems password database
1320: */
1321:
1322: static void
1323: AuthSystem(AuthData auth)
1324: {
1325: PapParams pp = &auth->params.pap;
1326: struct passwd *pw;
1327: struct passwd pwc;
1328: u_char *bin;
1329: int err;
1330:
1331: /* protect getpwnam and errno
1332: * NOTE: getpwnam_r doesen't exists on FreeBSD < 5.1 */
1333: GIANT_MUTEX_LOCK();
1334: errno = 0;
1335: pw = getpwnam(auth->params.authname);
1336: if (!pw) {
1337: err=errno;
1338: GIANT_MUTEX_UNLOCK(); /* We must release lock before Log() */
1339: if (err)
1340: Perror("[%s] AUTH: Error retrieving passwd", auth->info.lnkname);
1341: else
1342: Log(LG_AUTH, ("[%s] AUTH: User \"%s\" not found in the systems database",
1343: auth->info.lnkname, auth->params.authname));
1344: auth->status = AUTH_STATUS_FAIL;
1345: auth->why_fail = AUTH_FAIL_INVALID_LOGIN;
1346: return;
1347: }
1348: memcpy(&pwc,pw,sizeof(struct passwd)); /* we must make copy before release lock */
1349: GIANT_MUTEX_UNLOCK();
1350:
1351: Log(LG_AUTH, ("[%s] AUTH: Found user %s Uid:%d Gid:%d Fmt:%*.*s",
1352: auth->info.lnkname, pwc.pw_name, pwc.pw_uid, pwc.pw_gid, 3, 3, pwc.pw_passwd));
1353:
1354: if (auth->proto == PROTO_PAP) {
1355: /* protect non-ts crypt() */
1356: GIANT_MUTEX_LOCK();
1357: if (strcmp(crypt(pp->peer_pass, pwc.pw_passwd), pwc.pw_passwd) == 0) {
1358: auth->status = AUTH_STATUS_SUCCESS;
1359: } else {
1360: auth->status = AUTH_STATUS_FAIL;
1361: auth->why_fail = AUTH_FAIL_INVALID_LOGIN;
1362: }
1363: GIANT_MUTEX_UNLOCK();
1364: return;
1365: } else if (auth->proto == PROTO_CHAP
1366: && (auth->alg == CHAP_ALG_MSOFT
1367: || auth->alg == CHAP_ALG_MSOFTv2)) {
1368:
1369: if (!strstr(pwc.pw_passwd, "$3$$")) {
1370: Log(LG_AUTH, ("[%s] AUTH: Password has the wrong format, nth ($3$) is needed",
1371: auth->info.lnkname));
1372: auth->status = AUTH_STATUS_FAIL;
1373: auth->why_fail = AUTH_FAIL_INVALID_LOGIN;
1374: return;
1375: }
1376:
1377: bin = Hex2Bin(&pwc.pw_passwd[4]);
1378: memcpy(auth->params.msoft.nt_hash, bin, sizeof(auth->params.msoft.nt_hash));
1379: Freee(bin);
1380: NTPasswordHashHash(auth->params.msoft.nt_hash, auth->params.msoft.nt_hash_hash);
1381: auth->params.msoft.has_nt_hash = TRUE;
1382: auth->status = AUTH_STATUS_UNDEF;
1383: return;
1384:
1385: } else {
1386: Log(LG_ERR, ("[%s] AUTH: Using systems password database only possible for PAP and MS-CHAP",
1387: auth->info.lnkname));
1388: auth->status = AUTH_STATUS_FAIL;
1389: auth->why_fail = AUTH_FAIL_NOT_EXPECTED;
1390: return;
1391: }
1392:
1393: }
1394:
1395: /*
1396: * AuthSystemAcct()
1397: *
1398: * Account with system
1399: */
1400:
1401: #if __FreeBSD_version >= 900007
1402: static int
1403: AuthSystemAcct(AuthData auth)
1404: {
1405: struct utmpx ut;
1406:
1407: memset(&ut, 0, sizeof(ut));
1408: snprintf(ut.ut_id, sizeof(ut.ut_id), "mpd%x", auth->info.linkID);
1409: strlcpy(ut.ut_line, auth->info.lnkname, sizeof(ut.ut_line));
1410:
1411: if (auth->acct_type == AUTH_ACCT_START) {
1412: ut.ut_type = USER_PROCESS;
1413: strlcpy(ut.ut_host, auth->params.peeraddr, sizeof(ut.ut_host));
1414: strlcpy(ut.ut_user, auth->params.authname, sizeof(ut.ut_user));
1415: gettimeofday(&ut.ut_tv, NULL);
1416: Log(LG_AUTH, ("[%s] ACCT: wtmp %s %s %s login", auth->info.lnkname, ut.ut_line,
1417: ut.ut_user, ut.ut_host));
1418: pututxline(&ut);
1419: } else if (auth->acct_type == AUTH_ACCT_STOP) {
1420: ut.ut_type = DEAD_PROCESS;
1421: Log(LG_AUTH, ("[%s] ACCT: wtmp %s logout", auth->info.lnkname, ut.ut_line));
1422: pututxline(&ut);
1423: }
1424: return (0);
1425: }
1426: #else
1427: static int
1428: AuthSystemAcct(AuthData auth)
1429: {
1430: struct utmp ut;
1431:
1432: memset(&ut, 0, sizeof(ut));
1433: strlcpy(ut.ut_line, auth->info.lnkname, sizeof(ut.ut_line));
1434:
1435: if (auth->acct_type == AUTH_ACCT_START) {
1436: time_t t;
1437:
1438: strlcpy(ut.ut_host, auth->params.peeraddr, sizeof(ut.ut_host));
1439: strlcpy(ut.ut_name, auth->params.authname, sizeof(ut.ut_name));
1440: time(&t);
1441: ut.ut_time = t;
1442: login(&ut);
1443: Log(LG_AUTH, ("[%s] ACCT: wtmp %s %s %s login", auth->info.lnkname, ut.ut_line,
1444: ut.ut_name, ut.ut_host));
1445: } else if (auth->acct_type == AUTH_ACCT_STOP) {
1446: Log(LG_AUTH, ("[%s] ACCT: wtmp %s logout", auth->info.lnkname, ut.ut_line));
1447: logout(ut.ut_line);
1448: logwtmp(ut.ut_line, "", "");
1449: }
1450: return (0);
1451: }
1452: #endif /* __FreeBSD_version >= 900007 */
1453: #endif /* USE_SYSTEM */
1454:
1455: #ifdef USE_PAM
1456: /*
1457: * AuthPAM()
1458: *
1459: * Authenticate with PAM system
1460: */
1461:
1462: static int
1463: pam_conv(int n, const struct pam_message **msg, struct pam_response **resp,
1464: void *data)
1465: {
1466: AuthData auth = (AuthData)data;
1467: int i;
1468:
1469: for (i = 0; i < n; i++) {
1470: Log(LG_AUTH2, ("[%s] AUTH: PAM: %s",
1471: auth->info.lnkname, msg[i]->msg));
1472: }
1473:
1474: /* We support only requests for password */
1475: if (n != 1 || msg[0]->msg_style != PAM_PROMPT_ECHO_OFF)
1476: return (PAM_CONV_ERR);
1477:
1478: if ((*resp = malloc(sizeof(struct pam_response))) == NULL)
1479: return (PAM_CONV_ERR);
1480: (*resp)[0].resp = strdup(auth->params.pap.peer_pass);
1481: (*resp)[0].resp_retcode = 0;
1482:
1483: return ((*resp)[0].resp != NULL ? PAM_SUCCESS : PAM_CONV_ERR);
1484: }
1485:
1486: static void
1487: AuthPAM(AuthData auth)
1488: {
1489: struct pam_conv pamc = {
1490: &pam_conv,
1491: auth
1492: };
1493: pam_handle_t *pamh;
1494: int status;
1495:
1496: if (auth->proto != PROTO_PAP) {
1497: Log(LG_ERR, ("[%s] AUTH: Using PAM only possible for PAP", auth->info.lnkname));
1498: auth->status = AUTH_STATUS_FAIL;
1499: auth->why_fail = AUTH_FAIL_NOT_EXPECTED;
1500: return;
1501: }
1502:
1503: if (pam_start("mpd", auth->params.authname, &pamc, &pamh) != PAM_SUCCESS) {
1504: Log(LG_ERR, ("[%s] AUTH: PAM error", auth->info.lnkname));
1505: auth->status = AUTH_STATUS_FAIL;
1506: auth->why_fail = AUTH_FAIL_NOT_EXPECTED;
1507: return;
1508: }
1509:
1510: if (auth->params.peeraddr[0] &&
1511: pam_set_item(pamh, PAM_RHOST, auth->params.peeraddr) != PAM_SUCCESS) {
1512: Log(LG_ERR, ("[%s] AUTH: PAM set PAM_RHOST error", auth->info.lnkname));
1513: }
1514:
1515: if (pam_set_item(pamh, PAM_TTY, auth->info.lnkname) != PAM_SUCCESS) {
1516: Log(LG_ERR, ("[%s] AUTH: PAM set PAM_TTY error", auth->info.lnkname));
1517: }
1518:
1519: status = pam_authenticate(pamh, 0);
1520:
1521: if (status == PAM_SUCCESS) {
1522: status = pam_acct_mgmt(pamh, 0);
1523: }
1524:
1525: if (status == PAM_SUCCESS) {
1526: auth->status = AUTH_STATUS_SUCCESS;
1527: } else {
1528: Log(LG_AUTH, ("[%s] AUTH: PAM error: %s",
1529: auth->info.lnkname, pam_strerror(pamh, status)));
1530: switch (status) {
1531: case PAM_AUTH_ERR:
1532: case PAM_USER_UNKNOWN:
1533: auth->status = AUTH_STATUS_FAIL;
1534: auth->why_fail = AUTH_FAIL_INVALID_LOGIN;
1535: break;
1536: case PAM_ACCT_EXPIRED:
1537: case PAM_AUTHTOK_EXPIRED:
1538: case PAM_CRED_EXPIRED:
1539: auth->status = AUTH_STATUS_FAIL;
1540: auth->why_fail = AUTH_FAIL_ACCT_DISABLED;
1541: break;
1542: default:
1543: auth->status = AUTH_STATUS_FAIL;
1544: auth->why_fail = AUTH_FAIL_NOT_EXPECTED;
1545: }
1546: }
1547:
1548: pam_end(pamh, status);
1549: }
1550:
1551: /*
1552: * AuthPAMAcct()
1553: *
1554: * Account with system
1555: */
1556:
1557: static int
1558: AuthPAMAcct(AuthData auth)
1559: {
1560: pam_handle_t *pamh;
1561: int status;
1562: struct pam_conv pamc = {
1563: &pam_conv,
1564: auth
1565: };
1566:
1567: if (auth->acct_type != AUTH_ACCT_START &&
1568: auth->acct_type != AUTH_ACCT_STOP) {
1569: return (0);
1570: }
1571:
1572: if (pam_start("mpd", auth->params.authname, &pamc, &pamh) != PAM_SUCCESS) {
1573: Log(LG_ERR, ("[%s] ACCT: PAM error", auth->info.lnkname));
1574: return (-1);
1575: }
1576:
1577: if (auth->params.peeraddr[0] &&
1578: pam_set_item(pamh, PAM_RHOST, auth->params.peeraddr) != PAM_SUCCESS) {
1579: Log(LG_ERR, ("[%s] ACCT: PAM set PAM_RHOST error", auth->info.lnkname));
1580: return (-1);
1581: }
1582:
1583: if (pam_set_item(pamh, PAM_TTY, auth->info.lnkname) != PAM_SUCCESS) {
1584: Log(LG_ERR, ("[%s] ACCT: PAM set PAM_TTY error", auth->info.lnkname));
1585: return (-1);
1586: }
1587:
1588: if (auth->acct_type == AUTH_ACCT_START) {
1589: Log(LG_AUTH, ("[%s] ACCT: PAM open session \"%s\"",
1590: auth->info.lnkname, auth->params.authname));
1591: status = pam_open_session(pamh, 0);
1592: } else {
1593: Log(LG_AUTH, ("[%s] ACCT: PAM close session \"%s\"",
1594: auth->info.lnkname, auth->params.authname));
1595: status = pam_close_session(pamh, 0);
1596: }
1597: if (status != PAM_SUCCESS) {
1598: Log(LG_AUTH, ("[%s] ACCT: PAM session error",
1599: auth->info.lnkname));
1600: return (-1);
1601: }
1602:
1603: pam_end(pamh, status);
1604: return (0);
1605: }
1606: #endif /* USE_PAM */
1607:
1608: #ifdef USE_OPIE
1609: /*
1610: * AuthOpie()
1611: */
1612:
1613: static void
1614: AuthOpie(AuthData auth)
1615: {
1616: PapParams const pp = &auth->params.pap;
1617: struct opie_otpkey key;
1618: char opieprompt[OPIE_CHALLENGE_MAX + 1];
1619: int ret, n;
1620: char secret[OPIE_SECRET_MAX + 1];
1621: char english[OPIE_RESPONSE_MAX + 1];
1622:
1623: ret = opiechallenge(&auth->opie.data, auth->params.authname, opieprompt);
1624:
1625: auth->status = AUTH_STATUS_UNDEF;
1626:
1627: switch (ret) {
1628: case 0:
1629: break;
1630:
1631: case 1:
1632: Log(LG_ERR, ("[%s] AUTH: User \"%s\" not found in opiekeys",
1633: auth->info.lnkname, auth->params.authname));
1634: auth->status = AUTH_STATUS_FAIL;
1635: auth->why_fail = AUTH_FAIL_INVALID_LOGIN;
1636: return;
1637:
1638: case -1:
1639: case 2:
1640: default:
1641: Log(LG_ERR, ("[%s] AUTH: System error", auth->info.lnkname));
1642: auth->status = AUTH_STATUS_FAIL;
1643: auth->why_fail = AUTH_FAIL_NOT_EXPECTED;
1644: return;
1645: };
1646:
1647: Log(LG_AUTH, ("[%s] AUTH: Opieprompt:%s", auth->info.lnkname, opieprompt));
1648:
1649: if (auth->proto == PROTO_PAP ) {
1650: if (!opieverify(&auth->opie.data, pp->peer_pass)) {
1651: auth->status = AUTH_STATUS_SUCCESS;
1652: } else {
1653: auth->why_fail = AUTH_FAIL_INVALID_LOGIN;
1654: auth->status = AUTH_STATUS_FAIL;
1655: }
1656: return;
1657: }
1658:
1659: if (AuthGetData(auth->params.authname, secret, sizeof(secret), NULL, NULL) < 0) {
1660: Log(LG_AUTH, ("[%s] AUTH: Can't get credentials for \"%s\"",
1661: auth->info.lnkname, auth->params.authname));
1662: auth->status = AUTH_STATUS_FAIL;
1663: auth->why_fail = AUTH_FAIL_INVALID_LOGIN;
1664: return;
1665: }
1666:
1667: opiekeycrunch(OPIE_ALG_MD5, &key, auth->opie.data.opie_seed, secret);
1668: n = auth->opie.data.opie_n - 1;
1669: while (n-- > 0)
1670: opiehash(&key, OPIE_ALG_MD5);
1671:
1672: opiebtoe(english, &key);
1673: strlcpy(auth->params.password, english, sizeof(auth->params.password));
1674: }
1675: #endif /* USE_OPIE */
1676:
1677: /*
1678: * AuthPreChecks()
1679: */
1680:
1681: static int
1682: AuthPreChecks(AuthData auth)
1683: {
1684:
1685: if (!strlen(auth->params.authname)) {
1686: Log(LG_AUTH, ("[%s] AUTH: We don't accept empty usernames", auth->info.lnkname));
1687: auth->status = AUTH_STATUS_FAIL;
1688: auth->why_fail = AUTH_FAIL_INVALID_LOGIN;
1689: return (-1);
1690: }
1691: /* check max. number of logins */
1692: if (gMaxLogins != 0) {
1693: int ac;
1694: u_long num = 0;
1695: for(ac = 0; ac < gNumBundles; ac++) {
1696: if (gBundles[ac] && gBundles[ac]->open) {
1697: if (gMaxLoginsCI) {
1698: if (!strcasecmp(gBundles[ac]->params.authname, auth->params.authname))
1699: num++;
1700: } else {
1701: if (!strcmp(gBundles[ac]->params.authname, auth->params.authname))
1702: num++;
1703: }
1704: }
1705: }
1706:
1707: if (num >= gMaxLogins) {
1708: Log(LG_AUTH, ("[%s] AUTH: Name: \"%s\" max. number of logins exceeded",
1709: auth->info.lnkname, auth->params.authname));
1710: auth->status = AUTH_STATUS_FAIL;
1711: auth->why_fail = AUTH_FAIL_INVALID_LOGIN;
1712: return (-1);
1713: }
1714: }
1715: return (0);
1716: }
1717:
1718: /*
1719: * AuthTimeout()
1720: *
1721: * Timer expired for the whole authorization process
1722: */
1723:
1724: static void
1725: AuthTimeout(void *arg)
1726: {
1727: Link l = (Link)arg;
1728:
1729: Log(LG_AUTH, ("[%s] %s: authorization timer expired", Pref(&l->lcp.fsm), Fsm(&l->lcp.fsm)));
1730: AuthStop(l);
1731: LcpAuthResult(l, FALSE);
1732: }
1733:
1734: /*
1735: * AuthFailMsg()
1736: */
1737:
1738: const char *
1739: AuthFailMsg(AuthData auth, char *buf, size_t len)
1740: {
1741: const char *mesg;
1742:
1743: if (auth->proto == PROTO_CHAP
1744: && (auth->alg == CHAP_ALG_MSOFT || auth->alg == CHAP_ALG_MSOFTv2)) {
1745: int mscode;
1746:
1747: if (auth->mschap_error != NULL) {
1748: strlcpy(buf, auth->mschap_error, len);
1749: return(buf);
1750: }
1751:
1752: switch (auth->why_fail) {
1753: case AUTH_FAIL_ACCT_DISABLED:
1754: mscode = MSCHAP_ERROR_ACCT_DISABLED;
1755: mesg = AUTH_MSG_ACCT_DISAB;
1756: break;
1757: case AUTH_FAIL_NO_PERMISSION:
1758: mscode = MSCHAP_ERROR_NO_DIALIN_PERMISSION;
1759: mesg = AUTH_MSG_NOT_ALLOWED;
1760: break;
1761: case AUTH_FAIL_RESTRICTED_HOURS:
1762: mscode = MSCHAP_ERROR_RESTRICTED_LOGON_HOURS;
1763: mesg = AUTH_MSG_RESTR_HOURS;
1764: break;
1765: case AUTH_FAIL_INVALID_PACKET:
1766: case AUTH_FAIL_INVALID_LOGIN:
1767: case AUTH_FAIL_NOT_EXPECTED:
1768: default:
1769: mscode = MSCHAP_ERROR_AUTHENTICATION_FAILURE;
1770: mesg = AUTH_MSG_INVALID;
1771: break;
1772: }
1773:
1774: /* If we have reply message, send it instead of default. */
1775: if (auth->reply_message != NULL)
1776: mesg = auth->reply_message;
1777:
1778: snprintf(buf, len, "E=%d R=0 M=%s", mscode, mesg);
1779:
1780: } else {
1781:
1782: if (auth->reply_message != NULL) {
1783: strlcpy(buf, auth->reply_message, len);
1784: return(buf);
1785: }
1786:
1787: switch (auth->why_fail) {
1788: case AUTH_FAIL_ACCT_DISABLED:
1789: mesg = AUTH_MSG_ACCT_DISAB;
1790: break;
1791: case AUTH_FAIL_NO_PERMISSION:
1792: mesg = AUTH_MSG_NOT_ALLOWED;
1793: break;
1794: case AUTH_FAIL_RESTRICTED_HOURS:
1795: mesg = AUTH_MSG_RESTR_HOURS;
1796: break;
1797: case AUTH_FAIL_NOT_EXPECTED:
1798: mesg = AUTH_MSG_NOT_EXPECTED;
1799: break;
1800: case AUTH_FAIL_INVALID_PACKET:
1801: mesg = AUTH_MSG_BAD_PACKET;
1802: break;
1803: case AUTH_FAIL_INVALID_LOGIN:
1804: default:
1805: mesg = AUTH_MSG_INVALID;
1806: break;
1807: }
1808: strlcpy(buf, mesg, len);
1809: }
1810: return(buf);
1811: }
1812:
1813: /*
1814: * AuthStatusText()
1815: */
1816:
1817: const char *
1818: AuthStatusText(int status)
1819: {
1820: switch (status) {
1821: case AUTH_STATUS_UNDEF:
1822: return "undefined";
1823:
1824: case AUTH_STATUS_SUCCESS:
1825: return "authenticated";
1826:
1827: case AUTH_STATUS_FAIL:
1828: return "failed";
1829:
1830: case AUTH_STATUS_BUSY:
1831: return "busy";
1832:
1833: default:
1834: return "INCORRECT STATUS";
1835: }
1836: }
1837:
1838: /*
1839: * AuthMPPEPolicyname()
1840: */
1841:
1842: const char *
1843: AuthMPPEPolicyname(int policy)
1844: {
1845: switch(policy) {
1846: case MPPE_POLICY_ALLOWED:
1847: return "Allowed";
1848: case MPPE_POLICY_REQUIRED:
1849: return "Required";
1850: case MPPE_POLICY_NONE:
1851: return "Not available";
1852: default:
1853: return "Unknown Policy";
1854: }
1855:
1856: }
1857:
1858: /*
1859: * AuthMPPETypesname()
1860: */
1861:
1862: const char *
1863: AuthMPPETypesname(int types, char *buf, size_t len)
1864: {
1865: if (types == 0) {
1866: sprintf(buf, "no encryption required");
1867: return (buf);
1868: }
1869:
1870: buf[0]=0;
1871: if (types & MPPE_TYPE_40BIT) sprintf (buf, "40 ");
1872: if (types & MPPE_TYPE_56BIT) sprintf (&buf[strlen(buf)], "56 ");
1873: if (types & MPPE_TYPE_128BIT) sprintf (&buf[strlen(buf)], "128 ");
1874:
1875: if (strlen(buf) == 0) {
1876: sprintf (buf, "unknown types");
1877: } else {
1878: sprintf (&buf[strlen(buf)], "bit");
1879: }
1880:
1881: return (buf);
1882: }
1883:
1884: /*
1885: * AuthGetExternalPassword()
1886: *
1887: * Run the named external program to fill in the password for the user
1888: * mentioned in the AuthData
1889: * -1 on error (can't fork, no data read, whatever)
1890: */
1891: static int
1892: AuthGetExternalPassword(char * extcmd, char *authname, char *password, size_t passlen)
1893: {
1894: char cmd[AUTH_MAX_PASSWORD + 5 + AUTH_MAX_AUTHNAME];
1895: int ok = 0;
1896: FILE *fp;
1897: int len;
1898:
1899: snprintf(cmd, sizeof(cmd), "%s %s", extcmd, authname);
1900: Log(LG_AUTH, ("Invoking external auth program: '%s'", cmd));
1901: if ((fp = popen(cmd, "r")) == NULL) {
1902: Perror("Popen");
1903: return (-1);
1904: }
1905: if (fgets(password, passlen, fp) != NULL) {
1906: len = strlen(password); /* trim trailing newline */
1907: if (len > 0 && password[len - 1] == '\n')
1908: password[len - 1] = '\0';
1909: ok = (password[0] != '\0');
1910: } else {
1911: if (ferror(fp))
1912: Perror("Error reading from external auth program");
1913: }
1914: if (!ok)
1915: Log(LG_AUTH, ("External auth program failed for user \"%s\"",
1916: authname));
1917: pclose(fp);
1918: return (ok ? 0 : -1);
1919: }
1920:
1921: /*
1922: * AuthCode()
1923: */
1924:
1925: static const char *
1926: AuthCode(int proto, u_char code, char *buf, size_t len)
1927: {
1928: switch (proto) {
1929: case PROTO_EAP:
1930: return EapCode(code, buf, len);
1931:
1932: case PROTO_CHAP:
1933: return ChapCode(code, buf, len);
1934:
1935: case PROTO_PAP:
1936: return PapCode(code, buf, len);
1937:
1938: default:
1939: snprintf(buf, len, "code %d", code);
1940: return(buf);
1941: }
1942: }
1943:
1944:
1945: /*
1946: * AuthSetCommand()
1947: */
1948:
1949: static int
1950: AuthSetCommand(Context ctx, int ac, char *av[], void *arg)
1951: {
1952: AuthConf const autc = &ctx->lnk->lcp.auth.conf;
1953: int val;
1954:
1955: if (ac == 0)
1956: return(-1);
1957:
1958: switch ((intptr_t)arg) {
1959:
1960: case SET_AUTHNAME:
1961: strlcpy(autc->authname, *av, sizeof(autc->authname));
1962: break;
1963:
1964: case SET_PASSWORD:
1965: strlcpy(autc->password, *av, sizeof(autc->password));
1966: break;
1967:
1968: case SET_EXTAUTH_SCRIPT:
1969: Freee(autc->extauth_script);
1970: autc->extauth_script = Mstrdup(MB_AUTH, *av);
1971: break;
1972:
1973: case SET_EXTACCT_SCRIPT:
1974: Freee(autc->extacct_script);
1975: autc->extacct_script = Mstrdup(MB_AUTH, *av);
1976: break;
1977:
1978: case SET_MAX_LOGINS:
1979: gMaxLogins = atoi(av[0]);
1980: if (ac >= 2 && strcasecmp(av[1], "ci") == 0) {
1981: gMaxLoginsCI = 1;
1982: } else {
1983: gMaxLoginsCI = 0;
1984: }
1985: break;
1986:
1987: case SET_ACCT_UPDATE:
1988: val = atoi(*av);
1989: if (val < 0)
1990: Error("Update interval must be positive.");
1991: else
1992: autc->acct_update = val;
1993: break;
1994:
1995: case SET_ACCT_UPDATE_LIMIT_IN:
1996: case SET_ACCT_UPDATE_LIMIT_OUT:
1997: val = atoi(*av);
1998: if (val < 0)
1999: Error("Update suppression limit must be positive.");
2000: else {
2001: if ((intptr_t)arg == SET_ACCT_UPDATE_LIMIT_IN)
2002: autc->acct_update_lim_recv = val;
2003: else
2004: autc->acct_update_lim_xmit = val;
2005: }
2006: break;
2007:
2008: case SET_TIMEOUT:
2009: val = atoi(*av);
2010: if (val <= 20)
2011: Error("Authorization timeout must be greater then 20.");
2012: else
2013: autc->timeout = val;
2014: break;
2015:
2016: case SET_ACCEPT:
2017: AcceptCommand(ac, av, &autc->options, gConfList);
2018: break;
2019:
2020: case SET_DENY:
2021: DenyCommand(ac, av, &autc->options, gConfList);
2022: break;
2023:
2024: case SET_ENABLE:
2025: EnableCommand(ac, av, &autc->options, gConfList);
2026: break;
2027:
2028: case SET_DISABLE:
2029: DisableCommand(ac, av, &autc->options, gConfList);
2030: break;
2031:
2032: case SET_YES:
2033: YesCommand(ac, av, &autc->options, gConfList);
2034: break;
2035:
2036: case SET_NO:
2037: NoCommand(ac, av, &autc->options, gConfList);
2038: break;
2039:
2040: default:
2041: assert(0);
2042: }
2043:
2044: return(0);
2045: }
2046:
2047: /*
2048: * AuthExternal()
2049: *
2050: * Authenticate via call external script extauth-script
2051: */
2052:
2053: static int
2054: AuthExternal(AuthData auth)
2055: {
2056: char line[256];
2057: FILE *fp;
2058: char *attr, *val;
2059: int len;
2060:
2061: if (!auth->conf.extauth_script || !auth->conf.extauth_script[0]) {
2062: Log(LG_ERR, ("[%s] Ext-auth: Script not specified!",
2063: auth->info.lnkname));
2064: return (-1);
2065: }
2066: if (strchr(auth->params.authname, '\'') ||
2067: strchr(auth->params.authname, '\n')) {
2068: Log(LG_ERR, ("[%s] Ext-auth: Denied character in USER_NAME!",
2069: auth->info.lnkname));
2070: return (-1);
2071: }
2072: snprintf(line, sizeof(line), "%s '%s'",
2073: auth->conf.extauth_script, auth->params.authname);
2074: Log(LG_AUTH, ("[%s] Ext-auth: Invoking auth program: '%s'",
2075: auth->info.lnkname, line));
2076: if ((fp = popen(line, "r+")) == NULL) {
2077: Perror("Popen");
2078: return (-1);
2079: }
2080:
2081: /* SENDING REQUEST */
2082: fprintf(fp, "USER_NAME:%s\n", auth->params.authname);
2083: fprintf(fp, "AUTH_TYPE:%s", ProtoName(auth->proto));
2084: if (auth->proto == PROTO_CHAP) {
2085: switch (auth->alg) {
2086: case CHAP_ALG_MD5:
2087: fprintf(fp, " MD5\n");
2088: break;
2089: case CHAP_ALG_MSOFT:
2090: fprintf(fp, " MSOFT\n");
2091: break;
2092: case CHAP_ALG_MSOFTv2:
2093: fprintf(fp, " MSOFTv2\n");
2094: break;
2095: default:
2096: fprintf(fp, " 0x%02x\n", auth->alg);
2097: break;
2098: }
2099: } else
2100: fprintf(fp, "\n");
2101:
2102: if (auth->proto == PROTO_PAP)
2103: fprintf(fp, "USER_PASSWORD:%s\n", auth->params.pap.peer_pass);
2104:
2105: fprintf(fp, "ACCT_SESSION_ID:%s\n", auth->info.session_id);
2106: fprintf(fp, "LINK:%s\n", auth->info.lnkname);
2107: fprintf(fp, "NAS_PORT:%d\n", auth->info.linkID);
2108: fprintf(fp, "NAS_PORT_TYPE:%s\n", auth->info.phys_type->name);
2109: fprintf(fp, "CALLING_STATION_ID:%s\n", auth->params.callingnum);
2110: fprintf(fp, "CALLED_STATION_ID:%s\n", auth->params.callednum);
2111: fprintf(fp, "SELF_NAME:%s\n", auth->params.selfname);
2112: fprintf(fp, "PEER_NAME:%s\n", auth->params.peername);
2113: fprintf(fp, "SELF_ADDR:%s\n", auth->params.selfaddr);
2114: fprintf(fp, "PEER_ADDR:%s\n", auth->params.peeraddr);
2115: fprintf(fp, "PEER_PORT:%s\n", auth->params.peerport);
2116: fprintf(fp, "PEER_MAC_ADDR:%s\n", auth->params.peermacaddr);
2117: fprintf(fp, "PEER_IFACE:%s\n", auth->params.peeriface);
2118: fprintf(fp, "PEER_IDENT:%s\n", auth->info.peer_ident);
2119:
2120:
2121: /* REQUEST DONE */
2122: fprintf(fp, "\n");
2123:
2124: /* REPLY PROCESSING */
2125: auth->status = AUTH_STATUS_FAIL;
2126: while (fgets(line, sizeof(line), fp)) {
2127: /* trim trailing newline */
2128: len = strlen(line);
2129: if (len > 0 && line[len - 1] == '\n') {
2130: line[len - 1] = '\0';
2131: len--;
2132: }
2133:
2134: /* Empty line is the end marker */
2135: if (len == 0)
2136: break;
2137:
2138: /* split line on attr:value */
2139: val = line;
2140: attr = strsep(&val, ":");
2141:
2142: /* Log data w/o password */
2143: if (strcmp(attr, "USER_PASSWORD") != 0) {
2144: Log(LG_AUTH2, ("[%s] Ext-auth: attr:'%s', value:'%s'",
2145: auth->info.lnkname, attr, val));
2146: } else {
2147: Log(LG_AUTH2, ("[%s] Ext-auth: attr:'%s', value:'XXX'",
2148: auth->info.lnkname, attr));
2149: }
2150:
2151: if (strcmp(attr, "RESULT") == 0) {
2152: if (strcmp(val, "SUCCESS") == 0) {
2153: auth->status = AUTH_STATUS_SUCCESS;
2154: } else if (strcmp(val, "UNDEF") == 0) {
2155: auth->status = AUTH_STATUS_UNDEF;
2156: } else
2157: auth->status = AUTH_STATUS_FAIL;
2158:
2159: } else if (strcmp(attr, "USER_NAME") == 0) {
2160: strlcpy(auth->params.authname, val, sizeof(auth->params.authname));
2161:
2162: } else if (strcmp(attr, "USER_PASSWORD") == 0) {
2163: strlcpy(auth->params.password, val, sizeof(auth->params.password));
2164:
2165: } else if (strcmp(attr, "USER_NT_HASH") == 0) {
2166: if (strlen(val) != 32) {
2167: Log(LG_AUTH, ("[%s] Ext-auth: Incorrect USER_NT_HASH length", auth->info.lnkname));
2168: } else {
2169: u_char *bin = Hex2Bin(val);
2170: memcpy(auth->params.msoft.nt_hash, bin, sizeof(auth->params.msoft.nt_hash));
2171: Freee(bin);
2172: NTPasswordHashHash(auth->params.msoft.nt_hash, auth->params.msoft.nt_hash_hash);
2173: auth->params.msoft.has_nt_hash = TRUE;
2174: }
2175:
2176: } else if (strcmp(attr, "USER_LM_HASH") == 0) {
2177: if (strlen(val) != 32) {
2178: Log(LG_AUTH, ("[%s] Ext-auth: Incorrect USER_LM_HASH length", auth->info.lnkname));
2179: } else {
2180: u_char *bin = Hex2Bin(val);
2181: memcpy(auth->params.msoft.lm_hash, bin, sizeof(auth->params.msoft.lm_hash));
2182: Freee(bin);
2183: auth->params.msoft.has_lm_hash = TRUE;
2184: }
2185:
2186: } else if (strcmp(attr, "FRAMED_IP_ADDRESS") == 0) {
2187: auth->params.range_valid =
2188: ParseRange(val, &auth->params.range, ALLOW_IPV4);
2189:
2190: } else if (strcmp(attr, "PRIMARY_DNS_SERVER") == 0) {
2191: inet_pton(AF_INET, val, &auth->params.peer_dns[0]);
2192:
2193: } else if (strcmp(attr, "SECONDARY_DNS_SERVER") == 0) {
2194: inet_pton(AF_INET, val, &auth->params.peer_dns[1]);
2195:
2196: } else if (strcmp(attr, "PRIMARY_NBNS_SERVER") == 0) {
2197: inet_pton(AF_INET, val, &auth->params.peer_nbns[0]);
2198:
2199: } else if (strcmp(attr, "SECONDARY_NBNS_SERVER") == 0) {
2200: inet_pton(AF_INET, val, &auth->params.peer_nbns[1]);
2201:
2202: } else if (strcmp(attr, "FRAMED_ROUTE") == 0) {
2203: struct u_range range;
2204:
2205: if (!ParseRange(val, &range, ALLOW_IPV4)) {
2206: Log(LG_AUTH, ("[%s] Ext-auth: FRAMED_ROUTE: Bad route \"%s\"",
2207: auth->info.lnkname, val));
2208: } else {
2209: struct ifaceroute *r, *r1;
2210: int j;
2211:
2212: r = Malloc(MB_AUTH, sizeof(struct ifaceroute));
2213: r->dest = range;
2214: r->ok = 0;
2215: j = 0;
2216: SLIST_FOREACH(r1, &auth->params.routes, next) {
2217: if (!u_rangecompare(&r->dest, &r1->dest)) {
2218: Log(LG_AUTH, ("[%s] Ext-auth: Duplicate route", auth->info.lnkname));
2219: j = 1;
2220: }
2221: };
2222: if (j == 0) {
2223: SLIST_INSERT_HEAD(&auth->params.routes, r, next);
2224: } else {
2225: Freee(r);
2226: }
2227: }
2228:
2229: } else if (strcmp(attr, "FRAMED_IPV6_ROUTE") == 0) {
2230: struct u_range range;
2231:
2232: if (!ParseRange(val, &range, ALLOW_IPV6)) {
2233: Log(LG_AUTH, ("[%s] Ext-auth: FRAMED_IPV6_ROUTE: Bad route \"%s\"",
2234: auth->info.lnkname, val));
2235: } else {
2236: struct ifaceroute *r, *r1;
2237: int j;
2238:
2239: r = Malloc(MB_AUTH, sizeof(struct ifaceroute));
2240: r->dest = range;
2241: r->ok = 0;
2242: j = 0;
2243: SLIST_FOREACH(r1, &auth->params.routes, next) {
2244: if (!u_rangecompare(&r->dest, &r1->dest)) {
2245: Log(LG_AUTH, ("[%s] Ext-auth: Duplicate route", auth->info.lnkname));
2246: j = 1;
2247: }
2248: };
2249: if (j == 0) {
2250: SLIST_INSERT_HEAD(&auth->params.routes, r, next);
2251: } else {
2252: Freee(r);
2253: }
2254: }
2255:
2256: } else if (strcmp(attr, "SESSION_TIMEOUT") == 0) {
2257: auth->params.session_timeout = atoi(val);
2258:
2259: } else if (strcmp(attr, "IDLE_TIMEOUT") == 0) {
2260: auth->params.idle_timeout = atoi(val);
2261:
2262: } else if (strcmp(attr, "ACCT_INTERIM_INTERVAL") == 0) {
2263: auth->params.acct_update = atoi(val);
2264:
2265: } else if (strcmp(attr, "ACCT_INTERIM_LIM_RECV") == 0) {
2266: auth->params.acct_update_lim_recv = atoi(val);
2267:
2268: } else if (strcmp(attr, "ACCT_INTERIM_LIM_XMIT") == 0) {
2269: auth->params.acct_update_lim_xmit = atoi(val);
2270:
2271: } else if (strcmp(attr, "FRAMED_MTU") == 0) {
2272: auth->params.mtu = atoi(val);
2273:
2274: } else if (strcmp(attr, "FRAMED_COMPRESSION") == 0) {
2275: if (atoi(val) == 1)
2276: auth->params.vjc_enable = 1;
2277:
2278: } else if (strcmp(attr, "FRAMED_POOL") == 0) {
2279: strlcpy(auth->params.ippool, val, sizeof(auth->params.ippool));
2280:
2281: } else if (strcmp(attr, "REPLY_MESSAGE") == 0) {
2282: Freee(auth->reply_message);
2283: auth->reply_message = Mstrdup(MB_AUTH, val);
2284:
2285: } else if (strcmp(attr, "MS_CHAP_ERROR") == 0) {
2286: Freee(auth->mschap_error);
2287: /* "E=%d R=0 M=%s" */
2288: auth->mschap_error = Mstrdup(MB_AUTH, val);
2289:
2290: } else if (strcmp(attr, "MPD_ACTION") == 0) {
2291: strlcpy(auth->params.action, val, sizeof(auth->params.action));
2292:
2293: } else if (strcmp(attr, "MPD_IFACE_NAME") == 0) {
2294: strlcpy(auth->params.ifname, val, sizeof(auth->params.ifname));
2295:
2296: #ifdef SIOCSIFDESCR
2297: } else if (strcmp(attr, "MPD_IFACE_DESCR") == 0) {
2298: Freee(auth->params.ifdescr);
2299: auth->params.ifdescr = Mstrdup(MB_AUTH, val);
2300: #endif /* SIOCSIFDESCR */
2301: #ifdef SIOCAIFGROUP
2302: } else if (strcmp(attr, "MPD_IFACE_GROUP") == 0) {
2303: strlcpy(auth->params.ifgroup, val, sizeof(auth->params.ifgroup));
2304: #endif
2305: #if defined(USE_IPFW) || defined(USE_NG_BPF)
2306: } else if (strncmp(attr, "MPD_", 4) == 0) {
2307: struct acl **acls, *acls1;
2308: char *acl1, *acl2, *acl3;
2309: int i;
2310:
2311: acl1 = NULL;
2312: acls = NULL;
2313: #ifdef USE_IPFW
2314: if (strcmp(attr, "MPD_RULE") == 0) {
2315: acl1 = val;
2316: acls = &(auth->params.acl_rule);
2317: } else if (strcmp(attr, "MPD_PIPE") == 0) {
2318: acl1 = val;
2319: acls = &(auth->params.acl_pipe);
2320: } else if (strcmp(attr, "MPD_QUEUE") == 0) {
2321: acl1 = val;
2322: acls = &(auth->params.acl_queue);
2323: } else if (strcmp(attr, "MPD_TABLE") == 0) {
2324: acl1 = val;
2325: acls = &(auth->params.acl_table);
2326: } else if (strcmp(attr, "MPD_TABLE_STATIC") == 0) {
2327: acl1 = val;
2328: acls = &(auth->params.acl_table);
2329: } else
2330: #endif /* USE_IPFW */
2331: #ifdef USE_NG_BPF
2332: if (strcmp(attr, "MPD_FILTER") == 0) {
2333: acl1 = val;
2334: acl2 = strsep(&acl1, "#");
2335: i = atol(acl2);
2336: if (i <= 0 || i > ACL_FILTERS) {
2337: Log(LG_ERR, ("[%s] Ext-auth: wrong filter number: %i",
2338: auth->info.lnkname, i));
2339: continue;
2340: }
2341: acls = &(auth->params.acl_filters[i - 1]);
2342: } else if (strcmp(attr, "MPD_LIMIT") == 0) {
2343: acl1 = val;
2344: acl2 = strsep(&acl1, "#");
2345: if (strcasecmp(acl2, "in") == 0) {
2346: i = 0;
2347: } else if (strcasecmp(acl2, "out") == 0) {
2348: i = 1;
2349: } else {
2350: Log(LG_ERR, ("[%s] Ext-auth: wrong limit direction: '%s'",
2351: auth->info.lnkname, acl2));
2352: continue;
2353: }
2354: acls = &(auth->params.acl_limits[i]);
2355: } else {
2356: Log(LG_ERR, ("[%s] Ext-auth: Dropping MPD vendor specific attribute: '%s'",
2357: auth->info.lnkname, attr));
2358: continue;
2359: }
2360: #endif /* USE_NG_BPF */
2361:
2362: if (acl1 == NULL) {
2363: Log(LG_ERR, ("[%s] Ext-auth: incorrect acl!",
2364: auth->info.lnkname));
2365: continue;
2366: }
2367:
2368: acl3 = acl1;
2369: strsep(&acl3, "=");
2370: acl2 = acl1;
2371: strsep(&acl2, "#");
2372: i = atol(acl1);
2373: if (i <= 0) {
2374: Log(LG_ERR, ("[%s] Ext-auth: wrong acl number: %i",
2375: auth->info.lnkname, i));
2376: continue;
2377: }
2378: if ((acl3 == NULL) || (acl3[0] == 0)) {
2379: Log(LG_ERR, ("[%s] Ext-auth: wrong acl", auth->info.lnkname));
2380: continue;
2381: }
2382: acls1 = Malloc(MB_AUTH, sizeof(struct acl) + strlen(acl3));
2383: if (strcmp(attr, "MPD_TABLE_STATIC") != 0) {
2384: acls1->number = i;
2385: acls1->real_number = 0;
2386: } else {
2387: acls1->number = 0;
2388: acls1->real_number = i;
2389: }
2390: if (acl2)
2391: strlcpy(acls1->name, acl2, sizeof(acls1->name));
2392: strcpy(acls1->rule, acl3);
2393: while ((*acls != NULL) && ((*acls)->number < acls1->number))
2394: acls = &((*acls)->next);
2395:
2396: if (*acls == NULL) {
2397: acls1->next = NULL;
2398: } else if (((*acls)->number == acls1->number) &&
2399: (strcmp(attr, "MPD_TABLE") != 0) &&
2400: (strcmp(attr, "MPD_TABLE_STATIC") != 0)) {
2401: Log(LG_ERR, ("[%s] Ext-auth: duplicate acl",
2402: auth->info.lnkname));
2403: continue;
2404: } else {
2405: acls1->next = *acls;
2406: }
2407: *acls = acls1;
2408: #endif /* USE_IPFW or USE_NG_BPF */
2409:
2410: } else {
2411: Log(LG_ERR, ("[%s] Ext-auth: Unknown attr:'%s'",
2412: auth->info.lnkname, attr));
2413: }
2414: }
2415:
2416: pclose(fp);
2417: return (0);
2418: }
2419:
2420: /*
2421: * AuthExternalAcct()
2422: *
2423: * Accounting via call external script extacct-script
2424: */
2425:
2426: static int
2427: AuthExternalAcct(AuthData auth)
2428: {
2429: char line[256];
2430: FILE *fp;
2431: char *attr, *val;
2432: int len;
2433:
2434: if (!auth->conf.extacct_script || !auth->conf.extacct_script[0]) {
2435: Log(LG_ERR, ("[%s] Ext-acct: Script not specified!",
2436: auth->info.lnkname));
2437: return (-1);
2438: }
2439: if (strchr(auth->params.authname, '\'') ||
2440: strchr(auth->params.authname, '\n')) {
2441: Log(LG_ERR, ("[%s] Ext-acct: Denied character in USER_NAME!",
2442: auth->info.lnkname));
2443: return (-1);
2444: }
2445: snprintf(line, sizeof(line), "%s '%s'",
2446: auth->conf.extacct_script, auth->params.authname);
2447: Log(LG_AUTH, ("[%s] Ext-acct: Invoking acct program: '%s'",
2448: auth->info.lnkname, line));
2449: if ((fp = popen(line, "r+")) == NULL) {
2450: Perror("Popen");
2451: return (-1);
2452: }
2453:
2454: /* SENDING REQUEST */
2455: fprintf(fp, "ACCT_STATUS_TYPE:%s\n",
2456: (auth->acct_type == AUTH_ACCT_START)?
2457: "START":((auth->acct_type == AUTH_ACCT_STOP)?
2458: "STOP":"UPDATE"));
2459:
2460: fprintf(fp, "ACCT_SESSION_ID:%s\n", auth->info.session_id);
2461: fprintf(fp, "ACCT_MULTI_SESSION_ID:%s\n", auth->info.msession_id);
2462: fprintf(fp, "USER_NAME:%s\n", auth->params.authname);
2463: fprintf(fp, "IFACE:%s\n", auth->info.ifname);
2464: fprintf(fp, "IFACE_INDEX:%d\n", auth->info.ifindex);
2465: fprintf(fp, "BUNDLE:%s\n", auth->info.bundname);
2466: fprintf(fp, "LINK:%s\n", auth->info.lnkname);
2467: fprintf(fp, "NAS_PORT:%d\n", auth->info.linkID);
2468: fprintf(fp, "NAS_PORT_TYPE:%s\n", auth->info.phys_type->name);
2469: fprintf(fp, "ACCT_LINK_COUNT:%d\n", auth->info.n_links);
2470: fprintf(fp, "CALLING_STATION_ID:%s\n", auth->params.callingnum);
2471: fprintf(fp, "CALLED_STATION_ID:%s\n", auth->params.callednum);
2472: fprintf(fp, "SELF_NAME:%s\n", auth->params.selfname);
2473: fprintf(fp, "PEER_NAME:%s\n", auth->params.peername);
2474: fprintf(fp, "SELF_ADDR:%s\n", auth->params.selfaddr);
2475: fprintf(fp, "PEER_ADDR:%s\n", auth->params.peeraddr);
2476: fprintf(fp, "PEER_PORT:%s\n", auth->params.peerport);
2477: fprintf(fp, "PEER_MAC_ADDR:%s\n", auth->params.peermacaddr);
2478: fprintf(fp, "PEER_IFACE:%s\n", auth->params.peeriface);
2479: fprintf(fp, "PEER_IDENT:%s\n", auth->info.peer_ident);
2480:
2481: fprintf(fp, "FRAMED_IP_ADDRESS:%s\n",
2482: inet_ntoa(auth->info.peer_addr));
2483:
2484: if (auth->acct_type == AUTH_ACCT_STOP)
2485: fprintf(fp, "ACCT_TERMINATE_CAUSE:%s\n", auth->info.downReason);
2486:
2487: if (auth->acct_type != AUTH_ACCT_START) {
2488: #ifdef USE_NG_BPF
2489: struct svcstatrec *ssr;
2490: #endif
2491: fprintf(fp, "ACCT_SESSION_TIME:%ld\n",
2492: (long int)(time(NULL) - auth->info.last_up));
2493: fprintf(fp, "ACCT_INPUT_OCTETS:%llu\n",
2494: (long long unsigned)auth->info.stats.recvOctets);
2495: fprintf(fp, "ACCT_INPUT_PACKETS:%llu\n",
2496: (long long unsigned)auth->info.stats.recvFrames);
2497: fprintf(fp, "ACCT_OUTPUT_OCTETS:%llu\n",
2498: (long long unsigned)auth->info.stats.xmitOctets);
2499: fprintf(fp, "ACCT_OUTPUT_PACKETS:%llu\n",
2500: (long long unsigned)auth->info.stats.xmitFrames);
2501: #ifdef USE_NG_BPF
2502: SLIST_FOREACH(ssr, &auth->info.ss.stat[0], next) {
2503: fprintf(fp, "MPD_INPUT_OCTETS:%s:%llu\n",
2504: ssr->name, (long long unsigned)ssr->Octets);
2505: fprintf(fp, "MPD_INPUT_PACKETS:%s:%llu\n",
2506: ssr->name, (long long unsigned)ssr->Packets);
2507: }
2508: SLIST_FOREACH(ssr, &auth->info.ss.stat[1], next) {
2509: fprintf(fp, "MPD_OUTPUT_OCTETS:%s:%llu\n",
2510: ssr->name, (long long unsigned)ssr->Octets);
2511: fprintf(fp, "MPD_OUTPUT_PACKETS:%s:%llu\n",
2512: ssr->name, (long long unsigned)ssr->Packets);
2513: }
2514: #endif /* USE_NG_BPF */
2515: }
2516:
2517: /* REQUEST DONE */
2518: fprintf(fp, "\n");
2519:
2520: /* REPLY PROCESSING */
2521: while (fgets(line, sizeof(line), fp)) {
2522: /* trim trailing newline */
2523: len = strlen(line);
2524: if (len > 0 && line[len - 1] == '\n') {
2525: line[len - 1] = '\0';
2526: len--;
2527: }
2528:
2529: /* Empty line is the end marker */
2530: if (len == 0)
2531: break;
2532:
2533: /* split line on attr:value */
2534: val = line;
2535: attr = strsep(&val, ":");
2536:
2537: Log(LG_AUTH2, ("[%s] Ext-acct: attr:'%s', value:'%s'",
2538: auth->info.lnkname, attr, val));
2539:
2540: if (strcmp(attr, "MPD_DROP_USER") == 0) {
2541: auth->drop_user = atoi(val);
2542:
2543: } else {
2544: Log(LG_ERR, ("[%s] Ext-acct: Unknown attr:'%s'",
2545: auth->info.lnkname, attr));
2546: }
2547: }
2548:
2549: pclose(fp);
2550: return (0);
2551: }
FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>
![[BACK]](/icons/cvsweb/back.gif){kind=icon}
Return to auth.c CVS log ![[TXT]](/icons/cvsweb/text.gif){kind=icon}
![[DIR]](/icons/cvsweb/dir.gif){kind=icon}
Up to [ELWIX - Embedded LightWeight unIX -] / embedaddon / mpd / src