X-Git-Url: http://git.sameswireless.fr/l2tpns.git/blobdiff_plain/4db668744a024bb055695bc310bec0abc357be87..c07a2e8553cada19c523ef9aa07581ae8dd6a71f:/ppp.c?ds=sidebyside

diff --git a/ppp.c b/ppp.c
index fbc72d8..fb63d88 100644
--- a/ppp.c
+++ b/ppp.c
@@ -1,6 +1,6 @@
 // L2TPNS PPP Stuff
 
-char const *cvs_id_ppp = "$Id: ppp.c,v 1.47 2005-04-27 13:53:17 bodea Exp $";
+char const *cvs_id_ppp = "$Id: ppp.c,v 1.50 2005-05-07 08:53:23 bodea Exp $";
 
 #include <stdio.h>
 #include <string.h>
@@ -77,7 +77,7 @@ void processpap(tunnelidt t, sessionidt s, uint8_t *p, uint16_t l)
 		}
 		LOG(3, s, t, "PAP login %s/%s\n", user, pass);
 	}
-	if (session[s].ip || !session[s].radius)
+	if (session[s].ip || !sess_local[s].radius)
 	{
 		// respond now, either no RADIUS available or already authenticated
 		uint8_t b[MAXCONTROL];
@@ -110,7 +110,7 @@ void processpap(tunnelidt t, sessionidt s, uint8_t *p, uint16_t l)
 	else
 	{
 		// set up RADIUS request
-		uint16_t r = session[s].radius;
+		uint16_t r = sess_local[s].radius;
 
 		// Run PRE_AUTH plugins
 		struct param_pre_auth packet = { &tunnel[t], &session[s], strdup(user), strdup(pass), PPPPAP, 1 };
@@ -144,7 +144,7 @@ void processchap(tunnelidt t, sessionidt s, uint8_t *p, uint16_t l)
 	CSTAT(processchap);
 
 	LOG_HEX(5, "CHAP", p, l);
-	r = session[s].radius;
+	r = sess_local[s].radius;
 	if (!r)
 	{
 		LOG(1, s, t, "Unexpected CHAP message\n");
@@ -279,8 +279,14 @@ static void dumplcp(uint8_t *p, int l)
 				{
 					int proto = ntohs(*(uint16_t *)(o + 2));
 					LOG(4, 0, 0, "   %s 0x%x (%s)\n", lcp_type(type), proto,
-						proto == PPPCHAP ? "CHAP" :
-						proto == PPPPAP  ? "PAP"  : "UNKNOWN");
+						proto == PPPPAP  ? "PAP"  : "UNSUPPORTED");
+				}
+				else if (length == 5)
+				{
+					int proto = ntohs(*(uint16_t *)(o + 2));
+					int algo = *(uint8_t *)(o + 4);
+					LOG(4, 0, 0, "   %s 0x%x 0x%x (%s)\n", lcp_type(type), proto, algo,
+						(proto == PPPCHAP && algo == 5) ? "CHAP MD5"  : "UNSUPPORTED");
 				}
 				else
 					LOG(4, 0, 0, "   %s odd length %d\n", lcp_type(type), length);
@@ -398,17 +404,28 @@ void processlcp(tunnelidt t, sessionidt s, uint8_t *p, uint16_t l)
 					{
 						int proto = ntohs(*(uint16_t *)(o + 2));
 						char proto_name[] = "0x0000";
+
 						if (proto == PPPPAP)
-							break;
+						{
+							if (config->radius_authtypes & AUTHPAP)
+								break;
 
-						if (response && *response != ConfigNak) // rej already queued
-							break;
+							strcpy(proto_name, "PAP");
+						}
+						else if (proto == PPPCHAP)
+						{
+							if (config->radius_authtypes & AUTHCHAP
+							    && *(o + 4) == 5) // MD5
+								break;
 
-						if (proto == PPPCHAP)
 							strcpy(proto_name, "CHAP");
+						}
 						else
 							sprintf(proto_name, "%#4.4x", proto);
 
+						if (response && *response != ConfigNak) // rej already queued
+							break;
+
 						LOG(2, s, t, "    Remote requesting %s authentication.  Rejecting.\n", proto_name);
 
 						if (!response)
@@ -419,16 +436,27 @@ void processlcp(tunnelidt t, sessionidt s, uint8_t *p, uint16_t l)
 							q += 4;
 						}
 
-						if ((q - b + length) > sizeof(b))
+						if ((q - b + 5) > sizeof(b)) // 5 is the larger (CHAP+MD5) of the two NAKs
 						{
 							LOG(2, s, t, "LCP overflow for %s ConfigNak.\n", proto_name);
 							break;
 						}
 
-						memcpy(q, o, length);
-						*(uint16_t *)(q += 2) = htons(PPPPAP); // NAK -> Use PAP instead
-						q += length;
-						*((uint16_t *) (response + 2)) = htons(q - response);
+						*q++ = type;
+						if (config->radius_authprefer == AUTHCHAP)
+						{
+							*q++ = 5;
+							*(uint16_t *) q = htons(PPPCHAP); q += 2;
+							*q++ = 5; // MD5
+						}
+						else
+						{
+							*q++ = 4;
+							*(uint16_t *) q = htons(PPPPAP); q += 2;
+						}
+
+						*((uint16_t *) (response + 2)) = htons(q - response); // LCP header length
+						break;
 					}
 					break;
 
@@ -483,7 +511,7 @@ void processlcp(tunnelidt t, sessionidt s, uint8_t *p, uint16_t l)
 	{
 		LOG(1, s, t, "Remote end sent a ConfigNak.  Ignoring\n");
 		if (config->debug > 3) dumplcp(p, l);
-		return ;
+		return;
 	}
 	else if (*p == TerminateReq)
 	{
@@ -592,7 +620,7 @@ void processipcp(tunnelidt t, sessionidt s, uint8_t *p, uint16_t l)
 	if (*p == ConfigAck)
 	{
 		// happy with our IPCP
-		uint16_t r = session[s].radius;
+		uint16_t r = sess_local[s].radius;
 		if ((!r || radius[r].state == RADIUSIPCP) && !session[s].walled_garden)
 		{
 			if (!r)
@@ -1084,9 +1112,8 @@ void processccp(tunnelidt t, sessionidt s, uint8_t *p, uint16_t l)
 void sendchap(tunnelidt t, sessionidt s)
 {
 	uint8_t b[MAXCONTROL];
-	uint16_t r = session[s].radius;
+	uint16_t r = sess_local[s].radius;
 	uint8_t *q;
-	uint8_t *l;
 
 	CSTAT(sendchap);
 
@@ -1099,8 +1126,6 @@ void sendchap(tunnelidt t, sessionidt s)
 
 	LOG(1, s, t, "Send CHAP challenge\n");
 
-	// new challenge
-	random_data(radius[r].auth, sizeof(radius[r].auth));
 	radius[r].chap = 1;		// CHAP not PAP
 	radius[r].id++;
 	if (radius[r].state != RADIUSCHAP)
@@ -1174,6 +1199,7 @@ uint8_t *makeppp(uint8_t *b, int size, uint8_t *p, int l, tunnelidt t, sessionid
 void initlcp(tunnelidt t, sessionidt s)
 {
 	char b[500], *q;
+	int size;
 
 	if (!(q = makeppp(b, sizeof(b), NULL, 0, t, s, PPPLCP)))
 		return;
@@ -1186,11 +1212,22 @@ void initlcp(tunnelidt t, sessionidt s)
 	*(uint8_t *)(q + 5) = 6;
 	*(uint32_t *)(q + 6) = htonl(session[s].magic);
 	*(uint8_t *)(q + 10) = 3;
-	*(uint8_t *)(q + 11) = 4;
-	*(uint16_t *)(q + 12) = htons(PPPPAP); // PAP
+	if (config->radius_authprefer == AUTHCHAP)
+	{
+		*(uint8_t *)(q + 11) = 5;
+		*(uint16_t *)(q + 12) = htons(PPPCHAP);
+		*(uint8_t *)(q + 14) = 5; // MD5
+		size = 15;
+	}
+	else
+	{
+		*(uint8_t *)(q + 11) = 4;
+		*(uint16_t *)(q + 12) = htons(PPPPAP);
+		size = 14;
+	}
 
-	LOG_HEX(5, "PPPLCP", q, 14);
-	tunnelsend(b, (q - b) + 14, t);
+	LOG_HEX(5, "PPPLCP", q, size);
+	tunnelsend(b, (q - b) + size, t);
 }
 
 // Send CCP request for no compression