Allow forcing of local_ip:remote_ip in pap-secrets

and chap-secrets files. This allows specific users to have pre-allocated IP numbers while others get assigned dynamically. Submitted by: David Nugent <davidn@unique.usn.blaze.net.au>
svn path=/head/; revision=24845
2025-01-04 12:52:15 +00:00 · 1997-04-13 01:07:00 +00:00 · 1997-04-13 01:07:00 +00:00 · 86fdcdef07 · 2020-12-20 02:59:44 +00:00
commit 86fdcdef07
parent 4ed9958f49
2 changed files with 64 additions and 18 deletions
--- a/usr.sbin/pppd/auth.c
+++ b/usr.sbin/pppd/auth.c
@ -33,7 +33,7 @@
 */

 #ifndef lint
-static char rcsid[] = "$Id$";
+static char rcsid[] = "$Id: auth.c,v 1.12 1997/02/22 16:11:32 peter Exp $";
 #endif

 #include <stdio.h>
@ -91,6 +91,7 @@ struct wordlist {
 /* Records which authentication operations haven't completed yet. */
 static int auth_pending[NUM_PPP];
 static int logged_in;
+static int non_wildclient =0;	/* not wild nor blank */
 static struct wordlist *addresses[NUM_PPP];

 /* Bits in auth_pending[] */
@ -112,6 +113,7 @@ static int  have_chap_secret __P((char *, char *));
 static int  scan_authfile __P((FILE *, char *, char *, char *,
 				  struct wordlist **, char *));
 static void free_wordlist __P((struct wordlist *));
+static void auth_set_ip_addr __P((int));

 /*
 * An Open on LCP has requested a change from Dead to Establish phase.
@ -254,6 +256,12 @@ auth_peer_success(unit, protocol)
 	return;
    }

+    /*
+     * If we have overridden addresses based on auth info
+     * then set that information now before continuing
+     */
+    auth_set_ip_addr(unit);
+
    /*
     * If there is no more authentication still to be done,
     * proceed to the network phase.
@ -301,6 +309,12 @@ auth_withpeer_success(unit, protocol)
 	bit = 0;
    }

+    /*
+     * If we have overridden addresses based on auth info
+     * then set that information now before continuing
+     */
+    auth_set_ip_addr(unit);
+
    /*
     * If there is no more authentication still being done,
     * proceed to the network phase.
@ -740,6 +754,27 @@ get_secret(unit, client, server, secret, secret_len, save_addrs)
    return 1;
 }

+
+static void
+auth_set_ip_addr(unit)
+    int unit;
+{
+    struct wordlist *addrs;
+
+    if (non_wildclient && (addrs = addresses[unit]) != NULL) {
+	for (; addrs != NULL; addrs = addrs->next) {
+	    /*
+	     * Look for address overrides, and set them if we have any
+	     */
+	    if (strchr(addrs->word, ':') != NULL) {
+		if (setipaddr(addrs->word))
+		    break;
+	    }
+	}
+    }
+}
+
+
 /*
 * auth_ip_addr - check whether the peer is authorized to use
 * a given IP address.  Returns 1 if authorized, 0 otherwise.
@ -749,6 +784,7 @@ auth_ip_addr(unit, addr)
    int unit;
    u_int32_t addr;
 {
+    int x, y;
    u_int32_t a;
    struct hostent *hp;
    struct wordlist *addrs;
@ -757,25 +793,31 @@ auth_ip_addr(unit, addr)
    if (bad_ip_adrs(addr))
 	return 0;

-    if ((addrs = addresses[unit]) == NULL)
-	return 1;		/* no restriction */
-
-    for (; addrs != NULL; addrs = addrs->next) {
+    x = y = 0;
+    for (addrs = addresses[unit]; addrs != NULL; addrs = addrs->next, y++) {
 	/* "-" means no addresses authorized */
 	if (strcmp(addrs->word, "-") == 0)
 	    break;
-	if ((a = inet_addr(addrs->word)) == -1) {
-	    if ((hp = gethostbyname(addrs->word)) == NULL) {
-		syslog(LOG_WARNING, "unknown host %s in auth. address list",
-		       addrs->word);
-		continue;
-	    } else
-		a = *(u_int32_t *)hp->h_addr;
+	/*
+	 * A colon in the string means that we wish to force a specific
+	 * local:remote address, but we ignore these for now
+	 */
+	if (strchr(addrs->word, ':') != NULL)
+	    x++;
+	else {
+	    if ((a = inet_addr(addrs->word)) == -1) {
+		if ((hp = gethostbyname(addrs->word)) == NULL) {
+		    syslog(LOG_WARNING, "unknown host %s in auth. address list",
+			   addrs->word);
+		    continue;
+		} else
+		    a = *(u_int32_t *)hp->h_addr;
+	    }
+	    if (addr == a)
+		return 1;
 	}
-	if (addr == a)
-	    return 1;
    }
-    return 0;			/* not in list => can't have it */
+    return x == y;		/* not in list => can't have it */
 }

 /*
@ -943,6 +985,7 @@ scan_authfile(f, client, server, secret, addrs, filename)
    else if (addr_list != NULL)
 	free_wordlist(addr_list);

+    non_wildclient = (best_flag & NONWILD_CLIENT) && *client != '\0';
    return best_flag;
 }

--- a/usr.sbin/pppd/pppd.8
+++ b/usr.sbin/pppd/pppd.8
@ -1,5 +1,5 @@
 .\" manual page [] for pppd 2.0
-.\" $Id$
+.\" $Id: pppd.8,v 1.9 1997/02/22 16:11:54 peter Exp $
 .\" SH section heading
 .\" SS subsection heading
 .\" LP paragraph
@ -497,8 +497,11 @@ directions if desired.
 A secrets file is parsed into words as for a options file.  A secret
 is specified by a line containing at least 3 words, in the order
 client name, server name, secret.  Any following words on the same line are
-taken to be a list of acceptable IP addresses for that client.  If
-there are only 3 words on the line, it is assumed that any IP address
+taken to be a list of acceptable IP addresses for that client, or an
+override for "local:remote" addresses (the same format used on the
+command line or in the options file) when on a line that contains a
+specific client name (not a wildcard nor empty).
+If there are only 3 words on the line, it is assumed that any IP address
 is OK; to disallow all IP addresses, use "-".  If the secret starts
 with an `@', what follows is assumed to be the name of a file from
 which to read the secret.  A "*" as the client or server name matches