authorGuillaume Nault <g.nault@alphalink.fr>2018-11-19 17:44:36 +0100
committerDmitry Kozlov <xeb@mail.ru>2018-11-27 09:56:54 +0300
commit75a880700071b9d8a4a36f7c0beae5220e8c4853 (patch)
tree7d3176ad26729bbb0857793a5198eb4e8ebdc0e5 /accel-pppd/ppp
parent9ccaedcacc5ab257b18bdac4e35d4ed96a3dad08 (diff)
lcp: reject Authentication-Protocol option in Configure-Request packets
If we receive a Configure-Request packet, that means the peer wants us to authenticate to him. However, none of our authentication backends (PAP, CHAP and MSCHAP v1/v2) supports authenticating ourself to the peer. Therefore, the LCP negotiation completes, but we hang in the authentication phase because accel-ppp never sends any credential. We should reject the Authentication-Protocol option found in Configure-Request packets sent by the peer. This way, the peer knows that we won't authenticate to him. Then it's up to him to keep connecting without authentication from our side or to drop the connection. This doesn't change the way we request the peer to authenticate to us. That part of the negotiation is handled by Configure-Request packets that are sent by us (not those sent by the peer). In practice some PPP clients wouldn't connect with the previous behaviour, but are perfectly happy with their Authentication-Protocol option being rejected. They just resend their Configure-Request without requesting authentication from our side. Also, since the peer_auth field of struct auth_option_t is never set anymore, we can remove the conditionals in auth_recv_conf_nak() and auth_recv_conf_rej(). Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
Diffstat (limited to 'accel-pppd/ppp')
-rw-r--r--accel-pppd/ppp/ppp_auth.c53
1 files changed, 1 insertions, 52 deletions
diff --git a/accel-pppd/ppp/ppp_auth.c b/accel-pppd/ppp/ppp_auth.c
index 5924899..c475dad 100644
--- a/accel-pppd/ppp/ppp_auth.c
+++ b/accel-pppd/ppp/ppp_auth.c
@@ -39,7 +39,6 @@ struct auth_option_t
struct lcp_option_t opt;
struct list_head auth_list;
struct auth_data_t *auth;
- struct auth_data_t *peer_auth;
int started:1;
};
@@ -142,57 +141,11 @@ static int auth_send_conf_req(struct ppp_lcp_t *lcp, struct lcp_option_t *opt, u
static int auth_recv_conf_req(struct ppp_lcp_t *lcp, struct lcp_option_t *opt, uint8_t *ptr)
{
- struct auth_option_t *auth_opt = container_of(opt,typeof(*auth_opt),opt);
- struct lcp_opt16_t *opt16 = (struct lcp_opt16_t*)ptr;
- struct auth_data_t *d;
- int r;
-
- if (auth_opt->started) {
- if (!auth_opt->auth)
- return LCP_OPT_REJ;
-
- if (!ptr || ntohs(opt16->val) != auth_opt->auth->proto)
- return LCP_OPT_NAK;
-
- return LCP_OPT_ACK;
- }
-
- if (list_empty(&auth_opt->auth_list))
- return LCP_OPT_REJ;
-
- if (!ptr)
- return LCP_OPT_ACK;
-
-
- list_for_each_entry(d, &auth_opt->auth_list, entry) {
- if (d->proto == ntohs(opt16->val)) {
- r = d->h->recv_conf_req(lcp->ppp, d, (uint8_t*)(opt16 + 1));
- if (r == LCP_OPT_FAIL)
- return LCP_OPT_FAIL;
- if (r == LCP_OPT_REJ)
- break;
- auth_opt->peer_auth = d;
- return r;
- }
- }
-
- list_for_each_entry(d, &auth_opt->auth_list, entry) {
- if (d->state != LCP_OPT_NAK) {
- auth_opt->peer_auth = d;
- return LCP_OPT_NAK;
- }
- }
-
- log_ppp_error("cann't negotiate authentication type\n");
- return LCP_OPT_FAIL;
+ return LCP_OPT_REJ;
}
static int auth_recv_conf_ack(struct ppp_lcp_t *lcp, struct lcp_option_t *opt, uint8_t *ptr)
{
- struct auth_option_t *auth_opt = container_of(opt, typeof(*auth_opt), opt);
-
- auth_opt->peer_auth = NULL;
-
return 0;
}
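Review bot: The new body of `auth_recv_conf_req` returns `LCP_OPT_REJ` on every call, including `ptr == NULL`, a case the removed code could answer with `LCP_OPT_ACK` (`if (!ptr) return LCP_OPT_ACK;`). The caller is not visible in this hunk, so it is worth confirming that the LCP layer either never invokes this handler with a NULL `ptr` or treats a reject for an option the peer did not send as harmless. The bare return also reads like a stub, so a comment above it such as `/* We never authenticate ourselves to the peer: always Configure-Reject its Authentication-Protocol option. */` would record that the behaviour is deliberate. That comment would also make explicit that peers get no server-side authentication on this link, which operators relying on mutual authentication need to know.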
@@ -206,8 +159,6 @@ static int auth_recv_conf_nak(struct ppp_lcp_t *lcp, struct lcp_option_t *opt, u
return -1;
}
auth_opt->auth->state = LCP_OPT_NAK;
- if (auth_opt->peer_auth)
- auth_opt->auth = auth_opt->peer_auth;
list_for_each_entry(d, &auth_opt->auth_list, entry) {
if (d->state != LCP_OPT_NAK)
@@ -229,8 +180,6 @@ static int auth_recv_conf_rej(struct ppp_lcp_t *lcp, struct lcp_option_t *opt, u
}
auth_opt->auth->state = LCP_OPT_NAK;
- if (auth_opt->peer_auth)
- auth_opt->auth = auth_opt->peer_auth;
list_for_each_entry(d, &auth_opt->auth_list, entry) {
if (d->state != LCP_OPT_NAK)