diff options
author | Guillaume Nault <g.nault@alphalink.fr> | 2018-11-19 17:44:36 +0100 |
---|---|---|
committer | Dmitry Kozlov <xeb@mail.ru> | 2018-11-27 09:56:54 +0300 |
commit | 75a880700071b9d8a4a36f7c0beae5220e8c4853 (patch) | |
tree | 7d3176ad26729bbb0857793a5198eb4e8ebdc0e5 /accel-pppd/ppp | |
parent | 9ccaedcacc5ab257b18bdac4e35d4ed96a3dad08 (diff) | |
download | accel-ppp-75a880700071b9d8a4a36f7c0beae5220e8c4853.tar.gz accel-ppp-75a880700071b9d8a4a36f7c0beae5220e8c4853.zip |
lcp: reject Authentication-Protocol option in Configure-Request packets
If we receive a Configure-Request packet, that means the peer wants us
to authenticate to him. However, none of our authentication backends
(PAP, CHAP and MSCHAP v1/v2) supports authenticating ourself to the
peer. Therefore, the LCP negotiation completes, but we hang in the
authentication phase because accel-ppp never sends any credential.
We should reject the Authentication-Protocol option found in
Configure-Request packets sent by the peer. This way, the peer knows
that we won't authenticate to him. Then it's up to him to keep
connecting without authentication from our side or to drop the
connection.
This doesn't change the way we request the peer to authenticate to us.
That part of the negotiation is handled by Configure-Request packets
that are sent by us (not those sent by the peer).
In practice some PPP clients wouldn't connect with the previous
behaviour, but are perfectly happy with their Authentication-Protocol
option being rejected. They just resend their Configure-Request without
requesting authentication from our side.
Also, since the peer_auth field of struct auth_option_t is never set
anymore, we can remove the conditionals in auth_recv_conf_nak() and
auth_recv_conf_rej().
Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
Diffstat (limited to 'accel-pppd/ppp')
-rw-r--r-- | accel-pppd/ppp/ppp_auth.c | 53 |
1 files changed, 1 insertions, 52 deletions
diff --git a/accel-pppd/ppp/ppp_auth.c b/accel-pppd/ppp/ppp_auth.c index 5924899..c475dad 100644 --- a/accel-pppd/ppp/ppp_auth.c +++ b/accel-pppd/ppp/ppp_auth.c @@ -39,7 +39,6 @@ struct auth_option_t struct lcp_option_t opt; struct list_head auth_list; struct auth_data_t *auth; - struct auth_data_t *peer_auth; int started:1; }; @@ -142,57 +141,11 @@ static int auth_send_conf_req(struct ppp_lcp_t *lcp, struct lcp_option_t *opt, u static int auth_recv_conf_req(struct ppp_lcp_t *lcp, struct lcp_option_t *opt, uint8_t *ptr) { - struct auth_option_t *auth_opt = container_of(opt,typeof(*auth_opt),opt); - struct lcp_opt16_t *opt16 = (struct lcp_opt16_t*)ptr; - struct auth_data_t *d; - int r; - - if (auth_opt->started) { - if (!auth_opt->auth) - return LCP_OPT_REJ; - - if (!ptr || ntohs(opt16->val) != auth_opt->auth->proto) - return LCP_OPT_NAK; - - return LCP_OPT_ACK; - } - - if (list_empty(&auth_opt->auth_list)) - return LCP_OPT_REJ; - - if (!ptr) - return LCP_OPT_ACK; - - - list_for_each_entry(d, &auth_opt->auth_list, entry) { - if (d->proto == ntohs(opt16->val)) { - r = d->h->recv_conf_req(lcp->ppp, d, (uint8_t*)(opt16 + 1)); - if (r == LCP_OPT_FAIL) - return LCP_OPT_FAIL; - if (r == LCP_OPT_REJ) - break; - auth_opt->peer_auth = d; - return r; - } - } - - list_for_each_entry(d, &auth_opt->auth_list, entry) { - if (d->state != LCP_OPT_NAK) { - auth_opt->peer_auth = d; - return LCP_OPT_NAK; - } - } - - log_ppp_error("cann't negotiate authentication type\n"); - return LCP_OPT_FAIL; + return LCP_OPT_REJ; } static int auth_recv_conf_ack(struct ppp_lcp_t *lcp, struct lcp_option_t *opt, uint8_t *ptr) { - struct auth_option_t *auth_opt = container_of(opt, typeof(*auth_opt), opt); - - auth_opt->peer_auth = NULL; - return 0; } @@ -206,8 +159,6 @@ static int auth_recv_conf_nak(struct ppp_lcp_t *lcp, struct lcp_option_t *opt, u return -1; } auth_opt->auth->state = LCP_OPT_NAK; - if (auth_opt->peer_auth) - auth_opt->auth = auth_opt->peer_auth; list_for_each_entry(d, &auth_opt->auth_list, entry) { if (d->state != LCP_OPT_NAK) @@ -229,8 +180,6 @@ static int auth_recv_conf_rej(struct ppp_lcp_t *lcp, struct lcp_option_t *opt, u } auth_opt->auth->state = LCP_OPT_NAK; - if (auth_opt->peer_auth) - auth_opt->auth = auth_opt->peer_auth; list_for_each_entry(d, &auth_opt->auth_list, entry) { if (d->state != LCP_OPT_NAK) |