Allow forcing of local_ip:remote_ip in pap-secrets

and chap-secrets files.  This allows specific users
to have pre-allocated IP numbers while others get
assigned dynamically.

Submitted by: David Nugent <davidn@unique.usn.blaze.net.au>

2 files changed, 64 insertions, 18 deletions

diff --git a/usr.sbin/pppd/auth.c b/usr.sbin/pppd/auth.c
index e983f1c..44d4bcb 100644
--- a/usr.sbin/pppd/auth.c
+++ b/usr.sbin/pppd/auth.c
@@ -33,7 +33,7 @@
  */
 
 #ifndef lint
-static char rcsid[] = "$Id$";
+static char rcsid[] = "$Id: auth.c,v 1.12 1997/02/22 16:11:32 peter Exp $";
 #endif
 
 #include <stdio.h>
@@ -91,6 +91,7 @@ struct wordlist {
 /* Records which authentication operations haven't completed yet. */
 static int auth_pending[NUM_PPP];
 static int logged_in;
+static int non_wildclient =0;	/* not wild nor blank */
 static struct wordlist *addresses[NUM_PPP];
 
 /* Bits in auth_pending[] */
@@ -112,6 +113,7 @@ static int  have_chap_secret __P((char *, char *));
 static int  scan_authfile __P((FILE *, char *, char *, char *,
 				  struct wordlist **, char *));
 static void free_wordlist __P((struct wordlist *));
+static void auth_set_ip_addr __P((int));
 
 /*
  * An Open on LCP has requested a change from Dead to Establish phase.
@@ -255,6 +257,12 @@ auth_peer_success(unit, protocol)
     }
 
     /*
+     * If we have overridden addresses based on auth info
+     * then set that information now before continuing
+     */
+    auth_set_ip_addr(unit);
+
+    /*
      * If there is no more authentication still to be done,
      * proceed to the network phase.
      */
@@ -302,6 +310,12 @@ auth_withpeer_success(unit, protocol)
     }
 
     /*
+     * If we have overridden addresses based on auth info
+     * then set that information now before continuing
+     */
+    auth_set_ip_addr(unit);
+
+    /*
      * If there is no more authentication still being done,
      * proceed to the network phase.
      */
@@ -740,6 +754,27 @@ get_secret(unit, client, server, secret, secret_len, save_addrs)
     return 1;
 }
 
+
+static void
+auth_set_ip_addr(unit)
+    int unit;
+{
+    struct wordlist *addrs;
+
+    if (non_wildclient && (addrs = addresses[unit]) != NULL) {
+	for (; addrs != NULL; addrs = addrs->next) {
+	    /*
+	     * Look for address overrides, and set them if we have any
+	     */
+	    if (strchr(addrs->word, ':') != NULL) {
+		if (setipaddr(addrs->word))
+		    break;
+	    }
+	}
+    }
+}
+
+
 /*
  * auth_ip_addr - check whether the peer is authorized to use
  * a given IP address.  Returns 1 if authorized, 0 otherwise.
@@ -749,6 +784,7 @@ auth_ip_addr(unit, addr)
     int unit;
     u_int32_t addr;
 {
+    int x, y;
     u_int32_t a;
     struct hostent *hp;
     struct wordlist *addrs;
@@ -757,25 +793,31 @@ auth_ip_addr(unit, addr)
     if (bad_ip_adrs(addr))
 	return 0;
 
-    if ((addrs = addresses[unit]) == NULL)
-	return 1;		/* no restriction */
-
-    for (; addrs != NULL; addrs = addrs->next) {
+    x = y = 0;
+    for (addrs = addresses[unit]; addrs != NULL; addrs = addrs->next, y++) {
 	/* "-" means no addresses authorized */
 	if (strcmp(addrs->word, "-") == 0)
 	    break;
-	if ((a = inet_addr(addrs->word)) == -1) {
-	    if ((hp = gethostbyname(addrs->word)) == NULL) {
-		syslog(LOG_WARNING, "unknown host %s in auth. address list",
-		       addrs->word);
-		continue;
-	    } else
-		a = *(u_int32_t *)hp->h_addr;
+	/*
+	 * A colon in the string means that we wish to force a specific
+	 * local:remote address, but we ignore these for now
+	 */
+	if (strchr(addrs->word, ':') != NULL)
+	    x++;
+	else {
+	    if ((a = inet_addr(addrs->word)) == -1) {
+		if ((hp = gethostbyname(addrs->word)) == NULL) {
+		    syslog(LOG_WARNING, "unknown host %s in auth. address list",
+			   addrs->word);
+		    continue;
+		} else
+		    a = *(u_int32_t *)hp->h_addr;
+	    }
+	    if (addr == a)
+		return 1;
 	}
-	if (addr == a)
-	    return 1;
     }
-    return 0;			/* not in list => can't have it */
+    return x == y;		/* not in list => can't have it */
 }
 
 /*
@@ -943,6 +985,7 @@ scan_authfile(f, client, server, secret, addrs, filename)
     else if (addr_list != NULL)
 	free_wordlist(addr_list);
 
+    non_wildclient = (best_flag & NONWILD_CLIENT) && *client != '\0';
     return best_flag;
 }
 
diff --git a/usr.sbin/pppd/pppd.8 b/usr.sbin/pppd/pppd.8
index c1953d8..76cef60 100644
--- a/usr.sbin/pppd/pppd.8
+++ b/usr.sbin/pppd/pppd.8
@@ -1,5 +1,5 @@
 .\" manual page [] for pppd 2.0
-.\" $Id$
+.\" $Id: pppd.8,v 1.9 1997/02/22 16:11:54 peter Exp $
 .\" SH section heading
 .\" SS subsection heading
 .\" LP paragraph
@@ -497,8 +497,11 @@ directions if desired.
 A secrets file is parsed into words as for a options file.  A secret
 is specified by a line containing at least 3 words, in the order
 client name, server name, secret.  Any following words on the same line are
-taken to be a list of acceptable IP addresses for that client.  If
-there are only 3 words on the line, it is assumed that any IP address
+taken to be a list of acceptable IP addresses for that client, or an
+override for "local:remote" addresses (the same format used on the
+command line or in the options file) when on a line that contains a
+specific client name (not a wildcard nor empty).
+If there are only 3 words on the line, it is assumed that any IP address
 is OK; to disallow all IP addresses, use "-".  If the secret starts
 with an `@', what follows is assumed to be the name of a file from
 which to read the secret.  A "*" as the client or server name matches