From f70d30b91dc2453ade7e8c00d33a8c4ae5a9dcf8 Mon Sep 17 00:00:00 2001
From: marcbou
Date: Fri, 4 Jul 2003 15:55:11 +0000
Subject: [PATCH] Added PPPAUTHTYPE_ANY
---
 src/netif/ppp/ppp.c | 23 +++++++++++++++++++++++
 src/netif/ppp/ppp.h | 20 ++++++++++++++++++++
 2 files changed, 43 insertions(+)
diff --git a/src/netif/ppp/ppp.c b/src/netif/ppp/ppp.c
index 1e07aaf8..3ac7995a 100644
--- a/src/netif/ppp/ppp.c
+++ b/src/netif/ppp/ppp.c
@@ -326,6 +326,29 @@ void pppSetAuth(enum pppAuthType authType, const char *user, const char *passwd)
 #endif
 ppp_settings.refuse_chap = 1;
 break;
+ case PPPAUTHTYPE_ANY:
+/* Warning: Using PPPAUTHTYPE_ANY might have security consequences.
+ * RFC 1994 says:
+ *
+ * In practice, within or associated with each PPP server, there is a
+ * database which associates "user" names with authentication
+ * information ("secrets"). It is not anticipated that a particular
+ * named user would be authenticated by multiple methods. This would
+ * make the user vulnerable to attacks which negotiate the least secure
+ * method from among a set (such as PAP rather than CHAP). If the same
+ * secret was used, PAP would reveal the secret to be used later with
+ * CHAP.
+ *
+ * Instead, for each user name there should be an indication of exactly
+ * one method used to authenticate that user name. If a user needs to
+ * make use of different authentication methods under different
+ * circumstances, then distinct user names SHOULD be employed, each of
+ * which identifies exactly one authentication method.
+ *
+ */
+ ppp_settings.refuse_pap = 0;
+ ppp_settings.refuse_chap = 0;
+ break;
 case PPPAUTHTYPE_PAP:
 ppp_settings.refuse_pap = 0;
 ppp_settings.refuse_chap = 1;
diff --git a/src/netif/ppp/ppp.h b/src/netif/ppp/ppp.h
index d4d14075..9fa06168 100644
--- a/src/netif/ppp/ppp.h
+++ b/src/netif/ppp/ppp.h
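Review bot: The PPPAUTHTYPE_ANY case clears both refuse_pap and refuse_chap for the single user/passwd pair that pppSetAuth receives, which is precisely the "same secret, least secure method negotiated" situation the quoted RFC 1994 text describes, yet the comment never states that consequence in the code's own terms; the nineteen-line quote is also a verbatim duplicate of the one added to ppp.h and sits at column 0 inside the switch body. I would replace it with a pointer to the header plus the one operational fact a caller needs: `/* Accepts PAP or CHAP as negotiated by the peer; with PAP the secret travels in the clear. See the PPPAUTHTYPE_ANY warning in ppp.h. */`. Where the user and passwd arguments are stored is outside the hunk, so that both methods share one secret here is inferred from the signature rather than visible. pppSetAuth's body begins and ends outside the hunk.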
@@ -340,8 +340,28 @@ extern struct protent *ppp_protocols[];/* Table of pointers to supported protoco
 /* Initialize the PPP subsystem. */
 void pppInit(void);
+/* Warning: Using PPPAUTHTYPE_ANY might have security consequences.
+ * RFC 1994 says:
+ *
+ * In practice, within or associated with each PPP server, there is a
+ * database which associates "user" names with authentication
+ * information ("secrets"). It is not anticipated that a particular
+ * named user would be authenticated by multiple methods. This would
+ * make the user vulnerable to attacks which negotiate the least secure
+ * method from among a set (such as PAP rather than CHAP). If the same
+ * secret was used, PAP would reveal the secret to be used later with
+ * CHAP.
+ *
+ * Instead, for each user name there should be an indication of exactly
+ * one method used to authenticate that user name. If a user needs to
+ * make use of different authentication methods under different
+ * circumstances, then distinct user names SHOULD be employed, each of
+ * which identifies exactly one authentication method.
+ *
+ */
 enum pppAuthType {
 PPPAUTHTYPE_NONE,
+ PPPAUTHTYPE_ANY,
 PPPAUTHTYPE_PAP,
 PPPAUTHTYPE_CHAP
 };
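Review bot: Inserting PPPAUTHTYPE_ANY between PPPAUTHTYPE_NONE and PPPAUTHTYPE_PAP renumbers PPPAUTHTYPE_PAP and PPPAUTHTYPE_CHAP, so any caller, stored configuration or out-of-tree build that relied on the old integer values changes meaning silently: an old PAP value now selects ANY and an old CHAP value now selects PAP, both of which weaken authentication rather than fail loudly. Appending the enumerator after the last existing one keeps the established values stable: `PPPAUTHTYPE_CHAP,` / `PPPAUTHTYPE_ANY`. The header comment also quotes RFC 1994 at length without ever saying what the value does; a one-line lead such as `/* PPPAUTHTYPE_ANY: accept either PAP or CHAP, whichever the peer negotiates (see pppSetAuth in ppp.c). */` would make the warning actionable. Whether anything depends on the numeric values is not visible from the hunk.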