From d50b169a4fc6470af9d1e4b3baf298a506f814c3 Mon Sep 17 00:00:00 2001 From: goda Date: Fri, 11 Aug 2017 16:41:47 +0000 Subject: add a new option to set limits on user-max-sessions each AUTHENTICATION. It can set limits on different user-max-sessions if there're using several protocols such as PPPoE and L2TP/IPsec. ok yasuoka@ --- usr.sbin/npppd/npppd/npppd.c | 30 +++++++++++++++++++++--------- usr.sbin/npppd/npppd/npppd.conf.5 | 8 ++++++-- usr.sbin/npppd/npppd/npppd.h | 3 ++- usr.sbin/npppd/npppd/npppd_auth.c | 21 +++++++++++++++++++-- usr.sbin/npppd/npppd/npppd_auth.h | 4 +++- usr.sbin/npppd/npppd/npppd_auth_local.h | 4 +++- usr.sbin/npppd/npppd/parse.y | 5 ++++- usr.sbin/npppd/npppd/ppp.c | 7 ++----- 8 files changed, 60 insertions(+), 22 deletions(-) (limited to 'usr.sbin/npppd') diff --git a/usr.sbin/npppd/npppd/npppd.c b/usr.sbin/npppd/npppd/npppd.c index 198dce790ac..9f463886918 100644 --- a/usr.sbin/npppd/npppd/npppd.c +++ b/usr.sbin/npppd/npppd/npppd.c @@ -1,4 +1,4 @@ -/* $OpenBSD: npppd.c,v 1.45 2017/04/18 03:28:04 yasuoka Exp $ */ +/* $OpenBSD: npppd.c,v 1.46 2017/08/11 16:41:47 goda Exp $ */ /*- * Copyright (c) 2005-2008,2009 Internet Initiative Japan Inc. @@ -29,7 +29,7 @@ * Next pppd(nppd). This file provides a npppd daemon process and operations * for npppd instance. * @author Yasuoka Masahiko - * $Id: npppd.c,v 1.45 2017/04/18 03:28:04 yasuoka Exp $ + * $Id: npppd.c,v 1.46 2017/08/11 16:41:47 goda Exp $ */ #include "version.h" #include /* ALIGNED_POINTER */ 
@@ -800,25 +800,37 @@ npppd_get_ppp_by_id(npppd *_this, u_int ppp_id) int npppd_check_user_max_session(npppd *_this, npppd_ppp *ppp) { - int count; + int global_count, realm_count; npppd_ppp *ppp1; slist *uppp; /* user_max_session == 0 means unlimit */ - if (_this->conf.user_max_session == 0) + if (_this->conf.user_max_session == 0 && + npppd_auth_user_session_unlimited(ppp->realm)) return 1; - count = 0; + global_count = realm_count = 0; if ((uppp = npppd_get_ppp_by_user(_this, ppp->username)) != NULL) { for (slist_itr_first(uppp); slist_itr_has_next(uppp); ) { ppp1 = slist_itr_next(uppp); - if (strcmp(ppp_iface(ppp)->ifname, - ppp_iface(ppp1)->ifname) == 0) - count++; + if (ppp->realm == ppp1->realm) + realm_count++; + global_count++; } } - return (count < _this->conf.user_max_session)? 1 : 0; + if (npppd_check_auth_user_max_session(ppp->realm, realm_count)) { + ppp_log(ppp, LOG_WARNING, + "user %s exceeds user-max-session limit per auth", + ppp->username); + return 0; + } else if (_this->conf.user_max_session != 0 && + _this->conf.user_max_session <= global_count) { + ppp_log(ppp, LOG_WARNING, + "user %s exceeds user-max-session limit", ppp->username); + return 0; + } else + return 1; } /*********************************************************************** diff --git a/usr.sbin/npppd/npppd/npppd.conf.5 b/usr.sbin/npppd/npppd/npppd.conf.5 index 493ac3dde24..3347c573a4a 100644 --- a/usr.sbin/npppd/npppd/npppd.conf.5 +++ b/usr.sbin/npppd/npppd/npppd.conf.5 @@ -1,4 +1,4 @@ -.\" $OpenBSD: npppd.conf.5,v 1.19 2017/02/22 10:16:14 patrick Exp $ +.\" $OpenBSD: npppd.conf.5,v 1.20 2017/08/11 16:41:47 goda Exp $ .\" .\" Copyright (c) 2012 YASUOKA Masahiko .\" @@ -14,7 +14,7 @@ .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" -.Dd $Mdocdate: February 22 2017 $ +.Dd $Mdocdate: August 11 2017 $ .Dt NPPPD.CONF 5 .Os .Sh NAME 
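Review bot: The global `user-max-session` check silently changes meaning in this hunk: the old loop only counted sessions on the same interface (`strcmp(ppp_iface(ppp)->ifname, ppp_iface(ppp1)->ifname) == 0`), whereas `global_count++` now counts every session of the user across all interfaces, so a user at the global limit over PPPoE can no longer also connect over L2TP unless per-auth limits are configured. Neither the commit message nor the npppd.conf.5 hunk mentions this, so either state it above the loop, `/* the global limit counts all of the user's sessions regardless of interface; the per-auth limit is counted per realm */`, and in the man page, or keep the ifname comparison for `global_count`. `ppp->realm` is dereferenced unconditionally through `npppd_auth_user_session_unlimited()`; the caller in ppp.c presumably only reaches this with a realm set (it runs under `peer_auth != 0`), but that precondition deserves a comment or an assertion here. The realm comparison `ppp->realm == ppp1->realm` is by pointer, so sessions authenticated against a realm object that has since been replaced on reload would not be counted; I cannot tell from the hunk whether realm objects survive a reload.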
@@ -621,6 +621,10 @@ See .Ic authentication-server section for details of .Ar radius-config . +.It Ic user-max-session Ar number +Specify the maximum number of sessions for each user for this +.Ic authentication +setting. .El .Sh BIND .Ic bind diff --git a/usr.sbin/npppd/npppd/npppd.h b/usr.sbin/npppd/npppd/npppd.h index 9f583fbea6e..a1dd27a0133 100644 --- a/usr.sbin/npppd/npppd/npppd.h +++ b/usr.sbin/npppd/npppd/npppd.h @@ -1,4 +1,4 @@ -/* $OpenBSD: npppd.h,v 1.17 2015/12/05 16:10:31 yasuoka Exp $ */ +/* $OpenBSD: npppd.h,v 1.18 2017/08/11 16:41:47 goda Exp $ */ /*- * Copyright (c) 2009 Internet Initiative Japan Inc. @@ -161,6 +161,7 @@ struct authconf { bool strip_nt_domain; bool strip_atmark_realm; char users_file_path[PATH_MAX]; + int user_max_session; union { struct { struct radconf auth; diff --git a/usr.sbin/npppd/npppd/npppd_auth.c b/usr.sbin/npppd/npppd/npppd_auth.c index 4ba3f0e8f7a..a732050408d 100644 --- a/usr.sbin/npppd/npppd/npppd_auth.c +++ b/usr.sbin/npppd/npppd/npppd_auth.c @@ -1,4 +1,4 @@ -/* $OpenBSD: npppd_auth.c,v 1.19 2017/02/22 07:48:26 yasuoka Exp $ */ +/* $OpenBSD: npppd_auth.c,v 1.20 2017/08/11 16:41:47 goda Exp $ */ /*- * Copyright (c) 2009 Internet Initiative Japan Inc. @@ -26,7 +26,7 @@ * SUCH DAMAGE. */ /**@file authentication realm */ -/* $Id: npppd_auth.c,v 1.19 2017/02/22 07:48:26 yasuoka Exp $ */ +/* $Id: npppd_auth.c,v 1.20 2017/08/11 16:41:47 goda Exp $ */ #include #include #include @@ -193,6 +193,7 @@ npppd_auth_reload(npppd_auth_base *base) base->strip_atmark_realm = auth->strip_atmark_realm; base->has_users_file = 0; base->radius_ready = 0; + base->user_max_session = auth->user_max_session; if (strlen(auth->users_file_path) > 0) { strlcpy(base->users_file_path, auth->users_file_path, 
@@ -461,6 +462,22 @@ npppd_auth_username_for_auth(npppd_auth_base *base, const char *username, return username_buffer; } +int +npppd_auth_user_session_unlimited(npppd_auth_base *_this) +{ + return (_this->user_max_session == 0) ? 1 : 0; +} + +int +npppd_check_auth_user_max_session(npppd_auth_base *_this, int count) +{ + if (!npppd_auth_user_session_unlimited(_this) && + _this->user_max_session <= count) + return 1; + else + return 0; +} + /*********************************************************************** * Account list related functions ***********************************************************************/ diff --git a/usr.sbin/npppd/npppd/npppd_auth.h b/usr.sbin/npppd/npppd/npppd_auth.h index 8008583152a..1d72957ea56 100644 --- a/usr.sbin/npppd/npppd/npppd_auth.h +++ b/usr.sbin/npppd/npppd/npppd_auth.h @@ -1,4 +1,4 @@ -/* $OpenBSD: npppd_auth.h,v 1.8 2014/07/12 14:04:18 yasuoka Exp $ */ +/* $OpenBSD: npppd_auth.h,v 1.9 2017/08/11 16:41:47 goda Exp $ */ /*- * Copyright (c) 2009 Internet Initiative Japan Inc. @@ -83,6 +83,8 @@ const char *npppd_auth_get_suffix (npppd_auth_base *); const char *npppd_auth_username_for_auth (npppd_auth_base *, const char *, char *); void *npppd_auth_radius_get_radius_auth_setting (npppd_auth_radius *); void *npppd_auth_radius_get_radius_acct_setting (npppd_auth_radius *); +int npppd_auth_user_session_unlimited(npppd_auth_base *); +int npppd_check_auth_user_max_session(npppd_auth_base *, int); #ifdef __cplusplus } diff --git a/usr.sbin/npppd/npppd/npppd_auth_local.h b/usr.sbin/npppd/npppd/npppd_auth_local.h index d027b7ff65f..2ae55d2abc5 100644 --- a/usr.sbin/npppd/npppd/npppd_auth_local.h +++ b/usr.sbin/npppd/npppd/npppd_auth_local.h @@ -1,4 +1,4 @@ -/* $OpenBSD: npppd_auth_local.h,v 1.7 2014/03/22 04:23:17 yasuoka Exp $ */ +/* $OpenBSD: npppd_auth_local.h,v 1.8 2017/08/11 16:41:47 goda Exp $ */ /*- * Copyright (c) 2009 Internet Initiative Japan Inc. 
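Review bot: A negative `user_max_session` makes `npppd_check_auth_user_max_session()` reject every session of the realm, because `npppd_auth_user_session_unlimited()` treats only exactly 0 as unlimited and `_this->user_max_session <= count` is then true for any count. Unless parse.y rejects negative numbers (its hunk in this commit does not), either treat non-positive values as unlimited here, `return (_this->user_max_session <= 0) ? 1 : 0;`, or validate the value at parse time. Both new functions also lack the `/** ... */` doc comment this file uses; suggest `/** return non-zero if the realm has no per-user session limit (user-max-session 0) */` on the first and `/** return non-zero if the given session count already reaches the realm's user-max-session limit */` on the second. The name `npppd_check_auth_user_max_session` breaks the `npppd_auth_*` prefix convention of the surrounding functions; `npppd_auth_check_user_max_session` would match.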
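Review bot: The two new prototypes are written `name(args)` while every neighbouring declaration in this header separates the name from its parameter list with a space (`npppd_auth_get_suffix (npppd_auth_base *)`); for consistency write `int npppd_auth_user_session_unlimited (npppd_auth_base *);` and `int npppd_check_auth_user_max_session (npppd_auth_base *, int);`. The header carries no comment for either, which matches the file, so the 0-means-unlimited contract should at least be stated at the definitions in npppd_auth.c.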
@@ -56,6 +56,8 @@ struct _npppd_auth_base { char users_file_path[64]; /** last load time */ time_t last_load; + /**counter of sessions from this auth */ + int user_max_session; }; #ifdef USE_NPPPD_RADIUS diff --git a/usr.sbin/npppd/npppd/parse.y b/usr.sbin/npppd/npppd/parse.y index 23cf71c6ae4..6b4c1291396 100644 --- a/usr.sbin/npppd/npppd/parse.y +++ b/usr.sbin/npppd/npppd/parse.y @@ -1,4 +1,4 @@ -/* $OpenBSD: parse.y,v 1.17 2015/10/11 07:16:01 guenther Exp $ */ +/* $OpenBSD: parse.y,v 1.18 2017/08/11 16:41:47 goda Exp $ */ /* * Copyright (c) 2002, 2003, 2004 Henning Brauer @@ -676,6 +676,9 @@ authopt : USERNAME_SUFFIX STRING { sizeof(curr_authconf->users_file_path)); free($2); } + | USER_MAX_SESSION NUMBER { + curr_authconf->user_max_session = $2; + } | AUTHENTICATION_SERVER { if (curr_authconf->auth_type != NPPPD_AUTH_TYPE_RADIUS){ yyerror("`authentication-server' can not be " diff --git a/usr.sbin/npppd/npppd/ppp.c b/usr.sbin/npppd/npppd/ppp.c index eed3a956131..2402cb01a33 100644 --- a/usr.sbin/npppd/npppd/ppp.c +++ b/usr.sbin/npppd/npppd/ppp.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ppp.c,v 1.26 2015/12/05 18:43:36 mmcc Exp $ */ +/* $OpenBSD: ppp.c,v 1.27 2017/08/11 16:41:47 goda Exp $ */ /*- * Copyright (c) 2009 Internet Initiative Japan Inc. @@ -25,7 +25,7 @@ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. */ -/* $Id: ppp.c,v 1.26 2015/12/05 18:43:36 mmcc Exp $ */ +/* $Id: ppp.c,v 1.27 2017/08/11 16:41:47 goda Exp $ */ /**@file * This file provides PPP(Point-to-Point Protocol, RFC 1661) and * {@link :: _npppd_ppp PPP instance} related functions. @@ -583,9 +583,6 @@ ppp_auth_ok(npppd_ppp *_this) if (_this->peer_auth != 0) { /* Limit the number of connections per the user */ if (!npppd_check_user_max_session(_this->pppd, _this)) { - ppp_log(_this, LOG_WARNING, - "user %s exceeds user-max-session limit", - _this->username); ppp_stop(_this, NULL); return; -- cgit v1.2.3-59-g8ed1b
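Review bot: The comment added for the new field, `/**counter of sessions from this auth */`, describes it as a counter, but the field holds the configured limit: npppd_auth_reload copies `auth->user_max_session` into it and `npppd_check_auth_user_max_session()` compares a separately computed count against it. Suggest `/** max sessions per user for this realm (0 = unlimited) */`, which also matches the spacing of the neighbouring `/** last load time */`.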
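Review bot: The new `USER_MAX_SESSION NUMBER` action stores `$2` into the `int` field without a range check, so a negative value in the config file is accepted and, given how npppd_auth.c uses the field, would reject every session of that realm; if NUMBER is wider than int, a value above INT_MAX would also be truncated silently. The neighbouring actions already report invalid settings through yyerror, so a guard in the same style closes this: `if ($2 < 0 || $2 > INT_MAX) { yyerror("user-max-session out of range"); YYERROR; }` before the assignment. The `authopt` rule continues outside the hunk.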