From 0117623832b2226c6ce111939c10e58f47214656 Mon Sep 17 00:00:00 2001
From: rswindell <>
Date: Wed, 7 Mar 2018 05:09:02 +0000
Subject: [PATCH] Send M_ERR instead of M_OK when a link's password doesn't
 match. I'm probably doing something wrong here, since I didn't write this
 code (particularly if there are multiple advertised addresses in the session
 which we have configured links for) - but this should at least give Al
 something to test.

---
 exec/binkit.js     |  4 +++-
 exec/load/binkp.js | 16 ++++++++++------
 2 files changed, 13 insertions(+), 7 deletions(-)

diff --git a/exec/binkit.js b/exec/binkit.js
index 77781d2cc5..fe47321a59 100644
--- a/exec/binkit.js
+++ b/exec/binkit.js
@@ -827,8 +827,10 @@ function inbound_auth_cb(pwd, bp)
 					addrs.push(addr);
 					check_nocrypt(bp.cb_data.binkitcfg.node[addr]);
 					ret = cpw;
-				} else
+				} else {
 					log(LOG_WARNING, "CRAM-MD5 of password does not match");
+					ret = false;	// How do we break out of this forEach loop?!?
+				}
 			}
 			else {
 				// TODO: Deal with arrays of passwords?
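Review bot: The `ret = false` set in the new else branch is not sticky, because the surrounding forEach keeps iterating over the remaining advertised addresses. A later address can overwrite it with `ret = cpw`, and an earlier match can be overwritten by a later mismatch, so the authentication result depends on the order in which the remote lists its addresses. A forEach cannot be broken out of; either convert it to a plain `for` loop and `break`, or record the failure separately with `mismatch = true;` here and `if (mismatch) return false;` after the loop. The loop header and the rest of inbound_auth_cb are outside the hunk, so the intended policy for sessions with several configured links needs confirming. The non-CRAM `else` branch that follows may need the same handling.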
diff --git a/exec/load/binkp.js b/exec/load/binkp.js
index 3200574582..33eb0add0e 100644
--- a/exec/load/binkp.js
+++ b/exec/load/binkp.js
@@ -395,7 +395,7 @@ BinkP.prototype.connect = function(addr, password, auth_cb, port, inet_host)
 
 	if(!this.sock.connect(inet_host, port)) {
 		this.sock = undefined;
-		log(LOG_INFO, "Connection to "+inet_host+":"+port+" failed.");
+		log(LOG_WARNING, "Connection to "+inet_host+":"+port+" failed.");
 		return false;
 	}
 
@@ -404,11 +404,11 @@ BinkP.prototype.connect = function(addr, password, auth_cb, port, inet_host)
 		this.sendCmd(this.command.M_NUL, "OPT CRYPT");
 	else {
 		/*
-		 * TODO: This is to work around an apparent incompatability with
+		 * TODO: This is to work around an apparent incompatibility with
 		 * Radius.  I thought this worked with binkd, but it would need
 		 * to be tested again.
 		 * 
-		 * Not super-important since using encrpytion without a password
+		 * Not super-important since using encryption without a password
 		 * is about as "secure" as rot13.
 		 */
 		this.wont_crypt = true;
@@ -462,7 +462,7 @@ BinkP.prototype.connect = function(addr, password, auth_cb, port, inet_host)
 		if (this.cram === undefined || this.cram.algo !== 'MD5')
 			this.sendCmd(this.command.M_ERR, "Encryption requires CRAM-MD5 auth");
 		else {
-			log(LOG_INFO, "Initializing crypt keys.");
+			log(LOG_DEBUG, "Initializing crypt keys.");
 			this.out_keys = [0, 0, 0];
 			this.in_keys = [0, 0, 0];
     		this.crypt.init_keys(this.out_keys, password);
@@ -483,7 +483,7 @@ BinkP.prototype.connect = function(addr, password, auth_cb, port, inet_host)
 	return this.session();
 };
 /*
- * sock can be either a lisening socket or a connected socket.
+ * sock can be either a listening socket or a connected socket.
  *
  * auth_cb(passwds, this) is called to accept and add
  * files if it returns a password, the session is considered secure.  auth_cb()
@@ -553,6 +553,10 @@ BinkP.prototype.accept = function(sock, auth_cb)
 							this.sendCmd(this.command.M_ERR, "Encryption requires CRAM-MD5 auth");
 					}
 					pwd = auth_cb(args, this);
+					if (pwd === false) {
+						this.sendCmd(this.command.M_ERR, "Password mismatch");
+						break;
+					}
 					if (pwd === undefined)
 						pwd = '-';
 					if (pwd === '-') {
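Review bot: After the new `break`, `pwd` is still `false` and nothing visible in this hunk marks the session as failed or closes it. What the `break` exits (a switch case or the receive loop) is outside the hunk. If control reaches the code after the loop, `this.crypt.init_keys(this.in_keys, pwd)` in the hunk at line 573 would be called with `false` whenever `will_crypt` is set, and the session could carry on after M_ERR was sent. Consider ending the session explicitly, for example `return false;` after the sendCmd if accept() reports failure that way, or guard the post-loop code with `if (pwd === false)`. A comment such as `// auth_cb returns false on a password mismatch, undefined when no link is configured` would also document the new three-way return contract.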
@@ -573,7 +577,7 @@ BinkP.prototype.accept = function(sock, auth_cb)
 	}
 
 	if (this.will_crypt) {
-		log(LOG_INFO, "Initializing crypt keys.");
+		log(LOG_DEBUG, "Initializing crypt keys.");
 		this.out_keys = [0, 0, 0];
 		this.in_keys = [0, 0, 0];
     	this.crypt.init_keys(this.in_keys, pwd);
-- 
GitLab