* Copyright 2000 Miquel van Smoorenburg <miquels@cistron.nl>
* Copyright 2000 Jeff Carneal <jeff@apex.net>
*/
-
-#include <freeradius-devel/ident.h>
RCSID("$Id$")
#include <freeradius-devel/radiusd.h>
* Return a short string showing the terminal server, port
* and calling station ID.
*/
-char *auth_name(char *buf, size_t buflen, REQUEST *request, int do_cli) {
+char *auth_name(char *buf, size_t buflen, REQUEST *request, bool do_cli)
+{
VALUE_PAIR *cli;
VALUE_PAIR *pair;
- int port = 0;
+ uint16_t port = 0;
+ char const *tls = "";
- if ((cli = pairfind(request->packet->vps, PW_CALLING_STATION_ID)) == NULL)
- do_cli = 0;
- if ((pair = pairfind(request->packet->vps, PW_NAS_PORT)) != NULL)
+ if ((cli = pairfind(request->packet->vps, PW_CALLING_STATION_ID, 0, TAG_ANY)) == NULL) {
+ do_cli = false;
+ }
+
+ if ((pair = pairfind(request->packet->vps, PW_NAS_PORT, 0, TAG_ANY)) != NULL) {
port = pair->vp_integer;
+ }
- snprintf(buf, buflen, "from client %.128s port %u%s%.128s",
- client_name_old(&request->packet->src_ipaddr), port,
- (do_cli ? " cli " : ""), (do_cli ? (char *)cli->vp_strvalue : ""));
+ if (request->packet->dst_port == 0) {
+ if (pairfind(request->packet->vps, PW_FREERADIUS_PROXIED_TO, 0, TAG_ANY)) {
+ tls = " via TLS tunnel";
+ } else {
+ tls = " via proxy to virtual server";
+ }
+ }
+
+ snprintf(buf, buflen, "from client %.128s port %u%s%.128s%s",
+ request->client->shortname, port,
+ (do_cli ? " cli " : ""), (do_cli ? cli->vp_strvalue : ""),
+ tls);
return buf;
}
* Make sure user/pass are clean
* and then log them
*/
-static int rad_authlog(const char *msg, REQUEST *request, int goodpass) {
-
+static int rad_authlog(char const *msg, REQUEST *request, int goodpass)
+{
+ int logit;
+ char const *extra_msg = NULL;
char clean_password[1024];
char clean_username[1024];
char buf[1024];
+ char extra[1024];
+ char *p;
VALUE_PAIR *username = NULL;
- if (!mainconfig.log_auth) {
+ if (!request->root->log_auth) {
return 0;
}
/*
* Get the correct username based on the configured value
*/
- if (log_stripped_names == 0) {
- username = pairfind(request->packet->vps, PW_USER_NAME);
+ if (!log_stripped_names) {
+ username = pairfind(request->packet->vps, PW_USER_NAME, 0, TAG_ANY);
} else {
username = request->username;
}
if (username == NULL) {
strcpy(clean_username, "<no User-Name attribute>");
} else {
- librad_safeprint((char *)username->vp_strvalue,
+ fr_print_string(username->vp_strvalue,
username->length,
clean_username, sizeof(clean_username));
}
/*
* Clean up the password
*/
- if (mainconfig.log_auth_badpass || mainconfig.log_auth_goodpass) {
+ if (request->root->log_auth_badpass || request->root->log_auth_goodpass) {
if (!request->password) {
VALUE_PAIR *auth_type;
- auth_type = pairfind(request->config_items,
- PW_AUTH_TYPE);
- if (auth_type && (auth_type->vp_strvalue[0] != '\0')) {
+ auth_type = pairfind(request->config_items, PW_AUTH_TYPE, 0, TAG_ANY);
+ if (auth_type) {
snprintf(clean_password, sizeof(clean_password),
"<via Auth-Type = %s>",
- auth_type->vp_strvalue);
+ dict_valnamebyattr(PW_AUTH_TYPE, 0,
+ auth_type->vp_integer));
} else {
strcpy(clean_password, "<no User-Password attribute>");
}
- } else if (pairfind(request->packet->vps, PW_CHAP_PASSWORD)) {
+ } else if (pairfind(request->packet->vps, PW_CHAP_PASSWORD, 0, TAG_ANY)) {
strcpy(clean_password, "<CHAP-Password>");
} else {
- librad_safeprint((char *)request->password->vp_strvalue,
+ fr_print_string(request->password->vp_strvalue,
request->password->length,
clean_password, sizeof(clean_password));
}
}
if (goodpass) {
- radlog(L_AUTH, "%s: [%s%s%s] (%s)",
- msg,
- clean_username,
- mainconfig.log_auth_goodpass ? "/" : "",
- mainconfig.log_auth_goodpass ? clean_password : "",
- auth_name(buf, sizeof(buf), request, 1));
+ logit = request->root->log_auth_goodpass;
+ extra_msg = request->root->auth_goodpass_msg;
+ } else {
+ logit = request->root->log_auth_badpass;
+ extra_msg = request->root->auth_badpass_msg;
+ }
+
+ if (extra_msg) {
+ extra[0] = ' ';
+ p = extra + 1;
+ if (radius_xlat(p, sizeof(extra) - 1, request, extra_msg, NULL, NULL) < 0) {
+ return -1;
+ }
} else {
- radlog(L_AUTH, "%s: [%s%s%s] (%s)",
- msg,
- clean_username,
- mainconfig.log_auth_badpass ? "/" : "",
- mainconfig.log_auth_badpass ? clean_password : "",
- auth_name(buf, sizeof(buf), request, 1));
+ *extra = '\0';
}
+ RAUTH("%s: [%s%s%s] (%s)%s",
+ msg,
+ clean_username,
+ logit ? "/" : "",
+ logit ? clean_password : "",
+ auth_name(buf, sizeof(buf), request, 1),
+ extra);
+
return 0;
}
*
* NOTE: NOT the same as the RLM_ values !
*/
-static int rad_check_password(REQUEST *request)
+static int CC_HINT(nonnull) rad_check_password(REQUEST *request)
{
+ vp_cursor_t cursor;
VALUE_PAIR *auth_type_pair;
- VALUE_PAIR *cur_config_item;
- VALUE_PAIR *password_pair;
- VALUE_PAIR *auth_item;
- uint8_t my_chap[MAX_STRING_LEN];
int auth_type = -1;
int result;
int auth_type_count = 0;
- result = 0;
/*
* Look for matching check items. We skip the whole lot
* if the authentication type is PW_AUTHTYPE_ACCEPT or
* PW_AUTHTYPE_REJECT.
*/
- cur_config_item = request->config_items;
- while(((auth_type_pair = pairfind(cur_config_item, PW_AUTH_TYPE))) != NULL) {
+ fr_cursor_init(&cursor, &request->config_items);
+ while ((auth_type_pair = fr_cursor_next_by_num(&cursor, PW_AUTH_TYPE, 0, TAG_ANY))) {
auth_type = auth_type_pair->vp_integer;
auth_type_count++;
- DEBUG2(" rad_check_password: Found Auth-Type %s",
- auth_type_pair->vp_strvalue);
- cur_config_item = auth_type_pair->next;
-
+ RDEBUG2("Found Auth-Type = %s", dict_valnamebyattr(PW_AUTH_TYPE, 0, auth_type));
if (auth_type == PW_AUTHTYPE_REJECT) {
- DEBUG2(" rad_check_password: Auth-Type = Reject, rejecting user");
+ RDEBUG2("Auth-Type = Reject, rejecting user");
+
return -2;
}
}
- if (( auth_type_count > 1) && (debug_flag)) {
- radlog(L_ERR, "Warning: Found %d auth-types on request for user '%s'",
+ /*
+ * Warn if more than one Auth-Type was found, because only the last
+ * one found will actually be used.
+ */
+ if ((auth_type_count > 1) && (debug_flag)) {
+ RERROR("Warning: Found %d auth-types on request for user '%s'",
auth_type_count, request->username->vp_strvalue);
}
/*
- * This means we have a proxy reply or an accept
- * and it wasn't rejected in the above loop. So
- * that means it is accepted and we do no further
- * authentication
+ * This means we have a proxy reply or an accept and it wasn't
+ * rejected in the above loop. So that means it is accepted and we
+ * do no further authentication.
*/
- if ((auth_type == PW_AUTHTYPE_ACCEPT) || (request->proxy)) {
- DEBUG2(" rad_check_password: Auth-Type = Accept, accepting the user");
+ if ((auth_type == PW_AUTHTYPE_ACCEPT)
+#ifdef WITH_PROXY
+ || (request->proxy)
+#endif
+ ) {
+ RDEBUG2("Auth-Type = Accept, accepting the user");
return 0;
}
- password_pair = pairfind(request->config_items, PW_USER_PASSWORD);
- if (password_pair &&
- pairfind(request->config_items, PW_CLEARTEXT_PASSWORD)) {
- pairdelete(&request->config_items, PW_USER_PASSWORD);
- password_pair = NULL;
- }
-
- if (password_pair) {
- DEBUG("!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!");
- DEBUG("!!! Replacing User-Password in config items with Cleartext-Password. !!!");
- DEBUG("!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!");
- DEBUG("!!! Please update your configuration so that the \"known good\" !!!");
- DEBUG("!!! clear text password is in Cleartext-Password, and not in User-Password. !!!");
- DEBUG("!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!");
- password_pair->attribute = PW_CLEARTEXT_PASSWORD;
- strlcpy(password_pair->name, "Cleartext-Password",
- sizeof(password_pair->name));
- }
-
/*
- * Find the "known good" password.
+ * Check that Auth-Type has been set, and reject if not.
*
- * FIXME: We should get rid of these hacks, and replace
- * them with a module.
+ * Do quick checks to see if Cleartext-Password or Crypt-Password have
+ * been set, and complain if so.
*/
- if ((password_pair = pairfind(request->config_items, PW_CRYPT_PASSWORD)) != NULL) {
- /*
- * Re-write Auth-Type, but ONLY if it isn't already
- * set.
- */
- if (auth_type == -1) auth_type = PW_AUTHTYPE_CRYPT;
- } else {
- password_pair = pairfind(request->config_items, PW_CLEARTEXT_PASSWORD);
- }
-
if (auth_type < 0) {
- if (password_pair) {
- auth_type = PW_AUTHTYPE_LOCAL;
- } else {
- /*
- * The admin hasn't told us how to
- * authenticate the user, so we reject them!
- *
- * This is fail-safe.
- */
- DEBUG2("auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user");
- return -2;
+ if (pairfind(request->config_items, PW_CRYPT_PASSWORD, 0, TAG_ANY) != NULL) {
+ RWDEBUG2("Please update your configuration, and remove 'Auth-Type = Crypt'");
+ RWDEBUG2("Use the PAP module instead");
+ }
+ else if (pairfind(request->config_items, PW_CLEARTEXT_PASSWORD, 0, TAG_ANY) != NULL) {
+ RWDEBUG2("Please update your configuration, and remove 'Auth-Type = Local'");
+ RWDEBUG2("Use the PAP or CHAP modules instead");
}
- }
- switch(auth_type) {
- DICT_VALUE *dval;
-
- case PW_AUTHTYPE_CRYPT:
- /*
- * Find the password sent by the user. It
- * SHOULD be there, if it's not
- * authentication fails.
- */
- auth_item = request->password;
- if (auth_item == NULL) {
- DEBUG2("auth: No User-Password or CHAP-Password attribute in the request");
- return -1;
- }
+ /*
+ * The admin hasn't told us how to
+ * authenticate the user, so we reject them!
+ *
+ * This is fail-safe.
+ */
- DEBUG2("auth: type Crypt");
- if (password_pair == NULL) {
- DEBUG2("No Crypt-Password configured for the user");
- rad_authlog("Login incorrect "
- "(No Crypt-Password configured for the user)", request, 0);
- return -1;
- }
+ REDEBUG2("No Auth-Type found: rejecting the user via Post-Auth-Type = Reject");
+ return -2;
+ }
- switch (lrad_crypt_check((char *)auth_item->vp_strvalue,
- (char *)password_pair->vp_strvalue)) {
- case -1:
- rad_authlog("Login incorrect "
- "(system failed to supply an encrypted password for comparison)", request, 0);
- case 1:
- return -1;
- }
+ /*
+ * See if there is a module that handles
+ * this Auth-Type, and turn the RLM_ return
+ * status into the values as defined at
+ * the top of this function.
+ */
+ result = process_authenticate(auth_type, request);
+ switch (result) {
+ /*
+ * An authentication module FAIL
+ * return code, or any return code that
+ * is not expected from authentication,
+ * is the same as an explicit REJECT!
+ */
+ case RLM_MODULE_FAIL:
+ case RLM_MODULE_INVALID:
+ case RLM_MODULE_NOOP:
+ case RLM_MODULE_NOTFOUND:
+ case RLM_MODULE_REJECT:
+ case RLM_MODULE_UPDATED:
+ case RLM_MODULE_USERLOCK:
+ default:
+ result = -1;
break;
- case PW_AUTHTYPE_LOCAL:
- DEBUG2("auth: type Local");
-
- /*
- * Find the password sent by the user. It
- * SHOULD be there, if it's not
- * authentication fails.
- */
- auth_item = request->password;
- if (!auth_item)
- auth_item = pairfind(request->packet->vps,
- PW_CHAP_PASSWORD);
- if (!auth_item) {
- DEBUG2("auth: No User-Password or CHAP-Password attribute in the request");
- return -1;
- }
-
- /*
- * Plain text password.
- */
- if (password_pair == NULL) {
- DEBUG2("auth: No password configured for the user");
- rad_authlog("Login incorrect "
- "(No password configured for the user)", request, 0);
- return -1;
- }
-
- /*
- * Local password is just plain text.
- */
- if (auth_item->attribute == PW_USER_PASSWORD) {
- if (strcmp((char *)password_pair->vp_strvalue,
- (char *)auth_item->vp_strvalue) != 0) {
- DEBUG2("auth: user supplied User-Password does NOT match local User-Password");
- return -1;
- }
- DEBUG2("auth: user supplied User-Password matches local User-Password");
- break;
-
- } else if (auth_item->attribute != PW_CHAP_PASSWORD) {
- DEBUG2("The user did not supply a User-Password or a CHAP-Password attribute");
- rad_authlog("Login incorrect "
- "(no User-Password or CHAP-Password attribute)", request, 0);
- return -1;
- }
-
- rad_chap_encode(request->packet, my_chap,
- auth_item->vp_octets[0], password_pair);
-
- /*
- * Compare them
- */
- if (memcmp(my_chap + 1, auth_item->vp_strvalue + 1,
- CHAP_VALUE_LENGTH) != 0) {
- DEBUG2("auth: user supplied CHAP-Password does NOT match local User-Password");
- return -1;
- }
- DEBUG2("auth: user supplied CHAP-Password matches local User-Password");
+ case RLM_MODULE_OK:
+ result = 0;
break;
- default:
- dval = dict_valbyattr(PW_AUTH_TYPE, auth_type);
- if (dval) {
- DEBUG2("auth: type \"%s\"", dval->name);
- } else {
- DEBUG2("auth: type UNKNOWN-%d", auth_type);
- }
-
- /*
- * See if there is a module that handles
- * this type, and turn the RLM_ return
- * status into the values as defined at
- * the top of this function.
- */
- result = module_authenticate(auth_type, request);
- switch (result) {
- /*
- * An authentication module FAIL
- * return code, or any return code that
- * is not expected from authentication,
- * is the same as an explicit REJECT!
- */
- case RLM_MODULE_FAIL:
- case RLM_MODULE_INVALID:
- case RLM_MODULE_NOOP:
- case RLM_MODULE_NOTFOUND:
- case RLM_MODULE_REJECT:
- case RLM_MODULE_UPDATED:
- case RLM_MODULE_USERLOCK:
- default:
- result = -1;
- break;
- case RLM_MODULE_OK:
- result = 0;
- break;
- case RLM_MODULE_HANDLED:
- result = 1;
- break;
- }
+ case RLM_MODULE_HANDLED:
+ result = 1;
break;
}
/*
* Do post-authentication calls. ignoring the return code.
*/
- vp = pairfind(request->config_items, PW_POST_AUTH_TYPE);
+ vp = pairfind(request->config_items, PW_POST_AUTH_TYPE, 0, TAG_ANY);
if (vp) {
- DEBUG2(" Found Post-Auth-Type %s", vp->vp_strvalue);
postauth_type = vp->vp_integer;
+ RDEBUG2("Using Post-Auth-Type %s",
+ dict_valnamebyattr(PW_POST_AUTH_TYPE, 0, postauth_type));
}
- result = module_post_auth(postauth_type, request);
+ result = process_post_auth(postauth_type, request);
switch (result) {
/*
* The module failed, or said to reject the user: Do so.
case RLM_MODULE_REJECT:
case RLM_MODULE_USERLOCK:
default:
- request->reply->code = PW_AUTHENTICATION_REJECT;
+ request->reply->code = PW_CODE_ACCESS_REJECT;
result = RLM_MODULE_REJECT;
break;
/*
*/
int rad_authenticate(REQUEST *request)
{
- VALUE_PAIR *namepair;
+#ifdef WITH_SESSION_MGMT
VALUE_PAIR *check_item;
- VALUE_PAIR *auth_item;
+#endif
VALUE_PAIR *module_msg;
VALUE_PAIR *tmp = NULL;
int result;
- char umsg[MAX_STRING_LEN + 1];
- const char *user_msg = NULL;
- const char *password;
- char logstr[1024];
char autz_retry = 0;
int autz_type = 0;
- password = "";
-
+#ifdef WITH_PROXY
/*
* If this request got proxied to another server, we need
* to check whether it authenticated the request or not.
+ *
+ * request->proxy gets set only AFTER authorization, so
+ * it's safe to check it here. If it exists, it means
+ * we're doing a second pass through rad_authenticate().
*/
- if (request->proxy_reply) {
- switch (request->proxy_reply->code) {
+ if (request->proxy) {
+ int code = 0;
+
+ if (request->proxy_reply) code = request->proxy_reply->code;
+
+ switch (code) {
/*
* Reply of ACCEPT means accept, thus set Auth-Type
* accordingly.
*/
- case PW_AUTHENTICATION_ACK:
- tmp = paircreate(PW_AUTH_TYPE, PW_TYPE_INTEGER);
- if (tmp == NULL) {
- radlog(L_ERR|L_CONS, "Not enough memory");
- exit(1);
- }
- tmp->vp_integer = PW_AUTHTYPE_ACCEPT;
- pairadd(&request->config_items, tmp);
- break;
+ case PW_CODE_ACCESS_ACCEPT:
+ tmp = radius_paircreate(request,
+ &request->config_items,
+ PW_AUTH_TYPE, 0);
+ if (tmp) tmp->vp_integer = PW_AUTHTYPE_ACCEPT;
+ goto authenticate;
+
/*
* Challenges are punted back to the NAS without any
* further processing.
*/
- case PW_ACCESS_CHALLENGE:
- request->reply->code = PW_ACCESS_CHALLENGE;
+ case PW_CODE_ACCESS_CHALLENGE:
+ request->reply->code = PW_CODE_ACCESS_CHALLENGE;
return RLM_MODULE_OK;
+
/*
* ALL other replies mean reject. (this is fail-safe)
*
* are being rejected, so we minimize the amount of work
* done by the server, by rejecting them here.
*/
- case PW_AUTHENTICATION_REJECT:
- default:
+ case PW_CODE_ACCESS_REJECT:
rad_authlog("Login incorrect (Home Server says so)",
request, 0);
- request->reply->code = PW_AUTHENTICATION_REJECT;
+ request->reply->code = PW_CODE_ACCESS_REJECT;
+ return RLM_MODULE_REJECT;
+
+ default:
+ rad_authlog("Login incorrect (Home Server failed to respond)",
+ request, 0);
return RLM_MODULE_REJECT;
}
}
-
- /*
- * Get the username from the request.
- *
- * Note that namepair MAY be NULL, in which case there
- * is no User-Name attribute in the request.
- */
- namepair = request->username;
-
+#endif
/*
* Look for, and cache, passwords.
*/
if (!request->password) {
- request->password = pairfind(request->packet->vps,
- PW_USER_PASSWORD);
+ request->password = pairfind(request->packet->vps, PW_USER_PASSWORD, 0, TAG_ANY);
}
-
- /*
- * Discover which password we want to use.
- */
- auth_item = request->password;
- if (auth_item) {
- password = (const char *)auth_item->vp_strvalue;
-
- } else {
- /*
- * Maybe there's a CHAP-Password?
- */
- if ((auth_item = pairfind(request->packet->vps,
- PW_CHAP_PASSWORD)) != NULL) {
- password = "<CHAP-PASSWORD>";
-
- } else {
- /*
- * No password we recognize.
- */
- password = "<NO-PASSWORD>";
- }
+ if (!request->password) {
+ request->password = pairfind(request->packet->vps, PW_CHAP_PASSWORD, 0, TAG_ANY);
}
- request->password = auth_item;
/*
* Get the user's authorization information from the database
*/
autz_redo:
- result = module_authorize(autz_type, request);
+ result = process_authorize(autz_type, request);
switch (result) {
case RLM_MODULE_NOOP:
case RLM_MODULE_NOTFOUND:
case RLM_MODULE_OK:
case RLM_MODULE_UPDATED:
break;
- case RLM_MODULE_FAIL:
case RLM_MODULE_HANDLED:
return result;
+ case RLM_MODULE_FAIL:
case RLM_MODULE_INVALID:
case RLM_MODULE_REJECT:
case RLM_MODULE_USERLOCK:
default:
- if ((module_msg = pairfind(request->packet->vps,
- PW_MODULE_FAILURE_MESSAGE)) != NULL) {
+ if ((module_msg = pairfind(request->packet->vps, PW_MODULE_FAILURE_MESSAGE, 0, TAG_ANY)) != NULL) {
char msg[MAX_STRING_LEN + 16];
snprintf(msg, sizeof(msg), "Invalid user (%s)",
module_msg->vp_strvalue);
} else {
rad_authlog("Invalid user", request, 0);
}
- request->reply->code = PW_AUTHENTICATION_REJECT;
+ request->reply->code = PW_CODE_ACCESS_REJECT;
return result;
}
if (!autz_retry) {
- tmp = pairfind(request->config_items, PW_AUTZ_TYPE);
+ tmp = pairfind(request->config_items, PW_AUTZ_TYPE, 0, TAG_ANY);
if (tmp) {
- DEBUG2(" Found Autz-Type %s", tmp->vp_strvalue);
autz_type = tmp->vp_integer;
+ RDEBUG2("Using Autz-Type %s",
+ dict_valnamebyattr(PW_AUTZ_TYPE, 0, autz_type));
autz_retry = 1;
goto autz_redo;
}
* modules has decided that a proxy should be used. If
* so, get out of here and send the packet.
*/
- if ((request->proxy == NULL) &&
- ((tmp = pairfind(request->config_items, PW_PROXY_TO_REALM)) != NULL)) {
+ if (
+#ifdef WITH_PROXY
+ (request->proxy == NULL) &&
+#endif
+ ((tmp = pairfind(request->config_items, PW_PROXY_TO_REALM, 0, TAG_ANY)) != NULL)) {
REALM *realm;
+ realm = realm_find2(tmp->vp_strvalue);
+
/*
- * Catch users who set Proxy-To-Realm to a LOCAL
- * realm (sigh).
+ * Don't authenticate, as the request is going to
+ * be proxied.
*/
- realm = realm_find(tmp->vp_strvalue);
- if (realm && !realm->auth_pool) {
- DEBUG2(" WARNING: You set Proxy-To-Realm = %s, but it is a LOCAL realm! Cancelling invalid proxy request.", realm->name);
- } else {
- /*
- * Don't authenticate, as the request is
- * proxied.
- */
+ if (realm && realm->auth_pool) {
return RLM_MODULE_OK;
}
+
+ /*
+ * Catch users who set Proxy-To-Realm to a LOCAL
+ * realm (sigh). But don't complain if it is
+ * *the* LOCAL realm.
+ */
+ if (realm &&(strcmp(realm->name, "LOCAL") != 0)) {
+ RWDEBUG2("You set Proxy-To-Realm = %s, but it is a LOCAL realm! Cancelling proxy request.", realm->name);
+ }
+
+ if (!realm) {
+ RWDEBUG2("You set Proxy-To-Realm = %s, but the realm does not exist! Cancelling invalid proxy request.", tmp->vp_strvalue);
+ }
}
- /*
- * Perhaps there is a Stripped-User-Name now.
- */
- namepair = request->username;
+#ifdef WITH_PROXY
+ authenticate:
+#endif
/*
* Validate the user
* wants to send back.
*/
if (result < 0) {
- DEBUG2("auth: Failed to validate the user.");
- request->reply->code = PW_AUTHENTICATION_REJECT;
+ RDEBUG2("Failed to authenticate the user");
+ request->reply->code = PW_CODE_ACCESS_REJECT;
- if ((module_msg = pairfind(request->packet->vps,PW_MODULE_FAILURE_MESSAGE)) != NULL){
+ if ((module_msg = pairfind(request->packet->vps, PW_MODULE_FAILURE_MESSAGE, 0, TAG_ANY)) != NULL){
char msg[MAX_STRING_LEN+19];
snprintf(msg, sizeof(msg), "Login incorrect (%s)",
rad_authlog("Login incorrect", request, 0);
}
- /* double check: maybe the secret is wrong? */
- if ((debug_flag > 1) && (auth_item != NULL) &&
- (auth_item->attribute == PW_USER_PASSWORD)) {
- char *p;
-
- p = auth_item->vp_strvalue;
- while (*p != '\0') {
- if (!isprint((int) *p)) {
- log_debug(" WARNING: Unprintable characters in the password.\n\t Double-check the shared secret on the server and the NAS!");
- break;
+ if (request->password) {
+ VERIFY_VP(request->password);
+ /* double check: maybe the secret is wrong? */
+ if ((debug_flag > 1) && (request->password->da->attr == PW_USER_PASSWORD)) {
+ uint8_t const *p;
+
+ p = (uint8_t const *) request->password->vp_strvalue;
+ while (*p) {
+ int size;
+
+ size = fr_utf8_char(p);
+ if (!size) {
+ RWDEBUG("Unprintable characters in the password. Double-check the "
+ "shared secret on the server and the NAS!");
+ break;
+ }
+ p += size;
}
- p++;
}
}
}
+#ifdef WITH_SESSION_MGMT
if (result >= 0 &&
- (check_item = pairfind(request->config_items, PW_SIMULTANEOUS_USE)) != NULL) {
+ (check_item = pairfind(request->config_items, PW_SIMULTANEOUS_USE, 0, TAG_ANY)) != NULL) {
int r, session_type = 0;
+ char logstr[1024];
+ char umsg[MAX_STRING_LEN + 1];
- tmp = pairfind(request->config_items, PW_SESSION_TYPE);
+ tmp = pairfind(request->config_items, PW_SESSION_TYPE, 0, TAG_ANY);
if (tmp) {
- DEBUG2(" Found Session-Type %s", tmp->vp_strvalue);
session_type = tmp->vp_integer;
+ RDEBUG2("Using Session-Type %s",
+ dict_valnamebyattr(PW_SESSION_TYPE, 0, session_type));
}
/*
* User authenticated O.K. Now we have to check
* for the Simultaneous-Use parameter.
*/
- if (namepair &&
- (r = module_checksimul(session_type, request, check_item->vp_integer)) != 0) {
+ if (request->username &&
+ (r = process_checksimul(session_type, request, check_item->vp_integer)) != 0) {
char mpp_ok = 0;
if (r == 2){
/* Multilink attempt. Check if port-limit > simultaneous-use */
VALUE_PAIR *port_limit;
- if ((port_limit = pairfind(request->reply->vps, PW_PORT_LIMIT)) != NULL &&
+ if ((port_limit = pairfind(request->reply->vps, PW_PORT_LIMIT, 0, TAG_ANY)) != NULL &&
port_limit->vp_integer > check_item->vp_integer){
- DEBUG2("main auth: MPP is OK");
+ RDEBUG2("MPP is OK");
mpp_ok = 1;
}
}
if (!mpp_ok){
if (check_item->vp_integer > 1) {
- snprintf(umsg, sizeof(umsg),
- "\r\nYou are already logged in %d times - access denied\r\n\n",
- (int)check_item->vp_integer);
- user_msg = umsg;
+ snprintf(umsg, sizeof(umsg),
+ "\r\n%s (%d)\r\n\n",
+ main_config.denied_msg,
+ (int)check_item->vp_integer);
} else {
- user_msg = "\r\nYou are already logged in - access denied\r\n\n";
+ snprintf(umsg, sizeof(umsg),
+ "\r\n%s\r\n\n",
+ main_config.denied_msg);
}
- request->reply->code = PW_AUTHENTICATION_REJECT;
+ request->reply->code = PW_CODE_ACCESS_REJECT;
/*
* They're trying to log in too many times.
* Remove ALL reply attributes.
*/
pairfree(&request->reply->vps);
- tmp = pairmake("Reply-Message", user_msg, T_OP_SET);
- request->reply->vps = tmp;
+ pairmake_reply("Reply-Message",
+ umsg, T_OP_SET);
snprintf(logstr, sizeof(logstr), "Multiple logins (max %d) %s",
check_item->vp_integer,
}
}
}
+#endif
/*
* Result should be >= 0 here - if not, it means the user
}
/*
- * We might need this later. The 'password' string
- * is NOT used anywhere below here, except for logging,
- * so it should be safe...
- */
- if ((auth_item != NULL) && (auth_item->attribute == PW_CHAP_PASSWORD)) {
- password = "CHAP-Password";
- }
-
- /*
- * Add the port number to the Framed-IP-Address if
- * vp->addport is set.
- */
- if (((tmp = pairfind(request->reply->vps,
- PW_FRAMED_IP_ADDRESS)) != NULL) &&
- (tmp->flags.addport != 0)) {
- VALUE_PAIR *vpPortId;
-
- /*
- * Find the NAS port ID.
- */
- if ((vpPortId = pairfind(request->packet->vps,
- PW_NAS_PORT)) != NULL) {
- unsigned long tvalue = ntohl(tmp->vp_integer);
- tmp->vp_integer = htonl(tvalue + vpPortId->vp_integer);
- tmp->flags.addport = 0;
- ip_ntoa(tmp->vp_strvalue, tmp->vp_integer);
- } else {
- DEBUG2("WARNING: No NAS-Port attribute in request. CANNOT return a Framed-IP-Address + NAS-Port.\n");
- pairdelete(&request->reply->vps, PW_FRAMED_IP_ADDRESS);
- }
- }
-
- /*
* Set the reply to Access-Accept, if it hasn't already
* been set to something. (i.e. Access-Challenge)
*/
if (request->reply->code == 0)
- request->reply->code = PW_AUTHENTICATION_ACK;
+ request->reply->code = PW_CODE_ACCESS_ACCEPT;
- if ((module_msg = pairfind(request->packet->vps,PW_MODULE_SUCCESS_MESSAGE)) != NULL){
+ if ((module_msg = pairfind(request->packet->vps, PW_MODULE_SUCCESS_MESSAGE, 0, TAG_ANY)) != NULL){
char msg[MAX_STRING_LEN+12];
snprintf(msg, sizeof(msg), "Login OK (%s)",
rad_authlog("Login OK", request, 1);
}
+ return result;
+}
+
+/*
+ * Run a virtual server auth and postauth
+ *
+ */
+int rad_virtual_server(REQUEST *request)
+{
+ VALUE_PAIR *vp;
+ int result;
+
+ RDEBUG("server %s {", request->server);
+ RDEBUG(" Request:");
+ debug_pair_list(request->packet->vps);
+
/*
- * Run the modules in the 'post-auth' section.
+ * We currently only handle AUTH packets here.
+ * This could be expanded to handle other packets as well if required.
*/
- result = rad_postauth(request);
+ rad_assert(request->packet->code == PW_CODE_ACCESS_REQUEST);
+
+ result = rad_authenticate(request);
+
+ if (request->reply->code == PW_CODE_ACCESS_REJECT) {
+ pairdelete(&request->config_items, PW_POST_AUTH_TYPE, 0, TAG_ANY);
+ vp = pairmake_config("Post-Auth-Type", "Reject", T_OP_SET);
+ if (vp) rad_postauth(request);
+ }
+
+ if (request->reply->code == PW_CODE_ACCESS_ACCEPT) {
+ rad_postauth(request);
+ }
+
+ RDEBUG(" Reply:");
+ debug_pair_list(request->reply->vps);
+ RDEBUG("} # server %s", request->server);
return result;
}