* Copyright 2000 Miquel van Smoorenburg <miquels@cistron.nl>
* Copyright 2000 Jeff Carneal <jeff@apex.net>
*/
-
-#include <freeradius-devel/ident.h>
RCSID("$Id$")
#include <freeradius-devel/radiusd.h>
* Return a short string showing the terminal server, port
* and calling station ID.
*/
-char *auth_name(char *buf, size_t buflen, REQUEST *request, int do_cli)
+char *auth_name(char *buf, size_t buflen, REQUEST *request, bool do_cli)
{
VALUE_PAIR *cli;
VALUE_PAIR *pair;
- int port = 0;
- const char *tls = "";
+ uint16_t port = 0;
+ char const *tls = "";
+
+ if ((cli = pairfind(request->packet->vps, PW_CALLING_STATION_ID, 0, TAG_ANY)) == NULL) {
+ do_cli = false;
+ }
- if ((cli = pairfind(request->packet->vps, PW_CALLING_STATION_ID, 0, TAG_ANY)) == NULL)
- do_cli = 0;
- if ((pair = pairfind(request->packet->vps, PW_NAS_PORT, 0, TAG_ANY)) != NULL)
+ if ((pair = pairfind(request->packet->vps, PW_NAS_PORT, 0, TAG_ANY)) != NULL) {
port = pair->vp_integer;
+ }
if (request->packet->dst_port == 0) {
if (pairfind(request->packet->vps, PW_FREERADIUS_PROXIED_TO, 0, TAG_ANY)) {
snprintf(buf, buflen, "from client %.128s port %u%s%.128s%s",
request->client->shortname, port,
- (do_cli ? " cli " : ""), (do_cli ? (char *)cli->vp_strvalue : ""),
+ (do_cli ? " cli " : ""), (do_cli ? cli->vp_strvalue : ""),
tls);
return buf;
* Make sure user/pass are clean
* and then log them
*/
-static int rad_authlog(const char *msg, REQUEST *request, int goodpass)
+static int rad_authlog(char const *msg, REQUEST *request, int goodpass)
{
int logit;
- const char *extra_msg = NULL;
+ char const *extra_msg = NULL;
char clean_password[1024];
char clean_username[1024];
char buf[1024];
char extra[1024];
+ char *p;
VALUE_PAIR *username = NULL;
if (!request->root->log_auth) {
/*
* Get the correct username based on the configured value
*/
- if (log_stripped_names == 0) {
+ if (!log_stripped_names) {
username = pairfind(request->packet->vps, PW_USER_NAME, 0, TAG_ANY);
} else {
username = request->username;
if (username == NULL) {
strcpy(clean_username, "<no User-Name attribute>");
} else {
- fr_print_string((char *)username->vp_strvalue,
+ fr_print_string(username->vp_strvalue,
username->length,
clean_username, sizeof(clean_username));
}
} else if (pairfind(request->packet->vps, PW_CHAP_PASSWORD, 0, TAG_ANY)) {
strcpy(clean_password, "<CHAP-Password>");
} else {
- fr_print_string((char *)request->password->vp_strvalue,
+ fr_print_string(request->password->vp_strvalue,
request->password->length,
clean_password, sizeof(clean_password));
}
if (extra_msg) {
extra[0] = ' ';
- radius_xlat(extra + 1, sizeof(extra) - 1, extra_msg, request,
- NULL, NULL);
+ p = extra + 1;
+ if (radius_xlat(p, sizeof(extra) - 1, request, extra_msg, NULL, NULL) < 0) {
+ return -1;
+ }
} else {
*extra = '\0';
}
- radlog_request(L_AUTH, 0, request, "%s: [%s%s%s] (%s)%s",
+ RAUTH("%s: [%s%s%s] (%s)%s",
msg,
clean_username,
logit ? "/" : "",
*
* NOTE: NOT the same as the RLM_ values !
*/
-static int rad_check_password(REQUEST *request)
+static int CC_HINT(nonnull) rad_check_password(REQUEST *request)
{
+ vp_cursor_t cursor;
VALUE_PAIR *auth_type_pair;
- VALUE_PAIR *cur_config_item;
int auth_type = -1;
int result;
int auth_type_count = 0;
- result = 0;
/*
* Look for matching check items. We skip the whole lot
* if the authentication type is PW_AUTHTYPE_ACCEPT or
* PW_AUTHTYPE_REJECT.
*/
- cur_config_item = request->config_items;
- while(((auth_type_pair = pairfind(cur_config_item, PW_AUTH_TYPE, 0, TAG_ANY))) != NULL) {
+ fr_cursor_init(&cursor, &request->config_items);
+ while ((auth_type_pair = fr_cursor_next_by_num(&cursor, PW_AUTH_TYPE, 0, TAG_ANY))) {
auth_type = auth_type_pair->vp_integer;
auth_type_count++;
- RDEBUG2("Found Auth-Type = %s",
- dict_valnamebyattr(PW_AUTH_TYPE, 0, auth_type));
- cur_config_item = auth_type_pair->next;
-
+ RDEBUG2("Found Auth-Type = %s", dict_valnamebyattr(PW_AUTH_TYPE, 0, auth_type));
if (auth_type == PW_AUTHTYPE_REJECT) {
RDEBUG2("Auth-Type = Reject, rejecting user");
+
return -2;
}
}
* Warn if more than one Auth-Type was found, because only the last
* one found will actually be used.
*/
- if (( auth_type_count > 1) && (debug_flag)) {
- radlog_request(L_ERR, 0, request, "Warning: Found %d auth-types on request for user '%s'",
+ if ((auth_type_count > 1) && (debug_flag)) {
+ RERROR("Warning: Found %d auth-types on request for user '%s'",
auth_type_count, request->username->vp_strvalue);
}
*/
if (auth_type < 0) {
if (pairfind(request->config_items, PW_CRYPT_PASSWORD, 0, TAG_ANY) != NULL) {
- RDEBUG2("WARNING: Please update your configuration, and remove 'Auth-Type = Crypt'");
- RDEBUG2("WARNING: Use the PAP module instead.");
+ RWDEBUG2("Please update your configuration, and remove 'Auth-Type = Crypt'");
+ RWDEBUG2("Use the PAP module instead");
}
else if (pairfind(request->config_items, PW_CLEARTEXT_PASSWORD, 0, TAG_ANY) != NULL) {
- RDEBUG2("WARNING: Please update your configuration, and remove 'Auth-Type = Local'");
- RDEBUG2("WARNING: Use the PAP or CHAP modules instead.");
+ RWDEBUG2("Please update your configuration, and remove 'Auth-Type = Local'");
+ RWDEBUG2("Use the PAP or CHAP modules instead");
}
/*
- * The admin hasn't told us how to
- * authenticate the user, so we reject them!
- *
- * This is fail-safe.
- */
+ * The admin hasn't told us how to
+ * authenticate the user, so we reject them!
+ *
+ * This is fail-safe.
+ */
- RDEBUG2("ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user");
+ REDEBUG2("No Auth-Type found: rejecting the user via Post-Auth-Type = Reject");
return -2;
}
* status into the values as defined at
* the top of this function.
*/
- result = module_authenticate(auth_type, request);
+ result = process_authenticate(auth_type, request);
switch (result) {
/*
* An authentication module FAIL
RDEBUG2("Using Post-Auth-Type %s",
dict_valnamebyattr(PW_POST_AUTH_TYPE, 0, postauth_type));
}
- result = module_post_auth(postauth_type, request);
+ result = process_post_auth(postauth_type, request);
switch (result) {
/*
* The module failed, or said to reject the user: Do so.
case RLM_MODULE_REJECT:
case RLM_MODULE_USERLOCK:
default:
- request->reply->code = PW_AUTHENTICATION_REJECT;
+ request->reply->code = PW_CODE_ACCESS_REJECT;
result = RLM_MODULE_REJECT;
break;
/*
*/
int rad_authenticate(REQUEST *request)
{
- VALUE_PAIR *namepair;
#ifdef WITH_SESSION_MGMT
VALUE_PAIR *check_item;
#endif
- VALUE_PAIR *auth_item = NULL;
VALUE_PAIR *module_msg;
VALUE_PAIR *tmp = NULL;
int result;
- const char *password;
char autz_retry = 0;
int autz_type = 0;
- password = "";
-
#ifdef WITH_PROXY
/*
* If this request got proxied to another server, we need
* to check whether it authenticated the request or not.
+ *
+ * request->proxy gets set only AFTER authorization, so
+ * it's safe to check it here. If it exists, it means
+ * we're doing a second pass through rad_authenticate().
*/
- if (request->proxy_reply) {
- switch (request->proxy_reply->code) {
+ if (request->proxy) {
+ int code = 0;
+
+ if (request->proxy_reply) code = request->proxy_reply->code;
+
+ switch (code) {
/*
* Reply of ACCEPT means accept, thus set Auth-Type
* accordingly.
*/
- case PW_AUTHENTICATION_ACK:
+ case PW_CODE_ACCESS_ACCEPT:
tmp = radius_paircreate(request,
&request->config_items,
- PW_AUTH_TYPE, 0, PW_TYPE_INTEGER);
+ PW_AUTH_TYPE, 0);
if (tmp) tmp->vp_integer = PW_AUTHTYPE_ACCEPT;
goto authenticate;
* Challenges are punted back to the NAS without any
* further processing.
*/
- case PW_ACCESS_CHALLENGE:
- request->reply->code = PW_ACCESS_CHALLENGE;
+ case PW_CODE_ACCESS_CHALLENGE:
+ request->reply->code = PW_CODE_ACCESS_CHALLENGE;
return RLM_MODULE_OK;
+
/*
* ALL other replies mean reject. (this is fail-safe)
*
* are being rejected, so we minimize the amount of work
* done by the server, by rejecting them here.
*/
- case PW_AUTHENTICATION_REJECT:
+ case PW_CODE_ACCESS_REJECT:
rad_authlog("Login incorrect (Home Server says so)",
request, 0);
- request->reply->code = PW_AUTHENTICATION_REJECT;
+ request->reply->code = PW_CODE_ACCESS_REJECT;
return RLM_MODULE_REJECT;
default:
}
}
#endif
-
- /*
- * Get the username from the request.
- *
- * Note that namepair MAY be NULL, in which case there
- * is no User-Name attribute in the request.
- */
- namepair = request->username;
-
/*
* Look for, and cache, passwords.
*/
if (!request->password) {
request->password = pairfind(request->packet->vps, PW_USER_PASSWORD, 0, TAG_ANY);
}
-
- /*
- * Discover which password we want to use.
- */
- auth_item = request->password;
- if (auth_item) {
- password = (const char *)auth_item->vp_strvalue;
-
- } else {
- /*
- * Maybe there's a CHAP-Password?
- */
- if ((auth_item = pairfind(request->packet->vps, PW_CHAP_PASSWORD, 0, TAG_ANY)) != NULL) {
- password = "<CHAP-PASSWORD>";
-
- } else {
- /*
- * No password we recognize.
- */
- password = "<NO-PASSWORD>";
- }
+ if (!request->password) {
+ request->password = pairfind(request->packet->vps, PW_CHAP_PASSWORD, 0, TAG_ANY);
}
- request->password = auth_item;
/*
* Get the user's authorization information from the database
*/
autz_redo:
- result = module_authorize(autz_type, request);
+ result = process_authorize(autz_type, request);
switch (result) {
case RLM_MODULE_NOOP:
case RLM_MODULE_NOTFOUND:
} else {
rad_authlog("Invalid user", request, 0);
}
- request->reply->code = PW_AUTHENTICATION_REJECT;
+ request->reply->code = PW_CODE_ACCESS_REJECT;
return result;
}
if (!autz_retry) {
* *the* LOCAL realm.
*/
if (realm &&(strcmp(realm->name, "LOCAL") != 0)) {
- RDEBUG2("WARNING: You set Proxy-To-Realm = %s, but it is a LOCAL realm! Cancelling proxy request.", realm->name);
+ RWDEBUG2("You set Proxy-To-Realm = %s, but it is a LOCAL realm! Cancelling proxy request.", realm->name);
}
if (!realm) {
- RDEBUG2("WARNING: You set Proxy-To-Realm = %s, but the realm does not exist! Cancelling invalid proxy request.", tmp->vp_strvalue);
+ RWDEBUG2("You set Proxy-To-Realm = %s, but the realm does not exist! Cancelling invalid proxy request.", tmp->vp_strvalue);
}
}
#endif
/*
- * Perhaps there is a Stripped-User-Name now.
- */
- namepair = request->username;
-
- /*
* Validate the user
*/
do {
* wants to send back.
*/
if (result < 0) {
- RDEBUG2("Failed to authenticate the user.");
- request->reply->code = PW_AUTHENTICATION_REJECT;
+ RDEBUG2("Failed to authenticate the user");
+ request->reply->code = PW_CODE_ACCESS_REJECT;
if ((module_msg = pairfind(request->packet->vps, PW_MODULE_FAILURE_MESSAGE, 0, TAG_ANY)) != NULL){
char msg[MAX_STRING_LEN+19];
rad_authlog("Login incorrect", request, 0);
}
- /* double check: maybe the secret is wrong? */
- if ((debug_flag > 1) && (auth_item != NULL) &&
- (auth_item->attribute == PW_USER_PASSWORD)) {
- uint8_t *p;
-
- p = (uint8_t *) auth_item->vp_strvalue;
- while (*p) {
- int size;
-
- size = fr_utf8_char(p);
- if (!size) {
- log_debug(" WARNING: Unprintable characters in the password. Double-check the shared secret on the server and the NAS!");
- break;
+ if (request->password) {
+ VERIFY_VP(request->password);
+ /* double check: maybe the secret is wrong? */
+ if ((debug_flag > 1) && (request->password->da->attr == PW_USER_PASSWORD)) {
+ uint8_t const *p;
+
+ p = (uint8_t const *) request->password->vp_strvalue;
+ while (*p) {
+ int size;
+
+ size = fr_utf8_char(p);
+ if (!size) {
+ RWDEBUG("Unprintable characters in the password. Double-check the "
+ "shared secret on the server and the NAS!");
+ break;
+ }
+ p += size;
}
- p += size;
}
}
}
int r, session_type = 0;
char logstr[1024];
char umsg[MAX_STRING_LEN + 1];
- const char *user_msg = NULL;
tmp = pairfind(request->config_items, PW_SESSION_TYPE, 0, TAG_ANY);
if (tmp) {
* User authenticated O.K. Now we have to check
* for the Simultaneous-Use parameter.
*/
- if (namepair &&
- (r = module_checksimul(session_type, request, check_item->vp_integer)) != 0) {
+ if (request->username &&
+ (r = process_checksimul(session_type, request, check_item->vp_integer)) != 0) {
char mpp_ok = 0;
if (r == 2){
}
if (!mpp_ok){
if (check_item->vp_integer > 1) {
- snprintf(umsg, sizeof(umsg),
- "\r\nYou are already logged in %d times - access denied\r\n\n",
- (int)check_item->vp_integer);
- user_msg = umsg;
+ snprintf(umsg, sizeof(umsg),
+ "\r\n%s (%d)\r\n\n",
+ main_config.denied_msg,
+ (int)check_item->vp_integer);
} else {
- user_msg = "\r\nYou are already logged in - access denied\r\n\n";
+ snprintf(umsg, sizeof(umsg),
+ "\r\n%s\r\n\n",
+ main_config.denied_msg);
}
- request->reply->code = PW_AUTHENTICATION_REJECT;
+ request->reply->code = PW_CODE_ACCESS_REJECT;
/*
* They're trying to log in too many times.
* Remove ALL reply attributes.
*/
pairfree(&request->reply->vps);
- radius_pairmake(request, &request->reply->vps,
- "Reply-Message",
- user_msg, T_OP_SET);
+ pairmake_reply("Reply-Message",
+ umsg, T_OP_SET);
snprintf(logstr, sizeof(logstr), "Multiple logins (max %d) %s",
check_item->vp_integer,
* been set to something. (i.e. Access-Challenge)
*/
if (request->reply->code == 0)
- request->reply->code = PW_AUTHENTICATION_ACK;
+ request->reply->code = PW_CODE_ACCESS_ACCEPT;
if ((module_msg = pairfind(request->packet->vps, PW_MODULE_SUCCESS_MESSAGE, 0, TAG_ANY)) != NULL){
char msg[MAX_STRING_LEN+12];
VALUE_PAIR *vp;
int result;
+ RDEBUG("server %s {", request->server);
+ RDEBUG(" Request:");
+ debug_pair_list(request->packet->vps);
+
/*
* We currently only handle AUTH packets here.
* This could be expanded to handle other packets as well if required.
*/
- rad_assert(request->packet->code == PW_AUTHENTICATION_REQUEST);
+ rad_assert(request->packet->code == PW_CODE_ACCESS_REQUEST);
result = rad_authenticate(request);
- if (request->reply->code == PW_AUTHENTICATION_REJECT) {
- pairdelete(&request->config_items, PW_POST_AUTH_TYPE, 0, TAG_ANY);
- vp = radius_pairmake(request, &request->config_items,
- "Post-Auth-Type", "Reject",
- T_OP_SET);
- if (vp) rad_postauth(request);
- }
+ if (request->reply->code == PW_CODE_ACCESS_REJECT) {
+ pairdelete(&request->config_items, PW_POST_AUTH_TYPE, 0, TAG_ANY);
+ vp = pairmake_config("Post-Auth-Type", "Reject", T_OP_SET);
+ if (vp) rad_postauth(request);
+ }
- if (request->reply->code == PW_AUTHENTICATION_ACK) {
- rad_postauth(request);
- }
+ if (request->reply->code == PW_CODE_ACCESS_ACCEPT) {
+ rad_postauth(request);
+ }
+
+ RDEBUG(" Reply:");
+ debug_pair_list(request->reply->vps);
+ RDEBUG("} # server %s", request->server);
return result;
}
-